From fa7225c82381bac4432a6edf16f53b5370238d85 Mon Sep 17 00:00:00 2001 
From: Apple <opensource@apple.com> Date: Thu, 22 Sep 2016 17:46:01 +0000 Subject: [PATCH] Security-57740.1.18.tar.gz --- CircleJoinRequested/CircleJoinRequested.m | 273 +- ...m.apple.security.CircleJoinRequested.plist | 10 + CircleJoinRequested/entitlements.plist | 1 + CloudKeychainProxy/CloudKeychainProxy.1 | 79 - ...chainSyncingProxy+IDSProxyReceiveMessage.h | 35 + ...chainSyncingProxy+IDSProxyReceiveMessage.m | 399 + ...KeychainSyncingProxy+IDSProxySendMessage.h | 31 +- ...KeychainSyncingProxy+IDSProxySendMessage.m | 306 + ...IDSKeychainSyncingProxy+IDSProxyThrottle.h | 35 + ...IDSKeychainSyncingProxy+IDSProxyThrottle.m | 397 + .../IDSKeychainSyncingProxy-Info.plist | 4 +- .../IDSPersistentState.h | 2 +- .../IDSPersistentState.m | 4 +- .../IDSProxy.h | 41 +- IDSKeychainSyncingProxy/IDSProxy.m | 415 + ...ecurity.idskeychainsyncingproxy.ios.plist} | 36 +- ...security.idskeychainsyncingproxy.osx.plist | 4 +- .../en.lproj/InfoPlist.strings | 0 ...idskeychainsyncingproxy.entitlements.plist | 8 +- .../idskeychainsyncingproxy.m | 96 +- ISACLProtectedItems/Info.plist | 6 +- KVSKeychainSyncingProxy/CKDAccount.h | 15 + KVSKeychainSyncingProxy/CKDKVSProxy.h | 148 + KVSKeychainSyncingProxy/CKDKVSProxy.m | 1278 +++ KVSKeychainSyncingProxy/CKDKVSStore.h | 32 + KVSKeychainSyncingProxy/CKDKVSStore.m | 208 + .../CKDPersistentState.h | 29 +- KVSKeychainSyncingProxy/CKDPersistentState.m | 133 + KVSKeychainSyncingProxy/CKDSecuritydAccount.h | 19 + KVSKeychainSyncingProxy/CKDSecuritydAccount.m | 55 + KVSKeychainSyncingProxy/CKDStore.h | 28 + .../CloudKeychainProxy-Info.plist | 2 +- .../cloudkeychain.entitlements.plist | 1 - KVSKeychainSyncingProxy/cloudkeychainproxy.m | 420 + ...ple.security.cloudkeychainproxy3.ios.plist | 0 ...ple.security.cloudkeychainproxy3.osx.plist | 2 +- Keychain/KCATableViewController.m | 1 - Keychain/Keychain-Info.plist | 8 +- .../Keychain_114x114.png | Bin .../Keychain_144x144.png | Bin .../Keychain_57x57.png | Bin .../Keychain_72x72.png | Bin 
KeychainCircle/Info.plist | 26 + KeychainCircle/KCAESGCMDuplexSession.h | 38 + KeychainCircle/KCAESGCMDuplexSession.m | 314 + KeychainCircle/KCAccountKCCircleDelegate.h | 45 + KeychainCircle/KCAccountKCCircleDelegate.m | 77 + KeychainCircle/KCDer.h | 46 + KeychainCircle/KCDer.m | 144 + KeychainCircle/KCError.h | 34 + KeychainCircle/KCError.m | 47 + KeychainCircle/KCJoiningAcceptSession.m | 244 + KeychainCircle/KCJoiningMessages.h | 113 + KeychainCircle/KCJoiningMessages.m | 393 + KeychainCircle/KCJoiningRequestSession.m | 370 + KeychainCircle/KCJoiningSession.h | 197 + KeychainCircle/KCSRPContext.h | 76 + KeychainCircle/KCSRPContext.m | 245 + KeychainCircle/KeychainCircle.h | 9 + KeychainCircle/NSData+SecRandom.h | 11 + KeychainCircle/NSData+SecRandom.m | 26 + KeychainCircle/NSError+KCCreationHelpers.h | 53 + KeychainCircle/NSError+KCCreationHelpers.m | 116 + KeychainCircle/Tests/Info.plist | 24 + KeychainCircle/Tests/KCAESGCMTest.m | 138 + KeychainCircle/Tests/KCDerTest.m | 114 + KeychainCircle/Tests/KCJoiningSessionTest.m | 579 + KeychainCircle/Tests/KCSRPTests.m | 108 + KeychainCircle/Tests/KeychainCircle.plist | 102 + ...KeychainSyncAccountNotification-Info.plist | 2 +- .../KeychainSyncAccountNotification.m | 22 +- Modules/Security.iOS.modulemap | 20 + Modules/Security.macOS.modulemap | 48 + OSX/Breadcrumb/SecBreadcrumb.c | 89 +- ...nife-on-bread.c => bc-10-knife-on-bread.m} | 58 +- ...com.apple.private.alloy.keychainsync.plist | Bin 458 -> 0 bytes .../en.lproj/InfoPlist.strings | 2 - ...idskeychainsyncingproxy.entitlements.plist | 30 - .../KNAppDelegate.m | 18 +- .../KNPersistentState.h | 4 +- .../Keychain Circle Notification-Info.plist | 2 +- .../NSDictionary+compactDescription.m | 2 +- ...ecurity.keychain-circle-notification.plist | 8 +- .../entitlments.plist | 2 + OSX/Keychain/KDAppDelegate.m | 44 +- OSX/Keychain/KDCirclePeer.m | 4 +- OSX/Keychain/KDSecCircle.h | 2 +- OSX/Keychain/KDSecCircle.m | 15 +- OSX/Keychain/Keychain-Info.plist | 2 +- OSX/Modules | 1 
+ OSX/OSX.xcodeproj/project.pbxproj | 2281 ++-- .../xcshareddata/xcschemes/World.xcscheme | 144 - .../xcschemes/copyHeaders.xcscheme | 89 - .../xcschemes/osx - World.xcscheme | 323 + ...ests.xcscheme => osx - secdtests.xcscheme} | 65 +- ...tests.xcscheme => osx - sectests.xcscheme} | 20 +- .../Info.plist} | 24 +- .../SecurityTests-Entitlements.plist | 47 + OSX/SecurityTestsOSX/main.m | 47 + OSX/SecurityTestsOSX/testlist.h | 7 + OSX/authd/Info.plist | 2 +- OSX/authd/agent.c | 2 +- OSX/authd/authdb.c | 89 +- OSX/authd/authdb.h | 2 +- OSX/authd/authitems.c | 59 +- OSX/authd/authitems.h | 5 +- OSX/authd/authorization.plist | 89 +- OSX/authd/authtoken.c | 19 +- OSX/authd/ccaudit.c | 11 +- OSX/authd/engine.c | 88 +- OSX/authd/process.c | 11 +- OSX/authd/rule.c | 32 +- OSX/authd/rule.h | 12 +- OSX/authd/server.c | 100 +- OSX/authd/session.c | 6 +- .../cloud_keychain_diagnose-Prefix.pch | 5 - OSX/codesign_tests/CaspianTests/CaspianTests | 7 + OSX/config/base.xcconfig | 3 +- OSX/config/security.xcconfig | 1 + OSX/lib/AppWorkaround.plist | 90 - OSX/lib/Info-Security.plist | 8 +- .../en.lproj/authorization.buttons.strings | 4 + .../en.lproj/authorization.prompts.strings | 4 + OSX/lib/framework.sb | 3 + OSX/lib/plugins/csparser-Info.plist | 10 +- OSX/lib/security.exp-in | 606 +- OSX/libsecurity_apple_csp/TODO | 1 - OSX/libsecurity_apple_csp/lib/AppleCSP.cpp | 6 +- .../lib/AppleCSPUtils.cpp | 2 +- .../lib/BlockCryptor.cpp | 6 +- OSX/libsecurity_apple_csp/lib/DH_keys.cpp | 2 +- OSX/libsecurity_apple_csp/lib/DH_keys.h | 2 +- OSX/libsecurity_apple_csp/lib/DH_utils.cpp | 2 +- OSX/libsecurity_apple_csp/lib/FEECSPUtils.cpp | 2 +- OSX/libsecurity_apple_csp/lib/FEEKeys.cpp | 10 +- OSX/libsecurity_apple_csp/lib/FEEKeys.h | 3 + .../lib/FEESignatureObject.cpp | 2 +- .../lib/RSA_DSA_keys.cpp | 6 +- OSX/libsecurity_apple_csp/lib/RSA_DSA_keys.h | 3 + .../lib/RSA_DSA_signature.cpp | 2 +- .../lib/RSA_DSA_utils.cpp | 2 +- .../lib/RSA_asymmetric.cpp | 4 +- .../lib/SignatureContext.cpp | 2 +- 
OSX/libsecurity_apple_csp/lib/ascContext.cpp | 4 +- .../lib/bsafeSymmetric.cpp | 2 +- OSX/libsecurity_apple_csp/lib/cspdebugging.h | 5 +- OSX/libsecurity_apple_csp/lib/desContext.cpp | 2 +- .../project.pbxproj | 69 +- .../open_ssl/bn/bn_prime.c | 5 +- .../open_ssl/openssl/opensslconf.h | 1 + .../open_ssl/opensslUtils/opensslAsn1.cpp | 2 +- .../open_ssl/opensslUtils/opensslUtils.cpp | 2 +- .../lib/SSCSPDLSession.cpp | 15 +- .../lib/SSCSPSession.cpp | 2 +- OSX/libsecurity_apple_cspdl/lib/SSContext.cpp | 2 +- .../lib/SSDLSession.cpp | 33 +- .../lib/SSDatabase.cpp | 88 +- OSX/libsecurity_apple_cspdl/lib/SSDatabase.h | 31 +- OSX/libsecurity_apple_cspdl/lib/SSKey.cpp | 10 +- .../project.pbxproj | 34 +- .../project.pbxproj | 34 +- OSX/libsecurity_apple_x509_cl/TODO | 1 - .../lib/AppleX509CLSession.cpp | 4 +- .../lib/cldebugging.h | 4 +- .../project.pbxproj | 35 +- .../lib/TPCertInfo.cpp | 4 +- .../lib/tpCredRequest.cpp | 2 +- .../lib/tpdebugging.h | 33 +- .../project.pbxproj | 40 +- OSX/libsecurity_asn1/config/base.xcconfig | 3 +- OSX/libsecurity_asn1/config/lib.xcconfig | 20 +- OSX/libsecurity_asn1/lib/SecAsn1Types.h | 6 + OSX/libsecurity_asn1/lib/plarena.h | 2 +- OSX/libsecurity_asn1/lib/secasn1d.c | 4 +- OSX/libsecurity_asn1/lib/secasn1e.c | 39 +- .../project.pbxproj | 232 +- .../lib/Authorization.c | 4 +- .../lib/Authorization.h | 9 +- .../lib/AuthorizationPlugin.h | 10 +- .../lib/AuthorizationTagsPriv.h | 24 + .../lib/trampolineClient.cpp | 12 +- .../project.pbxproj | 21 +- OSX/libsecurity_cdsa_client/lib/aclclient.cpp | 42 +- OSX/libsecurity_cdsa_client/lib/aclclient.h | 8 +- .../lib/cssmclient.cpp | 12 +- OSX/libsecurity_cdsa_client/lib/cssmclient.h | 6 +- OSX/libsecurity_cdsa_client/lib/dlclient.cpp | 52 +- OSX/libsecurity_cdsa_client/lib/dlclient.h | 19 + .../lib/securestorage.cpp | 18 +- .../lib/securestorage.h | 9 +- OSX/libsecurity_cdsa_client/lib/tpclient.cpp | 4 +- .../project.pbxproj | 29 +- .../lib/ACabstractsession.cpp | 69 + .../lib/ACabstractsession.h | 
39 + .../lib/CLabstractsession.cpp | 548 + .../lib/CLabstractsession.h | 143 + .../lib/CSPabstractsession.cpp | 847 ++ .../lib/CSPabstractsession.h | 239 + .../lib/CSPsession.cpp | 4 +- .../lib/DLabstractsession.cpp | 333 + .../lib/DLabstractsession.h | 107 + .../lib/DatabaseSession.cpp | 154 +- .../lib/TPabstractsession.cpp | 416 + .../lib/TPabstractsession.h | 140 + OSX/libsecurity_cdsa_plugin/lib/generator.cfg | 59 - OSX/libsecurity_cdsa_plugin/lib/generator.mk | 29 - OSX/libsecurity_cdsa_plugin/lib/generator.pl | 247 - .../project.pbxproj | 141 +- .../lib/AuthorizationData.cpp | 102 +- .../lib/AuthorizationData.h | 15 +- OSX/libsecurity_cdsa_utilities/lib/Schema.m4 | 2 +- .../lib/acl_codesigning.cpp | 6 +- .../lib/acl_preauth.cpp | 6 +- .../lib/acl_secret.cpp | 8 +- .../lib/acl_threshold.cpp | 2 +- .../lib/aclsubject.h | 1 + OSX/libsecurity_cdsa_utilities/lib/context.h | 2 +- .../lib/cssmcred.cpp | 2 +- .../lib/cssmdbname.cpp | 1 + .../lib/cssmerrors.cpp | 7 +- OSX/libsecurity_cdsa_utilities/lib/cssmlist.h | 3 +- OSX/libsecurity_cdsa_utilities/lib/db++.cpp | 10 +- .../lib/handletemplates_defs.h | 2 +- .../lib/objectacl.cpp | 34 +- .../lib/osxverifier.cpp | 20 +- OSX/libsecurity_cdsa_utilities/lib/walkers.h | 4 +- .../project.pbxproj | 24 +- OSX/libsecurity_cdsa_utils/lib/cuDbUtils.cpp | 31 +- OSX/libsecurity_cdsa_utils/lib/cuDbUtils.h | 2 +- OSX/libsecurity_cdsa_utils/lib/cuFileIo.c | 11 +- OSX/libsecurity_cdsa_utils/lib/cuFileIo.h | 7 + .../project.pbxproj | 23 +- .../project.pbxproj | 20 +- OSX/libsecurity_cms/lib/CMSEncoder.cpp | 13 +- .../libsecurity_cms.xcodeproj/project.pbxproj | 30 +- .../regressions/cms-hashagility-test.c | 1 + .../regressions/cms-hashagility-test.h | 1 + .../regressions/cms-trust-settings-test.c | 127 + .../regressions/cms-trust-settings-test.h | 180 + .../regressions/cms_regressions.h | 3 +- .../CodeSigningHelper-Info.plist | 2 +- .../CodeSigningHelper/main.c | 5 + .../CodeSigningHelper/main.cpp | 108 + 
OSX/libsecurity_codesigning/lib/CSCommon.h | 7 +- OSX/libsecurity_codesigning/lib/Code.cpp | 7 +- .../lib/CodeSigner.cpp | 4 +- .../lib/SecAssessment.cpp | 21 +- .../lib/SecAssessment.h | 6 +- OSX/libsecurity_codesigning/lib/SecCode.cpp | 50 +- OSX/libsecurity_codesigning/lib/SecCode.h | 63 +- OSX/libsecurity_codesigning/lib/SecCodePriv.h | 38 + .../lib/SecCodeSigner.cpp | 2 + .../lib/SecRequirement.h | 4 - .../lib/SecRequirementPriv.h | 12 +- .../lib/SecStaticCode.cpp | 87 +- .../lib/SecStaticCode.h | 40 +- OSX/libsecurity_codesigning/lib/SecTask.c | 56 +- OSX/libsecurity_codesigning/lib/SecTask.h | 15 + OSX/libsecurity_codesigning/lib/SecTaskPriv.h | 10 + .../lib/StaticCode.cpp | 309 +- OSX/libsecurity_codesigning/lib/StaticCode.h | 11 +- .../lib/bundlediskrep.cpp | 220 +- .../lib/bundlediskrep.h | 15 +- .../lib/codedirectory.cpp | 17 +- .../lib/codedirectory.h | 3 +- OSX/libsecurity_codesigning/lib/cs.h | 7 +- OSX/libsecurity_codesigning/lib/cskernel.cpp | 67 +- OSX/libsecurity_codesigning/lib/csprocess.cpp | 17 +- OSX/libsecurity_codesigning/lib/csprocess.h | 11 +- OSX/libsecurity_codesigning/lib/csutilities.h | 2 +- .../lib/dirscanner.cpp | 56 +- OSX/libsecurity_codesigning/lib/dirscanner.h | 4 + .../lib/diskimagerep.cpp | 35 +- OSX/libsecurity_codesigning/lib/diskrep.cpp | 4 + OSX/libsecurity_codesigning/lib/diskrep.h | 1 + .../lib/evaluationmanager.cpp | 102 +- .../lib/evaluationmanager.h | 2 + .../lib/filediskrep.cpp | 5 +- OSX/libsecurity_codesigning/lib/machorep.cpp | 58 +- OSX/libsecurity_codesigning/lib/machorep.h | 4 +- .../lib/piddiskrep.cpp | 35 +- OSX/libsecurity_codesigning/lib/piddiskrep.h | 7 +- OSX/libsecurity_codesigning/lib/policydb.cpp | 34 +- OSX/libsecurity_codesigning/lib/policydb.h | 7 +- .../lib/policyengine.cpp | 171 +- .../lib/policyengine.h | 2 +- OSX/libsecurity_codesigning/lib/reqinterp.cpp | 20 +- OSX/libsecurity_codesigning/lib/reqparser.cpp | 2 + OSX/libsecurity_codesigning/lib/resources.cpp | 33 +- 
OSX/libsecurity_codesigning/lib/resources.h | 2 +- .../lib/security_codesigning.exp | 7 + OSX/libsecurity_codesigning/lib/signer.cpp | 50 +- OSX/libsecurity_codesigning/lib/signer.h | 3 +- .../lib/signerutils.cpp | 8 +- .../lib/singlediskrep.cpp | 7 +- .../lib/singlediskrep.h | 2 +- OSX/libsecurity_codesigning/lib/syspolicy.sql | 2 + OSX/libsecurity_codesigning/lib/xpcengine.cpp | 32 +- OSX/libsecurity_codesigning/lib/xpcengine.h | 1 + .../project.pbxproj | 93 +- .../project.pbxproj | 30 +- OSX/libsecurity_cryptkit/lib/ckutilities.c | 6 +- .../lib/feeDigitalSignature.c | 6 + OSX/libsecurity_cryptkit/lib/feeECDSA.c | 5 +- OSX/libsecurity_cryptkit/lib/giantIntegers.c | 6 +- OSX/libsecurity_cryptkit/lib/giantIntegers.h | 2 +- .../lib/giantPort_Generic.h | 6 +- OSX/libsecurity_cryptkit/lib/platform.c | 15 +- .../project.pbxproj | 18 +- OSX/libsecurity_cssm/lib/attachment.cpp | 7 +- OSX/libsecurity_cssm/lib/certextensions.h | 5 + OSX/libsecurity_cssm/lib/cssmaci.h | 5 + OSX/libsecurity_cssm/lib/cssmapple.h | 18 +- OSX/libsecurity_cssm/lib/cssmapplePriv.h | 12 + OSX/libsecurity_cssm/lib/cssmcli.h | 5 + OSX/libsecurity_cssm/lib/cssmcspi.h | 5 + OSX/libsecurity_cssm/lib/cssmdli.h | 5 + OSX/libsecurity_cssm/lib/cssmkrapi.h | 5 + OSX/libsecurity_cssm/lib/cssmkrspi.h | 5 + OSX/libsecurity_cssm/lib/cssmspi.h | 4 + OSX/libsecurity_cssm/lib/cssmtpi.h | 5 + OSX/libsecurity_cssm/lib/cssmtype.h | 5 + OSX/libsecurity_cssm/lib/emmspi.h | 5 + OSX/libsecurity_cssm/lib/emmtype.h | 5 + OSX/libsecurity_cssm/lib/manager.cpp | 18 +- OSX/libsecurity_cssm/lib/modload_plugin.cpp | 20 +- OSX/libsecurity_cssm/lib/modload_plugin.h | 2 + OSX/libsecurity_cssm/lib/modloader.cpp | 4 +- OSX/libsecurity_cssm/lib/transition.cpp | 5 - OSX/libsecurity_cssm/lib/x509defs.h | 5 + .../project.pbxproj | 18 +- OSX/libsecurity_filedb/lib/AppleDatabase.cpp | 23 +- OSX/libsecurity_filedb/lib/AppleDatabase.h | 5 + OSX/libsecurity_filedb/lib/AtomicFile.cpp | 184 +- OSX/libsecurity_filedb/lib/AtomicFile.h | 3 - 
.../project.pbxproj | 36 +- OSX/libsecurity_keychain/lib/ACL.cpp | 42 +- OSX/libsecurity_keychain/lib/Access.cpp | 16 +- .../lib/AppleBaselineEscrowCertificates.h | 42 +- OSX/libsecurity_keychain/lib/CCallbackMgr.cp | 153 +- OSX/libsecurity_keychain/lib/CCallbackMgr.h | 11 +- OSX/libsecurity_keychain/lib/Certificate.cpp | 49 +- .../lib/CertificateRequest.h | 2 +- .../lib/CertificateValues.cpp | 13 + .../lib/CertificateValues.h | 1 + .../lib/DLDBListCFPref.cpp | 48 +- .../lib/DynamicDLDBList.cpp | 10 +- OSX/libsecurity_keychain/lib/Globals.cpp | 3 + OSX/libsecurity_keychain/lib/Identity.cpp | 120 +- OSX/libsecurity_keychain/lib/Identity.h | 7 +- .../lib/IdentityCursor.cpp | 40 +- OSX/libsecurity_keychain/lib/Item.cpp | 269 +- OSX/libsecurity_keychain/lib/Item.h | 16 +- OSX/libsecurity_keychain/lib/KCCursor.cpp | 48 +- OSX/libsecurity_keychain/lib/KCCursor.h | 3 + .../lib/KCEventNotifier.cpp | 2 +- OSX/libsecurity_keychain/lib/KeyItem.cpp | 664 +- OSX/libsecurity_keychain/lib/KeyItem.h | 40 +- OSX/libsecurity_keychain/lib/Keychains.cpp | 431 +- OSX/libsecurity_keychain/lib/Keychains.h | 34 +- OSX/libsecurity_keychain/lib/Policies.cpp | 4 +- OSX/libsecurity_keychain/lib/SecAccess.cpp | 1 - OSX/libsecurity_keychain/lib/SecAccess.h | 2 +- OSX/libsecurity_keychain/lib/SecBasePriv.h | 1 + OSX/libsecurity_keychain/lib/SecBridge.h | 107 +- OSX/libsecurity_keychain/lib/SecCFTypes.cpp | 1 - OSX/libsecurity_keychain/lib/SecCFTypes.h | 1 - .../lib/SecCertificate.cpp | 251 +- OSX/libsecurity_keychain/lib/SecCertificate.h | 37 +- .../lib/SecCertificateP.c | 124 +- .../lib/SecCertificatePriv.h | 99 +- .../lib/SecCertificatePrivP.h | 19 +- .../lib/SecFDERecoveryAsymmetricCrypto.cpp | 11 +- OSX/libsecurity_keychain/lib/SecFrameworkP.c | 109 +- OSX/libsecurity_keychain/lib/SecIdentity.cpp | 87 +- OSX/libsecurity_keychain/lib/SecIdentity.h | 3 +- OSX/libsecurity_keychain/lib/SecImport.cpp | 2 +- .../lib/SecImportExportOpenSSH.cpp | 2 +- .../lib/SecImportExportPkcs8.cpp | 2 +- 
.../lib/SecImportExportUtils.h | 4 +- OSX/libsecurity_keychain/lib/SecInternal.h | 3 +- OSX/libsecurity_keychain/lib/SecItem.cpp | 921 +- OSX/libsecurity_keychain/lib/SecItem.h | 36 + .../lib/SecItemConstants.c | 8 + OSX/libsecurity_keychain/lib/SecItemPriv.h | 67 +- OSX/libsecurity_keychain/lib/SecKey.cpp | 1904 ++-- OSX/libsecurity_keychain/lib/SecKey.h | 685 +- OSX/libsecurity_keychain/lib/SecKeyPriv.h | 182 +- OSX/libsecurity_keychain/lib/SecKeychain.cpp | 273 +- OSX/libsecurity_keychain/lib/SecKeychain.h | 6 +- .../lib/SecKeychainItem.cpp | 814 +- .../lib/SecKeychainItem.h | 2 +- .../lib/SecKeychainItemExtendedAttributes.cpp | 22 +- .../lib/SecKeychainPriv.h | 16 + .../lib/SecKeychainSearch.cpp | 24 +- OSX/libsecurity_keychain/lib/SecPassword.cpp | 6 +- OSX/libsecurity_keychain/lib/SecPolicy.cpp | 142 +- OSX/libsecurity_keychain/lib/SecPolicy.h | 183 +- OSX/libsecurity_keychain/lib/SecPolicyPriv.h | 1328 ++- OSX/libsecurity_keychain/lib/SecRandom.h | 2 + OSX/libsecurity_keychain/lib/SecTrust.cpp | 960 +- OSX/libsecurity_keychain/lib/SecTrust.h | 57 +- .../lib/SecTrustOSXEntryPoints.cpp | 290 + OSX/libsecurity_keychain/lib/SecTrustPriv.h | 407 +- .../lib/SecTrustSettings.cpp | 166 +- .../lib/SecTrustSettings.h | 4 +- .../lib/SecTrustSettingsCertificates.h | 173 +- .../lib/SecTrustSettingsPriv.h | 21 +- .../lib/StorageManager.cpp | 684 +- OSX/libsecurity_keychain/lib/StorageManager.h | 52 +- OSX/libsecurity_keychain/lib/TokenLogin.cpp | 614 + OSX/libsecurity_keychain/lib/TokenLogin.h | 49 + OSX/libsecurity_keychain/lib/Trust.cpp | 52 +- OSX/libsecurity_keychain/lib/Trust.h | 2 +- .../lib/TrustAdditions.cpp | 48 +- OSX/libsecurity_keychain/lib/TrustItem.cpp | 10 +- .../lib/TrustSettings.cpp | 98 +- .../lib/TrustSettingsSchema.h | 3 +- OSX/libsecurity_keychain/lib/TrustStore.cpp | 12 +- .../lib/TrustedApplication.cpp | 12 +- .../lib/UnlockReferralItem.cpp | 10 +- OSX/libsecurity_keychain/lib/defaultcreds.cpp | 14 +- .../lib/security_keychain.exp | 24 +- 
.../libDER/Tests/parseTicket.c | 23 - .../libDER/config/base.xcconfig | 3 +- .../libDER/config/lib.xcconfig | 11 +- .../libDER/libDER.xcodeproj/project.pbxproj | 184 +- .../libDER/libDER/DER_CertCrl.h | 12 +- .../libDER/libDER/DER_Decode.c | 215 +- .../libDER/libDER/DER_Decode.h | 49 +- .../libDER/libDER/DER_Digest.h | 12 +- .../libDER/libDER/DER_Encode.c | 7 +- .../libDER/libDER/DER_Encode.h | 13 +- .../libDER/libDER/DER_Keys.h | 12 +- .../libDER/libDER/asn1Types.h | 51 +- .../libDER/libDER/libDER.h | 15 +- .../libDER/libDER/libDER_config.h | 13 +- OSX/libsecurity_keychain/libDER/libDER/oids.c | 85 +- OSX/libsecurity_keychain/libDER/libDER/oids.h | 16 +- .../libDER/libDER/oidsPriv.h | 20 +- .../project.pbxproj | 305 +- .../regressions/kc-01-keychain-creation.c | 35 + .../regressions/kc-02-unlock-noui.c | 36 + .../regressions/kc-03-keychain-list.c | 124 + .../regressions/kc-03-status.c | 43 +- .../regressions/kc-04-is-valid.c | 27 +- .../kc-05-find-existing-items-locked.c | 126 + .../regressions/kc-05-find-existing-items.c | 120 + .../regressions/kc-06-cert-search-email.m | 207 + .../regressions/kc-10-item-add-certificate.c | 18 +- .../regressions/kc-10-item-add-generic.c | 23 +- .../regressions/kc-10-item-add-internet.c | 33 +- .../regressions/kc-12-item-create-keypair.c | 24 +- .../kc-12-key-create-symmetric-and-use.m | 258 + .../regressions/kc-12-key-create-symmetric.c | 77 + .../kc-15-item-update-label-skimaad.m | 169 + .../regressions/kc-15-key-update-valueref.c | 301 + .../regressions/kc-16-item-update-password.c | 94 + .../regressions/kc-18-find-combined.c | 1790 ++- .../regressions}/kc-19-item-copy-internet.c | 53 +- .../regressions/kc-20-identity-find-stress.c | 87 + .../kc-20-identity-key-attributes.c | 101 + .../kc-20-identity-persistent-refs.c | 174 + .../regressions/kc-20-item-find-stress.c | 75 + .../regressions/kc-20-key-find-stress.c | 75 + .../regressions}/kc-21-item-use-callback.c | 67 +- .../regressions/kc-21-item-xattrs.c | 404 + 
.../regressions/kc-23-key-export-symmetric.m | 142 + .../regressions/kc-24-key-copy-keychains.c | 290 + .../regressions/kc-26-key-import-public.m | 222 + .../regressions/kc-27-key-non-extractable.c | 236 + .../regressions/kc-28-cert-sign.c | 733 ++ .../regressions/kc-28-p12-import.m | 268 + .../regressions/kc-30-xara-helpers.h | 93 +- .../regressions/kc-30-xara-item-helpers.h | 127 +- .../regressions/kc-30-xara-key-helpers.h | 234 +- .../regressions/kc-30-xara-upgrade-helpers.h | 1500 ++- .../regressions/kc-30-xara.c | 590 +- .../regressions/kc-40-seckey.c | 609 - .../regressions/kc-40-seckey.m | 1415 +++ .../{kc-41-sececkey.c => kc-41-sececkey.m} | 111 +- .../regressions/kc-42-trust-revocation.c | 62 +- .../regressions/kc-43-seckey-interop.m | 603 + .../regressions/kc-helpers.h | 253 + .../regressions/kc-identity-helpers.h | 270 + .../regressions/kc-item-helpers.h | 153 + .../regressions/kc-key-helpers.h | 283 + .../regressions/kc-keychain-file-helpers.h | 2384 ++++ .../regressions/keychain_regressions.h | 33 + .../regressions/si-34-one-true-keychain.c | 6 +- .../xpc-tsa/XPCTimeStampingService-Info.plist | 2 +- OSX/libsecurity_keychain/xpc-tsa/main-tsa.m | 6 +- .../xpc/XPCKeychainSandboxCheck-Info.plist | 2 +- .../lib/AppleManifest.cpp | 36 +- .../lib/ManifestInternal.cpp | 40 +- OSX/libsecurity_manifest/lib/SecManifest.cpp | 20 +- .../project.pbxproj | 25 +- OSX/libsecurity_mds/lib/MDSAttrParser.cpp | 21 +- OSX/libsecurity_mds/lib/MDSAttrUtils.h | 4 +- OSX/libsecurity_mds/lib/MDSDatabase.cpp | 12 +- OSX/libsecurity_mds/lib/MDSDatabase.h | 12 +- OSX/libsecurity_mds/lib/MDSDictionary.cpp | 20 +- OSX/libsecurity_mds/lib/MDSDictionary.h | 6 +- OSX/libsecurity_mds/lib/MDSModule.cpp | 2 +- OSX/libsecurity_mds/lib/MDSSession.cpp | 12 +- OSX/libsecurity_mds/lib/mds.h | 5 + OSX/libsecurity_mds/lib/mdsapi.cpp | 2 +- .../libsecurity_mds.xcodeproj/project.pbxproj | 42 +- OSX/libsecurity_ocspd/common/ocspdDebug.h | 42 +- .../project.pbxproj | 28 +- 
OSX/libsecurity_pkcs12/lib/pkcs12Debug.h | 8 +- OSX/libsecurity_pkcs12/lib/pkcs12Utils.cpp | 12 +- .../project.pbxproj | 21 +- .../lib/SDCSPDLPlugin.cpp | 4 +- OSX/libsecurity_sd_cspdl/lib/SDCSPSession.cpp | 6 +- OSX/libsecurity_sd_cspdl/lib/SDCSPSession.h | 4 +- OSX/libsecurity_sd_cspdl/lib/SDContext.cpp | 2 +- OSX/libsecurity_sd_cspdl/lib/SDDLSession.cpp | 8 +- .../project.pbxproj | 42 +- OSX/libsecurity_smime/TODO | 9 - OSX/libsecurity_smime/lib/SecCMS.c | 439 +- OSX/libsecurity_smime/lib/SecCMS.h | 67 + OSX/libsecurity_smime/lib/cmscinfo.c | 2 + OSX/libsecurity_smime/lib/cmscipher.c | 7 + OSX/libsecurity_smime/lib/cmsdecode.c | 19 +- OSX/libsecurity_smime/lib/cmsdigdata.c | 6 + OSX/libsecurity_smime/lib/cmsdigest.c | 29 +- OSX/libsecurity_smime/lib/cmsencdata.c | 3 + OSX/libsecurity_smime/lib/cmsmessage.c | 4 +- OSX/libsecurity_smime/lib/cmspubkey.c | 974 +- OSX/libsecurity_smime/lib/cmsrecinfo.c | 4 - OSX/libsecurity_smime/lib/cmsreclist.c | 1 + OSX/libsecurity_smime/lib/cmssigdata.c | 19 +- OSX/libsecurity_smime/lib/cmssiginfo.c | 7 - OSX/libsecurity_smime/lib/cmsutil.c | 8 +- OSX/libsecurity_smime/lib/cryptohi.c | 722 +- OSX/libsecurity_smime/lib/cryptohi.h | 8 + OSX/libsecurity_smime/lib/smimeutil.c | 6 + OSX/libsecurity_smime/lib/tsaSupport.c | 40 +- .../project.pbxproj | 44 +- .../regressions/cms-01-basic.c | 501 + .../regressions/cms-01-basic.h | 1341 +++ .../regressions/smime-cms-test.c | 35 +- .../regressions/smime_regressions.h | 1 + OSX/libsecurity_ssl/config/base.xcconfig | 3 +- OSX/libsecurity_ssl/config/kext.xcconfig | 2 +- OSX/libsecurity_ssl/config/lib.xcconfig | 6 +- OSX/libsecurity_ssl/config/tests.xcconfig | 13 +- OSX/libsecurity_ssl/dtlsEcho/dtlsEchoClient.c | 310 - OSX/libsecurity_ssl/dtlsEcho/dtlsEchoServer.c | 325 - OSX/libsecurity_ssl/lib/SSLRecordInternal.c | 18 +- OSX/libsecurity_ssl/lib/SecureTransport.h | 97 +- OSX/libsecurity_ssl/lib/SecureTransportPriv.h | 40 +- OSX/libsecurity_ssl/lib/appleSession.c | 470 - 
OSX/libsecurity_ssl/lib/security_ssl.exp | 3 +- OSX/libsecurity_ssl/lib/sslCipherSpecs.c | 14 +- OSX/libsecurity_ssl/lib/sslContext.c | 472 +- OSX/libsecurity_ssl/lib/sslContext.h | 23 +- OSX/libsecurity_ssl/lib/sslCrypto.c | 276 +- OSX/libsecurity_ssl/lib/sslCrypto.h | 1 - OSX/libsecurity_ssl/lib/sslDebug.h | 32 +- OSX/libsecurity_ssl/lib/sslKeychain.c | 1 - OSX/libsecurity_ssl/lib/sslRecord.c | 1 - OSX/libsecurity_ssl/lib/sslTransport.c | 206 +- OSX/libsecurity_ssl/lib/sslTypes.h | 1 - OSX/libsecurity_ssl/lib/sslUtils.c | 140 - OSX/libsecurity_ssl/lib/sslUtils.h | 82 - OSX/libsecurity_ssl/lib/tlsCallbacks.c | 40 +- OSX/libsecurity_ssl/lib/tls_record_internal.h | 1 - .../libsecurity_ssl.xcodeproj/project.pbxproj | 20 +- OSX/libsecurity_ssl/regressions/ssl-39-echo.c | 2 +- .../regressions/ssl-41-clientauth.c | 5 + .../regressions/ssl-42-ciphers.c | 9 +- .../regressions/ssl-43-ciphers.c | 44 +- .../regressions/ssl-44-crashes.c | 16 +- .../regressions/ssl-45-tls12.c | 35 +- .../ssl-46-SSLGetSupportedCiphers.c | 51 +- .../regressions/ssl-47-falsestart.c | 44 +- .../regressions/ssl-48-split.c | 2 +- OSX/libsecurity_ssl/regressions/ssl-49-sni.c | 5 +- .../regressions/ssl-51-state.c | 1 + .../regressions/ssl-52-noconn.c | 2 + .../regressions/ssl-53-clientauth.c | 2 - OSX/libsecurity_ssl/regressions/ssl-54-dhe.c | 3 - .../regressions/ssl-55-sessioncache.c | 132 +- .../regressions/ssl-56-renegotiate.c | 464 + OSX/libsecurity_ssl/regressions/ssl-utils.h | 12 +- .../regressions/ssl_regressions.h | 1 + OSX/libsecurity_ssl/sslViewer/fileIo.c | 116 - OSX/libsecurity_ssl/sslViewer/ioSock.c | 502 - OSX/libsecurity_ssl/sslViewer/ioSock.h | 110 - OSX/libsecurity_ssl/sslViewer/printCert.c | 218 - OSX/libsecurity_ssl/sslViewer/sslAppUtils.cpp | 1592 --- OSX/libsecurity_ssl/sslViewer/sslAppUtils.h | 167 - OSX/libsecurity_ssl/sslViewer/sslServer.1 | 79 - OSX/libsecurity_ssl/sslViewer/sslServer.cpp | 1061 -- OSX/libsecurity_ssl/sslViewer/sslViewer.1 | 79 - 
OSX/libsecurity_ssl/sslViewer/sslViewer.cpp | 1870 ---- .../sslViewer.xcodeproj/project.pbxproj | 454 - .../libsecurity_transform_core.xcconfig | 1 + .../security_transform_Default.xcconfig | 1 + .../security_transform_Deployment.xcconfig | 1 + .../security_transform_Development.xcconfig | 1 + OSX/libsecurity_transform/custom.h | 4 +- .../lib/SecDigestTransform.h | 2 +- OSX/libsecurity_transform/lib/c++utils.cpp | 2 +- .../project.pbxproj | 26 +- .../unit-tests-Info.plist | 2 +- .../lib/SecTranslocate.cpp | 500 + .../lib/SecTranslocate.h | 218 + .../lib/SecTranslocateClient.cpp | 190 + .../lib/SecTranslocateClient.hpp | 63 + .../lib/SecTranslocateDANotification.cpp | 221 + .../lib/SecTranslocateDANotification.hpp | 50 + .../lib/SecTranslocateInterface.cpp | 95 + .../lib/SecTranslocateInterface.hpp | 56 + .../lib/SecTranslocateLSNotification.cpp | 282 + .../lib/SecTranslocateLSNotification.hpp | 56 + .../lib/SecTranslocateServer.cpp | 167 + .../lib/SecTranslocateServer.hpp | 73 + .../lib/SecTranslocateShared.cpp | 1023 ++ .../lib/SecTranslocateShared.hpp | 89 + .../lib/SecTranslocateUtilities.cpp | 330 + .../lib/SecTranslocateUtilities.hpp | 108 + .../lib/SecTranslocateXPCServer.cpp | 155 + .../lib/SecTranslocateXPCServer.hpp | 51 + .../lib/security_translocate.exp | 25 + .../project.pbxproj | 383 + .../lib/CSPDLTransaction.cpp | 61 +- .../lib/CSPDLTransaction.h | 25 +- .../lib/FileLockTransaction.cpp | 76 + .../lib/FileLockTransaction.h | 69 + OSX/libsecurity_utilities/lib/alloc.h | 9 +- .../lib/casts.h} | 51 +- OSX/libsecurity_utilities/lib/ccaudit.cpp | 2 +- OSX/libsecurity_utilities/lib/cfclass.cpp | 49 +- OSX/libsecurity_utilities/lib/cfmach++.cpp | 8 +- OSX/libsecurity_utilities/lib/cfutilities.cpp | 2 +- OSX/libsecurity_utilities/lib/cfutilities.h | 4 +- .../lib/coderepository.cpp | 8 +- .../lib/coderepository.h | 8 +- OSX/libsecurity_utilities/lib/daemon.cpp | 4 +- OSX/libsecurity_utilities/lib/debugging.cpp | 518 - OSX/libsecurity_utilities/lib/debugging.h 
| 130 +- .../lib/debugging_internal.cpp | 546 +- .../lib/debugging_internal.h | 125 +- OSX/libsecurity_utilities/lib/errors.cpp | 90 +- OSX/libsecurity_utilities/lib/errors.h | 5 + OSX/libsecurity_utilities/lib/exports | 6 + OSX/libsecurity_utilities/lib/globalizer.h | 2 +- OSX/libsecurity_utilities/lib/hosts.cpp | 2 +- OSX/libsecurity_utilities/lib/iodevices.cpp | 17 +- OSX/libsecurity_utilities/lib/ip++.cpp | 18 +- OSX/libsecurity_utilities/lib/mach++.cpp | 13 +- OSX/libsecurity_utilities/lib/mach++.h | 1 + OSX/libsecurity_utilities/lib/macho++.cpp | 8 +- .../lib/machrunloopserver.cpp | 2 +- OSX/libsecurity_utilities/lib/machserver.cpp | 40 +- OSX/libsecurity_utilities/lib/memutils.h | 2 +- OSX/libsecurity_utilities/lib/muscle++.cpp | 11 +- OSX/libsecurity_utilities/lib/osxcode.cpp | 12 +- OSX/libsecurity_utilities/lib/pcsc++.cpp | 50 +- OSX/libsecurity_utilities/lib/powerwatch.cpp | 40 +- OSX/libsecurity_utilities/lib/refcount.h | 13 +- OSX/libsecurity_utilities/lib/seccfobject.cpp | 30 +- OSX/libsecurity_utilities/lib/seccfobject.h | 29 +- OSX/libsecurity_utilities/lib/selector.cpp | 16 +- OSX/libsecurity_utilities/lib/simpleprefs.cpp | 2 +- OSX/libsecurity_utilities/lib/socks++4.cpp | 6 +- OSX/libsecurity_utilities/lib/socks++5.cpp | 12 +- OSX/libsecurity_utilities/lib/sqlite++.cpp | 5 +- OSX/libsecurity_utilities/lib/superblob.h | 33 +- OSX/libsecurity_utilities/lib/threading.cpp | 15 +- OSX/libsecurity_utilities/lib/threading.h | 27 + OSX/libsecurity_utilities/lib/tqueue.h | 10 +- OSX/libsecurity_utilities/lib/unix++.cpp | 95 +- OSX/libsecurity_utilities/lib/unix++.h | 13 +- OSX/libsecurity_utilities/lib/unixchild.cpp | 78 +- OSX/libsecurity_utilities/lib/vproc++.cpp | 1 + .../project.pbxproj | 121 +- OSX/libsecurityd/lib/SharedMemoryClient.cpp | 38 +- OSX/libsecurityd/lib/eventlistener.cpp | 254 +- OSX/libsecurityd/lib/eventlistener.h | 8 + OSX/libsecurityd/lib/ssblob.cpp | 139 +- OSX/libsecurityd/lib/ssblob.h | 40 +- OSX/libsecurityd/lib/ssclient.cpp | 18 
+- OSX/libsecurityd/lib/ssclient.h | 29 +- OSX/libsecurityd/lib/sstransit.cpp | 6 +- OSX/libsecurityd/lib/transition.cpp | 201 +- OSX/libsecurityd/lib/xdr_cssm.c | 2 +- .../libsecurityd.xcodeproj/project.pbxproj | 46 +- OSX/libsecurityd/mig/ucsp.defs | 63 +- .../regressions.xcodeproj/project.pbxproj | 36 +- OSX/regressions/test/testenv.h | 2 + OSX/regressions/test/testenv.m | 63 +- OSX/regressions/test/testmore.c | 81 +- OSX/regressions/test/testpolicy.m | 23 +- .../CKBridge/SOSCloudKeychainClient.c | 215 +- .../CKBridge/SOSCloudKeychainClient.h | 16 +- .../CKBridge/SOSCloudKeychainConstants.c | 6 +- .../CKBridge/SOSCloudKeychainConstants.h | 6 +- .../CKBridge/SOSCloudKeychainLogging.c | 222 + .../CKBridge/SOSCloudKeychainLogging.h | 13 + .../CloudKeychainProxy/CKDKVSProxy.h | 10 +- .../CloudKeychainProxy/CKDKVSProxy.m | 176 +- .../CloudKeychainProxy/CKDUserInteraction.m | 129 - .../cloudkeychain.entitlements.plist | 19 - .../CloudKeychainProxy/cloudkeychainproxy.m | 15 - .../en.lproj/InfoPlist.strings | 2 - OSX/sec/SOSCircle/Empty.c | 0 .../IDSKeychainSyncingProxy/IDSProxy.m | 685 -- ...idskeychainsyncingproxy.entitlements.plist | 30 - .../SOSCircle/Regressions/CKDKeyValueStore.h | 94 - .../SOSCircle/Regressions/CKDKeyValueStore.m | 365 - .../Regressions/SOSRegressionUtilities.c | 2 +- .../SOSCircle/Regressions/SOSTestDataSource.c | 25 +- OSX/sec/SOSCircle/Regressions/SOSTestDevice.c | 14 +- OSX/sec/SOSCircle/Regressions/SOSTestDevice.h | 2 + .../Regressions/sc-130-resignationticket.c | 18 +- OSX/sec/SOSCircle/Regressions/sc-140-hsa2.c | 247 +- .../Regressions/sc-150-backupkeyderivation.c | 4 +- OSX/sec/SOSCircle/Regressions/sc-150-ring.c | 7 + .../Regressions/sc-153-backupslicekeybag.c | 15 +- .../SOSCircle/Regressions/sc-20-keynames.c | 10 +- .../SOSCircle/Regressions/sc-25-soskeygen.c | 25 +- .../Regressions/sc-31-peerinfo-simplefuzz.c | 4 +- OSX/sec/SOSCircle/Regressions/sc-40-circle.c | 17 +- .../Regressions/sc-45-digestvector.c | 9 + 
.../SOSCircle/SecureObjectSync/SOSAccount.c | 1439 ++- .../SOSCircle/SecureObjectSync/SOSAccount.h | 78 +- .../SecureObjectSync/SOSAccountBackup.c | 138 +- .../SecureObjectSync/SOSAccountCircles.c | 41 +- .../SecureObjectSync/SOSAccountCredentials.c | 35 +- .../SecureObjectSync/SOSAccountFullPeerInfo.c | 21 +- .../SecureObjectSync/SOSAccountLog.c | 51 + .../SecureObjectSync/SOSAccountLog.h | 27 + .../SecureObjectSync/SOSAccountPeers.c | 30 + .../SecureObjectSync/SOSAccountPersistence.c | 55 +- .../SecureObjectSync/SOSAccountPriv.h | 65 +- .../SecureObjectSync/SOSAccountRingUpdate.c | 77 +- .../SecureObjectSync/SOSAccountRings.c | 223 +- .../SecureObjectSync/SOSAccountTransaction.c | 199 + .../SecureObjectSync/SOSAccountTransaction.h | 41 + .../SecureObjectSync/SOSAccountUpdate.c | 123 +- .../SecureObjectSync/SOSAccountViewSync.c | 379 + .../SecureObjectSync/SOSBackupSliceKeyBag.c | 29 +- .../SecureObjectSync/SOSBackupSliceKeyBag.h | 3 + .../SOSCircle/SecureObjectSync/SOSCircle.c | 329 +- .../SOSCircle/SecureObjectSync/SOSCircle.h | 16 +- .../SOSCircle/SecureObjectSync/SOSCircleDer.c | 10 +- .../SecureObjectSync/SOSCloudCircle.c | 208 +- .../SecureObjectSync/SOSCloudCircle.h | 61 +- .../SecureObjectSync/SOSCloudCircleInternal.h | 6 +- OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c | 287 +- OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.h | 9 +- .../SecureObjectSync/SOSDataSource.h | 44 +- .../SecureObjectSync/SOSDigestVector.c | 79 +- .../SecureObjectSync/SOSDigestVector.h | 4 +- .../SecureObjectSync/SOSECWrapUnwrap.c | 2 +- .../SOSCircle/SecureObjectSync/SOSEngine.c | 985 +- .../SOSCircle/SecureObjectSync/SOSEngine.h | 18 +- .../SecureObjectSync/SOSExports.exp-in | 62 +- .../SecureObjectSync/SOSForerunnerSession.c | 1464 --- .../SecureObjectSync/SOSForerunnerSession.h | 380 - .../SecureObjectSync/SOSFullPeerInfo.c | 74 +- .../SecureObjectSync/SOSFullPeerInfo.h | 2 + .../SOSCircle/SecureObjectSync/SOSGenCount.c | 23 +- .../SOSCircle/SecureObjectSync/SOSInternal.c | 31 
+- .../SOSCircle/SecureObjectSync/SOSInternal.h | 5 + .../SOSCircle/SecureObjectSync/SOSKVSKeys.c | 73 +- .../SOSCircle/SecureObjectSync/SOSKVSKeys.h | 5 +- OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.c | 84 +- OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.h | 4 - .../SOSCircle/SecureObjectSync/SOSPeerCoder.c | 44 +- .../SOSCircle/SecureObjectSync/SOSPeerCoder.h | 29 +- .../SOSCircle/SecureObjectSync/SOSPeerInfo.c | 162 +- .../SOSCircle/SecureObjectSync/SOSPeerInfo.h | 13 +- .../SecureObjectSync/SOSPeerInfoCollections.h | 2 +- .../SecureObjectSync/SOSPeerInfoDER.c | 12 +- .../SecureObjectSync/SOSPeerInfoV2.c | 45 +- .../SecureObjectSync/SOSPeerInfoV2.h | 3 + .../SOSCircle/SecureObjectSync/SOSPersist.h | 94 + .../SecureObjectSync/SOSRingBackup.c | 2 +- .../SOSRingConcordanceTrust.c | 7 +- .../SOSCircle/SecureObjectSync/SOSRingDER.c | 10 +- .../SOSCircle/SecureObjectSync/SOSRingTypes.c | 7 +- .../SOSCircle/SecureObjectSync/SOSRingUtils.c | 17 +- .../SOSCircle/SecureObjectSync/SOSRingUtils.h | 5 + .../SecureObjectSync/SOSSysdiagnose.c | 113 +- .../SOSCircle/SecureObjectSync/SOSTransport.c | 125 +- .../SOSCircle/SecureObjectSync/SOSTransport.h | 4 +- .../SecureObjectSync/SOSTransportCircleKVS.c | 17 +- .../SecureObjectSync/SOSTransportMessage.c | 8 +- .../SecureObjectSync/SOSTransportMessageIDS.c | 202 +- .../SecureObjectSync/SOSTransportMessageIDS.h | 11 +- .../SecureObjectSync/SOSTransportMessageKVS.c | 14 +- OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h | 3 +- .../SecureObjectSync/SOSUserKeygen.c | 15 +- OSX/sec/SOSCircle/SecureObjectSync/SOSViews.c | 243 +- .../SecureObjectSync/SOSViews.exp-in | 26 + OSX/sec/SOSCircle/SecureObjectSync/SOSViews.h | 18 +- .../SOSCircle/SecureObjectSync/ViewList.list | 40 + .../SOSCircle/Tool/NSFileHandle+Formatting.h | 21 + .../SOSCircle/Tool/NSFileHandle+Formatting.m | 30 + OSX/sec/SOSCircle/Tool/keychain_log.c | 104 +- OSX/sec/SOSCircle/Tool/keychain_sync.c | 188 +- OSX/sec/SOSCircle/Tool/keychain_sync.h | 2 +- 
OSX/sec/SOSCircle/Tool/keychain_sync_test.h | 15 + OSX/sec/SOSCircle/Tool/keychain_sync_test.m | 90 + OSX/sec/SOSCircle/Tool/secToolFileIO.c | 1 - OSX/sec/SOSCircle/Tool/secToolFileIO.h | 1 - OSX/sec/SOSCircle/Tool/secViewDisplay.c | 148 + .../SOSCircle/Tool/secViewDisplay.h} | 28 +- OSX/sec/SOSCircle/Tool/syncbackup.c | 87 + OSX/sec/SOSCircle/Tool/syncbackup.h | 40 + .../AppleBaselineEscrowCertificates.h | 95 +- .../Regressions/Security_regressions.h | 55 +- .../Regressions/secitem/si-12-item-stress.c | 4 +- .../Regressions/secitem/si-13-item-system.m | 2 +- .../Regressions/secitem/si-15-certificate.c | 20 +- .../secitem/si-15-delete-access-group.m | 88 + .../secitem/si-16-ec-certificate.c | 13 +- .../secitem/si-17-item-system-bluetooth.m | 2 +- .../secitem/si-20-sectrust-activation.c | 942 -- .../Regressions/secitem/si-20-sectrust.c | 206 +- .../Regressions/secitem/si-20-sectrust.h | 84 + .../Regressions/secitem/si-21-sectrust-asr.c | 20 +- .../Regressions/secitem/si-22-sectrust-iap.c | 617 +- .../Regressions/secitem/si-22-sectrust-iap.h | 427 + .../Regressions/secitem/si-23-sectrust-ocsp.c | 4 +- .../secitem/si-24-sectrust-appleid.c | 29 - .../si-24-sectrust-digicert-malaysia.c | 4 +- .../secitem/si-24-sectrust-diginotar.c | 6 +- .../Regressions/secitem/si-24-sectrust-itms.c | 16 +- .../secitem/si-24-sectrust-mobileasset.c | 29 - .../Regressions/secitem/si-24-sectrust-nist.c | 4 +- .../secitem/si-24-sectrust-otatasking.c | 29 - ...st-shoebox.c => si-24-sectrust-passbook.c} | 281 +- .../si-25-sectrust-apple-authentication.c | 700 -- .../secitem/si-25-sectrust-ipsec-eap.c | 778 -- ...ning.c => si-26-sectrust-copyproperties.c} | 31 +- .../secitem/si-27-sectrust-exceptions.c | 194 +- .../secitem/si-28-sectrustsettings.c | 215 - .../secitem/si-28-sectrustsettings.h | 288 + .../secitem/si-28-sectrustsettings.m | 565 + .../secitem/si-29-sectrust-codesigning.c | 695 -- .../secitem/si-33-keychain-backup.c | 10 +- .../Regressions/secitem/si-40-seckey-custom.c | 15 +- 
.../Regressions/secitem/si-40-seckey.c | 718 +- .../Regressions/secitem/si-41-sececkey.c | 612 +- .../Security/Regressions/secitem/si-60-cms.c | 6 +- .../Regressions/secitem/si-66-smime.c | 4 +- .../secitem/si-67-sectrust-blacklist.c | 21 +- .../Regressions/secitem/si-69-keydesc.c | 4 +- .../secitem/si-70-sectrust-unified.c | 6 +- .../secitem/si-71-mobile-store-policy.c | 16 +- .../secitem/si-73-secpasswordgenerate.c | 1040 +- .../Regressions/secitem/si-74-OTAPKISigner.c | 12 +- .../secitem/si-75-AppleIDRecordSigning.c | 267 - .../secitem/si-76-shared-credentials.c | 4 +- .../secitem/si-79-smp-cert-policy.c | 410 - .../secitem/si-81-sectrust-appletv.c | 558 - .../secitem/si-81-sectrust-server-auth.c | 581 - .../Regressions/secitem/si-82-token-ag.c | 33 + .../secitem/si-83-seccertificate-sighashalg.c | 3 +- .../secitem/si-84-sectrust-atv-appsigning.c | 478 - .../secitem/si-85-sectrust-ssl-policy.c | 101 +- ...-eap-tls.h => si-85-sectrust-ssl-policy.h} | 71 +- .../secitem/si-86-sectrust-eap-tls.c | 69 - .../secitem/si-87-sectrust-name-constraints.c | 16 +- .../secitem/si-88-sectrust-vpnprofile.c | 113 - .../secitem/si-88-sectrust-vpnprofile.h | 450 - .../Security/Regressions/secitem/si-90-emcs.m | 6 - .../Regressions/secitem/si-91-sectrust-ast2.c | 105 - .../Regressions/secitem/si-91-sectrust-ast2.h | 265 - .../secitem/si-92-sectrust-homekit.c | 109 - .../secitem/si-92-sectrust-homekit.h | 409 - .../Regressions/secitem/si-95-cms-basic.c | 508 + .../Regressions/secitem/si-95-cms-basic.h | 1341 +++ .../secitem/si-97-sectrust-path-scoring.h | 685 ++ .../secitem/si-97-sectrust-path-scoring.m | 256 + .../secitem/si_77_SecAccessControl.c | 5 +- .../Regressions/vmdh/vmdh-41-example.c | 7 +- .../Regressions/vmdh/vmdh-42-example2.c | 7 +- OSX/sec/Security/SecAccessControl.c | 41 +- OSX/sec/Security/SecAccessControl.h | 33 +- OSX/sec/Security/SecBase.h | 1 + OSX/sec/Security/SecBasePriv.h | 1 - OSX/sec/Security/SecCFAllocator.c | 64 + .../sec/Security/SecCFAllocator.h | 25 +- 
OSX/sec/Security/SecCMS.c | 29 +- OSX/sec/Security/SecCMS.h | 8 +- OSX/sec/Security/SecCTKKey.c | 257 +- OSX/sec/Security/SecCTKKeyPriv.h | 2 +- OSX/sec/Security/SecCertificate.c | 738 +- OSX/sec/Security/SecCertificateInternal.h | 17 + OSX/sec/Security/SecCertificatePath.c | 343 +- OSX/sec/Security/SecCertificatePath.h | 18 +- OSX/sec/Security/SecCertificatePriv.h | 43 +- OSX/sec/Security/SecCertificateRequest.c | 2 +- OSX/sec/Security/SecDH.c | 28 +- OSX/sec/Security/SecDigest.c | 100 + OSX/sec/Security/SecECKey.c | 491 +- OSX/sec/Security/SecEMCS.m | 11 +- OSX/sec/Security/SecExports.exp-in | 399 +- OSX/sec/Security/SecFramework.c | 136 +- OSX/sec/Security/SecFrameworkStrings.h | 6 +- OSX/sec/Security/SecItem.c | 500 +- OSX/sec/Security/SecItem.h | 32 +- OSX/sec/Security/SecItemBackup.c | 19 + OSX/sec/Security/SecItemConstants.c | 30 +- OSX/sec/Security/SecItemInternal.h | 6 + OSX/sec/Security/SecItemPriv.h | 97 +- OSX/sec/Security/SecItemShim.h | 64 + OSX/sec/Security/SecKey.c | 1148 +- OSX/sec/Security/SecKey.h | 659 +- OSX/sec/Security/SecKeyAdaptors.c | 1217 ++ OSX/sec/Security/SecKeyInternal.h | 18 + OSX/sec/Security/SecKeyPriv.h | 114 +- OSX/sec/Security/SecOTRFullIdentity.c | 15 +- OSX/sec/Security/SecOTRIdentityPriv.h | 7 +- OSX/sec/Security/SecOTRPublicIdentity.c | 14 +- OSX/sec/Security/SecOTRSession.c | 34 +- OSX/sec/Security/SecOTRSession.h | 1 + OSX/sec/Security/SecOTRSessionAKE.c | 188 +- OSX/sec/Security/SecPasswordGenerate.c | 88 +- OSX/sec/Security/SecPasswordGenerate.h | 7 + OSX/sec/Security/SecPolicy.c | 1994 +++- OSX/sec/Security/SecPolicy.h | 26 +- OSX/sec/Security/SecPolicyInternal.h | 75 +- OSX/sec/Security/SecPolicyLeafCallbacks.c | 822 ++ OSX/sec/Security/SecPolicyPriv.h | 1156 +- OSX/sec/Security/SecRSAKey.c | 778 +- OSX/sec/Security/SecRandom.h | 2 + OSX/sec/Security/SecServerEncryptionSupport.c | 30 +- OSX/sec/Security/SecServerEncryptionSupport.h | 5 +- OSX/sec/Security/SecSharedCredential.c | 28 +- 
OSX/sec/Security/SecSharedCredential.h | 16 +- .../SecSignatureVerificationSupport.c | 119 + .../SecSignatureVerificationSupport.h | 22 + OSX/sec/Security/SecTrust.c | 661 +- OSX/sec/Security/SecTrust.h | 46 +- OSX/sec/Security/SecTrustInternal.h | 23 +- OSX/sec/Security/SecTrustPriv.h | 244 +- OSX/sec/Security/SecTrustSettings.c | 2 +- OSX/sec/Security/SecTrustSettings.h | 19 +- OSX/sec/Security/SecTrustSettingsPriv.h | 22 +- OSX/sec/Security/SecTrustStore.c | 151 +- OSX/sec/Security/SecTrustStore.h | 8 + OSX/sec/Security/Security.h | 4 +- OSX/sec/Security/SecuritydXPC.c | 21 +- OSX/sec/Security/Tool/SecurityCommands.h | 12 +- OSX/sec/Security/Tool/codesign.c | 1 + OSX/sec/Security/Tool/keychain_find.c | 2 + OSX/sec/Security/Tool/keychain_util.c | 8 +- OSX/sec/Security/Tool/scep.c | 19 +- OSX/sec/Security/Tool/show_certificates.c | 129 + OSX/sec/Security/Tool/verify_cert.c | 77 +- OSX/sec/Security/cssmapple.h | 4 + OSX/sec/SecurityTool/security.1 | 3 + OSX/sec/SecurityTool/whoami.m | 4 +- .../com.apple.security.swcagent.plist | 4 - OSX/sec/SharedWebCredential/swcagent.m | 120 +- OSX/sec/config/base.xcconfig | 3 +- OSX/sec/config/lib-arc-only.xcconfig | 2 +- OSX/sec/config/lib.xcconfig | 10 +- OSX/sec/config/release.xcconfig | 2 +- OSX/sec/ipc/client.c | 26 +- OSX/sec/ipc/com.apple.secd.plist | 2 +- OSX/sec/ipc/com.apple.securityd.plist | 6 +- OSX/sec/ipc/securityd_client.h | 35 +- OSX/sec/ipc/server.c | 884 +- OSX/sec/os_log/README_os_log_prefs.txt | 5 + OSX/sec/os_log/com.apple.securityd.plist | 35 + OSX/sec/sec.xcodeproj/project.pbxproj | 960 +- OSX/sec/securityd/OTATrustUtilities.c | 312 +- OSX/sec/securityd/OTATrustUtilities.h | 5 + .../securityd/Regressions/SOSAccountTesting.h | 186 +- .../Regressions/SOSTransportTestTransports.c | 203 +- .../Regressions/SOSTransportTestTransports.h | 17 +- .../Regressions/SecdTestKeychainUtilities.c | 20 + .../Regressions/SecdTestKeychainUtilities.h | 6 + OSX/sec/securityd/Regressions/secd-01-items.c | 1 + 
.../Regressions/secd-05-corrupted-items.m | 2 +- .../Regressions/secd-100-initialsync.c | 126 + .../Regressions/secd-130-other-peer-views.c | 186 + .../Regressions/secd-20-keychain_upgrade.m | 5 +- .../securityd/Regressions/secd-200-logstate.c | 209 + .../Regressions/secd-21-transmogrify.m | 16 +- .../Regressions/secd-31-keychain-bad.c | 2 +- .../Regressions/secd-31-keychain-unreadable.c | 2 +- .../Regressions/secd-33-keychain-ctk.c | 662 -- .../Regressions/secd-33-keychain-ctk.m | 1045 ++ .../securityd/Regressions/secd-49-manifests.c | 2 +- .../securityd/Regressions/secd-50-account.c | 2 +- .../Regressions/secd-51-account-inflate.c | 36 +- .../Regressions/secd-52-account-changed.c | 12 +- .../secd-52-offering-gencount-reset.c | 10 +- .../Regressions/secd-55-account-circle.c | 32 +- .../Regressions/secd-56-account-apply.c | 172 +- .../secd-57-1-account-last-standing.c | 169 + .../Regressions/secd-57-account-leave.c | 12 +- .../Regressions/secd-58-password-change.c | 4 +- .../Regressions/secd-59-account-cleanup.c | 6 +- .../secd-60-account-cloud-identity.c | 65 +- ...d-61-account-leave-not-in-kansas-anymore.c | 8 +- .../Regressions/secd-62-account-backup.c | 89 +- .../Regressions/secd-62-account-hsa-join.c | 11 +- .../secd-63-account-resurrection.c | 6 +- .../Regressions/secd-64-circlereset.c | 59 +- .../secd-65-account-retirement-reset.c | 4 +- .../Regressions/secd-70-engine-corrupt.c | 4 + .../Regressions/secd-70-otr-remote.c | 4 +- .../Regressions/secd-71-engine-save-sample1.h | 125 + .../Regressions/secd-71-engine-save.c | 148 + .../Regressions/secd-76-idstransport.c | 313 + .../Regressions/secd-80-views-basic.c | 53 +- .../Regressions/secd-81-item-acl-stress.c | 4 +- .../securityd/Regressions/secd-81-item-acl.c | 4 +- .../Regressions/secd-82-persistent-ref.c | 7 +- .../Regressions/secd-82-secproperties-basic.c | 2 +- .../Regressions/secd-83-item-match-policy.m | 229 + .../Regressions/secd-83-item-match-trusted.m | 51 + .../secd-83-item-match-valid-on-date.m | 
68 + .../Regressions/secd-83-item-match.h | 10 + OSX/sec/securityd/Regressions/secd-90-hsa2.c | 143 +- .../Regressions/secd-95-escrow-persistence.c | 12 +- .../secd60-account-cloud-exposure.c | 23 +- .../Regressions/secd_77_ids_messaging.c | 299 + .../securityd/Regressions/secd_regressions.h | 14 +- OSX/sec/securityd/SOSCloudCircleServer.c | 821 +- OSX/sec/securityd/SOSCloudCircleServer.h | 14 + OSX/sec/securityd/SecCAIssuerCache.c | 12 +- OSX/sec/securityd/SecCAIssuerRequest.c | 32 +- OSX/sec/securityd/SecDbItem.c | 15 +- OSX/sec/securityd/SecDbItem.h | 3 +- OSX/sec/securityd/SecDbKeychainItem.c | 93 +- OSX/sec/securityd/SecDbKeychainItem.h | 2 +- OSX/sec/securityd/SecDbQuery.c | 69 +- OSX/sec/securityd/SecDbQuery.h | 10 + OSX/sec/securityd/SecItemBackupServer.c | 2 +- OSX/sec/securityd/SecItemDataSource.c | 139 +- OSX/sec/securityd/SecItemDb.c | 125 +- OSX/sec/securityd/SecItemDb.h | 6 +- OSX/sec/securityd/SecItemSchema.c | 215 +- OSX/sec/securityd/SecItemServer.c | 649 +- OSX/sec/securityd/SecItemServer.h | 8 + OSX/sec/securityd/SecOCSPCache.c | 3 + OSX/sec/securityd/SecOCSPResponse.c | 73 +- OSX/sec/securityd/SecOCSPResponse.h | 6 +- OSX/sec/securityd/SecPolicyServer.c | 2576 +++-- OSX/sec/securityd/SecPolicyServer.h | 12 +- OSX/sec/securityd/SecTrustServer.c | 495 +- OSX/sec/securityd/SecTrustServer.h | 24 +- OSX/sec/securityd/SecTrustStoreServer.c | 136 +- OSX/sec/securityd/SecTrustStoreServer.h | 3 + OSX/sec/securityd/asynchttp.c | 24 +- OSX/sec/securityd/asynchttp.h | 4 +- OSX/sec/securityd/entitlements.plist | 6 +- OSX/sec/securityd/nameconstraints.c | 2 +- OSX/sec/securityd/personalization.c | 28 + .../personalization.h} | 16 +- OSX/sec/securityd/spi.c | 15 + OSX/sectests/SecurityTests-Entitlements.plist | 4 + OSX/sectests/testlist.h | 5 +- OSX/security2/sub_commands.h | 2 + OSX/shared_regressions/shared_regressions.h | 41 +- .../AppleApplicationIntegration2CA.cer | Bin 0 -> 1052 bytes .../AppleApplicationIntegrationCA.cer | Bin .../AppleCodeSigningCA.cer 
| Bin 0 -> 1042 bytes .../AppleCorporateRootCA.cer | Bin 0 -> 949 bytes .../AppleCorporateVPNClientCA.cer | Bin 0 -> 1096 bytes .../AppleHomeKitServerCA.cer | Bin 0 -> 668 bytes .../AppleMacOSApplicationSigning.cer | Bin 0 -> 1370 bytes .../AppleRootCA.cer | Bin .../AppleRootG2.cer | Bin 0 -> 1430 bytes .../AppleRootG3.cer | Bin 0 -> 583 bytes .../AppleServerAuthentication.cer | Bin 0 -> 1020 bytes .../AppleSoftwareUpdateCA.cer | Bin 0 -> 1047 bytes .../AppleSystemIntegrationCAG3.cer | Bin 0 -> 751 bytes .../AppleWWDR-expired.cer | Bin .../AppleWWDR-test.cer | Bin .../AppleWWDR.cer | Bin 0 -> 1062 bytes .../AppleiPhoneCA.cer | Bin .../AppleiPhoneDeviceCA.cer | Bin 0 -> 877 bytes .../DeveloperIDCA.cer | Bin 0 -> 1032 bytes .../EntrustCAL1C.cer | Bin 0 -> 1270 bytes .../EntrustRootCA.cer | Bin 0 -> 1070 bytes .../FakeAppleRootCA.cer | Bin 0 -> 828 bytes .../InvalidEKUTest16.cer | Bin 0 -> 992 bytes .../PairingRootCA.cer | Bin 0 -> 689 bytes .../PinningPolicyTrustTest.plist | 2020 ++++ .../SSLTrustPolicyTestRootCertificate.cer | Bin 0 -> 987 bytes .../TestAppleGlobalRootCA.cer | Bin 0 -> 630 bytes .../TestAppleRootCA-ECC.cer | Bin 0 -> 555 bytes .../TestAppleRootCA.cer | Bin 0 -> 1232 bytes .../TestAppleRootCAG3.cer | Bin 0 -> 592 bytes .../TestAppleServerAuthentication.cer | Bin 0 -> 1043 bytes .../TestAppleSystemIntegration2CA.cer | Bin 0 -> 1070 bytes .../TestAppleSystemIntegrationCA-ECC.cer | Bin 0 -> 732 bytes .../TestAppleiPhoneDeviceCA.cer | Bin 0 -> 892 bytes .../WiFiIntermediateCA.cer | Bin 0 -> 1115 bytes .../WiFiRootCA.cer | Bin 0 -> 1038 bytes .../WrongPairingRootCA.cer | Bin 0 -> 689 bytes .../apn_legacy.cer | Bin 0 -> 1319 bytes .../apple_corp_vpn_client.cer | Bin 0 -> 1113 bytes .../appleid_authority.cer | Bin .../appleid_record_signing.cer | Bin 0 -> 1301 bytes .../asset_signing.cer | Bin .../si-20-sectrust-policies-data/ast2.cer | Bin 0 -> 1185 bytes .../configuration_profile.cer | Bin 0 -> 1367 bytes .../developer_id.cer | Bin 0 -> 1385 bytes 
.../developmentupdate.cer | Bin 0 -> 1332 bytes .../device_activation.cer | Bin 0 -> 875 bytes .../device_cert.cer | Bin 0 -> 835 bytes .../si-20-sectrust-policies-data/escrow.cer | Bin 0 -> 2962 bytes .../factory_device_cert.cer | Bin 0 -> 896 bytes .../si-20-sectrust-policies-data/fmip.cer | Bin 0 -> 2479 bytes .../generic_apple_server.cer | Bin 0 -> 1037 bytes .../si-20-sectrust-policies-data/gsa.cer | Bin 0 -> 1030 bytes .../si-20-sectrust-policies-data/homekit.cer | Bin 0 -> 792 bytes .../si-20-sectrust-policies-data/ids.cer | Bin 0 -> 1165 bytes .../ios_app_signing.cer | Bin 0 -> 903 bytes .../ios_provisioning_profile.cer | Bin 0 -> 1021 bytes .../ios_vpn_app_signing.cer | Bin 0 -> 925 bytes .../iphone_developer.cer | Bin 0 -> 1448 bytes .../si-20-sectrust-policies-data/ivpntest.cer | Bin 0 -> 1672 bytes .../ivpntestCA.cer | Bin 0 -> 1180 bytes .../mac_app_store_receipt.cer | Bin 0 -> 1408 bytes .../mac_app_store_receipt_badoid.cer | Bin 0 -> 1406 bytes .../mac_developer.cer | Bin 0 -> 1423 bytes .../osx_provisioning_profile.cer | Bin 0 -> 1334 bytes .../pairing_host_cert.cer | Bin 0 -> 702 bytes .../passbook_cardman.cer | Bin 0 -> 1525 bytes .../passbook_testcard.cer | Bin .../si-20-sectrust-policies-data/smp.cer | Bin 0 -> 714 bytes .../softwaresigning.cer | Bin 0 -> 1343 bytes .../softwareupdate.cer | Bin 0 -> 1328 bytes .../task_signing.cer | Bin .../test_ios_app_signing.cer | Bin 0 -> 1046 bytes .../test_ios_provisioning_profile.cer | Bin 0 -> 1031 bytes .../test_ipsec_gateway.cer | Bin 0 -> 807 bytes .../si-20-sectrust-policies-data/test_smp.cer | Bin 0 -> 712 bytes .../test_tvos_app_signing.cer | Bin 0 -> 1366 bytes .../tvos_app_signing.cer | Bin 0 -> 1379 bytes .../tvos_vpn_profile.cer | Bin 0 -> 1060 bytes .../si-20-sectrust-policies-data/ucrt.cer | Bin 0 -> 839 bytes .../ucrtTestIntermediate.cer | Bin 0 -> 499 bytes .../ucrtTestRootCA.cer | Bin 0 -> 551 bytes .../wifi_user.cer | Bin 0 -> 1305 bytes .../si-20-sectrust-policies.m | 425 + 
OSX/shared_regressions/si-44-seckey-ec.m | 81 + OSX/shared_regressions/si-44-seckey-gen.m | 94 + OSX/shared_regressions/si-44-seckey-ies.m | 289 + OSX/shared_regressions/si-44-seckey-rsa.m | 153 + .../si-82-sectrust-ct-certs.h | 1029 -- .../si-82-sectrust-ct-data/CA_alpha.crt | Bin 0 -> 715 bytes .../si-82-sectrust-ct-data/CA_beta.crt | Bin 0 -> 715 bytes .../si-82-sectrust-ct-data/CTlogs.plist | 198 + .../bad_hash_ocsp_response.bin | Bin 0 -> 374 bytes .../digicert_sha2_ev_server_ca.crt | Bin 0 -> 1210 bytes .../invalid_ocsp_response.bin | 2 + .../si-82-sectrust-ct-data/pilot_3055998.crt | Bin 0 -> 1534 bytes .../pilot_3055998_issuer.crt | Bin 0 -> 1290 bytes .../si-82-sectrust-ct-data/serverA.crt | Bin 0 -> 744 bytes .../serverA_proof_Alfa_3.bin | Bin 0 -> 118 bytes .../serverA_proof_Bravo_3.bin | Bin 0 -> 118 bytes .../si-82-sectrust-ct-data/serverD.crt | Bin 0 -> 744 bytes .../si-82-sectrust-ct-data/serverD_proof.bin | Bin 0 -> 117 bytes .../si-82-sectrust-ct-data/serverF.crt | Bin 0 -> 887 bytes .../si-82-sectrust-ct-data/server_1601.crt | Bin 0 -> 1008 bytes .../si-82-sectrust-ct-data/server_1603.crt | Bin 0 -> 1011 bytes .../si-82-sectrust-ct-data/server_1604.crt | Bin 0 -> 1132 bytes .../si-82-sectrust-ct-data/server_1701.crt | Bin 0 -> 1133 bytes .../si-82-sectrust-ct-data/server_1704.crt | Bin 0 -> 1133 bytes .../si-82-sectrust-ct-data/server_1705.crt | Bin 0 -> 1253 bytes .../si-82-sectrust-ct-data/server_1801.crt | Bin 0 -> 1251 bytes .../si-82-sectrust-ct-data/server_1804.crt | Bin 0 -> 1252 bytes .../si-82-sectrust-ct-data/server_1805.crt | Bin 0 -> 1375 bytes .../si-82-sectrust-ct-data/server_2001.crt | Bin 0 -> 1372 bytes .../valid_ocsp_response.bin | Bin 0 -> 374 bytes .../whitelist_00008013.crt | Bin 0 -> 1464 bytes .../whitelist_00008013_issuer.crt | Bin 0 -> 1236 bytes .../whitelist_5555bc4f.crt | Bin 0 -> 1594 bytes .../whitelist_5555bc4f_issuer.crt | Bin 0 -> 1210 bytes .../whitelist_aaaae152.crt | Bin 0 -> 1520 bytes 
.../whitelist_fff9b5f6.crt | Bin 0 -> 1353 bytes .../whitelist_fff9b5f6_issuer.crt | Bin 0 -> 1327 bytes .../www_digicert_com_2015.crt | Bin 0 -> 2144 bytes .../www_digicert_com_2016.crt | Bin 0 -> 2297 bytes .../si-82-sectrust-ct-data/www_paypal_com.crt | Bin 0 -> 1548 bytes .../www_paypal_com_issuer.crt | Bin 0 -> 1512 bytes OSX/shared_regressions/si-82-sectrust-ct.c | 1300 --- OSX/shared_regressions/si-82-sectrust-ct.m | 381 + OSX/tlsnke/README.tlsnke | 3 - OSX/tlsnke/tlsnke.xcodeproj/project.pbxproj | 611 - .../contents.xcworkspacedata | 7 - OSX/tlsnke/tlsnke/tlsnke.h | 104 - OSX/tlsnke/tlsnketest/cert-1.h | 66 - OSX/tlsnke/tlsnketest/dtls_client.c | 276 - OSX/tlsnke/tlsnketest/identity-1.h | 151 - OSX/tlsnke/tlsnketest/main.c | 295 - OSX/tlsnke/tlsnketest/privkey-1.h | 54 - OSX/tlsnke/tlsnketest/ssl-utils.c | 123 - OSX/tlsnke/tlsnketest/st_test.c | 759 -- OSX/tlsnke/tlsnketest/tlssocket.c | 344 - OSX/tlsnke/tlsnketest/tlssocket.h | 59 - .../SecTrustOSXEntryPoints.h} | 47 +- OSX/trustd/com.apple.trustd.agent.plist | 4 - OSX/trustd/entitlements.plist | 12 + OSX/trustd/trustd-Info.plist | 2 +- OSX/utilities/Regressions/su-07-debugging.c | 102 +- OSX/utilities/Regressions/su-16-cfdate-der.c | 6 +- .../Regressions/su-41-secdb-stress.c | 2 + OSX/utilities/config/lib.xcconfig | 4 + OSX/utilities/src/SecAKSWrappers.c | 9 +- OSX/utilities/src/SecAKSWrappers.h | 1 - OSX/utilities/src/SecAppleAnchor.c | 583 +- OSX/utilities/src/SecAppleAnchorPriv.h | 28 +- OSX/utilities/src/SecCFError.c | 3 +- OSX/utilities/src/SecCFWrappers.c | 102 +- OSX/utilities/src/SecCFWrappers.h | 177 +- OSX/utilities/src/SecDb.c | 268 +- OSX/utilities/src/SecDb.h | 4 +- OSX/utilities/src/SecFileLocations.c | 38 +- OSX/utilities/src/SecFileLocations.h | 9 +- OSX/utilities/src/SecInternalRelease.c | 30 +- OSX/utilities/src/SecInternalReleasePriv.h | 27 +- OSX/utilities/src/SecMeta.h | 2 +- OSX/utilities/src/SecdUsage.c | 0 OSX/utilities/src/cloud_keychain_diagnose.c | 1252 --- 
OSX/utilities/src/debugging.c | 318 +- OSX/utilities/src/debugging.h | 155 +- OSX/utilities/src/der_date.c | 2 +- OSX/utilities/src/fileIo.c | 15 +- OSX/utilities/src/fileIo.h | 7 +- OSX/utilities/src/iCloudKeychainTrace.h | 8 +- OSX/utilities/src/iOSforOSX-SecAttr.c | 2 + OSX/utilities/src/simulate_crash.c | 25 + .../utilities.xcodeproj/project.pbxproj | 34 +- OTAPKIAssetTool/OTAPKIAssetTool.xcconfig | 4 +- README | 3 +- RegressionTests/Security.plist | 41 +- RegressionTests/Security_edumode.plist | 6 - RegressionTests/secbackuptest/secbackuptest.m | 41 +- .../secitemfunctionality.entitlements | 11 + .../secitemfunctionality.m | 554 + .../secitemnotifications.entitlements | 10 + .../secitemnotifications.m | 71 + .../secitemstresstest.entitlements | 11 + .../secitemstresstest/secitemstresstest.m | 246 + Security-Info.plist | 4 +- Security.exp-in | 12 +- Security.xcodeproj/project.pbxproj | 9916 ++++++++--------- .../xcschemes/Security_executables.xcscheme | 87 - .../xcschemes/Security_frameworks.xcscheme | 87 - .../xcschemes/Security_temporary_UI.xcscheme | 87 - .../{Debug.xcscheme => ios - Debug.xcscheme} | 127 +- ...elease.xcscheme => ios - Release.xcscheme} | 62 +- ...ests.xcscheme => ios - secdtests.xcscheme} | 20 +- .../xcshareddata/xcschemes/phase1.xcscheme | 87 - .../xcshareddata/xcschemes/phase2.xcscheme | 87 - SecurityFeatures/CopyHeaders.sh | 13 + SecurityFeatures/ExternalProject.sh | 14 + SecurityFeatures/OSX/SecurityFeatures.h | 35 + SecurityFeatures/README.txt | 18 + .../iOS/SecurityFeatures.h | 18 +- .../Default-568h@2x.png | Bin .../Invalid-asset_signing.crt | Bin 1009 -> 0 bytes SecurityTests/SecurityDevTests-Info.plist | 8 +- .../SecurityTests-Entitlements.plist | 6 +- SecurityTests/SecurityTests-Info.plist | 8 +- .../AppleRootCertificate.crt | Bin 1215 -> 0 bytes .../Invalid-task_signing.crt | Bin 1000 -> 0 bytes .../mobileasset-certs/asset_signing.crt | Bin 1009 -> 0 bytes .../mobileasset-certs/iPhoneCACert.crt | Bin 1015 -> 0 bytes 
.../regressions/kc/kc-05-retain-release.c | 36 - .../regressions/kc/kc-10-unlock-noui.c | 37 - .../regressions/kc/kc-22-key-symmetric.c | 133 - .../Apple TEST RootCertificate.crt | Bin 1244 -> 0 bytes .../shoebox-certs/AppleRootCertificate.crt | Bin 1215 -> 0 bytes .../InvalidWildcardTest27Test28.cer | Bin 0 -> 991 bytes .../InvalidWildcardTest30.cer | Bin 0 -> 979 bytes .../InvalidWildcardTest31.cer | Bin 0 -> 981 bytes .../InvalidWildcardTest32.cer | Bin 0 -> 983 bytes .../InvalidWildcardTest33.cer | Bin 0 -> 980 bytes .../InvalidWildcardTest34.cer | Bin 0 -> 980 bytes .../ssl-policy-certs/SSLTrustPolicyTest.plist | 107 +- .../ssl-policy-certs/TestDescriptions.txt | 119 +- SecurityTests/testmain.c | 1 - .../SecurityTool.xcodeproj/project.pbxproj | 83 +- SecurityTool/access_utils.c | 2 +- SecurityTool/authz.c | 18 +- SecurityTool/cmsutil.c | 10 +- SecurityTool/cmsutil.h | 2 +- SecurityTool/config/project.xcconfig | 5 +- SecurityTool/createFVMaster.c | 12 +- SecurityTool/db_commands.cpp | 2 +- SecurityTool/display_error_code.c | 4 +- SecurityTool/identity_find.c | 8 +- SecurityTool/identity_prefs.c | 6 +- SecurityTool/key_create.c | 2 +- SecurityTool/keychain_add.c | 146 +- SecurityTool/keychain_create.c | 4 +- SecurityTool/keychain_delete.c | 2 +- SecurityTool/keychain_export.c | 315 +- SecurityTool/keychain_export.h | 1 + SecurityTool/keychain_find.c | 274 +- SecurityTool/keychain_find.h | 4 + SecurityTool/keychain_import.c | 22 +- SecurityTool/keychain_list.c | 135 +- SecurityTool/keychain_list.h | 1 + SecurityTool/keychain_lock.c | 2 +- SecurityTool/keychain_recode.c | 2 +- SecurityTool/keychain_set_settings.c | 12 +- SecurityTool/keychain_show_info.c | 2 +- SecurityTool/keychain_unlock.c | 4 +- SecurityTool/keychain_utilities.c | 29 +- SecurityTool/keychain_utilities.h | 4 +- SecurityTool/leaks.c | 2 +- SecurityTool/readline.c | 23 +- SecurityTool/security.1 | 47 +- SecurityTool/security.c | 133 +- SecurityTool/{security.h => security_tool.h} | 0 
SecurityTool/smartcards.h | 10 + SecurityTool/smartcards.m | 91 + SecurityTool/srCdsaUtils.cpp | 2 +- SecurityTool/sub_commands.h | 2 + SecurityTool/translocate.c | 261 + .../fileIo.h => SecurityTool/translocate.h | 29 +- SecurityTool/trust_settings_impexp.c | 10 +- SecurityTool/trusted_cert_add.c | 10 +- SecurityTool/trusted_cert_utils.c | 19 +- SecurityTool/verify_cert.c | 5 +- SecurityTool/verify_cert.h | 2 +- .../SharedWebCredentialViewService-Info.plist | 8 +- WHITEPAPER | 146 - asl/com.apple.securityd | 31 - ckcdiagnose/ckcdiagnose.sh | 12 +- codesign_wrapper/MISBase.h | 44 - codesign_wrapper/MISEntitlement.c | 100 - codesign_wrapper/MISEntitlement.h | 23 - codesign_wrapper/codesign.c | 276 - codesign_wrapper/codesign_wrapper.c | 1034 -- codesign_wrapper/codesign_wrapper.h | 87 - .../dtlsEcho => dtlsEcho}/README | 0 dtlsEcho/dtlsEchoClient.c | 421 + dtlsEcho/dtlsEchoServer.c | 436 + .../com.apple.icloudKeychainStats.plist | 19 - iCloudStat/main.c | 260 - libsecurity_smime/TODO | 9 - libsecurity_smime/lib/cmsasn1.c | 6 +- libsecurity_smime/lib/cmscinfo.c | 13 +- libsecurity_smime/lib/cmsdigdata.c | 6 + libsecurity_smime/lib/cmsencdata.c | 3 + libsecurity_smime/lib/cmslocal.h | 9 + libsecurity_smime/lib/cmspubkey.c | 583 +- libsecurity_smime/lib/cmsrecinfo.c | 102 +- libsecurity_smime/lib/cmssigdata.c | 4 + libsecurity_smime/lib/cmssiginfo.c | 11 +- libsecurity_smime/lib/cmstpriv.h | 2 +- libsecurity_smime/lib/cmsutil.c | 17 + libsecurity_smime/lib/secoid.c | 6 +- libsecurity_smime/lib/smimeutil.c | 6 + .../project.pbxproj | 103 +- ntlm/NtlmGenerator.c | 61 +- ntlm/NtlmGenerator.h | 4 +- ntlm/ntlmBlobPriv.c | 109 +- ntlm/ntlmBlobPriv.h | 17 +- resources/English.lproj/Certificate.strings | Bin 22712 -> 24718 bytes resources/English.lproj/CloudKeychain.strings | Bin 12608 -> 10030 bytes resources/English.lproj/OID.strings | Bin 211564 -> 212512 bytes resources/TrustedLogs.plist | 24 - sbr | 25 - secacltests/sec_acl_stress.c | 7 +- 
secdtests/secdtests-entitlements.plist | 6 + sectask/SecEntitlements.h | 8 + sectask/SecTask.c | 51 +- sectask/SecTask.h | 17 +- sectask/regressions/sectask-10-sectask.c | 19 +- securityd/config/project.xcconfig | 3 +- securityd/securityd.xcodeproj/project.pbxproj | 121 +- .../KeyStore/KeyStore-Info.plist | 6 +- .../project.pbxproj | 17 +- .../com.apple.securitydservice.sb | 5 +- .../securityd_service/main.c | 86 +- securityd/src/AuthorizationDBPlist.cpp | 416 - securityd/src/AuthorizationDBPlist.h | 83 - securityd/src/AuthorizationEngine.cpp | 366 - securityd/src/AuthorizationEngine.h | 103 - securityd/src/AuthorizationMechEval.cpp | 56 - securityd/src/AuthorizationMechEval.h | 69 - securityd/src/AuthorizationRule.cpp | 224 - securityd/src/AuthorizationRule.h | 161 - securityd/src/SharedMemoryServer.cpp | 33 +- securityd/src/SharedMemoryServer.h | 3 +- securityd/src/acl_keychain.cpp | 99 +- securityd/src/acl_keychain.h | 5 + securityd/src/acls.cpp | 73 +- securityd/src/acls.h | 8 +- securityd/src/agentquery.cpp | 267 +- securityd/src/agentquery.h | 24 +- securityd/src/auditevents.cpp | 2 +- securityd/src/authhost.cpp | 30 +- securityd/src/authhost.h | 12 +- securityd/src/authority.cpp | 319 - securityd/src/authority.h | 132 - securityd/src/ccaudit_extensions.cpp | 2 +- securityd/src/ccaudit_extensions.h | 2 +- securityd/src/child.cpp | 17 +- securityd/src/clientid.cpp | 92 +- securityd/src/clientid.h | 38 +- securityd/src/codesigdb.cpp | 77 +- securityd/src/codesigdb.h | 38 +- securityd/src/connection.cpp | 18 +- securityd/src/connection.h | 14 +- securityd/src/credential.cpp | 2 +- securityd/src/csproxy.cpp | 59 +- securityd/src/csproxy.h | 45 +- securityd/src/database.cpp | 79 +- securityd/src/database.h | 28 +- securityd/src/dbcrypto.cpp | 52 +- securityd/src/dbcrypto.h | 9 +- securityd/src/entropy.cpp | 6 +- securityd/src/kcdatabase.cpp | 452 +- securityd/src/kcdatabase.h | 55 +- securityd/src/kckey.cpp | 6 +- securityd/src/kckey.h | 2 - 
securityd/src/localkey.cpp | 4 +- securityd/src/main.cpp | 21 +- securityd/src/notifications.cpp | 27 +- securityd/src/pcscmonitor.cpp | 18 +- securityd/src/process.cpp | 77 +- securityd/src/process.h | 10 +- securityd/src/reader.cpp | 22 +- securityd/src/securityd.order | 105 +- securityd/src/server.cpp | 82 +- securityd/src/server.h | 25 +- securityd/src/session.cpp | 368 +- securityd/src/session.h | 74 +- securityd/src/structure.cpp | 2 +- securityd/src/tempdatabase.cpp | 4 +- securityd/src/token.cpp | 48 +- securityd/src/token.h | 2 - securityd/src/tokenaccess.cpp | 10 +- securityd/src/tokenacl.cpp | 2 +- securityd/src/tokencache.cpp | 21 +- securityd/src/tokend.cpp | 16 +- securityd/src/tokendatabase.cpp | 51 +- securityd/src/tokendatabase.h | 10 +- securityd/src/tokenkey.cpp | 2 +- securityd/src/transition.cpp | 401 +- spiralsink114.png | Bin 24752 -> 0 bytes spiralsink57.png | Bin 7978 -> 0 bytes sslViewer/SSLViewer.c | 6 +- sslViewer/ioSock.c | 3 +- sslViewer/sslAppUtils.cpp | 46 + sslViewer/sslAppUtils.h | 3 + sslViewer/sslServer.cpp | 2 +- sslViewer/sslViewer-entitlements.plist | 2 + xcconfig/Security.xcconfig | 10 + 1461 files changed, 97703 insertions(+), 64277 deletions(-) delete mode 100644 CloudKeychainProxy/CloudKeychainProxy.1 create mode 100644 IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyReceiveMessage.h create mode 100644 IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyReceiveMessage.m rename OSX/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.h => IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxySendMessage.h (60%) create mode 100644 IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxySendMessage.m create mode 100644 IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyThrottle.h create mode 100644 IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyThrottle.m rename {OSX/sec/SOSCircle/IDSKeychainSyncingProxy => IDSKeychainSyncingProxy}/IDSPersistentState.h (96%) rename 
{OSX/sec/SOSCircle/IDSKeychainSyncingProxy => IDSKeychainSyncingProxy}/IDSPersistentState.m (96%) rename {OSX/sec/SOSCircle/IDSKeychainSyncingProxy => IDSKeychainSyncingProxy}/IDSProxy.h (75%) create mode 100644 IDSKeychainSyncingProxy/IDSProxy.m rename IDSKeychainSyncingProxy/{com.apple.security.idskeychainsyncingproxy.plist => com.apple.security.idskeychainsyncingproxy.ios.plist} (79%) rename OSX/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist => IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.osx.plist (97%) rename {CloudKeychainProxy => IDSKeychainSyncingProxy}/en.lproj/InfoPlist.strings (100%) rename {OSX/sec/SOSCircle/IDSKeychainSyncingProxy => IDSKeychainSyncingProxy}/idskeychainsyncingproxy.m (68%) create mode 100644 KVSKeychainSyncingProxy/CKDAccount.h create mode 100644 KVSKeychainSyncingProxy/CKDKVSProxy.h create mode 100644 KVSKeychainSyncingProxy/CKDKVSProxy.m create mode 100644 KVSKeychainSyncingProxy/CKDKVSStore.h create mode 100644 KVSKeychainSyncingProxy/CKDKVSStore.m rename OSX/sec/SOSCircle/osxshim.c => KVSKeychainSyncingProxy/CKDPersistentState.h (68%) create mode 100644 KVSKeychainSyncingProxy/CKDPersistentState.m create mode 100644 KVSKeychainSyncingProxy/CKDSecuritydAccount.h create mode 100644 KVSKeychainSyncingProxy/CKDSecuritydAccount.m create mode 100644 KVSKeychainSyncingProxy/CKDStore.h rename {CloudKeychainProxy => KVSKeychainSyncingProxy}/CloudKeychainProxy-Info.plist (93%) rename {OSX/CloudKeychainProxy => KVSKeychainSyncingProxy}/cloudkeychain.entitlements.plist (96%) create mode 100644 KVSKeychainSyncingProxy/cloudkeychainproxy.m rename CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist => KVSKeychainSyncingProxy/com.apple.security.cloudkeychainproxy3.ios.plist (100%) rename OSX/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist => KVSKeychainSyncingProxy/com.apple.security.cloudkeychainproxy3.osx.plist (98%) rename Keychain_114x114.png => 
Keychain/Keychain_114x114.png (100%) rename Keychain_144x144.png => Keychain/Keychain_144x144.png (100%) rename Keychain_57x57.png => Keychain/Keychain_57x57.png (100%) rename Keychain_72x72.png => Keychain/Keychain_72x72.png (100%) create mode 100644 KeychainCircle/Info.plist create mode 100644 KeychainCircle/KCAESGCMDuplexSession.h create mode 100644 KeychainCircle/KCAESGCMDuplexSession.m create mode 100644 KeychainCircle/KCAccountKCCircleDelegate.h create mode 100644 KeychainCircle/KCAccountKCCircleDelegate.m create mode 100644 KeychainCircle/KCDer.h create mode 100644 KeychainCircle/KCDer.m create mode 100644 KeychainCircle/KCError.h create mode 100644 KeychainCircle/KCError.m create mode 100644 KeychainCircle/KCJoiningAcceptSession.m create mode 100644 KeychainCircle/KCJoiningMessages.h create mode 100644 KeychainCircle/KCJoiningMessages.m create mode 100644 KeychainCircle/KCJoiningRequestSession.m create mode 100644 KeychainCircle/KCJoiningSession.h create mode 100644 KeychainCircle/KCSRPContext.h create mode 100644 KeychainCircle/KCSRPContext.m create mode 100644 KeychainCircle/KeychainCircle.h create mode 100644 KeychainCircle/NSData+SecRandom.h create mode 100644 KeychainCircle/NSData+SecRandom.m create mode 100644 KeychainCircle/NSError+KCCreationHelpers.h create mode 100644 KeychainCircle/NSError+KCCreationHelpers.m create mode 100644 KeychainCircle/Tests/Info.plist create mode 100644 KeychainCircle/Tests/KCAESGCMTest.m create mode 100644 KeychainCircle/Tests/KCDerTest.m create mode 100644 KeychainCircle/Tests/KCJoiningSessionTest.m create mode 100644 KeychainCircle/Tests/KCSRPTests.m create mode 100644 KeychainCircle/Tests/KeychainCircle.plist create mode 100644 Modules/Security.iOS.modulemap create mode 100644 Modules/Security.macOS.modulemap rename OSX/Breadcrumb/{bc-10-knife-on-bread.c => bc-10-knife-on-bread.m} (53%) delete mode 100644 OSX/IDSKeychainSyncingProxy/com.apple.private.alloy.keychainsync.plist delete mode 100644 
OSX/IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings delete mode 100644 OSX/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist create mode 120000 OSX/Modules delete mode 100644 OSX/OSX.xcodeproj/xcshareddata/xcschemes/World.xcscheme delete mode 100644 OSX/OSX.xcodeproj/xcshareddata/xcschemes/copyHeaders.xcscheme create mode 100644 OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - World.xcscheme rename OSX/OSX.xcodeproj/xcshareddata/xcschemes/{secdtests.xcscheme => osx - secdtests.xcscheme} (81%) rename OSX/OSX.xcodeproj/xcshareddata/xcschemes/{sectests.xcscheme => osx - sectests.xcscheme} (82%) rename OSX/{IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist => SecurityTestsOSX/Info.plist} (58%) create mode 100644 OSX/SecurityTestsOSX/SecurityTests-Entitlements.plist create mode 100644 OSX/SecurityTestsOSX/main.m create mode 100644 OSX/SecurityTestsOSX/testlist.h delete mode 100644 OSX/cloud_keychain_diagnose/cloud_keychain_diagnose-Prefix.pch delete mode 100644 OSX/lib/AppWorkaround.plist delete mode 100644 OSX/libsecurity_apple_csp/TODO delete mode 100644 OSX/libsecurity_apple_x509_cl/TODO create mode 100644 OSX/libsecurity_cdsa_plugin/lib/ACabstractsession.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/ACabstractsession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/CLabstractsession.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/CLabstractsession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/CSPabstractsession.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/CSPabstractsession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/DLabstractsession.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/DLabstractsession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/TPabstractsession.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/TPabstractsession.h delete mode 100644 OSX/libsecurity_cdsa_plugin/lib/generator.cfg delete mode 100644 OSX/libsecurity_cdsa_plugin/lib/generator.mk delete mode 100644 
OSX/libsecurity_cdsa_plugin/lib/generator.pl create mode 100644 OSX/libsecurity_cms/regressions/cms-trust-settings-test.c create mode 100644 OSX/libsecurity_cms/regressions/cms-trust-settings-test.h create mode 100644 OSX/libsecurity_codesigning/CodeSigningHelper/main.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp create mode 100644 OSX/libsecurity_keychain/lib/TokenLogin.cpp create mode 100644 OSX/libsecurity_keychain/lib/TokenLogin.h create mode 100644 OSX/libsecurity_keychain/regressions/kc-01-keychain-creation.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-02-unlock-noui.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-03-keychain-list.c rename SecurityTests/regressions/kc/kc-12-status.c => OSX/libsecurity_keychain/regressions/kc-03-status.c (81%) mode change 100755 => 100644 rename SecurityTests/regressions/kc/kc-26-is-valid.c => OSX/libsecurity_keychain/regressions/kc-04-is-valid.c (68%) mode change 100755 => 100644 create mode 100644 OSX/libsecurity_keychain/regressions/kc-05-find-existing-items-locked.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-05-find-existing-items.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-06-cert-search-email.m rename SecurityTests/regressions/kc/kc-16-item-add-certificate.c => OSX/libsecurity_keychain/regressions/kc-10-item-add-certificate.c (95%) rename SecurityTests/regressions/kc/kc-15-item-add-generic.c => OSX/libsecurity_keychain/regressions/kc-10-item-add-generic.c (73%) mode change 100755 => 100644 rename SecurityTests/regressions/kc/kc-18-item-find-internet.c => OSX/libsecurity_keychain/regressions/kc-10-item-add-internet.c (77%) mode change 100755 => 100644 rename SecurityTests/regressions/kc/kc-17-item-find-key.c => OSX/libsecurity_keychain/regressions/kc-12-item-create-keypair.c (87%) mode change 100755 => 100644 create mode 100644 OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric-and-use.m create mode 100644 
OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-15-item-update-label-skimaad.m create mode 100644 OSX/libsecurity_keychain/regressions/kc-15-key-update-valueref.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-16-item-update-password.c rename SecurityTests/regressions/kc/kc-51-testSecItemFind.c => OSX/libsecurity_keychain/regressions/kc-18-find-combined.c (59%) rename {SecurityTests/regressions/kc => OSX/libsecurity_keychain/regressions}/kc-19-item-copy-internet.c (63%) mode change 100755 => 100644 create mode 100644 OSX/libsecurity_keychain/regressions/kc-20-identity-find-stress.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-20-identity-key-attributes.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-20-identity-persistent-refs.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-20-item-find-stress.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-20-key-find-stress.c rename {SecurityTests/regressions/kc => OSX/libsecurity_keychain/regressions}/kc-21-item-use-callback.c (54%) create mode 100644 OSX/libsecurity_keychain/regressions/kc-21-item-xattrs.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-23-key-export-symmetric.m create mode 100644 OSX/libsecurity_keychain/regressions/kc-24-key-copy-keychains.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-26-key-import-public.m create mode 100644 OSX/libsecurity_keychain/regressions/kc-27-key-non-extractable.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-28-cert-sign.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-28-p12-import.m delete mode 100644 OSX/libsecurity_keychain/regressions/kc-40-seckey.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-40-seckey.m rename OSX/libsecurity_keychain/regressions/{kc-41-sececkey.c => kc-41-sececkey.m} (83%) create mode 100644 OSX/libsecurity_keychain/regressions/kc-43-seckey-interop.m 
create mode 100644 OSX/libsecurity_keychain/regressions/kc-helpers.h create mode 100644 OSX/libsecurity_keychain/regressions/kc-identity-helpers.h create mode 100644 OSX/libsecurity_keychain/regressions/kc-item-helpers.h create mode 100644 OSX/libsecurity_keychain/regressions/kc-key-helpers.h create mode 100644 OSX/libsecurity_keychain/regressions/kc-keychain-file-helpers.h delete mode 100644 OSX/libsecurity_smime/TODO create mode 100644 OSX/libsecurity_smime/regressions/cms-01-basic.c create mode 100644 OSX/libsecurity_smime/regressions/cms-01-basic.h delete mode 100644 OSX/libsecurity_ssl/dtlsEcho/dtlsEchoClient.c delete mode 100644 OSX/libsecurity_ssl/dtlsEcho/dtlsEchoServer.c delete mode 100644 OSX/libsecurity_ssl/lib/appleSession.c delete mode 100644 OSX/libsecurity_ssl/lib/sslUtils.c delete mode 100644 OSX/libsecurity_ssl/lib/sslUtils.h create mode 100644 OSX/libsecurity_ssl/regressions/ssl-56-renegotiate.c delete mode 100644 OSX/libsecurity_ssl/sslViewer/fileIo.c delete mode 100644 OSX/libsecurity_ssl/sslViewer/ioSock.c delete mode 100644 OSX/libsecurity_ssl/sslViewer/ioSock.h delete mode 100644 OSX/libsecurity_ssl/sslViewer/printCert.c delete mode 100644 OSX/libsecurity_ssl/sslViewer/sslAppUtils.cpp delete mode 100644 OSX/libsecurity_ssl/sslViewer/sslAppUtils.h delete mode 100644 OSX/libsecurity_ssl/sslViewer/sslServer.1 delete mode 100644 OSX/libsecurity_ssl/sslViewer/sslServer.cpp delete mode 100644 OSX/libsecurity_ssl/sslViewer/sslViewer.1 delete mode 100644 OSX/libsecurity_ssl/sslViewer/sslViewer.cpp delete mode 100644 OSX/libsecurity_ssl/sslViewer/sslViewer.xcodeproj/project.pbxproj create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocate.cpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocate.h create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateClient.cpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateClient.hpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateDANotification.cpp 
create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateDANotification.hpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateInterface.cpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateInterface.hpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateLSNotification.cpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateLSNotification.hpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateServer.cpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateServer.hpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateShared.cpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateShared.hpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateUtilities.cpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateUtilities.hpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateXPCServer.cpp create mode 100644 OSX/libsecurity_translocate/lib/SecTranslocateXPCServer.hpp create mode 100644 OSX/libsecurity_translocate/lib/security_translocate.exp create mode 100644 OSX/libsecurity_translocate/libsecurity_translocate.xcodeproj/project.pbxproj create mode 100644 OSX/libsecurity_utilities/lib/FileLockTransaction.cpp create mode 100644 OSX/libsecurity_utilities/lib/FileLockTransaction.h rename OSX/{libsecurity_ssl/lib/appleSession.h => libsecurity_utilities/lib/casts.h} (55%) delete mode 100644 OSX/libsecurity_utilities/lib/debugging.cpp mode change 100644 => 120000 OSX/libsecurity_utilities/lib/debugging.h create mode 100644 OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainLogging.c create mode 100644 OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainLogging.h delete mode 100644 OSX/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.m delete mode 100644 OSX/sec/SOSCircle/CloudKeychainProxy/cloudkeychain.entitlements.plist delete mode 100644 OSX/sec/SOSCircle/CloudKeychainProxy/en.lproj/InfoPlist.strings delete mode 100644 
OSX/sec/SOSCircle/Empty.c delete mode 100644 OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSProxy.m delete mode 100644 OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist delete mode 100644 OSX/sec/SOSCircle/Regressions/CKDKeyValueStore.h delete mode 100644 OSX/sec/SOSCircle/Regressions/CKDKeyValueStore.m create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountLog.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountLog.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountViewSync.c delete mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.c delete mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPersist.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSViews.exp-in create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/ViewList.list create mode 100644 OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.h create mode 100644 OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.m create mode 100644 OSX/sec/SOSCircle/Tool/keychain_sync_test.h create mode 100644 OSX/sec/SOSCircle/Tool/keychain_sync_test.m create mode 100644 OSX/sec/SOSCircle/Tool/secViewDisplay.c rename OSX/{tlsnke/tlsnketest/ssl-utils.h => sec/SOSCircle/Tool/secViewDisplay.h} (71%) create mode 100644 OSX/sec/SOSCircle/Tool/syncbackup.c create mode 100644 OSX/sec/SOSCircle/Tool/syncbackup.h create mode 100644 OSX/sec/Security/Regressions/secitem/si-15-delete-access-group.m delete mode 100644 OSX/sec/Security/Regressions/secitem/si-20-sectrust-activation.c create mode 100644 OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.h delete mode 100644 OSX/sec/Security/Regressions/secitem/si-24-sectrust-appleid.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-24-sectrust-mobileasset.c 
delete mode 100644 OSX/sec/Security/Regressions/secitem/si-24-sectrust-otatasking.c rename OSX/sec/Security/Regressions/secitem/{si-24-sectrust-shoebox.c => si-24-sectrust-passbook.c} (73%) delete mode 100644 OSX/sec/Security/Regressions/secitem/si-25-sectrust-apple-authentication.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-25-sectrust-ipsec-eap.c rename OSX/sec/Security/Regressions/secitem/{si-26-applicationsigning.c => si-26-sectrust-copyproperties.c} (97%) delete mode 100644 OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.c create mode 100644 OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.h create mode 100644 OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.m delete mode 100644 OSX/sec/Security/Regressions/secitem/si-29-sectrust-codesigning.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-75-AppleIDRecordSigning.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-79-smp-cert-policy.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-81-sectrust-appletv.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-81-sectrust-server-auth.c create mode 100644 OSX/sec/Security/Regressions/secitem/si-82-token-ag.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-84-sectrust-atv-appsigning.c rename OSX/sec/Security/Regressions/secitem/{si-86-sectrust-eap-tls.h => si-85-sectrust-ssl-policy.h} (53%) delete mode 100644 OSX/sec/Security/Regressions/secitem/si-86-sectrust-eap-tls.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-88-sectrust-vpnprofile.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-88-sectrust-vpnprofile.h delete mode 100644 OSX/sec/Security/Regressions/secitem/si-91-sectrust-ast2.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-91-sectrust-ast2.h delete mode 100644 OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c delete mode 100644 OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h create mode 100644 
OSX/sec/Security/Regressions/secitem/si-95-cms-basic.c create mode 100644 OSX/sec/Security/Regressions/secitem/si-95-cms-basic.h create mode 100644 OSX/sec/Security/Regressions/secitem/si-97-sectrust-path-scoring.h create mode 100644 OSX/sec/Security/Regressions/secitem/si-97-sectrust-path-scoring.m create mode 100644 OSX/sec/Security/SecCFAllocator.c rename codesign_wrapper/codesign.h => OSX/sec/Security/SecCFAllocator.h (72%) create mode 100644 OSX/sec/Security/SecDigest.c create mode 100644 OSX/sec/Security/SecItemShim.h create mode 100644 OSX/sec/Security/SecKeyAdaptors.c create mode 100644 OSX/sec/Security/SecPolicyLeafCallbacks.c create mode 100644 OSX/sec/Security/SecSignatureVerificationSupport.c create mode 100644 OSX/sec/Security/SecSignatureVerificationSupport.h create mode 100644 OSX/sec/os_log/README_os_log_prefs.txt create mode 100644 OSX/sec/os_log/com.apple.securityd.plist create mode 100644 OSX/sec/securityd/Regressions/secd-100-initialsync.c create mode 100644 OSX/sec/securityd/Regressions/secd-130-other-peer-views.c create mode 100644 OSX/sec/securityd/Regressions/secd-200-logstate.c delete mode 100644 OSX/sec/securityd/Regressions/secd-33-keychain-ctk.c create mode 100644 OSX/sec/securityd/Regressions/secd-33-keychain-ctk.m create mode 100644 OSX/sec/securityd/Regressions/secd-57-1-account-last-standing.c create mode 100644 OSX/sec/securityd/Regressions/secd-71-engine-save-sample1.h create mode 100644 OSX/sec/securityd/Regressions/secd-71-engine-save.c create mode 100644 OSX/sec/securityd/Regressions/secd-76-idstransport.c create mode 100644 OSX/sec/securityd/Regressions/secd-83-item-match-policy.m create mode 100644 OSX/sec/securityd/Regressions/secd-83-item-match-trusted.m create mode 100644 OSX/sec/securityd/Regressions/secd-83-item-match-valid-on-date.m create mode 100644 OSX/sec/securityd/Regressions/secd-83-item-match.h create mode 100644 OSX/sec/securityd/Regressions/secd_77_ids_messaging.c create mode 100644 
OSX/sec/securityd/personalization.c rename OSX/sec/{SOSCircle/IDSKeychainSyncingProxy/idksmain.m => securityd/personalization.h} (77%) create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleApplicationIntegration2CA.cer rename SecurityTests/AppleID-certs/Apple Application Integration Certification Authority Cert.crt => OSX/shared_regressions/si-20-sectrust-policies-data/AppleApplicationIntegrationCA.cer (100%) create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleCodeSigningCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleCorporateRootCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleCorporateVPNClientCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleHomeKitServerCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleMacOSApplicationSigning.cer rename SecurityTests/AppleID-certs/AppleRootCertificate.crt => OSX/shared_regressions/si-20-sectrust-policies-data/AppleRootCA.cer (100%) create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleRootG2.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleRootG3.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleServerAuthentication.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleSoftwareUpdateCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleSystemIntegrationCAG3.cer rename SecurityTests/shoebox-certs/Apple Worldwide Developer Relations Certification Authority Cert.crt => OSX/shared_regressions/si-20-sectrust-policies-data/AppleWWDR-expired.cer (100%) rename SecurityTests/shoebox-certs/Apple Worldwide Developer Relations Certification Authority TEST Cert.crt => OSX/shared_regressions/si-20-sectrust-policies-data/AppleWWDR-test.cer (100%) create mode 100644 
OSX/shared_regressions/si-20-sectrust-policies-data/AppleWWDR.cer rename SecurityTests/AppleID-certs/iPhoneCACert.crt => OSX/shared_regressions/si-20-sectrust-policies-data/AppleiPhoneCA.cer (100%) create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/AppleiPhoneDeviceCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/DeveloperIDCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/EntrustCAL1C.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/EntrustRootCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/FakeAppleRootCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/InvalidEKUTest16.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/PairingRootCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/SSLTrustPolicyTestRootCertificate.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleGlobalRootCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleRootCA-ECC.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleRootCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleRootCAG3.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleServerAuthentication.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleSystemIntegration2CA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleSystemIntegrationCA-ECC.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleiPhoneDeviceCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/WiFiIntermediateCA.cer create mode 100644 
OSX/shared_regressions/si-20-sectrust-policies-data/WiFiRootCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/WrongPairingRootCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/apn_legacy.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/apple_corp_vpn_client.cer rename SecurityTests/AppleID-certs/Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt => OSX/shared_regressions/si-20-sectrust-policies-data/appleid_authority.cer (100%) create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/appleid_record_signing.cer rename SecurityTests/AppleID-certs/Invalid-asset_signing.crt => OSX/shared_regressions/si-20-sectrust-policies-data/asset_signing.cer (100%) create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ast2.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/configuration_profile.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/developer_id.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/developmentupdate.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/device_activation.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/device_cert.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/escrow.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/factory_device_cert.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/fmip.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/generic_apple_server.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/gsa.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/homekit.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ids.cer create mode 100644 
OSX/shared_regressions/si-20-sectrust-policies-data/ios_app_signing.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ios_provisioning_profile.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ios_vpn_app_signing.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/iphone_developer.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ivpntest.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ivpntestCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/mac_app_store_receipt.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/mac_app_store_receipt_badoid.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/mac_developer.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/osx_provisioning_profile.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/pairing_host_cert.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/passbook_cardman.cer rename SecurityTests/shoebox-certs/Invalid.com.apple.testcard.crt => OSX/shared_regressions/si-20-sectrust-policies-data/passbook_testcard.cer (100%) create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/smp.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/softwaresigning.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/softwareupdate.cer rename SecurityTests/OTATasking-certs/task_signing.crt => OSX/shared_regressions/si-20-sectrust-policies-data/task_signing.cer (100%) create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/test_ios_app_signing.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/test_ios_provisioning_profile.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/test_ipsec_gateway.cer create mode 100644 
OSX/shared_regressions/si-20-sectrust-policies-data/test_smp.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/test_tvos_app_signing.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/tvos_app_signing.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/tvos_vpn_profile.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ucrt.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ucrtTestIntermediate.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/ucrtTestRootCA.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies-data/wifi_user.cer create mode 100644 OSX/shared_regressions/si-20-sectrust-policies.m create mode 100644 OSX/shared_regressions/si-44-seckey-ec.m create mode 100644 OSX/shared_regressions/si-44-seckey-gen.m create mode 100644 OSX/shared_regressions/si-44-seckey-ies.m create mode 100644 OSX/shared_regressions/si-44-seckey-rsa.m delete mode 100644 OSX/shared_regressions/si-82-sectrust-ct-certs.h create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/CA_alpha.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/CA_beta.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/CTlogs.plist create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/bad_hash_ocsp_response.bin create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/digicert_sha2_ev_server_ca.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/invalid_ocsp_response.bin create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/pilot_3055998.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/pilot_3055998_issuer.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/serverA.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/serverA_proof_Alfa_3.bin create mode 100644 
OSX/shared_regressions/si-82-sectrust-ct-data/serverA_proof_Bravo_3.bin create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/serverD.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/serverD_proof.bin create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/serverF.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_1601.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_1603.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_1604.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_1701.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_1704.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_1705.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_1801.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_1804.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_1805.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/server_2001.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/valid_ocsp_response.bin create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_00008013.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_00008013_issuer.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_5555bc4f.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_5555bc4f_issuer.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_aaaae152.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_fff9b5f6.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_fff9b5f6_issuer.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/www_digicert_com_2015.crt create mode 100644 
OSX/shared_regressions/si-82-sectrust-ct-data/www_digicert_com_2016.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com.crt create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com_issuer.crt delete mode 100644 OSX/shared_regressions/si-82-sectrust-ct.c create mode 100644 OSX/shared_regressions/si-82-sectrust-ct.m delete mode 100644 OSX/tlsnke/README.tlsnke delete mode 100644 OSX/tlsnke/tlsnke.xcodeproj/project.pbxproj delete mode 100644 OSX/tlsnke/tlsnke.xcodeproj/project.xcworkspace/contents.xcworkspacedata delete mode 100644 OSX/tlsnke/tlsnke/tlsnke.h delete mode 100644 OSX/tlsnke/tlsnketest/cert-1.h delete mode 100644 OSX/tlsnke/tlsnketest/dtls_client.c delete mode 100644 OSX/tlsnke/tlsnketest/identity-1.h delete mode 100644 OSX/tlsnke/tlsnketest/main.c delete mode 100644 OSX/tlsnke/tlsnketest/privkey-1.h delete mode 100644 OSX/tlsnke/tlsnketest/ssl-utils.c delete mode 100644 OSX/tlsnke/tlsnketest/st_test.c delete mode 100644 OSX/tlsnke/tlsnketest/tlssocket.c delete mode 100644 OSX/tlsnke/tlsnketest/tlssocket.h rename OSX/{libsecurity_ssl/sslViewer/printCert.h => trustd/SecTrustOSXEntryPoints.h} (50%) create mode 100644 OSX/trustd/entitlements.plist delete mode 100644 OSX/utilities/src/SecdUsage.c delete mode 100644 OSX/utilities/src/cloud_keychain_diagnose.c create mode 100644 RegressionTests/secitemfunctionality/secitemfunctionality.entitlements create mode 100644 RegressionTests/secitemfunctionality/secitemfunctionality.m create mode 100644 RegressionTests/secitemnotifications/secitemnotifications.entitlements create mode 100644 RegressionTests/secitemnotifications/secitemnotifications.m create mode 100644 RegressionTests/secitemstresstest/secitemstresstest.entitlements create mode 100644 RegressionTests/secitemstresstest/secitemstresstest.m delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/Security_executables.xcscheme delete mode 100644 
Security.xcodeproj/xcshareddata/xcschemes/Security_frameworks.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/Security_temporary_UI.xcscheme rename Security.xcodeproj/xcshareddata/xcschemes/{Debug.xcscheme => ios - Debug.xcscheme} (93%) rename Security.xcodeproj/xcshareddata/xcschemes/{Release.xcscheme => ios - Release.xcscheme} (93%) rename Security.xcodeproj/xcshareddata/xcschemes/{secdtests.xcscheme => ios - secdtests.xcscheme} (94%) delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/phase1.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/phase2.xcscheme create mode 100755 SecurityFeatures/CopyHeaders.sh create mode 100755 SecurityFeatures/ExternalProject.sh create mode 100644 SecurityFeatures/OSX/SecurityFeatures.h create mode 100644 SecurityFeatures/README.txt rename IDSKeychainSyncingProxy/idksmain.m => SecurityFeatures/iOS/SecurityFeatures.h (74%) rename Default-568h@2x.png => SecurityTests/Default-568h@2x.png (100%) delete mode 100644 SecurityTests/OTATasking-certs/Invalid-asset_signing.crt delete mode 100644 SecurityTests/mobileasset-certs/AppleRootCertificate.crt delete mode 100644 SecurityTests/mobileasset-certs/Invalid-task_signing.crt delete mode 100644 SecurityTests/mobileasset-certs/asset_signing.crt delete mode 100644 SecurityTests/mobileasset-certs/iPhoneCACert.crt delete mode 100755 SecurityTests/regressions/kc/kc-05-retain-release.c delete mode 100755 SecurityTests/regressions/kc/kc-10-unlock-noui.c delete mode 100755 SecurityTests/regressions/kc/kc-22-key-symmetric.c delete mode 100644 SecurityTests/shoebox-certs/Apple TEST RootCertificate.crt delete mode 100644 SecurityTests/shoebox-certs/AppleRootCertificate.crt create mode 100644 SecurityTests/ssl-policy-certs/InvalidWildcardTest27Test28.cer create mode 100644 SecurityTests/ssl-policy-certs/InvalidWildcardTest30.cer create mode 100644 SecurityTests/ssl-policy-certs/InvalidWildcardTest31.cer create mode 100644 
SecurityTests/ssl-policy-certs/InvalidWildcardTest32.cer create mode 100644 SecurityTests/ssl-policy-certs/InvalidWildcardTest33.cer create mode 100644 SecurityTests/ssl-policy-certs/InvalidWildcardTest34.cer rename SecurityTool/{security.h => security_tool.h} (100%) create mode 100644 SecurityTool/smartcards.h create mode 100644 SecurityTool/smartcards.m create mode 100644 SecurityTool/translocate.c rename OSX/libsecurity_ssl/sslViewer/fileIo.h => SecurityTool/translocate.h (71%) delete mode 100644 WHITEPAPER delete mode 100644 asl/com.apple.securityd delete mode 100644 codesign_wrapper/MISBase.h delete mode 100644 codesign_wrapper/MISEntitlement.c delete mode 100644 codesign_wrapper/MISEntitlement.h delete mode 100644 codesign_wrapper/codesign.c delete mode 100644 codesign_wrapper/codesign_wrapper.c delete mode 100644 codesign_wrapper/codesign_wrapper.h rename {OSX/libsecurity_ssl/dtlsEcho => dtlsEcho}/README (100%) create mode 100644 dtlsEcho/dtlsEchoClient.c create mode 100644 dtlsEcho/dtlsEchoServer.c delete mode 100644 iCloudStat/com.apple.icloudKeychainStats.plist delete mode 100644 iCloudStat/main.c delete mode 100644 libsecurity_smime/TODO delete mode 100644 resources/TrustedLogs.plist delete mode 100755 sbr delete mode 100644 securityd/src/AuthorizationDBPlist.cpp delete mode 100644 securityd/src/AuthorizationDBPlist.h delete mode 100644 securityd/src/AuthorizationEngine.cpp delete mode 100644 securityd/src/AuthorizationEngine.h delete mode 100644 securityd/src/AuthorizationMechEval.cpp delete mode 100644 securityd/src/AuthorizationMechEval.h delete mode 100644 securityd/src/AuthorizationRule.cpp delete mode 100644 securityd/src/AuthorizationRule.h delete mode 100644 securityd/src/authority.cpp delete mode 100644 securityd/src/authority.h delete mode 100644 spiralsink114.png delete mode 100644 spiralsink57.png create mode 100644 xcconfig/Security.xcconfig 
diff --git a/CircleJoinRequested/CircleJoinRequested.m b/CircleJoinRequested/CircleJoinRequested.m index 4c8bddd3..ba4bbb13 100644 --- a/CircleJoinRequested/CircleJoinRequested.m +++ b/CircleJoinRequested/CircleJoinRequested.m @@ -25,6 +25,7 @@ #import <SpringBoardServices/SBSCFUserNotificationKeys.h> #include <dispatch/dispatch.h> #include "SecureObjectSync/SOSCloudCircle.h" +#include "SecureObjectSync/SOSCloudCircleInternal.h" #include "SecureObjectSync/SOSPeerInfo.h" #include <notify.h> #include <sysexits.h> @@ -36,9 +37,14 @@ #import "NSDate+TimeIntervalDescription.h" #include <xpc/activity.h> #include <xpc/private.h> +#import "os/activity.h" #import <syslog.h> #include "utilities/SecCFRelease.h" #include "utilities/debugging.h" +#include "utilities/SecAKSWrappers.h" + +#import "CoreCDP/CDPFollowUpController.h" +#import "CoreCDP/CDPFollowUpContext.h" // As long as we are logging the failure use exit code of zero to make launchd happy #define EXIT_LOGGED_FAILURE(code) xpc_transaction_end(); exit(0) 
@@ -51,10 +57,64 @@ bool currentAlertIsForKickOut = false; NSMutableDictionary *applicants = nil; volatile NSString *debugState = @"main?"; dispatch_block_t doOnceInMainBlockChain = NULL; +bool _isLocked = true; +bool processApplicantsAfterUnlock = false; +bool _unlockedSinceBoot = false; NSString *castleKeychainUrl = @"prefs:root=CASTLE&path=Keychain/ADVANCED"; NSString *rejoinICDPUrl = @"prefs:root=CASTLE&aaaction=CDP&command=rejoin"; +BOOL processRequests(CFErrorRef *error); + + +static void keybagDidLock() +{ + secnotice("cjr", "keybagDidLock"); +} + +static void keybagDidUnlock() +{ + secnotice("cjr", "keybagDidUnlock"); + + CFErrorRef error = NULL; + + if(processApplicantsAfterUnlock){ + processRequests(&error); + processApplicantsAfterUnlock = false; + } + +} + +static bool updateIsLocked () +{ + CFErrorRef aksError = NULL; + if (!SecAKSGetIsLocked(&_isLocked, &aksError)) { + _isLocked = YES; + secerror("Got error querying lock state: %@", aksError); + CFReleaseSafe(aksError); + return NO; + } + if (!_isLocked) + _unlockedSinceBoot = YES; + return YES; +} + +static void keybagStateChange () +{ + secerror("osactivity initiated"); + os_activity_initiate("keybagStateChanged", OS_ACTIVITY_FLAG_DEFAULT, ^{ + BOOL wasLocked = _isLocked; + if ( updateIsLocked()) { + if (wasLocked == _isLocked) + secerror("still %s ignoring", _isLocked ? "locked" : "unlocked"); + else if (_isLocked) + keybagDidLock(); + else + keybagDidUnlock(); + } + }); +} + static void doOnceInMain(dispatch_block_t block) { if (doOnceInMainBlockChain) { 
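Review bot: In keybagDidUnlock the CFErrorRef handed to `processRequests(&error)` is neither logged nor released, so a failed post-unlock pass leaks the error object and leaves no trace of why the queued applicants were not processed, while every other processRequests call in this file pairs with `CFReleaseNull(error)`; suggested body: `if (!processRequests(&error)) secnotice("cjr", "processRequests after unlock failed: %@", error); CFReleaseNull(error);`. updateIsLocked is declared `bool` yet returns `YES`/`NO` and stores `_isLocked = YES`, so pick one of bool/BOOL for the new globals and functions. keybagStateChange reports its routine "osactivity initiated" and "still locked/unlocked, ignoring" paths through `secerror`, which files ordinary state churn at error level; `secnotice("cjr", ...)` matches the rest of the hunk. The empty parameter lists `()` on the new functions should be `(void)`, and the doOnceInMain definition this hunk ends on continues past it.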
@@ -111,22 +171,22 @@ static NSMutableArray *applicantsInState(ApplicantUIState state) } -static BOOL processRequests(CFErrorRef *error) { +BOOL processRequests(CFErrorRef *error) { NSMutableArray *toAccept = [[applicantsInState(ApplicantAccepted) mapWithBlock:^id(id obj) {return (id)[obj rawPeerInfo];}] mutableCopy]; NSMutableArray *toReject = [[applicantsInState(ApplicantRejected) mapWithBlock:^id(id obj) {return (id)[obj rawPeerInfo];}] mutableCopy]; bool ok = true; if ([toAccept count]) { - NSLog(@"Process accept: %@", toAccept); + secnotice("cjr", "Process accept: %@", toAccept); ok = ok && SOSCCAcceptApplicants((__bridge CFArrayRef) toAccept, error); if (ok) { - NSLog(@"kSOSCCHoldLockForInitialSync"); + secnotice("cjr", "kSOSCCHoldLockForInitialSync"); notify_post(kSOSCCHoldLockForInitialSync); } } if ([toReject count]) { - NSLog(@"Process reject: %@", toReject); + secnotice("cjr", "Process reject: %@", toReject); ok = ok && SOSCCRejectApplicants((__bridge CFArrayRef) toReject, error); } @@ -162,7 +222,7 @@ static void applicantChoice(CFUserNotificationRef userNotification, CFOptionFlag } else if (kCFUserNotificationDefaultResponse == responseFlags) { choice = ApplicantAccepted; } else { - NSLog(@"Unexpected response %lu", responseFlags); + secnotice("cjr", "Unexpected response %lu", responseFlags); choice = ApplicantRejected; } 
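Review bot: Dropping `static` from processRequests exports a symbol that is only referenced from this file; the forward declaration added near the top (`BOOL processRequests(CFErrorRef *error);`) is all the early call from keybagDidUnlock needs, so both can stay file-local. Keep the definition as `static BOOL processRequests(CFErrorRef *error) {` and make the prototype `static BOOL processRequests(CFErrorRef *error);`, which keeps the name out of the binary's external symbol table. The remainder of this hunk only swaps NSLog for secnotice, and the body of processRequests continues beyond the hunk.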
@@ -179,20 +239,26 @@ static void applicantChoice(CFUserNotificationRef userNotification, CFOptionFlag // If this device has ever set up the public key this should work without the password... processed = processRequests(&error); if (processed) { - NSLog(@"Didn't need password to process %@", onScreen); + secnotice("cjr", "Didn't need password to process %@", onScreen); cancelCurrentAlert(true); return; } else { // ...however if the public key gets lost we should "just" fall through to the validate // password path. - NSLog(@"Couldn't process reject without password (e=%@) for %@ (will try with password next)", error, onScreen); + secnotice("cjr", "Couldn't process reject without password (e=%@) for %@ (will try with password next)", error, onScreen); + + if (CFErrorGetCode(error) == -536870174 && CFErrorGetDomain(error) == kSecKernDomain) { + secnotice("cjr", "system is locked, dismiss the notification"); + processApplicantsAfterUnlock = true; + return; + } } CFReleaseNull(error); } NSString *password = (__bridge NSString *) CFUserNotificationGetResponseValue(userNotification, kCFUserNotificationTextFieldValuesKey, 0); if (!password) { - NSLog(@"No password given, retry"); + secnotice("cjr", "No password given, retry"); askAboutAll(true); return; } 
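Review bot: The new lock-state check reaches `CFErrorGetCode(error)` without a null test, yet the credential loop further down in this same function already treats `error == NULL` as a possible outcome of a failed call, so a NULL error here crashes. The domain is compared by pointer identity (`CFErrorGetDomain(error) == kSecKernDomain`) where the file otherwise uses `CFEqual(...)`, and `-536870174` is an unnamed magic number (it is the 32-bit value 0xE00002E2; if the intent is the IOReturn code kIOReturnNotPermitted, use that name with a comment). The early `return` also skips the `CFReleaseNull(error)` that follows, and the log line says the notification is dismissed while nothing dismisses it, whereas the other early exits in this function call `cancelCurrentAlert(true)` first. Suggested guard: `if (error && CFEqual(CFErrorGetDomain(error), kSecKernDomain) && CFErrorGetCode(error) == -536870174) {` with `CFReleaseNull(error);` before the return. applicantChoice starts and ends outside this hunk.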
@@ -204,10 +270,10 @@ static void applicantChoice(CFUserNotificationRef userNotification, CFOptionFlag // failure a few times before we give up. for (int try = 0; try < 5 && !processed; try++) { if (!SOSCCTryUserCredentials(CFSTR(""), (__bridge CFDataRef) passwordBytes, &error)) { - NSLog(@"Try user credentials failed %@", error); + secnotice("cjr", "Try user credentials failed %@", error); if ((error == NULL) || (CFEqual(kSOSErrorDomain, CFErrorGetDomain(error)) && kSOSErrorWrongPassword == CFErrorGetCode(error))) { - NSLog(@"Calling askAboutAll again..."); + secnotice("cjr", "Calling askAboutAll again..."); [onScreen enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) { Applicant *applicant = (Applicant*) obj; applicant.applicantUIState = ApplicantWaiting; @@ -221,7 +287,7 @@ static void applicantChoice(CFUserNotificationRef userNotification, CFOptionFlag processed = processRequests(&error); if (!processed) { - NSLog(@"Can't processRequests: %@ for %@", error, onScreen); + secnotice("cjr", "Can't processRequests: %@ for %@", error, onScreen); } CFReleaseNull(error); } @@ -299,7 +365,7 @@ static NSDictionary *createNote(Applicant *applicantToAskAbout) static void askAboutAll(bool passwordFailure) { if ([[MCProfileConnection sharedConnection] effectiveBoolValueForSetting: MCFeatureAccountModificationAllowed] == MCRestrictedBoolExplicitNo) { - NSLog(@"Account modifications not allowed."); + secnotice("cjr", "Account modifications not allowed."); return; } 
@@ -319,11 +385,11 @@ static void askAboutAll(bool passwordFailure) currentAlertIsForApplicants = true; Applicant *applicantToAskAbout = firstApplicantWaitingOrOnScreen(); - NSLog(@"Asking about: %@ (of: %@)", applicantToAskAbout, applicants); + secnotice("cjr", "Asking about: %@ (of: %@)", applicantToAskAbout, applicants); NSDictionary *noteAttributes = createNote(applicantToAskAbout); if(!noteAttributes) { - NSLog(@"NULL data for %@", applicantToAskAbout); + secnotice("cjr", "NULL data for %@", applicantToAskAbout); cancelCurrentAlert(true); return; } @@ -333,14 +399,14 @@ static void askAboutAll(bool passwordFailure) if (currentAlert) { SInt32 err = CFUserNotificationUpdate(currentAlert, 0, flags, (__bridge CFDictionaryRef) noteAttributes); if (err) { - NSLog(@"CFUserNotificationUpdate err=%d", (int)err); + secnotice("cjr", "CFUserNotificationUpdate err=%d", (int)err); EXIT_LOGGED_FAILURE(EX_SOFTWARE); } } else { SInt32 err = 0; currentAlert = CFUserNotificationCreate(NULL, 0.0, flags, &err, (__bridge CFDictionaryRef) noteAttributes); if (err) { - NSLog(@"Can't make notification for %@ err=%x", applicantToAskAbout, (int)err); + secnotice("cjr", "Can't make notification for %@ err=%x", applicantToAskAbout, (int)err); EXIT_LOGGED_FAILURE(EX_SOFTWARE); } @@ -362,7 +428,7 @@ static void scheduleActivity(int alertInterval) xpc_dictionary_set_string(options, XPC_ACTIVITY_PRIORITY, XPC_ACTIVITY_PRIORITY_UTILITY); xpc_activity_register(kLaunchLaterXPCName, options, ^(xpc_activity_t activity) { - NSLog(@"activity handler fired"); + secnotice("cjr", "activity handler fired"); }); } 
@@ -377,7 +443,7 @@ static void reminderChoice(CFUserNotificationRef userNotification, CFOptionFlags if (responseFlags == kCFUserNotificationAlternateResponse) { // Use security code BOOL ok = [[LSApplicationWorkspace defaultWorkspace] openSensitiveURL:[NSURL URLWithString:castleKeychainUrl] withOptions:nil]; - NSLog(@"%s iCSC: opening %@ ok=%d", __FUNCTION__, castleKeychainUrl, ok); + secnotice("cjr", "%s iCSC: opening %@ ok=%d", __FUNCTION__, castleKeychainUrl, ok); } } @@ -389,7 +455,7 @@ static bool iCloudResetAvailable() { SecureBackup *backupd = [SecureBackup new]; NSDictionary *backupdResults; NSError *error = [backupd getAccountInfoWithInfo:nil results:&backupdResults]; - NSLog(@"SecureBackup e=%@ r=%@", error, backupdResults); + secnotice("cjr", "SecureBackup e=%@ r=%@", error, backupdResults); return (error == nil && [backupdResults[kSecureBackupIsEnabledKey] isEqualToNumber:@YES]); } @@ -422,7 +488,7 @@ static void postApplicationReminderAlert(NSDate *nowish, PersistentState *state, if (CPIsInternalDevice() && state.defaultPendingApplicationReminderAlertInterval != state.pendingApplicationReminderAlertInterval) { -#if !defined(NDEBUG) +#ifdef DEBUG body = [body stringByAppendingFormat: @"ãdebug interval %u; wait time %@ã", state.pendingApplicationReminderAlertInterval, [nowish copyDescriptionOfIntervalSince:state.applicationDate]]; 
@@ -437,13 +503,12 @@ static void postApplicationReminderAlert(NSDate *nowish, PersistentState *state, (id) kCFUserNotificationAlertTopMostKey : @YES, (__bridge id) SBUserNotificationDontDismissOnUnlock : @YES, (__bridge id) SBUserNotificationDismissOnLock : @NO, - (__bridge id) SBUserNotificationOneButtonPerLine : @YES, }; SInt32 err = 0; currentAlert = CFUserNotificationCreate(NULL, 0.0, kCFUserNotificationPlainAlertLevel, &err, (__bridge CFDictionaryRef) pendingAttributes); if (err) { - NSLog(@"Can't make pending notification err=%x", (int)err); + secnotice("cjr", "Can't make pending notification err=%x", (int)err); } else { currentAlertIsForApplicants = false; currentAlertSource = CFUserNotificationCreateRunLoopSource(NULL, currentAlert, reminderChoice, 0); @@ -453,7 +518,9 @@ static void postApplicationReminderAlert(NSDate *nowish, PersistentState *state, static void kickOutChoice(CFUserNotificationRef userNotification, CFOptionFlags responseFlags) { - NSLog(@"kOC %@ %lu", userNotification, responseFlags); + secnotice("cjr", "kOC %@ %lu", userNotification, responseFlags); + + //default response: continue -> settings pref pane advanced keychain sync page if (responseFlags == kCFUserNotificationDefaultResponse) { // We need to let things unwind to main for the new state to get saved doOnceInMain(^{ 
@@ -472,9 +539,40 @@ static void kickOutChoice(CFUserNotificationRef userNotification, CFOptionFlags } NSURL *url = [NSURL URLWithString: localICDP ? rejoinICDPUrl : castleKeychainUrl]; BOOL ok = [[LSApplicationWorkspace defaultWorkspace] openSensitiveURL:url withOptions:nil]; - NSLog(@"ok=%d opening %@", ok, url); + secnotice("cjr", "ok=%d opening %@", ok, url); }); } + //alternate response: later -> call CD + else if (responseFlags == kCFUserNotificationAlternateResponse) { + // We need to let things unwind to main for the new state to get saved + doOnceInMain(^{ + CDPFollowUpController *cdpd = [[CDPFollowUpController alloc] init]; + ACAccountStore *store = [ACAccountStore new]; + ACAccount *primary = [store aa_primaryAppleAccount]; + NSString *dsid = [primary aa_personID]; + bool localICDP = false; + if (dsid) { + NSDictionary *options = @{ (__bridge id) kPCSSetupDSID : dsid, }; + PCSIdentitySetRef identity = PCSIdentitySetCreate((__bridge CFDictionaryRef) options, NULL, NULL); + + if (identity) { + localICDP = PCSIdentitySetIsICDP(identity, NULL); + CFRelease(identity); + } + } + if(localICDP){ + NSError *localError = nil; + CDPFollowUpContext *context = [CDPFollowUpContext contextForStateRepair]; + [cdpd postFollowUpWithContext:context error:&localError ]; + if(localError){ + secnotice("cjr", "request to CoreCDP to follow up failed: %@", localError); + } + else + secnotice("cjr", "CoreCDP handling follow up"); + } + }); + + } cancelCurrentAlert(true); } @@ -505,7 +603,7 @@ static void postKickedOutAlert(enum DepartureReason reason) ADClientSetValueForScalarKey(CJRAggdNumCircleDevicesKey, num_peers); debugState = @"pKOA A"; - syslog(LOG_ERR, "DepartureReason %d", reason); + secnotice("cjr", "DepartureReason %d", reason); switch (reason) { case kSOSDiscoveredRetirement: case kSOSLostPrivateKey: 
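Review bot: The alternate-response branch ignores the return value of `-[CDPFollowUpController postFollowUpWithContext:error:]` and judges success from `localError` alone, which inverts the Cocoa convention where the BOOL result is authoritative and the out-error is only meaningful on failure; write it as `if (![cdpd postFollowUpWithContext:context error:&localError]) secnotice("cjr", "request to CoreCDP to follow up failed: %@", localError); else secnotice("cjr", "CoreCDP handling follow up");`. The account lookup (ACAccountStore → aa_personID → PCSIdentitySetCreate → PCSIdentitySetIsICDP) appears to repeat the sequence the default-response branch runs just above this hunk, judging by its `localICDP ? rejoinICDPUrl : castleKeychainUrl`, so it belongs in one `static bool accountIsICDP(void)` helper rather than a second copy. When the account is not iCDP the "later" response silently does nothing; an `else secnotice("cjr", "not iCDP, no follow-up posted");` would explain the silence, and `cdpd` can be allocated inside the `if(localICDP)` since it is unused otherwise. kickOutChoice starts outside the hunk.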
@@ -522,6 +620,7 @@ static void postKickedOutAlert(enum DepartureReason reason) return; break; + case kSOSPasswordChanged: case kSOSNeverLeftCircle: case kSOSMembershipRevoked: case kSOSLeftUntrustedCircle: @@ -541,6 +640,7 @@ static void postKickedOutAlert(enum DepartureReason reason) "kSOSNeverAppliedToCircle", "kSOSDiscoveredRetirement", "kSOSLostPrivateKey", + "kSOSPasswordChanged", "unknown reason" }; int idx = (kSOSDepartureReasonError <= reason && reason <= kSOSLostPrivateKey) ? reason : (kSOSLostPrivateKey + 1); @@ -557,13 +657,12 @@ static void postKickedOutAlert(enum DepartureReason reason) (id) kCFUserNotificationAlertTopMostKey : @YES, (__bridge id) SBUserNotificationDismissOnLock : @NO, (__bridge id) SBUserNotificationDontDismissOnUnlock : @YES, - (__bridge id) SBUserNotificationOneButtonPerLine : @YES, }; SInt32 err = 0; - + if (currentAlertIsForKickOut) { debugState = @"pKOA B"; - NSLog(@"Updating existing alert %@ with %@", currentAlert, kickedAttributes); + secnotice("cjr", "Updating existing alert %@ with %@", currentAlert, kickedAttributes); CFUserNotificationUpdate(currentAlert, 0, kCFUserNotificationPlainAlertLevel, (__bridge CFDictionaryRef) kickedAttributes); } else { debugState = @"pKOA C"; 
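Review bot: In the second hunk here (`@@ -541,6 +640,7 @@`) the string table gains `"kSOSPasswordChanged"`, but the clamp on the line after it still uses `kSOSLostPrivateKey` as the upper bound, so the new reason prints under its own name only if its enum value happens to be exactly `kSOSLostPrivateKey + 1`, and any larger value now maps to the password-changed string while `"unknown reason"` becomes unreachable. Change it to `int idx = (kSOSDepartureReasonError <= reason && reason <= kSOSPasswordChanged) ? reason : (kSOSPasswordChanged + 1);`, which keeps the last entry as the catch-all, and consider a `_Static_assert` on the table length so the next added reason cannot drift again. The first hunk routes kSOSPasswordChanged together with kSOSNeverLeftCircle in the switch, which looks intentional; the body of postKickedOutAlert spans all three hunks on this line.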
@@ -571,24 +670,26 @@ static void postKickedOutAlert(enum DepartureReason reason) CFUserNotificationRef note = CFUserNotificationCreate(NULL, 0.0, kCFUserNotificationPlainAlertLevel, &err, (__bridge CFDictionaryRef) kickedAttributes); assert((note == NULL) == (err != 0)); if (err) { - NSLog(@"Can't make kicked out notification err=%x", (int)err); + secnotice("cjr", "Can't make kicked out notification err=%x", (int)err); + CFReleaseNull(note); } else { currentAlertIsForApplicants = false; currentAlertIsForKickOut = true; currentAlert = note; - NSLog(@"New ko alert %@ a=%@", currentAlert, kickedAttributes); + secnotice("cjr", "New ko alert %@ a=%@", currentAlert, kickedAttributes); currentAlertSource = CFUserNotificationCreateRunLoopSource(NULL, currentAlert, kickOutChoice, 0); CFRunLoopAddSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode); int backupStateChangeToken; notify_register_dispatch("com.apple.EscrowSecurityAlert.reset", &backupStateChangeToken, dispatch_get_main_queue(), ^(int token) { if (currentAlert == note) { - NSLog(@"Backup state might have changed (dS=%@)", debugState); + secnotice("cjr", "Backup state might have changed (dS=%@)", debugState); postKickedOutAlert(reason); } else { - NSLog(@"Backup state may have changed, but we don't care anymore (dS=%@)", debugState); + secnotice("cjr", "Backup state may have changed, but we don't care anymore (dS=%@)", debugState); } }); + debugState = @"pKOA D"; CFRunLoopRun(); debugState = @"pKOA E"; 
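Review bot: Every call of postKickedOutAlert registers another handler via `notify_register_dispatch("com.apple.EscrowSecurityAlert.reset", &backupStateChangeToken, ...)` and the token is never cancelled, so after the alert is re-posted the stale handlers keep firing and logging "we don't care anymore" for the life of the process; the CircleChanged handler later in this file cancels itself in the same situation. Add `notify_cancel(token);` in the `else` branch where `currentAlert != note`. The added `CFReleaseNull(note)` on the error path is harmless but dead, given the `assert((note == NULL) == (err != 0))` directly above it.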
@@ -609,12 +710,11 @@ static bool processEvents() NSDate *nowish = [NSDate date]; PersistentState *state = [PersistentState loadFromStorage]; enum DepartureReason departureReason = SOSCCGetLastDepartureReason(&departError); - NSLog(@"CircleStatus %d -> %d{%d} (s=%p)", state.lastCircleStatus, circleStatus, departureReason, state); - + secnotice("cjr", "CircleStatus %d -> %d{%d} (s=%p)", state.lastCircleStatus, circleStatus, departureReason, state); // Pending application reminder NSTimeInterval timeUntilApplicationAlert = [state.pendingApplicationReminder timeIntervalSinceDate:nowish]; - NSLog(@"Time until pendingApplicationReminder (%@) %f", [state.pendingApplicationReminder debugDescription], timeUntilApplicationAlert); + secnotice("cjr", "Time until pendingApplicationReminder (%@) %f", [state.pendingApplicationReminder debugDescription], timeUntilApplicationAlert); if (circleStatus == kSOSCCRequestPending) { if (timeUntilApplicationAlert <= 0) { debugState = @"reminderAlert"; 
@@ -624,16 +724,27 @@ static bool processEvents() } } - + if(circleStatus == kSOSCCError && state.lastCircleStatus != kSOSCCError && (departureReason == kSOSNeverLeftCircle)) { + secnotice("cjr", "error from SOSCCThisDeviceIsInCircle: %@", error); + CFIndex errorCode = CFErrorGetCode(error); + if(errorCode == kSOSErrorPublicKeyAbsent){ + secnotice("cjr", "We need the password to re-validate ourselves - it's changed on another device"); + postKickedOutAlert(kSOSPasswordChanged); + state.lastCircleStatus = kSOSCCError; + [state writeToStorage]; + return true; + } + } + // No longer in circle? if ((state.lastCircleStatus == kSOSCCInCircle && (circleStatus == kSOSCCNotInCircle || circleStatus == kSOSCCCircleAbsent)) || (state.lastCircleStatus == kSOSCCCircleAbsent && circleStatus == kSOSCCNotInCircle && state.absentCircleWithNoReason) || state.debugShowLeftReason) { // Used to be in the circle, now we aren't - tell the user why debugState = @"processEvents B"; - - if (state.debugShowLeftReason) { - NSLog(@"debugShowLeftReason: %@", state.debugShowLeftReason); + + if (state.debugShowLeftReason) { + secnotice("cjr", "debugShowLeftReason: %@", state.debugShowLeftReason); departureReason = [state.debugShowLeftReason intValue]; state.debugShowLeftReason = nil; CFReleaseNull(departError); 
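Review bot: The new kSOSCCError branch calls `CFErrorGetCode(error)` without checking that `error` is non-NULL or that its domain is kSOSErrorDomain, so a NULL error crashes and a code from another domain that happens to equal kSOSErrorPublicKeyAbsent raises the password-changed alert; the credential path elsewhere in this file checks `CFEqual(kSOSErrorDomain, CFErrorGetDomain(error))` before comparing codes. Suggested condition: `if (error && CFEqual(kSOSErrorDomain, CFErrorGetDomain(error)) && CFErrorGetCode(error) == kSOSErrorPublicKeyAbsent) {`. The `return true` leaves processEvents before whatever releases `error` (presumably from the SOSCCThisDeviceIsInCircle call above the hunk) and `departError`, so confirm those are not leaked on this path; processEvents starts and ends outside this hunk.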
@@ -642,14 +753,14 @@ static bool processEvents() if (departureReason != kSOSDepartureReasonError) { state.absentCircleWithNoReason = (circleStatus == kSOSCCCircleAbsent && departureReason == kSOSNeverLeftCircle); - NSLog(@"Depature reason %d", departureReason); + secnotice("cjr", "Depature reason %d", departureReason); postKickedOutAlert(departureReason); - NSLog(@"pKOA returned (cS %d lCS %d)", circleStatus, state.lastCircleStatus); + secnotice("cjr", "pKOA returned (cS %d lCS %d)", circleStatus, state.lastCircleStatus); } else { - NSLog(@"Couldn't get last departure reason: %@", departError); + secnotice("cjr", "Couldn't get last departure reason: %@", departError); } - } - + + } // Circle applications: pending request(s) started / completed debugState = @"processEvents C"; @@ -658,13 +769,13 @@ static bool processEvents() state.lastCircleStatus = circleStatus; if (lastCircleStatus != kSOSCCRequestPending && circleStatus == kSOSCCRequestPending) { - NSLog(@"Pending request started"); + secnotice("cjr", "Pending request started"); state.applicationDate = nowish; state.pendingApplicationReminder = [nowish dateByAddingTimeInterval: state.pendingApplicationReminderAlertInterval]; scheduleActivity(state.pendingApplicationReminderAlertInterval); } if (lastCircleStatus == kSOSCCRequestPending && circleStatus != kSOSCCRequestPending) { - NSLog(@"Pending request completed"); + secnotice("cjr", "Pending request completed"); state.applicationDate = [NSDate distantPast]; state.pendingApplicationReminder = [NSDate distantFuture]; } 
@@ -680,31 +791,31 @@ static bool processEvents() debugState = @"processEvents D1"; notify_register_dispatch(kSOSCCCircleChangedNotification, ¬ifyToken, dispatch_get_main_queue(), ^(int token) { if (postedAlert != currentAlert) { - NSLog(@"-- CC after original alert gone (currentAlertIsForApplicants %d, pA %p, cA %p -- %@)", + secnotice("cjr", "-- CC after original alert gone (currentAlertIsForApplicants %d, pA %p, cA %p -- %@)", currentAlertIsForApplicants, postedAlert, currentAlert, currentAlert); notify_cancel(token); } else { - CFErrorRef localError = NULL; + CFErrorRef localError = NULL; SOSCCStatus newCircleStatus = SOSCCThisDeviceIsInCircle(&localError); if (newCircleStatus != kSOSCCRequestPending) { if (newCircleStatus == kSOSCCError) - NSLog(@"No longer pending (nCS=%d, alert=%@) error: %@", newCircleStatus, currentAlert, localError); + secnotice("cjr", "No longer pending (nCS=%d, alert=%@) error: %@", newCircleStatus, currentAlert, localError); else - NSLog(@"No longer pending (nCS=%d, alert=%@)", newCircleStatus, currentAlert); + secnotice("cjr", "No longer pending (nCS=%d, alert=%@)", newCircleStatus, currentAlert); cancelCurrentAlert(true); } else { - NSLog(@"Still pending..."); + secnotice("cjr", "Still pending..."); } CFReleaseNull(localError); } }); debugState = @"processEvents D2"; - NSLog(@"NOTE: currentAlertIsForApplicants %d, token %d", currentAlertIsForApplicants, notifyToken); + secnotice("cjr", "NOTE: currentAlertIsForApplicants %d, token %d", currentAlertIsForApplicants, notifyToken); CFRunLoopRun(); return true; } - debugState = @"processEvents D4"; - NSLog(@"SOSCCThisDeviceIsInCircle status %d, not checking applicants", circleStatus); + debugState = @"processEvents D4"; + secnotice("cjr", "SOSCCThisDeviceIsInCircle status %d, not checking applicants", circleStatus); return false; } 
@@ -723,7 +834,7 @@ static bool processEvents() int notify_token = -42; debugState = @"processEvents F"; int notify_register_status = notify_register_dispatch(kSOSCCCircleChangedNotification, ¬ify_token, dispatch_get_main_queue(), ^(int token) { - NSLog(@"Notified: %s", kSOSCCCircleChangedNotification); + secnotice("cjr", "Notified: %s", kSOSCCCircleChangedNotification); CFErrorRef circleStatusError = NULL; bool needsUpdate = false; @@ -745,7 +856,7 @@ static bool processEvents() break; default: - NSLog(@"Update to %@ >> %@ with pending order, should work out ok though", existingApplicant, newApplicant); + secnotice("cjr", "Update to %@ >> %@ with pending order, should work out ok though", existingApplicant, newApplicant); break; } } else { @@ -754,7 +865,7 @@ static bool processEvents() } } if (copyPeerError) { - NSLog(@"Could not update peer info array: %@", copyPeerError); + secnotice("cjr", "Could not update peer info array: %@", copyPeerError); CFRelease(copyPeerError); return; } 
@@ -769,27 +880,27 @@ static bool processEvents() [applicants removeObjectsForKeys:idsToRemoveFromApplicants]; if (newIds.count == 0) { - NSLog(@"All applicants were handled elsewhere"); + secnotice("cjr", "All applicants were handled elsewhere"); cancelCurrentAlert(true); } SOSCCStatus currentCircleStatus = SOSCCThisDeviceIsInCircle(&circleStatusError); if (kSOSCCInCircle != currentCircleStatus) { - NSLog(@"Left circle (%d), not handling remaining %lu applicants", currentCircleStatus, (unsigned long)newIds.count); + secnotice("cjr", "Left circle (%d), not handling remaining %lu applicants", currentCircleStatus, (unsigned long)newIds.count); cancelCurrentAlert(true); } if (needsUpdate) { askAboutAll(false); } else { - NSLog(@"needsUpdate false, not updating alert"); + secnotice("cjr", "needsUpdate false, not updating alert"); } // Log circleStatusError? CFReleaseNull(circleStatusError); }); - NSLog(@"ACC token %d, status %d", notify_token, notify_register_status); + secnotice("cjr", "ACC token %d, status %d", notify_token, notify_register_status); debugState = @"processEvents F2"; if (applicants.count == 0) { - NSLog(@"No applicants"); + secnotice("cjr", "No applicants"); } else { debugState = @"processEvents F3"; askAboutAll(false); 
@@ -809,24 +920,34 @@ static bool processEvents() int main (int argc, const char * argv[]) { + xpc_transaction_begin(); - + @autoreleasepool { - // NOTE: DISPATCH_QUEUE_PRIORITY_LOW will not actually manage to drain events in a lot of cases (like circleStatus != kSOSCCInCircle) - xpc_set_event_stream_handler("com.apple.notifyd.matching", dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^(xpc_object_t object) { - char *event_description = xpc_copy_description(object); - NSLog(@"notifyd event: %s\nAlert (%p) %s %s\ndebugState: %@", event_description, currentAlert, - currentAlertIsForApplicants ? "for applicants" : "!applicants", - currentAlertIsForKickOut ? "KO" : "!KO", debugState); - free(event_description); - }); - - xpc_activity_register(kLaunchLaterXPCName, XPC_ACTIVITY_CHECK_IN, ^(xpc_activity_t activity) { - }); + // NOTE: DISPATCH_QUEUE_PRIORITY_LOW will not actually manage to drain events in a lot of cases (like circleStatus != kSOSCCInCircle) + xpc_set_event_stream_handler("com.apple.notifyd.matching", dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^(xpc_object_t object) { + char *event_description = xpc_copy_description(object); + const char *notificationName = xpc_dictionary_get_string(object, "Notification"); + + if (notificationName && strcmp(notificationName, kUserKeybagStateChangeNotification)==0) { + secnotice("cjr", "keybag changed!"); + keybagStateChange(); + } + + secnotice("cjr", "notifyd event: %s\nAlert (%p) %s %s\ndebugState: %@", event_description, currentAlert, + currentAlertIsForApplicants ? "for applicants" : "!applicants", + currentAlertIsForKickOut ? "KO" : "!KO", debugState); + free(event_description); + }); + + xpc_activity_register(kLaunchLaterXPCName, XPC_ACTIVITY_CHECK_IN, ^(xpc_activity_t activity) { + }); + int falseInARow = 0; while (falseInARow < 2) { if (processEvents()) { + secnotice("cjr", "Processed events!!!"); falseInARow = 0; } else { falseInARow++; 
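Review bot: keybagStateChange() is now invoked from the notifyd event-stream handler, which runs on `dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0)`, and through keybagDidUnlock → processRequests it reads the `applicants` dictionary and the `_isLocked`/`processApplicantsAfterUnlock` globals that the main-queue code in this file mutates; the rest of the file funnels such work to the main thread via doOnceInMain and main-queue notify handlers, so this is an unsynchronized cross-thread access. Hop to the main queue instead: `dispatch_async(dispatch_get_main_queue(), ^{ keybagStateChange(); });`. A comment on the `strcmp(notificationName, kUserKeybagStateChangeNotification)` line saying that this is the only notifyd event handled inline, with all others merely waking the process, would spare the next reader a search. main continues past the hunk.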
@@ -838,8 +959,8 @@ int main (int argc, const char * argv[]) { } } } - - NSLog(@"Done"); + + secnotice("cjr", "Done"); xpc_transaction_end(); return(0); } diff --git a/CircleJoinRequested/com.apple.security.CircleJoinRequested.plist b/CircleJoinRequested/com.apple.security.CircleJoinRequested.plist index 10ce645e..72e08d7f 100644 --- a/CircleJoinRequested/com.apple.security.CircleJoinRequested.plist +++ b/CircleJoinRequested/com.apple.security.CircleJoinRequested.plist @@ -16,6 +16,16 @@ <dict> <key>com.apple.notifyd.matching</key> <dict> + <key>com.apple.mobile.keybagd.lock_status</key> + <dict> + <key>Notification</key> + <string>com.apple.mobile.keybagd.lock_status</string> + </dict> + <key>kPublicKeyNotAvailable</key> + <dict> + <key>Notification</key> + <string>com.apple.security.publickeynotavailable</string> + </dict> <key>com.apple.mobile.keybagd.first_unlock</key> <dict> <key>Notification</key> diff --git a/CircleJoinRequested/entitlements.plist b/CircleJoinRequested/entitlements.plist index ad2e091f..cefdfc48 100644 --- a/CircleJoinRequested/entitlements.plist +++ b/CircleJoinRequested/entitlements.plist @@ -14,6 +14,7 @@ <true/> <key>keychain-access-groups</key> <array> + <string>keychain-cloud-circle</string> <string>com.apple.ProtectedCloudStorage</string> </array> </dict> diff --git a/CloudKeychainProxy/CloudKeychainProxy.1 b/CloudKeychainProxy/CloudKeychainProxy.1 deleted file mode 100644 index e2565fb7..00000000 --- a/CloudKeychainProxy/CloudKeychainProxy.1 +++ /dev/null 
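Review bot: The new `kPublicKeyNotAvailable` LaunchEvents key breaks the naming pattern of its siblings, which use the notification string itself as the key (`com.apple.mobile.keybagd.lock_status`, `com.apple.mobile.keybagd.first_unlock`); renaming it to `com.apple.security.publickeynotavailable` keeps the dictionary self-describing. Nothing in the main() hunk matches this notification by name (it tests only for the keybag lock-status name), so if the subscription exists purely to wake the daemon so processEvents runs, a `<!-- wakes the process; handled by processEvents, not by name -->` comment next to the key would record that.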
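Review bot: The added `keychain-cloud-circle` access group widens the set of keychain items this process may read and write, and neither the commit description nor the hunk says which new call requires it. A one-line XML comment above the entry naming the dependency (the SOSCC circle calls in CircleJoinRequested.m, if that is the reason) would let a later audit of this entitlement check whether it is still needed.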
@@ -1,79 +0,0 @@ -.\"Modified from man(1) of FreeBSD, the NetBSD mdoc.template, and mdoc.samples. -.\"See Also: -.\"man mdoc.samples for a complete listing of options -.\"man mdoc for the short list of editing options -.\"/usr/share/misc/mdoc.template -.Dd 1/15/13 \" DATE -.Dt CloudKeychainProxy 1 \" Program name and manual section number -.Os Darwin -.Sh NAME \" Section Header - required - don't modify -.Nm CloudKeychainProxy, -.\" The following lines are read in generating the apropos(man -k) database. Use only key -.\" words here as the database is built based on the words here and in the .ND line. -.Nm Other_name_for_same_program(), -.Nm Yet another name for the same program. -.\" Use .Nm macro to designate other names for the documented program. -.Nd This line parsed for whatis database. -.Sh SYNOPSIS \" Section Header - required - don't modify -.Nm -.Op Fl abcd \" [-abcd] -.Op Fl a Ar path \" [-a path] -.Op Ar file \" [file] -.Op Ar \" [file ...] -.Ar arg0 \" Underlined argument - use .Ar anywhere to underline -arg2 ... \" Arguments -.Sh DESCRIPTION \" Section Header - required - don't modify -Use the .Nm macro to refer to your program throughout the man page like such: -.Nm -Underlining is accomplished with the .Ar macro like this: -.Ar underlined text . 
-.Pp \" Inserts a space -A list of items with descriptions: -.Bl -tag -width -indent \" Begins a tagged list -.It item a \" Each item preceded by .It macro -Description of item a -.It item b -Description of item b -.El \" Ends the list -.Pp -A list of flags and their descriptions: -.Bl -tag -width -indent \" Differs from above in tag removed -.It Fl a \"-a flag as a list item -Description of -a flag -.It Fl b -Description of -b flag -.El \" Ends the list -.Pp -.\" .Sh ENVIRONMENT \" May not be needed -.\" .Bl -tag -width "ENV_VAR_1" -indent \" ENV_VAR_1 is width of the string ENV_VAR_1 -.\" .It Ev ENV_VAR_1 -.\" Description of ENV_VAR_1 -.\" .It Ev ENV_VAR_2 -.\" Description of ENV_VAR_2 -.\" .El -.Sh FILES \" File used or created by the topic of the man page -.Bl -tag -width "/Users/joeuser/Library/really_long_file_name" -compact -.It Pa /usr/share/file_name -FILE_1 description -.It Pa /Users/joeuser/Library/really_long_file_name -FILE_2 description -.El \" Ends the list -.\" .Sh DIAGNOSTICS \" May not be needed -.\" .Bl -diag -.\" .It Diagnostic Tag -.\" Diagnostic informtion here. -.\" .It Diagnostic Tag -.\" Diagnostic informtion here. -.\" .El -.Sh SEE ALSO -.\" List links in ascending order by section, alphabetically within a section. -.\" Please do not reference files that do not exist without filing a bug report -.Xr a 1 , -.Xr b 1 , -.Xr c 1 , -.Xr a 2 , -.Xr b 2 , -.Xr a 3 , -.Xr b 3 -.\" .Sh BUGS \" Document known, unremedied bugs -.\" .Sh HISTORY \" Document history if command behaves in a unique manner \ No newline at end of file diff --git a/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyReceiveMessage.h b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyReceiveMessage.h new file mode 100644 index 00000000..68965c9c --- /dev/null +++ b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyReceiveMessage.h 
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+#import "IDSProxy.h"
+
+@interface IDSKeychainSyncingProxy (IDSProxyReceiveMessage)
+//receive message routines
+-(BOOL) checkForFragmentation:(NSDictionary*)message id:(NSString*)fromID data:(NSData*)messageData;
+-(NSMutableDictionary*) combineMessage:(NSString*)deviceID peerID:(NSString*)peerID uuid:(NSString*)uuid;
+- (void)service:(IDSService *)service account:(IDSAccount *)account incomingMessage:(NSDictionary *)message fromID:(NSString *)fromID context:(IDSMessageContext *)context;
+- (void)sendMessageToSecurity:(NSMutableDictionary*)messageAndFromID fromID:(NSString*)fromID;
+- (void) handleAllPendingMessage;
+
+@end
diff --git a/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyReceiveMessage.m b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyReceiveMessage.m
new file mode 100644
index 00000000..7e59ef57
--- /dev/null
+++ b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyReceiveMessage.m
@@ -0,0 +1,399 @@ +/* + * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import <Foundation/Foundation.h> +#import <Foundation/NSArray.h> +#import <Foundation/Foundation.h> + +#import <Security/SecBasePriv.h> +#import <Security/SecItemPriv.h> +#import <utilities/debugging.h> +#import <notify.h> + +#include <Security/CKBridge/SOSCloudKeychainConstants.h> +#include <Security/SecureObjectSync/SOSARCDefines.h> +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSCloudCircleInternal.h> + +#import <IDS/IDS.h> +#import <os/activity.h> + +#include <utilities/SecAKSWrappers.h> +#include <utilities/SecCFRelease.h> +#include <AssertMacros.h> + +#import "IDSPersistentState.h" +#import "IDSKeychainSyncingProxy+IDSProxyReceiveMessage.h" +#import "IDSKeychainSyncingProxy+IDSProxySendMessage.h" +#import "IDSProxy.h" + +static NSString *const kIDSNumberOfFragments = @"NumberOfIDSMessageFragments"; +static NSString *const kIDSFragmentIndex = @"kFragmentIndex"; +static NSString *const kIDSOperationType = 
@"IDSMessageOperation"; +static NSString *const kIDSMessageToSendKey = @"MessageToSendKey"; +static NSString *const kIDSMessageUniqueID = @"MessageID"; + +@implementation IDSKeychainSyncingProxy (IDSProxyReceiveMessage) + + +-(int) countNumberOfValidObjects:(NSMutableArray*)fragmentsForDeviceID +{ + __block int count = 0; + [fragmentsForDeviceID enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL * _Nonnull stop) { + if(obj != [NSNull null]){ + count++; + } + }]; + return count; +} + +-(BOOL) checkForFragmentation:(NSDictionary*)message id:(NSString*)fromID data:(NSData*)messageData +{ + BOOL handOffMessage = false; + + if([message valueForKey:kIDSNumberOfFragments] != nil){ + NSNumber *idsNumberOfFragments = [message objectForKey:kIDSNumberOfFragments]; + NSNumber *index = [message objectForKey:kIDSFragmentIndex]; + NSString *uuidString = [message objectForKey:kIDSMessageUniqueID]; + + if([IDSKeychainSyncingProxy idsProxy].allFragmentedMessages == nil) + [IDSKeychainSyncingProxy idsProxy].allFragmentedMessages = [NSMutableDictionary dictionary]; + + NSMutableDictionary *uniqueMessages = [[IDSKeychainSyncingProxy idsProxy].allFragmentedMessages objectForKey: fromID]; + if(uniqueMessages == nil) + uniqueMessages = [NSMutableDictionary dictionary]; + + NSMutableArray *fragmentsForDeviceID = [uniqueMessages objectForKey: uuidString]; + if(fragmentsForDeviceID == nil){ + fragmentsForDeviceID = [ [NSMutableArray alloc] initWithCapacity: [idsNumberOfFragments longValue]]; + for (int i = 0; i <[idsNumberOfFragments longValue] ; i++) { + [fragmentsForDeviceID addObject:[NSNull null]]; + } + } + + [fragmentsForDeviceID replaceObjectAtIndex: [index intValue] withObject:messageData ]; + [uniqueMessages setObject: fragmentsForDeviceID forKey:uuidString]; + [[IDSKeychainSyncingProxy idsProxy].allFragmentedMessages setObject:uniqueMessages forKey: fromID]; + + if([self countNumberOfValidObjects:fragmentsForDeviceID] == [idsNumberOfFragments longValue]) + handOffMessage = 
true; + else + handOffMessage = false; + + } + else //no fragmentation in the message, ready to hand off to securityd + handOffMessage = true; + + return handOffMessage; + +} + +-(NSMutableDictionary*) combineMessage:(NSString*)deviceID peerID:(NSString*)peerID uuid:(NSString*)uuid +{ + NSString *dataKey = [ NSString stringWithUTF8String: kMessageKeyIDSDataMessage ]; + NSString *deviceIDKey = [ NSString stringWithUTF8String: kMessageKeyDeviceID ]; + NSString *peerIDKey = [ NSString stringWithUTF8String: kMessageKeyPeerID ]; + + NSMutableDictionary *uniqueMessage = [[IDSKeychainSyncingProxy idsProxy].allFragmentedMessages objectForKey:deviceID]; + NSMutableArray *messagesForUUID = [uniqueMessage objectForKey:uuid]; + NSMutableData* completeMessage = [NSMutableData data]; + + [messagesForUUID enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) { + NSData *messageFragment = (NSData*)obj; + secnotice("IDS Transport","this is our index: %lu and size: %lu", (unsigned long)idx, (unsigned long)[messageFragment length]); + + [completeMessage appendData: messageFragment]; + }]; + [uniqueMessage removeObjectForKey:uuid]; + [[IDSKeychainSyncingProxy idsProxy].allFragmentedMessages removeObjectForKey:deviceID]; + return [NSMutableDictionary dictionaryWithObjectsAndKeys: completeMessage, dataKey, deviceID, deviceIDKey, peerID, peerIDKey, nil]; +} + +-(void) handleTestMessage:(NSString*)operation id:(NSString*)ID +{ + int operationType = [operation intValue]; + switch(operationType){ + case kIDSPeerAvailabilityDone: + { + secnotice("IDS Transport","!received availability response!: %@", ID); + notify_post(kSOSCCPeerAvailable); + //cancel timer! 
+ dispatch_source_t timer = [[IDSKeychainSyncingProxy idsProxy].pingTimers objectForKey:ID]; + if(timer != nil){ + secnotice("IDS Transport", "timer not nil"); + dispatch_cancel(timer); + [[IDSKeychainSyncingProxy idsProxy].pingTimers removeObjectForKey:ID]; + } + //call securityd to sync with device over IDS + __block CFErrorRef cf_error = NULL; + __block bool success = false; + + [self sendKeysCallout:^NSMutableDictionary *(NSMutableDictionary *pending, NSError** error) { + + success = SOSCCRequestSyncWithPeerOverIDS(((__bridge CFStringRef)ID), &cf_error); + + if(success){ + secnotice("IDSPing", "sent device ID: %@ to securityd to sync over IDS", ID); + } + else{ + secerror("Could not hand device ID: %@ to securityd, error: %@", ID, cf_error); + } + + return NULL; + }]; + CFReleaseSafe(cf_error); + + break; + } + case kIDSEndPingTestMessage: + secnotice("IDS Transport","received pong message from other device: %@, ping test PASSED", ID); + break; + case kIDSSendOneMessage: + secnotice("IDS Transport","received ping test message, dropping on the floor now"); + break; + + case kIDSPeerAvailability: + case kIDSStartPingTestMessage: + { + char* messageCharS; + if(operationType == kIDSPeerAvailability){ + secnotice("IDS Transport","Received Availability Message from:%@!", ID); + asprintf(&messageCharS, "%d",kIDSPeerAvailabilityDone); + } + else{ + secnotice("IDS Transport","Received PingTest Message from: %@!", ID); + asprintf(&messageCharS, "%d", kIDSEndPingTestMessage); + } + + NSString *operationString = [[NSString alloc] initWithUTF8String:messageCharS]; + NSString* messageString = @"peer availability check finished"; + NSDictionary* messsageDictionary = @{kIDSOperationType:operationString, kIDSMessageToSendKey:messageString}; + NSString *identifier = [NSString string]; + + NSError *localError = NULL; + if (!self.isLocked) + [self sendIDSMessage:messsageDictionary name:ID peer:@"me" identifier:&identifier error:&localError]; + else + secnotice("IDS Transport", 
"device is locked, not responding to availability check"); + + free(messageCharS); + + break; + } + default: + break; + } +} + +- (void)service:(IDSService *)service account:(IDSAccount *)account incomingMessage:(NSDictionary *)message fromID:(NSString *)fromID context:(IDSMessageContext *)context +{ + secnotice("IDS Transport","message: %@", message); + NSString *dataKey = [ NSString stringWithUTF8String: kMessageKeyIDSDataMessage ]; + NSString *deviceIDKey = [ NSString stringWithUTF8String: kMessageKeyDeviceID ]; + NSString *peerIDKey = [ NSString stringWithUTF8String: kMessageKeyPeerID ]; + NSString *sendersPeerIDKey = [NSString stringWithUTF8String: kMessageKeySendersPeerID]; + + NSString *ID = nil; + uint32_t operationType; + bool hadError = false; + CFStringRef errorMessage = NULL; + __block NSString* myPeerID = @""; + __block NSData *messageData = nil; + + NSString* operationTypeAsString = nil; + NSMutableDictionary *messageDictionary = nil; + + NSArray *devices = [_service devices]; + for(NSUInteger i = 0; i < [ devices count ]; i++){ + IDSDevice *device = devices[i]; + if( [(IDSCopyIDForDevice(device)) containsString: fromID] == YES){ + ID = device.uniqueID; + break; + } + } + secnotice("IDS Transport", "Received message from: %@", ID); + NSString *sendersPeerID = [message objectForKey: sendersPeerIDKey]; + + if(sendersPeerID == nil) + sendersPeerID = [NSString string]; + + + require_action_quiet(ID, fail, hadError = true; errorMessage = CFSTR("require the sender's device ID")); + + operationTypeAsString = [message objectForKey: kIDSOperationType]; + messageDictionary = [message objectForKey: kIDSMessageToSendKey]; + + secnotice("IDS Transport","from peer %@, operation type as string: %@, as integer: %d", ID, operationTypeAsString, [operationTypeAsString intValue]); + operationType = [operationTypeAsString intValue]; + + if(operationType == kIDSPeerAvailabilityDone || operationType == kIDSEndPingTestMessage || operationType == kIDSSendOneMessage || 
operationType == kIDSPeerAvailability || operationType == kIDSStartPingTestMessage) + { + [self handleTestMessage:operationTypeAsString id:ID]; + } + else if(operationType == kIDSKeychainSyncIDSFragmentation) + { + [messageDictionary enumerateKeysAndObjectsUsingBlock:^(id key, id obj, BOOL *stop) { + myPeerID = (NSString*)key; + messageData = (NSData*)obj; + }]; + + BOOL readyToHandOffToSecD = [self checkForFragmentation:message id:ID data:messageData]; + + NSMutableDictionary *messageAndFromID = nil; + + if(readyToHandOffToSecD && ([message objectForKey:kIDSFragmentIndex])!= nil){ + secnotice("IDS Transport","fragmentation: messageData: %@, myPeerID: %@", messageData, myPeerID); + NSString* uuid = [message objectForKey:kIDSMessageUniqueID]; + messageAndFromID = [self combineMessage:ID peerID:myPeerID uuid:uuid]; + } + else if(readyToHandOffToSecD){ + secnotice("IDS Transport","no fragmentation: messageData: %@, myPeerID: %@", messageData, myPeerID); + messageAndFromID = [NSMutableDictionary dictionaryWithObjectsAndKeys: messageData, dataKey, ID, deviceIDKey, myPeerID, peerIDKey, nil]; + } + else + return; + + //set the sender's peer id so we can check it in securityd + [messageAndFromID setObject:sendersPeerID forKey:sendersPeerIDKey]; + + if([IDSKeychainSyncingProxy idsProxy].isLocked){ + //hang on to the message and set the retry deadline + [self.unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; + } + else + [self sendMessageToSecurity:messageAndFromID fromID:fromID]; + } + else + secerror("dropping IDS message"); + +fail: + if(hadError) + secerror("error:%@", errorMessage); +} + + +- (void) handleAllPendingMessage +{ + secnotice("IDS Transport", "Attempting to handle pending messsages"); + if([self.unhandledMessageBuffer count] > 0){ + secnotice("IDS Transport", "handling Message: %@", self.unhandledMessageBuffer); + NSMutableDictionary *copyOfUnhanlded = [NSMutableDictionary dictionaryWithDictionary:self.unhandledMessageBuffer]; + 
[copyOfUnhanlded enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) + { + NSMutableDictionary *messageAndFromID = (NSMutableDictionary*)obj; + NSString *fromID = (NSString*)key; + //remove the message from the official message buffer (if it fails to get handled it'll be reset again in sendMessageToSecurity) + [self.unhandledMessageBuffer removeObjectForKey: fromID]; + [self sendMessageToSecurity:messageAndFromID fromID:fromID]; + }]; + } +} + +- (bool) shouldPersistMessage:(NSDictionary*) newMessageAndFromID id:(NSString*)fromID +{ + __block bool persistMessage = true; + + //get the dictionary of messages for a particular device id + NSDictionary* messagesForID = [self.unhandledMessageBuffer valueForKey:fromID]; + + //Grab the data blob + CFStringRef dataKey = CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeyIDSDataMessage, kCFStringEncodingASCII); + CFDataRef messageData = asData(CFDictionaryGetValue((__bridge CFDictionaryRef)newMessageAndFromID, dataKey), NULL); + + [messagesForID enumerateKeysAndObjectsUsingBlock:^(id key, id obj, BOOL * stop) { + NSData* queuedMessage = (NSData*)obj; + + if([queuedMessage isEqual:(__bridge NSData*)messageData]) + persistMessage = false; + }]; + + CFReleaseNull(dataKey); + return persistMessage; +} + +-(void)sendMessageToSecurity:(NSMutableDictionary*)messageAndFromID fromID:(NSString*)fromID +{ + __block CFErrorRef cf_error = NULL; + __block HandleIDSMessageReason success = kHandleIDSMessageSuccess; + + [self sendKeysCallout:^NSMutableDictionary *(NSMutableDictionary *pending, NSError** error) { + + success = SOSCCHandleIDSMessage(((__bridge CFDictionaryRef)messageAndFromID), &cf_error); + //turns out the error needs to be evaluated as sync_and_do returns bools + if(cf_error != NULL) + { + CFStringRef errorDescription = CFErrorCopyDescription(cf_error); + if (CFStringCompare(errorDescription, CFSTR("The operation couldnât be completed. 
(Mach error -536870174 - Kern return error)"), 0) == 0 ) { + success = kHandleIDSMessageLocked; + } + CFReleaseNull(errorDescription); + } + + if(success == kHandleIDSMessageLocked){ + secnotice("IDS Transport","cannot handle messages from: %@ when locked, error:%@", fromID, cf_error); + if(!self.unhandledMessageBuffer) + self.unhandledMessageBuffer = [NSMutableDictionary dictionary]; + + //write message to disk if message is new to the unhandled queue + if([self shouldPersistMessage:messageAndFromID id:fromID]) + [self persistState]; + + [self.unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; + secnotice("IDS Transport", "unhandledMessageBuffer: %@", self.unhandledMessageBuffer); + + return NULL; + } + else if(success == kHandleIDSMessageNotReady){ + secnotice("IDS Transport","not ready to handle message from: %@, error:%@", fromID, cf_error); + if(!self.unhandledMessageBuffer) + self.unhandledMessageBuffer = [NSMutableDictionary dictionary]; + [self.unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; + secnotice("IDS Transport","unhandledMessageBuffer: %@", self.unhandledMessageBuffer); + //set timer + [[IDSKeychainSyncingProxy idsProxy] scheduleRetryRequestTimer]; + + //write message to disk if message is new to the unhandled queue + if([self shouldPersistMessage:messageAndFromID id:fromID]) + [self persistState]; + + return NULL; + } + else if(success == kHandleIDSmessageDeviceIDMismatch){ + secnotice("IDS Transport","message for a ghost! dropping message. error:%@", cf_error); + return NULL; + } + else if(success == kHandleIDSMessageDontHandle){ + secnotice("IDS Transport","error in message, dropping message. error:%@", cf_error); + return NULL; + } + else{ + secnotice("IDS Transport","IDSProxy handled this message %@, from: %@", messageAndFromID, fromID); + return (NSMutableDictionary*)messageAndFromID; + } + + CFReleaseNull(cf_error); + }]; +} + +@end 
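Review bot: `checkForFragmentation:id:data:` trusts `kIDSFragmentIndex`, `kIDSNumberOfFragments` and `kIDSMessageUniqueID` exactly as they arrive in the peer's message, so `replaceObjectAtIndex:[index intValue]` raises NSRangeException (and takes the proxy down) whenever the index is negative or not below the array size, `setObject:forKey:` throws when the uuid is missing, and a nil `messageData` throws as well. A later fragment that reuses a uuid but claims a different total reaches the already-allocated array, so the bound has to be taken from `[fragmentsForDeviceID count]` rather than from the new message, and the total itself should be capped since the array is sized straight from it. Partially assembled messages are never aged out, so `allFragmentedMessages` grows without bound under a stream of never-completed uuids. Separately, in `sendMessageToSecurity:fromID:` the `CFReleaseNull(cf_error)` at the end of the callout block sits after a `return` on every path, so `cf_error` is leaked whenever securityd reports an error; move the release ahead of the branch chain.
```objective-c
-(BOOL) checkForFragmentation:(NSDictionary*)message id:(NSString*)fromID data:(NSData*)messageData
{
    // … unchanged: handOffMessage, kIDSNumberOfFragments presence check, idsNumberOfFragments/index/uuidString lookup …

        // These values come from the remote peer: reject anything that cannot index the fragment array.
        if (![idsNumberOfFragments isKindOfClass:[NSNumber class]] || ![index isKindOfClass:[NSNumber class]] ||
            ![uuidString isKindOfClass:[NSString class]] || messageData == nil ||
            [idsNumberOfFragments longValue] <= 0 || [idsNumberOfFragments longValue] > MAX_FRAGMENTS_PLACEHOLDER ||
            [index longValue] < 0 || [index longValue] >= [idsNumberOfFragments longValue]) {
            secerror("dropping malformed fragment from %@", fromID);
            return false;
        }

        // … unchanged: allFragmentedMessages / uniqueMessages / fragmentsForDeviceID lookup and creation …

        // A repeated uuid may arrive with a different total; bound by the array that was actually allocated.
        if ((NSUInteger)[index longValue] >= [fragmentsForDeviceID count]) {
            secerror("fragment index %ld outside assembled message of %lu fragments from %@",
                     [index longValue], (unsigned long)[fragmentsForDeviceID count], fromID);
            return false;
        }
        [fragmentsForDeviceID replaceObjectAtIndex: (NSUInteger)[index longValue] withObject:messageData ];

        // … unchanged: store back, completeness check, hand-off decision …
```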
diff --git a/OSX/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.h b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxySendMessage.h
similarity index 60%
rename from OSX/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.h
rename to IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxySendMessage.h
index bd520ca9..516c2a49 100644
--- a/OSX/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.h
+++ b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxySendMessage.h
@@ -1,15 +1,15 @@
 /*
- * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
- *
+ *
  * This file contains Original Code and/or Modifications of Original Code
  * as defined in and that are subject to the Apple Public Source License
  * Version 2.0 (the 'License'). You may not use this file except in
  * compliance with the License. Please obtain a copy of the License at
  * http://www.opensource.apple.com/apsl/ and read it before using this
  * file.
- *
+ *
  * The Original Code and all software distributed under the License are
  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
@@ -17,28 +17,17 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ -// -// CKDUserInteraction.h -// CloudKeychainProxy -// - -#import <Foundation/Foundation.h> -#import <CoreFoundation/CFUserNotification.h> - -typedef bool (^CKDUserInteractionBlock) (CFDictionaryRef responses, int64_t flags); -@interface CKDUserInteraction : NSObject -{ - -} -@property (atomic) CFUserNotificationRef userNotificationRef; -@property CFRunLoopSourceRef runLoopSourceRef; +#import "IDSProxy.h" -+ (CKDUserInteraction *) sharedInstance; -- (void)requestShowNotification:(NSDictionary *)infoForUserInfo completion:(CKDUserInteractionBlock)completionf; +@interface IDSKeychainSyncingProxy (IDSProxySendMessage) +-(BOOL) sendFragmentedIDSMessages:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) ourPeerID error:(NSError**) error; +-(BOOL) sendIDSMessage:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) peerID identifier:(NSString **)identifier error:(NSError**) error; +-(void) pingDevices:(NSArray*)list peerID:(NSString*)peerID; +- (void)pingTimerFired:(NSString*)deviceName peerID:(NSString*)peerID identifier:(NSString*)identifier; @end diff --git a/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxySendMessage.m b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxySendMessage.m new file mode 100644 index 00000000..870f161e --- /dev/null +++ b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxySendMessage.m 
@@ -0,0 +1,306 @@ +/* + * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import <Foundation/NSArray.h> +#import <Foundation/Foundation.h> + +#import <Security/SecBasePriv.h> +#import <Security/SecItemPriv.h> +#import <utilities/debugging.h> +#import <notify.h> + +#include <Security/CKBridge/SOSCloudKeychainConstants.h> +#include <Security/SecureObjectSync/SOSARCDefines.h> +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSCloudCircleInternal.h> + +#import <IDS/IDS.h> +#import <os/activity.h> + +#include <utilities/SecAKSWrappers.h> +#include <utilities/SecCFRelease.h> +#include <AssertMacros.h> + +#import "IDSProxy.h" +#import "IDSPersistentState.h" +#import "IDSKeychainSyncingProxy+IDSProxySendMessage.h" +#import "IDSKeychainSyncingProxy+IDSProxyThrottle.h" + +#define kSecServerKeychainChangedNotification "com.apple.security.keychainchanged" + + +static NSString *const IDSSendMessageOptionForceEncryptionOffKey = @"IDSSendMessageOptionForceEncryptionOff"; + +static NSString *const 
kIDSNumberOfFragments = @"NumberOfIDSMessageFragments"; +static NSString *const kIDSFragmentIndex = @"kFragmentIndex"; +static NSString *const kIDSOperationType = @"IDSMessageOperation"; +static NSString *const kIDSMessageToSendKey = @"MessageToSendKey"; +static NSString *const kIDSMessageUniqueID = @"MessageID"; +static const int64_t kRetryTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms leeway for handling unhandled messages. +static const int64_t timeout = 7; + +static const int64_t kMaxIDSMessagePayloadSize = 64000; + + +@implementation IDSKeychainSyncingProxy (IDSProxySendMessage) + +-(bool) chunkAndSendKeychainPayload:(NSMutableData*)keychainData deviceID:(NSString*)deviceName ourPeerID:(NSString*)ourPeerID theirPeerID:(NSString*) theirPeerID operation:(NSString*)operationTypeAsString error:(NSError**) error +{ + __block BOOL result = false; + + CFUUIDRef uuid = CFUUIDCreate(kCFAllocatorDefault); + CFStringRef uuidString = CFUUIDCreateString(kCFAllocatorDefault, uuid); + + uint64_t keychainDataLength = (uint64_t)[keychainData length]; + NSUInteger tempLength = [keychainData length]; + int fragmentIndex = 0; + int startingPosition = 0; + + int totalNumberOfFragments = ceil((double)((double)keychainDataLength/(double)kMaxIDSMessagePayloadSize)); + secnotice("IDS Transport","Total number of Fragments: %d", totalNumberOfFragments); + + while(tempLength != 0){ + secnotice("IDS Transport","length: %lu", (unsigned long)tempLength); + NSUInteger endlength; + if(tempLength < kMaxIDSMessagePayloadSize) + endlength = tempLength; + else + endlength = kMaxIDSMessagePayloadSize; + + NSData *fragment = [keychainData subdataWithRange:NSMakeRange(startingPosition, endlength)]; + NSMutableDictionary *newFragmentDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:fragment, theirPeerID, nil]; + + NSMutableDictionary* newMessageFragment = [NSMutableDictionary dictionaryWithObjectsAndKeys:deviceName, @"deviceID", + [[NSNumber alloc]initWithInt: totalNumberOfFragments], 
kIDSNumberOfFragments, + [[NSNumber alloc] initWithInt: fragmentIndex], kIDSFragmentIndex, + newFragmentDictionary,kIDSMessageToSendKey, + operationTypeAsString, kIDSOperationType, + (__bridge NSString*)uuidString, kIDSMessageUniqueID, nil]; + NSString *identifier = [NSString string]; + + secnotice("IDS Transport","sending fragment: %@", newMessageFragment); + result = [self sendIDSMessage:newMessageFragment name:deviceName peer:ourPeerID identifier:&identifier error:error]; + startingPosition+=endlength; + tempLength -= endlength; + fragmentIndex++; + } + CFReleaseNull(uuidString); + CFReleaseNull(uuid); + return result; +} + +-(BOOL) sendFragmentedIDSMessages:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) ourPeerID error:(NSError**) error +{ + + __block BOOL result = false; + + __block NSMutableData *keychainData = nil; + __block NSString *theirPeerID = nil; + secnotice("IDS Transport","fragmenting message! %@", data); + NSString *identifier = [NSString string]; + + NSString* operationTypeAsString = [data objectForKey: kIDSOperationType]; + NSMutableDictionary *messageDictionary = [data objectForKey: kIDSMessageToSendKey]; + + if([operationTypeAsString intValue] == kIDSKeychainSyncIDSFragmentation){ + + [messageDictionary enumerateKeysAndObjectsUsingBlock:^(id key, id obj, BOOL *stop) { + keychainData = (NSMutableData*)obj; + theirPeerID = (NSString*)key; + return; + }]; + secnotice("IDS Transport","keychainData length: %lu", (unsigned long)[keychainData length]); + if((uint64_t)[keychainData length] >= kMaxIDSMessagePayloadSize){ + [self chunkAndSendKeychainPayload:keychainData deviceID:deviceName ourPeerID:ourPeerID theirPeerID:theirPeerID operation:operationTypeAsString error:error]; + } + else{ //message is less than the max encryption size, pass it along + secnotice("IDS Transport","sending message, no fragmentation: %@", data); + result = [self sendIDSMessage:data name:deviceName peer:ourPeerID identifier:&identifier error:error]; + } + } 
+ else + result = [self sendIDSMessage:data name:deviceName peer:ourPeerID identifier:&identifier error:error]; + + + + secnotice("IDS Transport","returning result: %d, error: %@", result, *error); + return result; +} + +- (void)pingTimerFired:(NSString*)deviceID peerID:(NSString*)peerID identifier:(NSString*)identifier +{ + secnotice("IDS Transport", "device ID: %@ !!!!!!!!!!!!!!!!Ping timeout is up!!!!!!!!!!!!", deviceID); + //call securityd to sync with device over KVS + __block CFErrorRef cf_error = NULL; + __block bool success = kHandleIDSMessageSuccess; + + dispatch_source_t timer = [[IDSKeychainSyncingProxy idsProxy].pingTimers objectForKey:deviceID]; //remove timer + dispatch_cancel(timer); //cancel timer + + [[IDSKeychainSyncingProxy idsProxy].pingTimers removeObjectForKey:deviceID]; + + [self sendKeysCallout:^NSMutableDictionary *(NSMutableDictionary *pending, NSError** error) { + + success = SOSCCRequestSyncWithPeerOverKVS(((__bridge CFStringRef)deviceID), &cf_error); + + if(success){ + secnotice("IDSPing", "sent peerID: %@ to securityd to sync over KVS", deviceID); + } + else{ + secerror("Could not hand peerID: %@ to securityd, error: %@", deviceID, cf_error); + } + + return NULL; + }]; + CFReleaseSafe(cf_error); +} + + +-(void) pingDevices:(NSArray*)list peerID:(NSString*)peerID +{ + NSDictionary *messageDictionary = @{kIDSOperationType : [NSString stringWithFormat:@"%d", kIDSPeerAvailability], kIDSMessageToSendKey : @"checking peers"}; + + [list enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL * top) { + NSString* deviceID = (NSString*)obj; + NSString* identifier = [NSString string]; + + secnotice("IDS Transport", "sending to id: %@", deviceID); + NSError *localErr = nil; + + [self recordTimestampOfWriteToIDS: messageDictionary deviceName:deviceID peerID:peerID]; //add pings to throttling + NSDictionary *safeValues = [self filterForWritableValues:messageDictionary]; + + if(safeValues != nil && [safeValues count] > 0){ + [self 
sendIDSMessage:safeValues name:deviceID peer:peerID identifier:&identifier error:&localErr]; + + if(localErr != nil){ + secerror("sending ping to peer %@ had an error: %@", deviceID, localErr); + [self sendKeysCallout:^NSMutableDictionary *(NSMutableDictionary *pending, NSError** error) { + CFErrorRef kvsError = nil; + bool success = SOSCCRequestSyncWithPeerOverKVS(((__bridge CFStringRef)deviceID), &kvsError); + + if(success){ + secnotice("IDSPing", "sent peerID: %@ to securityd to sync over KVS", deviceID); + } + else{ + secerror("Could not hand peerID: %@ to securityd, error: %@", deviceID, kvsError); + } + CFReleaseNull(kvsError); + return NULL; + }]; + } + else{ + dispatch_source_t timer = nil; + if( [self.pingTimers objectForKey:deviceID] == nil){ + timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_main_queue()); + + dispatch_source_set_timer(timer, dispatch_time(DISPATCH_TIME_NOW, timeout * NSEC_PER_SEC), DISPATCH_TIME_FOREVER, kRetryTimerLeeway); + dispatch_source_set_event_handler(timer, ^{ + [self pingTimerFired:deviceID peerID:peerID identifier:identifier]; + }); + dispatch_resume(timer); + + [self.pingTimers setObject:timer forKey:deviceID]; + } + } + } + }]; + +} +-(BOOL) sendIDSMessage:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) peerID identifier:(NSString **)identifier error:(NSError**) error +{ + BOOL result = true; + NSDictionary *userInfo; + NSInteger code = 0; + + NSString *errorMessage; + NSMutableSet *destinations = [NSMutableSet set]; + NSArray *ListOfIDSDevices = nil; + IDSMessagePriority priority = IDSMessagePriorityHigh; + IDSDevice *device = nil; + BOOL encryptionOff = YES; + NSError *localError = nil; + NSString *sendersPeerIDKey = [ NSString stringWithUTF8String: kMessageKeySendersPeerID]; + + secnotice("backoff","!!writing these keys to IDS!!: %@", data); + + NSDictionary *options = @{IDSSendMessageOptionForceEncryptionOffKey : [NSNumber numberWithBool:encryptionOff] }; + + 
NSMutableDictionary *dataCopy = [NSMutableDictionary dictionaryWithDictionary: data]; + + [dataCopy setObject:peerID forKey:sendersPeerIDKey]; + + secnotice("IDS Transport", "Sending message from: %@ to: %@", peerID, deviceName); + + require_action_quiet(_service, fail, code = kSecIDSErrorNotRegistered; errorMessage = createErrorString(@"Could not send message to peer: %@: IDS delegate uninitialized, can't use IDS to send this message", deviceName)); + + secnotice("IDS Transport","devices: %@", [_service devices]); + secnotice("IDS Transport", " we have their deviceName: %@", deviceName); + + ListOfIDSDevices = [_service devices]; + + require_action_quiet([ListOfIDSDevices count]> 0, fail, code = kSecIDSErrorNotRegistered; errorMessage=createErrorString(@"Could not send message to peer: %@: IDS devices are not registered yet", deviceName)); + secnotice("IDS Transport","This is our list of devices: %@", ListOfIDSDevices); + + for(NSUInteger i = 0; i < [ ListOfIDSDevices count ]; i++){ + device = ListOfIDSDevices[i]; + if( [ deviceName compare:device.uniqueID ] == 0){ + [destinations addObject: IDSCopyIDForDevice(device)]; + } + } + + require_action_quiet([destinations count] != 0, fail, code = kSecIDSErrorCouldNotFindMatchingAuthToken; errorMessage = createErrorString(@"Could not send message to peer: %@: IDS device ID for peer does not match any devices within an IDS Account", deviceName)); + + result = [_service sendMessage:dataCopy toDestinations:destinations priority:priority options:options identifier:identifier error:&localError ] ; + + require_action_quiet(localError == nil, fail, code = kSecIDSErrorFailedToSend; errorMessage = createErrorString(@"Had an error sending IDS message to peer: %@", deviceName)); + + secnotice("IDS Transport", "identifier: %@", *identifier); + + secnotice("IDS Transport","sent to peer:%@, message: %@", deviceName, dataCopy); + + return result; + +fail: + userInfo = [ NSDictionary dictionaryWithObjectsAndKeys:errorMessage, 
NSLocalizedDescriptionKey, nil ]; + if(error != nil){ + *error = [NSError errorWithDomain:@"com.apple.security.ids.error" code:code userInfo:userInfo]; + secerror("%@", *error); + } + if(localError != nil) + secerror("%@", localError); + + return false; +} + +- (void)service:(IDSService *)service account:(IDSAccount *)account identifier:(NSString *)identifier didSendWithSuccess:(BOOL)success error:(NSError *)error +{ + if (error) { + NSLog(@"IDSKeychainSyncingProxy didSendWithSuccess identifier=%@ error=%@", identifier, error); + } else { + NSLog(@"IDSKeychainSyncingProxy didSendWithSuccess identifier=%@ Success!", identifier); + } +} + +@end diff --git a/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyThrottle.h b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyThrottle.h new file mode 100644 index 00000000..a1230294 --- /dev/null +++ b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyThrottle.h 
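Review bot: `sendFragmentedIDSMessages:name:peer:error:` dereferences `*error` in its closing `secnotice` without checking that `error` is non-NULL, whereas `sendIDSMessage:...` in the same file guards with `if(error != nil)`; a caller passing NULL crashes the proxy on that line, so it should read `secnotice("IDS Transport","returning result: %d, error: %@", result, error ? *error : nil);`. In the same method the return value of `chunkAndSendKeychainPayload:...` is discarded, so every fragmented send reports `result == false` to its caller; write `result = [self chunkAndSendKeychainPayload:...]`, and inside `chunkAndSendKeychainPayload` keep the status of every fragment rather than only the last (`result = result && [self sendIDSMessage:...]`, or stop on the first failure) so a lost middle fragment is not reported as success. `sendIDSMessage:` sets `IDSSendMessageOptionForceEncryptionOff` to YES for every keychain payload with no explanation; if this relies on the payload already being end-to-end encrypted before it reaches the proxy, a comment at the `encryptionOff` declaration should say so, e.g. `// IDS-layer encryption is deliberately off: the SOS payload is expected to arrive already encrypted by securityd — confirm before changing`. `pingTimerFired:` calls `dispatch_cancel(timer)` without the nil check that `handleTestMessage:` performs for the same lookup, which crashes if the timer was already removed from `pingTimers`.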
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+#import "IDSProxy.h"
+
+@interface IDSKeychainSyncingProxy (IDSProxyThrottle)
+
+- (dispatch_source_t)setNewTimer:(int)timeout key:(NSString*)key deviceName:(NSString*)deviceName peerID:(NSString*)peerID;
+- (NSDictionary*)filterForWritableValues:(NSDictionary *)values;
+- (void)recordTimestampForAppropriateInterval:(NSMutableDictionary**)timeTable key:(NSString*)key consecutiveWrites:(NSNumber**)consecutiveWrites;
+- (void)recordTimestampOfWriteToIDS:(NSDictionary *)values deviceName:(NSString*)name peerID:(NSString*)peerid;
+
+
+@end
diff --git a/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyThrottle.m b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyThrottle.m
new file mode 100644
index 00000000..ece00909
--- /dev/null
+++ b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy+IDSProxyThrottle.m
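Review bot: The pointer-to-pointer parameters of `recordTimestampForAppropriateInterval:key:consecutiveWrites:` are in/out — the implementation in the .m replaces both `*timeTable` and `*consecutiveWrites` when it finds no matching minute slice — but nothing in this header says so, and `timeout` on `setNewTimer:` carries no unit even though the implementation multiplies it by `seconds_per_minute`. Suggest documenting those contracts on the declarations, e.g. `// timeout is in minutes; the returned source is already resumed and fires -penaltyTimerFired:deviceName:peerID: on the main queue` above `setNewTimer:` and `// timeTable / consecutiveWrites are in-out: both are replaced when the five-minute table is reset` above `recordTimestampForAppropriateInterval:`. `filterForWritableValues:` returning nil when the message was queued instead of passed through is also worth stating here, since the caller has to treat nil as "queued, not an error".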
@@ -0,0 +1,397 @@ +/* + * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import <Foundation/NSArray.h> +#import <Foundation/Foundation.h> + +#import <Security/SecBasePriv.h> +#import <Security/SecItemPriv.h> +#import <utilities/debugging.h> +#import <notify.h> + +#include <Security/CKBridge/SOSCloudKeychainConstants.h> +#include <Security/SecureObjectSync/SOSARCDefines.h> +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSCloudCircleInternal.h> + +#import <IDS/IDS.h> +#import <os/activity.h> + +#include <utilities/SecAKSWrappers.h> +#include <utilities/SecCFRelease.h> +#include <AssertMacros.h> + +#import "IDSPersistentState.h" +#import "IDSKeychainSyncingProxy+IDSProxySendMessage.h" +#import "IDSKeychainSyncingProxy+IDSProxyThrottle.h" + +static NSString *kExportUnhandledMessages = @"UnhandledMessages"; +static NSString *kMonitorState = @"MonitorState"; + +static NSString *kMonitorPenaltyBoxKey = @"Penalty"; +static NSString *kMonitorMessageKey = @"Message"; +static NSString 
*kMonitorConsecutiveWrites = @"ConsecutiveWrites"; +static NSString *kMonitorLastWriteTimestamp = @"LastWriteTimestamp"; +static NSString *kMonitorMessageQueue = @"MessageQueue"; +static NSString *kMonitorPenaltyTimer = @"PenaltyTimer"; +static NSString *kMonitorDidWriteDuringPenalty = @"DidWriteDuringPenalty"; + +static NSString *kMonitorTimeTable = @"TimeTable"; +static NSString *kMonitorFirstMinute = @"AFirstMinute"; +static NSString *kMonitorSecondMinute = @"BSecondMinute"; +static NSString *kMonitorThirdMinute = @"CThirdMinute"; +static NSString *kMonitorFourthMinute = @"DFourthMinute"; +static NSString *kMonitorFifthMinute = @"EFifthMinute"; +static NSString *kMonitorWroteInTimeSlice = @"TimeSlice"; + +static int max_penalty_timeout = 32; +static int seconds_per_minute = 60; + +static const int64_t kRetryTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms leeway for handling unhandled messages. + +@implementation IDSKeychainSyncingProxy (IDSProxyThrottle) + +-(dispatch_source_t)setNewTimer:(int)timeout key:(NSString*)key deviceName:(NSString*)deviceName peerID:(NSString*)peerID +{ + + __block dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_main_queue()); + dispatch_source_set_timer(timer, dispatch_time(DISPATCH_TIME_NOW, timeout * NSEC_PER_SEC * seconds_per_minute), DISPATCH_TIME_FOREVER, kRetryTimerLeeway); + dispatch_source_set_event_handler(timer, ^{ + [self penaltyTimerFired:key deviceName:deviceName peerID:peerID]; + }); + dispatch_resume(timer); + return timer; +} + +-(void) increasePenalty:(NSNumber*)currentPenalty key:(NSString*)key keyEntry:(NSMutableDictionary**)keyEntry deviceName:(NSString*)deviceName peerID:(NSString*)peerID +{ + secnotice("backoff", "increasing penalty!"); + int newPenalty = 0; + + if ([currentPenalty intValue] <= 0) + newPenalty = 1; + else + newPenalty = fmin([currentPenalty intValue]*2, max_penalty_timeout); + + secnotice("backoff", "key %@, waiting %d minutes long to send next 
messages", key, newPenalty); + + NSNumber* penalty_timeout = [[NSNumber alloc]initWithInt:newPenalty]; + dispatch_source_t existingTimer = [*keyEntry objectForKey:kMonitorPenaltyTimer]; + + if(existingTimer != nil){ + [*keyEntry removeObjectForKey:kMonitorPenaltyTimer]; + dispatch_suspend(existingTimer); + dispatch_source_set_timer(existingTimer,dispatch_time(DISPATCH_TIME_NOW, newPenalty * NSEC_PER_SEC * seconds_per_minute), DISPATCH_TIME_FOREVER, kRetryTimerLeeway); + dispatch_resume(existingTimer); + [*keyEntry setObject:existingTimer forKey:kMonitorPenaltyTimer]; + } + else{ + dispatch_source_t timer = [self setNewTimer:newPenalty key:key deviceName:deviceName peerID:peerID]; + [*keyEntry setObject:timer forKey:kMonitorPenaltyTimer]; + } + + [*keyEntry setObject:penalty_timeout forKey:kMonitorPenaltyBoxKey]; + [[IDSKeychainSyncingProxy idsProxy].monitor setObject:*keyEntry forKey:key]; +} + +-(void) decreasePenalty:(NSNumber*)currentPenalty key:(NSString*)key keyEntry:(NSMutableDictionary**)keyEntry deviceName:(NSString*)deviceName peerID:(NSString*)peerID +{ + int newPenalty = 0; + secnotice("backoff","decreasing penalty!"); + if([currentPenalty intValue] == 0 || [currentPenalty intValue] == 1) + newPenalty = 0; + else + newPenalty = [currentPenalty intValue]/2; + + secnotice("backoff","key %@, waiting %d minutes long to send next messages", key, newPenalty); + + NSNumber* penalty_timeout = [[NSNumber alloc]initWithInt:newPenalty]; + + dispatch_source_t existingTimer = [*keyEntry objectForKey:kMonitorPenaltyTimer]; + if(existingTimer != nil){ + [*keyEntry removeObjectForKey:kMonitorPenaltyTimer]; + dispatch_suspend(existingTimer); + if(newPenalty != 0){ + dispatch_source_set_timer(existingTimer,dispatch_time(DISPATCH_TIME_NOW, newPenalty * NSEC_PER_SEC * seconds_per_minute), DISPATCH_TIME_FOREVER, kRetryTimerLeeway); + dispatch_resume(existingTimer); + [*keyEntry setObject:existingTimer forKey:kMonitorPenaltyTimer]; + } + else{ + 
dispatch_resume(existingTimer); + dispatch_source_cancel(existingTimer); + } + } + else{ + if(newPenalty != 0){ + dispatch_source_t timer = [self setNewTimer:newPenalty key:key deviceName:deviceName peerID:peerID]; + [*keyEntry setObject:timer forKey:kMonitorPenaltyTimer]; + } + } + + [*keyEntry setObject:penalty_timeout forKey:kMonitorPenaltyBoxKey]; + [[IDSKeychainSyncingProxy idsProxy].monitor setObject:*keyEntry forKey:key]; + +} + +- (void)penaltyTimerFired:(NSString*)key deviceName:(NSString*)deviceName peerID:(NSString*)peerID +{ + secnotice("backoff", "key: %@, !!!!!!!!!!!!!!!!penalty timeout is up!!!!!!!!!!!!", key); + NSMutableDictionary *keyEntry = [[IDSKeychainSyncingProxy idsProxy].monitor objectForKey:key]; + if(!keyEntry){ + [self initializeKeyEntry:key]; + keyEntry = [[IDSKeychainSyncingProxy idsProxy].monitor objectForKey:key]; + } + NSMutableArray *queuedMessages = [[IDSKeychainSyncingProxy idsProxy].monitor objectForKey:kMonitorMessageQueue]; + secnotice("backoff","key: %@, queuedMessages: %@", key, queuedMessages); + if(queuedMessages && [queuedMessages count] != 0){ + secnotice("backoff","key: %@, message queue not empty, writing to IDS!", key); + [queuedMessages enumerateObjectsUsingBlock:^(id _Nonnull obj, NSUInteger idx, BOOL * _Nonnull stop) { + NSError* error = nil; + NSDictionary* message = (NSDictionary*) obj; + NSString *identifier = [NSString string]; + [self sendIDSMessage:message name:deviceName peer:peerID identifier:&identifier error:&error]; + }]; + + [[IDSKeychainSyncingProxy idsProxy].monitor setObject:[NSMutableArray array] forKey:kMonitorMessageQueue]; + } + //decrease timeout since we successfully wrote messages out + NSNumber *penalty_timeout = [keyEntry objectForKey:kMonitorPenaltyBoxKey]; + secnotice("backoff", "key: %@, current penalty timeout: %@", key, penalty_timeout); + + NSString* didWriteDuringTimeout = [keyEntry objectForKey:kMonitorDidWriteDuringPenalty]; + if( didWriteDuringTimeout && [didWriteDuringTimeout 
isEqualToString:@"YES"] ) + { + //increase timeout since we wrote during out penalty timeout + [self increasePenalty:penalty_timeout key:key keyEntry:&keyEntry deviceName:deviceName peerID:peerID]; + } + else{ + //decrease timeout since we successfully wrote messages out + [self decreasePenalty:penalty_timeout key:key keyEntry:&keyEntry deviceName:deviceName peerID:peerID]; + } + + //resetting the check + [keyEntry setObject: @"NO" forKey:kMonitorDidWriteDuringPenalty]; + + //recompute the timetable and number of consecutive writes to IDS + NSMutableDictionary *timetableForKey = [keyEntry objectForKey:kMonitorTimeTable]; + if(timetableForKey == nil){ + timetableForKey = [self initializeTimeTable:key]; + } + NSNumber *consecutiveWrites = [keyEntry objectForKey:kMonitorConsecutiveWrites]; + if(consecutiveWrites == nil){ + consecutiveWrites = [[NSNumber alloc] initWithInt:0]; + } + [self recordTimestampForAppropriateInterval:&timetableForKey key:key consecutiveWrites:&consecutiveWrites]; + + [keyEntry setObject:consecutiveWrites forKey:kMonitorConsecutiveWrites]; + [keyEntry setObject:timetableForKey forKey:kMonitorTimeTable]; + [[IDSKeychainSyncingProxy idsProxy].monitor setObject:keyEntry forKey:key]; + +} + +-(NSMutableDictionary*)initializeTimeTable:(NSString*)key +{ + NSDate *currentTime = [NSDate date]; + NSMutableDictionary *firstMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute], kMonitorFirstMinute, @"YES", kMonitorWroteInTimeSlice, nil]; + NSMutableDictionary *secondMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 2],kMonitorSecondMinute, @"NO", kMonitorWroteInTimeSlice, nil]; + NSMutableDictionary *thirdMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 3], kMonitorThirdMinute, @"NO",kMonitorWroteInTimeSlice, nil]; + NSMutableDictionary *fourthMinute = 
[NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 4],kMonitorFourthMinute, @"NO", kMonitorWroteInTimeSlice, nil]; + NSMutableDictionary *fifthMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 5], kMonitorFifthMinute, @"NO", kMonitorWroteInTimeSlice, nil]; + + NSMutableDictionary *timeTable = [NSMutableDictionary dictionaryWithObjectsAndKeys: firstMinute, kMonitorFirstMinute, + secondMinute, kMonitorSecondMinute, + thirdMinute, kMonitorThirdMinute, + fourthMinute, kMonitorFourthMinute, + fifthMinute, kMonitorFifthMinute, nil]; + return timeTable; +} + +- (void)initializeKeyEntry:(NSString*)key +{ + NSMutableDictionary *timeTable = [[IDSKeychainSyncingProxy idsProxy] initializeTimeTable:key]; + NSDate *currentTime = [NSDate date]; + + NSMutableDictionary *keyEntry = [NSMutableDictionary dictionaryWithObjectsAndKeys: key, kMonitorMessageKey, @0, kMonitorConsecutiveWrites, currentTime, kMonitorLastWriteTimestamp, @0, kMonitorPenaltyBoxKey, timeTable, kMonitorTimeTable,[NSMutableDictionary dictionary], kMonitorMessageQueue, nil]; + + [[IDSKeychainSyncingProxy idsProxy].monitor setObject:keyEntry forKey:key]; + +} + +- (void)recordTimestampForAppropriateInterval:(NSMutableDictionary**)timeTable key:(NSString*)key consecutiveWrites:(NSNumber**)consecutiveWrites +{ + NSDate *currentTime = [NSDate date]; + __block int cWrites = [*consecutiveWrites intValue]; + __block BOOL foundTimeSlot = NO; + __block NSMutableDictionary *previousTable = nil; + + NSArray *sortedTimestampKeys = [[*timeTable allKeys] sortedArrayUsingSelector:@selector(compare:)]; + [sortedTimestampKeys enumerateObjectsUsingBlock:^(id arrayObject, NSUInteger idx, BOOL *stop) + { + if(foundTimeSlot == YES) + return; + + NSString *sortedKey = (NSString*)arrayObject; + + //grab the dictionary containing write information + //(date, boolean to check if a write occured in the timeslice, 
+ NSMutableDictionary *minutesTable = [*timeTable objectForKey: sortedKey]; + if(minutesTable == nil) + minutesTable = [[IDSKeychainSyncingProxy idsProxy] initializeTimeTable:key]; + + NSString *minuteKey = (NSString*)sortedKey; + NSDate *timeStampForSlice = [minutesTable objectForKey:minuteKey]; + + if(timeStampForSlice && [timeStampForSlice compare:currentTime] == NSOrderedDescending){ + foundTimeSlot = YES; + NSString* written = [minutesTable objectForKey:kMonitorWroteInTimeSlice]; + //figure out if we have previously recorded a write in this time slice + if([written isEqualToString:@"NO"]){ + [minutesTable setObject:@"YES" forKey:kMonitorWroteInTimeSlice]; + if(previousTable != nil){ + //if we wrote in the previous time slice count the current time as in the consecutive write count + written = [previousTable objectForKey:kMonitorWroteInTimeSlice]; + if([written isEqualToString:@"YES"]){ + cWrites++; + } + else if ([written isEqualToString:@"NO"]){ + cWrites = 0; + } + } + } + return; + } + previousTable = minutesTable; + }]; + + if(foundTimeSlot == NO){ + //reset the time table + secnotice("backoff","didn't find a time slot, resetting the table"); + + //record if a write occured between the last time slice of + //the time table entries and now. 
+ NSMutableDictionary *lastTable = [*timeTable objectForKey:kMonitorFifthMinute]; + NSDate *lastDate = [lastTable objectForKey:kMonitorFifthMinute]; + + if(lastDate && ((double)[currentTime timeIntervalSinceDate: lastDate] >= seconds_per_minute)){ + *consecutiveWrites = [[NSNumber alloc]initWithInt:0]; + } + else{ + NSString* written = [lastTable objectForKey:kMonitorWroteInTimeSlice]; + if(written && [written isEqualToString:@"YES"]){ + cWrites++; + *consecutiveWrites = [[NSNumber alloc]initWithInt:cWrites]; + } + else{ + *consecutiveWrites = [[NSNumber alloc]initWithInt:0]; + } + } + + *timeTable = [[IDSKeychainSyncingProxy idsProxy] initializeTimeTable:key]; + return; + } + *consecutiveWrites = [[NSNumber alloc]initWithInt:cWrites]; +} +- (void)recordTimestampOfWriteToIDS:(NSDictionary *)values deviceName:(NSString*)name peerID:(NSString*)peerid +{ + if([[IDSKeychainSyncingProxy idsProxy].monitor count] == 0){ + [values enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) + { + [self initializeKeyEntry: key]; + }]; + } + else{ + [values enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) + { + NSMutableDictionary *keyEntry = [[IDSKeychainSyncingProxy idsProxy].monitor objectForKey:key]; + if(keyEntry == nil){ + [self initializeKeyEntry: key]; + } + else{ + NSNumber *penalty_timeout = [keyEntry objectForKey:kMonitorPenaltyBoxKey]; + NSDate *lastWriteTimestamp = [keyEntry objectForKey:kMonitorLastWriteTimestamp]; + NSMutableDictionary *timeTable = [keyEntry objectForKey: kMonitorTimeTable]; + NSNumber *existingWrites = [keyEntry objectForKey: kMonitorConsecutiveWrites]; + NSDate *currentTime = [NSDate date]; + + //record the write happened in our timetable structure + [self recordTimestampForAppropriateInterval:&timeTable key:key consecutiveWrites:&existingWrites]; + + int consecutiveWrites = [existingWrites intValue]; + secnotice("backoff","consecutive writes: %d", consecutiveWrites); + [keyEntry setObject:existingWrites 
forKey:kMonitorConsecutiveWrites]; + [keyEntry setObject:timeTable forKey:kMonitorTimeTable]; + [keyEntry setObject:currentTime forKey:kMonitorLastWriteTimestamp]; + [[IDSKeychainSyncingProxy idsProxy].monitor setObject:keyEntry forKey:key]; + + if( (penalty_timeout && [penalty_timeout intValue] != 0 ) || ((double)[currentTime timeIntervalSinceDate: lastWriteTimestamp] <= 60 && consecutiveWrites >= 5)){ + + if( (penalty_timeout == nil || [penalty_timeout intValue] == 0) && consecutiveWrites == 5){ + secnotice("backoff","written for 5 consecutive minutes, time to start throttling"); + [self increasePenalty:penalty_timeout key:key keyEntry:&keyEntry deviceName:name peerID:peerid]; + } + else + secnotice("backoff","monitor: keys have been written for 5 or more minutes, recording we wrote during timeout"); + + //record we wrote during a timeout + [keyEntry setObject: @"YES" forKey:kMonitorDidWriteDuringPenalty]; + } + else if((double)[currentTime timeIntervalSinceDate: lastWriteTimestamp] <= 60 && consecutiveWrites < 5){ + //for debugging purposes + secnotice("backoff","monitor: still writing freely"); + [keyEntry setObject: @"NO" forKey:kMonitorDidWriteDuringPenalty]; + } + else if([penalty_timeout intValue] != 0 && ((double)[currentTime timeIntervalSinceDate: lastWriteTimestamp] > 60 && consecutiveWrites > 5) ){ + + //encountered a write even though we're in throttle mode + [keyEntry setObject: @"YES" forKey:kMonitorDidWriteDuringPenalty]; + } + } + }]; + } +} + +- (NSDictionary*)filterForWritableValues:(NSDictionary *)values +{ + secnotice("backoff", "filterForWritableValues: %@", values); + NSMutableDictionary *keyEntry_operationType = [[IDSKeychainSyncingProxy idsProxy].monitor objectForKey:@"IDSMessageOperation"]; + + secnotice("backoff", "keyEntry_operationType: %@", keyEntry_operationType); + + NSNumber *penalty = [keyEntry_operationType objectForKey:kMonitorPenaltyBoxKey]; + + if(penalty && [penalty intValue] != 0){ + + NSMutableArray *queuedMessage = 
[[IDSKeychainSyncingProxy idsProxy].monitor objectForKey:kMonitorMessageQueue]; + if(queuedMessage == nil) + queuedMessage = [NSMutableArray array]; + secnotice("backoff", "writing to queuedMessages: %@", queuedMessage); + [queuedMessage addObject:values]; + [[IDSKeychainSyncingProxy idsProxy].monitor setObject:queuedMessage forKey:kMonitorMessageQueue]; + return NULL; + } + + return values; +} + +@end diff --git a/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist index 316edd1c..07887652 100644 --- a/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist +++ b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist @@ -21,10 +21,12 @@ <key>CFBundlePackageType</key> <string>BNDL</string> <key>CFBundleShortVersionString</key> - <string>10.0</string> + <string>1.0</string> <key>CFBundleSignature</key> <string>????</string> <key>CFBundleVersion</key> <string>${CURRENT_PROJECT_VERSION}</string> + <key>NSHumanReadableCopyright</key> + <string>Copyright © 2013 Apple, Inc. All rights reserved.</string> </dict> </plist> diff --git a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSPersistentState.h b/IDSKeychainSyncingProxy/IDSPersistentState.h similarity index 96% rename from OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSPersistentState.h rename to IDSKeychainSyncingProxy/IDSPersistentState.h index 5afb3a73..11a124fa 100644 --- a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSPersistentState.h +++ b/IDSKeychainSyncingProxy/IDSPersistentState.h @@ -35,7 +35,7 @@ + (id)read:(NSURL *)path error:(NSError **)error; + (BOOL)write:(NSURL *)path data:(id)plist error:(NSError **)error; + (NSString *)dictionaryDescription: (NSDictionary *)state; -+ (NSMutableDictionary *)unhandledMessages; ++ (NSMutableDictionary *)idsState; + (void)setUnhandledMessages: (NSDictionary *)unhandledMessages; + (NSURL *)registrationFileURL; 
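Review bot: In `penaltyTimerFired:deviceName:peerID:` the queued messages are replayed through `sendIDSMessage:name:peer:identifier:error:`, but its return value and the `error` out-parameter are discarded and the queue is then unconditionally replaced with an empty array, so any message whose resend fails (the SendMessage hunk returns `false` on its `fail:` path) is silently lost, and the "successfully wrote messages out" branch below runs regardless. Keeping the failed entries for the next timer fire, as sketched below, avoids dropping keychain sync traffic on a transient IDS error. The same hunk also stores the live `dispatch_source_t` under `kMonitorPenaltyTimer` inside the per-key entry of `monitor`, and `monitor` is what `exportState`/`persistState` in IDSProxy.m hand to `setUnhandledMessages:`; if that write is property-list based the timer object is not serialisable and the whole state write would fail, and after `importIDSState:` no timer would be rescheduled anyway, so the timers are better kept in a separate, non-persisted map (as `pingTimers` already is) or stripped before export. Separately, `initializeKeyEntry:` seeds the per-key `kMonitorMessageQueue` with an `NSMutableDictionary`, while `filterForWritableValues:` and `penaltyTimerFired:` read and write a top-level `NSMutableArray` under the same key — one of the two appears dead, and the mismatched types invite a crash if either path is ever routed to the other.
```objective-c
    if(queuedMessages && [queuedMessages count] != 0){
        secnotice("backoff","key: %@, message queue not empty, writing to IDS!", key);
        NSMutableArray *stillQueued = [NSMutableArray array];
        for (NSDictionary *message in queuedMessages) {
            NSError *error = nil;
            NSString *identifier = [NSString string];
            if (![self sendIDSMessage:message name:deviceName peer:peerID identifier:&identifier error:&error]) {
                secerror("backoff: key %@, resend of queued message failed, keeping it queued: %@", key, error);
                [stillQueued addObject:message];
            }
        }
        // Only messages that actually went out are dropped; failures wait for the next timer fire.
        [[IDSKeychainSyncingProxy idsProxy].monitor setObject:stillQueued forKey:kMonitorMessageQueue];
    }
    // … unchanged: penalty increase/decrease and time-table bookkeeping …
```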
diff --git a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSPersistentState.m b/IDSKeychainSyncingProxy/IDSPersistentState.m similarity index 96% rename from OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSPersistentState.m rename to IDSKeychainSyncingProxy/IDSPersistentState.m index 294fc341..0bc5b581 100644 --- a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSPersistentState.m +++ b/IDSKeychainSyncingProxy/IDSPersistentState.m @@ -108,7 +108,7 @@ static CFStringRef kRegistrationFileName = CFSTR("com.apple.security.idskeychain return [elements componentsJoinedByString: @" "]; } -+ (NSMutableDictionary *)unhandledMessages ++ (NSMutableDictionary *)idsState { NSError *error = NULL; id stateDictionary = [IDSKeychainSyncingProxyPersistentState read:[[self class] registrationFileURL] error:&error]; @@ -122,7 +122,7 @@ static CFStringRef kRegistrationFileName = CFSTR("com.apple.security.idskeychain + (void)setUnhandledMessages: (NSDictionary *)unhandledMessages { NSError *error = NULL; - secdebug("keyregister", "Write registeredKeys: <%@>", [self dictionaryDescription: unhandledMessages]); + secdebug("IDS unhandled message", "Write unhandled Messages and monitor state: <%@>", [self dictionaryDescription: unhandledMessages]); [IDSKeychainSyncingProxyPersistentState write:[[self class] registrationFileURL] data:unhandledMessages error:&error]; } diff --git a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSProxy.h b/IDSKeychainSyncingProxy/IDSProxy.h similarity index 75% rename from OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSProxy.h rename to IDSKeychainSyncingProxy/IDSProxy.h index 29a88c4f..61e3228a 100644 --- a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSProxy.h +++ b/IDSKeychainSyncingProxy/IDSProxy.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -32,9 +32,6 @@ #import "SOSCloudKeychainClient.h" #import <utilities/debugging.h> -#define IDSPROXYSCOPE "IDSProxy" -#define IDSServiceNameKeychainSync "com.apple.private.alloy.keychainsync" - typedef enum { kIDSStartPingTestMessage = 1, kIDSEndPingTestMessage= 2, @@ -42,7 +39,8 @@ typedef enum { kIDSSyncMessagesRaw = 4, kIDSSyncMessagesCompact = 5, kIDSPeerAvailability = 6, - kIDSPeerAvailabilityDone = 7 + kIDSPeerAvailabilityDone = 7, + kIDSKeychainSyncIDSFragmentation = 8 } idsOperation; typedef enum { 
@@ -51,32 +49,36 @@ typedef enum { kSecIDSErrorFailedToSend=-3, kSecIDSErrorCouldNotFindMatchingAuthToken = -4, kSecIDSErrorDeviceIsLocked = -5, - kSecIDSErrorBatchControllerUninitialized = -6 + kSecIDSErrorNoPeersAvailable = -6 + } idsError; -@interface IDSKeychainSyncingProxy : NSObject <IDSServiceDelegate, IDSBatchIDQueryControllerDelegate> +@interface IDSKeychainSyncingProxy : NSObject <IDSServiceDelegate> { - CloudItemsChangedBlock itemsChangedCallback; IDSService *_service; NSString *_deviceID; - NSMutableDictionary *_unhandledMessageBuffer; } @property (retain, nonatomic) NSMutableDictionary *unhandledMessageBuffer; @property (retain, nonatomic) NSMutableDictionary *shadowPendingMessages; +@property (retain, nonatomic) NSMutableDictionary *allFragmentedMessages; +@property (retain, nonatomic) NSMutableDictionary *pingTimers; + +@property (atomic) dispatch_source_t penaltyTimer; +@property (atomic) bool penaltyTimerScheduled; +@property (retain, atomic) NSMutableDictionary *monitor; +@property (retain, atomic) NSDictionary *queuedMessages; @property (atomic) bool isIDSInitDone; @property (atomic) bool isSecDRunningAsRoot; +@property (atomic) bool doesSecDHavePeer; @property (atomic) dispatch_queue_t calloutQueue; @property (atomic) bool isLocked; @property (atomic) bool unlockedSinceBoot; -@property (atomic) dispatch_source_t syncTimer; -@property (atomic) bool syncTimerScheduled; -@property (atomic) dispatch_time_t deadline; -@property (atomic) dispatch_time_t lastSyncTime; +@property (atomic) dispatch_source_t retryTimer; +@property (atomic) bool retryTimerScheduled; @property (atomic) bool inCallout; -@property (atomic) bool oldInCallout; @property (atomic) bool setIDSDeviceID; @property (atomic) bool shadowDoSetIDSDeviceID; 
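Review bot: `kSecIDSErrorNoPeersAvailable = -6` reuses the numeric value of the removed `kSecIDSErrorBatchControllerUninitialized`, so any consumer that still matches on -6 silently changes meaning; unless it is certain no out-of-tree code inspects that code, a fresh value (`kSecIDSErrorNoPeersAvailable = -7`) is safer. `@property (retain, atomic) NSMutableDictionary *monitor;` only makes the pointer atomic: the Throttle category mutates the dictionary and its nested per-key entries in place from timer handlers, and the keychain-changed notification handler in IDSProxy.m replaces it outright, so a comment naming the queue that owns it would prevent a later caller from touching it from the callout queue, e.g. `// Backoff state keyed by message key; mutated in place, main queue only.` (the ownership is inferred from the visible handlers, so confirm before writing it). `queuedMessages` is typed `NSDictionary` while the queue the Throttle code maintains is an `NSMutableArray` kept inside `monitor`; the property is not referenced in the visible hunks, so it may be dead or mistyped.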
@@ -86,13 +88,16 @@ typedef enum { + (IDSKeychainSyncingProxy *) idsProxy; - (id)init; -- (void)setItemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock; -- (void)streamEvent:(xpc_object_t)notification; -- (BOOL) sendIDSMessage:(NSDictionary*)data name:(NSString*)deviceName peer:(NSString*) peerID error:(NSError**) error; -- (BOOL) doSetIDSDeviceID: (NSError**)error; +- (void) importIDSState: (NSMutableDictionary*) state; + +- (void) doSetIDSDeviceID; - (void) doIDSInitialization; - (void) calloutWith: (void(^)(NSMutableDictionary *pending, bool handlePendingMesssages, bool doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *handledMessages, bool handledPendingMessage, bool handledSettingDeviceID))) callout; - (void) sendKeysCallout: (NSMutableDictionary *(^)(NSMutableDictionary* pending, NSError** error)) handleMessages; +- (void)persistState; +- (void)scheduleRetryRequestTimer; @end + +NSString* createErrorString(NSString* format, ...); diff --git a/IDSKeychainSyncingProxy/IDSProxy.m b/IDSKeychainSyncingProxy/IDSProxy.m new file mode 100644 index 00000000..c5d349f1 --- /dev/null +++ b/IDSKeychainSyncingProxy/IDSProxy.m 
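Review bot: `NSString* createErrorString(NSString* format, ...);` is a printf-style variadic taking an `NSString` format, but it is declared without a format attribute, so mismatches between the format and its arguments at the call sites in the SendMessage hunk are not diagnosed by the compiler; declare it as `NSString* createErrorString(NSString* format, ...) NS_FORMAT_FUNCTION(1,2);`. `doSetIDSDeviceID` also drops its previous `BOOL`/`NSError**` contract to `void`, and the implementation in IDSProxy.m only logs on its `fail:` label, so a caller such as the peer-info notification handler cannot tell whether the device ID was actually set; keeping a `BOOL` return costs nothing and lets that handler retry or surface the failure.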
@@ -0,0 +1,415 @@ +/* + * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// IDSProxy.m +// ids-xpc +// + + +#import <Foundation/NSArray.h> +#import <Foundation/Foundation.h> + +#import <Security/SecBasePriv.h> +#import <Security/SecItemPriv.h> +#import <utilities/debugging.h> +#import <notify.h> + +#include <Security/CKBridge/SOSCloudKeychainConstants.h> +#include <Security/SecureObjectSync/SOSARCDefines.h> +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSCloudCircleInternal.h> + +#import <IDS/IDS.h> +#import <os/activity.h> + +#include <utilities/SecAKSWrappers.h> +#include <utilities/SecCFRelease.h> +#include <AssertMacros.h> + +#import "IDSProxy.h" +#import "IDSKeychainSyncingProxy+IDSProxyReceiveMessage.h" +#import "IDSKeychainSyncingProxy+IDSProxySendMessage.h" +#import "IDSKeychainSyncingProxy+IDSProxyThrottle.h" +#import "IDSPersistentState.h" + +#define kSecServerKeychainChangedNotification "com.apple.security.keychainchanged" +#define kSecServerPeerInfoAvailable 
"com.apple.security.fpiAvailable" + +#define IDSServiceNameKeychainSync "com.apple.private.alloy.keychainsync" +static NSString *kMonitorState = @"MonitorState"; +static NSString *kExportUnhandledMessages = @"UnhandledMessages"; +static const char *kStreamName = "com.apple.notifyd.matching"; + +NSString *const IDSSendMessageOptionForceEncryptionOffKey = @"IDSSendMessageOptionForceEncryptionOff"; +static const int64_t kRetryTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms leeway for handling unhandled messages. +static const int64_t kMinMessageRetryDelay = (NSEC_PER_SEC * 8); + +CFStringRef kSOSErrorDomain = CFSTR("com.apple.security.sos.error"); + +CFIndex kSOSErrorPeerNotFound = 1032; +CFIndex SECD_RUN_AS_ROOT_ERROR = 1041; + +#define IDSPROXYSCOPE "IDSProxy" + +@implementation IDSKeychainSyncingProxy + ++ (IDSKeychainSyncingProxy *) idsProxy +{ + static IDSKeychainSyncingProxy *idsProxy; + if (!idsProxy) { + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + idsProxy = [[self alloc] init]; + }); + } + return idsProxy; +} + +-(NSDictionary*) exportState +{ + return @{ kMonitorState:_monitor, + kExportUnhandledMessages:_unhandledMessageBuffer + }; + +} +- (void)persistState +{ + if([_unhandledMessageBuffer count] > 0){ + [IDSKeychainSyncingProxyPersistentState setUnhandledMessages:[self exportState]]; + } +} + +- (void) importIDSState: (NSMutableDictionary*) state +{ + _unhandledMessageBuffer = state[kExportUnhandledMessages]; + if(!_unhandledMessageBuffer) + _unhandledMessageBuffer = [NSMutableDictionary dictionary]; + + _monitor = state[kMonitorState]; + if(_monitor == nil) + _monitor = [NSMutableDictionary dictionary]; +} + +- (id)init +{ + if (self = [super init]) + { + secnotice("event", "%@ start", self); + + _isIDSInitDone = false; + _service = nil; + _calloutQueue = dispatch_queue_create("IDSCallout", DISPATCH_QUEUE_SERIAL); + _unhandledMessageBuffer = [ [NSMutableDictionary alloc] initWithCapacity: 0]; + _pingTimers = [ [NSMutableDictionary 
alloc] initWithCapacity: 0]; + + _isSecDRunningAsRoot = false; + _doesSecDHavePeer = true; + + secdebug(IDSPROXYSCOPE, "%@ done", self); + + [self doIDSInitialization]; + if(_isIDSInitDone) + [self doSetIDSDeviceID]; + + + // Register for lock state changes + xpc_set_event_stream_handler(kStreamName, dispatch_get_main_queue(), + ^(xpc_object_t notification){ + [self streamEvent:notification]; + }); + + _retryTimer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_main_queue()); + dispatch_source_set_timer(_retryTimer, DISPATCH_TIME_FOREVER, DISPATCH_TIME_FOREVER, kRetryTimerLeeway); + dispatch_source_set_event_handler(_retryTimer, ^{ + [self timerFired]; + }); + dispatch_resume(_retryTimer); + [self importIDSState: [IDSKeychainSyncingProxyPersistentState idsState]]; + + int notificationToken; + notify_register_dispatch(kSecServerKeychainChangedNotification, ¬ificationToken, dispatch_get_main_queue(), + ^ (int token __unused) + { + secinfo("backoff", "keychain changed, wiping backoff monitor state"); + _monitor = [NSMutableDictionary dictionary]; + }); + int peerInfo; + notify_register_dispatch(kSecServerPeerInfoAvailable, &peerInfo, dispatch_get_main_queue(), + ^ (int token __unused) + { + secinfo("IDS Transport", "secd has a peer info"); + if(_doesSecDHavePeer == false){ + _doesSecDHavePeer = true; + [self doSetIDSDeviceID]; + } + }); + + [self updateUnlockedSinceBoot]; + [self updateIsLocked]; + if (!_isLocked) + [self keybagDidUnlock]; + + + } + return self; +} + +- (void)streamEvent:(xpc_object_t)notification +{ +#if (!TARGET_IPHONE_SIMULATOR) + const char *notificationName = xpc_dictionary_get_string(notification, "Notification"); + if (!notificationName) { + } else if (strcmp(notificationName, kUserKeybagStateChangeNotification)==0) { + return [self keybagStateChange]; + } + const char *eventName = xpc_dictionary_get_string(notification, "XPCEventName"); + char *desc = xpc_copy_description(notification); + secnotice("event", "%@ event: 
%s name: %s desc: %s", self, eventName, notificationName, desc); + if (desc) + free((void *)desc); +#endif +} + +- (void) keybagDidLock +{ + secnotice("IDS Transport", "%@ locking!", self); +} + +- (void) keybagDidUnlock +{ + secnotice("IDS Transport", "%@ unlocking!", self); + [self handleAllPendingMessage]; +} + +- (BOOL) updateUnlockedSinceBoot +{ + CFErrorRef aksError = NULL; + if (!SecAKSGetHasBeenUnlocked(&_unlockedSinceBoot, &aksError)) { + secerror("%@ Got error from SecAKSGetHasBeenUnlocked: %@", self, aksError); + CFReleaseSafe(aksError); + return NO; + } + return YES; +} + +- (BOOL) updateIsLocked +{ + CFErrorRef aksError = NULL; + if (!SecAKSGetIsLocked(&_isLocked, &aksError)) { + secerror("%@ Got error querying lock state: %@", self, aksError); + CFReleaseSafe(aksError); + return NO; + } + secerror("updateIsLocked: %d", _isLocked); + if (!_isLocked) + _unlockedSinceBoot = YES; + return YES; +} + +- (void) keybagStateChange +{ + os_activity_initiate("keybagStateChanged", OS_ACTIVITY_FLAG_DEFAULT, ^{ + secerror("keybagStateChange! was locked: %d", _isLocked); + BOOL wasLocked = _isLocked; + if ([self updateIsLocked]) { + if (wasLocked == _isLocked) + secdebug("IDS Transport", "%@ still %s ignoring", self, _isLocked ? 
"locked" : "unlocked"); + else if (_isLocked) + [self keybagDidLock]; + else + [self keybagDidUnlock]; + } + }); +} + + +- (void)timerFired +{ + if(_unhandledMessageBuffer) + secnotice("IDS Transport", "%@ attempting to hand unhandled messages to securityd, here is our message queue: %@", self, _unhandledMessageBuffer); + + if(_isLocked) + _retryTimerScheduled = NO; + else if([_unhandledMessageBuffer count] == 0) + _retryTimerScheduled = NO; + else if (_retryTimerScheduled && !_isLocked) + [self handleAllPendingMessage]; + else + [[IDSKeychainSyncingProxy idsProxy] scheduleRetryRequestTimer]; + +} + +- (void)scheduleRetryRequestTimer +{ + secnotice("IDS Transport", "scheduling unhandled messages timer"); + dispatch_source_set_timer(_retryTimer, dispatch_time(DISPATCH_TIME_NOW, kMinMessageRetryDelay), DISPATCH_TIME_FOREVER, kRetryTimerLeeway); + _retryTimerScheduled = YES; +} + +- (void)doIDSInitialization +{ + + secnotice("IDS Transport", "doIDSInitialization!"); + + _service = [[IDSService alloc] initWithService: @IDSServiceNameKeychainSync]; + + if( _service == nil ){ + _isIDSInitDone = false; + secerror("Could not create ids service"); + } + else{ + secnotice("IDS Transport", "IDS Transport Successfully set up IDS!"); + [_service addDelegate:self queue: dispatch_get_main_queue()]; + + _isIDSInitDone = true; + if(_isSecDRunningAsRoot == false) + [self doSetIDSDeviceID]; + } +} + +- (void) doSetIDSDeviceID +{ + NSInteger code = 0; + NSString *errorMessage = nil; + __block NSString* deviceID; + + if(!_isIDSInitDone){ + [self doIDSInitialization]; + } + require_action_quiet(_isSecDRunningAsRoot == false, fail, errorMessage = @"cannot set IDS device ID, secd is running as root"; code = SECD_RUN_AS_ROOT_ERROR;); + require_action_quiet(_doesSecDHavePeer == true, fail, errorMessage = @"cannot set IDS deviceID, secd does not have a full peer info for account"; code = kSOSErrorPeerNotFound); + require_action_quiet(_isIDSInitDone, fail, errorMessage = 
@"IDSKeychainSyncingProxy can't set up the IDS service"; code = kSecIDSErrorNotRegistered); + require_action_quiet(!_isLocked, fail, errorMessage = @"IDSKeychainSyncingProxy can't set device ID, device is locked"; code = kSecIDSErrorDeviceIsLocked); + + deviceID = IDSCopyLocalDeviceUniqueID(); + secdebug("IDS Transport", "This is our IDS device ID: %@", deviceID); + + require_action_quiet(deviceID != nil, fail, errorMessage = @"IDSKeychainSyncingProxy could not retrieve device ID from keychain"; code = kSecIDSErrorNoDeviceID); + + if(_inCallout && _isSecDRunningAsRoot == false){ + _shadowDoSetIDSDeviceID = YES; + } + else{ + _setIDSDeviceID = YES; + [self calloutWith:^(NSMutableDictionary *pending, bool handlePendingMesssages, bool doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *, bool, bool)) { + CFErrorRef localError = NULL; + bool handledSettingID = false; + handledSettingID = SOSCCSetDeviceID((__bridge CFStringRef) deviceID, &localError); + if(!handledSettingID && localError != NULL){ + + if(CFErrorGetCode(localError) == SECD_RUN_AS_ROOT_ERROR){ + secerror("SETTING RUN AS ROOT ERROR: %@", localError); + _isSecDRunningAsRoot = true; + } + else if (CFErrorGetCode(localError) == -536870174 && CFErrorGetDomain(localError) == kSecKernDomain) { + secnotice("IDS Transport", "system is locked, cannot set device ID, error: %@", localError); + _isLocked = true; + } + else if (CFErrorGetCode(localError) == kSOSErrorPeerNotFound && CFStringCompare(CFErrorGetDomain(localError), kSOSErrorDomain, 0) == 0){ + secnotice("IDS Transport","securityd does not have a peer yet , error: %@", localError); + _doesSecDHavePeer = false; + } + } + CFReleaseNull(localError); + dispatch_async(queue, ^{ + done(nil, NO, handledSettingID); + }); + }]; + } +fail: + if(errorMessage != nil){ + secerror("Setting device ID error: %@, code: %ld", errorMessage, (long)code); + } +} + +- (void) calloutWith: (void(^)(NSMutableDictionary *pending, bool handlePendingMesssages, bool 
doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *handledMessages, bool handledPendingMessage, bool handledSettingDeviceID))) callout +{ + // In IDSKeychainSyncingProxy serial queue + dispatch_queue_t idsproxy_queue = dispatch_get_main_queue(); + + // dispatch_get_global_queue - well-known global concurrent queue + // dispatch_get_main_queue - default queue that is bound to the main thread + xpc_transaction_begin(); + dispatch_async(_calloutQueue, ^{ + __block NSMutableDictionary *myPending; + __block bool myHandlePendingMessage; + __block bool myDoSetDeviceID; + __block bool wasLocked; + dispatch_sync(idsproxy_queue, ^{ + myPending = [_unhandledMessageBuffer copy]; + myHandlePendingMessage = _handleAllPendingMessages; + myDoSetDeviceID = _setIDSDeviceID; + wasLocked = _isLocked; + + _inCallout = YES; + + _shadowHandleAllPendingMessages = NO; + }); + + callout(myPending, myHandlePendingMessage, myDoSetDeviceID, idsproxy_queue, ^(NSMutableDictionary *handledMessages, bool handledPendingMessage, bool handledSetDeviceID) { + secdebug("event", "%@ %s%s before callout handled: %s%s", self, myHandlePendingMessage ? "P" : "p", myDoSetDeviceID ? "D" : "d", handledPendingMessage ? "H" : "h", handledSetDeviceID ? 
"I" : "i"); + + // In IDSKeychainSyncingProxy's serial queue + _inCallout = NO; + + // Update setting device id + _setIDSDeviceID = ((myDoSetDeviceID && !handledSetDeviceID)); + + _shadowDoSetIDSDeviceID = NO; + + if(_setIDSDeviceID && !_isLocked && _isSecDRunningAsRoot == false && _doesSecDHavePeer) + [self doSetIDSDeviceID]; + + xpc_transaction_end(); + }); + }); +} + +- (void) sendKeysCallout: (NSMutableDictionary*(^)(NSMutableDictionary* pending, NSError** error)) handleMessages { + [self calloutWith: ^(NSMutableDictionary *pending, bool handlePendingMesssages, bool doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *, bool, bool)) { + NSError* error = NULL; + + NSMutableDictionary* handled = handleMessages(pending, &error); + + dispatch_async(queue, ^{ + if (!handled && error) { + secerror("%@ did not handle message: %@", self, error); + } + + done(handled, NO, NO); + }); + }]; +} + +NSString* createErrorString(NSString* format, ...) +{ + va_list va; + va_start(va, format); + NSString* errorString = ([[NSString alloc] initWithFormat:format arguments:va]); + va_end(va); + return errorString; + +} + +@end diff --git a/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist b/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.ios.plist similarity index 79% rename from IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist rename to IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.ios.plist index 9f09d8bc..2f1f1d6c 100644 --- a/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist +++ b/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.ios.plist 
@@ -2,10 +2,31 @@ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> + <key>EnablePressuredExit</key> + <true/> + <key>EnvironmentVariables</key> + <dict> + <key>DEBUGSCOPE</key> + <string>all</string> + <key>WAIT4DEBUGGER</key> + <string>NO</string> + </dict> + <key>Label</key> + <string>com.apple.security.idskeychainsyncingproxy</string> <key>LaunchEvents</key> <dict> <key>com.apple.notifyd.matching</key> <dict> + <key>com.apple.mobile.keybagd.first_unlock</key> + <dict> + <key>Notification</key> + <string>com.apple.mobile.keybagd.first_unlock</string> + </dict> + <key>com.apple.mobile.keybagd.lock_status</key> + <dict> + <key>Notification</key> + <string>com.apple.mobile.keybagd.lock_status</string> + </dict> <key>com.apple.keystore.lockstatus</key> <dict> <key>Notification</key> @@ -13,17 +34,6 @@ </dict> </dict> </dict> - <key>Program</key> - <string>/System/Library/Frameworks/Security.framework/IDSKeychainSyncingProxy.bundle/IDSKeychainSyncingProxy</string> - <key>Label</key> - <string>com.apple.security.idskeychainsyncingproxy</string> - <key>EnvironmentVariables</key> - <dict> - <key>DEBUGSCOPE</key> - <string>all</string> - <key>WAIT4DEBUGGER</key> - <string>NO</string> - </dict> <key>MachServices</key> <dict> <key>com.apple.private.alloy.keychainsync-idswake</key> @@ -31,14 +41,14 @@ <key>com.apple.security.idskeychainsyncingproxy</key> <true/> </dict> + <key>Program</key> + <string>/System/Library/Frameworks/Security.framework/IDSKeychainSyncingProxy.bundle/IDSKeychainSyncingProxy</string> <key>ProgramArguments</key> <array> <string>/System/Library/Frameworks/Security.framework/IDSKeychainSyncingProxy.bundle/IDSKeychainSyncingProxy</string> </array> <key>RunAtLoad</key> <false/> - <key>EnablePressuredExit</key> - <true/> <key>enabletransactions</key> <true/> </dict> 
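Review bot: The relocated `EnvironmentVariables` block keeps `DEBUGSCOPE` set to `all` for the shipping launchd job, which presumably enables every secdebug scope in the proxy; elsewhere in this same patch the transport logs the local device ID under such a scope (`secdebug("IDS Transport", "This is our IDS device ID: %@", deviceID)` in IDSProxy.m), so whether that logging level is intended for release builds is worth confirming. If it is only meant for development, drop the key from the installed plist or restrict it to the debug configuration. The two new keybagd `LaunchEvents` entries are otherwise consistent with the existing `com.apple.keystore.lockstatus` entry.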
diff --git a/OSX/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist b/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.osx.plist similarity index 97% rename from OSX/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist rename to IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.osx.plist index 6c9d8691..c60f567d 100644 --- a/OSX/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist +++ b/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.osx.plist @@ -41,7 +41,7 @@ <false/> <key>EnablePressuredExit</key> <true/> - <key>enabletransactions</key> - <true/> + <key>KeepAlive</key> + <false/> </dict> </plist> diff --git a/CloudKeychainProxy/en.lproj/InfoPlist.strings b/IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings similarity index 100% rename from CloudKeychainProxy/en.lproj/InfoPlist.strings rename to IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings diff --git a/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist b/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist index f62eceff..de454689 100644 --- a/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist +++ b/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist @@ -2,14 +2,16 @@ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> + <key> keychain-cloud-circle</key> + <true/> <key>com.apple.wifi.manager-access</key> <true/> + <key>com.apple.private.ids.remoteurlconnection</key> + <true/> <key>com.apple.private.ids.force-encryption-off</key> <array> <string>com.apple.private.alloy.keychainsync</string> </array> - <key>com.apple.private.ids.remoteurlconnection</key> - <true/> <key>com.apple.private.ids.messaging.high-priority</key> <array> <string>com.apple.private.alloy.keychainsync</string> 
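Review bot: Replacing `enabletransactions` with `KeepAlive false` leaves the macOS job out of step with the iOS plist in this same patch, which still carries `enabletransactions`, while the proxy code still brackets each callout with `xpc_transaction_begin()`/`xpc_transaction_end()` (`calloutWith:` in IDSProxy.m). If this launchd version needs the key to honour those transactions, a pressured or idle exit (`EnablePressuredExit` stays `true` here) could terminate the macOS proxy in the middle of a callout. Confirm the key is genuinely obsolete on macOS and, if so, record that in the plist and drop it from the iOS variant too; otherwise keep it on both.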
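Review bot: The new entitlement key is written as `<key> keychain-cloud-circle</key>` with a leading space inside the element, whereas every other key in the file starts immediately after `<key>`. Entitlement lookups compare the exact string, so unless the space is an artifact of how this page was rendered, the proxy would not actually hold `keychain-cloud-circle` and any check gated on it would be denied. Change the line to `<key>keychain-cloud-circle</key>`.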
@@ -20,8 +22,8 @@ </array> <key>keychain-access-groups</key> <array> - <string>IMCore</string> <string>apple</string> + <string>IMCore</string> <string>InternetAccounts</string> </array> <key>application-identifier</key> diff --git a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idskeychainsyncingproxy.m b/IDSKeychainSyncingProxy/idskeychainsyncingproxy.m similarity index 68% rename from OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idskeychainsyncingproxy.m rename to IDSKeychainSyncingProxy/idskeychainsyncingproxy.m index 365eedc4..eba2c266 100644 --- a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idskeychainsyncingproxy.m +++ b/IDSKeychainSyncingProxy/idskeychainsyncingproxy.m @@ -37,7 +37,8 @@ #include "SOSCloudKeychainConstants.h" -#import "IDSProxy.h" +#import "IDSKeychainSyncingProxy+IDSProxyThrottle.h" +#import "IDSKeychainSyncingProxy+IDSProxySendMessage.h" int idsproxymain(int argc, const char *argv[]); 
@@ -77,8 +78,39 @@ static void idskeychainsyncingproxy_peer_dictionary_handler(const xpc_connection if(operation && !strcmp(operation, kOperationGetDeviceID)){ - NSError *error; - BOOL object = [[IDSKeychainSyncingProxy idsProxy] doSetIDSDeviceID:&error]; + [[IDSKeychainSyncingProxy idsProxy] doSetIDSDeviceID]; + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); + xpc_dictionary_set_bool(replyMessage, kMessageKeyValue, true); + xpc_connection_send_message(peer, replyMessage); + secdebug(PROXYXPCSCOPE, "Set our IDS Device ID message sent"); + + } + else if (operation && !strcmp(operation, kOperationSendFragmentedIDSMessage)) + { + xpc_object_t xidsMessageData = xpc_dictionary_get_value(event, kMessageKeyValue); + xpc_object_t xDeviceName = xpc_dictionary_get_value(event, kMessageKeyDeviceName); + xpc_object_t xPeerID = xpc_dictionary_get_value(event, kMessageKeyPeerID); + BOOL object = false; + + NSString *deviceName = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xDeviceName)); + NSString *peerID = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xPeerID)); + NSDictionary *messageDictionary = (__bridge_transfer NSDictionary*)(_CFXPCCreateCFObjectFromXPCObject(xidsMessageData)); + NSError *error = NULL; + bool isNameString = (CFGetTypeID((__bridge CFTypeRef)(deviceName)) == CFStringGetTypeID()); + bool isPeerIDString = (CFGetTypeID((__bridge CFTypeRef)(peerID)) == CFStringGetTypeID()); + bool isMessageDictionary = (CFGetTypeID((__bridge CFTypeRef)(messageDictionary)) == CFDictionaryGetTypeID()); + + require_quiet(isNameString, xit); + require_quiet(isPeerIDString, xit); + require_quiet(isMessageDictionary, xit); + + [[IDSKeychainSyncingProxy idsProxy] recordTimestampOfWriteToIDS: messageDictionary deviceName:deviceName peerID:peerID]; + NSDictionary *safeValues = [[IDSKeychainSyncingProxy idsProxy] filterForWritableValues:messageDictionary]; + + if(safeValues != nil && [safeValues count] > 0){ + object = 
[[IDSKeychainSyncingProxy idsProxy] sendFragmentedIDSMessages:safeValues name:deviceName peer:peerID error:&error]; + } + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); xpc_dictionary_set_bool(replyMessage, kMessageKeyValue, object); 
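Review bot: In the new kOperationSendFragmentedIDSMessage branch, `CFGetTypeID` is applied to `deviceName`, `peerID` and `messageDictionary` before anything checks that they are non-nil; `xpc_dictionary_get_value` returns NULL for a missing key and `CFGetTypeID` does not accept NULL, so a peer message lacking one of the three keys crashes the proxy instead of reaching the `require_quiet(..., xit)` path. Add `require_quiet(deviceName != nil && peerID != nil && messageDictionary != nil, xit);` ahead of the type checks; the same pattern appears in the new kOperationSendDeviceList branch of the next hunk and in the pre-existing kOperationSendIDSMessage branch. Separately, the rewritten kOperationGetDeviceID branch now replies `true` unconditionally even though `doSetIDSDeviceID` can fail (its `fail:` label in IDSProxy.m only logs), so the caller can no longer observe a failed device-ID registration. The enclosing handler function starts before this hunk and continues past it.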
@@ -87,14 +119,36 @@ static void idskeychainsyncingproxy_peer_dictionary_handler(const xpc_connection xpc_dictionary_set_value(replyMessage, kMessageKeyError, xerrobj); } xpc_connection_send_message(peer, replyMessage); - secdebug(PROXYXPCSCOPE, "Set our IDS Device ID message sent"); + secdebug(PROXYXPCSCOPE, "IDS message sent"); + } + else if(operation && !strcmp(operation, kOperationSendDeviceList)) //IDS device availability check + { + xpc_object_t xidsDeviceList = xpc_dictionary_get_value(event, kMessageKeyValue); + xpc_object_t xPeerID = xpc_dictionary_get_value(event, kMessageKeyPeerID); + + NSArray *idsList = (__bridge_transfer NSArray*)(_CFXPCCreateCFObjectFromXPCObject(xidsDeviceList)); + NSString *peerID = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xPeerID)); + + bool isMessageArray = (CFGetTypeID((__bridge CFTypeRef)(idsList)) == CFArrayGetTypeID()); + bool isPeerIDString = (CFGetTypeID((__bridge CFTypeRef)(peerID)) == CFStringGetTypeID()); + + require_quiet(isMessageArray, xit); + require_quiet(isPeerIDString, xit); + + [[IDSKeychainSyncingProxy idsProxy] pingDevices:idsList peerID:peerID]; + + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); + xpc_dictionary_set_bool(replyMessage, kMessageKeyValue, true); + xpc_connection_send_message(peer, replyMessage); + secdebug(PROXYXPCSCOPE, "IDS device list sent"); } - else if (operation && !strcmp(operation, kOperationSendIDSMessage)) + else if (operation && !strcmp(operation, kOperationSendIDSMessage)) //for IDS tests { xpc_object_t xidsMessageData = xpc_dictionary_get_value(event, kMessageKeyValue); xpc_object_t xDeviceName = xpc_dictionary_get_value(event, kMessageKeyDeviceName); xpc_object_t xPeerID = xpc_dictionary_get_value(event, kMessageKeyPeerID); + BOOL object = false; NSString *deviceName = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xDeviceName)); NSString *peerID = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xPeerID)); 
@@ -103,12 +157,13 @@ static void idskeychainsyncingproxy_peer_dictionary_handler(const xpc_connection bool isNameString = (CFGetTypeID((__bridge CFTypeRef)(deviceName)) == CFStringGetTypeID()); bool isPeerIDString = (CFGetTypeID((__bridge CFTypeRef)(peerID)) == CFStringGetTypeID()); bool isMessageDictionary = (CFGetTypeID((__bridge CFTypeRef)(messageDictionary)) == CFDictionaryGetTypeID()); - + require_quiet(isNameString, xit); require_quiet(isPeerIDString, xit); require_quiet(isMessageDictionary, xit); - BOOL object = [[IDSKeychainSyncingProxy idsProxy] sendIDSMessage:messageDictionary name:deviceName peer:peerID error:&error]; + NSString *identifier = [NSString string]; + object = [[IDSKeychainSyncingProxy idsProxy] sendIDSMessage:messageDictionary name:deviceName peer:peerID identifier:&identifier error:&error]; xpc_object_t replyMessage = xpc_dictionary_create_reply(event); xpc_dictionary_set_bool(replyMessage, kMessageKeyValue, object); @@ -119,8 +174,8 @@ static void idskeychainsyncingproxy_peer_dictionary_handler(const xpc_connection } xpc_connection_send_message(peer, replyMessage); secdebug(PROXYXPCSCOPE, "IDS message sent"); - } + else { char *description = xpc_copy_description(event); 
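Review bot: `identifier` is pre-filled with `[NSString string]`, passed as `identifier:&identifier` to `sendIDSMessage:`, and then never read, so the local and the out-parameter are dead in this handler. Either carry the value into the reply or the `secdebug(PROXYXPCSCOPE, "IDS message sent")` line so the test path can correlate messages, or pass NULL if the method tolerates it; the method body is not visible here, so confirm which before changing it. The enclosing handler function starts before this hunk.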
@@ -133,22 +188,6 @@ xit: describeXPCObject("handle_operation fail: ", event); } - -static void initializeProxyObjectWithConnection(const xpc_connection_t connection) -{ - [[IDSKeychainSyncingProxy idsProxy] setItemsChangedBlock:^CFArrayRef(CFDictionaryRef values) - { - secdebug(PROXYXPCSCOPE, "IDSKeychainSyncingProxy called back"); - xpc_object_t xobj = _CFXPCCreateXPCObjectFromCFObject(values); - xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0); - xpc_dictionary_set_uint64(message, kMessageKeyVersion, kCKDXPCVersion); - xpc_dictionary_set_string(message, kMessageKeyOperation, kMessageOperationItemChanged); - xpc_dictionary_set_value(message, kMessageKeyValue, xobj?xobj:xpc_null_create()); - xpc_connection_send_message(connection, message); // Send message; don't wait for a reply - return NULL; - }]; -} - static void idskeychainsyncingproxy_peer_event_handler(xpc_connection_t peer, xpc_object_t event) { describeXPCObject("peer: ", peer); @@ -183,8 +222,8 @@ static void idskeychainsyncingproxy_event_handler(xpc_connection_t peer) secdebug(PROXYXPCSCOPE, "expected XPC_TYPE_CONNECTION"); return; } - initializeProxyObjectWithConnection(peer); - xpc_connection_set_event_handler(peer, ^(xpc_object_t event) + + xpc_connection_set_event_handler(peer, ^(xpc_object_t event) { idskeychainsyncingproxy_peer_event_handler(peer, event); }); @@ -227,3 +266,8 @@ int idsproxymain(int argc, const char *argv[]) return EXIT_FAILURE; } + +int main(int argc, const char *argv[]) +{ + return idsproxymain(argc, argv); +} diff --git a/ISACLProtectedItems/Info.plist b/ISACLProtectedItems/Info.plist index 75762714..5cf8ec41 100644 --- a/ISACLProtectedItems/Info.plist +++ b/ISACLProtectedItems/Info.plist 
@@ -2,14 +2,14 @@ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> - <key>CFBundleDisplayName</key> - <string>AKPU/ACL protected keychain items</string> <key>CFBundleDevelopmentRegion</key> <string>en</string> + <key>CFBundleDisplayName</key> + <string>AKPU/ACL protected keychain items</string> <key>CFBundleExecutable</key> <string>${EXECUTABLE_NAME}</string> <key>CFBundleIdentifier</key> - <string>com.apple.securityservices.${PRODUCT_NAME:rfc1034identifier}</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> diff --git a/KVSKeychainSyncingProxy/CKDAccount.h b/KVSKeychainSyncingProxy/CKDAccount.h new file mode 100644 index 00000000..24cb3979 --- /dev/null +++ b/KVSKeychainSyncingProxy/CKDAccount.h @@ -0,0 +1,15 @@ +// +// CKDAccount.h +// Security +// +// + +#import <Foundation/Foundation.h> + +@protocol CKDAccount + +- (NSSet*) keysChanged: (NSDictionary<NSString*, NSObject*>*) keyValues error: (NSError**) error; +- (bool) ensurePeerRegistration: (NSError**) error; +- (bool) syncWithAllPeers: (NSError**) error; + +@end diff --git a/KVSKeychainSyncingProxy/CKDKVSProxy.h b/KVSKeychainSyncingProxy/CKDKVSProxy.h new file mode 100644 index 00000000..e6f2023d --- /dev/null +++ b/KVSKeychainSyncingProxy/CKDKVSProxy.h 
@@ -0,0 +1,148 @@ +/* + * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// CKDKVSProxy.h +// ckd-xpc + +#import <Foundation/Foundation.h> +#import <dispatch/queue.h> +#import <xpc/xpc.h> +#import <IDS/IDS.h> + +#import <utilities/debugging.h> + +#import "SOSCloudKeychainConstants.h" +#import "SOSCloudKeychainClient.h" + +#import "CKDStore.h" +#import "CKDAccount.h" + +#define XPROXYSCOPE "proxy" + +typedef void (^FreshnessResponseBlock)(bool success, NSError *err); + +@interface UbiqitousKVSProxy : NSObject +{ + id currentiCloudToken; + int callbackMethod; +} + +@property (readonly) NSObject<CKDStore>* store; +@property (readonly) NSObject<CKDAccount>* account; + + +@property (retain, nonatomic) NSMutableSet *alwaysKeys; +@property (retain, nonatomic) NSMutableSet *firstUnlockKeys; +@property (retain, nonatomic) NSMutableSet *unlockedKeys; + +@property (atomic) bool unlockedSinceBoot; +@property (atomic) bool isLocked; +@property (atomic) bool seenKVSStoreChange; + + +@property (retain, nonatomic) NSMutableSet *pendingKeys; +@property 
(retain, nonatomic) NSMutableSet *shadowPendingKeys; + +@property (retain, nonatomic) NSString *dsid; + +@property (atomic) bool syncWithPeersPending; +@property (atomic) bool shadowSyncWithPeersPending; + +@property (atomic) bool ensurePeerRegistration; +@property (atomic) bool shadowEnsurePeerRegistration; + +@property (atomic) bool inCallout; + +@property (retain, nonatomic) NSMutableArray<FreshnessResponseBlock> *freshnessCompletions; +@property (atomic) dispatch_time_t nextFreshnessTime; + +@property (atomic) dispatch_source_t syncTimer; +@property (atomic) bool syncTimerScheduled; + +@property (atomic) dispatch_time_t deadline; +@property (atomic) dispatch_time_t lastSyncTime; + + +@property (atomic) dispatch_queue_t calloutQueue; + +@property (atomic) dispatch_queue_t ckdkvsproxy_queue; +@property (atomic) dispatch_source_t penaltyTimer; +@property (atomic) bool penaltyTimerScheduled; +@property (retain, atomic) NSMutableDictionary *monitor; +@property (retain, atomic) NSDictionary *queuedMessages; + +@property (copy, atomic) dispatch_block_t shadowFlushBlock; + + ++ (UbiqitousKVSProxy *) sharedKVSProxy; +- (NSString *)description; +- (id)init NS_UNAVAILABLE; +- (id)initWithAccount:(NSObject<CKDAccount>*) account + store:(NSObject<CKDStore>*) store NS_DESIGNATED_INITIALIZER; + +// Requests: + +- (void)clearStore; +- (void)synchronizeStore; +- (id) objectForKey: (NSString*) key; +- (NSDictionary<NSString *, id>*) copyAsDictionary; +- (void)setObjectsFromDictionary:(NSDictionary<NSString*, NSObject*> *)otherDictionary; +- (void)waitForSynchronization:(void (^)(NSDictionary<NSString*, NSObject*> *results, NSError *err))handler; + + +// Callbacks from stores when things happen +- (void)storeKeysChanged: (NSSet<NSString*>*) changedKeys initial: (bool) initial; +- (void)storeAccountChanged; + +- (void)streamEvent:(xpc_object_t)notification; + +- (void)processAllItems; +- (void)requestSyncWithAllPeers; +- (void)requestEnsurePeerRegistration; + +- 
(void)registerAtTimeKeys:(NSDictionary*)keyparms; + +- (NSSet*) keysForCurrentLockState; +- (void) intersectWithCurrentLockState: (NSMutableSet*) set; + +- (NSMutableSet*) pendKeysAndGetNewlyPended: (NSSet*) keysToPend; + +- (NSMutableSet*) pendingKeysForCurrentLockState; +- (NSMutableSet*) pendKeysAndGetPendingForCurrentLockState: (NSSet*) startingSet; + +- (void)processPendingKeysForCurrentLockState; + +- (void)registerKeys: (NSDictionary*)keys; + +- (void)processKeyChangedEvent:(NSDictionary *)keysChangedInCloud; +- (NSMutableDictionary *)copyValues:(NSSet *)keysOfInterest; + +- (void) doAfterFlush: (dispatch_block_t) block; +- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration))) callout; +- (void) sendKeysCallout: (NSSet *(^)(NSSet* pending, NSError **error)) handleKeys; + +- (void)recordWriteToKVS:(NSDictionary *)values; +- (NSDictionary*)recordHaltedValuesAndReturnValuesToSafelyWrite:(NSDictionary *)values; + +@end diff --git a/KVSKeychainSyncingProxy/CKDKVSProxy.m b/KVSKeychainSyncingProxy/CKDKVSProxy.m new file mode 100644 index 00000000..213a4a27 --- /dev/null +++ b/KVSKeychainSyncingProxy/CKDKVSProxy.m 
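Review bot: The header exposes three paired properties (`pendingKeys`/`shadowPendingKeys`, `syncWithPeersPending`/`shadowSyncWithPeersPending`, `ensurePeerRegistration`/`shadowEnsurePeerRegistration`) plus `inCallout` as public read-write state without saying how a shadow value relates to its counterpart or which queue may touch them. A comment above the group along the lines of `// "shadow" copies hold requests that arrive while inCallout is set; they are merged into the primary flags when the callout's done block runs — confirm against calloutWith:` would let a reader use them safely; the IDS proxy in this same patch follows that convention for `_shadowDoSetIDSDeviceID`, so it is presumably the same here. The five-argument `calloutWith:` block would likewise benefit from a short contract comment naming the queue on which `done` must be invoked.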
@@ -0,0 +1,1278 @@ +/* + * Copyright (c) 2012-2014,2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// CKDKVSProxy.m +// ckd-xpc +// + +#import <Foundation/Foundation.h> + +#import <utilities/debugging.h> +#import <os/activity.h> + +#import "CKDKVSProxy.h" +#import "CKDPersistentState.h" +#import "CKDKVSStore.h" +#import "CKDSecuritydAccount.h" + +#include <Security/SecureObjectSync/SOSARCDefines.h> +#include <Security/SecureObjectSync/SOSKVSKeys.h> + +#include "SOSCloudKeychainConstants.h" + +#include <utilities/SecAKSWrappers.h> + +/* + The total space available in your appâs iCloud key-value storage is 1 MB. + The maximum number of keys you can specify is 1024, and the size limit for + each value associated with a key is 1 MB. So, for example, if you store a + single large value of 1 MB for a single key, that consumes your total + available storage. If you store 1 KB of data for each key, you can use + 1,000 key-value pairs. 
+ */ + +static const char *kStreamName = "com.apple.notifyd.matching"; + +static NSString *kKeyKeyParameterKeys = @"KeyParameterKeys"; +static NSString *kKeyCircleKeys = @"CircleKeys"; +static NSString *kKeyMessageKeys = @"MessageKeys"; + +static NSString *kKeyAlwaysKeys = @"AlwaysKeys"; +static NSString *kKeyFirstUnlockKeys = @"FirstUnlockKeys"; +static NSString *kKeyUnlockedKeys = @"UnlockedKeys"; +static NSString *kKeyPendingKeys = @"PendingKeys"; +static NSString *kKeyUnsentChangedKeys = @"unsentChangedKeys"; +static NSString *kKeyUnlockNotificationRequested = @"unlockNotificationRequested"; +static NSString *kKeySyncWithPeersPending = @"SyncWithPeersPending"; +static NSString *kKeyEnsurePeerRegistration = @"EnsurePeerRegistration"; +static NSString *kKeyDSID = @"DSID"; +static NSString *kMonitorState = @"MonitorState"; + +static NSString *kMonitorPenaltyBoxKey = @"Penalty"; +static NSString *kMonitorMessageKey = @"Message"; +static NSString *kMonitorConsecutiveWrites = @"ConsecutiveWrites"; +static NSString *kMonitorLastWriteTimestamp = @"LastWriteTimestamp"; +static NSString *kMonitorMessageQueue = @"MessageQueue"; +static NSString *kMonitorPenaltyTimer = @"PenaltyTimer"; +static NSString *kMonitorDidWriteDuringPenalty = @"DidWriteDuringPenalty"; + +static NSString *kMonitorTimeTable = @"TimeTable"; +static NSString *kMonitorFirstMinute = @"AFirstMinute"; +static NSString *kMonitorSecondMinute = @"BSecondMinute"; +static NSString *kMonitorThirdMinute = @"CThirdMinute"; +static NSString *kMonitorFourthMinute = @"DFourthMinute"; +static NSString *kMonitorFifthMinute = @"EFifthMinute"; +static NSString *kMonitorWroteInTimeSlice = @"TimeSlice"; + +#define kSecServerKeychainChangedNotification "com.apple.security.keychainchanged" + +static int max_penalty_timeout = 32; +static int seconds_per_minute = 60; + +static const int64_t kMinSyncDelay = (NSEC_PER_MSEC * 500); // 500ms minimum delay before a syncWithAllPeers call. 
+static const int64_t kMaxSyncDelay = (NSEC_PER_SEC * 5); // 5s maximun delay for a given request +static const int64_t kMinSyncInterval = (NSEC_PER_SEC * 15); // 15s minimum time between successive syncWithAllPeers calls. +static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms leeway for sync events. + +static NSString* asNSString(NSObject* object) { + return [object isKindOfClass:[NSString class]] ? (NSString*) object : nil; +} + +@interface NSMutableDictionary (FindAndRemove) +-(NSObject*)extractObjectForKey:(NSString*)key; +@end + +@implementation NSMutableDictionary (FindAndRemove) +-(NSObject*)extractObjectForKey:(NSString*)key { + NSObject* result = [self objectForKey:key]; + [self removeObjectForKey: key]; + return result; +} +@end + +@implementation UbiqitousKVSProxy + +- (void)persistState +{ + [SOSPersistentState setRegisteredKeys:[self exportKeyInterests]]; +} + ++ (UbiqitousKVSProxy *) sharedKVSProxy +{ + static UbiqitousKVSProxy *sharedKVSProxy; + if (!sharedKVSProxy) { + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + sharedKVSProxy = [[self alloc] initWithAccount: [CKDSecuritydAccount securitydAccount] + store: [CKDKVSStore kvsInterface]]; + }); + } + return sharedKVSProxy; +} + +- (id)initWithAccount:(NSObject<CKDAccount>*) account + store:(NSObject<CKDStore>*) store +{ + if (self = [super init]) + { + secnotice("event", "%@ start", self); + +#if !(TARGET_OS_EMBEDDED) + // rdar://problem/26247270 + if (geteuid() == 0) { + secerror("Cannot run CloudKeychainProxy as root"); + return NULL; + } +#endif + _unlockedSinceBoot = NO; + _isLocked = YES; // until we know for sure + _ensurePeerRegistration = NO; + _syncWithPeersPending = NO; + + + _account = account; + _store = store; + + _calloutQueue = dispatch_queue_create("CKDCallout", DISPATCH_QUEUE_SERIAL); + _ckdkvsproxy_queue = dispatch_get_main_queue(); + + _freshnessCompletions = [NSMutableArray<FreshnessResponseBlock> array]; + + _syncTimer = 
dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, _ckdkvsproxy_queue); + dispatch_source_set_timer(_syncTimer, DISPATCH_TIME_FOREVER, DISPATCH_TIME_FOREVER, kSyncTimerLeeway); + dispatch_source_set_event_handler(_syncTimer, ^{ + [self timerFired]; + }); + dispatch_resume(_syncTimer); + + _monitor = [NSMutableDictionary dictionary]; + + int notificationToken; + notify_register_dispatch(kSecServerKeychainChangedNotification, ¬ificationToken, _ckdkvsproxy_queue, + ^ (int token __unused) + { + secinfo("backoff", "keychain changed, wiping backoff monitor state"); + _monitor = [NSMutableDictionary dictionary]; + }); + + [self importKeyInterests: [SOSPersistentState registeredKeys]]; + + // Register for lock state changes + xpc_set_event_stream_handler(kStreamName, _ckdkvsproxy_queue, + ^(xpc_object_t notification){ + [self streamEvent:notification]; + }); + _dsid = @""; + + [self updateUnlockedSinceBoot]; + [self updateIsLocked]; + if (!_isLocked) + [self keybagDidUnlock]; + + [[self store] connectToProxy: self]; + + secdebug(XPROXYSCOPE, "%@ done", self); + } + return self; +} + +- (NSString *)description +{ + return [NSString stringWithFormat:@"<%s%s%s%s%s%s%s%s%s%s%s>", + _isLocked ? "L" : "U", + _unlockedSinceBoot ? "B" : "-", + _seenKVSStoreChange ? "K" : "-", + _syncTimerScheduled ? "T" : "-", + _syncWithPeersPending ? "s" : "-", + _ensurePeerRegistration ? "e" : "-", + [_pendingKeys count] ? "p" : "-", + _inCallout ? "C" : "-", + _shadowSyncWithPeersPending ? "S" : "-", + _shadowEnsurePeerRegistration ? "E" : "-", + [_shadowPendingKeys count] ? 
"P" : "-"]; +} + +// +// MARK: XPC Function commands +// +- (void) clearStore { + [self.store removeAllObjects]; +} + +- (void)synchronizeStore { + [self.store pushWrites]; +} + +- (id) objectForKey: (NSString*) key { + return [self.store objectForKey: key]; +} +- (NSDictionary<NSString *, id>*) copyAsDictionary { + return [self.store copyAsDictionary]; +} + +// +// +// +- (void)processAllItems +{ + NSDictionary *allItems = [self.store copyAsDictionary]; + if (allItems) + { + secnotice("event", "%@ sending: %@", self, [[allItems allKeys] componentsJoinedByString: @" "]); + [self processKeyChangedEvent:allItems]; + } + else + secdebug(XPROXYSCOPE, "%@ No items in KVS", self); +} + +- (void)dealloc +{ + secdebug(XPROXYSCOPE, "%@", self); + [[NSNotificationCenter defaultCenter] removeObserver:self + name:NSUbiquitousKeyValueStoreDidChangeExternallyNotification + object:nil]; + + [[NSNotificationCenter defaultCenter] removeObserver:self + name:NSUbiquityIdentityDidChangeNotification + object:nil]; +} + +// MARK: Penalty measurement and handling +-(dispatch_source_t)setNewTimer:(int)timeout key:(NSString*)key +{ + __block dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, _ckdkvsproxy_queue); + dispatch_source_set_timer(timer, dispatch_time(DISPATCH_TIME_NOW, timeout * NSEC_PER_SEC * seconds_per_minute), DISPATCH_TIME_FOREVER, kSyncTimerLeeway); + dispatch_source_set_event_handler(timer, ^{ + [self penaltyTimerFired:key]; + }); + dispatch_resume(timer); + return timer; +} + +-(void) increasePenalty:(NSNumber*)currentPenalty key:(NSString*)key keyEntry:(NSMutableDictionary**)keyEntry +{ + secnotice("backoff", "increasing penalty!"); + int newPenalty = 0; + if([currentPenalty intValue] == max_penalty_timeout){ + newPenalty = max_penalty_timeout; + } + else if ([currentPenalty intValue] == 0) + newPenalty = 1; + else + newPenalty = [currentPenalty intValue]*2; + + secnotice("backoff", "key %@, waiting %d minutes long to send next messages", 
key, newPenalty); + + NSNumber* penalty_timeout = [[NSNumber alloc]initWithInt:newPenalty]; + dispatch_source_t existingTimer = [*keyEntry valueForKey:kMonitorPenaltyTimer]; + + if(existingTimer != nil){ + [*keyEntry removeObjectForKey:kMonitorPenaltyTimer]; + dispatch_suspend(existingTimer); + dispatch_source_set_timer(existingTimer,dispatch_time(DISPATCH_TIME_NOW, newPenalty * NSEC_PER_SEC * seconds_per_minute), DISPATCH_TIME_FOREVER, kSyncTimerLeeway); + dispatch_resume(existingTimer); + [*keyEntry setObject:existingTimer forKey:kMonitorPenaltyTimer]; + } + else{ + dispatch_source_t timer = [self setNewTimer:newPenalty key:key]; + [*keyEntry setObject:timer forKey:kMonitorPenaltyTimer]; + } + + [*keyEntry setObject:penalty_timeout forKey:kMonitorPenaltyBoxKey]; + [_monitor setObject:*keyEntry forKey:key]; +} + +-(void) decreasePenalty:(NSNumber*)currentPenalty key:(NSString*)key keyEntry:(NSMutableDictionary**)keyEntry +{ + int newPenalty = 0; + secnotice("backoff","decreasing penalty!"); + if([currentPenalty intValue] == 0 || [currentPenalty intValue] == 1) + newPenalty = 0; + else + newPenalty = [currentPenalty intValue]/2; + + secnotice("backoff","key %@, waiting %d minutes long to send next messages", key, newPenalty); + + NSNumber* penalty_timeout = [[NSNumber alloc]initWithInt:newPenalty]; + + dispatch_source_t existingTimer = [*keyEntry valueForKey:kMonitorPenaltyTimer]; + if(existingTimer != nil){ + [*keyEntry removeObjectForKey:kMonitorPenaltyTimer]; + dispatch_suspend(existingTimer); + if(newPenalty != 0){ + dispatch_source_set_timer(existingTimer,dispatch_time(DISPATCH_TIME_NOW, newPenalty * NSEC_PER_SEC * seconds_per_minute), DISPATCH_TIME_FOREVER, kSyncTimerLeeway); + dispatch_resume(existingTimer); + [*keyEntry setObject:existingTimer forKey:kMonitorPenaltyTimer]; + } + else{ + dispatch_resume(existingTimer); + dispatch_source_cancel(existingTimer); + } + } + else{ + if(newPenalty != 0){ + dispatch_source_t timer = [self setNewTimer:newPenalty 
key:key]; + [*keyEntry setObject:timer forKey:kMonitorPenaltyTimer]; + } + } + + [*keyEntry setObject:penalty_timeout forKey:kMonitorPenaltyBoxKey]; + [_monitor setObject:*keyEntry forKey:key]; + +} + +- (void)penaltyTimerFired:(NSString*)key +{ + secnotice("backoff", "key: %@, !!!!!!!!!!!!!!!!penalty timeout is up!!!!!!!!!!!!", key); + + NSMutableDictionary *keyEntry = [_monitor objectForKey:key]; + NSMutableDictionary *queuedMessages = [keyEntry objectForKey:kMonitorMessageQueue]; + secnotice("backoff","key: %@, queuedMessages: %@", key, queuedMessages); + if(queuedMessages && [queuedMessages count] != 0){ + secnotice("backoff","key: %@, message queue not empty, writing to KVS!", key); + [self setObjectsFromDictionary:queuedMessages]; + [keyEntry setObject:[NSMutableDictionary dictionary] forKey:kMonitorMessageQueue]; + } + + NSNumber *penalty_timeout = [keyEntry valueForKey:kMonitorPenaltyBoxKey]; + secnotice("backoff", "key: %@, current penalty timeout: %@", key, penalty_timeout); + + NSString* didWriteDuringTimeout = [keyEntry objectForKey:kMonitorDidWriteDuringPenalty]; + if( didWriteDuringTimeout && [didWriteDuringTimeout isEqualToString:@"YES"] ) + { + //increase timeout since we wrote during out penalty timeout + [self increasePenalty:penalty_timeout key:key keyEntry:&keyEntry]; + } + else{ + //decrease timeout since we successfully wrote messages out + [self decreasePenalty:penalty_timeout key:key keyEntry:&keyEntry]; + } + + //resetting the check + [keyEntry setObject: @"NO" forKey:kMonitorDidWriteDuringPenalty]; + + //recompute the timetable and number of consecutive writes to KVS + NSMutableDictionary *timetable = [keyEntry valueForKey:kMonitorTimeTable]; + NSNumber *consecutiveWrites = [keyEntry valueForKey:kMonitorConsecutiveWrites]; + [self recordTimestampForAppropriateInterval:&timetable key:key consecutiveWrites:&consecutiveWrites]; + + [keyEntry setObject:consecutiveWrites forKey:kMonitorConsecutiveWrites]; + [keyEntry setObject:timetable 
forKey:kMonitorTimeTable]; + [_monitor setObject:keyEntry forKey:key]; +} + +-(NSMutableDictionary*)initializeTimeTable:(NSString*)key +{ + NSDate *currentTime = [NSDate date]; + NSMutableDictionary *firstMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute], kMonitorFirstMinute, @"YES", kMonitorWroteInTimeSlice, nil]; + NSMutableDictionary *secondMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 2],kMonitorSecondMinute, @"NO", kMonitorWroteInTimeSlice, nil]; + NSMutableDictionary *thirdMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 3], kMonitorThirdMinute, @"NO",kMonitorWroteInTimeSlice, nil]; + NSMutableDictionary *fourthMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 4],kMonitorFourthMinute, @"NO", kMonitorWroteInTimeSlice, nil]; + NSMutableDictionary *fifthMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 5], kMonitorFifthMinute, @"NO", kMonitorWroteInTimeSlice, nil]; + + NSMutableDictionary *timeTable = [NSMutableDictionary dictionaryWithObjectsAndKeys: firstMinute, kMonitorFirstMinute, + secondMinute, kMonitorSecondMinute, + thirdMinute, kMonitorThirdMinute, + fourthMinute, kMonitorFourthMinute, + fifthMinute, kMonitorFifthMinute, nil]; + return timeTable; +} + +- (void)initializeKeyEntry:(NSString*)key +{ + NSMutableDictionary *timeTable = [self initializeTimeTable:key]; + NSDate *currentTime = [NSDate date]; + + NSMutableDictionary *keyEntry = [NSMutableDictionary dictionaryWithObjectsAndKeys: key, kMonitorMessageKey, @0, kMonitorConsecutiveWrites, currentTime, kMonitorLastWriteTimestamp, @0, kMonitorPenaltyBoxKey, timeTable, kMonitorTimeTable,[NSMutableDictionary dictionary], kMonitorMessageQueue, nil]; + + [_monitor 
setObject:keyEntry forKey:key]; + +} + +- (void)recordTimestampForAppropriateInterval:(NSMutableDictionary**)timeTable key:(NSString*)key consecutiveWrites:(NSNumber**)consecutiveWrites +{ + NSDate *currentTime = [NSDate date]; + __block int cWrites = [*consecutiveWrites intValue]; + __block BOOL foundTimeSlot = NO; + __block NSMutableDictionary *previousTable = nil; + NSArray *sorted = [[*timeTable allKeys] sortedArrayUsingSelector:@selector(compare:)]; + [sorted enumerateObjectsUsingBlock:^(id sortedKey, NSUInteger idx, BOOL *stop) + { + if(foundTimeSlot == YES) + return; + [*timeTable enumerateKeysAndObjectsUsingBlock: ^(id minute, id obj, BOOL *stop2) + { + if(foundTimeSlot == YES) + return; + if([sortedKey isEqualToString:minute]){ + NSMutableDictionary *minutesTable = (NSMutableDictionary*)obj; + NSString *minuteKey = (NSString*)minute; + NSDate *date = [minutesTable valueForKey:minuteKey]; + if([date compare:currentTime] == NSOrderedDescending){ + foundTimeSlot = YES; + NSString* written = [minutesTable valueForKey:kMonitorWroteInTimeSlice]; + if([written isEqualToString:@"NO"]){ + [minutesTable setObject:@"YES" forKey:kMonitorWroteInTimeSlice]; + if(previousTable != nil){ + written = [previousTable valueForKey:kMonitorWroteInTimeSlice]; + if([written isEqualToString:@"YES"]){ + cWrites++; + } + else if ([written isEqualToString:@"NO"]){ + cWrites = 0; + } + } + } + return; + } + previousTable = minutesTable; + } + }]; + }]; + + if(foundTimeSlot == NO){ + //reset the time table + secnotice("backoff","didn't find a time slot, resetting the table"); + NSMutableDictionary *lastTable = [*timeTable valueForKey:kMonitorFifthMinute]; + NSDate *lastDate = [lastTable valueForKey:kMonitorFifthMinute]; + + if((double)[currentTime timeIntervalSinceDate: lastDate] >= seconds_per_minute){ + *consecutiveWrites = [[NSNumber alloc]initWithInt:0]; + } + else{ + NSString* written = [lastTable valueForKey:kMonitorWroteInTimeSlice]; + if([written isEqualToString:@"YES"]){ + 
cWrites++; + *consecutiveWrites = [[NSNumber alloc]initWithInt:cWrites]; + } + else{ + *consecutiveWrites = [[NSNumber alloc]initWithInt:0]; + } + } + + *timeTable = [self initializeTimeTable:key]; + return; + } + *consecutiveWrites = [[NSNumber alloc]initWithInt:cWrites]; +} +- (void)recordWriteToKVS:(NSDictionary *)values +{ + if([_monitor count] == 0){ + [values enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) + { + [self initializeKeyEntry: key]; + }]; + } + else{ + [values enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) + { + NSMutableDictionary *keyEntry = [_monitor objectForKey:key]; + if(keyEntry == nil){ + [self initializeKeyEntry: key]; + } + else{ + NSNumber *penalty_timeout = [keyEntry objectForKey:kMonitorPenaltyBoxKey]; + NSDate *lastWriteTimestamp = [keyEntry objectForKey:kMonitorLastWriteTimestamp]; + NSMutableDictionary *timeTable = [keyEntry objectForKey: kMonitorTimeTable]; + NSNumber *existingWrites = [keyEntry objectForKey: kMonitorConsecutiveWrites]; + NSDate *currentTime = [NSDate date]; + + [self recordTimestampForAppropriateInterval:&timeTable key:key consecutiveWrites:&existingWrites]; + + int consecutiveWrites = [existingWrites intValue]; + secnotice("backoff","consecutive writes: %d", consecutiveWrites); + [keyEntry setObject:existingWrites forKey:kMonitorConsecutiveWrites]; + [keyEntry setObject:timeTable forKey:kMonitorTimeTable]; + [keyEntry setObject:currentTime forKey:kMonitorLastWriteTimestamp]; + [_monitor setObject:keyEntry forKey:key]; + + if([penalty_timeout intValue] != 0 || ((double)[currentTime timeIntervalSinceDate: lastWriteTimestamp] <= 60 && consecutiveWrites >= 5)){ + if([penalty_timeout intValue] != 0 && consecutiveWrites == 5){ + secnotice("backoff","written for 5 consecutive minutes, time to start throttling"); + [self increasePenalty:penalty_timeout key:key keyEntry:&keyEntry]; + } + else + secnotice("backoff","monitor: keys have been written for 5 or more minutes, recording we wrote 
during timeout"); + + //record we wrote during a timeout + [keyEntry setObject: @"YES" forKey:kMonitorDidWriteDuringPenalty]; + } + //keep writing freely but record it + else if((double)[currentTime timeIntervalSinceDate: lastWriteTimestamp] <= 60 && consecutiveWrites < 5){ + secnotice("backoff","monitor: still writing freely"); + } + } + }]; + } +} + +- (NSDictionary*)recordHaltedValuesAndReturnValuesToSafelyWrite:(NSDictionary *)values +{ + NSMutableDictionary *SafeMessages = [NSMutableDictionary dictionary]; + [values enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) + { + NSMutableDictionary *keyEntry = [_monitor objectForKey:key]; + NSNumber *penalty = [keyEntry objectForKey:kMonitorPenaltyBoxKey]; + if([penalty intValue] != 0){ + NSMutableDictionary* existingQueue = [keyEntry valueForKey:kMonitorMessageQueue]; + + [existingQueue setObject:obj forKey:key]; + + [keyEntry setObject:existingQueue forKey:kMonitorMessageQueue]; + [_monitor setObject:keyEntry forKey:key]; + } + else{ + [SafeMessages setObject:obj forKey:key]; + } + }]; + return SafeMessages; +} + +// MARK: Object setting + + +- (void)setStoreObjectsFromDictionary:(NSDictionary *)values +{ + if (values == nil) { + secdebug(XPROXYSCOPE, "%@ NULL? 
values: %@", self, values); + return; + } + + NSMutableDictionary<NSString*, NSObject*> *mutableValues = [values mutableCopy]; + NSString* newDSID = asNSString([mutableValues extractObjectForKey:(__bridge NSString*) kSOSKVSOfficialDSIDKey]); + if (newDSID) { + _dsid = newDSID; + } + + NSString* requiredDSID = asNSString([mutableValues extractObjectForKey:(__bridge NSString*) kSOSKVSRequiredKey]); + if (requiredDSID) { + if (_dsid == nil || [_dsid isEqualToString: @""]) { + secdebug("dsid", "CloudKeychainProxy setting dsid to :%@ from securityd", requiredDSID); + _dsid = requiredDSID; + } else if (![_dsid isEqual: requiredDSID]) { + secerror("Account DSIDs do not match, cloud keychain proxy: %@, securityd: %@", _dsid, requiredDSID); + secerror("Not going to write these: %@ into KVS!", values); + return; + } else { + secnoticeq("dsid", "DSIDs match, writing"); + } + } + + secnoticeq("keytrace", "%@ sending: %@", self, [[mutableValues allKeys] componentsJoinedByString: @" "]); + [mutableValues enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) + { + if (obj == NULL || obj == [NSNull null]) { + [self.store removeObjectForKey:key]; + } else { + if ([key hasPrefix:@"ak|"]) { // TODO: somewhat of a hack + id oldObj = [self.store objectForKey:key]; + if ([oldObj isEqual: obj]) { + // Fix KVS repeated message undelivery by sending a NULL first (deafness) + secnoticeq("keytrace", "forcing resend of key write: %@", key); + [self.store removeObjectForKey:key]; + } + } + [self.store setObject:obj forKey:key]; + } + }]; + + [self.store pushWrites]; +} + +- (void)setObjectsFromDictionary:(NSDictionary<NSString*, NSObject*> *)values +{ + [[UbiqitousKVSProxy sharedKVSProxy] recordWriteToKVS: values]; + NSDictionary *safeValues = [[UbiqitousKVSProxy sharedKVSProxy] recordHaltedValuesAndReturnValuesToSafelyWrite: values]; + if([safeValues count] !=0){ + [[UbiqitousKVSProxy sharedKVSProxy] setStoreObjectsFromDictionary:safeValues]; + } +} + +- 
(void)waitForSynchronization:(void (^)(NSDictionary<NSString*, NSObject*> *results, NSError *err))handler +{ + secnoticeq("fresh", "%s Requesting WFS", kWAIT2MINID); + + [_freshnessCompletions addObject: ^(bool success, NSError *error){ + secnoticeq("fresh", "%s WFS Done", kWAIT2MINID); + handler(nil, error); + }]; + + if ([self.freshnessCompletions count] == 1) { + // We can't talk to synchronize on the _ckdkvsproxy_queue or we deadlock, + // bounce to a global concurrent queue + dispatch_after(_nextFreshnessTime, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ + NSError *error = nil; + bool success = [self.store pullUpdates:&error]; + + dispatch_async(_ckdkvsproxy_queue, ^{ + [self waitForSyncDone: success error: error]; + }); + }); + } +} + +- (void) waitForSyncDone: (bool) success error: (NSError*) error{ + if (success) { + const uint64_t delayBeforeCallingAgainInSeconds = 5ull * NSEC_PER_SEC; + _nextFreshnessTime = dispatch_time(DISPATCH_TIME_NOW, delayBeforeCallingAgainInSeconds); + } + + secnoticeq("fresh", "%s Completing WFS", kWAIT2MINID); + [_freshnessCompletions enumerateObjectsUsingBlock:^(FreshnessResponseBlock _Nonnull block, + NSUInteger idx, + BOOL * _Nonnull stop) { + block(success, error); + }]; + [_freshnessCompletions removeAllObjects]; + +} + +// +// MARK: ----- KVS key lists ----- +// + + +- (NSDictionary*) exportKeyInterests +{ + return @{ kKeyAlwaysKeys:[_alwaysKeys allObjects], + kKeyFirstUnlockKeys:[_firstUnlockKeys allObjects], + kKeyUnlockedKeys:[_unlockedKeys allObjects], + kMonitorState:_monitor, + kKeyPendingKeys:[_pendingKeys allObjects], + kKeySyncWithPeersPending:[NSNumber numberWithBool:_syncWithPeersPending], + kKeyEnsurePeerRegistration:[NSNumber numberWithBool:_ensurePeerRegistration], + kKeyDSID:_dsid + }; +} + +- (void) importKeyInterests: (NSDictionary*) interests +{ + _alwaysKeys = [NSMutableSet setWithArray: interests[kKeyAlwaysKeys]]; + _firstUnlockKeys = [NSMutableSet setWithArray: 
interests[kKeyFirstUnlockKeys]]; + _unlockedKeys = [NSMutableSet setWithArray: interests[kKeyUnlockedKeys]]; + + _pendingKeys = [NSMutableSet setWithArray: interests[kKeyPendingKeys]]; + _syncWithPeersPending = [interests[kKeySyncWithPeersPending] boolValue]; + _ensurePeerRegistration = [interests[kKeyEnsurePeerRegistration] boolValue]; + _dsid = interests[kKeyDSID]; + _monitor = interests[kMonitorState]; + if(_monitor == nil) + _monitor = [NSMutableDictionary dictionary]; + +} + +- (NSMutableSet *)copyAllKeyInterests +{ + NSMutableSet *allKeys = [NSMutableSet setWithSet: _alwaysKeys]; + [allKeys unionSet: _firstUnlockKeys]; + [allKeys unionSet: _unlockedKeys]; + return allKeys; +} + +-(void)registerAtTimeKeys:(NSDictionary*)keyparms +{ + if (keyparms == nil) + return; + + NSArray *alwaysArray = [keyparms valueForKey: kKeyAlwaysKeys]; + NSArray *firstUnlockedKeysArray = [keyparms valueForKey: kKeyFirstUnlockKeys]; + NSArray *whenUnlockedKeysArray = [keyparms valueForKey: kKeyUnlockedKeys]; + + if(alwaysArray) + [_alwaysKeys unionSet: [NSMutableSet setWithArray: alwaysArray]]; + if(firstUnlockedKeysArray) + [_firstUnlockKeys unionSet: [NSMutableSet setWithArray: firstUnlockedKeysArray]]; + if(whenUnlockedKeysArray) + [_unlockedKeys unionSet: [NSMutableSet setWithArray: whenUnlockedKeysArray]]; +} + + +- (void)registerKeys: (NSDictionary*)keys +{ + secdebug(XPROXYSCOPE, "registerKeys: keys: %@", keys); + + NSMutableSet *allOldKeys = [self copyAllKeyInterests]; + + NSDictionary *keyparms = [keys valueForKey: [NSString stringWithUTF8String: kMessageKeyParameter]]; + NSDictionary *circles = [keys valueForKey: [NSString stringWithUTF8String: kMessageCircle]]; + NSDictionary *messages = [keys valueForKey: [NSString stringWithUTF8String: kMessageMessage]]; + + _alwaysKeys = [NSMutableSet set]; + _firstUnlockKeys = [NSMutableSet set]; + _unlockedKeys = [NSMutableSet set]; + + [self registerAtTimeKeys: keyparms]; + [self registerAtTimeKeys: circles]; + [self 
registerAtTimeKeys: messages]; + + NSMutableSet *allNewKeys = [self copyAllKeyInterests]; + + // Make sure keys we no longer care about are not pending + [_pendingKeys intersectSet:allNewKeys]; + if (_shadowPendingKeys) { + [_shadowPendingKeys intersectSet:allNewKeys]; + } + + // All new keys only is new keys (remove old keys) + [allNewKeys minusSet:allOldKeys]; + + // Mark new keys pending, they're new! + NSMutableSet *newKeysForCurrentLockState = [self pendKeysAndGetNewlyPended:allNewKeys]; + + [self persistState]; // Before we might call out, save our state so we recover if we crash + + [self intersectWithCurrentLockState: newKeysForCurrentLockState]; + // TODO: Don't processPendingKeysForCurrentLockState if none of the new keys have values. + if ([newKeysForCurrentLockState count] != 0) { + [self processPendingKeysForCurrentLockState]; + } +} + +// MARK: ----- Event Handling ----- + +- (void)streamEvent:(xpc_object_t)notification +{ +#if (!TARGET_IPHONE_SIMULATOR) + const char *notificationName = xpc_dictionary_get_string(notification, "Notification"); + if (!notificationName) { + } else if (strcmp(notificationName, kUserKeybagStateChangeNotification)==0) { + return [self keybagStateChange]; + } else if (strcmp(notificationName, kCloudKeychainStorechangeChangeNotification)==0) { + return [self kvsStoreChange]; + } else if (strcmp(notificationName, kNotifyTokenForceUpdate)==0) { + // DEBUG -- Possibly remove in future + return [self processAllItems]; + } + const char *eventName = xpc_dictionary_get_string(notification, "XPCEventName"); + char *desc = xpc_copy_description(notification); + secnotice("event", "%@ event: %s name: %s desc: %s", self, eventName, notificationName, desc); + if (desc) + free((void *)desc); +#endif +} + +- (void)storeKeysChanged: (NSSet<NSString*>*) changedKeys initial: (bool) initial +{ + // Mark that our store is talking to us, so we don't have to make up for missing anything previous. 
+ _seenKVSStoreChange = YES; + + // Unmark them as pending as they have just changed and we'll process them. + [_pendingKeys minusSet:changedKeys]; + + // Only send values that we're currently interested in. + NSSet *keysOfInterestThatChanged = [self pendKeysAndGetPendingForCurrentLockState:changedKeys]; + NSMutableDictionary *changedValues = [self copyValues:keysOfInterestThatChanged]; + if (initial) + changedValues[(__bridge NSString*)kSOSKVSInitialSyncKey] = @"true"; + + secnotice("event", "%@ keysChangedInCloud: %@ keysOfInterest: %@ initial: %@", + self, + [[changedKeys allObjects] componentsJoinedByString: @" "], + [[changedValues allKeys] componentsJoinedByString: @" "], + initial ? @"YES" : @"NO"); + + if ([changedValues count]) + [self processKeyChangedEvent:changedValues]; +} + +- (void)storeAccountChanged +{ + secnotice("event", "%@", self); + + NSDictionary *changedValues = nil; + if(_dsid) + changedValues = @{ (__bridge NSString*)kSOSKVSAccountChangedKey: _dsid }; + else + changedValues = @{ (__bridge NSString*)kSOSKVSAccountChangedKey: @"true" }; + + [self processKeyChangedEvent:changedValues]; +} + +- (void) doAfterFlush: (dispatch_block_t) block +{ + //Flush any pending communication to Securityd. 
+ if(!_inCallout) + dispatch_async(_calloutQueue, block); + else + _shadowFlushBlock = block; +} + +- (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration))) callout +{ + // In CKDKVSProxy's serial queue + + // dispatch_get_global_queue - well-known global concurrent queue + // dispatch_get_main_queue - default queue that is bound to the main thread + xpc_transaction_begin(); + dispatch_async(_calloutQueue, ^{ + __block NSSet *myPending; + __block bool mySyncWithPeersPending; + __block bool myEnsurePeerRegistration; + __block bool wasLocked; + dispatch_sync(_ckdkvsproxy_queue, ^{ + myPending = [_pendingKeys copy]; + mySyncWithPeersPending = _syncWithPeersPending; + myEnsurePeerRegistration = _ensurePeerRegistration; + wasLocked = _isLocked; + + _inCallout = YES; + + _shadowPendingKeys = [NSMutableSet set]; + _shadowSyncWithPeersPending = NO; + }); + + callout(myPending, mySyncWithPeersPending, myEnsurePeerRegistration, _ckdkvsproxy_queue, ^(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration) { + secdebug("event", "%@ %s%s before callout handled: %s%s", self, mySyncWithPeersPending ? "S" : "s", myEnsurePeerRegistration ? "E" : "e", handledSyncWithPeers ? "S" : "s", handledEnsurePeerRegistration ? "E" : "e"); + + // In CKDKVSProxy's serial queue + _inCallout = NO; + + // Update ensurePeerRegistration + _ensurePeerRegistration = ((myEnsurePeerRegistration && !handledEnsurePeerRegistration) || _shadowEnsurePeerRegistration); + + _shadowEnsurePeerRegistration = NO; + + if(_ensurePeerRegistration && !_isLocked) + [self doEnsurePeerRegistration]; + + // Update SyncWithPeers stuff. 
+ _syncWithPeersPending = ((mySyncWithPeersPending && (!handledSyncWithPeers)) || _shadowSyncWithPeersPending); + + _shadowSyncWithPeersPending = NO; + if (handledSyncWithPeers) + _lastSyncTime = dispatch_time(DISPATCH_TIME_NOW, 0); + + // Update pendingKeys and handle them + [_pendingKeys removeObject: [NSNull null]]; // Don't let NULL hang around + + [_pendingKeys minusSet: handledKeys]; + bool hadShadowPendingKeys = [_shadowPendingKeys count]; + // Move away shadownPendingKeys first, because pendKeysAndGetPendingForCurrentLockState + // will look at them. See rdar://problem/20733166. + NSSet *oldShadowPendingKeys = _shadowPendingKeys; + _shadowPendingKeys = nil; + + NSSet *filteredKeys = [self pendKeysAndGetPendingForCurrentLockState:oldShadowPendingKeys]; + + secnoticeq("keytrace", "%@ account handled: %@ pending: %@", self, + [[handledKeys allObjects] componentsJoinedByString: @" "], + [[filteredKeys allObjects] componentsJoinedByString: @" "]); + + // Write state to disk + [self persistState]; + + // Handle shadow pended stuff + if (_syncWithPeersPending && !_isLocked) + [self scheduleSyncRequestTimer]; + /* We don't want to call processKeyChangedEvent if we failed to + handle pending keys and the device didn't unlock nor receive + any kvs changes while we were in our callout. + Doing so will lead to securityd and CloudKeychainProxy + talking to each other forever in a tight loop if securityd + repeatedly returns an error processing the same message. + Instead we leave any old pending keys until the next event. 
*/ + + if (hadShadowPendingKeys || (!_isLocked && wasLocked)){ + [self processKeyChangedEvent:[self copyValues:filteredKeys]]; + if(_shadowFlushBlock != NULL) + secerror("Flush block is not null and sending new keys"); + } + if(_shadowFlushBlock != NULL){ + dispatch_async(_calloutQueue, _shadowFlushBlock); + _shadowFlushBlock = NULL; + } + + xpc_transaction_end(); + }); + }); +} + +- (void) sendKeysCallout: (NSSet *(^)(NSSet* pending, NSError** error)) handleKeys { + [self calloutWith: ^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool)) { + NSError* error = NULL; + + secnotice("CloudKeychainProxy", "send keys: %@", pending); + NSSet * handled = handleKeys(pending, &error); + + dispatch_async(queue, ^{ + if (!handled) { + secerror("%@ ensurePeerRegistration failed: %@", self, error); + } + + done(handled, NO, NO); + }); + }]; +} + +- (void) doEnsurePeerRegistration +{ + NSObject<CKDAccount>* accountDelegate = [self account]; + [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool)) { + NSError* error = nil; + bool handledEnsurePeerRegistration = [accountDelegate ensurePeerRegistration:&error]; + secnotice("EnsurePeerRegistration", "%@ ensurePeerRegistration called, %@ (%@)", self, handledEnsurePeerRegistration ? 
@"success" : @"failure", error); + dispatch_async(queue, ^{ + done(nil, NO, handledEnsurePeerRegistration); + }); + }]; +} + +- (void) doSyncWithAllPeers +{ + NSObject<CKDAccount>* accountDelegate = [self account]; + [self calloutWith:^(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *, bool, bool)) { + NSError* error = NULL; + SyncWithAllPeersReason reason = [accountDelegate syncWithAllPeers: &error]; + dispatch_async(queue, ^{ + bool handledSyncWithPeers = NO; + if (reason == kSyncWithAllPeersSuccess) { + handledSyncWithPeers = YES; + secnotice("event", "%@ syncWithAllPeers succeeded", self); + } else if (reason == kSyncWithAllPeersLocked) { + secnotice("event", "%@ syncWithAllPeers attempted while locked - waiting for unlock", self); + handledSyncWithPeers = NO; + [self updateIsLocked]; + } else if (reason == kSyncWithAllPeersOtherFail) { + // Pretend we handled syncWithPeers, by pushing out the _lastSyncTime + // This will cause us to wait for kMinSyncInterval seconds before + // retrying, so we don't spam securityd if sync is failing + secerror("%@ syncWithAllPeers %@, rescheduling timer", self, error); + _lastSyncTime = dispatch_time(DISPATCH_TIME_NOW, 0); + } else { + secerror("%@ syncWithAllPeers %@, unknown reason: %d", self, error, reason); + } + + done(nil, handledSyncWithPeers, false); + }); + }]; +} + +- (void)timerFired +{ + secnotice("event", "%@ syncWithPeersPending: %d inCallout: %d isLocked: %d", self, _syncWithPeersPending, _inCallout, _isLocked); + _syncTimerScheduled = NO; + if(_ensurePeerRegistration){ + [self doEnsurePeerRegistration]; + } + if (_syncWithPeersPending && !_inCallout && !_isLocked){ + [self doSyncWithAllPeers]; + } +} + +- (dispatch_time_t) nextSyncTime +{ + dispatch_time_t nextSync = dispatch_time(DISPATCH_TIME_NOW, kMinSyncDelay); + + // Don't sync again unless we waited at least kMinSyncInterval + if (_lastSyncTime) { + dispatch_time_t soonest = 
dispatch_time(_lastSyncTime, kMinSyncInterval); + if (nextSync < soonest || _deadline < soonest) { + secdebug("timer", "%@ backing off", self); + return soonest; + } + } + + // Don't delay more than kMaxSyncDelay after the first request. + if (nextSync > _deadline) { + secdebug("timer", "%@ hit deadline", self); + return _deadline; + } + + // Bump the timer by kMinSyncDelay + if (_syncTimerScheduled) + secdebug("timer", "%@ bumped timer", self); + else + secdebug("timer", "%@ scheduled timer", self); + + return nextSync; +} + +- (void)scheduleSyncRequestTimer +{ + dispatch_source_set_timer(_syncTimer, [self nextSyncTime], DISPATCH_TIME_FOREVER, kSyncTimerLeeway); + _syncTimerScheduled = YES; +} + +- (void)requestSyncWithAllPeers // secd calling SOSCCSyncWithAllPeers invokes this +{ +#if !defined(NDEBUG) + NSString *desc = [self description]; +#endif + + if (!_syncWithPeersPending || (_inCallout && !_shadowSyncWithPeersPending)) + _deadline = dispatch_time(DISPATCH_TIME_NOW, kMaxSyncDelay); + + if (!_syncWithPeersPending) { + _syncWithPeersPending = YES; + [self persistState]; + } + + if (_inCallout) + _shadowSyncWithPeersPending = YES; + else if (!_isLocked) + [self scheduleSyncRequestTimer]; + + secdebug("event", "%@ %@", desc, self); +} + +- (void)requestEnsurePeerRegistration // secd calling SOSCCSyncWithAllPeers invokes this +{ +#if !defined(NDEBUG) + NSString *desc = [self description]; +#endif + + if (_inCallout) { + _shadowEnsurePeerRegistration = YES; + } else { + _ensurePeerRegistration = YES; + if (!_isLocked){ + [self doEnsurePeerRegistration]; + } + [self persistState]; + } + + secdebug("event", "%@ %@", desc, self); +} + + +- (BOOL) updateUnlockedSinceBoot +{ + CFErrorRef aksError = NULL; + if (!SecAKSGetHasBeenUnlocked(&_unlockedSinceBoot, &aksError)) { + secerror("%@ Got error from SecAKSGetHasBeenUnlocked: %@", self, aksError); + CFReleaseSafe(aksError); + return NO; + } + return YES; +} + +- (BOOL) updateIsLocked +{ + CFErrorRef aksError = NULL; + 
if (!SecAKSGetIsLocked(&_isLocked, &aksError)) { + _isLocked = YES; + secerror("%@ Got error querying lock state: %@", self, aksError); + CFReleaseSafe(aksError); + return NO; + } + if (!_isLocked) + _unlockedSinceBoot = YES; + return YES; +} + +- (void) keybagStateChange +{ + os_activity_initiate("keybagStateChanged", OS_ACTIVITY_FLAG_DEFAULT, ^{ + BOOL wasLocked = _isLocked; + if ([self updateIsLocked]) { + if (wasLocked == _isLocked) + secdebug("event", "%@ still %s ignoring", self, _isLocked ? "locked" : "unlocked"); + else if (_isLocked) + [self keybagDidLock]; + else + [self keybagDidUnlock]; + } + }); +} + +- (void) keybagDidLock +{ + secnotice("event", "%@", self); +} + +- (void) keybagDidUnlock +{ + secnotice("event", "%@", self); + if (_ensurePeerRegistration) { + [self doEnsurePeerRegistration]; + } + + // First send changed keys to securityd so it can proccess updates + [self processPendingKeysForCurrentLockState]; + + // Then, tickle securityd to perform a sync if needed. + if (_syncWithPeersPending && !_syncTimerScheduled) { + [self doSyncWithAllPeers]; + } +} + +- (void) kvsStoreChange { + os_activity_initiate("kvsStoreChange", OS_ACTIVITY_FLAG_DEFAULT, ^{ + if (!_seenKVSStoreChange) { + secnotice("event", "%@ received darwin notification before first NSNotification", self); + // TODO This might not be needed if we always get the NSNotification + // deleived even if we were launched due to a kvsStoreChange + // Send all keys for current lock state to securityd so it can proccess them + [self pendKeysAndGetNewlyPended: [self copyAllKeyInterests]]; + [self processPendingKeysForCurrentLockState]; + } else { + secdebug("event", "%@ ignored, waiting for NSNotification", self); + } + }); +} + +// +// MARK: ----- Key Filtering ----- +// + +- (NSSet*) keysForCurrentLockState +{ + secdebug("filtering", "%@ Filtering: unlockedSinceBoot: %d\n unlocked: %d\n, keysOfInterest: <%@>", self, (int) _unlockedSinceBoot, (int) !_isLocked, [SOSPersistentState 
dictionaryDescription: [self exportKeyInterests]]); + + NSMutableSet *currentStateKeys = [NSMutableSet setWithSet: _alwaysKeys]; + if (_unlockedSinceBoot) + [currentStateKeys unionSet: _firstUnlockKeys]; + + if (!_isLocked) + [currentStateKeys unionSet: _unlockedKeys]; + + return currentStateKeys; +} + + +- (NSMutableSet*) pendKeysAndGetNewlyPended: (NSSet*) keysToPend +{ + NSMutableSet *filteredKeysToPend = [self copyAllKeyInterests]; + [filteredKeysToPend intersectSet: keysToPend]; + + NSMutableSet *newlyPendedKeys = [filteredKeysToPend mutableCopy]; + [newlyPendedKeys minusSet: _pendingKeys]; + if (_shadowPendingKeys) { + [newlyPendedKeys minusSet: _shadowPendingKeys]; + } + + if (_shadowPendingKeys) { + [_shadowPendingKeys unionSet:filteredKeysToPend]; + } + else{ + [_pendingKeys unionSet:filteredKeysToPend]; + } + + return newlyPendedKeys; +} + +- (void) intersectWithCurrentLockState: (NSMutableSet*) set +{ + [set intersectSet: [self keysForCurrentLockState]]; +} + +- (NSMutableSet*) pendingKeysForCurrentLockState +{ + NSMutableSet * result = [_pendingKeys mutableCopy]; + [self intersectWithCurrentLockState:result]; + return result; +} + +- (NSMutableSet*) pendKeysAndGetPendingForCurrentLockState: (NSSet*) startingSet +{ + [self pendKeysAndGetNewlyPended: startingSet]; + + return [self pendingKeysForCurrentLockState]; +} + +- (NSMutableDictionary *)copyValues:(NSSet*)keysOfInterest +{ + // Grab values from store. 
+ NSObject<CKDStore> *store = [self store]; + NSMutableDictionary *changedValues = [NSMutableDictionary dictionaryWithCapacity:0]; + [keysOfInterest enumerateObjectsUsingBlock:^(id obj, BOOL *stop) + { + NSString* key = (NSString*) obj; + id objval = [store objectForKey:key]; + if (!objval) objval = [NSNull null]; + + [changedValues setObject:objval forKey:key]; + secdebug(XPROXYSCOPE, "%@ storeChanged updated value for %@", self, key); + }]; + return changedValues; +} + +/* + During RegisterKeys, separate keys-of-interest into three disjoint sets: + - keys that we always want to be notified about; this means we can get the + value at any time + - keys that require the device to have been unlocked at least once + - keys that require the device to be unlocked now + + Typically, the sets of keys will be: + + - Dk: alwaysKeys + - Ck: firstUnlock + - Ak: unlocked + + The caller is responsible for making sure that the keys in e.g. alwaysKeys are + values that can be handled at any time (that is, not when unlocked) + + Each time we get a notification from ubiquity that keys have changed, we need to + see if anything of interest changed. If we don't care, then done. + + For each key-of-interest that changed, we either notify the client that things + changed, or add it to a pendingNotifications list. If the notification to the + client fails, also add it to the pendingNotifications list. This pending list + should be written to persistent storage and consulted any time we either get an + item changed notification, or get a stream event signalling a change in lock state. + + We can notify the client either through XPC if a connection is set up, or call a + routine in securityd to launch it. 
+ + */ + +- (void)processKeyChangedEvent:(NSDictionary *)changedValues +{ + NSMutableDictionary* filtered = [NSMutableDictionary dictionary]; + + secnotice("processKeyChangedEvent", "changedValues:%@", changedValues); + NSMutableArray* nullKeys = [NSMutableArray array]; + // Remove nulls because we don't want them in securityd. + [changedValues enumerateKeysAndObjectsUsingBlock:^(id key, id obj, BOOL *stop) { + if (obj == [NSNull null]){ + [nullKeys addObject:key]; + }else{ + filtered[key] = obj; + } + }]; + if ([nullKeys count]) + [_pendingKeys minusSet: [NSSet setWithArray: nullKeys]]; + + if([filtered count] != 0 ) { + [self sendKeysCallout:^NSSet *(NSSet *pending, NSError** error) { + secnotice("processing keys", "pending:%@", pending); + NSError *updateError = nil; + return [[self account] keysChanged: filtered error: &updateError]; + }]; + } else { + secnoticeq("keytrace", "%@ null: %@ pending: %@", self, + [nullKeys componentsJoinedByString: @" "], + [[_pendingKeys allObjects] componentsJoinedByString: @" "]); + } +} + +- (void) processPendingKeysForCurrentLockState +{ + [self processKeyChangedEvent: [self copyValues: [self pendingKeysForCurrentLockState]]]; +} + +@end + + diff --git a/KVSKeychainSyncingProxy/CKDKVSStore.h b/KVSKeychainSyncingProxy/CKDKVSStore.h new file mode 100644 index 00000000..6dabc84f --- /dev/null +++ b/KVSKeychainSyncingProxy/CKDKVSStore.h 
@@ -0,0 +1,32 @@
+//
+// CKDKVSStore.h
+//
+
+#import <Foundation/Foundation.h>
+
+#import "CKDStore.h"
+#import "CKDKVSProxy.h"
+
+@interface CKDKVSStore : NSObject <CKDStore>
+
++ (instancetype)kvsInterface;
+- (instancetype)init;
+
+- (void)connectToProxy: (UbiqitousKVSProxy*) proxy;
+
+- (NSObject*)objectForKey:(NSString*)key;
+
+- (void)setObject:(id)obj forKey:(NSString*)key;
+- (void)addEntriesFromDictionary:(NSDictionary<NSString*, NSObject*> *)otherDictionary;
+
+- (void)removeObjectForKey:(NSString*)key;
+- (void)removeAllObjects;
+
+- (NSDictionary<NSString *, id>*) copyAsDictionary;
+
+- (void)pushWrites;
+- (BOOL)pullUpdates:(NSError**) failure;
+
+- (void)kvsStoreChanged: (NSNotification*) notification;
+
+@end
diff --git a/KVSKeychainSyncingProxy/CKDKVSStore.m b/KVSKeychainSyncingProxy/CKDKVSStore.m
new file mode 100644
index 00000000..5ce77181
--- /dev/null
+++ b/KVSKeychainSyncingProxy/CKDKVSStore.m
@@ -0,0 +1,208 @@ +// +// CKDKVSStore.m +// Security +// +// Created by Mitch Adler on 5/15/16. +// +// + +#import "CKDKVSStore.h" +#import "CKDKVSProxy.h" + +#include "SOSCloudKeychainConstants.h" +#include <utilities/debugging.h> + +#import <Foundation/NSUbiquitousKeyValueStore.h> +#import <Foundation/NSUbiquitousKeyValueStore_Private.h> +#import "SyncedDefaults/SYDConstants.h" +#include <os/activity.h> + +//KVS error codes +#define UPDATE_RESUBMIT 4 + +@interface CKDKVSStore () +@property (readwrite, weak) UbiqitousKVSProxy* proxy; +@property (readwrite) NSUbiquitousKeyValueStore* cloudStore; +@end + +@implementation CKDKVSStore + ++ (instancetype)kvsInterface { + return [[CKDKVSStore alloc] init]; +} + +- (instancetype)init { + self = [super init]; + + self->_cloudStore = [NSUbiquitousKeyValueStore defaultStore]; + self->_proxy = nil; + + if (!self.cloudStore) { + secerror("NO NSUbiquitousKeyValueStore defaultStore!!!"); + return nil; + } + + return self; +} + +- (void) connectToProxy: (UbiqitousKVSProxy*) proxy { + _proxy = proxy; + + [[NSNotificationCenter defaultCenter] addObserver:self + selector:@selector(kvsStoreChanged:) + name:NSUbiquitousKeyValueStoreDidChangeExternallyNotification + object:nil]; + +} + +- (void)setObject:(id)obj forKey:(NSString*)key { + NSUbiquitousKeyValueStore *store = [self cloudStore]; + if (store) + { + id value = [store objectForKey:key]; + if (value) + secdebug("kvsdebug", "%@ key %@ changed: %@ to: %@", self, key, value, obj); + else + secdebug("kvsdebug", "%@ key %@ initialized to: %@", self, key, obj); + [store setObject:obj forKey:key]; + [self pushWrites]; + } else { + secerror("Can't get kvs store, key: %@ not set to: %@", key, obj); + } +} + +- (NSDictionary<NSString *, id>*) copyAsDictionary { + return [self.cloudStore dictionaryRepresentation]; +} + +- (void)addEntriesFromDictionary:(NSDictionary<NSString*, NSObject*> *)otherDictionary { + [otherDictionary enumerateKeysAndObjectsUsingBlock:^(NSString * _Nonnull key, 
NSObject * _Nonnull obj, BOOL * _Nonnull stop) { + [self setObject:obj forKey:key]; + }]; +} + +- (id)objectForKey:(NSString*)key { + return [self.cloudStore objectForKey:key]; +} + +- (void)removeObjectForKey:(NSString*)key { + return [self.cloudStore removeObjectForKey:key]; +} + +- (void)removeAllObjects { + [[[[self.cloudStore dictionaryRepresentation] allKeys] copy] enumerateObjectsUsingBlock:^(NSString * _Nonnull obj, NSUInteger idx, BOOL * _Nonnull stop) { + [self.cloudStore removeObjectForKey:obj]; + }]; +} + +- (void)pushWrites { + [[self cloudStore] synchronize]; +} + +- (void) kvsStoreChanged:(NSNotification *)notification { + /* + Posted when the value of one or more keys in the local key-value store + changed due to incoming data pushed from iCloud. This notification is + sent only upon a change received from iCloud; it is not sent when your + app sets a value. + + The user info dictionary can contain the reason for the notification as + well as a list of which values changed, as follows: + + The value of the NSUbiquitousKeyValueStoreChangeReasonKey key, when + present, indicates why the key-value store changed. Its value is one of + the constants in "Change Reason Values." + + The value of the NSUbiquitousKeyValueStoreChangedKeysKey, when present, + is an array of strings, each the name of a key whose value changed. The + notification object is the NSUbiquitousKeyValueStore object whose contents + changed. + + NSUbiquitousKeyValueStoreInitialSyncChange is only posted if there is any + local value that has been overwritten by a distant value. If there is no + conflict between the local and the distant values when doing the initial + sync (e.g. if the cloud has no data stored or the client has not stored + any data yet), you'll never see that notification. + + NSUbiquitousKeyValueStoreInitialSyncChange implies an initial round trip + with server but initial round trip with server does not imply + NSUbiquitousKeyValueStoreInitialSyncChange. 
+ */ + os_activity_initiate("cloudChanged", OS_ACTIVITY_FLAG_DEFAULT, ^{ + secdebug(XPROXYSCOPE, "%@ KVS Remote changed notification: %@", self, notification); + + NSDictionary *userInfo = [notification userInfo]; + NSNumber *reason = [userInfo objectForKey:NSUbiquitousKeyValueStoreChangeReasonKey]; + NSArray *keysChangedArray = [userInfo objectForKey:NSUbiquitousKeyValueStoreChangedKeysKey]; + NSSet *keysChanged = keysChangedArray ? [NSSet setWithArray: keysChangedArray] : nil; + + if (reason) switch ([reason integerValue]) { + case NSUbiquitousKeyValueStoreInitialSyncChange: + [self.proxy storeKeysChanged: keysChanged initial: YES]; + break; + + case NSUbiquitousKeyValueStoreServerChange: + [self.proxy storeKeysChanged: keysChanged initial: NO]; + break; + + case NSUbiquitousKeyValueStoreQuotaViolationChange: + seccritical("Received NSUbiquitousKeyValueStoreQuotaViolationChange"); + break; + + case NSUbiquitousKeyValueStoreAccountChange: + [self.proxy storeAccountChanged]; + break; + + default: + secinfo("kvsstore", "ignoring unknown notification: %@", reason); + break; + } + }); +} + +// try to synchronize asap, and invoke the handler on completion to take incoming changes. + +static bool isResubmitError(NSError* error) { + return error && (CFErrorGetCode((__bridge CFErrorRef) error) == UPDATE_RESUBMIT) && + (CFErrorGetDomain((__bridge CFErrorRef)error) == __SYDErrorKVSDomain); +} + +- (BOOL) pullUpdates:(NSError **)failure +{ + __block NSError *tempFailure = nil; + const int kMaximumTries = 10; + int tryCount = 0; + // Retry up to 10 times, since we're told this can fail and WE have to deal with it. 
+ + dispatch_semaphore_t freshSemaphore = dispatch_semaphore_create(0); + + do { + ++tryCount; + secnoticeq("fresh", "%s CALLING OUT TO syncdefaultsd SWCH, try %d: %@", kWAIT2MINID, tryCount, self); + + [[self cloudStore] synchronizeWithCompletionHandler:^(NSError *error) { + if (error) { + tempFailure = error; + secnotice("fresh", "%s RETURNING FROM syncdefaultsd SWCH: %@: %@", kWAIT2MINID, self, error); + } else { + secnotice("fresh", "%s RETURNING FROM syncdefaultsd SWCH: %@", kWAIT2MINID, self); + [[self cloudStore] synchronize]; // Per olivier in <rdar://problem/13412631>, sync before getting values + secnotice("fresh", "%s RETURNING FROM syncdefaultsd SYNC: %@", kWAIT2MINID, self); + } + dispatch_semaphore_signal(freshSemaphore); + }]; + dispatch_semaphore_wait(freshSemaphore, DISPATCH_TIME_FOREVER); + } while (tryCount < kMaximumTries && isResubmitError(tempFailure)); + + if (isResubmitError(tempFailure)) { + secerrorq("%s %d retry attempts to request freshness exceeded, failing", kWAIT2MINID, tryCount); + } + + if (failure && (*failure == NULL)) { + *failure = tempFailure; + } + + return tempFailure == nil; +} + +@end diff --git a/OSX/sec/SOSCircle/osxshim.c b/KVSKeychainSyncingProxy/CKDPersistentState.h similarity index 68% rename from OSX/sec/SOSCircle/osxshim.c rename to KVSKeychainSyncingProxy/CKDPersistentState.h index 845d8d32..22934752 100644 --- a/OSX/sec/SOSCircle/osxshim.c +++ b/KVSKeychainSyncingProxy/CKDPersistentState.h @@ -1,6 +1,6 @@ /* * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. - * + * * @APPLE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code 
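Review bot: `pullUpdates:` never resets `tempFailure` when a retry succeeds, so once one attempt has reported a resubmit error the loop condition `isResubmitError(tempFailure)` stays true even after `synchronizeWithCompletionHandler:` completes without error; the method then runs all `kMaximumTries` attempts, logs the "retry attempts exceeded" error and returns NO for a sync that actually went through. Adding `tempFailure = nil;` as the first statement of the completion handler's `else` branch fixes it. `isResubmitError` also compares the error domain with `==`, which is pointer identity on a CFStringRef; `CFEqual(CFErrorGetDomain((__bridge CFErrorRef)error), __SYDErrorKVSDomain)` is the reliable test. `init` writes `self->_cloudStore` before checking that `[super init]` returned non-nil.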
@@ -21,20 +21,23 @@ * @APPLE_LICENSE_HEADER_END@ */ +// +// SOSPersistentState.h +// ckdxpc +// -#include <stdbool.h> -#include <CoreFoundation/CoreFoundation.h> - -typedef void *SOSDataSourceFactoryRef; -//typedef void *SOSAccountRef; +#import <Foundation/NSString.h> -// XXX Need to plumb these from security to secd. If we can. +@interface SOSPersistentState : NSObject +{ +} -typedef SOSDataSourceFactoryRef (^AccountDataSourceFactoryBlock)(); ++ (id)read:(NSURL *)path error:(NSError **)error; ++ (BOOL)write:(NSURL *)path data:(id)plist error:(NSError **)error; ++ (NSString *)dictionaryDescription: (NSDictionary *)state; ++ (NSMutableDictionary *)registeredKeys; ++ (void)setRegisteredKeys: (NSDictionary *)keysToRegister; ++ (NSURL *)registrationFileURL; -bool SOSKeychainAccountSetFactoryForAccount(AccountDataSourceFactoryBlock factory); +@end -bool SOSKeychainAccountSetFactoryForAccount(AccountDataSourceFactoryBlock factory) -{ - return false; -} diff --git a/KVSKeychainSyncingProxy/CKDPersistentState.m b/KVSKeychainSyncingProxy/CKDPersistentState.m new file mode 100644 index 00000000..9eb1e17c --- /dev/null +++ b/KVSKeychainSyncingProxy/CKDPersistentState.m 
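Review bot: the new header only imports `<Foundation/NSString.h>` yet declares `SOSPersistentState : NSObject` and uses `NSURL`, `NSError`, `NSDictionary` and `NSMutableDictionary`, so it compiles only when the including file has already pulled in Foundation; `#import <Foundation/Foundation.h>` makes it self-contained. The comment block names the file `SOSPersistentState.h` in `ckdxpc` while it now lives at `CKDPersistentState.h`, and the class keeps the SOS prefix in a CKD-named file; either the class or the comment should follow the file name. The first hunk of this rename is whitespace only.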
@@ -0,0 +1,133 @@ +/* + * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// SOSPersistentState.m +// ckdxpc +// + +#import <Security/Security.h> +#import <Foundation/NSPropertyList.h> +#import <Foundation/NSArray.h> +#import <Foundation/NSPropertyList.h> +#import <Foundation/NSData.h> +#import <Foundation/NSDictionary.h> +#import <utilities/debugging.h> +#import <utilities/SecFileLocations.h> + +#import "CKDPersistentState.h" + +#if ! __has_feature(objc_arc) +#error This file must be compiled with ARC. 
Either turn on ARC for the project or use -fobjc-arc flag +#endif + +// may want to have this hold incoming events in file as well + +// TODO: Sandbox stuff + +static CFStringRef kRegistrationFileName = CFSTR("com.apple.security.cloudkeychainproxy3.keysToRegister.plist"); + +@implementation SOSPersistentState + ++ (BOOL)write:(NSURL *)path data:(id)plist error:(NSError **)error +{ + if (![NSPropertyListSerialization propertyList: plist isValidForFormat: NSPropertyListXMLFormat_v1_0]) + { + secerror("can't save PersistentState as XML"); + return false; + } + + NSData *data = [NSPropertyListSerialization dataWithPropertyList: plist + format: NSPropertyListXMLFormat_v1_0 options: 0 error: error]; + if (data == nil) + { + secerror("error serializing PersistentState to xml: %@", *error); + return false; + } + + BOOL writeStatus = [data writeToURL: path options: NSDataWritingAtomic error: error]; + if (!writeStatus) + secerror("error writing PersistentState to file: %@", *error); + + return writeStatus; +} + ++ (id)read: (NSURL *)path error:(NSError **)error +{ + NSData *data = [NSData dataWithContentsOfURL: path options: 0 error: error]; + if (data == nil) + { + secdebug("keyregister", "error reading PersistentState from %@: %@", path, *error); + return nil; + } + + // Now the deserializing: + + NSPropertyListFormat format; + id plist = [NSPropertyListSerialization propertyListWithData: data + options: NSPropertyListMutableContainersAndLeaves format: &format error: error]; + + if (plist == nil) + secerror("could not deserialize PersistentState from %@: %@", path, *error); + + return plist; +} + ++ (NSURL *)registrationFileURL +{ + return (NSURL *)CFBridgingRelease(SecCopyURLForFileInPreferencesDirectory(kRegistrationFileName)); +} + ++ (NSString *)dictionaryDescription: (NSDictionary *)state +{ + NSMutableArray *elements = [NSMutableArray array]; + [state enumerateKeysAndObjectsUsingBlock: ^(NSString *key, id obj, BOOL *stop) { + [elements addObject: [key 
stringByAppendingString: @":"]]; + if ([obj isKindOfClass:[NSArray class]]) { + [elements addObject: [(NSArray *)obj componentsJoinedByString: @" "]]; + } else { + [elements addObject: [NSString stringWithFormat:@"%@", obj]]; + } + }]; + return [elements componentsJoinedByString: @" "]; +} + ++ (NSMutableDictionary *)registeredKeys +{ + NSError *error = NULL; + id stateDictionary = [SOSPersistentState read:[[self class] registrationFileURL] error:&error]; + secdebug("keyregister", "Read registeredKeys: <%@>", [self dictionaryDescription: stateDictionary]); + // Ignore older states with an NSArray + if (![stateDictionary isKindOfClass:[NSDictionary class]]) + return NULL; + return [NSMutableDictionary dictionaryWithDictionary:stateDictionary]; +} + ++ (void)setRegisteredKeys: (NSDictionary *)keysToRegister +{ + NSError *error = NULL; + secdebug("keyregister", "Write registeredKeys: <%@>", [self dictionaryDescription: keysToRegister]); + [SOSPersistentState write:[[self class] registrationFileURL] data:keysToRegister error:&error]; +} + +@end diff --git a/KVSKeychainSyncingProxy/CKDSecuritydAccount.h b/KVSKeychainSyncingProxy/CKDSecuritydAccount.h new file mode 100644 index 00000000..930329e6 --- /dev/null +++ b/KVSKeychainSyncingProxy/CKDSecuritydAccount.h @@ -0,0 +1,19 @@ +// +// CKDSecuritydAccount.h +// Security +// +// + + +#include "CKDAccount.h" +#include <Security/SecureObjectSync/SOSCloudCircleInternal.h> + +@interface CKDSecuritydAccount : NSObject<CKDAccount> + ++ (instancetype) securitydAccount; + +- (NSSet*) keysChanged: (NSDictionary<NSString*, NSObject*>*) keyValues error: (NSError**) error; +- (bool) ensurePeerRegistration: (NSError**) error; +- (SyncWithAllPeersReason) syncWithAllPeers: (NSError**) error; + +@end diff --git a/KVSKeychainSyncingProxy/CKDSecuritydAccount.m b/KVSKeychainSyncingProxy/CKDSecuritydAccount.m new file mode 100644 index 00000000..07d98f9e --- /dev/null +++ b/KVSKeychainSyncingProxy/CKDSecuritydAccount.m 
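Review bot: `write:data:error:` and `read:error:` dereference `*error` in their four secerror/secdebug calls without first checking that `error` is non-NULL, so a caller that passes NULL for the out-parameter crashes on exactly the failure path it chose not to inspect; use `error ? *error : nil` in those log lines, e.g. `secerror("error writing PersistentState to file: %@", error ? *error : nil);`. `setRegisteredKeys:` discards both the BOOL result and the `error` from `write:`, so a failed persist of the key registration leaves no trace and `registeredKeys` simply comes back `NULL` on the next read — log the failure at least. `registeredKeys` returns `NULL` for an object return type where `nil` is the idiom, and `<Foundation/NSPropertyList.h>` is imported twice.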
@@ -0,0 +1,55 @@
+//
+// CKDSecuritydAccount+CKDSecuritydAccount_m.m
+// Security
+//
+//
+
+#import "Foundation/Foundation.h"
+#import "CKDSecuritydAccount.h"
+
+#include <Security/SecureObjectSync/SOSCloudCircleInternal.h>
+#include <Security/SecItemPriv.h>
+
+@implementation CKDSecuritydAccount
+
++ (instancetype) securitydAccount
+{
+ return [[CKDSecuritydAccount alloc] init];
+}
+
+- (NSSet*) keysChanged: (NSDictionary<NSString*, NSObject*>*)keyValues error: (NSError**) error
+{
+ CFErrorRef cf_error = NULL;
+ NSArray* handled = (__bridge_transfer NSArray*) _SecKeychainSyncUpdateMessage((__bridge CFDictionaryRef)keyValues, &cf_error);
+ NSError *updateError = (__bridge_transfer NSError*)cf_error;
+ if (error)
+ *error = updateError;
+
+ return [NSSet setWithArray:handled];
+}
+
+- (bool) ensurePeerRegistration: (NSError**) error
+{
+ CFErrorRef localError = NULL;
+ bool result = SOSCCProcessEnsurePeerRegistration(error ? &localError : NULL);
+
+ if (error && localError) {
+ *error = (__bridge_transfer NSError*) localError;
+ }
+
+ return result;
+}
+
+- (SyncWithAllPeersReason) syncWithAllPeers: (NSError**) error
+{
+ CFErrorRef localError = NULL;
+ SyncWithAllPeersReason result = SOSCCProcessSyncWithAllPeers(error ? &localError : NULL);
+
+ if (error && localError) {
+ *error = (__bridge_transfer NSError*) localError;
+ }
+
+ return result;
+}
+
+@end
diff --git a/KVSKeychainSyncingProxy/CKDStore.h b/KVSKeychainSyncingProxy/CKDStore.h
new file mode 100644
index 00000000..53dc2679
--- /dev/null
+++ b/KVSKeychainSyncingProxy/CKDStore.h
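Review bot: `keysChanged:error:` returns an empty set both when `_SecKeychainSyncUpdateMessage` handled nothing and when it fails (presumably returning NULL with `cf_error` set), so callers can only tell the two apart through `error`; a comment on the method would save the next reader a trip into SecItemPriv.h: `// Returns the keys securityd accepted; an empty set with *error set means the update failed.` The header comment names the file `CKDSecuritydAccount+CKDSecuritydAccount_m.m` rather than `CKDSecuritydAccount.m`, and `#import "Foundation/Foundation.h"` uses quotes for a system framework where the sibling files use `<Foundation/Foundation.h>`.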
@@ -0,0 +1,28 @@
+//
+// CKDStore.h
+// Security
+//
+//
+
+#import <Foundation/Foundation.h>
+
+@class UbiqitousKVSProxy;
+
+@protocol CKDStore
+
+- (void)connectToProxy: (UbiqitousKVSProxy*) proxy;
+
+- (NSObject*)objectForKey:(NSString*)key;
+
+- (void)setObject:(id)obj forKey:(NSString*)key;
+- (void)addEntriesFromDictionary:(NSDictionary<NSString*, NSObject*> *)otherDictionary;
+
+- (void)removeObjectForKey:(NSString*)key;
+- (void)removeAllObjects;
+
+- (NSDictionary<NSString *, id>*) copyAsDictionary;
+
+- (void)pushWrites;
+- (BOOL)pullUpdates:(NSError**) failure;
+
+@end
diff --git a/CloudKeychainProxy/CloudKeychainProxy-Info.plist b/KVSKeychainSyncingProxy/CloudKeychainProxy-Info.plist
similarity index 93%
rename from CloudKeychainProxy/CloudKeychainProxy-Info.plist
rename to KVSKeychainSyncingProxy/CloudKeychainProxy-Info.plist
index 132f0435..5678d775 100644
--- a/CloudKeychainProxy/CloudKeychainProxy-Info.plist
+++ b/KVSKeychainSyncingProxy/CloudKeychainProxy-Info.plist
@@ -9,7 +9,7 @@
 <key>CFBundleIconFile</key>
 <string></string>
 <key>CFBundleIdentifier</key>
- <string>com.apple.security.cloudkeychainproxy3</string>
+ <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 <key>CFBundleInfoDictionaryVersion</key>
 <string>6.0</string>
 <key>CFBundleName</key>
diff --git a/OSX/CloudKeychainProxy/cloudkeychain.entitlements.plist b/KVSKeychainSyncingProxy/cloudkeychain.entitlements.plist
similarity index 96%
rename from OSX/CloudKeychainProxy/cloudkeychain.entitlements.plist
rename to KVSKeychainSyncingProxy/cloudkeychain.entitlements.plist
index 46c70ef7..b39e11a1 100644
--- a/OSX/CloudKeychainProxy/cloudkeychain.entitlements.plist
+++ b/KVSKeychainSyncingProxy/cloudkeychain.entitlements.plist
@@ -11,7 +11,6 @@
 <key>keychain-access-groups</key>
 <array>
 <string>sync</string>
- <string>*</string>
 </array>
 <key>com.apple.developer.ubiquity-kvstore-identifier</key>
 <string>com.apple.security.cloudkeychainproxy3</string>
diff --git a/KVSKeychainSyncingProxy/cloudkeychainproxy.m b/KVSKeychainSyncingProxy/cloudkeychainproxy.m
new file mode 100644
index 00000000..ae78aa49
--- /dev/null
+++ b/KVSKeychainSyncingProxy/cloudkeychainproxy.m
@@ -0,0 +1,420 @@ +/* + * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// main.m +// ckd-xpc +// +// + +/* + This XPC service is essentially just a proxy to iCloud KVS, which exists since + the main security code cannot link against Foundation. + + See sendTSARequestWithXPC in tsaSupport.c for how to call the service + + send message to app with xpc_connection_send_message + + For now, build this with: + + ~rc/bin/buildit . 
--rootsDirectory=/var/tmp -noverify -offline -target CloudKeychainProxy + + and install or upgrade with: + + darwinup install /var/tmp/sec.roots/sec~dst + darwinup upgrade /var/tmp/sec.roots/sec~dst + + You must use darwinup during development to update system caches +*/ + +//------------------------------------------------------------------------------------------------ + +#include <AssertMacros.h> + +#import <Foundation/Foundation.h> +#import <Security/Security.h> +#import <utilities/SecCFRelease.h> +#import <xpc/xpc.h> +#import <xpc/private.h> +#import <CoreFoundation/CFXPCBridge.h> +#import <sysexits.h> +#import <syslog.h> +#import <CommonCrypto/CommonDigest.h> +#include <utilities/SecXPCError.h> +#include <utilities/SecCFError.h> +#include <TargetConditionals.h> + +#import "CKDKVSProxy.h" + +void finalize_connection(void *not_used); +void handle_connection_event(const xpc_connection_t peer); +static void cloudkeychainproxy_peer_dictionary_handler(const xpc_connection_t peer, xpc_object_t event); + +static bool operation_put_dictionary(xpc_object_t event); +static bool operation_get_v2(xpc_connection_t peer, xpc_object_t event); + +int ckdproxymain(int argc, const char *argv[]); + +#define PROXYXPCSCOPE "xpcproxy" + +static void describeXPCObject(char *prefix, xpc_object_t object) +{ +//#ifndef NDEBUG + // This is useful for debugging. 
+ if (object) + { + char *desc = xpc_copy_description(object); + secdebug(PROXYXPCSCOPE, "%s%s\n", prefix, desc); + free(desc); + } + else + secdebug(PROXYXPCSCOPE, "%s<NULL>\n", prefix); + +//#endif +} + +static void cloudkeychainproxy_peer_dictionary_handler(const xpc_connection_t peer, xpc_object_t event) +{ + bool result = false; + int err = 0; + + require_action_string(xpc_get_type(event) == XPC_TYPE_DICTIONARY, xit, err = -51, "expected XPC_TYPE_DICTIONARY"); + + const char *operation = xpc_dictionary_get_string(event, kMessageKeyOperation); + require_action(operation, xit, result = false); + + // Check protocol version + uint64_t version = xpc_dictionary_get_uint64(event, kMessageKeyVersion); + secdebug(PROXYXPCSCOPE, "Reply version: %lld\n", version); + require_action(version == kCKDXPCVersion, xit, result = false); + + // Operations + secdebug(PROXYXPCSCOPE, "Handling %s operation", operation); + + + if (operation && !strcmp(operation, kOperationPUTDictionary)) + { + operation_put_dictionary(event); + } + else if (operation && !strcmp(operation, kOperationGETv2)) + { + operation_get_v2(peer, event); + } + else if (operation && !strcmp(operation, kOperationClearStore)) + { + [[UbiqitousKVSProxy sharedKVSProxy] clearStore]; + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); + if (replyMessage) // Caller wanted an ACK, so give one + { + xpc_dictionary_set_string(replyMessage, kMessageKeyValue, "ACK"); + xpc_connection_send_message(peer, replyMessage); + } + } + else if (operation && !strcmp(operation, kOperationSynchronize)) + { + [[UbiqitousKVSProxy sharedKVSProxy] synchronizeStore]; + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); + if (replyMessage) // Caller wanted an ACK, so give one + { + xpc_dictionary_set_string(replyMessage, kMessageKeyValue, "ACK"); + xpc_connection_send_message(peer, replyMessage); + } + } + else if (operation && !strcmp(operation, kOperationSynchronizeAndWait)) + { + xpc_object_t replyMessage = 
xpc_dictionary_create_reply(event); + secnotice(XPROXYSCOPE, "%s XPC request: %s", kWAIT2MINID, kOperationSynchronizeAndWait); + + [[UbiqitousKVSProxy sharedKVSProxy] waitForSynchronization:^(__unused NSDictionary *values, NSError *error) + { + secnotice(PROXYXPCSCOPE, "%s Result from [[UbiqitousKVSProxy sharedKVSProxy] waitForSynchronization:]: %@", kWAIT2MINID, error); + + if (replyMessage) // Caller wanted an ACK, so give one + { + if (error) + { + xpc_object_t xerrobj = SecCreateXPCObjectWithCFError((__bridge CFErrorRef)(error)); + xpc_dictionary_set_value(replyMessage, kMessageKeyError, xerrobj); + } else { + xpc_dictionary_set_string(replyMessage, kMessageKeyValue, "ACK"); + } + xpc_connection_send_message(peer, replyMessage); + } + }]; + } + else if (operation && !strcmp(operation, kOperationRegisterKeys)) + { + xpc_object_t xkeysToRegisterDict = xpc_dictionary_get_value(event, kMessageKeyValue); + + xpc_object_t xKTRallkeys = xpc_dictionary_get_value(xkeysToRegisterDict, kMessageAllKeys); + + NSDictionary *KTRallkeys = (__bridge_transfer NSDictionary *)(_CFXPCCreateCFObjectFromXPCObject(xKTRallkeys)); + + [[UbiqitousKVSProxy sharedKVSProxy] registerKeys: KTRallkeys]; + + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); + xpc_dictionary_set_string(replyMessage, kMessageKeyValue, "ACK"); + xpc_connection_send_message(peer, replyMessage); + + secdebug(PROXYXPCSCOPE, "RegisterKeys message sent"); + } + else if (operation && !strcmp(operation, kOperationRequestSyncWithAllPeers)) + { + [[UbiqitousKVSProxy sharedKVSProxy] requestSyncWithAllPeers]; + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); + if (replyMessage) // Caller wanted an ACK, so give one + { + xpc_dictionary_set_string(replyMessage, kMessageKeyValue, "ACK"); + xpc_connection_send_message(peer, replyMessage); + } + secdebug(PROXYXPCSCOPE, "RequestSyncWithAllPeers reply sent"); + } + else if (operation && !strcmp(operation, kOperationRequestEnsurePeerRegistration)) + { + 
[[UbiqitousKVSProxy sharedKVSProxy] requestEnsurePeerRegistration]; + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); + if (replyMessage) // Caller wanted an ACK, so give one + { + xpc_dictionary_set_string(replyMessage, kMessageKeyValue, "ACK"); + xpc_connection_send_message(peer, replyMessage); + } + secdebug(PROXYXPCSCOPE, "RequestEnsurePeerRegistration reply sent"); + } + else if (operation && !strcmp(operation, kOperationFlush)) + { + [[UbiqitousKVSProxy sharedKVSProxy] doAfterFlush:^{ + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); + if (replyMessage) // Caller wanted an ACK, so give one + { + xpc_dictionary_set_string(replyMessage, kMessageKeyValue, "ACK"); + xpc_connection_send_message(peer, replyMessage); + } + secdebug(PROXYXPCSCOPE, "flush reply sent"); + }]; + } + else + { + char *description = xpc_copy_description(event); + secdebug(PROXYXPCSCOPE, "Unknown op=%s request from pid %d: %s", operation, xpc_connection_get_pid(peer), description); + free(description); + } + result = true; +xit: + if (!result) + describeXPCObject("handle_operation fail: ", event); +} + +void finalize_connection(void *not_used) +{ + secdebug(PROXYXPCSCOPE, "finalize_connection"); + [[UbiqitousKVSProxy sharedKVSProxy] synchronizeStore]; + xpc_transaction_end(); +} + +static bool operation_put_dictionary(xpc_object_t event) +{ + // PUT a set of objects into the KVS store. 
Return false if error + describeXPCObject("operation_put_dictionary event: ", event); + xpc_object_t xvalue = xpc_dictionary_get_value(event, kMessageKeyValue); + if (!xvalue) { + return false; + } + + NSObject* object = (__bridge_transfer NSObject*) _CFXPCCreateCFObjectFromXPCObject(xvalue); + if (![object isKindOfClass:[NSDictionary<NSString*, NSObject*> class]]) { + describeXPCObject("operation_put_dictionary unable to convert to CF: ", xvalue); + return false; + } + + [[UbiqitousKVSProxy sharedKVSProxy] setObjectsFromDictionary: (NSDictionary<NSString*, NSObject*> *)object]; + + return true; +} + +static bool operation_get_v2(xpc_connection_t peer, xpc_object_t event) +{ + // GET a set of objects from the KVS store. Return false if error + describeXPCObject("operation_get_v2 event: ", event); + + xpc_object_t replyMessage = xpc_dictionary_create_reply(event); + if (!replyMessage) + { + secdebug(PROXYXPCSCOPE, "can't create replyMessage"); + assert(true); //must have a reply handler + return false; + } + xpc_object_t returnedValues = xpc_dictionary_create(NULL, NULL, 0); + if (!returnedValues) + { + secdebug(PROXYXPCSCOPE, "can't create returnedValues"); + assert(true); // must have a spot for the returned values + return false; + } + + xpc_object_t xvalue = xpc_dictionary_get_value(event, kMessageKeyValue); + if (!xvalue) + { + secdebug(PROXYXPCSCOPE, "missing \"value\" key"); + return false; + } + + xpc_object_t xkeystoget = xpc_dictionary_get_value(xvalue, kMessageKeyKeysToGet); + if (xkeystoget) + { + secdebug(PROXYXPCSCOPE, "got xkeystoget"); + CFTypeRef keystoget = _CFXPCCreateCFObjectFromXPCObject(xkeystoget); + if (!keystoget || (CFGetTypeID(keystoget)!=CFArrayGetTypeID())) // not "getAll", this is an error of some kind + { + secdebug(PROXYXPCSCOPE, "can't convert keystoget or is not an array"); + CFReleaseSafe(keystoget); + return false; + } + + [(__bridge NSArray *)keystoget enumerateObjectsUsingBlock: ^ (id obj, NSUInteger idx, BOOL *stop) + { + 
NSString *key = (NSString *)obj; + id object = [[UbiqitousKVSProxy sharedKVSProxy] objectForKey:key]; + secdebug(PROXYXPCSCOPE, "[UbiqitousKVSProxy sharedKVSProxy] get: key: %@, object: %@", key, object); + xpc_object_t xobject = object ? _CFXPCCreateXPCObjectFromCFObject((__bridge CFTypeRef)object) : xpc_null_create(); + xpc_dictionary_set_value(returnedValues, [key UTF8String], xobject); + describeXPCObject("operation_get_v2: value from kvs: ", xobject); + }]; + } + else // get all values from kvs + { + secdebug(PROXYXPCSCOPE, "get all values from kvs"); + NSDictionary *all = [[UbiqitousKVSProxy sharedKVSProxy] copyAsDictionary]; + [all enumerateKeysAndObjectsUsingBlock: ^ (id key, id obj, BOOL *stop) + { + xpc_object_t xobject = obj ? _CFXPCCreateXPCObjectFromCFObject((__bridge CFTypeRef)obj) : xpc_null_create(); + xpc_dictionary_set_value(returnedValues, [(NSString *)key UTF8String], xobject); + }]; + } + + xpc_dictionary_set_uint64(replyMessage, kMessageKeyVersion, kCKDXPCVersion); + xpc_dictionary_set_value(replyMessage, kMessageKeyValue, returnedValues); + xpc_connection_send_message(peer, replyMessage); + + return true; +} + +static void cloudkeychainproxy_peer_event_handler(xpc_connection_t peer, xpc_object_t event) +{ + describeXPCObject("peer: ", peer); + xpc_type_t type = xpc_get_type(event); + if (type == XPC_TYPE_ERROR) { + if (event == XPC_ERROR_CONNECTION_INVALID) { + // The client process on the other end of the connection has either + // crashed or cancelled the connection. After receiving this error, + // the connection is in an invalid state, and you do not need to + // call xpc_connection_cancel(). Just tear down any associated state + // here. + } else if (event == XPC_ERROR_TERMINATION_IMMINENT) { + // Handle per-connection termination cleanup. + } + } else { + assert(type == XPC_TYPE_DICTIONARY); + // Handle the message. 
+ // describeXPCObject("dictionary:", event); + dispatch_async(dispatch_get_main_queue(), ^{ + cloudkeychainproxy_peer_dictionary_handler(peer, event); + }); + } +} + +static void cloudkeychainproxy_event_handler(xpc_connection_t peer) +{ + // By defaults, new connections will target the default dispatch + // concurrent queue. + + if (xpc_get_type(peer) != XPC_TYPE_CONNECTION) + { + secdebug(PROXYXPCSCOPE, "expected XPC_TYPE_CONNECTION"); + return; + } + + xpc_connection_set_event_handler(peer, ^(xpc_object_t event) + { + cloudkeychainproxy_peer_event_handler(peer, event); + }); + + // This will tell the connection to begin listening for events. If you + // have some other initialization that must be done asynchronously, then + // you can defer this call until after that initialization is done. + xpc_connection_resume(peer); +} + +static void diagnostics(int argc, const char *argv[]) +{ + @autoreleasepool + { + NSDictionary *all = [[UbiqitousKVSProxy sharedKVSProxy] copyAsDictionary]; + NSLog(@"All: %@",all); + } +} + +int ckdproxymain(int argc, const char *argv[]) +{ + secdebug(PROXYXPCSCOPE, "Starting CloudKeychainProxy"); + char *wait4debugger = getenv("WAIT4DEBUGGER"); + + if (wait4debugger && !strcasecmp("YES", wait4debugger)) + { + syslog(LOG_ERR, "Waiting for debugger"); + kill(getpid(), SIGTSTP); + } + + if (argc > 1) { + diagnostics(argc, argv); + return 0; + } + + id proxyID = [UbiqitousKVSProxy sharedKVSProxy]; + + if (proxyID) { // nothing bad happened when initializing + + + xpc_connection_t listener = xpc_connection_create_mach_service(xpcServiceName, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER); + xpc_connection_set_event_handler(listener, ^(xpc_object_t object){ cloudkeychainproxy_event_handler(object); }); + + // It looks to me like there is insufficient locking to allow a request to come in on the XPC connection while doing the initial all items. + // Therefore I'm leaving the XPC connection suspended until that has time to process. 
+
+ xpc_connection_resume(listener);
+
+ @autoreleasepool
+ {
+ secdebug(PROXYXPCSCOPE, "Starting mainRunLoop");
+ NSRunLoop *runLoop = [NSRunLoop mainRunLoop];
+ [runLoop run];
+ }
+ }
+
+ secdebug(PROXYXPCSCOPE, "Exiting CloudKeychainProxy");
+
+ return EXIT_FAILURE;
+}
+
+int main(int argc, const char *argv[])
+{
+ return ckdproxymain(argc, argv);
+}
diff --git a/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist b/KVSKeychainSyncingProxy/com.apple.security.cloudkeychainproxy3.ios.plist
similarity index 100%
rename from CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist
rename to KVSKeychainSyncingProxy/com.apple.security.cloudkeychainproxy3.ios.plist
diff --git a/OSX/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist b/KVSKeychainSyncingProxy/com.apple.security.cloudkeychainproxy3.osx.plist
similarity index 98%
rename from OSX/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist
rename to KVSKeychainSyncingProxy/com.apple.security.cloudkeychainproxy3.osx.plist
index c9056a14..b841f7f2 100644
--- a/OSX/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist
+++ b/KVSKeychainSyncingProxy/com.apple.security.cloudkeychainproxy3.osx.plist
@@ -28,7 +28,7 @@
 <key>EnvironmentVariables</key>
 <dict>
 <key>DEBUGSCOPE</key>
- <string>none</string>
+ <string>all</string>
 <key>WAIT4DEBUGGER</key>
 <string>NO</string>
 </dict>
diff --git a/Keychain/KCATableViewController.m b/Keychain/KCATableViewController.m
index 78b3bfbd..ded63880 100644
--- a/Keychain/KCATableViewController.m
+++ b/Keychain/KCATableViewController.m
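Review bot: the `kOperationRegisterKeys` branch of `cloudkeychainproxy_peer_dictionary_handler` consumes the peer's message without the checks `operation_put_dictionary` performs — `xpc_dictionary_get_value(xkeysToRegisterDict, kMessageAllKeys)` is called on a value that may be absent or not a dictionary, the converted `KTRallkeys` goes to `registerKeys:` without an `isKindOfClass:` test, and `replyMessage` is used without the NULL check every other branch has; the rewrite below reuses the function's existing `require_action(…, xit, …)` pattern. In `operation_get_v2`, `assert(true)` on the two allocation-failure paths is a no-op (presumably `assert(false)` was meant), and `keystoget`, a +1 reference by the Create rule, is released only on the error path, so `CFReleaseSafe(keystoget);` belongs after the enumeration as well. No check of the connecting peer (entitlement or code-signing requirement) is visible in `cloudkeychainproxy_event_handler` before operations are dispatched; if launchd does not already restrict who may reach `xpcServiceName`, that check belongs there. The comment in `ckdproxymain` about leaving the listener suspended contradicts the `xpc_connection_resume(listener)` directly below it and should be removed or reworded.
```objectivec
    else if (operation && !strcmp(operation, kOperationRegisterKeys))
    {
        xpc_object_t xkeysToRegisterDict = xpc_dictionary_get_value(event, kMessageKeyValue);
        require_action(xkeysToRegisterDict && xpc_get_type(xkeysToRegisterDict) == XPC_TYPE_DICTIONARY, xit, result = false);

        xpc_object_t xKTRallkeys = xpc_dictionary_get_value(xkeysToRegisterDict, kMessageAllKeys);
        require_action(xKTRallkeys && xpc_get_type(xKTRallkeys) == XPC_TYPE_DICTIONARY, xit, result = false);

        NSDictionary *KTRallkeys = (__bridge_transfer NSDictionary *)(_CFXPCCreateCFObjectFromXPCObject(xKTRallkeys));
        require_action([KTRallkeys isKindOfClass:[NSDictionary class]], xit, result = false);

        [[UbiqitousKVSProxy sharedKVSProxy] registerKeys: KTRallkeys];

        xpc_object_t replyMessage = xpc_dictionary_create_reply(event);
        if (replyMessage) // Caller wanted an ACK, so give one
        {
            xpc_dictionary_set_string(replyMessage, kMessageKeyValue, "ACK");
            xpc_connection_send_message(peer, replyMessage);
        }

        secdebug(PROXYXPCSCOPE, "RegisterKeys message sent");
    }
    // … unchanged: remaining operation branches and the xit: label …
```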
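Review bot: the launchd environment for the proxy goes from `DEBUGSCOPE=none` to `DEBUGSCOPE=all`, which enables every secdebug scope in the daemon during normal operation rather than only under a debugger. With it on, `describeXPCObject` in cloudkeychainproxy.m (whose `#ifndef NDEBUG` guard is commented out) prints the full contents of every incoming XPC event and of each value returned by GET, and the `kvsdebug` scope in CKDKVSStore.m logs old and new values on every set; presumably those values are synced keychain state and do not belong in the system log. If the setting is for a development branch it should be reverted before shipping; if it is intentional, the log sites that print KVS values should drop the values and keep only the keys.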
@@ -279,7 +279,6 @@ nd[(NSString *)kCFUserNotificationAlertMessageKey] = @"To view details"; nd[(NSString *)kCFUserNotificationDefaultButtonTitleKey] = @"OK"; nd[(NSString *)kCFUserNotificationAlternateButtonTitleKey] = @"Cancel"; - nd[(__bridge __strong id)(SBUserNotificationGroupsTextFields)] = (__bridge id)(kCFBooleanTrue); nd[(NSString *)kCFUserNotificationTextFieldTitlesKey] = @[@"Passcode"]; nd[(__bridge NSString *)SBUserNotificationTextAutocapitalizationType] = @[ @(NO_AUTOCAPITALIZATION) ]; nd[(__bridge NSString *)SBUserNotificationTextAutocapitalizationType] = @[ @(NO_AUTOCORRECTION) ]; diff --git a/Keychain/Keychain-Info.plist b/Keychain/Keychain-Info.plist index 98556e5b..b27b1b31 100644 --- a/Keychain/Keychain-Info.plist +++ b/Keychain/Keychain-Info.plist @@ -22,7 +22,7 @@ </dict> </dict> <key>CFBundleIdentifier</key> - <string>com.apple.security.${PRODUCT_NAME:rfc1034identifier}</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> @@ -37,14 +37,12 @@ <string>${CURRENT_PROJECT_VERSION}</string> <key>LSRequiresIPhoneOS</key> <true/> + <key>UIRequiresFullScreen</key> + <true/> <key>UIMainStoryboardFile</key> <string>MainStoryboard_iPhone</string> <key>UIMainStoryboardFile~ipad</key> <string>MainStoryboard_iPhone</string> - <key>UIRequiredDeviceCapabilities</key> - <array> - <string>armv7</string> - </array> <key>UIStatusBarTintParameters</key> <dict> <key>UINavigationBar</key> diff --git a/Keychain_114x114.png b/Keychain/Keychain_114x114.png similarity index 100% rename from Keychain_114x114.png rename to Keychain/Keychain_114x114.png diff --git a/Keychain_144x144.png b/Keychain/Keychain_144x144.png similarity index 100% rename from Keychain_144x144.png rename to Keychain/Keychain_144x144.png diff --git a/Keychain_57x57.png b/Keychain/Keychain_57x57.png similarity index 100% rename from Keychain_57x57.png rename to Keychain/Keychain_57x57.png 
diff --git a/Keychain_72x72.png b/Keychain/Keychain_72x72.png
similarity index 100%
rename from Keychain_72x72.png
rename to Keychain/Keychain_72x72.png
diff --git a/KeychainCircle/Info.plist b/KeychainCircle/Info.plist
new file mode 100644
index 00000000..d3de8eef
--- /dev/null
+++ b/KeychainCircle/Info.plist
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>en</string>
+ <key>CFBundleExecutable</key>
+ <string>$(EXECUTABLE_NAME)</string>
+ <key>CFBundleIdentifier</key>
+ <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>$(PRODUCT_NAME)</string>
+ <key>CFBundlePackageType</key>
+ <string>FMWK</string>
+ <key>CFBundleShortVersionString</key>
+ <string>1.0</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+ <key>CFBundleVersion</key>
+ <string>$(CURRENT_PROJECT_VERSION)</string>
+ <key>NSPrincipalClass</key>
+ <string></string>
+</dict>
+</plist>
diff --git a/KeychainCircle/KCAESGCMDuplexSession.h b/KeychainCircle/KCAESGCMDuplexSession.h
new file mode 100644
index 00000000..0304f1d1
--- /dev/null
+++ b/KeychainCircle/KCAESGCMDuplexSession.h
@@ -0,0 +1,38 @@
+//
+// KCAESGCMDuplexSession.h
+// Security
+//
+//
+
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface KCAESGCMDuplexSession : NSObject <NSSecureCoding>
+
+- (nullable NSData*) encrypt: (NSData*) data error: (NSError**) error;
+- (nullable NSData*) decryptAndVerify: (NSData*) data error: (NSError**) error;
+
++ (nullable instancetype) sessionAsSender: (NSData*) sharedSecret
+ context: (uint64_t) context;
++ (nullable instancetype) sessionAsReceiver: (NSData*) sharedSecret
+ context: (uint64_t) context;
+
+- (nullable instancetype) initAsSender: (NSData*) sharedSecret
+ context: (uint64_t) context;
+- (nullable instancetype) initAsReceiver: (NSData*) sharedSecret
+ context: (uint64_t) context;
+- (nullable instancetype) initWithSecret: (NSData*) sharedSecret
+ context: (uint64_t) context
+ as: (bool) inverted NS_DESIGNATED_INITIALIZER;
+
+- (instancetype) init NS_UNAVAILABLE;
+
+
+- (void)encodeWithCoder:(NSCoder *)aCoder;
+- (nullable instancetype)initWithCoder:(NSCoder *)aDecoder;
++ (BOOL)supportsSecureCoding;
+
+@end
+
+NS_ASSUME_NONNULL_END
diff --git a/KeychainCircle/KCAESGCMDuplexSession.m b/KeychainCircle/KCAESGCMDuplexSession.m
new file mode 100644
index 00000000..7f80ee0a
--- /dev/null
+++ b/KeychainCircle/KCAESGCMDuplexSession.m
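Review bot: The designated initializer's last parameter is declared here as `as: (bool) inverted` but implemented as `as: (bool) sender`, where `true` selects the send->recv key for encryption; the header name suggests the opposite polarity and will mislead callers. Rename it to match, `- (nullable instancetype) initWithSecret: (NSData*) sharedSecret context: (uint64_t) context as: (bool) sender NS_DESIGNATED_INITIALIZER;`, and add a comment that the two peers must pass opposite `sender` values for one side's send key to be the other's receive key. The header should also say what `context` is for: in the implementation it is only persisted by `encodeWithCoder:` and never enters the HKDF info, so if it is meant to domain-separate keys for different contexts that binding does not currently exist.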
@@ -0,0 +1,314 @@ +// +// KCAESGCMDuplexSession.m +// Security +// +// + +#import <KeychainCircle/KCAESGCMDuplexSession.h> +#import <KeychainCircle/KCDer.h> +#import <KeychainCircle/KCError.h> +#import <NSError+KCCreationHelpers.h> +#import <NSData+SecRandom.h> + +#include <corecrypto/ccaes.h> +#include <corecrypto/ccmode.h> +#include <corecrypto/cchkdf.h> +#include <corecrypto/ccsha2.h> + +#include <corecrypto/ccder.h> + +#include <libkern/OSByteOrder.h> + + +#define kdfInfoForwardString "send->recv" +#define kdfInfoBackwardString "recv->send" +static NSData* kdfInfoSendToReceive = nil; +static NSData* kdfInfoReceiveToSend = nil; + +static const int kKCAESGCMTagSize = CCAES_KEY_SIZE_128; +static const int kKCAESGCMKeySize = CCAES_KEY_SIZE_128; + +static bool derive_and_init(const struct ccmode_gcm *mode, ccgcm_ctx* ctx, NSData* sharedSecret, NSData* info) { + const struct ccdigest_info *di = ccsha256_di(); + + NSMutableData* space = [NSMutableData dataWithLength:di->output_size]; + + int cc_status = 0; + + cc_status = cchkdf(di, + sharedSecret.length, sharedSecret.bytes, + 0, NULL, + info.length, info.bytes, + space.length, space.mutableBytes); + + if (cc_status != 0) { + return false; + } + // We only use the first 16 bytes (128 bits) for the key. 
+ cc_status = ccgcm_init(mode, ctx, kKCAESGCMKeySize, space.bytes); + cc_clear(space.length, space.mutableBytes); + + return cc_status == 0; +} + +@interface NSMutableData(KAESGCM) +- (void) replaceTrailingWith7LSB: (uint64_t) value; +@end + +@implementation NSMutableData(KAESGCM) +- (void) replaceTrailingWith7LSB: (uint64_t) value { + uint8_t bytes[sizeof(value)]; + OSWriteBigInt64(bytes, 0, value); + + [self replaceBytesInRange: NSMakeRange(self.length - 7, 7) withBytes: (bytes + 1)]; +} +@end + + + +@interface KCAESGCMDuplexSession () +@property (readwrite) bool asSender; +@property (readwrite) uint64_t context; +@property (readwrite) NSData* secret; + +@property (readwrite) ccgcm_ctx * send; +@property (readwrite) ccgcm_ctx * receive; + +@end + +@implementation KCAESGCMDuplexSession + ++ (nullable instancetype) sessionAsSender: (NSData*) sharedSecret + context: (uint64_t) context { + return [[KCAESGCMDuplexSession alloc] initAsSender:sharedSecret + context:context]; +} + ++ (nullable instancetype) sessionAsReceiver: (NSData*) sharedSecret + context: (uint64_t) context { + return [[KCAESGCMDuplexSession alloc] initAsReceiver:sharedSecret + context:context]; + +} + +static NSString* KCDSSender = @"asSender"; +static NSString* KCDSSecret = @"secret"; +static NSString* KCDSContext = @"context"; + +- (void)encodeWithCoder:(NSCoder *)aCoder { + [aCoder encodeBool: self.asSender forKey:KCDSSender]; + [aCoder encodeObject: self.secret forKey:KCDSSecret]; + [aCoder encodeInt64: self.context forKey:KCDSContext]; +} + +- (nullable instancetype)initWithCoder:(NSCoder *)aDecoder { + + bool asSender = [aDecoder decodeBoolForKey:KCDSSender]; + NSData* secret = [aDecoder decodeObjectOfClass:[NSData class] forKey:KCDSSecret]; + uint64_t context = [aDecoder decodeInt64ForKey:KCDSContext]; + + return [self initWithSecret:secret context:context as:asSender]; +} + ++ (BOOL)supportsSecureCoding { + return true; +} + + + +- (nullable instancetype) initAsSender: (NSData*) sharedSecret 
context: (uint64_t) context { + return [self initWithSecret:sharedSecret context:context as:true]; +} + +- (nullable instancetype) initAsReceiver: (NSData*) sharedSecret context: (uint64_t) context { + return [self initWithSecret:sharedSecret context:context as:false]; +} + +- (nullable instancetype) initWithSecret: (NSData*) sharedSecret + context: (uint64_t) context + as: (bool) sender { + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + kdfInfoSendToReceive = [NSData dataWithBytesNoCopy: kdfInfoForwardString + length: strlen(kdfInfoForwardString) + freeWhenDone: false]; + + kdfInfoReceiveToSend = [NSData dataWithBytesNoCopy: kdfInfoBackwardString + length: strlen(kdfInfoBackwardString) + freeWhenDone: false]; + }); + + self = [super init]; + + self.asSender = sender; + self.secret = sharedSecret; + self.send = malloc(ccgcm_context_size(ccaes_gcm_encrypt_mode())); + self.receive = malloc(ccgcm_context_size(ccaes_gcm_decrypt_mode())); + self.context = context; + + if (self.send == nil || self.receive == nil) { + return nil; + } + + derive_and_init(ccaes_gcm_encrypt_mode(), + self.send, self.secret, + sender ? kdfInfoSendToReceive : kdfInfoReceiveToSend); + derive_and_init(ccaes_gcm_decrypt_mode(), + self.receive, self.secret, + !sender ? 
kdfInfoSendToReceive : kdfInfoReceiveToSend); + + return self; +} + +- (size_t) encryptCapsuleSize: (NSData*) plaintext IV: (NSData*) iv { + size_t iv_size = kcder_sizeof_data(iv, nil); + if (iv_size == 0) { + return 0; + } + size_t text_size = kcder_sizeof_data(plaintext, nil); + if (text_size == 0) { + return 0; + } + size_t tag_size = kcder_sizeof_data([NSMutableData dataWithLength: kKCAESGCMTagSize], nil); + if (tag_size == 0) { + return 0; + } + return ccder_sizeof(CCDER_CONSTRUCTED_SEQUENCE, iv_size + text_size + tag_size); +} + +- (bool) GCM:(const struct ccmode_gcm*) mode + context:(ccgcm_ctx*) ctx + iv:(NSData*) iv + size:(size_t) data_size + data:(const uint8_t*) data + processed:(uint8_t*) result + tag:(uint8_t*) tagBuffer + error:(NSError**) error { + int cc_status; + + cc_status = ccgcm_reset(mode, ctx); + if (!CoreCryptoError(cc_status, error, @"ccgcm_reset failed: %d", cc_status)) + return NO; + + cc_status = ccgcm_set_iv(mode, ctx, iv.length, iv.bytes); + if (!CoreCryptoError(cc_status, error, @"ccgcm_set_iv failed: %d", cc_status)) + return NO; + + cc_status = ccgcm_update(mode, ctx, data_size, data, result); + if (!CoreCryptoError(cc_status, error, @"ccgcm_update failed: %d", cc_status)) + return NO; + + cc_status = ccgcm_finalize(mode, ctx, kKCAESGCMTagSize, tagBuffer); + return CoreCryptoError(cc_status, error, @"ccgcm_finalize failed: %d", cc_status); +} + + +- (nullable NSData*) encrypt: (NSData*) data error: (NSError**) error { + static const int kIVSizeInBytes = 16; + + NSMutableData* iv = [NSMutableData dataWithRandomBytes: kIVSizeInBytes]; + + NSMutableData* result = [NSMutableData dataWithLength: [self encryptCapsuleSize: data IV: iv]]; + + // Encode with all the space set up for the result: + + uint8_t* der_end = result.mutableBytes + result.length; + const uint8_t* der = result.bytes; + + uint8_t* tag = NULL; + uint8_t* encrypted = NULL; + + der_end = ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, + 
kcder_encode_data(iv, error, der, + kcder_encode_raw_octet_space(data.length, &encrypted, der, + kcder_encode_raw_octet_space(kKCAESGCMTagSize, &tag, der, der_end)))); + + if (der_end != der) { + KCJoiningErrorCreate(kAllocationFailure, error, @"Failed to allocate space for der"); + return nil; + } + + const struct ccmode_gcm * mode = ccaes_gcm_encrypt_mode(); + + return [self GCM:mode + context:self.send + iv:iv + size:data.length + data:data.bytes + processed:encrypted + tag:tag + error:error] ? result : nil; +} + +- (nullable NSData*) decryptAndVerify: (NSData*) data error: (NSError**) error { + + const uint8_t *der = data.bytes; + const uint8_t *der_end = der + data.length; + + const uint8_t *sequence_end = 0; + der = ccder_decode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, &sequence_end, der, der_end); + + if (der == NULL || sequence_end != der_end) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"decode failed"); + return nil; + } + + const uint8_t *encrypted = 0; + size_t encrypted_len = 0; + const uint8_t *received_tag = 0; + + NSData* iv; + + der = kcder_decode_data(&iv, error, der, der_end); + if (der == NULL) return nil; + + encrypted = ccder_decode_constructed_tl(CCDER_OCTET_STRING, &der, der, der_end); + encrypted_len = der - encrypted; + + received_tag = ccder_decode_constructed_tl(CCDER_OCTET_STRING, &der, der, der_end); + + if (der == NULL) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Decode failure"); + return nil; + } + + if (der != der_end) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Extra space"); + return nil; + } + + if (der - received_tag != kKCAESGCMTagSize) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Unexpected tag size: %d", der - received_tag); + return nil; + } + + NSMutableData* decrypted = [NSMutableData dataWithLength: encrypted_len]; + + uint8_t tag[kKCAESGCMTagSize]; + memcpy(tag, received_tag, sizeof(tag)); + + const struct ccmode_gcm * mode = ccaes_gcm_decrypt_mode(); + + return [self GCM:mode 
+ context:self.receive + iv:iv + size:encrypted_len + data:encrypted + processed:decrypted.mutableBytes + tag:tag + error:error] ? decrypted : nil; +} + +- (void) finalize { + if (self.send) { + ccgcm_ctx_clear(sizeof(*self.send), self.send); + free(self.send); + } + if (self.receive) { + ccgcm_ctx_clear(sizeof(*self.receive), self.receive); + free(self.receive); + } + [super finalize]; +} + +@end diff --git a/KeychainCircle/KCAccountKCCircleDelegate.h b/KeychainCircle/KCAccountKCCircleDelegate.h new file mode 100644 index 00000000..dec0a273 --- /dev/null +++ b/KeychainCircle/KCAccountKCCircleDelegate.h @@ -0,0 +1,45 @@ +// +// KCAccountKCCircleDelegate.h +// Security +// + +#import <KeychainCircle/KCJoiningSession.h> + +@interface KCJoiningRequestAccountCircleDelegate : NSObject < KCJoiningRequestCircleDelegate> +/*! + Get this devices peer info (As Application) + + @result + SOSPeerInfoRef object or NULL if we had an error. + */ +- (SOSPeerInfoRef) copyPeerInfoError: (NSError**) error; + +/*! + Handle recipt of confirmed circleJoinData over the channel + + @parameter circleJoinData + Data the acceptor made to allow us to join the circle. + + */ +- (bool) processCircleJoinData: (NSData*) circleJoinData error: (NSError**)error; + ++ (instancetype) delegate; + +@end + +@interface KCJoiningAcceptAccountCircleDelegate : NSObject < KCJoiningAcceptCircleDelegate> +/*! + Handle the request's peer info and get the blob they can use to get in circle + @param peer + SOSPeerInfo sent from requestor to apply to the circle + @param error + Error resulting in looking at peer and trying to produce circle join data + @result + Data containing blob the requestor can use to get in circle + */ +- (NSData*) circleJoinDataFor: (SOSPeerInfoRef) peer + error: (NSError**) error; + ++ (instancetype) delegate; + +@end diff --git a/KeychainCircle/KCAccountKCCircleDelegate.m b/KeychainCircle/KCAccountKCCircleDelegate.m new file mode 100644 index 00000000..12b64781 --- /dev/null 
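Review bot: `- (void) finalize` at the end of the hunk is only ever invoked by the garbage-collected runtime, so under ARC or plain retain/release the two `ccgcm_ctx` buffers malloc'd in `initWithSecret:context:as:` are neither cleared nor freed and the keyed GCM state outlives the session in heap memory; the cleanup belongs in `- (void) dealloc` (drop `[super finalize]`, and add `[super dealloc]` only if the target is not ARC). In the same initializer both `derive_and_init` results are discarded, so an HKDF or `ccgcm_init` failure still yields a live session whose contexts were never keyed; the initializer should return nil on either failure, which once `dealloc` does the cleanup also releases the buffers on that path. Two smaller items in `decryptAndVerify:error:`: `encrypted_len = der - encrypted` is evaluated before the NULL check that follows the tag decode, so a failed octet-string decode subtracts from a null pointer, and `@"Unexpected tag size: %d"` is handed a `ptrdiff_t` (use `%td`). `ccgcm_ctx_clear(sizeof(*self.send), ...)` presumably clears only the opaque header type rather than the `ccgcm_context_size(mode)` bytes that were allocated — confirm, and clear the full allocation if so.
```objc
    // … unchanged: dispatch_once, [super init], property assignment, malloc checks …
    if (!derive_and_init(ccaes_gcm_encrypt_mode(), self.send, self.secret,
                         sender ? kdfInfoSendToReceive : kdfInfoReceiveToSend) ||
        !derive_and_init(ccaes_gcm_decrypt_mode(), self.receive, self.secret,
                         sender ? kdfInfoReceiveToSend : kdfInfoSendToReceive)) {
        return nil;   // contexts are cleared and freed by -dealloc
    }

    return self;
}

// … unchanged: encryptCapsuleSize:IV:, GCM:…, encrypt:error:, decryptAndVerify:error: …

- (void) dealloc {
    if (self.send) {
        ccgcm_ctx_clear(ccgcm_context_size(ccaes_gcm_encrypt_mode()), self.send);
        free(self.send);
    }
    if (self.receive) {
        ccgcm_ctx_clear(ccgcm_context_size(ccaes_gcm_decrypt_mode()), self.receive);
        free(self.receive);
    }
    // [super dealloc] here only if this target is compiled without ARC
}
```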
+++ b/KeychainCircle/KCAccountKCCircleDelegate.m 
@@ -0,0 +1,77 @@
+//
+// KCAccountKCCircleDelegate.m
+// Security
+//
+// Created by Mitch Adler on 4/11/16.
+//
+//
+
+#import <KeychainCircle/KCAccountKCCircleDelegate.h>
+
+#include <Security/SecureObjectSync/SOSCloudCircle.h>
+
+
+@implementation KCJoiningRequestAccountCircleDelegate
+/*!
+ Get this devices peer info (As Application)
+
+ @result
+ SOSPeerInfoRef object or NULL if we had an error.
+ */
+- (SOSPeerInfoRef) copyPeerInfoError: (NSError**) error {
+ CFErrorRef failure = NULL;
+ SOSPeerInfoRef result = SOSCCCopyApplication(error ? &failure : NULL);
+ if (failure != NULL && error != nil) {
+ *error = (__bridge_transfer NSError*) failure;
+ }
+ return result;
+}
+
+/*!
+ Handle recipt of confirmed circleJoinData over the channel
+
+ @parameter circleJoinData
+ Data the acceptor made to allow us to join the circle.
+
+ */
+- (bool) processCircleJoinData: (NSData*) circleJoinData error: (NSError**)error {
+ CFErrorRef failure = NULL;
+ bool result = SOSCCJoinWithCircleJoiningBlob((__bridge CFDataRef) circleJoinData, &failure);
+ if (failure != NULL && error != nil) {
+ *error = (__bridge_transfer NSError*) failure;
+ }
+ return result;
+}
+
++ (instancetype) delegate {
+ return [[KCJoiningRequestAccountCircleDelegate alloc] init];
+}
+
+@end
+
+@implementation KCJoiningAcceptAccountCircleDelegate
+/*!
+ Handle the request's peer info and get the blob they can use to get in circle
+ @param peer
+ SOSPeerInfo sent from requestor to apply to the circle
+ @param error
+ Error resulting in looking at peer and trying to produce circle join data
+ @result
+ Data containing blob the requestor can use to get in circle
+ */
+- (NSData*) circleJoinDataFor: (SOSPeerInfoRef) peer
+ error: (NSError**) error {
+ CFErrorRef failure = NULL;
+ CFDataRef result = SOSCCCopyCircleJoiningBlob(peer, &failure);
+ if (failure != NULL && error != nil) {
+ *error = (__bridge_transfer NSError*) failure;
+ }
+ return (__bridge_transfer NSData*) result;
+}
+
++ (instancetype) delegate {
+ return [[KCJoiningAcceptAccountCircleDelegate alloc] init];
+}
+
+@end
+
diff --git a/KeychainCircle/KCDer.h b/KeychainCircle/KCDer.h
new file mode 100644
index 00000000..1ecc51dd
--- /dev/null
+++ b/KeychainCircle/KCDer.h
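Review bot: `processCircleJoinData:error:` and `circleJoinDataFor:error:` always pass `&failure` to the SOSCC call but only bridge it into `*error` when `error != nil`, so a caller that passes NULL for `error` leaks the `CFErrorRef` on every failure. `copyPeerInfoError:` already avoids this with `SOSCCCopyApplication(error ? &failure : NULL)`; the other two methods should use the same conditional, or release it explicitly: `} else if (failure != NULL) { CFRelease(failure); }`. In the HeaderDoc block the tag `@parameter circleJoinData` should be `@param circleJoinData` and "recipt" is "receipt".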
@@ -0,0 +1,46 @@
+//
+// KCDer.h
+// KeychainCircle
+//
+//
+
+#include <Foundation/Foundation.h>
+#include <corecrypto/ccder.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+// These should probably be shared with security, but we don't export our der'izing functions yet.
+const uint8_t* _Nullable
+kcder_decode_data_nocopy(NSData* _Nullable * _Nonnull data,
+ NSError* _Nullable * _Nullable error,
+ const uint8_t* _Nonnull der, const uint8_t * _Nullable der_end);
+const uint8_t* _Nullable
+kcder_decode_data(NSData* _Nullable* _Nonnull data, NSError* _Nullable * _Nullable error,
+ const uint8_t* der, const uint8_t * _Nullable der_end);
+size_t
+kcder_sizeof_data(NSData* data, NSError** error);
+uint8_t* _Nullable
+kcder_encode_data(NSData* data, NSError**error,
+ const uint8_t * _Nonnull der, uint8_t * _Nullable der_end);
+uint8_t* _Nullable
+kcder_encode_data_optional(NSData* _Nullable data, NSError* _Nullable * _Nullable error,
+ const uint8_t *der, uint8_t *der_end);
+
+const uint8_t* _Nullable
+kcder_decode_string(NSString*_Nullable * _Nonnull string,
+ NSError* _Nullable * _Nullable error,
+ const uint8_t* _Nonnull der,
+ const uint8_t* _Nullable der_end);
+size_t
+kcder_sizeof_string(NSString* string,
+ NSError* _Nullable * _Nullable error);
+uint8_t* _Nullable
+kcder_encode_string(NSString* string,
+ NSError* _Nullable * _Nullable error,
+ const uint8_t * _Nonnull der, uint8_t * _Nullable der_end);
+
+uint8_t *
+kcder_encode_raw_octet_space(size_t s_size, uint8_t * _Nullable * _Nonnull location,
+ const uint8_t * _Nonnull der, uint8_t * _Nullable der_end);
+
+NS_ASSUME_NONNULL_END
diff --git a/KeychainCircle/KCDer.m b/KeychainCircle/KCDer.m
new file mode 100644
index 00000000..38ac5d7f
--- /dev/null
+++ b/KeychainCircle/KCDer.m
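Review bot: `kcder_decode_data_nocopy` hands back an `NSData` that aliases the caller's DER buffer (the .m builds it with `dataWithBytesNoCopy:… freeWhenDone:NO`), so the object is only valid as long as that buffer is; nothing in this header says so. Add `// Returned NSData aliases the input buffer and must not outlive it; use kcder_decode_data for an owning copy.` above that declaration. It would also help to state once, for the encode family, that they write backwards from `der_end`, return the new end or NULL on failure, and that `kcder_encode_raw_octet_space` only reserves the octet-string body and reports where the caller must fill it in via `location`.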
@@ -0,0 +1,144 @@ +// +// KCDer.m +// Security +// +// + +#import <Foundation/Foundation.h> + +#include <KeychainCircle/KCDer.h> +#import <KeychainCircle/KCError.h> + +// These should probably be shared with security, but we don't export our der'izing functions yet. + + +static const uint8_t* kcder_decode_data_internal(NSData** data, bool copy, + NSError**error, + const uint8_t* der, const uint8_t *der_end) +{ + if (NULL == der) + return NULL; + + size_t payload_size = 0; + const uint8_t *payload = ccder_decode_tl(CCDER_OCTET_STRING, &payload_size, der, der_end); + + if (NULL == payload || payload + payload_size > der_end) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Unknown data encoding"); + return NULL; + } + + *data = copy ? [NSData dataWithBytes: (void*)payload length: payload_size] : + [NSData dataWithBytesNoCopy: (void*)payload length:payload_size freeWhenDone:NO]; + + if (NULL == *data) { + KCJoiningErrorCreate(kAllocationFailure, error, @"Allocation failure!"); + return NULL; + } + + return payload + payload_size; +} + + +const uint8_t* kcder_decode_data_nocopy(NSData** data, + NSError**error, + const uint8_t* der, const uint8_t *der_end) +{ + return kcder_decode_data_internal(data, NO, error, der, der_end); +} + +const uint8_t* kcder_decode_data(NSData** data, + NSError**error, + const uint8_t* der, const uint8_t *der_end) { + return kcder_decode_data_internal(data, YES, error, der, der_end); +} + + +size_t kcder_sizeof_data(NSData* data, NSError** error) { + return ccder_sizeof_raw_octet_string(data.length); +} + +uint8_t* kcder_encode_data_optional(NSData* _Nullable data, NSError**error, + const uint8_t *der, uint8_t *der_end) +{ + if (data == nil) return der_end; + + return kcder_encode_data(data, error, der, der_end); + +} + + +uint8_t* kcder_encode_data(NSData* data, NSError**error, + const uint8_t *der, uint8_t *der_end) +{ + return ccder_encode_tl(CCDER_OCTET_STRING, data.length, der, + ccder_encode_body(data.length, data.bytes, der, 
der_end)); + +} + + +const uint8_t* kcder_decode_string(NSString** string, NSError**error, + const uint8_t* der, const uint8_t *der_end) +{ + if (NULL == der) + return NULL; + + size_t payload_size = 0; + const uint8_t *payload = ccder_decode_tl(CCDER_UTF8_STRING, &payload_size, der, der_end); + + if (NULL == payload || payload + payload_size > der_end) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Unknown string encoding"); + return NULL; + } + + *string = [[NSString alloc] initWithBytes:payload length:payload_size encoding:NSUTF8StringEncoding]; + + if (nil == *string) { + KCJoiningErrorCreate(kAllocationFailure, error, @"Allocation failure!"); + return NULL; + } + + return payload + payload_size; +} + + +size_t kcder_sizeof_string(NSString* string, NSError** error) +{ + return ccder_sizeof(CCDER_UTF8_STRING, [string lengthOfBytesUsingEncoding:NSUTF8StringEncoding]); +} + + +uint8_t* kcder_encode_string(NSString* string, NSError** error, + const uint8_t *der, uint8_t *der_end) +{ + // Obey the NULL allowed rules. + if (!der_end) + return NULL; + + NSUInteger max = (der_end - der); + void *buffer = der_end - max; + NSUInteger used = 0; + if (![string getBytes:buffer + maxLength:max + usedLength:&used + encoding:NSUTF8StringEncoding + options:0 + range:NSMakeRange(0, string.length) + remainingRange:nil]) { + KCJoiningErrorCreate(kDERStringEncodingFailed, error, @"String encoding failed"); + return NULL; + } + + return ccder_encode_tl(CCDER_UTF8_STRING, used, der, + ccder_encode_body(used, buffer, der, der_end)); + +} + +uint8_t *kcder_encode_raw_octet_space(size_t s_size, uint8_t **location, + const uint8_t *der, uint8_t *der_end) { + der_end = ccder_encode_body_nocopy(s_size, der, der_end); + if (der_end && location) + *location = der_end; + + return ccder_encode_tl(CCDER_OCTET_STRING, s_size, der, der_end); +} + diff --git a/KeychainCircle/KCError.h b/KeychainCircle/KCError.h new file mode 100644 index 00000000..80868862 --- /dev/null 
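Review bot: `kcder_encode_string` stages the UTF-8 bytes at the front of the free space (`buffer = der_end - max`, i.e. `der`) and then `ccder_encode_body(used, buffer, der, der_end)` copies them to `der_end - used`; whenever `used` is more than half the free space the source and destination overlap, which is only safe if `ccder_encode_body` is memmove-safe — confirm, or encode into a temporary `NSData` (`[string dataUsingEncoding:NSUTF8StringEncoding]`) and pass its bytes instead. Writing through `der` also contradicts the `const uint8_t *der` declared in KCDer.h for that function. Minor: `kcder_sizeof_data` and `kcder_sizeof_string` never touch `error`, so a failed `lengthOfBytesUsingEncoding:` (which returns 0) is indistinguishable from an empty string to callers that size buffers with it.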
+++ b/KeychainCircle/KCError.h
@@ -0,0 +1,34 @@
+//
+// KCError.h
+// Security
+//
+//
+
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+
+typedef enum {
+ kAllocationFailure,
+ kDERUnknownEncoding,
+ kDERStringEncodingFailed,
+ kDEREncodingFailed,
+ kDERSpaceExhausted,
+ kKCTagMismatch,
+ kUnexpectedMessage,
+ kInternalError,
+} KCJoiningError;
+
+@interface NSError(KCJoiningError)
++ (instancetype) errorWithJoiningError:(KCJoiningError) code
+ format:(NSString *) format
+ arguments:(va_list) va;
++ (instancetype) errorWithJoiningError:(KCJoiningError) code
+ format:(NSString *) format, ...;
+- (instancetype) initWithJoiningError:(KCJoiningError) code
+ userInfo:(NSDictionary *)dict;
+@end
+
+void KCJoiningErrorCreate(KCJoiningError code, NSError* _Nullable * _Nullable error, NSString* _Nonnull format, ...);
+
+NS_ASSUME_NONNULL_END
diff --git a/KeychainCircle/KCError.m b/KeychainCircle/KCError.m
new file mode 100644
index 00000000..5d8aae88
--- /dev/null
+++ b/KeychainCircle/KCError.m
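Review bot: `KCJoiningErrorCreate` and the two `errorWithJoiningError:format:…` methods take an NSString format plus variadic arguments but carry no format annotation, so the compiler cannot check callers for specifier/argument mismatches (the `%d` fed a `ptrdiff_t` in KCAESGCMDuplexSession.m is exactly what `-Wformat` would have caught). Append `NS_FORMAT_FUNCTION(3,4)` to the C function, `NS_FORMAT_FUNCTION(2,3)` to the variadic method and `NS_FORMAT_FUNCTION(2,0)` to the `arguments:(va_list)` variant. The enum values are also persisted as `NSError.code`, so a short comment that new cases must be appended rather than inserted would protect anyone decoding these across versions.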
@@ -0,0 +1,47 @@
+//
+// KCError.m
+// Security
+//
+//
+
+#import "KCError.h"
+
+static NSString* KCErrorDomain = @"com.apple.security.keychaincircle";
+
+
+@implementation NSError(KCJoiningError)
+
++ (nonnull instancetype) errorWithJoiningError:(KCJoiningError) code
+ format:(NSString*) format
+ arguments:(va_list) va {
+ return [[NSError alloc] initWithJoiningError:code
+ userInfo:@{NSLocalizedDescriptionKey:[[NSString alloc] initWithFormat:format arguments:va]}];
+
+}
+
++ (nonnull instancetype) errorWithJoiningError:(KCJoiningError) code
+ format:(NSString*) format, ... {
+
+ va_list va;
+ va_start(va, format);
+ NSError* result = [NSError errorWithJoiningError:code format:format arguments:va];
+ va_end(va);
+
+ return result;
+
+}
+- (nonnull instancetype) initWithJoiningError:(KCJoiningError) code
+ userInfo:(nonnull NSDictionary *)dict {
+ return [self initWithDomain:KCErrorDomain code:code userInfo:dict];
+}
+@end
+
+void KCJoiningErrorCreate(KCJoiningError code, NSError** error, NSString* format, ...) {
+ if (error && (*error == nil)) {
+ va_list va;
+ va_start(va, format);
+ *error = [NSError errorWithJoiningError:code format:format arguments:va];
+ va_end(va);
+ }
+}
+
diff --git a/KeychainCircle/KCJoiningAcceptSession.m b/KeychainCircle/KCJoiningAcceptSession.m
new file mode 100644
index 00000000..60b7ada7
--- /dev/null
+++ b/KeychainCircle/KCJoiningAcceptSession.m
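Review bot: `KCJoiningErrorCreate` deliberately does nothing when `*error` is already non-nil, so the first error recorded on a path wins and later, more specific ones are dropped; the callers in KCDer.m and KCJoiningAcceptSession.m depend on this but nothing documents it. Add above the function: `// First error wins: a no-op when error is NULL or *error is already set, so callers can report once at the outermost failure.` The `KCErrorDomain` string is a public contract for anyone matching these errors, so a one-line comment noting it is part of the API (and should be mirrored in the header if consumers need it) would help.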
@@ -0,0 +1,244 @@ +// +// KCJoiningAcceptSession.m +// Security +// +// + +#import <Foundation/Foundation.h> + +#import <KeychainCircle/KCJoiningSession.h> + +#import <KeychainCircle/KCError.h> +#import <KeychainCircle/KCDer.h> +#import <KeychainCircle/KCJoiningMessages.h> + +#import <KeychainCircle/NSError+KCCreationHelpers.h> + +#include <corecrypto/ccder.h> +#include <corecrypto/ccrng.h> +#include <corecrypto/ccsha2.h> +#include <corecrypto/ccdh_gp.h> + +#include <CommonCrypto/CommonRandomSPI.h> + +typedef enum { + kExpectingA, + kExpectingM, + kExpectingPeerInfo, + kAcceptDone +} KCJoiningAcceptSessionState; + +@interface KCJoiningAcceptSession () +@property (readonly) uint64_t dsid; +@property (readonly) NSObject<KCJoiningAcceptSecretDelegate>* secretDelegate; +@property (readonly) NSObject<KCJoiningAcceptCircleDelegate>* circleDelegate; +@property (readonly) KCSRPServerContext* context; +@property (readonly) KCAESGCMDuplexSession* session; +@property (readonly) KCJoiningAcceptSessionState state; +@property (readwrite) NSData* startMessage; +@end + +@implementation KCJoiningAcceptSession + ++ (nullable instancetype) sessionWithInitialMessage: (NSData*) message + secretDelegate: (NSObject<KCJoiningAcceptSecretDelegate>*) secretDelegate + circleDelegate: (NSObject<KCJoiningAcceptCircleDelegate>*) circleDelegate + dsid: (uint64_t) dsid + error: (NSError**) error { + + int cc_error = 0; + struct ccrng_state * rng = ccrng(&cc_error); + + if (rng == nil) { + CoreCryptoError(cc_error, error, @"RNG fetch failed"); + return nil; + } + + return [[KCJoiningAcceptSession alloc] initWithSecretDelegate: secretDelegate + circleDelegate: circleDelegate + dsid: dsid + rng: rng + error: error]; +} + +- (bool) setupSession: (NSError**) error { + NSData* key = [self->_context getKey]; + + if (key == nil) { + KCJoiningErrorCreate(kInternalError, error, @"No session key available"); + return nil; + } + + self->_session = [KCAESGCMDuplexSession sessionAsReceiver:key 
context:self.dsid]; + + return self.session != nil; +} + +- (nullable instancetype) initWithSecretDelegate: (NSObject<KCJoiningAcceptSecretDelegate>*) secretDelegate + circleDelegate: (NSObject<KCJoiningAcceptCircleDelegate>*) circleDelegate + dsid: (uint64_t) dsid + rng: (struct ccrng_state *)rng + error: (NSError**) error { + self = [super init]; + + NSString* name = [NSString stringWithFormat: @"%llu", dsid]; + + self->_context = [[KCSRPServerContext alloc] initWithUser: name + password: [secretDelegate secret] + digestInfo: ccsha256_di() + group: ccsrp_gp_rfc5054_3072() + randomSource: rng]; + self->_secretDelegate = secretDelegate; + self->_circleDelegate = circleDelegate; + self->_state = kExpectingA; + self->_dsid = dsid; + + return self; +} + +- (NSString*) stateString { + switch (self.state) { + case kExpectingA: return @"âA"; + case kExpectingM: return @"âM"; + case kExpectingPeerInfo: return @"âPeerInfo"; + case kAcceptDone: return @"done"; + default: return [NSString stringWithFormat:@"%d", self.state]; + } +} + +- (NSString *)description { + return [NSString stringWithFormat: @"<KCJoiningAcceptSession@%p %lld %@ %@>", self, self.dsid, [self stateString], self.context]; +} + +- (NSData*) copyChallengeMessage: (NSError**) error { + NSData* challenge = [self.context copyChallengeFor: self.startMessage error: error]; + if (challenge == nil) return nil; + + NSData* srpMessage = [NSData dataWithEncodedSequenceData:self.context.salt data:challenge error:error]; + + if (![self setupSession:error]) return nil; + + return srpMessage; +} + +- (NSData*) processInitialMessage: (NSData*) initialMessage error: (NSError**) error { + self.startMessage = extractStartFromInitialMessage(initialMessage, error); + if (self.startMessage == nil) return nil; + + NSData* srpMessage = [self copyChallengeMessage: error]; + if (srpMessage == nil) return nil; + + self->_state = kExpectingM; + return [[KCJoiningMessage messageWithType:kChallenge + data:srpMessage + error:error] 
der]; +} + +- (NSData*) processResponse: (KCJoiningMessage*) message error:(NSError**) error { + if ([message type] != kResponse) { + KCJoiningErrorCreate(kUnexpectedMessage, error, @"Expected response!"); + return nil; + } + + // We handle failure, don't capture the error. + NSData* confirmation = [self.context copyConfirmationFor:message.firstData error:NULL]; + if (!confirmation) { + // Find out what kind of error we should send. + NSData* errorData = nil; + + switch ([self.secretDelegate verificationFailed: error]) { + case kKCRetryError: + // We fill in an error if they didn't, but if they did this wont bother. + KCJoiningErrorCreate(kInternalError, error, @"Delegate returned error without filling in error: %@", self.secretDelegate); + return nil; + case kKCRetryWithSameChallenge: + errorData = [NSData data]; + break; + case kKCRetryWithNewChallenge: + if ([self.context resetWithPassword:[self.secretDelegate secret] error:error]) { + errorData = [self copyChallengeMessage: error]; + } + break; + } + if (errorData == nil) return nil; + + return [[KCJoiningMessage messageWithType:kError + data:errorData + error:error] der]; + } + + NSData* encoded = [NSData dataWithEncodedString:[self.secretDelegate accountCode] error:error]; + if (encoded == nil) + return nil; + + NSData* encrypted = [self.session encrypt:encoded error:error]; + if (encrypted == nil) return nil; + + self->_state = kExpectingPeerInfo; + + return [[KCJoiningMessage messageWithType:kVerification + data:confirmation + payload:encrypted + error:error] der]; +} + + +- (NSData*) processApplication: (KCJoiningMessage*) message error:(NSError**) error { + if ([message type] != kPeerInfo) { + KCJoiningErrorCreate(kUnexpectedMessage, error, @"Expected peerInfo!"); + return nil; + } + + NSData* decryptedPayload = [self.session decryptAndVerify:message.firstData error:error]; + if (decryptedPayload == nil) return nil; + + CFErrorRef cfError = NULL; + SOSPeerInfoRef ref = SOSPeerInfoCreateFromData(NULL, 
&cfError, (__bridge CFDataRef) decryptedPayload); + if (ref == NULL) { + if (error) *error = (__bridge_transfer NSError*) cfError; + cfError = NULL; + return nil; + } + + NSData* joinData = [self.circleDelegate circleJoinDataFor:ref error:error]; + if (joinData == nil) return nil; + + NSData* encryptedOutgoing = [self.session encrypt:joinData error:error]; + if (encryptedOutgoing == nil) return nil; + + self->_state = kAcceptDone; + + return [[KCJoiningMessage messageWithType:kCircleBlob + data:encryptedOutgoing + error:error] der]; +} + + +- (nullable NSData*) processMessage: (NSData*) incomingMessage error: (NSError**) error { + NSData* result = nil; + + KCJoiningMessage *message = (self.state != kExpectingA) ? [KCJoiningMessage messageWithDER:incomingMessage error:error] : nil; + + switch(self.state) { + case kExpectingA: + return [self processInitialMessage:incomingMessage error: error]; + case kExpectingM: + if (message == nil) return nil; + return [self processResponse:message error: error]; + break; + case kExpectingPeerInfo: + if (message == nil) return nil; + return [self processApplication:message error: error]; + break; + case kAcceptDone: + KCJoiningErrorCreate(kUnexpectedMessage, error, @"Unexpected message while done"); + break; + } + return result; +} + +- (bool) isDone { + return self.state == kAcceptDone; +} + +@end diff --git a/KeychainCircle/KCJoiningMessages.h b/KeychainCircle/KCJoiningMessages.h new file mode 100644 index 00000000..18610d41 --- /dev/null +++ b/KeychainCircle/KCJoiningMessages.h 
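Review bot: In `processApplication:error:` the `SOSPeerInfoRef ref` returned by `SOSPeerInfoCreateFromData` is never released after `circleJoinDataFor:ref error:`, so every accepted application leaks a peer info object — assuming the usual CF Create rule applies, add `CFRelease(ref);` once `joinData` has been obtained (on the success and failure paths). In the same method the `cfError` from a failed parse is only consumed when `error` is non-NULL and leaks otherwise; `CFReleaseNull`-style handling or `else if (cfError) CFRelease(cfError);` fixes it. `sessionWithInitialMessage:secretDelegate:circleDelegate:dsid:error:` never uses its `message` argument, so the initial message is silently ignored until the caller also feeds it to `processMessage:error:`; either process it there or drop the parameter from the name. Minor: `setupSession:` returns `bool` but uses `return nil;` on the no-key path.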
@@ -0,0 +1,113 @@ +// +// KCJoiningMessages.h +// KeychainCircle +// +// + +#import <Foundation/Foundation.h> + +// Initial messages are versioned and not typed for negotiation. +NS_ASSUME_NONNULL_BEGIN + +NSData* extractStartFromInitialMessage(NSData* initialMessage, NSError** error); + +size_t sizeof_initialmessage(NSData*data); +uint8_t* _Nullable encode_initialmessage(NSData* data, NSError**error, + const uint8_t *der, uint8_t *der_end); +const uint8_t* _Nullable decode_initialmessage(NSData* _Nonnull * _Nonnull data, NSError** error, + const uint8_t* der, const uint8_t *der_end); + +size_t sizeof_seq_data_data(NSData*data1, NSData*data2, NSError** error); +uint8_t* _Nullable encode_seq_data_data(NSData* data, NSData*data2, NSError**error, + const uint8_t *der, uint8_t *der_end); +const uint8_t* _Nullable decode_seq_data_data(NSData* _Nonnull * _Nonnull data1, NSData* _Nonnull * _Nonnull data2, + NSError** error, + const uint8_t* der, const uint8_t *der_end); + +size_t sizeof_seq_string_data(NSString*string, NSData*data, NSError** error); +uint8_t* _Nullable encode_seq_string_data(NSString* string, NSData*data, NSError**error, + const uint8_t *der, uint8_t *der_end); +const uint8_t* _Nullable decode_seq_string_data(NSString* _Nonnull * _Nonnull string, NSData* _Nonnull * _Nonnull data, + NSError** error, + const uint8_t* der, const uint8_t *der_end); + +@interface NSData(KCJoiningMessages) + ++ (nullable instancetype) dataWithEncodedString: (NSString*) string + error: (NSError**) error; + ++ (nullable instancetype) dataWithEncodedSequenceData: (NSData*) data1 + data: (NSData*) data2 + error: (NSError**) error; + +- (bool) decodeSequenceData: (NSData* _Nullable * _Nonnull) data1 + data: (NSData* _Nullable * _Nonnull) data2 + error: (NSError** _Nullable) error; + + ++ (nullable instancetype) dataWithEncodedSequenceString: (NSString*) string + data: (NSData*) data + error: (NSError**) error; + +- (bool) decodeSequenceString: (NSString* _Nullable * _Nonnull) string 
+ data: (NSData* _Nullable * _Nonnull) data + error: (NSError** _Nullable) error; +@end + +@interface NSString(KCJoiningMessages) ++ (nullable instancetype) decodeFromDER: (NSData*)der error: (NSError** _Nullable) error; +@end + +// Subsequent messages have a message type +typedef enum { + kChallenge = 1, + kResponse = 2, + kVerification = 3, + kPeerInfo = 4, + kCircleBlob = 5, + + kError = 0, + + kUnknown = 255, + + kLargestMessageType = kUnknown, + +} KCJoiningMessageType; + + +@interface KCJoiningMessage : NSObject + +@property (readonly) KCJoiningMessageType type; +@property (readonly) NSData* firstData; +@property (nullable, readonly) NSData* secondData; + +@property (readonly) NSData* der; + ++ (nullable instancetype) messageWithDER: (NSData*) message + error: (NSError**) error; + ++ (nullable instancetype) messageWithType: (KCJoiningMessageType) type + data: (NSData*) firstData + error: (NSError**) error; + ++ (nullable instancetype) messageWithType: (KCJoiningMessageType) type + data: (NSData*) firstData + payload: (NSData*) secondData + error: (NSError**) error; + + +- (nullable instancetype) initWithDER: (NSData*) message + error: (NSError**) error NS_DESIGNATED_INITIALIZER; + +- (nullable instancetype) initWithType: (KCJoiningMessageType) type + data: (NSData*) firstData + payload: (nullable NSData*) secondData + error: (NSError**) error NS_DESIGNATED_INITIALIZER; + + +- (instancetype) init NS_UNAVAILABLE; + +@end + +NS_ASSUME_NONNULL_END + diff --git a/KeychainCircle/KCJoiningMessages.m b/KeychainCircle/KCJoiningMessages.m new file mode 100644 index 00000000..c2922cdd --- /dev/null +++ b/KeychainCircle/KCJoiningMessages.m 
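Review bot: `kLargestMessageType = kUnknown` sets the cutoff at 255, so the decoder in KCJoiningMessages.m (`(type > kLargestMessageType) ? kUnknown : (KCJoiningMessageType) type`) lets any wire value in 6–254 through as a non-enum `KCJoiningMessageType` instead of normalising it to `kUnknown`; defining `kLargestMessageType = kCircleBlob, // highest type we handle; anything above decodes as kUnknown` makes every unrecognised value decode the same way. Every visible consumer only compares against a specific constant, so this is a clarity change rather than a correctness fix. Separately, `decodeSequenceData:data:error:` declares its out-parameters `NSData* _Nullable * _Nonnull` while the C function it forwards to, `decode_seq_data_data`, declares them `NSData* _Nonnull * _Nonnull`; one of the two annotations should be corrected so the header states a single nullability contract.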
@@ -0,0 +1,393 @@ +// +// KCJoiningMessages.m +// Security +// +// Created by Mitch Adler on 2/17/16. +// +// + +#import <Foundation/Foundation.h> + +#import <KeychainCircle/KCDer.h> +#import <KeychainCircle/KCError.h> +#import <KeychainCircle/KCJoiningMessages.h> + +#include <corecrypto/ccder.h> + + +@implementation KCJoiningMessage + ++ (nullable instancetype) messageWithDER: (NSData*) message + error: (NSError**) error { + return [[KCJoiningMessage alloc] initWithDER: message error: nil]; +} + ++ (nullable instancetype) messageWithType: (KCJoiningMessageType) type + data: (NSData*) firstData + error: (NSError**) error { + return [[KCJoiningMessage alloc] initWithType:type data:firstData payload:nil error:error]; +} + ++ (nullable instancetype) messageWithType: (KCJoiningMessageType) type + data: (NSData*) firstData + payload: (NSData*) secondData + error: (NSError**) error { + return [[KCJoiningMessage alloc] initWithType:type data:firstData payload:secondData error:error]; + +} + +- (bool) inflatePartsOfEncoding: (NSError**) error { + const uint8_t *der = self.der.bytes; + const uint8_t *der_end = der + self.der.length; + + const uint8_t *sequence_end = 0; + + der = ccder_decode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, &sequence_end, der, der_end); + + if (der == 0) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Not sequence"); + return false; + } + + if (sequence_end != der_end) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Extra data at end of message"); + return false; + } + + uint64_t type; + der = ccder_decode_uint64(&type, der, der_end); + + self->_type = (type > kLargestMessageType) ? 
kUnknown : (KCJoiningMessageType) type; + + NSData* firstData; + NSData* secondData; + + der = kcder_decode_data_nocopy(&firstData, error, der, der_end); + + if (der != der_end) { + der = kcder_decode_data_nocopy(&secondData, error, der, der_end); + } + + self->_firstData = firstData; + self->_secondData = secondData; + + if (der != der_end) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Extra in sequence"); + return false; + } + + return true; +} + ++ (size_t) encodedSizeType: (KCJoiningMessageType) type + data: (NSData*) firstData + payload: (nullable NSData*) secondData + error: (NSError**) error { + size_t type_size = ccder_sizeof_uint64(type); + + size_t srp_data_size = kcder_sizeof_data(firstData, error); + if (srp_data_size == 0) return 0; + + size_t encrypted_payload_size = 0; + + if (secondData != nil) { + encrypted_payload_size = kcder_sizeof_data(secondData, error); + if (srp_data_size == 0) return 0; + } + + + return ccder_sizeof(CCDER_CONSTRUCTED_SEQUENCE, type_size + srp_data_size + encrypted_payload_size); +} + ++ (nullable NSData*) encodeToDERType: (KCJoiningMessageType) type + data: (NSData*) firstData + payload: (nullable NSData*) secondData + error: (NSError**) error { + + size_t length = [KCJoiningMessage encodedSizeType:type + data:firstData + payload:secondData + error: error]; + if (length == 0) return nil; + + NSMutableData* encoded = [NSMutableData dataWithLength: length]; + + uint8_t* der = encoded.mutableBytes; + uint8_t* der_end = der + encoded.length; + + uint8_t* encode_end = ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, + ccder_encode_uint64(type, der, + kcder_encode_data(firstData, error, der, + kcder_encode_data_optional(secondData, error, der, der_end)))); + + if (encode_end == NULL) return nil; + if (encode_end != der) { + KCJoiningErrorCreate(kDEREncodingFailed, error, @"Size didn't match encoding"); + return nil; + } + + return encoded; +} + +- (nullable instancetype) initWithDER: (NSData*) 
message + error: (NSError**) error { + self = [super init]; + + self->_der = [NSData dataWithData: message]; + + return [self inflatePartsOfEncoding: error] ? self : nil; +} + +- (nullable instancetype) initWithType: (KCJoiningMessageType) type + data: (NSData*) firstData + payload: (nullable NSData*) secondData + error: (NSError**) error { + self = [super init]; + + self->_der = [KCJoiningMessage encodeToDERType:type + data:firstData + payload:secondData + error:error]; + if (self->_der == nil) return nil; + + return [self inflatePartsOfEncoding: error] ? self : nil; +} + +@end + + +@implementation NSData(KCJoiningMessages) + ++ (nullable instancetype) dataWithEncodedString: (NSString*) string + error: (NSError**) error { + size_t result_size = kcder_sizeof_string(string, error); + if (result_size == 0) return nil; + + NSMutableData *result = [NSMutableData dataWithLength: result_size]; + + uint8_t *der = result.mutableBytes; + uint8_t *der_end = der + result.length; + + uint8_t *encode_done = kcder_encode_string(string, error, + der, der_end); + + if (encode_done != der) { + KCJoiningErrorCreate(kDEREncodingFailed, error, @"extra data"); + return nil; + } + + return result; +} + ++ (nullable instancetype) dataWithEncodedSequenceData: (NSData*) data1 + data: (NSData*) data2 + error: (NSError**) error { + size_t result_size = sizeof_seq_data_data(data1, data2, error); + if (result_size == 0) return nil; + + NSMutableData *result = [NSMutableData dataWithLength: result_size]; + + uint8_t *der = result.mutableBytes; + uint8_t *der_end = der + result.length; + + uint8_t *encode_done = encode_seq_data_data(data1, data2, error, + der, der_end); + + if (encode_done != der) { + KCJoiningErrorCreate(kDEREncodingFailed, error, @"extra data"); + return nil; + } + + return result; +} + +- (bool) decodeSequenceData: (NSData* _Nullable * _Nonnull) data1 + data: (NSData* _Nullable * _Nonnull) data2 + error: (NSError** _Nullable) error { + + return NULL != 
decode_seq_data_data(data1, data2, error, self.bytes, self.bytes + self.length); +} + ++ (nullable instancetype) dataWithEncodedSequenceString: (NSString*) string + data: (NSData*) data + error: (NSError**) error { + size_t result_size = sizeof_seq_string_data(string, data, error); + if (result_size == 0) return nil; + + NSMutableData *result = [NSMutableData dataWithLength: result_size]; + + uint8_t *der = result.mutableBytes; + uint8_t *der_end = der + result.length; + + uint8_t *encode_done = encode_seq_string_data(string, data, error, + der, der_end); + + if (encode_done != der) { + KCJoiningErrorCreate(kDEREncodingFailed, error, @"extra data"); + return nil; + } + + return result; +} + +- (bool) decodeSequenceString: (NSString* _Nullable * _Nonnull) string + data: (NSData* _Nullable * _Nonnull) data + error: (NSError** _Nullable) error { + return NULL != decode_seq_string_data(string, data, error, self.bytes, self.bytes + self.length); +} + +@end + +@implementation NSString(KCJoiningMessages) ++ (nullable instancetype) decodeFromDER: (NSData*)der error: (NSError** _Nullable) error { + NSString* result = nil; + const uint8_t* decode_result = kcder_decode_string(&result, error, der.bytes, der.bytes+der.length); + if (decode_result == nil) return nil; + if (decode_result != der.bytes + der.length) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"extra data in string"); + return nil; + } + + return result; +} +@end + + +NSData* extractStartFromInitialMessage(NSData* initialMessage, NSError** error) { + NSData* result = nil; + const uint8_t *der = [initialMessage bytes]; + const uint8_t *der_end = der + [initialMessage length]; + const uint8_t *parse_end = decode_initialmessage(&result, error, der, der_end); + + // Allow extra stuff in here for future start messages. 
+ if (parse_end == NULL) { + return nil; + } + return result; + +} + +const uint8_t* decode_initialmessage(NSData** data, NSError** error, + const uint8_t* der, const uint8_t *der_end) +{ + if (NULL == der) + return NULL; + + const uint8_t *sequence_end = 0; + der = ccder_decode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, &sequence_end, der, der_end); + + if (der == NULL || sequence_end != der_end) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"decode failed"); + return nil; + } + + uint64_t version = 0; + der = ccder_decode_uint64(&version, der, der_end); + + if (der == NULL) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Version mising"); + return nil; + } + + if (version != 0) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Bad version: %d", version); + return nil; + } + + return kcder_decode_data(data, error, der, der_end); +} + +size_t sizeof_initialmessage(NSData*data) { + size_t version_size = ccder_sizeof_uint64(0); + if (version_size == 0) { + return 0; + } + size_t message_size = kcder_sizeof_data(data, nil); + if (message_size == 0) { + return 0; + } + return ccder_sizeof(CCDER_CONSTRUCTED_SEQUENCE, version_size + message_size); +} + +uint8_t* encode_initialmessage(NSData* data, NSError**error, + const uint8_t *der, uint8_t *der_end) +{ + return ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, + ccder_encode_uint64(0, der, + kcder_encode_data(data, error, der, der_end))); + +} + + +size_t sizeof_seq_data_data(NSData*data1, NSData*data2, NSError**error) { + size_t data1_size = kcder_sizeof_data(data1, error); + if (data1_size == 0) { + return 0; + } + size_t data2_size = kcder_sizeof_data(data2, error); + if (data2_size == 0) { + return 0; + } + return ccder_sizeof(CCDER_CONSTRUCTED_SEQUENCE, data1_size + data2_size); +} + +uint8_t* encode_seq_data_data(NSData* data1, NSData*data2, NSError**error, + const uint8_t *der, uint8_t *der_end) { + return ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, 
der, + kcder_encode_data(data1, error, der, + kcder_encode_data(data2, error, der, der_end))); +} + +const uint8_t* decode_seq_data_data(NSData** data1, NSData** data2, NSError** error, + const uint8_t* der, const uint8_t *der_end) { + if (NULL == der) + return NULL; + + const uint8_t *sequence_end = 0; + der = ccder_decode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, &sequence_end, der, der_end); + + if (der == NULL || sequence_end != der_end) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"decode failed"); + return nil; + } + + der = kcder_decode_data(data1, error, der, der_end); + return kcder_decode_data(data2, error, der, der_end); +} + +size_t sizeof_seq_string_data(NSString*string, NSData*data, NSError** error) { + size_t string_size = kcder_sizeof_string(string, error); + if (string_size == 0) { + return 0; + } + size_t data_size = kcder_sizeof_data(data, error); + if (data_size == 0) { + return 0; + } + return ccder_sizeof(CCDER_CONSTRUCTED_SEQUENCE, string_size + data_size); +} + +uint8_t* _Nullable encode_seq_string_data(NSString* string, NSData*data, NSError**error, + const uint8_t *der, uint8_t *der_end) { + return ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, + kcder_encode_string(string, error, der, + kcder_encode_data(data, error, der, der_end))); +} + +const uint8_t* _Nullable decode_seq_string_data(NSString* _Nonnull * _Nonnull string, NSData* _Nonnull * _Nonnull data, + NSError** error, + const uint8_t* der, const uint8_t *der_end) { + if (NULL == der) + return NULL; + + const uint8_t *sequence_end = 0; + der = ccder_decode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, &sequence_end, der, der_end); + + if (der == NULL || sequence_end != der_end) { + KCJoiningErrorCreate(kDERUnknownEncoding, error, @"decode failed"); + return nil; + } + + der = kcder_decode_string(string, error, der, der_end); + return kcder_decode_data(data, error, der, der_end); +} 
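Review bot: In `inflatePartsOfEncoding:` the local `uint64_t type;` is never initialised and the return of `ccder_decode_uint64` is not checked, so a message whose type field is missing or malformed assigns an indeterminate value to `_type` and, assuming `kcder_decode_data_nocopy` merely propagates the NULL `der`, is only rejected later by the "Extra in sequence" check with a misleading error; declare `uint64_t type = 0;` and add `if (der == NULL) { KCJoiningErrorCreate(kDERUnknownEncoding, error, @"Type missing"); return false; }` right after the decode. Two smaller slips in the same file: `messageWithDER:error:` calls `initWithDER:message error:nil`, discarding the caller's error out-parameter (it should pass `error:error`), and `encodedSizeType:` re-tests `srp_data_size == 0` inside the `secondData != nil` branch where `encrypted_payload_size == 0` was clearly meant. `decode_initialmessage` formats the `uint64_t` version with `%d` (`@"Bad version: %llu"` is the matching specifier). Finally, `decode_seq_data_data` and `decode_seq_string_data` never verify that the sequence was fully consumed, unlike `inflatePartsOfEncoding:`; if trailing bytes inside those sequences are meant to be tolerated, a comment saying so would stop the next reader from "fixing" it.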
diff --git a/KeychainCircle/KCJoiningRequestSession.m b/KeychainCircle/KCJoiningRequestSession.m
new file mode 100644
index 00000000..e41c53bb
--- /dev/null
+++ b/KeychainCircle/KCJoiningRequestSession.m
@@ -0,0 +1,370 @@ +// +// KCJoiningSession.m +// Security +// +// + +#import <Foundation/Foundation.h> + +#import <KeychainCircle/KCJoiningSession.h> + +#import <KeychainCircle/KCError.h> +#import <KeychainCircle/KCDer.h> +#import <KeychainCircle/KCSRPContext.h> + +#import <KeychainCircle/KCJoiningMessages.h> + +#include <corecrypto/ccrng.h> +#include <corecrypto/ccsha2.h> +#include <corecrypto/ccdh_gp.h> +#include <corecrypto/ccder.h> +#include <CommonCrypto/CommonRandomSPI.h> + +#include <utilities/debugging.h> + +#import <KeychainCircle/NSError+KCCreationHelpers.h> + +typedef enum { + kExpectingB, + kExpectingHAMK, + kRequestSecretDone +} KCJoiningRequestSecretSessionState; + +typedef enum { + kExpectingCircleBlob, + kRequestCircleDone +} KCJoiningRequestCircleSessionState; + +@interface KCJoiningRequestSecretSession () +@property (readonly) NSObject<KCJoiningRequestSecretDelegate>* secretDelegate; +@property (readonly) KCSRPClientContext* context; +@property (readonly) uint64_t dsid; +@property (readonly) KCJoiningRequestSecretSessionState state; + +@property (readwrite) NSData* challenge; +@property (readwrite) NSData* salt; +@end + +@implementation KCJoiningRequestSecretSession : NSObject + +- (nullable NSData*) initialMessage: (NSError**) error { + NSData* start = [self->_context copyStart: error]; + if (start == nil) return nil; + + NSMutableData* initialMessage = [NSMutableData dataWithLength: sizeof_initialmessage(start)]; + + if (NULL == encode_initialmessage(start, error, initialMessage.mutableBytes, initialMessage.mutableBytes + initialMessage.length)) + return nil; + + return initialMessage; +} + +- (bool) isDone { + return self->_state == kRequestSecretDone; +} + +- (bool) setupSession: (NSError**) error { + NSData* key = [self->_context getKey]; + + if (key == nil) { + KCJoiningErrorCreate(kInternalError, error, @"No session key available"); + return nil; + } + + self->_session = [KCAESGCMDuplexSession sessionAsSender:key context:self.dsid]; + + 
return self.session != nil; +} + +- (nullable NSData*) copyResponseForChallenge:(NSData*) challenge + salt:(NSData*) salt + secret: (NSString*) password + error: (NSError**) error { + NSData* response = [self->_context copyResposeToChallenge:challenge + password:password + salt:salt + error:error]; + + if (!response) { + // @@@ return error to other side??? + return nil; + } else { + if (![self setupSession: error]) return nil; + + self.challenge = challenge; + self.salt = salt; + + self->_state = kExpectingHAMK; + return [[KCJoiningMessage messageWithType:kResponse + data:response + error:error] der]; + } +} + + +- (nullable NSData*) copyResponseForSecret: (NSString*) password + error: (NSError**) error { + return [self copyResponseForChallenge:self.challenge salt:self.salt secret:password error:error]; +} + +- (nullable NSData*) handleChallengeData: (NSData*) challengeData + secret: (NSString*) password + error: (NSError**) error { + NSData* challenge = nil; + NSData* salt = nil; + + if (![challengeData decodeSequenceData:&salt data:&challenge error:error]) return nil; + + return [self copyResponseForChallenge:challenge salt:salt secret:password error:error]; + +} + +- (nullable NSData*) handleChallenge: (KCJoiningMessage*) message + secret: (NSString*) password + error: (NSError**)error { + // Parse the challenge message + // Salt and Challenge packet + if ([message type] != kChallenge) { + KCJoiningErrorCreate(kUnexpectedMessage, error, @"Expected challenge!"); + return nil; + } + + return [self handleChallengeData:[message firstData] secret:password error:error]; +} + +- (NSData*) handleChallenge: (KCJoiningMessage*) message error: (NSError**)error { + return [self handleChallenge:message + secret:[self.secretDelegate secret] + error:error]; + +} + +- (NSData*) handleVerification: (KCJoiningMessage*) message error: (NSError**) error { + if ([message type] == kError) { + bool newCode = [[message firstData] length] == 0; + NSString* nextSecret = 
[self.secretDelegate verificationFailed: newCode]; + + if (nextSecret) { + if (newCode) { + return [self copyResponseForSecret:nextSecret error:error]; + } else { + return [self handleChallengeData:[message firstData] secret:nextSecret error:error]; + } + } else { + return nil; + } + } + + if ([message type] != kVerification) { + KCJoiningErrorCreate(kUnexpectedMessage, error, @"Expected verification!"); + return nil; + } + + if (![self.context verifyConfirmation:[message firstData] error:error]) { + // Sender thought we had it right, but he can't prove he has it right! + KCJoiningErrorCreate(kInternalError, error, @"Got verification but acceptor doesn't have matching secret: %@", self); + secnotice("request-session", "Verification failed: %@", self); + return nil; + } + + { + NSData* payload = [self.session decryptAndVerify:[message secondData] error:error]; + if (payload == nil) return nil; + + NSString* accountCode = [NSString decodeFromDER:payload error:error]; + if (accountCode == nil) return nil; + + if (![self.secretDelegate processAccountCode:accountCode error:error]) return nil; + } + + self->_state = kRequestSecretDone; + + return [NSData data]; +} + + + + +// [self.delegate processCircleJoinData:circleData error:error]; + +- (NSData*) processMessage: (NSData*) incomingMessage error: (NSError**) error { + NSData* result = nil; + KCJoiningMessage* message = [KCJoiningMessage messageWithDER: incomingMessage error: error]; + if (message == nil) return nil; + + switch(self->_state) { + case kExpectingB: + return [self handleChallenge:message error: error]; + break; + case kExpectingHAMK: + return [self handleVerification:message error:error]; + break; + case kRequestSecretDone: + KCJoiningErrorCreate(kUnexpectedMessage, error, @"Done, no messages expected."); + break; + } + + return result; +} + ++ (nullable instancetype)sessionWithSecretDelegate: (NSObject<KCJoiningRequestSecretDelegate>*) secretDelegate + dsid: (uint64_t)dsid + error: (NSError**) error { + 
return [[KCJoiningRequestSecretSession alloc] initWithSecretDelegate:secretDelegate + dsid:dsid + error:error]; +} + +- (nullable instancetype)initWithSecretDelegate: (NSObject<KCJoiningRequestSecretDelegate>*) secretDelegate + dsid: (uint64_t)dsid + error: (NSError**)error { + int cc_error = 0; + struct ccrng_state * rng = ccrng(&cc_error); + + if (rng == nil) { + CoreCryptoError(cc_error, error, @"RNG fetch failed"); + return nil; + } + + return [self initWithSecretDelegate: secretDelegate + dsid: dsid + rng: rng + error: error]; +} + +- (nullable instancetype)initWithSecretDelegate: (NSObject<KCJoiningRequestSecretDelegate>*) secretDelegate + dsid: (uint64_t)dsid + rng: (struct ccrng_state *)rng + error: (NSError**)error { + + self = [super init]; + + self->_secretDelegate = secretDelegate; + self->_state = kExpectingB; + self->_dsid = dsid; + + NSString* name = [NSString stringWithFormat: @"%llu", dsid]; + + self->_context = [[KCSRPClientContext alloc] initWithUser: name + digestInfo: ccsha256_di() + group: ccsrp_gp_rfc5054_3072() + randomSource: rng]; + + return self; +} + +- (NSString*) stateString { + switch (self.state) { + case kExpectingB: return @"âB"; + case kExpectingHAMK: return @"âHAMK"; + case kRequestSecretDone: return @"SecretDone"; + default: return [NSString stringWithFormat:@"%d", self.state]; + } +} + +- (NSString *)description { + return [NSString stringWithFormat: @"<KCJoiningAcceptSession@%p %lld %@ %@>", self, self.dsid, [self stateString], self.context]; +} + +@end + +@interface KCJoiningRequestCircleSession () +@property (readonly) NSObject<KCJoiningRequestCircleDelegate>* circleDelegate; +@property (readonly) KCAESGCMDuplexSession* session; +@property (readwrite) KCJoiningRequestCircleSessionState state; +@end + +@implementation KCJoiningRequestCircleSession +- (nullable NSData*) encryptedPeerInfo: (NSError**) error { + // Get our peer info and send it along: + if (self->_session == nil) { + KCJoiningErrorCreate(kInternalError, error, 
@"Attempt to encrypt with no session"); + return nil; + } + + SOSPeerInfoRef us = [self.circleDelegate copyPeerInfoError:error]; + if (us == NULL) return nil; + CFErrorRef cfError = NULL; + NSData* piEncoded = (__bridge_transfer NSData*) SOSPeerInfoCopyEncodedData(us, NULL, &cfError); + + if (piEncoded == nil) { + if (error != nil) { + *error = (__bridge_transfer NSError*) cfError; + } + return nil; + } + + return [self->_session encrypt:piEncoded error:error]; +} + +- (nullable NSData*) initialMessage: (NSError**) error { + NSData* encryptedPi = [self encryptedPeerInfo:error]; + if (encryptedPi == nil) return nil; + + self->_state = kExpectingCircleBlob; + + return [[KCJoiningMessage messageWithType:kPeerInfo + data:encryptedPi + error:error] der]; + +} + +- (NSData*) handleCircleBlob: (KCJoiningMessage*) message error: (NSError**) error { + if ([message type] != kCircleBlob) { + KCJoiningErrorCreate(kUnexpectedMessage, error, @"Expected CircleBlob!"); + return nil; + } + + NSData* circleBlob = [self.session decryptAndVerify:message.firstData error:error]; + if (circleBlob == nil) return nil; + + if (![self.circleDelegate processCircleJoinData: circleBlob error:error]) + return nil; + + self->_state = kRequestCircleDone; + + return [NSData data]; // Success, an empty message. 
+} + +- (NSData*) processMessage: (NSData*) incomingMessage error: (NSError**) error { + NSData* result = nil; + KCJoiningMessage* message = [KCJoiningMessage messageWithDER: incomingMessage error: error]; + if (message == nil) return nil; + + switch(self.state) { + case kExpectingCircleBlob: + return [self handleCircleBlob:message error:error]; + case kRequestCircleDone: + KCJoiningErrorCreate(kUnexpectedMessage, error, @"Done, no messages expected."); + break; + } + + return result; +} + +- (bool) isDone { + return self.state = kRequestCircleDone; +} + ++ (instancetype) sessionWithCircleDelegate: (NSObject<KCJoiningRequestCircleDelegate>*) circleDelegate + session: (KCAESGCMDuplexSession*) session + error: (NSError**) error { + return [[KCJoiningRequestCircleSession alloc] initWithCircleDelegate:circleDelegate + session:session + error:error]; +} + +- (instancetype) initWithCircleDelegate: (NSObject<KCJoiningRequestCircleDelegate>*) circleDelegate + session: (KCAESGCMDuplexSession*) session + error: (NSError**) error { + self = [super init]; + + self->_circleDelegate = circleDelegate; + self->_session = session; + self.state = kExpectingCircleBlob; + + return self; +} + +@end + diff --git a/KeychainCircle/KCJoiningSession.h b/KeychainCircle/KCJoiningSession.h new file mode 100644 index 00000000..6e66ea0b --- /dev/null +++ b/KeychainCircle/KCJoiningSession.h 
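Review bot: `isDone` in KCJoiningRequestCircleSession uses assignment instead of comparison, `return self.state = kRequestCircleDone;`, so merely asking whether the session is done moves it to `kRequestCircleDone` and always answers true; a caller that checks `isDone` before feeding the circle blob to `processMessage:` will then get "Done, no messages expected." and never process the join data. The line should read `return self.state == kRequestCircleDone;`, matching the `==` form already used by KCJoiningRequestSecretSession's `isDone`. Two cosmetic points nearby: `setupSession:` is declared `bool` but returns `nil` on the no-key path (`return false;`), and the `description` of KCJoiningRequestSecretSession formats itself as `<KCJoiningAcceptSession@%p ...>`, which will mislead whoever reads the logs.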
@@ -0,0 +1,197 @@ +// +// KCJoiningSession.h +// KeychainCircle +// +// + +#import <KeychainCircle/KCSRPContext.h> +#import <KeychainCircle/KCAESGCMDuplexSession.h> +#include <Security/SecureObjectSync/SOSPeerInfo.h> + +NS_ASSUME_NONNULL_BEGIN + +@protocol KCJoiningRequestCircleDelegate +/*! + Get this devices peer info (As Application) + + @result + SOSPeerInfoRef object or NULL if we had an error. + */ +- (SOSPeerInfoRef) copyPeerInfoError: (NSError**) error; + +/*! + Handle recipt of confirmed circleJoinData over the channel + + @parameter circleJoinData + Data the acceptor made to allow us to join the circle. + + */ +- (bool) processCircleJoinData: (NSData*) circleJoinData error: (NSError**)error; + +@end + +@protocol KCJoiningRequestSecretDelegate +/*! + Get the shared secret for this session. + Not called during creation or initialMessage: to allow the initial message to be sent before + we know the secret. + Called during message processing. + + @result + String containing shared secret for session + */ +- (NSString*) secret; + +/*! + Handle verification failure + @result + NULL if we should give up. Secret to use on retry, if not. + */ +- (NSString*) verificationFailed: (bool) codeChanged; + +/*! + Handle recipt of confirmed accountCode over the channel + + @parameter accountCode + Data the acceptor made to allow us to join the circle. 
+ */ +- (bool) processAccountCode: (NSString*) accountCode error: (NSError**)error; + +@end + +@interface KCJoiningRequestSecretSession : NSObject +@property (nullable, readonly) KCAESGCMDuplexSession* session; + +- (bool) isDone; + +- (nullable NSData*) initialMessage: (NSError**) error; +- (nullable NSData*) processMessage: (NSData*) incomingMessage error: (NSError**) error; + ++ (nullable instancetype)sessionWithSecretDelegate: (NSObject<KCJoiningRequestSecretDelegate>*) secretDelegate + dsid: (uint64_t)dsid + error: (NSError**) error; + +- (nullable instancetype)initWithSecretDelegate: (NSObject<KCJoiningRequestSecretDelegate>*) secretDelegate + dsid: (uint64_t)dsid + error: (NSError**)error; + +- (nullable instancetype)initWithSecretDelegate: (NSObject<KCJoiningRequestSecretDelegate>*) secretDelegate + dsid: (uint64_t)dsid + rng: (struct ccrng_state *)rng + error: (NSError**)error NS_DESIGNATED_INITIALIZER; + +- (instancetype)init NS_UNAVAILABLE; + +@end + + +@interface KCJoiningRequestCircleSession : NSObject + +- (bool) isDone; + +- (nullable NSData*) initialMessage: (NSError**) error; +- (nullable NSData*) processMessage: (NSData*) incomingMessage error: (NSError**) error; + ++ (instancetype) sessionWithCircleDelegate: (NSObject<KCJoiningRequestCircleDelegate>*) circleDelegate + session: (KCAESGCMDuplexSession*) session + error: (NSError**) error; + +- (instancetype) initWithCircleDelegate: (NSObject<KCJoiningRequestCircleDelegate>*) circleDelegate + session: (KCAESGCMDuplexSession*) session + error: (NSError**) error NS_DESIGNATED_INITIALIZER; + +- (instancetype)init NS_UNAVAILABLE; +@end + + +@protocol KCJoiningAcceptCircleDelegate +/*! 
+ Handle the request's peer info and get the blob they can use to get in circle + @param peer + SOSPeerInfo sent from requestor to apply to the circle + @param error + Error resulting in looking at peer and trying to produce circle join data + @result + Data containing blob the requestor can use to get in circle + */ +- (NSData*) circleJoinDataFor: (SOSPeerInfoRef) peer + error: (NSError**) error; +@end + +typedef enum { + kKCRetryError = 0, + kKCRetryWithSameChallenge, + kKCRetryWithNewChallenge +} KCRetryOrNot; + +@protocol KCJoiningAcceptSecretDelegate +/*! + Get the shared secret for this session + @result + String containing shared secret for session +*/ +- (NSString*) secret; +/*! + Get the code the other device can use to access the account + @result + String containing code to access the account +*/ +- (NSString*) accountCode; + +/*! + Handle verification failure + @result + NULL if we should permit retry with the same secret. New secret if we've changed it. + */ +- (KCRetryOrNot) verificationFailed: (NSError**) error; + +@end + + +@interface KCJoiningAcceptSession : NSObject +/*! + create an appropriate joining session given the initial message. 
+ + @parameter message + initial message received from the requestor + @parameter delegate + delegate which will provide data and processing (see KCJoiningAcceptSecretDelegate protocol + @parameter error + failures to find a session for the initial message + @result + KCJoiningAcceptSession that can handle the data from the peer + + */ ++ (nullable instancetype) sessionWithInitialMessage: (NSData*) message + secretDelegate: (NSObject<KCJoiningAcceptSecretDelegate>*) delegate + circleDelegate: (NSObject<KCJoiningAcceptCircleDelegate>*) delegate + dsid: (uint64_t) dsid + error: (NSError**) error; + + +- (nullable instancetype)initWithSecretDelegate: (NSObject<KCJoiningAcceptSecretDelegate>*) delegate + circleDelegate: (NSObject<KCJoiningAcceptCircleDelegate>*) delegate + dsid: (uint64_t) dsid + rng: (struct ccrng_state *)rng + error: (NSError**) error NS_DESIGNATED_INITIALIZER; + +/*! + create an appropriate joining session given the initial message. + + @parameter incomingMessage + message received from the requestor + @parameter error + failures parse the message + @result + Data to send to the requestor, or NULL if we had an error. + Calling this function when we are done results in an error return. + */ +- (nullable NSData*) processMessage: (NSData*) incomingMessage error: (NSError**) error; + +- (bool) isDone; + +- (id)init NS_UNAVAILABLE; + +@end + +NS_ASSUME_NONNULL_END diff --git a/KeychainCircle/KCSRPContext.h b/KeychainCircle/KCSRPContext.h new file mode 100644 index 00000000..c0d8149e --- /dev/null +++ b/KeychainCircle/KCSRPContext.h 
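Review bot: The comment on `KCJoiningAcceptSecretDelegate`'s `verificationFailed:` says it returns "NULL if we should permit retry with the same secret. New secret if we've changed it", but the method returns a `KCRetryOrNot` enum, not a string; the doc should describe the real values as the acceptor session uses them: `kKCRetryError` — give up (fill in *error), `kKCRetryWithSameChallenge` — the requestor may retry against the same challenge, `kKCRetryWithNewChallenge` — the secret changed and a fresh challenge is generated. The `processAccountCode:error:` parameter text ("Data the acceptor made to allow us to join the circle") was copied from `processCircleJoinData:` and should say it is the account code string the acceptor sent. `sessionWithInitialMessage:...` and `initWithSecretDelegate:...` name both delegate parameters `delegate`, which is at best confusing in a header; `secretDelegate`/`circleDelegate` would match the request-side classes. The tags throughout should be `@param`, not `@parameter`, for HeaderDoc/Doxygen to pick them up.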
@@ -0,0 +1,76 @@ +// +// SRPSession.h +// KeychainCircle +// +// + +#import <Foundation/Foundation.h> + +#include <corecrypto/ccdigest.h> +#include <corecrypto/ccrng.h> +#include <corecrypto/ccsrp.h> + +NS_ASSUME_NONNULL_BEGIN + +@interface KCSRPContext : NSObject + +- (instancetype) init NS_UNAVAILABLE; + +- (instancetype) initWithUser: (NSString*) user + digestInfo: (const struct ccdigest_info *) di + group: (ccsrp_const_gp_t) gp + randomSource: (struct ccrng_state *) rng NS_DESIGNATED_INITIALIZER; + +- (bool) isAuthenticated; + +// Returns an NSData that refers to the key in the context. +// It becomes invalid when this context is released. +- (NSData*) getKey; + +@end + +@interface KCSRPClientContext : KCSRPContext + +- (nullable NSData*) copyStart: (NSError**) error; +- (nullable NSData*) copyResposeToChallenge: (NSData*) B_data + password: (NSString*) password + salt: (NSData*) salt + error: (NSError**) error; +- (bool) verifyConfirmation: (NSData*) HAMK_data + error: (NSError**) error; + +@end + +@interface KCSRPServerContext : KCSRPContext +@property (readonly) NSData* salt; + +- (instancetype) initWithUser: (NSString*) user + salt: (NSData*) salt + verifier: (NSData*) verifier + digestInfo: (const struct ccdigest_info *) di + group: (ccsrp_const_gp_t) gp + randomSource: (struct ccrng_state *) rng NS_DESIGNATED_INITIALIZER; + +- (instancetype) initWithUser: (NSString*)user + password: (NSString*)password + digestInfo: (const struct ccdigest_info *) di + group: (ccsrp_const_gp_t) gp + randomSource: (struct ccrng_state *) rng NS_DESIGNATED_INITIALIZER; + +- (instancetype) initWithUser: (NSString*) user + digestInfo: (const struct ccdigest_info *) di + group: (ccsrp_const_gp_t) gp + randomSource: (struct ccrng_state *) rng NS_UNAVAILABLE; + + +- (bool) resetWithPassword: (NSString*) password + error: (NSError**) error; + +- (nullable NSData*) copyChallengeFor: (NSData*) A_data + error: (NSError**) error; +- (nullable NSData*) copyConfirmationFor: (NSData*) 
M_data + error: (NSError**) error; + +@end + +NS_ASSUME_NONNULL_END diff --git a/KeychainCircle/KCSRPContext.m b/KeychainCircle/KCSRPContext.m new file mode 100644 index 00000000..dab973fe --- /dev/null +++ b/KeychainCircle/KCSRPContext.m 
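Review bot: `copyResposeToChallenge:password:salt:error:` misspells "Response" in a public selector of a brand-new API; renaming it to `copyResponseToChallenge:password:salt:error:` now, before any caller depends on it, is far cheaper than later (the implementation in the following hunk spells it the same way, so both sides change together). Apart from the lifetime note on `getKey`, the three contexts carry no documentation; a short header comment per class saying which side of the SRP exchange it plays and the expected call order (`copyStart:` → `copyResposeToChallenge:` → `verifyConfirmation:` on the client, `copyChallengeFor:` → `copyConfirmationFor:` on the server) would tell callers what the methods assume without reading the implementation.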
@@ -0,0 +1,245 @@ +// +// SRPSession.m +// Security +// +// + + +#import <Foundation/Foundation.h> +#import "KCSRPContext.h" + +#include <os/base.h> + +#include <corecrypto/ccsrp.h> +#include <corecrypto/ccsha2.h> +#include <corecrypto/ccdh_gp.h> +#include <corecrypto/ccder.h> + +#import "NSError+KCCreationHelpers.h" + +static const NSStringEncoding srpStringEncoding = NSUTF8StringEncoding; + +@interface KCSRPContext () +@property (readwrite) ccsrp_ctx* context; +@property (readwrite) struct ccrng_state *rng; +@property (readwrite) NSString* user; +@end + +@implementation KCSRPContext + ++ (KCSRPContext*) createWithUser: (NSString*) user + digestInfo: (const struct ccdigest_info *) di + group: (ccsrp_const_gp_t) gp + randomSource: (struct ccrng_state *) rng { + return [[self alloc] initWithUser:user + digestInfo:di + group:gp + randomSource:rng]; +} + +- (NSData*) dataForPassword: (NSString*) password { + return [password dataUsingEncoding:srpStringEncoding]; +} + +- (nullable const char *) userNameString { + return [self.user cStringUsingEncoding:srpStringEncoding]; +} + +- (instancetype) initWithUser: (NSString*) user + digestInfo: (const struct ccdigest_info *) di + group: (ccsrp_const_gp_t) gp + randomSource: (struct ccrng_state *) rng +{ + self = [super init]; + + self.context = malloc(ccsrp_sizeof_srp(di, gp)); + ccsrp_ctx_init(self.context, di, gp); + + self.user = user; + self.rng = rng; + + return self; +} + +- (void) finalize { + ccsrp_ctx_clear(ccsrp_ctx_di(self.context), + ccsrp_ctx_gp(self.context), + self.context); + + free(self.context); +} + +- (NSData*) getKey { + size_t key_length = 0; + const void * key = ccsrp_get_session_key(self.context, &key_length); + + return key ? 
[NSData dataWithBytesNoCopy:(void *)key length:key_length freeWhenDone:false] : nil; +} + +- (bool) isAuthenticated { + return ccsrp_is_authenticated(self.context); +} + +@end + + +@implementation KCSRPClientContext + +- (NSData*) copyStart: (NSError**) error { + NSMutableData* A_data = [NSMutableData dataWithLength: ccsrp_exchange_size(self.context)]; + + int result = ccsrp_client_start_authentication(self.context, self.rng, A_data.mutableBytes); + if (!CoreCryptoError(result, error, @"Start packet copy failed: %d", result)) { + A_data = NULL; + } + + return A_data; +} + +static bool ExactDataSizeRequirement(NSData* data, NSUInteger expectedLength, NSError**error, NSString* name) { + return RequirementError(data.length == expectedLength, error, @"%@ incorrect size, Expected %ld, got %ld", name, (unsigned long)expectedLength, (unsigned long)data.length); +} + +- (nullable NSData*) copyResposeToChallenge: (NSData*) B_data + password: (NSString*) password + salt: (NSData*) salt + error: (NSError**) error { + + if (!ExactDataSizeRequirement(B_data, ccsrp_exchange_size(self.context), error, @"challenge data")) + return nil; + + NSMutableData* M_data = [NSMutableData dataWithLength: ccsrp_session_size(self.context)]; + NSData* passwordData = [self dataForPassword: password]; + + int result = ccsrp_client_process_challenge(self.context, + [self userNameString], + passwordData.length, + passwordData.bytes, + salt.length, + salt.bytes, + B_data.bytes, + M_data.mutableBytes); + + if (!CoreCryptoError(result, error, @"Challenge processing failed: %d", result)) { + M_data = NULL; + } + + return M_data; +} + +- (bool) verifyConfirmation: (NSData*) HAMK_data + error: (NSError**) error { + if (!ExactDataSizeRequirement(HAMK_data, ccsrp_session_size(self.context), error, @"confirmation data")) + return nil; + + return ccsrp_client_verify_session(self.context, HAMK_data.bytes); +} + +@end + +@interface KCSRPServerContext () +@property (readwrite) NSData* verifier; +@end + 
+@implementation KCSRPServerContext + +- (bool) resetWithPassword: (NSString*) password + error: (NSError**) error { + const int salt_length = 16; + + NSMutableData* salt = [NSMutableData dataWithLength: salt_length]; + NSMutableData* verifier = [NSMutableData dataWithLength: ccsrp_ctx_sizeof_n(self.context)]; + + NSData* passwordData = [self dataForPassword: password]; + + int generateResult = ccsrp_generate_salt_and_verification(self.context, + self.rng, + [self userNameString], + passwordData.length, + passwordData.bytes, + salt.length, + salt.mutableBytes, + verifier.mutableBytes); + + if (!CoreCryptoError(generateResult, error, @"Error generating SRP salt/verifier")) { + return false; + } + + self.verifier = verifier; + self->_salt = salt; + + return true; +} + +- (instancetype) initWithUser: (NSString*)user + password: (NSString*)password + digestInfo: (const struct ccdigest_info *) di + group: (ccsrp_const_gp_t) gp + randomSource: (struct ccrng_state *) rng { + self = [super initWithUser: user + digestInfo: di + group: gp + randomSource: rng]; + + if (![self resetWithPassword:password error:nil]) { + return nil; + } + + return self; +} + +- (instancetype) initWithUser: (NSString*) user + salt: (NSData*) salt + verifier: (NSData*) verifier + digestInfo: (const struct ccdigest_info *) di + group: (ccsrp_const_gp_t) gp + randomSource: (struct ccrng_state *) rng { + self = [super initWithUser: user + digestInfo: di + group: gp + randomSource: rng]; + + self.verifier = verifier; + self->_salt = salt; + + return self; +} + + +- (NSData*) copyChallengeFor: (NSData*) A_data + error: (NSError**) error { + if (!ExactDataSizeRequirement(A_data, ccsrp_exchange_size(self.context), error, @"start data")) + return nil; + + NSMutableData* B_data = [NSMutableData dataWithLength: ccsrp_exchange_size(self.context)]; + + int result = ccsrp_server_start_authentication(self.context, self.rng, + [self userNameString], + self.salt.length, self.salt.bytes, + self.verifier.bytes, 
A_data.bytes, + B_data.mutableBytes); + + if (!CoreCryptoError(result, error, @"Server start authentication failed: %d", result)) { + B_data = NULL; + } + + return B_data; +} + +- (NSData*) copyConfirmationFor: (NSData*) M_data + error: (NSError**) error { + if (!ExactDataSizeRequirement(M_data, ccsrp_session_size(self.context), error, @"response data")) + return nil; + + NSMutableData* HAMK_data = [NSMutableData dataWithLength: ccsrp_session_size(self.context)]; + + bool verify = ccsrp_server_verify_session(self.context, M_data.bytes, HAMK_data.mutableBytes); + + if (!CoreCryptoError(!verify, error, @"SRP verification failed")) { + HAMK_data = NULL; + } + + return HAMK_data; +} + +@end diff --git a/KeychainCircle/KeychainCircle.h b/KeychainCircle/KeychainCircle.h new file mode 100644 index 00000000..8122f4e6 --- /dev/null +++ b/KeychainCircle/KeychainCircle.h @@ -0,0 +1,9 @@ +// +// KeychainCircle.h +// KeychainCircle +// + +#import <KeychainCircle/KCSRPContext.h> +#import <KeychainCircle/KCJoiningSession.h> +#import <KeychainCircle/KCAccountKCCircleDelegate.h> +#import <KeychainCircle/KCAESGCMDuplexSession.h> diff --git a/KeychainCircle/NSData+SecRandom.h b/KeychainCircle/NSData+SecRandom.h new file mode 100644 index 00000000..04f7f3fb --- /dev/null +++ b/KeychainCircle/NSData+SecRandom.h @@ -0,0 +1,11 @@ +// +// NSData+SecRandom.h +// Security +// +// + +@interface NSData (SecRandom) + ++ (instancetype) dataWithRandomBytes: (int) length; + +@end diff --git a/KeychainCircle/NSData+SecRandom.m b/KeychainCircle/NSData+SecRandom.m new file mode 100644 index 00000000..5de75615 --- /dev/null +++ b/KeychainCircle/NSData+SecRandom.m 
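Review bot: `-finalize` in KCSRPContext is only ever invoked by the Objective-C garbage collector, which is unavailable on iOS and not used by ARC or manual-retain builds, so unless this target is built with GC the ccsrp context allocated in `initWithUser:digestInfo:group:randomSource:` is never cleared nor freed and the session key it holds stays in heap memory for the life of the process; the same body belongs under `- (void) dealloc {`. That initializer also uses the `malloc` result without checking it before `ccsrp_ctx_init` dereferences it, so a failed allocation should bail out, e.g. `if (!self.context) return nil;` ahead of the init call. `initWithUser:password:digestInfo:group:randomSource:` passes `nil` for the error of `resetWithPassword:error:`, so a salt/verifier generation failure is reported to the caller only as a nil object with no reason. Minor: `verifyConfirmation:error:` returns `nil` from a `bool` method on the size check; `return false;` says what is meant.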
@@ -0,0 +1,26 @@ +// +// NSData+SecRandom.m +// Security +// +// Created by Mitch Adler on 4/15/16. +// +// + +#import <Foundation/Foundation.h> +#import <NSData+SecRandom.h> + +#include <Security/SecRandom.h> + +@implementation NSMutableData (SecRandom) + ++ (instancetype) dataWithRandomBytes: (int) length { + + NSMutableData* result = [NSMutableData dataWithLength: length]; + + if (0 != SecRandomCopyBytes(kSecRandomDefault, result.length, result.mutableBytes)) + return nil; + + return result; +} + +@end diff --git a/KeychainCircle/NSError+KCCreationHelpers.h b/KeychainCircle/NSError+KCCreationHelpers.h new file mode 100644 index 00000000..4a04a356 --- /dev/null +++ b/KeychainCircle/NSError+KCCreationHelpers.h 
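Review bot: The header in the preceding hunk declares `dataWithRandomBytes:` as a category on `NSData` (`@interface NSData (SecRandom)`), but this file implements it as `@implementation NSMutableData (SecRandom)`; a call of `[NSData dataWithRandomBytes:n]`, which the header invites, would fail at runtime with an unrecognized selector, so the two declarations should name the same class. The `length` parameter is a signed `int` passed straight to `dataWithLength:`, where a negative value converts to a very large `NSUInteger`; declaring it `NSUInteger`, or rejecting `length < 0` up front, closes that gap. Checking the return of `SecRandomCopyBytes` and returning nil on failure is the right call and worth keeping.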
@@ -0,0 +1,53 @@ +// +// NSError+KCCreationHelpers.h +// KeychainCircle +// +// + +#import <Foundation/Foundation.h> + +NS_ASSUME_NONNULL_BEGIN + +// Returns false and fills in error with formatted description if cc_result is an error +bool CoreCryptoError(int cc_result, NSError * _Nullable * _Nullable error, NSString * _Nonnull description, ...) NS_FORMAT_FUNCTION(3, 4); +// Returns false and fills in a requirement error if requirement is false +// We should have something better than -50 here. +bool RequirementError(bool requirement, NSError * _Nullable * _Nullable error, NSString * _Nonnull description, ...) NS_FORMAT_FUNCTION(3, 4); + +bool OSStatusError(OSStatus status, NSError * _Nullable * _Nullable error, NSString* _Nonnull description, ...) NS_FORMAT_FUNCTION(3, 4); + + +// MARK: Error Extensions +@interface NSError(KCCreationHelpers) + ++ (instancetype) errorWithOSStatus:(OSStatus) status + userInfo:(NSDictionary *)dict; + +- (instancetype) initWithOSStatus:(OSStatus) status + userInfo:(NSDictionary *)dict; + ++ (instancetype) errorWithOSStatus:(OSStatus) status + description:(NSString*)description + args:(va_list)va; + +- (instancetype) initWithOSStatus:(OSStatus) status + description:(NSString*)description + args:(va_list)va; + ++ (instancetype) errorWithCoreCryptoStatus:(int) status + userInfo:(NSDictionary *)dict; + +- (instancetype) initWithCoreCryptoStatus:(int) status + userInfo:(NSDictionary *)dict; + ++ (instancetype) errorWithCoreCryptoStatus:(int) status + description:(NSString*)description + args:(va_list)va; + +- (instancetype) initWithCoreCryptoStatus:(int) status + description:(NSString*)description + args:(va_list)va; + +@end + +NS_ASSUME_NONNULL_END diff --git a/KeychainCircle/NSError+KCCreationHelpers.m b/KeychainCircle/NSError+KCCreationHelpers.m new file mode 100644 index 00000000..0d0e6fc8 --- /dev/null +++ b/KeychainCircle/NSError+KCCreationHelpers.m 
@@ -0,0 +1,116 @@ +// +// NSError+KCCreationHelpers.m +// KechainCircle +// +// + +#import <Foundation/Foundation.h> + +#import <NSError+KCCreationHelpers.h> + +static NSString* coreCryptoDomain = @"kSecCoreCryptoDomain"; +static NSString* srpDomain = @"com.apple.security.srp"; + +static NSDictionary* UserInfoFromVA(NSString*description, va_list va) { + return @{NSLocalizedDescriptionKey:[[NSString alloc] initWithFormat:description + arguments:va]}; +} + +// We should get this from SecCFError.h and Security.framework.. +bool CoreCryptoError(int cc_result, NSError** error, NSString* description, ...) +{ + bool failed = cc_result != 0; + + if (failed && error && !*error) { + va_list va; + va_start(va, description); + *error = [NSError errorWithCoreCryptoStatus:cc_result + description:description + args:va]; + va_end(va); + } + + return !failed; +} + +bool OSStatusError(OSStatus status, NSError** error, NSString*description, ...) { + bool failed = status != 0; + + if (failed && error && !*error) { + va_list va; + va_start(va, description); + *error = [NSError errorWithOSStatus:status + description:description + args:va]; + va_end(va); + } + + return !failed; +} + +bool RequirementError(bool requirement, NSError** error, NSString*description, ...) 
{ + bool failed = !requirement; + + if (failed && error && !*error) { + va_list va; + va_start(va, description); + *error = [NSError errorWithOSStatus:-50 + description:description + args:va]; + va_end(va); + } + + return !failed; +} + + +@implementation NSError(KCCreationHelpers) + ++ (instancetype) errorWithOSStatus:(OSStatus) status + userInfo:(NSDictionary *)dict { + return [[NSError alloc] initWithOSStatus:status userInfo:dict]; +} + +- (instancetype) initWithOSStatus:(OSStatus) status + userInfo:(NSDictionary *)dict { + return [self initWithDomain:NSOSStatusErrorDomain code:status userInfo:dict]; +} + ++ (instancetype) errorWithOSStatus:(OSStatus) status + description:(NSString*)description + args:(va_list)va { + return [[NSError alloc] initWithOSStatus:status description:description args:va]; +} + +- (instancetype) initWithOSStatus:(OSStatus) status + description:(NSString*)description + args:(va_list)va { + return [self initWithOSStatus:status + userInfo:UserInfoFromVA(description, va)]; +} + ++ (instancetype) errorWithCoreCryptoStatus:(int) status + userInfo:(NSDictionary *)dict { + return [[NSError alloc] initWithCoreCryptoStatus:status userInfo:dict]; +} + + +- (instancetype) initWithCoreCryptoStatus:(int) status + userInfo:(NSDictionary *)dict { + return [self initWithDomain:coreCryptoDomain code:status userInfo:dict]; +} + ++ (instancetype) errorWithCoreCryptoStatus:(int) status + description:(NSString*)description + args:(va_list)va { + return [[NSError alloc] initWithCoreCryptoStatus:status description:description args:va]; +} + +- (instancetype) initWithCoreCryptoStatus:(int) status + description:(NSString*)description + args:(va_list)va { + return [self initWithCoreCryptoStatus:status + userInfo:UserInfoFromVA(description, va)]; +} + +@end diff --git a/KeychainCircle/Tests/Info.plist b/KeychainCircle/Tests/Info.plist new file mode 100644 index 00000000..ba72822e --- /dev/null +++ b/KeychainCircle/Tests/Info.plist 
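Review bot: `srpDomain` is defined at file scope but never used anywhere in this file, which will trip `-Wunused-variable`; either drop it or use it as the domain for the requirement errors built in `RequirementError`, which currently borrow `NSOSStatusErrorDomain`. `RequirementError` hard-codes `-50`, which is `errSecParam`; naming the constant (and including `<Security/SecBase.h>`) documents the intent the header comment already apologises for. All three helpers skip reporting when `*error` is already non-nil; that is a reasonable first-error-wins policy, but a one-line comment such as `// First error wins: an already-populated *error is left untouched.` would keep the next reader from taking it for a bug.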
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>en</string>
+ <key>CFBundleExecutable</key>
+ <string>$(EXECUTABLE_NAME)</string>
+ <key>CFBundleIdentifier</key>
+ <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>$(PRODUCT_NAME)</string>
+ <key>CFBundlePackageType</key>
+ <string>BNDL</string>
+ <key>CFBundleShortVersionString</key>
+ <string>1.0</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+ <key>CFBundleVersion</key>
+ <string>1</string>
+</dict>
+</plist>
diff --git a/KeychainCircle/Tests/KCAESGCMTest.m b/KeychainCircle/Tests/KCAESGCMTest.m
new file mode 100644
index 00000000..25e02df7
--- /dev/null
+++ b/KeychainCircle/Tests/KCAESGCMTest.m
@@ -0,0 +1,138 @@ +// +// KCAESGCMTest.m +// Keychain Circle +// +// + +#import <XCTest/XCTest.h> + +#import <Foundation/Foundation.h> +#import <KeychainCircle/KCAESGCMDuplexSession.h> + +@interface KCAESGCMTest : XCTestCase + +@end + +@implementation KCAESGCMTest + +- (void)setUp { + [super setUp]; + // Put setup code here. This method is called before the invocation of each test method in the class. +} + +- (void)tearDown { + // Put teardown code here. This method is called after the invocation of each test method in the class. + [super tearDown]; +} + +- (void) sendMessage: (NSData*) message + from: (KCAESGCMDuplexSession*) sender + to: (KCAESGCMDuplexSession*) receiver { + NSError* error = nil; + NSData* sendToRecv = [sender encrypt:message error:&error]; + + XCTAssertNil(error, @"Got error"); + XCTAssertNotNil(sendToRecv, @"Failed to get data"); + + error = nil; + NSData* decryptedSendToRecv = [receiver decryptAndVerify:sendToRecv error:&error]; + + XCTAssertNil(error, @"Error decrypting"); + XCTAssertNotNil(decryptedSendToRecv, @"Got decryption"); + + XCTAssertEqualObjects(message, decryptedSendToRecv, @"Send to recv failed."); +} + +- (void)testAESGCMDuplex { + uint64_t context = 0x81FC134000123041; + uint8_t secretBytes[] = { 0x11, 0x22, 0x33, 0x13, 0x44, 0xF1, 0x13, 0x92, 0x11, 0x22, 0x33, 0x13, 0x44, 0xF1, 0x13, 0x92 }; + NSData* secret = [NSData dataWithBytes:secretBytes length:sizeof(secretBytes)]; + + KCAESGCMDuplexSession* sender = [KCAESGCMDuplexSession sessionAsSender:secret + context:context]; + + KCAESGCMDuplexSession* receiver = [KCAESGCMDuplexSession sessionAsReceiver:secret + context:context]; + + uint8_t sendToRecvBuffer[] = { 0x1, 0x2, 0x3, 0x88, 0xFF, 0xE1 }; + NSData* sendToRecvData = [NSData dataWithBytes:sendToRecvBuffer length:sizeof(sendToRecvBuffer)]; + + [self sendMessage:sendToRecvData from:sender to:receiver]; + + uint8_t recvToSendBuffer[] = { 0x81, 0x52, 0x63, 0x88, 0xFF, 0xE1 }; + NSData* recvToSendData = [NSData 
dataWithBytes:recvToSendBuffer length:sizeof(recvToSendBuffer)]; + + [self sendMessage:recvToSendData from:receiver to:sender]; +} + +- (KCAESGCMDuplexSession*) archiveDearchive: (KCAESGCMDuplexSession*) original { + NSMutableData *data = [NSMutableData data]; + NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data]; + [archiver encodeObject:original forKey:@"Top"]; + [archiver finishEncoding]; + + NSKeyedUnarchiver *unarchiver = [[NSKeyedUnarchiver alloc] initForReadingWithData:data]; + + // Customize the unarchiver. + KCAESGCMDuplexSession *result = [unarchiver decodeObjectForKey:@"Top"]; + [unarchiver finishDecoding]; + + return result; +} + +- (void)doAESGCMDuplexCodingFlattenSender: (bool) flattenSender + Receiver: (bool) flattenReceiver { + uint64_t context = 0x81FC134000123041; + uint8_t secretBytes[] = { 0x73, 0xb7, 0x7f, 0xff, 0x7f, 0xe3, 0x44, 0x6b, 0xa4, 0xec, 0x9d, 0x5d, 0x68, 0x12, 0x13, 0x71 }; + NSData* secret = [NSData dataWithBytes:secretBytes length:sizeof(secretBytes)]; + + KCAESGCMDuplexSession* sender = [KCAESGCMDuplexSession sessionAsSender:secret + context:context]; + + KCAESGCMDuplexSession* receiver = [KCAESGCMDuplexSession sessionAsReceiver:secret + context:context]; + + { + uint8_t sendToRecvBuffer[] = { 0x0e, 0x9b, 0x9d, 0x2c, 0x90, 0x96, 0x8a }; + NSData* sendToRecvData = [NSData dataWithBytes:sendToRecvBuffer length:sizeof(sendToRecvBuffer)]; + + [self sendMessage:sendToRecvData from:sender to:receiver]; + + + uint8_t recvToSendBuffer[] = { 0x9b, 0x63, 0xaf, 0xb5, 0x4d, 0xa0, 0xfa, 0x9d, 0x90 }; + NSData* recvToSendData = [NSData dataWithBytes:recvToSendBuffer length:sizeof(recvToSendBuffer)]; + + [self sendMessage:recvToSendData from:receiver to:sender]; + } + + // Re-encode... 
+ if (flattenSender) { + sender = [self archiveDearchive:sender]; + } + + if (flattenReceiver) { + receiver = [self archiveDearchive:receiver]; + } + + { + uint8_t sendToRecvBuffer[] = { 0xae, 0xee, 0x5f, 0x62, 0xb2, 0x72, 0x6f, 0x0a, 0xb6, 0x56 }; + NSData* sendToRecvData = [NSData dataWithBytes:sendToRecvBuffer length:sizeof(sendToRecvBuffer)]; + + [self sendMessage:sendToRecvData from:sender to:receiver]; + + + uint8_t recvToSendBuffer[] = { 0x49, 0x0b, 0xbb, 0x2d, 0x20, 0xb1, 0x8a, 0xfc, 0xba, 0xd1, 0xFF }; + NSData* recvToSendData = [NSData dataWithBytes:recvToSendBuffer length:sizeof(recvToSendBuffer)]; + + [self sendMessage:recvToSendData from:receiver to:sender]; + } +} + +- (void)testAESGCMDuplexCoding { + [self doAESGCMDuplexCodingFlattenSender:NO Receiver:YES]; + [self doAESGCMDuplexCodingFlattenSender:YES Receiver:NO]; + [self doAESGCMDuplexCodingFlattenSender:YES Receiver:YES]; +} + + +@end diff --git a/KeychainCircle/Tests/KCDerTest.m b/KeychainCircle/Tests/KCDerTest.m new file mode 100644 index 00000000..c4dcc319 --- /dev/null +++ b/KeychainCircle/Tests/KCDerTest.m 
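Review bot: Neither test exercises a failure path: `sendMessage:from:to:` only checks that an untouched ciphertext decrypts, so a `decryptAndVerify:error:` that ignored the authentication tag would still pass this suite. A companion case that flips one byte of the encrypted message and asserts that `decryptAndVerify:error:` returns nil with a non-nil error would pin the property the duplex session exists for; a sketch follows. Minor: the message on `XCTAssertNotNil(decryptedSendToRecv, @"Got decryption")` reads as the opposite of the failure it reports, and `@"Decryption returned nil"` is clearer. `testAESGCMDuplexCoding` also skips the `NO`/`NO` combination, though `testAESGCMDuplex` already covers the no-archiving case.
```objc
- (void)testAESGCMDuplexRejectsTamperedMessage {
    // … same sender/receiver/sendToRecvData setup as testAESGCMDuplex …
    NSError* error = nil;
    NSMutableData* tampered = [[sender encrypt:sendToRecvData error:&error] mutableCopy];
    XCTAssertNotNil(tampered, @"Encrypt failed: %@", error);

    ((uint8_t*)tampered.mutableBytes)[0] ^= 0x01;

    error = nil;
    XCTAssertNil([receiver decryptAndVerify:tampered error:&error], @"Tampered message must not decrypt");
    XCTAssertNotNil(error, @"Expected an error for a tampered message");
}
```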
@@ -0,0 +1,114 @@ +// +// KCDerTest.m +// Security +// +// + +#import <XCTest/XCTest.h> + +#import <Foundation/Foundation.h> +#import <KeychainCircle/KCDer.h> + +@interface KCDerTest : XCTestCase + +@end + +@implementation KCDerTest + +- (void)setUp { + [super setUp]; + // Put setup code here. This method is called before the invocation of each test method in the class. +} + +- (void)tearDown { + // Put teardown code here. This method is called after the invocation of each test method in the class. + [super tearDown]; +} + +- (void) roundTripData: (NSData*) data { + NSError* error = nil; + size_t size = kcder_sizeof_data(data, &error); + + XCTAssert(size != 0, @"Bad size: %@", data); + + if (size == 0) + return; + + uint8_t buffer[size]; + error = nil; + uint8_t* beginning = kcder_encode_data(data, &error, buffer, buffer + sizeof(buffer)); + + XCTAssert(beginning != NULL, "Error encoding: %@", error); + + if (beginning == NULL) + return; + + XCTAssertEqual(beginning, &buffer[0], @"Size != buffer use"); + + NSData* recovered = nil; + + error = nil; + const uint8_t* end = kcder_decode_data(&recovered, &error, buffer, buffer + sizeof(buffer)); + + XCTAssert(end != NULL, "Error decoding: %@", error); + + if (end == NULL) + return; + + XCTAssertEqual(end, buffer + sizeof(buffer), @"readback didn't use all the buffer"); + + XCTAssertEqualObjects(data, recovered, @"Didn't get equal object"); + +} + +- (void)testData { + [self roundTripData: [NSData data]]; + + uint8_t bytes[] = { 1, 2, 3, 0xFF, 4, 0x0, 0xA }; + [self roundTripData: [NSData dataWithBytes:bytes length:sizeof(bytes)]]; +} + +- (void) roundTripString: (NSString*) string { + NSError* error = nil; + + size_t size = kcder_sizeof_string(string, &error); + + XCTAssert(size != 0, @"Bad size: %@", string); + + if (size == 0) + return; + + uint8_t buffer[size]; + error = nil; + uint8_t* beginning = kcder_encode_string(string, &error, buffer, buffer + sizeof(buffer)); + + XCTAssert(beginning != NULL, "Error encoding: 
%@", error); + + if (beginning == NULL) + return; + + XCTAssertEqual(beginning, &buffer[0], @"Size != buffer use"); + + NSString* recovered = nil; + + error = nil; + const uint8_t* end = kcder_decode_string(&recovered, &error, buffer, buffer + sizeof(buffer)); + + XCTAssert(end != NULL, "Error decoding: %@", error); + + if (end == NULL) + return; + + XCTAssertEqual(end, buffer + sizeof(buffer), @"readback didn't use all the buffer"); + + XCTAssertEqualObjects(string, recovered, @"Didn't get equal object"); + +} + +- (void)testString { + [self roundTripString: [NSString stringWithCString:"Test" encoding:NSUTF8StringEncoding]]; + [self roundTripString: [NSString stringWithCString:"üðð¸âï¸â§â" encoding:NSUTF8StringEncoding]]; +} + + +@end diff --git a/KeychainCircle/Tests/KCJoiningSessionTest.m b/KeychainCircle/Tests/KCJoiningSessionTest.m new file mode 100644 index 00000000..d44a297f --- /dev/null +++ b/KeychainCircle/Tests/KCJoiningSessionTest.m 
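Review bot: The message arguments `"Error encoding: %@"` and `"Error decoding: %@"` in both `roundTripData:` and `roundTripString:` are C string literals where XCTAssert expects an `NSString` format (`@"..."`); the compiler warns, and on the failing path the C pointer is treated as an object, so the assertion meant to report the error would crash instead. Prefixing all four literals with `@` fixes it. The second `testString` input appears mojibake'd in this rendering (`üðð¸âï¸â§â`); worth confirming that the committed source holds the intended UTF-8 text so the non-ASCII round trip tests what it claims.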
@@ -0,0 +1,579 @@ +// +// KCJoiningSessionTest.m +// Security +// +// + +#import <XCTest/XCTest.h> + +#import <Foundation/Foundation.h> + +#import <KeychainCircle/KCJoiningSession.h> +#import <KeychainCircle/KCError.h> +#import <KeychainCircle/NSError+KCCreationHelpers.h> +#import <KeychainCircle/KCAESGCMDuplexSession.h> + +#include <Security/SecBase.h> +#include <Security/SecureObjectSync/SOSFullPeerInfo.h> +#include <Security/SecureObjectSync/SOSPeerInfoInternal.h> + +#include <CommonCrypto/CommonRandomSPI.h> + + +__unused static SOSFullPeerInfoRef SOSNSFullPeerInfoCreate(NSDictionary* gestalt, + NSData* backupKey, SecKeyRef signingKey, + NSError**error) +{ + CFErrorRef errorRef = NULL; + + SOSFullPeerInfoRef result = SOSFullPeerInfoCreate(NULL, (__bridge CFDictionaryRef) gestalt, (__bridge CFDataRef) backupKey, signingKey, &errorRef); + + if (errorRef && error) { + *error = (__bridge_transfer NSError*) errorRef; + errorRef = NULL; + } + + return result; +} + +static SecKeyRef GenerateFullECKey_internal(int keySize, NSError** error) +{ + SecKeyRef full_key = NULL; + + NSDictionary* keygen_parameters = @{ (__bridge NSString*)kSecAttrKeyType:(__bridge NSString*) kSecAttrKeyTypeEC, + (__bridge NSString*)kSecAttrKeySizeInBits: [NSNumber numberWithInt: keySize] }; + + + (void) OSStatusError(SecKeyGeneratePair((__bridge CFDictionaryRef)keygen_parameters, NULL, &full_key), error, @"Generate Key failed"); + + return full_key; +} + +static SecKeyRef GenerateFullECKey(int keySize, NSError** error) { + return GenerateFullECKey_internal(keySize, error); +} + + +__unused static SOSFullPeerInfoRef SOSCreateFullPeerInfoFromName(NSString* name, SecKeyRef* outSigningKey, NSError** error) +{ + if (outSigningKey == NULL) + return NULL; + + *outSigningKey = GenerateFullECKey(256, error); + if (*outSigningKey == NULL) + return NULL; + + return SOSNSFullPeerInfoCreate(@{(__bridge NSString*)kPIUserDefinedDeviceNameKey:name}, nil, *outSigningKey, error); +} + + +@interface 
KCJoiningRequestTestDelegate : NSObject <KCJoiningRequestSecretDelegate, KCJoiningRequestCircleDelegate> +@property (readwrite) NSString* sharedSecret; + +@property (readonly) NSString* accountCode; +@property (readonly) NSData* circleJoinData; +@property (readwrite) SOSPeerInfoRef peerInfo; + +@property (readwrite) NSString* incorrectSecret; +@property (readwrite) int incorrectTries; + + ++ (id) requestDelegateWithSecret:(NSString*) secret; +- (id) init NS_UNAVAILABLE; +- (id) initWithSecret: (NSString*) secret + incorrectSecret: (NSString*) wrongSecret + incorrectTries: (int) retries NS_DESIGNATED_INITIALIZER; +- (NSString*) secret; +- (NSString*) verificationFailed: (bool) codeChanged; +- (SOSPeerInfoRef) copyPeerInfoError: (NSError**) error; +- (bool) processCircleJoinData: (NSData*) circleJoinData error: (NSError**)error ; +- (bool) processAccountCode: (NSString*) accountCode error: (NSError**)error; + +@end + +@implementation KCJoiningRequestTestDelegate + ++ (id) requestDelegateWithSecret:(NSString*) secret { + return [[KCJoiningRequestTestDelegate alloc] initWithSecret:secret + incorrectSecret:@"" + incorrectTries:0]; +} + ++ (id) requestDelegateWithSecret:(NSString*) secret + incorrectSecret:(NSString*) wrongSecret + incorrectTries:(int) retries { + return [[KCJoiningRequestTestDelegate alloc] initWithSecret:secret + incorrectSecret:wrongSecret + incorrectTries:retries]; +} + + +- (id) initWithSecret: (NSString*) secret + incorrectSecret: (NSString*) incorrectSecret + incorrectTries: (int) retries { + self = [super init]; + + SecKeyRef signingKey = GenerateFullECKey(256, NULL); + + self.peerInfo = SOSPeerInfoCreate(NULL, (__bridge CFDictionaryRef) @{(__bridge NSString*)kPIUserDefinedDeviceNameKey:@"Fakey"}, NULL, signingKey, NULL); + + if (self.peerInfo == NULL) + return nil; + + self.sharedSecret = secret; + self.incorrectSecret = incorrectSecret; + self.incorrectTries = retries; + + return self; +} + +- (NSString*) nextSecret { + if (self.incorrectTries 
> 0) { + self.incorrectTries -= 1; + return self.incorrectSecret; + } + return self.sharedSecret; +} + +- (NSString*) secret { + return [self nextSecret]; +} + +- (NSString*) verificationFailed: (bool) codeChanged { + return [self nextSecret]; +} + +- (SOSPeerInfoRef) copyPeerInfoError: (NSError**) error { + return self.peerInfo; +} + +- (bool) processCircleJoinData: (NSData*) circleJoinData error: (NSError**)error { + self->_circleJoinData = circleJoinData; + return true; +} + +- (bool) processAccountCode: (NSString*) accountCode error: (NSError**)error { + self->_accountCode = accountCode; + return true; +} + +@end + +@interface KCJoiningAcceptTestDelegate : NSObject <KCJoiningAcceptSecretDelegate, KCJoiningAcceptCircleDelegate> +@property (readonly) NSArray<NSString*>* secrets; +@property (readwrite) NSUInteger currentSecret; +@property (readwrite) int retriesLeft; +@property (readwrite) int retriesPerSecret; + +@property (readonly) NSString* codeToUse; +@property (readonly) NSData* circleJoinData; +@property (readonly) SOSPeerInfoRef peerInfo; + ++ (id) acceptDelegateWithSecret: (NSString*) secret code: (NSString*) code; ++ (id) acceptDelegateWithSecrets: (NSArray<NSString*>*) secrets retries: (int) retries code: (NSString*) code; +- (id) initWithSecrets: (NSArray<NSString*>*) secrets retries: (int) retries code: (NSString*) code NS_DESIGNATED_INITIALIZER; + + +- (NSString*) secret; +- (NSString*) accountCode; + +- (KCRetryOrNot) verificationFailed: (NSError**) error; +- (NSData*) circleJoinDataFor: (SOSPeerInfoRef) peer + error: (NSError**) error; + +- (id) init NS_UNAVAILABLE; + +@end + +@implementation KCJoiningAcceptTestDelegate + ++ (id) acceptDelegateWithSecrets: (NSArray<NSString*>*) secrets retries: (int) retries code: (NSString*) code { + return [[KCJoiningAcceptTestDelegate alloc] initWithSecrets:secrets retries:retries code:code]; + +} + ++ (id) acceptDelegateWithSecret: (NSString*) secret code: (NSString*) code { + return 
[[KCJoiningAcceptTestDelegate alloc] initWithSecret:secret code:code]; +} + +- (id) initWithSecret: (NSString*) secret code: (NSString*) code { + return [self initWithSecrets:@[secret] retries:3 code:code]; +} + +- (id) initWithSecrets: (NSArray<NSString*>*) secrets retries: (int) retries code: (NSString*) code { + self = [super init]; + + self->_secrets = secrets; + self.currentSecret = 0; + self->_retriesPerSecret = retries; + self->_retriesLeft = self.retriesPerSecret; + + self->_codeToUse = code; + + uint8_t joinDataBuffer[] = { 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 }; + self->_circleJoinData = [NSData dataWithBytes: joinDataBuffer length: sizeof(joinDataBuffer) ]; + + return self; +} + +- (KCRetryOrNot) advanceSecret { + if (self.retriesLeft == 0) { + self.currentSecret += 1; + if (self.currentSecret >= [self.secrets count]) { + self.currentSecret = [self.secrets count] - 1; + } + self.retriesLeft = self.retriesPerSecret; + return kKCRetryWithNewChallenge; + } else { + self.retriesLeft -= 1; + return kKCRetryWithSameChallenge; + } +} + +- (NSString*) secret { + return self.secrets[self.currentSecret]; +} +- (NSString*) accountCode { + return self.codeToUse; +} + +- (KCRetryOrNot) verificationFailed: (NSError**) error { + return [self advanceSecret]; +} + +- (NSData*) circleJoinDataFor: (SOSPeerInfoRef) peer + error: (NSError**) error { + uint8_t joinDataBuffer[] = { 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 }; + + self->_peerInfo = peer; + return [NSData dataWithBytes: joinDataBuffer length: sizeof(joinDataBuffer) ]; +} + + +@end + + +@interface KCJoiningSessionTest : XCTestCase + +@end + +@implementation KCJoiningSessionTest + +- (void)setUp { + [super setUp]; + // Put setup code here. This method is called before the invocation of each test method in the class. +} + +- (void)tearDown { + // Put teardown code here. This method is called after the invocation of each test method in the class. 
+ [super tearDown]; +} + +- (void)testJoiningSession { + NSError* error = nil; + + NSString* secret = @"123456"; + NSString* code = @"987654"; + + uint64_t dsid = 0x1234567887654321; + + KCJoiningRequestTestDelegate* requestDelegate = [KCJoiningRequestTestDelegate requestDelegateWithSecret: secret]; + KCJoiningRequestSecretSession *requestSession = [[KCJoiningRequestSecretSession alloc] initWithSecretDelegate:requestDelegate + dsid:dsid + rng:ccDRBGGetRngState() + error:&error]; + + NSData* initialMessage = [requestSession initialMessage: &error]; + + XCTAssertNotNil(initialMessage, @"No initial message"); + XCTAssertNil(error, @"Got error %@", error); + + KCJoiningAcceptTestDelegate* acceptDelegate = [KCJoiningAcceptTestDelegate acceptDelegateWithSecret:secret code:code]; + KCJoiningAcceptSession* acceptSession = [[KCJoiningAcceptSession alloc] initWithSecretDelegate:acceptDelegate + circleDelegate:acceptDelegate + dsid:dsid + rng:ccDRBGGetRngState() + error:&error]; + + error = nil; + NSData* challenge = [acceptSession processMessage: initialMessage error: &error]; + + XCTAssertNotNil(challenge, @"No initial message"); + XCTAssertNil(error, @"Got error %@", error); + + error = nil; + NSData* response = [requestSession processMessage: challenge error: &error]; + + XCTAssertNotNil(response, @"No response message"); + XCTAssertNil(error, @"Got error %@", error); + + error = nil; + NSData* verification = [acceptSession processMessage: response error: &error]; + + XCTAssertNotNil(verification, @"No verification message"); + XCTAssertNil(error, @"Got error %@", error); + + error = nil; + NSData* doneMessage = [requestSession processMessage: verification error: &error]; + + XCTAssertNotNil(doneMessage, @"No response message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertTrue([requestSession isDone], @"SecretSession done"); + XCTAssertFalse([acceptSession isDone], @"Unexpected accept session done"); + + KCAESGCMDuplexSession* aesSession = [requestSession 
session]; + requestSession = nil; + + KCJoiningRequestCircleSession* requestSecretSession = [KCJoiningRequestCircleSession sessionWithCircleDelegate:requestDelegate session:aesSession error:&error]; + + XCTAssertNotNil(requestSecretSession, @"No request secret session"); + XCTAssertNil(error, @"Got error %@", error); + + error = nil; + NSData* peerInfoMessage = [requestSecretSession initialMessage: &error]; + + XCTAssertNotNil(peerInfoMessage, @"No peerInfo message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertEqualObjects(requestDelegate.accountCode, acceptDelegate.codeToUse, @"Code made it"); + + error = nil; + NSData* blobMessage = [acceptSession processMessage:peerInfoMessage error: &error]; + + XCTAssertNotNil(blobMessage, @"No blob message"); + XCTAssertNil(error, @"Got error %@", error); + + // We have different peer_info types due to wierd linking of our tests. + // Compare the der representations: + NSData* rp_der = requestDelegate.peerInfo != nil ? (__bridge_transfer NSData*) SOSPeerInfoCopyEncodedData(requestDelegate.peerInfo, NULL, NULL) : nil; + NSData* ap_der = acceptDelegate.peerInfo != nil ? 
(__bridge_transfer NSData*) SOSPeerInfoCopyEncodedData(acceptDelegate.peerInfo, NULL, NULL) : nil; + + XCTAssertEqualObjects(rp_der, ap_der, @"Peer infos match"); + + error = nil; + NSData* nothing = [requestSecretSession processMessage:blobMessage error: &error]; + + XCTAssertEqualObjects(requestDelegate.circleJoinData, acceptDelegate.circleJoinData); + + XCTAssertNotNil(nothing, @"No initial message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertTrue([requestSecretSession isDone], @"requesor done"); + XCTAssertTrue([acceptSession isDone], @"acceptor done"); + +} + +- (void)testJoiningSessionRetry { + NSError* error = nil; + + NSString* secret = @"123456"; + NSString* code = @"987654"; + + uint64_t dsid = 0x1234567887654321; + + KCJoiningRequestTestDelegate* requestDelegate = [KCJoiningRequestTestDelegate requestDelegateWithSecret: secret incorrectSecret:@"777888" incorrectTries:3]; + KCJoiningRequestSecretSession *requestSession = [[KCJoiningRequestSecretSession alloc] initWithSecretDelegate:requestDelegate + dsid:dsid + rng:ccDRBGGetRngState() + error:&error]; + + NSData* initialMessage = [requestSession initialMessage: &error]; + + XCTAssertNotNil(initialMessage, @"No initial message"); + XCTAssertNil(error, @"Got error %@", error); + + KCJoiningAcceptTestDelegate* acceptDelegate = [KCJoiningAcceptTestDelegate acceptDelegateWithSecret:secret code:code]; + KCJoiningAcceptSession* acceptSession = [[KCJoiningAcceptSession alloc] initWithSecretDelegate:acceptDelegate + circleDelegate:acceptDelegate + dsid:dsid + rng:ccDRBGGetRngState() + error:&error]; + + error = nil; + NSData* challenge = [acceptSession processMessage: initialMessage error: &error]; + + XCTAssertNotNil(challenge, @"No initial message"); + XCTAssertNil(error, @"Got error %@", error); + + NSData* response = nil; + NSData* verification = nil; + + NSData* nextChallenge = challenge; + for (int tries = 0; tries < 4; ++tries) { + error = nil; + response = [requestSession processMessage: 
nextChallenge error: &error]; + + XCTAssertNotNil(response, @"No response message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertNotEqualObjects(requestDelegate.accountCode, acceptDelegate.codeToUse, @"Code should not make it"); + + error = nil; + verification = [acceptSession processMessage: response error: &error]; + + XCTAssertNotNil(verification, @"No verification message"); + XCTAssertNil(error, @"Got error %@", error); + + nextChallenge = verification; + } + + error = nil; + NSData* doneMessage = [requestSession processMessage: verification error: &error]; + + XCTAssertNotNil(doneMessage, @"No response message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertTrue([requestSession isDone], @"SecretSession done"); + XCTAssertFalse([acceptSession isDone], @"Unexpected accept session done"); + + KCAESGCMDuplexSession* aesSession = [requestSession session]; + requestSession = nil; + + error = nil; + KCJoiningRequestCircleSession* requestSecretSession = [KCJoiningRequestCircleSession sessionWithCircleDelegate:requestDelegate session:aesSession error:&error]; + + XCTAssertNotNil(requestSecretSession, @"No request secret session"); + XCTAssertNil(error, @"Got error %@", error); + + error = nil; + NSData* peerInfoMessage = [requestSecretSession initialMessage: &error]; + + XCTAssertNotNil(peerInfoMessage, @"No peerInfo message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertEqualObjects(requestDelegate.accountCode, acceptDelegate.codeToUse, @"Code made it"); + + error = nil; + NSData* blobMessage = [acceptSession processMessage:peerInfoMessage error: &error]; + + XCTAssertNotNil(blobMessage, @"No blob message"); + XCTAssertNil(error, @"Got error %@", error); + + // We have different peer_info types due to wierd linking of our tests. + // Compare the der representations: + NSData* rp_der = requestDelegate.peerInfo != nil ? 
(__bridge_transfer NSData*) SOSPeerInfoCopyEncodedData(requestDelegate.peerInfo, NULL, NULL) : nil; + NSData* ap_der = acceptDelegate.peerInfo != nil ? (__bridge_transfer NSData*) SOSPeerInfoCopyEncodedData(acceptDelegate.peerInfo, NULL, NULL) : nil; + + XCTAssertEqualObjects(rp_der, ap_der, @"Peer infos match"); + + error = nil; + NSData* nothing = [requestSecretSession processMessage:blobMessage error: &error]; + + XCTAssertEqualObjects(requestDelegate.circleJoinData, acceptDelegate.circleJoinData); + + XCTAssertNotNil(nothing, @"No initial message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertTrue([requestSecretSession isDone], @"requesor done"); + XCTAssertTrue([acceptSession isDone], @"acceptor done"); + +} + +- (void)testJoiningSessionCodeChange { + NSError* error = nil; + + NSString* secret = @"123456"; + NSString* code = @"987654"; + + uint64_t dsid = 0x1234567887654321; + + KCJoiningRequestTestDelegate* requestDelegate = [KCJoiningRequestTestDelegate requestDelegateWithSecret: secret]; + KCJoiningRequestSecretSession *requestSession = [[KCJoiningRequestSecretSession alloc] initWithSecretDelegate:requestDelegate + dsid:dsid + rng:ccDRBGGetRngState() + error:&error]; + + NSData* initialMessage = [requestSession initialMessage: &error]; + + XCTAssertNotNil(initialMessage, @"No initial message"); + XCTAssertNil(error, @"Got error %@", error); + + KCJoiningAcceptTestDelegate* acceptDelegate = [KCJoiningAcceptTestDelegate acceptDelegateWithSecrets:@[@"222222", @"3333333", secret] retries:1 code:code]; + KCJoiningAcceptSession* acceptSession = [[KCJoiningAcceptSession alloc] initWithSecretDelegate:acceptDelegate + circleDelegate:acceptDelegate + dsid:dsid + rng:ccDRBGGetRngState() + error:&error]; + + error = nil; + NSData* challenge = [acceptSession processMessage: initialMessage error: &error]; + + XCTAssertNotNil(challenge, @"No initial message"); + XCTAssertNil(error, @"Got error %@", error); + + NSData* response = nil; + NSData* verification 
= nil; + + NSData* nextChallenge = challenge; + for (int tries = 0; tries < 5; ++tries) { + error = nil; + response = [requestSession processMessage: nextChallenge error: &error]; + + XCTAssertNotNil(response, @"No response message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertNotEqualObjects(requestDelegate.accountCode, acceptDelegate.codeToUse, @"Code should not make it"); + + error = nil; + verification = [acceptSession processMessage: response error: &error]; + + XCTAssertNotNil(verification, @"No verification message"); + XCTAssertNil(error, @"Got error %@", error); + + nextChallenge = verification; + } + + error = nil; + NSData* doneMessage = [requestSession processMessage: verification error: &error]; + + XCTAssertNotNil(doneMessage, @"No response message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertTrue([requestSession isDone], @"SecretSession done"); + XCTAssertFalse([acceptSession isDone], @"Unexpected accept session done"); + + KCAESGCMDuplexSession* aesSession = [requestSession session]; + requestSession = nil; + + error = nil; + KCJoiningRequestCircleSession* requestSecretSession = [KCJoiningRequestCircleSession sessionWithCircleDelegate:requestDelegate session:aesSession error:&error]; + + XCTAssertNotNil(requestSecretSession, @"No request secret session"); + XCTAssertNil(error, @"Got error %@", error); + + error = nil; + NSData* peerInfoMessage = [requestSecretSession initialMessage: &error]; + + XCTAssertNotNil(peerInfoMessage, @"No peerInfo message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertEqualObjects(requestDelegate.accountCode, acceptDelegate.codeToUse, @"Code made it"); + + error = nil; + NSData* blobMessage = [acceptSession processMessage:peerInfoMessage error: &error]; + + XCTAssertNotNil(blobMessage, @"No blob message"); + XCTAssertNil(error, @"Got error %@", error); + + // We have different peer_info types due to wierd linking of our tests. 
+ // Compare the der representations: + NSData* rp_der = requestDelegate.peerInfo != nil ? (__bridge_transfer NSData*) SOSPeerInfoCopyEncodedData(requestDelegate.peerInfo, NULL, NULL) : nil; + NSData* ap_der = acceptDelegate.peerInfo != nil ? (__bridge_transfer NSData*) SOSPeerInfoCopyEncodedData(acceptDelegate.peerInfo, NULL, NULL) : nil; + + XCTAssertEqualObjects(rp_der, ap_der, @"Peer infos match"); + + error = nil; + NSData* nothing = [requestSecretSession processMessage:blobMessage error: &error]; + + XCTAssertEqualObjects(requestDelegate.circleJoinData, acceptDelegate.circleJoinData); + + XCTAssertNotNil(nothing, @"No initial message"); + XCTAssertNil(error, @"Got error %@", error); + + XCTAssertTrue([requestSecretSession isDone], @"requesor done"); + XCTAssertTrue([acceptSession isDone], @"acceptor done"); + +} + +@end diff --git a/KeychainCircle/Tests/KCSRPTests.m b/KeychainCircle/Tests/KCSRPTests.m new file mode 100644 index 00000000..e518a261 --- /dev/null +++ b/KeychainCircle/Tests/KCSRPTests.m 
@@ -0,0 +1,108 @@ +// +// KeychainCircleTests.m +// KeychainCircleTests +// +// + +#import <XCTest/XCTest.h> + +#import "KCSRPContext.h" +#include <corecrypto/ccrng.h> +#include <corecrypto/ccsha2.h> +#include <corecrypto/ccdh_gp.h> +#include <CommonCrypto/CommonRandomSPI.h> + +@interface KCSRPTests : XCTestCase + +@end + +@implementation KCSRPTests + +- (void)setUp { + [super setUp]; + // Put setup code here. This method is called before the invocation of each test method in the class. +} + +- (void)tearDown { + // Put teardown code here. This method is called after the invocation of each test method in the class. + [super tearDown]; +} + +- (void) negotiateWithUser: (NSString*) user + digestInfo: (const struct ccdigest_info*) di + group: (ccsrp_const_gp_t) group + randomSource: (struct ccrng_state *) rng { + + NSString* password = @"TryMeAs a ü password, sucka"; + + KCSRPClientContext * client = [[KCSRPClientContext alloc] initWithUser: user + digestInfo: di + group: group + randomSource: rng]; + XCTAssert([client getKey] == NULL, @"No key yet"); + XCTAssert(![client isAuthenticated], @"Not yet authenticated"); + + XCTAssert(client, @"No KCSRPClientContext created"); + + KCSRPServerContext * server = [[KCSRPServerContext alloc] initWithUser:user + password:password + digestInfo:di + group:group + randomSource:rng]; + + + XCTAssert(server, @"No KCSRPServerContext created"); + + XCTAssert([server getKey] == NULL, @"No key yet"); + + NSError* error = nil; + + NSData* A_data = [client copyStart:&error]; + XCTAssert(A_data, @"copied start failed (%@)", error); + error = nil; + + XCTAssert([client getKey] == NULL, @"Shouldn't have key"); + XCTAssert(![client isAuthenticated], @"Not yet authenticated"); + + NSData* B_data = [server copyChallengeFor:A_data error: &error]; + XCTAssert(B_data, @"Copied challenge for start failed (%@)", error); + error = nil; + + XCTAssert([server getKey] != NULL, @"Should have key"); + XCTAssert(![server isAuthenticated], @"Not yet 
authenticated"); + + NSData* M_data = [client copyResposeToChallenge:B_data + password:password + salt:server.salt + error:&error]; + XCTAssert(M_data, @"Copied responseToChallenge failed (%@)", error); + error = nil; + + XCTAssert([client getKey] != NULL, @"Don't have key"); + XCTAssert(![client isAuthenticated], @"Not yet authenticated"); + + NSData* HAMK_data = [server copyConfirmationFor:M_data error:&error]; + XCTAssert(HAMK_data, @"Copied confirmation failed (%@)", error); + error = nil; + + XCTAssert([server getKey] != NULL, @"Don't have key"); + XCTAssert([server isAuthenticated], @"Not yet authenticated"); + + bool verified = [client verifyConfirmation:HAMK_data error:&error]; + XCTAssert(verified, @"Verification failed (%@)", error); + error = nil; + + XCTAssert([client getKey] != NULL, @"Don't have key"); + XCTAssert([client isAuthenticated], @"Should be authenticated"); + + +} + +- (void)testNegotiation { + [self negotiateWithUser: @"TestUser" + digestInfo: ccsha256_di() + group: ccsrp_gp_rfc5054_3072() + randomSource: ccDRBGGetRngState()]; +} + +@end diff --git a/KeychainCircle/Tests/KeychainCircle.plist b/KeychainCircle/Tests/KeychainCircle.plist new file mode 100644 index 00000000..daf13f84 --- /dev/null +++ b/KeychainCircle/Tests/KeychainCircle.plist 
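Review bot: negotiateWithUser:digestInfo:group:randomSource: only exercises the successful exchange; there is no case in which the client is given a password different from the one the server was constructed with and `copyConfirmationFor:` or `verifyConfirmation:` is expected to fail, so an implementation that accepted any M or HAMK would still pass this suite. A second call (or a parameter on this helper) that runs the same steps with a mismatched client password and asserts `XCTAssertNil(HAMK_data, ...)` or `XCTAssertFalse(verified, ...)` would close that gap. Separately, `XCTAssert(client, @"No KCSRPClientContext created")` is evaluated only after two messages have already been sent to `client`, so it cannot catch a nil context; moving it directly under the alloc/init call makes it meaningful.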
@@ -0,0 +1,102 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>BATSConfigVersion</key> + <string>0.1.0</string> + <key>Project</key> + <string>Security</string> + <key>TestSpecificLogs</key> + <array> + <string>/var/log/module/com.apple.securityd/security.log.*</string> + <string>/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/security.log.*</string> + </array> + <key>Tests</key> + <array> + <dict> + <key>TestName</key> + <string>KCDer</string> + <key>WorkingDirectory</key> + <string>/AppleInternal/Tests/Security</string> + <key>Arch</key> + <string>platform-native</string> + <key>AsRoot</key> + <false/> + <key>Command</key> + <array> + <string>BATS_XCTEST_CMD -NSTreatUnknownArgumentsAsOpen NO -ApplePersistenceIgnoreState YES -XCTest KCDerTest KeychainCircleTests.xctest</string> + </array> + </dict> + <dict> + <key>TestName</key> + <string>KCAESGCM</string> + <key>WorkingDirectory</key> + <string>/AppleInternal/Tests/Security</string> + <key>Arch</key> + <string>platform-native</string> + <key>AsRoot</key> + <false/> + <key>Command</key> + <array> + <string>BATS_XCTEST_CMD -NSTreatUnknownArgumentsAsOpen NO -ApplePersistenceIgnoreState YES -XCTest testAESGCMDuplex KeychainCircleTests.xctest</string> + </array> + </dict> + <dict> + <key>TestName</key> + <string>KCAESGCMCoding</string> + <key>WorkingDirectory</key> + <string>/AppleInternal/Tests/Security</string> + <key>Arch</key> + <string>platform-native</string> + <key>AsRoot</key> + <false/> + <key>Command</key> + <array> + <string>BATS_XCTEST_CMD -NSTreatUnknownArgumentsAsOpen NO -ApplePersistenceIgnoreState YES -XCTest testAESGCMDuplexCoding KeychainCircleTests.xctest</string> + </array> + </dict> + <dict> + <key>TestName</key> + <string>JoiningSession</string> + <key>WorkingDirectory</key> + <string>/AppleInternal/Tests/Security</string> + <key>Arch</key> + 
<string>platform-native</string> + <key>AsRoot</key> + <false/> + <key>Command</key> + <array> + <string>BATS_XCTEST_CMD -NSTreatUnknownArgumentsAsOpen NO -ApplePersistenceIgnoreState YES -XCTest testJoiningSession KeychainCircleTests.xctest</string> + </array> + </dict> + <dict> + <key>TestName</key> + <string>JoiningSessionRetry</string> + <key>WorkingDirectory</key> + <string>/AppleInternal/Tests/Security</string> + <key>Arch</key> + <string>platform-native</string> + <key>AsRoot</key> + <false/> + <key>Command</key> + <array> + <string>BATS_XCTEST_CMD -NSTreatUnknownArgumentsAsOpen NO -ApplePersistenceIgnoreState YES -XCTest testJoiningSessionRetry KeychainCircleTests.xctest</string> + </array> + </dict> + <dict> + <key>TestName</key> + <string>JoiningSessionCodeChange</string> + <key>WorkingDirectory</key> + <string>/AppleInternal/Tests/Security</string> + <key>Arch</key> + <string>platform-native</string> + <key>AsRoot</key> + <false/> + <key>Command</key> + <array> + <string>BATS_XCTEST_CMD -NSTreatUnknownArgumentsAsOpen NO -ApplePersistenceIgnoreState YES -XCTest testJoiningSessionCodeChange KeychainCircleTests.xctest</string> + </array> + </dict> + </array> +</dict> +</plist> diff --git a/KeychainSyncAccountNotification/KeychainSyncAccountNotification-Info.plist b/KeychainSyncAccountNotification/KeychainSyncAccountNotification-Info.plist index 9806922e..d11ac900 100644 --- a/KeychainSyncAccountNotification/KeychainSyncAccountNotification-Info.plist +++ b/KeychainSyncAccountNotification/KeychainSyncAccountNotification-Info.plist @@ -9,7 +9,7 @@ <key>CFBundleIconFile</key> <string></string> <key>CFBundleIdentifier</key> - <string>com.apple.security.${PRODUCT_NAME:rfc1034identifier}</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> 
diff --git a/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m b/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m index 3d522f93..c710f866 100644 --- a/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m +++ b/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m @@ -2,15 +2,16 @@ // KeychainSyncAccountNotification.m // Security // -// Created by keith on 5/2/13. -// -// #import "KeychainSyncAccountNotification.h" #import <Accounts/ACLogging.h> #import <Accounts/Accounts.h> #import <Accounts/Accounts_Private.h> +#if TARGET_OS_IPHONE #import <AppleAccount/ACAccount+AppleAccount.h> +#else +#import <AOSAccounts/ACAccount+iCloudAccount.h> +#endif #import <AccountsDaemon/ACDAccountStore.h> #import <AccountsDaemon/ACDClientAuthorizationManager.h> #import <AccountsDaemon/ACDClientAuthorization.h> @@ -18,12 +19,22 @@ @implementation KeychainSyncAccountNotification + +- (bool)accountIsPrimary:(ACAccount *)account +{ +#if TARGET_OS_IPHONE + return [account aa_isPrimaryAccount]; +#else + return [account icaIsPrimaryAccount]; +#endif +} + - (BOOL)account:(ACAccount *)account willChangeWithType:(ACAccountChangeType)changeType inStore:(ACDAccountStore *)store oldAccount:(ACAccount *)oldAccount { if ((changeType == kACAccountChangeTypeDeleted) && [oldAccount.accountType.identifier isEqualToString:ACAccountTypeIdentifierAppleAccount]) { if(oldAccount.identifier != NULL && oldAccount.username !=NULL){ - if ([oldAccount aa_isPrimaryAccount]) { + if ([self accountIsPrimary:oldAccount]) { CFErrorRef removalError = NULL; 
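Review bot: The new `accountIsPrimary:` helper in the -18,12 hunk returns C `bool` while the delegate methods around it (`account:willChangeWithType:inStore:oldAccount:`) return Objective-C `BOOL`; for consistency with the rest of the class the signature should be `- (BOOL)accountIsPrimary:(ACAccount *)account`. The helper would also benefit from a one-line comment stating why it exists, e.g. `// The primary-account check comes from a different framework per platform (AppleAccount on iOS, AOSAccounts on macOS).` The extra blank line added before `if ([self accountIsPrimary:oldAccount])` in the -48,7 hunk looks accidental and does not match the surrounding style.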
@@ -48,7 +59,8 @@ - (void)account:(ACAccount *)account didChangeWithType:(ACAccountChangeType)changeType inStore:(ACDAccountStore *)store oldAccount:(ACAccount *)oldAccount { if (changeType == kACAccountChangeTypeDeleted) { if (oldAccount.identifier != NULL && oldAccount.username != NULL){ - if ([oldAccount aa_isPrimaryAccount]) { + + if ([self accountIsPrimary:oldAccount]) { CFErrorRef removalError = NULL; ACLogDebug(@"Performing SOS circle credential removal for account %@: %@", oldAccount.identifier, oldAccount.username); if (!SOSCCLoggedOutOfAccount(&removalError)) { diff --git a/Modules/Security.iOS.modulemap b/Modules/Security.iOS.modulemap new file mode 100644 index 00000000..19cd51d0 --- /dev/null +++ b/Modules/Security.iOS.modulemap @@ -0,0 +1,20 @@ +framework module Security [extern_c] { + umbrella header "Security.h" + + export * + module * { + export * + } + + + explicit module CipherSuite { + header "CipherSuite.h" + export * + } + explicit module SecureTransport { + header "SecureTransport.h" + export * + } + +} + diff --git a/Modules/Security.macOS.modulemap b/Modules/Security.macOS.modulemap new file mode 100644 index 00000000..d7b5dd1c --- /dev/null +++ b/Modules/Security.macOS.modulemap 
@@ -0,0 +1,48 @@
+framework module Security [extern_c] {
+ umbrella header "Security.h"
+ header "SecurityFeatures.h"
+
+ export *
+ module * {
+ export *
+ }
+
+
+ explicit module AuthorizationPlugin {
+ header "AuthorizationPlugin.h"
+ export *
+ }
+ explicit module AuthSession {
+ header "AuthSession.h"
+ export *
+ }
+ explicit module CodeSigning {
+ header "CodeSigning.h"
+ export *
+ }
+ explicit module eisl {
+ header "eisl.h"
+ export *
+ }
+ explicit module SecAsn1Coder {
+ header "SecAsn1Coder.h"
+ export *
+ }
+ explicit module SecAsn1Templates {
+ header "SecAsn1Templates.h"
+ export *
+ }
+ explicit module SecureDownload {
+ header "SecureDownload.h"
+ export *
+ }
+ explicit module SecRandom {
+ header "SecRandom.h"
+ export *
+ }
+ explicit module SecureTransport {
+ header "SecureTransport.h"
+ export *
+ }
+}
+
diff --git a/OSX/Breadcrumb/SecBreadcrumb.c b/OSX/Breadcrumb/SecBreadcrumb.c
index b0c3b56d..44b1ac55 100644
--- a/OSX/Breadcrumb/SecBreadcrumb.c
+++ b/OSX/Breadcrumb/SecBreadcrumb.c
@@ -17,7 +17,9 @@ static const int kKeySize = CCAES_KEY_SIZE_128;
 static const int kSaltSize = 20;
 static const int kIterations = 5000;
 static const CFIndex tagLen = 16;
-static const uint8_t BCversion = 1;
+static const CFIndex ivLen = 16;
+static const uint8_t BCversion1 = 1;
+static const uint8_t BCversion2 = 2;
 static const size_t paddingSize = 256;
 static const size_t maxSize = 1024;
@@ -30,6 +32,7 @@ SecBreadcrumbCreateFromPassword(CFStringRef inPassword,
 const struct ccmode_ecb *ecb = ccaes_ecb_encrypt_mode();
 const struct ccmode_gcm *gcm = ccaes_gcm_encrypt_mode();
 const struct ccdigest_info *di = ccsha256_di();
+ uint8_t iv[ivLen];
 CFMutableDataRef key, npw;
 CFDataRef pw;
@@ -43,7 +46,15 @@ SecBreadcrumbCreateFromPassword(CFStringRef inPassword,
 return false;
 CFDataSetLength(key, kKeySize + kSaltSize + 4);
- CCRandomCopyBytes(kCCRandomDefault, CFDataGetMutableBytePtr(key), CFDataGetLength(key) - 4);
+ if (SecRandomCopyBytes(kSecRandomDefault, CFDataGetLength(key) - 4, CFDataGetMutableBytePtr(key)) != 0) {
+ CFReleaseNull(key);
+ return false;
+ }
+ if (SecRandomCopyBytes(kSecRandomDefault, ivLen, iv) != 0) {
+ CFReleaseNull(key);
+ return false;
+ }
+
 uint32_t size = htonl(kIterations);
 memcpy(CFDataGetMutableBytePtr(key) + kKeySize + kSaltSize, &size, sizeof(size));
@@ -66,7 +77,7 @@ SecBreadcrumbCreateFromPassword(CFStringRef inPassword,
 }
 CFIndex paddedSize = passwordLength + paddingSize - (passwordLength % paddingSize);
- const CFIndex outLength = 1 + 4 + paddedSize + tagLen;
+ const CFIndex outLength = 1 + ivLen + 4 + paddedSize + tagLen;
 npw = CFDataCreateMutable(NULL, outLength);
 if (npw == NULL) {
@@ -77,10 +88,11 @@ SecBreadcrumbCreateFromPassword(CFStringRef inPassword,
 CFDataSetLength(npw, outLength);
 memset(CFDataGetMutableBytePtr(npw), 0, outLength);
- CFDataGetMutableBytePtr(npw)[0] = BCversion;
+ CFDataGetMutableBytePtr(npw)[0] = BCversion2;
+ memcpy(CFDataGetMutableBytePtr(npw) + 1, iv, ivLen);
 size = htonl(passwordLength);
- memcpy(CFDataGetMutableBytePtr(npw) + 1, &size, sizeof(size));
- memcpy(CFDataGetMutableBytePtr(npw) + 5, CFDataGetBytePtr(pw), passwordLength);
+ memcpy(CFDataGetMutableBytePtr(npw) + 1 + ivLen, &size, sizeof(size));
+ memcpy(CFDataGetMutableBytePtr(npw) + 1 + ivLen + 4, CFDataGetBytePtr(pw), passwordLength);
 /*
 * Now create a GCM encrypted password using the random key
@@ -88,8 +100,9 @@ SecBreadcrumbCreateFromPassword(CFStringRef inPassword,
 ccgcm_ctx_decl(gcm->size, ctx);
 ccgcm_init(gcm, ctx, kKeySize, CFDataGetMutableBytePtr(key));
+ ccgcm_set_iv(gcm, ctx, ivLen, iv);
 ccgcm_gmac(gcm, ctx, 1, CFDataGetMutableBytePtr(npw));
- ccgcm_update(gcm, ctx, outLength - tagLen - 1, CFDataGetMutableBytePtr(npw) + 1, CFDataGetMutableBytePtr(npw) + 1);
+ ccgcm_update(gcm, ctx, outLength - tagLen - ivLen - 1, CFDataGetMutableBytePtr(npw) + 1 + ivLen, CFDataGetMutableBytePtr(npw) + 1 + ivLen);
 ccgcm_finalize(gcm, ctx, tagLen, CFDataGetMutableBytePtr(npw) + outLength - tagLen);
 ccgcm_ctx_clear(gcm->size, ctx);
@@ -138,9 +151,9 @@ SecBreadcrumbCopyPassword(CFStringRef inPassword,
 CFErrorRef *outError)
 {
 const struct ccmode_ecb *ecb = ccaes_ecb_decrypt_mode();
- const struct ccmode_gcm *gcm = ccaes_gcm_decrypt_mode();
 const struct ccdigest_info *di = ccsha256_di();
 CFMutableDataRef gcmkey, oldpw;
+ CFIndex outLength;
 CFDataRef pw;
 uint32_t size;
@@ -152,11 +165,16 @@ SecBreadcrumbCopyPassword(CFStringRef inPassword,
 return false;
 }
- if (CFDataGetLength(inBreadcrumb) < 1 + 4 + paddingSize + tagLen) {
- return false;
- }
-
- if (CFDataGetBytePtr(inBreadcrumb)[0] != BCversion) {
+ if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion1) {
+ if (CFDataGetLength(inBreadcrumb) < 1 + 4 + paddingSize + tagLen)
+ return false;
+
+ outLength = CFDataGetLength(inBreadcrumb) - 1 - tagLen;
+ } else if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion2) {
+ if (CFDataGetLength(inBreadcrumb) < 1 + ivLen + 4 + paddingSize + tagLen)
+ return false;
+ outLength = CFDataGetLength(inBreadcrumb) - 1 - ivLen - tagLen;
+ } else {
 return false;
 }
@@ -165,7 +183,6 @@ SecBreadcrumbCopyPassword(CFStringRef inPassword,
 return false;
 }
- const CFIndex outLength = CFDataGetLength(inBreadcrumb) - 1 - tagLen;
 if ((outLength % 16) != 0 && outLength < 4) {
 CFReleaseNull(gcmkey);
 return false;
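Review bot: The added `ccgcm_set_iv(gcm, ctx, ivLen, iv);` discards its result, as do the neighbouring `ccgcm_init`/`ccgcm_gmac`/`ccgcm_update` calls; if this corecrypto's GCM entry points report a status (the decrypt side of this same commit checks `ccgcm_one_shot`'s `int`), a failed IV set here would go unnoticed and the buffer would be sealed with an unset nonce. Checking `if (ccgcm_set_iv(gcm, ctx, ivLen, iv) != 0) goto fail;` (or the file's equivalent release-and-return pattern) would match the decrypt path; please confirm the return type in the corecrypto version this builds against. SecBreadcrumbCreateFromPassword's body starts and ends outside this hunk.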
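Review bot: The version dispatch reads `CFDataGetBytePtr(inBreadcrumb)[0]` before any length check, whereas the removed code checked the minimum length first, so a zero-length breadcrumb now reads byte 0 of an empty (possibly NULL) buffer. Add `if (CFDataGetLength(inBreadcrumb) < 1) return false;` ahead of the `== BCversion1` test; the check that precedes this hunk presumably guards only against a NULL object, so confirm it does not already cover the empty case. The condition left in place just below in the -165,7 hunk, `if ((outLength % 16) != 0 && outLength < 4)`, deserves a look now that outLength is derived two ways: both minimum-length checks make `outLength < 4` unreachable, and `4 + paddedSize` is never a multiple of 16, so as written the test rejects nothing; if the intent is to validate the padded layout, `(outLength - 4) % paddingSize != 0` is the invariant the encoder actually produces.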
@@ -177,7 +194,6 @@ SecBreadcrumbCopyPassword(CFStringRef inPassword,
 return false;
 }
 CFDataSetLength(oldpw, outLength);
-
 /*
 * Create data for password
@@ -220,23 +236,38 @@ SecBreadcrumbCopyPassword(CFStringRef inPassword,
 /*
 * GCM unwrap
 */
-
+
 uint8_t tag[tagLen];
- ccgcm_ctx_decl(gcm->size, ctx);
-
- ccgcm_init(gcm, ctx, kKeySize, CFDataGetMutableBytePtr(gcmkey));
- ccgcm_gmac(gcm, ctx, 1, CFDataGetBytePtr(inBreadcrumb));
- ccgcm_update(gcm, ctx, outLength, CFDataGetBytePtr(inBreadcrumb) + 1, CFDataGetMutableBytePtr(oldpw));
- ccgcm_finalize(gcm, ctx, tagLen, tag);
- ccgcm_ctx_clear(gcm->size, ctx);
-
- CFReleaseNull(gcmkey);
-
- if (memcmp(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength, tagLen) != 0) {
- CFReleaseNull(oldpw);
- return false;
+
+ if (CFDataGetBytePtr(inBreadcrumb)[0] == BCversion1) {
+ memcpy(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength, tagLen);
+
+ ccgcm_one_shot_legacy(ccaes_gcm_decrypt_mode(), kKeySize, CFDataGetMutableBytePtr(gcmkey), 0, NULL, 1, CFDataGetBytePtr(inBreadcrumb),
+ outLength, CFDataGetBytePtr(inBreadcrumb) + 1, CFDataGetMutableBytePtr(oldpw), tagLen, tag);
+ if (memcmp(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength, tagLen) != 0) {
+ CFReleaseNull(oldpw);
+ return false;
+ }
+
+ } else {
+ const uint8_t *iv = CFDataGetBytePtr(inBreadcrumb) + 1;
+ int res;
+ memcpy(tag, CFDataGetBytePtr(inBreadcrumb) + 1 + ivLen + outLength, tagLen);
+
+ res = ccgcm_one_shot(ccaes_gcm_decrypt_mode(), kKeySize, CFDataGetMutableBytePtr(gcmkey),
+ ivLen, iv,
+ 1, CFDataGetBytePtr(inBreadcrumb),
+ outLength, CFDataGetBytePtr(inBreadcrumb) + 1 + ivLen, CFDataGetMutableBytePtr(oldpw),
+ tagLen, tag);
+ if (res) {
+ CFReleaseNull(oldpw);
+ return false;
+ }
 }
+
+ CFReleaseNull(gcmkey);
+
 memcpy(&size, CFDataGetMutableBytePtr(oldpw), sizeof(size));
 size = ntohl(size);
 if (size > outLength - 4) {
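Review bot: `gcmkey` is leaked on both new failure paths in the -220,23 hunk: the removed code released it before the tag comparison, but `CFReleaseNull(gcmkey);` now sits after the if/else, and the `memcmp` and `res` branches return with only `oldpw` released. Add `CFReleaseNull(gcmkey);` beside `CFReleaseNull(oldpw);` in both branches, which also restores consistency with the earlier error returns in this function that do release it. The legacy branch additionally ignores the return value of `ccgcm_one_shot_legacy` and verifies the recomputed tag with plain `memcmp`, which is not constant-time, while the v2 branch relies on `ccgcm_one_shot`'s status; checking the legacy call's result and comparing with `cc_cmp_safe(tagLen, tag, CFDataGetBytePtr(inBreadcrumb) + 1 + outLength)` would put the two paths on the same footing. SecBreadcrumbCopyPassword continues past the end of this hunk.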
diff --git a/OSX/Breadcrumb/bc-10-knife-on-bread.c b/OSX/Breadcrumb/bc-10-knife-on-bread.m similarity index 53% rename from OSX/Breadcrumb/bc-10-knife-on-bread.c rename to OSX/Breadcrumb/bc-10-knife-on-bread.m index e3d4409b..638eb729 100644 --- a/OSX/Breadcrumb/bc-10-knife-on-bread.c +++ b/OSX/Breadcrumb/bc-10-knife-on-bread.m @@ -22,27 +22,19 @@ */ +#include <Foundation/Foundation.h> #include <Security/Security.h> #include <Security/SecBreadcrumb.h> #include "breadcrumb_regressions.h" -static void -print_hex(const char *label, CFDataRef data) -{ - CFIndex count, n; - printf("%s = ", label); - const uint8_t *ptr = CFDataGetBytePtr(data); - count = CFDataGetLength(data); - for (n = 0; n < count; n++) { - printf("%02x", ptr[n]); - } - printf("\n"); -} +static NSString *after1 = @"XAKyA0TbLKpDOBl+Ur1CQpjGDtn3wp8bYiM07iJSGVIhaaG4AAATiA=="; +static NSString *bc1 = @"AdSXILtQrtsD+eT/UjMxxu4QTjlIJjvFDhpMXfk2eZ1CCJVhCuAhNcoL4DsU85DgSBCAswzVcSEU+bLMt+DT1jJfjJKVBus1Hd5lCA+N4wVtC66w3GK/WDQdGvLZ+BL86GkeRM2/+wH4/t5qOtxIJPS5SYZhnM5EP8xFYg30MLqXZqpwZhqYBJmVPMqEbLuihYAcAJreiZm4NN09CxvD36mvU3NyQOdHzAiQ+ADMiVI84qjU0qFH1KaZEoMHn3AqjAdviHUTOaNQXNepidedBZhSl4QBeuT2CaCYHjCXny9BYT+hCEU1yXn3RYeWyjcmFKmIz8gRvWf3ckF3XaSVL7MwqfsWw1tdI9OPi7zhauqphRGELw=="; +static NSString *after2 = @"l/y+EOCUEeQHudNLQd5SoCJ2s/+rfH/kdbxbwZ7YGGb/U2FMAAATiA=="; +static NSString *bc2 = @"AuuaJCuKmffY3XAqTYNygSFQ4QnlkSqTHGYUMaxDRA1lQhbxJh58zAOvcsahYH9lSb4+YoMR6G7hDmqlKae8h3jrn0vhT4FlIySFS3MUPvmGOuhUecb+Gi2AYwc9x1uz7f0FSRxxL+v04r2AkmH1Cv6cL7pvued7vxUjzX4VrexFj+uF7i/HSGStg2+D3L+CRs2+dKZZ9BqiKjavsX9XPkvJAD0r8rKHncOBrRxL7A3+ysBTZi2VCi/8QTDSGp6DmpXEJ4NTo/IrZ+trOXe0MuocLMg+Jf6V8jy5ZfaQoGTuM3fJiD6EFGT68QtLrjqU9KdtHhQdCmFVi60zbWqEBRNN7IyRNyPJX48NqFPZuAUW7BL0YbuhdUX2Oj7+hFz99vch1T0="; - -#define kTestCount 6 +#define kTestCount 10 int bc_10_password(int argc, char *const *argv) { CFDataRef breadcrumb = NULL, encryptedKey = NULL; 
@@ -59,12 +51,9 @@ int bc_10_password(int argc, char *const *argv) ok(oldPassword && CFStringCompare(password, oldPassword, 0) == kCFCompareEqualTo, "not same password"); CFRelease(oldPassword); - - print_hex("encrypted key before", encryptedKey); - + CFDataRef newEncryptedKey; - printf("changing password from \"password\" to \"newpassword\"\n"); newEncryptedKey = SecBreadcrumbCreateNewEncryptedKey(password, @@ -73,9 +62,6 @@ int bc_10_password(int argc, char *const *argv) &error); ok(newEncryptedKey, "no new encrypted key"); - print_hex("encrypted key after", newEncryptedKey); - - ok(SecBreadcrumbCopyPassword(newpassword, breadcrumb, newEncryptedKey, &oldPassword, NULL), "unwrap failed"); ok(oldPassword && CFStringCompare(password, oldPassword, 0) == kCFCompareEqualTo, "not same password"); 
@@ -84,5 +70,35 @@ int bc_10_password(int argc, char *const *argv) CFRelease(oldPassword); CFRelease(newEncryptedKey); + /* + * Check KAT for IV less operation (version1) + */ + + breadcrumb = CFBridgingRetain([[NSData alloc] initWithBase64EncodedString:bc1 options:0]); + newEncryptedKey = CFBridgingRetain([[NSData alloc] initWithBase64EncodedString:after1 options:0]); + + ok(SecBreadcrumbCopyPassword(newpassword, breadcrumb, newEncryptedKey, &oldPassword, NULL), "unwrap failed"); + + ok(oldPassword && CFStringCompare(password, oldPassword, 0) == kCFCompareEqualTo, "not same password"); + + CFRelease(breadcrumb); + CFRelease(oldPassword); + CFRelease(newEncryptedKey); + + /* + * Check KAT for IV less operation (version2) + */ + + breadcrumb = CFBridgingRetain([[NSData alloc] initWithBase64EncodedString:bc2 options:0]); + newEncryptedKey = CFBridgingRetain([[NSData alloc] initWithBase64EncodedString:after2 options:0]); + + ok(SecBreadcrumbCopyPassword(newpassword, breadcrumb, newEncryptedKey, &oldPassword, NULL), "unwrap failed"); + + ok(oldPassword && CFStringCompare(password, oldPassword, 0) == kCFCompareEqualTo, "not same password"); + + CFRelease(breadcrumb); + CFRelease(oldPassword); + CFRelease(newEncryptedKey); + return 0; } diff --git a/OSX/IDSKeychainSyncingProxy/com.apple.private.alloy.keychainsync.plist b/OSX/IDSKeychainSyncingProxy/com.apple.private.alloy.keychainsync.plist deleted file mode 100644 index f08f2617b1ce77c9f0708dda9741267278cb8c15..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 458 zcma)$O-{ow6ojA4Ut4}^V8H^|u|a~U3l7kzEcmS|wL+pz6&d@Ln7XkQJFT*3#Z5Q> z+=T@f;1r|~mPmP<(LBvJng^q#b<O4nsVpt8tgcmS_4SR-tp=^{jAUEsRP->JNsfa{ zfw7ZgiOKL>TBBIjVN<;CrZ(zpBY8*<Z&(`h=$7%QfI50XaOR|rgKnao=2|VVkWyb< zXkO&{naN)Ve(H2v$7A`JCU}R=q40%B&|0*^zsj7hh4hH)smF{_=$S;$m_v^#r894W z8IPEZZ5H$3x-h-mlw?ABQl|P;3Oi?$eD&TxaZ1Y0gevUAF`PjQuHXsg@B**!2Ji3* YUu2uK$bbZ71V2|HzY4pB7DArC0Z1&AumAu6 
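Review bot: Both KAT blocks hand the decoded `breadcrumb` and `newEncryptedKey` straight to SecBreadcrumbCopyPassword without checking that the base64 decode succeeded, so a mistyped vector makes `initWithBase64EncodedString:` return nil and the run fails as a crash or an opaque "unwrap failed" instead of a pointed test failure. Add `ok(breadcrumb && newEncryptedKey, "KAT vector failed to decode");` after each pair of CFBridgingRetain calls and raise kTestCount to match. The comments `Check KAT for IV less operation (version1)` / `(version2)` would also be more useful if they said what is being pinned, e.g. `/* KAT: a breadcrumb in the older IV-less version-1 encoding must still unwrap with the current code; keep this vector fixed so a format change cannot silently break existing breadcrumbs */`. bc_10_password begins before this hunk.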
diff --git a/OSX/IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings b/OSX/IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings deleted file mode 100644 index 477b28ff..00000000 --- a/OSX/IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings +++ /dev/null @@ -1,2 +0,0 @@ -/* Localized versions of Info.plist keys */ - diff --git a/OSX/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist b/OSX/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist deleted file mode 100644 index 9d23eb1c..00000000 --- a/OSX/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist +++ /dev/null @@ -1,30 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> -<plist version="1.0"> -<dict> - <key>com.apple.wifi.manager-access</key> - <true/> - <key>com.apple.private.ids.remoteurlconnection</key> - <true/> - <key>com.apple.private.ids.force-encryption-off</key> - <array> - <string>com.apple.private.alloy.keychainsync</string> - </array> - <key>com.apple.private.ids.messaging.high-priority</key> - <array> - <string>com.apple.private.alloy.keychainsync</string> - </array> - <key>com.apple.private.ids.messaging</key> - <array> - <string>com.apple.private.alloy.keychainsync</string> - </array> - <key>keychain-access-groups</key> - <array> - <string>IMCore</string> - <string>apple</string> - <string>InternetAccounts</string> - </array> - <key>application-identifier</key> - <string>com.apple.security.idskeychainsyncingproxy</string> -</dict> -</plist> diff --git a/OSX/Keychain Circle Notification/KNAppDelegate.m b/OSX/Keychain Circle Notification/KNAppDelegate.m index 044bd17b..05160674 100644 --- a/OSX/Keychain Circle Notification/KNAppDelegate.m +++ b/OSX/Keychain Circle Notification/KNAppDelegate.m 
@@ -36,6 +36,8 @@ #include <msgtracer_client.h> #include <msgtracer_keys.h> #include <CrashReporterSupport/CrashReporterSupportPrivate.h> +#import "CoreCDP/CDPFollowUpController.h" +#import "CoreCDP/CDPFollowUpContext.h" static const char * const kLaunchLaterXPCName = "com.apple.security.Keychain-Circle-Notification-TICK"; static const NSString * const kKickedOutKey = @"KickedOut"; @@ -62,9 +64,11 @@ static NSUserNotificationCenter *appropriateNotificationCenter() AEDesc aeDesc; BOOL createdAEDesc = createAEDescWithAEActionAndAccountID((__bridge NSString *) kMMServiceIDKeychainSync, eventName, account, &aeDesc); if (createdAEDesc) { - LSLaunchURLSpec lsSpec = { + NSArray *prefPaneURL = [NSArray arrayWithObject: [NSURL fileURLWithPath:@"/System/Library/PreferencePanes/iCloudPref.prefPane"]]; + + LSLaunchURLSpec lsSpec = { .appURL = NULL, - .itemURLs = (__bridge CFArrayRef)([NSArray arrayWithObject: [NSURL fileURLWithPath:@"/System/Library/PreferencePanes/iCloudPref.prefPane"]]), + .itemURLs = (__bridge CFArrayRef)prefPaneURL, .passThruParams = &aeDesc, .launchFlags = kLSLaunchDefaults | kLSLaunchAsync, .asyncRefCon = NULL, @@ -313,7 +317,7 @@ bool isAppleInternal(void) // Remove reminders NSUserNotificationCenter *noteCenter = appropriateNotificationCenter(); for (NSUserNotification *note in noteCenter.deliveredNotifications) { - if (note.userInfo[kValidOnlyOutOfCircleKey] && note.userInfo[@"ApplicationReminder"]) { + if (note.userInfo[(NSString*) kValidOnlyOutOfCircleKey] && note.userInfo[@"ApplicationReminder"]) { NSLog(@"{ChangeCallback} Removing notification %@", note); [appropriateNotificationCenter() removeDeliveredNotification: note]; } 
@@ -333,7 +337,7 @@ bool isAppleInternal(void) NSLog(@"{ChangeCallback} me.circle.isInCircle"); NSUserNotificationCenter *noteCenter = appropriateNotificationCenter(); for (NSUserNotification *note in noteCenter.deliveredNotifications) { - if (note.userInfo[kValidOnlyOutOfCircleKey]) { + if (note.userInfo[(NSString*) kValidOnlyOutOfCircleKey]) { NSLog(@"Removing existing notification (%@) now that we are in circle", note); [appropriateNotificationCenter() removeDeliveredNotification: note]; } @@ -455,7 +459,7 @@ bool isAppleInternal(void) { NSUserNotificationCenter *noteCenter = appropriateNotificationCenter(); for (NSUserNotification *note in noteCenter.deliveredNotifications) { - if (note.userInfo[kKickedOutKey]) { + if (note.userInfo[(NSString*) kKickedOutKey]) { if (note.isPresented) { NSLog(@"Already posted&presented (removing): %@", note); [appropriateNotificationCenter() removeDeliveredNotification: note]; @@ -540,8 +544,8 @@ bool isAppleInternal(void) note.userInfo = @{ @"ApplicationReminder" : @1, kValidOnlyOutOfCircleKey: @1, - @"Activate" : (__bridge NSString *) kMMPropertyKeychainWADetailsAEAction, - }; + @"Activate" : (__bridge NSString *) kMMPropertyKeychainWADetailsAEAction, + }; NSLog(@"About to post #-/%lu (REMINDER): %@ (I=%@)", noteCenter.deliveredNotifications.count, note, [note.userInfo compactDescription]); [appropriateNotificationCenter() deliverNotification:note]; diff --git a/OSX/Keychain Circle Notification/KNPersistentState.h b/OSX/Keychain Circle Notification/KNPersistentState.h index 8c2f2a5a..d794dff4 100644 --- a/OSX/Keychain Circle Notification/KNPersistentState.h +++ b/OSX/Keychain Circle Notification/KNPersistentState.h 
@@ -23,8 +23,8 @@ #import <Foundation/Foundation.h> -#include "SecureObjectSync/SOSCloudCircle.h" -#include "SecureObjectSync/SOSPeerInfo.h" +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSPeerInfo.h> @interface KNPersistentState : NSObject +(instancetype)loadFromStorage; diff --git a/OSX/Keychain Circle Notification/Keychain Circle Notification-Info.plist b/OSX/Keychain Circle Notification/Keychain Circle Notification-Info.plist index 9955cea7..f689ae50 100644 --- a/OSX/Keychain Circle Notification/Keychain Circle Notification-Info.plist +++ b/OSX/Keychain Circle Notification/Keychain Circle Notification-Info.plist @@ -7,7 +7,7 @@ <key>CFBundleExecutable</key> <string>${EXECUTABLE_NAME}</string> <key>CFBundleIdentifier</key> - <string>com.security.apple.${PRODUCT_NAME:rfc1034identifier}</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> diff --git a/OSX/Keychain Circle Notification/NSDictionary+compactDescription.m b/OSX/Keychain Circle Notification/NSDictionary+compactDescription.m index 64350b77..15e3318a 100644 --- a/OSX/Keychain Circle Notification/NSDictionary+compactDescription.m +++ b/OSX/Keychain Circle Notification/NSDictionary+compactDescription.m @@ -47,7 +47,7 @@ { NSMutableArray *results = [NSMutableArray new]; for (NSString *k in self) { - if ([k isEqualToString:kSecValueData]) { + if ([k isEqualToString:(__bridge NSString*) kSecValueData]) { [results addObject:[NSString stringWithFormat:@"%@=<not-logged>", [k compactDescription]]]; continue; } diff --git a/OSX/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist b/OSX/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist index 0167ddd5..fd668fba 100644 --- a/OSX/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist 
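Review bot: The redaction in the compactDescription hunk keys only on `kSecValueData`, so a secret stored under any other key, or inside a nested dictionary value, is still logged verbatim; that limit deserves a comment next to the check, e.g. `// Only kSecValueData is redacted; do not route other secret-bearing keys or nested item dictionaries through this description.` The `isEqualToString:` call also assumes every key is an NSString, whereas NSDictionary permits any NSCopying key and a non-string key would raise an unrecognized-selector exception, so `if ([k isKindOfClass:[NSString class]] && [k isEqualToString:(__bridge NSString *)kSecValueData])` is the safer form. The enclosing method starts and ends outside this hunk.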
+++ b/OSX/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist @@ -5,11 +5,13 @@ <key>Label</key> <string>com.apple.security.keychain-circle-notification</string> <key>RunAtLoad</key> - <true/> + <false/> <key>KeepAlive</key> <false/> - <key>ProcessType</key> - <string>Background</string> + <key>EnablePressuredExit</key> + <true/> + <key>LimitLoadToSessionType</key> + <string>Aqua</string> <key>LaunchEvents</key> <dict> <key>com.apple.notifyd.matching</key> diff --git a/OSX/Keychain Circle Notification/entitlments.plist b/OSX/Keychain Circle Notification/entitlments.plist index f1eb0a17..356b6481 100644 --- a/OSX/Keychain Circle Notification/entitlments.plist +++ b/OSX/Keychain Circle Notification/entitlments.plist @@ -2,6 +2,8 @@ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> + <key>com.apple.accounts.appleaccount.fullaccess</key> + <true/> <key>com.apple.private.notificationcenter-system</key> <array> <dict> diff --git a/OSX/Keychain/KDAppDelegate.m b/OSX/Keychain/KDAppDelegate.m index 92431e81..b3fca93c 100644 --- a/OSX/Keychain/KDAppDelegate.m +++ b/OSX/Keychain/KDAppDelegate.m @@ -43,7 +43,9 @@ self.itemDataSource = [[KDSecItems alloc] init]; self.itemTable.dataSource = self.itemDataSource; - + +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunused-variable" int notificationToken; uint32_t rc = notify_register_dispatch(kSecServerKeychainChangedNotification, ¬ificationToken, dispatch_get_main_queue(), ^(int token __unused) { NSLog(@"Received %s", kSecServerKeychainChangedNotification); 
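Review bot: The new `com.apple.accounts.appleaccount.fullaccess` entitlement is added with no record of which code path requires it; its name suggests broad access to the Apple account store, which is a wide grant for a notification agent, so the justification belongs beside the key. Add an XML comment above it, e.g. `<!-- Needed by the CoreCDP follow-up code in KNAppDelegate; drop when that path goes away -->`, adjusted to the real consumer (the CoreCDP imports appear in KNAppDelegate.m in this same change, so that is presumably it). If the consumer only reads account state and a narrower entitlement exists, prefer that over full access.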
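Review bot: Silencing -Wunused-variable around `rc` hides the actual defect: `rc` is consumed only by `NSAssert`, which compiles out under NS_BLOCK_ASSERTIONS, so in a release build a failed `notify_register_dispatch` is ignored and the item table quietly stops refreshing on keychain changes. Replace the pragma pair and the assert with a check that survives in release, e.g. `if (rc != NOTIFY_STATUS_OK) { NSLog(@"Can't register for %s (status %u)", kSecServerKeychainChangedNotification, rc); }`. The NSAssert line and the matching pragma pop sit in the next hunk, and the enclosing method starts before this one.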
@@ -51,26 +53,32 @@ [self.itemTable reloadData]; }); NSAssert(rc == 0, @"Can't register for %s", kSecServerKeychainChangedNotification); +#pragma clang diagnostic pop self.circle = [KDSecCircle new]; + + __weak typeof(self) weakSelf = self; [self.circle addChangeCallback:^{ - self.circleStatusCell.stringValue = self.circle.status; - - [self setCheckbox]; - - self.peerCountCell.objectValue = @(self.circle.peers.count); - NSString *peerNames = [[self.circle.peers mapWithBlock:^id(id obj) { - return ((KDCirclePeer*)obj).name; - }] componentsJoinedByString:@"\n"]; - [self.peerTextList.textStorage replaceCharactersInRange:NSMakeRange(0, [self.peerTextList.textStorage length]) withString:peerNames]; - - self.applicantCountCell.objectValue = @(self.circle.applicants.count); - NSString *applicantNames = [[self.circle.applicants mapWithBlock:^id(id obj) { - return ((KDCirclePeer*)obj).name; - }] componentsJoinedByString:@"\n"]; - [self.applicantTextList.textStorage replaceCharactersInRange:NSMakeRange(0, [self.applicantTextList.textStorage length]) withString:applicantNames]; - - [self.syncSpinner stopAnimation:nil]; + __strong typeof(self) strongSelf = weakSelf; + if(strongSelf) { + strongSelf.circleStatusCell.stringValue = strongSelf.circle.status; + + [strongSelf setCheckbox]; + + strongSelf.peerCountCell.objectValue = @(strongSelf.circle.peers.count); + NSString *peerNames = [[strongSelf.circle.peers mapWithBlock:^id(id obj) { + return ((KDCirclePeer*)obj).name; + }] componentsJoinedByString:@"\n"]; + [strongSelf.peerTextList.textStorage replaceCharactersInRange:NSMakeRange(0, [strongSelf.peerTextList.textStorage length]) withString:peerNames]; + + strongSelf.applicantCountCell.objectValue = @(strongSelf.circle.applicants.count); + NSString *applicantNames = [[strongSelf.circle.applicants mapWithBlock:^id(id obj) { + return ((KDCirclePeer*)obj).name; + }] componentsJoinedByString:@"\n"]; + [strongSelf.applicantTextList.textStorage replaceCharactersInRange:NSMakeRange(0, 
[strongSelf.applicantTextList.textStorage length]) withString:applicantNames]; + + [strongSelf.syncSpinner stopAnimation:nil]; + } }]; } diff --git a/OSX/Keychain/KDCirclePeer.m b/OSX/Keychain/KDCirclePeer.m index a813b41c..91f8864e 100644 --- a/OSX/Keychain/KDCirclePeer.m +++ b/OSX/Keychain/KDCirclePeer.m @@ -23,8 +23,8 @@ #import "KDCirclePeer.h" -#include "SecureObjectSync/SOSCloudCircle.h" -#include "SecureObjectSync/SOSPeerInfo.h" +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSPeerInfo.h> @interface KDCirclePeer () diff --git a/OSX/Keychain/KDSecCircle.h b/OSX/Keychain/KDSecCircle.h index 214c77ab..42f70275 100644 --- a/OSX/Keychain/KDSecCircle.h +++ b/OSX/Keychain/KDSecCircle.h @@ -22,7 +22,7 @@ */ -#import "SecureObjectSync/SOSCloudCircle.h" +#import <Security/SecureObjectSync/SOSCloudCircle.h> #import <Foundation/Foundation.h> @interface KDSecCircle : NSObject diff --git a/OSX/Keychain/KDSecCircle.m b/OSX/Keychain/KDSecCircle.m index 31cbc174..14ddc7d2 100644 --- a/OSX/Keychain/KDSecCircle.m +++ b/OSX/Keychain/KDSecCircle.m @@ -26,10 +26,13 @@ #import "KDCirclePeer.h" #include <notify.h> #include <dispatch/dispatch.h> -#import "SecureObjectSync/SOSCloudCircle.h" -#include "SecureObjectSync/SOSPeerInfo.h" + +#import <Security/SecureObjectSync/SOSCloudCircle.h> +#import <Security/SecureObjectSync/SOSPeerInfo.h> + #import <CloudServices/SecureBackup.h> -#include "../utilities/utilities/debugging.h" + +#include <utilities/debugging.h> @interface KDSecCircle () @property (retain) NSMutableArray *callbacks; @@ -129,6 +132,10 @@ typedef void (^applicantBlock)(id applicant); }); } +// Tell clang that these bools are okay, even if NSAssert doesn't use them +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunused-variable" + -(void)acceptApplicantId:(NSString*)applicantId { [self forApplicantId:applicantId run:^void(id applicant) { 
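Review bot: The comment `Tell clang that these bools are okay, even if NSAssert doesn't use them` states that the result flags in acceptApplicantId (and whatever else sits between this push and the pop in the next hunk) are inspected only by NSAssert; with NS_BLOCK_ASSERTIONS defined that inspection vanishes, and a failed accept or reject of a circle applicant would go unreported in a release build. Rather than suppressing the warning, test the flag explicitly so the failure is at least logged, e.g. `if (!accepted) { NSLog(@"acceptApplicantId %@ failed", applicantId); }`, using the variable's real name. The method bodies are outside this hunk, so this is inferred from the comment alone.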
@@ -147,6 +154,8 @@ typedef void (^applicantBlock)(id applicant); }]; } +#pragma clang diagnostic pop + -(id)init { self = [super init]; diff --git a/OSX/Keychain/Keychain-Info.plist b/OSX/Keychain/Keychain-Info.plist index 36213f65..70ad5526 100644 --- a/OSX/Keychain/Keychain-Info.plist +++ b/OSX/Keychain/Keychain-Info.plist @@ -9,7 +9,7 @@ <key>CFBundleIconFile</key> <string>Icon.icns</string> <key>CFBundleIdentifier</key> - <string>com.apple.security.${PRODUCT_NAME:rfc1034identifier}</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> diff --git a/OSX/Modules b/OSX/Modules new file mode 120000 index 00000000..287aeb42 --- /dev/null +++ b/OSX/Modules @@ -0,0 +1 @@ +./Modules \ No newline at end of file diff --git a/OSX/OSX.xcodeproj/project.pbxproj b/OSX/OSX.xcodeproj/project.pbxproj index 2bb44ff5..482c5946 100644 --- a/OSX/OSX.xcodeproj/project.pbxproj +++ b/OSX/OSX.xcodeproj/project.pbxproj 
@@ -7,29 +7,6 @@ objects = { /* Begin PBXAggregateTarget section */ - 0C6C642915D5ADB500BC68CD /* Security_kexts */ = { - isa = PBXAggregateTarget; - buildConfigurationList = 0C6C642A15D5ADB500BC68CD /* Build configuration list for PBXAggregateTarget "Security_kexts" */; - buildPhases = ( - ); - dependencies = ( - ); - name = Security_kexts; - productName = Security_kexts; - }; - 182BB598146FE295000BF1F3 /* World */ = { - isa = PBXAggregateTarget; - buildConfigurationList = 182BB599146FE295000BF1F3 /* Build configuration list for PBXAggregateTarget "World" */; - buildPhases = ( - 18F2360315CB30EC00060520 /* ShellScript */, - ); - dependencies = ( - 186F779914E5A06500434E1F /* PBXTargetDependency */, - 186F779B14E5A06800434E1F /* PBXTargetDependency */, - ); - name = World; - productName = SecurityFramework; - }; 186F778814E59FB200434E1F /* Security_frameworks */ = { isa = PBXAggregateTarget; buildConfigurationList = 186F778914E59FB200434E1F /* Build configuration list for PBXAggregateTarget "Security_frameworks" */; 
@@ -54,18 +31,17 @@ 3705CADE1A8971DF00402F75 /* PBXTargetDependency */, 37AB39401A44A95500B56E04 /* PBXTargetDependency */, 37A7CEDA197DBA8700926CE8 /* PBXTargetDependency */, - 722CF218175D602F00BCE0A5 /* PBXTargetDependency */, - 521470291697842500DF0DB3 /* PBXTargetDependency */, - CDEB2BD21A8151CD00B0E23A /* PBXTargetDependency */, 18F235FF15CA100300060520 /* PBXTargetDependency */, - 186F779114E5A00F00434E1F /* PBXTargetDependency */, BE48AE291ADF204E000836C1 /* PBXTargetDependency */, + 186F779114E5A00F00434E1F /* PBXTargetDependency */, 0CCEBDBA16C303D8001BD7F6 /* PBXTargetDependency */, 0CFC55E315DDB86500BEC89E /* PBXTargetDependency */, C2432A2515C726B50096DB5B /* PBXTargetDependency */, 4CB23B90169F59D8003A0131 /* PBXTargetDependency */, EBB9FFE01682E71F00FF9774 /* PBXTargetDependency */, F94E7A971ACC8CC200F23132 /* PBXTargetDependency */, + EBB6970E1BE2095F00715F16 /* PBXTargetDependency */, + D466FA771CA0C2A500433142 /* PBXTargetDependency */, ); name = Security_executables; productName = Other; 
@@ -97,14 +73,13 @@ /* Begin PBXBuildFile section */ 0C03D62B17D93EED0087643B /* SecDH.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C03D60317D93E810087643B /* SecDH.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 0C0C887D1CCED19E00617D1B /* si-82-sectrust-ct-data in Resources */ = {isa = PBXBuildFile; fileRef = 0C0C887C1CCED19E00617D1B /* si-82-sectrust-ct-data */; }; 0C10987616CAAE8200803B8F /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; - 0C4EAE4C1766864F00773425 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; - 0C4EAE761766875E00773425 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; 0C4EAE7717668DDF00773425 /* libsecdRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0C4EAE721766865000773425 /* libsecdRegressions.a */; }; 0C4F055E15C9E51A00F9DFD5 /* sslTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C4F055D15C9E51A00F9DFD5 /* sslTypes.h */; settings = {ATTRIBUTES = (Private, ); }; }; 0C6C632A15D1989900BC68CD /* libsecurity_ssl_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0C6D77CF15C8B66000BB4405 /* libsecurity_ssl_regressions.a */; }; 0C6C633015D19FF500BC68CD /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; - 0C6D0065177B54CB0095D167 /* com.apple.securityd in CopyFiles */ = {isa = PBXBuildFile; fileRef = 0C6D0064177B54C60095D167 /* com.apple.securityd */; }; + 0C869B6A1C865E62006A2873 /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0C869B691C865E62006A2873 /* CoreCDP.framework */; }; 0CAA7AB516C9A72A00A32C6D /* libsecurity_keychain_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CBD50B316C325F000713B6C /* libsecurity_keychain_regressions.a */; }; 0CC2CB101B6A04D80074B0F2 /* 
libDiagnosticMessagesClient.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CC2CB0F1B6A04D80074B0F2 /* libDiagnosticMessagesClient.dylib */; }; 0CC3351C16C1ED8000399E53 /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18D4053B14CE2C1600A2BE4E /* libsecurity.a */; }; @@ -172,8 +147,6 @@ 182BB5B8146FF0A2000BF1F3 /* libobjc.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B7146FF0A1000BF1F3 /* libobjc.dylib */; }; 182BB5BA146FF0BF000BF1F3 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; }; 182BB5BB146FF62F000BF1F3 /* libsecurity_comcryption.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B676146DE75E007E536C /* libsecurity_comcryption.a */; }; - 1831329B14EB2C6D00F0BCAC /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; - 1831329C14EB2C6D00F0BCAC /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; 18363C1417026084002D5C1C /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; 1844605F146DE93E00B12992 /* csp_capabilities.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 1844605B146DE93E00B12992 /* csp_capabilities.mdsinfo */; }; 18446060146DE93E00B12992 /* csp_capabilities_common.mds in Resources */ = {isa = PBXBuildFile; fileRef = 1844605C146DE93E00B12992 /* csp_capabilities_common.mds */; }; 
@@ -375,6 +348,8 @@ 18FE688B1471A46700A2CBE3 /* SecureTransportPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB372146F13BB000BF1F3 /* SecureTransportPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; 18FE688C1471A46700A2CBE3 /* TrustSettingsSchema.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1C8146EAD5D000BF1F3 /* TrustSettingsSchema.h */; settings = {ATTRIBUTES = (Private, ); }; }; 18FE688D1471A46700A2CBE3 /* X509Templates.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844609E146DFCB700B12992 /* X509Templates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 1FDA9ABC1C4489280083929D /* SecTranslocate.h in Headers */ = {isa = PBXBuildFile; fileRef = 1FDA9ABB1C4489280083929D /* SecTranslocate.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 1FDA9ABD1C448DFC0083929D /* libsecurity_translocate.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1F6FC6001C3D9D90001C758F /* libsecurity_translocate.a */; }; 3705CAD91A896E0600402F75 /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 3705CACD1A896DA800402F75 /* main.c */; }; 3705CADA1A896E0F00402F75 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; 371AB2F21A04052E00A08CF2 /* teamid.sh in CopyFiles */ = {isa = PBXBuildFile; fileRef = 371AB2CA1A04050700A08CF2 /* teamid.sh */; }; 
@@ -389,7 +364,6 @@ 39BFB04516D304DE0022564B /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */; }; 431B737F1B27762C00EB0360 /* CloudServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 431B73571B27762300EB0360 /* CloudServices.framework */; }; 431B73C11B2777A200EB0360 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; - 432800831B4CE730002E8525 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; 432800841B4CE731002E8525 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; 4328FE9B1B4CDBA5002E8525 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; 4328FED11B4CDC11002E8525 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */; }; 
@@ -398,11 +372,8 @@ 4381B9A91B28C6B2002BBC79 /* CloudServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 431B73571B27762300EB0360 /* CloudServices.framework */; }; 4381B9AA1B28E09F002BBC79 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; 43A599161B0CFCAB00D14A7B /* CloudKeychain.strings in CopyFiles */ = {isa = PBXBuildFile; fileRef = 43A598591B0CF2AB00D14A7B /* CloudKeychain.strings */; }; - 43C3B0D41AFD569600786702 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; 43C3B0D51AFD56B700786702 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; 43C3B2681AFD5B4800786702 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; - 43C3B2C61AFD5BBB00786702 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD19A65E1A8065E900F9C276 /* Foundation.framework */; }; - 43C3B3311AFD5E1100786702 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; 43C3B35A1AFD5E1800786702 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; 4469FC291AA0A5AF0021AA26 /* libctkclient_test.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC001AA0A56F0021AA26 /* libctkclient_test.a */; }; 44A655A71AA4B4F30059D185 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC011AA0A56F0021AA26 /* libctkclient.a */; }; 
@@ -415,6 +386,7 @@ 44D78BBA1A0A616200B63C6C /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; 44D78BBB1A0A617700B63C6C /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; 44F7912019FFED88008B8147 /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; + 486326331CAA0C6500A466D9 /* com.apple.securityd.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 486326321CAA0C6500A466D9 /* com.apple.securityd.plist */; }; 48FDA8771AF98A3600A9366F /* SOSCloudCircleInternal.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 48FDA84D1AF989F600A9366F /* SOSCloudCircleInternal.h */; }; 4A5C1790161A9DFB00ABF784 /* authd_private.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 18F2351A15C9FA3C00060520 /* authd_private.h */; }; 4C01DF14164C3E7C006798CD /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; 
@@ -462,24 +434,17 @@ 4CE7EAA31AEAF5230067F5BD /* SecItemBackup.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CE7EA7D1AEAF50F0067F5BD /* SecItemBackup.h */; settings = {ATTRIBUTES = (Private, ); }; }; 5208BF4F16A0993C0062DDC5 /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18D4053B14CE2C1600A2BE4E /* libsecurity.a */; }; 5208C0D716A0C96F0062DDC5 /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; - 5214701216977CB800DF0DB3 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 5214701016977CB800DF0DB3 /* InfoPlist.strings */; }; - 5214701D16977D9500DF0DB3 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; - 5214701E16977DA700DF0DB3 /* libCloudKeychainProxy.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C01DE32164C3793006798CD /* libCloudKeychainProxy.a */; }; - 521470261697800500DF0DB3 /* com.apple.security.cloudkeychainproxy.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 5214702516977FEC00DF0DB3 /* com.apple.security.cloudkeychainproxy.plist */; }; 5241C60D16DC1BA100DB5C6F /* libSecOtrOSX.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288F215FFE9D7008CE3E3 /* libSecOtrOSX.a */; }; 5244926A1AFD6CB70043695A /* der_plist.h in Headers */ = {isa = PBXBuildFile; fileRef = 524492691AFD6CB70043695A /* der_plist.h */; settings = {ATTRIBUTES = (Private, ); }; }; 52669053169D181900ED8231 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; - 529E948C169E29450000AC9B /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18FE67EA1471A3AA00A2CBE3 /* Security.framework */; }; 529E948D169E29470000AC9B /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18FE67EA1471A3AA00A2CBE3 /* Security.framework */; }; 52AEA489153C778C005AFC59 /* tsaSupportPriv.h in Headers */ = 
{isa = PBXBuildFile; fileRef = 52AEA484153C7581005AFC59 /* tsaSupportPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; 52B006C015238F76005D4556 /* TimeStampingPrefs.plist in Resources */ = {isa = PBXBuildFile; fileRef = 52B006BF15238F76005D4556 /* TimeStampingPrefs.plist */; }; 52B5A9C21519330300664F11 /* tsaSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = 52B5A9C01519330300664F11 /* tsaSupport.h */; settings = {ATTRIBUTES = (Private, ); }; }; 52B5A9C31519330300664F11 /* tsaTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 52B5A9C11519330300664F11 /* tsaTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 52C3D236169B56860091D9D3 /* ckdmain.m in Sources */ = {isa = PBXBuildFile; fileRef = 52C3D235169B56860091D9D3 /* ckdmain.m */; }; 52CD052316A0E24900218387 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; 52F8DDFA1AF2E56700A2C271 /* SOSViews.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DDF91AF2E56600A2C271 /* SOSViews.h */; }; 52F8DE211AF2E57300A2C271 /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DE201AF2E57300A2C271 /* SOSBackupSliceKeyBag.h */; }; - 52F8DE251AF2E58B00A2C271 /* SOSForerunnerSession.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DE231AF2E58B00A2C271 /* SOSForerunnerSession.h */; }; 52F8DE4C1AF2EB6600A2C271 /* SOSTypes.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DE4B1AF2EB6600A2C271 /* SOSTypes.h */; }; 532847791785076B009118DC /* Localizable.strings in Resources */ = {isa = PBXBuildFile; fileRef = 5328475117850741009118DC /* Localizable.strings */; }; 5E605AFC1AB859B70049FA14 /* libcoreauthd_test_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E605AFB1AB859B70049FA14 /* libcoreauthd_test_client.a */; }; 
@@ -497,20 +462,20 @@ 5EF7C2501B00EA7A00E5E99C /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; 5EF7C2511B00EAF100E5E99C /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; 5EF7C2521B00EB0A00E5E99C /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; - 5EFB69BD1B0CBE030095A36E /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F1214CF43C000B05E7F /* libDER.a */; }; 5EFB69C31B0CC16F0095A36E /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* libsecipc_client.a */; }; - 72756C31175D48C100F52070 /* cloud_keychain_diagnose.c in Sources */ = {isa = PBXBuildFile; fileRef = 72756C30175D48C100F52070 /* cloud_keychain_diagnose.c */; }; + 6C721DB11D3D18D700888AE1 /* login.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6C721DB01D3D18D700888AE1 /* login.framework */; }; + 6C721DD61D3D18EC00888AE1 /* login.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6C721DB01D3D18D700888AE1 /* login.framework */; }; 7A21DAE619B7F27C0007D37F /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + 8E64DB4A1C17C26F0076C9DF /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; + 8E64DB4B1C17C2830076C9DF /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; AAF3DCCB1666D03300376593 /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F235F715CA0D9D00060520 /* libsecurity_utilities.a */; }; AC5688BC18B4396D00F0526C /* SecCMS.h in Headers */ = {isa = PBXBuildFile; fileRef = AC5688BA18B4396D00F0526C /* SecCMS.h */; settings = {ATTRIBUTES = (Private, ); }; }; ACB6171918B5231800EBEDD7 /* libsecurity_smime_regressions.a in Frameworks 
*/ = {isa = PBXBuildFile; fileRef = ACB6171818B5231800EBEDD7 /* libsecurity_smime_regressions.a */; }; - BE2C05151AD893DF00D6A139 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F2360015CAF41100060520 /* libsecurity_codesigning.a */; }; BE48AE031ADF1DF4000836C1 /* server.c in Sources */ = {isa = PBXBuildFile; fileRef = 18270EF314CF333400B05E7F /* server.c */; }; BE48AE051ADF1DF4000836C1 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; BE48AE061ADF1DF4000836C1 /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; BE48AE071ADF1DF4000836C1 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; BE48AE081ADF1DF4000836C1 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */; }; - BE48AE091ADF1DF4000836C1 /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18D4053B14CE2C1600A2BE4E /* libsecurity.a */; }; BE48AE0A1ADF1DF4000836C1 /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F235F715CA0D9D00060520 /* libsecurity_utilities.a */; }; BE48AE0B1ADF1DF4000836C1 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; BE48AE0C1ADF1DF4000836C1 /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; 
@@ -520,74 +485,128 @@ BE48AE101ADF1DF4000836C1 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; BE48AE111ADF1DF4000836C1 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; }; BE48AE121ADF1DF4000836C1 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; }; - BE48AE131ADF1DF4000836C1 /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270C7D14CE573D00B05E7F /* libsecurityd.a */; }; - BE48AE141ADF1DF4000836C1 /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; BE48AE151ADF1DF4000836C1 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC011AA0A56F0021AA26 /* libctkclient.a */; }; - BE48AE161ADF1DF4000836C1 /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* libsecipc_client.a */; }; BE48AE171ADF1DF4000836C1 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; BE48AE181ADF1DF4000836C1 /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFB14CF427800B05E7F /* CFNetwork.framework */; }; BE48AE251ADF1FD3000836C1 /* com.apple.trustd.agent.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = BE48AE241ADF1FD3000836C1 /* com.apple.trustd.agent.plist */; }; BE48AE271ADF2016000836C1 /* com.apple.trustd.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = BE48AE261ADF2011000836C1 /* com.apple.trustd.plist */; }; - BE60737A1ADC9E89007FECC1 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; - BE6073A51ADC9F1C007FECC1 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC011AA0A56F0021AA26 /* libctkclient.a */; }; - 
BE6073A61ADC9F7A007FECC1 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */; }; - BE6073A71ADC9F88007FECC1 /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFB14CF427800B05E7F /* CFNetwork.framework */; }; - BE607DC61AD8673C001B7778 /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; - BE607DC71AD86746001B7778 /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; - BE607DC81AD86859001B7778 /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; - BE607DC91AD8685B001B7778 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; BE8C5F0A16F7CE450074CF86 /* framework.sb in Resources */ = {isa = PBXBuildFile; fileRef = BE8C5F0916F7CE450074CF86 /* framework.sb */; }; BE8D22C01ABB74C3009A4E18 /* libSecTrustOSX.a in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8D22BC1ABB747B009A4E18 /* libSecTrustOSX.a */; }; - BE94B7941AD83AF700A7216D /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; }; - BE94B7951AD83AF700A7216D /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; }; - BE94B7971AD83AF700A7216D /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; - BE94B7981AD83AF700A7216D /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; - BE94B7CD1AD83B9900A7216D /* server.c in Sources */ = {isa = PBXBuildFile; fileRef = 18270EF314CF333400B05E7F /* server.c */; }; - BE94B7D01AD83D0D00A7216D /* libsecipc_client.a in Frameworks */ = {isa = 
PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* libsecipc_client.a */; }; - BE94B7D21AD83D0D00A7216D /* libSecTrustOSX.a in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8D22BC1ABB747B009A4E18 /* libSecTrustOSX.a */; }; - BE94B7D41AD83D0D00A7216D /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18D4053B14CE2C1600A2BE4E /* libsecurity.a */; }; - BE94B7D51AD83D2B00A7216D /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; - BE94B7D81AD83D6A00A7216D /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270C7D14CE573D00B05E7F /* libsecurityd.a */; }; - BE94B7DC1AD8425E00A7216D /* com.apple.trustd.asl in Copy asl module */ = {isa = PBXBuildFile; fileRef = BE94B7DA1AD8424700A7216D /* com.apple.trustd.asl */; }; - BE94B7DD1AD8426500A7216D /* com.apple.trustd.sb in Copy sandbox profile */ = {isa = PBXBuildFile; fileRef = BE94B7DB1AD8424700A7216D /* com.apple.trustd.sb */; }; - BE94B7F01AD8457200A7216D /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; - BE9703F71AD865540041D253 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; BEC3A76816F79497003E5634 /* SecTaskPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = BEC3A76716F79497003E5634 /* SecTaskPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; - BEFB63691B6834AB0052149A /* AppWorkaround.plist in Resources */ = {isa = PBXBuildFile; fileRef = BEFB63681B6834AB0052149A /* AppWorkaround.plist */; }; C2407A1B1B30BBF30067E6AE /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; C288A0891505796F00E773B7 /* libOpenScriptingUtil.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = C288A0881505795D00E773B7 /* libOpenScriptingUtil.dylib */; settings = {ATTRIBUTES = (Weak, ); }; }; - CD0637581A840B5B00C81E74 /* 
IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; - CD0CB49E1A818A0D00C058A4 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18FE67EA1471A3AA00A2CBE3 /* Security.framework */; }; - CD19A65D1A8065DC00F9C276 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; - CD19A65F1A8065E900F9C276 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD19A65E1A8065E900F9C276 /* Foundation.framework */; }; - CD19A6611A8069D100F9C276 /* libIDSKeychainSyncingProxy.a in Frameworks */ = {isa = PBXBuildFile; fileRef = CD63AD0C1A8061FA001B5671 /* libIDSKeychainSyncingProxy.a */; }; - CD276BE41A83F204003226BC /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = CD276BE21A83F204003226BC /* InfoPlist.strings */; }; - CD2E85F61A81793B00F8B00A /* IDS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD7446D8195A1CFE00FB01C0 /* IDS.framework */; }; - CD63AD161A8064C2001B5671 /* idksmain.m in Sources */ = {isa = PBXBuildFile; fileRef = CD63AD151A8064C2001B5671 /* idksmain.m */; }; - CD7446D9195A1CFE00FB01C0 /* IDS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD7446D8195A1CFE00FB01C0 /* IDS.framework */; }; CD8B5A9D1B618ED9004D4AEF /* SOSPeerInfoPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = CD8B5A9C1B618ED9004D4AEF /* SOSPeerInfoPriv.h */; }; - CDAE4B9A1A86F6F20000AA84 /* idskeychainsyncingproxy.entitlements.plist in Resources */ = {isa = PBXBuildFile; fileRef = CD63AD191A8064DE001B5671 /* idskeychainsyncingproxy.entitlements.plist */; }; - CDAE4BC21A86F6FF0000AA84 /* cloudkeychain.entitlements.plist in Resources */ = {isa = PBXBuildFile; fileRef = 5214702416977FEC00DF0DB3 /* cloudkeychain.entitlements.plist */; }; - CDB22CE31A9D2EA70043E348 /* IDSKeychainSyncingProxy-Info.plist in Resources */ = {isa = PBXBuildFile; fileRef = CD63AD181A8064DE001B5671 /* 
IDSKeychainSyncingProxy-Info.plist */; }; CDDE9D1E1729E2E60013B0E8 /* SecPasswordGenerate.h in Headers */ = {isa = PBXBuildFile; fileRef = CDDE9D1C1729DF250013B0E8 /* SecPasswordGenerate.h */; settings = {ATTRIBUTES = (Private, ); }; }; - CDE08DD41A85E92200B5C261 /* com.apple.security.idskeychainsyncingproxy.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = CD50D6D21A841C0E00C35E74 /* com.apple.security.idskeychainsyncingproxy.plist */; }; - CDF91EC91AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist in Resources */ = {isa = PBXBuildFile; fileRef = CDF91EC81AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist */; }; - CDF91EF51AAE028F00E88CF7 /* com.apple.private.alloy.keychainsync.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = CDF91EC81AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist */; }; D41685841B3A288F001FB54E /* oids.h in Headers */ = {isa = PBXBuildFile; fileRef = D41685831B3A288F001FB54E /* oids.h */; settings = {ATTRIBUTES = (Public, ); }; }; + D42817D01C6000E1007F95D8 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 1807384B146D0D4E00F05C24 /* Security.framework */; }; + D42CFD771BFD3379008C8737 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; + D42FA82B1C9B8D3D003E46A7 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = D42FA82A1C9B8D3D003E46A7 /* main.m */; }; + D42FA8451C9B8FDE003E46A7 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D42FA8441C9B8FDE003E46A7 /* Foundation.framework */; }; + D42FA8461C9B9000003E46A7 /* libsecurity_cms_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D4CBC1281BE981DE00C5795E /* libsecurity_cms_regressions.a */; }; + D42FA8471C9B9000003E46A7 /* libsecurity_keychain_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CBD50B316C325F000713B6C /* libsecurity_keychain_regressions.a */; }; + D42FA8481C9B9000003E46A7 /* 
libsecurity_smime_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = ACB6171818B5231800EBEDD7 /* libsecurity_smime_regressions.a */; }; + D42FA8491C9B9000003E46A7 /* libsecurity_ssl_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0C6D77CF15C8B66000BB4405 /* libsecurity_ssl_regressions.a */; }; + D42FA84A1C9B900A003E46A7 /* libSharedRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D40772181C9B52210016AA66 /* libSharedRegressions.a */; }; + D42FA84B1C9B9013003E46A7 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + D42FA84D1C9B901E003E46A7 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D42FA84C1C9B901E003E46A7 /* IOKit.framework */; }; + D42FA84E1C9B903F003E46A7 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 1807384B146D0D4E00F05C24 /* Security.framework */; }; + D42FA8501C9B9047003E46A7 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D42FA84F1C9B9047003E46A7 /* CoreFoundation.framework */; }; + D42FA87D1C9B9186003E46A7 /* si-82-sectrust-ct-logs.plist in Resources */ = {isa = PBXBuildFile; fileRef = D42FA87C1C9B9186003E46A7 /* si-82-sectrust-ct-logs.plist */; }; + D42FA8E91C9B95EC003E46A7 /* libregressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CC3356016C1EF5D00399E53 /* libregressions.a */; }; + D42FA8EA1C9BAA44003E46A7 /* bc-10-knife-on-bread.m in Sources */ = {isa = PBXBuildFile; fileRef = EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.m */; }; + D42FA8EB1C9BAAD5003E46A7 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; + D447C0C21D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = D447C0C11D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib */; }; + D447C0E71D2C9C390082FC1D /* libDiagnosticMessagesClient.dylib in Frameworks */ = {isa = PBXBuildFile; 
fileRef = D447C0C11D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib */; }; + D45FC3E11C9E068700509CDA /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270C7D14CE573D00B05E7F /* libsecurityd.a */; }; + D45FC3E41C9E06B500509CDA /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; + D467D0EA1C9DF27100C9DE3E /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* libsecipc_client.a */; }; + D47F51221C3B80DF00A7CEFE /* SecCFAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = D47F51211C3B80DE00A7CEFE /* SecCFAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; }; D4CBC1451BE981F600C5795E /* libsecurity_cms_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D4CBC1281BE981DE00C5795E /* libsecurity_cms_regressions.a */; }; + D4D886C41CEBDBEB00DC7583 /* ssl-policy-certs in Resources */ = {isa = PBXBuildFile; fileRef = D4D886C31CEBDBEB00DC7583 /* ssl-policy-certs */; }; + D4D886F31CED01F800DC7583 /* nist-certs in Resources */ = {isa = PBXBuildFile; fileRef = D4D886F21CED01F800DC7583 /* nist-certs */; }; + D4D886FE1CED07B400DC7583 /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in Copy DigicertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = D4D886FA1CED07B400DC7583 /* Digisign-Server-ID-Enrich-Entrust-Cert.crt */; }; + D4D886FF1CED07B400DC7583 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in Copy DigicertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = D4D886FB1CED07B400DC7583 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt */; }; + D4D887001CED07B400DC7583 /* Invalid-webmail.jaring.my.crt in Copy DigicertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = D4D886FC1CED07B400DC7583 /* Invalid-webmail.jaring.my.crt */; }; + D4D887011CED07B400DC7583 /* Invalid-www.cybersecurity.my.crt in Copy DigicertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = D4D886FD1CED07B400DC7583 /* 
Invalid-www.cybersecurity.my.crt */; }; + D4D8871B1CED081700DC7583 /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887041CED081500DC7583 /* diginotar-public-ca-2025-Cert.crt */; }; + D4D8871C1CED081700DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887051CED081500DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt */; }; + D4D8871D1CED081700DC7583 /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887061CED081500DC7583 /* diginotar-services-diginotar-root-Cert.crt */; }; + D4D8871E1CED081700DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887071CED081500DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt */; }; + D4D8871F1CED081700DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887081CED081500DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; }; + D4D887201CED081700DC7583 /* diginotar.root.ca-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887091CED081500DC7583 /* diginotar.root.ca-entrust-secure-server-Cert.crt */; }; + D4D887231CED081700DC7583 /* Invalid-asterisk.google.com.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D8870C1CED081600DC7583 /* Invalid-asterisk.google.com.crt */; }; + D4D887241CED081700DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D8870D1CED081600DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; }; + D4D887251CED081700DC7583 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar-Entrust Resources */ = 
{isa = PBXBuildFile; fileRef = D4D8870E1CED081600DC7583 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; }; + D4D887261CED081700DC7583 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D8870F1CED081600DC7583 /* Invalid-diginotarpkioverheidcaoverheid.crt */; }; + D4D887271CED081700DC7583 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887101CED081600DC7583 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; }; + D4D887281CED081700DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887111CED081600DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; }; + D4D887291CED081700DC7583 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887121CED081600DC7583 /* Invalid-webmail.portofamsterdam.nl.crt */; }; + D4D8872A1CED081700DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887131CED081600DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; }; + D4D8872B1CED081700DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887141CED081600DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; }; + D4D8872C1CED081700DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887151CED081600DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; }; + D4D8872D1CED081700DC7583 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 
D4D887161CED081700DC7583 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; }; + D4D8872F1CED081700DC7583 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887181CED081700DC7583 /* staatdernederlandenorganisatieca-g2-Cert.crt */; }; + D4D887301CED081700DC7583 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = D4D887191CED081700DC7583 /* staatdernederlandenoverheidca-Cert.crt */; }; + D4D887321CED093200DC7583 /* Invalid-asterisk.google.com.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D8870C1CED081600DC7583 /* Invalid-asterisk.google.com.crt */; }; + D4D887331CED093A00DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887111CED081600DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; }; + D4D887341CED094200DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887131CED081600DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; }; + D4D887351CED094C00DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887141CED081600DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; }; + D4D887361CED095600DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887151CED081600DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; }; + D4D887371CED098500DC7583 /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887041CED081500DC7583 /* diginotar-public-ca-2025-Cert.crt */; }; + D4D887381CED098500DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt in 
Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887051CED081500DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt */; }; + D4D887391CED098500DC7583 /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887061CED081500DC7583 /* diginotar-services-diginotar-root-Cert.crt */; }; + D4D8873A1CED098500DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887071CED081500DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt */; }; + D4D8873B1CED098500DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887081CED081500DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; }; + D4D8873C1CED099F00DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D8870D1CED081600DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; }; + D4D8873D1CED099F00DC7583 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D8870E1CED081600DC7583 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; }; + D4D8873E1CED099F00DC7583 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D8870F1CED081600DC7583 /* Invalid-diginotarpkioverheidcaoverheid.crt */; }; + D4D8873F1CED099F00DC7583 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887101CED081600DC7583 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; }; + D4D887401CED09B300DC7583 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887181CED081700DC7583 /* staatdernederlandenorganisatieca-g2-Cert.crt */; }; + 
D4D887411CED09B300DC7583 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887191CED081700DC7583 /* staatdernederlandenoverheidca-Cert.crt */; }; + D4D887421CED09BD00DC7583 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887161CED081700DC7583 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; }; + D4D887431CED09C500DC7583 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = D4D887121CED081600DC7583 /* Invalid-webmail.portofamsterdam.nl.crt */; }; + D4D887441CED09DA00DC7583 /* Expectations.plist in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D8870B1CED081500DC7583 /* Expectations.plist */; }; + D4D887451CED09F600DC7583 /* DigiNotar_Root_CA_G2-RootCertificate.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887031CED081500DC7583 /* DigiNotar_Root_CA_G2-RootCertificate.crt */; }; + D4D887461CED09F600DC7583 /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887041CED081500DC7583 /* diginotar-public-ca-2025-Cert.crt */; }; + D4D887471CED09F600DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887051CED081500DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt */; }; + D4D887481CED09F600DC7583 /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887061CED081500DC7583 /* diginotar-services-diginotar-root-Cert.crt */; }; + D4D887491CED09F600DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887071CED081500DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt */; }; + D4D8874A1CED09F600DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt 
in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887081CED081500DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; }; + D4D8874B1CED09F600DC7583 /* DigiNotarCA2007RootCertificate.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D8870A1CED081500DC7583 /* DigiNotarCA2007RootCertificate.crt */; }; + D4D8874C1CED09FF00DC7583 /* Invalid-asterisk.google.com.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D8870C1CED081600DC7583 /* Invalid-asterisk.google.com.crt */; }; + D4D8874D1CED0A0600DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887111CED081600DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; }; + D4D8874E1CED0A0F00DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887131CED081600DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; }; + D4D8874F1CED0A2A00DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887141CED081600DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; }; + D4D887501CED0A3400DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887151CED081600DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; }; + D4D887511CED0A4400DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D8870D1CED081600DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; }; + D4D887521CED0A4B00DC7583 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = D4D887121CED081600DC7583 /* Invalid-webmail.portofamsterdam.nl.crt 
*/; }; + D4D9B9FE1C7E5CCA008785EB /* SecServerEncryptionSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = D4D9B9FD1C7E5CCA008785EB /* SecServerEncryptionSupport.h */; settings = {ATTRIBUTES = (Private, ); }; }; D4DDD3D01BE3EC0300E8AE2D /* libDiagnosticMessagesClient.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = D4DDD3A71BE3EB4200E8AE2D /* libDiagnosticMessagesClient.dylib */; }; + D4DDD9671CA2F2A700AA03AE /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = D4DDD9661CA2F2A700AA03AE /* libbsm.dylib */; }; + D4DDD9961CA320FE00AA03AE /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 1807384B146D0D4E00F05C24 /* Security.framework */; }; + D4DDD9971CA3216C00AA03AE /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 1807384B146D0D4E00F05C24 /* Security.framework */; }; + D4EC94D61CEA48000083E753 /* si-20-sectrust-policies-data in Resources */ = {isa = PBXBuildFile; fileRef = D4EC94D51CEA48000083E753 /* si-20-sectrust-policies-data */; }; + DC247FB51CBF1C2500527D67 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F1214CF43C000B05E7F /* libDER.a */; }; + DC247FD81CBF1C3F00527D67 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F1214CF43C000B05E7F /* libDER.a */; }; + DC311CC81CCEC82E00E14E8D /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + DC7EFBAB1CBC46A7005F9624 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */; }; + DC7EFC0E1CBC7567005F9624 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */; }; + E74583F51BF66506001B54A4 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; E76079D61951FDAF00F69731 /* liblogging.a in Frameworks */ = {isa = 
PBXBuildFile; fileRef = E76079D51951FDA800F69731 /* liblogging.a */; }; E778BFBC17176DDE00302C14 /* security.exp-in in Sources */ = {isa = PBXBuildFile; fileRef = 182BB562146F4C73000BF1F3 /* security.exp-in */; }; EB22F3F918A26BCA0016A8EC /* SecBreadcrumb.c in Sources */ = {isa = PBXBuildFile; fileRef = EB22F3F718A26BA50016A8EC /* SecBreadcrumb.c */; }; EB22F3FA18A26BCE0016A8EC /* SecBreadcrumb.h in Headers */ = {isa = PBXBuildFile; fileRef = EB22F3F818A26BA50016A8EC /* SecBreadcrumb.h */; settings = {ATTRIBUTES = (Private, ); }; }; - EB22F3FB18A26BE40016A8EC /* bc-10-knife-on-bread.c in Sources */ = {isa = PBXBuildFile; fileRef = EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.c */; }; + EB22F3FB18A26BE40016A8EC /* bc-10-knife-on-bread.m in Sources */ = {isa = PBXBuildFile; fileRef = EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.m */; }; EB5D733B1B0CB0FF009CAA47 /* SOSPeerInfo.h in Old SOS header location */ = {isa = PBXBuildFile; fileRef = 4CB86AED167A6FF300F46643 /* SOSPeerInfo.h */; }; EB5D733C1B0CB109009CAA47 /* SOSTypes.h in Old SOS header location */ = {isa = PBXBuildFile; fileRef = 52F8DE4B1AF2EB6600A2C271 /* SOSTypes.h */; }; - EBC1B8E31BE9708300E6ACA6 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBC1B8E21BE9708300E6ACA6 /* Foundation.framework */; }; - EBF2D7141C1E0AF7006AB6FF /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBF2D7131C1E0AF7006AB6FF /* Foundation.framework */; }; - EBF2D7631C1E2B58006AB6FF /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBF2D7131C1E0AF7006AB6FF /* Foundation.framework */; }; - EBF2D7641C1E3AB2006AB6FF /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBF2D7131C1E0AF7006AB6FF /* Foundation.framework */; }; - EBF2E29D1BEC8D9200626DE4 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBF2E29C1BEC8D9200626DE4 /* IOKit.framework */; }; + EB73EFE81C210947008191E3 /* Foundation.framework in Frameworks */ 
= {isa = PBXBuildFile; fileRef = CD19A65E1A8065E900F9C276 /* Foundation.framework */; }; + EB73EFE91C210947008191E3 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD19A65E1A8065E900F9C276 /* Foundation.framework */; }; + EB73EFEA1C210947008191E3 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD19A65E1A8065E900F9C276 /* Foundation.framework */; }; + EB73EFEB1C210947008191E3 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD19A65E1A8065E900F9C276 /* Foundation.framework */; }; + EB73F0451C210E6F008191E3 /* SecurityFeatures.h in Headers */ = {isa = PBXBuildFile; fileRef = EB73F0441C210DF8008191E3 /* SecurityFeatures.h */; settings = {ATTRIBUTES = (Public, ); }; }; + EBB6970B1BE2091300715F16 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD19A65E1A8065E900F9C276 /* Foundation.framework */; }; + EBB6970F1BE209D400715F16 /* secbackupntest.m in Sources */ = {isa = PBXBuildFile; fileRef = EBB696FF1BE208CB00715F16 /* secbackupntest.m */; }; + EBB697101BE20A1200715F16 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 1807384B146D0D4E00F05C24 /* Security.framework */; }; F93C493E1AB8FF670047E01A /* ckcdiagnose.sh in CopyFiles */ = {isa = PBXBuildFile; fileRef = F93C493D1AB8FF670047E01A /* ckcdiagnose.sh */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; }; /* End PBXBuildFile section */ 
@@ -648,20 +667,6 @@ remoteGlobalIDString = 0CCA42D715C8A395002AEC4C; remoteInfo = dtlsEchoServer; }; - 0C6D77EA15C8C06600BB4405 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 0CE08A73148FF2C6000473EB; - remoteInfo = tlsnketest; - }; - 0C6D77EC15C8C06600BB4405 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 0CDF46A014DC794300FFE2FD; - remoteInfo = tlssocket; - }; 0CBD50B216C325F000713B6C /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; @@ -1089,20 +1094,6 @@ remoteGlobalIDString = 18FE67E91471A3AA00A2CBE3; remoteInfo = copyHeaders; }; - 186F779814E5A06500434E1F /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 18073841146D0D4E00F05C24 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 186F778814E59FB200434E1F; - remoteInfo = Framework; - }; - 186F779A14E5A06800434E1F /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 18073841146D0D4E00F05C24 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 186F778C14E59FDA00434E1F; - remoteInfo = Helpers; - }; 1879B537146DDBE5007E536C /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 1879B532146DDBE5007E536C /* libsecurity_utilities.xcodeproj */; 
@@ -1404,13 +1395,6 @@ remoteGlobalIDString = 795CA7FF0D38013D00BAE6A2; remoteInfo = libASN1; }; - 1885B45014D9AB3D00519375 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 1879B5FC146DE704007E536C /* libsecurity_asn1.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 795CA7FE0D38013D00BAE6A2; - remoteInfo = libASN1; - }; 18AD56A514CDED59008233F2 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; @@ -1446,6 +1430,20 @@ remoteGlobalIDString = 18FE67E91471A3AA00A2CBE3; remoteInfo = copyHeaders; }; + 1F6FC5FF1C3D9D90001C758F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1F6FC5DF1C3D9D90001C758F /* libsecurity_translocate.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 1FAA71431C10D8E000EAAE3E; + remoteInfo = libsecurity_translocate; + }; + 1FDA9A5E1C4471EC0083929D /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1F6FC5DF1C3D9D90001C758F /* libsecurity_translocate.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 1FAA71421C10D8E000EAAE3E; + remoteInfo = libsecurity_translocate; + }; 3705CADD1A8971DF00402F75 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18073841146D0D4E00F05C24 /* Project object */; @@ -1488,13 +1486,6 @@ remoteGlobalIDString = 4A5CCA4E15ACEFA500702357; remoteInfo = libSecOtrOSX; }; - 4C01DE31164C3793006798CD /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 528402A0164445760035F320; - remoteInfo = libCloudKeychainProxy; - }; 4C01DF12164C3E74006798CD /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; 
@@ -1642,27 +1633,6 @@ remoteGlobalIDString = E702E73514E1F3EA00CDE635; remoteInfo = libSecureObjectSync; }; - 5214701716977D1D00DF0DB3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = E742A09B14E343E70052A486; - remoteInfo = utilities; - }; - 5214701916977D2500DF0DB3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 5284029F164445760035F320; - remoteInfo = libCloudKeychainProxy; - }; - 521470281697842500DF0DB3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 18073841146D0D4E00F05C24 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 5214700516977CB800DF0DB3; - remoteInfo = CloudKeychainProxy; - }; 52B5A8F5151928B400664F11 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; @@ -1670,13 +1640,6 @@ remoteGlobalIDString = 52200F8F14F2B88000F7F6E7; remoteInfo = XPCTimeStampingService; }; - 5ED88B6D1B0DEF3100F3B047 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 053BA313091C00BF00A7007A; - remoteInfo = libDER; - }; 5ED88B6F1B0DEF4700F3B047 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; 
@@ -1733,13 +1696,6 @@ remoteGlobalIDString = 186CDD0E14CA116C00AF9171; remoteInfo = libSecItemShimOSX; }; - 722CF217175D602F00BCE0A5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 18073841146D0D4E00F05C24 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 72756BFD175D485D00F52070; - remoteInfo = cloud_keychain_diagnose; - }; ACB6171718B5231800EBEDD7 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 1879B712146DE825007E536C /* libsecurity_smime.xcodeproj */; @@ -1761,13 +1717,6 @@ remoteGlobalIDString = 18270F5414CF651900B05E7F; remoteInfo = libsecipc_client; }; - BE48ADFB1ADF1DF4000836C1 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = E702E73514E1F3EA00CDE635; - remoteInfo = libSecureObjectSync; - }; BE48ADFD1ADF1DF4000836C1 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; 
@@ -1775,27 +1724,6 @@ remoteGlobalIDString = E742A09B14E343E70052A486; remoteInfo = utilities; }; - BE48ADFF1ADF1DF4000836C1 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 18D4056114CE53C200A2BE4E; - remoteInfo = libsecurityd; - }; - BE48AE011ADF1DF4000836C1 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 18D4043414CE0CF300A2BE4E; - remoteInfo = libsecurity; - }; - BE48AE221ADF1E66000836C1 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = BE8D227F1ABB7199009A4E18; - remoteInfo = libSecTrustOSX; - }; BE48AE281ADF204E000836C1 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18073841146D0D4E00F05C24 /* Project object */; 
@@ -1817,89 +1745,110 @@ remoteGlobalIDString = BE8D228E1ABB7199009A4E18; remoteInfo = libSecTrustOSX; }; - BE94B7E01AD8442600A7216D /* PBXContainerItemProxy */ = { + C2432A0715C7112A0096DB5B /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = C209696015BF52040093035F; + remoteInfo = gkunpack; + }; + C2432A2415C726B50096DB5B /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = C209695F15BF52040093035F; + remoteInfo = gkunpack; + }; + D40772171C9B52210016AA66 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = D40771B81C9B4D200016AA66; + remoteInfo = libSharedRegressions; + }; + D42FA8361C9B8F77003E46A7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B64B146DE750007E536C /* libsecurity_cms.xcodeproj */; proxyType = 1; - remoteGlobalIDString = 18270F5414CF651900B05E7F; - remoteInfo = libsecipc_client; + remoteGlobalIDString = D4C3345B1BE2A2B100D8C1EF; + remoteInfo = libsecurity_cms_regressions; }; - BE94B7E41AD8446500A7216D /* PBXContainerItemProxy */ = { + D42FA8381C9B8F7D003E46A7 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + containerPortal = 0CC3355B16C1EF5D00399E53 /* regressions.xcodeproj */; proxyType = 1; - remoteGlobalIDString = E742A09B14E343E70052A486; - remoteInfo = utilities; + remoteGlobalIDString = E710C6FD133192E900F85568; + remoteInfo = regressions; }; - BE94B7E61AD8446C00A7216D /* PBXContainerItemProxy */ = { + D42FA83A1C9B8F94003E46A7 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 
/* sec.xcodeproj */; + containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; proxyType = 1; - remoteGlobalIDString = 18D4056114CE53C200A2BE4E; - remoteInfo = libsecurityd; + remoteGlobalIDString = 0CBD500016C3242200713B6C; + remoteInfo = libsecurity_keychain_regressions; }; - BE94B7E81AD8447B00A7216D /* PBXContainerItemProxy */ = { + D42FA83C1C9B8F94003E46A7 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + containerPortal = 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */; proxyType = 1; - remoteGlobalIDString = 18D4043414CE0CF300A2BE4E; - remoteInfo = libsecurity; + remoteGlobalIDString = 0CCA415815C89E8B002AEC4C; + remoteInfo = libsecurity_ssl_regressions; }; - BE94B7EA1AD8449300A7216D /* PBXContainerItemProxy */ = { + D42FA83E1C9B8F94003E46A7 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + containerPortal = 1879B712146DE825007E536C /* libsecurity_smime.xcodeproj */; proxyType = 1; - remoteGlobalIDString = BE8D227F1ABB7199009A4E18; - remoteInfo = libSecTrustOSX; + remoteGlobalIDString = AC62F5EF18B4356A00704BBD; + remoteInfo = libsecurity_smime_regressions; }; - BE94B7EE1AD8453300A7216D /* PBXContainerItemProxy */ = { + D42FA8401C9B8FA7003E46A7 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; proxyType = 1; - remoteGlobalIDString = E702E73514E1F3EA00CDE635; - remoteInfo = libSecureObjectSync; + remoteGlobalIDString = D40771B71C9B4D200016AA66; + remoteInfo = libSharedRegressions; }; - C2432A0715C7112A0096DB5B /* PBXContainerItemProxy */ = { + D42FA8421C9B8FD0003E46A7 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = C209696015BF52040093035F; - remoteInfo = 
gkunpack; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; }; - C2432A2415C726B50096DB5B /* PBXContainerItemProxy */ = { + D45FC3E21C9E069000509CDA /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; proxyType = 1; - remoteGlobalIDString = C209695F15BF52040093035F; - remoteInfo = gkunpack; + remoteGlobalIDString = 18D4056114CE53C200A2BE4E; + remoteInfo = libsecurityd; }; - CD63AD0B1A8061FA001B5671 /* PBXContainerItemProxy */ = { + D45FC3E51C9E06BD00509CDA /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = CD3F914B1A802EBF00E07119; - remoteInfo = libIDSKeychainSyncingProxy; + proxyType = 1; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; }; - CD63AD111A8063AF001B5671 /* PBXContainerItemProxy */ = { + D466FA761CA0C2A500433142 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; proxyType = 1; - remoteGlobalIDString = CD3F914A1A802EBF00E07119; - remoteInfo = libIDSKeychainSyncingProxy; + remoteGlobalIDString = D42FA8231C9B8D3C003E46A7; + remoteInfo = SecurityTestsOSX; }; - CD63AD131A8063B7001B5671 /* PBXContainerItemProxy */ = { + D46B08011C8FBE6A00B5939A /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; proxyType = 1; - remoteGlobalIDString = E742A09B14E343E70052A486; - remoteInfo = utilities; + remoteGlobalIDString = D46B07A51C8FB22900B5939A; + 
remoteInfo = libDERInstall; }; - CDEB2BD11A8151CD00B0E23A /* PBXContainerItemProxy */ = { + D46B08A71C8FD8D900B5939A /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + containerPortal = 1879B5FC146DE704007E536C /* libsecurity_asn1.xcodeproj */; proxyType = 1; - remoteGlobalIDString = CD63ACDF1A8061FA001B5671; - remoteInfo = IDSKeychainSyncingProxy; + remoteGlobalIDString = D46B08791C8FCA5000B5939A; + remoteInfo = libASN1Install; }; D4A2FC7D1BC89D5200BF6E56 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; @@ -1922,12 +1871,26 @@ remoteGlobalIDString = D4C3345C1BE2A2B100D8C1EF; remoteInfo = libsecurity_cms_regressions; }; - E7421C7D1ADC8E0D005FC1C0 /* PBXContainerItemProxy */ = { + DC311CC61CCEC81D00E14E8D /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 0CC9A7F0146DF66000C18F89; - remoteInfo = tlsnke; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + DC872EE91CC983EE0076C0E7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 053BA313091C00BF00A7007A; + remoteInfo = libDER; + }; + DC872F141CC983F70076C0E7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 053BA313091C00BF00A7007A; + remoteInfo = libDER; }; E760796E1951F99600F69731 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; 
@@ -1957,6 +1920,13 @@ remoteGlobalIDString = EB2E1F05166D69B800A7EF61; remoteInfo = CodeSigningHelper; }; + EBB6970D1BE2095F00715F16 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EBB697031BE208FC00715F16; + remoteInfo = secbackupntest; + }; EBB9FFDF1682E71F00FF9774 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; @@ -1964,6 +1934,13 @@ remoteGlobalIDString = EBB9FF6E1682E51300FF9774; remoteInfo = CodeSigningHelper; }; + EBE012001C21368400CB6A63 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EBE011D31C21357200CB6A63; + remoteInfo = SecurityFeature; + }; F94E7A961ACC8CC200F23132 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18073841146D0D4E00F05C24 /* Project object */; @@ -1977,10 +1954,10 @@ 0C6D003C177B545D0095D167 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /private/etc/asl; + dstPath = /System/Library/Preferences/Logging/Subsystems; dstSubfolderSpec = 0; files = ( - 0C6D0065177B54CB0095D167 /* com.apple.securityd in CopyFiles */, + 486326331CAA0C6500A466D9 /* com.apple.securityd.plist in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 1; }; @@ -2071,13 +2048,13 @@ }; 4C49390E16E51ED100CE110C /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; - buildActionMask = 12; + buildActionMask = 8; dstPath = /System/Library/LaunchAgents; dstSubfolderSpec = 0; files = ( 4C49390F16E51FC700CE110C /* com.apple.security.keychain-circle-notification.plist in CopyFiles */, ); - runOnlyForDeploymentPostprocessing = 0; + runOnlyForDeploymentPostprocessing = 1; }; 4CB23B44169F5873003A0131 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; 
@@ -2101,30 +2078,10 @@ 48FDA8771AF98A3600A9366F /* SOSCloudCircleInternal.h in Copy SecureObjectSync Headers */, 4CB86AF7167A6FF300F46643 /* SOSPeerInfo.h in Copy SecureObjectSync Headers */, 52F8DDFA1AF2E56700A2C271 /* SOSViews.h in Copy SecureObjectSync Headers */, - 52F8DE251AF2E58B00A2C271 /* SOSForerunnerSession.h in Copy SecureObjectSync Headers */, ); name = "Copy SecureObjectSync Headers"; runOnlyForDeploymentPostprocessing = 1; }; - 5214702316977EA600DF0DB3 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/LaunchAgents"; - dstSubfolderSpec = 0; - files = ( - 521470261697800500DF0DB3 /* com.apple.security.cloudkeychainproxy.plist in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; - 72756BFC175D485D00F52070 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = /usr/share/man/man1/; - dstSubfolderSpec = 0; - files = ( - ); - runOnlyForDeploymentPostprocessing = 1; - }; BE48AE191ADF1DF4000836C1 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
@@ -2154,47 +2111,101 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - BE94B79B1AD83AF700A7216D /* Copy sandbox profile */ = { + D4D886F61CED070600DC7583 /* Copy DigiNotar Resources */ = { isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(SYSTEM_LIBRARY_DIR)/Sandbox/Profiles"; - dstSubfolderSpec = 0; + buildActionMask = 2147483647; + dstPath = DigiNotar; + dstSubfolderSpec = 7; files = ( - BE94B7DD1AD8426500A7216D /* com.apple.trustd.sb in Copy sandbox profile */, - ); - name = "Copy sandbox profile"; - runOnlyForDeploymentPostprocessing = 1; + D4D887431CED09C500DC7583 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar Resources */, + D4D887421CED09BD00DC7583 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar Resources */, + D4D887401CED09B300DC7583 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar Resources */, + D4D887411CED09B300DC7583 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar Resources */, + D4D8873C1CED099F00DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar Resources */, + D4D8873D1CED099F00DC7583 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar Resources */, + D4D8873E1CED099F00DC7583 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar Resources */, + D4D8873F1CED099F00DC7583 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar Resources */, + D4D887371CED098500DC7583 /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar Resources */, + D4D887381CED098500DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar Resources */, + D4D887391CED098500DC7583 /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar Resources */, + D4D8873A1CED098500DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar Resources */, + D4D8873B1CED098500DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar Resources */, 
+ D4D887361CED095600DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar Resources */, + D4D887351CED094C00DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar Resources */, + D4D887341CED094200DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar Resources */, + D4D887331CED093A00DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar Resources */, + D4D887321CED093200DC7583 /* Invalid-asterisk.google.com.crt in Copy DigiNotar Resources */, + ); + name = "Copy DigiNotar Resources"; + runOnlyForDeploymentPostprocessing = 0; }; - BE94B79F1AD83AF700A7216D /* Copy asl module */ = { + D4D886F71CED070800DC7583 /* Copy DigiNotar-Entrust Resources */ = { isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = /private/etc/asl; - dstSubfolderSpec = 0; + buildActionMask = 2147483647; + dstPath = "DigiNotar-Entrust"; + dstSubfolderSpec = 7; files = ( - BE94B7DC1AD8425E00A7216D /* com.apple.trustd.asl in Copy asl module */, - ); - name = "Copy asl module"; - runOnlyForDeploymentPostprocessing = 1; + D4D8871B1CED081700DC7583 /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-Entrust Resources */, + D4D8871C1CED081700DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */, + D4D8871D1CED081700DC7583 /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-Entrust Resources */, + D4D8871E1CED081700DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-Entrust Resources */, + D4D8871F1CED081700DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-Entrust Resources */, + D4D887201CED081700DC7583 /* diginotar.root.ca-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */, + D4D887231CED081700DC7583 /* Invalid-asterisk.google.com.crt in Copy DigiNotar-Entrust Resources */, + D4D887241CED081700DC7583 /* 
Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-Entrust Resources */, + D4D887251CED081700DC7583 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar-Entrust Resources */, + D4D887261CED081700DC7583 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar-Entrust Resources */, + D4D887271CED081700DC7583 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar-Entrust Resources */, + D4D887281CED081700DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-Entrust Resources */, + D4D887291CED081700DC7583 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-Entrust Resources */, + D4D8872A1CED081700DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-Entrust Resources */, + D4D8872B1CED081700DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-Entrust Resources */, + D4D8872C1CED081700DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-Entrust Resources */, + D4D8872D1CED081700DC7583 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar-Entrust Resources */, + D4D8872F1CED081700DC7583 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar-Entrust Resources */, + D4D887301CED081700DC7583 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar-Entrust Resources */, + ); + name = "Copy DigiNotar-Entrust Resources"; + runOnlyForDeploymentPostprocessing = 0; }; - CD63AD1D1A806552001B5671 /* CopyFiles */ = { + D4D886F81CED070A00DC7583 /* Copy DigiNotar-ok Resources */ = { isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/LaunchAgents"; - dstSubfolderSpec = 0; + buildActionMask = 2147483647; + dstPath = "DigiNotar-ok"; + dstSubfolderSpec = 7; files = ( - CDE08DD41A85E92200B5C261 /* com.apple.security.idskeychainsyncingproxy.plist in CopyFiles */, - ); - 
runOnlyForDeploymentPostprocessing = 1; + D4D887521CED0A4B00DC7583 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-ok Resources */, + D4D887511CED0A4400DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-ok Resources */, + D4D887501CED0A3400DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-ok Resources */, + D4D8874F1CED0A2A00DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-ok Resources */, + D4D8874E1CED0A0F00DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-ok Resources */, + D4D8874D1CED0A0600DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-ok Resources */, + D4D8874C1CED09FF00DC7583 /* Invalid-asterisk.google.com.crt in Copy DigiNotar-ok Resources */, + D4D887451CED09F600DC7583 /* DigiNotar_Root_CA_G2-RootCertificate.crt in Copy DigiNotar-ok Resources */, + D4D887461CED09F600DC7583 /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-ok Resources */, + D4D887471CED09F600DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-ok Resources */, + D4D887481CED09F600DC7583 /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-ok Resources */, + D4D887491CED09F600DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-ok Resources */, + D4D8874A1CED09F600DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-ok Resources */, + D4D8874B1CED09F600DC7583 /* DigiNotarCA2007RootCertificate.crt in Copy DigiNotar-ok Resources */, + D4D887441CED09DA00DC7583 /* Expectations.plist in Copy DigiNotar-ok Resources */, + ); + name = "Copy DigiNotar-ok Resources"; + runOnlyForDeploymentPostprocessing = 0; }; - CDF91EF41AAE025C00E88CF7 /* CopyFiles */ = { + D4D886F91CED070C00DC7583 /* Copy DigicertMalaysia Resources */ = { isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = 
/System/Library/IdentityServices/ServiceDefinitions; - dstSubfolderSpec = 0; + buildActionMask = 2147483647; + dstPath = DigicertMalaysia; + dstSubfolderSpec = 7; files = ( - CDF91EF51AAE028F00E88CF7 /* com.apple.private.alloy.keychainsync.plist in CopyFiles */, + D4D886FE1CED07B400DC7583 /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in Copy DigicertMalaysia Resources */, + D4D886FF1CED07B400DC7583 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in Copy DigicertMalaysia Resources */, + D4D887001CED07B400DC7583 /* Invalid-webmail.jaring.my.crt in Copy DigicertMalaysia Resources */, + D4D887011CED07B400DC7583 /* Invalid-www.cybersecurity.my.crt in Copy DigicertMalaysia Resources */, ); - runOnlyForDeploymentPostprocessing = 1; + name = "Copy DigicertMalaysia Resources"; + runOnlyForDeploymentPostprocessing = 0; }; EB5D73121B0CB0E0009CAA47 /* Old SOS header location */ = { isa = PBXCopyFilesBuildPhase; @@ -2208,6 +2219,15 @@ name = "Old SOS header location"; runOnlyForDeploymentPostprocessing = 1; }; + EBB697021BE208FC00715F16 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = /usr/share/man/man1/; + dstSubfolderSpec = 0; + files = ( + ); + runOnlyForDeploymentPostprocessing = 1; + }; F93C49351AB8FD3B0047E01A /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
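Review bot: The `BE94B79B1AD83AF700A7216D /* Copy sandbox profile */` phase that installed `com.apple.trustd.sb` into `$(SYSTEM_LIBRARY_DIR)/Sandbox/Profiles` is deleted at the top of this hunk, together with the `Copy asl module` phase for `com.apple.trustd.asl`, and nothing in the visible diff installs that profile from another target. If trustd has moved to its own project this is fine, but otherwise the daemon would be installed without the sandbox profile it is expected to run under, and the commit description (a bare tarball name) gives no way to tell. I would confirm that `com.apple.trustd.sb` is still installed by some other target before merging, and record that in the description. Separately, the new DigiNotar, DigiNotar-Entrust, DigiNotar-ok and DigicertMalaysia phases copy certificate fixtures into bundle resources (`dstSubfolderSpec = 7`, `runOnlyForDeploymentPostprocessing = 0`), which is appropriate only as long as those targets are test bundles and never a shipped framework.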
@@ -2222,14 +2242,14 @@ /* Begin PBXFileReference section */ 0C03D60317D93E810087643B /* SecDH.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecDH.h; path = sec/Security/SecDH.h; sourceTree = SOURCE_ROOT; }; + 0C0C887C1CCED19E00617D1B /* si-82-sectrust-ct-data */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "si-82-sectrust-ct-data"; path = "../shared_regressions/si-82-sectrust-ct-data"; sourceTree = "<group>"; }; 0C4F055D15C9E51A00F9DFD5 /* sslTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sslTypes.h; path = libsecurity_ssl/lib/sslTypes.h; sourceTree = SOURCE_ROOT; }; 0C6C630B15D193C800BC68CD /* sectests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = sectests; sourceTree = BUILT_PRODUCTS_DIR; }; 0C6C630E15D193C800BC68CD /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = "<group>"; }; 0C6C632415D1964200BC68CD /* testlist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = testlist.h; sourceTree = "<group>"; }; 0C6C632F15D19DE600BC68CD /* test.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = test.xcconfig; sourceTree = "<group>"; }; 0C6D0064177B54C60095D167 /* com.apple.securityd */ = {isa = PBXFileReference; lastKnownFileType = text; name = com.apple.securityd; path = asl/com.apple.securityd; sourceTree = SOURCE_ROOT; }; - 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = tlsnke.xcodeproj; path = tlsnke/tlsnke.xcodeproj; sourceTree = "<group>"; }; - 0CC1228B19C75B9000D23178 /* shared_regressions.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = shared_regressions.h; sourceTree = "<group>"; }; + 0C869B691C865E62006A2873 /* CoreCDP.framework */ = {isa = PBXFileReference; 
lastKnownFileType = wrapper.framework; name = CoreCDP.framework; path = System/Library/PrivateFrameworks/CoreCDP.framework; sourceTree = SDKROOT; }; 0CC2CB0F1B6A04D80074B0F2 /* libDiagnosticMessagesClient.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libDiagnosticMessagesClient.dylib; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/usr/lib/libDiagnosticMessagesClient.dylib; sourceTree = DEVELOPER_DIR; }; 0CC3352D16C1ED8000399E53 /* secdtests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secdtests; sourceTree = BUILT_PRODUCTS_DIR; }; 0CC3355716C1EEE700399E53 /* main.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = main.c; path = secdtests/main.c; sourceTree = "<group>"; }; 
@@ -2254,8 +2274,6 @@ 18270EFD14CF429600B05E7F /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; 18270EFF14CF42CA00B05E7F /* libcorecrypto.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcorecrypto.a; path = /usr/local/lib/libcorecrypto.a; sourceTree = "<absolute>"; }; 18270F0814CF43C000B05E7F /* libDER.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libDER.xcodeproj; path = libsecurity_keychain/libDER/libDER.xcodeproj; sourceTree = "<group>"; }; - 18270F3A14CF44C400B05E7F /* debugging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = debugging.c; sourceTree = "<group>"; }; - 18270F3B14CF44C400B05E7F /* debugging.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = debugging.h; sourceTree = "<group>"; }; 182A190F15D09AF0006AB103 /* connection.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = connection.h; sourceTree = "<group>"; }; 182A191015D09AFF006AB103 /* connection.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = connection.c; sourceTree = "<group>"; }; 182BB187146EAD4C000BF1F3 /* SecAccess.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAccess.h; path = libsecurity_keychain/lib/SecAccess.h; sourceTree = SOURCE_ROOT; }; 
@@ -2341,7 +2359,7 @@ 182BB55C146F4544000BF1F3 /* FDEPrefs.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = FDEPrefs.plist; sourceTree = "<group>"; }; 182BB55D146F4544000BF1F3 /* generateErrStrings.pl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.perl; path = generateErrStrings.pl; sourceTree = "<group>"; }; 182BB55E146F4544000BF1F3 /* Security.order */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = Security.order; sourceTree = "<group>"; }; - 182BB562146F4C73000BF1F3 /* security.exp-in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = "security.exp-in"; sourceTree = "<group>"; }; + 182BB562146F4C73000BF1F3 /* security.exp-in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; lineEnding = 0; path = "security.exp-in"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = "<none>"; }; 182BB568146F4DCA000BF1F3 /* csparser.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = csparser.bundle; sourceTree = BUILT_PRODUCTS_DIR; }; 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = System/Library/Frameworks/CoreFoundation.framework; sourceTree = SDKROOT; }; 182BB593146FE1ED000BF1F3 /* libantlr2c++.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = "libantlr2c++.a"; path = "/usr/local/lib/libantlr2c++.a"; sourceTree = "<absolute>"; }; 
@@ -2409,8 +2427,8 @@ 18446193146E9A8F00B12992 /* SecCodeHostLib.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCodeHostLib.h; path = libsecurity_codesigning/lib/SecCodeHostLib.h; sourceTree = SOURCE_ROOT; }; 18446194146E9A8F00B12992 /* SecAssessment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAssessment.h; path = libsecurity_codesigning/lib/SecAssessment.h; sourceTree = SOURCE_ROOT; }; 184461A3146E9D3200B12992 /* libsecurityd.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurityd.xcodeproj; path = libsecurityd/libsecurityd.xcodeproj; sourceTree = "<group>"; }; - 18500F9A14708D0E006F9AB4 /* SecDebugErrorMessages.strings */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.strings; name = SecDebugErrorMessages.strings; path = derived_src/SecDebugErrorMessages.strings; sourceTree = BUILT_PRODUCTS_DIR; }; - 18500FA014708F19006F9AB4 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = derived_src/en.lproj/SecErrorMessages.strings; sourceTree = BUILT_PRODUCTS_DIR; }; + 18500F9A14708D0E006F9AB4 /* SecDebugErrorMessages.strings */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = SecDebugErrorMessages.strings; path = derived_src/SecDebugErrorMessages.strings; sourceTree = BUILT_PRODUCTS_DIR; }; + 18500FA014708F19006F9AB4 /* en */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = en; path = derived_src/en.lproj/SecErrorMessages.strings; sourceTree = BUILT_PRODUCTS_DIR; }; 186CDD1614CA11C700AF9171 /* sec.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; path = sec.xcodeproj; sourceTree = "<group>"; }; 18752C1D16F2837A004E2799 /* libaks.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libaks.a; path = usr/local/lib/libaks.a; 
sourceTree = SDKROOT; }; 1879B4A9146DCA18007E536C /* cssm.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = cssm.mdsinfo; path = libsecurity_cssm/mds/cssm.mdsinfo; sourceTree = SOURCE_ROOT; }; @@ -2469,7 +2487,7 @@ 187D6B9215D4359F00E27494 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/authorization.prompts.strings; sourceTree = "<group>"; }; 187D6B9515D436BF00E27494 /* authorization.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = authorization.plist; sourceTree = "<group>"; }; 188AD8D91471FE3D0081C619 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/FDELocalizable.strings; sourceTree = "<group>"; }; - 188AD8DB1471FE3E0081C619 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; }; + 188AD8DB1471FE3E0081C619 /* en */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; }; 18A5493115EFD2F40059E6DC /* dummy.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = dummy.cpp; sourceTree = "<group>"; }; 18B647E814D9EB6300F538BF /* oidsalg.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidsalg.h; path = ../libsecurity_asn1/lib/oidsalg.h; sourceTree = "<group>"; }; 18B647EA14D9EE4300F538BF /* oidsattr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidsattr.h; path = ../libsecurity_asn1/lib/oidsattr.h; sourceTree = "<group>"; }; 
@@ -2525,6 +2543,8 @@ 18F235FC15CA0EDB00060520 /* libstdc++.6.0.9.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = "libstdc++.6.0.9.dylib"; path = "/usr/lib/libstdc++.6.0.9.dylib"; sourceTree = "<absolute>"; }; 18F2360015CAF41100060520 /* libsecurity_codesigning.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libsecurity_codesigning.a; path = /usr/local/lib/libsecurity_codesigning.a; sourceTree = "<absolute>"; }; 18FE67EA1471A3AA00A2CBE3 /* Security.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Security.framework; sourceTree = BUILT_PRODUCTS_DIR; }; + 1F6FC5DF1C3D9D90001C758F /* libsecurity_translocate.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_translocate.xcodeproj; path = libsecurity_translocate/libsecurity_translocate.xcodeproj; sourceTree = "<group>"; }; + 1FDA9ABB1C4489280083929D /* SecTranslocate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecTranslocate.h; path = libsecurity_translocate/lib/SecTranslocate.h; sourceTree = SOURCE_ROOT; }; 3705CACC1A896D5A00402F75 /* SecTask-Entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; path = "SecTask-Entitlements.plist"; sourceTree = "<group>"; }; 3705CACD1A896DA800402F75 /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = "<group>"; }; 3705CAD21A896DE800402F75 /* SecTaskTest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = SecTaskTest; sourceTree = BUILT_PRODUCTS_DIR; }; 
@@ -2546,6 +2566,7 @@ 44B2603E18F81A6A008DF20F /* SecAccessControl.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecAccessControl.h; path = sec/Security/SecAccessControl.h; sourceTree = SOURCE_ROOT; }; 44B2606918F81BFE008DF20F /* SecAccessControlPriv.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecAccessControlPriv.h; path = sec/Security/SecAccessControlPriv.h; sourceTree = SOURCE_ROOT; }; 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libaks_acl.a; path = usr/local/lib/libaks_acl.a; sourceTree = SDKROOT; }; + 486326321CAA0C6500A466D9 /* com.apple.securityd.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = com.apple.securityd.plist; path = sec/os_log/com.apple.securityd.plist; sourceTree = "<group>"; }; 48FDA84D1AF989F600A9366F /* SOSCloudCircleInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSCloudCircleInternal.h; path = sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h; sourceTree = SOURCE_ROOT; }; 4C0F6F861985877800178101 /* SecEntitlements.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecEntitlements.h; sourceTree = "<group>"; }; 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; path = utilities.xcodeproj; sourceTree = "<group>"; }; 
@@ -2596,23 +2617,16 @@ 4CD1980C16DD3BDF00A9E8FD /* NSArray+mapWithBlock.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "NSArray+mapWithBlock.m"; path = "Keychain Circle Notification/NSArray+mapWithBlock.m"; sourceTree = SOURCE_ROOT; }; 4CE7EA7D1AEAF50F0067F5BD /* SecItemBackup.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecItemBackup.h; path = sec/Security/SecItemBackup.h; sourceTree = SOURCE_ROOT; }; 4CF42BB515A3947F00ACACE1 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = System/Library/Frameworks/Security.framework; sourceTree = SDKROOT; }; - 5214700616977CB800DF0DB3 /* CloudKeychainProxy.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = CloudKeychainProxy.bundle; sourceTree = BUILT_PRODUCTS_DIR; }; 5214700716977CB800DF0DB3 /* Cocoa.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Cocoa.framework; path = System/Library/Frameworks/Cocoa.framework; sourceTree = SDKROOT; }; - 5214700F16977CB800DF0DB3 /* CloudKeychainProxy-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "CloudKeychainProxy-Info.plist"; sourceTree = "<group>"; }; - 5214701116977CB800DF0DB3 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; }; - 5214702416977FEC00DF0DB3 /* cloudkeychain.entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = cloudkeychain.entitlements.plist; sourceTree = "<group>"; }; - 5214702516977FEC00DF0DB3 /* com.apple.security.cloudkeychainproxy.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.security.cloudkeychainproxy.plist; sourceTree = "<group>"; }; 524492691AFD6CB70043695A /* der_plist.h */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = der_plist.h; path = ../utilities/src/der_plist.h; sourceTree = "<group>"; }; 52AEA484153C7581005AFC59 /* tsaSupportPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = tsaSupportPriv.h; path = libsecurity_smime/lib/tsaSupportPriv.h; sourceTree = SOURCE_ROOT; }; 52B006BF15238F76005D4556 /* TimeStampingPrefs.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = TimeStampingPrefs.plist; sourceTree = "<group>"; }; 52B5A9C01519330300664F11 /* tsaSupport.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = tsaSupport.h; path = libsecurity_smime/lib/tsaSupport.h; sourceTree = SOURCE_ROOT; }; 52B5A9C11519330300664F11 /* tsaTemplates.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = tsaTemplates.h; path = libsecurity_smime/lib/tsaTemplates.h; sourceTree = SOURCE_ROOT; }; - 52C3D235169B56860091D9D3 /* ckdmain.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = ckdmain.m; path = sec/SOSCircle/CloudKeychainProxy/ckdmain.m; sourceTree = SOURCE_ROOT; }; 52F8DDF91AF2E56600A2C271 /* SOSViews.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSViews.h; path = ../sec/SOSCircle/SecureObjectSync/SOSViews.h; sourceTree = "<group>"; }; 52F8DE201AF2E57300A2C271 /* SOSBackupSliceKeyBag.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSBackupSliceKeyBag.h; path = ../sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h; sourceTree = "<group>"; }; - 52F8DE231AF2E58B00A2C271 /* SOSForerunnerSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSForerunnerSession.h; path = ../sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.h; sourceTree = "<group>"; }; 52F8DE4B1AF2EB6600A2C271 /* SOSTypes.h */ = 
{isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSTypes.h; path = ../sec/SOSCircle/SecureObjectSync/SOSTypes.h; sourceTree = "<group>"; }; - 5328475217850741009118DC /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/Localizable.strings; sourceTree = "<group>"; }; + 5328475217850741009118DC /* en */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/Localizable.strings; sourceTree = "<group>"; }; 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_client.a; path = usr/local/lib/libcoreauthd_client.a; sourceTree = SDKROOT; }; 5E605AFB1AB859B70049FA14 /* libcoreauthd_test_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_test_client.a; path = usr/local/lib/libcoreauthd_test_client.a; sourceTree = SDKROOT; }; 5E7AF4721ACD64AC00005140 /* libACM.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libACM.a; path = usr/local/lib/libACM.a; sourceTree = SDKROOT; }; 
@@ -2622,50 +2636,90 @@ 5EF7C23A1B00E48200E5E99C /* main.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = main.c; path = ../../secacltests/main.c; sourceTree = "<group>"; }; 5EF7C23C1B00E48200E5E99C /* secacltests-entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = "secacltests-entitlements.plist"; path = "../../secacltests/secacltests-entitlements.plist"; sourceTree = "<group>"; }; 5EF7C23D1B00E48200E5E99C /* testlist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = testlist.h; path = ../../secacltests/testlist.h; sourceTree = "<group>"; }; + 6C721DB01D3D18D700888AE1 /* login.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = login.framework; path = System/Library/PrivateFrameworks/login.framework; sourceTree = SDKROOT; }; 721680A8179B40F600406BB4 /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = "<group>"; }; 721680AA179B40F600406BB4 /* iCloudStats.1 */ = {isa = PBXFileReference; lastKnownFileType = text.man; path = iCloudStats.1; sourceTree = "<group>"; }; 721680BD179B4F9100406BB4 /* com.apple.iCloudStats.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.iCloudStats.plist; sourceTree = "<group>"; }; - 72756BFE175D485D00F52070 /* cloud_keychain_diagnose */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = cloud_keychain_diagnose; sourceTree = BUILT_PRODUCTS_DIR; }; - 72756C04175D485D00F52070 /* cloud_keychain_diagnose-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "cloud_keychain_diagnose-Prefix.pch"; sourceTree = "<group>"; }; - 72756C30175D48C100F52070 /* cloud_keychain_diagnose.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = 
cloud_keychain_diagnose.c; path = utilities/src/cloud_keychain_diagnose.c; sourceTree = SOURCE_ROOT; }; AC5688BA18B4396D00F0526C /* SecCMS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCMS.h; path = libsecurity_smime/lib/SecCMS.h; sourceTree = SOURCE_ROOT; }; BE48AE211ADF1DF4000836C1 /* trustd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = trustd; sourceTree = BUILT_PRODUCTS_DIR; }; BE48AE241ADF1FD3000836C1 /* com.apple.trustd.agent.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.trustd.agent.plist; sourceTree = "<group>"; }; BE48AE261ADF2011000836C1 /* com.apple.trustd.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.trustd.plist; sourceTree = "<group>"; }; BE7048911AD84C53000402D8 /* trustd-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "trustd-Prefix.pch"; path = "trustd/trustd-Prefix.pch"; sourceTree = SOURCE_ROOT; }; + BE7169F41C0E7A2B00AFC620 /* entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = entitlements.plist; sourceTree = "<group>"; }; BE8C5F0916F7CE450074CF86 /* framework.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = framework.sb; sourceTree = "<group>"; }; - BE94B7A41AD83AF700A7216D /* trustd.xpc */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = trustd.xpc; sourceTree = BUILT_PRODUCTS_DIR; }; BE94B7A51AD83AF800A7216D /* trustd-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "trustd-Info.plist"; sourceTree = "<group>"; }; BE94B7DA1AD8424700A7216D /* com.apple.trustd.asl */ = {isa = PBXFileReference; lastKnownFileType = text; name = com.apple.trustd.asl; path = ../trustd/com.apple.trustd.asl; sourceTree = "<group>"; }; BE94B7DB1AD8424700A7216D /* com.apple.trustd.sb */ = 
{isa = PBXFileReference; lastKnownFileType = text; name = com.apple.trustd.sb; path = ../trustd/com.apple.trustd.sb; sourceTree = "<group>"; }; BEC3A76716F79497003E5634 /* SecTaskPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTaskPriv.h; path = libsecurity_codesigning/lib/SecTaskPriv.h; sourceTree = SOURCE_ROOT; }; - BEFB63681B6834AB0052149A /* AppWorkaround.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = AppWorkaround.plist; sourceTree = "<group>"; }; C288A0881505795D00E773B7 /* libOpenScriptingUtil.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libOpenScriptingUtil.dylib; path = ../../../../../usr/lib/libOpenScriptingUtil.dylib; sourceTree = "<group>"; }; CD19A65E1A8065E900F9C276 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; }; CD276BE31A83F204003226BC /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings; sourceTree = "<group>"; }; CD4F43CC1B546A1900FE3569 /* SOSPeerInfoV2.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSPeerInfoV2.h; path = sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.h; sourceTree = SOURCE_ROOT; }; - CD50D6D21A841C0E00C35E74 /* com.apple.security.idskeychainsyncingproxy.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.security.idskeychainsyncingproxy.plist; sourceTree = "<group>"; }; - CD63ACE01A8061FA001B5671 /* IDSKeychainSyncingProxy.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = IDSKeychainSyncingProxy.bundle; sourceTree = BUILT_PRODUCTS_DIR; }; - CD63AD151A8064C2001B5671 /* idksmain.m */ = {isa = PBXFileReference; 
fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = idksmain.m; path = ../../IDSKeychainSyncingProxy/idksmain.m; sourceTree = "<group>"; }; - CD63AD181A8064DE001B5671 /* IDSKeychainSyncingProxy-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "IDSKeychainSyncingProxy-Info.plist"; sourceTree = "<group>"; }; - CD63AD191A8064DE001B5671 /* idskeychainsyncingproxy.entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = idskeychainsyncingproxy.entitlements.plist; sourceTree = "<group>"; }; CD7446D8195A1CFE00FB01C0 /* IDS.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IDS.framework; path = System/Library/PrivateFrameworks/IDS.framework; sourceTree = SDKROOT; }; CD8B5A9C1B618ED9004D4AEF /* SOSPeerInfoPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSPeerInfoPriv.h; path = ../sec/SOSCircle/SecureObjectSync/SOSPeerInfoPriv.h; sourceTree = "<group>"; }; CDDE9D1C1729DF250013B0E8 /* SecPasswordGenerate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecPasswordGenerate.h; path = ../sec/Security/SecPasswordGenerate.h; sourceTree = "<group>"; }; - CDF91EC81AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist */ = {isa = PBXFileReference; lastKnownFileType = file.bplist; path = com.apple.private.alloy.keychainsync.plist; sourceTree = "<group>"; }; D41685831B3A288F001FB54E /* oids.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = oids.h; path = libsecurity_keychain/libDER/libDER/oids.h; sourceTree = SOURCE_ROOT; }; + D42FA8241C9B8D3C003E46A7 /* SecurityTestsOSX.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = SecurityTestsOSX.app; sourceTree = BUILT_PRODUCTS_DIR; }; + D42FA82A1C9B8D3D003E46A7 /* main.m */ = {isa = PBXFileReference; 
lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; }; + D42FA8311C9B8D3D003E46A7 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; }; + D42FA8351C9B8EC4003E46A7 /* testlist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = testlist.h; sourceTree = "<group>"; }; + D42FA8441C9B8FDE003E46A7 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.12.sdk/System/Library/Frameworks/Foundation.framework; sourceTree = DEVELOPER_DIR; }; + D42FA84C1C9B901E003E46A7 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.12.sdk/System/Library/Frameworks/IOKit.framework; sourceTree = DEVELOPER_DIR; }; + D42FA84F1C9B9047003E46A7 /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.12.sdk/System/Library/Frameworks/CoreFoundation.framework; sourceTree = DEVELOPER_DIR; }; + D42FA87A1C9B9099003E46A7 /* SecurityTests-Entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "SecurityTests-Entitlements.plist"; sourceTree = "<group>"; }; + D42FA87C1C9B9186003E46A7 /* si-82-sectrust-ct-logs.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = "si-82-sectrust-ct-logs.plist"; path = "../shared_regressions/si-82-sectrust-ct-logs.plist"; sourceTree = "<group>"; }; + D447C0C11D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libDiagnosticMessagesClient.dylib; path = usr/lib/libDiagnosticMessagesClient.dylib; 
sourceTree = SDKROOT; }; D46E9CED1B1E5DEF00ED650E /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.xib; name = Base; path = Base.lproj/MainMenu.xib; sourceTree = "<group>"; }; D46E9CEE1B1E5DEF00ED650E /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.xib; name = Base; path = Base.lproj/MainMenu.xib; sourceTree = "<group>"; }; + D47F51211C3B80DE00A7CEFE /* SecCFAllocator.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecCFAllocator.h; path = ../sec/Security/SecCFAllocator.h; sourceTree = "<group>"; }; + D4D886C31CEBDBEB00DC7583 /* ssl-policy-certs */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "ssl-policy-certs"; path = "../../SecurityTests/ssl-policy-certs"; sourceTree = "<group>"; }; + D4D886F21CED01F800DC7583 /* nist-certs */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "nist-certs"; path = "../../SecurityTests/nist-certs"; sourceTree = "<group>"; }; + D4D886FA1CED07B400DC7583 /* Digisign-Server-ID-Enrich-Entrust-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Digisign-Server-ID-Enrich-Entrust-Cert.crt"; path = "../../SecurityTests/DigicertMalaysia/Digisign-Server-ID-Enrich-Entrust-Cert.crt"; sourceTree = "<group>"; }; + D4D886FB1CED07B400DC7583 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Digisign-Server-ID-Enrich-GTETrust-Cert.crt"; path = "../../SecurityTests/DigicertMalaysia/Digisign-Server-ID-Enrich-GTETrust-Cert.crt"; sourceTree = "<group>"; }; + D4D886FC1CED07B400DC7583 /* Invalid-webmail.jaring.my.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-webmail.jaring.my.crt"; path = "../../SecurityTests/DigicertMalaysia/Invalid-webmail.jaring.my.crt"; sourceTree = "<group>"; }; + D4D886FD1CED07B400DC7583 /* Invalid-www.cybersecurity.my.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-www.cybersecurity.my.crt"; path = 
"../../SecurityTests/DigicertMalaysia/Invalid-www.cybersecurity.my.crt"; sourceTree = "<group>"; }; + D4D887031CED081500DC7583 /* DigiNotar_Root_CA_G2-RootCertificate.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "DigiNotar_Root_CA_G2-RootCertificate.crt"; path = "../../SecurityTests/DigiNotar/DigiNotar_Root_CA_G2-RootCertificate.crt"; sourceTree = "<group>"; }; + D4D887041CED081500DC7583 /* diginotar-public-ca-2025-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "diginotar-public-ca-2025-Cert.crt"; path = "../../SecurityTests/DigiNotar/diginotar-public-ca-2025-Cert.crt"; sourceTree = "<group>"; }; + D4D887051CED081500DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "diginotar-services-1024-entrust-secure-server-Cert.crt"; path = "../../SecurityTests/DigiNotar/diginotar-services-1024-entrust-secure-server-Cert.crt"; sourceTree = "<group>"; }; + D4D887061CED081500DC7583 /* diginotar-services-diginotar-root-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "diginotar-services-diginotar-root-Cert.crt"; path = "../../SecurityTests/DigiNotar/diginotar-services-diginotar-root-Cert.crt"; sourceTree = "<group>"; }; + D4D887071CED081500DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "diginotar.cyberca-gte.global.root-Cert.crt"; path = "../../SecurityTests/DigiNotar/diginotar.cyberca-gte.global.root-Cert.crt"; sourceTree = "<group>"; }; + D4D887081CED081500DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "diginotar.extended.validation-diginotar.root.ca-Cert.crt"; path = "../../SecurityTests/DigiNotar/diginotar.extended.validation-diginotar.root.ca-Cert.crt"; sourceTree = "<group>"; }; + D4D887091CED081500DC7583 /* diginotar.root.ca-entrust-secure-server-Cert.crt */ = {isa = 
PBXFileReference; lastKnownFileType = file; name = "diginotar.root.ca-entrust-secure-server-Cert.crt"; path = "../../SecurityTests/DigiNotar/diginotar.root.ca-entrust-secure-server-Cert.crt"; sourceTree = "<group>"; }; + D4D8870A1CED081500DC7583 /* DigiNotarCA2007RootCertificate.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = DigiNotarCA2007RootCertificate.crt; path = ../../SecurityTests/DigiNotar/DigiNotarCA2007RootCertificate.crt; sourceTree = "<group>"; }; + D4D8870B1CED081500DC7583 /* Expectations.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = Expectations.plist; path = ../../SecurityTests/DigiNotar/Expectations.plist; sourceTree = "<group>"; }; + D4D8870C1CED081600DC7583 /* Invalid-asterisk.google.com.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-asterisk.google.com.crt"; path = "../../SecurityTests/DigiNotar/Invalid-asterisk.google.com.crt"; sourceTree = "<group>"; }; + D4D8870D1CED081600DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-CertiID_Enterprise_Certificate_Authority.crt"; path = "../../SecurityTests/DigiNotar/Invalid-CertiID_Enterprise_Certificate_Authority.crt"; sourceTree = "<group>"; }; + D4D8870E1CED081600DC7583 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt"; path = "../../SecurityTests/DigiNotar/Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt"; sourceTree = "<group>"; }; + D4D8870F1CED081600DC7583 /* Invalid-diginotarpkioverheidcaoverheid.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-diginotarpkioverheidcaoverheid.crt"; path = "../../SecurityTests/DigiNotar/Invalid-diginotarpkioverheidcaoverheid.crt"; sourceTree = "<group>"; }; + D4D887101CED081600DC7583 /* 
Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt"; path = "../../SecurityTests/DigiNotar/Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt"; sourceTree = "<group>"; }; + D4D887111CED081600DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt"; path = "../../SecurityTests/DigiNotar/Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt"; sourceTree = "<group>"; }; + D4D887121CED081600DC7583 /* Invalid-webmail.portofamsterdam.nl.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-webmail.portofamsterdam.nl.crt"; path = "../../SecurityTests/DigiNotar/Invalid-webmail.portofamsterdam.nl.crt"; sourceTree = "<group>"; }; + D4D887131CED081600DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-webmail.terneuzen.nl-diginotar-services.crt"; path = "../../SecurityTests/DigiNotar/Invalid-webmail.terneuzen.nl-diginotar-services.crt"; sourceTree = "<group>"; }; + D4D887141CED081600DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-www.maestre.com-diginotal.extended.validation.crt"; path = "../../SecurityTests/DigiNotar/Invalid-www.maestre.com-diginotal.extended.validation.crt"; sourceTree = "<group>"; }; + D4D887151CED081600DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt"; path = "../../SecurityTests/DigiNotar/Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt"; sourceTree = "<group>"; }; + D4D887161CED081700DC7583 /* 
Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt; path = ../../SecurityTests/DigiNotar/Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt; sourceTree = "<group>"; }; + D4D887171CED081700DC7583 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = Ministerie_van_Defensie_Certificatie_Autoriteit.crt; path = ../../SecurityTests/DigiNotar/Ministerie_van_Defensie_Certificatie_Autoriteit.crt; sourceTree = "<group>"; }; + D4D887181CED081700DC7583 /* staatdernederlandenorganisatieca-g2-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "staatdernederlandenorganisatieca-g2-Cert.crt"; path = "../../SecurityTests/DigiNotar/staatdernederlandenorganisatieca-g2-Cert.crt"; sourceTree = "<group>"; }; + D4D887191CED081700DC7583 /* staatdernederlandenoverheidca-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "staatdernederlandenoverheidca-Cert.crt"; path = "../../SecurityTests/DigiNotar/staatdernederlandenoverheidca-Cert.crt"; sourceTree = "<group>"; }; + D4D9B9FD1C7E5CCA008785EB /* SecServerEncryptionSupport.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecServerEncryptionSupport.h; path = ../sec/Security/SecServerEncryptionSupport.h; sourceTree = "<group>"; }; D4DDD3A71BE3EB4200E8AE2D /* libDiagnosticMessagesClient.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libDiagnosticMessagesClient.dylib; path = ../../../../../../usr/lib/libDiagnosticMessagesClient.dylib; sourceTree = "<group>"; }; - EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "bc-10-knife-on-bread.c"; path = "Breadcrumb/bc-10-knife-on-bread.c"; sourceTree = "<group>"; }; + D4DDD9661CA2F2A700AA03AE /* libbsm.dylib */ = {isa = 
PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libbsm.dylib; path = usr/lib/libbsm.dylib; sourceTree = SDKROOT; }; + D4EC94D51CEA48000083E753 /* si-20-sectrust-policies-data */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "si-20-sectrust-policies-data"; path = "../shared_regressions/si-20-sectrust-policies-data"; sourceTree = "<group>"; }; + DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SecurityFoundation.framework; path = System/Library/Frameworks/SecurityFoundation.framework; sourceTree = SDKROOT; }; + EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "bc-10-knife-on-bread.m"; path = "Breadcrumb/bc-10-knife-on-bread.m"; sourceTree = "<group>"; }; EB22F3F618A26BA50016A8EC /* breadcrumb_regressions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = breadcrumb_regressions.h; path = Breadcrumb/breadcrumb_regressions.h; sourceTree = "<group>"; }; EB22F3F718A26BA50016A8EC /* SecBreadcrumb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = SecBreadcrumb.c; path = Breadcrumb/SecBreadcrumb.c; sourceTree = "<group>"; }; EB22F3F818A26BA50016A8EC /* SecBreadcrumb.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecBreadcrumb.h; path = Breadcrumb/SecBreadcrumb.h; sourceTree = "<group>"; }; - EB93FF531BE088F600978606 /* secbackupntest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = secbackupntest.m; path = secbackupntest/secbackupntest.m; sourceTree = "<group>"; }; - EB93FF541BE088FC00978606 /* Security.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Security.plist; sourceTree = "<group>"; }; - EB93FF8D1BE08DE600978606 /* IOKit.framework 
*/ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.12.Internal.sdk/System/Library/Frameworks/IOKit.framework; sourceTree = DEVELOPER_DIR; }; - EBC1B8E21BE9708300E6ACA6 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.12.Internal.sdk/System/Library/Frameworks/Foundation.framework; sourceTree = DEVELOPER_DIR; }; + EB73F03E1C210D49008191E3 /* SecurityFeatures.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecurityFeatures.h; path = SecurityFeatures/iOS/SecurityFeatures.h; sourceTree = "<group>"; }; + EB73F03F1C210D58008191E3 /* SecurityFeatures.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecurityFeatures.h; path = SecurityFeatures/OSX/SecurityFeatures.h; sourceTree = "<group>"; }; + EB73F0401C210D78008191E3 /* CopyHeaders.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; name = CopyHeaders.sh; path = SecurityFeatures/CopyHeaders.sh; sourceTree = "<group>"; }; + EB73F0411C210D78008191E3 /* README.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README.txt; path = SecurityFeatures/README.txt; sourceTree = "<group>"; }; + EB73F0441C210DF8008191E3 /* SecurityFeatures.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecurityFeatures.h; path = include/Security/SecurityFeatures.h; sourceTree = "<group>"; }; + EBB696FD1BE208BA00715F16 /* Security.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Security.plist; sourceTree = "<group>"; }; + EBB696FF1BE208CB00715F16 /* secbackupntest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = secbackupntest.m; path = 
secbackupntest/secbackupntest.m; sourceTree = "<group>"; }; + EBB697041BE208FC00715F16 /* secbackupntest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secbackupntest; sourceTree = BUILT_PRODUCTS_DIR; }; EBD8B52718A55668004A650F /* README */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README; path = Breadcrumb/README; sourceTree = "<group>"; }; + EBE011FF1C2135E200CB6A63 /* ExternalProject.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; name = ExternalProject.sh; path = SecurityFeatures/ExternalProject.sh; sourceTree = "<group>"; }; EBF2D7131C1E0AF7006AB6FF /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/System/Library/Frameworks/Foundation.framework; sourceTree = DEVELOPER_DIR; }; EBF2E29C1BEC8D9200626DE4 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/System/Library/Frameworks/IOKit.framework; sourceTree = DEVELOPER_DIR; }; F93C493D1AB8FF670047E01A /* ckcdiagnose.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = ckcdiagnose.sh; sourceTree = "<group>"; }; 
@@ -2676,13 +2730,15 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - EBF2D7641C1E3AB2006AB6FF /* Foundation.framework in Frameworks */, + EB73EFE91C210947008191E3 /* Foundation.framework in Frameworks */, + 0C6C632A15D1989900BC68CD /* libsecurity_ssl_regressions.a in Frameworks */, D4CBC1451BE981F600C5795E /* libsecurity_cms_regressions.a in Frameworks */, 18CD682717272EBC005345FB /* libaks.a in Frameworks */, 0CCEBDB416C2D026001BD7F6 /* libregressions.a in Frameworks */, + DC247FB51CBF1C2500527D67 /* libDER.a in Frameworks */, 52669053169D181900ED8231 /* Security.framework in Frameworks */, + DC7EFBAB1CBC46A7005F9624 /* SecurityFoundation.framework in Frameworks */, 0C6C633015D19FF500BC68CD /* CoreFoundation.framework in Frameworks */, - 0C6C632A15D1989900BC68CD /* libsecurity_ssl_regressions.a in Frameworks */, 0CAA7AB516C9A72A00A32C6D /* libsecurity_keychain_regressions.a in Frameworks */, ACB6171918B5231800EBEDD7 /* libsecurity_smime_regressions.a in Frameworks */, 18CD684E17272EE2005345FB /* IOKit.framework in Frameworks */, 
@@ -2693,29 +2749,32 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - EBF2D7141C1E0AF7006AB6FF /* Foundation.framework in Frameworks */, + D447C0E71D2C9C390082FC1D /* libDiagnosticMessagesClient.dylib in Frameworks */, 5E7AF49B1ACD64E600005140 /* libACM.a in Frameworks */, - 5E605AFC1AB859B70049FA14 /* libcoreauthd_test_client.a in Frameworks */, - 44D78BB91A0A615800B63C6C /* libaks_acl.a in Frameworks */, 187A05B1170393FF0038C158 /* libaks.a in Frameworks */, - 18363C1417026084002D5C1C /* IOKit.framework in Frameworks */, - 39BFB04516D304DE0022564B /* SystemConfiguration.framework in Frameworks */, - 0CC3351E16C1ED8000399E53 /* libDER.a in Frameworks */, + 44D78BB91A0A615800B63C6C /* libaks_acl.a in Frameworks */, 0C10987616CAAE8200803B8F /* libASN1.a in Frameworks */, + D4DDD9671CA2F2A700AA03AE /* libbsm.dylib in Frameworks */, + 5E605AFC1AB859B70049FA14 /* libcoreauthd_test_client.a in Frameworks */, + 4469FC291AA0A5AF0021AA26 /* libctkclient_test.a in Frameworks */, + 0CC3351E16C1ED8000399E53 /* libDER.a in Frameworks */, + 0CCEBDB816C2E6CE001BD7F6 /* libsqlite3.dylib in Frameworks */, 0CC3356316C1EFBE00399E53 /* libregressions.a in Frameworks */, + 0C4EAE7717668DDF00773425 /* libsecdRegressions.a in Frameworks */, + 0CC3352616C1ED8000399E53 /* libsecipc_client.a in Frameworks */, 0CC3351F16C1ED8000399E53 /* libSecItemShimOSX.a in Frameworks */, - 0CC3352016C1ED8000399E53 /* libutilities.a in Frameworks */, + 0CC3352716C1ED8000399E53 /* libSecureObjectSync.a in Frameworks */, 0CC3351C16C1ED8000399E53 /* libsecurity.a in Frameworks */, 0CCEBDB616C2E431001BD7F6 /* libsecurityd.a in Frameworks */, - 0CC3352616C1ED8000399E53 /* libsecipc_client.a in Frameworks */, - 0CC3352716C1ED8000399E53 /* libSecureObjectSync.a in Frameworks */, - 0CCEBDB816C2E6CE001BD7F6 /* libsqlite3.dylib in Frameworks */, - 0CC3352416C1ED8000399E53 /* CoreFoundation.framework in Frameworks */, - 0CCEBDB716C2E6B0001BD7F6 /* CFNetwork.framework in Frameworks */, - 
4469FC291AA0A5AF0021AA26 /* libctkclient_test.a in Frameworks */, 0CC3352316C1ED8000399E53 /* libSOSRegressions.a in Frameworks */, + 0CC3352016C1ED8000399E53 /* libutilities.a in Frameworks */, 0CCEBDBB16C30924001BD7F6 /* libutilitiesRegressions.a in Frameworks */, - 0C4EAE7717668DDF00773425 /* libsecdRegressions.a in Frameworks */, + 0CCEBDB716C2E6B0001BD7F6 /* CFNetwork.framework in Frameworks */, + 0CC3352416C1ED8000399E53 /* CoreFoundation.framework in Frameworks */, + EB73EFE81C210947008191E3 /* Foundation.framework in Frameworks */, + 18363C1417026084002D5C1C /* IOKit.framework in Frameworks */, + 39BFB04516D304DE0022564B /* SystemConfiguration.framework in Frameworks */, + D4DDD9961CA320FE00AA03AE /* Security.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -2723,6 +2782,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 1FDA9ABD1C448DFC0083929D /* libsecurity_translocate.a in Frameworks */, 0CC2CB101B6A04D80074B0F2 /* libDiagnosticMessagesClient.dylib in Frameworks */, 44D78BB81A0A615500B63C6C /* libaks_acl.a in Frameworks */, 44F7912019FFED88008B8147 /* libcoreauthd_client.a in Frameworks */, 
@@ -2780,26 +2840,29 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 6C721DB11D3D18D700888AE1 /* login.framework in Frameworks */, + D447C0C21D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib in Frameworks */, 5E7AF4731ACD64AC00005140 /* libACM.a in Frameworks */, - 44D78BBB1A0A617700B63C6C /* libcoreauthd_client.a in Frameworks */, 189757871700CF4C00672567 /* libaks.a in Frameworks */, - 395E7CEE16C64EA500CD82A4 /* SystemConfiguration.framework in Frameworks */, - 5208BF4F16A0993C0062DDC5 /* libsecurity.a in Frameworks */, - AAF3DCCB1666D03300376593 /* libsecurity_utilities.a in Frameworks */, - 4C7D8765160A74C400D041E3 /* libutilities.a in Frameworks */, 44D78BBA1A0A616200B63C6C /* libaks_acl.a in Frameworks */, - 18F2360115CAF41200060520 /* libsecurity_codesigning.a in Frameworks */, - 1831329B14EB2C6D00F0BCAC /* libASN1.a in Frameworks */, - 1831329C14EB2C6D00F0BCAC /* libDER.a in Frameworks */, - 18270EFE14CF429600B05E7F /* IOKit.framework in Frameworks */, - 18270EFA14CF426200B05E7F /* libsqlite3.dylib in Frameworks */, + 8E64DB4B1C17C2830076C9DF /* libASN1.a in Frameworks */, 18270EF914CF425100B05E7F /* libbsm.dylib in Frameworks */, - 18270EE814CF294500B05E7F /* libsecurityd.a in Frameworks */, - 4C01DF14164C3E7C006798CD /* libSecureObjectSync.a in Frameworks */, + 44D78BBB1A0A617700B63C6C /* libcoreauthd_client.a in Frameworks */, 44A655CF1AA4B4F50059D185 /* libctkclient.a in Frameworks */, + 8E64DB4A1C17C26F0076C9DF /* libDER.a in Frameworks */, + AAF3DCCB1666D03300376593 /* libsecurity_utilities.a in Frameworks */, + 18F2360115CAF41200060520 /* libsecurity_codesigning.a in Frameworks */, + 18270EFA14CF426200B05E7F /* libsqlite3.dylib in Frameworks */, 4C8D8651177A752D0019A804 /* libsecipc_client.a in Frameworks */, - 18270EF814CF424900B05E7F /* CoreFoundation.framework in Frameworks */, + 4C01DF14164C3E7C006798CD /* libSecureObjectSync.a in Frameworks */, + 5208BF4F16A0993C0062DDC5 /* libsecurity.a in Frameworks */, + 
18270EE814CF294500B05E7F /* libsecurityd.a in Frameworks */, + 4C7D8765160A74C400D041E3 /* libutilities.a in Frameworks */, 18270EFC14CF427800B05E7F /* CFNetwork.framework in Frameworks */, + 18270EF814CF424900B05E7F /* CoreFoundation.framework in Frameworks */, + 18270EFE14CF429600B05E7F /* IOKit.framework in Frameworks */, + 395E7CEE16C64EA500CD82A4 /* SystemConfiguration.framework in Frameworks */, + D4DDD9971CA3216C00AA03AE /* Security.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -2808,6 +2871,7 @@ buildActionMask = 2147483647; files = ( 182BB592146FE1D7000BF1F3 /* CoreFoundation.framework in Frameworks */, + DC311CC81CCEC82E00E14E8D /* libutilities.a in Frameworks */, 182BB591146FE12F000BF1F3 /* libsecurity_utilities.a in Frameworks */, 182BB590146FE125000BF1F3 /* libsecurity_cdsa_utilities.a in Frameworks */, 182BB589146FE013000BF1F3 /* libsecurity_codesigning.a in Frameworks */, @@ -2855,11 +2919,12 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 0C869B6A1C865E62006A2873 /* CoreCDP.framework in Frameworks */, + 4CAEACCD16D6FC7600263776 /* Security.framework in Frameworks */, 4C97761E17BEB23E0002BFE4 /* AOSAccounts.framework in Frameworks */, 4C5DD46C17A5F67300696A79 /* AppleSystemInfo.framework in Frameworks */, 4C328D301778EC4F0015EED1 /* AOSUI.framework in Frameworks */, 43651E021B016BE8008C4B88 /* CrashReporterSupport.framework in Frameworks */, - 4CAEACCD16D6FC7600263776 /* Security.framework in Frameworks */, 4C96F7C216D6DF8400D3B39D /* Cocoa.framework in Frameworks */, 431B737F1B27762C00EB0360 /* CloudServices.framework in Frameworks */, 431B73C11B2777A200EB0360 /* libutilities.a in Frameworks */, 
@@ -2870,7 +2935,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - EBC1B8E31BE9708300E6ACA6 /* Foundation.framework in Frameworks */, + EB73EFEA1C210947008191E3 /* Foundation.framework in Frameworks */, 44D78BB71A0A613900B63C6C /* libaks_acl.a in Frameworks */, 52CD052316A0E24900218387 /* Security.framework in Frameworks */, 432800841B4CE731002E8525 /* libaks.a in Frameworks */, @@ -2895,25 +2960,11 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 5214700316977CB800DF0DB3 /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - CD7446D9195A1CFE00FB01C0 /* IDS.framework in Frameworks */, - 5214701E16977DA700DF0DB3 /* libCloudKeychainProxy.a in Frameworks */, - 5214701D16977D9500DF0DB3 /* libutilities.a in Frameworks */, - 529E948C169E29450000AC9B /* Security.framework in Frameworks */, - 0C4EAE4C1766864F00773425 /* libaks.a in Frameworks */, - 0C4EAE761766875E00773425 /* IOKit.framework in Frameworks */, - 43C3B2C61AFD5BBB00786702 /* Foundation.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; 5EF7C2071B00E25400E5E99C /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - EBF2D7631C1E2B58006AB6FF /* Foundation.framework in Frameworks */, + EBB6970B1BE2091300715F16 /* Foundation.framework in Frameworks */, 5EF7C2521B00EB0A00E5E99C /* libaks.a in Frameworks */, 5EF7C2511B00EAF100E5E99C /* libcoreauthd_client.a in Frameworks */, 5EF7C2501B00EA7A00E5E99C /* libACM.a in Frameworks */, 
@@ -2925,33 +2976,24 @@ 5EF7C24B1B00E71D00E5E99C /* libsecurity.a in Frameworks */, 5ED88B451B0DE63E00F3B047 /* libsecurityd.a in Frameworks */, 5EF7C2401B00E4C300E5E99C /* libregressions.a in Frameworks */, - 5EFB69BD1B0CBE030095A36E /* libDER.a in Frameworks */, + D42CFD771BFD3379008C8737 /* libDER.a in Frameworks */, 5EFB69C31B0CC16F0095A36E /* libsecipc_client.a in Frameworks */, 5EF7C24A1B00E6E300E5E99C /* Security.framework in Frameworks */, 438166AB1B4EC98000C54D58 /* libctkclient.a in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; - 72756BFB175D485D00F52070 /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - EBF2E29D1BEC8D9200626DE4 /* IOKit.framework in Frameworks */, - 43C3B0D41AFD569600786702 /* Security.framework in Frameworks */, - 43C3B3311AFD5E1100786702 /* CoreFoundation.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; BE48AE041ADF1DF4000836C1 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 6C721DD61D3D18EC00888AE1 /* login.framework in Frameworks */, + D45FC3E41C9E06B500509CDA /* libSecureObjectSync.a in Frameworks */, D4DDD3D01BE3EC0300E8AE2D /* libDiagnosticMessagesClient.dylib in Frameworks */, BE48AE051ADF1DF4000836C1 /* libACM.a in Frameworks */, BE48AE061ADF1DF4000836C1 /* libcoreauthd_client.a in Frameworks */, BE48AE071ADF1DF4000836C1 /* libaks.a in Frameworks */, BE48AE081ADF1DF4000836C1 /* SystemConfiguration.framework in Frameworks */, - BE48AE091ADF1DF4000836C1 /* libsecurity.a in Frameworks */, BE48AE0A1ADF1DF4000836C1 /* libsecurity_utilities.a in Frameworks */, BE48AE0B1ADF1DF4000836C1 /* libutilities.a in Frameworks */, BE48AE0C1ADF1DF4000836C1 /* libaks_acl.a in Frameworks */, 
@@ -2961,53 +3003,43 @@ BE48AE101ADF1DF4000836C1 /* IOKit.framework in Frameworks */, BE48AE111ADF1DF4000836C1 /* libsqlite3.dylib in Frameworks */, BE48AE121ADF1DF4000836C1 /* libbsm.dylib in Frameworks */, - BE48AE131ADF1DF4000836C1 /* libsecurityd.a in Frameworks */, - BE48AE141ADF1DF4000836C1 /* libSecureObjectSync.a in Frameworks */, + D45FC3E11C9E068700509CDA /* libsecurityd.a in Frameworks */, + D467D0EA1C9DF27100C9DE3E /* libsecipc_client.a in Frameworks */, BE48AE151ADF1DF4000836C1 /* libctkclient.a in Frameworks */, - BE48AE161ADF1DF4000836C1 /* libsecipc_client.a in Frameworks */, BE48AE171ADF1DF4000836C1 /* CoreFoundation.framework in Frameworks */, BE48AE181ADF1DF4000836C1 /* CFNetwork.framework in Frameworks */, + D42817D01C6000E1007F95D8 /* Security.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; - BE94B7931AD83AF700A7216D /* Frameworks */ = { + D42FA8211C9B8D3C003E46A7 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - BE60737A1ADC9E89007FECC1 /* libACM.a in Frameworks */, - BE607DC61AD8673C001B7778 /* libcoreauthd_client.a in Frameworks */, - BE9703F71AD865540041D253 /* libaks.a in Frameworks */, - BE6073A61ADC9F7A007FECC1 /* SystemConfiguration.framework in Frameworks */, - BE607DC71AD86746001B7778 /* libaks_acl.a in Frameworks */, - BE6073A51ADC9F1C007FECC1 /* libctkclient.a in Frameworks */, - BE94B7D41AD83D0D00A7216D /* libsecurity.a in Frameworks */, - BE94B7D51AD83D2B00A7216D /* libutilities.a in Frameworks */, - BE94B7D21AD83D0D00A7216D /* libSecTrustOSX.a in Frameworks */, - BE2C05151AD893DF00D6A139 /* libsecurity_codesigning.a in Frameworks */, - BE607DC81AD86859001B7778 /* libASN1.a in Frameworks */, - BE607DC91AD8685B001B7778 /* libDER.a in Frameworks */, - BE94B7981AD83AF700A7216D /* IOKit.framework in Frameworks */, - BE94B7941AD83AF700A7216D /* libsqlite3.dylib in Frameworks */, - BE94B7951AD83AF700A7216D /* libbsm.dylib in Frameworks */, - BE94B7D81AD83D6A00A7216D 
/* libsecurityd.a in Frameworks */, - BE94B7F01AD8457200A7216D /* libSecureObjectSync.a in Frameworks */, - BE94B7D01AD83D0D00A7216D /* libsecipc_client.a in Frameworks */, - BE94B7971AD83AF700A7216D /* CoreFoundation.framework in Frameworks */, - BE6073A71ADC9F88007FECC1 /* CFNetwork.framework in Frameworks */, + D42FA8501C9B9047003E46A7 /* CoreFoundation.framework in Frameworks */, + D42FA84E1C9B903F003E46A7 /* Security.framework in Frameworks */, + DC7EFC0E1CBC7567005F9624 /* SecurityFoundation.framework in Frameworks */, + D42FA8451C9B8FDE003E46A7 /* Foundation.framework in Frameworks */, + D42FA84D1C9B901E003E46A7 /* IOKit.framework in Frameworks */, + D42FA8EB1C9BAAD5003E46A7 /* libaks.a in Frameworks */, + D42FA8E91C9B95EC003E46A7 /* libregressions.a in Frameworks */, + DC247FD81CBF1C3F00527D67 /* libDER.a in Frameworks */, + D42FA84A1C9B900A003E46A7 /* libSharedRegressions.a in Frameworks */, + D42FA8461C9B9000003E46A7 /* libsecurity_cms_regressions.a in Frameworks */, + D42FA8471C9B9000003E46A7 /* libsecurity_keychain_regressions.a in Frameworks */, + D42FA8481C9B9000003E46A7 /* libsecurity_smime_regressions.a in Frameworks */, + D42FA8491C9B9000003E46A7 /* libsecurity_ssl_regressions.a in Frameworks */, + D42FA84B1C9B9013003E46A7 /* libutilities.a in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; - CD63ACDD1A8061FA001B5671 /* Frameworks */ = { + EBB697011BE208FC00715F16 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - CD0CB49E1A818A0D00C058A4 /* Security.framework in Frameworks */, - CD2E85F61A81793B00F8B00A /* IDS.framework in Frameworks */, - CD19A65F1A8065E900F9C276 /* Foundation.framework in Frameworks */, - CD19A65D1A8065DC00F9C276 /* libutilities.a in Frameworks */, - 432800831B4CE730002E8525 /* libaks.a in Frameworks */, - CD0637581A840B5B00C81E74 /* IOKit.framework in Frameworks */, - CD19A6611A8069D100F9C276 /* libIDSKeychainSyncingProxy.a in Frameworks */, + EBB697101BE20A1200715F16 /* 
Security.framework in Frameworks */, + E74583F51BF66506001B54A4 /* IOKit.framework in Frameworks */, + EB73EFEB1C210947008191E3 /* Foundation.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -3033,32 +3065,6 @@ path = lib; sourceTree = "<group>"; }; - 0C6D77DF15C8C06500BB4405 /* Products */ = { - isa = PBXGroup; - children = ( - E7421C7E1ADC8E0D005FC1C0 /* tlsnke.kext */, - 0C6D77EB15C8C06600BB4405 /* tlsnketest */, - 0C6D77ED15C8C06600BB4405 /* libtlssocket.a */, - ); - name = Products; - sourceTree = "<group>"; - }; - 0C6D77EE15C8C07C00BB4405 /* tlsnke */ = { - isa = PBXGroup; - children = ( - 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */, - ); - name = tlsnke; - sourceTree = "<group>"; - }; - 0CC1228A19C75B8F00D23178 /* shared_regressions */ = { - isa = PBXGroup; - children = ( - 0CC1228B19C75B9000D23178 /* shared_regressions.h */, - ); - path = shared_regressions; - sourceTree = "<group>"; - }; 0CC3355516C1EEAD00399E53 /* secdtests */ = { isa = PBXGroup; children = ( @@ -3079,6 +3085,7 @@ 1807383F146D0D4E00F05C24 = { isa = PBXGroup; children = ( + 486326321CAA0C6500A466D9 /* com.apple.securityd.plist */, F93C493C1AB8FF670047E01A /* ckcdiagnose */, CD276BE21A83F204003226BC /* InfoPlist.strings */, EB22F3CE18A26B640016A8EC /* Breadcrumb */, 
@@ -3089,24 +3096,21 @@ 186CDD0314CA10E700AF9171 /* sec */, 186CDE7914CA3A3800AF9171 /* secd */, 4C0F6FAF1985879300178101 /* sectask */, - 0CC1228A19C75B8F00D23178 /* shared_regressions */, - 0C6D77EE15C8C07C00BB4405 /* tlsnke */, 181EA421146D4A2A00A6D320 /* config */, 0CC3355516C1EEAD00399E53 /* secdtests */, 0C6C630D15D193C800BC68CD /* sectests */, 18F234ED15C9F9A700060520 /* authd */, BE94B7D91AD8421F00A7216D /* trustd */, - 5214700D16977CB800DF0DB3 /* CloudKeychainProxy */, 4CB23B48169F5873003A0131 /* security2 */, 4CC7A7B516CC2A85003E10C1 /* KeychainDemoApp */, 4C96F7C316D6DF8400D3B39D /* Keychain Circle Notification */, - 72756C00175D485D00F52070 /* cloud_keychain_diagnose */, 721680A7179B40F600406BB4 /* iCloudStats */, 37A7CEAC197DB8FA00926CE8 /* codesign_tests */, 37AB39101A44A88000B56E04 /* gk_reset_check */, - CD63ACE11A8061FA001B5671 /* IDSKeychainSyncingProxy */, 5EF7C20B1B00E25400E5E99C /* secacltests */, - EB93FF2A1BE0889E00978606 /* RegressionTests */, + EB73F0121C210CC7008191E3 /* SecurityFeatures */, + EBB696D51BE2089400715F16 /* RegressionTests */, + D42FA8251C9B8D3C003E46A7 /* SecurityTestsOSX */, 1807384D146D0D4E00F05C24 /* Frameworks */, 1807384C146D0D4E00F05C24 /* Products */, ); 
@@ -3121,19 +3125,17 @@ 18270ED614CF282600B05E7F /* secd */, 0C6C630B15D193C800BC68CD /* sectests */, 18F234EB15C9F9A600060520 /* authd.xpc */, - 5214700616977CB800DF0DB3 /* CloudKeychainProxy.bundle */, 4CB23B46169F5873003A0131 /* security2 */, 0CC3352D16C1ED8000399E53 /* secdtests */, 4CC7A7B316CC2A84003E10C1 /* Cloud Keychain Utility.app */, 4C96F7C116D6DF8300D3B39D /* Keychain Circle Notification.app */, - 72756BFE175D485D00F52070 /* cloud_keychain_diagnose */, 37A7CEAB197DB8FA00926CE8 /* codesign_tests */, 37AB390F1A44A88000B56E04 /* gk_reset_check */, - CD63ACE01A8061FA001B5671 /* IDSKeychainSyncingProxy.bundle */, 3705CAD21A896DE800402F75 /* SecTaskTest */, 5EF7C20A1B00E25400E5E99C /* secacltests */, - BE94B7A41AD83AF700A7216D /* trustd.xpc */, BE48AE211ADF1DF4000836C1 /* trustd */, + EBB697041BE208FC00715F16 /* secbackupntest */, + D42FA8241C9B8D3C003E46A7 /* SecurityTestsOSX.app */, ); name = Products; sourceTree = "<group>"; @@ -3141,11 +3143,17 @@ 1807384D146D0D4E00F05C24 /* Frameworks */ = { isa = PBXGroup; children = ( + 6C721DB01D3D18D700888AE1 /* login.framework */, + D447C0C11D2C9BAB0082FC1D /* libDiagnosticMessagesClient.dylib */, + DC7EFBAA1CBC46A7005F9624 /* SecurityFoundation.framework */, + D4DDD9661CA2F2A700AA03AE /* libbsm.dylib */, + 0C869B691C865E62006A2873 /* CoreCDP.framework */, + D42FA84F1C9B9047003E46A7 /* CoreFoundation.framework */, + D42FA84C1C9B901E003E46A7 /* IOKit.framework */, + D42FA8441C9B8FDE003E46A7 /* Foundation.framework */, EBF2D7131C1E0AF7006AB6FF /* Foundation.framework */, D4DDD3A71BE3EB4200E8AE2D /* libDiagnosticMessagesClient.dylib */, EBF2E29C1BEC8D9200626DE4 /* IOKit.framework */, - EBC1B8E21BE9708300E6ACA6 /* Foundation.framework */, - EB93FF8D1BE08DE600978606 /* IOKit.framework */, 4C97761D17BEB23E0002BFE4 /* AOSAccounts.framework */, 4C328D2F1778EC4F0015EED1 /* AOSUI.framework */, 4C5DD46B17A5F67300696A79 /* AppleSystemInfo.framework */, 
@@ -3216,6 +3224,7 @@ 181EA3D0146D1ED200A6D320 /* libsecurity */ = { isa = PBXGroup; children = ( + 1F6FC5DF1C3D9D90001C758F /* libsecurity_translocate.xcodeproj */, 1879B532146DDBE5007E536C /* libsecurity_utilities.xcodeproj */, 1879B547146DE212007E536C /* libsecurity_cdsa_utils.xcodeproj */, 1879B550146DE227007E536C /* libsecurity_cdsa_utilities.xcodeproj */, @@ -3297,8 +3306,6 @@ 18270F3114CF448600B05E7F /* security_utilities */ = { isa = PBXGroup; children = ( - 18270F3A14CF44C400B05E7F /* debugging.c */, - 18270F3B14CF44C400B05E7F /* debugging.h */, ); path = security_utilities; sourceTree = "<group>"; @@ -3306,7 +3313,6 @@ 182BB228146F0674000BF1F3 /* Resources */ = { isa = PBXGroup; children = ( - BEFB63681B6834AB0052149A /* AppWorkaround.plist */, 187D6B8F15D4359F00E27494 /* authorization.buttons.strings */, 187D6B9115D4359F00E27494 /* authorization.prompts.strings */, 43A598591B0CF2AB00D14A7B /* CloudKeychain.strings */, 
@@ -3368,18 +3374,17 @@ BE8D22BC1ABB747B009A4E18 /* libSecTrustOSX.a */, 18270F6014CF655B00B05E7F /* libsecipc_client.a */, 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */, - 4C1288EC15FFE9D7008CE3E3 /* libSOSRegressions.a */, - 4C1288EE15FFE9D7008CE3E3 /* libSecurityRegressions.a */, - 4C1288F015FFE9D7008CE3E3 /* libsecuritydRegressions.a */, 4C1288F215FFE9D7008CE3E3 /* libSecOtrOSX.a */, - 4C01DE32164C3793006798CD /* libCloudKeychainProxy.a */, - CD63AD0C1A8061FA001B5671 /* libIDSKeychainSyncingProxy.a */, 4CB23B76169F5873003A0131 /* libSecurityTool.a */, 4CB23B78169F5873003A0131 /* libSecurityCommands.a */, 4CB23B7A169F5873003A0131 /* libSOSCommands.a */, - 0C4EAE721766865000773425 /* libsecdRegressions.a */, E760796F1951F99600F69731 /* libSWCAgent.a */, E76079D51951FDA800F69731 /* liblogging.a */, + 4C1288EC15FFE9D7008CE3E3 /* libSOSRegressions.a */, + 4C1288EE15FFE9D7008CE3E3 /* libSecurityRegressions.a */, + 4C1288F015FFE9D7008CE3E3 /* libsecuritydRegressions.a */, + 0C4EAE721766865000773425 /* libsecdRegressions.a */, + D40772181C9B52210016AA66 /* libSharedRegressions.a */, ); name = Products; sourceTree = "<group>"; @@ -3482,6 +3487,7 @@ isa = PBXGroup; children = ( 524492691AFD6CB70043695A /* der_plist.h */, + 1FDA9ABB1C4489280083929D /* SecTranslocate.h */, 184460A1146DFCB700B12992 /* asn1Templates.h */, 1844614F146E923B00B12992 /* AuthorizationPriv.h */, 1844614E146E923B00B12992 /* AuthorizationTagsPriv.h */, @@ -3504,6 +3510,7 @@ 182BB1B4146EAD5D000BF1F3 /* SecCertificateBundle.h */, 182BB1B5146EAD5D000BF1F3 /* SecCertificatePriv.h */, 182BB1B6146EAD5D000BF1F3 /* SecCertificateRequest.h */, + D47F51211C3B80DE00A7CEFE /* SecCFAllocator.h */, AC5688BA18B4396D00F0526C /* SecCMS.h */, 182BB383146F14D2000BF1F3 /* SecCmsBase.h */, 182BB384146F14D2000BF1F3 /* SecCmsContentInfo.h */, 
@@ -3542,6 +3549,7 @@ 182BB1CF146EAD5D000BF1F3 /* SecRandomP.h */, 182BB1CE146EAD5D000BF1F3 /* SecRecoveryPassword.h */, 1844618F146E9A8F00B12992 /* SecRequirementPriv.h */, + D4D9B9FD1C7E5CCA008785EB /* SecServerEncryptionSupport.h */, 182BB38F146F14D2000BF1F3 /* SecSMIME.h */, 1844618E146E9A8F00B12992 /* SecStaticCodePriv.h */, 182BB3B7146F1BF9000BF1F3 /* SecTransformInternal.h */, @@ -3555,7 +3563,6 @@ 48FDA84D1AF989F600A9366F /* SOSCloudCircleInternal.h */, 4CB86AE6167A6FF200F46643 /* SOSCircle.h */, 4CB86AE7167A6FF200F46643 /* SOSCloudCircle.h */, - 52F8DE231AF2E58B00A2C271 /* SOSForerunnerSession.h */, 4CB86AED167A6FF300F46643 /* SOSPeerInfo.h */, CD8B5A9C1B618ED9004D4AEF /* SOSPeerInfoPriv.h */, CD4F43CC1B546A1900FE3569 /* SOSPeerInfoV2.h */, @@ -3832,7 +3839,7 @@ isa = PBXGroup; children = ( 1879B739146DE845007E536C /* libsecurity_transform.a */, - 1879B73D146DE845007E536C /* unit-tests.octest */, + 1879B73D146DE845007E536C /* unit-tests.xctest */, 1879B73F146DE845007E536C /* 100-sha2 */, 1879B741146DE845007E536C /* input-speed-test */, ); @@ -3897,6 +3904,14 @@ name = "Supporting Files"; sourceTree = "<group>"; }; + 1F6FC5E01C3D9D90001C758F /* Products */ = { + isa = PBXGroup; + children = ( + 1F6FC6001C3D9D90001C758F /* libsecurity_translocate.a */, + ); + name = Products; + sourceTree = "<group>"; + }; 3705CAA31A896CEE00402F75 /* SecTask */ = { isa = PBXGroup; children = ( 
@@ -4038,26 +4053,6 @@ name = "Supporting Files"; sourceTree = "<group>"; }; - 5214700D16977CB800DF0DB3 /* CloudKeychainProxy */ = { - isa = PBXGroup; - children = ( - 52C3D235169B56860091D9D3 /* ckdmain.m */, - 5214700E16977CB800DF0DB3 /* Supporting Files */, - ); - path = CloudKeychainProxy; - sourceTree = "<group>"; - }; - 5214700E16977CB800DF0DB3 /* Supporting Files */ = { - isa = PBXGroup; - children = ( - 5214702416977FEC00DF0DB3 /* cloudkeychain.entitlements.plist */, - 5214702516977FEC00DF0DB3 /* com.apple.security.cloudkeychainproxy.plist */, - 5214700F16977CB800DF0DB3 /* CloudKeychainProxy-Info.plist */, - 5214701016977CB800DF0DB3 /* InfoPlist.strings */, - ); - name = "Supporting Files"; - sourceTree = "<group>"; - }; 5EF7C20B1B00E25400E5E99C /* secacltests */ = { isa = PBXGroup; children = ( @@ -4079,23 +4074,6 @@ path = iCloudStats; sourceTree = "<group>"; }; - 72756C00175D485D00F52070 /* cloud_keychain_diagnose */ = { - isa = PBXGroup; - children = ( - 72756C30175D48C100F52070 /* cloud_keychain_diagnose.c */, - 72756C03175D485D00F52070 /* Supporting Files */, - ); - path = cloud_keychain_diagnose; - sourceTree = "<group>"; - }; - 72756C03175D485D00F52070 /* Supporting Files */ = { - isa = PBXGroup; - children = ( - 72756C04175D485D00F52070 /* cloud_keychain_diagnose-Prefix.pch */, - ); - name = "Supporting Files"; - sourceTree = "<group>"; - }; BE94B7D91AD8421F00A7216D /* trustd */ = { isa = PBXGroup; children = ( 
@@ -4103,37 +4081,85 @@ BE48AE241ADF1FD3000836C1 /* com.apple.trustd.agent.plist */, BE48AE261ADF2011000836C1 /* com.apple.trustd.plist */, BE94B7DB1AD8424700A7216D /* com.apple.trustd.sb */, + BE7169F41C0E7A2B00AFC620 /* entitlements.plist */, BE94B7A51AD83AF800A7216D /* trustd-Info.plist */, BE7048911AD84C53000402D8 /* trustd-Prefix.pch */, ); path = trustd; sourceTree = SOURCE_ROOT; }; - CD63ACE11A8061FA001B5671 /* IDSKeychainSyncingProxy */ = { + D42FA8251C9B8D3C003E46A7 /* SecurityTestsOSX */ = { isa = PBXGroup; children = ( - CD63AD151A8064C2001B5671 /* idksmain.m */, - CD63ACE21A8061FA001B5671 /* Supporting Files */, - ); - path = IDSKeychainSyncingProxy; + D42FA82A1C9B8D3D003E46A7 /* main.m */, + D42FA8351C9B8EC4003E46A7 /* testlist.h */, + D42FA87C1C9B9186003E46A7 /* si-82-sectrust-ct-logs.plist */, + D4EC94D51CEA48000083E753 /* si-20-sectrust-policies-data */, + D4D886F21CED01F800DC7583 /* nist-certs */, + D4D887311CED091100DC7583 /* DigiNotar */, + D4D887021CED07CA00DC7583 /* DigicertMalaysia */, + D4D886C31CEBDBEB00DC7583 /* ssl-policy-certs */, + 0C0C887C1CCED19E00617D1B /* si-82-sectrust-ct-data */, + D42FA8291C9B8D3D003E46A7 /* Supporting Files */, + ); + path = SecurityTestsOSX; sourceTree = "<group>"; }; - CD63ACE21A8061FA001B5671 /* Supporting Files */ = { + D42FA8291C9B8D3D003E46A7 /* Supporting Files */ = { isa = PBXGroup; children = ( - CD63AD181A8064DE001B5671 /* IDSKeychainSyncingProxy-Info.plist */, - CD63AD191A8064DE001B5671 /* idskeychainsyncingproxy.entitlements.plist */, - CDF91EC81AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist */, - CD50D6D21A841C0E00C35E74 /* com.apple.security.idskeychainsyncingproxy.plist */, + D42FA87A1C9B9099003E46A7 /* SecurityTests-Entitlements.plist */, + D42FA8311C9B8D3D003E46A7 /* Info.plist */, ); name = "Supporting Files"; sourceTree = "<group>"; }; + D4D887021CED07CA00DC7583 /* DigicertMalaysia */ = { + isa = PBXGroup; + children = ( + D4D886FA1CED07B400DC7583 /* 
Digisign-Server-ID-Enrich-Entrust-Cert.crt */, + D4D886FB1CED07B400DC7583 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt */, + D4D886FC1CED07B400DC7583 /* Invalid-webmail.jaring.my.crt */, + D4D886FD1CED07B400DC7583 /* Invalid-www.cybersecurity.my.crt */, + ); + name = DigicertMalaysia; + sourceTree = "<group>"; + }; + D4D887311CED091100DC7583 /* DigiNotar */ = { + isa = PBXGroup; + children = ( + D4D887031CED081500DC7583 /* DigiNotar_Root_CA_G2-RootCertificate.crt */, + D4D887041CED081500DC7583 /* diginotar-public-ca-2025-Cert.crt */, + D4D887051CED081500DC7583 /* diginotar-services-1024-entrust-secure-server-Cert.crt */, + D4D887061CED081500DC7583 /* diginotar-services-diginotar-root-Cert.crt */, + D4D887071CED081500DC7583 /* diginotar.cyberca-gte.global.root-Cert.crt */, + D4D887081CED081500DC7583 /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */, + D4D887091CED081500DC7583 /* diginotar.root.ca-entrust-secure-server-Cert.crt */, + D4D8870A1CED081500DC7583 /* DigiNotarCA2007RootCertificate.crt */, + D4D8870B1CED081500DC7583 /* Expectations.plist */, + D4D8870C1CED081600DC7583 /* Invalid-asterisk.google.com.crt */, + D4D8870D1CED081600DC7583 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */, + D4D8870E1CED081600DC7583 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */, + D4D8870F1CED081600DC7583 /* Invalid-diginotarpkioverheidcaoverheid.crt */, + D4D887101CED081600DC7583 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */, + D4D887111CED081600DC7583 /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */, + D4D887121CED081600DC7583 /* Invalid-webmail.portofamsterdam.nl.crt */, + D4D887131CED081600DC7583 /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */, + D4D887141CED081600DC7583 /* Invalid-www.maestre.com-diginotal.extended.validation.crt */, + D4D887151CED081600DC7583 /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */, + D4D887161CED081700DC7583 /* 
Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */, + D4D887171CED081700DC7583 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt */, + D4D887181CED081700DC7583 /* staatdernederlandenorganisatieca-g2-Cert.crt */, + D4D887191CED081700DC7583 /* staatdernederlandenoverheidca-Cert.crt */, + ); + name = DigiNotar; + sourceTree = "<group>"; + }; EB22F3CE18A26B640016A8EC /* Breadcrumb */ = { isa = PBXGroup; children = ( EBD8B52718A55668004A650F /* README */, - EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.c */, + EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.m */, EB22F3F618A26BA50016A8EC /* breadcrumb_regressions.h */, EB22F3F718A26BA50016A8EC /* SecBreadcrumb.c */, EB22F3F818A26BA50016A8EC /* SecBreadcrumb.h */, 
@@ -4141,20 +4167,58 @@ name = Breadcrumb; sourceTree = "<group>"; }; - EB93FF2A1BE0889E00978606 /* RegressionTests */ = { + EB73F0121C210CC7008191E3 /* SecurityFeatures */ = { + isa = PBXGroup; + children = ( + EB73F03C1C210CF2008191E3 /* BUILT_PRODUCTS_DIR */, + EB73F03B1C210CDF008191E3 /* iOS */, + EB73F03D1C210CFE008191E3 /* OSX */, + EB73F0401C210D78008191E3 /* CopyHeaders.sh */, + EBE011FF1C2135E200CB6A63 /* ExternalProject.sh */, + EB73F0411C210D78008191E3 /* README.txt */, + ); + name = SecurityFeatures; + path = ..; + sourceTree = "<group>"; + }; + EB73F03B1C210CDF008191E3 /* iOS */ = { + isa = PBXGroup; + children = ( + EB73F03E1C210D49008191E3 /* SecurityFeatures.h */, + ); + name = iOS; + sourceTree = "<group>"; + }; + EB73F03C1C210CF2008191E3 /* BUILT_PRODUCTS_DIR */ = { + isa = PBXGroup; + children = ( + EB73F0441C210DF8008191E3 /* SecurityFeatures.h */, + ); + name = BUILT_PRODUCTS_DIR; + sourceTree = BUILT_PRODUCTS_DIR; + }; + EB73F03D1C210CFE008191E3 /* OSX */ = { + isa = PBXGroup; + children = ( + EB73F03F1C210D58008191E3 /* SecurityFeatures.h */, + ); + name = OSX; + sourceTree = "<group>"; + }; + EBB696D51BE2089400715F16 /* RegressionTests */ = { isa = PBXGroup; children = ( - EB93FF541BE088FC00978606 /* Security.plist */, - EB93FF521BE088E000978606 /* secbackupntest */, + EBB696FE1BE208BD00715F16 /* secbackupntest */, + EBB696FD1BE208BA00715F16 /* Security.plist */, ); name = RegressionTests; path = ../RegressionTests; sourceTree = "<group>"; }; - EB93FF521BE088E000978606 /* secbackupntest */ = { + EBB696FE1BE208BD00715F16 /* secbackupntest */ = { isa = PBXGroup; children = ( - EB93FF531BE088F600978606 /* secbackupntest.m */, + EBB696FF1BE208CB00715F16 /* secbackupntest.m */, ); name = secbackupntest; sourceTree = "<group>"; 
@@ -4175,6 +4239,7 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + EB73F0451C210E6F008191E3 /* SecurityFeatures.h in Headers */, CD8B5A9D1B618ED9004D4AEF /* SOSPeerInfoPriv.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; @@ -4277,6 +4342,7 @@ 18FE68591471A46600A2CBE3 /* ocspTemplates.h in Headers */, 44B2606A18F81C0F008DF20F /* SecAccessControlPriv.h in Headers */, 18FE685A1471A46600A2CBE3 /* osKeyTemplates.h in Headers */, + 1FDA9ABC1C4489280083929D /* SecTranslocate.h in Headers */, 18FE685B1471A46600A2CBE3 /* SecAccessPriv.h in Headers */, 18FE685C1471A46600A2CBE3 /* secasn1t.h in Headers */, 18FE685D1471A46600A2CBE3 /* SecAssessment.h in Headers */, @@ -4286,6 +4352,7 @@ 18FE68621471A46600A2CBE3 /* SecCertificateRequest.h in Headers */, 18FE68631471A46600A2CBE3 /* SecCmsBase.h in Headers */, AC5688BC18B4396D00F0526C /* SecCMS.h in Headers */, + D47F51221C3B80DF00A7CEFE /* SecCFAllocator.h in Headers */, 18FE68641471A46600A2CBE3 /* SecCmsContentInfo.h in Headers */, 18FE68651471A46600A2CBE3 /* SecCmsDecoder.h in Headers */, 18FE68661471A46600A2CBE3 /* SecCmsDigestContext.h in Headers */, @@ -4322,6 +4389,7 @@ 18FE68831471A46700A2CBE3 /* SecRequirementPriv.h in Headers */, 18FE68841471A46700A2CBE3 /* SecSMIME.h in Headers */, 18FE68851471A46700A2CBE3 /* SecStaticCodePriv.h in Headers */, + D4D9B9FE1C7E5CCA008785EB /* SecServerEncryptionSupport.h in Headers */, 18FE68861471A46700A2CBE3 /* SecTransformInternal.h in Headers */, 18FE68871471A46700A2CBE3 /* SecTrustedApplicationPriv.h in Headers */, BEC3A76816F79497003E5634 /* SecTaskPriv.h in Headers */, 
@@ -4350,6 +4418,23 @@ }; /* End PBXHeadersBuildPhase section */ +/* Begin PBXLegacyTarget section */ + EBE011D31C21357200CB6A63 /* SecurityFeatures */ = { + isa = PBXLegacyTarget; + buildArgumentsString = "$(PROJECT_DIR)/../SecurityFeatures/ExternalProject.sh $(ACTION)"; + buildConfigurationList = EBE011FE1C21357200CB6A63 /* Build configuration list for PBXLegacyTarget "SecurityFeatures" */; + buildPhases = ( + ); + buildToolPath = /bin/bash; + buildWorkingDirectory = "$(PROJECT_DIR)/../SecurityFeatures"; + dependencies = ( + ); + name = SecurityFeatures; + passBuildSettingsInEnvironment = 1; + productName = SecurityFeature; + }; +/* End PBXLegacyTarget section */ + /* Begin PBXNativeTarget section */ 0C6C630A15D193C800BC68CD /* sectests */ = { isa = PBXNativeTarget; @@ -4366,6 +4451,7 @@ ACB6173F18B5232700EBEDD7 /* PBXTargetDependency */, 0CBD50C716C3260D00713B6C /* PBXTargetDependency */, 0CCEBDB316C2CFD4001BD7F6 /* PBXTargetDependency */, + DC872EEA1CC983EE0076C0E7 /* PBXTargetDependency */, ); name = sectests; productName = sectests; @@ -4401,6 +4487,7 @@ isa = PBXNativeTarget; buildConfigurationList = 18073875146D0D4E00F05C24 /* Build configuration list for PBXNativeTarget "Security" */; buildPhases = ( + EB73F0431C210DA9008191E3 /* Copy Security Feature header */, 18073846146D0D4E00F05C24 /* Sources */, 18073847146D0D4E00F05C24 /* Frameworks */, 18073848146D0D4E00F05C24 /* Headers */, 
@@ -4414,12 +4501,15 @@ E778BFB91717461800302C14 /* PBXBuildRule */, ); dependencies = ( + 4C12894415FFED03008CE3E3 /* PBXTargetDependency */, + D46B08A81C8FD8D900B5939A /* PBXTargetDependency */, + EBE012011C21368400CB6A63 /* PBXTargetDependency */, 1879B545146DE18D007E536C /* PBXTargetDependency */, + 1FDA9A5F1C4471EC0083929D /* PBXTargetDependency */, + D46B08021C8FBE6A00B5939A /* PBXTargetDependency */, BE8D22951ABB747A009A4E18 /* PBXTargetDependency */, 4AD6F6F41651CC2500DB4CE6 /* PBXTargetDependency */, - 4C12894415FFED03008CE3E3 /* PBXTargetDependency */, 18FE688F1471A4C900A2CBE3 /* PBXTargetDependency */, - 1885B45114D9AB3D00519375 /* PBXTargetDependency */, 18270F5D14CF655B00B05E7F /* PBXTargetDependency */, 18AD56A614CDED59008233F2 /* PBXTargetDependency */, 182BB410146F248D000BF1F3 /* PBXTargetDependency */, @@ -4495,6 +4585,7 @@ ); dependencies = ( 182BB596146FE27F000BF1F3 /* PBXTargetDependency */, + DC311CC71CCEC81D00E14E8D /* PBXTargetDependency */, 182BB58F146FE11C000BF1F3 /* PBXTargetDependency */, 182BB58D146FE0FF000BF1F3 /* PBXTargetDependency */, 182BB588146FE001000BF1F3 /* PBXTargetDependency */, @@ -4531,6 +4622,7 @@ buildPhases = ( 18FE67E71471A3AA00A2CBE3 /* Headers */, 4CB86AE4167A6F3D00F46643 /* Copy SecureObjectSync Headers */, + 5E3BDC291CD20B4300C80B61 /* Unifdef RC_HIDE_J79/J80 */, ); buildRules = ( ); 
@@ -4648,26 +4740,6 @@ productReference = 4CC7A7B316CC2A84003E10C1 /* Cloud Keychain Utility.app */; productType = "com.apple.product-type.application"; }; - 5214700516977CB800DF0DB3 /* CloudKeychainProxy */ = { - isa = PBXNativeTarget; - buildConfigurationList = 5214701416977CB800DF0DB3 /* Build configuration list for PBXNativeTarget "CloudKeychainProxy" */; - buildPhases = ( - 5214700216977CB800DF0DB3 /* Sources */, - 5214700316977CB800DF0DB3 /* Frameworks */, - 5214700416977CB800DF0DB3 /* Resources */, - 5214702316977EA600DF0DB3 /* CopyFiles */, - ); - buildRules = ( - ); - dependencies = ( - 5214701A16977D2500DF0DB3 /* PBXTargetDependency */, - 5214701816977D1D00DF0DB3 /* PBXTargetDependency */, - ); - name = CloudKeychainProxy; - productName = CloudKeychainProxy; - productReference = 5214700616977CB800DF0DB3 /* CloudKeychainProxy.bundle */; - productType = "com.apple.product-type.bundle"; - }; 5EF7C2091B00E25400E5E99C /* secacltests */ = { isa = PBXNativeTarget; buildConfigurationList = 5EF7C2381B00E25400E5E99C /* Build configuration list for PBXNativeTarget "secacltests" */; @@ -4679,7 +4751,6 @@ ); dependencies = ( 5ED88B701B0DEF4700F3B047 /* PBXTargetDependency */, - 5ED88B6E1B0DEF3100F3B047 /* PBXTargetDependency */, 5EFB69C21B0CBFC30095A36E /* PBXTargetDependency */, 5EE556971B01DA3E006F78F2 /* PBXTargetDependency */, 5EE556951B01DA33006F78F2 /* PBXTargetDependency */, 
@@ -4692,23 +4763,6 @@ productReference = 5EF7C20A1B00E25400E5E99C /* secacltests */; productType = "com.apple.product-type.tool"; }; - 72756BFD175D485D00F52070 /* cloud_keychain_diagnose */ = { - isa = PBXNativeTarget; - buildConfigurationList = 72756C2F175D485D00F52070 /* Build configuration list for PBXNativeTarget "cloud_keychain_diagnose" */; - buildPhases = ( - 72756BFA175D485D00F52070 /* Sources */, - 72756BFB175D485D00F52070 /* Frameworks */, - 72756BFC175D485D00F52070 /* CopyFiles */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = cloud_keychain_diagnose; - productName = cloud_keychain_diagnose; - productReference = 72756BFE175D485D00F52070 /* cloud_keychain_diagnose */; - productType = "com.apple.product-type.tool"; - }; BE48ADF71ADF1DF4000836C1 /* trustd */ = { isa = PBXNativeTarget; buildConfigurationList = BE48AE1E1ADF1DF4000836C1 /* Build configuration list for PBXNativeTarget "trustd" */; 
@@ -4721,62 +4775,61 @@ buildRules = ( ); dependencies = ( + D45FC3E61C9E06BD00509CDA /* PBXTargetDependency */, + D45FC3E31C9E069000509CDA /* PBXTargetDependency */, BE48ADF81ADF1DF4000836C1 /* PBXTargetDependency */, - BE48AE001ADF1DF4000836C1 /* PBXTargetDependency */, - BE48ADFE1ADF1DF4000836C1 /* PBXTargetDependency */, - BE48ADFA1ADF1DF4000836C1 /* PBXTargetDependency */, BE48ADFC1ADF1DF4000836C1 /* PBXTargetDependency */, - BE48AE231ADF1E66000836C1 /* PBXTargetDependency */, ); name = trustd; productName = secd; productReference = BE48AE211ADF1DF4000836C1 /* trustd */; productType = "com.apple.product-type.tool"; }; - BE94B77E1AD83AF700A7216D /* trustd.xpc */ = { + D42FA8231C9B8D3C003E46A7 /* SecurityTestsOSX */ = { isa = PBXNativeTarget; - buildConfigurationList = BE94B7A11AD83AF700A7216D /* Build configuration list for PBXNativeTarget "trustd.xpc" */; + buildConfigurationList = D42FA8321C9B8D3D003E46A7 /* Build configuration list for PBXNativeTarget "SecurityTestsOSX" */; buildPhases = ( - BE94B7801AD83AF700A7216D /* Sources */, - BE94B7931AD83AF700A7216D /* Frameworks */, - BE94B79B1AD83AF700A7216D /* Copy sandbox profile */, - BE94B79F1AD83AF700A7216D /* Copy asl module */, + D42FA8201C9B8D3C003E46A7 /* Sources */, + D42FA8211C9B8D3C003E46A7 /* Frameworks */, + D42FA8221C9B8D3C003E46A7 /* Resources */, + D4D886F61CED070600DC7583 /* Copy DigiNotar Resources */, + D4D886F71CED070800DC7583 /* Copy DigiNotar-Entrust Resources */, + D4D886F81CED070A00DC7583 /* Copy DigiNotar-ok Resources */, + D4D886F91CED070C00DC7583 /* Copy DigicertMalaysia Resources */, ); buildRules = ( ); dependencies = ( - BE94B7E11AD8442600A7216D /* PBXTargetDependency */, - BE94B7E91AD8447B00A7216D /* PBXTargetDependency */, - BE94B7E71AD8446C00A7216D /* PBXTargetDependency */, - BE94B7EF1AD8453300A7216D /* PBXTargetDependency */, - BE94B7E51AD8446500A7216D /* PBXTargetDependency */, - BE94B7EB1AD8449300A7216D /* PBXTargetDependency */, - ); - name = trustd.xpc; - productName = 
security.auth; - productReference = BE94B7A41AD83AF700A7216D /* trustd.xpc */; - productType = "com.apple.product-type.bundle"; + D42FA83B1C9B8F94003E46A7 /* PBXTargetDependency */, + D42FA83D1C9B8F94003E46A7 /* PBXTargetDependency */, + D42FA83F1C9B8F94003E46A7 /* PBXTargetDependency */, + D42FA8371C9B8F77003E46A7 /* PBXTargetDependency */, + D42FA8391C9B8F7D003E46A7 /* PBXTargetDependency */, + D42FA8431C9B8FD0003E46A7 /* PBXTargetDependency */, + DC872F151CC983F70076C0E7 /* PBXTargetDependency */, + D42FA8411C9B8FA7003E46A7 /* PBXTargetDependency */, + ); + name = SecurityTestsOSX; + productName = SecurityTestsOSX; + productReference = D42FA8241C9B8D3C003E46A7 /* SecurityTestsOSX.app */; + productType = "com.apple.product-type.application"; }; - CD63ACDF1A8061FA001B5671 /* IDSKeychainSyncingProxy */ = { + EBB697031BE208FC00715F16 /* secbackupntest */ = { isa = PBXNativeTarget; - buildConfigurationList = CD63AD101A8061FA001B5671 /* Build configuration list for PBXNativeTarget "IDSKeychainSyncingProxy" */; + buildConfigurationList = EBB697081BE208FC00715F16 /* Build configuration list for PBXNativeTarget "secbackupntest" */; buildPhases = ( - CD63ACDC1A8061FA001B5671 /* Sources */, - CD63ACDD1A8061FA001B5671 /* Frameworks */, - CD63ACDE1A8061FA001B5671 /* Resources */, - CD63AD1D1A806552001B5671 /* CopyFiles */, - CDF91EF41AAE025C00E88CF7 /* CopyFiles */, + EBB697001BE208FC00715F16 /* Sources */, + EBB697011BE208FC00715F16 /* Frameworks */, + EBB697021BE208FC00715F16 /* CopyFiles */, ); buildRules = ( ); dependencies = ( - CD63AD141A8063B7001B5671 /* PBXTargetDependency */, - CD63AD121A8063AF001B5671 /* PBXTargetDependency */, ); - name = IDSKeychainSyncingProxy; - productName = IDSKeychainSyncingProxy; - productReference = CD63ACE01A8061FA001B5671 /* IDSKeychainSyncingProxy.bundle */; - productType = "com.apple.product-type.bundle"; + name = secbackupntest; + productName = secbackupntest; + productReference = EBB697041BE208FC00715F16 /* secbackupntest */; + 
productType = "com.apple.product-type.tool"; }; /* End PBXNativeTarget section */ @@ -4784,7 +4837,7 @@ 18073841146D0D4E00F05C24 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; TargetAttributes = { 3705CAD11A896DE800402F75 = { CreatedOnToolsVersion = 7.0; @@ -4798,8 +4851,14 @@ 5EF7C2091B00E25400E5E99C = { CreatedOnToolsVersion = 7.0; }; - CD63ACDF1A8061FA001B5671 = { - CreatedOnToolsVersion = 7.0; + D42FA8231C9B8D3C003E46A7 = { + CreatedOnToolsVersion = 8.0; + }; + EBB697031BE208FC00715F16 = { + CreatedOnToolsVersion = 7.2; + }; + EBE011D31C21357200CB6A63 = { + CreatedOnToolsVersion = 7.2; }; F93C49311AB8FD350047E01A = { CreatedOnToolsVersion = 6.3; @@ -4930,6 +4989,10 @@ ProductGroup = 1879B72C146DE844007E536C /* Products */; ProjectRef = 1879B72B146DE844007E536C /* libsecurity_transform.xcodeproj */; }, + { + ProductGroup = 1F6FC5E01C3D9D90001C758F /* Products */; + ProjectRef = 1F6FC5DF1C3D9D90001C758F /* libsecurity_translocate.xcodeproj */; + }, { ProductGroup = 1879B533146DDBE5007E536C /* Products */; ProjectRef = 1879B532146DDBE5007E536C /* libsecurity_utilities.xcodeproj */; @@ -4946,10 +5009,6 @@ ProductGroup = 186CDD1714CA11C700AF9171 /* Products */; ProjectRef = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; }, - { - ProductGroup = 0C6D77DF15C8C06500BB4405 /* Products */; - ProjectRef = 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */; - }, { ProductGroup = 4C12893815FFECF3008CE3E3 /* Products */; ProjectRef = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; 
@@ -4959,29 +5018,26 @@ targets = ( 186F778814E59FB200434E1F /* Security_frameworks */, 186F778C14E59FDA00434E1F /* Security_executables */, - 0C6C642915D5ADB500BC68CD /* Security_kexts */, - 182BB598146FE295000BF1F3 /* World */, + 4CE4729E16D833FD009070D1 /* Security_temporary_UI */, 1807384A146D0D4E00F05C24 /* Security */, 182BB567146F4DCA000BF1F3 /* csparser */, 18FE67E91471A3AA00A2CBE3 /* copyHeaders */, 18270ED514CF282600B05E7F /* secd */, 0CC3350716C1ED8000399E53 /* secdtests */, + D42FA8231C9B8D3C003E46A7 /* SecurityTestsOSX */, 0C6C630A15D193C800BC68CD /* sectests */, 18F234EA15C9F9A600060520 /* authd */, - BE94B77E1AD83AF700A7216D /* trustd.xpc */, BE48ADF71ADF1DF4000836C1 /* trustd */, - 5214700516977CB800DF0DB3 /* CloudKeychainProxy */, - CD63ACDF1A8061FA001B5671 /* IDSKeychainSyncingProxy */, 4CB23B45169F5873003A0131 /* security2 */, 4CC7A7B216CC2A84003E10C1 /* Cloud Keychain Utility */, 4C96F7C016D6DF8300D3B39D /* Keychain Circle Notification */, - 4CE4729E16D833FD009070D1 /* Security_temporary_UI */, - 72756BFD175D485D00F52070 /* cloud_keychain_diagnose */, 37A7CEAA197DB8FA00926CE8 /* codesign_tests */, 37AB390E1A44A88000B56E04 /* gk_reset_check */, 3705CAD11A896DE800402F75 /* SecTaskTest */, F93C49311AB8FD350047E01A /* ckcdiagnose.sh */, 5EF7C2091B00E25400E5E99C /* secacltests */, + EBB697031BE208FC00715F16 /* secbackupntest */, + EBE011D31C21357200CB6A63 /* SecurityFeatures */, ); }; /* End PBXProject section */ 
@@ -5015,20 +5071,6 @@ remoteRef = 0C6D77D215C8B66000BB4405 /* PBXContainerItemProxy */; sourceTree = BUILT_PRODUCTS_DIR; }; - 0C6D77EB15C8C06600BB4405 /* tlsnketest */ = { - isa = PBXReferenceProxy; - fileType = "compiled.mach-o.executable"; - path = tlsnketest; - remoteRef = 0C6D77EA15C8C06600BB4405 /* PBXContainerItemProxy */; - sourceTree = BUILT_PRODUCTS_DIR; - }; - 0C6D77ED15C8C06600BB4405 /* libtlssocket.a */ = { - isa = PBXReferenceProxy; - fileType = archive.ar; - path = libtlssocket.a; - remoteRef = 0C6D77EC15C8C06600BB4405 /* PBXContainerItemProxy */; - sourceTree = BUILT_PRODUCTS_DIR; - }; 0CBD50B316C325F000713B6C /* libsecurity_keychain_regressions.a */ = { isa = PBXReferenceProxy; fileType = archive.ar; @@ -5372,10 +5414,10 @@ remoteRef = 1879B738146DE845007E536C /* PBXContainerItemProxy */; sourceTree = BUILT_PRODUCTS_DIR; }; - 1879B73D146DE845007E536C /* unit-tests.octest */ = { + 1879B73D146DE845007E536C /* unit-tests.xctest */ = { isa = PBXReferenceProxy; fileType = wrapper.cfbundle; - path = "unit-tests.octest"; + path = "unit-tests.xctest"; remoteRef = 1879B73C146DE845007E536C /* PBXContainerItemProxy */; sourceTree = BUILT_PRODUCTS_DIR; }; @@ -5407,11 +5449,11 @@ remoteRef = 18D4053A14CE2C1600A2BE4E /* PBXContainerItemProxy */; sourceTree = BUILT_PRODUCTS_DIR; }; - 4C01DE32164C3793006798CD /* libCloudKeychainProxy.a */ = { + 1F6FC6001C3D9D90001C758F /* libsecurity_translocate.a */ = { isa = PBXReferenceProxy; fileType = archive.ar; - path = libCloudKeychainProxy.a; - remoteRef = 4C01DE31164C3793006798CD /* PBXContainerItemProxy */; + path = libsecurity_translocate.a; + remoteRef = 1F6FC5FF1C3D9D90001C758F /* PBXContainerItemProxy */; sourceTree = BUILT_PRODUCTS_DIR; }; 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */ = { 
@@ -5512,11 +5554,11 @@ remoteRef = C2432A0715C7112A0096DB5B /* PBXContainerItemProxy */; sourceTree = BUILT_PRODUCTS_DIR; }; - CD63AD0C1A8061FA001B5671 /* libIDSKeychainSyncingProxy.a */ = { + D40772181C9B52210016AA66 /* libSharedRegressions.a */ = { isa = PBXReferenceProxy; fileType = archive.ar; - path = libIDSKeychainSyncingProxy.a; - remoteRef = CD63AD0B1A8061FA001B5671 /* PBXContainerItemProxy */; + path = libSharedRegressions.a; + remoteRef = D40772171C9B52210016AA66 /* PBXContainerItemProxy */; sourceTree = BUILT_PRODUCTS_DIR; }; D4CBC1281BE981DE00C5795E /* libsecurity_cms_regressions.a */ = { @@ -5526,13 +5568,6 @@ remoteRef = D4CBC1271BE981DE00C5795E /* PBXContainerItemProxy */; sourceTree = BUILT_PRODUCTS_DIR; }; - E7421C7E1ADC8E0D005FC1C0 /* tlsnke.kext */ = { - isa = PBXReferenceProxy; - fileType = wrapper.cfbundle; - path = tlsnke.kext; - remoteRef = E7421C7D1ADC8E0D005FC1C0 /* PBXContainerItemProxy */; - sourceTree = BUILT_PRODUCTS_DIR; - }; E760796F1951F99600F69731 /* libSWCAgent.a */ = { isa = PBXReferenceProxy; fileType = archive.ar; @@ -5587,7 +5622,6 @@ 188AD8DD1471FE3E0081C619 /* InfoPlist.strings in Resources */, 52B006C015238F76005D4556 /* TimeStampingPrefs.plist in Resources */, 187D6B9315D435BD00E27494 /* authorization.buttons.strings in Resources */, - BEFB63691B6834AB0052149A /* AppWorkaround.plist in Resources */, 187D6B9415D435C700E27494 /* authorization.prompts.strings in Resources */, ); runOnlyForDeploymentPostprocessing = 0; 
@@ -5621,23 +5655,15 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 5214700416977CB800DF0DB3 /* Resources */ = { + D42FA8221C9B8D3C003E46A7 /* Resources */ = { isa = PBXResourcesBuildPhase; buildActionMask = 2147483647; files = ( - CDAE4BC21A86F6FF0000AA84 /* cloudkeychain.entitlements.plist in Resources */, - 5214701216977CB800DF0DB3 /* InfoPlist.strings in Resources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - CD63ACDE1A8061FA001B5671 /* Resources */ = { - isa = PBXResourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - CDB22CE31A9D2EA70043E348 /* IDSKeychainSyncingProxy-Info.plist in Resources */, - CDAE4B9A1A86F6F20000AA84 /* idskeychainsyncingproxy.entitlements.plist in Resources */, - CDF91EC91AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist in Resources */, - CD276BE41A83F204003226BC /* InfoPlist.strings in Resources */, + D4D886F31CED01F800DC7583 /* nist-certs in Resources */, + D4D886C41CEBDBEB00DC7583 /* ssl-policy-certs in Resources */, + D4EC94D61CEA48000083E753 /* si-20-sectrust-policies-data in Resources */, + 0C0C887D1CCED19E00617D1B /* si-82-sectrust-ct-data in Resources */, + D42FA87D1C9B9186003E46A7 /* si-82-sectrust-ct-logs.plist in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -5670,7 +5696,7 @@ ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "DST=${BUILT_PRODUCTS_DIR}/${CONTENTS_FOLDER_PATH}/XPCServices\n\nXPC_SERVICE=XPCKeychainSandboxCheck.xpc\nditto -v ${BUILT_PRODUCTS_DIR}/${XPC_SERVICE} ${DST}/${XPC_SERVICE}\nif [ $0 -ne 0 ]; then\n\texit $0;\nfi\n\nif [ ! -h ${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}/XPCServices ]; then\n ln -s Versions/Current/XPCServices ${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}/XPCServices\nfi\n\nexit 0"; + shellScript = "if [ ! -h ${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}/XPCServices ]; then\n ln -s Versions/Current/XPCServices ${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}/XPCServices\nfi\n\nexit 0"; showEnvVarsInLog = 0; }; 18500F961470828E006F9AB4 /* Run Script Generate Strings */ = { 
@@ -5679,29 +5705,57 @@ files = ( ); inputPaths = ( + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/Authorization.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/AuthSession.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecureTransport.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecBase.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmerr.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmapple.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/CSCommon.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/AuthorizationPriv.h", + "${PROJECT_DIR}/libsecurity_keychain/lib/MacOSErrorStrings.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/SecureTransportPriv.h", ); name = "Run Script Generate Strings"; outputPaths = ( + "${BUILT_PRODUCTS_DIR}/derived_src/SecDebugErrorMessages.strings", + "${BUILT_PRODUCTS_DIR}/derived_src/en.lproj/SecErrorMessages.strings", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; shellScript = "DERIVED_SRC=${BUILT_PRODUCTS_DIR}/derived_src\nmkdir -p ${DERIVED_SRC}\n\n# make error message string files\n\nGENDEBUGSTRS[0]=YES; ERRORSTRINGS[0]=${DERIVED_SRC}/SecDebugErrorMessages.strings\nGENDEBUGSTRS[1]=NO ; ERRORSTRINGS[1]=${DERIVED_SRC}/en.lproj/SecErrorMessages.strings\n\nmkdir -p ${DERIVED_SRC}/en.lproj\n\nfor ((ix=0;ix<2;ix++)) ; do\nperl lib/generateErrStrings.pl \\\n${GENDEBUGSTRS[ix]} \\\n${DERIVED_SRC} \\\n${ERRORSTRINGS[ix]} \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/Authorization.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/AuthSession.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecureTransport.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecBase.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmerr.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmapple.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/CSCommon.h 
\\\n${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/AuthorizationPriv.h \\\n${PROJECT_DIR}/libsecurity_keychain/lib/MacOSErrorStrings.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/SecureTransportPriv.h\ndone"; showEnvVarsInLog = 0; }; - 18F2360315CB30EC00060520 /* ShellScript */ = { + 5E3BDC291CD20B4300C80B61 /* Unifdef RC_HIDE_J79/J80 */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 2147483647; files = ( ); inputPaths = ( ); + name = "Unifdef RC_HIDE_J79/J80"; outputPaths = ( ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "DST=${BUILT_PRODUCTS_DIR}/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices\n\nXPC_SERVICE=authd.xpc\nditto -v ${BUILT_PRODUCTS_DIR}/${XPC_SERVICE} ${DST}/${XPC_SERVICE}\n\nXPC_SERVICE=trustd.xpc\nditto -v ${BUILT_PRODUCTS_DIR}/${XPC_SERVICE} ${DST}/${XPC_SERVICE}\n\nexit 0"; + shellScript = "if [ -d $DSTROOT ]; then\n RC_HIDE_J79_VAL=0\n RC_HIDE_J80_VAL=0\n SEC_HDRS_PATH=\"System/Library/Frameworks/Security.framework/Headers\"\n\n if [ ! -z $RC_HIDE_J79 ]; then\n RC_HIDE_J79_VAL=1\n fi\n\n if [ ! -z $RC_HIDE_J80 ]; then\n RC_HIDE_J80_VAL=1\n fi\n\n if [ -a $DSTROOT/$SEC_HDRS_PATH/SecAccessControl.h ]; then\n unifdef -B -DRC_HIDE_J79=$RC_HIDE_J79_VAL -DRC_HIDE_J80=$RC_HIDE_J80_VAL -o $DSTROOT/$SEC_HDRS_PATH/SecAccessControl.h $DSTROOT/$SEC_HDRS_PATH/SecAccessControl.h\n if [$? eq 2]; then\n exit 2\n fi\n fi\n\n if [ -a $DSTROOT/$SEC_HDRS_PATH/SecItem.h ]; then\n unifdef -B -DRC_HIDE_J79=$RC_HIDE_J79_VAL -DRC_HIDE_J80=$RC_HIDE_J80_VAL -o $DSTROOT/$SEC_HDRS_PATH/SecItem.h $DSTROOT/$SEC_HDRS_PATH/SecItem.h\n if [$? 
eq 2]; then\n exit 2\n fi\n fi\n\n exit 0\nfi"; showEnvVarsInLog = 0; }; + EB73F0431C210DA9008191E3 /* Copy Security Feature header */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + ); + name = "Copy Security Feature header"; + outputPaths = ( + "$(BUILT_PRODUCTS_DIR)/include/Security/SecurityFeatures.h", + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = "sh ${PROJECT_DIR}/../SecurityFeatures/CopyHeaders.sh OSX"; + }; /* End PBXShellScriptBuildPhase section */ /* Begin PBXSourcesBuildPhase section */ @@ -5710,7 +5764,7 @@ buildActionMask = 2147483647; files = ( 0CCEBDB116C2CFC1001BD7F6 /* main.c in Sources */, - EB22F3FB18A26BE40016A8EC /* bc-10-knife-on-bread.c in Sources */, + EB22F3FB18A26BE40016A8EC /* bc-10-knife-on-bread.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -5834,14 +5888,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 5214700216977CB800DF0DB3 /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 52C3D236169B56860091D9D3 /* ckdmain.m in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; 5EF7C2061B00E25400E5E99C /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; @@ -5851,14 +5897,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 72756BFA175D485D00F52070 /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 72756C31175D48C100F52070 /* cloud_keychain_diagnose.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; BE48AE021ADF1DF4000836C1 /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; 
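Review bot: The `Unifdef RC_HIDE_J79/J80` script added in this hunk can never notice a failed unifdef run, because `if [$? eq 2]; then` is not a valid test — `[$?` expands to a single word such as `[0` or `[2`, which is an unknown command, so the condition is always false and `exit 2` is dead code. This step rewrites the installed public SecAccessControl.h and SecItem.h under `$DSTROOT` to resolve the RC_HIDE_J79/J80 conditionals, so a silently ignored unifdef error means those headers are shipped unprocessed without the build failing. Both occurrences should read `if [ $? -eq 2 ]; then`, and the `$DSTROOT`/`$SEC_HDRS_PATH` and `$RC_HIDE_J79`/`$RC_HIDE_J80` expansions should be double-quoted (`[ ! -z "$RC_HIDE_J79" ]` currently works only because an unset value degenerates to `[ ! -z ]`). The `[ -a file ]` test is a bash extension; under the declared `shellPath = /bin/sh` the portable spelling is `[ -e file ]`.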
@@ -5867,19 +5905,20 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - BE94B7801AD83AF700A7216D /* Sources */ = { + D42FA8201C9B8D3C003E46A7 /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - BE94B7CD1AD83B9900A7216D /* server.c in Sources */, + D42FA82B1C9B8D3D003E46A7 /* main.m in Sources */, + D42FA8EA1C9BAA44003E46A7 /* bc-10-knife-on-bread.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; - CD63ACDC1A8061FA001B5671 /* Sources */ = { + EBB697001BE208FC00715F16 /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - CD63AD161A8064C2001B5671 /* idksmain.m in Sources */, + EBB6970F1BE209D400715F16 /* secbackupntest.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -6136,16 +6175,6 @@ target = 18FE67E91471A3AA00A2CBE3 /* copyHeaders */; targetProxy = 186F779614E5A04200434E1F /* PBXContainerItemProxy */; }; - 186F779914E5A06500434E1F /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 186F778814E59FB200434E1F /* Security_frameworks */; - targetProxy = 186F779814E5A06500434E1F /* PBXContainerItemProxy */; - }; - 186F779B14E5A06800434E1F /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 186F778C14E59FDA00434E1F /* Security_executables */; - targetProxy = 186F779A14E5A06800434E1F /* PBXContainerItemProxy */; - }; 1879B545146DE18D007E536C /* PBXTargetDependency */ = { isa = PBXTargetDependency; name = libsecurity_utilities; @@ -6161,11 +6190,6 @@ name = libsecurity_cssm; targetProxy = 1879B56D146DE2D3007E536C /* PBXContainerItemProxy */; }; - 1885B45114D9AB3D00519375 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libASN1; - targetProxy = 1885B45014D9AB3D00519375 /* PBXContainerItemProxy */; - }; 18AD56A614CDED59008233F2 /* PBXTargetDependency */ = { isa = PBXTargetDependency; name = sec; 
@@ -6186,6 +6210,11 @@ target = 18FE67E91471A3AA00A2CBE3 /* copyHeaders */; targetProxy = 18FE688E1471A4C900A2CBE3 /* PBXContainerItemProxy */; }; + 1FDA9A5F1C4471EC0083929D /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_translocate; + targetProxy = 1FDA9A5E1C4471EC0083929D /* PBXContainerItemProxy */; + }; 3705CADE1A8971DF00402F75 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 3705CAD11A896DE800402F75 /* SecTaskTest */; @@ -6271,26 +6300,6 @@ name = libSecureObjectSync; targetProxy = 5208C0FD16A0D3980062DDC5 /* PBXContainerItemProxy */; }; - 5214701816977D1D00DF0DB3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = utilities; - targetProxy = 5214701716977D1D00DF0DB3 /* PBXContainerItemProxy */; - }; - 5214701A16977D2500DF0DB3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libCloudKeychainProxy; - targetProxy = 5214701916977D2500DF0DB3 /* PBXContainerItemProxy */; - }; - 521470291697842500DF0DB3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 5214700516977CB800DF0DB3 /* CloudKeychainProxy */; - targetProxy = 521470281697842500DF0DB3 /* PBXContainerItemProxy */; - }; - 5ED88B6E1B0DEF3100F3B047 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libDER; - targetProxy = 5ED88B6D1B0DEF3100F3B047 /* PBXContainerItemProxy */; - }; 5ED88B701B0DEF4700F3B047 /* PBXTargetDependency */ = { isa = PBXTargetDependency; name = libsecipc_client; @@ -6331,11 +6340,6 @@ name = libSecItemShimOSX; targetProxy = 5EFB69C11B0CBFC30095A36E /* PBXContainerItemProxy */; }; - 722CF218175D602F00BCE0A5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 72756BFD175D485D00F52070 /* cloud_keychain_diagnose */; - targetProxy = 722CF217175D602F00BCE0A5 /* PBXContainerItemProxy */; - }; ACB6173F18B5232700EBEDD7 /* PBXTargetDependency */ = { isa = PBXTargetDependency; name = libsecurity_smime_regressions; 
@@ -6346,31 +6350,11 @@ name = libsecipc_client; targetProxy = BE48ADF91ADF1DF4000836C1 /* PBXContainerItemProxy */; }; - BE48ADFA1ADF1DF4000836C1 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libSecureObjectSync; - targetProxy = BE48ADFB1ADF1DF4000836C1 /* PBXContainerItemProxy */; - }; BE48ADFC1ADF1DF4000836C1 /* PBXTargetDependency */ = { isa = PBXTargetDependency; name = utilities; targetProxy = BE48ADFD1ADF1DF4000836C1 /* PBXContainerItemProxy */; }; - BE48ADFE1ADF1DF4000836C1 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurityd; - targetProxy = BE48ADFF1ADF1DF4000836C1 /* PBXContainerItemProxy */; - }; - BE48AE001ADF1DF4000836C1 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity; - targetProxy = BE48AE011ADF1DF4000836C1 /* PBXContainerItemProxy */; - }; - BE48AE231ADF1E66000836C1 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libSecTrustOSX; - targetProxy = BE48AE221ADF1E66000836C1 /* PBXContainerItemProxy */; - }; BE48AE291ADF204E000836C1 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = BE48ADF71ADF1DF4000836C1 /* trustd */; 
@@ -6381,55 +6365,70 @@
 			name = libSecTrustOSX;
 			targetProxy = BE8D22941ABB747A009A4E18 /* PBXContainerItemProxy */;
 		};
-		BE94B7E11AD8442600A7216D /* PBXTargetDependency */ = {
+		C2432A2515C726B50096DB5B /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
-			name = libsecipc_client;
-			targetProxy = BE94B7E01AD8442600A7216D /* PBXContainerItemProxy */;
-		};
-		BE94B7E51AD8446500A7216D /* PBXTargetDependency */ = {
-			isa = PBXTargetDependency;
-			name = utilities;
-			targetProxy = BE94B7E41AD8446500A7216D /* PBXContainerItemProxy */;
+			name = gkunpack;
+			targetProxy = C2432A2415C726B50096DB5B /* PBXContainerItemProxy */;
 		};
-		BE94B7E71AD8446C00A7216D /* PBXTargetDependency */ = {
+		D42FA8371C9B8F77003E46A7 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
-			name = libsecurityd;
-			targetProxy = BE94B7E61AD8446C00A7216D /* PBXContainerItemProxy */;
+			name = libsecurity_cms_regressions;
+			targetProxy = D42FA8361C9B8F77003E46A7 /* PBXContainerItemProxy */;
 		};
-		BE94B7E91AD8447B00A7216D /* PBXTargetDependency */ = {
+		D42FA8391C9B8F7D003E46A7 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
-			name = libsecurity;
-			targetProxy = BE94B7E81AD8447B00A7216D /* PBXContainerItemProxy */;
+			name = regressions;
+			targetProxy = D42FA8381C9B8F7D003E46A7 /* PBXContainerItemProxy */;
 		};
-		BE94B7EB1AD8449300A7216D /* PBXTargetDependency */ = {
+		D42FA83B1C9B8F94003E46A7 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
-			name = libSecTrustOSX;
-			targetProxy = BE94B7EA1AD8449300A7216D /* PBXContainerItemProxy */;
+			name = libsecurity_keychain_regressions;
+			targetProxy = D42FA83A1C9B8F94003E46A7 /* PBXContainerItemProxy */;
 		};
-		BE94B7EF1AD8453300A7216D /* PBXTargetDependency */ = {
+		D42FA83D1C9B8F94003E46A7 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
-			name = libSecureObjectSync;
-			targetProxy = BE94B7EE1AD8453300A7216D /* PBXContainerItemProxy */;
+			name = libsecurity_ssl_regressions;
+			targetProxy = D42FA83C1C9B8F94003E46A7 /* PBXContainerItemProxy */;
 		};
-		C2432A2515C726B50096DB5B /* PBXTargetDependency */ = {
+		D42FA83F1C9B8F94003E46A7 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
-			name = gkunpack;
-			targetProxy = C2432A2415C726B50096DB5B /* PBXContainerItemProxy */;
+			name = libsecurity_smime_regressions;
+			targetProxy = D42FA83E1C9B8F94003E46A7 /* PBXContainerItemProxy */;
 		};
-		CD63AD121A8063AF001B5671 /* PBXTargetDependency */ = {
+		D42FA8411C9B8FA7003E46A7 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
-			name = libIDSKeychainSyncingProxy;
-			targetProxy = CD63AD111A8063AF001B5671 /* PBXContainerItemProxy */;
+			name = libSharedRegressions;
+			targetProxy = D42FA8401C9B8FA7003E46A7 /* PBXContainerItemProxy */;
 		};
-		CD63AD141A8063B7001B5671 /* PBXTargetDependency */ = {
+		D42FA8431C9B8FD0003E46A7 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
 			name = utilities;
-			targetProxy = CD63AD131A8063B7001B5671 /* PBXContainerItemProxy */;
+			targetProxy = D42FA8421C9B8FD0003E46A7 /* PBXContainerItemProxy */;
 		};
-		CDEB2BD21A8151CD00B0E23A /* PBXTargetDependency */ = {
+		D45FC3E31C9E069000509CDA /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
-			target = CD63ACDF1A8061FA001B5671 /* IDSKeychainSyncingProxy */;
-			targetProxy = CDEB2BD11A8151CD00B0E23A /* PBXContainerItemProxy */;
+			name = libsecurityd;
+			targetProxy = D45FC3E21C9E069000509CDA /* PBXContainerItemProxy */;
+		};
+		D45FC3E61C9E06BD00509CDA /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			name = libSecureObjectSync;
+			targetProxy = D45FC3E51C9E06BD00509CDA /* PBXContainerItemProxy */;
+		};
+		D466FA771CA0C2A500433142 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = D42FA8231C9B8D3C003E46A7 /* SecurityTestsOSX */;
+			targetProxy = D466FA761CA0C2A500433142 /* PBXContainerItemProxy */;
+		};
+		D46B08021C8FBE6A00B5939A /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			name = libDERInstall;
+			targetProxy = D46B08011C8FBE6A00B5939A /* PBXContainerItemProxy */;
+		};
+		D46B08A81C8FD8D900B5939A /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			name = libASN1Install;
+			targetProxy = D46B08A71C8FD8D900B5939A /* PBXContainerItemProxy */;
 		};
 		D4A2FC7E1BC89D5200BF6E56 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
@@ -6441,16 +6440,41 @@
 			name = libsecurity_cms_regressions;
 			targetProxy = D4CBC1191BE981DE00C5795E /* PBXContainerItemProxy */;
 		};
+		DC311CC71CCEC81D00E14E8D /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			name = utilities;
+			targetProxy = DC311CC61CCEC81D00E14E8D /* PBXContainerItemProxy */;
+		};
+		DC872EEA1CC983EE0076C0E7 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			name = libDER;
+			targetProxy = DC872EE91CC983EE0076C0E7 /* PBXContainerItemProxy */;
+		};
+		DC872F151CC983F70076C0E7 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			name = libDER;
+			targetProxy = DC872F141CC983F70076C0E7 /* PBXContainerItemProxy */;
+		};
 		E76079FA1951FDF600F69731 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
 			name = liblogging;
 			targetProxy = E76079F91951FDF600F69731 /* PBXContainerItemProxy */;
 		};
+		EBB6970E1BE2095F00715F16 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = EBB697031BE208FC00715F16 /* secbackupntest */;
+			targetProxy = EBB6970D1BE2095F00715F16 /* PBXContainerItemProxy */;
+		};
 		EBB9FFE01682E71F00FF9774 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
 			name = CodeSigningHelper;
 			targetProxy = EBB9FFDF1682E71F00FF9774 /* PBXContainerItemProxy */;
 		};
+		EBE012011C21368400CB6A63 /* PBXTargetDependency */ = {
+			isa = PBXTargetDependency;
+			target = EBE011D31C21357200CB6A63 /* SecurityFeatures */;
+			targetProxy = EBE012001C21368400CB6A63 /* PBXContainerItemProxy */;
+		};
 		F94E7A971ACC8CC200F23132 /* PBXTargetDependency */ = {
 			isa = PBXTargetDependency;
 			target = F93C49311AB8FD350047E01A /* ckcdiagnose.sh */;
@@ -6558,14 +6582,6 @@
 			name = MainMenu.xib;
 			sourceTree = "<group>";
 		};
-		5214701016977CB800DF0DB3 /* InfoPlist.strings */ = {
-			isa = PBXVariantGroup;
-			children = (
-				5214701116977CB800DF0DB3 /* en */,
-			);
-			name = InfoPlist.strings;
-			sourceTree = "<group>";
-		};
 		5328475117850741009118DC /* Localizable.strings */ = {
 			isa = PBXVariantGroup;
 			children = (
@@ -6589,13 +6605,13 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */;
 			buildSettings = {
+				ARCHS = "$(ARCHS_STANDARD)";
 				CODE_SIGN_ENTITLEMENTS = "sectests/SecurityTests-Entitlements.plist";
 				LIBRARY_SEARCH_PATHS = (
 					"$(inherited)",
 					/usr/lib/system,
 				);
 				OTHER_LDFLAGS = "-t";
-				VALID_ARCHS = x86_64;
 			};
 			name = Debug;
 		};
@@ -6603,27 +6619,13 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */;
 			buildSettings = {
+				ARCHS = "$(ARCHS_STANDARD)";
 				CODE_SIGN_ENTITLEMENTS = "sectests/SecurityTests-Entitlements.plist";
 				LIBRARY_SEARCH_PATHS = (
 					"$(inherited)",
 					/usr/lib/system,
 				);
 				OTHER_LDFLAGS = "-t";
-				VALID_ARCHS = x86_64;
-			};
-			name = Release;
-		};
-		0C6C642B15D5ADB500BC68CD /* Debug */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				PRODUCT_NAME = "$(TARGET_NAME)";
-			};
-			name = Debug;
-		};
-		0C6C642C15D5ADB500BC68CD /* Release */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
 			name = Release;
 		};
@@ -6631,11 +6633,14 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */;
 			buildSettings = {
+				ARCHS = "$(ARCHS_STANDARD)";
+				CLANG_ENABLE_OBJC_ARC = YES;
 				CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist;
 				HEADER_SEARCH_PATHS = (
 					"$(inherited)",
 					"$(PROJECT_DIR)/sec",
 					"$(PROJECT_DIR)/utilities",
+					"$(PROJECT_DIR)",
 				);
 				LIBRARY_SEARCH_PATHS = (
 					"$(inherited)",
@@ -6649,7 +6654,6 @@
 					AppleSystemInfo,
 				);
 				PRODUCT_NAME = secdtests;
-				VALID_ARCHS = x86_64;
 			};
 			name = Debug;
 		};
@@ -6657,11 +6661,14 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */;
 			buildSettings = {
+				ARCHS = "$(ARCHS_STANDARD)";
+				CLANG_ENABLE_OBJC_ARC = YES;
 				CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist;
 				HEADER_SEARCH_PATHS = (
 					"$(inherited)",
 					"$(PROJECT_DIR)/sec",
 					"$(PROJECT_DIR)/utilities",
+					"$(PROJECT_DIR)",
 				);
 				LIBRARY_SEARCH_PATHS = (
 					"$(inherited)",
@@ -6675,7 +6682,6 @@
 					AppleSystemInfo,
 				);
 				PRODUCT_NAME = secdtests;
-				VALID_ARCHS = x86_64;
 			};
 			name = Release;
 		};
@@ -6683,6 +6689,11 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 181EA423146D4A2A00A6D320 /* debug.xcconfig */;
 			buildSettings = {
+				ASSETCATALOG_COMPRESSION = lossless;
+				ENABLE_TESTABILITY = YES;
+				GCC_TREAT_WARNINGS_AS_ERRORS = YES;
+				ONLY_ACTIVE_ARCH = YES;
+				SDKROOT = macosx.internal;
 			};
 			name = Debug;
 		};
@@ -6690,6 +6701,9 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 181EA425146D4A2A00A6D320 /* release.xcconfig */;
 			buildSettings = {
+				ASSETCATALOG_COMPRESSION = "respect-asset-catalog";
+				GCC_TREAT_WARNINGS_AS_ERRORS = YES;
+				SDKROOT = macosx.internal;
 			};
 			name = Release;
 		};
@@ -6698,15 +6712,23 @@
 			baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */;
 			buildSettings = {
 				COMBINE_HIDPI_IMAGES = YES;
+				DEFINES_MODULE = YES;
 				EXPORTED_SYMBOLS_FILE = "$(BUILT_PRODUCTS_DIR)/$(TARGETNAME).$(CURRENT_ARCH).exp";
 				INFOPLIST_FILE = "lib/Info-Security.plist";
+				INSTALLHDRS_SCRIPT_PHASE = YES;
 				INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks";
 				LIBRARY_SEARCH_PATHS = (
 					"$(inherited)",
 					/usr/lib/system,
 				);
-				OTHER_LDFLAGS = "-laks";
-				"OTHER_LDFLAGS[sdk=*simulator*]" = "";
+				MODULEMAP_FILE = Modules/Security.macOS.modulemap;
+				OTHER_LDFLAGS = (
+					"-Wl,-upward-lcoretls",
+					"-Wl,-upward-lcoretls_cfhelpers",
+					"-laks",
+					"-lCrashReporterClient",
+				);
+				PRODUCT_BUNDLE_IDENTIFIER = com.apple.security;
 			};
 			name = Debug;
 		};
@@ -6715,16 +6737,24 @@
 			baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */;
 			buildSettings = {
 				COMBINE_HIDPI_IMAGES = YES;
+				DEFINES_MODULE = YES;
 				EXPORTED_SYMBOLS_FILE = "$(BUILT_PRODUCTS_DIR)/$(TARGETNAME).$(CURRENT_ARCH).exp";
 				INFOPLIST_FILE = "lib/Info-Security.plist";
+				INSTALLHDRS_SCRIPT_PHASE = YES;
 				INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks";
 				LIBRARY_SEARCH_PATHS = (
 					"$(inherited)",
 					/usr/lib/system,
 				);
+				MODULEMAP_FILE = Modules/Security.macOS.modulemap;
 				ORDER_FILE = lib/Security.order;
-				OTHER_LDFLAGS = "-laks";
-				"OTHER_LDFLAGS[sdk=*simulator*]" = "";
+				OTHER_LDFLAGS = (
+					"-Wl,-upward-lcoretls",
+					"-Wl,-upward-lcoretls_cfhelpers",
+					"-laks",
+					"-lCrashReporterClient",
+				);
+				PRODUCT_BUNDLE_IDENTIFIER = com.apple.security;
 				SECTORDER_FLAGS = "-order_file_statistics";
 			};
 			name = Release;
@@ -6733,10 +6763,15 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */;
 			buildSettings = {
+				ARCHS = "$(ARCHS_STANDARD)";
 				CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist;
+				FRAMEWORK_SEARCH_PATHS = (
+					"$(inherited)",
+					"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+				);
 				GCC_PREPROCESSOR_DEFINITIONS = (
 					"SECITEM_SHIM_OSX=1",
-					"SECTRUST_OSX=0",
+					"SECTRUST_OSX=1",
 					"$(inherited)",
 				);
 				GCC_TREAT_WARNINGS_AS_ERRORS = YES;
@@ -6759,7 +6794,6 @@
 					AppleSystemInfo,
 				);
 				USE_HEADERMAP = NO;
-				VALID_ARCHS = x86_64;
 			};
 			name = Debug;
 		};
@@ -6767,10 +6801,15 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */;
 			buildSettings = {
+				ARCHS = "$(ARCHS_STANDARD)";
 				CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist;
+				FRAMEWORK_SEARCH_PATHS = (
+					"$(inherited)",
+					"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+				);
 				GCC_PREPROCESSOR_DEFINITIONS = (
 					"SECITEM_SHIM_OSX=1",
-					"SECTRUST_OSX=0",
+					"SECTRUST_OSX=1",
 					"$(inherited)",
 				);
 				GCC_TREAT_WARNINGS_AS_ERRORS = YES;
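Review bot: `"SECTRUST_OSX=0"` becomes `"SECTRUST_OSX=1"` in both configurations of this target (hunks @@ -6733 and @@ -6767) and again for trustd (hunk @@ -7576 at L383–L384 and @@ -7695 at L385), but the definition stays a per-target copy, so any other target that compiles the same trust sources with the old value would keep the old code path silently rather than fail to build. Judging by the name and its pairing with `"TRUSTD_SERVER=1"`, the macro selects trust-evaluation behaviour at compile time, which makes a framework/daemon mismatch a runtime divergence that nothing in this project file would catch. Since every configuration flipped here already inherits `18BBC6801471EF1600F2B224 /* security.xcconfig */`, the value would be safer as a single `GCC_PREPROCESSOR_DEFINITIONS = $(inherited) SECTRUST_OSX=1` line in that xcconfig, with the per-target copies reduced to `"$(inherited)"`.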
@@ -6793,7 +6832,6 @@
 					AppleSystemInfo,
 				);
 				USE_HEADERMAP = NO;
-				VALID_ARCHS = x86_64;
 			};
 			name = Release;
 		};
@@ -6806,6 +6844,7 @@
 				INFOPLIST_FILE = "lib/plugins/csparser-Info.plist";
 				INSTALLHDRS_SCRIPT_PHASE = NO;
 				INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/PlugIns";
+				PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.csparser;
 				WRAPPER_EXTENSION = bundle;
 			};
 			name = Debug;
@@ -6819,24 +6858,11 @@
 				INFOPLIST_FILE = "lib/plugins/csparser-Info.plist";
 				INSTALLHDRS_SCRIPT_PHASE = NO;
 				INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/PlugIns";
+				PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.csparser;
 				WRAPPER_EXTENSION = bundle;
 			};
 			name = Release;
 		};
-		182BB59A146FE295000BF1F3 /* Debug */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				PRODUCT_NAME = "$(TARGET_NAME)";
-			};
-			name = Debug;
-		};
-		182BB59B146FE295000BF1F3 /* Release */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				PRODUCT_NAME = "$(TARGET_NAME)";
-			};
-			name = Release;
-		};
 		186F778A14E59FB200434E1F /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
@@ -6896,9 +6922,10 @@
 				INFOPLIST_FILE = authd/Info.plist;
 				INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices";
 				MACH_O_TYPE = mh_execute;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.apple.${PRODUCT_NAME:rfc1034identifier}";
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				RUN_CLANG_STATIC_ANALYZER = YES;
-				SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator";
+				SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator appletvos appletvsimulator watchos watchsimulator";
 				WRAPPER_EXTENSION = xpc;
 			};
 			name = Debug;
@@ -6934,8 +6961,9 @@
 				INFOPLIST_FILE = authd/Info.plist;
 				INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices";
 				MACH_O_TYPE = mh_execute;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.apple.${PRODUCT_NAME:rfc1034identifier}";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator";
+				SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator appletvos appletvsimulator watchos watchsimulator";
 				WRAPPER_EXTENSION = xpc;
 			};
 			name = Release;
@@ -6969,7 +6997,6 @@
 				ALWAYS_SEARCH_USER_PATHS = NO;
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
 				CLANG_CXX_LIBRARY = "libc++";
-				CLANG_ENABLE_MODULES = YES;
 				CLANG_ENABLE_OBJC_ARC = YES;
 				CLANG_WARN_BOOL_CONVERSION = YES;
 				CLANG_WARN_CONSTANT_CONVERSION = YES;
@@ -7013,7 +7040,6 @@
 				ALWAYS_SEARCH_USER_PATHS = NO;
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
 				CLANG_CXX_LIBRARY = "libc++";
-				CLANG_ENABLE_MODULES = YES;
 				CLANG_ENABLE_OBJC_ARC = YES;
 				CLANG_WARN_BOOL_CONVERSION = YES;
 				CLANG_WARN_CONSTANT_CONVERSION = YES;
@@ -7200,7 +7226,6 @@
 		4C96F7D616D6DF8400D3B39D /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
-				ALWAYS_SEARCH_USER_PATHS = NO;
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
 				CLANG_CXX_LIBR
 				CLANG_ENABLE_OBJC_ARC = YES;
@@ -7215,8 +7240,8 @@
 				COMBINE_HIDPI_IMAGES = YES;
 				COPY_PHASE_STRIP = NO;
 				FRAMEWORK_SEARCH_PATHS = (
-					"$(inherited)",
-					"$(SDKROOT)/System/Library/PrivateFrameworks",
+					"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+					"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
 				);
 				GCC_C_LANGUAGE_STANDARD = gnu99;
 				GCC_DYNAMIC_NO_PIC = NO;
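Review bot: `"$(inherited)",` is dropped from FRAMEWORK_SEARCH_PATHS in hunk @@ -7215 (and in its Release twin @@ -7268 at L377), so framework search paths set at project or xcconfig level no longer reach this target, and the first replacement entry `"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"` carries no `$(SDKROOT)` prefix, which makes it resolve against the build host's /System/Library rather than the SDK being built against. The other targets touched by this commit use the SDK-relative form `"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"` (hunks @@ -6733 at L374 and @@ -7695 at L385), while the Keychain app hunks @@ -7337 and @@ -7391 (L378–L379) go the opposite way and keep only the host path, so the project now mixes three conventions. One form for all of them, `"$(inherited)",` followed by `"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",`, keeps the link inputs tied to the SDK and leaves inherited paths intact.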
@@ -7233,17 +7258,19 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				HEADER_SEARCH_PATHS = (
-					"$(inherited)",
-					"$(SDKROOT)/System/Library/Frameworks/Security.framework/PrivateHeaders",
-					"$(SDKROOT)/System/Library/Frameworks/CoreFoundation.framework/PrivateHeaders",
+					"$(PROJECT_DIR)/Keychain",
+					Circle,
+					Notification,
+					"$(PROJECT_DIR)/sec/ProjectHeaders",
+					"$(PROJECT_DIR)/utilities",
 					"$(PROJECT_DIR)/sec",
+					"$(inherited)",
 				);
 				INFOPLIST_FILE = "Keychain Circle Notification/Keychain Circle Notification-Info.plist";
 				INSTALL_PATH = /System/Library/CoreServices;
 				ONLY_ACTIVE_ARCH = YES;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:rfc1034identifier}";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				SDKROOT = "";
-				VALID_ARCHS = x86_64;
 				WRAPPER_EXTENSION = app;
 			};
 			name = Debug;
@@ -7251,7 +7278,6 @@
 		4C96F7D716D6DF8400D3B39D /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
-				ALWAYS_SEARCH_USER_PATHS = NO;
 				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
 				CLANG_CXX_LIBRARY = "libc++";
 				CLANG_ENABLE_OBJC_ARC = YES;
@@ -7268,8 +7294,8 @@
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 				ENABLE_NS_ASSERTIONS = NO;
 				FRAMEWORK_SEARCH_PATHS = (
-					"$(inherited)",
-					"$(SDKROOT)/System/Library/PrivateFrameworks",
+					"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+					"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
 				);
 				GCC_C_LANGUAGE_STANDARD = gnu99;
 				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
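Review bot: `Circle,` and `Notification,` stand as separate HEADER_SEARCH_PATHS entries in hunk @@ -7233 (and again in the Release hunk @@ -7279 at L378); taken together with the preceding `"$(PROJECT_DIR)/Keychain",` they look like the directory `Keychain Circle Notification` — the one this target's INFOPLIST_FILE lives in — split on whitespace when the setting was entered. If that reading is right, the intended directory is never searched at all, and `Circle` and `Notification` become relative search paths resolved from the build's working directory. The three entries would then collapse to one quoted entry, `"\"$(PROJECT_DIR)/Keychain Circle Notification\"",`, which is how this file format keeps a path containing spaces as a single search path.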
@@ -7279,16 +7305,18 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				HEADER_SEARCH_PATHS = (
-					"$(inherited)",
-					"$(SDKROOT)/System/Library/Frameworks/Security.framework/PrivateHeaders",
-					"$(SDKROOT)/System/Library/Frameworks/CoreFoundation.framework/PrivateHeaders",
+					"$(PROJECT_DIR)/Keychain",
+					Circle,
+					Notification,
+					"$(PROJECT_DIR)/sec/ProjectHeaders",
+					"$(PROJECT_DIR)/utilities",
 					"$(PROJECT_DIR)/sec",
+					"$(inherited)",
 				);
 				INFOPLIST_FILE = "Keychain Circle Notification/Keychain Circle Notification-Info.plist";
 				INSTALL_PATH = /System/Library/CoreServices;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:rfc1034identifier}";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				SDKROOT = "";
-				VALID_ARCHS = x86_64;
 				WRAPPER_EXTENSION = app;
 			};
 			name = Release;
@@ -7337,8 +7365,7 @@
 				COPY_PHASE_STRIP = NO;
 				FRAMEWORK_SEARCH_PATHS = (
 					"$(inherited)",
-					"$(SDKROOT)/System/Library/PrivateFrameworks",
-					"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+					"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
 				);
 				GCC_C_LANGUAGE_STANDARD = gnu99;
 				GCC_DYNAMIC_NO_PIC = NO;
@@ -7355,17 +7382,16 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				HEADER_SEARCH_PATHS = (
-					"$(inherited)",
-					"$(SDKROOT)/System/Library/Frameworks/Security.framework/PrivateHeaders",
-					"$(SDKROOT)/System/Library/Frameworks/CoreFoundation.framework/PrivateHeaders",
+					"$(PROJECT_DIR)/sec/ProjectHeaders",
+					"$(PROJECT_DIR)/utilities",
 					"$(PROJECT_DIR)/sec",
+					"$(inherited)",
 				);
 				INFOPLIST_FILE = "Keychain/Keychain-Info.plist";
 				INSTALL_PATH = /AppleInternal/Applications;
 				ONLY_ACTIVE_ARCH = YES;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:rfc1034identifier}";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				SDKROOT = "";
-				VALID_ARCHS = x86_64;
 				WRAPPER_EXTENSION = app;
 			};
 			name = Debug;
@@ -7391,8 +7417,7 @@
 				ENABLE_NS_ASSERTIONS = NO;
 				FRAMEWORK_SEARCH_PATHS = (
 					"$(inherited)",
-					"$(SDKROOT)/System/Library/PrivateFrameworks",
-					"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+					"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
 				);
 				GCC_C_LANGUAGE_STANDARD = gnu99;
 				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
@@ -7402,16 +7427,15 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
 				HEADER_SEARCH_PATHS = (
-					"$(inherited)",
-					"$(SDKROOT)/System/Library/Frameworks/Security.framework/PrivateHeaders",
-					"$(SDKROOT)/System/Library/Frameworks/CoreFoundation.framework/PrivateHeaders",
+					"$(PROJECT_DIR)/sec/ProjectHeaders",
+					"$(PROJECT_DIR)/utilities",
 					"$(PROJECT_DIR)/sec",
+					"$(inherited)",
 				);
 				INFOPLIST_FILE = "Keychain/Keychain-Info.plist";
 				INSTALL_PATH = /AppleInternal/Applications;
+				PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:rfc1034identifier}";
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				SDKROOT = "";
-				VALID_ARCHS = x86_64;
 				WRAPPER_EXTENSION = app;
 			};
 			name = Release;
@@ -7430,103 +7454,11 @@
 			};
 			name = Release;
 		};
-		5214701516977CB800DF0DB3 /* Debug */ = {
-			isa = XCBuildConfiguration;
-			baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */;
-			buildSettings = {
-				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
-				CLANG_CXX_LIBRARY = "libc++";
-				CLANG_ENABLE_OBJC_ARC = YES;
-				CLANG_WARN_CONSTANT_CONVERSION = YES;
-				CLANG_WARN_EMPTY_BODY = YES;
-				CLANG_WARN_ENUM_CONVERSION = YES;
-				CLANG_WARN_INT_CONVERSION = YES;
-				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				CODE_SIGN_ENTITLEMENTS = CloudKeychainProxy/cloudkeychain.entitlements.plist;
-				CODE_SIGN_IDENTITY = "-";
-				COMBINE_HIDPI_IMAGES = YES;
-				COPY_PHASE_STRIP = NO;
-				FRAMEWORK_SEARCH_PATHS = (
-					"$(inherited)",
-					"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
-					"$(SDKROOT)/System/Library/Frameworks",
-				);
-				GCC_C_LANGUAGE_STANDARD = gnu99;
-				GCC_DYNAMIC_NO_PIC = NO;
-				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
-				GCC_OPTIMIZATION_LEVEL = 0;
-				GCC_PREPROCESSOR_DEFINITIONS = (
-					"DEBUG=1",
-					"$(inherited)",
-				);
-				GCC_SYMBOLS_PRIVATE_EXTERN = NO;
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_RETURN_TYPE = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES;
-				GCC_WARN_UNUSED_VARIABLE = YES;
-				INFOPLIST_FILE = "CloudKeychainProxy/CloudKeychainProxy-Info.plist";
-				INSTALL_PATH = "$(INDIGO_INSTALL_PATH_PREFIX)$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources";
-				MACH_O_TYPE = mh_execute;
-				ONLY_ACTIVE_ARCH = YES;
-				"OTHER_LDFLAGS[sdk=iphoneos*]" = (
-					"$(inherited)",
-					"-framework",
-					MobileKeyBag,
-				);
-				PRODUCT_NAME = "$(TARGET_NAME)";
-				PROVISIONING_PROFILE = "";
-				VALID_ARCHS = "armv6 armv7 x86_64";
-				WRAPPER_EXTENSION = bundle;
-			};
-			name = Debug;
-		};
-		5214701616977CB800DF0DB3 /* Release */ = {
-			isa = XCBuildConfiguration;
-			baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */;
-			buildSettings = {
-				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
-				CLANG_CXX_LIBRARY = "libc++";
-				CLANG_ENABLE_OBJC_ARC = YES;
-				CLANG_WARN_CONSTANT_CONVERSION = YES;
-				CLANG_WARN_EMPTY_BODY = YES;
-				CLANG_WARN_ENUM_CONVERSION = YES;
-				CLANG_WARN_INT_CONVERSION = YES;
-				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				CODE_SIGN_ENTITLEMENTS = CloudKeychainProxy/cloudkeychain.entitlements.plist;
-				CODE_SIGN_IDENTITY = "-";
-				COMBINE_HIDPI_IMAGES = YES;
-				COPY_PHASE_STRIP = YES;
-				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
-				FRAMEWORK_SEARCH_PATHS = (
-					"$(inherited)",
-					"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
-					"$(SDKROOT)/System/Library/Frameworks",
-				);
-				GCC_C_LANGUAGE_STANDARD = gnu99;
-				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_RETURN_TYPE = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES;
-				GCC_WARN_UNUSED_VARIABLE = YES;
-				INFOPLIST_FILE = "CloudKeychainProxy/CloudKeychainProxy-Info.plist";
-				INSTALL_PATH = "$(INDIGO_INSTALL_PATH_PREFIX)$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources";
-				MACH_O_TYPE = mh_execute;
-				"OTHER_LDFLAGS[sdk=iphoneos*]" = (
-					"$(inherited)",
-					"-framework",
-					MobileKeyBag,
-				);
-				PRODUCT_NAME = "$(TARGET_NAME)";
-				PROVISIONING_PROFILE = "";
-				VALID_ARCHS = "armv6 armv7 x86_64";
-				WRAPPER_EXTENSION = bundle;
-			};
-			name = Release;
-		};
 		5EF7C20E1B00E25400E5E99C /* Debug */ = {
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */;
 			buildSettings = {
+				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_OBJC_ARC = YES;
 				CODE_SIGN_ENTITLEMENTS = "../secacltests/secacltests-entitlements.plist";
 				GCC_PREPROCESSOR_DEFINITIONS = (
@@ -7550,7 +7482,6 @@
 					"-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
 				);
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				VALID_ARCHS = x86_64;
 			};
 			name = Debug;
 		};
@@ -7558,6 +7489,7 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */;
 			buildSettings = {
+				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_OBJC_ARC = YES;
 				CODE_SIGN_ENTITLEMENTS = "../secacltests/secacltests-entitlements.plist";
 				GCC_WARN_UNDECLARED_SELECTOR = YES;
@@ -7576,94 +7508,23 @@
 					"-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
 				);
 				PRODUCT_NAME = "$(TARGET_NAME)";
-				VALID_ARCHS = x86_64;
 			};
 			name = Release;
 		};
-		72756C07175D485D00F52070 /* Debug */ = {
+		BE48AE1F1ADF1DF4000836C1 /* Debug */ = {
 			isa = XCBuildConfiguration;
-			baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */;
+			baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */;
 			buildSettings = {
-				ALWAYS_SEARCH_USER_PATHS = NO;
 				ARCHS = "$(ARCHS_STANDARD)";
-				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
-				CLANG_CXX_LIBRARY = "libc++";
-				CLANG_ENABLE_MODULES = YES;
-				CLANG_ENABLE_OBJC_ARC = YES;
-				CLANG_WARN_BOOL_CONVERSION = YES;
-				CLANG_WARN_CONSTANT_CONVERSION = YES;
-				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
-				CLANG_WARN_EMPTY_BODY = YES;
-				CLANG_WARN_ENUM_CONVERSION = YES;
-				CLANG_WARN_INT_CONVERSION = YES;
-				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
-				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				COPY_PHASE_STRIP = NO;
-				GCC_C_LANGUAGE_STANDARD = gnu99;
-				GCC_DYNAMIC_NO_PIC = NO;
-				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
-				GCC_OPTIMIZATION_LEVEL = 0;
-				GCC_PRECOMPILE_PREFIX_HEADER = NO;
+				CODE_SIGN_ENTITLEMENTS = trustd/entitlements.plist;
+				FRAMEWORK_SEARCH_PATHS = (
+					"$(inherited)",
+					"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+				);
 				GCC_PREPROCESSOR_DEFINITIONS = (
-					"DEBUG=1",
-					"$(inherited)",
-				);
-				GCC_SYMBOLS_PRIVATE_EXTERN = NO;
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
-				GCC_WARN_UNDECLARED_SELECTOR = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES;
-				GCC_WARN_UNUSED_FUNCTION = YES;
-				GCC_WARN_UNUSED_VARIABLE = YES;
-				ONLY_ACTIVE_ARCH = YES;
-				OTHER_LDFLAGS = "-laks";
-				PRODUCT_NAME = "$(TARGET_NAME)";
-			};
-			name = Debug;
-		};
-		72756C08175D485D00F52070 /* Release */ = {
-			isa = XCBuildConfiguration;
-			baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */;
-			buildSettings = {
-				ALWAYS_SEARCH_USER_PATHS = NO;
-				ARCHS = "$(ARCHS_STANDARD)";
-				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
-				CLANG_CXX_LIBRARY = "libc++";
-				CLANG_ENABLE_MODULES = YES;
-				CLANG_ENABLE_OBJC_ARC = YES;
-				CLANG_WARN_BOOL_CONVERSION = YES;
-				CLANG_WARN_CONSTANT_CONVERSION = YES;
-				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
-				CLANG_WARN_EMPTY_BODY = YES;
-				CLANG_WARN_ENUM_CONVERSION = YES;
-				CLANG_WARN_INT_CONVERSION = YES;
-				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
-				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				COPY_PHASE_STRIP = YES;
-				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
-				ENABLE_NS_ASSERTIONS = NO;
-				GCC_C_LANGUAGE_STANDARD = gnu99;
-				GCC_ENABLE_OBJC_EXCEPTIONS = YES;
-				GCC_PRECOMPILE_PREFIX_HEADER = NO;
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
-				GCC_WARN_UNDECLARED_SELECTOR = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES;
-				GCC_WARN_UNUSED_FUNCTION = YES;
-				GCC_WARN_UNUSED_VARIABLE = YES;
-				OTHER_LDFLAGS = "-laks";
-				PRODUCT_NAME = "$(TARGET_NAME)";
-			};
-			name = Release;
-		};
-		BE48AE1F1ADF1DF4000836C1 /* Debug */ = {
-			isa = XCBuildConfiguration;
-			baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */;
-			buildSettings = {
-				GCC_PREPROCESSOR_DEFINITIONS = (
-					"SECITEM_SHIM_OSX=1",
-					"SECTRUST_OSX=0",
-					"TRUSTD_SERVER=1",
+					"SECITEM_SHIM_OSX=1",
+					"SECTRUST_OSX=1",
+					"TRUSTD_SERVER=1",
 					"$(inherited)",
 				);
 				GCC_TREAT_WARNINGS_AS_ERRORS = YES;
@@ -7675,9 +7536,10 @@
 					"$(PROJECT_DIR)/utilities",
 					"$(PROJECT_DIR)",
 					"$(PROJECT_DIR)/../ios/asn1",
-					"$(PROJECT_DIR)/../libsecurity_keychain/libDER",
+					"$(PROJECT_DIR)/libsecurity_keychain/libDER",
 					"$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers",
 					"$(inherited)",
+					"$(PROJECT_DIR)/trustd/",
 				);
 				INSTALL_PATH = /usr/libexec;
 				"OTHER_LDFLAGS[sdk=macosx*]" = (
@@ -7687,7 +7549,6 @@
 				);
 				PRODUCT_NAME = trustd;
 				USE_HEADERMAP = NO;
-				VALID_ARCHS = x86_64;
 			};
 			name = Debug;
 		};
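Review bot: `CODE_SIGN_ENTITLEMENTS = trustd/entitlements.plist;` is added to the trustd Debug configuration in hunk @@ -7576 and to Release in hunk @@ -7695 (L385), but the plist itself is not in this diff, so the entitlements the daemon will carry cannot be reviewed from the project file; that file is the thing to check alongside this change, since trustd is installed to /usr/libexec (INSTALL_PATH in hunk @@ -7675) and runs as a system service. Separately, in hunk @@ -7675 (and its Release twin @@ -7710 at L385) the new `"$(PROJECT_DIR)/trustd/",` is appended after `"$(inherited)",`, whereas every other `$(PROJECT_DIR)` directory in the list precedes it, so an inherited header with the same name would be found before the trustd one; moving the entry up next to `"$(PROJECT_DIR)",` keeps the lookup order consistent with the rest of the list.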
@@ -7695,9 +7556,15 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */;
 			buildSettings = {
+				ARCHS = "$(ARCHS_STANDARD)";
+				CODE_SIGN_ENTITLEMENTS = trustd/entitlements.plist;
+				FRAMEWORK_SEARCH_PATHS = (
+					"$(inherited)",
+					"$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
+				);
 				GCC_PREPROCESSOR_DEFINITIONS = (
 					"SECITEM_SHIM_OSX=1",
-					"SECTRUST_OSX=0",
+					"SECTRUST_OSX=1",
 					"TRUSTD_SERVER=1",
 					"$(inherited)",
 				);
@@ -7710,9 +7577,10 @@
 					"$(PROJECT_DIR)/utilities",
 					"$(PROJECT_DIR)",
 					"$(PROJECT_DIR)/../ios/asn1",
-					"$(PROJECT_DIR)/../libsecurity_keychain/libDER",
+					"$(PROJECT_DIR)/libsecurity_keychain/libDER",
 					"$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers",
 					"$(inherited)",
+					"$(PROJECT_DIR)/trustd/",
 				);
 				INSTALL_PATH = /usr/libexec;
 				"OTHER_LDFLAGS[sdk=macosx*]" = (
@@ -7722,229 +7590,213 @@ ); PRODUCT_NAME = trustd; USE_HEADERMAP = NO; - VALID_ARCHS = x86_64; }; name = Release; }; - BE94B7A21AD83AF700A7216D /* Debug */ = { + D42FA8331C9B8D3D003E46A7 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */; + buildSettings = { + ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CODE_SIGN_ENTITLEMENTS = "SecurityTestsOSX/SecurityTests-Entitlements.plist"; + COMBINE_HIDPI_IMAGES = YES; + INFOPLIST_FILE = SecurityTestsOSX/Info.plist; + INSTALL_PATH = /AppleInternal/CoreOS/tests/Security/; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + OTHER_LDFLAGS = "-t"; + PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.SecurityTestsOSX; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + D42FA8341C9B8D3D003E46A7 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */; + buildSettings = { + ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CODE_SIGN_ENTITLEMENTS = "SecurityTestsOSX/SecurityTests-Entitlements.plist"; + COMBINE_HIDPI_IMAGES = YES; + INFOPLIST_FILE = SecurityTestsOSX/Info.plist; + INSTALL_PATH = /AppleInternal/CoreOS/tests/Security/; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + OTHER_LDFLAGS = "-t"; + PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.SecurityTestsOSX; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + EBB697091BE208FC00715F16 /* Debug */ = { isa = XCBuildConfiguration; - baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = 
YES; CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_IMPLICIT_SIGN_CONVERSION = YES; - CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - COMBINE_HIDPI_IMAGES = YES; - GCC_ENABLE_OBJC_EXCEPTIONS = YES; + CODE_SIGN_IDENTITY = "-"; + COPY_PHASE_STRIP = NO; + DEBUG_INFORMATION_FORMAT = dwarf; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_NO_COMMON_BLOCKS = YES; + GCC_OPTIMIZATION_LEVEL = 0; GCC_PREPROCESSOR_DEFINITIONS = ( - "SECITEM_SHIM_OSX=1", - "SECTRUST_OSX=0", - "TRUSTD_SERVER=1", + "DEBUG=1", "$(inherited)", ); - GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS = YES; - GCC_TREAT_INCOMPATIBLE_POINTER_TYPE_WARNINGS_AS_ERRORS = YES; GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_MISSING_FIELD_INITIALIZERS = YES; - GCC_WARN_ABOUT_MISSING_NEWLINE = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES; - GCC_WARN_INITIALIZER_NOT_FULLY_BRACKETED = YES; - GCC_WARN_SHADOW = YES; - GCC_WARN_SIGN_COMPARE = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES; - GCC_WARN_UNKNOWN_PRAGMAS = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; GCC_WARN_UNUSED_FUNCTION = YES; - GCC_WARN_UNUSED_LABEL = YES; - GCC_WARN_UNUSED_PARAMETER = YES; GCC_WARN_UNUSED_VARIABLE = YES; - HEADER_SEARCH_PATHS = ( - "$(PROJECT_DIR)/sec", - "$(PROJECT_DIR)/sec/securityd", - "$(PROJECT_DIR)/sec/ipc", - "$(PROJECT_DIR)/sec/SOSCircle", - "$(PROJECT_DIR)/utilities", - "$(PROJECT_DIR)", - "$(PROJECT_DIR)/../ios/asn1", - "$(PROJECT_DIR)/../libsecurity_keychain/libDER", - 
"$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", - "$(inherited)", - ); - INFOPLIST_FILE = "trustd/trustd-Info.plist"; - INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; - MACH_O_TYPE = mh_execute; - "OTHER_LDFLAGS[sdk=macosx*]" = ( - "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", - "-framework", - AppleSystemInfo, - ); - PRODUCT_NAME = trustd; - RUN_CLANG_STATIC_ANALYZER = YES; - SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator"; - USE_HEADERMAP = NO; - VALID_ARCHS = "armv6 armv7 x86_64 x86_64h"; - WRAPPER_EXTENSION = xpc; + INSTALL_PATH = /AppleInternal/CoreOS/tests/Security; + MTL_ENABLE_DEBUG_INFO = YES; + ONLY_ACTIVE_ARCH = YES; + OTHER_LDFLAGS = "-laks"; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = macosx.internal; }; name = Debug; }; - BE94B7A31AD83AF700A7216D /* Release */ = { + EBB6970A1BE208FC00715F16 /* Release */ = { isa = XCBuildConfiguration; - baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_IMPLICIT_SIGN_CONVERSION = YES; - CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - COMBINE_HIDPI_IMAGES = YES; - GCC_ENABLE_OBJC_EXCEPTIONS = YES; - GCC_PREPROCESSOR_DEFINITIONS = ( - "SECITEM_SHIM_OSX=1", - "SECTRUST_OSX=0", - "TRUSTD_SERVER=1", - "$(inherited)", - ); - GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS = YES; - 
GCC_TREAT_INCOMPATIBLE_POINTER_TYPE_WARNINGS_AS_ERRORS = YES; + CODE_SIGN_IDENTITY = "-"; + COPY_PHASE_STRIP = NO; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_NO_COMMON_BLOCKS = YES; GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_MISSING_FIELD_INITIALIZERS = YES; - GCC_WARN_ABOUT_MISSING_NEWLINE = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES; - GCC_WARN_INITIALIZER_NOT_FULLY_BRACKETED = YES; - GCC_WARN_SHADOW = YES; - GCC_WARN_SIGN_COMPARE = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES; - GCC_WARN_UNKNOWN_PRAGMAS = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; GCC_WARN_UNUSED_FUNCTION = YES; - GCC_WARN_UNUSED_LABEL = YES; - GCC_WARN_UNUSED_PARAMETER = YES; GCC_WARN_UNUSED_VARIABLE = YES; - HEADER_SEARCH_PATHS = ( - "$(PROJECT_DIR)/sec", - "$(PROJECT_DIR)/sec/securityd", - "$(PROJECT_DIR)/sec/ipc", - "$(PROJECT_DIR)/sec/SOSCircle", - "$(PROJECT_DIR)/utilities", - "$(PROJECT_DIR)", - "$(PROJECT_DIR)/../ios/asn1", - "$(PROJECT_DIR)/../libsecurity_keychain/libDER", - "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", - "$(inherited)", - ); - INFOPLIST_FILE = "trustd/trustd-Info.plist"; - INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; - MACH_O_TYPE = mh_execute; - "OTHER_LDFLAGS[sdk=macosx*]" = ( - "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", - "-framework", - AppleSystemInfo, - ); - PRODUCT_NAME = trustd; - SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator"; - USE_HEADERMAP = NO; - VALID_ARCHS = "armv6 armv7 x86_64 x86_64h"; - WRAPPER_EXTENSION = xpc; + INSTALL_PATH = /AppleInternal/CoreOS/tests/Security; + MTL_ENABLE_DEBUG_INFO = NO; + OTHER_LDFLAGS = "-laks"; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = macosx.internal; }; name = Release; }; - 
CD63ACE41A8061FA001B5671 /* Debug */ = { + EBE011D41C21357200CB6A63 /* Debug */ = { isa = XCBuildConfiguration; - baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - CODE_SIGN_ENTITLEMENTS = IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist; - CODE_SIGN_IDENTITY = "-"; - COMBINE_HIDPI_IMAGES = YES; COPY_PHASE_STRIP = NO; - FRAMEWORK_SEARCH_PATHS = ( - "$(inherited)", - "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", - ); + DEBUGGING_SYMBOLS = YES; + DEBUG_INFORMATION_FORMAT = dwarf; + ENABLE_STRICT_OBJC_MSGSEND = YES; GCC_C_LANGUAGE_STANDARD = gnu99; GCC_DYNAMIC_NO_PIC = NO; - GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_GENERATE_DEBUGGING_SYMBOLS = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_OPTIMIZATION_LEVEL = 0; GCC_PREPROCESSOR_DEFINITIONS = ( "DEBUG=1", "$(inherited)", ); - GCC_SYMBOLS_PRIVATE_EXTERN = NO; GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; GCC_WARN_UNUSED_VARIABLE = YES; - INFOPLIST_FILE = "IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist"; - INSTALL_PATH = "$(INDIGO_INSTALL_PATH_PREFIX)$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - 
"$(DEVELOPER_DIR)/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/usr/local/lib", - ); - MACH_O_TYPE = mh_execute; + MTL_ENABLE_DEBUG_INFO = YES; ONLY_ACTIVE_ARCH = YES; - "OTHER_LDFLAGS[sdk=iphoneos*]" = ( - "$(inherited)", - "-framework", - MobileKeyBag, - ); + OTHER_CFLAGS = ""; + OTHER_LDFLAGS = ""; PRODUCT_NAME = "$(TARGET_NAME)"; - PROVISIONING_PROFILE = ""; - VALID_ARCHS = "armv6 armv7 x86_64"; - WRAPPER_EXTENSION = bundle; }; name = Debug; }; - CD63ACE51A8061FA001B5671 /* Release */ = { + EBE011D51C21357200CB6A63 /* Release */ = { isa = XCBuildConfiguration; - baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - CODE_SIGN_ENTITLEMENTS = IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist; - CODE_SIGN_IDENTITY = "-"; - COMBINE_HIDPI_IMAGES = YES; - COPY_PHASE_STRIP = YES; + COPY_PHASE_STRIP = NO; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; - FRAMEWORK_SEARCH_PATHS = ( - "$(inherited)", - "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", - ); + ENABLE_NS_ASSERTIONS = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; GCC_C_LANGUAGE_STANDARD = gnu99; - GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; 
GCC_WARN_UNUSED_VARIABLE = YES; - INFOPLIST_FILE = "IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist"; - INSTALL_PATH = "$(INDIGO_INSTALL_PATH_PREFIX)$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "$(DEVELOPER_DIR)/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/usr/local/lib", - ); - MACH_O_TYPE = mh_execute; - "OTHER_LDFLAGS[sdk=iphoneos*]" = ( - "$(inherited)", - "-framework", - MobileKeyBag, - ); + MTL_ENABLE_DEBUG_INFO = NO; + OTHER_CFLAGS = ""; + OTHER_LDFLAGS = ""; PRODUCT_NAME = "$(TARGET_NAME)"; - PROVISIONING_PROFILE = ""; - VALID_ARCHS = "armv6 armv7 x86_64"; - WRAPPER_EXTENSION = bundle; }; name = Release; }; @@ -7974,15 +7826,6 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - 0C6C642A15D5ADB500BC68CD /* Build configuration list for PBXAggregateTarget "Security_kexts" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 0C6C642B15D5ADB500BC68CD /* Debug */, - 0C6C642C15D5ADB500BC68CD /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; 0CC3352A16C1ED8000399E53 /* Build configuration list for PBXNativeTarget "secdtests" */ = { isa = XCConfigurationList; buildConfigurations = ( @@ -8028,15 +7871,6 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - 182BB599146FE295000BF1F3 /* Build configuration list for PBXAggregateTarget "World" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 182BB59A146FE295000BF1F3 /* Debug */, - 182BB59B146FE295000BF1F3 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; 186F778914E59FB200434E1F /* Build configuration list for PBXAggregateTarget "Security_frameworks" */ = { isa = XCConfigurationList; buildConfigurations = ( 
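Review bot: Both new SecurityTestsOSX configurations in the `@@ -7722` hunk set `OTHER_LDFLAGS = "-t";`, which only makes ld trace every file it loads and looks like a leftover diagnostic; drop it or set `OTHER_LDFLAGS = "";` as the SecurityFeatures configurations do. The two test targets also disagree on `INSTALL_PATH` (`/AppleInternal/CoreOS/tests/Security/` with a trailing slash for SecurityTestsOSX, without it for secbackupntest); pick one form. The secbackupntest and SecurityFeatures configurations hard-code `SDKROOT = macosx.internal;` and `CODE_SIGN_IDENTITY = "-";` per target rather than inheriting them from an xcconfig, which is the pattern the removed trustd.xpc and IDSKeychainSyncingProxy configurations used via `baseConfigurationReference`.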
@@ -8136,15 +7970,6 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - 5214701416977CB800DF0DB3 /* Build configuration list for PBXNativeTarget "CloudKeychainProxy" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 5214701516977CB800DF0DB3 /* Debug */, - 5214701616977CB800DF0DB3 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; 5EF7C2381B00E25400E5E99C /* Build configuration list for PBXNativeTarget "secacltests" */ = { isa = XCConfigurationList; buildConfigurations = ( 
@@ -8154,38 +7979,38 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - 72756C2F175D485D00F52070 /* Build configuration list for PBXNativeTarget "cloud_keychain_diagnose" */ = { + BE48AE1E1ADF1DF4000836C1 /* Build configuration list for PBXNativeTarget "trustd" */ = { isa = XCConfigurationList; buildConfigurations = ( - 72756C07175D485D00F52070 /* Debug */, - 72756C08175D485D00F52070 /* Release */, + BE48AE1F1ADF1DF4000836C1 /* Debug */, + BE48AE201ADF1DF4000836C1 /* Release */, ); defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - BE48AE1E1ADF1DF4000836C1 /* Build configuration list for PBXNativeTarget "trustd" */ = { + D42FA8321C9B8D3D003E46A7 /* Build configuration list for PBXNativeTarget "SecurityTestsOSX" */ = { isa = XCConfigurationList; buildConfigurations = ( - BE48AE1F1ADF1DF4000836C1 /* Debug */, - BE48AE201ADF1DF4000836C1 /* Release */, + D42FA8331C9B8D3D003E46A7 /* Debug */, + D42FA8341C9B8D3D003E46A7 /* Release */, ); defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - BE94B7A11AD83AF700A7216D /* Build configuration list for PBXNativeTarget "trustd.xpc" */ = { + EBB697081BE208FC00715F16 /* Build configuration list for PBXNativeTarget "secbackupntest" */ = { isa = XCConfigurationList; buildConfigurations = ( - BE94B7A21AD83AF700A7216D /* Debug */, - BE94B7A31AD83AF700A7216D /* Release */, + EBB697091BE208FC00715F16 /* Debug */, + EBB6970A1BE208FC00715F16 /* Release */, ); defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - CD63AD101A8061FA001B5671 /* Build configuration list for PBXNativeTarget "IDSKeychainSyncingProxy" */ = { + EBE011FE1C21357200CB6A63 /* Build configuration list for PBXLegacyTarget "SecurityFeatures" */ = { isa = XCConfigurationList; buildConfigurations = ( - CD63ACE41A8061FA001B5671 /* Debug */, - CD63ACE51A8061FA001B5671 /* Release */, + EBE011D41C21357200CB6A63 /* Debug */, + EBE011D51C21357200CB6A63 /* Release */, ); 
defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/World.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/World.xcscheme deleted file mode 100644 index 081a81f4..00000000 --- a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/World.xcscheme +++ /dev/null 
@@ -1,144 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<Scheme - LastUpgradeVersion = "0700" - version = "1.3"> - <BuildAction - parallelizeBuildables = "NO" - buildImplicitDependencies = "YES"> - <BuildActionEntries> - <BuildActionEntry - buildForTesting = "YES" - buildForRunning = "YES" - buildForProfiling = "YES" - buildForArchiving = "YES" - buildForAnalyzing = "YES"> - <BuildableReference - BuildableIdentifier = "primary" - BlueprintIdentifier = "182BB598146FE295000BF1F3" - BuildableName = "World" - BlueprintName = "World" - ReferencedContainer = "container:OSX.xcodeproj"> - </BuildableReference> - </BuildActionEntry> - </BuildActionEntries> - </BuildAction> - <TestAction - buildConfiguration = "Debug" - selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" - selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" - shouldUseLaunchSchemeArgsEnv = "YES"> - <Testables> - </Testables> - <MacroExpansion> - <BuildableReference - BuildableIdentifier = "primary" - BlueprintIdentifier = "0C6C630A15D193C800BC68CD" - BuildableName = "sectests" - BlueprintName = "sectests" - ReferencedContainer = "container:OSX.xcodeproj"> - </BuildableReference> - </MacroExpansion> - <AdditionalOptions> - </AdditionalOptions> - </TestAction> - <LaunchAction - buildConfiguration = "Debug" - selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" - selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" - launchStyle = "0" - useCustomWorkingDirectory = "NO" - ignoresPersistentStateOnLaunch = "NO" - debugDocumentVersioning = "YES" - debugServiceExtension = "internal" - allowLocationSimulation = "YES"> - <BuildableProductRunnable - runnableDebuggingMode = "0"> - <BuildableReference - BuildableIdentifier = "primary" - BlueprintIdentifier = "0C6C630A15D193C800BC68CD" - BuildableName = "sectests" - BlueprintName = "sectests" - ReferencedContainer = "container:OSX.xcodeproj"> - </BuildableReference> - </BuildableProductRunnable> - 
<CommandLineArguments> - <CommandLineArgument - argument = "ssl-42-ciphers" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "kc-30-xara" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "ssl-43-ciphers" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "ssl-44-crashes" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "ssl-45-tls12" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "ssl-46-SSLGetSupportedCiphers" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "ssl-47-falsestart" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "ssl-48-split" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "ssl-51-state" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "ssl-53-clientauth" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "ssl-54-dhe" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "si_33_keychain_backup" - isEnabled = "NO"> - </CommandLineArgument> - <CommandLineArgument - argument = "cms-hash-agility-test" - isEnabled = "NO"> - </CommandLineArgument> - </CommandLineArguments> - <AdditionalOptions> - </AdditionalOptions> - </LaunchAction> - <ProfileAction - buildConfiguration = "Release" - shouldUseLaunchSchemeArgsEnv = "YES" - savedToolIdentifier = "" - useCustomWorkingDirectory = "NO" - debugDocumentVersioning = "YES"> - <MacroExpansion> - <BuildableReference - BuildableIdentifier = "primary" - BlueprintIdentifier = "182BB598146FE295000BF1F3" - BuildableName = "World" - BlueprintName = "World" - ReferencedContainer = "container:OSX.xcodeproj"> - </BuildableReference> - </MacroExpansion> - </ProfileAction> - <AnalyzeAction - buildConfiguration = "Debug"> - </AnalyzeAction> - <ArchiveAction - buildConfiguration = 
"Release" - revealArchiveInOrganizer = "YES"> - </ArchiveAction> -</Scheme> diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/copyHeaders.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/copyHeaders.xcscheme deleted file mode 100644 index cf5e1e5c..00000000 --- a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/copyHeaders.xcscheme +++ /dev/null 
@@ -1,89 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<Scheme - LastUpgradeVersion = "0700" - version = "1.3"> - <BuildAction - parallelizeBuildables = "YES" - buildImplicitDependencies = "YES"> - <BuildActionEntries> - <BuildActionEntry - buildForTesting = "YES" - buildForRunning = "YES" - buildForProfiling = "YES" - buildForArchiving = "YES" - buildForAnalyzing = "YES"> - <BuildableReference - BuildableIdentifier = "primary" - BlueprintIdentifier = "18FE67E91471A3AA00A2CBE3" - BuildableName = "Security.framework" - BlueprintName = "copyHeaders" - ReferencedContainer = "container:OSX.xcodeproj"> - </BuildableReference> - </BuildActionEntry> - </BuildActionEntries> - </BuildAction> - <TestAction - buildConfiguration = "Debug" - selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" - selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" - shouldUseLaunchSchemeArgsEnv = "YES"> - <Testables> - </Testables> - <MacroExpansion> - <BuildableReference - BuildableIdentifier = "primary" - BlueprintIdentifier = "18FE67E91471A3AA00A2CBE3" - BuildableName = "Security.framework" - BlueprintName = "copyHeaders" - ReferencedContainer = "container:OSX.xcodeproj"> - </BuildableReference> - </MacroExpansion> - <AdditionalOptions> - </AdditionalOptions> - </TestAction> - <LaunchAction - buildConfiguration = "Debug" - selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" - selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" - launchStyle = "0" - useCustomWorkingDirectory = "NO" - ignoresPersistentStateOnLaunch = "NO" - debugDocumentVersioning = "YES" - debugServiceExtension = "internal" - allowLocationSimulation = "YES"> - <MacroExpansion> - <BuildableReference - BuildableIdentifier = "primary" - BlueprintIdentifier = "18FE67E91471A3AA00A2CBE3" - BuildableName = "Security.framework" - BlueprintName = "copyHeaders" - ReferencedContainer = "container:OSX.xcodeproj"> - </BuildableReference> - </MacroExpansion> - 
<AdditionalOptions> - </AdditionalOptions> - </LaunchAction> - <ProfileAction - buildConfiguration = "Release" - shouldUseLaunchSchemeArgsEnv = "YES" - savedToolIdentifier = "" - useCustomWorkingDirectory = "NO" - debugDocumentVersioning = "YES"> - <MacroExpansion> - <BuildableReference - BuildableIdentifier = "primary" - BlueprintIdentifier = "18FE67E91471A3AA00A2CBE3" - BuildableName = "Security.framework" - BlueprintName = "copyHeaders" - ReferencedContainer = "container:OSX.xcodeproj"> - </BuildableReference> - </MacroExpansion> - </ProfileAction> - <AnalyzeAction - buildConfiguration = "Debug"> - </AnalyzeAction> - <ArchiveAction - buildConfiguration = "Release" - revealArchiveInOrganizer = "YES"> - </ArchiveAction> -</Scheme> diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - World.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - World.xcscheme new file mode 100644 index 00000000..09f31817 --- /dev/null +++ b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - World.xcscheme 
@@ -0,0 +1,323 @@ +<?xml version="1.0" encoding="UTF-8"?> +<Scheme + LastUpgradeVersion = "0800" + version = "1.3"> + <BuildAction + parallelizeBuildables = "NO" + buildImplicitDependencies = "NO"> + <BuildActionEntries> + <BuildActionEntry + buildForTesting = "YES" + buildForRunning = "YES" + buildForProfiling = "YES" + buildForArchiving = "YES" + buildForAnalyzing = "YES"> + <BuildableReference + BuildableIdentifier = "primary" + BlueprintIdentifier = "E74584661BF68EBA001B54A4" + BuildableName = "osx" + BlueprintName = "osx" + ReferencedContainer = "container:../Security.xcodeproj"> + </BuildableReference> + </BuildActionEntry> + </BuildActionEntries> + </BuildAction> + <TestAction + buildConfiguration = "Debug" + selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" + selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" + shouldUseLaunchSchemeArgsEnv = "YES"> + <Testables> + <TestableReference + skipped = "NO"> + <BuildableReference + BuildableIdentifier = "primary" + BlueprintIdentifier = "E7D847CD1C6BE9720025BB44" + BuildableName = "KeychainCircleTests.xctest" + BlueprintName = "KeychainCircleTests" + ReferencedContainer = "container:../Security.xcodeproj"> + </BuildableReference> + </TestableReference> + </Testables> + <MacroExpansion> + <BuildableReference + BuildableIdentifier = "primary" + BlueprintIdentifier = "D42FA8231C9B8D3C003E46A7" + BuildableName = "SecurityTestsOSX.app" + BlueprintName = "SecurityTestsOSX" + ReferencedContainer = "container:OSX.xcodeproj"> + </BuildableReference> + </MacroExpansion> + <AdditionalOptions> + </AdditionalOptions> + </TestAction> + <LaunchAction + buildConfiguration = "Debug" + selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" + selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" + debugAsWhichUser = "root" + launchStyle = "0" + useCustomWorkingDirectory = "NO" + ignoresPersistentStateOnLaunch = "NO" + debugDocumentVersioning = "NO" + 
debugServiceExtension = "internal" + allowLocationSimulation = "YES"> + <BuildableProductRunnable + runnableDebuggingMode = "0"> + <BuildableReference + BuildableIdentifier = "primary" + BlueprintIdentifier = "D42FA8231C9B8D3C003E46A7" + BuildableName = "SecurityTestsOSX.app" + BlueprintName = "SecurityTestsOSX" + ReferencedContainer = "container:OSX.xcodeproj"> + </BuildableReference> + </BuildableProductRunnable> + <CommandLineArguments> + <CommandLineArgument + argument = "ssl-42-ciphers" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "kc-05-find-existing-items-locked" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "kc-20-item-find-stress" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "kc-20-key-find-stress" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "kc-20-identity-find-stress" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "kc-30-xara" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-43-ciphers" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-44-crashes" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-45-tls12" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-46-SSLGetSupportedCiphers" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-47-falsestart" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-48-split" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-51-state" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-53-clientauth" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-54-dhe" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument 
= "ssl-55-sessioncache" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "ssl-56-renegotiate" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "cms_01_basic" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "cms_hash_agility_test" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "cms_trust_settings_test" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "smime_cms_test" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "smime_cms_test" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "bc_10_password" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "kc_40_seckey" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "kc_41_sececkey" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "kc_42_trust_revocation" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "kc_43_seckey_interop" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_15_certificate" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_16_ec_certificate" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_20_sectrust" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_20_sectrust_policies" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_21_sectrust_asr" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_22_sectrust_iap" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_23_sectrust_ocsp" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_24_sectrust_itms" + isEnabled = "NO"> + </CommandLineArgument> + 
<CommandLineArgument + argument = "si_24_sectrust_nist" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_24_sectrust_diginotar" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_24_sectrust_digicert_malaysia" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_24_sectrust_passbook" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_26_sectrust_copyproperties" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_27_sectrust_exceptions" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_28_sectrustsettings" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_44_seckey_gen" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_44_seckey_rsa" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_44_seckey_ec" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_44_seckey_ies" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_67_sectrust_blacklist" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_70_sectrust_unified" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_71_mobile_store_policy" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_74_OTA_PKI_Signer" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_82_seccertificate_ct" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_82_sectrust_ct" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_83_seccertificate_sighashalg" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "si_85_sectrust_ssl_policy" + isEnabled = "NO"> + 
</CommandLineArgument> + <CommandLineArgument + argument = "si_87_sectrust_name_constraints" + isEnabled = "NO"> + </CommandLineArgument> + </CommandLineArguments> + <AdditionalOptions> + </AdditionalOptions> + </LaunchAction> + <ProfileAction + buildConfiguration = "Release" + shouldUseLaunchSchemeArgsEnv = "YES" + savedToolIdentifier = "" + useCustomWorkingDirectory = "NO" + debugDocumentVersioning = "YES"> + <MacroExpansion> + <BuildableReference + BuildableIdentifier = "primary" + BlueprintIdentifier = "E74584661BF68EBA001B54A4" + BuildableName = "osx" + BlueprintName = "osx" + ReferencedContainer = "container:../Security.xcodeproj"> + </BuildableReference> + </MacroExpansion> + </ProfileAction> + <AnalyzeAction + buildConfiguration = "Debug"> + </AnalyzeAction> + <ArchiveAction + buildConfiguration = "Release" + revealArchiveInOrganizer = "YES"> + </ArchiveAction> +</Scheme> diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/secdtests.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - secdtests.xcscheme similarity index 81% rename from OSX/OSX.xcodeproj/xcshareddata/xcschemes/secdtests.xcscheme rename to OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - secdtests.xcscheme index f92e458a..3173d32d 100644 --- a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/secdtests.xcscheme +++ b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - secdtests.xcscheme 
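Review bot: The new shared scheme sets `debugAsWhichUser = "root"` on its LaunchAction, so every developer who runs SecurityTestsOSX from this scheme launches it with root privileges; if only a subset of the tests needs that, note which ones in the scheme or keep the elevated launch out of the shared scheme. The `<CommandLineArguments>` list also contains `argument = "smime_cms_test"` twice in consecutive entries, which is harmless while both are `isEnabled = "NO"` but should be reduced to one entry. `buildImplicitDependencies = "NO"` differs from the deleted World.xcscheme it replaces, which had `YES`; if that is intentional it is worth a mention since the scheme now builds the `osx` target from a different container.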
@@ -1,24 +1,23 @@ <?xml version="1.0" encoding="UTF-8"?> <Scheme - LastUpgradeVersion = "0700" + LastUpgradeVersion = "0800" version = "1.3"> <BuildAction parallelizeBuildables = "NO" - buildImplicitDependencies = "YES"> + buildImplicitDependencies = "NO"> <BuildActionEntries> <BuildActionEntry buildForTesting = "YES" buildForRunning = "YES" buildForProfiling = "YES" buildForArchiving = "YES" - buildForAnalyzing = "YES" - hideIssues = "NO"> + buildForAnalyzing = "YES"> <BuildableReference BuildableIdentifier = "primary" - BlueprintIdentifier = "182BB598146FE295000BF1F3" - BuildableName = "World" - BlueprintName = "World" - ReferencedContainer = "container:OSX.xcodeproj"> + BlueprintIdentifier = "E74584661BF68EBA001B54A4" + BuildableName = "osx" + BlueprintName = "osx" + ReferencedContainer = "container:../Security.xcodeproj"> </BuildableReference> </BuildActionEntry> <BuildActionEntry @@ -26,8 +25,7 @@ buildForRunning = "YES" buildForProfiling = "YES" buildForArchiving = "YES" - buildForAnalyzing = "YES" - hideIssues = "NO"> + buildForAnalyzing = "YES"> <BuildableReference BuildableIdentifier = "primary" BlueprintIdentifier = "0CC3350716C1ED8000399E53" @@ -83,7 +81,23 @@ isEnabled = "NO"> </CommandLineArgument> <CommandLineArgument - argument = "secd_60_account_cloud_exposure" + argument = "secd_130_other_peer_views" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "secd_100_initialsync" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "secd_77_ids_messaging" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "secd_62_account_backup" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "secd_200_logstate" isEnabled = "NO"> </CommandLineArgument> <CommandLineArgument 
@@ -163,13 +177,17 @@ isEnabled = "NO"> </CommandLineArgument> <CommandLineArgument - argument = "secd-52-account-changed" + argument = "secd-52-offering_gencount_reset" isEnabled = "NO"> </CommandLineArgument> <CommandLineArgument argument = "secd_55_account_circle" isEnabled = "NO"> </CommandLineArgument> + <CommandLineArgument + argument = "secd_56_account_apply" + isEnabled = "NO"> + </CommandLineArgument> <CommandLineArgument argument = "secd_57_account_leave" isEnabled = "NO"> @@ -198,18 +216,27 @@ argument = "secd_70_engine_corrupt" isEnabled = "NO"> </CommandLineArgument> + <CommandLineArgument + argument = "secd_83_item_match_policy" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "secd_83_item_match_valid_on_date" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "secd_83_item_match_trusted" + isEnabled = "NO"> + </CommandLineArgument> + <CommandLineArgument + argument = "secd_90_hsa2" + isEnabled = "NO"> + </CommandLineArgument> <CommandLineArgument argument = "-v" isEnabled = "NO"> </CommandLineArgument> </CommandLineArguments> - <EnvironmentVariables> - <EnvironmentVariable - key = "DEBUGSCOPE" - value = "signing" - isEnabled = "YES"> - </EnvironmentVariable> - </EnvironmentVariables> <AdditionalOptions> </AdditionalOptions> </LaunchAction> diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/sectests.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - sectests.xcscheme similarity index 82% rename from OSX/OSX.xcodeproj/xcshareddata/xcschemes/sectests.xcscheme rename to OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - sectests.xcscheme index cf04ed9c..1b9c7b70 100644 --- a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/sectests.xcscheme +++ b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/osx - sectests.xcscheme 
@@ -1,11 +1,25 @@ <?xml version="1.0" encoding="UTF-8"?> <Scheme - LastUpgradeVersion = "0700" + LastUpgradeVersion = "0800" version = "1.3"> <BuildAction - parallelizeBuildables = "YES" - buildImplicitDependencies = "YES"> + parallelizeBuildables = "NO" + buildImplicitDependencies = "NO"> <BuildActionEntries> + <BuildActionEntry + buildForTesting = "YES" + buildForRunning = "YES" + buildForProfiling = "YES" + buildForArchiving = "YES" + buildForAnalyzing = "YES"> + <BuildableReference + BuildableIdentifier = "primary" + BlueprintIdentifier = "1807384A146D0D4E00F05C24" + BuildableName = "Security.framework" + BlueprintName = "Security" + ReferencedContainer = "container:OSX.xcodeproj"> + </BuildableReference> + </BuildActionEntry> <BuildActionEntry buildForTesting = "YES" buildForRunning = "YES" diff --git a/OSX/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist b/OSX/SecurityTestsOSX/Info.plist similarity index 58% rename from OSX/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist rename to OSX/SecurityTestsOSX/Info.plist index 07887652..d872f1eb 100644 --- a/OSX/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist +++ b/OSX/SecurityTestsOSX/Info.plist 
@@ -2,31 +2,31 @@ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> - <key>Application-Group</key> - <array> - <string>InternetAccounts</string> - </array> <key>CFBundleDevelopmentRegion</key> - <string>English</string> + <string>en</string> <key>CFBundleExecutable</key> - <string>${EXECUTABLE_NAME}</string> + <string>$(EXECUTABLE_NAME)</string> <key>CFBundleIconFile</key> <string></string> <key>CFBundleIdentifier</key> - <string>com.apple.security.idskeychainsyncingproxy</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> - <string>${PRODUCT_NAME}</string> + <string>$(PRODUCT_NAME)</string> <key>CFBundlePackageType</key> - <string>BNDL</string> + <string>APPL</string> <key>CFBundleShortVersionString</key> <string>1.0</string> <key>CFBundleSignature</key> <string>????</string> <key>CFBundleVersion</key> - <string>${CURRENT_PROJECT_VERSION}</string> - <key>NSHumanReadableCopyright</key> - <string>Copyright © 2013 Apple, Inc. All rights reserved.</string> + <string>1</string> + <key>LSMinimumSystemVersion</key> + <string>$(MACOSX_DEPLOYMENT_TARGET)</string> + <key>NSMainNibFile</key> + <string>MainMenu</string> + <key>NSPrincipalClass</key> + <string>NSApplication</string> </dict> </plist> diff --git a/OSX/SecurityTestsOSX/SecurityTests-Entitlements.plist b/OSX/SecurityTestsOSX/SecurityTests-Entitlements.plist new file mode 100644 index 00000000..f1509978 --- /dev/null +++ b/OSX/SecurityTestsOSX/SecurityTests-Entitlements.plist 
@@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>keychain-cloud-circle</key> + <true/> + <key>com.apple.keystore.access-keychain-keys</key> + <true/> + <key>com.apple.keystore.device</key> + <true/> + <key>restore-keychain</key> + <true/> + <key>migrate-keychain</key> + <true/> + <key>com.apple.private.system-keychain</key> + <true/> + <key>modify-anchor-certificates</key> + <true/> + <key>com.apple.springboard.wipedevice</key> + <true/> + <key>application-identifier</key> + <string>com.apple.security.regressions</string> + <key>com.apple.private.uninstall.deletion</key> + <true/> + <key>keychain-access-groups</key> + <array> + <string>com.apple.security.regressions</string> + <string>lockdown-identities</string> + <string>apple</string> + <string>com.apple.security.sos</string> + <string>123456.test.group</string> + <string>123456.test.group2</string> + </array> + <key>com.apple.private.ubiquity-kvstore-access</key> + <array> + <string>com.apple.securityd</string> + </array> + <key>com.apple.developer.ubiquity-kvstore-identifier</key> + <string>com.apple.security.cloudkeychainproxy3</string> + <key>com.apple.developer.ubiquity-container-identifiers</key> + <array> + <string>com.apple.security.cloudkeychainproxy3</string> + <string>com.apple.security.cloudkeychain</string> + <string>CloudKeychainProxy.xpc</string> + </array> +</dict> +</plist> diff --git a/OSX/SecurityTestsOSX/main.m b/OSX/SecurityTestsOSX/main.m new file mode 100644 index 00000000..223fb6c9 --- /dev/null +++ b/OSX/SecurityTestsOSX/main.m 
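Review bot: The new entitlements file grants the regression-test bundle a broad set of private entitlements (`modify-anchor-certificates`, `restore-keychain`, `migrate-keychain`, `com.apple.private.system-keychain`, `com.apple.springboard.wipedevice`) with nothing recording which test group needs each one. An XML comment per entry, e.g. `<!-- required by <test group> -->`, would let the list be pruned when tests move or are removed instead of the grants accumulating. The keychain-access-groups and ubiquity identifiers are self-explanatory and need no comment.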
@@ -0,0 +1,47 @@ +/* + * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#include <stdio.h> +#include <unistd.h> + +#include "test/testenv.h" + +#include "testlist.h" +#include <test/testlist_begin.h> +#include "testlist.h" +#include <test/testlist_end.h> + +int main(int argc, char *argv[]) +{ + //printf("Build date : %s %s\n", __DATE__, __TIME__); + + int result = tests_begin(argc, argv); + + fflush(stdout); + fflush(stderr); + + sleep(1); + + return result; +} diff --git a/OSX/SecurityTestsOSX/testlist.h b/OSX/SecurityTestsOSX/testlist.h new file mode 100644 index 00000000..5e7364ea --- /dev/null +++ b/OSX/SecurityTestsOSX/testlist.h 
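Review bot: `sleep(1)` at the end of `main` has no comment saying why the process waits a second after flushing stdout/stderr before returning the test result; a one-line reason such as `// give asynchronous log consumers a moment to drain before exit` (if that is the intent) keeps a later cleanup from deleting it as dead time. The commented-out `//printf("Build date : ...")` line is dead code in a brand-new file and should be dropped. Including `testlist.h` twice around `testlist_begin.h`/`testlist_end.h` appears deliberate (testlist.h explicitly allows multiple inclusion), but it looks like a mistake at first sight and deserves a short comment at the include site.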
@@ -0,0 +1,7 @@ +/* Don't prevent multiple inclusion of this file. */ +#include <libsecurity_ssl/regressions/ssl_regressions.h> +#include <libsecurity_keychain/regressions/keychain_regressions.h> +#include <Breadcrumb/breadcrumb_regressions.h> +#include <libsecurity_smime/regressions/smime_regressions.h> +#include <libsecurity_cms/regressions/cms_regressions.h> +#include <shared_regressions/shared_regressions.h> diff --git a/OSX/authd/Info.plist b/OSX/authd/Info.plist index 0573db37..171006a9 100644 --- a/OSX/authd/Info.plist +++ b/OSX/authd/Info.plist @@ -7,7 +7,7 @@ <key>CFBundleExecutable</key> <string>${EXECUTABLE_NAME}</string> <key>CFBundleIdentifier</key> - <string>com.apple.${PRODUCT_NAME:rfc1034identifier}</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> diff --git a/OSX/authd/agent.c b/OSX/authd/agent.c index 653734e6..3ca68d34 100644 --- a/OSX/authd/agent.c +++ b/OSX/authd/agent.c @@ -130,7 +130,7 @@ agent_create(engine_t engine, mechanism_t mech, auth_token_t auth, process_t pro agent->actionQueue = dispatch_queue_create("Agent Action Queue", 0); if (!mechanism_is_privileged(mech)) { - if (auid != AU_DEFAUDITID) { + if (auid != AU_DEFAUDITID && audit_info->auid != AU_DEFAUDITID) { // User => regular user-level SecurityAgent agent->agentConnection = xpc_connection_create_mach_service(SECURITYAGENT_BOOTSTRAP_NAME_BASE, NULL, 0); xpc_connection_set_target_uid(agent->agentConnection, auid); diff --git a/OSX/authd/authdb.c b/OSX/authd/authdb.c index 535a7ae0..fcf6160d 100644 --- a/OSX/authd/authdb.c +++ b/OSX/authd/authdb.c @@ -106,6 +106,8 @@ static const char * const authdb_upgrade_sql[] = { "INSERT INTO config VALUES('version', "AUTHDB_VERSION_STRING");" }; +static sqlite3 * _create_handle(authdb_t db); + static int32_t _sqlite3_exec(sqlite3 * handle, const char * query) { 
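Review bot: The new condition `auid != AU_DEFAUDITID && audit_info->auid != AU_DEFAUDITID` in agent.c compares two audit ids whose relationship is not visible in the hunk, and the branch decides whether the SecurityAgent connection is targeted at a user via `xpc_connection_set_target_uid(agent->agentConnection, auid)`, so why both must be non-default deserves a comment, e.g. `// a per-user SecurityAgent is only targeted when neither audit id is the default`. Where `audit_info` is assigned is outside the hunk; if it can be NULL at this point the dereference needs a guard. The rest of `agent_create` is outside the hunk.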
@@ -272,9 +274,13 @@ static void _handle_corrupt_db(authdb_connection_t dbconn) } else { LOGE("Tried to copy corrupt database at path %s, but we failed with SQLite error %i.", dbconn->db->db_path, rc); } - sqlite3_close(corrupt_db); } - + + // SQLite documentation says: + // Whether or not an error occurs when it is opened, resources associated with the database connection handle should be released by passing it to sqlite3_close() when it is no longer required. + if (corrupt_db) + sqlite3_close(corrupt_db); + _truncate_db(dbconn); } @@ -285,7 +291,7 @@ static int32_t _db_maintenance(authdb_connection_t dbconn) authdb_transaction(dbconn, AuthDBTransactionNormal, ^bool(void) { - authdb_get_key_value(dbconn, "config", &config); + authdb_get_key_value(dbconn, "config", true, &config); // We don't have a config table if (NULL == config) { @@ -293,7 +299,7 @@ static int32_t _db_maintenance(authdb_connection_t dbconn) s3e = _db_upgrade_from_version(dbconn, 0); require_noerr_action(s3e, done, LOGE("authdb: failed to initialize database %i", s3e)); - s3e = authdb_get_key_value(dbconn, "config", &config); + s3e = authdb_get_key_value(dbconn, "config", true, &config); require_noerr_action(s3e, done, LOGE("authdb: failed to get config %i", s3e)); } 
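Review bot: The `if (corrupt_db)` guard in front of `sqlite3_close(corrupt_db)` is unnecessary: SQLite documents calling `sqlite3_close()` with a NULL pointer as a harmless no-op, so `sqlite3_close(corrupt_db);` can stand alone and the doc quote in the comment still applies. The new explanatory comment is a single very long line; wrapping it at the file's usual width keeps the diff readable. `_handle_corrupt_db` begins outside the hunk.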
@@ -346,13 +352,17 @@ static bool _is_busy(int32_t rc) return SQLITE_BUSY == rc || SQLITE_LOCKED == rc; } -static void _checkResult(authdb_connection_t dbconn, int32_t rc, const char * fn_name, sqlite3_stmt * stmt) +static void _checkResult(authdb_connection_t dbconn, int32_t rc, const char * fn_name, sqlite3_stmt * stmt, const bool skip_maintenance) { bool isCorrupt = (SQLITE_CORRUPT == rc) || (SQLITE_NOTADB == rc) || (SQLITE_IOERR == rc); if (isCorrupt) { + if (skip_maintenance) { + LOGV("authdb: corrupted db, skipping maintenance %s %s", fn_name, sqlite3_errmsg(dbconn->handle)); + } else { _handle_corrupt_db(dbconn); authdb_maintenance(dbconn); + } } else if (SQLITE_CONSTRAINT == rc || SQLITE_READONLY == rc) { if (stmt) { LOGV("authdb: %s %s for %s", fn_name, sqlite3_errmsg(dbconn->handle), sqlite3_sql(stmt)); @@ -457,7 +467,7 @@ authdb_connection_t authdb_connection_acquire(authdb_t db) void authdb_connection_release(authdb_connection_t * dbconn) { - if (!dbconn || !(*dbconn)) + if (!(*dbconn)) return; authdb_connection_t tmp = *dbconn; @@ -479,6 +489,9 @@ static bool _db_check_corrupted(authdb_connection_t dbconn) bool isCorrupted = true; sqlite3_stmt *stmt = NULL; int32_t rc; + + if (!dbconn->handle) + return true; rc = sqlite3_prepare_v2(dbconn->handle, "PRAGMA integrity_check;", -1, &stmt, NULL); if (rc == SQLITE_LOCKED || rc == SQLITE_BUSY) { 
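Review bot: `authdb_connection_release` drops the `!dbconn` test and now dereferences the pointer unconditionally, but unlike the other NULL-check removals in this commit (authitems.c, authtoken.c) it adds no `assert(dbconn); // marked non-null` line, and the authdb.h hunk in this diff does not show a non-null attribute for this function; add the assert, or keep the check, so the contract is stated somewhere. In `_db_check_corrupted` the new `if (!dbconn->handle) return true;` reports a missing handle as corruption, which callers then treat with `_handle_corrupt_db`; if that is intended (authdb_maintenance later recreates the handle), a comment such as `// no handle: treat as corrupt so maintenance reopens the database` would make it explicit. `_checkResult` and `_db_check_corrupted` continue outside the hunks.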
@@ -517,13 +530,19 @@ bool authdb_maintenance(authdb_connection_t dbconn) _handle_corrupt_db(dbconn); } - _db_maintenance(dbconn); - - rc = authdb_get_key_value(dbconn, "config", &config); - require_noerr_action(rc, done, LOGV("authdb: maintenance failed %i", rc)); - + if (dbconn->handle == NULL) { + dbconn->handle = _create_handle(dbconn->db); + } + + require_action(dbconn->handle, done, LOGE("authdb: maintenance cannot open database")); + + _db_maintenance(dbconn); + + rc = authdb_get_key_value(dbconn, "config", true, &config); + require_noerr_action(rc, done, LOGV("authdb: maintenance failed %i", rc)); + _db_load_data(dbconn, config); - + done: CFReleaseSafe(config); LOGD("authdb: finished maintenance"); @@ -537,13 +556,13 @@ authdb_exec(authdb_connection_t dbconn, const char * query) require(query != NULL, done); rc = _sqlite3_exec(dbconn->handle, query); - _checkResult(dbconn, rc, __FUNCTION__, NULL); + _checkResult(dbconn, rc, __FUNCTION__, NULL, false); done: return rc; } -static int32_t _prepare(authdb_connection_t dbconn, const char * sql, sqlite3_stmt ** out_stmt) +static int32_t _prepare(authdb_connection_t dbconn, const char * sql, const bool skip_maintenance, sqlite3_stmt ** out_stmt) { int32_t rc; sqlite3_stmt * stmt = NULL; @@ -557,7 +576,7 @@ static int32_t _prepare(authdb_connection_t dbconn, const char * sql, sqlite3_st *out_stmt = stmt; done: - _checkResult(dbconn, rc, __FUNCTION__, stmt); + _checkResult(dbconn, rc, __FUNCTION__, stmt, skip_maintenance); return rc; } @@ -629,7 +648,7 @@ static int32_t _bindItemsAtIndex(sqlite3_stmt * stmt, int col, auth_items_t item return rc; } -int32_t authdb_get_key_value(authdb_connection_t dbconn, const char * table, auth_items_t * out_items) +int32_t authdb_get_key_value(authdb_connection_t dbconn, const char * table, const bool skip_maintenance, auth_items_t * out_items) { int32_t rc = SQLITE_ERROR; char * query = NULL; 
@@ -641,7 +660,7 @@ int32_t authdb_get_key_value(authdb_connection_t dbconn, const char * table, aut asprintf(&query, "SELECT * FROM %s", table); - rc = _prepare(dbconn, query, &stmt); + rc = _prepare(dbconn, query, skip_maintenance, &stmt); require_noerr(rc, done); items = auth_items_create(); @@ -651,7 +670,7 @@ int32_t authdb_get_key_value(authdb_connection_t dbconn, const char * table, aut _parseItemsAtIndex(stmt, 1, items, (const char*)sqlite3_column_text(stmt, 0)); break; default: - _checkResult(dbconn, rc, __FUNCTION__, stmt); + _checkResult(dbconn, rc, __FUNCTION__, stmt, skip_maintenance); if (_is_busy(rc)) { sleep(AUTHDB_BUSY_DELAY); } else { @@ -683,19 +702,19 @@ int32_t authdb_set_key_value(authdb_connection_t dbconn, const char * table, aut asprintf(&query, "INSERT OR REPLACE INTO %s VALUES (?,?)", table); - rc = _prepare(dbconn, query, &stmt); + rc = _prepare(dbconn, query, false, &stmt); require_noerr(rc, done); auth_items_iterate(items, ^bool(const char *key) { sqlite3_reset(stmt); - _checkResult(dbconn, rc, __FUNCTION__, stmt); + _checkResult(dbconn, rc, __FUNCTION__, stmt, false); sqlite3_bind_text(stmt, 1, key, -1, NULL); _bindItemsAtIndex(stmt, 2, items, key); rc = sqlite3_step(stmt); if (rc != SQLITE_DONE) { - _checkResult(dbconn, rc, __FUNCTION__, stmt); + _checkResult(dbconn, rc, __FUNCTION__, stmt, false); LOGV("authdb: set_key_value, step (%i) %s", rc, sqlite3_errmsg(dbconn->handle)); } @@ -770,7 +789,7 @@ bool authdb_step(authdb_connection_t dbconn, const char * sql, void (^bind_stmt) require_action(sql != NULL, done, rc = SQLITE_ERROR); - rc = _prepare(dbconn, sql, &stmt); + rc = _prepare(dbconn, sql, false, &stmt); require_noerr(rc, done); if (bind_stmt) { @@ -810,7 +829,7 @@ bool authdb_step(authdb_connection_t dbconn, const char * sql, void (^bind_stmt) } done: - _checkResult(dbconn, rc, __FUNCTION__, stmt); + _checkResult(dbconn, rc, __FUNCTION__, stmt, false); sqlite3_finalize(stmt); return rc == SQLITE_DONE; } 
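Review bot: The updated `rc = _prepare(dbconn, query, skip_maintenance, &stmt);` in `authdb_get_key_value` (and the same shape in `authdb_set_key_value` below it) passes `query` straight from `asprintf`, whose return value is not checked, so on allocation failure `_prepare` receives NULL; a `require_action(query != NULL, done, rc = SQLITE_NOMEM);` between the two lines closes that. The `%s` interpolation of `table` into the SQL text is only safe because every caller visible in this diff passes a literal (`"config"`); a one-line comment on both functions saying `table` must be a compile-time constant and never request-derived would make that requirement explicit for future callers. Both functions begin and end outside the hunks.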
@@ -1006,15 +1025,27 @@ static sqlite3 * _create_handle(authdb_t db) int32_t rc = sqlite3_open_v2(db->db_path, &handle, SQLITE_OPEN_READWRITE, NULL); if (rc != SQLITE_OK) { + LOGE("authdb: open %s (%i) %s", db->db_path, rc, handle ? sqlite3_errmsg(handle) : "no memory for handle"); + if (handle) { + sqlite3_close(handle); + } char * tmp = dirname(db->db_path); if (tmp) { mkpath_np(tmp, 0700); - } - rc = sqlite3_open_v2(db->db_path, &handle, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL); - dbcreated = true; - } - require_noerr_action(rc, done, LOGE("authdb: open %s (%i) %s", db->db_path, rc, sqlite3_errmsg(handle))); - + } + rc = sqlite3_open_v2(db->db_path, &handle, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL); + dbcreated = true; + + if (rc != SQLITE_OK) { + LOGE("authdb: create %s (%i) %s", db->db_path, rc, handle ? sqlite3_errmsg(handle) : "no memory for handle"); + if (handle) { + sqlite3_close(handle); + handle = NULL; + } + goto done; + } + } + if (_sql_profile_enabled()) { sqlite3_profile(handle, _profile, NULL); } diff --git a/OSX/authd/authdb.h b/OSX/authd/authdb.h index abe29998..6e5f6b64 100644 --- a/OSX/authd/authdb.h +++ b/OSX/authd/authdb.h @@ -48,7 +48,7 @@ AUTH_NONNULL1 AUTH_NONNULL2 AUTH_NONNULL3 bool authdb_step(authdb_connection_t, const char * sql, void (^bind_stmt)(sqlite3_stmt* stmt), authdb_iterator_t iter); AUTH_NONNULL_ALL -int32_t authdb_get_key_value(authdb_connection_t, const char * table, auth_items_t * out_items); +int32_t authdb_get_key_value(authdb_connection_t, const char * table, const bool skip_maintenance, auth_items_t * out_items); AUTH_NONNULL_ALL int32_t authdb_set_key_value(authdb_connection_t, const char * table, auth_items_t items); diff --git a/OSX/authd/authitems.c b/OSX/authd/authitems.c index a27aa355..4bfe9c9a 100644 --- a/OSX/authd/authitems.c +++ b/OSX/authd/authitems.c 
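Review bot: The retry path in `_create_handle` still goes on to `mkpath_np` and `sqlite3_open_v2(..., SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE, NULL)` for every failure of the first open, not only when the file is missing, so a database that exists but cannot be opened (locked, wrong permissions, I/O error) is replaced by a freshly created empty one and `dbcreated` is set; gating the create branch on `rc == SQLITE_CANTOPEN` would confine it to the missing-file case. The added log line plus `sqlite3_close(handle)` before the retry is the right cleanup, and `sqlite3_open_v2` rewrites `*ppDb`, so not resetting `handle` between the close and the second open is fine. The result of `mkpath_np(tmp, 0700)` is discarded; the second open will fail anyway if it failed, but logging it would show the real cause. The function continues outside the hunk, including the `done:` label and what is returned when `handle` is NULL.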
@@ -489,6 +489,10 @@ auth_items_get_flags(auth_items_t items, const char *key) bool auth_items_check_flags(auth_items_t items, const char *key, uint32_t flags) { + // When several bits are set in uint32_t flags, "(current & flags) != 0" checks if ANY flag is set, not all flags! + // This odd behavior is currently being relied upon in several places, so be careful when changing / fixing this. + // However, this also risks unwanted information leakage in + // AuthorizationCopyInfo ==> authorization_copy_info ==> [all info] auth_items_copy_with_flags uint32_t current = auth_items_get_flags(items,key); return flags ? (current & flags) != 0 : current == 0; } @@ -601,18 +605,18 @@ done: void auth_items_set_string(auth_items_t items, const char *key, const char *value) { - if (value) { - size_t valLen = strlen(value); - auth_item_t item = _find_item(items,key); - if (item && item->type == AI_TYPE_STRING && valLen < item->bufLen) { - memcpy(item->data.value, value, valLen+1); // copy null - item->data.valueLength = valLen; - } else { - item = auth_item_create(AI_TYPE_STRING, key, value, valLen, 0); - if (item) { - CFDictionarySetValue(items->dictionary, auth_item_get_cf_key(item), item); - CFReleaseSafe(item); - } + assert(value); // marked non-null + + size_t valLen = strlen(value); + auth_item_t item = _find_item(items,key); + if (item && item->type == AI_TYPE_STRING && valLen < item->bufLen) { + memcpy(item->data.value, value, valLen+1); // copy null + item->data.valueLength = valLen; + } else { + item = auth_item_create(AI_TYPE_STRING, key, value, valLen, 0); + if (item) { + CFDictionarySetValue(items->dictionary, auth_item_get_cf_key(item), item); + CFReleaseSafe(item); } } } 
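Review bot: `assert(value); // marked non-null` in `auth_items_set_string` replaces a runtime `if (value)` guard, and `assert` is compiled out under `NDEBUG`, so in a release build a caller that still passes NULL now reaches `strlen(value)` instead of being ignored; the non-null attribute only catches literal NULLs at compile time, not pointers computed at run time. The same substitution appears in `auth_items_set_data` and `auth_items_get_data` (L419), `auth_token_get_uid`/`auth_token_get_pid` (L422) and `auth_token_is_creator` (L423). If the intent is to fail loudly on a contract violation in all builds, a check that survives `NDEBUG` is needed; if the old lenient behaviour is wanted, keep the guards. The new comment on `auth_items_check_flags` correctly records the any-vs-all semantics and the leakage concern; since `auth_items_get_data_with_flags` (L419) uses all-bits semantics, one sentence contrasting the two would help readers of either.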
@@ -637,7 +641,9 @@ auth_items_get_string(auth_items_t items, const char *key) void auth_items_set_data(auth_items_t items, const char *key, const void *value, size_t len) { - if (value && len) { + assert(value); // marked non-null + + if (len) { auth_item_t item = _find_item(items,key); if (item && item->type == AI_TYPE_DATA && len <= item->bufLen) { memcpy(item->data.value, value, len); @@ -655,6 +661,8 @@ auth_items_set_data(auth_items_t items, const char *key, const void *value, size const void * auth_items_get_data(auth_items_t items, const char *key, size_t *len) { + assert(len); // marked non-null + auth_item_t item = _find_item(items,key); if (item) { #if DEBUG @@ -663,15 +671,34 @@ auth_items_get_data(auth_items_t items, const char *key, size_t *len) item->data.name, item->type, AI_TYPE_DATA); } #endif - if (len) { - *len = item->data.valueLength; - } + *len = item->data.valueLength; return item->data.value; } return NULL; } +const void * +auth_items_get_data_with_flags(auth_items_t items, const char *key, size_t *len, uint32_t flags) +{ + assert(len); // marked non-null + + auth_item_t item = _find_item(items,key); + if (item && (item->data.flags & flags) == flags) { +#if DEBUG + if (!(item->type == AI_TYPE_DATA || item->type == AI_TYPE_UNKNOWN)) { + LOGV("auth_items: key = %s, invalid type=%i expected=%i", + item->data.name, item->type, AI_TYPE_DATA); + } +#endif + *len = item->data.valueLength; + + return item->data.value; + } + + return NULL; +} + void auth_items_set_bool(auth_items_t items, const char *key, bool value) { diff --git a/OSX/authd/authitems.h b/OSX/authd/authitems.h index 94455b79..2fe97095 100644 --- a/OSX/authd/authitems.h +++ b/OSX/authd/authitems.h 
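Review bot: `auth_items_get_data_with_flags` duplicates the whole body of `auth_items_get_data` except for the `(item->data.flags & flags) == flags` test; with `flags == 0` that test is always true, so `auth_items_get_data` can be reduced to `return auth_items_get_data_with_flags(items, key, len, 0);` and the DEBUG type check lives in one place. The new function requires every bit of `flags` to be set, whereas `auth_items_check_flags` in the same file returns true when any bit matches; a comment above the definition, e.g. `// returns the item only if ALL bits of flags are set on it (auth_items_check_flags tests ANY)`, prevents the two from being confused. The declaration added to authitems.h (L420) would carry the same comment.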
@@ -102,7 +102,10 @@ void auth_items_set_data(auth_items_t, const char *key, const void *value, size_ AUTH_WARN_RESULT AUTH_NONNULL_ALL const void * auth_items_get_data(auth_items_t, const char *key, size_t * len); - + +AUTH_WARN_RESULT AUTH_NONNULL_ALL +const void * auth_items_get_data_with_flags(auth_items_t items, const char *key, size_t *len, uint32_t flags); + AUTH_NONNULL_ALL void auth_items_set_bool(auth_items_t, const char *key, bool value); diff --git a/OSX/authd/authorization.plist b/OSX/authd/authorization.plist index 618ae61e..96879f0d 100644 --- a/OSX/authd/authorization.plist +++ b/OSX/authd/authorization.plist @@ -495,6 +495,22 @@ See remaining rules for examples. <key>rule</key> <string>entitled-session-owner-or-authenticate-session-owner</string> </dict> + <key>com.apple.ctk.pair</key> + <dict> + <key>class</key> + <string>rule</string> + <key>rule</key> + <string>kcunlock</string> + </dict> + <key>com.apple.ctkbind.admin</key> + <dict> + <key>class</key> + <string>user</string> + <key>group</key> + <string>admin</string> + <key>shared</key> + <false/> + </dict> <key>com.apple.pf.rule</key> <dict> <key>authenticate-user</key> @@ -828,8 +844,9 @@ See remaining rules for examples. <array> <string>loginKC:queryCreate</string> <string>loginKC:showPasswordUI</string> - <string>authinternal</string> </array> + <key>version</key> + <integer>1</integer> <key>session-owner</key> <true/> <key>shared</key> @@ -870,10 +887,11 @@ See remaining rules for examples. <string>HomeDirMechanism:login,privileged</string> <string>HomeDirMechanism:status</string> <string>MCXMechanism:login</string> + <string>CryptoTokenKit:login</string> <string>loginwindow:done</string> </array> <key>version</key> - <integer>3</integer> + <integer>4</integer> </dict> <key>system.login.fus</key> <dict> 
@@ -1468,6 +1486,28 @@ See remaining rules for examples. <key>rule</key> <string>authenticate-session-owner</string> </dict> + <key>system.localauthentication.ui</key> + <dict> + <key>class</key> + <string>evaluate-mechanisms</string> + <key>comment</key> + <string>Used by LocalAuthentication to display its UI.</string> + <key>mechanisms</key> + <array> + <string>LocalAuthentication:UI</string> + </array> + </dict> + <key>system.preferences.continuity</key> + <dict> + <key>class</key> + <string>rule</string> + <key>comment</key> + <string>Used by Password And Continuity PrefPane to request the user's password.</string> + <key>rule</key> + <array> + <string>authenticate-staff-extract-context</string> + </array> + </dict> </dict> <key>rules</key> <dict> @@ -1520,6 +1560,20 @@ See remaining rules for examples. <string>PKINITMechanism:auth,privileged</string> </array> </dict> + <key>kcunlock</key> + <dict> + <key>class</key> + <string>evaluate-mechanisms</string> + <key>extract-password</key> + <true/> + <key>mechanisms</key> + <array> + <string>builtin:unlock-keychain</string> + <string>builtin:kc-verify,privileged</string> + </array> + <key>version</key> + <integer>1</integer> + </dict> <key>authenticate-admin</key> <dict> <key>class</key> @@ -1557,12 +1611,16 @@ See remaining rules for examples. <string>Authenticate as an administrator + allow password extraction.</string> <key>extract-password</key> <true/> + <key>password-only</key> + <true/> <key>group</key> <string>admin</string> <key>require-apple-signed</key> <true/> <key>timeout</key> <integer>0</integer> + <key>version</key> + <integer>1</integer> </dict> <key>authenticate-staff-extract</key> <dict> 
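Review bot: The new `kcunlock` rule sets `extract-password` to true and is reached from the new `com.apple.ctk.pair` right (L420), but neither the right nor the rule has a `comment` key, unlike the surrounding `authenticate-*-extract` rules that state why plaintext password extraction is needed; add e.g. `<key>comment</key><string>Unlocks the keychain for CryptoTokenKit pairing; password extraction is required by builtin:unlock-keychain.</string>` if that is the purpose, since extract-password rules are the first thing a policy reviewer looks at. `system.localauthentication.ui` here and `localauthentication-context` (L422) do carry comments, which is the pattern to follow for `com.apple.ctkbind.admin` as well.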
@@ -1572,12 +1630,28 @@ See remaining rules for examples. <string>Authenticate as group staff + allow password to be extracted.</string> <key>extract-password</key> <true/> + <key>password-only</key> + <true/> <key>group</key> <string>staff</string> <key>require-apple-signed</key> <true/> <key>timeout</key> <integer>0</integer> + <key>version</key> + <integer>1</integer> + </dict> + <key>authenticate-staff-extract-context</key> + <dict> + <key>class</key> + <string>rule</string> + <key>k-of-n</key> + <integer>2</integer> + <key>rule</key> + <array> + <string>authenticate-staff-extract</string> + <string>localauthentication-context</string> + </array> </dict> <key>authenticate-admin-or-staff-extract</key> <dict> @@ -1925,6 +1999,17 @@ See remaining rules for examples. <key>shared</key> <false/> </dict> + <key>localauthentication-context</key> + <dict> + <key>class</key> + <string>evaluate-mechanisms</string> + <key>comment</key> + <string>Used by LocalAuthentication to pass externalized context.</string> + <key>mechanisms</key> + <array> + <string>LocalAuthentication:context</string> + </array> + </dict> </dict> </dict> </plist> diff --git a/OSX/authd/authtoken.c b/OSX/authd/authtoken.c index 51f93105..6f123e6f 100644 --- a/OSX/authd/authtoken.c +++ b/OSX/authd/authtoken.c @@ -292,13 +292,15 @@ auth_token_least_privileged(auth_token_t auth) uid_t auth_token_get_uid(auth_token_t auth) { - return auth ? auth->auditInfo.euid : (uid_t)-2; + assert(auth); // marked non-null + return auth->auditInfo.euid; } pid_t auth_token_get_pid(auth_token_t auth) { - return auth ? auth->auditInfo.pid : -1; + assert(auth); // marked non-null + return auth->auditInfo.pid; } session_t 
@@ -479,14 +481,13 @@ auth_token_apple_signed(auth_token_t auth) bool auth_token_is_creator(auth_token_t auth, process_t proc) { + assert(proc); // marked non-null __block bool creator = false; - if (proc) { - dispatch_sync(auth->dispatch_queue, ^{ - if (auth->creator == proc) { - creator = true; - } - }); - } + dispatch_sync(auth->dispatch_queue, ^{ + if (auth->creator == proc) { + creator = true; + } + }); return creator; } diff --git a/OSX/authd/ccaudit.c b/OSX/authd/ccaudit.c index 52a1504e..4a147303 100644 --- a/OSX/authd/ccaudit.c +++ b/OSX/authd/ccaudit.c @@ -191,6 +191,9 @@ void ccaudit_log_success(ccaudit_t ccaudit, credential_t cred, const char * righ _close(ccaudit); } +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunused-parameter" + void ccaudit_log_failure(ccaudit_t ccaudit, const char * credName, const char * right) { @@ -201,16 +204,14 @@ void ccaudit_log_failure(ccaudit_t ccaudit, const char * credName, const char * _write(ccaudit, au_to_text(right), "right"); _write(ccaudit, au_to_arg32(1, "authenticated as ", auth_token_get_uid(ccaudit->auth)), "authenticator"); - if (NULL == credName) { - _write(ccaudit, au_to_text("<unknown user>"), "target username"); - } else { - _write(ccaudit, au_to_text(credName), "target username"); - } + _write(ccaudit, au_to_text("<unknown user>"), "target username"); _write(ccaudit, au_to_return32(EPERM, (uint32_t)errAuthorizationDenied), "return"); _close(ccaudit); } +#pragma clang diagnostic pop + void ccaudit_log_mechanism(ccaudit_t ccaudit, const char * right, const char * mech, uint32_t status, const char * interrupted) { diff --git a/OSX/authd/engine.c b/OSX/authd/engine.c index 5e6d2ae8..6e2d250c 100644 --- a/OSX/authd/engine.c +++ b/OSX/authd/engine.c 
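Review bot: `ccaudit_log_failure` now always records `<unknown user>` as the target username and ignores `credName`, with the unused-parameter warning silenced by pragmas rather than the parameter being removed from the signature; the failure audit record therefore no longer says which account a failed authorization targeted, which is the field an analyst correlating failed attempts relies on. If dropping it is intentional (for instance because `credName` may carry data that must not reach the audit trail), say so above the function, e.g. `// target username is deliberately not recorded: <reason>`, and then drop the parameter instead of suppressing the warning; otherwise restore the branch. Callers passing `credName` are outside this diff, so whether any still supply a value cannot be seen here.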
@@ -30,6 +30,8 @@ static void _set_auth_token_hints(auth_items_t, auth_token_t); static OSStatus _evaluate_user_credential_for_rule(engine_t, credential_t, rule_t, bool, bool, enum Reason *); static void _engine_set_credential(engine_t, credential_t, bool); static OSStatus _evaluate_rule(engine_t, rule_t, bool *); +static bool _preevaluate_class_rule(engine_t engine, rule_t rule); +static bool _preevaluate_rule(engine_t engine, rule_t rule); enum { kEngineHintsFlagTemporary = (1 << 30) @@ -552,9 +554,8 @@ _evaluate_authentication(engine_t engine, rule_t rule) auth_items_set_data(engine->hints, AGENT_HINT_RETRY_REASON, &engine->reason, sizeof(engine->reason)); auth_items_set_int(engine->hints, AGENT_HINT_TRIES, engine->tries); - status = _evaluate_mechanisms(engine, mechanisms); - + LOGV("engine[%i]: evaluate mechanisms result %d", connection_get_pid(engine->conn), (int)status); // successfully ran mechanisms to obtain credential @@ -794,6 +795,23 @@ _evaluate_class_rule(engine_t engine, rule_t rule, bool *save_pwd) return status; } +static bool +_preevaluate_class_rule(engine_t engine, rule_t rule) +{ + LOGV("engine[%i]: _preevaluate_class_rule %s", connection_get_pid(engine->conn), rule_get_name(rule)); + + __block bool password_only = false; + rule_delegates_iterator(rule, ^bool(rule_t delegate) { + if (_preevaluate_rule(engine, delegate)) { + password_only = true; + return false; + } + return true; + }); + + return password_only; +} + static OSStatus _evaluate_class_mechanism(engine_t engine, rule_t rule) { @@ -876,7 +894,7 @@ _evaluate_rule(engine_t engine, rule_t rule, bool *save_pwd) *save_pwd |= rule_get_extract_password(rule); - switch (rule_get_class(rule)) { + switch (rule_get_class(rule)) { case RC_ALLOW: LOGV("engine[%i]: rule set to allow", connection_get_pid(engine->conn)); return errAuthorizationSuccess; 
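Review bot: `_preevaluate_class_rule` and `_preevaluate_rule` (L425) recurse into each other through `rule_delegates_iterator` with no depth or visited-set guard, so a rule graph in which a `rule`-class entry delegates back to an ancestor would recurse until the stack is exhausted. Whether `_evaluate_class_rule` (outside the hunk) already protects against that, or the authorization database rejects cycles on write, is not visible here and should be confirmed, or a depth limit added alongside the `password_only` early-out. A comment on `_preevaluate_class_rule` mirroring the one on `_preevaluate_rule`, e.g. `// true if any delegate of this rule-class rule resolves to a password-only RC_USER rule`, would document the pair. `_evaluate_class_rule` begins and ends outside the hunks.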
@@ -890,11 +908,32 @@ _evaluate_rule(engine_t engine, rule_t rule, bool *save_pwd) case RC_MECHANISM: return _evaluate_class_mechanism(engine, rule); default: - LOGE("engine[%i]: invalid class for rule or rule not found", connection_get_pid(engine->conn)); + LOGE("engine[%i]: invalid class for rule or rule not found: %s", connection_get_pid(engine->conn), rule_get_name(rule)); return errAuthorizationInternal; } } +// returns true if this rule or its children contain RC_USER rule with password_only==true +static bool +_preevaluate_rule(engine_t engine, rule_t rule) +{ + LOGV("engine[%i]: _preevaluate_rule %s", connection_get_pid(engine->conn), rule_get_name(rule)); + + switch (rule_get_class(rule)) { + case RC_ALLOW: + case RC_DENY: + return false; + case RC_USER: + return rule_get_password_only(rule); + case RC_RULE: + return _preevaluate_class_rule(engine, rule); + case RC_MECHANISM: + return false; + default: + return false; + } +} + static rule_t _find_rule(engine_t engine, authdb_connection_t dbconn, const char * string) { @@ -963,8 +1002,11 @@ static void _parse_environment(engine_t engine, auth_items_t environment) if (engine->flags & kAuthorizationFlagExtendRights) { const char * user = auth_items_get_string(environment, kAuthorizationEnvironmentUsername); const char * pass = auth_items_get_string(environment, kAuthorizationEnvironmentPassword); + const bool password_was_used = auth_items_get_string(environment, AGENT_CONTEXT_AP_PAM_SERVICE_NAME) == nil; // AGENT_CONTEXT_AP_PAM_SERVICE_NAME in the context means alternative PAM was used + require(password_was_used == true, done); + bool shared = auth_items_exist(environment, kAuthorizationEnvironmentShared); - require(user != NULL, done); + require_action(user != NULL, done, LOGV("engine[%i]: user not used password", connection_get_pid(engine->conn))); struct passwd *pw = getpwnam(user); require_action(pw != NULL, done, LOGE("engine[%i]: user not found %s", connection_get_pid(engine->conn), user)); 
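Review bot: The LOGV attached to `require_action(user != NULL, ...)` says "user not used password", but that branch fires when no username is present in the environment; the case the message describes, an alternative PAM service having been used, is the `require(password_was_used == true, done)` two lines above, which exits silently. Swap them: `require_action(password_was_used == true, done, LOGV("engine[%i]: user not used password", connection_get_pid(engine->conn)));` and `require_action(user != NULL, done, LOGV("engine[%i]: no username in environment", connection_get_pid(engine->conn)));`. The new line also compares against `nil` while the checks around it use `NULL`; `NULL` is the form that belongs in a .c file. _parse_environment continues outside the hunk.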
@@ -1012,6 +1054,8 @@ OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t en { __block OSStatus status = errAuthorizationSuccess; __block bool savePassword = false; + __block bool password_only = false; + ccaudit_t ccaudit = NULL; require(rights != NULL, done); @@ -1032,7 +1076,32 @@ OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t en engine->dismissed = false; auth_rights_clear(engine->grantedRights); - + + { + // first check if any of rights uses rule with password-only set to true + // if so, set appropriate hint so SecurityAgent won't use alternate authentication methods like smartcard etc. + authdb_connection_t dbconn = authdb_connection_acquire(server_get_database()); // get db handle + auth_rights_iterate(rights, ^bool(const char *key) { + if (!key) + return true; + LOGV("engine[%i]: checking if rule %s contains password-only item", connection_get_pid(engine->conn), key); + + rule_t rule = _find_rule(engine, dbconn, key); + + if (rule && _preevaluate_rule(engine, rule)) { + password_only = true; + return false; + } + return true; + }); + authdb_connection_release(&dbconn); // release db handle + } + + if (password_only) { + LOGV("engine[%i]: password-only item found, forcing SecurityAgent to use password-only UI", connection_get_pid(engine->conn)); + auth_items_set_bool(engine->immutable_hints, AGENT_HINT_PASSWORD_ONLY, true); + } + auth_rights_iterate(rights, ^bool(const char *key) { if (!key) return true; 
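Review bot: The rule returned by `_find_rule(engine, dbconn, key)` in the new pre-check block is never released; if _find_rule hands back an owned reference, as the main rights loop below presumably takes care of, each right pre-checked here leaks one rule object per authorization. Either release it once `_preevaluate_rule` has returned, or add a comment stating that _find_rule returns a borrowed reference. Separately, AGENT_HINT_PASSWORD_ONLY is set on engine->immutable_hints here and removed only at the end of the rights loop (the `@@ -1119` hunk), so any `goto done` in between leaves the hint set for later use of the same engine; the removal belongs on the done: path, or in cleanup that runs on every exit. engine_authorize continues outside the hunk.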
@@ -1119,13 +1188,18 @@ OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t en return true; }); + + if (password_only) { + LOGV("engine[%i]: removing password-only flag", connection_get_pid(engine->conn)); + auth_items_remove(engine->immutable_hints, AGENT_HINT_PASSWORD_ONLY); + } if ((engine->flags & kAuthorizationFlagPartialRights) && (auth_rights_get_count(engine->grantedRights) > 0)) { status = errAuthorizationSuccess; } if (engine->dismissed) { - LOGE("engine[%i]: engine dismissed"); + LOGE("engine: engine dismissed"); status = errAuthorizationDenied; } diff --git a/OSX/authd/process.c b/OSX/authd/process.c index ce530651..19f71229 100644 --- a/OSX/authd/process.c +++ b/OSX/authd/process.c @@ -207,29 +207,34 @@ process_get_key(process_t proc) uid_t process_get_uid(process_t proc) { - return proc ? proc->auditInfo.euid : (uid_t)-2; + assert(proc); // marked non-null + return proc->auditInfo.euid; } pid_t process_get_pid(process_t proc) { - return proc ? proc->auditInfo.pid : -1; + assert(proc); // marked non-null + return proc->auditInfo.pid; } int32_t process_get_generation(process_t proc) { + assert(proc); // marked non-null return proc->auditInfo.tid; } session_id_t process_get_session_id(process_t proc) { - return proc ? proc->auditInfo.asid : -1; + assert(proc); // marked non-null + return proc->auditInfo.asid; } session_t process_get_session(process_t proc) { + assert(proc); // marked non-null return proc->session; } diff --git a/OSX/authd/rule.c b/OSX/authd/rule.c index a307f81e..097e1038 100644 --- a/OSX/authd/rule.c +++ b/OSX/authd/rule.c 
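Review bot: The dismissed-engine LOGE is repaired by dropping the `%i` that had no matching argument, which leaves it the one message in this function without the pid; `LOGE("engine[%i]: engine dismissed", connection_get_pid(engine->conn));` keeps the format the surrounding lines use and supplies the argument. engine_authorize continues outside the hunk.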
@@ -279,7 +279,10 @@ rule_create_with_plist(RuleType type, CFStringRef name, CFDictionaryRef plist, a if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterVPNEntitledAndGroup)), false)) { flags |= RuleFlagVPNEntitledAndGroup; } - + if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterPasswordOnly)), false)) { + flags |= RuleFlagPasswordOnly; + } + _copy_cf_rule_mechanisms(rule, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterMechanisms)), dbconn); break; @@ -296,8 +299,8 @@ rule_create_with_plist(RuleType type, CFStringRef name, CFDictionaryRef plist, a if (_get_cf_bool(CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterExtractPassword)), false)) { flags |= RuleFlagExtractPassword; } - - _copy_cf_rule_mechanisms(rule, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterMechanisms)), dbconn); + + _copy_cf_rule_mechanisms(rule, CFDictionaryGetValue(plist, CFSTR(kAuthorizationRuleParameterMechanisms)), dbconn); break; case RC_DENY: @@ -502,7 +505,7 @@ _sql_bind(rule_t rule, sqlite3_stmt * stmt) rc = sqlite3_bind_text(stmt, column++, rule_get_identifier(rule), -1, NULL); require_noerr(rc, err); - CFDataRef data = rule_get_requirment_data(rule); + CFDataRef data = rule_get_requirement_data(rule); if (data) { rc = sqlite3_bind_blob(stmt, column++, CFDataGetBytePtr(data), (int32_t)CFDataGetLength(data), NULL); } else { @@ -862,7 +865,7 @@ rule_copy_to_cfobject(rule_t rule, authdb_connection_t dbconn) { CFReleaseSafe(tmp); } - SecRequirementRef req = rule_get_requirment(rule); + SecRequirementRef req = rule_get_requirement(rule); if (req) { CFStringRef reqStr = NULL; SecRequirementCopyString(req, kSecCSDefaultFlags, &reqStr); 
@@ -950,7 +953,10 @@ rule_copy_to_cfobject(rule_t rule, authdb_connection_t dbconn) { if (rule_get_extract_password(rule)) { CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterExtractPassword), kCFBooleanTrue); } - + if (rule_get_password_only(rule)) { + CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterPasswordOnly), kCFBooleanTrue); + } + count = CFArrayGetCount(rule->mechanisms); if (count) { array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); @@ -993,7 +999,7 @@ rule_copy_to_cfobject(rule_t rule, authdb_connection_t dbconn) { if (rule_get_extract_password(rule)) { CFDictionarySetValue(dict, CFSTR(kAuthorizationRuleParameterExtractPassword), kCFBooleanTrue); } - + n = rule_get_tries(rule); tmp = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &n); CFDictionarySetValue(dict, CFSTR("tries"), tmp); @@ -1156,6 +1162,12 @@ rule_get_extract_password(rule_t rule) return rule_check_flags(rule, RuleFlagExtractPassword); } +bool +rule_get_password_only(rule_t rule) +{ + return rule_check_flags(rule, RuleFlagPasswordOnly); +} + int64_t rule_get_tries(rule_t rule) { @@ -1189,7 +1201,7 @@ const char * rule_get_identifier(rule_t rule) return auth_items_get_string(rule->data, RULE_IDENTIFIER); } -CFDataRef rule_get_requirment_data(rule_t rule) +CFDataRef rule_get_requirement_data(rule_t rule) { if (!rule->requirement_data && auth_items_exist(rule->data, RULE_REQUIREMENT)) { size_t len; @@ -1200,10 +1212,10 @@ CFDataRef rule_get_requirment_data(rule_t rule) return rule->requirement_data; } -SecRequirementRef rule_get_requirment(rule_t rule) +SecRequirementRef rule_get_requirement(rule_t rule) { if (!rule->requirement) { - CFDataRef data = rule_get_requirment_data(rule); + CFDataRef data = rule_get_requirement_data(rule); if (data) { SecRequirementCreateWithData(data, kSecCSDefaultFlags, &rule->requirement); } diff --git a/OSX/authd/rule.h b/OSX/authd/rule.h index 1d757949..b5499d1d 100644 --- a/OSX/authd/rule.h 
+++ b/OSX/authd/rule.h @@ -36,7 +36,8 @@ enum { RuleFlagEntitled = 1 << 5, RuleFlagEntitledAndGroup = 1 << 6, RuleFlagRequireAppleSigned = 1 << 7, - RuleFlagVPNEntitledAndGroup = 1 << 8 + RuleFlagVPNEntitledAndGroup = 1 << 8, + RuleFlagPasswordOnly = 1 << 9 }; typedef uint32_t RuleFlags; @@ -114,7 +115,10 @@ bool rule_get_authenticate_user(rule_t); AUTH_NONNULL_ALL bool rule_get_extract_password(rule_t); - + +AUTH_NONNULL_ALL +bool rule_get_password_only(rule_t); + AUTH_NONNULL_ALL int64_t rule_get_tries(rule_t); @@ -134,10 +138,10 @@ AUTH_NONNULL_ALL const char * rule_get_identifier(rule_t); AUTH_NONNULL_ALL -CFDataRef rule_get_requirment_data(rule_t); +CFDataRef rule_get_requirement_data(rule_t); AUTH_NONNULL_ALL -SecRequirementRef rule_get_requirment(rule_t); +SecRequirementRef rule_get_requirement(rule_t); #if defined(__cplusplus) } diff --git a/OSX/authd/server.c b/OSX/authd/server.c index ef07e325..86943950 100644 --- a/OSX/authd/server.c +++ b/OSX/authd/server.c @@ -19,6 +19,7 @@ #include <Security/Authorization.h> #include <Security/AuthorizationPriv.h> #include <Security/AuthorizationTagsPriv.h> +#include <Security/AuthorizationPlugin.h> #include <xpc/private.h> #include <dispatch/dispatch.h> #include <CoreFoundation/CoreFoundation.h> @@ -199,7 +200,7 @@ static void _setupAuditSessionMonitor() continue; } LOGD("server: au_sdev_handle_t event=%i, session=%i", event, aia.ai_asid); - if (event == AUE_SESSION_CLOSE) { + if (event == AUE_SESSION_END) { dispatch_async(get_server_dispatch_queue(), ^{ LOGV("server: session %i destroyed", aia.ai_asid); CFDictionaryRemoveValue(gSessionMap, &aia.ai_asid); 
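Review bot: The session monitor now evicts a session from gSessionMap on AUE_SESSION_END instead of AUE_SESSION_CLOSE, and nothing in the hunk says why the previous event was wrong; a comment on the condition, `// AUE_SESSION_END, not AUE_SESSION_CLOSE: <reason>`, would save the next reader from re-deriving it. If both event types can still be delivered, CLOSE events now leave stale entries in the map, which is worth confirming. _setupAuditSessionMonitor continues outside the hunk.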
@@ -338,63 +339,59 @@ done: void server_unregister_connection(connection_t conn) { - if (conn != NULL) { - process_t proc = connection_get_process(conn); - - dispatch_sync(get_server_dispatch_queue(), ^{ - CFIndex connectionCount = process_get_connection_count(proc); - LOGV("server[%i]: unregistered connection (total=%li)", process_get_pid(proc), connectionCount); + assert(conn); // marked non-null + process_t proc = connection_get_process(conn); + + dispatch_sync(get_server_dispatch_queue(), ^{ + CFIndex connectionCount = process_get_connection_count(proc); + LOGV("server[%i]: unregistered connection (total=%li)", process_get_pid(proc), connectionCount); - if (connectionCount == 1) { - CFDictionaryRemoveValue(gProcessMap, process_get_key(proc)); - } - - if (CFDictionaryGetCount(gProcessMap) == 0) { - xpc_transaction_end(); - gXPCTransaction = false; - } - }); - // move the destruction of the connection/process off the server queue - CFRelease(conn); - } + if (connectionCount == 1) { + CFDictionaryRemoveValue(gProcessMap, process_get_key(proc)); + } + + if (CFDictionaryGetCount(gProcessMap) == 0) { + xpc_transaction_end(); + gXPCTransaction = false; + } + }); + // move the destruction of the connection/process off the server queue + CFRelease(conn); } void server_register_auth_token(auth_token_t auth) { - if (auth != NULL) { - dispatch_sync(get_server_dispatch_queue(), ^{ - LOGV("server: registering auth %p", auth); - CFDictionarySetValue(gAuthTokenMap, auth_token_get_key(auth), auth); - auth_token_set_state(auth, auth_token_state_registered); - }); - } + assert(auth); // marked non-null + dispatch_sync(get_server_dispatch_queue(), ^{ + LOGV("server: registering auth %p", auth); + CFDictionarySetValue(gAuthTokenMap, auth_token_get_key(auth), auth); + auth_token_set_state(auth, auth_token_state_registered); + }); } void server_unregister_auth_token(auth_token_t auth) { - if (auth != NULL) { - AuthorizationBlob blob = *(AuthorizationBlob*)auth_token_get_key(auth); - 
dispatch_async(get_server_dispatch_queue(), ^{ - LOGV("server: unregistering auth %p", auth); - CFDictionaryRemoveValue(gAuthTokenMap, &blob); - }); - } + assert(auth); + AuthorizationBlob blob = *(AuthorizationBlob*)auth_token_get_key(auth); + dispatch_async(get_server_dispatch_queue(), ^{ + LOGV("server: unregistering auth %p", auth); + CFDictionaryRemoveValue(gAuthTokenMap, &blob); + }); } auth_token_t server_find_copy_auth_token(AuthorizationBlob * blob) { + assert(blob); // marked non-null __block auth_token_t auth = NULL; - if (blob != NULL) { - dispatch_sync(get_server_dispatch_queue(), ^{ - auth = (auth_token_t)CFDictionaryGetValue(gAuthTokenMap, blob); - if (auth) { - CFRetain(auth); - } - }); - } + dispatch_sync(get_server_dispatch_queue(), ^{ + auth = (auth_token_t)CFDictionaryGetValue(gAuthTokenMap, blob); + if (auth) { + CFRetain(auth); + } + }); return auth; } @@ -640,15 +637,14 @@ authorization_copy_info(connection_t conn, xpc_object_t message, xpc_object_t re tag = xpc_dictionary_get_string(message, AUTH_XPC_TAG); LOGV("server[%i]: requested tag: %s", connection_get_pid(conn), tag ? tag : "(all)"); - if (tag) { - size_t len; - const void * data = auth_items_get_data(auth_token_get_context(auth), tag, &len); - if (data) { - auth_items_set_data(items, tag, data, len); - } - } else { - auth_items_copy(items, auth_token_get_context(auth)); - } + if (tag) { + size_t len; + const void * data = auth_items_get_data_with_flags(auth_token_get_context(auth), tag, &len, kAuthorizationContextFlagExtractable); + if (data) + auth_items_set_data(items, tag, data, len); + } else { + auth_items_copy_with_flags(items, auth_token_get_context(auth), kAuthorizationContextFlagExtractable); + } #if DEBUG LOGV("server[%i]: Dumping requested AuthRef items", connection_get_pid(conn)); 
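Review bot: server_unregister_auth_token gets a bare `assert(auth);` while every other guard replaced in this hunk carries the `// marked non-null` comment that ties the assert to the header annotation; write it as `assert(auth); // marked non-null` so the intent is stated uniformly. The hunk also keeps `*(AuthorizationBlob*)auth_token_get_key(auth)` copying the key by value before the async block; a short comment that the copy is deliberate because the token may be gone by the time the block runs would help, if that is the reason.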
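Review bot: `if (data)` in the tag branch lost its braces while the else branch and the rest of the function keep them; `if (data) { auth_items_set_data(items, tag, data, len); }` keeps the style uniform. The substantive change, filtering the copied context through kAuthorizationContextFlagExtractable, deserves a line of its own since it silently narrows what AuthorizationCopyInfo hands back to clients: `// only context items flagged extractable may leave the daemon`. authorization_copy_info continues outside the hunk.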
@@ -663,7 +659,7 @@ authorization_copy_info(connection_t conn, xpc_object_t message, xpc_object_t re done: CFReleaseSafe(items); CFReleaseSafe(auth); - LOGV("server[%i]: AuthorizationCopyInfo %i", connection_get_pid(conn), status); + LOGV("server[%i]: AuthorizationCopyInfo %i", connection_get_pid(conn), (int) status); return status; } @@ -762,7 +758,7 @@ done: static bool _prompt_for_modifications(process_t __unused proc, rule_t __unused rule) { // <rdar://problem/13853228> will put back it back at some later date -// SecRequirementRef ruleReq = rule_get_requirment(rule); +// SecRequirementRef ruleReq = rule_get_requirement(rule); // // if (ruleReq && process_verify_requirment(proc, ruleReq)) { // return false; diff --git a/OSX/authd/session.c b/OSX/authd/session.c index 3e0d76f6..e1ed31c7 100644 --- a/OSX/authd/session.c +++ b/OSX/authd/session.c @@ -122,13 +122,15 @@ session_get_key(session_t session) session_id_t session_get_id(session_t session) { - return session ? session->auditinfo.ai_asid : -1; + assert(session); // marked non-null + return session->auditinfo.ai_asid; } uid_t session_get_uid(session_t session) { - return session ? session->auditinfo.ai_auid : (uid_t)-2; + assert(session); // marked non-null + return session->auditinfo.ai_auid; } CFIndex diff --git a/OSX/cloud_keychain_diagnose/cloud_keychain_diagnose-Prefix.pch b/OSX/cloud_keychain_diagnose/cloud_keychain_diagnose-Prefix.pch deleted file mode 100644 index b0e33d79..00000000 --- a/OSX/cloud_keychain_diagnose/cloud_keychain_diagnose-Prefix.pch +++ /dev/null @@ -1,5 +0,0 @@ -// -// Prefix header for all source files of the 'cloud_keychain_diagnose' target in the 'cloud_keychain_diagnose' project -// - -#inclucde <CoreFoundation/CoreFoundation.h> diff --git a/OSX/codesign_tests/CaspianTests/CaspianTests b/OSX/codesign_tests/CaspianTests/CaspianTests index 6865b0dd..a332d01d 100755 --- a/OSX/codesign_tests/CaspianTests/CaspianTests +++ b/OSX/codesign_tests/CaspianTests/CaspianTests 
@@ -259,6 +259,13 @@ case $(sw_vers -buildVersion) in esac +# +# Misc regression cases +# + +runTest fail-evil-itunes spctl -a -t exec $ct/evil-itunes.app + + # # cleanup # diff --git a/OSX/config/base.xcconfig b/OSX/config/base.xcconfig index 930d45ed..63ced241 100644 --- a/OSX/config/base.xcconfig +++ b/OSX/config/base.xcconfig @@ -1,6 +1,6 @@ SDKROOT = macosx.internal -ARCHS = $(ARCHS_STANDARD_32_64_BIT) +ARCHS[sdk=macosx*] = $(ARCHS_STANDARD_32_64_BIT) CODE_SIGN_IDENTITY = -; GCC_VERSION = com.apple.compilers.llvm.clang.1_0 DEBUG_INFORMATION_FORMAT = dwarf-with-dsym @@ -16,3 +16,4 @@ STRIP_STYLE = debugging STRIP_INSTALLED_PRODUCT = NO WARNING_CFLAGS = -Wno-deprecated-declarations $(inherited) +GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0 diff --git a/OSX/config/security.xcconfig b/OSX/config/security.xcconfig index fad4101e..afa05f70 100644 --- a/OSX/config/security.xcconfig +++ b/OSX/config/security.xcconfig @@ -27,3 +27,4 @@ GCC_WARN_64_TO_32_BIT_CONVERSION = YES GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES GCC_WARN_ABOUT_RETURN_TYPE = YES GCC_WARN_UNUSED_VARIABLE = YES +GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0 diff --git a/OSX/lib/AppWorkaround.plist b/OSX/lib/AppWorkaround.plist deleted file mode 100644 index f8e79f20..00000000 --- a/OSX/lib/AppWorkaround.plist +++ /dev/null 
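Review bot: `$ct/evil-itunes.app` on the new runTest line is unquoted, so a fixture directory containing whitespace splits into several spctl arguments; `runTest fail-evil-itunes spctl -a -t exec "$ct/evil-itunes.app"` avoids that. If the existing runTest lines in this file also leave `$ct` bare, keep it consistent here and quote them all in a follow-up.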
@@ -1,90 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>kCSCheckFixVersion</key>
- <string>1</string>
- <key>kCSCheckFixUniversal</key>
- <dict>
- <key>21946795</key>
- <dict>
- <key>com.autodesk.AdSync</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.AutoCAD2014</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.AutoCAD2015</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.AutoCAD2016</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.fusion360</key>
- <array>
- <string>2.*</string>
- </array>
- <key>com.autodesk.Maya.2015</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.Maya.2016</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.Maya.2017</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.MayaIO.2017</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.MayaLT.2015</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.MayaLT.2016</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.MayaLT.2017</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.pkg.Mudbox2015</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.pkg.Mudbox2016</key>
- <array>
- <string>*</string>
- </array>
- <key>com.autodesk.pkg.Mudbox2017</key>
- <array>
- <string>*</string>
- </array>
- <key>com.ea.Origin</key>
- <array>
- <string>9.*</string>
- </array>
- <key>com.pixar.RenderManNC-Installer</key>
- <array>
- <string>1.*</string>
- </array>
- <key>com.viber.osx</key>
- <array>
- <string>5.*</string>
- </array>
- <key>com.vmware.fusion</key>
- <array>
- <string>7.*</string>
- </array>
- </dict>
- </dict>
-</dict>
-</plist>
diff --git a/OSX/lib/Info-Security.plist b/OSX/lib/Info-Security.plist
index dfb79010..a6a0716e 100644
--- a/OSX/lib/Info-Security.plist
+++ b/OSX/lib/Info-Security.plist
@@ -1,6 +1,6 @@
-<?xml version=1.0 encoding=UTF-8?>
-<!DOCTYPE plist PUBLIC -//Apple//DTD PLIST 1.0//EN http://www.apple.com/DTDs/PropertyList-1.0.dtd>
-<plist version=1.0>
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
 <dict>
 <key>CFBundleDevelopmentRegion</key>
 <string>English</string>
@@ -9,7 +9,7 @@
 <key>CFBundleIconFile</key>
 <string></string>
 <key>CFBundleIdentifier</key>
- <string>com.apple.security</string>
+ <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 <key>CFBundleInfoDictionaryVersion</key>
 <string>6.0</string>
 <key>CFBundlePackageType</key>
diff --git a/OSX/lib/en.lproj/authorization.buttons.strings b/OSX/lib/en.lproj/authorization.buttons.strings
index 32b139c1..6e6d04a3 100644
--- a/OSX/lib/en.lproj/authorization.buttons.strings
+++ b/OSX/lib/en.lproj/authorization.buttons.strings
@@ -135,3 +135,7 @@
 "system.services.networkextension.filtering" = "Modify Configuration";
 "com.apple.iCloud.passwordReset" = "Reset Password";
+
+"system.preferences.continuity" = "Unlock";
+
+"com.apple.ctkbind.admin" = "Pair";
diff --git a/OSX/lib/en.lproj/authorization.prompts.strings b/OSX/lib/en.lproj/authorization.prompts.strings
index 2a7b73a3..bab9a0cc 100644
--- a/OSX/lib/en.lproj/authorization.prompts.strings
+++ b/OSX/lib/en.lproj/authorization.prompts.strings
@@ -151,3 +151,7 @@
 "system.services.networkextension.filtering" = "__APPNAME__ is trying to modify the content filtering configuration.";
 "com.apple.iCloud.passwordReset" = "__APPNAME__ wants to reset your Apple ID password. This Mac can be used to reset your password because you are signed into iCloud on it.";
+
+"system.preferences.continuity" = "__APPNAME__ is trying to unlock the Touch ID preferences.";
+
+"com.apple.ctkbind.admin" = "__APPNAME__ is trying to pair the current user with the SmartCard identity.";
diff --git a/OSX/lib/framework.sb b/OSX/lib/framework.sb
index 74907d8d..7fa76f2d 100644
--- a/OSX/lib/framework.sb
+++ b/OSX/lib/framework.sb
@@ -2,3 +2,6 @@
 (allow mach-lookup (global-name "com.apple.secd"))
 ;; allow clients to communicate with coreauthd
 (allow mach-lookup (global-name "com.apple.CoreAuthentication.daemon.libxpc"))
+(allow mach-lookup (global-name "com.apple.CoreAuthentication.agent.libxpc"))
+;; allow clients to communicate with ctkd
+(allow mach-lookup (global-name "com.apple.ctkd.token-client"))
diff --git a/OSX/lib/plugins/csparser-Info.plist b/OSX/lib/plugins/csparser-Info.plist
index 42f9d3a8..7e030584 100644
--- a/OSX/lib/plugins/csparser-Info.plist
+++ b/OSX/lib/plugins/csparser-Info.plist
@@ -7,18 +7,18 @@
 <key>CFBundleExecutable</key>
 <string>${EXECUTABLE_NAME}</string>
 <key>CFBundleIdentifier</key>
- <string>com.apple.security.csparser</string>
- <key>CFBundleName</key>
- <string>Code Signing parser for Security.framework use</string>
+ <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 <key>CFBundleInfoDictionaryVersion</key>
 <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>Code Signing parser for Security.framework use</string>
 <key>CFBundlePackageType</key>
 <string>BNDL</string>
+ <key>CFBundleShortVersionString</key>
+ <string>3.0</string>
 <key>CFBundleSignature</key>
 <string>????</string>
 <key>CFBundleVersion</key>
 <string>${CURRENT_PROJECT_VERSION}</string>
- <key>CFBundleShortVersionString</key>
- <string>3.0</string>
 </dict>
 </plist>
diff --git a/OSX/lib/security.exp-in b/OSX/lib/security.exp-in
index d308e7aa..637f8021 100644
--- a/OSX/lib/security.exp-in
+++ b/OSX/lib/security.exp-in
@@ -285,6 +285,8 @@ _SecCodeCopyDesignatedRequirement
 _SecCodeCopySigningInformation
 _SecCodeMapMemory
 _SecCodeSetDetachedSignature
+_SecCodeCopyComponent
+_SecCodeValidateFileResource
 _kSecCodeAttributeArchitecture
 _kSecCodeAttributeBundleVersion
 _kSecCodeAttributeSubarchitecture
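Review bot: The added `com.apple.CoreAuthentication.agent.libxpc` allowance sits under the coreauthd comment without saying whether it is the same service or a second one, while the ctkd entry gets its own `;;` line; give the agent entry one too, `;; allow clients to communicate with the CoreAuthentication agent`, or whatever the service actually is. Each mach-lookup added to this profile is reachable from every client of the framework, so the profile is where a reviewer expects to find the reason a client needs the service.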
@@ -368,6 +370,11 @@ _kSecCodeInfoUnique
 _kSecCodeInfoCdHashes
 _kSecCodeInfoCodeDirectory
 _kSecCodeInfoCodeOffset
+_kSecCodeInfoDiskRepInfo
+_kSecCodeInfoDiskRepOSPlatform
+_kSecCodeInfoDiskRepOSVersionMin
+_kSecCodeInfoDiskRepOSSDKVersion
+_kSecCodeInfoDiskRepNoLibraryValidation
 _kSecCodeInfoResourceDirectory
 _kSecGuestAttributeCanonical
 _kSecGuestAttributeDynamicCode
@@ -375,6 +382,7 @@ _kSecGuestAttributeDynamicCodeInfoPlist
 _kSecGuestAttributeHash
 _kSecGuestAttributeMachPort
 _kSecGuestAttributePid
+_kSecGuestAttributeAudit
 _kSecRequirementKeyInfoPlist
 _kSecRequirementKeyEntitlements
 _kSecRequirementKeyIdentifier
@@ -385,15 +393,18 @@ _kSecCFErrorResourceSeal
 _kSecCFErrorResourceAdded
 _kSecCFErrorResourceAltered
 _kSecCFErrorResourceMissing
+_kSecCFErrorResourceSideband
 _kSecCFErrorInfoPlist
 _kSecCFErrorGuestAttributes
 _kSecCFErrorRequirementSyntax
-_SecTaskGetTypeID
 _SecTaskCreateWithAuditToken
 _SecTaskCreateFromSelf
 _SecTaskCopyValueForEntitlement
 _SecTaskCopyValuesForEntitlements
+_SecTaskCopySigningIdentifier
+_SecTaskGetCodeSignStatus
+_SecTaskGetTypeID
 _SecTaskValidateForRequirement
 _SecAssessmentCreate
@@ -444,6 +455,7 @@ _kSecAssessmentRuleKeyType
 _kSecAssessmentRuleKeyExpires
 _kSecAssessmentRuleKeyDisabled
 _kSecAssessmentRuleKeyBookmark
+_kSecAssessmentContextKeyPrimarySignature
 //
 // libsecurity_cssm
@@ -1124,13 +1136,16 @@ _kSecClassKey
 _kSecClassIdentity
 _kSecAttrAccess
 _kSecAttrAccessGroup
+_kSecAttrAccessGroupToken
 _kSecAttrAccessible
 _kSecAttrAccessibleWhenUnlocked
 _kSecAttrAccessibleAfterFirstUnlock
 _kSecAttrAccessibleAlways
+_kSecAttrAccessibleAlwaysPrivate
 _kSecAttrAccessibleWhenUnlockedThisDeviceOnly
 _kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
 _kSecAttrAccessibleAlwaysThisDeviceOnly
+_kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate
 _kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
 _kSecAttrCreationDate
 _kSecAttrModificationDate
@@ -1195,20 +1210,12 @@ _kSecAttrSynchronizable
 _kSecAttrSynchronizableAny
 _kSecAttrSyncViewHint
 _kSecAttrTokenID
+_kSecAttrTokenOID
+_kSecAttrTokenIDSecureEnclave
 _kSecAttrTombstone
-_kSecAttrViewHintPCSMasterKey
-_kSecAttrViewHintPCSiCloudDrive
-_kSecAttrViewHintPCSPhotos
-_kSecAttrViewHintPCSCloudKit
-_kSecAttrViewHintPCSEscrow
-_kSecAttrViewHintPCSFDE
-_kSecAttrViewHintPCSMailDrop
-_kSecAttrViewHintPCSiCloudBackup
-_kSecAttrViewHintPCSNotes
-_kSecAttrViewHintPCSiMessage
-_kSecAttrViewHintAppleTV
-_kSecAttrViewHintHomeKit
-_kSecAttrViewHintThumper
+#include "Security/SecureObjectSync/SOSViews.exp-in"
+_kSecAttrMultiUser
+_kSecUseTombstones
 _kSecMatchPolicy
 _kSecMatchItemList
 _kSecMatchSearchList
@@ -1279,6 +1286,73 @@ _kSecAttrKeyClassPrivate
 _kSecAttrKeyClassSymmetric
 _kSecPrivateKeyAttrs
 _kSecPublicKeyAttrs
+_kSecKeyAlgorithmRSASignatureRaw
+_kSecKeyAlgorithmRSASignatureRawCCUnit
+_kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw
+_kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5
+_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1
+_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224
+_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256
+_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384
+_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512
+_kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5
+_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1
+_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224
+_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256
+_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384
+_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
+_kSecKeyAlgorithmECDSASignatureRFC4754
+_kSecKeyAlgorithmECDSASignatureDigestX962
+_kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+_kSecKeyAlgorithmECDSASignatureDigestX962SHA224
+_kSecKeyAlgorithmECDSASignatureDigestX962SHA256
+_kSecKeyAlgorithmECDSASignatureDigestX962SHA384
+_kSecKeyAlgorithmECDSASignatureDigestX962SHA512
+_kSecKeyAlgorithmECDSASignatureMessageX962SHA1
+_kSecKeyAlgorithmECDSASignatureMessageX962SHA224
+_kSecKeyAlgorithmECDSASignatureMessageX962SHA256
+_kSecKeyAlgorithmECDSASignatureMessageX962SHA384
+_kSecKeyAlgorithmECDSASignatureMessageX962SHA512
+_kSecKeyAlgorithmRSAEncryptionRaw
+_kSecKeyAlgorithmRSAEncryptionRawCCUnit
+_kSecKeyAlgorithmRSAEncryptionPKCS1
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA1
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA224
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA256
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA384
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA512
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM
+_kSecKeyAlgorithmECDHKeyExchangeStandard
+_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1
+_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224
+_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256
+_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384
+_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512
+_kSecKeyAlgorithmECDHKeyExchangeCofactor
+_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1
+_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224
+_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256
+_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384
+_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512
+_kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM
+_kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM
+_kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM
+_kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM
+_kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM
+_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM
+_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM
+_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM
+_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM
+_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM
+_kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw
+_kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5
+_kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5
+_kSecKeyKeyExchangeParameterRequestedSize
+_kSecKeyKeyExchangeParameterSharedInfo
 _kSecImportExportPassphrase
 _kSecImportExportKeychain
 _kSecImportExportAccess
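Review bot: `_kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw`, `_kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5` and `_kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5` are each listed twice in this hunk, once in the RSA block at the top and again just before `_kSecKeyKeyExchangeParameterRequestedSize`; drop the second copies so the list stays one symbol per line and grep-able. The hunk also makes the MD5-based and raw PKCS#1 v1.5 identifiers part of the exported API next to the SHA-2 ones; if they exist for interoperability with existing callers, a `// legacy, for interoperability only` marker on those lines tells API users which algorithms not to pick for new code.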
@@ -1287,49 +1361,143 @@ _kSecImportItemKeyID
 _kSecImportItemTrust
 _kSecImportItemCertChain
 _kSecImportItemIdentity
-_kSecPolicyAppleX509Basic
-_kSecPolicyAppleSSL
-_kSecPolicyAppleSMIME
-_kSecPolicyAppleEAP
-_kSecPolicyAppleSWUpdateSigning
-_kSecPolicyApplePackageSigning
-_kSecPolicyAppleIPsec
-_kSecPolicyAppleiChat
-_kSecPolicyApplePKINITClient
-_kSecPolicyApplePKINITServer
+_kSecPolicyAppleAST2DiagnosticsServerAuth
+_kSecPolicyAppleATVVPNProfileSigning
 _kSecPolicyAppleCodeSigning
-_kSecPolicyMacAppStoreReceipt
+_kSecPolicyAppleEAP
+_kSecPolicyAppleEscrowProxyCompatibilityServerAuth
+_kSecPolicyAppleEscrowProxyServerAuth
+_kSecPolicyAppleEscrowService
+_kSecPolicyAppleExternalDeveloper
+_kSecPolicyAppleFactoryDeviceCertificate
+_kSecPolicyAppleFMiPServerAuth
+_kSecPolicyAppleGenericApplePinned
+_kSecPolicyAppleGenericAppleSSLPinned
+_kSecPolicyAppleGSService
+_kSecPolicyAppleHomeKitServerAuth
+_kSecPolicyAppleiAP
+_kSecPolicyAppleIDAuthority
+_kSecPolicyAppleIDSService
+_kSecPolicyAppleIDSServiceContext
 _kSecPolicyAppleIDValidation
-_kSecPolicyAppleTimeStamping
-_kSecPolicyAppleRevocation
-_kSecPolicyApplePassbookSigning
+_kSecPolicyAppleIDValidationRecordSigning
+_kSecPolicyAppleIDValidationRecordSigningPolicy
+_kSecPolicyAppleiPhoneActivation
+_kSecPolicyAppleiPhoneApplicationSigning
+_kSecPolicyAppleiPhoneDeviceCertificate
+_kSecPolicyAppleiPhoneProfileApplicationSigning
+_kSecPolicyAppleiPhoneProvisioningProfileSigning
+_kSecPolicyAppleIPsec
+_kSecPolicyAppleiTunesStoreURLBag
+_kSecPolicyAppleLegacyPushService
+_kSecPolicyAppleLockdownPairing
+_kSecPolicyAppleMMCSCompatibilityServerAuth
+_kSecPolicyAppleMMCSService
+_kSecPolicyAppleMobileAsset
 _kSecPolicyAppleMobileStore
-_kSecPolicyAppleEscrowService
+_kSecPolicyAppleOCSPSigner
+_kSecPolicyAppleOSXProvisioningProfileSigning
+_kSecPolicyAppleOTAPKISigner
+_kSecPolicyAppleOTATasking
+_kSecPolicyApplePackageSigning
+_kSecPolicyApplePassbookSigning
+_kSecPolicyApplePayIssuerEncryption
 _kSecPolicyApplePCSEscrowService
+_kSecPolicyApplePKINITClient
+_kSecPolicyApplePKINITServer
+_kSecPolicyApplePPQService
+_kSecPolicyApplePPQSigning
 _kSecPolicyAppleProfileSigner
+_kSecPolicyApplePushService
 _kSecPolicyAppleQAProfileSigner
-_kSecPolicyAppleTestMobileStore
+_kSecPolicyAppleRevocation
 _kSecPolicyAppleServerAuthentication
-_kSecPolicyAppleATVAppSigning
-_kSecPolicyAppleTestATVAppSigning
-_kSecPolicyApplePayIssuerEncryption
-_kSecPolicyAppleOSXProvisioningProfileSigning
-_kSecPolicyAppleATVVPNProfileSigning
-_kSecPolicyAppleAST2DiagnosticsServerAuth
-_kSecPolicyOid
-_kSecPolicyName
+_kSecPolicyAppleSMIME
+_kSecPolicyAppleSMPEncryption
+_kSecPolicyAppleSoftwareSigning
+_kSecPolicyAppleSSL
+_kSecPolicyAppleSWUpdateSigning
+_kSecPolicyAppleTestMobileStore
+_kSecPolicyAppleTestOTAPKISigner
+_kSecPolicyAppleTestPPQSigning
+_kSecPolicyAppleTestSMPEncryption
+_kSecPolicyAppleTimeStamping
+_kSecPolicyAppleTVOSApplicationSigning
+_kSecPolicyAppleUniqueDeviceIdentifierCertificate
+_kSecPolicyAppleURLBag
+_kSecPolicyAppleX509Basic
+_kSecPolicyMacAppStoreReceipt
+_kSecPolicyAppleAnchorIncludeTestRoots
+_kSecPolicyCheckAnchorSHA1
+_kSecPolicyCheckAnchorSHA256
+_kSecPolicyCheckAnchorApple
+_kSecPolicyCheckAnchorTrusted
+_kSecPolicyCheckBasicCertificateProcessing
+_kSecPolicyCheckBasicConstraints
+_kSecPolicyCheckBlackListedKey
+_kSecPolicyCheckBlackListedLeaf
+_kSecPolicyCheckCertificatePolicy
+_kSecPolicyCheckCertificateTransparency
+_kSecPolicyCheckChainLength
+_kSecPolicyCheckCriticalExtensions
+_kSecPolicyCheckEAPTrustedServerNames
+_kSecPolicyCheckEmail
+_kSecPolicyCheckExtendedKeyUsage
+_kSecPolicyCheckExtendedValidation
+_kSecPolicyCheckGrayListedKey
+_kSecPolicyCheckGrayListedLeaf
+_kSecPolicyCheckIdLinkage
+_kSecPolicyCheckIntermediateEKU
+_kSecPolicyCheckIntermediateMarkerOid
+_kSecPolicyCheckIntermediateSPKISHA256
+_kSecPolicyCheckIssuerCommonName
+_kSecPolicyCheckKeySize
+_kSecPolicyCheckKeyUsage
+_kSecPolicyCheckLeafMarkerOid
+_kSecPolicyCheckLeafMarkerOidWithoutValueCheck
+_kSecPolicyCheckNoNetworkAccess
+_kSecPolicyCheckNonEmptySubject
+_kSecPolicyCheckNotValidBefore
+_kSecPolicyCheckQualifiedCertStatements
+_kSecPolicyCheckRevocation
+_kSecPolicyCheckRevocationResponseRequired
+_kSecPolicyCheckRevocationOCSP
+_kSecPolicyCheckRevocationCRL
+_kSecPolicyCheckRevocationAny
+_kSecPolicyCheckSignatureHashAlgorithms
+_kSecPolicyCheckSSLHostname
+_kSecPolicyCheckSubjectCommonName
+_kSecPolicyCheckSubjectCommonNamePrefix
+_kSecPolicyCheckSubjectCommonNameTEST
+_kSecPolicyCheckSubjectOrganization
+_kSecPolicyCheckSubjectOrganizationalUnit
+_kSecPolicyCheckUsageConstraints
+_kSecPolicyCheckValidIntermediates
+_kSecPolicyCheckValidLeaf
+_kSecPolicyCheckValidRoot
+_kSecPolicyCheckWeakIntermediates
+_kSecPolicyCheckWeakLeaf
+_kSecPolicyCheckWeakRoot
 _kSecPolicyClient
+_kSecPolicyContext
+_kSecPolicyIntermediateMarkerOid
+_kSecPolicyLeafMarkerOid
+_kSecPolicyName
+_kSecPolicyOid
+_kSecPolicyPolicyName
 _kSecPolicyRevocationFlags
 _kSecPolicyTeamIdentifier
-_kSecPolicyKU_DigitalSignature
-_kSecPolicyKU_NonRepudiation
-_kSecPolicyKU_KeyEncipherment
+#if TARGET_OS_MAC && !TARGET_OS_IPHONE
+_kSecPolicyKU_CRLSign
 _kSecPolicyKU_DataEncipherment
+_kSecPolicyKU_DecipherOnly
+_kSecPolicyKU_DigitalSignature
+_kSecPolicyKU_EncipherOnly
 _kSecPolicyKU_KeyAgreement
 _kSecPolicyKU_KeyCertSign
-_kSecPolicyKU_CRLSign
-_kSecPolicyKU_EncipherOnly
-_kSecPolicyKU_DecipherOnly
+_kSecPolicyKU_KeyEncipherment
+_kSecPolicyKU_NonRepudiation
+#endif
 _kSecPropertyTypeTitle
 _kSecPropertyTypeError
 _kSecPropertyKeyType
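Review bot: `_kSecPolicyAppleAnchorIncludeTestRoots` and `_kSecPolicyCheckSubjectCommonNameTEST` are exported here alongside the production policy keys; by name they relax anchor and subject checks for test material, so confirm they are meant to be public symbols rather than SPI, and if they are, mark them `// test-only policy keys, exported for <consumer>` so the intent is recorded next to the export. The `_kSecPolicyKU_*` block is now wrapped in `#if TARGET_OS_MAC && !TARGET_OS_IPHONE`; that is the convention to reuse for any other macOS-only entries in this list.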
@@ -1461,8 +1629,25 @@ _kSecOIDX509V3SignedCertificate _kSecOIDX509V3SignedCertificateCStruct _kSecOIDSRVName _kSecRandomDefault +_kSecSignatureDigestAlgorithmUnknown +_kSecSignatureDigestAlgorithmMD2 +_kSecSignatureDigestAlgorithmMD4 +_kSecSignatureDigestAlgorithmMD5 +_kSecSignatureDigestAlgorithmSHA1 +_kSecSignatureDigestAlgorithmSHA224 +_kSecSignatureDigestAlgorithmSHA256 +_kSecSignatureDigestAlgorithmSHA384 +_kSecSignatureDigestAlgorithmSHA512 +_kSecTrustCertificateTransparency +_kSecTrustCertificateTransparencyWhiteList _kSecTrustEvaluationDate _kSecTrustExtendedValidation +_kSecTrustInfoCertificateTransparencyKey +_kSecTrustInfoCertificateTransparencyWhiteListKey +_kSecTrustInfoCompanyNameKey +_kSecTrustInfoExtendedValidationKey +_kSecTrustInfoRevocationKey +_kSecTrustInfoRevocationValidUntilKey _kSecTrustOrganizationName _kSecTrustResultDetails _kSecTrustResultValue @@ -1481,6 +1666,7 @@ _SecACLSetAuthorizations _SecACLUpdateAuthorizations _SecACLSetContents _SecACLSetSimpleContents +_SecBase64Encode _SecAccessCopyACLList _SecAccessCopySelectedACLList _SecAccessCopyMatchingACLList 
@@ -1496,19 +1682,36 @@ _SecCertificateAddToKeychain _SecCertificateBundleExport _SecCertificateBundleImport _SecCertificateCopyCommonName +_SecCertificateCopyCompanyName _SecCertificateCopyData -_SecCertificateCopySubjectComponent +_SecCertificateCopyDNSNames _SecCertificateCopyEmailAddresses +_SecCertificateCopyEscrowRoots _SecCertificateCopyFieldValues _SecCertificateCopyFirstFieldValue +_SecCertificateCopyiAPAuthCapabilities +_SecCertificateCopyIssuerSHA1Digest +_SecCertificateCopyIssuerSummary +_SecCertificateCopyLongDescription +_SecCertificateCopyNTPrincipalNames +_SecCertificateCopyPrecertTBS _SecCertificateCopyPreference _SecCertificateCopyPreferred _SecCertificateCopyPublicKey +_SecCertificateCopyPublicKey_ios _SecCertificateCopyPublicKeySHA1Digest _SecCertificateCopyPublicKeySHA1DigestFromCertificateData +_SecCertificateCopyRFC822Names _SecCertificateCopySHA256Digest +_SecCertificateCopyShortDescription +_SecCertificateCopySignedCertificateTimestamps +_SecCertificateCopySubjectComponent +_SecCertificateCopySubjectPublicKeyInfoSHA1Digest +_SecCertificateCopySubjectPublicKeyInfoSHA256Digest _SecCertificateCopySubjectSummary -_SecCertificateCopyDNSNames +_SecCertificateCopySubjectString +_SecCertificateCopySummaryProperties +_SecCertificateCopyValues _SecCertificateCreateItemImplInstance _SecCertificateCreateFromData _SecCertificateCreateWithBytes 
@@ -1524,15 +1727,48 @@ _SecCertificateGetCLHandle_legacy _SecCertificateGetCommonName _SecCertificateGetData _SecCertificateGetEmailAddress +_SecCertificateGetExcludedSubtrees _SecCertificateGetIssuer +_SecCertificateGetKeyUsage _SecCertificateGetLength +_SecCertificateGetPermittedSubtrees _SecCertificateGetSHA1Digest _SecCertificateGetSignatureHashAlgorithm _SecCertificateGetSubject +_SecCertificateGetSubjectAltName _SecCertificateGetType _SecCertificateGetTypeID +_SecCertificateHasMarkerExtension _SecCertificateInferLabel +_SecCertificateIsAtLeastMinKeySize +_SecCertificateIsCA _SecCertificateIsSelfSigned +_SecCertificateIsSelfSignedCA +_SecCertificateIsSignedBy +_SecCertificateIsWeak +_SecCertificateParseGeneralNameContentProperty +_SecCertificateParseGeneralNames +_SecCertificatePathCopyAddingLeaf +_SecCertificatePathCopyCertificates +_SecCertificatePathCopyFromParent +_SecCertificatePathCopyPublicKeyAtIndex +_SecCertificatePathCopyXPCArray +_SecCertificatePathCreate +_SecCertificatePathCreateSerialized +_SecCertificatePathGetCertificateAtIndex +_SecCertificatePathGetCount +_SecCertificatePathGetIndexOfCertificate +_SecCertificatePathGetNextSourceIndex +_SecCertificatePathGetRoot +_SecCertificatePathGetUsageConstraintsAtIndex +_SecCertificatePathHasWeakHash +_SecCertificatePathIsAnchored +_SecCertificatePathScore +_SecCertificatePathSelfSignedIndex +_SecCertificatePathSetIsAnchored +_SecCertificatePathSetNextSourceIndex +_SecCertificatePathSetSelfIssued +_SecCertificatePathVerify _SecCertificateRequestCreate _SecCertificateRequestGetTypeID _SecCertificateRequestSubmit 
@@ -1544,15 +1780,20 @@ _SecCertificateRequestGetData _SecCertificateReleaseFirstFieldValue _SecCertificateSetPreference _SecCertificateSetPreferred -_SecCertificateCopyValues -_SecCertificateCopyLongDescription -_SecCertificateCopyShortDescription -_SecCertificateCopyEscrowRoots +_SecCertificateVersion +_SecCertificateXPCArrayCopyArray _kSecCertificateProductionEscrowKey _kSecCertificateProductionPCSEscrowKey _kSecCertificateEscrowFileName +_SecCopyEncryptedToServer +_SecCopyEncryptedToServerKey +_SecCopyDecryptedForServer _SecCopyErrorMessageString +_SecDigestCreate _SecDigestGetData +_SecSHA256DigestCreateFromData +_SecDistinguishedNameCopyNormalizedContent +_SecErrorGetOSStatus _SecIdentityAddPreferenceItem _SecIdentityCompare _SecIdentityCopyCertificate @@ -1578,6 +1819,12 @@ _SecInferLabelFromX509Name _SecItemAdd _SecItemCopyDisplayNames _SecItemCopyMatching +_SecItemCopyParentCertificates +_SecItemCopyStoredCertificate +#if TARGET_OS_EMBEDDED +_SecCopyLastError +_SecItemUpdateWithError +#endif #if TARGET_OS_MAC _SecItemAdd_ios _SecItemCopyMatching_ios @@ -1586,7 +1833,11 @@ _SecItemUpdate_ios #endif _SecItemDelete _SecItemUpdate +_SecItemUpdateTokenItems +_SecItemDeleteAllWithAccessGroups __SecItemGetPersistentReference +__SecItemMakePersistentRef +__SecItemParsePersistentRef _kSecAttrKeyTypeRSA _kSecAttrKeyTypeDSA _kSecAttrKeyTypeAES @@ -1597,6 +1848,7 @@ _kSecAttrKeyTypeRC2 _kSecAttrKeyTypeCAST _kSecAttrKeyTypeECDSA _kSecAttrKeyTypeEC +_kSecAttrKeyTypeECSECPrimeRandom _kSecAttrPRF _kSecAttrPRFHmacAlgSHA1 _kSecAttrPRFHmacAlgSHA224 
@@ -1608,14 +1860,33 @@ _kSecAttrRounds _SecECKeyGetNamedCurve _SecItemExport _SecItemImport +_CreatePrivateKeyMatchingQuery +_SecKeyCopyAttestationKey +_SecKeyCopyAttributes +_SecKeyCopyExponent +_SecKeyCopyExternalRepresentation +_SecKeyCopyKeyExchangeResult +_SecKeyCopyPersistentRef _SecKeyCopyPublicBytes +_SecKeyCopyPublicKey +_SecKeyCopyMatchingPrivateKey _SecKeyCopyModulus -_SecKeyCopyExponent _SecKeyCreate +_SecKeyCreateAttestation +_SecKeyCreateDecryptedData +_SecKeyCreateEncryptedData +_SecKeyCreateFromAttributeDictionary +_SecKeyCreateFromPublicBytes +_SecKeyCreateFromSubjectPublicKeyInfoData _SecKeyCreatePair +_SecKeyCreatePersistentRefToMatchingPrivateKey _SecKeyCreateRSAPublicKey +_SecKeyCreateRandomKey +_SecKeyCreateSignature _SecKeyCreateWithCSSMKey +_SecKeyCreateWithData _SecKeyDecrypt +_SecKeyDigestAndVerify _SecKeyEncrypt _SecKeyGenerate _SecKeyGeneratePair @@ -1625,13 +1896,18 @@ _SecKeyGetBlockSize _SecKeyGetCSPHandle _SecKeyGetCSSMKey _SecKeyGetCredentials +_SecKeyGetMatchingPrivateKeyStatus +_SecKeyGetSize _SecKeyGetStrengthInBits _SecKeyGetTypeID _SecKeyImportPair +_SecKeyIsAlgorithmSupported _SecKeyRawSign _SecKeyRawVerify +_SecKeySetParameter _SecKeySignDigest _SecKeyVerifyDigest +_SecKeyVerifySignature _SecKeyGenerateSymmetric _SecKeyCreateFromData _SecKeyCreateFromPublicData @@ -1646,6 +1922,7 @@ _SecKeychainAddGenericPassword _SecKeychainAddIToolsPassword _SecKeychainAddInternetPassword _SecKeychainAttributeInfoForItemID +_SecKeychainAttemptMigrationWithMasterKey _SecKeychainChangePassword _SecKeychainCopyAccess _SecKeychainCopyBlob @@ -1674,6 +1951,7 @@ _SecKeychainGetTypeID _SecKeychainGetUserInteractionAllowed _SecKeychainGetVersion _SecKeychainGetKeychainVersion +_SecKeychainGetUserPromptAttempts _SecKeychainMDSInstall _SecKeychainIsValid _SecKeychainItemAdd 
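Review bot: `_CreatePrivateKeyMatchingQuery` is the only symbol added in this hunk without the `Sec` prefix, so it reads like an internal helper that landed in the export list next to `_SecKeyCopyMatchingPrivateKey` and `_SecKeyCreatePersistentRefToMatchingPrivateKey`. Every other key SPI added here follows the `_SecKey*` convention, and an unprefixed name exported from a system framework ends up in every client's global symbol namespace. If it must be exported for a sibling binary or a test, a heading comment such as `// internal: exported for securityd/tests only, not API` above it would record that; otherwise it is probably better dropped from the list.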
@@ -1751,81 +2029,165 @@ __SecKeychainSyncUpdateMessage _SecKeychainUnlock _SecKeychainVerifyKeyStorePassphrase _SecKeychainChangeKeyStorePassphrase +_SecKeychainStoreUnlockKeyWithPubKeyHash +_SecKeychainEraseUnlockKeyWithPubKeyHash _SecGenericPasswordCreate _SecPasswordSetInitialAccess _SecPasswordAction _SecPKCS12Import +_SecPolicyCheckCertEAPTrustedServerNames +_SecPolicyCheckCertEmail +_SecPolicyCheckCertExtendedKeyUsage +_SecPolicyCheckCertLeafMarkerOid +_SecPolicyCheckCertLeafMarkerOidWithoutValueCheck +_SecPolicyCheckCertKeyUsage +_SecPolicyCheckCertNotValidBefore +_SecPolicyCheckCertSignatureHashAlgorithms +_SecPolicyCheckCertSSLHostname +_SecPolicyCheckCertSubjectCommonName +_SecPolicyCheckCertSubjectCommonNamePrefix +_SecPolicyCheckCertSubjectCommonNameTEST +_SecPolicyCheckCertSubjectOrganization +_SecPolicyCheckCertSubjectOrganizationalUnit +_SecPolicyCopyProperties +_SecPolicyCreate +_SecPolicyCreateAppleAST2Service +_SecPolicyCreateAppleATVVPNProfileSigning +_SecPolicyCreateAppleCompatibilityEscrowProxyService +_SecPolicyCreateAppleCompatibilityMMCSService +_SecPolicyCreateAppleEscrowProxyService +_SecPolicyCreateAppleExternalDeveloper +_SecPolicyCreateAppleFMiPService _SecPolicyCreateAppleGSService +_SecPolicyCreateAppleHomeKitServerAuth +_SecPolicyCreateAppleIDAuthorityPolicy _SecPolicyCreateAppleIDSService _SecPolicyCreateAppleIDSServiceContext -_SecPolicyCreateApplePushService -_SecPolicyCreateApplePushServiceLegacy +_SecPolicyCreateAppleIDValidationRecordSigningPolicy _SecPolicyCreateAppleMMCSService -_SecPolicyCreateApplePPQService -_SecPolicyCreateAppleAST2Service -_SecPolicyCreateAppleATVAppSigning -_SecPolicyCreateTestAppleATVAppSigning -_SecPolicyCreateAppleATVVPNProfileSigning +_SecPolicyCreateApplePackageSigning _SecPolicyCreateApplePayIssuerEncryption +_SecPolicyCreateApplePinned +_SecPolicyCreateApplePPQService +_SecPolicyCreateApplePPQSigning +_SecPolicyCreateApplePushService +_SecPolicyCreateApplePushServiceLegacy 
+_SecPolicyCreateAppleSMPEncryption +_SecPolicyCreateAppleSoftwareSigning +_SecPolicyCreateAppleSSLPinned _SecPolicyCreateAppleSSLService +_SecPolicyCreateAppleTimeStamping +_SecPolicyCreateAppleTVOSApplicationSigning _SecPolicyCreateBasicX509 +_SecPolicyCreateCodeSigning +_SecPolicyCreateConfigurationProfileSigner +_SecPolicyCreateEAP +_SecPolicyCreateEscrowServiceSigner +_SecPolicyCreateFactoryDeviceCertificate +_SecPolicyCreateiAP +_SecPolicyCreateiPhoneActivation +_SecPolicyCreateiPhoneApplicationSigning +_SecPolicyCreateiPhoneDeviceCertificate +_SecPolicyCreateiPhoneProfileApplicationSigning +_SecPolicyCreateiPhoneProvisioningProfileSigning +_SecPolicyCreateIPSec +_SecPolicyCreateiTunesStoreURLBag +_SecPolicyCreateLockdownPairing +_SecPolicyCreateMacAppStoreReceipt +_SecPolicyCreateMobileAsset +_SecPolicyCreateMobileStoreSigner +_SecPolicyCreateOCSPSigner _SecPolicyCreateOSXProvisioningProfileSigning +_SecPolicyCreateOTAPKISigner +_SecPolicyCreateOTATasking +_SecPolicyCreatePassbookCardSigner +_SecPolicyCreatePCSEscrowServiceSigner +_SecPolicyCreateQAConfigurationProfileSigner _SecPolicyCreateRevocation _SecPolicyCreateSSL -_SecPolicyCreateWithOID +_SecPolicyCreateSMIME +_SecPolicyCreateTestApplePPQSigning +_SecPolicyCreateTestAppleSMPEncryption +_SecPolicyCreateTestMobileStoreSigner +_SecPolicyCreateTestOTAPKISigner +_SecPolicyCreateAppleUniqueDeviceCertificate +_SecPolicyCreateURLBag _SecPolicyCreateWithProperties +_SecPolicyGetName +_SecPolicyGetOidString +_SecPolicyGetTypeID +_SecPolicyXPCArrayCopyArray +#if TARGET_OS_MAC && !TARGET_OS_IPHONE +_SecPolicyCopy +_SecPolicyCopyAll _SecPolicyCreateAppleTimeStampingAndRevocationPolicies -_SecPolicyCreateApplePackageSigning -_SecPolicyCreateAppleSWUpdateSigning -_SecPolicyCreateAppleHomeKitServerAuth +_SecPolicyCreateItemImplInstance +_SecPolicyCreateWithOID _SecPolicyGetOID +_SecPolicyGetStringForOID _SecPolicyGetTPHandle -_SecPolicyGetTypeID _SecPolicyGetValue _SecPolicySearchCopyNext _SecPolicySearchCreate 
_SecPolicySearchGetTypeID -_SecPolicySetValue -_SecPolicyCopy -_SecPolicyCopyAll -_SecPolicyCopyProperties _SecPolicySetProperties -_SecPolicyCopyEscrowRootCertificates -_SecTrustCopyAnchorCertificates +_SecPolicySetValue +#endif _SecTrustCopyCustomAnchorCertificates +_SecTrustCopyDetailedPropertiesAtIndex _SecTrustCopyExceptions -_SecTrustCopyExtendedResult +_SecTrustCopyFailureDescription +_SecTrustCopyInfo _SecTrustCopyPolicies _SecTrustCopyProperties _SecTrustCopyPublicKey _SecTrustCopyResult +_SecTrustCopySummaryPropertiesAtIndex _SecTrustCreateWithCertificates +_SecTrustDeserialize _SecTrustEvaluate _SecTrustEvaluateAsync +_SecTrustEvaluateLeafOnly _SecTrustGetCertificateAtIndex _SecTrustGetCertificateCount -_SecTrustGetCSSMAnchorCertificates -_SecTrustGetCssmResult -_SecTrustGetCssmResultCode +_SecTrustGetDetails +_SecTrustGetKeychainsAllowed _SecTrustGetNetworkFetchAllowed -_SecTrustGetResult +_SecTrustGetOTAPKIAssetVersionNumber _SecTrustGetTrustResult -_SecTrustGetTPHandle _SecTrustGetTypeID -_SecTrustGetUserTrust _SecTrustGetVerifyTime +_SecTrustOTAPKIGetUpdatedAsset +_SecTrustSerialize _SecTrustSetAnchorCertificates _SecTrustSetAnchorCertificatesOnly _SecTrustSetExceptions -_SecTrustSetKeychains +_SecTrustSetKeychainsAllowed _SecTrustSetNetworkFetchAllowed _SecTrustSetOCSPResponse +_SecTrustSetPolicies +_SecTrustSetSignedCertificateTimestamps +_SecTrustSetTrustedLogs +_SecTrustSetVerifyDate +#if TARGET_OS_MAC && !TARGET_OS_IPHONE +_SecTrustCopyAnchorCertificates +_SecTrustCopyExtendedResult +_SecTrustCopyProperties_ios +_SecTrustGetCSSMAnchorCertificates +_SecTrustGetCssmResult +_SecTrustGetCssmResultCode +_SecTrustGetResult +_SecTrustGetTPHandle +_SecTrustGetUserTrust +_SecTrustLegacySourcesEventRunloopCreate +_SecTrustLegacyCRLFetch +_SecTrustLegacyCRLStatus +_SecTrustSetKeychains _SecTrustSetOptions _SecTrustSetParameters -_SecTrustSetPolicies _SecTrustSetUserTrust _SecTrustSetUserTrustLegacy -_SecTrustSetVerifyDate +#endif 
_SecTrustedApplicationCopyData _SecTrustedApplicationCreateFromPath _SecTrustedApplicationCreateApplicationGroup @@ -1845,6 +2207,7 @@ _SecTrustSettingsCopyTrustSettings _SecTrustSettingsSetTrustSettings _SecTrustSettingsRemoveTrustSettings _SecTrustSettingsCopyCertificates +_SecTrustSettingsCopyCertificatesForUserAdminDomains _SecTrustSettingsCopyModificationDate _SecTrustSettingsCreateExternalRepresentation _SecTrustSettingsImportExternalRepresentation @@ -1858,6 +2221,7 @@ _SecCertificateGetCRLDistributionPoints _SecCertificateGetOCSPResponders _SecCertificateGetCAIssuers _SecCertificateShow +_SecCertificateCreateOidDataFromString _SecCertificateCopyIssuerSequence _SecCertificateCopySubjectSequence _SecCertificateGetNormalizedIssuerContent @@ -1865,6 +2229,7 @@ _SecCertificateGetNormalizedSubjectContent _SecCertificateHasSubject _SecCertificateHasCriticalSubjectAltName _SecCertificateHasUnknownCriticalExtension +_SecCertificateIsOidString _SecCertificateIsValid _SecCertificateIsValidX _SecCertificateNotValidBefore @@ -1876,6 +2241,7 @@ _SecCertificateGetBasicConstraints _SecCertificateGetPolicyConstraints _SecCertificateGetPolicyMappings _SecCertificateGetCertificatePolicies +_SecCertificateGetiAuthVersion _SecCertificateGetInhibitAnyPolicySkipCerts _SecCertificateGetPublicKeyAlgorithm _SecCertificateGetPublicKeyData @@ -1883,6 +2249,7 @@ _SecCertificateCreateWithPEM _SecCertificateCopySerialNumber _SecCertificateCopyNormalizedIssuerContent _SecCertificateCopyNormalizedSubjectContent +_SecCertificateCopyProperties _SecDERItemCopyOIDDecimalRepresentation _SecAbsoluteTimeFromDateContent _SecWrapRecoveryPasswordWithAnswers @@ -1906,6 +2273,7 @@ __SecKeychainBackupSyncable __SecKeychainRestoreSyncable __SecKeychainWriteBackupToFileDescriptor __SecKeychainRestoreBackupFromFileDescriptor +__SecKeychainCopyKeybagUUIDFromFileDescriptor _SecItemBackupWithRegisteredBackups _SecItemBackupSetConfirmedManifest _SecItemBackupRestore 
@@ -1915,7 +2283,23 @@ __SecSecuritydCopyWhoAmI __SecSyncBubbleTransfer __SecSystemKeychainTransfer __SecSyncDeleteUserViews - +_SecOTRFullIdentityCreateFromSecKeyRef +_SecOTRPublicIdentityCreateFromSecKeyRef +_SecOTRSAppendRestartPacket +_SecOTRSAppendSerialization +_SecOTRSAppendStartPacket +_SecOTRSessionCreateFromData +_SecOTRSessionCreateFromID +_SecOTRSessionCreateFromIDAndFlags +_SecOTRSessionReset +_SecOTRSGetIsIdle +_SecOTRSGetIsReadyForMessages +_SecOTRSGetMessageKind +_SecOTRSIsForKeys +_SecOTRSProcessPacket +_SecOTRSSignAndProtectMessage +_SecOTRSVerifyAndExposeMessage +__SecTokenItemCopyValueData // // libsecurity_manifest @@ -1953,6 +2337,18 @@ _MDS_RemoveSubservice // // libsecurity_smime // +_kSecCMSSignDigest +_kSecCMSSignDetached +_kSecCMSSignHashAlgorithm +_kSecCMSCertChainMode +_kSecCMSAdditionalCerts +_kSecCMSSignedAttributes +_kSecCMSSignDate +_kSecCMSAllCerts +_kSecCMSHashingAlgorithmSHA1 +_kSecCMSHashingAlgorithmSHA256 +_kSecCMSHashingAlgorithmSHA384 +_kSecCMSHashingAlgorithmSHA512 _SecArenaPoolCreate _SecArenaPoolFree _SecCmsContentInfoGetBulkKey @@ -1973,6 +2369,7 @@ _SecCmsContentInfoSetContentEncryptedData _SecCmsContentInfoSetContentEnvelopedData _SecCmsContentInfoSetContentSignedData _SecCmsContentInfoSetContentOther +_SecCMSCreateSignedData _SecCmsDecoderCreate _SecCmsDecoderDestroy _SecCmsDecoderFinish @@ -2067,7 +2464,11 @@ _SecCmsSignerInfoSaveSMIMEProfile _SecCmsUtilVerificationStatusToString _SecSMIMEFindBulkAlgForRecipients _SecCMSCertificatesOnlyMessageCopyCertificates +_SecCMSCreateCertificatesOnlyMessage _SecCMSCreateCertificatesOnlyMessageIAP +_SecCMSVerify +_SecCMSVerifyCopyDataAndAttributes +_SecCMSVerifySignedData // // libsecurity_ssl @@ -2119,6 +2520,7 @@ _SSLGetCipherSizes _SSLInternal_PRF _SSLNewContext _SSLRead +_SSLReHandshake _SSLSetAllowsAnyRoot _SSLSetAllowsExpiredCerts _SSLSetAllowsExpiredRoots 
@@ -2177,11 +2579,9 @@ _SSLSetPSKSharedSecret _SSLSetPSKIdentity _SSLSetMinimumDHGroupSize _SSLGetMinimumDHGroupSize -_SSLSetSessionStrengthPolicy _SSLSetDHEEnabled _SSLGetDHEEnabled _SSLSetSessionConfig -_SSLGetSessionConfig _kSSLSessionConfig_default _kSSLSessionConfig_ATSv1 @@ -2192,6 +2592,7 @@ _kSSLSessionConfig_RC4_fallback _kSSLSessionConfig_TLSv1_fallback _kSSLSessionConfig_TLSv1_RC4_fallback _kSSLSessionConfig_legacy_DHE +_kSSLSessionConfig_anonymous // // libsecurity_transform @@ -2298,10 +2699,20 @@ _SecKeyCreatePublicFromPrivate // // libsecurity_utilities // -_add_security_log_handler -_remove_security_log_handler _secdebug_internal _secdebugfunc_internal +#ifdef TARGET_OS_OSX +_weak_os_log_impl +_weak_os_log_create +_weak_os_log_type_enabled +_logObjForScope +#endif + +// +// utilities +// +_readFileSizet +_writeFileSizet // // libSecureObjectSync @@ -2331,6 +2742,7 @@ _kSecPasswordCharacterCount _kSecPasswordGroupSize _kSecPasswordNumberOfGroups _kSecPasswordSeparator +_SecCFAllocatorZeroize // // Logging @@ -2345,11 +2757,6 @@ _SecSetLoggingInfoForCircleScope // #include "../sec/Security/SecAccessControlExports.exp-in" -// -// utilities -// -_SecSecdUsage - // SecDH _SecDHComputeKey _SecDHCreate @@ -2460,3 +2867,24 @@ _oidExtendedKeyUsageMicrosoftSGC _oidExtendedKeyUsageNetscapeSGC _oidGoogleEmbeddedSignedCertificateTimestamp _oidGoogleOCSPSignedCertificateTimestamp + +// +// anchor-test SPIs +// +_SecIsAppleTrustAnchorData +_SecIsAppleTrustAnchor + +// +// libsecurity_translocate +// +_SecTranslocateStartListening +_SecTranslocateStartListeningWithOptions +_SecTranslocateCreateSecureDirectoryForURL +_SecTranslocateDeleteSecureDirectory +_SecTranslocateAppLaunchCheckin +_SecTranslocateURLShouldRunTranslocated +_SecTranslocateIsTranslocatedURL +_SecTranslocateCreateOriginalPathForURL + +_secLogDisable +_secLogEnable diff --git a/OSX/libsecurity_apple_csp/TODO b/OSX/libsecurity_apple_csp/TODO deleted file mode 100644 index cbdab795..00000000 
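Review bot: `_SSLSetSessionStrengthPolicy` and `_SSLGetSessionConfig` are removed from the export list while `_SSLSetSessionConfig` stays, which leaves the setter without its getter and drops two previously exported symbols. Unless neither symbol ever shipped in a released Security.framework, a client that linked against them will fail to load with a missing-symbol error from dyld, so this is an ABI break worth calling out in the commit description. The following hunk adds `_kSSLSessionConfig_anonymous`; since the name suggests a configuration that tolerates unauthenticated key exchange, a one-line `// anonymous: no server authentication — intended for <consumer> only` note beside it would help whoever next audits this list.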
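Review bot: The new logging block is guarded with `#ifdef TARGET_OS_OSX`, whereas every other platform guard in this file is spelled `#if TARGET_OS_MAC && !TARGET_OS_IPHONE`. As far as I know TargetConditionals.h defines `TARGET_OS_OSX` to 0 or 1 on every platform in SDKs that know the macro, so `#ifdef` is true for iOS builds too (and false everywhere with an older SDK), which would export `_weak_os_log_impl`, `_weak_os_log_create`, `_weak_os_log_type_enabled` and `_logObjForScope` on the wrong platforms; `#if TARGET_OS_MAC && !TARGET_OS_IPHONE` matches both the rest of the file and the apparent intent. Separately, `_readFileSizet` and `_writeFileSizet` are exported under a new `utilities` heading without a `Sec` prefix, and `_secLogDisable`/`_secLogEnable` are appended at the very end with no heading at all; a prefix and a `// logging` heading would keep the list consistent. This assumes the exports file is run through the C preprocessor, as the existing `#if` blocks suggest.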
--- a/OSX/libsecurity_apple_csp/TODO +++ /dev/null @@ -1 +0,0 @@ -Things TODO in AppleCSPDL diff --git a/OSX/libsecurity_apple_csp/lib/AppleCSP.cpp b/OSX/libsecurity_apple_csp/lib/AppleCSP.cpp index ec9e78ca..1d536c06 100644 --- a/OSX/libsecurity_apple_csp/lib/AppleCSP.cpp +++ b/OSX/libsecurity_apple_csp/lib/AppleCSP.cpp @@ -378,7 +378,7 @@ void AppleCSPSession::addRefKey( cssmKey.KeyHeader.BlobType = CSSM_KEYBLOB_REFERENCE; cssmKey.KeyHeader.Format = CSSM_KEYBLOB_REF_FORMAT_INTEGER; keyRefToCssmData(keyRef, cssmKey.KeyData, normAllocator); - secdebug("freeKey", "CSP addRefKey key %p keyData %p keyRef %p", + secinfo("freeKey", "CSP addRefKey key %p keyData %p keyRef %p", &cssmKey, cssmKey.KeyData.Data, &binKey); } @@ -432,7 +432,7 @@ void AppleCSPSession::FreeKey( StLock<Mutex> _(refKeyMapLock); BinaryKey *binKey = lookupKeyRef(keyRef); if(binKey != NULL) { - secdebug("freeKey", "CSP FreeKey key %p keyData %p binKey %p", + secinfo("freeKey", "CSP FreeKey key %p keyData %p binKey %p", &KeyPtr, KeyPtr.KeyData.Data, binKey); try { refKeyMap.erase(keyRef); @@ -444,7 +444,7 @@ void AppleCSPSession::FreeKey( } } else { - secdebug("freeKey", "CSP freeKey unknown key"); + secinfo("freeKey", "CSP freeKey unknown key"); } } } diff --git a/OSX/libsecurity_apple_csp/lib/AppleCSPUtils.cpp b/OSX/libsecurity_apple_csp/lib/AppleCSPUtils.cpp index 5ba459d3..a167f25a 100644 --- a/OSX/libsecurity_apple_csp/lib/AppleCSPUtils.cpp +++ b/OSX/libsecurity_apple_csp/lib/AppleCSPUtils.cpp @@ -625,7 +625,7 @@ static CssmUniformDate *cspNow() return new CssmUniformDate(cfTime); } -#define keyDateDebug(args...) secdebug("keyDate", ## args) +#define keyDateDebug(args...) secinfo("keyDate", ## args) /* * Verify temporal validity of specified key. diff --git a/OSX/libsecurity_apple_csp/lib/BlockCryptor.cpp b/OSX/libsecurity_apple_csp/lib/BlockCryptor.cpp index d694ee91..72e5e058 100644 --- a/OSX/libsecurity_apple_csp/lib/BlockCryptor.cpp +++ b/OSX/libsecurity_apple_csp/lib/BlockCryptor.cpp 
@@ -30,9 +30,9 @@ #include <security_utilities/debugging.h> #include <security_cdsa_utilities/cssmdata.h> -#define BlockCryptDebug(args...) secdebug("blockCrypt", ## args) -#define bprintf(args...) secdebug("blockCryptBuf", ## args) -#define ioprintf(args...) secdebug("blockCryptIo", ## args) +#define BlockCryptDebug(args...) secinfo("blockCrypt", ## args) +#define bprintf(args...) secinfo("blockCryptBuf", ## args) +#define ioprintf(args...) secinfo("blockCryptIo", ## args) BlockCryptor::~BlockCryptor() { diff --git a/OSX/libsecurity_apple_csp/lib/DH_keys.cpp b/OSX/libsecurity_apple_csp/lib/DH_keys.cpp index 81fbafee..6060dfe5 100644 --- a/OSX/libsecurity_apple_csp/lib/DH_keys.cpp +++ b/OSX/libsecurity_apple_csp/lib/DH_keys.cpp @@ -32,7 +32,7 @@ #include <Security/oidsalg.h> #include <YarrowConnection.h> -#define dhKeyDebug(args...) secdebug("dhKey", ## args) +#define dhKeyDebug(args...) secinfo("dhKey", ## args) /* * FIXME - the CDSA Algorithm Guide claims that the incoming params argument diff --git a/OSX/libsecurity_apple_csp/lib/DH_keys.h b/OSX/libsecurity_apple_csp/lib/DH_keys.h index 95966cb2..b6602116 100644 --- a/OSX/libsecurity_apple_csp/lib/DH_keys.h +++ b/OSX/libsecurity_apple_csp/lib/DH_keys.h @@ -39,7 +39,7 @@ #define DH_MIN_KEY_SIZE 512 /* FIXME */ #define DH_MAX_KEY_SIZE 2048 -#define cspDhDebug(args...) secdebug("dhDebug", ## args) +#define cspDhDebug(args...) secinfo("dhDebug", ## args) /* * Diffie-Hellman version of a BinaryKey. diff --git a/OSX/libsecurity_apple_csp/lib/DH_utils.cpp b/OSX/libsecurity_apple_csp/lib/DH_utils.cpp index 3eccf481..895e6dc0 100644 --- a/OSX/libsecurity_apple_csp/lib/DH_utils.cpp +++ b/OSX/libsecurity_apple_csp/lib/DH_utils.cpp @@ -30,7 +30,7 @@ #include <openssl/dh.h> #include <openssl/err.h> -#define dhMiscDebug(args...) secdebug("dhMisc", ## args) +#define dhMiscDebug(args...) secinfo("dhMisc", ## args) /* * Given a Context: 
diff --git a/OSX/libsecurity_apple_csp/lib/FEECSPUtils.cpp b/OSX/libsecurity_apple_csp/lib/FEECSPUtils.cpp index 7e29a84c..8c317b80 100644 --- a/OSX/libsecurity_apple_csp/lib/FEECSPUtils.cpp +++ b/OSX/libsecurity_apple_csp/lib/FEECSPUtils.cpp @@ -30,7 +30,7 @@ #include <security_cryptkit/feeFunctions.h> #include <security_cryptkit/feePublicKey.h> -#define feeMiscDebug(args...) secdebug("feeMisc", ## args) +#define feeMiscDebug(args...) secinfo("feeMisc", ## args) /* Given a FEE error, throw appropriate CssmError */ void CryptKit::throwCryptKit( diff --git a/OSX/libsecurity_apple_csp/lib/FEEKeys.cpp b/OSX/libsecurity_apple_csp/lib/FEEKeys.cpp index 5571510d..7ce18248 100644 --- a/OSX/libsecurity_apple_csp/lib/FEEKeys.cpp +++ b/OSX/libsecurity_apple_csp/lib/FEEKeys.cpp @@ -34,7 +34,7 @@ #include <assert.h> #include <security_utilities/debugging.h> -#define feeKeyDebug(args...) secdebug("feeKey", ## args) +#define feeKeyDebug(args...) secinfo("feeKey", ## args) /*** *** FEE-style BinaryKey @@ -69,7 +69,7 @@ void CryptKit::FEEBinaryKey::generateKeyBlob( CSSM_KEYATTR_FLAGS &attrFlags) /* IN/OUT */ { unsigned char *keyBlob; - unsigned len; + unsigned len = 0; feeReturn frtn = FR_Internal; bool freeTheKey = false; feePubKey keyToEncode = mFeeKey; @@ -243,7 +243,11 @@ void CryptKit::FEEKeyPairGenContext::generate( } } - + +void CryptKit::FEEKeyPairGenContext::generate(const Context &context, uint32, CssmData ¶ms, uint32 &attrCount, Context::Attr * &attrs) { + CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); +} + // this one is specified in, and called from, AppleKeyPairGenContext void CryptKit::FEEKeyPairGenContext::generate( const Context &context, diff --git a/OSX/libsecurity_apple_csp/lib/FEEKeys.h b/OSX/libsecurity_apple_csp/lib/FEEKeys.h index 54d6b009..58830615 100644 --- a/OSX/libsecurity_apple_csp/lib/FEEKeys.h +++ b/OSX/libsecurity_apple_csp/lib/FEEKeys.h 
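Review bot: The new `FEEKeyPairGenContext::generate` stub names `context`, `params`, `attrCount` and `attrs` but never reads them, so with `-Wunused-parameter` it warns on four parameters; leaving them unnamed like the `uint32` already is — `void CryptKit::FEEKeyPairGenContext::generate(const Context &, uint32, CssmData &, uint32 &, Context::Attr *&)` — keeps the stub warning-free (the `¶ms` on this page is presumably `&params` mangled by rendering). The stub also carries no comment in the .cpp, and the motivation has to be guessed from the hunk; I would add `// Explicitly overridden to throw rather than silently hide the base-class overload; only the (Context, CssmKey&, CssmKey&) form is supported here.` above it, to be confirmed against CSPFullPluginSession. An identical stub is added to `RSAKeyPairGenContext` in RSA_DSA_keys.cpp below; if both classes derive from `AppleKeyPairGenContext`, one implementation there would avoid the duplication. The enclosing class definitions are outside this hunk.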
@@ -74,6 +74,9 @@ public: const Context &context, CssmKey &pubKey, CssmKey &privKey); + + // declared in CSPFullPluginSession, but not implemented here + void generate(const Context &context, uint32, CssmData ¶ms, uint32 &attrCount, Context::Attr * &attrs); // this one is specified in, and called from, AppleKeyPairGenContext void generate( diff --git a/OSX/libsecurity_apple_csp/lib/FEESignatureObject.cpp b/OSX/libsecurity_apple_csp/lib/FEESignatureObject.cpp index 6cd2dffb..6b868b7a 100644 --- a/OSX/libsecurity_apple_csp/lib/FEESignatureObject.cpp +++ b/OSX/libsecurity_apple_csp/lib/FEESignatureObject.cpp @@ -31,7 +31,7 @@ #include <assert.h> #include <security_utilities/debugging.h> -#define feeSigObjDebug(args...) secdebug("feeSig", ##args) +#define feeSigObjDebug(args...) secinfo("feeSig", ##args) CryptKit::FEESigner::~FEESigner() { diff --git a/OSX/libsecurity_apple_csp/lib/RSA_DSA_keys.cpp b/OSX/libsecurity_apple_csp/lib/RSA_DSA_keys.cpp index 8a7a9553..e73c092f 100644 --- a/OSX/libsecurity_apple_csp/lib/RSA_DSA_keys.cpp +++ b/OSX/libsecurity_apple_csp/lib/RSA_DSA_keys.cpp @@ -34,7 +34,7 @@ #define RSA_PUB_EXPONENT 0x10001 /* recommended by RSA */ -#define rsaKeyDebug(args...) secdebug("rsaKey", ## args) +#define rsaKeyDebug(args...) secinfo("rsaKey", ## args) /*** @@ -193,6 +193,10 @@ void RSAKeyPairGenContext::generate( } } + +void RSAKeyPairGenContext::generate(const Context &context, uint32, CssmData ¶ms, uint32 &attrCount, Context::Attr * &attrs) { + CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); +} // this one is specified in, and called from, AppleKeyPairGenContext void RSAKeyPairGenContext::generate( diff --git a/OSX/libsecurity_apple_csp/lib/RSA_DSA_keys.h b/OSX/libsecurity_apple_csp/lib/RSA_DSA_keys.h index 83a0e735..dc24124c 100644 --- a/OSX/libsecurity_apple_csp/lib/RSA_DSA_keys.h +++ b/OSX/libsecurity_apple_csp/lib/RSA_DSA_keys.h 
@@ -103,6 +103,9 @@ public: CssmKey &pubKey, CssmKey &privKey); + // declared in CSPFullPluginSession, but not implemented here + void generate(const Context &context, uint32, CssmData ¶ms, uint32 &attrCount, Context::Attr * &attrs); + // this one is specified in, and called from, AppleKeyPairGenContext void generate( const Context &context, diff --git a/OSX/libsecurity_apple_csp/lib/RSA_DSA_signature.cpp b/OSX/libsecurity_apple_csp/lib/RSA_DSA_signature.cpp index d1be94cb..ae818296 100644 --- a/OSX/libsecurity_apple_csp/lib/RSA_DSA_signature.cpp +++ b/OSX/libsecurity_apple_csp/lib/RSA_DSA_signature.cpp @@ -29,7 +29,7 @@ #include <opensslUtils/opensslUtils.h> #include <opensslUtils/opensslAsn1.h> -#define rsaSigDebug(args...) secdebug("rsaSig", ## args) +#define rsaSigDebug(args...) secinfo("rsaSig", ## args) static ModuleNexus<Mutex> gMutex; diff --git a/OSX/libsecurity_apple_csp/lib/RSA_DSA_utils.cpp b/OSX/libsecurity_apple_csp/lib/RSA_DSA_utils.cpp index 6f15d7a5..8b88333a 100644 --- a/OSX/libsecurity_apple_csp/lib/RSA_DSA_utils.cpp +++ b/OSX/libsecurity_apple_csp/lib/RSA_DSA_utils.cpp @@ -35,7 +35,7 @@ #include <security_utilities/globalizer.h> #include <CoreFoundation/CFNumber.h> -#define rsaMiscDebug(args...) secdebug("rsaMisc", ## args) +#define rsaMiscDebug(args...) secinfo("rsaMisc", ## args) /* * Obtain and cache max key sizes. System preferences only consulted diff --git a/OSX/libsecurity_apple_csp/lib/RSA_asymmetric.cpp b/OSX/libsecurity_apple_csp/lib/RSA_asymmetric.cpp index 7d0f0222..d0983f5b 100644 --- a/OSX/libsecurity_apple_csp/lib/RSA_asymmetric.cpp +++ b/OSX/libsecurity_apple_csp/lib/RSA_asymmetric.cpp 
@@ -25,8 +25,8 @@ #include <security_utilities/debugging.h> #include <opensslUtils/opensslUtils.h> -#define rsaCryptDebug(args...) secdebug("rsaCrypt", ## args) -#define rbprintf(args...) secdebug("rsaBuf", ## args) +#define rsaCryptDebug(args...) secinfo("rsaCrypt", ## args) +#define rbprintf(args...) secinfo("rsaBuf", ## args) static ModuleNexus<Mutex> gMutex; diff --git a/OSX/libsecurity_apple_csp/lib/SignatureContext.cpp b/OSX/libsecurity_apple_csp/lib/SignatureContext.cpp index 22591749..3f2ac891 100644 --- a/OSX/libsecurity_apple_csp/lib/SignatureContext.cpp +++ b/OSX/libsecurity_apple_csp/lib/SignatureContext.cpp @@ -27,7 +27,7 @@ #include <security_utilities/debugging.h> -#define cspSigDebug(args...) secdebug("cspSig", ## args) +#define cspSigDebug(args...) secinfo("cspSig", ## args) SignatureContext::~SignatureContext() { diff --git a/OSX/libsecurity_apple_csp/lib/ascContext.cpp b/OSX/libsecurity_apple_csp/lib/ascContext.cpp index e1b88e84..96a3efb9 100644 --- a/OSX/libsecurity_apple_csp/lib/ascContext.cpp +++ b/OSX/libsecurity_apple_csp/lib/ascContext.cpp @@ -30,8 +30,8 @@ #include <security_utilities/logging.h> #include <Security/cssmapple.h> -#define abprintf(args...) secdebug("ascBuf", ## args) /* buffer sizes */ -#define aioprintf(args...) secdebug("ascIo", ## args) /* all I/O */ +#define abprintf(args...) secinfo("ascBuf", ## args) /* buffer sizes */ +#define aioprintf(args...) secinfo("ascIo", ## args) /* all I/O */ static Allocator *ascAllocator; diff --git a/OSX/libsecurity_apple_csp/lib/bsafeSymmetric.cpp b/OSX/libsecurity_apple_csp/lib/bsafeSymmetric.cpp index db15758c..477166bb 100644 --- a/OSX/libsecurity_apple_csp/lib/bsafeSymmetric.cpp +++ b/OSX/libsecurity_apple_csp/lib/bsafeSymmetric.cpp @@ -24,7 +24,7 @@ #include "bsafecspi.h" #include <security_utilities/debugging.h> -#define bbprintf(args...) secdebug("BSafeBuf", ## args) +#define bbprintf(args...) secinfo("BSafeBuf", ## args) #define VERBOSE_DEBUG 0 #if VERBOSE_DEBUG 
diff --git a/OSX/libsecurity_apple_csp/lib/cspdebugging.h b/OSX/libsecurity_apple_csp/lib/cspdebugging.h index 8648f239..91fdd945 100644 --- a/OSX/libsecurity_apple_csp/lib/cspdebugging.h +++ b/OSX/libsecurity_apple_csp/lib/cspdebugging.h @@ -108,10 +108,13 @@ extern void dblog4(char *str, void * arg1, void * arg2, void * arg3, void * arg4 extern "C" { #endif +#include <CrashReporterClient.h> + static inline void _panic(const char *str) { printf("%s\n", str); - exit(1); + CRSetCrashLogMessage(str); + abort(); } #ifdef __cplusplus diff --git a/OSX/libsecurity_apple_csp/lib/desContext.cpp b/OSX/libsecurity_apple_csp/lib/desContext.cpp index 2e93686a..43890cfd 100644 --- a/OSX/libsecurity_apple_csp/lib/desContext.cpp +++ b/OSX/libsecurity_apple_csp/lib/desContext.cpp @@ -25,7 +25,7 @@ #include <security_utilities/globalizer.h> #include <security_utilities/threading.h> -#define DESDebug(args...) secdebug("desContext", ## args) +#define DESDebug(args...) secinfo("desContext", ## args) /* * DES encrypt/decrypt. diff --git a/OSX/libsecurity_apple_csp/libsecurity_apple_csp.xcodeproj/project.pbxproj b/OSX/libsecurity_apple_csp/libsecurity_apple_csp.xcodeproj/project.pbxproj index 80686068..ff7ee6a0 100644 --- a/OSX/libsecurity_apple_csp/libsecurity_apple_csp.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_apple_csp/libsecurity_apple_csp.xcodeproj/project.pbxproj @@ -250,13 +250,6 @@ remoteGlobalIDString = 0539107D0A37721E00B9E848; remoteInfo = "Copy Open Source Docs"; }; - 182BB344146F10ED000BF1F3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 18446090146DFBC800B12992 /* libsecurity_cdsa_plugin.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = C2C38A530535EDE600D7421F; - remoteInfo = libsecurity_cdsa_plugin_generate; - }; 18446095146DFBC900B12992 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18446090146DFBC800B12992 /* libsecurity_cdsa_plugin.xcodeproj */; 
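Review bot: `_panic` now calls `abort()` straight after `printf`, and `abort()` is not required to flush stdio streams, so when stdout is fully buffered (a pipe or log file rather than a terminal) the message can be lost in the crash, whereas the old `exit(1)` flushed it. Writing to stderr, which is unbuffered, avoids that: `fprintf(stderr, "%s\n", str);` (or `fflush(stdout);` before `abort()`). Also, `#include <CrashReporterClient.h>` is placed inside the `extern "C" {` block opened a few lines above, which gives every declaration in that header C linkage when the including file is C++; moving the include above the `#ifdef __cplusplus` guard is the usual fix. As I understand it `CRSetCrashLogMessage` retains only the pointer, which is fine here because `abort()` follows immediately, but that should be kept in mind if this helper is ever changed to return.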
@@ -403,9 +396,9 @@ C280AE570534BBD900F7E802 /* stack.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = stack.h; sourceTree = "<group>"; }; C280AE580534BBD900F7E802 /* x509.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = x509.h; sourceTree = "<group>"; }; C280AE590534BBD900F7E802 /* x509_vfy.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = x509_vfy.h; sourceTree = "<group>"; }; - C280AE5B0534BBD900F7E802 /* opensslAsn1.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = opensslAsn1.cpp; sourceTree = "<group>"; }; + C280AE5B0534BBD900F7E802 /* opensslAsn1.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = opensslAsn1.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C280AE5C0534BBD900F7E802 /* opensslAsn1.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = opensslAsn1.h; sourceTree = "<group>"; }; - C280AE5D0534BBD900F7E802 /* opensslUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = opensslUtils.cpp; sourceTree = "<group>"; }; + C280AE5D0534BBD900F7E802 /* opensslUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = opensslUtils.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C280AE5E0534BBD900F7E802 /* opensslUtils.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = opensslUtils.h; sourceTree = "<group>"; }; C280AE620534BBD900F7E802 /* rsa_chk.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = rsa_chk.c; sourceTree = "<group>"; }; C280AE630534BBD900F7E802 /* rsa_eay.c */ = {isa = PBXFileReference; 
fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = rsa_eay.c; sourceTree = "<group>"; }; @@ -423,7 +416,7 @@ C28436FE053488AB000AE0FC /* aescsp.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = aescsp.cpp; sourceTree = "<group>"; }; C28436FF053488AB000AE0FC /* aescspi.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = aescspi.h; sourceTree = "<group>"; }; C2843700053488AB000AE0FC /* algmaker.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = algmaker.cpp; sourceTree = "<group>"; }; - C2843701053488AB000AE0FC /* AppleCSP.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = AppleCSP.cpp; sourceTree = "<group>"; }; + C2843701053488AB000AE0FC /* AppleCSP.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = AppleCSP.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2843702053488AB000AE0FC /* AppleCSP.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = AppleCSP.h; sourceTree = "<group>"; }; C2843703053488AB000AE0FC /* AppleCSPContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = AppleCSPContext.cpp; sourceTree = "<group>"; }; C2843704053488AB000AE0FC /* AppleCSPContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = AppleCSPContext.h; sourceTree = "<group>"; }; 
@@ -431,15 +424,15 @@ C2843706053488AB000AE0FC /* AppleCSPKeys.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = AppleCSPKeys.h; sourceTree = "<group>"; }; C2843707053488AB000AE0FC /* AppleCSPPlugin.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = AppleCSPPlugin.cpp; sourceTree = "<group>"; }; C2843708053488AB000AE0FC /* AppleCSPSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = AppleCSPSession.h; sourceTree = "<group>"; }; - C2843709053488AB000AE0FC /* AppleCSPUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = AppleCSPUtils.cpp; sourceTree = "<group>"; }; + C2843709053488AB000AE0FC /* AppleCSPUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = AppleCSPUtils.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284370A053488AB000AE0FC /* AppleCSPUtils.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = AppleCSPUtils.h; sourceTree = "<group>"; }; - C284370B053488AB000AE0FC /* ascContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = ascContext.cpp; sourceTree = "<group>"; }; + C284370B053488AB000AE0FC /* ascContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = ascContext.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284370C053488AB000AE0FC /* ascContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = ascContext.h; sourceTree = "<group>"; }; C284370D053488AB000AE0FC /* ascFactory.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = ascFactory.h; sourceTree = "<group>"; }; 
C284370E053488AB000AE0FC /* bfContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = bfContext.cpp; sourceTree = "<group>"; }; C284370F053488AB000AE0FC /* bfContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = bfContext.h; sourceTree = "<group>"; }; C2843710053488AB000AE0FC /* BinaryKey.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = BinaryKey.h; sourceTree = "<group>"; }; - C2843711053488AB000AE0FC /* BlockCryptor.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = BlockCryptor.cpp; sourceTree = "<group>"; }; + C2843711053488AB000AE0FC /* BlockCryptor.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = BlockCryptor.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2843712053488AB000AE0FC /* BlockCryptor.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = BlockCryptor.h; sourceTree = "<group>"; }; C2843713053488AB000AE0FC /* boxes-ref.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = "boxes-ref.c"; sourceTree = "<group>"; }; C2843714053488AB000AE0FC /* boxes-ref.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "boxes-ref.h"; sourceTree = "<group>"; }; 
@@ -450,7 +443,7 @@ C2843719053488AB000AE0FC /* bsafeKeyGen.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = bsafeKeyGen.cpp; sourceTree = "<group>"; }; C284371A053488AB000AE0FC /* bsafePKCS1.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = bsafePKCS1.cpp; sourceTree = "<group>"; }; C284371B053488AB000AE0FC /* bsafePKCS1.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = bsafePKCS1.h; sourceTree = "<group>"; }; - C284371C053488AB000AE0FC /* bsafeSymmetric.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = bsafeSymmetric.cpp; sourceTree = "<group>"; }; + C284371C053488AB000AE0FC /* bsafeSymmetric.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = bsafeSymmetric.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284371D053488AB000AE0FC /* bsobjects.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = bsobjects.h; sourceTree = "<group>"; }; C284371E053488AB000AE0FC /* castContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = castContext.cpp; sourceTree = "<group>"; }; C284371F053488AB000AE0FC /* castContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = castContext.h; sourceTree = "<group>"; }; 
@@ -461,25 +454,25 @@ C2843727053488AB000AE0FC /* cspdebugging.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cspdebugging.h; sourceTree = "<group>"; }; C2843728053488AB000AE0FC /* cssmplugin.exp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.exports; path = cssmplugin.exp; sourceTree = "<group>"; }; C2843729053488AB000AE0FC /* deriveKey.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = deriveKey.cpp; sourceTree = "<group>"; }; - C284372C053488AB000AE0FC /* desContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = desContext.cpp; sourceTree = "<group>"; }; + C284372C053488AB000AE0FC /* desContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = desContext.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284372D053488AB000AE0FC /* desContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = desContext.h; sourceTree = "<group>"; }; C284372E053488AB000AE0FC /* DH_csp.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DH_csp.cpp; sourceTree = "<group>"; }; C284372F053488AB000AE0FC /* DH_csp.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DH_csp.h; sourceTree = "<group>"; }; C2843730053488AB000AE0FC /* DH_exchange.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DH_exchange.cpp; sourceTree = "<group>"; }; C2843731053488AB000AE0FC /* DH_exchange.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DH_exchange.h; sourceTree = "<group>"; }; - C2843732053488AB000AE0FC /* DH_keys.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = 
sourcecode.cpp.cpp; path = DH_keys.cpp; sourceTree = "<group>"; }; - C2843733053488AB000AE0FC /* DH_keys.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DH_keys.h; sourceTree = "<group>"; }; - C2843734053488AB000AE0FC /* DH_utils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DH_utils.cpp; sourceTree = "<group>"; }; + C2843732053488AB000AE0FC /* DH_keys.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = DH_keys.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; + C2843733053488AB000AE0FC /* DH_keys.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = DH_keys.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; + C2843734053488AB000AE0FC /* DH_utils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = DH_utils.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2843735053488AB000AE0FC /* DH_utils.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DH_utils.h; sourceTree = "<group>"; }; C2843736053488AB000AE0FC /* DigestContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DigestContext.cpp; sourceTree = "<group>"; }; C2843737053488AB000AE0FC /* DigestContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DigestContext.h; sourceTree = "<group>"; }; C2843738053488AB000AE0FC /* FEEAsymmetricContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = FEEAsymmetricContext.cpp; sourceTree = "<group>"; }; C2843739053488AB000AE0FC /* FEEAsymmetricContext.h */ = {isa = PBXFileReference; fileEncoding = 30; 
lastKnownFileType = sourcecode.c.h; path = FEEAsymmetricContext.h; sourceTree = "<group>"; }; - C284373A053488AB000AE0FC /* FEECSPUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = FEECSPUtils.cpp; sourceTree = "<group>"; }; + C284373A053488AB000AE0FC /* FEECSPUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = FEECSPUtils.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284373B053488AB000AE0FC /* FEECSPUtils.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = FEECSPUtils.h; sourceTree = "<group>"; }; - C284373C053488AB000AE0FC /* FEEKeys.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = FEEKeys.cpp; sourceTree = "<group>"; }; + C284373C053488AB000AE0FC /* FEEKeys.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = FEEKeys.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284373D053488AB000AE0FC /* FEEKeys.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = FEEKeys.h; sourceTree = "<group>"; }; - C284373E053488AB000AE0FC /* FEESignatureObject.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = FEESignatureObject.cpp; sourceTree = "<group>"; }; + C284373E053488AB000AE0FC /* FEESignatureObject.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = FEESignatureObject.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284373F053488AB000AE0FC /* FEESignatureObject.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = FEESignatureObject.h; sourceTree = "<group>"; }; C2843740053488AB000AE0FC /* 
gladmanContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = gladmanContext.cpp; sourceTree = "<group>"; }; C2843741053488AB000AE0FC /* gladmanContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = gladmanContext.h; sourceTree = "<group>"; }; 
@@ -511,19 +504,19 @@ C2843760053488AC000AE0FC /* rijndael-alg-ref.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "rijndael-alg-ref.h"; sourceTree = "<group>"; }; C2843761053488AC000AE0FC /* rijndaelApi.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = rijndaelApi.c; sourceTree = "<group>"; }; C2843762053488AC000AE0FC /* rijndaelApi.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = rijndaelApi.h; sourceTree = "<group>"; }; - C2843765053488AC000AE0FC /* RSA_asymmetric.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = RSA_asymmetric.cpp; sourceTree = "<group>"; }; + C2843765053488AC000AE0FC /* RSA_asymmetric.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = RSA_asymmetric.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2843766053488AC000AE0FC /* RSA_asymmetric.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = RSA_asymmetric.h; sourceTree = "<group>"; }; C2843767053488AC000AE0FC /* RSA_DSA_csp.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = RSA_DSA_csp.cpp; sourceTree = "<group>"; }; C2843768053488AC000AE0FC /* RSA_DSA_csp.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = RSA_DSA_csp.h; sourceTree = "<group>"; }; - C2843769053488AC000AE0FC /* RSA_DSA_keys.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = RSA_DSA_keys.cpp; sourceTree = "<group>"; }; + C2843769053488AC000AE0FC /* RSA_DSA_keys.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = RSA_DSA_keys.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 
C284376A053488AC000AE0FC /* RSA_DSA_keys.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = RSA_DSA_keys.h; sourceTree = "<group>"; }; - C284376B053488AC000AE0FC /* RSA_DSA_signature.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = RSA_DSA_signature.cpp; sourceTree = "<group>"; }; + C284376B053488AC000AE0FC /* RSA_DSA_signature.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = RSA_DSA_signature.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284376C053488AC000AE0FC /* RSA_DSA_signature.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = RSA_DSA_signature.h; sourceTree = "<group>"; }; - C284376D053488AC000AE0FC /* RSA_DSA_utils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = RSA_DSA_utils.cpp; sourceTree = "<group>"; }; + C284376D053488AC000AE0FC /* RSA_DSA_utils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = RSA_DSA_utils.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284376E053488AC000AE0FC /* RSA_DSA_utils.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = RSA_DSA_utils.h; sourceTree = "<group>"; }; C2843771053488AC000AE0FC /* SHA1_MD5_Object.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SHA1_MD5_Object.cpp; sourceTree = "<group>"; }; C2843772053488AC000AE0FC /* SHA1_MD5_Object.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SHA1_MD5_Object.h; sourceTree = "<group>"; }; - C2843775053488AC000AE0FC /* SignatureContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = 
SignatureContext.cpp; sourceTree = "<group>"; }; + C2843775053488AC000AE0FC /* SignatureContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SignatureContext.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2843776053488AC000AE0FC /* SignatureContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SignatureContext.h; sourceTree = "<group>"; }; C2843777053488AC000AE0FC /* vRijndael-alg-ref.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = "vRijndael-alg-ref.c"; sourceTree = "<group>"; }; C2843778053488AC000AE0FC /* wrapKey.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = wrapKey.cpp; sourceTree = "<group>"; }; @@ -1163,7 +1156,6 @@ buildRules = ( ); dependencies = ( - 182BB345146F10ED000BF1F3 /* PBXTargetDependency */, 053910800A37724600B9E848 /* PBXTargetDependency */, ); name = libsecurity_apple_csp; @@ -1178,7 +1170,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD2550987FCDC001272E0 /* Build configuration list for PBXProject "libsecurity_apple_csp" */; compatibilityVersion = "Xcode 3.2"; @@ -1354,11 +1346,6 @@ target = 0539107D0A37721E00B9E848 /* Copy Open Source Docs */; targetProxy = 0539107F0A37724600B9E848 /* PBXContainerItemProxy */; }; - 182BB345146F10ED000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity_cdsa_plugin_generate; - targetProxy = 182BB344146F10ED000BF1F3 /* PBXContainerItemProxy */; - }; /* End PBXTargetDependency section */ /* Begin XCBuildConfiguration section */ 
@@ -1428,12 +1415,21 @@
 isa = XCBuildConfiguration;
 baseConfigurationReference = 18446067146DE98E00B12992 /* lib.xcconfig */;
 buildSettings = {
+ ASSETCATALOG_COMPRESSION = lossless;
+ CLANG_WARN_BOOL_CONVERSION = YES;
 CLANG_WARN_CONSTANT_CONVERSION = YES;
 CLANG_WARN_EMPTY_BODY = YES;
 CLANG_WARN_ENUM_CONVERSION = YES;
 CLANG_WARN_INT_CONVERSION = YES;
+ CLANG_WARN_UNREACHABLE_CODE = YES;
 CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
+ ENABLE_STRICT_OBJC_MSGSEND = YES;
+ ENABLE_TESTABILITY = YES;
+ GCC_NO_COMMON_BLOCKS = YES;
+ GCC_WARN_UNDECLARED_SELECTOR = YES;
 GCC_WARN_UNINITIALIZED_AUTOS = YES;
+ GCC_WARN_UNUSED_FUNCTION = YES;
+ ONLY_ACTIVE_ARCH = YES;
 };
 name = Debug;
 };
@@ -1441,12 +1437,19 @@
 isa = XCBuildConfiguration;
 baseConfigurationReference = 18446067146DE98E00B12992 /* lib.xcconfig */;
 buildSettings = {
+ ASSETCATALOG_COMPRESSION = "respect-asset-catalog";
+ CLANG_WARN_BOOL_CONVERSION = YES;
 CLANG_WARN_CONSTANT_CONVERSION = YES;
 CLANG_WARN_EMPTY_BODY = YES;
 CLANG_WARN_ENUM_CONVERSION = YES;
 CLANG_WARN_INT_CONVERSION = YES;
+ CLANG_WARN_UNREACHABLE_CODE = YES;
 CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
+ ENABLE_STRICT_OBJC_MSGSEND = YES;
+ GCC_NO_COMMON_BLOCKS = YES;
+ GCC_WARN_UNDECLARED_SELECTOR = YES;
 GCC_WARN_UNINITIALIZED_AUTOS = YES;
+ GCC_WARN_UNUSED_FUNCTION = YES;
 };
 name = Release;
 };
diff --git a/OSX/libsecurity_apple_csp/open_ssl/bn/bn_prime.c b/OSX/libsecurity_apple_csp/open_ssl/bn/bn_prime.c
index 83730079..0f65ff3b 100644
--- a/OSX/libsecurity_apple_csp/open_ssl/bn/bn_prime.c
+++ b/OSX/libsecurity_apple_csp/open_ssl/bn/bn_prime.c
@@ -157,6 +157,8 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add,
 BN_CTX *ctx;
 int checks = BN_prime_checks_for_size(bits);
+ BN_init(&t);
+
 ctx=BN_CTX_new();
 if (ctx == NULL) goto err;
 if (ret == NULL)
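Review bot: Hoisting `BN_init(&t)` above `ctx=BN_CTX_new(); if (ctx == NULL) goto err;` in the bn_prime.c hunk is the right fix if, as it appears, the `err:` label frees `t` and could previously be reached with `t` uninitialised — the label itself is outside the hunk, so that is an inference. Nothing in the code says why the order matters, so a later tidy-up can move the call back below the allocation; add `/* t must be initialised before any goto err, which frees it */` on the new line. The remainder of `BN_generate_prime` is outside this hunk.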
@@ -165,8 +167,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add,
 }
 else
 rnd=ret;
- BN_init(&t);
-loop:
+loop:
 /* make a random number and set the top and bottom bits */
 if (add == NULL)
 {
diff --git a/OSX/libsecurity_apple_csp/open_ssl/openssl/opensslconf.h b/OSX/libsecurity_apple_csp/open_ssl/openssl/opensslconf.h
index 3242b5ec..b02cf890 100644
--- a/OSX/libsecurity_apple_csp/open_ssl/openssl/opensslconf.h
+++ b/OSX/libsecurity_apple_csp/open_ssl/openssl/opensslconf.h
@@ -56,6 +56,7 @@ extern "C" {
 #define NO_DES 1
 #define NO_IDEA 1
 #define NO_MDC2 1
+#define NO_MD2 1
 #ifdef NDEBUG
 #define NO_ERR 1
diff --git a/OSX/libsecurity_apple_csp/open_ssl/opensslUtils/opensslAsn1.cpp b/OSX/libsecurity_apple_csp/open_ssl/opensslUtils/opensslAsn1.cpp
index 5f3b68e6..fc88a8af 100644
--- a/OSX/libsecurity_apple_csp/open_ssl/opensslUtils/opensslAsn1.cpp
+++ b/OSX/libsecurity_apple_csp/open_ssl/opensslUtils/opensslAsn1.cpp
@@ -37,7 +37,7 @@
 #include <assert.h>
-#define sslAsn1Debug(args...) secdebug("sslAsn1", ##args)
+#define sslAsn1Debug(args...) secinfo("sslAsn1", ##args)
 #ifndef NDEBUG
 /* set to 1 to see all ASN related errors */
diff --git a/OSX/libsecurity_apple_csp/open_ssl/opensslUtils/opensslUtils.cpp b/OSX/libsecurity_apple_csp/open_ssl/opensslUtils/opensslUtils.cpp
index ca332942..c20f8e0c 100644
--- a/OSX/libsecurity_apple_csp/open_ssl/opensslUtils/opensslUtils.cpp
+++ b/OSX/libsecurity_apple_csp/open_ssl/opensslUtils/opensslUtils.cpp
@@ -35,7 +35,7 @@
 #include <AppleCSPUtils.h>
 #include <security_utilities/logging.h>
-#define sslUtilsDebug(args...) secdebug("sslUtils", ## args)
+#define sslUtilsDebug(args...) secinfo("sslUtils", ## args)
 openSslException::openSslException(
 int irtn,
diff --git a/OSX/libsecurity_apple_cspdl/lib/SSCSPDLSession.cpp b/OSX/libsecurity_apple_cspdl/lib/SSCSPDLSession.cpp
index cfc62236..25755028 100644
--- a/OSX/libsecurity_apple_cspdl/lib/SSCSPDLSession.cpp
+++ b/OSX/libsecurity_apple_cspdl/lib/SSCSPDLSession.cpp
@@ -81,8 +81,9 @@ SSCSPDLSession::makeReferenceKey(SSCSPSession &session, KeyHandle inKeyHandle,
 {
 SSKey* sskey = new SSKey(session, inKeyHandle, outKey, inSSDatabase, inKeyAttr, inKeyLabel);
+ (void) sskey; // Compiler thinks this variable isn't used, but we want the side effects of creation. Tell the compiler it's okay.
- secdebug("SecAccessReference", "made a new reference sskey with handle %d [%d]", sskey->keyHandle(), sskey->keyReference());
+ secinfo("SecAccessReference", "made a new reference sskey with handle %d [%ld]", sskey->keyHandle(), sskey->keyReference());
 }
 SSKey &
@@ -96,7 +97,7 @@ SSCSPDLSession::lookupKey(const CssmKey &inKey)
 /* fetch key (this is just mapping the value in inKey.KeyData to an SSKey) */
 SSKey &theKey = find<SSKey>(inKey);
- secdebug("SecAccessReference", "looked up a sskey with handle %d [%d]", theKey.keyHandle(), theKey.keyReference());
+ secinfo("SecAccessReference", "looked up a sskey with handle %d [%ld]", theKey.keyHandle(), theKey.keyReference());
 #ifdef someday
 /*
@@ -147,7 +148,7 @@ SSCSPDLSession::didChangeKeyAcl(SecurityServer::ClientSession &clientSession,
 else
 {
 // @@@ Should we really throw here or just continue without updating the ACL? In reality this should never happen, so let's at least log it and throw.
- secdebug("keyacl", "SSCSPDLSession::didChangeKeyAcl() keyHandle: %lu not found in map", (unsigned long)keyHandle);
+ secinfo("keyacl", "SSCSPDLSession::didChangeKeyAcl() keyHandle: %lu not found in map", (unsigned long)keyHandle);
 CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_REFERENCE);
 }
 }
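Review bot: The rewritten `secinfo` line in `makeReferenceKey` keeps `%d` for `sskey->keyHandle()` while changing only the reference to `%ld`; the `didChangeKeyAcl` hunk below casts what looks like the same handle to `(unsigned long)` for `%lu`, and the `ClientSessionKey` hunks that follow print `mKeyHandle` with `%u`, so three spellings now coexist for one kind of value. Pick one — `%u` without a cast, matching the `ClientSessionKey` lines — so `-Wformat` stays quiet and a handle never prints negative; that assumes `keyHandle()` and `mKeyHandle` share a type, which the hunk does not show. The `(void) sskey;` cast is fine, but its comment should name the side effect rather than describe the compiler, e.g. `// SSKey registers itself with the session in its constructor; the pointer is deliberately not retained here` — if that is what the constructor does, which is also outside the hunk.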
@@ -177,7 +178,7 @@ void ClientSessionKey::getAcl(AutoAclEntryInfoList &aclInfos, const char *selectionTag) const { - secdebug("keyacl", "ClientSessionKey::getAcl() keyHandle: %u", mKeyHandle); + secinfo("keyacl", "ClientSessionKey::getAcl() keyHandle: %u", mKeyHandle); aclInfos.allocator(mClientSession.returnAllocator); mClientSession.getKeyAcl(mKeyHandle, selectionTag, *static_cast<uint32 *>(aclInfos), @@ -188,14 +189,14 @@ void ClientSessionKey::changeAcl(const CSSM_ACL_EDIT &aclEdit, const CSSM_ACCESS_CREDENTIALS *cred) { - secdebug("keyacl", "ClientSessionKey::changeAcl() keyHandle: %u", mKeyHandle); + secinfo("keyacl", "ClientSessionKey::changeAcl() keyHandle: %u", mKeyHandle); mClientSession.changeKeyAcl(mKeyHandle, AccessCredentials::overlay(*cred), AclEdit::overlay(aclEdit)); } void ClientSessionKey::getOwner(AutoAclOwnerPrototype &owner) const { - secdebug("keyacl", "ClientSessionKey::getOwner() keyHandle: %u", mKeyHandle); + secinfo("keyacl", "ClientSessionKey::getOwner() keyHandle: %u", mKeyHandle); owner.allocator(mClientSession.returnAllocator); mClientSession.getKeyOwner(mKeyHandle, *reinterpret_cast<AclOwnerPrototype *>(static_cast<CSSM_ACL_OWNER_PROTOTYPE *>(owner))); @@ -205,7 +206,7 @@ void ClientSessionKey::changeOwner(const CSSM_ACL_OWNER_PROTOTYPE &newOwner, const CSSM_ACCESS_CREDENTIALS *cred) { - secdebug("keyacl", "ClientSessionKey::changeOwner() keyHandle: %u", mKeyHandle); + secinfo("keyacl", "ClientSessionKey::changeOwner() keyHandle: %u", mKeyHandle); mClientSession.changeKeyOwner(mKeyHandle, AccessCredentials::overlay(*cred), AclOwnerPrototype::overlay(newOwner)); } diff --git a/OSX/libsecurity_apple_cspdl/lib/SSCSPSession.cpp b/OSX/libsecurity_apple_cspdl/lib/SSCSPSession.cpp index d82bb4e3..e1f7b928 100644 --- a/OSX/libsecurity_apple_cspdl/lib/SSCSPSession.cpp +++ b/OSX/libsecurity_apple_cspdl/lib/SSCSPSession.cpp 
@@ -357,7 +357,7 @@ SSCSPSession::FreeKey(const AccessCredentials *accessCred,
 // Find the key in the map. Tell tell the key to free itself
 // (when the auto_ptr deletes the key it removes itself from the map).
- secdebug("freeKey", "CSPDL FreeKey");
+ secinfo("freeKey", "CSPDL FreeKey");
 auto_ptr<SSKey> ssKey(&mSSCSPDLSession.find<SSKey>(ioKey));
 ssKey->free(accessCred, ioKey, deleteKey);
 }
diff --git a/OSX/libsecurity_apple_cspdl/lib/SSContext.cpp b/OSX/libsecurity_apple_cspdl/lib/SSContext.cpp
index 3d5de0ab..b0523932 100644
--- a/OSX/libsecurity_apple_cspdl/lib/SSContext.cpp
+++ b/OSX/libsecurity_apple_cspdl/lib/SSContext.cpp
@@ -25,7 +25,7 @@
 #include "SSKey.h"
 #include <security_utilities/debugging.h>
-#define ssCryptDebug(args...) secdebug("ssCrypt", ## args)
+#define ssCryptDebug(args...) secinfo("ssCrypt", ## args)
 using namespace SecurityServer;
diff --git a/OSX/libsecurity_apple_cspdl/lib/SSDLSession.cpp b/OSX/libsecurity_apple_cspdl/lib/SSDLSession.cpp
index 40bc29fa..5ead2930 100644
--- a/OSX/libsecurity_apple_cspdl/lib/SSDLSession.cpp
+++ b/OSX/libsecurity_apple_cspdl/lib/SSDLSession.cpp
@@ -73,6 +73,8 @@ try
 }
 catch (...)
 {
+ // Prevent re-throw of exception.
+ return;
 }
 // Utility functions
@@ -117,7 +119,7 @@ SSDLSession::DbCreate(const char *inDbName,
 db->accessRequest(inAccessRequest);
 db->resourceControlContext(inCredAndAclEntry);
 db->openParameters(inOpenParameters);
- db->create(DLDbIdentifier(CssmSubserviceUid(plugin.myGuid(), &version(), subserviceId(),
+ db->ssCreate(DLDbIdentifier(CssmSubserviceUid(plugin.myGuid(), &version(), subserviceId(),
 CSSM_SERVICE_DL | CSSM_SERVICE_CSP), inDbName, inDbLocation));
 db->dbInfo(NULL);
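Review bot: The new `return;` in the `catch (...)` of the SSDLSession.cpp `@@ -73` hunk silently swallows every exception, and the comment `// Prevent re-throw of exception.` only restates the code. The enclosing function starts outside the hunk, but a bare `try` around a whole body followed by an empty `catch (...)` is the shape of a function-try-block on a destructor, where falling off the end of the handler rethrows and `return;` is the sanctioned way to stop that; if so, say it, `// Function-try-block on a destructor rethrows unless we return; nothing left to recover here`. Log before returning as well, e.g. `secnotice("SSDLSession", "ignoring exception during teardown");`, so a failing cleanup is at least visible in the log instead of vanishing.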
@@ -139,7 +141,7 @@ SSDLSession::CreateWithBlob(const char *DbName,
 db->accessRequest(AccessRequest);
 db->resourceControlContext(NULL);
 db->openParameters(OpenParameters);
- db->createWithBlob(DLDbIdentifier(CssmSubserviceUid(plugin.myGuid(), &version(), subserviceId(),
+ db->ssCreateWithBlob(DLDbIdentifier(CssmSubserviceUid(plugin.myGuid(), &version(), subserviceId(),
 CSSM_SERVICE_DL | CSSM_SERVICE_CSP), DbName, DbLocation), blob);
@@ -160,7 +162,7 @@ SSDLSession::DbOpen(const char *inDbName,
 db->accessRequest(inAccessRequest);
 db->accessCredentials(inAccessCred);
 db->openParameters(inOpenParameters);
- db->open(DLDbIdentifier(CssmSubserviceUid(plugin.myGuid(), &version(), subserviceId(),
+ db->ssOpen(DLDbIdentifier(CssmSubserviceUid(plugin.myGuid(), &version(), subserviceId(),
 CSSM_SERVICE_DL | CSSM_SERVICE_CSP), inDbName, inDbLocation));
 outDbHandle = makeDbHandle(db);
@@ -267,7 +269,7 @@ SSDLSession::DataInsert(CSSM_DB_HANDLE inDbHandle,
 {
 SSDatabase db = findDbHandle(inDbHandle); // @@@ Fix client lib.
- SSUniqueRecord uniqueId = db->insert(inRecordType, inAttributes, inData, true); // @@@ Fix me
+ SSUniqueRecord uniqueId = db->ssInsert(inRecordType, inAttributes, inData);
 outUniqueId = makeSSUniqueRecord(uniqueId); // @@@ If this is a key do the right thing.
 }
@@ -1289,7 +1291,7 @@ SSDLSession::PassThrough(CSSM_DB_HANDLE inDbHandle,
 case CSSM_APPLECSPDL_DB_COPY_BLOB:
 {
 // make the output parameters
- db->copyBlob(*reinterpret_cast<CSSM_DATA *>(outOutputParams));
+ db->ssCopyBlob(*reinterpret_cast<CSSM_DATA *>(outOutputParams));
 break;
 }
 case CSSM_APPLECSPDL_DB_INSERT_WITHOUT_ENCRYPTION:
@@ -1322,6 +1324,11 @@ SSDLSession::PassThrough(CSSM_DB_HANDLE inDbHandle,
 *((uint32*) *outOutputParams) = db->recodeDbToVersion(*((uint32*) inInputParams));
 break;
 }
+ case CSSM_APPLECSPDL_DB_RECODE_FINISHED:
+ {
+ db->recodeFinished();
+ break;
+ }
 case CSSM_APPLECSPDL_DB_TAKE_FILE_LOCK:
 {
 db->takeFileLock();
@@ -1336,6 +1343,22 @@ SSDLSession::PassThrough(CSSM_DB_HANDLE inDbHandle,
 {
 db->makeBackup();
 break;
+ }
+ case CSSM_APPLECSPDL_DB_MAKE_COPY:
+ {
+ db->makeCopy((const char*) inInputParams);
+ break;
+ }
+ case CSSM_APPLECSPDL_DB_DELETE_FILE:
+ {
+ db->deleteFile();
+ break;
+ }
+ case CSSM_APPLECSPDL_DB_CLONE:
+ {
+ SSDatabase ssdb = db->ssCloneTo(*((DLDbIdentifier*) inInputParams));
+ *((CSSM_DB_HANDLE*) outOutputParams) = makeDbHandle(ssdb);
+ break;
 }
 default:
 {
diff --git a/OSX/libsecurity_apple_cspdl/lib/SSDatabase.cpp b/OSX/libsecurity_apple_cspdl/lib/SSDatabase.cpp
index 755d232a..e4468f4d 100644
--- a/OSX/libsecurity_apple_cspdl/lib/SSDatabase.cpp
+++ b/OSX/libsecurity_apple_cspdl/lib/SSDatabase.cpp
@@ -49,9 +49,9 @@ catch (...)
 }
 SSUniqueRecord
-SSDatabaseImpl::insert(CSSM_DB_RECORDTYPE recordType,
+SSDatabaseImpl::ssInsert(CSSM_DB_RECORDTYPE recordType,
 const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes,
- const CSSM_DATA *data, bool)
+ const CSSM_DATA *data)
 {
 SSUniqueRecord uniqueId(SSDatabase(this));
 check(CSSM_DL_DataInsert(handle(), recordType,
@@ -238,7 +238,7 @@ SSDatabaseImpl::commonCreate(const DLDbIdentifier &dlDbIdentifier, bool &autoCom
 }
 void
-SSDatabaseImpl::create(const DLDbIdentifier &dlDbIdentifier)
+SSDatabaseImpl::ssCreate(const DLDbIdentifier &dlDbIdentifier)
 {
 try
 {
@@ -260,7 +260,7 @@ SSDatabaseImpl::create(const DLDbIdentifier &dlDbIdentifier)
 mSSDbHandle = mClientSession.createDb(dlDbIdentifier, cred, owner, dbParameters);
 CssmDataContainer dbb(allocator());
 mClientSession.encodeDb(mSSDbHandle, dbb, allocator());
- secdebugfunc("integrity", "opening %s", name());
+ secnotice("integrity", "opening %s", name());
 Db::Impl::insert(DBBlobRelationID, NULL, &dbb);
 if (autoCommit)
 {
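Review bot: The three new `PassThrough` cases dereference caller-supplied pointers with no NULL check: `CSSM_APPLECSPDL_DB_MAKE_COPY` hands `(const char*) inInputParams` straight to `makeCopy`, and `CSSM_APPLECSPDL_DB_CLONE` reads `*((DLDbIdentifier*) inInputParams)` and then writes `*((CSSM_DB_HANDLE*) outOutputParams)`, so a missing parameter is a crash inside the CSP/DL instead of a CSSM error. Guard them the way this module already reports bad references, e.g. at the top of the CLONE case `if (inInputParams == NULL || outOutputParams == NULL) CssmError::throwMe(CSSMERR_DL_INVALID_INPUT_POINTER);`, and an `inInputParams` check in MAKE_COPY. Note also that CLONE stores the handle into the `void **` slot itself (as `COPY_BLOB` does) while `CSSM_APPLECSPDL_DB_RECODE_TO_VERSION` in the preceding hunk writes through `*outOutputParams`; both conventions now live in one switch and a caller following the wrong one gets a wild write, so the declaration of the new passthrough codes should state which form each expects.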
@@ -285,13 +285,13 @@ SSDatabaseImpl::create(const DLDbIdentifier &dlDbIdentifier)
 }
 void
-SSDatabaseImpl::createWithBlob(const DLDbIdentifier &dlDbIdentifier, const CSSM_DATA &blob)
+SSDatabaseImpl::ssCreateWithBlob(const DLDbIdentifier &dlDbIdentifier, const CSSM_DATA &blob)
 {
 try
 {
 bool autoCommit;
 commonCreate(dlDbIdentifier, autoCommit);
- secdebugfunc("integrity", "opening %s", name());
+ secnotice("integrity", "opening %s", name());
 Db::Impl::insert(DBBlobRelationID, NULL, &blob);
 if (autoCommit)
 {
@@ -308,22 +308,30 @@ SSDatabaseImpl::createWithBlob(const DLDbIdentifier &dlDbIdentifier, const CSSM_
 }
 void
-SSDatabaseImpl::open(const DLDbIdentifier &dlDbIdentifier)
+SSDatabaseImpl::ssOpen(const DLDbIdentifier &dlDbIdentifier)
 {
- mIdentifier = dlDbIdentifier;
- Db::Impl::open();
-
- CssmDataContainer dbb(allocator());
- getDbBlobId(&dbb);
+ load(dlDbIdentifier);
- secdebugfunc("integrity", "opening %s", name());
+ CssmDataContainer dbb(allocator());
+ getDbBlobId(&dbb);
 // Pull our version out of the database blob
 mSSDbHandle = mClientSession.decodeDb(dlDbIdentifier, AccessCredentials::overlay(accessCredentials()), dbb);
 }
 void
-SSDatabaseImpl::recode(const CssmData &dbHandleArray, const CssmData &agentData)
+SSDatabaseImpl::load(const DLDbIdentifier &dlDbIdentifier)
 {
+ mIdentifier = dlDbIdentifier;
+ Db::Impl::open();
+
+ CssmDataContainer dbb(allocator());
+ getDbBlobId(&dbb);
+
+ secnotice("integrity", "loading %s", name());
+}
+
+void
+SSDatabaseImpl::ssRecode(const CssmData &dbHandleArray, const CssmData &agentData)
 {
 // Start a transaction (Implies activate()).
 passThrough(CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT, 0);
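Review bot: `ssOpen` now fetches the database blob twice per open: `load()` calls `getDbBlobId(&dbb)` into a container it then discards, and `ssOpen` declares a second `dbb` and calls `getDbBlobId(&dbb)` again before `decodeDb`. If the call inside `load()` is there only to verify that the blob record exists (the part `ssCloneTo` needs), a comment such as `// Fetch the blob only to confirm the record is present; ssOpen re-reads it for decodeDb` would keep the next reader from "fixing" it; otherwise `load()` could take a `CssmDataContainer *` out-parameter so the open path reads the record once. Presumably `getDbBlobId` issues a DL query each time, so this is paid on every keychain open. `ssRecode`'s body continues past the end of the hunk.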
@@ -375,9 +383,9 @@ SSDatabaseImpl::recodeDbToVersion(uint32 newBlobVersion) {
 try {
 if(isLocked()) {
- secdebugfunc("integrity", "is currently locked");
+ secnotice("integrity", "is currently locked");
 } else {
- secdebugfunc("integrity", "is already unlocked");
+ secnotice("integrity", "is already unlocked");
 }
 CssmDataContainer dbb(allocator());
@@ -389,18 +397,18 @@ SSDatabaseImpl::recodeDbToVersion(uint32 newBlobVersion) {
 dbb.clear();
 // Create a newDbHandle using the master secrets from the dbBlob we are recoding to.
- secdebugfunc("integrity", "recoding db with handle %d", mSSDbHandle);
+ secnotice("integrity", "recoding db with handle %d", mSSDbHandle);
 SecurityServer::DbHandle clonedDbHandle = mClientSession.recodeDbToVersion(newBlobVersion, mSSDbHandle);
- secdebugfunc("integrity", "received db with handle %d", clonedDbHandle);
+ secnotice("integrity", "received db with handle %d", clonedDbHandle);
 // @@@ If the dbb changed since we fetched it we should abort or
 // retry the operation here.
 uint32 newBlobVersion = recodeHelper(clonedDbHandle, dbBlobId);
- secdebugfunc("integrity", "committing transaction %d", clonedDbHandle);
+ secnotice("integrity", "committing transaction %d", clonedDbHandle);
 // Commit the transaction to the db
- transaction.success();
+ transaction.commit();
 return newBlobVersion;
 } catch (...)
@@ -409,6 +417,11 @@ SSDatabaseImpl::recodeDbToVersion(uint32 newBlobVersion) {
 }
 }
+void
+SSDatabaseImpl::recodeFinished() {
+ mClientSession.recodeFinished(mSSDbHandle);
+}
+
 void SSDatabaseImpl::takeFileLock() {
 if(mTransaction) { // you're already in the middle of a file lock.
@@ -422,9 +435,9 @@ void SSDatabaseImpl::releaseFileLock(bool success) {
 if(mTransaction) {
 try {
 if(success) {
- mTransaction->success();
+ mTransaction->commit();
 }
- // The destructor will commit the database and re-enable autocommit (if needed)
+ // If we didn't commit, the destructor will roll back and re-enable autocommit
 delete mTransaction;
 mTransaction = NULL;
 } catch(...) {
@@ -438,6 +451,25 @@ void SSDatabaseImpl::makeBackup() {
 passThrough(CSSM_APPLEFILEDL_MAKE_BACKUP, NULL, NULL);
 }
+void SSDatabaseImpl::makeCopy(const char* path) {
+ passThrough(CSSM_APPLEFILEDL_MAKE_COPY, path, NULL);
+}
+
+void SSDatabaseImpl::deleteFile() {
+ passThrough(CSSM_APPLEFILEDL_DELETE_FILE, NULL, NULL);
+}
+
+SSDatabase SSDatabaseImpl::ssCloneTo(const DLDbIdentifier& dldbidentifier) {
+ makeCopy(dldbidentifier.dbName());
+ SSDatabase db(mClientSession, dl(), dldbidentifier.dbName(), dldbidentifier.dbLocation());
+
+ db->load(dldbidentifier);
+ db->mSSDbHandle = mClientSession.cloneDb(dldbidentifier, mSSDbHandle);
+
+ return db;
+}
+
+
 uint32 SSDatabaseImpl::recodeHelper(SecurityServer::DbHandle clonedDbHandle, CssmClient::DbUniqueRecord& dbBlobId) {
 // Recode all keys
@@ -463,8 +495,8 @@ uint32 SSDatabaseImpl::recodeHelper(SecurityServer::DbHandle clonedDbHandle, Css
 CSSM_DB_MODIFY_ATTRIBUTE_NONE);
 } catch (CssmError cssme) {
 const char* errStr = cssmErrorString(cssme.error);
- secdebugfunc("integrity", "corrupt item while recoding: %d %s", (int) cssme.error, errStr);
- secdebugfunc("integrity", "deleting corrupt item");
+ secnotice("integrity", "corrupt item while recoding: %d %s", (int) cssme.error, errStr);
+ secnotice("integrity", "deleting corrupt item");
 keyBlobId->deleteRecord();
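Review bot: `ssCloneTo` leaves a stray copy of the keychain file behind if anything after `makeCopy(dldbidentifier.dbName())` throws: `db->load(...)` and `mClientSession.cloneDb(...)` can both fail, and by then the copied file already exists at the target path with nothing responsible for removing it. Wrapping those two calls in a try/catch that removes the copy before rethrowing keeps the clone atomic from the caller's point of view; whether `db->deleteFile()` is usable when `load` itself failed (it goes through `passThrough` on the new Db) is not visible here, so the cleanup call is guarded as best-effort below. `makeCopy` and `deleteFile` are thin pass-throughs and fine as written.
```cpp
SSDatabase SSDatabaseImpl::ssCloneTo(const DLDbIdentifier& dldbidentifier) {
    makeCopy(dldbidentifier.dbName());
    SSDatabase db(mClientSession, dl(), dldbidentifier.dbName(), dldbidentifier.dbLocation());

    try {
        db->load(dldbidentifier);
        db->mSSDbHandle = mClientSession.cloneDb(dldbidentifier, mSSDbHandle);
    } catch (...) {
        // Best effort: don't leave a half-initialised copy of the keychain file on disk.
        try { db->deleteFile(); } catch (...) { }
        throw;
    }

    return db;
}
```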
@@ -472,12 +504,12 @@ uint32 SSDatabaseImpl::recodeHelper(SecurityServer::DbHandle clonedDbHandle, Css
 if(keyHandle != 0) {
 // tell securityd not to worry about this key again
 try {
- secdebugfunc("integrity", "releasing corrupt key");
+ secnotice("integrity", "releasing corrupt key");
 mClientSession.releaseKey(keyHandle);
 } catch(CssmError cssme) {
 // swallow the error
 const char* errStr = cssmErrorString(cssme.error);
- secdebugfunc("integrity", "couldn't release corrupt key: %d %s", (int) cssme.error, errStr);
+ secnotice("integrity", "couldn't release corrupt key: %d %s", (int) cssme.error, errStr);
 }
 }
 }
@@ -486,7 +518,7 @@ uint32 SSDatabaseImpl::recodeHelper(SecurityServer::DbHandle clonedDbHandle, Css
 // Commit the new blob to securityd, reencode the db blob, release the
 // cloned db handle and commit the new blob to the db.
 CssmDataContainer dbb(allocator());
- secdebugfunc("integrity", "committing %d", clonedDbHandle);
+ secnotice("integrity", "committing %d", clonedDbHandle);
 mClientSession.commitDbForSync(mSSDbHandle, clonedDbHandle, dbb, allocator());
 dbBlobId->modify(DBBlobRelationID, NULL, &dbb,
@@ -512,7 +544,7 @@ void SSDatabaseImpl::getRecordIdentifier(CSSM_DB_UNIQUE_RECORD_PTR uniqueRecord,
 dest[3] = 0;
 }
-void SSDatabaseImpl::copyBlob(CSSM_DATA &data)
+void SSDatabaseImpl::ssCopyBlob(CSSM_DATA& data)
 {
 // get the blob from the database
 CssmDataContainer dbb(allocator());
diff --git a/OSX/libsecurity_apple_cspdl/lib/SSDatabase.h b/OSX/libsecurity_apple_cspdl/lib/SSDatabase.h
index 04ed9c05..4fefdd5e 100644
--- a/OSX/libsecurity_apple_cspdl/lib/SSDatabase.h
+++ b/OSX/libsecurity_apple_cspdl/lib/SSDatabase.h
@@ -49,12 +49,12 @@ public:
 const char *inDbName, const CSSM_NET_ADDRESS *inDbLocation);
 virtual ~SSDatabaseImpl();
- void create(const DLDbIdentifier &dlDbIdentifier);
- void createWithBlob(const DLDbIdentifier &dlDbIdentifier, const CSSM_DATA &blob);
- void open(const DLDbIdentifier &dlDbIdentifier);
- SSUniqueRecord insert(CSSM_DB_RECORDTYPE recordType,
+ void ssCreate(const DLDbIdentifier &dlDbIdentifier);
+ void ssCreateWithBlob(const DLDbIdentifier &dlDbIdentifier, const CSSM_DATA &blob);
+ void ssOpen(const DLDbIdentifier &dlDbIdentifier);
+ SSUniqueRecord ssInsert(CSSM_DB_RECORDTYPE recordType,
 const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes,
- const CSSM_DATA *data, bool);
+ const CSSM_DATA *data);
 void authenticate(CSSM_DB_ACCESS_TYPE inAccessRequest,
 const CSSM_ACCESS_CREDENTIALS *inAccessCredentials);
@@ -68,7 +68,7 @@ public:
 void setSettings(uint32 inIdleTimeout, bool inLockOnSleep);
 bool isLocked();
 void changePassphrase(const CSSM_ACCESS_CREDENTIALS *cred);
- void recode(const CssmData &data, const CssmData &extraData);
+ void ssRecode(const CssmData &data, const CssmData &extraData);
@@ -76,6 +76,9 @@ public:
 // Returns new version
 uint32 recodeDbToVersion(uint32 newBlobVersion);
+ // Tell securityd that we're done with the upgrade operation
+ void recodeFinished();
+
 // Try to take or release the file lock on the underlying database.
 // You _must_ call these as a pair. They start a transaction on the
 // underlying DL object, and that transaction is only finished when release
@@ -92,7 +95,7 @@ public:
 SecurityServer::DbHandle dbHandle();
 void getRecordIdentifier(const CSSM_DB_UNIQUE_RECORD_PTR uniqueRecord, CSSM_DATA &data);
- void copyBlob(CSSM_DATA &blob);
+ void ssCopyBlob(CSSM_DATA& blob);
 // Get the version of this database's encoding
 uint32 dbBlobVersion();
@@ -100,10 +103,24 @@ public:
 // Try to make a backup copy of this database on the filesystem
 void makeBackup();
+ // Try to make a backup copy of this database on the filesystem
+ void makeCopy(const char* path);
+
+ // Try to delete the backing file of this database
+ // AFter you've done this, operations might fail in strange ways.
+ void deleteFile();
+
+ // Duplicate this database to this location, and return the clone.
+ // For best results, use on an unlocked SSDatabase, but it should work on a locked one as well.
+ SSDatabase ssCloneTo(const DLDbIdentifier& dldbidentifier);
+
 protected:
 CssmClient::DbUniqueRecord getDbBlobId(CssmDataContainer *dbb = NULL);
 void commonCreate (const DLDbIdentifier &dlDbIdentifier, bool &autocommit);
+ // Load the database from disk, but don't talk with securityd about it
+ void load(const DLDbIdentifier &dlDbIdentifier);
+
 static uint32 getDbVersionFromBlob(const CssmData& dbb);
 uint32 recodeHelper(SecurityServer::DbHandle clonedDbHandle, CssmClient::DbUniqueRecord& dbBlobId);
diff --git a/OSX/libsecurity_apple_cspdl/lib/SSKey.cpp b/OSX/libsecurity_apple_cspdl/lib/SSKey.cpp
index 69c57b51..fec984c5 100644
--- a/OSX/libsecurity_apple_cspdl/lib/SSKey.cpp
+++ b/OSX/libsecurity_apple_cspdl/lib/SSKey.cpp
@@ -124,9 +124,7 @@ mClientSession(session.clientSession())
 attributes.add(KeySchema::Unwrap, header.useFor(CSSM_KEYUSE_ANY | CSSM_KEYUSE_UNWRAP));
- // @@@ Fixme
- mUniqueId = inSSDatabase->insert(mRecordType, &attributes, &blob,
- true);
+ mUniqueId = inSSDatabase->ssInsert(mRecordType, &attributes, &blob);
 }
 header.cspGuid(session.plugin.myGuid()); // Set the csp guid to me.
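Review bot: The comment added above `makeCopy` is a verbatim copy of the one above `makeBackup` ("Try to make a backup copy of this database on the filesystem") and does not describe the new method, which takes a destination path; suggest `// Copy this database's backing file to the given filesystem path` so the two entry points are distinguishable. The `deleteFile` comment has a typo, `AFter` → `After`. For `ssCloneTo` it would help callers to state that the clone is written to `dldbidentifier.dbName()` and, as the implementation in the SSDatabase.cpp hunk stands, that the copied file is not removed if the clone step fails, since this header is the only documentation a user of SSDatabase sees.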
@@ -290,7 +288,7 @@ SSKey::keyHandle()
 clientSession().decodeKey(mUniqueId->database().dbHandle(), blob,
 dummyHeader);
- secdebugfunc("SecAccessReference", "decoded a new key into handle %d [reference %d]", mKeyHandle, keyReference());
+ secinfo("SecAccessReference", "decoded a new key into handle %d [reference %ld]", mKeyHandle, keyReference());
 // @@@ Check decoded header against returned header
 }
@@ -336,7 +334,7 @@ SSKey::didChangeAcl()
 {
 if (mUniqueId == true)
 {
- secdebug("keyacl", "SSKey::didChangeAcl() keyHandle: %lu updating DL entry", (unsigned long)mKeyHandle);
+ secinfo("keyacl", "SSKey::didChangeAcl() keyHandle: %lu updating DL entry", (unsigned long)mKeyHandle);
 // The key is persistent, make the change on disk.
 CssmDataContainer keyBlob(mAllocator);
 clientSession().encodeKey(keyHandle(), keyBlob);
@@ -344,6 +342,6 @@ SSKey::didChangeAcl()
 }
 else
 {
- secdebug("keyacl", "SSKey::didChangeAcl() keyHandle: %lu transient key no update done", (unsigned long)mKeyHandle);
+ secinfo("keyacl", "SSKey::didChangeAcl() keyHandle: %lu transient key no update done", (unsigned long)mKeyHandle);
 }
 }
diff --git a/OSX/libsecurity_apple_cspdl/libsecurity_apple_cspdl.xcodeproj/project.pbxproj b/OSX/libsecurity_apple_cspdl/libsecurity_apple_cspdl.xcodeproj/project.pbxproj
index c5a74d7c..0e8ed5a1 100644
--- a/OSX/libsecurity_apple_cspdl/libsecurity_apple_cspdl.xcodeproj/project.pbxproj
+++ b/OSX/libsecurity_apple_cspdl/libsecurity_apple_cspdl.xcodeproj/project.pbxproj
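Review bot: The rewritten `secinfo` call in `keyHandle()` prints `mKeyHandle` with `%d`, while the two `didChangeAcl` hunks in the same file cast the same member to `(unsigned long)` and print it with `%lu`; unless `mKeyHandle` is declared `int` (its type is not visible here), the `%d` form is the format/argument mismatch. Use one convention across the file, e.g. `"decoded a new key into handle %lu [reference %ld]", (unsigned long)mKeyHandle, keyReference()`, and confirm that `keyReference()` really returns a `long` now that its specifier changed from `%d` to `%ld`. `keyHandle()` begins before this hunk.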
@@ -29,13 +29,6 @@ /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ - 182BB348146F10F6000BF1F3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 184460D8146E7DF300B12992 /* libsecurity_cdsa_plugin.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = C2C38A530535EDE600D7421F; - remoteInfo = libsecurity_cdsa_plugin_generate; - }; 184460DD146E7DF300B12992 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 184460D8146E7DF300B12992 /* libsecurity_cdsa_plugin.xcodeproj */; 
@@ -60,19 +53,19 @@ 4C6AA9D10535FDA6006E3284 /* CSPDLDatabase.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = CSPDLDatabase.h; sourceTree = "<group>"; }; 4C6AA9D20535FDA6006E3284 /* CSPDLPlugin.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = CSPDLPlugin.cpp; sourceTree = "<group>"; }; 4C6AA9D30535FDA6006E3284 /* CSPDLPlugin.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = CSPDLPlugin.h; sourceTree = "<group>"; }; - 4C6AA9D40535FDA6006E3284 /* SSContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SSContext.cpp; sourceTree = "<group>"; }; + 4C6AA9D40535FDA6006E3284 /* SSContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SSContext.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C6AA9D50535FDA6006E3284 /* SSContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SSContext.h; sourceTree = "<group>"; }; - 4C6AA9D60535FDA6006E3284 /* SSCSPDLSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SSCSPDLSession.cpp; sourceTree = "<group>"; }; + 4C6AA9D60535FDA6006E3284 /* SSCSPDLSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SSCSPDLSession.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C6AA9D70535FDA6006E3284 /* SSCSPDLSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SSCSPDLSession.h; sourceTree = "<group>"; }; - 4C6AA9D80535FDA6006E3284 /* SSCSPSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SSCSPSession.cpp; sourceTree = "<group>"; }; + 
4C6AA9D80535FDA6006E3284 /* SSCSPSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SSCSPSession.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C6AA9D90535FDA6006E3284 /* SSCSPSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SSCSPSession.h; sourceTree = "<group>"; }; - 4C6AA9DA0535FDA6006E3284 /* SSDatabase.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SSDatabase.cpp; sourceTree = "<group>"; }; + 4C6AA9DA0535FDA6006E3284 /* SSDatabase.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SSDatabase.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C6AA9DB0535FDA6006E3284 /* SSDatabase.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SSDatabase.h; sourceTree = "<group>"; }; 4C6AA9DC0535FDA6006E3284 /* SSDLSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SSDLSession.cpp; sourceTree = "<group>"; }; 4C6AA9DD0535FDA6006E3284 /* SSDLSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SSDLSession.h; sourceTree = "<group>"; }; 4C6AA9DE0535FDA6006E3284 /* SSFactory.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SSFactory.cpp; sourceTree = "<group>"; }; 4C6AA9DF0535FDA6006E3284 /* SSFactory.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SSFactory.h; sourceTree = "<group>"; }; - 4C6AA9E00535FDA6006E3284 /* SSKey.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SSKey.cpp; sourceTree = "<group>"; }; + 4C6AA9E00535FDA6006E3284 /* SSKey.cpp */ = {isa = PBXFileReference; 
fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SSKey.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C6AA9E10535FDA6006E3284 /* SSKey.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SSKey.h; sourceTree = "<group>"; }; 4CA1FEBE052A3C8100F22E42 /* libsecurity_apple_cspdl.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libsecurity_apple_cspdl.a; sourceTree = BUILT_PRODUCTS_DIR; }; C2196B5C053B598C005808D4 /* AppleCSPDLBuiltin.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = AppleCSPDLBuiltin.cpp; path = lib/AppleCSPDLBuiltin.cpp; sourceTree = "<group>"; }; @@ -199,7 +192,6 @@ buildRules = ( ); dependencies = ( - 182BB349146F10F6000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_apple_cspdl; productInstallPath = /usr/local/lib; @@ -213,7 +205,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD26A0987FCDC001272E0 /* Build configuration list for PBXProject "libsecurity_apple_cspdl" */; compatibilityVersion = "Xcode 3.2"; @@ -271,14 +263,6 @@ }; /* End PBXSourcesBuildPhase section */ -/* Begin PBXTargetDependency section */ - 182BB349146F10F6000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity_cdsa_plugin_generate; - targetProxy = 182BB348146F10F6000BF1F3 /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - /* Begin XCBuildConfiguration section */ C27AD2640987FCDC001272E0 /* Debug */ = { isa = XCBuildConfiguration; 
@@ -308,6 +292,10 @@ isa = XCBuildConfiguration; baseConfigurationReference = 184460CD146E7B7B00B12992 /* debug.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + ENABLE_TESTABILITY = YES; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -315,6 +303,8 @@ isa = XCBuildConfiguration; baseConfigurationReference = 184460CF146E7B7B00B12992 /* release.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; }; name = Release; }; diff --git a/OSX/libsecurity_apple_file_dl/libsecurity_apple_file_dl.xcodeproj/project.pbxproj b/OSX/libsecurity_apple_file_dl/libsecurity_apple_file_dl.xcodeproj/project.pbxproj index 7d0ef6a4..0d7ea931 100644 --- a/OSX/libsecurity_apple_file_dl/libsecurity_apple_file_dl.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_apple_file_dl/libsecurity_apple_file_dl.xcodeproj/project.pbxproj @@ -13,13 +13,6 @@ /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ - 182BB34C146F1102000BF1F3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 184460F4146E818D00B12992 /* libsecurity_cdsa_plugin.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = C2C38A530535EDE600D7421F; - remoteInfo = libsecurity_cdsa_plugin_generate; - }; 184460F9146E818D00B12992 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 184460F4146E818D00B12992 /* libsecurity_cdsa_plugin.xcodeproj */; @@ -139,7 +132,6 @@ buildRules = ( ); dependencies = ( - 182BB34D146F1102000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_apple_file_dl; productInstallPath = /usr/local/lib; 
@@ -153,7 +145,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD27B0987FCDC001272E0 /* Build configuration list for PBXProject "libsecurity_apple_file_dl" */; compatibilityVersion = "Xcode 3.2"; @@ -200,14 +192,6 @@ }; /* End PBXSourcesBuildPhase section */ -/* Begin PBXTargetDependency section */ - 182BB34D146F1102000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity_cdsa_plugin_generate; - targetProxy = 182BB34C146F1102000BF1F3 /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - /* Begin XCBuildConfiguration section */ C27AD2780987FCDC001272E0 /* Debug */ = { isa = XCBuildConfiguration; @@ -229,12 +213,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 184460E8146E808700B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; 
@@ -242,12 +235,19 @@
 isa = XCBuildConfiguration;
 baseConfigurationReference = 184460E8146E808700B12992 /* lib.xcconfig */;
 buildSettings = {
+ ASSETCATALOG_COMPRESSION = "respect-asset-catalog";
+ CLANG_WARN_BOOL_CONVERSION = YES;
 CLANG_WARN_CONSTANT_CONVERSION = YES;
 CLANG_WARN_EMPTY_BODY = YES;
 CLANG_WARN_ENUM_CONVERSION = YES;
 CLANG_WARN_INT_CONVERSION = YES;
+ CLANG_WARN_UNREACHABLE_CODE = YES;
 CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
+ ENABLE_STRICT_OBJC_MSGSEND = YES;
+ GCC_NO_COMMON_BLOCKS = YES;
+ GCC_WARN_UNDECLARED_SELECTOR = YES;
 GCC_WARN_UNINITIALIZED_AUTOS = YES;
+ GCC_WARN_UNUSED_FUNCTION = YES;
 };
 name = Release;
 };
diff --git a/OSX/libsecurity_apple_x509_cl/TODO b/OSX/libsecurity_apple_x509_cl/TODO
deleted file mode 100644
index de81bb21..00000000
--- a/OSX/libsecurity_apple_x509_cl/TODO
+++ /dev/null
@@ -1 +0,0 @@
-Things TODO in AppleX509CL
diff --git a/OSX/libsecurity_apple_x509_cl/lib/AppleX509CLSession.cpp b/OSX/libsecurity_apple_x509_cl/lib/AppleX509CLSession.cpp
index 41002892..3c739ab3 100644
--- a/OSX/libsecurity_apple_x509_cl/lib/AppleX509CLSession.cpp
+++ b/OSX/libsecurity_apple_x509_cl/lib/AppleX509CLSession.cpp
@@ -41,13 +41,13 @@ AppleX509CLSession::~AppleX509CLSession()
 /* free leftover contents of cache and query maps */
 CLCachedEntry *cachedCert = cacheMap.removeFirstEntry();
 while(cachedCert != NULL) {
- secdebug("clDetach", "CL detach: deleting a cached Cert\n");
+ secinfo("clDetach", "CL detach: deleting a cached Cert\n");
 delete cachedCert;
 cachedCert = cacheMap.removeFirstEntry();
 }
 CLQuery *query = queryMap.removeFirstEntry();
 while(query != NULL) {
- secdebug("clDetach", "CL detach: deleting a cached query\n");
+ secinfo("clDetach", "CL detach: deleting a cached query\n");
 delete query;
 query = queryMap.removeFirstEntry();
 }
diff --git a/OSX/libsecurity_apple_x509_cl/lib/cldebugging.h b/OSX/libsecurity_apple_x509_cl/lib/cldebugging.h
index 79709bb1..fca6af6f 100644
--- a/OSX/libsecurity_apple_x509_cl/lib/cldebugging.h
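Review bot: The two `secinfo("clDetach", ...)` calls in the destructor keep a trailing `\n` inside the message; that was harmless under secdebug, but the commit's own tpdebugging.h comment says secinfo now emits an os_log/syslog message, where an embedded newline is at best noise in the log. Drop it: `secinfo("clDetach", "CL detach: deleting a cached Cert");` and likewise `"CL detach: deleting a cached query"`. The rest of the destructor lies outside the hunk.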
+++ b/OSX/libsecurity_apple_x509_cl/lib/cldebugging.h
@@ -29,10 +29,10 @@
 #ifdef NDEBUG
 /* this actually compiles to nothing */
-#define clErrorLog(args...) secdebug("clError", ## args)
+#define clErrorLog(args...) secinfo("clError", ## args)
 #else
 #define clErrorLog(args...) printf(args)
 #endif
-#define clFieldLog(args...) secdebug("clField", ## args)
+#define clFieldLog(args...) secinfo("clField", ## args)
 #endif /* _CLDEBUGGING_H_ */
diff --git a/OSX/libsecurity_apple_x509_cl/libsecurity_apple_x509_cl.xcodeproj/project.pbxproj b/OSX/libsecurity_apple_x509_cl/libsecurity_apple_x509_cl.xcodeproj/project.pbxproj
index d16472c0..15608529 100644
--- a/OSX/libsecurity_apple_x509_cl/libsecurity_apple_x509_cl.xcodeproj/project.pbxproj
+++ b/OSX/libsecurity_apple_x509_cl/libsecurity_apple_x509_cl.xcodeproj/project.pbxproj
@@ -49,13 +49,6 @@
 /* End PBXBuildFile section */
 /* Begin PBXContainerItemProxy section */
- 182BB350146F110B000BF1F3 /* PBXContainerItemProxy */ = {
- isa = PBXContainerItemProxy;
- containerPortal = 18446107146E84E500B12992 /* libsecurity_cdsa_plugin.xcodeproj */;
- proxyType = 1;
- remoteGlobalIDString = C2C38A530535EDE600D7421F;
- remoteInfo = libsecurity_cdsa_plugin_generate;
- };
 1844610C146E84E500B12992 /* PBXContainerItemProxy */ = {
 isa = PBXContainerItemProxy;
 containerPortal = 18446107146E84E500B12992 /* libsecurity_cdsa_plugin.xcodeproj */;
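Review bot: The `/* this actually compiles to nothing */` comment above `clErrorLog` is stale after this hunk: the commit's own tpdebugging.h change states that `secinfo` emits an os_log/syslog message, so if that is accurate, NDEBUG builds now log clError output instead of compiling it out — a release-build behaviour change worth stating explicitly. Suggest replacing the comment with `/* release builds route clError through secinfo (os_log); debug builds printf() it */`. The same stale comment sits above `tpErrorLog` in the tpdebugging.h hunk of this commit.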
@@ -86,7 +79,7 @@ C284365A053485B1000AE0FC /* AppleX509CL.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = AppleX509CL.cpp; sourceTree = "<group>"; }; C284365B053485B1000AE0FC /* AppleX509CL.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = AppleX509CL.h; sourceTree = "<group>"; }; C284365C053485B1000AE0FC /* AppleX509CLPlugin.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = AppleX509CLPlugin.cpp; sourceTree = "<group>"; }; - C284365D053485B1000AE0FC /* AppleX509CLSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = AppleX509CLSession.cpp; sourceTree = "<group>"; }; + C284365D053485B1000AE0FC /* AppleX509CLSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = AppleX509CLSession.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C284365E053485B1000AE0FC /* AppleX509CLSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = AppleX509CLSession.h; sourceTree = "<group>"; }; C284365F053485B1000AE0FC /* CertFields.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = CertFields.cpp; sourceTree = "<group>"; }; C2843660053485B1000AE0FC /* CLCachedEntry.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = CLCachedEntry.cpp; sourceTree = "<group>"; }; 
@@ -95,7 +88,7 @@ C2843663053485B1000AE0FC /* CLCertExtensions.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = CLCertExtensions.h; sourceTree = "<group>"; }; C2843664053485B1000AE0FC /* CLCrlExtensions.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = CLCrlExtensions.cpp; sourceTree = "<group>"; }; C2843665053485B1000AE0FC /* CLCrlExtensions.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = CLCrlExtensions.h; sourceTree = "<group>"; }; - C2843666053485B1000AE0FC /* cldebugging.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cldebugging.h; sourceTree = "<group>"; }; + C2843666053485B1000AE0FC /* cldebugging.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = cldebugging.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; C2843667053485B1000AE0FC /* CLFieldsCommon.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = CLFieldsCommon.cpp; sourceTree = "<group>"; }; C2843668053485B1000AE0FC /* CLFieldsCommon.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = CLFieldsCommon.h; sourceTree = "<group>"; }; C2843669053485B1000AE0FC /* clNameUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = clNameUtils.cpp; sourceTree = "<group>"; }; @@ -269,7 +262,6 @@ buildRules = ( ); dependencies = ( - 182BB351146F110B000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_apple_x509_cl; productInstallPath = /usr/local/lib; 
@@ -302,7 +294,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD28D0987FCDC001272E0 /* Build configuration list for PBXProject "libsecurity_apple_x509_cl" */; compatibilityVersion = "Xcode 3.2"; @@ -390,11 +382,6 @@ /* End PBXSourcesBuildPhase section */ /* Begin PBXTargetDependency section */ - 182BB351146F110B000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity_cdsa_plugin_generate; - targetProxy = 182BB350146F110B000BF1F3 /* PBXContainerItemProxy */; - }; C2AAE44B053B54E2009142E3 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 4CA1FEBD052A3C8100F22E42 /* libsecurity_apple_x509_cl */; @@ -445,12 +432,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18446100146E82B800B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; 
@@ -458,12 +454,19 @@
 isa = XCBuildConfiguration;
 baseConfigurationReference = 18446100146E82B800B12992 /* lib.xcconfig */;
 buildSettings = {
+ ASSETCATALOG_COMPRESSION = "respect-asset-catalog";
+ CLANG_WARN_BOOL_CONVERSION = YES;
 CLANG_WARN_CONSTANT_CONVERSION = YES;
 CLANG_WARN_EMPTY_BODY = YES;
 CLANG_WARN_ENUM_CONVERSION = YES;
 CLANG_WARN_INT_CONVERSION = YES;
+ CLANG_WARN_UNREACHABLE_CODE = YES;
 CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
+ ENABLE_STRICT_OBJC_MSGSEND = YES;
+ GCC_NO_COMMON_BLOCKS = YES;
+ GCC_WARN_UNDECLARED_SELECTOR = YES;
 GCC_WARN_UNINITIALIZED_AUTOS = YES;
+ GCC_WARN_UNUSED_FUNCTION = YES;
 };
 name = Release;
 };
diff --git a/OSX/libsecurity_apple_x509_tp/lib/TPCertInfo.cpp b/OSX/libsecurity_apple_x509_tp/lib/TPCertInfo.cpp
index 165228a5..62b6f7b8 100644
--- a/OSX/libsecurity_apple_x509_tp/lib/TPCertInfo.cpp
+++ b/OSX/libsecurity_apple_x509_tp/lib/TPCertInfo.cpp
@@ -40,8 +40,8 @@
 #include <Security/SecImportExport.h>
 #include <Security/SecTrustSettingsPriv.h>
-#define tpTimeDbg(args...) secdebug("tpTime", ## args)
-#define tpCertInfoDbg(args...) secdebug("tpCert", ## args)
+#define tpTimeDbg(args...) secinfo("tpTime", ## args)
+#define tpCertInfoDbg(args...) secinfo("tpCert", ## args)
 static const TPClItemCalls tpCertClCalls =
 {
diff --git a/OSX/libsecurity_apple_x509_tp/lib/tpCredRequest.cpp b/OSX/libsecurity_apple_x509_tp/lib/tpCredRequest.cpp
index be25daea..3aee72f9 100644
--- a/OSX/libsecurity_apple_x509_tp/lib/tpCredRequest.cpp
+++ b/OSX/libsecurity_apple_x509_tp/lib/tpCredRequest.cpp
@@ -34,7 +34,7 @@
 #include <Security/cssmapple.h>
 #include <assert.h>
-#define tpCredDebug(args...) secdebug("tpCred", ## args)
+#define tpCredDebug(args...) secinfo("tpCred", ## args)
 /*
 * Build up a CSSM_X509_NAME from an arbitrary list of name/OID pairs.
diff --git a/OSX/libsecurity_apple_x509_tp/lib/tpdebugging.h b/OSX/libsecurity_apple_x509_tp/lib/tpdebugging.h
index 91032aa6..eb9cc529 100644
--- a/OSX/libsecurity_apple_x509_tp/lib/tpdebugging.h
+++ b/OSX/libsecurity_apple_x509_tp/lib/tpdebugging.h
@@ -27,9 +27,8 @@
 #include <security_utilities/debugging.h>
 /* If TP_USE_SYSLOG is defined and not 0, use syslog() for debug
- * logging in addition to invoking the secdebug macro (which, as of
- * Snow Leopard, emits a static dtrace probe instead of an actual
- * log message.)
+ * logging in addition to invoking the secinfo macro (which, as of
+ * 10.11, emits a os_log message of a syslog message.)
 */
 #ifndef TP_USE_SYSLOG
 #define TP_USE_SYSLOG 0
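Review bot: The rewritten comment reads "emits a os_log message of a syslog message", which does not parse; presumably "emits an os_log or syslog message" was intended. Since the TP_USE_SYSLOG branch in the next hunk adds its own `syslog()` call on top of secinfo, the comment should also say that enabling it can record each message twice: ` * logging in addition to invoking the secinfo macro (which, as of` / ` * 10.11, emits an os_log or syslog message, so TP_USE_SYSLOG may log twice.)`.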
@@ -37,31 +36,31 @@ #if TP_USE_SYSLOG #include <syslog.h> -#define tp_secdebug(scope, format...) \ +#define tp_secinfo(scope, format...) \ { \ syslog(LOG_NOTICE, format); \ - secdebug(scope, format); \ + secinfo(scope, format); \ } #else -#define tp_secdebug(scope, format...) \ - secdebug(scope, format) +#define tp_secinfo(scope, format...) \ + secinfo(scope, format) #endif #ifdef NDEBUG /* this actually compiles to nothing */ -#define tpErrorLog(args...) tp_secdebug("tpError", ## args) +#define tpErrorLog(args...) tp_secinfo("tpError", ## args) #else #define tpErrorLog(args...) printf(args) #endif -#define tpDebug(args...) tp_secdebug("tpDebug", ## args) -#define tpDbDebug(args...) tp_secdebug("tpDbDebug", ## args) -#define tpCrlDebug(args...) tp_secdebug("tpCrlDebug", ## args) -#define tpPolicyError(args...) tp_secdebug("tpPolicy", ## args) -#define tpVfyDebug(args...) tp_secdebug("tpVfyDebug", ## args) -#define tpAnchorDebug(args...) tp_secdebug("tpAnchorDebug", ## args) -#define tpOcspDebug(args...) tp_secdebug("tpOcsp", ## args) -#define tpOcspCacheDebug(args...) tp_secdebug("tpOcspCache", ## args) -#define tpTrustSettingsDbg(args...) tp_secdebug("tpTrustSettings", ## args) +#define tpDebug(args...) tp_secinfo("tpDebug", ## args) +#define tpDbDebug(args...) tp_secinfo("tpDbDebug", ## args) +#define tpCrlDebug(args...) tp_secinfo("tpCrlDebug", ## args) +#define tpPolicyError(args...) tp_secinfo("tpPolicy", ## args) +#define tpVfyDebug(args...) tp_secinfo("tpVfyDebug", ## args) +#define tpAnchorDebug(args...) tp_secinfo("tpAnchorDebug", ## args) +#define tpOcspDebug(args...) tp_secinfo("tpOcsp", ## args) +#define tpOcspCacheDebug(args...) tp_secinfo("tpOcspCache", ## args) +#define tpTrustSettingsDbg(args...) tp_secinfo("tpTrustSettings", ## args) #endif /* _TPDEBUGGING_H_ */ 
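Review bot: The `/* this actually compiles to nothing */` comment kept above the NDEBUG definition of `tpErrorLog` is now misleading: the hunk routes it through `tp_secinfo`, and this file's own header comment (previous hunk) says secinfo emits a log message on 10.11 rather than a dtrace probe, so the macro is presumably no longer a no-op in release builds. Suggest replacing it with `/* NDEBUG: routed to secinfo (os_log), no longer a no-op */`, and checking that the tpErrorLog/tpDebug/tpVfyDebug call sites (outside this hunk) do not format certificate or key material that was previously unreachable without dtrace. The same secdebug→secinfo substitution in the TPCertInfo.cpp and tpCredRequest.cpp hunks above carries the same consideration.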
diff --git a/OSX/libsecurity_apple_x509_tp/libsecurity_apple_x509_tp.xcodeproj/project.pbxproj b/OSX/libsecurity_apple_x509_tp/libsecurity_apple_x509_tp.xcodeproj/project.pbxproj index f06f458e..649180fa 100644 --- a/OSX/libsecurity_apple_x509_tp/libsecurity_apple_x509_tp.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_apple_x509_tp/libsecurity_apple_x509_tp.xcodeproj/project.pbxproj @@ -46,13 +46,6 @@ /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ - 182BB354146F1117000BF1F3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 1844611E146E86A900B12992 /* libsecurity_cdsa_plugin.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = C2C38A530535EDE600D7421F; - remoteInfo = libsecurity_cdsa_plugin_generate; - }; 18446123146E86A900B12992 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 1844611E146E86A900B12992 /* libsecurity_cdsa_plugin.xcodeproj */; 
@@ -93,16 +86,16 @@ C2B5C4D90534C6AA00AF53F5 /* certGroupUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = certGroupUtils.cpp; sourceTree = "<group>"; }; C2B5C4DA0534C6AA00AF53F5 /* certGroupUtils.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = certGroupUtils.h; sourceTree = "<group>"; }; C2B5C4DF0534C6AA00AF53F5 /* tpCertGroup.cpp */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 8; lastKnownFileType = sourcecode.cpp.cpp; path = tpCertGroup.cpp; sourceTree = "<group>"; tabWidth = 8; usesTabs = 1; }; - C2B5C4E00534C6AA00AF53F5 /* TPCertInfo.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = TPCertInfo.cpp; sourceTree = "<group>"; }; + C2B5C4E00534C6AA00AF53F5 /* TPCertInfo.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = TPCertInfo.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2B5C4E10534C6AA00AF53F5 /* TPCertInfo.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = TPCertInfo.h; sourceTree = "<group>"; }; - C2B5C4E20534C6AA00AF53F5 /* tpCredRequest.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tpCredRequest.cpp; sourceTree = "<group>"; }; + C2B5C4E20534C6AA00AF53F5 /* tpCredRequest.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = tpCredRequest.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2B5C4E30534C6AA00AF53F5 /* TPCrlInfo.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = TPCrlInfo.cpp; sourceTree = "<group>"; }; C2B5C4E40534C6AA00AF53F5 /* TPCrlInfo.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = 
TPCrlInfo.h; sourceTree = "<group>"; }; C2B5C4E50534C6AA00AF53F5 /* tpCrlVerify.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tpCrlVerify.cpp; sourceTree = "<group>"; }; C2B5C4E60534C6AA00AF53F5 /* tpCrlVerify.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tpCrlVerify.h; sourceTree = "<group>"; }; C2B5C4E70534C6AA00AF53F5 /* TPDatabase.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = TPDatabase.cpp; sourceTree = "<group>"; }; C2B5C4E80534C6AA00AF53F5 /* TPDatabase.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = TPDatabase.h; sourceTree = "<group>"; }; - C2B5C4E90534C6AA00AF53F5 /* tpdebugging.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tpdebugging.h; sourceTree = "<group>"; }; + C2B5C4E90534C6AA00AF53F5 /* tpdebugging.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = tpdebugging.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; C2B5C4EA0534C6AA00AF53F5 /* TPNetwork.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = TPNetwork.cpp; sourceTree = "<group>"; }; C2B5C4EB0534C6AA00AF53F5 /* TPNetwork.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = TPNetwork.h; sourceTree = "<group>"; }; C2B5C4EC0534C6AA00AF53F5 /* tpPolicies.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tpPolicies.cpp; sourceTree = "<group>"; }; @@ -256,7 +249,6 @@ buildRules = ( ); dependencies = ( - 182BB355146F1117000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_apple_x509_tp; productInstallPath = /usr/local/lib; 
@@ -270,7 +262,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD29B0987FCDD001272E0 /* Build configuration list for PBXProject "libsecurity_apple_x509_tp" */; compatibilityVersion = "Xcode 3.2"; @@ -337,14 +329,6 @@ }; /* End PBXSourcesBuildPhase section */ -/* Begin PBXTargetDependency section */ - 182BB355146F1117000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity_cdsa_plugin_generate; - targetProxy = 182BB354146F1117000BF1F3 /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - /* Begin XCBuildConfiguration section */ C27AD2980987FCDD001272E0 /* Debug */ = { isa = XCBuildConfiguration; @@ -366,13 +350,22 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1844611C146E85EA00B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; 
@@ -380,13 +373,20 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1844611C146E85EA00B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_asn1/config/base.xcconfig b/OSX/libsecurity_asn1/config/base.xcconfig index ea15367d..300d8fb7 100644 --- a/OSX/libsecurity_asn1/config/base.xcconfig +++ b/OSX/libsecurity_asn1/config/base.xcconfig @@ -12,6 +12,7 @@ COPY_PHASE_STRIP = NO STRIP_STYLE = debugging STRIP_INSTALLED_PRODUCT = NO -ARCHS = $(ARCHS_STANDARD_32_64_BIT) +ARCHS[sdk=macosx*] = $(ARCHS_STANDARD_32_64_BIT) WARNING_CFLAGS = -Wglobal-constructors -Wno-deprecated-declarations $(inherited) +GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0 diff --git a/OSX/libsecurity_asn1/config/lib.xcconfig b/OSX/libsecurity_asn1/config/lib.xcconfig index 2373abe7..644ba9df 100644 --- a/OSX/libsecurity_asn1/config/lib.xcconfig +++ b/OSX/libsecurity_asn1/config/lib.xcconfig 
@@ -5,22 +5,16 @@ EXECUTABLE_PREFIX = CODE_SIGN_IDENTITY = -HEADER_SEARCH_PATHS[sdk=macosx*] = $(PROJECT_DIR) $(PROJECT_DIR)/../include $(BUILT_PRODUCTS_DIR)/derived_src $(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers $(inherited) +HEADER_SEARCH_PATHS[sdk=macosx*] = $(PROJECT_DIR) $(PROJECT_DIR)/../include $(PROJECT_DIR)/../utilities $(BUILT_PRODUCTS_DIR)/derived_src $(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers $(inherited) -HEADER_SEARCH_PATHS[sdk=iphone*] = $(PROJECT_DIR) $(PROJECT_DIR)/../sec $(BUILT_PRODUCTS_DIR)$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include $(inherited) +HEADER_SEARCH_PATHS[sdk=embedded*] = HEADER_SEARCH_PATHS[sdk=iphone*] = $(PROJECT_DIR) $(PROJECT_DIR)/../sec $(PROJECT_DIR)/../utilities $(BUILT_PRODUCTS_DIR)/usr/local/include $(inherited) -#include "<DEVELOPER_DIR>/AppleInternal/XcodeConfig/SimulatorSupport.xcconfig" +INSTALL_PATH = /usr/local/lib -// Set INSTALL_PATH_ACTUAL to whatever INSTALL_PATH would normally be -INSTALL_PATH_ACTUAL = /usr/local/lib +SKIP_INSTALL = YES -// Set INSTALL_PATH[sdk=macosx*] when SimulatorSupport.xcconfig is unavailable -INSTALL_PATH[sdk=macosx*] = $(INSTALL_PATH_ACTUAL) - -// Use $(INSTALL_PATH_PREFIX) instead of $(SDKROOT) as a prefix for other -// variables as appropriate -PUBLIC_HEADERS_FOLDER_PATH = $(INSTALL_PATH_PREFIX)/usr/local/include/security_asn1 -PRIVATE_HEADERS_FOLDER_PATH = $(INSTALL_PATH_PREFIX)/usr/local/include/security_asn1 +PUBLIC_HEADERS_FOLDER_PATH = /usr/local/include/security_asn1 +PRIVATE_HEADERS_FOLDER_PATH = /usr/local/include/security_asn1 ALWAYS_SEARCH_USER_PATHS = NO @@ -36,4 +30,4 @@ GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES GCC_WARN_ABOUT_RETURN_TYPE = YES GCC_WARN_UNUSED_VARIABLE = YES -SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator +SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator appletvos appletvsimulator watchos watchsimulator 
diff --git a/OSX/libsecurity_asn1/lib/SecAsn1Types.h b/OSX/libsecurity_asn1/lib/SecAsn1Types.h index d24d4821..9cb362b9 100644 --- a/OSX/libsecurity_asn1/lib/SecAsn1Types.h +++ b/OSX/libsecurity_asn1/lib/SecAsn1Types.h @@ -44,6 +44,10 @@ #include <stdint.h> #include <TargetConditionals.h> + +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + #if TARGET_OS_EMBEDDED || TARGET_IPHONE_SIMULATOR /* @@@ We need something that tells us which platform we are building for that let's us distinguish if we are doing an emulator build. */ @@ -244,4 +248,6 @@ typedef SecAsn1TemplateChooser * SecAsn1TemplateChooserPtr; CF_ASSUME_NONNULL_END +#pragma clang diagnostic pop + #endif /* _SEC_ASN1_TYPES_H_ */ diff --git a/OSX/libsecurity_asn1/lib/plarena.h b/OSX/libsecurity_asn1/lib/plarena.h index 359e3851..ef8a5d6a 100644 --- a/OSX/libsecurity_asn1/lib/plarena.h +++ b/OSX/libsecurity_asn1/lib/plarena.h @@ -123,7 +123,7 @@ struct PLArenaPool { PR_BEGIN_MACRO \ PLArena *_a = (pool)->current; \ PRUword _q = (PRUword)p + size + incr; /*__APPLE__ */ \ - if ((p < p + size) && (_q > p) && (_q > p + size) && /*__APPLE__ avoid overflow in _q*/ \ + if ((p < p + size) && (_q > (PRUword)p) && (_q > (PRUword)p + size) && /*__APPLE__ avoid overflow in _q*/ \ _a->avail == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \ _q <= PL_ARENA_ALIGN(pool,_q) && /*__APPLE__ avoid overflow from alignment*/ \ _a->limit >= PL_ARENA_ALIGN(pool,_q)) { /* __APPLE__ expanded buffer within arena*/ \ diff --git a/OSX/libsecurity_asn1/lib/secasn1d.c b/OSX/libsecurity_asn1/lib/secasn1d.c index 456309ab..4ff12eef 100644 --- a/OSX/libsecurity_asn1/lib/secasn1d.c +++ b/OSX/libsecurity_asn1/lib/secasn1d.c 
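Review bot: The `#pragma clang diagnostic ignored "-Wdeprecated-declarations"` push/pop now wraps every declaration in this public header without saying which deprecated declarations it exists to silence; a one-line comment such as `/* silences -Wdeprecated-declarations for <DEPRECATED DECLARATIONS HERE> */` would stop the next maintainer from widening or removing it blindly. Because the suppression also covers anything `#include`d between the push and the pop, it would be safer to narrow it to the declarations that need it, or at least to place the push after the last `#include`; I cannot see from this hunk whether further includes fall inside the region.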
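Review bot: The first term of the rewritten guard, `(p < p + size)`, is still pointer arithmetic; the compiler may assume `p + size` does not wrap, so that comparison can be folded to `size != 0` and the "avoid overflow" intent of the line is then carried only by the two integer comparisons the commit just cast. Moving the first term into the integer domain as well, `((PRUword)p + size > (PRUword)p) && (_q > (PRUword)p) && (_q > (PRUword)p + size) &&`, keeps all three checks meaningful under optimization, since unsigned wrap is defined (both forms are false for `size == 0`, as before). `_q = (PRUword)p + size + incr` on the line above can itself wrap for a large `incr`, which is what the `_q > (PRUword)p + size` term catches — fine as long as that term survives. The macro's body continues outside the hunk.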
@@ -1069,7 +1069,9 @@ sec_asn1d_check_and_subtract_length (unsigned long *remaining, PORT_Assert(cx); if (!remaining || !cx) { PORT_SetError (SEC_ERROR_INVALID_ARGS); - cx->status = decodeError; + if(cx) { + cx->status = decodeError; + } return PR_FALSE; } if (*remaining < consumed) { diff --git a/OSX/libsecurity_asn1/lib/secasn1e.c b/OSX/libsecurity_asn1/lib/secasn1e.c index 5f383ade..e695972f 100644 --- a/OSX/libsecurity_asn1/lib/secasn1e.c +++ b/OSX/libsecurity_asn1/lib/secasn1e.c @@ -40,8 +40,6 @@ #include "secasn1.h" -#include <syslog.h> - typedef enum { beforeHeader, duringContents, @@ -1343,16 +1341,13 @@ SEC_ASN1EncoderStart (const void *src, const SecAsn1Template *theTemplate, SEC_ASN1EncoderContext *cx; our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE); - if (our_pool == NULL) { - syslog(LOG_ERR,"SEC_ASN1EncoderStart: failed to create new arena"); - return NULL; - } + if (our_pool == NULL) + return NULL; cx = (SEC_ASN1EncoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx)); if (cx == NULL) { - syslog(LOG_ERR,"SEC_ASN1EncoderStart: failed to alloc"); - PORT_FreeArena (our_pool, PR_FALSE); - return NULL; + PORT_FreeArena (our_pool, PR_FALSE); + return NULL; } cx->our_pool = our_pool; @@ -1367,9 +1362,8 @@ SEC_ASN1EncoderStart (const void *src, const SecAsn1Template *theTemplate, * Trouble initializing (probably due to failed allocations) * requires that we just give up. */ - syslog(LOG_ERR, "SEC_ASN1EncoderStart: unable to initialize state"); - PORT_FreeArena (our_pool, PR_FALSE); - return NULL; + PORT_FreeArena (our_pool, PR_FALSE); + return NULL; } return cx; @@ -1469,9 +1463,6 @@ SEC_ASN1Encode (const void *src, const SecAsn1Template *theTemplate, rv = SEC_ASN1EncoderUpdate (ecx, NULL, 0); - if (rv != SECSuccess) - syslog(LOG_ERR,"SEC_ASN1Encode: encode failure"); - SEC_ASN1EncoderFinish (ecx); return rv; } 
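Review bot: `PORT_Assert(cx)` on the line above the guarded block still fires before the new `if(cx)` check is reached, so in assert-enabled builds a NULL `cx` aborts and the new branch only matters in release builds — if the intent is to tolerate a NULL context, the assert should go or be limited to `remaining`. Also `if(cx) {` should read `if (cx) {` to match the `if (!remaining || !cx)` and `if (*remaining < consumed)` lines around it. When `cx` is NULL the error is no longer recorded on the context, so the caller sees only PR_FALSE plus whatever `PORT_SetError` stored; worth a short comment saying so. The enclosing function continues outside the hunk.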
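Review bot: With the syslog calls gone, the three failure paths in SEC_ASN1EncoderStart (arena creation, context allocation, state initialization) and the encode failure in SEC_ASN1Encode now return NULL/rv with no diagnostic at all, which makes allocation-failure reports from callers hard to attribute later; if the intent is to drop syslog rather than all logging, routing them to the same debug-logging facility the other hunks of this commit migrate to (secinfo, if libsecurity_asn1 can reach it) would preserve the signal. Separately, `if (our_pool == NULL) return NULL;` is now an unbraced single-statement body next to the braced `if (cx == NULL) { PORT_FreeArena (our_pool, PR_FALSE); return NULL; }`; bracing it, `if (our_pool == NULL) { return NULL; }`, keeps the file consistent. The same unbraced bodies appear at the three `return NULL;` sites in the SEC_ASN1EncodeItem hunk below.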
@@ -1573,23 +1564,17 @@ SEC_ASN1EncodeItem (PRArenaPool *poolp, SecAsn1Item *dest, const void *src, encoding_length = 0; rv = SEC_ASN1Encode (src, theTemplate, sec_asn1e_encode_item_count, &encoding_length); - if (rv != SECSuccess) { - syslog(LOG_ERR, "SEC_ASN1EncodeItem: Encode failed %d", rv); - return NULL; - } + if (rv != SECSuccess) + return NULL; dest = sec_asn1e_allocate_item (poolp, dest, encoding_length); - if (dest == NULL) { - syslog(LOG_ERR, "SEC_ASN1EncodeItem: allocate failure"); - return NULL; - } + if (dest == NULL) + return NULL; /* XXX necessary? This really just checks for a bug in the allocate fn */ PORT_Assert (dest->Data != NULL); - if (dest->Data == NULL) { - syslog(LOG_ERR, "SEC_ASN1EncodeItem: data allocate failure"); - return NULL; - } + if (dest->Data == NULL) + return NULL; dest->Length = 0; (void) SEC_ASN1Encode (src, theTemplate, sec_asn1e_encode_item_store, dest); diff --git a/OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/project.pbxproj b/OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/project.pbxproj index 200a8ddb..ca22c61f 100644 --- a/OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/project.pbxproj 
@@ -6,66 +6,151 @@ objectVersion = 46; objects = { +/* Begin PBXAggregateTarget section */ + D46B08791C8FCA5000B5939A /* libASN1Install */ = { + isa = PBXAggregateTarget; + buildConfigurationList = D46B087C1C8FCA5100B5939A /* Build configuration list for PBXAggregateTarget "libASN1Install" */; + buildPhases = ( + D46B087D1C8FCA5800B5939A /* Copy Static Library File */, + D46B087E1C8FCA5B00B5939A /* Copy Headers */, + ); + dependencies = ( + D46B08A41C8FCBA000B5939A /* PBXTargetDependency */, + ); + name = libASN1Install; + productName = libASN1Install; + }; +/* End PBXAggregateTarget section */ + /* Begin PBXBuildFile section */ - 18312F9714E99A3F00F0BCAC /* SecNssCoder.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434290534D3B800F287B2 /* SecNssCoder.h */; settings = {ATTRIBUTES = (Private, ); }; }; 1885B45314D9BB1A00519375 /* SecNssCoder.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C6434280534D3B800F287B2 /* SecNssCoder.cpp */; }; 18B6B2A714DB73A000EDDE5F /* secErrorStr.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6434270534D3B800F287B2 /* secErrorStr.c */; }; 4C28246B0F1BC75800CAADEC /* oidsocsp.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C2824670F1BC75800CAADEC /* oidsocsp.c */; }; - 4C28246C0F1BC75800CAADEC /* oidsocsp.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C2824680F1BC75800CAADEC /* oidsocsp.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CA8220D38041D00BAE6A2 /* SecAsn1Coder.c in Sources */ = {isa = PBXBuildFile; fileRef = 0545C7B806502D1100543007 /* SecAsn1Coder.c */; }; - 795CA8230D38041D00BAE6A2 /* SecAsn1Coder.h in Headers */ = {isa = PBXBuildFile; fileRef = 0545C7B906502D1100543007 /* SecAsn1Coder.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CA8240D38041D00BAE6A2 /* SecAsn1Templates.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6433F80534D3B800F287B2 /* SecAsn1Templates.c */; }; - 795CA8250D38041D00BAE6A2 /* SecAsn1Templates.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6433F90534D3B800F287B2 /* 
SecAsn1Templates.h */; settings = {ATTRIBUTES = (Public, ); }; }; - 795CA8260D38041D00BAE6A2 /* SecAsn1Types.h in Headers */ = {isa = PBXBuildFile; fileRef = 0554F5B609892C980085E7C5 /* SecAsn1Types.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CA8270D38041D00BAE6A2 /* certExtensionTemplates.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6433FA0534D3B800F287B2 /* certExtensionTemplates.c */; }; - 795CA8280D38041D00BAE6A2 /* certExtensionTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6433FB0534D3B800F287B2 /* certExtensionTemplates.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CA8290D38041D00BAE6A2 /* csrTemplates.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6433FC0534D3B800F287B2 /* csrTemplates.c */; }; - 795CA82A0D38041D00BAE6A2 /* csrTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6433FD0534D3B800F287B2 /* csrTemplates.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CA82B0D38041D00BAE6A2 /* keyTemplates.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6433FE0534D3B800F287B2 /* keyTemplates.c */; }; - 795CA82C0D38041D00BAE6A2 /* keyTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 0502B640068A5920006168D5 /* keyTemplates.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CA82D0D38041D00BAE6A2 /* nameTemplates.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6434000534D3B800F287B2 /* nameTemplates.c */; }; - 795CA82E0D38041D00BAE6A2 /* nameTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434010534D3B800F287B2 /* nameTemplates.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CA82F0D38041D00BAE6A2 /* nsprPortX.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6434020534D3B800F287B2 /* nsprPortX.c */; }; 795CA8300D38041D00BAE6A2 /* nssUtils.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6434060534D3B800F287B2 /* nssUtils.c */; }; - 795CA8310D38041D00BAE6A2 /* nssUtils.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434070534D3B800F287B2 /* nssUtils.h */; settings = {ATTRIBUTES 
= (Public, ); }; }; 795CA8320D38041D00BAE6A2 /* ocspTemplates.c in Sources */ = {isa = PBXBuildFile; fileRef = 0502BF9A068B51E3006168D5 /* ocspTemplates.c */; }; - 795CA8330D38041D00BAE6A2 /* ocspTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6433FF0534D3B800F287B2 /* ocspTemplates.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CA8350D38041D00BAE6A2 /* secasn1d.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6434210534D3B800F287B2 /* secasn1d.c */; }; 795CA8360D38041D00BAE6A2 /* secasn1e.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6434220534D3B800F287B2 /* secasn1e.c */; }; 795CA8380D38041D00BAE6A2 /* secasn1u.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C6434240534D3B800F287B2 /* secasn1u.c */; }; 795CA8390D38041D00BAE6A2 /* X509Templates.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C64342D0534D3B800F287B2 /* X509Templates.c */; }; - 795CA83A0D38041D00BAE6A2 /* X509Templates.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C64342E0534D3B800F287B2 /* X509Templates.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CA83B0D38041D00BAE6A2 /* osKeyTemplates.c in Sources */ = {isa = PBXBuildFile; fileRef = 0504B16106517A730011D5F5 /* osKeyTemplates.c */; }; - 795CA83C0D38041D00BAE6A2 /* osKeyTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 0504B16206517A730011D5F5 /* osKeyTemplates.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CAAD10D3BEDBB00BAE6A2 /* pkcs7Templates.c in Sources */ = {isa = PBXBuildFile; fileRef = 795CAACD0D3BEDBB00BAE6A2 /* pkcs7Templates.c */; }; - 795CAAD20D3BEDBB00BAE6A2 /* pkcs7Templates.h in Headers */ = {isa = PBXBuildFile; fileRef = 795CAACE0D3BEDBB00BAE6A2 /* pkcs7Templates.h */; settings = {ATTRIBUTES = (Public, ); }; }; 795CAAD30D3BEDBB00BAE6A2 /* pkcs12Templates.c in Sources */ = {isa = PBXBuildFile; fileRef = 795CAACF0D3BEDBB00BAE6A2 /* pkcs12Templates.c */; }; - 795CAAD40D3BEDBB00BAE6A2 /* pkcs12Templates.h in Headers */ = {isa = PBXBuildFile; fileRef = 795CAAD00D3BEDBB00BAE6A2 /* 
pkcs12Templates.h */; settings = {ATTRIBUTES = (Public, ); }; }; - 798B80C10D3E8B6700AC1D04 /* secasn1.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434200534D3B800F287B2 /* secasn1.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 798B80E00D3E8BFC00AC1D04 /* secasn1t.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434230534D3B800F287B2 /* secasn1t.h */; settings = {ATTRIBUTES = (Public, ); }; }; - 79BDD2D10D60CE82000D84D3 /* plarenas.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C64340C0534D3B800F287B2 /* plarenas.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD2ED0D60CEF5000D84D3 /* prtypes.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C64341E0534D3B800F287B2 /* prtypes.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD2F60D60CF24000D84D3 /* prcpucfg.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C64340F0534D3B800F287B2 /* prcpucfg.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD2FC0D60CF66000D84D3 /* secerr.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434260534D3B800F287B2 /* secerr.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD3020D60CFC9000D84D3 /* protypes.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C64341B0534D3B800F287B2 /* protypes.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD30C0D60D0E5000D84D3 /* seccomon.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434250534D3B800F287B2 /* seccomon.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD3100D60D116000D84D3 /* plstr.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C64340D0534D3B800F287B2 /* plstr.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD3110D60D116000D84D3 /* prlog.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434170534D3B800F287B2 /* prlog.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD33F0D60D29A000D84D3 /* prerror.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434130534D3B800F287B2 /* prerror.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD3420D60D2B2000D84D3 /* 
prerr.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434120534D3B800F287B2 /* prerr.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD3490D60D4A4000D84D3 /* prbit.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C64340E0534D3B800F287B2 /* prbit.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79BDD34A0D60D4A4000D84D3 /* prmem.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6434190534D3B800F287B2 /* prmem.h */; settings = {ATTRIBUTES = (Private, ); }; }; 79EF5A780D3C1984009F5270 /* oidsalg.c in Sources */ = {isa = PBXBuildFile; fileRef = 79EF5A730D3C1984009F5270 /* oidsalg.c */; }; - 79EF5A790D3C1984009F5270 /* oidsalg.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EF5A740D3C1984009F5270 /* oidsalg.h */; settings = {ATTRIBUTES = (Public, ); }; }; 79EF5A7A0D3C1984009F5270 /* oidsattr.c in Sources */ = {isa = PBXBuildFile; fileRef = 79EF5A750D3C1984009F5270 /* oidsattr.c */; }; - 79EF5A7B0D3C1984009F5270 /* oidsattr.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EF5A760D3C1984009F5270 /* oidsattr.h */; settings = {ATTRIBUTES = (Public, ); }; }; - 79EF5A7C0D3C1984009F5270 /* oidsbase.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EF5A770D3C1984009F5270 /* oidsbase.h */; settings = {ATTRIBUTES = (Public, ); }; }; - 79EF5BA30D3D6EF4009F5270 /* secport.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C64342B0534D3B800F287B2 /* secport.h */; settings = {ATTRIBUTES = (Private, ); }; }; 79EF5BA50D3D6EF8009F5270 /* secport.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C64342A0534D3B800F287B2 /* secport.c */; }; 79EF5BC90D3D6F44009F5270 /* plarena.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C64340A0534D3B800F287B2 /* plarena.c */; }; - 79EF5BCA0D3D6F44009F5270 /* plarena.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C64340B0534D3B800F287B2 /* plarena.h */; settings = {ATTRIBUTES = (Private, ); }; }; + D46B08801C8FCABF00B5939A /* SecAsn1Coder.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 0545C7B906502D1100543007 /* 
SecAsn1Coder.h */; }; + D46B08811C8FCABF00B5939A /* SecAsn1Templates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6433F90534D3B800F287B2 /* SecAsn1Templates.h */; }; + D46B08821C8FCABF00B5939A /* SecAsn1Types.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 0554F5B609892C980085E7C5 /* SecAsn1Types.h */; }; + D46B08831C8FCABF00B5939A /* secasn1t.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434230534D3B800F287B2 /* secasn1t.h */; }; + D46B08841C8FCAE400B5939A /* certExtensionTemplates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6433FB0534D3B800F287B2 /* certExtensionTemplates.h */; }; + D46B08851C8FCAE400B5939A /* csrTemplates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6433FD0534D3B800F287B2 /* csrTemplates.h */; }; + D46B08861C8FCAE400B5939A /* keyTemplates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 0502B640068A5920006168D5 /* keyTemplates.h */; }; + D46B08871C8FCAE400B5939A /* nameTemplates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434010534D3B800F287B2 /* nameTemplates.h */; }; + D46B08881C8FCAE400B5939A /* pkcs7Templates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 795CAACE0D3BEDBB00BAE6A2 /* pkcs7Templates.h */; }; + D46B08891C8FCAE400B5939A /* pkcs12Templates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 795CAAD00D3BEDBB00BAE6A2 /* pkcs12Templates.h */; }; + D46B088A1C8FCAE400B5939A /* ocspTemplates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6433FF0534D3B800F287B2 /* ocspTemplates.h */; }; + D46B088B1C8FCAE400B5939A /* X509Templates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C64342E0534D3B800F287B2 /* X509Templates.h */; }; + D46B088C1C8FCAE400B5939A /* osKeyTemplates.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 0504B16206517A730011D5F5 /* osKeyTemplates.h */; }; + D46B088D1C8FCAF100B5939A /* nssUtils.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434070534D3B800F287B2 /* nssUtils.h */; }; + D46B088E1C8FCAFD00B5939A /* 
oidsalg.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 79EF5A740D3C1984009F5270 /* oidsalg.h */; }; + D46B088F1C8FCAFD00B5939A /* oidsattr.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 79EF5A760D3C1984009F5270 /* oidsattr.h */; }; + D46B08901C8FCAFD00B5939A /* oidsbase.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 79EF5A770D3C1984009F5270 /* oidsbase.h */; }; + D46B08911C8FCAFD00B5939A /* oidsocsp.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C2824680F1BC75800CAADEC /* oidsocsp.h */; }; + D46B08921C8FCB2900B5939A /* prbit.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C64340E0534D3B800F287B2 /* prbit.h */; }; + D46B08931C8FCB2900B5939A /* prcpucfg.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C64340F0534D3B800F287B2 /* prcpucfg.h */; }; + D46B08941C8FCB2900B5939A /* prerr.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434120534D3B800F287B2 /* prerr.h */; }; + D46B08951C8FCB2900B5939A /* prerror.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434130534D3B800F287B2 /* prerror.h */; }; + D46B08961C8FCB2900B5939A /* prlog.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434170534D3B800F287B2 /* prlog.h */; }; + D46B08971C8FCB2900B5939A /* prmem.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434190534D3B800F287B2 /* prmem.h */; }; + D46B08981C8FCB2900B5939A /* protypes.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C64341B0534D3B800F287B2 /* protypes.h */; }; + D46B08991C8FCB2900B5939A /* prtypes.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C64341E0534D3B800F287B2 /* prtypes.h */; }; + D46B089A1C8FCB5E00B5939A /* secasn1.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434200534D3B800F287B2 /* secasn1.h */; }; + D46B089B1C8FCB5E00B5939A /* seccomon.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434250534D3B800F287B2 /* seccomon.h */; }; + D46B089C1C8FCB5E00B5939A /* secerr.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434260534D3B800F287B2 
/* secerr.h */; }; + D46B089D1C8FCB5E00B5939A /* SecNssCoder.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C6434290534D3B800F287B2 /* SecNssCoder.h */; }; + D46B089E1C8FCB5E00B5939A /* secport.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C64342B0534D3B800F287B2 /* secport.h */; }; + D46B089F1C8FCB8D00B5939A /* plarena.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C64340B0534D3B800F287B2 /* plarena.h */; }; + D46B08A01C8FCB8D00B5939A /* plarenas.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C64340C0534D3B800F287B2 /* plarenas.h */; }; + D46B08A11C8FCB8D00B5939A /* plstr.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 4C64340D0534D3B800F287B2 /* plstr.h */; }; + D46B08A21C8FCB9A00B5939A /* libASN1.a in Copy Static Library File */ = {isa = PBXBuildFile; fileRef = 795CA7FF0D38013D00BAE6A2 /* libASN1.a */; }; /* End PBXBuildFile section */ +/* Begin PBXContainerItemProxy section */ + D46B08A31C8FCBA000B5939A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 9D56980C03E74D6100003D05 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 795CA7FE0D38013D00BAE6A2; + remoteInfo = libASN1; + }; +/* End PBXContainerItemProxy section */ + +/* Begin PBXCopyFilesBuildPhase section */ + D46B087D1C8FCA5800B5939A /* Copy Static Library File */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/lib; + dstSubfolderSpec = 0; + files = ( + D46B08A21C8FCB9A00B5939A /* libASN1.a in Copy Static Library File */, + ); + name = "Copy Static Library File"; + runOnlyForDeploymentPostprocessing = 1; + }; + D46B087E1C8FCA5B00B5939A /* Copy Headers */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/include/security_asn1; + dstSubfolderSpec = 0; + files = ( + D46B089F1C8FCB8D00B5939A /* plarena.h in Copy Headers */, + D46B08A01C8FCB8D00B5939A /* plarenas.h in Copy Headers */, + D46B08A11C8FCB8D00B5939A /* plstr.h in Copy Headers */, + 
D46B089A1C8FCB5E00B5939A /* secasn1.h in Copy Headers */, + D46B089B1C8FCB5E00B5939A /* seccomon.h in Copy Headers */, + D46B089C1C8FCB5E00B5939A /* secerr.h in Copy Headers */, + D46B089D1C8FCB5E00B5939A /* SecNssCoder.h in Copy Headers */, + D46B089E1C8FCB5E00B5939A /* secport.h in Copy Headers */, + D46B08921C8FCB2900B5939A /* prbit.h in Copy Headers */, + D46B08931C8FCB2900B5939A /* prcpucfg.h in Copy Headers */, + D46B08941C8FCB2900B5939A /* prerr.h in Copy Headers */, + D46B08951C8FCB2900B5939A /* prerror.h in Copy Headers */, + D46B08961C8FCB2900B5939A /* prlog.h in Copy Headers */, + D46B08971C8FCB2900B5939A /* prmem.h in Copy Headers */, + D46B08981C8FCB2900B5939A /* protypes.h in Copy Headers */, + D46B08991C8FCB2900B5939A /* prtypes.h in Copy Headers */, + D46B088E1C8FCAFD00B5939A /* oidsalg.h in Copy Headers */, + D46B088F1C8FCAFD00B5939A /* oidsattr.h in Copy Headers */, + D46B08901C8FCAFD00B5939A /* oidsbase.h in Copy Headers */, + D46B08911C8FCAFD00B5939A /* oidsocsp.h in Copy Headers */, + D46B088D1C8FCAF100B5939A /* nssUtils.h in Copy Headers */, + D46B08841C8FCAE400B5939A /* certExtensionTemplates.h in Copy Headers */, + D46B08851C8FCAE400B5939A /* csrTemplates.h in Copy Headers */, + D46B08861C8FCAE400B5939A /* keyTemplates.h in Copy Headers */, + D46B08871C8FCAE400B5939A /* nameTemplates.h in Copy Headers */, + D46B08881C8FCAE400B5939A /* pkcs7Templates.h in Copy Headers */, + D46B08891C8FCAE400B5939A /* pkcs12Templates.h in Copy Headers */, + D46B088A1C8FCAE400B5939A /* ocspTemplates.h in Copy Headers */, + D46B088B1C8FCAE400B5939A /* X509Templates.h in Copy Headers */, + D46B088C1C8FCAE400B5939A /* osKeyTemplates.h in Copy Headers */, + D46B08801C8FCABF00B5939A /* SecAsn1Coder.h in Copy Headers */, + D46B08811C8FCABF00B5939A /* SecAsn1Templates.h in Copy Headers */, + D46B08821C8FCABF00B5939A /* SecAsn1Types.h in Copy Headers */, + D46B08831C8FCABF00B5939A /* secasn1t.h in Copy Headers */, + ); + name = "Copy Headers"; + 
runOnlyForDeploymentPostprocessing = 1; + }; +/* End PBXCopyFilesBuildPhase section */ + /* Begin PBXFileReference section */ 0502B640068A5920006168D5 /* keyTemplates.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = keyTemplates.h; sourceTree = "<group>"; }; 0502BF9A068B51E3006168D5 /* ocspTemplates.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ocspTemplates.c; sourceTree = "<group>"; }; 
@@ -283,40 +368,6 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( - 79BDD3490D60D4A4000D84D3 /* prbit.h in Headers */, - 79BDD34A0D60D4A4000D84D3 /* prmem.h in Headers */, - 79BDD3100D60D116000D84D3 /* plstr.h in Headers */, - 79BDD3110D60D116000D84D3 /* prlog.h in Headers */, - 79BDD30C0D60D0E5000D84D3 /* seccomon.h in Headers */, - 79BDD3420D60D2B2000D84D3 /* prerr.h in Headers */, - 79BDD33F0D60D29A000D84D3 /* prerror.h in Headers */, - 79BDD2FC0D60CF66000D84D3 /* secerr.h in Headers */, - 79EF5BA30D3D6EF4009F5270 /* secport.h in Headers */, - 798B80C10D3E8B6700AC1D04 /* secasn1.h in Headers */, - 798B80E00D3E8BFC00AC1D04 /* secasn1t.h in Headers */, - 79BDD2F60D60CF24000D84D3 /* prcpucfg.h in Headers */, - 79BDD2ED0D60CEF5000D84D3 /* prtypes.h in Headers */, - 79EF5BCA0D3D6F44009F5270 /* plarena.h in Headers */, - 79BDD3020D60CFC9000D84D3 /* protypes.h in Headers */, - 79BDD2D10D60CE82000D84D3 /* plarenas.h in Headers */, - 795CA8230D38041D00BAE6A2 /* SecAsn1Coder.h in Headers */, - 795CA8250D38041D00BAE6A2 /* SecAsn1Templates.h in Headers */, - 795CA8260D38041D00BAE6A2 /* SecAsn1Types.h in Headers */, - 795CA8280D38041D00BAE6A2 /* certExtensionTemplates.h in Headers */, - 795CA82A0D38041D00BAE6A2 /* csrTemplates.h in Headers */, - 795CA82C0D38041D00BAE6A2 /* keyTemplates.h in Headers */, - 795CA82E0D38041D00BAE6A2 /* nameTemplates.h in Headers */, - 795CA8310D38041D00BAE6A2 /* nssUtils.h in Headers */, - 795CA8330D38041D00BAE6A2 /* ocspTemplates.h in Headers */, - 795CA83A0D38041D00BAE6A2 /* X509Templates.h in Headers */, - 795CA83C0D38041D00BAE6A2 /* osKeyTemplates.h in Headers */, - 795CAAD20D3BEDBB00BAE6A2 /* pkcs7Templates.h in Headers */, - 795CAAD40D3BEDBB00BAE6A2 /* pkcs12Templates.h in Headers */, - 79EF5A790D3C1984009F5270 /* oidsalg.h in Headers */, - 79EF5A7B0D3C1984009F5270 /* oidsattr.h in Headers */, - 79EF5A7C0D3C1984009F5270 /* oidsbase.h in Headers */, - 4C28246C0F1BC75800CAADEC /* oidsocsp.h in Headers */, - 
18312F9714E99A3F00F0BCAC /* SecNssCoder.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -346,7 +397,12 @@ 9D56980C03E74D6100003D05 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; + TargetAttributes = { + D46B08791C8FCA5000B5939A = { + CreatedOnToolsVersion = 7.3; + }; + }; }; buildConfigurationList = C23B0CEC09A298C500B7FCED /* Build configuration list for PBXProject "libsecurity_asn1" */; compatibilityVersion = "Xcode 3.2"; @@ -364,6 +420,7 @@ projectRoot = ""; targets = ( 795CA7FE0D38013D00BAE6A2 /* libASN1 */, + D46B08791C8FCA5000B5939A /* libASN1Install */, ); }; /* End PBXProject section */ @@ -401,18 +458,30 @@ }; /* End PBXSourcesBuildPhase section */ +/* Begin PBXTargetDependency section */ + D46B08A41C8FCBA000B5939A /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 795CA7FE0D38013D00BAE6A2 /* libASN1 */; + targetProxy = D46B08A31C8FCBA000B5939A /* PBXContainerItemProxy */; + }; +/* End PBXTargetDependency section */ + /* Begin XCBuildConfiguration section */ 795CA8090D3801A700BAE6A2 /* Debug */ = { isa = XCBuildConfiguration; baseConfigurationReference = 18B647F614D9FD4500F538BF /* debug.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; CLANG_STATIC_ANALYZER_MODE = deep; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_TESTABILITY = YES; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + ONLY_ACTIVE_ARCH = YES; RUN_CLANG_STATIC_ANALYZER = YES; }; name = Debug; 
@@ -430,12 +499,14 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18B647F814D9FD4500F538BF /* release.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; CLANG_STATIC_ANALYZER_MODE = deep; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; RUN_CLANG_STATIC_ANALYZER = YES; }; @@ -450,6 +521,20 @@ }; name = Release; }; + D46B087A1C8FCA5100B5939A /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + D46B087B1C8FCA5100B5939A /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; /* End XCBuildConfiguration section */ /* Begin XCConfigurationList section */ @@ -471,6 +556,15 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; + D46B087C1C8FCA5100B5939A /* Build configuration list for PBXAggregateTarget "libASN1Install" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + D46B087A1C8FCA5100B5939A /* Debug */, + D46B087B1C8FCA5100B5939A /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; /* End XCConfigurationList section */ }; rootObject = 9D56980C03E74D6100003D05 /* Project object */; diff --git a/OSX/libsecurity_authorization/lib/Authorization.c b/OSX/libsecurity_authorization/lib/Authorization.c index f864a5c3..533fb326 100644 --- a/OSX/libsecurity_authorization/lib/Authorization.c +++ b/OSX/libsecurity_authorization/lib/Authorization.c 
@@ -106,8 +106,8 @@ OSStatus AuthorizationCreate(const AuthorizationRights *rights, // Reply reply = xpc_connection_send_message_with_reply_sync(get_authorization_connection(), message); - require_action(reply != NULL, done, status = errAuthorizationInternal); - require_action(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal); + require_action_quiet(reply != NULL, done, status = errAuthorizationInternal); + require_action_quiet(xpc_get_type(reply) != XPC_TYPE_ERROR, done, status = errAuthorizationInternal); // Status status = (OSStatus)xpc_dictionary_get_int64(reply, AUTH_XPC_STATUS); diff --git a/OSX/libsecurity_authorization/lib/Authorization.h b/OSX/libsecurity_authorization/lib/Authorization.h index e70ca25a..068a5e22 100644 --- a/OSX/libsecurity_authorization/lib/Authorization.h +++ b/OSX/libsecurity_authorization/lib/Authorization.h @@ -158,7 +158,7 @@ typedef const char *AuthorizationString; typedef struct { AuthorizationString name; size_t valueLength; - void *value; + void * __nullable value; UInt32 flags; } AuthorizationItem; @@ -172,7 +172,7 @@ typedef struct { */ typedef struct { UInt32 count; - AuthorizationItem *items; + AuthorizationItem * __nullable items; } AuthorizationItemSet; @@ -188,9 +188,7 @@ typedef struct { SECURITY NOTE: Applications should take care to not disclose the AuthorizationExternalForm to potential attackers since it would authorize rights to them. */ -enum { - kAuthorizationExternalFormLength = 32 -}; +static const size_t kAuthorizationExternalFormLength = 32; typedef struct { char bytes[kAuthorizationExternalFormLength]; 
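Review bot: In the Authorization.h @@ -188 hunk, `static const size_t kAuthorizationExternalFormLength = 32;` is not an integer constant expression in C, so the `char bytes[kAuthorizationExternalFormLength];` member that follows it is a variably-modified type as far as the C standard is concerned; clang accepts this as an extension (it folds the const into a constant), but a strict C compiler rejects a VLA member at file scope, and this is a public header. The anonymous `enum` it replaces was a true constant in both C and C++. If a typed `size_t` is wanted for C++ consumers, keep the `enum` for C and add the typed constant under `#ifdef __cplusplus`, or keep the enum and cast at the few uses that need `size_t`.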
@@ -342,7 +340,6 @@ void AuthorizationCopyRightsAsync(AuthorizationRef authorization, @param authorization (input) The authorization object on which this operation is performed. @param tag (input/optional) An optional string tag specifing which sideband information should be returned. When NULL is specified all available information is returned. - @param flags (input) options specified by the AuthorizationFlags enum. set all unused bits to zero to allow for future expansion. @param info (output) A pointer to a newly allocated AuthorizationInfoSet in which the requested sideband infomation is returned (info should be deallocated by calling AuthorizationFreeItemSet() when it is no longer needed). @result errAuthorizationSuccess 0 No error. diff --git a/OSX/libsecurity_authorization/lib/AuthorizationPlugin.h b/OSX/libsecurity_authorization/lib/AuthorizationPlugin.h index f57c34a2..66c919df 100644 --- a/OSX/libsecurity_authorization/lib/AuthorizationPlugin.h +++ b/OSX/libsecurity_authorization/lib/AuthorizationPlugin.h @@ -214,8 +214,8 @@ typedef struct AuthorizationCallbacks { /* Read value from context. AuthorizationValue does not own data. */ OSStatus (*GetContextValue)(AuthorizationEngineRef inEngine, AuthorizationString inKey, - AuthorizationContextFlags *outContextFlags, - const AuthorizationValue * __nullable * __nonnull outValue); + AuthorizationContextFlags * __nullable outContextFlags, + const AuthorizationValue * __nullable * __nullable outValue); /* Write value to context. AuthorizationValue and data are copied. */ OSStatus (*SetContextValue)(AuthorizationEngineRef inEngine, 
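Review bot: Relaxing the out-parameters of `GetContextValue` from `__nonnull` to `__nullable` (and likewise `GetHintValue`, `GetSessionId` and `GetImmutableHintValue` in the next two hunks) tells plugin authors that passing NULL is a supported call, yet the comment above each callback still reads only "Read value from context" and says nothing about what the engine does with a NULL `outValue` or `outContextFlags`. The engine side that would have to NULL-check is not in this diff, so it is worth confirming it does; otherwise the annotation invites a crash in the authorization engine from a plugin that omits the out pointer. A one-line comment per callback stating the behaviour when the out pointer is NULL would make the contract explicit at the declaration.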
@@ -226,7 +226,7 @@ typedef struct AuthorizationCallbacks { /* Read value from hints. AuthorizationValue does not own data. */ OSStatus (*GetHintValue)(AuthorizationEngineRef inEngine, AuthorizationString inKey, - const AuthorizationValue * __nullable * __nonnull outValue); + const AuthorizationValue * __nullable * __nullable outValue); /* Write value to hints. AuthorizationValue and data are copied. */ OSStatus (*SetHintValue)(AuthorizationEngineRef inEngine, @@ -239,12 +239,12 @@ typedef struct AuthorizationCallbacks { /* Read SessionId. */ OSStatus (*GetSessionId)(AuthorizationEngineRef inEngine, - AuthorizationSessionId __nullable * __nonnull outSessionId); + AuthorizationSessionId __nullable * __nullable outSessionId); /* Read value from hints. AuthorizationValue does not own data. */ OSStatus (*GetImmutableHintValue)(AuthorizationEngineRef inEngine, AuthorizationString inKey, - const AuthorizationValue * __nullable * __nonnull outValue); + const AuthorizationValue * __nullable * __nullable outValue); } AuthorizationCallbacks; diff --git a/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h b/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h index 0e11f023..6001609e 100644 --- a/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h +++ b/OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h @@ -229,6 +229,12 @@ */ #define kAuthorizationRuleParameterRequireAppleSigned "require-apple-signed" +/*! @defined kAuthorizationRuleParameterPasswordOnly + boolean, default false - if true, all alternative authentication methods + like smart cards are disabled for this rule, only password is allowed + */ +#define kAuthorizationRuleParameterPasswordOnly "password-only" + /* * Hints for internal Authorization use */ 
@@ -240,6 +246,7 @@ #define AGENT_HINT_CUSTOM_PROMPT "prompt" #define AGENT_HINT_AUTHORIZE_RIGHT "authorize-right" #define AGENT_HINT_CLIENT_PID "client-pid" +#define AGENT_HINT_CUSTOM_PID "custom-pid" #define AGENT_HINT_CLIENT_UID "client-uid" #define AGENT_HINT_CLIENT_VALIDITY "client-signature-validity" #define AGENT_HINT_CREATOR_PID "creator-pid" @@ -253,6 +260,10 @@ #define AGENT_HINT_TOKEN_NAME "token-name" #define AGENT_HINT_PROCESS_SIGNED "process-apple-signed" #define AGENT_HINT_SHOW_RESET "show-reset" +#define AGENT_HINT_PASSWORD_ONLY "password-only" + +// Public Key Hash from certificate used for login +#define AGENT_HINT_TOKEN_HASH "token-hash" /* passed by loginwindow to securityd and agent */ #define AGENT_HINT_IMMEDIATE_LAUNCH "immediate-agent" @@ -268,6 +279,7 @@ #define AGENT_HINT_ACL_MISMATCH "acl-mismatch" #define AGENT_HINT_KEYCHAIN_ITEM_NAME "keychain-item-name" #define AGENT_HINT_KEYCHAIN_PATH "keychain-path" +#define AGENT_HINT_KEYCHAIN_CHECK "keychain-check-pwd" #define AGENT_HINT_WINDOW_LEVEL "window-level" /* Login Keychain Creation hint keys */ @@ -325,4 +337,16 @@ #define AGENT_CONTEXT_REMEMBER_ACTION "remember-action" #define AGENT_CONTEXT_ALLOW "allow" +/* Authorization Hints Providers */ +#define AGENT_CONTEXT_AP_USER_NAME "ap-user-name" +#define AGENT_CONTEXT_AP_TOKEN "ap-token" +#define AGENT_CONTEXT_AP_PAM_SERVICE_NAME "ap-pam-service-name" +#define AGENT_CONTEXT_AP_PAM_ERROR_MESSAGE "ap-pam-error-message" + +/* ID of smartcard which was used for authentication */ +#define AGENT_CONTEXT_AUTH_TOKEN_ID "authenticated-token-id" + +/* LocalAuthentication specific */ +#define AGENT_CONTEXT_LACONTEXT "la-context" + #endif /* !_SECURITY_AUTHORIZATIONTAGSPRIV_H_ */ diff --git a/OSX/libsecurity_authorization/lib/trampolineClient.cpp b/OSX/libsecurity_authorization/lib/trampolineClient.cpp index a640f0a0..00fed805 100644 --- a/OSX/libsecurity_authorization/lib/trampolineClient.cpp +++ b/OSX/libsecurity_authorization/lib/trampolineClient.cpp 
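Review bot: `#define AGENT_HINT_CUSTOM_PID "custom-pid"` is added without a comment, whereas its neighbours `client-pid` and `creator-pid` at least name, by their spelling, which process they refer to; nothing here says which process a custom pid names, who sets it, or how the agent treats it relative to `client-pid`. Hints are supplied by the caller, so if this pid is displayed or used for lookups by the agent, the definition is the place to say so. Suggest a comment above the define along the lines of `/* pid the agent should use instead of client-pid; set by <TODO: owner> — document trust assumptions */`.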
@@ -152,12 +152,12 @@ OSStatus AuthorizationExecuteWithPrivilegesExternalForm(const AuthorizationExter if (errno == EAGAIN) { // potentially recoverable resource shortage if (n > 0) { - secdebug("authexec", "resource shortage (EAGAIN), delaying %d seconds", delay); + secinfo("authexec", "resource shortage (EAGAIN), delaying %d seconds", delay); sleep(delay); continue; } } - secdebug("authexec", "fork failed (errno=%d)", errno); + secinfo("authexec", "fork failed (errno=%d)", errno); close(notify[READ]); close(notify[WRITE]); return errAuthorizationToolExecuteFailure; @@ -171,16 +171,16 @@ OSStatus AuthorizationExecuteWithPrivilegesExternalForm(const AuthorizationExter fclose(mbox); // get status notification from child - secdebug("authexec", "parent waiting for status"); + secinfo("authexec", "parent waiting for status"); ssize_t rc = read(notify[READ], &status, sizeof(status)); status = n2h(status); switch (rc) { default: // weird result of read: post error - secdebug("authexec", "unexpected read return value %ld", long(rc)); + secinfo("authexec", "unexpected read return value %ld", long(rc)); status = errAuthorizationToolEnvironmentError; // fall through case sizeof(status): // read succeeded: child reported an error - secdebug("authexec", "parent received status=%d", (int)status); + secinfo("authexec", "parent received status=%d", (int)status); close(notify[READ]); if (communicationsPipe) { close(comm[READ]); close(comm[WRITE]); } goto exit_point; @@ -188,7 +188,7 @@ OSStatus AuthorizationExecuteWithPrivilegesExternalForm(const AuthorizationExter close(notify[READ]); if (communicationsPipe) *communicationsPipe = fdopen(comm[READ], "r+"); - secdebug("authexec", "parent resumes (no error)"); + secinfo("authexec", "parent resumes (no error)"); status = errSecSuccess; goto exit_point; } 
diff --git a/OSX/libsecurity_authorization/libsecurity_authorization.xcodeproj/project.pbxproj b/OSX/libsecurity_authorization/libsecurity_authorization.xcodeproj/project.pbxproj index 995cc736..6522557b 100644 --- a/OSX/libsecurity_authorization/libsecurity_authorization.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_authorization/libsecurity_authorization.xcodeproj/project.pbxproj 
@@ -53,7 +53,7 @@ 40BC5D9605322F76009E6ADA /* AuthorizationTags.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = AuthorizationTags.h; path = lib/AuthorizationTags.h; sourceTree = "<group>"; }; 40BC5D9805322F76009E6ADA /* AuthSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = AuthSession.h; path = lib/AuthSession.h; sourceTree = "<group>"; }; 40C767090534CCDB008AC043 /* AuthorizationTagsPriv.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = AuthorizationTagsPriv.h; path = lib/AuthorizationTagsPriv.h; sourceTree = "<group>"; }; - 4C481F03058161C400846F0C /* trampolineClient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = trampolineClient.cpp; path = lib/trampolineClient.cpp; sourceTree = "<group>"; }; + 4C481F03058161C400846F0C /* trampolineClient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; name = trampolineClient.cpp; path = lib/trampolineClient.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C481F04058161C400846F0C /* trampolineServer.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = trampolineServer.cpp; path = lib/trampolineServer.cpp; sourceTree = "<group>"; }; 4C6848A005815EE4003AC7B2 /* privPort.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = privPort.h; path = lib/privPort.h; sourceTree = "<group>"; }; 4CA1FEBE052A3C8100F22E42 /* libsecurity_authorization.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libsecurity_authorization.a; sourceTree = BUILT_PRODUCTS_DIR; }; @@ -162,7 +162,6 @@ buildRules = ( ); dependencies = ( - 182BB337146F100D000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_authorization; productInstallPath = /usr/local/lib; 
@@ -176,7 +175,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD2B70987FCDD001272E0 /* Build configuration list for PBXProject "libsecurity_authorization" */; compatibilityVersion = "Xcode 3.2"; @@ -266,12 +265,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18446156146E928E00B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -279,12 +287,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18446156146E928E00B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_cdsa_client/lib/aclclient.cpp b/OSX/libsecurity_cdsa_client/lib/aclclient.cpp index 988943fd..caca8685 100644 --- a/OSX/libsecurity_cdsa_client/lib/aclclient.cpp +++ b/OSX/libsecurity_cdsa_client/lib/aclclient.cpp 
@@ -21,10 +21,12 @@ // #include <security_cdsa_client/cssmclient.h> #include <security_cdsa_client/aclclient.h> -#include <security_cdsa_client/keychainacl.h> +#include <security_cdsa_client/keyclient.h> +#include <security_cdsa_client/keychainacl.h> #include <security_cdsa_utilities/cssmwalkers.h> #include <security_cdsa_utilities/cssmdata.h> - +#include <security_cdsa_utilities/cssmendian.h> +#include <securityd_client/handletypes.h> namespace Security { namespace CssmClient { 
@@ -243,7 +245,41 @@ AclFactory::PasswordChangeCredentials::PasswordChangeCredentials (const CssmData new (allocator) ListElement (CssmAutoData(allocator, password).release())); } - + +// +// Manage the (pseudo) credentials used to explicitly provide a master key to a keychain. +// +AclFactory::MasterKeyUnlockCredentials::MasterKeyUnlockCredentials (const CssmClient::Key& key, + Allocator& allocator) : KeychainCredentials(allocator) +{ + // Flatten out this key into: + // { h2ni(CSSM_KEY) : raw data for CSSM_KEY } + // which is also (on x86_64): + // { h2ni(CSSM_KEYHEADER) : 4 byte align : CSSM_DATA{0:0} : raw data for CSSM_KEY } + // (placement of alignment bytes uncertain) + // + // Data format is for consumption by kcdatabase.cpp:unflattenKey() + + size_t dataLen = sizeof(CSSM_KEY) + key->keyData().length(); + CssmAutoData flattenedKey(allocator); + flattenedKey.malloc(dataLen); + memset(flattenedKey, 0, dataLen); + + // The key header must be in network-byte order for some reason + CSSM_KEYHEADER header = key->header(); + Security::h2ni(header); + memcpy(flattenedKey, &header, sizeof(CSSM_KEYHEADER)); + memcpy(((uint8_t*) flattenedKey.data()) + sizeof(CSSM_KEY), key->keyData().data(), key->keyData().length()); + + mCredentials->sample(0) = TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK, + new (allocator) ListElement(CSSM_SAMPLE_TYPE_SYMMETRIC_KEY), + new (allocator) ListElement(CssmAutoData(allocator, CssmData::wrap((SecurityServer::KeyHandle) 0)).release()), + new (allocator) ListElement(CssmAutoData(allocator, CssmData::wrap(*((const CssmKey*) key))).release()), + new (allocator) ListElement(flattenedKey.release())); +} + + + // // Wide open ("ANY") CSSM forms for owner and ACL entry // diff --git a/OSX/libsecurity_cdsa_client/lib/aclclient.h b/OSX/libsecurity_cdsa_client/lib/aclclient.h index 2daa1cfd..8789eb25 100644 --- a/OSX/libsecurity_cdsa_client/lib/aclclient.h +++ b/OSX/libsecurity_cdsa_client/lib/aclclient.h 
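Review bot: `flattenedKey` holds a byte-for-byte copy of the master key's raw bytes, and the same sample also carries `*((const CssmKey*) key)` by value; both are released into `ListElement`s owned by `mCredentials`, but nothing visible in this hunk zeroizes that memory when the credentials are destroyed, so the master key would remain in freed heap if the underlying `Allocator` does a plain free. Worth confirming what the allocator used for `KeychainCredentials` does on release, and if it is not a scrubbing allocator, clearing these buffers explicitly in the owning destructor. The format comment itself says the placement of the alignment padding is uncertain; since `kcdatabase.cpp:unflattenKey()` must agree byte-for-byte, a cross-reference comment there pointing back at this constructor (or a shared helper for both) would keep the two from drifting.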
@@ -32,7 +32,7 @@ namespace Security { namespace CssmClient { class CSP; - +class Key; // // Any client-side object that has CSSM-layer ACLs shall be @@ -139,6 +139,12 @@ public: PasswordChangeCredentials (const CssmData& password, Allocator& allocator); }; + // create an AccessCredentials to explicitly provide a keychain master key + class MasterKeyUnlockCredentials : public KeychainCredentials { + public: + MasterKeyUnlockCredentials (const Key& key, Allocator& allocator); + }; + public: class AnyResourceContext : public ResourceControlContext { public: diff --git a/OSX/libsecurity_cdsa_client/lib/cssmclient.cpp b/OSX/libsecurity_cdsa_client/lib/cssmclient.cpp index 05a59c49..ce83b5e2 100644 --- a/OSX/libsecurity_cdsa_client/lib/cssmclient.cpp +++ b/OSX/libsecurity_cdsa_client/lib/cssmclient.cpp @@ -30,7 +30,7 @@ // and thus don't need to be interlocked explicitly. // #include <security_cdsa_client/cssmclient.h> -#include <syslog.h> +#include <utilities/debugging.h> using namespace CssmClient; @@ -80,7 +80,7 @@ try if (!isIdle()) { int i = mChildCount; - syslog(LOG_ALERT, "Object %p still has %d children at delete.\n", this, i); + secerror("Object %p still has %d children at delete.\n", this, i); } // release parent from her obligations (if we still have one) @@ -269,13 +269,13 @@ void CssmImpl::StandardCssm::unsetCssm(CssmImpl *cssm) mCssm = NULL; } -CssmImpl *CssmImpl::StandardCssm::get() +Cssm CssmImpl::StandardCssm::get() { StLock<Mutex> _(*this); if (mCssm == NULL) { // make the default instance mCssm = new CssmImpl(true); } - return mCssm; + return Cssm(mCssm); } CssmImpl::StandardCssm::~StandardCssm() 
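Review bot: In the cssmclient.cpp @@ -80 hunk, `secerror("Object %p still has %d children at delete.\n", this, i)` keeps the trailing `\n` from the `syslog` call it replaces; every other `sec*` message in this diff (`secinfo`, `secnotice`) is written without a terminating newline, so this one will likely emit a stray line break in the log. Drop it: `secerror("Object %p still has %d children at delete.", this, i);`.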
@@ -383,7 +383,7 @@ void ModuleEvents::fault(uint32 subService, CSSM_SERVICE_TYPE type) { } void ModuleImpl::appNotifyCallback(CSSM_API_ModuleEventHandler appNotifyCallback, void *appNotifyCallbackCtx) { - secdebug("callback","In ModuleImpl::appNotifyCallback, appNotifyCallback=%p, appNotifyCallbackCtx=%p", + secinfo("callback","In ModuleImpl::appNotifyCallback, appNotifyCallback=%p, appNotifyCallbackCtx=%p", appNotifyCallback, appNotifyCallbackCtx); if (mActive) Error::throwMe(Error::objectBusy); @@ -407,7 +407,7 @@ ModuleImpl::activate() { session()->init(); // @@@ install handler here (use central dispatch with override) - secdebug("callback","In ModuleImpl::activate, mAppNotifyCallback=%p, mAppNotifyCallbackCtx=%p", + secinfo("callback","In ModuleImpl::activate, mAppNotifyCallback=%p, mAppNotifyCallbackCtx=%p", mAppNotifyCallback, mAppNotifyCallbackCtx); check(CSSM_ModuleLoad(&guid(), CSSM_KEY_HIERARCHY_NONE, mAppNotifyCallback, mAppNotifyCallbackCtx)); mActive = true; diff --git a/OSX/libsecurity_cdsa_client/lib/cssmclient.h b/OSX/libsecurity_cdsa_client/lib/cssmclient.h index 53719b82..9b003382 100644 --- a/OSX/libsecurity_cdsa_client/lib/cssmclient.h +++ b/OSX/libsecurity_cdsa_client/lib/cssmclient.h @@ -350,10 +350,12 @@ private: ~StandardCssm(); void setCssm(CssmImpl *cssm); void unsetCssm(CssmImpl *cssm); - CssmImpl *get(); + Cssm get(); private: - CssmImpl *mCssm; + RefPointer<CssmImpl> mCssm; // 'Leaks' this object (in that it won't ever be deleted after creation), but + // there's no safe way to vend and re-create this object in a multi-threaded environment + // without an implementation of WeakRefPointer<>. }; static ModuleNexus<StandardCssm> mStandard; }; diff --git a/OSX/libsecurity_cdsa_client/lib/dlclient.cpp b/OSX/libsecurity_cdsa_client/lib/dlclient.cpp index 127f9b13..2846d3cf 100644 --- a/OSX/libsecurity_cdsa_client/lib/dlclient.cpp +++ b/OSX/libsecurity_cdsa_client/lib/dlclient.cpp 
@@ -481,7 +481,7 @@ uint32 DbImpl::dbBlobVersion() { if(dl()->guid() == gGuidAppleCSPDL) { check(CSSM_DL_PassThrough(handle(), CSSM_APPLECSPDL_DB_GET_BLOB_VERSION, NULL, (void**) &dbBlobVersionPtr)); } else { - secdebugfunc("integrity", "Non-Apple CSPDL keychains don't have keychain versions"); + secnotice("integrity", "Non-Apple CSPDL keychains don't have keychain versions"); } return dbBlobVersion; } @@ -493,6 +493,10 @@ uint32 DbImpl::recodeDbToVersion(uint32 version) { return newDbVersion; } +void DbImpl::recodeFinished() { + check(CSSM_DL_PassThrough(handle(), CSSM_APPLECSPDL_DB_RECODE_FINISHED, NULL, NULL)); +} + void DbImpl::takeFileLock() { passThrough(CSSM_APPLECSPDL_DB_TAKE_FILE_LOCK, NULL, NULL); } 
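Review bot: `DbImpl::recodeFinished()` calls `check(CSSM_DL_PassThrough(handle(), CSSM_APPLECSPDL_DB_RECODE_FINISHED, NULL, NULL))` directly, while the adjacent `takeFileLock()` (and `makeBackup()` in the next hunk) route the same kind of Apple-CSPDL operation through the `passThrough(...)` wrapper. Unless bypassing the wrapper is deliberate, `passThrough(CSSM_APPLECSPDL_DB_RECODE_FINISHED, NULL, NULL);` keeps the error handling in one place and matches the file's style.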
@@ -505,6 +509,52 @@ void DbImpl::makeBackup() { passThrough(CSSM_APPLECSPDL_DB_MAKE_BACKUP, NULL, NULL); } +void DbImpl::makeCopy(const char* path) { + passThrough(CSSM_APPLECSPDL_DB_MAKE_COPY, path, NULL); +} + +void DbImpl::deleteFile() { + passThrough(CSSM_APPLECSPDL_DB_DELETE_FILE, NULL, NULL); +} + +void DbImpl::transferTo(const DLDbIdentifier& dldbidentifier) { + if (dldbidentifier.ssuid().subserviceType() & CSSM_SERVICE_CSP) { + // if we're an Apple CSPDL, do the fancy transfer: + // clone the file, clone the db, remove the original file + string oldPath = name(); + + CSSM_DB_HANDLE dbhandle; + passThrough(CSSM_APPLECSPDL_DB_CLONE, &dldbidentifier, &dbhandle); + + mDbName = dldbidentifier.dbName(); + mHandle.DBHandle = dbhandle; + + unlink(oldPath.c_str()); + + // Don't cache this name + if (mNameFromHandle) { + allocator().free(mNameFromHandle); + mNameFromHandle = NULL; + } + } else { + // if we're not an Apple CSPDL, just call rename + this->rename(dldbidentifier.dbName()); + } +} + + +// cloneTo only makes sense if you're on an Apple CSPDL +Db DbImpl::cloneTo(const DLDbIdentifier& dldbidentifier) { + CSSM_DB_HANDLE dbhandle; + passThrough(CSSM_APPLECSPDL_DB_CLONE, &dldbidentifier, &dbhandle); + + // This is the only reasonable way to make a SSDbImpl at this layer. + CssmClient::Db db(dl(), dldbidentifier.dbName(), dldbidentifier.dbLocation()); + db->mHandle.DBHandle = dbhandle; + + return db; +} + // // DbCursorMaker // diff --git a/OSX/libsecurity_cdsa_client/lib/dlclient.h b/OSX/libsecurity_cdsa_client/lib/dlclient.h index 6617a392..fbd05c98 100644 --- a/OSX/libsecurity_cdsa_client/lib/dlclient.h +++ b/OSX/libsecurity_cdsa_client/lib/dlclient.h 
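Review bot: In `DbImpl::transferTo`, the return value of `unlink(oldPath.c_str())` is discarded, so if the old keychain file cannot be removed the object now points at the clone while the original — and whatever it holds — stays on disk with no trace in the logs. At minimum report it, e.g. `if (::unlink(oldPath.c_str()) != 0) secnotice("integrity", "transferTo: could not remove %s (errno %d)", oldPath.c_str(), errno);`; whether it should be fatal depends on whether callers can retry, which is not visible here. Separately, the branch condition `dldbidentifier.ssuid().subserviceType() & CSSM_SERVICE_CSP` tests the service bits of the destination identifier, whereas `dbBlobVersion()` in the preceding hunk identifies an Apple CSPDL with `dl()->guid() == gGuidAppleCSPDL`; if the intent is "we are an Apple CSPDL", as the comment says, the guid check is the one that expresses it. `CSSM_DB_HANDLE dbhandle;` in both `transferTo` and `cloneTo` is also left uninitialised — harmless only as long as `passThrough` throws rather than returns on failure, so `= 0` is cheap insurance.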
@@ -328,6 +328,9 @@ public: // Attempt to recode this database to the new version virtual uint32 recodeDbToVersion(uint32 version); + // Declare that the recode operation is complete + virtual void recodeFinished(); + // Try to take or release the file lock on the underlying database. // You _must_ call these as a pair. They start a transaction on the // underlying DL object, and that transaction is only finished when release @@ -339,6 +342,22 @@ public: // Make a backup of this database on the filesystem virtual void makeBackup(); + // Make a copy of this database on the filesystem + // Throws a UnixError if anything goes wrong + virtual void makeCopy(const char* path); + + // Make a clone of this database in a new location. + // This method handles telling securityd about the clone, and copying the + // file over. + virtual Db cloneTo(const DLDbIdentifier& dldbidentifier); + + // Transfer this database to a new location. If the database is open in + // securityd, transfer the lock status as well. + virtual void transferTo(const DLDbIdentifier& dldbidentifier); + + // This will attempt to delete the file underlying this database. + // Don't call this unless you really, really mean to. + virtual void deleteFile(); // Utility methods diff --git a/OSX/libsecurity_cdsa_client/lib/securestorage.cpp b/OSX/libsecurity_cdsa_client/lib/securestorage.cpp index 40b1c0ed..7d2d0ab1 100644 --- a/OSX/libsecurity_cdsa_client/lib/securestorage.cpp +++ b/OSX/libsecurity_cdsa_client/lib/securestorage.cpp @@ -129,8 +129,16 @@ SSDbImpl::open() DbImpl::open(); } -SSDbUniqueRecord +DbUniqueRecord SSDbImpl::insert(CSSM_DB_RECORDTYPE recordType, + const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, + const CSSM_DATA *data) +{ + return DbImpl::insert(recordType, attributes, data); +} + +SSDbUniqueRecord +SSDbImpl::ssInsert(CSSM_DB_RECORDTYPE recordType, const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, const CSSM_DATA *data, const CSSM_RESOURCE_CONTROL_CONTEXT *rc) 
@@ -148,7 +156,7 @@ SSDbImpl::insert(CSSM_DB_RECORDTYPE recordType, const CSSM_ACCESS_CREDENTIALS *cred = rc ? rc->AccessCred : NULL; try { - return insert(recordType, attributes, data, group, cred); + SSDbUniqueRecord ssdbur = ssInsert(recordType, attributes, data, group, cred); if (autoCommit) { // autoCommit was on so commit now that we are done and turn @@ -157,6 +165,7 @@ SSDbImpl::insert(CSSM_DB_RECORDTYPE recordType, CSSM_DL_PassThrough(dldbh, CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT, reinterpret_cast<const void *>(autoCommit), NULL); } + return ssdbur; } catch(...) { @@ -171,13 +180,10 @@ SSDbImpl::insert(CSSM_DB_RECORDTYPE recordType, } throw; } - - // keep the compiler happy -- this path is NEVER taken - CssmError::throwMe(0); } SSDbUniqueRecord -SSDbImpl::insert(CSSM_DB_RECORDTYPE recordType, +SSDbImpl::ssInsert(CSSM_DB_RECORDTYPE recordType, const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, const CSSM_DATA *data, const SSGroup &group, const CSSM_ACCESS_CREDENTIALS *cred) diff --git a/OSX/libsecurity_cdsa_client/lib/securestorage.h b/OSX/libsecurity_cdsa_client/lib/securestorage.h index 7474fbfd..6f8c1b75 100644 --- a/OSX/libsecurity_cdsa_client/lib/securestorage.h +++ b/OSX/libsecurity_cdsa_client/lib/securestorage.h 
@@ -154,12 +154,17 @@ public: void create(); void open(); - SSDbUniqueRecord insert(CSSM_DB_RECORDTYPE recordType, + // This insert is here to explicitly catch calls to DbImpl's insert. You probably want the ssInsert calls below. + DbUniqueRecord insert(CSSM_DB_RECORDTYPE recordType, + const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, + const CSSM_DATA *data); + + SSDbUniqueRecord ssInsert(CSSM_DB_RECORDTYPE recordType, const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, const CSSM_DATA *data, const CSSM_RESOURCE_CONTROL_CONTEXT *rc = NULL); - SSDbUniqueRecord insert(CSSM_DB_RECORDTYPE recordType, + SSDbUniqueRecord ssInsert(CSSM_DB_RECORDTYPE recordType, const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, const CSSM_DATA *data, const SSGroup &group, const CSSM_ACCESS_CREDENTIALS *cred); diff --git a/OSX/libsecurity_cdsa_client/lib/tpclient.cpp b/OSX/libsecurity_cdsa_client/lib/tpclient.cpp index f64fef31..95ee733b 100644 --- a/OSX/libsecurity_cdsa_client/lib/tpclient.cpp +++ b/OSX/libsecurity_cdsa_client/lib/tpclient.cpp @@ -69,7 +69,7 @@ void TPImpl::certGroupVerify(const CertGroup &certGroup, void TPImpl::setupCL() { if (mUseCL == NULL) { - secdebug("tpclient", "TP is auto-attaching supporting CL"); + secinfo("tpclient", "TP is auto-attaching supporting CL"); mUseCL = new CL(gGuidAppleX509CL); mOwnCL = true; } @@ -78,7 +78,7 @@ void TPImpl::setupCL() void TPImpl::setupCSP() { if (mUseCSP == NULL) { - secdebug("tpclient", "TP is auto-attaching supporting CSP"); + secinfo("tpclient", "TP is auto-attaching supporting CSP"); mUseCSP = new CSP(gGuidAppleCSP); mOwnCSP = true; } diff --git a/OSX/libsecurity_cdsa_client/libsecurity_cdsa_client.xcodeproj/project.pbxproj b/OSX/libsecurity_cdsa_client/libsecurity_cdsa_client.xcodeproj/project.pbxproj index 261a2e3a..4f2a5af3 100644 --- a/OSX/libsecurity_cdsa_client/libsecurity_cdsa_client.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_cdsa_client/libsecurity_cdsa_client.xcodeproj/project.pbxproj 
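Review bot: The new `SSDbImpl::insert` overload forwards straight to `DbImpl::insert` (securestorage.cpp @@ -129 hunk), but its own comment says it exists to "explicitly catch calls to DbImpl's insert" and that callers "probably want" `ssInsert`. Forwarding silently catches nothing: a caller that meant the secure-storage path still gets a plain record insert without the group or access credentials that `ssInsert` takes, and no diagnostic at compile time or run time. If there are legitimate callers, name them in the comment; if not, mark the declaration so misuse is flagged, e.g. `DbUniqueRecord insert(...) __attribute__((deprecated("use ssInsert")));`, or have the body throw.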
@@ -66,9 +66,9 @@ C25F9888052C9E3100EDA739 /* cryptoclient.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cryptoclient.h; sourceTree = "<group>"; }; C25F9889052C9E3100EDA739 /* cspclient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = cspclient.cpp; sourceTree = "<group>"; }; C25F988A052C9E3100EDA739 /* cspclient.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cspclient.h; sourceTree = "<group>"; }; - C25F988B052C9E3100EDA739 /* cssmclient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = cssmclient.cpp; sourceTree = "<group>"; }; + C25F988B052C9E3100EDA739 /* cssmclient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = cssmclient.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C25F988C052C9E3100EDA739 /* cssmclient.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cssmclient.h; sourceTree = "<group>"; }; - C25F988D052C9E3100EDA739 /* dlclient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = dlclient.cpp; sourceTree = "<group>"; }; + C25F988D052C9E3100EDA739 /* dlclient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = dlclient.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C25F988E052C9E3100EDA739 /* dlclient.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = dlclient.h; sourceTree = "<group>"; }; C25F988F052C9E3100EDA739 /* DLDBList.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DLDBList.cpp; sourceTree = "<group>"; }; C25F9890052C9E3100EDA739 /* DLDBList.h */ = {isa = 
PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DLDBList.h; sourceTree = "<group>"; }; @@ -86,7 +86,7 @@ C25F98A0052C9E3200EDA739 /* securestorage.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = securestorage.h; sourceTree = "<group>"; }; C25F98A1052C9E3200EDA739 /* signclient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = signclient.cpp; sourceTree = "<group>"; }; C25F98A2052C9E3200EDA739 /* signclient.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = signclient.h; sourceTree = "<group>"; }; - C25F98A3052C9E3200EDA739 /* tpclient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tpclient.cpp; sourceTree = "<group>"; }; + C25F98A3052C9E3200EDA739 /* tpclient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = tpclient.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C25F98A4052C9E3200EDA739 /* tpclient.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tpclient.h; sourceTree = "<group>"; }; C25F98A5052C9E3200EDA739 /* wrapkey.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = wrapkey.cpp; sourceTree = "<group>"; }; C25F98A6052C9E3200EDA739 /* wrapkey.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = wrapkey.h; sourceTree = "<group>"; }; @@ -252,7 +252,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD2D60987FCDD001272E0 /* Build configuration list for PBXProject "libsecurity_cdsa_client" */; compatibilityVersion = "Xcode 3.2"; 
@@ -281,12 +281,15 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/", + "$(SRCROOT)/lib/", ); outputPaths = ( + "${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "nmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + shellScript = "# with our source directories as input files, Xcode will only re-run this phase if there's been a source change\nnmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; }; /* End PBXShellScriptBuildPhase section */ @@ -355,12 +358,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18446165146E94DE00B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -368,12 +380,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18446165146E94DE00B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; 
diff --git a/OSX/libsecurity_cdsa_plugin/lib/ACabstractsession.cpp b/OSX/libsecurity_cdsa_plugin/lib/ACabstractsession.cpp new file mode 100644 index 00000000..6caef051 --- /dev/null +++ b/OSX/libsecurity_cdsa_plugin/lib/ACabstractsession.cpp 
@@ -0,0 +1,69 @@ +// +// AC plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#include <security_cdsa_plugin/ACsession.h> +#include <security_cdsa_plugin/cssmplugin.h> +#include <security_cdsa_utilities/cssmbridge.h> +#include <Security/cssmaci.h> + + +ACAbstractPluginSession::~ACAbstractPluginSession() +{ /* virtual */ } + +static CSSM_RETURN CSSMACI cssm_AuthCompute(CSSM_AC_HANDLE ACHandle, + const CSSM_TUPLEGROUP *BaseAuthorizations, + const CSSM_TUPLEGROUP *Credentials, + uint32 NumberOfRequestors, + const CSSM_LIST *Requestors, + const CSSM_LIST *RequestedAuthorizationPeriod, + const CSSM_LIST *RequestedAuthorization, + CSSM_TUPLEGROUP_PTR AuthorizationResult) +{ + BEGIN_API + findSession<ACPluginSession>(ACHandle).AuthCompute(Required(BaseAuthorizations), + Credentials, + NumberOfRequestors, + Required(Requestors), + RequestedAuthorizationPeriod, + Required(RequestedAuthorization), + Required(AuthorizationResult)); + END_API(AC) +} + +static CSSM_RETURN CSSMACI cssm_PassThrough(CSSM_AC_HANDLE ACHandle, + CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DL_DB_LIST *DBList, + uint32 PassThroughId, + const void *InputParams, + void **OutputParams) +{ + BEGIN_API + findSession<ACPluginSession>(ACHandle).PassThrough(TPHandle, + CLHandle, + CCHandle, + Required(DBList), + PassThroughId, + InputParams, + OutputParams); + END_API(AC) +} + + +static const CSSM_SPI_AC_FUNCS ACFunctionStruct = { + cssm_AuthCompute, + cssm_PassThrough, +}; + +static CSSM_MODULE_FUNCS ACFunctionTable = { + CSSM_SERVICE_AC, // service type + 2, // number of functions + (const CSSM_PROC_ADDR *)&ACFunctionStruct +}; + +CSSM_MODULE_FUNCS_PTR ACPluginSession::construct() +{ + return &ACFunctionTable; +} diff --git a/OSX/libsecurity_cdsa_plugin/lib/ACabstractsession.h b/OSX/libsecurity_cdsa_plugin/lib/ACabstractsession.h new file mode 100644 index 00000000..e7fccead --- /dev/null 
+++ b/OSX/libsecurity_cdsa_plugin/lib/ACabstractsession.h @@ -0,0 +1,39 @@ +// +// AC plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#ifndef _H_ACABSTRACTSESSION +#define _H_ACABSTRACTSESSION + +#include <security_cdsa_plugin/pluginsession.h> +#include <security_cdsa_utilities/cssmdata.h> + + +namespace Security { + + +// +// A pure abstract class to define the AC module interface +// +class ACAbstractPluginSession { +public: + virtual ~ACAbstractPluginSession(); + virtual void AuthCompute(const CSSM_TUPLEGROUP &BaseAuthorizations, + const CSSM_TUPLEGROUP *Credentials, + uint32 NumberOfRequestors, + const CSSM_LIST &Requestors, + const CSSM_LIST *RequestedAuthorizationPeriod, + const CSSM_LIST &RequestedAuthorization, + CSSM_TUPLEGROUP &AuthorizationResult) = 0; + virtual void PassThrough(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DL_DB_LIST &DBList, + uint32 PassThroughId, + const void *InputParams, + void **OutputParams) = 0; +}; + +} // end namespace Security + +#endif //_H_ACABSTRACTSESSION diff --git a/OSX/libsecurity_cdsa_plugin/lib/CLabstractsession.cpp b/OSX/libsecurity_cdsa_plugin/lib/CLabstractsession.cpp new file mode 100644 index 00000000..bfb5e7fe --- /dev/null +++ b/OSX/libsecurity_cdsa_plugin/lib/CLabstractsession.cpp 
@@ -0,0 +1,548 @@ +// +// CL plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#include <security_cdsa_plugin/CLsession.h> +#include <security_cdsa_plugin/cssmplugin.h> +#include <security_cdsa_utilities/cssmbridge.h> +#include <Security/cssmcli.h> + + +CLAbstractPluginSession::~CLAbstractPluginSession() +{ /* virtual */ } + +static CSSM_RETURN CSSMCLI cssm_CertGetFirstFieldValue(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Cert, + const CSSM_OID *CertField, + CSSM_HANDLE_PTR ResultsHandle, + uint32 *NumberOfMatchedFields, + CSSM_DATA_PTR *Value) +{ + BEGIN_API + if ((Required(ResultsHandle) = findSession<CLPluginSession>(CLHandle).CertGetFirstFieldValue(CssmData::required(Cert), + CssmData::required(CertField), + Required(NumberOfMatchedFields), + Required(Value))) == CSSM_INVALID_HANDLE) + return CSSMERR_CL_NO_FIELD_VALUES; + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_PassThrough(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + uint32 PassThroughId, + const void *InputParams, + void **OutputParams) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).PassThrough(CCHandle, + PassThroughId, + InputParams, + OutputParams); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertGetNextCachedFieldValue(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE ResultsHandle, + CSSM_DATA_PTR *Value) +{ + BEGIN_API + if (!findSession<CLPluginSession>(CLHandle).CertGetNextCachedFieldValue(ResultsHandle, + Required(Value))) + return CSSMERR_CL_NO_FIELD_VALUES; + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlCreateTemplate(CSSM_CL_HANDLE CLHandle, + uint32 NumberOfFields, + const CSSM_FIELD *CrlTemplate, + CSSM_DATA_PTR NewCrl) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlCreateTemplate(NumberOfFields, + CrlTemplate, + CssmData::required(NewCrl)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertSign(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *CertTemplate, + const 
CSSM_FIELD *SignScope, + uint32 ScopeSize, + CSSM_DATA_PTR SignedCert) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertSign(CCHandle, + CssmData::required(CertTemplate), + SignScope, + ScopeSize, + CssmData::required(SignedCert)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlGetFirstFieldValue(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Crl, + const CSSM_OID *CrlField, + CSSM_HANDLE_PTR ResultsHandle, + uint32 *NumberOfMatchedFields, + CSSM_DATA_PTR *Value) +{ + BEGIN_API + if ((Required(ResultsHandle) = findSession<CLPluginSession>(CLHandle).CrlGetFirstFieldValue(CssmData::required(Crl), + CssmData::required(CrlField), + Required(NumberOfMatchedFields), + Required(Value))) == CSSM_INVALID_HANDLE) + return CSSMERR_CL_NO_FIELD_VALUES; + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlGetNextFieldValue(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE ResultsHandle, + CSSM_DATA_PTR *Value) +{ + BEGIN_API + if (!findSession<CLPluginSession>(CLHandle).CrlGetNextFieldValue(ResultsHandle, + Required(Value))) + return CSSMERR_CL_NO_FIELD_VALUES; + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_FreeFields(CSSM_CL_HANDLE CLHandle, + uint32 NumberOfFields, + CSSM_FIELD_PTR *FieldArray) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).FreeFields(NumberOfFields, + Required(FieldArray)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlGetAllFields(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Crl, + uint32 *NumberOfCrlFields, + CSSM_FIELD_PTR *CrlFields) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlGetAllFields(CssmData::required(Crl), + Required(NumberOfCrlFields), + Required(CrlFields)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlAbortCache(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE CrlHandle) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlAbortCache(CrlHandle); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertGetAllTemplateFields(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *CertTemplate, + uint32 
*NumberOfFields, + CSSM_FIELD_PTR *CertFields) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertGetAllTemplateFields(CssmData::required(CertTemplate), + Required(NumberOfFields), + Required(CertFields)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlSetFields(CSSM_CL_HANDLE CLHandle, + uint32 NumberOfFields, + const CSSM_FIELD *CrlTemplate, + const CSSM_DATA *OldCrl, + CSSM_DATA_PTR ModifiedCrl) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlSetFields(NumberOfFields, + CrlTemplate, + CssmData::required(OldCrl), + CssmData::required(ModifiedCrl)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertGetAllFields(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Cert, + uint32 *NumberOfFields, + CSSM_FIELD_PTR *CertFields) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertGetAllFields(CssmData::required(Cert), + Required(NumberOfFields), + Required(CertFields)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlAddCert(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *Cert, + uint32 NumberOfFields, + const CSSM_FIELD *CrlEntryFields, + const CSSM_DATA *OldCrl, + CSSM_DATA_PTR NewCrl) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlAddCert(CCHandle, + CssmData::required(Cert), + NumberOfFields, + CrlEntryFields, + CssmData::required(OldCrl), + CssmData::required(NewCrl)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_IsCertInCachedCrl(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Cert, + CSSM_HANDLE CrlHandle, + CSSM_BOOL *CertFound, + CSSM_DATA_PTR CrlRecordIndex) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).IsCertInCachedCrl(CssmData::required(Cert), + CrlHandle, + Required(CertFound), + CssmData::required(CrlRecordIndex)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlSign(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *UnsignedCrl, + const CSSM_FIELD *SignScope, + uint32 ScopeSize, + CSSM_DATA_PTR SignedCrl) +{ + BEGIN_API + 
findSession<CLPluginSession>(CLHandle).CrlSign(CCHandle, + CssmData::required(UnsignedCrl), + SignScope, + ScopeSize, + CssmData::required(SignedCrl)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertAbortQuery(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE ResultsHandle) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertAbortQuery(ResultsHandle); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertGetNextFieldValue(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE ResultsHandle, + CSSM_DATA_PTR *Value) +{ + BEGIN_API + if (!findSession<CLPluginSession>(CLHandle).CertGetNextFieldValue(ResultsHandle, + Required(Value))) + return CSSMERR_CL_NO_FIELD_VALUES; + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertCreateTemplate(CSSM_CL_HANDLE CLHandle, + uint32 NumberOfFields, + const CSSM_FIELD *CertFields, + CSSM_DATA_PTR CertTemplate) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertCreateTemplate(NumberOfFields, + CertFields, + CssmData::required(CertTemplate)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertCache(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Cert, + CSSM_HANDLE_PTR CertHandle) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertCache(CssmData::required(Cert), + Required(CertHandle)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlVerifyWithKey(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *CrlToBeVerified) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlVerifyWithKey(CCHandle, + CssmData::required(CrlToBeVerified)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlGetAllCachedRecordFields(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE CrlHandle, + const CSSM_DATA *CrlRecordIndex, + uint32 *NumberOfFields, + CSSM_FIELD_PTR *CrlFields) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlGetAllCachedRecordFields(CrlHandle, + CssmData::required(CrlRecordIndex), + Required(NumberOfFields), + Required(CrlFields)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI 
cssm_CrlRemoveCert(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Cert, + const CSSM_DATA *OldCrl, + CSSM_DATA_PTR NewCrl) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlRemoveCert(CssmData::required(Cert), + CssmData::required(OldCrl), + CssmData::required(NewCrl)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertVerifyWithKey(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *CertToBeVerified) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertVerifyWithKey(CCHandle, + CssmData::required(CertToBeVerified)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlGetFirstCachedFieldValue(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE CrlHandle, + const CSSM_DATA *CrlRecordIndex, + const CSSM_OID *CrlField, + CSSM_HANDLE_PTR ResultsHandle, + uint32 *NumberOfMatchedFields, + CSSM_DATA_PTR *Value) +{ + BEGIN_API + if ((Required(ResultsHandle) = findSession<CLPluginSession>(CLHandle).CrlGetFirstCachedFieldValue(CrlHandle, + CssmData::optional(CrlRecordIndex), + CssmData::required(CrlField), + Required(NumberOfMatchedFields), + Required(Value))) == CSSM_INVALID_HANDLE) + return CSSMERR_CL_NO_FIELD_VALUES; + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertGetFirstCachedFieldValue(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE CertHandle, + const CSSM_OID *CertField, + CSSM_HANDLE_PTR ResultsHandle, + uint32 *NumberOfMatchedFields, + CSSM_DATA_PTR *Value) +{ + BEGIN_API + if ((Required(ResultsHandle) = findSession<CLPluginSession>(CLHandle).CertGetFirstCachedFieldValue(CertHandle, + CssmData::required(CertField), + Required(NumberOfMatchedFields), + Required(Value))) == CSSM_INVALID_HANDLE) + return CSSMERR_CL_NO_FIELD_VALUES; + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertVerify(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *CertToBeVerified, + const CSSM_DATA *SignerCert, + const CSSM_FIELD *VerifyScope, + uint32 ScopeSize) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertVerify(CCHandle, + 
CssmData::required(CertToBeVerified), + CssmData::optional(SignerCert), + VerifyScope, + ScopeSize); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertGetKeyInfo(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Cert, + CSSM_KEY_PTR *Key) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertGetKeyInfo(CssmData::required(Cert), + Required(Key)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlVerify(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *CrlToBeVerified, + const CSSM_DATA *SignerCert, + const CSSM_FIELD *VerifyScope, + uint32 ScopeSize) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlVerify(CCHandle, + CssmData::required(CrlToBeVerified), + CssmData::optional(SignerCert), + VerifyScope, + ScopeSize); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlDescribeFormat(CSSM_CL_HANDLE CLHandle, + uint32 *NumberOfFields, + CSSM_OID_PTR *OidList) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlDescribeFormat(Required(NumberOfFields), + Required(OidList)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlAbortQuery(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE ResultsHandle) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlAbortQuery(ResultsHandle); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertDescribeFormat(CSSM_CL_HANDLE CLHandle, + uint32 *NumberOfFields, + CSSM_OID_PTR *OidList) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertDescribeFormat(Required(NumberOfFields), + Required(OidList)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_FreeFieldValue(CSSM_CL_HANDLE CLHandle, + const CSSM_OID *CertOrCrlOid, + CSSM_DATA_PTR Value) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).FreeFieldValue(CssmData::required(CertOrCrlOid), + CssmData::required(Value)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertGroupToSignedBundle(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CERTGROUP *CertGroupToBundle, + const CSSM_CERT_BUNDLE_HEADER 
*BundleInfo, + CSSM_DATA_PTR SignedBundle) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertGroupToSignedBundle(CCHandle, + Required(CertGroupToBundle), + BundleInfo, + CssmData::required(SignedBundle)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertAbortCache(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE CertHandle) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertAbortCache(CertHandle); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlCache(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Crl, + CSSM_HANDLE_PTR CrlHandle) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CrlCache(CssmData::required(Crl), + Required(CrlHandle)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_IsCertInCrl(CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *Cert, + const CSSM_DATA *Crl, + CSSM_BOOL *CertFound) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).IsCertInCrl(CssmData::required(Cert), + CssmData::required(Crl), + Required(CertFound)); + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CrlGetNextCachedFieldValue(CSSM_CL_HANDLE CLHandle, + CSSM_HANDLE ResultsHandle, + CSSM_DATA_PTR *Value) +{ + BEGIN_API + if (!findSession<CLPluginSession>(CLHandle).CrlGetNextCachedFieldValue(ResultsHandle, + Required(Value))) + return CSSMERR_CL_NO_FIELD_VALUES; + END_API(CL) +} + +static CSSM_RETURN CSSMCLI cssm_CertGroupFromVerifiedBundle(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CERT_BUNDLE *CertBundle, + const CSSM_DATA *SignerCert, + CSSM_CERTGROUP_PTR *CertGroup) +{ + BEGIN_API + findSession<CLPluginSession>(CLHandle).CertGroupFromVerifiedBundle(CCHandle, + Required(CertBundle), + CssmData::optional(SignerCert), + Required(CertGroup)); + END_API(CL) +} + + +static const CSSM_SPI_CL_FUNCS CLFunctionStruct = { + cssm_CertCreateTemplate, + cssm_CertGetAllTemplateFields, + cssm_CertSign, + cssm_CertVerify, + cssm_CertVerifyWithKey, + cssm_CertGetFirstFieldValue, + cssm_CertGetNextFieldValue, + cssm_CertAbortQuery, + 
cssm_CertGetKeyInfo, + cssm_CertGetAllFields, + cssm_FreeFields, + cssm_FreeFieldValue, + cssm_CertCache, + cssm_CertGetFirstCachedFieldValue, + cssm_CertGetNextCachedFieldValue, + cssm_CertAbortCache, + cssm_CertGroupToSignedBundle, + cssm_CertGroupFromVerifiedBundle, + cssm_CertDescribeFormat, + cssm_CrlCreateTemplate, + cssm_CrlSetFields, + cssm_CrlAddCert, + cssm_CrlRemoveCert, + cssm_CrlSign, + cssm_CrlVerify, + cssm_CrlVerifyWithKey, + cssm_IsCertInCrl, + cssm_CrlGetFirstFieldValue, + cssm_CrlGetNextFieldValue, + cssm_CrlAbortQuery, + cssm_CrlGetAllFields, + cssm_CrlCache, + cssm_IsCertInCachedCrl, + cssm_CrlGetFirstCachedFieldValue, + cssm_CrlGetNextCachedFieldValue, + cssm_CrlGetAllCachedRecordFields, + cssm_CrlAbortCache, + cssm_CrlDescribeFormat, + cssm_PassThrough, +}; + +static CSSM_MODULE_FUNCS CLFunctionTable = { + CSSM_SERVICE_CL, // service type + 39, // number of functions + (const CSSM_PROC_ADDR *)&CLFunctionStruct +}; + +CSSM_MODULE_FUNCS_PTR CLPluginSession::construct() +{ + return &CLFunctionTable; +} diff --git a/OSX/libsecurity_cdsa_plugin/lib/CLabstractsession.h b/OSX/libsecurity_cdsa_plugin/lib/CLabstractsession.h new file mode 100644 index 00000000..6c3e1cd7 --- /dev/null +++ b/OSX/libsecurity_cdsa_plugin/lib/CLabstractsession.h 
@@ -0,0 +1,143 @@ +// +// CL plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#ifndef _H_CLABSTRACTSESSION +#define _H_CLABSTRACTSESSION + +#include <security_cdsa_plugin/pluginsession.h> +#include <security_cdsa_utilities/cssmdata.h> + + +namespace Security { + + +// +// A pure abstract class to define the CL module interface +// +class CLAbstractPluginSession { +public: + virtual ~CLAbstractPluginSession(); + virtual void CertGetAllFields(const CssmData &Cert, + uint32 &NumberOfFields, + CSSM_FIELD_PTR &CertFields) = 0; + virtual void CertGetAllTemplateFields(const CssmData &CertTemplate, + uint32 &NumberOfFields, + CSSM_FIELD_PTR &CertFields) = 0; + virtual void CrlSetFields(uint32 NumberOfFields, + const CSSM_FIELD CrlTemplate[], + const CssmData &OldCrl, + CssmData &ModifiedCrl) = 0; + virtual void CrlAbortCache(CSSM_HANDLE CrlHandle) = 0; + virtual void CrlGetAllFields(const CssmData &Crl, + uint32 &NumberOfCrlFields, + CSSM_FIELD_PTR &CrlFields) = 0; + virtual void FreeFields(uint32 NumberOfFields, + CSSM_FIELD_PTR &FieldArray) = 0; + virtual bool CrlGetNextFieldValue(CSSM_HANDLE ResultsHandle, + CSSM_DATA_PTR &Value) = 0; + virtual CSSM_HANDLE CrlGetFirstFieldValue(const CssmData &Crl, + const CssmData &CrlField, + uint32 &NumberOfMatchedFields, + CSSM_DATA_PTR &Value) = 0; + virtual void CertSign(CSSM_CC_HANDLE CCHandle, + const CssmData &CertTemplate, + const CSSM_FIELD *SignScope, + uint32 ScopeSize, + CssmData &SignedCert) = 0; + virtual void CrlCreateTemplate(uint32 NumberOfFields, + const CSSM_FIELD CrlTemplate[], + CssmData &NewCrl) = 0; + virtual bool CertGetNextCachedFieldValue(CSSM_HANDLE ResultsHandle, + CSSM_DATA_PTR &Value) = 0; + virtual void PassThrough(CSSM_CC_HANDLE CCHandle, + uint32 PassThroughId, + const void *InputParams, + void **OutputParams) = 0; + virtual CSSM_HANDLE CertGetFirstFieldValue(const CssmData &Cert, + const CssmData &CertField, + uint32 &NumberOfMatchedFields, + 
CSSM_DATA_PTR &Value) = 0; + virtual void CrlVerifyWithKey(CSSM_CC_HANDLE CCHandle, + const CssmData &CrlToBeVerified) = 0; + virtual void CertCreateTemplate(uint32 NumberOfFields, + const CSSM_FIELD CertFields[], + CssmData &CertTemplate) = 0; + virtual void CertCache(const CssmData &Cert, + CSSM_HANDLE &CertHandle) = 0; + virtual bool CertGetNextFieldValue(CSSM_HANDLE ResultsHandle, + CSSM_DATA_PTR &Value) = 0; + virtual void CertAbortQuery(CSSM_HANDLE ResultsHandle) = 0; + virtual void IsCertInCachedCrl(const CssmData &Cert, + CSSM_HANDLE CrlHandle, + CSSM_BOOL &CertFound, + CssmData &CrlRecordIndex) = 0; + virtual void CrlSign(CSSM_CC_HANDLE CCHandle, + const CssmData &UnsignedCrl, + const CSSM_FIELD *SignScope, + uint32 ScopeSize, + CssmData &SignedCrl) = 0; + virtual void CrlAddCert(CSSM_CC_HANDLE CCHandle, + const CssmData &Cert, + uint32 NumberOfFields, + const CSSM_FIELD CrlEntryFields[], + const CssmData &OldCrl, + CssmData &NewCrl) = 0; + virtual void CertGroupToSignedBundle(CSSM_CC_HANDLE CCHandle, + const CSSM_CERTGROUP &CertGroupToBundle, + const CSSM_CERT_BUNDLE_HEADER *BundleInfo, + CssmData &SignedBundle) = 0; + virtual void FreeFieldValue(const CssmData &CertOrCrlOid, + CssmData &Value) = 0; + virtual void CertDescribeFormat(uint32 &NumberOfFields, + CSSM_OID_PTR &OidList) = 0; + virtual void CrlAbortQuery(CSSM_HANDLE ResultsHandle) = 0; + virtual void CrlDescribeFormat(uint32 &NumberOfFields, + CSSM_OID_PTR &OidList) = 0; + virtual void CrlVerify(CSSM_CC_HANDLE CCHandle, + const CssmData &CrlToBeVerified, + const CssmData *SignerCert, + const CSSM_FIELD *VerifyScope, + uint32 ScopeSize) = 0; + virtual void CertGetKeyInfo(const CssmData &Cert, + CSSM_KEY_PTR &Key) = 0; + virtual void CertVerify(CSSM_CC_HANDLE CCHandle, + const CssmData &CertToBeVerified, + const CssmData *SignerCert, + const CSSM_FIELD *VerifyScope, + uint32 ScopeSize) = 0; + virtual CSSM_HANDLE CertGetFirstCachedFieldValue(CSSM_HANDLE CertHandle, + const CssmData &CertField, + 
uint32 &NumberOfMatchedFields, + CSSM_DATA_PTR &Value) = 0; + virtual CSSM_HANDLE CrlGetFirstCachedFieldValue(CSSM_HANDLE CrlHandle, + const CssmData *CrlRecordIndex, + const CssmData &CrlField, + uint32 &NumberOfMatchedFields, + CSSM_DATA_PTR &Value) = 0; + virtual void CertVerifyWithKey(CSSM_CC_HANDLE CCHandle, + const CssmData &CertToBeVerified) = 0; + virtual void CrlRemoveCert(const CssmData &Cert, + const CssmData &OldCrl, + CssmData &NewCrl) = 0; + virtual void CrlGetAllCachedRecordFields(CSSM_HANDLE CrlHandle, + const CssmData &CrlRecordIndex, + uint32 &NumberOfFields, + CSSM_FIELD_PTR &CrlFields) = 0; + virtual void CertGroupFromVerifiedBundle(CSSM_CC_HANDLE CCHandle, + const CSSM_CERT_BUNDLE &CertBundle, + const CssmData *SignerCert, + CSSM_CERTGROUP_PTR &CertGroup) = 0; + virtual bool CrlGetNextCachedFieldValue(CSSM_HANDLE ResultsHandle, + CSSM_DATA_PTR &Value) = 0; + virtual void IsCertInCrl(const CssmData &Cert, + const CssmData &Crl, + CSSM_BOOL &CertFound) = 0; + virtual void CrlCache(const CssmData &Crl, + CSSM_HANDLE &CrlHandle) = 0; + virtual void CertAbortCache(CSSM_HANDLE CertHandle) = 0; +}; + +} // end namespace Security + +#endif //_H_CLABSTRACTSESSION diff --git a/OSX/libsecurity_cdsa_plugin/lib/CSPabstractsession.cpp b/OSX/libsecurity_cdsa_plugin/lib/CSPabstractsession.cpp new file mode 100644 index 00000000..a138ed2e --- /dev/null +++ b/OSX/libsecurity_cdsa_plugin/lib/CSPabstractsession.cpp 
@@ -0,0 +1,847 @@ +// +// CSP plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#include <security_cdsa_plugin/CSPsession.h> +#include <security_cdsa_plugin/cssmplugin.h> +#include <security_cdsa_utilities/cssmbridge.h> +#include <Security/cssmcspi.h> + + +CSPAbstractPluginSession::~CSPAbstractPluginSession() +{ /* virtual */ } + +static CSSM_RETURN CSSMCSPI cssm_ObtainPrivateKeyFromPublicKey(CSSM_CSP_HANDLE CSPHandle, + const CSSM_KEY *PublicKey, + CSSM_KEY_PTR PrivateKey) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).ObtainPrivateKeyFromPublicKey(CssmKey::required(PublicKey), + CssmKey::required(PrivateKey)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GetOperationalStatistics(CSSM_CSP_HANDLE CSPHandle, + CSSM_CSP_OPERATIONAL_STATISTICS *Statistics) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GetOperationalStatistics(CSPOperationalStatistics::required(Statistics)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_ChangeLoginOwner(CSSM_CSP_HANDLE CSPHandle, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + const CSSM_ACL_OWNER_PROTOTYPE *NewOwner) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).ChangeLoginOwner(AccessCredentials::required(AccessCred), + Required(NewOwner)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_EventNotify(CSSM_CSP_HANDLE CSPHandle, + CSSM_CONTEXT_EVENT Event, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).EventNotify(Event, + CCHandle, + Context::required(Context)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DecryptDataInit(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + CSSM_PRIVILEGE Privilege) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).DecryptDataInit(CCHandle, + Context::required(Context), + Privilege); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_SignDataInit(CSSM_CSP_HANDLE 
CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).SignDataInit(CCHandle, + Context::required(Context)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DigestData(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_DATA *DataBufs, + uint32 DataBufCount, + CSSM_DATA_PTR Digest) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).DigestData(CCHandle, + Context::required(Context), + &CssmData::required(DataBufs), + DataBufCount, + CssmData::required(Digest)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GetKeyOwner(CSSM_CSP_HANDLE CSPHandle, + const CSSM_KEY *Key, + CSSM_ACL_OWNER_PROTOTYPE_PTR Owner) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GetKeyOwner(CssmKey::required(Key), + Required(Owner)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GetLoginAcl(CSSM_CSP_HANDLE CSPHandle, + const CSSM_STRING *SelectionTag, + uint32 *NumberOfAclInfos, + CSSM_ACL_ENTRY_INFO_PTR *AclInfos) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GetLoginAcl(SelectionTag, + Required(NumberOfAclInfos), + Required(AclInfos)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_VerifyMac(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_DATA *DataBufs, + uint32 DataBufCount, + const CSSM_DATA *Mac) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).VerifyMac(CCHandle, + Context::required(Context), + &CssmData::required(DataBufs), + DataBufCount, + CssmData::required(Mac)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_SignDataFinal(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + CSSM_DATA_PTR Signature) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).SignDataFinal(CCHandle, + CssmData::required(Signature)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_VerifyDataUpdate(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + 
const CSSM_DATA *DataBufs, + uint32 DataBufCount) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).VerifyDataUpdate(CCHandle, + &CssmData::required(DataBufs), + DataBufCount); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GenerateMac(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_DATA *DataBufs, + uint32 DataBufCount, + CSSM_DATA_PTR Mac) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GenerateMac(CCHandle, + Context::required(Context), + &CssmData::required(DataBufs), + DataBufCount, + CssmData::required(Mac)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_VerifyMacFinal(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *Mac) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).VerifyMacFinal(CCHandle, + CssmData::required(Mac)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GenerateRandom(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + CSSM_DATA_PTR RandomNumber) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GenerateRandom(CCHandle, + Context::required(Context), + CssmData::required(RandomNumber)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_RetrieveUniqueId(CSSM_CSP_HANDLE CSPHandle, + CSSM_DATA_PTR UniqueID) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).RetrieveUniqueId(CssmData::required(UniqueID)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_UnwrapKey(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_KEY *PublicKey, + const CSSM_WRAP_KEY *WrappedKey, + uint32 KeyUsage, + uint32 KeyAttr, + const CSSM_DATA *KeyLabel, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + CSSM_KEY_PTR UnwrappedKey, + CSSM_DATA_PTR DescriptiveData, + CSSM_PRIVILEGE Privilege) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).UnwrapKey(CCHandle, + Context::required(Context), + CssmKey::optional(PublicKey), + 
CssmKey::required(WrappedKey), + KeyUsage, + KeyAttr, + CssmData::optional(KeyLabel), + CredAndAclEntry, + CssmKey::required(UnwrappedKey), + CssmData::required(DescriptiveData), + Privilege); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GenerateMacFinal(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + CSSM_DATA_PTR Mac) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GenerateMacFinal(CCHandle, + CssmData::required(Mac)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_WrapKey(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + const CSSM_KEY *Key, + const CSSM_DATA *DescriptiveData, + CSSM_WRAP_KEY_PTR WrappedKey, + CSSM_PRIVILEGE Privilege) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).WrapKey(CCHandle, + Context::required(Context), + AccessCredentials::required(AccessCred), + CssmKey::required(Key), + CssmData::optional(DescriptiveData), + CssmKey::required(WrappedKey), + Privilege); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DecryptDataFinal(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + CSSM_DATA_PTR RemData) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).DecryptDataFinal(CCHandle, + CssmData::required(RemData)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_SignData(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_DATA *DataBufs, + uint32 DataBufCount, + CSSM_ALGORITHMS DigestAlgorithm, + CSSM_DATA_PTR Signature) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).SignData(CCHandle, + Context::required(Context), + &CssmData::required(DataBufs), + DataBufCount, + DigestAlgorithm, + CssmData::required(Signature)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_EncryptDataInit(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + CSSM_PRIVILEGE Privilege) +{ + BEGIN_API + 
findSession<CSPPluginSession>(CSPHandle).EncryptDataInit(CCHandle, + Context::required(Context), + Privilege); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_VerifyData(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_DATA *DataBufs, + uint32 DataBufCount, + CSSM_ALGORITHMS DigestAlgorithm, + const CSSM_DATA *Signature) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).VerifyData(CCHandle, + Context::required(Context), + &CssmData::required(DataBufs), + DataBufCount, + DigestAlgorithm, + CssmData::required(Signature)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GenerateMacUpdate(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *DataBufs, + uint32 DataBufCount) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GenerateMacUpdate(CCHandle, + &CssmData::required(DataBufs), + DataBufCount); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_EncryptDataFinal(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + CSSM_DATA_PTR RemData) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).EncryptDataFinal(CCHandle, + CssmData::required(RemData)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_ChangeKeyOwner(CSSM_CSP_HANDLE CSPHandle, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + const CSSM_KEY *Key, + const CSSM_ACL_OWNER_PROTOTYPE *NewOwner) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).ChangeKeyOwner(AccessCredentials::required(AccessCred), + CssmKey::required(Key), + Required(NewOwner)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_VerifyMacInit(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).VerifyMacInit(CCHandle, + Context::required(Context)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DigestDataClone(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + CSSM_CC_HANDLE ClonedCCHandle) +{ + BEGIN_API + 
findSession<CSPPluginSession>(CSPHandle).DigestDataClone(CCHandle, + ClonedCCHandle); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_VerifyDataInit(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).VerifyDataInit(CCHandle, + Context::required(Context)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DecryptDataUpdate(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *CipherBufs, + uint32 CipherBufCount, + CSSM_DATA_PTR ClearBufs, + uint32 ClearBufCount, + CSSM_SIZE *bytesDecrypted) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).DecryptDataUpdate(CCHandle, + &CssmData::required(CipherBufs), + CipherBufCount, + &CssmData::required(ClearBufs), + ClearBufCount, + Required(bytesDecrypted)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GenerateAlgorithmParams(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + uint32 ParamBits, + CSSM_DATA_PTR Param, + uint32 *NumberOfUpdatedAttibutes, + CSSM_CONTEXT_ATTRIBUTE_PTR *UpdatedAttributes) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GenerateAlgorithmParams(CCHandle, + Context::required(Context), + ParamBits, + CssmData::required(Param), + Required(NumberOfUpdatedAttibutes), + Required(UpdatedAttributes)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GetLoginOwner(CSSM_CSP_HANDLE CSPHandle, + CSSM_ACL_OWNER_PROTOTYPE_PTR Owner) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GetLoginOwner(Required(Owner)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GetKeyAcl(CSSM_CSP_HANDLE CSPHandle, + const CSSM_KEY *Key, + const CSSM_STRING *SelectionTag, + uint32 *NumberOfAclInfos, + CSSM_ACL_ENTRY_INFO_PTR *AclInfos) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GetKeyAcl(CssmKey::required(Key), + SelectionTag, + Required(NumberOfAclInfos), + Required(AclInfos)); + END_API(CSP) +} + +static CSSM_RETURN 
CSSMCSPI cssm_VerifyDevice(CSSM_CSP_HANDLE CSPHandle, + const CSSM_DATA *DeviceCert) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).VerifyDevice(CssmData::required(DeviceCert)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_EncryptDataUpdate(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *ClearBufs, + uint32 ClearBufCount, + CSSM_DATA_PTR CipherBufs, + uint32 CipherBufCount, + CSSM_SIZE *bytesEncrypted) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).EncryptDataUpdate(CCHandle, + &CssmData::required(ClearBufs), + ClearBufCount, + &CssmData::required(CipherBufs), + CipherBufCount, + Required(bytesEncrypted)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DigestDataFinal(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + CSSM_DATA_PTR Digest) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).DigestDataFinal(CCHandle, + CssmData::required(Digest)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_Login(CSSM_CSP_HANDLE CSPHandle, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + const CSSM_DATA *LoginName, + const void *Reserved) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).Login(AccessCredentials::required(AccessCred), + CssmData::optional(LoginName), + Reserved); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_ChangeKeyAcl(CSSM_CSP_HANDLE CSPHandle, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + const CSSM_ACL_EDIT *AclEdit, + const CSSM_KEY *Key) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).ChangeKeyAcl(AccessCredentials::required(AccessCred), + Required(AclEdit), + CssmKey::required(Key)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_SignDataUpdate(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *DataBufs, + uint32 DataBufCount) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).SignDataUpdate(CCHandle, + &CssmData::required(DataBufs), + DataBufCount); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI 
cssm_QueryKeySizeInBits(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_KEY *Key, + CSSM_KEY_SIZE_PTR KeySize) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).QueryKeySizeInBits(CCHandle, + Context::optional(Context), + CssmKey::optional(Key), + Required(KeySize)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_Logout(CSSM_CSP_HANDLE CSPHandle) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).Logout(); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DecryptData(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_DATA *CipherBufs, + uint32 CipherBufCount, + CSSM_DATA_PTR ClearBufs, + uint32 ClearBufCount, + CSSM_SIZE *bytesDecrypted, + CSSM_DATA_PTR RemData, + CSSM_PRIVILEGE Privilege) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).DecryptData(CCHandle, + Context::required(Context), + &CssmData::required(CipherBufs), + CipherBufCount, + &CssmData::required(ClearBufs), + ClearBufCount, + Required(bytesDecrypted), + CssmData::required(RemData), + Privilege); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DigestDataInit(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).DigestDataInit(CCHandle, + Context::required(Context)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_VerifyDataFinal(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *Signature) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).VerifyDataFinal(CCHandle, + CssmData::required(Signature)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GenerateKeyPair(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + uint32 PublicKeyUsage, + uint32 PublicKeyAttr, + const CSSM_DATA *PublicKeyLabel, + CSSM_KEY_PTR PublicKey, + uint32 PrivateKeyUsage, + uint32 PrivateKeyAttr, + const CSSM_DATA 
*PrivateKeyLabel, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + CSSM_KEY_PTR PrivateKey, + CSSM_PRIVILEGE Privilege) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GenerateKeyPair(CCHandle, + Context::required(Context), + PublicKeyUsage, + PublicKeyAttr, + CssmData::optional(PublicKeyLabel), + CssmKey::required(PublicKey), + PrivateKeyUsage, + PrivateKeyAttr, + CssmData::optional(PrivateKeyLabel), + CredAndAclEntry, + CssmKey::required(PrivateKey), + Privilege); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_EncryptData(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + const CSSM_DATA *ClearBufs, + uint32 ClearBufCount, + CSSM_DATA_PTR CipherBufs, + uint32 CipherBufCount, + CSSM_SIZE *bytesEncrypted, + CSSM_DATA_PTR RemData, + CSSM_PRIVILEGE Privilege) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).EncryptData(CCHandle, + Context::required(Context), + &CssmData::required(ClearBufs), + ClearBufCount, + &CssmData::required(CipherBufs), + CipherBufCount, + Required(bytesEncrypted), + CssmData::required(RemData), + Privilege); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GetTimeValue(CSSM_CSP_HANDLE CSPHandle, + CSSM_ALGORITHMS TimeAlgorithm, + CSSM_DATA *TimeData) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GetTimeValue(TimeAlgorithm, + CssmData::required(TimeData)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DeriveKey(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + CSSM_DATA_PTR Param, + uint32 KeyUsage, + uint32 KeyAttr, + const CSSM_DATA *KeyLabel, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + CSSM_KEY_PTR DerivedKey) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).DeriveKey(CCHandle, + Context::required(Context), + CssmData::required(Param), + KeyUsage, + KeyAttr, + CssmData::optional(KeyLabel), + CredAndAclEntry, + CssmKey::required(DerivedKey)); + END_API(CSP) +} + +static CSSM_RETURN 
CSSMCSPI cssm_GenerateKey(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + uint32 KeyUsage, + uint32 KeyAttr, + const CSSM_DATA *KeyLabel, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + CSSM_KEY_PTR Key, + CSSM_PRIVILEGE Privilege) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GenerateKey(CCHandle, + Context::required(Context), + KeyUsage, + KeyAttr, + CssmData::optional(KeyLabel), + CredAndAclEntry, + CssmKey::required(Key), + Privilege); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_PassThrough(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + uint32 PassThroughId, + const void *InData, + void **OutData) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).PassThrough(CCHandle, + Context::required(Context), + PassThroughId, + InData, + OutData); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_VerifyMacUpdate(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *DataBufs, + uint32 DataBufCount) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).VerifyMacUpdate(CCHandle, + &CssmData::required(DataBufs), + DataBufCount); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_FreeKey(CSSM_CSP_HANDLE CSPHandle, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + CSSM_KEY_PTR KeyPtr, + CSSM_BOOL Delete) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).FreeKey(AccessCredentials::optional(AccessCred), + CssmKey::required(KeyPtr), + Delete); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_GenerateMacInit(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).GenerateMacInit(CCHandle, + Context::required(Context)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_RetrieveCounter(CSSM_CSP_HANDLE CSPHandle, + CSSM_DATA_PTR Counter) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).RetrieveCounter(CssmData::required(Counter)); 
+ END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_QuerySize(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_CONTEXT *Context, + CSSM_BOOL Encrypt, + uint32 QuerySizeCount, + CSSM_QUERY_SIZE_DATA_PTR DataBlock) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).QuerySize(CCHandle, + Context::required(Context), + Encrypt, + QuerySizeCount, + QuerySizeData::optional(DataBlock)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_ChangeLoginAcl(CSSM_CSP_HANDLE CSPHandle, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + const CSSM_ACL_EDIT *AclEdit) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).ChangeLoginAcl(AccessCredentials::required(AccessCred), + Required(AclEdit)); + END_API(CSP) +} + +static CSSM_RETURN CSSMCSPI cssm_DigestDataUpdate(CSSM_CSP_HANDLE CSPHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *DataBufs, + uint32 DataBufCount) +{ + BEGIN_API + findSession<CSPPluginSession>(CSPHandle).DigestDataUpdate(CCHandle, + &CssmData::required(DataBufs), + DataBufCount); + END_API(CSP) +} + + +static const CSSM_SPI_CSP_FUNCS CSPFunctionStruct = { + cssm_EventNotify, + cssm_QuerySize, + cssm_SignData, + cssm_SignDataInit, + cssm_SignDataUpdate, + cssm_SignDataFinal, + cssm_VerifyData, + cssm_VerifyDataInit, + cssm_VerifyDataUpdate, + cssm_VerifyDataFinal, + cssm_DigestData, + cssm_DigestDataInit, + cssm_DigestDataUpdate, + cssm_DigestDataClone, + cssm_DigestDataFinal, + cssm_GenerateMac, + cssm_GenerateMacInit, + cssm_GenerateMacUpdate, + cssm_GenerateMacFinal, + cssm_VerifyMac, + cssm_VerifyMacInit, + cssm_VerifyMacUpdate, + cssm_VerifyMacFinal, + cssm_EncryptData, + cssm_EncryptDataInit, + cssm_EncryptDataUpdate, + cssm_EncryptDataFinal, + cssm_DecryptData, + cssm_DecryptDataInit, + cssm_DecryptDataUpdate, + cssm_DecryptDataFinal, + cssm_QueryKeySizeInBits, + cssm_GenerateKey, + cssm_GenerateKeyPair, + cssm_GenerateRandom, + cssm_GenerateAlgorithmParams, + cssm_WrapKey, + cssm_UnwrapKey, + cssm_DeriveKey, + cssm_FreeKey, 
+ cssm_PassThrough, + cssm_Login, + cssm_Logout, + cssm_ChangeLoginAcl, + cssm_ObtainPrivateKeyFromPublicKey, + cssm_RetrieveUniqueId, + cssm_RetrieveCounter, + cssm_VerifyDevice, + cssm_GetTimeValue, + cssm_GetOperationalStatistics, + cssm_GetLoginAcl, + cssm_GetKeyAcl, + cssm_ChangeKeyAcl, + cssm_GetKeyOwner, + cssm_ChangeKeyOwner, + cssm_GetLoginOwner, + cssm_ChangeLoginOwner, +}; + +static CSSM_MODULE_FUNCS CSPFunctionTable = { + CSSM_SERVICE_CSP, // service type + 57, // number of functions + (const CSSM_PROC_ADDR *)&CSPFunctionStruct +}; + +CSSM_MODULE_FUNCS_PTR CSPPluginSession::construct() +{ + return &CSPFunctionTable; +} diff --git a/OSX/libsecurity_cdsa_plugin/lib/CSPabstractsession.h b/OSX/libsecurity_cdsa_plugin/lib/CSPabstractsession.h new file mode 100644 index 00000000..2f7f92e2 --- /dev/null +++ b/OSX/libsecurity_cdsa_plugin/lib/CSPabstractsession.h 
@@ -0,0 +1,239 @@ +// +// CSP plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#ifndef _H_CSPABSTRACTSESSION +#define _H_CSPABSTRACTSESSION + +#include <security_cdsa_plugin/pluginsession.h> +#include <security_cdsa_utilities/cssmdata.h> +#include <security_cdsa_utilities/context.h> +#include <security_cdsa_utilities/cssmacl.h> +#include <security_cdsa_utilities/cssmdb.h> + + +namespace Security { + + +// +// A pure abstract class to define the CSP module interface +// +class CSPAbstractPluginSession { +public: + virtual ~CSPAbstractPluginSession(); + virtual void VerifyMacFinal(CSSM_CC_HANDLE CCHandle, + const CssmData &Mac) = 0; + virtual void GenerateRandom(CSSM_CC_HANDLE CCHandle, + const Context &Context, + CssmData &RandomNumber) = 0; + virtual void RetrieveUniqueId(CssmData &UniqueID) = 0; + virtual void SignDataFinal(CSSM_CC_HANDLE CCHandle, + CssmData &Signature) = 0; + virtual void VerifyDataUpdate(CSSM_CC_HANDLE CCHandle, + const CssmData DataBufs[], + uint32 DataBufCount) = 0; + virtual void GenerateMac(CSSM_CC_HANDLE CCHandle, + const Context &Context, + const CssmData DataBufs[], + uint32 DataBufCount, + CssmData &Mac) = 0; + virtual void VerifyMac(CSSM_CC_HANDLE CCHandle, + const Context &Context, + const CssmData DataBufs[], + uint32 DataBufCount, + const CssmData &Mac) = 0; + virtual void ObtainPrivateKeyFromPublicKey(const CssmKey &PublicKey, + CssmKey &PrivateKey) = 0; + virtual void ChangeLoginOwner(const AccessCredentials &AccessCred, + const CSSM_ACL_OWNER_PROTOTYPE &NewOwner) = 0; + virtual void SignDataInit(CSSM_CC_HANDLE CCHandle, + const Context &Context) = 0; + virtual void DecryptDataInit(CSSM_CC_HANDLE CCHandle, + const Context &Context, + CSSM_PRIVILEGE Privilege) = 0; + virtual void EventNotify(CSSM_CONTEXT_EVENT Event, + CSSM_CC_HANDLE CCHandle, + const Context &Context) = 0; + virtual void GetOperationalStatistics(CSPOperationalStatistics &Statistics) = 0; + virtual void 
DigestData(CSSM_CC_HANDLE CCHandle, + const Context &Context, + const CssmData DataBufs[], + uint32 DataBufCount, + CssmData &Digest) = 0; + virtual void GetLoginAcl(const CSSM_STRING *SelectionTag, + uint32 &NumberOfAclInfos, + CSSM_ACL_ENTRY_INFO_PTR &AclInfos) = 0; + virtual void GetKeyOwner(const CssmKey &Key, + CSSM_ACL_OWNER_PROTOTYPE &Owner) = 0; + virtual void ChangeKeyOwner(const AccessCredentials &AccessCred, + const CssmKey &Key, + const CSSM_ACL_OWNER_PROTOTYPE &NewOwner) = 0; + virtual void VerifyMacInit(CSSM_CC_HANDLE CCHandle, + const Context &Context) = 0; + virtual void DigestDataClone(CSSM_CC_HANDLE CCHandle, + CSSM_CC_HANDLE ClonedCCHandle) = 0; + virtual void GenerateMacUpdate(CSSM_CC_HANDLE CCHandle, + const CssmData DataBufs[], + uint32 DataBufCount) = 0; + virtual void EncryptDataFinal(CSSM_CC_HANDLE CCHandle, + CssmData &RemData) = 0; + virtual void EncryptDataInit(CSSM_CC_HANDLE CCHandle, + const Context &Context, + CSSM_PRIVILEGE Privilege) = 0; + virtual void VerifyData(CSSM_CC_HANDLE CCHandle, + const Context &Context, + const CssmData DataBufs[], + uint32 DataBufCount, + CSSM_ALGORITHMS DigestAlgorithm, + const CssmData &Signature) = 0; + virtual void UnwrapKey(CSSM_CC_HANDLE CCHandle, + const Context &Context, + const CssmKey *PublicKey, + const CssmKey &WrappedKey, + uint32 KeyUsage, + uint32 KeyAttr, + const CssmData *KeyLabel, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + CssmKey &UnwrappedKey, + CssmData &DescriptiveData, + CSSM_PRIVILEGE Privilege) = 0; + virtual void GenerateMacFinal(CSSM_CC_HANDLE CCHandle, + CssmData &Mac) = 0; + virtual void WrapKey(CSSM_CC_HANDLE CCHandle, + const Context &Context, + const AccessCredentials &AccessCred, + const CssmKey &Key, + const CssmData *DescriptiveData, + CssmKey &WrappedKey, + CSSM_PRIVILEGE Privilege) = 0; + virtual void DecryptDataFinal(CSSM_CC_HANDLE CCHandle, + CssmData &RemData) = 0; + virtual void SignData(CSSM_CC_HANDLE CCHandle, + const Context &Context, + const 
CssmData DataBufs[], + uint32 DataBufCount, + CSSM_ALGORITHMS DigestAlgorithm, + CssmData &Signature) = 0; + virtual void SignDataUpdate(CSSM_CC_HANDLE CCHandle, + const CssmData DataBufs[], + uint32 DataBufCount) = 0; + virtual void Logout() = 0; + virtual void DecryptData(CSSM_CC_HANDLE CCHandle, + const Context &Context, + const CssmData CipherBufs[], + uint32 CipherBufCount, + CssmData ClearBufs[], + uint32 ClearBufCount, + CSSM_SIZE &bytesDecrypted, + CssmData &RemData, + CSSM_PRIVILEGE Privilege) = 0; + virtual void QueryKeySizeInBits(CSSM_CC_HANDLE CCHandle, + const Context *Context, + const CssmKey *Key, + CSSM_KEY_SIZE &KeySize) = 0; + virtual void DigestDataInit(CSSM_CC_HANDLE CCHandle, + const Context &Context) = 0; + virtual void DigestDataFinal(CSSM_CC_HANDLE CCHandle, + CssmData &Digest) = 0; + virtual void Login(const AccessCredentials &AccessCred, + const CssmData *LoginName, + const void *Reserved) = 0; + virtual void ChangeKeyAcl(const AccessCredentials &AccessCred, + const CSSM_ACL_EDIT &AclEdit, + const CssmKey &Key) = 0; + virtual void GetKeyAcl(const CssmKey &Key, + const CSSM_STRING *SelectionTag, + uint32 &NumberOfAclInfos, + CSSM_ACL_ENTRY_INFO_PTR &AclInfos) = 0; + virtual void GenerateAlgorithmParams(CSSM_CC_HANDLE CCHandle, + const Context &Context, + uint32 ParamBits, + CssmData &Param, + uint32 &NumberOfUpdatedAttibutes, + CSSM_CONTEXT_ATTRIBUTE_PTR &UpdatedAttributes) = 0; + virtual void GetLoginOwner(CSSM_ACL_OWNER_PROTOTYPE &Owner) = 0; + virtual void VerifyDevice(const CssmData &DeviceCert) = 0; + virtual void EncryptDataUpdate(CSSM_CC_HANDLE CCHandle, + const CssmData ClearBufs[], + uint32 ClearBufCount, + CssmData CipherBufs[], + uint32 CipherBufCount, + CSSM_SIZE &bytesEncrypted) = 0; + virtual void VerifyDataInit(CSSM_CC_HANDLE CCHandle, + const Context &Context) = 0; + virtual void DecryptDataUpdate(CSSM_CC_HANDLE CCHandle, + const CssmData CipherBufs[], + uint32 CipherBufCount, + CssmData ClearBufs[], + uint32 ClearBufCount, 
+ CSSM_SIZE &bytesDecrypted) = 0; + virtual void ChangeLoginAcl(const AccessCredentials &AccessCred, + const CSSM_ACL_EDIT &AclEdit) = 0; + virtual void DigestDataUpdate(CSSM_CC_HANDLE CCHandle, + const CssmData DataBufs[], + uint32 DataBufCount) = 0; + virtual void GenerateMacInit(CSSM_CC_HANDLE CCHandle, + const Context &Context) = 0; + virtual void QuerySize(CSSM_CC_HANDLE CCHandle, + const Context &Context, + CSSM_BOOL Encrypt, + uint32 QuerySizeCount, + QuerySizeData *DataBlock) = 0; + virtual void RetrieveCounter(CssmData &Counter) = 0; + virtual void DeriveKey(CSSM_CC_HANDLE CCHandle, + const Context &Context, + CssmData &Param, + uint32 KeyUsage, + uint32 KeyAttr, + const CssmData *KeyLabel, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + CssmKey &DerivedKey) = 0; + virtual void GenerateKey(CSSM_CC_HANDLE CCHandle, + const Context &Context, + uint32 KeyUsage, + uint32 KeyAttr, + const CssmData *KeyLabel, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + CssmKey &Key, + CSSM_PRIVILEGE Privilege) = 0; + virtual void FreeKey(const AccessCredentials *AccessCred, + CssmKey &KeyPtr, + CSSM_BOOL Delete) = 0; + virtual void PassThrough(CSSM_CC_HANDLE CCHandle, + const Context &Context, + uint32 PassThroughId, + const void *InData, + void **OutData) = 0; + virtual void VerifyMacUpdate(CSSM_CC_HANDLE CCHandle, + const CssmData DataBufs[], + uint32 DataBufCount) = 0; + virtual void VerifyDataFinal(CSSM_CC_HANDLE CCHandle, + const CssmData &Signature) = 0; + virtual void GenerateKeyPair(CSSM_CC_HANDLE CCHandle, + const Context &Context, + uint32 PublicKeyUsage, + uint32 PublicKeyAttr, + const CssmData *PublicKeyLabel, + CssmKey &PublicKey, + uint32 PrivateKeyUsage, + uint32 PrivateKeyAttr, + const CssmData *PrivateKeyLabel, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + CssmKey &PrivateKey, + CSSM_PRIVILEGE Privilege) = 0; + virtual void GetTimeValue(CSSM_ALGORITHMS TimeAlgorithm, + CssmData &TimeData) = 0; + virtual void 
EncryptData(CSSM_CC_HANDLE CCHandle, + const Context &Context, + const CssmData ClearBufs[], + uint32 ClearBufCount, + CssmData CipherBufs[], + uint32 CipherBufCount, + CSSM_SIZE &bytesEncrypted, + CssmData &RemData, + CSSM_PRIVILEGE Privilege) = 0; +}; + +} // end namespace Security + +#endif //_H_CSPABSTRACTSESSION diff --git a/OSX/libsecurity_cdsa_plugin/lib/CSPsession.cpp b/OSX/libsecurity_cdsa_plugin/lib/CSPsession.cpp index f2b674ff..a66e068d 100644 --- a/OSX/libsecurity_cdsa_plugin/lib/CSPsession.cpp +++ b/OSX/libsecurity_cdsa_plugin/lib/CSPsession.cpp @@ -1045,7 +1045,7 @@ KeyPool::add(ReferencedKey &referencedKey) // never add a key that is already in mKeyMap assert(inserted); - secdebug("SecAccessReference", "added a referenced key %p for key reference %d", &referencedKey, referencedKey.keyReference()); + secinfo("SecAccessReference", "added a referenced key %p for key reference %ld", &referencedKey, referencedKey.keyReference()); } ReferencedKey & @@ -1062,7 +1062,7 @@ KeyPool::findKeyReference(ReferencedKey::KeyReference keyReference) const if (it == mKeyMap.end()) CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_REFERENCE); - secdebug("SecAccessReference", "found a referenced key %p for key reference %d [%d]", it->second, keyReference, it->second->keyReference()); + secinfo("SecAccessReference", "found a referenced key %p for key reference %ld [%ld]", it->second, keyReference, it->second->keyReference()); return *it->second; } diff --git a/OSX/libsecurity_cdsa_plugin/lib/DLabstractsession.cpp b/OSX/libsecurity_cdsa_plugin/lib/DLabstractsession.cpp new file mode 100644 index 00000000..d29da3d4 --- /dev/null +++ b/OSX/libsecurity_cdsa_plugin/lib/DLabstractsession.cpp 
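Review bot: The new `%ld` conversions in both CSPsession.cpp hunks (`KeyPool::add` at -1045 and `KeyPool::findKeyReference` at -1062) assume `ReferencedKey::KeyReference` is exactly `long`; the typedef is not in this diff, and if it is an integer handle type whose width or signedness differs from `long` on any target, the format/argument mismatch is the same undefined behavior the `%d` → `%ld` change is meant to fix. Casting the argument pins the type regardless of the typedef: `secinfo("SecAccessReference", "added a referenced key %p for key reference %ld", &referencedKey, (long)referencedKey.keyReference());`, and likewise for the two `%ld` arguments in the second hunk. Both enclosing functions start before and end after their hunks. The `%p` arguments print heap object addresses, and the move from `secdebug` to `secinfo` presumably raises their visibility in collected logs; worth confirming that is intended for this component.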
@@ -0,0 +1,333 @@ +// +// DL plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#include <security_cdsa_plugin/DLsession.h> +#include <security_cdsa_plugin/cssmplugin.h> +#include <security_cdsa_utilities/cssmbridge.h> +#include <Security/cssmdli.h> + + +DLAbstractPluginSession::~DLAbstractPluginSession() +{ /* virtual */ } + +static CSSM_RETURN CSSMDLI cssm_DataGetFirst(CSSM_DL_DB_HANDLE DLDBHandle, + const CSSM_QUERY *Query, + CSSM_HANDLE_PTR ResultsHandle, + CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes, + CSSM_DATA_PTR Data, + CSSM_DB_UNIQUE_RECORD_PTR *UniqueId) +{ + BEGIN_API + if ((Required(ResultsHandle) = findSession<DLPluginSession>(DLDBHandle.DLHandle).DataGetFirst(DLDBHandle.DBHandle, + CssmQuery::optional(Query), + Attributes, + CssmData::optional(Data), + Required(UniqueId))) == CSSM_INVALID_HANDLE) + return CSSMERR_DL_ENDOFDATA; + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_GetDbNames(CSSM_DL_HANDLE DLHandle, + CSSM_NAME_LIST_PTR *NameList) +{ + BEGIN_API + findSession<DLPluginSession>(DLHandle).GetDbNames(Required(NameList)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DbClose(CSSM_DL_DB_HANDLE DLDBHandle) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).DbClose(DLDBHandle.DBHandle); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DataInsert(CSSM_DL_DB_HANDLE DLDBHandle, + CSSM_DB_RECORDTYPE RecordType, + const CSSM_DB_RECORD_ATTRIBUTE_DATA *Attributes, + const CSSM_DATA *Data, + CSSM_DB_UNIQUE_RECORD_PTR *UniqueId) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).DataInsert(DLDBHandle.DBHandle, + RecordType, + Attributes, + CssmData::optional(Data), + Required(UniqueId)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_GetDbNameFromHandle(CSSM_DL_DB_HANDLE DLDBHandle, + char **DbName) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).GetDbNameFromHandle(DLDBHandle.DBHandle, + DbName); + END_API(DL) +} + +static 
CSSM_RETURN CSSMDLI cssm_ChangeDbAcl(CSSM_DL_DB_HANDLE DLDBHandle, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + const CSSM_ACL_EDIT *AclEdit) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).ChangeDbAcl(DLDBHandle.DBHandle, + AccessCredentials::required(AccessCred), + Required(AclEdit)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_FreeNameList(CSSM_DL_HANDLE DLHandle, + CSSM_NAME_LIST_PTR NameList) +{ + BEGIN_API + findSession<DLPluginSession>(DLHandle).FreeNameList(Required(NameList)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_CreateRelation(CSSM_DL_DB_HANDLE DLDBHandle, + CSSM_DB_RECORDTYPE RelationID, + const char *RelationName, + uint32 NumberOfAttributes, + const CSSM_DB_SCHEMA_ATTRIBUTE_INFO *pAttributeInfo, + uint32 NumberOfIndexes, + const CSSM_DB_SCHEMA_INDEX_INFO *pIndexInfo) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).CreateRelation(DLDBHandle.DBHandle, + RelationID, + RelationName, + NumberOfAttributes, + pAttributeInfo, + NumberOfIndexes, + Required(pIndexInfo)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DataAbortQuery(CSSM_DL_DB_HANDLE DLDBHandle, + CSSM_HANDLE ResultsHandle) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).DataAbortQuery(DLDBHandle.DBHandle, + ResultsHandle); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DataModify(CSSM_DL_DB_HANDLE DLDBHandle, + CSSM_DB_RECORDTYPE RecordType, + CSSM_DB_UNIQUE_RECORD_PTR UniqueRecordIdentifier, + const CSSM_DB_RECORD_ATTRIBUTE_DATA *AttributesToBeModified, + const CSSM_DATA *DataToBeModified, + CSSM_DB_MODIFY_MODE ModifyMode) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).DataModify(DLDBHandle.DBHandle, + RecordType, + Required(UniqueRecordIdentifier), + AttributesToBeModified, + CssmData::optional(DataToBeModified), + ModifyMode); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DestroyRelation(CSSM_DL_DB_HANDLE DLDBHandle, + CSSM_DB_RECORDTYPE RelationID) +{ + BEGIN_API + 
findSession<DLPluginSession>(DLDBHandle.DLHandle).DestroyRelation(DLDBHandle.DBHandle, + RelationID); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DbCreate(CSSM_DL_HANDLE DLHandle, + const char *DbName, + const CSSM_NET_ADDRESS *DbLocation, + const CSSM_DBINFO *DBInfo, + CSSM_DB_ACCESS_TYPE AccessRequest, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + const void *OpenParameters, + CSSM_DB_HANDLE *DbHandle) +{ + BEGIN_API + findSession<DLPluginSession>(DLHandle).DbCreate(DbName, + DbLocation, + Required(DBInfo), + AccessRequest, + CredAndAclEntry, + OpenParameters, + Required(DbHandle)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DbOpen(CSSM_DL_HANDLE DLHandle, + const char *DbName, + const CSSM_NET_ADDRESS *DbLocation, + CSSM_DB_ACCESS_TYPE AccessRequest, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + const void *OpenParameters, + CSSM_DB_HANDLE *DbHandle) +{ + BEGIN_API + findSession<DLPluginSession>(DLHandle).DbOpen(DbName, + DbLocation, + AccessRequest, + AccessCredentials::optional(AccessCred), + OpenParameters, + Required(DbHandle)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DataGetNext(CSSM_DL_DB_HANDLE DLDBHandle, + CSSM_HANDLE ResultsHandle, + CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes, + CSSM_DATA_PTR Data, + CSSM_DB_UNIQUE_RECORD_PTR *UniqueId) +{ + BEGIN_API + if (!findSession<DLPluginSession>(DLDBHandle.DLHandle).DataGetNext(DLDBHandle.DBHandle, + ResultsHandle, + Attributes, + CssmData::optional(Data), + Required(UniqueId))) + return CSSMERR_DL_ENDOFDATA; + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_FreeUniqueRecord(CSSM_DL_DB_HANDLE DLDBHandle, + CSSM_DB_UNIQUE_RECORD_PTR UniqueRecord) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).FreeUniqueRecord(DLDBHandle.DBHandle, + Required(UniqueRecord)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_ChangeDbOwner(CSSM_DL_DB_HANDLE DLDBHandle, + const CSSM_ACCESS_CREDENTIALS *AccessCred, + const CSSM_ACL_OWNER_PROTOTYPE *NewOwner) +{ + 
BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).ChangeDbOwner(DLDBHandle.DBHandle, + AccessCredentials::required(AccessCred), + Required(NewOwner)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DbDelete(CSSM_DL_HANDLE DLHandle, + const char *DbName, + const CSSM_NET_ADDRESS *DbLocation, + const CSSM_ACCESS_CREDENTIALS *AccessCred) +{ + BEGIN_API + findSession<DLPluginSession>(DLHandle).DbDelete(DbName, + DbLocation, + AccessCredentials::optional(AccessCred)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_Authenticate(CSSM_DL_DB_HANDLE DLDBHandle, + CSSM_DB_ACCESS_TYPE AccessRequest, + const CSSM_ACCESS_CREDENTIALS *AccessCred) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).Authenticate(DLDBHandle.DBHandle, + AccessRequest, + AccessCredentials::required(AccessCred)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DataDelete(CSSM_DL_DB_HANDLE DLDBHandle, + const CSSM_DB_UNIQUE_RECORD *UniqueRecordIdentifier) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).DataDelete(DLDBHandle.DBHandle, + Required(UniqueRecordIdentifier)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_GetDbOwner(CSSM_DL_DB_HANDLE DLDBHandle, + CSSM_ACL_OWNER_PROTOTYPE_PTR Owner) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).GetDbOwner(DLDBHandle.DBHandle, + Required(Owner)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_PassThrough(CSSM_DL_DB_HANDLE DLDBHandle, + uint32 PassThroughId, + const void *InputParams, + void **OutputParams) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).PassThrough(DLDBHandle.DBHandle, + PassThroughId, + InputParams, + OutputParams); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_GetDbAcl(CSSM_DL_DB_HANDLE DLDBHandle, + const CSSM_STRING *SelectionTag, + uint32 *NumberOfAclInfos, + CSSM_ACL_ENTRY_INFO_PTR *AclInfos) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).GetDbAcl(DLDBHandle.DBHandle, + SelectionTag, + 
Required(NumberOfAclInfos), + Required(AclInfos)); + END_API(DL) +} + +static CSSM_RETURN CSSMDLI cssm_DataGetFromUniqueRecordId(CSSM_DL_DB_HANDLE DLDBHandle, + const CSSM_DB_UNIQUE_RECORD *UniqueRecord, + CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR Attributes, + CSSM_DATA_PTR Data) +{ + BEGIN_API + findSession<DLPluginSession>(DLDBHandle.DLHandle).DataGetFromUniqueRecordId(DLDBHandle.DBHandle, + Required(UniqueRecord), + Attributes, + CssmData::optional(Data)); + END_API(DL) +} + + +static const CSSM_SPI_DL_FUNCS DLFunctionStruct = { + cssm_DbOpen, + cssm_DbClose, + cssm_DbCreate, + cssm_DbDelete, + cssm_CreateRelation, + cssm_DestroyRelation, + cssm_Authenticate, + cssm_GetDbAcl, + cssm_ChangeDbAcl, + cssm_GetDbOwner, + cssm_ChangeDbOwner, + cssm_GetDbNames, + cssm_GetDbNameFromHandle, + cssm_FreeNameList, + cssm_DataInsert, + cssm_DataDelete, + cssm_DataModify, + cssm_DataGetFirst, + cssm_DataGetNext, + cssm_DataAbortQuery, + cssm_DataGetFromUniqueRecordId, + cssm_FreeUniqueRecord, + cssm_PassThrough, +}; + +static CSSM_MODULE_FUNCS DLFunctionTable = { + CSSM_SERVICE_DL, // service type + 23, // number of functions + (const CSSM_PROC_ADDR *)&DLFunctionStruct +}; + +CSSM_MODULE_FUNCS_PTR DLPluginSession::construct() +{ + return &DLFunctionTable; +} diff --git a/OSX/libsecurity_cdsa_plugin/lib/DLabstractsession.h b/OSX/libsecurity_cdsa_plugin/lib/DLabstractsession.h new file mode 100644 index 00000000..5457e6f8 --- /dev/null +++ b/OSX/libsecurity_cdsa_plugin/lib/DLabstractsession.h 
@@ -0,0 +1,107 @@ +// +// DL plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#ifndef _H_DLABSTRACTSESSION +#define _H_DLABSTRACTSESSION + +#include <security_cdsa_plugin/pluginsession.h> +#include <security_cdsa_utilities/cssmdata.h> +#include <security_cdsa_utilities/cssmacl.h> +#include <security_cdsa_utilities/cssmdb.h> + + +namespace Security { + + +// +// A pure abstract class to define the DL module interface +// +class DLAbstractPluginSession { +public: + virtual ~DLAbstractPluginSession(); + virtual void FreeNameList(CSSM_NAME_LIST &NameList) = 0; + virtual void CreateRelation(CSSM_DB_HANDLE DBHandle, + CSSM_DB_RECORDTYPE RelationID, + const char *RelationName, + uint32 NumberOfAttributes, + const CSSM_DB_SCHEMA_ATTRIBUTE_INFO *pAttributeInfo, + uint32 NumberOfIndexes, + const CSSM_DB_SCHEMA_INDEX_INFO &pIndexInfo) = 0; + virtual void DataModify(CSSM_DB_HANDLE DBHandle, + CSSM_DB_RECORDTYPE RecordType, + CSSM_DB_UNIQUE_RECORD &UniqueRecordIdentifier, + const CSSM_DB_RECORD_ATTRIBUTE_DATA *AttributesToBeModified, + const CssmData *DataToBeModified, + CSSM_DB_MODIFY_MODE ModifyMode) = 0; + virtual void DataAbortQuery(CSSM_DB_HANDLE DBHandle, + CSSM_HANDLE ResultsHandle) = 0; + virtual void DestroyRelation(CSSM_DB_HANDLE DBHandle, + CSSM_DB_RECORDTYPE RelationID) = 0; + virtual void DbCreate(const char *DbName, + const CSSM_NET_ADDRESS *DbLocation, + const CSSM_DBINFO &DBInfo, + CSSM_DB_ACCESS_TYPE AccessRequest, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, + const void *OpenParameters, + CSSM_DB_HANDLE &DbHandle) = 0; + virtual CSSM_HANDLE DataGetFirst(CSSM_DB_HANDLE DBHandle, + const CssmQuery *Query, + CSSM_DB_RECORD_ATTRIBUTE_DATA *Attributes, + CssmData *Data, + CSSM_DB_UNIQUE_RECORD_PTR &UniqueId) = 0; + virtual void GetDbNames(CSSM_NAME_LIST_PTR &NameList) = 0; + virtual void DbClose(CSSM_DB_HANDLE DBHandle) = 0; + virtual void GetDbNameFromHandle(CSSM_DB_HANDLE DBHandle, + char 
**DbName) = 0; + virtual void DataInsert(CSSM_DB_HANDLE DBHandle, + CSSM_DB_RECORDTYPE RecordType, + const CSSM_DB_RECORD_ATTRIBUTE_DATA *Attributes, + const CssmData *Data, + CSSM_DB_UNIQUE_RECORD_PTR &UniqueId) = 0; + virtual void ChangeDbAcl(CSSM_DB_HANDLE DBHandle, + const AccessCredentials &AccessCred, + const CSSM_ACL_EDIT &AclEdit) = 0; + virtual void PassThrough(CSSM_DB_HANDLE DBHandle, + uint32 PassThroughId, + const void *InputParams, + void **OutputParams) = 0; + virtual void GetDbAcl(CSSM_DB_HANDLE DBHandle, + const CSSM_STRING *SelectionTag, + uint32 &NumberOfAclInfos, + CSSM_ACL_ENTRY_INFO_PTR &AclInfos) = 0; + virtual void DataGetFromUniqueRecordId(CSSM_DB_HANDLE DBHandle, + const CSSM_DB_UNIQUE_RECORD &UniqueRecord, + CSSM_DB_RECORD_ATTRIBUTE_DATA *Attributes, + CssmData *Data) = 0; + virtual void DbOpen(const char *DbName, + const CSSM_NET_ADDRESS *DbLocation, + CSSM_DB_ACCESS_TYPE AccessRequest, + const AccessCredentials *AccessCred, + const void *OpenParameters, + CSSM_DB_HANDLE &DbHandle) = 0; + virtual bool DataGetNext(CSSM_DB_HANDLE DBHandle, + CSSM_HANDLE ResultsHandle, + CSSM_DB_RECORD_ATTRIBUTE_DATA *Attributes, + CssmData *Data, + CSSM_DB_UNIQUE_RECORD_PTR &UniqueId) = 0; + virtual void FreeUniqueRecord(CSSM_DB_HANDLE DBHandle, + CSSM_DB_UNIQUE_RECORD &UniqueRecord) = 0; + virtual void ChangeDbOwner(CSSM_DB_HANDLE DBHandle, + const AccessCredentials &AccessCred, + const CSSM_ACL_OWNER_PROTOTYPE &NewOwner) = 0; + virtual void Authenticate(CSSM_DB_HANDLE DBHandle, + CSSM_DB_ACCESS_TYPE AccessRequest, + const AccessCredentials &AccessCred) = 0; + virtual void DbDelete(const char *DbName, + const CSSM_NET_ADDRESS *DbLocation, + const AccessCredentials *AccessCred) = 0; + virtual void DataDelete(CSSM_DB_HANDLE DBHandle, + const CSSM_DB_UNIQUE_RECORD &UniqueRecordIdentifier) = 0; + virtual void GetDbOwner(CSSM_DB_HANDLE DBHandle, + CSSM_ACL_OWNER_PROTOTYPE &Owner) = 0; +}; + +} // end namespace Security + +#endif //_H_DLABSTRACTSESSION 
diff --git a/OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp b/OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp index 637806ba..1930ad9c 100644 --- a/OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp +++ b/OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp @@ -28,7 +28,7 @@ #include <security_utilities/debugging.h> /* log open/close events */ -#define DOCDebug(args...) secdebug("DBOpen", ## args) +#define DOCDebug(args...) secinfo("DBOpen", ## args) using namespace std; @@ -52,29 +52,26 @@ DatabaseSession::~DatabaseSession() void DatabaseSession::GetDbNames(CSSM_NAME_LIST_PTR &outNameList) { - secdebug("dbsession", "GetDbNames"); + secinfo("dbsession", "GetDbNames"); outNameList = mDatabaseManager.getDbNames (*this); #ifndef NDEBUG // dump the returned names uint32 n; - secdebug("dbsession", "GetDbNames returned %d names", outNameList->NumStrings); + secinfo("dbsession", "GetDbNames returned %d names", outNameList->NumStrings); for (n = 0; n < outNameList->NumStrings; ++n) { - secdebug("dbsession", "%d: %s", n, outNameList->String[n]); + secinfo("dbsession", "%d: %s", n, outNameList->String[n]); } #endif - - secdebug("dbsession", "********************"); } void DatabaseSession::FreeNameList(CSSM_NAME_LIST &inNameList) { - secdebug("dbsession", "FreeNameList"); + secinfo("dbsession", "FreeNameList"); mDatabaseManager.freeNameList (*this, inNameList); - secdebug("dbsession", "********************"); } @@ -85,9 +82,8 @@ DatabaseSession::DbDelete(const char *inDbName, { // The databaseManager will notify all its DbContext instances // that the database is question is being deleted. - secdebug("dbsession", "DbDelete of %s", inDbName); + secnotice("dbsession", "DbDelete of %s", inDbName); mDatabaseManager.dbDelete(*this, DbName(inDbName, CssmNetAddress::optional(inDbLocation)), inAccessCred); - secdebug("dbsession", "********************"); } // DbContext creation and destruction. 
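Review bot: `secnotice("dbsession", "DbDelete of %s", inDbName)` promotes the database name from a debug-only message to notice level, and the DbCreate and DbOpen hunks that follow do the same; these names are file paths, so whether they now land in a persisted log on every keychain open or delete depends on how `secnotice` is routed, which this page does not show, and it is worth confirming the promotion is intended rather than a side effect of the mechanical `secdebug` replacement. `inDbName` is also handed to `%s` before `DbName(...)` sees it, so if a null name can reach this entry point the format call is the first thing to dereference it. In DbOpen the same name is already logged by `DOCDebug` on the preceding line, so one of the two lines is redundant.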
@@ -101,7 +97,7 @@ DatabaseSession::DbCreate(const char *inDbName, CSSM_DB_HANDLE &outDbHandle) { outDbHandle = CSSM_INVALID_HANDLE; // CDSA 2.0 says to set this if we fail - secdebug("dbsession", "DbCreate of %s", inDbName); + secnotice("dbsession", "DbCreate of %s", inDbName); outDbHandle = insertDbContext(mDatabaseManager.dbCreate(*this, DbName(inDbName, CssmNetAddress::optional(inDbLocation)), @@ -109,9 +105,7 @@ DatabaseSession::DbCreate(const char *inDbName, inAccessRequest, inCredAndAclEntry, inOpenParameters)); - secdebug("dbsession", "DbCreate returned handle %#lx", outDbHandle); - - secdebug("dbsession", "********************"); + secinfo("dbsession", "DbCreate returned handle %#lx", outDbHandle); } void @@ -123,15 +117,14 @@ DatabaseSession::DbOpen(const char *inDbName, CSSM_DB_HANDLE &outDbHandle) { DOCDebug("DatabaseSession::DbOpen: dbName %s", inDbName); - secdebug("dbsession", "DbOpen of %s", inDbName); + secnotice("dbsession", "DbOpen of %s", inDbName); outDbHandle = CSSM_INVALID_HANDLE; // CDSA 2.0 says to set this if we fail outDbHandle = insertDbContext(mDatabaseManager.dbOpen(*this, DbName(inDbName, CssmNetAddress::optional(inDbLocation)), inAccessRequest, inAccessCred, inOpenParameters)); - secdebug("dbsession", "DbOpen returned handle %#lx", outDbHandle); - secdebug("dbsession", "********************"); + secinfo("dbsession", "DbOpen returned handle %#lx", outDbHandle); } CSSM_DB_HANDLE @@ -187,7 +180,6 @@ DatabaseSession::closeAll() } mDbContextMap.clear(); - secdebug("dbsession", "********************"); } // Operations using DbContext instances. 
@@ -196,14 +188,13 @@ DatabaseSession::DbClose(CSSM_DB_HANDLE inDbHandle) { StLock<Mutex> _(mDbContextMapLock); DOCDebug("DatabaseSession::Close"); - secdebug("dbsession", "DbClose of handle %ld", inDbHandle); + secinfo("dbsession", "DbClose of handle %ld", inDbHandle); DbContextMap::iterator it = mDbContextMap.find(inDbHandle); if (it == mDbContextMap.end()) CssmError::throwMe(CSSM_ERRCODE_INVALID_DB_HANDLE); auto_ptr<DbContext> aDbContext(it->second); mDbContextMap.erase(it); mDatabaseManager.dbClose(*aDbContext); - secdebug("dbsession", "********************"); } void @@ -215,23 +206,23 @@ DatabaseSession::CreateRelation(CSSM_DB_HANDLE inDbHandle, uint32 inNumberOfIndexes, const CSSM_DB_SCHEMA_INDEX_INFO &inIndexInfo) { - secdebug("dbsession", "CreateRelation from handle %ld of record type %X with relation name %s", inDbHandle, inRelationID, inRelationName); - secdebug("dbsession", "number of attributes = %d", inNumberOfAttributes); + secinfo("dbsession", "CreateRelation from handle %ld of record type %X with relation name %s", inDbHandle, inRelationID, inRelationName); + secinfo("dbsession", "number of attributes = %d", inNumberOfAttributes); #ifndef NDEBUG unsigned n; for (n = 0; n < inNumberOfAttributes; ++n) { - secdebug("dbsession", "%d: id %d name %s, data type %d", n, inAttributeInfo[n].AttributeId, + secinfo("dbsession", "%d: id %d name %s, data type %d", n, inAttributeInfo[n].AttributeId, inAttributeInfo[n].AttributeName, inAttributeInfo[n].DataType); } #endif - secdebug("dbsession", "number of indexes: %d", inNumberOfIndexes); + secinfo("dbsession", "number of indexes: %d", inNumberOfIndexes); #ifndef NDEBUG for (n = 0; n < inNumberOfIndexes; ++n) { - secdebug("dbsession", "%d: id %d indexid %d indextype %d location %d", n, inIndexInfo.AttributeId, + secinfo("dbsession", "%d: id %d indexid %d indextype %d location %d", n, inIndexInfo.AttributeId, inIndexInfo.IndexedDataLocation, inIndexInfo.IndexId, inIndexInfo.IndexType); 
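Review bot: In the index-dump loop of CreateRelation the arguments are out of order relative to the format: the string names `indexid`, `indextype`, `location`, but the values passed are `IndexedDataLocation`, `IndexId`, `IndexType`, so all three fields are mislabelled in the new line. The loop also reads `inIndexInfo.…` unchanged on every iteration; `inIndexInfo` is a reference, and the C shim `cssm_CreateRelation` passes `Required(pIndexInfo)` for a pointer that carries `NumberOfIndexes` entries, so if that is the intended contract this prints element 0 `inNumberOfIndexes` times and should step through `(&inIndexInfo)[n]`. Proposed: `const CSSM_DB_SCHEMA_INDEX_INFO &ix = (&inIndexInfo)[n]; secinfo("dbsession", "%d: id %d indexid %d indextype %d location %d", n, ix.AttributeId, ix.IndexId, ix.IndexType, ix.IndexedDataLocation);`. The body of CreateRelation continues outside the hunk.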
@@ -242,17 +233,15 @@ DatabaseSession::CreateRelation(CSSM_DB_HANDLE inDbHandle, return aDbContext.mDatabase.createRelation(aDbContext, inRelationID, inRelationName, inNumberOfAttributes, inAttributeInfo, inNumberOfIndexes, inIndexInfo); - secdebug("dbsession", "********************"); } void DatabaseSession::DestroyRelation(CSSM_DB_HANDLE inDbHandle, CSSM_DB_RECORDTYPE inRelationID) { - secdebug("dbsession", "DestroyRelation (handle %ld) %d", inDbHandle, inRelationID); + secinfo("dbsession", "DestroyRelation (handle %ld) %d", inDbHandle, inRelationID); DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.destroyRelation(aDbContext, inRelationID); - secdebug("dbsession", "********************"); } void @@ -260,10 +249,9 @@ DatabaseSession::Authenticate(CSSM_DB_HANDLE inDbHandle, CSSM_DB_ACCESS_TYPE inAccessRequest, const AccessCredentials &inAccessCred) { - secdebug("dbsession", "Authenticate (handle %ld) inAccessRequest %d", inDbHandle, inAccessRequest); + secinfo("dbsession", "Authenticate (handle %ld) inAccessRequest %d", inDbHandle, inAccessRequest); DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.authenticate(aDbContext, inAccessRequest, inAccessCred); - secdebug("dbsession", "********************"); } @@ -273,10 +261,9 @@ DatabaseSession::GetDbAcl(CSSM_DB_HANDLE inDbHandle, uint32 &outNumberOfAclInfos, CSSM_ACL_ENTRY_INFO_PTR &outAclInfos) { - secdebug("dbsession", "GetDbAcl (handle %ld)", inDbHandle); + secinfo("dbsession", "GetDbAcl (handle %ld)", inDbHandle); DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.getDbAcl(aDbContext, inSelectionTag, outNumberOfAclInfos, outAclInfos); - secdebug("dbsession", "********************"); } void 
@@ -284,20 +271,18 @@ DatabaseSession::ChangeDbAcl(CSSM_DB_HANDLE inDbHandle, const AccessCredentials &inAccessCred, const CSSM_ACL_EDIT &inAclEdit) { - secdebug("dbsession", "ChangeDbAcl (handle %ld)", inDbHandle); + secinfo("dbsession", "ChangeDbAcl (handle %ld)", inDbHandle); DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.changeDbAcl(aDbContext, inAccessCred, inAclEdit); - secdebug("dbsession", "********************"); } void DatabaseSession::GetDbOwner(CSSM_DB_HANDLE inDbHandle, CSSM_ACL_OWNER_PROTOTYPE &outOwner) { - secdebug("dbsession", "GetDbOwner (handle %ld)", inDbHandle); + secinfo("dbsession", "GetDbOwner (handle %ld)", inDbHandle); DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.getDbOwner(aDbContext, outOwner); - secdebug("dbsession", "********************"); } void @@ -305,21 +290,19 @@ DatabaseSession::ChangeDbOwner(CSSM_DB_HANDLE inDbHandle, const AccessCredentials &inAccessCred, const CSSM_ACL_OWNER_PROTOTYPE &inNewOwner) { - secdebug("dbsession", "ChangeDbOwner (handle %ld)", inDbHandle); + secinfo("dbsession", "ChangeDbOwner (handle %ld)", inDbHandle); DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.changeDbOwner(aDbContext, inAccessCred, inNewOwner); - secdebug("dbsession", "********************"); } void DatabaseSession::GetDbNameFromHandle(CSSM_DB_HANDLE inDbHandle, char **outDbName) { - secdebug("dbsession", "GetDbNameFromHandle (handle %ld)", inDbHandle); + secinfo("dbsession", "GetDbNameFromHandle (handle %ld)", inDbHandle); DbContext &aDbContext = findDbContext(inDbHandle); Required(outDbName) = aDbContext.mDatabase.getDbNameFromHandle(aDbContext); - secdebug("dbsession", "name: %s", *outDbName); - secdebug("dbsession", "********************"); + secinfo("dbsession", "name: %s", *outDbName); } 
@@ -346,19 +329,19 @@ void DumpAttributeInfo(const CSSM_DB_ATTRIBUTE_INFO &info) break; } - secdebug("dbsession", " Attribute name type: %s", attrNameType); + secinfo("dbsession", " Attribute name type: %s", attrNameType); switch (info.AttributeFormat) { case CSSM_DB_ATTRIBUTE_NAME_AS_STRING: - secdebug("dbsession", " name: %s", info.Label.AttributeName); + secinfo("dbsession", " name: %s", info.Label.AttributeName); break; case CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER: - secdebug("dbsession", " name: %d", info.Label.AttributeID); + secinfo("dbsession", " name: %d", info.Label.AttributeID); break; case CSSM_DB_ATTRIBUTE_NAME_AS_OID: - secdebug("dbsession", " name is oid"); + secinfo("dbsession", " name is oid"); break; } @@ -394,7 +377,7 @@ void DumpAttributeInfo(const CSSM_DB_ATTRIBUTE_INFO &info) break; } - secdebug("dbsession", " attribute format: %s", s); + secinfo("dbsession", " attribute format: %s", s); } 
@@ -403,20 +386,20 @@ void DumpAttributes(const CSSM_DB_RECORD_ATTRIBUTE_DATA *inAttributes) { if (!inAttributes) { - secdebug("dbsession", "No attributes defined."); + secinfo("dbsession", "No attributes defined."); return; } - secdebug("dbsession", "insert into %d", inAttributes->DataRecordType); - secdebug("dbsession", "Semantic information %d", inAttributes->SemanticInformation); - secdebug("dbsession", "Number of attributes: %d", inAttributes->NumberOfAttributes); + secinfo("dbsession", "insert into %d", inAttributes->DataRecordType); + secinfo("dbsession", "Semantic information %d", inAttributes->SemanticInformation); + secinfo("dbsession", "Number of attributes: %d", inAttributes->NumberOfAttributes); unsigned n; for (n = 0; n < inAttributes->NumberOfAttributes; ++n) { DumpAttributeInfo(inAttributes->AttributeData[n].Info); - secdebug("dbsession", "Attribute %d\n", n); - secdebug("dbsession", " number of values: %d", inAttributes->AttributeData[n].NumberOfValues); + secinfo("dbsession", "Attribute %d\n", n); + secinfo("dbsession", " number of values: %d", inAttributes->AttributeData[n].NumberOfValues); unsigned i; for (i = 0; i < inAttributes->AttributeData[n].NumberOfValues; ++i) { 
@@ -425,26 +408,26 @@ void DumpAttributes(const CSSM_DB_RECORD_ATTRIBUTE_DATA *inAttributes) case CSSM_DB_ATTRIBUTE_FORMAT_STRING: { std::string ss((char*) inAttributes->AttributeData[n].Value[i].Data, inAttributes->AttributeData[n].Value[i].Length); - secdebug("dbsession", " Value %d: %s", i, ss.c_str()); + secinfo("dbsession", " Value %d: %s", i, ss.c_str()); break; } case CSSM_DB_ATTRIBUTE_FORMAT_SINT32: - secdebug("dbsession", " Value %d: %d", i, *(sint32*)inAttributes->AttributeData[n].Value[i].Data); + secinfo("dbsession", " Value %d: %d", i, *(sint32*)inAttributes->AttributeData[n].Value[i].Data); break; case CSSM_DB_ATTRIBUTE_FORMAT_UINT32: - secdebug("dbsession", " Value %d: %u", i, *(uint32*)inAttributes->AttributeData[n].Value[i].Data); + secinfo("dbsession", " Value %d: %u", i, *(uint32*)inAttributes->AttributeData[n].Value[i].Data); break; case CSSM_DB_ATTRIBUTE_FORMAT_BIG_NUM: - secdebug("dbsession", " Value %d: (bignum)", i); + secinfo("dbsession", " Value %d: (bignum)", i); break; case CSSM_DB_ATTRIBUTE_FORMAT_REAL: - secdebug("dbsession", " Value %d: %f", i, *(double*)inAttributes->AttributeData[n].Value[i].Data); + secinfo("dbsession", " Value %d: %f", i, *(double*)inAttributes->AttributeData[n].Value[i].Data); break; case CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE: - secdebug("dbsession", " Value %d: %s", i, (char*)inAttributes->AttributeData[n].Value[i].Data); + secinfo("dbsession", " Value %d: %s", i, (char*)inAttributes->AttributeData[n].Value[i].Data); break; case CSSM_DB_ATTRIBUTE_FORMAT_BLOB: - secdebug("dbsession", " Value %d: (blob)", i); + secinfo("dbsession", " Value %d: (blob)", i); break; case CSSM_DB_ATTRIBUTE_FORMAT_MULTI_UINT32: { 
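Review bot: The `CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE` case passes `(char*)...Value[i].Data` to `%s` with no length bound, unlike the `FORMAT_STRING` case just above it, which correctly builds a `std::string` from `Data` and `Length`; a time value that is not NUL-terminated reads past its buffer. The `SINT32`, `UINT32` and `REAL` cases dereference `Data` through `sint32*`/`uint32*`/`double*` casts without checking `Length`, which over-reads a short value and is an unaligned, aliasing-violating access on what is a byte buffer. The `#endif /* NDEBUG */` after DumpUniqueRecord suggests this dumper is only compiled in debug builds, which limits but does not remove the exposure. Proposed for the time case: `std::string ts((char*) inAttributes->AttributeData[n].Value[i].Data, inAttributes->AttributeData[n].Value[i].Length); secinfo("dbsession", " Value %d: %s", i, ts.c_str());`, and for the numeric cases a `Length >= sizeof v` check followed by `memcpy(&v, Data, sizeof v)` into a local before formatting. The switch starts and ends outside the hunk.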
@@ -453,14 +436,14 @@ void DumpAttributes(const CSSM_DB_RECORD_ATTRIBUTE_DATA *inAttributes) for (j = 0; j < numInts; ++j) { uint32* nums = (uint32*) inAttributes->AttributeData[n].Value[i].Data; - secdebug("dbsession", " %d", nums[j]); + secinfo("dbsession", " %d", nums[j]); } break; } case CSSM_DB_ATTRIBUTE_FORMAT_COMPLEX: - secdebug("dbsession", " Value %d: (complex)", i); + secinfo("dbsession", " Value %d: (complex)", i); break; } } @@ -490,7 +473,7 @@ DumpUniqueRecord(const CSSM_DB_UNIQUE_RECORD &record) } } - secdebug("dbsession", "RecordLocator.IndexType: %s", s); + secinfo("dbsession", "RecordLocator.IndexType: %s", s); switch (record.RecordLocator.IndexedDataLocation) { @@ -513,9 +496,9 @@ DumpUniqueRecord(const CSSM_DB_UNIQUE_RECORD &record) } } - secdebug("dbsession", "RecordLocator.IndexedDataLocation: %s", s); + secinfo("dbsession", "RecordLocator.IndexedDataLocation: %s", s); - secdebug("dbsession", "Attribute info:"); + secinfo("dbsession", "Attribute info:"); DumpAttributeInfo(record.RecordLocator.Info); */ @@ -530,7 +513,7 @@ DumpUniqueRecord(const CSSM_DB_UNIQUE_RECORD &record) output += hexBuffer; } - secdebug("dbsession", " RecordIdentifier.Data: %s", output.c_str()); + secinfo("dbsession", " RecordIdentifier.Data: %s", output.c_str()); } #endif /* NDEBUG */ @@ -541,16 +524,14 @@ DatabaseSession::DataInsert(CSSM_DB_HANDLE inDbHandle, const CssmData *inData, CSSM_DB_UNIQUE_RECORD_PTR &outUniqueId) { - secdebug("dbsession", "%p DataInsert(%lx,%x)", this, inDbHandle, inRecordType); + secinfo("dbsession", "%p DataInsert(%lx,%x)", this, inDbHandle, inRecordType); DbContext &aDbContext = findDbContext(inDbHandle); outUniqueId = aDbContext.mDatabase.dataInsert(aDbContext, inRecordType, inAttributes, inData); #ifndef NDEBUG - secdebug("dbsession", "Returned unique id:"); + secinfo("dbsession", "Returned unique id:"); DumpUniqueRecord(*outUniqueId); #endif - - secdebug("dbsession", "********************"); } 
@@ -558,15 +539,14 @@ void DatabaseSession::DataDelete(CSSM_DB_HANDLE inDbHandle, const CSSM_DB_UNIQUE_RECORD &inUniqueRecordIdentifier) { - secdebug("dbsession", "%p DataDelete(%lx)", this, inDbHandle); + secinfo("dbsession", "%p DataDelete(%lx)", this, inDbHandle); DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.dataDelete(aDbContext, inUniqueRecordIdentifier); #ifndef NDEBUG - secdebug("dbsession", "Record identifier:"); + secinfo("dbsession", "Record identifier:"); DumpUniqueRecord(inUniqueRecordIdentifier); #endif - secdebug("dbsession", "********************"); } @@ -578,15 +558,14 @@ DatabaseSession::DataModify(CSSM_DB_HANDLE inDbHandle, const CssmData *inDataToBeModified, CSSM_DB_MODIFY_MODE inModifyMode) { - secdebug("dbsession", "%p DataModify(%lx,%x)", this, inDbHandle, inRecordType); + secinfo("dbsession", "%p DataModify(%lx,%x)", this, inDbHandle, inRecordType); DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.dataModify(aDbContext, inRecordType, inoutUniqueRecordIdentifier, inAttributesToBeModified, inDataToBeModified, inModifyMode); #ifndef NDEBUG - secdebug("dbsession", "Out record identifier:"); + secinfo("dbsession", "Out record identifier:"); DumpUniqueRecord(inoutUniqueRecordIdentifier); #endif - secdebug("dbsession", "********************"); } CSSM_HANDLE 
@@ -596,21 +575,20 @@ DatabaseSession::DataGetFirst(CSSM_DB_HANDLE inDbHandle, CssmData *inoutData, CSSM_DB_UNIQUE_RECORD_PTR &outUniqueId) { - secdebug("dbsession", "%p DataGetFirst(%lx)", this, inDbHandle); + secinfo("dbsession", "%p DataGetFirst(%lx)", this, inDbHandle); DbContext &aDbContext = findDbContext(inDbHandle); CSSM_HANDLE result = aDbContext.mDatabase.dataGetFirst(aDbContext, inQuery, inoutAttributes, inoutData, outUniqueId); #ifndef NDEBUG - secdebug("dbsession", "result handle: %lx", result); + secinfo("dbsession", "result handle: %lx", result); if (result != 0) { - secdebug("dbsession", "Returned ID:"); + secinfo("dbsession", "Returned ID:"); DumpUniqueRecord(*outUniqueId); } #endif - secdebug("dbsession", "********************"); return result; } @@ -621,7 +599,7 @@ DatabaseSession::DataGetNext(CSSM_DB_HANDLE inDbHandle, CssmData *inoutData, CSSM_DB_UNIQUE_RECORD_PTR &outUniqueRecord) { - secdebug("dbsession", "DataGetNext(%lx)", inDbHandle); + secinfo("dbsession", "DataGetNext(%lx)", inDbHandle); DbContext &aDbContext = findDbContext(inDbHandle); bool result = aDbContext.mDatabase.dataGetNext(aDbContext, inResultsHandle, inoutAttributes, @@ -630,12 +608,11 @@ DatabaseSession::DataGetNext(CSSM_DB_HANDLE inDbHandle, #ifndef NDEBUG if (result) { - secdebug("dbsession", "Returned ID:"); + secinfo("dbsession", "Returned ID:"); DumpUniqueRecord(*outUniqueRecord); } #endif - secdebug("dbsession", "********************"); return result; } @@ -643,10 +620,9 @@ void DatabaseSession::DataAbortQuery(CSSM_DB_HANDLE inDbHandle, CSSM_HANDLE inResultsHandle) { - secdebug("dbsession", "%p DataAbortQuery(%lx)", this, inDbHandle); + secinfo("dbsession", "%p DataAbortQuery(%lx)", this, inDbHandle); DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.dataAbortQuery(aDbContext, inResultsHandle); - secdebug("dbsession", "********************"); } void 
@@ -655,30 +631,28 @@ DatabaseSession::DataGetFromUniqueRecordId(CSSM_DB_HANDLE inDbHandle, CSSM_DB_RECORD_ATTRIBUTE_DATA_PTR inoutAttributes, CssmData *inoutData) { - secdebug("dbsession", "%p DataGetFromUniqueId(%lx)", this, inDbHandle); + secinfo("dbsession", "%p DataGetFromUniqueId(%lx)", this, inDbHandle); #ifndef NDEBUG - secdebug("dbsession", "inUniqueRecord:"); + secinfo("dbsession", "inUniqueRecord:"); DumpUniqueRecord(inUniqueRecord); #endif DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.dataGetFromUniqueRecordId(aDbContext, inUniqueRecord, inoutAttributes, inoutData); - secdebug("dbsession", "********************"); } void DatabaseSession::FreeUniqueRecord(CSSM_DB_HANDLE inDbHandle, CSSM_DB_UNIQUE_RECORD &inUniqueRecordIdentifier) { - secdebug("dbsession", "FreeUniqueRecord: %lx", inDbHandle); + secinfo("dbsession", "FreeUniqueRecord: %lx", inDbHandle); #ifndef NDEBUG - secdebug("dbsession", "inUniqueRecordIdentifier follows:"); + secinfo("dbsession", "inUniqueRecordIdentifier follows:"); DumpUniqueRecord(inUniqueRecordIdentifier); #endif DbContext &aDbContext = findDbContext(inDbHandle); aDbContext.mDatabase.freeUniqueRecord(aDbContext, inUniqueRecordIdentifier); - secdebug("dbsession", "********************"); } void diff --git a/OSX/libsecurity_cdsa_plugin/lib/TPabstractsession.cpp b/OSX/libsecurity_cdsa_plugin/lib/TPabstractsession.cpp new file mode 100644 index 00000000..acfb0493 --- /dev/null +++ b/OSX/libsecurity_cdsa_plugin/lib/TPabstractsession.cpp 
@@ -0,0 +1,416 @@ +// +// TP plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#include <security_cdsa_plugin/TPsession.h> +#include <security_cdsa_plugin/cssmplugin.h> +#include <security_cdsa_utilities/cssmbridge.h> +#include <Security/cssmtpi.h> + + +TPAbstractPluginSession::~TPAbstractPluginSession() +{ /* virtual */ } + +static CSSM_RETURN CSSMTPI cssm_CertReclaimKey(CSSM_TP_HANDLE TPHandle, + const CSSM_CERTGROUP *CertGroup, + uint32 CertIndex, + CSSM_LONG_HANDLE KeyCacheHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertReclaimKey(Required(CertGroup), + CertIndex, + KeyCacheHandle, + CSPHandle, + CredAndAclEntry); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertGroupToTupleGroup(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + const CSSM_CERTGROUP *CertGroup, + CSSM_TUPLEGROUP_PTR *TupleGroup) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertGroupToTupleGroup(CLHandle, + Required(CertGroup), + Required(TupleGroup)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertCreateTemplate(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + uint32 NumberOfFields, + const CSSM_FIELD *CertFields, + CSSM_DATA_PTR CertTemplate) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertCreateTemplate(CLHandle, + NumberOfFields, + CertFields, + CssmData::required(CertTemplate)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_FormRequest(CSSM_TP_HANDLE TPHandle, + const CSSM_TP_AUTHORITY_ID *PreferredAuthority, + CSSM_TP_FORM_TYPE FormType, + CSSM_DATA_PTR BlankForm) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).FormRequest(PreferredAuthority, + FormType, + CssmData::required(BlankForm)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CrlSign(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_ENCODED_CRL *CrlToBeSigned, + 
const CSSM_CERTGROUP *SignerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult, + CSSM_DATA_PTR SignedCrl) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CrlSign(CLHandle, + CCHandle, + Required(CrlToBeSigned), + Required(SignerCertGroup), + SignerVerifyContext, + SignerVerifyResult, + CssmData::required(SignedCrl)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_TupleGroupToCertGroup(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + const CSSM_TUPLEGROUP *TupleGroup, + CSSM_CERTGROUP_PTR *CertTemplates) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).TupleGroupToCertGroup(CLHandle, + Required(TupleGroup), + Required(CertTemplates)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertGetAllTemplateFields(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + const CSSM_DATA *CertTemplate, + uint32 *NumberOfFields, + CSSM_FIELD_PTR *CertFields) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertGetAllTemplateFields(CLHandle, + CssmData::required(CertTemplate), + Required(NumberOfFields), + Required(CertFields)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertReclaimAbort(CSSM_TP_HANDLE TPHandle, + CSSM_LONG_HANDLE KeyCacheHandle) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertReclaimAbort(KeyCacheHandle); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CrlCreateTemplate(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + uint32 NumberOfFields, + const CSSM_FIELD *CrlFields, + CSSM_DATA_PTR NewCrlTemplate) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CrlCreateTemplate(CLHandle, + NumberOfFields, + CrlFields, + CssmData::required(NewCrlTemplate)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertGroupConstruct(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_DL_DB_LIST *DBList, + const void *ConstructParams, + const CSSM_CERTGROUP *CertGroupFrag, + CSSM_CERTGROUP_PTR 
*CertGroup) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertGroupConstruct(CLHandle, + CSPHandle, + Required(DBList), + ConstructParams, + Required(CertGroupFrag), + Required(CertGroup)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_PassThrough(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DL_DB_LIST *DBList, + uint32 PassThroughId, + const void *InputParams, + void **OutputParams) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).PassThrough(CLHandle, + CCHandle, + DBList, + PassThroughId, + InputParams, + OutputParams); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_RetrieveCredResult(CSSM_TP_HANDLE TPHandle, + const CSSM_DATA *ReferenceIdentifier, + const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials, + sint32 *EstimatedTime, + CSSM_BOOL *ConfirmationRequired, + CSSM_TP_RESULT_SET_PTR *RetrieveOutput) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).RetrieveCredResult(CssmData::required(ReferenceIdentifier), + CallerAuthCredentials, + Required(EstimatedTime), + Required(ConfirmationRequired), + Required(RetrieveOutput)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertSign(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DATA *CertTemplateToBeSigned, + const CSSM_CERTGROUP *SignerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT_PTR SignerVerifyResult, + CSSM_DATA_PTR SignedCert) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertSign(CLHandle, + CCHandle, + CssmData::required(CertTemplateToBeSigned), + Required(SignerCertGroup), + SignerVerifyContext, + SignerVerifyResult, + CssmData::required(SignedCert)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_FormSubmit(CSSM_TP_HANDLE TPHandle, + CSSM_TP_FORM_TYPE FormType, + const CSSM_DATA *Form, + const CSSM_TP_AUTHORITY_ID *ClearanceAuthority, + const CSSM_TP_AUTHORITY_ID *RepresentedAuthority, + 
CSSM_ACCESS_CREDENTIALS_PTR Credentials) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).FormSubmit(FormType, + CssmData::required(Form), + ClearanceAuthority, + RepresentedAuthority, + AccessCredentials::optional(Credentials)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertGroupVerify(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_CERTGROUP *CertGroupToBeVerified, + const CSSM_TP_VERIFY_CONTEXT *VerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT_PTR VerifyContextResult) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertGroupVerify(CLHandle, + CSPHandle, + Required(CertGroupToBeVerified), + VerifyContext, + VerifyContextResult); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_SubmitCredRequest(CSSM_TP_HANDLE TPHandle, + const CSSM_TP_AUTHORITY_ID *PreferredAuthority, + CSSM_TP_AUTHORITY_REQUEST_TYPE RequestType, + const CSSM_TP_REQUEST_SET *RequestInput, + const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthContext, + sint32 *EstimatedTime, + CSSM_DATA_PTR ReferenceIdentifier) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).SubmitCredRequest(PreferredAuthority, + RequestType, + Required(RequestInput), + CallerAuthContext, + Required(EstimatedTime), + CssmData::required(ReferenceIdentifier)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_ReceiveConfirmation(CSSM_TP_HANDLE TPHandle, + const CSSM_DATA *ReferenceIdentifier, + CSSM_TP_CONFIRM_RESPONSE_PTR *Responses, + sint32 *ElapsedTime) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).ReceiveConfirmation(CssmData::required(ReferenceIdentifier), + Required(Responses), + Required(ElapsedTime)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_ConfirmCredResult(CSSM_TP_HANDLE TPHandle, + const CSSM_DATA *ReferenceIdentifier, + const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials, + const CSSM_TP_CONFIRM_RESPONSE *Responses, + const CSSM_TP_AUTHORITY_ID *PreferredAuthority) +{ + BEGIN_API + 
findSession<TPPluginSession>(TPHandle).ConfirmCredResult(CssmData::required(ReferenceIdentifier), + CallerAuthCredentials, + Required(Responses), + PreferredAuthority); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CrlVerify(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_ENCODED_CRL *CrlToBeVerified, + const CSSM_CERTGROUP *SignerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *VerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT_PTR RevokerVerifyResult) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CrlVerify(CLHandle, + CSPHandle, + Required(CrlToBeVerified), + Required(SignerCertGroup), + VerifyContext, + RevokerVerifyResult); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_ApplyCrlToDb(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_ENCODED_CRL *CrlToBeApplied, + const CSSM_CERTGROUP *SignerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *ApplyCrlVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT_PTR ApplyCrlVerifyResult) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).ApplyCrlToDb(CLHandle, + CSPHandle, + Required(CrlToBeApplied), + Required(SignerCertGroup), + ApplyCrlVerifyContext, + Required(ApplyCrlVerifyResult)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertGroupPrune(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + const CSSM_DL_DB_LIST *DBList, + const CSSM_CERTGROUP *OrderedCertGroup, + CSSM_CERTGROUP_PTR *PrunedCertGroup) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertGroupPrune(CLHandle, + Required(DBList), + Required(OrderedCertGroup), + Required(PrunedCertGroup)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertRevoke(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_DATA *OldCrlTemplate, + const CSSM_CERTGROUP *CertGroupToBeRevoked, + const CSSM_CERTGROUP *RevokerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *RevokerVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT_PTR 
RevokerVerifyResult, + CSSM_TP_CERTCHANGE_REASON Reason, + CSSM_DATA_PTR NewCrlTemplate) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertRevoke(CLHandle, + CSPHandle, + CssmData::optional(OldCrlTemplate), + Required(CertGroupToBeRevoked), + Required(RevokerCertGroup), + Required(RevokerVerifyContext), + Required(RevokerVerifyResult), + Reason, + CssmData::required(NewCrlTemplate)); + END_API(TP) +} + +static CSSM_RETURN CSSMTPI cssm_CertRemoveFromCrlTemplate(CSSM_TP_HANDLE TPHandle, + CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_DATA *OldCrlTemplate, + const CSSM_CERTGROUP *CertGroupToBeRemoved, + const CSSM_CERTGROUP *RevokerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *RevokerVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT_PTR RevokerVerifyResult, + CSSM_DATA_PTR NewCrlTemplate) +{ + BEGIN_API + findSession<TPPluginSession>(TPHandle).CertRemoveFromCrlTemplate(CLHandle, + CSPHandle, + CssmData::optional(OldCrlTemplate), + Required(CertGroupToBeRemoved), + Required(RevokerCertGroup), + Required(RevokerVerifyContext), + Required(RevokerVerifyResult), + CssmData::required(NewCrlTemplate)); + END_API(TP) +} + + +static const CSSM_SPI_TP_FUNCS TPFunctionStruct = { + cssm_SubmitCredRequest, + cssm_RetrieveCredResult, + cssm_ConfirmCredResult, + cssm_ReceiveConfirmation, + cssm_CertReclaimKey, + cssm_CertReclaimAbort, + cssm_FormRequest, + cssm_FormSubmit, + cssm_CertGroupVerify, + cssm_CertCreateTemplate, + cssm_CertGetAllTemplateFields, + cssm_CertSign, + cssm_CrlVerify, + cssm_CrlCreateTemplate, + cssm_CertRevoke, + cssm_CertRemoveFromCrlTemplate, + cssm_CrlSign, + cssm_ApplyCrlToDb, + cssm_CertGroupConstruct, + cssm_CertGroupPrune, + cssm_CertGroupToTupleGroup, + cssm_TupleGroupToCertGroup, + cssm_PassThrough, +}; + +static CSSM_MODULE_FUNCS TPFunctionTable = { + CSSM_SERVICE_TP, // service type + 23, // number of functions + (const CSSM_PROC_ADDR *)&TPFunctionStruct +}; + +CSSM_MODULE_FUNCS_PTR TPPluginSession::construct() +{ + return 
&TPFunctionTable; +} diff --git a/OSX/libsecurity_cdsa_plugin/lib/TPabstractsession.h b/OSX/libsecurity_cdsa_plugin/lib/TPabstractsession.h new file mode 100644 index 00000000..d8104d62 --- /dev/null +++ b/OSX/libsecurity_cdsa_plugin/lib/TPabstractsession.h 
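Review bot: The header comment `// This file was automatically generated. Do not edit on penalty of futility!` is now misleading, because this same commit deletes generator.pl, generator.cfg and generator.mk and checks the output in under lib/, so this file and TPabstractsession.h are hand-maintained from here on. Suggest replacing it in both files with `// Originally produced by generator.pl (since removed); now maintained by hand. Keep TPFunctionStruct in CSSM_SPI_TP_FUNCS order.`. With the generator gone, the literal `23` in TPFunctionTable is no longer derived from the function list (it matches the 23 entries today), so a later edit to TPFunctionStruct could leave the count out of step with the table; `sizeof(TPFunctionStruct) / sizeof(CSSM_PROC_ADDR), // number of functions` ties it to the table, relying on the same all-function-pointer layout that the existing `(const CSSM_PROC_ADDR *)&TPFunctionStruct` cast already assumes.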
@@ -0,0 +1,140 @@ +// +// TP plugin transition layer. +// This file was automatically generated. Do not edit on penalty of futility! +// +#ifndef _H_TPABSTRACTSESSION +#define _H_TPABSTRACTSESSION + +#include <security_cdsa_plugin/pluginsession.h> +#include <security_cdsa_utilities/cssmdata.h> +#include <security_cdsa_utilities/cssmacl.h> + + +namespace Security { + + +// +// A pure abstract class to define the TP module interface +// +class TPAbstractPluginSession { +public: + virtual ~TPAbstractPluginSession(); + virtual void FormRequest(const CSSM_TP_AUTHORITY_ID *PreferredAuthority, + CSSM_TP_FORM_TYPE FormType, + CssmData &BlankForm) = 0; + virtual void CrlSign(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_ENCODED_CRL &CrlToBeSigned, + const CSSM_CERTGROUP &SignerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT *SignerVerifyResult, + CssmData &SignedCrl) = 0; + virtual void CertCreateTemplate(CSSM_CL_HANDLE CLHandle, + uint32 NumberOfFields, + const CSSM_FIELD CertFields[], + CssmData &CertTemplate) = 0; + virtual void CertReclaimKey(const CSSM_CERTGROUP &CertGroup, + uint32 CertIndex, + CSSM_LONG_HANDLE KeyCacheHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry) = 0; + virtual void CertGroupToTupleGroup(CSSM_CL_HANDLE CLHandle, + const CSSM_CERTGROUP &CertGroup, + CSSM_TUPLEGROUP_PTR &TupleGroup) = 0; + virtual void RetrieveCredResult(const CssmData &ReferenceIdentifier, + const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials, + sint32 &EstimatedTime, + CSSM_BOOL &ConfirmationRequired, + CSSM_TP_RESULT_SET_PTR &RetrieveOutput) = 0; + virtual void FormSubmit(CSSM_TP_FORM_TYPE FormType, + const CssmData &Form, + const CSSM_TP_AUTHORITY_ID *ClearanceAuthority, + const CSSM_TP_AUTHORITY_ID *RepresentedAuthority, + AccessCredentials *Credentials) = 0; + virtual void CertSign(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CssmData 
&CertTemplateToBeSigned, + const CSSM_CERTGROUP &SignerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT *SignerVerifyResult, + CssmData &SignedCert) = 0; + virtual void CrlCreateTemplate(CSSM_CL_HANDLE CLHandle, + uint32 NumberOfFields, + const CSSM_FIELD CrlFields[], + CssmData &NewCrlTemplate) = 0; + virtual void CertReclaimAbort(CSSM_LONG_HANDLE KeyCacheHandle) = 0; + virtual void PassThrough(CSSM_CL_HANDLE CLHandle, + CSSM_CC_HANDLE CCHandle, + const CSSM_DL_DB_LIST *DBList, + uint32 PassThroughId, + const void *InputParams, + void **OutputParams) = 0; + virtual void CertGroupConstruct(CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_DL_DB_LIST &DBList, + const void *ConstructParams, + const CSSM_CERTGROUP &CertGroupFrag, + CSSM_CERTGROUP_PTR &CertGroup) = 0; + virtual void TupleGroupToCertGroup(CSSM_CL_HANDLE CLHandle, + const CSSM_TUPLEGROUP &TupleGroup, + CSSM_CERTGROUP_PTR &CertTemplates) = 0; + virtual void CertGetAllTemplateFields(CSSM_CL_HANDLE CLHandle, + const CssmData &CertTemplate, + uint32 &NumberOfFields, + CSSM_FIELD_PTR &CertFields) = 0; + virtual void ReceiveConfirmation(const CssmData &ReferenceIdentifier, + CSSM_TP_CONFIRM_RESPONSE_PTR &Responses, + sint32 &ElapsedTime) = 0; + virtual void ConfirmCredResult(const CssmData &ReferenceIdentifier, + const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials, + const CSSM_TP_CONFIRM_RESPONSE &Responses, + const CSSM_TP_AUTHORITY_ID *PreferredAuthority) = 0; + virtual void SubmitCredRequest(const CSSM_TP_AUTHORITY_ID *PreferredAuthority, + CSSM_TP_AUTHORITY_REQUEST_TYPE RequestType, + const CSSM_TP_REQUEST_SET &RequestInput, + const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthContext, + sint32 &EstimatedTime, + CssmData &ReferenceIdentifier) = 0; + virtual void CertGroupVerify(CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_CERTGROUP &CertGroupToBeVerified, + const CSSM_TP_VERIFY_CONTEXT *VerifyContext, + 
CSSM_TP_VERIFY_CONTEXT_RESULT *VerifyContextResult) = 0; + virtual void CertRemoveFromCrlTemplate(CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CssmData *OldCrlTemplate, + const CSSM_CERTGROUP &CertGroupToBeRemoved, + const CSSM_CERTGROUP &RevokerCertGroup, + const CSSM_TP_VERIFY_CONTEXT &RevokerVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT &RevokerVerifyResult, + CssmData &NewCrlTemplate) = 0; + virtual void ApplyCrlToDb(CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_ENCODED_CRL &CrlToBeApplied, + const CSSM_CERTGROUP &SignerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *ApplyCrlVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT &ApplyCrlVerifyResult) = 0; + virtual void CertGroupPrune(CSSM_CL_HANDLE CLHandle, + const CSSM_DL_DB_LIST &DBList, + const CSSM_CERTGROUP &OrderedCertGroup, + CSSM_CERTGROUP_PTR &PrunedCertGroup) = 0; + virtual void CertRevoke(CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CssmData *OldCrlTemplate, + const CSSM_CERTGROUP &CertGroupToBeRevoked, + const CSSM_CERTGROUP &RevokerCertGroup, + const CSSM_TP_VERIFY_CONTEXT &RevokerVerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT &RevokerVerifyResult, + CSSM_TP_CERTCHANGE_REASON Reason, + CssmData &NewCrlTemplate) = 0; + virtual void CrlVerify(CSSM_CL_HANDLE CLHandle, + CSSM_CSP_HANDLE CSPHandle, + const CSSM_ENCODED_CRL &CrlToBeVerified, + const CSSM_CERTGROUP &SignerCertGroup, + const CSSM_TP_VERIFY_CONTEXT *VerifyContext, + CSSM_TP_VERIFY_CONTEXT_RESULT *RevokerVerifyResult) = 0; +}; + +} // end namespace Security + +#endif //_H_TPABSTRACTSESSION diff --git a/OSX/libsecurity_cdsa_plugin/lib/generator.cfg b/OSX/libsecurity_cdsa_plugin/lib/generator.cfg deleted file mode 100644 index 6a585002..00000000 --- a/OSX/libsecurity_cdsa_plugin/lib/generator.cfg +++ /dev/null 
@@ -1,59 +0,0 @@ -# -# transition.cfg -# -# Configuration file for generating the CSSM plugin framework transition layer. -# - - -# -# Specify optional arguments -# - -# CSP -optional CSP:Login LoginName -optional CSP:GetLoginAcl SelectionTag -optional CSP:GetKeyAcl SelectionTag -optional DL:GetDbAcl SelectionTag -optional CSP:GenerateKey KeyLabel CredAndAclEntry -optional CSP:GenerateKeyPair PrivateKeyLabel PublicKeyLabel CredAndAclEntry -optional CSP:WrapKey DescriptiveData -optional CSP:UnwrapKey PublicKey KeyLabel CredAndAclEntry -optional CSP:DeriveKey KeyLabel CredAndAclEntry -optional CSP:FreeKey AccessCred -optional CSP:QuerySize DataBlock -optional CSP:QueryKeySizeInBits Context Key - -# CL/TP -optional TP:SubmitCredRequest PreferredAuthority CallerAuthContext -optional TP:RetrieveCredResult CallerAuthCredentials -optional TP:ConfirmCredResult CallerAuthCredentials PreferredAuthority -optional TP:CertReclaimKey CredAndAclEntry -optional TP:FormRequest PreferredAuthority -optional TP:FormSubmit ClearanceAuthority RepresentedAuthority Credentials -optional TP:CertGroupVerify VerifyContext VerifyContextResult -optional TP:CertSign SignerVerifyContext SignerVerifyResult -optional TP:CrlVerify VerifyContext RevokerVerifyResult -optional TP:CertRevoke OldCrlTemplate -optional TP:CertRemoveFromCrlTemplate OldCrlTemplate -optional TP:CrlSign SignerVerifyContext SignerVerifyResult -optional TP:ApplyCrlToDb ApplyCrlVerifyContext -optional TP:PassThrough DBList -optional AC:AuthCompute Credentials RequestedAuthorizationPeriod -optional CL:CertSign SignScope -optional CL:CertVerify SignerCert VerifyScope -optional CL:CertGroupToSignedBundle SignerCert BundleInfo -optional CL:CertGroupFromVerifiedBundle SignerCert -optional CL:CrlSign SignScope -optional CL:CrlVerify SignerCert VerifyScope -optional CL:CrlGetFirstCachedFieldValue CrlRecordIndex - -# DL -optional DL:DbOpen DbLocation AccessCred -optional DL:DbCreate DbLocation CredAndAclEntry -optional DL:DbDelete 
DbLocation AccessCred -optional DL:DataInsert Attributes Data -optional DL:DataModify AttributesToBeModified DataToBeModified -optional DL:DataGetFirst Query Attributes Data -optional DL:DataGetNext Query Attributes Data -optional DL:DataGetFromUniqueRecordId Attributes Data -optional DL:CreateRelation pAttributeInfo diff --git a/OSX/libsecurity_cdsa_plugin/lib/generator.mk b/OSX/libsecurity_cdsa_plugin/lib/generator.mk deleted file mode 100644 index 0451e8c4..00000000 --- a/OSX/libsecurity_cdsa_plugin/lib/generator.mk +++ /dev/null @@ -1,29 +0,0 @@ -# Makefile for generated files. - -SOURCES = $(BUILT_PRODUCTS_DIR)/derived_src/security_cdsa_plugin -HEADERS = $(SOURCES) - -HFILES = $(HEADERS)/ACabstractsession.h -CPPFILES = $(SOURCES)/ACabstractsession.cpp - -build: $(HFILES) $(CPPFILES) - -install: build - -installhdrs: $(HFILES) - -installsrc: - -clean: - rm -f $(SPIGLUE_GEN) - -debug: build - -profile: build - -.PHONY: build clean debug profile - -# partial dependencies only -$(HFILES) $(CPPFILES) : $(PROJECT_DIR)/lib/generator.pl $(PROJECT_DIR)/lib/generator.cfg - mkdir -p $(SOURCES) - perl $(PROJECT_DIR)/lib/generator.pl $(CSSM_HEADERS) $(PROJECT_DIR)/lib/generator.cfg $(HEADERS) $(SOURCES) diff --git a/OSX/libsecurity_cdsa_plugin/lib/generator.pl b/OSX/libsecurity_cdsa_plugin/lib/generator.pl deleted file mode 100644 index 585186b0..00000000 --- a/OSX/libsecurity_cdsa_plugin/lib/generator.pl +++ /dev/null 
@@ -1,247 +0,0 @@ -#!/usr/bin/perl -# -# generator.pl - auto-generate code for the CSSM plugin interfaces -# -# Usage: -# perl generator.pl input-directory h-output-dir c-output-dir -# -# Perry The Cynic, Fall 1999. -# -@API_H=("cssmapi.h"); -%SPI_H=("AC" => "cssmaci.h", "CSP" => "cssmcspi.h", "DL" => "cssmdli.h", - "CL" => "cssmcli.h", "TP" => "cssmtpi.h"); - -$SOURCEPATH=$ARGV[0]; # where all the input files are -$APICFG=$ARGV[1]; # configuration file -$HTARGETDIR=$ARGV[2]; # where the generated headers go -$CTARGETDIR=$ARGV[3]; # where the generated sources go - - -$tabs = "\t\t\t"; # argument indentation (noncritical) -$warning = "This file was automatically generated. Do not edit on penalty of futility!"; - - -# -# Open and read the configuration file -# -$/=undef; # gulp file -open(APICFG, $APICFG) or die "Cannot open $APICFG: $^E"; -$_=<APICFG>; -close(APICFG); -%optionals = /^\s*optional\s+(\w+:\w+)\s+(.*)$/gm; - - -# -# Pre-arranged arrays for processing below -# -%noDataReturnError = ( CL => "CSSMERR_CL_NO_FIELD_VALUES", - DL => "CSSMERR_DL_ENDOFDATA" ); - - -# -# process one SPI at a time -# -while (($type, $header) = each %SPI_H) { - my(%functions, %methods, %actuals); - ($typelower = $type) =~ tr/A-Z/a-z/; # lowercase version of type - - # start in on the $type header file - for my $sourcedir (split (/:/, $SOURCEPATH)) { - open(SPI, "$sourcedir/$header") and last; - } - SPI or die "cannot find $header in $SOURCEPATH: $^E"; - $/=undef; # big gulp mode - $_ = <SPI>; # aaaaah... - close(SPI); # done - # throw away leading and trailing crud (only interested in SPI structure) - s/^.*struct cssm_spi.*{(.*)} CSSM_SPI.*$/$1/s - or die "bad format in $SPI_H{$name}"; - - # break up into functions (you'd do that HOW in YOUR language? 
:-) - @functions = /CSSM_RETURN \(CSSM${type}I \*([A-Za-z_]+)\)\s+\(([^)]+)\);/g; - %functions = @functions; - - $MOREHEADERS=""; - $MOREHEADERS .= "#include <security_cdsa_utilities/context.h>\n" if /CSSM_CONTEXT/; - $MOREHEADERS .= "#include <security_cdsa_utilities/cssmacl.h>\n" if /CSSM_(ACL|ACCESS)/; - $MOREHEADERS .= "#include <security_cdsa_utilities/cssmdb.h>\n" if /CSSM_QUERY/; - - # break function arguments into many forms: - # functions => formal SPI arguments - # methods => formal C++ method arguments - # actuals => actual expression forms for transition layer use - # and (by the way) massage them into a more palatable form... - $nFunctions = 0; - while (($function, $_) = each %functions) { - # - # Turn CSSM SPI formal into method formal - # - $returntype{$function} = "void"; - $prefix{$function} = ""; - $postfix{$function} = ";"; - # reshape initial argument (the module handle, more or less) - s/^CSSM_${type}_HANDLE ${type}Handle(,\s*\n\s*|$)//s; # remove own handle (-> this) - s/^CSSM_DL_DB_HANDLE DLDBHandle/CSSM_DB_HANDLE DBHandle/s; # DL_DB handle -> DB handle - s/CSSM_HANDLE_PTR ResultsHandle(,?)\n//m # turn ptr-to-resultshandle into fn result - and do { - $returntype{$function} = "CSSM_HANDLE"; - $prefix{$function} = "if ((Required(ResultsHandle) = "; - $postfix{$function} = ") == CSSM_INVALID_HANDLE)\n return $noDataReturnError{$type};"; - }; - if ($function =~ /GetNext/) { # *GetNext* returns a bool - $returntype{$function} = "bool"; - $prefix{$function} = "if (!"; - $postfix{$function} = ")\n return $noDataReturnError{$type};"; - } - # reshape subsequent arguments - s/([su]int32) \*(\w+,?)/$1 \&$2/gm; # int * -> int & (output integer) - s/(CSSM_\w+_PTR) \*(\w+,?)/$1 \&$2/gm; # _PTR * -> _PTR & - s/(CSSM_\w+)_PTR (\w+)/$1 \*$2/gm; # XYZ_PTR -> XYZ * (explicit) - s/(const )?CSSM_DATA \*(\w+)Bufs/$1CssmData $2Bufs\[\]/gm; # c DATA *Bufs (plural) - s/(const )?CSSM_(DATA|OID) \*/$1CssmData \&/gm; # c DATA * -> c Data & - s/(const )?CSSM_FIELD 
\*(\w+)Fields/$1CSSM_FIELD $2Fields\[\]/gm; # c FIELD *Fields (plural) - s/(const )?CSSM_FIELD \*CrlTemplate/$1CSSM_FIELD CrlTemplate\[\]/gm; # c FIELD *CrlTemplate - s/const CSSM_CONTEXT \*/const Context \&/gm; # c CSSM_CONTEXT * -> c Context & - s/(const )?CSSM_ACCESS_CREDENTIALS \*/$1AccessCredentials \&/gm; # ditto - s/(const )?CSSM_QUERY_SIZE_DATA \*/$1QuerySizeData \&/gm; # ditto - s/(const )?CSSM_CSP_OPERATIONAL_STATISTICS \*/$1CSPOperationalStatistics \&/gm; # ditto - s/(const )?CSSM_(WRAP_)?KEY \*/$1CssmKey \&/gm; # CSSM[WRAP]KEY * -> CssmKey & - s/const CSSM_QUERY \*/const CssmQuery \&/gm; # c QUERY * -> c Query & - s/(const )?(CSSM_[A-Z_]+) \*/$1$2 \&/gm; # c CSSM_ANY * -> c CSSM_ANY & - $methods{$function} = $_; - - # - # Now turn the method formal into the transition invocation actuals - # - s/^CSSM_DB_HANDLE \w+(,?)/DLDBHandle.DBHandle$1/s; # matching change to DL_DB handles - s/(const )?([A-Z][a-z]\w+) &(\w+)(,?)/$2::required($3)$4/gm; # BIG_ * -> Small_ & - s/(const )?CssmData (\w+)Bufs\[\](,?)/\&\&CssmData::required($2Bufs)$3/gm; # c DATA *DataBufs - s/(const )?CSSM_FIELD (\w+)Fields\[\](,?)/$2Fields$3/gm; # c CSSM_FIELD *Fields - s/(const )?CSSM_FIELD CrlTemplate\[\](,?)/CrlTemplate$2/gm; # c CSSM_FIELD *CrlTemplate - # now remove formal arguments and clean up - s/^.* \&\&(\w+,?)/$tabs\&$1/gm; # && escape (to keep real &) - s/^.* \&(\w+)(,?)/${tabs}Required($1)$2/gm; # dereference for ref transition - s/^.* \**(\w+,?)/$tabs$1/gm; # otherwise, plain actual argument - s/^$tabs//; - $actuals{$function} = $_; - - # - # Fix optional arguments - # - foreach $opt (split " ", $optionals{"$type:$function"}) { - $methods{$function} =~ s/\&$opt\b/\*$opt/; # turn refs back into pointers - $actuals{$function} =~ s/::required\($opt\)/::optional($opt)/; # optional specific - $actuals{$function} =~ s/Required\($opt\)/$opt/; # optional generic - }; - $nFunctions++; - }; - - # - # Prepare to write header and source files - # - open(H, 
">$HTARGETDIR/${type}abstractsession.h") or die "cannot write ${type}abstractsession.h: $^E"; - open(C, ">$CTARGETDIR/${type}abstractsession.cpp") or die "cannot write ${type}abstractsession.cpp: $^E"; - - # - # Create header file - # - print H <<HDRHEAD; -// -// $type plugin transition layer. -// $warning -// -#ifndef _H_${type}ABSTRACTSESSION -#define _H_${type}ABSTRACTSESSION - -#include <security_cdsa_plugin/pluginsession.h> -#include <security_cdsa_utilities/cssmdata.h> -$MOREHEADERS - -namespace Security { - - -// -// A pure abstract class to define the ${type} module interface -// -class ${type}AbstractPluginSession { -public: - virtual ~${type}AbstractPluginSession(); -HDRHEAD - - $functionCount = 0; - while (($function, $arglist) = each %methods) { - # generate method declaration - print H " virtual $returntype{$function} $function($arglist) = 0;\n"; - $functionCount++; - }; - print H <<HDREND; -}; - -} // end namespace Security - -#endif //_H_${type}ABSTRACTSESSION -HDREND - - # - # Create source file - # - print C <<BODY; -// -// $type plugin transition layer. 
-// $warning -// -#include <security_cdsa_plugin/${type}session.h> -#include <security_cdsa_plugin/cssmplugin.h> -#include <security_cdsa_utilities/cssmbridge.h> -#include <Security/cssm${typelower}i.h> - - -${type}AbstractPluginSession::~${type}AbstractPluginSession() -{ /* virtual */ } - -BODY - - # write transition layer functions - while (($function, $arglist) = each %functions) { - $lookupHandle = "${type}Handle"; - $lookupHandle = "DLDBHandle.DLHandle" if $arglist =~ /DL_DB_HANDLE/; - print C <<SHIM; -static CSSM_RETURN CSSM${type}I cssm_$function($arglist) -{ - BEGIN_API - ${prefix{$function}}findSession<${type}PluginSession>($lookupHandle).$function($actuals{$function})${postfix{$function}} - END_API($type) -} - -SHIM - }; - - # generate dispatch table - in the right order, please - print C "\nstatic const CSSM_SPI_${type}_FUNCS ${type}FunctionStruct = {\n"; - while ($function = shift @functions) { - print C " cssm_$function,\n"; - shift @functions; # skip over arglist part - }; - print C "};\n\n"; - - print C <<END; -static CSSM_MODULE_FUNCS ${type}FunctionTable = { - CSSM_SERVICE_$type, // service type - $functionCount, // number of functions - (const CSSM_PROC_ADDR *)&${type}FunctionStruct -}; - -CSSM_MODULE_FUNCS_PTR ${type}PluginSession::construct() -{ - return &${type}FunctionTable; -} -END - - # - # Done with this type - # - close(H); - close(C); - - print "$nFunctions functions generated for $type SPI transition layer.\n"; -}; diff --git a/OSX/libsecurity_cdsa_plugin/libsecurity_cdsa_plugin.xcodeproj/project.pbxproj b/OSX/libsecurity_cdsa_plugin/libsecurity_cdsa_plugin.xcodeproj/project.pbxproj index bcdd6fea..f3885e05 100644 --- a/OSX/libsecurity_cdsa_plugin/libsecurity_cdsa_plugin.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_cdsa_plugin/libsecurity_cdsa_plugin.xcodeproj/project.pbxproj 
@@ -40,20 +40,6 @@ /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ - 182BB36B146F126A000BF1F3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 18446077146DF45600B12992 /* libsecurity_utilities.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = C2C9C69D0CECBE8400B3FE07; - remoteInfo = libsecurity_utilitiesDTrace; - }; - 18446071146DEEE300B12992 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4CA1FEAB052A3C3800F22E42 /* Project object */; - proxyType = 1; - remoteGlobalIDString = C2C38A530535EDE600D7421F; - remoteInfo = generate; - }; 1844607C146DF45600B12992 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18446077146DF45600B12992 /* libsecurity_utilities.xcodeproj */; 
@@ -71,25 +57,25 @@ 18446077146DF45600B12992 /* libsecurity_utilities.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_utilities.xcodeproj; path = ../libsecurity_utilities/libsecurity_utilities.xcodeproj; sourceTree = "<group>"; }; 4C34408B0534CC81005148B6 /* Database.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = Database.cpp; sourceTree = "<group>"; }; 4C34408C0534CC81005148B6 /* Database.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Database.h; sourceTree = "<group>"; }; - 4C34408D0534CC81005148B6 /* DatabaseSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DatabaseSession.cpp; sourceTree = "<group>"; }; + 4C34408D0534CC81005148B6 /* DatabaseSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = DatabaseSession.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C34408E0534CC81005148B6 /* DatabaseSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DatabaseSession.h; sourceTree = "<group>"; }; 4C34408F0534CC82005148B6 /* DbContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DbContext.cpp; sourceTree = "<group>"; }; 4C3440900534CC82005148B6 /* DbContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DbContext.h; sourceTree = "<group>"; }; - 4C52AC740540B25100536F78 /* ACabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = ACabstractsession.h; path = derived_src/security_cdsa_plugin/ACabstractsession.h; sourceTree = BUILT_PRODUCTS_DIR; }; - 4C52AC750540B25100536F78 /* CLabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; 
lastKnownFileType = sourcecode.c.h; name = CLabstractsession.h; path = derived_src/security_cdsa_plugin/CLabstractsession.h; sourceTree = BUILT_PRODUCTS_DIR; }; - 4C52AC760540B25100536F78 /* CSPabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = CSPabstractsession.h; path = derived_src/security_cdsa_plugin/CSPabstractsession.h; sourceTree = BUILT_PRODUCTS_DIR; }; - 4C52AC770540B25100536F78 /* DLabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = DLabstractsession.h; path = derived_src/security_cdsa_plugin/DLabstractsession.h; sourceTree = BUILT_PRODUCTS_DIR; }; - 4C52AC780540B25100536F78 /* TPabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = TPabstractsession.h; path = derived_src/security_cdsa_plugin/TPabstractsession.h; sourceTree = BUILT_PRODUCTS_DIR; }; + 4C52AC740540B25100536F78 /* ACabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = ACabstractsession.h; path = lib/ACabstractsession.h; sourceTree = SOURCE_ROOT; }; + 4C52AC750540B25100536F78 /* CLabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = CLabstractsession.h; path = lib/CLabstractsession.h; sourceTree = SOURCE_ROOT; }; + 4C52AC760540B25100536F78 /* CSPabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = CSPabstractsession.h; path = lib/CSPabstractsession.h; sourceTree = SOURCE_ROOT; }; + 4C52AC770540B25100536F78 /* DLabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = DLabstractsession.h; path = lib/DLabstractsession.h; sourceTree = SOURCE_ROOT; }; + 4C52AC780540B25100536F78 /* TPabstractsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = 
TPabstractsession.h; path = lib/TPabstractsession.h; sourceTree = SOURCE_ROOT; }; 4CA1FEBE052A3C8100F22E42 /* libsecurity_cdsa_plugin.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libsecurity_cdsa_plugin.a; sourceTree = BUILT_PRODUCTS_DIR; }; - C2196BDB053B6036005808D4 /* ACabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = ACabstractsession.cpp; path = derived_src/security_cdsa_plugin/ACabstractsession.cpp; sourceTree = BUILT_PRODUCTS_DIR; }; - C2196BDC053B6036005808D4 /* CLabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = CLabstractsession.cpp; path = derived_src/security_cdsa_plugin/CLabstractsession.cpp; sourceTree = BUILT_PRODUCTS_DIR; }; - C2196BDD053B6036005808D4 /* CSPabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = CSPabstractsession.cpp; path = derived_src/security_cdsa_plugin/CSPabstractsession.cpp; sourceTree = BUILT_PRODUCTS_DIR; }; - C2196BDE053B6036005808D4 /* DLabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = DLabstractsession.cpp; path = derived_src/security_cdsa_plugin/DLabstractsession.cpp; sourceTree = BUILT_PRODUCTS_DIR; }; - C2196BDF053B6036005808D4 /* TPabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = TPabstractsession.cpp; path = derived_src/security_cdsa_plugin/TPabstractsession.cpp; sourceTree = BUILT_PRODUCTS_DIR; }; + C2196BDB053B6036005808D4 /* ACabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = ACabstractsession.cpp; path = lib/ACabstractsession.cpp; sourceTree = SOURCE_ROOT; }; + C2196BDC053B6036005808D4 /* CLabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name 
= CLabstractsession.cpp; path = lib/CLabstractsession.cpp; sourceTree = SOURCE_ROOT; }; + C2196BDD053B6036005808D4 /* CSPabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = CSPabstractsession.cpp; path = lib/CSPabstractsession.cpp; sourceTree = SOURCE_ROOT; }; + C2196BDE053B6036005808D4 /* DLabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = DLabstractsession.cpp; path = lib/DLabstractsession.cpp; sourceTree = SOURCE_ROOT; }; + C2196BDF053B6036005808D4 /* TPabstractsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = TPabstractsession.cpp; path = lib/TPabstractsession.cpp; sourceTree = SOURCE_ROOT; }; C2F8455E052CA23100F4D742 /* ACsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = ACsession.h; sourceTree = "<group>"; }; C2F8455F052CA23100F4D742 /* c++plugin.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "c++plugin.h"; sourceTree = "<group>"; }; C2F84560052CA23100F4D742 /* CLsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = CLsession.h; sourceTree = "<group>"; }; - C2F84561052CA23100F4D742 /* CSPsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = CSPsession.cpp; sourceTree = "<group>"; }; + C2F84561052CA23100F4D742 /* CSPsession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = CSPsession.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2F84562052CA23100F4D742 /* CSPsession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = CSPsession.h; sourceTree = "<group>"; }; C2F84563052CA23100F4D742 /* csputilities.cpp */ = {isa = PBXFileReference; 
fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = csputilities.cpp; sourceTree = "<group>"; }; C2F84564052CA23100F4D742 /* cssmplugin.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = cssmplugin.cpp; sourceTree = "<group>"; }; @@ -158,16 +144,6 @@ C2196BD8053B5FFE005808D4 /* derived_src */ = { isa = PBXGroup; children = ( - C2196BDB053B6036005808D4 /* ACabstractsession.cpp */, - C2196BDC053B6036005808D4 /* CLabstractsession.cpp */, - C2196BDD053B6036005808D4 /* CSPabstractsession.cpp */, - C2196BDE053B6036005808D4 /* DLabstractsession.cpp */, - C2196BDF053B6036005808D4 /* TPabstractsession.cpp */, - 4C52AC740540B25100536F78 /* ACabstractsession.h */, - 4C52AC750540B25100536F78 /* CLabstractsession.h */, - 4C52AC760540B25100536F78 /* CSPabstractsession.h */, - 4C52AC770540B25100536F78 /* DLabstractsession.h */, - 4C52AC780540B25100536F78 /* TPabstractsession.h */, ); path = derived_src; sourceTree = BUILT_PRODUCTS_DIR; @@ -198,6 +174,16 @@ C2F8456C052CA23100F4D742 /* pluginsession.h */, C2F8456D052CA23100F4D742 /* pluginspi.h */, C2F8456E052CA23100F4D742 /* TPsession.h */, + C2196BDB053B6036005808D4 /* ACabstractsession.cpp */, + C2196BDC053B6036005808D4 /* CLabstractsession.cpp */, + C2196BDD053B6036005808D4 /* CSPabstractsession.cpp */, + C2196BDE053B6036005808D4 /* DLabstractsession.cpp */, + C2196BDF053B6036005808D4 /* TPabstractsession.cpp */, + 4C52AC740540B25100536F78 /* ACabstractsession.h */, + 4C52AC750540B25100536F78 /* CLabstractsession.h */, + 4C52AC760540B25100536F78 /* CSPabstractsession.h */, + 4C52AC770540B25100536F78 /* DLabstractsession.h */, + 4C52AC780540B25100536F78 /* TPabstractsession.h */, ); path = lib; sourceTree = "<group>"; 
@@ -231,24 +217,6 @@ }; /* End PBXHeadersBuildPhase section */ -/* Begin PBXLegacyTarget section */ - C2C38A530535EDE600D7421F /* libsecurity_cdsa_plugin_generate */ = { - isa = PBXLegacyTarget; - buildArgumentsString = "-f $(PROJECT_DIR)/lib/generator.mk $ACTION"; - buildConfigurationList = C27AD2DC0987FCDD001272E0 /* Build configuration list for PBXLegacyTarget "libsecurity_cdsa_plugin_generate" */; - buildPhases = ( - ); - buildToolPath = /usr/bin/gnumake; - buildWorkingDirectory = ""; - dependencies = ( - 182BB36C146F126A000BF1F3 /* PBXTargetDependency */, - ); - name = libsecurity_cdsa_plugin_generate; - passBuildSettingsInEnvironment = 1; - productName = Generate; - }; -/* End PBXLegacyTarget section */ - /* Begin PBXNativeTarget section */ 4CA1FEBD052A3C8100F22E42 /* libsecurity_cdsa_plugin */ = { isa = PBXNativeTarget; @@ -262,7 +230,6 @@ buildRules = ( ); dependencies = ( - 18446072146DEEE300B12992 /* PBXTargetDependency */, ); name = libsecurity_cdsa_plugin; productName = libsecurity_cdsa_plugin; @@ -275,7 +242,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD2E80987FCDD001272E0 /* Build configuration list for PBXProject "libsecurity_cdsa_plugin" */; compatibilityVersion = "Xcode 3.2"; @@ -296,7 +263,6 @@ projectRoot = ""; targets = ( 4CA1FEBD052A3C8100F22E42 /* libsecurity_cdsa_plugin */, - C2C38A530535EDE600D7421F /* libsecurity_cdsa_plugin_generate */, ); }; /* End PBXProject section */ 
@@ -318,12 +284,15 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/", + "$(SRCROOT)/lib/", ); outputPaths = ( + "${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "nmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + shellScript = "# with our source directories as input files, Xcode will only re-run this phase if there's been a source change\nnmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; }; /* End PBXShellScriptBuildPhase section */ @@ -350,38 +319,7 @@ }; /* End PBXSourcesBuildPhase section */ -/* Begin PBXTargetDependency section */ - 182BB36C146F126A000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity_utilitiesDTrace; - targetProxy = 182BB36B146F126A000BF1F3 /* PBXContainerItemProxy */; - }; - 18446072146DEEE300B12992 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = C2C38A530535EDE600D7421F /* libsecurity_cdsa_plugin_generate */; - targetProxy = 18446071146DEEE300B12992 /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - /* Begin XCBuildConfiguration section */ - C27AD2DD0987FCDD001272E0 /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - COMBINE_HIDPI_IMAGES = YES; - CSSM_HEADERS = "$(PROJECT_DIR)/../libsecurity_cssm/lib"; - INSTALLHDRS_SCRIPT_PHASE = YES; - }; - name = Debug; - }; - C27AD2DF0987FCDD001272E0 /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - COMBINE_HIDPI_IMAGES = YES; - CSSM_HEADERS = "$(PROJECT_DIR)/../libsecurity_cssm/lib"; - INSTALLHDRS_SCRIPT_PHASE = YES; - }; - name = Release; - }; C27AD2E50987FCDD001272E0 /* Debug */ = { isa = XCBuildConfiguration; baseConfigurationReference = 1844606E146DEE4400B12992 /* debug.xcconfig */; 
@@ -408,12 +346,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1844606F146DEE4400B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -421,27 +368,25 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1844606F146DEE4400B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; /* End XCBuildConfiguration section */ /* Begin XCConfigurationList section */ - C27AD2DC0987FCDD001272E0 /* Build configuration list for PBXLegacyTarget "libsecurity_cdsa_plugin_generate" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - C27AD2DD0987FCDD001272E0 /* Debug */, - C27AD2DF0987FCDD001272E0 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; C27AD2E40987FCDD001272E0 /* Build configuration list for PBXNativeTarget "libsecurity_cdsa_plugin" */ = { isa = XCConfigurationList; buildConfigurations = ( 
diff --git a/OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.cpp b/OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.cpp index 26ccdea1..a9f8500e 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.cpp @@ -104,25 +104,6 @@ AuthValueVector::operator = (const AuthorizationValueVector& valueVector) return *this; } -void -AuthValueVector::copy(AuthorizationValueVector **data, size_t *length) const -{ - AuthorizationValueVector valueVector; - valueVector.count = (UInt32)size(); - valueVector.values = new AuthorizationValue[valueVector.count]; - int i = 0; - for (const_iterator it = begin(); it != end(); ++it, ++i) - { - (*it)->fillInAuthorizationValue(valueVector.values[i]); - } - - DataWalkers::Copier<AuthorizationValueVector> flatValueVector(&valueVector); - *length = flatValueVector.length(); - *data = flatValueVector.keep(); - - delete[] valueVector.values; -} - AuthItem::AuthItem(const AuthorizationItem &item) : mFlags(item.flags), mOwnsName(true), @@ -206,36 +187,14 @@ AuthItem::operator = (const AuthItem &other) return *this; } -void -AuthItem::fillInAuthorizationItem(AuthorizationItem &item) -{ - item.name = mName; - item.valueLength = mValue.length; - item.value = mValue.data; - item.flags = mFlags; -} - -bool -AuthItem::getBool(bool &value) -{ - if (mValue.length == sizeof(bool)) - { - bool *tmpValue = (bool *)mValue.data; - - if (tmpValue) - { - value = *tmpValue; - return true; - } - } - - return false; -} - bool AuthItem::getString(string &value) { - value = string(static_cast<char*>(mValue.data), mValue.length); + // if terminating NUL is included, ignore it + size_t len = mValue.length; + if (len > 0 && (static_cast<char*>(mValue.data)[len - 1] == 0)) + --len; + value = string(static_cast<char*>(mValue.data), len); return true; } 
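Review bot: The trailing-NUL trimming added to `AuthItem::getString` is not mirrored by the inline `stringValue()` accessor in AuthorizationData.h, which this same commit leaves as `string(static_cast<char *>(mValue.data), mValue.length)`, so the two accessors now return different strings for the same NUL-terminated value. Either route both through one private helper that computes the trimmed length, or document on `stringValue()` that it keeps the terminator. The new code also dereferences `mValue.data` whenever `mValue.length > 0`; if a NULL `data` with a non-zero length can reach here (the removed `getBool` did guard against NULL), the check should read `if (len > 0 && mValue.data && static_cast<char*>(mValue.data)[len - 1] == 0)`.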
@@ -258,14 +217,11 @@ AuthItemRef::AuthItemRef(AuthorizationString name, AuthorizationValue value, Aut // AuthItemSet // AuthItemSet::AuthItemSet() -: firstItemName(NULL) { } AuthItemSet::~AuthItemSet() { - if (NULL != firstItemName) - free(firstItemName); } AuthItemSet & @@ -284,21 +240,13 @@ AuthItemSet::operator=(const AuthItemSet& itemSet) { std::set<AuthItemRef>::operator=(itemSet); - if (this != &itemSet) { - duplicate(itemSet); - } - return *this; } AuthItemSet::AuthItemSet(const AuthorizationItemSet *itemSet) -: firstItemName(NULL) { if (NULL != itemSet && NULL != itemSet->items) { - if (0 < itemSet->count && NULL != itemSet->items[0].name) - firstItemName = strdup(itemSet->items[0].name); - for (unsigned int i=0; i < itemSet->count; i++) insert(AuthItemRef(itemSet->items[i])); } @@ -307,46 +255,6 @@ AuthItemSet::AuthItemSet(const AuthorizationItemSet *itemSet) AuthItemSet::AuthItemSet(const AuthItemSet& itemSet) : std::set<AuthItemRef>(itemSet) { - duplicate(itemSet); -} - -void -AuthItemSet::duplicate(const AuthItemSet& itemSet) -{ - if (itemSet.firstItemName != NULL) - firstItemName = strdup(itemSet.firstItemName); - else - firstItemName = NULL; -} - -void -AuthItemSet::copy(AuthorizationItemSet *&data, size_t &length, Allocator &alloc) const -{ - AuthorizationItemSet itemSet; - itemSet.count = (UInt32)size(); - itemSet.items = new AuthorizationItem[itemSet.count]; - int i = 0; - for (const_iterator it = begin(); it != end(); ++it, ++i) - { - (*it)->fillInAuthorizationItem(itemSet.items[i]); - } - - DataWalkers::Copier<AuthorizationItemSet> flatItemSet(&itemSet, alloc); - length = flatItemSet.length(); - - data = flatItemSet.keep(); - // else flatItemSet disappears again - - delete[] itemSet.items; -} - -AuthorizationItemSet * -AuthItemSet::copy() const -{ - AuthorizationItemSet *aCopy; - size_t aLength; - copy(aCopy, aLength); - return aCopy; } AuthItem * 
diff --git a/OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.h b/OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.h index 3b2c24fa..8dbdc8d0 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.h +++ b/OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.h @@ -95,8 +95,6 @@ public: ~AuthValueVector() {} AuthValueVector &operator = (const AuthorizationValueVector& valueVector); - - void copy(AuthorizationValueVector **data, size_t *length) const; }; @@ -120,8 +118,6 @@ public: AuthItem &operator = (const AuthItem &other); ~AuthItem(); - void fillInAuthorizationItem(AuthorizationItem &item); - AuthorizationString name() const { return mName; } const AuthorizationValue& value() const { return mValue; } string stringValue() const { return string(static_cast<char *>(mValue.data), mValue.length); } @@ -136,7 +132,6 @@ private: mutable bool mOwnsValue; public: - bool getBool(bool &value); bool getString(string &value); bool getCssmData(CssmAutoData &value); }; @@ -166,16 +161,8 @@ public: AuthItemSet &operator = (const AuthorizationItemSet& itemSet); AuthItemSet &operator = (const AuthItemSet& itemSet); - void copy(AuthorizationItemSet *&data, size_t &length, Allocator &alloc = Allocator::standard()) const; - AuthorizationItemSet *copy() const; - - char *firstItemName; - public: AuthItem *find(const char *name); - -private: - void duplicate(const AuthItemSet& itemSet); }; class FindAuthItemByRightName @@ -191,7 +178,7 @@ public: { return (!strcmp(name, authitem->name)); } - + private: const char *name; }; diff --git a/OSX/libsecurity_cdsa_utilities/lib/Schema.m4 b/OSX/libsecurity_cdsa_utilities/lib/Schema.m4 index f3b84278..1d4f9e12 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/Schema.m4 +++ b/OSX/libsecurity_cdsa_utilities/lib/Schema.m4 
@@ -291,7 +291,7 @@ newAttribute(` Ss', Alias, kSecAlias, (char*) "Alias", 0, NULL, BLOB) newAttribute(`UISs', Issuer, kSecIssuerItemAttr, (char*) "Issuer", 0, NULL, BLOB) newAttribute(`UISs', ThisUpdate, kSecThisUpdateItemAttr, (char*) "ThisUpdate", 0, NULL, BLOB) newAttribute(`UISs', NextUpdate, kSecNextUpdateItemAttr, (char*) "NextUpdate", 0, NULL, BLOB) -newAttribute(` Ss', URI, kSecUriItemAttr, (char*) "URI", 0, NULL, BLOB) +newAttribute(`UISs', URI, kSecUriItemAttr, (char*) "URI", 0, NULL, BLOB) newAttribute(` ISs', CrlNumber, kSecCrlNumberItemAttr, (char*) "CrlNumber", 0, NULL, UINT32) newAttribute(` ISs', DeltaCrlNumber, kSecDeltaCrlNumberItemAttr, (char*) "DeltaCrlNumber", 0, NULL, UINT32) endNewClass() diff --git a/OSX/libsecurity_cdsa_utilities/lib/acl_codesigning.cpp b/OSX/libsecurity_cdsa_utilities/lib/acl_codesigning.cpp index 5c0cc03f..340bbd2b 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/acl_codesigning.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/acl_codesigning.cpp @@ -91,11 +91,11 @@ CodeSignatureAclSubject *CodeSignatureAclSubject::Maker::make(const TypedList &l if (list[n].is(CSSM_LIST_ELEMENT_DATUM)) { const BlobCore *blob = list[n].data().interpretedAs<const BlobCore>(); if (blob->length() < sizeof(BlobCore)) { - secdebug("csblob", "runt blob (0x%x/%zd) slot %d in CSSM_LIST", + secinfo("csblob", "runt blob (0x%x/%zd) slot %d in CSSM_LIST", blob->magic(), blob->length(), n); CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE); } else if (blob->length() != list[n].data().length()) { - secdebug("csblob", "badly sized blob (0x%x/%zd) slot %d in CSSM_LIST", + secinfo("csblob", "badly sized blob (0x%x/%zd) slot %d in CSSM_LIST", blob->magic(), blob->length(), n); CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE); } 
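Review bot: In `Maker::make(const TypedList &)` the header fields `blob->magic()` and `blob->length()` are read through `interpretedAs<const BlobCore>()` before anything confirms that the datum itself is at least `sizeof(BlobCore)` bytes; the `else if` branch detects a size mismatch only after those reads have happened. Unless `interpretedAs()` already enforces a minimum length (not visible here), a short datum in this externally supplied ACL subject list is over-read before the throw. A guard such as `if (list[n].data().length() < sizeof(BlobCore)) CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);` placed before the `blob` declaration closes the gap; the secinfo rename itself is fine. `make()` starts and ends outside this hunk.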
@@ -133,7 +133,7 @@ CodeSignatureAclSubject *CodeSignatureAclSubject::Maker::make(const SHA1::Byte * blob = increment<const BlobCore>(blob, alignUp(blob->length(), commentBagAlignment))) { size_t leftInBag = difference(commentBag.end(), blob); if (leftInBag < sizeof(BlobCore) || blob->length() < sizeof(BlobCore) || blob->length() > leftInBag) { - secdebug("csblob", "invalid blob (0x%x/%zd) [%zd in bag] in code signing ACL for %s - stopping scan", + secinfo("csblob", "invalid blob (0x%x/%zd) [%zd in bag] in code signing ACL for %s - stopping scan", blob->magic(), blob->length(), leftInBag, subj->path().c_str()); break; // can't trust anything beyond this blob } diff --git a/OSX/libsecurity_cdsa_utilities/lib/acl_preauth.cpp b/OSX/libsecurity_cdsa_utilities/lib/acl_preauth.cpp index cd4a5f81..35d806ad 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/acl_preauth.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/acl_preauth.cpp @@ -170,13 +170,13 @@ bool SourceAclSubject::SourceAclSubject::validates(const AclValidationContext &b if (!CSSM_ACL_AUTHORIZATION_IS_PREAUTH(auth)) // all muddled up; bail CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE); uint32 slot = CSSM_ACL_AUTHORIZATION_PREAUTH_SLOT(auth); - secdebug("preauth", "using state %d@%p", slot, &env->store(this)); + secinfo("preauth", "using state %d@%p", slot, &env->store(this)); bool &accepted = env->store(this).attachment<AclState>((void *)((size_t) slot)).accepted; if (!accepted) { - secdebug("preauth", "%p needs to authenticate its subject", this); + secinfo("preauth", "%p needs to authenticate its subject", this); SourceValidationContext ctx(baseCtx); if (mSourceSubject->validates(ctx)) { - secdebug("preauth", "%p pre-authenticated", this); + secinfo("preauth", "%p pre-authenticated", this); accepted = true; } } diff --git a/OSX/libsecurity_cdsa_utilities/lib/acl_secret.cpp b/OSX/libsecurity_cdsa_utilities/lib/acl_secret.cpp index df678e2a..db73d9b7 100644 
--- a/OSX/libsecurity_cdsa_utilities/lib/acl_secret.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/acl_secret.cpp @@ -67,9 +67,9 @@ void SecretAclSubject::secret(const CssmData &s) const if (mCacheSecret) { mSecret = s; mSecretValid = true; - secdebug("aclsecret", "%p secret stored", this); + secinfo("aclsecret", "%p secret stored", this); } else - secdebug("aclsecret", "%p refused to store secret", this); + secinfo("aclsecret", "%p refused to store secret", this); } void SecretAclSubject::secret(CssmManagedData &s) const @@ -78,9 +78,9 @@ void SecretAclSubject::secret(CssmManagedData &s) const if (mCacheSecret) { mSecret = s; mSecretValid = true; - secdebug("aclsecret", "%p secret stored", this); + secinfo("aclsecret", "%p secret stored", this); } else - secdebug("aclsecret", "%p refused to store secret", this); + secinfo("aclsecret", "%p refused to store secret", this); } diff --git a/OSX/libsecurity_cdsa_utilities/lib/acl_threshold.cpp b/OSX/libsecurity_cdsa_utilities/lib/acl_threshold.cpp index 835a56be..7cccfa6d 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/acl_threshold.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/acl_threshold.cpp @@ -156,7 +156,7 @@ void ThresholdAclSubject::exportBlob(Writer &pub, Writer &priv) void ThresholdAclSubject::add(AclSubject *subject, unsigned beforePosition) { - secdebug("threshacl", "adding subject %p before position %u", + secinfo("threshacl", "adding subject %p before position %u", subject, beforePosition); elements.insert(elements.begin() + beforePosition, subject); totalSubjects++; diff --git a/OSX/libsecurity_cdsa_utilities/lib/aclsubject.h b/OSX/libsecurity_cdsa_utilities/lib/aclsubject.h index d7603184..77374ba3 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/aclsubject.h +++ b/OSX/libsecurity_cdsa_utilities/lib/aclsubject.h 
@@ -34,6 +34,7 @@ #include <security_utilities/globalizer.h> #include <security_utilities/memutils.h> #include <security_utilities/adornments.h> +#include <security_utilities/debugging_internal.h> #include <map> #include <set> #include <string> diff --git a/OSX/libsecurity_cdsa_utilities/lib/context.h b/OSX/libsecurity_cdsa_utilities/lib/context.h index f5eb57d7..d5e9532d 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/context.h +++ b/OSX/libsecurity_cdsa_utilities/lib/context.h @@ -244,7 +244,7 @@ void walk(Action &operate, CSSM_CONTEXT_ATTRIBUTE &attr) case CSSM_ATTRIBUTE_DATA_UINT32: break; default: - secdebug("walkers", "invalid attribute (%ux) in context", (unsigned)attr.AttributeType); + secinfo("walkers", "invalid attribute (%ux) in context", (unsigned)attr.AttributeType); break; } } diff --git a/OSX/libsecurity_cdsa_utilities/lib/cssmcred.cpp b/OSX/libsecurity_cdsa_utilities/lib/cssmcred.cpp index 44a31a05..5f877bbc 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/cssmcred.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/cssmcred.cpp @@ -92,7 +92,7 @@ bool AccessCredentials::authorizesUI() const { TypedList &sample = *it; if(!sample.isProper()) { - secdebugfunc("integrity", "found a non-proper sample, skipping..."); + secnotice("integrity", "found a non-proper sample, skipping..."); continue; } diff --git a/OSX/libsecurity_cdsa_utilities/lib/cssmdbname.cpp b/OSX/libsecurity_cdsa_utilities/lib/cssmdbname.cpp index 48706c99..b72c0d4f 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/cssmdbname.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/cssmdbname.cpp @@ -134,6 +134,7 @@ DbName & DbName::operator =(const DbName &other) { mDbName = other.mDbName; + mCanonicalName = other.mCanonicalName; mDbNameValid = other.mDbNameValid; if (other.mDbLocation) { diff --git a/OSX/libsecurity_cdsa_utilities/lib/cssmerrors.cpp b/OSX/libsecurity_cdsa_utilities/lib/cssmerrors.cpp index 0d0f7c29..301ced86 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/cssmerrors.cpp 
+++ b/OSX/libsecurity_cdsa_utilities/lib/cssmerrors.cpp @@ -29,6 +29,7 @@ #include <security_utilities/mach++.h> #include <Security/cssmapple.h> #include <Security/SecBase.h> +#include <Security/SecBasePriv.h> namespace Security { @@ -36,12 +37,16 @@ namespace Security { CssmError::CssmError(CSSM_RETURN err) : error(err) { SECURITY_EXCEPTION_THROW_CSSM(this, err); + + snprintf(whatBuffer, whatBufferSize, "CSSM Exception: %d %s", err, cssmErrorString(err)); + secnotice("security_exception", "%s", what()); + LogBacktrace(); } const char *CssmError::what() const throw () { - return "CSSM exception"; + return whatBuffer; } diff --git a/OSX/libsecurity_cdsa_utilities/lib/cssmlist.h b/OSX/libsecurity_cdsa_utilities/lib/cssmlist.h index 6506b0df..40f77b76 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/cssmlist.h +++ b/OSX/libsecurity_cdsa_utilities/lib/cssmlist.h @@ -29,6 +29,7 @@ #define _H_CSSMLIST #include <security_utilities/utilities.h> +#include <security_utilities/debugging.h> #include <security_cdsa_utilities/cssmalloc.h> #include <security_cdsa_utilities/cssmwalkers.h> @@ -207,7 +208,7 @@ ListElement *walk(Action &operate, ListElement * &elem) case CSSM_LIST_ELEMENT_WORDID: break; default: - secdebug("walkers", "invalid list element type (%ux)", (unsigned)elem->type()); + secinfo("walkers", "invalid list element type (%ux)", (unsigned)elem->type()); break; } if (elem->next()) diff --git a/OSX/libsecurity_cdsa_utilities/lib/db++.cpp b/OSX/libsecurity_cdsa_utilities/lib/db++.cpp index 94874b5a..8f48c05e 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/db++.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/db++.cpp @@ -57,7 +57,7 @@ void UnixDb::open(const char *path, int flags, int mode, DBTYPE type) close(); mDb = newDb; setFd(mDb->fd(mDb)); - secdebug("unixdb", "open(%s,0x%x,0x%x,type=%d)=%p", path, flags, mode, type, mDb); + secnotice("unixdb", "open(%s,0x%x,0x%x,type=%d)=%p", path, flags, mode, type, mDb); } else UnixError::throwMe(); } 
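Review bot: The new `snprintf(whatBuffer, whatBufferSize, "CSSM Exception: %d %s", err, cssmErrorString(err))` formats `err` with `%d`, but `CSSM_RETURN` is an unsigned 32-bit type in the CDSA headers, so `%u` (or `%#x`, matching how CSSM codes are usually quoted) avoids the signed/unsigned format mismatch and prints large codes correctly. If `cssmErrorString()` can return NULL for an unknown code (not visible here), the `%s` argument needs a fallback such as `str ? str : "unknown"` before it reaches snprintf. Calling `secnotice` plus `LogBacktrace()` from the constructor means every CssmError that is constructed, including any used for routine control flow by callers that throw and catch them, now emits a backtrace at notice level, which is costly and floods the log; consider gating the backtrace behind a debug setting. `whatBuffer` and `whatBufferSize` are presumably declared in the class header, which is not part of this diff.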
@@ -70,7 +70,7 @@ void UnixDb::open(const std::string &path, int flags, int mode, DBTYPE type) void UnixDb::close() { if (mDb) { - secdebug("unixdb", "close(%p)", mDb); + secnotice("unixdb", "close(%p)", mDb); mDb->close(mDb); mDb = NULL; setFd(invalidFd); @@ -82,7 +82,7 @@ bool UnixDb::get(const CssmData &key, CssmData &value, int flags) const Data dKey(key); Data val; int rc = mDb->get(mDb, &dKey, &val, flags); - secdebug("unixdb", "get(%p,[:%ld],flags=0x%x)=%d[:%ld]", + secnotice("unixdb", "get(%p,[:%ld],flags=0x%x)=%d[:%ld]", mDb, key.length(), flags, rc, value.length()); checkError(rc); if (!rc) { @@ -107,7 +107,7 @@ bool UnixDb::put(const CssmData &key, const CssmData &value, int flags) Data dKey(key); Data dValue(value); int rc = mDb->put(mDb, &dKey, &dValue, flags); - secdebug("unixdb", "put(%p,[:%ld],[:%ld],flags=0x%x)=%d", + secnotice("unixdb", "put(%p,[:%ld],[:%ld],flags=0x%x)=%d", mDb, key.length(), value.length(), flags, rc); checkError(rc); return !rc; @@ -116,7 +116,7 @@ bool UnixDb::put(const CssmData &key, const CssmData &value, int flags) void UnixDb::erase(const CssmData &key, int flags) { Data dKey(key); - secdebug("unixdb", "delete(%p,[:%ld],flags=0x%x)", mDb, key.length(), flags); + secnotice("unixdb", "delete(%p,[:%ld],flags=0x%x)", mDb, key.length(), flags); checkError(mDb->del(mDb, &dKey, flags)); } diff --git a/OSX/libsecurity_cdsa_utilities/lib/handletemplates_defs.h b/OSX/libsecurity_cdsa_utilities/lib/handletemplates_defs.h index 1d365838..c815840f 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/handletemplates_defs.h +++ b/OSX/libsecurity_cdsa_utilities/lib/handletemplates_defs.h 
@@ -78,7 +78,7 @@ void MappingHandle<_Handle>::make() _Handle handle = hbase ^ state().nextSeq(); if (!state().handleInUse(handle)) { // assumes sizeof(unsigned long) >= sizeof(handle) - secdebug("handleobj", "create %#lx for %p", static_cast<unsigned long>(handle), this); + secinfo("handleobj", "create %#lx for %p", static_cast<unsigned long>(handle), this); TypedHandle<_Handle>::setHandle(handle); state().add(handle, this); return; diff --git a/OSX/libsecurity_cdsa_utilities/lib/objectacl.cpp b/OSX/libsecurity_cdsa_utilities/lib/objectacl.cpp index 90f8d484..91cecb6d 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/objectacl.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/objectacl.cpp @@ -116,7 +116,7 @@ bool ObjectAcl::validates(AclValidationContext &ctx) pair<EntryMap::const_iterator, EntryMap::const_iterator> range; if (getRange(ctx.s_credTag(), range) == 0) { // no such tag - secdebugfunc("SecAccess", "no tag for cred tag: \"%s\"", ctx.s_credTag().c_str()); + secinfo("SecAccess", "no tag for cred tag: \"%s\"", ctx.s_credTag().c_str()); CssmError::throwMe(CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND); } // try each entry in turn 
@@ -249,14 +249,14 @@ unsigned int ObjectAcl::getRange(const std::string &tag, pair<EntryMap::const_iterator, EntryMap::const_iterator> &range, bool tolerant /* = false */) const { if (!tag.empty()) { // tag restriction in effect - secdebugfunc("SecAccess", "looking for ACL entries matching tag: \"%s\"", tag.c_str()); + secinfo("SecAccess", "looking for ACL entries matching tag: \"%s\"", tag.c_str()); range = mEntries.equal_range(tag); unsigned int count = (unsigned int)mEntries.count(tag); if (count == 0 && !tolerant) CssmError::throwMe(CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND); return count; } else { // try all tags - secdebugfunc("SecAccess", "no tag given; looking for all ACL entries"); + secinfo("SecAccess", "no tag given; looking for all ACL entries"); range.first = mEntries.begin(); range.second = mEntries.end(); return (unsigned int)mEntries.size(); @@ -283,12 +283,12 @@ void ObjectAcl::cssmGetAcl(const char *tag, uint32 &count, AclEntryInfo * &acls) acls = allocator.alloc<AclEntryInfo>(count); uint32 n = 0; - secdebugfunc("SecAccess", "getting the ACL for %p (%d entries) tag: %s", this, count, tag ? tag : "<none>"); + secinfo("SecAccess", "getting the ACL for %p (%d entries) tag: %s", this, count, tag ? tag : "<none>"); for (EntryMap::const_iterator it = range.first; it != range.second; it++, n++) { acls[n].EntryHandle = it->second.handle; it->second.toEntryInfo(acls[n].EntryPublicInfo, allocator); - secdebugfunc("SecAccess", "found an entry of type %d", acls[n].EntryPublicInfo.TypedSubject.Head->WordID); + secinfo("SecAccess", "found an entry of type %d", acls[n].EntryPublicInfo.TypedSubject.Head->WordID); } count = n; } 
@@ -307,45 +307,47 @@ void ObjectAcl::cssmChangeAcl(const AclEdit &edit, // what is Thy wish, effendi? switch (edit.EditMode) { case CSSM_ACL_EDIT_MODE_ADD: { - secdebugfunc("SecAccess", "adding ACL for %p (%d) while preserving: %s", this, edit.handle(), preserveTag); + secinfo("SecAccess", "adding ACL for %p (%ld) while preserving: %s", this, edit.handle(), preserveTag); const AclEntryInput &input = Required(edit.newEntry()); if (preserveTag && input.proto().s_tag() == preserveTag) MacOSError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED); add(input.proto().s_tag(), input.proto()); - secdebugfunc("SecAccess", "subject type is %d", input.proto().TypedSubject.Head->WordID); + secinfo("SecAccess", "subject type is %d", input.proto().TypedSubject.Head->WordID); } break; case CSSM_ACL_EDIT_MODE_REPLACE: { - secdebugfunc("SecAccess", "replacing ACL for %p (%d to %d) while preserving: %s", this, edit.handle(), edit.newEntry(), preserveTag); + secinfo("SecAccess", "replacing ACL for %p (%ld to %p) while preserving: %s", this, edit.handle(), edit.newEntry(), preserveTag); // keep the handle, and try for some modicum of atomicity EntryMap::iterator it = findEntryHandle(edit.handle()); if (preserveTag && it->second.tag == preserveTag) MacOSError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED); AclEntryPrototype proto2; it->second.toEntryInfo(proto2, allocator); - secdebugfunc("SecAccess", "subject type was %d", proto2.TypedSubject.Head->WordID); + secinfo("SecAccess", "subject type was %d", proto2.TypedSubject.Head->WordID); + DataWalkers::chunkFree(proto2, allocator); AclEntryPrototype proto = Required(edit.newEntry()).proto(); // (bypassing callbacks) add(proto.s_tag(), proto, edit.handle()); - secdebugfunc("SecAccess", "new subject type is %d", proto.TypedSubject.Head->WordID); + secinfo("SecAccess", "new subject type is %d", proto.TypedSubject.Head->WordID); mEntries.erase(it); } break; case CSSM_ACL_EDIT_MODE_DELETE: { - secdebugfunc("SecAccess", "deleting ACL for %p (%d) 
while preserving: %s", this, edit.handle(), preserveTag); + secinfo("SecAccess", "deleting ACL for %p (%ld) while preserving: %s", this, edit.handle(), preserveTag); EntryMap::iterator it = findEntryHandle(edit.handle()); if (preserveTag && it->second.tag == preserveTag) MacOSError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED); AclEntryPrototype proto; it->second.toEntryInfo(proto, allocator); - secdebugfunc("SecAccess", "subject type was %d", proto.TypedSubject.Head->WordID); + secinfo("SecAccess", "subject type was %d", proto.TypedSubject.Head->WordID); + DataWalkers::chunkFree(proto, allocator); mEntries.erase(it); break; } default: - secdebugfunc("SecAccess", "no idea what this CSSM_ACL_EDIT type is: %d", edit.EditMode); + secinfo("SecAccess", "no idea what this CSSM_ACL_EDIT type is: %d", edit.EditMode); CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_EDIT_MODE); } @@ -361,7 +363,7 @@ void ObjectAcl::cssmGetOwner(AclOwnerPrototype &outOwner) outOwner.TypedSubject = mOwner.subject->toList(allocator); outOwner.Delegate = mOwner.delegate; - secdebugfunc("SecAccess", "%p: getting the owner ACL: type %d", this, outOwner.TypedSubject.Head->WordID); + secinfo("SecAccess", "%p: getting the owner ACL: type %d", this, outOwner.TypedSubject.Head->WordID); } void ObjectAcl::cssmChangeOwner(const AclOwnerPrototype &newOwner, @@ -377,7 +379,7 @@ void ObjectAcl::cssmChangeOwner(const AclOwnerPrototype &newOwner, // okay, replace it mOwner = newOwner; - secdebugfunc("SecAccess", "%p: new owner's type is %d", this, newOwner.subject().Head->WordID); + secinfo("SecAccess", "%p: new owner's type is %d", this, newOwner.subject().Head->WordID); changedAcl(); @@ -420,7 +422,7 @@ void ObjectAcl::clear() { mOwner = OwnerEntry(); mEntries.erase(mEntries.begin(), mEntries.end()); - secdebug("acl", "%p cleared", this); + secinfo("acl", "%p cleared", this); } 
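Review bot: The switch to `%ld` for `edit.handle()` in the ADD, REPLACE and DELETE traces assumes the handle is exactly `long`; if edit.handle() returns CSSM_ACL_HANDLE, that is CSSM_INTPTR (intptr_t) underneath, which is `long` only on LP64, so `(long)edit.handle()` with the same conversion keeps -Wformat quiet on every architecture — relevant now that this commit enables GCC_TREAT_WARNINGS_AS_ERRORS for this project (handletemplates_defs.h already casts to unsigned long for the same reason). In the REPLACE and DELETE cases `it->second` is read right after `findEntryHandle(edit.handle())` without comparing `it` against `mEntries.end()`; if findEntryHandle reports a missing handle by returning end() rather than throwing, that read is undefined behaviour — the callee is outside the hunk, so a one-line comment stating which it does would settle it. The new `DataWalkers::chunkFree(proto2, allocator)` and `DataWalkers::chunkFree(proto, allocator)` calls close the leak of the `toEntryInfo` copies, but in DELETE the copy exists only to log `proto.TypedSubject.Head->WordID`; a comment such as `// copy made only to trace the subject type; released immediately` would explain the allocate/free pair.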
diff --git a/OSX/libsecurity_cdsa_utilities/lib/osxverifier.cpp b/OSX/libsecurity_cdsa_utilities/lib/osxverifier.cpp index 3bf4520b..6075df06 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/osxverifier.cpp +++ b/OSX/libsecurity_cdsa_utilities/lib/osxverifier.cpp @@ -43,17 +43,17 @@ namespace Security { OSXVerifier::OSXVerifier(OSXCode *code) { mPath = code->canonicalPath(); - secdebug("codesign", "building verifier for %s", mPath.c_str()); + secinfo("codesign", "building verifier for %s", mPath.c_str()); // build new-style verifier CFRef<SecStaticCodeRef> staticCode = code->codeRef(); switch (OSStatus rc = SecCodeCopyDesignatedRequirement(staticCode, kSecCSDefaultFlags, &mRequirement.aref())) { case errSecSuccess: - secdebug("codesign", " is signed; canonical requirement loaded"); + secinfo("codesign", " is signed; canonical requirement loaded"); break; case errSecCSUnsigned: - secdebug("codesign", " is unsigned; no requirement"); + secinfo("codesign", " is unsigned; no requirement"); break; default: MacOSError::throwMe(rc); @@ -61,7 +61,7 @@ OSXVerifier::OSXVerifier(OSXCode *code) // build old-style verifier makeLegacyHash(code, mLegacyHash); - secdebug("codesign", " hash generated"); + secinfo("codesign", " hash generated"); } @@ -72,7 +72,7 @@ OSXVerifier::OSXVerifier(OSXCode *code) OSXVerifier::OSXVerifier(const SHA1::Byte *hash, const std::string &path) : mPath(path) { - secdebug("codesign", "building verifier from hash %p and path=%s", hash, path.c_str()); + secinfo("codesign", "building verifier from hash %p and path=%s", hash, path.c_str()); if (hash) memcpy(mLegacyHash, hash, sizeof(mLegacyHash)); else @@ -82,7 +82,7 @@ OSXVerifier::OSXVerifier(const SHA1::Byte *hash, const std::string &path) OSXVerifier::~OSXVerifier() { - secdebug("codesign", "%p verifier destroyed", this); + secinfo("codesign", "%p verifier destroyed", this); } 
@@ -94,15 +94,15 @@ void OSXVerifier::add(const BlobCore *blob) { if (blob->is<Requirement>()) { #if defined(NDEBUG) - secdebug("codesign", "%p verifier adds requirement", this); + secinfo("codesign", "%p verifier adds requirement", this); #else - secdebug("codesign", "%p verifier adds requirement %s", this, + secinfo("codesign", "%p verifier adds requirement %s", this, Dumper::dump(Requirement::specific(blob), true).c_str()); #endif //NDEBUG MacOSError::check(SecRequirementCreateWithData(CFTempData(*blob), kSecCSDefaultFlags, &mRequirement.aref())); } else { - secdebug("codesign", "%p verifier adds blob (0x%x,%zd)", + secinfo("codesign", "%p verifier adds blob (0x%x,%zd)", this, blob->magic(), blob->length()); BlobCore * &slot = mAuxiliary[blob->magic()]; if (slot) @@ -124,7 +124,7 @@ const BlobCore *OSXVerifier::find(BlobCore::Magic magic) void OSXVerifier::makeLegacyHash(OSXCode *code, SHA1::Digest digest) { - secdebug("codesign", "calculating legacy hash for %s", code->canonicalPath().c_str()); + secinfo("codesign", "calculating legacy hash for %s", code->canonicalPath().c_str()); UnixPlusPlus::AutoFileDesc fd(code->executablePath(), O_RDONLY); char buffer[legacyHashLimit]; size_t size = fd.read(buffer, legacyHashLimit); diff --git a/OSX/libsecurity_cdsa_utilities/lib/walkers.h b/OSX/libsecurity_cdsa_utilities/lib/walkers.h index b8fcb598..4ea7884e 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/walkers.h +++ b/OSX/libsecurity_cdsa_utilities/lib/walkers.h @@ -56,7 +56,7 @@ namespace DataWalkers { #if WALKERDEBUG -# define DEBUGWALK(who) secdebug("walkers", "walk " who " %s@%p (%ld)", \ +# define DEBUGWALK(who) secinfo("walkers", "walk " who " %s@%p (%ld)", \ Debug::typeName(addr).c_str(), addr, size) #else # define DEBUGWALK(who) /* nothing */ 
@@ -316,7 +316,7 @@ void chunkFree(T *obj, Allocator &alloc = Allocator::standard()) } template <class T> -void chunkFree(const T &obj, Allocator &alloc = Allocator::standard()) +void chunkFree(T &obj, Allocator &alloc = Allocator::standard()) { ChunkFreeWalker w(alloc); walk(w, obj); diff --git a/OSX/libsecurity_cdsa_utilities/libsecurity_cdsa_utilities.xcodeproj/project.pbxproj b/OSX/libsecurity_cdsa_utilities/libsecurity_cdsa_utilities.xcodeproj/project.pbxproj index fc8b8afa..f172ab63 100644 --- a/OSX/libsecurity_cdsa_utilities/libsecurity_cdsa_utilities.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_cdsa_utilities/libsecurity_cdsa_utilities.xcodeproj/project.pbxproj 
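Review bot: Dropping `const` from the `chunkFree(T &obj, ...)` overload is a source-level break for any caller that passes a const object or a temporary, and the hunk gives no comment for why the non-const reference is needed (the new callers in objectacl.cpp pass non-const locals, which the `const T &` version also accepted). If, as the name suggests, the walk releases the chunks reachable from the object and leaves its pointers dangling, the non-const signature is the honest one, and a comment above the template — `// Frees every chunk reachable from obj; obj's pointers are dangling afterwards and must not be used` — would record both the contract and the reason for the change. The function's closing brace is outside the hunk.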
@@ -167,7 +167,7 @@ 4CF64CFB052A3278008ED0EA /* cssmalloc.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cssmalloc.h; sourceTree = "<group>"; }; 4CF64CFC052A3278008ED0EA /* cssmcert.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = cssmcert.cpp; sourceTree = "<group>"; }; 4CF64CFD052A3278008ED0EA /* cssmcert.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cssmcert.h; sourceTree = "<group>"; }; - 4CF64CFE052A3278008ED0EA /* cssmcred.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = cssmcred.cpp; sourceTree = "<group>"; }; + 4CF64CFE052A3278008ED0EA /* cssmcred.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = cssmcred.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CF64CFF052A3278008ED0EA /* cssmcred.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cssmcred.h; sourceTree = "<group>"; }; 4CF64D00052A3278008ED0EA /* cssmdata.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = cssmdata.cpp; sourceTree = "<group>"; }; 4CF64D01052A3278008ED0EA /* cssmdata.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cssmdata.h; sourceTree = "<group>"; }; 
@@ -207,7 +207,7 @@ C2371E3F06DD3E5E00E15E6F /* acl_preauth.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = acl_preauth.h; sourceTree = "<group>"; }; C2BFD03006E6CDFE0047EA99 /* aclsubject.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = aclsubject.cpp; sourceTree = "<group>"; }; C2BFD03106E6CDFE0047EA99 /* aclsubject.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = aclsubject.h; sourceTree = "<group>"; }; - C2BFD03206E6CDFE0047EA99 /* objectacl.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = objectacl.cpp; sourceTree = "<group>"; }; + C2BFD03206E6CDFE0047EA99 /* objectacl.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = objectacl.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2BFD03306E6CDFE0047EA99 /* objectacl.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = objectacl.h; sourceTree = "<group>"; }; C2BFD05A06E6D0560047EA99 /* acl_secret.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = acl_secret.cpp; sourceTree = "<group>"; }; C2BFD05B06E6D0560047EA99 /* acl_secret.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = acl_secret.h; sourceTree = "<group>"; }; @@ -456,7 +456,6 @@ buildRules = ( ); dependencies = ( - 182BB4F1146F2734000BF1F3 /* PBXTargetDependency */, 4CFF43000535E5E900638F31 /* PBXTargetDependency */, ); name = libsecurity_cdsa_utilities; 
@@ -486,7 +485,7 @@ 4CA2A5330523D2CD00978A7B /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD2FA0987FCDD001272E0 /* Build configuration list for PBXProject "libsecurity_cdsa_utilities" */; compatibilityVersion = "Xcode 3.2"; @@ -532,18 +531,27 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/", + "$(SRCROOT)/lib/", ); outputPaths = ( + "${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "nmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + shellScript = "# with our source directories as input files, Xcode will only re-run this phase if there's been a source change\nnmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; }; 4CFF42FC0535E5B100638F31 /* ShellScript */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 2147483647; files = ( ); + inputPaths = ( + "$(SRCROOT)/lib/KeySchema.m4", + ); + outputPaths = ( + $BUILT_PRODUCTS_DIR/derived_src/KeySchema.cpp, + ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; shellScript = "TARGET=$BUILT_PRODUCTS_DIR/derived_src/KeySchema.cpp\nmkdir -p $BUILT_PRODUCTS_DIR/derived_src\n/usr/bin/m4 lib/KeySchema.m4 > $TARGET.new\ncmp -s $TARGET.new $TARGET || mv $TARGET.new $TARGET\nTARGET=$BUILT_PRODUCTS_DIR/derived_src/Schema.cpp\n/usr/bin/m4 lib/Schema.m4 > $TARGET.new\ncmp -s $TARGET.new $TARGET || mv $TARGET.new $TARGET"; 
@@ -653,12 +661,16 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1879B516146DD045007E536C /* debug.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_TESTABILITY = YES; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -666,11 +678,13 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1879B518146DD045007E536C /* release.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; }; name = Release; diff --git a/OSX/libsecurity_cdsa_utils/lib/cuDbUtils.cpp b/OSX/libsecurity_cdsa_utils/lib/cuDbUtils.cpp index 9e8f65a0..0a822a4b 100644 --- a/OSX/libsecurity_cdsa_utils/lib/cuDbUtils.cpp +++ b/OSX/libsecurity_cdsa_utils/lib/cuDbUtils.cpp @@ -189,7 +189,7 @@ CSSM_RETURN cuAddCrlToDb( CSSM_DL_DB_HANDLE dlDbHand, CSSM_CL_HANDLE clHand, const CSSM_DATA *crl, - const CSSM_DATA *URI) // optional + const CSSM_DATA *URI) { CSSM_DB_ATTRIBUTE_DATA attrs[MAX_CRL_ATTRS]; CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs; 
@@ -376,7 +376,20 @@ CSSM_RETURN cuAddCrlToDb( attr->NumberOfValues = 1; attr->Value = &nextUpdateData; attr++; - + + /* ensure URI string does not contain NULL */ + attrUri = *URI; + if((attrUri.Length != 0) && + (attrUri.Data[attrUri.Length - 1] == 0)) { + attrUri.Length--; + } + attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING; + attr->Info.Label.AttributeName = (char*) "URI"; + attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB; + attr->NumberOfValues = 1; + attr->Value = &attrUri; + attr++; + /* now the optional attributes */ if(crlNumberPresent) { attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING; @@ -394,20 +407,6 @@ CSSM_RETURN cuAddCrlToDb( attr->Value = &deltaCrlNumberData; attr++; } - if(URI) { - /* ensure URI string does not contain NULL */ - attrUri = *URI; - if((attrUri.Length != 0) && - (attrUri.Data[attrUri.Length - 1] == 0)) { - attrUri.Length--; - } - attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING; - attr->Info.Label.AttributeName = (char*) "URI"; - attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB; - attr->NumberOfValues = 1; - attr->Value = &attrUri; - attr++; - } recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_X509_CRL; recordAttrs.SemanticInformation = 0; recordAttrs.NumberOfAttributes = (uint32)(attr - attrs); diff --git a/OSX/libsecurity_cdsa_utils/lib/cuDbUtils.h b/OSX/libsecurity_cdsa_utils/lib/cuDbUtils.h index c2c0d76d..07f0febd 100644 --- a/OSX/libsecurity_cdsa_utils/lib/cuDbUtils.h +++ b/OSX/libsecurity_cdsa_utils/lib/cuDbUtils.h @@ -51,7 +51,7 @@ CSSM_RETURN cuAddCrlToDb( CSSM_DL_DB_HANDLE dlDbHand, CSSM_CL_HANDLE clHand, const CSSM_DATA *crl, - const CSSM_DATA *URI); // optional + const CSSM_DATA *URI); /* * Search DB for all records of type CRL or cert, calling appropriate diff --git a/OSX/libsecurity_cdsa_utils/lib/cuFileIo.c b/OSX/libsecurity_cdsa_utils/lib/cuFileIo.c index b6181543..7b14cd29 100644 --- a/OSX/libsecurity_cdsa_utils/lib/cuFileIo.c 
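Review bot: With the URI attribute block moved out of `if(URI)`, `attrUri = *URI;` now dereferences the pointer unconditionally, but nothing rejects a NULL `URI`; the cuDbUtils.h hunk drops the `// optional` comment yet the prototype still accepts any pointer, so a caller built against the old contract gets a null dereference instead of an error. A guard near the top of cuAddCrlToDb, `if(URI == NULL) { return CSSMERR_CSSM_INVALID_POINTER; }`, together with a header comment such as `/* URI: required, must not be NULL */`, makes the new contract explicit and checkable. The `attrUri.Data[attrUri.Length - 1]` read likewise trusts that `Data` is non-NULL whenever `Length` is non-zero. The rest of cuAddCrlToDb lies outside these hunks.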
+++ b/OSX/libsecurity_cdsa_utils/lib/cuFileIo.c @@ -32,9 +32,18 @@ #include "cuFileIo.h" int writeFile( + const char *fileName, + const unsigned char *bytes, + unsigned numBytes) +{ + size_t n = numBytes; + return writeFileSizet(fileName, bytes, n); +} + +int writeFileSizet( const char *fileName, const unsigned char *bytes, - unsigned numBytes) + size_t numBytes) { int rtn; int fd; diff --git a/OSX/libsecurity_cdsa_utils/lib/cuFileIo.h b/OSX/libsecurity_cdsa_utils/lib/cuFileIo.h index c02fdbde..44ecc853 100644 --- a/OSX/libsecurity_cdsa_utils/lib/cuFileIo.h +++ b/OSX/libsecurity_cdsa_utils/lib/cuFileIo.h @@ -22,6 +22,8 @@ Description: simple file read/write utilities */ +#include <stddef.h> + #ifdef __cplusplus extern "C" { #endif @@ -36,6 +38,11 @@ int writeFile( const unsigned char *bytes, unsigned numBytes); +int writeFileSizet( + const char *fileName, + const unsigned char *bytes, + size_t numBytes); + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cdsa_utils/libsecurity_cdsa_utils.xcodeproj/project.pbxproj b/OSX/libsecurity_cdsa_utils/libsecurity_cdsa_utils.xcodeproj/project.pbxproj index ce22fcc4..8bda508b 100644 --- a/OSX/libsecurity_cdsa_utils/libsecurity_cdsa_utils.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_cdsa_utils/libsecurity_cdsa_utils.xcodeproj/project.pbxproj @@ -157,7 +157,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3080987FCDE001272E0 /* Build configuration list for PBXProject "libsecurity_cdsa_utils" */; compatibilityVersion = "Xcode 3.2"; 
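Review bot: The new `writeFile` wrapper copies `numBytes` into a separate `size_t n` before the call; the widening happens implicitly at the call site anyway, so `return writeFileSizet(fileName, bytes, numBytes);` says the same thing in one line. The `writeFileSizet` prototype added to cuFileIo.h carries no comment on its return convention or on how a count larger than a single write(2) accepts is handled; the body continues outside the hunk, so that cannot be checked here, and a header comment stating the return value convention, taken from the implementation, would let callers use the size_t variant without reading it. The `rtn`/`fd` locals suggest the implementation below manages its own descriptor; confirm the partial-write loop, if any, uses size_t arithmetic.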
@@ -183,12 +183,15 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/", + "$(SRCROOT)/lib/", ); outputPaths = ( + "${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "nmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + shellScript = "# with our source directories as input files, Xcode will only re-run this phase if there's been a source change\nnmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; }; /* End PBXShellScriptBuildPhase section */ @@ -235,12 +238,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1879B51D146DD04F007E536C /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -248,12 +260,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1879B51D146DD04F007E536C /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; 
diff --git a/OSX/libsecurity_checkpw/libsecurity_checkpw.xcodeproj/project.pbxproj b/OSX/libsecurity_checkpw/libsecurity_checkpw.xcodeproj/project.pbxproj index 97fd1682..7bc90be2 100644 --- a/OSX/libsecurity_checkpw/libsecurity_checkpw.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_checkpw/libsecurity_checkpw.xcodeproj/project.pbxproj @@ -12,7 +12,6 @@ 1C6C402A1121FC0C00031CDE /* libsecurity_checkpw.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CA1FEBE052A3C8100F22E42 /* libsecurity_checkpw.a */; }; 1CB7B4C411065DDB003458C5 /* libsecurity_checkpw.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CA1FEBE052A3C8100F22E42 /* libsecurity_checkpw.a */; }; 1CD90B71110111A4008DD07F /* test-checkpw.c in Sources */ = {isa = PBXBuildFile; fileRef = 1CD90B631101115E008DD07F /* test-checkpw.c */; }; - 1CD90B90110112DD008DD07F /* libpam.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 1CD90B8F110112DD008DD07F /* libpam.dylib */; }; 1CD90BA2110113AE008DD07F /* libpam.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 1CD90B8F110112DD008DD07F /* libpam.dylib */; }; 4CCF8664052A491D00F2E8D8 /* checkpw.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CCF8662052A491D00F2E8D8 /* checkpw.c */; }; 4CF36F400581369C00834D11 /* checkpw.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CCF8663052A491D00F2E8D8 /* checkpw.h */; settings = {ATTRIBUTES = (); }; }; @@ -74,7 +73,6 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - 1CD90B90110112DD008DD07F /* libpam.dylib in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -205,7 +203,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3160987FCDE001272E0 /* Build configuration list for PBXProject "libsecurity_checkpw" */; compatibilityVersion = "Xcode 3.2"; 
@@ -332,12 +330,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1844616D146E966100B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -345,12 +352,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1844616D146E966100B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_cms/lib/CMSEncoder.cpp b/OSX/libsecurity_cms/lib/CMSEncoder.cpp index 4055192a..fd320aca 100644 --- a/OSX/libsecurity_cms/lib/CMSEncoder.cpp +++ b/OSX/libsecurity_cms/lib/CMSEncoder.cpp @@ -444,7 +444,6 @@ static OSStatus cmsSetupForSignedData( numSigners = CFArrayGetCount(cmsEncoder->signers); } CFIndex dex; - SecKeychainRef ourKc = NULL; SecCertificateRef ourCert = NULL; SecCmsCertChainMode chainMode = SecCmsCMCertChain; 
@@ -471,11 +470,6 @@ static OSStatus cmsSetupForSignedData( CSSM_PERROR("SecIdentityCopyCertificate", ortn); break; } - ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)ourCert, &ourKc); - if(ortn) { - CSSM_PERROR("SecKeychainItemCopyKeychain", ortn); - break; - } signerInfo = SecCmsSignerInfoCreate(cmsEncoder->cmsMsg, ourId, cmsEncoder->digestalgtag); if (signerInfo == NULL) { ortn = errSecInternalComponent; @@ -502,7 +496,7 @@ static OSStatus cmsSetupForSignedData( } } if(cmsEncoder->signedAttributes & kCMSAttrSmimeEncryptionKeyPrefs) { - ortn = SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerInfo, ourCert, ourKc); + ortn = SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerInfo, ourCert, NULL); if(ortn) { ortn = cmsRtnToOSStatus(ortn); CSSM_PERROR("SecCmsSignerInfoAddSMIMEEncKeyPrefs", ortn); @@ -510,7 +504,7 @@ static OSStatus cmsSetupForSignedData( } } if(cmsEncoder->signedAttributes & kCMSAttrSmimeMSEncryptionKeyPrefs) { - ortn = SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerInfo, ourCert, ourKc); + ortn = SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerInfo, ourCert, NULL); if(ortn) { ortn = cmsRtnToOSStatus(ortn); CSSM_PERROR("SecCmsSignerInfoAddMSSMIMEEncKeyPrefs", ortn); @@ -545,13 +539,10 @@ static OSStatus cmsSetupForSignedData( break; } - CFRELEASE(ourKc); CFRELEASE(ourCert); - ourKc = NULL; ourCert = NULL; } if(ortn) { - CFRELEASE(ourKc); CFRELEASE(ourCert); } return ortn; diff --git a/OSX/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj b/OSX/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj index 8900beec..41a286c5 100644 --- a/OSX/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj 
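Review bot: Passing `NULL` in place of `ourKc` to SecCmsSignerInfoAddSMIMEEncKeyPrefs and SecCmsSignerInfoAddMSSMIMEEncKeyPrefs changes behaviour in two ways the hunks do not record: signing no longer fails when the signer certificate is not keychain-resident (the removed SecKeychainItemCopyKeychain error path), and the callee must now locate the encryption-preference certificate without a keychain hint. A comment at the first call site — `// keychain intentionally NULL: <state what the callee falls back to>` — filled in from the callee's behaviour, would keep the parameter from being reintroduced. The call sites sit inside a loop whose start is outside the hunk.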
@@ -14,6 +14,8 @@ 052C07F709894AF300E7641D /* CMSDecoder.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 052C07F409894AF300E7641D /* CMSDecoder.cpp */; }; 052C07F809894AF300E7641D /* CMSEncoder.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 052C07F509894AF300E7641D /* CMSEncoder.cpp */; }; 052C07F909894AF300E7641D /* CMSUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 052C07F609894AF300E7641D /* CMSUtils.cpp */; }; + D43B9E7E1D064F0B00B9DDDA /* cms-trust-settings-test.c in Sources */ = {isa = PBXBuildFile; fileRef = D43B9E7C1D064F0B00B9DDDA /* cms-trust-settings-test.c */; }; + D43B9E7F1D064F0B00B9DDDA /* cms-trust-settings-test.h in Headers */ = {isa = PBXBuildFile; fileRef = D43B9E7D1D064F0B00B9DDDA /* cms-trust-settings-test.h */; }; D4C334601BE2A2B900D8C1EF /* cms_regressions.h in Headers */ = {isa = PBXBuildFile; fileRef = D4C334571BE29F5200D8C1EF /* cms_regressions.h */; }; D4C334631BE2A31200D8C1EF /* cms-hashagility-test.c in Sources */ = {isa = PBXBuildFile; fileRef = D4C334611BE2A31200D8C1EF /* cms-hashagility-test.c */; }; D4C334641BE2A31200D8C1EF /* cms-hashagility-test.h in Headers */ = {isa = PBXBuildFile; fileRef = D4C334621BE2A31200D8C1EF /* cms-hashagility-test.h */; }; 
@@ -33,6 +35,8 @@ 1844617A146E984400B12992 /* release.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = release.xcconfig; sourceTree = "<group>"; }; 4CA1FEBE052A3C8100F22E42 /* libsecurity_cms.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libsecurity_cms.a; sourceTree = BUILT_PRODUCTS_DIR; }; 4CCB008B05800B0B00981D43 /* security_cms.exp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.exports; path = security_cms.exp; sourceTree = "<group>"; }; + D43B9E7C1D064F0B00B9DDDA /* cms-trust-settings-test.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "cms-trust-settings-test.c"; path = "regressions/cms-trust-settings-test.c"; sourceTree = "<group>"; }; + D43B9E7D1D064F0B00B9DDDA /* cms-trust-settings-test.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "cms-trust-settings-test.h"; path = "regressions/cms-trust-settings-test.h"; sourceTree = "<group>"; }; D4C334571BE29F5200D8C1EF /* cms_regressions.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = cms_regressions.h; path = regressions/cms_regressions.h; sourceTree = "<group>"; }; D4C3345C1BE2A2B100D8C1EF /* libsecurity_cms_regressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_cms_regressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; D4C334611BE2A31200D8C1EF /* cms-hashagility-test.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "cms-hashagility-test.c"; path = "regressions/cms-hashagility-test.c"; sourceTree = "<group>"; }; 
@@ -107,6 +111,8 @@ isa = PBXGroup; children = ( D4C334571BE29F5200D8C1EF /* cms_regressions.h */, + D43B9E7C1D064F0B00B9DDDA /* cms-trust-settings-test.c */, + D43B9E7D1D064F0B00B9DDDA /* cms-trust-settings-test.h */, D4C334611BE2A31200D8C1EF /* cms-hashagility-test.c */, D4C334621BE2A31200D8C1EF /* cms-hashagility-test.h */, ); @@ -131,6 +137,7 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + D43B9E7F1D064F0B00B9DDDA /* cms-trust-settings-test.h in Headers */, D4C334641BE2A31200D8C1EF /* cms-hashagility-test.h in Headers */, D4C334601BE2A2B900D8C1EF /* cms_regressions.h in Headers */, ); @@ -179,7 +186,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; TargetAttributes = { D4C3345B1BE2A2B100D8C1EF = { CreatedOnToolsVersion = 7.1; @@ -220,6 +227,7 @@ buildActionMask = 2147483647; files = ( D4C334631BE2A31200D8C1EF /* cms-hashagility-test.c in Sources */, + D43B9E7E1D064F0B00B9DDDA /* cms-trust-settings-test.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -246,13 +254,22 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18446179146E984400B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; 
@@ -260,13 +277,20 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18446179146E984400B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; @@ -276,13 +300,13 @@ ALWAYS_SEARCH_USER_PATHS = NO; CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; CLANG_CXX_LIBRARY = "libc++"; - CLANG_ENABLE_MODULES = YES; CLANG_ENABLE_OBJC_ARC = YES; CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; CLANG_WARN_UNREACHABLE_CODE = YES; CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES = YES; DEBUG_INFORMATION_FORMAT = dwarf; ENABLE_STRICT_OBJC_MSGSEND = YES; ENABLE_TESTABILITY = YES; @@ -312,13 +336,13 @@ ALWAYS_SEARCH_USER_PATHS = NO; CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; CLANG_CXX_LIBRARY = "libc++"; - CLANG_ENABLE_MODULES = YES; CLANG_ENABLE_OBJC_ARC = YES; CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; CLANG_WARN_UNREACHABLE_CODE = YES; CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES = YES; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; ENABLE_NS_ASSERTIONS = NO; ENABLE_STRICT_OBJC_MSGSEND = YES; diff --git a/OSX/libsecurity_cms/regressions/cms-hashagility-test.c b/OSX/libsecurity_cms/regressions/cms-hashagility-test.c index 3024ca49..03961272 100644 --- a/OSX/libsecurity_cms/regressions/cms-hashagility-test.c +++ b/OSX/libsecurity_cms/regressions/cms-hashagility-test.c 
@@ -56,6 +56,7 @@ static void encode_test(void) "Set digest algorithm to SHA256"); /* Load identity and set as signer */ + unlink(TMP_KEYCHAIN_PATH); ok_status(SecKeychainCreate(TMP_KEYCHAIN_PATH, 8, "password", false, NULL, &keychain), "Create keychain for identity"); ok(p12Data = CFDataCreate(NULL, signing_identity_p12, sizeof(signing_identity_p12)), diff --git a/OSX/libsecurity_cms/regressions/cms-hashagility-test.h b/OSX/libsecurity_cms/regressions/cms-hashagility-test.h index 24055e72..27bf5ee3 100644 --- a/OSX/libsecurity_cms/regressions/cms-hashagility-test.h +++ b/OSX/libsecurity_cms/regressions/cms-hashagility-test.h @@ -25,6 +25,7 @@ #define cms_hashagility_test_h #include <stdio.h> +#include <stdint.h> int cms_hash_agility_test(int argc, char *const *argv); diff --git a/OSX/libsecurity_cms/regressions/cms-trust-settings-test.c b/OSX/libsecurity_cms/regressions/cms-trust-settings-test.c new file mode 100644 index 00000000..84a7dbf9 --- /dev/null +++ b/OSX/libsecurity_cms/regressions/cms-trust-settings-test.c 
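Review bot: The added `unlink(TMP_KEYCHAIN_PATH);` ignores its result, so a stale keychain that cannot be removed (wrong owner, EACCES) only surfaces later as a less informative failure of `SecKeychainCreate`. Since the intent is to tolerate a missing file, distinguish that from a real error, e.g. `if (unlink(TMP_KEYCHAIN_PATH) != 0 && errno != ENOENT)` and report it through the test framework, and add a one-line comment saying the file may be left over from an aborted earlier run. `unlink` and `errno` need `<unistd.h>` and `<errno.h>`, which are not visible in this hunk, so confirm they are included. encode_test's body continues outside the hunk.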
@@ -0,0 +1,127 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include <AssertMacros.h> + +#include <utilities/SecCFRelease.h> + +#include <Security/SecBase.h> +#include <Security/SecImportExport.h> +#include <Security/SecKeychain.h> +#include <Security/SecCertificatePriv.h> +#include <Security/SecTrustSettings.h> +#include <Security/SecItem.h> +#include <Security/SecTrust.h> +#include <Security/SecPolicy.h> +#include <Security/CMSDecoder.h> + +#define kSystemLoginKeychainPath "/Library/Keychains/System.keychain" + +#include <test/testmore.h> +#include "cms-trust-settings-test.h" + +// See <rdar://problem/8115188> +static void test(void) { + SecCertificateRef cert = NULL; + SecKeychainRef kcRef = NULL; + CFMutableDictionaryRef query = NULL; + CFDictionaryRef trustSettings = NULL; + CFArrayRef persistentRef = NULL; + CMSDecoderRef decoder = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus = kCMSSignerInvalidIndex; + SecTrustResultType trustResult = kSecTrustResultInvalid; + + /* Add cert to 
keychain */ + ok(cert = SecCertificateCreateWithBytes(NULL, _cert, sizeof(_cert)), "Create cert"); + ok_status(SecKeychainOpen(kSystemLoginKeychainPath, &kcRef), "Open system keychain"); + if (!kcRef) { + goto out; + } + ok(query = CFDictionaryCreateMutable(NULL, 3, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), + "Create SecItem dictionary"); + CFDictionaryAddValue(query, kSecValueRef, cert); + CFDictionaryAddValue(query, kSecUseKeychain, kcRef); + CFDictionaryAddValue(query, kSecReturnPersistentRef, kCFBooleanTrue); + ok_status(SecItemAdd(query, (void *)&persistentRef), + "Add cert to system keychain"); + + /* Set trust settings */ + CFStringRef temp = kSecTrustSettingsResult; + uint32_t otherTemp = kSecTrustSettingsResultDeny; + CFNumberRef deny = CFNumberCreate(NULL, kCFNumberSInt32Type, &otherTemp); + trustSettings = CFDictionaryCreate(NULL, (const void **)&temp, (const void **)&deny, 1, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFReleaseNull(deny); + ok_status(SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainAdmin, trustSettings), + "Set cert as denied"); + // Wait for trustd to get the message + sleep(1); + + /* Create the Decoder */ + ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder"); + ok_status(CMSDecoderUpdateMessage(decoder, _signed_message, sizeof(_signed_message)), + "Update decoder with CMS message"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Evaluate trust */ + ok(policy = SecPolicyCreateBasicX509(), "Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, true, &signerStatus, &trust, NULL), + "Copy Signer status"); + ok_status(SecTrustGetTrustResult(trust, &trustResult), "Get trust result"); + is(trustResult, kSecTrustResultDeny, "Not denied"); + +out: + if (persistentRef) { + CFTypeRef item = CFArrayGetValueAtIndex(persistentRef, 0); + CFDictionaryRef del = CFDictionaryCreate(NULL, (const void **)&kSecValuePersistentRef, 
&item, 1, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + SecItemDelete(del); + CFReleaseNull(del); + } + CFReleaseNull(cert); + CFReleaseNull(kcRef); + CFReleaseNull(query); + CFReleaseNull(persistentRef); + CFReleaseNull(trustSettings); + CFReleaseNull(decoder); + CFReleaseNull(policy); + CFReleaseNull(trust); +} + +int cms_trust_settings_test(int argc, char *const *argv) { + plan_tests(12); + +#if !TARGET_OS_IPHONE + if (getuid() != 0) { + printf("Test must be run as root on OS X"); + return 0; + } +#endif + + test(); + + return 0; +} diff --git a/OSX/libsecurity_cms/regressions/cms-trust-settings-test.h b/OSX/libsecurity_cms/regressions/cms-trust-settings-test.h new file mode 100644 index 00000000..10f1021d --- /dev/null +++ b/OSX/libsecurity_cms/regressions/cms-trust-settings-test.h 
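Review bot: The cleanup under `out:` deletes the keychain item but never removes the admin-domain trust setting installed by `SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainAdmin, ...)`, so every run leaves a system-wide deny entry for the test certificate behind on the machine's live trust store. Add `if (cert) SecTrustSettingsRemoveTrustSettings(cert, kSecTrustSettingsDomainAdmin);` before the item deletion, which matters all the more because the test runs as root against the real System keychain rather than a scratch one. The guard after `SecKeychainOpen` checks only `kcRef`; a NULL `cert` from `SecCertificateCreateWithBytes` is passed to `CFDictionaryAddValue` and `SecTrustSettingsSetTrustSettings`, and `query` is used unchecked, so widen it to `if (!cert || !kcRef) goto out;` and bail out the same way when `query` is NULL. `sleep(1)` as the synchronisation point with trustd is a likely source of flakiness; at minimum the comment should state that the one-second wait is an assumption about trustd's notification latency rather than a guarantee.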
@@ -0,0 +1,180 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef cms_trust_settings_test_h +#define cms_trust_settings_test_h + +#include <stdio.h> + +int cms_trust_settings_test(int argc, char *const *argv); + +unsigned char _cert[] = { + 0x30,0x82,0x03,0xE1,0x30,0x82,0x02,0xC9,0xA0,0x03,0x02,0x01,0x02,0x02,0x04,0x74, + 0x3F,0x1D,0x98,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, + 0x05,0x00,0x30,0x81,0xA7,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x0C,0x11, + 0x43,0x4D,0x53,0x20,0x52,0x53,0x41,0x20,0x54,0x65,0x73,0x74,0x20,0x43,0x65,0x72, + 0x74,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x14, + 0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20, + 0x49,0x6E,0x63,0x2E,0x31,0x2E,0x30,0x2C,0x06,0x03,0x55,0x04,0x0B,0x0C,0x25,0x53, + 0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72, + 0x69,0x6E,0x67,0x20,0x61,0x6E,0x64,0x20,0x41,0x72,0x63,0x68,0x69,0x74,0x65,0x63, + 
0x74,0x75,0x72,0x65,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43, + 0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x21,0x30,0x1F,0x06,0x09,0x2A, + 0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,0x16,0x12,0x75,0x73,0x65,0x72,0x6E,0x61, + 0x6D,0x65,0x40,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x1E,0x17,0x0D, + 0x31,0x36,0x30,0x33,0x31,0x34,0x30,0x30,0x31,0x38,0x32,0x39,0x5A,0x17,0x0D,0x31, + 0x36,0x30,0x34,0x31,0x33,0x30,0x30,0x31,0x38,0x32,0x39,0x5A,0x30,0x81,0xA7,0x31, + 0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x03,0x0C,0x11,0x43,0x4D,0x53,0x20,0x52,0x53, + 0x41,0x20,0x54,0x65,0x73,0x74,0x20,0x43,0x65,0x72,0x74,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04, + 0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2E, + 0x30,0x2C,0x06,0x03,0x55,0x04,0x0B,0x0C,0x25,0x53,0x65,0x63,0x75,0x72,0x69,0x74, + 0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x20,0x61,0x6E, + 0x64,0x20,0x41,0x72,0x63,0x68,0x69,0x74,0x65,0x63,0x74,0x75,0x72,0x65,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72, + 0x6E,0x69,0x61,0x31,0x21,0x30,0x1F,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, + 0x09,0x01,0x16,0x12,0x75,0x73,0x65,0x72,0x6E,0x61,0x6D,0x65,0x40,0x61,0x70,0x70, + 0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86, + 0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82, + 0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE2,0x9B,0xCB,0x6C,0x77,0xB7,0xD1,0x05,0xA0, + 0xAE,0x86,0x20,0x45,0xD3,0xF4,0x24,0x8D,0x25,0x34,0x31,0xA9,0xE2,0x10,0x36,0xF5, + 0x0A,0x0B,0x90,0x4A,0xA5,0x6B,0x5C,0x16,0xCD,0xB0,0x72,0xE9,0xA9,0x80,0x5F,0x6D, + 0xB2,0x4D,0xD9,0x58,0x16,0x9F,0x68,0x81,0x9A,0x6B,0xEB,0xD5,0x4B,0xF7,0x7D,0x59, + 0xE9,0x46,0x2B,0x5B,0x8F,0xE4,0xEC,0xAB,0x5C,0x07,0x74,0xA2,0x0E,0x59,0xBB,0xFC, + 0xD3,0xCF,0xF7,0x21,0x88,0x6C,0x88,0xD9,0x6B,0xA3,0xA3,0x4E,0x5B,0xD1,0x1C,0xFB, + 
0x04,0xF5,0xB2,0x12,0x0E,0x54,0x59,0x4D,0xCE,0x0A,0xE0,0x26,0x24,0x06,0xEB,0xC8, + 0xA2,0xC6,0x41,0x28,0xF9,0x79,0xE4,0xB1,0x4E,0x00,0x6F,0x6E,0xF8,0x96,0x9E,0x45, + 0x28,0x70,0xEC,0xC7,0xDC,0xA2,0xDD,0x92,0xAB,0xDD,0x6F,0xD8,0x57,0xBA,0xCC,0x29, + 0xBE,0xB7,0x00,0x1E,0x8D,0x13,0x3F,0x47,0x34,0x3C,0xD0,0xC6,0xC8,0x17,0xDF,0x74, + 0x8A,0xB1,0xC3,0x68,0xD5,0xBA,0x76,0x60,0x55,0x5F,0x8D,0xFA,0xBD,0xE7,0x11,0x9E, + 0x59,0x96,0xE5,0x93,0x70,0xAD,0x41,0xFB,0x61,0x46,0x70,0xC4,0x05,0x12,0x23,0x23, + 0xC0,0x9D,0xC8,0xC5,0xF5,0x96,0xE5,0x48,0x10,0x86,0x8A,0x1E,0x3B,0x83,0xD1,0x47, + 0x3A,0x27,0x00,0x71,0x10,0xA3,0x52,0xBA,0xAE,0x01,0x43,0x87,0x9C,0x6A,0x1B,0xEA, + 0x1A,0x44,0x4F,0x4A,0xAC,0xD4,0x82,0x55,0xEE,0x1F,0x25,0x9C,0x55,0xCA,0xD2,0xD0, + 0x3A,0x0B,0x70,0x90,0x60,0x49,0x47,0x02,0xFD,0x89,0x2C,0x9A,0x26,0x36,0x34,0x8F, + 0x24,0x39,0x8C,0xE9,0xA2,0x52,0x8F,0x02,0x03,0x01,0x00,0x01,0xA3,0x13,0x30,0x11, + 0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01, + 0xFF,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00, + 0x03,0x82,0x01,0x01,0x00,0x4C,0xED,0x5B,0xAF,0x13,0x16,0x5D,0xE2,0xDD,0x5C,0x48, + 0x1C,0xD5,0x6E,0x8B,0x04,0x51,0xD6,0x38,0x80,0xFD,0x52,0x4A,0x34,0xDC,0x13,0x35, + 0x6E,0x64,0x39,0x39,0x39,0x09,0xA7,0x6C,0x2D,0x39,0xF2,0x04,0x21,0xE3,0xEA,0x8F, + 0xF8,0xBE,0x46,0x0E,0x20,0x82,0xD0,0xC5,0x60,0xBF,0x57,0x6F,0xD8,0x29,0xB4,0x66, + 0xDB,0xBF,0x92,0xC9,0xDC,0x90,0x97,0x0F,0x2F,0x59,0xA0,0x13,0xF3,0xA4,0xCA,0xDE, + 0x3F,0x80,0x2A,0x99,0xB4,0xEE,0x71,0xC3,0x56,0x71,0x51,0x37,0x55,0xA1,0x60,0x89, + 0xAB,0x94,0x0E,0xB9,0x70,0xA5,0x55,0xF3,0x1A,0x87,0xA4,0x41,0x4C,0x45,0xBA,0xB6, + 0x56,0xD6,0x45,0x56,0x12,0x60,0xE5,0x91,0xEC,0xF7,0xBE,0x39,0xA4,0x80,0x08,0x9F, + 0xEA,0x17,0x12,0x0E,0xA6,0xE6,0xEF,0x09,0xF7,0x61,0x51,0x57,0x73,0xE3,0x57,0x88, + 0xD7,0xF8,0x5F,0xAF,0x5D,0xAF,0x88,0x32,0xB4,0x09,0x3E,0x7C,0x25,0x77,0x35,0xE9, + 0x3E,0x6E,0x0A,0xB9,0xB4,0xA3,0x06,0x07,0x0F,0x7E,0x93,0x26,0x16,0x38,0x1E,0x4E, + 
0x72,0xAF,0x06,0x44,0x1E,0x8D,0x96,0xA6,0x15,0x9C,0x82,0x6D,0x71,0x99,0x84,0x8D, + 0x12,0x46,0xF2,0xBB,0xA7,0x63,0x7A,0x32,0xDA,0xA9,0xDE,0xB6,0x34,0x14,0xFB,0x07, + 0x0C,0xAB,0x3B,0x0A,0xA1,0x8B,0xDA,0x15,0xB3,0x63,0xF3,0x5C,0x45,0x2F,0x0B,0x6E, + 0xC7,0x27,0x72,0xC1,0x37,0x56,0x30,0xE3,0x26,0xBB,0x19,0x4F,0x91,0xA1,0xD0,0x30, + 0x29,0x5B,0x79,0x79,0x5C,0xE6,0x4F,0xED,0xCF,0x81,0xB2,0x50,0x35,0x96,0x23,0xB2, + 0x9F,0xCA,0x3F,0xB5,0x54, +}; + +unsigned char _signed_message[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, + 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, + 0x41, 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xa0, 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, + 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, + 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, + 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 
0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, + 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, + 0x34, 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, + 0x32, 0x39, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, + 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, + 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, + 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, + 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, + 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, + 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, + 0xf4, 0x24, 0x8d, 0x25, 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 
0x6b, 0x5c, 0x16, 0xcd, + 0xb0, 0x72, 0xe9, 0xa9, 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, + 0xf7, 0x7d, 0x59, 0xe9, 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, + 0xcf, 0xf7, 0x21, 0x88, 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, + 0x54, 0x59, 0x4d, 0xce, 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, + 0x00, 0x6f, 0x6e, 0xf8, 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, + 0xba, 0xcc, 0x29, 0xbe, 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, + 0xb1, 0xc3, 0x68, 0xd5, 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, + 0xad, 0x41, 0xfb, 0x61, 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, + 0x86, 0x8a, 0x1e, 0x3b, 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, + 0x6a, 0x1b, 0xea, 0x1a, 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, + 0x0b, 0x70, 0x90, 0x60, 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, + 0x52, 0x8f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, + 0xd5, 0x6e, 0x8b, 0x04, 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, + 0x09, 0xa7, 0x6c, 0x2d, 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, + 0xbf, 0x57, 0x6f, 
0xd8, 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, + 0xa4, 0xca, 0xde, 0x3f, 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, + 0x94, 0x0e, 0xb9, 0x70, 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, + 0x60, 0xe5, 0x91, 0xec, 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, + 0x61, 0x51, 0x57, 0x73, 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, + 0x77, 0x35, 0xe9, 0x3e, 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, + 0xaf, 0x06, 0x44, 0x1e, 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, + 0x63, 0x7a, 0x32, 0xda, 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, + 0x63, 0xf3, 0x5c, 0x45, 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, + 0xa1, 0xd0, 0x30, 0x29, 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, + 0xca, 0x3f, 0xb5, 0x54, 0x31, 0x82, 0x01, 0xdc, 0x30, 0x82, 0x01, 0xd8, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, + 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 
0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xc9, 0x25, 0xbe, 0xb8, 0xf2, 0x2c, 0x7f, 0xc8, 0x3a, 0xc3, 0xc2, 0x4b, + 0xac, 0x54, 0xcf, 0xa6, 0x75, 0xaa, 0xeb, 0x40, 0x68, 0xee, 0xe2, 0xb1, 0xa8, 0x70, 0x9e, 0xe9, 0x8b, 0xf1, 0x0a, 0x85, + 0x88, 0x40, 0xef, 0xb8, 0xa5, 0x04, 0x87, 0x63, 0x03, 0xf5, 0x41, 0x81, 0x29, 0x42, 0x7f, 0x31, 0x8f, 0x5b, 0xde, 0xe8, + 0x15, 0xc1, 0xa3, 0x45, 0xf1, 0xbc, 0xff, 0x81, 0x58, 0xbd, 0xac, 0x4c, 0xa5, 0xb3, 0x30, 0x9a, 0xb8, 0x9e, 0x69, 0x10, + 0xad, 0x44, 0x7b, 0x93, 0x28, 0xba, 0xca, 0x6f, 0x2e, 0xf8, 0x1b, 0x03, 0xc2, 0x0a, 0x4a, 0x06, 0x32, 0x4d, 0x30, 0x50, + 0xb7, 0x9c, 0x57, 0x4d, 0x4b, 0x6c, 0x34, 0x53, 0xd8, 0xf5, 0xca, 0x91, 0xa5, 0xdf, 0xa6, 0x67, 0x0a, 0x2e, 0x02, 0x47, + 0x1c, 0x1c, 0xd6, 0x2b, 0xe2, 0x85, 0xc1, 0xda, 0x79, 0xa2, 0xe2, 0x1e, 0xf8, 0x5e, 0xf9, 0x76, 0x55, 0xaf, 0x61, 0xaf, + 0xde, 0x0a, 0x7b, 0xeb, 0xa1, 0xa8, 0xc6, 0xef, 0x76, 0x2f, 0x50, 0xd1, 0x0a, 0xce, 0xdb, 0x14, 0xc3, 0x13, 0x72, 0xe5, + 0x26, 0x67, 0x90, 0x19, 0x15, 0x7b, 0x79, 0x05, 0xeb, 0x20, 0xb3, 0x5a, 0x4e, 0x78, 0xae, 0x2d, 0x9c, 0xd1, 0x31, 0xfd, + 0x2e, 0xcb, 0x84, 0xb9, 0x67, 0xea, 0xaf, 0xb3, 0xc2, 0x5f, 0xf5, 0xcd, 0x7b, 0x66, 0x3f, 0xdf, 0xf7, 0xe7, 0x76, 0x46, + 0x57, 0xd9, 0xee, 0x4b, 0xb2, 0xc8, 0x7b, 0xf9, 0x88, 0xab, 0x8e, 0xca, 0xfc, 0x39, 0xd1, 0x8e, 0x1c, 0xba, 0x3e, 0x63, + 0xb7, 0xe8, 0x0e, 0x2f, 0xde, 0x6b, 0x76, 0x81, 0xbf, 0x78, 0x26, 0x0c, 0xa0, 0x2c, 0x35, 0x21, 0xde, 0xb4, 0x45, 
0x0a, + 0x84, 0xea, 0x68, 0xa5, 0x37, 0xe8, 0x4a, 0xbc, 0xa6, 0xcf, 0x24, 0x85, 0x46, 0x33, 0x9e, 0xd9, 0xba, 0x58, 0x75, 0xd7, + 0x45, 0xc2, 0x99, 0xe5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +#endif /* cms_trust_settings_test_h */ diff --git a/OSX/libsecurity_cms/regressions/cms_regressions.h b/OSX/libsecurity_cms/regressions/cms_regressions.h index 30a2e4e6..8d8d5509 100644 --- a/OSX/libsecurity_cms/regressions/cms_regressions.h +++ b/OSX/libsecurity_cms/regressions/cms_regressions.h @@ -25,4 +25,5 @@ #include <test/testmore.h> -ONE_TEST(cms_hash_agility_test) \ No newline at end of file +ONE_TEST(cms_hash_agility_test) +ONE_TEST(cms_trust_settings_test) diff --git a/OSX/libsecurity_codesigning/CodeSigningHelper/CodeSigningHelper-Info.plist b/OSX/libsecurity_codesigning/CodeSigningHelper/CodeSigningHelper-Info.plist index 49b47515..40272dbb 100644 --- a/OSX/libsecurity_codesigning/CodeSigningHelper/CodeSigningHelper-Info.plist +++ b/OSX/libsecurity_codesigning/CodeSigningHelper/CodeSigningHelper-Info.plist @@ -7,7 +7,7 @@ <key>CFBundleExecutable</key> <string>${EXECUTABLE_NAME}</string> <key>CFBundleIdentifier</key> - <string>${PRODUCT_NAME}</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> diff --git a/OSX/libsecurity_codesigning/CodeSigningHelper/main.c b/OSX/libsecurity_codesigning/CodeSigningHelper/main.c index 553a8c4d..f81de057 100644 --- a/OSX/libsecurity_codesigning/CodeSigningHelper/main.c +++ b/OSX/libsecurity_codesigning/CodeSigningHelper/main.c @@ -94,6 +94,9 @@ fetchData(xpc_connection_t peer, xpc_object_t event) pid = (pid_t)xpc_dictionary_get_int64(event, "pid"); if (pid <= 0) return; + + size_t iphLength; + const void* iphash = xpc_dictionary_get_data(event, "infohash", &iphLength); xpc_object_t reply = xpc_dictionary_create_reply(event); if (reply == NULL) 
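Review bot: `_cert` and `_signed_message` are definitions with external linkage placed in a header, so a second translation unit that includes `cms-trust-settings-test.h` fails to link with duplicate symbols, and file-scope identifiers starting with an underscore are reserved for the implementation. Give them internal linkage and constness, `static const unsigned char cert_der[] = { ... };` and `static const unsigned char signed_message_der[] = { ... };` (or move the definitions into the .c file and leave `extern` declarations here), and update the two uses in cms-trust-settings-test.c. The encoded validity period appears to be 2016-03-14 to 2016-04-13, so a short comment above the array noting that the certificate is test-only, self-signed and already expired would tell the next maintainer how the expected `kSecTrustResultDeny` relates to expiry.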
@@ -130,6 +133,8 @@ fetchData(xpc_connection_t peer, xpc_object_t event) xpc_dictionary_set_string(reply, "error", "can't get content of Info.plist"); goto send; } + + ... check the "right" hash against iphash/iphLength xpc_dictionary_set_data(reply, "infoPlist", CFDataGetBytePtr(data), CFDataGetLength(data)); CFRelease(data); diff --git a/OSX/libsecurity_codesigning/CodeSigningHelper/main.cpp b/OSX/libsecurity_codesigning/CodeSigningHelper/main.cpp new file mode 100644 index 00000000..be200db3 --- /dev/null +++ b/OSX/libsecurity_codesigning/CodeSigningHelper/main.cpp 
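Review bot: The added line `... check the "right" hash against iphash/iphLength` is not C, so main.c no longer compiles; since the same commit adds main.cpp with the hash check implemented, main.c looks superseded and should be deleted (or dropped from the target) rather than left in a broken state. The preceding @@ -94 hunk adds `iphLength` and `iphash`, which nothing in main.c uses; if the file is intentionally kept, the missing check should be written out and `iphLength` should only be read when `iphash != NULL`, as main.cpp does. fetchData begins and ends outside the hunk.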
@@ -0,0 +1,108 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#include <Security/CodeSigning.h> +#include <Security/SecCodePriv.h> +#include <xpc/xpc.h> +#include <sandbox.h> +#include <security_utilities/cfutilities.h> +#include <security_utilities/cfmunge.h> +#include <security_utilities/logging.h> +#include "codedirectory.h" + + + +static void +request(xpc_connection_t peer, xpc_object_t event) +{ + OSStatus rc; + + pid_t pid = (pid_t)xpc_dictionary_get_int64(event, "pid"); + if (pid <= 0) + return; + + xpc_object_t reply = xpc_dictionary_create_reply(event); + if (reply == NULL) + return; + + CFTemp<CFDictionaryRef> attributes("{%O=%d}", kSecGuestAttributePid, pid); + CFRef<SecCodeRef> code; + if ((rc = SecCodeCopyGuestWithAttributes(NULL, attributes, kSecCSDefaultFlags, &code.aref())) == noErr) { + + // path to base of client code + CFRef<CFURLRef> codePath; + if ((rc = SecCodeCopyPath(code, kSecCSDefaultFlags, &codePath.aref())) == noErr) { + CFRef<CFDataRef> data = CFURLCreateData(NULL, codePath, kCFStringEncodingUTF8, true); + 
xpc_dictionary_set_data(reply, "bundleURL", CFDataGetBytePtr(data), CFDataGetLength(data)); + } + + // if the caller wants the Info.plist, get it and verify the hash passed by the caller + size_t iphLength; + if (const void *iphash = xpc_dictionary_get_data(event, "infohash", &iphLength)) { + if (CFRef<CFDataRef> data = SecCodeCopyComponent(code, Security::CodeSigning::cdInfoSlot, CFTempData(iphash, iphLength))) { + xpc_dictionary_set_data(reply, "infoPlist", CFDataGetBytePtr(data), CFDataGetLength(data)); + } + } + } + xpc_connection_send_message(peer, reply); + xpc_release(reply); +} + + +static void CodeSigningHelper_peer_event_handler(xpc_connection_t peer, xpc_object_t event) +{ + xpc_type_t type = xpc_get_type(event); + if (type == XPC_TYPE_ERROR) + return; + + assert(type == XPC_TYPE_DICTIONARY); + + const char *cmd = xpc_dictionary_get_string(event, "command"); + if (cmd == NULL) { + xpc_connection_cancel(peer); + } else if (strcmp(cmd, "fetchData") == 0) + request(peer, event); + else { + Syslog::error("peer sent invalid command %s", cmd); + xpc_connection_cancel(peer); + } +} + + +static void CodeSigningHelper_event_handler(xpc_connection_t peer) +{ + xpc_connection_set_event_handler(peer, ^(xpc_object_t event) { + CodeSigningHelper_peer_event_handler(peer, event); + }); + xpc_connection_resume(peer); +} + +int main(int argc, const char *argv[]) +{ + char *error = NULL; + if (sandbox_init("com.apple.CodeSigningHelper", SANDBOX_NAMED, &error)) { + Syslog::error("failed to enter sandbox: %s", error); + exit(EXIT_FAILURE); + } + xpc_main(CodeSigningHelper_event_handler); + return 0; +} diff --git a/OSX/libsecurity_codesigning/lib/CSCommon.h b/OSX/libsecurity_codesigning/lib/CSCommon.h index be1be0fd..11e2f517 100644 --- a/OSX/libsecurity_codesigning/lib/CSCommon.h +++ b/OSX/libsecurity_codesigning/lib/CSCommon.h 
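Review bot: In `request()`, `CFURLCreateData` can return NULL and `data` is passed straight to `CFDataGetBytePtr`/`CFDataGetLength` for the `bundleURL` reply, which dereferences NULL; wrap it as `if (CFRef<CFDataRef> data = CFURLCreateData(NULL, codePath, kCFStringEncodingUTF8, true)) { ... }`, matching the pattern already used for the `infoPlist` component. `rc` is collected from `SecCodeCopyGuestWithAttributes` and `SecCodeCopyPath` but never reported, so on failure the peer gets an empty reply and cannot tell "no such guest" from "nothing requested"; the C predecessor set an `"error"` entry, and `xpc_dictionary_set_int64(reply, "error", rc)` in the failure paths would keep that contract (confirm against the client side in libsecurity_codesigning). The guest is located solely by the peer-supplied `"pid"`, which can be reused by another process between the caller's lookup and this one; since Code.cpp in this commit adds `kSecGuestAttributeAudit`, the helper could pass the connection's audit token when available to pin the lookup to the intended process instance.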
@@ -118,6 +118,9 @@ CF_ENUM(OSStatus) { errSecCSNotAppLike = -67002, /* the code is valid but does not seem to be an app */ errSecCSBadDiskImageFormat = -67001, /* disk image format unrecognized, invalid, or unsuitable */ errSecCSUnsupportedDigestAlgorithm = -67000, /* signature digest algorithm(s) specified are not supported */ + errSecCSInvalidAssociatedFileData = -66999, /* resource fork, Finder information, or similar detritus not allowed */ + errSecCSInvalidTeamIdentifier = -66998, /* a Team Identifier string is invalid */ + errSecCSBadTeamIdentifier = -66997, /* a Team Identifier is wrong or inappropriate */ }; /* @@ -135,6 +138,7 @@ extern const CFStringRef kSecCFErrorResourceSeal; /* CFTypeRef: invalid componen extern const CFStringRef kSecCFErrorResourceAdded; /* CFURLRef: unsealed resource found */ extern const CFStringRef kSecCFErrorResourceAltered; /* CFURLRef: modified resource found */ extern const CFStringRef kSecCFErrorResourceMissing; /* CFURLRef: sealed (non-optional) resource missing */ +extern const CFStringRef kSecCFErrorResourceSideband; /* CFURLRef: sealed resource has invalid sideband data (resource fork, etc.) */ extern const CFStringRef kSecCFErrorInfoPlist; /* CFTypeRef: Info.plist dictionary or component thereof found invalid */ extern const CFStringRef kSecCFErrorGuestAttributes; /* CFTypeRef: Guest attribute set of element not accepted */ extern const CFStringRef kSecCFErrorRequirementSyntax; /* CFStringRef: compilation error for Requirement source */ 
@@ -200,11 +204,12 @@ CF_ENUM(SecGuestRef) { typedef CF_OPTIONS(uint32_t, SecCSFlags) { kSecCSDefaultFlags = 0, /* no particular flags (default behavior) */ - kSecCSConsiderExpiration = 1 << 31, /* consider expired certificates invalid */ + kSecCSConsiderExpiration = 1U << 31, /* consider expired certificates invalid */ kSecCSEnforceRevocationChecks = 1 << 30, /* force revocation checks regardless of preference settings */ kSecCSNoNetworkAccess = 1 << 29, /* do not use the network, cancels "kSecCSEnforceRevocationChecks" */ kSecCSReportProgress = 1 << 28, /* make progress report call-backs when configured */ kSecCSCheckTrustedAnchors = 1 << 27, /* build certificate chain to system trust anchors, not to any self-signed certificate */ + kSecCSQuickCheck = 1 << 26, /* (internal) */ }; diff --git a/OSX/libsecurity_codesigning/lib/Code.cpp b/OSX/libsecurity_codesigning/lib/Code.cpp index 3194bf3d..d5de3047 100644 --- a/OSX/libsecurity_codesigning/lib/Code.cpp +++ b/OSX/libsecurity_codesigning/lib/Code.cpp @@ -259,9 +259,9 @@ SecCode *SecCode::autoLocateGuest(CFDictionaryRef attributes, SecCSFlags flags) if (CFDictionaryGetCount(attributes) == 0) return KernelCode::active()->retain(); - // main logic: we need a pid, and we'll take a canonical guest id as an option - int pid = 0; - if (!cfscan(attributes, "{%O=%d}", kSecGuestAttributePid, &pid)) + // main logic: we need a pid or audit trailer; everything else goes to the guests + if (CFDictionaryGetValue(attributes, kSecGuestAttributePid) == NULL + && CFDictionaryGetValue(attributes, kSecGuestAttributeAudit) == NULL) CSError::throwMe(errSecCSUnsupportedGuestAttributes, kSecCFErrorGuestAttributes, attributes); if (SecCode *process = KernelCode::active()->locateGuest(attributes)) { 
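Review bot: Only `kSecCSConsiderExpiration` receives the `1U` fix; the remaining members of this `CF_OPTIONS(uint32_t, SecCSFlags)` still use signed `1 << N`, which is defined for N ≤ 30 but inconsistent within the same enumeration and will need the same fix the next time a high bit is assigned. Use `1U <<` for every member. `kSecCSQuickCheck = 1 << 26, /* (internal) */` lands in a public header with a one-word comment; if the intent is that clients never set it, say so, e.g. `/* (internal) reserved for the code signing framework; do not pass from client code */`.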
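Review bot: The removed `cfscan(attributes, "{%O=%d}", kSecGuestAttributePid, &pid)` also validated that the pid attribute was a number; the replacement only checks that one of the two keys is present, so a dictionary carrying a non-CFNumber `kSecGuestAttributePid` (or a malformed audit attribute, presumably a CFData) now passes this gate and any type error is deferred to `locateGuest`. Confirm that path still fails with `errSecCSUnsupportedGuestAttributes`, or keep the check here with `CFGetTypeID(...) == CFNumberGetTypeID()` and `CFGetTypeID(...) == CFDataGetTypeID()`. The new comment says "we need a pid or audit trailer" while the condition accepts both at once; a sentence stating which attribute takes precedence when both are supplied would save the next reader a trip into KernelCode::locateGuest. autoLocateGuest continues outside the hunk.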
@@ -271,6 +271,7 @@ SecCode *SecCode::autoLocateGuest(CFDictionaryRef attributes, SecCSFlags flags) // might be a code host. Let's find out CFRef<CFMutableDictionaryRef> rest = makeCFMutableDictionary(attributes); CFDictionaryRemoveValue(rest, kSecGuestAttributePid); + CFDictionaryRemoveValue(rest, kSecGuestAttributeAudit); if (SecCode *guest = code->locateGuest(rest)) return guest; } diff --git a/OSX/libsecurity_codesigning/lib/CodeSigner.cpp b/OSX/libsecurity_codesigning/lib/CodeSigner.cpp index 783262ba..ee8045f9 100644 --- a/OSX/libsecurity_codesigning/lib/CodeSigner.cpp +++ b/OSX/libsecurity_codesigning/lib/CodeSigner.cpp @@ -138,12 +138,12 @@ void SecCodeSigner::sign(SecStaticCode *code, SecCSFlags flags) return; Signer operation(*this, code); if ((flags | mOpFlags) & kSecCSRemoveSignature) { - secdebug("signer", "%p will remove signature from %p", this, code); + secinfo("signer", "%p will remove signature from %p", this, code); operation.remove(flags); } else { if (!valid()) MacOSError::throwMe(errSecCSInvalidObjectRef); - secdebug("signer", "%p will sign %p (flags 0x%x)", this, code, flags); + secinfo("signer", "%p will sign %p (flags 0x%x)", this, code, flags); operation.sign(flags); } code->resetValidity(); diff --git a/OSX/libsecurity_codesigning/lib/SecAssessment.cpp b/OSX/libsecurity_codesigning/lib/SecAssessment.cpp index ff228381..2c1e06bd 100644 --- a/OSX/libsecurity_codesigning/lib/SecAssessment.cpp +++ b/OSX/libsecurity_codesigning/lib/SecAssessment.cpp @@ -27,6 +27,7 @@ #include "xpcengine.h" #include "csutilities.h" #include <CoreFoundation/CFRuntime.h> +#include <CoreFoundation/CFBundlePriv.h> #include <security_utilities/globalizer.h> #include <security_utilities/unix++.h> #include <security_utilities/cfmunge.h> 
@@ -133,6 +134,8 @@ CFStringRef kSecAssessmentFeedbackProgress = CFSTR("feedback:progress"); CFStringRef kSecAssessmentFeedbackInfoCurrent = CFSTR("current"); CFStringRef kSecAssessmentFeedbackInfoTotal = CFSTR("total"); +CFStringRef kSecAssessmentContextKeyPrimarySignature = CFSTR("context:primary-signature"); + CFStringRef kSecAssessmentAssessmentVerdict = CFSTR("assessment:verdict"); CFStringRef kSecAssessmentAssessmentOriginator = CFSTR("assessment:originator"); CFStringRef kSecAssessmentAssessmentAuthority = CFSTR("assessment:authority"); @@ -140,6 +143,7 @@ CFStringRef kSecAssessmentAssessmentSource = CFSTR("assessment:authority:source" CFStringRef kSecAssessmentAssessmentAuthorityRow = CFSTR("assessment:authority:row"); CFStringRef kSecAssessmentAssessmentAuthorityOverride = CFSTR("assessment:authority:override"); CFStringRef kSecAssessmentAssessmentAuthorityOriginalVerdict = CFSTR("assessment:authority:verdict"); +CFStringRef kSecAssessmentAssessmentAuthorityFlags = CFSTR("assessment:authority:flags"); CFStringRef kSecAssessmentAssessmentFromCache = CFSTR("assessment:authority:cached"); CFStringRef kSecAssessmentAssessmentWeakSignature = CFSTR("assessment:authority:weak"); CFStringRef kSecAssessmentAssessmentCodeSigningError = CFSTR("assessment:cserror"); @@ -238,7 +242,7 @@ static void traceResult(CFURLRef target, MessageTrace &trace, std::string &sanit string identifier = "UNBUNDLED"; string version = "UNKNOWN"; - if (CFRef<CFBundleRef> bundle = CFBundleCreate(NULL, target)) { + if (CFRef<CFBundleRef> bundle = _CFBundleCreateUnique(NULL, target)) { if (CFStringRef ident = CFBundleGetIdentifier(bundle)) identifier = cfString(ident); if (CFStringRef vers = CFStringRef(CFBundleGetValueForInfoDictionaryKey(bundle, CFSTR("CFBundleShortVersionString")))) 
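Review bot: After switching traceResult to `_CFBundleCreateUnique`, the value read from the target's Info.plist on the hunk's last line is still C-cast to CFStringRef with no CFGetTypeID check, so a bundle whose CFBundleShortVersionString is not a string passes the wrong type into cfString; that line is pre-existing context, but this hunk is where the bundle is loaded from a caller-supplied URL, so it is the natural place to tighten it. Proposed: `if (CFTypeRef vers = CFBundleGetValueForInfoDictionaryKey(bundle, CFSTR("CFBundleShortVersionString"))) if (CFGetTypeID(vers) == CFStringGetTypeID()) version = cfString(CFStringRef(vers));`, assuming the assignment to `version` that follows outside the hunk is the only consumer. traceResult's body continues past the hunk.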
@@ -497,20 +501,21 @@ Boolean SecAssessmentControl(CFStringRef control, void *arguments, CFErrorRef *e result = kCFBooleanTrue; return true; } else if (CFEqual(control, CFSTR("ui-enable-devid"))) { - CFTemp<CFDictionaryRef> ctx("{%O=%s}", kSecAssessmentUpdateKeyLabel, "Developer ID"); - if (CFDictionaryRef result = gEngine().enable(NULL, kAuthorityInvalid, kSecCSDefaultFlags, ctx, false)) - CFRelease(result); + CFTemp<CFDictionaryRef> ctx("{%O=%s, %O=%O}", kSecAssessmentUpdateKeyLabel, "Developer ID", kSecAssessmentContextKeyUpdate, kSecAssessmentUpdateOperationEnable); + SecAssessmentUpdate(NULL, kSecCSDefaultFlags, ctx, errors); MessageTrace trace("com.apple.security.assessment.state", "enable-devid"); trace.send("enable Developer ID approval"); return true; } else if (CFEqual(control, CFSTR("ui-disable-devid"))) { - CFTemp<CFDictionaryRef> ctx("{%O=%s}", kSecAssessmentUpdateKeyLabel, "Developer ID"); - if (CFDictionaryRef result = gEngine().disable(NULL, kAuthorityInvalid, kSecCSDefaultFlags, ctx, false)) - CFRelease(result); + CFTemp<CFDictionaryRef> ctx("{%O=%s, %O=%O}", kSecAssessmentUpdateKeyLabel, "Developer ID", kSecAssessmentContextKeyUpdate, kSecAssessmentUpdateOperationDisable); + SecAssessmentUpdate(NULL, kSecCSDefaultFlags, ctx, errors); MessageTrace trace("com.apple.security.assessment.state", "disable-devid"); trace.send("disable Developer ID approval"); return true; - } else if (CFEqual(control, CFSTR("ui-get-devid"))) { + } else if (CFEqual(control, CFSTR("ui-get-devid"))) { + xpcEngineCheckDevID((CFBooleanRef*)(arguments)); + return true; + } else if (CFEqual(control, CFSTR("ui-get-devid-local"))) { CFBooleanRef &result = *(CFBooleanRef*)(arguments); if (gEngine().value<int>("SELECT disabled FROM authority WHERE label = 'Developer ID';", true)) result = kCFBooleanFalse; diff --git a/OSX/libsecurity_codesigning/lib/SecAssessment.h b/OSX/libsecurity_codesigning/lib/SecAssessment.h index fb17a20e..efc6dd4a 100644 
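Review bot: Both the `ui-enable-devid` and `ui-disable-devid` branches discard the Boolean returned by `SecAssessmentUpdate(NULL, kSecCSDefaultFlags, ctx, errors)`, then send the "enable/disable Developer ID approval" trace and return true, so the caller and the message trace both record success even when the update failed and `*errors` was filled in. Check the result before tracing: `if (!SecAssessmentUpdate(NULL, kSecCSDefaultFlags, ctx, errors)) return false;`. The new `ui-get-devid` branch also hands `arguments` to xpcEngineCheckDevID as a `CFBooleanRef*` without a NULL check, mirroring the local variant; at minimum the control's contract should state that a non-NULL CFBooleanRef* is required. SecAssessmentControl continues outside the hunk.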
--- a/OSX/libsecurity_codesigning/lib/SecAssessment.h +++ b/OSX/libsecurity_codesigning/lib/SecAssessment.h @@ -87,7 +87,6 @@ extern CFStringRef kSecAssessmentOperationTypeOpenDocument; // .. LaunchServices @constant kSecAssessmentAllowWeak Allow signatures that contain known weaknesses, such as an insecure resource envelope. @constant kSecAssessmentIgnoreWhitelist Do not search the weak signature whitelist. - @constant kSecAssessmentFlagDequarantine Set the ASSESSMENT_OK flag if successful. @constant kSecAssessmentFlagIgnoreActiveAssessments Permit parallel re-assessment of the same target. @constant kSecAssessmentFlagLowPriority Run the assessment in low priority. @@ -105,7 +104,7 @@ enum { kSecAssessmentFlagEnforce = 1 << 26, // force on (disable bypass switches) kSecAssessmentFlagAllowWeak = 1 << 25, // allow weak signatures kSecAssessmentFlagIgnoreWhitelist = 1 << 24, // do not search weak signature whitelist - kSecAssessmentFlagDequarantine = 1 << 23, // set the ASSESSMENT_OK flag if successful + // 1 << 23 removed (was kSecAssessmentFlagDequarantine) kSecAssessmentFlagIgnoreActiveAssessments = 1 << 22, // permit parallel re-assessment of the same target kSecAssessmentFlagLowPriority = 1 << 21, // run the assessment in low priority }; @@ -144,6 +143,8 @@ extern CFStringRef kSecAssessmentFeedbackProgress; // progress reporting feedba extern CFStringRef kSecAssessmentFeedbackInfoCurrent; // info key: current work progress extern CFStringRef kSecAssessmentFeedbackInfoTotal; // info key: total expected work +extern CFStringRef kSecAssessmentContextKeyPrimarySignature; // on document assessment, treat code signature as primary and return its status + extern CFStringRef kSecAssessmentAssessmentVerdict; // CFBooleanRef: master result - allow or deny extern CFStringRef kSecAssessmentAssessmentOriginator; // CFStringRef: describing the signature originator extern CFStringRef kSecAssessmentAssessmentAuthority; // CFDictionaryRef: authority used to arrive at result 
@@ -154,6 +155,7 @@ extern CFStringRef kSecAssessmentAssessmentCodeSigningError; // error code retur extern CFStringRef kSecAssessmentAssessmentAuthorityRow; // (internal) extern CFStringRef kSecAssessmentAssessmentAuthorityOverride; // (internal) extern CFStringRef kSecAssessmentAssessmentAuthorityOriginalVerdict; // (internal) +extern CFStringRef kSecAssessmentAssessmentAuthorityFlags; // (internal) extern CFStringRef kDisabledOverride; // AuthorityOverride value for "Gatekeeper is disabled" diff --git a/OSX/libsecurity_codesigning/lib/SecCode.cpp b/OSX/libsecurity_codesigning/lib/SecCode.cpp index 59587ce7..7f6708bf 100644 --- a/OSX/libsecurity_codesigning/lib/SecCode.cpp +++ b/OSX/libsecurity_codesigning/lib/SecCode.cpp @@ -46,6 +46,7 @@ const CFStringRef kSecCFErrorResourceSeal = CFSTR("SecCSResourceSeal"); const CFStringRef kSecCFErrorResourceAdded = CFSTR("SecCSResourceAdded"); const CFStringRef kSecCFErrorResourceAltered = CFSTR("SecCSResourceAltered"); const CFStringRef kSecCFErrorResourceMissing = CFSTR("SecCSResourceMissing"); +const CFStringRef kSecCFErrorResourceSideband = CFSTR("SecCSResourceHasSidebandData"); const CFStringRef kSecCFErrorInfoPlist = CFSTR("SecCSInfoPlist"); const CFStringRef kSecCFErrorGuestAttributes = CFSTR("SecCSGuestAttributes"); const CFStringRef kSecCFErrorRequirementSyntax = CFSTR("SecRequirementSyntax"); 
@@ -152,8 +153,9 @@ const CFStringRef kSecGuestAttributeCanonical = CFSTR("canonical"); const CFStringRef kSecGuestAttributeHash = CFSTR("codedirectory-hash"); const CFStringRef kSecGuestAttributeMachPort = CFSTR("mach-port"); const CFStringRef kSecGuestAttributePid = CFSTR("pid"); -const CFStringRef kSecGuestAttributeDynamicCode = CFSTR("dynamicCode"); -const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist = CFSTR("dynamicCodeInfoPlist"); +const CFStringRef kSecGuestAttributeAudit = CFSTR("audit"); +const CFStringRef kSecGuestAttributeDynamicCode = CFSTR("dynamicCode"); +const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist = CFSTR("dynamicCodeInfoPlist"); const CFStringRef kSecGuestAttributeArchitecture = CFSTR("architecture"); const CFStringRef kSecGuestAttributeSubarchitecture = CFSTR("subarchitecture"); @@ -204,12 +206,12 @@ OSStatus SecCodeCheckValidity(SecCodeRef codeRef, SecCSFlags flags, OSStatus SecCodeCheckValidityWithErrors(SecCodeRef codeRef, SecCSFlags flags, SecRequirementRef requirementRef, CFErrorRef *errors) { -#if !SECTRUST_OSX BEGIN_CSAPI checkFlags(flags, kSecCSConsiderExpiration | kSecCSStrictValidate + | kSecCSRestrictSidebandData | kSecCSEnforceRevocationChecks); SecPointer<SecCode> code = SecCode::required(codeRef); code->checkValidity(flags); 
@@ -217,41 +219,6 @@ OSStatus SecCodeCheckValidityWithErrors(SecCodeRef codeRef, SecCSFlags flags,
 code->staticCode()->validateRequirement(req->requirement(), errSecCSReqFailed);
 END_CSAPI_ERRORS
-#else
-#warning resolve before enabling SECTRUST_OSX: <rdar://21328880>
- OSStatus result = errSecSuccess;
- const char *func = "SecCodeCheckValidity";
- CFErrorRef localErrors = NULL;
- if (!errors) { errors = &localErrors; }
- try {
- checkFlags(flags,
- kSecCSConsiderExpiration
- | kSecCSEnforceRevocationChecks);
- SecPointer<SecCode> code = SecCode::required(codeRef);
- code->checkValidity(flags);
- if (const SecRequirement *req = SecRequirement::optional(requirementRef))
- code->staticCode()->validateRequirement(req->requirement(), errSecCSReqFailed);
- }
- catch (...) {
- // the actual error being thrown is not being caught by any of the
- // type-specific blocks contained in the END_CSAPI_ERRORS macro,
- // so we only have the catch-all block here for now.
- result = errSecCSInternalError;
- }
-
- if (errors && *errors) {
- CFShow(errors);
- CFRelease(errors);
- *errors = NULL;
- }
- if (result == errSecCSInternalError) {
- #if !NDEBUG
- Security::Syslog::error("WARNING: %s ignored error %d", func, (int)result);
- #endif
- result = errSecSuccess;
- }
- return result;
-#endif
 }
@@ -292,8 +259,15 @@ const CFStringRef kSecCodeInfoCdHashes = CFSTR("cdhashes"); const CFStringRef kSecCodeInfoCodeDirectory = CFSTR("CodeDirectory"); const CFStringRef kSecCodeInfoCodeOffset = CFSTR("CodeOffset"); +const CFStringRef kSecCodeInfoDiskRepInfo = CFSTR("DiskRepInfo"); const CFStringRef kSecCodeInfoResourceDirectory = CFSTR("ResourceDirectory"); +/* DiskInfoRepInfo types */ +const CFStringRef kSecCodeInfoDiskRepOSPlatform = CFSTR("OSPlatform"); +const CFStringRef kSecCodeInfoDiskRepOSVersionMin = CFSTR("OSVersionMin"); +const CFStringRef kSecCodeInfoDiskRepOSSDKVersion = CFSTR("SDKVersion"); +const CFStringRef kSecCodeInfoDiskRepNoLibraryValidation = CFSTR("NoLibraryValidation"); + OSStatus SecCodeCopySigningInformation(SecStaticCodeRef codeRef, SecCSFlags flags, CFDictionaryRef *infoRef) diff --git a/OSX/libsecurity_codesigning/lib/SecCode.h b/OSX/libsecurity_codesigning/lib/SecCode.h index a5c7dd0e..b636b9d5 100644 --- a/OSX/libsecurity_codesigning/lib/SecCode.h +++ b/OSX/libsecurity_codesigning/lib/SecCode.h @@ -111,7 +111,7 @@ OSStatus SecCodeCopyStaticCode(SecCodeRef code, SecCSFlags flags, SecStaticCodeR and is the ultimate authority on the its dynamic validity and status. The host relationship is securely established (absent reported errors). - @param code A valid SecCode object reference representing code running + @param guest A valid SecCode object reference representing code running on the system. @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. @param host On successful return, a SecCode object reference identifying 
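Review bot: The new section comment reads `/* DiskInfoRepInfo types */` while the key it introduces is kSecCodeInfoDiskRepInfo; change it to `/* kSecCodeInfoDiskRepInfo sub-keys */` so a search for the constant finds its description. The four sub-keys are declared in SecCodePriv.h with `/* Number */` and `/* String */` value-type hints that are not repeated at the definition site; a matching one-line note here keeps the two files from drifting.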
@@ -121,6 +121,16 @@ OSStatus SecCodeCopyStaticCode(SecCodeRef code, SecCSFlags flags, SecStaticCodeR */ OSStatus SecCodeCopyHost(SecCodeRef guest, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED host); +extern const CFStringRef kSecGuestAttributeCanonical; +extern const CFStringRef kSecGuestAttributeHash; +extern const CFStringRef kSecGuestAttributeMachPort; +extern const CFStringRef kSecGuestAttributePid; +extern const CFStringRef kSecGuestAttributeAudit; +extern const CFStringRef kSecGuestAttributeDynamicCode; +extern const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist; +extern const CFStringRef kSecGuestAttributeArchitecture; +extern const CFStringRef kSecGuestAttributeSubarchitecture; + /*! @function SecCodeCopyGuestWithAttributes This is the omnibus API function for obtaining dynamic code references. @@ -175,14 +185,6 @@ OSStatus SecCodeCopyHost(SecCodeRef guest, SecCSFlags flags, SecCodeRef * __nonn @error errSecCSMultipleGuests The attributes specified do not uniquely identify a guest (the specification is ambiguous). */ -extern const CFStringRef kSecGuestAttributeCanonical; -extern const CFStringRef kSecGuestAttributeHash; -extern const CFStringRef kSecGuestAttributeMachPort; -extern const CFStringRef kSecGuestAttributePid; -extern const CFStringRef kSecGuestAttributeDynamicCode; -extern const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist; -extern const CFStringRef kSecGuestAttributeArchitecture; -extern const CFStringRef kSecGuestAttributeSubarchitecture; OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef __nullable host, CFDictionaryRef __nullable attributes, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED guest); 
@@ -201,6 +203,30 @@ OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef __nullable host, This call is secure against attempts to modify the file system source of the SecCode. + @param code The code object to be validated. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param requirement An optional code requirement specifying additional conditions + the code object must satisfy to be considered valid. If NULL, no additional + requirements are imposed. + @result If validation passes, errSecSuccess. If validation fails, an OSStatus value + documented in CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecCodeCheckValidity(SecCodeRef code, SecCSFlags flags, + SecRequirementRef __nullable requirement); + +/*! + @function SecCodeCheckValidityWifErrors + Performs dynamic validation of the given SecCode object. The call obtains and + verifies the signature on the code object. It checks the validity of only those + sealed components required to establish identity. It checks the SecCode's + dynamic validity status as reported by its host. It ensures that the SecCode's + host is in turn valid. Finally, it validates the code against a SecRequirement + if one is given. The call succeeds if all these conditions are satisfactory. + It fails otherwise. + + This call is secure against attempts to modify the file system source of the + SecCode. + @param code The code object to be validated. @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. @param requirement An optional code requirement specifying additional conditions 
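Review bot: The new comment block is titled `@function SecCodeCheckValidityWifErrors`; the function it documents is SecCodeCheckValidityWithErrors, so HeaderDoc attaches the description to a name that does not exist. Change it to `@function SecCodeCheckValidityWithErrors`. The description is now duplicated word for word between the two functions, and the WithErrors block does not document its `errors` parameter in the part of the comment visible in this hunk; a `@param errors` entry is the one thing that distinguishes the two.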
@@ -213,9 +239,6 @@ OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef __nullable host, @result If validation passes, errSecSuccess. If validation fails, an OSStatus value documented in CSCommon.h or certain other Security framework headers. */ -OSStatus SecCodeCheckValidity(SecCodeRef code, SecCSFlags flags, - SecRequirementRef __nullable requirement); - OSStatus SecCodeCheckValidityWithErrors(SecCodeRef code, SecCSFlags flags, SecRequirementRef __nullable requirement, CFErrorRef *errors); @@ -226,10 +249,7 @@ OSStatus SecCodeCheckValidityWithErrors(SecCodeRef code, SecCSFlags flags, code object can be found. For single files, the URL points to that file. For bundles, it points to the directory containing the entire bundle. - This returns the same URL as the kSecCodeInfoMainExecutable key returned - by SecCodeCopySigningInformation. - - @param code The Code or StaticCode object to be located. For a Code + @param staticCode The Code or StaticCode object to be located. For a Code argument, its StaticCode is processed as per SecCodeCopyStaticCode. @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. @param path On successful return, contains a CFURL identifying the location 
@@ -340,10 +360,12 @@ OSStatus SecCodeCopyDesignatedRequirement(SecStaticCodeRef code, SecCSFlags flag @constant kSecCodeInfoFormat A CFString characterizing the type and format of the code. Suitable for display to a (knowledeable) user. @constant kSecCodeInfoDigestAlgorithm A CFNumber indicating the kind of cryptographic - hash function actually used to establish integrity of the signature. + hash function chosen to establish integrity of the signature on this system, which + is the best supported algorithm from kSecCodeInfoDigestAlgorithms. @constant kSecCodeInfoDigestAlgorithms A CFArray of CFNumbers indicating the kinds of cryptographic hash functions available within the signature. The ordering of those items - has no significance. + has no significance in terms of priority, but determines the order in which + the hashes appear in kSecCodeInfoCdHashes. @constant kSecCodeInfoPlatformIdentifier If this code was signed as part of an operating system release, this value identifies that release. @constant kSecCodeInfoIdentifier A CFString with the actual signing identifier @@ -391,6 +413,11 @@ OSStatus SecCodeCopyDesignatedRequirement(SecStaticCodeRef code, SecCSFlags flag remains stable across (developer-approved) updates. The algorithm used may change from time to time. However, for any existing signature, the value is stable. + @constant kSecCodeInfoCdHashes An array containing the values of the kSecCodeInfoUnique + binary identifier for every digest algorithm supported in the signature, in the same + order as in the kSecCodeInfoDigestAlgorithms array. The kSecCodeInfoUnique value + will be contained in this array, and be the one corresponding to the + kSecCodeInfoDigestAlgorithm value. */ CF_ENUM(uint32_t) { kSecCSInternalInformation = 1 << 0, diff --git a/OSX/libsecurity_codesigning/lib/SecCodePriv.h b/OSX/libsecurity_codesigning/lib/SecCodePriv.h index 158121a9..86e1064b 100644 --- a/OSX/libsecurity_codesigning/lib/SecCodePriv.h 
+++ b/OSX/libsecurity_codesigning/lib/SecCodePriv.h @@ -42,8 +42,13 @@ extern "C" { */ extern const CFStringRef kSecCodeInfoCodeDirectory; /* Internal */ extern const CFStringRef kSecCodeInfoCodeOffset; /* Internal */ +extern const CFStringRef kSecCodeInfoDiskRepInfo; /* Internal */ extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */ +extern const CFStringRef kSecCodeInfoDiskRepOSPlatform; /* Number */ +extern const CFStringRef kSecCodeInfoDiskRepOSVersionMin; /* Number */ +extern const CFStringRef kSecCodeInfoDiskRepOSSDKVersion; /* Number */ +extern const CFStringRef kSecCodeInfoDiskRepNoLibraryValidation; /* String */ /*! @function SecCodeGetStatus 
@@ -178,6 +183,39 @@ OSStatus SecCodeSetDetachedSignature(SecStaticCodeRef code, CFDataRef signature, SecCSFlags flags); + +/* + @function SecCodeCopyComponent + For a SecStaticCodeRef, directly retrieve the binary blob for a special slot, + optionally checking that its native hash is the one given. + + @param code A code or StaticCode object. + @param slot The (positive) special slot number requested. + @param hash A CFDataRef containing the native slot hash for the slot requested. + @result NULL if anything went wrong (including a missing slot), or a CFDataRef + containing the slot data. + */ +CFDataRef SecCodeCopyComponent(SecCodeRef code, int slot, CFDataRef hash); + + +/* + @funtion SecCodeValidateFileResource + For a SecStaticCodeRef, check that a given CFData object faithfully represents + a plain-file resource in its resource seal. + This call will fail if the file is missing in the bundle, even if it is optional. + + @param code A code or StaticCode object. + @param relativePath A CFStringRef containing the relative path to a sealed resource + file. This path is relative to the resource base, which is either Contents or + the bundle root, depending on bundle format. + @param fileData A CFDataRef containing the exact contents of that resource file. + @param flags Pass kSecCSDefaultFlags. + @result noErr if fileData is the exact content of the file at relativePath at the + time it was signed. Various error codes if it is different, there was no such file, + it was not a plain file, or anything is irregular. +*/ +OSStatus SecCodeValidateFileResource(SecStaticCodeRef code, CFStringRef relativePath, CFDataRef fileData, SecCSFlags flags); + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_codesigning/lib/SecCodeSigner.cpp b/OSX/libsecurity_codesigning/lib/SecCodeSigner.cpp index bae22bd5..7d83ce7a 100644 --- a/OSX/libsecurity_codesigning/lib/SecCodeSigner.cpp +++ b/OSX/libsecurity_codesigning/lib/SecCodeSigner.cpp 
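Review bot: The new SecCodeValidateFileResource comment is headed `@funtion` (typo for `@function`), and both new comment blocks open with `/*` rather than the `/*!` HeaderDoc marker used elsewhere in this header, so documentation tooling will skip them. The SecCodeCopyComponent text says the hash check is optional but `@param hash` does not say that NULL is how to skip it, nor whether a mismatch yields NULL; make the two agree, e.g. `@param hash A CFDataRef containing the native slot hash to verify, or NULL to skip the check.`, provided that is what the implementation does, which this hunk does not show.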
@@ -60,6 +60,8 @@ const CFStringRef kSecCodeSignerPreserveMetadata = CFSTR("preserve-metadata"); const CFStringRef kSecCodeSignerTeamIdentifier = CFSTR("teamidentifier"); const CFStringRef kSecCodeSignerPlatformIdentifier = CFSTR("platform-identifier"); + + // // CF-standard type code functions // diff --git a/OSX/libsecurity_codesigning/lib/SecRequirement.h b/OSX/libsecurity_codesigning/lib/SecRequirement.h index 11cf0265..64d782f8 100644 --- a/OSX/libsecurity_codesigning/lib/SecRequirement.h +++ b/OSX/libsecurity_codesigning/lib/SecRequirement.h @@ -81,10 +81,6 @@ OSStatus SecRequirementCreateWithData(CFDataRef data, SecCSFlags flags, @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. @param requirement On successful return, contains a reference to a SecRequirement object that implements the conditions described in text. - @param errors An optional pointer to a CFErrorRef variable. If the call fails - (and something other than errSecSuccess is returned), and this argument is non-NULL, - a CFErrorRef is stored there further describing the nature and circumstances - of the failure. The caller must CFRelease() this error object when done with it. @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in CSCommon.h or certain other Security framework headers. */ diff --git a/OSX/libsecurity_codesigning/lib/SecRequirementPriv.h b/OSX/libsecurity_codesigning/lib/SecRequirementPriv.h index c7ad3683..d1bdfb4b 100644 --- a/OSX/libsecurity_codesigning/lib/SecRequirementPriv.h +++ b/OSX/libsecurity_codesigning/lib/SecRequirementPriv.h 
@@ -87,7 +87,7 @@ OSStatus SecRequirementsCopyRequirements(CFDataRef requirementSet, SecCSFlags fl @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in CSCommon.h or certain other Security framework headers. */ -enum { +typedef CF_OPTIONS(uint32_t, SecCSFlagsPriv) { kSecCSParseRequirement = 0x0001, // accept single requirements kSecCSParseRequirementSet = 0x0002, // accept requirement sets }; @@ -110,7 +110,7 @@ OSStatus SecRequirementsCreateWithString(CFStringRef text, SecCSFlags flags, recompiling the text using SecRequirementCreateWithString will produce a SecRequirement object that behaves identically to the one you start with. - @param requirements A SecRequirementRef, or a CFDataRef containing a valid requirement set. + @param input A SecRequirementRef, or a CFDataRef containing a valid requirement set. @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. @param text On successful return, contains a reference to a CFString object containing a text representation of the requirement. @@ -158,7 +158,9 @@ OSStatus SecRequirementCreateGroup(CFStringRef groupName, SecCertificateRef anch SecCSFlags flags, SecRequirementRef *requirement); - +extern CFStringRef kSecRequirementKeyInfoPlist; +extern CFStringRef kSecRequirementKeyEntitlements; +extern CFStringRef kSecRequirementKeyIdentifier; /*! @function SecRequirementEvaluate Explicitly evaluate a SecRequirementRef against context provided in the call. 
@@ -181,10 +183,6 @@ OSStatus SecRequirementCreateGroup(CFStringRef groupName, SecCertificateRef anch an entitlement dictionary. If this key is missing, all references to entitlements will fail. @constant kSecRequirementKeyIdentifier A context key providing the signing identifier as a CFString. */ -extern CFStringRef kSecRequirementKeyInfoPlist; -extern CFStringRef kSecRequirementKeyEntitlements; -extern CFStringRef kSecRequirementKeyIdentifier; - OSStatus SecRequirementEvaluate(SecRequirementRef requirement, CFArrayRef certificateChain, CFDictionaryRef context, SecCSFlags flags); diff --git a/OSX/libsecurity_codesigning/lib/SecStaticCode.cpp b/OSX/libsecurity_codesigning/lib/SecStaticCode.cpp index 18625c27..f4889f69 100644 --- a/OSX/libsecurity_codesigning/lib/SecStaticCode.cpp +++ b/OSX/libsecurity_codesigning/lib/SecStaticCode.cpp @@ -105,7 +105,6 @@ OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCodeRef, SecCSFlags f OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCodeRef, SecCSFlags flags, SecRequirementRef requirementRef, CFErrorRef *errors) { -#if !SECTRUST_OSX BEGIN_CSAPI checkFlags(flags, @@ -114,10 +113,11 @@ OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCodeRef, Se | kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources | kSecCSConsiderExpiration - | kSecCSEnforceRevocationChecks + | kSecCSEnforceRevocationChecks | kSecCSNoNetworkAccess | kSecCSCheckNestedCode | kSecCSStrictValidate + | kSecCSRestrictSidebandData | kSecCSCheckGatekeeperArchitectures | kSecCSRestrictSymlinks | kSecCSRestrictToAppLike 
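Review bot: The three kSecRequirementKey* externs now sit directly before the `/*!` block for SecRequirementEvaluate (the -158 hunk in this file) while their `@constant` descriptions remain inside that block, so the documentation follows the declarations rather than preceding them as elsewhere in the header, and the dropped blank line leaves the externs visually glued to the comment. Either move the `@constant` entries into a comment above the externs or leave the externs after the block; at minimum restore the blank line before `/*!`.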
@@ -133,56 +133,6 @@ OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCodeRef, Se
 code->staticValidate(flags, req);
 END_CSAPI_ERRORS
-#else
-#warning resolve before enabling SECTRUST_OSX: <rdar://21328880>
- OSStatus result = errSecSuccess;
- const char *func = "SecStaticCodeCheckValidity";
- CFErrorRef localErrors = NULL;
- if (!errors) { errors = &localErrors; }
- try {
- checkFlags(flags,
- kSecCSReportProgress
- | kSecCSCheckAllArchitectures
- | kSecCSDoNotValidateExecutable
- | kSecCSDoNotValidateResources
- | kSecCSConsiderExpiration
- | kSecCSEnforceRevocationChecks
- | kSecCSNoNetworkAccess
- | kSecCSCheckNestedCode
- | kSecCSStrictValidate
- | kSecCSCheckGatekeeperArchitectures
- );
-
- if (errors)
- flags |= kSecCSFullReport; // internal-use flag
-
- SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(staticCodeRef);
- code->setValidationFlags(flags);
- const SecRequirement *req = SecRequirement::optional(requirementRef);
- DTRACK(CODESIGN_EVAL_STATIC, code, (char*)code->mainExecutablePath().c_str());
- code->staticValidate(flags, req);
- }
- catch (...) {
- // the actual error being thrown is not being caught by any of the
- // type-specific blocks contained in the END_CSAPI_ERRORS macro,
- // so we only have the catch-all block here for now.
- result = errSecCSInternalError;
- }
-
- if (errors && *errors) {
- CFShow(errors);
- CFRelease(errors);
- *errors = NULL;
- }
- if (result == errSecCSInternalError) {
- #if !NDEBUG
- Security::Syslog::error("WARNING: %s ignored error %d", func, (int)result);
- #endif
- result = errSecSuccess;
- }
- return result;
-
-#endif
 }
@@ -323,3 +273,36 @@ OSStatus SecStaticCodeCancelValidation(SecStaticCodeRef codeRef, SecCSFlags flag
 END_CSAPI
 }
+
+
+ //
+ // Retrieve a component object for a special slot directly.
+ //
+CFDataRef SecCodeCopyComponent(SecCodeRef codeRef, int slot, CFDataRef hash)
+{
+ BEGIN_CSAPI
+
+ SecStaticCode* code = SecStaticCode::requiredStatic(codeRef);
+ return code->copyComponent(slot, hash);
+
+ END_CSAPI1(NULL)
+}
+
+
+ //
+ // Validate a single plain file's resource seal against a memory copy.
+ // This will fail for any other file type (symlink, directory, nested code, etc. etc.)
+ //
+OSStatus SecCodeValidateFileResource(SecStaticCodeRef codeRef, CFStringRef relativePath, CFDataRef fileData, SecCSFlags flags)
+{
+ BEGIN_CSAPI
+
+ checkFlags(0);
+ if (fileData == NULL)
+ MacOSError::throwMe(errSecCSObjectRequired);
+ SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
+ code->validatePlainMemoryResource(cfString(relativePath), fileData, flags);
+
+ END_CSAPI
+
+}
diff --git a/OSX/libsecurity_codesigning/lib/SecStaticCode.h b/OSX/libsecurity_codesigning/lib/SecStaticCode.h
index c8f9d40e..3e5a292d 100644
--- a/OSX/libsecurity_codesigning/lib/SecStaticCode.h
+++ b/OSX/libsecurity_codesigning/lib/SecStaticCode.h
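Review bot: `checkFlags(0)` in SecCodeValidateFileResource validates the literal 0 instead of the caller's `flags`, so any flag bits a caller passes are neither rejected nor vetted before being forwarded to validatePlainMemoryResource; the header says "Pass kSecCSDefaultFlags", and `checkFlags(flags);` is what enforces it. `relativePath` is also forwarded through cfString without the NULL check that `fileData` gets on the next line; unless cfString tolerates NULL, add `if (relativePath == NULL) MacOSError::throwMe(errSecCSObjectRequired);`. SecCodeCopyComponent takes a SecCodeRef while its header comment speaks of a SecStaticCodeRef; requiredStatic accepts either, but the declaration and its documentation should agree.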
@@ -71,12 +71,42 @@ CFTypeID SecStaticCodeGetTypeID(void); may cause the bundle to be misconstrued. If you expect to submit such paths, first clean them with realpath(3) or equivalent. @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. - @param attributes A CFDictionary containing additional attributes of the code sought. @param staticCode On successful return, contains a reference to the StaticCode object representing the code at path. Unchanged on error. @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecStaticCodeCreateWithPath(CFURLRef path, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode); + +extern const CFStringRef kSecCodeAttributeArchitecture; +extern const CFStringRef kSecCodeAttributeSubarchitecture; +extern const CFStringRef kSecCodeAttributeUniversalFileOffset; +extern const CFStringRef kSecCodeAttributeBundleVersion; + +/*! + @function SecStaticCodeCreateWithPathAndAttributes + Given a path to a file system object, create a SecStaticCode object representing + the code at that location, if possible. Such a SecStaticCode is not inherently + linked to running code in the system. + It is possible to create a SecStaticCode object from an unsigned code object. + Most uses of such an object will return the errSecCSUnsigned error. However, + SecCodeCopyPath and SecCodeCopySigningInformation can be safely applied to such objects. + + @param path A path to a location in the file system. Only file:// URLs are + currently supported. For bundles, pass a URL to the root directory of the + bundle. For single files, pass a URL to the file. If you pass a URL to the + main executable of a bundle, the bundle as a whole will be generally recognized. + Caution: Paths containing embedded // or /../ within a bundle's directory + may cause the bundle to be misconstrued. 
If you expect to submit such paths, + first clean them with realpath(3) or equivalent. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param attributes A CFDictionary containing additional attributes of the code sought. + @param staticCode On successful return, contains a reference to the StaticCode object + representing the code at path. Unchanged on error. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. + @constant kSecCodeAttributeArchitecture Specifies the Mach-O architecture of code desired. This can be a CFString containing a canonical architecture name ("i386" etc.), or a CFNumber specifying an architecture numerically (see mach/machine.h). This key is ignored if the code @@ -88,13 +118,6 @@ CFTypeID SecStaticCodeGetTypeID(void); if the code is not in Mach-O form. @constant kSecCodeAttributeUniversalFileOffset The offset of a Mach-O specific slice of a universal Mach-O file. */ -extern const CFStringRef kSecCodeAttributeArchitecture; -extern const CFStringRef kSecCodeAttributeSubarchitecture; -extern const CFStringRef kSecCodeAttributeUniversalFileOffset; -extern const CFStringRef kSecCodeAttributeBundleVersion; - -OSStatus SecStaticCodeCreateWithPath(CFURLRef path, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode); - OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode); @@ -152,6 +175,7 @@ CF_ENUM(uint32_t) { kSecCSCheckGatekeeperArchitectures = (1 << 6) | kSecCSCheckAllArchitectures, kSecCSRestrictSymlinks = 1 << 7, kSecCSRestrictToAppLike = 1 << 8, + kSecCSRestrictSidebandData = 1 << 9, }; OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCode, SecCSFlags flags, 
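Review bot: The new `kSecCSRestrictSidebandData = 1 << 9` is the only member in this hunk's enum without a trailing comment, and nothing in the header's visible `@constant` text mentions it, so a caller sees a flag that SecStaticCodeCheckValidityWithErrors and SecCodeCheckValidityWithErrors now accept but has no stated meaning or failure code. The companion changes in this commit add `kSecCFErrorResourceSideband` and include `<sys/xattr.h>`, which suggests it rejects sealed resources carrying extended-attribute data, but that is inference from the diff. Propose `kSecCSRestrictSidebandData = 1 << 9, // fail validation when sealed resources carry sideband data (reported as kSecCFErrorResourceSideband)` plus a matching `@constant` entry, with the wording confirmed against StaticCode.cpp.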
diff --git a/OSX/libsecurity_codesigning/lib/SecTask.c b/OSX/libsecurity_codesigning/lib/SecTask.c index c2b358e8..6639f459 100644 --- a/OSX/libsecurity_codesigning/lib/SecTask.c +++ b/OSX/libsecurity_codesigning/lib/SecTask.c @@ -217,9 +217,7 @@ static int SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error) } if (errno != ERANGE) { // ERANGE means "your buffer is too small, it now tells you how much you need - // Everything else is a real error, so yell - syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d", errno); // to ease diagnostics - // EINVAL is what the kernel says for unsigned code, so we'll have to let that pass + // EINVAL is what the kernel says for unsigned code AND broken code, so we'll have to let that pass if (errno == EINVAL) { task->entitlementsLoaded = true; return 0; 
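Review bot: Removing the syslog call drops the only diagnostic for non-ERANGE failures, including the ones that are not EINVAL and presumably fall through to the error path below the hunk; the deleted line logged every such case, not only unsigned code. Logging only the non-EINVAL case keeps the signal without the noise the change was presumably after: `if (errno != EINVAL) syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d", errno);` placed before the existing `if (errno == EINVAL)`. The new comment also makes EINVAL from broken code indistinguishable from unsigned code (entitlementsLoaded set, no entitlements); that is the safe outcome for callers that gate on entitlements, but a caller wanting to tell "unsigned" from "signature invalid" cannot, which the comment should say. SecTaskLoadEntitlements continues outside the hunk.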
@@ -314,3 +312,55 @@ Boolean SecTaskEntitlementsValidated(SecTaskRef task) {
 int rc = csops_task(task, CS_OPS_STATUS, &csflags, sizeof(csflags));
 return rc != -1 && ((csflags & mask) == mask);
 }
+
+CFStringRef
+SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
+{
+ CFStringRef signingId = NULL;
+ char *data = NULL;
+ struct csheader header;
+ uint32_t bufferlen;
+ int ret;
+
+ ret = csops_task(task, CS_OPS_IDENTITY, &header, sizeof(header));
+ if (ret != -1 || errno != ERANGE)
+ return NULL;
+
+ bufferlen = ntohl(header.length);
+ /* check for insane values */
+ if (bufferlen > 1024 * 1024 || bufferlen < 8) {
+ ret = EINVAL;
+ goto out;
+ }
+ data = malloc(bufferlen + 1);
+ if (data == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+ ret = csops_task(task, CS_OPS_IDENTITY, data, bufferlen);
+ if (ret) {
+ ret = errno;
+ goto out;
+ }
+ data[bufferlen] = '\0';
+
+ signingId = CFStringCreateWithCString(NULL, data + 8, kCFStringEncodingUTF8);
+
+out:
+ if (data)
+ free(data);
+ if (ret && error)
+ *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);
+
+ return signingId;
+}
+
+uint32_t
+SecTaskGetCodeSignStatus(SecTaskRef task)
+{
+ uint32_t flags = 0;
+ if (csops_task(task, CS_OPS_STATUS, &flags, sizeof(flags)) != 0)
+ return 0;
+ return flags;
+}
+
diff --git a/OSX/libsecurity_codesigning/lib/SecTask.h b/OSX/libsecurity_codesigning/lib/SecTask.h
index 90674a35..7ea6df93 100644
--- a/OSX/libsecurity_codesigning/lib/SecTask.h
+++ b/OSX/libsecurity_codesigning/lib/SecTask.h
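Review bot: SecTaskCopySigningIdentifier can return NULL without setting *error on two paths, contradicting the contract added in SecTask.h ("On a NULL return, this will contain a CFError describing the problem"): the early `return NULL` when the first csops_task call does not fail with ERANGE, and the fall-through where CFStringCreateWithCString returns NULL for non-UTF-8 identifier bytes while ret is still 0. Suggest `if (ret != -1 || errno != ERANGE) { ret = (ret == -1) ? errno : EINVAL; goto out; }` and, after the CFStringCreateWithCString call, `if (signingId == NULL) ret = EINVAL;`, so every NULL return carries a POSIX error. The literal 8 in `data + 8` is the size of the csheader the kernel prepends and would read better as `data + sizeof(header)`, and `if (data) free(data);` can simply be `free(data);`. SecTaskGetCodeSignStatus returns 0 both on csops_task failure and for a task with no flags set, which its SecTaskPriv.h comment should state.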
@@ -103,6 +103,21 @@ CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef task, CFStringRef entitlemen __nullable CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef entitlements, CFErrorRef *error); + + +/*! + @function SecTaskCopySigningIdentifier + @abstract Return the value of the codesigning identifier. + @param task A previously created SecTask object + @param error On a NULL return, this will contain a CFError describing + the problem. This argument may be NULL if the caller is not interested in + detailed errors. The caller must CFRelease the returned value. + */ + +__nullable +CFStringRef +SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error); + CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END diff --git a/OSX/libsecurity_codesigning/lib/SecTaskPriv.h b/OSX/libsecurity_codesigning/lib/SecTaskPriv.h index 0190ee5b..8ab2469c 100644 --- a/OSX/libsecurity_codesigning/lib/SecTaskPriv.h +++ b/OSX/libsecurity_codesigning/lib/SecTaskPriv.h @@ -49,6 +49,16 @@ OSStatus SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement) */ Boolean SecTaskEntitlementsValidated(SecTaskRef task); + +/*! + @function SecTaskGetCodeSignStatus + @abstract Get code signing flags + @param task A previously created SecTask object +*/ + +uint32_t +SecTaskGetCodeSignStatus(SecTaskRef task); + #if defined(__cplusplus) } #endif diff --git a/OSX/libsecurity_codesigning/lib/StaticCode.cpp b/OSX/libsecurity_codesigning/lib/StaticCode.cpp index 0b993cc7..20c6d40a 100644 --- a/OSX/libsecurity_codesigning/lib/StaticCode.cpp +++ b/OSX/libsecurity_codesigning/lib/StaticCode.cpp @@ -49,6 +49,7 @@ #include <Security/CMSDecoder.h> #include <security_utilities/logging.h> #include <dirent.h> +#include <sys/xattr.h> #include <sstream> #include <IOKit/storage/IOStorageDeviceCharacteristics.h> #include <dispatch/private.h> 
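Review bot: The SecTaskPriv.h comment for SecTaskGetCodeSignStatus documents the parameter but not the return value, and the SecTask.c implementation returns 0 both when csops_task fails and when the task genuinely has no code-signing flags, so callers cannot tell "error" from "unsigned". Suggest adding `@result The task's code-signing status flags, or 0 if they could not be retrieved` to that block. In SecTask.h the sentence "The caller must CFRelease the returned value" sits under @param error although it describes the result; it belongs in a separate @result line together with the fact that NULL is returned when the task has no signing identifier.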
@@ -378,11 +379,23 @@ const CodeDirectory *SecStaticCode::codeDirectory(bool check /* = true */) const { if (!mDir) { // pick our favorite CodeDirectory from the choices we've got - CodeDirectoryMap candidates; - if (loadCodeDirectories(candidates)) { - CodeDirectory::HashAlgorithm type = CodeDirectory::bestHashOf(mHashAlgorithms); - mDir = candidates[type]; // and the winner is... - candidates.swap(mCodeDirectories); + try { + CodeDirectoryMap candidates; + if (loadCodeDirectories(candidates)) { + CodeDirectory::HashAlgorithm type = CodeDirectory::bestHashOf(mHashAlgorithms); + mDir = candidates[type]; // and the winner is... + candidates.swap(mCodeDirectories); + } + } catch (...) { + if (check) + throw; + // We wanted a NON-checked peek and failed to safely decode the existing CodeDirectory. + // Pretend this is unsigned, but make sure we didn't somehow cache an invalid CodeDirectory. + if (mDir) { + assert(false); + Syslog::warning("code signing internal problem: mDir set despite exception exit"); + MacOSError::throwMe(errSecCSInternalError); + } } } if (mDir) @@ -400,6 +413,8 @@ const CodeDirectory *SecStaticCode::codeDirectory(bool check /* = true */) const bool SecStaticCode::loadCodeDirectories(CodeDirectoryMap& cdMap) const { __block CodeDirectoryMap candidates; + __block CodeDirectory::HashAlgorithms hashAlgorithms; + __block CFRef<CFDataRef> baseDir; auto add = ^bool (CodeDirectory::SpecialSlot slot){ CFRef<CFDataRef> cdData = diskRep()->component(slot); if (!cdData) 
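Review bot: In the new catch(...) of codeDirectory(), the non-check path swallows the decode failure silently and treats the object as unsigned, whereas the catch blocks this same commit touches in validateDirectory and validateExecutable now emit a Syslog::notice; a corrupted CodeDirectory that is only peeked at unchecked leaves no trace. Suggest `secinfo("staticCode", "%p unchecked CodeDirectory load failed; treating as unsigned", this);` before the `if (mDir)` guard. The `assert(false)` inside that guard is compiled out in release builds, so the Syslog::warning and throw that follow are the only real defence there, which is fine but worth a comment. codeDirectory() continues past the hunk.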
@@ -410,10 +425,10 @@ bool SecStaticCode::loadCodeDirectories(CodeDirectoryMap& cdMap) const cd->checkIntegrity(); auto result = candidates.insert(make_pair(cd->hashType, cdData.get())); if (!result.second) - MacOSError::throwMe(errSecCSSignatureFailed); // duplicate hashType, go to heck - mHashAlgorithms.insert(cd->hashType); + MacOSError::throwMe(errSecCSSignatureInvalid); // duplicate hashType, go to heck + hashAlgorithms.insert(cd->hashType); if (slot == cdCodeDirectorySlot) - mBaseDir = cdData; + baseDir = cdData; return true; }; if (!add(cdCodeDirectorySlot)) @@ -423,7 +438,10 @@ bool SecStaticCode::loadCodeDirectories(CodeDirectoryMap& cdMap) const break; if (candidates.empty()) MacOSError::throwMe(errSecCSSignatureFailed); // no viable CodeDirectory in sight + // commit to cached values cdMap.swap(candidates); + mHashAlgorithms.swap(hashAlgorithms); + mBaseDir = baseDir; return true; } @@ -504,8 +522,9 @@ void SecStaticCode::validateDirectory() mValidationResult = err.osStatus(); throw; } catch (...) { - secdebug("staticCode", "%p validation threw non-common exception", this); + secinfo("staticCode", "%p validation threw non-common exception", this); mValidated = true; + Syslog::notice("code signing internal problem: unknown exception thrown by validation"); mValidationResult = errSecCSInternalError; throw; } 
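Review bot: The Syslog::notice added in validateDirectory's catch(...) uses the text "unknown exception thrown by validation", and the identical literal is added to the catch(...) blocks of validateExecutable and validateResources further down, so the syslog entry no longer identifies which validation phase failed. Suggest naming the phase, e.g. `Syslog::notice("code signing internal problem: unknown exception thrown by directory validation");` here, with "executable" and "resource" in the other two. The surrounding functions start and end outside the hunks.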
@@ -613,11 +632,12 @@ bool SecStaticCode::verifySignature() MacOSError::check(CMSDecoderSetDetachedContent(cms, mBaseDir)); MacOSError::check(CMSDecoderFinalizeMessage(cms)); MacOSError::check(CMSDecoderSetSearchKeychain(cms, cfEmptyArray())); - CFRef<CFArrayRef> vf_policies = verificationPolicies(); - CFRef<CFArrayRef> ts_policies = SecPolicyCreateAppleTimeStampingAndRevocationPolicies(vf_policies); - CMSSignerStatus status; - MacOSError::check(CMSDecoderCopySignerStatus(cms, 0, vf_policies, - false, &status, &mTrust.aref(), NULL)); + CFRef<CFArrayRef> vf_policies(verificationPolicies()); + CFRef<CFArrayRef> ts_policies(SecPolicyCreateAppleTimeStampingAndRevocationPolicies(vf_policies)); + + CMSSignerStatus status; + MacOSError::check(CMSDecoderCopySignerStatus(cms, 0, vf_policies, + false, &status, &mTrust.aref(), NULL)); if (status != kCMSSignerValid) { const char *reason; @@ -633,7 +653,7 @@ bool SecStaticCode::verifySignature() reason, (int)status); MacOSError::throwMe(errSecCSSignatureFailed); } - + // retrieve auxiliary data bag and verify against current state CFRef<CFDataRef> hashBag; switch (OSStatus rc = CMSDecoderCopySignerAppleCodesigningHashAgility(cms, 0, &hashBag.aref())) { @@ -678,13 +698,17 @@ bool SecStaticCode::verifySignature() if (mValidationFlags & kSecCSNoNetworkAccess) { MacOSError::check(SecTrustSetNetworkFetchAllowed(mTrust,false)); // no network? } +#if !SECTRUST_OSX MacOSError::check(SecTrustSetKeychains(mTrust, cfEmptyArray())); // no keychains - +#else + MacOSError::check(SecTrustSetKeychainsAllowed(mTrust, false)); +#endif + CSSM_APPLE_TP_ACTION_DATA actionData = { CSSM_APPLE_TP_ACTION_VERSION, // version of data structure 0 // action flags }; - + if (!(mValidationFlags & kSecCSCheckTrustedAnchors)) { /* no need to evaluate anchor trust when building cert chain */ MacOSError::check(SecTrustSetAnchorCertificates(mTrust, cfEmptyArray())); // no anchors 
@@ -713,12 +737,13 @@ bool SecStaticCode::verifySignature() CFRef<CFStringRef> teamIDFromCD = CFStringCreateWithCString(NULL, teamID(), kCFStringEncodingUTF8); if (!teamIDFromCD) { Security::Syslog::error("Could not get team identifier (%s)", teamID()); - MacOSError::throwMe(errSecCSInternalError); + MacOSError::throwMe(errSecCSInvalidTeamIdentifier); } if (CFStringCompare(teamIDFromCert, teamIDFromCD, 0) != kCFCompareEqualTo) { - Security::Syslog::error("Team identifier in the signing certificate (%s) does not match the team identifier (%s) in the code directory", cfString(teamIDFromCert).c_str(), teamID()); - MacOSError::throwMe(errSecCSSignatureInvalid); + Security::Syslog::error("Team identifier in the signing certificate (%s) does not match the team identifier (%s) in the code directory", + cfString(teamIDFromCert).c_str(), teamID()); + MacOSError::throwMe(errSecCSBadTeamIdentifier); } } } @@ -784,6 +809,7 @@ bool SecStaticCode::verifySignature() // This may be a simple SecPolicyRef or a CFArray of policies. // The caller owns the return value. // +#if !SECTRUST_OSX static SecPolicyRef makeCRLPolicy() { CFRef<SecPolicyRef> policy; 
@@ -809,23 +835,35 @@ static SecPolicyRef makeOCSPPolicy() MacOSError::check(SecPolicySetValue(policy, &optData)); return policy.yield(); } +#else +static SecPolicyRef makeRevocationPolicy(CFOptionFlags flags) +{ + CFRef<SecPolicyRef> policy(SecPolicyCreateRevocation(flags)); + return policy.yield(); +} +#endif CFArrayRef SecStaticCode::verificationPolicies() { CFRef<SecPolicyRef> core; MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_CODE_SIGNING, &core.aref())); - if (mValidationFlags & kSecCSNoNetworkAccess) { - // Skips all revocation since they require network connectivity - // therefore annihilates kSecCSEnforceRevocationChecks if present - CFRef<SecPolicyRef> no_revoc = SecPolicyCreateRevocation(kSecRevocationNetworkAccessDisabled); - return makeCFArray(2, core.get(), no_revoc.get()); - } + if (mValidationFlags & kSecCSNoNetworkAccess) { + // Skips all revocation since they require network connectivity + // therefore annihilates kSecCSEnforceRevocationChecks if present + CFRef<SecPolicyRef> no_revoc = makeRevocationPolicy(kSecRevocationNetworkAccessDisabled); + return makeCFArray(2, core.get(), no_revoc.get()); + } else if (mValidationFlags & kSecCSEnforceRevocationChecks) { - // Add CRL and OCSPPolicies + // Add CRL and OCSP policies +#if !SECTRUST_OSX CFRef<SecPolicyRef> crl = makeCRLPolicy(); CFRef<SecPolicyRef> ocsp = makeOCSPPolicy(); return makeCFArray(3, core.get(), crl.get(), ocsp.get()); +#else + CFRef<SecPolicyRef> revoc = makeRevocationPolicy(kSecRevocationUseAnyAvailableMethod); + return makeCFArray(2, core.get(), revoc.get()); +#endif } else { return makeCFArray(1, core.get()); } 
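Review bot: makeRevocationPolicy hands whatever SecPolicyCreateRevocation returns straight to the caller via yield(); like other CF creation functions it may return NULL, and verificationPolicies then passes that into makeCFArray, which would either crash or yield an array holding a null policy (makeCFArray is not visible here), so the evaluation would silently proceed without a revocation policy. Suggest `if (!policy) MacOSError::throwMe(errSecCSInternalError);` before `return policy.yield();`, matching how the !SECTRUST_OSX path checks its policy calls through MacOSError::check. The `// Add CRL and OCSP policies` comment no longer describes the SECTRUST_OSX branch, which installs a single combined revocation policy.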
@@ -898,9 +936,10 @@ void SecStaticCode::validateExecutable() mExecutableValidResult = err.osStatus(); throw; } catch (...) { - secdebug("staticCode", "%p executable validation threw non-common exception", this); + secinfo("staticCode", "%p executable validation threw non-common exception", this); mExecutableValidated = true; mExecutableValidResult = errSecCSInternalError; + Syslog::notice("code signing internal problem: unknown exception thrown by validation"); throw; } } @@ -942,18 +981,11 @@ void SecStaticCode::validateResources(SecCSFlags flags) } try { - // sanity first - CFDictionaryRef sealedResources = resourceDictionary(); - if (this->resourceBase()) // disk has resources - if (sealedResources) - /* go to work below */; - else - MacOSError::throwMe(errSecCSResourcesNotFound); - else // disk has no resources - if (sealedResources) - MacOSError::throwMe(errSecCSResourcesNotFound); - else - return; // no resources, not sealed - fine (no work) + CFDictionaryRef rules; + CFDictionaryRef files; + uint32_t version; + if (!loadResources(rules, files, version)) + return; // validly no resources; nothing to do (ok) // found resources, and they are sealed DTRACK(CODESIGN_EVAL_STATIC_RESOURCES, this, 
@@ -962,22 +994,6 @@ void SecStaticCode::validateResources(SecCSFlags flags) // scan through the resources on disk, checking each against the resourceDirectory mResourcesValidContext = new CollectingContext(*this); // collect all failures in here - // use V2 resource seal if available, otherwise fall back to V1 - CFDictionaryRef rules; - CFDictionaryRef files; - uint32_t version; - if (CFDictionaryGetValue(sealedResources, CFSTR("files2"))) { // have V2 signature - rules = cfget<CFDictionaryRef>(sealedResources, "rules2"); - files = cfget<CFDictionaryRef>(sealedResources, "files2"); - version = 2; - } else { // only V1 available - rules = cfget<CFDictionaryRef>(sealedResources, "rules"); - files = cfget<CFDictionaryRef>(sealedResources, "files"); - version = 1; - } - if (!rules || !files) - MacOSError::throwMe(errSecCSResourcesInvalid); - // check for weak resource rules bool strict = flags & kSecCSStrictValidate; if (strict) { @@ -1014,7 +1030,7 @@ void SecStaticCode::validateResources(SecCSFlags flags) unsigned leftovers = unsigned(CFDictionaryGetCount(resourceMap)); if (leftovers > 0) { - secdebug("staticCode", "%d sealed resource(s) not found in code", int(leftovers)); + secinfo("staticCode", "%d sealed resource(s) not found in code", int(leftovers)); CFDictionaryApplyFunction(resourceMap, SecStaticCode::checkOptionalResource, mResourcesValidContext); } @@ -1029,10 +1045,11 @@ void SecStaticCode::validateResources(SecCSFlags flags) mResourcesValidResult = err.osStatus(); throw; } catch (...) { - secdebug("staticCode", "%p executable validation threw non-common exception", this); + secinfo("staticCode", "%p executable validation threw non-common exception", this); mResourcesValidated = true; mResourcesDeep = flags & kSecCSCheckNestedCode; mResourcesValidResult = errSecCSInternalError; + Syslog::notice("code signing internal problem: unknown exception thrown by validation"); throw; } } 
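Review bot: The secinfo in validateResources' catch(...) still reads `"%p executable validation threw non-common exception"`, which is the message from validateExecutable; this commit only changed secdebug to secinfo and kept the misleading text, so a resource-validation failure is logged as an executable one. Suggest `secinfo("staticCode", "%p resource validation threw non-common exception", this);`. validateResources begins and ends outside this hunk.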
@@ -1044,6 +1061,38 @@ void SecStaticCode::validateResources(SecCSFlags flags) } +bool SecStaticCode::loadResources(CFDictionaryRef& rules, CFDictionaryRef& files, uint32_t& version) +{ + // sanity first + CFDictionaryRef sealedResources = resourceDictionary(); + if (this->resourceBase()) { // disk has resources + if (sealedResources) + /* go to work below */; + else + MacOSError::throwMe(errSecCSResourcesNotFound); + } else { // disk has no resources + if (sealedResources) + MacOSError::throwMe(errSecCSResourcesNotFound); + else + return false; // no resources, not sealed - fine (no work) + } + + // use V2 resource seal if available, otherwise fall back to V1 + if (CFDictionaryGetValue(sealedResources, CFSTR("files2"))) { // have V2 signature + rules = cfget<CFDictionaryRef>(sealedResources, "rules2"); + files = cfget<CFDictionaryRef>(sealedResources, "files2"); + version = 2; + } else { // only V1 available + rules = cfget<CFDictionaryRef>(sealedResources, "rules"); + files = cfget<CFDictionaryRef>(sealedResources, "files"); + version = 1; + } + if (!rules || !files) + MacOSError::throwMe(errSecCSResourcesInvalid); + return true; +} + + void SecStaticCode::checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context) { ValidationContext *ctx = static_cast<ValidationContext *>(context); @@ -1075,8 +1124,10 @@ bool SecStaticCode::hasWeakResourceRules(CFDictionaryRef rulesDict, uint32_t ver { // compute allowed omissions CFRef<CFArrayRef> defaultOmissions = this->diskRep()->allowedResourceOmissions(); - if (!defaultOmissions) + if (!defaultOmissions) { + Syslog::notice("code signing internal problem: diskRep returned no allowedResourceOmissions"); MacOSError::throwMe(errSecCSInternalError); + } CFRef<CFMutableArrayRef> allowed = CFArrayCreateMutableCopy(NULL, 0, defaultOmissions); if (allowedOmissions) CFArrayAppendArray(allowed, allowedOmissions, CFRangeMake(0, CFArrayGetCount(allowedOmissions))); 
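Review bot: loadResources keeps the `if (sealedResources) /* go to work below */; else MacOSError::throwMe(...)` shape from the code it was lifted out of; the empty statement is easy to misread and the four-way branch collapses to two guards. Suggest `const bool onDisk = this->resourceBase() != NULL, sealed = sealedResources != NULL;` then `if (onDisk != sealed) MacOSError::throwMe(errSecCSResourcesNotFound);` and `if (!onDisk) return false; // no resources, not sealed - fine (no work)`. On the `return false` path the `rules`/`files`/`version` out-parameters are left untouched; both callers visible in this diff (validateResources, validatePlainMemoryResource) bail out immediately, but the declaration comment in StaticCode.h should state that the outputs are only valid when true is returned.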
@@ -1109,7 +1160,7 @@ CFDictionaryRef SecStaticCode::infoDictionary() { if (!mInfoDict) { mInfoDict.take(getDictionary(cdInfoSlot, errSecCSInfoPlistFailed)); - secdebug("staticCode", "%p loaded InfoDict %p", this, mInfoDict.get()); + secinfo("staticCode", "%p loaded InfoDict %p", this, mInfoDict.get()); } return mInfoDict; } @@ -1123,7 +1174,7 @@ CFDictionaryRef SecStaticCode::entitlements() const EntitlementBlob *blob = reinterpret_cast<const EntitlementBlob *>(CFDataGetBytePtr(entitlementData)); if (blob->validateBlob()) { mEntitlements.take(blob->entitlements()); - secdebug("staticCode", "%p loaded Entitlements %p", this, mEntitlements.get()); + secinfo("staticCode", "%p loaded Entitlements %p", this, mEntitlements.get()); } // we do not consider a different blob type to be an error. We think it's a new format we don't understand } @@ -1137,13 +1188,31 @@ CFDictionaryRef SecStaticCode::resourceDictionary(bool check /* = true */) return mResourceDict; if (CFRef<CFDictionaryRef> dict = getDictionary(cdResourceDirSlot, check)) if (cfscan(dict, "{rules=%Dn,files=%Dn}")) { - secdebug("staticCode", "%p loaded ResourceDict %p", + secinfo("staticCode", "%p loaded ResourceDict %p", this, mResourceDict.get()); return mResourceDict = dict; } // bad format return NULL; } + + +CFDataRef SecStaticCode::copyComponent(CodeDirectory::SpecialSlot slot, CFDataRef hash) +{ + const CodeDirectory* cd = this->codeDirectory(); + if (CFCopyRef<CFDataRef> component = this->component(slot)) { + if (hash) { + const void *slotHash = (*cd)[slot]; + if (cd->hashSize != CFDataGetLength(hash) || 0 != memcmp(slotHash, CFDataGetBytePtr(hash), cd->hashSize)) { + Syslog::notice("copyComponent hash mismatch slot %d length %d", slot, int(CFDataGetLength(hash))); + return NULL; // mismatch + } + } + return component.yield(); + } + return NULL; +} + // 
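Review bot: copyComponent dereferences `cd` in `(*cd)[slot]` and `cd->hashSize` without checking it; codeDirectory() is called with its default check argument, and the codeDirectory() hunk above does not show whether that path throws or returns NULL for an object with no usable CodeDirectory, so if NULL is possible a caller passing a hash hits a null dereference. Suggest `if (!cd) MacOSError::throwMe(errSecCSUnsigned);` right after the assignment. The comparison `cd->hashSize != CFDataGetLength(hash)` mixes an unsigned hash size with a signed CFIndex; a `(size_t)` cast on the CFDataGetLength result makes the intent explicit and silences -Wsign-compare. The function is new public API per StaticCode.h and has no comment stating that a mismatch returns NULL rather than throwing.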
@@ -1181,64 +1250,25 @@ CFDictionaryRef SecStaticCode::getDictionary(CodeDirectory::SpecialSlot slot, bo return NULL; } - -// -// Load, validate, and return a sealed resource. -// The resource data (loaded in to memory as a blob) is returned and becomes -// the responsibility of the caller; it is NOT cached by SecStaticCode. // -// A resource that is not sealed will not be returned, and an error will be thrown. -// A missing resource will cause an error unless it's marked optional in the Directory. -// Under no circumstances will a corrupt resource be returned. -// NULL will only be returned for a resource that is neither sealed nor present -// (or that is sealed, absent, and marked optional). -// If the ResourceDictionary itself is not sealed, this function will always fail. // -// There is currently no interface for partial retrieval of the resource data. -// (Since the ResourceDirectory does not currently support segmentation, all the -// data would have to be read anyway, but it could be read into a reusable buffer.) 
// -CFDataRef SecStaticCode::resource(string path, ValidationContext &ctx) +CFDictionaryRef SecStaticCode::diskRepInformation() { - if (CFDictionaryRef rdict = resourceDictionary()) { - if (CFTypeRef file = cfget(rdict, "files.%s", path.c_str())) { - ResourceSeal seal(file); - if (!resourceBase()) // no resources in DiskRep - MacOSError::throwMe(errSecCSResourcesNotFound); - if (seal.nested()) - MacOSError::throwMe(errSecCSResourcesNotSealed); // (it's nested code) - CFRef<CFURLRef> fullpath = makeCFURL(path, false, resourceBase()); - if (CFRef<CFDataRef> data = cfLoadFile(fullpath)) { - MakeHash<CodeDirectory> hasher(this->codeDirectory()); - hasher->update(CFDataGetBytePtr(data), CFDataGetLength(data)); - if (hasher->verify(seal.hash(hashAlgorithm()))) - return data.yield(); // good - else - ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered - } else { - if (!seal.optional()) - ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing - else - return NULL; // validly missing - } - } else - ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase())); - return NULL; - } else - MacOSError::throwMe(errSecCSResourcesNotSealed); + return mRep->diskRepInformation(); } -CFDataRef SecStaticCode::resource(string path) -{ - ValidationContext ctx(*this); - return resource(path, ctx); -} void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version) { if (!resourceBase()) // no resources in DiskRep MacOSError::throwMe(errSecCSResourcesNotFound); CFRef<CFURLRef> fullpath = makeCFURL(path, false, resourceBase()); + if (version > 1 && ((flags & (kSecCSStrictValidate|kSecCSRestrictSidebandData)) == (kSecCSStrictValidate|kSecCSRestrictSidebandData))) { + AutoFileDesc fd(cfString(fullpath)); + if (fd.hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || 
fd.hasExtendedAttribute(XATTR_FINDERINFO_NAME)) + ctx.reportProblem(errSecCSInvalidAssociatedFileData, kSecCFErrorResourceSideband, fullpath); + } if (CFTypeRef file = CFDictionaryGetValue(files, CFTempString(path))) { ResourceSeal seal(file); const ResourceSeal& rseal = seal; @@ -1283,6 +1313,24 @@ void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool is ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase())); } +void SecStaticCode::validatePlainMemoryResource(string path, CFDataRef fileData, SecCSFlags flags) +{ + CFDictionaryRef rules; + CFDictionaryRef files; + uint32_t version; + if (!loadResources(rules, files, version)) + MacOSError::throwMe(errSecCSResourcesNotFound); // no resources sealed; this can't be right + if (CFTypeRef file = CFDictionaryGetValue(files, CFTempString(path))) { + ResourceSeal seal(file); + const Byte *sealHash = seal.hash(hashAlgorithm()); + if (sealHash) { + if (codeDirectory()->verifyMemoryContent(fileData, sealHash)) + return; // success + } + } + MacOSError::throwMe(errSecCSBadResource); +} + void SecStaticCode::validateSymlinkResource(std::string fullpath, std::string seal, ValidationContext &ctx, SecCSFlags flags) { static const char* const allowedDestinations[] = { @@ -1344,7 +1392,7 @@ void SecStaticCode::validateNestedCode(CFURLRef path, const ResourceSeal &seal, // recursively verify this nested code try { if (!(flags & kSecCSCheckNestedCode)) - flags |= kSecCSBasicValidateOnly; + flags |= kSecCSBasicValidateOnly | kSecCSQuickCheck; SecPointer<SecStaticCode> code = new SecStaticCode(DiskRep::bestGuess(cfString(path))); code->initializeFromParent(*this); code->staticValidate(flags & ~kSecCSRestrictToAppLike, SecRequirement::required(req)); 
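Review bot: In validateResource the new side-band check constructs `AutoFileDesc fd(cfString(fullpath))` before the seal lookup that follows, i.e. before it is known whether the path is sealed, optional or missing; if AutoFileDesc opens the file eagerly (its constructor is not visible here), a sealed-but-absent optional resource will presumably fail with a UnixError from the open instead of reaching the kSecCFErrorResourceMissing report below, and when `isSymlink` is set the probe inspects the link target rather than the link. Suggest moving the block inside the `if (CFTypeRef file = ...)` branch once the on-disk file is known to exist, and guarding it with `if (!isSymlink)`. validateResource continues past the hunk.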
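Review bot: validatePlainMemoryResource takes `rules` from loadResources and `flags` from its caller but uses neither, and unlike validateResource it never consults `seal.nested()` or `seal.optional()`, so a path sealed as nested code is hashed as a plain file and rejected with the generic errSecCSBadResource. If only plain-file seals are meant to be accepted a comment saying so would help; otherwise `if (seal.nested()) MacOSError::throwMe(errSecCSResourcesNotSealed);` mirrors the check the removed resource() implementation had. The unused parameters should at least be `(void)`-cast, or `rules` dropped from the new StaticCode.h declaration.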
@@ -1397,10 +1445,7 @@ void SecStaticCode::validateOtherVersions(CFURLRef path, SecCSFlags flags, SecRe while ((entry = scanner.getNext()) != NULL) { std::ostringstream fullPath; - if (entry->d_type != DT_DIR || - strcmp(entry->d_name, ".") == 0 || - strcmp(entry->d_name, "..") == 0 || - strcmp(entry->d_name, "Current") == 0) + if (entry->d_type != DT_DIR || strcmp(entry->d_name, "Current") == 0) continue; fullPath << versionsPath.str() << entry->d_name; @@ -1532,9 +1577,6 @@ void SecStaticCode::validateRequirements(SecRequirementType type, SecStaticCode /* accept it */; } -/* Public Key Hash for root:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority */ -static const UInt8 retryRootBytes[] = {0x00,0xd8,0x5a,0x4c,0x25,0xc1,0x22,0xe5,0x8b,0x31,0xef,0x6d,0xba,0xf3,0xcc,0x5f,0x29,0xf1,0x0d,0x61}; - // // Validate this StaticCode against an external Requirement // 
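Review bot: The simplified filter in validateOtherVersions keeps the DT_DIR and "Current" tests but drops the `.` and `..` tests; both entries are DT_DIR, so unless DirScanner::getNext already filters them (not visible here) they now pass through and `fullPath << versionsPath.str() << entry->d_name` builds the Versions directory itself and the bundle root as candidate versions to validate. If getNext does skip them, a one-line comment on the condition, `// DirScanner skips "." and ".." for us`, would make the removal safe to read; otherwise the two strcmp lines should be restored. validateOtherVersions starts and ends outside the hunk.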
@@ -1544,34 +1586,6 @@ bool SecStaticCode::satisfiesRequirement(const Requirement *req, OSStatus failur assert(req); validateDirectory(); result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory()), failure); - if (result == false) { - /* Fix for rdar://problem/21437632: Work around untrusted root in validation chain */ - CFArrayRef certs = certificates(); - if (!certs || ((int)CFArrayGetCount(certs) < 1)) { - return false; - } - SecCertificateRef root = cert((int)CFArrayGetCount(certs) - 1); - if (!root) { - return false; - } - CFDataRef rootHash = SecCertificateCopyPublicKeySHA1Digest(root); - if (!rootHash) { - return false; - } - - if ((CFDataGetLength(rootHash) == sizeof(retryRootBytes)) && - !memcmp(CFDataGetBytePtr(rootHash), retryRootBytes, sizeof(retryRootBytes))) { - // retry with a rebuilt certificate chain, this time evaluating anchor trust - Security::Syslog::debug("Requirements validation failed: retrying"); - mResourcesValidated = mValidated = false; - setValidationFlags(mValidationFlags | kSecCSCheckTrustedAnchors); - - validateDirectory(); - result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory()), failure); - } - CFRelease(rootHash); - } - return result; } 
@@ -1712,14 +1726,17 @@ CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags) // to reliably transmit through the API wall so that code outside the Security.framework // can use it without having to play nasty tricks to get it. // - if (flags & kSecCSInternalInformation) + if (flags & kSecCSInternalInformation) { try { if (mDir) CFDictionaryAddValue(dict, kSecCodeInfoCodeDirectory, mDir); CFDictionaryAddValue(dict, kSecCodeInfoCodeOffset, CFTempNumber(mRep->signingBase())); if (CFRef<CFDictionaryRef> rdict = getDictionary(cdResourceDirSlot, false)) // suppress validation CFDictionaryAddValue(dict, kSecCodeInfoResourceDirectory, rdict); + if (CFRef<CFDictionaryRef> ddict = diskRepInformation()) + CFDictionaryAddValue(dict, kSecCodeInfoDiskRepInfo, ddict); } catch (...) { } + } // @@ -1877,7 +1894,7 @@ void SecStaticCode::handleOtherArchitectures(void (^handle)(SecStaticCode* other for (Universal::Architectures::const_iterator arch = architectures.begin(); arch != architectures.end(); ++arch) { ctx.offset = fat->archOffset(*arch); if (ctx.offset > SIZE_MAX) - MacOSError::throwMe(errSecCSInternalError); + MacOSError::throwMe(errSecCSBadObjectFormat); ctx.size = fat->lengthOfSlice((size_t)ctx.offset); if (ctx.offset != activeOffset) { // inactive architecture; check it SecPointer<SecStaticCode> subcode = new SecStaticCode(DiskRep::bestGuess(this->mainExecutablePath(), &ctx)); diff --git a/OSX/libsecurity_codesigning/lib/StaticCode.h b/OSX/libsecurity_codesigning/lib/StaticCode.h index bb73341a..5f441e24 100644 --- a/OSX/libsecurity_codesigning/lib/StaticCode.h +++ b/OSX/libsecurity_codesigning/lib/StaticCode.h 
@@ -136,13 +136,13 @@ public: std::string signatureSource(); virtual CFDataRef component(CodeDirectory::SpecialSlot slot, OSStatus fail = errSecCSSignatureFailed); virtual CFDictionaryRef infoDictionary(); + CFDictionaryRef diskRepInformation(); CFDictionaryRef entitlements(); + CFDataRef copyComponent(CodeDirectory::SpecialSlot slot, CFDataRef hash); CFDictionaryRef resourceDictionary(bool check = true); CFURLRef resourceBase(); - CFDataRef resource(std::string path); - CFDataRef resource(std::string path, ValidationContext &ctx); void validateResource(CFDictionaryRef files, std::string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version); void validateSymlinkResource(std::string fullpath, std::string seal, ValidationContext &ctx, SecCSFlags flags); @@ -177,6 +177,8 @@ public: void validateExecutable(); void validateNestedCode(CFURLRef path, const ResourceSeal &seal, SecCSFlags flags, bool isFramework); + void validatePlainMemoryResource(string path, CFDataRef fileData, SecCSFlags flags); + const Requirements *internalRequirements(); const Requirement *internalRequirement(SecRequirementType type); const Requirement *designatedRequirement(); @@ -193,7 +195,7 @@ public: CFDictionaryRef signingInformation(SecCSFlags flags); // omnibus information-gathering API (creates new dictionary) - static bool isAppleDeveloperCert(CFArrayRef certs); // determines if this is an apple developer certificate for libraray validation + static bool isAppleDeveloperCert(CFArrayRef certs); // determines if this is an apple developer certificate for library validation public: void staticValidate(SecCSFlags flags, const SecRequirement *req); 
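Review bot: The new declaration `void validatePlainMemoryResource(string path, CFDataRef fileData, SecCSFlags flags);` uses unqualified `string` while every neighbouring declaration in this header spells `std::string`; it only compiles because a using-directive happens to be in scope, and it should read `void validatePlainMemoryResource(std::string path, CFDataRef fileData, SecCSFlags flags);`. copyComponent and diskRepInformation are added without the one-line comments the adjacent members carry; the Copy prefix implies the caller owns the returned CFDataRef and copyComponent returns NULL on hash mismatch, which is worth stating here, e.g. `CFDataRef copyComponent(CodeDirectory::SpecialSlot slot, CFDataRef hash); // caller-owned; NULL if hash (when given) does not match the CodeDirectory`.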
@@ -207,6 +209,9 @@ protected: CFDictionaryRef getDictionary(CodeDirectory::SpecialSlot slot, bool check = true); // component value as a dictionary bool verifySignature(); CFArrayRef verificationPolicies(); + + // load preferred rules/files dictionaries (cached therein) + bool loadResources(CFDictionaryRef& rules, CFDictionaryRef& files, uint32_t& version); static void checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context); bool hasWeakResourceRules(CFDictionaryRef rulesDict, uint32_t version, CFArrayRef allowedOmissions); diff --git a/OSX/libsecurity_codesigning/lib/bundlediskrep.cpp b/OSX/libsecurity_codesigning/lib/bundlediskrep.cpp index 571c33e1..ca8f62da 100644 --- a/OSX/libsecurity_codesigning/lib/bundlediskrep.cpp +++ b/OSX/libsecurity_codesigning/lib/bundlediskrep.cpp @@ -47,7 +47,7 @@ static std::string findDistFile(const std::string &directory); // We make a CFBundleRef immediately, but everything else is lazy // BundleDiskRep::BundleDiskRep(const char *path, const Context *ctx) - : mBundle(CFBundleCreate(NULL, CFTempURL(path))) + : mBundle(_CFBundleCreateUnique(NULL, CFTempURL(path))) { if (!mBundle) MacOSError::throwMe(errSecCSBadBundleFormat); @@ -74,7 +74,7 @@ void BundleDiskRep::checkMoved(CFURLRef oldPath, CFURLRef newPath) // to their "Current" version binary in the main bundle if (realpath(cfString(oldPath).c_str(), cOld) == NULL || realpath(cfString(newPath).c_str(), cNew) == NULL) - MacOSError::throwMe(errSecCSInternalError); + MacOSError::throwMe(errSecCSAmbiguousBundleFormat); if (strcmp(cOld, cNew) != 0) recordStrictError(errSecCSAmbiguousBundleFormat); 
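Review bot: The BundleDiskRep constructor and the versioned-bundle branch of setup switch from the public CFBundleCreate to the private `_CFBundleCreateUnique` without a comment explaining why; presumably to avoid CFBundle's per-path caching handing back a previously created bundle object for a path under validation, but that reasoning is not visible here and the SPI can change underneath this code. Suggest a comment at the first use, `// _CFBundleCreateUnique: bypass CFBundle's per-path cache so we always inspect the current on-disk state`, adjusted to the actual reason. In checkMoved, a realpath failure is now reported as errSecCSAmbiguousBundleFormat, the same code recorded for a genuinely moved bundle; a comment that a missing path is deliberately treated as ambiguity would help a reader tracing that error.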
@@ -83,16 +83,19 @@ void BundleDiskRep::checkMoved(CFURLRef oldPath, CFURLRef newPath) // common construction code void BundleDiskRep::setup(const Context *ctx) { + mComponentsFromExecValid = false; // not yet known mInstallerPackage = false; // default mAppLike = false; // pessimism first bool appDisqualified = false; // found reason to disqualify as app - + // capture the path of the main executable before descending into a specific version CFRef<CFURLRef> mainExecBefore = CFBundleCopyExecutableURL(mBundle); CFRef<CFURLRef> infoPlistBefore = _CFBundleCopyInfoPlistURL(mBundle); // validate the bundle root; fish around for the desired framework version string root = cfStringRelease(copyCanonicalPath()); + if (filehasExtendedAttribute(root, XATTR_FINDERINFO_NAME)) + recordStrictError(errSecCSInvalidAssociatedFileData); string contents = root + "/Contents"; string supportFiles = root + "/Support Files"; string version = root + "/Versions/" @@ -111,7 +114,7 @@ void BundleDiskRep::setup(const Context *ctx) // treat like a shallow bundle; do not allow Versions arbitration appDisqualified = true; } else if (::access(version.c_str(), F_OK) == 0) { // versioned bundle - if (CFBundleRef versionBundle = CFBundleCreate(NULL, CFTempURL(version))) + if (CFBundleRef versionBundle = _CFBundleCreateUnique(NULL, CFTempURL(version))) mBundle.take(versionBundle); // replace top bundle ref else MacOSError::throwMe(errSecCSStaticCodeNotFound); @@ -145,8 +148,7 @@ void BundleDiskRep::setup(const Context *ctx) mMainExecutableURL = mainExec; mExecRep = DiskRep::bestFileGuess(this->mainExecutablePath(), ctx); - if (!mExecRep->fd().isPlainFile(this->mainExecutablePath())) - recordStrictError(errSecCSRegularFile); + checkPlainFile(mExecRep->fd(), this->mainExecutablePath()); CFDictionaryRef infoDict = CFBundleGetInfoDictionary(mBundle); bool isAppBundle = false; if (infoDict) 
@@ -169,8 +171,7 @@ void BundleDiskRep::setup(const Context *ctx) if (!mMainExecutableURL) MacOSError::throwMe(errSecCSBadBundleFormat); mExecRep = new FileDiskRep(this->mainExecutablePath().c_str()); - if (!mExecRep->fd().isPlainFile(this->mainExecutablePath())) - recordStrictError(errSecCSRegularFile); + checkPlainFile(mExecRep->fd(), this->mainExecutablePath()); mFormat = "widget bundle"; mAppLike = true; return; @@ -181,8 +182,7 @@ void BundleDiskRep::setup(const Context *ctx) // focus on the Info.plist (which we know exists) as the nominal "main executable" file mMainExecutableURL = infoURL; mExecRep = new FileDiskRep(this->mainExecutablePath().c_str()); - if (!mExecRep->fd().isPlainFile(this->mainExecutablePath())) - recordStrictError(errSecCSRegularFile); + checkPlainFile(mExecRep->fd(), this->mainExecutablePath()); if (packageVersion) { mInstallerPackage = true; mFormat = "installer package bundle"; @@ -197,8 +197,7 @@ void BundleDiskRep::setup(const Context *ctx) if (!distFile.empty()) { mMainExecutableURL = makeCFURL(distFile); mExecRep = new FileDiskRep(this->mainExecutablePath().c_str()); - if (!mExecRep->fd().isPlainFile(this->mainExecutablePath())) - recordStrictError(errSecCSRegularFile); + checkPlainFile(mExecRep->fd(), this->mainExecutablePath()); mInstallerPackage = true; mFormat = "installer package bundle"; return; 
@@ -244,27 +243,6 @@ static std::string findDistFile(const std::string &directory) } -// -// Create a path to a bundle signing resource, by name. -// If the BUNDLEDISKREP_DIRECTORY directory exists in the bundle's support directory, files -// will be read and written there. Otherwise, they go directly into the support directory. -// -string BundleDiskRep::metaPath(const char *name) -{ - if (mMetaPath.empty()) { - string support = cfStringRelease(CFBundleCopySupportFilesDirectoryURL(mBundle)); - mMetaPath = support + "/" BUNDLEDISKREP_DIRECTORY; - if (::access(mMetaPath.c_str(), F_OK) == 0) { - mMetaExists = true; - } else { - mMetaPath = support; - mMetaExists = false; - } - } - return mMetaPath + "/" + name; -} - - // // Try to create the meta-file directory in our bundle. // Does nothing if the directory already exists. @@ -272,7 +250,7 @@ string BundleDiskRep::metaPath(const char *name) // void BundleDiskRep::createMeta() { - string meta = metaPath(BUNDLEDISKREP_DIRECTORY); + string meta = metaPath(NULL); if (!mMetaExists) { if (::mkdir(meta.c_str(), 0755) == 0) { copyfile(cfStringRelease(copyCanonicalPath()).c_str(), meta.c_str(), NULL, COPYFILE_SECURITY); 
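Review bot: createMeta() now takes `metaPath(NULL)`, i.e. the _CodeSignature directory itself, and only calls mkdir when `!mMetaExists`; the remainder of the function is outside this hunk, so I cannot see whether a successful mkdir sets `mMetaExists = true` — if it does not, later code on the same rep that consults mMetaExists still believes the directory is absent. Since metaPath() (in the following hunk) computes mMetaExists only on its first call, `mMetaExists = true;` immediately after the successful mkdir is the simplest way to keep the cached state honest. A comment on the changed line recording that the old support-directory fallback is gone, so components now always live in _CodeSignature, would also help readers who remember the previous layout.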
@@ -282,7 +260,40 @@ void BundleDiskRep::createMeta() UnixError::throwMe(); } } + + +// +// Create a path to a bundle signing resource, by name. +// This is in the BUNDLEDISKREP_DIRECTORY directory in the bundle's support directory. +// +string BundleDiskRep::metaPath(const char *name) +{ + if (mMetaPath.empty()) { + string support = cfStringRelease(CFBundleCopySupportFilesDirectoryURL(mBundle)); + mMetaPath = support + "/" BUNDLEDISKREP_DIRECTORY; + mMetaExists = ::access(mMetaPath.c_str(), F_OK) == 0; + } + if (name) + return mMetaPath + "/" + name; + else + return mMetaPath; +} + +CFDataRef BundleDiskRep::metaData(const char *name) +{ + return cfLoadFile(CFTempURL(metaPath(name))); +} +CFDataRef BundleDiskRep::metaData(CodeDirectory::SpecialSlot slot) +{ + if (const char *name = CodeDirectory::canonicalSlotName(slot)) + return metaData(name); + else + return NULL; +} + + + // // Load's a CFURL and makes sure that it is a regular file and not a symlink (or fifo, etc.) // @@ -296,14 +307,13 @@ CFDataRef BundleDiskRep::loadRegularFile(CFURLRef url) AutoFileDesc fd(path); - if (!fd.isPlainFile(path)) - recordStrictError(errSecCSRegularFile); + checkPlainFile(fd, path); data = cfLoadFile(fd, fd.fileSize()); if (!data) { - secdebug(__PRETTY_FUNCTION__, "failed to load %s", cfString(url).c_str()); - MacOSError::throwMe(errSecCSInternalError); + secinfo("bundlediskrep", "failed to load %s", cfString(url).c_str()); + MacOSError::throwMe(errSecCSInvalidSymlink); } return data; 
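Review bot: `BundleDiskRep::metaData(const char *name)` loads the file through `cfLoadFile(CFTempURL(metaPath(name)))`, which applies neither the plain-file check nor the fork check that loadRegularFile() in the next hunk applies to Info.plist, so a non-regular entry in _CodeSignature is presumably followed here and is only caught later by validateMetaDirectory(), and only when the caller did not pass kSecCSQuickCheck. Routing both sources through the same path, `return loadRegularFile(CFTempURL(metaPath(name)));`, would make them consistent; if the NULL-for-missing behaviour that component() relies on must be kept, a guarded variant that tests `::access` before delegating would be needed. The comment above metaPath() should also state that a NULL `name` returns the directory itself, which createMeta() now depends on.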
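Review bot: The failure branch in loadRegularFile() now throws errSecCSInvalidSymlink whenever `cfLoadFile` returns NULL, yet that branch is reached for any read failure (short file, I/O error), not just a symlink, and the symlink/regular-file question has already been funnelled into the strict-error set by `checkPlainFile(fd, path)` two lines above. Reporting errSecCSInvalidSymlink for a plain read error will mislead whoever investigates; either keep errSecCSInternalError here, or pick the code from `fd.isPlainFile(path)` so that only the symlink case gets the symlink error, and say so in a comment on the throw.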
@@ -313,8 +323,10 @@ CFDataRef BundleDiskRep::loadRegularFile(CFURLRef url) // Load and return a component, by slot number. // Info.plist components come from the bundle, always (we don't look // for Mach-O embedded versions). +// ResourceDirectory always comes from bundle files. // Everything else comes from the embedded blobs of a Mach-O image, or from -// files located in the Contents directory of the bundle. +// files located in the Contents directory of the bundle; but we must be consistent +// (no half-and-half situations). // CFDataRef BundleDiskRep::component(CodeDirectory::SpecialSlot slot) { @@ -325,17 +337,36 @@ CFDataRef BundleDiskRep::component(CodeDirectory::SpecialSlot slot) return loadRegularFile(info); else return NULL; - // by default, we take components from the executable image or files - default: - if (CFDataRef data = mExecRep->component(slot)) - return data; - // falling through - // but the following always come from files case cdResourceDirSlot: - if (const char *name = CodeDirectory::canonicalSlotName(slot)) - return metaData(name); - else - return NULL; + mUsedComponents.insert(slot); + return metaData(slot); + // by default, we take components from the executable image or files (but not both) + default: + if (CFRef<CFDataRef> data = mExecRep->component(slot)) { + componentFromExec(true); + return data.yield(); + } + if (CFRef<CFDataRef> data = metaData(slot)) { + componentFromExec(false); + mUsedComponents.insert(slot); + return data.yield(); + } + return NULL; + } +} + + +// Check that all components of this BundleDiskRep come from either the main +// executable or the _CodeSignature directory (not mix-and-match). +void BundleDiskRep::componentFromExec(bool fromExec) +{ + if (!mComponentsFromExecValid) { + // first use; set latch + mComponentsFromExecValid = true; + mComponentsFromExec = fromExec; + } else if (mComponentsFromExec != fromExec) { + // subsequent use: check latch + MacOSError::throwMe(errSecCSSignatureFailed); } } 
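Review bot: In component(), the cdResourceDirSlot case inserts the slot into mUsedComponents unconditionally, while the default case records the slot only when metaData(slot) actually returned data; since validateMetaDirectory() derives its allowed-file set from mUsedComponents, the two cases should agree — either insert only on success in both, or document why the resource-directory slot is always counted (`// always counted: validateMetaDirectory() treats the resource directory as a bundle file`). componentFromExec() throws the generic errSecCSSignatureFailed on a source mismatch; a comment naming the condition, `// mixed sources: one component from the executable, another from _CodeSignature`, would make a later failure diagnosis much quicker.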
@@ -451,6 +482,10 @@ void BundleDiskRep::flush() mExecRep->flush(); } +CFDictionaryRef BundleDiskRep::diskRepInformation() +{ + return mExecRep->diskRepInformation(); +} // // Defaults for signing operations @@ -531,6 +566,7 @@ CFDictionaryRef BundleDiskRep::defaultResourceRules(const SigningContext &ctx) "'^version.plist$' = #T" // include version.plist "%s = #T" // include Resources "%s = {optional=#T, weight=1000}" // make localizations optional + "%s = {weight=1010}" // ... except for Base.lproj which really isn't optional at all "%s = {omit=#T, weight=1100}" // exclude all locversion.plist files "},rules2={" "'^.*' = #T" // include everything as a resource, with the following exceptions @@ -544,15 +580,18 @@ CFDictionaryRef BundleDiskRep::defaultResourceRules(const SigningContext &ctx) "'^PkgInfo$' = {omit=#T, weight=20}" // traditionally not included "%s = {weight=20}" // Resources override default nested (widgets) "%s = {optional=#T, weight=1000}" // make localizations optional + "%s = {weight=1010}" // ... except for Base.lproj which really isn't optional at all "%s = {omit=#T, weight=1100}" // exclude all locversion.plist files "}}", (string("^") + resources).c_str(), (string("^") + resources + ".*\\.lproj/").c_str(), + (string("^") + resources + "Base\\.lproj/").c_str(), (string("^") + resources + ".*\\.lproj/locversion.plist$").c_str(), (string("^") + resources).c_str(), (string("^") + resources + ".*\\.lproj/").c_str(), + (string("^") + resources + "Base\\.lproj/").c_str(), (string("^") + resources + ".*\\.lproj/locversion.plist$").c_str() ); } 
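Review bot: `BundleDiskRep::diskRepInformation()` forwards `mExecRep->diskRepInformation()`, but neither this hunk nor the base declaration in diskrep.h (`virtual CFDictionaryRef diskRepInformation();	// information from diskrep`) and its NULL-returning default in diskrep.cpp say whether the returned CFDictionaryRef follows the Create or the Get rule, and callers need that to know whether to CFRelease it. State it once on the base declaration, e.g. `// information from diskrep; NULL if none; caller owns/does not own the result` resolved to whichever convention the concrete reps actually follow, and the override here inherits the contract.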
@@ -588,6 +627,14 @@ size_t BundleDiskRep::pageSize(const SigningContext &ctx) // void BundleDiskRep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated, SecCSFlags flags) { + // scan our metadirectory (_CodeSignature) for unwanted guests + if (!(flags & kSecCSQuickCheck)) + validateMetaDirectory(cd); + + // check accumulated strict errors and report them + if (!(flags & kSecCSRestrictSidebandData)) // tolerate resource forks etc. + mStrictErrors.erase(errSecCSInvalidAssociatedFileData); + std::vector<OSStatus> fatalErrors; set_difference(mStrictErrors.begin(), mStrictErrors.end(), tolerated.begin(), tolerated.end(), back_inserter(fatalErrors)); if (!fatalErrors.empty()) 
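Review bot: `mStrictErrors.erase(errSecCSInvalidAssociatedFileData)` permanently removes the recorded finding from the rep's accumulated set, so if strictValidate() is ever invoked again on the same BundleDiskRep with kSecCSRestrictSidebandData set, the sideband error is already gone and the stricter call passes silently; whether callers re-validate is not visible here, so treat it as a latent hazard. A non-destructive form keeps mStrictErrors intact by widening the tolerated set locally instead (assuming ToleratedErrors is a std::set<OSStatus>, as its use with set_difference suggests):
```cpp
	// check accumulated strict errors and report them
	ToleratedErrors effectiveTolerated(tolerated);
	if (!(flags & kSecCSRestrictSidebandData))	// tolerate resource forks etc.
		effectiveTolerated.insert(errSecCSInvalidAssociatedFileData);
	std::vector<OSStatus> fatalErrors;
	set_difference(mStrictErrors.begin(), mStrictErrors.end(), effectiveTolerated.begin(), effectiveTolerated.end(), back_inserter(fatalErrors));
	// … unchanged: fatalErrors reporting …
```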
@@ -609,6 +656,45 @@ void BundleDiskRep::recordStrictError(OSStatus error) } +void BundleDiskRep::validateMetaDirectory(const CodeDirectory* cd) +{ + // we know the resource directory will be checked after this call, so we'll give it a pass here + if (cd->slotIsPresent(-cdResourceDirSlot)) + mUsedComponents.insert(cdResourceDirSlot); + + // make a set of allowed (regular) filenames in this directory + std::set<std::string> allowedFiles; + for (auto it = mUsedComponents.begin(); it != mUsedComponents.end(); ++it) { + switch (*it) { + case cdInfoSlot: + break; // always from Info.plist, not from here + default: + if (const char *name = CodeDirectory::canonicalSlotName(*it)) { + allowedFiles.insert(name); + } + break; + } + } + DirScanner scan(mMetaPath); + if (scan.initialized()) { + while (struct dirent* ent = scan.getNext()) { + if (!scan.isRegularFile(ent)) + MacOSError::throwMe(errSecCSUnsealedAppRoot); // only regular files allowed + if (allowedFiles.find(ent->d_name) == allowedFiles.end()) { // not in expected set of files + if (strcmp(ent->d_name, kSecCS_SIGNATUREFILE) == 0) { + // special case - might be empty and unused (adhoc signature) + AutoFileDesc fd(metaPath(kSecCS_SIGNATUREFILE)); + if (fd.fileSize() == 0) + continue; // that's okay, then + } + // not on list of needed files; it's a freeloading rogue! + recordStrictError(errSecCSUnsealedAppRoot); // funnel through strict set so GKOpaque can override it + } + } + } +} + + // // Check framework root for unsafe symlinks and unsealed content. // 
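Review bot: The allowed-file set in validateMetaDirectory() is built from mUsedComponents, i.e. from which slots happened to be requested through component() before strictValidate() ran, so the verdict depends on call order rather than on the CodeDirectory: a legitimately present file whose slot has not been read yet is recorded as a rogue, and the cdResourceDirSlot special case is the only place `cd` is consulted. If that is the intent (only files actually consumed are permitted), a comment on the `std::set<std::string> allowedFiles;` line should say so to stop someone "fixing" it later; otherwise derive the set from `cd->slotIsPresent(-slot)` for each special slot. Separately, the kSecCS_SIGNATUREFILE case reopens the entry by path (`AutoFileDesc fd(metaPath(kSecCS_SIGNATUREFILE))`) after the scan classified it, so the size check is not guaranteed to look at the same entry; if AutoFileDesc can open relative to a directory descriptor, using `dirfd` as unlink() in dirscanner.cpp does would close that gap.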
@@ -644,6 +730,23 @@ void BundleDiskRep::validateFrameworkRoot(string root) } } + +// +// Check a file descriptor for harmlessness. This is a strict check (only). +// +void BundleDiskRep::checkPlainFile(FileDesc fd, const std::string& path) +{ + if (!fd.isPlainFile(path)) + recordStrictError(errSecCSRegularFile); + checkForks(fd); +} + +void BundleDiskRep::checkForks(FileDesc fd) +{ + if (fd.hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || fd.hasExtendedAttribute(XATTR_FINDERINFO_NAME)) + recordStrictError(errSecCSInvalidAssociatedFileData); +} + // // Writers @@ -679,6 +782,7 @@ void BundleDiskRep::Writer::component(CodeDirectory::SpecialSlot slot, CFDataRef string path = rep->metaPath(name); AutoFileDesc fd(path, O_WRONLY | O_CREAT | O_TRUNC, 0644); fd.writeAll(CFDataGetBytePtr(data), CFDataGetLength(data)); + mWrittenFiles.insert(name); } else MacOSError::throwMe(errSecCSBadBundleFormat); } @@ -715,6 +819,24 @@ void BundleDiskRep::Writer::remove(CodeDirectory::SpecialSlot slot) void BundleDiskRep::Writer::flush() { execWriter->flush(); + purgeMetaDirectory(); +} + + +// purge _CodeSignature of all left-over files from any previous signature +void BundleDiskRep::Writer::purgeMetaDirectory() +{ + DirScanner scan(rep->mMetaPath); + if (scan.initialized()) { + while (struct dirent* ent = scan.getNext()) { + if (!scan.isRegularFile(ent)) + MacOSError::throwMe(errSecCSUnsealedAppRoot); // only regular files allowed + if (mWrittenFiles.find(ent->d_name) == mWrittenFiles.end()) { // we didn't write this! + scan.unlink(ent, 0); + } + } + } + } diff --git a/OSX/libsecurity_codesigning/lib/bundlediskrep.h b/OSX/libsecurity_codesigning/lib/bundlediskrep.h index d0c5ee65..92269613 100644 --- a/OSX/libsecurity_codesigning/lib/bundlediskrep.h +++ b/OSX/libsecurity_codesigning/lib/bundlediskrep.h 
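Review bot: `AutoFileDesc fd(path, O_WRONLY | O_CREAT | O_TRUNC, 0644)` in Writer::component() opens the component file without O_NOFOLLOW, so if an entry of that name already exists in _CodeSignature as a symlink, the truncate-and-write is applied to whatever it points at; purgeMetaDirectory() in the next hunk rejects non-regular entries, but it runs from flush(), after the writes. Opening with `O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW` (or purging before the first write) closes that window. The enclosing Writer::component() begins before this hunk.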
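Review bot: purgeMetaDirectory() unlinks every regular file under `rep->mMetaPath` that is not in mWrittenFiles, which also means a flush() during which nothing went through Writer::component() empties the directory; whether that can happen I cannot tell from the hunk, so if the empty-set case is not meant to wipe the directory, guard it with `if (mWrittenFiles.empty()) return;`. `rep->mMetaPath` is only populated once metaPath() has been called, and an empty path presumably leaves DirScanner uninitialized and the purge silently skipped — a comment on the `DirScanner scan(rep->mMetaPath);` line should say that this is the no-signature-directory case. Throwing errSecCSUnsealedAppRoot mid-loop on a non-regular entry leaves the directory half-purged; classifying all entries first and unlinking second would give an all-or-nothing result.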
@@ -68,7 +68,8 @@ public: CFArrayRef modifiedFiles(); UnixPlusPlus::FileDesc &fd(); void flush(); - + CFDictionaryRef diskRepInformation(); + std::string recommendedIdentifier(const SigningContext &ctx); CFDictionaryRef defaultResourceRules(const SigningContext &ctx); const Requirements *defaultRequirements(const Architecture *arch, const SigningContext &ctx); @@ -86,16 +87,21 @@ public: protected: std::string metaPath(const char *name); - CFDataRef metaData(const char *name) { return cfLoadFile(CFTempURL(metaPath(name))); } void createMeta(); // (try to) create the meta-file directory + CFDataRef metaData(const char *name); + CFDataRef metaData(CodeDirectory::SpecialSlot slot); private: void setup(const Context *ctx); // shared init void checkModifiedFile(CFMutableArrayRef files, CodeDirectory::SpecialSlot slot); CFDataRef loadRegularFile(CFURLRef url); void recordStrictError(OSStatus error); + void validateMetaDirectory(const CodeDirectory* cd); void validateFrameworkRoot(std::string root); + void checkPlainFile(UnixPlusPlus::FileDesc fd, const std::string& path); + void checkForks(UnixPlusPlus::FileDesc fd); void checkMoved(CFURLRef oldPath, CFURLRef newPath); + void componentFromExec(bool fromExec); private: CFRef<CFBundleRef> mBundle; @@ -106,6 +112,9 @@ private: bool mAppLike; // is some form of app string mFormat; // format description string RefPointer<DiskRep> mExecRep; // DiskRep for main executable file + bool mComponentsFromExec; // components are drawn from main executable diskrep + bool mComponentsFromExecValid; // mComponentsFromExec is valid (tri-state) + std::set<CodeDirectory::SpecialSlot> mUsedComponents; // remember what components we've retrieved std::set<OSStatus> mStrictErrors; // strict validation errors encountered }; 
@@ -126,11 +135,13 @@ public: protected: DiskRep *execRep() { return rep->mExecRep; } void remove(CodeDirectory::SpecialSlot slot); + void purgeMetaDirectory(); protected: RefPointer<BundleDiskRep> rep; RefPointer<DiskRep::Writer> execWriter; bool mMadeMetaDirectory; + std::set<std::string> mWrittenFiles; }; diff --git a/OSX/libsecurity_codesigning/lib/codedirectory.cpp b/OSX/libsecurity_codesigning/lib/codedirectory.cpp index f675c4b8..b14b58ec 100644 --- a/OSX/libsecurity_codesigning/lib/codedirectory.cpp +++ b/OSX/libsecurity_codesigning/lib/codedirectory.cpp @@ -125,7 +125,7 @@ const char * const CodeDirectory::debugSlotName[] = { "info", "requirements", "resources", - "application", + "rep-specific", "entitlement" }; #endif //NDEBUG @@ -155,7 +155,7 @@ void CodeDirectory::checkIntegrity() const if (version < earliestVersion) MacOSError::throwMe(errSecCSSignatureUnsupported); // too old - can't support if (version > currentVersion) - secdebug("codedir", "%p version 0x%x newer than current 0x%x", + secinfo("codedir", "%p version 0x%x newer than current 0x%x", this, uint32_t(version), currentVersion); // now check interior offsets for validity @@ -199,7 +199,7 @@ void CodeDirectory::checkIntegrity() const // bool CodeDirectory::validateSlot(const void *data, size_t length, Slot slot) const { - secdebug("codedir", "%p validating slot %d", this, int(slot)); + secinfo("codedir", "%p validating slot %d", this, int(slot)); MakeHash<CodeDirectory> hasher(this); Hashing::Byte digest[hasher->digestLength()]; generateHash(hasher, data, length, digest); 
@@ -309,6 +309,17 @@ void CodeDirectory::multipleHashFileData(FileDesc fd, size_t limit, CodeDirector action(*it, hashers[n]); } } + + + // + // Hash data in memory using our hashAlgorithm() + // +bool CodeDirectory::verifyMemoryContent(CFDataRef data, const Byte* digest) const +{ + RefPointer<DynamicHash> hasher = CodeDirectory::hashFor(this->hashType); + hasher->update(CFDataGetBytePtr(data), CFDataGetLength(data)); + return hasher->verify(digest); +} // diff --git a/OSX/libsecurity_codesigning/lib/codedirectory.h b/OSX/libsecurity_codesigning/lib/codedirectory.h index 4b0bbbd9..381d6660 100644 --- a/OSX/libsecurity_codesigning/lib/codedirectory.h +++ b/OSX/libsecurity_codesigning/lib/codedirectory.h @@ -271,7 +271,8 @@ public: CFDataRef cdhash() const; static void multipleHashFileData(UnixPlusPlus::FileDesc fd, size_t limit, HashAlgorithms types, void (^action)(HashAlgorithm type, DynamicHash* hasher)); - + bool verifyMemoryContent(CFDataRef data, const Byte* digest) const; + static bool viableHash(HashAlgorithm type); static HashAlgorithm bestHashOf(const HashAlgorithms& types); diff --git a/OSX/libsecurity_codesigning/lib/cs.h b/OSX/libsecurity_codesigning/lib/cs.h index 9e40ac8e..32f316f1 100644 --- a/OSX/libsecurity_codesigning/lib/cs.h +++ b/OSX/libsecurity_codesigning/lib/cs.h @@ -41,6 +41,7 @@ #include <security_utilities/errors.h> #include <security_utilities/sqlite++.h> #include <security_utilities/cfutilities.h> +#include <security_utilities/logging.h> namespace Security { @@ -92,7 +93,7 @@ OSStatus dbError(const SQLite3::Error &err); catch (const SQLite3::Error &err) { return dbError(err); } \ catch (const CommonError &err) { return SecKeychainErrFromOSStatus(err.osStatus()); } \ catch (const std::bad_alloc &) { return errSecAllocate; } \ - catch (...) { return errSecCSInternalError; } \ + catch (...) { Syslog::notice("unknown exception in CSAPI"); return errSecCSInternalError; } \ return errSecSuccess; #define END_CSAPI_ERRORS \ 
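Review bot: verifyMemoryContent() passes `data` straight to CFDataGetBytePtr/CFDataGetLength without a NULL check, so a caller handing it an absent component (BundleDiskRep::component() returns NULL for missing slots) would crash instead of getting a verification failure; unless callers are guaranteed to filter that, `if (!data) return false;` at the top turns it into a clean negative result. The new comment block is also indented one level while the function it describes sits at column 0, unlike the other comment headers in this file; align it and state the return value, e.g. `// Returns true if data hashes, under this directory's hash type, to digest.`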
@@ -107,7 +108,7 @@ OSStatus dbError(const SQLite3::Error &err); catch (const SQLite3::Error &err) { return CSError::cfError(errors, dbError(err)); } \ catch (const CommonError &err) { return CSError::cfError(errors, SecKeychainErrFromOSStatus(err.osStatus())); } \ catch (const std::bad_alloc &) { return CSError::cfError(errors, errSecAllocate); } \ - catch (...) { return CSError::cfError(errors, errSecCSInternalError); } \ + catch (...) { Syslog::notice("unknown exception in CSAPI"); return CSError::cfError(errors, errSecCSInternalError); } \ return errSecSuccess; #define END_CSAPI1(bad) } catch (...) { return bad; } @@ -125,7 +126,7 @@ OSStatus dbError(const SQLite3::Error &err); catch (const SQLite3::Error &err) { CSError::cfError(errors, dbError(err)); } \ catch (const CommonError &err) { CSError::cfError(errors, SecKeychainErrFromOSStatus(err.osStatus())); } \ catch (const std::bad_alloc &) { CSError::cfError(errors, errSecAllocate); } \ - catch (...) { CSError::cfError(errors, errSecCSInternalError); } \ + catch (...) { Syslog::notice("unknown exception in CSAPI"); CSError::cfError(errors, errSecCSInternalError); } \ return bad; diff --git a/OSX/libsecurity_codesigning/lib/cskernel.cpp b/OSX/libsecurity_codesigning/lib/cskernel.cpp index 530fa722..c4d579f7 100644 --- a/OSX/libsecurity_codesigning/lib/cskernel.cpp +++ b/OSX/libsecurity_codesigning/lib/cskernel.cpp @@ -37,6 +37,8 @@ #include "machorep.h" #include <libproc.h> #include <sys/codesign.h> +#include <bsm/libbsm.h> +#include <security_utilities/cfmunge.h> #include <sys/param.h> // MAXPATHLEN namespace Security { 
@@ -67,33 +69,47 @@ KernelStaticCode::KernelStaticCode() // // Identify our guests (UNIX processes) by attribute. -// The only supported lookup attribute is currently the pid. (We could support -// task ports, but those can easily be mapped to pids.) +// We support either pid or audit token (which contains the pid). If we get both, +// we record them both and let the kernel sort them out. // Note that we don't actually validate the pid here; if it's invalid, we'll notice // when we try to ask the kernel about it later. // SecCode *KernelCode::locateGuest(CFDictionaryRef attributes) { - if (CFTypeRef attr = CFDictionaryGetValue(attributes, kSecGuestAttributePid)) { - RefPointer<PidDiskRep> diskRep = NULL; - - if (CFGetTypeID(attr) != CFNumberGetTypeID()) - MacOSError::throwMe(errSecCSInvalidAttributeValues); - - pid_t pid = cfNumber<pid_t>(CFNumberRef(attr)); - - if (CFDictionaryGetValue(attributes, kSecGuestAttributeDynamicCode) != NULL) { - CFDataRef infoPlist = (CFDataRef)CFDictionaryGetValue(attributes, kSecGuestAttributeDynamicCodeInfoPlist); - if (infoPlist && CFGetTypeID(infoPlist) != CFDataGetTypeID()) - MacOSError::throwMe(errSecCSInvalidAttributeValues); - - try { - diskRep = new PidDiskRep(pid, infoPlist); - } catch (...) { } - } - return (new ProcessCode(cfNumber<pid_t>(CFNumberRef(attr)), diskRep))->retain(); - } else + CFNumberRef pidNumber = NULL; + CFDataRef auditData = NULL; + cfscan(attributes, "{%O=%NO}", kSecGuestAttributePid, &pidNumber); + cfscan(attributes, "{%O=%XO}", kSecGuestAttributeAudit, &auditData); + if (pidNumber == NULL && auditData == NULL) MacOSError::throwMe(errSecCSUnsupportedGuestAttributes); + + // Extract information from pid and audit token as presented. We need at least one. + // If both are specified, we pass them both to the kernel, which will fail if they + // don't agree. 
+ if (auditData && CFDataGetLength(auditData) != sizeof(audit_token_t)) + MacOSError::throwMe(errSecCSInvalidAttributeValues); + pid_t pid = 0; + audit_token_t* audit = NULL; + if (pidNumber) + pid = cfNumber<pid_t>(pidNumber); + if (auditData) + audit = (audit_token_t*)CFDataGetBytePtr(auditData); + if (audit && pid == 0) + pid = audit_token_to_pid(*audit); + + // handle requests for server-based validation + RefPointer<PidDiskRep> diskRep = NULL; + if (CFDictionaryGetValue(attributes, kSecGuestAttributeDynamicCode) != NULL) { + CFDataRef infoPlist = (CFDataRef)CFDictionaryGetValue(attributes, kSecGuestAttributeDynamicCodeInfoPlist); + if (infoPlist && CFGetTypeID(infoPlist) != CFDataGetTypeID()) + MacOSError::throwMe(errSecCSInvalidAttributeValues); + + try { + diskRep = new PidDiskRep(pid, infoPlist); + } catch (...) { } + } + + return (new ProcessCode(pid, audit, diskRep))->retain(); } @@ -109,9 +125,10 @@ SecStaticCode *KernelCode::identifyGuest(SecCode *iguest, CFDataRef *cdhash) if (guest->pidBased()) { SecPointer<SecStaticCode> code = new ProcessDynamicCode(guest); + guest->pidBased()->setCredentials(code->codeDirectory()); SHA1::Digest kernelHash; - MacOSError::check(::csops(guest->pid(), CS_OPS_CDHASH, kernelHash, sizeof(kernelHash))); + MacOSError::check(guest->csops(CS_OPS_CDHASH, kernelHash, sizeof(kernelHash))); *cdhash = makeCFData(kernelHash, sizeof(kernelHash)); return code.yield(); @@ -125,7 +142,7 @@ SecStaticCode *KernelCode::identifyGuest(SecCode *iguest, CFDataRef *cdhash) CODESIGN_GUEST_IDENTIFY_PROCESS(guest, guest->pid(), code); if (cdhash) { SHA1::Digest kernelHash; - if (::csops(guest->pid(), CS_OPS_CDHASH, kernelHash, sizeof(kernelHash)) == -1) + if (guest->csops(CS_OPS_CDHASH, kernelHash, sizeof(kernelHash)) == -1) switch (errno) { case EBADEXEC: // means "no CodeDirectory hash for this program" *cdhash = NULL; 
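Review bot: `audit = (audit_token_t*)CFDataGetBytePtr(auditData);` reinterprets the CFData byte buffer as an audit_token_t and then reads through it (`audit_token_to_pid(*audit)`, and ProcessCode copies `*token`); CFData makes no alignment promise for its bytes and the C-style cast also discards the const of the returned pointer, so this is an alignment/aliasing hazard even though the length is checked just before. Copying into a local (memcpy, assuming <cstring> is reachable through the existing includes) fixes it and leaves the pid derivation and the rest of locateGuest() unchanged:
```cpp
	pid_t pid = 0;
	audit_token_t auditToken;
	audit_token_t* audit = NULL;
	if (pidNumber)
		pid = cfNumber<pid_t>(pidNumber);
	if (auditData) {
		memcpy(&auditToken, CFDataGetBytePtr(auditData), sizeof(auditToken));
		audit = &auditToken;
	}
	// … unchanged: pid from audit token, PidDiskRep construction, ProcessCode creation …
```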
@@ -155,7 +172,7 @@ SecCodeStatus KernelCode::getGuestStatus(SecCode *iguest) if (ProcessCode *guest = dynamic_cast<ProcessCode *>(iguest)) { uint32_t pFlags; csops(guest, CS_OPS_STATUS, &pFlags); - secdebug("kcode", "guest %p(%d) kernel status 0x%x", guest, guest->pid(), pFlags); + secinfo("kcode", "guest %p(%d) kernel status 0x%x", guest, guest->pid(), pFlags); return pFlags; } else MacOSError::throwMe(errSecCSNoSuchCode); @@ -204,7 +221,7 @@ void KernelCode::identify() // void KernelCode::csops(ProcessCode *proc, unsigned int op, void *addr, size_t length) { - if (::csops(proc->pid(), op, addr, length) == -1) { + if (proc->csops(op, addr, length) == -1) { switch (errno) { case ESRCH: MacOSError::throwMe(errSecCSNoSuchCode); diff --git a/OSX/libsecurity_codesigning/lib/csprocess.cpp b/OSX/libsecurity_codesigning/lib/csprocess.cpp index bc406aa3..8e208c06 100644 --- a/OSX/libsecurity_codesigning/lib/csprocess.cpp +++ b/OSX/libsecurity_codesigning/lib/csprocess.cpp @@ -36,9 +36,13 @@ namespace CodeSigning { // // Construct a running process representation // -ProcessCode::ProcessCode(pid_t pid, PidDiskRep *pidDiskRep /*= NULL */) +ProcessCode::ProcessCode(pid_t pid, const audit_token_t* token, PidDiskRep *pidDiskRep /*= NULL */) : GenericCode(KernelCode::active()), mPid(pid), mPidBased(pidDiskRep) { + if (token) + mAudit = new audit_token_t(*token); + else + mAudit = NULL; } @@ -46,6 +50,17 @@ mach_port_t ProcessCode::getHostingPort() { return SecurityServer::ClientSession().hostingPort(pid()); } + + +int ProcessCode::csops(unsigned int ops, void *addr, size_t size) +{ + // pass pid and audit token both if we have it, or just the pid if we don't + if (mAudit) + return ::csops_audittoken(mPid, ops, addr, size, mAudit); + else + return ::csops(mPid, ops, addr, size); +} + /* * diff --git a/OSX/libsecurity_codesigning/lib/csprocess.h b/OSX/libsecurity_codesigning/lib/csprocess.h index f98126bd..71ee505b 100644 --- a/OSX/libsecurity_codesigning/lib/csprocess.h 
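Review bot: ProcessCode's constructor assigns `mAudit` in the body with a raw `new audit_token_t(*token)` that is paired with a `delete` in the header's destructor; holding the token by value plus a presence flag, or in a std::unique_ptr (the file set already uses C++11 features such as in-class initializers), removes the heap allocation and any double-delete risk should the class ever be copied. If the pointer form is kept, at least move it into the initializer list, `mAudit(token ? new audit_token_t(*token) : NULL)`, between mPid and mPidBased to match the declaration order. A one-line comment on ProcessCode::csops() noting that pid and token are both passed so the kernel can reject a mismatch would tie it to the explanation in locateGuest().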
+++ b/OSX/libsecurity_codesigning/lib/csprocess.h @@ -45,16 +45,21 @@ namespace CodeSigning { // class ProcessCode : public GenericCode { public: - ProcessCode(pid_t pid, PidDiskRep *pidDiskRep = NULL); - ~ProcessCode() throw () { } + ProcessCode(pid_t pid, const audit_token_t* token, PidDiskRep *pidDiskRep = NULL); + ~ProcessCode() throw () { delete mAudit; } pid_t pid() const { return mPid; } - PidDiskRep *pidBased() const { return mPidBased; } + const audit_token_t* audit() const { return mAudit; } + + PidDiskRep *pidBased() const { return mPidBased; } + + int csops(unsigned int ops, void *addr, size_t size); mach_port_t getHostingPort(); private: pid_t mPid; + audit_token_t* mAudit; RefPointer<PidDiskRep> mPidBased; }; diff --git a/OSX/libsecurity_codesigning/lib/csutilities.h b/OSX/libsecurity_codesigning/lib/csutilities.h index 0cc63cb4..dcb0b130 100644 --- a/OSX/libsecurity_codesigning/lib/csutilities.h +++ b/OSX/libsecurity_codesigning/lib/csutilities.h @@ -153,7 +153,7 @@ private: class UidGuard { public: UidGuard() : mPrevious(-1) { } - UidGuard(uid_t uid) : mPrevious(-1) { seteuid(uid); } + UidGuard(uid_t uid) : mPrevious(-1) { (void)seteuid(uid); } ~UidGuard() { if (active()) diff --git a/OSX/libsecurity_codesigning/lib/dirscanner.cpp b/OSX/libsecurity_codesigning/lib/dirscanner.cpp index 0d16d74f..a0cb6361 100644 --- a/OSX/libsecurity_codesigning/lib/dirscanner.cpp +++ b/OSX/libsecurity_codesigning/lib/dirscanner.cpp @@ -25,6 +25,7 @@ #include <unistd.h> #include <security_utilities/cfutilities.h> #include <security_utilities/debugging.h> +#include <security_utilities/logging.h> #include "dirscanner.h" namespace Security { 
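Review bot: `(void)seteuid(uid)` in the UidGuard constructor silences the unused-result warning but leaves a failed privilege switch undetected, so whatever the guarded scope does next runs under the original euid while the caller believes otherwise; for a privilege-changing call the result should be checked, `UnixError::check(::seteuid(uid));`, matching the convention used for other UNIX calls in this diff, unless the callers are documented as best-effort — in which case a comment saying so belongs on this line. The constructor also leaves mPrevious at -1, so the destructor's `active()` test (outside the hunk) presumably does not restore the euid for this form; worth confirming that is intended.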
@@ -69,13 +70,41 @@ void DirScanner::initialize() struct dirent * DirScanner::getNext() { - return readdir(this->dp); + struct dirent* ent; + do { + int rc = readdir_r(this->dp, &this->entBuffer, &ent); + if (rc) + UnixError::throwMe(rc); + } while (ent && (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)); + return ent; } bool DirScanner::initialized() { return this->init; } + +void DirScanner::unlink(const struct dirent* ent, int flags) +{ + UnixError::check(::unlinkat(dirfd(this->dp), ent->d_name, flags)); +} + +bool DirScanner::isRegularFile(dirent* dp) +{ + switch (dp->d_type) { + case DT_REG: + return true; + default: + return false; + case DT_UNKNOWN: + { + struct stat st; + MacOSError::check(::stat((this->path + "/" + dp->d_name).c_str(), &st)); + return S_ISREG(st.st_mode); + } + } +} + DirValidator::~DirValidator() @@ -94,11 +123,11 @@ void DirValidator::validate(const string &root, OSStatus error) Rule *rule = NULL; switch (ent->fts_info) { case FTS_F: - secdebug("dirval", "file %s", ent->fts_path); + secinfo("dirval", "file %s", ent->fts_path); rule = match(relpath, file, executable); break; case FTS_SL: { - secdebug("dirval", "symlink %s", ent->fts_path); + secinfo("dirval", "symlink %s", ent->fts_path); char target[PATH_MAX]; ssize_t len = ::readlink(ent->fts_accpath, target, sizeof(target)-1); if (len < 0) @@ -108,7 +137,7 @@ void DirValidator::validate(const string &root, OSStatus error) break; } case FTS_D: - secdebug("dirval", "entering %s", ent->fts_path); + secinfo("dirval", "entering %s", ent->fts_path); if (ent->fts_level == FTS_ROOTLEVEL) continue; // skip root directory rule = match(relpath, directory, executable); 
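Review bot: In DirScanner::isRegularFile(), the DT_UNKNOWN fallback uses `::stat()`, which follows symlinks, so on a filesystem that does not fill d_type a symlink to a regular file is reported as regular — the opposite of what DT_LNK (landing in `default`) returns and of what the bundlediskrep.cpp callers rely on when rejecting non-regular entries; `::lstat()` (or fstatat with AT_SYMLINK_NOFOLLOW on `dirfd(this->dp)`) gives the consistent answer. The same line wraps a UNIX call in `MacOSError::check`, which would throw with code -1 instead of the errno that `UnixError::check` (as used by unlink() just above) carries: `UnixError::check(::lstat((this->path + "/" + dp->d_name).c_str(), &st));`. The parameter name `dp` shadows the member `DIR *dp`, which is why the body needs `this->dp`; naming it `ent` as in unlink() avoids that, and `default:` placed before `case DT_UNKNOWN:` is legal but reads better reordered.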
@@ -116,10 +145,10 @@ void DirValidator::validate(const string &root, OSStatus error) fts_set(fts, ent, FTS_SKIP); // do not descend break; case FTS_DP: - secdebug("dirval", "leaving %s", ent->fts_path); + secinfo("dirval", "leaving %s", ent->fts_path); continue; default: - secdebug("dirval", "type %d (errno %d): %s", ent->fts_info, ent->fts_errno, ent->fts_path); + secinfo("dirval", "type %d (errno %d): %s", ent->fts_info, ent->fts_errno, ent->fts_path); MacOSError::throwMe(error); // not a file, symlink, or directory } if (!rule) @@ -128,7 +157,7 @@ void DirValidator::validate(const string &root, OSStatus error) reqMatched.insert(rule); } if (reqMatched.size() != mRequireCount) { - secdebug("dirval", "matched %d of %d required rules", reqMatched.size(), mRequireCount); + secinfo("dirval", "matched %lu of %d required rules", reqMatched.size(), mRequireCount); MacOSError::throwMe(error); // not all required rules were matched } } @@ -174,16 +203,20 @@ DirValidator::Rule::~Rule() bool DirValidator::Rule::matchTarget(const char *path, const char *target) const { - if (!mTargetBlock) + if (!mTargetBlock) { + Syslog::notice("code signing internal problem: !mTargetBlock"); MacOSError::throwMe(errSecCSInternalError); + } string pattern = mTargetBlock(path, target); if (pattern.empty()) return true; // always match empty pattern - secdebug("dirval", "%s: match target %s against %s", path, target, pattern.c_str()); + secinfo("dirval", "%s: match target %s against %s", path, target, pattern.c_str()); regex_t re; - if (::regcomp(&re, pattern.c_str(), REG_EXTENDED | REG_NOSUB)) + if (::regcomp(&re, pattern.c_str(), REG_EXTENDED | REG_NOSUB)) { + Syslog::notice("code signing internal problem: failed to compile internal RE"); MacOSError::throwMe(errSecCSInternalError); - int rv = ::regexec(&re, target, 0, NULL, 0); + } + int rv = ::regexec(&re, target, 0, NULL, 0); ::regfree(&re); switch (rv) { case 0: 
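Review bot: `secinfo("dirval", "matched %lu of %d required rules", reqMatched.size(), mRequireCount)` prints a size_t with `%lu`; that matches on LP64 Darwin, but `%zu` is the specifier defined for size_t and avoids a -Wformat finding if this is ever built elsewhere. mRequireCount's type is not visible in the hunk, so `%d` may need the same treatment.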
@@ -191,6 +224,7 @@ bool DirValidator::Rule::matchTarget(const char *path, const char *target) const case REG_NOMATCH: return false; default: + Syslog::notice("code signing internal error: regexec failed error=%d", rv); MacOSError::throwMe(errSecCSInternalError); } } diff --git a/OSX/libsecurity_codesigning/lib/dirscanner.h b/OSX/libsecurity_codesigning/lib/dirscanner.h index ddd5e56f..44d4d381 100644 --- a/OSX/libsecurity_codesigning/lib/dirscanner.h +++ b/OSX/libsecurity_codesigning/lib/dirscanner.h @@ -41,10 +41,14 @@ public: struct dirent *getNext(); // gets the next item out of this DirScanner bool initialized(); // returns false if the constructor failed to initialize the dirent + + void unlink(const struct dirent* ent, int flags); + bool isRegularFile(dirent* dp); private: string path; DIR *dp = NULL; + struct dirent entBuffer; void initialize(); bool init; }; diff --git a/OSX/libsecurity_codesigning/lib/diskimagerep.cpp b/OSX/libsecurity_codesigning/lib/diskimagerep.cpp index 7bc89b48..a24b9e59 100644 --- a/OSX/libsecurity_codesigning/lib/diskimagerep.cpp +++ b/OSX/libsecurity_codesigning/lib/diskimagerep.cpp @@ -45,24 +45,6 @@ static const int32_t udifVersion = 4; // supported image file version // // Temporary hack to imply a fUDIFCryptosigFieldsset at the start of the "reserved" area of an UDIF header // -struct UDIFSigning { - uint64_t fCodeSignatureOffset; - uint64_t fCodeSignatureLength; -}; - -UDIFSigning& sigFields(UDIFFileHeader& header); -const UDIFSigning& sigFields(const UDIFFileHeader& header); - -UDIFSigning& sigFields(UDIFFileHeader& header) -{ - return *(UDIFSigning*)&header.fReserved; -} - -const UDIFSigning& sigFields(const UDIFFileHeader& header) -{ - return *(UDIFSigning*)&header.fReserved; -} - bool DiskImageRep::readHeader(FileDesc& fd, UDIFFileHeader& header) { // the UDIF "header" is in fact the last 512 bytes of the file, with no particular alignment 
@@ -100,12 +82,12 @@ void DiskImageRep::setup() UnixError::throwMe(errSecCSBadDiskImageFormat); mHeaderOffset = fd().fileSize() - sizeof(UDIFFileHeader); - size_t signatureOffset = size_t(n2h(sigFields(this->mHeader).fCodeSignatureOffset)); - size_t signatureLength = size_t(n2h(sigFields(this->mHeader).fCodeSignatureLength)); - sigFields(this->mHeader).fCodeSignatureLength = 0; // blind length (signature covers header) + size_t signatureOffset = size_t(n2h(this->mHeader.fUDIFCodeSignOffset)); + size_t signatureLength = size_t(n2h(this->mHeader.fUDIFCodeSignLength)); + this->mHeader.fUDIFCodeSignLength = 0; // blind length (signature covers header) if (signatureOffset == 0) { mEndOfDataOffset = mHeaderOffset; - sigFields(mHeader).fCodeSignatureOffset = h2n(mHeaderOffset); + mHeader.fUDIFCodeSignOffset = h2n(mHeaderOffset); return; // unsigned, header prepared for possible signing } else { mEndOfDataOffset = signatureOffset; @@ -114,7 +96,9 @@ void DiskImageRep::setup() // read the signature superblob const size_t frameLength = mHeaderOffset - signatureOffset; // room to following header if (EmbeddedSignatureBlob* blob = EmbeddedSignatureBlob::readBlob(fd(), signatureOffset, frameLength)) { - if (blob->length() != frameLength || frameLength != signatureLength) { + if (blob->length() != frameLength + || frameLength != signatureLength + || !blob->strictValidateBlob(frameLength)) { free(blob); MacOSError::throwMe(errSecCSBadDiskImageFormat); } @@ -237,9 +221,10 @@ void DiskImageRep::Writer::flush() // now (re)write disk image header after it UDIFFileHeader fullHeader = rep->mHeader; - sigFields(fullHeader).fCodeSignatureOffset = h2n(location); - sigFields(fullHeader).fCodeSignatureLength = h2n(mSigningData->length()); + fullHeader.fUDIFCodeSignOffset = h2n(location); + fullHeader.fUDIFCodeSignLength = h2n(mSigningData->length()); fd().writeAll(&fullHeader, sizeof(rep->mHeader)); + fd().truncate(fd().position()); } 
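Review bot: `signatureOffset` comes straight from the on-disk UDIF header, but the only check in the `@@ -100,12 +82,12 @@` hunk is `== 0`; an offset beyond `mHeaderOffset` makes `mHeaderOffset - signatureOffset` in the following hunk wrap to a huge `frameLength`, and the new `strictValidateBlob(frameLength)` then validates against that bogus size. Unless `EmbeddedSignatureBlob::readBlob` rejects oversized lengths itself (not visible here), reject it in the else branch: `if (signatureOffset > mHeaderOffset) MacOSError::throwMe(errSecCSBadDiskImageFormat);`. `setup()` continues outside both hunks.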
diff --git a/OSX/libsecurity_codesigning/lib/diskrep.cpp b/OSX/libsecurity_codesigning/lib/diskrep.cpp index 0501e377..7663919e 100644 --- a/OSX/libsecurity_codesigning/lib/diskrep.cpp +++ b/OSX/libsecurity_codesigning/lib/diskrep.cpp @@ -209,6 +209,10 @@ void DiskRep::flush() // nothing cached } +CFDictionaryRef DiskRep::diskRepInformation() +{ + return NULL; +} CFDictionaryRef DiskRep::defaultResourceRules(const SigningContext &) { diff --git a/OSX/libsecurity_codesigning/lib/diskrep.h b/OSX/libsecurity_codesigning/lib/diskrep.h index 21d2d5a8..78239ae9 100644 --- a/OSX/libsecurity_codesigning/lib/diskrep.h +++ b/OSX/libsecurity_codesigning/lib/diskrep.h @@ -74,6 +74,7 @@ public: virtual CFArrayRef modifiedFiles(); // list of files modified by signing [main execcutable only] virtual UnixPlusPlus::FileDesc &fd() = 0; // a cached file descriptor for main executable file virtual void flush(); // flush caches (refetch as needed) + virtual CFDictionaryRef diskRepInformation(); // information from diskrep // default values for signing operations virtual std::string recommendedIdentifier(const SigningContext &ctx) = 0; // default identifier diff --git a/OSX/libsecurity_codesigning/lib/evaluationmanager.cpp b/OSX/libsecurity_codesigning/lib/evaluationmanager.cpp index bb513fb3..e2c5cd42 100644 --- a/OSX/libsecurity_codesigning/lib/evaluationmanager.cpp +++ b/OSX/libsecurity_codesigning/lib/evaluationmanager.cpp @@ -24,6 +24,8 @@ #include "evaluationmanager.h" #include "policyengine.h" #include <security_utilities/cfmunge.h> +#include <Security/SecEncodeTransform.h> +#include <Security/SecDigestTransform.h> #include <xpc/xpc.h> #include <exception> #include <vector> 
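Review bot: The new `diskRepInformation()` declaration in the diskrep.h hunk is commented only as `information from diskrep`, which says nothing about ownership or the NULL case; the base implementation returns NULL and the Mach-O override in this commit returns `info.yield()`, so the caller owns the result. Suggest `virtual CFDictionaryRef diskRepInformation();   // rep-specific info dictionary (+1, caller releases), or NULL if the rep has none`.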
@@ -34,8 +36,49 @@ namespace Security { namespace CodeSigning { +#pragma mark - + +static CFStringRef EvaluationTaskCreateKey(CFURLRef path, AuthorityType type) +{ + CFErrorRef errors = NULL; + + /* concatenate the type and the path before hashing */ + string pathString = std::to_string(type)+cfString(path); + CFRef<CFDataRef> data = makeCFData(pathString.c_str(), pathString.size()); + CFRef<SecGroupTransformRef> group = SecTransformCreateGroupTransform(); + CFRef<SecTransformRef> sha1 = SecDigestTransformCreate(kSecDigestSHA2, 256, &errors); + if( errors ) + { + CFError::throwMe(); + } + + CFRef<SecTransformRef> b64 = SecEncodeTransformCreate(kSecBase64Encoding, &errors); + if ( errors ) + { + CFError::throwMe(); + } + + SecTransformSetAttribute(sha1, kSecTransformInputAttributeName, data, &errors); + if ( errors ) + { + CFError::throwMe(); + } + + SecTransformConnectTransforms(sha1, kSecTransformOutputAttributeName, b64, kSecTransformInputAttributeName, group, &errors); + if ( errors ) + { + CFError::throwMe(); + } + + CFRef<CFDataRef> keyData = (CFDataRef)SecTransformExecute(group, &errors); + if ( errors ) + { + CFError::throwMe(); + } + return makeCFString(keyData); +} #pragma mark - EvaluationTask 
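Review bot: Every error path in `EvaluationTaskCreateKey` calls `CFError::throwMe()` without its argument, so the `CFErrorRef` the transform API filled in is neither reported nor released. If the project's `CFError::throwMe` has an overload taking the error, pass (and consume) `errors` there; otherwise at least `CFRelease(errors)` before throwing. The result of `SecTransformExecute` is also cast to `CFDataRef` unchecked and handed to `makeCFString`, so a NULL return with no error set reaches it; `if (!keyData) MacOSError::throwMe(errSecCSInternalError);` before the return closes that gap. The five identical `if (errors) { … }` blocks would read better as one small static helper.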
@@ -56,15 +99,21 @@ public: private: EvaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type); virtual ~EvaluationTask(); + + // Tasks cannot be copied. + EvaluationTask(EvaluationTask const&) = delete; + EvaluationTask& operator=(EvaluationTask const&) = delete; + void performEvaluation(SecAssessmentFlags flags, CFDictionaryRef context); void waitForCompletion(SecAssessmentFlags flags, CFMutableDictionaryRef result); + void kick(); PolicyEngine *mPolicyEngine; AuthorityType mType; dispatch_queue_t mWorkQueue; dispatch_queue_t mFeedbackQueue; dispatch_semaphore_t mAssessmentLock; - __block dispatch_once_t mAssessmentKicked; + dispatch_once_t mAssessmentKicked; int32_t mReferenceCount; int32_t mEvalCount; // This whole thing is a pre-existing crutch and must be fixed soon. 
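Review bot: `mAssessmentKicked` stays a `dispatch_once_t` member of a heap-allocated `EvaluationTask` (the hunk only drops `__block`), while `dispatch_once` is documented to require a predicate in static or global storage; the predicate dying with the task is exactly the lifetime problem the comment in `performEvaluation` now works around via `kickTask`. Since `kick()` is the single signal point, a plain flag guarded by the existing queue, or an atomic compare-and-swap, would give the same once-only semantics without relying on unsupported storage. At minimum annotate the member: `dispatch_once_t mAssessmentKicked;   // NB: heap storage is outside dispatch_once's documented contract; only touched via kick()`. The class definition starts before this hunk.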
@@ -199,16 +248,14 @@ void EvaluationTask::performEvaluation(SecAssessmentFlags flags, CFDictionaryRef // This whole thing is a crutch and should be handled differently. // Maybe by having just one activity that just kicks off all remaining // background assessments, CTS determines that it's a good time. + + // Convert the evaluation path and type to a base64 encoded hash to use as a key + // Use that to generate an xpc_activity identifier. This identifier should be smaller + // than 128 characters due to rdar://problem/20094806 - // reduce the bundle path name to just the app component and generate an - // xpc_activity identifier from it. this identifier should be smaller than - // 128 characters due to rdar://problem/20094806 - string path = cfString(mPath); - size_t bundleNamePosition = path.rfind('/'); - const char *bundleName = "/default"; - if (bundleNamePosition != string::npos) - bundleName = path.c_str() + bundleNamePosition; - snprintf(mXpcActivityName, UNOFFICIAL_MAX_XPC_ID_LENGTH, "com.apple.security.assess%s", bundleName); + CFCopyRef<CFStringRef> cfKey(EvaluationTaskCreateKey(mPath, mType)); + string key = cfStringRelease(cfKey); + snprintf(mXpcActivityName, UNOFFICIAL_MAX_XPC_ID_LENGTH, "com.apple.security.assess/%s", key.c_str()); // schedule the assessment to be permitted to run (beyond start) -- this // will either happen once we're no longer on battery power, or @@ -222,9 +269,9 @@ void EvaluationTask::performEvaluation(SecAssessmentFlags flags, CFDictionaryRef xpc_dictionary_set_bool(criteria, XPC_ACTIVITY_ALLOW_BATTERY, false); xpc_activity_register(mXpcActivityName, criteria, ^(xpc_activity_t activity) { - dispatch_once(&mAssessmentKicked, ^{ - dispatch_semaphore_signal(mAssessmentLock); - }); + // We use the Evaluation Manager to get the task, as the task may be gone already + // (and with it, its mAssessmentKicked member). + EvaluationManager::globalManager()->kickTask(cfKey); }); xpc_release(criteria); } 
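Review bot: The ownership of the key in the `@@ -199,16 +248,14 @@` hunk is hard to follow: `EvaluationTaskCreateKey` returns a created (+1) string, `CFCopyRef` retains it again, `cfStringRelease` consumes one reference, and the block registered in the next hunk captures `cfKey` by copy so it outlives the function. That is balanced only if `cfStringRelease` really consumes its argument and `CFCopyRef` really retains on construction — neither is visible here — so a one-line comment stating the intended count would stop the next reader from "fixing" it: `// cfKey: +1 from create, +1 from CFCopyRef; cfStringRelease consumes one, the block's copy keeps the other alive`. `performEvaluation` begins before this hunk.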
@@ -234,13 +281,15 @@ void EvaluationTask::performEvaluation(SecAssessmentFlags flags, CFDictionaryRef // with an existing task has been requested in the foreground, kick it // immediately. if (!lowPriority) { - dispatch_once(&mAssessmentKicked, ^{ - dispatch_semaphore_signal(mAssessmentLock); - }); + kick(); } } - +void EvaluationTask::kick() { + dispatch_once(&mAssessmentKicked, ^{ + dispatch_semaphore_signal(mAssessmentLock); + }); +} void EvaluationTask::waitForCompletion(SecAssessmentFlags flags, CFMutableDictionaryRef result) { @@ -319,15 +368,16 @@ EvaluationTask *EvaluationManager::evaluationTask(PolicyEngine *engine, CFURLRef __block EvaluationTask *evalTask = NULL; dispatch_sync(mListLockQueue, ^{ + CFRef<CFStringRef> key = EvaluationTaskCreateKey(path, type); // is path already being evaluated? if (!(flags & kSecAssessmentFlagIgnoreActiveAssessments)) - evalTask = (EvaluationTask *)CFDictionaryGetValue(mCurrentEvaluations.get(), path); + evalTask = (EvaluationTask *)CFDictionaryGetValue(mCurrentEvaluations.get(), key.get()); if (!evalTask) { // create a new task for the evaluation evalTask = new EvaluationTask(engine, path, type); if (flags & kSecAssessmentFlagIgnoreActiveAssessments) evalTask->setUnsharable(); - CFDictionaryAddValue(mCurrentEvaluations.get(), path, evalTask); + CFDictionaryAddValue(mCurrentEvaluations.get(), key.get(), evalTask); } evalTask->mReferenceCount++; }); 
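Review bot: `EvaluationTaskCreateKey` can throw (it calls `CFError::throwMe()` on any transform failure), and the `@@ -319,15 +368,16 @@` hunk now calls it inside the `dispatch_sync(mListLockQueue, ^{ … })` block; a C++ exception unwinding out of a block through libdispatch's C frames is not supported and terminates the process instead of reaching the caller. Compute the key before entering the block (`CFRef<CFStringRef> key = EvaluationTaskCreateKey(path, type);` above the `dispatch_sync`, captured by the block) so the throw happens on the caller's stack; the same applies to `removeTask` in the next hunk. `evaluationTask` starts before this hunk.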
@@ -354,16 +404,26 @@ void EvaluationManager::finalizeTask(EvaluationTask *task, SecAssessmentFlags fl void EvaluationManager::removeTask(EvaluationTask *task) { dispatch_sync(mListLockQueue, ^{ + CFRef<CFStringRef> key = EvaluationTaskCreateKey(task->path(), task->type()); // are we done with this evaluation task? if (--task->mReferenceCount == 0) { // yes -- remove it from our list and delete the object - CFDictionaryRemoveValue(mCurrentEvaluations.get(), task->path()); + CFDictionaryRemoveValue(mCurrentEvaluations.get(), key.get()); delete task; } }); } - +void EvaluationManager::kickTask(CFStringRef key) +{ + dispatch_sync(mListLockQueue, ^{ + EvaluationTask *evalTask = (EvaluationTask*)CFDictionaryGetValue(mCurrentEvaluations.get(), + key); + if (evalTask != NULL) { + evalTask->kick(); + } + }); +} } // end namespace CodeSigning } // end namespace Security diff --git a/OSX/libsecurity_codesigning/lib/evaluationmanager.h b/OSX/libsecurity_codesigning/lib/evaluationmanager.h index 100fa2ea..beb46398 100644 --- a/OSX/libsecurity_codesigning/lib/evaluationmanager.h +++ b/OSX/libsecurity_codesigning/lib/evaluationmanager.h @@ -45,6 +45,8 @@ public: EvaluationTask *evaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result); void finalizeTask(EvaluationTask *task, SecAssessmentFlags flags, CFMutableDictionaryRef result); + void kickTask(CFStringRef key); + private: CFCopyRef<CFMutableDictionaryRef> mCurrentEvaluations; diff --git a/OSX/libsecurity_codesigning/lib/filediskrep.cpp b/OSX/libsecurity_codesigning/lib/filediskrep.cpp index d0e294dc..e280fc13 100644 --- a/OSX/libsecurity_codesigning/lib/filediskrep.cpp +++ b/OSX/libsecurity_codesigning/lib/filediskrep.cpp 
@@ -110,7 +110,7 @@ const Requirements *FileDiskRep::defaultRequirements(const Architecture *, const buffer[length] = '\0'; char *cmd = buffer + 2; cmd[strcspn(cmd, " \t\n\r\f")] = '\0'; - secdebug("filediskrep", "looks like a script for %s", cmd); + secinfo("filediskrep", "looks like a script for %s", cmd); if (cmd[1]) try { // find path on disk, get designated requirement (if signed) @@ -125,7 +125,7 @@ const Requirements *FileDiskRep::defaultRequirements(const Architecture *, const return maker.make(); } } catch (...) { - secdebug("filediskrep", "exception getting host requirement (ignored)"); + secinfo("filediskrep", "exception getting host requirement (ignored)"); } } return NULL; @@ -137,7 +137,6 @@ string FileDiskRep::format() return "generic"; } - // // FileDiskRep::Writers // diff --git a/OSX/libsecurity_codesigning/lib/machorep.cpp b/OSX/libsecurity_codesigning/lib/machorep.cpp index de4b43a4..59a256b3 100644 --- a/OSX/libsecurity_codesigning/lib/machorep.cpp +++ b/OSX/libsecurity_codesigning/lib/machorep.cpp @@ -27,6 +27,9 @@ #include "machorep.h" #include "StaticCode.h" #include "reqmaker.h" +#include <security_utilities/logging.h> +#include <security_utilities/cfmunge.h> + namespace Security { @@ -105,7 +108,8 @@ Universal *MachORep::mainExecutableImage() void MachORep::prepareForSigning(SigningContext &context) { if (context.digestAlgorithms().empty()) { - MachO *macho = mainExecutableImage()->architecture(); + auto_ptr<MachO> macho(mainExecutableImage()->architecture()); + if (const version_min_command *version = macho->findMinVersion()) { uint32_t limit = 0; switch (macho->flip(version->cmd)) { @@ -149,6 +153,12 @@ size_t MachORep::signingBase() { return mainExecutableImage()->archOffset(); } + +size_t MachORep::signingLimit() +{ + auto_ptr<MachO> macho(mExecutable->architecture()); + return macho->signingExtent(); +} // 
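Review bot: The new `MachORep::signingLimit()` reads `mExecutable->architecture()` directly, while `prepareForSigning` in the previous hunk and `diskRepInformation` later in this file go through `mainExecutableImage()->architecture()`; since `flush()` replaces `mExecutable`, the direct access can see a null or stale image if the accessor is what (re)loads it. For consistency use `auto_ptr<MachO> macho(mainExecutableImage()->architecture());` here too, with a one-line comment such as `// the signature must cover exactly the Mach-O image's own signing extent`. `auto_ptr` is deprecated since C++11; `std::unique_ptr` is the drop-in replacement if the project builds with that standard.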
@@ -223,11 +233,11 @@ CFDataRef MachORep::embeddedComponent(CodeDirectory::SpecialSlot slot) size_t offset = macho->flip(cs->dataoff); size_t length = macho->flip(cs->datasize); if ((mSigningData = EmbeddedSignatureBlob::readBlob(macho->fd(), macho->offset() + offset, length))) { - secdebug("machorep", "%zd signing bytes in %d blob(s) from %s(%s)", + secinfo("machorep", "%zd signing bytes in %d blob(s) from %s(%s)", mSigningData->length(), mSigningData->count(), mainExecutablePath().c_str(), macho->architecture().name()); } else { - secdebug("machorep", "failed to read signing bytes from %s(%s)", + secinfo("machorep", "failed to read signing bytes from %s(%s)", mainExecutablePath().c_str(), macho->architecture().name()); MacOSError::throwMe(errSecCSSignatureInvalid); } @@ -259,7 +269,7 @@ CFDataRef MachORep::infoPlist() } } } catch (...) { - secdebug("machorep", "exception reading embedded Info.plist"); + secinfo("machorep", "exception reading embedded Info.plist"); } return info.yield(); } @@ -306,6 +316,30 @@ void MachORep::flush() mExecutable = new Universal(fd(), offset, length); } +CFDictionaryRef MachORep::diskRepInformation() +{ + auto_ptr<MachO> macho (mainExecutableImage()->architecture()); + CFRef<CFDictionaryRef> info; + + if (const version_min_command *version = macho->findMinVersion()) { + + info.take(cfmake<CFMutableDictionaryRef>("{%O = %d,%O = %d,%O = %d}", + kSecCodeInfoDiskRepOSPlatform, macho->flip(version->cmd), + kSecCodeInfoDiskRepOSVersionMin, macho->flip(version->version), + kSecCodeInfoDiskRepOSSDKVersion, macho->flip(version->sdk))); + + if (macho->flip(version->cmd) == LC_VERSION_MIN_MACOSX && + macho->flip(version->sdk) < (10 << 16 | 9 << 8)) + { + info.take(cfmake<CFMutableDictionaryRef>("{+%O, %O = 'OS X SDK version before 10.9 does not support Library Validation'}", + info.get(), + kSecCodeInfoDiskRepNoLibraryValidation)); + } + } + + return info.yield(); +} + // // Return a recommended unique identifier. 
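Review bot: `(10 << 16 | 9 << 8)` in `diskRepInformation` is the packed `version_min_command` form of OS X 10.9, but nothing says so; a named constant would make the comparison self-explaining, e.g. `static const uint32_t sdkVersionLibraryValidation = (10 << 16) | (9 << 8);   // 10.9.0, first SDK supporting library validation`. The function also returns NULL for images without an `LC_VERSION_MIN_*` load command, which matches the base class but deserves a comment at `return info.yield();` since callers receive a +1 dictionary or NULL.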
@@ -359,7 +393,7 @@ Requirement *MachORep::libraryRequirements(const Architecture *arch, const Signi size_t length = macho->flip(ldep->datasize); if (LibraryDependencyBlob *deplist = LibraryDependencyBlob::readBlob(macho->fd(), macho->offset() + offset, length)) { try { - secdebug("machorep", "%zd library dependency bytes in %d blob(s) from %s(%s)", + secinfo("machorep", "%zd library dependency bytes in %d blob(s) from %s(%s)", deplist->length(), deplist->count(), mainExecutablePath().c_str(), macho->architecture().name()); unsigned count = deplist->count(); @@ -378,13 +412,13 @@ Requirement *MachORep::libraryRequirements(const Architecture *arch, const Signi MacOSError::check(SecRequirementCopyData(areq, kSecCSDefaultFlags, &reqData.aref())); req = Requirement::specific((const BlobCore *)CFDataGetBytePtr(reqData)); } else { - secdebug("machorep", "unexpected blob type 0x%x in slot %d of binary dependencies", dep->magic(), n); + secinfo("machorep", "unexpected blob type 0x%x in slot %d of binary dependencies", dep->magic(), n); continue; } chain.add(); maker.copy(req); } else - secdebug("machorep", "missing DR info for library index %d", n); + secinfo("machorep", "missing DR info for library index %d", n); } ::free(deplist); } catch (...) { 
@@ -414,18 +448,11 @@ size_t MachORep::pageSize(const SigningContext &) // void MachORep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated, SecCSFlags flags) { - DiskRep::strictValidate(cd, tolerated, flags); + SingleDiskRep::strictValidate(cd, tolerated, flags); // if the constructor found suspicious issues, fail a struct validation now if (mExecutable->isSuspicious() && tolerated.find(errSecCSBadMainExecutable) == tolerated.end()) MacOSError::throwMe(errSecCSBadMainExecutable); - - // the signature's code extent must be what we would have picked (no funny hand editing) - if (cd) { - auto_ptr<MachO> macho(mExecutable->architecture()); - if (cd->signingLimit() != macho->signingExtent()) - MacOSError::throwMe(errSecCSSignatureInvalid); - } } @@ -447,6 +474,7 @@ DiskRep::Writer *MachORep::writer() void MachORep::Writer::component(CodeDirectory::SpecialSlot slot, CFDataRef data) { assert(false); + Syslog::notice("code signing internal error: trying to write Mach-O component directly"); MacOSError::throwMe(errSecCSInternalError); } diff --git a/OSX/libsecurity_codesigning/lib/machorep.h b/OSX/libsecurity_codesigning/lib/machorep.h index 214efb6a..7692fde1 100644 --- a/OSX/libsecurity_codesigning/lib/machorep.h +++ b/OSX/libsecurity_codesigning/lib/machorep.h @@ -55,8 +55,10 @@ public: Universal *mainExecutableImage(); void prepareForSigning(SigningContext &context); size_t signingBase(); + size_t signingLimit(); std::string format(); - + CFDictionaryRef diskRepInformation(); + std::string recommendedIdentifier(const SigningContext &ctx); const Requirements *defaultRequirements(const Architecture *arch, const SigningContext &ctx); size_t pageSize(const SigningContext &ctx); diff --git a/OSX/libsecurity_codesigning/lib/piddiskrep.cpp b/OSX/libsecurity_codesigning/lib/piddiskrep.cpp index f3488088..3b54434a 100644 --- a/OSX/libsecurity_codesigning/lib/piddiskrep.cpp +++ b/OSX/libsecurity_codesigning/lib/piddiskrep.cpp 
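Review bot: The `@@ -414,18 +448,11 @@` hunk deletes the check that `cd->signingLimit()` equals the Mach-O's `signingExtent()` ("no funny hand editing") without a replacement in this file. If the intent is that the new `MachORep::signingLimit()` override lets `SingleDiskRep::strictValidate` do the same comparison generically, record that at the replaced call: `// extent check now performed by SingleDiskRep::strictValidate via signingLimit()`. If `SingleDiskRep::strictValidate` does not compare against `signingLimit()` (it is not in this diff), a hand-edited signing extent is no longer rejected under strict validation.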
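Review bot: In `MachORep::Writer::component` the new `Syslog::notice` sits after `assert(false)`, so in debug builds the process aborts before the message is logged and in release builds the assert is compiled out. Either order the lines `Syslog::notice("code signing internal error: trying to write Mach-O component directly"); assert(false); MacOSError::throwMe(errSecCSInternalError);` or drop the assert now that the condition is logged and thrown.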
@@ -32,10 +32,23 @@ namespace Security { namespace CodeSigning { using namespace UnixPlusPlus; - + + +void +PidDiskRep::setCredentials(const Security::CodeSigning::CodeDirectory *cd) +{ + // save the Info.plist slot + if (cd->slotIsPresent(cdInfoSlot)) { + mInfoPlistHash.take(makeCFData((*cd)[cdInfoSlot], cd->hashSize)); + } +} + void PidDiskRep::fetchData(void) { + if (mDataFetched) // once + return; + xpc_connection_t conn = xpc_connection_create("com.apple.CodeSigningHelper", dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0)); xpc_connection_set_event_handler(conn, ^(xpc_object_t object){ }); @@ -45,6 +58,7 @@ PidDiskRep::fetchData(void) assert(request != NULL); xpc_dictionary_set_string(request, "command", "fetchData"); xpc_dictionary_set_int64(request, "pid", mPid); + xpc_dictionary_set_data(request, "infohash", CFDataGetBytePtr(mInfoPlistHash), CFDataGetLength(mInfoPlistHash)); xpc_object_t reply = xpc_connection_send_message_with_reply_sync(conn, request); if (reply && xpc_get_type(reply) == XPC_TYPE_DICTIONARY) { @@ -70,10 +84,13 @@ PidDiskRep::fetchData(void) if (!mBundleURL) MacOSError::throwMe(errSecCSNoSuchCode); + + mDataFetched = true; } PidDiskRep::PidDiskRep(pid_t pid, CFDataRef infoPlist) + : mDataFetched(false) { BlobCore header; CODESIGN_DISKREP_CREATE_KERNEL(this); @@ -81,7 +98,7 @@ PidDiskRep::PidDiskRep(pid_t pid, CFDataRef infoPlist) mPid = pid; mInfoPlist = infoPlist; - fetchData(); +// fetchData(); int rcent = ::csops(pid, CS_OPS_BLOB, &header, sizeof(header)); if (rcent == 0) 
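Review bot: `xpc_dictionary_set_data(request, "infohash", CFDataGetBytePtr(mInfoPlistHash), CFDataGetLength(mInfoPlistHash))` in the `@@ -45,6 +58,7 @@` hunk dereferences `mInfoPlistHash` unconditionally, but it is only populated by `setCredentials()` when the CodeDirectory has an Info slot, and `fetchData()` is now triggered lazily from the accessors, so a `PidDiskRep` that never received credentials passes NULL to `CFDataGetBytePtr`. Guard it: `if (mInfoPlistHash) xpc_dictionary_set_data(request, "infohash", CFDataGetBytePtr(mInfoPlistHash), CFDataGetLength(mInfoPlistHash));`, and decide explicitly whether a missing hash means "do not verify" or is an error, since that now shapes what the helper returns. `fetchData` continues outside this hunk.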
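Review bot: `// fetchData();` in the `@@ -81,7 +98,7 @@` constructor hunk is commented-out code; since fetching is now triggered lazily by the accessors, delete the line and state the reason instead: `// data is fetched lazily (see fetchData()) so that setCredentials() can run first`. `mDataFetched` is also only set after the last `throwMe`, so a failed fetch is retried on the next accessor call — worth a comment if that is intended.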
@@ -112,17 +129,20 @@ PidDiskRep::~PidDiskRep() bool PidDiskRep::supportInfoPlist() { + fetchData(); return mInfoPlist; } CFDataRef PidDiskRep::component(CodeDirectory::SpecialSlot slot) { - if (slot == cdInfoSlot) - return mInfoPlist.retain(); + if (slot == cdInfoSlot) { + fetchData(); + return mInfoPlist.retain(); + } - EmbeddedSignatureBlob *b = (EmbeddedSignatureBlob *)this->blob(); - return b->component(slot); + EmbeddedSignatureBlob *b = (EmbeddedSignatureBlob *)this->blob(); + return b->component(slot); } CFDataRef PidDiskRep::identification() @@ -133,7 +153,8 @@ CFDataRef PidDiskRep::identification() CFURLRef PidDiskRep::copyCanonicalPath() { - return mBundleURL.retain(); + fetchData(); + return mBundleURL.retain(); } string PidDiskRep::recommendedIdentifier(const SigningContext &) diff --git a/OSX/libsecurity_codesigning/lib/piddiskrep.h b/OSX/libsecurity_codesigning/lib/piddiskrep.h index fc1e3249..fddb34cf 100644 --- a/OSX/libsecurity_codesigning/lib/piddiskrep.h +++ b/OSX/libsecurity_codesigning/lib/piddiskrep.h @@ -50,17 +50,22 @@ public: size_t signingLimit(); std::string format(); UnixPlusPlus::FileDesc &fd(); - + std::string recommendedIdentifier(const SigningContext &ctx); bool supportInfoPlist(); + + void setCredentials(const CodeDirectory* cd); + private: const BlobCore *blob() { return (const BlobCore *)mBuffer; } void fetchData(void); pid_t mPid; uint8_t *mBuffer; + CFRef<CFDataRef> mInfoPlistHash; CFRef<CFDataRef> mInfoPlist; CFRef<CFURLRef> mBundleURL; + bool mDataFetched; }; diff --git a/OSX/libsecurity_codesigning/lib/policydb.cpp b/OSX/libsecurity_codesigning/lib/policydb.cpp index af49aa9e..94d1bbc8 100644 --- a/OSX/libsecurity_codesigning/lib/policydb.cpp +++ b/OSX/libsecurity_codesigning/lib/policydb.cpp 
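Review bot: The piddiskrep.h hunk adds `setCredentials`, `mInfoPlistHash` and `mDataFetched` without documenting the new ordering contract: `fetchData()` is now invoked lazily by `supportInfoPlist()`, `component()` and `copyCanonicalPath()`, so those previously non-throwing accessors can now throw `errSecCSNoSuchCode`, and `setCredentials()` must run before the first of them for the hash to be sent. Suggest `void setCredentials(const CodeDirectory* cd);   // records the Info.plist hash sent to the helper; call before any accessor that triggers fetchData()` and, on the flag, `bool mDataFetched;   // set once fetchData() has completed; accessors fetch lazily`.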
@@ -282,6 +282,10 @@ void PolicyDatabase::upgradeDatabase() "INSERT INTO authority (type, allow, flags, label, requirement) VALUES (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists')"); addDevID.execute(); }); + + simpleFeature("root_only", ^{ + UnixError::check(::chmod(dbPath(), S_IRUSR | S_IWUSR)); + }); } @@ -303,7 +307,7 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil CFDictionaryRef content = auth.get<CFDictionaryRef>(CFSTR("authority")); std::string authUUID = cfString(auth.get<CFStringRef>(CFSTR("uuid"))); if (authUUID.empty()) { - secdebug("gkupgrade", "no uuid in auth file; ignoring gke.auth"); + secinfo("gkupgrade", "no uuid in auth file; ignoring gke.auth"); return; } std::string dbUUID; @@ -311,7 +315,7 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil if (uuidQuery.nextRow()) dbUUID = (const char *)uuidQuery[0]; if (dbUUID == authUUID) { - secdebug("gkupgrade", "gke.auth already present, ignoring"); + secinfo("gkupgrade", "gke.auth already present, ignoring"); return; } Syslog::notice("loading GKE %s (replacing %s)", authUUID.c_str(), dbUUID.empty() ? "nothing" : dbUUID.c_str()); @@ -325,7 +329,7 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil db.storeCode(blob, "<remote>"); count++; } - secdebug("gkupgrade", "%d detached signature(s) loaded from override data", count); + secinfo("gkupgrade", "%d detached signature(s) loaded from override data", count); fclose(sigs); } 
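Review bot: The new `root_only` feature in the `@@ -282,6 +282,10 @@` hunk calls `::chmod(dbPath(), …)` by path on a database that is already open; a path-based chmod follows symlinks and can be raced if any path component is writable by another user, whereas `fchmod` on the open descriptor acts on the file actually in use. If the SQLite wrapper exposes its descriptor, prefer `UnixError::check(::fchmod(<db fd>, S_IRUSR | S_IWUSR));`; otherwise a comment that `/var/db` is root-owned and the race is accepted would record the reasoning. Note that the mode only tightens permissions; ownership is left as found.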
@@ -350,8 +354,12 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil uint32_t flags = kAuthorityFlagWhitelist; if (CFNumberRef versionRef = info.get<CFNumberRef>("version")) { int version = cfNumber<int>(versionRef); - if (version >= 2) + if (version >= 2) { flags |= kAuthorityFlagWhitelistV2; + if (version >= 3) { + flags |= kAuthorityFlagWhitelistSHA256; + } + } } insert.reset(); insert.bind(":type") = cfString(info.get<CFStringRef>(CFSTR("type"))); @@ -368,9 +376,25 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil // update version and commit addFeature("gke", authUUID.c_str(), "gke loaded"); loadAuth.commit(); + /* now that we have moved to a bundle for gke files, delete any old style files we find + This is really just a best effort cleanup, so we don't care about errors. */ + if (access(gkeAuthFile_old, F_OK) == 0) + { + if (unlink(gkeAuthFile_old) == 0) + { + Syslog::notice("Deleted old style gke file (%s)", gkeAuthFile_old); + } + } + if (access(gkeSigsFile_old, F_OK) == 0) + { + if (unlink(gkeSigsFile_old) == 0) + { + Syslog::notice("Deleted old style gke file (%s)", gkeSigsFile_old); + } + } } } catch (...) { - secdebug("gkupgrade", "exception during GKE upgrade"); + secinfo("gkupgrade", "exception during GKE upgrade"); } } diff --git a/OSX/libsecurity_codesigning/lib/policydb.h b/OSX/libsecurity_codesigning/lib/policydb.h index 65dded83..a4c58920 100644 --- a/OSX/libsecurity_codesigning/lib/policydb.h +++ b/OSX/libsecurity_codesigning/lib/policydb.h 
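Review bot: The old-file cleanup in the `@@ -368,9 +376,25 @@` hunk checks `access(...) == 0` before `unlink(...)`, a time-of-check/time-of-use pattern that buys nothing here because `unlink` already reports a missing file via `ENOENT`. Collapse each block to `if (::unlink(gkeAuthFile_old) == 0) Syslog::notice("Deleted old style gke file (%s)", gkeAuthFile_old);` (and the same for `gkeSigsFile_old`), which keeps the stated best-effort semantics while dropping the redundant syscall. Since the two blocks differ only in the path, a small static helper would also remove the duplication. `installExplicitSet` starts before this hunk.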
@@ -43,8 +43,11 @@ static const char lastRejectFile[] = "/var/db/.LastGKReject"; static const char lastApprovedFile[] = "/var/db/.LastGKApp"; static const char rearmTimerFile[] = "/var/db/.GKRearmTimer"; -static const char gkeAuthFile[] = "/var/db/gke.auth"; -static const char gkeSigsFile[] = "/var/db/gke.sigs"; +static const char gkeAuthFile_old[] = "/var/db/gke.auth"; +static const char gkeSigsFile_old[] = "/var/db/gke.sigs"; +static const char gkeAuthFile[] = "/var/db/gke.bundle/Contents/Resources/gke.auth"; +static const char gkeSigsFile[] = "/var/db/gke.bundle/Contents/Resources/gke.sigs"; + static const unsigned int gkeCheckInterval = 60; // seconds diff --git a/OSX/libsecurity_codesigning/lib/policyengine.cpp b/OSX/libsecurity_codesigning/lib/policyengine.cpp index 3f49aebd..f9fc17ed 100644 --- a/OSX/libsecurity_codesigning/lib/policyengine.cpp +++ b/OSX/libsecurity_codesigning/lib/policyengine.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2011-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -100,6 +100,15 @@ void PolicyEngine::evaluate(CFURLRef path, AuthorityType type, SecAssessmentFlag } +// +// Create GKE whitelist filter screens. +// These are strings that are used to determine quickly whether unsigned code may +// have a GKE-style whitelist entry in the authority database. The idea is to make +// up a decent hash quickly. +// +// Note: We continue to use SHA1 here for compatibility of existing GKE entries. +// These are a prescreen, backed up by code signature checks later on. Use of SHA1 here is not a security problem. +// static std::string createWhitelistScreen(char type, const Byte *digest, size_t length) { char buffer[2*length + 2]; 
@@ -109,6 +118,38 @@ static std::string createWhitelistScreen(char type, const Byte *digest, size_t l return buffer; } +static std::string createWhitelistScreen(SecStaticCodeRef code) +{ + DiskRep *rep = SecStaticCode::requiredStatic(code)->diskRep(); + std::string screen; + if (CFRef<CFDataRef> info = rep->component(cdInfoSlot)) { + // has an Info.plist - hash it + SHA1 hash; + hash.update(CFDataGetBytePtr(info), CFDataGetLength(info)); + SHA1::Digest digest; + hash.finish(digest); + return createWhitelistScreen('I', digest, sizeof(digest)); + } else if (CFRef<CFDataRef> repSpecific = rep->component(cdRepSpecificSlot)) { + // has a rep-specific slot - hash that (this catches disk images cheaply) + // got invented after SHA-1 deprecation, so we'll use SHA256, which is the new default + CCHashInstance hash(kCCDigestSHA256); + hash.update(CFDataGetBytePtr(repSpecific), CFDataGetLength(repSpecific)); + Byte digest[256/8]; + hash.finish(digest); + return createWhitelistScreen('R', digest, sizeof(digest)); + } else if (rep->mainExecutableImage()) { + // stand-alone Mach-O executables are always candidates + return "N"; + } else { + // if everything else fails, hash the (single) file + SHA1 hash; + hashFileData(rep->mainExecutablePath().c_str(), &hash); + SHA1::Digest digest; + hash.finish(digest); + return createWhitelistScreen('M', digest, sizeof(digest)); + } +} + void PolicyEngine::evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, bool nested, CFMutableDictionaryRef result) { @@ -154,7 +195,7 @@ void PolicyEngine::evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, Author } // current rule is first rule (in priority order) that matched. Apply it - if (nested) // success, nothing to record + if (nested && allow) // success, nothing to record return; CFRef<CFDictionaryRef> info; // as needed 
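Review bot: `std::string screen;` in the new `createWhitelistScreen(SecStaticCodeRef)` is never assigned or read — every branch returns directly — so it should be removed; it is a leftover from the inlined code that the `@@ -229,30 +270,7 @@` hunk deletes. The function also lacks a header comment; one line such as `// Compute the whitelist prescreen string for a piece of static code (encoding as in the (char, digest, length) overload above).` would tie it to its sibling.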
@@ -194,7 +235,7 @@ void PolicyEngine::evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, Author } } cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow); - addAuthority(flags, result, label, id); + addAuthority(flags, result, label, id, NULL, false, ruleFlags); return; } @@ -229,30 +270,7 @@ void PolicyEngine::adjustValidation(SecStaticCodeRef code) bool PolicyEngine::temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags) { if (matchFlags == 0) { // playback; consult authority table for matches - DiskRep *rep = SecStaticCode::requiredStatic(code)->diskRep(); - std::string screen; - if (CFRef<CFDataRef> info = rep->component(cdInfoSlot)) { - SHA1 hash; - hash.update(CFDataGetBytePtr(info), CFDataGetLength(info)); - SHA1::Digest digest; - hash.finish(digest); - screen = createWhitelistScreen('I', digest, sizeof(digest)); - } else if (CFRef<CFDataRef> repSpecific = rep->component(cdRepSpecificSlot)) { - // got invented after SHA-1 deprecation, so we'll use SHA256, which is the new default - CCHashInstance hash(kCCDigestSHA256); - hash.update(CFDataGetBytePtr(repSpecific), CFDataGetLength(repSpecific)); - Byte digest[256/8]; - hash.finish(digest); - screen = createWhitelistScreen('R', digest, sizeof(digest)); - } else if (rep->mainExecutableImage()) { - screen = "N"; - } else { - SHA1 hash; - hashFileData(rep->mainExecutablePath().c_str(), &hash); - SHA1::Digest digest; - hash.finish(digest); - screen = createWhitelistScreen('M', digest, sizeof(digest)); - } + std::string screen = createWhitelistScreen(code); SQLite::Statement query(*this, "SELECT flags FROM authority " "WHERE type = :type" 
@@ -272,6 +290,9 @@ bool PolicyEngine::temporarySigning(SecStaticCodeRef code, AuthorityType type, C CFRef<CFDataRef> signature = CFDataCreateMutable(NULL, 0); CFTemp<CFMutableDictionaryRef> arguments("{%O=%O, %O=#N, %O=%d}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity, kSecCodeSignerDigestAlgorithm, (matchFlags & kAuthorityFlagWhitelistSHA256) ? kSecCodeSignatureHashSHA256 : kSecCodeSignatureHashSHA1); + // for modern whitelist entries, neuter the identifier since it may be derived from the filename + if (matchFlags & kAuthorityFlagWhitelistSHA256) + CFDictionaryAddValue(arguments, kSecCodeSignerIdentifier, CFSTR("ADHOC")); CFRef<SecCodeSignerRef> signer; MacOSError::check(SecCodeSignerCreate(arguments, (matchFlags & kAuthorityFlagWhitelistV2) ? kSecCSSignOpaque : kSecCSSignV1, &signer.aref())); MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags)); @@ -318,9 +339,11 @@ bool PolicyEngine::temporarySigning(SecStaticCodeRef code, AuthorityType type, C void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result, bool handleUnsigned) { // not really a Gatekeeper function... but reject all "hard quarantined" files because they were made from sandboxed sources without download privilege - FileQuarantine qtn(cfString(path).c_str()); - if (qtn.flag(QTN_FLAG_HARD)) - MacOSError::throwMe(errSecCSFileHardQuarantined); + if (type == kAuthorityExecute) { + FileQuarantine qtn(cfString(path).c_str()); + if (qtn.flag(QTN_FLAG_HARD)) + MacOSError::throwMe(errSecCSFileHardQuarantined); + } // hack: if caller passed a UTI, use that to turn off app-only checks for some well-known ones bool appOk = false; 
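Review bot: Limiting the hard-quarantine rejection to `type == kAuthorityExecute` in the `@@ -318,9 +339,11 @@` hunk changes behaviour for install and open assessments of hard-quarantined files, and nothing in the hunk records why that is safe. Add the rationale at the condition, e.g. `// QTN_FLAG_HARD only gates execution; other authority types are covered by <reason>` with the actual reason filled in, so a later reader does not mistake it for an accidental loosening. `evaluateCode` continues outside this hunk.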
@@ -354,8 +377,10 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment } // ad-hoc sign unsigned code + bool wasAdhocSigned = false; if (rc == errSecCSUnsigned && handleUnsigned && (!overrideAssessment(flags) || SYSPOLICY_RECORDER_MODE_ENABLED())) { if (temporarySigning(code, type, path, 0)) { + wasAdhocSigned = true; rc = errSecSuccess; // clear unsigned; we are now well-signed validationFlags |= kSecCSBasicValidateOnly; // no need to re-validate deep contents } @@ -363,6 +388,7 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment // prepare for deep traversal of (hopefully) good signatures SecAssessmentFeedback feedback = SecAssessmentFeedback(CFDictionaryGetValue(context, kSecAssessmentContextKeyFeedback)); + __block CFRef<CFMutableDictionaryRef> nestedFailure = NULL; // save a nested failure for later MacOSError::check(SecStaticCodeSetCallback(code, kSecCSDefaultFlags, NULL, ^CFTypeRef (SecStaticCodeRef item, CFStringRef cfStage, CFDictionaryRef info) { string stage = cfString(cfStage); if (stage == "prepared") { 
@@ -378,8 +404,15 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment SecStaticCodeSetCallback(item, kSecCSDefaultFlags, NULL, NULL); // clear callback to avoid unwanted recursion evaluateCodeItem(item, path, type, flags, item != code, result); if (CFTypeRef verdict = CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict)) - if (CFEqual(verdict, kCFBooleanFalse)) - return makeCFNumber(OSStatus(errSecCSVetoed)); // (signal nested-code policy failure, picked up below) + if (CFEqual(verdict, kCFBooleanFalse)) { + if (item == code) + return makeCFNumber(OSStatus(errSecCSVetoed)); // (signal nested-code policy failure, picked up below) + // nested code policy failure; save, reset, and continue + if (!nestedFailure) + nestedFailure = CFMutableDictionaryRef(CFDictionaryGetValue(result, kSecAssessmentAssessmentAuthority)); + CFDictionaryRemoveValue(result, kSecAssessmentAssessmentAuthority); + CFDictionaryRemoveValue(result, kSecAssessmentAssessmentVerdict); + } } return NULL; })); @@ -396,6 +429,8 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment addAuthority(flags, result, "no usable signature"); return; case errSecCSVetoed: // nested code rejected by rule book; result was filled out there + if (wasAdhocSigned) + addToAuthority(result, kSecAssessmentAssessmentSource, CFSTR("no usable signature")); // ad-hoc signature proved useless return; case errSecCSWeakResourceRules: case errSecCSWeakResourceEnvelope: 
@@ -437,6 +472,17 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment default: MacOSError::throwMe(rc); } + + if (nestedFailure && CFEqual(CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict), kCFBooleanTrue)) { + // structure intact, top level approved, nested code failed policy + CFMutableDictionaryRef authority = CFMutableDictionaryRef(CFDictionaryGetValue(result, kSecAssessmentAssessmentAuthority)); + uint64_t ruleFlags = cfNumber<uint64_t>(CFNumberRef(CFDictionaryGetValue(authority, kSecAssessmentAssessmentAuthorityFlags))); + if (ruleFlags & kAuthorityFlagDefault) { + // default rule requires positive match at each nested code - reinstate failure + CFDictionaryReplaceValue(result, kSecAssessmentAssessmentVerdict, kCFBooleanFalse); + CFDictionaryReplaceValue(result, kSecAssessmentAssessmentAuthority, nestedFailure); + } + } } @@ -570,6 +616,7 @@ void PolicyEngine::evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDi // // Create a suitable policy array for verification of installer signatures. // +#if !SECTRUST_OSX static SecPolicyRef makeCRLPolicy() { CFRef<SecPolicyRef> policy; @@ -595,13 +642,24 @@ static SecPolicyRef makeOCSPPolicy() MacOSError::check(SecPolicySetValue(policy, &optData)); return policy.yield(); } +#else +static SecPolicyRef makeRevocationPolicy() +{ + CFRef<SecPolicyRef> policy(SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod)); + return policy.yield(); +} +#endif static CFTypeRef installerPolicy() { CFRef<SecPolicyRef> base = SecPolicyCreateBasicX509(); +#if !SECTRUST_OSX CFRef<SecPolicyRef> crl = makeCRLPolicy(); CFRef<SecPolicyRef> ocsp = makeOCSPPolicy(); - return makeCFArray(3, base.get(), crl.get(), ocsp.get()); +#else + CFRef<SecPolicyRef> revoc = makeRevocationPolicy(); +#endif + return makeCFArray(2, base.get(), revoc.get()); } 
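Review bot: The nestedFailure reinstatement block dereferences two dictionary lookups without a NULL check: `CFEqual(CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict), kCFBooleanTrue)` crashes if no verdict was stored, and `cfNumber<uint64_t>(CFNumberRef(CFDictionaryGetValue(authority, kSecAssessmentAssessmentAuthorityFlags)))` presumably does the same if the authority dictionary did not come through the updated addAuthority (not every verdict-true case above this hunk is visible, so I cannot confirm each one sets both keys). Guarding both lookups is cheap and keeps a missing key from turning an approval into a crash on the nested-code path:
```cpp
	CFTypeRef verdict = CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict);
	if (nestedFailure && verdict && CFEqual(verdict, kCFBooleanTrue)) {
		// structure intact, top level approved, nested code failed policy
		CFMutableDictionaryRef authority = CFMutableDictionaryRef(CFDictionaryGetValue(result, kSecAssessmentAssessmentAuthority));
		CFNumberRef flagsNum = authority ? CFNumberRef(CFDictionaryGetValue(authority, kSecAssessmentAssessmentAuthorityFlags)) : NULL;
		uint64_t ruleFlags = flagsNum ? cfNumber<uint64_t>(flagsNum) : 0;
		// … unchanged: kAuthorityFlagDefault check and verdict/authority replacement …
	}
```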
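Review bot: In installerPolicy the line `return makeCFArray(2, base.get(), revoc.get());` now sits after the `#endif`, but `revoc` is only declared in the `#else` (SECTRUST_OSX) branch, so the `!SECTRUST_OSX` build cannot compile and its `crl`/`ocsp` policies are never used. Keep one return per branch: `return makeCFArray(3, base.get(), crl.get(), ocsp.get());` before the `#else` and `return makeCFArray(2, base.get(), revoc.get());` inside it. If the `!SECTRUST_OSX` configuration is no longer built, the dead branch (including makeCRLPolicy and makeOCSPPolicy) should be removed rather than left uncompilable.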
@@ -612,8 +670,21 @@ static CFTypeRef installerPolicy() void PolicyEngine::evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result) { if (context) { + FileQuarantine qtn(cfString(path).c_str()); + if (CFDictionaryGetValue(context, kSecAssessmentContextKeyPrimarySignature) == kCFBooleanTrue) { + // Client requests that we focus on the code signature on this document and report on that. + // On this path, we care about the (code) signature on the document, not its risk assessment, + // and any exception is reported as a primary error. + if (qtn.flag(QTN_FLAG_ASSESSMENT_OK)) { + // previously added by user - hacked to say no/no usable signature to trigger proper DMG processing in XProtect + cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict); + addAuthority(flags, result, "no usable signature"); + return; + } + evaluateCode(path, kAuthorityOpenDoc, flags, context, result, true); + return; + } if (CFStringRef riskCategory = CFStringRef(CFDictionaryGetValue(context, kLSDownloadRiskCategoryKey))) { - FileQuarantine qtn(cfString(path).c_str()); if (CFEqual(riskCategory, kLSRiskCategorySafe) || CFEqual(riskCategory, kLSRiskCategoryNeutral) @@ -624,6 +695,7 @@ void PolicyEngine::evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDi } else if (qtn.flag(QTN_FLAG_HARD)) { MacOSError::throwMe(errSecCSFileHardQuarantined); } else if (qtn.flag(QTN_FLAG_ASSESSMENT_OK)) { + // previously added by user cfadd(result, "{%O=#T}", kSecAssessmentAssessmentVerdict); addAuthority(flags, result, "Prior Assessment"); } else if (!overrideAssessment(flags)) { // no need to do more work if we're off 
@@ -650,7 +722,7 @@ void PolicyEngine::evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDi // // Result-creation helpers // -void PolicyEngine::addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row, CFTypeRef cacheInfo, bool weak) +void PolicyEngine::addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row, CFTypeRef cacheInfo, bool weak, uint64_t ruleFlags) { CFRef<CFMutableDictionaryRef> auth = makeCFMutableDictionary(); if (label && label[0]) @@ -661,6 +733,7 @@ void PolicyEngine::addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef CFDictionaryAddValue(auth, kSecAssessmentAssessmentAuthorityOverride, kDisabledOverride); if (cacheInfo) CFDictionaryAddValue(auth, kSecAssessmentAssessmentFromCache, cacheInfo); + CFDictionaryAddValue(auth, kSecAssessmentAssessmentAuthorityFlags, CFTempNumber(ruleFlags)); if (weak) { CFDictionaryAddValue(auth, kSecAssessmentAssessmentWeakSignature, kCFBooleanTrue); CFDictionaryReplaceValue(parent, kSecAssessmentAssessmentAuthority, auth); @@ -813,6 +886,9 @@ CFDictionaryRef PolicyEngine::disable(CFTypeRef target, AuthorityType type, SecA CFDictionaryRef PolicyEngine::find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context) { + //for privacy reasons we only want to allow the admin to list the database + authorizeUpdate(flags, context); + SQLite::Statement query(*this); selectRules(query, "SELECT scan_authority.id, scan_authority.type, scan_authority.requirement, scan_authority.allow, scan_authority.label, scan_authority.priority, scan_authority.remarks, scan_authority.expires, scan_authority.disabled, bookmarkhints.bookmark FROM scan_authority LEFT OUTER JOIN bookmarkhints ON scan_authority.id = bookmarkhints.authority", "scan_authority", target, type, flags, context, 
@@ -1062,10 +1138,7 @@ void PolicyEngine::normalizeTarget(CFRef<CFTypeRef> &target, AuthorityType type, case errSecCSUnsigned: if (signUnsigned && temporarySigning(code, type, path, kAuthorityFlagWhitelistV2 | kAuthorityFlagWhitelistSHA256)) { // ad-hoc sign the code temporarily MacOSError::check(SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref())); - CFRef<CFDictionaryRef> info; - MacOSError::check(SecCodeCopySigningInformation(code, kSecCSInternalInformation, &info.aref())); - if (CFDataRef cdData = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoCodeDirectory))) - *signUnsigned = ((const CodeDirectory *)CFDataGetBytePtr(cdData))->screeningCode(); + *signUnsigned = createWhitelistScreen(code); break; } MacOSError::check(rc); @@ -1108,17 +1181,15 @@ void PolicyEngine::normalizeTarget(CFRef<CFTypeRef> &target, AuthorityType type, // static bool codeInvalidityExceptions(SecStaticCodeRef code, CFMutableDictionaryRef result) { - if (OSAIsRecognizedExecutableURL) { - CFRef<CFDictionaryRef> info; - MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref())); - if (CFURLRef executable = CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable))) { - SInt32 error; - if (OSAIsRecognizedExecutableURL(executable, &error)) { - if (result) - CFDictionaryAddValue(result, - kSecAssessmentAssessmentAuthorityOverride, CFSTR("ignoring known invalid applet signature")); - return true; - } + CFRef<CFDictionaryRef> info; + MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref())); + if (CFURLRef executable = CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable))) { + SInt32 error; + if (OSAIsRecognizedExecutableURL(executable, &error)) { + if (result) + CFDictionaryAddValue(result, + kSecAssessmentAssessmentAuthorityOverride, CFSTR("ignoring known invalid applet signature")); + return true; } } return false; 
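Review bot: codeInvalidityExceptions drops the `if (OSAIsRecognizedExecutableURL)` guard, which looked like a weak-link null check; if that symbol is still resolved weakly, calling it through a NULL pointer would crash on a system without the library instead of falling through to `return false`. Unless the symbol is now strongly linked, keep an early `if (!OSAIsRecognizedExecutableURL) return false;` at the top of the function. The normalizeTarget hunk above begins outside its hunk, and codeInvalidityExceptions ends outside this one.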
diff --git a/OSX/libsecurity_codesigning/lib/policyengine.h b/OSX/libsecurity_codesigning/lib/policyengine.h index 46083083..9ba82dc2 100644 --- a/OSX/libsecurity_codesigning/lib/policyengine.h +++ b/OSX/libsecurity_codesigning/lib/policyengine.h @@ -65,7 +65,7 @@ public: void recordFailure(CFDictionaryRef info); public: - static void addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row = 0, CFTypeRef cacheInfo = NULL, bool weak = false); + static void addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row = 0, CFTypeRef cacheInfo = NULL, bool weak = false, uint64_t ruleFlags = 0); static void addToAuthority(CFMutableDictionaryRef parent, CFStringRef key, CFTypeRef value); private: diff --git a/OSX/libsecurity_codesigning/lib/reqinterp.cpp b/OSX/libsecurity_codesigning/lib/reqinterp.cpp index 3837d426..3215df48 100644 --- a/OSX/libsecurity_codesigning/lib/reqinterp.cpp +++ b/OSX/libsecurity_codesigning/lib/reqinterp.cpp @@ -190,7 +190,7 @@ bool Requirement::Interpreter::eval(int depth) } } // unrecognized opcode and no way to interpret it - secdebug("csinterp", "opcode 0x%x cannot be handled; aborting", op); + secinfo("csinterp", "opcode 0x%x cannot be handled; aborting", op); MacOSError::throwMe(errSecCSUnimplemented); } } 
@@ -247,13 +247,14 @@ bool Requirement::Interpreter::certFieldValue(const string &key, const Match &ma { "subject.UID", &CSSMOID_UserID }, { NULL, NULL } }; - + // DN-component single-value match for (const CertField *cf = certFields; cf->name; cf++) if (cf->name == key) { CFRef<CFStringRef> value; - if (OSStatus rc = SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref())) { - secdebug("csinterp", "cert %p lookup for DN.%s failed rc=%d", cert, key.c_str(), (int)rc); + OSStatus rc = SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref()); + if (rc) { + secinfo("csinterp", "cert %p lookup for DN.%s failed rc=%d", cert, key.c_str(), (int)rc); return false; } return match(value); @@ -262,15 +263,16 @@ bool Requirement::Interpreter::certFieldValue(const string &key, const Match &ma // email multi-valued match (any of...) if (key == "email") { CFRef<CFArrayRef> value; - if (OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref())) { - secdebug("csinterp", "cert %p lookup for email failed rc=%d", cert, (int)rc); + OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref()); + if (rc) { + secinfo("csinterp", "cert %p lookup for email failed rc=%d", cert, (int)rc); return false; } return match(value); } // unrecognized key. Fail but do not abort to promote backward compatibility down the road - secdebug("csinterp", "cert field notation \"%s\" not understood", key.c_str()); + secinfo("csinterp", "cert field notation \"%s\" not understood", key.c_str()); return false; } 
@@ -327,7 +329,9 @@ CFArrayRef Requirement::Interpreter::getAdditionalTrustedAnchors() if (!configData) return NULL; - CFRef<CFDictionaryRef> configDict = CFDictionaryRef(IOCFUnserialize((const char *)CFDataGetBytePtr(configData), kCFAllocatorDefault, 0, NULL)); + CFRef<CFDictionaryRef> configDict = CFDictionaryRef(IOCFUnserializeWithSize((const char *)CFDataGetBytePtr(configData), + (size_t)CFDataGetLength(configData), + kCFAllocatorDefault, 0, NULL)); if (!configDict) return NULL; diff --git a/OSX/libsecurity_codesigning/lib/reqparser.cpp b/OSX/libsecurity_codesigning/lib/reqparser.cpp index 8a0c370a..e3657a19 100644 --- a/OSX/libsecurity_codesigning/lib/reqparser.cpp +++ b/OSX/libsecurity_codesigning/lib/reqparser.cpp @@ -30,6 +30,7 @@ #include "codesigning_dtrace.h" #include <CoreFoundation/CoreFoundation.h> #include <security_utilities/osxcode.h> +#include <security_utilities/logging.h> namespace Security { namespace CodeSigning { @@ -61,6 +62,7 @@ PluginHost::PluginHost() } // can't load plugin - fail + Syslog::warning("code signing problem: unable to load csparser plug-in"); MacOSError::throwMe(errSecCSInternalError); } diff --git a/OSX/libsecurity_codesigning/lib/resources.cpp b/OSX/libsecurity_codesigning/lib/resources.cpp index c1efa959..4c36a387 100644 --- a/OSX/libsecurity_codesigning/lib/resources.cpp +++ b/OSX/libsecurity_codesigning/lib/resources.cpp @@ -74,7 +74,7 @@ ResourceBuilder::ResourceBuilder(const std::string &root, const std::string &rel UnixError::throwMe(); mRelBase = realroot; if (mRoot != mRelBase && mRelBase != mRoot + "/Contents") - MacOSError::throwMe(errSecCSInternalError); + MacOSError::throwMe(errSecCSBadBundleFormat); const char * paths[2] = { mRoot.c_str(), NULL }; mFTS = fts_open((char * const *)paths, FTS_PHYSICAL | FTS_COMFOLLOW | FTS_NOCHDIR, NULL); if (!mFTS) 
@@ -152,7 +152,7 @@ void ResourceBuilder::scan(Scanner next) } switch (ent->fts_info) { case FTS_F: - secdebug("rdirenum", "file %s", ent->fts_path); + secinfo("rdirenum", "file %s", ent->fts_path); GKBIS_Num_files++; // These are checks for the gatekeeper collection @@ -169,7 +169,7 @@ void ResourceBuilder::scan(Scanner next) break; case FTS_SL: // symlinks cannot ever be nested code, so quietly convert to resource file - secdebug("rdirenum", "symlink %s", ent->fts_path); + secinfo("rdirenum", "symlink %s", ent->fts_path); GKBIS_Num_symlinks++; if (strcasecmp(ent->fts_name, ds_store) == 0) @@ -180,7 +180,7 @@ void ResourceBuilder::scan(Scanner next) next(ent, rule->flags & ~nested, string(relpath), rule); break; case FTS_D: - secdebug("rdirenum", "entering %s", ent->fts_path); + secinfo("rdirenum", "entering %s", ent->fts_path); GKBIS_Num_dirs++; if (!first) { // skip root directory (relpath invalid) @@ -203,15 +203,15 @@ void ResourceBuilder::scan(Scanner next) break; case FTS_DP: - secdebug("rdirenum", "leaving %s", ent->fts_path); + secinfo("rdirenum", "leaving %s", ent->fts_path); break; case FTS_DNR: - secdebug("rdirenum", "cannot read directory %s", ent->fts_path); + secinfo("rdirenum", "cannot read directory %s", ent->fts_path); if (mCheckUnreadable) MacOSError::throwMe(errSecCSSignatureNotVerifiable); break; default: - secdebug("rdirenum", "type %d (errno %d): %s", + secinfo("rdirenum", "type %d (errno %d): %s", ent->fts_info, ent->fts_errno, ent->fts_path); if (mCheckUnknownType) MacOSError::throwMe(errSecCSResourceNotSupported); 
@@ -248,21 +248,21 @@ bool ResourceBuilder::includes(string path) const ResourceBuilder::Rule *ResourceBuilder::findRule(string path) const { Rule *bestRule = NULL; - secdebug("rscan", "test %s", path.c_str()); + secinfo("rscan", "test %s", path.c_str()); for (Rules::const_iterator it = mRules.begin(); it != mRules.end(); ++it) { Rule *rule = *it; - secdebug("rscan", "try %s", rule->source.c_str()); + secinfo("rscan", "try %s", rule->source.c_str()); if (rule->match(path.c_str())) { - secdebug("rscan", "match"); + secinfo("rscan", "match"); if (rule->flags & exclusion) { - secdebug("rscan", "excluded"); + secinfo("rscan", "excluded"); return rule; } if (!bestRule || rule->weight > bestRule->weight) bestRule = rule; } } - secdebug("rscan", "choosing %s (%d,0x%x)", + secinfo("rscan", "choosing %s (%d,0x%x)", bestRule ? bestRule->source.c_str() : "NOTHING", bestRule ? bestRule->weight : 0, bestRule ? bestRule->flags : 0); @@ -288,10 +288,13 @@ CFDataRef ResourceBuilder::hashFile(const char *path, CodeDirectory::HashAlgorit // // Hash a file to multiple hash types and return a dictionary suitable to form a resource seal // -CFMutableDictionaryRef ResourceBuilder::hashFile(const char *path, CodeDirectory::HashAlgorithms types) +CFMutableDictionaryRef ResourceBuilder::hashFile(const char *path, CodeDirectory::HashAlgorithms types, bool strictCheck) { UnixPlusPlus::AutoFileDesc fd(path); fd.fcntl(F_NOCACHE, true); // turn off page caching (one-pass) + if (strictCheck) + if (fd.hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || fd.hasExtendedAttribute(XATTR_FINDERINFO_NAME)) + MacOSError::throwMe(errSecCSInvalidAssociatedFileData); CFRef<CFMutableDictionaryRef> result = makeCFMutableDictionary(); CFMutableDictionaryRef resultRef = result; CodeDirectory::multipleHashFileData(fd, 0, types, ^(CodeDirectory::HashAlgorithm type, Security::DynamicHash *hasher) { 
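Review bot: The strictCheck path in ResourceBuilder::hashFile stacks two unbraced `if` statements in front of the throw, and the same sideband predicate (`hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || hasExtendedAttribute(XATTR_FINDERINFO_NAME)`) is repeated in SingleDiskRep::strictValidate (the singlediskrep.cpp hunk further down), where it is nested three deep. Brace both bodies and pull the predicate into one helper, e.g. `static bool hasSidebandData(UnixPlusPlus::FileDesc &fd)` (assuming AutoFileDesc derives from FileDesc), so the two strict checks cannot drift apart and a later edit does not bind to the wrong `if`. The hashFile call then reads `if (strictCheck && hasSidebandData(fd)) MacOSError::throwMe(errSecCSInvalidAssociatedFileData);`; hashFile's body continues outside the hunk.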
@@ -325,7 +328,7 @@ ResourceBuilder::Rule::Rule(const std::string &pattern, unsigned w, uint32_t f) { if (::regcomp(this, pattern.c_str(), REG_EXTENDED | REG_NOSUB)) //@@@ REG_ICASE? MacOSError::throwMe(errSecCSResourceRulesInvalid); - secdebug("csresource", "%p rule %s added (weight %d, flags 0x%x)", + secinfo("csresource", "%p rule %s added (weight %d, flags 0x%x)", this, pattern.c_str(), w, f); } @@ -352,7 +355,7 @@ std::string ResourceBuilder::escapeRE(const std::string &s) string r; for (string::const_iterator it = s.begin(); it != s.end(); ++it) { char c = *it; - if (strchr("\\[]{}().+*?", c)) + if (strchr("\\[]{}().+*?^$|", c)) r.push_back('\\'); r.push_back(c); } diff --git a/OSX/libsecurity_codesigning/lib/resources.h b/OSX/libsecurity_codesigning/lib/resources.h index 8d68314b..7e122587 100644 --- a/OSX/libsecurity_codesigning/lib/resources.h +++ b/OSX/libsecurity_codesigning/lib/resources.h @@ -88,7 +88,7 @@ public: Rule *findRule(string path) const; static CFDataRef hashFile(const char *path, CodeDirectory::HashAlgorithm type); - static CFMutableDictionaryRef hashFile(const char *path, CodeDirectory::HashAlgorithms types); + static CFMutableDictionaryRef hashFile(const char *path, CodeDirectory::HashAlgorithms types, bool strictCheck); static std::string hashName(CodeDirectory::HashAlgorithm type); diff --git a/OSX/libsecurity_codesigning/lib/security_codesigning.exp b/OSX/libsecurity_codesigning/lib/security_codesigning.exp index 160559fa..f5909556 100644 --- a/OSX/libsecurity_codesigning/lib/security_codesigning.exp +++ b/OSX/libsecurity_codesigning/lib/security_codesigning.exp @@ -111,6 +111,11 @@ _kSecCodeInfoUnique _kSecCodeInfoCdHashes _kSecCodeInfoCodeDirectory _kSecCodeInfoCodeOffset +_kSecCodeInfoDiskRepInfo +_kSecCodeInfoDiskRepOSPlatform +_kSecCodeInfoDiskRepOSVersionMin +_kSecCodeInfoDiskRepOSSDKVersion +_kSecCodeInfoDiskRepNoLibraryValidation _kSecCodeInfoResourceDirectory _kSecGuestAttributeCanonical _kSecGuestAttributeHash 
@@ -124,6 +129,7 @@ _kSecCFErrorResourceSeal _kSecCFErrorResourceAdded _kSecCFErrorResourceAltered _kSecCFErrorResourceMissing +_kSecCFErrorResourceSideband _kSecCFErrorInfoPlist _kSecCFErrorGuestAttributes _kSecCFErrorRequirementSyntax @@ -167,6 +173,7 @@ _kSecAssessmentAssessmentSource _kSecAssessmentAssessmentVerdict _kSecAssessmentAssessmentWeakSignature _kSecAssessmentAssessmentCodeSigningError +_kSecAssessmentContextKeyPrimarySignature # gatekeeper logging diff --git a/OSX/libsecurity_codesigning/lib/signer.cpp b/OSX/libsecurity_codesigning/lib/signer.cpp index b0e14edb..b9d4ba9f 100644 --- a/OSX/libsecurity_codesigning/lib/signer.cpp +++ b/OSX/libsecurity_codesigning/lib/signer.cpp @@ -127,7 +127,7 @@ void SecCodeSigner::Signer::prepare(SecCSFlags flags) { // make sure the rep passes strict validation if (strict) - rep->strictValidate(NULL, MacOSErrorSet(), flags); + rep->strictValidate(NULL, MacOSErrorSet(), flags | (kSecCSQuickCheck|kSecCSRestrictSidebandData)); // initialize progress/cancellation state code->prepareProgress(0); // totally fake workload - we don't know how many files we'll encounter @@ -149,9 +149,9 @@ void SecCodeSigner::Signer::prepare(SecCSFlags flags) identifier = state.mIdentifierPrefix + identifier; if (identifier.find('.') == string::npos && isAdhoc()) identifier = identifier + "-" + uniqueName(); - secdebug("signer", "using default identifier=%s", identifier.c_str()); + secinfo("signer", "using default identifier=%s", identifier.c_str()); } else - secdebug("signer", "using explicit identifier=%s", identifier.c_str()); + secinfo("signer", "using explicit identifier=%s", identifier.c_str()); teamID = state.mTeamID; if (teamID.empty() && (inherit & kSecCodeSignerPreserveTeamIdentifier)) { 
@@ -173,7 +173,7 @@ void SecCodeSigner::Signer::prepare(SecCSFlags flags) bool haveCdFlags = false; if (!haveCdFlags && state.mCdFlagsGiven) { cdFlags = state.mCdFlags; - secdebug("signer", "using explicit cdFlags=0x%x", cdFlags); + secinfo("signer", "using explicit cdFlags=0x%x", cdFlags); haveCdFlags = true; } if (!haveCdFlags) { @@ -182,10 +182,10 @@ void SecCodeSigner::Signer::prepare(SecCSFlags flags) if (CFTypeRef csflags = CFDictionaryGetValue(infoDict, CFSTR("CSFlags"))) { if (CFGetTypeID(csflags) == CFNumberGetTypeID()) { cdFlags = cfNumber<uint32_t>(CFNumberRef(csflags)); - secdebug("signer", "using numeric cdFlags=0x%x from Info.plist", cdFlags); + secinfo("signer", "using numeric cdFlags=0x%x from Info.plist", cdFlags); } else if (CFGetTypeID(csflags) == CFStringGetTypeID()) { cdFlags = cdTextFlags(cfString(CFStringRef(csflags))); - secdebug("signer", "using text cdFlags=0x%x from Info.plist", cdFlags); + secinfo("signer", "using text cdFlags=0x%x from Info.plist", cdFlags); } else MacOSError::throwMe(errSecCSBadDictionaryFormat); haveCdFlags = true; @@ -193,7 +193,7 @@ void SecCodeSigner::Signer::prepare(SecCSFlags flags) } if (!haveCdFlags && (inherit & kSecCodeSignerPreserveFlags)) { cdFlags = code->codeDirectory(false)->flags & ~kSecCodeSignatureAdhoc; - secdebug("signer", "using inherited cdFlags=0x%x", cdFlags); + secinfo("signer", "using inherited cdFlags=0x%x", cdFlags); haveCdFlags = true; } if (!haveCdFlags) 
@@ -263,15 +263,16 @@ void SecCodeSigner::Signer::prepare(SecCSFlags flags) } // screen and set the signing time - CFAbsoluteTime now = CFAbsoluteTimeGetCurrent(); if (state.mSigningTime == CFDateRef(kCFNull)) { - signingTime = 0; // no time at all + emitSigningTime = false; // no time at all } else if (!state.mSigningTime) { - signingTime = now; // default + emitSigningTime = true; + signingTime = 0; // wall clock, established later } else { CFAbsoluteTime time = CFDateGetAbsoluteTime(state.mSigningTime); - if (time > now) // not allowed to post-date a signature + if (time > CFAbsoluteTimeGetCurrent()) // not allowed to post-date a signature MacOSError::throwMe(errSecCSBadDictionaryFormat); + emitSigningTime = true; signingTime = time; } @@ -301,7 +302,7 @@ void SecCodeSigner::Signer::buildResources(std::string root, std::string relBase { typedef ResourceBuilder::Rule Rule; - secdebug("codesign", "start building resource directory"); + secinfo("codesign", "start building resource directory"); __block CFRef<CFMutableDictionaryRef> result = makeCFMutableDictionary(); CFDictionaryRef rules = cfget<CFDictionaryRef>(rulesDict, "rules"); @@ -352,7 +353,7 @@ void SecCodeSigner::Signer::buildResources(std::string root, std::string relBase target[len] = '\0'; seal.take(cfmake<CFMutableDictionaryRef>("{symlink=%s}", target)); } else { - seal.take(resources.hashFile(accpath.c_str(), digestAlgorithms())); + seal.take(resources.hashFile(accpath.c_str(), digestAlgorithms(), signingFlags() & kSecCSSignStrictPreflight)); } if (ruleFlags & ResourceBuilder::optional) CFDictionaryAddValue(seal, CFSTR("optional"), kCFBooleanTrue); 
@@ -392,11 +393,11 @@ void SecCodeSigner::Signer::buildResources(std::string root, std::string relBase hash.take(resources.hashFile(ent->fts_accpath, kSecCodeSignatureHashSHA1)); if (ruleFlags == 0) { // default case - plain hash cfadd(files, "{%s=%O}", relpath.c_str(), hash.get()); - secdebug("csresource", "%s added simple (rule %p)", relpath.c_str(), rule); + secinfo("csresource", "%s added simple (rule %p)", relpath.c_str(), rule); } else { // more complicated - use a sub-dictionary cfadd(files, "{%s={hash=%O,optional=%B}}", relpath.c_str(), hash.get(), ruleFlags & ResourceBuilder::optional); - secdebug("csresource", "%s added complex (rule %p)", relpath.c_str(), rule); + secinfo("csresource", "%s added complex (rule %p)", relpath.c_str(), rule); } } }); @@ -419,9 +420,11 @@ CFMutableDictionaryRef SecCodeSigner::Signer::signNested(const std::string &path if (signingFlags() & kSecCSSignNestedCode) this->state.sign(code, signingFlags()); std::string dr = Dumper::dump(code->designatedRequirement()); - return cfmake<CFMutableDictionaryRef>("{requirement=%s,cdhash=%O}", - Dumper::dump(code->designatedRequirement()).c_str(), - code->cdHash()); + if (CFDataRef hash = code->cdHash()) + return cfmake<CFMutableDictionaryRef>("{requirement=%s,cdhash=%O}", + Dumper::dump(code->designatedRequirement()).c_str(), + hash); + MacOSError::throwMe(errSecCSUnsigned); } catch (const CommonError &err) { CSError::throwMe(err.osStatus(), kSecCFErrorPath, CFTempURL(relpath, false, this->code->resourceBase())); } 
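Review bot: In signNested the local `std::string dr = Dumper::dump(code->designatedRequirement());` is still computed and never used, while the new return calls `Dumper::dump(code->designatedRequirement())` a second time; use the local instead: `return cfmake<CFMutableDictionaryRef>("{requirement=%s,cdhash=%O}", dr.c_str(), hash);`. Throwing errSecCSUnsigned when `code->cdHash()` is NULL is a good tightening; a one-line comment such as `// nested code without a code directory cannot be sealed` would tell the next reader why. signNested begins outside the hunk.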
@@ -437,9 +440,10 @@ CFMutableDictionaryRef SecCodeSigner::Signer::signNested(const std::string &path void SecCodeSigner::Signer::signMachO(Universal *fat, const Requirement::Context &context) { // Mach-O executable at the core - perform multi-architecture signing + RefPointer<DiskRep::Writer> writer = rep->writer(); auto_ptr<ArchEditor> editor(state.mDetached ? static_cast<ArchEditor *>(new BlobEditor(*fat, *this)) - : new MachOEditor(rep->writer(), *fat, this->digestAlgorithms(), rep->mainExecutablePath())); + : new MachOEditor(writer, *fat, this->digestAlgorithms(), rep->mainExecutablePath())); assert(editor->count() > 0); if (!editor->attribute(writerNoGlobal)) // can store architecture-common components populate(*editor); @@ -510,8 +514,9 @@ void SecCodeSigner::Signer::signMachO(Universal *fat, const Requirement::Context } // done: write edit copy back over the original - if (!state.mDryRun) + if (!state.mDryRun) { editor->commit(); + } } @@ -644,9 +649,10 @@ CFDataRef SecCodeSigner::Signer::signCodeDirectory(const CodeDirectory *cd, CFDa CMSEncoderSetSignerAlgorithm(cms, kCMSEncoderDigestAlgorithmSHA256); MacOSError::check(CMSEncoderSetHasDetachedContent(cms, true)); - if (signingTime) { + if (emitSigningTime) { MacOSError::check(CMSEncoderAddSignedAttributes(cms, kCMSAttrSigningTime)); - MacOSError::check(CMSEncoderSetSigningTime(cms, signingTime)); + CFAbsoluteTime time = signingTime ? signingTime : CFAbsoluteTimeGetCurrent(); + MacOSError::check(CMSEncoderSetSigningTime(cms, time)); } if (hashBag) { diff --git a/OSX/libsecurity_codesigning/lib/signer.h b/OSX/libsecurity_codesigning/lib/signer.h index fafa3fe3..1e92a9c7 100644 --- a/OSX/libsecurity_codesigning/lib/signer.h +++ b/OSX/libsecurity_codesigning/lib/signer.h 
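Review bot: signCodeDirectory now uses `signingTime == 0` as the "not given" sentinel (`signingTime ? signingTime : CFAbsoluteTimeGetCurrent()`), and prepare (the `@@ -263` hunk above) stores `signingTime = 0` for the default case, so an explicit caller-supplied time that happens to be exactly 0 (the CFAbsoluteTime epoch) is silently replaced by the wall clock. Since prepare already validates the explicit time, a separate "explicit time given" flag or an out-of-band sentinel such as NaN would keep the two cases distinct; at minimum the signer.h comment `(0 => now)` should say that an explicit epoch time is treated the same way. signCodeDirectory begins outside the hunk.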
@@ -101,7 +101,8 @@ private: uint32_t cdFlags; // CodeDirectory flags const Requirements *requirements; // internal requirements ready-to-use size_t pagesize; // size of main executable pages - CFAbsoluteTime signingTime; // signing time for CMS signature (0 => none) + CFAbsoluteTime signingTime; // signing time for CMS signature (0 => now) + bool emitSigningTime; // emit signing time as a signed CMS attribute bool strict; // strict validation private: diff --git a/OSX/libsecurity_codesigning/lib/signerutils.cpp b/OSX/libsecurity_codesigning/lib/signerutils.cpp index 25a327ba..855d1949 100644 --- a/OSX/libsecurity_codesigning/lib/signerutils.cpp +++ b/OSX/libsecurity_codesigning/lib/signerutils.cpp @@ -33,6 +33,7 @@ #include "csutilities.h" #include "drmaker.h" #include <security_utilities/unix++.h> +#include <security_utilities/logging.h> #include <security_utilities/unixchild.h> #include <vector> @@ -244,7 +245,7 @@ void MachOEditor::childAction() if (mHelperOverridden) ::csops(0, CS_OPS_MARKKILL, NULL, 0); // force code integrity - ::seteuid(0); // activate privilege if caller has it; ignore error if not + (void)::seteuid(0); // activate privilege if caller has it; ignore error if not execv(mHelperPath, (char * const *)&arguments[0]); } @@ -275,7 +276,7 @@ void MachOEditor::write(Arch &arch, EmbeddedSignatureBlob *blob) arch.source->writeAll(*blob); ::free(blob); // done with it } else { - secdebug("signer", "%p cannot find CODESIGNING section", this); + secinfo("signer", "%p cannot find CODESIGNING data in Mach-O", this); MacOSError::throwMe(errSecCSInternalError); } } @@ -301,7 +302,7 @@ void MachOEditor::commit() // perform copy under root or file-owner privileges if available UidGuard guard; if (!guard.seteuid(0)) - guard.seteuid(st.st_uid); + (void)guard.seteuid(st.st_uid); // copy metadata from original file... copy(sourcePath.c_str(), NULL, COPYFILE_SECURITY | COPYFILE_METADATA); 
@@ -315,6 +316,7 @@ void MachOEditor::commit() UnixError::check(::rename(tempPath.c_str(), sourcePath.c_str())); mTempMayExist = false; // we renamed it away } + this->writer->flush(); } diff --git a/OSX/libsecurity_codesigning/lib/singlediskrep.cpp b/OSX/libsecurity_codesigning/lib/singlediskrep.cpp index 84c5a781..0e63bde8 100644 --- a/OSX/libsecurity_codesigning/lib/singlediskrep.cpp +++ b/OSX/libsecurity_codesigning/lib/singlediskrep.cpp @@ -89,7 +89,6 @@ FileDesc &SingleDiskRep::fd() { if (!mFd) mFd.open(mPath, O_RDONLY); - return mFd; } @@ -101,7 +100,6 @@ void SingleDiskRep::flush() mFd.close(); } - // // The recommended identifier of a SingleDiskRep is, absent any better clue, // the basename of its path. @@ -118,6 +116,11 @@ string SingleDiskRep::recommendedIdentifier(const SigningContext &) void SingleDiskRep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated, SecCSFlags flags) { DiskRep::strictValidate(cd, tolerated, flags); + + if (flags & kSecCSRestrictSidebandData) + if (fd().hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || fd().hasExtendedAttribute(XATTR_FINDERINFO_NAME)) + if (tolerated.find(errSecCSInvalidAssociatedFileData) == tolerated.end()) + MacOSError::throwMe(errSecCSInvalidAssociatedFileData); // code limit must cover (exactly) the entire file if (cd && cd->signingLimit() != signingLimit()) diff --git a/OSX/libsecurity_codesigning/lib/singlediskrep.h b/OSX/libsecurity_codesigning/lib/singlediskrep.h index cc15854c..8e9a8df3 100644 --- a/OSX/libsecurity_codesigning/lib/singlediskrep.h +++ b/OSX/libsecurity_codesigning/lib/singlediskrep.h @@ -49,7 +49,7 @@ public: CFDataRef identification(); // partial file hash std::string mainExecutablePath(); // base path CFURLRef copyCanonicalPath(); // base path - virtual size_t signingLimit(); // size of file + size_t signingLimit(); // size of file UnixPlusPlus::FileDesc &fd(); // readable fd for this file void flush(); // close cached fd 
diff --git a/OSX/libsecurity_codesigning/lib/syspolicy.sql b/OSX/libsecurity_codesigning/lib/syspolicy.sql index 23b5df15..9a9b8598 100644 --- a/OSX/libsecurity_codesigning/lib/syspolicy.sql +++ b/OSX/libsecurity_codesigning/lib/syspolicy.sql @@ -119,6 +119,8 @@ INSERT INTO feature (name, value, remarks) VALUES ('filter_unsigned', 'present', 'builtin'); INSERT INTO feature (name, value, remarks) VALUES ('document rules', 'present', 'builtin'); +INSERT INTO feature (name, value, remarks) +VALUES ('root_only', 'present', 'builtin'); -- diff --git a/OSX/libsecurity_codesigning/lib/xpcengine.cpp b/OSX/libsecurity_codesigning/lib/xpcengine.cpp index 6e415298..eb246dd8 100644 --- a/OSX/libsecurity_codesigning/lib/xpcengine.cpp +++ b/OSX/libsecurity_codesigning/lib/xpcengine.cpp @@ -25,6 +25,7 @@ #include <syslog.h> #include <CoreFoundation/CoreFoundation.h> #include <security_utilities/cfutilities.h> +#include <security_utilities/logging.h> #include <security_utilities/cfmunge.h> @@ -96,8 +97,9 @@ public: } else if (type == XPC_TYPE_ERROR) { const char *s = xpc_copy_description(reply); printf("Error returned: %s\n", s); + Syslog::notice("code signing internal problem: unexpected error from xpc: %s", s); free((char*)s); - MacOSError::throwMe(errSecCSInternalError); + MacOSError::throwMe(errSecCSInternalError); } else { const char *s = xpc_copy_description(reply); printf("Unexpected type of return object: %s\n", s); 
@@ -122,18 +124,21 @@ static void copyCFDictionary(const void *key, const void *value, void *ctx) } -static void precheckAccess(CFURLRef path, CFDictionaryRef context) +static bool precheckAccess(CFURLRef path, CFDictionaryRef context) { CFTypeRef type = CFDictionaryGetValue(context, kSecAssessmentContextKeyOperation); if (type == NULL || CFEqual(type, kSecAssessmentOperationTypeExecute)) { CFRef<SecStaticCodeRef> code; - MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref())); + OSStatus rc = SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()); + if (rc == errSecCSBadBundleFormat) // work around <rdar://problem/26075034> + return false; CFRef<CFURLRef> exec; MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &exec.aref())); UnixError::check(::access(cfString(exec).c_str(), R_OK)); } else { UnixError::check(access(cfString(path).c_str(), R_OK)); } + return true; } @@ -189,7 +194,9 @@ CFDictionaryRef xpcEngineUpdate(CFTypeRef target, SecAssessmentFlags flags, CFDi if (CFGetTypeID(target) == CFNumberGetTypeID()) xpc_dictionary_set_uint64(msg, "rule", cfNumber<int64_t>(CFNumberRef(target))); else if (CFGetTypeID(target) == CFURLGetTypeID()) { - precheckAccess(CFURLRef(target), context); + bool good = precheckAccess(CFURLRef(target), context); + if (!good) // work around <rdar://problem/26075034> + return makeCFDictionary(0); // pretend this worked xpc_dictionary_set_string(msg, "url", cfString(CFURLRef(target)).c_str()); } else if (CFGetTypeID(target) == SecRequirementGetTypeID()) { CFRef<CFDataRef> data; 
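Review bot: Replacing `MacOSError::check(...)` with a bare `rc` comparison in precheckAccess means every SecStaticCodeCreateWithPath failure other than errSecCSBadBundleFormat is now ignored: `code` stays null and is passed to SecCodeCopyPath on the next line, whereas before the commit any error threw. Keep the special case but restore the check for everything else: `if (rc == errSecCSBadBundleFormat) // work around <rdar://problem/26075034>` / `return false;` / `MacOSError::check(rc);`. A comment above the function saying that a false return means "access check skipped, caller reports success" would make the new contract visible, since the bool is otherwise undocumented.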
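Review bot: In the second hunk, returning `makeCFDictionary(0)` when precheckAccess reports false makes xpcEngineUpdate tell its caller that the rule update succeeded although nothing was sent to the engine, so an assessment rule for such a target is silently not recorded. If the workaround has to stay, at least log the skip, e.g. `Syslog::notice("xpcEngineUpdate: rule update skipped, target rejected as bad bundle format");` (Syslog is already used in this file), and say in the comment that the empty dictionary is a deliberate stand-in for a real result. xpcEngineUpdate's body continues outside the hunk.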
@@ -217,8 +224,8 @@ CFDictionaryRef xpcEngineUpdate(CFTypeRef target, SecAssessmentFlags flags, CFDi if (localAuthorization) AuthorizationFree(localAuthorization, kAuthorizationFlagDefaults); - if (int64_t error = xpc_dictionary_get_int64(msg, "error")) - MacOSError::throwMe((int)error); + if (int64_t error = xpc_dictionary_get_int64(msg, "error")) + MacOSError::throwMe((int)error); size_t resultLength; const void *resultData = xpc_dictionary_get_data(msg, "result", &resultLength); @@ -244,6 +251,19 @@ void xpcEngineRecord(CFDictionaryRef info) msg.send(); } +void xpcEngineCheckDevID(CFBooleanRef* result) +{ + Message msg("check-dev-id"); + + msg.send(); + + if (int64_t error = xpc_dictionary_get_int64(msg, "error")) { + MacOSError::throwMe((int)error); + } + + *result = xpc_dictionary_get_bool(msg,"result") ? kCFBooleanTrue : kCFBooleanFalse; +} + } // end namespace CodeSigning } // end namespace Security diff --git a/OSX/libsecurity_codesigning/lib/xpcengine.h b/OSX/libsecurity_codesigning/lib/xpcengine.h index cd70387d..4e1d485e 100644 --- a/OSX/libsecurity_codesigning/lib/xpcengine.h +++ b/OSX/libsecurity_codesigning/lib/xpcengine.h @@ -37,6 +37,7 @@ CFDictionaryRef xpcEngineUpdate(CFTypeRef target, SecAssessmentFlags flags, CFDi CF_RETURNS_RETAINED; bool xpcEngineControl(const char *name); void xpcEngineRecord(CFDictionaryRef info); +void xpcEngineCheckDevID(CFBooleanRef* result); } // end namespace CodeSigning diff --git a/OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj b/OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj index edb3cacb..ff45f46c 100644 --- a/OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj 
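Review bot: xpcEngineCheckDevID writes through `result` without checking it, and `xpc_dictionary_get_bool` returns false both when the engine answered false and when the "result" key is absent, so a malformed or truncated reply is indistinguishable from a negative answer. Consider treating a missing key as an engine failure, `if (xpc_dictionary_get_value(msg, "result") == NULL) MacOSError::throwMe(errSecCSInternalError);`, before the assignment. The matching declaration added to xpcengine.h has no comment, unlike its neighbours; `// result: must be non-null, receives kCFBooleanTrue/kCFBooleanFalse` would document the out-parameter. The missing space in `xpc_dictionary_get_bool(msg,"result")` also departs from the call style used elsewhere in the file.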
@@ -12,7 +12,7 @@ buildConfigurationList = C26AC0EC143BCF01001C98CE /* Build configuration list for PBXAggregateTarget "SystemPolicy" */; buildPhases = ( C26AC0F0143BCF18001C98CE /* ShellScript */, - C26AC0F4143BD1C4001C98CE /* CopyFiles */, + 1F9152F01C7255BD009351BD /* ShellScript */, C2F24DFE14BCBBF200309FCD /* ShellScript */, C2578CB11579627200D4FE48 /* CopyFiles */, C25C18CD15CB0C470007A2DE /* CopyFiles */, @@ -98,7 +98,6 @@ C25C18D115CB0FC30007A2DE /* com.apple.gkreport.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = C25C18CF15CB0FA00007A2DE /* com.apple.gkreport.plist */; }; C26763D714FD9EBE00A46EDF /* drmaker.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C26763D514FD9EBE00A46EDF /* drmaker.cpp */; }; C26763D814FD9EBE00A46EDF /* drmaker.h in Headers */ = {isa = PBXBuildFile; fileRef = C26763D614FD9EBE00A46EDF /* drmaker.h */; }; - C26AC0F5143BD1C8001C98CE /* SystemPolicy in CopyFiles */ = {isa = PBXBuildFile; fileRef = C26AC0F3143BD1B3001C98CE /* SystemPolicy */; }; C26B45C10B8A9C0A003C0ACA /* ucspc in Frameworks */ = {isa = PBXBuildFile; fileRef = C26B45C00B8A9C00003C0ACA /* ucspc */; }; C26FF62D0E5B375A00F640A0 /* SecIntegrityLib.h in Headers */ = {isa = PBXBuildFile; fileRef = C2CC31040B8523AD005FA59D /* SecIntegrityLib.h */; settings = {ATTRIBUTES = (); }; }; C26FF62E0E5B375A00F640A0 /* SecCodeHostLib.h in Headers */ = {isa = PBXBuildFile; fileRef = C2BC1F340B580DA7003EC9DC /* SecCodeHostLib.h */; settings = {ATTRIBUTES = (); }; }; 
@@ -134,8 +133,8 @@ C2C3BCD30BA1E47E00E869D1 /* singlediskrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2C3BCD10BA1E47E00E869D1 /* singlediskrep.cpp */; }; C2C931B40AB8BA1200F83950 /* SecCodeHost.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2C931B30AB8BA1200F83950 /* SecCodeHost.cpp */; }; C2CC310F0B852424005FA59D /* SecIntegrityLib.c in Sources */ = {isa = PBXBuildFile; fileRef = C2CC310E0B852424005FA59D /* SecIntegrityLib.c */; }; - C2D2967A1BCF16C000B0A29B /* diskimagerep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D296781BCF16C000B0A29B /* diskimagerep.cpp */; settings = {ASSET_TAGS = (); }; }; - C2D2967B1BCF16C000B0A29B /* diskimagerep.h in Headers */ = {isa = PBXBuildFile; fileRef = C2D296791BCF16C000B0A29B /* diskimagerep.h */; settings = {ASSET_TAGS = (); }; }; + C2D2967A1BCF16C000B0A29B /* diskimagerep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D296781BCF16C000B0A29B /* diskimagerep.cpp */; }; + C2D2967B1BCF16C000B0A29B /* diskimagerep.h in Headers */ = {isa = PBXBuildFile; fileRef = C2D296791BCF16C000B0A29B /* diskimagerep.h */; }; C2D3833C0A237F47005C63A2 /* bundlediskrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D383120A237F47005C63A2 /* bundlediskrep.cpp */; }; C2D3833E0A237F47005C63A2 /* cdbuilder.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D383140A237F47005C63A2 /* cdbuilder.cpp */; }; C2D383400A237F47005C63A2 /* codedirectory.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D383160A237F47005C63A2 /* codedirectory.cpp */; }; 
@@ -152,6 +151,9 @@ C2D3835B0A237F47005C63A2 /* StaticCode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D383310A237F47005C63A2 /* StaticCode.cpp */; }; C2D3835D0A237F47005C63A2 /* reqparser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D383330A237F47005C63A2 /* reqparser.cpp */; }; C2D383610A237F47005C63A2 /* Requirements.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D383370A237F47005C63A2 /* Requirements.cpp */; }; + C2D6EA3F1C8F5158009B586F /* main.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D6EA3E1C8F5158009B586F /* main.cpp */; }; + C2D6EA451C8F5257009B586F /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = C2D6EA441C8F5257009B586F /* Security.framework */; }; + C2D6EA481C8F5281009B586F /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = C2D6EA461C8F5265009B586F /* libsecurity_utilities.a */; }; C2DC2DCA145F594000AD2A3A /* xar++.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2353410145F1B110073F964 /* xar++.cpp */; }; C2DC2DCB145F5CD000AD2A3A /* policyengine.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C27360201432A61900A9A5FF /* policyengine.cpp */; }; C2E2873D0B5D8D80009336A0 /* SecCodeHostLib.c in Sources */ = {isa = PBXBuildFile; fileRef = C2E2873C0B5D8D80009336A0 /* SecCodeHostLib.c */; }; 
@@ -159,6 +161,7 @@ C2F4439A14C626D4000A01E6 /* quarantine++.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2F4439814C626D4000A01E6 /* quarantine++.cpp */; }; C2F4439B14C626D4000A01E6 /* quarantine++.h in Headers */ = {isa = PBXBuildFile; fileRef = C2F4439914C626D4000A01E6 /* quarantine++.h */; }; C2F6566E0BCBFB250078779E /* cserror.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2F6566C0BCBFB250078779E /* cserror.cpp */; }; + DC1418651CCEE2EC00CFD769 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1418641CCEE2EC00CFD769 /* libutilities.a */; }; EB68B111150DAEEA00B4013D /* RequirementLexer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EB68B10B150DAEBB00B4013D /* RequirementLexer.cpp */; }; EB68B112150DAEEA00B4013D /* RequirementParser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EB68B10D150DAEBB00B4013D /* RequirementParser.cpp */; }; EB68B133150DB04400B4013D /* RequirementKeywords.h in Headers */ = {isa = PBXBuildFile; fileRef = EB68B10A150DAEBB00B4013D /* RequirementKeywords.h */; }; 
@@ -193,7 +196,6 @@ EB976FD21684D7C500A68EE6 /* TokenStreamRewriteEngine.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EB976FB41684D77600A68EE6 /* TokenStreamRewriteEngine.cpp */; }; EB976FD31684D7C500A68EE6 /* TokenStreamSelector.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EB976FB51684D77600A68EE6 /* TokenStreamSelector.cpp */; }; EB976FD41684D7C500A68EE6 /* TreeParser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EB976FB61684D77600A68EE6 /* TreeParser.cpp */; }; - EBB9FF7A1682E51300FF9774 /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = EBB9FF791682E51300FF9774 /* main.c */; }; EBB9FF7F1682E5A200FF9774 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = EBB9FF7E1682E5A200FF9774 /* CoreFoundation.framework */; }; EBB9FFE21682E83600FF9774 /* com.apple.CodeSigningHelper.sb in CopyFiles */ = {isa = PBXBuildFile; fileRef = EBB9FF801682E65700FF9774 /* com.apple.CodeSigningHelper.sb */; }; EBDAF04F166D65FA0042CDCE /* piddiskrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = EBDAF04D166D65FA0042CDCE /* piddiskrep.cpp */; }; @@ -322,16 +324,6 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - C26AC0F4143BD1C4001C98CE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = private/var/db; - dstSubfolderSpec = 0; - files = ( - C26AC0F5143BD1C8001C98CE /* SystemPolicy in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; EBB9FFE11682E80A00FF9774 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
@@ -495,6 +487,9 @@ C2D383380A237F47005C63A2 /* Requirements.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Requirements.h; sourceTree = "<group>"; }; C2D383390A237F47005C63A2 /* security_codesigning.exp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.exports; path = security_codesigning.exp; sourceTree = "<group>"; }; C2D50CDF0E155A4F0059A195 /* CSCommonPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CSCommonPriv.h; sourceTree = "<group>"; }; + C2D6EA3E1C8F5158009B586F /* main.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = main.cpp; sourceTree = "<group>"; }; + C2D6EA441C8F5257009B586F /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = ../../../d/workspaces/Build/Debug/Security.framework; sourceTree = "<group>"; }; + C2D6EA461C8F5265009B586F /* libsecurity_utilities.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libsecurity_utilities.a; path = ../../../d/workspaces/Build/Debug/libsecurity_utilities.a; sourceTree = "<group>"; }; C2E2873C0B5D8D80009336A0 /* SecCodeHostLib.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = SecCodeHostLib.c; sourceTree = "<group>"; }; C2E8AF240DE25CA7000F6D3B /* SecCodePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCodePriv.h; sourceTree = "<group>"; }; C2E8AF250DE25CA7000F6D3B /* SecRequirementPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecRequirementPriv.h; sourceTree = "<group>"; }; 
@@ -507,6 +502,7 @@ C2F6566C0BCBFB250078779E /* cserror.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = cserror.cpp; sourceTree = "<group>"; }; C2F6566D0BCBFB250078779E /* cserror.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cserror.h; sourceTree = "<group>"; }; CDCBE8941A1A96E8002CB2B7 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; }; + DC1418641CCEE2EC00CFD769 /* libutilities.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libutilities.a; path = "../../../Users/kmowery/Library/Developer/Xcode/DerivedData/Security-fkwwcnddijtngfaslvsedvgyzbou/Build/Products/Debug/libutilities.a"; sourceTree = "<group>"; }; EB68B10A150DAEBB00B4013D /* RequirementKeywords.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RequirementKeywords.h; sourceTree = "<group>"; }; EB68B10B150DAEBB00B4013D /* RequirementLexer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = RequirementLexer.cpp; sourceTree = "<group>"; }; EB68B10C150DAEBB00B4013D /* RequirementLexer.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; path = RequirementLexer.hpp; sourceTree = "<group>"; }; @@ -638,6 +634,7 @@ files = ( C200424D15D425D9004AE0A1 /* libsecurity_codesigning.a in Frameworks */, C200424E15D425D9004AE0A1 /* libsecurity_utilities.a in Frameworks */, + DC1418651CCEE2EC00CFD769 /* libutilities.a in Frameworks */, 7ACF261219958B6F00849B25 /* CoreFoundation.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; 
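Review bot: The new libutilities.a file reference (DC1418641CCEE2EC00CFD769) carries a developer-machine path, `../../../Users/kmowery/Library/Developer/Xcode/DerivedData/...`, and the earlier hunk adding C2D6EA441C8F5257009B586F and C2D6EA461C8F5265009B586F points Security.framework and libsecurity_utilities.a into `../../../d/workspaces/Build/Debug/`. These resolve only on the originating machine, so on any other checkout the link phases that consume them either fail or pick up whatever stale binary happens to sit at that path. Reference the products through the build directory (`sourceTree = BUILT_PRODUCTS_DIR;` with `path = libutilities.a;`) or as target dependencies instead of a DerivedData path.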
@@ -661,6 +658,8 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + C2D6EA481C8F5281009B586F /* libsecurity_utilities.a in Frameworks */, + C2D6EA451C8F5257009B586F /* Security.framework in Frameworks */, EBB9FF7F1682E5A200FF9774 /* CoreFoundation.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; @@ -871,8 +870,8 @@ C2C3BCD10BA1E47E00E869D1 /* singlediskrep.cpp */, C28342EC0E36719D00E54360 /* detachedrep.h */, C28342EB0E36719D00E54360 /* detachedrep.cpp */, - EBDAF04D166D65FA0042CDCE /* piddiskrep.cpp */, EBDAF04E166D65FA0042CDCE /* piddiskrep.h */, + EBDAF04D166D65FA0042CDCE /* piddiskrep.cpp */, ); name = "Disk Representations"; sourceTree = "<group>"; @@ -933,6 +932,9 @@ C2CC30EF0B8519CF005FA59D /* Frameworks */ = { isa = PBXGroup; children = ( + DC1418641CCEE2EC00CFD769 /* libutilities.a */, + C2D6EA461C8F5265009B586F /* libsecurity_utilities.a */, + C2D6EA441C8F5257009B586F /* Security.framework */, CDCBE8941A1A96E8002CB2B7 /* Security.framework */, C200424915D425B7004AE0A1 /* libsecurity_codesigning.a */, C200424A15D425B7004AE0A1 /* libsecurity_utilities.a */, @@ -1138,6 +1140,7 @@ isa = PBXGroup; children = ( EBB9FF791682E51300FF9774 /* main.c */, + C2D6EA3E1C8F5158009B586F /* main.cpp */, EBB9FF801682E65700FF9774 /* com.apple.CodeSigningHelper.sb */, EBB9FF731682E51300FF9774 /* Supporting Files */, ); @@ -1325,7 +1328,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C263E67909A2971B000043F1 /* Build configuration list for PBXProject "libsecurity_codesigning" */; compatibilityVersion = "Xcode 3.2"; 
@@ -1393,12 +1396,38 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/", + "$(SRCROOT)/lib/", + "$(SRCROOT)/gke/", + "$(SRCROOT)/dtrace/", + "$(SRCROOT)/antlr2/", + "$(SRCROOT)/antlr2/contrib/", + "$(SRCROOT)/antlr2/contrib/bcb4/", + "$(SRCROOT)/antlr2/scripts/", + "$(SRCROOT)/antlr2/src/", ); outputPaths = ( + "${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "ranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + shellScript = "# with our source directories as input files, Xcode will only re-run this phase if there's been a source change. Also, xcode doesn't believe in recursive directory.\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + }; + 1F9152F01C7255BD009351BD /* ShellScript */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 8; + files = ( + ); + inputPaths = ( + "$(TEMPDIR)/SystemPolicy", + ); + outputPaths = ( + "$(DSTROOT)/private/var/db/SystemPolicy", + ); + runOnlyForDeploymentPostprocessing = 1; + shellPath = /bin/bash; + shellScript = "cp \"$SCRIPT_INPUT_FILE_0\" \"$SCRIPT_OUTPUT_FILE_0\"\nchmod 600 \"$SCRIPT_OUTPUT_FILE_0\""; + showEnvVarsInLog = 0; }; C26AC0F0143BCF18001C98CE /* ShellScript */ = { isa = PBXShellScriptBuildPhase; @@ -1478,7 +1507,7 @@ ); runOnlyForDeploymentPostprocessing = 1; shellPath = /bin/bash; - shellScript = "cp \"$SCRIPT_INPUT_FILE_0\" \"$SCRIPT_OUTPUT_FILE_0\"\nchmod 444 \"$SCRIPT_OUTPUT_FILE_0\""; + shellScript = "cp \"$SCRIPT_INPUT_FILE_0\" \"$SCRIPT_OUTPUT_FILE_0\"\nchmod 400 \"$SCRIPT_OUTPUT_FILE_0\""; showEnvVarsInLog = 0; }; /* End PBXShellScriptBuildPhase section */ @@ -1600,7 +1629,7 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - EBB9FF7A1682E51300FF9774 /* main.c in Sources */, + C2D6EA3F1C8F5158009B586F /* main.cpp in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
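Review bot: The new SystemPolicy copy phase runs `cp` and `chmod 600` as two plain lines under /bin/bash, so if `cp` fails while an older output file still exists, `chmod` succeeds and the phase reports success with a stale database installed at the root-only mode. The same pattern is in the later hunk that changes the other script's mode from 444 to 400. Prefixing the scripts with `set -e` (or joining the two commands with `&&`) makes a failed copy fail the build.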
@@ -1733,14 +1762,23 @@ isa = XCBuildConfiguration; baseConfigurationReference = 184461A1146E9AD100B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; FRAMEWORK_SEARCH_PATHS = "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; + GCC_NO_COMMON_BLOCKS = YES; + GCC_PREPROCESSOR_DEFINITIONS = "SECTRUST_OSX=1"; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; HEADER_SEARCH_PATHS = ( "$(PROJECT_DIR)/../include", "$(PROJECT_DIR)/../utilities", @@ -1749,6 +1787,7 @@ "$(PROJECT_DIR)/lib", /usr/local/include, ); + ONLY_ACTIVE_ARCH = YES; OTHER_LDFLAGS = ""; TEMPDIR = "$(BUILT_PRODUCTS_DIR)/cstemp"; WARNING_CFLAGS = ( @@ -1764,14 +1803,22 @@ isa = XCBuildConfiguration; baseConfigurationReference = 184461A1146E9AD100B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; FRAMEWORK_SEARCH_PATHS = "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; + GCC_NO_COMMON_BLOCKS = YES; + GCC_PREPROCESSOR_DEFINITIONS = "SECTRUST_OSX=1"; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; HEADER_SEARCH_PATHS = ( "$(PROJECT_DIR)/../include", "$(PROJECT_DIR)/../utilities", 
@@ -1901,8 +1948,6 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; - CLANG_CXX_LIBRARY = "libc++"; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; @@ -1927,6 +1972,7 @@ INSTALL_PATH = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices; MACH_O_TYPE = mh_execute; ONLY_ACTIVE_ARCH = YES; + PRODUCT_BUNDLE_IDENTIFIER = "${PRODUCT_NAME}"; PRODUCT_NAME = "com.apple.$(TARGET_NAME:rfc1034identifier)"; SKIP_INSTALL = NO; WRAPPER_EXTENSION = xpc; @@ -1937,8 +1983,6 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; - CLANG_CXX_LIBRARY = "libc++"; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; @@ -1956,6 +2000,7 @@ INFOPLIST_FILE = "CodeSigningHelper/CodeSigningHelper-Info.plist"; INSTALL_PATH = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices; MACH_O_TYPE = mh_execute; + PRODUCT_BUNDLE_IDENTIFIER = "${PRODUCT_NAME}"; PRODUCT_NAME = "com.apple.$(TARGET_NAME:rfc1034identifier)"; SKIP_INSTALL = NO; WRAPPER_EXTENSION = xpc; diff --git a/OSX/libsecurity_comcryption/libsecurity_comcryption.xcodeproj/project.pbxproj b/OSX/libsecurity_comcryption/libsecurity_comcryption.xcodeproj/project.pbxproj index 71ed1f54..98200d4d 100644 --- a/OSX/libsecurity_comcryption/libsecurity_comcryption.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_comcryption/libsecurity_comcryption.xcodeproj/project.pbxproj @@ -113,7 +113,7 @@ 0FD07C9DFE8A174411CD283A /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3240987FCDE001272E0 /* Build configuration list for PBXProject "libsecurity_comcryption" */; compatibilityVersion = "Xcode 3.2"; 
@@ -165,6 +165,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB1F4146EF7C1000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -172,6 +187,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB1F4146EF7C1000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_cryptkit/lib/ckutilities.c b/OSX/libsecurity_cryptkit/lib/ckutilities.c index bbbe252b..7ed0beea 100644 --- a/OSX/libsecurity_cryptkit/lib/ckutilities.c +++ b/OSX/libsecurity_cryptkit/lib/ckutilities.c @@ -154,7 +154,7 @@ void printGiant(const giant x) printf("sign=%d cap=%d n[]=", x->sign, x->capacity); for(i=0; i<abs(x->sign); i++) { - printf("%u:", x->n[i]); + printf("%lu:", (unsigned long)x->n[i]); } printf("\n"); } 
@@ -165,7 +165,7 @@ void printGiantHex(const giant x) printf("sign=%d cap=%d n[]=", x->sign, x->capacity); for(i=0; i<abs(x->sign); i++) { - printf("%x:", x->n[i]); + printf("%lx:", (unsigned long)x->n[i]); } printf("\n"); } @@ -181,7 +181,7 @@ void printGiantExp(const giant x) printf("sign=%d cap=%d n[]=", x->sign, x->capacity); for(i=0; i<size; i++) { - printf("%u ", x->n[i]); + printf("%lu ", (unsigned long)x->n[i]); if(i > 0) { printf("* w^%d ", i); } diff --git a/OSX/libsecurity_cryptkit/lib/feeDigitalSignature.c b/OSX/libsecurity_cryptkit/lib/feeDigitalSignature.c index 77851ade..c2499709 100644 --- a/OSX/libsecurity_cryptkit/lib/feeDigitalSignature.c +++ b/OSX/libsecurity_cryptkit/lib/feeDigitalSignature.c @@ -166,12 +166,15 @@ feeSig feeSigNewWithKey( returnGiant(pt0.z); } else { +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunreachable-code" if(SIG_CURVE == CURVE_PLUS) { gtog(cp->x1Plus, sinst->PmX); } else { gtog(cp->x1Minus, sinst->PmX); } +#pragma clang diagnostic pop elliptic_simple(sinst->PmX, sinst->randGiant, cp); } #else /* CRYPTKIT_ELL_PROJ_ENABLE */ @@ -582,6 +585,8 @@ feeReturn feeSigVerifyNoProj(feeSig sig, * pick a key (+/-) * Q := P1 */ +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunreachable-code" if(SIG_CURVE == CURVE_PLUS) { origKey = feePubKeyPlusCurve(pubKey); gtog(cp->x1Plus, Q); @@ -590,6 +595,7 @@ feeReturn feeSigVerifyNoProj(feeSig sig, origKey = feePubKeyMinusCurve(pubKey); gtog(cp->x1Minus, Q); } +#pragma clang diagnostic pop messageGiant = giant_with_data(data, dataLen); // M(ciphertext) diff --git a/OSX/libsecurity_cryptkit/lib/feeECDSA.c b/OSX/libsecurity_cryptkit/lib/feeECDSA.c index cbed7a4e..57736073 100644 --- a/OSX/libsecurity_cryptkit/lib/feeECDSA.c +++ b/OSX/libsecurity_cryptkit/lib/feeECDSA.c 
@@ -460,7 +460,10 @@ feeReturn feeECDSAVerify(const unsigned char *sigData, * Verify that c and d are within [1,group_order-1] */ if((gcompg(cp->cOrderPlus, c) != 1) || (gcompg(cp->cOrderPlus, d) != 1) || - isZero(c) || isZero(d)) { + isZero(c) || isZero(d)) + { + returnGiant(c); + returnGiant(d); return FR_InvalidSignature; } diff --git a/OSX/libsecurity_cryptkit/lib/giantIntegers.c b/OSX/libsecurity_cryptkit/lib/giantIntegers.c index e7872b58..734ab60e 100644 --- a/OSX/libsecurity_cryptkit/lib/giantIntegers.c +++ b/OSX/libsecurity_cryptkit/lib/giantIntegers.c @@ -493,7 +493,7 @@ giant copyGiant(giant x) unsigned bitlen(giant n) { unsigned b = GIANT_BITS_PER_DIGIT; - giantDigit c = 1 << (GIANT_BITS_PER_DIGIT - 1); + giantDigit c = ((giantDigit)1) << (GIANT_BITS_PER_DIGIT - 1); giantDigit w; if (isZero(n)) { @@ -512,9 +512,9 @@ unsigned bitlen(giant n) { int bitval(giant n, int pos) { int i = abs(pos) >> GIANT_LOG2_BITS_PER_DIGIT; - giantDigit c = 1 << (pos & (GIANT_BITS_PER_DIGIT - 1)); + giantDigit c = ((giantDigit)1) << (pos & (GIANT_BITS_PER_DIGIT - 1)); - return((n->n[i]) & c); + return ((0!=((n->n[i]) & c))?1:0); } int gsign(giant g) diff --git a/OSX/libsecurity_cryptkit/lib/giantIntegers.h b/OSX/libsecurity_cryptkit/lib/giantIntegers.h index 2352a368..34acf764 100644 --- a/OSX/libsecurity_cryptkit/lib/giantIntegers.h +++ b/OSX/libsecurity_cryptkit/lib/giantIntegers.h @@ -31,7 +31,7 @@ extern "C" { /* * Size of giant digit. */ -#if NeXT || __i386__ || __i486__ +#if NeXT || __i386__ || __i486__ || __x86_64__ typedef unsigned int giantDigit; diff --git a/OSX/libsecurity_cryptkit/lib/giantPort_Generic.h b/OSX/libsecurity_cryptkit/lib/giantPort_Generic.h index 7062b406..5f4e4cd3 100644 --- a/OSX/libsecurity_cryptkit/lib/giantPort_Generic.h +++ b/OSX/libsecurity_cryptkit/lib/giantPort_Generic.h 
@@ -113,10 +113,14 @@ static inline void giantMulDigits( giantDigit *lowProduct, /* RETURNED, low digit */ giantDigit *hiProduct) /* RETURNED, high digit */ { +#if GIANT_LOG2_BITS_PER_DIGIT>5 +#error "dprod is too small to represent the full result of the multiplication" +#else unsigned long long dprod; +#endif dprod = (unsigned long long)dig1 * (unsigned long long)dig2; - *hiProduct = (giantDigit)(dprod >> GIANT_BITS_PER_DIGIT); + *hiProduct = (giantDigit)(dprod >> GIANT_BITS_PER_DIGIT); *lowProduct = (giantDigit)dprod; } diff --git a/OSX/libsecurity_cryptkit/lib/platform.c b/OSX/libsecurity_cryptkit/lib/platform.c index fa6c1b2e..b34746e9 100644 --- a/OSX/libsecurity_cryptkit/lib/platform.c +++ b/OSX/libsecurity_cryptkit/lib/platform.c @@ -28,7 +28,7 @@ void CKRaise(const char *reason) { #if FEE_DEBUG printf("CryptKit fatal error: %s\n", reason); #endif - exit(1); + abort(); } #import "feeDebug.h" @@ -83,7 +83,7 @@ void CKRaise(const char *reason) { #if FEE_DEBUG printf("CryptKit fatal error: %s\n", reason); #endif - exit(1); + abort(); } extern void time(unsigned *tp); @@ -106,12 +106,19 @@ unsigned createRandomSeed() */ #include <stdlib.h> #include <time.h> +#include <CrashReporterClient.h> void CKRaise(const char *reason) { #if FEE_DEBUG printf("CryptKit fatal error: %s\n", reason); #endif - exit(1); + char * msg = NULL; + if(asprintf(&msg, "CryptKit fatal error: %s", reason)) { + CRSetCrashLogMessage(msg); + } else { + CRSetCrashLogMessage("CryptKit fatal error"); + } + abort(); } /* for X, this isn't used except for testing when SecurityServer when @@ -170,7 +177,7 @@ void CKRaise(const char *reason) { #if FEE_DEBUG printf("CryptKit fatal error: %s\n", reason); #endif - exit(1); + abort(); } #include <sys/types.h> diff --git a/OSX/libsecurity_cryptkit/libsecurity_cryptkit.xcodeproj/project.pbxproj b/OSX/libsecurity_cryptkit/libsecurity_cryptkit.xcodeproj/project.pbxproj index 53a83f0d..6625cb52 100644 
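Review bot: In the third CKRaise variant, `if(asprintf(&msg, ...))` treats the -1 failure return as success, since any non-zero value is true; on allocation failure `msg` is then handed to CRSetCrashLogMessage with unspecified contents instead of the fixed fallback string. Test for failure explicitly: `if (asprintf(&msg, "CryptKit fatal error: %s", reason) >= 0) {`. Not freeing `msg` is correct here because abort() follows and the crash reporter reads it, but a one-line comment saying so would keep a later cleanup from freeing it before the abort.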
--- a/OSX/libsecurity_cryptkit/libsecurity_cryptkit.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_cryptkit/libsecurity_cryptkit.xcodeproj/project.pbxproj @@ -534,7 +534,7 @@ 0FD07C9DFE8A174411CD283A /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD33A0987FCDE001272E0 /* Build configuration list for PBXProject "libsecurity_cryptkit" */; compatibilityVersion = "Xcode 3.2"; @@ -713,12 +713,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB1FA146EF983000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -726,12 +735,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB1FA146EF983000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_cssm/lib/attachment.cpp b/OSX/libsecurity_cssm/lib/attachment.cpp index de8aae2e..59ab540c 100644 --- a/OSX/libsecurity_cssm/lib/attachment.cpp 
+++ b/OSX/libsecurity_cssm/lib/attachment.cpp @@ -81,7 +81,7 @@ Attachment::Attachment(Module *parent, &upcalls, &spiFunctionTable)) { // attach rejected by module - secdebug("cssm", "attach of module %p(%s) failed", + secinfo("cssm", "attach of module %p(%s) failed", &module, module.name().c_str()); CssmError::throwMe(err); } @@ -89,7 +89,7 @@ Attachment::Attachment(Module *parent, if (spiFunctionTable == NULL || spiFunctionTable->ServiceType != subserviceType()) CssmError::throwMe(CSSMERR_CSSM_INVALID_ADDIN_FUNCTION_TABLE); mIsActive = true; // now officially attached to plugin - secdebug("cssm", "%p attached module %p(%s) (ssid %ld type %ld)", + secinfo("cssm", "%p attached module %p(%s) (ssid %ld type %ld)", this, parent, parent->name().c_str(), (long)ssId, (long)ssType); // subclass is responsible for taking spiFunctionTable and build // whatever dispatch is needed @@ -116,7 +116,7 @@ void Attachment::detach(bool isLocked) CssmError::throwMe(CSSM_ERRCODE_FUNCTION_FAILED); //@#attachment busy if (CSSM_RETURN error = module.plugin->detach(handle())) CssmError::throwMe(error); // I'm sorry Dave, ... - secdebug("cssm", "%p detach module %p(%s)", this, + secinfo("cssm", "%p detach module %p(%s)", this, &module, module.name().c_str()); mIsActive = false; module.detach(this); @@ -175,7 +175,6 @@ CSSM_RETURN Attachment::upcallCcToHandle(CSSM_CC_HANDLE handle, CSSM_MODULE_HANDLE *modHandle) { BEGIN_API -#warning Cast from CSSM_CC_HANDLE to CSSM_HANDLE Required(modHandle) = HandleObject::find<HandleContext>((CSSM_HANDLE)handle, CSSMERR_CSSM_INVALID_ADDIN_HANDLE).attachment.handle(); END_API(CSP) } diff --git a/OSX/libsecurity_cssm/lib/certextensions.h b/OSX/libsecurity_cssm/lib/certextensions.h index 39dc1a0c..d215836b 100644 --- a/OSX/libsecurity_cssm/lib/certextensions.h +++ b/OSX/libsecurity_cssm/lib/certextensions.h 
@@ -28,6 +28,9 @@ #include <Security/cssmtype.h> +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + /*** *** Structs for declaring extension-specific data. ***/ @@ -637,4 +640,6 @@ typedef struct __CE_DataAndType { CSSM_BOOL critical; } CE_DataAndType DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #endif /* _CERT_EXTENSIONS_H_ */ diff --git a/OSX/libsecurity_cssm/lib/cssmaci.h b/OSX/libsecurity_cssm/lib/cssmaci.h index f71dd4b8..f1535aef 100644 --- a/OSX/libsecurity_cssm/lib/cssmaci.h +++ b/OSX/libsecurity_cssm/lib/cssmaci.h @@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef struct cssm_spi_ac_funcs { CSSM_RETURN (CSSMACI *AuthCompute) (CSSM_AC_HANDLE ACHandle, @@ -53,6 +56,8 @@ typedef struct cssm_spi_ac_funcs { void **OutputParams); } CSSM_SPI_AC_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_AC_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/cssmapple.h b/OSX/libsecurity_cssm/lib/cssmapple.h index 23f383ad..632b308d 100644 --- a/OSX/libsecurity_cssm/lib/cssmapple.h +++ b/OSX/libsecurity_cssm/lib/cssmapple.h @@ -37,6 +37,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + /* Guids for standard Apple addin modules. */ /* CSSM itself: {87191ca0-0fc9-11d4-849a-000502b52122} */ @@ -389,6 +392,12 @@ enum { // Make a backup of this database in a new file CSSM_APPLEFILEDL_MAKE_BACKUP, + + // Make a copy of this database + CSSM_APPLEFILEDL_MAKE_COPY, + + // Delete this database + CSSM_APPLEFILEDL_DELETE_FILE, }; /* UNLOCK_REFERRAL "type" attribute values */ 
@@ -701,6 +710,10 @@ enum CSSM_APPLE_PRIVATE_CSPDL_CODE_21 = 21, CSSM_APPLE_PRIVATE_CSPDL_CODE_22 = 22, CSSM_APPLE_PRIVATE_CSPDL_CODE_23 = 23, + CSSM_APPLE_PRIVATE_CSPDL_CODE_24 = 24, + CSSM_APPLE_PRIVATE_CSPDL_CODE_25 = 25, + CSSM_APPLE_PRIVATE_CSPDL_CODE_26 = 26, + CSSM_APPLE_PRIVATE_CSPDL_CODE_27 = 27, /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the * associated key blob. @@ -949,7 +962,7 @@ enum { CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT = 0x00000001, // enable fetch from network CSSM_TP_ACTION_FETCH_CRL_FROM_NET = 0x00000002, - // if set and positive OCSP verify for given cert, no further revocation + // if set and positive CRL verify for given cert, no further revocation // checking need be done on that cert CSSM_TP_ACTION_CRL_SUFFICIENT = 0x00000004, // require CRL verification for certs which claim a CRL provider @@ -1151,6 +1164,7 @@ typedef struct { * (included here for lack of a better place) */ #define kKeychainSuffix ".keychain" +#define kKeychainDbSuffix ".keychain-db" #define kSystemKeychainName "System.keychain" #define kSystemKeychainDir "/Library/Keychains/" #define kSystemUnlockFile "/var/db/SystemKey" @@ -1177,6 +1191,8 @@ const CSSM_OID *cssmAlgToOid(CSSM_ALGORITHMS algId); #define errSecErrnoBase 100000 #define errSecErrnoLimit 100255 +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif // __cplusplus diff --git a/OSX/libsecurity_cssm/lib/cssmapplePriv.h b/OSX/libsecurity_cssm/lib/cssmapplePriv.h index e3c013a2..9bf4e472 100644 --- a/OSX/libsecurity_cssm/lib/cssmapplePriv.h +++ b/OSX/libsecurity_cssm/lib/cssmapplePriv.h 
@@ -116,6 +116,18 @@ enum // Make a backup of this database on the filesystem CSSM_APPLECSPDL_DB_MAKE_BACKUP = CSSM_APPLE_PRIVATE_CSPDL_CODE_23, + + // Make a copy of this database on the filesystem + CSSM_APPLECSPDL_DB_MAKE_COPY = CSSM_APPLE_PRIVATE_CSPDL_CODE_24, + + // Make a clone of this database on the filesystem, and tell securityd about it + CSSM_APPLECSPDL_DB_CLONE = CSSM_APPLE_PRIVATE_CSPDL_CODE_25, + + // Delete the file underlying this database + CSSM_APPLECSPDL_DB_DELETE_FILE = CSSM_APPLE_PRIVATE_CSPDL_CODE_26, + + // Recoding of this database is complete + CSSM_APPLECSPDL_DB_RECODE_FINISHED = CSSM_APPLE_PRIVATE_CSPDL_CODE_27, }; /* AppleCSPDL passthrough parameters */ diff --git a/OSX/libsecurity_cssm/lib/cssmcli.h b/OSX/libsecurity_cssm/lib/cssmcli.h index 61c02bd6..504c9d7f 100644 --- a/OSX/libsecurity_cssm/lib/cssmcli.h +++ b/OSX/libsecurity_cssm/lib/cssmcli.h @@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef struct cssm_spi_cl_funcs { CSSM_RETURN (CSSMCLI *CertCreateTemplate) (CSSM_CL_HANDLE CLHandle, @@ -235,6 +238,8 @@ typedef struct cssm_spi_cl_funcs { void **OutputParams); } CSSM_SPI_CL_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_CL_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/cssmcspi.h b/OSX/libsecurity_cssm/lib/cssmcspi.h index 44c9ecee..16535953 100644 --- a/OSX/libsecurity_cssm/lib/cssmcspi.h +++ b/OSX/libsecurity_cssm/lib/cssmcspi.h @@ -33,6 +33,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef struct cssm_spi_csp_funcs { CSSM_RETURN (CSSMCSPI *EventNotify) (CSSM_CSP_HANDLE CSPHandle, 
@@ -360,6 +363,8 @@ typedef struct cssm_spi_csp_funcs { const CSSM_ACL_OWNER_PROTOTYPE *NewOwner); } CSSM_SPI_CSP_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_CSP_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/cssmdli.h b/OSX/libsecurity_cssm/lib/cssmdli.h index 14848fd5..b755d0ad 100644 --- a/OSX/libsecurity_cssm/lib/cssmdli.h +++ b/OSX/libsecurity_cssm/lib/cssmdli.h @@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef struct cssm_spi_dl_funcs { CSSM_RETURN (CSSMDLI *DbOpen) (CSSM_DL_HANDLE DLHandle, @@ -144,6 +147,8 @@ typedef struct cssm_spi_dl_funcs { void **OutputParams); } CSSM_SPI_DL_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_DL_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/cssmkrapi.h b/OSX/libsecurity_cssm/lib/cssmkrapi.h index 984f2f4f..06adece6 100644 --- a/OSX/libsecurity_cssm/lib/cssmkrapi.h +++ b/OSX/libsecurity_cssm/lib/cssmkrapi.h @@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef uint32 CSSM_KRSP_HANDLE; /* Key Recovery Service Provider Handle */ typedef struct cssm_kr_name { @@ -236,6 +239,8 @@ CSSM_KR_PassThrough (CSSM_KRSP_HANDLE KRSPHandle, void **OutputParams) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/cssmkrspi.h b/OSX/libsecurity_cssm/lib/cssmkrspi.h index e27c165f..5c2cf0f6 100644 --- a/OSX/libsecurity_cssm/lib/cssmkrspi.h +++ b/OSX/libsecurity_cssm/lib/cssmkrspi.h 
@@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + /* Data types for Key Recovery SPI */ typedef struct cssm_spi_kr_funcs { @@ -104,6 +107,8 @@ typedef struct cssm_spi_kr_funcs { void **OutputParams); } CSSM_SPI_KR_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_KR_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/cssmspi.h b/OSX/libsecurity_cssm/lib/cssmspi.h index 35e8ea91..69765f8a 100644 --- a/OSX/libsecurity_cssm/lib/cssmspi.h +++ b/OSX/libsecurity_cssm/lib/cssmspi.h @@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef CSSM_RETURN (CSSMAPI *CSSM_SPI_ModuleEventHandler) (const CSSM_GUID *ModuleGuid, void *CssmNotifyCallbackCtx, @@ -124,6 +127,7 @@ CSSM_RETURN CSSMSPI CSSM_SPI_ModuleDetach (CSSM_MODULE_HANDLE ModuleHandle) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop #ifdef __cplusplus } diff --git a/OSX/libsecurity_cssm/lib/cssmtpi.h b/OSX/libsecurity_cssm/lib/cssmtpi.h index 701a5ebd..ad92b112 100644 --- a/OSX/libsecurity_cssm/lib/cssmtpi.h +++ b/OSX/libsecurity_cssm/lib/cssmtpi.h @@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef struct cssm_spi_tp_funcs { CSSM_RETURN (CSSMTPI *SubmitCredRequest) (CSSM_TP_HANDLE TPHandle, @@ -195,6 +198,8 @@ typedef struct cssm_spi_tp_funcs { void **OutputParams); } CSSM_SPI_TP_FUNCS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_SPI_TP_FUNCS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/cssmtype.h b/OSX/libsecurity_cssm/lib/cssmtype.h index f9aba2af..1cddc3e4 100644 --- a/OSX/libsecurity_cssm/lib/cssmtype.h 
+++ b/OSX/libsecurity_cssm/lib/cssmtype.h @@ -38,6 +38,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + /* Handle types. */ typedef CSSM_INTPTR CSSM_HANDLE, *CSSM_HANDLE_PTR; @@ -2073,6 +2076,8 @@ typedef struct cssm_db_schema_index_info { CSSM_DB_INDEXED_DATA_LOCATION IndexedDataLocation; } CSSM_DB_SCHEMA_INDEX_INFO DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_DB_SCHEMA_INDEX_INFO_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/emmspi.h b/OSX/libsecurity_cssm/lib/emmspi.h index f986952d..0981c581 100644 --- a/OSX/libsecurity_cssm/lib/emmspi.h +++ b/OSX/libsecurity_cssm/lib/emmspi.h @@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef struct cssm_state_funcs { CSSM_RETURN (CSSMAPI *cssm_GetAttachFunctions) (CSSM_MODULE_HANDLE hAddIn, @@ -87,6 +90,8 @@ ModuleManagerAuthenticate (CSSM_KEY_HIERARCHY KeyHierarchy, CSSM_MANAGER_REGISTRATION_INFO_PTR FunctionTable) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/emmtype.h b/OSX/libsecurity_cssm/lib/emmtype.h index 2fb04a5e..1f3c18f1 100644 --- a/OSX/libsecurity_cssm/lib/emmtype.h +++ b/OSX/libsecurity_cssm/lib/emmtype.h @@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + #define CSSM_HINT_CALLBACK (1) typedef uint32 CSSM_MANAGER_EVENT_TYPES; @@ -46,6 +49,8 @@ typedef struct cssm_manager_event_notification { CSSM_DATA EventData; } CSSM_MANAGER_EVENT_NOTIFICATION DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_MANAGER_EVENT_NOTIFICATION_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif 
diff --git a/OSX/libsecurity_cssm/lib/manager.cpp b/OSX/libsecurity_cssm/lib/manager.cpp index 28511ed0..c98737a2 100644 --- a/OSX/libsecurity_cssm/lib/manager.cpp +++ b/OSX/libsecurity_cssm/lib/manager.cpp @@ -42,7 +42,7 @@ CssmManager::CssmManager() CssmManager::~CssmManager() { if (initCount > 0) - secdebug("cssm", "CSSM forcibly shutting down"); + secinfo("cssm", "CSSM forcibly shutting down"); } @@ -68,7 +68,7 @@ void CssmManager::initialize (const CSSM_VERSION &version, CssmError::throwMe(CSSMERR_CSSM_PVC_ALREADY_CONFIGURED); } initCount++; - secdebug("cssm", "re-initializing CSSM (%d levels)", initCount); + secinfo("cssm", "re-initializing CSSM (%d levels)", initCount); return; } @@ -84,7 +84,7 @@ void CssmManager::initialize (const CSSM_VERSION &version, // we are ready now initCount = 1; - secdebug("cssm", "CSSM initialized"); + secinfo("cssm", "CSSM initialized"); } @@ -99,14 +99,14 @@ bool CssmManager::terminate() case 0: CssmError::throwMe(CSSMERR_CSSM_NOT_INITIALIZED); case 1: - secdebug("cssm", "Terminating CSSM"); + secinfo("cssm", "Terminating CSSM"); if (!moduleMap.empty()) CssmError::throwMe(CSSM_ERRCODE_FUNCTION_FAILED); // @#can't terminate with modules loaded initCount = 0; // mark uninitialized return true; default: initCount--; // nested INIT, just count down - secdebug("cssm", "CSSM nested termination (%d remaining)", initCount); + secinfo("cssm", "CSSM nested termination (%d remaining)", initCount); return false; } } 
@@ -144,13 +144,13 @@ void CssmManager::loadModule(const Guid &guid, allowed: ; } #endif - secdebug("cssm", "loading module %s(%s) from %s", + secinfo("cssm", "loading module %s(%s) from %s", info.name().c_str(), info.description().c_str(), info.path().c_str()); module = new Module(this, info, loader(info.path())); moduleMap[guid] = module; } else { module = it->second; - secdebug("cssm", "%p reloaded module %s(%s) at %s", + secinfo("cssm", "%p reloaded module %s(%s) at %s", module, module->name().c_str(), module->description().c_str(), module->path().c_str()); } @@ -172,12 +172,12 @@ void CssmManager::unloadModule(const Guid &guid, StLock<Mutex> _(mLock); Module *module = getModule(guid); if (module->unload(callback)) { - secdebug("cssm", "%p module %s(%s) final unload", + secinfo("cssm", "%p module %s(%s) final unload", module, module->name().c_str(), module->description().c_str()); moduleMap.erase(guid); delete module; } else - secdebug("cssm", "%p module %s(%s) load count now %u", module, + secinfo("cssm", "%p module %s(%s) load count now %u", module, module->name().c_str(), module->description().c_str(), module->callbackCount()); } diff --git a/OSX/libsecurity_cssm/lib/modload_plugin.cpp b/OSX/libsecurity_cssm/lib/modload_plugin.cpp index 14ab1293..350af350 100644 --- a/OSX/libsecurity_cssm/lib/modload_plugin.cpp +++ b/OSX/libsecurity_cssm/lib/modload_plugin.cpp @@ -26,6 +26,7 @@ // modload_plugin - loader interface for dynamically loaded plugin modules // #include "modload_plugin.h" +#include <security_cdsa_utilities/cssmerrors.h> namespace Security { 
@@ -37,7 +38,11 @@ namespace Security { // LoadablePlugin::LoadablePlugin(const char *path) : LoadableBundle(path) { - secdebug("cssm", "LoadablePlugin(%s)", path); + secinfo("cssm", "LoadablePlugin(%s)", path); + if (!allowableModulePath(path)) { + secinfo("cssm", "LoadablePlugin(): not loaded; plugin in non-standard location: %s", path); + CssmError::throwMe(CSSMERR_CSSM_ADDIN_AUTHENTICATE_FAILED); + } load(); } @@ -47,7 +52,7 @@ LoadablePlugin::LoadablePlugin(const char *path) : LoadableBundle(path) // void LoadablePlugin::load() { - secdebug("cssm", "LoadablePlugin::load() path %s", path().c_str()); + secinfo("cssm", "LoadablePlugin::load() path %s", path().c_str()); LoadableBundle::load(); findFunction(mFunctions.load, "CSSM_SPI_ModuleLoad"); findFunction(mFunctions.attach, "CSSM_SPI_ModuleAttach"); @@ -57,7 +62,7 @@ void LoadablePlugin::load() void LoadablePlugin::unload() { - secdebug("cssm", "LoadablePlugin::unload() path %s", path().c_str()); + secinfo("cssm", "LoadablePlugin::unload() path %s", path().c_str()); /* skipping for workaround for radar 3774226 LoadableBundle::unload(); */ } @@ -76,7 +81,7 @@ CSSM_RETURN LoadablePlugin::load(const CSSM_GUID *CssmGuid, CSSM_SPI_ModuleEventHandler CssmNotifyCallback, void *CssmNotifyCallbackCtx) { - secdebug("cssm", "LoadablePlugin::load(guid,...) path %s", path().c_str()); + secinfo("cssm", "LoadablePlugin::load(guid,...) path %s", path().c_str()); return mFunctions.load(CssmGuid, ModuleGuid, CssmNotifyCallback, CssmNotifyCallbackCtx); } @@ -86,7 +91,7 @@ CSSM_RETURN LoadablePlugin::unload(const CSSM_GUID *CssmGuid, CSSM_SPI_ModuleEventHandler CssmNotifyCallback, void *CssmNotifyCallbackCtx) { - secdebug("cssm", "LoadablePlugin::unload(guid,...) path %s", path().c_str()); + secinfo("cssm", "LoadablePlugin::unload(guid,...) path %s", path().c_str()); return mFunctions.unload(CssmGuid, ModuleGuid, CssmNotifyCallback, CssmNotifyCallbackCtx); } 
@@ -114,5 +119,10 @@ CSSM_RETURN LoadablePlugin::detach(CSSM_MODULE_HANDLE ModuleHandle) return mFunctions.detach(ModuleHandle); } +bool LoadablePlugin::allowableModulePath(const char *path) { + // True if module path is in default location + const char *loadablePrefix="/System/Library/Security/"; + return (strncmp(loadablePrefix,path,strlen(loadablePrefix)) == 0); +} } // end namespace Security diff --git a/OSX/libsecurity_cssm/lib/modload_plugin.h b/OSX/libsecurity_cssm/lib/modload_plugin.h index 9d131dff..7e74ca03 100644 --- a/OSX/libsecurity_cssm/lib/modload_plugin.h +++ b/OSX/libsecurity_cssm/lib/modload_plugin.h @@ -56,6 +56,8 @@ private: template <class FunctionType> void findFunction(FunctionType * &func, const char *name) { func = (FunctionType *)lookupSymbol(name); } + + bool allowableModulePath(const char *path); }; diff --git a/OSX/libsecurity_cssm/lib/modloader.cpp b/OSX/libsecurity_cssm/lib/modloader.cpp index bf99d6d1..e495f5ba 100644 --- a/OSX/libsecurity_cssm/lib/modloader.cpp +++ b/OSX/libsecurity_cssm/lib/modloader.cpp @@ -88,11 +88,11 @@ Plugin *ModuleLoader::operator () (const string &path) { Plugin * &plugin = mPlugins[path]; if (!plugin) { - secdebug("cssm", "ModuleLoader(): creating plugin %s", path.c_str()); + secinfo("cssm", "ModuleLoader(): creating plugin %s", path.c_str()); plugin = new LoadablePlugin(path.c_str()); } else { - secdebug("cssm", "ModuleLoader(): FOUND plugin %s, isLoaded %s", + secinfo("cssm", "ModuleLoader(): FOUND plugin %s, isLoaded %s", path.c_str(), plugin->isLoaded() ? "TRUE" : "FALSE"); if(!plugin->isLoaded()) { plugin->load(); diff --git a/OSX/libsecurity_cssm/lib/transition.cpp b/OSX/libsecurity_cssm/lib/transition.cpp index 99c81b06..8f78be84 100644 --- a/OSX/libsecurity_cssm/lib/transition.cpp +++ b/OSX/libsecurity_cssm/lib/transition.cpp 
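Review bot: `allowableModulePath` compares the prefix against `path` exactly as it was passed in, so a string that textually starts with `/System/Library/Security/` but resolves elsewhere (a `..` component, or a symlink inside that directory) still passes, and a NULL `path` reaches `strncmp` unchecked; the constructor hunk above that calls it inherits both gaps. Canonicalising with `realpath(3)` and rejecting NULL or unresolvable paths makes the check describe the directory the bundle is actually loaded from, which is what the `CSSMERR_CSSM_ADDIN_AUTHENTICATE_FAILED` rejection is meant to guarantee. The function reads no instance state, so the declaration added to modload_plugin.h in the next hunk could be `static`, and `strncmp`/`strlen` need `<cstring>` in scope, which the includes visible in this file do not show. Minor style: spaces around `=` and after the commas in the `strncmp` call would match the surrounding code.
```cpp
bool LoadablePlugin::allowableModulePath(const char *path) {
    // True only if the *resolved* module path is inside the default location
    static const char loadablePrefix[] = "/System/Library/Security/";
    if (path == NULL)
        return false;
    char resolved[PATH_MAX];
    if (realpath(path, resolved) == NULL)
        return false;
    return strncmp(loadablePrefix, resolved, sizeof(loadablePrefix) - 1) == 0;
}
```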
@@ -291,7 +291,6 @@ CSSM_GetContext (CSSM_CC_HANDLE CCHandle, CSSM_CONTEXT_PTR *ContextP) { BEGIN_API -#warning Cast from CSSM_CC_HANDLE to CSSM_HANDLE HandleContext &context = HandleObject::find<HandleContext>((CSSM_HANDLE)CCHandle, CSSM_ERRCODE_INVALID_CONTEXT_HANDLE); Context *newContext = new(context.attachment) Context(context.type(), context.algorithm()); try { @@ -326,7 +325,6 @@ CSSM_SetContext (CSSM_CC_HANDLE CCHandle, { BEGIN_API const Context &source = Context::required(ContextP); -#warning Cast from CSSM_CC_HANDLE to CSSM_HANDLE HandleContext &context = HandleObject::find<HandleContext>((CSSM_HANDLE)CCHandle, CSSM_ERRCODE_INVALID_CONTEXT_HANDLE); CSSM_CONTEXT_ATTRIBUTE *oldAttributes = context.ContextAttributes; @@ -392,7 +390,6 @@ CSSM_UpdateContextAttributes (CSSM_CC_HANDLE CCHandle, const CSSM_CONTEXT_ATTRIBUTE *ContextAttributes) { BEGIN_API -#warning Cast from CSSM_CC_HANDLE to CSSM_HANDLE HandleContext &context = HandleObject::find<HandleContext>((CSSM_HANDLE)CCHandle, CSSM_ERRCODE_INVALID_CONTEXT_HANDLE); context.mergeAttributes(ContextAttributes, NumberAttributes); END_API(CSSM) @@ -408,7 +405,6 @@ CSSM_DeleteContextAttributes (CSSM_CC_HANDLE CCHandle, if (NumberOfAttributes == 0) return CSSM_OK; // I suppose Required(ContextAttributes); // preflight -#warning Cast from CSSM_CC_HANDLE to CSSM_HANDLE HandleContext &context = HandleObject::find<HandleContext>((CSSM_HANDLE)CCHandle, CSSM_ERRCODE_INVALID_CONTEXT_HANDLE); for (uint32 n = 0; n < NumberOfAttributes; n++) context.deleteAttribute(ContextAttributes[n].AttributeType); @@ -425,7 +421,6 @@ CSSM_DigestDataClone (CSSM_CC_HANDLE ccHandle, CSSM_CC_HANDLE *newCCHandle) { BEGIN_API -#warning Cast from CSSM_CC_HANDLE to CSSM_HANDLE HandleContext &context = HandleObject::findAndLock<HandleContext>((CSSM_HANDLE)ccHandle, CSSM_ERRCODE_INVALID_CONTEXT_HANDLE); TransitLock _(context.attachment); HandleContext *newContext = 
diff --git a/OSX/libsecurity_cssm/lib/x509defs.h b/OSX/libsecurity_cssm/lib/x509defs.h index 398cbc67..1affad44 100644 --- a/OSX/libsecurity_cssm/lib/x509defs.h +++ b/OSX/libsecurity_cssm/lib/x509defs.h @@ -32,6 +32,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef uint8 CSSM_BER_TAG; #define BER_TAG_UNKNOWN 0 #define BER_TAG_BOOLEAN 1 @@ -223,6 +226,8 @@ typedef struct cssm_x509_signed_crl { CSSM_X509_SIGNATURE signature; } CSSM_X509_SIGNED_CRL DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_X509_SIGNED_CRL_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/libsecurity_cssm.xcodeproj/project.pbxproj b/OSX/libsecurity_cssm/libsecurity_cssm.xcodeproj/project.pbxproj index 4c04ddc0..462aded3 100644 --- a/OSX/libsecurity_cssm/libsecurity_cssm.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_cssm/libsecurity_cssm.xcodeproj/project.pbxproj @@ -340,7 +340,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3480987FCDE001272E0 /* Build configuration list for PBXProject "libsecurity_cssm" */; compatibilityVersion = "Xcode 3.2"; 
@@ -465,12 +465,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1879B4A3146DAE33007E536C /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -478,12 +487,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1879B4A3146DAE33007E536C /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_filedb/lib/AppleDatabase.cpp b/OSX/libsecurity_filedb/lib/AppleDatabase.cpp index aa307033..6155d798 100644 --- a/OSX/libsecurity_filedb/lib/AppleDatabase.cpp +++ b/OSX/libsecurity_filedb/lib/AppleDatabase.cpp @@ -1687,7 +1687,7 @@ DbModifier::commit() return; try { - secdebugfunc("integrity", "committing to %s", mAtomicFile.path().c_str()); + secnotice("integrity", "committing to %s", mAtomicFile.path().c_str()); WriteSection aHeaderSection(Allocator::standard(), size_t(HeaderSize)); // Set aHeaderSection to the correct size. 
@@ -2550,6 +2550,14 @@ AppleDatabase::passThrough(DbContext &dbContext, dbMakeBackup(); break; + case CSSM_APPLEFILEDL_MAKE_COPY: + dbMakeCopy((const char *) inputParams); + break; + + case CSSM_APPLEFILEDL_DELETE_FILE: + dbDeleteFile(); + break; + case CSSM_APPLECSPDL_DB_RELATION_EXISTS: { CSSM_BOOL returnValue; @@ -2581,11 +2589,20 @@ AppleDatabase::dbMakeBackup() { string filename_temp(filename_temp_cstr); filename_temp += "_backup"; - const char * dstFilename = filename_temp.c_str(); free(filename_temp_cstr); - if(copyfile(mAtomicFile.path().c_str(), dstFilename, NULL, COPYFILE_ALL) < 0) { + dbMakeCopy(filename_temp.c_str()); +} + +void +AppleDatabase::dbMakeCopy(const char* path) { + if(copyfile(mAtomicFile.path().c_str(), path, NULL, COPYFILE_UNLINK | COPYFILE_ALL) < 0) { UnixError::throwMe(errno); } } +void AppleDatabase::dbDeleteFile() { + if(unlink(mAtomicFile.path().c_str()) < 0) { + UnixError::throwMe(errno); + } +} diff --git a/OSX/libsecurity_filedb/lib/AppleDatabase.h b/OSX/libsecurity_filedb/lib/AppleDatabase.h index c5f429d9..1ad330fd 100644 --- a/OSX/libsecurity_filedb/lib/AppleDatabase.h +++ b/OSX/libsecurity_filedb/lib/AppleDatabase.h @@ -635,7 +635,12 @@ public: const AccessCredentials *inAccessCred, const void *inOpenParameters); + // These two methods will throw an exception on error virtual void dbMakeBackup(); + virtual void dbMakeCopy(const char * path); + + // Delete the file under this database + virtual void dbDeleteFile(); const CssmDbRecordAttributeInfo schemaRelations; const CssmDbRecordAttributeInfo schemaAttributes; diff --git a/OSX/libsecurity_filedb/lib/AtomicFile.cpp b/OSX/libsecurity_filedb/lib/AtomicFile.cpp index 60c98f46..6095fb0f 100644 --- a/OSX/libsecurity_filedb/lib/AtomicFile.cpp +++ b/OSX/libsecurity_filedb/lib/AtomicFile.cpp 
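Review bot: The new `CSSM_APPLEFILEDL_MAKE_COPY` case casts `inputParams` straight to `const char *` and hands it to `dbMakeCopy` without checking that the caller supplied a pointer at all; a NULL here reaches `copyfile`, which then fails with whatever errno it sets instead of the DL's input-pointer error. A guard before the call, `if (inputParams == NULL) CssmError::throwMe(CSSMERR_DL_INVALID_INPUT_POINTER);`, keeps error reporting consistent with the rest of the passthrough dispatch. The destination string's termination and length cannot be validated at this layer and come from whoever invokes the passthrough, which deserves a comment on the case. `passThrough` starts and ends outside the hunk.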
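Review bot: `dbMakeCopy` adds `COPYFILE_UNLINK`, so `dbMakeBackup`, now routed through it, removes whatever already exists at the `_backup` path before copying, where the old call copied over it in place; if that change in backup semantics is intended it belongs in the "These two methods will throw" comment added to the header hunk, along with the fact that `path` is caller-supplied and the unlink-then-copy runs with this process's privileges against whatever path is named. `dbDeleteFile` unlinks `mAtomicFile.path()` unconditionally; a later reopen through this object will presumably fail with ENOENT, and nothing in the hunk records that the database object is expected to be discarded afterwards. Both new functions pass `errno` directly to `throwMe`, which is fine as long as nothing intervenes, but the `int error = errno;` convention used throughout the AtomicFile hunks below is the safer habit. Style: `void AppleDatabase::dbDeleteFile()` on one line while `dbMakeCopy` puts the return type on its own line — pick one.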
@@ -98,7 +98,7 @@ AtomicFile::performDelete() if (::unlink(mPath.c_str()) != 0) { int error = errno; - secdebug("atomicfile", "unlink %s: %s", mPath.c_str(), strerror(error)); + secnotice("atomicfile", "unlink %s: %s", mPath.c_str(), strerror(error)); if (error == ENOENT) CssmError::throwMe(CSSMERR_DL_DATASTORE_DOESNOT_EXIST); else @@ -121,7 +121,7 @@ AtomicFile::rename(const std::string &inNewPath) if (::rename(path, newPath) != 0) { int error = errno; - secdebug("atomicfile", "rename(%s, %s): %s", path, newPath, strerror(error)); + secnotice("atomicfile", "rename(%s, %s): %s", path, newPath, strerror(error)); UnixError::throwMe(error); } } @@ -140,7 +140,7 @@ AtomicFile::create(mode_t mode) if (fileRef == -1) { int error = errno; - secdebug("atomicfile", "open %s: %s", path, strerror(error)); + secnotice("atomicfile", "open %s: %s", path, strerror(error)); // Do the obvious error code translations here. // @@@ Consider moving these up a level. @@ -158,7 +158,7 @@ AtomicFile::create(mode_t mode) // Now that we have created the lock and the new db file create a tempfile // object. RefPointer<AtomicTempFile> temp(new AtomicTempFile(*this, lock, mode)); - secdebug("atomicfile", "%p created %s", this, path); + secnotice("atomicfile", "%p created %s", this, path); return temp; } catch (...) @@ -166,7 +166,7 @@ AtomicFile::create(mode_t mode) // Creating the temp file failed so remove the db file we just created too. if (::unlink(path) == -1) { - secdebug("atomicfile", "unlink %s: %s", path, strerror(errno)); + secnotice("atomicfile", "unlink %s: %s", path, strerror(errno)); } throw; } @@ -202,7 +202,7 @@ AtomicFile::mode() const if (::stat(path, &st) == -1) { int error = errno; - secdebug("atomicfile", "stat %s: %s", path, strerror(error)); + secnotice("atomicfile", "stat %s: %s", path, strerror(error)); UnixError::throwMe(error); } return st.st_mode; 
@@ -381,8 +381,7 @@ AtomicBufferedFile::AtomicBufferedFile(const std::string &inPath, bool isLocal) mPath(inPath), mFileRef(-1), mBuffer(NULL), - mLength(0), - mIsMapped(isLocal) + mLength(0) { } @@ -393,12 +392,12 @@ AtomicBufferedFile::~AtomicBufferedFile() // In release mode, the assert() is compiled out so rv may be unused. __unused int rv = AtomicFile::rclose(mFileRef); assert(rv == 0); - secdebug("atomicfile", "%p closed %s", this, mPath.c_str()); + secnotice("atomicfile", "%p closed %s", this, mPath.c_str()); } if (mBuffer) { - secdebug("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer); + secnotice("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer); unloadBuffer(); } } @@ -412,7 +411,7 @@ AtomicBufferedFile::open() const char *path = mPath.c_str(); if (mFileRef >= 0) { - secdebug("atomicfile", "open %s: already open, closing and reopening", path); + secnotice("atomicfile", "open %s: already open, closing and reopening", path); close(); } @@ -420,7 +419,7 @@ AtomicBufferedFile::open() if (mFileRef == -1) { int error = errno; - secdebug("atomicfile", "open %s: %s", path, strerror(error)); + secnotice("atomicfile", "open %s: %s", path, strerror(error)); // Do the obvious error code translations here. // @@@ Consider moving these up a level. @@ -441,13 +440,13 @@ AtomicBufferedFile::open() else { int error = errno; - secdebug("atomicfile", "lseek(%s, END): %s", path, strerror(error)); + secnotice("atomicfile", "lseek(%s, END): %s", path, strerror(error)); AtomicFile::rclose(mFileRef); mFileRef = -1; UnixError::throwMe(error); } - secdebug("atomicfile", "%p opened %s: %qd bytes", this, path, mLength); + secnotice("atomicfile", "%p opened %s: %qd bytes", this, path, mLength); return mLength; } 
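Review bot: With `mIsMapped(isLocal)` removed, the `isLocal` parameter of the `AtomicBufferedFile` constructor is no longer read anywhere in the hunk, which any build with unused-parameter warnings will flag. If callers still pass it, mark it with the `__unused` attribute this file already applies to `rv` in the destructor hunk, or drop it from the declaration and its callers; if `mIsMapped` is still declared in AtomicFile.h (not visible here) it should go too, since nothing initialises it now. The constructor's body is fully inside the hunk.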
@@ -458,69 +457,48 @@ AtomicBufferedFile::open() void AtomicBufferedFile::unloadBuffer() { - if (!mIsMapped) - { - delete [] mBuffer; - } - else - { - munmap(mBuffer, (size_t)mLength); - } + if(mBuffer) { + delete [] mBuffer; + } } // // Load the contents of the file into memory. -// If we are on a local file system, we mmap the file. Otherwise, we -// read it all into memory void AtomicBufferedFile::loadBuffer() { - if (!mIsMapped) - { - // make a buffer big enough to hold the entire file - mBuffer = new uint8[mLength]; - lseek(mFileRef, 0, SEEK_SET); - ssize_t pos = 0; - - ssize_t bytesToRead = (ssize_t)mLength; - while (bytesToRead > 0) - { - ssize_t bytesRead = ::read(mFileRef, mBuffer + pos, bytesToRead); - if (bytesRead == -1) - { - if (errno != EINTR) - { - int error = errno; - secdebug("atomicfile", "lseek(%s, END): %s", mPath.c_str(), strerror(error)); - if (mFileRef >= 0) { - AtomicFile::rclose(mFileRef); - mFileRef = -1; - } - UnixError::throwMe(error); - } - } - else - { - bytesToRead -= bytesRead; - pos += bytesRead; - } - } - } - else - { - // mmap the buffer into place - mBuffer = (uint8*) mmap(NULL, (size_t)mLength, PROT_READ, MAP_PRIVATE, mFileRef, 0); - if (mBuffer == (uint8*) -1) - { - int error = errno; - secdebug("atomicfile", "lseek(%s, END): %s", mPath.c_str(), strerror(error)); - if (mFileRef >= 0) { - AtomicFile::rclose(mFileRef); - mFileRef = -1; - } - UnixError::throwMe(error); - } - } + // make a buffer big enough to hold the entire file + mBuffer = new uint8[mLength]; + if(lseek(mFileRef, 0, SEEK_SET) < 0) { + int error = errno; + secnotice("atomicfile", "lseek(%s, BEGINNING): %s", mPath.c_str(), strerror(error)); + UnixError::throwMe(error); + } + ssize_t pos = 0; + + ssize_t bytesToRead = (ssize_t)mLength; + while (bytesToRead > 0) + { + ssize_t bytesRead = ::read(mFileRef, mBuffer + pos, bytesToRead); + if (bytesRead == -1) + { + if (errno != EINTR) + { + int error = errno; + secnotice("atomicfile", "read(%s, %zd): %s", 
mPath.c_str(), bytesToRead, strerror(error)); + if (mFileRef >= 0) { + AtomicFile::rclose(mFileRef); + mFileRef = -1; + } + UnixError::throwMe(error); + } + } + else + { + bytesToRead -= bytesRead; + pos += bytesRead; + } + } } @@ -536,20 +514,20 @@ AtomicBufferedFile::read(off_t inOffset, off_t inLength, off_t &outLength) { if (mFileRef < 0) { - secdebug("atomicfile", "read %s: file yet not opened, opening", mPath.c_str()); + secnotice("atomicfile", "read %s: file yet not opened, opening", mPath.c_str()); open(); } off_t bytesLeft = inLength; if (mBuffer) { - secdebug("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer); + secnotice("atomicfile", "%p free %s buffer %p", this, mPath.c_str(), mBuffer); unloadBuffer(); } loadBuffer(); - secdebug("atomicfile", "%p allocated %s buffer %p size %qd", this, mPath.c_str(), mBuffer, bytesLeft); + secnotice("atomicfile", "%p allocated %s buffer %p size %qd", this, mPath.c_str(), mBuffer, bytesLeft); off_t maxEnd = inOffset + inLength; if (maxEnd > mLength) @@ -567,7 +545,7 @@ AtomicBufferedFile::close() { if (mFileRef < 0) { - secdebug("atomicfile", "close %s: already closed", mPath.c_str()); + secnotice("atomicfile", "close %s: already closed", mPath.c_str()); } else { @@ -576,11 +554,11 @@ AtomicBufferedFile::close() if (result == -1) { int error = errno; - secdebug("atomicfile", "close %s: %s", mPath.c_str(), strerror(errno)); + secnotice("atomicfile", "close %s: %s", mPath.c_str(), strerror(errno)); UnixError::throwMe(error); } - secdebug("atomicfile", "%p closed %s", this, mPath.c_str()); + secnotice("atomicfile", "%p closed %s", this, mPath.c_str()); } } @@ -647,7 +625,7 @@ AtomicTempFile::create(mode_t mode) if (mFileRef == -1) { int error = errno; - secdebug("atomicfile", "open %s: %s", path, strerror(error)); + secnotice("atomicfile", "open %s: %s", path, strerror(error)); // Do the obvious error code translations here. // @@@ Consider moving these up a level. 
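Review bot: In the rewritten `loadBuffer`, a `read` that returns 0 — the file being shorter than the `mLength` measured at `open()`, for instance after truncation by another writer — takes the `else` branch with `bytesToRead` unchanged and the loop never exits; the old non-mmap branch had the same loop, but it is now the only read path. Treat a zero return as an error, `if (bytesRead == 0) CssmError::throwMe(CSSMERR_DL_INTERNAL_ERROR);`, matching how `AtomicTempFile::write` already handles a zero-byte write further down in this file. `unloadBuffer` also leaves `mBuffer` dangling after `delete []`; adding `mBuffer = NULL;` there prevents a double free if it is ever called twice before `loadBuffer` reassigns the pointer (`delete [] NULL` is a no-op, so the `if (mBuffer)` guard is otherwise redundant). `loadBuffer` and `unloadBuffer` both start and end inside the hunk.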
@@ -666,12 +644,12 @@ AtomicTempFile::create(mode_t mode) if (::fchmod(mFileRef, mode)) { int error = errno; - secdebug("atomicfile", "fchmod %s: %s", path, strerror(error)); + secnotice("atomicfile", "fchmod %s: %s", path, strerror(error)); UnixError::throwMe(error); } } - secdebug("atomicfile", "%p created %s", this, path); + secnotice("atomicfile", "%p created %s", this, path); } void @@ -708,7 +686,7 @@ AtomicTempFile::write(AtomicFile::OffsetType inOffsetType, off_t inOffset, const if (pos == -1) { int error = errno; - secdebug("atomicfile", "lseek(%s, %qd): %s", mPath.c_str(), inOffset, strerror(error)); + secnotice("atomicfile", "lseek(%s, %qd): %s", mPath.c_str(), inOffset, strerror(error)); UnixError::throwMe(error); } } @@ -729,18 +707,18 @@ AtomicTempFile::write(AtomicFile::OffsetType inOffsetType, off_t inOffset, const if (error == EINTR) { // We got interrupted by a signal, so try again. - secdebug("atomicfile", "write %s: interrupted, retrying", mPath.c_str()); + secnotice("atomicfile", "write %s: interrupted, retrying", mPath.c_str()); continue; } - secdebug("atomicfile", "write %s: %s", mPath.c_str(), strerror(error)); + secnotice("atomicfile", "write %s: %s", mPath.c_str(), strerror(error)); UnixError::throwMe(error); } // Write returning 0 is bad mmkay. if (bytesWritten == 0) { - secdebug("atomicfile", "write %s: 0 bytes written", mPath.c_str()); + secnotice("atomicfile", "write %s: 0 bytes written", mPath.c_str()); CssmError::throwMe(CSSMERR_DL_INTERNAL_ERROR); } @@ -757,7 +735,7 @@ AtomicTempFile::fsync() { if (mFileRef < 0) { - secdebug("atomicfile", "fsync %s: already closed", mPath.c_str()); + secnotice("atomicfile", "fsync %s: already closed", mPath.c_str()); } else { 
@@ -770,11 +748,11 @@ AtomicTempFile::fsync() if (result == -1) { int error = errno; - secdebug("atomicfile", "fsync %s: %s", mPath.c_str(), strerror(errno)); + secnotice("atomicfile", "fsync %s: %s", mPath.c_str(), strerror(errno)); UnixError::throwMe(error); } - secdebug("atomicfile", "%p fsynced %s", this, mPath.c_str()); + secnotice("atomicfile", "%p fsynced %s", this, mPath.c_str()); } } @@ -783,7 +761,7 @@ AtomicTempFile::close() { if (mFileRef < 0) { - secdebug("atomicfile", "close %s: already closed", mPath.c_str()); + secnotice("atomicfile", "close %s: already closed", mPath.c_str()); } else { @@ -792,11 +770,11 @@ AtomicTempFile::close() if (result == -1) { int error = errno; - secdebug("atomicfile", "close %s: %s", mPath.c_str(), strerror(errno)); + secnotice("atomicfile", "close %s: %s", mPath.c_str(), strerror(errno)); UnixError::throwMe(error); } - secdebug("atomicfile", "%p closed %s", this, mPath.c_str()); + secnotice("atomicfile", "%p closed %s", this, mPath.c_str()); } } @@ -823,7 +801,7 @@ AtomicTempFile::commit() s = copyfile_state_alloc(); if(copyfile(newPath, oldPath, s, COPYFILE_SECURITY | COPYFILE_NOFOLLOW) == -1) // Not fatal - secdebug("atomicfile", "copyfile (%s, %s): %s", oldPath, newPath, strerror(errno)); + secnotice("atomicfile", "copyfile (%s, %s): %s", oldPath, newPath, strerror(errno)); copyfile_state_free(s); // END <rdar://problem/6991037> @@ -833,14 +811,14 @@ AtomicTempFile::commit() if (::rename(oldPath, newPath) == -1) { int error = errno; - secdebug("atomicfile", "rename (%s, %s): %s", oldPath, newPath, strerror(errno)); + secnotice("atomicfile", "rename (%s, %s): %s", oldPath, newPath, strerror(errno)); UnixError::throwMe(error); } + secnotice("atomicfile", "%p commited %s to %s", this, oldPath, newPath); + // Unlock the lockfile mLockedFile = NULL; - - secdebug("atomicfile", "%p commited %s", this, oldPath); } catch (...) { 
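Review bot: The copyfile failure message on the changed line prints `(oldPath, newPath)` while the call is `copyfile(newPath, oldPath, …)`, so the paths are logged in the opposite order from the arguments; because this step copies ACLs and extended attributes onto the new file and is deliberately non-fatal, that log line is the only evidence when it fails, and it should read `secnotice("atomicfile", "copyfile (%s, %s): %s", newPath, oldPath, strerror(errno));`. Whether a failed metadata copy should stay non-fatal for a keychain database is a question about the surrounding code, which this commit does not touch.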
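Review bot: The changed rename log line formats `strerror(errno)` even though `error` was saved from errno one line earlier; the logging call itself may disturb errno, so the message can describe a different error from the one then thrown — use `strerror(error)` (the close and fsync hunks above carry the same pattern). The relocated success message also spells "committed" as `commited`.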
@@ -863,7 +841,7 @@ AtomicTempFile::rollback() throw() const char *path = mPath.c_str(); if (::unlink(path) == -1) { - secdebug("atomicfile", "unlink %s: %s", path, strerror(errno)); + secnotice("atomicfile", "unlink %s: %s", path, strerror(errno)); // rollback can't throw } @@ -873,7 +851,7 @@ AtomicTempFile::rollback() throw() const char *path = mFile.path().c_str(); if (::unlink(path) == -1) { - secdebug("atomicfile", "unlink %s: %s", path, strerror(errno)); + secnotice("atomicfile", "unlink %s: %s", path, strerror(errno)); // rollback can't throw } } @@ -933,7 +911,7 @@ LocalFileLocker::lock(mode_t mode) int result = flock(mLockFile, LOCK_EX); IFDEBUG(double endTime = GetTime()); - IFDEBUG(secdebug("atomictime", "Waited %.4f milliseconds for file lock", (endTime - startTime) * 1000.0)); + IFDEBUG(secnotice("atomictime", "Waited %.4f milliseconds for file lock", (endTime - startTime) * 1000.0)); // errors at this point are bad if (result == -1) @@ -1027,7 +1005,7 @@ NetworkFileLocker::unique(mode_t mode) { int error = errno; ::syslog(LOG_ERR, "Couldn't create temp file %s: %s", fullname.c_str(), strerror(error)); - secdebug("atomicfile", "Couldn't create temp file %s: %s", fullname.c_str(), strerror(error)); + secnotice("atomicfile", "Couldn't create temp file %s: %s", fullname.c_str(), strerror(error)); UnixError::throwMe(error); } @@ -1134,7 +1112,7 @@ NetworkFileLocker::lock(mode_t mode) else doSyslog = true; - secdebug("atomicfile", "Locking %s", path); /* in order to cater for clock skew: get */ + secnotice("atomicfile", "Locking %s", path); /* in order to cater for clock skew: get */ if (!xcreat(path, mode, t)) /* time t from the filesystem */ { /* lock acquired, hurray! */ 
@@ -1157,12 +1135,12 @@ NetworkFileLocker::lock(mode_t mode) { triedforce=true; ::syslog(LOG_ERR, "Forced unlock denied on %s", path); - secdebug("atomicfile", "Forced unlock denied on %s", path); + secnotice("atomicfile", "Forced unlock denied on %s", path); } else { ::syslog(LOG_ERR, "Forcing lock on %s", path); - secdebug("atomicfile", "Forcing lock on %s", path); + secnotice("atomicfile", "Forcing lock on %s", path); sleep(16 /* DEFsuspend */); break; } @@ -1193,7 +1171,7 @@ NetworkFileLocker::lock(mode_t mode) case ENAMETOOLONG: /* Filename is too long, shorten and retry */ if (mPath.size() > mDir.size() + 8) { - secdebug("atomicfile", "Truncating %s and retrying lock", path); + secnotice("atomicfile", "Truncating %s and retrying lock", path); mPath.erase(mPath.end() - 1); path = mPath.c_str(); /* Reset retry counter. */ @@ -1212,7 +1190,7 @@ NetworkFileLocker::lock(mode_t mode) { int error = errno; ::syslog(LOG_ERR, "Lock failure on %s: %s", path, strerror(error)); - secdebug("atomicfile", "Lock failure on %s: %s", path, strerror(error)); + secnotice("atomicfile", "Lock failure on %s: %s", path, strerror(error)); UnixError::throwMe(error); } } @@ -1223,7 +1201,7 @@ NetworkFileLocker::unlock() const char *path = mPath.c_str(); if (::unlink(path) == -1) { - secdebug("atomicfile", "unlink %s: %s", path, strerror(errno)); + secnotice("atomicfile", "unlink %s: %s", path, strerror(errno)); // unlock can't throw } } diff --git a/OSX/libsecurity_filedb/lib/AtomicFile.h b/OSX/libsecurity_filedb/lib/AtomicFile.h index 65d8905a..db86fd76 100644 --- a/OSX/libsecurity_filedb/lib/AtomicFile.h +++ b/OSX/libsecurity_filedb/lib/AtomicFile.h @@ -125,9 +125,6 @@ private: // Length of file in bytes. off_t mLength; - - // Is on a local file system - bool mIsMapped; }; diff --git a/OSX/libsecurity_filedb/libsecurity_filedb.xcodeproj/project.pbxproj b/OSX/libsecurity_filedb/libsecurity_filedb.xcodeproj/project.pbxproj index 69125807..7280f5eb 100644 
--- a/OSX/libsecurity_filedb/libsecurity_filedb.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_filedb/libsecurity_filedb.xcodeproj/project.pbxproj @@ -26,13 +26,6 @@ remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; remoteInfo = libsecurity_cdsa_plugin; }; - 182BB33C146F1057000BF1F3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 182BB214146F0538000BF1F3 /* libsecurity_cdsa_plugin.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = C2C38A530535EDE600D7421F; - remoteInfo = generate; - }; /* End PBXContainerItemProxy section */ /* Begin PBXFileReference section */ 
@@ -44,7 +37,7 @@ 4CA1FEBE052A3C8100F22E42 /* libsecurity_filedb.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libsecurity_filedb.a; sourceTree = BUILT_PRODUCTS_DIR; }; AA827A5B0C62AD0300D7A310 /* OverUnderflowCheck.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OverUnderflowCheck.h; sourceTree = "<group>"; }; AAEA4A430E9163290043771D /* ReadWriteSection.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ReadWriteSection.cpp; sourceTree = "<group>"; }; - C28A1CED052E14480094CEF0 /* AppleDatabase.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = AppleDatabase.cpp; sourceTree = "<group>"; }; + C28A1CED052E14480094CEF0 /* AppleDatabase.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = AppleDatabase.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C28A1CEE052E14480094CEF0 /* AppleDatabase.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = AppleDatabase.h; sourceTree = "<group>"; }; C28A1CEF052E14480094CEF0 /* AtomicFile.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = AtomicFile.cpp; sourceTree = "<group>"; }; C28A1CF0052E14480094CEF0 /* AtomicFile.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = AtomicFile.h; sourceTree = "<group>"; }; @@ -151,7 +144,6 @@ buildRules = ( ); dependencies = ( - 182BB33D146F1057000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_filedb; productName = libsecurity_filedb; 
@@ -164,7 +156,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3600987FCDE001272E0 /* Build configuration list for PBXProject "libsecurity_filedb" */; compatibilityVersion = "Xcode 3.2"; @@ -221,14 +213,6 @@ }; /* End PBXSourcesBuildPhase section */ -/* Begin PBXTargetDependency section */ - 182BB33D146F1057000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = generate; - targetProxy = 182BB33C146F1057000BF1F3 /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - /* Begin XCBuildConfiguration section */ C27AD35D0987FCDE001272E0 /* Debug */ = { isa = XCBuildConfiguration; @@ -250,13 +234,22 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB208146F043D000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; 
@@ -264,13 +257,20 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB208146F043D000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_keychain/lib/ACL.cpp b/OSX/libsecurity_keychain/lib/ACL.cpp index 6dfd8f28..3c328bf4 100644 --- a/OSX/libsecurity_keychain/lib/ACL.cpp +++ b/OSX/libsecurity_keychain/lib/ACL.cpp @@ -185,7 +185,7 @@ bool ACL::authorizesSpecifically(AclAuthorization right) void ACL::setIntegrity(const CssmData& digest) { if(mForm != integrityForm) { - secdebugfunc("integrity", "acl has incorrect form: %d", mForm); + secnotice("integrity", "acl has incorrect form: %d", mForm); CssmError::throwMe(CSSMERR_CSP_INVALID_ACL_SUBJECT_VALUE); } @@ -230,7 +230,7 @@ void ACL::modify() { StLock<Mutex>_(mMutex); if (mState == unchanged) { - secdebug("SecAccess", "ACL %p marked modified", this); + secinfo("SecAccess", "ACL %p marked modified", this); mState = modified; } } @@ -248,7 +248,7 @@ void ACL::remove() StLock<Mutex>_(mMutex); mAppList.clear(); mForm = invalidForm; - secdebug("SecAccess", "ACL %p marked deleted", this); + secinfo("SecAccess", "ACL %p marked deleted", this); mState = deleted; } 
@@ -308,12 +308,12 @@ void ACL::setAccess(AclBearer &target, bool update, if (isOwner()) { switch (action) { case unchanged: - secdebug("SecAccess", "ACL %p owner unchanged", this); + secinfo("SecAccess", "ACL %p owner unchanged", this); return; case inserted: // means modify the initial owner case modified: { - secdebug("SecAccess", "ACL %p owner modified", this); + secinfo("SecAccess", "ACL %p owner modified", this); makeSubject(); assert(mSubjectForm); AclOwnerPrototype proto(*mSubjectForm, mDelegate); @@ -329,10 +329,10 @@ void ACL::setAccess(AclBearer &target, bool update, // simple cases switch (action) { case unchanged: // ignore - secdebug("SecAccess", "ACL %p handle 0x%lx unchanged", this, entryHandle()); + secinfo("SecAccess", "ACL %p handle 0x%lx unchanged", this, entryHandle()); return; case deleted: // delete - secdebug("SecAccess", "ACL %p handle 0x%lx deleted", this, entryHandle()); + secinfo("SecAccess", "ACL %p handle 0x%lx deleted", this, entryHandle()); target.deleteAcl(entryHandle(), cred); return; default: @@ -349,12 +349,12 @@ void ACL::setAccess(AclBearer &target, bool update, AclEntryInput input(proto); switch (action) { case inserted: // insert - secdebug("SecAccess", "ACL %p inserted", this); + secinfo("SecAccess", "ACL %p inserted", this); target.addAcl(input, cred); mState = unchanged; break; case modified: // update - secdebug("SecAccess", "ACL %p handle 0x%lx modified", this, entryHandle()); + secinfo("SecAccess", "ACL %p handle 0x%lx modified", this, entryHandle()); target.changeAcl(entryHandle(), input, cred); mState = unchanged; break; 
@@ -376,13 +376,13 @@ void ACL::parse(const TypedList &subject) case CSSM_ACL_SUBJECT_TYPE_ANY: // subsume an "any" as a standard form mForm = allowAllForm; - secdebug("SecAccess", "parsed an allowAllForm (%d) (%d)", subject.type(), mForm); + secinfo("SecAccess", "parsed an allowAllForm (%d) (%d)", subject.type(), mForm); return; case CSSM_ACL_SUBJECT_TYPE_KEYCHAIN_PROMPT: // pure keychain prompt - interpret as applist form with no apps parsePrompt(subject); mForm = appListForm; - secdebug("SecAccess", "parsed a Keychain Prompt (%d) as an appListForm (%d)", subject.type(), mForm); + secinfo("SecAccess", "parsed a Keychain Prompt (%d) as an appListForm (%d)", subject.type(), mForm); return; case CSSM_ACL_SUBJECT_TYPE_THRESHOLD: { 
@@ -401,32 +401,32 @@ void ACL::parse(const TypedList &subject) TypedList &first = subject[3]; if (first.type() == CSSM_ACL_SUBJECT_TYPE_ANY) { mForm = allowAllForm; - secdebug("SecAccess", "parsed a Threshhold (%d) as an allowAllForm (%d)", subject.type(), mForm); + secinfo("SecAccess", "parsed a Threshhold (%d) as an allowAllForm (%d)", subject.type(), mForm); return; } // parse other (code signing) elements for (uint32 n = 0; n < count - 1; n++) { mAppList.push_back(new TrustedApplication(TypedList(subject[n + 3].list()))); - secdebug("SecAccess", "found an application: %s", mAppList.back()->path()); + secinfo("SecAccess", "found an application: %s", mAppList.back()->path()); } } mForm = appListForm; - secdebug("SecAccess", "parsed a Threshhold (%d) as an appListForm (%d)", subject.type(), mForm); + secinfo("SecAccess", "parsed a Threshhold (%d) as an appListForm (%d)", subject.type(), mForm); return; case CSSM_ACL_SUBJECT_TYPE_PARTITION: mForm = integrityForm; mIntegrity.copy(subject.last()->data()); - secdebug("SecAccess", "parsed a Partition (%d) as an integrityForm (%d)", subject.type(), mForm); + secinfo("SecAccess", "parsed a Partition (%d) as an integrityForm (%d)", subject.type(), mForm); return; default: - secdebug("SecAccess", "didn't find a type for %d, marking custom (%d)", subject.type(), mForm); + secinfo("SecAccess", "didn't find a type for %d, marking custom (%d)", subject.type(), mForm); mForm = customForm; mSubjectForm = chunkCopy(&subject); return; } } catch (const ParseError &) { - secdebug("SecAccess", "acl compile failed for type (%d); marking custom", subject.type()); + secinfo("SecAccess", "acl compile failed for type (%d); marking custom", subject.type()); mForm = customForm; mSubjectForm = chunkCopy(&subject); mAppList.clear(); 
@@ -466,7 +466,7 @@ void ACL::makeSubject() new(allocator) ListElement(allocator, mPromptDescription)); *mSubjectForm += new(allocator) ListElement(prompt); } - secdebug("SecAccess", "made an allowAllForm (%d) into a subjectForm (%d)", mForm, mSubjectForm->type()); + secinfo("SecAccess", "made an allowAllForm (%d) into a subjectForm (%d)", mForm, mSubjectForm->type()); return; case appListForm: { // threshold(1 of n+1) of { app1, ..., appn, PROMPT } @@ -483,17 +483,17 @@ void ACL::makeSubject() new(allocator) ListElement(allocator, mPromptDescription)); *mSubjectForm += new(allocator) ListElement(prompt); } - secdebug("SecAccess", "made an appListForm (%d) into a subjectForm (%d)", mForm, mSubjectForm->type()); + secinfo("SecAccess", "made an appListForm (%d) into a subjectForm (%d)", mForm, mSubjectForm->type()); return; case integrityForm: chunkFree(mSubjectForm, allocator); mSubjectForm = new(allocator) TypedList(allocator, CSSM_ACL_SUBJECT_TYPE_PARTITION, new(allocator) ListElement(allocator, mIntegrity)); - secdebug("SecAccess", "made an integrityForm (%d) into a subjectForm (%d)", mForm, mSubjectForm->type()); + secinfo("SecAccess", "made an integrityForm (%d) into a subjectForm (%d)", mForm, mSubjectForm->type()); return; case customForm: assert(mSubjectForm); // already set; keep it - secdebug("SecAccess", "have a customForm (%d), already have a subjectForm (%d)", mForm, mSubjectForm->type()); + secinfo("SecAccess", "have a customForm (%d), already have a subjectForm (%d)", mForm, mSubjectForm->type()); return; default: diff --git a/OSX/libsecurity_keychain/lib/Access.cpp b/OSX/libsecurity_keychain/lib/Access.cpp index 2aa23a18..64da867e 100644 --- a/OSX/libsecurity_keychain/lib/Access.cpp +++ b/OSX/libsecurity_keychain/lib/Access.cpp 
@@ -270,7 +270,7 @@ void Access::removeAclsForRight(AclAuthorization right) { for (Map::const_iterator it = mAcls.begin(); it != mAcls.end(); ) { if (it->second->authorizesSpecifically(right)) { it = mAcls.erase(it); - secdebugfunc("SecAccess", "%p removed an acl, %d left", this, mAcls.size()); + secinfo("SecAccess", "%p removed an acl, %lu left", this, mAcls.size()); } else { it++; } @@ -339,16 +339,16 @@ void Access::compile(const CSSM_ACL_OWNER_PROTOTYPE &owner, StLock<Mutex>_(mMutex); // add owner acl mAcls[ownerHandle] = new ACL(AclOwnerPrototype::overlay(owner)); - secdebugfunc("SecAccess", "form of owner is: %d", mAcls[ownerHandle]->form()); + secinfo("SecAccess", "form of owner is: %d", mAcls[ownerHandle]->form()); // add acl entries const AclEntryInfo *acl = AclEntryInfo::overlay(acls); for (uint32 n = 0; n < aclCount; n++) { - secdebug("SecAccess", "%p compiling entry %ld", this, acl[n].handle()); + secinfo("SecAccess", "%p compiling entry %ld", this, acl[n].handle()); mAcls[acl[n].handle()] = new ACL(acl[n]); - secdebug("SecAccess", "form is: %d", mAcls[acl[n].handle()]->form()); + secinfo("SecAccess", "form is: %d", mAcls[acl[n].handle()]->form()); } - secdebug("SecAccess", "%p %ld entries compiled", this, mAcls.size()); + secinfo("SecAccess", "%p %ld entries compiled", this, mAcls.size()); } 
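Review bot: This hunk keeps `%ld` for `mAcls.size()` in `secinfo("SecAccess", "%p %ld entries compiled", this, mAcls.size());` while the hunk just above fixes the same argument to `%lu`; `size()` returns size_t, so the line should read `secinfo("SecAccess", "%p %lu entries compiled", this, mAcls.size());` to keep the format check clean. The `%ld` used for `acl[n].handle()` depends on the handle type, which is not visible here; if it is unsigned or fixed-width it needs the matching specifier or an explicit cast.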
@@ -370,8 +370,8 @@ Access::Maker::Maker(Allocator &alloc, MakerType makerType) mInput = AclEntryPrototype(TypedList(allocator, CSSM_ACL_SUBJECT_TYPE_PASSWORD, new(allocator) ListElement(mKey.get()))); mInput.proto().tag(creationEntryTag); - secdebugfunc("SecAccess", "made a CSSM_ACL_SUBJECT_TYPE_PASSWORD ACL entry for %p", this); - secdebugfunc("SecAccess", "mInput: %p, typedList %p", &mInput, mInput.Prototype.TypedSubject); + secinfo("SecAccess", "made a CSSM_ACL_SUBJECT_TYPE_PASSWORD ACL entry for %p", this); + secinfo("SecAccess", "mInput: %p, typedList %p", &mInput, &(mInput.Prototype.TypedSubject)); // create credential sample for access mCreds += TypedList(allocator, CSSM_SAMPLE_TYPE_PASSWORD, new(allocator) ListElement(mKey.get())); @@ -380,7 +380,7 @@ Access::Maker::Maker(Allocator &alloc, MakerType makerType) { // just make it an CSSM_ACL_SUBJECT_TYPE_ANY list mInput = AclEntryPrototype(TypedList(allocator, CSSM_ACL_SUBJECT_TYPE_ANY)); - secdebugfunc("SecAccess", "made a CSSM_ACL_SUBJECT_TYPE_ANY ACL entry for %p", this); + secinfo("SecAccess", "made a CSSM_ACL_SUBJECT_TYPE_ANY ACL entry for %p", this); } } diff --git a/OSX/libsecurity_keychain/lib/AppleBaselineEscrowCertificates.h b/OSX/libsecurity_keychain/lib/AppleBaselineEscrowCertificates.h index 6cf859a9..ba5e31dc 100644 --- a/OSX/libsecurity_keychain/lib/AppleBaselineEscrowCertificates.h +++ b/OSX/libsecurity_keychain/lib/AppleBaselineEscrowCertificates.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2013-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -177,7 +177,7 @@ static const UInt8 kBaseLineACFEscrowRootGM[] = { 0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55, 0x04,0x03,0x13,0x16,0x45,0x73,0x63,0x72,0x6F,0x77,0x20,0x53,0x65,0x72,0x76,0x69, 0x63,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x35, - 0x30,0x35,0x31,0x36,0x30,0x35,0x32,0x38,0x32,0x31,0x5A,0x17,0x0D,0x32,0x35,0x30, + 0x30,0x35,0x31,0x36,0x30,0x35,0x32,0x38,0x32,0x31,0x5A,0x17,0x0D,0x34,0x39,0x30, 0x35,0x31,0x36,0x30,0x35,0x32,0x38,0x32,0x31,0x5A,0x30,0x79,0x31,0x0C,0x30,0x0A, 0x06,0x03,0x55,0x04,0x05,0x13,0x03,0x31,0x30,0x31,0x31,0x0B,0x30,0x09,0x06,0x03, 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A, 
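Review bot: The single replaced line changes the UTCTime notAfter of kBaseLineACFEscrowRootGM from `250516052821Z` (2025-05-16) to `490516052821Z` (2049-05-16), which makes this a re-issued trust anchor rather than a cosmetic edit, but nothing in the header records that. A comment above the array such as `// Re-issued 2016: notAfter extended from 2025-05-16 to 2049-05-16; the signature differs from the 2015 issue, so whole-DER comparisons against the old bytes no longer match.` would tell the next reader what changed and why the signature bytes further down differ. Whether the subject public key is unchanged cannot be confirmed from this hunk and should be stated in that comment as well.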
@@ -212,30 +212,34 @@ static const UInt8 kBaseLineACFEscrowRootGM[] = { 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x8C,0xC8,0x0F,0xA1, 0x55,0xB0,0x84,0x7B,0x8D,0xC1,0x99,0x8C,0xF3,0x4F,0x18,0xB5,0x0F,0x83,0x80,0x6F, 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03, - 0x82,0x01,0x01,0x00,0x95,0xB1,0x41,0x0F,0x10,0x5F,0x4D,0x36,0x4A,0x1F,0xFF,0x7E, - 0x77,0xC9,0x61,0xD4,0xE8,0x56,0xA0,0x5C,0x19,0xF4,0x3E,0x70,0x9B,0xFE,0x22,0xA1, - 0x3C,0xCB,0x3C,0xD6,0xE3,0x26,0xB6,0x46,0x05,0xCE,0x2C,0xC2,0x4A,0xC9,0x6B,0x70, - 0xA4,0x1C,0xF7,0x88,0x48,0x9F,0xAB,0x5A,0x82,0x35,0xC7,0x51,0x77,0xDF,0x7A,0x29, - 0x48,0xB8,0x0A,0x48,0x2E,0x3E,0xEB,0x7A,0x65,0x7F,0xDC,0xCB,0x8B,0x87,0xED,0xEC, - 0xAF,0x35,0xAF,0x52,0xE3,0x28,0x47,0xA1,0x19,0xA7,0x07,0x9E,0xD5,0xD6,0xEC,0x79, - 0xB6,0x25,0x32,0x9A,0xCF,0x08,0x98,0xF3,0xA8,0x64,0x54,0x0B,0x48,0x70,0xE9,0xD2, - 0x45,0x58,0x13,0xE0,0x85,0x39,0xCB,0x7F,0x5C,0x52,0xC8,0x81,0xF1,0x8F,0x02,0x8D, - 0xD3,0xB8,0x42,0x46,0xF2,0x37,0x58,0x9A,0x51,0xB8,0xFB,0xD8,0xDB,0xD6,0xEA,0xFF, - 0x71,0xC9,0x73,0x66,0x37,0x41,0x70,0x2D,0x7C,0xB2,0x87,0x3A,0x9B,0x12,0xEC,0x1E, - 0xB7,0x1F,0xDD,0xD5,0x3C,0xB9,0xF3,0x77,0xEF,0xB4,0xFE,0xCA,0xD9,0xE9,0x49,0x36, - 0x8D,0x47,0xA7,0x08,0x18,0xB5,0xA5,0x78,0x8B,0x50,0x11,0x6F,0x00,0x50,0x7C,0x58, - 0xE0,0xC1,0xD4,0xCA,0x7D,0xE0,0x6E,0x71,0x58,0x71,0x41,0x67,0xE8,0xB2,0xA3,0x40, - 0xFC,0xAF,0x46,0x1E,0x26,0x44,0x6D,0xC3,0x29,0x84,0xCA,0x05,0x29,0x03,0x9E,0x45, - 0xF7,0xA2,0x18,0x58,0xC6,0x55,0x4B,0x6D,0x67,0xA8,0x09,0x98,0x4F,0xCF,0x20,0x83, - 0x58,0x7E,0x4A,0xDE,0x8A,0x0A,0x76,0x63,0x35,0x77,0xF5,0xC3,0x43,0x38,0x50,0x10, - 0xAD,0x95,0xCC,0x4C, + 0x82,0x01,0x01,0x00,0x43,0x8D,0xA8,0x86,0x77,0xB7,0xF5,0xA8,0xD8,0xE5,0x32,0xE5, + 0xE7,0xAA,0x99,0x04,0x4C,0xD2,0x86,0x81,0x4B,0x72,0x89,0xBA,0x40,0x14,0xAD,0x75, + 0xDB,0xA1,0xBF,0xC3,0x73,0x22,0xAF,0xAE,0x33,0xAC,0xB3,0x13,0x62,0xB2,0x3D,0xCA, + 0xD3,0xBC,0x45,0x7A,0xC2,0xBC,0x2C,0xCA,0xA1,0x3F,0xD9,0x52,0xA8,0x54,0xC2,0x44, + 
0xB8,0x6B,0xA5,0xCA,0xF4,0x7D,0xF6,0xE3,0x0B,0x1F,0x38,0x16,0x67,0xF1,0x0B,0xA8, + 0x2A,0xDC,0x72,0xC8,0x87,0x3B,0x44,0x55,0xF7,0x0F,0x04,0x57,0x67,0xF1,0x11,0x91, + 0xA0,0xD2,0x78,0xEC,0x8C,0xBB,0x76,0x24,0x66,0x4F,0xA1,0xFE,0xBB,0xDE,0x00,0x01, + 0x9F,0x30,0x18,0x27,0x32,0xFF,0xFF,0xF6,0x9B,0xEA,0x43,0x36,0x67,0x2F,0x83,0x97, + 0x4D,0xE8,0x4E,0x9C,0xC1,0xEE,0x24,0xC8,0x21,0x72,0xFB,0x12,0xA9,0x2E,0x65,0xDE, + 0x84,0xB8,0xFF,0xC4,0xAB,0xDB,0x5D,0x3A,0xE9,0x3C,0x8F,0x1C,0x26,0x65,0x5F,0x34, + 0x50,0xB2,0x60,0x76,0x8B,0x42,0x64,0x5A,0x59,0xEA,0xD1,0x4E,0x23,0xF4,0xC8,0x28, + 0x8F,0x60,0xE5,0x75,0x36,0x3B,0x4C,0x38,0xC9,0x0F,0xCD,0x54,0x79,0x47,0x1D,0xC3, + 0x2F,0x9B,0x33,0x39,0x9F,0x50,0xD2,0x0B,0x68,0x3D,0x8A,0xCA,0x1F,0x5A,0xA5,0x5E, + 0x29,0x68,0x96,0xC2,0x1E,0x02,0xBA,0x8F,0x9C,0x55,0xB3,0x2E,0x24,0x2C,0x58,0xD8, + 0xAC,0xE4,0xF0,0x6C,0xDE,0x16,0x47,0x37,0x0D,0xA8,0x5C,0x09,0x4B,0x23,0x4D,0x21, + 0xFD,0xFF,0xCD,0x50,0xD5,0x59,0x0E,0x37,0x63,0xD0,0xA5,0xC7,0xBF,0xDD,0x88,0xF3, + 0x81,0xB1,0x3F,0x4E, }; static struct RootRecord kBaseLineEscrowRootRecord = {sizeof(kBaseLineEscrowRootGM), (UInt8*)kBaseLineEscrowRootGM}; static struct RootRecord kBaseLineACFEscrowRootRecord = {sizeof(kBaseLineACFEscrowRootGM), (UInt8*)kBaseLineACFEscrowRootGM}; static struct RootRecord* kBaseLineEscrowRoots[] = {&kBaseLineEscrowRootRecord, &kBaseLineACFEscrowRootRecord}; +static struct RootRecord* kBaseLineEscrowBackupRoots[] = {&kBaseLineEscrowRootRecord, &kBaseLineACFEscrowRootRecord}; +static struct RootRecord* kBaseLineEscrowEnrollmentRoots[] = {&kBaseLineACFEscrowRootRecord}; static const int kNumberOfBaseLineEscrowRoots = (int)(sizeof(kBaseLineEscrowRoots)/sizeof(kBaseLineEscrowRoots[0])); +static const int kNumberOfBaseLineEscrowBackupRoots = (int)(sizeof(kBaseLineEscrowBackupRoots)/sizeof(kBaseLineEscrowBackupRoots[0])); +static const int kNumberOfBaseLineEscrowEnrollmentRoots = (int)(sizeof(kBaseLineEscrowEnrollmentRoots)/sizeof(kBaseLineEscrowEnrollmentRoots[0])); static 
struct RootRecord kBaseLinePCSEscrowRootRecord = {sizeof(kBaseLinePCSEscrowRootGM), (UInt8*)kBaseLinePCSEscrowRootGM}; static struct RootRecord* kBaseLinePCSEscrowRoots[] = {&kBaseLinePCSEscrowRootRecord}; diff --git a/OSX/libsecurity_keychain/lib/CCallbackMgr.cp b/OSX/libsecurity_keychain/lib/CCallbackMgr.cp index 877dc9d0..e85f9c05 100644 --- a/OSX/libsecurity_keychain/lib/CCallbackMgr.cp +++ b/OSX/libsecurity_keychain/lib/CCallbackMgr.cp @@ -1,15 +1,15 @@ /* - * Copyright (c) 2000-2004,2011-2014 Apple Inc. All Rights Reserved. - * + * Copyright (c) 2000-2004,2011-2016 Apple Inc. All Rights Reserved. + * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -36,10 +36,13 @@ #include <list> #include "Globals.h" +#include <security_cdsa_utilities/Schema.h> #include <security_keychain/SecCFTypes.h> #include <securityd_client/SharedMemoryCommon.h> #include <securityd_client/ssnotify.h> +#include <utilities/SecCFRelease.h> #include <notify.h> +#include <Security/SecCertificatePriv.h> using namespace KeychainCore; using namespace CssmClient; 
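Review bot: The new `kBaseLineEscrowBackupRoots` array holds exactly the same two records as `kBaseLineEscrowRoots`, whereas `kBaseLineEscrowEnrollmentRoots` contains only `kBaseLineACFEscrowRootRecord`; the asymmetry looks deliberate but is undocumented, and a reader cannot tell whether the older `kBaseLineEscrowRootRecord` is meant to stay trusted only for records that already exist. A one-line comment on each array would make that checkable, e.g. `// NOTE(review): backup set still trusts the legacy escrow root, enrollment set trusts the ACF root only — confirm intended`. The 256-byte signature of kBaseLineACFEscrowRootGM replaced in this hunk goes with the notAfter change in the previous hunk, and it is worth saying so next to the array.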
@@ -47,18 +50,31 @@ using namespace SecurityServer; #pragma mark ÑÑÑÑ CallbackInfo ÑÑÑÑ -CallbackInfo::CallbackInfo() : mCallback(NULL),mEventMask(0),mContext(NULL) +CallbackInfo::CallbackInfo() : mCallback(NULL),mEventMask(0),mContext(NULL), mRunLoop(NULL), mActive(false) { } CallbackInfo::CallbackInfo(SecKeychainCallback inCallbackFunction, - SecKeychainEventMask inEventMask, void *inContext) - : mCallback(inCallbackFunction), mEventMask(inEventMask), mContext(inContext) + SecKeychainEventMask inEventMask, void *inContext, CFRunLoopRef runLoop) + : mCallback(inCallbackFunction), mEventMask(inEventMask), mContext(inContext), mRunLoop(NULL), mActive(false) { + mRunLoop = runLoop; + CFRetainSafe(mRunLoop); +} + +CallbackInfo::CallbackInfo(const CallbackInfo& cb) { + mCallback = cb.mCallback; + mEventMask = cb.mEventMask; + mContext = cb.mContext; + mActive = cb.mActive; + + mRunLoop = cb.mRunLoop; + CFRetainSafe(mRunLoop); } CallbackInfo::~CallbackInfo() { + CFReleaseNull(mRunLoop); } bool CallbackInfo::operator==(const CallbackInfo& other) const @@ -110,18 +126,16 @@ CCallbackMgr& CCallbackMgr::Instance() return gCallbackMaker().instance(); } -void CCallbackMgr::AddCallback( SecKeychainCallback inCallbackFunction, +void CCallbackMgr::AddCallback( SecKeychainCallback inCallbackFunction, SecKeychainEventMask inEventMask, void* inContext) { - CallbackInfo info( inCallbackFunction, inEventMask, inContext ); - CallbackInfo existingInfo; - + CallbackInfo info( inCallbackFunction, inEventMask, inContext, CFRunLoopGetCurrent() ); CallbackInfoListIterator ix = find( CCallbackMgr::Instance().mEventCallbacks.begin(), CCallbackMgr::Instance().mEventCallbacks.end(), info ); - + // make sure it is not already there if ( ix!=CCallbackMgr::Instance().mEventCallbacks.end() ) { 
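Review bot: The added copy constructor retains `mRunLoop`, but no copy-assignment operator is added, so the implicitly generated `operator=` still copies the `CFRunLoopRef` raw: after `a = b` the old `a.mRunLoop` is never released and `b.mRunLoop` is released twice when both objects are destroyed. `std::list<CallbackInfo>` copies elements by construction, so the list itself is presumably safe, but any assignment elsewhere is not, and the class now violates the rule of three. Add the matching assignment operator (declared beside the copy constructor in CCallbackMgr.h) and note on the class that the member is owning, e.g. `// mRunLoop is retained; copy and assignment must rebalance the retain count`.
```cpp
CallbackInfo& CallbackInfo::operator=(const CallbackInfo& cb) {
    if (this != &cb) {
        mCallback = cb.mCallback;
        mEventMask = cb.mEventMask;
        mContext = cb.mContext;
        mActive = cb.mActive;
        // Retain the incoming run loop before releasing the current one.
        CFRunLoopRef newRunLoop = cb.mRunLoop;
        CFRetainSafe(newRunLoop);
        CFReleaseNull(mRunLoop);
        mRunLoop = newRunLoop;
    }
    return *this;
}
```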
@@ -130,8 +144,38 @@ void CCallbackMgr::AddCallback( SecKeychainCallback inCallbackFunction, // On Mac OS X this list is per process so this is always a duplicate MacOSError::throwMe(errSecDuplicateCallback); } - + CCallbackMgr::Instance().mEventCallbacks.push_back(info); + + // We want to deliver these notifications if the CFRunLoop we just wrote down is actually actively serviced. + // Otherwise, it'll be a continuous (undetectable) leak. + CFRunLoopTimerContext ctx; + memset(&ctx, 0, sizeof(ctx)); + ctx.info = info.mRunLoop; + + CFRunLoopTimerRef timerRef = CFRunLoopTimerCreate(NULL, CFAbsoluteTimeGetCurrent(), 0, 0, 0, CCallbackMgr::cfrunLoopActive, &ctx); + secdebug("kcnotify", "adding a activate callback on run loop %p", info.mRunLoop); + CFRunLoopAddTimer(info.mRunLoop, timerRef, kCFRunLoopDefaultMode); +} + +void CCallbackMgr::cfrunLoopActive(CFRunLoopTimerRef timer, void* info) { + CFRunLoopRef runLoop = (CFRunLoopRef) info; + secdebug("kcnotify", "activating run loop %p", runLoop); + + // Use the notification queue to serialize setting the mActive bits + static dispatch_queue_t notification_queue = EventListener::getNotificationQueue(); + dispatch_async(notification_queue, ^() { + // Iterate through list, and activate every notification on this run loop + for(CallbackInfoListIterator ix = CCallbackMgr::Instance().mEventCallbacks.begin(); ix != CCallbackMgr::Instance().mEventCallbacks.end(); ix++) { + // pointer comparison, not CFEqual. + if(ix->mRunLoop == runLoop) { + secdebug("kcnotify", "activating callback on run loop %p", runLoop); + ix->mActive = true; + } + } + }); + + CFRelease(timer); } 
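Review bot: `CFRunLoopTimerCreate` can return NULL and the new code passes the result straight to `CFRunLoopAddTimer`; guard it with `if (timerRef) CFRunLoopAddTimer(info.mRunLoop, timerRef, kCFRunLoopDefaultMode);` (the leak when the run loop is never serviced is already acknowledged in the comment above it). Separately, the `dispatch_async` block in `cfrunLoopActive` walks `mEventCallbacks` on the notification queue while `AddCallback` does `push_back` on the same list from the caller's thread, so unless AddCallback and RemoveCallback are themselves serialized on that queue — which is not visible in this hunk — the iteration can race with a `push_back` or `erase`. A comment stating which queue or lock owns `mEventCallbacks` and `mActive`, e.g. `// mEventCallbacks and mActive are only touched on the notification queue — TODO confirm for AddCallback/RemoveCallback`, would make the intended discipline checkable.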
@@ -153,13 +197,54 @@ void CCallbackMgr::RemoveCallback(SecKeychainCallback inCallbackFunction) MacOSError::throwMe(errSecInvalidCallback); } +struct CallbackMgrInfo { + SecKeychainEvent event; + SecKeychainCallbackInfo secKeychainCallbackInfo; + SecKeychainCallback callback; + void *callbackContext; +}; + +void CCallbackMgr::tellClient(CFRunLoopTimerRef timer, void* info) { + CallbackMgrInfo* cbmInfo = (CallbackMgrInfo*) info; + if(!cbmInfo || !(cbmInfo->callback)) { + return; + } + + cbmInfo->callback(cbmInfo->event, &(cbmInfo->secKeychainCallbackInfo), cbmInfo->callbackContext); + if (cbmInfo->secKeychainCallbackInfo.item) CFRelease(cbmInfo->secKeychainCallbackInfo.item); + if (cbmInfo->secKeychainCallbackInfo.keychain) CFRelease(cbmInfo->secKeychainCallbackInfo.keychain); + free(cbmInfo); + CFRelease(timer); +} + +static SecKeychainItemRef createItemReference(const Item &inItem) +{ + SecKeychainItemRef itemRef = (inItem) ? inItem->handle() : 0; + if(!itemRef) { return NULL; } + +#if SECTRUST_OSX + SecItemClass itemClass = Schema::itemClassFor(inItem->recordType()); + if (itemClass == kSecCertificateItemClass) { + SecCertificateRef certRef = SecCertificateCreateFromItemImplInstance((SecCertificateRef)itemRef); + CFRelease(itemRef); /* certRef maintains its own internal reference to itemRef */ + itemRef = (SecKeychainItemRef) certRef; + } +#endif + return itemRef; +} + +static SecKeychainRef createKeychainReference(const Keychain &inKeychain) +{ + return (inKeychain) ? inKeychain->handle() : 0; +} + void CCallbackMgr::AlertClients(const list<CallbackInfo> &eventCallbacks, SecKeychainEvent inEvent, pid_t inPid, const Keychain &inKeychain, const Item &inItem) { - secdebug("kcnotify", "dispatch event %ld pid %d keychain %p item %p", + secinfo("kcnotify", "dispatch event %ld pid %d keychain %p item %p", (unsigned long)inEvent, inPid, &inKeychain, !!inItem ? &*inItem : NULL); // Iterate through callbacks, looking for those registered for inEvent 
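Review bot: `tellClient` returns early when `cbmInfo` or its `callback` is NULL, and that path skips `CFRelease(timer)` as well as the release of `item`/`keychain` and the `free(cbmInfo)`, so a CallbackInfo registered with a null callback (nothing in AddCallback rejects one) would leak the timer, the allocation and two retained references on every event. Whether a null callback can actually be registered is not visible here, but the guard exists and should clean up when it fires, so the cleanup belongs outside the callback check.
```cpp
void CCallbackMgr::tellClient(CFRunLoopTimerRef timer, void* info) {
    CallbackMgrInfo* cbmInfo = (CallbackMgrInfo*) info;
    if (cbmInfo) {
        if (cbmInfo->callback) {
            cbmInfo->callback(cbmInfo->event, &(cbmInfo->secKeychainCallbackInfo), cbmInfo->callbackContext);
        }
        // Release what AlertClients created for this delivery, whether or not a callback ran.
        if (cbmInfo->secKeychainCallbackInfo.item) CFRelease(cbmInfo->secKeychainCallbackInfo.item);
        if (cbmInfo->secKeychainCallbackInfo.keychain) CFRelease(cbmInfo->secKeychainCallbackInfo.keychain);
        free(cbmInfo);
    }
    CFRelease(timer);   // balances the +1 from CFRunLoopTimerCreate in AlertClients
}
```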
@@ -170,15 +255,37 @@ void CCallbackMgr::AlertClients(const list<CallbackInfo> &eventCallbacks, if (!(ix->mEventMask & theMask)) continue; - SecKeychainCallbackInfo cbInfo; - cbInfo.version = 0; // @@@ kKeychainAPIVersion; - cbInfo.item = inItem ? inItem->handle() : 0; - cbInfo.keychain = inKeychain ? inKeychain->handle() : 0; - cbInfo.pid = inPid; + if(!(ix->mActive)) { + // We haven't received our callback from this CFRunLoop yet. Assume it's not being pumped, and don't schedule. + secdebug("kcnotify", "not sending event to run loop %p", ix->mRunLoop); + continue; + } + + // The previous notification system required a CFRunLoop to be executing. Schedule the client's notifications back on their CFRunLoop, just in case it's important. + CFRunLoopRef runLoop = ix->mRunLoop; + secdebug("kcnotify", "sending event to runloop %p", runLoop); + + // Set up our callback structures + CallbackMgrInfo* cbmInfo = (CallbackMgrInfo*) calloc(sizeof(CallbackMgrInfo), 1); + + cbmInfo->secKeychainCallbackInfo.version = 0; // @@@ kKeychainAPIVersion; + cbmInfo->secKeychainCallbackInfo.item = createItemReference(inItem); + cbmInfo->secKeychainCallbackInfo.keychain = createKeychainReference(inKeychain); + cbmInfo->secKeychainCallbackInfo.pid = inPid; + + cbmInfo->event = inEvent; + cbmInfo->callback = ix->mCallback; + cbmInfo->callbackContext = ix->mContext; + + CFRunLoopTimerContext ctx; + memset(&ctx, 0, sizeof(ctx)); + ctx.info = cbmInfo; + + // make a run loop timer + CFRunLoopTimerRef timerRef = CFRunLoopTimerCreate(NULL, CFAbsoluteTimeGetCurrent(), 0, 0, 0, CCallbackMgr::tellClient, &ctx); - ix->mCallback(inEvent, &cbInfo, ix->mContext); - if (cbInfo.item) CFRelease(cbInfo.item); - if (cbInfo.keychain) CFRelease(cbInfo.keychain); + // Actually call the callback the next time the run loop fires + CFRunLoopAddTimer(runLoop, timerRef, kCFRunLoopDefaultMode); } } 
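Review bot: The `calloc` result assigned to `cbmInfo` is dereferenced unchecked on the following lines, and `calloc(sizeof(CallbackMgrInfo), 1)` has its arguments in the unconventional (size, count) order. `CallbackMgrInfo* cbmInfo = (CallbackMgrInfo*) calloc(1, sizeof(CallbackMgrInfo)); if (!cbmInfo) { continue; }` handles allocation failure the same way the inactive-run-loop case a few lines above already handles undeliverable events. The item and keychain references obtained through `createItemReference`/`createKeychainReference` are released only when the timer fires, so a client whose run loop stops being serviced after activation accumulates one heap block and two retained objects per event; a comment on the `CFRunLoopAddTimer` line noting that ownership passes to the timer callback would help the next reader. AlertClients begins outside the hunk.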
diff --git a/OSX/libsecurity_keychain/lib/CCallbackMgr.h b/OSX/libsecurity_keychain/lib/CCallbackMgr.h index 52ea8d11..602d951d 100644 --- a/OSX/libsecurity_keychain/lib/CCallbackMgr.h +++ b/OSX/libsecurity_keychain/lib/CCallbackMgr.h @@ -51,7 +51,8 @@ class CallbackInfo public: ~CallbackInfo(); CallbackInfo(); - CallbackInfo(SecKeychainCallback inCallbackFunction,SecKeychainEventMask inEventMask,void *inContext); + CallbackInfo(SecKeychainCallback inCallbackFunction,SecKeychainEventMask inEventMask,void *inContext, CFRunLoopRef runLoop); + CallbackInfo(const CallbackInfo& cb); bool operator ==(const CallbackInfo& other) const; bool operator !=(const CallbackInfo& other) const; @@ -59,6 +60,8 @@ public: SecKeychainCallback mCallback; SecKeychainEventMask mEventMask; void *mContext; + CFRunLoopRef mRunLoop; + bool mActive; }; // typedefs @@ -89,9 +92,13 @@ private: void consume (SecurityServer::NotificationDomain domain, SecurityServer::NotificationEvent whichEvent, const CssmData &data); - static void AlertClients(const list<CallbackInfo> &eventCallbacks, SecKeychainEvent inEvent, pid_t inPid, + void AlertClients(const list<CallbackInfo> &eventCallbacks, SecKeychainEvent inEvent, pid_t inPid, const Keychain& inKeychain, const Item &inItem); + // Use these as a CFRunLoop callback + static void tellClient(CFRunLoopTimerRef timer, void* ctx); + static void cfrunLoopActive(CFRunLoopTimerRef timer, void* info); + list<CallbackInfo> mEventCallbacks; }; diff --git a/OSX/libsecurity_keychain/lib/Certificate.cpp b/OSX/libsecurity_keychain/lib/Certificate.cpp index 0b7cc0b2..b4b0280f 100644 --- a/OSX/libsecurity_keychain/lib/Certificate.cpp +++ b/OSX/libsecurity_keychain/lib/Certificate.cpp 
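Review bot: The new `CFRunLoopRef mRunLoop` member of CallbackInfo carries no ownership comment, and the implementation hunks in CCallbackMgr.cpp compare it by raw pointer without any visible retain or release; either document it as unowned, `// not retained; identifies the registering run loop by address only`, or retain it in the constructor and release it in the destructor. `mActive` would likewise benefit from a line saying who flips it: `// set on the notification queue once the run loop has serviced an activation timer`. The second parameter of `tellClient` is named `ctx` here but `info` in the definition; the two should agree.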
@@ -741,10 +741,10 @@ Certificate::verifyEncoding(CSSM_DATA_PTR data) if (mHaveTypeAndEncoding) { if (mType < CSSM_CERT_X_509v1 || mType > CSSM_CERT_X_509v3) { - secdebug("Certificate", "verifyEncoding: certificate has custom type (%d)", (int)mType); + secinfo("Certificate", "verifyEncoding: certificate has custom type (%d)", (int)mType); } if (mEncoding < CSSM_CERT_ENCODING_BER || mEncoding > CSSM_CERT_ENCODING_DER) { - secdebug("Certificate", "verifyEncoding: certificate has custom encoding (%d)", (int)mEncoding); + secinfo("Certificate", "verifyEncoding: certificate has custom encoding (%d)", (int)mEncoding); } } @@ -760,16 +760,16 @@ Certificate::verifyEncoding(CSSM_DATA_PTR data) CSSM_SIZE tagLength = (CSSM_SIZE)((uintptr_t)derInfo.content.data - (uintptr_t)der.data); CSSM_SIZE derLength = (CSSM_SIZE)derInfo.content.length + tagLength; if (derLength != data->Length) { - secdebug("Certificate", "Certificate DER length is %d, but data length is %d", + secinfo("Certificate", "Certificate DER length is %d, but data length is %d", (int)derLength, (int)data->Length); // will adjust data size if DER length is positive, but smaller than actual length if ((derLength > 0) && (derLength < data->Length)) { verifiedLength = derLength; - secdebug("Certificate", "Will adjust certificate data length to %d", + secinfo("Certificate", "Will adjust certificate data length to %d", (int)derLength); } else { - secdebug("Certificate", "Certificate encoding invalid (DER length is %d)", + secinfo("Certificate", "Certificate encoding invalid (DER length is %d)", (int)derLength); return false; } @@ -778,7 +778,7 @@ Certificate::verifyEncoding(CSSM_DATA_PTR data) } else { // failure to decode provided data as DER sequence - secdebug("Certificate", "Certificate not in DER encoding (error %d)", + secinfo("Certificate", "Certificate not in DER encoding (error %d)", (int)drtn); return false; } 
@@ -787,7 +787,7 @@ Certificate::verifyEncoding(CSSM_DATA_PTR data) if (verifiedLength > 0) { // setData acquires the mMutex lock, so we call it while not holding the lock setData((UInt32)verifiedLength, data->Data); - secdebug("Certificate", "Adjusted certificate data length to %d", + secinfo("Certificate", "Adjusted certificate data length to %d", (int)verifiedLength); } @@ -797,24 +797,17 @@ Certificate::verifyEncoding(CSSM_DATA_PTR data) const CssmData & Certificate::data() { - CssmDataContainer *data = NULL; - bool hasKeychain = false; - bool verified = false; - { - StLock<Mutex>_(mMutex); - data = mData.get(); - hasKeychain = (mKeychain != NULL); - verified = mEncodingVerified; - } + StLock<Mutex> _(mMutex); + + CssmDataContainer *data = mData.get(); + bool hasKeychain = (mKeychain != NULL); + bool verified = mEncodingVerified; // If data has been set but not yet verified, verify it now. if (!verified && data) { // verifyEncoding might modify mData, so refresh the data container verified = verifyEncoding(data); - { - StLock<Mutex>_(mMutex); - data = mData.get(); - } + data = mData.get(); } // If data isn't set at this point, try to read it from the db record @@ -823,20 +816,16 @@ Certificate::data() // Make sure mUniqueId is set. dbUniqueRecord(); CssmDataContainer _data; - { - StLock<Mutex>_(mMutex); - mData = NULL; - /* new data allocated by CSPDL, implicitly freed by CssmDataContainer */ - mUniqueId->get(NULL, &_data); - } + + mData = NULL; + /* new data allocated by CSPDL, implicitly freed by CssmDataContainer */ + mUniqueId->get(NULL, &_data); + /* this saves a copy to be freed at destruction and to be passed to caller */ setData((UInt32)_data.length(), _data.data()); // verifyEncoding might modify mData, so refresh the data container verified = verifyEncoding(&_data); - { - StLock<Mutex>_(mMutex); - data = mData.get(); - } + data = mData.get(); } // If the data hasn't been set we can't return it. 
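Review bot: `Certificate::data()` now holds `mMutex` for its whole body, including the `verifyEncoding(data)` call, and the context kept at `@@ -787` in this same file says `setData` — which verifyEncoding calls on the length-adjustment path — acquires `mMutex` itself; unless `mMutex` is constructed as a recursive mutex (not visible in this diff), that path self-deadlocks. The `@@ -823` hunk has the same shape: `setData((UInt32)_data.length(), _data.data())` and `mUniqueId->get(NULL, &_data)` now execute under the lock. If the mutex is recursive, a one-line note at the lock, `// mMutex is recursive: verifyEncoding/setData re-enter it below`, spares the next reader this check; if it is not, the scoped-lock blocks this commit removes need to come back around the re-entering calls. data() ends outside the hunk.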
diff --git a/OSX/libsecurity_keychain/lib/CertificateRequest.h b/OSX/libsecurity_keychain/lib/CertificateRequest.h index fcecb54c..144aae80 100644 --- a/OSX/libsecurity_keychain/lib/CertificateRequest.h +++ b/OSX/libsecurity_keychain/lib/CertificateRequest.h @@ -37,7 +37,7 @@ #include <security_utilities/debugging.h> #include <CoreFoundation/CoreFoundation.h> -#define certReqDbg(args...) secdebug("certReq", ## args) +#define certReqDbg(args...) secinfo("certReq", ## args) namespace Security { diff --git a/OSX/libsecurity_keychain/lib/CertificateValues.cpp b/OSX/libsecurity_keychain/lib/CertificateValues.cpp index 4025c9f6..7fd526d1 100644 --- a/OSX/libsecurity_keychain/lib/CertificateValues.cpp +++ b/OSX/libsecurity_keychain/lib/CertificateValues.cpp @@ -39,6 +39,7 @@ /* FIXME including SecCertificateInternalP.h here produces errors; investigate */ extern "C" CFDataRef SecCertificateCopyIssuerSequenceP(SecCertificateRefP certificate); extern "C" CFDataRef SecCertificateCopySubjectSequenceP(SecCertificateRefP certificate); +extern "C" CFDictionaryRef SecCertificateCopyAttributeDictionaryP(SecCertificateRefP certificate); extern "C" void appendPropertyP(CFMutableArrayRef properties, CFStringRef propertyType, CFStringRef label, CFTypeRef value); @@ -419,6 +420,18 @@ CFDataRef CertificateValues::copySubjectSequence(CFErrorRef *error) return result; } +CFDictionaryRef CertificateValues::copyAttributeDictionary(CFErrorRef *error) +{ + CFDictionaryRef result = NULL; + SecCertificateRefP certificateP = getSecCertificateRefP(error); + if (certificateP) + { + result = SecCertificateCopyAttributeDictionaryP(certificateP); + CFRelease(certificateP); + } + return result; +} + bool CertificateValues::isValid(CFAbsoluteTime verifyTime, CFErrorRef *error) { bool result = NULL; diff --git a/OSX/libsecurity_keychain/lib/CertificateValues.h b/OSX/libsecurity_keychain/lib/CertificateValues.h index 5f56bbe9..37de693f 100644 --- a/OSX/libsecurity_keychain/lib/CertificateValues.h 
+++ b/OSX/libsecurity_keychain/lib/CertificateValues.h @@ -53,6 +53,7 @@ public: CFDataRef copyNormalizedSubjectContent(CFErrorRef *error); CFDataRef copyIssuerSequence(CFErrorRef *error); CFDataRef copySubjectSequence(CFErrorRef *error); + CFDictionaryRef copyAttributeDictionary(CFErrorRef *error); bool isValid(CFAbsoluteTime verifyTime, CFErrorRef *error); CFAbsoluteTime notValidBefore(CFErrorRef *error); CFAbsoluteTime notValidAfter(CFErrorRef *error); diff --git a/OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp b/OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp index 4836f4dc..9e4e9df6 100644 --- a/OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp +++ b/OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp @@ -41,6 +41,7 @@ #include <xpc/private.h> #include <syslog.h> #include <sandbox.h> +#include <security_keychain/StorageManager.h> dispatch_once_t AppSandboxChecked; xpc_object_t KeychainHomeFromXPC; @@ -96,7 +97,7 @@ void PasswordDBLookup::lookupInfoOnUID (uid_t uid) mCurrent = uid; mTime = currentTime; - secdebug("secpref", "uid=%d caching home=%s", uid, pw->pw_dir); + secinfo("secpref", "uid=%d caching home=%s", uid, pw->pw_dir); endpwent(); } @@ -113,7 +114,7 @@ PasswordDBLookup *DLDbListCFPref::mPdbLookup = NULL; DLDbListCFPref::DLDbListCFPref(SecPreferencesDomain domain) : mDomain(domain), mPropertyList(NULL), mChanged(false), mSearchListSet(false), mDefaultDLDbIdentifierSet(false), mLoginDLDbIdentifierSet(false) { - secdebug("secpref", "New DLDbListCFPref %p for domain %d", this, domain); + secinfo("secpref", "New DLDbListCFPref %p for domain %d", this, domain); loadPropertyList(true); } @@ -123,7 +124,7 @@ void DLDbListCFPref::set(SecPreferencesDomain domain) mDomain = domain; - secdebug("secpref", "DLDbListCFPref %p domain set to %d", this, domain); + secinfo("secpref", "DLDbListCFPref %p domain set to %d", this, domain); if (loadPropertyList(true)) resetCachedValues(); 
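Review bot: `copyAttributeDictionary` is declared without a contract; add `// Returns a +1 dictionary the caller must release, or NULL when the SecCertificateRefP cannot be obtained (see *error)` so the Copy-rule ownership and the NULL case are explicit at the declaration. The implementation in CertificateValues.cpp returns NULL without touching `error` itself, so whether `*error` is populated depends on `getSecCertificateRefP`, which is outside this diff.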
@@ -164,7 +165,7 @@ DLDbListCFPref::loadPropertyList(bool force) MacOSError::throwMe(errSecInvalidPrefsDomain); } - secdebug("secpref", "force=%s prefsPath=%s", force ? "true" : "false", + secinfo("secpref", "force=%s prefsPath=%s", force ? "true" : "false", prefsPath.c_str()); CFAbsoluteTime now = CFAbsoluteTimeGetCurrent(); @@ -973,6 +974,8 @@ DLDbListCFPref::defaultDLDbIdentifier(const DLDbIdentifier &dlDbIdentifier) } } +// Caution: if the backing file for the defaultDLDbIdentifier doesn't exist (or if the plist file is corrupt), +// this will return a DLDbIdentifier with a NULL impl const DLDbIdentifier & DLDbListCFPref::defaultDLDbIdentifier() { @@ -988,9 +991,9 @@ DLDbListCFPref::defaultDLDbIdentifier() CFDictionaryRef defaultDict = reinterpret_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(defaultArray, 0)); try { - secdebug("secpref", "getting default DLDbIdentifier from defaultDict"); + secinfo("secpref", "getting default DLDbIdentifier from defaultDict"); mDefaultDLDbIdentifier = cfDictionaryRefToDLDbIdentifier(defaultDict); - secdebug("secpref", "now we think the default keychain is %s", (mDefaultDLDbIdentifier) ? mDefaultDLDbIdentifier.dbName() : "<NULL>"); + secinfo("secpref", "now we think the default keychain is %s", (mDefaultDLDbIdentifier) ? mDefaultDLDbIdentifier.dbName() : "<NULL>"); } catch (...) { 
@@ -1001,26 +1004,29 @@ DLDbListCFPref::defaultDLDbIdentifier() if (!defaultArray) { - // If the Panther style login keychain actually exists we use that otherwise no // default is set. mDefaultDLDbIdentifier = loginDLDbIdentifier(); - secdebug("secpref", "now we think the default keychain is: %s", (mDefaultDLDbIdentifier) ? mDefaultDLDbIdentifier.dbName() : - "Name doesn't exist"); - + + //Since we might be changing the keychain filename, we have to stat the right file. Delegate the knowledge of which files to StorageManager; DLDbListCFPref should contain "login.keychain". + DLDbIdentifier actualIdentifier = KeychainCore::StorageManager::mungeDLDbIdentifier(mDefaultDLDbIdentifier, false); + secinfo("secpref", "now we think the default keychain is: %s (actual: %s)", + (mDefaultDLDbIdentifier) ? mDefaultDLDbIdentifier.dbName() : "Name doesn't exist", + (actualIdentifier) ? actualIdentifier.dbName() : "Name doesn't exist"); + struct stat st; int st_result = -1; - - if (mDefaultDLDbIdentifier.mImpl != NULL) - { - st_result = stat(mDefaultDLDbIdentifier.dbName(), &st); - } - + + if (mDefaultDLDbIdentifier.mImpl != NULL && actualIdentifier.mImpl != NULL) + { + st_result = stat(actualIdentifier.dbName(), &st); + } + if (st_result) { - secdebug("secpref", "stat(%s) -> %d", mDefaultDLDbIdentifier.dbName(), st_result); + secinfo("secpref", "stat(%s) -> %d", actualIdentifier.dbName(), st_result); mDefaultDLDbIdentifier = DLDbIdentifier(); // initialize a NULL keychain - secdebug("secpref", "after DLDbIdentifier(), we think the default keychain is %s", static_cast<bool>(mDefaultDLDbIdentifier) ? mDefaultDLDbIdentifier.dbName() : "<NULL>"); + secinfo("secpref", "after DLDbIdentifier(), we think the default keychain is %s", static_cast<bool>(mDefaultDLDbIdentifier) ? mDefaultDLDbIdentifier.dbName() : "<NULL>"); } } 
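Review bot: The log line `secinfo("secpref", "stat(%s) -> %d", actualIdentifier.dbName(), st_result);` runs whenever `st_result` is non-zero, which includes the case where `stat` was skipped because `actualIdentifier.mImpl` or `mDefaultDLDbIdentifier.mImpl` is NULL, and then `dbName()` is called on a NULL impl; the logging line a few lines above guards the same call with a ternary. Use the same guard here: `secinfo("secpref", "stat(%s) -> %d", (actualIdentifier) ? actualIdentifier.dbName() : "<NULL>", st_result);`. defaultDLDbIdentifier() begins outside the hunk.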
@@ -1055,9 +1061,9 @@ DLDbListCFPref::loginDLDbIdentifier() CFDictionaryRef loginDict = reinterpret_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(loginArray, 0)); try { - secdebug("secpref", "Getting login DLDbIdentifier from loginDict"); + secinfo("secpref", "Getting login DLDbIdentifier from loginDict"); mLoginDLDbIdentifier = cfDictionaryRefToDLDbIdentifier(loginDict); - secdebug("secpref", "we think the login keychain is %s", static_cast<bool>(mLoginDLDbIdentifier) ? mLoginDLDbIdentifier.dbName() : "<NULL>"); + secinfo("secpref", "we think the login keychain is %s", static_cast<bool>(mLoginDLDbIdentifier) ? mLoginDLDbIdentifier.dbName() : "<NULL>"); } catch (...) { @@ -1069,7 +1075,7 @@ DLDbListCFPref::loginDLDbIdentifier() if (!loginArray) { mLoginDLDbIdentifier = LoginDLDbIdentifier(); - secdebug("secpref", "after LoginDLDbIdentifier(), we think the login keychain is %s", static_cast<bool>(mLoginDLDbIdentifier) ? mLoginDLDbIdentifier.dbName() : "<NULL>"); + secinfo("secpref", "after LoginDLDbIdentifier(), we think the login keychain is %s", static_cast<bool>(mLoginDLDbIdentifier) ? mLoginDLDbIdentifier.dbName() : "<NULL>"); } mLoginDLDbIdentifierSet = true; diff --git a/OSX/libsecurity_keychain/lib/DynamicDLDBList.cpp b/OSX/libsecurity_keychain/lib/DynamicDLDBList.cpp index 0539e474..35e93069 100644 --- a/OSX/libsecurity_keychain/lib/DynamicDLDBList.cpp +++ b/OSX/libsecurity_keychain/lib/DynamicDLDBList.cpp @@ -140,7 +140,7 @@ DynamicDLDBList::_load() if (serviceMask & CSSM_SERVICE_DL) { string moduleID = (*commonIt)->moduleID(); - secdebug("dynamic", "Loading dynamic %sDL module: %s", + secinfo("dynamic", "Loading dynamic %sDL module: %s", (serviceMask & CSSM_SERVICE_CSP) ? "CSP/" : "", moduleID.c_str()); /* Register module for callbacks and load it. */ 
@@ -160,7 +160,7 @@ DynamicDLDBList::_load() bool hasCSP = csp.find(MDSClient::Attribute("ModuleID") == moduleID && MDSClient::Attribute("SSID") == subserviceID) != csp.end(); - secdebug("dynamic", "Adding databases from %sDL SSID %lu module: %s", + secinfo("dynamic", "Adding databases from %sDL SSID %lu module: %s", hasCSP ? "CSP/" : "", (unsigned long)subserviceID, moduleID.c_str()); list_changed |= _add(moduleGuid, subserviceID, hasCSP ? CSSM_SERVICE_CSP | CSSM_SERVICE_DL : CSSM_SERVICE_DL); @@ -190,7 +190,7 @@ void DynamicDLDBList::callback(const Guid &guid, uint32 subserviceID, CSSM_SERVICE_TYPE subserviceType, CSSM_MODULE_EVENT eventType) { - secdebug("event", "Received callback from guid: %s ssid: %lu type: %lu event: %lu", + secinfo("event", "Received callback from guid: %s ssid: %lu type: %lu event: %lu", guid.toString().c_str(), (unsigned long)subserviceID, (unsigned long)subserviceType, (unsigned long)eventType); StLock<Mutex>_(mMutex); @@ -202,14 +202,14 @@ DynamicDLDBList::callback(const Guid &guid, uint32 subserviceID, if (eventType == CSSM_NOTIFY_INSERT) { /* A DL or CSP/DL was inserted. */ - secdebug("dynamic", "%sDL module: %s SSID: %lu inserted", + secinfo("dynamic", "%sDL module: %s SSID: %lu inserted", (subserviceType & CSSM_SERVICE_CSP) ? "CSP/" : "", guid.toString().c_str(), (unsigned long)subserviceID); list_changed = _add(guid, subserviceID, subserviceType); } else if (eventType == CSSM_NOTIFY_REMOVE) { /* A DL or CSP/DL was removed. */ - secdebug("dynamic", "%sDL module: %s SSID: %lu removed", + secinfo("dynamic", "%sDL module: %s SSID: %lu removed", (subserviceType & CSSM_SERVICE_CSP) ? "CSP/" : "", guid.toString().c_str(), (unsigned long)subserviceID); list_changed = _remove(guid, subserviceID, subserviceType); } diff --git a/OSX/libsecurity_keychain/lib/Globals.cpp b/OSX/libsecurity_keychain/lib/Globals.cpp index 6c299b92..fc29e3ee 100644 --- a/OSX/libsecurity_keychain/lib/Globals.cpp +++ b/OSX/libsecurity_keychain/lib/Globals.cpp 
@@ -46,6 +46,9 @@ mUI(true), mIntegrityProtection(false) if (integrity && CFGetTypeID(integrity) == CFBooleanGetTypeID()) { mIntegrityProtection = CFBooleanGetValue((CFBooleanRef)integrity); CFRelease(integrity); + } else { + // preference not set: defaulting to true + mIntegrityProtection = true; } } diff --git a/OSX/libsecurity_keychain/lib/Identity.cpp b/OSX/libsecurity_keychain/lib/Identity.cpp index 826ed985..f11974f4 100644 --- a/OSX/libsecurity_keychain/lib/Identity.cpp +++ b/OSX/libsecurity_keychain/lib/Identity.cpp 
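Review bot: The new `else` branch runs both when no preference exists and when `integrity` is non-NULL but not a CFBoolean, and in the second case the object is never released because `CFRelease(integrity)` sits only inside the boolean branch. Move the release out of the conditional, `if (integrity) CFRelease(integrity);` after the if/else, and word the comment to cover both cases, `// preference missing or not a boolean: default to integrity protection on`. The constructor begins outside the hunk.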
@@ -30,38 +30,99 @@ #include <security_keychain/KCCursor.h> #include <string.h> +#include <Security/SecItem.h> +#include <Security/SecItemPriv.h> +#include <Security/SecKeychain.h> + using namespace KeychainCore; Identity::Identity(const SecPointer<KeyItem> &privateKey, + const SecPointer<Certificate> &certificate) : + mPrivateKey(privateKey->handle()), + mCertificate(certificate) +{ +} + +Identity::Identity(SecKeyRef privateKey, const SecPointer<Certificate> &certificate) : - mPrivateKey(privateKey), + mPrivateKey((SecKeyRef)CFRetain(privateKey)), mCertificate(certificate) { } Identity::Identity(const StorageManager::KeychainList &keychains, const SecPointer<Certificate> &certificate) : - mCertificate(certificate) + mPrivateKey(NULL), mCertificate(certificate) { - // Find a key whose label matches the publicKeyHash of the public key in the certificate. - KCCursor keyCursor(keychains, CSSM_DL_DB_RECORD_PRIVATE_KEY, NULL); - keyCursor->add(CSSM_DB_EQUAL, KeySchema::Label, certificate->publicKeyHash()); - - Item key; - if (!keyCursor->next(key)) - MacOSError::throwMe(errSecItemNotFound); - - SecPointer<KeyItem> keyItem(static_cast<KeyItem *>(&*key)); - mPrivateKey = keyItem; + // Find a key whose label matches the publicKeyHash of the public key in the certificate. + CssmData publicKeyHash = certificate->publicKeyHash(); + CFRef<CFDataRef> keyHash = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, + (const UInt8 *)publicKeyHash.data(), + publicKeyHash.length(), + kCFAllocatorNull); + // First, try the new iOS keychain. 
+ { + const void *keys[] = { kSecClass, kSecAttrKeyClass, kSecAttrApplicationLabel, kSecReturnRef, kSecAttrNoLegacy }; + const void *values[] = { kSecClassKey, kSecAttrKeyClassPrivate, keyHash, kCFBooleanTrue, kCFBooleanTrue }; + CFRef<CFDictionaryRef> query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + OSStatus status = SecItemCopyMatching(query, (CFTypeRef *)&mPrivateKey); + if (status == errSecSuccess) { + return; + } + } + // Second, try the legacy OS X keychain(s). + { + mPrivateKey = NULL; + CFRef<CFArrayRef> dynamicKeychains; + SecKeychainCopyDomainSearchList(kSecPreferencesDomainDynamic, dynamicKeychains.take()); + CFRef<CFMutableArrayRef> dynamicSearchList = CFArrayCreateMutable(kCFAllocatorDefault, (CFIndex)keychains.size(), &kCFTypeArrayCallBacks); + CFRef<CFMutableArrayRef> searchList = CFArrayCreateMutable(kCFAllocatorDefault, (CFIndex)keychains.size(), &kCFTypeArrayCallBacks); + for (StorageManager::KeychainList::const_iterator it = keychains.begin(), end = keychains.end(); it != end; ++it) { + if (dynamicKeychains && CFArrayGetCount(dynamicKeychains) && CFArrayContainsValue(dynamicKeychains, CFRangeMake(0, CFArrayGetCount(dynamicKeychains)), **it)) { + CFArrayAppendValue(dynamicSearchList, **it); + } + CFArrayAppendValue(searchList, **it); + } + const void *keys[] = { kSecClass, kSecAttrKeyClass, kSecAttrApplicationLabel, kSecReturnRef, kSecMatchSearchList }; + const void *values[] = { kSecClassKey, kSecAttrKeyClassPrivate, keyHash, kCFBooleanTrue, searchList }; + CFRef<CFDictionaryRef> query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + OSStatus status = SecItemCopyMatching(query, (CFTypeRef *)&mPrivateKey); + if (status != errSecSuccess) { + if (CFArrayGetCount(dynamicSearchList)) { + // Legacy way is used for dynamic 
keychains because SmartCards keychain does not support strict CSSM queries which are generated in SecItemCopyMatching + // Find a key whose label matches the publicKeyHash of the public key in the certificate. + KCCursor keyCursor(keychains, CSSM_DL_DB_RECORD_PRIVATE_KEY, NULL); + keyCursor->add(CSSM_DB_EQUAL, KeySchema::Label, certificate->publicKeyHash()); + + Item key; + if (!keyCursor->next(key)) + MacOSError::throwMe(errSecItemNotFound); + + SecPointer<KeyItem> keyItem(static_cast<KeyItem *>(&*key)); + mPrivateKey = keyItem->handle(); + } + else { + MacOSError::throwMe(errSecItemNotFound); + } + } + } } Identity::~Identity() throw() { + if (mPrivateKey) + CFRelease(mPrivateKey); } SecPointer<KeyItem> Identity::privateKey() const { - return mPrivateKey; + return SecPointer<KeyItem>(KeyItem::required(mPrivateKey)); } SecPointer<Certificate> @@ -70,6 +131,12 @@ Identity::certificate() const return mCertificate; } +SecKeyRef +Identity::privateKeyRef() const +{ + return mPrivateKey; +} + bool Identity::operator < (const Identity &other) const { @@ -88,9 +155,22 @@ Identity::operator == (const Identity &other) const bool Identity::equal(SecCFObject &other) { - CFHashCode this_hash = hash(); - CFHashCode other_hash = other.hash(); - return (this_hash == other_hash); + // Compare certificates first. + if (Identity *otherIdentity = dynamic_cast<Identity *>(&other)) { + Certificate *pCert = mCertificate.get(), *pOtherCert = otherIdentity->mCertificate.get(); + if (pCert == NULL || pOtherCert == NULL) { + return pCert == pOtherCert; + } + + if (pCert->equal(*pOtherCert)) { + // Compare private keys. + if (mPrivateKey == NULL || otherIdentity->mPrivateKey == NULL) { + return mPrivateKey == otherIdentity->mPrivateKey; + } + return CFEqual(mPrivateKey, otherIdentity->mPrivateKey); + } + } + return false; } CFHashCode Identity::hash() 
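Review bot: In the legacy fallback of the keychain-list constructor the `KCCursor` is built over the full `keychains` list, although the branch is entered only when `dynamicSearchList` is non-empty and its comment says the legacy path exists for dynamic (smart-card) keychains; if the intent is to limit the CSSM query to those keychains the cursor should take that subset, otherwise the comment should say the fallback rescans everything. The return status of `SecKeychainCopyDomainSearchList` is dropped; the NULL check on `dynamicKeychains` does cover the failure, but a line such as `// status ignored: a NULL list simply disables the dynamic-keychain fallback` would mark that as deliberate. Every non-success status from the two `SecItemCopyMatching` calls, including errors unrelated to a missing key, is ultimately reported as errSecItemNotFound, which hides the original cause from callers.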
@@ -107,12 +187,8 @@ CFHashCode Identity::hash() struct keyAndCertHash hashes; memset(&hashes, 0, sizeof(struct keyAndCertHash)); - KeyItem* pKeyItem = mPrivateKey.get(); - if (NULL != pKeyItem) - { - hashes.keyHash = pKeyItem->hash(); - } - + hashes.keyHash = CFHash(mPrivateKey); + Certificate* pCert = mCertificate.get(); if (NULL != pCert) { diff --git a/OSX/libsecurity_keychain/lib/Identity.h b/OSX/libsecurity_keychain/lib/Identity.h index 9a1d68c7..29170a27 100644 --- a/OSX/libsecurity_keychain/lib/Identity.h +++ b/OSX/libsecurity_keychain/lib/Identity.h @@ -43,12 +43,15 @@ public: SECCFFUNCTIONS(Identity, SecIdentityRef, errSecInvalidItemRef, gTypes().Identity) Identity(const SecPointer<KeyItem> &privateKey, - const SecPointer<Certificate> &certificate); + const SecPointer<Certificate> &certificate); + Identity(const SecKeyRef privateKey, + const SecPointer<Certificate> &certificate); Identity(const StorageManager::KeychainList &keychains, const SecPointer<Certificate> &certificate); virtual ~Identity() throw(); SecPointer<KeyItem> privateKey() const; SecPointer<Certificate> certificate() const; + SecKeyRef privateKeyRef() const; bool operator < (const Identity &other) const; bool operator == (const Identity &other) const; @@ -57,7 +60,7 @@ public: CFHashCode hash(); private: - SecPointer<KeyItem> mPrivateKey; + SecKeyRef mPrivateKey; SecPointer<Certificate> mCertificate; }; diff --git a/OSX/libsecurity_keychain/lib/IdentityCursor.cpp b/OSX/libsecurity_keychain/lib/IdentityCursor.cpp index e7f24d82..cbee7fa7 100644 --- a/OSX/libsecurity_keychain/lib/IdentityCursor.cpp +++ b/OSX/libsecurity_keychain/lib/IdentityCursor.cpp 
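Review bot: `CFHash(mPrivateKey)` in `Identity::hash()` is now called unconditionally, whereas the removed lines guarded the NULL key and the new `Identity::equal` in the preceding hunk still treats a NULL `mPrivateKey` as a legitimate state; CFHash on a NULL reference would crash. Keep the two consistent: `hashes.keyHash = mPrivateKey ? CFHash(mPrivateKey) : 0;`. hash() begins outside the hunk.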
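Review bot: The Identity.h hunk adds `privateKeyRef()` and changes `mPrivateKey` to a `SecKeyRef` without documenting the new contracts. `privateKey()` now goes through `KeyItem::required(mPrivateKey)`, so a comment such as `// Throws if the key is not backed by a legacy KeyItem (e.g. found via the iOS keychain query)` belongs on its declaration, and `privateKeyRef()` should say `// Borrowed reference owned by this Identity; do not release`. The member itself should note that it is held at +1 and released in the destructor.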
@@ -1,15 +1,15 @@ /* * Copyright (c) 2002-2008,2011-2012 Apple Inc. All Rights Reserved. - * + * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ * * IdentityCursor.cpp -- Working with IdentityCursor @@ -47,20 +47,22 @@ IdentityCursorPolicyAndID::IdentityCursorPolicyAndID(const StorageManager::Keych mPreferredIdentityChecked(false), mPreferredIdentity(nil) { - if (mPolicy) - CFRetain(mPolicy); - - if (mIDString) - CFRetain(mIDString); + if (mPolicy) { + CFRetain(mPolicy); + } + if (mIDString) { + CFRetain(mIDString); + } } IdentityCursorPolicyAndID::~IdentityCursorPolicyAndID() throw() { - if (mPolicy) - CFRelease(mPolicy); - - if (mIDString) - CFRelease(mIDString); + if (mPolicy) { + CFRelease(mPolicy); + } + if (mIDString) { + CFRelease(mIDString); + } } void @@ -105,7 +107,7 @@ IdentityCursorPolicyAndID::findPreferredIdentity() SecPointer<Identity> identity(new Identity(mSearchList /*keychains*/, certificate)); mPreferredIdentity = identity; - + if (certItemRef) CFRelease(certItemRef); } 
@@ -221,7 +223,7 @@ IdentityCursorPolicyAndID::next(SecPointer<Identity> &identity) break; } } // for(;;) - + if ( identityOK ) { identity = currIdentity; // caller will release the identity @@ -311,7 +313,7 @@ IdentityCursor::next(SecPointer<Identity> &identity) Item key; if (!mKeyCursor->next(key)) return false; - + mCurrentKey = static_cast<KeyItem *>(key.get()); CssmClient::DbUniqueRecord uniqueId = mCurrentKey->dbUniqueRecord(); @@ -319,7 +321,7 @@ IdentityCursor::next(SecPointer<Identity> &identity) dbAttributes.add(KeySchema::Label); uniqueId->get(&dbAttributes, NULL); const CssmData &keyHash = dbAttributes[0]; - + mCertificateCursor = KCCursor(mSearchList, CSSM_DL_DB_RECORD_X509_CERTIFICATE, NULL); mCertificateCursor->add(CSSM_DB_EQUAL, Schema::kX509CertificatePublicKeyHash, keyHash); @@ -337,7 +339,7 @@ IdentityCursor::next(SecPointer<Identity> &identity) CFRelease(kerbKDCCertPubKeyHash); } } - + Item cert; if (mCertificateCursor->next(cert)) { diff --git a/OSX/libsecurity_keychain/lib/Item.cpp b/OSX/libsecurity_keychain/lib/Item.cpp index 025c8b3a..07907423 100644 --- a/OSX/libsecurity_keychain/lib/Item.cpp +++ b/OSX/libsecurity_keychain/lib/Item.cpp @@ -65,6 +65,31 @@ using namespace CSSMDateTimeUtils; // ItemImpl // +ItemImpl *ItemImpl::required(SecKeychainItemRef ptr) +{ + if (ptr != NULL) { + if (ItemImpl *pp = optional(ptr)) { + return pp; + } + } + MacOSError::throwMe(errSecInvalidItemRef); +} + +ItemImpl *ItemImpl::optional(SecKeychainItemRef ptr) +{ + if (SecCFObject *p = KeyItem::fromSecKeyRef(ptr)) { + return dynamic_cast<ItemImpl *>(p); + } else if (SecCFObject *p = SecCFObject::optional(ptr)) { + if (ItemImpl *pp = dynamic_cast<ItemImpl *>(p)) { + return pp; + } else { + MacOSError::throwMe(errSecInvalidItemRef); + } + } else { + return NULL; + } +} + // NewItemImpl constructor ItemImpl::ItemImpl(SecItemClass itemClass, OSType itemCreator, UInt32 length, const void* data, bool dontDoAttributes) : mDbAttributes(new DbAttributes()), 
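Review bot: `ItemImpl::optional` is asymmetric: when `KeyItem::fromSecKeyRef(ptr)` returns an object that is not an `ItemImpl`, the `dynamic_cast` yields NULL and the function returns NULL, while the same situation on the `SecCFObject::optional` path throws errSecInvalidItemRef. If `fromSecKeyRef` can only ever return a KeyItem, a comment saying so, `// fromSecKeyRef only yields KeyItem objects, so the cast cannot fail`, settles it; otherwise the first branch should throw like the second. `required` relies on `MacOSError::throwMe` being noreturn to avoid falling off the end of a non-void function, which is worth a `// throwMe does not return` note for readers and compilers that cannot see that attribute.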
@@ -156,7 +181,8 @@ ItemImpl::ItemImpl(ItemImpl &item) : if (item.mKeychain) { // get the entire source item from its keychain. This requires figuring // out the schema for the item based on its record type. - fillDbAttributesFromSchema(*mDbAttributes, item.recordType()); + // Ask the remote item to fill our attributes dictionary, because it probably has an attached keychain to ask + item.fillDbAttributesFromSchema(*mDbAttributes, item.recordType()); item.getContent(mDbAttributes.get(), mData.get()); } @@ -179,7 +205,7 @@ ItemImpl::~ItemImpl() Mutex* -ItemImpl::getMutexForObject() +ItemImpl::getMutexForObject() const { if (mKeychain.get()) { @@ -249,7 +275,7 @@ void ItemImpl::fillDbAttributesFromSchema(DbAttributes& dbAttributes, CSSM_DB_RE SecKeychainAttributeInfo* infos; keychain->getAttributeInfoForItemID(recordType, &infos); - secdebugfunc("integrity", "filling %u attributes for type %u", (unsigned int)infos->count, recordType); + secnotice("integrity", "filling %u attributes for type %u", (unsigned int)infos->count, recordType); for (uint32 i = 0; i < infos->count; i++) { CSSM_DB_ATTRIBUTE_INFO info; 
@@ -267,27 +293,27 @@ void ItemImpl::fillDbAttributesFromSchema(DbAttributes& dbAttributes, CSSM_DB_RE DbAttributes* ItemImpl::getCurrentAttributes() { DbAttributes* dbAttributes; - secdebugfunc("integrity", "getting current attributes..."); + secnotice("integrity", "getting current attributes..."); if(mUniqueId.get()) { // If we have a unique id, there's an item in the database backing us. Ask for its attributes. - dbAttributes = new DbAttributes(mUniqueId->database(), 1); + dbAttributes = new DbAttributes(dbUniqueRecord()->database(), 1); fillDbAttributesFromSchema(*dbAttributes, recordType()); mUniqueId->get(dbAttributes, NULL); // and fold in any updates. if(mDbAttributes.get()) { - secdebugfunc("integrity", "adding %d attributes from mDbAttributes", mDbAttributes->size()); + secnotice("integrity", "adding %d attributes from mDbAttributes", mDbAttributes->size()); dbAttributes->updateWithDbAttributes(&(*mDbAttributes.get())); } } else if (mDbAttributes.get()) { // We don't have a backing item, so all our attributes are in mDbAttributes. Copy them. - secdebugfunc("integrity", "no unique id, using %d attributes from mDbAttributes", mDbAttributes->size()); + secnotice("integrity", "no unique id, using %d attributes from mDbAttributes", mDbAttributes->size()); dbAttributes = new DbAttributes(); dbAttributes->updateWithDbAttributes(&(*mDbAttributes.get())); } else { // No attributes at all. We should maybe throw here, but let's not. - secdebugfunc("integrity", "no attributes at all"); + secnotice("integrity", "no attributes at all"); dbAttributes = new DbAttributes(); } dbAttributes->recordType(recordType()); 
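Review bot: `getCurrentAttributes` now builds the DbAttributes from `dbUniqueRecord()->database()` but two lines later still reads through `mUniqueId->get(dbAttributes, NULL)`; if `dbUniqueRecord()` does more than return `mUniqueId` (the Certificate.cpp hunk in this commit calls it precisely to "make sure mUniqueId is set"), the two accesses may not refer to the same record. Using the accessor for both, `dbUniqueRecord()->get(dbAttributes, NULL);`, keeps them consistent. The changed log lines pass `mDbAttributes->size()` to `%d`; if size() returns an unsigned or size_t value the specifier should match it. getCurrentAttributes ends outside the hunk.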
@@ -309,7 +335,7 @@ void ItemImpl::encodeAttributesFromDictionary(CssmOwnedData &attributeBlob, DbAt CFRef<CFMutableDictionaryRef> attributes; attributes.take(CFDictionaryCreateMutable(NULL, dbAttributes->size(), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)); - secdebugfunc("integrity", "looking at %d attributes", dbAttributes->size()); + secnotice("integrity", "looking at %d attributes", dbAttributes->size()); // TODO: include record type and semantic information? for(int i = 0; i < dbAttributes->size(); i++) { @@ -435,19 +461,19 @@ void ItemImpl::computeDigestFromDictionary(CssmOwnedData &sha2, DbAttributes* db sha2.length(CC_SHA256_DIGEST_LENGTH); CC_SHA256(attributeBlob.get().data(), static_cast<CC_LONG>(attributeBlob.get().length()), sha2); - secdebugfunc("integrity", "finished: %s", sha2.get().toHex().c_str()); + secnotice("integrity", "finished: %s", sha2.get().toHex().c_str()); } catch (MacOSError mose) { - secdebugfunc("integrity", "MacOSError: %d", (int)mose.osStatus()); + secnotice("integrity", "MacOSError: %d", (int)mose.osStatus()); } catch (...) { - secdebugfunc("integrity", "unknown exception"); + secnotice("integrity", "unknown exception"); } } void ItemImpl::addIntegrity(Access &access, bool force) { - secdebugfunc("integrity", "called"); + secnotice("integrity", "called"); if(!force && (!mKeychain || !mKeychain->hasIntegrityProtection())) { - secdebugfunc("integrity", "skipping integrity add due to keychain version\n"); + secnotice("integrity", "skipping integrity add due to keychain version\n"); return; } 
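Review bot: `secnotice("integrity", "finished: %s", sha2.get().toHex().c_str());` in computeDigestFromDictionary now emits the full attribute digest at notice level instead of the debug-only level secdebugfunc used; if secnotice output is retained by default, the digest of every item's attributes is written to the system log on each integrity computation. The digest is not a secret, but it is a stable identifier derived from the item's attributes, so consider keeping this one line at debug level or logging only a prefix of the hex. In the same hunk `secnotice("integrity", "skipping integrity add due to keychain version\n");` keeps a trailing `\n` that none of the other renamed messages carry; drop it to match the setIntegrity messages. computeDigestFromDictionary starts outside the hunk and addIntegrity continues past it.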
@@ -462,17 +488,17 @@ void ItemImpl::addIntegrity(Access &access, bool force) { if(acls.size() >= 1) { // Use the existing ACL acl = acls[0]; - secdebugfunc("integrity", "previous integrity acl exists; setting integrity"); + secnotice("integrity", "previous integrity acl exists; setting integrity"); acl->setIntegrity(digest.get()); // Delete all extra ACLs for(int i = 1; i < acls.size(); i++) { - secdebugfunc("integrity", "extra integrity acls exist; removing %d",i); + secnotice("integrity", "extra integrity acls exist; removing %d",i); acls[i]->remove(); } } else if(acls.size() == 0) { // Make a new ACL - secdebugfunc("integrity", "no previous integrity acl exists; making a new one"); + secnotice("integrity", "no previous integrity acl exists; making a new one"); acl = new ACL(digest.get()); access.add(acl); } @@ -480,7 +506,7 @@ void ItemImpl::addIntegrity(Access &access, bool force) { void ItemImpl::setIntegrity(bool force) { if(!force && (!mKeychain || !mKeychain->hasIntegrityProtection())) { - secdebugfunc("integrity", "skipping integrity set due to keychain version"); + secnotice("integrity", "skipping integrity set due to keychain version"); return; } @@ -500,7 +526,7 @@ void ItemImpl::addIntegrity(Access &access, bool force) { void ItemImpl::setIntegrity(AclBearer &bearer, bool force) { if(!force && (!mKeychain || !mKeychain->hasIntegrityProtection())) { - secdebugfunc("integrity", "skipping integrity acl set due to keychain version"); + secnotice("integrity", "skipping integrity acl set due to keychain version"); return; } 
@@ -511,17 +537,38 @@ void ItemImpl::setIntegrity(AclBearer &bearer, bool force) { access->setAccess(bearer, true); } +void ItemImpl::removeIntegrity(const AccessCredentials *cred) { + removeIntegrity(*group(), cred); +} + +void ItemImpl::removeIntegrity(AclBearer &bearer, const AccessCredentials *cred) { + SecPointer<Access> access = new Access(bearer); + vector<ACL *> acls; + + access->findSpecificAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY, acls); + for(int i = 0; i < acls.size(); i++) { + acls[i]->remove(); + } + + access->findSpecificAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID, acls); + for(int i = 0; i < acls.size(); i++) { + acls[i]->remove(); + } + + access->editAccess(bearer, true, cred); +} + bool ItemImpl::checkIntegrity() { // Note: subclasses are responsible for checking themselves. // If we don't have a keychain yet, we don't have any group. Return true? if(!isPersistent()) { - secdebugfunc("integrity", "no keychain, integrity is valid?"); + secnotice("integrity", "no keychain, integrity is valid?"); return true; } if(!mKeychain || !mKeychain->hasIntegrityProtection()) { - secdebugfunc("integrity", "skipping integrity check due to keychain version"); + secnotice("integrity", "skipping integrity check due to keychain version"); return true; } @@ -538,7 +585,7 @@ bool ItemImpl::checkIntegrity() { bool ItemImpl::checkIntegrity(AclBearer& aclBearer) { if(!mKeychain || !mKeychain->hasIntegrityProtection()) { - secdebugfunc("integrity", "skipping integrity check due to keychain version"); + secnotice("integrity", "skipping integrity check due to keychain version"); return true; } 
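Review bot: In the new removeIntegrity(AclBearer &bearer, const AccessCredentials *cred) the `acls` vector is handed to `findSpecificAclsForRight` twice without being cleared in between; unless that helper clears its output parameter, the partition-id loop calls remove() a second time on the integrity ACLs collected by the first lookup. Either insert `acls.clear();` before the second `findSpecificAclsForRight` call or use a separate vector per right, and say in a comment which behaviour of the helper is relied on. The `for(int i = 0; i < acls.size(); i++)` loops repeat the signed/unsigned comparison already present in addIntegrity; `size_t` is the cleaner choice for new code.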
@@ -559,7 +606,7 @@ bool ItemImpl::checkIntegrityFromDictionary(AclBearer& aclBearer, DbAttributes* auto_ptr<ACL> acl(new ACL(info, Allocator::standard())); for(int i = 1; i < aclInfos.count(); i++) { - secdebugfunc("integrity", "*** DUPLICATE INTEGRITY ACL, something has gone wrong"); + secnotice("integrity", "*** DUPLICATE INTEGRITY ACL, something has gone wrong"); } CssmAutoData digest(Allocator::standard()); @@ -570,7 +617,7 @@ bool ItemImpl::checkIntegrityFromDictionary(AclBearer& aclBearer, DbAttributes* } catch (CssmError cssme) { const char* errStr = cssmErrorString(cssme.error); - secdebugfunc("integrity", "caught CssmError: %d %s", (int) cssme.error, errStr); + secnotice("integrity", "caught CssmError: %d %s", (int) cssme.error, errStr); if(cssme.error == CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND) { // TODO: No entry, run migrator? @@ -579,17 +626,18 @@ bool ItemImpl::checkIntegrityFromDictionary(AclBearer& aclBearer, DbAttributes* if(cssme.error == CSSMERR_CSP_INVALID_ACL_SUBJECT_VALUE) { // something went horribly wrong with fetching acl. - secdebugfunc("integrity", "INVALID ITEM (too many integrity acls)"); + secnotice("integrity", "INVALID ITEM (too many integrity acls)"); return false; } if(cssme.error == CSSMERR_CSP_VERIFY_FAILED) { - secdebugfunc("integrity", "MAC verification failed; something has gone very wrong"); + secnotice("integrity", "MAC verification failed; something has gone very wrong"); + return false; // No MAC, no integrity. } throw cssme; } - secdebugfunc("integrity", "***** INVALID ITEM"); + secnotice("integrity", "***** INVALID ITEM"); return false; } 
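Review bot: The duplicate-ACL loop `for(int i = 1; i < aclInfos.count(); i++)` in checkIntegrityFromDictionary only logs and then continues verifying against the first entry, so an item carrying a second integrity ACL is still reported as valid unless the CSP itself raises CSSMERR_CSP_INVALID_ACL_SUBJECT_VALUE, which the third hunk does treat as invalid. Since this function is the gate before item data is released, consider `return false;` after the notice, or at least a comment stating why a duplicate is tolerated here. The added `return false; // No MAC, no integrity.` on CSSMERR_CSP_VERIFY_FAILED is the right call; note that the handler catches CssmError by value, so the later `throw cssme;` rethrows a copy rather than the original, where `throw;` would preserve it. checkIntegrityFromDictionary starts and ends outside these hunks.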
@@ -626,6 +674,7 @@ PrimaryKey ItemImpl::addWithCopyInfo (Keychain &keychain, bool isCopy) } // If the label (PrintName) attribute isn't specified, set a default label. + mDbAttributes->canonicalize(); // make sure we'll find the label with the thing Schema::attributeInfo returns if (!mDoNotEncrypt && !mDbAttributes->find(Schema::attributeInfo(kSecLabelItemAttr))) { // if doNotEncrypt was set all of the attributes are wrapped in the data blob. Don't calculate here. @@ -727,17 +776,31 @@ ItemImpl::add (Keychain &keychain) Item ItemImpl::copyTo(const Keychain &keychain, Access *newAccess) { + // We'll be removing any Partition or Integrity ACLs from this item during + // the copy. Note that creating a new item from this one fetches the data, + // so this process must now be on the ACL/partition ID list for this item, + // and an attacker without access can't cause this removal. + // + // The integrity and partition ID acls will get re-added once the item lands + // in the new keychain, if it supports them. If it doesn't, removing the + // integrity acl as it leaves will prevent any issues if the item is + // modified in the unsupported keychain and then re-copied back into an + // integrity keychain. + StLock<Mutex>_(mMutex); Item item(*this); - if (newAccess) + if (newAccess) { + newAccess->removeAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID); + newAccess->removeAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY); item->setAccess(newAccess); - else - { + } else { /* Attempt to copy the access from the current item to the newly created one. */ SSGroup myGroup = group(); if (myGroup) { SecPointer<Access> access = new Access(*myGroup); + access->removeAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID); + access->removeAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY); item->setAccess(access); } } 
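Review bot: copyTo now strips ACLs from the caller-supplied `newAccess` in place (`newAccess->removeAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID);` and the INTEGRITY line), which a caller that keeps using that Access object will not expect; the long new comment explains the security reasoning but not that the argument is mutated. Add a line such as `// NB: newAccess is modified in place; its partition-id and integrity ACLs are dropped.` or operate on a copy, as the else-branch does with `new Access(*myGroup)`. The comment's claim that `Item item(*this);` fetching the data proves the caller already has access relies on the integrity gate in ItemImpl::getContent and on the CSP's ACL check, both outside this hunk, so it is worth naming them there. copyTo continues past the hunk.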
@@ -768,19 +831,17 @@ ItemImpl::update() setAttribute(schema->attributeInfoFor(aRecordType, kSecModDateItemAttr), date); } - // Make sure that we have mUniqueId - dbUniqueRecord(); - Db db(mUniqueId->database()); + Db db(dbUniqueRecord()->database()); if (mDoNotEncrypt) { CSSM_DB_RECORD_ATTRIBUTE_DATA attrData; memset (&attrData, 0, sizeof (attrData)); attrData.DataRecordType = aRecordType; - mUniqueId->modifyWithoutEncryption(aRecordType, - &attrData, - mData.get(), - CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); + dbUniqueRecord()->modifyWithoutEncryption(aRecordType, + &attrData, + mData.get(), + CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); } else if (useSecureStorage(db)) { @@ -793,10 +854,10 @@ ItemImpl::update() } else { - mUniqueId->modify(aRecordType, - mDbAttributes.get(), - mData.get(), - CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); + dbUniqueRecord()->modify(aRecordType, + mDbAttributes.get(), + mData.get(), + CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); } if (!mDoNotEncrypt) @@ -820,7 +881,7 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer AclFactory aclFactory; const AccessCredentials *nullCred = aclFactory.nullCred(); - secdebugfunc("integrity", "called"); + secnotice("integrity", "called"); bool haveOldUniqueId = !!mUniqueId.get(); SSDbUniqueRecord ssUniqueId(NULL); @@ -839,7 +900,7 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer // If there aren't any attributes, make up some blank ones. if (!mDbAttributes.get()) { - secdebugfunc("integrity", "making new dbattributes"); + secnotice("integrity", "making new dbattributes"); mDbAttributes.reset(new DbAttributes()); mDbAttributes->recordType(mPrimaryKey->recordType()); } 
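Review bot: update() now calls the accessor twice on one pass (`Db db(dbUniqueRecord()->database());` and again in whichever of the `dbUniqueRecord()->modifyWithoutEncryption(` / `dbUniqueRecord()->modify(` branches runs); since dbUniqueRecord() can now perform a cursor lookup when the record's Db no longer matches the keychain's, resolving it once into a local and reusing it would make the cost and the single failure point obvious. Functionally this is fine because the second call finds the databases equal. The remaining hunks on this line are log-level renames. update() continues past the hunk.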
@@ -857,7 +918,7 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer if ((!access) && (haveOldUniqueId)) { // Copy the ACL from the old group. - secdebugfunc("integrity", "copying old ACL"); + secnotice("integrity", "copying old ACL"); access = new Access(*(ssGroup)); // We can't copy these over to the new item; they're going to be reset. @@ -865,7 +926,7 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer access->removeAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID); access->removeAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY); } else if (!access) { - secdebugfunc("integrity", "setting up new ACL"); + secnotice("integrity", "setting up new ACL"); // create default access controls for the new item CssmDbAttributeData *data = mDbAttributes->find(Schema::attributeInfo(kSecLabelItemAttr)); string printName = data ? CssmData::overlay(data->Value[0]).toString() : "keychain item"; @@ -885,7 +946,7 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer } } } else { - secdebugfunc("integrity", "passed an Access, use it"); + secnotice("integrity", "passed an Access, use it"); // Access is non-null. Do nothing. } @@ -905,17 +966,17 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer maker.initialOwner(prototype, nullCred); if(saveToNewSSGroup) { - secdebugfunc("integrity", "saving to a new SSGroup"); + secnotice("integrity", "saving to a new SSGroup"); // If we're updating an item, it has an old group and possibly an // old mUniqueId. Delete these from the database, so we can insert // new ones. if(haveOldUniqueId) { - secdebugfunc("integrity", "deleting old mUniqueId"); + secnotice("integrity", "deleting old mUniqueId"); mUniqueId->deleteRecord(); mUniqueId.release(); } else { - secdebugfunc("integrity", "no old mUniqueId"); + secnotice("integrity", "no old mUniqueId"); } // Create a new SSGroup with temporary access controls 
@@ -924,8 +985,7 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer try { doChange(keychain, recordType, ^{ - mUniqueId = ssDb->insert(recordType, mDbAttributes.get(), - newdata, newSSGroup, cred); + mUniqueId = ssDb->ssInsert(recordType, mDbAttributes.get(), newdata, newSSGroup, cred); }); // now finalize the access controls on the group @@ -935,29 +995,32 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer // We have to reset this after we add the integrity, since it needs the attributes mDbAttributes.reset(NULL); - transaction.success(); + transaction.commit(); } catch (CssmError cssme) { const char* errStr = cssmErrorString(cssme.error); - secdebugfunc("integrity", "caught CssmError during add: %d %s", (int) cssme.error, errStr); - newSSGroup->deleteKey(nullCred); + secnotice("integrity", "caught CssmError during add: %d %s", (int) cssme.error, errStr); + + // Delete the new SSGroup that we just created + deleteSSGroup(newSSGroup, nullCred); throw; } catch (MacOSError mose) { - secdebugfunc("integrity", "caught MacOSError during add: %d", (int) mose.osStatus()); - newSSGroup->deleteKey(nullCred); + secnotice("integrity", "caught MacOSError during add: %d", (int) mose.osStatus()); + + deleteSSGroup(newSSGroup, nullCred); throw; } catch (...) { - secdebugfunc("integrity", "caught unknown exception during add"); - // Delete the new SSGroup that we just created - newSSGroup->deleteKey(nullCred); + secnotice("integrity", "caught unknown exception during add"); + + deleteSSGroup(newSSGroup, nullCred); throw; } } else { // Modify the old SSGroup - secdebugfunc("integrity", "modifying the existing SSGroup"); + secnotice("integrity", "modifying the existing SSGroup"); try { doChange(keychain, recordType, ^{ 
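Review bot: The three new `deleteSSGroup(newSSGroup, nullCred);` cleanups remove the freshly created group, but if the failure happens after `mUniqueId = ssDb->ssInsert(...)` has succeeded — in the access-control finalisation or, if it can throw, in `transaction.commit()` — the inserted record stays in the database and `mUniqueId` still points at it while its group is gone. Consider deleting that record in the same catch paths or releasing mUniqueId so a later dbUniqueRecord() re-resolves it; the old record was already deleted and released in the previous hunk, so there is nothing to fall back to. `mDbAttributes.reset(NULL);` also runs before the commit, so a commit failure leaves the item without attributes for any retry. updateSSGroup continues past the hunk.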
@@ -976,26 +1039,39 @@ ItemImpl::updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer // We have to reset this after we add the integrity, since it needs the attributes mDbAttributes.reset(NULL); - transaction.success(); + transaction.commit(); } catch (CssmError cssme) { const char* errStr = cssmErrorString(cssme.error); - secdebugfunc("integrity", "caught CssmError during modify: %d %s", (int) cssme.error, errStr); + secnotice("integrity", "caught CssmError during modify: %d %s", (int) cssme.error, errStr); throw; } catch (MacOSError mose) { - secdebugfunc("integrity", "caught MacOSError during modify: %d", (int) mose.osStatus()); + secnotice("integrity", "caught MacOSError during modify: %d", (int) mose.osStatus()); throw; } catch (...) { - secdebugfunc("integrity", "caught unknown exception during modify"); + secnotice("integrity", "caught unknown exception during modify"); throw; } } } +// Helper function to delete a group and swallow all errors +void ItemImpl::deleteSSGroup(SSGroup & ssgroup, const AccessCredentials* nullCred) { + try{ + ssgroup->deleteKey(nullCred); + } catch(CssmError error) { + secnotice("integrity", "caught cssm error during deletion of group: %d %s", (int) error.osStatus(), error.what()); + } catch(MacOSError error) { + secnotice("integrity", "caught macos error during deletion of group: %d %s", (int) error.osStatus(), error.what()); + } catch(UnixError error) { + secnotice("integrity", "caught unix error during deletion of group: %d %s", (int) error.osStatus(), error.what()); + } +} + void ItemImpl::doChange(Keychain keychain, CSSM_DB_RECORDTYPE recordType, void (^tryChange) ()) { 
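Review bot: The new `deleteSSGroup` is described here and in Item.h as swallowing all errors, but it catches only CssmError, MacOSError and UnixError; any other exception from `ssgroup->deleteKey(nullCred)` escapes from inside the catch handlers of updateSSGroup and replaces the original exception those handlers were about to rethrow. Add a final `catch(...) { secnotice("integrity", "caught unknown exception during deletion of group"); }` so the implementation matches its comment. Minor: `try{` lacks the space used elsewhere, and the handlers take the exceptions by value where `const CssmError &` would avoid the copy.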
@@ -1007,16 +1083,16 @@ ItemImpl::doChange(Keychain keychain, CSSM_DB_RECORDTYPE recordType, void (^tryC // Try to extract the item and check its attributes, then try again if necessary auto_ptr<CssmClient::DbAttributes> primaryKeyAttrs; if(cssme.error == CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA) { - secdebugfunc("integrity", "possible duplicate, trying to delete invalid items"); + secnotice("integrity", "possible duplicate, trying to delete invalid items"); Keychain kc = (keychain ? keychain : mKeychain); if(!kc) { - secdebugfunc("integrity", "no valid keychain"); + secnotice("integrity", "no valid keychain"); } // Only check for corrupt items if the keychain supports them if((!kc) || !kc->hasIntegrityProtection()) { - secdebugfunc("integrity", "skipping integrity check for corrupt items due to keychain support"); + secnotice("integrity", "skipping integrity check for corrupt items due to keychain support"); throw; } else { primaryKeyAttrs.reset(getCurrentAttributes()); @@ -1037,7 +1113,7 @@ ItemImpl::doChange(Keychain keychain, CSSM_DB_RECORDTYPE recordType, void (^tryC // Our keychain doesn't know about any item with this primary key, so maybe // we have a corrupt item in the database. Let's check. - secdebugfunc("integrity", "making a cursor from primary key"); + secnotice("integrity", "making a cursor from primary key"); CssmClient::DbCursor cursor = pk->createCursor(kc); DbUniqueRecord uniqueId; 
@@ -1051,11 +1127,11 @@ ItemImpl::doChange(Keychain keychain, CSSM_DB_RECORDTYPE recordType, void (^tryC // Occasionally this cursor won't return the item attributes (for an unknown reason). // However, we know the attributes any item with this primary key should have, so use those instead. while (cursor->next(dbDupAttributes.get(), NULL, uniqueId)) { - secdebugfunc("integrity", "got an item..."); + secnotice("integrity", "got an item..."); SSGroup group = safer_cast<SSDbUniqueRecordImpl &>(*uniqueId).group(); if(!ItemImpl::checkIntegrityFromDictionary(*group, dbDupAttributes.get())) { - secdebugfunc("integrity", "item is invalid! deleting..."); + secnotice("integrity", "item is invalid! deleting..."); uniqueId->deleteRecord(); tryAgain = true; } @@ -1063,11 +1139,11 @@ ItemImpl::doChange(Keychain keychain, CSSM_DB_RECORDTYPE recordType, void (^tryC } if(tryAgain) { - secdebugfunc("integrity", "trying again..."); + secnotice("integrity", "trying again..."); tryChange(); } else { // We didn't find an invalid item, the duplicate item exception is real - secdebugfunc("integrity", "duplicate item exception is real; throwing it on"); + secnotice("integrity", "duplicate item exception is real; throwing it on"); throw; } } @@ -1152,6 +1228,16 @@ ItemImpl::dbUniqueRecord() MacOSError::throwMe(errSecInvalidItemRef); } + // Check that our Db still matches our keychain's db. If not, find this item again in the new Db. + // Why silly !(x == y) construction? Compiler calls operator bool() on each pointer otherwise. + if(!(mUniqueId->database() == keychain()->database())) { + secnotice("integrity", "updating db of mUniqueRecord"); + + DbCursor cursor(mPrimaryKey->createCursor(mKeychain)); + if (!cursor->next(NULL, NULL, mUniqueId)) + MacOSError::throwMe(errSecInvalidItemRef); + } + return mUniqueId; } 
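Review bot: The new re-resolution in dbUniqueRecord() compares against `keychain()->database()` but builds the cursor with `mPrimaryKey->createCursor(mKeychain)`; if the keychain() accessor can ever return something other than mKeychain, the lookup runs against the wrong database and `cursor->next` either throws errSecInvalidItemRef or rebinds mUniqueId to a record of another keychain. Use one source for both, e.g. `DbCursor cursor(mPrimaryKey->createCursor(keychain()));`. The hunk also dereferences mPrimaryKey with no visible check; if the part of the function above the hunk guarantees it is set, a one-line comment would save the next reader the search. The first record matching the primary key is accepted unverified here, which is acceptable only because getContent now runs checkIntegrity before data is released — worth saying in the comment. dbUniqueRecord starts outside the hunk.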
@@ -1289,7 +1375,7 @@ ItemImpl::getContent(SecItemClass *itemClass, SecKeychainAttributeList *attrList UInt32 attrCount = attrList ? attrList->count : 0; // make a DBAttributes structure and populate it - DbAttributes dbAttributes(mUniqueId->database(), attrCount); + DbAttributes dbAttributes(dbUniqueRecord()->database(), attrCount); for (UInt32 ix = 0; ix < attrCount; ++ix) { dbAttributes.add(Schema::attributeInfo(attrList->attr[ix].tag)); @@ -1338,7 +1424,7 @@ ItemImpl::getContent(SecItemClass *itemClass, SecKeychainAttributeList *attrList #if SENDACCESSNOTIFICATIONS if (outData) { - secdebug("kcnotify", "ItemImpl::getContent(%p, %p, %p, %p) retrieved content", + secinfo("kcnotify", "ItemImpl::getContent(%p, %p, %p, %p) retrieved content", itemClass, attrList, length, outData); KCEventNotifier::PostKeychainEvent(kSecDataAccessEvent, mKeychain, this); @@ -1431,7 +1517,7 @@ ItemImpl::getAttributesAndData(SecKeychainAttributeInfo *info, SecItemClass *ite dbUniqueRecord(); UInt32 attrCount = info ? info->count : 0; - DbAttributes dbAttributes(mUniqueId->database(), attrCount); + DbAttributes dbAttributes(dbUniqueRecord()->database(), attrCount); for (UInt32 ix = 0; ix < attrCount; ix++) { CssmDbAttributeData &record = dbAttributes.add(); @@ -1487,7 +1573,7 @@ ItemImpl::getAttributesAndData(SecKeychainAttributeInfo *info, SecItemClass *ite itemData.Length=0; #if SENDACCESSNOTIFICATIONS - secdebug("kcnotify", "ItemImpl::getAttributesAndData(%p, %p, %p, %p, %p) retrieved data", + secinfo("kcnotify", "ItemImpl::getAttributesAndData(%p, %p, %p, %p, %p) retrieved data", info, itemClass, attrList, length, outData); KCEventNotifier::PostKeychainEvent(kSecDataAccessEvent, mKeychain, this); 
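Review bot: In getAttributesAndData the standalone `dbUniqueRecord();` statement left directly above `DbAttributes dbAttributes(dbUniqueRecord()->database(), attrCount);` is now redundant, since the accessor is called again on the next line; the update() and getAttribute() hunks removed the equivalent statement and this one should follow for consistency. The getContent(SecItemClass*, ...) hunk above makes the same database substitution. Both enclosing functions start outside their hunks.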
@@ -1535,10 +1621,9 @@ ItemImpl::getAttribute(SecKeychainAttribute& attr, UInt32 *actualLength) if (!mKeychain) MacOSError::throwMe(errSecNoSuchAttr); - dbUniqueRecord(); - DbAttributes dbAttributes(mUniqueId->database(), 1); + DbAttributes dbAttributes(dbUniqueRecord()->database(), 1); dbAttributes.add(Schema::attributeInfo(attr.tag)); - mUniqueId->get(&dbAttributes, NULL); + dbUniqueRecord()->get(&dbAttributes, NULL); getAttributeFrom(&dbAttributes.at(0), attr, actualLength); } @@ -1568,7 +1653,7 @@ ItemImpl::getAttributeFrom(CssmDbAttributeData *data, SecKeychainAttribute &attr length = sizeof(zero); buf = &zero; } - else if (CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE) + else if (data->format() == CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE) length = 0; // Should we throw here? else // All other formats length = 0; @@ -1655,7 +1740,7 @@ ItemImpl::getData(CssmDataContainer& outData) getContent(NULL, &outData); #if SENDACCESSNOTIFICATIONS - secdebug("kcnotify", "ItemImpl::getData retrieved data"); + secinfo("kcnotify", "ItemImpl::getData retrieved data"); //%%%<might> be done elsewhere, but here is good for now KCEventNotifier::PostKeychainEvent(kSecDataAccessEvent, mKeychain, this); @@ -1672,7 +1757,7 @@ ItemImpl::group() Db db(mKeychain->database()); if (useSecureStorage(db)) { - group = safer_cast<SSDbUniqueRecordImpl &>(*mUniqueId).group(); + group = safer_cast<SSDbUniqueRecordImpl &>(*dbUniqueRecord()).group(); } } 
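Review bot: `else if (data->format() == CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE)` fixes a test that was previously always true, but the branch it guards sets `length = 0;` exactly as the final else does, so the fix makes the branch reachable without making it do anything; either fold it into the else with a comment that TIME_DATE is deliberately unhandled, or answer the `// Should we throw here?` question now that the path is real. Because both arms set length to 0, callers hitting the formerly unreachable else see no behaviour change. getAttributeFrom starts and ends outside the hunk.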
@@ -1729,19 +1814,27 @@ void ItemImpl::getContent(DbAttributes *dbAttributes, CssmDataContainer *itemData) { StLock<Mutex>_(mMutex); - // Make sure mUniqueId is set. - dbUniqueRecord(); if (itemData) { - Db db(mUniqueId->database()); + Db db(dbUniqueRecord()->database()); if (mDoNotEncrypt) { - mUniqueId->getWithoutEncryption (dbAttributes, itemData); + dbUniqueRecord()->getWithoutEncryption (dbAttributes, itemData); return; } if (useSecureStorage(db)) { - SSDbUniqueRecordImpl* impl = dynamic_cast<SSDbUniqueRecordImpl *>(&(*mUniqueId)); + try { + if(!checkIntegrity()) { + secnotice("integrity", "item has no integrity, denying access"); + CssmError::throwMe(errSecInvalidItemRef); + } + } catch(CssmError cssme) { + secnotice("integrity", "error while checking integrity, denying access: %s", cssme.what()); + throw cssme; + } + + SSDbUniqueRecordImpl* impl = dynamic_cast<SSDbUniqueRecordImpl *>(&(*dbUniqueRecord())); if (impl == NULL) { CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); @@ -1754,7 +1847,7 @@ ItemImpl::getContent(DbAttributes *dbAttributes, CssmDataContainer *itemData) } } - mUniqueId->get(dbAttributes, itemData); + dbUniqueRecord()->get(dbAttributes, itemData); } bool diff --git a/OSX/libsecurity_keychain/lib/Item.h b/OSX/libsecurity_keychain/lib/Item.h index 26d7d7f2..8e9460dd 100644 --- a/OSX/libsecurity_keychain/lib/Item.h +++ b/OSX/libsecurity_keychain/lib/Item.h @@ -45,7 +45,10 @@ class Keychain; class ItemImpl : public SecCFObject { public: - SECCFFUNCTIONS(ItemImpl, SecKeychainItemRef, errSecInvalidItemRef, gTypes().ItemImpl) + SECCFFUNCTIONS_CREATABLE(ItemImpl, SecKeychainItemRef, gTypes().ItemImpl) + + static ItemImpl *required(SecKeychainItemRef ptr); + static ItemImpl *optional(SecKeychainItemRef ptr); friend class Item; friend class KeychainImpl; 
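Review bot: The new `if(!checkIntegrity())` gate in getContent(DbAttributes*, CssmDataContainer*) sits inside the `useSecureStorage(db)` branch, after the `mDoNotEncrypt` early return and inside `if (itemData)`, so unencrypted items, non-secure-storage databases and attribute-only reads (itemData NULL) are still served without an integrity check; if that is intended because only SSGroup-backed items carry an integrity ACL, a comment on the gate saying so would keep the next reader from widening it. In the catch, `throw cssme;` rethrows a by-value copy of the exception; `throw;` preserves the original. The cursor-side check this replaces in KCCursor.cpp used to skip or delete such items during enumeration, so an enumerated item can now be returned and only fail when its content is read, which callers of the Item API may not expect. getContent continues outside this hunk.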
@@ -79,7 +82,7 @@ public: CFDataRef getPersistentRef(); PrimaryKey addWithCopyInfo(Keychain &keychain, bool isCopy); - Mutex* getMutexForObject(); + Mutex* getMutexForObject() const; // Return true iff the item integrity has not been compromised. virtual bool checkIntegrity(); @@ -194,6 +197,9 @@ protected: * the ACL will be copied from the old group, and the old group deleted. */ void updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer* data, Keychain keychain = NULL, SecPointer<Access> access = NULL); + // Helper function to abstract out error handling. Does not report any errors. + void deleteSSGroup(SSGroup & ssgroup, const AccessCredentials* nullCred); + void doChange(Keychain keychain, CSSM_DB_RECORDTYPE recordType, void (^tryChange) () ); // Add integrity acl entry to access. @@ -208,6 +214,12 @@ protected: // Set the integrity of this bearer to be whatever my attributes are now virtual void setIntegrity(AclBearer &bearer, bool force = false); + // Call this function to remove the integrity and partition_id ACLs from + // this item. You're not supposed to be able to do this, so force the issue + // by providing credentials to this keychain. + virtual void removeIntegrity(const AccessCredentials *cred); + virtual void removeIntegrity(AclBearer &bearer, const AccessCredentials *cred); + // new item members RefPointer<CssmDataContainer> mData; auto_ptr<CssmClient::DbAttributes> mDbAttributes; diff --git a/OSX/libsecurity_keychain/lib/KCCursor.cpp b/OSX/libsecurity_keychain/lib/KCCursor.cpp index 1c0cdb9d..b252dd9c 100644 --- a/OSX/libsecurity_keychain/lib/KCCursor.cpp +++ b/OSX/libsecurity_keychain/lib/KCCursor.cpp @@ -60,6 +60,7 @@ KCCursorImpl::KCCursorImpl(const StorageManager::KeychainList &searchList, SecIt mCurrent(mSearchList.begin()), mAllFailed(true), mDeleteInvalidRecords(false), + mIsNewKeychain(true), mMutex(Mutex::recursive), mKeychainReadLock(NULL) { 
@@ -117,6 +118,7 @@ KCCursorImpl::KCCursorImpl(const StorageManager::KeychainList &searchList, const mCurrent(mSearchList.begin()), mAllFailed(true), mDeleteInvalidRecords(false), + mIsNewKeychain(true), mMutex(Mutex::recursive), mKeychainReadLock(NULL) { @@ -187,20 +189,10 @@ KCCursorImpl::next(Item &item) DbUniqueRecord uniqueId; OSStatus status = 0; - // if this is true, we should perform newKeychain() on mCurrent before - // taking any locks. Starts false because mDbCursor isn't anything yet, and - // so the while loop will run newKeychain for us. - bool isNewKeychain = false; - for (;;) { Item tempItem = NULL; { - if(isNewKeychain) { - newKeychain(mCurrent); - isNewKeychain = false; - } - while (!mDbCursor) { // Do the newKeychain dance before we check our done status @@ -229,6 +221,7 @@ KCCursorImpl::next(Item &item) catch(const CommonError &err) { ++mCurrent; + mIsNewKeychain = true; } } @@ -271,7 +264,7 @@ KCCursorImpl::next(Item &item) // we'd like to call newKeychain(mCurrent) here, but to avoid deadlock // we need to drop the current keychain's mutex first. Use this silly // hack to void the stack Mutex object. - isNewKeychain = true; + mIsNewKeychain = true; continue; } @@ -319,7 +312,7 @@ KCCursorImpl::next(Item &item) if (mDeleteInvalidRecords) { // This is an invalid record for some reason; delete it and restart the loop const char* errStr = cssmErrorString(cssme.error); - secdebugfunc("integrity", "deleting corrupt record because: %d %s", (int) cssme.error, errStr); + secnotice("integrity", "deleting corrupt record because: %d %s", (int) cssme.error, errStr); deleteInvalidRecord(uniqueId); // if deleteInvalidRecord doesn't throw, we want to restart the loop 
@@ -331,26 +324,6 @@ KCCursorImpl::next(Item &item) } // release the Keychain lock before checking item integrity to avoid deadlock - try { - // If the Item's attribute hash does not match, skip the item - if(!tempItem->checkIntegrity()) { - secdebugfunc("integrity", "item has no integrity, skipping"); - continue; - } - } catch(CssmError cssme) { - if (mDeleteInvalidRecords) { - // This is an invalid record for some reason; delete it and restart the loop - const char* errStr = cssmErrorString(cssme.error); - secdebugfunc("integrity", "deleting corrupt record because: %d %s", (int) cssme.error, errStr); - - deleteInvalidRecord(uniqueId); - // if deleteInvalidRecord doesn't throw, we want to restart the loop - continue; - } else { - throw; - } - } - item = tempItem; break; @@ -366,7 +339,7 @@ void KCCursorImpl::deleteInvalidRecord(DbUniqueRecord& uniqueId) { uniqueId->deleteRecord(); } catch(CssmError delcssme) { if (delcssme.osStatus() == CSSMERR_DL_RECORD_NOT_FOUND) { - secdebugfunc("integrity", "couldn't delete nonexistent record (this is okay)"); + secnotice("integrity", "couldn't delete nonexistent record (this is okay)"); } else { throw; } @@ -392,6 +365,11 @@ void KCCursorImpl::setDeleteInvalidRecords(bool deleteRecord) { } void KCCursorImpl::newKeychain(StorageManager::KeychainList::iterator kcIter) { + if(!mIsNewKeychain) { + // We've already been called on this keychain, don't bother. + return; + } + // Always lose the last keychain's lock if(mKeychainReadLock) { delete mKeychainReadLock; @@ -400,8 +378,12 @@ void KCCursorImpl::newKeychain(StorageManager::KeychainList::iterator kcIter) { if(kcIter != mSearchList.end()) { (*kcIter)->performKeychainUpgradeIfNeeded(); + (*kcIter)->tickle(); // Grab a read lock on the keychain mKeychainReadLock = new StReadWriteLock(*((*kcIter)->getKeychainReadWriteLock()), StReadWriteLock::Read); } + + // Mark down that this function has been called + mIsNewKeychain = false; } 
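Review bot: With the integrity check removed from KCCursorImpl::next, the surviving comment `// release the Keychain lock before checking item integrity to avoid deadlock` no longer describes what follows (`item = tempItem; break;`) and should be dropped or rewritten. The move of the check into ItemImpl::getContent is deliberate, but it also means `mDeleteInvalidRecords` no longer triggers deletion on a digest mismatch during enumeration, only on the CssmError path kept in the previous hunk; if that is accepted, the setDeleteInvalidRecords documentation should say so. next() starts outside this hunk.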
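Review bot: newKeychain() now returns early unless `mIsNewKeychain` is set, so every place that advances `mCurrent` must also set the flag; the hunks on the previous line cover the `catch(const CommonError &err)` path and the deadlock-avoidance path, but the `while (!mDbCursor)` loop that also moves to the next keychain is not visible here and should be checked, because a missed flag means the next keychain's read lock is never taken. The added `(*kcIter)->tickle();` has no comment saying what it does or why it belongs before the read lock; one line would help. The flag is cleared only at the end of the function, so if `performKeychainUpgradeIfNeeded()` throws the next call retries the whole sequence — probably desired, worth stating.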
diff --git a/OSX/libsecurity_keychain/lib/KCCursor.h b/OSX/libsecurity_keychain/lib/KCCursor.h
index c65bf060..de0fe7a3 100644
--- a/OSX/libsecurity_keychain/lib/KCCursor.h
+++ b/OSX/libsecurity_keychain/lib/KCCursor.h
@@ -68,6 +68,9 @@ private:
 bool mAllFailed;
 bool mDeleteInvalidRecords;
+ // Remembers if we've called newKeychain() on mCurrent.
+ bool mIsNewKeychain;
+
 protected:
 Mutex mMutex;
 StReadWriteLock* mKeychainReadLock;
diff --git a/OSX/libsecurity_keychain/lib/KCEventNotifier.cpp b/OSX/libsecurity_keychain/lib/KCEventNotifier.cpp
index 746bab58..662e1dc4 100644
--- a/OSX/libsecurity_keychain/lib/KCEventNotifier.cpp
+++ b/OSX/libsecurity_keychain/lib/KCEventNotifier.cpp
@@ -75,7 +75,7 @@ void KCEventNotifier::PostKeychainEvent(SecKeychainEvent whichEvent,
 SecurityServer::ClientSession cs (Allocator::standard(), Allocator::standard());
 cs.postNotification (SecurityServer::kNotificationDomainDatabase, whichEvent, data);
- secdebug("kcnotify", "KCEventNotifier::PostKeychainEvent posted event %u", (unsigned int) whichEvent);
+ secinfo("kcnotify", "KCEventNotifier::PostKeychainEvent posted event %u", (unsigned int) whichEvent);
 }
 free (data.data ());
diff --git a/OSX/libsecurity_keychain/lib/KeyItem.cpp b/OSX/libsecurity_keychain/lib/KeyItem.cpp
index 0fe303ba..7829ca54 100644
--- a/OSX/libsecurity_keychain/lib/KeyItem.cpp
+++ b/OSX/libsecurity_keychain/lib/KeyItem.cpp
@@ -40,6 +40,7 @@
 #include <CommonCrypto/CommonDigest.h>
 #include <SecBase.h>
 #include <SecBasePriv.h>
+#include <CoreFoundation/CFPriv.h>
 // @@@ This needs to be shared.
 #pragma clang diagnostic push
@@ -52,6 +53,58 @@ static CSSM_DB_NAME_ATTR(kInfoKeyApplicationTag, kSecKeyApplicationTag, (char*) using namespace KeychainCore; using namespace CssmClient; +KeyItem *KeyItem::required(SecKeyRef ptr) +{ + if (KeyItem *p = optional(ptr)) { + return p; + } else { + MacOSError::throwMe(errSecInvalidItemRef); + } +} + +KeyItem *KeyItem::optional(SecKeyRef ptr) +{ + if (ptr != NULL) { + if (KeyItem *pp = dynamic_cast<KeyItem *>(fromSecKeyRef(ptr))) { + return pp; + } else { + MacOSError::throwMe(errSecInvalidItemRef); + } + } else { + return NULL; + } +} + +KeyItem::operator CFTypeRef() const throw() +{ + StMaybeLock<Mutex> _(this->getMutexForObject()); + + if (mWeakSecKeyRef != NULL) { + if (_CFTryRetain(mWeakSecKeyRef) == NULL) { + // mWeakSecKeyRef is not really valid, pointing to SecKeyRef which going to die - it is somewhere between last CFRelease and entering into mutex-protected section of SecCDSAKeyDestroy. Avoid using it, pretend that no enveloping SecKeyRef exists. But make sure that this KeyImpl is disconnected from this about-to-die SecKeyRef, because we do not want KeyImpl connected to it to be really destroyed, it will be connected to newly created SecKeyRef (see below). + mWeakSecKeyRef->key = NULL; + mWeakSecKeyRef = NULL; + } else { + // We did not really want to retain, it was just weak->strong promotion test. + CFRelease(mWeakSecKeyRef); + } + } + + if (mWeakSecKeyRef == NULL) { + // Create enveloping ref on-demand. Transfer reference count from SecCFObject + // to newly created SecKeyRef wrapper. + attachSecKeyRef(); + } + return mWeakSecKeyRef; +} + +void KeyItem::initializeWithSecKeyRef(SecKeyRef ref) +{ + isNew(); + mWeakSecKeyRef = ref; +} + + KeyItem::KeyItem(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId) : ItemImpl(keychain, primaryKey, uniqueId), mKey(), @@ -121,7 +174,7 @@ KeyItem::update() /* Update integrity on key */ setIntegrity(); - transaction.success(); + transaction.commit(); } Item 
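Review bot: In `KeyItem::operator CFTypeRef() const` the weak-to-strong promotion test (`_CFTryRetain` immediately followed by `CFRelease`) proves the wrapper was alive at that instant but returns `mWeakSecKeyRef` unretained, so once the StMaybeLock is released at return a concurrent final CFRelease can still race the caller; if SecCDSAKeyDestroy is expected to block on this same mutex until callers have retained, state that contract in a short comment next to the `return mWeakSecKeyRef;` rather than only in the single very long comment above, which should be wrapped. `mWeakSecKeyRef->key = NULL;` clears the back-pointer of a wrapper that is mid-destruction, which relies on the destroy path tolerating a NULL key — outside this hunk, so worth a word. `KeyItem::required` has no return after `MacOSError::throwMe(errSecInvalidItemRef);`, which is fine only if throwMe is declared noreturn.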
@@ -232,8 +285,9 @@ KeyItem::copyTo(const Keychain &keychain, Access *newAccess) throw; } - /* Set the acl and owner on the unwrapped key. */ - addIntegrity(*access); + /* Set the acl and owner on the unwrapped key. See note in ItemImpl::copyTo about removing rights. */ + access->removeAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID); + access->removeAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY); access->setAccess(*unwrappedKey, maker); /* Return a keychain item which represents the new key. */ @@ -387,21 +441,50 @@ KeyItem::ssDbUniqueRecord() return CssmClient::SSDbUniqueRecord(simpl); } -CssmClient::Key & -KeyItem::key() +CssmKey::Header +KeyItem::unverifiedKeyHeader() { + return unverifiedKey()->header(); +} + +CssmClient::Key +KeyItem::unverifiedKey() { - StLock<Mutex>_(mMutex); + StLock<Mutex>_(mMutex); if (!mKey) { CssmClient::SSDbUniqueRecord uniqueId(ssDbUniqueRecord()); CssmDataContainer dataBlob(uniqueId->allocator()); uniqueId->get(NULL, &dataBlob); - mKey = CssmClient::Key(uniqueId->database()->csp(), *reinterpret_cast<CssmKey *>(dataBlob.Data)); + return CssmClient::Key(uniqueId->database()->csp(), *reinterpret_cast<CssmKey *>(dataBlob.Data)); } return mKey; } +CssmClient::Key & +KeyItem::key() +{ + StLock<Mutex>_(mMutex); + if (!mKey) + { + mKey = unverifiedKey(); + + try { + if(!ItemImpl::checkIntegrity(*mKey)) { + secnotice("integrity", "key has no integrity, denying access"); + mKey.release(); + CssmError::throwMe(errSecInvalidItemRef); + } + } catch(CssmError cssme) { + mKey.release(); + secnotice("integrity", "error while checking integrity, denying access: %s", cssme.what()); + throw cssme; + } + } + + return mKey; +} + CssmClient::CSP KeyItem::csp() { @@ -499,6 +582,11 @@ KeyItem::getCredentials( } } +CssmClient::Key +KeyItem::publicKey() { + return mPublicKey; +} + bool KeyItem::operator == (KeyItem &other) { 
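Review bot: In the new `KeyItem::key()`, `catch(CssmError cssme) { ... throw cssme; }` catches by value and rethrows a copy, which slices any subclass of `CssmError` and discards the original exception's dynamic type; prefer `catch (const CssmError &cssme) { mKey.release(); secnotice("integrity", "error while checking integrity, denying access: %s", cssme.what()); throw; }`. `key()` now also holds `mMutex` when it calls `unverifiedKey()`, which locks `mMutex` again, so this relies on the mutex being recursive — its construction is not visible here, so confirm, or take the lock once at the top. Since `unverifiedKey()` hands back a Key that was never integrity-checked, a short comment on it saying that only `setIntegrity()` and header inspection may consume the result would keep later callers from using it for access decisions.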
@@ -527,178 +615,206 @@ KeyItem::createPair( SecPointer<KeyItem> &outPublicKey, SecPointer<KeyItem> &outPrivateKey) { - bool freeKeys = false; - bool deleteContext = false; - - if (!(keychain->database()->dl()->subserviceMask() & CSSM_SERVICE_CSP)) - MacOSError::throwMe(errSecInvalidKeychain); - - SSDbImpl* impl = dynamic_cast<SSDbImpl*>(&(*keychain->database())); - if (impl == NULL) - { - CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); - } - - SSDb ssDb(impl); - CssmClient::CSP csp(keychain->csp()); - CssmClient::CSP appleCsp(gGuidAppleCSP); + SSDb ssDb(NULL); + Access::Maker maker; + const AccessCredentials *cred = NULL; + CssmClient::CSP appleCsp(gGuidAppleCSP); + CssmClient::CSP csp = appleCsp; + ResourceControlContext rcc; + memset(&rcc, 0, sizeof(rcc)); + CssmData label; + uint8 labelBytes[20]; + + if (keychain) { + if (!(keychain->database()->dl()->subserviceMask() & CSSM_SERVICE_CSP)) + MacOSError::throwMe(errSecInvalidKeychain); + + SSDbImpl* impl = dynamic_cast<SSDbImpl*>(&(*keychain->database())); + if (impl == NULL) + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); - // Generate a random label to use initially - CssmClient::Random random(appleCsp, CSSM_ALGID_APPLE_YARROW); - uint8 labelBytes[20]; - CssmData label(labelBytes, sizeof(labelBytes)); - random.generate(label, (uint32)label.Length); + ssDb = SSDb(impl); + csp = CssmClient::CSP(keychain->csp()); - // Create a Access::Maker for the initial owner of the private key. - ResourceControlContext rcc; - memset(&rcc, 0, sizeof(rcc)); - Access::Maker maker; - // @@@ Potentially provide a credential argument which allows us to generate keys in the csp. Currently the CSP let's anyone do this, but we might restrict this in the future, f.e. a smartcard could require out of band pin entry before a key can be generated. - maker.initialOwner(rcc); - // Create the cred we need to manipulate the keys until we actually set a new access control for them. 
- const AccessCredentials *cred = maker.cred(); + // Generate a random label to use initially + CssmClient::Random random(appleCsp, CSSM_ALGID_APPLE_YARROW); + label = CssmData(labelBytes, sizeof(labelBytes)); + random.generate(label, (uint32)label.length()); - CSSM_KEY publicCssmKey, privateCssmKey; - memset(&publicCssmKey, 0, sizeof(publicCssmKey)); - memset(&privateCssmKey, 0, sizeof(privateCssmKey)); + // Create a Access::Maker for the initial owner of the private key. + // @@@ Potentially provide a credential argument which allows us to generate keys in the csp. Currently the CSP let's anyone do this, but we might restrict this in the future, f.e. a smartcard could require out of band pin entry before a key can be generated. + maker.initialOwner(rcc); + // Create the cred we need to manipulate the keys until we actually set a new access control for them. + cred = maker.cred(); + } + CssmKey publicCssmKey, privateCssmKey; CSSM_CC_HANDLE ccHandle = 0; + bool freePublicKey = false; + bool freePrivateKey = false; + bool deleteContext = false; + bool permanentPubKey = false; + bool permanentPrivKey = false; + SecPointer<KeyItem> publicKeyItem, privateKeyItem; - try - { + try { CSSM_RETURN status; - if (contextHandle) - ccHandle = contextHandle; - else - { + if (contextHandle) { + ccHandle = contextHandle; + } else { status = CSSM_CSP_CreateKeyGenContext(csp->handle(), algorithm, keySizeInBits, NULL, NULL, NULL, NULL, NULL, &ccHandle); if (status) CssmError::throwMe(status); deleteContext = true; } - CSSM_DL_DB_HANDLE dldbHandle = ssDb->handle(); - CSSM_DL_DB_HANDLE_PTR dldbHandlePtr = &dldbHandle; - CSSM_CONTEXT_ATTRIBUTE contextAttributes = { CSSM_ATTRIBUTE_DL_DB_HANDLE, sizeof(dldbHandle), { (char *)dldbHandlePtr } }; - status = CSSM_UpdateContextAttributes(ccHandle, 1, &contextAttributes); - if (status) - CssmError::throwMe(status); + if (ssDb) { + CSSM_DL_DB_HANDLE dldbHandle = ssDb->handle(); + CSSM_DL_DB_HANDLE_PTR dldbHandlePtr = &dldbHandle; + 
CSSM_CONTEXT_ATTRIBUTE contextAttributes = { CSSM_ATTRIBUTE_DL_DB_HANDLE, sizeof(dldbHandle), { (char *)dldbHandlePtr } }; + status = CSSM_UpdateContextAttributes(ccHandle, 1, &contextAttributes); + if (status) + CssmError::throwMe(status); + } // Generate the keypair status = CSSM_GenerateKeyPair(ccHandle, publicKeyUsage, publicKeyAttr, &label, &publicCssmKey, privateKeyUsage, privateKeyAttr, &label, &rcc, &privateCssmKey); if (status) CssmError::throwMe(status); - freeKeys = true; + if ((publicKeyAttr & CSSM_KEYATTR_PERMANENT) != 0) { + permanentPubKey = true; + freePublicKey = true; + } + if ((privateKeyAttr & CSSM_KEYATTR_PERMANENT) != 0) { + permanentPrivKey = true; + freePrivateKey = true; + } - // Find the keys we just generated in the DL to get SecKeyRef's to them - // so we can change the label to be the hash of the public key, and + // Find the keys if we just generated them in the DL so we can change the label to be the hash of the public key, and // fix up other attributes. // Look up public key in the DLDB. - DbAttributes pubDbAttributes; - DbUniqueRecord pubUniqueId; - SSDbCursor dbPubCursor(ssDb, 1); - dbPubCursor->recordType(CSSM_DL_DB_RECORD_PUBLIC_KEY); - dbPubCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, label); - CssmClient::Key publicKey; - if (!dbPubCursor->nextKey(&pubDbAttributes, publicKey, pubUniqueId)) - MacOSError::throwMe(errSecItemNotFound); + CssmClient::Key publicKey; + DbAttributes pubDbAttributes; + DbUniqueRecord pubUniqueId; + if (permanentPubKey) { + SSDbCursor dbPubCursor(ssDb, 1); + dbPubCursor->recordType(CSSM_DL_DB_RECORD_PUBLIC_KEY); + dbPubCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, label); + if (!dbPubCursor->nextKey(&pubDbAttributes, publicKey, pubUniqueId)) + MacOSError::throwMe(errSecItemNotFound); + } else { + publicKey = CssmClient::Key(appleCsp, publicCssmKey); + outPublicKey = new KeyItem(publicKey); + freePublicKey = false; + } // Look up private key in the DLDB. 
- DbAttributes privDbAttributes; - DbUniqueRecord privUniqueId; - SSDbCursor dbPrivCursor(ssDb, 1); - dbPrivCursor->recordType(CSSM_DL_DB_RECORD_PRIVATE_KEY); - dbPrivCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, label); - CssmClient::Key privateKey; - if (!dbPrivCursor->nextKey(&privDbAttributes, privateKey, privUniqueId)) - MacOSError::throwMe(errSecItemNotFound); - - // Convert reference public key to a raw key so we can use it - // in the appleCsp. - CssmClient::WrapKey wrap(csp, CSSM_ALGID_NONE); - wrap.cred(cred); - CssmClient::Key rawPubKey = wrap(publicKey); - - // Calculate the hash of the public key using the appleCSP. - CssmClient::PassThrough passThrough(appleCsp); - void *outData; - CssmData *cssmData; - - /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the - * associated key blob. - * Key is specified in CSSM_CSP_CreatePassThroughContext. - * Hash is allocated bythe CSP, in the App's memory, and returned - * in *outData. */ - passThrough.key(rawPubKey); - passThrough(CSSM_APPLECSP_KEYDIGEST, NULL, &outData); - cssmData = reinterpret_cast<CssmData *>(outData); - CssmData &pubKeyHash = *cssmData; - - auto_ptr<string>privDescription; - auto_ptr<string>pubDescription; - try { - privDescription.reset(new string(initialAccess->promptDescription())); - pubDescription.reset(new string(initialAccess->promptDescription())); - } - catch(...) 
{ - /* this path taken if no promptDescription available, e.g., for complex ACLs */ - privDescription.reset(new string("Private key")); - pubDescription.reset(new string("Public key")); - } + CssmClient::Key privateKey; + DbAttributes privDbAttributes; + DbUniqueRecord privUniqueId; + if (permanentPrivKey) { + SSDbCursor dbPrivCursor(ssDb, 1); + dbPrivCursor->recordType(CSSM_DL_DB_RECORD_PRIVATE_KEY); + dbPrivCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, label); + if (!dbPrivCursor->nextKey(&privDbAttributes, privateKey, privUniqueId)) + MacOSError::throwMe(errSecItemNotFound); + } else { + privateKey = CssmClient::Key(appleCsp, privateCssmKey); + outPrivateKey = new KeyItem(privateKey); + freePrivateKey = false; + } - // Set the label of the public key to the public key hash. - // Set the PrintName of the public key to the description in the acl. - pubDbAttributes.add(kInfoKeyLabel, pubKeyHash); - pubDbAttributes.add(kInfoKeyPrintName, *pubDescription); - modifyUniqueId(keychain, ssDb, pubUniqueId, pubDbAttributes, CSSM_DL_DB_RECORD_PUBLIC_KEY); + if (ssDb) { + // Convert reference public key to a raw key so we can use it in the appleCsp. + CssmClient::WrapKey wrap(csp, CSSM_ALGID_NONE); + wrap.cred(cred); + CssmClient::Key rawPubKey = wrap(publicKey); + + // Calculate the hash of the public key using the appleCSP. + CssmClient::PassThrough passThrough(appleCsp); + + /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the + * associated key blob. + * Key is specified in CSSM_CSP_CreatePassThroughContext. + * Hash is allocated by the CSP, in the App's memory, and returned + * in *outData. 
*/ + passThrough.key(rawPubKey); + CssmData *pubKeyHashData; + passThrough(CSSM_APPLECSP_KEYDIGEST, (const void *)NULL, &pubKeyHashData); + CssmAutoData pubKeyHash(passThrough.allocator()); + pubKeyHash.set(*pubKeyHashData); + passThrough.allocator().free(pubKeyHashData); + + auto_ptr<string>privDescription; + auto_ptr<string>pubDescription; + try { + privDescription.reset(new string(initialAccess->promptDescription())); + pubDescription.reset(new string(initialAccess->promptDescription())); + } + catch (...) { + /* this path taken if no promptDescription available, e.g., for complex ACLs */ + privDescription.reset(new string("Private key")); + pubDescription.reset(new string("Public key")); + } - // Set the label of the private key to the public key hash. - // Set the PrintName of the private key to the description in the acl. - privDbAttributes.add(kInfoKeyLabel, pubKeyHash); - privDbAttributes.add(kInfoKeyPrintName, *privDescription); - modifyUniqueId(keychain, ssDb, privUniqueId, privDbAttributes, CSSM_DL_DB_RECORD_PRIVATE_KEY); + if (permanentPubKey) { + // Set the label of the public key to the public key hash. + // Set the PrintName of the public key to the description in the acl. + pubDbAttributes.add(kInfoKeyLabel, pubKeyHash.get()); + pubDbAttributes.add(kInfoKeyPrintName, *pubDescription); + modifyUniqueId(keychain, ssDb, pubUniqueId, pubDbAttributes, CSSM_DL_DB_RECORD_PUBLIC_KEY); + + // Create keychain item which will represent the public key. + publicKeyItem = dynamic_cast<KeyItem*>(keychain->item(CSSM_DL_DB_RECORD_PUBLIC_KEY, pubUniqueId).get()); + if (!publicKeyItem) { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } - // @@@ Not exception safe! - csp.allocator().free(cssmData->Data); - csp.allocator().free(cssmData); + if (publicKeyAttr & CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT) { + /* + * Make the public key acl completely open. 
+ * If the key was not encrypted, it already has a wide-open + * ACL (though that is a feature of securityd; it's not + * CDSA-specified behavior). + */ + SecPointer<Access> pubKeyAccess(new Access()); + publicKeyItem->addIntegrity(*pubKeyAccess); + pubKeyAccess->setAccess(*publicKey, maker); + } + outPublicKey = publicKeyItem; + } - // Create keychain items which will represent the keys. - publicKeyItem = dynamic_cast<KeyItem*>(keychain->item(CSSM_DL_DB_RECORD_PUBLIC_KEY, pubUniqueId).get()); - privateKeyItem = dynamic_cast<KeyItem*>(keychain->item(CSSM_DL_DB_RECORD_PRIVATE_KEY, privUniqueId).get()); + if (permanentPrivKey) { + // Set the label of the private key to the public key hash. + // Set the PrintName of the private key to the description in the acl. + privDbAttributes.add(kInfoKeyLabel, pubKeyHash.get()); + privDbAttributes.add(kInfoKeyPrintName, *privDescription); + modifyUniqueId(keychain, ssDb, privUniqueId, privDbAttributes, CSSM_DL_DB_RECORD_PRIVATE_KEY); + + // Create keychain item which will represent the private key. + privateKeyItem = dynamic_cast<KeyItem*>(keychain->item(CSSM_DL_DB_RECORD_PRIVATE_KEY, privUniqueId).get()); + if (!privateKeyItem) { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } - if (!publicKeyItem || !privateKeyItem) - { - CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + // Finally fix the acl and owner of the private key to the specified access control settings. + privateKeyItem->addIntegrity(*initialAccess); + initialAccess->setAccess(*privateKey, maker); + outPrivateKey = privateKeyItem; + } } - - // Finally fix the acl and owner of the private key to the specified access control settings. - privateKeyItem->addIntegrity(*initialAccess); - initialAccess->setAccess(*privateKey, maker); - - if(publicKeyAttr & CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT) { - /* - * Make the public key acl completely open. 
- * If the key was not encrypted, it already has a wide-open - * ACL (though that is a feature of securityd; it's not - * CDSA-specified behavior). - */ - SecPointer<Access> pubKeyAccess(new Access()); - publicKeyItem->addIntegrity(*pubKeyAccess); - pubKeyAccess->setAccess(*publicKey, maker); - } - - outPublicKey = publicKeyItem; - outPrivateKey = privateKeyItem; + outPrivateKey->mPublicKey = publicKey; } catch (...) { - if (freeKeys) - { - // Delete the keys if something goes wrong so we don't end up with inaccessible keys in the database. - CSSM_FreeKey(csp->handle(), cred, &publicCssmKey, TRUE); - CSSM_FreeKey(csp->handle(), cred, &privateCssmKey, TRUE); + // Delete the keys if something goes wrong so we don't end up with inaccessible keys in the database. + if (freePublicKey) { + CSSM_FreeKey(csp->handle(), cred, &publicCssmKey, permanentPubKey); + } + if (freePrivateKey) { + CSSM_FreeKey(csp->handle(), cred, &privateCssmKey, permanentPrivKey); } if (deleteContext) @@ -707,19 +823,23 @@ KeyItem::createPair( throw; } - if (freeKeys) - { + if (freePublicKey) { CSSM_FreeKey(csp->handle(), NULL, &publicCssmKey, FALSE); + } + if (freePrivateKey) { CSSM_FreeKey(csp->handle(), NULL, &privateCssmKey, FALSE); } if (deleteContext) CSSM_DeleteContext(ccHandle); - if (keychain && publicKeyItem && privateKeyItem) - { - keychain->postEvent(kSecAddEvent, publicKeyItem); - keychain->postEvent(kSecAddEvent, privateKeyItem); + if (keychain) { + if (permanentPubKey) { + keychain->postEvent(kSecAddEvent, publicKeyItem); + } + if (permanentPrivKey) { + keychain->postEvent(kSecAddEvent, privateKeyItem); + } } } 
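Review bot: `createPair` now tolerates a null `keychain`, but nothing rejects `CSSM_KEYATTR_PERMANENT` in that case: with `keychain == NULL`, `permanentPubKey`/`permanentPrivKey` are still derived from the attribute bits, `SSDbCursor dbPubCursor(ssDb, 1)` is then constructed on the null `ssDb`, the `else` branches that build the in-memory `KeyItem`s are skipped, and if execution got past the lookup `outPrivateKey->mPublicKey = publicKey;` would dereference an empty SecPointer. Reject the combination before the CSP generates anything, e.g. `if (!keychain && ((publicKeyAttr | privateKeyAttr) & CSSM_KEYATTR_PERMANENT)) MacOSError::throwMe(errSecInvalidKeychain);` ahead of `CSSM_GenerateKeyPair`, so no key is created that the library cannot reference or free correctly; the CSP may already fail without a DL/DB handle, but the library should not depend on that. The second hunk (`@@ -707`) is consistent with such a guard, since its `postEvent` calls are already under `if (keychain)`. The function's signature begins before the first hunk.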
@@ -1139,216 +1259,6 @@ KeyItem::generate(Keychain keychain, } -void KeyItem::RawSign(SecPadding padding, CSSM_DATA dataToSign, const AccessCredentials *credentials, CSSM_DATA& signature) -{ - CSSM_ALGORITHMS baseAlg = key()->header().algorithm(); - - if ((baseAlg != CSSM_ALGID_RSA) && (baseAlg != CSSM_ALGID_ECDSA)) - { - MacOSError::throwMe(errSecParam); - } - - CSSM_ALGORITHMS paddingAlg = CSSM_PADDING_PKCS1; - - switch (padding) - { - case kSecPaddingPKCS1: - { - paddingAlg = CSSM_PADDING_PKCS1; - break; - } - - case kSecPaddingPKCS1MD2: - { - baseAlg = CSSM_ALGID_MD2WithRSA; - break; - } - - case kSecPaddingPKCS1MD5: - { - baseAlg = CSSM_ALGID_MD5WithRSA; - break; - } - - case kSecPaddingPKCS1SHA1: - { - baseAlg = CSSM_ALGID_SHA1WithRSA; - break; - } - - case kSecPaddingSigRaw: - { - paddingAlg = CSSM_PADDING_SIGRAW; - break; - } - - default: - { - paddingAlg = CSSM_PADDING_NONE; - break; - } - } - - Sign signContext(csp(), baseAlg); - signContext.key(key()); - signContext.cred(credentials); - // Fields required for CSSM_CSP_CreateSignatureContext set above. Using add instead of set ensures - // that the context is constructed before the set is attempted, which would fail silently otherwise. - signContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlg); - - CssmData data(dataToSign.Data, dataToSign.Length); - signContext.sign(data); - - CssmData sig(signature.Data, signature.Length); - signContext(sig); // yes, this is an accessor. Believe it, or not. 
- signature.Length = sig.length(); -} - - - -void KeyItem::RawVerify(SecPadding padding, CSSM_DATA dataToVerify, const AccessCredentials *credentials, CSSM_DATA sig) -{ - CSSM_ALGORITHMS baseAlg = key()->header().algorithm(); - if ((baseAlg != CSSM_ALGID_RSA) && (baseAlg != CSSM_ALGID_ECDSA)) - { - MacOSError::throwMe(errSecParam); - } - - CSSM_ALGORITHMS paddingAlg = CSSM_PADDING_PKCS1; - - switch (padding) - { - case kSecPaddingPKCS1: - { - paddingAlg = CSSM_PADDING_PKCS1; - break; - } - - case kSecPaddingPKCS1MD2: - { - baseAlg = CSSM_ALGID_MD2WithRSA; - break; - } - - case kSecPaddingPKCS1MD5: - { - baseAlg = CSSM_ALGID_MD5WithRSA; - break; - } - - case kSecPaddingPKCS1SHA1: - { - baseAlg = CSSM_ALGID_SHA1WithRSA; - break; - } - - case kSecPaddingSigRaw: - { - paddingAlg = CSSM_PADDING_SIGRAW; - break; - } - - default: - { - paddingAlg = CSSM_PADDING_NONE; - break; - } - } - - Verify verifyContext(csp(), baseAlg); - verifyContext.key(key()); - verifyContext.cred(credentials); - // Fields required for CSSM_CSP_CreateSignatureContext set above. Using add instead of set ensures - // that the context is constructed before the set is attempted, which would fail silently otherwise. 
- verifyContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlg); - - CssmData data(dataToVerify.Data, dataToVerify.Length); - CssmData signature(sig.Data, sig.Length); - verifyContext.verify(data, signature); -} - - - -void KeyItem::Encrypt(SecPadding padding, CSSM_DATA dataToEncrypt, const AccessCredentials *credentials, CSSM_DATA& encryptedData) -{ - CSSM_ALGORITHMS baseAlg = key()->header().algorithm(); - if (baseAlg != CSSM_ALGID_RSA) - { - MacOSError::throwMe(errSecParam); - } - - CSSM_ALGORITHMS paddingAlg = CSSM_PADDING_PKCS1; - - switch (padding) - { - case kSecPaddingPKCS1: - { - paddingAlg = CSSM_PADDING_PKCS1; - break; - } - - default: - { - paddingAlg = CSSM_PADDING_NONE; - break; - } - } - - CssmClient::Encrypt encryptContext(csp(), baseAlg); - encryptContext.key(key()); - encryptContext.padding(paddingAlg); - encryptContext.cred(credentials); - - CssmData inData(dataToEncrypt.Data, dataToEncrypt.Length); - CssmData outData(encryptedData.Data, encryptedData.Length); - CssmData remData((void*) NULL, 0); - - encryptedData.Length = encryptContext.encrypt(inData, outData, remData); -} - - - -void KeyItem::Decrypt(SecPadding padding, CSSM_DATA dataToDecrypt, const AccessCredentials *credentials, CSSM_DATA& decryptedData) -{ - CSSM_ALGORITHMS baseAlg = key()->header().algorithm(); - if (baseAlg != CSSM_ALGID_RSA) - { - MacOSError::throwMe(errSecParam); - } - - CSSM_ALGORITHMS paddingAlg = CSSM_PADDING_PKCS1; - - switch (padding) - { - case kSecPaddingPKCS1: - { - paddingAlg = CSSM_PADDING_PKCS1; - break; - } - - - default: - { - paddingAlg = CSSM_PADDING_NONE; - break; - } - } - - CssmClient::Decrypt decryptContext(csp(), baseAlg); - decryptContext.key(key()); - decryptContext.padding(paddingAlg); - decryptContext.cred(credentials); - - CssmData inData(dataToDecrypt.Data, dataToDecrypt.Length); - CssmData outData(decryptedData.Data, decryptedData.Length); - CssmData remData((void*) NULL, 0); - decryptedData.Length = decryptContext.decrypt(inData, outData, remData); 
- if (remData.Data != NULL) - { - free(remData.Data); - } -} - CFHashCode KeyItem::hash() { CFHashCode result = 0; @@ -1394,7 +1304,7 @@ CFHashCode KeyItem::hash() } void KeyItem::setIntegrity(bool force) { - ItemImpl::setIntegrity(*key(), force); + ItemImpl::setIntegrity(*unverifiedKey(), force); } bool KeyItem::checkIntegrity() { @@ -1402,9 +1312,19 @@ bool KeyItem::checkIntegrity() { return true; } - return ItemImpl::checkIntegrity(*key()); + try { + // key() checks integrity of itself, and throws if there's a problem. + key(); + return true; + } catch (CssmError cssme) { + return false; + } } + void KeyItem::removeIntegrity(const AccessCredentials *cred) { + ItemImpl::removeIntegrity(*key(), cred); + } + // KeyItems are a little bit special: the only modifications you can do to them // is to change their Print Name, Label, or Application Tag. // @@ -1433,12 +1353,12 @@ void KeyItem::modifyUniqueId(Keychain keychain, SSDb ssDb, DbUniqueRecord& uniqu // KeyItems only have integrity if the keychain supports it; otherwise, // don't pre-check for duplicates if((!keychain) || !keychain->hasIntegrityProtection()) { - secdebugfunc("integrity", "key skipping duplicate integrity check due to keychain version"); + secnotice("integrity", "key skipping duplicate integrity check due to keychain version"); checkForDuplicates = false; } if (checkForDuplicates) { - secdebugfunc("integrity", "looking for duplicates"); + secnotice("integrity", "looking for duplicates"); // If there are duplicates that are invalid, delete it and // continue. Otherwise, if there are duplicates, throw errSecDuplicateItem. DbAttributes otherDbAttributes; 
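Review bot: The new `KeyItem::checkIntegrity()` catches only `CssmError`, and by value, so any other exception type escaping `key()` propagates out of a function whose callers in `modifyUniqueId` treat it as a plain yes/no answer; at minimum write it as `catch (const CssmError &) { return false; }`, and decide explicitly whether `MacOSError` from the lookup path should also mean "not verified". `removeIntegrity` goes through `key()`, which throws when the integrity check fails, so the ACLs can only be removed from an item that still verifies — that may be intended, but it deserves a one-line comment since the header describes the method as a forced removal. The added `+ void KeyItem::removeIntegrity(...)` and its closing brace carry a stray leading space relative to the neighbouring definitions.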
@@ -1446,17 +1366,17 @@ void KeyItem::modifyUniqueId(Keychain keychain, SSDb ssDb, DbUniqueRecord& uniqu CssmClient::Key otherKey; while(otherDbCursor->nextKey(&otherDbAttributes, otherKey, otherUniqueId)) { - secdebugfunc("integrity", "found a duplicate, checking integrity"); + secnotice("integrity", "found a duplicate, checking integrity"); PrimaryKey pk = keychain->makePrimaryKey(recordType, otherUniqueId); ItemImpl* maybeItem = keychain->_lookupItem(pk); if(maybeItem) { if(maybeItem->checkIntegrity()) { - secdebugfunc("integrity", "duplicate is real, throwing error"); + secnotice("integrity", "duplicate is real, throwing error"); MacOSError::throwMe(errSecDuplicateItem); } else { - secdebugfunc("integrity", "existing duplicate item is invalid, removing..."); + secnotice("integrity", "existing duplicate item is invalid, removing..."); Item item(maybeItem); keychain->deleteItem(item); } @@ -1464,10 +1384,10 @@ void KeyItem::modifyUniqueId(Keychain keychain, SSDb ssDb, DbUniqueRecord& uniqu KeyItem temp(keychain, pk, otherUniqueId); if(temp.checkIntegrity()) { - secdebugfunc("integrity", "duplicate is real, throwing error"); + secnotice("integrity", "duplicate is real, throwing error"); MacOSError::throwMe(errSecDuplicateItem); } else { - secdebugfunc("integrity", "duplicate is invalid, removing"); + secnotice("integrity", "duplicate is invalid, removing"); // Keychain's idea of deleting items involves notifications and callbacks. We don't want that, // (since this isn't a real item and it should go away quietly), so use this roundabout method. otherUniqueId->deleteRecord(); 
@@ -1478,9 +1398,9 @@ void KeyItem::modifyUniqueId(Keychain keychain, SSDb ssDb, DbUniqueRecord& uniqu } try { - secdebugfunc("integrity", "modifying unique id"); + secnotice("integrity", "modifying unique id"); uniqueId->modify(recordType, &newDbAttributes, NULL, CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); - secdebugfunc("integrity", "done modifying unique id"); + secnotice("integrity", "done modifying unique id"); } catch(CssmError e) { // Just in case something went wrong, clean up after this add uniqueId->deleteRecord(); diff --git a/OSX/libsecurity_keychain/lib/KeyItem.h b/OSX/libsecurity_keychain/lib/KeyItem.h index 56776933..ede8dd64 100644 --- a/OSX/libsecurity_keychain/lib/KeyItem.h +++ b/OSX/libsecurity_keychain/lib/KeyItem.h @@ -40,7 +40,20 @@ class KeyItem : public ItemImpl { NOCOPY(KeyItem) public: - SECCFFUNCTIONS(KeyItem, SecKeyRef, errSecInvalidItemRef, gTypes().KeyItem) + SECCFFUNCTIONS_BASE(KeyItem, SecKeyRef) + + // SecKeyRef is now provided by iOS implementation, so we have to hack standard accessors normally defined by + // SECCFUNCTIONS macro to retarget SecKeyRef to foreign object instead of normal way through SecCFObject. + static KeyItem *required(SecKeyRef ptr); + static KeyItem *optional(SecKeyRef ptr); + operator CFTypeRef() const throw(); + static SecCFObject *fromSecKeyRef(CFTypeRef ref); + void attachSecKeyRef() const; + void initializeWithSecKeyRef(SecKeyRef ref); + +private: + // This weak backpointer to owning SecKeyRef instance (which is created by iOS SecKey code). + mutable SecKeyRef mWeakSecKeyRef; // db item constructor private: 
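Review bot: `mWeakSecKeyRef` is a raw, non-owning pointer that `operator CFTypeRef()` dereferences after a failed retain, yet its declaration says only that it is a weak backpointer; the constructor initializer list in the first KeyItem.cpp hunk is cut off at `mKey(),`, so I can't see whether it is initialized — if no constructor sets it, the first `operator CFTypeRef()` call reads an indeterminate pointer, so confirm. Document the contract on the member, e.g. `// Not retained; read and written only under getMutexForObject(). The SecKeyRef side must clear this (under the same mutex) before its storage is released.` The hunk also introduces a new `private:` label immediately before the existing `// db item constructor private:` one; fold them together.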
@@ -68,8 +81,13 @@ public: CssmClient::Key &key(); CssmClient::CSP csp(); + // Returns the header of the unverified key (without checking integrity). This will skip ACL checks, but don't trust the data very much. + // Can't return a reference, because maybe the unverified key will get released upon return. + CssmKey::Header unverifiedKeyHeader(); + const CSSM_X509_ALGORITHM_IDENTIFIER& algorithmIdentifier(); unsigned int strengthInBits(const CSSM_X509_ALGORITHM_IDENTIFIER *algid); + CssmClient::Key publicKey(); const AccessCredentials *getCredentials( CSSM_ACL_AUTHORIZATION_TAG operation, 
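Review bot: The comment on `unverifiedKeyHeader()` warns not to trust the data but does not say what the result is safe for; tighten it to state that the header is for metadata only (algorithm, size, usage bits) and that any access or authorization decision must go through `key()`, which performs the integrity check. `publicKey()` is undocumented: from `createPair` it returns the `mPublicKey` cached on the private-key item, and is presumably an empty Key for items loaded from a keychain — confirm and document it, e.g. `// Public half cached by createPair(); empty for keys not created that way.`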
@@ -119,28 +137,38 @@ public: virtual const CssmData &itemID(); - void RawSign(SecPadding padding, CSSM_DATA dataToSign, const AccessCredentials *credentials, CSSM_DATA& signedData); - void RawVerify(SecPadding padding, CSSM_DATA dataToVerify, const AccessCredentials *credentials, CSSM_DATA signature); - void Encrypt(SecPadding padding, CSSM_DATA dataToEncrypt, const AccessCredentials *credentials, CSSM_DATA& encryptedData); - void Decrypt(SecPadding padding, CSSM_DATA dataToEncrypt, const AccessCredentials *credentials, CSSM_DATA& encryptedData); - virtual CFHashCode hash(); virtual void setIntegrity(bool force = false); virtual bool checkIntegrity(); + // Call this function to remove the integrity and partition_id ACLs from + // this item. You're not supposed to be able to do this, so force the issue + // by providing credentials to this keychain. + virtual void removeIntegrity(const AccessCredentials *cred); + static void modifyUniqueId(Keychain keychain, SSDb ssDb, DbUniqueRecord& uniqueId, DbAttributes& newDbAttributes, CSSM_DB_RECORDTYPE recordType); protected: virtual PrimaryKey add(Keychain &keychain); private: + CssmClient::Key unverifiedKey(); + CssmClient::Key mKey; const CSSM_X509_ALGORITHM_IDENTIFIER *algid; CssmAutoData mPubKeyHash; + CssmClient::Key mPublicKey; }; } // end namespace KeychainCore } // end namespace Security +struct OpaqueSecKeyRef { + CFRuntimeBase _base; + const SecKeyDescriptor *key_class; + SecKeyRef cdsaKey; + Security::KeychainCore::KeyItem *key; +}; + #endif // !_SECURITY_KEYITEM_H_ diff --git a/OSX/libsecurity_keychain/lib/Keychains.cpp b/OSX/libsecurity_keychain/lib/Keychains.cpp index de34f0b4..06c4bddc 100644 --- a/OSX/libsecurity_keychain/lib/Keychains.cpp +++ b/OSX/libsecurity_keychain/lib/Keychains.cpp 
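Review bot: `struct OpaqueSecKeyRef` mirrors the runtime layout of the SecKey object owned by the shared SecKey implementation, and `KeyItem::operator CFTypeRef()` writes through its `key` member; any drift between this copy and the canonical definition becomes silent memory corruption rather than a compile error. Add a comment naming the definition it must track, e.g. `// Layout must match the SecKeyRef object defined by the shared SecKey implementation; keep the two in sync.`, and if that header can be included here, replace the copy with the real declaration or add `static_assert` checks on `sizeof` and the offset of `key`. The `removeIntegrity` comment is clear; consider adding that the call fails on an item whose integrity no longer verifies, if that matches the implementation.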
@@ -37,6 +37,7 @@ #include <security_cdsa_utilities/cssmacl.h> #include <security_cdsa_utilities/cssmdb.h> #include <security_utilities/trackingallocator.h> +#include <security_utilities/FileLockTransaction.h> #include <security_keychain/SecCFTypes.h> #include <securityd_client/ssblob.h> #include <Security/TrustSettingsSchema.h> @@ -47,6 +48,7 @@ #include <CoreFoundation/CoreFoundation.h> #include "DLDbListCFPref.h" #include <fcntl.h> +#include <glob.h> #include <sys/param.h> #include <syslog.h> #include <sys/stat.h> @@ -395,7 +397,7 @@ static void check_system_keychain() // KeychainImpl // KeychainImpl::KeychainImpl(const Db &db) - : mAttemptedUpgrade(false), mDbItemMapMutex(Mutex::recursive), mDbDeletedItemMapMutex(Mutex::recursive), +: mCacheTimer(NULL), mSuppressTickle(false), mAttemptedUpgrade(false), mDbItemMapMutex(Mutex::recursive), mDbDeletedItemMapMutex(Mutex::recursive), mInCache(false), mDb(db), mCustomUnlockCreds (this), mIsInBatchMode (false), mMutex(Mutex::recursive) { dispatch_once(&SecKeychainSystemKeychainChecked, ^{ @@ -420,7 +422,7 @@ KeychainImpl::~KeychainImpl() } Mutex* -KeychainImpl::getMutexForObject() +KeychainImpl::getMutexForObject() const { return globals().storageManager.getStorageManagerMutex(); } @@ -490,6 +492,9 @@ KeychainImpl::create(UInt32 passwordLength, const void *inPassword) AclFactory::PasswordChangeCredentials pCreds (password, alloc); AclFactory::AnyResourceContext rcc(pCreds); create(&rcc); + + // Now that we've created, trigger setting the defaultCredentials + mDb->open(); } void KeychainImpl::create(ConstStringPtr inPassword) @@ -510,6 +515,9 @@ KeychainImpl::create() AclFactory aclFactory; AclFactory::AnyResourceContext rcc(aclFactory.unlockCred()); create(&rcc); + + // Now that we've created, trigger setting the defaultCredentials + mDb->open(); } void KeychainImpl::createWithBlob(CssmData &blob) 
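Review bot: Both `KeychainImpl::create(UInt32, const void *)` and `KeychainImpl::create()` now call `mDb->open();` after `create(&rcc);` with the same comment, while `createWithBlob`, visible immediately after, is not changed; if opening is required to set the default credentials after every creation, it probably belongs in the overload both of them call via `create(&rcc)` so the blob path cannot miss it. `#include <glob.h>` is added with no use in the hunks shown here; presumably it serves code later in the file — confirm it is not a leftover.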
@@ -767,8 +775,6 @@ KeychainImpl::isActive() const void KeychainImpl::completeAdd(Item &inItem, PrimaryKey &primaryKey) { - - // The inItem shouldn't be in the cache yet assert(!inItem->inCache()); @@ -788,7 +794,7 @@ void KeychainImpl::completeAdd(Item &inItem, PrimaryKey &primaryKey) // uniquifying items. We really need to insert the item into the // map before we start the add. And have the item be in an // "is being added" state. - secdebug("keychain", "add of new item %p somehow replaced %p", + secnotice("keychain", "add of new item %p somehow replaced %p", inItem.get(), oldItem); mDbItemMap.erase(p.first); @@ -850,7 +856,7 @@ KeychainImpl::didUpdate(const Item &inItem, PrimaryKey &oldPK, // uniquifying items. We really need to insert the item into // the map with the new primary key before we start the update. // And have the item be in an "is being updated" state. - secdebug("keychain", "update of item %p somehow replaced %p", + secnotice("keychain", "update of item %p somehow replaced %p", inItem.get(), oldItem); mDbItemMap.erase(p.first); 
@@ -861,24 +867,20 @@ KeychainImpl::didUpdate(const Item &inItem, PrimaryKey &oldPK, } } - // Item updates now are technically a delete and re-add, so post these events instead of kSecUpdateEvent - postEvent(kSecDeleteEvent, inItem); - postEvent(kSecAddEvent, inItem); + // Item updates now are technically a delete and re-add, so post these events instead of kSecUpdateEvent + postEvent(kSecDeleteEvent, inItem, oldPK); + postEvent(kSecAddEvent, inItem); } void KeychainImpl::deleteItem(Item &inoutItem) { { - // We don't need to hold the DO mutex through event posting, and, in fact, doing so causes deadlock. - // Hold it only as long as needed, instead. - - // item must be persistent if (!inoutItem->isPersistent()) MacOSError::throwMe(errSecInvalidItemRef); - secdebug("kcnotify", "starting deletion of item %p", inoutItem.get()); + secinfo("kcnotify", "starting deletion of item %p", inoutItem.get()); DbUniqueRecord uniqueId = inoutItem->dbUniqueRecord(); PrimaryKey primaryKey = inoutItem->primaryKey(); @@ -909,6 +911,13 @@ KeychainImpl::deleteItem(Item &inoutItem) postEvent(kSecDeleteEvent, inoutItem); } +void KeychainImpl::changeDatabase(CssmClient::Db db) +{ + StLock<Mutex>_(mDbMutex); + mDb = db; + mDb->defaultCredentials(this); +} + CssmClient::CSP KeychainImpl::csp() @@ -1020,6 +1029,7 @@ KeychainImpl::_lookupItem(const PrimaryKey &primaryKey) ItemImpl * KeychainImpl::_lookupDeletedItemOnly(const PrimaryKey &primaryKey) { + StLock<Mutex> _(mDbDeletedItemMapMutex); DbItemMap::iterator it = mDbDeletedItemMap.find(primaryKey); if (it != mDbDeletedItemMap.end()) { 
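Review bot: `KeychainImpl::changeDatabase` swaps `mDb` under `mDbMutex`, but `csp()` directly below and the other `mDb` readers in this file are not shown taking that mutex, so a concurrent caller could observe the old Db being released mid-use; either document that callers must quiesce the keychain before calling it, e.g. `// Caller must ensure no other thread is using mDb; readers do not take mDbMutex.`, or have the readers lock `mDbMutex` as well. The new `StLock<Mutex> _(mDbDeletedItemMapMutex);` in `_lookupDeletedItemOnly` is the right fix for the unguarded map read.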
@@ -1043,8 +1053,7 @@ KeychainImpl::item(const PrimaryKey &primaryKey) try { // We didn't find it so create a new item with just a keychain and - // a primary key. However since we aren't holding - // globals().apiLock anymore some other thread might have beaten + // a primary key. Some other thread might have beaten // us to creating this item and adding it to the cache. If that // happens we retry the lookup. return Item(this, primaryKey); @@ -1168,7 +1177,7 @@ KeychainImpl::didDeleteItem(ItemImpl *inItemImpl) StLock<Mutex>_(mMutex); // Called by CCallbackMgr - secdebug("kcnotify", "%p notified that item %p was deleted", this, inItemImpl); + secinfo("kcnotify", "%p notified that item %p was deleted", this, inItemImpl); removeItem(inItemImpl->primaryKey(), inItemImpl); } @@ -1230,14 +1239,14 @@ KeychainImpl::forceRemoveFromCache(ItemImpl* inItemImpl) { } } // drop mDbDeletedItemMapMutex } catch(UnixError ue) { - secdebugfunc("keychain", "caught UnixError: %d %s", ue.unixError(), ue.what()); + secnotice("keychain", "caught UnixError: %d %s", ue.unixError(), ue.what()); } catch (CssmError cssme) { const char* errStr = cssmErrorString(cssme.error); - secdebugfunc("keychain", "caught CssmError: %d %s", (int) cssme.error, errStr); + secnotice("keychain", "caught CssmError: %d %s", (int) cssme.error, errStr); } catch (MacOSError mose) { - secdebugfunc("keychain", "MacOSError: %d", (int)mose.osStatus()); + secnotice("keychain", "MacOSError: %d", (int)mose.osStatus()); } catch(...) { - secdebugfunc("keychain", "Unknown error"); + secnotice("keychain", "Unknown error"); } } 
@@ -1349,13 +1358,20 @@ KeychainImpl::setBatchMode(Boolean mode, Boolean rollback) KCEventNotifier::PostKeychainEvent(kSecKeychainEnteredBatchModeEvent); } } - void KeychainImpl::postEvent(SecKeychainEvent kcEvent, ItemImpl* item) +{ + postEvent(kcEvent, item, NULL); +} + +void +KeychainImpl::postEvent(SecKeychainEvent kcEvent, ItemImpl* item, PrimaryKey pk) { PrimaryKey primaryKey; - { + if(pk.get()) { + primaryKey = pk; + } else { StLock<Mutex>_(mMutex); if (item != NULL) @@ -1383,6 +1399,12 @@ KeychainImpl::postEvent(SecKeychainEvent kcEvent, ItemImpl* item) } } +void KeychainImpl::tickle() { + if(!mSuppressTickle) { + globals().storageManager.tickleKeychain(this); + } +} + bool KeychainImpl::performKeychainUpgradeIfNeeded() { // Grab this keychain's mutex. This might not be sufficient, since the @@ -1390,7 +1412,7 @@ bool KeychainImpl::performKeychainUpgradeIfNeeded() { StLock<Mutex>_(mMutex); if(!globals().integrityProtection()) { - secdebugfunc("integrity", "skipping upgrade for %s due to global integrity protection being diabled", mDb->name()); + secnotice("integrity", "skipping upgrade for %s due to global integrity protection being disabled", mDb->name()); return false; } @@ -1401,7 +1423,7 @@ bool KeychainImpl::performKeychainUpgradeIfNeeded() { // We only want to upgrade file-based Apple keychains. Check the GUID. if(mDb->dl()->guid() != gGuidAppleCSPDL) { - secdebugfunc("integrity", "skipping upgrade for %s due to guid mismatch\n", mDb->name()); + secnotice("integrity", "skipping upgrade for %s due to guid mismatch\n", mDb->name()); return false; } @@ -1412,7 +1434,7 @@ bool KeychainImpl::performKeychainUpgradeIfNeeded() { // Don't upgrade the System root certificate keychain (to make old tp code happy) if(strncmp(mDb->name(), SYSTEM_ROOT_STORE_PATH, strlen(SYSTEM_ROOT_STORE_PATH)) == 0) { - secdebugfunc("integrity", "skipping upgrade for %s\n", mDb->name()); + secnotice("integrity", "skipping upgrade for %s\n", mDb->name()); return false; } 
@@ -1424,104 +1446,262 @@ bool KeychainImpl::performKeychainUpgradeIfNeeded() { if(cssme.error == CSSMERR_DL_DATASTORE_DOESNOT_EXIST) { // oh well! We tried to get the blob version of a database // that doesn't exist. It doesn't need migration, so do nothing. - secdebugfunc("integrity", "dbBlobVersion() failed for a non-existent database"); + secnotice("integrity", "dbBlobVersion() failed for a non-existent database"); return false; } else { // Some other error occurred. We can't upgrade this keychain, so fail. const char* errStr = cssmErrorString(cssme.error); - secdebugfunc("integrity", "dbBlobVersion() failed for a CssmError: %d %s", (int) cssme.error, errStr); + secnotice("integrity", "dbBlobVersion() failed for a CssmError: %d %s", (int) cssme.error, errStr); return false; } } catch (...) { - secdebugfunc("integrity", "dbBlobVersion() failed for an unknown reason"); + secnotice("integrity", "dbBlobVersion() failed for an unknown reason"); return false; } - if(dbBlobVersion != SecurityServer::DbBlob::currentVersion) { - secdebugfunc("integrity", "going to upgrade %s from version %d to %d!", mDb->name(), dbBlobVersion, SecurityServer::DbBlob::currentVersion); - // We need to opportunistically perform the upgrade/reload dance. - // - // If the keychain is unlocked, try to upgrade it. - // In either case, reload the database from disk. - // We need this keychain's read/write lock. - // Try to grab the keychain write lock. - StReadWriteLock lock(mRWLock, StReadWriteLock::TryWrite); + // Check the location of this keychain + string path = mDb->name(); + string keychainDbPath = StorageManager::makeKeychainDbFilename(path); - // If we didn't manage to grab the lock, there's readers out there - // currently reading this keychain. Abort the upgrade. 
- if(!lock.isLocked()) { - return false; - } + bool inHomeLibraryKeychains = StorageManager::pathInHomeLibraryKeychains(path); + + string keychainDbSuffix = "-db"; + bool endsWithKeychainDb = (path.size() > keychainDbSuffix.size() && (0 == path.compare(path.size() - keychainDbSuffix.size(), keychainDbSuffix.size(), keychainDbSuffix))); + + bool isSystemKeychain = (0 == path.compare("/Library/Keychains/System.keychain")); + + bool result = false; + + if(inHomeLibraryKeychains && endsWithKeychainDb && dbBlobVersion == SecurityServer::DbBlob::version_MacOS_10_0) { + // something has gone horribly wrong: an old-versioned keychain has a .keychain-db name. Rename it. + string basePath = path; + basePath.erase(basePath.end()-3, basePath.end()); + + attemptKeychainRename(path, basePath, dbBlobVersion); + + // If we moved to a good path, we might still want to perform the upgrade. Update our variables. + path = mDb->name(); try { - // We can only attempt an upgrade if the keychain is currently unlocked - // There's a TOCTTOU issue here, but it's going to be rare in practice, and the upgrade will simply fail. - if(!mDb->isLocked()) { - secdebugfunc("integrity", "attempting migration on database %s", mDb->name()); - // Database blob is out of date. Attempt a migration. - uint32 convertedVersion = attemptKeychainMigration(dbBlobVersion, SecurityServer::DbBlob::currentVersion); - if(convertedVersion == SecurityServer::DbBlob::currentVersion) { - secdebugfunc("integrity", "conversion succeeded"); - } else { - secdebugfunc("integrity", "conversion failed, keychain is still %d", convertedVersion); - } - } + dbBlobVersion = mDb->dbBlobVersion(); } catch (CssmError cssme) { const char* errStr = cssmErrorString(cssme.error); - secdebugfunc("integrity", "caught CssmError: %d %s", (int) cssme.error, errStr); + secnotice("integrity", "dbBlobVersion() after a rename failed for a CssmError: %d %s", (int) cssme.error, errStr); + return false; } catch (...) 
{ - // Something went wrong, but don't worry about it. + secnotice("integrity", "dbBlobVersion() failed for an unknown reason after a rename"); + return false; + } + + endsWithKeychainDb = (path.size() > keychainDbSuffix.size() && (0 == path.compare(path.size() - keychainDbSuffix.size(), keychainDbSuffix.size(), keychainDbSuffix))); + keychainDbPath = StorageManager::makeKeychainDbFilename(path); + secnotice("integrity", "after rename, our database thinks that it is %s", path.c_str()); + } + + // Migrate an old keychain in ~/Library/Keychains + if(inHomeLibraryKeychains && dbBlobVersion != SecurityServer::DbBlob::version_partition && !endsWithKeychainDb) { + // We can only attempt to migrate an unlocked keychain. + if(mDb->isLocked()) { + // However, it's possible that while we weren't doing any keychain operations, someone upgraded the keychain, + // and then locked it. No way around hitting the filesystem here: check for the existence of a new file and, + // if no new file exists, quit. + DLDbIdentifier mungedDLDbIdentifier = StorageManager::mungeDLDbIdentifier(mDb->dlDbIdentifier(), false); + string mungedPath(mungedDLDbIdentifier.dbName()); + + // If this matches the file we already have, skip the upgrade. Otherwise, continue. 
+ if(mungedPath == path) { + secnotice("integrity", "skipping upgrade for locked keychain %s\n", mDb->name()); + return false; + } + } + + result = keychainMigration(path, dbBlobVersion, keychainDbPath, SecurityServer::DbBlob::version_partition); + } else if(inHomeLibraryKeychains && dbBlobVersion == SecurityServer::DbBlob::version_partition && !endsWithKeychainDb) { + // This is a new-style keychain with the wrong name, try to rename it + attemptKeychainRename(path, keychainDbPath, dbBlobVersion); + result = true; + } else if(isSystemKeychain && dbBlobVersion == SecurityServer::DbBlob::version_partition) { + // Try to "unupgrade" the system keychain, to clean up our old issues + secnotice("integrity", "attempting downgrade for %s version %d (%d %d %d)", path.c_str(), dbBlobVersion, inHomeLibraryKeychains, endsWithKeychainDb, isSystemKeychain); + + // First step: acquire the credentials to allow for ACL modification + SecurityServer::SystemKeychainKey skk(kSystemUnlockFile); + if(skk.valid()) { + // We've managed to read the key; now, create credentials using it + CssmClient::Key systemKeychainMasterKey(csp(), skk.key(), true); + CssmClient::AclFactory::MasterKeyUnlockCredentials creds(systemKeychainMasterKey, Allocator::standard(Allocator::sensitive)); + + // Attempt the downgrade, using our master key as the ACL override + result = keychainMigration(path, dbBlobVersion, path, SecurityServer::DbBlob::version_MacOS_10_0, creds.getAccessCredentials()); + } else { + secnotice("integrity", "Couldn't read System.keychain key, skipping update"); } + } else { + secnotice("integrity", "not attempting migration for %s version %d (%d %d %d)", path.c_str(), dbBlobVersion, inHomeLibraryKeychains, endsWithKeychainDb, isSystemKeychain); + + // Since we don't believe any migration needs to be done here, mark the + // migration as "attempted" to short-circuit future checks. 
+ mAttemptedUpgrade = true; + } - // No matter if the migrator succeeded, we need to reload this keychain from disk. - // Maybe someone else beat us to upgrading the keychain, but it's been locked since then. - secdebugfunc("integrity", "reloading keychain"); - globals().storageManager.reloadKeychain(this); - secdebugfunc("integrity", "database %s is version %d", mDb->name(), mDb->dbBlobVersion()); + // We might have changed our location on disk. Let StorageManager know. + globals().storageManager.registerKeychainImpl(this); + + // if we attempted a migration, try to clean up leftover files from <rdar://problem/23950408> XARA backup have provided me with 12GB of login keychain copies + if(result) { + string pattern = path + "_*_backup"; + glob_t pglob = {}; + secnotice("integrity", "globbing for %s", pattern.c_str()); + int globresult = glob(pattern.c_str(), GLOB_MARK, NULL, &pglob); + if(globresult == 0) { + secnotice("integrity", "glob: %lu results", pglob.gl_pathc); + if(pglob.gl_pathc > 10) { + // There are more than 10 backup files, indicating a problem. + // Delete all but one of them. Under rdar://23950408, they should all be identical. + secnotice("integrity", "saving backup file: %s", pglob.gl_pathv[0]); + for(int i = 1; i < pglob.gl_pathc; i++) { + secnotice("integrity", "cleaning up backup file: %s", pglob.gl_pathv[i]); + // ignore return code; this is a best-effort cleanup + unlink(pglob.gl_pathv[i]); + } + } + + struct stat st; + bool pathExists = (::stat(path.c_str(), &st) == 0); + bool keychainDbPathExists = (::stat(keychainDbPath.c_str(), &st) == 0); + + if(!pathExists && keychainDbPathExists && pglob.gl_pathc >= 1) { + // We have a file at keychainDbPath, no file at path, and at least one backup keychain file. + // + // Move the backup file to path, to simulate the current "split-world" view, + // which copies from path to keychainDbPath, then modifies keychainDbPath. 
+ secnotice("integrity", "moving backup file %s to %s", pglob.gl_pathv[0], path.c_str()); + ::rename(pglob.gl_pathv[0], path.c_str()); + } + } - return true; + globfree(&pglob); } - return false; + return result; } -// Make sure you have this keychain's mutex and write lock when you call this function! -uint32 KeychainImpl::attemptKeychainMigration(uint32 oldBlobVersion, uint32 newBlobVersion) { - Db db = mDb; // let's not muck up our db for now - db->takeFileLock(); +bool KeychainImpl::keychainMigration(const string oldPath, const uint32 dbBlobVersion, const string newPath, const uint32 newBlobVersion, const AccessCredentials *cred) { + secnotice("integrity", "going to migrate %s at version %d to", oldPath.c_str(), dbBlobVersion); + secnotice("integrity", " %s at version %d", newPath.c_str(), newBlobVersion); + + // We need to opportunistically perform the upgrade/reload dance. + // + // If the keychain is unlocked, try to upgrade it. + // In either case, reload the database from disk. + // We need this keychain's read/write lock. + + // Try to grab the keychain write lock. + StReadWriteLock lock(mRWLock, StReadWriteLock::TryWrite); + + // If we didn't manage to grab the lock, there's readers out there + // currently reading this keychain. Abort the upgrade. + if(!lock.isLocked()) { + secnotice("integrity", "couldn't get read-write lock, aborting upgrade"); + return false; + } + + // Take the file lock on the existing database. We don't need to commit this txion, because we're not planning to + // change the original keychain. + FileLockTransaction fileLockmDb(mDb); // Let's reload this keychain to see if someone changed it on disk globals().storageManager.reloadKeychain(this); + bool result = false; + + try { + // We can only attempt an upgrade if the keychain is currently unlocked + // There's a TOCTTOU issue here, but it's going to be rare in practice, and the upgrade will simply fail. 
+ if(!mDb->isLocked()) { + secnotice("integrity", "have a plan to migrate database %s", mDb->name()); + // Database blob is out of date. Attempt a migration. + uint32 convertedVersion = attemptKeychainMigration(oldPath, dbBlobVersion, newPath, newBlobVersion, cred); + if(convertedVersion == newBlobVersion) { + secnotice("integrity", "conversion succeeded"); + result = true; + } else { + secnotice("integrity", "conversion failed, keychain is still %d", convertedVersion); + } + } else { + secnotice("integrity", "keychain is locked, can't upgrade"); + } + } catch (CssmError cssme) { + const char* errStr = cssmErrorString(cssme.error); + secnotice("integrity", "caught CssmError: %d %s", (int) cssme.error, errStr); + } catch (...) { + // Something went wrong, but don't worry about it. + secnotice("integrity", "caught unknown error"); + } + + // No matter if the migrator succeeded, we need to reload this keychain from disk. + secnotice("integrity", "reloading keychain after migration"); + globals().storageManager.reloadKeychain(this); + secnotice("integrity", "database %s is now version %d", mDb->name(), mDb->dbBlobVersion()); + + return result; +} + +// Make sure you have this keychain's mutex and write lock when you call this function! +uint32 KeychainImpl::attemptKeychainMigration(const string oldPath, const uint32 oldBlobVersion, const string newPath, const uint32 newBlobVersion, const AccessCredentials* cred) { if(mDb->dbBlobVersion() == newBlobVersion) { // Someone else upgraded this, hurray! 
- secdebugfunc("integrity", "reloaded keychain version %d, quitting", mDb->dbBlobVersion()); - db->releaseFileLock(false); + secnotice("integrity", "reloaded keychain version %d, quitting", mDb->dbBlobVersion()); return newBlobVersion; } mAttemptedUpgrade = true; uint32 newDbVersion = oldBlobVersion; - try { - secdebugfunc("integrity", "attempting migration from version %d to %d", oldBlobVersion, newBlobVersion); + if( (oldBlobVersion == SecurityServer::DbBlob::version_MacOS_10_0 && newBlobVersion == SecurityServer::DbBlob::version_partition) || + (oldBlobVersion == SecurityServer::DbBlob::version_partition && newBlobVersion == SecurityServer::DbBlob::version_MacOS_10_0 && cred != NULL)) { + // Here's the upgrade outline: + // + // 1. Make a copy of the keychain with the new file path + // 2. Open that keychain database. + // 3. Recode it to use the new version. + // 4. Notify the StorageManager that the DLDB identifier for this keychain has changed. + // + // If we're creating a new keychain file, on failure, try to delete the new file. Otherwise, + // everyone will try to use it. 
+ + secnotice("integrity", "attempting migration from version %d to %d", oldBlobVersion, newBlobVersion); - // First, make a backup of this database (so we never lose data if something goes wrong) - mDb->makeBackup(); + Db db; + bool newFile = (oldPath != newPath); + + try { + DLDbIdentifier dldbi(dlDbIdentifier().ssuid(), newPath.c_str(), dlDbIdentifier().dbLocation()); + if(newFile) { + secnotice("integrity", "creating a new keychain at %s", newPath.c_str()); + db = mDb->cloneTo(dldbi); + } else { + secnotice("integrity", "using old keychain at %s", newPath.c_str()); + db = mDb; + } + FileLockTransaction fileLockDb(db); + + if(newFile) { + // since we're creating a completely new file, if this migration fails, delete the new file + fileLockDb.setDeleteOnFailure(); + } - if(oldBlobVersion == SecurityServer::DbBlob::version_MacOS_10_0 && newBlobVersion == SecurityServer::DbBlob::version_partition) { // Let the upgrade begin. newDbVersion = db->recodeDbToVersion(newBlobVersion); if(newDbVersion != newBlobVersion) { // Recoding failed. Don't proceed. - secdebugfunc("integrity", "recodeDbToVersion failed, version is still %d", newDbVersion); - db->releaseFileLock(false); + secnotice("integrity", "recodeDbToVersion failed, version is still %d", newDbVersion); return newDbVersion; } - secdebugfunc("integrity", "recoded db successfully, adding extra integrity"); + secnotice("integrity", "recoded db successfully, adding extra integrity"); Keychain keychain(db); @@ -1529,6 +1709,7 @@ uint32 KeychainImpl::attemptKeychainMigration(uint32 oldBlobVersion, uint32 newB // Don't upgrade this keychain, since we just upgraded the DB // But the DB won't return any new data until the txion commits keychain->mAttemptedUpgrade = true; + keychain->mSuppressTickle = true; SecItemClass classes[] = {kSecGenericPasswordItemClass, kSecInternetPasswordItemClass, 
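Review bot: The backup clean-up at the end of performKeychainUpgradeIfNeeded runs after keychainMigration() has returned, i.e. after the mRWLock write lock and the FileLockTransaction it took have been released, so the glob/unlink/stat/rename sequence is not serialised against another process performing the same migration on the same login keychain: one process can `unlink(pglob.gl_pathv[i])` the very file the other is about to `::rename` into `path`, and a backup that appears between the `::stat` and the `::rename` is clobbered. The loop also compares `int i` with `pglob.gl_pathc` (a size_t) and discards the results of both `unlink` and `::rename`, so a failed move is logged as "moving backup file" with no follow-up; I would write `for (size_t i = 1; i < pglob.gl_pathc; i++)` and log a non-zero return from each call together with errno. Note too that the rename branch above sets `result = true` unconditionally after `attemptKeychainRename(...)`, which is void and silently aborts in three cases, so the destructive clean-up can run even when nothing was renamed. Since the `> 10` branch deletes keychain backups on the assumption (per the rdar comment) that they are identical, comparing sizes before unlinking would make that assumption cheap to enforce. The enclosing hunk continues into keychainMigration and attemptKeychainMigration, whose bodies end outside it.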
@@ -1549,14 +1730,19 @@ uint32 KeychainImpl::attemptKeychainMigration(uint32 oldBlobVersion, uint32 newB while(kcc->next(item)) { try { - // Force the item to set integrity. The keychain is confused about its version because it hasn't written to disk yet, - // but if we've reached this point, the keychain supports integrity. - item->setIntegrity(true); + if(newBlobVersion == SecurityServer::DbBlob::version_partition) { + // Force the item to set integrity. The keychain is confused about its version because it hasn't written to disk yet, + // but if we've reached this point, the keychain supports integrity. + item->setIntegrity(true); + } else if(newBlobVersion == SecurityServer::DbBlob::version_MacOS_10_0) { + // We're downgrading this keychain. Pass in whatever credentials our caller thinks will allow this ACL modification. + item->removeIntegrity(cred); + } } catch(CssmError cssme) { // During recoding, we might have deleted some corrupt keys. Because of this, we might have zombie SSGroup records left in // the database that have no matching key. If we get a DL_RECORD_NOT_FOUND error, delete the matching item record. if (cssme.osStatus() == CSSMERR_DL_RECORD_NOT_FOUND) { - secdebugfunc("integrity", "deleting corrupt (Not Found) record"); + secnotice("integrity", "deleting corrupt (Not Found) record"); keychain->deleteItem(item); } else { throw; 
@@ -1565,30 +1751,75 @@ uint32 KeychainImpl::attemptKeychainMigration(uint32 oldBlobVersion, uint32 newB } } - // If we reach here, tell releaseFileLock() to commit the transaction and return the new blob version - secdebugfunc("integrity", "releasing file lock"); - db->releaseFileLock(true); + // Tell securityd we're done with the upgrade, to re-enable all protections + db->recodeFinished(); + + // If we reach here, tell the file locks to commit the transaction and return the new blob version + fileLockDb.success(); - secdebugfunc("integrity", "success, returning version %d", newDbVersion); + secnotice("integrity", "success, returning version %d", newDbVersion); return newDbVersion; + } catch(UnixError ue) { + secnotice("integrity", "caught UnixError: %d %s", ue.unixError(), ue.what()); + } catch (CssmError cssme) { + const char* errStr = cssmErrorString(cssme.error); + secnotice("integrity", "caught CssmError: %d %s", (int) cssme.error, errStr); + } catch (MacOSError mose) { + secnotice("integrity", "MacOSError: %d", (int)mose.osStatus()); + } catch (const std::bad_cast & e) { + secnotice("integrity", "***** bad cast: %s", e.what()); + } catch (...) { + // We failed to migrate. We won't commit the transaction, so the blob on-disk stays the same. + secnotice("integrity", "***** unknown error"); } - } catch (CssmError cssme) { - const char* errStr = cssmErrorString(cssme.error); - secdebugfunc("integrity", "caught CssmError: %d %s", (int) cssme.error, errStr); - db->releaseFileLock(false); - } catch (MacOSError mose) { - secdebugfunc("integrity", "MacOSError: %d", (int)mose.osStatus()); - db->releaseFileLock(false); - } catch (...) { - // We failed to migrate. We won't commit the transaction, so the blob on-disk stays the same. 
- secdebugfunc("integrity", "unknown error"); - db->releaseFileLock(false); + } else { + secnotice("integrity", "no migration path for %s at version %d to", oldPath.c_str(), oldBlobVersion); + secnotice("integrity", " %s at version %d", newPath.c_str(), newBlobVersion); + return oldBlobVersion; } - // If we reached here, we failed the migration. Return the old version. + // If we reached here, the migration failed. Return the old version. return oldBlobVersion; } +void KeychainImpl::attemptKeychainRename(const string oldPath, const string newPath, uint32 blobVersion) { + secnotice("integrity", "attempting to rename keychain (%d) from %s to %s", blobVersion, oldPath.c_str(), newPath.c_str()); + + // Take the file lock on this database, so other people won't try to move it before we do + // NOTE: during a migration from a v256 to a v512 keychain, the db is first copied from the .keychain to the + // .keychain-db path. Other non-migrating processes, if they open the keychain, enter this function to + // try to move it back. These will attempt to take the .keychain-db file lock, but they will not succeed + // until the migration is finished. Once they acquire that, they might try to take the .keychain file lock. + // This is technically lock inversion, but deadlocks will not happen since the migrating process creates the + // .keychain-db file lock before creating the .keychain-db file, so other processes will not try to grab the + // .keychain-db lock in this function before the migrating process already has it. + FileLockTransaction fileLockmDb(mDb); + + // first, check if someone renamed this keychain while we were grabbing the file lock + globals().storageManager.reloadKeychain(this); + + uint32 dbBlobVersion = SecurityServer::DbBlob::version_MacOS_10_0; + + try { + dbBlobVersion = mDb->dbBlobVersion(); + } catch (...) 
{ + secnotice("integrity", "dbBlobVersion() failed for an unknown reason while renaming, aborting rename"); + return; + } + + if(dbBlobVersion != blobVersion) { + secnotice("integrity", "database version changed while we were grabbing the file lock; aborting rename"); + return; + } + + if(oldPath != mDb->name()) { + secnotice("integrity", "database location changed while we were grabbing the file lock; aborting rename"); + return; + } + + // we're still at the original location and version; go ahead and do the move + globals().storageManager.rename(this, newPath.c_str()); +} Keychain::Keychain() { @@ -1663,11 +1894,11 @@ bool KeychainImpl::hasIntegrityProtection() { if(mDb->dbBlobVersion() >= SecurityServer::DbBlob::version_partition) { return true; } else { - secdebugfunc("integrity", "keychain blob version does not support integrity"); + secnotice("integrity", "keychain blob version does not support integrity"); return false; } } else { - secdebugfunc("integrity", "keychain guid does not support integrity"); + secnotice("integrity", "keychain guid does not support integrity"); return false; } return false; diff --git a/OSX/libsecurity_keychain/lib/Keychains.h b/OSX/libsecurity_keychain/lib/Keychains.h index 334cd682..0e0c87f9 100644 --- a/OSX/libsecurity_keychain/lib/Keychains.h +++ b/OSX/libsecurity_keychain/lib/Keychains.h @@ -136,7 +136,7 @@ public: virtual ~KeychainImpl(); Mutex* getKeychainMutex(); - Mutex* getMutexForObject(); + Mutex* getMutexForObject() const; ReadWriteLock* getKeychainReadWriteLock(); void aboutToDestruct(); @@ -184,6 +184,7 @@ public: KCCursor createCursor(const SecKeychainAttributeList *attrList); KCCursor createCursor(SecItemClass itemClass, const SecKeychainAttributeList *attrList); CssmClient::Db database() { StLock<Mutex>_(mDbMutex); return mDb; } + void changeDatabase(CssmClient::Db db); DLDbIdentifier dlDbIdentifier() const { return mDb->dlDbIdentifier(); } CssmClient::CSP csp(); 
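Review bot: attemptKeychainRename never checks whether a file already exists at `newPath` before calling `globals().storageManager.rename(this, newPath.c_str())`, and whether StorageManager::rename refuses to overwrite is not visible here; in the caller's "new-style keychain with the wrong name" branch, newPath is the `.keychain-db` path that an earlier split-world migration may already have populated, so a clobber here would replace a migrated keychain with a renamed one. Guarding with `struct stat st; if (::stat(newPath.c_str(), &st) == 0) { secnotice("integrity", "%s already exists, aborting rename", newPath.c_str()); return; }` before the move would make the intent explicit. Because the function returns void and aborts quietly in three places, the caller cannot tell whether the move happened; returning `bool` (`false` on each early return, `true` after the rename) would let performKeychainUpgradeIfNeeded set `result` honestly. The Keychain() constructor that follows the hunk is outside it.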
@@ -222,6 +223,7 @@ public: void inCache(bool inCache) throw() { mInCache = inCache; } void postEvent(SecKeychainEvent kcEvent, ItemImpl* item); + void postEvent(SecKeychainEvent kcEvent, ItemImpl* item, PrimaryKey pk); void addItem(const PrimaryKey &primaryKey, ItemImpl *dbItemImpl); @@ -236,8 +238,27 @@ private: // DO NOT hold any of the keychain locks when you call this bool performKeychainUpgradeIfNeeded(); + // Notify the keychain that you're accessing it. Used in conjunction with + // the StorageManager for time-based caching. + void tickle(); + + // Used by StorageManager to remember the timer->keychain pairing + dispatch_source_t mCacheTimer; + + // Set this to true to make tickling do nothing. + bool mSuppressTickle; + +public: + // Grab the locks and then call attemptKeychainMigration + // The access credentials are only used when downgrading version, and will be passed along with ACL edits + bool keychainMigration(const string oldPath, const uint32 dbBlobVersion, const string newPath, const uint32 newBlobVersion, const AccessCredentials *cred = NULL); + +private: // Attempt to upgrade this keychain's database - uint32 attemptKeychainMigration(uint32 oldBlobVersion, uint32 newBlobVersion); + uint32 attemptKeychainMigration(const string oldPath, const uint32 oldBlobVersion, const string newPath, const uint32 newBlobVersion, const AccessCredentials *cred); + + // Attempt to rename this keychain, if someone hasn't beaten us to it + void attemptKeychainRename(const string oldPath, const string newPath, uint32 blobVersion); // Remember if we've attempted to upgrade this keychain's database bool mAttemptedUpgrade; 
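Review bot: The new members `mCacheTimer` and `mSuppressTickle` are declared without initialisers and KeychainImpl's constructors are not part of this diff; the only assignment visible in the patch is `keychain->mSuppressTickle = true;` inside attemptKeychainMigration, while tickle() reads the flag on every access, so unless the constructor zeroes both (please confirm), tickle() branches on an indeterminate bool and the timer pointer StorageManager stores in mCacheTimer starts out as garbage. Adding `bool mSuppressTickle = false;` and `dispatch_source_t mCacheTimer = NULL;` at the declaration would remove the dependence on each constructor. Two smaller points: `keychainMigration` is exposed with a `public:` label wedged between private sections, which reads like an accident — a comment saying who outside the class calls it (StorageManager, presumably) would help — and the `const string` by-value parameters on keychainMigration, attemptKeychainMigration and attemptKeychainRename copy each path on every call where `const string &` would do.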
@@ -250,9 +271,18 @@ private: // mDbDeletedItemMapMutex when you call this function. void forceRemoveFromCache(ItemImpl* inItemImpl); + // Looks up an item in the item cache. + // + // To use this in a thread-safe manner, you must hold this keychain's mutex + // from before you begin this operation until you have safely completed a + // CFRetain on the resulting ItemImpl. ItemImpl *_lookupItem(const PrimaryKey &primaryKey); // Looks up a deleted item in the deleted item map. Does not check the normal map. + // + // To use this in a thread-safe manner, you must hold this keychain's mutex + // from before you begin this operation until you have safely completed a + // CFRetain on the resulting ItemImpl. ItemImpl *_lookupDeletedItemOnly(const PrimaryKey &primaryKey); const AccessCredentials *makeCredentials(); diff --git a/OSX/libsecurity_keychain/lib/Policies.cpp b/OSX/libsecurity_keychain/lib/Policies.cpp index 43f5c5a5..4f0cd433 100644 --- a/OSX/libsecurity_keychain/lib/Policies.cpp +++ b/OSX/libsecurity_keychain/lib/Policies.cpp @@ -82,12 +82,12 @@ Policy::Policy(TP supportingTp, const CssmOid &policyOid) mAuxValue(Allocator::standard()) { // value is as yet unimplemented - secdebug("policy", "Policy() this %p", this); + secinfo("policy", "Policy() this %p", this); } Policy::~Policy() throw() { - secdebug("policy", "~Policy() this %p", this); + secinfo("policy", "~Policy() this %p", this); } void Policy::setValue(const CssmData &value) diff --git a/OSX/libsecurity_keychain/lib/SecAccess.cpp b/OSX/libsecurity_keychain/lib/SecAccess.cpp index 39a8b120..ba74e379 100644 --- a/OSX/libsecurity_keychain/lib/SecAccess.cpp +++ b/OSX/libsecurity_keychain/lib/SecAccess.cpp @@ -30,7 +30,6 @@ #include "SecBridge.h" #include <sys/param.h> -#undef secdebug #include <utilities/SecCFWrappers.h> diff --git a/OSX/libsecurity_keychain/lib/SecAccess.h b/OSX/libsecurity_keychain/lib/SecAccess.h index f355ab94..2ba66080 100644 --- a/OSX/libsecurity_keychain/lib/SecAccess.h 
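Review bot: The comment added on _lookupDeletedItemOnly says the caller must hold "this keychain's mutex" for thread safety, but the same patch changes the implementation (the `@@ -1020` hunk in Keychains.cpp) to take `mDbDeletedItemMapMutex` itself, so the two texts name different locks and a reader cannot tell whether mMutex, mDbDeletedItemMapMutex, or both are required. I would make the comment explicit about both: `// Takes mDbDeletedItemMapMutex internally; the caller must NOT already hold it. Hold this keychain's mutex (mMutex) from before the call until the returned ItemImpl has been CFRetained, as for _lookupItem.` The "must NOT already hold it" clause matters because forceRemoveFromCache, whose end is visible above (`} // drop mDbDeletedItemMapMutex`), scopes that same mutex; if it or any other caller reaches _lookupDeletedItemOnly while holding it and Mutex is not recursive, this is a self-deadlock — I cannot see the call graph here, so please confirm.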
+++ b/OSX/libsecurity_keychain/lib/SecAccess.h @@ -135,7 +135,7 @@ OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef __nullable trustedli @param owner A pointer to a CSSM access control list owner. @param aclCount An unsigned 32-bit integer representing the number of items in the access control list. @param acls A pointer to the access control list. - @param On return, a pointer to the new access reference. + @param accessRef On return, a pointer to the new access reference. @result A result code. See "Security Error Codes" (SecBase.h). @discussion For 10.7 and later please use the SecAccessCreateWithOwnerAndACL API */ diff --git a/OSX/libsecurity_keychain/lib/SecBasePriv.h b/OSX/libsecurity_keychain/lib/SecBasePriv.h index 88721e24..23599b80 100644 --- a/OSX/libsecurity_keychain/lib/SecBasePriv.h +++ b/OSX/libsecurity_keychain/lib/SecBasePriv.h @@ -78,6 +78,7 @@ enum errSecReturnMissingPointer = priv_errSecParam, // -34014, /* The caller passed asked for something to be returned but did not pass in a result pointer. */ errSecMatchLimitUnsupported = priv_errSecParam, // -34015, /* The caller passed in a kSecMatchLimit key to a call which does not support limits. */ errSecItemIllegalQuery = priv_errSecParam, // -34016, /* The caller passed in a query which contained too many keys. */ + errSecMissingEntitlement = -34018, /* Internal error when a required entitlement isn't present. */ }; const char *cssmErrorString(CSSM_RETURN error); diff --git a/OSX/libsecurity_keychain/lib/SecBridge.h b/OSX/libsecurity_keychain/lib/SecBridge.h index 2c541baf..8486ad2a 100644 --- a/OSX/libsecurity_keychain/lib/SecBridge.h +++ b/OSX/libsecurity_keychain/lib/SecBridge.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2004,2011,2013-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2000-2004,2011,2013-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -45,14 +45,14 @@ using namespace KeychainCore; // END_API3(name, bad) // like END_API1, with API name as debug scope for printing function result // #define BEGIN_SECAPI \ - OSStatus __secapiresult = errSecSuccess; \ + OSStatus __secapiresult = errSecSuccess; \ try { #define END_SECAPI }\ catch (const MacOSError &err) { __secapiresult=err.osStatus(); } \ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } \ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } \ catch (...) { __secapiresult=errSecInternalComponent; } \ - return __secapiresult; + return __secapiresult; #define END_SECAPI1(BAD_RETURN_VAL) \ } \ catch (...) \ 
@@ -61,30 +61,97 @@ using namespace KeychainCore; } \ return __secapiresult; #define END_SECAPI1(BAD_RETURN_VAL) }\ - catch (...) { __secapiresult=BAD_RETURN_VAL; } \ - return __secapiresult; + catch (...) { __secapiresult=BAD_RETURN_VAL; } \ + return __secapiresult; #define END_SECAPI0 }\ - catch (...) { return; } + catch (...) { return; } + + +// +// BEGIN_SECKCITEMAPI +// Note: this macro assumes an input parameter named "itemRef" +// +#if SECTRUST_OSX +#define BEGIN_SECKCITEMAPI \ + OSStatus __secapiresult=errSecSuccess; \ + SecKeychainItemRef __itemImplRef=NULL; \ + bool __is_certificate=(itemRef && (CFGetTypeID(itemRef) == SecCertificateGetTypeID())); \ + if (__is_certificate) { \ + if (SecCertificateIsItemImplInstance((SecCertificateRef)itemRef)) { \ + __itemImplRef=(SecKeychainItemRef)CFRetain(itemRef); \ + } else { \ + __itemImplRef=(SecKeychainItemRef)SecCertificateCopyKeychainItem((SecCertificateRef)itemRef); \ + if (!__itemImplRef) { \ + __itemImplRef=(SecKeychainItemRef)SecCertificateCreateItemImplInstance((SecCertificateRef)itemRef); \ + (void)SecCertificateSetKeychainItem((SecCertificateRef)itemRef,__itemImplRef); \ + } \ + } \ + } else { \ + __itemImplRef=(SecKeychainItemRef)((itemRef) ? CFRetain(itemRef) : NULL); \ + } \ + try { +#else +#define BEGIN_SECKCITEMAPI \ + OSStatus __secapiresult=errSecSuccess; \ + SecKeychainItemRef __itemImplRef=(SecKeychainItemRef)((itemRef) ? CFRetain(itemRef) : NULL); \ + try { +#endif +// +// END_SECKCITEMAPI +// +#define END_SECKCITEMAPI } \ + catch (const MacOSError &err) { __secapiresult=err.osStatus(); } \ + catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } \ + catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } \ + catch (...) 
{ __secapiresult=errSecInternalComponent; } \ + if (__itemImplRef) { CFRelease(__itemImplRef); } \ + return __secapiresult; + +// +// BEGIN_SECCERTAPI +// Note: this macro assumes an input parameter named "certificate" +// #if SECTRUST_OSX #define BEGIN_SECCERTAPI \ -OSStatus __secapiresult=errSecSuccess; \ -SecCertificateRef __itemImplRef=(SecCertificateRef)SecCertificateCopyKeychainItem(certificate); \ -if (!__itemImplRef) { __itemImplRef=SecCertificateCreateItemImplInstance(certificate); } \ -try { + OSStatus __secapiresult=errSecSuccess; \ + SecCertificateRef __itemImplRef=NULL; \ + if (SecCertificateIsItemImplInstance(certificate)) { __itemImplRef=(SecCertificateRef)CFRetain(certificate); } \ + if (!__itemImplRef && certificate) { __itemImplRef=(SecCertificateRef)SecCertificateCopyKeychainItem(certificate); } \ + if (!__itemImplRef && certificate) { __itemImplRef=SecCertificateCreateItemImplInstance(certificate); \ + (void)SecCertificateSetKeychainItem(certificate,__itemImplRef); } \ + try { #else #define BEGIN_SECCERTAPI \ -OSStatus __secapiresult=errSecSuccess; \ -SecCertificateRef __itemImplRef=(SecCertificateRef)((certificate)?CFRetain(certificate):NULL); \ -try { + OSStatus __secapiresult=errSecSuccess; \ + SecCertificateRef __itemImplRef=(SecCertificateRef)((certificate)?CFRetain(certificate):NULL); \ + try { #endif -#define END_SECCERTAPI }\ -catch (const MacOSError &err) { __secapiresult=err.osStatus(); } \ -catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } \ -catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } \ -catch (...) 
{ __secapiresult=errSecInternalComponent; } \ -if (__itemImplRef) { CFRelease(__itemImplRef); } \ -return __secapiresult; +// +// END_SECCERTAPI +// +#define END_SECCERTAPI } \ + catch (const MacOSError &err) { __secapiresult=err.osStatus(); } \ + catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } \ + catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } \ + catch (...) { __secapiresult=errSecInternalComponent; } \ + if (__itemImplRef) { CFRelease(__itemImplRef); } \ + return __secapiresult; + + +// +// BEGIN_SECKEYAPI +// +#define BEGIN_SECKEYAPI(resultType, resultInit) \ +resultType result = resultInit; try { + +extern "C" bool SecError(OSStatus status, CFErrorRef *error, CFStringRef format, ...); +#define END_SECKEYAPI }\ +catch (const MacOSError &err) { SecError(err.osStatus(), error, CFSTR("%s"), err.what()); result = NULL; } \ +catch (const CommonError &err) { SecError(SecKeychainErrFromOSStatus(err.osStatus()), error, CFSTR("%s"), err.what()); result = NULL; } \ +catch (const std::bad_alloc &) { SecError(errSecAllocate, error, CFSTR("allocation failed")); result = NULL; } \ +catch (...) { SecError(errSecInternalComponent, error, CFSTR("internal error")); result = NULL; } \ +return result; #endif /* !_SECURITY_SECBRIDGE_H_ */ diff --git a/OSX/libsecurity_keychain/lib/SecCFTypes.cpp b/OSX/libsecurity_keychain/lib/SecCFTypes.cpp index 474d8206..cfbf7e8e 100644 --- a/OSX/libsecurity_keychain/lib/SecCFTypes.cpp +++ b/OSX/libsecurity_keychain/lib/SecCFTypes.cpp @@ -58,7 +58,6 @@ SecCFTypes::SecCFTypes() : ItemImpl("SecKeychainItem"), KCCursorImpl("SecKeychainSearch"), KeychainImpl("SecKeychain"), - KeyItem("SecKey"), PasswordImpl("SecPassword"), Policy("SecPolicy"), PolicyCursor("SecPolicySearch"), diff --git a/OSX/libsecurity_keychain/lib/SecCFTypes.h b/OSX/libsecurity_keychain/lib/SecCFTypes.h index 18935453..c1a8e1d2 100644 --- a/OSX/libsecurity_keychain/lib/SecCFTypes.h 
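Review bot: END_SECKEYAPI depends on an in-scope `error` (CFErrorRef *) and on the `result` variable that BEGIN_SECKEYAPI declares, but unlike BEGIN_SECKCITEMAPI and BEGIN_SECCERTAPI in this hunk its header comment does not say so; add `// Note: this macro assumes an input parameter named "error" (CFErrorRef *) and a pointer-typed resultType` above `#define BEGIN_SECKEYAPI`. Every catch block assigns `result = NULL`, so the pair only compiles for pointer or CF reference result types, and stating that up front saves the next user from an unobvious error on an integer resultType. The `extern "C" bool SecError(...)` declaration sits between the BEGIN and END halves; moving it above BEGIN_SECKEYAPI keeps the pair together like the other macro pairs added here.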
+++ b/OSX/libsecurity_keychain/lib/SecCFTypes.h @@ -88,7 +88,6 @@ public: CFClass ItemImpl; CFClass KCCursorImpl; CFClass KeychainImpl; - CFClass KeyItem; CFClass PasswordImpl; CFClass Policy; CFClass PolicyCursor; diff --git a/OSX/libsecurity_keychain/lib/SecCertificate.cpp b/OSX/libsecurity_keychain/lib/SecCertificate.cpp index 8c908f64..b9086d28 100644 --- a/OSX/libsecurity_keychain/lib/SecCertificate.cpp +++ b/OSX/libsecurity_keychain/lib/SecCertificate.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -50,7 +50,6 @@ #include "AppleBaselineEscrowCertificates.h" -SecCertificateRef SecCertificateCreateItemImplInstance(SecCertificateRef certificate); OSStatus SecCertificateGetCLHandle_legacy(SecCertificateRef certificate, CSSM_CL_HANDLE *clHandle); extern CSSM_KEYUSE ConvertArrayToKeyUsage(CFArrayRef usage); @@ -63,9 +62,12 @@ SEC_CONST_DECL (kSecCertificateEscrowFileName, "AppleESCertificates"); using namespace CssmClient; -#if !SECTRUST_OSX CFTypeID +#if SECTRUST_OSX +static SecCertificateGetTypeID_osx(void) +#else SecCertificateGetTypeID(void) +#endif { BEGIN_SECAPI 
@@ -73,7 +75,33 @@ SecCertificateGetTypeID(void) END_SECAPI1(_kCFRuntimeNotATypeID) } + +Boolean +SecCertificateIsItemImplInstance(SecCertificateRef certificate) +{ + if (certificate == NULL) { + return false; + } +#if !SECTRUST_OSX + return true; +#else + CFTypeID typeID = CFGetTypeID(certificate); + +#if 0 /* debug code to verify type IDs */ + syslog(LOG_ERR, "SecCertificate typeID=%d [STU=%d, OSX=%d, SKI=%d]", + (int)typeID, + (int)SecCertificateGetTypeID(), + (int)SecCertificateGetTypeID_osx(), + (int)SecKeychainItemGetTypeID()); #endif + if (typeID == _kCFRuntimeNotATypeID) { + return false; + } + + return (typeID == SecCertificateGetTypeID_osx() || + typeID == SecKeychainItemGetTypeID()) ? true : false; +#endif +} /* convert a new-world SecCertificateRef to an old-world ItemImpl instance */ SecCertificateRef @@ -144,6 +172,26 @@ SecCertificateCreateFromItemImplInstance(SecCertificateRef certificate) #endif } +#if !SECTRUST_OSX +OSStatus +SecCertificateSetKeychainItem(SecCertificateRef certificate, CFTypeRef keychain_item) +{ + // pre-STU, this function is a no-op since it's the same item reference + return errSecSuccess; +} +#endif + +#if !SECTRUST_OSX +CFTypeRef +SecCertificateCopyKeychainItem(SecCertificateRef certificate) +{ + if (certificate) { + CFRetain(certificate); + } + return certificate; +} +#endif + /* OS X only: DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER */ OSStatus SecCertificateCreateFromData(const CSSM_DATA *data, CSSM_CERT_TYPE type, CSSM_CERT_ENCODING encoding, SecCertificateRef *certificate) 
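Review bot: SecCertificateIsItemImplInstance (hunk -73) returns true for any object whose type ID is SecKeychainItemGetTypeID(), not only certificates, and callers added elsewhere in this commit (e.g. SecCertificateGetData) pass such a reference straight to Certificate::required on that answer; the function has no header comment recording this. Add `/* Returns true if certificate is an old-style ItemImpl reference (its own type ID or any SecKeychainItem type ID). Callers must still validate that the item is a certificate. */` above the definition. The `#if 0` syslog block is debug residue and would be better removed than shipped.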
@@ -161,7 +209,16 @@ SecCertificateCreateFromData(const CSSM_DATA *data, CSSM_CERT_TYPE type, CSSM_CE return errSecParam; } SecCertificateRef certRef = NULL; - CFDataRef dataRef = CFDataCreate(NULL, data->Data, data->Length); + + // <rdar://problem/24403998> REG: Adobe {Photoshop, InDesign} CC(2015) crashes on launch + // If you take the length that SecKeychainItemCopyContent gives you (a Uint32) and assign it incorrectly + // to a CSSM_DATA Length field (a CSSM_SIZE, i.e., a size_t), the upper 32 bits aren't set. If those bits + // are non-zero, the length is incredibly wrong. + // + // Assume that there will not exist a certificate > 4GiB, and fake this length field. + CSSM_SIZE length = data->Length & 0xfffffffful; + + CFDataRef dataRef = CFDataCreate(NULL, data->Data, length); if (dataRef) { certRef = SecCertificateCreateWithData(NULL, dataRef); CFRelease(dataRef); @@ -201,7 +258,7 @@ SecCertificateCreateWithData(CFAllocatorRef allocator, CFDataRef data) OSStatus SecCertificateAddToKeychain(SecCertificateRef certificate, SecKeychainRef keychain) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Item item(Certificate::required(__itemImplRef)); 
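Review bot: The mask `data->Length & 0xfffffffful` in SecCertificateCreateFromData corrects callers that stored a 32-bit length into a CSSM_SIZE, but it equally shortens any Length whose upper bits are genuinely set, so CFDataCreate then builds a truncated certificate that fails later rather than this call returning errSecParam. Since the comment already states the assumption that no certificate exceeds 4 GiB, consider making a violation observable in debug builds, e.g. a debug-only log when `data->Length != length`, so a future caller bug does not hide behind the workaround. The enclosing function starts outside the hunk.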
@@ -214,12 +271,28 @@ SecCertificateAddToKeychain(SecCertificateRef certificate, SecKeychainRef keycha OSStatus SecCertificateGetData(SecCertificateRef certificate, CSSM_DATA_PTR data) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl +#if !SECTRUST_OSX + BEGIN_SECAPI + + Required(data) = Certificate::required(certificate)->data(); + + END_SECAPI +#else BEGIN_SECCERTAPI - Required(data) = Certificate::required(__itemImplRef)->data(); + if (!certificate || !data) { + __secapiresult=errSecParam; + } + else if (SecCertificateIsItemImplInstance(certificate)) { + Required(data) = Certificate::required(certificate)->data(); + } + else { + data->Length = (CSSM_SIZE)SecCertificateGetLength(certificate); + data->Data = (uint8*)SecCertificateGetBytePtr(certificate); + } END_SECCERTAPI +#endif } #if !SECTRUST_OSX @@ -228,7 +301,7 @@ CFDataRef SecCertificateCopyData(SecCertificateRef certificate) { CFDataRef data = NULL; - OSStatus __secapiresult = errSecSuccess; + OSStatus __secapiresult = errSecSuccess; try { CssmData output = Certificate::required(certificate)->data(); CFIndex length = (CFIndex)output.length(); 
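Review bot: In the SECTRUST_OSX branch of SecCertificateGetData, BEGIN_SECCERTAPI (as defined in SecBridge.h in this commit) still creates and caches an ItemImpl instance via SecCertificateCreateItemImplInstance/SecCertificateSetKeychainItem even though the unified-reference `else` branch never touches `__itemImplRef` and reads the bytes with SecCertificateGetBytePtr, and the `!data` error path pays the same cost. Checking the parameters and the unified case before entering the macro, or using BEGIN_SECAPI here, avoids that side effect. The `data->Data` pointer handed back in the else branch presumably aliases the certificate's internal storage rather than a copy; a comment such as `// data->Data points into the certificate's own buffer; valid only while certificate is retained — confirm` would warn callers that previously received CSSM-owned data.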
@@ -241,26 +314,12 @@ SecCertificateCopyData(SecCertificateRef certificate) catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } catch (...) { __secapiresult=errSecInternalComponent; } - return data; + return data; } #endif #if !SECTRUST_OSX -CFDataRef -SecCertificateGetSHA1Digest(SecCertificateRef certificate) -{ - CFDataRef data = NULL; - OSStatus __secapiresult = errSecSuccess; - try { - data = Certificate::required(certificate)->sha1Hash(); - } - catch (const MacOSError &err) { __secapiresult=err.osStatus(); } - catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } - catch (...) { __secapiresult=errSecInternalComponent; } - return data; -} - +/* new in 10.12 */ CFDataRef SecCertificateCopySHA256Digest(SecCertificateRef certificate) { @@ -268,8 +327,9 @@ SecCertificateCopySHA256Digest(SecCertificateRef certificate) OSStatus __secapiresult = errSecSuccess; try { data = Certificate::required(certificate)->sha256Hash(); - if (data) + if (data) { CFRetain(data); + } } catch (const MacOSError &err) { __secapiresult=err.osStatus(); } catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } 
@@ -277,8 +337,23 @@ SecCertificateCopySHA256Digest(SecCertificateRef certificate) catch (...) { __secapiresult=errSecInternalComponent; } return data; } +#endif - +#if !SECTRUST_OSX +CFDataRef +SecCertificateGetSHA1Digest(SecCertificateRef certificate) +{ + CFDataRef data = NULL; + OSStatus __secapiresult = errSecSuccess; + try { + data = Certificate::required(certificate)->sha1Hash(); + } + catch (const MacOSError &err) { __secapiresult=err.osStatus(); } + catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } + catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } + catch (...) { __secapiresult=errSecInternalComponent; } + return data; +} #endif #if !SECTRUST_OSX @@ -324,7 +399,7 @@ SecCertificateCopyDNSNames(SecCertificateRef certificate) OSStatus SecCertificateGetType(SecCertificateRef certificate, CSSM_CERT_TYPE *certificateType) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(certificateType) = Certificate::required(__itemImplRef)->type(); @@ -336,7 +411,7 @@ SecCertificateGetType(SecCertificateRef certificate, CSSM_CERT_TYPE *certificate OSStatus SecCertificateGetSubject(SecCertificateRef certificate, const CSSM_X509_NAME **subject) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(subject) = Certificate::required(__itemImplRef)->subjectName(); 
@@ -348,7 +423,7 @@ SecCertificateGetSubject(SecCertificateRef certificate, const CSSM_X509_NAME **s OSStatus SecCertificateGetIssuer(SecCertificateRef certificate, const CSSM_X509_NAME **issuer) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(issuer) = Certificate::required(__itemImplRef)->issuerName(); 
@@ -360,55 +435,12 @@ SecCertificateGetIssuer(SecCertificateRef certificate, const CSSM_X509_NAME **is OSStatus SecCertificateGetCLHandle(SecCertificateRef certificate, CSSM_CL_HANDLE *clHandle) { -#if !SECTRUST_OSX - BEGIN_SECAPI - - Required(clHandle) = Certificate::required(certificate)->clHandle(); - - END_SECAPI -#else -#if 0 - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(clHandle) = Certificate::required(__itemImplRef)->clHandle(); END_SECCERTAPI -#endif - /* bridge code to support deprecated functionality */ - OSStatus __secapiresult=errSecSuccess; - bool kcItem=true; - SecCertificateRef __itemImplRef=(SecCertificateRef)SecCertificateCopyKeychainItem(certificate); - if (!__itemImplRef) { __itemImplRef=SecCertificateCreateItemImplInstance(certificate); kcItem=false; } - try { - Required(clHandle) = Certificate::required(__itemImplRef)->clHandle(); - } - catch (const MacOSError &err) { __secapiresult=err.osStatus(); } - catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } - catch (...) { __secapiresult=errSecInternalComponent; } - if (__itemImplRef) { - if (!kcItem) { - /* we can't release the temporary certificate, or the CL handle becomes invalid. - * for now, just stick the temporary certificate into an array. - * TBD: use a dictionary, indexed by hash of certificate. 
*/ - static CFMutableArrayRef sLegacyCertArray = NULL; - if (!sLegacyCertArray) { - sLegacyCertArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - if (!sLegacyCertArray) { - return errSecAllocate; - } - } - CFArrayAppendValue(sLegacyCertArray, __itemImplRef); -#ifndef NDEBUG - syslog(LOG_ERR, "WARNING: SecCertificateGetCLHandle called on certificate which is not in a keychain."); -#endif - } - CFRelease(__itemImplRef); - } - return __secapiresult; - -#endif } /* private function; assumes input is old-style ItemImpl certificate reference, @@ -424,7 +456,6 @@ SecCertificateGetCLHandle_legacy(SecCertificateRef certificate, CSSM_CL_HANDLE * END_SECAPI } - /* * Private API to infer a display name for a SecCertificateRef which * may or may not be in a keychain. @@ -434,7 +465,7 @@ SecCertificateGetCLHandle_legacy(SecCertificateRef certificate, CSSM_CL_HANDLE * OSStatus SecCertificateInferLabel(SecCertificateRef certificate, CFStringRef *label) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Certificate::required(__itemImplRef)->inferLabel(false, &Required(label)); @@ -446,7 +477,7 @@ SecCertificateInferLabel(SecCertificateRef certificate, CFStringRef *label) OSStatus SecCertificateCopyPublicKey(SecCertificateRef certificate, SecKeyRef *key) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(key) = Certificate::required(__itemImplRef)->publicKey()->handle(); 
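Review bot: SecCertificateGetCLHandle now releases `__itemImplRef` in END_SECCERTAPI, whereas the deleted bridge code deliberately kept the temporary ItemImpl alive because "we can't release the temporary certificate, or the CL handle becomes invalid". The handle returned through `clHandle` therefore appears to stay valid only because BEGIN_SECCERTAPI stores the ItemImpl on the certificate with SecCertificateSetKeychainItem, which presumably holds its own reference; nothing in this function records that dependency. Add a comment before BEGIN_SECCERTAPI such as `// The CL handle is owned by the ItemImpl instance; BEGIN_SECCERTAPI caches that instance on the certificate, which keeps the handle valid after __itemImplRef is released at END_SECCERTAPI` so a later change to the macro does not silently reintroduce dangling handles.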
@@ -458,7 +489,7 @@ SecCertificateCopyPublicKey(SecCertificateRef certificate, SecKeyRef *key) OSStatus SecCertificateGetAlgorithmID(SecCertificateRef certificate, const CSSM_X509_ALGORITHM_IDENTIFIER **algid) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(algid) = Certificate::required(__itemImplRef)->algorithmID(); @@ -470,7 +501,7 @@ SecCertificateGetAlgorithmID(SecCertificateRef certificate, const CSSM_X509_ALGO OSStatus SecCertificateCopyCommonName(SecCertificateRef certificate, CFStringRef *commonName) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(commonName) = Certificate::required(__itemImplRef)->commonName(); @@ -484,7 +515,7 @@ CFStringRef SecCertificateCopySubjectSummary(SecCertificateRef certificate) { CFStringRef summary = NULL; - OSStatus __secapiresult; + OSStatus __secapiresult; try { Certificate::required(certificate)->inferLabel(false, &summary); @@ -494,7 +525,7 @@ SecCertificateCopySubjectSummary(SecCertificateRef certificate) catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } catch (...) { __secapiresult=errSecInternalComponent; } - return summary; + return summary; } #endif @@ -521,7 +552,7 @@ SecCertificateCopyIssuerSummary(SecCertificateRef certificate) OSStatus SecCertificateCopySubjectComponent(SecCertificateRef certificate, const CSSM_OID *component, CFStringRef *result) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(result) = Certificate::required(__itemImplRef)->distinguishedName(&CSSMOID_X509V1SubjectNameCStruct, component); 
@@ -541,7 +572,7 @@ SecCertificateGetCommonName(SecCertificateRef certificate, CFStringRef *commonNa OSStatus SecCertificateGetEmailAddress(SecCertificateRef certificate, CFStringRef *emailAddress) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(emailAddress) = Certificate::required(__itemImplRef)->copyFirstEmailAddress(); @@ -553,7 +584,7 @@ SecCertificateGetEmailAddress(SecCertificateRef certificate, CFStringRef *emailA OSStatus SecCertificateCopyEmailAddresses(SecCertificateRef certificate, CFArrayRef *emailAddresses) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(emailAddresses) = Certificate::required(__itemImplRef)->copyEmailAddresses(); @@ -569,7 +600,7 @@ SecCertificateCopyEmailAddresses(SecCertificateRef certificate, CFArrayRef *emai OSStatus SecCertificateCopyFieldValues(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR **fieldValues) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(fieldValues) = Certificate::required(__itemImplRef)->copyFieldValues(Required(field)); @@ -581,7 +612,7 @@ SecCertificateCopyFieldValues(SecCertificateRef certificate, const CSSM_OID *fie OSStatus SecCertificateReleaseFieldValues(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR *fieldValues) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Certificate::required(__itemImplRef)->releaseFieldValues(Required(field), fieldValues); 
@@ -593,7 +624,7 @@ SecCertificateReleaseFieldValues(SecCertificateRef certificate, const CSSM_OID * OSStatus SecCertificateCopyFirstFieldValue(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR *fieldValue) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Required(fieldValue) = Certificate::required(__itemImplRef)->copyFirstFieldValue(Required(field)); @@ -605,7 +636,7 @@ SecCertificateCopyFirstFieldValue(SecCertificateRef certificate, const CSSM_OID OSStatus SecCertificateReleaseFirstFieldValue(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR fieldValue) { - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI Certificate::required(__itemImplRef)->releaseFieldValue(Required(field), fieldValue); @@ -833,12 +864,21 @@ SecCertificateCopyPreference( *certificate = (SecCertificateRef)certItemRef; #if SECTRUST_OSX + if (certItemRef && (CFGetTypeID(certItemRef) == SecIdentityGetTypeID())) { + // SecKeychainItemCopyFromPersistentReference handed out an identity reference + *certificate = NULL; + status = SecIdentityCopyCertificate((SecIdentityRef)certItemRef, certificate); + CFRelease(certItemRef); + return status; + } +#if 0 /* SecKeychainItemCopyFromPersistentReference now does this work for us */ // convert ItemImpl-based SecCertificateRef to new-world version before returning CssmData certData = Certificate::required(*certificate)->data(); CFRef<CFDataRef> cfData(CFDataCreate(NULL, certData.Data, certData.Length)); SecCertificateRef tmpRef = *certificate; *certificate = SecCertificateCreateWithData(NULL, cfData); CFRelease(tmpRef); +#endif #endif END_SECAPI 
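Review bot: The `#if 0` block left in SecCertificateCopyPreference is dead code kept only for its explanatory comment; delete it and keep a single line, `// SecKeychainItemCopyFromPersistentReference now returns a unified certificate reference, so no conversion is needed here`. The new identity branch returns from what appears to be inside the BEGIN_SECAPI try block, which bypasses END_SECAPI but is fine for the OSStatus it propagates; note that `*certificate` is set to NULL before SecIdentityCopyCertificate, so on failure the caller receives NULL plus the error, which is worth stating in the function's header comment. The enclosing function starts outside the hunk.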
@@ -950,7 +990,7 @@ OSStatus SecCertificateSetPreference( return SecCertificateDeletePreferenceItemWithNameAndKeyUsage(NULL, name, keyUsage); } - // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + // This macro creates an ItemImpl certificate if it does not exist BEGIN_SECCERTAPI // determine the account attribute @@ -1064,9 +1104,21 @@ CFDictionaryRef SecCertificateCopyValues(SecCertificateRef certificate, CFArrayR { CFDictionaryRef result = NULL; OSStatus __secapiresult; + SecCertificateRef tmpcert = NULL; +#if SECTRUST_OSX + // convert input to a new-style certificate reference if necessary, + // since the implementation of CertificateValues calls SecCertificate API functions + // which now assume a unified certificate reference. + if (SecCertificateIsItemImplInstance(certificate)) { + tmpcert = SecCertificateCreateFromItemImplInstance(certificate); + } +#endif + if (certificate && !tmpcert) { + tmpcert = (SecCertificateRef) CFRetain(certificate); + } try { - CertificateValues cv(certificate); + CertificateValues cv(tmpcert); result = cv.copyFieldValues(keys,error); __secapiresult=0; } @@ -1074,6 +1126,7 @@ CFDictionaryRef SecCertificateCopyValues(SecCertificateRef certificate, CFArrayR catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } catch (...) { __secapiresult=errSecInternalComponent; } + if (tmpcert) { CFRelease(tmpcert); } return result; } 
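Review bot: In SecCertificateCopyValues, when SecCertificateCreateFromItemImplInstance returns NULL for an ItemImpl reference, the `if (certificate && !tmpcert)` fallback retains the original ItemImpl reference and hands it to CertificateValues, which the new comment says now assumes a unified reference; the conversion failure is masked instead of reported. Treat it as an error, e.g. `if (SecCertificateIsItemImplInstance(certificate)) { tmpcert = SecCertificateCreateFromItemImplInstance(certificate); if (!tmpcert) { return NULL; } }` (nothing has been retained at that point), or set `__secapiresult` and skip the try. `__secapiresult` is assigned in every catch but never read, so a failure remains indistinguishable from an empty result unless it is logged or surfaced through `error`. The function spans both hunks of this section.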
@@ -1188,6 +1241,26 @@ CFDataRef SecCertificateCopySubjectSequence(SecCertificateRef certificate) } #endif +#if !SECTRUST_OSX +CFDictionaryRef SecCertificateCopyAttributeDictionary(SecCertificateRef certificate) +{ + CFDictionaryRef result = NULL; + OSStatus status; + try + { + CertificateValues cv(certificate); + result = cv.copyAttributeDictionary(NULL); + status=0; + } + catch (const MacOSError &err) { status=err.osStatus(); } + catch (const CommonError &err) { status=SecKeychainErrFromOSStatus(err.osStatus()); } + catch (const std::bad_alloc &) { status=errSecAllocate; } + catch (...) { status=errSecInternalComponent; } + + return result; +} +#endif + #if !SECTRUST_OSX bool SecCertificateIsValid(SecCertificateRef certificate, CFAbsoluteTime verifyTime) { diff --git a/OSX/libsecurity_keychain/lib/SecCertificate.h b/OSX/libsecurity_keychain/lib/SecCertificate.h index 7eb01b64..aac97e5a 100644 --- a/OSX/libsecurity_keychain/lib/SecCertificate.h +++ b/OSX/libsecurity_keychain/lib/SecCertificate.h @@ -31,6 +31,8 @@ #ifndef _SECURITY_SECCERTIFICATE_H_ #define _SECURITY_SECCERTIFICATE_H_ +#define _SECURITY_VERSION_GREATER_THAN_57610_ + #include <CoreFoundation/CFBase.h> #include <CoreFoundation/CFArray.h> #include <CoreFoundation/CFData.h> @@ -102,7 +104,7 @@ OSStatus SecCertificateCreateFromData(const CSSM_DATA *data, CSSM_CERT_TYPE type @function SecCertificateCreateWithData @abstract Create a certificate reference given its DER representation as a CFData. @param allocator CFAllocator to allocate the certificate data. Pass NULL to use the default allocator. - @param certificate DER encoded X.509 certificate. + @param data DER encoded X.509 certificate. @result On return, a reference to the certificate. Returns NULL if the passed-in data is not a valid DER-encoded X.509 certificate. */ __nullable 
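Review bot: SecCertificateCopyAttributeDictionary assigns `status` in every catch handler but never reads it, so a thrown MacOSError, allocation failure or internal error reaches the caller as a bare NULL with no diagnostic; neighbouring functions share the pattern, but new code need not repeat it. Either drop the variable or report the failure through the file's existing logging before `return result;`, and say in a header comment that NULL means "no attributes or error". In the SecCertificate.h hunk, `_SECURITY_VERSION_GREATER_THAN_57610_` is added without explanation; it presumably serves as a compile-time marker for clients, and a one-line comment stating that intent would keep it from being removed as unused.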
@@ -307,6 +309,39 @@ OSStatus SecCertificateSetPreference(SecCertificateRef certificate, CFStringRef OSStatus SecCertificateSetPreferred(SecCertificateRef __nullable certificate, CFStringRef name, CFArrayRef __nullable keyUsage) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +/*! + @typedef SecKeyUsage + @abstract Flags to indicate key usages in the KeyUsage extension of a certificate + @constant kSecKeyUsageUnspecified No KeyUsage extension in certificate. + @constant kSecKeyUsageDigitalSignature DigitalSignature bit set in KeyUsage extension. + @constant kSecKeyUsageNonRepudiation NonRepudiation bit set in KeyUsage extension. + @constant kSecKeyUsageContentCommitment ContentCommitment bit set in KeyUsage extension. + @constant kSecKeyUsageKeyEncipherment KeyEncipherment bit set in KeyUsage extension. + @constant kSecKeyUsageDataEncipherment DataEncipherment bit set in KeyUsage extension. + @constant kSecKeyUsageKeyAgreement KeyAgreement bit set in KeyUsage extension. + @constant kSecKeyUsageKeyCertSign KeyCertSign bit set in KeyUsage extension. + @constant kSecKeyUsageCRLSign CRLSign bit set in KeyUsage extension. + @constant kSecKeyUsageEncipherOnly EncipherOnly bit set in KeyUsage extension. + @constant kSecKeyUsageDecipherOnly DecipherOnly bit set in KeyUsage extension. + @constant kSecKeyUsageCritical KeyUsage extension is marked critical. + @constant kSecKeyUsageAll For masking purposes, all SecKeyUsage values. + */ +typedef CF_OPTIONS(uint32_t, SecKeyUsage) { + kSecKeyUsageUnspecified = 0, + kSecKeyUsageDigitalSignature = 1 << 0, + kSecKeyUsageNonRepudiation = 1 << 1, + kSecKeyUsageContentCommitment= 1 << 1, + kSecKeyUsageKeyEncipherment = 1 << 2, + kSecKeyUsageDataEncipherment = 1 << 3, + kSecKeyUsageKeyAgreement = 1 << 4, + kSecKeyUsageKeyCertSign = 1 << 5, + kSecKeyUsageCRLSign = 1 << 6, + kSecKeyUsageEncipherOnly = 1 << 7, + kSecKeyUsageDecipherOnly = 1 << 8, + kSecKeyUsageCritical = 1 << 31, + kSecKeyUsageAll = 0x7FFFFFFF +}; + /*! 
@enum kSecPropertyKey @abstract Constants used to access dictionary entries returned by SecCertificateCopyValues diff --git a/OSX/libsecurity_keychain/lib/SecCertificateP.c b/OSX/libsecurity_keychain/lib/SecCertificateP.c index fc6403c9..611d9d57 100644 --- a/OSX/libsecurity_keychain/lib/SecCertificateP.c +++ b/OSX/libsecurity_keychain/lib/SecCertificateP.c 
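Review bot: `kSecKeyUsageCritical = 1 << 31` in the new SecKeyUsage CF_OPTIONS shifts the int constant 1 into the sign bit, which is undefined behaviour in C11 (6.5.7) and only implementation-defined in C++; the header is consumed from C (SecCertificateP.c uses SecKeyUsage in the KeyUsage hunk of this commit) and the underlying type is uint32_t, so write `kSecKeyUsageCritical = 1u << 31,` (or `0x80000000`). `kSecKeyUsageAll = 0x7FFFFFFF` excludes that critical bit while its @constant line says "all SecKeyUsage values"; either the doc should read "all usage bits except kSecKeyUsageCritical" or the mask should include it, whichever the parser expects. kSecKeyUsageNonRepudiation and kSecKeyUsageContentCommitment sharing `1 << 1` is the RFC 5280 rename, and a one-line comment saying so would stop the duplicate from being "fixed".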
@@ -187,21 +187,21 @@ struct __SecCertificate { }; /* Public Constants for property list keys. */ -CFStringRef kSecPropertyKeyType = CFSTR("type"); -CFStringRef kSecPropertyKeyLabel = CFSTR("label"); -CFStringRef kSecPropertyKeyLocalizedLabel = CFSTR("localized label"); -CFStringRef kSecPropertyKeyValue = CFSTR("value"); +const CFStringRef kSecPropertyKeyType = CFSTR("type"); +const CFStringRef kSecPropertyKeyLabel = CFSTR("label"); +const CFStringRef kSecPropertyKeyLocalizedLabel = CFSTR("localized label"); +const CFStringRef kSecPropertyKeyValue = CFSTR("value"); /* Public Constants for property list values. */ -CFStringRef kSecPropertyTypeWarning = CFSTR("warning"); -CFStringRef kSecPropertyTypeError = CFSTR("error"); -CFStringRef kSecPropertyTypeSuccess = CFSTR("success"); -CFStringRef kSecPropertyTypeTitle = CFSTR("title"); -CFStringRef kSecPropertyTypeSection = CFSTR("section"); -CFStringRef kSecPropertyTypeData = CFSTR("data"); -CFStringRef kSecPropertyTypeString = CFSTR("string"); -CFStringRef kSecPropertyTypeURL = CFSTR("url"); -CFStringRef kSecPropertyTypeDate = CFSTR("date"); +const CFStringRef kSecPropertyTypeWarning = CFSTR("warning"); +const CFStringRef kSecPropertyTypeError = CFSTR("error"); +const CFStringRef kSecPropertyTypeSuccess = CFSTR("success"); +const CFStringRef kSecPropertyTypeTitle = CFSTR("title"); +const CFStringRef kSecPropertyTypeSection = CFSTR("section"); +const CFStringRef kSecPropertyTypeData = CFSTR("data"); +const CFStringRef kSecPropertyTypeString = CFSTR("string"); +const CFStringRef kSecPropertyTypeURL = CFSTR("url"); +const CFStringRef kSecPropertyTypeDate = CFSTR("date"); /* Extension parsing routine. */ typedef void (*SecCertificateExtensionParser)(SecCertificateRefP certificate, 
@@ -597,7 +597,7 @@ static OSStatus parseX501Name(const DERItem *x501Name, void *context, static void SecCEPSubjectKeyIdentifier(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); DERDecodedInfo keyIdentifier; DERReturn drtn = DERDecodeItem(&extn->extnValue, &keyIdentifier); require_noerr_quiet(drtn, badDER); @@ -606,12 +606,12 @@ static void SecCEPSubjectKeyIdentifier(SecCertificateRefP certificate, return; badDER: - secdebug("cert", "Invalid SubjectKeyIdentifier Extension"); + secinfo("cert", "Invalid SubjectKeyIdentifier Extension"); } static void SecCEPKeyUsage(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); SecKeyUsage keyUsage = extn->critical ? kSecKeyUsageCritical : 0; DERDecodedInfo bitStringContent; DERReturn drtn = DERDecodeItem(&extn->extnValue, &bitStringContent); 
@@ -646,28 +646,28 @@ badDER: static void SecCEPPrivateKeyUsagePeriod(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); } static void SecCEPSubjectAltName(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); certificate->_subjectAltName = extn; } static void SecCEPIssuerAltName(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); } static void SecCEPBasicConstraints(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); DERBasicConstraints basicConstraints; require_noerr_quiet(DERParseSequence(&extn->extnValue, DERNumBasicConstraintsItemSpecs, DERBasicConstraintsItemSpecs, &basicConstraints, sizeof(basicConstraints)), badDER); - require_noerr_quiet(DERParseBoolean(&basicConstraints.cA, false, + require_noerr_quiet(DERParseBooleanWithDefault(&basicConstraints.cA, false, &certificate->_basicConstraints.isCA), badDER); if (basicConstraints.pathLenConstraint.length != 0) { require_noerr_quiet(DERParseInteger( 
@@ -680,12 +680,12 @@ static void SecCEPBasicConstraints(SecCertificateRefP certificate, return; badDER: certificate->_basicConstraints.present = false; - secdebug("cert", "Invalid BasicConstraints Extension"); + secinfo("cert", "Invalid BasicConstraints Extension"); } static void SecCEPCrlDistributionPoints(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); } /* @@ -702,9 +702,11 @@ static void SecCEPCrlDistributionPoints(SecCertificateRefP certificate, policyQualifierId PolicyQualifierId, qualifier ANY DEFINED BY policyQualifierId } */ +/* maximum number of policies of 8192 seems more than adequate */ +#define MAX_CERTIFICATE_POLICIES 8192 static void SecCEPCertificatePolicies(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); DERTag tag; DERSequence piSeq; SecCEPolicyInformation *policies = NULL; @@ -713,7 +715,8 @@ static void SecCEPCertificatePolicies(SecCertificateRefP certificate, require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER); DERDecodedInfo piContent; DERSize policy_count = 0; - while ((drtn = DERDecodeSeqNext(&piSeq, &piContent)) == DR_Success) { + while ((policy_count < MAX_CERTIFICATE_POLICIES) && + (drtn = DERDecodeSeqNext(&piSeq, &piContent)) == DR_Success) { require_quiet(piContent.tag == ASN1_CONSTR_SEQUENCE, badDER); policy_count++; } 
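Review bot: Capping the count loop at MAX_CERTIFICATE_POLICIES changes what it leaves in drtn: on reaching 8192 entries the loop exits with drtn still DR_Success rather than DR_EndOfSequence, so whatever check follows the loop (outside this hunk) decides whether an over-long CertificatePolicies extension is rejected as bad DER or silently truncated to the first 8192 entries. The comment `maximum number of policies of 8192 seems more than adequate` reads as a guess rather than a rationale and should state the intent, e.g. `/* Bound the element count so a hostile extension cannot drive the allocation below; longer sequences are treated as malformed */` if rejection is what the following check produces. An `enum { MAX_CERTIFICATE_POLICIES = 8192 };` would also match the file's C style better than a bare `#define`. SecCEPCertificatePolicies's body continues outside the hunk.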
@@ -722,7 +725,8 @@ static void SecCEPCertificatePolicies(SecCertificateRefP certificate, * policy_count); DERDecodeSeqInit(&extn->extnValue, &tag, &piSeq); DERSize policy_ix = 0; - while ((drtn = DERDecodeSeqNext(&piSeq, &piContent)) == DR_Success) { + while ((policy_ix < (policy_count > 0 ? policy_count : 1)) && + (drtn = DERDecodeSeqNext(&piSeq, &piContent)) == DR_Success) { DERPolicyInformation pi; drtn = DERParseSequenceContent(&piContent.content, DERNumPolicyInformationItemSpecs, @@ -741,7 +745,7 @@ badDER: if (policies) free(policies); certificate->_certificatePolicies.present = false; - secdebug("cert", "Invalid CertificatePolicies Extension"); + secinfo("cert", "Invalid CertificatePolicies Extension"); } /* @@ -754,7 +758,7 @@ badDER: #if 0 static void SecCEPPolicyMappings(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); DERTag tag; DERSequence pmSeq; SecCEPolicyMapping *mappings = NULL; @@ -792,12 +796,12 @@ badDER: free(mappings); CFReleaseSafe(mappings); certificate->_policyMappings.present = false; - secdebug("cert", "Invalid CertificatePolicies Extension"); + secinfo("cert", "Invalid CertificatePolicies Extension"); } #else static void SecCEPPolicyMappings(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); DERTag tag; DERSequence pmSeq; CFMutableDictionaryRef mappings = NULL; @@ -838,7 +842,7 @@ static void SecCEPPolicyMappings(SecCertificateRefP certificate, badDER: CFReleaseSafe(mappings); certificate->_policyMappings = NULL; - secdebug("cert", "Invalid CertificatePolicies Extension"); + secinfo("cert", "Invalid CertificatePolicies Extension"); } #endif 
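Review bot: The bound `policy_ix < (policy_count > 0 ? policy_count : 1)` permits one iteration when policy_count is 0, yet the `policies` buffer allocated just before the hunk is `sizeof(SecCEPolicyInformation) * policy_count` bytes, i.e. zero-length in that case; the body is only kept from writing past it because re-parsing the same extnValue yields no element, which is fragile and not visible here. `while ((policy_ix < policy_count) &&` states the real invariant, that writes never exceed what was counted and allocated, and makes the empty case a plain no-op. The function body continues outside the hunk on both sides.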
@@ -854,7 +858,7 @@ KeyIdentifier ::= OCTET STRING */ static void SecCEPAuthorityKeyIdentifier(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); DERAuthorityKeyIdentifier akid; DERReturn drtn; drtn = DERParseSequence(&extn->extnValue, @@ -876,12 +880,12 @@ static void SecCEPAuthorityKeyIdentifier(SecCertificateRefP certificate, return; badDER: - secdebug("cert", "Invalid AuthorityKeyIdentifier Extension"); + secinfo("cert", "Invalid AuthorityKeyIdentifier Extension"); } static void SecCEPPolicyConstraints(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); DERPolicyConstraints pc; DERReturn drtn; drtn = DERParseSequence(&extn->extnValue, @@ -908,12 +912,12 @@ static void SecCEPPolicyConstraints(SecCertificateRefP certificate, return; badDER: certificate->_policyConstraints.present = false; - secdebug("cert", "Invalid PolicyConstraints Extension"); + secinfo("cert", "Invalid PolicyConstraints Extension"); } static void SecCEPExtendedKeyUsage(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); } /* 
@@ -923,14 +927,14 @@ static void SecCEPExtendedKeyUsage(SecCertificateRefP certificate, */ static void SecCEPInhibitAnyPolicy(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); require_noerr_quiet(DERParseInteger( &extn->extnValue, &certificate->_inhibitAnyPolicySkipCerts), badDER); return; badDER: certificate->_inhibitAnyPolicySkipCerts = UINT32_MAX; - secdebug("cert", "Invalid InhibitAnyPolicy Extension"); + secinfo("cert", "Invalid InhibitAnyPolicy Extension"); } /* @@ -951,7 +955,7 @@ badDER: */ static void SecCEPAuthorityInfoAccess(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); DERTag tag; DERSequence adSeq; DERReturn drtn = DERDecodeSeqInit(&extn->extnValue, &tag, &adSeq); @@ -998,7 +1002,7 @@ static void SecCEPAuthorityInfoAccess(SecCertificateRefP certificate, break; } default: - secdebug("cert", "bad general name for id-ad-ocsp AccessDescription t: 0x%02x v: %.*s", + secinfo("cert", "bad general name for id-ad-ocsp AccessDescription t: 0x%02llx v: %.*s", generalNameContent.tag, (int)generalNameContent.content.length, generalNameContent.content.data); goto badDER; break; 
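Review bot: `0x%02llx` fixes the tag width, but the same log call still passes `%.*s` an `(int)` narrowing of generalNameContent.content.length, a DERSize taken from the certificate; if DERSize is wider than int, a length above INT_MAX becomes a negative precision, which printf treats as unspecified and then reads until a NUL that this non-terminated DER content does not guarantee. Such lengths cannot occur unless the enclosing certificate itself exceeds 2 GB, so the practical risk is low, but because this dumps raw bytes from an untrusted extension the assumption deserves either an explicit clamp, e.g. `(int)(generalNameContent.content.length > INT_MAX ? INT_MAX : generalNameContent.content.length)`, or a comment stating it; the bytes are also not filtered for non-printable characters before reaching the log. SecCEPAuthorityInfoAccess's body continues outside the hunk.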
@@ -1007,22 +1011,22 @@ static void SecCEPAuthorityInfoAccess(SecCertificateRefP certificate, require_quiet(drtn == DR_EndOfSequence, badDER); return; badDER: - secdebug("cert", "failed to parse Authority Information Access extension"); + secinfo("cert", "failed to parse Authority Information Access extension"); } static void SecCEPSubjectInfoAccess(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); } static void SecCEPNetscapeCertType(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); } static void SecCEPEntrustVersInfo(SecCertificateRefP certificate, const SecCertificateExtension *extn) { - secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + secinfo("cert", "critical: %s", extn->critical ? "yes" : "no"); } /* Dictionary key callback for comparing to DERItems. */ @@ -1493,7 +1497,7 @@ static bool SecCertificateParse(SecCertificateRefP certificate) require_noerr_quiet(drtn, badCert); /* Copy stuff into certificate->extensions[ix]. */ certificate->_extensions[ix].extnID = extn.extnID; - require_noerr_quiet(drtn = DERParseBoolean(&extn.critical, false, + require_noerr_quiet(drtn = DERParseBooleanWithDefault(&extn.critical, false, &certificate->_extensions[ix].critical), badCert); certificate->_extensions[ix].extnValue = extn.extnValue; 
@@ -1504,10 +1508,10 @@ static bool SecCertificateParse(SecCertificateRefP certificate) /* Invoke the parser. */ parser(certificate, &certificate->_extensions[ix]); } else if (certificate->_extensions[ix].critical) { - secdebug("cert", "Found unknown critical extension"); + secinfo("cert", "Found unknown critical extension"); certificate->_foundUnknownCriticalExtension = true; } else { - secdebug("cert", "Found unknown non critical extension"); + secinfo("cert", "Found unknown non critical extension"); } } } @@ -1887,7 +1891,7 @@ CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes, timeZoneOffset = 0; } - secdebug("dateparse", + secinfo("dateparse", "date %.*s year: %04d-%02d-%02d %02d:%02d:%02.f %+05.f", (int)length, bytes, (int)gdate.year, gdate.month, gdate.day, gdate.hour, gdate.minute, gdate.second, @@ -2167,7 +2171,7 @@ static CFStringRef copyDERThingContentDescription(CFAllocatorRef allocator, /* @@@ Localize. */ /* "format string for undisplayed field data with a given DER tag" */ return printableOnly ? NULL : CFStringCreateWithFormat(allocator, NULL, - CFSTR("not displayed (tag = %d; length %d)"), + CFSTR("not displayed (tag = %llu; length %d)"), tag, (int)derThing->length); } } @@ -2312,7 +2316,7 @@ static void appendBoolProperty(CFMutableArrayRef properties, static void appendBooleanProperty(CFMutableArrayRef properties, CFStringRef label, const DERItem *boolean, bool defaultValue) { bool result; - DERReturn drtn = DERParseBoolean(boolean, defaultValue, &result); + DERReturn drtn = DERParseBooleanWithDefault(boolean, defaultValue, &result); if (drtn) { /* Couldn't parse boolean; dump the raw unparsed data as hex. */ appendInvalidProperty(properties, label, boolean); 
@@ -2413,7 +2417,7 @@ static void appendKeyUsage(CFMutableArrayRef properties, SecKeyUsage usage = (extnValue->data[3] << 8); if (extnValue->length == 5) usage += extnValue->data[4]; - secdebug("keyusage", "keyusage: %04X", usage); + secinfo("keyusage", "keyusage: %04X", usage); static const CFStringRef usageNames[] = { CFSTR("Digital Signature"), CFSTR("Non-Repudiation"), @@ -3681,13 +3685,12 @@ OSStatus SecCertificateIsSignedByP(SecCertificateRefP certificate, algId.parameters.Length = certificate->_tbsSigAlg.params.length; algId.parameters.Data = certificate->_tbsSigAlg.params.data; -#warning implementation empty #if 0 OSStatus status = SecKeyDigestAndVerify(issuerKey, &algId, certificate->_tbs.data, certificate->_tbs.length, certificate->_signature.data, certificate->_signature.length); if (status) { - secdebug("verify", "signature verify failed: %d", status); + secinfo("verify", "signature verify failed: %d", status); return errSecNotSigner; } #endif @@ -3741,11 +3744,11 @@ static OSStatus SecCertificateIsIssuedBy(SecCertificateRefP certificate, signedDataLength = DER_MD_DIGEST_INFO_LEN; crtn = mdDigestInfo(WD_MD2, &certificate->_tbs, signedData); } else { - secdebug("verify", "unsupported algorithm"); + secinfo("verify", "unsupported algorithm"); return errSecUnsupportedAlgorithm; } if (crtn) { - secdebug("verify", "*DigestInfo returned: %d", crtn); + secinfo("verify", "*DigestInfo returned: %d", crtn); /* FIXME: Do proper error code translation. */ return errSecUnsupportedAlgorithm; } @@ -3754,7 +3757,7 @@ static OSStatus SecCertificateIsIssuedBy(SecCertificateRefP certificate, signedData, signedDataLength, certificate->_signature.data, certificate->_signature.length); if (status) { - secdebug("verify", "signature verify failed: %d", status); + secinfo("verify", "signature verify failed: %d", status); return errSecNotSigner; } 
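Review bot: Removing `#warning implementation empty` leaves the `#if 0` around SecKeyDigestAndVerify in place, so SecCertificateIsSignedByP still performs no signature check; the warning was the only build-time signal of that, and what the function returns after the disabled block is outside this hunk — if it reports errSecSuccess, callers treat an unverified chain link as signed. The same applies to SecCertificateCopyPublicKeyP further down in this commit, where the warning goes and the `#if 0` stays. If these entry points are intentionally stubs, keep the fact visible in the source with a comment on the `#if 0`, e.g. `/* NOT IMPLEMENTED: the signature is not verified here; use SecTrust for verification */`, rather than only in the build log.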
@@ -3781,7 +3784,7 @@ static OSStatus _SecCertificateSetParent(SecCertificateRefP certificate, /* We don't retain ourselves cause that would be bad mojo, however we do record that we are properly self signed. */ certificate->_isSelfSigned = kSecSelfSignedTrue; - secdebug("cert", "set self as parent"); + secinfo("cert", "set self as parent"); return errSecSuccess; } @@ -3845,7 +3848,7 @@ static bool SecCertificateFindParent(SecCertificateRefP certificate) { OSStatus status = SecItemCopyMatching(query, &results); CFRelease(query); if (status) { - secdebug("cert", "SecCertificateFindParent: SecItemCopyMatching: %d", + secinfo("cert", "SecCertificateFindParent: SecItemCopyMatching: %d", status); return false; } @@ -4396,7 +4399,7 @@ CFDataRef SecDERItemCopySequenceP(DERItem *content) { sequence_length); CFDataSetLength(sequence, sequence_length); uint8_t *sequence_ptr = CFDataGetMutableBytePtr(sequence); - *sequence_ptr++ = 0x30; /* ASN1_CONSTR_SEQUENCE */ + *sequence_ptr++ = ONE_BYTE_ASN1_CONSTR_SEQUENCE; require_noerr_quiet(DEREncodeLength(content->length, sequence_ptr, &seq_len_length), out); sequence_ptr += seq_len_length; @@ -4428,7 +4431,6 @@ const DERItem *SecCertificateGetPublicKeyDataP(SecCertificateRefP certificate) { SecKeyRefP SecCertificateCopyPublicKeyP(SecCertificateRefP certificate) { SecKeyRefP publicKey = NULL; -#warning implementation empty #if 0 const DERAlgorithmId *algId = SecCertificateGetPublicKeyAlgorithmP(certificate); @@ -4437,7 +4439,7 @@ SecKeyRefP SecCertificateCopyPublicKeyP(SecCertificateRefP certificate) { publicKey = SecKeyCreateRSAPublicKey(kCFAllocatorDefault, keyData->data, keyData->length, kSecKeyEncodingPkcs1); } else { - secdebug("cert", "Unsupported algorithm oid"); + secinfo("cert", "Unsupported algorithm oid"); } #endif diff --git a/OSX/libsecurity_keychain/lib/SecCertificatePriv.h b/OSX/libsecurity_keychain/lib/SecCertificatePriv.h index 1827773d..3e36b135 100644 --- a/OSX/libsecurity_keychain/lib/SecCertificatePriv.h 
+++ b/OSX/libsecurity_keychain/lib/SecCertificatePriv.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2002-2004,2011-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -31,17 +31,21 @@ #include <CoreFoundation/CFArray.h> #include <CoreFoundation/CFData.h> #include <CoreFoundation/CFDate.h> +#include <CoreFoundation/CFDictionary.h> #if defined(__cplusplus) extern "C" { #endif -typedef uint32_t SecCertificateEscrowRootType; -enum { +typedef CF_ENUM(uint32_t, SecCertificateEscrowRootType) { kSecCertificateBaselineEscrowRoot = 0, kSecCertificateProductionEscrowRoot = 1, kSecCertificateBaselinePCSEscrowRoot = 2, kSecCertificateProductionPCSEscrowRoot = 3, + kSecCertificateBaselineEscrowBackupRoot = 4, // v100 and v101 + kSecCertificateProductionEscrowBackupRoot = 5, + kSecCertificateBaselineEscrowEnrollmentRoot = 6, // v101 only + kSecCertificateProductionEscrowEnrollmentRoot = 7, }; extern const CFStringRef kSecCertificateProductionEscrowKey; @@ -57,6 +61,9 @@ SecCertificateRef SecCertificateCreateItemImplInstance(SecCertificateRef certifi /* Inverse of above; convert legacy Certificate instance to new ref. */ SecCertificateRef SecCertificateCreateFromItemImplInstance(SecCertificateRef certificate); +/* Convenience function to determine type of certificate instance. */ +Boolean SecCertificateIsItemImplInstance(SecCertificateRef certificate); + /* Given a legacy C++ ItemImpl-based Certificate instance obtained with SecCertificateCreateItemImplInstance, return its clHandle pointer. 
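Review bot: The new escrow root constants kSecCertificateBaselineEscrowBackupRoot through kSecCertificateProductionEscrowEnrollmentRoot are documented only by `// v100 and v101` and `// v101 only`, which does not say what v100/v101 denote or which roots SecCertificateCopyEscrowRoots returns for each. A short comment above the enum naming the versioning scheme and the meaning of the Backup and Enrollment variants would make the values usable without reading the implementation. The move from a bare `typedef uint32_t` plus anonymous enum to `CF_ENUM(uint32_t, SecCertificateEscrowRootType)` keeps the same underlying type, so existing callers are unaffected.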
@@ -69,6 +76,12 @@ OSStatus SecCertificateGetCLHandle_legacy(SecCertificateRef certificate, CSSM_CL SecCertificateRef SecCertificateCreateWithBytes(CFAllocatorRef allocator, const UInt8 *bytes, CFIndex length); +/* Returns a certificate from a pem blob. + Return NULL if the passed-in data is not a valid DER-encoded X.509 + certificate. */ +SecCertificateRef SecCertificateCreateWithPEM(CFAllocatorRef allocator, + CFDataRef pem_certificate); + /* Return the length of the DER representation of this certificate. */ CFIndex SecCertificateGetLength(SecCertificateRef certificate); @@ -78,12 +91,18 @@ const UInt8 *SecCertificateGetBytePtr(SecCertificateRef certificate); /* Return the SHA-1 hash of this certificate. */ CFDataRef SecCertificateGetSHA1Digest(SecCertificateRef certificate); -/* Return the SHA2-256 hash of this certificate. */ +/* Return the SHA-256 hash of this certificate. */ CFDataRef SecCertificateCopySHA256Digest(SecCertificateRef certificate); /* Return the SHA-1 hash of the public key in this certificate. */ CFDataRef SecCertificateCopyPublicKeySHA1Digest(SecCertificateRef certificate); +/* Return the SHA-1 hash of the SubjectPublicKeyInfo sequence in this certificate. */ +CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA1Digest(SecCertificateRef certificate); + +/* Return the SHA-256 hash of the SubjectPublicKeyInfo sequence in this certificate. */ +CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA256Digest(SecCertificateRef certificate); + /* Deprecated; use SecCertificateCopyCommonName() instead. */ OSStatus SecCertificateGetCommonName(SecCertificateRef certificate, CFStringRef *commonName); 
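Review bot: The comment on SecCertificateCreateWithPEM says it takes a pem blob and then `Return NULL if the passed-in data is not a valid DER-encoded X.509 certificate`, which contradicts itself; suggest `/* Return a certificate parsed from a PEM-encoded blob. Returns NULL if the data is not a valid PEM-wrapped X.509 certificate. */`. It also leaves open whether a blob holding several PEM blocks yields the first certificate or fails, which callers of a private API will want stated.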
@@ -95,9 +114,22 @@ OSStatus SecCertificateGetEmailAddress(SecCertificateRef certificate, CFStringRe certificate if any. */ CFArrayRef SecCertificateCopyDNSNames(SecCertificateRef certificate); +/* Return an array of CFStringRefs representing the NTPrincipalNames in the + certificate if any. */ +CFArrayRef SecCertificateCopyNTPrincipalNames(SecCertificateRef certificate); + +/* Create a unified SecCertificateRef from a legacy keychain item and its data. */ SecCertificateRef SecCertificateCreateWithKeychainItem(CFAllocatorRef allocator, CFDataRef der_certificate, CFTypeRef keychainItem); +/* Set a legacy item instance for a unified SecCertificateRef. */ +OSStatus SecCertificateSetKeychainItem(SecCertificateRef certificate, + CFTypeRef keychain_item); + +/* Return a keychain item reference, given a unified SecCertificateRef. + Note: for this function to succeed, the provided certificate must have been + created by SecCertificateCreateWithKeychainItem, otherwise NULL is returned. + */ CFTypeRef SecCertificateCopyKeychainItem(SecCertificateRef certificate); /*! @@ -110,6 +142,13 @@ CFTypeRef SecCertificateCopyKeychainItem(SecCertificateRef certificate); */ CFStringRef SecCertificateCopyIssuerSummary(SecCertificateRef certificate); +/* Return a string formatted according to RFC 2253 representing the complete + subject of certificate. */ +CFStringRef SecCertificateCopySubjectString(SecCertificateRef certificate); + +CFMutableArrayRef SecCertificateCopySummaryProperties( + SecCertificateRef certificate, CFAbsoluteTime verifyTime); + /* * Private API to infer a display name for a SecCertificateRef which * may or may not be in a keychain. 
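Review bot: SecCertificateCopySummaryProperties is added with no comment at all, unlike every neighbouring declaration, so the role of verifyTime and the ownership of the returned CFMutableArrayRef are unexplained; something like `/* Return a mutable array of summary properties for this certificate, judging validity against verifyTime. Caller releases. */` would do, hedged because the implementation is not in this diff. The note on SecCertificateCopyKeychainItem says success requires creation by SecCertificateCreateWithKeychainItem, but the same hunk adds SecCertificateSetKeychainItem, which presumably also satisfies it; the note should mention both paths.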
@@ -191,6 +230,12 @@ CFDataRef SecCertificateCopyIssuerSequence(SecCertificateRef certificate); /* Return the DER encoded subject sequence for the certificate's subject. */ CFDataRef SecCertificateCopySubjectSequence(SecCertificateRef certificate); +#if (SECTRUST_OSX && TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR)) +CFDataRef SecCertificateGetNormalizedIssuerContent(SecCertificateRef certificate); +CFDataRef SecCertificateGetNormalizedSubjectContent(SecCertificateRef certificate); +CFDataRef SecCertificateCopyNormalizedIssuerSequence(SecCertificateRef certificate); +CFDataRef SecCertificateCopyNormalizedSubjectSequence(SecCertificateRef certificate); +#endif /* Convenience functions for searching. */ 
@@ -265,6 +310,28 @@ CFAbsoluteTime SecCertificateNotValidAfter(SecCertificateRef certificate) OSStatus SecCertificateIsSelfSigned(SecCertificateRef certRef, Boolean *isSelfSigned) __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_9_0); +/*! + @function SecCertificateIsSelfSignedCA + @abstract Determine if the given certificate is self-signed and has a basic + constraints extension indicating it is a certificate authority. + @param certificate A certificate reference. + @result Returns true if the certificate is self-signed and has a basic + constraints extension indicating it is a certificate authority, otherwise false. +*/ +bool SecCertificateIsSelfSignedCA(SecCertificateRef certificate) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); + +/*! + @function SecCertificateIsCA + @abstract Determine if the given certificate has a basic + constraints extension indicating it is a certificate authority. + @param certificate A certificate reference. + @result Returns true if the certificate has a basic constraints + extension indicating it is a certificate authority, otherwise false. +*/ +bool SecCertificateIsCA(SecCertificateRef certificate) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); + /*! @function SecCertificateCopyEscrowRoots @abstract Retrieve the array of valid escrow certificates for a given root type. @@ -274,6 +341,9 @@ OSStatus SecCertificateIsSelfSigned(SecCertificateRef certRef, Boolean *isSelfSi CFArrayRef SecCertificateCopyEscrowRoots(SecCertificateEscrowRootType escrowRootType) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); +/* Return an attribute dictionary used to store this item in a keychain. */ +CFDictionaryRef SecCertificateCopyAttributeDictionary(SecCertificateRef certificate) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /* * Enumerated constants for signature hash algorithms. 
@@ -303,6 +373,27 @@ enum { SecSignatureHashAlgorithm SecCertificateGetSignatureHashAlgorithm(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); +/*! + @function SecCertificateCopyProperties + @abstract Return a property array for this trust certificate. + @param certificate A reference to the certificate to evaluate. + @result A property array. It is the caller's responsability to CFRelease + the returned array when it is no longer needed. + See SecTrustCopySummaryPropertiesAtIndex on how to intepret this array. + Unlike that function call this function returns a detailed description + of the certificate in question. +*/ +CFArrayRef SecCertificateCopyProperties(SecCertificateRef certificate); + +CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA256Digest(SecCertificateRef certificate); + +/* Returns an array of CFDataRefs for all embedded SCTs */ +CFArrayRef SecCertificateCopySignedCertificateTimestamps(SecCertificateRef certificate) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); + +/* Return the precert TBSCertificate DER data - used for Certificate Transparency */ +CFDataRef SecCertificateCopyPrecertTBS(SecCertificateRef certificate) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); #if defined(__cplusplus) } diff --git a/OSX/libsecurity_keychain/lib/SecCertificatePrivP.h b/OSX/libsecurity_keychain/lib/SecCertificatePrivP.h index 1d251601..1ed8e90f 100644 --- a/OSX/libsecurity_keychain/lib/SecCertificatePrivP.h +++ b/OSX/libsecurity_keychain/lib/SecCertificatePrivP.h @@ -35,7 +35,7 @@ #ifndef _SECURITY_SECCERTIFICATEPRIVP_H_ #define _SECURITY_SECCERTIFICATEPRIVP_H_ -//#include <Security/SecCertificate.h> +#include <Security/SecCertificate.h> #include "SecCertificateP.h" #include <CoreFoundation/CFArray.h> #include <CoreFoundation/CFData.h> 
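Review bot: `CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA256Digest(SecCertificateRef certificate);` is declared a second time here; the same prototype is added earlier in this header next to the SHA-1 variant, so this copy should be dropped. The SecCertificateCopyProperties doc block has two typos (`responsability`, `intepret`) and says "trust certificate" where it means the certificate being described, and it is the only declaration in this group without an availability macro, unlike the two that follow it.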
@@ -47,23 +47,6 @@ extern "C" { #endif -typedef uint32_t SecKeyUsage; -enum { - kSecKeyUsageUnspecified = 0, - kSecKeyUsageDigitalSignature = 1 << 0, - kSecKeyUsageNonRepudiation = 1 << 1, - kSecKeyUsageContentCommitment= 1 << 1, - kSecKeyUsageKeyEncipherment = 1 << 2, - kSecKeyUsageDataEncipherment = 1 << 3, - kSecKeyUsageKeyAgreement = 1 << 4, - kSecKeyUsageKeyCertSign = 1 << 5, - kSecKeyUsageCRLSign = 1 << 6, - kSecKeyUsageEncipherOnly = 1 << 7, - kSecKeyUsageDecipherOnly = 1 << 8, - kSecKeyUsageCritical = 1 << 31, - kSecKeyUsageAll = 0x7FFFFFFF -}; - /* Return a certificate for the DER representation of this certificate. Return NULL if the passed-in data is not a valid DER-encoded X.509 certificate. */ diff --git a/OSX/libsecurity_keychain/lib/SecFDERecoveryAsymmetricCrypto.cpp b/OSX/libsecurity_keychain/lib/SecFDERecoveryAsymmetricCrypto.cpp index 8dfb57f8..c7d2d855 100644 --- a/OSX/libsecurity_keychain/lib/SecFDERecoveryAsymmetricCrypto.cpp +++ b/OSX/libsecurity_keychain/lib/SecFDERecoveryAsymmetricCrypto.cpp @@ -65,7 +65,7 @@ CFDataRef SecFDERecoveryUnwrapCRSKWithPrivKey(SecKeychainRef keychain, const FVP catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } catch (...) { __secapiresult=errSecInternalComponent; } - secdebug("FDERecovery", "SecFDERecoveryUnwrapCRSKWithPrivKey: %d", (int)__secapiresult); + secinfo("FDERecovery", "SecFDERecoveryUnwrapCRSKWithPrivKey: %d", (int)__secapiresult); return result; } 
@@ -115,7 +115,7 @@ static void encodePrivateKeyHeader(const CssmData &inBlob, CFDataRef certificate outHeader.encryptedBlobSize = (uint32_t)encrypt.encrypt(inBlob, clearBuf, remData.get()); if (outHeader.encryptedBlobSize > sizeof(outHeader.encryptedBlob)) - secdebug("FDERecovery", "encodePrivateKeyHeader: encrypted blob too big: %d", outHeader.encryptedBlobSize); + secinfo("FDERecovery", "encodePrivateKeyHeader: encrypted blob too big: %d", outHeader.encryptedBlobSize); } CFDataRef decodePrivateKeyHeader(SecKeychainRef keychain, const FVPrivateKeyHeader &inHeader) @@ -140,8 +140,9 @@ CFDataRef decodePrivateKeyHeader(SecKeychainRef keychain, const FVPrivateKeyHead CFRef<SecKeychainSearchRef> searchRef(_searchRef); SecKeychainItemRef _item; - if (SecKeychainSearchCopyNext(searchRef, &_item)) - return false; + if (SecKeychainSearchCopyNext(searchRef, &_item) != 0) { + return NULL; // XXX possibly should throw here? + } CFRef<SecKeyRef> keyItem(reinterpret_cast<SecKeyRef>(_item)); throwIfError(SecKeyGetCSPHandle(keyItem, &cspHandle)); @@ -161,7 +162,7 @@ CFDataRef decodePrivateKeyHeader(SecKeychainRef keychain, const FVPrivateKeyHead CssmAutoData remData(allocator); size_t bytesDecrypted; CSSM_RETURN crx = CSSM_DecryptData(cc, &cipherBuf, 1, &clearBuf.get(), 1, &bytesDecrypted, &remData.get()); - secdebug("FDERecovery", "decodePrivateKeyHeader: CSSM_DecryptData result: %d", crx); + secinfo("FDERecovery", "decodePrivateKeyHeader: CSSM_DecryptData result: %d", crx); throwIfError(crx); // throwIfError(CSSM_DecryptData(cc, &cipherBuf, 1, &clearBuf.get(), 1, &bytesDecrypted, &remData.get())); clearBuf.length(bytesDecrypted); diff --git a/OSX/libsecurity_keychain/lib/SecFrameworkP.c b/OSX/libsecurity_keychain/lib/SecFrameworkP.c index 64bdd381..febe7c1b 100644 --- a/OSX/libsecurity_keychain/lib/SecFrameworkP.c +++ b/OSX/libsecurity_keychain/lib/SecFrameworkP.c 
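Review bot: `%d` is paired with outHeader.encryptedBlobSize, which the line above fills through a `(uint32_t)` cast, so the field is presumably unsigned and the specifier should be `%u`. The comparison against sizeof(outHeader.encryptedBlob) also runs after encrypt.encrypt has already produced its output and only logs, so unless the CssmData passed as clearBuf bounds the write (not visible here) the log line arrives after the fact; if the call is bounded, say so next to the check, e.g. `// encrypt() is bounded by clearBuf's capacity; this only reports a truncated result`. encodePrivateKeyHeader begins outside the hunk.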
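Review bot: `return NULL; // XXX possibly should throw here?` fixes the old `return false` in a CFDataRef-returning function but leaves the error policy as an open question in the code. Every other failure visible in decodePrivateKeyHeader goes through throwIfError and is translated by the caller's catch blocks, so callers now have to handle both a NULL result and exceptions; either `throwIfError(SecKeychainSearchCopyNext(searchRef, &_item));` or a comment stating that "no matching private key" is deliberately reported as NULL rather than an error would settle it. In the crx hunk below, `%d` with a CSSM_RETURN should likewise be `%u` if that type is the usual uint32_t. The function continues outside the hunk.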
@@ -84,7 +84,7 @@ CFURLRef SecFrameworkCopyResourceURL(CFStringRef resourceName, url = CFBundleCopyResourceURL(kSecFrameworkBundle, resourceName, resourceType, subDirName); if (!url) { - secdebug("SecFramework", "resource: %@.%@ in %@ not found", resourceName, + secinfo("SecFramework", "resource: %@.%@ in %@ not found", resourceName, resourceType, subDirName); } } @@ -102,7 +102,7 @@ CFDataRef SecFrameworkCopyResourceContents(CFStringRef resourceName, SInt32 error; if (!CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault, url, &data, NULL, NULL, &error)) { - secdebug("SecFramework", "read: %d", (int)error); + secinfo("SecFramework", "read: %d", (int)error); } CFRelease(url); } 
@@ -152,108 +152,3 @@ CFDataRef SecDigestCreate(CFAllocatorRef allocator,
 return digest;
 }
 #endif
-
-#if 0
-
-/* Default random ref for /dev/random. */
-const SecRandomRef kSecRandomDefault = NULL;
-
-/* File descriptor for "/dev/random". */
-static int kSecRandomFD;
-static pthread_once_t kSecDevRandomOpen = PTHREAD_ONCE_INIT;
-
-static void SecDevRandomOpen(void) {
- kSecRandomFD = open("/dev/random", O_RDONLY);
-}
-
-int SecRandomCopyBytes(SecRandomRef rnd, size_t count, uint8_t *bytes) {
- if (rnd != kSecRandomDefault)
- return errSecParam;
- pthread_once(&kSecDevRandomOpen, SecDevRandomOpen);
- if (kSecRandomFD < 0)
- return -1;
- while (count) {
- ssize_t bytes_read = read(kSecRandomFD, bytes, count);
- if (bytes_read == -1) {
- if (errno == EINTR)
- continue;
- return -1;
- }
- if (bytes_read == 0) {
- return -1;
- }
- count -= bytes_read;
- }
-
- return 0;
-}
-
-#include <CommonCrypto/CommonDigest.h>
-#include <stdlib.h>
-
-/* FIPS rng declarations. */
-typedef struct __SecRandom *SecRandomRef;
-SecRandomRef SecRandomCreate(CFIndex randomAlg, CFIndex seedLength,
- const UInt8 *seed);
-void SecRandomCopyBytes(SecRandomRef randomref, CFIndex numBytes, UInt8 *outBytes);
-
-/* FIPS Rng implementation. */
-struct __SecRandom {
- CC_SHA1_CTX sha1;
- CFIndex bytesLeft;
- UInt8 block[64];
-};
-
-SecRandomRef SecRandomCreate(CFIndex randomAlg, CFIndex seedLength,
- const UInt8 *seed) {
- SecRandomRef result = (SecRandomRef)malloc(sizeof(struct __SecRandom));
- CC_SHA1_Init(&result->sha1);
- memset(result->block + 20, 0, 44);
- result->bytesLeft = 0;
-
- if (seedLength) {
- /* Digest the seed and put it into output. */
- CC_SHA1(seed, seedLength, result->block);
- } else {
- /* Seed 20 bytes from "/dev/srandom". 
*/
- int fd = open("/dev/srandom", O_RDONLY);
- if (fd < 0)
- goto errOut;
-
- if (read(fd, result->block, 20) != 20)
- goto errOut;
-
- close(fd);
- }
-
- CC_SHA1_Update(&result->sha1, result->block, 64);
-
- return result;
-
-errOut:
- free(result);
- return NULL;
-}
-
-void SecRandomCopyBytes(SecRandomRef randomref, CFIndex numBytes,
- UInt8 *outBytes) {
- while (numBytes > 0) {
- if (!randomref->bytesLeft) {
- CC_SHA1_Update(&randomref->sha1, randomref->block, 64);
- OSWriteBigInt32(randomref->block, 0, randomref->sha1.h0);
- OSWriteBigInt32(randomref->block, 4, randomref->sha1.h1);
- OSWriteBigInt32(randomref->block, 8, randomref->sha1.h2);
- OSWriteBigInt32(randomref->block, 12, randomref->sha1.h3);
- OSWriteBigInt32(randomref->block, 16, randomref->sha1.h4);
- randomref->bytesLeft = 20;
- }
- CFIndex outLength = (numBytes > randomref->bytesLeft ?
- randomref->bytesLeft : numBytes);
- memcpy(outBytes, randomref->block + 20 - randomref->bytesLeft,
- outLength);
- randomref->bytesLeft -= outLength;
- outBytes += outLength;
- numBytes -= outLength;
- }
-}
-#endif
diff --git a/OSX/libsecurity_keychain/lib/SecIdentity.cpp b/OSX/libsecurity_keychain/lib/SecIdentity.cpp
index 7939d6b6..adfe8b74 100644
--- a/OSX/libsecurity_keychain/lib/SecIdentity.cpp
+++ b/OSX/libsecurity_keychain/lib/SecIdentity.cpp
@@ -121,29 +121,57 @@ SecIdentityCopyCertificate(
 {
 BEGIN_SECAPI
- SecPointer<Certificate> certificatePtr(Identity::required(identityRef)->certificate());
- Required(certificateRef) = certificatePtr->handle();
-
-#if SECTRUST_OSX
- /* convert outgoing item to a unified SecCertificateRef */
- CssmData certData = certificatePtr->data();
- CFDataRef data = NULL;
- if (certData.Data && certData.Length) {
- data = CFDataCreate(NULL, certData.Data, certData.Length);
+ if (!identityRef || !certificateRef) {
+ return errSecParam;
 }
- if (!data) {
- *certificateRef = NULL;
- syslog(LOG_ERR, "ERROR: SecIdentityCopyCertificate failed to retrieve certificate data (length=%ld, data=0x%lX)",
- (long)certData.Length, (uintptr_t)certData.Data);
- return errSecInternal;
+ CFTypeID itemType = CFGetTypeID(identityRef);
+ if (itemType == SecIdentityGetTypeID()) {
+ SecPointer<Certificate> certificatePtr(Identity::required(identityRef)->certificate());
+ Required(certificateRef) = certificatePtr->handle();
+#if SECTRUST_OSX
+ /* convert outgoing certificate item to a unified SecCertificateRef */
+ CssmData certData = certificatePtr->data();
+ CFDataRef data = NULL;
+ if (certData.Data && certData.Length) {
+ data = CFDataCreate(NULL, certData.Data, certData.Length);
+ }
+ if (!data) {
+ *certificateRef = NULL;
+ syslog(LOG_ERR, "ERROR: SecIdentityCopyCertificate failed to retrieve certificate data (length=%ld, data=0x%lX)",
+ (long)certData.Length, (uintptr_t)certData.Data);
+ return errSecInternal;
+ }
+ SecCertificateRef tmpRef = *certificateRef;
+ *certificateRef = SecCertificateCreateWithKeychainItem(NULL, data, tmpRef);
+ if (data) {
+ CFRelease(data);
+ }
+ if (tmpRef) {
+ CFRelease(tmpRef);
+ }
+#endif
 }
- SecCertificateRef tmpRef = *certificateRef;
- *certificateRef = SecCertificateCreateWithKeychainItem(NULL, data, tmpRef);
- if (data)
- CFRelease(data);
- if (tmpRef)
- CFRelease(tmpRef);
+ else if (itemType == SecCertificateGetTypeID()) {
+ // rdar://24483382
+ //
reconstituting a persistent identity reference could return the certificate
+ SecCertificateRef certificate = (SecCertificateRef)identityRef;
+#if !SECTRUST_OSX
+ SecPointer<Certificate> certificatePtr(Certificate::required(certificate));
+ Required(certificateRef) = certificatePtr->handle();
+#else
+ /* convert outgoing certificate item to a unified SecCertificateRef, if needed */
+ if (SecCertificateIsItemImplInstance(certificate)) {
+ *certificateRef = SecCertificateCreateFromItemImplInstance(certificate);
+ }
+ else {
+ *certificateRef = (SecCertificateRef) CFRetain(certificate);
+ }
 #endif
+ return errSecSuccess;
+ }
+ else {
+ return errSecParam;
+ }
 END_SECAPI
 }
@@ -156,8 +184,7 @@ SecIdentityCopyPrivateKey(
 {
 BEGIN_SECAPI
- SecPointer<KeyItem> keyItemPtr(Identity::required(identityRef)->privateKey());
- Required(privateKeyRef) = keyItemPtr->handle();
+ Required(privateKeyRef) = (SecKeyRef)CFRetain(Identity::required(identityRef)->privateKeyRef());
 END_SECAPI
 }
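Review bot: In the identity branch of the SECTRUST_OSX path, `*certificateRef = SecCertificateCreateWithKeychainItem(NULL, data, tmpRef);` is stored without a NULL check, so a failed conversion hands the caller a NULL out-parameter with whatever status END_SECAPI produces (presumably success), unlike the `!data` path just above it which returns errSecInternal; add `if (!*certificateRef) { return errSecInternal; }` after the two release blocks. The `if (data)` guard before `CFRelease(data)` is dead code, since `!data` already returned a few lines earlier. SecIdentityCopyCertificate's signature lies outside the hunk.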
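Review bot: `CFRetain(Identity::required(identityRef)->privateKeyRef())` has no NULL check, so if privateKeyRef() can return NULL for an identity whose key item is gone (the hunk does not show its contract), CFRetain would trap instead of reporting an error. The removed code dereferenced keyItemPtr just the same, so this may be an existing assumption; either way, `SecKeyRef key = Identity::required(identityRef)->privateKeyRef(); if (!key) { return errSecInternal; }` ahead of the retain, or a comment stating that privateKeyRef() never returns NULL, would settle it.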
@@ -188,11 +215,20 @@ SecIdentityCreate(
 {
 SecIdentityRef identityRef = NULL;
 OSStatus __secapiresult;
- SecCertificateRef __itemImplRef=SecCertificateCreateItemImplInstance(certificate);
+ SecCertificateRef __itemImplRef = NULL;
+ if (SecCertificateIsItemImplInstance(certificate)) {
+ __itemImplRef=(SecCertificateRef)CFRetain(certificate);
+ }
+ if (!__itemImplRef && certificate) {
+ __itemImplRef=(SecCertificateRef)SecCertificateCopyKeychainItem(certificate);
+ }
+ if (!__itemImplRef && certificate) {
+ __itemImplRef=SecCertificateCreateItemImplInstance(certificate);
+ (void)SecCertificateSetKeychainItem(certificate,__itemImplRef);
+ }
 try {
 SecPointer<Certificate> certificatePtr(Certificate::required(__itemImplRef));
- SecPointer<KeyItem> keyItemPtr(KeyItem::required(privateKey));
- SecPointer<Identity> identityPtr(new Identity(keyItemPtr, certificatePtr));
+ SecPointer<Identity> identityPtr(new Identity(privateKey, certificatePtr));
 identityRef = identityPtr->handle();
 __secapiresult=errSecSuccess;
@@ -201,6 +237,7 @@ SecIdentityCreate(
 catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
 catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
 catch (...) { __secapiresult=errSecInternalComponent; }
+ if (__itemImplRef) { CFRelease(__itemImplRef); }
 return identityRef;
 }
diff --git a/OSX/libsecurity_keychain/lib/SecIdentity.h b/OSX/libsecurity_keychain/lib/SecIdentity.h
index b74d2a50..50278a03 100644
--- a/OSX/libsecurity_keychain/lib/SecIdentity.h
+++ b/OSX/libsecurity_keychain/lib/SecIdentity.h
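Review bot: The three-stage lookup for `__itemImplRef` (retain an existing ItemImpl instance, else copy the cached keychain item, else create one and attach it with SecCertificateSetKeychainItem) is the substance of this change but carries no comment, and the release added in the `@@ -201` hunk is the only hint that the function now owns that reference. Add above the first `if`: `// Obtain an owned reference to the ItemImpl-backed certificate: reuse the caller's, then the cached keychain item, else create and cache one; released after the try/catch.` The return value of `SecCertificateSetKeychainItem` is discarded with `(void)`; if it can fail, a short comment on why that is acceptable here would help the next reader.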
@@ -107,8 +107,7 @@ OSStatus SecIdentityCopyPreference(CFStringRef name, CSSM_KEYUSE keyUsage, CFArr
 @param name A string containing a URI, RFC822 email address, DNS hostname, or other name which uniquely identifies the service requiring an identity.
 @param keyUsage A CFArrayRef value, containing items defined in SecItem.h Pass NULL to ignore this parameter. (kSecAttrCanEncrypt, kSecAttrCanDecrypt, kSecAttrCanDerive, kSecAttrCanSign, kSecAttrCanVerify, kSecAttrCanWrap, kSecAttrCanUnwrap)
 @param validIssuers (optional) An array of CFDataRef instances whose contents are the subject names of allowable issuers, as returned by a call to SSLCopyDistinguishedNames (SecureTransport.h). Pass NULL if any issuer is allowed.
- @param identity On return, a reference to the preferred identity, or NULL if none was found. You are responsible for releasing this reference by calling the CFRelease function.
- @result An identity or NULL. if the preferred identity has not been set. Your code should then typically perform a search for possible identities using the SecItem APIs.
+ @result An identity or NULL, if the preferred identity has not been set. Your code should then typically perform a search for possible identities using the SecItem APIs.
 @discussion If a preferred identity has not been set for the supplied name, the returned identity reference will be NULL. Your code should then perform a search for possible identities, using the SecItemCopyM atching API.
 */
 __nullable
diff --git a/OSX/libsecurity_keychain/lib/SecImport.cpp b/OSX/libsecurity_keychain/lib/SecImport.cpp
index 3a135656..76fedc32 100644
--- a/OSX/libsecurity_keychain/lib/SecImport.cpp
+++ b/OSX/libsecurity_keychain/lib/SecImport.cpp
@@ -31,7 +31,7 @@
 #include <security_utilities/globalizer.h>
 #include <Security/SecBase.h>
-#define SecImpInferDbg(args...) secdebug("SecImpInfer", ## args)
+#define SecImpInferDbg(args...) secinfo("SecImpInfer", ## args)
 using namespace Security;
 using namespace KeychainCore;
diff --git a/OSX/libsecurity_keychain/lib/SecImportExportOpenSSH.cpp b/OSX/libsecurity_keychain/lib/SecImportExportOpenSSH.cpp
index d066c49c..ac0e4b52 100644
--- a/OSX/libsecurity_keychain/lib/SecImportExportOpenSSH.cpp
+++ b/OSX/libsecurity_keychain/lib/SecImportExportOpenSSH.cpp
@@ -35,7 +35,7 @@
 #include <security_utilities/debugging.h>
 #include <security_cdsa_utils/cuCdsaUtils.h>
-#define SecSSHDbg(args...) secdebug("openssh", ## args)
+#define SecSSHDbg(args...) secinfo("openssh", ## args)
 #define SSHv2_PUB_KEY_NAME "OpenSSHv2 Public Key"
 #define SSHv1_PUB_KEY_NAME "OpenSSHv1 Public Key"
diff --git a/OSX/libsecurity_keychain/lib/SecImportExportPkcs8.cpp b/OSX/libsecurity_keychain/lib/SecImportExportPkcs8.cpp
index 13547958..a272a228 100644
--- a/OSX/libsecurity_keychain/lib/SecImportExportPkcs8.cpp
+++ b/OSX/libsecurity_keychain/lib/SecImportExportPkcs8.cpp
@@ -57,7 +57,7 @@
 #include <assert.h>
 #include <Security/SecBase.h>
-#define SecPkcs8Dbg(args...) secdebug("SecPkcs8", ## args)
+#define SecPkcs8Dbg(args...) secinfo("SecPkcs8", ## args)
 #pragma mark --- PKCS5 v1.5 Key Derivation ---
diff --git a/OSX/libsecurity_keychain/lib/SecImportExportUtils.h b/OSX/libsecurity_keychain/lib/SecImportExportUtils.h
index 7b02ac0e..510fa69e 100644
--- a/OSX/libsecurity_keychain/lib/SecImportExportUtils.h
+++ b/OSX/libsecurity_keychain/lib/SecImportExportUtils.h
@@ -69,8 +69,8 @@ extern const char *impExpExtItemTypeStr(SecExternalItemType itemType);
 #endif /* NDEBUG */
-#define SecImpExpDbg(args...) secdebug("SecImpExp", ## args)
-#define SecImpInferDbg(args...) secdebug("SecImpInfer", ## args)
+#define SecImpExpDbg(args...) secinfo("SecImpExp", ## args)
+#define SecImpInferDbg(args...) secinfo("SecImpInfer", ## args)
 /*
 * Parse file extension and attempt to map it to format and type. Returns true
diff --git a/OSX/libsecurity_keychain/lib/SecInternal.h b/OSX/libsecurity_keychain/lib/SecInternal.h
index 4bae0414..f10a5f15 100644
--- a/OSX/libsecurity_keychain/lib/SecInternal.h
+++ b/OSX/libsecurity_keychain/lib/SecInternal.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2014 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2007-2015 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
@@ -35,6 +35,7 @@ extern "C" {
 #endif
+#define CFRetainSafe(CF) { CFTypeRef _cf = (CF); if (_cf) CFRetain(_cf); }
 #define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); }
 #define CFReleaseNull(CF) { CFTypeRef _cf = (CF); \
 if (_cf) { (CF) = NULL; CFRelease(_cf); } }
diff --git a/OSX/libsecurity_keychain/lib/SecItem.cpp b/OSX/libsecurity_keychain/lib/SecItem.cpp
index 173eb892..93635785 100644
--- a/OSX/libsecurity_keychain/lib/SecItem.cpp
+++ b/OSX/libsecurity_keychain/lib/SecItem.cpp
@@ -37,6 +37,9 @@
 #include "SecCertificatePriv.h"
 #include "SecCertificatePrivP.h"
 #include "TrustAdditions.h"
+#include "TrustSettingsSchema.h"
+#include <Security/SecTrustPriv.h>
+#include "utilities/array_size.h"
 #include <AssertMacros.h>
 #include <syslog.h>
@@ -59,9 +62,9 @@ OSStatus SecItemAdd_ios(CFDictionaryRef attributes, CFTypeRef *result);
 OSStatus SecItemCopyMatching_ios(CFDictionaryRef query, CFTypeRef *result);
 OSStatus SecItemUpdate_ios(CFDictionaryRef query, CFDictionaryRef attributesToUpdate);
 OSStatus SecItemDelete_ios(CFDictionaryRef query);
+OSStatus SecItemUpdateTokenItems_ios(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes);
-CFTypeRef SecItemCreateFromAttributeDictionary(CFDictionaryRef refAttributes);
-CFTypeRef SecItemCopyMergedResults(CFDictionaryRef query, CFTypeRef result_osx, CFTypeRef result_ios);
+CFTypeRef SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes);
 OSStatus SecItemValidateAppleApplicationGroupAccess(CFStringRef group);
 CFDictionaryRef SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass, bool iOSOut, bool pruneMatch, bool pruneSync, bool pruneReturn, bool pruneData, bool pruneAccess);
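Review bot: `CFRetainSafe` is a brace-block statement macro like the existing `CFReleaseSafe`, so `CFRetainSafe(x);` expands to `{ ... };`, which cannot sit between an `if` and an `else` without extra braces and cannot be used as an expression that yields the retained object. If only the statement form used elsewhere in this commit is intended, a comment on the definition saying so (`/* statement macro; does not return the retained value */`) would stop callers from expecting CFRetain's return; otherwise a `do { ... } while (0)` body or a static inline function is the usual shape.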
@@ -2942,12 +2945,11 @@ _CreateSecItemParamsFromDictionary(CFDictionaryRef dict, OSStatus *error)
 {
 OSStatus status;
 CFTypeRef value = NULL;
- SecItemParams *itemParams = (SecItemParams *) malloc(sizeof(SecItemParams));
+ SecItemParams *itemParams = (SecItemParams *)calloc(1, sizeof(struct SecItemParams));
 require_action(itemParams != NULL, error_exit, status = errSecAllocate);
 require_action(dict && (CFDictionaryGetTypeID() == CFGetTypeID(dict)), error_exit, status = errSecParam);
- memset(itemParams, 0, sizeof(SecItemParams));
 itemParams->query = (CFDictionaryRef) CFRetain(dict);
 // validate input search parameters
@@ -2977,6 +2979,25 @@ _CreateSecItemParamsFromDictionary(CFDictionaryRef dict, OSStatus *error)
 // validate the payload (password, key or certificate data), used for SecItemAdd but not for finding items
 require_noerr(status = _ValidateDictionaryEntry(dict, kSecValueData, (const void **)&itemParams->itemData, CFDataGetTypeID(), CFStringGetTypeID()), error_exit);
+ if (itemParams->itemData && CFGetTypeID(itemParams->itemData) == CFStringGetTypeID()) {
+ /* If we got a string, convert it into a data object */
+ CFStringRef string = (CFStringRef)itemParams->itemData;
+ CFIndex maxLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(string), kCFStringEncodingUTF8) + 1;
+ CFMutableDataRef data = CFDataCreateMutable(NULL, maxLength);
+ require_action(data, error_exit, status = errSecAllocate);
+
+ CFDataSetLength(data, maxLength);
+
+ if (!CFStringGetCString(string, (char *)CFDataGetMutableBytePtr(data), maxLength, kCFStringEncodingUTF8)) {
+ CFRelease(data);
+ status = errSecAllocate;
+ goto error_exit;
+ }
+
+ CFDataSetLength(data, strlen((const char *)CFDataGetBytePtr(data))); /* dont include NUL in string */
+ itemParams->itemData = data;
+ CFRelease(string);
+ }
 // validate item references
 require_noerr(status = _ValidateDictionaryEntry(dict, kSecValueRef, (const void **)&itemParams->itemRef, SecKeychainItemGetTypeID(), SecIdentityGetTypeID()), error_exit);
@@ -3236,7 +3257,9 @@ _FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert)
 SecTrustRef trust = NULL;
 SecTrustResultType trustResult;
+#if !SECTRUST_OSX
 CSSM_TP_APPLE_EVIDENCE_INFO *evidence = NULL;
+#endif
 Boolean needChain = false;
 OSStatus status;
 if (!policy || !cert) return errSecParam;
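Review bot: `CFDataSetLength(data, strlen((const char *)CFDataGetBytePtr(data)));` measures the converted payload with strlen, so a kSecValueData string that contains U+0000 is silently stored truncated at that character; since this buffer is the item's secret, the caller gets a shorter secret than it supplied with no error. `CFStringCreateExternalRepresentation(NULL, string, kCFStringEncodingUTF8, 0)` returns the exact UTF-8 bytes as a CFDataRef and would replace the create/set-length/get-cstring/strlen sequence in one call. The failure branch also reports `errSecAllocate` although `CFStringGetCString` failing with a buffer sized by CFStringGetMaximumSizeForEncoding means the string was not convertible, which is a caller-input problem better reported as `errSecParam`. _CreateSecItemParamsFromDictionary continues outside the hunk.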
@@ -3255,12 +3278,14 @@ _FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert)
 props = SecPolicyCopyProperties(policy);
 if (props) {
 CFTypeRef oid = (CFTypeRef) CFDictionaryGetValue(props, kSecPolicyOid);
- if (oid && CFEqual(oid, kSecPolicyAppleX509Basic)) {
+ if (oid && (CFEqual(oid, kSecPolicyAppleX509Basic) ||
+ CFEqual(oid, kSecPolicyAppleRevocation))) {
 needChain = true;
 }
 }
 if (!needChain) {
+#if !SECTRUST_OSX
 /* To make the evaluation as lightweight as possible, specify an empty array
 * of keychains which will be searched for certificates.
 */
@@ -3274,8 +3299,14 @@ _FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert)
 anchors = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
 status = SecTrustSetAnchorCertificates(trust, anchors);
 if(status) goto cleanup;
+#else
+ status = SecTrustEvaluateLeafOnly(trust, &trustResult);
+ } else {
+ status = SecTrustEvaluate(trust, &trustResult);
+#endif
 }
+#if !SECTRUST_OSX
 /* All parameters are locked and loaded, ready to evaluate! */
 status = SecTrustEvaluate(trust, &trustResult);
 if(status) goto cleanup;
@@ -3287,6 +3318,7 @@ _FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert)
 */
 status = SecTrustGetResult(trust, &trustResult, &chain, &evidence);
 if(status) goto cleanup;
+#endif
 if (!(trustResult == kSecTrustResultProceed ||
 trustResult == kSecTrustResultUnspecified ||
@@ -3385,7 +3417,7 @@ static SecKeychainItemRef
 CopyResolvedKeychainItem(CFTypeRef item)
 {
 SecKeychainItemRef kcItem = NULL;
- OSStatus status;
+ OSStatus status = errSecSuccess;
 if (item) {
 if (CFGetTypeID(item) == CFDataGetTypeID()) {
 // persistent reference, resolve first
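Review bot: In the SECTRUST_OSX branch of the `@@ -3274` hunk, the `status` returned by `SecTrustEvaluateLeafOnly` / `SecTrustEvaluate` is never checked before `trustResult` is compared against kSecTrustResultProceed in the `@@ -3287` hunk, because the only `if(status) goto cleanup;` after evaluation is inside `#if !SECTRUST_OSX`; `trustResult` is declared without an initializer in the `@@ -3236` hunk, so an evaluation error on OS X falls through to a comparison of an indeterminate value. Add `if(status) goto cleanup;` right after the closing `}` of the `if (!needChain)` block, outside the conditional compilation, and initialize the declaration as `SecTrustResultType trustResult = kSecTrustResultInvalid;` so the filter fails closed. _FilterWithPolicy starts and ends outside these hunks.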
@@ -3399,9 +3431,13 @@ CopyResolvedKeychainItem(CFTypeRef item)
 // ask for the item's class:
 // will return an error if the item has been deleted
 SecItemClass itemClass;
- SecKeychainItemRef certRef = NULL;
- if (CFGetTypeID(kcItem) == SecIdentityGetTypeID()) {
- status = SecIdentityCopyCertificate((SecIdentityRef)kcItem, (SecCertificateRef *)&certRef);
+ SecCertificateRef certRef = NULL;
+ CFTypeID itemTypeID = CFGetTypeID(kcItem);
+ if (itemTypeID == SecIdentityGetTypeID()) {
+ status = SecIdentityCopyCertificate((SecIdentityRef)kcItem, &certRef);
+ }
+ else if (itemTypeID == SecCertificateGetTypeID()) {
+ certRef = (SecCertificateRef) CFRetain(kcItem);
 }
 if (certRef) {
 // can't call SecKeychainItemCopyAttributesAndData on a SecCertificateRef
@@ -3898,22 +3934,6 @@ static SInt32 readNumber(CFTypeRef obj) {
 return NULL;
 }
-//
-// Function to ensure the syncable keychain is unlocked.
-// Currently, this means unlocking the login keychain,
-// which will also unlock the keybag as a side effect.
-//
-static OSStatus SecItemUnlockSynchronizableKeychain()
-{
- SecKeychainRef keychain = NULL;
- OSStatus status = SecKeychainCopyLogin(&keychain);
- if (!status) {
- status = SecKeychainUnlock(keychain, 0, NULL, false);
- }
- CFReleaseSafe(keychain);
- return status;
-}
-
 //
 // Function to check whether the kSecAttrSynchronizable flag is set in the query.
 //
@@ -3926,28 +3946,103 @@ static Boolean SecItemSynchronizable(CFDictionaryRef query)
 }
 //
-// Function to check whether the kSecAttrNoLegacy flag is set in the query.
+// Function to check whether a synchronizable persistent reference was provided.
 //
-static Boolean SecItemNoLegacy(CFDictionaryRef query)
+static Boolean SecItemIsIOSPersistentReference(CFTypeRef value)
 {
- CFTypeRef value = CFDictionaryGetValue(query, kSecAttrNoLegacy);
- Boolean result = (value && readNumber(value));
-
- return result;
+ if (value) {
+ /* Synchronizable persistent ref consists of the sqlite rowid and 4-byte class value */
+ const CFIndex kSynchronizablePersistentRefLength = sizeof(int64_t) + 4;
+ return (CFGetTypeID(value) == CFDataGetTypeID() &&
+ CFDataGetLength((CFDataRef)value) == kSynchronizablePersistentRefLength);
+ }
+ return false;
 }
+extern "C" Boolean SecKeyIsCDSAKey(SecKeyRef ref);
+
 //
-// Function to check whether the kSecAttrSynchronizable flag is set in the query,
-// and has the special value of kSecAttrSynchronizableAny.
+// Function to find out which keychains are targetted by the query.
 //
-static Boolean SecItemSynchronizableAny(CFDictionaryRef query)
+static OSStatus SecItemCategorizeQuery(CFDictionaryRef query, bool &can_target_ios, bool &can_target_osx)
 {
- CFTypeRef value = CFDictionaryGetValue(query, kSecAttrSynchronizable);
- if (value) {
- return (CFGetTypeID(value) == CFStringGetTypeID() &&
- CFEqual(value, kSecAttrSynchronizableAny));
+ // By default, target both keychain.
+ can_target_osx = can_target_ios = true;
+
+ // Check no-legacy flag.
+ CFTypeRef value = CFDictionaryGetValue(query, kSecAttrNoLegacy);
+ if (value != NULL) {
+ can_target_ios = readNumber(value) != 0;
+ can_target_osx = !can_target_ios;
+ return errSecSuccess;
 }
- return false;
+
+ // Check whether the query contains kSecValueRef and modify can_ flags according to the kind and type of the value.
+ value = CFDictionaryGetValue(query, kSecValueRef);
+ if (value != NULL) {
+ CFTypeID typeID = CFGetTypeID(value);
+ if (typeID == SecKeyGetTypeID()) {
+ can_target_osx = SecKeyIsCDSAKey((SecKeyRef)value);
+ can_target_ios = !can_target_osx;
+ } else if (typeID == SecCertificateGetTypeID()) {
+ // All types of certificates can target OSX keychains, but OSX certificates won't work on iOS
+ can_target_ios &= !SecCertificateIsItemImplInstance((SecCertificateRef)value);
+ } else if (typeID == SecKeychainItemGetTypeID()) {
+ // SecKeychainItemRef can target iOS keychain only when it has attached iOS-style persistent reference.
+ if (_SecItemGetPersistentReference(value) == NULL) {
+ can_target_ios = false;
+ }
+ }
+ }
+
+ // Check presence of kSecAttrTokenID and kSecAttrAccessControl; they are not defined for CDSA keychain.
+ if (CFDictionaryContainsKey(query, kSecAttrTokenID) || CFDictionaryContainsKey(query, kSecAttrAccessControl)) {
+ can_target_osx = false;
+ }
+
+ // Check for special token access groups. If present, redirect query to iOS keychain.
+ value = CFDictionaryGetValue(query, kSecAttrAccessGroup);
+ if (value != NULL && CFEqual(value, kSecAttrAccessGroupToken)) {
+ can_target_osx = false;
+ }
+
+ // Synchronizable items should go to iOS keychain only.
+ if (SecItemSynchronizable(query)) {
+ can_target_osx = false;
+ }
+
+ value = CFDictionaryGetValue(query, kSecValuePersistentRef);
+ if (value != NULL) {
+ if (SecItemIsIOSPersistentReference(value)) {
+ can_target_osx = false;
+ } else {
+ // Non-iOS-style persistent references should not be fed to iOS keychain queries.
+ can_target_ios = false;
+ }
+ }
+
+ // Presence of following atributes means that query is OSX-only.
+ static const CFStringRef *osx_only_items[] = {
+ &kSecMatchItemList,
+ &kSecMatchSearchList,
+ &kSecMatchSubjectStartsWith,
+ &kSecMatchSubjectEndsWith,
+ &kSecMatchSubjectWholeString,
+ &kSecMatchDiacriticInsensitive,
+ &kSecMatchWidthInsensitive,
+ &kSecUseItemList,
+ &kSecUseKeychain,
+ &kSecAttrAccess,
+ &kSecAttrPRF,
+ &kSecAttrSalt,
+ &kSecAttrRounds,
+ };
+
+ for (CFIndex i = 0; i < array_size(osx_only_items); i++) {
+ can_target_ios = can_target_ios && !CFDictionaryContainsKey(query, *osx_only_items[i]);
+ }
+
+ return (can_target_ios || can_target_osx) ? errSecSuccess : errSecParam;
 }
 //
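Review bot: The `kSecAttrNoLegacy` check at the top of SecItemCategorizeQuery returns early before any of the consistency rules below it, so a query that sets kSecAttrNoLegacy and also carries an OS X-only key such as kSecUseKeychain, or a CDSA SecKeyRef in kSecValueRef, is reported as errSecSuccess with can_target_ios = true rather than errSecParam; if that override is deliberate, say so where it returns: `// kSecAttrNoLegacy is an explicit override: the compatibility checks below are skipped.` `SecItemIsIOSPersistentReference` decides by length alone (sizeof(int64_t) + 4 bytes), so any other 12-byte CFData supplied as kSecValuePersistentRef is routed to the iOS keychain and everything else is withheld from it; its header comment should state that this is a length heuristic, not a format check. The new comments also misspell "targetted" and "atributes".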
@@ -3965,42 +4060,6 @@ static Boolean SecItemHasSynchronizableUpdate(Boolean synchronizable, CFDictiona return (old_sync != new_sync); } -// -// Returns true if keychain syncing is globally enabled. -// -static Boolean SecItemSyncEnabled() -{ - static dispatch_once_t onceToken; - static Boolean syncEnabled = true; - - //sudo defaults write /Library/Preferences/com.apple.security SecItemSynchronizable -bool YES - dispatch_once(&onceToken, ^{ - CFTypeRef sync = (CFNumberRef)CFPreferencesCopyValue(CFSTR("SecItemSynchronizable"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost); - - if (sync && CFGetTypeID(sync) == CFBooleanGetTypeID()) { - syncEnabled = CFBooleanGetValue((CFBooleanRef)sync); - CFRelease(sync); - } - }); - - return syncEnabled; -} - -// -// Function to check whether a synchronizable persistent reference was provided. -// -static Boolean SecItemHasSynchronizablePersistentReference(CFDictionaryRef query) -{ - CFTypeRef value = CFDictionaryGetValue(query, kSecValuePersistentRef); - if (value) { - /* Synchronizable persistent ref consists of the sqlite rowid and 4-byte class value */ - const CFIndex kSynchronizablePersistentRefLength = sizeof(int64_t) + 4; - return (CFGetTypeID(value) == CFDataGetTypeID() && - CFDataGetLength((CFDataRef)value) == kSynchronizablePersistentRefLength); - } - return false; -} - // // Function to apply changes to a mutable dictionary. // (CFDictionaryApplierFunction, called by CFDictionaryApplyFunction) 
@@ -4121,22 +4180,18 @@ static OSStatus SecItemChangeSynchronizability(CFDictionaryRef query, CFDictiona
 extern "C" {
 CFTypeRef
-SecItemCreateFromAttributeDictionary(CFDictionaryRef refAttributes) {
+SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes) {
 CFTypeRef ref = NULL;
- CFStringRef key_class_string = (CFStringRef)CFDictionaryGetValue(refAttributes, kSecClass);
- SecItemClass key_class;
- bool key_class_found = false;
+ CFStringRef item_class_string = (CFStringRef)CFDictionaryGetValue(refAttributes, kSecClass);
+ SecItemClass item_class = 0;
- if (CFEqual(key_class_string, kSecClassGenericPassword)) {
- key_class = kSecGenericPasswordItemClass;
- key_class_found = true;
- }
- if (CFEqual(key_class_string, kSecClassInternetPassword)) {
- key_class = kSecInternetPasswordItemClass;
- key_class_found = true;
+ if (CFEqual(item_class_string, kSecClassGenericPassword)) {
+ item_class = kSecGenericPasswordItemClass;
+ } else if (CFEqual(item_class_string, kSecClassInternetPassword)) {
+ item_class = kSecInternetPasswordItemClass;
 }
- if (key_class_found) {
+ if (item_class != 0) {
 // we carry v_Data around here so the *_ios calls can find it and locate
 // their own data. Putting things in the attribute list doesn't help as
 // the osx keychainitem and item calls bail when they don't see a keychain
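Review bot: `CFEqual(item_class_string, kSecClassGenericPassword)` is reached with no check on `item_class_string`, so a dictionary without kSecClass (or with a non-string value) faults inside CFEqual instead of falling through to the `item_class != 0` test and returning NULL as the rewrite intends; wrap the two comparisons in `if (item_class_string && CFGetTypeID(item_class_string) == CFStringGetTypeID()) {`. The removed key_class_string code had the same gap, but the function is being reworked here and the attributes come in from another process's results. The function body continues in the next hunk.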
@@ -4144,71 +4199,21 @@ SecItemCreateFromAttributeDictionary(CFDictionaryRef refAttributes) {
 // find a way to craft a workable keychain object. #if'ed code left below
 // in case we need to go down that path.
- struct SecKeychainAttributeList *attrs = (struct SecKeychainAttributeList *)malloc(sizeof(struct SecKeychainAttributeList) + sizeof(struct SecKeychainAttribute) * 0);
- attrs->attr = (struct SecKeychainAttribute *)(attrs + 1);
- attrs->count = 0;
- CFTypeRef v;
-#if 0
- // The C++ string objects need to last at least as long as the attr struct.
- string account;
-
- v = CFDictionaryGetValue(refAttributes, CFSTR("mdat"));
- if (v) {
- attrs->attr[attrs->count].tag = kSecModDateItemAttr;
- // XXX need to convert to YYYYMMDDhhmmSSZ
- attrs->attr[attrs->count].data = (void*)"19690223140232Z";
- attrs->attr[attrs->count].length = strlen((char*)(attrs->attr[attrs->count].data));
- attrs->count++;
- }
- v = CFDictionaryGetValue(refAttributes, CFSTR("cdat"));
- if (v) {
- attrs->attr[attrs->count].tag = kSecCreationDateItemAttr;
- // XXX need to convert to YYYYMMDDhhmmSSZ
- attrs->attr[attrs->count].data = (void*)"19690223140232Z";
- attrs->attr[attrs->count].length = strlen((char*)(attrs->attr[attrs->count].data));
- attrs->count++;
- }
-
- v = CFDictionaryGetValue(refAttributes, CFSTR("acct"));
- if (v) {
- attrs->attr[attrs->count].tag = kSecAccountItemAttr;
- account = cfString((CFStringRef)v);
- attrs->attr[attrs->count].data = (void*)(account.c_str());
- attrs->attr[attrs->count].length = account.length();
- attrs->count++;
- }
-
- // class isn't treated as an attribute by the creation API
+ SecKeychainAttributeList attrs = {};
+ SecKeychainAttribute attr = {};
- v = CFDictionaryGetValue(refAttributes, CFSTR("svce"));
- if (v) {
- attrs->attr[attrs->count].tag = kSecServiceItemAttr;
- account = cfString((CFStringRef)v);
- attrs->attr[attrs->count].data = (void*)(account.c_str());
- attrs->attr[attrs->count].length = account.length();
- attrs->count++;
- }
+
attrs.attr = &attr;
+ attrs.count = 0;
+ CFTypeRef v;
- v = CFDictionaryGetValue(refAttributes, CFSTR("acct"));
- if (v) {
- attrs->attr[attrs->count].tag = kSecLabelItemAttr;
- account = cfString((CFStringRef)v);
- attrs->attr[attrs->count].data = (void*)(account.c_str());
- attrs->attr[attrs->count].length = account.length();
- attrs->count++;
- }
-#endif
- Item item = Item(key_class, attrs, 0, "");
- ItemImpl *real_item = item.get();
+ Item item = Item(item_class, &attrs, 0, "");
 v = CFDictionaryGetValue(refAttributes, kSecValuePersistentRef);
 if (v) {
- real_item->setPersistentRef((CFDataRef)v);
+ item->setPersistentRef((CFDataRef)v);
 }
- ref = real_item->handle();
- } else {
- // keys, certs, identities are not currently sync'able.
- ref = NULL;
+ ref = item->handle();
 }
+
 return ref;
 }
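Review bot: The context comment at the top of this hunk still says "#if'ed code left below in case we need to go down that path", but the hunk deletes that `#if 0` block, so the sentence now points at nothing; trim it to `// find a way to craft a workable keychain object.`. The new `attrs`/`attr` pair are stack locals handed to `Item(item_class, &attrs, 0, "")` with count 0 and then used only through `item`; a one-line comment saying that Item copies (or does not retain) the attribute list would make that lifetime explicit — the hunk does not show Item's constructor, so confirm before writing it. The function starts in the previous hunk.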
@@ -4252,6 +4257,203 @@ SecItemValidateAppleApplicationGroupAccess(CFStringRef group)
 return status;
 }
+static Mutex gParentCertCacheLock;
+static CFMutableDictionaryRef gParentCertCache;
+static CFMutableArrayRef gParentCertCacheList;
+#define PARENT_CACHE_SIZE 100
+
+void SecItemParentCachePurge() {
+ StLock<Mutex> _(gParentCertCacheLock);
+ CFReleaseNull(gParentCertCache);
+ CFReleaseNull(gParentCertCacheList);
+}
+
+static CFArrayRef parentCacheRead(SecCertificateRef certificate) {
+ CFArrayRef parents = NULL;
+ CFIndex ix;
+ CFDataRef digest = SecCertificateGetSHA1Digest(certificate);
+ if (!digest) return NULL;
+
+ StLock<Mutex> _(gParentCertCacheLock);
+ if (gParentCertCache && gParentCertCacheList) {
+ if (0 <= (ix = CFArrayGetFirstIndexOfValue(gParentCertCacheList,
+ CFRangeMake(0, CFArrayGetCount(gParentCertCacheList)),
+ digest))) {
+ // Cache hit. Get value and move entry to the top of the list.
+ parents = (CFArrayRef)CFDictionaryGetValue(gParentCertCache, digest);
+ CFArrayRemoveValueAtIndex(gParentCertCacheList, ix);
+ CFArrayAppendValue(gParentCertCacheList, digest);
+ }
+ }
+ CFRetainSafe(parents);
+ return parents;
+}
+
+static void parentCacheWrite(SecCertificateRef certificate, CFArrayRef parents) {
+ CFDataRef digest = SecCertificateGetSHA1Digest(certificate);
+ if (!digest) return;
+
+ StLock<Mutex> _(gParentCertCacheLock);
+ if (!gParentCertCache || !gParentCertCacheList) {
+ CFReleaseNull(gParentCertCache);
+ gParentCertCache = makeCFMutableDictionary();
+ CFReleaseNull(gParentCertCacheList);
+ gParentCertCacheList = makeCFMutableArray(0);
+ }
+
+ if (gParentCertCache && gParentCertCacheList) {
+ // check to make sure another thread didn't add this entry to the cache already
+ if (0 > CFArrayGetFirstIndexOfValue(gParentCertCacheList,
+ CFRangeMake(0, CFArrayGetCount(gParentCertCacheList)),
+ digest)) {
+ CFDictionaryAddValue(gParentCertCache, digest, parents);
+ if (PARENT_CACHE_SIZE <= CFArrayGetCount(gParentCertCacheList)) {
+ // Remove
least recently used cache entry.
+ CFArrayRemoveValueAtIndex(gParentCertCacheList, 0);
+ }
+ CFArrayAppendValue(gParentCertCacheList, digest);
+ }
+ }
+}
+
+/*
+ * SecItemCopyParentCertificates returns an array of zero of more possible
+ * issuer certificates for the provided certificate. No cryptographic validation
+ * of the signature is performed in this function; its purpose is only to
+ * provide a list of candidate certificates.
+ */
+CFArrayRef
+SecItemCopyParentCertificates(SecCertificateRef certificate, void *context)
+{
+#pragma unused (context) /* for now; in future this can reference a container object */
+ /* Check for parents in keychain cache */
+ CFArrayRef parents = parentCacheRead(certificate);
+ if (parents) {
+ return parents;
+ }
+
+ /* Cache miss. Query for parents. */
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+ CFDataRef normalizedIssuer = SecCertificateCopyNormalizedIssuerContent(certificate, NULL);
+#else
+ CFDataRef normalizedIssuer = SecCertificateGetNormalizedIssuerContent(certificate);
+ CFRetainSafe(normalizedIssuer);
+#endif
+ OSStatus status;
+ CFMutableArrayRef combinedSearchList = NULL;
+
+ /* Define the array of keychains which will be searched for parents. */
+ CFArrayRef searchList = NULL;
+ status = SecKeychainCopySearchList(&searchList);
+ if (searchList) {
+ combinedSearchList = CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, searchList);
+ CFRelease(searchList);
+ } else {
+ combinedSearchList = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+ }
+ SecKeychainRef rootStoreKeychain = NULL;
+ status = SecKeychainOpen(SYSTEM_ROOT_STORE_PATH, &rootStoreKeychain);
+ if (rootStoreKeychain) {
+ if (combinedSearchList) {
+ CFArrayAppendValue(combinedSearchList, rootStoreKeychain);
+ }
+ CFRelease(rootStoreKeychain);
+ }
+
+ /* Create and populate a fixed-size query dictionary.
*/
+ CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 5,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ CFDictionaryAddValue(query, kSecClass, kSecClassCertificate);
+ CFDictionaryAddValue(query, kSecReturnData, kCFBooleanTrue);
+ CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitAll);
+ if (combinedSearchList) {
+ CFDictionaryAddValue(query, kSecMatchSearchList, combinedSearchList);
+ CFRelease(combinedSearchList);
+ }
+ CFDictionaryAddValue(query, kSecAttrSubject, normalizedIssuer);
+
+ /* Get all certificates matching our query. */
+ CFTypeRef results = NULL;
+ status = SecItemCopyMatching_osx(query, &results);
+ if ((status != errSecSuccess) && (status != errSecItemNotFound)) {
+ secitemlog(LOG_WARNING, "SecItemCopyParentCertificates: %d", (int)status);
+ }
+ CFRelease(query);
+
+ CFMutableArrayRef result = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+ CFTypeID resultType = (results) ? CFGetTypeID(results) : 0;
+ if (resultType == CFArrayGetTypeID()) {
+ CFIndex index, count = CFArrayGetCount((CFArrayRef)results);
+ for (index = 0; index < count; index++) {
+ CFDataRef data = (CFDataRef) CFArrayGetValueAtIndex((CFArrayRef)results, index);
+ if (data) {
+ SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, data);
+ if (cert) {
+ CFArrayAppendValue(result, cert);
+ CFRelease(cert);
+ }
+ }
+ }
+ } else if (resultType == CFDataGetTypeID()) {
+ SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)results);
+ if (cert) {
+ CFArrayAppendValue(result, cert);
+ CFRelease(cert);
+ }
+ }
+ CFReleaseSafe(results);
+ CFReleaseSafe(normalizedIssuer);
+
+ /* Add to cache.
*/
+ parentCacheWrite(certificate, result);
+
+ return result;
+}
+
+SecCertificateRef SecItemCopyStoredCertificate(SecCertificateRef certificate, void *context)
+{
+#pragma unused (context) /* for now; in future this can reference a container object */
+
+ /* Certificates are unique by issuer and serial number. */
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+ CFDataRef serialNumber = SecCertificateCopySerialNumber(certificate, NULL);
+ CFDataRef normalizedIssuer = SecCertificateCopyNormalizedIssuerContent(certificate, NULL);
+#else
+ CFDataRef serialNumber = SecCertificateCopySerialNumber(certificate);
+ CFDataRef normalizedIssuer = SecCertificateGetNormalizedIssuerContent(certificate);
+ CFRetainSafe(normalizedIssuer);
+#endif
+
+ const void *keys[] = {
+ kSecClass,
+ kSecMatchLimit,
+ kSecAttrIssuer,
+ kSecAttrSerialNumber,
+ kSecReturnRef
+ },
+ *values[] = {
+ kSecClassCertificate,
+ kSecMatchLimitOne,
+ normalizedIssuer,
+ serialNumber,
+ kCFBooleanTrue
+ };
+ CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, 5, NULL, NULL);
+ CFTypeRef result = NULL;
+
+ OSStatus status = SecItemCopyMatching_osx(query, &result);
+ if ((status != errSecSuccess) && (status != errSecItemNotFound)) {
+ secitemlog(LOG_WARNING, "SecItemCopyStoredCertificate: %d", (int)status);
+ CFReleaseNull(result);
+ }
+ CFReleaseSafe(query);
+ CFReleaseSafe(serialNumber);
+ CFReleaseSafe(normalizedIssuer);
+
+ return (SecCertificateRef)result;
+}
+
 /*
 * SecItemCopyTranslatedAttributes accepts a user-provided attribute dictionary
 * and attempts to return a sanitized copy for passing to the underlying
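Review bot: `parentCacheWrite` drops the least-recently-used digest from `gParentCertCacheList` once PARENT_CACHE_SIZE entries exist, but never removes that digest's entry from `gParentCertCache`, so the dictionary keeps every parents array ever inserted until `SecItemParentCachePurge` runs and the size bound applies only to the list; worse, a later write for an evicted digest re-appends it to the list while `CFDictionaryAddValue` leaves the stale parents array in place. Add `CFDictionaryRemoveValue(gParentCertCache, CFArrayGetValueAtIndex(gParentCertCacheList, 0));` immediately before `CFArrayRemoveValueAtIndex(gParentCertCacheList, 0);`. Separately, `SecItemCopyParentCertificates` passes `normalizedIssuer` straight into `CFDictionaryAddValue(query, kSecAttrSubject, normalizedIssuer)`; the query uses kCFTypeDictionaryValueCallBacks, whose retain callback would fault on a NULL value, so a certificate whose issuer cannot be normalized should return the empty `result` (without writing the cache) rather than reach that call.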
@@ -4338,11 +4540,6 @@ SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass, */ CFDictionaryRemoveValue(result, kSecUseKeychain); - /* Remove kSecMatchPolicy (value is a SecPolicyRef); - * TODO: need a way to externalize and restore a policy instance - */ - CFDictionaryRemoveValue(result, kSecMatchPolicy); - /* Potentially translate kSecAttrAccess (value is a SecAccessRef), * unless kSecAttrAccessGroup has already been specified. */ @@ -4363,15 +4560,20 @@ SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass, CFDictionaryRemoveValue(result, kSecAttrAccess); /* If item is specified by direct reference, and this is an iOS search, - * replace it with a persistent reference. + * replace it with a persistent reference, if it was recorded inside ItemImpl. */ - CFTypeRef directRef = CFDictionaryGetValue(result, kSecValueRef); - if (directRef) { - CFDataRef persistentRef = _SecItemGetPersistentReference(directRef); - if (persistentRef) { - CFDictionarySetValue(result, kSecValuePersistentRef, persistentRef); + CFTypeRef directRef = CFDictionaryGetValue(result, kSecValueRef); + if (directRef != NULL) { + CFTypeID typeID = CFGetTypeID(directRef); + if ((typeID != SecKeyGetTypeID() || SecKeyIsCDSAKey((SecKeyRef)directRef)) && + (typeID != SecCertificateGetTypeID() || SecCertificateIsItemImplInstance((SecCertificateRef)directRef)) && + (typeID != SecIdentityGetTypeID())) { + CFDataRef persistentRef = _SecItemGetPersistentReference(directRef); + if (persistentRef) { + CFDictionarySetValue(result, kSecValuePersistentRef, persistentRef); + CFDictionaryRemoveValue(result, kSecValueRef); + } } - CFDictionaryRemoveValue(result, kSecValueRef); } /* If item is specified by persistent reference, and this is an iOS search, 
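Review bot: Dropping `CFDictionaryRemoveValue(result, kSecMatchPolicy);` means a SecPolicyRef value now stays in the translated dictionary handed to the iOS search, and the TODO removed with it said there was no way to externalize a policy instance; nothing in this hunk adds one. If the iOS path is now expected to accept the policy object, a one-line comment at the old removal site, e.g. `/* kSecMatchPolicy is passed through; the iOS search applies the policy itself. */` (adjusted to what it actually does), would record that, otherwise the value is presumably ignored or rejected on the far side and the old strip should stay. SecItemCopyTranslatedAttributes starts and ends outside the hunk.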
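Review bot: In the new kSecValueRef branch, `CFDictionaryRemoveValue(result, kSecValueRef);` now runs only when `_SecItemGetPersistentReference` returned something, so an ItemImpl-backed key or certificate for which no persistent reference exists stays in the dictionary as a raw legacy object and is handed to the iOS search, whereas the code it replaces always removed it. If that fallback is intentional it deserves a comment; otherwise move the removal out of the inner `if (persistentRef)` so it applies to every ItemImpl ref. The three-part type test would also read better as a named predicate such as `static bool SecItemIsItemImplRef(CFTypeRef ref)`, with a comment on why `SecIdentityGetTypeID()` is excluded from translation. SecItemCopyTranslatedAttributes starts and ends outside the hunk.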
@@ -4398,6 +4600,7 @@ SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass, /* Remove attributes which are not part of the OS X database schema. */ CFDictionaryRemoveValue(result, kSecAttrAccessible); + CFDictionaryRemoveValue(result, kSecAttrAccessControl); CFDictionaryRemoveValue(result, kSecAttrAccessGroup); CFDictionaryRemoveValue(result, kSecAttrSynchronizable); CFDictionaryRemoveValue(result, kSecAttrTombstone); 
@@ -4409,35 +4612,73 @@ SecItemCopyTranslatedAttributes(CFDictionaryRef inOSXDict, CFTypeRef itemClass, return result; } -/* - * SecItemCopyMergedResults takes two input objects, which may be containers, - * and returns a retained object which merges the results. Merging depends on the - * result type. If each result is valid and is not an array, then only one match was - * requested; in that case, the syncable (ios) match is preferred. - * - * FIXME: There are some edge cases still to deal with; e.g. if the OSX search specified a - * particular keychain to search, we do not want to merge in any IOS results. Also, may need - * to filter out duplicates if two items differ only in the sync attribute. - */ -CFTypeRef -SecItemCopyMergedResults(CFDictionaryRef query, CFTypeRef result_osx, CFTypeRef result_ios) -{ - CFTypeID id_osx = (result_osx) ? CFGetTypeID(result_osx) : 0; - CFTypeID id_ios = (result_ios) ? CFGetTypeID(result_ios) : 0; - CFTypeID id_array = CFArrayGetTypeID(); - if ((id_osx == id_array) && (id_ios == id_array)) { - // Fold the arrays into one. - CFMutableArrayRef results = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); - CFArrayAppendArray(results, (CFArrayRef)result_ios, CFRangeMake(0, CFArrayGetCount((CFArrayRef)result_ios))); - CFArrayAppendArray(results, (CFArrayRef)result_osx, CFRangeMake(0, CFArrayGetCount((CFArrayRef)result_osx))); - return results; - } - // Result type is not an array, so only one match can be returned. - return (id_ios) ? CFRetain(result_ios) : CFRetain(result_osx); -} - } /* extern "C" */ +static OSStatus +SecItemMergeResults(bool can_target_ios, OSStatus status_ios, CFTypeRef result_ios, + bool can_target_osx, OSStatus status_osx, CFTypeRef result_osx, + CFTypeRef *result) { + // When querying both keychains and iOS keychain fails because of missing + // entitlements, completely ignore iOS keychain result. 
This is to keep + // backward compatibility with applications which know nothing about iOS keychain + // and use SecItem API to access OSX keychain which does not need any entitlements. + if (can_target_osx && can_target_ios && status_ios == errSecMissingEntitlement) { + can_target_ios = false; + } + + if (can_target_osx && can_target_ios) { + // If both keychains were targetted, examine returning statuses and decide what to do. + if (status_ios != errSecSuccess) { + // iOS keychain failed to produce results because of some error, go with results from OSX keychain. + AssignOrReleaseResult(result_osx, result); + return status_osx; + } else if (status_osx != errSecSuccess) { + if (status_osx != errSecItemNotFound) { + // OSX failed to produce results with some failure mode (else than not_found), but iOS produced results. + // We have to either return OSX failure result and discard iOS results, or vice versa. For now, we just + // ignore OSX error and return just iOS results. + secitemlog(LOG_NOTICE, "SecItemMergeResults: osx_result=%d, ignoring it, iOS succeeded fine", status_osx); + } + + // OSX failed to produce results, but we have success from iOS keychain; go with results from iOS keychain. + AssignOrReleaseResult(result_ios, result); + return errSecSuccess; + } else { + // Both searches succeeded, merge results. + if (result != NULL) { + CFTypeID id_osx = (result_osx) ? CFGetTypeID(result_osx) : 0; + CFTypeID id_ios = (result_ios) ? CFGetTypeID(result_ios) : 0; + CFTypeID id_array = CFArrayGetTypeID(); + if ((id_osx == id_array) && (id_ios == id_array)) { + // Fold the arrays into one. 
+ *result = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + CFArrayAppendArray((CFMutableArrayRef)*result, (CFArrayRef)result_ios, + CFRangeMake(0, CFArrayGetCount((CFArrayRef)result_ios))); + CFArrayAppendArray((CFMutableArrayRef)*result, (CFArrayRef)result_osx, + CFRangeMake(0, CFArrayGetCount((CFArrayRef)result_osx))); + } else { + // Result type is not an array, so only one match can be returned. + *result = (id_ios) ? result_ios : result_osx; + CFRetainSafe(*result); + } + } + CFReleaseSafe(result_osx); + CFReleaseSafe(result_ios); + return errSecSuccess; + } + } else if (can_target_ios) { + // Only iOS keychain was targetted. + AssignOrReleaseResult(result_ios, result); + return status_ios; + } else if (can_target_osx) { + // Only OSX keychain was targetted. + AssignOrReleaseResult(result_osx, result); + return status_osx; + } else { + // Query could not run at all? + return errSecParam; + } +} OSStatus SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result) 
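Review bot: In SecItemMergeResults the one-side-failed branches release only the side they return: `AssignOrReleaseResult(result_osx, result); return status_osx;` leaves result_ios untouched and the `status_osx != errSecSuccess` branch leaves result_osx untouched, so a failing search that still handed back a non-NULL object (the callers' `CFReleaseNull(result_ios)` before their retry suggests this can happen) leaks it, and the same applies to result_ios when can_target_ios is cleared for errSecMissingEntitlement. Adding `CFReleaseSafe(result_ios);` before the first return, `CFReleaseSafe(result_osx);` before the second, and `CFReleaseSafe(result_ios); result_ios = NULL;` where can_target_ios is cleared closes this. Separately, when both sides fail the function now returns status_osx unconditionally, whereas the code it replaces in SecItemCopyMatching preferred status_ios when status_osx was only errSecItemNotFound ("this failure was more interesting"); if the change is intended, a comment on that branch would stop it being read as a regression. SecItemUpdate and SecItemDelete route through this function with NULL results and inherit the same both-fail behaviour.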
@@ -4450,67 +4691,49 @@ SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result) OSStatus status_osx = errSecItemNotFound, status_ios = errSecItemNotFound; CFTypeRef result_osx = NULL, result_ios = NULL; - Boolean ios_only = SecItemNoLegacy(query); - Boolean sync_enabled = SecItemSyncEnabled(); - Boolean search_ios = SecItemSynchronizable(query); - Boolean merge_search = SecItemSynchronizableAny(query); - Boolean persistref_ios = SecItemHasSynchronizablePersistentReference(query); + bool can_target_ios, can_target_osx; + OSStatus status = SecItemCategorizeQuery(query, can_target_ios, can_target_osx); + if (status != errSecSuccess) { + return status; + } - if (ios_only || (sync_enabled && (merge_search || persistref_ios || search_ios))) { + if (can_target_ios) { CFDictionaryRef attrs_ios = SecItemCopyTranslatedAttributes(query, CFDictionaryGetValue(query, kSecClass), true, false, false, false, true, true); if (!attrs_ios) { status_ios = errSecParam; } else { - SecItemUnlockSynchronizableKeychain(); - status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios); + status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios); + if(status_ios == errSecInteractionNotAllowed) { + // The keybag is locked. Attempt to unlock it... 
+ if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + CFReleaseNull(result_ios); + status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios); + } + } CFRelease(attrs_ios); } secitemlog(LOG_NOTICE, "SecItemCopyMatching_ios result: %d", status_ios); - if (ios_only || !merge_search || persistref_ios) { - AssignOrReleaseResult(result_ios, result); - return status_ios; // no need to search non-syncable keychains - } - } - - CFDictionaryRef attrs_osx = SecItemCopyTranslatedAttributes(query, - CFDictionaryGetValue(query, kSecClass), false, false, true, false, true, true); - if (!attrs_osx) { - status_osx = errSecParam; - } - else { - status_osx = SecItemCopyMatching_osx(attrs_osx, &result_osx); - CFRelease(attrs_osx); } - secitemlog(LOG_NOTICE, "SecItemCopyMatching_osx result: %d", status_osx); - // If one of the searches failed to occur or produce results, we can eliminate it - if (result_ios == NULL) { - AssignOrReleaseResult(result_osx, result); - return status_osx; // we can only have non-syncable results - } - if (result_osx == NULL) { - AssignOrReleaseResult(result_ios, result); - return status_ios; // we can only have syncable results + if (can_target_osx) { + CFDictionaryRef attrs_osx = SecItemCopyTranslatedAttributes(query, + CFDictionaryGetValue(query, kSecClass), false, false, true, false, true, true); + if (!attrs_osx) { + status_osx = errSecParam; + } + else { + status_osx = SecItemCopyMatching_osx(attrs_osx, &result_osx); + CFRelease(attrs_osx); + } + secitemlog(LOG_NOTICE, "SecItemCopyMatching_osx result: %d", status_osx); } - // If we get here, need to merge results - CFTypeRef result_merged = SecItemCopyMergedResults(query, result_osx, result_ios); - CFReleaseSafe(result_osx); - CFReleaseSafe(result_ios); - AssignOrReleaseResult(result_merged, result); - - if (status_osx == status_ios) { - return status_osx; // both searches produced the same result - } - else if (!status_osx || !status_ios) { - return errSecSuccess; // one of the searches 
succeeded - } - else if (status_osx == errSecItemNotFound) { - return status_ios; // this failure was more interesting - } - return status_osx; + status = SecItemMergeResults(can_target_ios, status_ios, result_ios, + can_target_osx, status_osx, result_osx, result); + secitemlog(LOG_NOTICE, "SecItemCopyMatching result: %d", status); + return status; } OSStatus 
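Review bot: The unlock-and-retry block added after `SecItemCopyMatching_ios` is repeated verbatim in SecItemAdd, twice in SecItemUpdate, in SecItemDelete and in SecItemUpdateTokenItems, each passing the bare literal `3` to SecKeychainVerifyKeyStorePassphrase (presumably an attempt count) and each using `if(` spacing that differs from the surrounding `if (` style. A small static predicate next to SecItemMergeResults would name the constant once and reduce every call site to a two-line retry, as sketched below. The retry re-issues the search after an interactive unlock, so a locked keybag presumably now turns each of these calls into a passphrase prompt; if that is intended, the `// The keybag is locked. Attempt to unlock it...` comment could say so, and if not, the retry should be limited to callers that expect UI.
```cpp
// Passphrase attempts allowed when a call fails because the keybag is locked.
static const int kKeyStoreUnlockAttempts = 3;

// True when `status` means the keybag was locked and it has just been unlocked,
// i.e. the caller should issue the same call once more.
static bool SecItemRetryAfterUnlock(OSStatus status) {
    return status == errSecInteractionNotAllowed &&
           SecKeychainVerifyKeyStorePassphrase(kKeyStoreUnlockAttempts) == errSecSuccess;
}

// … in SecItemCopyMatching, unchanged: SecItemCategorizeQuery and attrs_ios translation …
            status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios);
            if (SecItemRetryAfterUnlock(status_ios)) {
                CFReleaseNull(result_ios);
                status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios);
            }
// … unchanged: OSX search and SecItemMergeResults call …
```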
@@ -4525,46 +4748,48 @@ SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result) } secitemshow(attributes, "SecItemAdd attrs:"); - OSStatus status_osx, status_ios; CFTypeRef result_osx = NULL, result_ios = NULL; - Boolean ios_only = SecItemNoLegacy(attributes); - Boolean sync_enabled = SecItemSyncEnabled(); - Boolean add_ios = SecItemSynchronizable(attributes); + bool can_target_ios, can_target_osx; + OSStatus status = SecItemCategorizeQuery(attributes, can_target_ios, can_target_osx); + if (status != errSecSuccess) { + return status; + } - if (ios_only || (sync_enabled && add_ios)) { + // SecItemAdd cannot be really done on both keychains. In order to keep backward compatibility + // with existing applications, we prefer to add items into legacy keychain and fallback + // into iOS (modern) keychain only when the query is not suitable for legacy keychain. + if (!can_target_osx) { CFDictionaryRef attrs_ios = SecItemCopyTranslatedAttributes(attributes, NULL, true, true, false, false, false, false); if (!attrs_ios) { - status_ios = errSecParam; - } - else { - SecItemUnlockSynchronizableKeychain(); - status_ios = SecItemAdd_ios(attrs_ios, &result_ios); + status = errSecParam; + } else { + status = SecItemAdd_ios(attrs_ios, &result_ios); + if(status == errSecInteractionNotAllowed) { + // The keybag is locked. Attempt to unlock it... 
+ if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + CFReleaseNull(result_ios); + status = SecItemAdd_ios(attrs_ios, &result_ios); + } + } CFRelease(attrs_ios); } - secitemlog(LOG_NOTICE, "SecItemAdd_ios result: %d", status_ios); - if (result) - *result = result_ios; - else - CFReleaseSafe(result_ios); - return status_ios; - } - - CFDictionaryRef attrs_osx = SecItemCopyTranslatedAttributes(attributes, - NULL, false, false, true, false, false, false); - if (!attrs_osx) { - status_osx = errSecParam; - } - else { - status_osx = SecItemAdd_osx(attrs_osx, &result_osx); - CFRelease(attrs_osx); + secitemlog(LOG_NOTICE, "SecItemAdd_ios result: %d", status); + AssignOrReleaseResult(result_ios, result); + return status; + } else { + CFDictionaryRef attrs_osx = SecItemCopyTranslatedAttributes(attributes, + NULL, false, false, true, false, false, false); + if (!attrs_osx) { + status = errSecParam; + } else { + status = SecItemAdd_osx(attrs_osx, &result_osx); + CFRelease(attrs_osx); + } + secitemlog(LOG_NOTICE, "SecItemAdd_osx result: %d", status); + AssignOrReleaseResult(result_osx, result); + return status; } - secitemlog(LOG_NOTICE, "SecItemAdd_osx result: %d", status_osx); - if (result) - *result = result_osx; - else - CFReleaseSafe(result_osx); - return status_osx; } OSStatus 
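Review bot: `if (!can_target_osx)` routes the add to the iOS keychain whenever the legacy keychain is not a target, without consulting can_target_ios; SecItemMergeResults treats the both-false outcome of SecItemCategorizeQuery as possible (its final `return errSecParam;`), so a query categorized that way would be written to the iOS keychain here instead of being rejected. A guard such as `if (!can_target_ios && !can_target_osx) { return errSecParam; }` directly after the categorize check keeps the two functions consistent. The explanatory comment above the branch is welcome; it could also state that can_target_ios is deliberately not consulted, if that is the intent.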
@@ -4578,65 +4803,62 @@ SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate) secitemshow(attributesToUpdate, "SecItemUpdate attrs:"); OSStatus status_osx = errSecItemNotFound, status_ios = errSecItemNotFound; - Boolean ios_only = SecItemNoLegacy(query); - Boolean sync_enabled = SecItemSyncEnabled(); - Boolean search_ios = SecItemSynchronizable(query); - Boolean merge_search = SecItemSynchronizableAny(query); - Boolean persistref_ios = SecItemHasSynchronizablePersistentReference(query); + bool can_target_ios, can_target_osx; + OSStatus status = SecItemCategorizeQuery(query, can_target_ios, can_target_osx); + if (status != errSecSuccess) { + return status; + } - if (ios_only || (sync_enabled && (merge_search || persistref_ios || search_ios))) { + if (can_target_ios) { CFDictionaryRef attrs_ios = SecItemCopyTranslatedAttributes(query, CFDictionaryGetValue(query, kSecClass), true, true, false, true, true, true); if (!attrs_ios) { status_ios = errSecParam; } else { - SecItemUnlockSynchronizableKeychain(); - if (SecItemHasSynchronizableUpdate(true, attributesToUpdate)) + if (SecItemHasSynchronizableUpdate(true, attributesToUpdate)) { status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false); - else + if(status_ios == errSecInteractionNotAllowed) { + // The keybag is locked. Attempt to unlock it... + if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false); + } + } + } else { status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate); + if(status_ios == errSecInteractionNotAllowed) { + // The keybag is locked. Attempt to unlock it... 
+ if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate); + } + } + } CFRelease(attrs_ios); } secitemlog(LOG_NOTICE, "SecItemUpdate_ios result: %d", status_ios); - if (ios_only || !merge_search || persistref_ios) - return status_ios; } - CFDictionaryRef attrs_osx = SecItemCopyTranslatedAttributes(query, - CFDictionaryGetValue(query, kSecClass), false, false, true, true, true, true); - if (!attrs_osx) { - status_osx = errSecParam; - } - else { - if (SecItemHasSynchronizableUpdate(false, attributesToUpdate)) - status_osx = SecItemChangeSynchronizability(attrs_osx, attributesToUpdate, true); - else - status_osx = SecItemUpdate_osx(attrs_osx, attributesToUpdate); - - CFRelease(attrs_osx); - } - secitemlog(LOG_NOTICE, "SecItemUpdate_osx result: %d", status_osx); - if (merge_search) { - // Harmonize the result of the update attempts. - if (status_osx == status_ios) { - // both updates produced the same result - return status_ios; + if (can_target_osx) { + CFDictionaryRef attrs_osx = SecItemCopyTranslatedAttributes(query, + CFDictionaryGetValue(query, kSecClass), false, false, true, true, true, true); + if (!attrs_osx) { + status_osx = errSecParam; } - else if (!status_osx || !status_ios) { - // one of the updates succeeded, but the other failed - if (status_osx == errSecItemNotFound || status_ios == errSecItemNotFound) - return errSecSuccess; // item only found in one keychain + else { + if (SecItemHasSynchronizableUpdate(false, attributesToUpdate)) + status_osx = SecItemChangeSynchronizability(attrs_osx, attributesToUpdate, true); else - return (status_osx) ? 
status_osx : status_ios; // return the error - } - else if (status_osx == errSecItemNotFound) { - // both updates failed, status_ios failure is more interesting - // since the item was actually found - return status_ios; + status_osx = SecItemUpdate_osx(attrs_osx, attributesToUpdate); + + CFRelease(attrs_osx); } + secitemlog(LOG_NOTICE, "SecItemUpdate_osx result: %d", status_osx); } - return status_osx; + + status = SecItemMergeResults(can_target_ios, status_ios, NULL, + can_target_osx, status_osx, NULL, NULL); + secitemlog(LOG_NOTICE, "SecItemUpdate result: %d", status); + return status; } OSStatus 
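Review bot: The OSX branch keeps the unbraced pair `if (SecItemHasSynchronizableUpdate(false, attributesToUpdate)) status_osx = SecItemChangeSynchronizability(attrs_osx, attributesToUpdate, true); else status_osx = SecItemUpdate_osx(attrs_osx, attributesToUpdate);` while the iOS branch just above braces the same two-way choice, so the two halves of SecItemUpdate read differently for no reason. Since these lines are re-indented in this commit anyway, bracing them to match the new iOS code costs nothing. The iOS-side SecItemChangeSynchronizability retry also lacks the `CFReleaseNull` the other retries have, which is fine because it returns no result, but a short comment saying so would pre-empt the question.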
@@ -4649,59 +4871,60 @@ SecItemDelete(CFDictionaryRef query) secitemshow(query, "SecItemDelete query:"); OSStatus status_osx = errSecItemNotFound, status_ios = errSecItemNotFound; - Boolean ios_only = SecItemNoLegacy(query); - Boolean sync_enabled = SecItemSyncEnabled(); - Boolean search_ios = SecItemSynchronizable(query); - Boolean merge_search = SecItemSynchronizableAny(query); - Boolean persistref_ios = SecItemHasSynchronizablePersistentReference(query); + bool can_target_ios, can_target_osx; + OSStatus status = SecItemCategorizeQuery(query, can_target_ios, can_target_osx); + if (status != errSecSuccess) { + return status; + } - if (ios_only || (sync_enabled && (merge_search || persistref_ios || search_ios))) { + if (can_target_ios) { CFDictionaryRef attrs_ios = SecItemCopyTranslatedAttributes(query, NULL, true, true, false, true, true, true); if (!attrs_ios) { status_ios = errSecParam; - } - else { - SecItemUnlockSynchronizableKeychain(); + } else { status_ios = SecItemDelete_ios(attrs_ios); + if(status_ios == errSecInteractionNotAllowed) { + // The keybag is locked. Attempt to unlock it... + if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + status_ios = SecItemDelete_ios(attrs_ios); + } + } CFRelease(attrs_ios); } secitemlog(LOG_NOTICE, "SecItemDelete_ios result: %d", status_ios); - if (ios_only || !merge_search || persistref_ios) - return status_ios; - } - - CFDictionaryRef attrs_osx = SecItemCopyTranslatedAttributes(query, - NULL, false, false, true, true, true, true); - if (!attrs_osx) { - status_osx = errSecParam; - } - else { - status_osx = SecItemDelete_osx(attrs_osx); - CFRelease(attrs_osx); } - secitemlog(LOG_NOTICE, "SecItemDelete_osx result: %d", status_osx); - if (merge_search) { - // Harmonize the result of the delete attempts. 
- if (status_osx == status_ios) { - // both deletes produced the same result - return status_ios; - } - else if (!status_osx || !status_ios) { - // one of the deletes succeeded, but the other failed - if (status_osx == errSecItemNotFound || status_ios == errSecItemNotFound) - return errSecSuccess; // item only found in one keychain - else - return (status_osx) ? status_osx : status_ios; // return the error - } - else if (status_osx == errSecItemNotFound) { - // both deletes failed, status_ios failure is more interesting - // since the item was actually found - return status_ios; + if (can_target_osx) { + CFDictionaryRef attrs_osx = SecItemCopyTranslatedAttributes(query, + NULL, false, false, true, true, true, true); + if (!attrs_osx) { + status_osx = errSecParam; + } else { + status_osx = SecItemDelete_osx(attrs_osx); + CFRelease(attrs_osx); } + secitemlog(LOG_NOTICE, "SecItemDelete_osx result: %d", status_osx); } - return status_osx; + + status = SecItemMergeResults(can_target_ios, status_ios, NULL, + can_target_osx, status_osx, NULL, NULL); + secitemlog(LOG_NOTICE, "SecItemCopyDelete result: %d", status); + return status; +} + +OSStatus +SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes) +{ + OSStatus status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes); + if(status == errSecInteractionNotAllowed) { + // The keybag is locked. Attempt to unlock it... + if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { + status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes); + } + } + secitemlog(LOG_NOTICE, "SecItemUpdateTokenItems_ios result: %d", status); + return status; } OSStatus 
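Review bot: The final log line in SecItemDelete names the wrong function: `secitemlog(LOG_NOTICE, "SecItemCopyDelete result: %d", status);` should read `secitemlog(LOG_NOTICE, "SecItemDelete result: %d", status);`, matching the `SecItemDelete_ios result` and `SecItemDelete_osx result` lines above it. Anyone filtering logs for SecItemDelete will otherwise miss the merged status. The new SecItemUpdateTokenItems has neither a `secitemshow` of its inputs nor a header comment, unlike its siblings; a one-liner such as `/* Forwards token item updates to the iOS keychain; tokenItemsAttributes is passed through untouched. */` would cover the latter.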
@@ -4799,7 +5022,11 @@ SecItemAdd_osx( // but in any case it should try to add the certificate. See <rdar://8317887>. require_action(!itemParams->returnIdentity, error_exit, status = errSecItemInvalidValue); - if (!itemParams->useItems) { + if (itemParams->useItems == NULL) { + + require_action(itemParams->itemData == NULL || CFGetTypeID(itemParams->itemData) == CFDataGetTypeID(), + error_exit, status = errSecItemInvalidValue); + // create a single keychain item specified by the input attributes status = SecKeychainItemCreateFromContent(itemParams->itemClass, itemParams->attrList, @@ -4927,7 +5154,7 @@ SecItemUpdate_osx( // run the provided query to get a list of items to update CFTypeRef results = NULL; - OSStatus status = SecItemCopyMatching(query, &results); + OSStatus status = SecItemCopyMatching_osx(query, &results); if (status != errSecSuccess) return status; // nothing was matched, or the query was bad diff --git a/OSX/libsecurity_keychain/lib/SecItem.h b/OSX/libsecurity_keychain/lib/SecItem.h index 7893e2b5..9d325aff 100644 --- a/OSX/libsecurity_keychain/lib/SecItem.h +++ b/OSX/libsecurity_keychain/lib/SecItem.h @@ -517,6 +517,8 @@ extern const CFStringRef kSecAttrCanWrap __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); extern const CFStringRef kSecAttrCanUnwrap __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); +extern const CFStringRef kSecAttrTokenID + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); /*! @enum kSecAttrAccessible Value Constants @@ -742,6 +744,7 @@ extern const CFStringRef kSecAttrKeyClassSymmetric @constant kSecAttrKeyTypeCAST @constant kSecAttrKeyTypeECDSA (deprecated; use kSecAttrKeyTypeEC instead.) @constant kSecAttrKeyTypeEC + @constant kSecAttrKeyTypeECSECPrimeRandom */ extern const CFStringRef kSecAttrKeyTypeRSA __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); 
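Review bot: The new `require_action(itemParams->itemData == NULL || CFGetTypeID(itemParams->itemData) == CFDataGetTypeID(), error_exit, status = errSecItemInvalidValue);` guard has no comment saying what it protects; since the next statement builds the item from itemParams and presumably reads itemData as CFData, a line such as `// itemData must be a CFData (or absent); any other CF type would be misread as raw item content below` records the intent. The SecKeychainItemCreateFromContent call it guards is cut off at the end of the hunk, and SecItemAdd_osx starts before it.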
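Review bot: The public declaration `extern const CFStringRef kSecAttrTokenID __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0);` marks the symbol as new in 10.12, but the private declaration this commit removes from SecItemPriv.h carried `__MAC_10_11`; unless the symbol was really absent from 10.11 builds, clients that already used the private header with a 10.11 deployment target will now get availability diagnostics for a symbol that exists. Keeping `__MAC_10_11`, or a comment on why the floor moved, avoids that.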
@@ -763,6 +766,8 @@ extern const CFStringRef kSecAttrKeyTypeECDSA __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecAttrKeyTypeEC __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); +extern const CFStringRef kSecAttrKeyTypeECSECPrimeRandom + __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /*! @enum kSecAttrPRF Value Constants 
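Review bot: `extern const CFStringRef kSecAttrKeyTypeECSECPrimeRandom __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0);` annotates a constant introduced in this commit as available since 10.9, which is consistent with it aliasing the existing `"73"` value in SecItemConstants.c but is not obvious from the header alone. A short comment on the declaration, e.g. `/* Same value as kSecAttrKeyTypeEC; the availability matches that alias. */`, saves readers the cross-check.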
@@ -1009,6 +1014,37 @@ extern const CFStringRef kSecUseAuthenticationUIFail extern const CFStringRef kSecUseAuthenticationUISkip __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); +#if !RC_HIDE_J79 && !RC_HIDE_J80 +/*! + @enum kSecAttrTokenID Value Constants + @discussion Predefined item attribute constant used to get or set values + in a dictionary. The kSecAttrTokenID constant is the key and its value + can be kSecAttrTokenIDSecureEnclave. + @constant kSecAttrTokenIDSecureEnclave Specifies well-known identifier of the + token implemented using device's Secure Enclave. The only keychain items + supported by the Secure Enclave token are 256-bit elliptic curve keys + (kSecAttrKeyTypeEC). Keys must be generated on the secure enclave using + SecKeyGenerateKeyPair call with kSecAttrTokenID set to + kSecAttrTokenIDSecureEnclave in the parameters dictionary, it is not + possible to import pregenerated keys to kSecAttrTokenIDSecureEnclave token. +*/ +extern const CFStringRef kSecAttrTokenIDSecureEnclave + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); +#endif + +/*! + @enum kSecAttrAccessGroup Value Constants + @constant kSecAttrAccessGroupToken Represents well-known access group + which contains items provided by external token (typically smart card). + This may be used as a value for kSecAttrAccessGroup attribute. Every + application has access to this access group so it is not needed to + explicitly list it in keychain-access-groups entitlement, but application + must explicitly state this access group in keychain queries in order to + be able to access items from external tokens. +*/ +extern const CFStringRef kSecAttrAccessGroupToken + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); + /*! @function SecItemCopyMatching @abstract Returns one or more items which match a search query. diff --git a/OSX/libsecurity_keychain/lib/SecItemConstants.c b/OSX/libsecurity_keychain/lib/SecItemConstants.c index 994a1fea..92e55064 100644 
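Review bot: The kSecAttrTokenIDSecureEnclave discussion names the key type as `(kSecAttrKeyTypeEC)` while this same patch introduces kSecAttrKeyTypeECSECPrimeRandom as an equivalent name; citing the new constant alongside, e.g. `(kSecAttrKeyTypeECSECPrimeRandom, formerly kSecAttrKeyTypeEC)`, keeps the public docs pointing at the current name. The kSecAttrAccessGroupToken text says every application can use the group without listing it in its entitlement; adding that items in it remain subject to the token's own access control, if that is the case, would stop readers taking the sentence to mean no access control applies.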
--- a/OSX/libsecurity_keychain/lib/SecItemConstants.c +++ b/OSX/libsecurity_keychain/lib/SecItemConstants.c @@ -112,6 +112,10 @@ SEC_CONST_DECL (kSecAttrSynchronizableAny, "syna"); SEC_CONST_DECL (kSecAttrTombstone, "tomb"); SEC_CONST_DECL (kSecAttrNoLegacy, "nleg"); SEC_CONST_DECL (kSecAttrMultiUser, "musr"); +SEC_CONST_DECL (kSecAttrTokenOID, "toid"); + +/* Predefined access groups constants */ +SEC_CONST_DECL (kSecAttrAccessGroupToken, "com.apple.token"); /* Search Constants */ SEC_CONST_DECL (kSecMatchPolicy, "m_Policy"); @@ -158,6 +162,9 @@ SEC_CONST_DECL (kSecAttrAccessibleWhenUnlockedThisDeviceOnly, "aku"); SEC_CONST_DECL (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, "cku"); SEC_CONST_DECL (kSecAttrAccessibleAlwaysThisDeviceOnly, "dku"); SEC_CONST_DECL (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, "akpu"); +/* kSecAttrAccessible Value Constants (Private). */ +SEC_CONST_DECL (kSecAttrAccessibleAlwaysPrivate, "dk"); +SEC_CONST_DECL (kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, "dku"); /* kSecAttrProtocol Value Constants. */ SEC_CONST_DECL (kSecAttrProtocolFTP, "ftp "); @@ -221,6 +228,7 @@ SEC_CONST_DECL (kSecAttrKeyTypeDSA, "43"); SEC_CONST_DECL (kSecAttrKeyTypeCAST, "56"); SEC_CONST_DECL (kSecAttrKeyTypeECDSA, "73"); SEC_CONST_DECL (kSecAttrKeyTypeEC, "73"); /* rdar://13326326 */ +SEC_CONST_DECL (kSecAttrKeyTypeECSECPrimeRandom, "73"); SEC_CONST_DECL (kSecAttrKeyTypeAES, "2147483649"); /* <Security/cssmapple.h> */ SEC_CONST_DECL (kSecAttrPRFHmacAlgSHA1, "hsha1"); diff --git a/OSX/libsecurity_keychain/lib/SecItemPriv.h b/OSX/libsecurity_keychain/lib/SecItemPriv.h index 57593b81..c8065f0c 100644 --- a/OSX/libsecurity_keychain/lib/SecItemPriv.h +++ b/OSX/libsecurity_keychain/lib/SecItemPriv.h 
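Review bot: The new lines `SEC_CONST_DECL (kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, "dku");` and `SEC_CONST_DECL (kSecAttrKeyTypeECSECPrimeRandom, "73");` reuse values already bound to kSecAttrAccessibleAlwaysThisDeviceOnly and kSecAttrKeyTypeEC in this file, and only the existing kSecAttrKeyTypeEC line carries a comment about its alias; a `/* alias of kSecAttrKeyTypeEC */`-style comment on each new line would make the duplication visibly deliberate rather than a copy-paste slip. The same applies to `kSecAttrAccessibleAlwaysPrivate, "dk"` if it mirrors kSecAttrAccessibleAlways, whose definition is outside this hunk.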
@@ -2,14 +2,14 @@ * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -34,6 +34,7 @@ #include <CoreFoundation/CFData.h> #include <CoreFoundation/CFError.h> #include <TargetConditionals.h> +#include <Security/SecBase.h> #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) #include <Security/SecTask.h> 
@@ -280,10 +281,23 @@ extern const CFStringRef kSecAttrNoLegacy __OSX_AVAILABLE(10.11) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3); extern const CFStringRef kSecAttrSyncViewHint __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecAttrTokenID - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); extern const CFStringRef kSecAttrMultiUser __OSX_AVAILABLE(10.11.5) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3); +extern const CFStringRef kSecAttrTokenOID + __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + + +/*! + @enum kSecAttrAccessible Value Constants (Private) + @constant kSecAttrAccessibleAlwaysPrivate Private alias for kSecAttrAccessibleAlways, + which is going to be deprecated for 3rd party use. + @constant kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate for kSecAttrAccessibleAlwaysThisDeviceOnly, + which is going to be deprecated for 3rd party use. +*/ +extern const CFStringRef kSecAttrAccessibleAlwaysPrivate +;//%%% __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate +;//%%% __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /* View Hint Constants */ @@ -297,10 +311,13 @@ extern const CFStringRef kSecAttrViewHintPCSMailDrop; extern const CFStringRef kSecAttrViewHintPCSiCloudBackup; extern const CFStringRef kSecAttrViewHintPCSNotes; extern const CFStringRef kSecAttrViewHintPCSiMessage; +extern const CFStringRef kSecAttrViewHintPCSSharing; extern const CFStringRef kSecAttrViewHintAppleTV; extern const CFStringRef kSecAttrViewHintHomeKit; extern const CFStringRef kSecAttrViewHintThumper; +extern const CFStringRef kSecAttrViewHintContinuityUnlock; +extern const CFStringRef kSecAttrViewHintAccessoryPairing; /*! @enum Other Constants (Private) 
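Review bot: The two private accessibility declarations end with the availability macro commented out, `extern const CFStringRef kSecAttrAccessibleAlwaysPrivate ;//%%% __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);`, so the symbols are declared with no availability at all and a `%%%` placeholder is left in a shipped header. Either restore the annotation, `extern const CFStringRef kSecAttrAccessibleAlwaysPrivate __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);` (and likewise for the ThisDeviceOnly variant), or drop the dead comment and say why it is omitted. The doc block above them gives the second @constant entry no "Private alias for" wording, so the two entries read inconsistently.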
@@ -365,6 +382,42 @@ OSStatus SecItemCopyDisplayNames(CFArrayRef items, CFArrayRef *displayNames); */ OSStatus SecItemDeleteAll(void); + +/*! + @function SecItemParentCachePurge + @abstract Clear the cache of parent certificates used in SecItemCopyParentCertificates. + */ +void SecItemParentCachePurge(); + +/*! + @function SecItemCopyParentCertificates + @abstract Retrieve an array of possible issuing certificates for a given certificate. + @param certificate A reference to a certificate whose issuers are being sought. + @param context Pass NULL in this parameter to indicate that the default certificate + source(s) should be searched. The default is to search all available keychains. + Values of context other than NULL are currently ignored. + @result An array of zero or more certificates whose normalized subject matches the + normalized issuer of the provided certificate. Note that no cryptographic validation + of the signature is performed by this function; its purpose is only to provide a list + of candidate certificates. +*/ +CFArrayRef SecItemCopyParentCertificates(SecCertificateRef certificate, void *context) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA); + +/*! + @function SecItemCopyStoredCertificate + @abstract Retrieve the first stored instance of a given certificate. + @param certificate A reference to a certificate. + @param context Pass NULL in this parameter to indicate that the default certificate + source(s) should be searched. The default is to search all available keychains. + Values of context other than NULL are currently ignored. + @result Returns a certificate reference if the given certificate exists in a keychain, + or NULL if the certificate cannot be found in any keychain. The caller is responsible + for releasing the returned certificate reference when finished with it. 
+*/ +SecCertificateRef SecItemCopyStoredCertificate(SecCertificateRef certificate, void *context) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA); + /* Ensure the escrow keybag has been used to unlock the system keybag before calling either of these APIs. @@ -388,7 +441,7 @@ CFArrayRef _SecKeychainSyncUpdateMessage(CFDictionaryRef updates, CFErrorRef *er CFDataRef _SecItemGetPersistentReference(CFTypeRef raw_item); #endif -/* Returns an OSStatus value for the given CFErrorRef, returns errSecInternal if the +/* Returns an OSStatus value for the given CFErrorRef, returns errSecInternal if the domain of the provided error is not recognized. Passing NULL returns errSecSuccess (0). */ OSStatus SecErrorGetOSStatus(CFErrorRef error); @@ -398,6 +451,8 @@ CFDictionaryRef _SecSecuritydCopyWhoAmI(CFErrorRef *error); bool _SecSyncBubbleTransfer(CFArrayRef services, CFErrorRef *error); bool _SecSystemKeychainTransfer(CFErrorRef *error); +OSStatus SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes); + __END_DECLS #endif /* !_SECURITY_SECITEMPRIV_H_ */ diff --git a/OSX/libsecurity_keychain/lib/SecKey.cpp b/OSX/libsecurity_keychain/lib/SecKey.cpp index cd703686..a80fe3be 100644 --- a/OSX/libsecurity_keychain/lib/SecKey.cpp +++ b/OSX/libsecurity_keychain/lib/SecKey.cpp 
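Review bot: `void SecItemParentCachePurge();` is declared with an empty parameter list in a header that C callers include (the `__END_DECLS` below shows it is C-visible); in C that is an unprototyped declaration, so it should be `void SecItemParentCachePurge(void);`. The SecItemCopyStoredCertificate doc states that the caller must release the result, but the SecItemCopyParentCertificates doc above it does not, although its Copy prefix and the implementation's `return result` after `parentCacheWrite` imply the same; adding `The caller is responsible for releasing the returned array.` to its @result keeps the two contracts parallel. Since results are cached, the SecItemParentCachePurge abstract could also say when a purge is needed (e.g. after keychain contents change), as callers otherwise cannot tell when stale parents may be returned.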
@@ -44,29 +44,756 @@ #include <security_cdsa_utils/cuCdsaUtils.h> #include <security_cdsa_client/wrapkey.h> +#include <security_cdsa_client/genkey.h> +#include <security_cdsa_client/signclient.h> +#include <security_cdsa_client/cryptoclient.h> #include "SecImportExportCrypto.h" -/* Since there are currently two implementations of SecKey present, - * we need a specific function to return the registered type of the - * CFClass implementation, so we can determine which type we have. - */ -CFTypeID -SecKeyGetCFClassTypeID(void) -{ - BEGIN_SECAPI +static OSStatus +SecCDSAKeyInit(SecKeyRef key, const uint8_t *keyData, CFIndex keyDataLength, SecKeyEncoding encoding) { + key->key = const_cast<KeyItem *>(reinterpret_cast<const KeyItem *>(keyData)); + key->key->initializeWithSecKeyRef(key); + return errSecSuccess; +} + +static void +SecCDSAKeyDestroy(SecKeyRef keyRef) { + // Note: If this key is holding the last strong reference to its keychain, the keychain will be released during this operation. + // If we hold the keychain's mutex (the key's 'mutexForObject') during this destruction, pthread gets upset. + // Hold a reference to the keychain (if it exists) until after we release the keychain's mutex. + + KeyItem *keyItem = keyRef->key; + if (keyItem == NULL) { + // KeyImpl::attachSecKeyRef disconnected us from KeyItem instance, there is nothing to do for us. + return; + } + + Keychain kc = keyItem->keychain(); + + { + StMaybeLock<Mutex> _(keyItem->getMutexForObject()); + keyItem = keyRef->key; + if (keyItem == NULL) { + // Second version of the check above, the definitive one because this one is performed with locked object's mutex, therefore we can be sure that KeyImpl is still connected to this keyRef instance. + return; + } + + keyItem->aboutToDestruct(); + delete keyItem; + } + + (void) kc; // Tell the compiler we're actually using this variable. At destruction time, it'll release the keychain. 
+} + +static size_t +SecCDSAKeyGetBlockSize(SecKeyRef key) { + + CFErrorRef *error = NULL; + BEGIN_SECKEYAPI(size_t,0) + + const CssmKey::Header keyHeader = key->key->unverifiedKeyHeader(); + switch(keyHeader.algorithm()) + { + case CSSM_ALGID_RSA: + case CSSM_ALGID_DSA: + result = keyHeader.LogicalKeySizeInBits / 8; + break; + case CSSM_ALGID_ECDSA: + { + /* Block size is up to 9 bytes of DER encoding for sequence of 2 integers, + * plus both coordinates for the point used */ +#define ECDSA_KEY_SIZE_IN_BYTES(bits) (((bits) + 7) / 8) +#define ECDSA_MAX_COORD_SIZE_IN_BYTES(n) (ECDSA_KEY_SIZE_IN_BYTES(n) + 1) + size_t coordSize = ECDSA_MAX_COORD_SIZE_IN_BYTES(keyHeader.LogicalKeySizeInBits); + assert(coordSize < 256); /* size must fit in a byte for DER */ + size_t coordDERLen = (coordSize > 127) ? 2 : 1; + size_t coordLen = 1 + coordDERLen + coordSize; + + size_t pointSize = 2 * coordLen; + assert(pointSize < 256); /* size must fit in a byte for DER */ + size_t pointDERLen = (pointSize > 127) ? 
2 : 1; + size_t pointLen = 1 + pointDERLen + pointSize; + + result = pointLen; + } + break; + case CSSM_ALGID_AES: + result = 16; /* all AES keys use 128-bit blocks */ + break; + case CSSM_ALGID_DES: + case CSSM_ALGID_3DES_3KEY: + result = 8; /* all DES keys use 64-bit blocks */ + break; + default: + assert(0); /* some other key algorithm */ + result = 16; /* FIXME: revisit this */ + break; + } + + END_SECKEYAPI +} - return gTypes().KeyItem.typeID; +static CFIndex +SecCDSAKeyGetAlgorithmId(SecKeyRef key) { + + CFErrorRef *error = NULL; + BEGIN_SECKEYAPI(CFIndex, 0) + + result = kSecNullAlgorithmID; + switch (key->key->unverifiedKeyHeader().AlgorithmId) { + case CSSM_ALGID_RSA: + result = kSecRSAAlgorithmID; + break; + case CSSM_ALGID_DSA: + result = kSecDSAAlgorithmID; + break; + case CSSM_ALGID_ECDSA: + result = kSecECDSAAlgorithmID; + break; + default: + assert(0); /* other algorithms TBA */ + } + + END_SECKEYAPI +} + +static CFDataRef SecCDSAKeyCopyPublicKeyDataFromSubjectInfo(CFDataRef pubKeyInfo) { + // First of all, consider x509 format and try to strip SubjPubKey envelope. If it fails, do not panic + // and export data as is. + DERItem keyItem = { (DERByte *)CFDataGetBytePtr(pubKeyInfo), CFDataGetLength(pubKeyInfo) }, pubKeyItem; + DERByte numUnused; + DERSubjPubKeyInfo subjPubKey; + if (DERParseSequence(&keyItem, DERNumSubjPubKeyInfoItemSpecs, + DERSubjPubKeyInfoItemSpecs, + &subjPubKey, sizeof(subjPubKey)) == DR_Success && + DERParseBitString(&subjPubKey.pubKey, &pubKeyItem, &numUnused) == DR_Success) { + return CFDataCreate(kCFAllocatorDefault, pubKeyItem.data, pubKeyItem.length); + } + + return CFDataRef(CFRetain(pubKeyInfo)); +} + +static CFDataRef SecCDSAKeyCopyPublicKeyDataWithSubjectInfo(CSSM_ALGORITHMS algorithm, uint32 keySizeInBits, CFDataRef pubKeyInfo) { + // First check, whether X509 pubkeyinfo is already present. If not, add it according to the key type. 
+ DERItem keyItem = { (DERByte *)CFDataGetBytePtr(pubKeyInfo), CFDataGetLength(pubKeyInfo) }; + DERSubjPubKeyInfo subjPubKey; + if (DERParseSequence(&keyItem, DERNumSubjPubKeyInfoItemSpecs, + DERSubjPubKeyInfoItemSpecs, + &subjPubKey, sizeof(subjPubKey)) == DR_Success) { + return CFDataRef(CFRetain(pubKeyInfo)); + } + + // We have always size rounded to full bytes so bitstring encodes leading 00. + CFRef<CFMutableDataRef> bitStringPubKey = CFDataCreateMutable(kCFAllocatorDefault, 0); + CFDataSetLength(bitStringPubKey, 1); + CFDataAppendBytes(bitStringPubKey, CFDataGetBytePtr(pubKeyInfo), CFDataGetLength(pubKeyInfo)); + subjPubKey.pubKey.data = static_cast<DERByte *>(const_cast<UInt8 *>(CFDataGetBytePtr(bitStringPubKey))); + subjPubKey.pubKey.length = CFDataGetLength(bitStringPubKey); + + // Encode algId according to algorithm used. + static const DERByte oidRSA[] = { + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, + }; + static const DERByte oidECsecp256[] = { + 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, + }; + static const DERByte oidECsecp384[] = { + 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, + }; + static const DERByte oidECsecp521[] = { + 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, + }; + subjPubKey.algId.length = 0; + if (algorithm == CSSM_ALGID_RSA) { + subjPubKey.algId.data = const_cast<DERByte *>(oidRSA); + subjPubKey.algId.length = sizeof(oidRSA); + } else if (algorithm == CSSM_ALGID_ECDSA) { + if (keySizeInBits == 256) { + subjPubKey.algId.data = const_cast<DERByte *>(oidECsecp256); + subjPubKey.algId.length = sizeof(oidECsecp256); + } else if (keySizeInBits == 384) { + subjPubKey.algId.data = const_cast<DERByte *>(oidECsecp384); + subjPubKey.algId.length = sizeof(oidECsecp256); + } if (keySizeInBits == 521) { + subjPubKey.algId.data = 
const_cast<DERByte *>(oidECsecp521); + subjPubKey.algId.length = sizeof(oidECsecp256); + } + } + DERSize size = DERLengthOfEncodedSequence(ASN1_CONSTR_SEQUENCE, &subjPubKey, + DERNumSubjPubKeyInfoItemSpecs, DERSubjPubKeyInfoItemSpecs); + CFRef<CFMutableDataRef> keyData = CFDataCreateMutable(kCFAllocatorDefault, size); + CFDataSetLength(keyData, size); + if (DEREncodeSequence(ASN1_CONSTR_SEQUENCE, &subjPubKey, + DERNumSubjPubKeyInfoItemSpecs, DERSubjPubKeyInfoItemSpecs, + static_cast<DERByte *>(CFDataGetMutableBytePtr(keyData)), &size) == DR_Success) { + CFDataSetLength(keyData, size); + } else { + keyData.release(); + } + + return keyData.yield(); +} + +static OSStatus SecCDSAKeyCopyPublicBytes(SecKeyRef key, CFDataRef *serialization) { + + CFErrorRef *error = NULL; + BEGIN_SECKEYAPI(OSStatus, errSecSuccess) + + const CssmKey::Header &header = key->key->key().header(); + switch (header.algorithm()) { + case CSSM_ALGID_RSA: { + switch (header.keyClass()) { + case CSSM_KEYCLASS_PRIVATE_KEY: { + CFRef<CFDataRef> privKeyData; + result = SecItemExport(key, kSecFormatOpenSSL, 0, NULL, privKeyData.take()); + if (result == errSecSuccess) { + DERItem keyItem = { (DERByte *)CFDataGetBytePtr(privKeyData), CFDataGetLength(privKeyData) }; + DERRSAKeyPair keyPair; + if (DERParseSequence(&keyItem, DERNumRSAKeyPairItemSpecs, DERRSAKeyPairItemSpecs, + &keyPair, sizeof(keyPair)) == DR_Success) { + DERRSAPubKeyPKCS1 pubKey = { keyPair.n, keyPair.e }; + DERSize size = DERLengthOfEncodedSequence(ASN1_SEQUENCE, &pubKey, + DERNumRSAPubKeyPKCS1ItemSpecs, DERRSAPubKeyPKCS1ItemSpecs); + CFRef<CFMutableDataRef> keyData = CFDataCreateMutable(kCFAllocatorDefault, size); + CFDataSetLength(keyData, size); + UInt8 *data = CFDataGetMutableBytePtr(keyData); + if (DEREncodeSequence(ASN1_SEQUENCE, &pubKey, + DERNumRSAPubKeyPKCS1ItemSpecs, DERRSAPubKeyPKCS1ItemSpecs, + data, &size) == DR_Success) { + CFDataSetLength(keyData, size); + *data = ONE_BYTE_ASN1_CONSTR_SEQUENCE; + *serialization = 
keyData.yield(); + } else { + *serialization = NULL; + result = errSecParam; + } + } + } + break; + } + case CSSM_KEYCLASS_PUBLIC_KEY: + result = SecItemExport(key, kSecFormatBSAFE, 0, NULL, serialization); + break; + } + break; + } + case CSSM_ALGID_ECDSA: { + *serialization = NULL; + CFRef<CFDataRef> tempPublicData; + result = SecItemExport(key, kSecFormatOpenSSL, 0, NULL, tempPublicData.take()); + if (result == errSecSuccess) { + *serialization = SecCDSAKeyCopyPublicKeyDataFromSubjectInfo(tempPublicData); + } + break; + } + default: + result = errSecUnimplemented; + } - END_SECAPI1(_kCFRuntimeNotATypeID) + END_SECKEYAPI } -CFTypeID -SecKeyGetTypeID(void) +typedef struct { + DERItem privateKey; + DERItem publicKey; +} DERECPrivateKey; + +static const DERItemSpec DERECPrivateKeyItemSpecs[] = +{ + { 0, + ASN1_INTEGER, + DER_DEC_SKIP }, + { DER_OFFSET(DERECPrivateKey, privateKey), + ASN1_OCTET_STRING, + DER_DEC_NO_OPTS | DER_ENC_NO_OPTS }, + { 0, + ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0, + DER_DEC_SKIP | DER_ENC_NO_OPTS }, + { DER_OFFSET(DERECPrivateKey, publicKey), + ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1, + DER_DEC_NO_OPTS | DER_ENC_SIGNED_INT }, +}; +static const DERSize DERNumECPrivateKeyItemSpecs = +sizeof(DERECPrivateKeyItemSpecs) / sizeof(DERItemSpec); + +typedef struct { + DERItem bitString; +} DERECPrivateKeyPublicKey; + +static const DERItemSpec DERECPrivateKeyPublicKeyItemSpecs[] = { - return SecKeyGetCFClassTypeID(); + { DER_OFFSET(DERECPrivateKeyPublicKey, bitString), + ASN1_BIT_STRING, + DER_DEC_NO_OPTS | DER_ENC_NO_OPTS }, +}; +static const DERSize DERNumECPrivateKeyPublicKeyItemSpecs = +sizeof(DERECPrivateKeyPublicKeyItemSpecs) / sizeof(DERItemSpec); + +static CFDataRef +SecCDSAKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) { + + BEGIN_SECKEYAPI(CFDataRef, NULL) + + result = NULL; + const CssmKey::Header header = key->key->unverifiedKeyHeader(); + CFRef<CFDataRef> keyData; + switch (header.algorithm()) { + case 
CSSM_ALGID_RSA: + MacOSError::check(SecItemExport(key, kSecFormatOpenSSL, 0, NULL, keyData.take())); + break; + case CSSM_ALGID_ECDSA: { + MacOSError::check(SecItemExport(key, kSecFormatOpenSSL, 0, NULL, keyData.take())); + if (header.keyClass() == CSSM_KEYCLASS_PRIVATE_KEY) { + // Convert DER format into x9.63 format, which is expected for exported key. + DERItem keyItem = { (DERByte *)CFDataGetBytePtr(keyData), CFDataGetLength(keyData) }; + DERECPrivateKey privateKey; + DERECPrivateKeyPublicKey privateKeyPublicKey; + DERByte numUnused; + DERItem pubKeyItem; + if (DERParseSequence(&keyItem, DERNumECPrivateKeyItemSpecs, DERECPrivateKeyItemSpecs, + &privateKey, sizeof(privateKey)) == DR_Success && + DERParseSequenceContent(&privateKey.publicKey, DERNumECPrivateKeyPublicKeyItemSpecs, + DERECPrivateKeyPublicKeyItemSpecs, + &privateKeyPublicKey, sizeof(privateKeyPublicKey)) == DR_Success && + DERParseBitString(&privateKeyPublicKey.bitString, &pubKeyItem, &numUnused) == DR_Success) { + CFRef<CFMutableDataRef> key = CFDataCreateMutable(kCFAllocatorDefault, + pubKeyItem.length + privateKey.privateKey.length); + CFDataSetLength(key, pubKeyItem.length + privateKey.privateKey.length); + CFDataReplaceBytes(key, CFRangeMake(0, pubKeyItem.length), pubKeyItem.data, pubKeyItem.length); + CFDataReplaceBytes(key, CFRangeMake(pubKeyItem.length, privateKey.privateKey.length), + privateKey.privateKey.data, privateKey.privateKey.length); + keyData = key.as<CFDataRef>(); + } + } + break; + } + default: + MacOSError::throwMe(errSecUnimplemented); + } + + if (header.keyClass() == CSSM_KEYCLASS_PUBLIC_KEY) { + result = SecCDSAKeyCopyPublicKeyDataFromSubjectInfo(keyData); + } else { + result = keyData.yield(); + } + + END_SECKEYAPI +} + +static CFDataRef SecCDSAKeyCopyLabel(SecKeyRef key) { + CFDataRef label = NULL; + if (key->key->isPersistent()) { + UInt32 tags[] = { kSecKeyLabel }, formats[] = { CSSM_DB_ATTRIBUTE_FORMAT_BLOB }; + SecKeychainAttributeInfo info = { 1, tags, formats }; + 
SecKeychainAttributeList *list = NULL; + key->key->getAttributesAndData(&info, NULL, &list, NULL, NULL); + if (list->count == 1) { + SecKeychainAttribute *attr = list->attr; + label = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)attr->data, (CFIndex)attr->length); + } + key->key->freeAttributesAndData(list, NULL); + } + return label; +} + +static CFDictionaryRef +SecCDSAKeyCopyAttributeDictionary(SecKeyRef key) { + + CFErrorRef *error = NULL; + BEGIN_SECKEYAPI(CFDictionaryRef, NULL) + + CFMutableDictionaryRef dict = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + + CFDictionarySetValue(dict, kSecClass, kSecClassKey); + + const CssmKey::Header header = key->key->unverifiedKeyHeader(); + CFIndex sizeValue = header.LogicalKeySizeInBits; + CFRef<CFNumberRef> sizeInBits = CFNumberCreate(NULL, kCFNumberCFIndexType, &sizeValue); + CFDictionarySetValue(dict, kSecAttrKeySizeInBits, sizeInBits); + CFDictionarySetValue(dict, kSecAttrEffectiveKeySize, sizeInBits); + + CFRef<CFDataRef> label = SecCDSAKeyCopyLabel(key); + if (!label) { + // For floating keys, calculate label as SHA1 of pubkey bytes. + CFRef<CFDataRef> pubKeyBlob; + if (SecCDSAKeyCopyPublicBytes(key, pubKeyBlob.take()) == errSecSuccess) { + uint8_t pubKeyHash[CC_SHA1_DIGEST_LENGTH]; + CC_SHA1(CFDataGetBytePtr(pubKeyBlob), CC_LONG(CFDataGetLength(pubKeyBlob)), pubKeyHash); + label.take(CFDataCreate(kCFAllocatorDefault, pubKeyHash, sizeof(pubKeyHash))); + } + } + + if (label) { + CFDictionarySetValue(dict, kSecAttrApplicationLabel, label); + } + + CSSM_KEYATTR_FLAGS attrs = header.attributes(); + CFDictionarySetValue(dict, kSecAttrIsPermanent, (attrs & CSSM_KEYATTR_PERMANENT) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrIsPrivate, (attrs & CSSM_KEYATTR_PRIVATE) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrIsModifiable, (attrs & CSSM_KEYATTR_MODIFIABLE) ? 
kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrIsSensitive, (attrs & CSSM_KEYATTR_SENSITIVE) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrIsExtractable, (attrs & CSSM_KEYATTR_EXTRACTABLE) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrWasAlwaysSensitive, (attrs & CSSM_KEYATTR_ALWAYS_SENSITIVE) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrWasNeverExtractable, (attrs & CSSM_KEYATTR_NEVER_EXTRACTABLE) ? kCFBooleanTrue : kCFBooleanFalse); + + CFDictionarySetValue(dict, kSecAttrCanEncrypt, (header.useFor(CSSM_KEYUSE_ENCRYPT)) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrCanDecrypt, (header.useFor(CSSM_KEYUSE_DECRYPT)) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrCanSign, (header.useFor(CSSM_KEYUSE_SIGN)) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrCanVerify, (header.useFor(CSSM_KEYUSE_VERIFY)) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrCanSignRecover, (header.useFor(CSSM_KEYUSE_SIGN_RECOVER)) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrCanVerifyRecover, (header.useFor(CSSM_KEYUSE_VERIFY_RECOVER)) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrCanWrap, (header.useFor(CSSM_KEYUSE_WRAP)) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrCanUnwrap, (header.useFor(CSSM_KEYUSE_UNWRAP)) ? kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(dict, kSecAttrCanDerive, (header.useFor(CSSM_KEYUSE_DERIVE)) ? 
kCFBooleanTrue : kCFBooleanFalse); + + switch (header.keyClass()) { + case CSSM_KEYCLASS_PUBLIC_KEY: + CFDictionarySetValue(dict, kSecAttrKeyClass, kSecAttrKeyClassPublic); + break; + case CSSM_KEYCLASS_PRIVATE_KEY: + CFDictionarySetValue(dict, kSecAttrKeyClass, kSecAttrKeyClassPrivate); + break; + } + + switch (header.algorithm()) { + case CSSM_ALGID_RSA: + CFDictionarySetValue(dict, kSecAttrKeyType, kSecAttrKeyTypeRSA); + break; + case CSSM_ALGID_ECDSA: + CFDictionarySetValue(dict, kSecAttrKeyType, kSecAttrKeyTypeECDSA); + break; + } + + CFRef<CFDataRef> keyData; + if (SecItemExport(key, kSecFormatOpenSSL, 0, NULL, keyData.take()) == errSecSuccess) { + CFDictionarySetValue(dict, kSecValueData, keyData); + } + + if (header.algorithm() == CSSM_ALGID_RSA && header.keyClass() == CSSM_KEYCLASS_PUBLIC_KEY && + header.blobType() == CSSM_KEYBLOB_RAW) { + const CssmData &keyData = key->key->key()->keyData(); + DERItem keyItem = { static_cast<DERByte *>(keyData.data()), keyData.length() }; + DERRSAPubKeyPKCS1 decodedKey; + if (DERParseSequence(&keyItem, DERNumRSAPubKeyPKCS1ItemSpecs, + DERRSAPubKeyPKCS1ItemSpecs, + &decodedKey, sizeof(decodedKey)) == DR_Success) { + CFRef<CFDataRef> modulus = CFDataCreate(kCFAllocatorDefault, decodedKey.modulus.data, + decodedKey.modulus.length); + CFDictionarySetValue(dict, CFSTR("_rsam"), modulus); + CFRef<CFDataRef> exponent = CFDataCreate(kCFAllocatorDefault, decodedKey.pubExponent.data, + decodedKey.pubExponent.length); + CFDictionarySetValue(dict, CFSTR("_rsae"), exponent); + } + } + + result = dict; + + END_SECKEYAPI +} + +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunused-const-variable" +static CSSM_DB_NAME_ATTR(kInfoKeyLabel, kSecKeyLabel, (char*) "Label", 0, NULL, BLOB); +#pragma clang diagnostic pop + +static SecKeyRef SecCDSAKeyCopyPublicKey(SecKeyRef privateKey) { + CFErrorRef *error; + BEGIN_SECKEYAPI(SecKeyRef, NULL) + + result = NULL; + KeyItem *key = privateKey->key; + CFRef<CFDataRef> label = 
SecCDSAKeyCopyLabel(privateKey); + if (label) { + // Lookup public key in the database. + DbUniqueRecord uniqueId; + SSDb ssDb(dynamic_cast<SSDbImpl *>(&(*key->keychain()->database()))); + SSDbCursor dbCursor(ssDb, 1); + dbCursor->recordType(CSSM_DL_DB_RECORD_PUBLIC_KEY); + dbCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, CssmData(CFDataRef(label))); + if (dbCursor->next(NULL, NULL, uniqueId)) { + Item publicKey = key->keychain()->item(CSSM_DL_DB_RECORD_PUBLIC_KEY, uniqueId); + result = reinterpret_cast<SecKeyRef>(publicKey->handle()); + } + } else if (key->publicKey()) { + KeyItem *publicKey = new KeyItem(key->publicKey()); + result = reinterpret_cast<SecKeyRef>(publicKey->handle()); + } + + END_SECKEYAPI +} + +static KeyItem *SecCDSAKeyPrepareParameters(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, + CSSM_ALGORITHMS &baseAlgorithm, CSSM_ALGORITHMS &secondaryAlgorithm, + CSSM_ALGORITHMS &paddingAlgorithm) { + KeyItem *keyItem = key->key; + CSSM_KEYCLASS keyClass = keyItem->key()->header().keyClass(); + baseAlgorithm = keyItem->key()->header().algorithm(); + switch (baseAlgorithm) { + case CSSM_ALGID_RSA: + if ((keyClass == CSSM_KEYCLASS_PRIVATE_KEY && operation == kSecKeyOperationTypeSign) || + (keyClass == CSSM_KEYCLASS_PUBLIC_KEY && operation == kSecKeyOperationTypeVerify)) { + if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureRaw)) { + secondaryAlgorithm = CSSM_ALGID_NONE; + paddingAlgorithm = CSSM_PADDING_NONE; + } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw)) { + secondaryAlgorithm = CSSM_ALGID_NONE; + paddingAlgorithm = CSSM_PADDING_PKCS1; + } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1)) { + secondaryAlgorithm = CSSM_ALGID_SHA1; + paddingAlgorithm = CSSM_PADDING_PKCS1; + } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224)) { + secondaryAlgorithm = CSSM_ALGID_SHA224; + paddingAlgorithm = CSSM_PADDING_PKCS1; + } else if (CFEqual(algorithm, 
kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256)) { + secondaryAlgorithm = CSSM_ALGID_SHA256; + paddingAlgorithm = CSSM_PADDING_PKCS1; + } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384)) { + secondaryAlgorithm = CSSM_ALGID_SHA384; + paddingAlgorithm = CSSM_PADDING_PKCS1; + } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512)) { + secondaryAlgorithm = CSSM_ALGID_SHA512; + paddingAlgorithm = CSSM_PADDING_PKCS1; + } else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5)) { + secondaryAlgorithm = CSSM_ALGID_MD5; + paddingAlgorithm = CSSM_PADDING_PKCS1; + } else { + return NULL; + } + } else if ((keyClass == CSSM_KEYCLASS_PRIVATE_KEY && operation == kSecKeyOperationTypeDecrypt) || + (keyClass == CSSM_KEYCLASS_PUBLIC_KEY && operation == kSecKeyOperationTypeEncrypt)) { + if (CFEqual(algorithm, kSecKeyAlgorithmRSAEncryptionRaw)) { + secondaryAlgorithm = CSSM_ALGID_NONE; + paddingAlgorithm = CSSM_PADDING_NONE; + } else if (CFEqual(algorithm, kSecKeyAlgorithmRSAEncryptionPKCS1)) { + secondaryAlgorithm = CSSM_ALGID_NONE; + paddingAlgorithm = CSSM_PADDING_PKCS1; + } else { + return NULL; + } + } else { + return NULL; + } + break; + case CSSM_ALGID_ECDSA: + if ((keyClass == CSSM_KEYCLASS_PRIVATE_KEY && operation == kSecKeyOperationTypeSign) || + (keyClass == CSSM_KEYCLASS_PUBLIC_KEY && operation == kSecKeyOperationTypeVerify)) { + if (CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureRFC4754)) { + secondaryAlgorithm = CSSM_ALGID_NONE; + paddingAlgorithm = CSSM_PADDING_SIGRAW; + } else if (CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureDigestX962)) { + secondaryAlgorithm = CSSM_ALGID_NONE; + paddingAlgorithm = CSSM_PADDING_PKCS1; + } else { + return NULL; + } + } else if (keyClass == CSSM_KEYCLASS_PRIVATE_KEY && operation == kSecKeyOperationTypeKeyExchange) { + if (CFEqual(algorithm,kSecKeyAlgorithmECDHKeyExchangeStandard) || + CFEqual(algorithm, kSecKeyAlgorithmECDHKeyExchangeCofactor)) { + 
baseAlgorithm = CSSM_ALGID_ECDH; + } else if (CFEqual(algorithm, kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1) || + CFEqual(algorithm, kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1)) { + baseAlgorithm = CSSM_ALGID_ECDH_X963_KDF; + } else { + return NULL; + } + } else { + return NULL; + } + break; + default: + MacOSError::throwMe(errSecParam); + } + return keyItem; +} + +static CFDataRef +SecCDSAKeyCopyPaddedPlaintext(SecKeyRef key, CFDataRef plaintext, SecKeyAlgorithm algorithm) { + CFIndex blockSize = key->key->key().header().LogicalKeySizeInBits / 8; + CFIndex plaintextLength = CFDataGetLength(plaintext); + if ((algorithm == kSecKeyAlgorithmRSAEncryptionRaw || algorithm == kSecKeyAlgorithmRSASignatureRaw) + && plaintextLength < blockSize) { + // Pre-pad with zeroes. + CFMutableDataRef result(CFDataCreateMutable(kCFAllocatorDefault, blockSize)); + CFDataSetLength(result, blockSize); + CFDataReplaceBytes(result, CFRangeMake(blockSize - plaintextLength, plaintextLength), + CFDataGetBytePtr(plaintext), plaintextLength); + return result; + } else { + return CFDataRef(CFRetain(plaintext)); + } } +static CFTypeRef SecCDSAKeyCopyOperationResult(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, + CFArrayRef allAlgorithms, SecKeyOperationMode mode, + CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { + BEGIN_SECKEYAPI(CFTypeRef, kCFNull) + CSSM_ALGORITHMS baseAlgorithm, secondaryAlgorithm, paddingAlgorithm; + KeyItem *keyItem = SecCDSAKeyPrepareParameters(key, operation, algorithm, baseAlgorithm, secondaryAlgorithm, paddingAlgorithm); + if (keyItem == NULL) { + // Operation/algorithm/key combination is not supported. + return kCFNull; + } else if (mode == kSecKeyOperationModeCheckIfSupported) { + // Operation is supported and caller wants to just know that. 
+ return kCFBooleanTrue; + } + + switch (operation) { + case kSecKeyOperationTypeSign: { + CssmClient::Sign signContext(keyItem->csp(), baseAlgorithm, secondaryAlgorithm); + signContext.key(keyItem->key()); + signContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_SIGN, kSecCredentialTypeDefault)); + signContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlgorithm); + CFRef<CFDataRef> input = SecCDSAKeyCopyPaddedPlaintext(key, CFRef<CFDataRef>::check(in1, errSecParam), algorithm); + CssmAutoData signature(signContext.allocator()); + signContext.sign(CssmData(CFDataRef(input)), signature.get()); + result = CFDataCreate(NULL, static_cast<const UInt8 *>(signature.data()), CFIndex(signature.length())); + break; + } + case kSecKeyOperationTypeVerify: { + CssmClient::Verify verifyContext(keyItem->csp(), baseAlgorithm, secondaryAlgorithm); + verifyContext.key(keyItem->key()); + verifyContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ANY, kSecCredentialTypeDefault)); + verifyContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlgorithm); + CFRef<CFDataRef> input = SecCDSAKeyCopyPaddedPlaintext(key, CFRef<CFDataRef>::check(in1, errSecParam), algorithm); + verifyContext.verify(CssmData(CFDataRef(input)), CssmData(CFRef<CFDataRef>::check(in2, errSecParam))); + result = kCFBooleanTrue; + break; + } + case kSecKeyOperationTypeEncrypt: { + CssmClient::Encrypt encryptContext(keyItem->csp(), baseAlgorithm); + encryptContext.key(keyItem->key()); + encryptContext.padding(paddingAlgorithm); + encryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ENCRYPT, kSecCredentialTypeDefault)); + CFRef<CFDataRef> input = SecCDSAKeyCopyPaddedPlaintext(key, CFRef<CFDataRef>::check(in1, errSecParam), algorithm); + CssmAutoData output(encryptContext.allocator()), remainingData(encryptContext.allocator()); + size_t length = encryptContext.encrypt(CssmData(CFDataRef(input)), output.get(), remainingData.get()); + result = CFDataCreateMutable(kCFAllocatorDefault, output.length() + 
remainingData.length()); + CFDataAppendBytes(CFMutableDataRef(result), static_cast<const UInt8 *>(output.data()), output.length()); + CFDataAppendBytes(CFMutableDataRef(result), static_cast<const UInt8 *>(remainingData.data()), remainingData.length()); + CFDataSetLength(CFMutableDataRef(result), length); + break; + } + case kSecKeyOperationTypeDecrypt: { + CssmClient::Decrypt decryptContext(keyItem->csp(), baseAlgorithm); + decryptContext.key(keyItem->key()); + decryptContext.padding(paddingAlgorithm); + decryptContext.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_DECRYPT, kSecCredentialTypeDefault)); + CssmAutoData output(decryptContext.allocator()), remainingData(decryptContext.allocator()); + size_t length = decryptContext.decrypt(CssmData(CFRef<CFDataRef>::check(in1, errSecParam)), + output.get(), remainingData.get()); + result = CFDataCreateMutable(kCFAllocatorDefault, output.length() + remainingData.length()); + CFDataAppendBytes(CFMutableDataRef(result), static_cast<const UInt8 *>(output.data()), output.length()); + CFDataAppendBytes(CFMutableDataRef(result), static_cast<const UInt8 *>(remainingData.data()), remainingData.length()); + CFDataSetLength(CFMutableDataRef(result), length); + break; + } + case kSecKeyOperationTypeKeyExchange: { + CFIndex requestedLength = 0; + CssmData sharedInfo; + switch (baseAlgorithm) { + case CSSM_ALGID_ECDH: + requestedLength = (keyItem->key().header().LogicalKeySizeInBits + 7) / 8; + break; + case CSSM_ALGID_ECDH_X963_KDF: + CFDictionaryRef params = CFRef<CFDictionaryRef>::check(in2, errSecParam); + CFTypeRef value = params ? 
CFDictionaryGetValue(params, kSecKeyKeyExchangeParameterRequestedSize) : NULL; + if (value == NULL || CFGetTypeID(value) != CFNumberGetTypeID() || + !CFNumberGetValue(CFNumberRef(value), kCFNumberCFIndexType, &requestedLength)) { + MacOSError::throwMe(errSecParam); + } + value = CFDictionaryGetValue(params, kSecKeyKeyExchangeParameterSharedInfo); + if (value != NULL && CFGetTypeID(value) == CFDataGetTypeID()) { + sharedInfo = CssmData(CFDataRef(value)); + } + break; + } + + CssmClient::DeriveKey derive(keyItem->csp(), baseAlgorithm, CSSM_ALGID_AES, uint32(requestedLength * 8)); + derive.key(keyItem->key()); + derive.cred(keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_DERIVE, kSecCredentialTypeDefault)); + derive.salt(sharedInfo); + CssmData param(CFRef<CFDataRef>::check(in1, errSecParam)); + Key derivedKey = derive(¶m, KeySpec(CSSM_KEYUSE_ANY, CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE)); + + // Export raw data of newly derived key (by wrapping with an empty key). + CssmClient::WrapKey wrapper(keyItem->csp(), CSSM_ALGID_NONE); + Key wrappedKey = wrapper(derivedKey); + result = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)wrappedKey->data(), CFIndex(wrappedKey->length())); + break; + } + default: + break; + } + + END_SECKEYAPI +} + +static Boolean SecCDSAIsEqual(SecKeyRef key1, SecKeyRef key2) { + CFErrorRef *error; + BEGIN_SECKEYAPI(Boolean, false) + + result = key1->key->equal(*key2->key); + + END_SECKEYAPI +} + +const SecKeyDescriptor kSecCDSAKeyDescriptor = { + .version = kSecKeyDescriptorVersion, + .name = "CDSAKey", + + .init = SecCDSAKeyInit, + .destroy = SecCDSAKeyDestroy, + .blockSize = SecCDSAKeyGetBlockSize, + .getAlgorithmID = SecCDSAKeyGetAlgorithmId, + .copyDictionary = SecCDSAKeyCopyAttributeDictionary, + .copyPublic = SecCDSAKeyCopyPublicBytes, + .copyExternalRepresentation = SecCDSAKeyCopyExternalRepresentation, + .copyPublicKey = SecCDSAKeyCopyPublicKey, + .copyOperationResult = SecCDSAKeyCopyOperationResult, + .isEqual = 
SecCDSAIsEqual, +}; + +namespace Security { + namespace KeychainCore { + SecCFObject *KeyItem::fromSecKeyRef(CFTypeRef ptr) { + if (ptr == NULL || CFGetTypeID(ptr) != SecKeyGetTypeID()) { + return NULL; + } + + SecKeyRef key = static_cast<SecKeyRef>(const_cast<void *>(ptr)); + if (key->key_class == &kSecCDSAKeyDescriptor) { + return static_cast<SecCFObject *>(key->key); + } + + if (key->cdsaKey == NULL) { + // Create CDSA key from exported data of existing key. + CFRef<CFDataRef> keyData = SecKeyCopyExternalRepresentation(key, NULL); + CFRef<CFDictionaryRef> keyAttributes = SecKeyCopyAttributes(key); + if (keyData && keyAttributes) { + key->cdsaKey = SecKeyCreateFromData(keyAttributes, keyData, NULL); + } + } + + return (key->cdsaKey != NULL) ? key->cdsaKey->key : NULL; + } + + // You need to hold this key's MutexForObject when you run this + void KeyItem::attachSecKeyRef() const { + SecKeyRef key = SecKeyCreate(NULL, &kSecCDSAKeyDescriptor, reinterpret_cast<const uint8_t *>(this), 0, 0); + key->key->mWeakSecKeyRef = key; + } + + } +} + +extern "C" Boolean SecKeyIsCDSAKey(SecKeyRef ref); +Boolean SecKeyIsCDSAKey(SecKeyRef ref) { + return ref->key_class == &kSecCDSAKeyDescriptor; +} + + static OSStatus SecKeyCreatePairInternal( SecKeychainRef keychainRef, CSSM_ALGORITHMS algorithm, 
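Review bot: In `SecCDSAKeyCopyPublicKeyDataWithSubjectInfo` the P-384 and P-521 branches set `subjPubKey.algId.length = sizeof(oidECsecp256)` (19) while pointing `algId.data` at `oidECsecp384`/`oidECsecp521`, which are 16-byte arrays, so `DEREncodeSequence` reads three bytes past the end of the static array and emits a malformed AlgorithmIdentifier for those curves. The two lines should be `subjPubKey.algId.length = sizeof(oidECsecp384);` and `subjPubKey.algId.length = sizeof(oidECsecp521);`, and the `} if (keySizeInBits == 521) {` that follows the 384 branch should be `} else if (keySizeInBits == 521) {`. Separately, in the RSA private-key branch of `SecCDSAKeyCopyPublicBytes`, when `DERParseSequence` fails the function still returns `errSecSuccess` with `*serialization` untouched; mirror the ECDSA branch by setting `*serialization = NULL;` first and returning `errSecParam` on parse failure.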
@@ -82,24 +809,18 @@ static OSStatus SecKeyCreatePairInternal( { BEGIN_SECAPI - Keychain keychain = Keychain::optional(keychainRef); - SecPointer<Access> theAccess(initialAccess ? Access::required(initialAccess) : new Access("<key>")); - SecPointer<KeyItem> pubItem, privItem; - - Mutex *keychainMutex = keychain->getKeychainMutex(); - StLock<Mutex> _(*keychainMutex); - - KeyItem::createPair(keychain, - algorithm, - keySizeInBits, - contextHandle, - publicKeyUsage, - publicKeyAttr, - privateKeyUsage, - privateKeyAttr, - theAccess, - pubItem, - privItem); + Keychain keychain; + SecPointer<Access> theAccess(initialAccess ? Access::required(initialAccess) : new Access("<key>")); + SecPointer<KeyItem> pubItem, privItem; + if (((publicKeyAttr | privateKeyAttr) & CSSM_KEYATTR_PERMANENT) != 0) { + keychain = Keychain::optional(keychainRef); + StLock<Mutex> _(*keychain->getKeychainMutex()); + KeyItem::createPair(keychain, algorithm, keySizeInBits, contextHandle, publicKeyUsage, publicKeyAttr, + privateKeyUsage, privateKeyAttr, theAccess, pubItem, privItem); + } else { + KeyItem::createPair(keychain, algorithm, keySizeInBits, contextHandle, publicKeyUsage, publicKeyAttr, + privateKeyUsage, privateKeyAttr, theAccess, pubItem, privItem); + } // Return the generated keys. if (publicKeyRef) 
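Review bot: The non-permanent branch of `SecKeyCreatePairInternal` now passes a default-constructed `Keychain keychain` (never assigned, so presumably null) to `KeyItem::createPair`, whereas the removed code always resolved it through `Keychain::optional(keychainRef)`; whether `createPair` tolerates a null keychain cannot be seen from this hunk and should be confirmed. The `StLock<Mutex>` is also scoped to the permanent branch only, so the keychain mutex is released before the generated items are handed back in the code that follows the hunk. I would document the contract at the branch: `// Non-permanent keys are generated with a null Keychain; KeyItem::createPair must accept that.` The function's signature and the remainder of its body lie outside this hunk.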
@@ -164,48 +885,12 @@ SecKeyGetAlgorithmID(SecKeyRef keyRef, const CSSM_X509_ALGORITHM_IDENTIFIER **al { BEGIN_SECAPI -#if SECTRUST_OSX - if (!keyRef || (CFGetTypeID(keyRef) != SecKeyGetCFClassTypeID())) - return errSecParam; -#endif SecPointer<KeyItem> keyItem(KeyItem::required(keyRef)); Required(algid) = &keyItem->algorithmIdentifier(); END_SECAPI } -/* new for 10.8 */ -CFIndex -SecKeyGetAlgorithmId(SecKeyRef key) -{ -#if SECTRUST_OSX - if (!key) { - return kSecNullAlgorithmID; - } - else if (CFGetTypeID(key) != SecKeyGetCFClassTypeID()) { - return SecKeyGetAlgorithmIdentifier(key); - } - // else fall through, we have a CSSM-based key -#endif - - const CSSM_KEY *cssmKey; - - if (SecKeyGetCSSMKey(key, &cssmKey) != errSecSuccess) - return kSecNullAlgorithmID; - - switch (cssmKey->KeyHeader.AlgorithmId) { - case CSSM_ALGID_RSA: - return kSecRSAAlgorithmID; - case CSSM_ALGID_DSA: - return kSecDSAAlgorithmID; - case CSSM_ALGID_ECDSA: - return kSecECDSAAlgorithmID; - default: - assert(0); /* other algorithms TBA */ - return kSecNullAlgorithmID; - } -} - OSStatus SecKeyGetStrengthInBits(SecKeyRef keyRef, const CSSM_X509_ALGORITHM_IDENTIFIER *algid, unsigned int *strength) { 
@@ -318,30 +1003,6 @@ SecKeyGenerate( initialAccess, keyRef); } - -/* new in 10.6 */ -/* Create a key from supplied data and parameters */ -SecKeyRef -SecKeyCreate(CFAllocatorRef allocator, - const SecKeyDescriptor *keyClass, - const uint8_t *keyData, - CFIndex keyDataLength, - SecKeyEncoding encoding) -{ - SecKeyRef keyRef = NULL; - OSStatus __secapiresult; - try { - //FIXME: needs implementation - - __secapiresult=errSecSuccess; - } - catch (const MacOSError &err) { __secapiresult=err.osStatus(); } - catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } - catch (...) { __secapiresult=errSecInternalComponent; } - return keyRef; -} - /* new in 10.6 */ /* Generate a floating key reference from a CSSM_KEY */ OSStatus @@ -363,7 +1024,7 @@ SecKeyCreateWithCSSMKey(const CSSM_KEY *cssmKey, // Return the generated key. if (keyRef) - *keyRef = item->handle(); + *keyRef = SecKeyCreate(NULL, &kSecCDSAKeyDescriptor, (const uint8_t *)item, 0, 0); END_SECAPI } @@ -658,7 +1319,9 @@ static OSStatus GetKeyParameters(CFDictionaryRef parameters, int keySize, bool i attrs = 0; } - attrs |= CSSM_KEYATTR_PERMANENT; + if (isPermanent) { + attrs |= CSSM_KEYATTR_PERMANENT; + } return errSecSuccess; } 
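Review bot: In SecKeyCreateWithCSSMKey, `*keyRef = SecKeyCreate(NULL, &kSecCDSAKeyDescriptor, (const uint8_t *)item, 0, 0);` duplicates what `KeyItem::attachSecKeyRef` does a few hunks earlier, but skips the `mWeakSecKeyRef` back-reference and the object-mutex requirement that attachSecKeyRef's comment spells out. Unless the descriptor's init callback (not in this diff) takes care of both, route this through the same helper or the `item->handle()` the removed line used, or add a comment stating why a floating CSSM key needs no back-reference. The C-style cast from `SecPointer<KeyItem>` to `const uint8_t *` also hides whether a reference is transferred; taking the raw `KeyItem *` first and applying `reinterpret_cast<const uint8_t *>` as attachSecKeyRef does would make that explicit. SecKeyCreateWithCSSMKey starts and ends outside the hunk.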
@@ -785,11 +1448,26 @@ static OSStatus SetKeyLabelAndTag(SecKeyRef keyRef, CFTypeRef label, CFDataRef t } +static CFTypeRef GetAttributeFromParams(CFDictionaryRef parameters, CFTypeRef attr, CFTypeRef subParams) { + if (subParams != NULL) { + CFDictionaryRef subParamsDict = (CFDictionaryRef)CFDictionaryGetValue(parameters, subParams); + if (subParamsDict != NULL) { + CFTypeRef value = CFDictionaryGetValue(subParamsDict, attr); + if (value != NULL) { + return value; + } + } + } + return CFDictionaryGetValue(parameters, attr); +} + +extern "C" OSStatus SecKeyGeneratePair_ios(CFDictionaryRef parameters, SecKeyRef *publicKey, SecKeyRef *privateKey); /* new in 10.6 */ /* Generate a private/public keypair. */ -OSStatus -SecKeyGeneratePair( +static OSStatus +SecKeyGeneratePairInternal( + bool alwaysPermanent, CFDictionaryRef parameters, SecKeyRef *publicKey, SecKeyRef *privateKey) 
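Review bot: `GetAttributeFromParams` casts whatever sits under `subParams` to `CFDictionaryRef` and calls `CFDictionaryGetValue` on it without checking its type, so a caller that passes, say, an array or a string for `kSecPrivateKeyAttrs` crashes inside the framework instead of getting a parameter error. Change the lookup to `CFTypeRef sub = CFDictionaryGetValue(parameters, subParams);` guarded by `if (sub != NULL && CFGetTypeID(sub) == CFDictionaryGetTypeID()) {` and perform the cast only inside the guard. `parameters` itself arrives typed as CFDictionaryRef from the API contract, but nested values are untyped CFTypeRef and are exactly where a type check belongs. The hunk ends inside SecKeyGeneratePairInternal's parameter list.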
@@ -797,8 +1475,25 @@ SecKeyGeneratePair( BEGIN_SECAPI Required(parameters); - Required(publicKey); - Required(privateKey); + Required(publicKey); + Required(privateKey); + + CFTypeRef tokenID = GetAttributeFromParams(parameters, kSecAttrTokenID, NULL); + CFTypeRef noLegacy = GetAttributeFromParams(parameters, kSecAttrNoLegacy, NULL); + CFTypeRef sync = GetAttributeFromParams(parameters, kSecAttrSynchronizable, kSecPrivateKeyAttrs); + CFTypeRef accessControl = GetAttributeFromParams(parameters, kSecAttrAccessControl, kSecPrivateKeyAttrs) ?: + GetAttributeFromParams(parameters, kSecAttrAccessControl, kSecPublicKeyAttrs); + CFTypeRef accessGroup = GetAttributeFromParams(parameters, kSecAttrAccessGroup, kSecPrivateKeyAttrs) ?: + GetAttributeFromParams(parameters, kSecAttrAccessGroup, kSecPublicKeyAttrs); + + // If any of these attributes are present, forward the call to iOS implementation (and create keys in iOS keychain). + if (tokenID != NULL || + (noLegacy != NULL && CFBooleanGetValue((CFBooleanRef)noLegacy)) || + (sync != NULL && CFBooleanGetValue((CFBooleanRef)sync)) || + accessControl != NULL || (accessGroup != NULL && CFEqual(accessGroup, kSecAttrAccessGroupToken))) { + // Generate keys in iOS keychain. + return SecKeyGeneratePair_ios(parameters, publicKey, privateKey); + } CSSM_ALGORITHMS algorithms; uint32 keySizeInBits; 
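Review bot: `CFBooleanGetValue((CFBooleanRef)noLegacy)` and the matching `sync` check call CFBooleanGetValue on untyped dictionary values; a caller that supplies a CFNumber (a common way to spell a boolean attribute) or any other type triggers a CF type-mismatch crash rather than errSecParam. Guard each with a type check, e.g. `(noLegacy != NULL && CFGetTypeID(noLegacy) == CFBooleanGetTypeID() && CFBooleanGetValue((CFBooleanRef)noLegacy))`, or introduce a small static helper that also accepts CFNumber. The early return to `SecKeyGeneratePair_ios` also happens before the `alwaysPermanent` flag is applied later in this function, so for forwarded requests the legacy "always permanent" behaviour of SecKeyGeneratePair depends on the iOS implementation honouring kSecAttrIsPermanent itself — worth a comment at the return. SecKeyGeneratePairInternal continues outside the hunk.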
@@ -817,62 +1512,49 @@ SecKeyGeneratePair( publicKeyAttributeTagRef, privateKeyUse, privateKeyAttr, privateKeyLabelRef, privateKeyAttributeTagRef, initialAccess); - if (result != errSecSuccess) - { + if (result != errSecSuccess) { return result; } // verify keychain parameter - keychain = NULL; - if (!CFDictionaryGetValueIfPresent(parameters, kSecUseKeychain, (const void **)&keychain)) - keychain = NULL; - else if (SecKeychainGetTypeID() != CFGetTypeID(keychain)) + keychain = (SecKeychainRef)CFDictionaryGetValue(parameters, kSecUseKeychain); + if (keychain != NULL && SecKeychainGetTypeID() != CFGetTypeID(keychain)) { keychain = NULL; + } + + if (alwaysPermanent) { + publicKeyAttr |= CSSM_KEYATTR_PERMANENT; + privateKeyAttr |= CSSM_KEYATTR_PERMANENT; + } // do the key generation result = SecKeyCreatePair(keychain, algorithms, keySizeInBits, 0, publicKeyUse, publicKeyAttr, privateKeyUse, privateKeyAttr, initialAccess, publicKey, privateKey); - if (result != errSecSuccess) - { + if (result != errSecSuccess) { return result; } // set the label and print attributes on the keys - SetKeyLabelAndTag(*publicKey, publicKeyLabelRef, publicKeyAttributeTagRef); - SetKeyLabelAndTag(*privateKey, privateKeyLabelRef, privateKeyAttributeTagRef); + SetKeyLabelAndTag(*publicKey, publicKeyLabelRef, publicKeyAttributeTagRef); + SetKeyLabelAndTag(*privateKey, privateKeyLabelRef, privateKeyAttributeTagRef); return result; END_SECAPI } -/* new in 10.6 */ OSStatus -SecKeyRawSign( - SecKeyRef key, - SecPadding padding, - const uint8_t *dataToSign, - size_t dataToSignLen, - uint8_t *sig, - size_t *sigLen) -{ - BEGIN_SECAPI - - Required(key); - SecPointer<KeyItem> keyItem(KeyItem::required(key)); - CSSM_DATA dataInput; - - dataInput.Data = (uint8_t*) dataToSign; - dataInput.Length = dataToSignLen; - - CSSM_DATA output; - output.Data = sig; - output.Length = *sigLen; - - const AccessCredentials* credentials = keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_SIGN, kSecCredentialTypeDefault); - - 
keyItem->RawSign(padding, dataInput, credentials, output); - *sigLen = output.Length; +SecKeyGeneratePair(CFDictionaryRef parameters, SecKeyRef *publicKey, SecKeyRef *privateKey) { + return SecKeyGeneratePairInternal(true, parameters, publicKey, privateKey); +} - END_SECAPI +SecKeyRef +SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error) { + SecKeyRef privateKey = NULL, publicKey = NULL; + OSStatus status = SecKeyGeneratePairInternal(false, parameters, &publicKey, &privateKey); + SecError(status, error, CFSTR("failed to generate asymmetric keypair")); + if (publicKey != NULL) { + CFRelease(publicKey); + } + return privateKey; } OSStatus SecKeyRawVerifyOSX( 
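Review bot: The new `alwaysPermanent` branch silently overrides whatever `GetKeyParameters` decided from kSecAttrIsPermanent, and the reason is not stated; add above it: `// SecKeyGeneratePair has always stored the pair in a keychain regardless of kSecAttrIsPermanent; keep that for compatibility. SecKeyCreateRandomKey passes false and honours the attribute.` In SecKeyCreateRandomKey, `privateKey` is returned regardless of `status`, so the function relies on both SecKeyCreatePair and SecKeyGeneratePair_ios leaving the out-parameters NULL on failure; if either can set them and then fail, the caller receives a key and an error at once, so a defensive `if (status != errSecSuccess && privateKey != NULL) { CFRelease(privateKey); privateKey = NULL; }` before the return would make the contract explicit. Whether `SecError` leaves `*error` untouched when `status` is errSecSuccess is not visible here and should be confirmed. The hunk ends inside SecKeyRawVerifyOSX's signature.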
@@ -886,146 +1568,6 @@ OSStatus SecKeyRawVerifyOSX( return SecKeyRawVerify(key,padding,signedData,signedDataLen,sig,sigLen); } -/* new in 10.6 */ -OSStatus -SecKeyRawVerify( - SecKeyRef key, - SecPadding padding, - const uint8_t *signedData, - size_t signedDataLen, - const uint8_t *sig, - size_t sigLen) -{ - BEGIN_SECAPI - - Required(key); - - SecPointer<KeyItem> keyItem(KeyItem::required(key)); - CSSM_DATA dataInput; - - dataInput.Data = (uint8_t*) signedData; - dataInput.Length = signedDataLen; - - CSSM_DATA signature; - signature.Data = (uint8_t*) sig; - signature.Length = sigLen; - - const AccessCredentials* credentials = keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ANY, kSecCredentialTypeDefault); - - keyItem->RawVerify(padding, dataInput, credentials, signature); - - END_SECAPI -} - -/* new in 10.6 */ -OSStatus -SecKeyEncrypt( - SecKeyRef key, - SecPadding padding, - const uint8_t *plainText, - size_t plainTextLen, - uint8_t *cipherText, - size_t *cipherTextLen) -{ - BEGIN_SECAPI - - SecPointer<KeyItem> keyItem(KeyItem::required(key)); - CSSM_DATA inData, outData; - inData.Data = (uint8*) plainText; - inData.Length = plainTextLen; - outData.Data = cipherText; - outData.Length = *cipherTextLen; - - const AccessCredentials* credentials = keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_ENCRYPT, kSecCredentialTypeDefault); - - keyItem->Encrypt(padding, inData, credentials, outData); - *cipherTextLen = outData.Length; - - END_SECAPI -} - -/* new in 10.6 */ -OSStatus -SecKeyDecrypt( - SecKeyRef key, /* Private key */ - SecPadding padding, /* kSecPaddingNone, kSecPaddingPKCS1, kSecPaddingOAEP */ - const uint8_t *cipherText, - size_t cipherTextLen, /* length of cipherText */ - uint8_t *plainText, - size_t *plainTextLen) /* IN/OUT */ -{ - BEGIN_SECAPI - - SecPointer<KeyItem> keyItem(KeyItem::required(key)); - CSSM_DATA inData, outData; - inData.Data = (uint8*) cipherText; - inData.Length = cipherTextLen; - outData.Data = plainText; - outData.Length = *plainTextLen; - 
- const AccessCredentials* credentials = keyItem->getCredentials(CSSM_ACL_AUTHORIZATION_DECRYPT, kSecCredentialTypeDefault); - - keyItem->Decrypt(padding, inData, credentials, outData); - *plainTextLen = outData.Length; - - END_SECAPI -} - -/* new in 10.6 */ -size_t -SecKeyGetBlockSize(SecKeyRef key) -{ - size_t blockSize = 0; - OSStatus __secapiresult; - try { - CSSM_KEY cssmKey = KeyItem::required(key)->key(); - switch(cssmKey.KeyHeader.AlgorithmId) - { - case CSSM_ALGID_RSA: - case CSSM_ALGID_DSA: - blockSize = cssmKey.KeyHeader.LogicalKeySizeInBits / 8; - break; - case CSSM_ALGID_ECDSA: - { - /* Block size is up to 9 bytes of DER encoding for sequence of 2 integers, - * plus both coordinates for the point used */ - #define ECDSA_KEY_SIZE_IN_BYTES(bits) (((bits) + 7) / 8) - #define ECDSA_MAX_COORD_SIZE_IN_BYTES(n) (ECDSA_KEY_SIZE_IN_BYTES(n) + 1) - size_t coordSize = ECDSA_MAX_COORD_SIZE_IN_BYTES(cssmKey.KeyHeader.LogicalKeySizeInBits); - assert(coordSize < 256); /* size must fit in a byte for DER */ - size_t coordDERLen = (coordSize > 127) ? 2 : 1; - size_t coordLen = 1 + coordDERLen + coordSize; - - size_t pointSize = 2 * coordLen; - assert(pointSize < 256); /* size must fit in a byte for DER */ - size_t pointDERLen = (pointSize > 127) ? 2 : 1; - size_t pointLen = 1 + pointDERLen + pointSize; - - blockSize = pointLen; - } - break; - case CSSM_ALGID_AES: - blockSize = 16; /* all AES keys use 128-bit blocks */ - break; - case CSSM_ALGID_DES: - case CSSM_ALGID_3DES_3KEY: - blockSize = 8; /* all DES keys use 64-bit blocks */ - break; - default: - assert(0); /* some other key algorithm */ - blockSize = 16; /* FIXME: revisit this */ - break; - } - __secapiresult=errSecSuccess; - } - catch (const MacOSError &err) { __secapiresult=err.osStatus(); } - catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } - catch (...) 
{ __secapiresult=errSecInternalComponent; } - return blockSize; -} - - /* M4 Additions */ @@ -1310,14 +1852,19 @@ SecKeyCreateFromData(CFDictionaryRef parameters, CFDataRef keyData, CFErrorRef * memset(&iparam, 0, sizeof(iparam)); iparam.keyUsage = keyUsage; + CFRef<CFDataRef> data; SecExternalItemType itype; switch (keyClass) { case CSSM_KEYCLASS_PRIVATE_KEY: itype = kSecItemTypePrivateKey; break; - case CSSM_KEYCLASS_PUBLIC_KEY: + case CSSM_KEYCLASS_PUBLIC_KEY: { itype = kSecItemTypePublicKey; - break; + // Public key import expects public key in SubjPublicKey X509 format. We want to accept both bare and x509 format, + // so we have to detect bare format here and extend to full X509 if detected. + data.take(SecCDSAKeyCopyPublicKeyDataWithSubjectInfo(algorithm, keySizeInBits, keyData)); + break; + } case CSSM_KEYCLASS_SESSION_KEY: itype = kSecItemTypeSessionKey; break; @@ -1328,7 +1875,7 @@ SecKeyCreateFromData(CFDictionaryRef parameters, CFDataRef keyData, CFErrorRef * CFMutableArrayRef ka = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); // NOTE: if we had a way to specify values other then kSecFormatUnknown we might be more useful. - crtn = impExpImportRawKey(keyData, kSecFormatUnknown, itype, algorithm, NULL, cspHandle, 0, NULL, NULL, ka); + crtn = impExpImportRawKey(data ? CFDataRef(data) : keyData, kSecFormatUnknown, itype, algorithm, NULL, cspHandle, 0, NULL, NULL, ka); if (crtn == CSSM_OK && CFArrayGetCount((CFArrayRef)ka)) { SecKeyRef sk = (SecKeyRef)CFArrayGetValueAtIndex((CFArrayRef)ka, 0); CFRetain(sk); 
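Review bot: `impExpImportRawKey(data ? CFDataRef(data) : keyData, ...)` treats a NULL from `SecCDSAKeyCopyPublicKeyDataWithSubjectInfo` as "keyData is already SubjectPublicKeyInfo", but that helper (not in this diff) may also return NULL on allocation failure or on bytes it cannot parse, and those raw bytes then reach the importer unchanged. That is acceptable only if the importer rejects them itself, so state the contract at the `data.take(...)` line: `// NULL means keyData was not recognised as a bare key (already SubjectPublicKeyInfo, or unparsable): import it unchanged and let impExpImportRawKey reject it.` SecKeyCreateFromData starts and ends outside these hunks.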
@@ -1483,806 +2030,3 @@ SecKeyUnwrapSymmetric(CFDataRef *keyToUnwrap, SecKeyRef unwrappingKey, CFDiction *error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecUnimplemented, NULL); return NULL; } - - -/* iOS SecKey shim functions */ - -#define MAX_DIGEST_LEN (CC_SHA512_DIGEST_LENGTH) - -/* Currently length of SHA512 oid + 1 */ -#define MAX_OID_LEN (10) - -#define DER_MAX_DIGEST_INFO_LEN (10 + MAX_DIGEST_LEN + MAX_OID_LEN) - -/* Encode the digestInfo header into digestInfo and return the offset from - digestInfo at which to put the actual digest. Returns 0 if digestInfo - won't fit within digestInfoLength bytes. - - 0x30, topLen, - 0x30, algIdLen, - 0x06, oid.Len, oid.Data, - 0x05, 0x00 - 0x04, digestLen - digestData - */ -static size_t DEREncodeDigestInfoPrefix(const SecAsn1Oid *oid, - size_t digestLength, - uint8_t *digestInfo, - size_t digestInfoLength) -{ - size_t algIdLen = oid->Length + 4; - size_t topLen = algIdLen + digestLength + 4; - size_t totalLen = topLen + 2; - - if (totalLen > digestInfoLength) { - return 0; - } - - size_t ix = 0; - digestInfo[ix++] = (SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED); - digestInfo[ix++] = topLen; - digestInfo[ix++] = (SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED); - digestInfo[ix++] = algIdLen; - digestInfo[ix++] = SEC_ASN1_OBJECT_ID; - digestInfo[ix++] = oid->Length; - memcpy(&digestInfo[ix], oid->Data, oid->Length); - ix += oid->Length; - digestInfo[ix++] = SEC_ASN1_NULL; - digestInfo[ix++] = 0; - digestInfo[ix++] = SEC_ASN1_OCTET_STRING; - digestInfo[ix++] = digestLength; - - return ix; -} - -static OSStatus SecKeyGetDigestInfo(SecKeyRef key, const SecAsn1AlgId *algId, - const uint8_t *data, size_t dataLen, bool digestData, - uint8_t *digestInfo, size_t *digestInfoLen /* IN/OUT */) -{ - unsigned char *(*digestFcn)(const void *, CC_LONG, unsigned char *); - CFIndex keyAlgID = kSecNullAlgorithmID; - const SecAsn1Oid *digestOid; - size_t digestLen; - size_t offset = 0; - - /* Since these oids all have the same prefix, use 
switch. */ - if ((algId->algorithm.Length == CSSMOID_RSA.Length) && - !memcmp(algId->algorithm.Data, CSSMOID_RSA.Data, - algId->algorithm.Length - 1)) { - keyAlgID = kSecRSAAlgorithmID; - switch (algId->algorithm.Data[algId->algorithm.Length - 1]) { -#if 0 - case 2: /* oidMD2WithRSA */ - digestFcn = CC_MD2; - digestLen = CC_MD2_DIGEST_LENGTH; - digestOid = &CSSMOID_MD2; - break; - case 3: /* oidMD4WithRSA */ - digestFcn = CC_MD4; - digestLen = CC_MD4_DIGEST_LENGTH; - digestOid = &CSSMOID_MD4; - break; - case 4: /* oidMD5WithRSA */ - digestFcn = CC_MD5; - digestLen = CC_MD5_DIGEST_LENGTH; - digestOid = &CSSMOID_MD5; - break; -#endif /* 0 */ - case 5: /* oidSHA1WithRSA */ - digestFcn = CC_SHA1; - digestLen = CC_SHA1_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA1; - break; - case 11: /* oidSHA256WithRSA */ - digestFcn = CC_SHA256; - digestLen = CC_SHA256_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA256; - break; - case 12: /* oidSHA384WithRSA */ - /* pkcs1 12 */ - digestFcn = CC_SHA384; - digestLen = CC_SHA384_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA384; - break; - case 13: /* oidSHA512WithRSA */ - digestFcn = CC_SHA512; - digestLen = CC_SHA512_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA512; - break; - case 14: /* oidSHA224WithRSA */ - digestFcn = CC_SHA224; - digestLen = CC_SHA224_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA224; - break; - default: - secdebug("key", "unsupported rsa signature algorithm"); - return errSecUnsupportedAlgorithm; - } - } else if ((algId->algorithm.Length == CSSMOID_ECDSA_WithSHA224.Length) && - !memcmp(algId->algorithm.Data, CSSMOID_ECDSA_WithSHA224.Data, - algId->algorithm.Length - 1)) { - keyAlgID = kSecECDSAAlgorithmID; - switch (algId->algorithm.Data[algId->algorithm.Length - 1]) { - case 1: /* oidSHA224WithECDSA */ - digestFcn = CC_SHA224; - digestLen = CC_SHA224_DIGEST_LENGTH; - break; - case 2: /* oidSHA256WithECDSA */ - digestFcn = CC_SHA256; - digestLen = CC_SHA256_DIGEST_LENGTH; - break; - case 3: /* oidSHA384WithECDSA */ - /* pkcs1 12 */ - 
digestFcn = CC_SHA384; - digestLen = CC_SHA384_DIGEST_LENGTH; - break; - case 4: /* oidSHA512WithECDSA */ - digestFcn = CC_SHA512; - digestLen = CC_SHA512_DIGEST_LENGTH; - break; - default: - secdebug("key", "unsupported ecdsa signature algorithm"); - return errSecUnsupportedAlgorithm; - } - } else if (SecAsn1OidCompare(&algId->algorithm, &CSSMOID_ECDSA_WithSHA1)) { - keyAlgID = kSecECDSAAlgorithmID; - digestFcn = CC_SHA1; - digestLen = CC_SHA1_DIGEST_LENGTH; - } else if (SecAsn1OidCompare(&algId->algorithm, &CSSMOID_SHA1)) { - digestFcn = CC_SHA1; - digestLen = CC_SHA1_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA1; - } else if ((algId->algorithm.Length == CSSMOID_SHA224.Length) && - !memcmp(algId->algorithm.Data, CSSMOID_SHA224.Data, algId->algorithm.Length - 1)) - { - switch (algId->algorithm.Data[algId->algorithm.Length - 1]) { - case 4: /* OID_SHA224 */ - digestFcn = CC_SHA224; - digestLen = CC_SHA224_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA224; - break; - case 1: /* OID_SHA256 */ - digestFcn = CC_SHA256; - digestLen = CC_SHA256_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA256; - break; - case 2: /* OID_SHA384 */ - /* pkcs1 12 */ - digestFcn = CC_SHA384; - digestLen = CC_SHA384_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA384; - break; - case 3: /* OID_SHA512 */ - digestFcn = CC_SHA512; - digestLen = CC_SHA512_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA512; - break; - default: - secdebug("key", "unsupported sha-2 signature algorithm"); - return errSecUnsupportedAlgorithm; - } - } else if (SecAsn1OidCompare(&algId->algorithm, &CSSMOID_MD5)) { - digestFcn = CC_MD5; - digestLen = CC_MD5_DIGEST_LENGTH; - digestOid = &CSSMOID_MD5; - } else { - secdebug("key", "unsupported digesting algorithm"); - return errSecUnsupportedAlgorithm; - } - - /* check key is appropriate for signature (superfluous for digest only oid) */ - { - CFIndex supportedKeyAlgID = kSecNullAlgorithmID; - #if TARGET_OS_EMBEDDED - supportedKeyAlgID = SecKeyGetAlgorithmID(key); - #else - const CSSM_KEY* 
temporaryKey; - SecKeyGetCSSMKey(key, &temporaryKey); - CSSM_ALGORITHMS tempAlgorithm = temporaryKey->KeyHeader.AlgorithmId; - if (CSSM_ALGID_RSA == tempAlgorithm) { - supportedKeyAlgID = kSecRSAAlgorithmID; - } else if (CSSM_ALGID_ECDSA == tempAlgorithm) { - supportedKeyAlgID = kSecECDSAAlgorithmID; - } - #endif - - if (keyAlgID == kSecNullAlgorithmID) { - keyAlgID = supportedKeyAlgID; - } - else if (keyAlgID != supportedKeyAlgID) { - return errSecUnsupportedAlgorithm; - } - } - - switch(keyAlgID) { - case kSecRSAAlgorithmID: - offset = DEREncodeDigestInfoPrefix(digestOid, digestLen, - digestInfo, *digestInfoLen); - if (!offset) - return errSecBufferTooSmall; - break; - case kSecDSAAlgorithmID: - if (digestOid != &CSSMOID_SHA1) - return errSecUnsupportedAlgorithm; - break; - case kSecECDSAAlgorithmID: - break; - default: - secdebug("key", "unsupported signature algorithm"); - return errSecUnsupportedAlgorithm; - } - - if (digestData) { - if(dataLen>UINT32_MAX) /* Check for overflow with CC_LONG cast */ - return errSecParam; - digestFcn(data, (CC_LONG)dataLen, &digestInfo[offset]); - *digestInfoLen = offset + digestLen; - } else { - if (dataLen != digestLen) - return errSecParam; - memcpy(&digestInfo[offset], data, dataLen); - *digestInfoLen = offset + dataLen; - } - - return errSecSuccess; -} - -OSStatus SecKeyVerifyDigest( - SecKeyRef key, /* Private key */ - const SecAsn1AlgId *algId, /* algorithm oid/params */ - const uint8_t *digestData, /* signature over this digest */ - size_t digestDataLen, /* length of dataToDigest */ - const uint8_t *sig, /* signature to verify */ - size_t sigLen) /* length of sig */ -{ - size_t digestInfoLength = DER_MAX_DIGEST_INFO_LEN; - uint8_t digestInfo[digestInfoLength]; - OSStatus status; - - status = SecKeyGetDigestInfo(key, algId, digestData, digestDataLen, false /* data is digest */, - digestInfo, &digestInfoLength); - if (status) - return status; - return SecKeyRawVerify(key, kSecPaddingPKCS1, - digestInfo, digestInfoLength, 
sig, sigLen); -} - -OSStatus SecKeySignDigest( - SecKeyRef key, /* Private key */ - const SecAsn1AlgId *algId, /* algorithm oid/params */ - const uint8_t *digestData, /* signature over this digest */ - size_t digestDataLen, /* length of digestData */ - uint8_t *sig, /* signature, RETURNED */ - size_t *sigLen) /* IN/OUT */ -{ - size_t digestInfoLength = DER_MAX_DIGEST_INFO_LEN; - uint8_t digestInfo[digestInfoLength]; - OSStatus status; - - status = SecKeyGetDigestInfo(key, algId, digestData, digestDataLen, false, - digestInfo, &digestInfoLength); - if (status) - return status; - return SecKeyRawSign(key, kSecPaddingPKCS1, - digestInfo, digestInfoLength, sig, sigLen); -} - -/* It's debatable whether this belongs here or in the ssl code since the - curve values come from a tls related rfc4492. */ -SecECNamedCurve SecECKeyGetNamedCurve(SecKeyRef key) -{ - try { - SecPointer<KeyItem> keyItem(KeyItem::required(key)); - switch (keyItem->key().header().LogicalKeySizeInBits) { -#if 0 - case 192: - return kSecECCurveSecp192r1; - case 224: - return kSecECCurveSecp224r1; -#endif - case 256: - return kSecECCurveSecp256r1; - case 384: - return kSecECCurveSecp384r1; - case 521: - return kSecECCurveSecp521r1; - } - } - catch (...) 
{} - return kSecECCurveNone; -} - -static inline CFDataRef _CFDataCreateReferenceFromRange(CFAllocatorRef allocator, CFDataRef sourceData, CFRange range) -{ - return CFDataCreateWithBytesNoCopy(allocator, - CFDataGetBytePtr(sourceData) + range.location, range.length, - kCFAllocatorNull); -} - -static inline CFDataRef _CFDataCreateCopyFromRange(CFAllocatorRef allocator, CFDataRef sourceData, CFRange range) -{ - return CFDataCreate(allocator, CFDataGetBytePtr(sourceData) + range.location, range.length); -} - -#pragma clang diagnostic push -#pragma clang diagnostic ignored "-Wunused-function" -static inline bool _CFDataEquals(CFDataRef left, CFDataRef right) -{ - return (left != NULL) && - (right != NULL) && - (CFDataGetLength(left) == CFDataGetLength(right)) && - (0 == memcmp(CFDataGetBytePtr(left), CFDataGetBytePtr(right), (size_t)CFDataGetLength(left))); -} -#pragma clang diagnostic pop - -#if ECDSA_DEBUG -void secdump(const unsigned char *data, unsigned long len) -{ - unsigned long i; - char s[128]; - char t[32]; - s[0]=0; - for(i=0;i<len;i++) - { - if((i&0xf)==0) { - sprintf(t, "%04lx :", i); - strcat(s, t); - } - sprintf(t, " %02x", data[i]); - strcat(s, t); - if((i&0xf)==0xf) { - strcat(s, "\n"); - syslog(LOG_NOTICE, s); - s[0]=0; - } - } - strcat(s, "\n"); - syslog(LOG_NOTICE, s); -} -#endif - -OSStatus SecKeyCopyPublicBytes(SecKeyRef key, CFDataRef* publicBytes) -{ - CFIndex keyAlgId; -#if TARGET_OS_EMBEDDED - keyAlgId = SecKeyGetAlgorithmID(key); -#else - keyAlgId = SecKeyGetAlgorithmId(key); -#endif - - OSStatus ecStatus = errSecParam; - CFDataRef tempPublicData = NULL; - CFDataRef headerlessPublicData = NULL; - CFIndex headerLength = 0; - const UInt8* pData_Ptr = NULL; - - if (kSecRSAAlgorithmID == keyAlgId) - { - return SecItemExport(key, kSecFormatBSAFE, 0, NULL, publicBytes); - } - - if (kSecECDSAAlgorithmID == keyAlgId) - { - // First export the key so there is access to the underlying key material - ecStatus = SecItemExport(key, kSecFormatOpenSSL, 0, 
NULL, &tempPublicData); - if(ecStatus != errSecSuccess) - { - secdebug("key", "SecKeyCopyPublicBytes: SecItemExport error (%d) for ECDSA public key %p", - ecStatus, (uintptr_t)key); - - return ecStatus; - } - - - // Get a pointer to the first byte of the exported data - pData_Ptr = CFDataGetBytePtr(tempPublicData); - - // the first byte should be a sequence 0x30 - if (*pData_Ptr != 0x30) - { - secdebug("key", "SecKeyCopyPublicBytes: exported data is invalid"); - if (NULL != tempPublicData) - CFRelease(tempPublicData); - - ecStatus = errSecParam; - return ecStatus; - } - - // move past the sequence byte - pData_Ptr++; - - // Check to see if the high bit is set which - // indicates that the length will be at least - // two bytes. If the high bit is set then - // The lower seven bits specifies the number of - // bytes used for the length. The additonal 1 - // is for the current byte. Otherwise just move past the - // single length byte - pData_Ptr += (*pData_Ptr & 0x80) ? ((*pData_Ptr & 0x7F) + 1) : 1; - - // The current byte should be a sequence 0x30 - if (*pData_Ptr != 0x30) - { - secdebug("key", "SecKeyCopyPublicBytes: Could not find the key sequence"); - if (NULL != tempPublicData) { - CFRelease(tempPublicData); - } - ecStatus = errSecParam; - return ecStatus; - } - - // The next bytes will always be the same - // 0x30 = SEQUENCE - // XX Length Byte - // 0x06 OBJECT ID - // 0x07 Length Byte - // ECDSA public KEY OID value 0x2a,0x86,0x48,0xce,0x3d,0x02,0x01 - // 0x06 OBJECT ID - // This is a total of 12 bytes - pData_Ptr += 12; - - // Next byte is the length of the ECDSA curve OID - // Move past the length byte and the curve OID - pData_Ptr += (((int)*pData_Ptr) + 1); - - // Should be at a BINARY String which is specifed by a 0x3 - if (*pData_Ptr != 0x03) - { - secdebug("key", "SecKeyCopyPublicBytes: Invalid key structure"); - if (NULL != tempPublicData) { - CFRelease(tempPublicData); - } - ecStatus = errSecParam; - return ecStatus; - } - - // Move past the BINARY 
String specifier 0x03 - pData_Ptr++; - - - // Check to see if the high bit is set which - // indicates that the length will be at least - // two bytes. If the high bit is set then - // The lower seven bits specifies the number of - // bytes used for the length. The additonal 1 - // is for the current byte. Otherwise just move past the - // single length byte - pData_Ptr += (*pData_Ptr & 0x80) ? ((*pData_Ptr & 0x7F) + 1) : 1; - - // Move past the beginning marker for the BINARY String 0x00 - pData_Ptr++; - - // pData_Ptr now points to the first bytes of the key material - headerLength = (CFIndex)(((intptr_t)pData_Ptr) - ((intptr_t)CFDataGetBytePtr(tempPublicData))); - - headerlessPublicData = _CFDataCreateCopyFromRange(kCFAllocatorDefault, - tempPublicData, CFRangeMake(headerLength, CFDataGetLength(tempPublicData) - headerLength)); - - if (!headerlessPublicData) - { - printf("SecKeyCopyPublicBytes: headerlessPublicData is nil (1)\n"); - if (NULL != tempPublicData) - CFRelease(tempPublicData); - - ecStatus = errSecParam; - - return ecStatus; - } - - if (publicBytes) - { - *publicBytes = headerlessPublicData; - } - - ecStatus = errSecSuccess; - - if (NULL != tempPublicData) - CFRelease(tempPublicData); - - return ecStatus; - } - - return errSecParam; -} - - -CFDataRef SecECKeyCopyPublicBits(SecKeyRef key) -{ - CFDataRef exportedKey; - if(SecKeyCopyPublicBytes(key, &exportedKey) != errSecSuccess) { - exportedKey = NULL; - } - return exportedKey; -} - -SecKeyRef SecKeyCreateFromPublicData(CFAllocatorRef allocator, CFIndex algorithmID, CFDataRef publicBytes) -{ - SecExternalFormat externalFormat = kSecFormatOpenSSL; - SecExternalItemType externalItemType = kSecItemTypePublicKey; - CFDataRef workingData = NULL; - CFArrayRef outArray = NULL; - SecKeyRef retVal = NULL; - - if (kSecRSAAlgorithmID == algorithmID) { - /* - * kSecFormatBSAFE uses the original PKCS#1 definition: - * RSAPublicKey ::= SEQUENCE { - * modulus INTEGER, -- n - * publicExponent INTEGER -- e - * } - * 
kSecFormatOpenSSL uses different ASN.1 encoding. - */ - externalFormat = kSecFormatBSAFE; - workingData = _CFDataCreateReferenceFromRange(kCFAllocatorDefault, publicBytes, CFRangeMake(0, CFDataGetLength(publicBytes))); - } else if (kSecECDSAAlgorithmID == algorithmID) { - CFMutableDataRef tempData; - uint8 requiredFirstDERByte [] = {0x04}; - uint8 placeholder[1]; - uint8 headerBytes[] = { 0x30,0x59,0x30,0x13,0x06,0x07,0x2a,0x86, - 0x48,0xce,0x3d,0x02,0x01,0x06,0x08,0x2a, - 0x86,0x48,0xce,0x3d,0x03,0x01,0x07,0x03, - 0x42,0x00 }; - - /* FIXME: this code only handles one specific curve type; need to expand this */ - if(CFDataGetLength(publicBytes) != 65) - goto cleanup; - - CFDataGetBytes(publicBytes, CFRangeMake(0, 1), placeholder); - - if(requiredFirstDERByte[0] != placeholder[0]) - goto cleanup; - - - tempData = CFDataCreateMutable(kCFAllocatorDefault, 0); - CFDataAppendBytes(tempData, headerBytes, sizeof(headerBytes)); - CFDataAppendBytes(tempData, CFDataGetBytePtr(publicBytes), CFDataGetLength(publicBytes)); - - workingData = tempData; - } - if(SecItemImport(workingData, NULL, &externalFormat, &externalItemType, 0, NULL, NULL, &outArray) != errSecSuccess) { - goto cleanup; - } - if(!outArray || CFArrayGetCount(outArray) == 0) { - goto cleanup; - } - retVal = (SecKeyRef)CFArrayGetValueAtIndex(outArray, 0); - CFRetain(retVal); - -cleanup: - if(workingData) CFRelease(workingData); - if(outArray) CFRelease(outArray); - return retVal; -} - -SecKeyRef SecKeyCreateRSAPublicKey(CFAllocatorRef allocator, - const uint8_t *keyData, CFIndex keyDataLength, - SecKeyEncoding encoding) -{ - CFDataRef pubKeyData = NULL; - if(kSecKeyEncodingPkcs1 == encoding) { - /* DER-encoded according to PKCS1. */ - pubKeyData = CFDataCreate(allocator, keyData, keyDataLength); - - } else if(kSecKeyEncodingApplePkcs1 == encoding) { - /* DER-encoded according to PKCS1 with Apple Extensions. 
*/ - /* FIXME: need to actually handle extensions */ - return NULL; - - } else if(kSecKeyEncodingRSAPublicParams == encoding) { - /* SecRSAPublicKeyParams format; we must encode as PKCS1. */ - SecRSAPublicKeyParams *params = (SecRSAPublicKeyParams *)keyData; - DERSize m_size = params->modulusLength; - DERSize e_size = params->exponentLength; - const DERSize seq_size = DERLengthOfItem(ASN1_INTEGER, m_size) + - DERLengthOfItem(ASN1_INTEGER, e_size); - const DERSize result_size = DERLengthOfItem(ASN1_SEQUENCE, seq_size); - DERSize r_size, remaining_size = result_size; - DERReturn drtn; - - CFMutableDataRef pkcs1 = CFDataCreateMutable(allocator, result_size); - if (pkcs1 == NULL) { - return NULL; - } - CFDataSetLength(pkcs1, result_size); - uint8_t *bytes = CFDataGetMutableBytePtr(pkcs1); - - *bytes++ = ASN1_CONSTR_SEQUENCE; - remaining_size--; - r_size = 4; - drtn = DEREncodeLength(seq_size, bytes, &r_size); - if (r_size <= remaining_size) { - bytes += r_size; - remaining_size -= r_size; - } - r_size = remaining_size; - drtn = DEREncodeItem(ASN1_INTEGER, m_size, (const DERByte *)params->modulus, (DERByte *)bytes, &r_size); - if (r_size <= remaining_size) { - bytes += r_size; - remaining_size -= r_size; - } - r_size = remaining_size; - drtn = DEREncodeItem(ASN1_INTEGER, e_size, (const DERByte *)params->exponent, (DERByte *)bytes, &r_size); - - pubKeyData = pkcs1; - - } else { - /* unsupported encoding */ - return NULL; - } - SecKeyRef publicKey = SecKeyCreateFromPublicData(allocator, kSecRSAAlgorithmID, pubKeyData); - CFRelease(pubKeyData); - return publicKey; -} - -#if !TARGET_OS_EMBEDDED -// -// Given a CSSM public key, copy its modulus and/or exponent data. -// Caller is responsible for releasing the returned CFDataRefs. 
-// -static -OSStatus _SecKeyCopyRSAPublicModulusAndExponent(SecKeyRef key, CFDataRef *modulus, CFDataRef *exponent) -{ - const CSSM_KEY *pubKey; - const CSSM_KEYHEADER *hdr; - CSSM_DATA pubKeyBlob; - OSStatus result; - - result = SecKeyGetCSSMKey(key, &pubKey); - if(result != errSecSuccess) { - return result; - } - hdr = &pubKey->KeyHeader; - if(hdr->KeyClass != CSSM_KEYCLASS_PUBLIC_KEY) { - return errSSLInternal; - } - if(hdr->AlgorithmId != CSSM_ALGID_RSA) { - return errSSLInternal; - } - switch(hdr->BlobType) { - case CSSM_KEYBLOB_RAW: - pubKeyBlob.Length = pubKey->KeyData.Length; - pubKeyBlob.Data = pubKey->KeyData.Data; - break; - case CSSM_KEYBLOB_REFERENCE: - // FIXME: currently SSL only uses raw public keys, obtained from the CL - default: - return errSSLInternal; - } - assert(hdr->BlobType == CSSM_KEYBLOB_RAW); - // at this point we should have a PKCS1-encoded blob - - DERItem keyItem = {(DERByte *)pubKeyBlob.Data, pubKeyBlob.Length}; - DERRSAPubKeyPKCS1 decodedKey; - if(DERParseSequence(&keyItem, DERNumRSAPubKeyPKCS1ItemSpecs, - DERRSAPubKeyPKCS1ItemSpecs, - &decodedKey, sizeof(decodedKey)) != DR_Success) { - return errSecDecode; - } - if(modulus) { - *modulus = CFDataCreate(kCFAllocatorDefault, decodedKey.modulus.data, decodedKey.modulus.length); - if(*modulus == NULL) { - return errSecDecode; - } - } - if(exponent) { - *exponent = CFDataCreate(kCFAllocatorDefault, decodedKey.pubExponent.data, decodedKey.pubExponent.length); - if(*exponent == NULL) { - return errSecDecode; - } - } - - return errSecSuccess; -} -#endif /* !TARGET_OS_EMBEDDED */ - -CFDataRef SecKeyCopyModulus(SecKeyRef key) -{ -#if TARGET_OS_EMBEDDED - ccrsa_pub_ctx_t pubkey; - pubkey.pub = key->key; - - size_t m_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey)); - - CFAllocatorRef allocator = CFGetAllocator(key); - CFMutableDataRef modulusData = CFDataCreateMutable(allocator, m_size); - - if (modulusData == NULL) - return NULL; - - CFDataSetLength(modulusData, m_size); 
- - ccn_write_uint(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey), m_size, CFDataGetMutableBytePtr(modulusData)); -#else - CFDataRef modulusData; - OSStatus status = _SecKeyCopyRSAPublicModulusAndExponent(key, &modulusData, NULL); - if(status != errSecSuccess) { - modulusData = NULL; - } -#endif - - return modulusData; -} - -CFDataRef SecKeyCopyExponent(SecKeyRef key) -{ -#if TARGET_OS_EMBEDDED - ccrsa_pub_ctx_t pubkey; - pubkey.pub = key->key; - - size_t e_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_e(pubkey)); - - CFAllocatorRef allocator = CFGetAllocator(key); - CFMutableDataRef exponentData = CFDataCreateMutable(allocator, e_size); - - if (exponentData == NULL) - return NULL; - - CFDataSetLength(exponentData, e_size); - - ccn_write_uint(ccrsa_ctx_n(pubkey), ccrsa_ctx_e(pubkey), e_size, CFDataGetMutableBytePtr(exponentData)); -#else - CFDataRef exponentData; - OSStatus status = _SecKeyCopyRSAPublicModulusAndExponent(key, NULL, &exponentData); - if(status != errSecSuccess) { - exponentData = NULL; - } -#endif - - return exponentData; -} - -SecKeyRef SecKeyCreatePublicFromPrivate(SecKeyRef privateKey) { - OSStatus status = errSecParam; - - CFDataRef serializedPublic = NULL; - - status = SecKeyCopyPublicBytes(privateKey, &serializedPublic); - if ((status == errSecSuccess) && (serializedPublic != NULL)) { - SecKeyRef publicKeyRef = SecKeyCreateFromPublicData(kCFAllocatorDefault, SecKeyGetAlgorithmId(privateKey), serializedPublic); - CFRelease(serializedPublic); - if (publicKeyRef != NULL) { - return publicKeyRef; - } - } - - const void *keys[] = { kSecClass, kSecValueRef, kSecReturnAttributes }; - const void *values[] = { kSecClassKey, privateKey, kCFBooleanTrue }; - CFDictionaryRef query= CFDictionaryCreate(NULL, keys, values, - (sizeof(values) / sizeof(*values)), - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks); - CFTypeRef foundItem = NULL; - status = SecItemCopyMatching(query, &foundItem); - - if (status == errSecSuccess) { - if 
(CFGetTypeID(foundItem) == CFDictionaryGetTypeID()) { - CFMutableDictionaryRef query2 = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - CFDictionaryAddValue(query2, kSecClass, kSecClassKey); - CFDictionaryAddValue(query2, kSecAttrKeyClass, kSecAttrKeyClassPublic); - CFDictionaryAddValue(query2, kSecAttrApplicationLabel, CFDictionaryGetValue((CFDictionaryRef)foundItem, kSecAttrApplicationLabel)); - CFDictionaryAddValue(query2, kSecReturnRef, kCFBooleanTrue); - - CFTypeRef foundKey = NULL; - status = SecItemCopyMatching(query2, &foundKey); - if (status == errSecSuccess) { - if (CFGetTypeID(foundKey) == SecKeyGetTypeID()) { - CFRelease(query); - CFRelease(query2); - CFRelease(foundItem); - return (SecKeyRef)foundKey; - } else { - status = errSecItemNotFound; - } - } - CFRelease(query2); - - } else { - status = errSecItemNotFound; - } - CFRelease(foundItem); - } - - CFRelease(query); - return NULL; -} - diff --git a/OSX/libsecurity_keychain/lib/SecKey.h b/OSX/libsecurity_keychain/lib/SecKey.h index 5ac4080d..28b30bec 100644 --- a/OSX/libsecurity_keychain/lib/SecKey.h +++ b/OSX/libsecurity_keychain/lib/SecKey.h @@ -39,6 +39,7 @@ #include <Security/cssmtype.h> #include <CoreFoundation/CFBase.h> #include <CoreFoundation/CFDictionary.h> +#include <CoreFoundation/CFSet.h> #include <sys/types.h> #if defined(__cplusplus) @@ -264,7 +265,7 @@ CFTypeID SecKeyGetTypeID(void) @discussion This API is deprecated for 10.7. Please use the SecKeyGeneratePair API instead. */ OSStatus SecKeyCreatePair( - SecKeychainRef __nullable keychainRef, + SecKeychainRef _Nullable keychainRef, CSSM_ALGORITHMS algorithm, uint32 keySizeInBits, CSSM_CC_HANDLE contextHandle, 
@@ -272,9 +273,9 @@ OSStatus SecKeyCreatePair( uint32 publicKeyAttr, CSSM_KEYUSE privateKeyUsage, uint32 privateKeyAttr, - SecAccessRef __nullable initialAccess, - SecKeyRef* __nullable CF_RETURNS_RETAINED publicKey, - SecKeyRef* __nullable CF_RETURNS_RETAINED privateKey) + SecAccessRef _Nullable initialAccess, + SecKeyRef* _Nullable CF_RETURNS_RETAINED publicKey, + SecKeyRef* _Nullable CF_RETURNS_RETAINED privateKey) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; /*! @@ -292,14 +293,14 @@ OSStatus SecKeyCreatePair( @discussion This API is deprecated for 10.7. Please use the SecKeyGenerateSymmetric API instead. */ OSStatus SecKeyGenerate( - SecKeychainRef __nullable keychainRef, + SecKeychainRef _Nullable keychainRef, CSSM_ALGORITHMS algorithm, uint32 keySizeInBits, CSSM_CC_HANDLE contextHandle, CSSM_KEYUSE keyUsage, uint32 keyAttr, - SecAccessRef __nullable initialAccess, - SecKeyRef* __nullable CF_RETURNS_RETAINED keyRef) + SecAccessRef _Nullable initialAccess, + SecKeyRef* _Nullable CF_RETURNS_RETAINED keyRef) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; /*! @@ -310,7 +311,7 @@ OSStatus SecKeyGenerate( @result A result code. See "Security Error Codes" (SecBase.h). @discussion The CSSM_KEY is valid until the key item reference is released. This API is deprecated in 10.7. Its use should no longer be needed. */ -OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY * __nullable * __nonnull cssmKey) +OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY * _Nullable * __nonnull cssmKey) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;; /*! @@ -337,7 +338,7 @@ OSStatus SecKeyGetCredentials( SecKeyRef keyRef, CSSM_ACL_AUTHORIZATION_TAG operation, SecCredentialType credentialType, - const CSSM_ACCESS_CREDENTIALS * __nullable * __nonnull outCredentials) + const CSSM_ACCESS_CREDENTIALS * _Nullable * __nonnull outCredentials) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; /*! 
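Review bot: The new `+OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY * _Nullable * __nonnull cssmKey)` line in the `@@ -310` hunk migrates only the `__nullable` half of the declaration, so the same parameter now mixes the new `_Nullable` spelling with the old double-underscore `__nonnull`; the `@@ -337` hunk (`outCredentials`) and the `keyToUnwrap` parameter of SecKeyUnwrapSymmetric in the `@@ -597` hunk have the same mix. Clang's current spelling of that qualifier is `_Nonnull`, so finishing the migration with `const CSSM_KEY * _Nullable * _Nonnull cssmKey` and `const CSSM_ACCESS_CREDENTIALS * _Nullable * _Nonnull outCredentials` keeps the header on one qualifier family and avoids the clash the old `__nonnull` spelling can have with library macros of the same name. While this line is being touched, the adjacent context line `DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;;` carries a stray second semicolon that could be dropped in the same change.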
@@ -378,7 +379,7 @@ size_t SecKeyGetBlockSize(SecKeyRef key) * kSecAttrLabel (a user-visible label whose value is a CFStringRef, e.g. "My App's Encryption Key") * kSecAttrApplicationLabel (a label defined by your application, whose - value is a CFStringRef and which can be used to find this key in a + value is a CFDataRef and which can be used to find this key in a subsequent call to SecItemCopyMatching, e.g. "ID-1234567890-9876-0151") To specify the generated key's access control settings, set this key: @@ -393,7 +394,7 @@ size_t SecKeyGetBlockSize(SecKeyRef key) * kSecAttrCanUnwrap (defaults to true if not explicitly specified) */ -__nullable +_Nullable SecKeyRef SecKeyGenerateSymmetric(CFDictionaryRef parameters, CFErrorRef *error) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); @@ -422,7 +423,7 @@ SecKeyRef SecKeyGenerateSymmetric(CFDictionaryRef parameters, CFErrorRef *error) * kSecAttrCanUnwrap (defaults to true if not explicitly specified) */ -__nullable +_Nullable SecKeyRef SecKeyCreateFromData(CFDictionaryRef parameters, CFDataRef keyData, CFErrorRef *error) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); @@ -467,7 +468,7 @@ SecKeyRef SecKeyCreateFromData(CFDictionaryRef parameters, */ OSStatus SecKeyGeneratePair(CFDictionaryRef parameters, - SecKeyRef * __nullable CF_RETURNS_RETAINED publicKey, SecKeyRef * __nullable CF_RETURNS_RETAINED privateKey) + SecKeyRef * _Nullable CF_RETURNS_RETAINED publicKey, SecKeyRef * _Nullable CF_RETURNS_RETAINED privateKey) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); /*! 
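Review bot: The corrected line in the `@@ -378` hunk now states that the kSecAttrApplicationLabel value is a CFDataRef, but the unchanged context line that follows still illustrates it with a string, `e.g. "ID-1234567890-9876-0151")`, which contradicts the type it was just fixed to and will presumably lead readers to build their SecItemCopyMatching query with a CFStringRef that never matches. Either drop the example or rephrase it to make the binary nature explicit, for instance `subsequent call to SecItemCopyMatching, e.g. the raw bytes of an application-chosen key identifier)`; note that this sibling line sits outside the changed lines of the hunk, so it needs its own edit.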
@@ -488,7 +489,6 @@ typedef void (^SecKeyGeneratePairBlock)(SecKeyRef publicKey, SecKeyRef privateKe @param parameters A dictionary containing one or more key-value pairs. @param deliveryQueue A dispatch queue to be used to deliver the results. @param result A callback function to result when the operation has completed. - @result On success the function returns NULL. @discussion In order to generate a keypair the parameters dictionary must at least contain the following keys: @@ -555,7 +555,7 @@ void SecKeyGeneratePairAsync(CFDictionaryRef parameters, error parameter contains the reason. */ -__nullable +_Nullable CF_RETURNS_RETAINED SecKeyRef SecKeyDeriveFromPassword(CFStringRef password, CFDictionaryRef parameters, CFErrorRef *error) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); @@ -576,7 +576,7 @@ SecKeyRef SecKeyDeriveFromPassword(CFStringRef password, * kSecSalt - a CFData for the salt value for the encrypt. */ -__nullable +_Nullable CFDataRef SecKeyWrapSymmetric(SecKeyRef keyToWrap, SecKeyRef wrappingKey, CFDictionaryRef parameters, CFErrorRef *error) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); 
@@ -597,11 +597,660 @@ CFDataRef SecKeyWrapSymmetric(SecKeyRef keyToWrap, * kSecSalt - a CFData for the salt value for the decrypt. */ -__nullable -SecKeyRef SecKeyUnwrapSymmetric(CFDataRef __nullable * __nonnull keyToUnwrap, +_Nullable +SecKeyRef SecKeyUnwrapSymmetric(CFDataRef _Nullable * __nonnull keyToUnwrap, SecKeyRef unwrappingKey, CFDictionaryRef parameters, CFErrorRef *error) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +/*! + @function SecKeyCreateRandomKey + @abstract Generates a new public/private key pair. + @param parameters A dictionary containing one or more key-value pairs. + See the discussion sections below for a complete overview of options. + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). + @return Newly generated private key. To get associated public key, use SecKeyCopyPublicKey(). + @discussion In order to generate a keypair the parameters dictionary must + at least contain the following keys: + + * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other + kSecAttrKeyType defined in SecItem.h + * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef + containing the requested key size in bits. Example sizes for RSA + keys are: 512, 768, 1024, 2048. + + The values below may be set either in the top-level dictionary or in a + dictionary that is the value of the kSecPrivateKeyAttrs or + kSecPublicKeyAttrs key in the top-level dictionary. Setting these + attributes explicitly will override the defaults below. See SecItem.h + for detailed information on these attributes including the types of + the values. + + * kSecAttrLabel default NULL + * kSecAttrIsPermanent if this key is present and has a Boolean value of true, + the key or key pair will be added to the default keychain. + * kSecAttrTokenID if this key should be generated on specified token. 
This + attribute can contain CFStringRef and can be present only in the top-level + parameters dictionary. + * kSecAttrApplicationTag default NULL + * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits + * kSecAttrCanEncrypt default false for private keys, true for public keys + * kSecAttrCanDecrypt default true for private keys, false for public keys + * kSecAttrCanDerive default true + * kSecAttrCanSign default true for private keys, false for public keys + * kSecAttrCanVerify default false for private keys, true for public keys + * kSecAttrCanWrap default false for private keys, true for public keys + * kSecAttrCanUnwrap default true for private keys, false for public keys + */ +SecKeyRef _Nullable SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCreateWithData + @abstract Create a SecKey from a well-defined external representation. + @param keyData CFData representing the key. The format of the data depends on the type of key being created. + @param attributes Dictionary containing attributes describing the key to be imported. The keys in this dictionary + are kSecAttr* constants from SecItem.h. Mandatory attributes are: + * kSecAttrKeyType + * kSecAttrKeyClass + * kSecAttrKeySizeInBits + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). + @result A SecKey object representing the key, or NULL on failure. + @discussion This function does not add keys to any keychain, but the SecKey object it returns can be added + to keychain using the SecItemAdd function. 
+ The requested data format depend on the type of key (kSecAttrKeyType) being created: + * kSecAttrKeyTypeRSA PKCS#1 format + * kSecAttrKeyTypeECSECPrimeRandom SEC1 format (www.secg.org) + */ +SecKeyRef _Nullable SecKeyCreateWithData(CFDataRef keyData, CFDictionaryRef attributes, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCopyExternalRepresentation + @abstract Create an external representation for the given key suitable for the key's type. + @param key The key to be exported. + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). + @result A CFData representing the key in a format suitable for that key type. + @discussion This function may fail if the key is not exportable (e.g., bound to a smart card or Secure Enclave). + The format in which the key will be exported depends on the type of key: + * kSecAttrKeyTypeRSA PKCS#1 format + * kSecAttrKeyTypeECSECPrimeRandom SEC1 format (www.secg.org) + */ +CFDataRef _Nullable SecKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCopyAttributes + @abstract Retrieve keychain attributes of a key. + @param key The key whose attributes are to be retrieved. + @result Dictionary containing attributes of the key. The keys that populate this dictionary are defined + and discussed in SecItem.h. + @discussion The attributes provided by this function are: + * kSecAttrCanEncrypt + * kSecAttrCanDecrypt + * kSecAttrCanDerive + * kSecAttrCanSign + * kSecAttrCanVerify + * kSecAttrKeyClass + * kSecAttrKeyType + * kSecAttrKeySizeInBits + * kSecAttrTokenID + * kSecAttrApplicationLabel + Other values returned in that dictionary are RFU. 
+ */ +CFDictionaryRef _Nullable SecKeyCopyAttributes(SecKeyRef key) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCopyPublicKey + @abstract Retrieve the public key from a key pair or private key. + @param key The key from which to retrieve a public key. + @result The public key or NULL if public key is not available for specified key. + @discussion Fails if key does not contain a public key or no public key can be computed from it. + */ +SecKeyRef _Nullable SecKeyCopyPublicKey(SecKeyRef key) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @enum SecKeyAlgorithm + @abstract Available algorithms for performing cryptographic operations with SecKey object. String representation + of constant can be used for logging or debugging purposes, because they contain human readable names of the algorithm. + + @constant kSecKeyAlgorithmRSASignatureRaw + Raw RSA sign/verify operation, size of input data must be the same as value returned by SecKeyGetBlockSize(). + + @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw + RSA sign/verify operation, assumes that input data is digest and OID and digest algorithm as specified in PKCS# v1.5. + This algorithm is typically not used directly, instead use algorithm with specified digest, like + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256. + + @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 + RSA signature with PKCS#1 padding, input data must be SHA-1 generated digest. + + @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224 + RSA signature with PKCS#1 padding, input data must be SHA-224 generated digest. + + @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 + RSA signature with PKCS#1 padding, input data must be SHA-256 generated digest. + + @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 + RSA signature with PKCS#1 padding, input data must be SHA-384 generated digest. 
+ + @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 + RSA signature with PKCS#1 padding, input data must be SHA-512 generated digest. + + @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1 + RSA signature with PKCS#1 padding, SHA-1 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224 + RSA signature with PKCS#1 padding, SHA-224 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256 + RSA signature with PKCS#1 padding, SHA-256 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384 + RSA signature with PKCS#1 padding, SHA-384 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512 + RSA signature with PKCS#1 padding, SHA-512 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmECDSASignatureRFC4754 + ECDSA algorithm, signature is concatenated r and s, big endian, data is message digest. + + @constant kSecKeyAlgorithmECDSASignatureDigestX962 + ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest. + + @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1 + ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA1 algorithm. + + @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1 + ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA224 algorithm. + + @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1 + ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA256 algorithm. + + @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1 + ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA384 algorithm. 
+ + @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1 + ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA512 algorithm. + + @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA1 + ECDSA algorithm, signature is in DER x9.62 encoding, SHA-1 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA224 + ECDSA algorithm, signature is in DER x9.62 encoding, SHA-224 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA256 + ECDSA algorithm, signature is in DER x9.62 encoding, SHA-256 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA384 + ECDSA algorithm, signature is in DER x9.62 encoding, SHA-384 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA512 + ECDSA algorithm, signature is in DER x9.62 encoding, SHA-512 digest is generated from input data of any size. + + @constant kSecKeyAlgorithmRSAEncryptionRaw + Raw RSA encryption or decryption, size of data must match RSA key modulus size. Note that direct + use of this algorithm without padding is cryptographically very weak, it is important to always introduce + some kind of padding. Input data size must be less or equal to the key block size and returned block has always + the same size as block size, as returned by SecKeyGetBlockSize(). + + @constant kSecKeyAlgorithmRSAEncryptionPKCS1 + RSA encryption or decryption, data is padded using PKCS#1 padding scheme. This algorithm should be used only for + backward compatibility with existing protocols and data. New implementations should choose cryptographically + stronger algorithm instead (see kSecKeyAlgorithmRSAEncryptionOAEP). Input data must be at most + "key block size - 11" bytes long and returned block has always the same size as block size, as returned + by SecKeyGetBlockSize(). 
+ + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1 + RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA1. Input data must be at most + "key block size - 42" bytes long and returned block has always the same size as block size, as returned + by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM to be able to encrypt and decrypt arbitrary long data. + + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224 + RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA224. Input data must be at most + "key block size - 58" bytes long and returned block has always the same size as block size, as returned + by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM to be able to encrypt and decrypt arbitrary long data. + + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256 + RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA256. Input data must be at most + "key block size - 66" bytes long and returned block has always the same size as block size, as returned + by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM to be able to encrypt and decrypt arbitrary long data. + + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384 + RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA384. Input data must be at most + "key block size - 98" bytes long and returned block has always the same size as block size, as returned + by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM to be able to encrypt and decrypt arbitrary long data. + + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512 + RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA512. Input data must be at most + "key block size - 130" bytes long and returned block has always the same size as block size, as returned + by SecKeyGetBlockSize(). 
Use kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM to be able to encrypt and decrypt arbitrary long data. + + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM + Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM + mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. + 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used + as authentication data for AES-GCM encryption. + + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM + Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM + mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. + 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used + as authentication data for AES-GCM encryption. + + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM + Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM + mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. + 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used + as authentication data for AES-GCM encryption. + + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM + Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM + mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. + 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used + as authentication data for AES-GCM encryption. 
+ + @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM + Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM + mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext. + 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used + as authentication data for AES-GCM encryption. + + @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. 
AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. 
Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. 
AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactor + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys. + This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA256 as hashing function. 
Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandard + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys. + This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 
+ + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 
+ */ + +typedef CFStringRef SecKeyAlgorithm CF_STRING_ENUM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRaw +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384 +__OSX_AVAILABLE(10.12) 
__IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureRFC4754 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm 
kSecKeyAlgorithmECDSASignatureMessageX962SHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRaw +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionPKCS1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const 
SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm 
kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandard +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactor +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384 +__OSX_AVAILABLE(10.12) 
__IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCreateSignature + @abstract Given a private key and data to sign, generate a digital signature. + @param key Private key with which to sign. + @param algorithm One of SecKeyAlgorithm constants suitable to generate signature with this key. + @param dataToSign The data to be signed, typically the digest of the actual data. + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). + @result The signature over dataToSign represented as a CFData, or NULL on failure. + @discussion Computes digital signature using specified key over input data. The operation algorithm + further defines the exact format of input data, operation to be performed and output signature. + */ +CFDataRef _Nullable SecKeyCreateSignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef dataToSign, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyVerifySignature + @abstract Given a public key, data which has been signed, and a signature, verify the signature. + @param key Public key with which to verify the signature. + @param algorithm One of SecKeyAlgorithm constants suitable to verify signature with this key. + @param signedData The data over which sig is being verified, typically the digest of the actual data. + @param signature The signature to verify. + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). + @result True if the signature was valid, False otherwise. + @discussion Verifies digital signature operation using specified key and signed data. 
The operation algorithm + further defines the exact format of input data, signature and operation to be performed. + */ +Boolean SecKeyVerifySignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef signedData, CFDataRef signature, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCreateEncryptedData + @abstract Encrypt a block of plaintext. + @param key Public key with which to encrypt the data. + @param algorithm One of SecKeyAlgorithm constants suitable to perform encryption with this key. + @param plaintext The data to encrypt. The length and format of the data must conform to chosen algorithm, + typically be less or equal to the value returned by SecKeyGetBlockSize(). + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). + @result The ciphertext represented as a CFData, or NULL on failure. + @discussion Encrypts plaintext data using specified key. The exact type of the operation including the format + of input and output data is specified by encryption algorithm. + */ +CFDataRef _Nullable SecKeyCreateEncryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef plaintext, + CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCreateDecryptedData + @abstract Decrypt a block of ciphertext. + @param key Private key with which to decrypt the data. + @param algorithm One of SecKeyAlgorithm constants suitable to perform decryption with this key. + @param ciphertext The data to decrypt. The length and format of the data must conform to chosen algorithm, + typically be less or equal to the value returned by SecKeyGetBlockSize(). + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). 
+ @result The plaintext represented as a CFData, or NULL on failure. + @discussion Decrypts ciphertext data using specified key. The exact type of the operation including the format + of input and output data is specified by decryption algorithm. + */ +CFDataRef _Nullable SecKeyCreateDecryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef ciphertext, + CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @enum SecKeyKeyExchangeParameter SecKey Key Exchange parameters + @constant kSecKeyKeyExchangeParameterRequestedSize Contains CFNumberRef with requested result size in bytes. + @constant kSecKeyKeyExchangeParameterSharedInfo Contains CFDataRef with additional shared info + for KDF (key derivation function). + */ +typedef CFStringRef SecKeyKeyExchangeParameter CF_STRING_ENUM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterRequestedSize +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterSharedInfo +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCopyKeyExchangeResult + @abstract Perform Diffie-Hellman style of key exchange operation, optionally with additional key-derivation steps. + @param algorithm One of SecKeyAlgorithm constants suitable to perform this operation. + @param publicKey Remote party's public key. + @param parameters Dictionary with parameters, see SecKeyKeyExchangeParameter constants. Used algorithm + determines the set of required and optional parameters to be used. + @param error Pointer to an error object on failure. + See "Security Error Codes" (SecBase.h). + @result Result of key exchange operation as a CFDataRef, or NULL on failure. 
+ */ +CFDataRef _Nullable SecKeyCopyKeyExchangeResult(SecKeyRef privateKey, SecKeyAlgorithm algorithm, SecKeyRef publicKey, CFDictionaryRef parameters, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @enum SecKeyOperationType + @abstract Defines types of cryptographic operations available with SecKey instance. + + @constant kSecKeyOperationTypeSign + Represents SecKeyCreateSignature() + + @constant kSecKeyOperationTypeVerify + Represents SecKeyVerifySignature() + + @constant kSecKeyOperationTypeEncrypt + Represents SecKeyCreateEncryptedData() + + @constant kSecKeyOperationTypeDecrypt + Represents SecKeyCreateDecryptedData() + + @constant kSecKeyOperationTypeKeyExchange + Represents SecKeyCopyKeyExchangeResult() + */ +typedef CF_ENUM(CFIndex, SecKeyOperationType) { + kSecKeyOperationTypeSign = 0, + kSecKeyOperationTypeVerify = 1, + kSecKeyOperationTypeEncrypt = 2, + kSecKeyOperationTypeDecrypt = 3, + kSecKeyOperationTypeKeyExchange = 4, +} __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyIsAlgorithmSupported + @abstract Checks whether key supports specified algorithm for specified operation. + @param key Key to query + @param operation Operation type for which the key is queried + @param algorithm Algorithm which is queried + @return True if key supports specified algorithm for specified operation, False otherwise. + */ +Boolean SecKeyIsAlgorithmSupported(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END diff --git a/OSX/libsecurity_keychain/lib/SecKeyPriv.h b/OSX/libsecurity_keychain/lib/SecKeyPriv.h index 26d9cb9b..e2b1ebc5 100644 --- a/OSX/libsecurity_keychain/lib/SecKeyPriv.h +++ b/OSX/libsecurity_keychain/lib/SecKeyPriv.h 
@@ -39,6 +39,7 @@ #include <Security/x509defs.h> #include <Security/SecAsn1Types.h> #include <AvailabilityMacros.h> +#include <CoreFoundation/CFRuntime.h> #if defined(__cplusplus) extern "C" { @@ -66,14 +67,42 @@ enum { to a SecRSAPublicKeyParams and keyDataLength is sizeof(SecRSAPublicKeyParams). */ kSecKeyEncodingRSAPublicParams = 3, + + /* RSA public key in SecRSAPublicKeyParams format. keyData is a pointer + to a SecRSAPublicKeyParams and keyDataLength is + sizeof(SecRSAPublicKeyParams). */ + kSecDERKeyEncoding = 4, + + /* Internal "encodings to send other data" */ + kSecGenerateKey = 5, + kSecExtractPublicFromPrivate = 6, + + /* Encoding came from SecKeyCopyPublicBytes for a public key, + or internally from a private key */ + kSecKeyEncodingBytes = 7, + + /* Handing in a private key from corecrypto directly. */ + kSecKeyCoreCrypto = 8, +}; + +typedef uint32_t SecKeyWrapType; +enum { + /* wrap key in RFC3394 (AESWrap) */ + kSecKeyWrapRFC3394 = 0, + + /* wrap key in PGP style (support EC keys only right now) */ + kSecKeyWrapPublicKeyPGP = 1, + +}; + +typedef CF_ENUM(CFIndex, SecKeyOperationMode) { + kSecKeyOperationModePerform = 0, + kSecKeyOperationModeCheckIfSupported = 1, }; typedef OSStatus (*SecKeyInitMethod)(SecKeyRef, const uint8_t *, CFIndex, SecKeyEncoding); -typedef void *(*SecKeyCopyMethod)(SecKeyRef); typedef void (*SecKeyDestroyMethod)(SecKeyRef); -typedef void (*SecKeyDeleteMethod)(SecKeyRef); -typedef void (*SecKeyShowMethod)(SecKeyRef); typedef OSStatus (*SecKeyRawSignMethod)(SecKeyRef key, SecPadding padding, const uint8_t *dataToSign, size_t dataToSignLen, uint8_t *sig, size_t *sigLen); 
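Review bot: The comment above `kSecDERKeyEncoding = 4` is a verbatim copy of the `kSecKeyEncodingRSAPublicParams` text and talks about SecRSAPublicKeyParams, which cannot be right for a DER encoding; replace it with what `keyData` actually holds for this value, along the lines of `/* DER-encoded key: keyData points at the DER bytes and keyDataLength is their length. */` (confirm against the implementation). `kSecGenerateKey` and `kSecExtractPublicFromPrivate` are described only as "encodings to send other data"; a sentence saying they are for internal dispatch and must not be passed by ordinary `SecKeyCreate` callers would stop them being used as real encodings. `SecKeyWrapType` is declared as a bare `uint32_t` typedef plus an anonymous `enum`, while the adjacent `SecKeyOperationMode` uses `CF_ENUM`; `typedef CF_ENUM(uint32_t, SecKeyWrapType)` keeps the header consistent and gives the type a name in the debugger.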
@@ -86,28 +115,88 @@ typedef OSStatus (*SecKeyEncryptMethod)(SecKeyRef key, SecPadding padding, typedef OSStatus (*SecKeyDecryptMethod)(SecKeyRef key, SecPadding padding, const uint8_t *cipherText, size_t cipherTextLen, uint8_t *plainText, size_t *plainTextLen); +typedef OSStatus (*SecKeyComputeMethod)(SecKeyRef key, + const uint8_t *pub_key, size_t pub_key_len, + uint8_t *computed_key, size_t *computed_key_len); typedef size_t (*SecKeyBlockSizeMethod)(SecKeyRef key); typedef CFDictionaryRef (*SecKeyCopyDictionaryMethod)(SecKeyRef key); +typedef CFIndex (*SecKeyGetAlgorithmIDMethod)(SecKeyRef key); +typedef OSStatus (*SecKeyCopyPublicBytesMethod)(SecKeyRef key, CFDataRef *serialization); +typedef CFDataRef (*SecKeyCopyWrapKeyMethod)(SecKeyRef key, SecKeyWrapType type, CFDataRef unwrappedKey, CFDictionaryRef parameters, CFDictionaryRef *outParam, CFErrorRef *error); +typedef CFDataRef (*SecKeyCopyUnwrapKeyMethod)(SecKeyRef key, SecKeyWrapType type, CFDataRef wrappedKey, CFDictionaryRef parameters, CFDictionaryRef *outParam, CFErrorRef *error); +typedef CFStringRef (*SecKeyDescribeMethod)(SecKeyRef key); + +typedef CFDataRef (*SecKeyCopyExternalRepresentationMethod)(SecKeyRef key, CFErrorRef *error); +typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key); +typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2); +/*! + @abstract Performs cryptographic operation with the key. + @param key Key to perform the operation on. + @param operation Type of operation to be performed. + @param algorithm Algorithm identifier for the operation. Determines format of input and output data. + @param allAlgorithms Array of algorithms which were traversed until we got to this operation. The last member of this array is always the same as @c algorithm parameter. + @param mode Mode in which the operation is performed. Two available modes are checking only if the operation can be performed or actually performing the operation. 
+ @param in1 First input parameter for the operation, meaningful only in ModePerform. + @param in2 Second input parameter for the operation, meaningful only in ModePerform. + @param error Error details when NULL is returned. + @return NULL if some failure occured. kCFNull if operation/algorithm/key combination is not supported, otherwise the result of the operation or kCFBooleanTrue in ModeCheckIfSupported. + */ +typedef CFTypeRef(*SecKeyCopyOperationResultMethod)(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, CFArrayRef allAlgorithms, SecKeyOperationMode mode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error); + +#define kSecKeyDescriptorVersion (4) + +typedef struct __SecKeyDescriptor { + /* Version of this SecKeyDescriptor. Must be kSecKeyDescriptorVersion. */ + uint32_t version; -typedef struct { + /* Name of this key class for use by SecKeyShow(). */ const char *name; + + /* If nonzero, SecKeyCreate will allocate this many bytes for the key + field in the SecKeyRef it creates. If zero key is NULL and the + implementor can choose to dynamically allocate it in the init + function and free it in the destroy function. */ + uint32_t extraBytes; + + /* Called by SecKeyCreate(). */ SecKeyInitMethod init; - SecKeyCopyMethod copy; + /* Called by destructor (final CFRelease() or gc if using). */ SecKeyDestroyMethod destroy; - SecKeyDeleteMethod remove; - SecKeyShowMethod show; + /* Called by SecKeyRawSign(). */ SecKeyRawSignMethod rawSign; + /* Called by SecKeyRawVerify(). */ SecKeyRawVerifyMethod rawVerify; + /* Called by SecKeyEncrypt(). */ SecKeyEncryptMethod encrypt; + /* Called by SecKeyDecrypt(). */ SecKeyDecryptMethod decrypt; + /* Reserved for future use. */ + SecKeyComputeMethod compute; + /* Called by SecKeyGetBlockSize(). */ SecKeyBlockSizeMethod blockSize; + /* Called by SecKeyCopyAttributeDictionary(), which is private. 
*/ SecKeyCopyDictionaryMethod copyDictionary; - /* If known, the number of bytes to allocate for the key field in the SecKey struct. */ - int extraBytes; + /* Called by SecKeyDescribeMethod(). */ + SecKeyDescribeMethod describe; +#if kSecKeyDescriptorVersion > 0 + /* Called by SecKeyCopyAttributeDictionary(), which is private. */ + SecKeyGetAlgorithmIDMethod getAlgorithmID; +#endif +#if kSecKeyDescriptorVersion > 1 + SecKeyCopyPublicBytesMethod copyPublic; +#endif +#if kSecKeyDescriptorVersion > 2 + SecKeyCopyWrapKeyMethod copyWrapKey; + SecKeyCopyUnwrapKeyMethod copyUnwrapKey; +#endif +#if kSecKeyDescriptorVersion > 3 + SecKeyCopyExternalRepresentationMethod copyExternalRepresentation; + SecKeyCopyPublicKeyMethod copyPublicKey; + SecKeyCopyOperationResultMethod copyOperationResult; + SecKeyIsEqualMethod isEqual; +#endif } SecKeyDescriptor; -CFTypeID SecKeyGetCFClassTypeID(void); - /*! @function SecKeyGetAlgorithmID @abstract Returns a pointer to a CSSM_X509_ALGORITHM_IDENTIFIER structure for the given key. 
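Review bot: The `#if kSecKeyDescriptorVersion > N` guards around the trailing fields of `SecKeyDescriptor` never exclude anything, because `kSecKeyDescriptorVersion` is `#define`d to `(4)` a few lines above in the same hunk, so a reader can mistake them for a compatibility mechanism; either drop them or say what they are for, e.g. `/* version guards are documentary: each marks the descriptor version that introduced the field */`. In the `SecKeyCopyOperationResultMethod` doc, `occured` should be `occurred`, and the comment `/* Called by SecKeyDescribeMethod(). */` on the `describe` slot names the typedef rather than a caller (presumably the CF description hook — confirm and name it). `extraBytes` changes from `int` to `uint32_t` and moves to the top of the struct, which is a layout change covered by the version bump; a short note next to `version` saying that any field reorder requires bumping it would help future editors.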
@@ -389,6 +478,77 @@ OSStatus SecKeyRawVerifyOSX( const uint8_t *sig, size_t sigLen); +/*! + @enum SecKeyAttestationKeyType + @abstract Defines types of builtin attestation keys. +*/ +typedef CF_ENUM(uint32_t, SecKeyAttestationKeyType) +{ + kSecKeyAttestationKeyTypeSIK = 0, + kSecKeyAttestationKeyTypeGID +} __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCopyAttestationKey + @abstract Returns a copy of a builtin attestation key. + + @param keyType Type of the requested builtin key. + @param error An optional pointer to a CFErrorRef. This value is set if an error occurred. + + @result On success a SecKeyRef containing the requested key is returned, on failure it returns NULL. +*/ +SecKeyRef SecKeyCopyAttestationKey(SecKeyAttestationKeyType keyType, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCreateAttestation + @abstract Attests a key with another key. + + @param key The attesting key. + @param keyToAttest The key which is to be attested. + @param error An optional pointer to a CFErrorRef. This value is set if an error occurred. + + @result On success a CFDataRef containing the attestation data is returned, on failure it returns NULL. + + @discussion Key attestation only works for CTK SEP keys, i.e. keys created with kSecAttrTokenID=kSecAttrTokenIDSecureEnclave. +*/ +CFDataRef SecKeyCreateAttestation(SecKeyRef key, SecKeyRef keyToAttest, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeySetParameter + @abstract Sets unspecified key parameter for the backend. + + @param key Key to set the parameter to. + @param name Identifies parameter to be set. + @param value New value for the parameter. + @param error Error which gathers more information when something went wrong. 
+ + @discussion Serves as channel between SecKey client and backend for passing additional sideband data send from SecKey caller + to SecKey implementation backend (currently only CTK-based token backend is supported). Parameter names and types are + a contract between SecKey user (application) and backend and are not interpreted by SecKey layer in any way. + */ +Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + Algorithms for converting between bigendian and core-crypto ccunit data representation. + */ +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRawCCUnit; +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRawCCUnit; + +/*! + Internal algorithm for RSA-MD5. We do not want to export MD5 in new API, but we need it + for implementing legacy interfaces. + */ +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5; +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5; + +/*! + Algorithms for interoperability with libaks smartcard support. + */ +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionAKSSmartCard; + #if defined(__cplusplus) } #endif diff --git a/OSX/libsecurity_keychain/lib/SecKeychain.cpp b/OSX/libsecurity_keychain/lib/SecKeychain.cpp index 9580a994..d307e2bd 100644 --- a/OSX/libsecurity_keychain/lib/SecKeychain.cpp +++ b/OSX/libsecurity_keychain/lib/SecKeychain.cpp @@ -35,6 +35,9 @@ #include <security_cdsa_utilities/Schema.h> #include <security_cdsa_client/mdsclient.h> #include <pwd.h> +#include <Security/AuthorizationTagsPriv.h> +#include <Security/Authorization.h> +#include "TokenLogin.h" OSStatus SecKeychainMDSInstall() 
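Review bot: `kSecKeyAttestationKeyTypeSIK` and `kSecKeyAttestationKeyTypeGID` are declared with no description of which builtin key each names, so callers of `SecKeyCopyAttestationKey` cannot choose between them from the header; add a one-line `@constant` entry for each to the `SecKeyAttestationKeyType` `@enum` block. The private externs `kSecKeyAlgorithmRSASignatureRawCCUnit`, `kSecKeyAlgorithmRSAEncryptionRawCCUnit`, the two `...PKCS1v15MD5` constants and `kSecKeyAlgorithmECIESEncryptionAKSSmartCard` are the only `SecKeyAlgorithm` declarations in this diff without the `__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0)` availability line; adding it keeps them consistent with the rest of the header. The MD5 comment already says the constants exist only to implement legacy interfaces; making that explicit as `Not to be selected by new code.` removes any ambiguity. In the `SecKeySetParameter` discussion, `sideband data send from` should read `sideband data sent from`.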
@@ -96,7 +99,7 @@ SecKeychainOpenWithGuid(const CSSM_GUID *guid, uint32 subserviceId, uint32 subse DLDbIdentifier dLDbIdentifier(ssuid, dbName, dbLocation); // make a keychain from the supplied info - RequiredParam(keychain) = globals().storageManager.makeKeychain(dLDbIdentifier, false)->handle (); + RequiredParam(keychain) = globals().storageManager.makeKeychain(dLDbIdentifier, false, false)->handle (); END_SECAPI } @@ -109,7 +112,7 @@ SecKeychainCreate(const char *pathName, UInt32 passwordLength, const void *passw BEGIN_SECAPI KCThrowParamErrIf_(!pathName); - Keychain keychain = globals().storageManager.make(pathName); + Keychain keychain = globals().storageManager.make(pathName, true, true); // @@@ the call to StorageManager::make above leaves keychain the the cache. // If the create below fails we should probably remove it. @@ -246,7 +249,7 @@ OSStatus SecKeychainResetLogin(UInt32 passwordLength, const void* password, Bool globals().storageManager.resetKeychain(resetSearchList); // Create the login keychain without UI - globals().storageManager.login((UInt32)userName.length(), userName.c_str(), passwordLength, password); + globals().storageManager.login((UInt32)userName.length(), userName.c_str(), passwordLength, password, true); // Set it as the default Keychain keychain = globals().storageManager.loginKeychain(); @@ -256,7 +259,7 @@ OSStatus SecKeychainResetLogin(UInt32 passwordLength, const void* password, Bool { // Create the login keychain, prompting for password // (implicitly calls resetKeychain, login, and defaultKeychain) - globals().storageManager.makeLoginAuthUI(NULL); + globals().storageManager.makeLoginAuthUI(NULL, true); } // Post a "list changed" event after a reset, so apps can refresh their list. 
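Review bot: The boolean arguments added to `makeKeychain(dLDbIdentifier, false, false)`, `make(pathName, true, true)`, `login(..., password, true)` and `makeLoginAuthUI(NULL, true)` are bare literals, so a reader cannot tell what each flag controls or why `SecKeychainResetLogin` passes `true` while `SecKeychainLogin` (the -845 hunk below) passes `false` to the same `login` call. A trailing comment naming the parameter on each call, e.g. `globals().storageManager.login(..., password, true /* <name of the new flag> */);`, documents the intent without changing behaviour; the same applies to the -845 hunk. Each of these hunks sits inside a function whose start and end lie outside the hunk.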
@@ -420,6 +423,35 @@ SecKeychainGetKeychainVersion(SecKeychainRef keychainRef, UInt32* version)
 END_SECAPI
 }
+OSStatus
+SecKeychainAttemptMigrationWithMasterKey(SecKeychainRef keychain, UInt32 version, const char* masterKeyFilename)
+{
+ BEGIN_SECAPI
+
+ RequiredParam(masterKeyFilename);
+ Keychain kc = Keychain::optional(keychain);
+
+ SecurityServer::SystemKeychainKey keychainKey(masterKeyFilename);
+ if(keychainKey.valid()) {
+ // We've managed to read the key; now, create credentials using it
+ string path = kc->name();
+
+ CssmClient::Key keychainMasterKey(kc->csp(), keychainKey.key(), true);
+ CssmClient::AclFactory::MasterKeyUnlockCredentials creds(keychainMasterKey, Allocator::standard(Allocator::sensitive));
+
+ // Attempt the migrate, using our master key as the ACL override
+ bool result = kc->keychainMigration(path, kc->database()->dbBlobVersion(), path, version, creds.getAccessCredentials());
+ if(!result) {
+ return errSecBadReq;
+ }
+ return (kc->database()->dbBlobVersion() == version ? errSecSuccess : errSecBadReq);
+ } else {
+ return errSecBadReq;
+ }
+
+ END_SECAPI
+}
+
 // @@@ Deprecated UInt16
@@ -627,9 +659,13 @@ SecKeychainFindInternetPassword(CFTypeRef keychainOrArray, UInt32 serverNameLeng
 {
 CssmDataContainer outData;
 item->getData(outData);
- *passwordLength=(UInt32)outData.length();
+ if (passwordLength) {
+ *passwordLength=(UInt32)outData.length();
+ }
 outData.Length=0;
- *passwordData=outData.data();
+ if (passwordData) {
+ *passwordData=outData.data();
+ }
 outData.Data=NULL;
 }
@@ -726,9 +762,13 @@ SecKeychainFindGenericPassword(CFTypeRef keychainOrArray, UInt32 serviceNameLeng
 {
 CssmDataContainer outData;
 item->getData(outData);
- *passwordLength=(UInt32)outData.length();
+ if (passwordLength) {
+ *passwordLength=(UInt32)outData.length();
+ }
 outData.Length=0;
- *passwordData=outData.data();
+ if (passwordData) {
+ *passwordData=outData.data();
+ }
 outData.Data=NULL;
 }
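Review bot: In `SecKeychainAttemptMigrationWithMasterKey` every failure path collapses to `errSecBadReq`: an unreadable or invalid master-key file, a failed `keychainMigration`, and a post-migration `dbBlobVersion()` mismatch are indistinguishable to the caller and nothing is logged. Returning a distinct code for the invalid-key case (for instance `errSecParam` on `!keychainKey.valid()`) and logging the migration failure would make the operation diagnosable. `masterKeyFilename` is a caller-supplied path from which a keychain master key is read; the function's contract should state what that file is expected to be and whether `SystemKeychainKey` checks its ownership and permissions (not visible here), so callers do not hand it an untrusted path. Dropping the `else` in favour of an early `return` on `!keychainKey.valid()` also removes one level of nesting.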
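Review bot: In the -627 (`SecKeychainFindInternetPassword`) and -726 (`SecKeychainFindGenericPassword`) hunks the new `if (passwordData)` guard skips handing out `outData.data()`, but `outData.Length=0;` and `outData.Data=NULL;` still run unconditionally, so when the caller passes a NULL `passwordData` the buffer holding the password is detached from `CssmDataContainer` without anyone taking ownership — presumably never freed and never zeroized. Moving `outData.Length=0; outData.Data=NULL;` inside the `if (passwordData)` block, after the `*passwordData=outData.data();` assignment, lets the container keep and release the buffer when it is not handed out. Both enclosing functions start and end outside their hunks.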
@@ -845,7 +885,7 @@ SecKeychainLogin(UInt32 nameLength, const void* name, UInt32 passwordLength, con try { if (password) { - globals().storageManager.login(nameLength, name, passwordLength, password); + globals().storageManager.login(nameLength, name, passwordLength, password, false); } else { globals().storageManager.stashLogin(); } @@ -1187,9 +1227,9 @@ static OSStatus SecKeychainGetMasterKey(SecKeychainRef userKeychainRef, CFDataRe cred += TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK, new(alloc) ListElement(CSSM_SAMPLE_TYPE_PASSWORD), new(alloc) ListElement(StringData(passphrase))); - db->accessCredentials(&cred); - - CSSM_DL_DB_HANDLE dlDb = db->handle(); + db->authenticate(CSSM_DB_ACCESS_READ, &cred); + + CSSM_DL_DB_HANDLE dlDb = db->handle(); CssmData dlDbData = CssmData::wrap(dlDb); CssmKey refKey; KeySpec spec(CSSM_KEYUSE_ANY, 
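Review bot: Replacing db->accessCredentials(&cred) with `db->authenticate(CSSM_DB_ACCESS_READ, &cred);` changes when a wrong passphrase surfaces — the unlock now happens here instead of lazily at the later key operation — and nothing records that intent, so a future cleanup could revert it; a comment such as `// Authenticate now so a bad passphrase fails before we try to extract the master key` would pin it down. The credential list embeds the passphrase through StringData(passphrase); whether `alloc` is the sensitive allocator that scrubs on free is not visible in this hunk and should be confirmed. SecKeychainGetMasterKey begins and ends outside this hunk.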
@@ -1208,6 +1248,81 @@ static OSStatus SecKeychainGetMasterKey(SecKeychainRef userKeychainRef, CFDataRe
 END_SECAPI
 }
+static const char *kAutologinPWFilePath = "/etc/kcpassword";
+static const uint32_t kObfuscatedPasswordSizeMultiple = 12;
+static const uint32_t buffer_size = 512;
+static const uint8_t kObfuscationKey[] = {0x7d, 0x89, 0x52, 0x23, 0xd2, 0xbc, 0xdd, 0xea, 0xa3, 0xb9, 0x1f};
+
+static void obfuscate(void *buffer, size_t bufferLength)
+{
+ uint8_t *pBuf = (uint8_t *) buffer;
+ const uint8_t *pKey = kObfuscationKey, *eKey = pKey + sizeof( kObfuscationKey );
+
+ while (bufferLength--) {
+ *pBuf = *pBuf ^ *pKey;
+ ++pKey;
+ ++pBuf;
+ if (pKey == eKey)
+ pKey = kObfuscationKey;
+ }
+}
+
+static bool _SASetAutologinPW(CFStringRef inAutologinPW)
+{
+ bool result = false;
+ struct stat sb;
+
+ // Delete the kcpassword file if it exists already
+ if (stat(kAutologinPWFilePath, &sb) == 0)
+ unlink( kAutologinPWFilePath );
+
+ // NIL incoming password ==> clear auto login password (above) without setting a new one. In other words: turn auto login off.
+ if (inAutologinPW != NULL) {
+ char buffer[buffer_size];
+ const char *pwAsUTF8String = CFStringGetCStringPtr(inAutologinPW, kCFStringEncodingUTF8);
+ if (pwAsUTF8String == NULL) {
+ if (CFStringGetCString(inAutologinPW, buffer, buffer_size, kCFStringEncodingUTF8)) pwAsUTF8String = buffer;
+ }
+
+ if (pwAsUTF8String != NULL) {
+ size_t pwLength = strlen(pwAsUTF8String) + 1;
+ size_t obfuscatedPWLength;
+ char *obfuscatedPWBuffer;
+
+ // The size of the obfuscated password should be the smallest multiple of
+ // kObfuscatedPasswordSizeMultiple greater than or equal to pwLength.
+ obfuscatedPWLength = (((pwLength - 1) / kObfuscatedPasswordSizeMultiple) + 1) * kObfuscatedPasswordSizeMultiple;
+ obfuscatedPWBuffer = (char *) malloc(obfuscatedPWLength);
+
+ // Copy the password (including null terminator) to beginning of obfuscatedPWBuffer
+ bcopy(pwAsUTF8String, obfuscatedPWBuffer, pwLength);
+
+ // Pad remainder of obfuscatedPWBuffer with random bytes
+ {
+ char *p;
+ char *endOfBuffer = obfuscatedPWBuffer + obfuscatedPWLength;
+
+ for (p = obfuscatedPWBuffer + pwLength; p < endOfBuffer; ++p)
+ *p = random() & 0x000000FF;
+ }
+
+ obfuscate(obfuscatedPWBuffer, obfuscatedPWLength);
+
+ int pwFile = open(kAutologinPWFilePath, O_CREAT | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR);
+ if (pwFile >= 0) {
+ size_t wrote = write(pwFile, obfuscatedPWBuffer, obfuscatedPWLength);
+ if (wrote == obfuscatedPWLength)
+ result = true;
+ close(pwFile);
+ }
+
+ chmod(kAutologinPWFilePath, S_IRUSR | S_IWUSR);
+ free(obfuscatedPWBuffer);
+ }
+ }
+
+ return result;
+}
 OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRef systemKeychainRef, CFStringRef username, CFStringRef password)
 {
 SecTrustedApplicationRef itemPath;
@@ -1215,6 +1330,14 @@ OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRe
 OSStatus result = errSecParam;
+ if (userKeychainRef == NULL) {
+ // We don't have a specific user keychain, fall back
+ if (_SASetAutologinPW(password))
+ result = errSecSuccess;
+
+ return result;
+ }
+
 CFDataRef masterKey = NULL;
 result = SecKeychainGetMasterKey(userKeychainRef, &masterKey, password);
 if (errSecSuccess != result) {
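Review bot: _SASetAutologinPW leaves the plaintext password in memory and never checks its allocation: `malloc(obfuscatedPWLength)` is dereferenced by bcopy without a NULL test, and neither the stack `buffer` filled by CFStringGetCString nor `obfuscatedPWBuffer` — which holds the password in clear until obfuscate() runs, and a trivially reversible encoding of it afterwards — is scrubbed before the function frees or returns. The XOR against the fixed kObfuscationKey is encoding, not encryption, so the 0600 mode on /etc/kcpassword is the only protection and the `random()` padding adds none; that should be stated in a comment at the definition rather than left implicit. Opening with O_CREAT but not O_EXCL right after the unlink also means a file that reappears in that window is written into rather than rejected; the window is small because /etc is root-writable only, but O_EXCL costs nothing. The rewritten tail below checks the allocation, adds O_EXCL, fixes the signed/unsigned write comparison, and wipes both buffers.
```cpp
// … unchanged: kcpassword removal, CFString → UTF-8 conversion …
        if (pwAsUTF8String != NULL) {
            size_t pwLength = strlen(pwAsUTF8String) + 1;
            size_t obfuscatedPWLength = (((pwLength - 1) / kObfuscatedPasswordSizeMultiple) + 1) * kObfuscatedPasswordSizeMultiple;
            char *obfuscatedPWBuffer = (char *) malloc(obfuscatedPWLength);
            if (obfuscatedPWBuffer != NULL) {
                bcopy(pwAsUTF8String, obfuscatedPWBuffer, pwLength);
                // … unchanged: random padding, obfuscate() …
                // O_EXCL: we unlinked the file above, so anything that appeared since is not ours
                int pwFile = open(kAutologinPWFilePath, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR);
                if (pwFile >= 0) {
                    ssize_t wrote = write(pwFile, obfuscatedPWBuffer, obfuscatedPWLength);
                    if (wrote >= 0 && (size_t)wrote == obfuscatedPWLength)
                        result = true;
                    close(pwFile);
                }
                chmod(kAutologinPWFilePath, S_IRUSR | S_IWUSR);
                // The buffer held the password in clear before obfuscate(); scrub it before releasing.
                memset_s(obfuscatedPWBuffer, obfuscatedPWLength, 0, obfuscatedPWLength);
                free(obfuscatedPWBuffer);
            }
        }
        // `buffer` held the UTF-8 password whenever CFStringGetCStringPtr returned NULL
        memset_s(buffer, buffer_size, 0, buffer_size);
    }
```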
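Review bot: The new `userKeychainRef == NULL` branch in SecKeychainStoreUnlockKey silently switches security models: instead of wrapping the keychain master key into a system-keychain item guarded by an ACL, it writes the login password itself to /etc/kcpassword under a fixed XOR key, and `username` is not consulted at all on that path. That trade-off belongs in the comment at the branch, e.g. `// No user keychain: fall back to the legacy /etc/kcpassword file, which stores the password itself (XOR-obfuscated, protected only by root ownership and mode 0600); username is unused here`. On failure `result` still carries its initial errSecParam, so a permission problem writing /etc is reported as a bad parameter; a distinct code such as errSecIO would be more honest. SecKeychainStoreUnlockKey continues outside this hunk.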
@@ -1223,18 +1346,21 @@ OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRe result = SecKeychainStash(); if (errSecSuccess != result) { - if (NULL != masterKey) CFRelease(masterKey); + if (masterKey != NULL) CFRelease(masterKey); return result; } CFMutableArrayRef trustedApplications = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); - if ( noErr == SecTrustedApplicationCreateApplicationGroup("com.apple.security.auto-login", NULL, &itemPath) && itemPath ) + if (noErr == SecTrustedApplicationCreateApplicationGroup("com.apple.security.auto-login", NULL, &itemPath) && itemPath) CFArrayAppendValue(trustedApplications, itemPath); - if ( trustedApplications && (CFArrayGetCount(trustedApplications) > 0)) { + if (trustedApplications && (CFArrayGetCount(trustedApplications) > 0)) { if (errSecSuccess == (result = SecAccessCreate(CFSTR("Auto-Login applications"), trustedApplications, &ourAccessRef))) { + SecKeychainRef internalSystemKeychainRef = NULL; if (NULL == systemKeychainRef) { - SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &systemKeychainRef); + SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &internalSystemKeychainRef); + } else { + internalSystemKeychainRef = systemKeychainRef; } const void *queryKeys[] = { kSecClass, @@ -1245,7 +1371,7 @@ OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRe const void *queryValues[] = { kSecClassGenericPassword, CFSTR("com.apple.loginwindow.auto-login"), username, - systemKeychainRef, + internalSystemKeychainRef, }; const void *updateKeys[] = { kSecAttrAccess, @@ -1271,7 +1397,7 @@ OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRe const void *addValues[] = { kSecClassGenericPassword, CFSTR("com.apple.loginwindow.auto-login"), username, - systemKeychainRef, + internalSystemKeychainRef, ourAccessRef, masterKey, }; 
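Review bot: The result of `SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &internalSystemKeychainRef)` is still ignored; if it fails, internalSystemKeychainRef stays NULL and is then placed into the query and add value arrays in the following hunks, where a NULL value cannot be stored in a dictionary built with kCFTypeDictionaryValueCallBacks. Check it before the dictionaries are built, e.g. `result = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &internalSystemKeychainRef); if (result != errSecSuccess || internalSystemKeychainRef == NULL) { CFRelease(ourAccessRef); CFRelease(trustedApplications); CFRelease(masterKey); return result; }`. The unchecked call predates this commit, but the commit rewrites exactly these lines and is the natural place to fix it; the function body continues outside this hunk.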
@@ -1283,13 +1409,122 @@ OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRe if (NULL != query) CFRelease(query); if (NULL != update) CFRelease(update); + + // If the caller wanted us to locate the system keychain reference, it's okay to go ahead and free our magically created one + if (systemKeychainRef == NULL) CFRelease(internalSystemKeychainRef); } } if (NULL != masterKey) CFRelease(masterKey); if (NULL != trustedApplications) CFRelease(trustedApplications); if (NULL != ourAccessRef) CFRelease(ourAccessRef); - if (NULL != systemKeychainRef) CFRelease(systemKeychainRef); return result; } + +OSStatus SecKeychainGetUserPromptAttempts(uint32_t * attempts) +{ + BEGIN_SECAPI + + if(attempts) { + SecurityServer::ClientSession().getUserPromptAttempts(*attempts); + } + + END_SECAPI +} + +OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringRef tokenID, CFDataRef wrapPubKeyHash, + SecKeychainRef userKeychain, CFStringRef password) +{ + CFRef<CFStringRef> pwd; + OSStatus result; + + if (password == NULL || CFStringGetLength(password) == 0) { + AuthorizationRef authorizationRef; + result = AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &authorizationRef); + if (result != errAuthorizationSuccess) { + secinfo("SecKeychain", "failed to create authorization"); + return result; + } + + AuthorizationItem myItems = {"com.apple.ctk.pair", 0, NULL, 0}; + AuthorizationRights myRights = {1, &myItems}; + AuthorizationRights *authorizedRights = NULL; + + char pathName[PATH_MAX]; + UInt32 pathLength = PATH_MAX; + result = SecKeychainGetPath(userKeychain, &pathLength, pathName); + if (result != errSecSuccess) { + secinfo("SecKeychain", "Failed to get kc path: %d", (int) result); + return result; + } + + Boolean checkPwd = TRUE; + AuthorizationItem envItems[] = { + {AGENT_HINT_KEYCHAIN_PATH, pathLength, pathName, 0}, + {AGENT_HINT_KEYCHAIN_CHECK, sizeof(checkPwd), &checkPwd} + }; + + AuthorizationEnvironment environment = 
{2, envItems}; + AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights; + result = AuthorizationCopyRights(authorizationRef, &myRights, &environment, flags, &authorizedRights); + if (authorizedRights) + AuthorizationFreeItemSet(authorizedRights); + + if (result == errAuthorizationSuccess) { + AuthorizationItemSet *items; + result = AuthorizationCopyInfo(authorizationRef, kAuthorizationEnvironmentPassword, &items); + if (result == errAuthorizationSuccess) { + if (items->count > 0) { + pwd = CFStringCreateWithCString(kCFAllocatorDefault, (const char *)items->items[0].value, kCFStringEncodingUTF8); + } + AuthorizationFreeItemSet(items); + } + } + AuthorizationFree(authorizationRef, kAuthorizationFlagDefaults); + if (result != errAuthorizationSuccess) { + secinfo("SecKeychain", "did not get authorization to pair the card"); + return result; + } + } else { + pwd.take(password); + } + + if (!pwd) { + secinfo("SecKeychain", "did not get kcpass"); + return errSecInternalComponent; + } + + CFRef<CFDataRef> masterKey; + result = SecKeychainGetMasterKey(userKeychain, masterKey.take(), pwd); + if (result != errSecSuccess) { + secnotice("SecKeychain", "Failed to get master key: %d", (int) result); + return result; + } + + CFRef<CFDataRef> scBlob; + result = TokenLoginGetScBlob(wrapPubKeyHash, tokenID, pwd, scBlob.take()); + if (result != errSecSuccess) { + secnotice("SecKeychain", "Failed to get stash: %d", (int) result); + return result; + } + + result = TokenLoginCreateLoginData(tokenID, pubKeyHash, wrapPubKeyHash, masterKey, scBlob); + if (result != errSecSuccess) { + secnotice("SecKeychain", "Failed to create login data: %d", (int) result); + return result; + } + + secnotice("SecKeychain", "SecKeychainStoreUnlockKeyWithPubKeyHash result %d", (int) result); + return result; +} + +OSStatus SecKeychainEraseUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash) +{ + OSStatus result = 
TokenLoginDeleteUnlockData(pubKeyHash); + if (result != errSecSuccess) { + secnotice("SecKeychain", "Failed to erase stored wrapped unlock key: %d", (int) result); + } + return result; +} + diff --git a/OSX/libsecurity_keychain/lib/SecKeychain.h b/OSX/libsecurity_keychain/lib/SecKeychain.h index 9062d613..a27af901 100644 --- a/OSX/libsecurity_keychain/lib/SecKeychain.h +++ b/OSX/libsecurity_keychain/lib/SecKeychain.h @@ -416,7 +416,7 @@ OSStatus SecKeychainGetStatus(SecKeychainRef __nullable keychain, SecKeychainSta @function SecKeychainGetPath @abstract Get the path of the specified keychain. @param keychain A reference to a keychain. - @param ioPathLength On input, a pointer to the size or the buffer pointed to by pathName. On return, the size of the buffer without the zero termination. + @param ioPathLength On input, a pointer to the size of the buffer pointed to by pathName. On return, the size of the buffer without the zero termination. @param pathName On return, the POSIX path to the keychain. @result A result code. See "Security Error Codes" (SecBase.h). */ @@ -603,7 +603,7 @@ OSStatus SecKeychainGetDLDBHandle(SecKeychainRef __nullable keychain, CSSM_DL_DB @function SecKeychainCopyAccess @abstract Retrieves the access for a keychain. @param keychain A reference to the keychain from which to copy the access. - @param accessRef On return, a pointer to the access reference. + @param access On return, a pointer to the access reference. @result A result code. See "Security Error Codes" (SecBase.h). */ OSStatus SecKeychainCopyAccess(SecKeychainRef __nullable keychain, SecAccessRef * __nonnull CF_RETURNS_RETAINED access); 
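Review bot: The two ways `pwd` is populated in SecKeychainStoreUnlockKeyWithPubKeyHash have opposite ownership semantics: `pwd.take(password)` adopts the caller's borrowed string, so if CFRef::take transfers ownership without retaining — as the out-parameter form `masterKey.take()` used later in the same function suggests — the CFRef will release a reference it never owned when the function returns, while `pwd = CFStringCreateWithCString(...)` hands a +1 object to a retaining assignment and leaks it. Swapping them fixes both: `pwd = password;` in the else branch and `pwd.take(CFStringCreateWithCString(...))` in the authorization branch. Separately, `items->items[0].value` is passed to CFStringCreateWithCString as a NUL-terminated string although AuthorizationItem carries an explicit `valueLength`; CFStringCreateWithBytes with that length avoids relying on the agent to terminate it. The function and the trailing SecKeychainEraseUnlockKeyWithPubKeyHash are complete within this hunk.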
@@ -612,7 +612,7 @@ OSStatus SecKeychainCopyAccess(SecKeychainRef __nullable keychain, SecAccessRef @function SecKeychainSetAccess @abstract Sets the access for a keychain. @param keychain A reference to the keychain for which to set the access. - @param accessRef An access reference. + @param access An access reference. @result A result code. See "Security Error Codes" (SecBase.h). */ OSStatus SecKeychainSetAccess(SecKeychainRef __nullable keychain, SecAccessRef access); diff --git a/OSX/libsecurity_keychain/lib/SecKeychainItem.cpp b/OSX/libsecurity_keychain/lib/SecKeychainItem.cpp index e606a191..fedf2f1f 100644 --- a/OSX/libsecurity_keychain/lib/SecKeychainItem.cpp +++ b/OSX/libsecurity_keychain/lib/SecKeychainItem.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2004,2011-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2000-2004,2011-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -25,6 +25,7 @@ #include <Security/SecKeychainItem.h> #include <Security/SecKeychainItemPriv.h> #include <Security/SecCertificatePriv.h> +#include <Security/SecItemPriv.h> #include <security_keychain/Keychains.h> #include <security_keychain/KeyItem.h> @@ -43,6 +44,7 @@ #include "Access.h" #include "SecKeychainItemExtendedAttributes.h" +extern "C" Boolean SecKeyIsCDSAKey(SecKeyRef ref); // // Given a polymorphic Sec type object, return @@ -59,7 +61,7 @@ RefPointer<AclBearer> aclBearer(CFTypeRef itemRef) // keychain item. If it's in a protected group, return the group key if (SSGroup group = ItemImpl::required(SecKeychainItemRef(itemRef))->group()) return &*group; - } else if (id == gTypes().KeyItem.typeID) { + } else if (id == SecKeyGetTypeID() && SecKeyIsCDSAKey((SecKeyRef)itemRef)) { // key item, return the key itself. if (CssmClient::Key key = KeyItem::required(SecKeyRef(itemRef))->key()) return &*key; 
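Review bot: The new key branch in aclBearer relies on `SecKeyIsCDSAKey`, which this file now declares with a local `extern "C" Boolean SecKeyIsCDSAKey(SecKeyRef ref);` rather than including the header that owns it; a local prototype drifts silently if the real signature changes and defeats the type checking a shared header gives. If a private header exports it, include that instead; if none does, note it at the declaration, e.g. `// SecKeyIsCDSAKey has no header of its own; keep this prototype in sync with its definition`. The declaration and its use sit in the two adjacent hunks ending on this line.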
@@ -88,29 +90,32 @@ SecKeychainItemCreateFromContent(SecItemClass itemClass, SecKeychainAttributeLis UInt32 length, const void *data, SecKeychainRef keychainRef, SecAccessRef initialAccess, SecKeychainItemRef *itemRef) { - BEGIN_SECAPI - KCThrowParamErrIf_(length!=0 && data==NULL); - Item item(itemClass, attrList, length, data); - if (initialAccess) - item->setAccess(Access::required(initialAccess)); - - Keychain keychain = nil; - try - { - keychain = Keychain::optional(keychainRef); - if ( !keychain->exists() ) - { - MacOSError::throwMe(errSecNoSuchKeychain); // Might be deleted or not available at this time. - } - } - catch(...) - { - keychain = globals().storageManager.defaultKeychainUI(item); - } + BEGIN_SECAPI + + KCThrowParamErrIf_(length!=0 && data==NULL); + Item item(itemClass, attrList, length, data); + if (initialAccess) { + item->setAccess(Access::required(initialAccess)); + } + Keychain keychain = nil; + try + { + keychain = Keychain::optional(keychainRef); + if ( !keychain->exists() ) + { + MacOSError::throwMe(errSecNoSuchKeychain); // Might be deleted or not available at this time. + } + } + catch(...) + { + keychain = globals().storageManager.defaultKeychainUI(item); + } + + keychain->add(item); + if (itemRef) { + *itemRef = item->handle(); + } - keychain->add(item); - if (itemRef) - *itemRef = item->handle(); END_SECAPI } 
@@ -118,69 +123,24 @@ SecKeychainItemCreateFromContent(SecItemClass itemClass, SecKeychainAttributeLis OSStatus SecKeychainItemModifyContent(SecKeychainItemRef itemRef, const SecKeychainAttributeList *attrList, UInt32 length, const void *data) { - BEGIN_SECAPI - Item item = ItemImpl::required(itemRef); - item->modifyContent(attrList, length, data); - END_SECAPI + BEGIN_SECKCITEMAPI + + Item item = ItemImpl::required(__itemImplRef); + item->modifyContent(attrList, length, data); + + END_SECKCITEMAPI } OSStatus SecKeychainItemCopyContent(SecKeychainItemRef itemRef, SecItemClass *itemClass, SecKeychainAttributeList *attrList, UInt32 *length, void **outData) { -#if !SECTRUST_OSX - BEGIN_SECAPI - Item item = ItemImpl::required(itemRef); - item->getContent(itemClass, attrList, length, outData); - END_SECAPI -#else - OSStatus __secapiresult; - bool isCertificate = false; - SecKeychainItemRef itemImplRef; - if (itemRef && CFGetTypeID(itemRef) == SecCertificateGetTypeID()) { - // TODO: determine whether we need to actually look up the cert in a keychain here - itemImplRef = (SecKeychainItemRef) SecCertificateCopyKeychainItem((SecCertificateRef)itemRef); - if (!itemImplRef) { - itemImplRef = (SecKeychainItemRef) SecCertificateCreateItemImplInstance((SecCertificateRef)itemRef); - } - isCertificate = true; - } - else { - itemImplRef = (SecKeychainItemRef)((itemRef) ? CFRetain(itemRef) : NULL); - } + BEGIN_SECKCITEMAPI - try - { - Item item = ItemImpl::required(itemImplRef); - item->getContent(itemClass, attrList, (isCertificate) ? NULL : length, (isCertificate) ? NULL : outData); - __secapiresult=0; - } - catch (const MacOSError &err) { __secapiresult=err.osStatus(); } - catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } - catch (...) 
{ __secapiresult=errSecInternalComponent; } + Item item = ItemImpl::required(__itemImplRef); + item->getContent(itemClass, attrList, length, outData); - if (isCertificate && outData && *outData == NULL) { - // copy the data here - __secapiresult = errSecAllocate; - CFDataRef dataRef = SecCertificateCopyData((SecCertificateRef)itemRef); - if (dataRef) { - CFIndex dataLen = CFDataGetLength(dataRef); - const UInt8 *bytePtr = CFDataGetBytePtr(dataRef); - if ((bytePtr != NULL) && (dataLen > 0)) { - *outData = malloc(dataLen); - memcpy(*outData, bytePtr, dataLen); - *length = (UInt32)dataLen; - __secapiresult = errSecSuccess; - } - CFRelease(dataRef); - } - } - if (itemImplRef) { - CFRelease(itemImplRef); - } - return __secapiresult; -#endif + END_SECKCITEMAPI } @@ -188,7 +148,9 @@ OSStatus SecKeychainItemFreeContent(SecKeychainAttributeList *attrList, void *data) { BEGIN_SECAPI - ItemImpl::freeContent(attrList, data); + + ItemImpl::freeContent(attrList, data); + END_SECAPI } 
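Review bot: SecKeychainItemCopyContent drops the certificate-specific path that passed NULL for length/outData to getContent and then filled `*outData` from SecCertificateCopyData; the new body forwards length and outData unconditionally to whatever ItemImpl BEGIN_SECKCITEMAPI (defined outside this hunk) produces for a SecCertificateRef. If that ItemImpl is a floating instance with no keychain record, getContent may fail or return empty data where the old code returned the DER bytes, so a test with a non-keychain SecCertificateRef is warranted. If the macro does guarantee it, a comment at the top of the function, e.g. `// BEGIN_SECKCITEMAPI converts a SecCertificateRef into an ItemImpl whose getContent serves the certificate data directly`, would record why the old fallback could go.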
@@ -196,52 +158,24 @@ SecKeychainItemFreeContent(SecKeychainAttributeList *attrList, void *data) OSStatus SecKeychainItemModifyAttributesAndData(SecKeychainItemRef itemRef, const SecKeychainAttributeList *attrList, UInt32 length, const void *data) { - BEGIN_SECAPI - Item item = ItemImpl::required(itemRef); - item->modifyAttributesAndData(attrList, length, data); - END_SECAPI + BEGIN_SECKCITEMAPI + + Item item = ItemImpl::required(__itemImplRef); + item->modifyAttributesAndData(attrList, length, data); + + END_SECKCITEMAPI } OSStatus SecKeychainItemCopyAttributesAndData(SecKeychainItemRef itemRef, SecKeychainAttributeInfo *info, SecItemClass *itemClass, SecKeychainAttributeList **attrList, UInt32 *length, void **outData) { -#if !SECTRUST_OSX - BEGIN_SECAPI - Item item = ItemImpl::required(itemRef); - item->getAttributesAndData(info, itemClass, attrList, length, outData); - END_SECAPI -#else - // if the item is a SecCertificateRef, must convert to an ItemImpl-based instance - // TODO: determine whether we need to actually look up the cert in a keychain here - OSStatus __secapiresult; - SecKeychainItemRef itemImplRef; - if (itemRef && CFGetTypeID(itemRef) == SecCertificateGetTypeID()) { - itemImplRef = (SecKeychainItemRef) SecCertificateCopyKeychainItem((SecCertificateRef)itemRef); - if (!itemImplRef) { - itemImplRef = (SecKeychainItemRef) SecCertificateCreateItemImplInstance((SecCertificateRef)itemRef); - } - } - else { - itemImplRef = (SecKeychainItemRef)((itemRef) ? CFRetain(itemRef) : NULL); - } + BEGIN_SECKCITEMAPI - try - { - Item item = ItemImpl::required(itemImplRef); - item->getAttributesAndData(info, itemClass, attrList, length, outData); - __secapiresult=0; - } - catch (const MacOSError &err) { __secapiresult=err.osStatus(); } - catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } - catch (...) 
{ __secapiresult=errSecInternalComponent; } + Item item = ItemImpl::required(__itemImplRef); + item->getAttributesAndData(info, itemClass, attrList, length, outData); - if (itemImplRef) { - CFRelease(itemImplRef); - } - return __secapiresult; -#endif + END_SECKCITEMAPI } @@ -249,7 +183,9 @@ OSStatus SecKeychainItemFreeAttributesAndData(SecKeychainAttributeList *attrList, void *data) { BEGIN_SECAPI - ItemImpl::freeAttributesAndData(attrList, data); + + ItemImpl::freeAttributesAndData(attrList, data); + END_SECAPI } 
@@ -257,136 +193,50 @@ SecKeychainItemFreeAttributesAndData(SecKeychainAttributeList *attrList, void *d OSStatus SecKeychainItemDelete(SecKeychainItemRef itemRef) { -#if !SECTRUST_OSX - BEGIN_SECAPI - Item item = ItemImpl::required( itemRef ); - Keychain keychain = item->keychain(); - // item must be persistent. - KCThrowIf_( !keychain, errSecInvalidItemRef ); - - /* - * Before deleting the item, delete any existing Extended Attributes. - */ - OSStatus ortn; - CFArrayRef attrNames = NULL; - ortn = SecKeychainItemCopyAllExtendedAttributes(itemRef, &attrNames, NULL); - if(ortn == errSecSuccess) { - CFIndex numAttrs = CFArrayGetCount(attrNames); - for(CFIndex dex=0; dex<numAttrs; dex++) { - CFStringRef attrName = (CFStringRef)CFArrayGetValueAtIndex(attrNames, dex); - /* setting value to NULL ==> delete */ - SecKeychainItemSetExtendedAttribute(itemRef, attrName, NULL); - } - } - - /* now delete the item */ - keychain->deleteItem( item ); - END_SECAPI -#else - // if the item is a SecCertificateRef, must convert to an ItemImpl-based instance - // TODO: determine whether we need to actually look up the cert in a keychain here - OSStatus __secapiresult; - SecKeychainItemRef itemImplRef; - if (itemRef && CFGetTypeID(itemRef) == SecCertificateGetTypeID()) { - itemImplRef = (SecKeychainItemRef) SecCertificateCopyKeychainItem((SecCertificateRef)itemRef); - if (!itemImplRef) { - itemImplRef = (SecKeychainItemRef) SecCertificateCreateItemImplInstance((SecCertificateRef)itemRef); + BEGIN_SECKCITEMAPI + + Item item = ItemImpl::required(__itemImplRef); + Keychain keychain = item->keychain(); + // item must be persistent. + KCThrowIf_( !keychain, errSecInvalidItemRef ); + + /* + * Before deleting the item, delete any existing Extended Attributes. 
+ */ + OSStatus ortn; + CFArrayRef attrNames = NULL; + ortn = SecKeychainItemCopyAllExtendedAttributes(__itemImplRef, &attrNames, NULL); + if(ortn == errSecSuccess) { + CFIndex numAttrs = CFArrayGetCount(attrNames); + for(CFIndex dex=0; dex<numAttrs; dex++) { + CFStringRef attrName = (CFStringRef)CFArrayGetValueAtIndex(attrNames, dex); + /* setting value to NULL ==> delete */ + SecKeychainItemSetExtendedAttribute(__itemImplRef, attrName, NULL); } } - else { - itemImplRef = (SecKeychainItemRef)((itemRef) ? CFRetain(itemRef) : NULL); - } - - try - { - Item item = ItemImpl::required( itemImplRef ); - Keychain keychain = item->keychain(); - // item must be persistent. - KCThrowIf_( !keychain, errSecInvalidItemRef ); - - /* - * Before deleting the item, delete any existing Extended Attributes. - */ - OSStatus ortn; - CFArrayRef attrNames = NULL; - ortn = SecKeychainItemCopyAllExtendedAttributes(itemImplRef, &attrNames, NULL); - if(ortn == errSecSuccess) { - CFIndex numAttrs = CFArrayGetCount(attrNames); - for(CFIndex dex=0; dex<numAttrs; dex++) { - CFStringRef attrName = (CFStringRef)CFArrayGetValueAtIndex(attrNames, dex); - /* setting value to NULL ==> delete */ - SecKeychainItemSetExtendedAttribute(itemImplRef, attrName, NULL); - } - } - /* now delete the item */ - keychain->deleteItem( item ); - __secapiresult=0; - } - catch (const MacOSError &err) { __secapiresult=err.osStatus(); } - catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } - catch (...) 
{ __secapiresult=errSecInternalComponent; } + /* now delete the item */ + keychain->deleteItem( item ); - if (itemImplRef) { - CFRelease(itemImplRef); - } - return __secapiresult; -#endif + END_SECKCITEMAPI } OSStatus SecKeychainItemCopyKeychain(SecKeychainItemRef itemRef, SecKeychainRef* keychainRef) { -#if !SECTRUST_OSX - BEGIN_SECAPI - // make sure this item has a keychain - Keychain kc = ItemImpl::required(itemRef)->keychain (); - if (kc == NULL) - { - MacOSError::throwMe(errSecNoSuchKeychain); - } - - Required(keychainRef) = kc->handle(); - END_SECAPI -#else - // if the item is a SecCertificateRef, must convert to an ItemImpl-based instance - // TODO: determine whether we need to actually look up the cert in a keychain here - OSStatus __secapiresult; - SecKeychainItemRef itemImplRef; - if (itemRef && CFGetTypeID(itemRef) == SecCertificateGetTypeID()) { - itemImplRef = (SecKeychainItemRef) SecCertificateCopyKeychainItem((SecCertificateRef)itemRef); - if (!itemImplRef) { - itemImplRef = (SecKeychainItemRef) SecCertificateCreateItemImplInstance((SecCertificateRef)itemRef); - } - } - else { - itemImplRef = (SecKeychainItemRef)((itemRef) ? CFRetain(itemRef) : NULL); - } + BEGIN_SECKCITEMAPI - try + // make sure this item has a keychain + Keychain kc = ItemImpl::required(__itemImplRef)->keychain(); + if (kc == NULL) { - // make sure this item has a keychain - Keychain kc = ItemImpl::required(itemImplRef)->keychain(); - if (kc == NULL) - { - MacOSError::throwMe(errSecNoSuchKeychain); - } - - Required(keychainRef) = kc->handle(); - __secapiresult=0; + MacOSError::throwMe(errSecNoSuchKeychain); } - catch (const MacOSError &err) { __secapiresult=err.osStatus(); } - catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } - catch (...) 
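Review bot: In SecKeychainItemDelete the array returned by `SecKeychainItemCopyAllExtendedAttributes(__itemImplRef, &attrNames, NULL)` follows the Copy rule and is never released, so every delete of an item with extended attributes leaks it; add `if (attrNames) CFRelease(attrNames);` after the loop. The return value of each `SecKeychainItemSetExtendedAttribute(__itemImplRef, attrName, NULL)` is also discarded, so an attribute that cannot be removed is silently orphaned when the item goes away. Both predate this commit, but the commit rewrites the whole body and is the place to settle them.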
{ __secapiresult=errSecInternalComponent; } - if (itemImplRef) { - CFRelease(itemImplRef); - } - return __secapiresult; -#endif + Required(keychainRef) = kc->handle(); + + END_SECKCITEMAPI } @@ -394,36 +244,36 @@ OSStatus SecKeychainItemCreateCopy(SecKeychainItemRef itemRef, SecKeychainRef destKeychainRef, SecAccessRef initialAccess, SecKeychainItemRef *itemCopy) { -#if SECTRUST_OSX - // bridge code for certificate items - if (itemRef && CFGetTypeID(itemRef) == SecCertificateGetTypeID()) { - return SecCertificateAddToKeychain((SecCertificateRef)itemRef, destKeychainRef); + BEGIN_SECKCITEMAPI + + Item copy = ItemImpl::required(__itemImplRef)->copyTo(Keychain::optional(destKeychainRef), Access::optional(initialAccess)); + if (itemCopy) { + *itemCopy = copy->handle(); } -#endif - BEGIN_SECAPI - Item copy = ItemImpl::required(itemRef)->copyTo(Keychain::optional(destKeychainRef), Access::optional(initialAccess)); - if (itemCopy) - *itemCopy = copy->handle(); - END_SECAPI + END_SECKCITEMAPI } OSStatus SecKeychainItemGetUniqueRecordID(SecKeychainItemRef itemRef, const CSSM_DB_UNIQUE_RECORD **uniqueRecordID) { - BEGIN_SECAPI - Required(uniqueRecordID) = ItemImpl::required(itemRef)->dbUniqueRecord(); - END_SECAPI + BEGIN_SECKCITEMAPI + + Required(uniqueRecordID) = ItemImpl::required(__itemImplRef)->dbUniqueRecord(); + + END_SECKCITEMAPI } OSStatus SecKeychainItemGetDLDBHandle(SecKeychainItemRef itemRef, CSSM_DL_DB_HANDLE* dldbHandle) { - BEGIN_SECAPI - *dldbHandle = ItemImpl::required(itemRef)->keychain()->database()->handle(); - END_SECAPI + BEGIN_SECKCITEMAPI + + *dldbHandle = ItemImpl::required(__itemImplRef)->keychain()->database()->handle(); + + END_SECKCITEMAPI } #if 0 @@ -432,9 +282,11 @@ OSStatus SecAccessCreateFromObject(CFTypeRef sourceRef, SecAccessRef *accessRef) { BEGIN_SECAPI + Required(accessRef); // preflight SecPointer<Access> access = new Access(*aclBearer(sourceRef)); *accessRef = access->handle(); + END_SECAPI } 
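Review bot: SecKeychainItemGetDLDBHandle writes through `dldbHandle` with no NULL check, while its neighbor SecKeychainItemGetUniqueRecordID preflights its out-pointer with Required(); use the same guard, `Required(dldbHandle) = ItemImpl::required(__itemImplRef)->keychain()->database()->handle();`, so a NULL argument yields errSecParam rather than a fault. The `->keychain()` result is also dereferenced directly here, whereas SecKeychainItemCopyKeychain in this file checks it and throws errSecNoSuchKeychain; a floating item would need the same check. SecAccessCreateFromObject at the end of this line sits under `#if 0` and is not compiled.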
@@ -445,7 +297,9 @@ static OSStatus SecAccessModifyObject(SecAccessRef accessRef, CFTypeRef sourceRef) { BEGIN_SECAPI + Access::required(accessRef)->setAccess(*aclBearer(sourceRef), true); + END_SECAPI } #endif @@ -453,36 +307,37 @@ OSStatus SecAccessModifyObject(SecAccessRef accessRef, CFTypeRef sourceRef) OSStatus SecKeychainItemCopyAccess(SecKeychainItemRef itemRef, SecAccessRef* accessRef) { - BEGIN_SECAPI + BEGIN_SECKCITEMAPI Required(accessRef); // preflight - SecPointer<Access> access = new Access(*aclBearer(reinterpret_cast<CFTypeRef>(itemRef))); + SecPointer<Access> access = new Access(*aclBearer(reinterpret_cast<CFTypeRef>(__itemImplRef))); *accessRef = access->handle(); - END_SECAPI + END_SECKCITEMAPI } OSStatus SecKeychainItemSetAccess(SecKeychainItemRef itemRef, SecAccessRef accessRef) { - BEGIN_SECAPI + BEGIN_SECKCITEMAPI - Access::required(accessRef)->setAccess(*aclBearer(reinterpret_cast<CFTypeRef>(itemRef)), true); + Access::required(accessRef)->setAccess(*aclBearer(reinterpret_cast<CFTypeRef>(__itemImplRef)), true); - ItemImpl::required(itemRef)->postItemEvent (kSecUpdateEvent); + ItemImpl::required(__itemImplRef)->postItemEvent(kSecUpdateEvent); - END_SECAPI + END_SECKCITEMAPI } -OSStatus SecKeychainItemSetAccessWithPassword(SecKeychainItemRef itemRef, SecAccessRef accessRef, UInt32 passwordLength, const void * password) { - BEGIN_SECAPI +OSStatus SecKeychainItemSetAccessWithPassword(SecKeychainItemRef itemRef, SecAccessRef accessRef, UInt32 passwordLength, const void * password) +{ + BEGIN_SECKCITEMAPI OSStatus result; // try to unlock the keychain with this password first SecKeychainRef kc = NULL; - result = SecKeychainItemCopyKeychain(itemRef, &kc); + result = SecKeychainItemCopyKeychain(__itemImplRef, &kc); if(!result) { SecKeychainUnlock(kc, passwordLength, password, true); if(kc) { 
@@ -494,10 +349,10 @@ OSStatus SecKeychainItemSetAccessWithPassword(SecKeychainItemRef itemRef, SecAcc CssmAutoData data(Allocator::standard(), password, passwordLength); AclFactory::PassphraseUnlockCredentials cred(data, Allocator::standard()); - Access::required(accessRef)->editAccess(*aclBearer(reinterpret_cast<CFTypeRef>(itemRef)), true, cred.getAccessCredentials()); + Access::required(accessRef)->editAccess(*aclBearer(reinterpret_cast<CFTypeRef>(__itemImplRef)), true, cred.getAccessCredentials()); ItemImpl::required(itemRef)->postItemEvent (kSecUpdateEvent); - END_SECAPI + END_SECKCITEMAPI } @@ -507,9 +362,11 @@ OSStatus SecKeychainItemSetAccessWithPassword(SecKeychainItemRef itemRef, SecAcc */ OSStatus SecKeychainItemSetData(SecKeychainItemRef itemRef, UInt32 length, const void* data) { - BEGIN_SECAPI - ItemImpl::required(itemRef)->setData(length, data); - END_SECAPI + BEGIN_SECKCITEMAPI + + ItemImpl::required(__itemImplRef)->setData(length, data); + + END_SECKCITEMAPI } /* Gets an item's data for legacy "KC" CoreServices APIs. 
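Review bot: The editAccess call was switched to `__itemImplRef`, but the next line still reads `ItemImpl::required(itemRef)->postItemEvent (kSecUpdateEvent);` on the raw itemRef; for a SecCertificateRef caller — the case BEGIN_SECKCITEMAPI exists for — that lookup presumably cannot resolve an ItemImpl and fails after the access has already been edited, so the update event is never posted and the function reports an error for work it completed. Change it to `ItemImpl::required(__itemImplRef)->postItemEvent(kSecUpdateEvent);`, matching SecKeychainItemSetAccess in the previous hunk. SecKeychainItemSetAccessWithPassword begins outside this hunk.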
@@ -517,24 +374,28 @@ OSStatus SecKeychainItemSetData(SecKeychainItemRef itemRef, UInt32 length, const */ OSStatus SecKeychainItemGetData(SecKeychainItemRef itemRef, UInt32 maxLength, void* data, UInt32* actualLength) { - BEGIN_SECAPI - /* The caller either needs to specify data and maxLength or an actualLength, so we return either the data itself or the actual length of the data or both. */ - if (!((data && maxLength) || actualLength)) - MacOSError::throwMe(errSecParam); + BEGIN_SECKCITEMAPI - CssmDataContainer aData; - ItemImpl::required(itemRef)->getData(aData); - if (actualLength) - *actualLength = (UInt32)aData.length(); - - if (data) - { - // Make sure the buffer is big enough - if (aData.length() > maxLength) - MacOSError::throwMe(errSecBufferTooSmall); - memcpy(data, aData.data(), aData.length()); + /* The caller either needs to specify data and maxLength or an actualLength, + * so we return either the data itself or the actual length of the data or both. + */ + if (!((data && maxLength) || actualLength)) { + MacOSError::throwMe(errSecParam); + } + CssmDataContainer aData; + ItemImpl::required(__itemImplRef)->getData(aData); + if (actualLength) { + *actualLength = (UInt32)aData.length(); + } + if (data) { + // Make sure the buffer is big enough + if (aData.length() > maxLength) { + MacOSError::throwMe(errSecBufferTooSmall); } - END_SECAPI + memcpy(data, aData.data(), aData.length()); + } + + END_SECKCITEMAPI } /* Update a keychain item for legacy "KC" CoreServices APIs. 
@@ -542,38 +403,46 @@ OSStatus SecKeychainItemGetData(SecKeychainItemRef itemRef, UInt32 maxLength, vo */ OSStatus SecKeychainItemUpdate(SecKeychainItemRef itemRef) { - BEGIN_SECAPI - ItemImpl::required(itemRef)->update(); - END_SECAPI + BEGIN_SECKCITEMAPI + + ItemImpl::required(__itemImplRef)->update(); + + END_SECKCITEMAPI } /* Add a 'floating' keychain item without UI for legacy "KC" CoreServices APIs. */ OSStatus SecKeychainItemAddNoUI(SecKeychainRef keychainRef, SecKeychainItemRef itemRef) { - BEGIN_SECAPI - Item item = ItemImpl::required(itemRef); - Keychain::optional(keychainRef)->add(item); - END_SECAPI + BEGIN_SECKCITEMAPI + + Item item = ItemImpl::required(__itemImplRef); + Keychain::optional(keychainRef)->add(item); + + END_SECKCITEMAPI } /* Add a 'floating' keychain item to the default keychain with possible UI for legacy "KC" Carbon APIs. */ OSStatus SecKeychainItemAdd(SecKeychainItemRef itemRef) { - BEGIN_SECAPI - Item item = ItemImpl::required(itemRef); - Keychain defaultKeychain = globals().storageManager.defaultKeychainUI(item); - defaultKeychain->add(item); - END_SECAPI + BEGIN_SECKCITEMAPI + + Item item = ItemImpl::required(__itemImplRef); + Keychain defaultKeychain = globals().storageManager.defaultKeychainUI(item); + defaultKeychain->add(item); + + END_SECKCITEMAPI } /* Creates a floating keychain item for legacy "KC" CoreServices APIs */ OSStatus SecKeychainItemCreateNew(SecItemClass itemClass, OSType itemCreator, UInt32 length, const void* data, SecKeychainItemRef* itemRef) { - BEGIN_SECAPI - RequiredParam(itemRef) = Item(itemClass, itemCreator, length, data, false)->handle(); + BEGIN_SECAPI + + RequiredParam(itemRef) = Item(itemClass, itemCreator, length, data, false)->handle(); + END_SECAPI } 
@@ -581,18 +450,22 @@ OSStatus SecKeychainItemCreateNew(SecItemClass itemClass, OSType itemCreator, UI */ OSStatus SecKeychainItemGetAttribute(SecKeychainItemRef itemRef, SecKeychainAttribute* attribute, UInt32* actualLength) { - BEGIN_SECAPI - ItemImpl::required(itemRef)->getAttribute(RequiredParam(attribute), actualLength); - END_SECAPI + BEGIN_SECKCITEMAPI + + ItemImpl::required(__itemImplRef)->getAttribute(RequiredParam(attribute), actualLength); + + END_SECKCITEMAPI } /* Sets an individual attribute for legacy "KC" CoreServices APIs */ OSStatus SecKeychainItemSetAttribute(SecKeychainItemRef itemRef, SecKeychainAttribute* attribute) { - BEGIN_SECAPI - ItemImpl::required(itemRef)->setAttribute(RequiredParam(attribute)); - END_SECAPI + BEGIN_SECKCITEMAPI + + ItemImpl::required(__itemImplRef)->setAttribute(RequiredParam(attribute)); + + END_SECKCITEMAPI } /* Finds a keychain item for legacy "KC" CoreServices APIs. 
@@ -602,45 +475,83 @@ OSStatus SecKeychainItemSetAttribute(SecKeychainItemRef itemRef, SecKeychainAttr */ OSStatus SecKeychainItemFindFirst(SecKeychainRef keychainRef, const SecKeychainAttributeList *attrList, SecKeychainSearchRef *searchRef, SecKeychainItemRef *itemRef) { - BEGIN_SECAPI - KCCursor cursor; - if (keychainRef) - cursor = KeychainImpl::required(keychainRef)->createCursor(attrList); - else - cursor = globals().storageManager.createCursor(attrList); - - Item item; - if (!cursor->next(item)) - return errSecItemNotFound; - - *itemRef=item->handle(); - if (searchRef) - *searchRef=cursor->handle(); + BEGIN_SECAPI + + KCCursor cursor; + if (keychainRef) { + cursor = KeychainImpl::required(keychainRef)->createCursor(attrList); + } else { + cursor = globals().storageManager.createCursor(attrList); + } + + Item item; + if (!cursor->next(item)) + return errSecItemNotFound; + + *itemRef=item->handle(); + if (searchRef) { + *searchRef=cursor->handle(); + } + END_SECAPI } #if SECTRUST_OSX static OSStatus SecKeychainItemCreatePersistentReferenceFromCertificate(SecCertificateRef certRef, - CFDataRef *persistentItemRef) + CFDataRef *persistentItemRef, Boolean isIdentity) { - if (!certRef || !persistentItemRef) + OSStatus __secapiresult; + if (!certRef || !persistentItemRef) { return errSecParam; + } + + // If we already have a keychain item, we won't need to look it up by serial and issuer + SecKeychainItemRef kcItem = NULL; + if (SecCertificateIsItemImplInstance(certRef)) { + kcItem = (SecKeychainItemRef) CFRetain(certRef); + } + else { + kcItem = (SecKeychainItemRef) SecCertificateCopyKeychainItem(certRef); + } + if (kcItem) { + __secapiresult = errSecParam; + try { + Item item = ItemImpl::required((kcItem)); + item->copyPersistentReference(*persistentItemRef, isIdentity); + __secapiresult = errSecSuccess; + } + catch(...) 
{} + CFRelease(kcItem); + if (__secapiresult == errSecSuccess) { + return __secapiresult; + } + } + + // Certificate does not have a keychain item reference; look it up by serial and issuer + SecCertificateRef certItem = NULL; + if (SecCertificateIsItemImplInstance(certRef)) { + certItem = SecCertificateCreateFromItemImplInstance(certRef); + } + else { + certItem = (SecCertificateRef) CFRetain(certRef); + } - OSStatus __secapiresult; CFErrorRef errorRef = NULL; - CFDataRef serialData = SecCertificateCopySerialNumber(certRef, &errorRef); + CFDataRef serialData = SecCertificateCopySerialNumber(certItem, &errorRef); if (errorRef) { CFIndex err = CFErrorGetCode(errorRef); CFRelease(errorRef); if (serialData) { CFRelease(serialData); } + if (certItem) { CFRelease(certItem); } return (OSStatus)err; } - CFDataRef issuerData = SecCertificateCopyNormalizedIssuerContent(certRef, &errorRef); + CFDataRef issuerData = SecCertificateCopyNormalizedIssuerContent(certItem, &errorRef); if (errorRef) { CFIndex err = CFErrorGetCode(errorRef); CFRelease(errorRef); if (serialData) { CFRelease(serialData); } if (issuerData) { CFRelease(issuerData); } + if (certItem) { CFRelease(certItem); } return (OSStatus)err; } @@ -665,6 +576,8 @@ static OSStatus SecKeychainItemCreatePersistentReferenceFromCertificate(SecCerti CFRelease(serialData); if (issuerData) CFRelease(issuerData); + if (certItem) + CFRelease(certItem); return __secapiresult; } 
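Review bot: In the serial-and-issuer fallback, `certItem` can be NULL when `SecCertificateCreateFromItemImplInstance(certRef)` fails (the guarded `if (certItem) { CFRelease(certItem); }` cleanups suggest that is a real case), yet it is passed unchecked to `SecCertificateCopySerialNumber(certItem, &errorRef)` and `SecCertificateCopyNormalizedIssuerContent(certItem, &errorRef)`. Add `if (!certItem) { return errSecParam; }` immediately after the if/else that assigns it, before `CFErrorRef errorRef = NULL;`. Separately, the `catch(...) {}` around `item->copyPersistentReference(...)` discards the reason the keychain-item path failed before silently trying the lookup path; a secinfo line in that catch would make the fallback diagnosable. The middle of this function, between this hunk and the `@@ -665` hunk, is outside the view.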
@@ -677,8 +590,9 @@ OSStatus SecKeychainItemCreatePersistentReference(SecKeychainItemRef itemRef, CF KCThrowParamErrIf_(!itemRef || !persistentItemRef); Item item; - bool isIdentityRef = (CFGetTypeID(itemRef) == SecIdentityGetTypeID()) ? true : false; - bool isCertificateRef = (CFGetTypeID(itemRef) == SecCertificateGetTypeID()) ? true : false; + CFTypeID itemType = (itemRef) ? CFGetTypeID(itemRef) ? 0; + bool isIdentityRef = (itemType == SecIdentityGetTypeID()) ? true : false; + bool isCertificateRef = (itemType == SecCertificateGetTypeID()) ? true : false; if (isIdentityRef) { SecPointer<Certificate> certificatePtr(Identity::required((SecIdentityRef)itemRef)->certificate()); SecCertificateRef certificateRef = certificatePtr->handle(false); 
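Review bot: `CFTypeID itemType = (itemRef) ? CFGetTypeID(itemRef) ? 0;` is not a valid expression — the second `?` has to be `:` — so this line cannot compile in any configuration that includes it; since the commit presumably built, this branch is likely excluded by a preprocessor condition that starts above the hunk. The guard is also redundant: `KCThrowParamErrIf_(!itemRef || !persistentItemRef);` two lines earlier already rejects a NULL itemRef, so `CFTypeID itemType = CFGetTypeID(itemRef);` is both correct and sufficient. The function starts before and ends after this hunk.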
@@ -700,17 +614,32 @@ OSStatus SecKeychainItemCreatePersistentReference(SecKeychainItemRef itemRef, CF if (!itemRef || !persistentItemRef) { return errSecParam; } - bool isIdentityRef = (CFGetTypeID(itemRef) == SecIdentityGetTypeID()) ? true : false; - bool isCertificateRef = (CFGetTypeID(itemRef) == SecCertificateGetTypeID()) ? true : false; + // first, query the iOS keychain + { + const void *keys[] = { kSecValueRef, kSecReturnPersistentRef, kSecAttrNoLegacy }; + const void *values[] = { itemRef, kCFBooleanTrue, kCFBooleanTrue }; + CFRef<CFDictionaryRef> query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + OSStatus status = SecItemCopyMatching(query, (CFTypeRef *)persistentItemRef); + if (status == errSecSuccess) { + return status; + } + } + // otherwise, handle certificate SecCertificateRef certRef = NULL; - if (isIdentityRef) { + CFTypeID itemType = CFGetTypeID(itemRef); + bool isIdentity = false; + if (itemType == SecIdentityGetTypeID()) { SecIdentityCopyCertificate((SecIdentityRef)itemRef, &certRef); + isIdentity = true; } - else if (isCertificateRef) { + else if (itemType == SecCertificateGetTypeID()) { certRef = (SecCertificateRef) CFRetain(itemRef); } if (certRef) { - OSStatus status = SecKeychainItemCreatePersistentReferenceFromCertificate(certRef, persistentItemRef); + OSStatus status = SecKeychainItemCreatePersistentReferenceFromCertificate(certRef, persistentItemRef, isIdentity); CFRelease(certRef); return status; } 
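Review bot: The return value of `SecIdentityCopyCertificate((SecIdentityRef)itemRef, &certRef);` is dropped; on failure `certRef` stays NULL, the `if (certRef)` block is skipped, and the caller receives whatever the code after the hunk returns for a non-certificate, with the actual error lost. Capture it: `OSStatus idStatus = SecIdentityCopyCertificate((SecIdentityRef)itemRef, &certRef); if (idStatus != errSecSuccess) { return idStatus; }`. The new iOS-keychain probe also treats every non-success status from `SecItemCopyMatching` as "not there" and falls through to the legacy path, which is right for errSecItemNotFound but hides, say, an authorization failure; a comment stating that this is deliberate would help. The function begins before and ends after this hunk.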
@@ -729,6 +658,20 @@ OSStatus SecKeychainItemCopyFromPersistentReference(CFDataRef persistentItemRef, BEGIN_SECAPI KCThrowParamErrIf_(!persistentItemRef || !itemRef); + // first, query the iOS keychain + { + const void *keys[] = { kSecValuePersistentRef, kSecReturnRef, kSecAttrNoLegacy}; + const void *values[] = { persistentItemRef, kCFBooleanTrue, kCFBooleanTrue }; + CFRef<CFDictionaryRef> query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + OSStatus status = SecItemCopyMatching(query, (CFTypeRef *)itemRef); + if (status == errSecSuccess) { + return status; + } + } + // otherwise, proceed as usual for keychain item CFTypeRef result = NULL; bool isIdentityRef = false; Item item = ItemImpl::makeFromPersistentReference(persistentItemRef, &isIdentityRef); @@ -749,7 +692,7 @@ OSStatus SecKeychainItemCopyFromPersistentReference(CFDataRef persistentItemRef, #if SECTRUST_OSX /* see if we should convert outgoing item to a unified SecCertificateRef */ SecItemClass tmpItemClass = Schema::itemClassFor(item->recordType()); - if (tmpItemClass == kSecCertificateItemClass) { + if (tmpItemClass == kSecCertificateItemClass && !isIdentityRef) { SecPointer<Certificate> certificate(static_cast<Certificate *>(&*item)); CssmData certData = certificate->data(); CFDataRef data = NULL; 
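Review bot: Only `errSecSuccess` from the `kSecValuePersistentRef` probe is acted on; any other status, not just errSecItemNotFound, is discarded and the legacy lookup runs, so a failure from the modern keychain ends up reported as whatever the legacy path says and the original cause is unrecoverable by the caller. If the fall-through is intended for every status, say so where the status is dropped: `// any failure here (not only errSecItemNotFound) falls back to the legacy keychain; the modern status is deliberately not surfaced`; if not, return early for statuses other than errSecItemNotFound. Note also that `kSecReturnRef` presumably hands back a unified object (SecKeyRef or SecCertificateRef) in `*itemRef` rather than an ItemImpl handle; the conversion further down suggests callers already accept that, but it is worth confirming. The function starts before this hunk, and the `@@ -749` hunk shows only a fragment of its tail.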
@@ -783,14 +726,16 @@ OSStatus SecKeychainItemCopyFromPersistentReference(CFDataRef persistentItemRef, OSStatus SecKeychainItemCopyRecordIdentifier(SecKeychainItemRef itemRef, CFDataRef *recordIdentifier) { - BEGIN_SECAPI - CSSM_DATA data; - RequiredParam (recordIdentifier); - Item item = ItemImpl::required(itemRef); - item->copyRecordIdentifier (data); - *recordIdentifier = ::CFDataCreate(kCFAllocatorDefault, (UInt8*) data.Data, data.Length); - free (data.Data); - END_SECAPI + BEGIN_SECKCITEMAPI + + CSSM_DATA data; + RequiredParam (recordIdentifier); + Item item = ItemImpl::required(__itemImplRef); + item->copyRecordIdentifier (data); + *recordIdentifier = ::CFDataCreate(kCFAllocatorDefault, (UInt8*) data.Data, data.Length); + free (data.Data); + + END_SECKCITEMAPI } OSStatus 
@@ -799,51 +744,53 @@ SecKeychainItemCopyFromRecordIdentifier(SecKeychainRef keychainRef, CFDataRef recordIdentifier) { BEGIN_SECAPI - // make a local Keychain reference - RequiredParam (keychainRef); - Keychain keychain = KeychainImpl::optional (keychainRef); - RequiredParam (itemRef); - RequiredParam (recordIdentifier); - - Db db(keychain->database()); - - // make a raw database call to get the data - CSSM_DL_DB_HANDLE dbHandle = db.handle (); - CSSM_DB_UNIQUE_RECORD uniqueRecord; - - // according to source, we should be able to reconsitute the uniqueRecord - // from the data we earlier retained - - // prepare the record id - memset (&uniqueRecord, 0, sizeof (uniqueRecord)); - uniqueRecord.RecordIdentifier.Data = (uint8*) CFDataGetBytePtr (recordIdentifier); - uniqueRecord.RecordIdentifier.Length = CFDataGetLength (recordIdentifier); - - // convert this unique id to a CSSM_DB_UNIQUE_RECORD that works for the CSP/DL - CSSM_DB_UNIQUE_RECORD_PTR outputUniqueRecordPtr; - CSSM_RETURN result; - result = CSSM_DL_PassThrough (dbHandle, CSSM_APPLECSPDL_DB_CONVERT_RECORD_IDENTIFIER, &uniqueRecord, (void**) &outputUniqueRecordPtr); - KCThrowIf_(result != 0, errSecItemNotFound); - - // from this, get the record type - CSSM_DB_RECORD_ATTRIBUTE_DATA attributeData; - memset (&attributeData, 0, sizeof (attributeData)); - - result = CSSM_DL_DataGetFromUniqueRecordId (dbHandle, outputUniqueRecordPtr, &attributeData, NULL); - KCThrowIf_(result != 0, errSecItemNotFound); - CSSM_DB_RECORDTYPE recordType = attributeData.DataRecordType; - - // make the unique record item -- precursor to creation of a SecKeychainItemRef - DbUniqueRecord unique(db); - CSSM_DB_UNIQUE_RECORD_PTR *uniquePtr = unique; - *uniquePtr = outputUniqueRecordPtr; - - unique->activate (); - Item item = keychain->item (recordType, unique); - if (itemRef) - { - *itemRef = item->handle(); - } + + // make a local Keychain reference + RequiredParam (keychainRef); + Keychain keychain = KeychainImpl::optional (keychainRef); 
+ RequiredParam (itemRef); + RequiredParam (recordIdentifier); + + Db db(keychain->database()); + + // make a raw database call to get the data + CSSM_DL_DB_HANDLE dbHandle = db.handle (); + CSSM_DB_UNIQUE_RECORD uniqueRecord; + + // according to source, we should be able to reconsitute the uniqueRecord + // from the data we earlier retained + + // prepare the record id + memset (&uniqueRecord, 0, sizeof (uniqueRecord)); + uniqueRecord.RecordIdentifier.Data = (uint8*) CFDataGetBytePtr (recordIdentifier); + uniqueRecord.RecordIdentifier.Length = CFDataGetLength (recordIdentifier); + + // convert this unique id to a CSSM_DB_UNIQUE_RECORD that works for the CSP/DL + CSSM_DB_UNIQUE_RECORD_PTR outputUniqueRecordPtr; + CSSM_RETURN result; + result = CSSM_DL_PassThrough (dbHandle, CSSM_APPLECSPDL_DB_CONVERT_RECORD_IDENTIFIER, &uniqueRecord, (void**) &outputUniqueRecordPtr); + KCThrowIf_(result != 0, errSecItemNotFound); + + // from this, get the record type + CSSM_DB_RECORD_ATTRIBUTE_DATA attributeData; + memset (&attributeData, 0, sizeof (attributeData)); + + result = CSSM_DL_DataGetFromUniqueRecordId (dbHandle, outputUniqueRecordPtr, &attributeData, NULL); + KCThrowIf_(result != 0, errSecItemNotFound); + CSSM_DB_RECORDTYPE recordType = attributeData.DataRecordType; + + // make the unique record item -- precursor to creation of a SecKeychainItemRef + DbUniqueRecord unique(db); + CSSM_DB_UNIQUE_RECORD_PTR *uniquePtr = unique; + *uniquePtr = outputUniqueRecordPtr; + + unique->activate (); + Item item = keychain->item (recordType, unique); + if (itemRef) + { + *itemRef = item->handle(); + } + END_SECAPI } 
@@ -851,44 +798,44 @@ OSStatus SecKeychainItemCreateFromEncryptedContent(SecItemClass itemClass, UInt32 length, const void *data, SecKeychainRef keychainRef, SecAccessRef initialAccess, SecKeychainItemRef *itemRef, CFDataRef *localID) { - BEGIN_SECAPI - KCThrowParamErrIf_(length!=0 && data==NULL); + BEGIN_SECAPI - RequiredParam (localID); - RequiredParam (keychainRef); + KCThrowParamErrIf_(length!=0 && data==NULL); + RequiredParam (localID); + RequiredParam (keychainRef); - Item item(itemClass, (uint32) 0, length, data, true); - if (initialAccess) - item->setAccess(Access::required(initialAccess)); + Item item(itemClass, (uint32) 0, length, data, true); + if (initialAccess) + item->setAccess(Access::required(initialAccess)); - Keychain keychain = Keychain::optional(keychainRef); - if (!keychain->exists()) - { - MacOSError::throwMe(errSecNoSuchKeychain); // Might be deleted or not available at this time. - } + Keychain keychain = Keychain::optional(keychainRef); + if (!keychain->exists()) + { + MacOSError::throwMe(errSecNoSuchKeychain); // Might be deleted or not available at this time. 
+ } - item->doNotEncrypt (); - try - { - keychain->add(item); - } - catch (const CommonError &err) + item->doNotEncrypt (); + try + { + keychain->add(item); + } + catch (const CommonError &err) + { + if (err.osStatus () == errSecNoSuchClass) { - if (err.osStatus () == errSecNoSuchClass) + // the only time this should happen is if the item is a certificate (for keychain syncing) + if (itemClass == CSSM_DL_DB_RECORD_X509_CERTIFICATE) { - // the only time this should happen is if the item is a certificate (for keychain syncing) - if (itemClass == CSSM_DL_DB_RECORD_X509_CERTIFICATE) - { - // create the certificate relation - Db db(keychain->database()); + // create the certificate relation + Db db(keychain->database()); - db->createRelation(CSSM_DL_DB_RECORD_X509_CERTIFICATE, + db->createRelation(CSSM_DL_DB_RECORD_X509_CERTIFICATE, "CSSM_DL_DB_RECORD_X509_CERTIFICATE", Schema::X509CertificateSchemaAttributeCount, Schema::X509CertificateSchemaAttributeList, Schema::X509CertificateSchemaIndexCount, Schema::X509CertificateSchemaIndexList); - keychain->keychainSchema()->didCreateRelation( + keychain->keychainSchema()->didCreateRelation( CSSM_DL_DB_RECORD_X509_CERTIFICATE, "CSSM_DL_DB_RECORD_X509_CERTIFICATE", Schema::X509CertificateSchemaAttributeCount, 
@@ -896,24 +843,25 @@ OSStatus SecKeychainItemCreateFromEncryptedContent(SecItemClass itemClass, Schema::X509CertificateSchemaIndexCount, Schema::X509CertificateSchemaIndexList); - // add the item again - keychain->add(item); - } - } - else - { - throw; + // add the item again + keychain->add(item); } } + else + { + throw; + } + } - if (itemRef) - *itemRef = item->handle(); + if (itemRef) + *itemRef = item->handle(); - CSSM_DATA recordID; - item->copyRecordIdentifier (recordID); + CSSM_DATA recordID; + item->copyRecordIdentifier (recordID); + + *localID = CFDataCreate(kCFAllocatorDefault, (UInt8*) recordID.Data, recordID.Length); + free (recordID.Data); - *localID = CFDataCreate(kCFAllocatorDefault, (UInt8*) recordID.Data, recordID.Length); - free (recordID.Data); END_SECAPI } @@ -921,18 +869,22 @@ OSStatus SecKeychainItemCopyAttributesAndEncryptedData(SecKeychainItemRef itemRe SecItemClass *itemClass, SecKeychainAttributeList **attrList, UInt32 *length, void **outData) { - BEGIN_SECAPI - Item item = ItemImpl::required(itemRef); - item->doNotEncrypt (); - item->getAttributesAndData(info, itemClass, attrList, length, outData); - END_SECAPI + BEGIN_SECKCITEMAPI + + Item item = ItemImpl::required(__itemImplRef); + item->doNotEncrypt (); + item->getAttributesAndData(info, itemClass, attrList, length, outData); + + END_SECKCITEMAPI } OSStatus SecKeychainItemModifyEncryptedData(SecKeychainItemRef itemRef, UInt32 length, const void *data) { - BEGIN_SECAPI - Item item = ItemImpl::required(itemRef); - item->doNotEncrypt (); - item->modifyAttributesAndData(NULL, length, data); - END_SECAPI + BEGIN_SECKCITEMAPI + + Item item = ItemImpl::required(__itemImplRef); + item->doNotEncrypt (); + item->modifyAttributesAndData(NULL, length, data); + + END_SECKCITEMAPI } diff --git a/OSX/libsecurity_keychain/lib/SecKeychainItem.h b/OSX/libsecurity_keychain/lib/SecKeychainItem.h index a83533de..4b579812 100644 --- a/OSX/libsecurity_keychain/lib/SecKeychainItem.h 
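Review bot: `SecKeychainItemModifyEncryptedData` passes `length` and `data` to `item->modifyAttributesAndData(NULL, length, data)` without checking that `data` is non-NULL when `length` is non-zero, whereas `SecKeychainItemCreateFromEncryptedContent` in the same file guards the identical pair with `KCThrowParamErrIf_(length!=0 && data==NULL);`. Unless modifyAttributesAndData validates this itself (its body is not in the diff), adding that one line after `BEGIN_SECKCITEMAPI` makes the two encrypted-content entry points consistent. Both functions in the `@@ -921` hunk also call `item->doNotEncrypt()` on the shared Item object; a comment on what that flag means for later users of the same item would help a reader who meets these calls for the first time.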
+++ b/OSX/libsecurity_keychain/lib/SecKeychainItem.h @@ -259,7 +259,7 @@ OSStatus SecKeychainItemCopyKeychain(SecKeychainItemRef itemRef, SecKeychainRef @result A result code. See "Security Error Codes" (SecBase.h). */ OSStatus SecKeychainItemCreateCopy(SecKeychainItemRef itemRef, SecKeychainRef __nullable destKeychainRef, - SecAccessRef initialAccess, SecKeychainItemRef * __nonnull CF_RETURNS_RETAINED itemCopy); + SecAccessRef __nullable initialAccess, SecKeychainItemRef * __nonnull CF_RETURNS_RETAINED itemCopy); /*! @function SecKeychainItemCreatePersistentReference diff --git a/OSX/libsecurity_keychain/lib/SecKeychainItemExtendedAttributes.cpp b/OSX/libsecurity_keychain/lib/SecKeychainItemExtendedAttributes.cpp index 1f7e0061..0f34defe 100644 --- a/OSX/libsecurity_keychain/lib/SecKeychainItemExtendedAttributes.cpp +++ b/OSX/libsecurity_keychain/lib/SecKeychainItemExtendedAttributes.cpp @@ -42,6 +42,8 @@ static CFTypeID SecKeychainItemExtendedAttributesGetTypeID(void) } #endif +extern "C" Boolean SecKeyIsCDSAKey(SecKeyRef ref); + /* * Determine if incoming itemRef can be considered for * this mechanism; throw if not. @@ -52,7 +54,7 @@ static void isItemRefCapable( CFTypeID id = CFGetTypeID(itemRef); if((id == gTypes().ItemImpl.typeID) || (id == gTypes().Certificate.typeID) || - (id == gTypes().KeyItem.typeID)) { + (id == SecKeyGetTypeID() && SecKeyIsCDSAKey((SecKeyRef)itemRef))) { return; } else { @@ -140,9 +142,9 @@ OSStatus SecKeychainItemSetExtendedAttribute( CFStringRef attrName, CFDataRef attrValue) /* NULL means delete the attribute */ { -#if SECTRUST_OSX -#warning This needs to detect SecCertificateRef items, and when it does, SecKeychainItemDelete must be updated -#endif + // <rdar://25635468> + //%%% This needs to detect SecCertificateRef items, and when it does, SecKeychainItemDelete must be updated + BEGIN_SECAPI if((itemRef == NULL) || (attrName == NULL)) { 
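Review bot: `extern "C" Boolean SecKeyIsCDSAKey(SecKeyRef ref);` re-declares the function by hand at file scope, so if the real declaration has, or later gets, a different signature the compiler cannot catch the mismatch at the call in `isItemRefCapable`; include the header that declares it instead of repeating the prototype. The `#warning This needs to detect SecCertificateRef items...` lines in the `@@ -140` hunk (and the two like it in the next chunk) become plain `//%%%` comments, so the known gap — `isItemRefCapable` still accepts only `gTypes().Certificate.typeID`, not a unified SecCertificateRef — no longer shows in the build output; keep the rdar reference but phrase it as an actionable TODO, e.g. `// TODO(rdar://25635468): unified SecCertificateRef items are rejected by isItemRefCapable; update SecKeychainItemDelete when that changes`. The SecKeychainItem.h hunk above it is a nullability annotation only.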
@@ -190,9 +192,9 @@ OSStatus SecKeychainItemCopyExtendedAttribute( CFStringRef attrName, CFDataRef *attrValue) /* RETURNED */ { -#if SECTRUST_OSX -#warning This needs to detect SecCertificateRef items -#endif + // <rdar://25635468> + //%%% This needs to detect SecCertificateRef items + BEGIN_SECAPI if((itemRef == NULL) || (attrName == NULL) || (attrValue == NULL)) { @@ -231,9 +233,9 @@ OSStatus SecKeychainItemCopyAllExtendedAttributes( CFArrayRef *attrValues) /* optional, RETURNED, each element is a * CFDataRef */ { -#if SECTRUST_OSX -#warning This needs to detect SecCertificateRef items, and when it does, SecKeychainItemDelete must be updated -#endif + // <rdar://25635468> + //%%% This needs to detect SecCertificateRef items, and when it does, SecKeychainItemDelete must be updated + BEGIN_SECAPI if((itemRef == NULL) || (attrNames == NULL)) { diff --git a/OSX/libsecurity_keychain/lib/SecKeychainPriv.h b/OSX/libsecurity_keychain/lib/SecKeychainPriv.h index e9650f96..d504b4a1 100644 --- a/OSX/libsecurity_keychain/lib/SecKeychainPriv.h +++ b/OSX/libsecurity_keychain/lib/SecKeychainPriv.h 
@@ -114,10 +114,26 @@ OSStatus SecKeychainSystemKeychainCheckWouldDeadlock() __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRef systemKeychainRef, CFStringRef username, CFStringRef password) __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_NA); +OSStatus SecKeychainEraseUnlockKey(SecKeychainRef systemKeychainRef, CFStringRef username) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA); +/* Token login support */ +OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringRef tokenID, CFDataRef wrapPubKeyHash, SecKeychainRef userKeychain, CFStringRef password) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA); +OSStatus SecKeychainEraseUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA); + +/* calls to interact with keychain versions */ OSStatus SecKeychainGetKeychainVersion(SecKeychainRef keychain, UInt32* version) __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_NA); +OSStatus SecKeychainAttemptMigrationWithMasterKey(SecKeychainRef keychain, UInt32 version, const char* masterKeyFilename) + __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_NA); + +/* calls for testing only */ +OSStatus SecKeychainGetUserPromptAttempts(uint32_t* attempts) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA); + /*! @function SecKeychainMDSInstall Set up MDS. diff --git a/OSX/libsecurity_keychain/lib/SecKeychainSearch.cpp b/OSX/libsecurity_keychain/lib/SecKeychainSearch.cpp index 68eb54a0..2ba38d91 100644 --- a/OSX/libsecurity_keychain/lib/SecKeychainSearch.cpp +++ b/OSX/libsecurity_keychain/lib/SecKeychainSearch.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2004,2011-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2000-2004,2011-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
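Review bot: `SecKeychainAttemptMigrationWithMasterKey` is declared `__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_NA)` while every other SPI added in this hunk says `__MAC_10_12`; either it predates this change elsewhere or the availability macro is wrong, and the header cannot tell a reader which. None of the new declarations carry a comment: `SecKeychainStoreUnlockKeyWithPubKeyHash` takes two hashes, a token ID and a `CFStringRef password` with no statement of what each hash identifies, what is stored, or which call erases it (`SecKeychainEraseUnlockKeyWithPubKeyHash` takes only `pubKeyHash`), and `SecKeychainAttemptMigrationWithMasterKey` takes a `const char* masterKeyFilename` with nothing said about who may supply that path. A short block comment per function describing the parameters, the artefact stored and its erasing counterpart would make this private header usable without reading the implementation, and it should state that a CFStringRef password cannot be zeroized by the callee.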
@@ -80,7 +80,7 @@ SecKeychainSearchCreateFromAttributesExtended(CFTypeRef keychainOrArray, SecItem OSStatus SecKeychainSearchCopyNext(SecKeychainSearchRef searchRef, SecKeychainItemRef *itemRef) { - BEGIN_SECAPI + BEGIN_SECAPI RequiredParam(itemRef); Item item; @@ -104,8 +104,10 @@ SecKeychainSearchCopyNext(SecKeychainSearchRef searchRef, SecKeychainItemRef *it } if (!data) { /* zero-length or otherwise bad cert data; skip to next item */ - CFRelease(*itemRef); - *itemRef = NULL; + if (*itemRef) { + CFRelease(*itemRef); + *itemRef = NULL; + } if (!itemCursor->next(item)) return errSecItemNotFound; *itemRef=item->handle(); @@ -117,12 +119,24 @@ SecKeychainSearchCopyNext(SecKeychainSearchRef searchRef, SecKeychainItemRef *it CFRelease(data); if (tmpRef) CFRelease(tmpRef); + if (NULL == *itemRef) { + /* unable to create unified certificate item; skip to next item */ + if (!itemCursor->next(item)) + return errSecItemNotFound; + *itemRef=item->handle(); + continue; + } itemChecked = true; - } + } else { itemChecked = true; } } while (!itemChecked); + + if (NULL == *itemRef) { + /* never permit a NULL item reference to be returned without an error result */ + return errSecItemNotFound; + } #endif END_SECAPI diff --git a/OSX/libsecurity_keychain/lib/SecPassword.cpp b/OSX/libsecurity_keychain/lib/SecPassword.cpp index c5989d05..477c9bac 100644 --- a/OSX/libsecurity_keychain/lib/SecPassword.cpp +++ b/OSX/libsecurity_keychain/lib/SecPassword.cpp 
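Review bot: In the `@@ -117` hunk, an item whose certificate bytes cannot be turned into a unified SecCertificateRef is skipped with no trace: `if (NULL == *itemRef) { ... continue; }` moves on and the final guard turns an exhausted cursor into errSecItemNotFound, so a caller cannot tell "no more items" from "an item exists but is unreadable", and a corrupted or tampered certificate record simply disappears from enumeration. A `secinfo("SecKeychainSearch", "skipping certificate item that could not be converted");` before the `continue` (the project already uses secinfo in SecPassword.cpp in this diff) would at least leave a record. The `if (*itemRef)` guard added in the `@@ -104` hunk is correct; both hunks sit in the middle of SecKeychainSearchCopyNext, whose start is shown in the `@@ -80` hunk and whose remainder is outside the view.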
@@ -179,7 +179,7 @@ SecPasswordAction(SecPasswordRef itemRef, CFTypeRef message, UInt32 flags, UInt3 AuthorizationItemSet envSet = { sizeof(envRights) / sizeof(*envRights), envRights }; - secdebug("SecPassword", "dialog(%s)%s%s%s.", right.name, tries?" retry":"", keychain?" show-add-keychain":"", addToKeychain?" save-to-keychain":""); + secinfo("SecPassword", "dialog(%s)%s%s%s.", right.name, tries?" retry":"", keychain?" show-add-keychain":"", addToKeychain?" save-to-keychain":""); status = AuthorizationCopyRights(authRef, &rightSet, &envSet, kAuthorizationFlagDefaults|kAuthorizationFlagInteractionAllowed|kAuthorizationFlagExtendRights, NULL); @@ -224,14 +224,14 @@ SecPasswordAction(SecPasswordRef itemRef, CFTypeRef message, UInt32 flags, UInt3 if (data) *data = passwordData; - secdebug("SecPassword", "Got password (%u,%p).", (unsigned int)passwordLength, passwordData); + secinfo("SecPassword", "Got password (%u,%p).", (unsigned int)passwordLength, passwordData); } else if (!strcmp(AGENT_ADD_TO_KEYCHAIN, item.name)) { bool remember = (item.value && item.valueLength == strlen("YES") && !memcmp("YES", static_cast<char *>(item.value), item.valueLength)); passwordRef->setRememberInKeychain(remember); if (remember) - secdebug("SecPassword", "User wants to add the password to the Keychain."); + secinfo("SecPassword", "User wants to add the password to the Keychain."); } } } diff --git a/OSX/libsecurity_keychain/lib/SecPolicy.cpp b/OSX/libsecurity_keychain/lib/SecPolicy.cpp index e4515732..9c89e06d 100644 --- a/OSX/libsecurity_keychain/lib/SecPolicy.cpp +++ b/OSX/libsecurity_keychain/lib/SecPolicy.cpp @@ -1,3 +1,4 @@ + /* * Copyright (c) 2002-2015 Apple Inc. All Rights Reserved. * @@ -40,6 +41,7 @@ #define SEC_CONST_DECL(k,v) const CFStringRef k = CFSTR(v); +#if !SECTRUST_OSX SEC_CONST_DECL (kSecPolicyAppleX509Basic, "1.2.840.113635.100.1.2"); SEC_CONST_DECL (kSecPolicyAppleSSL, "1.2.840.113635.100.1.3"); SEC_CONST_DECL (kSecPolicyAppleSMIME, "1.2.840.113635.100.1.8"); 
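Review bot: `secinfo("SecPassword", "Got password (%u,%p).", (unsigned int)passwordLength, passwordData);` now emits the password's length and its buffer address at info level instead of the old secdebug level; if secinfo maps to os_log info (which unified logging can persist and export), the length narrows a brute-force search and the pointer leaks heap layout for a process holding a freshly entered secret. Drop both values: `secinfo("SecPassword", "Got password.");` — the event stays visible, nothing about the secret does. The other two secinfo lines in these hunks carry no sensitive data. SecPasswordAction starts before the first hunk and ends after the last.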
@@ -61,46 +63,36 @@ SEC_CONST_DECL (kSecPolicyAppleEscrowService, "1.2.840.113635.100.1.24"); SEC_CONST_DECL (kSecPolicyAppleProfileSigner, "1.2.840.113635.100.1.25"); SEC_CONST_DECL (kSecPolicyAppleQAProfileSigner, "1.2.840.113635.100.1.26"); SEC_CONST_DECL (kSecPolicyAppleTestMobileStore, "1.2.840.113635.100.1.27"); -#if TARGET_OS_IPHONE SEC_CONST_DECL (kSecPolicyAppleOTAPKISigner, "1.2.840.113635.100.1.28"); SEC_CONST_DECL (kSecPolicyAppleTestOTAPKISigner, "1.2.840.113635.100.1.29"); /* FIXME: this policy name should be deprecated and replaced with "kSecPolicyAppleIDValidationRecordSigning" */ -SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113625.100.1.30"); -SEC_CONST_DECL (kSecPolicyAppleSMPEncryption, "1.2.840.113625.100.1.31"); -SEC_CONST_DECL (kSecPolicyAppleTestSMPEncryption, "1.2.840.113625.100.1.32"); -#endif +SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113635.100.1.30"); +SEC_CONST_DECL (kSecPolicyAppleSMPEncryption, "1.2.840.113635.100.1.31"); +SEC_CONST_DECL (kSecPolicyAppleTestSMPEncryption, "1.2.840.113635.100.1.32"); SEC_CONST_DECL (kSecPolicyAppleServerAuthentication, "1.2.840.113635.100.1.33"); SEC_CONST_DECL (kSecPolicyApplePCSEscrowService, "1.2.840.113635.100.1.34"); -SEC_CONST_DECL (kSecPolicyApplePPQSigning, "1.2.840.113625.100.1.35"); -SEC_CONST_DECL (kSecPolicyAppleTestPPQSigning, "1.2.840.113625.100.1.36"); -SEC_CONST_DECL (kSecPolicyAppleATVAppSigning, "1.2.840.113625.100.1.37"); -SEC_CONST_DECL (kSecPolicyAppleTestATVAppSigning, "1.2.840.113625.100.1.38"); -SEC_CONST_DECL (kSecPolicyApplePayIssuerEncryption, "1.2.840.113625.100.1.39"); -SEC_CONST_DECL (kSecPolicyAppleOSXProvisioningProfileSigning, "1.2.840.113625.100.1.40"); -SEC_CONST_DECL (kSecPolicyAppleAST2DiagnosticsServerAuth, "1.2.840.113625.100.1.42"); +SEC_CONST_DECL (kSecPolicyApplePPQSigning, "1.2.840.113635.100.1.35"); +SEC_CONST_DECL (kSecPolicyAppleTestPPQSigning, "1.2.840.113635.100.1.36"); +SEC_CONST_DECL 
(kSecPolicyApplePayIssuerEncryption, "1.2.840.113635.100.1.39"); +SEC_CONST_DECL (kSecPolicyAppleOSXProvisioningProfileSigning, "1.2.840.113635.100.1.40"); +SEC_CONST_DECL (kSecPolicyAppleAST2DiagnosticsServerAuth, "1.2.840.113635.100.1.42"); +SEC_CONST_DECL (kSecPolicyAppleEscrowProxyServerAuth, "1.2.840.113635.100.1.43"); +SEC_CONST_DECL (kSecPolicyAppleFMiPServerAuth, "1.2.840.113635.100.1.44"); SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid"); SEC_CONST_DECL (kSecPolicyName, "SecPolicyName"); SEC_CONST_DECL (kSecPolicyClient, "SecPolicyClient"); SEC_CONST_DECL (kSecPolicyRevocationFlags, "SecPolicyRevocationFlags"); SEC_CONST_DECL (kSecPolicyTeamIdentifier, "SecPolicyTeamIdentifier"); - -SEC_CONST_DECL (kSecPolicyKU_DigitalSignature, "CE_KU_DigitalSignature"); -SEC_CONST_DECL (kSecPolicyKU_NonRepudiation, "CE_KU_NonRepudiation"); -SEC_CONST_DECL (kSecPolicyKU_KeyEncipherment, "CE_KU_KeyEncipherment"); -SEC_CONST_DECL (kSecPolicyKU_DataEncipherment, "CE_KU_DataEncipherment"); -SEC_CONST_DECL (kSecPolicyKU_KeyAgreement, "CE_KU_KeyAgreement"); -SEC_CONST_DECL (kSecPolicyKU_KeyCertSign, "CE_KU_KeyCertSign"); -SEC_CONST_DECL (kSecPolicyKU_CRLSign, "CE_KU_CRLSign"); -SEC_CONST_DECL (kSecPolicyKU_EncipherOnly, "CE_KU_EncipherOnly"); -SEC_CONST_DECL (kSecPolicyKU_DecipherOnly, "CE_KU_DecipherOnly"); +#else +/* Some of these aren't defined in SecPolicy.c, but used here. */ +SEC_CONST_DECL (kSecPolicyAppleiChat, "1.2.840.113635.100.1.12"); +#endif // Private functions extern "C" { -CFArrayRef SecPolicyCopyEscrowRootCertificates(void); #if SECTRUST_OSX -CFStringRef SecPolicyGetOidString(SecPolicyRef policy); CFDictionaryRef SecPolicyGetOptions(SecPolicyRef policy); void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef value); #endif 
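Review bot: The OID strings for `kSecPolicyAppleIDValidationRecordSigningPolicy` through `kSecPolicyAppleAST2DiagnosticsServerAuth` change from the mistyped `1.2.840.113625` arc to `1.2.840.113635` while the exported symbol names stay the same, so anything that persisted or compares the old string value (serialized policy properties, profiles, tests) silently stops matching; a comment at the head of this group, `// corrected from the mistyped 1.2.840.113625 arc; stored policy data using the old string no longer matches`, records the compatibility break. The `#else` branch defines `kSecPolicyAppleiChat` as "1.2.840.113635.100.1.12" with a comment saying only that SecPolicy.c lacks it; the value's source should be cited so the two builds cannot drift. The nine `kSecPolicyKU_*` constants are deleted from this translation unit; if another OS X TU still references them the link will fail — presumably they moved, but the hunk does not show where.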
@@ -163,6 +155,34 @@ const oidmap_entry_t oidmap[] = { { kSecPolicyAppleOSXProvisioningProfileSigning, &CSSMOID_APPLE_TP_PROVISIONING_PROFILE_SIGNING }, }; +#if SECTRUST_OSX +const oidmap_entry_t oidmap_priv[] = { + { CFSTR("basicX509"), &CSSMOID_APPLE_X509_BASIC }, + { CFSTR("sslServer"), &CSSMOID_APPLE_TP_SSL }, + { CFSTR("sslClient"), &CSSMOID_APPLE_TP_SSL }, + { CFSTR("SMIME"), &CSSMOID_APPLE_TP_SMIME }, + { CFSTR("eapServer"), &CSSMOID_APPLE_TP_EAP }, + { CFSTR("eapClient"), &CSSMOID_APPLE_TP_EAP }, + { CFSTR("AppleSWUpdateSigning"), &CSSMOID_APPLE_TP_SW_UPDATE_SIGNING }, + { CFSTR("ipsecServer"), &CSSMOID_APPLE_TP_IP_SEC }, + { CFSTR("ipsecClient"), &CSSMOID_APPLE_TP_IP_SEC }, + { CFSTR("CodeSigning"), &CSSMOID_APPLE_TP_CODE_SIGNING }, + { CFSTR("PackageSigning"), &CSSMOID_APPLE_TP_PACKAGE_SIGNING }, + { CFSTR("AppleIDAuthority"), &CSSMOID_APPLE_TP_APPLEID_SHARING }, + { CFSTR("MacAppStoreReceipt"), &CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT }, + { CFSTR("AppleTimeStamping"), &CSSMOID_APPLE_TP_TIMESTAMPING }, + { CFSTR("revocation"), &CSSMOID_APPLE_TP_REVOCATION }, + { CFSTR("ApplePassbook"), &CSSMOID_APPLE_TP_PASSBOOK_SIGNING }, + { CFSTR("AppleMobileStore"), &CSSMOID_APPLE_TP_MOBILE_STORE }, + { CFSTR("AppleEscrowService"), &CSSMOID_APPLE_TP_ESCROW_SERVICE }, + { CFSTR("AppleProfileSigner"), &CSSMOID_APPLE_TP_PROFILE_SIGNING }, + { CFSTR("AppleQAProfileSigner"), &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING }, + { CFSTR("AppleTestMobileStore"), &CSSMOID_APPLE_TP_TEST_MOBILE_STORE }, + { CFSTR("ApplePCSEscrowService"), &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE }, + { CFSTR("AppleOSXProvisioningProfileSigning"), &CSSMOID_APPLE_TP_PROVISIONING_PROFILE_SIGNING }, +}; +#endif + // // CF boilerplate // 
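Review bot: `const oidmap_entry_t oidmap_priv[] = {` has external linkage — a file-scope table with a generic name that nothing outside this file should see — so it can collide at link time with any other translation unit that defines the same symbol; write it `static const oidmap_entry_t oidmap_priv[] = {`. Also, the pairs `sslServer`/`sslClient`, `eapServer`/`eapClient` and `ipsecServer`/`ipsecClient` each map to a single CSSM OID, so whatever looks a policy up through this table loses the client/server direction unless it is carried separately in the policy options; a one-line comment above the table, `// client/server variants share a CSSM OID; direction must come from the policy options`, keeps a future caller from relying on the table alone.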
@@ -391,7 +411,6 @@ SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value) OSStatus status = errSecSuccess; CFDataRef data = NULL; CFStringRef name = NULL; - CFNumberRef cnum = NULL; CFStringRef oid = (CFStringRef) SecPolicyGetOidString(policyRef); if (!oid) { syslog(LOG_ERR, "SecPolicySetValue: unknown policy OID"); 
@@ -463,27 +482,27 @@ SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value) CSSM_APPLE_TP_CRL_OPTIONS *opts = (CSSM_APPLE_TP_CRL_OPTIONS *)value->Data; if (opts->Version == CSSM_APPLE_TP_CRL_OPTS_VERSION) { CSSM_APPLE_TP_CRL_OPT_FLAGS crlFlags = opts->CrlFlags; - CFOptionFlags revocationFlags = 0; if ((crlFlags & CSSM_TP_ACTION_FETCH_CRL_FROM_NET) == 0) { /* disable network access */ - revocationFlags |= kSecRevocationNetworkAccessDisabled; + SecPolicySetOptionsValue(policyRef, CFSTR("NoNetworkAccess") /*kSecPolicyCheckNoNetworkAccess*/, kCFBooleanTrue); } if ((crlFlags & CSSM_TP_ACTION_CRL_SUFFICIENT) == 0) { - /* if OCSP method is not sufficient, must use CRL */ - revocationFlags |= (kSecRevocationCRLMethod | kSecRevocationPreferCRL); + /* if CRL method is not sufficient, must use OCSP */ + SecPolicySetOptionsValue(policyRef, CFSTR("Revocation") /*kSecPolicyCheckRevocation*/, + CFSTR("OCSP")/*kSecPolicyCheckRevocationOCSP*/); } else { /* either method is sufficient */ - revocationFlags |= kSecRevocationUseAnyAvailableMethod; + SecPolicySetOptionsValue(policyRef, CFSTR("Revocation") /*kSecPolicyCheckRevocation*/, + CFSTR("AnyRevocationMethod") /*kSecPolicyCheckRevocationAny*/); } + if ((crlFlags & CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT) != 0) { /* require a response */ - revocationFlags |= kSecRevocationRequirePositiveResponse; + SecPolicySetOptionsValue(policyRef, + CFSTR("RevocationResponseRequired") /*kSecPolicyCheckRevocationResponseRequired*/, + kCFBooleanTrue); } - cnum = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &revocationFlags); - if (cnum) { - SecPolicySetOptionsValue(policyRef, kSecPolicyRevocationFlags, cnum); - } - } + } } else { syslog(LOG_ERR, "SecPolicySetValue: unrecognized policy OID"); @@ -491,7 +510,6 @@ SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value) } if (data) { CFRelease(data); } if (name) { CFRelease(name); } - if (cnum) { CFRelease(cnum); } return status; #endif } 
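Review bot: When `CSSM_TP_ACTION_CRL_SUFFICIENT` is clear, the new code sets `Revocation` to `OCSP` and the comment reads "if CRL method is not sufficient, must use OCSP", while the removed lines selected the CRL method (`kSecRevocationCRLMethod | kSecRevocationPreferCRL`) under the same condition — the mapping is inverted relative to what it replaces. If this is deliberate (for example because the unified evaluator does not perform CRL checks), say so next to the branch, e.g. `// CRL is not a supported method in the unified evaluator; a policy that cannot rely on CRL alone is mapped to OCSP`; otherwise a caller that asked for CRL-based checking now gets OCSP only. The option keys are spelled as string literals with the constant name in a trailing comment (`CFSTR("NoNetworkAccess") /*kSecPolicyCheckNoNetworkAccess*/`); a typo there would be silently accepted as an unknown key, so using the exported constants, if a header provides them, is safer. The enclosing function starts above this hunk.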
@@ -810,71 +828,84 @@ SecPolicyCreateRevocation(CFOptionFlags revocationFlags) } #endif -/* OS X only: deprecated SPI entry point */ -/* new in 10.9 ***FIXME*** TO BE REMOVED */ -CFArrayRef SecPolicyCopyEscrowRootCertificates(void) -{ - return SecCertificateCopyEscrowRoots(kSecCertificateProductionEscrowRoot); -} - +#if !SECTRUST_OSX SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname) { return SecPolicyCreateSSL(true, hostname); } +#endif +#if !SECTRUST_OSX SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef __unused context) { return SecPolicyCreateSSL(true, hostname); } +#endif +#if !SECTRUST_OSX SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef __unused context) { return SecPolicyCreateSSL(true, hostname); } +#endif +#if !SECTRUST_OSX SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname) { return SecPolicyCreateSSL(true, hostname); } +#endif +#if !SECTRUST_OSX SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef __unused context) { return SecPolicyCreateSSL(true, hostname); } +#endif +#if !SECTRUST_OSX SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef __unused context) { return SecPolicyCreateSSL(true, hostname); } +#endif +#if !SECTRUST_OSX SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef __unused context) { return SecPolicyCreateSSL(true, hostname); } +#endif +#if !SECTRUST_OSX +/* new in 10.11.4 */ SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef __unused context) { return SecPolicyCreateSSL(true, hostname); } +#endif -SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) +#if !SECTRUST_OSX +/* new in 10.12 */ +SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef __unused context) { return SecPolicyCreateSSL(true, hostname); } +#endif #if !SECTRUST_OSX -/* new in 10.11 */ 
-SecPolicyRef SecPolicyCreateAppleATVAppSigning(void) +/* new in 10.12 */ +SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryRef __unused context) { - return _SecPolicyCreateWithOID(kSecPolicyAppleX509Basic); + return SecPolicyCreateSSL(true, hostname); } #endif #if !SECTRUST_OSX -/* new in 10.11 */ -SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void) +/* new in 10.11.4 */ +SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) { - return _SecPolicyCreateWithOID(kSecPolicyAppleX509Basic); + return SecPolicyCreateSSL(true, hostname); } #endif @@ -969,16 +1000,17 @@ SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray) }; #else /* implement with unified SecPolicyRef instances */ - /* %%% FIXME revisit this since SecPolicyCreateWithOID is OSX-only; */ - /* should use SecPolicyCreateWithProperties instead */ SecPolicyRef policy = NULL; CFMutableArrayRef resultPolicyArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - policy = SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping); + if (!resultPolicyArray) { + return NULL; + } + policy = SecPolicyCreateWithProperties(kSecPolicyAppleTimeStamping, NULL); if (policy) { CFArrayAppendValue(resultPolicyArray, policy); CFReleaseNull(policy); } - policy = SecPolicyCreateWithOID(kSecPolicyAppleRevocation); + policy = SecPolicyCreateWithProperties(kSecPolicyAppleRevocation, NULL); if (policy) { CFArrayAppendValue(resultPolicyArray, policy); CFReleaseNull(policy); diff --git a/OSX/libsecurity_keychain/lib/SecPolicy.h b/OSX/libsecurity_keychain/lib/SecPolicy.h index 5e80bc92..eceb7c89 100644 --- a/OSX/libsecurity_keychain/lib/SecPolicy.h +++ b/OSX/libsecurity_keychain/lib/SecPolicy.h 
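Review bot: The newly added `SecPolicyCreateAppleEscrowProxyService` and `SecPolicyCreateAppleFMiPService` return `SecPolicyCreateSSL(true, hostname)` and mark `context` as `__unused`, so on the `!SECTRUST_OSX` path they yield an ordinary hostname-checked TLS policy with none of the Apple-root pinning that the `kSecPolicyAppleEscrowProxyServerAuth` / `kSecPolicyAppleFMiPServerAuth` names in SecPolicyPriv.h suggest. That is the same shape as the surrounding legacy functions, but a caller reading the name could assume pinning; a comment on these definitions such as `/* legacy (non-unified) path: plain SSL server policy, no Apple pinning; context is ignored */` would make the weaker guarantee explicit. If the pinned implementation lives in the unified SecPolicy code elsewhere in this build, saying so in that comment would be enough.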
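Review bot: The new `if (!resultPolicyArray) { return NULL; }` guards only the allocation; when both `SecPolicyCreateWithProperties` calls return NULL the function still hands back an empty array, which presumably lets a later trust evaluation run with neither the timestamping nor the revocation policy instead of failing. Consider checking `CFArrayGetCount(resultPolicyArray) == 0` before returning, releasing the array and returning NULL in that case, or document that an empty array is the deliberate outcome. The enclosing function continues past this hunk.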
@@ -1,15 +1,15 @@ /* - * Copyright (c) 2002-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -25,7 +25,7 @@ @header SecPolicy The functions provided in SecPolicy.h provide an interface to various X.509 certificate trust policies. -*/ + */ #ifndef _SECURITY_SECPOLICY_H_ #define _SECURITY_SECPOLICY_H_ @@ -34,9 +34,7 @@ #include <CoreFoundation/CFDictionary.h> #include <Security/SecBase.h> -#if defined(__cplusplus) -extern "C" { -#endif +__BEGIN_DECLS CF_ASSUME_NONNULL_BEGIN CF_IMPLICIT_BRIDGING_ENABLED @@ -48,8 +46,8 @@ CF_IMPLICIT_BRIDGING_ENABLED @constant kSecPolicyAppleSSL @constant kSecPolicyAppleSMIME @constant kSecPolicyAppleEAP - @constant kSecPolicyAppleIPsec @constant kSecPolicyAppleiChat + @constant kSecPolicyAppleIPsec @constant kSecPolicyApplePKINITClient @constant kSecPolicyApplePKINITServer @constant kSecPolicyAppleCodeSigning 
@@ -58,8 +56,8 @@ CF_IMPLICIT_BRIDGING_ENABLED @constant kSecPolicyAppleTimeStamping @constant kSecPolicyAppleRevocation @constant kSecPolicyApplePassbookSigning - @constant kSecPolicyApplePayIssuerEncryption -*/ + @constant kSecPolicyApplePayIssuerEncryption + */ extern const CFStringRef kSecPolicyAppleX509Basic __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleSSL @@ -70,8 +68,10 @@ extern const CFStringRef kSecPolicyAppleEAP __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleIPsec __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); +#if TARGET_OS_MAC && !TARGET_OS_IPHONE extern const CFStringRef kSecPolicyAppleiChat __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); +#endif extern const CFStringRef kSecPolicyApplePKINITClient __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyApplePKINITServer @@ -91,11 +91,10 @@ extern const CFStringRef kSecPolicyApplePassbookSigning extern const CFStringRef kSecPolicyApplePayIssuerEncryption __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); - /*! @enum Policy Value Constants @abstract Predefined property key constants used to get or set values in - a dictionary for a policy instance. + a dictionary for a policy instance. @discussion All policies will have the following read-only value: kSecPolicyOid (the policy object identifier) 
@@ -104,14 +103,16 @@ extern const CFStringRef kSecPolicyApplePayIssuerEncryption kSecPolicyName (name which must be matched) kSecPolicyClient (evaluate for client, rather than server) kSecPolicyRevocationFlags (only valid for a revocation policy) + kSecPolicyRevocationFlags (only valid for a revocation policy) + kSecPolicyTeamIdentifier (only valid for a Passbook signing policy) @constant kSecPolicyOid Specifies the policy OID (value is a CFStringRef) @constant kSecPolicyName Specifies a CFStringRef (or CFArrayRef of same) containing a name which must be matched in the certificate to satisfy this policy. For SSL/TLS, EAP, and IPSec policies, this specifies the server name which must match the common name of the certificate. - For S/MIME, this specifies the RFC822 email address. - For Passbook signing, this specifies the pass signer. + For S/MIME, this specifies the RFC822 email address. For Passbook + signing, this specifies the pass signer. @constant kSecPolicyClient Specifies a CFBooleanRef value that indicates this evaluation should be for a client certificate. If not set (or false), the policy evaluates the certificate as a server certificate. 
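Review bot: The added line `kSecPolicyRevocationFlags (only valid for a revocation policy)` in the Policy Value Constants discussion duplicates the unchanged line immediately above it; only the `kSecPolicyTeamIdentifier` entry is new, so the duplicate should be dropped. The same doubled entry appears in the new Policy Value Constants block added to SecPolicyPriv.h later in this diff.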
@@ -124,60 +125,61 @@ extern const CFStringRef kSecPolicyApplePayIssuerEncryption the Organizational Unit field of the certificate subject. */ extern const CFStringRef kSecPolicyOid - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); extern const CFStringRef kSecPolicyName - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); extern const CFStringRef kSecPolicyClient - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); extern const CFStringRef kSecPolicyRevocationFlags - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); extern const CFStringRef kSecPolicyTeamIdentifier - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); /*! - @function SecPolicyGetTypeID - @abstract Returns the type identifier of SecPolicy instances. - @result The CFTypeID of SecPolicy instances. -*/ + @function SecPolicyGetTypeID + @abstract Returns the type identifier of SecPolicy instances. + @result The CFTypeID of SecPolicy instances. + */ CFTypeID SecPolicyGetTypeID(void) - __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); + __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0); /*! - @function SecPolicyCopyProperties - @abstract Returns a dictionary of this policy's properties. - @param policyRef A policy reference. - @result A properties dictionary. See "Policy Value Constants" for a list - of currently defined property keys. It is the caller's responsibility to - CFRelease this reference when it is no longer needed. - @result A result code. See "Security Error Codes" (SecBase.h). - @discussion This function returns the properties for a policy, as set by the - policy's construction function or by a prior call to SecPolicySetProperties. 
-*/ + @function SecPolicyCopyProperties + @abstract Returns a dictionary of this policy's properties. + @param policyRef A policy reference. + @result A properties dictionary. See "Policy Value Constants" for a list + of currently defined property keys. It is the caller's responsibility to + CFRelease this reference when it is no longer needed. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function returns the properties for a policy, as set by the + policy's construction function or by a prior call to SecPolicySetProperties. + */ +__nullable CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef) - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); /*! - @function SecPolicyCreateBasicX509 - @abstract Returns a policy object for the default X.509 policy. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ + @function SecPolicyCreateBasicX509 + @abstract Returns a policy object for the default X.509 policy. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. + */ SecPolicyRef SecPolicyCreateBasicX509(void) - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /*! - @function SecPolicyCreateSSL - @abstract Returns a policy object for evaluating SSL certificate chains. - @param server Passing true for this parameter creates a policy for SSL - server certificates. - @param hostname (Optional) If present, the policy will require the specified - hostname to match the hostname in the leaf certificate. - @result A policy object. The caller is responsible for calling CFRelease - on this when it is no longer needed. -*/ + @function SecPolicyCreateSSL + @abstract Returns a policy object for evaluating SSL certificate chains. 
+ @param server Passing true for this parameter creates a policy for SSL + server certificates. + @param hostname (Optional) If present, the policy will require the specified + hostname to match the hostname in the leaf certificate. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. + */ SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef __nullable hostname) - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); /*! @enum Revocation Policy Constants @@ -200,14 +202,14 @@ SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef __nullable hostname) OCSP or CRL may be used, depending on the method(s) specified in the certificate and the value of kSecRevocationPreferCRL. */ -enum { - kSecRevocationOCSPMethod = (1 << 0), - kSecRevocationCRLMethod = (1 << 1), - kSecRevocationPreferCRL = (1 << 2), - kSecRevocationRequirePositiveResponse = (1 << 3), - kSecRevocationNetworkAccessDisabled = (1 << 4), - kSecRevocationUseAnyAvailableMethod = (kSecRevocationOCSPMethod | - kSecRevocationCRLMethod) +CF_ENUM(CFOptionFlags) { + kSecRevocationOCSPMethod = (1 << 0), + kSecRevocationCRLMethod = (1 << 1), + kSecRevocationPreferCRL = (1 << 2), + kSecRevocationRequirePositiveResponse = (1 << 3), + kSecRevocationNetworkAccessDisabled = (1 << 4), + kSecRevocationUseAnyAvailableMethod = (kSecRevocationOCSPMethod | + kSecRevocationCRLMethod) }; /*! @@ -222,9 +224,10 @@ enum { create a revocation policy yourself unless you wish to override default system behavior (e.g. to force a particular method, or to disable revocation checking entirely.) -*/ + */ +__nullable SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags) - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); /*! @function SecPolicyCreateWithProperties 
@@ -236,11 +239,11 @@ SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags) Constants" for a list of currently defined property keys. @result The returned policy reference, or NULL if the policy could not be created. -*/ + */ __nullable SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, - CFDictionaryRef __nullable properties) - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); + CFDictionaryRef __nullable properties) + __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END 
@@ -310,23 +313,23 @@ CF_IMPLICIT_BRIDGING_ENABLED have a key usage that permits it to be used for decryption only. */ extern const CFStringRef kSecPolicyKU_DigitalSignature - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyKU_NonRepudiation - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyKU_KeyEncipherment - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyKU_DataEncipherment - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyKU_KeyAgreement - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyKU_KeyCertSign - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyKU_CRLSign - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyKU_EncipherOnly - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyKU_DecipherOnly - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); /*! @function SecPolicyCreateWithOID 
@@ -339,10 +342,10 @@ extern const CFStringRef kSecPolicyKU_DecipherOnly @discussion This function is deprecated in Mac OS X 10.9 and later; use SecPolicyCreateWithProperties (or a more specific policy creation function) instead. -*/ + */ __nullable SecPolicyRef SecPolicyCreateWithOID(CFTypeRef policyOID) - __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); /*! @function SecPolicyGetOID @@ -352,9 +355,9 @@ SecPolicyRef SecPolicyCreateWithOID(CFTypeRef policyOID) @result A result code. See "Security Error Codes" (SecBase.h). @discussion This function is deprecated in Mac OS X 10.7 and later; use SecPolicyCopyProperties instead. -*/ + */ OSStatus SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID *oid) - __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); /*! @function SecPolicyGetValue @@ -364,9 +367,9 @@ OSStatus SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID *oid) @result A result code. See "Security Error Codes" (SecBase.h). @discussion This function is deprecated in Mac OS X 10.7 and later; use SecPolicyCopyProperties instead. -*/ + */ OSStatus SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA *value) - __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); /*! @function SecPolicySetValue 
@@ -379,9 +382,9 @@ OSStatus SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA *value) instances should be considered read-only; in cases where your code would consider changing properties of a policy, it should instead create a new policy instance with the desired properties. -*/ + */ OSStatus SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value) - __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); /*! @function SecPolicySetProperties @@ -396,10 +399,10 @@ OSStatus SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value) instances should be considered read-only; in cases where your code would consider changing properties of a policy, it should instead create a new policy instance with the desired properties. -*/ + */ OSStatus SecPolicySetProperties(SecPolicyRef policyRef, - CFDictionaryRef properties) - __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); + CFDictionaryRef properties) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); /*! @function SecPolicyGetTPHandle @@ -408,17 +411,15 @@ OSStatus SecPolicySetProperties(SecPolicyRef policyRef, @param tpHandle On return, a pointer to a value of type CSSM_TP_HANDLE. @result A result code. See "Security Error Codes" (SecBase.h). @discussion This function is deprecated in Mac OS X 10.7 and later. -*/ + */ OSStatus SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE *tpHandle) - __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END - + #endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ -#if defined(__cplusplus) -} -#endif +__END_DECLS #endif /* !_SECURITY_SECPOLICY_H_ */ 
diff --git a/OSX/libsecurity_keychain/lib/SecPolicyPriv.h b/OSX/libsecurity_keychain/lib/SecPolicyPriv.h index bb4a6023..7eb06b4c 100644 --- a/OSX/libsecurity_keychain/lib/SecPolicyPriv.h +++ b/OSX/libsecurity_keychain/lib/SecPolicyPriv.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2003-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -22,20 +22,24 @@ */ /*! - @header SecPolicyPriv - Private part of SecPolicy.h -*/ + @header SecPolicyPriv + The functions provided in SecPolicyPriv provide an interface to various + X.509 certificate trust policies. + */ #ifndef _SECURITY_SECPOLICYPRIV_H_ #define _SECURITY_SECPOLICYPRIV_H_ #include <Security/SecPolicy.h> +#include <Security/SecCertificate.h> #include <CoreFoundation/CFArray.h> +#include <CoreFoundation/CFString.h> +#include <Availability.h> +__BEGIN_DECLS -#if defined(__cplusplus) -extern "C" { -#endif +CF_ASSUME_NONNULL_BEGIN +CF_IMPLICIT_BRIDGING_ENABLED /*! @enum Policy Constants (Private) 
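Review bot: `CF_ASSUME_NONNULL_BEGIN` is introduced near the top of SecPolicyPriv.h, which makes every unannotated pointer parameter and return in the rest of the header non-null by default; declarations added later in this diff document NULL as a valid argument (for example the `intermediateMarkerOID` parameter of `SecPolicyCreateAppleSSLPinned`, "If NULL is passed, the default OID ... is checked"), so each such parameter needs an explicit `__nullable` or callers passing NULL may get a nullability warning and the documented default looks unintended. The matching `CF_ASSUME_NONNULL_END` is outside this hunk; worth confirming it is emitted before `__END_DECLS`.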
@@ -55,12 +59,43 @@ extern "C" { @constant kSecPolicyApplePPQSigning @constant kSecPolicyAppleTestPPQSigning @constant kSecPolicyAppleSWUpdateSigning - @constant kSecPolicyAppleATVAppSigning - @constant kSecPolicyAppleTestATVAppSigning + @constant kSecPolicyApplePackageSigning @constant kSecPolicyAppleOSXProvisioningProfileSigning @constant kSecPolicyAppleATVVPNProfileSigning - -*/ + @constant kSecPolicyAppleAST2DiagnosticsServerAuth + @constant kSecPolicyAppleEscrowProxyServerAuth + @constant kSecPolicyAppleFMiPServerAuth + @constant kSecPolicyAppleMMCService + @constant kSecPolicyAppleGSService + @constant kSecPolicyApplePPQService + @constant kSecPolicyAppleHomeKitServerAuth + @constant kSecPolicyAppleiPhoneActivation + @constant kSecPolicyAppleiPhoneDeviceCertificate + @constant kSecPolicyAppleFactoryDeviceCertificate + @constant kSecPolicyAppleiAP + @constant kSecPolicyAppleiTunesStoreURLBag + @constant kSecPolicyAppleiPhoneApplicationSigning + @constant kSecPolicyAppleiPhoneProfileApplicationSigning + @constant kSecPolicyAppleiPhoneProvisioningProfileSigning + @constant kSecPolicyAppleLockdownPairing + @constant kSecPolicyAppleURLBag + @constant kSecPolicyAppleOTATasking + @constant kSecPolicyAppleMobileAsset + @constant kSecPolicyAppleIDAuthority + @constant kSecPolicyAppleGenericApplePinned + @constant kSecPolicyAppleGenericAppleSSLPinned + @constant kSecPolicyAppleSoftwareSigning + @constant kSecPolicyAppleExternalDeveloper + @constant kSecPolicyAppleOCSPSigner + @constant kSecPolicyAppleIDSService + @constant kSecPolicyAppleIDSServiceContext + @constant kSecPolicyApplePushService + @constant kSecPolicyAppleLegacyPushService + @constant kSecPolicyAppleTVOSApplicationSigning + @constant kSecPolicyAppleUniqueDeviceIdentifierCertificate + @constant kSecPolicyAppleEscrowProxyCompatibilityServerAuth + @constant kSecPolicyAppleMMCSCompatibilityServerAuth + */ extern const CFStringRef kSecPolicyAppleMobileStore __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); 
extern const CFStringRef kSecPolicyAppleTestMobileStore 
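Review bot: The constant list added to the Policy Constants (Private) discussion names `kSecPolicyAppleMMCService`, while the creation function in SecPolicy.c is `SecPolicyCreateAppleMMCSService` and the compatibility constant declared later in this diff is `kSecPolicyAppleMMCSCompatibilityServerAuth`. The extern declared later in this diff does spell it `kSecPolicyAppleMMCService`, so the doc matches the declaration, but the MMC/MMCS split across otherwise parallel names is worth settling before the symbol ships, or a short comment noting the intended spelling.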
@@ -73,29 +108,27 @@ extern const CFStringRef kSecPolicyAppleQAProfileSigner __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleServerAuthentication __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); -#if TARGET_OS_IPHONE extern const CFStringRef kSecPolicyAppleOTAPKISigner - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleTestOTAPKISigner - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0); + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_NA, __MAC_NA, __IPHONE_7_0, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleIDValidationRecordSigning + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); extern const CFStringRef kSecPolicyAppleSMPEncryption - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0); + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0); extern const CFStringRef kSecPolicyAppleTestSMPEncryption - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0); -#endif + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0); extern const CFStringRef kSecPolicyApplePCSEscrowService - __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); + __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_7_0); extern const CFStringRef kSecPolicyApplePPQSigning __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); extern const CFStringRef kSecPolicyAppleTestPPQSigning __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); extern const CFStringRef kSecPolicyAppleSWUpdateSigning __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyAppleATVAppSigning - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyAppleTestATVAppSigning +extern const CFStringRef kSecPolicyApplePackageSigning 
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); 
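Review bot: `kSecPolicyApplePCSEscrowService` has its iOS availability moved backwards from `__IPHONE_8_0` to `__IPHONE_7_0`, which is unusual for an annotation that records when a symbol first shipped; if the symbol was genuinely exported in iOS 7 the old value was wrong and a note in the commit would help, otherwise a client with a 7.x deployment target would be allowed to link against a symbol that is absent at runtime. Separately, the formerly iOS-only constants (`kSecPolicyAppleOTAPKISigner` through `kSecPolicyAppleTestSMPEncryption`) are now declared available from `__MAC_10_12` with the `#if TARGET_OS_IPHONE` guard removed; that is correct only if the macOS framework actually exports them, which this header cannot show.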
@@ -103,157 +136,1077 @@ extern const CFStringRef kSecPolicyAppleATVVPNProfileSigning
 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
 extern const CFStringRef kSecPolicyAppleAST2DiagnosticsServerAuth
 __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
+extern const CFStringRef kSecPolicyAppleEscrowProxyServerAuth
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleFMiPServerAuth
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleMMCService
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleGSService
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyApplePPQService
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleHomeKitServerAuth
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleiPhoneActivation
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleiPhoneDeviceCertificate
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleFactoryDeviceCertificate
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleiAP
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleiTunesStoreURLBag
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleiPhoneApplicationSigning
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleiPhoneProfileApplicationSigning
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleiPhoneProvisioningProfileSigning
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleLockdownPairing
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleURLBag
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleOTATasking
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleMobileAsset
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleIDAuthority
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleGenericApplePinned
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleGenericAppleSSLPinned
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleSoftwareSigning
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleExternalDeveloper
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleOCSPSigner
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleIDSService
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleIDSServiceContext
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyApplePushService
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleLegacyPushService
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleTVOSApplicationSigning
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleUniqueDeviceIdentifierCertificate
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+
+/*!
+ @enum Policy Value Constants + @abstract Predefined property key constants used to get or set values in + a dictionary for a policy instance. + @discussion + All policies will have the following read-only value: + kSecPolicyOid (the policy object identifier) + + Additional policy values which your code can optionally set: + kSecPolicyName (name which must be matched) + kSecPolicyClient (evaluate for client, rather than server) + kSecPolicyRevocationFlags (only valid for a revocation policy) + kSecPolicyRevocationFlags (only valid for a revocation policy) + kSecPolicyTeamIdentifier (only valid for a Passbook signing policy) + kSecPolicyContext (valid for policies below that take a context parameter) + kSecPolicyPolicyName (only valid for GenericApplePinned or + GenericAppleSSLPinned policies) + kSecPolicyIntermediateMarkerOid (only valid for GenericApplePinned or + GenericAppleSSLPinned policies) + kSecPolicyLeafMarkerOid (only valid for GenericApplePinned or + GenericAppleSSLPinned policies) + kSecPolicyRootDigest (only valid for the UniqueDeviceCertificate policy) + + @constant kSecPolicyContext Specifies a CFDictionaryRef with keys and values + specified by the particular SecPolicyCreate function. + @constant kSecPolicyPolicyName Specifies a CFStringRef of the name of the + desired policy result. + @constant kSecPolicyIntermediateMarkerOid Specifies a CFStringRef of the + marker OID (in decimal format) required in the intermediate certificate. + @constant kSecPolicyLeafMarkerOid Specifies a CFStringRef of the + marker OID (in decimal format) required in the leaf certificate. + @constant kSecPolicyRootDigest Specifies a CFDataRef of digest required to + match the SHA-256 of the root certificate. 
+ */
+extern const CFStringRef kSecPolicyContext
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyPolicyName
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyIntermediateMarkerOid
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyLeafMarkerOid
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
+extern const CFStringRef kSecPolicyRootDigest
+ __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
 /*!
- @function SecPolicyCopy
- @abstract Returns a copy of a policy reference based on certificate type and OID.
- @param certificateType A certificate type.
- @param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs.
- @param policy The returned policy reference. This is a required parameter.
- @result A result code. See "Security Error Codes" (SecBase.h).
- @discussion This function is deprecated in Mac OS X 10.7 and later;
- to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h.
-*/
-OSStatus SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef* policy)
- __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
+ @function SecPolicyCreateApplePinned
+ @abstract Returns a policy object for verifying Apple certificates.
+ @param policyName A string that identifies the policy name.
+ @param intermediateMarkerOID A string containing the decimal representation of the
+ extension OID in the intermediate certificate.
+ @param leafMarkerOID A string containing the decimal representation of the extension OID
+ in the leaf certificate.
+ @discussion The resulting policy uses the Basic X.509 policy with validity check and
+ pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if the value true is set for the key
+ "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the
+ com.apple.security preferences for the user of the calling application.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has a marker extension with OID matching the intermediateMarkerOID
+ parameter.
+ * The leaf has a marker extension with OID matching the leafMarkerOID parameter.
+ * Revocation is checked via OCSP or CRL.
+ * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName,
+ CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID)
+ __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
 /*!
- @function SecPolicyCopyAll
- @abstract Returns an array of all known policies based on certificate type.
- @param certificateType A certificate type. This is a optional parameter. Pass CSSM_CERT_UNKNOWN if the certificate type is unknown.
- @param policies The returned array of policies. This is a required parameter.
- @result A result code. See "Security Error Codes" (SecBase.h).
- @discussion This function is deprecated in Mac OS X 10.7 and later;
- to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally
- no reason to iterate over multiple disjointed policies, except to provide a way to edit trust settings for each
- policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID
- for each desired policy from the list of supported OID constants in SecPolicy.h.)
-*/
-OSStatus SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef* policies)
- __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
+ @function SecPolicyCreateAppleSSLPinned
+ @abstract Returns a policy object for verifying Apple SSL certificates.
+ @param policyName A string that identifies the service/policy name.
+ @param hostname hostname to verify the certificate name against.
+ @param intermediateMarkerOID A string containing the decimal representation of the
+ extension OID in the intermediate certificate. If NULL is passed, the default OID of
+ 1.2.840.113635.100.6.2.12 is checked.
+ @param leafMarkerOID A string containing the decimal representation of the extension OID
+ in the leaf certificate.
+ @discussion The resulting policy uses the Basic X.509 policy with validity check and
+ pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if the value true is set for the key
+ "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the
+ com.apple.security preferences for the user of the calling application.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has a marker extension with OID matching the intermediateMarkerOID
+ parameter, or 1.2.840.113635.100.6.2.12 if NULL is passed.
+ * The leaf has a marker extension with OID matching the leafMarkerOID parameter.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via OCSP or CRL.
+ * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
+ For developers who need to disable pinning this function is equivalent to SecPolicyCreateSSL
+ on internal releases if the value true is set for the key "AppleServerAuthenticationNoPinning%@"
+ (where %@ is the policyName parameter) in the com.apple.Security preferences for the user
+ of the calling application.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname,
+ CFStringRef __nullable intermediateMarkerOID, CFStringRef leafMarkerOID)
+ __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
-/* Given a unified SecPolicyRef, return a copy with a legacy
- C++ ItemImpl-based Policy instance. Only for internal use;
- legacy references cannot be used by SecPolicy API functions. */
-SecPolicyRef SecPolicyCreateItemImplInstance(SecPolicyRef policy);
+/*!
+ @function SecPolicyCreateiPhoneActivation
+ @abstract Returns a policy object for verifying iPhone Activation
+ certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in chain.
+ * The intermediate has Common Name "Apple iPhone Certification Authority".
+ * The leaf has Common Name "iPhone Activation".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateiPhoneActivation(void);
-/* Given a CSSM_OID pointer, return a string which can be passed
- to SecPolicyCreateWithProperties. The return value can be NULL
- if no supported policy was found for the OID argument. */
-CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid);
+/*!
+ @function SecPolicyCreateiPhoneDeviceCertificate
+ @abstract Returns a policy object for verifying iPhone Device certificate
+ chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * There are exactly 4 certs in chain.
+ * The chain is anchored to "Apple Root CA" certificate.
+ * The first intermediate has Common Name "Apple iPhone Device CA".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void);
+
+/*!
+ @function SecPolicyCreateFactoryDeviceCertificate
+ @abstract Returns a policy object for verifying Factory Device certificate
+ chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to the Factory Device CA.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void);
+
+/*!
+ @function SecPolicyCreateiAP
+ @abstract Returns a policy object for verifying iAP certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The leaf has notBefore date after 5/31/2006 midnight GMT.
+ * The leaf has Common Name beginning with "IPA_".
+ The intended use of this policy is that the caller pass in the
+ intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates().
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateiAP(void);
+
+/*!
+ @function SecPolicyCreateiTunesStoreURLBag
+ @abstract Returns a policy object for verifying iTunes Store URL bag
+ certificates.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to the iTMS CA.
+ * There are exactly 2 certs in the chain.
+ * The leaf has Organization "Apple Inc.".
+ * The leaf has Common Name "iTunes Store URL Bag".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void);
+
+/*!
+ @function SecPolicyCreateEAP
+ @abstract Returns a policy object for verifying for 802.1x/EAP certificates.
+ @param server Passing true for this parameter create a policy for EAP
+ server certificates.
+ @param trustedServerNames Optional; if present, the hostname in the leaf
+ certificate must be in the trustedServerNames list. Note that contrary
+ to all other policies the trustedServerNames list entries can have wildcards
+ whilst the certificate cannot. This matches the existing deployments.
+ @discussion This policy uses the Basic X.509 policy with validity check but
+ disallowing network fetching. If trustedServerNames param is non-null, the
+ ExtendedKeyUsage extension, if present, of the leaf certificate is verified
+ to contain either the ServerAuth OID, if the server param is true or
+ ClientAuth OID, otherwise.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedServerNames);
+
+/*!
+ @function SecPolicyCreateIPSec
+ @abstract Returns a policy object for evaluating IPSec certificate chains.
+ @param server Passing true for this parameter create a policy for IPSec
+ server certificates.
+ @param hostname Optional; if present, the policy will require the specified
+ hostname or ip address to match the hostname in the leaf certificate.
+ @discussion This policy uses the Basic X.509 policy with validity check.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable hostname);
+
+/*!
+ @function SecPolicyCreateAppleSWUpdateSigning
+ @abstract Returns a policy object for evaluating SW update signing certs.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void);
+
+/*!
+ @function SecPolicyCreateApplePackageSigning
+ @abstract Returns a policy object for evaluating installer package signing certs.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateApplePackageSigning(void);
+
+/*!
+ @function SecPolicyCreateiPhoneApplicationSigning
+ @abstract Returns a policy object for evaluating signed application
+ signatures. This is for apps signed directly by the app store.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple iPhone Certification Authority".
+ * The leaf has Common Name "Apple iPhone OS Application Signing".
+ * If the device is not a production device and is running an internal
+ release, the leaf may have the Common Name "TEST Apple iPhone OS
+ Application Signing TEST".
+ * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID
+ or the CodeSigning OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void);
+
+/*!
+ @function SecPolicyCreateiPhoneProfileApplicationSigning
+ @abstract Returns a policy object for evaluating signed application
+ signatures. This policy is for certificates inside a UPP or regular
+ profile.
+ @discussion This policy only verifies that the leaf is temporally valid
+ and not revoked.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void);
+
+/*!
+ @function SecPolicyCreateiPhoneProvisioningProfileSigning
+ @abstract Returns a policy object for evaluating provisioning profile signatures.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple iPhone Certification Authority".
+ * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing".
+ * If the device is not a production device and is running an internal
+ release, the leaf may have the Common Name "TEST Apple iPhone OS
+ Provisioning Profile Signing TEST".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void);
+
+/*!
+ @function SecPolicyCreateAppleTVOSApplicationSigning
+ @abstract Returns a policy object for evaluating signed application
+ signatures. This is for apps signed directly by the Apple TV app store,
+ and allows for both the prod and the dev/test certs.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs.
+ Test roots are never permitted.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
+ * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or
+ the CodeSigning OID.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID
+ 1.2.840.113635.100.6.1.24.1.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void);
+
+/*!
+ @function SecPolicyCreateOCSPSigner
+ @abstract Returns a policy object for evaluating ocsp response signers.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ requires the leaf to have an ExtendedKeyUsage of OCSPSigning.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateOCSPSigner(void);
+
+
+enum {
+ kSecSignSMIMEUsage = (1 << 0),
+ kSecKeyEncryptSMIMEUsage = (1 << 1),
+ kSecDataEncryptSMIMEUsage = (1 << 2),
+ kSecKeyExchangeDecryptSMIMEUsage = (1 << 3),
+ kSecKeyExchangeEncryptSMIMEUsage = (1 << 4),
+ kSecKeyExchangeBothSMIMEUsage = (1 << 5),
+ kSecAnyEncryptSMIME = kSecKeyEncryptSMIMEUsage | kSecDataEncryptSMIMEUsage |
+ kSecKeyExchangeDecryptSMIMEUsage | kSecKeyExchangeEncryptSMIMEUsage
+};
+
+/*!
+ @function SecPolicyCreateSMIME
+ @abstract Returns a policy object for evaluating S/MIME certificate chains.
+ @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage
+ flags, to indicate the intended usage of this certificate.
+ @param email Optional; if present, the policy will require the specified
+ email to match the email in the leaf certificate.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ requires the leaf to have
+ * a KeyUsage matching the smimeUsage,
+ * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the
+ EmailProtection OID, and
+ * if the email param is specified, the email address in the RFC822Name in the
+ SubjectAlternativeName extension or in the Email Address field of the
+ Subject Name.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable email);
+
+/*!
+ @function SecPolicyCreateCodeSigning
+ @abstract Returns a policy object for evaluating code signing certificate chains.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ requires the leaf to have
+ * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and
+ * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateCodeSigning(void);
+
+/*!
+ @function SecPolicyCreateLockdownPairing
+ @abstract basic x509 policy for checking lockdown pairing certificate chains.
+ @disucssion This policy checks some of the Basic X.509 policy options with no
+ validity check. It explicitly allows for empty subjects.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateLockdownPairing(void);
+
+/*!
+ @function SecPolicyCreateURLBag
+ @abstract Returns a policy object for evaluating certificate chains for signing URL bags.
+ @discussion This policy uses the Basic X.509 policy with no validity check and requires
+ that the leaf has ExtendedKeyUsage extension with the CodeSigning OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateURLBag(void);
+
+/*!
+ @function SecPolicyCreateOTATasking
+ @abstract Returns a policy object for evaluating certificate chains for signing OTA Tasking.
+ @discussion This policy uses the Basic X.509 policy with validity check and
+ pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ * The leaf has Common Name "OTA Task Signing".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateOTATasking(void);
+
+/*!
+ @function SecPolicyCreateMobileAsset
+ @abstract Returns a policy object for evaluating certificate chains for signing Mobile Assets.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ * The leaf has Common Name "Asset Manifest Signing".
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateMobileAsset(void);
+
+/*!
+ @function SecPolicyCreateAppleIDAuthorityPolicy
+ @abstract Returns a policy object for evaluating certificate chains for Apple ID Authority.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
+ or OID 1.2.840.113635.100.6.2.7.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.4.7.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void);
+
+/*!
+ @function SecPolicyCreateMacAppStoreReceipt
+ @abstract Returns a policy object for evaluating certificate chains for signing
+ Mac App Store Receipts.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void);
+
+/*!
+ @function SecPolicyCreatePassbookCardSigner
+ @abstract Returns a policy object for evaluating certificate chains for signing Passbook cards.
+ @param cardIssuer Required; must match name in marker extension.
+ @param teamIdentifier Optional; if present, the policy will require the specified
+ team ID to match the organizationalUnit field in the leaf certificate's subject.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the
+ cardIssuer.
+ * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14.
+ * The leaf has a Organizational Unit matching the TeamID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer,
+ CFStringRef __nullable teamIdentifier);
+
+/*!
+ @function SecPolicyCreateMobileStoreSigner
+ @abstract Returns a policy object for evaluating Mobile Store certificate chains.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
+ * The leaf has KeyUsage with the DigitalSignature bit set.
+ * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateMobileStoreSigner(void);
+
+/*!
+ @function SecPolicyCreateTestMobileStoreSigner
+ @abstract Returns a policy object for evaluating Test Mobile Store certificate chains.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple System Integration 2 Certification Authority".
+ * The leaf has KeyUsage with the DigitalSignature bit set.
+ * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.1.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void);
+
+/*!
+ @function SecPolicyCreateEscrowServiceSigner
+ @abstract Returns a policy object for evaluating Escrow Service certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to the current Escrow Roots in the OTAPKI asset.
+ * There are exactly 2 certs in the chain.
+ * The leaf has KeyUsage with the KeyEncipherment bit set.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateEscrowServiceSigner(void);
+
+/*!
+ @function SecPolicyCreatePCSEscrowServiceSigner
+ @abstract Returns a policy object for evaluating PCS Escrow Service certificate chains.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to the current PCS Escrow Roots in the OTAPKI asset.
+ * There are exactly 2 certs in the chain.
+ * The leaf has KeyUsage with the KeyEncipherment bit set.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void);
+
+/*!
+ @function SecPolicyCreateOSXProvisioningProfileSigning
+ @abstract Returns a policy object for evaluating certificate chains for signing OS X
+ Provisioning Profiles.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1.
+ * The leaf has KeyUsage with the DigitalSignature bit set.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.4.11.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void);
+
+/*!
+ @function SecPolicyCreateConfigurationProfileSigner
+ @abstract Returns a policy object for evaluating certificate chains for signing
+ Configuration Profiles.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void);
+
+/*!
+ @function SecPolicyCreateQAConfigurationProfileSigner
+ @abstract Returns a policy object for evaluating certificate chains for signing
+ QA Configuration Profiles.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void);
+
+/*!
+ @function SecPolicyCreateOTAPKISigner
+ @abstract Returns a policy object for evaluating OTA PKI certificate chains.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to Apple PKI Settings CA.
+ * There are exactly 2 certs in the chain.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateOTAPKISigner(void);
+
+/*!
+ @function SecPolicyCreateTestOTAPKISigner
+ @abstract Returns a policy object for evaluating OTA PKI certificate chains.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to Apple Test PKI Settings CA.
+ * There are exactly 2 certs in the chain.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateTestOTAPKISigner(void);
+
+/*!
+ @function SecPolicyCreateAppleIDValidationRecordSigningPolicy
+ @abstract Returns a policy object for evaluating certificate chains for signing
+ Apple ID Validation Records.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3
+ or OID 1.2.840.113635.100.6.2.10.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.25.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void);
+
+/*!
+ @function SecPolicyCreateAppleSMPEncryption
+ @abstract Returns a policy object for evaluating SMP certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA - ECC" certificate.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13.
+ * The leaf has KeyUsage with the KeyEncipherment bit set.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.30.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleSMPEncryption(void);
+
+/*!
+ @function SecPolicyCreateTestAppleSMPEncryption
+ @abstract Returns a policy object for evaluating Test SMP certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to a Test Apple Root with ECC public key certificate.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Test Apple System Integration CA - ECC".
+ * The leaf has KeyUsage with the KeyEncipherment bit set.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void);
+
+/*!
+ @function SecPolicyCreateApplePPQSigning
+ @abstract Returns a policy object for verifying production PPQ Signing certificates.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple System Integration 2 Certification
+ Authority".
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
+ * The leaf has KeyUsage with the DigitalSignature bit set.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.2.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateApplePPQSigning(void);
+
+/*!
+ @function SecPolicyCreateTestApplePPQSigning
+ @abstract Returns a policy object for verifying test PPQ Signing certificates.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple System Integration 2 Certification
+ Authority".
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
+ * The leaf has KeyUsage with the DigitalSignature bit set.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.1.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateTestApplePPQSigning(void);
 /*!
  @function SecPolicyCreateAppleIDSService
  @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
+ @discussion This policy uses the SSL server policy.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname);
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname);
 /*!
- @function SecPolicyCreateAppleIDSService
+ @function SecPolicyCreateAppleIDSServiceContext
  @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @param context Optional; if present, "AppleServerAuthenticationAllowUATIDS" with value
+ Boolean true will allow Test Apple roots on internal releases.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
+ are permitted only on internal releases either using the context dictionary or with
+ defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.4.2 or,
+ if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef context);
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef __nullable context);
 /*!
  @function SecPolicyCreateApplePushService
- @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
+ @abstract Ensure we're appropriately pinned to the Apple Push service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @param context Optional; if present, "AppleServerAuthenticationAllowUATAPN" with value
+ Boolean true will allow Test Apple roots on internal releases.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
+ are permitted only on internal releases either using the context dictionary or with
+ defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.5.2 or,
+ if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef context);
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef __nullable context);
 /*!
  @function SecPolicyCreateApplePushServiceLegacy
- @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions)
+ @abstract Ensure we're appropriately pinned to the Push service (via Entrust)
+ @param hostname Required; hostname to verify the certificate name against.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to an Entrust Intermediate.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
+__nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname);
 /*!
  @function SecPolicyCreateAppleMMCSService
- @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions)
+ @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @param context Optional; if present, "AppleServerAuthenticationAllowUATMMCS" with value
+ Boolean true will allow Test Apple rotos and test OIDs on internal releases.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or, if
+ enabled, OID 1.2.840.113635.100.6.27.11.1.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via any available method.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef context);
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef __nullable context);
+
+/*!
+ @function SecPolicyCreateAppleCompatibilityMMCSService
+ @abstract Ensure we're appropriately pinned to the MMCS service using compatibility certs
+ @param hostname Required; hostname to verify the certificate name against.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to the GeoTrust Global CA
+ * The intermediate has a subject public key info hash matching the public key of
+ the Apple IST CA G1 intermediate.
+ * The chain length is 3.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or
+ OID 1.2.840.113635.100.6.27.11.1.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname)
+    __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
 /*!
  @function SecPolicyCreateAppleGSService
  @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @param context Optional; if present, "AppleServerAuthenticationAllowUATGS" with value
+ Boolean true will allow Test Apple roots on internal releases.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
+ are permitted only on internal releases either using the context dictionary or with
+ defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.2.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef context)
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef __nullable context)
     __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
 /*!
  @function SecPolicyCreateApplePPQService
  @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @param context Optional; if present, "AppleServerAuthenticationAllowUATPPQ" with value
+ Boolean true will allow Test Apple roots on internal releases.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
+ are permitted only on internal releases either using the context dictionary or with
+ defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.3.2 or,
+ if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef context);
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef __nullable context)
+    __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
 /*!
  @function SecPolicyCreateAppleAST2Service
  @abstract Ensure we're appropriately pinned to the AST2 Diagnostic service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @param context Optional; if present, "AppleServerAuthenticationAllowUATAST2" with value
+ Boolean true will allow Test Apple roots on internal releases.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
+ are permitted either using the context dictionary or with defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.8.2 or,
+ if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef context)
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef __nullable context)
     __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
 /*!
- @function SecPolicyCreateAppleSSLService
- @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
+ @function SecPolicyCreateAppleEscrowProxyService
+ @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @param context Optional; if present, "AppleServerAuthenticationAllowUATEscrow" with value
+ Boolean true will allow Test Apple roots on internal releases.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs via full certificate
+ comparison. Test Apple Root CAs are permitted only on internal releases either
+ using the context dictionary or with defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or,
+ if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via CRL.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname);
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef __nullable context)
+    __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
 /*!
- @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies
- @abstract Create timeStamping policy array from a given set of policies by applying identical revocation behavior
- @param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef
+ @function SecPolicyCreateAppleFMiPService
+ @abstract Ensure we're appropriately pinned to the Find My iPhone service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @param context Optional; if present, "AppleServerAuthenticationAllowUATFMiP" with value
+ Boolean true will allow Test Apple roots on internal releases.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs via full certificate
+ comparison. Test Apple Root CAs are permitted only on internal releases either
+ using the context dictionary or with defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.6.2 or,
+ if Test Roots are allowed, OID 1.2.840.113635.100.6.27.6.1.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via CRL.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray);
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryRef __nullable context)
+    __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);
 /*!
- @function SecPolicyCreateAppleATVAppSigning
- @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
- and apple anchor.
- Leaf cert must have Digital Signature usage.
- Leaf cert must have Apple ATV App Signing marker OID (1.2.840.113635.100.6.1.24).
- Leaf cert must have 'Apple TVOS Application Signing' common name.
+ @function SecPolicyCreateAppleSSLService
+ @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions)
+ @param hostname Optional; hostname to verify the certificate name against.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA" certificate.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateAppleATVAppSigning(void)
-    __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef __nullable hostname);
 /*!
- @function SecPolicyCreateTestAppleATVAppSigning
- @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name,
- and apple anchor.
- Leaf cert must have Digital Signature usage.
- Leaf cert must have Apple ATV App Signing Test marker OID (1.2.840.113635.100.6.1.24.1).
- Leaf cert must have 'TEST Apple TVOS Application Signing TEST' common name.
+ @function SecPolicyCreateAppleTimeStamping
+ @abstract Returns a policy object for evaluating time stamping certificate chains.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and requires the leaf has ExtendedKeyUsage with the TimeStamping OID.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
-SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void)
-    __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleTimeStamping(void);
 /*!
  @function SecPolicyCreateApplePayIssuerEncryption
- @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations CA - G2' by name,
- and apple anchor.
- Leaf cert must have Key Encipherment and Key Agreement usage.
- Leaf cert must have Apple Pay Issuer Encryption marker OID (1.2.840.113635.100.6.39).
+ @abstract Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to "Apple Root CA - ECC" certificate.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2".
+ * The leaf has KeyUsage with the KeyEncipherment bit set.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.39.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
+__nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
     __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
-/*!
- @function SecPolicyCreateOSXProvisioningProfileSigning
- @abstract Check for leaf marker OID 1.2.840.113635.100.4.11,
- intermediate marker OID 1.2.840.113635.100.6.2.1,
- chains to Apple Root CA
-*/
-SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void)
-    __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
-
-
 /*!
  @function SecPolicyCreateAppleATVVPNProfileSigning
- @abstract Check for leaf marker OID 1.2.840.113635.100.6.43,
- intermediate marker OID 1.2.840.113635.100.6.2.10,
- chains to Apple Root CA, path length 3
+ @abstract Returns a policy object for evaluating Apple TV VPN Profile certificate chains.
+ @discussion This policy uses the Basic X.509 policy with no validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs
+ are permitted only on internal releases.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10.
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.43.
+ * Revocation is checked via OCSP.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
  */
+__nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
     __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
@@ -275,11 +1228,170 @@ SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
  @result A policy object. The caller is responsible for calling CFRelease
  on this when it is no longer needed.
  */
+__nullable CF_RETURNS_RETAINED
 SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
     __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
-#if defined(__cplusplus)
-}
-#endif
+/*!
+ @function SecPolicyCreateAppleExternalDeveloper
+ @abstract Returns a policy object for verifying Apple-issued external developer
+ certificates.
+ @discussion The resulting policy uses the Basic X.509 policy with validity check and
+ pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has a marker extension with OID matching 1.2.840.113635.100.6.2.1
+ (WWDR CA) or 1.2.840.113635.100.6.2.6 (Developer ID CA).
+ * The leaf has a marker extension with OID matching one of the following:
+ * 1.2.840.113635.100.6.1.2 ("iPhone Developer" leaf)
+ * 1.2.840.113635.100.6.1.4 ("iPhone Distribution" leaf)
+ * 1.2.840.113635.100.6.1.5 ("Safari Developer" leaf)
+ * 1.2.840.113635.100.6.1.7 ("3rd Party Mac Developer Application" leaf)
+ * 1.2.840.113635.100.6.1.8 ("3rd Party Mac Developer Installer" leaf)
+ * 1.2.840.113635.100.6.1.12 ("Mac Developer" leaf)
+ * 1.2.840.113635.100.6.1.13 ("Developer ID Application" leaf)
+ * 1.2.840.113635.100.6.1.14 ("Developer ID Installer" leaf)
+ * The leaf has an ExtendedKeyUsage OID matching one of the following:
+ * 1.3.6.1.5.5.7.3.3 (CodeSigning EKU)
+ * 1.2.840.113635.100.4.8 ("Safari Developer" EKU)
+ * 1.2.840.113635.100.4.9 ("3rd Party Mac Developer Installer" EKU)
+ * 1.2.840.113635.100.4.13 ("Developer ID Installer" EKU)
+ * Revocation is checked via OCSP or CRL.
+ * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void)
+    __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecPolicyCreateAppleSoftwareSigning
+ @abstract Returns a policy object for verifying the Apple Software Signing certificate.
+ @discussion The resulting policy uses the Basic X.509 policy with validity check and
+ pinning options:
+ * The chain is anchored to any of the production Apple Root CAs. Internal releases allow
+ the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has the Common Name "Apple Code Signing Certification Authority".
+ * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22.
+ * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing).
+ * Revocation is checked via OCSP or CRL.
+ * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleSoftwareSigning(void)
+    __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecPolicyGetName
+ @abstract Returns a policy's name.
+ @param policy A policy reference.
+ @result A policy name.
+ */
+__nullable CFStringRef SecPolicyGetName(SecPolicyRef policy)
+    __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecPolicyGetOidString
+ @abstract Returns a policy's oid in string decimal format.
+ @param policy A policy reference.
+ @result A policy oid.
+ */
+CFStringRef SecPolicyGetOidString(SecPolicyRef policy)
+    __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecPolicyCreateAppleUniqueDeviceCertificate
+ @abstract Returns a policy object for verifying Unique Device Identifier Certificates.
+ @param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning.
+ @discussion The resulting policy uses the Basic X.509 policy with no validity check and
+ pinning options:
+ * The chain is anchored to the SEP Root CA. Internal releases allow the chain to be
+ anchored to the testRootHash input if the value true is set for the key
+ "ApplePinningAllowTestCertsUCRT" in the com.apple.security preferences for the user
+ of the calling application.
+ * There are exactly 3 certs in the chain.
+ * The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and value
+ of "ucrt".
+ * The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1.
+ * RSA key sizes are are disallowed. EC key sizes are P-256 or larger.
+ @result A policy object. The caller is responsible for calling CFRelease on this when
+ it is no longer needed.
+ */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash)
+    __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+CF_IMPLICIT_BRIDGING_DISABLED
+CF_ASSUME_NONNULL_END
+
+/*
+ * Legacy functions (OS X only)
+ */
+#if TARGET_OS_MAC && !TARGET_OS_IPHONE
+
+CF_ASSUME_NONNULL_BEGIN
+CF_IMPLICIT_BRIDGING_ENABLED
+
+/*!
+ @function SecPolicyCopy
+ @abstract Returns a copy of a policy reference based on certificate type and OID.
+ @param certificateType A certificate type.
+ @param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs.
+ @param policy The returned policy reference. This is a required parameter.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This function is deprecated in Mac OS X 10.7 and later;
+ to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h.
+ */
+OSStatus SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef * __nonnull CF_RETURNS_RETAINED policy)
+    __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
+
+/*!
+ @function SecPolicyCopyAll
+ @abstract Returns an array of all known policies based on certificate type.
+ @param certificateType A certificate type. This is a optional parameter. Pass CSSM_CERT_UNKNOWN if the certificate type is unknown.
+ @param policies The returned array of policies. This is a required parameter.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This function is deprecated in Mac OS X 10.7 and later;
+ to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally
+ no reason to iterate over multiple disjointed policies, except to provide a way to edit trust settings for each
+ policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID
+ for each desired policy from the list of supported OID constants in SecPolicy.h.)
+ */
+OSStatus SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef * __nonnull CF_RETURNS_RETAINED policies)
+    __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA);
+
+/* Given a unified SecPolicyRef, return a copy with a legacy
+ C++ ItemImpl-based Policy instance. Only for internal use;
+ legacy references cannot be used by SecPolicy API functions. */
+__nullable CF_RETURNS_RETAINED
+SecPolicyRef SecPolicyCreateItemImplInstance(SecPolicyRef policy);
+
+/* Given a CSSM_OID pointer, return a string which can be passed
+ to SecPolicyCreateWithProperties. The return value can be NULL
+ if no supported policy was found for the OID argument. */
+__nullable
+CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid);
+
+/*!
+ @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies
+ @abstract Create timeStamping policy array from a given set of policies by applying identical revocation behavior
+ @param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef
+ @discussion This function is soon to be deprecated. Callers should create an array of the non-deprecated timestamping
+ and revocation policies.
+ */
+__nullable CF_RETURNS_RETAINED
+CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray);
+
+CF_IMPLICIT_BRIDGING_DISABLED
+CF_ASSUME_NONNULL_END
+
+#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */
+
+__END_DECLS
 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */
diff --git a/OSX/libsecurity_keychain/lib/SecRandom.h b/OSX/libsecurity_keychain/lib/SecRandom.h
index 8890a259..d15cbbec 100644
--- a/OSX/libsecurity_keychain/lib/SecRandom.h
+++ b/OSX/libsecurity_keychain/lib/SecRandom.h
@@ -55,10 +55,12 @@ extern const SecRandomRef kSecRandomDefault
 /*!
  @function SecRandomCopyBytes
  @abstract Return count random bytes in *bytes, allocated by the caller.
+ It is critical to check the return value for error
  @result Return 0 on success or -1 if something went wrong, check errno to find out the real error.
  */
 int SecRandomCopyBytes(SecRandomRef __nullable rnd, size_t count, uint8_t *bytes)
+    __attribute__ ((warn_unused_result))
     __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
 CF_IMPLICIT_BRIDGING_DISABLED
diff --git a/OSX/libsecurity_keychain/lib/SecTrust.cpp b/OSX/libsecurity_keychain/lib/SecTrust.cpp
index ae0d4c93..8feae2cc 100644
--- a/OSX/libsecurity_keychain/lib/SecTrust.cpp
+++ b/OSX/libsecurity_keychain/lib/SecTrust.cpp
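Review bot: `SecPolicyGetOidString` is declared inside the `CF_ASSUME_NONNULL_BEGIN` region without a `__nullable` qualifier, so its `CFStringRef` return is implicitly non-null, while the sibling `SecPolicyGetName` right above it is marked `__nullable`; unless every policy is guaranteed to carry an OID string, the declaration should be `__nullable CFStringRef SecPolicyGetOidString(SecPolicyRef policy)` so bridged callers do not treat NULL as impossible. Whether a NULL OID is reachable cannot be confirmed from this hunk, so check the implementation before choosing. The `SecPolicyCreateAppleUniqueDeviceCertificate` discussion also has a typo, `RSA key sizes are are disallowed`, and it would help to state explicitly that `testRootHash` is ignored unless the `ApplePinningAllowTestCertsUCRT` preference is set on an internal release, so a production caller passing a hash still gets the SEP Root CA pin.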
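Review bot: The added line `It is critical to check the return value for error` says the result must be checked but not what a caller may assume about `bytes` when -1 is returned, which is the contract `warn_unused_result` is there to enforce; suggest replacing it with `On failure the contents of *bytes are undefined and must not be used as random data; check errno for the cause.` The abstract could also say that `rnd` may be NULL (it is annotated `__nullable`), presumably selecting `kSecRandomDefault` given the header context, but that should be confirmed against the implementation.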
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002-2015 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
  *
@@ -24,12 +24,12 @@
 #include "SecTrust.h"
 #include "SecTrustPriv.h"
 #include "Trust.h"
-#include <security_keychain/SecTrustSettingsPriv.h>
 #include "SecBase.h"
 #include "SecBridge.h"
 #include "SecInternal.h"
 #include "SecInternalP.h"
 #include "SecTrustSettings.h"
+#include "SecTrustSettingsPriv.h"
 #include "SecCertificatePriv.h"
 #include "SecCertificateP.h"
 #include "SecCertificatePrivP.h"
@@ -44,6 +44,11 @@ CFArrayRef SecTrustCopyDetails(SecTrustRef trust);
 static CFDictionaryRef SecTrustGetExceptionForCertificateAtIndex(SecTrustRef trust, CFIndex ix);
 static void SecTrustCheckException(const void *key, const void *value, void *context);
+#else
+CFArrayRef SecTrustCopyInputCertificates(SecTrustRef trust);
+CFArrayRef SecTrustCopyInputAnchors(SecTrustRef trust);
+CFArrayRef SecTrustCopyConstructedChain(SecTrustRef trust);
+static CSSM_TP_APPLE_EVIDENCE_INFO * SecTrustGetEvidenceInfo(SecTrustRef trust);
 #endif
 typedef struct SecTrustCheckExceptionContext {
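Review bot: The `#else` branch declares three non-static prototypes, `CFArrayRef SecTrustCopyInputCertificates(SecTrustRef)`, `SecTrustCopyInputAnchors` and `SecTrustCopyConstructedChain`, in the .cpp itself rather than in `SecTrustPriv.h`, which this file already includes, so an external caller and the definition can drift apart without any compiler diagnostic; either move them to the private header or mark them `static` if they are only used in this file. `SecTrustGetEvidenceInfo` on the next line is correctly `static`, which makes the mismatch look unintentional. The definitions are outside this hunk, so which of the two is intended cannot be seen here.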
@@ -61,6 +66,68 @@ const CFStringRef kSecTrustRevocationReason = CFSTR("TrustRevocationReas
 const CFStringRef kSecTrustRevocationValidUntilDate = CFSTR("TrustExpirationDate");
 const CFStringRef kSecTrustResultDetails = CFSTR("TrustResultDetails");
+// Policy check string to CSSM_RETURN mapping
+
+struct resultmap_entry_s {
+    const CFStringRef checkstr;
+    const CSSM_RETURN resultcode;
+};
+typedef struct resultmap_entry_s resultmap_entry_t;
+
+#if SECTRUST_OSX
+const resultmap_entry_t cssmresultmap[] = {
+    { CFSTR("SSLHostname"), CSSMERR_APPLETP_HOSTNAME_MISMATCH },
+    { CFSTR("email"), CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND },
+    { CFSTR("IssuerCommonName"), CSSMERR_APPLETP_IDENTIFIER_MISSING },
+    { CFSTR("SubjectCommonName"), CSSMERR_APPLETP_IDENTIFIER_MISSING },
+    { CFSTR("SubjectCommonNamePrefix"), CSSMERR_APPLETP_IDENTIFIER_MISSING },
+    { CFSTR("SubjectCommonNameTEST"), CSSMERR_APPLETP_IDENTIFIER_MISSING },
+    { CFSTR("SubjectOrganization"), CSSMERR_APPLETP_IDENTIFIER_MISSING },
+    { CFSTR("SubjectOrganizationalUnit"), CSSMERR_APPLETP_IDENTIFIER_MISSING },
+    { CFSTR("EAPTrustedServerNames"), CSSMERR_APPLETP_HOSTNAME_MISMATCH },
+    { CFSTR("CertificatePolicy"), CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION },
+    { CFSTR("KeyUsage"), CSSMERR_APPLETP_INVALID_KEY_USAGE },
+    { CFSTR("ExtendedKeyUsage"), CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE },
+    { CFSTR("BasicConstraints"), CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS },
+    { CFSTR("QualifiedCertStatements"), CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT },
+    { CFSTR("IntermediateSPKISHA256"), CSSMERR_APPLETP_IDENTIFIER_MISSING },
+    { CFSTR("IntermediateEKU"), CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE },
+    { CFSTR("AnchorSHA1"), CSSMERR_TP_NOT_TRUSTED },
+    { CFSTR("AnchorSHA256"), CSSMERR_TP_NOT_TRUSTED },
+    { CFSTR("AnchorTrusted"), CSSMERR_TP_NOT_TRUSTED },
+    { CFSTR("AnchorApple"), CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH },
+    { CFSTR("NonEmptySubject"), CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT },
+    { CFSTR("IdLinkage"), CSSMERR_APPLETP_INVALID_AUTHORITY_ID },
+    { CFSTR("WeakIntermediates"), CSSMERR_TP_INVALID_CERTIFICATE },
+    { CFSTR("WeakLeaf"), CSSMERR_TP_INVALID_CERTIFICATE },
+    { CFSTR("WeakRoot"), CSSMERR_TP_INVALID_CERTIFICATE },
+    { CFSTR("KeySize"), CSSMERR_CSP_UNSUPPORTED_KEY_SIZE },
+    { CFSTR("SignatureHashAlgorithms"), CSSMERR_CSP_ALGID_MISMATCH },
+    { CFSTR("CriticalExtensions"), CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN },
+    { CFSTR("ChainLength"), CSSMERR_APPLETP_PATH_LEN_CONSTRAINT },
+    { CFSTR("BasicCertificateProcessing"), CSSMERR_TP_INVALID_CERTIFICATE },
+    { CFSTR("ExtendedValidation"), CSSMERR_TP_NOT_TRUSTED },
+    { CFSTR("Revocation"), CSSMERR_TP_CERT_REVOKED },
+    { CFSTR("RevocationResponseRequired"), CSSMERR_TP_VERIFY_ACTION_FAILED },
+    { CFSTR("CertificateTransparency"), CSSMERR_TP_NOT_TRUSTED },
+    { CFSTR("BlackListedLeaf"), CSSMERR_TP_CERT_REVOKED },
+    { CFSTR("GrayListedLeaf"), CSSMERR_TP_NOT_TRUSTED },
+    { CFSTR("GrayListedKey"), CSSMERR_TP_NOT_TRUSTED },
+    { CFSTR("BlackListedKey"), CSSMERR_TP_CERT_REVOKED },
+    { CFSTR("CheckLeafMarkerOid"), CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION },
+    { CFSTR("CheckLeafMarkerOidNoValueCheck"), CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION },
+    { CFSTR("CheckIntermediateMarkerOid"), CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION },
+    { CFSTR("UsageConstraints"), CSSMERR_APPLETP_TRUST_SETTING_DENY },
+    { CFSTR("NotValidBefore"), CSSMERR_TP_CERT_NOT_VALID_YET },
+    { CFSTR("ValidIntermediates"), CSSMERR_TP_CERT_EXPIRED },
+    { CFSTR("ValidLeaf"), CSSMERR_TP_CERT_EXPIRED },
+    { CFSTR("ValidRoot"), CSSMERR_TP_CERT_EXPIRED },
+//  { CFSTR("AnchorAppleTestRoots"), },
+//  { CFSTR("AnchorAppleTestRootsOnProduction"), },
+//  { CFSTR("NoNetworkAccess"), },
+};
+#endif
+
 //
 // CF boilerplate
 //
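Review bot: `AnchorApple` is mapped to `CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH` while the other anchor checks in the same table (`AnchorSHA1`, `AnchorSHA256`, `AnchorTrusted`) map to `CSSMERR_TP_NOT_TRUSTED`, so a chain that fails Apple-anchor pinning is reported to legacy callers as a chain-length problem, which misdescribes the trust failure and can push a caller toward the wrong recovery. Unless this deliberately reproduces what the old TP returned for that case, change it to `{ CFSTR("AnchorApple"), CSSMERR_TP_NOT_TRUSTED },` or add a comment justifying the legacy code. The three commented-out entries (`AnchorAppleTestRoots`, `AnchorAppleTestRootsOnProduction`, `NoNetworkAccess`) mean a lookup over this table can miss; the lookup code is not in this hunk, so confirm it falls back to a failure code rather than success when no entry matches.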
@@ -101,6 +168,111 @@ SecTrustSetPolicies(SecTrustRef trustRef, CFTypeRef policies) } #endif +#if SECTRUST_OSX +typedef struct { + SecTrustOptionFlags flags; + CFIndex certIX; + SecTrustRef trustRef; + CFMutableDictionaryRef filteredException; + CFDictionaryRef oldException; +} SecExceptionFilterContext; + +#if 0 +//%%%FIXME SecCFWrappers produces some conflicting definitions on OSX +#include <utilities/SecCFWrappers.h> +#else +// inline function from SecCFWrappers.h +static inline char *CFStringToCString(CFStringRef inStr) +{ + if (!inStr) + return (char *)strdup(""); + CFRetain(inStr); // compensate for release on exit + + // need to extract into buffer + CFIndex length = CFStringGetLength(inStr); // in 16-bit character units + size_t len = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8); + char *buffer = (char *)malloc(len); // pessimistic + if (!CFStringGetCString(inStr, buffer, len, kCFStringEncodingUTF8)) + buffer[0] = 0; + + CFRelease(inStr); + return buffer; +} +#endif + +static void +filter_exception(const void *key, const void *value, void *context) +{ + SecExceptionFilterContext *ctx = (SecExceptionFilterContext *)context; + if (!ctx) { return; } + + SecTrustOptionFlags options = ctx->flags; + CFMutableDictionaryRef filteredException = ctx->filteredException; + CFStringRef keystr = (CFStringRef)key; + + if (ctx->oldException && CFDictionaryContainsKey(ctx->oldException, key)) { + // Keep existing exception in filtered dictionary, regardless of options + CFDictionaryAddValue(filteredException, key, CFDictionaryGetValue(ctx->oldException, key)); + return; + } + + bool allowed = false; + + if (CFEqual(keystr, CFSTR("SHA1Digest"))) { + allowed = true; // this key is informational and always permitted + } + else if (CFEqual(keystr, CFSTR("NotValidBefore"))) { + allowed = ((options & kSecTrustOptionAllowExpired) != 0); + } + else if (CFEqual(keystr, CFSTR("ValidLeaf"))) { + allowed = ((options & kSecTrustOptionAllowExpired) != 0); + } + else 
if (CFEqual(keystr, CFSTR("ValidIntermediates"))) { + allowed = ((options & kSecTrustOptionAllowExpired) != 0); + } + else if (CFEqual(keystr, CFSTR("ValidRoot"))) { + if (((options & kSecTrustOptionAllowExpired) != 0) || + ((options & kSecTrustOptionAllowExpiredRoot) != 0)) { + allowed = true; + } + } + else if (CFEqual(keystr, CFSTR("AnchorTrusted"))) { + bool implicitAnchors = ((options & kSecTrustOptionImplicitAnchors) != 0); + // Implicit anchors option only filters exceptions for self-signed certs + if (implicitAnchors && ctx->trustRef && + (ctx->certIX < SecTrustGetCertificateCount(ctx->trustRef))) { + Boolean isSelfSigned = false; + SecCertificateRef cert = SecTrustGetCertificateAtIndex(ctx->trustRef, ctx->certIX); + if (cert && (errSecSuccess == SecCertificateIsSelfSigned(cert, &isSelfSigned)) && + isSelfSigned) { + allowed = true; + } + } + } + else if (CFEqual(keystr, CFSTR("KeyUsage")) || + CFEqual(keystr, CFSTR("ExtendedKeyUsage")) || + CFEqual(keystr, CFSTR("BasicConstraints")) || + CFEqual(keystr, CFSTR("NonEmptySubject")) || + CFEqual(keystr, CFSTR("IdLinkage"))) { + // Cannot override these exceptions + allowed = false; + } + else { + // Unhandled exceptions should not be overridden, + // but we want to know which ones we're missing + char *cstr = CFStringToCString(keystr); + syslog(LOG_ERR, "Unfiltered exception: %s", (cstr) ? cstr : "<NULL>"); + if (cstr) { free(cstr); } + allowed = false; + } + + if (allowed) { + CFDictionaryAddValue(filteredException, key, value); + } +} + +#endif + /* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA) */ OSStatus SecTrustSetOptions(SecTrustRef trustRef, SecTrustOptionFlags options) 
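Review bot: CFStringToCString in this hunk never checks the `malloc(len)` result before CFStringGetCString writes into it, and `buffer[0] = 0` on the conversion-failure path dereferences a NULL buffer outright; the comment says this is a copy of the SecCFWrappers.h inline, so the same issue presumably lives there. As far as I read the CF contract, CFStringGetMaximumSizeForEncoding does not include the NUL that CFStringGetCString needs, so a string that actually needs the maximum size comes back as "": `char *buffer = (char *)malloc(len + 1); if (!buffer) { CFRelease(inStr); return NULL; }` closes both, and the one caller visible in this hunk (the default branch of filter_exception) already tolerates a NULL return. In filter_exception the default branch denies and logs at LOG_ERR, which is the right deny-by-default shape; a short comment that the handled-key list must track the kSecPolicyCheck* names in the policy code would help whoever adds the next check.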
@@ -122,31 +294,80 @@ SecTrustSetOptions(SecTrustRef trustRef, SecTrustOptionFlags options) #else /* bridge to support API functionality for legacy callers */ OSStatus status = errSecSuccess; -#if 1 -#warning STU: <rdar://21328005> -//%%% need to ensure that the exception covers only the requested options -#else - CFArrayRef details = SecTrustGetDetails(trustRef); // NOTE: performs the evaluation if not done already - CFIndex pathLength = details ? CFArrayGetCount(details) : 0; - CFIndex ix; - for (ix = 0; ix < pathLength; ++ix) { - CFDictionaryRef detail = (CFDictionaryRef)CFArrayGetValueAtIndex(details, ix); - CFIndex detailCount = CFDictionaryGetCount(detail); - if (detailCount > 0) { - // see if we can ignore this error - syslog(LOG_ERR, "SecTrustSetOptions: examining detail dictionary items at ix %ld", (long)ix); - CFShow(detail); + CFDataRef encodedExceptions = SecTrustCopyExceptions(trustRef); + CFArrayRef exceptions = NULL, + oldExceptions = SecTrustGetTrustExceptionsArray(trustRef); + + if (encodedExceptions) { + exceptions = (CFArrayRef)CFPropertyListCreateWithData(kCFAllocatorDefault, + encodedExceptions, kCFPropertyListImmutable, NULL, NULL); + CFRelease(encodedExceptions); + encodedExceptions = NULL; + } + + if (exceptions && CFGetTypeID(exceptions) != CFArrayGetTypeID()) { + CFRelease(exceptions); + exceptions = NULL; + } + + if (oldExceptions && exceptions && + CFArrayGetCount(oldExceptions) > CFArrayGetCount(exceptions)) { + oldExceptions = NULL; + } + + /* verify both exceptions are for the same leaf */ + if (oldExceptions && exceptions && CFArrayGetCount(oldExceptions) > 0) { + CFDictionaryRef oldLeafExceptions = (CFDictionaryRef)CFArrayGetValueAtIndex(oldExceptions, 0); + CFDictionaryRef leafExceptions = (CFDictionaryRef)CFArrayGetValueAtIndex(exceptions, 0); + CFDataRef oldDigest = (CFDataRef)CFDictionaryGetValue(oldLeafExceptions, CFSTR("SHA1Digest")); + CFDataRef digest = (CFDataRef)CFDictionaryGetValue(leafExceptions, CFSTR("SHA1Digest")); + 
if (!oldDigest || !digest || !CFEqual(oldDigest, digest)) { + oldExceptions = NULL; } } - syslog(LOG_ERR, "SecTrustSetOptions: creating trust exception"); -#endif - CFDataRef exceptions = SecTrustCopyExceptions(trustRef); + + /* add only those exceptions which are allowed by the supplied options */ if (exceptions) { - SecTrustSetExceptions(trustRef, exceptions); + CFMutableArrayRef filteredExceptions = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + CFIndex i, exceptionCount = (filteredExceptions) ? CFArrayGetCount(exceptions) : 0; + + for (i = 0; i < exceptionCount; ++i) { + CFDictionaryRef exception = (CFDictionaryRef)CFArrayGetValueAtIndex(exceptions, i); + CFDictionaryRef oldException = NULL; + if (oldExceptions && i < CFArrayGetCount(oldExceptions)) { + oldException = (CFDictionaryRef)CFArrayGetValueAtIndex(oldExceptions, i); + } + CFMutableDictionaryRef filteredException = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + if (exception && filteredException) { + SecExceptionFilterContext filterContext = { options, i, trustRef, filteredException, oldException }; + CFDictionaryApplyFunction(exception, filter_exception, &filterContext); + CFArrayAppendValue(filteredExceptions, filteredException); + CFRelease(filteredException); + } + } + + if (filteredExceptions) { + CFIndex filteredCount = CFArrayGetCount(filteredExceptions); + /* remove empty trailing entries to match iOS behavior */ + for (i = filteredCount; i-- > 1;) { + CFDictionaryRef exception = (CFDictionaryRef)CFArrayGetValueAtIndex(filteredExceptions, i); + if (CFDictionaryGetCount(exception) == 0) { + CFArrayRemoveValueAtIndex(filteredExceptions, i); + } else { + break; + } + } + encodedExceptions = CFPropertyListCreateData(kCFAllocatorDefault, + filteredExceptions, kCFPropertyListBinaryFormat_v1_0, 0, NULL); + CFRelease(filteredExceptions); + + SecTrustSetExceptions(trustRef, encodedExceptions); + CFRelease(encodedExceptions); + } 
CFRelease(exceptions); } - #if SECTRUST_DEPRECATION_WARNINGS bool displayModifyMsg = false; bool displayNetworkMsg = false; @@ -341,7 +562,7 @@ OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *resultP) } - secdebug("SecTrustEvaluate", "SecTrustEvaluate trust result = %d", (int)trustResult); + secnotice("SecTrustEvaluate", "SecTrustEvaluate trust result = %d", (int)trustResult); if (resultP) { *resultP = trustResult; } 
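Review bot: In the SecTrustSetOptions bridge (the -122 hunk; the function continues past the hunk), `encodedExceptions` from CFPropertyListCreateData is passed to SecTrustSetExceptions and then released without a NULL check; CFRelease(NULL) is a hard failure in CoreFoundation, and with the new SecTrustSetExceptions behaviour in the -1074 hunk a NULL payload would clear every exception rather than leave them untouched. Guard it with `if (encodedExceptions) { SecTrustSetExceptions(trustRef, encodedExceptions); CFRelease(encodedExceptions); } else { status = errSecAllocate; }` — `status` is otherwise never moved off errSecSuccess in this path, so a failed CFArrayCreateMutable or CFDictionaryCreateMutable is also reported as success, and a NULL filteredException silently drops that index and shifts the ones after it. The elements of `exceptions` are cast to CFDictionaryRef (leaf-digest comparison and the filter loop) after only the outer array type was checked; the data comes from SecTrustCopyExceptions on the same object, so this is a robustness nit rather than a hole, but a one-line comment saying so would be fair to the reader.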
@@ -389,112 +610,21 @@ OSStatus SecTrustGetResult( #else /* bridge to support old functionality */ #if SECTRUST_DEPRECATION_WARNINGS - syslog(LOG_ERR, "WARNING: SecTrustGetResult has been deprecated since 10.7, and may not return a statusChain in 10.11. Please use SecTrustGetTrustResult instead."); + syslog(LOG_ERR, "WARNING: SecTrustGetResult has been deprecated since 10.7. Please use SecTrustGetTrustResult instead."); #endif - SecTrustResultType trustResult; - OSStatus status = SecTrustGetTrustResult(trustRef, &trustResult); + SecTrustResultType trustResult; + OSStatus status = SecTrustGetTrustResult(trustRef, &trustResult); + if (status != errSecSuccess) { + return status; + } if (result) { *result = trustResult; } - if (certChain && !statusChain) { - /* This is the easy case; caller only wants cert chain and not status chain. */ - CFMutableArrayRef certArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFIndex idx, count = SecTrustGetCertificateCount(trustRef); - for (idx=0; idx < count; idx++) { - SecCertificateRef certificate = SecTrustGetCertificateAtIndex(trustRef, idx); - if (certificate) { - CFArrayAppendValue(certArray, certificate); - } - } - *certChain = certArray; - } - else if (certChain && statusChain) { - /* - * Here is where backward compatibility gets ugly. CSSM_TP_APPLE_EVIDENCE_INFO* is tied to a - * Trust object and does not exist in the new unified world. Unfortunately, some clients are - * still calling this legacy API and grubbing through the info for StatusBits and StatusCodes. - * If they want this info, then we have to do a legacy evaluation to get it. The info struct - * goes away once the old-style object does, so we must keep the old-style object alive after - * returning from the function. 
- * - * TODO: keep a dictionary and figure out how to expire entries when no longer needed., - * or build the evidence info ourselves: rdar://21005914 - */ - static CFMutableArrayRef sTrustArray = NULL; - - // make array of Certificate instances from unified SecCertificateRefs - CFMutableArrayRef certArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFIndex idx, count = SecTrustGetCertificateCount(trustRef); - for (idx=0; idx < count; idx++) { - SecCertificateRef certificate = SecTrustGetCertificateAtIndex(trustRef, idx); - if (certificate) { - SecCertificateRef itemImplRef = SecCertificateCreateItemImplInstance(certificate); - if (itemImplRef) { - CFArrayAppendValue(certArray, itemImplRef); - CFRelease(itemImplRef); - } - } - } - // make array of Policy instances from unified SecPolicyRefs - CFMutableArrayRef policyArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFArrayRef policies = NULL; - status = SecTrustCopyPolicies(trustRef, &policies); - count = (!status && policies) ? 
CFArrayGetCount(policies) : 0; - for (idx=0; idx < count; idx++) { - SecPolicyRef policy = (SecPolicyRef) CFArrayGetValueAtIndex(policies, idx); - if (policy) { - SecPolicyRef itemImplRef = SecPolicyCreateItemImplInstance(policy); - if (itemImplRef) { - CFArrayAppendValue(policyArray, itemImplRef); - CFRelease(itemImplRef); - } - } - } - // now make a Trust instance and evaluate it - try { - Trust *trustObj = new Trust(certArray, policyArray); - SecTrustRef trust = trustObj->handle(); - if (!trust) { - MacOSError::throwMe(errSecTrustNotAvailable); - } - if (!sTrustArray) { - sTrustArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - if (!sTrustArray) { - MacOSError::throwMe(errSecAllocate); - } - } - // fetch the built cert chain and status chain - CFArrayRef itemImplCertArray = NULL; - trustObj->evaluate(); - trustObj->buildEvidence(itemImplCertArray, TPEvidenceInfo::overlayVar(*statusChain)); - - // convert each Certificate in the built chain to a unified SecCertificateRef - CFMutableArrayRef outCertChain = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFIndex idx, count = (itemImplCertArray) ? CFArrayGetCount(itemImplCertArray) : 0; - for (idx=0; idx < count; idx++) { - SecCertificateRef inCert = (SecCertificateRef) CFArrayGetValueAtIndex(itemImplCertArray, idx); - SecCertificateRef outCert = SecCertificateCreateFromItemImplInstance(inCert); - if (outCert) { - CFArrayAppendValue(outCertChain, outCert); - CFRelease(outCert); - } - } - *certChain = outCertChain; - if (itemImplCertArray) { - CFRelease(itemImplCertArray); - } - CFArrayAppendValue(sTrustArray, trust); - status = errSecSuccess; - } - catch (const MacOSError &err) { status=err.osStatus(); } - catch (const CommonError &err) { status=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { status=errSecAllocate; } - catch (...) 
{ status=errSecInternalComponent; } - - if (policyArray) - CFRelease(policyArray); - if (certArray) - CFRelease(certArray); + if (certChain) { + *certChain = SecTrustCopyConstructedChain(trustRef); + } + if (statusChain) { + *statusChain = SecTrustGetEvidenceInfo(trustRef); } return status; #endif 
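Review bot: The two outputs of SecTrustGetResult now have different ownership and nothing in the hunk says so: `*certChain` is a +1 array from SecTrustCopyConstructedChain that the caller must release, while `*statusChain` is the pointer returned by SecTrustGetEvidenceInfo, which the trust object owns and which, per that function's header comment in the -884 hunk, is only valid until the trust is re-evaluated. Propose a comment above the two assignments: `/* certChain: +1, caller releases; statusChain: owned by the trust, valid until its parameters change */`. SecTrustGetEvidenceInfo is defined `static` several hundred lines below this call, so a prototype has to exist before this point unless one already sits outside the hunk. With the new early return on a failing SecTrustGetTrustResult, `*certChain` and `*statusChain` are left unwritten, which the old code never did for certChain; callers that do not pre-initialise them would now read stale values, so that is worth a line in the API doc.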
@@ -564,29 +694,146 @@ OSStatus SecTrustGetCssmResult(SecTrustRef trust, CSSM_TP_VERIFY_CONTEXT_RESULT_ } #if SECTRUST_OSX -static void applyPropertyToCssmResultCode(const void *_key, const void *_value, void *context) { - CFStringRef key = (CFStringRef)_key; - CFStringRef value = (CFStringRef)_value; - OSStatus *result = (OSStatus *)context; - if (CFGetTypeID(_value) != CFStringGetTypeID()) { - return; +// +// Returns a malloced array of CSSM_RETURN values, with the length in numStatusCodes, +// for the certificate specified by chain index in the given SecTrustRef. +// +// To match legacy behavior, the array actually allocates one element more than the +// value of numStatusCodes; if the certificate is revoked, the additional element +// at the end contains the CrlReason value. +// +// Caller must free the returned pointer. +// +static CSSM_RETURN *copyCssmStatusCodes(SecTrustRef trust, + unsigned int index, unsigned int *numStatusCodes) +{ + if (!trust || !numStatusCodes) { + return NULL; } - if (!CFEqual(CFSTR("value"), key)) { - return; + *numStatusCodes = 0; + CFArrayRef details = SecTrustGetDetails(trust); + CFIndex chainLength = (details) ? 
CFArrayGetCount(details) : 0; + if (!(index < chainLength)) { + return NULL; } - if (CFEqual(CFSTR("Invalid certificate chain linkage."), value)) { - *result = CSSMERR_APPLETP_INVALID_ID_LINKAGE; - } else if (CFEqual(CFSTR("One or more unsupported critical extensions found."), value)) { - *result = CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN; - } else if (CFEqual(CFSTR("Root certificate is not trusted."), value)) { - *result = CSSMERR_TP_NOT_TRUSTED; - } else if (CFEqual(CFSTR("Hostname mismatch."), value)) { - *result = CSSMERR_APPLETP_HOSTNAME_MISMATCH; - } else if (CFEqual(CFSTR("One or more certificates have expired or are not valid yet."), value)) { - *result = CSSMERR_TP_CERT_EXPIRED; - } else if (CFEqual(CFSTR("Policy requirements not met."), value)) { - *result = CSSMERR_TP_VERIFY_ACTION_FAILED; + CFDictionaryRef detail = (CFDictionaryRef)CFArrayGetValueAtIndex(details, index); + CFIndex ix, detailCount = CFDictionaryGetCount(detail); + *numStatusCodes = (unsigned int)detailCount; + + // Allocate one more entry than we need; this is used to store a CrlReason + // at the end of the array. 
+ CSSM_RETURN *statusCodes = (CSSM_RETURN*)malloc((detailCount+1) * sizeof(CSSM_RETURN)); + statusCodes[*numStatusCodes] = 0; + + const unsigned int resultmaplen = sizeof(cssmresultmap) / sizeof(resultmap_entry_t); + const void *keys[detailCount]; + CFDictionaryGetKeysAndValues(detail, &keys[0], NULL); + for (ix = 0; ix < detailCount; ix++) { + CFStringRef key = (CFStringRef)keys[ix]; + CSSM_RETURN statusCode = CSSM_OK; + for (unsigned int mapix = 0; mapix < resultmaplen; mapix++) { + CFStringRef str = (CFStringRef) cssmresultmap[mapix].checkstr; + if (CFStringCompare(str, key, 0) == kCFCompareEqualTo) { + statusCode = (CSSM_RETURN) cssmresultmap[mapix].resultcode; + break; + } + } + if (statusCode == CSSMERR_TP_CERT_REVOKED) { + SInt32 reason; + CFNumberRef number = (CFNumberRef)CFDictionaryGetValue(detail, key); + if (number && CFNumberGetValue(number, kCFNumberSInt32Type, &reason)) { + statusCodes[*numStatusCodes] = (CSSM_RETURN)reason; + } + } + statusCodes[ix] = statusCode; } + + return statusCodes; +} + +static uint8_t convertCssmResultToPriority(CSSM_RETURN resultCode) { + switch (resultCode) { + /* explicitly not trusted */ + case CSSMERR_TP_CERT_REVOKED: + case CSSMERR_APPLETP_TRUST_SETTING_DENY: + return 1; + /* failure to comply with X.509 */ + case CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS: + case CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT: + case CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT: + case CSSMERR_APPLETP_INVALID_AUTHORITY_ID: + case CSSMERR_TP_INVALID_CERTIFICATE: + case CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN: + return 2; + case CSSMERR_TP_CERT_EXPIRED: + return 3; + /* doesn't chain to trusted root */ + case CSSMERR_TP_NOT_TRUSTED: + case CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH: + return 4; + /* all others are policy-specific failures */ + default: + return 5; + } +} + +#include <libDER/oidsPriv.h> +#include <Security/oidscert.h> +static bool isSoftwareUpdateDevelopment(SecTrustRef trust) { + bool isPolicy = false, isEKU = false; + CFArrayRef policies 
= NULL; + + /* Policy used to evaluate was SWUpdateSigning */ + SecTrustCopyPolicies(trust, &policies); + if (policies) { + SecPolicyRef swUpdatePolicy = SecPolicyCreateAppleSWUpdateSigning(); + if (swUpdatePolicy && CFArrayContainsValue(policies, CFRangeMake(0, CFArrayGetCount(policies)), + swUpdatePolicy)) { + isPolicy = true; + } + if (swUpdatePolicy) { CFRelease(swUpdatePolicy); } + CFRelease(policies); + } + if (!isPolicy) { + return false; + } + + /* Only error was EKU on the leaf */ + CFArrayRef details = SecTrustGetDetails(trust); + CFIndex ix, count = CFArrayGetCount(details); + for (ix = 0; ix < count; ix++) { + CFDictionaryRef detail = (CFDictionaryRef)CFArrayGetValueAtIndex(details, ix); + if (ix == 0) { // Leaf + if (CFDictionaryGetCount(detail) != 1 || // One error + CFDictionaryGetValue(detail, CFSTR("ExtendedKeyUsage")) != kCFBooleanFalse) // kSecPolicyCheckExtendedKeyUsage + return false; + } else { + if (CFDictionaryGetCount(detail) > 0) { // No errors on other certs + return false; + } + } + } + + /* EKU on the leaf is the Apple Development Code Signing OID */ + SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0); + CSSM_DATA *fieldValue = NULL; + if (errSecSuccess != SecCertificateCopyFirstFieldValue(leaf, &CSSMOID_ExtendedKeyUsage, &fieldValue)) { + return false; + } + if (fieldValue && fieldValue->Data && fieldValue->Length == sizeof(CSSM_X509_EXTENSION)) { + const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)fieldValue->Data; + if (ext->format == CSSM_X509_DATAFORMAT_PARSED) { + const CE_ExtendedKeyUsage *ekus = (const CE_ExtendedKeyUsage *)ext->value.parsedValue; + if (ekus && (ekus->numPurposes == 1) && ekus->purposes[0].Data && + (ekus->purposes[0].Length == CSSMOID_APPLE_EKU_CODE_SIGNING_DEV.Length) && + (memcmp(ekus->purposes[0].Data, CSSMOID_APPLE_EKU_CODE_SIGNING_DEV.Data, + ekus->purposes[0].Length) == 0)) { + isEKU = true; + } + } + } + SecCertificateReleaseFirstFieldValue(leaf, &CSSMOID_ExtendedKeyUsage, 
fieldValue); + return isEKU; } #endif 
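Review bot: copyCssmStatusCodes stores CSSM_OK for any detail key that is not in cssmresultmap, so a certificate whose only failing check is unmapped (the three commented-out table rows, or any check added later) reports a zero status code; SecTrustGetCssmResultCode in the -612 hunk then ranks that 0 at the default priority 5 and can hand it to the caller as `*result = 0`, which legacy callers read as "no error" even though the trust result was not Proceed/Unspecified. Starting the lookup from a generic failure the table already uses, `CSSM_RETURN statusCode = CSSMERR_TP_VERIFY_ACTION_FAILED;`, keeps unknown failures visible; if the detail dictionaries can carry purely informational keys, those would need an explicit CSSM_OK row instead. In the revoked branch the detail value goes straight to CFNumberGetValue, but a check that records kCFBooleanFalse rather than a CFNumber (as the EKU check read by isSoftwareUpdateDevelopment evidently does) needs `if (number && CFGetTypeID(number) == CFNumberGetTypeID() && CFNumberGetValue(number, kCFNumberSInt32Type, &reason))`. `malloc` is unchecked before `statusCodes[*numStatusCodes] = 0`, and isSoftwareUpdateDevelopment calls CFArrayGetCount on the result of SecTrustGetDetails without the NULL check copyCssmStatusCodes makes a few lines earlier.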
@@ -612,24 +859,48 @@ OSStatus SecTrustGetCssmResultCode(SecTrustRef trustRef, OSStatus *result) if (!trustRef || !result) { return errSecParam; } - CFArrayRef properties = SecTrustCopyProperties(trustRef); - if (!properties) { - *result = 0; - return errSecSuccess; - } - OSStatus cssmResultCode = 0; - CFIndex ix, count = CFArrayGetCount(properties); - for (ix = 0; ix < count; ++ix) { - CFDictionaryRef property = (CFDictionaryRef) - CFArrayGetValueAtIndex(properties, ix); - CFDictionaryApplyFunction(property, applyPropertyToCssmResultCode, &cssmResultCode); - } + + SecTrustResultType trustResult = kSecTrustResultInvalid; + (void) SecTrustGetTrustResult(trustRef, &trustResult); + if (trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified) { + if (result) { *result = 0; } + return errSecSuccess; + } + + /* Development Software Update certs return a special error code when evaluated + * against the AppleSWUpdateSigning policy. See <rdar://27362805>. */ + if (isSoftwareUpdateDevelopment(trustRef)) { + if (result) { + *result = CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT; + } + return errSecSuccess; + } + + OSStatus cssmResultCode = errSecSuccess; + uint8_t resultCodePriority = 0xFF; + CFIndex ix, count = SecTrustGetCertificateCount(trustRef); + for (ix = 0; ix < count; ix++) { + unsigned int numStatusCodes; + CSSM_RETURN *statusCodes = NULL; + statusCodes = copyCssmStatusCodes(trustRef, (uint32_t)ix, &numStatusCodes); + if (statusCodes && numStatusCodes > 0) { + unsigned int statusIX; + for (statusIX = 0; statusIX < numStatusCodes; statusIX++) { + CSSM_RETURN currStatus = statusCodes[statusIX]; + uint8_t currPriotiy = convertCssmResultToPriority(currStatus); + if (resultCodePriority > currPriotiy) { + cssmResultCode = currStatus; + resultCodePriority = currPriotiy; + } + } + } + if (statusCodes) { free(statusCodes); } + if (resultCodePriority == 1) { break; } + } + if (result) { *result = cssmResultCode; } - if (properties) { - 
CFRelease(properties); - } return errSecSuccess; #endif } 
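Review bot: `currPriotiy` in the status-code loop of SecTrustGetCssmResultCode is misspelled in all three uses; `uint8_t currPriority = convertCssmResultToPriority(currStatus);` reads better and will not defeat the next grep. The `if (result)` tests inside the Proceed/Unspecified and software-update branches are dead after the `!trustRef || !result` guard at the top of the function. The return value of SecTrustGetTrustResult is discarded, so when evaluation fails trustResult stays kSecTrustResultInvalid and the function proceeds to scan status codes of a chain that may not have been built; either propagate that status or comment that the fall-through is intended.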
@@ -884,6 +1155,312 @@ SecCertificateRef SecTrustGetCertificateAtIndex(SecTrustRef trust, CFIndex ix) } #endif +// cannot link against the new iOS SecTrust from this implementation, +// so there are no possible accessors for the fields of this struct +typedef struct __TSecTrust { + CFRuntimeBase _base; + CFArrayRef _certificates; + CFArrayRef _anchors; + CFTypeRef _policies; + CFArrayRef _responses; + CFArrayRef _SCTs; + CFArrayRef _trustedLogs; + CFDateRef _verifyDate; + CFTypeRef _chain; + SecKeyRef _publicKey; + CFArrayRef _details; + CFDictionaryRef _info; + CFArrayRef _exceptions; + SecTrustResultType _trustResult; + bool _anchorsOnly; + bool _keychainsAllowed; + void* _legacy_info_array; + void* _legacy_status_array; + SecTrustResultType _trustResultBeforeExceptions; +} TSecTrust; + +#if SECTRUST_OSX +CFArrayRef SecTrustCopyInputCertificates(SecTrustRef trust) +{ + if (!trust) { return NULL; }; + TSecTrust *secTrust = (TSecTrust *)trust; + if (secTrust->_certificates) { + CFRetain(secTrust->_certificates); + } + return secTrust->_certificates; +} +#endif + +#if SECTRUST_OSX +CFArrayRef SecTrustCopyInputAnchors(SecTrustRef trust) +{ + if (!trust) { return NULL; }; + TSecTrust *secTrust = (TSecTrust *)trust; + if (secTrust->_anchors) { + CFRetain(secTrust->_anchors); + } + return secTrust->_anchors; +} +#endif + +#if SECTRUST_OSX +// Return the constructed certificate chain for this trust reference, +// making output certificates pointer-equivalent to any provided input +// certificates (where possible) for legacy behavioral compatibility. +// Caller must release this array. 
+// +CFArrayRef SecTrustCopyConstructedChain(SecTrustRef trust) +{ + CFMutableArrayRef certChain = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + CFIndex idx, count = SecTrustGetCertificateCount(trust); + for (idx=0; idx < count; idx++) { + SecCertificateRef certificate = SecTrustGetCertificateAtIndex(trust, idx); + if (certificate) { + CFArrayAppendValue(certChain, certificate); + } + } + // <rdar://24393060> + // Some callers make the assumption that the certificates in + // this chain are pointer-equivalent to ones they passed to the + // SecTrustCreateWithCertificates function. We'll maintain that + // behavior here for compatibility. + // + CFArrayRef inputCertArray = SecTrustCopyInputCertificates(trust); + CFArrayRef inputAnchorArray = SecTrustCopyInputAnchors(trust); + CFIndex inputCertIdx, inputCertCount = (inputCertArray) ? CFArrayGetCount(inputCertArray) : 0; + CFIndex inputAnchorIdx, inputAnchorCount = (inputAnchorArray) ? CFArrayGetCount(inputAnchorArray) : 0; + for (idx=0; idx < count; idx++) { + SecCertificateRef tmpCert = (SecCertificateRef) CFArrayGetValueAtIndex(certChain, idx); + if (tmpCert) { + SecCertificateRef matchCert = NULL; + for (inputCertIdx=0; inputCertIdx < inputCertCount && !matchCert; inputCertIdx++) { + SecCertificateRef inputCert = (SecCertificateRef) CFArrayGetValueAtIndex(inputCertArray, inputCertIdx); + if (inputCert && CFEqual(inputCert, tmpCert)) { + matchCert = inputCert; + } + } + for (inputAnchorIdx=0; inputAnchorIdx < inputAnchorCount && !matchCert; inputAnchorIdx++) { + SecCertificateRef inputAnchor = (SecCertificateRef) CFArrayGetValueAtIndex(inputAnchorArray, inputAnchorIdx); + if (inputAnchor && CFEqual(inputAnchor, tmpCert)) { + matchCert = inputAnchor; + } + } + if (matchCert) { + CFArraySetValueAtIndex(certChain, idx, matchCert); + } + } + } + if (inputCertArray) { + CFRelease(inputCertArray); + } + if (inputAnchorArray) { + CFRelease(inputAnchorArray); + } + return certChain; +} +#endif + +#if 
SECTRUST_OSX +// +// Here is where backward compatibility gets ugly. CSSM_TP_APPLE_EVIDENCE_INFO does not exist +// in the unified SecTrust world. Unfortunately, some clients are still calling legacy APIs +// (e.g. SecTrustGetResult) and grubbing through the info for StatusBits and StatusCodes. +// SecTrustGetEvidenceInfo builds the legacy evidence info structure as needed, and returns +// a pointer to it. The evidence data is allocated here and set in the _legacy_* fields +// of the TSecTrust; the trust object subsequently owns it. The returned pointer is expected +// to be valid for the lifetime of the SecTrustRef, or until the trust parameters are changed, +// which would force re-evaluation. +// +static CSSM_TP_APPLE_EVIDENCE_INFO * +SecTrustGetEvidenceInfo(SecTrustRef trust) +{ + TSecTrust *secTrust = (TSecTrust *)trust; + if (!secTrust) { + return NULL; + } + if (secTrust->_trustResult != kSecTrustSettingsResultInvalid && + secTrust->_legacy_info_array) { + // we've already got valid evidence info, return it now. + return (CSSM_TP_APPLE_EVIDENCE_INFO *)secTrust->_legacy_info_array; + } + + // Getting the count implicitly evaluates the chain if necessary. + CFIndex idx, count = SecTrustGetCertificateCount(trust); + CFArrayRef inputCertArray = SecTrustCopyInputCertificates(trust); + CFArrayRef inputAnchorArray = SecTrustCopyInputAnchors(trust); + CFIndex inputCertIdx, inputCertCount = (inputCertArray) ? CFArrayGetCount(inputCertArray) : 0; + CFIndex inputAnchorIdx, inputAnchorCount = (inputAnchorArray) ? 
CFArrayGetCount(inputAnchorArray) : 0; + + CSSM_TP_APPLE_EVIDENCE_INFO *infoArray = (CSSM_TP_APPLE_EVIDENCE_INFO *)calloc(count, sizeof(CSSM_TP_APPLE_EVIDENCE_INFO)); + CSSM_RETURN *statusArray = NULL; + unsigned int numStatusCodes = 0; + + // Set status codes for each certificate in the constructed chain + for (idx=0; idx < count; idx++) { + SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, idx); + if (!cert) { + continue; + } + CSSM_TP_APPLE_EVIDENCE_INFO *evInfo = &infoArray[idx]; + + /* first the booleans (StatusBits flags) */ + CFAbsoluteTime now = CFAbsoluteTimeGetCurrent(); + if (secTrust->_verifyDate) { + now = CFDateGetAbsoluteTime(secTrust->_verifyDate); + } + CFAbsoluteTime na = SecCertificateNotValidAfter(cert); + if (na < now) { + evInfo->StatusBits |= CSSM_CERT_STATUS_EXPIRED; + } + CFAbsoluteTime nb = SecCertificateNotValidBefore(cert); + if (nb > now) { + evInfo->StatusBits |= CSSM_CERT_STATUS_NOT_VALID_YET; + } + for (inputAnchorIdx=0; inputAnchorIdx < inputAnchorCount; inputAnchorIdx++) { + SecCertificateRef inputAnchor = (SecCertificateRef) CFArrayGetValueAtIndex(inputAnchorArray, inputAnchorIdx); + if (inputAnchor && CFEqual(inputAnchor, cert)) { + evInfo->StatusBits |= CSSM_CERT_STATUS_IS_IN_ANCHORS; + break; + } + } + for (inputCertIdx=0; inputCertIdx < inputCertCount; inputCertIdx++) { + SecCertificateRef inputCert = (SecCertificateRef) CFArrayGetValueAtIndex(inputCertArray, inputCertIdx); + if (inputCert && CFEqual(inputCert, cert)) { + evInfo->StatusBits |= CSSM_CERT_STATUS_IS_IN_INPUT_CERTS; + break; + } + } + + /* See if there are trust settings for this certificate. 
*/ + CFStringRef hashStr = SecTrustSettingsCertHashStrFromCert(cert); + bool foundMatch = false; + bool foundAny = false; + CSSM_RETURN *errors = NULL; + uint32 errorCount = 0; + OSStatus status = 0; + SecTrustSettingsDomain foundDomain = 0; + SecTrustSettingsResult foundResult = kSecTrustSettingsResultInvalid; + bool isSelfSigned = false; + if ((count - 1) == idx) { + // Only the last cert in the chain needs to be considered + Boolean selfSigned; + status = SecCertificateIsSelfSigned(cert, &selfSigned); + isSelfSigned = (status) ? false : ((selfSigned) ? true : false); + if (isSelfSigned) { + evInfo->StatusBits |= CSSM_CERT_STATUS_IS_ROOT; + } + } + // STU: rdar://25554967 + // %%% need to get policyOID, policyString, and keyUsage here! + + status = SecTrustSettingsEvaluateCert( + hashStr, /* certHashStr */ + NULL, /* policyOID (optional) */ + NULL, /* policyString (optional) */ + 0, /* policyStringLen */ + 0, /* keyUsage */ + isSelfSigned, /* isRootCert */ + &foundDomain, /* foundDomain */ + &errors, /* allowedErrors -- MUST FREE */ + &errorCount, /* numAllowedErrors */ + &foundResult, /* resultType */ + &foundMatch, /* foundMatchingEntry */ + &foundAny); /* foundAnyEntry */ + + if (status == errSecSuccess) { + if (foundMatch) { + switch (foundResult) { + case kSecTrustSettingsResultTrustRoot: + case kSecTrustSettingsResultTrustAsRoot: + /* these two can be disambiguated by IS_ROOT */ + evInfo->StatusBits |= CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST; + break; + case kSecTrustSettingsResultDeny: + evInfo->StatusBits |= CSSM_CERT_STATUS_TRUST_SETTINGS_DENY; + break; + case kSecTrustSettingsResultUnspecified: + case kSecTrustSettingsResultInvalid: + default: + break; + } + } + } + if (errors) { + free(errors); + } + if (hashStr) { + CFRelease(hashStr); + } + + unsigned int numCodes=0; + CSSM_RETURN *statusCodes = copyCssmStatusCodes(trust, (unsigned int)idx, &numCodes); + if (statusCodes) { + // Realloc space for these status codes at end of our status codes block. 
+ // Two important things to note: + // 1. the actual length is numCodes+1 because copyCssmStatusCodes + // allocates one more element at the end for the CrlReason value. + // 2. realloc may cause the pointer to move, which means we will + // need to fix up the StatusCodes fields after we're done with this loop. + unsigned int totalStatusCodes = numStatusCodes + numCodes + 1; + statusArray = (CSSM_RETURN *)realloc(statusArray, totalStatusCodes * sizeof(CSSM_RETURN)); + evInfo->StatusCodes = &statusArray[numStatusCodes]; + evInfo->NumStatusCodes = numCodes; + // Copy the new codes (plus one) into place + for (unsigned int cpix = 0; cpix <= numCodes; cpix++) { + evInfo->StatusCodes[cpix] = statusCodes[cpix]; + } + numStatusCodes = totalStatusCodes; + free(statusCodes); + } + + if(evInfo->StatusBits & (CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST | + CSSM_CERT_STATUS_TRUST_SETTINGS_DENY | + CSSM_CERT_STATUS_TRUST_SETTINGS_IGNORED_ERROR)) { + /* Something noteworthy happened involving TrustSettings */ + uint32 whichDomain = 0; + switch(foundDomain) { + case kSecTrustSettingsDomainUser: + whichDomain = CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_USER; + break; + case kSecTrustSettingsDomainAdmin: + whichDomain = CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_ADMIN; + break; + case kSecTrustSettingsDomainSystem: + whichDomain = CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_SYSTEM; + break; + } + evInfo->StatusBits |= whichDomain; + } + + /* index into raw cert group or AnchorCerts depending on IS_IN_ANCHORS */ + //evInfo->Index = certInfo->index(); + /* nonzero if cert came from a DLDB */ + //evInfo->DlDbHandle = certInfo->dlDbHandle(); + //evInfo->UniqueRecord = certInfo->uniqueRecord(); + } + + // Now that all the status codes have been allocated in a contiguous block, + // refresh the StatusCodes pointer in each array element. 
+ numStatusCodes = 0; + for (idx=0; idx < count; idx++) { + CSSM_TP_APPLE_EVIDENCE_INFO *evInfo = &infoArray[idx]; + evInfo->StatusCodes = &statusArray[numStatusCodes]; + numStatusCodes += evInfo->NumStatusCodes + 1; + } + + secTrust->_legacy_info_array = infoArray; + secTrust->_legacy_status_array = statusArray; + + if (inputCertArray) { + CFRelease(inputCertArray); + } + if (inputAnchorArray) { + CFRelease(inputAnchorArray); + } + + return (CSSM_TP_APPLE_EVIDENCE_INFO *)secTrust->_legacy_info_array; +} +#endif #if !SECTRUST_OSX static CFStringRef kSecCertificateDetailSHA1Digest = CFSTR("SHA1Digest"); @@ -1074,9 +1651,13 @@ CFDataRef SecTrustCopyExceptions(SecTrustRef trust) /* new in 10.9 */ bool SecTrustSetExceptions(SecTrustRef trust, CFDataRef encodedExceptions) { - CFArrayRef exceptions; - exceptions = (CFArrayRef)CFPropertyListCreateWithData(kCFAllocatorDefault, - encodedExceptions, kCFPropertyListImmutable, NULL, NULL); + CFArrayRef exceptions = NULL; + + if (NULL != encodedExceptions) { + exceptions = (CFArrayRef)CFPropertyListCreateWithData(kCFAllocatorDefault, + encodedExceptions, kCFPropertyListImmutable, NULL, NULL); + } + if (exceptions && CFGetTypeID(exceptions) != CFArrayGetTypeID()) { CFRelease(exceptions); exceptions = NULL; @@ -1084,6 +1665,8 @@ bool SecTrustSetExceptions(SecTrustRef trust, CFDataRef encodedExceptions) OSStatus __secapiresult = errSecSuccess; try { + /* Exceptions are being set or cleared, we'll need to re-evaluate trust either way. */ + Trust::required(trust)->setResult(kSecTrustResultInvalid); Trust::required(trust)->exceptions(exceptions); } catch (const MacOSError &err) { __secapiresult=err.osStatus(); } 
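Review bot: SecTrustGetEvidenceInfo's cache check compares `secTrust->_trustResult` (a SecTrustResultType) against kSecTrustSettingsResultInvalid, which is a SecTrustSettingsResult constant; `kSecTrustResultInvalid` looks like the intended value, and the two presumably coincide numerically, so it works by accident. When that check misses because the trust was re-evaluated, `_legacy_info_array` and `_legacy_status_array` are overwritten with fresh allocations and the previous blocks are never freed, even though the header comment says the trust owns them; `free(secTrust->_legacy_info_array); free(secTrust->_legacy_status_array);` before the calloc fixes the leak, and the same cleanup belongs in the trust's deallocator, which is outside this hunk. `calloc` and `realloc` results are unchecked and `statusArray = realloc(statusArray, ...)` discards the old block on failure, after which `evInfo->StatusCodes = &statusArray[numStatusCodes]` indexes NULL. The TSecTrust mirror at the top of the hunk is read purely by layout, so a comment naming the iOS definition it must stay in sync with (and a `_Static_assert` on sizeof where that definition can be included in a test build) would make the dependency visible; as it stands a reordered field silently mis-reads `_verifyDate` or `_legacy_info_array`.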
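Review bot: SecTrustSetExceptions now accepts a NULL encodedExceptions and treats it as "clear exceptions", but the hunk still only validates that the decoded plist is an array; its elements are consumed as dictionaries downstream (SecTrustSetOptions in the -122 hunk casts each one to CFDictionaryRef), encodedExceptions is caller-supplied data, and how Trust::exceptions handles a non-dictionary element is not visible here. A per-element type check after the existing array test, as below, rejects malformed input at the API boundary. The NULL-clears-exceptions behaviour is also worth one line in the SecTrust.h doc comment for this function; that header's hunk is further down.
```cpp
    if (exceptions && CFGetTypeID(exceptions) != CFArrayGetTypeID()) {
    // … unchanged: release and NULL the array …
    }
    /* elements are consumed as CFDictionary downstream; reject the whole array otherwise */
    for (CFIndex ix = 0; exceptions && ix < CFArrayGetCount(exceptions); ix++) {
        if (CFGetTypeID(CFArrayGetValueAtIndex(exceptions, ix)) != CFDictionaryGetTypeID()) {
            CFRelease(exceptions);
            exceptions = NULL;
        }
    }
```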
@@ -1153,6 +1736,59 @@ SecTrustCopyProperties(SecTrustRef trust) } return result; } +#else +CFArrayRef SecTrustCopyProperties(SecTrustRef trust) { + /* OS X creates a completely different structure with one dictionary for each certificate */ + CFIndex ix, count = SecTrustGetCertificateCount(trust); + + CFMutableArrayRef properties = CFArrayCreateMutable(kCFAllocatorDefault, count, + &kCFTypeArrayCallBacks); + + for (ix = 0; ix < count; ix++) { + CFMutableDictionaryRef certDict = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + /* Populate the certificate title */ + SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, ix); + if (cert) { + CFStringRef subjectSummary = SecCertificateCopySubjectSummary(cert); + if (subjectSummary) { + CFDictionaryAddValue(certDict, kSecPropertyTypeTitle, subjectSummary); + CFRelease(subjectSummary); + } + } + + /* Populate a revocation reason if the cert was revoked */ + unsigned int numStatusCodes; + CSSM_RETURN *statusCodes = NULL; + statusCodes = copyCssmStatusCodes(trust, (uint32_t)ix, &numStatusCodes); + if (statusCodes) { + int32_t reason = statusCodes[numStatusCodes]; // stored at end of status codes array + if (reason > 0) { + CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason); + if (cfreason) { + CFDictionarySetValue(certDict, kSecTrustRevocationReason, cfreason); + CFRelease(cfreason); + } + } + free(statusCodes); + } + + /* Populate the error in the leaf dictionary */ + if (ix == 0) { + OSStatus error = errSecSuccess; + (void)SecTrustGetCssmResultCode(trust, &error); + CFStringRef errorStr = SecCopyErrorMessageString(error, NULL); + if (errorStr) { + CFDictionarySetValue(certDict, kSecPropertyTypeError, errorStr); + CFRelease(errorStr); + } + } + + CFArrayAppendValue(properties, certDict); + } + + return properties; +} #endif /* deprecated in 10.5 */ 
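Review bot: In the new OS X SecTrustCopyProperties, `certDict` is created with CFDictionaryCreateMutable (+1 retain) and appended to `properties`, which retains it again under kCFTypeArrayCallBacks, but it is never released, so each call leaks one dictionary per certificate in the chain. Add `CFRelease(certDict);` immediately after `CFArrayAppendValue(properties, certDict);`. The results of CFArrayCreateMutable and CFDictionaryCreateMutable are also used without a NULL check; CFDictionaryAddValue on a NULL dictionary aborts rather than degrading, so an early `if (!properties) return NULL;` and a per-iteration guard on `certDict` would make the failure mode explicit.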
diff --git a/OSX/libsecurity_keychain/lib/SecTrust.h b/OSX/libsecurity_keychain/lib/SecTrust.h index 86ae0fc3..d8ec764c 100644 --- a/OSX/libsecurity_keychain/lib/SecTrust.h +++ b/OSX/libsecurity_keychain/lib/SecTrust.h @@ -1,15 +1,15 @@ /* - * Copyright (c) 2002-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -34,9 +34,7 @@ #include <CoreFoundation/CoreFoundation.h> #include <AvailabilityMacros.h> -#if defined(__cplusplus) -extern "C" { -#endif +__BEGIN_DECLS CF_ASSUME_NONNULL_BEGIN CF_IMPLICIT_BRIDGING_ENABLED 
@@ -82,17 +80,15 @@ CF_IMPLICIT_BRIDGING_ENABLED of trust evaluation. This value may be returned by the SecTrustEvaluate function but not stored as part of the user trust settings. */ - -typedef uint32_t SecTrustResultType; -enum { - kSecTrustResultInvalid = 0, - kSecTrustResultProceed = 1, - kSecTrustResultConfirm CF_ENUM_DEPRECATED(10_0, 10_9, NA, NA) = 2, - kSecTrustResultDeny = 3, - kSecTrustResultUnspecified = 4, - kSecTrustResultRecoverableTrustFailure = 5, - kSecTrustResultFatalTrustFailure = 6, - kSecTrustResultOtherError = 7 +typedef CF_ENUM(uint32_t, SecTrustResultType) { + kSecTrustResultInvalid CF_ENUM_AVAILABLE(10_3, 2_0) = 0, + kSecTrustResultProceed CF_ENUM_AVAILABLE(10_3, 2_0) = 1, + kSecTrustResultConfirm CF_ENUM_DEPRECATED(10_3, 10_9, 2_0, 7_0) = 2, + kSecTrustResultDeny CF_ENUM_AVAILABLE(10_3, 2_0) = 3, + kSecTrustResultUnspecified CF_ENUM_AVAILABLE(10_3, 2_0) = 4, + kSecTrustResultRecoverableTrustFailure CF_ENUM_AVAILABLE(10_3, 2_0) = 5, + kSecTrustResultFatalTrustFailure CF_ENUM_AVAILABLE(10_3, 2_0) = 6, + kSecTrustResultOtherError CF_ENUM_AVAILABLE(10_3, 2_0) = 7 }; /*! @@ -150,6 +146,12 @@ extern const CFStringRef kSecPropertyTypeError value of kCFBooleanTrue. The value will be a CFDateRef representing the earliest date at which the revocation info for one of the certificates in this chain might change. + @constant kSecTrustCertificateTransparency + This key will be present and have a value of kCFBooleanTrue + if this chain is CT qualified. + @constant kSecTrustCertificateTransparencyWhiteList + This key will be present and have a value of kCFBooleanTrue + if this chain is EV, not CT qualified, but included of the CT WhiteList. */ extern const CFStringRef kSecTrustEvaluationDate __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); 
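Review bot: The new @constant text for kSecTrustCertificateTransparencyWhiteList reads "included of the CT WhiteList", which is ungrammatical for a public header; suggest `if this chain is EV, not CT qualified, but included in the CT whitelist.` The neighbouring kSecTrustCertificateTransparency entry says only "CT qualified" without saying where the SCTs come from; a pointer to the input, e.g. `(see SecTrustSetSignedCertificateTimestamps in SecTrustPriv.h)`, would tell readers how to make a chain qualify.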
@@ -163,6 +165,10 @@ extern const CFStringRef kSecTrustRevocationChecked __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); extern const CFStringRef kSecTrustRevocationValidUntilDate __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); +extern const CFStringRef kSecTrustCertificateTransparency + __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); +extern const CFStringRef kSecTrustCertificateTransparencyWhiteList + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); #ifdef __BLOCKS__ /*! @@ -318,7 +324,7 @@ OSStatus SecTrustSetVerifyDate(SecTrustRef trust, CFDateRef verifyDate) /*! @function SecTrustGetVerifyTime @abstract Returns the verify time. - 4 + @param trust A reference to the trust object being verified. @result A CFAbsoluteTime value representing the time at which certificates should be checked for validity. @discussion This function retrieves the verification time for the given @@ -441,8 +447,9 @@ CFDataRef SecTrustCopyExceptions(SecTrustRef trust) @abstract Set a trust cookie to be used for evaluating this certificate chain. @param trust A reference to a trust object. @param exceptions An exceptions cookie as returned by a call to - SecTrustCopyExceptions() in the past. - @result Upon calling SecTrustEvaluate(), any failures that where present at the + SecTrustCopyExceptions() in the past. You may pass NULL to clear any + exceptions which have been previously set on this trust reference. + @result Upon calling SecTrustEvaluate(), any failures that were present at the time the exceptions object was created are ignored, and instead of returning kSecTrustResultRecoverableTrustFailure, kSecTrustResultProceed will be returned (if the certificate for which exceptions was created matches the current leaf 
@@ -459,7 +466,7 @@ CFDataRef SecTrustCopyExceptions(SecTrustRef trust) of the wireless network for which this cert is needed, the account for which this cert should be considered valid, and so on. */ -bool SecTrustSetExceptions(SecTrustRef trust, CFDataRef exceptions) +bool SecTrustSetExceptions(SecTrustRef trust, CFDataRef __nullable exceptions) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /*! @@ -625,7 +632,7 @@ OSStatus SecTrustSetKeychains(SecTrustRef trust, CFTypeRef __nullable keychainOr for the evaluation, use SecTrustGetTrustResult. */ OSStatus SecTrustGetResult(SecTrustRef trustRef, SecTrustResultType * __nullable result, - CFArrayRef * __nonnull CF_RETURNS_RETAINED certChain, CSSM_TP_APPLE_EVIDENCE_INFO * __nullable * __nonnull statusChain) + CFArrayRef * __nullable CF_RETURNS_RETAINED certChain, CSSM_TP_APPLE_EVIDENCE_INFO * __nullable * __nullable statusChain) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); /*! @@ -693,8 +700,6 @@ CF_ASSUME_NONNULL_END #endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ -#if defined(__cplusplus) -} -#endif +__END_DECLS #endif /* !_SECURITY_SECTRUST_H_ */ diff --git a/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp b/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp new file mode 100644 index 00000000..55c09939 --- /dev/null +++ b/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp 
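Review bot: The SecTrustGetResult declaration now marks both `certChain` and `statusChain` as `__nullable`, which widens the contract of a deprecated entry point: its implementation must now tolerate a NULL pointer for either out-parameter. The implementation is not in this hunk so I cannot confirm it checks both; if it does, the @param text above this hunk should say so, e.g. `@param certChain On return, the certificate chain; pass NULL if not needed.`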
@@ -0,0 +1,290 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * SecTrustOSXEntryPoints - Interface for unified SecTrust into OS X Security
+ * Framework.
+ */ + +#include "SecTrustOSXEntryPoints.h" + +#include <Security/Security.h> +#include <Security/cssmtype.h> +#include <Security/SecKeychain.h> +#include <Security/SecItemPriv.h> +#include <Security/SecTrustSettingsPriv.h> +#include <Security/SecCertificate.h> +#include <Security/SecImportExport.h> +#include <security_keychain/SecImportExportPem.h> +#include <security_utilities/debugging.h> + +#include <security_ocspd/ocspdClient.h> +#include <security_ocspd/ocspdUtils.h> + +#include <CoreFoundation/CoreFoundation.h> +#include <CoreFoundation/CFRunLoop.h> +#include <dispatch/dispatch.h> +#include <AssertMacros.h> +#include <pthread.h> + +/* + * MARK: CFRunloop + */ + +static OSStatus SecLegacySourceChanged(__unused SecKeychainEvent keychainEvent, __unused SecKeychainCallbackInfo *info, __unused void *context) { + // Purge keychain parent cache + SecItemParentCachePurge(); + // Purge unrestricted roots cache + SecTrustSettingsPurgeUserAdminCertsCache(); + return 0; +} + +static void *SecTrustOSXCFRunloop(__unused void *unused) { + CFRunLoopTimerRef timer = CFRunLoopTimerCreateWithHandler(kCFAllocatorDefault, (CFTimeInterval) UINT_MAX, 0, 0, 0, ^(__unused CFRunLoopTimerRef _timer) { + /* do nothing */ + }); + + /* add a timer to force the runloop to stay running */ + CFRunLoopAddTimer(CFRunLoopGetCurrent(), timer, kCFRunLoopDefaultMode); + /* add keychain callback before we initiate a runloop to avoid it exiting due to no sources */ + + SecKeychainEventMask trustdMask = (kSecAddEventMask | kSecDeleteEventMask | kSecUpdateEventMask | + kSecDefaultChangedEventMask | kSecKeychainListChangedMask | + kSecTrustSettingsChangedEventMask); + SecKeychainAddCallback(SecLegacySourceChanged, trustdMask, NULL); + + try { + CFRunLoopRun(); + } + catch (...) { + /* An exception was rethrown from the runloop. Since we can't reliably + * obtain info about changes to keychains or trust settings anymore, + * just exit and respawn the process when needed. 
*/ + + secerror("Exception occurred in CFRunLoopRun; exiting"); + exit(0); + } + CFRelease(timer); + return NULL; +} + +void SecTrustLegacySourcesEventRunloopCreate(void) { + /* A runloop is currently necessary to receive notifications about changes in the + * legacy keychains and trust settings. */ + static dispatch_once_t once; + + dispatch_once(&once, ^{ + pthread_attr_t attrs; + pthread_t thread; + + pthread_attr_init(&attrs); + pthread_attr_setdetachstate(&attrs, PTHREAD_CREATE_DETACHED); + + /* we do this with traditional pthread to avoid impacting our 512 WQ thread limit since this is a parked thread */ + pthread_create(&thread, &attrs, SecTrustOSXCFRunloop, NULL); + }); +} + +/* + * MARK: ocspd CRL Interface + */ +/* lengths of time strings without trailing NULL */ +#define CSSM_TIME_STRLEN 14 /* no trailing 'Z' */ +#define GENERALIZED_TIME_STRLEN 15 + +OSStatus SecTrustLegacyCRLStatus(SecCertificateRef cert, CFArrayRef chain, CFURLRef currCRLDP); +OSStatus SecTrustLegacyCRLFetch(CFURLRef currCRLDP, CFAbsoluteTime verifyTime); + +static OSStatus cssmReturnToOSStatus(CSSM_RETURN crtn) { + OSStatus status = errSecInternalComponent; + + switch (crtn) { + case CSSM_OK: + status = errSecSuccess; + break; + case CSSMERR_TP_CERT_REVOKED: + status = errSecCertificateRevoked; + break; + case CSSMERR_APPLETP_NETWORK_FAILURE: + status = errSecNetworkFailure; + break; + case CSSMERR_APPLETP_CRL_NOT_FOUND: + status = errSecCRLNotFound; + break; + default: + status = errSecInternalComponent; + } + return status; +} + +#define PEM_STRING_X509 "CERTIFICATE" +static CFDataRef serializedPathToPemSequences(CFArrayRef certs) { + CFMutableDataRef result = NULL; + CFIndex certIX, certCount; + require_quiet(certs, out); + certCount = CFArrayGetCount(certs); + require_quiet(certCount > 0, out); + require_quiet(result = CFDataCreateMutable(NULL, 0), out); + for (certIX = 0; certIX < certCount; certIX++) { + CFDataRef certData = (CFDataRef)CFArrayGetValueAtIndex(certs, certIX); + 
require_noerr_quiet(impExpPemEncodeExportRep(certData, PEM_STRING_X509, + NULL, result), out); + } +out: + return result; +} + +OSStatus SecTrustLegacyCRLStatus(SecCertificateRef cert, CFArrayRef chain, CFURLRef currCRLDP) { + OSStatus result = errSecParam; + CSSM_RETURN crtn = CSSMERR_TP_INTERNAL_ERROR; + CFDataRef serialData = NULL, pemIssuers = NULL, crlDP = NULL; + CFMutableArrayRef issuersArray = NULL; + + if (!cert || !chain) { + return result; + } + + /* serialNumber is a CSSM_DATA with the value from the TBS Certificate. */ + CSSM_DATA serialNumber = { 0, NULL }; + serialData = SecCertificateCopySerialNumber(cert, NULL); + if (serialData) { + serialNumber.Data = (uint8_t *)CFDataGetBytePtr(serialData); + serialNumber.Length = CFDataGetLength(serialData); + } + + /* issuers is CSSM_DATA containing pem sequence of all issuers in the chain */ + CSSM_DATA issuers = { 0, NULL }; + issuersArray = CFArrayCreateMutableCopy(NULL, 0, chain); + if (issuersArray) { + CFArrayRemoveValueAtIndex(issuersArray, 0); + pemIssuers = serializedPathToPemSequences(issuersArray); + } + if (pemIssuers) { + issuers.Data = (uint8_t *)CFDataGetBytePtr(pemIssuers); + issuers.Length = CFDataGetLength(pemIssuers); + } + + /* crlUrl is CSSM_DATA with the CRLDP url*/ + CSSM_DATA crlUrl = { 0, NULL }; + crlDP = CFURLCreateData(NULL, currCRLDP, kCFStringEncodingASCII, true); + if (crlDP) { + crlUrl.Data = (uint8_t *)CFDataGetBytePtr(crlDP); + crlUrl.Length = CFDataGetLength(crlDP); + } + + if (serialNumber.Data && issuers.Data && crlUrl.Data) { + crtn = ocspdCRLStatus(serialNumber, issuers, NULL, &crlUrl); + } + + result = cssmReturnToOSStatus(crtn); + + if (serialData) { CFRelease(serialData); } + if (issuersArray) { CFRelease(issuersArray); } + if (pemIssuers) { CFRelease(pemIssuers); } + if (crlDP) { CFRelease(crlDP); } + return result; +} + +static CSSM_RETURN ocspdCRLFetchToCache(const CSSM_DATA &crlURL, + CSSM_TIMESTRING verifyTime) { + Allocator 
&alloc(Allocator::standard(Allocator::normal)); + CSSM_DATA crlData = { 0, NULL }; + CSSM_RETURN crtn; + + crtn = ocspdCRLFetch(alloc, crlURL, NULL, true, true, verifyTime, crlData); + if (crlData.Data) { alloc.free(crlData.Data); } + return crtn; +} + +static OSStatus fetchCRL(CFURLRef currCRLDP, CFAbsoluteTime verifyTime) { + OSStatus result = errSecParam; + CSSM_RETURN crtn = CSSMERR_TP_INTERNAL_ERROR; + CFDataRef crlDP = NULL; + char *cssmTime = NULL, *genTime = NULL; + + if (!currCRLDP) { + return result; + } + + /* crlUrl is CSSM_DATA with the CRLDP url*/ + CSSM_DATA crlUrl = { 0, NULL }; + crlDP = CFURLCreateData(NULL, currCRLDP, kCFStringEncodingASCII, true); + if (crlDP) { + crlUrl.Data = (uint8_t *)CFDataGetBytePtr(crlDP); + crlUrl.Length = CFDataGetLength(crlDP); + } + + /* determine verification time */ + cssmTime = (char *)malloc(CSSM_TIME_STRLEN + 1); + genTime = (char *)malloc(GENERAL_TIME_STRLEN + 1); + if (cssmTime && genTime) { + if (verifyTime != 0.0) { + cfAbsTimeToGgenTime(verifyTime, genTime); + } else { + cfAbsTimeToGgenTime(CFAbsoluteTimeGetCurrent(), genTime); + } + memmove(cssmTime, genTime, GENERAL_TIME_STRLEN - 1); // don't copy the Z + cssmTime[CSSM_TIME_STRLEN] = '\0'; + } + + if (crlUrl.Data && cssmTime) { + crtn = ocspdCRLFetchToCache(crlUrl, (CSSM_TIMESTRING)cssmTime); + } + + result = cssmReturnToOSStatus(crtn); + + if (crlDP) { CFRelease(crlDP); } + if (cssmTime) { free(cssmTime); } + if (genTime) { free(genTime); } + return result; +} + +/* + * MARK: async_ocspd methods + */ +static void async_ocspd_complete(async_ocspd_t *ocspd) { + if (ocspd->completed) { + ocspd->completed(ocspd); + } +} + +/* Return true, iff we didn't schedule any work, return false if we did. 
*/ +bool SecTrustLegacyCRLFetch(async_ocspd_t *ocspd, + CFURLRef currCRLDP, CFAbsoluteTime verifyTime, + SecCertificateRef cert, CFArrayRef chain) { + dispatch_async(ocspd->queue, ^ { + OSStatus status = fetchCRL(currCRLDP, verifyTime); + switch (status) { + case errSecSuccess: + ocspd->response= SecTrustLegacyCRLStatus(cert, chain, currCRLDP); + break; + default: + ocspd->response = status; + break; + } + async_ocspd_complete(ocspd); + if (chain) { CFRelease(chain); } + }); + + return false; /* false -> something was scheduled. */ +} diff --git a/OSX/libsecurity_keychain/lib/SecTrustPriv.h b/OSX/libsecurity_keychain/lib/SecTrustPriv.h index 0a2b017b..437d847c 100644 --- a/OSX/libsecurity_keychain/lib/SecTrustPriv.h +++ b/OSX/libsecurity_keychain/lib/SecTrustPriv.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003-2012,2014-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2003-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
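Review bot: In fetchCRL, when the `cssmTime` malloc succeeds but the `genTime` malloc fails, the `if (cssmTime && genTime)` block is skipped yet the later guard `if (crlUrl.Data && cssmTime)` still passes, so an uninitialized buffer is handed to ocspdCRLFetchToCache as the verification time. Both strings have fixed, known lengths, so stack buffers remove the allocation-failure path and the two frees entirely (rewrite below, which also bounds the copy by CSSM_TIME_STRLEN, the size of the destination). Separately, serializedPathToPemSequences returns the partially filled `result` when impExpPemEncodeExportRep fails instead of releasing it and returning NULL, and the forward declaration `OSStatus SecTrustLegacyCRLFetch(CFURLRef currCRLDP, CFAbsoluteTime verifyTime);` does not match the definition at the end of the file (it only compiles because, as C++, it becomes an unused overload). The file also defines GENERALIZED_TIME_STRLEN but the code uses GENERAL_TIME_STRLEN, which presumably comes from one of the ocspd headers; one of the two should go.
```cpp
static OSStatus fetchCRL(CFURLRef currCRLDP, CFAbsoluteTime verifyTime) {
    // … unchanged: result/crtn/crlDP declarations, currCRLDP check, crlUrl setup …

    /* determine verification time; both strings have fixed lengths, so no heap allocation */
    char genTime[GENERAL_TIME_STRLEN + 1] = { 0 };
    char cssmTime[CSSM_TIME_STRLEN + 1] = { 0 };
    cfAbsTimeToGgenTime((verifyTime != 0.0) ? verifyTime : CFAbsoluteTimeGetCurrent(), genTime);
    memmove(cssmTime, genTime, CSSM_TIME_STRLEN); // don't copy the Z; bounded by the destination size
    cssmTime[CSSM_TIME_STRLEN] = '\0';

    if (crlUrl.Data) {
        crtn = ocspdCRLFetchToCache(crlUrl, (CSSM_TIMESTRING)cssmTime);
    }

    result = cssmReturnToOSStatus(crtn);
    if (crlDP) { CFRelease(crlDP); }
    return result;
}
```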
@@ -23,30 +23,317 @@ /*! @header SecTrustPriv - Private part of SecTrust.h -*/ + The functions and data types in SecTrustPriv implement trust computation + and allow the user to apply trust decisions to the trust configuration. + */ -#ifndef _SECURITY_SECTRUST_PRIV_H_ -#define _SECURITY_SECTRUST_PRIV_H_ +#ifndef _SECURITY_SECTRUSTPRIV_H_ +#define _SECURITY_SECTRUSTPRIV_H_ #include <Security/SecTrust.h> #include <CoreFoundation/CFString.h> +#include <CoreFoundation/CFData.h> #include <CoreFoundation/CFDictionary.h> +__BEGIN_DECLS + +CF_ASSUME_NONNULL_BEGIN +CF_IMPLICIT_BRIDGING_ENABLED + +/* Constants used as keys in property lists. See + SecTrustCopySummaryPropertiesAtIndex for more information. */ +extern const CFStringRef kSecPropertyKeyType; +extern const CFStringRef kSecPropertyKeyLabel; +extern const CFStringRef kSecPropertyKeyLocalizedLabel; +extern const CFStringRef kSecPropertyKeyValue; + +extern const CFStringRef kSecPropertyTypeWarning; +extern const CFStringRef kSecPropertyTypeSuccess; +extern const CFStringRef kSecPropertyTypeSection; +extern const CFStringRef kSecPropertyTypeData; +extern const CFStringRef kSecPropertyTypeString; +extern const CFStringRef kSecPropertyTypeURL; +extern const CFStringRef kSecPropertyTypeDate; + +/* Constants used as keys in the dictionary returned by SecTrustCopyInfo. */ +extern const CFStringRef kSecTrustInfoExtendedValidationKey; +extern const CFStringRef kSecTrustInfoCompanyNameKey; +extern const CFStringRef kSecTrustInfoRevocationKey; +extern const CFStringRef kSecTrustInfoRevocationValidUntilKey; +extern const CFStringRef kSecTrustInfoCertificateTransparencyKey; +extern const CFStringRef kSecTrustInfoCertificateTransparencyWhiteListKey; -#if defined(__cplusplus) -extern "C" { -#endif +/*! + @enum Trust Result Constants + @discussion Predefined key constants used to obtain values in a + dictionary of trust evaluation results for a certificate chain, + as retrieved from a call to SecTrustCopyResult. 
+ + @constant kSecTrustResultDetails + This key will be present if a trust evaluation has been performed. + Its value is a CFArrayRef of CFDictionaryRef representing detailed + status info for each certificate in the completed chain. + @constant kSecTrustRevocationReason + This key will be present iff this chain had its revocation checked, + and a "revoked" response was received. The value of this key will + be a CFNumberRef indicating the reason for revocation. The possible + reason code values are described in RFC 5280, section 5.3.1. + */ +extern const CFStringRef kSecTrustResultDetails; +/*__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_9_0);*/ +extern const CFStringRef kSecTrustRevocationReason; +/*__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);*/ + +/*! + @function SecTrustCopySummaryPropertiesAtIndex + @abstract Return a property array for the certificate. + @param trust A reference to the trust object to evaluate. + @param ix The index of the requested certificate. Indices run from 0 + (leaf) to the anchor (or last certificate found if no anchor was found). + @result A property array. It is the caller's responsibility to CFRelease + the returned array when it is no longer needed. This function returns a + short summary description of the certificate in question. The property + at index 0 of the array might also include general information about the + entire chain's validity in the context of this trust evaluation. + + @discussion Returns a property array for this trust certificate. A property + array is an array of CFDictionaryRefs. Each dictionary (we call it a + property for short) has the following keys: + + kSecPropertyKeyType This key's value determines how this property + should be displayed. Its associated value is one of the + following: + kSecPropertyTypeWarning + The kSecPropertyKeyLocalizedLabel and kSecPropertyKeyLabel keys are not + set. The kSecPropertyKeyValue is a CFStringRef which should + be displayed in yellow with a warning triangle. 
+ kSecPropertyTypeError + The kSecPropertyKeyLocalizedLabel and kSecPropertyKeyLabel keys are not + set. The kSecPropertyKeyValue is a CFStringRef which should + be displayed in red with an error X. + kSecPropertyTypeSuccess + The kSecPropertyKeyLocalizedLabel and kSecPropertyKeyLabel keys are not + set. The kSecPropertyKeyValue is a CFStringRef which should + be displayed in green with a checkmark in front of it. + kSecPropertyTypeTitle + The kSecPropertyKeyLocalizedLabel and kSecPropertyKeyLabel keys are not + set. The kSecPropertyKeyValue is a CFStringRef which should + be displayed in a larger bold font. + kSecPropertyTypeSection + The optional kSecPropertyKeyLocalizedLabel is a CFStringRef with the name + of the next section to display. The value of the + kSecPropertyKeyValue key is a CFArrayRef which is a property + array as defined here. + kSecPropertyTypeData + The optional kSecPropertyKeyLocalizedLabel is a CFStringRef containing + the localized label for the value for the kSecPropertyKeyValue. + The type of this value is a CFDataRef. Its contents should be + displayed as: "bytes length_of_data : hexdump_of_data". Ideally + the UI will only show one line of hex dump data and have a + disclosure arrow to see the remainder. + kSecPropertyTypeString + The optional kSecPropertyKeyLocalizedLabel is a CFStringRef containing + the localized label for the value for the kSecPropertyKeyValue. + The type of this value is a CFStringRef. It's contents should be + displayed in the normal font. + kSecPropertyTypeURL + The optional kSecPropertyKeyLocalizedLabel is a CFStringRef containing + the localized label for the value for the kSecPropertyKeyValue. + The type of this value is a CFURLRef. It's contents should be + displayed as a hyperlink. + kSecPropertyTypeDate + The optional kSecPropertyKeyLocalizedLabel is a CFStringRef containing + the localized label for the value for the kSecPropertyKeyValue. + The type of this value is a CFDateRef. 
It's contents should be + displayed in human readable form (probably in the current + timezone). + kSecPropertyKeyLocalizedLabel + Human readable localized label for a given property. + kSecPropertyKeyValue + See description of kSecPropertyKeyType to determine what the value + for this key is. + kSecPropertyKeyLabel + Non localized key (label) for this value. This is only + present for properties with fixed label names. + @param certificate A reference to the certificate to evaluate. + @result A property array. It is the caller's responsability to CFRelease + the returned array when it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +CFArrayRef SecTrustCopySummaryPropertiesAtIndex(SecTrustRef trust, CFIndex ix); + +/*! + @function SecTrustCopyDetailedPropertiesAtIndex + @abstract Return a property array for the certificate. + @param trust A reference to the trust object to evaluate. + @param ix The index of the requested certificate. Indices run from 0 + (leaf) to the anchor (or last certificate found if no anchor was found). + @result A property array. It is the caller's responsibility to CFRelease + the returned array when it is no longer needed. + See SecTrustCopySummaryPropertiesAtIndex on how to intepret this array. + Unlike that function call this function returns a detailed description + of the certificate in question. + */ +__nullable CF_RETURNS_RETAINED +CFArrayRef SecTrustCopyDetailedPropertiesAtIndex(SecTrustRef trust, CFIndex ix); + +/*! + @function SecTrustCopyInfo + @abstract Return a dictionary with additional information about the + evaluated certificate chain for use by clients. + @param trust A reference to an evaluated trust object. + @discussion Returns a dictionary for this trust evaluation. This + dictionary may have the following keys: + + kSecTrustInfoExtendedValidationKey this key will be present and have + a value of kCFBooleanTrue if this chain was validated for EV. 
+ kSecTrustInfoCompanyNameKey Company name field of subject of leaf + certificate, this field is meant to be displayed to the user + if the kSecTrustInfoExtendedValidationKey is present. + kSecTrustInfoRevocationKey this key will be present iff this chain + had its revocation checked. The value will be a kCFBooleanTrue + if revocation checking was successful and none of the + certificates in the chain were revoked. + The value will be kCFBooleanFalse if no current revocation status + could be obtained for one or more certificates in the chain due + to connection problems or timeouts etc. This is a hint to a + client to retry revocation checking at a later time. + kSecTrustInfoRevocationValidUntilKey this key will be present iff + kSecTrustInfoRevocationKey has a value of kCFBooleanTrue. + The value will be a CFDateRef representing the earliest date at + which the revocation info for one of the certificates in this chain + might change. + + @result A dictionary with various fields that can be displayed to the user, + or NULL if no additional info is available or the trust has not yet been + validated. The caller is responsible for calling CFRelease on the value + returned when it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +CFDictionaryRef SecTrustCopyInfo(SecTrustRef trust); + +/* For debugging purposes. */ +__nullable CF_RETURNS_RETAINED +CFArrayRef SecTrustGetDetails(SecTrustRef trust); + +/* For debugging purposes. */ +__nullable CF_RETURNS_RETAINED +CFStringRef SecTrustCopyFailureDescription(SecTrustRef trust); + +OSStatus SecTrustGetOTAPKIAssetVersionNumber(int* versionNumber); + +OSStatus SecTrustOTAPKIGetUpdatedAsset(int* didUpdateAsset); + +/*! + @function SecTrustSignedCertificateTimestampList + @abstract Attach SignedCertificateTimestampList data to a trust object. + @param trust A reference to a trust object. + @param sctArray is a CFArray of CFData objects each containing a SCT (per RFC 6962). + @result A result code. 
See "Security Error Codes" (SecBase.h). + @discussion Allows the caller to provide SCT data (which may be + obtained during a TLS/SSL handshake, per RFC 6962) as input to a trust + evaluation. + */ +OSStatus SecTrustSetSignedCertificateTimestamps(SecTrustRef trust, CFArrayRef sctArray); + +/*! + @function SecTrustSetTrustedLogs + @abstract Sets the trusted CT logs for a given trust. + @param trust A reference to a trust object. + @param trustedLogs An array of trusted logs. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion trustedLog is a CFArray of CFData containing the DER-encode SubjectPublicKeyInfo + of the trusted CT logs. + */ +OSStatus SecTrustSetTrustedLogs(SecTrustRef trust, CFArrayRef trustedLogs); + +/* Keychain searches are allowed by default. Use this to turn off seaching of + -keychain search list (i.e. login.keychain, system.keychain) + -Local Items/iCloud Keychain + -user- and admin-trusted roots + -network-fetched issuers + User must provide all necessary certificates in the input certificates and/or anchors. */ +OSStatus SecTrustSetKeychainsAllowed(SecTrustRef trust, Boolean allowed) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/* Get the keychain search policy for the trust object. */ +OSStatus SecTrustGetKeychainsAllowed(SecTrustRef trust, Boolean * __nonnull allowed) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/*! + @function SecTrustEvaluateLeafOnly + @abstract Evaluates the leaf of the trust reference synchronously. + @param trust A reference to the trust object to evaluate. + @param result A pointer to a result type. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function will only evaluate the trust of the leaf certificate. 
+ No chain will be built and only those aspects of the SecPolicyRef that address + the expected contents of the leaf will be checked. This function does not honor + any set exceptions or usage constraints. + */ +OSStatus SecTrustEvaluateLeafOnly(SecTrustRef trust, SecTrustResultType * __nonnull result) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/*! + @function SecTrustSerialize + @abstract Creates a serialized version of the trust object + @param trust A reference to the trust object to serialize. + @param error A pointer to an error. + @result The serialized trust object. + @discussion This function is intended to be used to share SecTrustRefs between + processes. Saving the results to disk or sending them over network channels + may cause unexpected behavior. + */ +__nullable CF_RETURNS_RETAINED +CFDataRef SecTrustSerialize(SecTrustRef trust, CFErrorRef *error) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/*! + @function SecTrustDeserialize + @abstract Creates a trust object from the serialized data + @param serialiedTrust A reference to the serialized trust object + @param error A pointer to an error. + @result A trust object + @discussion This function is intended to be used to share SecTrustRefs between + processes. Saving the results to disk or sending them over network channels + may cause unexpected behavior. + */ +__nullable CF_RETURNS_RETAINED +SecTrustRef SecTrustDeserialize(CFDataRef serializedTrust, CFErrorRef *error) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/*! + @function SecTrustGetTrustExceptionsArray + @abstract Return the exceptions array current set in the trust object + @param trust A reference to the trust object + @result The array of exceptions. 
+ @discussion This function returns an array of exceptions that was previously set + using SecTrustSetExceptions, unlike SecTrustCopyExceptions which returns the + exceptions which could be set using SecTrustSetExceptions. + */ +__nullable CFArrayRef SecTrustGetTrustExceptionsArray(SecTrustRef trust) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +CF_IMPLICIT_BRIDGING_DISABLED +CF_ASSUME_NONNULL_END + +/* + * Legacy functions (OS X only) + */ +#if TARGET_OS_MAC && !TARGET_OS_IPHONE + +CF_ASSUME_NONNULL_BEGIN +CF_IMPLICIT_BRIDGING_ENABLED /* unique keychain item attributes for user trust records. -*/ + */ enum { kSecTrustCertAttr = 'tcrt', kSecTrustPolicyAttr = 'tpol', - /* Leopard and later */ - kSecTrustPubKeyAttr = 'tpbk', - kSecTrustSignatureAttr = 'tsig' + /* Leopard and later */ + kSecTrustPubKeyAttr = 'tpbk', + kSecTrustSignatureAttr = 'tsig' }; /*! @@ -57,9 +344,9 @@ enum { @param trustSetting On return, a pointer to the user specified trust settings. @result A result code. See "Security Error Codes" (SecBase.h). @availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5. -*/ -OSStatus SecTrustGetUserTrust(SecCertificateRef certificate, SecPolicyRef policy, SecTrustUserSetting *trustSetting) - /*DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER*/; + */ +OSStatus SecTrustGetUserTrust(SecCertificateRef __nullable certificate, SecPolicyRef __nullable policy, SecTrustUserSetting * __nullable trustSetting) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_4, __MAC_10_5, __IPHONE_NA, __IPHONE_NA); /*! @function SecTrustSetUserTrust 
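Review bot: The doc block above SecTrustSetSignedCertificateTimestamps is tagged `@function SecTrustSignedCertificateTimestampList`, which is not the declared name, and the SecTrustCopySummaryPropertiesAtIndex block carries a stray `@param certificate A reference to the certificate to evaluate.` and a second `@result` that do not match its (trust, ix) signature; both should be dropped. Also in this hunk: "responsability", "intepret", "seaching", "DER-encode" (DER-encoded) and `@param serialiedTrust` on SecTrustDeserialize, whose parameter is `serializedTrust`. SecTrustGetDetails is annotated CF_RETURNS_RETAINED despite its Get prefix; if the caller really must release the result, either the name or the annotation should change, since the Get/Copy naming convention is what CF callers rely on for ownership.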
@@ -70,10 +357,10 @@ OSStatus SecTrustGetUserTrust(SecCertificateRef certificate, SecPolicyRef policy @result A result code. See "Security Error Codes" (SecBase.h). @availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5. @discussion as of Mac OS version 10.5, this will result in a call to - SecTrustSettingsSetTrustSettings(). -*/ -OSStatus SecTrustSetUserTrust(SecCertificateRef certificate, SecPolicyRef policy, SecTrustUserSetting trustSetting) - /*DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER*/; + SecTrustSettingsSetTrustSettings(). + */ +OSStatus SecTrustSetUserTrust(SecCertificateRef __nullable certificate, SecPolicyRef __nullable policy, SecTrustUserSetting trustSetting) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_4, __MAC_10_5, __IPHONE_NA, __IPHONE_NA); /*! @function SecTrustSetUserTrustLegacy @@ -84,10 +371,11 @@ OSStatus SecTrustSetUserTrust(SecCertificateRef certificate, SecPolicyRef policy @result A result code. See "Security Error Codes" (SecBase.h). @This is the private version of what used to be SecTrustSetUserTrust(); it operates - on UserTrust entries as that function used to. The current SecTrustSetUserTrust() - function operated on Trust Settings. -*/ -OSStatus SecTrustSetUserTrustLegacy(SecCertificateRef certificate, SecPolicyRef policy, SecTrustUserSetting trustSetting); + on UserTrust entries as that function used to. The current SecTrustSetUserTrust() + function operated on Trust Settings. + */ +OSStatus SecTrustSetUserTrustLegacy(SecCertificateRef __nullable certificate, SecPolicyRef __nullable policy, SecTrustUserSetting trustSetting) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_5, __MAC_10_12, __IPHONE_NA, __IPHONE_NA); /*! @function SecTrustGetCSSMAnchorCertificates 
@@ -96,9 +384,9 @@ OSStatus SecTrustSetUserTrustLegacy(SecCertificateRef certificate, SecPolicyRef @param cssmAnchorCount A pointer to the number of certificates in anchors. @result A result code. See "Security Error Codes" (SecBase.h). @availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5. -*/ -OSStatus SecTrustGetCSSMAnchorCertificates(const CSSM_DATA **cssmAnchors, uint32 *cssmAnchorCount) - /*DEPRECATED_IN_MAC_OS_X_VERSION_10_5_AND_LATER*/; + */ +OSStatus SecTrustGetCSSMAnchorCertificates(const CSSM_DATA * __nullable * __nullable cssmAnchors, uint32 *cssmAnchorCount) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_4, __MAC_10_5, __IPHONE_NA, __IPHONE_NA); /*! @function SecTrustCopyExtendedResult 
@@ -114,31 +402,9 @@ OSStatus SecTrustGetCSSMAnchorCertificates(const CSSM_DATA **cssmAnchors, uint32 Note: this function will be deprecated in a future release of OS X. Your code should use SecTrustCopyResult to obtain the trust results dictionary. -*/ -OSStatus SecTrustCopyExtendedResult(SecTrustRef trust, CFDictionaryRef *result) - __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA); - - -/*! - @enum Trust Result Constants - @discussion Predefined key constants used to obtain values in a - dictionary of trust evaluation results for a certificate chain, - as retrieved from a call to SecTrustCopyResult. - - @constant kSecTrustResultDetails - This key will be present if a trust evaluation has been performed. - Its value is a CFArrayRef of CFDictionaryRef representing detailed - status info for each certificate in the completed chain. - @constant kSecTrustRevocationReason - This key will be present iff this chain had its revocation checked, - and a "revoked" response was received. The value of this key will - be a CFNumberRef indicating the reason for revocation. The possible - reason code values are described in RFC 5280, section 5.3.1. */ -extern const CFStringRef kSecTrustResultDetails; - /*__OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_NA);*/ -extern const CFStringRef kSecTrustRevocationReason; - /*__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);*/ +OSStatus SecTrustCopyExtendedResult(SecTrustRef trust, CFDictionaryRef * __nonnull CF_RETURNS_RETAINED result) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_5, __MAC_10_12, __IPHONE_NA, __IPHONE_NA); /* * Preference-related strings for Revocation policies. 
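Review bot: The discussion text kept as context above SecTrustCopyExtendedResult still says "this function will be deprecated in a future release of OS X", while the new availability annotation in this hunk deprecates it as of __MAC_10_12, so the comment now contradicts the declaration it documents. I'd change the sentence to `Note: this function is deprecated as of OS X 10.12. Your code should use SecTrustCopyResult to obtain the trust results dictionary.` The removed kSecTrustResultDetails/kSecTrustRevocationReason declarations are history, but a reader of this private header would benefit from one line saying where those keys are now declared; I cannot see the public header from here to confirm the location. The @discussion block for this function begins before the hunk.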
@@ -148,34 +414,37 @@ extern const CFStringRef kSecTrustRevocationReason; * Preference domain, i.e., the name of a plist in ~/Library/Preferences or in * /Library/Preferences */ -#define kSecRevocationDomain "com.apple.security.revocation" +#define kSecRevocationDomain "com.apple.security.revocation" /* OCSP and CRL style keys, followed by values used for both of them */ -#define kSecRevocationOcspStyle CFSTR("OCSPStyle") -#define kSecRevocationCrlStyle CFSTR("CRLStyle") - #define kSecRevocationOff CFSTR("None") - #define kSecRevocationBestAttempt CFSTR("BestAttempt") - #define kSecRevocationRequireIfPresent CFSTR("RequireIfPresent") - #define kSecRevocationRequireForAll CFSTR("RequireForAll") +#define kSecRevocationOcspStyle CFSTR("OCSPStyle") +#define kSecRevocationCrlStyle CFSTR("CRLStyle") +#define kSecRevocationOff CFSTR("None") +#define kSecRevocationBestAttempt CFSTR("BestAttempt") +#define kSecRevocationRequireIfPresent CFSTR("RequireIfPresent") +#define kSecRevocationRequireForAll CFSTR("RequireForAll") /* Which first if both enabled? 
*/ -#define kSecRevocationWhichFirst CFSTR("RevocationFirst") - #define kSecRevocationOcspFirst CFSTR("OCSP") - #define kSecRevocationCrlFirst CFSTR("CRL") +#define kSecRevocationWhichFirst CFSTR("RevocationFirst") +#define kSecRevocationOcspFirst CFSTR("OCSP") +#define kSecRevocationCrlFirst CFSTR("CRL") /* boolean: A "this policy is sufficient per cert" for each */ -#define kSecRevocationOCSPSufficientPerCert CFSTR("OCSPSufficientPerCert") -#define kSecRevocationCRLSufficientPerCert CFSTR("CRLSufficientPerCert") +#define kSecRevocationOCSPSufficientPerCert CFSTR("OCSPSufficientPerCert") +#define kSecRevocationCRLSufficientPerCert CFSTR("CRLSufficientPerCert") /* local OCSP responder URI, value arbitrary string value */ -#define kSecOCSPLocalResponder CFSTR("OCSPLocalResponder") +#define kSecOCSPLocalResponder CFSTR("OCSPLocalResponder") /* Extended trust result keys (now in public API) */ -#define kSecEVOrganizationName kSecTrustOrganizationName -#define kSecTrustExpirationDate kSecTrustRevocationValidUntilDate +#define kSecEVOrganizationName kSecTrustOrganizationName +#define kSecTrustExpirationDate kSecTrustRevocationValidUntilDate + +CF_IMPLICIT_BRIDGING_DISABLED +CF_ASSUME_NONNULL_END + +#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ -#if defined(__cplusplus) -} -#endif +__END_DECLS -#endif /* !_SECURITY_SECTRUST_PRIV_H_ */ +#endif /* !_SECURITY_SECTRUSTPRIV_H_ */ diff --git a/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp b/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp index 5e292c98..aa0c5ab1 100644 --- a/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp +++ b/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005,2011-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2005,2011-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -54,9 +54,8 @@ #include <vector> #include <CommonCrypto/CommonDigest.h> #include <CoreFoundation/CFPreferences.h> -#include <CoreServices/CoreServicesPriv.h> /* for _CSCheckFix */ -#define trustSettingsDbg(args...) secdebug("trustSettings", ## args) +#define trustSettingsDbg(args...) secinfo("trustSettings", ## args) /* * Ideally we'd like to implement our own lock to protect the state of the cert stores @@ -390,9 +389,9 @@ static OSStatus tsCopyCertsCommon( &kCFTypeArrayCallBacks)); /* - * Search all keychains - user's, System.keychain, system root store, - * system intermdiates as appropriate - */ + * Search all keychains - user's keychain list, System.keychain, + * and system root store + */ StorageManager::KeychainList keychains; Keychain adminKc; if(user) { @@ -404,8 +403,6 @@ static OSStatus tsCopyCertsCommon( } Keychain sysRootKc = globals().storageManager.make(SYSTEM_ROOT_STORE_PATH, false); keychains.push_back(sysRootKc); - Keychain sysCertKc = globals().storageManager.make(SYSTEM_CERT_STORE_PATH, false); - keychains.push_back(sysCertKc); assert(kSecTrustSettingsDomainUser == 0); for(unsigned domain=0; domain<TRUST_SETTINGS_NUM_DOMAINS; domain++) { 
@@ -432,68 +429,34 @@ static OSStatus tsCopyCertsCommon( return errSecSuccess; } -#if TARGET_OS_MAC && !TARGET_IPHONE_SIMULATOR && !TARGET_OS_IPHONE && !TARGET_OS_NANO -/* - * _CSCheckFix is implemented in CarbonCore and exported via CoreServices. - * To avoid a circular dependency with Security, load this symbol dynamically. - */ -typedef Boolean (*CSCheckFix_f)(CFStringRef str); - -static dispatch_once_t sTSInitializeOnce = 0; -static void * sCSCheckFixLibrary = NULL; -static CSCheckFix_f sCSCheckFix_f = NULL; - -static OSStatus _tsEnsuredInitialized(void); - -static OSStatus _tsEnsuredInitialized(void) -{ - __block OSStatus status = errSecNotAvailable; - - dispatch_once(&sTSInitializeOnce, ^{ - sCSCheckFixLibrary = dlopen("/System/Library/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Versions/A/CarbonCore", RTLD_LAZY | RTLD_LOCAL); - assert(sCSCheckFixLibrary); - if (sCSCheckFixLibrary) { - sCSCheckFix_f = (CSCheckFix_f)(uintptr_t) dlsym(sCSCheckFixLibrary, "_CSCheckFix"); - } - }); - - if (sCSCheckFix_f) { - status = noErr; - } - return status; -} -#endif - static void tsAddConditionalCerts(CFMutableArrayRef certArray) { #if TARGET_OS_MAC && !TARGET_IPHONE_SIMULATOR && !TARGET_OS_IPHONE && !TARGET_OS_NANO struct certmap_entry_s { + CFStringRef bundleId; const UInt8* data; const CFIndex length; }; typedef struct certmap_entry_s certmap_entry_t; - if (!certArray) { return; } - - OSStatus status = _tsEnsuredInitialized(); - if (status == 0 && sCSCheckFix_f(CFSTR("21946795"))) { - // conditionally include these 1024-bit roots - const certmap_entry_t certmap[] = { - { _EquifaxSecureCA, sizeof(_EquifaxSecureCA) }, - { _GTECyberTrustGlobalRootCA, sizeof(_GTECyberTrustGlobalRootCA) }, - { _ThawtePremiumServerCA, sizeof(_ThawtePremiumServerCA) }, - { _ThawteServerCA, sizeof(_ThawteServerCA) }, - { _VeriSignClass3CA, sizeof(_VeriSignClass3CA) }, - }; - unsigned int i, certmaplen = sizeof(certmap) / sizeof(certmap_entry_t); - for (i=0; i<certmaplen; 
i++) { - SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, - certmap[i].data, certmap[i].length); - if (cert) { - CFArrayAppendValue(certArray, cert); - CFRelease(cert); - cert = NULL; - } + CFBundleRef bundle = CFBundleGetMainBundle(); + CFStringRef bundleIdentifier = (bundle) ? CFBundleGetIdentifier(bundle) : NULL; + if (!bundleIdentifier || !certArray) { return; } + + // conditionally include 1024-bit compatibility roots for specific apps + const certmap_entry_t certmap[] = { + { CFSTR("com.autodesk.AdSSO"), _GTECyberTrustGlobalRootCA, sizeof(_GTECyberTrustGlobalRootCA) }, // rdar://25916338 + { CFSTR("com.clo3d.MD5"), _ThawtePremiumServerCA, sizeof(_ThawtePremiumServerCA) }, // rdar://26281864 + }; + + unsigned int i, certmaplen = sizeof(certmap) / sizeof(certmap_entry_t); + for (i=0; i<certmaplen; i++) { + if (CFStringCompare(bundleIdentifier, certmap[i].bundleId, 0) == kCFCompareEqualTo) { + SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, certmap[i].data, certmap[i].length); + if (!cert) { continue; } + CFArrayAppendValue(certArray, cert); + CFRelease(cert); + cert = NULL; } } #else @@ -670,11 +633,13 @@ OSStatus SecTrustSettingsCopyUnrestrictedRoots( { BEGIN_RCSAPI - return tsCopyCertsCommon(NULL, NULL, NULL, /* no constraints */ + OSStatus status = tsCopyCertsCommon(NULL, NULL, NULL, /* no constraints */ true, /* onlyRoots */ user, admin, system, certArray); + return status; + END_RCSAPI } @@ -888,12 +853,10 @@ OSStatus SecTrustSettingsCopyCertificates( CFMutableArrayRef outArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); /* - * Keychains to search: user's search list, System.keychain, system root store, - * system intermediates, as appropriate + * Keychains to search: user's search list, System.keychain, system root store */ StorageManager::KeychainList keychains; Keychain adminKc; - Keychain sysCertKc; Keychain sysRootKc; switch(domain) { case kSecTrustSettingsDomainUser: 
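Review bot: The new gate in tsAddConditionalCerts keys on CFBundleGetIdentifier of the main bundle, which is the self-declared Info.plist value rather than a code-signing identity, so the certmap table must be read as a compatibility shim and not as a trust boundary; a comment making that explicit would stop a later maintainer from extending it as if it were an allowlist, e.g. `// Bundle id is self-reported (Info.plist), not verified. These roots are only returned from SecTrustSettingsCopyCertificates and are not trusted by the system; see SecTrustSettingsCertificates.h.` The updated header comment in SecTrustSettingsCertificates.h (hunk @@ -24,177 +24,18 @@ in this same diff) says the affected applications are those "whose bundle identifiers appear in AppWorkaround.plist", but this code compiles the identifiers into certmap and never reads a plist, so one of the two needs correcting. The #else branch and the end of tsAddConditionalCerts lie outside the hunk.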
@@ -904,9 +867,6 @@ OSStatus SecTrustSettingsCopyCertificates( /* admin certs in system keychain */ adminKc = globals().storageManager.make(ADMIN_CERT_STORE_PATH, false); keychains.push_back(adminKc); - /* system-wide intermediate certs */ - sysCertKc = globals().storageManager.make(SYSTEM_CERT_STORE_PATH, false); - keychains.push_back(sysCertKc); /* drop thru to next case */ case kSecTrustSettingsDomainSystem: /* and, for all cases, immutable system root store */ 
@@ -921,11 +881,79 @@ OSStatus SecTrustSettingsCopyCertificates( CFRelease(outArray); return errSecNoTrustSettings; } - tsAddConditionalCerts(outArray); + if (kSecTrustSettingsDomainSystem == domain) { + tsAddConditionalCerts(outArray); + } *certArray = outArray; END_RCSAPI } +static CFArrayRef gUserAdminCerts = NULL; +static ReadWriteLock gUserAdminCertsLock; + +void SecTrustSettingsPurgeUserAdminCertsCache(void) { + StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Write); + if (gUserAdminCerts) { + CFRelease(gUserAdminCerts); + gUserAdminCerts = NULL; + } +} + +OSStatus SecTrustSettingsCopyCertificatesForUserAdminDomains( + CFArrayRef *certArray) +{ + TS_REQUIRED(certArray); + OSStatus result = errSecSuccess; + + { /* Only hold the lock for the check */ + StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Read); + if (gUserAdminCerts) { + *certArray = (CFArrayRef)CFRetain(gUserAdminCerts); + return errSecSuccess; + } + } + + CFMutableArrayRef outArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + if (!outArray) { + return errSecAllocate; + } + + CFArrayRef userTrusted = NULL, adminTrusted = NULL; + OSStatus userStatus = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainUser, &userTrusted); + if ((userStatus == errSecSuccess) && (userTrusted != NULL)) { + CFArrayAppendArray(outArray, userTrusted, CFRangeMake(0, CFArrayGetCount(userTrusted))); + CFRelease(userTrusted); + } + + OSStatus adminStatus = SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainAdmin, &adminTrusted); + if ((adminStatus == errSecSuccess) && (adminTrusted != NULL)) { + CFArrayAppendArray(outArray, adminTrusted, CFRangeMake(0, CFArrayGetCount(adminTrusted))); + CFRelease(adminTrusted); + } + + /* Lack of trust settings for a domain results in an error. Only fail + * if we weren't able to get trust settings for both domains. 
*/ + if (userStatus != errSecSuccess && adminStatus != errSecSuccess) { + result = userStatus; + } + + if (result != errSecSuccess && outArray) { + CFRelease(outArray); + outArray = NULL; + } + + *certArray = outArray; + + if (certArray && *certArray) { + StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Write); + if (!gUserAdminCerts) { + gUserAdminCerts = (CFArrayRef)CFRetain(*certArray); + } + } + + return result; +} + /* * Obtain an external, portable representation of the specified * domain's TrustSettings. Caller must CFRelease the returned data. diff --git a/OSX/libsecurity_keychain/lib/SecTrustSettings.h b/OSX/libsecurity_keychain/lib/SecTrustSettings.h index 323a82bf..6e0740c2 100644 --- a/OSX/libsecurity_keychain/lib/SecTrustSettings.h +++ b/OSX/libsecurity_keychain/lib/SecTrustSettings.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006,2011,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2006,2011,2014-2015 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -230,7 +230,7 @@ typedef CF_ENUM(uint32, SecTrustSettingsDomain) { * SecTrustSettingsResult for that default Trust Setting (if not * kSecTrustSettingsResultUnspecified) will apply. * - * This can be used e.g. by a system administrator to explicilty distrust all + * This can be used e.g. by a system administrator to explicitly distrust all * of the root certs in the (immutable) system domain for a specific policy. * * This const is passed as the 'SecCertificateRef certRef' argument to diff --git a/OSX/libsecurity_keychain/lib/SecTrustSettingsCertificates.h b/OSX/libsecurity_keychain/lib/SecTrustSettingsCertificates.h index f4814eae..4205afce 100644 --- a/OSX/libsecurity_keychain/lib/SecTrustSettingsCertificates.h +++ b/OSX/libsecurity_keychain/lib/SecTrustSettingsCertificates.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
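Review bot: SecTrustSettingsCopyCertificatesForUserAdminDomains caches the combined array whenever at least one domain succeeded, so if the other domain fails with any status other than errSecSuccess or errSecNoTrustSettings, a partial certificate list is stored in gUserAdminCerts and handed to every later caller as complete until SecTrustSettingsPurgeUserAdminCertsCache is invoked. I'd only populate the cache when the result is known to be complete, e.g. `bool complete = (userStatus == errSecSuccess || userStatus == errSecNoTrustSettings) && (adminStatus == errSecSuccess || adminStatus == errSecNoTrustSettings);` and `if (complete && *certArray) {` around the write-locked store. No other invalidation of the cache is visible in this hunk, so it is worth confirming that the code paths that set or remove user and admin trust settings (outside this hunk) call the purge; otherwise a cert whose trust was removed keeps being returned to long-running processes. The `certArray &&` in the final condition is redundant after TS_REQUIRED(certArray) at the top of the function. The start of SecTrustSettingsCopyCertificates is outside the hunk.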
@@ -24,177 +24,18 @@ /* * SecTrustSettingsCertificates.h * - * Contains some CA certificates which may be included in results - * returned by SecTrustSettingsCopyCertificates as a workaround for - * issues in client applications when the original self-signed root is + * Contains some legacy CA certificates which may be included in results + * returned by the SecTrustSettingsCopyCertificates API as a workaround for + * issues in client applications when the original self-signed root CA is * no longer present, e.g. when providing anchor certificates to OpenSSL code. - * Note that these CAs are not generally trusted by the system, they are just - * returned from the SecTrustSettingsCopyCertificates function. + * Note that these CAs are not generally trusted by the system, and they are + * only returned from the SecTrustSettingsCopyCertificates function for certain + * applications whose bundle identifiers appear in AppWorkaround.plist. */ #ifndef _SEC_TRUST_SETTINGS_CERTIFICATES_H_ #define _SEC_TRUST_SETTINGS_CERTIFICATES_H_ -#if 0 -/* SHA1 Fingerprint=4D:34:EA:92:76:4B:3A:31:49:11:99:52:F4:19:30:CA:11:34:83:61 */ -/* subject:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root */ -/* issuer :/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root */ -/* 2048-bit RSA */ -unsigned char _BaltimoreCyberTrustCSICA[1049]={ -0x30,0x82,0x04,0x15,0x30,0x82,0x03,0x7E,0xA0,0x03,0x02,0x01,0x02,0x02,0x04,0x07, -0x27,0x8E,0xED,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, -0x05,0x00,0x30,0x75,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55, -0x53,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,0x0A,0x13,0x0F,0x47,0x54,0x45,0x20, -0x43,0x6F,0x72,0x70,0x6F,0x72,0x61,0x74,0x69,0x6F,0x6E,0x31,0x27,0x30,0x25,0x06, -0x03,0x55,0x04,0x0B,0x13,0x1E,0x47,0x54,0x45,0x20,0x43,0x79,0x62,0x65,0x72,0x54, -0x72,0x75,0x73,0x74,0x20,0x53,0x6F,0x6C,0x75,0x74,0x69,0x6F,0x6E,0x73,0x2C,0x20, 
-0x49,0x6E,0x63,0x2E,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x03,0x13,0x1A,0x47, -0x54,0x45,0x20,0x43,0x79,0x62,0x65,0x72,0x54,0x72,0x75,0x73,0x74,0x20,0x47,0x6C, -0x6F,0x62,0x61,0x6C,0x20,0x52,0x6F,0x6F,0x74,0x30,0x1E,0x17,0x0D,0x31,0x32,0x30, -0x34,0x31,0x38,0x31,0x36,0x33,0x36,0x31,0x38,0x5A,0x17,0x0D,0x31,0x38,0x30,0x38, -0x31,0x33,0x31,0x36,0x33,0x35,0x31,0x37,0x5A,0x30,0x5A,0x31,0x0B,0x30,0x09,0x06, -0x03,0x55,0x04,0x06,0x13,0x02,0x49,0x45,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04, -0x0A,0x13,0x09,0x42,0x61,0x6C,0x74,0x69,0x6D,0x6F,0x72,0x65,0x31,0x13,0x30,0x11, -0x06,0x03,0x55,0x04,0x0B,0x13,0x0A,0x43,0x79,0x62,0x65,0x72,0x54,0x72,0x75,0x73, -0x74,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03,0x13,0x19,0x42,0x61,0x6C,0x74, -0x69,0x6D,0x6F,0x72,0x65,0x20,0x43,0x79,0x62,0x65,0x72,0x54,0x72,0x75,0x73,0x74, -0x20,0x52,0x6F,0x6F,0x74,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, -0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01, -0x0A,0x02,0x82,0x01,0x01,0x00,0xA3,0x04,0xBB,0x22,0xAB,0x98,0x3D,0x57,0xE8,0x26, -0x72,0x9A,0xB5,0x79,0xD4,0x29,0xE2,0xE1,0xE8,0x95,0x80,0xB1,0xB0,0xE3,0x5B,0x8E, -0x2B,0x29,0x9A,0x64,0xDF,0xA1,0x5D,0xED,0xB0,0x09,0x05,0x6D,0xDB,0x28,0x2E,0xCE, -0x62,0xA2,0x62,0xFE,0xB4,0x88,0xDA,0x12,0xEB,0x38,0xEB,0x21,0x9D,0xC0,0x41,0x2B, -0x01,0x52,0x7B,0x88,0x77,0xD3,0x1C,0x8F,0xC7,0xBA,0xB9,0x88,0xB5,0x6A,0x09,0xE7, -0x73,0xE8,0x11,0x40,0xA7,0xD1,0xCC,0xCA,0x62,0x8D,0x2D,0xE5,0x8F,0x0B,0xA6,0x50, -0xD2,0xA8,0x50,0xC3,0x28,0xEA,0xF5,0xAB,0x25,0x87,0x8A,0x9A,0x96,0x1C,0xA9,0x67, -0xB8,0x3F,0x0C,0xD5,0xF7,0xF9,0x52,0x13,0x2F,0xC2,0x1B,0xD5,0x70,0x70,0xF0,0x8F, -0xC0,0x12,0xCA,0x06,0xCB,0x9A,0xE1,0xD9,0xCA,0x33,0x7A,0x77,0xD6,0xF8,0xEC,0xB9, -0xF1,0x68,0x44,0x42,0x48,0x13,0xD2,0xC0,0xC2,0xA4,0xAE,0x5E,0x60,0xFE,0xB6,0xA6, -0x05,0xFC,0xB4,0xDD,0x07,0x59,0x02,0xD4,0x59,0x18,0x98,0x63,0xF5,0xA5,0x63,0xE0, -0x90,0x0C,0x7D,0x5D,0xB2,0x06,0x7A,0xF3,0x85,0xEA,0xEB,0xD4,0x03,0xAE,0x5E,0x84, 
-0x3E,0x5F,0xFF,0x15,0xED,0x69,0xBC,0xF9,0x39,0x36,0x72,0x75,0xCF,0x77,0x52,0x4D, -0xF3,0xC9,0x90,0x2C,0xB9,0x3D,0xE5,0xC9,0x23,0x53,0x3F,0x1F,0x24,0x98,0x21,0x5C, -0x07,0x99,0x29,0xBD,0xC6,0x3A,0xEC,0xE7,0x6E,0x86,0x3A,0x6B,0x97,0x74,0x63,0x33, -0xBD,0x68,0x18,0x31,0xF0,0x78,0x8D,0x76,0xBF,0xFC,0x9E,0x8E,0x5D,0x2A,0x86,0xA7, -0x4D,0x90,0xDC,0x27,0x1A,0x39,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0x47,0x30, -0x82,0x01,0x43,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30, -0x06,0x01,0x01,0xFF,0x02,0x01,0x03,0x30,0x4A,0x06,0x03,0x55,0x1D,0x20,0x04,0x43, -0x30,0x41,0x30,0x3F,0x06,0x04,0x55,0x1D,0x20,0x00,0x30,0x37,0x30,0x35,0x06,0x08, -0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x29,0x68,0x74,0x74,0x70,0x3A,0x2F, -0x2F,0x63,0x79,0x62,0x65,0x72,0x74,0x72,0x75,0x73,0x74,0x2E,0x6F,0x6D,0x6E,0x69, -0x72,0x6F,0x6F,0x74,0x2E,0x63,0x6F,0x6D,0x2F,0x72,0x65,0x70,0x6F,0x73,0x69,0x74, -0x6F,0x72,0x79,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03, -0x02,0x01,0x06,0x30,0x81,0x89,0x06,0x03,0x55,0x1D,0x23,0x04,0x81,0x81,0x30,0x7F, -0xA1,0x79,0xA4,0x77,0x30,0x75,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, -0x02,0x55,0x53,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,0x0A,0x13,0x0F,0x47,0x54, -0x45,0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61,0x74,0x69,0x6F,0x6E,0x31,0x27,0x30, -0x25,0x06,0x03,0x55,0x04,0x0B,0x13,0x1E,0x47,0x54,0x45,0x20,0x43,0x79,0x62,0x65, -0x72,0x54,0x72,0x75,0x73,0x74,0x20,0x53,0x6F,0x6C,0x75,0x74,0x69,0x6F,0x6E,0x73, -0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x03,0x13, -0x1A,0x47,0x54,0x45,0x20,0x43,0x79,0x62,0x65,0x72,0x54,0x72,0x75,0x73,0x74,0x20, -0x47,0x6C,0x6F,0x62,0x61,0x6C,0x20,0x52,0x6F,0x6F,0x74,0x82,0x02,0x01,0xA5,0x30, -0x45,0x06,0x03,0x55,0x1D,0x1F,0x04,0x3E,0x30,0x3C,0x30,0x3A,0xA0,0x38,0xA0,0x36, -0x86,0x34,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x70,0x75,0x62, -0x6C,0x69,0x63,0x2D,0x74,0x72,0x75,0x73,0x74,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x67, 
-0x69,0x2D,0x62,0x69,0x6E,0x2F,0x43,0x52,0x4C,0x2F,0x32,0x30,0x31,0x38,0x2F,0x63, -0x64,0x70,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, -0x01,0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0x93,0x1D,0xFE,0x8B,0xAE,0x46,0xEC, -0xCB,0xA9,0x0F,0xAB,0xE5,0xEF,0xCA,0xB2,0x68,0x16,0x68,0xD8,0x8F,0xFA,0x13,0xA9, -0xAF,0xB3,0xCB,0x2D,0xE7,0x4B,0x6E,0x8E,0x69,0x2A,0xC2,0x2B,0x10,0x0A,0x8D,0xF6, -0xAE,0x73,0xB6,0xB9,0xFB,0x14,0xFD,0x5F,0x6D,0xB8,0x50,0xB6,0xC4,0x8A,0xD6,0x40, -0x7E,0xD7,0xC3,0xCB,0x73,0xDC,0xC9,0x5D,0x5B,0xAF,0xB0,0x41,0xB5,0x37,0xEB,0xEA, -0xDC,0x20,0x91,0xC4,0x34,0x6A,0xF4,0xA1,0xF3,0x96,0x9D,0x37,0x86,0x97,0xE1,0x71, -0xA4,0xDD,0x7D,0xFA,0x44,0x84,0x94,0xAE,0xD7,0x09,0x04,0x22,0x76,0x0F,0x64,0x51, -0x35,0xA9,0x24,0x0F,0xF9,0x0B,0xDB,0x32,0xDA,0xC2,0xFE,0xC1,0xB9,0x2A,0x5C,0x7A, -0x27,0x13,0xCA,0xB1,0x48,0x3A,0x71,0xD0,0x43, -}; - -/* SHA1 Fingerprint=32:F3:08:82:62:2B:87:CF:88:56:C6:3D:B8:73:DF:08:53:B4:DD:27 */ -/* subject:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. 
- For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 */ -/* issuer :/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority */ -/* 2048-bit RSA */ -unsigned char _VeriSignG5CSICA[1236]={ -0x30,0x82,0x04,0xD0,0x30,0x82,0x04,0x39,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x25, -0x0C,0xE8,0xE0,0x30,0x61,0x2E,0x9F,0x2B,0x89,0xF7,0x05,0x4D,0x7C,0xF8,0xFD,0x30, -0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x5F, -0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x17,0x30, -0x15,0x06,0x03,0x55,0x04,0x0A,0x13,0x0E,0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6E, -0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x37,0x30,0x35,0x06,0x03,0x55,0x04,0x0B,0x13, -0x2E,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x20, -0x50,0x72,0x69,0x6D,0x61,0x72,0x79,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63, -0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30, -0x1E,0x17,0x0D,0x30,0x36,0x31,0x31,0x30,0x38,0x30,0x30,0x30,0x30,0x30,0x30,0x5A, -0x17,0x0D,0x32,0x31,0x31,0x31,0x30,0x37,0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30, -0x81,0xCA,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31, -0x17,0x30,0x15,0x06,0x03,0x55,0x04,0x0A,0x13,0x0E,0x56,0x65,0x72,0x69,0x53,0x69, -0x67,0x6E,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55,0x04, -0x0B,0x13,0x16,0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x54,0x72,0x75,0x73, -0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x3A,0x30,0x38,0x06,0x03,0x55, -0x04,0x0B,0x13,0x31,0x28,0x63,0x29,0x20,0x32,0x30,0x30,0x36,0x20,0x56,0x65,0x72, -0x69,0x53,0x69,0x67,0x6E,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x20,0x2D,0x20,0x46,0x6F, -0x72,0x20,0x61,0x75,0x74,0x68,0x6F,0x72,0x69,0x7A,0x65,0x64,0x20,0x75,0x73,0x65, -0x20,0x6F,0x6E,0x6C,0x79,0x31,0x45,0x30,0x43,0x06,0x03,0x55,0x04,0x03,0x13,0x3C, -0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6E,0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33, 
-0x20,0x50,0x75,0x62,0x6C,0x69,0x63,0x20,0x50,0x72,0x69,0x6D,0x61,0x72,0x79,0x20, -0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75, -0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20,0x47,0x35,0x30,0x82,0x01,0x22, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, -0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xAF,0x24,0x08, -0x08,0x29,0x7A,0x35,0x9E,0x60,0x0C,0xAA,0xE7,0x4B,0x3B,0x4E,0xDC,0x7C,0xBC,0x3C, -0x45,0x1C,0xBB,0x2B,0xE0,0xFE,0x29,0x02,0xF9,0x57,0x08,0xA3,0x64,0x85,0x15,0x27, -0xF5,0xF1,0xAD,0xC8,0x31,0x89,0x5D,0x22,0xE8,0x2A,0xAA,0xA6,0x42,0xB3,0x8F,0xF8, -0xB9,0x55,0xB7,0xB1,0xB7,0x4B,0xB3,0xFE,0x8F,0x7E,0x07,0x57,0xEC,0xEF,0x43,0xDB, -0x66,0x62,0x15,0x61,0xCF,0x60,0x0D,0xA4,0xD8,0xDE,0xF8,0xE0,0xC3,0x62,0x08,0x3D, -0x54,0x13,0xEB,0x49,0xCA,0x59,0x54,0x85,0x26,0xE5,0x2B,0x8F,0x1B,0x9F,0xEB,0xF5, -0xA1,0x91,0xC2,0x33,0x49,0xD8,0x43,0x63,0x6A,0x52,0x4B,0xD2,0x8F,0xE8,0x70,0x51, -0x4D,0xD1,0x89,0x69,0x7B,0xC7,0x70,0xF6,0xB3,0xDC,0x12,0x74,0xDB,0x7B,0x5D,0x4B, -0x56,0xD3,0x96,0xBF,0x15,0x77,0xA1,0xB0,0xF4,0xA2,0x25,0xF2,0xAF,0x1C,0x92,0x67, -0x18,0xE5,0xF4,0x06,0x04,0xEF,0x90,0xB9,0xE4,0x00,0xE4,0xDD,0x3A,0xB5,0x19,0xFF, -0x02,0xBA,0xF4,0x3C,0xEE,0xE0,0x8B,0xEB,0x37,0x8B,0xEC,0xF4,0xD7,0xAC,0xF2,0xF6, -0xF0,0x3D,0xAF,0xDD,0x75,0x91,0x33,0x19,0x1D,0x1C,0x40,0xCB,0x74,0x24,0x19,0x21, -0x93,0xD9,0x14,0xFE,0xAC,0x2A,0x52,0xC7,0x8F,0xD5,0x04,0x49,0xE4,0x8D,0x63,0x47, -0x88,0x3C,0x69,0x83,0xCB,0xFE,0x47,0xBD,0x2B,0x7E,0x4F,0xC5,0x95,0xAE,0x0E,0x9D, -0xD4,0xD1,0x43,0xC0,0x67,0x73,0xE3,0x14,0x08,0x7E,0xE5,0x3F,0x9F,0x73,0xB8,0x33, -0x0A,0xCF,0x5D,0x3F,0x34,0x87,0x96,0x8A,0xEE,0x53,0xE8,0x25,0x15,0x02,0x03,0x01, -0x00,0x01,0xA3,0x82,0x01,0x9B,0x30,0x82,0x01,0x97,0x30,0x0F,0x06,0x03,0x55,0x1D, -0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x31,0x06,0x03,0x55, -0x1D,0x1F,0x04,0x2A,0x30,0x28,0x30,0x26,0xA0,0x24,0xA0,0x22,0x86,0x20,0x68,0x74, 
-0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x76,0x65,0x72,0x69,0x73,0x69,0x67, -0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x70,0x63,0x61,0x33,0x2E,0x63,0x72,0x6C,0x30,0x0E, -0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x3D, -0x06,0x03,0x55,0x1D,0x20,0x04,0x36,0x30,0x34,0x30,0x32,0x06,0x04,0x55,0x1D,0x20, -0x00,0x30,0x2A,0x30,0x28,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16, -0x1C,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x76,0x65,0x72, -0x69,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x70,0x73,0x30,0x1D,0x06, -0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x7F,0xD3,0x65,0xA7,0xC2,0xDD,0xEC,0xBB, -0xF0,0x30,0x09,0xF3,0x43,0x39,0xFA,0x02,0xAF,0x33,0x31,0x33,0x30,0x6D,0x06,0x08, -0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0C,0x04,0x61,0x30,0x5F,0xA1,0x5D,0xA0,0x5B, -0x30,0x59,0x30,0x57,0x30,0x55,0x16,0x09,0x69,0x6D,0x61,0x67,0x65,0x2F,0x67,0x69, -0x66,0x30,0x21,0x30,0x1F,0x30,0x07,0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A,0x04,0x14, -0x8F,0xE5,0xD3,0x1A,0x86,0xAC,0x8D,0x8E,0x6B,0xC3,0xCF,0x80,0x6A,0xD4,0x48,0x18, -0x2C,0x7B,0x19,0x2E,0x30,0x25,0x16,0x23,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6C, -0x6F,0x67,0x6F,0x2E,0x76,0x65,0x72,0x69,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F,0x6D, -0x2F,0x76,0x73,0x6C,0x6F,0x67,0x6F,0x2E,0x67,0x69,0x66,0x30,0x34,0x06,0x08,0x2B, -0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x28,0x30,0x26,0x30,0x24,0x06,0x08,0x2B, -0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x18,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, -0x6F,0x63,0x73,0x70,0x2E,0x76,0x65,0x72,0x69,0x73,0x69,0x67,0x6E,0x2E,0x63,0x6F, -0x6D,0x30,0x3E,0x06,0x03,0x55,0x1D,0x25,0x04,0x37,0x30,0x35,0x06,0x08,0x2B,0x06, -0x01,0x05,0x05,0x07,0x03,0x01,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02, -0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,0x06,0x09,0x60,0x86,0x48,0x01, -0x86,0xF8,0x42,0x04,0x01,0x06,0x0A,0x60,0x86,0x48,0x01,0x86,0xF8,0x45,0x01,0x08, -0x01,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00, 
-0x03,0x81,0x81,0x00,0x13,0x02,0xDD,0xF8,0xE8,0x86,0x00,0xF2,0x5A,0xF8,0xF8,0x20, -0x0C,0x59,0x88,0x62,0x07,0xCE,0xCE,0xF7,0x4E,0xF9,0xBB,0x59,0xA1,0x98,0xE5,0xE1, -0x38,0xDD,0x4E,0xBC,0x66,0x18,0xD3,0xAD,0xEB,0x18,0xF2,0x0D,0xC9,0x6D,0x3E,0x4A, -0x94,0x20,0xC3,0x3C,0xBA,0xBD,0x65,0x54,0xC6,0xAF,0x44,0xB3,0x10,0xAD,0x2C,0x6B, -0x3E,0xAB,0xD7,0x07,0xB6,0xB8,0x81,0x63,0xC5,0xF9,0x5E,0x2E,0xE5,0x2A,0x67,0xCE, -0xCD,0x33,0x0C,0x2A,0xD7,0x89,0x56,0x03,0x23,0x1F,0xB3,0xBE,0xE8,0x3A,0x08,0x59, -0xB4,0xEC,0x45,0x35,0xF7,0x8A,0x5B,0xFF,0x66,0xCF,0x50,0xAF,0xC6,0x6D,0x57,0x8D, -0x19,0x78,0xB7,0xB9,0xA2,0xD1,0x57,0xEA,0x1F,0x9A,0x4B,0xAF,0xBA,0xC9,0x8E,0x12, -0x7E,0xC6,0xBD,0xFF, -}; -#endif - /* SHA1 Fingerprint=D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A */ /* subject:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority */ /* issuer :/C=US/O=Equifax/OU=Equifax Secure Certificate Authority */ diff --git a/OSX/libsecurity_keychain/lib/SecTrustSettingsPriv.h b/OSX/libsecurity_keychain/lib/SecTrustSettingsPriv.h index af8a1aec..b663df1e 100644 --- a/OSX/libsecurity_keychain/lib/SecTrustSettingsPriv.h +++ b/OSX/libsecurity_keychain/lib/SecTrustSettingsPriv.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006,2011,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2006,2011,2014-2015 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -38,6 +38,11 @@ extern "C" { #endif +/* + * A private key in the Usage Contraints dictionary. + */ +#define kSecTrustSettingsPolicyName CFSTR("kSecTrustSettingsPolicyName") + /* * Fundamental routine used by TP to ascertain status of one cert. * @@ -89,7 +94,7 @@ OSStatus SecTrustSettingsCopyQualifiedCerts( uint32 policyStringLen, SecTrustSettingsKeyUsage keyUsage, /* optional */ CFArrayRef *certArray); /* RETURNED */ - + /* * Obtain unrestricted root certificates from the specified domain(s). * Only returns root certificates with no usage constraints. 
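Review bot: The comment added for kSecTrustSettingsPolicyName in SecTrustSettingsPriv.h misspells "Constraints" and does not say what the value stored under this key is, which is the one thing a reader of a private key constant needs. Since only the CFSTR definition is visible here, I'd write `/* Private key in a Usage Constraints dictionary. Value: the policy name — TODO confirm the value type (CFStringRef?) against the code that writes this key. */` and resolve the TODO before merge. The extern "C" block this definition sits in opens before the hunk.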
@@ -135,6 +140,18 @@ OSStatus SecTrustSettingsSetTrustSettingsExternal( CFTypeRef trustSettingsDictOrArray, /* optional */ CFDataRef *settingsOut); /* RETURNED */ +/* + * Purge the cache of User and Admin Certs + */ +void SecTrustSettingsPurgeUserAdminCertsCache(void); + +/* + * A wrapper around SecTrustSettingsCopyCertificates that combines user and admin + * domain outputs. + */ +OSStatus SecTrustSettingsCopyCertificatesForUserAdminDomains( + CFArrayRef CF_RETURNS_RETAINED *certArray); + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_keychain/lib/StorageManager.cpp b/OSX/libsecurity_keychain/lib/StorageManager.cpp index 55176915..74041838 100644 --- a/OSX/libsecurity_keychain/lib/StorageManager.cpp +++ b/OSX/libsecurity_keychain/lib/StorageManager.cpp @@ -40,11 +40,8 @@ #include <algorithm> #include <string> #include <stdio.h> -//#include <Security/AuthorizationTags.h> -//#include <Security/AuthSession.h> #include <security_utilities/debugging.h> #include <security_keychain/SecCFTypes.h> -//#include <Security/SecurityAgentClient.h> #include <securityd_client/ssclient.h> #include <Security/AuthorizationTags.h> #include <Security/AuthorizationTagsPriv.h> @@ -53,6 +50,8 @@ #include "TrustSettingsSchema.h" #include <security_cdsa_client/wrapkey.h> #include <securityd_client/ssblob.h> +#include <SecBasePriv.h> +#include "TokenLogin.h" //%%% add this to AuthorizationTagsPriv.h later #ifndef AGENT_HINT_LOGIN_KC_SUPPRESS_RESET_PANEL @@ -76,7 +75,7 @@ static SecPreferencesDomain defaultPreferenceDomain() { SessionAttributeBits sessionAttrs; if (gServerMode) { - secdebug("servermode", "StorageManager initialized in server mode"); + secnotice("servermode", "StorageManager initialized in server mode"); sessionAttrs = sessionIsRoot; } else { MacOSError::check(SessionGetInfo(callerSecuritySession, NULL, &sessionAttrs)); 
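Review bot: The header comment for SecTrustSettingsCopyCertificatesForUserAdminDomains omits the contract its implementation in SecTrustSettings.cpp establishes: the combined array is cached process-wide after the first successful call and served from that cache until SecTrustSettingsPurgeUserAdminCertsCache is called, and missing trust settings in only one of the two domains is not an error. Callers deciding when to purge need that stated, so I'd extend the comment with `The result is cached for the lifetime of the process; call SecTrustSettingsPurgeUserAdminCertsCache after trust settings change to invalidate it. Fails only if neither domain yields trust settings.` The purge comment could likewise note that it is harmless to call when the cache is empty.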
@@ -87,7 +86,7 @@ static SecPreferencesDomain defaultPreferenceDomain() // that has graphics access. Ignore that to help testing.) if ((sessionAttrs & sessionIsRoot) IFDEBUG( && !(sessionAttrs & sessionHasGraphicAccess))) { - secdebug("storagemgr", "using system preferences"); + secnotice("storagemgr", "using system preferences"); return kSecPreferencesDomainSystem; } @@ -154,28 +153,39 @@ StorageManager::keychain(const DLDbIdentifier &dLDbIdentifier) if (!dLDbIdentifier) return Keychain(); - KeychainMap::iterator it = mKeychains.find(dLDbIdentifier); - if (it != mKeychains.end()) + DLDbIdentifier dldbi = mungeDLDbIdentifier(dLDbIdentifier, false); + + KeychainMap::iterator it = mKeychainMap.find(dldbi); + if (it != mKeychainMap.end()) { return it->second; } + // If we have a keychain object for the un/demunged keychain, return that. + // We might be in the middle of an upgrade... + DLDbIdentifier demunge_dldbi = demungeDLDbIdentifier(dLDbIdentifier); + it = mKeychainMap.find(demunge_dldbi); + if (it != mKeychainMap.end()) { + secnotice("integrity", "returning unmunged keychain ref"); + return it->second; + } + if (gServerMode) { - secdebug("servermode", "keychain reference in server mode"); + secnotice("servermode", "keychain reference in server mode"); return Keychain(); } // The keychain is not in our cache. Create it. - Db db(makeDb(dLDbIdentifier)); + Db db(makeDb(dldbi)); Keychain keychain(db); // Add the keychain to the cache. - mKeychains.insert(KeychainMap::value_type(dLDbIdentifier, &*keychain)); - keychain->inCache(true); + registerKeychain(keychain); return keychain; } +// Note: this must be a munged DLDbidentifier. CssmClient::Db StorageManager::makeDb(DLDbIdentifier dLDbIdentifier) { Module module(dLDbIdentifier.ssuid().guid()); 
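Review bot: `keychain()` now calls `mungeDLDbIdentifier` on every lookup, and that helper `stat()`s both the requested path and the `-db` path, so each cache hit costs two filesystem calls and the result can change between calls as files appear; a one-line comment at the call site saying this is deliberate would stop someone "optimizing" it away. The fallback that returns the entry cached under the demunged identifier hands back a different file than the caller asked for, so the `secnotice("integrity", "returning unmunged keychain ref")` should name both identifiers, e.g. `secnotice("integrity", "returning unmunged keychain ref for %s", dLDbIdentifier.dbName() ? dLDbIdentifier.dbName() : "<NULL>");`. `registerKeychain(keychain)` takes `mKeychainMapMutex` itself; this function's own locking is outside the hunk, so if it already holds that mutex the code relies on it being recursive (the comment deleted from `removeKeychain` called it recursive), which is worth a note at the call.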
@@ -194,38 +204,131 @@ StorageManager::makeDb(DLDbIdentifier dLDbIdentifier) { return db; } +// StorageManager is responsible for silently switching to newer-style keychains. +// If the keychain requested is in ~/Library/Keychains/, and there is a +// newer keychain available (with extension ".keychain-db"), open that one +// instead of the one requested. +// +// Because of backwards compatibility reasons, we can't update the plist +// files on disk to point to the upgraded keychains. We will be asked to +// load "/Users/account/Library/Keychains/login.keychain", hence this +// modification to 'login.keychain-db'. +DLDbIdentifier +StorageManager::mungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier, bool isReset) { + if(!dLDbIdentifier.dbName()) { + // If this DLDbIdentifier doesn't have a filename, don't munge it + return dLDbIdentifier; + } + + string path = dLDbIdentifier.dbName(); + + bool shouldCreateProtected = globals().integrityProtection(); + + // If we don't have a DLDbIdentifier, we can't return one + if(dLDbIdentifier.mImpl == NULL) { + return DLDbIdentifier(); + } + + // Ensure we're in ~/Library/Keychains + if(pathInHomeLibraryKeychains(path)) { + string pathdb = makeKeychainDbFilename(path); + + struct stat st; + int stat_result; + stat_result = ::stat(path.c_str(), &st); + bool path_exists = (stat_result == 0); + + stat_result = ::stat(pathdb.c_str(), &st); + bool pathdb_exists = (stat_result == 0); + + // If protections are off, don't change the requested filename. + // If protictions are on and the -db file exists, always use it. + // + // If we're resetting, and we're creating a new-style keychain, use the -db path. + // If we're resetting, and we're creating an old-style keychain, use the original path. 
+ // + // Protection pathdb_exists path_exists resetting Result + // DISABLED X X X original + // ENABLED 1 X X -db + // ENABLED 0 0 X -db + // ENABLED 0 1 0 original + // ENABLED 0 1 1 -db + // + bool switchPaths = shouldCreateProtected && (pathdb_exists || (!pathdb_exists && !path_exists) || isReset); + + if(switchPaths) { + secnotice("integrity", "switching to keychain-db: %s from %s (%d %d %d %d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, pathdb_exists); + path = pathdb; + } else { + secnotice("integrity", "not switching: %s from %s (%d %d %d %d)", pathdb.c_str(), path.c_str(), isReset, shouldCreateProtected, path_exists, pathdb_exists); + } + } else { + secnotice("integrity", "not switching as we're not in ~/Library/Keychains/: %s (%d)", path.c_str(), isReset); + } + + DLDbIdentifier id(dLDbIdentifier.ssuid(), path.c_str(), dLDbIdentifier.dbLocation()); + return id; +} + +DLDbIdentifier +StorageManager::demungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier) { + if(dLDbIdentifier.dbName() == NULL) { + return dLDbIdentifier; + } + + string path = dLDbIdentifier.dbName(); + string dbSuffix = "-db"; + bool endsWithKeychainDb = (path.size() > dbSuffix.size() && (0 == path.compare(path.size() - dbSuffix.size(), dbSuffix.size(), dbSuffix))); + + // Ensure we're in ~/Library/Keychains, and that the path ends in "-db" + if(pathInHomeLibraryKeychains(path) && endsWithKeychainDb) { + // remove "-db" from the end. 
+ path.erase(path.end() - 3, path.end()); + } + + DLDbIdentifier id(dLDbIdentifier.ssuid(), path.c_str(), dLDbIdentifier.dbLocation()); + return id; +} + +string +StorageManager::makeKeychainDbFilename(const string& filename) { + string keychainDbSuffix = "-db"; + bool endsWithKeychainDb = (filename.size() > keychainDbSuffix.size() && (0 == filename.compare(filename.size() - keychainDbSuffix.size(), keychainDbSuffix.size(), keychainDbSuffix))); + + if(endsWithKeychainDb) { + return filename; + } else { + return filename + keychainDbSuffix; + } +} + +bool +StorageManager::pathInHomeLibraryKeychains(const string& path) { + return SecurityServer::CommonBlob::pathInHomeLibraryKeychains(path); +} + void StorageManager::reloadKeychain(Keychain keychain) { StLock<Mutex>_(mKeychainMapMutex); DLDbIdentifier dLDbIdentifier = keychain->database()->dlDbIdentifier(); - // Since we're going to reload this database and switch over the keychain's - // mDb, grab its mDb mutex - { - StLock<Mutex>__(keychain->mDbMutex); - - CssmClient::Db db(makeDb(dLDbIdentifier)); - keychain->mDb = db; - } + keychain->changeDatabase(makeDb(mungeDLDbIdentifier(dLDbIdentifier, false))); - // Since this new database is based on the exact same dLDbIdentifier, we - // don't need to update the mKeychains map. + // This keychain might have a different dldbidentifier now, depending on what + // other processes have been doing to the keychain files. Let's re-register it, just + // to be sure. + registerKeychain(keychain); } void StorageManager::removeKeychain(const DLDbIdentifier &dLDbIdentifier, KeychainImpl *keychainImpl) { - // Lock the recursive mutex - - StLock<Mutex>_(mKeychainMapMutex); - - KeychainMap::iterator it = mKeychains.find(dLDbIdentifier); - if (it != mKeychains.end() && (KeychainImpl*) it->second == keychainImpl) - mKeychains.erase(it); + StLock<Mutex>_(mKeychainMapMutex); - keychainImpl->inCache(false); + // Don't trust this dldbidentifier. Just look for the keychain and delete it. 
+ forceRemoveFromCache(keychainImpl); } void 
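Review bot: In `mungeDLDbIdentifier` the `dLDbIdentifier.mImpl == NULL` guard comes after `dLDbIdentifier.dbName()` has already been called twice and its result copied into `path`; whether `dbName()` tolerates a null impl is not visible here, but the guard is too late to matter, so move `if(dLDbIdentifier.mImpl == NULL) { return DLDbIdentifier(); }` to the top of the function. `demungeDLDbIdentifier` computes `dbSuffix.size()` for the ends-with test and then erases a hard-coded `3`; `path.erase(path.size() - dbSuffix.size());` keeps the two in step. The same ends-with test is duplicated in `makeKeychainDbFilename`; a single `static bool endsWithDbSuffix(const string&)` would serve both. `switchPaths` simplifies to `shouldCreateProtected && (pathdb_exists || !path_exists || isReset)`, which is exactly the table in the comment (and "protictions" in that comment should read "protections").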
@@ -235,20 +338,87 @@ StorageManager::didRemoveKeychain(const DLDbIdentifier &dLDbIdentifier) StLock<Mutex>_(mKeychainMapMutex); - KeychainMap::iterator it = mKeychains.find(dLDbIdentifier); - if (it != mKeychains.end()) + KeychainMap::iterator it = mKeychainMap.find(dLDbIdentifier); + if (it != mKeychainMap.end()) { - mKeychains.erase(it); + it->second->inCache(false); + mKeychainMap.erase(it); } } +// If the client does not keep references to keychains, they are destroyed on +// every API exit, and recreated on every API entrance. +// +// To improve performance, we'll cache keychains for some short period of time. +// We'll do this by CFRetaining the keychain object, and setting a timer to +// CFRelease it when time's up. This way, the client can still recover all its +// memory if it doesn't want the keychains around, but repeated API calls will +// be significantly faster. +// +void +StorageManager::tickleKeychain(KeychainImpl *keychainImpl) { + static dispatch_once_t onceToken = 0; + static dispatch_queue_t release_queue = NULL; + dispatch_once(&onceToken, ^{ + release_queue = dispatch_queue_create("com.apple.security.keychain-cache-queue", DISPATCH_QUEUE_SERIAL); + }); + + __block KeychainImpl* kcImpl = keychainImpl; + + if(!kcImpl) { + return; + } + + // We really only want to cache CSPDL file-based keychains + if(kcImpl->dlDbIdentifier().ssuid().guid() != gGuidAppleCSPDL) { + return; + } + + // Make a one-shot timer to release the keychain + uint32_t seconds = 1; + + const string path = kcImpl->name(); + bool isSystemKeychain = (0 == path.compare("/Library/Keychains/System.keychain")); + if(pathInHomeLibraryKeychains(path) || isSystemKeychain) { + // These keychains are important and likely aren't on removable media. + // Cache them longer. + seconds = 5; + } + + __block CFTypeRef kcHandle = kcImpl->handle(); // calls retain; this keychain object will stay around until our dispatch block fires. 
+ + dispatch_async(release_queue, ^() { + if(kcImpl->mCacheTimer) { + // Update the cache timer to be seconds from now + dispatch_source_set_timer(kcImpl->mCacheTimer, dispatch_time(DISPATCH_TIME_NOW, seconds * NSEC_PER_SEC), DISPATCH_TIME_FOREVER, NSEC_PER_SEC/2); + + // We've added an extra retain to this keychain right before invoking this block. Release it. + CFRelease(kcHandle); + + } else { + // No cache timer; make one. + kcImpl->mCacheTimer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, release_queue); + dispatch_source_set_timer(kcImpl->mCacheTimer, dispatch_time(DISPATCH_TIME_NOW, seconds * NSEC_PER_SEC), DISPATCH_TIME_FOREVER, NSEC_PER_SEC/2); + + dispatch_source_set_event_handler(kcImpl->mCacheTimer, ^{ + dispatch_source_cancel(kcImpl->mCacheTimer); + dispatch_release(kcImpl->mCacheTimer); + kcImpl->mCacheTimer = NULL; + CFRelease(kcHandle); + }); + + dispatch_resume(kcImpl->mCacheTimer); + } + }); +} + // Create keychain if it doesn't exist, and optionally add it to the search list. Keychain -StorageManager::makeKeychain(const DLDbIdentifier &dLDbIdentifier, bool add) +StorageManager::makeKeychain(const DLDbIdentifier &dLDbIdentifier, bool add, bool isReset) { StLock<Mutex>_(mKeychainMapMutex); - Keychain theKeychain = keychain(dLDbIdentifier); + Keychain theKeychain = keychain(mungeDLDbIdentifier(dLDbIdentifier, isReset)); bool post = false; bool updateList = (add && shouldAddToSearchList(dLDbIdentifier)); 
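Review bot: `kcImpl->mCacheTimer` is read and written only from blocks on the serial `release_queue`, which is what makes the create/update/cancel paths in `tickleKeychain` safe against each other, but nothing says so; add `// mCacheTimer is touched only on release_queue; never read or write it from elsewhere` above the `dispatch_async`. The event handler holds `kcHandle` until the timer fires, so a `KeychainImpl` torn down with a live `mCacheTimer` (not visible here) would leak the source and the retain; state where that is handled. `"/Library/Keychains/System.keychain"` is a magic path — if the project already has a constant for it, use that.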
@@ -256,12 +426,12 @@ StorageManager::makeKeychain(const DLDbIdentifier &dLDbIdentifier, bool add) { mSavedList.revert(false); DLDbList searchList = mSavedList.searchList(); - if (find(searchList.begin(), searchList.end(), dLDbIdentifier) != searchList.end()) + if (find(searchList.begin(), searchList.end(), demungeDLDbIdentifier(dLDbIdentifier)) != searchList.end()) return theKeychain; // theKeychain is already in the searchList. mCommonList.revert(false); searchList = mCommonList.searchList(); - if (find(searchList.begin(), searchList.end(), dLDbIdentifier) != searchList.end()) + if (find(searchList.begin(), searchList.end(), demungeDLDbIdentifier(dLDbIdentifier)) != searchList.end()) return theKeychain; // theKeychain is already in the commonList don't add it to the searchList. // If theKeychain doesn't exist don't bother adding it to the search list yet. @@ -271,7 +441,7 @@ StorageManager::makeKeychain(const DLDbIdentifier &dLDbIdentifier, bool add) // theKeychain exists and is not in our search list, so add it to the // search list. mSavedList.revert(true); - mSavedList.add(dLDbIdentifier); + mSavedList.add(demungeDLDbIdentifier(dLDbIdentifier)); mSavedList.save(); post = true; } @@ -303,12 +473,12 @@ StorageManager::created(const Keychain &keychain) // keychain the default. if (!mSavedList.defaultDLDbIdentifier()) { - mSavedList.defaultDLDbIdentifier(dLDbIdentifier); + mSavedList.defaultDLDbIdentifier(demungeDLDbIdentifier(dLDbIdentifier)); defaultChanged = true; } // Add the keychain to the search list prefs. - mSavedList.add(dLDbIdentifier); + mSavedList.add(demungeDLDbIdentifier(dLDbIdentifier)); mSavedList.save(); // Make sure we are not holding mLock when we post these events. 
@@ -390,7 +560,7 @@ StorageManager::defaultKeychain(const Keychain &keychain) { oldDefaultId = mSavedList.defaultDLDbIdentifier(); mSavedList.revert(true); - mSavedList.defaultDLDbIdentifier(newDefaultId); + mSavedList.defaultDLDbIdentifier(demungeDLDbIdentifier(newDefaultId)); mSavedList.save(); } @@ -462,7 +632,7 @@ StorageManager::loginKeychain(Keychain keychain) StLock<Mutex>_(mMutex); mSavedList.revert(true); - mSavedList.loginDLDbIdentifier(keychain->dlDbIdentifier()); + mSavedList.loginDLDbIdentifier(demungeDLDbIdentifier(keychain->dlDbIdentifier())); mSavedList.save(); } 
@@ -521,59 +691,34 @@ void StorageManager::rename(Keychain keychain, const char* newName) // Find the keychain object for the given ref DLDbIdentifier dLDbIdentifier = keychain->dlDbIdentifier(); - // Actually rename the database on disk. - keychain->database()->rename(newName); + if(!keychain->database()->isLocked()) { + // Bring our unlock state with us + DLDbIdentifier dldbi(dLDbIdentifier.ssuid(), newName, dLDbIdentifier.dbLocation()); + keychain->database()->transferTo(dldbi); + } else { + keychain->database()->rename(newName); + } - if (dLDbIdentifier == defaultId) + if (demungeDLDbIdentifier(dLDbIdentifier) == defaultId) changedDefault=true; newDLDbIdentifier = keychain->dlDbIdentifier(); // Rename the keychain in the search list. - mSavedList.rename(dLDbIdentifier, newDLDbIdentifier); + mSavedList.rename(demungeDLDbIdentifier(dLDbIdentifier), demungeDLDbIdentifier(newDLDbIdentifier)); // If this was the default keychain change it accordingly if (changedDefault) - mSavedList.defaultDLDbIdentifier(newDLDbIdentifier); + mSavedList.defaultDLDbIdentifier(demungeDLDbIdentifier(newDLDbIdentifier)); mSavedList.save(); - // we aren't worried about a weak reference here, because we have to - // hold a lock on an item in order to do the rename - - // Now update the Keychain cache - if (keychain->inCache()) - { - KeychainMap::iterator it = mKeychains.find(dLDbIdentifier); - if (it != mKeychains.end() && (KeychainImpl*) it->second == keychain.get()) - { - // Remove the keychain from the cache under its old - // dLDbIdentifier - mKeychains.erase(it); - } - } - - // If we renamed this keychain on top of an existing one we should - // drop the old one from the cache. - KeychainMap::iterator it = mKeychains.find(newDLDbIdentifier); - if (it != mKeychains.end()) - { - Keychain oldKeychain(it->second); - oldKeychain->inCache(false); - // @@@ Ideally we should invalidate or fault this keychain object. 
- } - - if (keychain->inCache()) - { - // If the keychain wasn't in the cache to being with let's not put - // it there now. There was probably a good reason it wasn't in it. - // If the keychain was in the cache, update it to use - // newDLDbIdentifier. - mKeychains.insert(KeychainMap::value_type(newDLDbIdentifier, - keychain)); - } - } + // If the keychain wasn't in the cache, don't touch the cache. + // Otherwise, update the cache to use its current identifier. + if(keychain->inCache()) { + registerKeychain(keychain); + } + } - // Make sure we are not holding mLock when we post these events. KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent); if (changedDefault) 
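Review bot: The deleted line `// Make sure we are not holding mLock when we post these events.` was the only explanation of why `KCEventNotifier::PostKeychainEvent` sits after the closing brace; without it the placement looks accidental and a later edit could move the post inside the locked scope. Restore that comment above the post. The `isLocked()` test and `transferTo(dldbi)` are separate operations on the database, so the lock state can change between them; whether that matters depends on `transferTo`, which is not visible, so a short comment on why this is acceptable would help. The enclosing `rename` body starts before this hunk.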
@@ -581,7 +726,63 @@ void StorageManager::rename(Keychain keychain, const char* newName) newDLDbIdentifier); } -void StorageManager::renameUnique(Keychain keychain, CFStringRef newName) +void StorageManager::registerKeychain(Keychain& kc) { + registerKeychainImpl(kc.get()); +} + +void StorageManager::registerKeychainImpl(KeychainImpl* kcimpl) { + if(!kcimpl) { + return; + } + + { + StLock<Mutex> _(mKeychainMapMutex); + + // First, iterate through the cache to see if this keychain is there. If so, remove it. + forceRemoveFromCache(kcimpl); + + // If we renamed this keychain on top of an existing one, let's drop the old one from the cache. + KeychainMap::iterator it = mKeychainMap.find(kcimpl->dlDbIdentifier()); + if (it != mKeychainMap.end()) + { + Keychain oldKeychain(it->second); + oldKeychain->inCache(false); + // @@@ Ideally we should invalidate or fault this keychain object. + } + + mKeychainMap.insert(KeychainMap::value_type(kcimpl->dlDbIdentifier(), kcimpl)); + kcimpl->inCache(true); + } // drop mKeychainMapMutex +} + +void StorageManager::forceRemoveFromCache(KeychainImpl* inKeychainImpl) { + try { + // Wrap all this in a try-block and ignore all errors - we're trying to clean up these maps + { + StLock<Mutex> _(mKeychainMapMutex); + for(KeychainMap::iterator it = mKeychainMap.begin(); it != mKeychainMap.end(); ) { + if(it->second == inKeychainImpl) { + // Increment the iterator, but use its pre-increment value for the erase + it->second->inCache(false); + mKeychainMap.erase(it++); + } else { + it++; + } + } + } // drop mKeychainMapMutex + } catch(UnixError ue) { + secnotice("storagemgr", "caught UnixError: %d %s", ue.unixError(), ue.what()); + } catch (CssmError cssme) { + const char* errStr = cssmErrorString(cssme.error); + secnotice("storagemgr", "caught CssmError: %d %s", (int) cssme.error, errStr); + } catch (MacOSError mose) { + secnotice("storagemgr", "MacOSError: %d", (int)mose.osStatus()); + } catch(...) 
{ + secnotice("storagemgr", "Unknown error"); + } +} + +void StorageManager::renameUnique(Keychain keychain, CFStringRef newName, bool appendDbSuffix) { StLock<Mutex>_(mMutex); @@ -599,7 +800,11 @@ void StorageManager::renameUnique(Keychain keychain, CFStringRef newName) if ( newNameCFStr ) { CFStringAppendFormat(newNameCFStr, NULL, CFSTR("%s%d"), newNameCString, index); - CFStringAppend(newNameCFStr, CFSTR(kKeychainSuffix)); // add .keychain + if(appendDbSuffix) { + CFStringAppend(newNameCFStr, CFSTR(kKeychainDbSuffix)); + } else { + CFStringAppend(newNameCFStr, CFSTR(kKeychainSuffix)); // add .keychain + } char toUseBuff2[MAXPATHLEN]; if ( CFStringGetCString(newNameCFStr, toUseBuff2, MAXPATHLEN, kCFStringEncodingUTF8) ) // make sure it fits in MAXPATHLEN, etc. { @@ -741,9 +946,10 @@ void StorageManager::remove(const KeychainList &kcsToRemove, bool deleteDb) DLDbIdentifier dLDbIdentifier = theKeychain->dlDbIdentifier(); // Remove it from the saved list - mSavedList.remove(dLDbIdentifier); - if (dLDbIdentifier == defaultId) + mSavedList.remove(demungeDLDbIdentifier(dLDbIdentifier)); + if (demungeDLDbIdentifier(dLDbIdentifier) == defaultId) { unsetDefault=true; + } if (deleteDb) { @@ -755,7 +961,7 @@ void StorageManager::remove(const KeychainList &kcsToRemove, bool deleteDb) } if (unsetDefault) - mSavedList.defaultDLDbIdentifier(DLDbIdentifier()); + mSavedList.defaultDLDbIdentifier(DLDbIdentifier()); mSavedList.save(); } 
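Review bot: In `registerKeychainImpl`, when `mKeychainMap` already holds an entry for `kcimpl->dlDbIdentifier()`, the old keychain is marked not-cached but stays in the map, and `std::map::insert` does not replace an existing key — so `kcimpl->inCache(true)` is set while the map still points the identifier at the old object. Erase before inserting: `it->second->inCache(false); mKeychainMap.erase(it);` (the old `rename` code had the same gap, but this is its new home). `forceRemoveFromCache` catches `UnixError`, `CssmError` and `MacOSError` by value; catch by reference (`catch (const UnixError &ue)`) to avoid copies and slicing. It also re-takes `mKeychainMapMutex` while `registerKeychainImpl` holds it, which relies on a recursive mutex and deserves a note at the call.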
@@ -833,30 +1039,32 @@ StorageManager::setSearchList(const KeychainList &keychainList) { StLock<Mutex>_(mMutex); - DLDbList commonList = mCommonList.searchList(); - - // Strip out the common list part from the end of the search list. - KeychainList::const_iterator it_end = keychainList.end(); - DLDbList::const_reverse_iterator end_common = commonList.rend(); - for (DLDbList::const_reverse_iterator it_common = commonList.rbegin(); it_common != end_common; ++it_common) + DLDbList searchList, oldSearchList(mSavedList.searchList()); + for (KeychainList::const_iterator it = keychainList.begin(); it != keychainList.end(); ++it) { - // Eliminate common entries from the end of the passed in keychainList. - if (it_end == keychainList.begin()) - break; + DLDbIdentifier dldbi = demungeDLDbIdentifier((*it)->dlDbIdentifier()); + + // If this keychain is not in the common or dynamic lists, add it to the new search list + DLDbList commonList = mCommonList.searchList(); + bool found = false; + for(DLDbList::const_iterator jt = commonList.begin(); jt != commonList.end(); ++jt) { + if((*jt) == dldbi) { + found = true; + } + } - --it_end; - if (!((*it_end)->dlDbIdentifier() == *it_common)) - { - ++it_end; - break; - } - } + DLDbList dynamicList = mDynamicList.searchList(); + for(DLDbList::const_iterator jt = dynamicList.begin(); jt != dynamicList.end(); ++jt) { + if((*jt) == dldbi) { + found = true; + } + } - /* it_end now points one past the last element in keychainList which is not in commonList. */ - DLDbList searchList, oldSearchList(mSavedList.searchList()); - for (KeychainList::const_iterator it = keychainList.begin(); it != it_end; ++it) - { - searchList.push_back((*it)->dlDbIdentifier()); + if(found) { + continue; + } + + searchList.push_back(dldbi); } { 
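Review bot: The inner loops refetch `mCommonList.searchList()` and `mDynamicList.searchList()` for every element of `keychainList` and keep scanning after a match; hoist both lists above the outer loop and use the `find` this file already uses in `makeKeychain`: `if (find(commonList.begin(), commonList.end(), dldbi) != commonList.end() || find(dynamicList.begin(), dynamicList.end(), dldbi) != dynamicList.end()) continue;`. This hunk also changes behavior: the old code stripped common entries only from the tail of the list, while the new code drops common or dynamic entries wherever they appear, and the dynamic list was not consulted before; if that is intended, say so in the comment above the loop.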
@@ -952,11 +1160,11 @@ StorageManager::domain(SecPreferencesDomain domain) switch (domain) { case kSecPreferencesDomainSystem: - secdebug("storagemgr", "switching to system domain"); break; + secnotice("storagemgr", "switching to system domain"); break; case kSecPreferencesDomainUser: - secdebug("storagemgr", "switching to user domain (uid %d)", getuid()); break; + secnotice("storagemgr", "switching to user domain (uid %d)", getuid()); break; default: - secdebug("storagemgr", "switching to weird prefs domain %d", domain); break; + secnotice("storagemgr", "switching to weird prefs domain %d", domain); break; } #endif @@ -1023,7 +1231,7 @@ void StorageManager::convertList(DLDbList &ids, const KeychainList &kcs) result.reserve(kcs.size()); for (KeychainList::const_iterator ix = kcs.begin(); ix != kcs.end(); ++ix) { - result.push_back((*ix)->dlDbIdentifier()); + result.push_back(demungeDLDbIdentifier((*ix)->dlDbIdentifier())); } ids.swap(result); } @@ -1043,7 +1251,7 @@ void StorageManager::convertList(KeychainList &kcs, const DLDbList &ids) #pragma mark ____ Login Functions ____ -void StorageManager::login(AuthorizationRef authRef, UInt32 nameLength, const char* name) +void StorageManager::login(AuthorizationRef authRef, UInt32 nameLength, const char* name, bool isReset) { StLock<Mutex>_(mMutex); @@ -1062,7 +1270,7 @@ void StorageManager::login(AuthorizationRef authRef, UInt32 nameLength, const ch // creates the login keychain with the specified password try { - login(nameLength, name, (UInt32)currItem->valueLength, currItem->value); + login(nameLength, name, (UInt32)currItem->valueLength, currItem->value, isReset); created = true; } catch(...) 
@@ -1087,15 +1295,15 @@ void StorageManager::login(ConstStringPtr name, ConstStringPtr password) if ( name == NULL || password == NULL ) MacOSError::throwMe(errSecParam); - login(name[0], name + 1, password[0], password + 1); + login(name[0], name + 1, password[0], password + 1, false); } void StorageManager::login(UInt32 nameLength, const void *name, - UInt32 passwordLength, const void *password) + UInt32 passwordLength, const void *password, bool isReset) { if (passwordLength != 0 && password == NULL) { - secdebug("KCLogin", "StorageManager::login: invalid argument (NULL password)"); + secnotice("KCLogin", "StorageManager::login: invalid argument (NULL password)"); MacOSError::throwMe(errSecParam); } @@ -1105,7 +1313,7 @@ void StorageManager::login(UInt32 nameLength, const void *name, loginDLDbIdentifier = mSavedList.loginDLDbIdentifier(); } - secdebug("KCLogin", "StorageManager::login: loginDLDbIdentifier is %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>"); + secnotice("KCLogin", "StorageManager::login: loginDLDbIdentifier is %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>"); if (!loginDLDbIdentifier) MacOSError::throwMe(errSecNoSuchKeychain); @@ -1118,7 +1326,7 @@ void StorageManager::login(UInt32 nameLength, const void *name, int uid = geteuid(); struct passwd *pw = getpwuid(uid); if (pw == NULL) { - secdebug("KCLogin", "StorageManager::login: invalid argument (NULL uid)"); + secnotice("KCLogin", "StorageManager::login: invalid argument (NULL uid)"); MacOSError::throwMe(errSecParam); } char *userName = pw->pw_name; 
@@ -1129,12 +1337,14 @@ void StorageManager::login(UInt32 nameLength, const void *name, std::string shortnameDotKeychain = shortnameKeychain + ".keychain"; std::string loginDotKeychain = keychainPath + "login.keychain"; std::string loginRenamed1Keychain = keychainPath + "login_renamed1.keychain"; + std::string loginKeychainDb = keychainPath + "login.keychain-db"; // check for existence of keychain files bool shortnameKeychainExists = false; bool shortnameDotKeychainExists = false; bool loginKeychainExists = false; bool loginRenamed1KeychainExists = false; + bool loginKeychainDbExists = false; { struct stat st; int stat_result; @@ -1146,8 +1356,14 @@ void StorageManager::login(UInt32 nameLength, const void *name, loginKeychainExists = (stat_result == 0); stat_result = ::stat(loginRenamed1Keychain.c_str(), &st); loginRenamed1KeychainExists = (stat_result == 0); + stat_result = ::stat(loginKeychainDb.c_str(), &st); + loginKeychainDbExists = (stat_result == 0); } + // login.keychain-db is considered to be the same as login.keychain. + // Our transparent keychain promotion on open will handle opening the right version of this file. + loginKeychainExists |= loginKeychainDbExists; + bool loginUnlocked = false; // make the keychain identifiers 
@@ -1210,11 +1426,11 @@ void StorageManager::login(UInt32 nameLength, const void *name, // "shortname.keychain" if it is not. if (loginRenamed1KeychainExists && (!loginKeychainExists || - (mSavedList.searchList().size() == 1 && mSavedList.member(loginDLDbIdentifier)) )) { + (mSavedList.searchList().size() == 1 && mSavedList.member(demungeDLDbIdentifier(loginDLDbIdentifier))) )) { try { Keychain loginRenamed1KC(keychain(loginRenamed1DLDbIdentifier)); - secdebug("KCLogin", "Attempting to unlock %s with %d-character password", + secnotice("KCLogin", "Attempting to unlock %s with %d-character password", (loginRenamed1KC) ? loginRenamed1KC->name() : "<NULL>", (unsigned int)passwordLength); loginRenamed1KC->unlock(CssmData(const_cast<void *>(password), passwordLength)); // if we get here, we unlocked it @@ -1251,11 +1467,12 @@ void StorageManager::login(UInt32 nameLength, const void *name, } // if login.keychain does not exist at this point, create it - if (!loginKeychainExists) { - Keychain theKeychain(keychain(loginDLDbIdentifier)); - secdebug("KCLogin", "Creating login keychain %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>"); + if (!loginKeychainExists || (isReset && !loginKeychainDbExists)) { + // but don't add it to the search list yet; we'll do that later + Keychain theKeychain = makeKeychain(loginDLDbIdentifier, false, true); + secnotice("KCLogin", "Creating login keychain %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>"); theKeychain->create(passwordLength, password); - secdebug("KCLogin", "Login keychain created successfully"); + secnotice("KCLogin", "Login keychain created successfully"); loginKeychainExists = true; // Set the prefs for this new login keychain. loginKeychain(theKeychain); 
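Review bot: The message on the `loginRenamed1KC` path still logs the password length (`%d-character password`), and this hunk raises it from `secdebug` to `secnotice`, which lands in the persistent unified log; the later hunk at `-1328,8 +1547,8` drops the length from the sibling login-keychain message, presumably for that reason, so do the same here: `secnotice("KCLogin", "Attempting to unlock %s", (loginRenamed1KC) ? loginRenamed1KC->name() : "<NULL>");`. In the second hunk on this line, `makeKeychain(loginDLDbIdentifier, false, true)` hard-codes the reset flag; passing the function's own `isReset` reads as intended even if the munge table makes the two equivalent for the reachable cases.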
@@ -1270,24 +1487,26 @@ void StorageManager::login(UInt32 nameLength, const void *name, //*************************************************************** // if the shortname keychain exists in the search list, either rename or remove the entry - if (mSavedList.member(shortnameDLDbIdentifier)) { - if (shortnameDotKeychainExists && !mSavedList.member(shortnameDotDLDbIdentifier)) { + if (mSavedList.member(demungeDLDbIdentifier(shortnameDLDbIdentifier))) { + if (shortnameDotKeychainExists && !mSavedList.member(demungeDLDbIdentifier(shortnameDotDLDbIdentifier))) { // change shortname to shortname.keychain (login.keychain will be added later if not present) - secdebug("KCLogin", "Renaming %s to %s in keychain search list", + secnotice("KCLogin", "Renaming %s to %s in keychain search list", (shortnameDLDbIdentifier) ? shortnameDLDbIdentifier.dbName() : "<NULL>", (shortnameDotDLDbIdentifier) ? shortnameDotDLDbIdentifier.dbName() : "<NULL>"); - mSavedList.rename(shortnameDLDbIdentifier, shortnameDotDLDbIdentifier); - } else if (!mSavedList.member(loginDLDbIdentifier)) { + mSavedList.rename(demungeDLDbIdentifier(shortnameDLDbIdentifier), + demungeDLDbIdentifier(shortnameDotDLDbIdentifier)); + } else if (!mSavedList.member(demungeDLDbIdentifier(loginDLDbIdentifier))) { // change shortname to login.keychain - secdebug("KCLogin", "Renaming %s to %s in keychain search list", + secnotice("KCLogin", "Renaming %s to %s in keychain search list", (shortnameDLDbIdentifier) ? shortnameDLDbIdentifier.dbName() : "<NULL>", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>"); - mSavedList.rename(shortnameDLDbIdentifier, loginDLDbIdentifier); + mSavedList.rename(demungeDLDbIdentifier(shortnameDLDbIdentifier), + demungeDLDbIdentifier(loginDLDbIdentifier)); } else { // already have login.keychain in list, and renaming to shortname.keychain isn't an option, // so just remove the entry - secdebug("KCLogin", "Removing %s from keychain search list", (shortnameDLDbIdentifier) ? 
shortnameDLDbIdentifier.dbName() : "<NULL>"); - mSavedList.remove(shortnameDLDbIdentifier); + secnotice("KCLogin", "Removing %s from keychain search list", (shortnameDLDbIdentifier) ? shortnameDLDbIdentifier.dbName() : "<NULL>"); + mSavedList.remove(demungeDLDbIdentifier(shortnameDLDbIdentifier)); } // note: save() will cause the plist to be unlinked if the only remaining entry is for login.keychain 
@@ -1296,24 +1515,24 @@ void StorageManager::login(UInt32 nameLength, const void *name, } // make sure that login.keychain is in the search list - if (!mSavedList.member(loginDLDbIdentifier)) { - secdebug("KCLogin", "Adding %s to keychain search list", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>"); - mSavedList.add(loginDLDbIdentifier); + if (!mSavedList.member(demungeDLDbIdentifier(loginDLDbIdentifier))) { + secnotice("KCLogin", "Adding %s to keychain search list", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>"); + mSavedList.add(demungeDLDbIdentifier(loginDLDbIdentifier)); mSavedList.save(); mSavedList.revert(true); } // if we have a shortname.keychain, always include it in the plist (after login.keychain) - if (shortnameDotKeychainExists && !mSavedList.member(shortnameDotDLDbIdentifier)) { - mSavedList.add(shortnameDotDLDbIdentifier); + if (shortnameDotKeychainExists && !mSavedList.member(demungeDLDbIdentifier(shortnameDotDLDbIdentifier))) { + mSavedList.add(demungeDLDbIdentifier(shortnameDotDLDbIdentifier)); mSavedList.save(); mSavedList.revert(true); } // make sure that the default keychain is in the search list; if not, reset the default to login.keychain if (!mSavedList.member(mSavedList.defaultDLDbIdentifier())) { - secdebug("KCLogin", "Changing default keychain to %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>"); - mSavedList.defaultDLDbIdentifier(loginDLDbIdentifier); + secnotice("KCLogin", "Changing default keychain to %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>"); + mSavedList.defaultDLDbIdentifier(demungeDLDbIdentifier(loginDLDbIdentifier)); mSavedList.save(); mSavedList.revert(true); } 
@@ -1328,8 +1547,8 @@ void StorageManager::login(UInt32 nameLength, const void *name, try { Keychain theKeychain(keychain(loginDLDbIdentifier)); - secdebug("KCLogin", "Attempting to unlock login keychain \"%s\" with %d-character password", - (theKeychain) ? theKeychain->name() : "<NULL>", (unsigned int)passwordLength); + secnotice("KCLogin", "Attempting to unlock login keychain \"%s\"", + (theKeychain) ? theKeychain->name() : "<NULL>"); theKeychain->unlock(CssmData(const_cast<void *>(password), passwordLength)); loginUnlocked = true; } 
@@ -1339,55 +1558,110 @@ void StorageManager::login(UInt32 nameLength, const void *name,
 }
 }
- if (!loginUnlocked) {
- try {
- loginResult = errSecSuccess;
- Keychain theKeychain(keychain(loginDLDbIdentifier));
+ // is it token login?
+ CFRef<CFDictionaryRef> tokenLoginContext;
+ OSStatus status = TokenLoginGetContext(password, passwordLength, tokenLoginContext.take());
+ if (!loginUnlocked || status == errSecSuccess) {
+ Keychain theKeychain(keychain(loginDLDbIdentifier));
+ bool tokenLoginDataUpdated = false;
+
+ for (UInt32 i = 0; i < 2; i++) {
+ loginResult = errSecSuccess;
+
+ CFRef<CFDictionaryRef> tokenLoginData;
+ if (tokenLoginContext) {
+ status = TokenLoginGetLoginData(tokenLoginContext, tokenLoginData.take());
+ if (status != errSecSuccess) {
+ if (tokenLoginDataUpdated) {
+ loginResult = status;
+ break;
+ }
+ // updating unlock key fails if it is not token login
+ secnotice("KCLogin", "Error %d, reconstructing unlock data", (int)status);
+ status = TokenLoginUpdateUnlockData(tokenLoginContext);
+ if (status == errSecSuccess) {
+ loginResult = TokenLoginGetLoginData(tokenLoginContext, tokenLoginData.take());
+ if (loginResult != errSecSuccess) {
+ break;
+ }
+ tokenLoginDataUpdated = true;
+ }
+ }
+ }
- // build a fake key
- CssmKey key;
- key.header().BlobType = CSSM_KEYBLOB_RAW;
- key.header().Format = CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING;
- key.header().AlgorithmId = CSSM_ALGID_3DES_3KEY;
- key.header().KeyClass = CSSM_KEYCLASS_SESSION_KEY;
- key.header().KeyUsage = CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT | CSSM_KEYATTR_EXTRACTABLE;
- key.header().KeyAttr = 0;
- key.KeyData = CssmData(const_cast<void *>(password), passwordLength);
-
- // unwrap it into the CSP (but keep it raw)
- UnwrapKey unwrap(theKeychain->csp(), CSSM_ALGID_NONE);
- CssmKey masterKey;
- CssmData descriptiveData;
- unwrap(key,
- KeySpec(CSSM_KEYUSE_ANY, CSSM_KEYATTR_EXTRACTABLE),
- masterKey, &descriptiveData, NULL);
-
- CssmClient::Db db = theKeychain->database();
-
- // create the keychain, using appropriate credentials
- Allocator &alloc = db->allocator();
- AutoCredentials cred(alloc); // will leak, but we're quitting soon :-)
-
- // use this passphrase
- cred += TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
- new(alloc) ListElement(CSSM_SAMPLE_TYPE_SYMMETRIC_KEY),
- new(alloc) ListElement(CssmData::wrap(theKeychain->csp()->handle())),
- new(alloc) ListElement(CssmData::wrap(masterKey)),
- new(alloc) ListElement(CssmData()));
- db->authenticate(CSSM_DB_ACCESS_READ, &cred);
- db->unlock();
- loginUnlocked = true;
- } catch (const CssmError &e) {
- loginResult = e.osStatus();
+ try {
+ // first try to unlock login keychain because if this fails, token keychain unlock fails as well
+ if (tokenLoginData) {
+ secnotice("KCLogin", "Going to unlock keybag using scBlob");
+ status = TokenLoginUnlockKeybag(tokenLoginContext, tokenLoginData);
+ secnotice("KCLogin", "Keybag unlock result %d", (int)status);
+ if (status)
+ CssmError::throwMe(status); // to trigger login data regeneration
+ }
+
+ // build a fake key
+ CssmKey key;
+ key.header().BlobType = CSSM_KEYBLOB_RAW;
+ key.header().Format = CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING;
+ key.header().AlgorithmId = CSSM_ALGID_3DES_3KEY;
+ key.header().KeyClass = CSSM_KEYCLASS_SESSION_KEY;
+ key.header().KeyUsage = CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT | CSSM_KEYATTR_EXTRACTABLE;
+ key.header().KeyAttr = 0;
+ CFRef<CFDataRef> tokenLoginUnlockKey;
+ if (tokenLoginData) {
+ status = TokenLoginGetUnlockKey(tokenLoginContext, tokenLoginUnlockKey.take());
+ if (status)
+ CssmError::throwMe(status); // to trigger login data regeneration
+ key.KeyData = CssmData(tokenLoginUnlockKey.get());
+ } else {
+ key.KeyData = CssmData(const_cast<void *>(password), passwordLength);
+ }
+ // unwrap it into the CSP (but keep it raw)
+ UnwrapKey unwrap(theKeychain->csp(), CSSM_ALGID_NONE);
+ CssmKey masterKey;
+ CssmData descriptiveData;
+ unwrap(key,
+ KeySpec(CSSM_KEYUSE_ANY, CSSM_KEYATTR_EXTRACTABLE),
+ masterKey, &descriptiveData, NULL);
+
+ CssmClient::Db db = theKeychain->database();
+
+ // create the keychain, using appropriate credentials
+ Allocator &alloc = db->allocator();
+ AutoCredentials cred(alloc); // will leak, but we're quitting soon :-)
+
+ // use this passphrase
+ cred += TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
+ new(alloc) ListElement(CSSM_SAMPLE_TYPE_SYMMETRIC_KEY),
+ new(alloc) ListElement(CssmData::wrap(theKeychain->csp()->handle())),
+ new(alloc) ListElement(CssmData::wrap(masterKey)),
+ new(alloc) ListElement(CssmData()));
+ db->authenticate(CSSM_DB_ACCESS_READ, &cred);
+ db->unlock();
+ loginUnlocked = true;
+ } catch (const CssmError &e) {
+ if (tokenLoginData && !tokenLoginDataUpdated) {
+ // token login unlock key was invalid
+ loginResult = TokenLoginUpdateUnlockData(tokenLoginContext);
+ if (loginResult == errSecSuccess) {
+ tokenLoginDataUpdated = true;
+ continue;
+ }
+ }
+ else {
+ loginResult = e.osStatus();
+ }
+ }
+ break;
+ }
 }
 // if "shortname.keychain" exists and is in the search list, attempt to auto-unlock it with the same password
- if (shortnameDotKeychainExists && mSavedList.member(shortnameDotDLDbIdentifier)) {
+ if (shortnameDotKeychainExists && mSavedList.member(demungeDLDbIdentifier(shortnameDotDLDbIdentifier))) {
 try {
 Keychain shortnameDotKC(keychain(shortnameDotDLDbIdentifier));
- secdebug("KCLogin", "Attempting to unlock %s",
+ secnotice("KCLogin", "Attempting to unlock %s",
 (shortnameDotKC) ? shortnameDotKC->name() : "<NULL>");
 shortnameDotKC->unlock(CssmData(const_cast<void *>(password), passwordLength));
 }
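Review bot: The retry loop `for (UInt32 i = 0; i < 2; i++)` never reads `i`; its exit is driven entirely by `break`/`continue` and the `tokenLoginDataUpdated` flag, so the intent (one pass with the stored unlock data, one more only after regenerating it) can only be recovered by tracing both the `catch` and the `TokenLoginGetLoginData` failure path. A comment on the loop header such as `// at most two passes: the second only after TokenLoginUpdateUnlockData has regenerated the unlock data` would make that explicit. When `TokenLoginUpdateUnlockData` fails on the first pass, `status` is dropped and control falls into the password path with `tokenLoginData` empty, so the error the caller finally sees is the CSSM unlock failure rather than the token error; the comment above it suggests this fallback is deliberate, and a line saying so at that `if (status == errSecSuccess)` would spare the next reader the same trace. Note also that `AutoCredentials cred(alloc); // will leak, but we're quitting soon :-)` now sits inside the loop, so a regeneration retry constructs it a second time — worth confirming that is acceptable. StorageManager::login starts before this hunk and continues after it.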
@@ -1412,7 +1686,7 @@ void StorageManager::stashLogin()
 loginDLDbIdentifier = mSavedList.loginDLDbIdentifier();
 }
- secdebug("KCLogin", "StorageManager::stash: loginDLDbIdentifier is %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
+ secnotice("KCLogin", "StorageManager::stash: loginDLDbIdentifier is %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
 if (!loginDLDbIdentifier)
 MacOSError::throwMe(errSecNoSuchKeychain);
@@ -1420,7 +1694,7 @@ void StorageManager::stashLogin()
 {
 CssmData empty;
 Keychain theKeychain(keychain(loginDLDbIdentifier));
- secdebug("KCLogin", "Attempting to use stash for login keychain \"%s\"",
+ secnotice("KCLogin", "Attempting to use stash for login keychain \"%s\"",
 (theKeychain) ? theKeychain->name() : "<NULL>");
 theKeychain->stashCheck();
 }
@@ -1445,14 +1719,14 @@ void StorageManager::stashKeychain()
 loginDLDbIdentifier = mSavedList.loginDLDbIdentifier();
 }
- secdebug("KCLogin", "StorageManager::stash: loginDLDbIdentifier is %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
+ secnotice("KCLogin", "StorageManager::stash: loginDLDbIdentifier is %s", (loginDLDbIdentifier) ? loginDLDbIdentifier.dbName() : "<NULL>");
 if (!loginDLDbIdentifier)
 MacOSError::throwMe(errSecNoSuchKeychain);
 try {
 Keychain theKeychain(keychain(loginDLDbIdentifier));
- secdebug("KCLogin", "Attempting to stash login keychain \"%s\"",
+ secnotice("KCLogin", "Attempting to stash login keychain \"%s\"",
 (theKeychain) ? theKeychain->name() : "<NULL>");
 theKeychain->stash();
 }
@@ -1477,7 +1751,7 @@ void StorageManager::changeLoginPassword(ConstStringPtr oldPassword, ConstString
 StLock<Mutex>_(mMutex);
 loginKeychain()->changePassphrase(oldPassword, newPassword);
- secdebug("KClogin", "Changed login keychain password successfully");
+ secnotice("KClogin", "Changed login keychain password successfully");
 }
@@ -1486,7 +1760,7 @@ void StorageManager::changeLoginPassword(UInt32 oldPasswordLength, const void *o
 StLock<Mutex>_(mMutex);
 loginKeychain()->changePassphrase(oldPasswordLength, oldPassword, newPasswordLength, newPassword);
- secdebug("KClogin", "Changed login keychain password successfully");
+ secnotice("KClogin", "Changed login keychain password successfully");
 }
 // Clear out the keychain search list and rename the existing login.keychain.
@@ -1518,15 +1792,23 @@ void StorageManager::resetKeychain(Boolean resetSearchList)
 {
 CFStringAppend(newName, currName);
 CFStringRef kcSuffix = CFSTR(kKeychainSuffix);
+ CFStringRef kcDbSuffix = CFSTR(kKeychainDbSuffix);
+ bool hasDbSuffix = false;
 if ( CFStringHasSuffix(newName, kcSuffix) ) // remove the .keychain extension
 {
 CFRange suffixRange = CFStringFind(newName, kcSuffix, 0);
 CFStringFindAndReplace(newName, kcSuffix, CFSTR(""), suffixRange, 0);
 }
+ if (CFStringHasSuffix(newName, kcDbSuffix)) {
+ hasDbSuffix = true;
+ CFRange suffixRange = CFStringFind(newName, kcDbSuffix, 0);
+ CFStringFindAndReplace(newName, kcDbSuffix, CFSTR(""), suffixRange, 0);
+ }
+
 CFStringAppend(newName, CFSTR(kKeychainRenamedSuffix)); // add "_renamed_"
 try
 {
- renameUnique(keychain, newName);
+ renameUnique(keychain, newName, hasDbSuffix);
 }
 catch(...)
 {
@@ -1554,7 +1836,11 @@ Keychain StorageManager::make(const char *pathName)
 Keychain StorageManager::make(const char *pathName, bool add)
 {
- return makeKeychain(makeDLDbIdentifier(pathName), add);
+ return make(pathName, add, false);
+}
+
+Keychain StorageManager::make(const char *pathName, bool add, bool isReset) {
+ return makeKeychain(makeDLDbIdentifier(pathName), add, isReset);
 }
 DLDbIdentifier StorageManager::makeDLDbIdentifier(const char *pathName) {
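Review bot: The new `.keychain-db` stripping in `resetKeychain` copies the existing `CFStringFind(newName, kcDbSuffix, 0)` plus `CFStringFindAndReplace` over that range, and `CFStringFind` with no options returns the first occurrence rather than the trailing one; a name holding the suffix earlier in the string (a constructed example: `x.keychain-db.old.keychain-db`) would have the wrong occurrence removed and keep its real suffix, leaving `hasDbSuffix` true while the renamed file still ends in `.keychain-db`. Since `CFStringHasSuffix` has already established that the suffix is at the end, deleting by length avoids the search altogether: `CFStringDelete(newName, CFRangeMake(CFStringGetLength(newName) - CFStringGetLength(kcDbSuffix), CFStringGetLength(kcDbSuffix)));`. The pre-existing `kcSuffix` block just above has the same weakness and could use the same form. resetKeychain's body continues outside this hunk on both sides.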
@@ -1606,7 +1892,7 @@ DLDbIdentifier StorageManager::makeDLDbIdentifier(const char *pathName) {
 return dlDbIdentifier;
 }
-Keychain StorageManager::makeLoginAuthUI(const Item *item)
+Keychain StorageManager::makeLoginAuthUI(const Item *item, bool isReset)
 {
 StLock<Mutex>_(mMutex);
@@ -1772,7 +2058,7 @@ Keychain StorageManager::makeLoginAuthUI(const Item *item)
 catch (...) // can throw if no existing login.keychain is found
 {
 }
- login(authRef, (UInt32)userName.length(), userName.c_str()); // Create login.keychain
+ login(authRef, (UInt32)userName.length(), userName.c_str(), isReset); // Create login.keychain
 keychain = loginKeychain(); // Get newly-created login keychain
 defaultKeychain(keychain); // Set it to be the default
@@ -1809,7 +2095,7 @@ Keychain StorageManager::defaultKeychainUI(Item &item)
 }
 if ( globals().getUserInteractionAllowed() )
 {
- returnedKeychain = makeLoginAuthUI(&item); // If no Keychains is present, one will be created.
+ returnedKeychain = makeLoginAuthUI(&item, false); // If no Keychains is present, one will be created.
 if ( !returnedKeychain )
 MacOSError::throwMe(errSecInvalidKeychain); // Something went wrong...
 }
@@ -1838,7 +2124,7 @@ StorageManager::addToDomainList(SecPreferencesDomain domain,
 // manipulate the user's list
 {
 mSavedList.revert(true);
- mSavedList.add(id);
+ mSavedList.add(demungeDLDbIdentifier(id));
 mSavedList.save();
 }
@@ -1868,11 +2154,11 @@ StorageManager::isInDomainList(SecPreferencesDomain domain,
 bool result;
 if (domain == mDomain)
 {
- result = mSavedList.member(id);
+ result = mSavedList.member(demungeDLDbIdentifier(id));
 }
 else
 {
- result = DLDbListCFPref(domain).member(id);
+ result = DLDbListCFPref(domain).member(demungeDLDbIdentifier(id));
 }
 // do the search
@@ -1901,7 +2187,7 @@ StorageManager::removeFromDomainList(SecPreferencesDomain domain,
 // manipulate the user's list
 {
 mSavedList.revert(true);
- mSavedList.remove(id);
+ mSavedList.remove(demungeDLDbIdentifier(id));
 mSavedList.save();
 }
diff --git a/OSX/libsecurity_keychain/lib/StorageManager.h b/OSX/libsecurity_keychain/lib/StorageManager.h
index b1f82cf4..33f03033 100644
--- a/OSX/libsecurity_keychain/lib/StorageManager.h
+++ b/OSX/libsecurity_keychain/lib/StorageManager.h
@@ -62,7 +62,8 @@ public:
 // These will call addAndNotify() if the specified keychain already exists
 Keychain make(const char *fullPathName);
 Keychain make(const char *fullPathName, bool add);
- Keychain makeLoginAuthUI(const Item *item);
+ Keychain make(const char *fullPathName, bool add, bool isReset);
+ Keychain makeLoginAuthUI(const Item *item, bool isReset);
 void created(const Keychain &keychain); // Be notified a Keychain just got created.
 // Misc
@@ -90,11 +91,15 @@ public:
 void didRemoveKeychain(const DLDbIdentifier &dLDbIdentifier);
 // Create KC if it doesn't exist, add it to the search list if it exists and is not already on it.
- Keychain makeKeychain(const DLDbIdentifier &dLDbIdentifier, bool add = true);
+ Keychain makeKeychain(const DLDbIdentifier &dLDbIdentifier, bool add, bool isReset);
 // Reload a keychain from the on-disk database
 void reloadKeychain(Keychain keychain);
+ // Register a keychain in the keychain cache
+ void registerKeychain(Keychain& kc);
+ void registerKeychainImpl(KeychainImpl* kc);
+
 // Keychain list maintenance
 // remove kcsToRemove from the search list
@@ -108,7 +113,7 @@ public:
 void setSearchList(SecPreferencesDomain domain, const KeychainList &keychainList);
 void rename(Keychain keychain, const char* newName);
- void renameUnique(Keychain keychain, CFStringRef newName);
+ void renameUnique(Keychain keychain, CFStringRef newName, bool appendDbSuffix);
 // Iff keychainOrArray is NULL return the default KeychainList in keychainList otherwise
 // if keychainOrArray is a CFArrayRef containing SecKeychainRef's convernt it to KeychainList,
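Review bot: The new `isReset` parameter on `make`, `makeLoginAuthUI` and `makeKeychain` is undocumented at its declaration; its meaning (whether a freshly created login keychain gets the `.keychain-db` filename) is only explained by the comment on `mungeDLDbIdentifier` much further down the class. A one-line note at the first of these, e.g. `// isReset: see mungeDLDbIdentifier — selects the .keychain-db filename for a reset login keychain`, would save callers the search. `makeKeychain` also loses its `add = true` default here, which is worth a word in its comment since the two-argument form no longer exists.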
@@ -122,15 +127,19 @@ public:
 static CFArrayRef convertFromKeychainList(const KeychainList &keychainList);
 // Login keychain support
- void login(AuthorizationRef authRef, UInt32 nameLength, const char* name);
+ void login(AuthorizationRef authRef, UInt32 nameLength, const char* name, bool isReset);
 void login(ConstStringPtr name, ConstStringPtr password);
- void login(UInt32 nameLength, const void *name, UInt32 passwordLength, const void *password);
+ void login(UInt32 nameLength, const void *name, UInt32 passwordLength, const void *password, bool isReset);
 void stashLogin();
 void stashKeychain();
 void logout();
 void changeLoginPassword(ConstStringPtr oldPassword, ConstStringPtr newPassword);
 void changeLoginPassword(UInt32 oldPasswordLength, const void *oldPassword, UInt32 newPasswordLength, const void *newPassword);
+ // Token login support
+ CFDataRef getTokenLoginMasterKey(UInt32 passwordLength, const void *password);
+ CFDataRef unwrapTokenLoginMasterKey(CFDictionaryRef masterKeyData, CFStringRef tokenID, CFStringRef pin);
+
 void resetKeychain(Boolean resetSearchList);
 Keychain defaultKeychain();
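Review bot: `getTokenLoginMasterKey` and `unwrapTokenLoginMasterKey` return a bare `CFDataRef` with no statement of ownership, and since the result is key material the caller needs to know both whether it must release it and that it should not keep it longer than necessary; a comment such as `// Returns a +1 CFDataRef holding the master key (caller releases), or NULL on failure` would settle this, assuming they follow the Create rule, which the header does not show. Whether `pin` may be NULL (for a token that needs no PIN) is likewise unstated.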
@@ -160,6 +169,37 @@ private:
 DLDbIdentifier makeDLDbIdentifier(const char* pathName);
 CssmClient::Db makeDb(DLDbIdentifier dLDbIdentifier);
+ // Use this when you want to be extra sure this keychain is removed from the
+ // cache. Iterates over the whole cache to find all instances. This function
+ // will take the cache map mutex.
+ void forceRemoveFromCache(KeychainImpl* inItemImpl);
+
+public:
+ // Change the DLDBIdentifier to reflect the files on-disk. Currently:
+ // If the keychain is in ~/Library/Keychains and either
+ // the .keychain-db version of the file exists or
+ // (global integrity protection is on AND isReset is true)
+ // then change the filename to include ".keychain-db".
+ //
+ // Otherwise, leave it alone.
+ static DLDbIdentifier mungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier, bool isReset);
+
+ // Due to compatibility requirements, we need the DLDbListCFPref lists to
+ // never see a ".keychain-db" filename. Call this function to give them what
+ // they need.
+ static DLDbIdentifier demungeDLDbIdentifier(const DLDbIdentifier& dLDbIdentifier);
+
+ // Take a filename, and give it the extension .keychain-db
+ static string makeKeychainDbFilename(const string& filename);
+
+ // Check if a keychain path is in some user's ~/Library/Keychains/ folder.
+ static bool pathInHomeLibraryKeychains(const string& path);
+
+ // Notify the StorageManager that you're accessing this keychain. Used for
+ // time-based caching purposes.
+ void tickleKeychain(KeychainImpl *keychainImpl);
+
+private:
 // Only add if not there yet. Writes out CFPref and broadcasts KCPrefListChanged notification
 void addAndNotify(const Keychain& keychainToAdd);
@@ -169,7 +209,7 @@ private:
 typedef map<DLDbIdentifier, KeychainImpl *> KeychainMap;
 // Reference map of all keychains we know about that aren't deleted
 // or removed
- KeychainMap mKeychains;
+ KeychainMap mKeychainMap;
 // The dynamic search list.
 DynamicDLDBList mDynamicList;
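Review bot: The `public:` / `private:` pair inserted in the middle of the private section makes the class switch access three times, and the static `mungeDLDbIdentifier`/`demungeDLDbIdentifier` helpers end up declared far from the public `make`/`login` methods whose `isReset` argument they explain; moving this public group up to the existing public section would avoid the sandwich and keep the `.keychain-db` rationale next to the API that uses it. Separately, the comment on `forceRemoveFromCache` says it takes the cache map mutex while `tickleKeychain` says nothing about locking — if it takes the same mutex, stating so lets callers that already hold it avoid a deadlock.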
diff --git a/OSX/libsecurity_keychain/lib/TokenLogin.cpp b/OSX/libsecurity_keychain/lib/TokenLogin.cpp
new file mode 100644
index 00000000..03255cd2
--- /dev/null
+++ b/OSX/libsecurity_keychain/lib/TokenLogin.cpp
@@ -0,0 +1,614 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "TokenLogin.h"
+
+#include <Security/SecItem.h>
+#include <Security/SecItemPriv.h>
+#include <Security/SecKeyPriv.h>
+#include "SecBase64P.h"
+#include <Security/SecIdentity.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecKeychainPriv.h>
+#include <security_utilities/cfutilities.h>
+#include <libaks.h>
+#include <libaks_smartcard.h>
+
+extern "C" {
+#include <ctkclient.h>
+#include <coreauthd_spi.h>
+}
+
+#define kSecTokenLoginDomain CFSTR("com.apple.security.tokenlogin")
+
+static CFStringRef cfDataToHex(CFDataRef bin)
+{
+ size_t len = CFDataGetLength(bin) * 2;
+ CFMutableStringRef str = CFStringCreateMutable(NULL, len);
+
+ static const char* digits[] = {"0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "A", "B", "C", "D", "E", "F"};
+
+ const uint8_t* data = CFDataGetBytePtr(bin);
+ for (size_t i = 0; i < CFDataGetLength(bin); i++) {
+ CFStringAppendCString(str, digits[data[i] >> 4], 1);
+ CFStringAppendCString(str, digits[data[i] & 0xf], 1);
+ }
+ return str;
+}
+
+static CFStringRef getPin(CFDictionaryRef context)
+{
+ if (!context) {
+ return NULL;
+ }
+
+ CFStringRef pin = (CFStringRef)CFDictionaryGetValue(context, kSecAttrService);
+ if (!pin || CFGetTypeID(pin) != CFStringGetTypeID()) {
+ return NULL;
+ }
+ return pin;
+}
+
+static CFStringRef getTokenId(CFDictionaryRef context)
+{
+ if (!context) {
+ return NULL;
+ }
+
+ CFStringRef tokenId = (CFStringRef)CFDictionaryGetValue(context, kSecAttrTokenID);
+ if (!tokenId || CFGetTypeID(tokenId) != CFStringGetTypeID()) {
+ secinfo("TokenLogin", "Invalid tokenId");
+ return NULL;
+ }
+ return tokenId;
+}
+
+static CFDataRef getPubKeyHash(CFDictionaryRef context)
+{
+ if (!context) {
+ return NULL;
+ }
+
+ CFDataRef pubKeyHash = (CFDataRef)CFDictionaryGetValue(context, kSecAttrPublicKeyHash);
+ if (!pubKeyHash || CFGetTypeID(pubKeyHash) != CFDataGetTypeID()) {
+ secinfo("TokenLogin", "Invalid pubkeyhash");
+ return NULL;
+ }
+ return pubKeyHash;
+}
+
+static CFDataRef getPubKeyHashWrap(CFDictionaryRef context)
+{
+ if (!context) {
+ return NULL;
+ }
+
+ CFDataRef pubKeyHashWrap = (CFDataRef)CFDictionaryGetValue(context, kSecAttrAccount);
+ if (!pubKeyHashWrap || CFGetTypeID(pubKeyHashWrap) != CFDataGetTypeID()) {
+ secinfo("TokenLogin", "Invalid pubkeyhashwrap");
+ return NULL;
+ }
+ return pubKeyHashWrap;
+}
+
+static OSStatus privKeyForPubKeyHash(CFDictionaryRef context, SecKeyRef *privKey, CFTypeRef *laCtx)
+{
+ if (!context) {
+ return errSecParam;
+ }
+
+ CFRef<CFMutableDictionaryRef> tokenAttributes = makeCFMutableDictionary(1, kSecAttrTokenID, getTokenId(context));
+ CFRef<CFErrorRef> error;
+
+ CFStringRef pin = getPin(context);
+ if (pin) {
+ CFRef<CFDictionaryRef> LAParams = makeCFDictionary(1, CFSTR("useDaemon"), kCFBooleanFalse);
+ CFRef<CFTypeRef> LAContext = LACreateNewContextWithACMContext(LAParams.as<CFDataRef>(), error.take());
+ if (!LAContext) {
+ secinfo("TokenLogin", "Failed to LA Context: %@", error.get());
+ return errSecParam;
+ }
+ if (laCtx)
+ *laCtx = (CFTypeRef)CFRetain(LAContext);
+ CFRef<CFDataRef> externalizedContext = LACopyACMContext(LAContext, error.take());
+ if (!externalizedContext) {
+ secinfo("TokenLogin", "Failed to get externalized context: %@", error.get());
+ return errSecParam;
+ }
+ CFDictionarySetValue(tokenAttributes, kSecUseCredentialReference, externalizedContext.get());
+ CFDictionarySetValue(tokenAttributes, CFSTR("PIN"), pin);
+ }
+
+ CFRef<TKTokenRef> token = TKTokenCreate(tokenAttributes, error.take());
+ if (!token) {
+ secinfo("TokenLogin", "Failed to create token: %@", error.get());
+ return errSecParam;
+ }
+
+ CFRef<CFArrayRef> identities = TKTokenCopyIdentities(token, TKTokenKeyUsageAny, error.take());
+ if (!identities || !CFArrayGetCount(identities)) {
+ secinfo("TokenLogin", "No identities found for token: %@", error.get());
+ return errSecParam;
+ }
+
+ CFDataRef desiredHash = getPubKeyHashWrap(context);
+ CFIndex idx, count = CFArrayGetCount(identities);
+ for (idx = 0; idx < count; ++idx) {
+ SecIdentityRef identity = (SecIdentityRef)CFArrayGetValueAtIndex(identities, idx);
+ CFRef<SecCertificateRef> certificate;
+ OSStatus result = SecIdentityCopyCertificate(identity, certificate.take());
+ if (result != errSecSuccess) {
+ secinfo("TokenLogin", "Failed to get certificate for identity: %d", (int) result);
+ continue;
+ }
+
+ CFRef<CFDataRef> identityHash = SecCertificateCopyPublicKeySHA1Digest(certificate);
+ if (identityHash && CFEqual(desiredHash, identityHash)) {
+ result = SecIdentityCopyPrivateKey(identity, privKey);
+ if (result != errSecSuccess) {
+ secinfo("TokenLogin", "Failed to get identity private key: %d", (int) result);
+ }
+ return result;
+ }
+ }
+
+ return errSecParam;
+}
+
+OSStatus TokenLoginGetContext(const void *base64TokenLoginData, UInt32 base64TokenLoginDataLength, CFDictionaryRef *context)
+{
+ if (!base64TokenLoginData || !context) {
+ return errSecParam;
+ }
+
+ // Token data are base64 encoded in password.
+ size_t dataLen = SecBase64Decode((const char *)base64TokenLoginData, base64TokenLoginDataLength, NULL, 0);
+ if (!dataLen) {
+ secinfo("TokenLogin", "Invalid base64 encoded token data");
+ return errSecParam;
+ }
+
+ CFRef<CFMutableDataRef> data = CFDataCreateMutable(kCFAllocatorDefault, dataLen);
+ dataLen = SecBase64Decode((const char *)base64TokenLoginData, base64TokenLoginDataLength, CFDataGetMutableBytePtr(data), dataLen);
+ if (!dataLen) {
+ secinfo("TokenLogin", "Invalid base64 encoded token data");
+ return errSecParam;
+ }
+ CFDataSetLength(data, dataLen);
+
+ // Content of the password consists of a serialized dictionary containing token ID, PIN, wrap key hash etc.
+ CFRef<CFErrorRef> error;
+ *context = (CFDictionaryRef)CFPropertyListCreateWithData(kCFAllocatorDefault,
+ data,
+ kCFPropertyListImmutable,
+ NULL,
+ error.take());
+ if (!*context || CFGetTypeID(*context) != CFDictionaryGetTypeID()) {
+ secinfo("TokenLogin", "Invalid token login data property list, %@", error.get());
+ return errSecParam;
+ }
+
+ if (!getPin(*context) || !getTokenId(*context) || !getPubKeyHash(*context) || !getPubKeyHashWrap(*context)) {
+ secinfo("TokenLogin", "Invalid token login data context, %@", error.get());
+ return errSecParam;
+ }
+
+ return errSecSuccess;
+}
+
+OSStatus TokenLoginGetUnlockKey(CFDictionaryRef context, CFDataRef *unlockKey)
+{
+ if (!context || !unlockKey) {
+ return errSecParam;
+ }
+
+ CFRef<CFDictionaryRef> loginData;
+ OSStatus result = TokenLoginGetLoginData(context, loginData.take());
+ if (result != errSecSuccess) {
+ secinfo("TokenLogin", "Failed to get login data: %d", (int)result);
+ return result;
+ }
+
+ CFDataRef wrappedUnlockKey = (CFDataRef)CFDictionaryGetValue(loginData, kSecValueData);
+ if (!wrappedUnlockKey) {
+ secinfo("TokenLogin", "Wrapped unlock key not found in unlock key data");
+ return errSecParam;
+ }
+ SecKeyAlgorithm algorithm = (SecKeyAlgorithm)CFDictionaryGetValue(loginData, kSecAttrService);
+ if (!algorithm) {
+ secinfo("TokenLogin", "Algorithm not found in unlock key data");
+ return errSecParam;
+ }
+
+ CFRef<SecKeyRef> privKey;
+ CFRef<CFTypeRef> LAContext;
+ result = privKeyForPubKeyHash(context, privKey.take(), LAContext.take());
+ if (result != errSecSuccess) {
+ secinfo("TokenLogin", "Failed to get private key for public key hash: %d", (int)result);
+ return result;
+ }
+
+ CFRef<SecKeyRef> pubKey = SecKeyCopyPublicKey(privKey);
+ if (!pubKey) {
+ secinfo("TokenLogin", "Failed to get public key from private key");
+ return errSecParam;
+ }
+ CFRef<CFErrorRef> error;
+ *unlockKey = SecKeyCreateDecryptedData(privKey,
+ algorithm,
+ wrappedUnlockKey,
+ error.take());
+ if (!*unlockKey) {
+ secinfo("TokenLogin", "Failed to unwrap unlock key: %@", error.get());
+ return errSecDecode;
+ }
+
+ // we need to re-wrap already unwrapped data to avoid capturing and reusing communication with the smartcard
+ CFRef<CFDataRef> reWrappedUnlockKey = SecKeyCreateEncryptedData(pubKey, algorithm, *unlockKey, error.take());
+ if (!reWrappedUnlockKey) {
+ secinfo("TokenLogin", "Failed to rewrap unlock key: %@", error.get());
+ TokenLoginDeleteUnlockData(getPubKeyHash(context));
+ return errSecParam;
+ }
+
+ CFRef<CFMutableDictionaryRef> newDict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 4, loginData);
+ if (newDict) {
+ CFDictionarySetValue(newDict, kSecValueData, reWrappedUnlockKey);
+ TokenLoginStoreUnlockData(context, newDict);
+ }
+
+ return errSecSuccess;
+}
+
+OSStatus TokenLoginGetLoginData(CFDictionaryRef context, CFDictionaryRef *loginData)
+{
+ if (!loginData || !context) {
+ return errSecParam;
+ }
+
+ CFRef<CFStringRef> pubKeyHashHex = cfDataToHex(getPubKeyHash(context));
+ CFPreferencesSynchronize(kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ CFRef<CFDataRef> storedData = (CFDataRef)CFPreferencesCopyValue(pubKeyHashHex, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ if (!storedData) {
+ secinfo("TokenLogin", "Failed to read token login plist");
+ return errSecIO;
+ }
+
+ CFRef<CFErrorRef> error;
+ *loginData = (CFDictionaryRef)CFPropertyListCreateWithData(kCFAllocatorDefault,
+ storedData,
+ kCFPropertyListImmutable,
+ NULL,
+ error.take());
+ if (!*loginData || CFGetTypeID(*loginData) != CFDictionaryGetTypeID()) {
+ secinfo("TokenLogin", "Failed to deserialize unlock key data: %@", error.get());
+ return errSecParam;
+ }
+
+ return errSecSuccess;
+}
+
+OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context)
+{
+ if (!context) {
+ return errSecParam;
+ }
+
+ CFRef<SecKeychainRef> loginKeychain;
+ OSStatus result = SecKeychainCopyLogin(loginKeychain.take());
+ if (result != errSecSuccess) {
+ secinfo("TokenLogin", "Failed to get user keychain: %d", (int) result);
+ return result;
+ }
+
+ return SecKeychainStoreUnlockKeyWithPubKeyHash(getPubKeyHash(context), getTokenId(context), getPubKeyHashWrap(context), loginKeychain, NULL);
+}
+
+OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CFDataRef pubKeyHashWrap, CFDataRef unlockKey, CFDataRef scBlob)
+{
+ if (!tokenId || !pubKeyHash || !pubKeyHashWrap || !unlockKey || !scBlob)
+ return errSecParam;
+
+ CFRef<CFDictionaryRef> ctx = makeCFDictionary(3,
+ kSecAttrTokenID, tokenId,
+ kSecAttrPublicKeyHash, pubKeyHash,
+ kSecAttrAccount, pubKeyHashWrap
+ );
+ CFRef<SecKeyRef> privKey;
+ OSStatus result = privKeyForPubKeyHash(ctx, privKey.take(), NULL);
+ if (result != errSecSuccess) {
+ secinfo("TokenLogin", "Failed to get private key for public key hash: %d", (int) result);
+ return result;
+ }
+
+ CFRef<SecKeyRef> pubKey = SecKeyCopyPublicKey(privKey);
+ if (!pubKey) {
+ secinfo("TokenLogin", "Failed to get public key from private key");
+ return errSecParam;
+ }
+
+ SecKeyAlgorithm algorithms[] = {
+ kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM,
+ kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM,
+ kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM,
+ kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM,
+ kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
+ };
+
+ SecKeyAlgorithm algorithm = NULL;
+ for (size_t i = 0; i < sizeof(algorithms) / sizeof(*algorithms); i++) {
+ if (SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeEncrypt, algorithms[i])
+ && SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeDecrypt, algorithms[i])) {
+ algorithm = algorithms[i];
+ break;
+ }
+ }
+ if (algorithm == NULL) {
+ secinfo("SecKeychain", "Failed to find supported wrap algorithm");
+ return errSecParam;
+ }
+
+ CFRef<CFErrorRef> error;
+ CFRef<CFDataRef> wrappedUnlockKey = SecKeyCreateEncryptedData(pubKey, algorithm, unlockKey, error.take());
+ if (!wrappedUnlockKey) {
+ secinfo("TokenLogin", "Failed to wrap unlock key: %@", error.get());
+ return errSecParam;
+ }
+
+ CFRef<CFDictionaryRef> loginData = makeCFDictionary(4,
+ kSecAttrService, algorithm,
+ kSecAttrPublicKeyHash, pubKeyHashWrap,
+ kSecValueData, wrappedUnlockKey.get(),
+ kSecClassKey, scBlob
+ );
+ return TokenLoginStoreUnlockData(ctx, loginData);
+}
+
+OSStatus TokenLoginStoreUnlockData(CFDictionaryRef context, CFDictionaryRef loginData)
+{
+
+ CFRef<CFErrorRef> error;
+ CFRef<CFDataRef> data = CFPropertyListCreateData(kCFAllocatorDefault,
+ loginData,
+ kCFPropertyListBinaryFormat_v1_0,
+ 0,
+ error.take());
+ if (!data) {
+ secdebug("TokenLogin", "Failed to create unlock data: %@", error.get());
+ return errSecInternal;
+ }
+ CFRef<CFStringRef> pubKeyHashHex = cfDataToHex(getPubKeyHash(context));
+ CFPreferencesSetValue(pubKeyHashHex, data, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ CFPreferencesSynchronize(kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ CFRef<CFDataRef> storedData = (CFDataRef)CFPreferencesCopyValue(pubKeyHashHex, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+
+ if (!storedData || !CFEqual(storedData, data)) {
+ secinfo("TokenLogin", "Failed to write token login plist");
+ return errSecIO;
+ }
+
+ return errSecSuccess;
+}
+
+OSStatus TokenLoginDeleteUnlockData(CFDataRef pubKeyHash)
+{
+ CFRef<CFStringRef> pubKeyHashHex = cfDataToHex(pubKeyHash);
+ CFPreferencesSetValue(pubKeyHashHex, NULL, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ CFPreferencesSynchronize(kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ CFRef<CFDataRef> storedData = (CFDataRef)CFPreferencesCopyValue(pubKeyHashHex, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+
+ if (storedData) {
+ secinfo("TokenLogin", "Failed to remove unlock data");
+ return errSecIO;
+ }
+
+ return errSecSuccess;
+}
+
+OSStatus TokenLoginGetScBlob(CFDataRef pubKeyHashWrap, CFStringRef tokenId, CFStringRef password, CFDataRef *scBlob)
+{
+ if (scBlob == NULL || password == NULL || pubKeyHashWrap == NULL || tokenId == NULL) {
+ secinfo("TokenLogin", "TokenLoginGetScBlob wrong params");
+ return errSecParam;
+ }
+
+ CFRef<CFDictionaryRef> ctx = makeCFDictionary(2,
+ kSecAttrTokenID, tokenId,
+ kSecAttrAccount, pubKeyHashWrap
+ );
+
+ CFRef<SecKeyRef> privKey;
+ OSStatus retval = privKeyForPubKeyHash(ctx, privKey.take(), NULL);
+ if (retval != errSecSuccess) {
+ secinfo("TokenLogin", "TokenLoginGetScBlob failed to get private key for public key hash: %d", (int) retval);
+ return retval;
+ }
+
+ CFRef<SecKeyRef> pubKey = SecKeyCopyPublicKey(privKey);
+ if (!pubKey) {
+ secinfo("TokenLogin", "TokenLoginGetScBlob no pubkey");
+ return errSecInternal;
+ }
+
+ CFRef<CFDictionaryRef> attributes = SecKeyCopyAttributes(pubKey);
+ if (!attributes) {
+ secinfo("TokenLogin", "TokenLoginGetScBlob no attributes");
+ return errSecInternal;
+ }
+
+ aks_smartcard_mode_t mode;
+ CFRef<CFStringRef> type = (CFStringRef)CFDictionaryGetValue(attributes, kSecAttrKeyType);
+ if (CFEqual(type, kSecAttrKeyTypeRSA))
+ mode = AKS_SMARTCARD_MODE_RSA;
+ else if (CFEqual(type, kSecAttrKeyTypeEC))
+ mode = AKS_SMARTCARD_MODE_ECDH;
+ else {
+ secinfo("TokenLogin", "TokenLoginGetScBlob bad type");
+ return errSecNotAvailable;
+ }
+
+ CFRef<CFDataRef> publicBytes = SecKeyCopyExternalRepresentation(pubKey, NULL);
+ if (!publicBytes) {
+ secinfo("TokenLogin", "TokenLoginGetScBlob cannot get public bytes");
+ return retval;
+ }
+
+ CFIndex maxLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(password), kCFStringEncodingUTF8) + 1;
+ char* buf = (char*)malloc(maxLength);
+ if (buf == NULL) {
+ secinfo("TokenLogin", "TokenLoginGetScBlob no mem for buffer");
+ return retval;
+ }
+
+ if (CFStringGetCString(password, buf, maxLength, kCFStringEncodingUTF8) == FALSE) {
+ secinfo("TokenLogin", "TokenLoginGetScBlob no pwd cstr");
+ free(buf);
+ return retval;
+ }
+
+ void *sc_blob = NULL;
+ size_t sc_len = 0;
+ aks_smartcard_unregister(session_keybag_handle); // just to be sure no previous registration exist
+ kern_return_t aks_retval = aks_smartcard_register(session_keybag_handle, (uint8_t *)buf, strlen(buf), mode, (uint8_t *)CFDataGetBytePtr(publicBytes), (size_t)CFDataGetLength(publicBytes), &sc_blob, &sc_len);
+ free(buf);
+ secinfo("TokenLogin", "TokenLoginGetScBlob register result %d", aks_retval);
+
+ if (sc_blob) {
+ *scBlob = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)sc_blob, (CFIndex)sc_len);
+ free(sc_blob);
+ }
+ return aks_retval;
+}
+
+OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginData)
+{
+ if (!loginData || !context) {
+ return errSecParam;
+ }
+
+ CFDataRef scBlob = (CFDataRef)CFDictionaryGetValue(loginData, kSecClassKey);
+ if (scBlob == NULL) {
+ secinfo("TokenLogin", "Failed to get scblob");
+ return errSecInternal;
+ }
+
+ CFRef<CFErrorRef> error;
+ CFRef<SecKeyRef> privKey;
+ CFRef<CFTypeRef> LAContext;
+ OSStatus retval = privKeyForPubKeyHash(context, privKey.take(), LAContext.take());
+ if (retval != errSecSuccess) {
+ secinfo("TokenLogin", "Failed to get private key for public key hash: %d", (int) retval);
+ return retval;
+ }
+
+ CFRef<SecKeyRef> pubKey = SecKeyCopyPublicKey(privKey);
+ if (!pubKey) {
+ secinfo("TokenLogin", "Failed to get pubkey");
+ return retval;
+ }
+
+ CFRef<CFDictionaryRef> attributes = SecKeyCopyAttributes(pubKey);
+ if (!attributes) {
+ secinfo("TokenLogin", "TokenLoginUnlockKeybag no attributes");
+ return errSecInternal;
+ }
+
+ aks_smartcard_mode_t mode;
+ CFStringRef type = (CFStringRef)CFDictionaryGetValue(attributes, kSecAttrKeyType);
+ if (CFEqual(type, kSecAttrKeyTypeRSA))
+ mode = AKS_SMARTCARD_MODE_RSA;
+ else if (CFEqual(type, kSecAttrKeyTypeEC))
+ mode = AKS_SMARTCARD_MODE_ECDH;
+ else {
+ secinfo("TokenLogin", "TokenLoginUnlockKeybag bad type");
+ return errSecNotAvailable;
+ }
+
+ void *scChallenge = NULL;
+ size_t scChallengeLen = 0;
+ int res = aks_smartcard_request_unlock(session_keybag_handle, (uint8_t *)CFDataGetBytePtr(scBlob), (size_t)CFDataGetLength(scBlob), &scChallenge, &scChallengeLen);
+ if (res != 0) {
+ secinfo("TokenLogin", "TokenLoginUnlockKeybag cannot request unlock: %x", res);
+ return errSecInternal;
+ }
+ const void *scUsk = NULL;
+ size_t scUskLen = 0;
+ res = aks_smartcard_get_sc_usk(scChallenge, scChallengeLen, &scUsk, &scUskLen);
+
+ if (res != 0 || scUsk == NULL) {
+ free(scChallenge);
+ secinfo("TokenLogin", "TokenLoginUnlockKeybag cannot get usk: %x", res);
+ return errSecInternal;
+ }
+
+ CFRef<CFTypeRef> wrappedUsk;
+ if (mode == AKS_SMARTCARD_MODE_ECDH) {
+ const void *ecPub = NULL;
+ size_t ecPubLen = 0;
+ res = aks_smartcard_get_ec_pub(scChallenge, scChallengeLen, &ecPub, &ecPubLen);
+ if (res != 0 || ecPub == NULL) {
+ free(scChallenge);
+ secinfo("TokenLogin", "TokenLoginUnlockKeybag cannot get ecpub: %x", res);
+ return 
errSecInternal; + } + wrappedUsk = CFDataCreateMutable(kCFAllocatorDefault, ecPubLen + scUskLen); + if (!wrappedUsk) { + free(scChallenge); + secinfo("TokenLogin", "TokenLoginUnlockKeybag no mem for ecpubusk"); + return errSecInternal; + } + CFDataAppendBytes((CFMutableDataRef)wrappedUsk.get(), (const UInt8 *)ecPub, (CFIndex)ecPubLen); + CFDataAppendBytes((CFMutableDataRef)wrappedUsk.get(), (const UInt8 *)scUsk, (CFIndex)scUskLen); + } else { + wrappedUsk = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)scUsk, (CFIndex)scUskLen); + } + free(scChallenge); + // decrypt Usk with SC + CFRef<CFDataRef> unwrappedUsk = SecKeyCreateDecryptedData(privKey, + mode == AKS_SMARTCARD_MODE_RSA ? kSecKeyAlgorithmRSAEncryptionOAEPSHA256 : kSecKeyAlgorithmECIESEncryptionAKSSmartCard, + (CFDataRef)wrappedUsk.get(), + error.take()); + if (!unwrappedUsk) { + secinfo("TokenLogin", "TokenLoginUnlockKeybag failed to unwrap blob: %@", error.get()); + return errSecInternal; + } + + void *scNewBlob = NULL; + size_t scNewLen = 0; + res = aks_smartcard_unlock(session_keybag_handle, (uint8_t *)CFDataGetBytePtr(scBlob), (size_t)CFDataGetLength(scBlob), (uint8_t *)CFDataGetBytePtr(unwrappedUsk), (size_t)CFDataGetLength(unwrappedUsk), &scNewBlob, &scNewLen); + if (scNewBlob) { + CFRef<CFDataRef> newBlobData = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)scNewBlob, (CFIndex)scNewLen); + free(scNewBlob); + CFRef<CFMutableDictionaryRef> newDict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 4, loginData); + if (newDict) { + CFDictionarySetValue(newDict, kSecClassKey, newBlobData.get()); + TokenLoginStoreUnlockData(context, newDict); + } + } + return res; +} diff --git a/OSX/libsecurity_keychain/lib/TokenLogin.h b/OSX/libsecurity_keychain/lib/TokenLogin.h new file mode 100644 index 00000000..b7976bf8 --- /dev/null +++ b/OSX/libsecurity_keychain/lib/TokenLogin.h 
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef TokenLogin_h
+#define TokenLogin_h
+
+#include <CoreFoundation/CoreFoundation.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+OSStatus TokenLoginGetContext(const void *base64TokenLoginData, UInt32 base64TokenLoginDataLength, CFDictionaryRef *context);
+OSStatus TokenLoginGetLoginData(CFDictionaryRef context, CFDictionaryRef *loginData);
+
+OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CFDataRef pubKeyHashWrap, CFDataRef unlockKey, CFDataRef scBlob);
+OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context);
+OSStatus TokenLoginStoreUnlockData(CFDictionaryRef context, CFDictionaryRef loginData);
+OSStatus TokenLoginDeleteUnlockData(CFDataRef pubKeyHash);
+
+OSStatus TokenLoginGetUnlockKey(CFDictionaryRef context, CFDataRef *unlockKey);
+OSStatus TokenLoginGetScBlob(CFDataRef pubKeyHash, CFStringRef tokenId, CFStringRef password, CFDataRef *scBlob);
+OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginData);
+ +#ifdef __cplusplus +} +#endif + +#endif /* TokenLogin_h */ diff --git a/OSX/libsecurity_keychain/lib/Trust.cpp b/OSX/libsecurity_keychain/lib/Trust.cpp index 45a28a49..a10e0528 100644 --- a/OSX/libsecurity_keychain/lib/Trust.cpp +++ b/OSX/libsecurity_keychain/lib/Trust.cpp @@ -96,6 +96,21 @@ TrustKeychains::TrustKeychains() : mRootStoreHandle = (*mRootStore)->database()->handle(); } +TrustKeychains::~TrustKeychains() { + if(mRootStoreDL) { + delete mRootStoreDL; + mRootStoreDL = NULL; + } + if(mRootStoreDb) { + delete mRootStoreDb; + mRootStoreDb = NULL; + } + if(mRootStore) { + delete mRootStore; + mRootStore = NULL; + } +} + RecursiveMutex& SecTrustKeychainsGetMutex() { return trustKeychainsMutex(); @@ -223,11 +238,11 @@ void Trust::evaluate(bool disableEV) } CFArrayRef filteredCerts = NULL; if (isEVCandidate) { - secdebug("evTrust", "Trust::evaluate() certificate is EV candidate"); + secinfo("evTrust", "Trust::evaluate() certificate is EV candidate"); filteredCerts = potentialEVChainWithCertificates(mCerts); mCerts = filteredCerts; } else { - secdebug("evTrust", "Trust::evaluate() performing standard evaluation"); + secinfo("evTrust", "Trust::evaluate() performing standard evaluation"); if (mCerts) { filteredCerts = CFArrayCreateMutableCopy(NULL, 0, mCerts); } @@ -247,7 +262,7 @@ void Trust::evaluate(bool disableEV) if (mAllowedAnchors) { - secdebug("trusteval", "Trust::evaluate: anchors: %ld", CFArrayGetCount(mAllowedAnchors)); + secinfo("trusteval", "Trust::evaluate: anchors: %ld", CFArrayGetCount(mAllowedAnchors)); #if !defined(NDEBUG) CFArrayApplyFunction(mAllowedAnchors, CFRangeMake(0, CFArrayGetCount(mAllowedAnchors)), showCertSKID, NULL); #endif 
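Review bot: The new public declarations carry no ownership or secret-handling documentation: `TokenLoginGetContext`, `TokenLoginGetLoginData`, `TokenLoginGetUnlockKey` and `TokenLoginGetScBlob` all hand a CF object back through an out-parameter, and nothing says whether the caller must CFRelease it or that `unlockKey` and `password` are secrets to be discarded promptly. For `scBlob` the implementation in the preceding TokenLogin.cpp hunk builds the result with CFDataCreate, so it is a +1 reference; the others are not visible here but presumably follow the same convention. I'd put a comment on each group, e.g. `/* On errSecSuccess *scBlob is a +1 reference the caller must CFRelease; password is read only for the duration of the call. */`. Separately, the last declaration but one names its first parameter `pubKeyHash` while the definition names it `pubKeyHashWrap` and looks the key up under `kSecAttrAccount` with that value, so the header should say `CFDataRef pubKeyHashWrap` to steer callers to the right hash.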
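Review bot: The new `TrustKeychains::~TrustKeychains` deletes `mRootStoreDL` first and `mRootStore` last; if, as the member names suggest, the Db was opened on the DL and the Keychain on the Db (the constructor body is not in this hunk, only its last line `mRootStoreHandle = (*mRootStore)->database()->handle();` is), that is construction order, and the conservative order is the reverse so that no object outlives the one it references. I'd reorder the three blocks to delete `mRootStore`, then `mRootStoreDb`, then `mRootStoreDL`. Now that the class owns raw pointers with a non-trivial destructor, it also needs copy construction and assignment disabled (or the members changed to a smart pointer), otherwise a copy yields a double delete; the class body is not visible here, so this may already be the case.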
@@ -328,7 +343,7 @@ void Trust::evaluate(bool disableEV) allPolicies = convertRevocationPolicy(numRevocationAdded, context.allocator); if (allPolicies) { // caller has explicitly set the revocation policy they want to use - secdebug("evTrust", "Trust::evaluate() using explicit revocation policy (%d)", + secinfo("evTrust", "Trust::evaluate() using explicit revocation policy (%d)", numRevocationAdded); if (numRevocationAdded == 0) isEVCandidate = false; @@ -337,13 +352,13 @@ void Trust::evaluate(bool disableEV) // caller explicitly provided empty anchors and no keychain list, // and did not explicitly specify the revocation policy; // override global revocation check setting for this evaluation - secdebug("evTrust", "Trust::evaluate() has empty anchors and no keychains"); + secinfo("evTrust", "Trust::evaluate() has empty anchors and no keychains"); allPolicies = NULL; // use only mPolicies isEVCandidate = false; } else if (isEVCandidate || requirePerCert) { // force revocation checking for this evaluation - secdebug("evTrust", "Trust::evaluate() forcing OCSP/CRL revocation check"); + secinfo("evTrust", "Trust::evaluate() forcing OCSP/CRL revocation check"); allPolicies = forceRevocationPolicies(true, requirePerCert, numRevocationAdded, context.allocator, requirePerCert); } @@ -354,7 +369,7 @@ void Trust::evaluate(bool disableEV) } if (allPolicies == NULL) { // use mPolicies; no revocation checking will be performed - secdebug("evTrust", "Trust::evaluate() will not perform revocation check"); + secinfo("evTrust", "Trust::evaluate() will not perform revocation check"); CFIndex numPolicies = CFArrayGetCount(mPolicies); CFAllocatorRef allocator = CFGetAllocator(mPolicies); allPolicies = CFArrayCreateMutableCopy(allocator, numPolicies, mPolicies); 
@@ -375,14 +390,14 @@ void Trust::evaluate(bool disableEV) // no anchor certificates were provided; // built-in anchors will be trusted unless explicitly disabled. mUsingTrustSettings = (mAnchorPolicy < useAnchorsOnly); - secdebug("userTrust", "Trust::evaluate() %s", + secinfo("userTrust", "Trust::evaluate() %s", (mUsingTrustSettings) ? "using UserTrust" : "has no trusted anchors!"); } else { // anchor certificates were provided; // built-in anchors will NOT also be trusted unless explicitly enabled. mUsingTrustSettings = (mAnchorPolicy == useAnchorsAndBuiltIns); - secdebug("userTrust", "Trust::evaluate() using %s %s anchors", + secinfo("userTrust", "Trust::evaluate() using %s %s anchors", (mUsingTrustSettings) ? "UserTrust AND" : "only", (isEVCandidate) ? "EV" : "caller"); context.anchors(roots, roots); @@ -465,7 +480,7 @@ void Trust::evaluate(bool disableEV) mTpReturn = errSecSuccess; } catch (CommonError &err) { mTpReturn = err.osStatus(); - secdebug("trusteval", "certGroupVerify exception: %d", (int)mTpReturn); + secinfo("trusteval", "certGroupVerify exception: %d", (int)mTpReturn); } mResult = diagnoseOutcome(); @@ -480,7 +495,7 @@ void Trust::evaluate(bool disableEV) mTpResult[2].as<CSSM_TP_APPLE_EVIDENCE_INFO>(), anchors); } else { // unexpected evidence information. Can't use it - secdebug("trusteval", "unexpected evidence ignored"); + secinfo("trusteval", "unexpected evidence ignored"); } /* do post-processing for the evaluated certificate chain */ 
@@ -623,7 +638,7 @@ void Trust::evaluateUserTrust(const CertGroup &chain, if (info.recordId()) { Keychain keychain = keychainByDLDb(info.DlDbHandle); DbUniqueRecord uniqueId(keychain->database()->newDbUniqueRecord()); - secdebug("trusteval", "evidence %lu from keychain \"%s\"", (unsigned long)n, keychain->name()); + secinfo("trusteval", "evidence %lu from keychain \"%s\"", (unsigned long)n, keychain->name()); *static_cast<CSSM_DB_UNIQUE_RECORD_PTR *>(uniqueId) = info.UniqueRecord; uniqueId->activate(); // transfers ownership Item ii = keychain->item(CSSM_DL_DB_RECORD_X509_CERTIFICATE, uniqueId); @@ -633,20 +648,20 @@ void Trust::evaluateUserTrust(const CertGroup &chain, } mCertChain[n] = cert; } else if (info.status(CSSM_CERT_STATUS_IS_IN_INPUT_CERTS)) { - secdebug("trusteval", "evidence %lu from input cert %lu", (unsigned long)n, (unsigned long)info.index()); + secinfo("trusteval", "evidence %lu from input cert %lu", (unsigned long)n, (unsigned long)info.index()); assert(info.index() < uint32(CFArrayGetCount(mCerts))); SecCertificateRef cert = SecCertificateRef(CFArrayGetValueAtIndex(mCerts, info.index())); mCertChain[n] = Certificate::required(cert); } else if (info.status(CSSM_CERT_STATUS_IS_IN_ANCHORS)) { - secdebug("trusteval", "evidence %lu from anchor cert %lu", (unsigned long)n, (unsigned long)info.index()); + secinfo("trusteval", "evidence %lu from anchor cert %lu", (unsigned long)n, (unsigned long)info.index()); assert(info.index() < uint32(CFArrayGetCount(anchors))); SecCertificateRef cert = SecCertificateRef(CFArrayGetValueAtIndex(anchors, info.index())); mCertChain[n] = Certificate::required(cert); } else { // unknown source; make a new Certificate for it - secdebug("trusteval", "evidence %lu from unknown source", (unsigned long)n); + secinfo("trusteval", "evidence %lu from unknown source", (unsigned long)n); mCertChain[n] = new Certificate(chain.blobCerts()[n], CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_BER); 
@@ -665,7 +680,7 @@ void Trust::evaluateUserTrust(const CertGroup &chain, continue; } mResult = store.find(mCertChain[mResultIndex], policy, searchLibs()); - secdebug("trusteval", "trustResult=%d from cert %d", (int)mResult, (int)mResultIndex); + secinfo("trusteval", "trustResult=%d from cert %d", (int)mResult, (int)mResultIndex); } } @@ -698,12 +713,12 @@ void Trust::releaseTPEvidence(TPVerifyResult &result, Allocator &allocator) allocator.free(evidence[n].StatusCodes); allocator.free(result[2].data()); // array of (flat) info structs } else { - secdebug("trusteval", "unrecognized Apple TP evidence format"); + secinfo("trusteval", "unrecognized Apple TP evidence format"); // drop it -- better leak than kill } } else { // unknown format -- blindly assume flat blobs - secdebug("trusteval", "destroying unknown TP evidence format"); + secinfo("trusteval", "destroying unknown TP evidence format"); for (uint32 n = 0; n < result.count(); n++) { allocator.free(result[n].data()); @@ -724,6 +739,7 @@ void Trust::clearResults() if (mResult != kSecTrustResultInvalid) { releaseTPEvidence(mTpResult, mTP.allocator()); mResult = kSecTrustResultInvalid; + mExtendedResult = NULL; } } diff --git a/OSX/libsecurity_keychain/lib/Trust.h b/OSX/libsecurity_keychain/lib/Trust.h index 3ebdf780..db05aea2 100644 --- a/OSX/libsecurity_keychain/lib/Trust.h +++ b/OSX/libsecurity_keychain/lib/Trust.h @@ -194,7 +194,7 @@ class TrustKeychains { public: TrustKeychains(); - ~TrustKeychains() {} + ~TrustKeychains(); CSSM_DL_DB_HANDLE rootStoreHandle() { return mRootStoreHandle; } CSSM_DL_DB_HANDLE systemKcHandle() { return mSystem ? mSystem->database()->handle() : nullCSSMDLDBHandle; } Keychain &systemKc() { return mSystem; } diff --git a/OSX/libsecurity_keychain/lib/TrustAdditions.cpp b/OSX/libsecurity_keychain/lib/TrustAdditions.cpp index a5b3da47..a79bfaff 100644 --- a/OSX/libsecurity_keychain/lib/TrustAdditions.cpp +++ b/OSX/libsecurity_keychain/lib/TrustAdditions.cpp 
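Review bot: `mExtendedResult = NULL;` in `Trust::clearResults` drops the pointer without releasing what it points to. `extendedValidationResults` later in this patch returns a dictionary created with `CFDictionaryCreateMutable`, so if `mExtendedResult` holds that +1 reference (its declaration is not visible here), every re-evaluation of the same trust object now leaks the previous result, and if the destructor relies on clearResults the final one leaks too. Unless it is a deliberately non-owning alias, this should be `if (mExtendedResult) { CFRelease(mExtendedResult); }` followed by `mExtendedResult = NULL;`, with a one-line comment stating who owns the dictionary.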
@@ -1,15 +1,15 @@ /* - * Copyright (c) 2002-2009,2011-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2002-2009,2011-2015 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -65,7 +65,7 @@ #ifdef NDEBUG /* this actually compiles to nothing */ -#define trustDebug(args...) secdebug("trust", ## args) +#define trustDebug(args...) secinfo("trust", ## args) #else #define trustDebug(args...) printf(args) #endif @@ -334,7 +334,7 @@ CFArrayRef potentialEVChainWithCertificates(CFArrayRef certificates) // intermediate from the returned certificate array. CFIndex chainIndex, chainLen = (certificates) ? CFArrayGetCount(certificates) : 0; - secdebug("trusteval", "potentialEVChainWithCertificates: chainLen: %ld", chainLen); + secinfo("trusteval", "potentialEVChainWithCertificates: chainLen: %ld", chainLen); if (chainLen < 2) { if (certificates) { CFRetain(certificates); 
@@ -346,24 +346,24 @@ CFArrayRef potentialEVChainWithCertificates(CFArrayRef certificates) for (chainIndex = 0; chainIndex < chainLen; chainIndex++) { SecCertificateRef aCert = (SecCertificateRef) CFArrayGetValueAtIndex(certificates, chainIndex); SecCertificateRef replacementCert = NULL; - secdebug("trusteval", "potentialEVChainWithCertificates: examining chainIndex: %ld", chainIndex); + secinfo("trusteval", "potentialEVChainWithCertificates: examining chainIndex: %ld", chainIndex); if (chainIndex > 0) { // if this is not the leaf, then look for a possible replacement root to end the chain // Try lookup using Subject Key ID first replacementCert = _rootCertificateWithSubjectKeyIDOfCertificate(aCert); if (!replacementCert) { - secdebug("trusteval", " not found using SKID, try by subject"); + secinfo("trusteval", " not found using SKID, try by subject"); replacementCert = _rootCertificateWithSubjectOfCertificate(aCert); } } if (!replacementCert) { - secdebug("trusteval", " No replacement found using SKID or subject; keeping original intermediate"); + secinfo("trusteval", " No replacement found using SKID or subject; keeping original intermediate"); CFArrayAppendValue(certArray, aCert); } SafeCFRelease(&replacementCert); } - secdebug("trusteval", "potentialEVChainWithCertificates: exit: new chainLen: %ld", CFArrayGetCount(certArray)); + secinfo("trusteval", "potentialEVChainWithCertificates: exit: new chainLen: %ld", CFArrayGetCount(certArray)); #if !defined(NDEBUG) CFArrayApplyFunction(certArray, CFRangeMake(0, CFArrayGetCount(certArray)), showCertSKID, NULL); #endif @@ -496,7 +496,7 @@ static void logSKID(const char *msg, const CssmData &subjectKeyID) sprintf(bytes, "%02X", px[ix]); strcat(buffer, bytes); } - secdebug("trusteval", " SKID: %s",buffer); + secinfo("trusteval", " SKID: %s",buffer); } } 
@@ -572,7 +572,7 @@ CFArrayRef _possibleRootCertificatesForOidString(CFStringRef oidString) CFMutableArrayRef possibleRootCertificates = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); CFIndex hashCount = CFArrayGetCount(possibleCertificateHashes); - secdebug("evTrust", "_possibleRootCertificatesForOidString: %d possible hashes", (int)hashCount); + secinfo("evTrust", "_possibleRootCertificatesForOidString: %d possible hashes", (int)hashCount); OSStatus status = errSecSuccess; SecKeychainSearchRef searchRef = NULL; @@ -677,7 +677,7 @@ CFArrayRef _allowedRootCertificatesForOidString(CFStringRef oidString) &foundAny); /* foundAnyEntry */ if (status == errSecSuccess) { - secdebug("evTrust", "_allowedRootCertificatesForOidString: cert %lu has result %d from domain %d", + secinfo("evTrust", "_allowedRootCertificatesForOidString: cert %lu has result %d from domain %d", idx, (int)result, (int)foundDomain); // Root certificates must be trusted by the system (and not have // any explicit trust overrides) to be allowed for EV use. @@ -686,7 +686,7 @@ CFArrayRef _allowedRootCertificatesForOidString(CFStringRef oidString) CFArrayAppendValue(allowedRootCertificates, cert); } } else { - secdebug("evTrust", "_allowedRootCertificatesForOidString: cert %lu SecTrustSettingsEvaluateCert error %d", + secinfo("evTrust", "_allowedRootCertificatesForOidString: cert %lu SecTrustSettingsEvaluateCert error %d", idx, (int)status); } if (errors) { 
@@ -916,7 +916,7 @@ CFArrayRef allowedEVRootsForLeafCertificate(CFArrayRef certificates) // Fetch the allowed root CA certificates for this OID, if any CFArrayRef allowedRoots = (oidString) ? _allowedRootCertificatesForOidString(oidString) : NULL; CFIndex rootCount = (allowedRoots) ? CFArrayGetCount(allowedRoots) : 0; - secdebug("evTrust", "allowedEVRootsForLeafCertificate: found %d allowed roots", (int)rootCount); + secinfo("evTrust", "allowedEVRootsForLeafCertificate: found %d allowed roots", (int)rootCount); SafeCFRelease(&oidString); if (!allowedRoots || !rootCount) { SafeCFRelease(&allowedRoots); @@ -1021,7 +1021,7 @@ CFDictionaryRef extendedValidationResults(CFArrayRef certChain, SecTrustResultTy // check leaf certificate for wildcard names if (hasWildcardDNSName((SecCertificateRef) CFArrayGetValueAtIndex(certChain, 0))) { - trustDebug("has wildcard name (does not meet EV criteria)"); + trustDebug("has wildcard name (does not meet EV criteria)\n"); return NULL; } @@ -1073,7 +1073,7 @@ CFDictionaryRef extendedValidationResults(CFArrayRef certChain, SecTrustResultTy CFMutableDictionaryRef resultDict = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); CFDictionaryAddValue(resultDict, kSecEVOrganizationName, organizationName); - trustDebug("[EV] extended validation succeeded"); + trustDebug("[EV] extended validation succeeded\n"); SafeCFRelease(&organizationName); return resultDict; } 
@@ -1123,10 +1123,10 @@ static CFDictionaryRef _evCAOidDict() static CFDictionaryRef s_evCAOidDict = NULL; if (s_evCAOidDict) { CFRetain(s_evCAOidDict); - secdebug("evTrust", "_evCAOidDict: returning static instance (rc=%d)", (int)CFGetRetainCount(s_evCAOidDict)); + secinfo("evTrust", "_evCAOidDict: returning static instance (rc=%d)", (int)CFGetRetainCount(s_evCAOidDict)); return s_evCAOidDict; } - secdebug("evTrust", "_evCAOidDict: initializing static instance"); + secinfo("evTrust", "_evCAOidDict: initializing static instance"); s_evCAOidDict = dictionaryWithContentsOfPlistFile(EV_ROOTS_PLIST_SYSTEM_PATH); if (!s_evCAOidDict) @@ -1142,14 +1142,14 @@ static CFDictionaryRef _evCAOidDict() CFDataRef hashData = CFDataCreate(NULL, hashBytes, sizeof(hashBytes)); CFIndex hashCount = CFArrayGetCount(hashes); if (hashData && CFArrayContainsValue(hashes, CFRangeMake(0, hashCount), hashData)) { - secdebug("evTrust", "_evCAOidDict: added hardcoded hash value"); + secinfo("evTrust", "_evCAOidDict: added hardcoded hash value"); CFArrayAppendValue(hashes, hashData); } SafeCFRelease(&hashData); } #endif CFRetain(s_evCAOidDict); - secdebug("evTrust", "_evCAOidDict: returning static instance (rc=%d)", (int)CFGetRetainCount(s_evCAOidDict)); + secinfo("evTrust", "_evCAOidDict: returning static instance (rc=%d)", (int)CFGetRetainCount(s_evCAOidDict)); return s_evCAOidDict; } @@ -1190,7 +1190,7 @@ static CFStringRef _decimalStringForOid(CSSM_OID_PTR oid) char *nameBuf = (char *)malloc(bufLen); if (!CFStringGetCString(str, nameBuf, bufLen-1, kCFStringEncodingUTF8)) nameBuf[0]=0; - secdebug("evTrust", "_decimalStringForOid: \"%s\"", nameBuf); + secinfo("evTrust", "_decimalStringForOid: \"%s\"", nameBuf); free(nameBuf); #endif 
@@ -1217,13 +1217,13 @@ static CFStringRef _oidStringForCertificatePolicies(const CE_CertPolicies *certP // in an intermediate CA.) if (!certPolicies) { - secdebug("evTrust", "oidStringForCertificatePolicies: missing certPolicies!"); + secinfo("evTrust", "oidStringForCertificatePolicies: missing certPolicies!"); return NULL; } CFDictionaryRef evOidDict = _evCAOidDict(); if (!evOidDict) { - secdebug("evTrust", "oidStringForCertificatePolicies: nil OID dictionary!"); + secinfo("evTrust", "oidStringForCertificatePolicies: nil OID dictionary!"); return NULL; } diff --git a/OSX/libsecurity_keychain/lib/TrustItem.cpp b/OSX/libsecurity_keychain/lib/TrustItem.cpp index 4c2e3632..ac8567ff 100644 --- a/OSX/libsecurity_keychain/lib/TrustItem.cpp +++ b/OSX/libsecurity_keychain/lib/TrustItem.cpp @@ -47,7 +47,7 @@ UserTrustItem::UserTrustItem(Certificate *cert, Policy *policy, const TrustData reinterpret_cast<const void *>(&trustData)), mCertificate(cert), mPolicy(policy) { - secdebug("usertrust", "%p create(%p,%p) = %d", + secinfo("usertrust", "%p create(%p,%p) = %d", this, cert, policy, SecTrustUserSetting(trustData.trust)); } @@ -57,7 +57,7 @@ UserTrustItem::UserTrustItem(Certificate *cert, Policy *policy, const TrustData // UserTrustItem::~UserTrustItem() { - secdebug("usertrust", "%p destroyed", this); + secinfo("usertrust", "%p destroyed", this); } @@ -94,7 +94,7 @@ PrimaryKey UserTrustItem::add(Keychain &keychain) try { mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get()); - secdebug("usertrust", "%p inserted", this); + secinfo("usertrust", "%p inserted", this); } catch (const CssmError &e) { 
@@ -102,7 +102,7 @@ PrimaryKey UserTrustItem::add(Keychain &keychain) throw; // Create the trust relation and try again. - secdebug("usertrust", "adding schema relation for user trusts"); + secinfo("usertrust", "adding schema relation for user trusts"); db->createRelation(CSSM_DL_DB_RECORD_USER_TRUST, "CSSM_DL_DB_RECORD_USER_TRUST", Schema::UserTrustSchemaAttributeCount, Schema::UserTrustSchemaAttributeList, @@ -117,7 +117,7 @@ PrimaryKey UserTrustItem::add(Keychain &keychain) Schema::UserTrustSchemaIndexList); mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get()); - secdebug("usertrust", "%p inserted now", this); + secinfo("usertrust", "%p inserted now", this); } mPrimaryKey = keychain->makePrimaryKey(recordType, mUniqueId); diff --git a/OSX/libsecurity_keychain/lib/TrustSettings.cpp b/OSX/libsecurity_keychain/lib/TrustSettings.cpp index bcd2d033..4d602799 100644 --- a/OSX/libsecurity_keychain/lib/TrustSettings.cpp +++ b/OSX/libsecurity_keychain/lib/TrustSettings.cpp @@ -40,6 +40,7 @@ #include <security_utilities/logging.h> #include <security_utilities/cfutilities.h> #include <security_utilities/alloc.h> +#include <Security/Authorization.h> #include <Security/cssmapplePriv.h> #include <Security/oidscert.h> #include <Security/SecCertificatePriv.h> 
@@ -48,11 +49,17 @@ #include <security_ocspd/ocspdClient.h> #include <CoreFoundation/CoreFoundation.h> #include <assert.h> -#include <Security/Authorization.h> +#include <dispatch/dispatch.h> #include <sys/stat.h> +#include <syslog.h> -#define trustSettingsDbg(args...) secdebug("trustSettings", ## args) -#define trustSettingsEvalDbg(args...) secdebug("trustSettingsEval", ## args) +#if 0 +#define trustSettingsDbg(args...) syslog(LOG_ERR, ## args) +#define trustSettingsEvalDbg(args...) syslog(LOG_ERR, ## args) +#else +#define trustSettingsDbg(args...) secinfo("trustSettings", ## args) +#define trustSettingsEvalDbg(args...) secinfo("trustSettingsEval", ## args) +#endif /* * Common error return for "malformed TrustSettings record" @@ -108,7 +115,7 @@ static bool tsCheckApp( OSStatus ortn; ortn = SecTrustedApplicationCreateWithExternalRepresentation(certApp, &appRef); if(ortn) { - trustSettingsDbg("tsCheckApp: bad trustedApp data\n"); + trustSettingsDbg("tsCheckApp: bad trustedApp data"); return false; } ortn = SecTrustedApplicationValidateWithPath(appRef, NULL); @@ -803,17 +810,23 @@ void TrustSettings::findQualifiedCerts( KCCursor cursor(keychains, CSSM_DL_DB_RECORD_X509_CERTIFICATE, NULL); Item certItem; bool found; + unsigned int total=0, entries=0, qualified=0; do { found = cursor->next(certItem); if(!found) { break; } + ++total; #if !SECTRUST_OSX CFRef<SecCertificateRef> certRef((SecCertificateRef)certItem->handle()); #else /* must convert to unified SecCertificateRef */ SecPointer<Certificate> certificate(static_cast<Certificate *>(&*certItem)); - CssmData certCssmData = certificate->data(); + CssmData certCssmData; + try { + certCssmData = certificate->data(); + } + catch (...) {} if (!(certCssmData.Data && certCssmData.Length)) { continue; } @@ -826,6 +839,7 @@ void TrustSettings::findQualifiedCerts( if(certDict == NULL) { continue; } + ++entries; if(!findAll) { /* qualify */ 
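Review bot: The `#if 0` alternative that points `trustSettingsDbg` and `trustSettingsEvalDbg` at `syslog(LOG_ERR, ...)` is dead code in a shipping security library, and it is the only reason for the new `#include <syslog.h>`. If someone flips it on, per-certificate trust-settings evaluation detail goes to the system log at error priority, which is not something a dead toggle should make a one-character change away. Either drop the `#if 0` branch together with the include, or guard it with an explicitly named macro such as `#if TRUST_SETTINGS_SYSLOG_DEBUG` and a comment that it must stay off in release builds.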
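Review bot: `catch (...) {}` around `certificate->data()` in `findQualifiedCerts` swallows every exception, not just "this record is unreadable", and then relies on `CssmData`'s default constructor leaving `Data`/`Length` null so that the existing length check silently skips the cert. A keychain that fails for an unrelated reason (I/O or allocation error) thus degrades to "no qualified certs" with nothing logged, and the new `total`/`entries`/`qualified` tallies do not record the skip either. I'd catch the project's `CommonError` (which exposes `osStatus()`, as the `Trust::evaluate` hunk shows), log it, and `continue` explicitly; `findQualifiedCerts` begins before this hunk and the do/while loop continues past it.
```cpp
        SecPointer<Certificate> certificate(static_cast<Certificate *>(&*certItem));
        CssmData certCssmData;
        try {
            certCssmData = certificate->data();
        }
        catch (const CommonError &e) {
            trustSettingsEvalDbg("findQualifiedCerts: cannot read cert %u (%d), skipping",
                total, (int)e.osStatus());
            continue;
        }
        // … unchanged: empty-data check and certRef creation …
```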
@@ -834,6 +848,7 @@ void TrustSettings::findQualifiedCerts( continue; } } + ++qualified; /* see if we already have this one - get in CFData form */ CSSM_DATA certData; @@ -843,7 +858,7 @@ void TrustSettings::findQualifiedCerts( continue; } CFRef<CFDataRef> cfData(CFDataCreate(NULL, certData.Data, certData.Length)); - CFDataRef cfd = cfData; + CFDataRef cfd = cfData.get(); if(CFSetContainsValue(certSet, cfd)) { trustSettingsEvalDbg("findQualifiedCerts: dup cert"); continue; @@ -855,6 +870,9 @@ void TrustSettings::findQualifiedCerts( CFArrayAppendValue(certArray, certRef); } } while(found); + + trustSettingsEvalDbg("findQualifiedCerts: examined %d certs, qualified %d of %d", + total, qualified, entries); } /* @@ -893,7 +911,8 @@ CFArrayRef TrustSettings::copyTrustSettings( /* already validated... */ assert(CFGetTypeID(diskTsDict) == CFDictionaryGetTypeID()); - CFDataRef certPolicy = (CFDataRef) CFDictionaryGetValue(diskTsDict, kSecTrustSettingsPolicy); + CFTypeRef certPolicy = (CFTypeRef) CFDictionaryGetValue(diskTsDict, kSecTrustSettingsPolicy); + CFStringRef policyName = (CFStringRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsPolicyName); CFDataRef certApp = (CFDataRef) CFDictionaryGetValue(diskTsDict, kSecTrustSettingsApplication); CFStringRef policyStr = (CFStringRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsPolicyString); CFNumberRef allowedErr = (CFNumberRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsAllowedError); 
@@ -915,17 +934,33 @@ CFArrayRef TrustSettings::copyTrustSettings( &kCFTypeDictionaryValueCallBacks)); if(certPolicy != NULL) { - /* convert OID as CFDataRef to SecPolicyRef */ SecPolicyRef policyRef = NULL; - CSSM_OID policyOid = { CFDataGetLength(certPolicy), - (uint8 *)CFDataGetBytePtr(certPolicy) }; - OSStatus ortn = SecPolicyCopy(CSSM_CERT_X_509v3, &policyOid, &policyRef); - if(ortn) { - trustSettingsDbg("copyTrustSettings: OID conversion error"); - abort("Bad Policy OID in trusted root list", errSecInvalidTrustedRootRecord); + if (CFDataGetTypeID() == CFGetTypeID(certPolicy)) { + /* convert OID as CFDataRef to SecPolicyRef */ + CSSM_OID policyOid = { CFDataGetLength((CFDataRef)certPolicy), + (uint8 *)CFDataGetBytePtr((CFDataRef)certPolicy) }; + OSStatus ortn = SecPolicyCopy(CSSM_CERT_X_509v3, &policyOid, &policyRef); + if(ortn) { + trustSettingsDbg("copyTrustSettings: OID conversion error"); + abort("Bad Policy OID in trusted root list", errSecInvalidTrustedRootRecord); + } + } else if (CFStringGetTypeID() == CFGetTypeID(certPolicy)) { + policyRef = SecPolicyCreateWithProperties(certPolicy, NULL); } - CFDictionaryAddValue(outTsDict, kSecTrustSettingsPolicy, policyRef); - CFRelease(policyRef); // owned by dictionary + if (policyRef) { + CFDictionaryAddValue(outTsDict, kSecTrustSettingsPolicy, policyRef); + CFRelease(policyRef); // owned by dictionary + } + } + + if (policyName != NULL) { + /* + * copy, since policyName is in our mutable dictionary and could change out from + * under the caller + */ + CFStringRef str = CFStringCreateCopy(NULL, policyName); + CFDictionaryAddValue(outTsDict, kSecTrustSettingsPolicyName, str); + CFRelease(str); // owned by dictionary } if(certApp != NULL) { @@ -1135,7 +1170,7 @@ CFDictionaryRef TrustSettings::findDictionaryForCert( return NULL; } - return findDictionaryForCertHash(static_cast<CFStringRef>(certHashStr)); + return findDictionaryForCertHash(static_cast<CFStringRef>(certHashStr.get())); } /* 
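Review bot: The CFString branch in `copyTrustSettings` fails open: when `SecPolicyCreateWithProperties` returns NULL for an unrecognised policy string, or when `certPolicy` is neither CFData nor CFString, `policyRef` stays NULL and the entry is emitted without a `kSecTrustSettingsPolicy` key. Per the schema comment in TrustSettingsSchema.h later in this patch, every element of a usage constraint is optional and a missing policy means the constraint is not scoped to any policy, so a malformed or unknown policy entry comes back broader than what was stored, and a caller that reads the settings and writes them back would persist that widening; the CFData branch, by contrast, aborts with `errSecInvalidTrustedRootRecord`. Make the string path fail the same way by adding, after the two branches, `if (policyRef == NULL) { trustSettingsDbg("copyTrustSettings: bad policy value"); abort("Bad Policy in trusted root list", errSecInvalidTrustedRootRecord); }`. `copyTrustSettings` begins before this hunk.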
@@ -1163,15 +1198,11 @@ CFArrayRef TrustSettings::validateApiTrustSettings( CFArrayRef tmpInArray = NULL; if(trustSettingsDictOrArray == NULL) { -#if SECTRUST_OSX -#warning STU: temporarily unblocking build -#else /* trivial case, only valid for roots */ if(!isSelfSigned) { trustSettingsDbg("validateApiUsageConstraints: !isSelfSigned, no settings"); MacOSError::throwMe(errSecParam); } -#endif return CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks); } else if(CFGetTypeID(trustSettingsDictOrArray) == CFDictionaryGetTypeID()) { @@ -1198,7 +1229,8 @@ CFArrayRef TrustSettings::validateApiTrustSettings( /* convert */ for(CFIndex dex=0; dex<numSpecs; dex++) { - CFDataRef oidData = NULL; + CFTypeRef oidData = NULL; + CFStringRef policyName = NULL; CFDataRef appData = NULL; CFStringRef policyStr = NULL; CFNumberRef allowedErr = NULL; @@ -1224,11 +1256,18 @@ CFArrayRef TrustSettings::validateApiTrustSettings( break; } ortn = SecPolicyGetOID(certPolicy, &oid); - if(ortn) { + if (ortn) { + /* newer policies don't have CSSM OIDs but they do have string OIDs */ + oidData = CFRetain(SecPolicyGetOidString(certPolicy)); + } else { + oidData = CFDataCreate(NULL, oid.Data, oid.Length); + } + + if (!oidData) { trustSettingsDbg("validateAppPolicyArray: SecPolicyGetOID error"); break; } - oidData = CFDataCreate(NULL, oid.Data, oid.Length); + policyName = SecPolicyGetName(certPolicy); } /* application - optional */ @@ -1292,6 +1331,10 @@ CFArrayRef TrustSettings::validateApiTrustSettings( CFDictionaryAddValue(outDict, kSecTrustSettingsPolicy, oidData); CFRelease(oidData); // owned by dictionary } + if(policyName) { + CFDictionaryAddValue(outDict, kSecTrustSettingsPolicyName, policyName); + /* still owned by ucDict */ + } if(appData) { CFDictionaryAddValue(outDict, kSecTrustSettingsApplication, appData); CFRelease(appData); // owned by dictionary 
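Review bot: In the `@@ -1224` hunk of validateApiTrustSettings, `oidData = CFRetain(SecPolicyGetOidString(certPolicy));` is unguarded: CFRetain on a NULL reference traps, so the `if (!oidData)` check that follows can never catch a policy that has neither a CSSM OID nor an OID string, and the break-with-debug-message path is unreachable for that case. Suggest `CFStringRef oidStr = SecPolicyGetOidString(certPolicy);` followed by `oidData = oidStr ? CFRetain(oidStr) : NULL;` so the existing guard does its job. The debug text `"validateAppPolicyArray: SecPolicyGetOID error"` now also covers the string path and could mention that. The enclosing loop body continues outside the hunk.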
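Review bot: The ownership comment `/* still owned by ucDict */` added in the `@@ -1292` hunk does not match where policyName comes from: it is obtained via `SecPolicyGetName(certPolicy)` in the `@@ -1224` hunk, a Get-rule accessor, so the reference is owned by the policy object, and CFDictionaryAddValue retains its own copy. Suggest `/* Get-rule reference owned by certPolicy; outDict retains it, nothing to release here */` so a later reader does not look for a matching release on ucDict. Whether certPolicy itself is owned by ucDict is not visible in this hunk.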
@@ -1303,10 +1346,9 @@ CFArrayRef TrustSettings::validateApiTrustSettings( if(allowedErr) { CFDictionaryAddValue(outDict, kSecTrustSettingsAllowedError, allowedErr); } -#if SECTRUST_OSX -#warning STU: temporarily unblocking build + ortn = errSecSuccess; -#else + if(resultType) { /* let's be really picky on this one */ switch(result) { @@ -1346,7 +1388,7 @@ CFArrayRef TrustSettings::validateApiTrustSettings( break; } } -#endif + if(keyUsage) { CFDictionaryAddValue(outDict, kSecTrustSettingsKeyUsage, keyUsage); } diff --git a/OSX/libsecurity_keychain/lib/TrustSettingsSchema.h b/OSX/libsecurity_keychain/lib/TrustSettingsSchema.h index 2310dc43..68915444 100644 --- a/OSX/libsecurity_keychain/lib/TrustSettingsSchema.h +++ b/OSX/libsecurity_keychain/lib/TrustSettingsSchema.h @@ -58,7 +58,8 @@ * A usageConstraints dictionary is like so (all elements are optional). These key * strings are defined in SecUserTrust.h. * - * key = kSecTrustSettingsPolicy value = policy OID as CFData + * key = kSecTrustSettingsPolicy value = policy OID as CFData or CFString + * key = kSecTrustSettingsPolicyName value = policy name as CFString * key = kSecTrustSettingsApplication value = application as CFData * key = kSecTrustSettingsPolicyString value = CFString, policy-specific * key = kSecTrustSettingsAllowedError value = CFNumber, an SInt32 CSSM_RETURN diff --git a/OSX/libsecurity_keychain/lib/TrustStore.cpp b/OSX/libsecurity_keychain/lib/TrustStore.cpp index c703d431..521c3fa6 100644 --- a/OSX/libsecurity_keychain/lib/TrustStore.cpp +++ b/OSX/libsecurity_keychain/lib/TrustStore.cpp 
@@ -65,14 +65,14 @@ SecTrustUserSetting TrustStore::find(Certificate *cert, Policy *policy, try { cert->copyTo(location); // add cert to the trust item's keychain } catch (...) { - secdebug("trusteval", "failed to add certificate %p to keychain \"%s\"", + secinfo("trusteval", "failed to add certificate %p to keychain \"%s\"", cert, location->name()); try { if (&*location != &*defaultKeychain) cert->copyTo(defaultKeychain); // try the default (if it's not the same) } catch (...) { // unable to add the certificate - secdebug("trusteval", "failed to add certificate %p to keychain \"%s\"", + secinfo("trusteval", "failed to add certificate %p to keychain \"%s\"", cert, defaultKeychain->name()); } } @@ -138,14 +138,14 @@ void TrustStore::assign(Certificate *cert, Policy *policy, SecTrustUserSetting t try { cert->copyTo(trustLocation); // add cert to the trust item's keychain } catch (...) { - secdebug("trusteval", "failed to add certificate %p to keychain \"%s\"", + secinfo("trusteval", "failed to add certificate %p to keychain \"%s\"", cert, trustLocation->name()); try { if (&*trustLocation != &*defaultKeychain) cert->copyTo(defaultKeychain); // try the default (if it's not the same) } catch (...) { // unable to add the certificate - secdebug("trusteval", "failed to add certificate %p to keychain \"%s\"", + secinfo("trusteval", "failed to add certificate %p to keychain \"%s\"", cert, defaultKeychain->name()); } } @@ -170,6 +170,7 @@ Item TrustStore::findItem(Certificate *cert, Policy *policy, // we no longer need or want to look for them anymore. return ((ItemImpl*)NULL); +#if 0 StLock<Mutex> _(mMutex); try { @@ -192,6 +193,7 @@ Item TrustStore::findItem(Certificate *cert, Policy *policy, catch (const CommonError &error) {} return ((ItemImpl*)NULL); // no trust schema, no records, no error +#endif } void TrustStore::getCssmRootCertificates(CertGroup &rootCerts) 
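Review bot: The secdebug-to-secinfo change in the `@@ -65` and `@@ -138` hunks (and in the later hunks of TrustStore.cpp, TrustedApplication.cpp, UnlockReferralItem.cpp and defaultcreds.cpp) raises these messages to info level, and if secinfo maps to an os_log info-level call as its name suggests, they are no longer confined to debug builds the way secdebug output presumably was. Several of them print `%p` object addresses together with keychain names or on-disk paths, and heap addresses in persisted logs weaken ASLR for anyone who can read the log store. Suggest dropping the `%p` from the promoted messages, or keeping pointer-bearing variants on secdebug, and confirming that the keychain-name arguments are treated as private by the logging macro.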
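Review bot: In the `@@ -170` and `@@ -192` hunks the body of TrustStore::findItem is fenced with `#if 0` / `#endif` instead of being deleted, even though the unconditional `return ((ItemImpl*)NULL);` above it already makes everything after it unreachable. Disabled code that still reads as if it took a lock and queried the trust schema is a maintenance trap (it will bit-rot silently and reviewers have to work out that it never runs). Suggest removing the fenced block entirely and leaving the existing comment that explains why the lookup is no longer performed; the enclosing function starts outside the hunk.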
@@ -252,7 +254,7 @@ void TrustStore::loadRootCertificates() base += certData.Length; } - secdebug("anchors", "%ld anchors loaded", (long)numCerts); + secinfo("anchors", "%ld anchors loaded", (long)numCerts); mRootsValid = true; // ready to roll } diff --git a/OSX/libsecurity_keychain/lib/TrustedApplication.cpp b/OSX/libsecurity_keychain/lib/TrustedApplication.cpp index 977eba37..a07da4f1 100644 --- a/OSX/libsecurity_keychain/lib/TrustedApplication.cpp +++ b/OSX/libsecurity_keychain/lib/TrustedApplication.cpp @@ -44,7 +44,7 @@ TrustedApplication::TrustedApplication(const TypedList &subject) try { CodeSignatureAclSubject::Maker maker; mForm = maker.make(subject); - secdebug("trustedapp", "%p created from list form", this); + secinfo("trustedapp", "%p created from list form", this); IFDUMPING("codesign", mForm->AclSubject::dump("STApp created from list")); } catch (...) { throw ACL::ParseError(); @@ -59,7 +59,7 @@ TrustedApplication::TrustedApplication(const std::string &path) { RefPointer<OSXCode> code(OSXCode::at(path)); mForm = new CodeSignatureAclSubject(OSXVerifier(code)); - secdebug("trustedapp", "%p created from path %s", this, path.c_str()); + secinfo("trustedapp", "%p created from path %s", this, path.c_str()); IFDUMPING("codesign", mForm->AclSubject::dump("STApp created from path")); } @@ -72,7 +72,7 @@ TrustedApplication::TrustedApplication() //@@@@ should use CS's idea of "self" RefPointer<OSXCode> me(OSXCode::main()); mForm = new CodeSignatureAclSubject(OSXVerifier(me)); - secdebug("trustedapp", "%p created from self", this); + secinfo("trustedapp", "%p created from self", this); IFDUMPING("codesign", mForm->AclSubject::dump("STApp created from self")); } 
@@ -88,7 +88,7 @@ TrustedApplication::TrustedApplication(const std::string &path, SecRequirementRe MacOSError::check(SecRequirementCopyData(reqRef, kSecCSDefaultFlags, &reqData.aref())); mForm = new CodeSignatureAclSubject(NULL, path); mForm->add((const BlobCore *)CFDataGetBytePtr(reqData)); - secdebug("trustedapp", "%p created from path %s and requirement %p", + secinfo("trustedapp", "%p created from path %s and requirement %p", this, path.c_str(), reqRef); IFDUMPING("codesign", mForm->debugDump()); } @@ -142,7 +142,7 @@ void TrustedApplication::data(CFDataRef data) bool TrustedApplication::verifyToDisk(const char *path) { if (SecRequirementRef requirement = mForm->requirement()) { - secdebug("trustedapp", "%p validating requirement against path %s", this, path); + secinfo("trustedapp", "%p validating requirement against path %s", this, path); CFRef<SecStaticCodeRef> ondisk; if (path) MacOSError::check(SecStaticCodeCreateWithPath(CFTempURL(path), @@ -151,7 +151,7 @@ bool TrustedApplication::verifyToDisk(const char *path) MacOSError::check(SecCodeCopySelf(kSecCSDefaultFlags, (SecCodeRef *)&ondisk.aref())); return SecStaticCodeCheckValidity(ondisk, kSecCSDefaultFlags, requirement) == errSecSuccess; } else { - secdebug("trustedapp", "%p validating hash against path %s", this, path); + secinfo("trustedapp", "%p validating hash against path %s", this, path); RefPointer<OSXCode> code = path ? OSXCode::at(path) : OSXCode::main(); SHA1::Digest ondiskDigest; OSXVerifier::makeLegacyHash(code, ondiskDigest); diff --git a/OSX/libsecurity_keychain/lib/UnlockReferralItem.cpp b/OSX/libsecurity_keychain/lib/UnlockReferralItem.cpp index f9b004a3..382ed8f4 100644 --- a/OSX/libsecurity_keychain/lib/UnlockReferralItem.cpp +++ b/OSX/libsecurity_keychain/lib/UnlockReferralItem.cpp @@ -42,7 +42,7 @@ UnlockReferralItem::UnlockReferralItem() : UInt32(0/*size*/), NULL/*data*/) { - secdebug("referral", "create %p", this); + secinfo("referral", "create %p", this); } 
@@ -51,7 +51,7 @@ UnlockReferralItem::UnlockReferralItem() : // UnlockReferralItem::~UnlockReferralItem() { - secdebug("referral", "destroy %p", this); + secinfo("referral", "destroy %p", this); } @@ -74,7 +74,7 @@ PrimaryKey UnlockReferralItem::add(Keychain &keychain) try { mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get()); - secdebug("usertrust", "%p inserted", this); + secinfo("usertrust", "%p inserted", this); } catch (const CssmError &e) { @@ -82,7 +82,7 @@ PrimaryKey UnlockReferralItem::add(Keychain &keychain) throw; // Create the referral relation and try again. - secdebug("usertrust", "adding schema relation for user trusts"); + secinfo("usertrust", "adding schema relation for user trusts"); #if 0 db->createRelation(CSSM_DL_DB_RECORD_UNLOCK_REFERRAL, "CSSM_DL_DB_RECORD_UNLOCK_REFERRAL", @@ -101,7 +101,7 @@ PrimaryKey UnlockReferralItem::add(Keychain &keychain) //keychain->resetSchema(); mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get()); - secdebug("usertrust", "%p inserted now", this); + secinfo("usertrust", "%p inserted now", this); } mPrimaryKey = keychain->makePrimaryKey(recordType, mUniqueId); diff --git a/OSX/libsecurity_keychain/lib/defaultcreds.cpp b/OSX/libsecurity_keychain/lib/defaultcreds.cpp index 5188b0e0..cee6e780 100644 --- a/OSX/libsecurity_keychain/lib/defaultcreds.cpp +++ b/OSX/libsecurity_keychain/lib/defaultcreds.cpp 
@@ -78,15 +78,15 @@ bool DefaultCredentials::operator () (Db database) keyReferral(**it); break; default: - secdebug("kcreferral", "referral type %lu (to %s) not supported", + secinfo("kcreferral", "referral type %lu (to %s) not supported", (unsigned long)(*it)->type(), (*it)->dbName().c_str()); break; } } } - secdebug("kcreferral", "%lu samples generated", (unsigned long)size()); + secinfo("kcreferral", "%lu samples generated", (unsigned long)size()); } catch (...) { - secdebug("kcreferral", "exception setting default credentials for %s; using standard value", database->name()); + secinfo("kcreferral", "exception setting default credentials for %s; using standard value", database->name()); } mMade = true; } @@ -101,7 +101,7 @@ bool DefaultCredentials::operator () (Db database) // void DefaultCredentials::keyReferral(const UnlockReferralRecord &ref) { - secdebug("kcreferral", "processing type %ld referral to %s", + secinfo("kcreferral", "processing type %ld referral to %s", (long)ref.type(), ref.dbName().c_str()); DLDbIdentifier identifier(ref.dbName().c_str(), ref.dbGuid(), ref.dbSSID(), ref.dbSSType()); @@ -115,12 +115,12 @@ void DefaultCredentials::keyReferral(const UnlockReferralRecord &ref) // try the entire search list (just in case) try { - secdebug("kcreferral", "no joy with %s; trying the entire keychain list for guid %s", + secinfo("kcreferral", "no joy with %s; trying the entire keychain list for guid %s", ref.dbName().c_str(), ref.dbGuid().toString().c_str()); unlockKey(ref, fallbackSearchList(identifier)); return; } catch (...) { } - secdebug("kcreferral", "no luck at all; we'll skip this record"); + secinfo("kcreferral", "no luck at all; we'll skip this record"); } 
@@ -140,7 +140,7 @@ bool DefaultCredentials::unlockKey(const UnlockReferralRecord &ref, const Keycha Item keyItem; while (cursor->next(keyItem)) { - secdebug("kcreferral", "located source key in %s", keyItem->keychain()->name()); + secinfo("kcreferral", "located source key in %s", keyItem->keychain()->name()); // get a reference to the key in the provider keychain CssmClient::Key key = dynamic_cast<KeyItem &>(*keyItem).key(); diff --git a/OSX/libsecurity_keychain/lib/security_keychain.exp b/OSX/libsecurity_keychain/lib/security_keychain.exp index e0fcb27d..e2b051de 100644 --- a/OSX/libsecurity_keychain/lib/security_keychain.exp +++ b/OSX/libsecurity_keychain/lib/security_keychain.exp @@ -110,6 +110,7 @@ _kSecAttrHasCustomIcon _kSecAttrCRLType _kSecAttrCRLEncoding _kSecAttrAccessGroup +_kSecAttrAccessGroupToken _kSecAttrSynchronizable _kSecAttrSyncViewHint _kSecMatchPolicy @@ -212,12 +213,12 @@ _kSecPolicyAppleProfileSigner _kSecPolicyAppleQAProfileSigner _kSecPolicyAppleTestMobileStore _kSecPolicyAppleServerAuthentication -_kSecPolicyAppleATVAppSigning -_kSecPolicyAppleTestATVAppSigning _kSecPolicyApplePayIssuerEncryption _kSecPolicyAppleOSXProvisioningProfileSigning _kSecPolicyAppleATVVPNProfileSigning _kSecPolicyAppleAST2DiagnosticsServerAuth +_kSecPolicyAppleEscrowProxyServerAuth +_kSecPolicyAppleFMiPServerAuth _kSecPolicyOid _kSecPolicyName _kSecPolicyClient @@ -406,6 +407,8 @@ _SecCertificateCopyFirstFieldValue _SecCertificateCopyPreference _SecCertificateCopyPreferred _SecCertificateCopyPublicKey +_SecCertificateCopySubjectPublicKeyInfoSHA1Digest +_SecCertificateCopySubjectPublicKeyInfoSHA256Digest _SecCertificateCopySubjectSummary _SecCertificateCopyDNSNames _SecCertificateCreateItemImplInstance 
@@ -430,7 +433,9 @@ _SecCertificateGetSubject _SecCertificateGetType _SecCertificateGetTypeID _SecCertificateInferLabel +_SecCertificateIsCA _SecCertificateIsSelfSigned +_SecCertificateIsSelfSignedCA _SecCertificateRequestCreate _SecCertificateRequestGetTypeID _SecCertificateRequestSubmit @@ -472,6 +477,8 @@ _SecInferLabelFromX509Name _SecItemAdd _SecItemCopyDisplayNames _SecItemCopyMatching +_SecItemCopyParentCertificates +_SecItemCopyStoredCertificate _SecItemDelete _SecItemUpdate _kSecAttrKeyTypeRSA @@ -484,6 +491,7 @@ _kSecAttrKeyTypeRC2 _kSecAttrKeyTypeCAST _kSecAttrKeyTypeECDSA _kSecAttrKeyTypeEC +_kSecAttrKeyTypeECSECPrimeRandom _kSecAttrPRF _kSecAttrPRFHmacAlgSHA1 _kSecAttrPRFHmacAlgSHA224 @@ -495,7 +503,9 @@ _kSecAttrRounds _SecECKeyGetNamedCurve _SecItemExport _SecItemImport +_SecKeyCopyAttestationKey _SecKeyCreate +_SecKeyCreateAttestation _SecKeyCreatePair _SecKeyCreateWithCSSMKey _SecKeyDecrypt @@ -527,6 +537,7 @@ _SecKeychainAddGenericPassword _SecKeychainAddIToolsPassword _SecKeychainAddInternetPassword _SecKeychainAttributeInfoForItemID +_SecKeychainAttemptMigrationWithMasterKey _SecKeychainChangePassword _SecKeychainCopyAccess _SecKeychainCopyBlob @@ -555,6 +566,7 @@ _SecKeychainGetTypeID _SecKeychainGetUserInteractionAllowed _SecKeychainGetVersion _SecKeychainGetKeychainVersion +_SecKeychainGetUserPromptAttempts _SecKeychainIsValid _SecKeychainMDSInstall _SecKeychainItemAdd @@ -638,8 +650,8 @@ _SecPolicyCreateApplePushService _SecPolicyCreateAppleMMCSService _SecPolicyCreateApplePPQService _SecPolicyCreateAppleAST2Service -_SecPolicyCreateAppleATVAppSigning -_SecPolicyCreateTestAppleATVAppSigning +_SecPolicyCreateAppleEscrowProxyService +_SecPolicyCreateAppleFMiPService _SecPolicyCreateAppleATVVPNProfileSigning _SecPolicyCreateApplePayIssuerEncryption _SecPolicyCreateAppleSSLService 
@@ -686,6 +698,9 @@ _SecTrustGetTPHandle _SecTrustGetTypeID _SecTrustGetUserTrust _SecTrustGetVerifyTime +_SecTrustLegacySourcesEventRunloopCreate +_SecTrustLegacyCRLFetch +_SecTrustLegacyCRLStatus _SecTrustSetAnchorCertificates _SecTrustSetAnchorCertificatesOnly _SecTrustSetExceptions @@ -768,3 +783,4 @@ _SecFDERecoveryUnwrapCRSKWithPrivKey _SecKeychainSearchCreateForCertificateByIssuerAndSN_CF _SecRandomCopyBytes _SecRandomCopyData +_SecItemUpdateTokenItems diff --git a/OSX/libsecurity_keychain/libDER/Tests/parseTicket.c b/OSX/libsecurity_keychain/libDER/Tests/parseTicket.c index a55cee53..1d707341 100644 --- a/OSX/libsecurity_keychain/libDER/Tests/parseTicket.c +++ b/OSX/libsecurity_keychain/libDER/Tests/parseTicket.c @@ -257,29 +257,6 @@ dumpBytes( const char *title, const unsigned char *data, int len, int nonewline printf("\n"); } -static void -readFile(char *filename, unsigned char **data, unsigned *len) -{ - int size = 0; - FILE *file = NULL; - if ((file = fopen(filename, "r")) == NULL) { - fprintf(stderr, "could not open file=%s", filename); - return; - } - fseek(file, 0, SEEK_END); - size = ftell(file); - *len = size; - *data = (unsigned char*)malloc(*len); - if (!*data) { - fprintf(stderr, "Out of memory"); - fclose(file); - return; - } - rewind(file); - (void)fread(*data, size, 1, file); - fclose(file); -} - static void writeFile( char* filename, unsigned char* buf, int len ) { diff --git a/OSX/libsecurity_keychain/libDER/config/base.xcconfig b/OSX/libsecurity_keychain/libDER/config/base.xcconfig index b6aaf1bc..04320bd9 100644 --- a/OSX/libsecurity_keychain/libDER/config/base.xcconfig +++ b/OSX/libsecurity_keychain/libDER/config/base.xcconfig @@ -5,7 +5,7 @@ CURRENT_PROJECT_VERSION = $(RC_ProjectSourceVersion) VERSIONING_SYSTEM = apple-generic; DEAD_CODE_STRIPPING = YES; -ARCHS = $(ARCHS_STANDARD_32_64_BIT) +ARCHS[sdk=macosx*] = $(ARCHS_STANDARD_32_64_BIT) // Debug symbols should be on obviously GCC_GENERATE_DEBUGGING_SYMBOLS = YES 
@@ -14,3 +14,4 @@ STRIP_STYLE = debugging STRIP_INSTALLED_PRODUCT = NO WARNING_CFLAGS = -Wglobal-constructors -Wno-deprecated-declarations $(inherited) +GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0 diff --git a/OSX/libsecurity_keychain/libDER/config/lib.xcconfig b/OSX/libsecurity_keychain/libDER/config/lib.xcconfig index 18b501cb..18995ac2 100644 --- a/OSX/libsecurity_keychain/libDER/config/lib.xcconfig +++ b/OSX/libsecurity_keychain/libDER/config/lib.xcconfig @@ -7,11 +7,12 @@ CODE_SIGN_IDENTITY = HEADER_SEARCH_PATHS[sdk=macosx*] = $(PROJECT_DIR) $(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers $(inherited) -HEADER_SEARCH_PATHS[sdk=iphone*] = $(PROJECT_DIR) $(BUILT_PRODUCTS_DIR)$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include $(inherited) +HEADER_SEARCH_PATHS[sdk=embedded*] = $(PROJECT_DIR) $(BUILT_PRODUCTS_DIR)/usr/local/include $(inherited) INSTALL_PATH = /usr/local/lib -SKIP_INSTALL[sdk=macosx*] = NO -SKIP_INSTALL[sdk=iphone*] = YES +PUBLIC_HEADERS_FOLDER_PATH = /usr/local/include/security_libDER/libDER + +SKIP_INSTALL = YES ALWAYS_SEARCH_USER_PATHS = NO @@ -29,6 +30,4 @@ GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES GCC_WARN_ABOUT_RETURN_TYPE = YES GCC_WARN_UNUSED_VARIABLE = YES -SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator - -GCC_PREPROCESSOR_DEFINITIONS[sdk=iphonesimulator*] = INDIGO=1 $(inherited) \ No newline at end of file +SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator appletvos appletvsimulator watchos watchsimulator diff --git a/OSX/libsecurity_keychain/libDER/libDER.xcodeproj/project.pbxproj b/OSX/libsecurity_keychain/libDER/libDER.xcodeproj/project.pbxproj index f14c162a..ee9390e8 100644 --- a/OSX/libsecurity_keychain/libDER/libDER.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_keychain/libDER/libDER.xcodeproj/project.pbxproj 
@@ -22,6 +22,31 @@ name = World; productName = World; }; + D46B07A51C8FB22900B5939A /* libDERInstall */ = { + isa = PBXAggregateTarget; + buildConfigurationList = D46B07A81C8FB22900B5939A /* Build configuration list for PBXAggregateTarget "libDERInstall" */; + buildPhases = ( + D46B07AB1C8FB23500B5939A /* Copy Static Library File */, + ); + dependencies = ( + D46B08741C8FC18700B5939A /* PBXTargetDependency */, + D46B07FD1C8FBE1900B5939A /* PBXTargetDependency */, + ); + name = libDERInstall; + productName = libDERInstall; + }; + D46B07EB1C8FBDC600B5939A /* libDERHeaders */ = { + isa = PBXAggregateTarget; + buildConfigurationList = D46B07EC1C8FBDC600B5939A /* Build configuration list for PBXAggregateTarget "libDERHeaders" */; + buildPhases = ( + D46B07EF1C8FBDD700B5939A /* Copy Headers */, + ); + dependencies = ( + D46B07FB1C8FBE0B00B5939A /* PBXTargetDependency */, + ); + name = libDERHeaders; + productName = libDERHeaders; + }; /* End PBXAggregateTarget section */ /* Begin PBXBuildFile section */ 
@@ -46,7 +71,7 @@ 058F15C20922B73F009FA1C5 /* printFields.h in Headers */ = {isa = PBXBuildFile; fileRef = 058F15C00922B73F009FA1C5 /* printFields.h */; }; 058F15C30922B73F009FA1C5 /* printFields.c in Sources */ = {isa = PBXBuildFile; fileRef = 058F15C10922B73F009FA1C5 /* printFields.c */; }; 058F163109250D16009FA1C5 /* oids.c in Sources */ = {isa = PBXBuildFile; fileRef = 058F162D09250D0D009FA1C5 /* oids.c */; }; - 058F163209250D17009FA1C5 /* oids.h in Headers */ = {isa = PBXBuildFile; fileRef = 058F162E09250D0D009FA1C5 /* oids.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 058F163209250D17009FA1C5 /* oids.h in Headers */ = {isa = PBXBuildFile; fileRef = 058F162E09250D0D009FA1C5 /* oids.h */; }; 058F1659092513A7009FA1C5 /* parseCrl.c in Sources */ = {isa = PBXBuildFile; fileRef = 058F1658092513A7009FA1C5 /* parseCrl.c */; }; 058F16710925230E009FA1C5 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 053BA314091C00BF00A7007A /* libDER.a */; }; 058F16720925230F009FA1C5 /* libDERUtils.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 053BA46B091FE63E00A7007A /* libDERUtils.a */; }; 
@@ -57,6 +82,17 @@ 4C96C8E2113F4232005483E8 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 053BA314091C00BF00A7007A /* libDER.a */; }; 4C96C8ED113F42D1005483E8 /* libcrypto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C96C8EC113F42C4005483E8 /* libcrypto.dylib */; }; D467903C1B39FDB500D26E2F /* oidsPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = D467903B1B39FDB500D26E2F /* oidsPriv.h */; }; + D46B07EA1C8FBDAF00B5939A /* libDER.a in Copy Static Library File */ = {isa = PBXBuildFile; fileRef = 053BA314091C00BF00A7007A /* libDER.a */; }; + D46B07F01C8FBDFC00B5939A /* DER_Keys.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 058ECD340920F5E30050AA30 /* DER_Keys.h */; }; + D46B07F11C8FBDFC00B5939A /* asn1Types.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 053BA342091C089B00A7007A /* asn1Types.h */; }; + D46B07F21C8FBDFC00B5939A /* DER_CertCrl.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 053BA398091C258100A7007A /* DER_CertCrl.h */; }; + D46B07F31C8FBDFC00B5939A /* DER_Decode.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 053BA321091C02B700A7007A /* DER_Decode.h */; }; + D46B07F41C8FBDFC00B5939A /* DER_Encode.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 0544AE9F0940939C00DD6C0B /* DER_Encode.h */; }; + D46B07F51C8FBDFC00B5939A /* libDER_config.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 053BA322091C02B700A7007A /* libDER_config.h */; }; + D46B07F61C8FBDFC00B5939A /* libDER.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 053BA323091C02B700A7007A /* libDER.h */; }; + D46B07F71C8FBDFC00B5939A /* DER_Digest.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 05E0E40509228A5E005F4693 /* DER_Digest.h */; }; + D46B07F81C8FBDFC00B5939A /* oids.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = 058F162E09250D0D009FA1C5 /* oids.h */; }; + D46B07F91C8FBDFC00B5939A /* oidsPriv.h in Copy Headers */ = {isa = PBXBuildFile; fileRef = D467903B1B39FDB500D26E2F /* oidsPriv.h */; }; /* End 
PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ 
@@ -130,8 +166,63 @@ remoteGlobalIDString = 053BA313091C00BF00A7007A; remoteInfo = libDER; }; + D46B07FA1C8FBE0B00B5939A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 053BA30A091C00A400A7007A /* Project object */; + proxyType = 1; + remoteGlobalIDString = 053BA313091C00BF00A7007A; + remoteInfo = libDER; + }; + D46B07FC1C8FBE1900B5939A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 053BA30A091C00A400A7007A /* Project object */; + proxyType = 1; + remoteGlobalIDString = D46B07EB1C8FBDC600B5939A; + remoteInfo = libDERHeaders; + }; + D46B08731C8FC18700B5939A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 053BA30A091C00A400A7007A /* Project object */; + proxyType = 1; + remoteGlobalIDString = 053BA313091C00BF00A7007A; + remoteInfo = libDER; + }; /* End PBXContainerItemProxy section */ +/* Begin PBXCopyFilesBuildPhase section */ + D46B07AB1C8FB23500B5939A /* Copy Static Library File */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/lib; + dstSubfolderSpec = 0; + files = ( + D46B07EA1C8FBDAF00B5939A /* libDER.a in Copy Static Library File */, + ); + name = "Copy Static Library File"; + runOnlyForDeploymentPostprocessing = 1; + }; + D46B07EF1C8FBDD700B5939A /* Copy Headers */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/include/security_libDER/libDER; + dstSubfolderSpec = 0; + files = ( + D46B07F01C8FBDFC00B5939A /* DER_Keys.h in Copy Headers */, + D46B07F11C8FBDFC00B5939A /* asn1Types.h in Copy Headers */, + D46B07F21C8FBDFC00B5939A /* DER_CertCrl.h in Copy Headers */, + D46B07F31C8FBDFC00B5939A /* DER_Decode.h in Copy Headers */, + D46B07F41C8FBDFC00B5939A /* DER_Encode.h in Copy Headers */, + D46B07F51C8FBDFC00B5939A /* libDER_config.h in Copy Headers */, + D46B07F61C8FBDFC00B5939A /* libDER.h in Copy Headers */, + D46B07F71C8FBDFC00B5939A /* DER_Digest.h in Copy Headers */, + 
D46B07F81C8FBDFC00B5939A /* oids.h in Copy Headers */, + D46B07F91C8FBDFC00B5939A /* oidsPriv.h in Copy Headers */, + ); + name = "Copy Headers"; + runOnlyForDeploymentPostprocessing = 1; + }; +/* End PBXCopyFilesBuildPhase section */ + /* Begin PBXFileReference section */ 053BA314091C00BF00A7007A /* libDER.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libDER.a; sourceTree = BUILT_PRODUCTS_DIR; }; 053BA321091C02B700A7007A /* DER_Decode.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DER_Decode.h; sourceTree = "<group>"; }; @@ -317,16 +408,16 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + 053BA325091C02B700A7007A /* libDER_config.h in Headers */, D467903C1B39FDB500D26E2F /* oidsPriv.h in Headers */, 053BA326091C02B700A7007A /* libDER.h in Headers */, - 053BA325091C02B700A7007A /* libDER_config.h in Headers */, - 058F163209250D17009FA1C5 /* oids.h in Headers */, 053BA324091C02B700A7007A /* DER_Decode.h in Headers */, - 053BA344091C089B00A7007A /* asn1Types.h in Headers */, 053BA39A091C258100A7007A /* DER_CertCrl.h in Headers */, - 058ECD360920F5E30050AA30 /* DER_Keys.h in Headers */, 05E0E40709228A5E005F4693 /* DER_Digest.h in Headers */, 0544AEA10940939C00DD6C0B /* DER_Encode.h in Headers */, + 058ECD360920F5E30050AA30 /* DER_Keys.h in Headers */, + 058F163209250D17009FA1C5 /* oids.h in Headers */, + 053BA344091C089B00A7007A /* asn1Types.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -436,7 +527,15 @@ 053BA30A091C00A400A7007A /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; + TargetAttributes = { + D46B07A51C8FB22900B5939A = { + CreatedOnToolsVersion = 7.3; + }; + D46B07EB1C8FBDC600B5939A = { + CreatedOnToolsVersion = 7.3; + }; + }; }; buildConfigurationList = 4CD81A7109BE1FD2000A9641 /* Build configuration list for PBXProject "libDER" */; compatibilityVersion = "Xcode 3.2"; @@ -454,6 +553,8 @@ projectRoot = ""; targets = ( 053BA30F091C00B100A7007A /* World */, + D46B07A51C8FB22900B5939A /* libDERInstall */, + D46B07EB1C8FBDC600B5939A /* libDERHeaders */, 053BA313091C00BF00A7007A /* libDER */, 053BA444091FE58C00A7007A /* parseCert */, 053BA46A091FE63E00A7007A /* libDERUtils */, @@ -565,6 +666,21 @@ target = 053BA313091C00BF00A7007A /* libDER */; targetProxy = 4C96C8E0113F4223005483E8 /* PBXContainerItemProxy */; }; + D46B07FB1C8FBE0B00B5939A /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 053BA313091C00BF00A7007A /* libDER */; + targetProxy = D46B07FA1C8FBE0B00B5939A /* PBXContainerItemProxy */; + }; + D46B07FD1C8FBE1900B5939A /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = D46B07EB1C8FBDC600B5939A /* libDERHeaders */; + targetProxy = D46B07FC1C8FBE1900B5939A /* PBXContainerItemProxy */; + }; + D46B08741C8FC18700B5939A /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 053BA313091C00BF00A7007A /* libDER */; + targetProxy = D46B08731C8FC18700B5939A /* PBXContainerItemProxy */; + }; /* End PBXTargetDependency section */ /* Begin XCBuildConfiguration section */ @@ -587,7 +703,6 @@ baseConfigurationReference = 1828EAA114E334E200BE00C2 /* debug.xcconfig */; buildSettings = { COMBINE_HIDPI_IMAGES = YES; - SDKROOT = macosx.internal; }; name = Debug; }; 
@@ -596,7 +711,6 @@ baseConfigurationReference = 1828EAA314E334E200BE00C2 /* release.xcconfig */; buildSettings = { COMBINE_HIDPI_IMAGES = YES; - SDKROOT = macosx.internal; }; name = Release; }; @@ -605,6 +719,7 @@ baseConfigurationReference = 1828EAA114E334E200BE00C2 /* debug.xcconfig */; buildSettings = { COMBINE_HIDPI_IMAGES = YES; + SDKROOT = macosx.internal; }; name = Debug; }; @@ -613,6 +728,7 @@ baseConfigurationReference = 1828EAA314E334E200BE00C2 /* release.xcconfig */; buildSettings = { COMBINE_HIDPI_IMAGES = YES; + SDKROOT = macosx.internal; }; name = Release; }; @@ -664,6 +780,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1828EAA214E334E200BE00C2 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; CLANG_STATIC_ANALYZER_MODE = deep; CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; @@ -673,9 +790,12 @@ CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; RUN_CLANG_STATIC_ANALYZER = YES; SDKROOT = macosx.internal; }; @@ -685,6 +805,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1828EAA214E334E200BE00C2 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; CLANG_STATIC_ANALYZER_MODE = deep; CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; @@ -694,6 +815,7 @@ CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; GCC_WARN_UNUSED_FUNCTION = YES; 
@@ -702,6 +824,34 @@ }; name = Release; }; + D46B07A61C8FB22900B5939A /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + D46B07A71C8FB22900B5939A /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + D46B07ED1C8FBDC600B5939A /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + D46B07EE1C8FBDC600B5939A /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; /* End XCBuildConfiguration section */ /* Begin XCConfigurationList section */ @@ -768,6 +918,24 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; + D46B07A81C8FB22900B5939A /* Build configuration list for PBXAggregateTarget "libDERInstall" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + D46B07A61C8FB22900B5939A /* Debug */, + D46B07A71C8FB22900B5939A /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + D46B07EC1C8FBDC600B5939A /* Build configuration list for PBXAggregateTarget "libDERHeaders" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + D46B07ED1C8FBDC600B5939A /* Debug */, + D46B07EE1C8FBDC600B5939A /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; /* End XCConfigurationList section */ }; rootObject = 053BA30A091C00A400A7007A /* Project object */; diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.h b/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.h index 6e3c4e63..db36e5cc 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.h +++ b/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.h 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2009,2011,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -30,13 +30,11 @@ #ifndef _DER_CERT_CRL_H_ #define _DER_CERT_CRL_H_ -#ifdef __cplusplus -extern "C" { -#endif - #include <libDER/libDER.h> #include <libDER/DER_Decode.h> +__BEGIN_DECLS + /* * Top level cert or CRL - the two are identical at this level - three * components. The tbs field is saved in full DER form for sig verify. @@ -271,9 +269,7 @@ typedef struct { extern const DERItemSpec DERRevokedCertItemSpecs[]; extern const DERSize DERNumRevokedCertItemSpecs; -#ifdef __cplusplus -} -#endif +__END_DECLS #endif /* _DER_CERT_CRL_H_ */ diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.c b/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.c index 78df3f10..6e8802b4 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.c +++ b/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2012 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -53,41 +53,64 @@ /* * Basic decoding primitive. Only works with: * - * -- definite length encoding - * -- one-byte tags + * -- definite length encoding + * -- one-byte tags (unless DER_MULTIBYTE_TAGS is defined) * -- max content length fits in a DERSize * - * No malloc or copy of the contents is performed; the returned + * No malloc or copy of the contents is performed; the returned * content->content.data is a pointer into the incoming der data. */ DERReturn DERDecodeItem( + const DERItem *der, /* data to decode */ + DERDecodedInfo *decoded) /* RETURNED */ +{ + return DERDecodeItemPartialBuffer(der, decoded, false); +} + +/* + * Basic decoding primitive. Allows for decoding with a partial buffer. + * if allowPartialBuffer is true. A partial buffer would normally fail + * because the encoded length would be greater than the size of the buffer passed in. + * Only works with: + * + * -- definite length encoding + * -- one-byte tags (unless DER_MULTIBYTE_TAGS is defined) + * -- max content length fits in a DERSize + * + * No malloc or copy of the contents is performed; the returned + * content->content.data is a pointer into the incoming der data. + */ +DERReturn DERDecodeItemPartialBuffer( const DERItem *der, /* data to decode */ - DERDecodedInfo *decoded) /* RETURNED */ + DERDecodedInfo *decoded, /* RETURNED */ + bool allowPartialBuffer) { - DERByte tag1; /* first tag byte */ - DERByte len1; /* first length byte */ - DERTag tagNumber; /* tag number without class and method bits */ - DERByte *derPtr = der->data; - DERSize derLen = der->length; - + DERByte tag1; /* first tag byte */ + DERByte len1; /* first length byte */ + DERTag tagNumber; /* tag number without class and method bits */ + DERByte *derPtr = der->data; + DERSize derLen = der->length; + /* The tag decoding below is fully BER complient. We support a max tag - value of 2 ^ ((sizeof(DERTag) * 8) - 3) - 1 so for tag size 1 byte we - support tag values from 0 - 0x1F. 
For tag size 2 tag values - from 0 - 0x1FFF and for tag size 4 values from 0 - 0x1FFFFFFF. */ - if(derLen < 2) { - return DR_DecodeError; - } + value of 2 ^ ((sizeof(DERTag) * 8) - 3) - 1 so for tag size 1 byte we + support tag values from 0 - 0x1F. For tag size 2 tag values + from 0 - 0x1FFF and for tag size 4 values from 0 - 0x1FFFFFFF. */ + if(derLen < 2) { + return DR_DecodeError; + } /* Grab the first byte of the tag. */ - tag1 = *derPtr++; - derLen--; - tagNumber = tag1 & 0x1F; - if(tagNumber == 0x1F) { + tag1 = *derPtr++; + derLen--; + tagNumber = tag1 & 0x1F; + if(tagNumber == 0x1F) { #ifdef DER_MULTIBYTE_TAGS /* Long tag form: bit 8 of each octet shall be set to one unless it is - the last octet of the tag */ + the last octet of the tag */ const DERTag overflowMask = ((DERTag)0x7F << (sizeof(DERTag) * 8 - 7)); DERByte tagByte; tagNumber = 0; + if (*derPtr == 0x80 || *derPtr < 0x1F) + return DR_DecodeError; do { if(derLen < 2 || (tagNumber & overflowMask) != 0) { return DR_DecodeError; 
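Review bot: The new long-form tag guard `if (*derPtr == 0x80 || *derPtr < 0x1F) return DR_DecodeError;` in the DER_MULTIBYTE_TAGS branch of DERDecodeItemPartialBuffer carries no comment saying which rule it enforces, and its second half is vacuous for a multi-octet tag (bit 7 set makes the byte at least 0x80), which reads like a bug to anyone who does not know the standard. Suggested why-comment above it: `/* X.690 8.1.2.4.2: the first subsequent octet must not be 0x80 (leading zero) and a long-form tag must carry a number >= 31, otherwise the short form was required */`. The dereference of `*derPtr` is safe here only because `derLen >= 1` still holds after `tag1` was consumed from a buffer checked against 2, which is worth stating in the same comment. Every other single-statement body in this function is braced; this guard should follow the same style. The function continues past the end of this hunk.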
@@ -96,55 +119,55 @@ DERReturn DERDecodeItem( derLen--; tagNumber = (tagNumber << 7) | (tagByte & 0x7F); } while((tagByte & 0x80) != 0); - + /* Check for any of the top 3 reserved bits being set. */ if ((tagNumber & (overflowMask << 4)) != 0) #endif return DR_DecodeError; - } + } /* Returned tag, top 3 bits are class/method remaining bits are number. */ decoded->tag = ((DERTag)(tag1 & 0xE0) << ((sizeof(DERTag) - 1) * 8)) | tagNumber; /* Tag decoding above ensured we have at least one more input byte left. */ - len1 = *derPtr++; - derLen--; - if(len1 & 0x80) { - /* long length form - first byte is length of length */ - DERSize longLen = 0; /* long form length */ - unsigned dex; - - len1 &= 0x7f; - if((len1 > sizeof(DERSize)) || (len1 > derLen)) { - /* no can do */ - return DR_DecodeError; - } - for(dex=0; dex<len1; dex++) { - longLen <<= 8; - longLen |= *derPtr++; - derLen--; - } - if(longLen > derLen) { - /* not enough data left for this encoding */ - return DR_DecodeError; - } - decoded->content.data = derPtr; - decoded->content.length = longLen; - } - else { - /* short length form, len1 is the length */ - if(len1 > derLen) { - /* not enough data left for this encoding */ - return DR_DecodeError; - } - decoded->content.data = derPtr; - decoded->content.length = len1; - } + len1 = *derPtr++; + derLen--; + if(len1 & 0x80) { + /* long length form - first byte is length of length */ + DERSize longLen = 0; /* long form length */ - return DR_Success; - } + unsigned dex; + len1 &= 0x7f; + if((len1 > sizeof(DERSize)) || (len1 > derLen) || len1 == 0 || *derPtr == 0) { + /* no can do */ + return DR_DecodeError; + } + for(dex=0; dex<len1; dex++) { + longLen <<= 8; + longLen |= *derPtr++; + derLen--; + } + if(longLen > derLen && !allowPartialBuffer) { + /* not enough data left for this encoding */ + return DR_DecodeError; + } + decoded->content.data = derPtr; + decoded->content.length = longLen; + } + else { + /* short length form, len1 is the length */ + if(len1 > derLen && 
!allowPartialBuffer) { + /* not enough data left for this encoding */ + return DR_DecodeError; + } + decoded->content.data = derPtr; + decoded->content.length = len1; + } -/* - * Given a BIT_STRING, in the form of its raw content bytes, + return DR_Success; +} + +/* + * Given a BIT_STRING, in the form of its raw content bytes, * obtain the number of unused bits and the raw bit string bytes. */ DERReturn DERParseBitString( @@ -171,12 +194,7 @@ DERReturn DERParseBitString( */ DERReturn DERParseBoolean( const DERItem *contents, - bool defaultValue, bool *value) { /* RETURNED */ - if (contents->length == 0) { - *value = defaultValue; - return DR_Success; - } if (contents->length != 1 || (contents->data[0] != 0 && contents->data[0] != 0xFF)) return DR_DecodeError; 
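Review bot: The long-length path in DERDecodeItemPartialBuffer now rejects a leading zero length octet (`*derPtr == 0`) and a zero `len1`, but still accepts a long form whose value fits in the short form, e.g. `0x81 0x05`, so the minimal-encoding check this hunk introduces is incomplete for DER; after the length loop add `if (len1 == 1 && longLen < 0x80) return DR_DecodeError;`. Separately, when `allowPartialBuffer` is true both branches store a `content.length` that may exceed `derLen`, and nothing in the returned DERDecodedInfo records how many bytes are actually present, so every caller of that mode must clamp against the original `der` bounds itself; a comment at each of the two skipped checks, `/* partial buffer: content.length is the claimed length, not the readable extent */`, would make that contract visible where it matters. The start of this function is in the previous hunk.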
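Review bot: Removing the `defaultValue` parameter from DERParseBoolean changes the signature of a function exported from DER_Decode.h, and an empty contents item now yields DR_DecodeError instead of the default, so every caller that decodes an OPTIONAL or DEFAULT boolean has to move to DERParseBooleanWithDefault (added in the next hunk); none of those callers are in this diff, so the migration cannot be confirmed here. A one-line comment on the function, `/* Strict: empty contents is a decode error; DEFAULT fields must use DERParseBooleanWithDefault */`, would keep the next maintainer from re-adding the lenient path.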
@@ -185,13 +203,53 @@ DERReturn DERParseBoolean( return DR_Success; } +/* + * Given a BOOLEAN, in the form of its raw content bytes, + * obtain it's value. + */ +DERReturn DERParseBooleanWithDefault( + const DERItem *contents, + bool defaultValue, + bool *value) { /* RETURNED */ + if (contents->length == 0) { + *value = defaultValue; + return DR_Success; + } + return DERParseBoolean(contents, value); +} + + DERReturn DERParseInteger( - const DERItem *contents, - uint32_t *result) { /* RETURNED */ + const DERItem *contents, + uint32_t *result) { /* RETURNED */ + uint64_t value; + DERReturn drtn = DERParseInteger64(contents, &value); + if (drtn == DR_Success) { + if (value > UINT32_MAX) + drtn = DR_BufOverflow; + else + *result = (uint32_t)value; + } + return drtn; +} + +DERReturn DERParseInteger64( + const DERItem *contents, + uint64_t *result) { /* RETURNED */ DERSize ix, length = contents->length; - if (length > 4) + if (length == 0) + return DR_DecodeError; + if (contents->data[0] & 0x80) + return DR_DecodeError; + if (contents->data[0] == 0) { + if (length > 1 && (contents->data[1] & 0x80) == 0) + return DR_DecodeError; + if (length > sizeof(*result) + 1) + return DR_BufOverflow; + } else if (length > sizeof(*result)) { return DR_BufOverflow; - uint32_t value = 0; + } + uint64_t value = 0; for (ix = 0; ix < length; ++ix) { value <<= 8; value += contents->data[ix]; @@ -262,7 +320,7 @@ DERReturn DERDecodeSeqNext( /* decode next item */ item.data = derSeq->nextItem; - item.length = derSeq->end - derSeq->nextItem; + item.length = (DERSize) (derSeq->end - derSeq->nextItem); drtn = DERDecodeItem(&item, decoded); if(drtn) { return drtn; 
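Review bot: DERParseInteger64 is added without a header comment, and its acceptance rules are not obvious from the code: an empty item, a sign bit set in the first octet, or a leading `0x00` not followed by an octet with bit 7 set all return DR_DecodeError, while more than 8 significant octets return DR_BufOverflow. Suggested comment above the definition: `/* Non-negative INTEGER only: empty contents, sign bit set, or a non-minimal leading 0x00 -> DR_DecodeError; more than 8 significant octets -> DR_BufOverflow. */`. Note also that DERParseInteger now accepts a 5-octet encoding with a leading zero (values 2^31 to 2^32-1) that the old `length > 4` test rejected, which is a correct but caller-visible widening worth one line in its comment.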
@@ -358,12 +416,12 @@ DERReturn DERParseSequenceContent( * over optional items. */ foundTag = currDecoded.tag; - derDecDbg1("--- foundTag 0x%x\n", foundTag); + derDecDbg1("--- foundTag 0x%llx\n", foundTag); for(i=itemDex; i<numItems; i++) { const DERItemSpec *currItemSpec = &itemSpecs[i]; DERShort currOptions = currItemSpec->options; - derDecDbg3("--- currItem %u expectTag 0x%x currOptions 0x%x\n", + derDecDbg3("--- currItem %u expectTag 0x%llx currOptions 0x%x\n", i, currItemSpec->tag, currOptions); if((currOptions & DER_DEC_ASN_ANY) || @@ -427,11 +485,12 @@ DERReturn DERParseSequenceContent( /* else on to next item */ } /* main loop */ - /* - * If we get here, there appears to be more to process, but we've - * given the caller everything they want. - */ - return DR_Success; + /* Template has 0 items if we get here. */ + /* normal termination if we consumed everything, (the sequence was empty) */ + if (derSeq.nextItem == derSeq.end) + return DR_Success; + else + return DR_DecodeError; } #if 0 diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.h b/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.h index 827c2bcf..048739fa 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.h +++ b/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2011 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -28,13 +28,11 @@ #ifndef _DER_DECODE_H_ #define _DER_DECODE_H_ -#ifdef __cplusplus -extern "C" { -#endif - #include <libDER/libDER.h> #include <stdbool.h> +__BEGIN_DECLS + /* * Decoding one item consists of extracting its tag, a pointer * to the actual content, and the length of the content. Those 
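Review bot: The `%llx` conversions added to the derDecDbg1/derDecDbg3 calls in DERParseSequenceContent are only correct when DERTag is uint64_t; libDER_config.h in this same diff makes DERTag a DERByte when DER_MULTIBYTE_TAGS is undefined, and the tag-size comment above still describes 2- and 4-byte configurations, so in those builds a narrower integer is passed to `%llx` through a variadic call, which is undefined behavior. Cast instead of hard-wiring the width: `derDecDbg1("--- foundTag 0x%llx\n", (unsigned long long)foundTag);` and the same for `currItemSpec->tag`. Whether derDecDbg expands to anything in production builds is not visible here, so treat this as a debug-build correctness fix. The function continues outside this hunk.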
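Review bot: The new tail of DERParseSequenceContent turns leftover items after the last template entry into DR_DecodeError, which is the right strict-DER behaviour, but the replacement comment `/* Template has 0 items if we get here. */` contradicts the text it removes (`there appears to be more to process`) and does not say what callers now observe. Suggest `/* All template items consumed; any trailing data in the sequence is a decode error. */`. Callers that deliberately passed a template shorter than the encoded sequence previously succeeded and now fail; they are outside this diff and need checking at the call sites. The main loop this code follows is outside the hunk.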
@@ -59,6 +57,24 @@ DERReturn DERDecodeItem( const DERItem *der, /* data to decode */ DERDecodedInfo *decoded); /* RETURNED */ +/* + * Basic decoding primitive. Allows for decoding with a partial buffer. + * if allowPartialBuffer is true. A partial buffer would normally fail + * because the encoded length would be greater than the size of the buffer passed in. + * Only works with: + * + * -- definite length encoding + * -- one-byte tags (unless DER_MULTIBYTE_TAGS is defined) + * -- max content length fits in a DERSize + * + * No malloc or copy of the contents is performed; the returned + * content->content.data is a pointer into the incoming der data. + */ +DERReturn DERDecodeItemPartialBuffer( + const DERItem *der, /* data to decode */ + DERDecodedInfo *decoded, /* RETURNED */ + bool allowPartialBuffer); + /* * Given a BIT_STRING, in the form of its raw content bytes, * obtain the number of unused bits and the raw bit string bytes. @@ -73,14 +89,27 @@ DERReturn DERParseBitString( * obtain it's value. */ DERReturn DERParseBoolean( - const DERItem *contents, - bool defaultValue, - bool *value); /* RETURNED */ + const DERItem *contents, + bool *value); /* RETURNED */ + +DERReturn DERParseBooleanWithDefault( + const DERItem *contents, + bool defaultValue, + bool *value); /* RETURNED */ +/* + * Given a positive INTEGER, in the form of its raw content bytes, + * obtain it's value as a 32 bit or 64 bit quantity. + * Returns DR_BufOverflow if the value is too large to fit in the return type + */ DERReturn DERParseInteger( const DERItem *contents, uint32_t *value); /* RETURNED */ +DERReturn DERParseInteger64( + const DERItem *contents, + uint64_t *value); /* RETURNED */ + /* * Sequence/set decode support. */ @@ -187,9 +216,7 @@ DERReturn DERParseSequenceContent( void *dest, /* DERDecodedInfo(s) here RETURNED */ DERSize sizeToZero); /* optional */ -#ifdef __cplusplus -} -#endif +__END_DECLS #endif /* _DER_DECODE_H_ */ 
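Review bot: The public comment on DERDecodeItemPartialBuffer explains why a partial buffer would normally fail but not what the caller receives when `allowPartialBuffer` is true: `decoded->content.length` is then the length claimed by the encoding and can exceed the bytes remaining in `der`, so `content.data + content.length` is not a valid read bound. Add to the comment: `With allowPartialBuffer, content.length is the encoded length and may be larger than the input; never read past der->data + der->length on that path.` This is the only place a user of the header sees the contract, since the .c file repeats the same text verbatim.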
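Review bot: The new comment above DERParseInteger/DERParseInteger64 documents only DR_BufOverflow, while the implementation in DER_Decode.c also returns DR_DecodeError for an empty item, a value with the sign bit set and a non-minimal leading zero, so a reader of the header cannot distinguish a negative INTEGER from an oversized one. Suggested wording: `Returns DR_DecodeError for an empty, negative or non-minimally encoded INTEGER, DR_BufOverflow if the non-negative value does not fit the result type.` The DERParseBoolean declaration likewise lost its default-value path without a note; `/* empty contents is a decode error; see DERParseBooleanWithDefault */` would explain the pair.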
diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.h b/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.h index 68503a35..734d752c 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.h +++ b/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2008,2010-2011,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -30,12 +30,10 @@ #ifndef _DER_DIGEST_H_ #define _DER_DIGEST_H_ -#ifdef __cplusplus -extern "C" { -#endif - #include <libDER/libDER.h> +__BEGIN_DECLS + /* * Create an encoded DigestInfo based on the specified SHA1 digest. * The incoming digest must be 20 bytes long. @@ -87,9 +85,7 @@ DERReturn DEREncodeMDDigestInfo( #define DER_MAX_DIGEST_LEN DER_SHA256_DIGEST_LEN #define DER_MAX_ENCODED_INFO_LEN DER_SHA256_DIGEST_INFO_LEN -#ifdef __cplusplus -} -#endif +__END_DECLS #endif /* _DER_DIGEST_H_ */ diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.c b/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.c index 9b694617..bd8e607a 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.c +++ b/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2007,2011,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -72,7 +72,7 @@ static DERReturn DEREncodeTag( if(outLen == 1) { /* short form */ - *buf = tag1 | tagNumber; + *buf = (DERByte)(tag1 | tagNumber); } else { /* long form */ @@ -180,6 +180,7 @@ DERReturn DEREncodeItem( bytesLeft -= itemLen; DERMemmove(currPtr, src, length); + // Silence unused variable warning. (void) bytesLeft; return DR_Success; @@ -341,7 +342,7 @@ DERReturn DEREncodeSequence( currPtr += itemSrc->length; bytesLeft -= itemSrc->length; } - *inOutLen = (currPtr - derOut); + *inOutLen = (DERSize)(currPtr - derOut); return DR_Success; } 
diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.h b/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.h index 6dc3d636..bcde9757 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.h +++ b/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2007,2011,2013-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -30,12 +30,10 @@ #ifndef _DER_ENCODE_H_ #define _DER_ENCODE_H_ -#ifdef __cplusplus -extern "C" { -#endif - #include <libDER/libDER.h> +__BEGIN_DECLS + /* * Max size of an encoded item given its length. * This includes a possible leading zero prepended to a signed integer @@ -116,9 +114,6 @@ DERSize DERLengthOfEncodedSequence( const DERItemSpec *itemSpecs); -#ifdef __cplusplus -} -#endif +__END_DECLS #endif /* _DER_ENCODE_H_ */ - diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.h b/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.h index 849974fc..41f24d67 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.h +++ b/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2007,2011,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -30,13 +30,11 @@ #ifndef _DER_KEYS_H_ #define _DER_KEYS_H_ -#ifdef __cplusplus -extern "C" { -#endif - #include <libDER/libDER.h> #include <libDER/DER_Decode.h> +__BEGIN_DECLS + /* Algorithm Identifier components */ typedef struct { DERItem oid; /* OID */ @@ -117,9 +115,7 @@ typedef struct { extern const DERItemSpec DERRSAKeyPairItemSpecs[]; extern const DERSize DERNumRSAKeyPairItemSpecs; -#ifdef __cplusplus -} -#endif +__END_DECLS #endif /* _DER_KEYS_H_ */ diff --git a/OSX/libsecurity_keychain/libDER/libDER/asn1Types.h b/OSX/libsecurity_keychain/libDER/libDER/asn1Types.h index 5275af3c..e1e9510c 100644 
--- a/OSX/libsecurity_keychain/libDER/libDER/asn1Types.h +++ b/OSX/libsecurity_keychain/libDER/libDER/asn1Types.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2007,2011,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -30,12 +30,15 @@ #ifndef _ASN1_TYPES_H_ #define _ASN1_TYPES_H_ -#ifdef __cplusplus -extern "C" { -#endif +#include <sys/cdefs.h> + +#include <libDER/libDER_config.h> + +__BEGIN_DECLS /* copied from libsecurity_asn1 project */ +/* Type tag numbers */ #define ASN1_BOOLEAN 0x01 #define ASN1_INTEGER 0x02 #define ASN1_BIT_STRING 0x03 @@ -69,8 +72,7 @@ extern "C" { #define ASN1_HIGH_TAG_NUMBER 0x1f #define ASN1_TELETEX_STRING ASN1_T61_STRING -#ifdef DER_MULTIBYTE_TAGS - +/* Tag modifiers */ #define ASN1_TAG_MASK ((DERTag)~0) #define ASN1_TAGNUM_MASK ((DERTag)~((DERTag)7 << (sizeof(DERTag) * 8 - 3))) 
@@ -84,29 +86,26 @@ extern "C" { #define ASN1_CONTEXT_SPECIFIC ((DERTag)2 << (sizeof(DERTag) * 8 - 2)) #define ASN1_PRIVATE ((DERTag)3 << (sizeof(DERTag) * 8 - 2)) -#else /* DER_MULTIBYTE_TAGS */ - -#define ASN1_TAG_MASK 0xff -#define ASN1_TAGNUM_MASK 0x1f -#define ASN1_METHOD_MASK 0x20 -#define ASN1_PRIMITIVE 0x00 -#define ASN1_CONSTRUCTED 0x20 +/* One-byte tag modifiers */ +#define ONE_BYTE_ASN1_TAG_MASK 0xff +#define ONE_BYTE_ASN1_TAGNUM_MASK 0x1f +#define ONE_BYTE_ASN1_METHOD_MASK 0x20 +#define ONE_BYTE_ASN1_PRIMITIVE 0x00 +#define ONE_BYTE_ASN1_CONSTRUCTED 0x20 -#define ASN1_CLASS_MASK 0xc0 -#define ASN1_UNIVERSAL 0x00 -#define ASN1_APPLICATION 0x40 -#define ASN1_CONTEXT_SPECIFIC 0x80 -#define ASN1_PRIVATE 0xc0 - -#endif /* !DER_MULTIBYTE_TAGS */ +#define ONE_BYTE_ASN1_CLASS_MASK 0xc0 +#define ONE_BYTE_ASN1_UNIVERSAL 0x00 +#define ONE_BYTE_ASN1_APPLICATION 0x40 +#define ONE_BYTE_ASN1_CONTEXT_SPECIFIC 0x80 +#define ONE_BYTE_ASN1_PRIVATE 0xc0 /* sequence and set appear as the following */ -#define ASN1_CONSTR_SEQUENCE (ASN1_CONSTRUCTED | ASN1_SEQUENCE) -#define ASN1_CONSTR_SET (ASN1_CONSTRUCTED | ASN1_SET) +#define ASN1_CONSTR_SEQUENCE ((DERTag)(ASN1_CONSTRUCTED | ASN1_SEQUENCE)) +#define ASN1_CONSTR_SET ((DERTag)(ASN1_CONSTRUCTED | ASN1_SET)) -#ifdef __cplusplus -} -#endif +#define ONE_BYTE_ASN1_CONSTR_SEQUENCE ((uint8_t)(ONE_BYTE_ASN1_CONSTRUCTED | ASN1_SEQUENCE)) +#define ONE_BYTE_ASN1_CONSTR_SET ((uint8_t)(ONE_BYTE_ASN1_CONSTRUCTED | ASN1_SET)) -#endif /* _ASN1_TYPES_H_ */ +__END_DECLS +#endif /* _ASN1_TYPES_H_ */ diff --git a/OSX/libsecurity_keychain/libDER/libDER/libDER.h b/OSX/libsecurity_keychain/libDER/libDER/libDER.h index b17e4ba3..e5e4b127 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/libDER.h +++ b/OSX/libsecurity_keychain/libDER/libDER/libDER.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2007,2011,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
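Review bot: The unprefixed tag macros (ASN1_CONTEXT_SPECIFIC, ASN1_PRIVATE, ASN1_CONSTR_SEQUENCE, ...) are now always DERTag-wide with class and method in the top bits, while the new ONE_BYTE_ASN1_* family describes the raw leading octet; nothing in the header says which to use where, and comparing a raw byte against ASN1_CONSTR_SEQUENCE with DER_MULTIBYTE_TAGS set will silently never match. Add above the ONE_BYTE_ group: `/* ONE_BYTE_* values apply to the raw leading tag octet of an encoding; the unprefixed values apply to the DERTag produced by DERDecodeItem and must not be compared against raw bytes. */`. The `(DERTag)` casts on ASN1_CONSTR_SEQUENCE/SET look consistent with both configurations, presumably because with one-byte tags DERTag is DERByte and the shifted ASN1_CONSTRUCTED reduces to 0x20, but that equivalence should be stated rather than left for the reader to derive.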
@@ -30,16 +30,15 @@ #ifndef _LIB_DER_H_ #define _LIB_DER_H_ -#ifdef __cplusplus -extern "C" { -#endif - #include <libDER/libDER_config.h> + +__BEGIN_DECLS + /* * Error returns generated by this library. */ typedef enum { - DR_Success, + DR_Success = 0, DR_EndOfSequence, /* end of sequence or set */ DR_UnexpectedTag, /* unexpected tag found while decoding */ DR_DecodeError, /* misc. decoding error (badly formatted DER) */ @@ -70,9 +69,7 @@ typedef struct { */ #define DER_OFFSET(type, field) ((DERSize)(&((type *)0)->field)) -#ifdef __cplusplus -} -#endif +__END_DECLS #endif /* _LIB_DER_H_ */ diff --git a/OSX/libsecurity_keychain/libDER/libDER/libDER_config.h b/OSX/libsecurity_keychain/libDER/libDER/libDER_config.h index 976af6c0..6280ee3f 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/libDER_config.h +++ b/OSX/libsecurity_keychain/libDER/libDER/libDER_config.h @@ -36,9 +36,7 @@ /* include defintion of DERSize and DERByte */ #include "libDER/oids.h" -#ifdef __cplusplus -extern "C" { -#endif +__BEGIN_DECLS /* * Basic data types: unsigned 8-bit integer, unsigned 32-bit integer @@ -74,9 +72,8 @@ typedef uint16_t DERShort; #ifndef DER_TAG_SIZE /* Iff DER_MULTIBYTE_TAGS is 1 this is the sizeof(DERTag) in bytes. Note that tags are still encoded and decoded from a minimally encoded DER - represantation. This value determines how big each DERItemSpecs is, we - choose 2 since that makes DERItemSpecs 8 bytes wide. */ -#define DER_TAG_SIZE 2 + represantation. This value maintains compatibility with libImg4Decode/Encode. */ +#define DER_TAG_SIZE 8 #endif @@ -108,8 +105,6 @@ typedef uint64_t DERTag; typedef DERByte DERTag; #endif /* !DER_MULTIBYTE_TAGS */ -#ifdef __cplusplus -} -#endif +__END_DECLS #endif /* _LIB_DER_CONFIG_H_ */ diff --git a/OSX/libsecurity_keychain/libDER/libDER/oids.c b/OSX/libsecurity_keychain/libDER/libDER/oids.c index 58bb7dd2..7e62427e 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/oids.c +++ b/OSX/libsecurity_keychain/libDER/libDER/oids.c 
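Review bot: Raising DER_TAG_SIZE from 2 to 8 in libDER_config.h is an ABI change for every DERItemSpec table and for any struct carrying a DERTag (DERDecodedInfo's `tag` is written in DER_Decode.c), since the removed comment explicitly tied this value to the width of DERItemSpecs, yet the new comment only says it `maintains compatibility with libImg4Decode/Encode`. Spell out the consequence: `Changing this value changes sizeof(DERItemSpec) and sizeof(DERDecodedInfo); every client compiled against a different size must be rebuilt.` The typo `represantation` is in the retained text and can be fixed in the same comment.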
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2009,2011-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2009,2011-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -65,9 +65,14 @@ /* ANSI X9.62 */ #define OID_ANSI_X9_62 OID_US, 206, 61 #define OID_PUBLIC_KEY_TYPE OID_ANSI_X9_62, 2 +#define OID_EC_CURVE OID_ANSI_X9_62, 3, 1 #define OID_EC_SIG_TYPE OID_ANSI_X9_62, 4 #define OID_ECDSA_WITH_SHA2 OID_EC_SIG_TYPE, 3 +/* Certicom */ +#define OID_CERTICOM OID_ISO_IDENTIFIED_ORG, 132 +#define OID_CERTICOM_EC_CURVE OID_CERTICOM, 0 + /* ANSI X9.42 */ #define OID_ANSI_X9_42 OID_US, 206, 62, 2 #define OID_ANSI_X9_42_SCHEME OID_ANSI_X9_42, 3 @@ -256,6 +261,9 @@ /* Secure Boot Embedded Image3 value, co-opted by desktop for "Apple Released Code Signature", without value */ #define APPLE_SBOOT_CERT_EXTEN_SBOOT_SPEC_OID APPLE_CERT_EXTENSION_CODESIGNING, 1 +#define APPLE_SBOOT_CERT_EXTEN_SBOOT_TICKET_SPEC_OID APPLE_CERT_EXTENSION_CODESIGNING, 11 +#define APPLE_SBOOT_CERT_EXTEN_IMG4_MANIFEST_SPEC_OID APPLE_CERT_EXTENSION_CODESIGNING, 15 + /* iPhone Provisioning Profile Signing leaf - on the intermediate marker arc? */ #define APPLE_PROVISIONING_PROFILE_OID APPLE_CERT_EXT_INTERMEDIATE_MARKER, 1 /* iPhone Application Signing leaf */ 
@@ -320,6 +328,20 @@ #define APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_TEST APPLE_SERVER_AUTHENTICATION, 8, 1 #define APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 8, 2 +/* Escrow Proxy Server Authentication + * Test Marker OID 1.2.840.113635.100.6.27.7.1 + * Prod Marker OID 1.2.840.113635.100.6.27.7.2 + */ +#define APPLE_CERT_EXT_ESCROW_PROXY_SERVER_AUTH_TEST APPLE_SERVER_AUTHENTICATION, 7, 1 +#define APPLE_CERT_EXT_ESCROW_PROXY_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 7, 2 + +/* FMiP Server Authentication + * Test Marker OID 1.2.840.113635.100.6.27.6.1 + * Prod Marker OID 1.2.840.113635.100.6.27.6.2 + */ +#define APPLE_CERT_EXT_FMIP_SERVER_AUTH_TEST APPLE_SERVER_AUTHENTICATION, 6, 1 +#define APPLE_CERT_EXT_FMIP_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 6, 2 + /* HomeKit Server Authentication * Intermediate Marker OID: 1.2.840.113635.100.6.2.16 * Leaf Marker OID: 1.2.840.113635.100.6.27.9 @@ -327,6 +349,13 @@ #define APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH APPLE_CERT_EXT_INTERMEDIATE_MARKER, 16 #define APPLE_CERT_EXT_HOME_KIT_SERVER_AUTH APPLE_SERVER_AUTHENTICATION, 9 +/* MMCS Server Authentication + * Test Marker OID 1.2.840.113635.100.6.27.11.1 + * Prod Marker OID 1.2.840.113635.100.6.27.11.2 + */ +#define APPLE_CERT_EXT_MMCS_SERVER_AUTH_TEST APPLE_SERVER_AUTHENTICATION, 11, 1 +#define APPLE_CERT_EXT_MMCS_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 11, 2 + /* * Netscape OIDs. */ 
@@ -375,10 +404,10 @@ static const DERByte _oidMd4Rsa[] = { OID_PKCS_1, 3 }, _oidMd5Rsa[] = { OID_PKCS_1, 4 }, _oidSha1Rsa[] = { OID_PKCS_1, 5 }, - _oidSha256Rsa[] = { OID_PKCS_1, 11 }, - _oidSha384Rsa[] = { OID_PKCS_1, 12 }, - _oidSha512Rsa[] = { OID_PKCS_1, 13 }, - _oidSha224Rsa[] = { OID_PKCS_1, 14 }, + _oidSha256Rsa[] = { OID_PKCS_1, 11 }, /* rfc5754 */ + _oidSha384Rsa[] = { OID_PKCS_1, 12 }, /* rfc5754 */ + _oidSha512Rsa[] = { OID_PKCS_1, 13 }, /* rfc5754 */ + _oidSha224Rsa[] = { OID_PKCS_1, 14 }, /* rfc5754 */ _oidEcPubKey[] = { OID_PUBLIC_KEY_TYPE, 1 }, _oidSha1Ecdsa[] = { OID_EC_SIG_TYPE, 1 }, /* rfc3279 */ _oidSha224Ecdsa[] = { OID_ECDSA_WITH_SHA2, 1 }, /* rfc5758 */ @@ -399,7 +428,11 @@ static const DERByte _oidSha224[] = { OID_NIST_HASHALG, 4 }, _oidFee[] = { APPLE_ALG_OID, 1 }, _oidMd5Fee[] = { APPLE_ALG_OID, 3 }, - _oidSha1Fee[] = { APPLE_ALG_OID, 4 }; + _oidSha1Fee[] = { APPLE_ALG_OID, 4 }, + _oidEcPrime192v1[] = { OID_EC_CURVE, 1 }, + _oidEcPrime256v1[] = { OID_EC_CURVE, 7 }, + _oidAnsip384r1[] = { OID_CERTICOM_EC_CURVE, 34 }, + _oidAnsip521r1[] = { OID_CERTICOM_EC_CURVE, 35 }; const DERItem oidRsa = { (DERByte *)_oidRsa, @@ -461,7 +494,15 @@ const DERItem oidMd5Fee = { (DERByte *)_oidMd5Fee, sizeof(_oidMd5Fee) }, oidSha1Fee = { (DERByte *)_oidSha1Fee, - sizeof(_oidSha1Fee) }; + sizeof(_oidSha1Fee) }, + oidEcPrime192v1 = { (DERByte *)_oidEcPrime192v1, + sizeof(_oidEcPrime192v1) }, + oidEcPrime256v1 = { (DERByte *)_oidEcPrime256v1, + sizeof(_oidEcPrime256v1) }, + oidAnsip384r1 = { (DERByte *)_oidAnsip384r1, + sizeof(_oidAnsip384r1) }, + oidAnsip521r1 = { (DERByte *)_oidAnsip521r1, + sizeof(_oidAnsip521r1) }; /* Extension OIDs. */ 
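Review bot: The new curve OIDs are plain identifiers, but adding `_oidEcPrime192v1` (secp192r1) alongside P-256/P-384/P-521 deserves a caveat at its definition, because a 192-bit curve gives roughly 96 bits of security and any policy code that treats "known curve OID" as "acceptable key" will start admitting it. Add next to it: `/* secp192r1: recognised for parsing/identification only; below current strength minimums, do not add to accept lists */`. The arcs themselves appear to match the standard assignments (1.2.840.10045.3.1.{1,7} and 1.3.132.0.{34,35}), assuming OID_ISO_IDENTIFIED_ORG expands to 1.3 as its name suggests.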
@@ -513,6 +554,8 @@ __unused static const DERByte _oidExtendedKeyUsageMicrosoftSGC[] = { MICROSOFT_BASE_OID, 10, 3, 3 }, _oidExtendedKeyUsageNetscapeSGC[] = { NETSCAPE_CERT_POLICY, 1 }, _oidAppleSecureBootCertSpec[] = { APPLE_SBOOT_CERT_EXTEN_SBOOT_SPEC_OID }, + _oidAppleSecureBootTicketCertSpec[] = { APPLE_SBOOT_CERT_EXTEN_SBOOT_TICKET_SPEC_OID }, + _oidAppleImg4ManifestCertSpec[] = { APPLE_SBOOT_CERT_EXTEN_IMG4_MANIFEST_SPEC_OID }, _oidAppleProvisioningProfile[] = {APPLE_PROVISIONING_PROFILE_OID }, _oidAppleApplicationSigning[] = { APPLE_APP_SIGNING_OID }, _oidAppleInstallerPackagingSigningExternal[] = { APPLE_INSTALLER_PACKAGE_SIGNING_EXTERNAL_OID }, @@ -555,8 +598,14 @@ __unused static const DERByte _oidAppleCertExtCryptoServicesExtEncryption[] = {APPLE_CERT_EXT_CRYPTO_SERVICES_EXT_ENCRYPTION}, _oidAppleCertExtAST2DiagnosticsServerAuthTest[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_TEST}, _oidAppleCertExtAST2DiagnosticsServerAuthProd[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD}, + _oidAppleCertExtEscrowProxyServerAuthTest[] = {APPLE_CERT_EXT_ESCROW_PROXY_SERVER_AUTH_TEST}, + _oidAppleCertExtEscrowProxyServerAuthProd[] = {APPLE_CERT_EXT_ESCROW_PROXY_SERVER_AUTH_PROD}, + _oidAppleCertExtFMiPServerAuthTest[] = {APPLE_CERT_EXT_FMIP_SERVER_AUTH_TEST}, + _oidAppleCertExtFMiPServerAuthProd[] = {APPLE_CERT_EXT_FMIP_SERVER_AUTH_PROD}, _oidAppleCertExtHomeKitServerAuth[] = {APPLE_CERT_EXT_HOME_KIT_SERVER_AUTH}, - _oidAppleIntmMarkerAppleHomeKitServerCA[] = {APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH}; + _oidAppleIntmMarkerAppleHomeKitServerCA[] = {APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH}, + _oidAppleCertExtMMCSServerAuthTest[] = {APPLE_CERT_EXT_MMCS_SERVER_AUTH_TEST}, + _oidAppleCertExtMMCSServerAuthProd[] = {APPLE_CERT_EXT_MMCS_SERVER_AUTH_PROD}; __unused const DERItem oidSubjectKeyIdentifier = { (DERByte *)_oidSubjectKeyIdentifier, 
@@ -651,6 +700,10 @@ __unused const DERItem sizeof(_oidExtendedKeyUsageNetscapeSGC) }, oidAppleSecureBootCertSpec = { (DERByte *)_oidAppleSecureBootCertSpec, sizeof(_oidAppleSecureBootCertSpec) }, + oidAppleSecureBootTicketCertSpec = { (DERByte *)_oidAppleSecureBootTicketCertSpec, + sizeof(_oidAppleSecureBootTicketCertSpec) }, + oidAppleImg4ManifestCertSpec = { (DERByte *)_oidAppleImg4ManifestCertSpec, + sizeof(_oidAppleImg4ManifestCertSpec) }, oidAppleProvisioningProfile = { (DERByte *)_oidAppleProvisioningProfile, sizeof(_oidAppleProvisioningProfile) }, oidAppleApplicationSigning = { (DERByte *)_oidAppleApplicationSigning, 
@@ -748,10 +801,24 @@ __unused const DERItem sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthTest)}, oidAppleCertExtAST2DiagnosticsServerAuthProd = { (DERByte *)_oidAppleCertExtAST2DiagnosticsServerAuthProd, sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthProd)}, + oidAppleCertExtEscrowProxyServerAuthTest = { (DERByte *)_oidAppleCertExtEscrowProxyServerAuthTest, + sizeof(_oidAppleCertExtEscrowProxyServerAuthTest)}, + oidAppleCertExtEscrowProxyServerAuthProd = { (DERByte *)_oidAppleCertExtEscrowProxyServerAuthProd, + sizeof(_oidAppleCertExtEscrowProxyServerAuthProd)}, + oidAppleCertExtFMiPServerAuthTest = { (DERByte *)_oidAppleCertExtFMiPServerAuthTest, + sizeof(_oidAppleCertExtFMiPServerAuthTest)}, + oidAppleCertExtFMiPServerAuthProd = { (DERByte *)_oidAppleCertExtFMiPServerAuthProd, + sizeof(_oidAppleCertExtFMiPServerAuthProd)}, oidAppleCertExtHomeKitServerAuth = { (DERByte *)_oidAppleCertExtHomeKitServerAuth, sizeof(_oidAppleCertExtHomeKitServerAuth)}, oidAppleIntmMarkerAppleHomeKitServerCA = { (DERByte *)_oidAppleIntmMarkerAppleHomeKitServerCA, - sizeof(_oidAppleIntmMarkerAppleHomeKitServerCA) }; + sizeof(_oidAppleIntmMarkerAppleHomeKitServerCA) }, + oidAppleCertExtAppleServerAuthenticationMMCSTest + = { (DERByte *)_oidAppleCertExtMMCSServerAuthTest, + sizeof(_oidAppleCertExtMMCSServerAuthTest) }, + oidAppleCertExtAppleServerAuthenticationMMCSProd + = { (DERByte *)_oidAppleCertExtMMCSServerAuthProd, + sizeof(_oidAppleCertExtMMCSServerAuthProd) }; diff --git a/OSX/libsecurity_keychain/libDER/libDER/oids.h b/OSX/libsecurity_keychain/libDER/libDER/oids.h index 094200d0..7f78053d 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/oids.h +++ b/OSX/libsecurity_keychain/libDER/libDER/oids.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2009,2011-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2009,2011-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
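Review bot: The two MMCS items are exported as `oidAppleCertExtAppleServerAuthenticationMMCSTest/Prod` while their backing arrays are `_oidAppleCertExtMMCSServerAuthTest/Prod` and every sibling added in this commit follows `oidAppleCertExt<Service>ServerAuth<Test|Prod>` (Escrow proxy, FMiP, AST2); the export names break that pattern and no longer correspond to their private arrays. Rename to `oidAppleCertExtMMCSServerAuthTest` and `oidAppleCertExtMMCSServerAuthProd` before anything outside libDER depends on them. The extern declarations with the current names live in oidsPriv.h in this same diff, so both files must change together.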
@@ -33,9 +33,7 @@ #include <stdint.h> #include <string.h> -#ifdef __cplusplus -extern "C" { -#endif +__BEGIN_DECLS /* * Basic data types @@ -82,7 +80,11 @@ extern const DERItem oidSha224, /* OID_NIST_HASHALG 4 */ oidFee, /* APPLE_ALG_OID 1 */ oidMd5Fee, /* APPLE_ALG_OID 3 */ - oidSha1Fee; /* APPLE_ALG_OID 4 */ + oidSha1Fee, /* APPLE_ALG_OID 4 */ + oidEcPrime192v1, /* OID_EC_CURVE 1 prime192v1/secp192r1/ansiX9p192r1*/ + oidEcPrime256v1, /* OID_EC_CURVE 7 prime256v1/secp256r1*/ + oidAnsip384r1, /* OID_CERTICOM_EC_CURVE 34 ansip384r1/secp384r1*/ + oidAnsip521r1; /* OID_CERTICOM_EC_CURVE 35 ansip521r1/secp521r1*/ /* Standard X.509 Cert and CRL extensions. */ extern const DERItem @@ -145,8 +147,6 @@ extern const DERItem oidGoogleEmbeddedSignedCertificateTimestamp, oidGoogleOCSPSignedCertificateTimestamp; -#ifdef __cplusplus -} -#endif +__END_DECLS #endif /* _LIB_DER_OIDS_H_ */ diff --git a/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h b/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h index 8fa2f0b3..71c11568 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h +++ b/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005-2009,2011-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2005-2009,2011-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -33,13 +33,13 @@ #include <libDER/oids.h> #include <stdbool.h> -#ifdef __cplusplus -extern "C" { -#endif +__BEGIN_DECLS /* Apple Oids */ extern const DERItem oidAppleSecureBootCertSpec, + oidAppleSecureBootTicketCertSpec, + oidAppleImg4ManifestCertSpec, oidAppleProvisioningProfile, oidAppleApplicationSigning, oidAppleTVOSApplicationSigningProd, 
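Review bot: oids.h now uses `__BEGIN_DECLS`/`__END_DECLS` directly after `#include <stdint.h>` and `#include <string.h>` without including `<sys/cdefs.h>`, relying on the libc headers to pull it in; asn1Types.h in this same commit includes `<sys/cdefs.h>` explicitly, and oids.h is the root include of libDER (libDER_config.h includes it), so it is the header that should own that dependency. Add `#include <sys/cdefs.h>` before the `__BEGIN_DECLS` line. libDER_config.h, DER_Decode.h and the other headers converted in this commit would then get the macros transitively.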
@@ -80,14 +80,18 @@ extern const DERItem oidAppleCertExtCryptoServicesExtEncryption, oidAppleCertExtAST2DiagnosticsServerAuthTest, oidAppleCertExtAST2DiagnosticsServerAuthProd, + oidAppleCertExtEscrowProxyServerAuthTest, + oidAppleCertExtEscrowProxyServerAuthProd, + oidAppleCertExtFMiPServerAuthTest, + oidAppleCertExtFMiPServerAuthProd, oidAppleCertExtHomeKitServerAuth, - oidAppleIntmMarkerAppleHomeKitServerCA; + oidAppleIntmMarkerAppleHomeKitServerCA, + oidAppleCertExtAppleServerAuthenticationMMCSTest, + oidAppleCertExtAppleServerAuthenticationMMCSProd; /* Compare two decoded OIDs. Returns true iff they are equivalent. */ bool DEROidCompare(const DERItem *oid1, const DERItem *oid2); -#ifdef __cplusplus -} -#endif +__END_DECLS #endif /* _LIB_DER_UTILS_H_ */ diff --git a/OSX/libsecurity_keychain/libsecurity_keychain.xcodeproj/project.pbxproj b/OSX/libsecurity_keychain/libsecurity_keychain.xcodeproj/project.pbxproj index 57e98c0b..7ea76c9f 100644 --- a/OSX/libsecurity_keychain/libsecurity_keychain.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_keychain/libsecurity_keychain.xcodeproj/project.pbxproj 
@@ -41,12 +41,14 @@ 05AE954A0AA748580076501C /* SecImportExportOpenSSH.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 05AE95480AA748570076501C /* SecImportExportOpenSSH.cpp */; }; 05FB016805E54A3A00A5194C /* SecNetscapeTemplates.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 05FB016605E54A3A00A5194C /* SecNetscapeTemplates.cpp */; }; 05FB016905E54A3A00A5194C /* SecNetscapeTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 05FB016705E54A3A00A5194C /* SecNetscapeTemplates.h */; }; - 0CBD509A16C3246D00713B6C /* kc-40-seckey.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CBD509816C3246D00713B6C /* kc-40-seckey.c */; }; - 0CBD509B16C3246D00713B6C /* kc-41-sececkey.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CBD509916C3246D00713B6C /* kc-41-sececkey.c */; }; + 0CBD509A16C3246D00713B6C /* kc-40-seckey.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CBD509816C3246D00713B6C /* kc-40-seckey.m */; }; + 0CBD509B16C3246D00713B6C /* kc-41-sececkey.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CBD509916C3246D00713B6C /* kc-41-sececkey.m */; }; 182BB5CD146FF72B000BF1F3 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5297A731112CB13800EAA0C0 /* libDER.a */; }; 188BB546171DD8B5009D22CE /* si-33-keychain-backup.c in Sources */ = {isa = PBXBuildFile; fileRef = 188BB53F171DD774009D22CE /* si-33-keychain-backup.c */; }; 1B11967B062F4C1800F3B659 /* SecKeychainSearchPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 1B11967A062F4C1800F3B659 /* SecKeychainSearchPriv.h */; settings = {ATTRIBUTES = (); }; }; 30E17F5B062B0A25004208EB /* SecIdentitySearchPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 30E17F5A062B0A25004208EB /* SecIdentitySearchPriv.h */; settings = {ATTRIBUTES = (); }; }; + 3A353D7D1CC50583000446F4 /* TokenLogin.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 3A353D7B1CC50583000446F4 /* TokenLogin.cpp */; }; + 3A353D7E1CC50583000446F4 /* TokenLogin.h in Headers */ = {isa = PBXBuildFile; fileRef = 
3A353D7C1CC50583000446F4 /* TokenLogin.h */; }; 407AC2C0066661620030E07D /* SecPassword.h in Headers */ = {isa = PBXBuildFile; fileRef = 407AC2BE066661620030E07D /* SecPassword.h */; settings = {ATTRIBUTES = (); }; }; 407AC2C1066661620030E07D /* SecPassword.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 407AC2BF066661620030E07D /* SecPassword.cpp */; }; 407AC2C5066798420030E07D /* Password.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 407AC2C3066798420030E07D /* Password.cpp */; }; @@ -103,6 +105,7 @@ 52E950CD1509B47000DA6511 /* tsaDERUtilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 52E950CC1509B47000DA6511 /* tsaDERUtilities.c */; }; 52E950D61509B48D00DA6511 /* tsaDERUtilities.h in Headers */ = {isa = PBXBuildFile; fileRef = 52E950D51509B48D00DA6511 /* tsaDERUtilities.h */; settings = {ATTRIBUTES = (Private, ); }; }; 52FB44A91146D769006D3B0A /* SecCertificateOIDs.h in Headers */ = {isa = PBXBuildFile; fileRef = 52FB44A81146D769006D3B0A /* SecCertificateOIDs.h */; settings = {ATTRIBUTES = (); }; }; + 87701A8E1C4B91E300CB437B /* kc-43-seckey-interop.m in Sources */ = {isa = PBXBuildFile; fileRef = 87701A841C4B91D000CB437B /* kc-43-seckey-interop.m */; }; AA31456F134B716B00133245 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = AA31456E134B716B00133245 /* CoreFoundation.framework */; }; AC9ADAD3199AD6BA00BDAF54 /* kc-42-trust-revocation.c in Sources */ = {isa = PBXBuildFile; fileRef = AC9ADAD2199AD6BA00BDAF54 /* kc-42-trust-revocation.c */; }; BE296DBF0EAC299C00FD22BE /* SecImportExport.c in Sources */ = {isa = PBXBuildFile; fileRef = BE296DBE0EAC299C00FD22BE /* SecImportExport.c */; }; 
@@ -157,10 +160,45 @@ C2AA2C22052E099D006D0211 /* TrustStore.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2AA2BB2052E099D006D0211 /* TrustStore.cpp */; }; C2FD26380731CEFB0027896A /* defaultcreds.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2FD26370731CEE60027896A /* defaultcreds.cpp */; }; C429431E053B2F8B00470431 /* KCUtilities.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C429431C053B2F8B00470431 /* KCUtilities.cpp */; }; + D4486BCF1C65528B0040880D /* SecTrustOSXEntryPoints.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D4486BCD1C65528B0040880D /* SecTrustOSXEntryPoints.cpp */; }; + D45FA39C1C6578CE003DBB97 /* SecTrustOSXEntryPoints.h in Headers */ = {isa = PBXBuildFile; fileRef = D45FA39B1C6578CE003DBB97 /* SecTrustOSXEntryPoints.h */; }; D4A2FC821BC8A65B00BF6E56 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D4A2FC811BC8A65B00BF6E56 /* Security.framework */; }; D6095E960A94F17C0026C68B /* KCEventNotifier.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D6E1457B0A632A5A008AA7E8 /* KCEventNotifier.cpp */; }; + DC196F691CBD70B400A66F4B /* kc-12-key-create-symmetric-and-use.m in Sources */ = {isa = PBXBuildFile; fileRef = DC7EFCA61CBD6ADC005F9624 /* kc-12-key-create-symmetric-and-use.m */; }; + DC196F6A1CBD70C100A66F4B /* kc-12-key-create-symmetric.c in Sources */ = {isa = PBXBuildFile; fileRef = DC7EFCA71CBD6ADC005F9624 /* kc-12-key-create-symmetric.c */; }; + DC196F6D1CBD77CD00A66F4B /* kc-15-key-update-valueref.c in Sources */ = {isa = PBXBuildFile; fileRef = DC196F6B1CBD77C300A66F4B /* kc-15-key-update-valueref.c */; }; + DC19708A1CBEC2FA00A66F4B /* kc-15-item-update-label-skimaad.m in Sources */ = {isa = PBXBuildFile; fileRef = DC1970801CBEC2EE00A66F4B /* kc-15-item-update-label-skimaad.m */; }; + DC19708D1CBEE43E00A66F4B /* kc-16-item-update-password.c in Sources */ = {isa = PBXBuildFile; fileRef = DC19708B1CBEE43600A66F4B /* kc-16-item-update-password.c */; }; + DC247FDB1CBF22AD00527D67 /* 
kc-27-key-non-extractable.c in Sources */ = {isa = PBXBuildFile; fileRef = DC247FD91CBF1FF800527D67 /* kc-27-key-non-extractable.c */; }; + DC2480511CC1B58B00527D67 /* kc-21-item-use-callback.c in Sources */ = {isa = PBXBuildFile; fileRef = DC2480471CC1B58200527D67 /* kc-21-item-use-callback.c */; }; + DC336B3C1D246E4C00D24F15 /* kc-20-identity-find-stress.c in Sources */ = {isa = PBXBuildFile; fileRef = DC336B3B1D246E4C00D24F15 /* kc-20-identity-find-stress.c */; }; DC3C16001BAB76B50041A23A /* kc-30-xara.c in Sources */ = {isa = PBXBuildFile; fileRef = DC3C15F81BAB6FE20041A23A /* kc-30-xara.c */; }; + DC6B46641C90EE1200D899C6 /* kc-01-keychain-creation.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B46421C90E36900D899C6 /* kc-01-keychain-creation.c */; }; + DC6B46651C90EE1200D899C6 /* kc-02-unlock-noui.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B46431C90E36900D899C6 /* kc-02-unlock-noui.c */; }; + DC6B46661C90EE1A00D899C6 /* kc-03-status.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B46441C90E36900D899C6 /* kc-03-status.c */; }; + DC6B46671C90EE1A00D899C6 /* kc-10-item-add-generic.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B46451C90E36900D899C6 /* kc-10-item-add-generic.c */; }; + DC6B46681C90EE1A00D899C6 /* kc-10-item-add-certificate.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B46461C90E36900D899C6 /* kc-10-item-add-certificate.c */; }; + DC6B46691C90EE1A00D899C6 /* kc-12-item-create-keypair.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B46471C90E36900D899C6 /* kc-12-item-create-keypair.c */; }; + DC6B466A1C90EE1A00D899C6 /* kc-10-item-add-internet.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B46481C90E36900D899C6 /* kc-10-item-add-internet.c */; }; + DC6B466B1C90EE1A00D899C6 /* kc-19-item-copy-internet.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B46491C90E36900D899C6 /* kc-19-item-copy-internet.c */; }; + DC6B466C1C90EE1A00D899C6 /* kc-21-item-use-callback.c in Sources */ = {isa = PBXBuildFile; fileRef = 
DC6B464A1C90E36900D899C6 /* kc-21-item-use-callback.c */; }; + DC6B466E1C90EE1A00D899C6 /* kc-04-is-valid.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B464E1C90E36900D899C6 /* kc-04-is-valid.c */; }; + DC6B466F1C90EE1A00D899C6 /* kc-18-find-combined.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6B464F1C90E36900D899C6 /* kc-18-find-combined.c */; }; + DC7EFBA91CBC4448005F9624 /* kc-06-cert-search-email.m in Sources */ = {isa = PBXBuildFile; fileRef = DC7EFBA71CBC4443005F9624 /* kc-06-cert-search-email.m */; }; + DC840D871CBEF5CB0083F55C /* kc-20-identity-persistent-refs.c in Sources */ = {isa = PBXBuildFile; fileRef = DC19708E1CBEF00F00A66F4B /* kc-20-identity-persistent-refs.c */; }; + DC840D8A1CBEFC6A0083F55C /* kc-20-identity-key-attributes.c in Sources */ = {isa = PBXBuildFile; fileRef = DC840D881CBEFC640083F55C /* kc-20-identity-key-attributes.c */; }; + DC840D8E1CBF13C00083F55C /* kc-23-key-export-symmetric.m in Sources */ = {isa = PBXBuildFile; fileRef = DC840D8C1CBF121F0083F55C /* kc-23-key-export-symmetric.m */; }; + DC840D911CBF17AF0083F55C /* kc-26-key-import-public.m in Sources */ = {isa = PBXBuildFile; fileRef = DC840D8F1CBF179C0083F55C /* kc-26-key-import-public.m */; }; + DC9642751D25F4650073E0C5 /* kc-20-item-find-stress.c in Sources */ = {isa = PBXBuildFile; fileRef = DC9642741D25F4650073E0C5 /* kc-20-item-find-stress.c */; }; + DC9642771D25F5DD0073E0C5 /* kc-20-key-find-stress.c in Sources */ = {isa = PBXBuildFile; fileRef = DC9642761D25F5DD0073E0C5 /* kc-20-key-find-stress.c */; }; + DC9A61A21CCA9279002793D6 /* kc-03-keychain-list.c in Sources */ = {isa = PBXBuildFile; fileRef = DC9A61A01CCA9273002793D6 /* kc-03-keychain-list.c */; }; + DC9A61AF1CCAA4CF002793D6 /* kc-24-key-copy-keychains.c in Sources */ = {isa = PBXBuildFile; fileRef = DC9A61A51CCAA0A1002793D6 /* kc-24-key-copy-keychains.c */; }; + DC9A61B21CCAAE05002793D6 /* kc-28-cert-sign.c in Sources */ = {isa = PBXBuildFile; fileRef = DC9A61B01CCAA91F002793D6 /* kc-28-cert-sign.c 
*/; }; + DC9A61B51CCABD1F002793D6 /* kc-21-item-xattrs.c in Sources */ = {isa = PBXBuildFile; fileRef = DC9A61B31CCABD18002793D6 /* kc-21-item-xattrs.c */; }; + DCA424031CB81EF20095B7DF /* kc-05-find-existing-items.c in Sources */ = {isa = PBXBuildFile; fileRef = DCA424021CB81EF20095B7DF /* kc-05-find-existing-items.c */; }; + DCBD63151CC86028008C27FC /* kc-28-p12-import.m in Sources */ = {isa = PBXBuildFile; fileRef = DCBD630B1CC86020008C27FC /* kc-28-p12-import.m */; }; DCD20F421BCDA8260046D8EB /* kc-30-xara-upgrade-helpers.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD20F411BCDA8260046D8EB /* kc-30-xara-upgrade-helpers.h */; }; + DCE537591D2EE36800A12A95 /* kc-05-find-existing-items-locked.c in Sources */ = {isa = PBXBuildFile; fileRef = DCE537581D2EE36800A12A95 /* kc-05-find-existing-items-locked.c */; }; F92321381ACF69EE00634C21 /* si-34-one-true-keychain.c in Sources */ = {isa = PBXBuildFile; fileRef = F92321371ACF69EE00634C21 /* si-34-one-true-keychain.c */; }; /* End PBXBuildFile section */ @@ -172,13 +210,6 @@ remoteGlobalIDString = 4CA2A53A0523D32800978A7B; remoteInfo = libsecurity_utilities; }; - 182BB340146F106C000BF1F3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 182BB30C146F0AE6000BF1F3 /* libsecurity_utilities.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = C2C9C69D0CECBE8400B3FE07; - remoteInfo = libsecurity_utilitiesDTrace; - }; 521FBA8B112CB465002BEF54 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 5297A586112B78BB00EAA0C0 /* libDER.xcodeproj */; 
@@ -231,7 +262,7 @@ 051A053205DAC86400E02A64 /* SecImportExportPem.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SecImportExportPem.cpp; sourceTree = "<group>"; }; 052AF722060A3472003FEB8D /* SecWrappedKeys.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SecWrappedKeys.cpp; sourceTree = "<group>"; }; 054F90AD05E2860E0013C1D1 /* SecImportExportUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SecImportExportUtils.cpp; sourceTree = "<group>"; }; - 054F90AF05E286180013C1D1 /* SecImportExportUtils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecImportExportUtils.h; sourceTree = "<group>"; }; + 054F90AF05E286180013C1D1 /* SecImportExportUtils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = SecImportExportUtils.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 055EA6B006AC5C13005079CE /* TrustRevocation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TrustRevocation.cpp; sourceTree = "<group>"; }; 056CDA3805FD573B00820BC3 /* SecImportExportPkcs8.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SecImportExportPkcs8.cpp; sourceTree = "<group>"; }; 056CDA5C05FD5AEB00820BC3 /* SecPkcs8Templates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecPkcs8Templates.h; sourceTree = "<group>"; }; 
@@ -245,8 +276,8 @@ 058AAA9105D97EAE00F543ED /* SecImportExportPem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecImportExportPem.h; sourceTree = "<group>"; }; 058C796F09F56CCB00DB7E98 /* SecTrustSettings.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SecTrustSettings.h; sourceTree = "<group>"; }; 058C797009F56CCB00DB7E98 /* SecTrustSettingsPriv.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SecTrustSettingsPriv.h; sourceTree = "<group>"; }; - 058C797509F56CFB00DB7E98 /* SecTrustSettings.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SecTrustSettings.cpp; sourceTree = "<group>"; }; - 058C797709F56D1400DB7E98 /* TrustSettings.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = TrustSettings.cpp; sourceTree = "<group>"; }; + 058C797509F56CFB00DB7E98 /* SecTrustSettings.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SecTrustSettings.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; + 058C797709F56D1400DB7E98 /* TrustSettings.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = TrustSettings.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 058C797809F56D1400DB7E98 /* TrustSettings.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = TrustSettings.h; sourceTree = "<group>"; }; 058C797909F56D1400DB7E98 /* TrustSettingsSchema.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = TrustSettingsSchema.h; sourceTree = "<group>"; }; 058C797A09F56D1400DB7E98 /* TrustSettingsUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = 
sourcecode.cpp.cpp; path = TrustSettingsUtils.cpp; sourceTree = "<group>"; }; 
@@ -260,8 +291,8 @@ 05FB016605E54A3A00A5194C /* SecNetscapeTemplates.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SecNetscapeTemplates.cpp; sourceTree = "<group>"; }; 05FB016705E54A3A00A5194C /* SecNetscapeTemplates.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SecNetscapeTemplates.h; sourceTree = "<group>"; }; 0CBD509716C3242200713B6C /* libsecurity_keychain_regressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_keychain_regressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; - 0CBD509816C3246D00713B6C /* kc-40-seckey.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-40-seckey.c"; path = "regressions/kc-40-seckey.c"; sourceTree = "<group>"; }; - 0CBD509916C3246D00713B6C /* kc-41-sececkey.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-41-sececkey.c"; path = "regressions/kc-41-sececkey.c"; sourceTree = "<group>"; }; + 0CBD509816C3246D00713B6C /* kc-40-seckey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "kc-40-seckey.m"; path = "regressions/kc-40-seckey.m"; sourceTree = "<group>"; }; + 0CBD509916C3246D00713B6C /* kc-41-sececkey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "kc-41-sececkey.m"; path = "regressions/kc-41-sececkey.m"; sourceTree = "<group>"; }; 0CBD509C16C324B100713B6C /* keychain_regressions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = keychain_regressions.h; path = regressions/keychain_regressions.h; sourceTree = "<group>"; }; 182BB224146F063C000BF1F3 /* base.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = base.xcconfig; sourceTree = "<group>"; }; 182BB225146F063C000BF1F3 /* debug.xcconfig */ = {isa = PBXFileReference; 
lastKnownFileType = text.xcconfig; path = debug.xcconfig; sourceTree = "<group>"; }; 
@@ -271,8 +302,10 @@ 188BB53F171DD774009D22CE /* si-33-keychain-backup.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; name = "si-33-keychain-backup.c"; path = "regressions/si-33-keychain-backup.c"; sourceTree = "<group>"; }; 1B11967A062F4C1800F3B659 /* SecKeychainSearchPriv.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SecKeychainSearchPriv.h; sourceTree = "<group>"; }; 30E17F5A062B0A25004208EB /* SecIdentitySearchPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecIdentitySearchPriv.h; path = lib/SecIdentitySearchPriv.h; sourceTree = SOURCE_ROOT; }; + 3A353D7B1CC50583000446F4 /* TokenLogin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = TokenLogin.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; + 3A353D7C1CC50583000446F4 /* TokenLogin.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TokenLogin.h; sourceTree = "<group>"; }; 407AC2BE066661620030E07D /* SecPassword.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecPassword.h; sourceTree = "<group>"; }; - 407AC2BF066661620030E07D /* SecPassword.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SecPassword.cpp; sourceTree = "<group>"; }; + 407AC2BF066661620030E07D /* SecPassword.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SecPassword.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 407AC2C2066798420030E07D /* Password.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Password.h; sourceTree = "<group>"; }; 407AC2C3066798420030E07D /* Password.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.cpp.cpp; path = Password.cpp; sourceTree = "<group>"; }; 4885CFF611C8182D0093ECF6 /* SecRecoveryPassword.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecRecoveryPassword.c; sourceTree = "<group>"; }; 
@@ -291,12 +324,11 @@ 4CFDC28306CD9C6A007BEE7E /* DynamicDLDBList.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = DynamicDLDBList.cpp; sourceTree = "<group>"; }; 4CFDC28406CD9C6A007BEE7E /* DynamicDLDBList.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = DynamicDLDBList.h; sourceTree = "<group>"; }; 52008C6311496BD200E8CA78 /* SecCertificateInternalP.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCertificateInternalP.h; sourceTree = "<group>"; }; - 521DC57D1125FEE300937BF2 /* SecCertificateP.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecCertificateP.c; sourceTree = "<group>"; }; + 521DC57D1125FEE300937BF2 /* SecCertificateP.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = SecCertificateP.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; 521DC57E1125FEE300937BF2 /* SecCertificateP.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCertificateP.h; sourceTree = "<group>"; }; 52200F8F14F2B88000F7F6E7 /* XPCTimeStampingService.xpc */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = XPCTimeStampingService.xpc; sourceTree = BUILT_PRODUCTS_DIR; }; 52200F9B14F2B93700F7F6E7 /* XPCTimeStampingService-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "XPCTimeStampingService-Info.plist"; sourceTree = "<group>"; }; 5261C289112F0D570047EF8B /* SecFrameworkP.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecFrameworkP.c; sourceTree = "<group>"; }; - 5261C2E1112F19BA0047EF8B /* debuggingP.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = debuggingP.c; sourceTree = "<group>"; 
}; 5261C30F112F1C560047EF8B /* SecBase64P.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecBase64P.c; sourceTree = "<group>"; }; 527067DB070246B300C5D30E /* iToolsTrustedApps.plist */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text.plist.xml; name = iToolsTrustedApps.plist; path = plist/iToolsTrustedApps.plist; sourceTree = SOURCE_ROOT; }; 5297A586112B78BB00EAA0C0 /* libDER.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libDER.xcodeproj; path = libDER/libDER.xcodeproj; sourceTree = "<group>"; }; 
@@ -311,14 +343,14 @@ 52C23EF71135AE5100E079D2 /* SecCertificatePrivP.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCertificatePrivP.h; sourceTree = "<group>"; }; 52E950CC1509B47000DA6511 /* tsaDERUtilities.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = tsaDERUtilities.c; sourceTree = "<group>"; }; 52E950D51509B48D00DA6511 /* tsaDERUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = tsaDERUtilities.h; sourceTree = "<group>"; }; - 52FB42C1113F056D006D3B0A /* debuggingP.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = debuggingP.h; sourceTree = "<group>"; }; 52FB44A81146D769006D3B0A /* SecCertificateOIDs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCertificateOIDs.h; sourceTree = "<group>"; }; + 87701A841C4B91D000CB437B /* kc-43-seckey-interop.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "kc-43-seckey-interop.m"; path = "regressions/kc-43-seckey-interop.m"; sourceTree = "<group>"; }; AA31456E134B716B00133245 /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = /System/Library/Frameworks/CoreFoundation.framework; sourceTree = "<absolute>"; }; AC9ADAD2199AD6BA00BDAF54 /* kc-42-trust-revocation.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-42-trust-revocation.c"; path = "regressions/kc-42-trust-revocation.c"; sourceTree = "<group>"; }; BE0FAED51B967FB30017DAC9 /* si-20-sectrust-provisioning.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "si-20-sectrust-provisioning.h"; path = "regressions/si-20-sectrust-provisioning.h"; sourceTree = "<group>"; }; BE296DBE0EAC299C00FD22BE /* SecImportExport.c */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecImportExport.c; sourceTree = "<group>"; }; BE296DC40EAC2B5600FD22BE /* SecInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecInternal.h; sourceTree = "<group>"; }; - BE50AE650F687AB900D28C54 /* TrustAdditions.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TrustAdditions.cpp; sourceTree = "<group>"; }; + BE50AE650F687AB900D28C54 /* TrustAdditions.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = TrustAdditions.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; BE50AE660F687AB900D28C54 /* TrustAdditions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TrustAdditions.h; sourceTree = "<group>"; }; BECE5140106B056C0091E644 /* TrustKeychains.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TrustKeychains.h; sourceTree = "<group>"; }; BED2BCA11B96217B006CF43A /* si-20-sectrust-provisioning.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "si-20-sectrust-provisioning.c"; path = "regressions/si-20-sectrust-provisioning.c"; sourceTree = "<group>"; }; 
@@ -326,14 +358,14 @@ BEE896E10A61F0BB00BF88A5 /* SecItemPriv.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SecItemPriv.h; sourceTree = "<group>"; }; BEE896E60A61F12300BF88A5 /* SecItem.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SecItem.cpp; sourceTree = "<group>"; usesTabs = 1; }; BEE897100A62CDD800BF88A5 /* SecItemConstants.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = SecItemConstants.c; sourceTree = "<group>"; }; - C26BA9FE072580AE0049AF3C /* UnlockReferralItem.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = UnlockReferralItem.cpp; path = lib/UnlockReferralItem.cpp; sourceTree = SOURCE_ROOT; }; + C26BA9FE072580AE0049AF3C /* UnlockReferralItem.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; name = UnlockReferralItem.cpp; path = lib/UnlockReferralItem.cpp; sourceTree = SOURCE_ROOT; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2975B9B072580DC00AFECAD /* UnlockReferralItem.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = UnlockReferralItem.h; path = lib/UnlockReferralItem.h; sourceTree = SOURCE_ROOT; }; - C2AA2B42052E099D006D0211 /* Access.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = Access.cpp; sourceTree = "<group>"; }; + C2AA2B42052E099D006D0211 /* Access.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = Access.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2B43052E099D006D0211 /* Access.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Access.h; sourceTree = "<group>"; }; - C2AA2B44052E099D006D0211 /* ACL.cpp */ = {isa = PBXFileReference; 
fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = ACL.cpp; sourceTree = "<group>"; }; + C2AA2B44052E099D006D0211 /* ACL.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = ACL.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2B45052E099D006D0211 /* ACL.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = ACL.h; sourceTree = "<group>"; }; C2AA2B46052E099D006D0211 /* CCallbackMgr.cp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = CCallbackMgr.cp; sourceTree = "<group>"; }; - C2AA2B47052E099D006D0211 /* CCallbackMgr.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = CCallbackMgr.h; sourceTree = "<group>"; }; + C2AA2B47052E099D006D0211 /* CCallbackMgr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CCallbackMgr.h; sourceTree = "<group>"; }; C2AA2B48052E099D006D0211 /* Certificate.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = Certificate.cpp; sourceTree = "<group>"; }; C2AA2B49052E099D006D0211 /* Certificate.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Certificate.h; sourceTree = "<group>"; }; C2AA2B4A052E099D006D0211 /* CertificateRequest.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = CertificateRequest.cpp; sourceTree = "<group>"; }; 
@@ -349,16 +381,16 @@ C2AA2B59052E099D006D0211 /* Identity.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Identity.h; sourceTree = "<group>"; }; C2AA2B5A052E099D006D0211 /* IdentityCursor.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = IdentityCursor.cpp; sourceTree = "<group>"; }; C2AA2B5B052E099D006D0211 /* IdentityCursor.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = IdentityCursor.h; sourceTree = "<group>"; }; - C2AA2B5C052E099D006D0211 /* Item.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = Item.cpp; sourceTree = "<group>"; }; + C2AA2B5C052E099D006D0211 /* Item.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = Item.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2B5D052E099D006D0211 /* Item.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Item.h; sourceTree = "<group>"; }; - C2AA2B5E052E099D006D0211 /* KCCursor.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = KCCursor.cpp; sourceTree = "<group>"; }; + C2AA2B5E052E099D006D0211 /* KCCursor.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = KCCursor.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2B5F052E099D006D0211 /* KCCursor.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = KCCursor.h; sourceTree = "<group>"; }; C2AA2B64052E099D006D0211 /* KCExceptions.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = KCExceptions.h; sourceTree = "<group>"; }; - C2AA2B67052E099D006D0211 /* Keychains.cpp */ = {isa = PBXFileReference; 
fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = Keychains.cpp; sourceTree = "<group>"; }; + C2AA2B67052E099D006D0211 /* Keychains.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = Keychains.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2B68052E099D006D0211 /* Keychains.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Keychains.h; sourceTree = "<group>"; }; - C2AA2B69052E099D006D0211 /* KeyItem.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = KeyItem.cpp; sourceTree = "<group>"; }; + C2AA2B69052E099D006D0211 /* KeyItem.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = KeyItem.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2B6A052E099D006D0211 /* KeyItem.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = KeyItem.h; sourceTree = "<group>"; }; - C2AA2B6B052E099D006D0211 /* Policies.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = Policies.cpp; sourceTree = "<group>"; }; + C2AA2B6B052E099D006D0211 /* Policies.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = Policies.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2B6C052E099D006D0211 /* Policies.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Policies.h; sourceTree = "<group>"; }; C2AA2B6D052E099D006D0211 /* PolicyCursor.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = PolicyCursor.cpp; sourceTree = "<group>"; }; C2AA2B6E052E099D006D0211 /* PolicyCursor.h */ = {isa = PBXFileReference; fileEncoding = 30; 
lastKnownFileType = sourcecode.c.h; path = PolicyCursor.h; sourceTree = "<group>"; }; 
@@ -407,30 +439,70 @@ C2AA2BA3052E099D006D0211 /* SecTrustedApplicationPriv.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SecTrustedApplicationPriv.h; sourceTree = "<group>"; }; C2AA2BA4052E099D006D0211 /* SecTrustPriv.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SecTrustPriv.h; sourceTree = "<group>"; }; C2AA2BA5052E099D006D0211 /* Security.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Security.h; sourceTree = "<group>"; }; - C2AA2BAA052E099D006D0211 /* StorageManager.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = StorageManager.cpp; sourceTree = "<group>"; }; + C2AA2BAA052E099D006D0211 /* StorageManager.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = StorageManager.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2BAB052E099D006D0211 /* StorageManager.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = StorageManager.h; sourceTree = "<group>"; }; - C2AA2BAC052E099D006D0211 /* Trust.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = Trust.cpp; sourceTree = "<group>"; }; + C2AA2BAC052E099D006D0211 /* Trust.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = Trust.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2BAD052E099D006D0211 /* Trust.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = Trust.h; sourceTree = "<group>"; }; - C2AA2BAE052E099D006D0211 /* TrustedApplication.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = TrustedApplication.cpp; sourceTree = "<group>"; }; + 
C2AA2BAE052E099D006D0211 /* TrustedApplication.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = TrustedApplication.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2BAF052E099D006D0211 /* TrustedApplication.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = TrustedApplication.h; sourceTree = "<group>"; }; - C2AA2BB0052E099D006D0211 /* TrustItem.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = TrustItem.cpp; sourceTree = "<group>"; }; + C2AA2BB0052E099D006D0211 /* TrustItem.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = TrustItem.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2BB1052E099D006D0211 /* TrustItem.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = TrustItem.h; sourceTree = "<group>"; }; - C2AA2BB2052E099D006D0211 /* TrustStore.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = TrustStore.cpp; sourceTree = "<group>"; }; + C2AA2BB2052E099D006D0211 /* TrustStore.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = TrustStore.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2AA2BB3052E099D006D0211 /* TrustStore.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = TrustStore.h; sourceTree = "<group>"; }; C2FD262F0731CEB40027896A /* defaultcreds.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = defaultcreds.h; path = lib/defaultcreds.h; sourceTree = SOURCE_ROOT; }; - C2FD26370731CEE60027896A /* defaultcreds.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = 
sourcecode.cpp.cpp; name = defaultcreds.cpp; path = lib/defaultcreds.cpp; sourceTree = SOURCE_ROOT; }; + C2FD26370731CEE60027896A /* defaultcreds.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; name = defaultcreds.cpp; path = lib/defaultcreds.cpp; sourceTree = SOURCE_ROOT; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C429431C053B2F8B00470431 /* KCUtilities.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = KCUtilities.cpp; sourceTree = "<group>"; }; C429431D053B2F8B00470431 /* KCUtilities.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = KCUtilities.h; sourceTree = "<group>"; }; C4A397A1053B1D50000E1B34 /* SecKeychainPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecKeychainPriv.h; sourceTree = "<group>"; }; C4A397FA053B21F9000E1B34 /* SecKeychainItemPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecKeychainItemPriv.h; sourceTree = "<group>"; }; + D4486BCD1C65528B0040880D /* SecTrustOSXEntryPoints.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SecTrustOSXEntryPoints.cpp; sourceTree = "<group>"; }; + D45FA39B1C6578CE003DBB97 /* SecTrustOSXEntryPoints.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrustOSXEntryPoints.h; path = ../../trustd/SecTrustOSXEntryPoints.h; sourceTree = "<group>"; }; D4A2FC811BC8A65B00BF6E56 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = System/Library/Frameworks/Security.framework; sourceTree = SDKROOT; }; D6E1457B0A632A5A008AA7E8 /* KCEventNotifier.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = KCEventNotifier.cpp; sourceTree = "<group>"; }; 
D6E1457C0A632A5A008AA7E8 /* KCEventNotifier.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = KCEventNotifier.h; sourceTree = "<group>"; }; - DC3C15F81BAB6FE20041A23A /* kc-30-xara.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-30-xara.c"; path = "regressions/kc-30-xara.c"; sourceTree = "<group>"; }; - DC6949791BC71B2300AB4DC3 /* kc-30-xara-item-helpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "kc-30-xara-item-helpers.h"; path = "regressions/kc-30-xara-item-helpers.h"; sourceTree = "<group>"; }; - DC6949801BC71B3B00AB4DC3 /* kc-30-xara-key-helpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "kc-30-xara-key-helpers.h"; path = "regressions/kc-30-xara-key-helpers.h"; sourceTree = "<group>"; }; + DC196F6B1CBD77C300A66F4B /* kc-15-key-update-valueref.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-15-key-update-valueref.c"; path = "regressions/kc-15-key-update-valueref.c"; sourceTree = "<group>"; }; + DC1970801CBEC2EE00A66F4B /* kc-15-item-update-label-skimaad.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "kc-15-item-update-label-skimaad.m"; path = "regressions/kc-15-item-update-label-skimaad.m"; sourceTree = "<group>"; }; + DC19708B1CBEE43600A66F4B /* kc-16-item-update-password.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-16-item-update-password.c"; path = "regressions/kc-16-item-update-password.c"; sourceTree = "<group>"; }; + DC19708E1CBEF00F00A66F4B /* kc-20-identity-persistent-refs.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-20-identity-persistent-refs.c"; path = "regressions/kc-20-identity-persistent-refs.c"; sourceTree = "<group>"; }; + DC247FD91CBF1FF800527D67 /* 
kc-27-key-non-extractable.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-27-key-non-extractable.c"; path = "regressions/kc-27-key-non-extractable.c"; sourceTree = "<group>"; }; + DC2480471CC1B58200527D67 /* kc-21-item-use-callback.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-21-item-use-callback.c"; path = "regressions/kc-21-item-use-callback.c"; sourceTree = "<group>"; }; + DC336B3B1D246E4C00D24F15 /* kc-20-identity-find-stress.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-20-identity-find-stress.c"; path = "regressions/kc-20-identity-find-stress.c"; sourceTree = "<group>"; }; + DC3C15F81BAB6FE20041A23A /* kc-30-xara.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; name = "kc-30-xara.c"; path = "regressions/kc-30-xara.c"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; + DC6949791BC71B2300AB4DC3 /* kc-30-xara-item-helpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; name = "kc-30-xara-item-helpers.h"; path = "regressions/kc-30-xara-item-helpers.h"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; + DC6949801BC71B3B00AB4DC3 /* kc-30-xara-key-helpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; name = "kc-30-xara-key-helpers.h"; path = "regressions/kc-30-xara-key-helpers.h"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; DC6949821BC71C7600AB4DC3 /* kc-30-xara-helpers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "kc-30-xara-helpers.h"; path = "regressions/kc-30-xara-helpers.h"; sourceTree = "<group>"; }; + DC6B46421C90E36900D899C6 /* kc-01-keychain-creation.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.c; name = "kc-01-keychain-creation.c"; path = "regressions/kc-01-keychain-creation.c"; sourceTree = "<group>"; }; + DC6B46431C90E36900D899C6 /* kc-02-unlock-noui.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-02-unlock-noui.c"; path = "regressions/kc-02-unlock-noui.c"; sourceTree = "<group>"; }; + DC6B46441C90E36900D899C6 /* kc-03-status.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-03-status.c"; path = "regressions/kc-03-status.c"; sourceTree = "<group>"; }; + DC6B46451C90E36900D899C6 /* kc-10-item-add-generic.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-10-item-add-generic.c"; path = "regressions/kc-10-item-add-generic.c"; sourceTree = "<group>"; }; + DC6B46461C90E36900D899C6 /* kc-10-item-add-certificate.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-10-item-add-certificate.c"; path = "regressions/kc-10-item-add-certificate.c"; sourceTree = "<group>"; }; + DC6B46471C90E36900D899C6 /* kc-12-item-create-keypair.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-12-item-create-keypair.c"; path = "regressions/kc-12-item-create-keypair.c"; sourceTree = "<group>"; }; + DC6B46481C90E36900D899C6 /* kc-10-item-add-internet.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-10-item-add-internet.c"; path = "regressions/kc-10-item-add-internet.c"; sourceTree = "<group>"; }; + DC6B46491C90E36900D899C6 /* kc-19-item-copy-internet.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-19-item-copy-internet.c"; path = "regressions/kc-19-item-copy-internet.c"; sourceTree = "<group>"; }; + DC6B464A1C90E36900D899C6 /* kc-21-item-use-callback.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = 
"kc-21-item-use-callback.c"; path = "regressions/kc-21-item-use-callback.c"; sourceTree = "<group>"; }; + DC6B464E1C90E36900D899C6 /* kc-04-is-valid.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-04-is-valid.c"; path = "regressions/kc-04-is-valid.c"; sourceTree = "<group>"; }; + DC6B464F1C90E36900D899C6 /* kc-18-find-combined.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-18-find-combined.c"; path = "regressions/kc-18-find-combined.c"; sourceTree = "<group>"; }; + DC6B46701C90F2C100D899C6 /* kc-helpers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "kc-helpers.h"; path = "regressions/kc-helpers.h"; sourceTree = "<group>"; }; + DC7EFBA71CBC4443005F9624 /* kc-06-cert-search-email.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "kc-06-cert-search-email.m"; path = "regressions/kc-06-cert-search-email.m"; sourceTree = "<group>"; }; + DC7EFCA61CBD6ADC005F9624 /* kc-12-key-create-symmetric-and-use.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "kc-12-key-create-symmetric-and-use.m"; path = "regressions/kc-12-key-create-symmetric-and-use.m"; sourceTree = "<group>"; }; + DC7EFCA71CBD6ADC005F9624 /* kc-12-key-create-symmetric.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-12-key-create-symmetric.c"; path = "regressions/kc-12-key-create-symmetric.c"; sourceTree = "<group>"; }; + DC840D881CBEFC640083F55C /* kc-20-identity-key-attributes.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-20-identity-key-attributes.c"; path = "regressions/kc-20-identity-key-attributes.c"; sourceTree = "<group>"; }; + DC840D8B1CBEFCAD0083F55C /* kc-identity-helpers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "kc-identity-helpers.h"; path = 
"regressions/kc-identity-helpers.h"; sourceTree = "<group>"; }; + DC840D8C1CBF121F0083F55C /* kc-23-key-export-symmetric.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "kc-23-key-export-symmetric.m"; path = "regressions/kc-23-key-export-symmetric.m"; sourceTree = "<group>"; }; + DC840D8F1CBF179C0083F55C /* kc-26-key-import-public.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "kc-26-key-import-public.m"; path = "regressions/kc-26-key-import-public.m"; sourceTree = "<group>"; }; + DC9642741D25F4650073E0C5 /* kc-20-item-find-stress.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-20-item-find-stress.c"; path = "regressions/kc-20-item-find-stress.c"; sourceTree = "<group>"; }; + DC9642761D25F5DD0073E0C5 /* kc-20-key-find-stress.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-20-key-find-stress.c"; path = "regressions/kc-20-key-find-stress.c"; sourceTree = "<group>"; }; + DC9A61A01CCA9273002793D6 /* kc-03-keychain-list.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-03-keychain-list.c"; path = "regressions/kc-03-keychain-list.c"; sourceTree = "<group>"; }; + DC9A61A51CCAA0A1002793D6 /* kc-24-key-copy-keychains.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-24-key-copy-keychains.c"; path = "regressions/kc-24-key-copy-keychains.c"; sourceTree = "<group>"; }; + DC9A61B01CCAA91F002793D6 /* kc-28-cert-sign.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-28-cert-sign.c"; path = "regressions/kc-28-cert-sign.c"; sourceTree = "<group>"; }; + DC9A61B31CCABD18002793D6 /* kc-21-item-xattrs.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-21-item-xattrs.c"; path = "regressions/kc-21-item-xattrs.c"; 
sourceTree = "<group>"; }; + DCA424021CB81EF20095B7DF /* kc-05-find-existing-items.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-05-find-existing-items.c"; path = "regressions/kc-05-find-existing-items.c"; sourceTree = "<group>"; }; + DCA4240C1CB81FE90095B7DF /* kc-keychain-file-helpers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "kc-keychain-file-helpers.h"; path = "regressions/kc-keychain-file-helpers.h"; sourceTree = "<group>"; }; + DCA4240D1CB8240E0095B7DF /* kc-item-helpers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "kc-item-helpers.h"; path = "regressions/kc-item-helpers.h"; sourceTree = "<group>"; }; + DCA4240E1CB828D80095B7DF /* kc-key-helpers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "kc-key-helpers.h"; path = "regressions/kc-key-helpers.h"; sourceTree = "<group>"; }; + DCBD630B1CC86020008C27FC /* kc-28-p12-import.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "kc-28-p12-import.m"; path = "regressions/kc-28-p12-import.m"; sourceTree = "<group>"; }; DCD20F411BCDA8260046D8EB /* kc-30-xara-upgrade-helpers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "kc-30-xara-upgrade-helpers.h"; path = "regressions/kc-30-xara-upgrade-helpers.h"; sourceTree = "<group>"; }; + DCE537581D2EE36800A12A95 /* kc-05-find-existing-items-locked.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-05-find-existing-items-locked.c"; path = "regressions/kc-05-find-existing-items-locked.c"; sourceTree = "<group>"; }; F92321371ACF69EE00634C21 /* si-34-one-true-keychain.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "si-34-one-true-keychain.c"; path = "regressions/si-34-one-true-keychain.c"; sourceTree = "<group>"; }; /* End PBXFileReference section */ 
@@ -592,6 +664,8 @@ 058C797709F56D1400DB7E98 /* TrustSettings.cpp */, 058C797809F56D1400DB7E98 /* TrustSettings.h */, BECE5140106B056C0091E644 /* TrustKeychains.h */, + D4486BCD1C65528B0040880D /* SecTrustOSXEntryPoints.cpp */, + D45FA39B1C6578CE003DBB97 /* SecTrustOSXEntryPoints.h */, ); name = "API Classes"; sourceTree = "<group>"; @@ -630,10 +704,8 @@ C2975B9B072580DC00AFECAD /* UnlockReferralItem.h */, 058C797A09F56D1400DB7E98 /* TrustSettingsUtils.cpp */, 058C797B09F56D1400DB7E98 /* TrustSettingsUtils.h */, - 52FB42C1113F056D006D3B0A /* debuggingP.h */, 52C23EF71135AE5100E079D2 /* SecCertificatePrivP.h */, 5261C30F112F1C560047EF8B /* SecBase64P.c */, - 5261C2E1112F19BA0047EF8B /* debuggingP.c */, 5261C289112F0D570047EF8B /* SecFrameworkP.c */, 521DC57D1125FEE300937BF2 /* SecCertificateP.c */, 521DC57E1125FEE300937BF2 /* SecCertificateP.h */, @@ -642,6 +714,8 @@ C2AA2B55052E099D006D0211 /* generateErrStrings.pl */, 52E950CC1509B47000DA6511 /* tsaDERUtilities.c */, 52E950D51509B48D00DA6511 /* tsaDERUtilities.h */, + 3A353D7B1CC50583000446F4 /* TokenLogin.cpp */, + 3A353D7C1CC50583000446F4 /* TokenLogin.h */, ); name = Internal; sourceTree = "<group>"; 
@@ -679,13 +753,51 @@ isa = PBXGroup; children = ( 0CBD509C16C324B100713B6C /* keychain_regressions.h */, + DC6B46701C90F2C100D899C6 /* kc-helpers.h */, + DCA4240D1CB8240E0095B7DF /* kc-item-helpers.h */, + DCA4240E1CB828D80095B7DF /* kc-key-helpers.h */, + DC840D8B1CBEFCAD0083F55C /* kc-identity-helpers.h */, + DCA4240C1CB81FE90095B7DF /* kc-keychain-file-helpers.h */, + DC6B46421C90E36900D899C6 /* kc-01-keychain-creation.c */, + DC6B46431C90E36900D899C6 /* kc-02-unlock-noui.c */, + DC6B46441C90E36900D899C6 /* kc-03-status.c */, + DC9A61A01CCA9273002793D6 /* kc-03-keychain-list.c */, + DC6B464E1C90E36900D899C6 /* kc-04-is-valid.c */, + DCA424021CB81EF20095B7DF /* kc-05-find-existing-items.c */, + DCE537581D2EE36800A12A95 /* kc-05-find-existing-items-locked.c */, + DC7EFBA71CBC4443005F9624 /* kc-06-cert-search-email.m */, + DC6B46451C90E36900D899C6 /* kc-10-item-add-generic.c */, + DC6B46481C90E36900D899C6 /* kc-10-item-add-internet.c */, + DC6B46461C90E36900D899C6 /* kc-10-item-add-certificate.c */, + DC7EFCA71CBD6ADC005F9624 /* kc-12-key-create-symmetric.c */, + DC7EFCA61CBD6ADC005F9624 /* kc-12-key-create-symmetric-and-use.m */, + DC6B46471C90E36900D899C6 /* kc-12-item-create-keypair.c */, + DC196F6B1CBD77C300A66F4B /* kc-15-key-update-valueref.c */, + DC1970801CBEC2EE00A66F4B /* kc-15-item-update-label-skimaad.m */, + DC19708B1CBEE43600A66F4B /* kc-16-item-update-password.c */, + DC6B464F1C90E36900D899C6 /* kc-18-find-combined.c */, + DC6B46491C90E36900D899C6 /* kc-19-item-copy-internet.c */, + DC19708E1CBEF00F00A66F4B /* kc-20-identity-persistent-refs.c */, + DC840D881CBEFC640083F55C /* kc-20-identity-key-attributes.c */, + DC9642741D25F4650073E0C5 /* kc-20-item-find-stress.c */, + DC9642761D25F5DD0073E0C5 /* kc-20-key-find-stress.c */, + DC336B3B1D246E4C00D24F15 /* kc-20-identity-find-stress.c */, + DC6B464A1C90E36900D899C6 /* kc-21-item-use-callback.c */, + DC9A61B31CCABD18002793D6 /* kc-21-item-xattrs.c */, + DC840D8C1CBF121F0083F55C /* 
kc-23-key-export-symmetric.m */, + DC9A61A51CCAA0A1002793D6 /* kc-24-key-copy-keychains.c */, + DC840D8F1CBF179C0083F55C /* kc-26-key-import-public.m */, + DC247FD91CBF1FF800527D67 /* kc-27-key-non-extractable.c */, + DCBD630B1CC86020008C27FC /* kc-28-p12-import.m */, + DC9A61B01CCAA91F002793D6 /* kc-28-cert-sign.c */, DC3C15F81BAB6FE20041A23A /* kc-30-xara.c */, DC6949821BC71C7600AB4DC3 /* kc-30-xara-helpers.h */, DCD20F411BCDA8260046D8EB /* kc-30-xara-upgrade-helpers.h */, DC6949791BC71B2300AB4DC3 /* kc-30-xara-item-helpers.h */, DC6949801BC71B3B00AB4DC3 /* kc-30-xara-key-helpers.h */, - 0CBD509816C3246D00713B6C /* kc-40-seckey.c */, - 0CBD509916C3246D00713B6C /* kc-41-sececkey.c */, + 0CBD509816C3246D00713B6C /* kc-40-seckey.m */, + 0CBD509916C3246D00713B6C /* kc-41-sececkey.m */, + 87701A841C4B91D000CB437B /* kc-43-seckey-interop.m */, AC9ADAD2199AD6BA00BDAF54 /* kc-42-trust-revocation.c */, BED2BCA11B96217B006CF43A /* si-20-sectrust-provisioning.c */, BE0FAED51B967FB30017DAC9 /* si-20-sectrust-provisioning.h */, @@ -801,6 +913,7 @@ 4CF36F680581376700834D11 /* SecACL.h in Headers */, 4CF36F6A0581376700834D11 /* SecBase.h in Headers */, 4CF36F690581376700834D11 /* SecCertificate.h in Headers */, + 3A353D7E1CC50583000446F4 /* TokenLogin.h in Headers */, 4CF36F6C0581376700834D11 /* SecIdentity.h in Headers */, 4CF36F670581376700834D11 /* SecIdentitySearch.h in Headers */, BEE896E20A61F0BB00BF88A5 /* SecItem.h in Headers */, @@ -846,6 +959,7 @@ 058C797209F56CCC00DB7E98 /* SecTrustSettingsPriv.h in Headers */, 058C797D09F56D1400DB7E98 /* TrustSettings.h in Headers */, 058C797E09F56D1400DB7E98 /* TrustSettingsSchema.h in Headers */, + D45FA39C1C6578CE003DBB97 /* SecTrustOSXEntryPoints.h in Headers */, 058C798009F56D1400DB7E98 /* TrustSettingsUtils.h in Headers */, BEE896E30A61F0BB00BF88A5 /* SecItemPriv.h in Headers */, 05A83C380AAF591100906F28 /* SecKeychainItemExtendedAttributes.h in Headers */, 
@@ -905,7 +1019,6 @@ buildRules = ( ); dependencies = ( - 182BB341146F106C000BF1F3 /* PBXTargetDependency */, 521FBA8C112CB465002BEF54 /* PBXTargetDependency */, ); name = libsecurity_keychain; @@ -935,7 +1048,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3810987FCDE001272E0 /* Build configuration list for PBXProject "libsecurity_keychain" */; compatibilityVersion = "Xcode 3.2"; 
@@ -1020,13 +1133,47 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + DC6B46641C90EE1200D899C6 /* kc-01-keychain-creation.c in Sources */, + DC196F691CBD70B400A66F4B /* kc-12-key-create-symmetric-and-use.m in Sources */, + DC9A61A21CCA9279002793D6 /* kc-03-keychain-list.c in Sources */, + DC6B46651C90EE1200D899C6 /* kc-02-unlock-noui.c in Sources */, + DC840D8A1CBEFC6A0083F55C /* kc-20-identity-key-attributes.c in Sources */, + DC6B46661C90EE1A00D899C6 /* kc-03-status.c in Sources */, + DCBD63151CC86028008C27FC /* kc-28-p12-import.m in Sources */, + DC6B46671C90EE1A00D899C6 /* kc-10-item-add-generic.c in Sources */, + DC6B46681C90EE1A00D899C6 /* kc-10-item-add-certificate.c in Sources */, + DC6B46691C90EE1A00D899C6 /* kc-12-item-create-keypair.c in Sources */, + DC196F6D1CBD77CD00A66F4B /* kc-15-key-update-valueref.c in Sources */, + DC6B466A1C90EE1A00D899C6 /* kc-10-item-add-internet.c in Sources */, + DC6B466B1C90EE1A00D899C6 /* kc-19-item-copy-internet.c in Sources */, + DC6B466C1C90EE1A00D899C6 /* kc-21-item-use-callback.c in Sources */, + DC6B466E1C90EE1A00D899C6 /* kc-04-is-valid.c in Sources */, + DC6B466F1C90EE1A00D899C6 /* kc-18-find-combined.c in Sources */, + DC336B3C1D246E4C00D24F15 /* kc-20-identity-find-stress.c in Sources */, + 87701A8E1C4B91E300CB437B /* kc-43-seckey-interop.m in Sources */, + DC9A61B51CCABD1F002793D6 /* kc-21-item-xattrs.c in Sources */, DC3C16001BAB76B50041A23A /* kc-30-xara.c in Sources */, AC9ADAD3199AD6BA00BDAF54 /* kc-42-trust-revocation.c in Sources */, - 0CBD509B16C3246D00713B6C /* kc-41-sececkey.c in Sources */, + DC2480511CC1B58B00527D67 /* kc-21-item-use-callback.c in Sources */, + DCE537591D2EE36800A12A95 /* kc-05-find-existing-items-locked.c in Sources */, + 0CBD509B16C3246D00713B6C /* kc-41-sececkey.m in Sources */, + DC19708A1CBEC2FA00A66F4B /* kc-15-item-update-label-skimaad.m in Sources */, 188BB546171DD8B5009D22CE /* si-33-keychain-backup.c in Sources */, + DC840D871CBEF5CB0083F55C /* 
kc-20-identity-persistent-refs.c in Sources */, + DC19708D1CBEE43E00A66F4B /* kc-16-item-update-password.c in Sources */, + DC9642751D25F4650073E0C5 /* kc-20-item-find-stress.c in Sources */, + DC9A61AF1CCAA4CF002793D6 /* kc-24-key-copy-keychains.c in Sources */, BED2BCA21B96217B006CF43A /* si-20-sectrust-provisioning.c in Sources */, + DC840D8E1CBF13C00083F55C /* kc-23-key-export-symmetric.m in Sources */, + DC840D911CBF17AF0083F55C /* kc-26-key-import-public.m in Sources */, + DC247FDB1CBF22AD00527D67 /* kc-27-key-non-extractable.c in Sources */, F92321381ACF69EE00634C21 /* si-34-one-true-keychain.c in Sources */, - 0CBD509A16C3246D00713B6C /* kc-40-seckey.c in Sources */, + DC9642771D25F5DD0073E0C5 /* kc-20-key-find-stress.c in Sources */, + DC196F6A1CBD70C100A66F4B /* kc-12-key-create-symmetric.c in Sources */, + DC7EFBA91CBC4448005F9624 /* kc-06-cert-search-email.m in Sources */, + 0CBD509A16C3246D00713B6C /* kc-40-seckey.m in Sources */, + DCA424031CB81EF20095B7DF /* kc-05-find-existing-items.c in Sources */, + DC9A61B21CCAAE05002793D6 /* kc-28-cert-sign.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -1101,6 +1248,7 @@ 05012D46060B94A000C044CB /* SecImportExportCrypto.cpp in Sources */, 055EA6B106AC5C13005079CE /* TrustRevocation.cpp in Sources */, C26BA9FF072580AE0049AF3C /* UnlockReferralItem.cpp in Sources */, + 3A353D7D1CC50583000446F4 /* TokenLogin.cpp in Sources */, 058C797609F56CFB00DB7E98 /* SecTrustSettings.cpp in Sources */, 058C797C09F56D1400DB7E98 /* TrustSettings.cpp in Sources */, 058C797F09F56D1400DB7E98 /* TrustSettingsUtils.cpp in Sources */, @@ -1119,6 +1267,7 @@ 52B88DFB11DD0D2D005BCA6B /* SecFDERecoveryAsymmetricCrypto.cpp in Sources */, 48E66AE3120254D700E878AD /* SecRandom.c in Sources */, 52E950CD1509B47000DA6511 /* tsaDERUtilities.c in Sources */, + D4486BCF1C65528B0040880D /* SecTrustOSXEntryPoints.cpp in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -1134,11 +1283,6 @@ /* End PBXSourcesBuildPhase section */ /* Begin PBXTargetDependency section */ - 182BB341146F106C000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity_utilitiesDTrace; - targetProxy = 182BB340146F106C000BF1F3 /* PBXContainerItemProxy */; - }; 521FBA8C112CB465002BEF54 /* PBXTargetDependency */ = { isa = PBXTargetDependency; name = libDER; @@ -1152,6 +1296,15 @@ baseConfigurationReference = 182BB225146F063C000BF1F3 /* debug.xcconfig */; buildSettings = { COMBINE_HIDPI_IMAGES = YES; + HEADER_SEARCH_PATHS = ( + "$(PROJECT_DIR)/../regressions", + "$(PROJECT_DIR)/../include", + "$(BUILT_PRODUCTS_DIR)/derived_src", + "$(BUILT_PRODUCTS_DIR)", + "$(PROJECT_DIR)/lib", + "$(PROJECT_DIR)/../utilities", + "$(inherited)", + ); WARNING_CFLAGS = ( "$(inherited)", "-Wno-error=overloaded-virtual", @@ -1180,6 +1333,7 @@ GCC_MODEL_TUNING = G5; INFOPLIST_FILE = "xpc/XPCKeychainSandboxCheck-Info.plist"; INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; + PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:rfc1034identifier}"; PRODUCT_NAME = XPCKeychainSandboxCheck; PROVISIONING_PROFILE = ""; SKIP_INSTALL = NO; @@ -1196,6 +1350,7 @@ GCC_MODEL_TUNING = G5; INFOPLIST_FILE = "xpc/XPCKeychainSandboxCheck-Info.plist"; INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; + PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:rfc1034identifier}"; PRODUCT_NAME = XPCKeychainSandboxCheck; PROVISIONING_PROFILE = ""; SKIP_INSTALL = NO; 
@@ -1212,6 +1367,7 @@ GCC_MODEL_TUNING = G5; INFOPLIST_FILE = "xpc-tsa/XPCTimeStampingService-Info.plist"; INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; + PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:rfc1034identifier}"; PRODUCT_NAME = XPCTimeStampingService; PROVISIONING_PROFILE = ""; SKIP_INSTALL = NO; @@ -1228,6 +1384,7 @@ GCC_MODEL_TUNING = G5; INFOPLIST_FILE = "xpc-tsa/XPCTimeStampingService-Info.plist"; INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; + PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:rfc1034identifier}"; PRODUCT_NAME = XPCTimeStampingService; PROVISIONING_PROFILE = ""; SKIP_INSTALL = NO; @@ -1242,11 +1399,7 @@ COMBINE_HIDPI_IMAGES = YES; GCC_PREPROCESSOR_DEFINITIONS = ( "$(inherited)", - "SECTRUST_OSX=0", - ); - HEADER_SEARCH_PATHS = ( - "$(inherited)", - "$(PROJECT_DIR)/libDER", + "SECTRUST_OSX=1", ); WARNING_CFLAGS = ( "$(inherited)", @@ -1262,11 +1415,7 @@ COMBINE_HIDPI_IMAGES = YES; GCC_PREPROCESSOR_DEFINITIONS = ( "$(inherited)", - "SECTRUST_OSX=0", - ); - HEADER_SEARCH_PATHS = ( - "$(inherited)", - "$(PROJECT_DIR)/libDER", + "SECTRUST_OSX=1", ); WARNING_CFLAGS = ( "$(inherited)", 
@@ -1279,13 +1428,32 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB226146F063C000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + HEADER_SEARCH_PATHS = ( + "$(PROJECT_DIR)/../regressions", + "$(PROJECT_DIR)/../include", + "$(BUILT_PRODUCTS_DIR)/derived_src", + "$(BUILT_PRODUCTS_DIR)", + "$(PROJECT_DIR)/lib", + "$(PROJECT_DIR)/../utilities", + "$(PROJECT_DIR)/libDER", + "$(inherited)", + ); + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -1293,13 +1461,30 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB226146F063C000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + HEADER_SEARCH_PATHS = ( + "$(PROJECT_DIR)/../regressions", + "$(PROJECT_DIR)/../include", + "$(BUILT_PRODUCTS_DIR)/derived_src", + "$(BUILT_PRODUCTS_DIR)", + "$(PROJECT_DIR)/lib", + "$(PROJECT_DIR)/../utilities", + "$(PROJECT_DIR)/libDER", + "$(inherited)", + ); }; name = Release; }; 
diff --git a/OSX/libsecurity_keychain/regressions/kc-01-keychain-creation.c b/OSX/libsecurity_keychain/regressions/kc-01-keychain-creation.c
new file mode 100644
index 00000000..c07b0517
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-01-keychain-creation.c
@@ -0,0 +1,35 @@
+#include <stdlib.h>
+#include <Security/SecKeychain.h>
+
+#include "keychain_regressions.h"
+#include "kc-helpers.h"
+
+int kc_01_keychain_creation(int argc, char *const *argv)
+{
+ plan_tests(9);
+
+ ok_status(SecKeychainSetUserInteractionAllowed(FALSE), "disable ui");
+ SecKeychainRef keychain = createNewKeychain("test", "test");
+ SKIP: {
+ skip("can't continue without keychain", 2, ok(keychain, "keychain not NULL"));
+
+ is(CFGetRetainCount(keychain), 1, "retaincount of created keychain is 1");
+ }
+
+ SecKeychainRef keychain2 = NULL;
+ ok_status(SecKeychainOpen("test", &keychain2), "SecKeychainOpen");
+ SKIP: {
+ skip("can't continue without keychain", 2, ok(keychain, "keychain not NULL"));
+ CFIndex retCount = CFGetRetainCount(keychain2);
+ is(retCount, 2, "retaincount of created+opened keychain is 2"); // 2, because we opened and created the same keychain.
+ }
+
+ is(keychain, keychain2, "SecKeychainCreate and SecKeychainOpen returned a different handle for the same keychain");
+
+ ok_status(SecKeychainDelete(keychain), "SecKeychainDelete");
+
+ CFRelease(keychain);
+ CFRelease(keychain2);
+
+ return 0;
+}
diff --git a/OSX/libsecurity_keychain/regressions/kc-02-unlock-noui.c b/OSX/libsecurity_keychain/regressions/kc-02-unlock-noui.c
new file mode 100644
index 00000000..c7b310bb
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-02-unlock-noui.c
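Review bot: The second SKIP block guards on the wrong handle: `skip("can't continue without keychain", 2, ok(keychain, "keychain not NULL"));` re-tests `keychain`, so if `SecKeychainOpen` fails `keychain2` stays NULL and `CFGetRetainCount(keychain2)` on the next line crashes the run instead of skipping; it should read `skip("can't continue without keychain2", 2, ok(keychain2, "keychain2 not NULL"));`. Both `skip()` calls also announce 2 skipped tests while the first block holds only the single `is`, so a taken skip throws the plan off by one. The eight assertions visible here against `plan_tests(9)` balance only if `createNewKeychain` asserts exactly once, which is outside this file. The description on `is(keychain, keychain2, …)` states the failure rather than the expectation, unlike the other descriptions in this file; `"SecKeychainCreate and SecKeychainOpen return the same handle for the same keychain"` reads correctly in the TAP output.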
@@ -0,0 +1,36 @@
+#include <Security/SecKeychain.h>
+#include <Security/SecKeychainPriv.h>
+
+#include "keychain_regressions.h"
+#include "kc-helpers.h"
+
+int kc_02_unlock_noui(int argc, char *const *argv)
+{
+ plan_tests(12);
+
+ initializeKeychainTests(__FUNCTION__);
+
+ ok_status(SecKeychainSetUserInteractionAllowed(FALSE), "SecKeychainSetUserInteractionAllowed(FALSE)");
+
+ SecKeychainRef keychain = createNewKeychain("test", "test");
+ ok_status(SecKeychainLock(keychain), "SecKeychainLock");
+
+ is_status(SecKeychainUnlock(keychain, 0, NULL, FALSE), errSecAuthFailed, "SecKeychainUnlock");
+
+ checkPrompts(0, "Unexpected keychain access prompt unlocking after SecKeychainCreate");
+
+ ok_status(SecKeychainLock(keychain), "SecKeychainLock");
+ CFRelease(keychain);
+
+ ok_status(SecKeychainOpen("test", &keychain), "SecKeychainOpen locked kc");
+
+ is_status(SecKeychainUnlock(keychain, 0, NULL, FALSE), errSecAuthFailed, "SecKeychainUnlock");
+
+ checkPrompts(0, "Unexpected keychain access prompt unlocking after SecKeychainCreate");
+
+ ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName);
+ CFRelease(keychain);
+
+ deleteTestFiles();
+ return 0;
+}
diff --git a/OSX/libsecurity_keychain/regressions/kc-03-keychain-list.c b/OSX/libsecurity_keychain/regressions/kc-03-keychain-list.c
new file mode 100644
index 00000000..a2b41130
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-03-keychain-list.c
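Review bot: After `CFRelease(keychain);` the handle is left dangling and the result of `SecKeychainOpen("test", &keychain)` is not checked before `SecKeychainUnlock(keychain, 0, NULL, FALSE)`; if the open fails the unlock runs on a stale or NULL handle, and SecKeychainUnlock with a NULL keychain addresses the user's default keychain rather than the test fixture. Use `CFReleaseNull(keychain);` (the helper kc-03 and kc-05 already use) and wrap the unlock in a SKIP block on `ok(keychain, …)` the way kc-01 does. The second `checkPrompts` description is copy-pasted from the first: it follows SecKeychainOpen, so `checkPrompts(0, "Unexpected keychain access prompt unlocking after SecKeychainOpen");`. `plan_tests(12)` is hard-coded while kc-05 derives its plan from the helpers' `*Tests` count macros; using `checkPromptsTests` here would keep the plan in step with the helper.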
@@ -0,0 +1,124 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" + +static void dumpSearchList(char * label, CFArrayRef searchList) { + printf("%s:\n", label); + + for(int i = 0; i < CFArrayGetCount(searchList); i++) { + char pathName[300]; + UInt32 len = sizeof(pathName); + + SecKeychainGetPath((SecKeychainRef) CFArrayGetValueAtIndex(searchList, i), &len, pathName); + printf(" %s\n", pathName); + } + printf("\n"); +} + +static CFComparisonResult compare(const void* first, const void* second, void* context) { + SecKeychainRef k1 = (SecKeychainRef) first; + SecKeychainRef k2 = (SecKeychainRef) second; + + char path1[200]; + char path2[200]; + UInt32 l1 = 200, l2 = 200; + + SecKeychainGetPath(k1, &l1, path1); + SecKeychainGetPath(k2, &l2, path2); + + return strcmp(path1, path2); +} + +// Checks that these lists are equal modulo order +static bool keychainListsEqual(CFArrayRef list1, CFArrayRef list2) { + + 
CFIndex size1 = CFArrayGetCount(list1); + CFIndex size2 = CFArrayGetCount(list2); + + if(size1 != size2) { + return false; + } + + CFMutableArrayRef m1 = CFArrayCreateMutableCopy(NULL, 0, list1); + CFMutableArrayRef m2 = CFArrayCreateMutableCopy(NULL, 0, list2); + + CFArraySortValues(m1, CFRangeMake(0, size1), &compare, NULL); + CFArraySortValues(m2, CFRangeMake(0, size2), &compare, NULL); + + bool result = CFEqual(m1, m2); + + CFRelease(m1); + CFRelease(m2); + + return result; +} + +static void tests() +{ + SecKeychainRef kc = getPopulatedTestKeychain(); + + CFArrayRef searchList = NULL; + ok_status(SecKeychainCopySearchList(&searchList), "%s: SecKeychainCopySearchList", testName); + dumpSearchList("initial", searchList); + + CFMutableArrayRef mutableSearchList = CFArrayCreateMutableCopy(NULL, CFArrayGetCount(searchList) + 1, searchList); + CFArrayAppendValue(mutableSearchList, kc); + ok_status(SecKeychainSetSearchList(mutableSearchList), "%s: SecKeychainSetSearchList", testName); + dumpSearchList("to set", mutableSearchList); + + CFArrayRef midSearchList = NULL; + ok_status(SecKeychainCopySearchList(&midSearchList), "%s: SecKeychainCopySearchList (mid)", testName); + dumpSearchList("after set", midSearchList); + + ok(keychainListsEqual(mutableSearchList, midSearchList), "%s: retrieved search list equal to set search list", testName); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFReleaseNull(kc); + + CFArrayRef finalSearchList = NULL; + ok_status(SecKeychainCopySearchList(&finalSearchList), "%s: SecKeychainCopySearchList (final)", testName); + dumpSearchList("final", finalSearchList); + + ok(keychainListsEqual(finalSearchList, searchList), "%s: final search list equal to initial search list", testName); + + CFRelease(searchList); + CFRelease(mutableSearchList); + CFRelease(midSearchList); + CFRelease(finalSearchList); +} + +int kc_03_keychain_list(int argc, char *const *argv) +{ + plan_tests(9); + 
initializeKeychainTests(__FUNCTION__); + + tests(); + + deleteTestFiles(); + return 0; +} diff --git a/SecurityTests/regressions/kc/kc-12-status.c b/OSX/libsecurity_keychain/regressions/kc-03-status.c old mode 100755 new mode 100644 similarity index 81% rename from SecurityTests/regressions/kc/kc-12-status.c rename to OSX/libsecurity_keychain/regressions/kc-03-status.c index 68fb14af..696b0c9d --- a/SecurityTests/regressions/kc/kc-12-status.c +++ b/OSX/libsecurity_keychain/regressions/kc-03-status.c @@ -3,9 +3,8 @@ #include <sys/stat.h> #include <sys/types.h> -#include "testmore.h" -#include "testenv.h" -#include "testleaks.h" +#include "keychain_regressions.h" +#include "kc-helpers.h" static void tests(void) { @@ -16,10 +15,9 @@ static void tests(void) if (!home || strlen(home) > 200) plan_skip_all("home too big"); - sprintf(kcname1, "%s/kc1/kc1", home); + sprintf(kcname1, "%s/kctests/kc1/kc1", home); SecKeychainRef kc1 = NULL, kc2 = NULL; - ok_status(SecKeychainCreate(kcname1, 4, "test", FALSE, NULL, &kc1), - "SecKeychainCreate kc1"); + kc1 = createNewKeychainAt(kcname1, "test"); ok_status(SecKeychainGetStatus(kc1, &status1), "get kc1 status"); is(status1, kSecUnlockStateStatus|kSecReadPermStatus|kSecWritePermStatus, @@ -36,7 +34,7 @@ static void tests(void) /* Make keychain non writable. */ char kcdir1[256]; - sprintf(kcdir1, "%s/kc1", home); + sprintf(kcdir1, "%s/kctests/kc1", home); ok_unix(chmod(kcdir1, 0555), "chmod kcdir1 0555"); ok_status(SecKeychainGetStatus(kc1, &status1), "get kc1 status"); 
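Review bot: `compare` calls `SecKeychainGetPath` twice without checking the OSStatus and then runs `strcmp(path1, path2)` on the buffers; on failure the buffers are uninitialized, so the sort reads indeterminate memory and the ordering, and with it `keychainListsEqual`, becomes non-deterministic. Initialize or check: `if (SecKeychainGetPath(k1, &l1, path1) != errSecSuccess) path1[0] = '\0';` and `if (SecKeychainGetPath(k2, &l2, path2) != errSecSuccess) path2[0] = '\0';`. `dumpSearchList` has the same unchecked call before `printf(" %s\n", pathName);`, and the two functions size their path buffers differently (300 vs 200), so one shared size constant for both would keep them in step. `dumpSearchList`'s `label` is only passed to printf and is always a string literal at the call sites, so it should be `const char *label`.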
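Review bot: `sprintf(kcname1, "%s/kctests/kc1/kc1", home);` writes eight more bytes than the line it replaces, and the only bound is the `strlen(home) > 200` check above it while the size of `kcname1` is declared outside this hunk, so the fit cannot be verified from the change; `snprintf(kcname1, sizeof kcname1, "%s/kctests/kc1/kc1", home);` makes the bound local to the line. The same applies to the `kcdir1` sprintf in the next hunk of this file (its `char kcdir1[256]` is visible, so 200 + 12 does fit), to `kcname2` in the `@@ -64` hunk, and to both paths in kc-04-is-valid's `@@ -18` hunk. `tests()` begins before this hunk.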
@@ -64,12 +62,8 @@ static void tests(void) "status unlocked readable"); } - sprintf(kcname2, "%s/kc2/kc2", home); - ok_status(SecKeychainOpen(kcname2, &kc2), "SecKeychainOpen kc2"); - is_status(SecKeychainGetStatus(kc2, &status2), errSecNoSuchKeychain, - "get kc2 status"); - ok_status(SecKeychainCreate(kcname2, 4, "test", FALSE, NULL, &kc2), - "SecKeychainCreate kc2"); + sprintf(kcname2, "%s/kctests/kc2/kc2", home); + kc2 = createNewKeychainAt(kcname2, "test"); ok_unix(chmod(kcname2, 0444), "chmod kc2 0444"); ok_status(SecKeychainGetStatus(kc2, &status2), "get kc2 status"); is(status2, kSecUnlockStateStatus|kSecReadPermStatus|kSecWritePermStatus, @@ -85,13 +79,13 @@ static void tests(void) /* Restore dir to writable so cleanup code will work ok. */ ok_unix(chmod(kcdir1, 0755), "chmod kcdir1 0755"); + ok_status(SecKeychainDelete(kc1), "%s: SecKeychainDelete", testName); CFRelease(kc1); + ok_status(SecKeychainDelete(kc2), "%s: SecKeychainDelete", testName); CFRelease(kc2); bool testWithFreshlyCreatedKeychain = true; - SecKeychainRef keychain; - ok_status(SecKeychainCreate("test", 4, "test", FALSE, NULL, &keychain), - "SecKeychainCreate"); + SecKeychainRef keychain = createNewKeychain("test", "test"); ok_status(SecKeychainLock(keychain), "SecKeychainLock"); do { 
@@ -106,33 +100,32 @@ static void tests(void) is( (keychainStatus & kSecUnlockStateStatus), kSecUnlockStateStatus, "Check it's unlocked"); ok_status(SecKeychainLock(keychain), "SecKeychainLock"); - CFRelease(keychain); - + if (testWithFreshlyCreatedKeychain) { + CFRelease(keychain); testWithFreshlyCreatedKeychain = false; ok_status(SecKeychainOpen("test", &keychain), "SecKeychainOpen"); } - else + else { testWithFreshlyCreatedKeychain = true; + + ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName); + CFReleaseNull(keychain); + } } while(!testWithFreshlyCreatedKeychain); - tests_end(1); } -int main(int argc, char *const *argv) +int kc_03_status(int argc, char *const *argv) { plan_tests(43); - if (!tests_begin(argc, argv)) - BAIL_OUT("tests_begin failed"); tests(); - ok_leaks("leaks"); - return 0; } diff --git a/SecurityTests/regressions/kc/kc-26-is-valid.c b/OSX/libsecurity_keychain/regressions/kc-04-is-valid.c old mode 100755 new mode 100644 similarity index 68% rename from SecurityTests/regressions/kc/kc-26-is-valid.c rename to OSX/libsecurity_keychain/regressions/kc-04-is-valid.c index d17b05a2..eab88ad6 --- a/SecurityTests/regressions/kc/kc-26-is-valid.c +++ b/OSX/libsecurity_keychain/regressions/kc-04-is-valid.c @@ -6,9 +6,8 @@ #include <sys/types.h> #include <unistd.h> -#include "testmore.h" -#include "testenv.h" -#include "testleaks.h" +#include "keychain_regressions.h" +#include "kc-helpers.h" static void tests(void) { 
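Review bot: `plan_tests(43);` is kept as a context line although the hunks in this file remove the `ok_status(SecKeychainCreate…)` and `SecKeychainOpen kc2` asserts and add three `ok_status(SecKeychainDelete…)` calls, so the plan only still balances if `createNewKeychain`/`createNewKeychainAt` assert exactly the difference, and those helpers are outside this patch. kc-05 in the same patch derives its plan from the count macros its helpers export; doing the same here, if kc-helpers exports one for the create helpers, would pin the number instead of relying on arithmetic nobody can check from the diff. The file is renamed to kc-03-status while the new kc-03-keychain-list.c takes the same 03 prefix; if the regression list is ordered by that number, one of them should move.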
@@ -18,17 +17,18 @@ static void tests(void) if (!home || strlen(home) > 200) plan_skip_all("home too big"); - sprintf(kcname1, "%s/kc1", home); + sprintf(kcname1, "%s/kctests/kc1-16-is-valid", home); SecKeychainRef kc1 = NULL, kc2 = NULL; Boolean kc1valid, kc2valid; - ok_status(SecKeychainCreate(kcname1, 4, "test", FALSE, NULL, &kc1), - "SecKeychainCreate kc1"); + kc1 = createNewKeychainAt(kcname1, "test"); ok_status(SecKeychainIsValid(kc1, &kc1valid), "SecKeychainIsValid kc1"); is(kc1valid, TRUE, "is kc1 valid"); + + ok_status(SecKeychainDelete(kc1), "%s: SecKeychainDelete", testName); CFRelease(kc1); int fd; - sprintf(kcname2, "%s/kc2", home); + sprintf(kcname2, "%s/kctests/kc2-16-is-valid", home); ok_unix(fd = open(kcname2, O_CREAT|O_WRONLY|O_TRUNC, 0600), "create invalid kc2 file"); ok_unix(close(fd), "close the kc2 file"); @@ -40,20 +40,17 @@ static void tests(void) "TRUE"); is(kc2valid, FALSE, "is kc2 not valid"); } - CFRelease(kc2); - tests_end(1); + ok_status(SecKeychainDelete(kc2), "%s: SecKeychainDelete", testName); + CFRelease(kc2); } -int main(int argc, char *const *argv) +int kc_04_is_valid(int argc, char *const *argv) { - plan_tests(9); - if (!tests_begin(argc, argv)) - BAIL_OUT("tests_begin failed"); + plan_tests(11); tests(); - ok_leaks("leaks"); - + deleteTestFiles(); return 0; } diff --git a/OSX/libsecurity_keychain/regressions/kc-05-find-existing-items-locked.c b/OSX/libsecurity_keychain/regressions/kc-05-find-existing-items-locked.c new file mode 100644 index 00000000..3813e5a3 --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-05-find-existing-items-locked.c 
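Review bot: The fixture paths still carry the old test number: `sprintf(kcname1, "%s/kctests/kc1-16-is-valid", home);` and the `kc2-16-is-valid` path below it, while the file and entry point are now `kc_04_is_valid`; `"%s/kctests/kc1-04-is-valid"` (and kc2) keeps the on-disk names traceable to the test. In the `@@ -40` hunk `ok_status(SecKeychainDelete(kc2), …)` asserts success on a keychain whose backing file was deliberately created as an empty, invalid file a few lines up; if SecKeychainDelete refuses an invalid keychain this assert fails instead of cleaning up, and `deleteTestFiles()` removes the file anyway, so the expectation deserves a comment such as `// SecKeychainDelete is expected to unlink even an invalid keychain file`. `plan_tests(11)` moved from 9; two deletes were added and the `ok_leaks` and `ok_status(SecKeychainCreate…)` asserts removed, so the count presumably assumes two asserts inside `createNewKeychainAt`.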
@@ -0,0 +1,126 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-item-helpers.h" +#include "kc-key-helpers.h" + +static void tests() +{ + SecKeychainRef kc = getPopulatedTestKeychain(); + + CFMutableDictionaryRef query = NULL; + SecKeychainItemRef item = NULL; + + // Perform keychain upgrade so future calls will check integrity, then lock keychain + query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service"), CFSTR("test_service")); + item = checkN(testName, query, 1); + + ok_status(SecKeychainLock(kc), "%s: SecKeychainLock", testName); + + // Find passwords + query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service"), CFSTR("test_service")); + item = checkN(testName, query, 1); + readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // keychain is locked; AuthFailed is what securityd throws if UI 
access is not allowed + CFReleaseNull(item); + checkPrompts(0, "after reading a password in locked keychain without UI"); // this should be 1, but is 0 due to how denying UI access works in Credentials + + query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl")); + item = checkN(testName, query, 1); + readPasswordContentsWithResult(item, errSecAuthFailed, NULL); + CFReleaseNull(item); + checkPrompts(0, "trying to read password in locked keychain without UI"); + + query = makeQueryCustomItemDictionaryWithService(kc, kSecClassGenericPassword, CFSTR("test_service"), CFSTR("test_service")); + item = checkN(testName, query, 1); + readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // keychain is locked + CFReleaseNull(item); + checkPrompts(0, "after reading a password in locked keychain without UI"); + + query = makeQueryCustomItemDictionaryWithService(kc, kSecClassGenericPassword, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl")); + item = checkN(testName, query, 1); + readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // we don't expect to be able to read this + CFReleaseNull(item); + checkPrompts(0, "trying to read password in locked keychain without UI"); + + // Find symmetric keys + query = makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric); + item = checkN(testName, query, 2); + CFReleaseNull(item); + + // Find asymmetric keys + query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic); + item = checkN(testName, query, 2); + CFReleaseNull(item); + + query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate); + item = checkN(testName, query, 2); + CFReleaseNull(item); + + // Find certificates + query = makeBaseQueryDictionary(kc, kSecClassCertificate); + item = checkN(testName, query, 3); + CFReleaseNull(item); + + // ensure we can pull data from a certificate + query = makeBaseQueryDictionary(kc, 
kSecClassCertificate); + CFDictionarySetValue(query, kSecMatchSubjectWholeString, CFSTR("test_codesigning")); + item = checkN(testName, query, 1); + const unsigned char expectedSHA1[] = { 0x94, 0xdf, 0x22, 0x4a, 0x4d, 0x49, 0x33, 0x27, 0x9e, 0xc5, 0x7e, 0x91, 0x95, 0xcc, 0xbd, 0x51, 0x3d, 0x59, 0xae, 0x34 }; + CFDataRef expectedSHAData = CFDataCreateWithBytesNoCopy(NULL, expectedSHA1, sizeof(expectedSHA1), kCFAllocatorNull); + eq_cf(SecCertificateGetSHA1Digest((SecCertificateRef) item), expectedSHAData, "%s: expected SHA1 of certificate does not match", testName); + CFReleaseNull(item); + CFReleaseNull(expectedSHAData); + + checkPrompts(0, "searching keys and certificates"); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFReleaseNull(kc); +} +#define nTests (getPopulatedTestKeychainTests + checkNTests + 1 + \ +checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \ +checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \ +checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \ +checkNTests + readPasswordContentsWithResultTests + checkPromptsTests + \ +checkNTests + \ +checkNTests + \ +checkNTests + \ +checkNTests + \ +checkNTests + 1 + \ +checkPromptsTests + 1) + +int kc_05_find_existing_items_locked(int argc, char *const *argv) +{ + plan_tests(nTests); + initializeKeychainTests(__FUNCTION__); + + tests(); + + deleteTestFiles(); + + return 0; +} diff --git a/OSX/libsecurity_keychain/regressions/kc-05-find-existing-items.c b/OSX/libsecurity_keychain/regressions/kc-05-find-existing-items.c new file mode 100644 index 00000000..bd37c96e --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-05-find-existing-items.c 
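Review bot: The `item` returned by the first `checkN(testName, query, 1)` (under the "Perform keychain upgrade" comment) is never released: the next `item = checkN(…)` overwrites it right after `SecKeychainLock`, leaking that reference, whereas every later checkN result is followed by `CFReleaseNull(item)`. Add `CFReleaseNull(item);` before `ok_status(SecKeychainLock(kc), "%s: SecKeychainLock", testName);`. Every `query` from `makeQueryCustomItemDictionaryWithService`/`makeQueryKeyDictionary`/`makeBaseQueryDictionary` is likewise reassigned without a release; unless `checkN` takes ownership of the dictionary (its definition is not in this patch), each one leaks, and the ownership rule deserves a comment at the first call. The `eq_cf` description `"%s: expected SHA1 of certificate does not match"` reads as the failure text; the surrounding descriptions name the expectation, e.g. `"%s: SHA1 of certificate matches"`.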
@@ -0,0 +1,120 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-item-helpers.h" +#include "kc-key-helpers.h" + +static void tests() +{ + SecKeychainRef kc = getPopulatedTestKeychain(); + + CFMutableDictionaryRef query = NULL; + SecKeychainItemRef item = NULL; + + // Find passwords + query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service"), CFSTR("test_service")); + item = checkN(testName, query, 1); + readPasswordContents(item, CFSTR("test_password")); + CFReleaseNull(item); + checkPrompts(0, "after reading a password"); + + query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl")); + item = checkN(testName, query, 1); + readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // we don't expect to be able to read this + CFReleaseNull(item); + 
checkPrompts(1, "trying to read password without access"); + + query = makeQueryCustomItemDictionaryWithService(kc, kSecClassGenericPassword, CFSTR("test_service"), CFSTR("test_service")); + item = checkN(testName, query, 1); + readPasswordContents(item, CFSTR("test_password")); + CFReleaseNull(item); + checkPrompts(0, "after reading a password"); + + query = makeQueryCustomItemDictionaryWithService(kc, kSecClassGenericPassword, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl")); + item = checkN(testName, query, 1); + readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // we don't expect to be able to read this + CFReleaseNull(item); + checkPrompts(1, "trying to read password without access"); + + // Find symmetric keys + query = makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric); + item = checkN(testName, query, 2); + CFReleaseNull(item); + + // Find asymmetric keys + query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic); + item = checkN(testName, query, 2); + CFReleaseNull(item); + + query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate); + item = checkN(testName, query, 2); + CFReleaseNull(item); + + // Find certificates + query = makeBaseQueryDictionary(kc, kSecClassCertificate); + item = checkN(testName, query, 3); + CFReleaseNull(item); + + // ensure we can pull data from a certificate + query = makeBaseQueryDictionary(kc, kSecClassCertificate); + CFDictionarySetValue(query, kSecMatchSubjectWholeString, CFSTR("test_codesigning")); + item = checkN(testName, query, 1); + const unsigned char expectedSHA1[] = { 0x94, 0xdf, 0x22, 0x4a, 0x4d, 0x49, 0x33, 0x27, 0x9e, 0xc5, 0x7e, 0x91, 0x95, 0xcc, 0xbd, 0x51, 0x3d, 0x59, 0xae, 0x34 }; + CFDataRef expectedSHAData = CFDataCreateWithBytesNoCopy(NULL, expectedSHA1, sizeof(expectedSHA1), kCFAllocatorNull); + eq_cf(SecCertificateGetSHA1Digest((SecCertificateRef) item), expectedSHAData, "%s: expected SHA1 of certificate does not match", testName); + CFReleaseNull(item); + 
CFReleaseNull(expectedSHAData); + + checkPrompts(0, "searching keys and certificates"); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFReleaseNull(kc); +} +#define nTests (getPopulatedTestKeychainTests + \ + checkNTests + readPasswordContentsTests + checkPromptsTests + \ + checkNTests + readPasswordContentsTests + checkPromptsTests + \ + checkNTests + readPasswordContentsTests + checkPromptsTests + \ + checkNTests + readPasswordContentsTests + checkPromptsTests + \ + checkNTests + \ + checkNTests + \ + checkNTests + \ + checkNTests + \ + checkNTests + 1 + \ + checkPromptsTests + 1) + +int kc_05_find_existing_items(int argc, char *const *argv) +{ + plan_tests(nTests); + initializeKeychainTests(__FUNCTION__); + + tests(); + + deleteTestFiles(); + + return 0; +} diff --git a/OSX/libsecurity_keychain/regressions/kc-06-cert-search-email.m b/OSX/libsecurity_keychain/regressions/kc-06-cert-search-email.m new file mode 100644 index 00000000..3f04c49f --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-06-cert-search-email.m 
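Review bot: From `// Find symmetric keys` through `CFReleaseNull(expectedSHAData);` this file is byte-for-byte the same as kc-05-find-existing-items-locked.c, including the pinned `expectedSHA1` bytes, and the password section differs only in the expected result; a shared helper in kc-item-helpers taking the keychain and the expected read status would keep the two in step when the fixture certificate is regenerated. The `query` dictionaries are reassigned without a release here as well, so the ownership of the dictionary passed to `checkN` should be stated once where that helper is declared. The `nTests` macro is only correct while it mirrors the body above line by line; a comment at the `#define`, e.g. `// one term per checkN/readPasswordContents/checkPrompts call in tests(), in order`, makes the pairing reviewable.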
@@ -0,0 +1,207 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-item-helpers.h" +#include "kc-key-helpers.h" + +#import <Foundation/Foundation.h> + +#include <Security/SecCertificate.h> +#include <Security/SecPolicyPriv.h> +#include <Security/SecPolicySearch.h> +#include <Security/SecIdentity.h> +#include <Security/SecIdentityPriv.h> +#include <Security/SecIdentitySearch.h> +#include <Security/SecIdentitySearchPriv.h> +#include <Security/SecTrust.h> +#include <Security/SecKeychain.h> +#include <Security/SecKeychainItem.h> +#include <Security/SecKeychainItemPriv.h> +#include <SecurityFoundation/SFCertificateData.h> +#include <Security/oidsalg.h> + + +static NSString* printDataAsHex( + const CSSM_DATA *d) +{ + if (!d || !d->Data) return NULL; + + unsigned int i; + CSSM_SIZE len = d->Length; + uint8 *cp = d->Data; + NSString *str = [NSString string]; + + for(i=0; i<len; i++) { + str = [str 
stringByAppendingFormat:@"%02X", ((unsigned char *)cp)[i]]; + } + return str; +} + +static NSString* printDigest( + CSSM_ALGORITHMS digestAlgorithm, + const CSSM_DATA* thingToDigest) +{ + CSSM_RETURN crtn; + CSSM_DATA digest; + uint8 buf[64]; // we really only expect 16 or 20 byte digests, but... + + digest.Data = buf; + digest.Length = sizeof(buf); + crtn = SecDigestGetData (digestAlgorithm, &digest, thingToDigest); + + if (crtn || !digest.Length) return NULL; + return printDataAsHex(&digest); +} + +static void printCertificate(SecCertificateRef certificate, SecPolicyRef policy, int ordinalValue) +{ + CSSM_DATA certData = { 0, nil }; + (void) SecCertificateGetData(certificate, &certData); + NSString *digestStr = printDigest(CSSM_ALGID_MD5, &certData); + const char *digest = [digestStr UTF8String]; + fprintf(stdout, "%3d) %s", ordinalValue, (digest) ? digest : "!-- unable to get md5 digest --!"); + + CFStringRef label=nil; + OSStatus status = SecCertificateInferLabel(certificate, &label); + if (!status && label) + { + char buf[1024]; + if (!CFStringGetCString(label, buf, 1024-1, kCFStringEncodingUTF8)) + buf[0]=0; + fprintf(stdout, " \"%s\"", buf); + CFRelease(label); + } + + // Default to X.509 Basic if no policy was specified + if (!policy) { + SecPolicySearchRef policySearch = NULL; + if (SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_X509_BASIC, NULL, &policySearch)==noErr) { + SecPolicySearchCopyNext(policySearch, &policy); + } + [(id)policySearch release]; + } else { + [(id)policy retain]; + } + + // Create a trust reference, given policy and certificates + SecTrustRef trust=nil; + NSArray *certificates = [NSArray arrayWithObject:(id)certificate]; + status = SecTrustCreateWithCertificates((CFArrayRef)certificates, policy, &trust); + + SFCertificateData *sfCertData = [[SFCertificateData alloc] initWithCertificate:certificate trust:trust parse:NO]; + const char *statusStr = [[sfCertData statusString] UTF8String]; + // Skip the status string if the 
certificate is valid, but print it otherwise + if (statusStr && (strcmp(statusStr, "This certificate is valid") != 0)) + fprintf(stdout, " (%s)", statusStr); + fprintf(stdout, "\n"); + [sfCertData release]; + + [(id)trust release]; + [(id)policy release]; +} + +static BOOL certificateHasExpired(SecCertificateRef certificate) +{ + SFCertificateData *sfCertData = [[SFCertificateData alloc] initWithCertificate:certificate trust:nil parse:NO]; + BOOL result = [sfCertData expired]; + [sfCertData release]; + + return result; +} + +static void doCertificateSearchForEmailAddress(SecKeychainRef kc, const char *emailAddr, bool showAll) +{ + OSStatus status = errSecSuccess; + + // Enumerate matching certificates + fprintf(stdout, "%s certificates matching \"%s\":\n", (showAll) ? "All" : "Valid", emailAddr); + SecKeychainSearchRef searchRef; + status = SecKeychainSearchCreateForCertificateByEmail(kc, emailAddr, &searchRef); + ok_status(status, "%s: SecKeychainSearchCreateForCertificateByEmail", testName); + + SecCertificateRef preferredCert = nil; + CFStringRef emailStr = (emailAddr) ? 
CFStringCreateWithCStringNoCopy(NULL, emailAddr, kCFStringEncodingUTF8, kCFAllocatorNull) : NULL; + + if (!status) { + SecKeychainItemRef itemRef=nil; + unsigned int i=0; + while (SecKeychainSearchCopyNext(searchRef, &itemRef)==noErr) { + if (showAll || !certificateHasExpired((SecCertificateRef)itemRef)) { + printCertificate((SecCertificateRef)itemRef, nil, ++i); + } + + // Set this certificate as preferred for this email address + ok_status(SecCertificateSetPreferred((SecCertificateRef)itemRef, emailStr, 0), "%s: SecCertificateSetPreferred", testName); + + CFRelease(itemRef); + } + is(i, 1, "%s: Wrong number of certificates found", testName); + + CFRelease(searchRef); + } + + // Check that our certificate is new preferred + status = SecCertificateCopyPreference(emailStr, (CSSM_KEYUSE) 0, &preferredCert); + ok_status(status, "%s: SecCertificateCopyPreference", testName); + + if (preferredCert) + CFRelease(preferredCert); + if (emailStr) + CFRelease(emailStr); +} + +int kc_06_cert_search_email(int argc, char *const *argv) +{ + NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init]; + unsigned int i; + const char *emailAddr = NULL; + bool showAll = false; + + plan_tests(7); + initializeKeychainTests(__FUNCTION__); + + // Delete any existing preferences for our certificate, but don't test + // status since maybe it doesn't exist yet + CFMutableDictionaryRef q = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFDictionarySetValue(q, kSecClass, kSecClassGenericPassword); + q = addLabel(q, CFSTR("nobody_certificate@apple.com")); + SecItemDelete(q); + + + SecKeychainRef kc = getPopulatedTestKeychain(); + addToSearchList(kc); + + doCertificateSearchForEmailAddress(kc, "nobody_certificate@apple.com", showAll); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFReleaseNull(kc); + + deleteTestFiles(); + [pool release]; + return 0; +} 
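Review bot: In `doCertificateSearchForEmailAddress`, `i` is incremented only inside `if (showAll || !certificateHasExpired(...))`, so it counts printed certificates, not found ones; with `showAll` false and an expired fixture certificate `is(i, 1, "%s: Wrong number of certificates found", testName)` fails even though the search returned one item. Count in the loop itself: `unsigned int i=0, found=0;`, `found++;` right after `SecKeychainSearchCopyNext` succeeds, and `is(found, 1, …)`. Because `ok_status(SecCertificateSetPreferred(…))` runs once per result, `plan_tests(7)` holds only when exactly one certificate matches, which is worth a comment next to the plan. In `kc_06_cert_search_email`, `i` and `emailAddr` are declared but never used, and the query `q` handed to `SecItemDelete` is never released; since the entry-time `SecItemDelete` implies the preference item written by `SecCertificateSetPreferred` persists outside the test keychain, the same deletion should also run before `deleteTestFiles()` so a run leaves no state behind.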
diff --git a/SecurityTests/regressions/kc/kc-16-item-add-certificate.c b/OSX/libsecurity_keychain/regressions/kc-10-item-add-certificate.c similarity index 95% rename from SecurityTests/regressions/kc/kc-16-item-add-certificate.c rename to OSX/libsecurity_keychain/regressions/kc-10-item-add-certificate.c index f3d44c4e..1e0b3bcc 100644 --- a/SecurityTests/regressions/kc/kc-16-item-add-certificate.c +++ b/OSX/libsecurity_keychain/regressions/kc-10-item-add-certificate.c @@ -28,8 +28,8 @@ #include <Security/SecKeychain.h> #include <Security/SecKeychainItem.h> -#include "testmore.h" -#include "testenv.h" +#include "keychain_regressions.h" +#include "kc-helpers.h" /* Cert File Name: keybank_v3.101.cer */ static const uint8 keybank_der_bytes[] = @@ -193,23 +193,18 @@ certTests(SecKeychainRef keychain) } int -main(int argc, char * const *argv) +kc_10_item_add_certificate(int argc, char * const *argv) { plan_tests(33); - if (!tests_begin(argc, argv)) - return 255; /* Test with autocommit on. */ - SecKeychainRef keychain = NULL; - ok_status(SecKeychainCreate("test.keychain", 4, "test", FALSE, NULL, - &keychain), "SecKeychainCreate"); + SecKeychainRef keychain = createNewKeychain("test.keychain", "test"); ok(keychain, "keychain non NULL"); certTests(keychain); /* Test with autocommit off. */ keychain = NULL; - ok_status(SecKeychainCreate("test2.keychain", 4, "test", FALSE, NULL, - &keychain), "SecKeychainCreate"); + keychain = createNewKeychain("test2.keychain", "test"); ok(keychain, "keychain non NULL"); CSSM_DL_DB_HANDLE cspdl_dldb = {}; ok_status(SecKeychainGetDLDBHandle(keychain, &cspdl_dldb), @@ -223,5 +218,6 @@ main(int argc, char * const *argv) (const void *)FALSE, NULL), "autocommit off"); certTests(keychain); - return !tests_end(1); + deleteTestFiles(); + return 0; } 
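Review bot: `plan_tests(33)` in the `@@ -193,23 +193,18 @@` hunk is left unchanged although the two `ok_status(SecKeychainCreate(...), "SecKeychainCreate")` assertions it counted were removed; unless createNewKeychain() registers its own assertions (not visible in this patch), the plan is now two higher than the number of checks that run. Neither keychain returned by createNewKeychain() is passed to SecKeychainDelete before `deleteTestFiles()` in the `@@ -223,5 +218,6 @@` hunk, whereas the sibling tests in this patch call `ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName);` first; if the helper also adds the keychain to the search list, removing the file alone leaves a stale search-list entry for the next test in the same process. A one-line comment above `deleteTestFiles();` stating that certTests() is responsible for releasing the keychain would make the ownership explicit, since the first keychain is overwritten with `keychain = NULL;` without a visible release.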
diff --git a/SecurityTests/regressions/kc/kc-15-item-add-generic.c b/OSX/libsecurity_keychain/regressions/kc-10-item-add-generic.c old mode 100755 new mode 100644 similarity index 73% rename from SecurityTests/regressions/kc/kc-15-item-add-generic.c rename to OSX/libsecurity_keychain/regressions/kc-10-item-add-generic.c index c9f778cc..f22e12f8 --- a/SecurityTests/regressions/kc/kc-15-item-add-generic.c +++ b/OSX/libsecurity_keychain/regressions/kc-10-item-add-generic.c @@ -3,15 +3,12 @@ #include <stdlib.h> #include <unistd.h> -#include "testmore.h" -#include "testenv.h" -#include "testleaks.h" +#include "keychain_regressions.h" +#include "kc-helpers.h" -void tests(void) +static void tests(void) { - SecKeychainRef keychain; - ok_status(SecKeychainCreate("test", 4, "test", FALSE, NULL, &keychain), - "create keychain"); + SecKeychainRef keychain = getPopulatedTestKeychain(); SecKeychainItemRef item = NULL; ok_status(SecKeychainAddGenericPassword(keychain, 7, "service", 7, "account", 4, "test", &item), "add generic password"); @@ -32,7 +29,8 @@ void tests(void) UInt32 length = 0; void *data = NULL; ok_status(SecKeychainItemCopyContent(item, &itemClass, &attrList, &length, &data), "SecKeychainItemCopyContent"); - ok_status(SecKeychainItemFreeContent(&attrList, data), "SecKeychainItemCopyContent"); + eq_string(data, "test", "Item data is wrong"); + ok_status(SecKeychainItemFreeContent(&attrList, data), "SecKeychainItemCopyContent"); is(CFGetRetainCount(item), 1, "item retaincount is 1"); is(CFGetRetainCount(keychain), 2, "keychain retaincount is 2"); @@ -42,16 +40,13 @@ void tests(void) CFRelease(keychain); } -int main(int argc, char *const *argv) +int kc_10_item_add_generic(int argc, char *const *argv) { + initializeKeychainTests("kc-10-item-add-generic"); plan_tests(13); - if (!tests_begin(argc, argv)) - BAIL_OUT("tests_begin failed"); - tests(); - ok(tests_end(1), "cleanup"); - ok_leaks("no leaks"); + deleteTestFiles(); return 0; } 
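Review bot: `eq_string(data, "test", "Item data is wrong");` in the `@@ -32,7 +29,8 @@` hunk treats the buffer returned by SecKeychainItemCopyContent as a NUL-terminated C string, but the API hands back `length` bytes of raw data with no terminator guarantee, so the comparison can read past the four stored bytes. Compare length and bytes instead: `is(length, 4, "Item data length is wrong"); ok(data && memcmp(data, "test", 4) == 0, "Item data is wrong");`. tests() starts and continues outside this hunk. In the `@@ -42,16 +40,13 @@` hunk `plan_tests(13)` is unchanged even though three assertions (`ok_status(SecKeychainCreate…)`, `ok(tests_end(1)…)`, `ok_leaks`) were removed and one added; unless getPopulatedTestKeychain() registers assertions of its own, the plan is off by two.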
diff --git a/SecurityTests/regressions/kc/kc-18-item-find-internet.c b/OSX/libsecurity_keychain/regressions/kc-10-item-add-internet.c old mode 100755 new mode 100644 similarity index 77% rename from SecurityTests/regressions/kc/kc-18-item-find-internet.c rename to OSX/libsecurity_keychain/regressions/kc-10-item-add-internet.c index 49899b66..1619e65a --- a/SecurityTests/regressions/kc/kc-18-item-find-internet.c +++ b/OSX/libsecurity_keychain/regressions/kc-10-item-add-internet.c @@ -3,15 +3,12 @@ #include <stdlib.h> #include <unistd.h> -#include "testmore.h" -#include "testenv.h" -#include "testleaks.h" +#include "keychain_regressions.h" +#include "kc-helpers.h" -void tests(int dont_skip) +static void tests() { - SecKeychainRef keychain; - ok_status(SecKeychainCreate("test", 4, "test", FALSE, NULL, &keychain), - "create keychain"); + SecKeychainRef keychain = createNewKeychain("test", "test"); SecKeychainItemRef item = NULL; ok_status(SecKeychainAddInternetPassword(keychain, 19, "members.spamcop.net", @@ -35,7 +32,7 @@ void tests(int dont_skip) CFRelease(item); item = NULL; - ok_status(SecKeychainFindInternetPassword(NULL, + ok_status(SecKeychainFindInternetPassword(keychain, 19, "members.spamcop.net", 0, NULL, 0, NULL, 
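Review bot: `static void tests()` in the `@@ -3,15 +3,12 @@` hunk declares tests() without a prototype, so the call in kc_10_item_add_internet() is unchecked and `-Wstrict-prototypes` warns; the sibling kc-10-item-add-generic.c in this same patch writes `static void tests(void)`. The same non-prototype form appears in the new kc-12-key-create-symmetric.c. Change both to `static void tests(void)`.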
@@ -84,31 +81,25 @@ void tests(int dont_skip) }; SKIP: { skip("<rdar://problem/3298182> 6L60 Malloc/free misuse in " - "SecKeychainItemCopyContent()", 1, dont_skip); + "SecKeychainItemCopyContent()", 1, 1); is_status(SecKeychainItemCopyContent(item, &itemClass, &attrList2, NULL, NULL), errSecNoSuchAttr, "SecKeychainItemCopyContent fails"); } is(CFGetRetainCount(item), 1, "item retaincount is 1"); - is(CFGetRetainCount(keychain), 2, "keychain retaincount is 2"); + cmp_ok(CFGetRetainCount(keychain), >=, 2, "keychain retaincount is at least 2"); CFRelease(item); - is(CFGetRetainCount(keychain), 1, "keychain retaincount is 1"); + cmp_ok(CFGetRetainCount(keychain), >=, 1, "keychain retaincount is at least 1"); ok_status(SecKeychainDelete(keychain), "delete keychain"); CFRelease(keychain); } -int main(int argc, char *const *argv) +int kc_10_item_add_internet(int argc, char *const *argv) { - int dont_skip = argc > 1 && !strcmp(argv[1], "-s"); + plan_tests(19); - plan_tests(21); - - if (!tests_begin(argc, argv)) - BAIL_OUT("tests_begin failed"); - - tests(dont_skip); - ok(tests_end(1), "cleanup"); - ok_leaks("no leaks"); + tests(); + deleteTestFiles(); return 0; } diff --git a/SecurityTests/regressions/kc/kc-17-item-find-key.c b/OSX/libsecurity_keychain/regressions/kc-12-item-create-keypair.c old mode 100755 new mode 100644 similarity index 87% rename from SecurityTests/regressions/kc/kc-17-item-find-key.c rename to OSX/libsecurity_keychain/regressions/kc-12-item-create-keypair.c index eb4024d8..84744f8d --- a/SecurityTests/regressions/kc/kc-17-item-find-key.c +++ b/OSX/libsecurity_keychain/regressions/kc-12-item-create-keypair.c 
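Review bot: `skip("<rdar://problem/3298182> 6L60 Malloc/free misuse in " "SecKeychainItemCopyContent()", 1, 1);` makes the skip unconditional now that the `-s` switch is gone, so the `is_status(SecKeychainItemCopyContent(item, &itemClass, &attrList2, NULL, NULL), errSecNoSuchAttr, ...)` check beneath it is dead code that still counts toward `plan_tests(19)`. Either remove the SKIP block together with its assertion, or make the check live if the referenced radar is fixed; as written the test reports a pass without exercising that path. The retain-count checks were loosened to `cmp_ok(CFGetRetainCount(keychain), >=, 2, ...)`, which is reasonable if createNewKeychain() keeps a reference, but that rationale is not stated; a comment such as `// createNewKeychain() may hold its own reference (search list), so only assert a lower bound` would keep the next reader from tightening it back.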
@@ -4,15 +4,12 @@ #include <stdlib.h> #include <unistd.h> -#include "testmore.h" -#include "testenv.h" -#include "testleaks.h" +#include "keychain_regressions.h" +#include "kc-helpers.h" -void tests(void) +static void tests(void) { - SecKeychainRef keychain; - ok_status(SecKeychainCreate("test", 4, "test", FALSE, NULL, &keychain), - "create keychain"); + SecKeychainRef keychain = createNewKeychain("test", "test"); SecKeyRef pub_crypt = NULL, prv_crypt = NULL; ok_status(SecKeyCreatePair(keychain, CSSM_ALGID_RSA, 256, 0 /* contextHandle */, @@ -82,20 +79,17 @@ void tests(void) CFRelease(prv_crypt); CFRelease(pub_sign); CFRelease(prv_sign); - CFRelease(keychain); - ok(tests_end(1), "cleanup"); + ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName); + CFRelease(keychain); } -int main(int argc, char *const *argv) +int kc_17_item_find_key(int argc, char *const *argv) { - plan_tests(14); - - if (!tests_begin(argc, argv)) - BAIL_OUT("tests_begin failed"); + plan_tests(13); tests(); - ok_leaks("no leaks"); + deleteTestFiles(); return 0; } diff --git a/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric-and-use.m b/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric-and-use.m new file mode 100644 index 00000000..3cbfec92 --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric-and-use.m 
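Review bot: The entry point in the `@@ -82,20 +79,17 @@` hunk is renamed to `kc_17_item_find_key` while the file is renamed to kc-12-item-create-keypair.c; every other renamed test in this patch names its entry point after the new file (e.g. `kc_10_item_add_certificate`), so this presumably should be `int kc_12_item_create_keypair(int argc, char *const *argv)` to match whatever keychain_regressions.h registers. The new `ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName);` formats `testName`, but unlike kc_10_item_add_generic() this entry point never calls `initializeKeychainTests(...)`, so the name printed is whatever the previous test left behind (or unset); add `initializeKeychainTests(__FUNCTION__);` before `plan_tests(13);`. tests() starts before the second hunk and its body is only partly visible there.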
@@ -0,0 +1,258 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" +#define nullptr NULL + +#import <Foundation/Foundation.h> + +static NSString * const EncryptionKeyLabel = @"Test Encryption Key"; + +// +// This function allows finer-grained access control settings; +// the given application list is trusted only for one specific authorization +// (e.g. kSecACLAuthorizationDecrypt). Note that if trustedApplications +// is NULL, this means "allow any application", while an empty (zero-length) +// list means "no applications have access". +// Returns true if the ACL was modified successfully, otherwise false. 
+// +static bool setTrustedApplicationsForACLAuthorization(SecAccessRef access, + CFTypeRef authorizationTag, NSArray* trustedApplications) +{ + // get the access control list for this authorization tag) + CFArrayRef aclList = SecAccessCopyMatchingACLList(access, authorizationTag); + if (!aclList) + return false; + + // get the first entry in the access control list + SecACLRef aclRef=(SecACLRef)CFArrayGetValueAtIndex(aclList, 0); + CFArrayRef appList=nil; + CFStringRef promptDescription=nil; + SecKeychainPromptSelector promptSelector; + OSStatus err = SecACLCopyContents(aclRef, &appList, &promptDescription, &promptSelector); + ok_status(err, "%s: SecACLCopyContents", testName); + + if (!trustedApplications) // "allow all applications to access this item" + { + // change the ACL to not require the passphrase, and have a nil application list. + promptSelector &= ~kSecKeychainPromptRequirePassphase; + err = SecACLSetContents(aclRef, NULL, promptDescription, promptSelector); + ok_status(err, "%s: SecACLSetContents (allow all)", testName); + } + else // "allow access by these applications" + { + // modify the application list + err = SecACLSetContents(aclRef, (CFArrayRef)trustedApplications, promptDescription, promptSelector); + ok_status(err, "%s: SecACLSetContents", testName); + } + + if (appList) CFRelease(appList); + if (promptDescription) CFRelease(promptDescription); + + CFRelease(aclList); + return (!err); +} + +// +// This function returns a SecAccessRef, which the caller owns and must release. +// Note that if the provided item is not NULL, its existing access reference is returned, +// otherwise a new access reference is created. 
+// +static SecAccessRef createAccess(SecKeychainItemRef item, NSString *accessLabel, BOOL allowAny) +{ + OSStatus err; + SecAccessRef access=nil; + NSArray *trustedApplications=nil; + + if (!allowAny) // use default access ("confirm access") + { + // make an exception list of applications you want to trust, + // which are allowed to access the item without requiring user confirmation + SecTrustedApplicationRef myself, someOther; + err = SecTrustedApplicationCreateFromPath(NULL, &myself); + ok_status(err, "%s: SecTrustedApplicationCreateFromPath (1)", testName); + err = SecTrustedApplicationCreateFromPath("/Applications/Safari.app", &someOther); + ok_status(err, "%s: SecTrustedApplicationCreateFromPath (2)", testName); + trustedApplications = [NSArray arrayWithObjects:(id)myself, (id)someOther, nil]; + } + + // If the keychain item already exists, use its access reference; otherwise, create a new one + if (item) { + err = SecKeychainItemCopyAccess(item, &access); + ok_status(err, "%s: SecKeychainItemCopyAccess", testName); + } else { + err = SecAccessCreate((CFStringRef)accessLabel, (CFArrayRef)trustedApplications, &access); + ok_status(err, "%s: SecAccessCreate", testName); + } + + if (err) return nil; + + // At this point we have a SecAccessRef which permits "decrypt" access to the item + // only by apps in our trustedApplications list. We could return at this point. + // + // To set up other types of access, we need to do more work. + // In this example, we'll explicitly set the access control for decrypt and encrypt operations. + // + setTrustedApplicationsForACLAuthorization(access, kSecACLAuthorizationEncrypt, (allowAny) ? NULL : trustedApplications); + setTrustedApplicationsForACLAuthorization(access, kSecACLAuthorizationDecrypt, (allowAny) ? 
NULL : trustedApplications); + + return access; +} + +static SecKeyRef findExistingEncryptionKey(SecKeychainRef kc) +{ + SecKeyRef key; + NSArray* searchList = @[(__bridge id) kc]; + NSDictionary *query = @{ (__bridge id)kSecMatchSearchList: searchList, + (__bridge id)kSecClass: (__bridge id)kSecClassKey, + (__bridge id)kSecAttrApplicationLabel: EncryptionKeyLabel, + (__bridge id)kSecReturnRef: @YES }; + if (!SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef*)&key)) + return key; + + return nullptr; +} + +static SecKeyRef generateEncryptionKey(SecKeychainRef kc) +{ + SecAccessRef access = createAccess(nil, EncryptionKeyLabel, false); + if (!access) { + NSLog(@"Creating an access object failed."); + return nullptr; + } + + CFErrorRef error = NULL; + NSDictionary *keyParameters = @{ (__bridge id)kSecUseKeychain: (__bridge id)kc, + (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeAES, + (__bridge id)kSecAttrKeySizeInBits: @(256), + (__bridge id)kSecAttrCanEncrypt: @YES, + (__bridge id)kSecAttrCanDecrypt: @YES, + (__bridge id)kSecAttrIsPermanent: @YES, + (__bridge id)kSecAttrAccess: (__bridge id)access, + (__bridge id)kSecAttrLabel: EncryptionKeyLabel, + (__bridge id)kSecAttrApplicationLabel: EncryptionKeyLabel }; + SecKeyRef key = SecKeyGenerateSymmetric((__bridge CFDictionaryRef)keyParameters, &error); + + is(error, NULL, "%s: SecKeyGenerateSymmetric", testName); + ok(key, "%s: SecKeyGenerateSymmetric returned a key", testName); + + if (!key) + NSLog(@"Creating encryption key failed: %@", error); + + CFRelease(access); + return key; +} + +static SecKeyRef findOrGenerateEncryptionKey(SecKeychainRef kc) +{ + SecKeyRef key = findExistingEncryptionKey(kc); + if (key) + return key; + + return generateEncryptionKey(kc); +} + +static SecKeyRef encryptionKey(SecKeychainRef kc) +{ + static SecKeyRef key = NULL; + if (!key) { + key = findOrGenerateEncryptionKey(kc); + } + return key; +} + +static NSData *encryptData(SecKeychainRef kc, NSData 
*plainTextData) +{ + SecTransformRef transform = SecEncryptTransformCreate(encryptionKey(kc), nullptr); + SecTransformSetAttribute(transform, kSecPaddingKey, kSecPaddingPKCS7Key, nullptr); + SecTransformSetAttribute(transform, kSecEncryptionMode, kSecModeCBCKey, nullptr); + SecTransformSetAttribute(transform, kSecTransformInputAttributeName, (__bridge CFDataRef)plainTextData, nullptr); + + CFErrorRef error = 0; + NSData *result = CFBridgingRelease(SecTransformExecute(transform, &error)); + CFRelease(transform); + is(error, NULL, "%s: SecTransformExecute (encrypt)", testName); + + if (!result) { + NSLog(@"Encrypting data failed: %@", error); + CFRelease(error); + return nil; + } + + return result; +} + +static NSData *decryptData(SecKeychainRef kc, NSData *cipherTextData) +{ + SecTransformRef transform = SecDecryptTransformCreate(encryptionKey(kc), nullptr); + SecTransformSetAttribute(transform, kSecPaddingKey, kSecPaddingPKCS7Key, nullptr); + SecTransformSetAttribute(transform, kSecEncryptionMode, kSecModeCBCKey, nullptr); + SecTransformSetAttribute(transform, kSecTransformInputAttributeName, (__bridge CFDataRef)cipherTextData, nullptr); + + CFErrorRef error = 0; + NSData *result = CFBridgingRelease(SecTransformExecute(transform, &error)); + is(error, NULL, "%s: SecTransformExecute (decrypt)", testName); + + CFRelease(transform); + if (!result) { + NSLog(@"Decrypting data failed: %@", error); + CFRelease(error); + return nil; + } + + return result; +} + +int kc_12_key_create_symmetric_and_use(int argc, char *const *argv) +{ + plan_tests(17); + initializeKeychainTests(__FUNCTION__); + + SecKeychainRef kc = getPopulatedTestKeychain(); + + @autoreleasepool { + NSData *data = [@"Hello, world!" 
dataUsingEncoding:NSUTF8StringEncoding]; + NSLog(@" Original: %@", data); + NSData *encryptedData = encryptData(kc, data); + NSLog(@"Encrypted: %@", encryptedData); + if (encryptedData) { + NSData *roundtrippedData = decryptData(kc, encryptedData); + + eq_cf(roundtrippedData, data, "%s: Round-tripped data does not match original data", testName); + NSLog(@"Decrypted: %@", roundtrippedData); + } + } + + checkPrompts(0, "no prompts during test"); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFReleaseNull(kc); + + deleteTestFiles(); + return 0; +} + diff --git a/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric.c b/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric.c new file mode 100644 index 00000000..9c3b6eb4 --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric.c 
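Review bot: In encryptData() and decryptData(), `CFRelease(error);` runs whenever `result` is nil, but `error` starts as 0 and a nil result does not guarantee that SecTransformExecute populated it, so that path can hand NULL to CFRelease; guard it with `if (error) CFRelease(error);`. In createAccess(), `SecTrustedApplicationRef myself, someOther;` are uninitialized, both are placed into `trustedApplications` even when one of the `SecTrustedApplicationCreateFromPath` calls fails (e.g. Safari absent on the test host), and neither is ever released; initialize them to NULL, skip the array on failure, and CFRelease them after `SecAccessCreate`. setTrustedApplicationsForACLAuthorization() indexes `CFArrayGetValueAtIndex(aclList, 0)` without checking `CFArrayGetCount(aclList)` and goes on to use `promptSelector` even when `SecACLCopyContents` returned an error, so an empty list or a failed copy reads past the array or an indeterminate value; check the count and return after a non-zero `err` before touching the ACL. The cached `static SecKeyRef key` in encryptionKey() is keyed on nothing, so a second run in the same process would reuse a key from an already deleted keychain; a comment stating this is single-run only, or caching per `kc`, would prevent that surprise.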
@@ -0,0 +1,77 @@ +#include <Security/SecKeychain.h> +#include <Security/SecKeyPriv.h> +#include <Security/SecKeychainSearch.h> +#include <stdlib.h> +#include <unistd.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" + +static void tests() +{ + SecKeychainRef keychain = createNewKeychain("test", "test"); + + /* Symmetric key tests. */ + + ok_status(SecKeyGenerate(keychain, CSSM_ALGID_AES, 128, + 0 /* contextHandle */, + CSSM_KEYUSE_DECRYPT | CSSM_KEYUSE_ENCRYPT, + CSSM_KEYATTR_EXTRACTABLE, + NULL, NULL), "SecKeyGenerate"); + + uint32 btrue = 1; + SecKeychainAttribute sym_attrs[] = + { + { kSecKeyEncrypt, sizeof(btrue), &btrue } + }; + SecKeychainAttributeList sym_attr_list = + { sizeof(sym_attrs) / sizeof(*sym_attrs), sym_attrs }; + SecKeychainSearchRef search = NULL; + ok_status(SecKeychainSearchCreateFromAttributes(keychain, + CSSM_DL_DB_RECORD_SYMMETRIC_KEY, &sym_attr_list, &search), + "create symmetric encryption key search"); + SecKeychainItemRef item = NULL; + ok_status(SecKeychainSearchCopyNext(search, &item), "get first key"); + + if (item) CFRelease(item); + is_status(SecKeychainSearchCopyNext(search, &item), + errSecItemNotFound, "copy next returns no more keys"); + CFRelease(search); + + ok_status(SecKeychainSearchCreateFromAttributes(keychain, + CSSM_DL_DB_RECORD_ANY, NULL, &search), + "create any item search"); + item = NULL; + + ok_status(SecKeychainSearchCopyNext(search, &item), "get first key"); + + if (item) CFRelease(item); + + is_status(SecKeychainSearchCopyNext(search, &item), + errSecItemNotFound, "copy next returns no more keys"); + CFRelease(search); + + SecKeyRef aes_key2 = NULL; + ok_status(SecKeyGenerate(keychain, CSSM_ALGID_AES, 128, + 0 /* contextHandle */, + CSSM_KEYUSE_DECRYPT | CSSM_KEYUSE_ENCRYPT, + CSSM_KEYATTR_EXTRACTABLE, + NULL, &aes_key2), "SecKeyGenerate and get key"); + + is(CFGetRetainCount(aes_key2), 1, "retain count is 1"); + CFRelease(aes_key2); + + + ok_status(SecKeychainDelete(keychain), "%s: 
SecKeychainDelete", testName); + CFRelease(keychain); +} + +int kc_12_key_create_symmetric(int argc, char *const *argv) +{ + plan_tests(11); + + tests(); + + deleteTestFiles(); + return 0; +} diff --git a/OSX/libsecurity_keychain/regressions/kc-15-item-update-label-skimaad.m b/OSX/libsecurity_keychain/regressions/kc-15-item-update-label-skimaad.m new file mode 100644 index 00000000..81870078 --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-15-item-update-label-skimaad.m 
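Review bot: `ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName);` formats `testName`, but kc_12_key_create_symmetric() never calls `initializeKeychainTests(...)`, so the printed name is stale from an earlier test or unset; add `initializeKeychainTests(__FUNCTION__);` before `plan_tests(11);` as the other new files in this patch do. Only ten assertions are visible in tests() against `plan_tests(11)`; unless createNewKeychain() contributes one, the plan does not match. The behaviour under test — that the first search returns exactly one symmetric key and the second search returns exactly one item of any kind — is worth a comment above the searches, e.g. `/* fresh keychain: the generated AES key must be the only record */`, since the two `is_status(..., errSecItemNotFound, ...)` checks depend on it.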
@@ -0,0 +1,169 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// <rdar://3425797> + +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-item-helpers.h" + +#import <Foundation/Foundation.h> +#include <CoreFoundation/CoreFoundation.h> +#include <Security/Security.h> +#include <CoreServices/CoreServices.h> + +//Call SecKeychainAddGenericPassword to add a new password to the keychain: +static OSStatus StorePasswordKeychain (SecKeychainRef keychain, void* password,UInt32 passwordLength) +{ + OSStatus status; + status = SecKeychainAddGenericPassword ( + keychain, + 10, // length of service name + "SurfWriter", // service name + 10, // length of account name + "MyUserAcct", // account name + passwordLength, // length of password + password, // pointer to password data + NULL // the item reference + ); + + ok_status(status, "%s: SecKeychainAddGenericPassword", testName); + return (status); +} + +//Call SecKeychainFindGenericPassword to get a password from the keychain: +static OSStatus GetPasswordKeychain (SecKeychainRef 
keychain, void *passwordData,UInt32 *passwordLength,SecKeychainItemRef *itemRef) +{ + OSStatus status; + + + status = SecKeychainFindGenericPassword ( + keychain, + 10, // length of service name + "SurfWriter", // service name + 10, // length of account name + "MyUserAcct", // account name + passwordLength, // length of password + passwordData, // pointer to password data + itemRef // the item reference + ); + ok_status(status, "%s: SecKeychainFindGenericPassword", testName); + return (status); +} + +//Call SecKeychainItemModifyAttributesAndData to change the password for an item already in the keychain: +static OSStatus ChangePasswordKeychain (SecKeychainItemRef itemRef) +{ + OSStatus status; + void * password = "myNewP4sSw0rD"; + UInt32 passwordLength = (UInt32) strlen(password); + void * label = "New Item Label"; + UInt32 labelLength = (UInt32) strlen(label); + + NSString *account = @"New Account"; + NSString *service = @"New Service"; + const char *serviceUTF8 = [service UTF8String]; + const char *accountUTF8 = [account UTF8String]; + +//%%% IMPORTANT: While SecKeychainItemCreateFromContent() will accept a kSecLabelItemAttr, it cannot +// be changed later via SecKeychainItemModifyAttributesAndData(). ##### THIS IS A BUG. ##### +// To work around the bug, pass 7 instead of kSecLabelItemAttr. This value is the index of the label +// attribute in the database schema (and in the SecItemAttr enumeration). 
+// +//#define LABEL_ITEM_ATTR_TAG 7 +#define LABEL_ITEM_ATTR_TAG kSecLabelItemAttr + + // set up attribute vector (each attribute consists of {tag, length, pointer}) + SecKeychainAttribute attrs[] = { + { LABEL_ITEM_ATTR_TAG, labelLength, (char *)label }, + { kSecAccountItemAttr, (UInt32) strlen(accountUTF8), (char *)accountUTF8 }, + { kSecServiceItemAttr, (UInt32) strlen(serviceUTF8), (char *)serviceUTF8 } }; + const SecKeychainAttributeList attributes = { sizeof(attrs) / sizeof(attrs[0]), attrs }; + + + status = SecKeychainItemModifyAttributesAndData ( + itemRef, // the item reference + &attributes, // attributes to change + passwordLength, // length of password + password // pointer to password data + ); + ok_status(status, "%s: SecKeychainItemModifyAttributesAndData", testName); + return (status); +} + +int kc_15_item_update_label_skimaad(int argc, char *const *argv) +{ + plan_tests(27); + initializeKeychainTests(__FUNCTION__); + + SecKeychainRef keychain = getPopulatedTestKeychain(); + + NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init]; + OSStatus status; + OSStatus status1; + SInt32 status3; + CFStringRef theLabel = CFSTR("Notice"); + + CFStringRef theStatusStr = nil; + + void * myPassword = "myP4sSw0rD"; + UInt32 myPasswordLength = (UInt32) strlen(myPassword); + void *passwordData = nil; // will be allocated and filled in by SecKeychainFindGenericPassword + UInt32 passwordLength = 0; + SecKeychainItemRef itemRef = nil; + + StorePasswordKeychain(keychain, myPassword, myPasswordLength); + + itemRef = checkN(testName, makeQueryCustomItemDictionaryWithService(keychain, kSecClassGenericPassword, CFSTR("SurfWriter"), CFSTR("SurfWriter")), 1); + checkN(testName, makeQueryCustomItemDictionaryWithService(keychain, kSecClassGenericPassword, CFSTR("New Item Label"), CFSTR("New Service")), 0); + readPasswordContents(itemRef, CFSTR("myP4sSw0rD")); + CFReleaseNull(itemRef); + + GetPasswordKeychain (keychain, &passwordData,&passwordLength,&itemRef); //Call 
SecKeychainFindGenericPassword + + /* + free the data allocated by SecKeychainFindGenericPassword: + */ + status = SecKeychainItemFreeContent ( + NULL, //No attribute data to release + passwordData //Release data buffer allocated by SecKeychainFindGenericPassword + ); + ok_status(status, "%s: SecKeychainItemFreeContent", testName); + + ChangePasswordKeychain(itemRef); + + checkN(testName, makeQueryCustomItemDictionaryWithService(keychain, kSecClassGenericPassword, CFSTR("SurfWriter"), CFSTR("SurfWriter")), 0); + itemRef = checkN(testName, makeQueryCustomItemDictionaryWithService(keychain, kSecClassGenericPassword, CFSTR("New Item Label"), CFSTR("New Service")), 1); + readPasswordContents(itemRef, CFSTR("myNewP4sSw0rD")); + CFReleaseNull(itemRef); + + [pool release]; + + checkPrompts(0, "no prompts during test"); + + ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName); + CFReleaseNull(keychain); + + deleteTestFiles(); + return 0; +} diff --git a/OSX/libsecurity_keychain/regressions/kc-15-key-update-valueref.c b/OSX/libsecurity_keychain/regressions/kc-15-key-update-valueref.c new file mode 100644 index 00000000..5d8f4682 --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-15-key-update-valueref.c 
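Review bot: GetPasswordKeychain() declares its third parameter as `void *passwordData` while the entry point passes `&passwordData` (a `void **`) and the helper forwards it to SecKeychainFindGenericPassword, which takes `void **`; the implicit conversion through `void *` compiles silently and hides the mismatch, so declare it `void **passwordData`. The `#define LABEL_ITEM_ATTR_TAG kSecLabelItemAttr` inside ChangePasswordKeychain() leaks to the rest of the translation unit, and the comment above it still describes the `7` workaround as the live state and calls the current value a bug; move the define to file scope, drop the commented-out `//#define LABEL_ITEM_ATTR_TAG 7`, and reword the comment to say this test verifies that `kSecLabelItemAttr` is accepted by SecKeychainItemModifyAttributesAndData (apparently the `<rdar://3425797>` reference at the top). In kc_15_item_update_label_skimaad(), `status1`, `status3`, `theLabel` and `theStatusStr` are never used and should be removed.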
@@ -0,0 +1,301 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the xLicense.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// Tests the SecItemUpdate function.
+// Currently this is a simple test to determine whether the correct item
+// is updated when specified by a kSecValueRef (see <rdar://10358577>).
+//
+
+#include "keychain_regressions.h"
+#include "kc-helpers.h"
+#include "kc-item-helpers.h"
+#include "kc-key-helpers.h"
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <CoreServices/CoreServices.h>
+#include <Security/Security.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <time.h>
+#include <sys/param.h>
+
+static int quiet = 0;
+static int debug = 1;
+static int verbose = 1;
+
+#define MAXNAMELEN MAXPATHLEN
+#define MAXITEMS INT32_MAX
+
+#pragma mark -- Utility Functions --
+
+
+static void PrintTestResult(char *testStr, OSStatus status, OSStatus expected)
+{
+ if (verbose) {
+ fprintf(stdout, "%s: %s (result=%d, expected=%d)\n", testStr,
+ (status==expected) ? "OK" : "FAILED",
+ (int)status, (int)expected);
+ }
+ if (debug) {
+ fprintf(stdout, "\n");
+ }
+ fflush(stdout);
+}
+
+static void PrintCFStringWithFormat(const char *formatStr, CFStringRef inStr)
+{
+ char *buf = (char*)malloc(MAXNAMELEN);
+ if (buf) {
+ if (CFStringGetCString(inStr, buf, (CFIndex)MAXNAMELEN, kCFStringEncodingUTF8)) {
+ fprintf(stdout, formatStr, buf);
+ fflush(stdout);
+ }
+ free(buf);
+ }
+}
+
+const CFStringRef gPrefix = CFSTR("Test Key");
+const CFStringRef gLabel = CFSTR("Test AES Encryption Key");
+const CFStringRef gUUID = CFSTR("550e8400-e29b-41d4-a716-446655441234");
+
+// CreateSymmetricKey will create a new AES-128 symmetric encryption key
+// with the provided label, application label, and application tag.
+// Each of those attributes is optional, but only the latter two
+// (application label and application tag) are considered part of the
+// key's "unique" attribute set. Previously, if you attempted to create a
+// key which differs only in the label attribute (but not in the other two)
+// then the attempt would fail and leave a "turd" key with no label in your
+// keychain: <rdar://8289559>, fixed in 11A268a.
+
+static int CreateSymmetricKey(
+ SecKeychainRef inKeychain,
+ CFStringRef keyLabel,
+ CFStringRef keyAppLabel,
+ CFStringRef keyAppTag,
+ OSStatus expected)
+{
+ OSStatus status;
+ int keySizeValue = 128;
+ CFNumberRef keySize = CFNumberCreate(NULL, kCFNumberIntType, &keySizeValue);
+
+ // get a SecKeychainRef for the keychain in which we want the key to be created
+ // (this step is optional, but if omitted, the key is NOT saved in any keychain!)
+ SecKeychainRef keychain = NULL;
+ if (inKeychain == NULL)
+ status = SecKeychainCopyDefault(&keychain);
+ else
+ keychain = (SecKeychainRef) CFRetain(inKeychain);
+
+ // create a SecAccessRef to set up the initial access control settings for this key
+ // (this step is optional; if omitted, the creating application has access to the key)
+ // note: the access descriptor should be the same string as will be used for the item's label,
+ // since it's the string that is displayed by the access confirmation dialog to describe the item.
+ SecAccessRef access = NULL;
+ status = SecAccessCreate(gLabel, NULL, &access);
+
+ // create a dictionary of parameters describing the key we want to create
+ CFMutableDictionaryRef params = CFDictionaryCreateMutable(NULL, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+
+ CFDictionaryAddValue( params, kSecClass, kSecClassKey );
+ CFDictionaryAddValue( params, kSecUseKeychain, keychain );
+ CFDictionaryAddValue( params, kSecAttrAccess, access );
+ CFDictionaryAddValue( params, kSecAttrKeyClass, kSecAttrKeyClassSymmetric );
+ CFDictionaryAddValue( params, kSecAttrKeyType, kSecAttrKeyTypeAES );
+ CFDictionaryAddValue( params, kSecAttrKeySizeInBits, keySize );
+ CFDictionaryAddValue( params, kSecAttrIsPermanent, kCFBooleanTrue );
+ CFDictionaryAddValue( params, kSecAttrCanEncrypt, kCFBooleanTrue );
+ CFDictionaryAddValue( params, kSecAttrCanDecrypt, kCFBooleanTrue );
+ CFDictionaryAddValue( params, kSecAttrCanWrap, kCFBooleanFalse );
+ CFDictionaryAddValue( params, kSecAttrCanUnwrap, kCFBooleanFalse );
+ if (keyLabel)
+ CFDictionaryAddValue( params, kSecAttrLabel, keyLabel );
+ if (keyAppLabel)
+ CFDictionaryAddValue( params, kSecAttrApplicationLabel, keyAppLabel );
+ if (keyAppTag)
+ CFDictionaryAddValue( params, kSecAttrApplicationTag, keyAppTag );
+
+ // generate the key
+ CFErrorRef error = NULL;
+ SecKeyRef key = SecKeyGenerateSymmetric(params, &error);
+
+ // print result and clean up
+ if (debug) {
+ if (key == NULL) {
+ CFStringRef desc = (error) ? CFErrorCopyDescription(error) : CFRetain(CFSTR("(no result!"));
+ PrintCFStringWithFormat("SecKeyGenerateSymmetric failed: %s\n", desc);
+ CFRelease(desc);
+ }
+ else {
+ CFStringRef desc = CFCopyDescription(key);
+ PrintCFStringWithFormat("SecKeyGenerateSymmetric succeeded: %s\n", desc);
+ CFRelease(desc);
+ }
+ }
+ status = (error) ? (OSStatus) CFErrorGetCode(error) : noErr;
+// if (status == errSecDuplicateItem)
+// status = noErr; // it's OK if the key already exists
+
+ if (key) CFRelease(key);
+ if (error) CFRelease(error);
+ if (params) CFRelease(params);
+ if (keychain) CFRelease(keychain);
+ if (access) CFRelease(access);
+
+ PrintTestResult("CreateSymmetricKey", status, expected);
+
+ return status;
+}
+
+static int TestUpdateItems(SecKeychainRef keychain)
+{
+ int result = 0;
+ OSStatus status = errSecSuccess;
+
+ // first, create a symmetric key
+ CFGregorianDate curGDate = CFAbsoluteTimeGetGregorianDate(CFAbsoluteTimeGetCurrent(), NULL);
+ CFStringRef curDateLabel = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@ (%4d-%02d-%02d)"),
+ gPrefix, (int) (curGDate.year), (int) (curGDate.month), (int) (curGDate.day));
+ CFStringRef curAppTag = CFSTR("SecItemUpdate");
+
+ status = CreateSymmetricKey(keychain, curDateLabel, gUUID, curAppTag, noErr);
+ if (status && status != errSecDuplicateItem)
+ ++result;
+
+ CFStringRef keyLabel = CFSTR("iMessage test key");
+ CFStringRef newLabel = CFSTR("iMessage test PRIVATE key");
+
+ // create a new 1024-bit RSA key pair
+ SecKeyRef publicKey = NULL;
+ SecKeyRef privateKey = NULL;
+ CFMutableDictionaryRef params = CFDictionaryCreateMutable(NULL, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ int keySizeValue = 1024;
+ CFNumberRef keySize = CFNumberCreate(NULL, kCFNumberIntType, &keySizeValue);
+
+ CFDictionaryAddValue( params, kSecAttrKeyType, kSecAttrKeyTypeRSA );
+ CFDictionaryAddValue( params, kSecAttrKeySizeInBits, keySize );
+ CFDictionaryAddValue( params, kSecAttrLabel, keyLabel );
+// CFDictionaryAddValue( params, kSecAttrAccess, access );
+// %%% note that SecKeyGeneratePair will create the key pair in the default keychain
+// if a keychain is not given via the kSecUseKeychain parameter.
+ CFDictionaryAddValue( params, kSecUseKeychain, keychain );
+
+ status = SecKeyGeneratePair(params, &publicKey, &privateKey);
+ ok_status(status, "%s: SecKeyGeneratePair", testName);
+ if (status != noErr) {
+ ++result;
+ }
+ PrintTestResult("TestUpdateItems: generating key pair", status, noErr);
+
+ // Make sure we have the key of interest
+ checkN(testName, makeQueryKeyDictionaryWithLabel(keychain, kSecAttrKeyClassPrivate, keyLabel), 1);
+ checkN(testName, makeQueryKeyDictionaryWithLabel(keychain, kSecAttrKeyClassPrivate, newLabel), 0);
+
+ // create a query which will match just the private key item (based on its known reference)
+ CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+// CFArrayRef itemList = CFArrayCreate(NULL, (const void**) &privateKey, 1, &kCFTypeArrayCallBacks);
+// %%% note that kSecClass seems to be a required query parameter even though
+// kSecMatchItemList is provided; that looks like it could be a bug...
+ CFDictionaryAddValue( query, kSecClass, kSecClassKey );
+// CFDictionaryAddValue( query, kSecAttrKeyClass, kSecAttrKeyClassPrivate );
+
+// %%% pass the private key ref, instead of the item list, to test <rdar://problem/10358577>
+// CFDictionaryAddValue( query, kSecMatchItemList, itemList );
+ CFDictionaryAddValue( query, kSecValueRef, privateKey );
+
+ // create dictionary of changed attributes for the private key
+ CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(NULL, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ SecAccessRef access = NULL;
+
+ status = SecAccessCreate(newLabel, NULL, &access);
+ ok_status(status, "%s: SecAccessCreate", testName);
+ if (status != noErr) {
+ ++result;
+ }
+ PrintTestResult("TestUpdateItems: creating access", status, noErr);
+
+//%%% note that changing the access for this key causes a dialog,
+// so leave this out for the moment (uncomment to test that access change works).
+// Normally the desired access should be passed into the SecKeyGeneratePair function.
+// so there is no need for a dialog later.
+// CFDictionaryAddValue( attrs, kSecAttrAccess, access );
+ CFDictionaryAddValue( attrs, kSecAttrLabel, newLabel );
+
+ // update the private key with the new attributes
+ status = SecItemUpdate( query, attrs );
+ ok_status(status, "%s: SecItemUpdate", testName);
+
+ if (status != noErr) {
+ ++result;
+ }
+ PrintTestResult("TestUpdateItems: updating item", status, noErr);
+
+ // Make sure label changed
+ checkN(testName, makeQueryKeyDictionaryWithLabel(keychain, kSecAttrKeyClassPrivate, keyLabel), 0);
+ checkN(testName, makeQueryKeyDictionaryWithLabel(keychain, kSecAttrKeyClassPrivate, newLabel), 1);
+
+ if (publicKey)
+ CFRelease(publicKey);
+ if (privateKey)
+ CFRelease(privateKey);
+ if (access)
+ CFRelease(access);
+
+ if (params)
+ CFRelease(params);
+ if (query)
+ CFRelease(query);
+ if (attrs)
+ CFRelease(attrs);
+
+ return result;
+}
+
+int kc_15_key_update_valueref(int argc, char *const *argv)
+{
+ plan_tests(20);
+ initializeKeychainTests(__FUNCTION__);
+
+ SecKeychainRef keychain = getPopulatedTestKeychain();
+
+ TestUpdateItems(keychain);
+
+ checkPrompts(0, "no prompts during test");
+
+ ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName);
+ CFRelease(keychain);
+
+ deleteTestFiles();
+ return 0;
+}
diff --git a/OSX/libsecurity_keychain/regressions/kc-16-item-update-password.c b/OSX/libsecurity_keychain/regressions/kc-16-item-update-password.c
new file mode 100644
index 00000000..50ad886b
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-16-item-update-password.c
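Review bot: `kc_15_key_update_valueref` discards the `int` that `TestUpdateItems` returns, and the symmetric-key half of the test only reaches `PrintTestResult` and `++result`, never `ok_status`, so a failed AES key creation cannot fail the plan; asserting it with `ok_status(status, "%s: CreateSymmetricKey", testName);` (and adjusting `plan_tests(20)`) would make that half count. Several Create-rule objects are never released: `keySize` in both `CreateSymmetricKey` and `TestUpdateItems`, and `curDateLabel` from `CFStringCreateWithFormat`, none of which appear in either cleanup list. In `CreateSymmetricKey` the status of `SecKeychainCopyDefault` is overwritten by the unchecked `SecAccessCreate` call, and if either leaves its out-parameter NULL the unconditional `CFDictionaryAddValue( params, kSecUseKeychain, keychain )` / `kSecAttrAccess` lines pass NULL as a dictionary value; a guard such as `if (status != noErr || keychain == NULL || access == NULL) goto cleanup;` before the dictionary is built would turn that into a reported failure. The literal `"(no result!"` is also missing its closing parenthesis.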
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the xLicense.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import <Security/Security.h>
+#import <Security/SecCertificatePriv.h>
+
+#include "keychain_regressions.h"
+#include "kc-helpers.h"
+#include "kc-item-helpers.h"
+
+static void tests()
+{
+ SecKeychainRef kc = getPopulatedTestKeychain();
+
+ CFMutableDictionaryRef query = NULL;
+ SecKeychainItemRef item = NULL;
+
+ // Find passwords
+ query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service"), CFSTR("test_service"));
+ item = checkN(testName, query, 1);
+ readPasswordContents(item, CFSTR("test_password")); checkPrompts(0, "after reading a password");
+ changePasswordContents(item, CFSTR("new_password")); checkPrompts(0, "changing a internet password");
+ readPasswordContents(item, CFSTR("new_password")); checkPrompts(0, "reading a changed internet password");
+ CFReleaseNull(item);
+
+ query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl"));
+ item = checkN(testName, query, 1);
+ readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // we don't expect to be able to read this
+ checkPrompts(1, "trying to read internet password without access");
+
+ changePasswordContents(item, CFSTR("new_password"));
+ checkPrompts(0, "after changing a internet password without access"); // NOTE: we expect this write to succeed, even though we're not on the ACL. Therefore, we should see 0 prompts for this step.
+ readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // we don't expect to be able to read this
+ checkPrompts(1, "after changing a internet password without access");
+ CFReleaseNull(item);
+
+ query = makeQueryCustomItemDictionaryWithService(kc, kSecClassGenericPassword, CFSTR("test_service"), CFSTR("test_service"));
+ item = checkN(testName, query, 1);
+ readPasswordContents(item, CFSTR("test_password")); checkPrompts(0, "after reading a generic password");
+ changePasswordContents(item, CFSTR("new_password")); checkPrompts(0, "changing a generic password");
+ readPasswordContents(item, CFSTR("new_password")); checkPrompts(0, "after changing a generic password");
+ CFReleaseNull(item);
+
+ query = makeQueryCustomItemDictionaryWithService(kc, kSecClassGenericPassword, CFSTR("test_service_restrictive_acl"), CFSTR("test_service_restrictive_acl"));
+ item = checkN(testName, query, 1);
+ readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // we don't expect to be able to read this
+ checkPrompts(1, "trying to read generic password without access");
+
+ changePasswordContents(item, CFSTR("new_password"));
+ checkPrompts(0, "changing a generic password without access"); // NOTE: we expect this write to succeed, even though we're not on the ACL. Therefore, we should see 0 prompts for this step.
+ readPasswordContentsWithResult(item, errSecAuthFailed, NULL); // we don't expect to be able to read this + checkPrompts(1, "after changing a generic password without access"); + CFReleaseNull(item); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFReleaseNull(kc); +} +#define numTests (getPopulatedTestKeychainTests + \ +checkNTests + readPasswordContentsTests + checkPromptsTests + changePasswordContentsTests + checkPromptsTests + readPasswordContentsTests + checkPromptsTests + \ +checkNTests + readPasswordContentsTests + checkPromptsTests + changePasswordContentsTests + checkPromptsTests + readPasswordContentsTests + checkPromptsTests + \ +checkNTests + readPasswordContentsTests + checkPromptsTests + changePasswordContentsTests + checkPromptsTests + readPasswordContentsTests + checkPromptsTests + \ +checkNTests + readPasswordContentsTests + checkPromptsTests + changePasswordContentsTests + checkPromptsTests + readPasswordContentsTests + checkPromptsTests + \ ++ 1) + +int kc_16_item_update_password(int argc, char *const *argv) +{ + plan_tests(numTests); + initializeKeychainTests(__FUNCTION__); + + tests(); + + deleteTestFiles(); + return 0; +} diff --git a/SecurityTests/regressions/kc/kc-51-testSecItemFind.c b/OSX/libsecurity_keychain/regressions/kc-18-find-combined.c similarity index 59% rename from SecurityTests/regressions/kc/kc-51-testSecItemFind.c rename to OSX/libsecurity_keychain/regressions/kc-18-find-combined.c index 26e40ec3..c19ac9d2 100644 --- a/SecurityTests/regressions/kc/kc-51-testSecItemFind.c +++ b/OSX/libsecurity_keychain/regressions/kc-18-find-combined.c 
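Review bot: `static void tests()` is defined with an empty, unprototyped parameter list while the file's other definition carries a full prototype; it should read `static void tests(void)`. `query` is reassigned four times with no release in between, so if `makeQueryCustomItemDictionaryWithService` returns an owned reference (its ownership contract is not visible in this hunk and its name does not follow the Create/Copy convention) each reassignment leaks the previous dictionary; pairing a `CFReleaseNull(query);` with each `CFReleaseNull(item);` would be correct only once that contract is confirmed. The `numTests` macro counts all four sections with the same `readPasswordContentsTests` term, but the two restrictive-ACL sections call `readPasswordContentsWithResult` instead of `readPasswordContents`, so if those helpers report a different number of subtests the plan count will be off. The restrictive-ACL sections pin that a caller not on the item's ACL can change the password without a prompt yet cannot read it; the inline NOTE states that expectation but not why it holds, and a one-line comment giving the reason would let a future maintainer distinguish an intended regression check from an accidental one.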
@@ -1,5 +1,26 @@ -// -// testSecItemFind.c +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + // // Tests the ability of SecItemCopyMatching to replace the following // deprecated keychain search functions: @@ -17,25 +38,11 @@ // - SecItemDelete // - SecKeyGenerateSymmetric // -// -// To build and run this tool (from Terminal): -// cc -framework Security -framework CoreFoundation -o testSecItemFind testSecItemFind.c -// ./testSecItemFind -// -// IMPORTANT: when building this code yourself, make sure that the AUTO_TEST -// symbol is undefined (or defined to 0) below. If the AUTO_TEST symbol is -// defined and non-zero, it is assumed that this tool is being built as part of -// an automated regression test suite by internal Security test harness code. -// -// -// Last modified: Tue Nov 16 2010 (kcm) - - -#define AUTO_TEST 1 #include <CoreFoundation/CoreFoundation.h> #include <CoreServices/CoreServices.h> #include <Security/Security.h> +#include <Security/SecPolicyPriv.h> #include <stdlib.h> #include <string.h> 
@@ -43,17 +50,11 @@ #include <unistd.h> #include <time.h> #include <sys/param.h> +#include "test/testenv.h" +#include "utilities/SecCFRelease.h" -#if AUTO_TEST -#import "testmore.h" -#import "testenv.h" -#import "testleaks.h" -#else -#define tests_begin(ARGC, ARGV) /* no-op */ -#define tests_end(RESULT) /* no-op */ -#define plan_tests(COUNT) /* no-op */ -#define ok(RESULT, REASON) /* no-op */ -#endif +#include "keychain_regressions.h" +#include "kc-helpers.h" /* Following is a 3-element certificate chain * (ROOT_CERT, INTERMEDIATE_CERT, LEAF_CERT) 
@@ -261,502 +262,410 @@ unsigned char LEAF_CERT[1037]={ /* Test certificate for Code Signing policy */ -unsigned char Test_codesign[1017]={ - 0x30,0x82,0x03,0xF5,0x30,0x82,0x02,0xDD,0xA0,0x03,0x02,0x01,0x02,0x02,0x04,0x77, - 0xCE,0xF5,0x3D,0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, - 0x30,0x81,0xA5,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03,0x0C,0x19,0x54,0x65, - 0x73,0x74,0x2D,0x35,0x36,0x38,0x35,0x33,0x31,0x36,0x2D,0x49,0x4E,0x54,0x45,0x52, - 0x4D,0x45,0x44,0x49,0x41,0x54,0x45,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A, - 0x0C,0x05,0x41,0x70,0x70,0x6C,0x65,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0B, - 0x0C,0x0B,0x43,0x6F,0x72,0x65,0x20,0x43,0x72,0x79,0x70,0x74,0x6F,0x31,0x0B,0x30, - 0x09,0x06,0x03,0x55,0x04,0x08,0x0C,0x02,0x43,0x41,0x31,0x0B,0x30,0x09,0x06,0x03, - 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07, - 0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x2B,0x30,0x29,0x06, - 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,0x16,0x1C,0x73,0x65,0x63,0x75, - 0x72,0x69,0x74,0x79,0x2D,0x64,0x65,0x76,0x40,0x67,0x72,0x6F,0x75,0x70,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x1E,0x17,0x0D,0x31,0x30,0x30,0x35, - 0x32,0x30,0x30,0x31,0x32,0x35,0x33,0x32,0x5A,0x17,0x0D,0x31,0x31,0x30,0x35,0x32, - 0x30,0x30,0x31,0x32,0x35,0x33,0x32,0x5A,0x30,0x81,0xA8,0x31,0x24,0x30,0x22,0x06, - 0x03,0x55,0x04,0x03,0x0C,0x1B,0x54,0x65,0x73,0x74,0x2D,0x37,0x38,0x37,0x35,0x38, - 0x30,0x31,0x20,0x28,0x43,0x6F,0x64,0x65,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E,0x67, - 0x29,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C, - 0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x10,0x30,0x0E,0x06,0x03,0x55,0x04,0x0B,0x0C, - 0x07,0x43,0x6F,0x72,0x65,0x20,0x4F,0x53,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x08,0x0C,0x02,0x43,0x41,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, - 0x55,0x53,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70, - 
0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x2B,0x30,0x29,0x06,0x09,0x2A,0x86,0x48,0x86, - 0xF7,0x0D,0x01,0x09,0x01,0x16,0x1C,0x73,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x2D, - 0x64,0x65,0x76,0x40,0x67,0x72,0x6F,0x75,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E, - 0x63,0x6F,0x6D,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, - 0x82,0x01,0x01,0x00,0xC0,0x5E,0x52,0x53,0xB0,0x05,0x8D,0x9E,0xF2,0xBF,0x2E,0xA1, - 0x95,0xD5,0x10,0x97,0xFC,0x8E,0x77,0x6E,0x63,0x7A,0x7D,0xD2,0x56,0x05,0xE9,0xEE, - 0x3D,0xEE,0xCA,0xA4,0xBB,0x99,0x42,0xA2,0x55,0x67,0x97,0x15,0xFB,0x94,0x6D,0x22, - 0x39,0x7F,0xE9,0xC0,0x72,0x41,0x8F,0xF5,0x76,0x55,0x65,0x3B,0x39,0x5F,0x31,0x15, - 0x72,0x2A,0xB4,0x2F,0xED,0xB7,0x6A,0x3E,0xE9,0x3A,0x1C,0x50,0xD4,0x31,0x6D,0x7A, - 0x71,0x28,0x98,0x8D,0x8A,0xBF,0x90,0x01,0x8A,0xFF,0x42,0x62,0xEB,0xE5,0xC8,0x5A, - 0xB2,0x5A,0xB8,0x46,0x27,0xDA,0xD5,0x70,0xAF,0xD4,0xF6,0xF2,0xEC,0xD6,0x43,0x7E, - 0x25,0x31,0xED,0xA2,0x1E,0xFA,0x77,0xF4,0x59,0xBF,0x3F,0x11,0xAE,0xF1,0x0E,0xC9, - 0xFD,0x56,0xCA,0xA0,0x3E,0x8B,0xA5,0xE9,0xF6,0x91,0x82,0xE0,0xC6,0x5E,0x35,0x92, - 0x3F,0x0E,0x77,0x23,0x88,0x6F,0x33,0x91,0xAC,0x98,0xC5,0xF5,0x52,0x12,0xB2,0x3A, - 0x08,0x66,0xEB,0xC8,0x14,0x8E,0xED,0x0F,0xE5,0x76,0xCE,0x36,0xE8,0xED,0xB6,0x41, - 0xD6,0xF3,0x1C,0x24,0xBA,0xCC,0xEE,0x28,0xF8,0xC8,0xAE,0x87,0x15,0x1D,0x33,0x47, - 0xEA,0x5B,0x7D,0xE2,0x80,0xA9,0x6B,0xE3,0x8B,0x36,0xD0,0x25,0x2C,0x32,0xDA,0xFF, - 0x7C,0x85,0x28,0x48,0xDB,0x35,0x2A,0x1A,0xBE,0x7F,0xCD,0xE1,0xA6,0x79,0x35,0xB3, - 0x79,0xA3,0xB9,0x15,0xC6,0x31,0xA1,0xB4,0x63,0xD8,0x05,0x1D,0xDD,0x11,0x74,0xCD, - 0xCF,0xBD,0x27,0x02,0xB7,0xD8,0xA9,0xA1,0x1D,0xFB,0xA1,0xEC,0x44,0x8D,0x21,0x64, - 0x84,0x2E,0x6B,0x3B,0x02,0x03,0x01,0x00,0x01,0xA3,0x2A,0x30,0x28,0x30,0x0E,0x06, - 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x16,0x06, - 0x03,0x55,0x1D,0x25,0x01,0x01,0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01, - 
0x05,0x05,0x07,0x03,0x03,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, - 0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x80,0xC4,0xB6,0x9D,0xBE,0x72,0x30, - 0x72,0xFD,0x49,0x43,0x8F,0x3B,0xFE,0xC6,0xF1,0x4D,0xAA,0xB3,0xD1,0xD6,0x0C,0x54, - 0x9D,0x24,0xDF,0x86,0x9B,0x0A,0x68,0x55,0x4B,0x5A,0x20,0x53,0xC0,0xBF,0x82,0xAF, - 0xC7,0x19,0x19,0x43,0xA1,0xA4,0x53,0xF4,0xE5,0x33,0xE6,0xF7,0xAD,0x8E,0x6D,0xD8, - 0x94,0x23,0xEB,0x3E,0x6A,0xCF,0xDA,0x4B,0x09,0x6E,0x26,0x2B,0x62,0x70,0x98,0x0A, - 0xCE,0x58,0x70,0xA6,0xAD,0x08,0x45,0xAB,0x9E,0x89,0xBB,0xF8,0x84,0x6F,0x0D,0x9B, - 0x77,0xBA,0x60,0x9E,0xB8,0xA6,0xB6,0x7D,0x20,0xE9,0x83,0x72,0xE1,0xE9,0xB0,0x0E, - 0x0D,0x27,0xFB,0xD0,0x4C,0x81,0x88,0xAF,0x82,0x8F,0xB9,0x82,0xAD,0x1D,0x1B,0x54, - 0x11,0x84,0x16,0xFC,0x0B,0x53,0xB8,0xED,0x71,0xA2,0x6A,0xD9,0xC7,0x88,0xEE,0xD6, - 0x0C,0x5E,0xAD,0x2E,0x50,0xBA,0x56,0x12,0x95,0x5C,0x7F,0xF1,0x3B,0x48,0xB5,0x17, - 0x53,0xA9,0xC5,0x4C,0xD6,0x8C,0x39,0xCB,0x1A,0x5B,0xB6,0x4B,0x73,0x67,0x1E,0xB5, - 0x7D,0x13,0xAE,0x6B,0xD5,0xF4,0x59,0xE3,0xA1,0x4C,0x6A,0xEC,0xA5,0x27,0x07,0x9D, - 0x93,0x8F,0xF5,0xBB,0x50,0x28,0x00,0x05,0x25,0xCD,0xED,0xF7,0xA9,0x11,0x22,0x7E, - 0x92,0x4D,0xF5,0x7C,0x55,0xF4,0x1C,0x7A,0xA3,0xBC,0x24,0xC7,0xFB,0xED,0x6A,0x0A, - 0x1E,0xD5,0x9D,0x63,0xE0,0x2B,0x91,0x59,0x48,0xF2,0xF6,0xEB,0xF9,0xEB,0x9E,0x4D, - 0x3E,0xAE,0x44,0x9D,0xF9,0x93,0xB5,0x44,0xA1,0x36,0x3E,0x4E,0xC7,0xD9,0x47,0x83, - 0xCE,0xDD,0xA0,0x7C,0xA1,0xB4,0x75,0x1F,0xC8, +unsigned char Test_codesign[]={ + 0x30, 0x82, 0x03, 0xe3, 0x30, 0x82, 0x02, 0xcb, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x03, 0x01, 0xc8, 0x60, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x9d, 0x31, 0x24, 0x30, 0x22, + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1b, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x37, 0x38, 0x37, 0x35, 0x38, 0x30, 0x31, 0x20, + 0x28, 0x43, 0x6f, 0x64, 0x65, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x29, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, + 0x55, 0x04, 0x0a, 
0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x43, 0x6f, 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, + 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, + 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, + 0x34, 0x30, 0x34, 0x32, 0x32, 0x35, 0x35, 0x33, 0x32, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x32, 0x32, 0x32, + 0x35, 0x35, 0x33, 0x32, 0x5a, 0x30, 0x81, 0x9d, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1b, 0x54, + 0x65, 0x73, 0x74, 0x2d, 0x37, 0x38, 0x37, 0x35, 0x38, 0x30, 0x31, 0x20, 0x28, 0x43, 0x6f, 0x64, 0x65, 0x20, 0x53, 0x69, + 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x29, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, + 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x43, + 0x6f, 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, + 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 
0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb0, 0x78, + 0x41, 0xd5, 0xc0, 0x71, 0x1d, 0x02, 0xc8, 0x57, 0x46, 0xf8, 0xc4, 0x3c, 0x7c, 0xa2, 0x13, 0x45, 0x8a, 0x1b, 0xef, 0x16, + 0xa6, 0x6f, 0xfe, 0x97, 0xe4, 0x8b, 0x6a, 0x7b, 0x89, 0xd2, 0x50, 0xcb, 0x6b, 0xcc, 0x47, 0x32, 0x9a, 0xd3, 0xf4, 0x19, + 0x62, 0x70, 0xe6, 0x27, 0xc4, 0x13, 0x5a, 0x60, 0x20, 0x8c, 0xb1, 0xc4, 0xf1, 0x76, 0xcd, 0x06, 0xb3, 0x60, 0x78, 0x4d, + 0xb2, 0x30, 0xb1, 0x1c, 0x53, 0x36, 0x98, 0x44, 0x84, 0x35, 0x57, 0xe9, 0xbc, 0xb7, 0x2d, 0x17, 0xd7, 0x0c, 0xbc, 0x52, + 0x9e, 0xfd, 0xe5, 0x32, 0x2a, 0xad, 0x28, 0x36, 0x24, 0x81, 0x87, 0x56, 0xd2, 0x39, 0x66, 0x13, 0x9e, 0x26, 0x44, 0x32, + 0xa3, 0xa7, 0x8b, 0xe7, 0x33, 0x25, 0xa3, 0x8e, 0x25, 0x14, 0x91, 0xf4, 0x32, 0x1a, 0x97, 0x82, 0xd3, 0x5a, 0xb5, 0x68, + 0x24, 0x0c, 0x46, 0x89, 0x00, 0x6f, 0xfa, 0x27, 0x03, 0xc6, 0x0b, 0xa2, 0xf0, 0xad, 0xd2, 0xec, 0x35, 0xca, 0x1a, 0xc5, + 0x76, 0xd4, 0xb2, 0x48, 0x72, 0xf0, 0x34, 0x48, 0xd6, 0x8e, 0xae, 0x37, 0x35, 0x87, 0x60, 0x25, 0x16, 0x71, 0xda, 0x0c, + 0x71, 0xaa, 0x95, 0xc2, 0xe4, 0x09, 0x91, 0xd9, 0x38, 0x62, 0xee, 0x0c, 0x26, 0x34, 0x7b, 0x6b, 0xbb, 0xf8, 0x33, 0xa1, + 0x08, 0x71, 0xc1, 0x4a, 0x5f, 0x7d, 0x17, 0x31, 0x25, 0xb7, 0xbe, 0x66, 0xab, 0x28, 0x6e, 0x58, 0x3c, 0xd1, 0x5f, 0xbf, + 0x8f, 0x48, 0x6e, 0x42, 0x8f, 0x85, 0x1a, 0x9e, 0x6b, 0x79, 0xbf, 0x43, 0xd9, 0xeb, 0x20, 0xa8, 0x1e, 0xf6, 0xe4, 0xaa, + 0xdb, 0x62, 0x87, 0x02, 0x43, 0xd0, 0x75, 0xa4, 0x14, 0x1d, 0x33, 0x3e, 0x81, 0x5d, 0x7a, 0x7c, 0x4a, 0xdf, 0x3e, 0x79, + 0x70, 0xca, 0xf5, 0xb6, 0xd8, 0x6d, 0x8e, 0xc7, 0x7f, 0xc7, 0xa0, 0x72, 0x6e, 0x95, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, + 0x2a, 0x30, 0x28, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, + 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, + 0x07, 0x03, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 
0x82, + 0x01, 0x01, 0x00, 0x98, 0x03, 0xa7, 0x17, 0x66, 0x1a, 0xf3, 0x19, 0xd5, 0x7f, 0xac, 0x74, 0x8e, 0xa7, 0x43, 0x6a, 0x14, + 0xca, 0x5d, 0xa8, 0xf9, 0x8d, 0x22, 0x38, 0x48, 0x1c, 0x10, 0xd8, 0xe6, 0xfe, 0x0e, 0x8e, 0xd4, 0xb5, 0x8e, 0x89, 0xd9, + 0x95, 0x01, 0xba, 0x11, 0x4c, 0x7b, 0x7c, 0x64, 0x98, 0xd8, 0x4a, 0x11, 0x43, 0x0d, 0x71, 0xbd, 0x9f, 0xd9, 0x33, 0x84, + 0xa0, 0x3e, 0x9d, 0x6d, 0xa7, 0x72, 0xf0, 0x8d, 0x62, 0x9e, 0x45, 0xc2, 0x91, 0xfe, 0xbb, 0xbf, 0x08, 0x8b, 0x37, 0xd7, + 0x38, 0x71, 0x8f, 0x17, 0x2d, 0x98, 0x81, 0x16, 0x2d, 0xf6, 0x90, 0x6d, 0x57, 0x64, 0x6b, 0xa0, 0xbc, 0x02, 0xd8, 0xeb, + 0x63, 0x65, 0x1d, 0x1b, 0x20, 0xe7, 0x73, 0x8f, 0xe0, 0x82, 0x8d, 0x8f, 0xf6, 0x36, 0x08, 0x9d, 0xf3, 0xfd, 0x33, 0x4f, + 0xd2, 0xb0, 0x6d, 0xb8, 0x50, 0x02, 0x43, 0x2f, 0x90, 0x16, 0xe9, 0xb0, 0x1f, 0x9b, 0x2e, 0x70, 0x10, 0x89, 0xaa, 0xdc, + 0x18, 0xd7, 0xda, 0x3a, 0xce, 0xb8, 0x8f, 0xa4, 0x42, 0x4e, 0x50, 0x50, 0xa9, 0x19, 0x42, 0x0b, 0x07, 0x7c, 0x33, 0xe5, + 0x47, 0x40, 0x6a, 0x14, 0x02, 0x1f, 0x1e, 0xcf, 0x66, 0xb2, 0x76, 0x88, 0x0d, 0x49, 0x3a, 0xa5, 0xde, 0xfb, 0x99, 0xfa, + 0x70, 0xd4, 0x5e, 0xa1, 0x3e, 0x6d, 0x7f, 0x6b, 0x8c, 0x71, 0x79, 0x94, 0xb3, 0x1f, 0xcf, 0xdd, 0x9a, 0x31, 0xfd, 0x26, + 0x82, 0xa9, 0x94, 0x55, 0x87, 0x17, 0x33, 0xd0, 0x35, 0x3e, 0x80, 0x53, 0x8e, 0xb7, 0x18, 0x86, 0x5b, 0x8b, 0xee, 0x29, + 0xcf, 0xdf, 0x0e, 0x3f, 0x31, 0x9e, 0x29, 0x44, 0xa8, 0x99, 0xf7, 0xbe, 0x51, 0x3b, 0x53, 0xcd, 0x55, 0xfc, 0xb7, 0x6e, + 0x50, 0x21, 0xf2, 0xcc, 0x9c, 0x09, 0xe2, 0x6f, 0x4d, 0x15, 0x2f, 0x98, 0xa1, 0x04, 0xc0, 0xeb, 0x4c, 0x98, 0x93 }; +unsigned int Test_7875801__Code_Signing__cer_len = 999; -/* Test certificate for S/MIME policy (encrypt only, no sign) +/* Test certificate for S/MIME policy (encrypt only, no sign), expires April 2026 */ -unsigned char Test_smime_encryptonly[1060]={ - 0x30,0x82,0x04,0x20,0x30,0x82,0x03,0x08,0xA0,0x03,0x02,0x01,0x02,0x02,0x04,0x77, - 
0xCF,0x46,0x7D,0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, - 0x30,0x81,0xA5,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03,0x0C,0x19,0x54,0x65, - 0x73,0x74,0x2D,0x35,0x36,0x38,0x35,0x33,0x31,0x36,0x2D,0x49,0x4E,0x54,0x45,0x52, - 0x4D,0x45,0x44,0x49,0x41,0x54,0x45,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A, - 0x0C,0x05,0x41,0x70,0x70,0x6C,0x65,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0B, - 0x0C,0x0B,0x43,0x6F,0x72,0x65,0x20,0x43,0x72,0x79,0x70,0x74,0x6F,0x31,0x0B,0x30, - 0x09,0x06,0x03,0x55,0x04,0x08,0x0C,0x02,0x43,0x41,0x31,0x0B,0x30,0x09,0x06,0x03, - 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07, - 0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x2B,0x30,0x29,0x06, - 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,0x16,0x1C,0x73,0x65,0x63,0x75, - 0x72,0x69,0x74,0x79,0x2D,0x64,0x65,0x76,0x40,0x67,0x72,0x6F,0x75,0x70,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x1E,0x17,0x0D,0x31,0x30,0x30,0x37, - 0x32,0x37,0x32,0x30,0x35,0x39,0x35,0x38,0x5A,0x17,0x0D,0x31,0x32,0x30,0x37,0x32, - 0x37,0x32,0x30,0x35,0x39,0x35,0x38,0x5A,0x30,0x81,0xB2,0x31,0x21,0x30,0x1F,0x06, - 0x03,0x55,0x04,0x03,0x0C,0x18,0x54,0x65,0x73,0x74,0x2D,0x45,0x6E,0x63,0x72,0x79, - 0x70,0x74,0x69,0x6F,0x6E,0x20,0x28,0x53,0x2F,0x4D,0x49,0x4D,0x45,0x29,0x31,0x13, - 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, - 0x6E,0x63,0x2E,0x31,0x25,0x30,0x23,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1C,0x43,0x6F, - 0x72,0x65,0x20,0x4F,0x53,0x20,0x49,0x6E,0x66,0x6F,0x72,0x6D,0x61,0x74,0x69,0x6F, - 0x6E,0x20,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x31,0x0B,0x30,0x09,0x06,0x03, - 0x55,0x04,0x08,0x0C,0x02,0x43,0x41,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, - 0x13,0x02,0x55,0x53,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43, - 0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x23,0x30,0x21,0x06,0x09,0x2A,0x86, - 0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,0x16,0x14,0x73,0x6D,0x69,0x6D,0x65,0x2D,0x74, - 
0x65,0x73,0x74,0x40,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x82,0x01, - 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, - 0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xBB,0x8F, - 0xC3,0x01,0xD7,0x8A,0x62,0xE2,0xDD,0x26,0xE3,0x13,0x3E,0x61,0xC7,0x90,0xDE,0x98, - 0xCB,0x4A,0xC6,0x80,0xB3,0x36,0x99,0x8A,0xDE,0x6D,0xCF,0x60,0x7B,0x38,0x2E,0x86, - 0x0F,0x9E,0x9F,0xB0,0xCB,0x23,0xB1,0x52,0x0E,0x6E,0x70,0xD5,0x8D,0x56,0x32,0x36, - 0x35,0x7D,0x59,0x32,0xE6,0x3F,0x67,0x2F,0xC0,0x0F,0x2B,0x85,0x47,0x20,0x70,0x22, - 0xE5,0xB0,0x3C,0xF7,0xE3,0x4A,0x40,0xA5,0xB2,0x28,0xE5,0xB1,0x85,0x47,0x54,0x03, - 0xD1,0xB6,0x96,0x3E,0xDB,0x8D,0xD0,0x0E,0x5E,0x7A,0x65,0x2A,0x8A,0xBE,0xF7,0xB0, - 0x28,0x70,0x42,0x55,0x5A,0xAE,0xE6,0x58,0x91,0x20,0x5D,0x5B,0xFF,0x9B,0xF0,0x0C, - 0x49,0x94,0x55,0x68,0x46,0x34,0x2A,0xE4,0xA1,0x69,0x89,0xC8,0xB1,0xE7,0x07,0xB7, - 0xEC,0x2C,0x8A,0x65,0xF0,0xC6,0x51,0x3F,0x7C,0xC9,0x6F,0x42,0x71,0x15,0x30,0x9F, - 0xB5,0xA7,0xA5,0xD1,0xFE,0x2B,0x46,0x4F,0x3D,0xFD,0xCD,0xA8,0x1B,0x82,0x7B,0xA0, - 0x7B,0x9F,0x34,0x00,0xB7,0xC5,0x9F,0xCC,0x74,0xB4,0x35,0xC6,0x31,0x38,0x8D,0x91, - 0x79,0xE8,0xAF,0xCB,0xE4,0x17,0x78,0x11,0x7A,0x41,0xB1,0xF8,0x4D,0x2C,0xEE,0x7E, - 0x8D,0xEB,0x09,0x89,0xDC,0x74,0x2B,0xC1,0x25,0x57,0x3E,0x55,0x79,0x98,0x8B,0x5C, - 0xCF,0x05,0x38,0x69,0xF9,0x99,0x07,0x42,0x6D,0x99,0x1B,0x5E,0x89,0xBD,0xB6,0x4B, - 0x52,0x0F,0xDD,0xF9,0x67,0x53,0xDF,0xE2,0x25,0xBC,0x6C,0x72,0x19,0x6A,0x28,0xCE, - 0x6A,0xB4,0x22,0x93,0x20,0xDE,0xB6,0xF5,0x83,0x6A,0xC6,0x82,0x36,0x2B,0x02,0x03, - 0x01,0x00,0x01,0xA3,0x4B,0x30,0x49,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01, - 0xFF,0x04,0x04,0x03,0x02,0x05,0x20,0x30,0x16,0x06,0x03,0x55,0x1D,0x25,0x01,0x01, - 0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04,0x30, - 0x1F,0x06,0x03,0x55,0x1D,0x11,0x04,0x18,0x30,0x16,0x81,0x14,0x73,0x6D,0x69,0x6D, - 0x65,0x2D,0x74,0x65,0x73,0x74,0x40,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, - 
0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03, - 0x82,0x01,0x01,0x00,0x7D,0xB4,0x4B,0x4B,0xE1,0xB3,0x29,0x22,0x72,0x7E,0x66,0xEA, - 0x78,0x51,0xBB,0x38,0xA0,0x44,0x6E,0xAE,0xB7,0xFE,0x43,0x24,0x78,0xAE,0x93,0x3B, - 0xF0,0x2B,0xAB,0x31,0x61,0x9F,0x6E,0x1F,0x89,0x0F,0x2C,0xD0,0xC4,0x29,0xE0,0x1C, - 0x4C,0x7B,0x96,0x82,0x0D,0x29,0x08,0x1F,0xDE,0x35,0xA2,0x12,0x0D,0xB4,0xA0,0x5D, - 0xE4,0xE8,0x38,0xC3,0x5C,0x99,0xFD,0x2E,0xE9,0x3B,0xC7,0xFC,0x67,0x3D,0xBD,0x1E, - 0x46,0x3A,0xDD,0xFB,0x24,0xF0,0x83,0x77,0x4F,0xA0,0x63,0x40,0x58,0x28,0x3C,0x32, - 0x3B,0xEB,0x8B,0x20,0x29,0xFD,0x22,0x4A,0xEC,0x3C,0x78,0xE2,0xD5,0xD3,0x54,0x35, - 0x8F,0x4D,0x48,0x61,0x2E,0xB6,0xC1,0xE5,0x3A,0x95,0xCD,0xBF,0x73,0xA2,0x1A,0x15, - 0xC3,0x24,0x0F,0xDB,0x86,0x08,0x55,0x01,0xBC,0x8C,0x4F,0x83,0x4E,0x90,0x55,0x84, - 0xF8,0x82,0xB1,0x1E,0x9F,0x70,0xD3,0xE8,0xE8,0xD3,0xDB,0x97,0xE0,0x66,0xAA,0x54, - 0x58,0x32,0x16,0x56,0xA3,0xF3,0x9B,0xCE,0xC4,0xA3,0x65,0x66,0x71,0xFD,0x20,0x87, - 0x3A,0x34,0x74,0xAB,0x6B,0x26,0xB8,0x18,0x8A,0x77,0xFF,0x77,0x21,0x6A,0xF0,0x38, - 0x12,0x74,0x45,0x1F,0x67,0x3D,0xBD,0xDF,0xBF,0x32,0x82,0x8E,0x4D,0xC5,0x3D,0x59, - 0x07,0xCD,0x1A,0x05,0xB6,0x96,0xD7,0x95,0xDB,0x44,0x81,0x59,0xD7,0x2A,0x88,0x0D, - 0x3C,0xD8,0xD5,0x2B,0x92,0xA8,0xC1,0x8D,0xDE,0x60,0x6F,0x98,0xE4,0x3C,0xB8,0xEC, - 0x52,0x2A,0x56,0x6E,0xF1,0x76,0x56,0x64,0x3D,0xD9,0x09,0xB9,0x4B,0x73,0xEF,0x11, - 0x78,0xFB,0xA6,0x9A, +unsigned char Test_smime_encryptonly[]={ + 0x30, 0x82, 0x04, 0x07, 0x30, 0x82, 0x02, 0xef, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x02, 0xb8, 0x95, 0x23, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x9e, 0x31, 0x21, 0x30, + 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x53, 0x2f, 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 
0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x43, 0x6f, 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, + 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x23, + 0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x14, 0x73, 0x6d, 0x69, 0x6d, 0x65, + 0x2d, 0x74, 0x65, 0x73, 0x74, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, + 0x36, 0x30, 0x34, 0x30, 0x34, 0x32, 0x32, 0x32, 0x32, 0x33, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x32, + 0x32, 0x32, 0x32, 0x32, 0x33, 0x36, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x18, 0x54, 0x65, 0x73, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x53, 0x2f, + 0x4d, 0x49, 0x4d, 0x45, 0x29, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, + 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x07, 0x43, 0x6f, + 0x72, 0x65, 0x20, 0x4f, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, + 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x14, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 
0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, + 0x00, 0xc6, 0x5a, 0xe9, 0x94, 0x4a, 0x9e, 0x4d, 0x47, 0xa3, 0x9d, 0x06, 0xb3, 0xd5, 0x05, 0xad, 0x05, 0x71, 0xaf, 0x93, + 0x42, 0x9d, 0x02, 0x58, 0x33, 0x30, 0xee, 0xcb, 0xe4, 0x96, 0x24, 0x4b, 0x35, 0x0b, 0x6a, 0x58, 0xd0, 0xe7, 0x13, 0x5b, + 0xd5, 0xd3, 0xa1, 0x99, 0x55, 0xff, 0xe9, 0x3b, 0xe7, 0x20, 0x4e, 0x9e, 0x6b, 0xcd, 0x86, 0x47, 0xd7, 0xf6, 0x67, 0xc2, + 0xde, 0x51, 0xbc, 0x58, 0xd8, 0xc8, 0xe1, 0xb6, 0x42, 0xc5, 0xe9, 0x9e, 0x65, 0x3a, 0x04, 0xab, 0x47, 0x1b, 0xc8, 0xfe, + 0xb6, 0xb2, 0x47, 0x03, 0xc4, 0xa4, 0xb8, 0xaf, 0x31, 0xe7, 0x10, 0x7b, 0x4a, 0x4b, 0x29, 0x09, 0x91, 0xc2, 0xd2, 0x1f, + 0x42, 0x9a, 0x77, 0xc2, 0x08, 0x98, 0x53, 0x32, 0x8f, 0x8c, 0xa7, 0x06, 0xa5, 0x05, 0x9e, 0xeb, 0xc9, 0x5b, 0x7a, 0x5c, + 0xb3, 0xd7, 0x91, 0x6f, 0xea, 0xa1, 0x4f, 0x93, 0x9b, 0xa6, 0xf5, 0xdb, 0x32, 0x3b, 0x71, 0xfd, 0x07, 0xa4, 0x30, 0x30, + 0x35, 0xfa, 0x6c, 0x77, 0x76, 0x98, 0x99, 0x3a, 0x19, 0xcd, 0x7c, 0x5d, 0xc5, 0x70, 0x86, 0xaf, 0xf9, 0x9e, 0xa1, 0x45, + 0x5e, 0x6d, 0x03, 0x63, 0x3b, 0x4a, 0xcc, 0x14, 0xda, 0x75, 0xc2, 0xf1, 0x8f, 0x51, 0xd3, 0x80, 0x5f, 0xf7, 0x52, 0xd0, + 0x04, 0x1b, 0x37, 0x6e, 0x3a, 0xfe, 0xcc, 0x5d, 0xba, 0xbe, 0x0f, 0x1a, 0xd8, 0x31, 0xd4, 0x7b, 0xf2, 0x20, 0x22, 0x56, + 0xd1, 0x84, 0x8f, 0x12, 0x4a, 0x81, 0xa5, 0xeb, 0x7f, 0x8b, 0x4b, 0x21, 0x02, 0xeb, 0xb4, 0x6e, 0xb6, 0x3c, 0x3c, 0x15, + 0x09, 0xa4, 0x79, 0x7c, 0x3e, 0x45, 0xf3, 0xe7, 0x84, 0x10, 0xc9, 0x45, 0x86, 0xd5, 0xda, 0x9e, 0xdf, 0x7d, 0x05, 0xcc, + 0xdf, 0x1a, 0x30, 0x8f, 0xea, 0x57, 0x9a, 0x72, 0xb0, 0x58, 0x95, 0x6b, 0x9e, 0xe8, 0x94, 0xf2, 0x8d, 0x02, 0x03, 0x01, + 0x00, 0x01, 0xa3, 0x4b, 0x30, 0x49, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, + 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x18, 0x30, 0x16, 0x81, 0x14, 0x73, + 0x6d, 
0x69, 0x6d, 0x65, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x79, + 0xc0, 0x92, 0xf8, 0xfd, 0xac, 0x3f, 0x21, 0x3a, 0x1b, 0x7c, 0x2b, 0xc9, 0x0a, 0x62, 0xb6, 0xe2, 0x1d, 0x3b, 0x67, 0x4b, + 0x4b, 0xf8, 0xe8, 0xbe, 0xd8, 0x8e, 0x71, 0x07, 0x4a, 0x6e, 0xbd, 0x07, 0xc8, 0xd0, 0x86, 0x9c, 0xdb, 0xd5, 0x43, 0x23, + 0xc3, 0x56, 0x03, 0x45, 0xa6, 0xab, 0xf8, 0xba, 0xc2, 0xba, 0xd8, 0x78, 0x33, 0x49, 0xaa, 0x82, 0xb4, 0x0c, 0x6c, 0x9b, + 0x4c, 0x5b, 0x9d, 0x4f, 0xb5, 0xd8, 0xd9, 0x0f, 0x33, 0x21, 0x27, 0x8c, 0x99, 0xa0, 0xb6, 0xe0, 0xfb, 0x40, 0x4e, 0x88, + 0x36, 0x91, 0x42, 0x3f, 0xcc, 0x52, 0x3f, 0x39, 0x82, 0x3d, 0xbd, 0x43, 0x45, 0xf4, 0x1c, 0x17, 0x4c, 0x29, 0x63, 0x5d, + 0x12, 0xdd, 0x16, 0x8a, 0xa3, 0x6a, 0x81, 0x21, 0xbc, 0x55, 0x10, 0xfa, 0x88, 0x95, 0x80, 0x5d, 0x6a, 0xeb, 0x96, 0x54, + 0x37, 0x94, 0x07, 0x28, 0x06, 0x0f, 0x62, 0x7e, 0x6f, 0x3d, 0x9e, 0xe7, 0x1d, 0x0e, 0x35, 0xb5, 0x89, 0x07, 0x04, 0xd6, + 0x70, 0x69, 0x43, 0x8b, 0x44, 0xdb, 0xb5, 0x0b, 0xc8, 0x80, 0xc5, 0xe9, 0x8f, 0xe4, 0xa7, 0x75, 0x32, 0xa6, 0x47, 0xdc, + 0xc9, 0x68, 0x26, 0x85, 0x96, 0x8c, 0x15, 0x47, 0xe0, 0x4f, 0x13, 0x81, 0x97, 0xae, 0x7c, 0xc5, 0x1c, 0xda, 0x22, 0xef, + 0x39, 0xef, 0xe8, 0x8f, 0xbb, 0x33, 0xd3, 0x40, 0x12, 0x45, 0xcd, 0x05, 0x81, 0x39, 0xdc, 0x88, 0x9f, 0xd2, 0x3e, 0x20, + 0xe5, 0xec, 0xf9, 0x39, 0xc5, 0x55, 0xeb, 0x97, 0x7f, 0x67, 0x36, 0x80, 0xfa, 0x2a, 0xe1, 0xf4, 0x36, 0x03, 0xe5, 0xe2, + 0xa8, 0x75, 0x0e, 0x58, 0x21, 0xdf, 0x86, 0x38, 0x49, 0x19, 0x6f, 0x00, 0x3b, 0x8c, 0x57, 0x8c, 0xa7, 0x60, 0xf8, 0xda, + 0x01, 0xbc, 0xbc, 0xe5, 0x77, 0x81, 0xeb, 0xda, 0xd6, 0xd6, 0x6e, 0xa4, 0x1a, 0x09, 0x3c }; +unsigned int Test_Encryption__S_MIME__cer_len = 1035; /* Test identity for S/MIME policy (sign only, no encrypt) */ -unsigned char Test_smime_signonly_p12[2761] = { - 
0x30,0x82,0x0a,0xc5,0x02,0x01,0x03,0x30,0x82,0x0a,0x8c,0x06,0x09,0x2a,0x86,0x48, - 0x86,0xf7,0x0d,0x01,0x07,0x01,0xa0,0x82,0x0a,0x7d,0x04,0x82,0x0a,0x79,0x30,0x82, - 0x0a,0x75,0x30,0x82,0x04,0xef,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07, - 0x06,0xa0,0x82,0x04,0xe0,0x30,0x82,0x04,0xdc,0x02,0x01,0x00,0x30,0x82,0x04,0xd5, - 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01,0x30,0x1c,0x06,0x0a,0x2a, - 0x86,0x48,0x86,0xf7,0x0d,0x01,0x0c,0x01,0x06,0x30,0x0e,0x04,0x08,0x03,0x00,0x56, - 0xda,0x33,0x28,0xb6,0xbc,0x02,0x02,0x08,0x00,0x80,0x82,0x04,0xa8,0x36,0xa9,0x2d, - 0xab,0xcc,0x17,0x76,0x6e,0x1c,0xf2,0x82,0xb1,0xc1,0xac,0x19,0xbe,0xb3,0x71,0x4f, - 0x1a,0xe6,0x0f,0x2d,0x7e,0xd4,0x66,0x0a,0x70,0x85,0x41,0xa5,0x92,0x06,0x02,0x71, - 0x0f,0x7a,0xed,0xef,0x52,0x96,0xd2,0x67,0xf4,0xa8,0x5b,0xde,0x6e,0xc6,0xdc,0xc6, - 0xe8,0x6e,0x86,0x11,0x94,0x60,0x0d,0xa1,0x24,0x57,0x1f,0x51,0xd8,0x7d,0x28,0xf9, - 0x10,0xcb,0x68,0x1b,0x32,0xe4,0xa3,0x60,0x7c,0xb2,0x2b,0x33,0x4e,0x23,0xec,0x60, - 0x4c,0xe0,0x1a,0x39,0x03,0x60,0xb7,0x09,0x4d,0xb7,0x8c,0x94,0x91,0x44,0xa7,0xc7, - 0x3b,0xd7,0xc5,0xc5,0x0f,0x4a,0x54,0xe5,0xee,0x41,0xd5,0x32,0xf2,0xfc,0x7a,0x4d, - 0x68,0x5d,0xfc,0xe9,0xab,0xa0,0x74,0xb9,0x6f,0x68,0xc4,0x68,0xa1,0x91,0x5d,0x74, - 0x2b,0x06,0xfc,0xa7,0x93,0x2c,0xc3,0x8e,0xaf,0x12,0x84,0x09,0x1f,0xa8,0xd7,0xb3, - 0xf2,0x13,0x33,0xdf,0xd2,0xa5,0x34,0xa5,0x08,0x73,0xea,0x8f,0xc3,0x88,0xd4,0xa1, - 0xce,0xa9,0x56,0xc4,0x4f,0xc9,0x48,0xfb,0x84,0x26,0x16,0xc8,0x1a,0x15,0x6d,0x10, - 0x8e,0x4e,0x85,0xfc,0x8b,0xb7,0xfc,0x69,0x6a,0x79,0xc0,0xff,0xed,0xfd,0x7b,0x0b, - 0x7f,0x5b,0x8d,0x89,0x4e,0xb6,0x25,0x0e,0x04,0x42,0xdb,0x15,0x7b,0xbc,0x7b,0x75, - 0x91,0x12,0x7c,0x0f,0x22,0xfd,0xd4,0x4d,0x3c,0x9c,0x6c,0x10,0x40,0x9e,0x3e,0x0b, - 0xfd,0x2e,0x2d,0x23,0x27,0x96,0x86,0x85,0x44,0xdd,0xc4,0x44,0xbf,0x74,0x09,0x2f, - 0x90,0x48,0x3d,0x8a,0x05,0xbe,0x44,0xe5,0x75,0x1f,0x4e,0xbc,0x91,0xfd,0xf5,0x1a, - 0xde,0xd4,0x99,0xf4,0xbe,0x2f,0x28,0xbf,0x47,0x49,0x90,0xb5,0xea,0xd6,0x48,0xcb, - 
0x7b,0xde,0xea,0x3d,0x07,0x8d,0xf4,0x7c,0xd7,0x4d,0xcb,0xc1,0xcb,0xa3,0x30,0x2f, - 0x7c,0x59,0x09,0xad,0xb3,0x27,0x66,0x2a,0x87,0x51,0xd7,0x7b,0xbb,0xb1,0x6d,0x4e, - 0x0e,0x1a,0x6a,0x7a,0xf8,0x31,0x99,0xa8,0x1c,0x06,0x1a,0x4e,0x83,0xa8,0xac,0xaf, - 0x72,0xdb,0x89,0x1b,0xe1,0x9d,0x52,0x22,0x94,0xaf,0x6a,0xe0,0x5c,0x60,0xd5,0xf2, - 0x6a,0xde,0x1f,0x51,0xb0,0x19,0x13,0xff,0xb9,0xfe,0x15,0xeb,0x4a,0x5c,0x44,0xe6, - 0xbd,0x3d,0xbd,0xdc,0xb2,0xa8,0x96,0xa2,0x05,0x7e,0xdc,0x39,0x15,0x7a,0xc9,0xdc, - 0xb3,0x2b,0xa2,0x1c,0xe1,0x78,0xfb,0x5b,0x12,0x35,0xc2,0x05,0xed,0x59,0xa2,0xf1, - 0x8d,0x5b,0xe2,0xf8,0x95,0xc7,0xdd,0x20,0xf9,0xcc,0xfd,0x43,0xbe,0x03,0x0f,0xdb, - 0xa1,0x21,0x7b,0x86,0x0e,0x0b,0x26,0xbd,0x38,0x10,0x62,0xbc,0x5c,0x43,0x48,0x6f, - 0xbc,0x6c,0x68,0x83,0xd4,0x54,0x5b,0x80,0x25,0x13,0x69,0x18,0xce,0x8e,0xe9,0x3f, - 0xfb,0x81,0x51,0x92,0x19,0x3f,0x4b,0x41,0x53,0x39,0x3e,0xa2,0xef,0x90,0x59,0x5c, - 0x30,0x22,0x36,0xed,0x78,0x78,0xc5,0x70,0x9c,0x8b,0x96,0x8d,0xe8,0x7a,0x9b,0x27, - 0xdc,0x9b,0x4f,0x2b,0x30,0x86,0x27,0x95,0x70,0x8f,0xc0,0xd5,0xd4,0x79,0x9f,0x0f, - 0x38,0x49,0x1d,0xe9,0x76,0xcf,0x6c,0x34,0x06,0xc0,0xfa,0xa0,0xab,0x41,0x1c,0x26, - 0x04,0x18,0x0f,0xa8,0x45,0xf5,0xdc,0x82,0x5d,0x8a,0xe6,0x2b,0x84,0xe9,0xaa,0xa2, - 0xbd,0xf4,0xc6,0x94,0xa6,0xbb,0x6f,0x35,0x3c,0x5f,0x9a,0x45,0xd3,0x3e,0x6b,0x75, - 0x54,0x10,0x5a,0x6f,0x0c,0x26,0xe7,0xb1,0x92,0x6c,0x93,0xf1,0xce,0x02,0x97,0xbe, - 0xf8,0x76,0xbc,0x9b,0xff,0x09,0xe2,0x8a,0x62,0xdc,0x19,0xfa,0x33,0x94,0x07,0x4b, - 0x7d,0x62,0xe3,0xca,0xc6,0x1e,0xc4,0x18,0xd7,0xa8,0xbb,0x79,0xd1,0x4e,0x2e,0x37, - 0xa4,0x02,0x06,0x80,0xa4,0xed,0xbf,0x3e,0x8b,0xc7,0xcd,0xf2,0xa5,0x8f,0x68,0x1e, - 0xb2,0x72,0xc2,0xa2,0xa7,0x8d,0x03,0x51,0x0f,0xe2,0x7a,0x04,0x03,0x83,0x2f,0x71, - 0x16,0x85,0x7e,0xf3,0x29,0xc7,0x31,0x27,0x24,0xae,0x8b,0x08,0xe7,0x6b,0x7d,0x5f, - 0x27,0xdd,0xdb,0x28,0x63,0x65,0xbb,0x2a,0x6e,0x63,0xc4,0xa4,0x90,0x36,0x8e,0xc4, - 0x8b,0x55,0x6f,0x99,0x4f,0xf3,0x63,0xef,0xc7,0x3a,0xd5,0x55,0xf3,0x98,0xaa,0x9c, - 
0x20,0x9d,0x9b,0x07,0x44,0x92,0x27,0x2c,0xc5,0x22,0x78,0x85,0x66,0x71,0xd5,0x0f, - 0xea,0xa7,0xdc,0x0c,0xad,0x07,0x2a,0xa5,0x34,0xca,0xbc,0x8e,0xff,0xfd,0x0b,0xb0, - 0x9d,0x21,0x16,0x9d,0xfa,0x21,0xaf,0xec,0x25,0x6a,0xd7,0x7d,0xff,0xe6,0x73,0xe3, - 0x6c,0x4e,0x9c,0xe0,0xeb,0x0c,0x56,0x32,0xa9,0xbb,0x48,0xe5,0xa7,0x4b,0x59,0x1d, - 0x70,0x31,0xf2,0x79,0x88,0x50,0xc4,0x59,0x01,0x3c,0xc2,0x61,0xbe,0xe7,0xbc,0xc0, - 0x6f,0xb4,0x27,0x90,0xcd,0x4f,0x44,0x60,0x9f,0x02,0x5a,0x68,0x81,0xb6,0x6f,0x78, - 0x10,0xd3,0x3e,0xb3,0xb4,0xc5,0x6f,0xa6,0x3e,0x77,0x30,0x29,0xd7,0xa7,0xda,0x5f, - 0xb4,0x3e,0x3f,0xf9,0xb3,0x04,0xd8,0xe5,0x75,0xc5,0x1e,0xcf,0xa6,0x85,0x4c,0x57, - 0xf6,0xbb,0x8f,0xda,0x80,0x02,0x4b,0x79,0x0f,0x94,0xed,0x98,0xdb,0x64,0x8d,0x8f, - 0x8e,0x90,0x5b,0x31,0x80,0x1b,0x50,0x8b,0x99,0x7b,0x23,0x94,0xf2,0x1e,0x8e,0xe6, - 0xce,0x7f,0x2f,0x16,0x64,0x7f,0xdb,0x16,0x08,0x97,0x78,0x5c,0x4d,0xef,0x9c,0x63, - 0x0f,0x37,0x14,0x58,0x68,0x57,0x29,0x42,0xd3,0x4d,0x97,0x62,0xe8,0x08,0xe4,0x60, - 0x87,0x07,0x73,0x11,0x21,0x5e,0x8c,0x97,0x78,0xdb,0x2f,0x81,0xb3,0xa0,0xfd,0x17, - 0x0b,0xf0,0x29,0x88,0x1a,0x39,0xec,0x0c,0xfb,0x30,0x0d,0x0a,0x9a,0x60,0xe2,0xaf, - 0xf9,0xb3,0x9c,0xdd,0xa6,0x2e,0x7c,0x90,0xf7,0x31,0x3c,0x35,0xe8,0x2f,0xdd,0x54, - 0xdf,0x45,0x54,0xcf,0xdd,0xfc,0xf6,0x36,0x3f,0x36,0x8a,0x23,0x60,0xd0,0x4b,0xe2, - 0x0b,0xb5,0x90,0xc4,0xbe,0xaf,0xa1,0xd6,0xc2,0x69,0x0a,0x5b,0x74,0xae,0xa5,0xb3, - 0x12,0xaf,0x06,0x98,0xfe,0xc3,0x52,0xbb,0xf0,0xde,0x67,0xd4,0x8d,0x2a,0xf4,0x35, - 0x71,0xaf,0x5e,0x24,0xc4,0x2a,0x48,0xa6,0x42,0x32,0x10,0xb0,0x09,0x74,0x83,0x9e, - 0x3c,0x50,0x15,0x74,0xeb,0x2e,0x29,0x64,0x3e,0xe5,0x6e,0x13,0xc0,0x5b,0x9b,0x5b, - 0x1f,0x8f,0xe5,0x49,0x25,0x36,0x57,0x90,0x81,0xce,0x27,0xf4,0x8d,0x42,0x5d,0x04, - 0x2c,0x44,0x7a,0xeb,0xe0,0x10,0x4e,0xba,0x21,0xf3,0x1d,0xdf,0xb0,0xe4,0x56,0xf9, - 0x5a,0xbe,0xfe,0x1a,0x6d,0xeb,0x2d,0xe2,0x93,0x5f,0xa1,0x74,0x86,0x0c,0x64,0x68, - 0xf4,0x67,0xf3,0xe0,0xfa,0xe6,0x9d,0x6a,0xfe,0xb6,0x5f,0x58,0x2d,0xa7,0x77,0x07, - 
0x58,0xc8,0x79,0x51,0xa5,0x8e,0xbd,0x4c,0x61,0x80,0x9d,0x91,0xda,0x32,0xee,0x09, - 0x02,0xca,0x14,0xf8,0xfa,0x08,0xf3,0x4a,0xf5,0x6a,0x50,0xcd,0x98,0x21,0xbd,0xb4, - 0x5e,0x4c,0x20,0x8f,0x0a,0x94,0xd0,0x6c,0x96,0xf1,0xa2,0xff,0xf6,0x1f,0x15,0xd5, - 0x1d,0x64,0x92,0x82,0xaf,0x01,0xca,0xa0,0x38,0xe9,0x80,0xea,0xe9,0xb3,0xdf,0xed, - 0xa8,0x03,0x31,0x5e,0x05,0x12,0xcd,0x29,0x33,0x59,0xf9,0xf2,0xbc,0x7f,0x05,0x86, - 0x9e,0x96,0xc4,0x52,0x2d,0x1f,0x1e,0x29,0x05,0x68,0xde,0xf1,0x3c,0x2d,0x65,0x97, - 0x7c,0xde,0x28,0x88,0xab,0xd3,0x12,0x5e,0x3d,0x15,0x45,0xc3,0x05,0x47,0x13,0x03, - 0x65,0xad,0x49,0x5f,0x8a,0x15,0xf5,0x27,0xc1,0x13,0xa5,0x16,0x85,0x13,0x11,0xf6, - 0x71,0x03,0x2c,0xaf,0xce,0xc4,0x36,0x17,0x0b,0xfd,0x4a,0x4c,0xce,0x9e,0x0d,0xcc, - 0xa5,0xa3,0x30,0xce,0x61,0x30,0x82,0x05,0x7e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7, - 0x0d,0x01,0x07,0x01,0xa0,0x82,0x05,0x6f,0x04,0x82,0x05,0x6b,0x30,0x82,0x05,0x67, - 0x30,0x82,0x05,0x63,0x06,0x0b,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x0c,0x0a,0x01, - 0x02,0xa0,0x82,0x04,0xee,0x30,0x82,0x04,0xea,0x30,0x1c,0x06,0x0a,0x2a,0x86,0x48, - 0x86,0xf7,0x0d,0x01,0x0c,0x01,0x03,0x30,0x0e,0x04,0x08,0xb1,0xca,0xab,0x81,0x75, - 0x32,0xf4,0x2c,0x02,0x02,0x08,0x00,0x04,0x82,0x04,0xc8,0xc8,0xe4,0x07,0x32,0x15, - 0x32,0xb1,0xce,0xca,0xa4,0x03,0x84,0x91,0xbc,0x74,0x45,0x63,0x46,0xa8,0x20,0xcf, - 0xa2,0x2d,0x0e,0xfb,0xf7,0xfa,0x3d,0xad,0x72,0xa4,0x97,0xc9,0x14,0xb9,0x55,0x00, - 0x5e,0xb6,0x17,0xf9,0xba,0xe4,0xf4,0x4b,0x36,0x31,0xbb,0xfc,0x4a,0xb3,0xfe,0xd7, - 0xf5,0xd0,0xe8,0x63,0x43,0x6b,0x7e,0xfe,0xcc,0xa8,0x2f,0x8a,0x8a,0xf3,0xfb,0x23, - 0x0c,0xed,0x03,0x20,0x66,0xe2,0x90,0x9b,0x68,0x71,0xfb,0x44,0x68,0xe5,0x87,0x97, - 0x0a,0x97,0x63,0x53,0x3c,0x07,0x86,0x63,0xb2,0x0f,0x8e,0xe8,0xb5,0x0a,0x0c,0xe2, - 0x12,0x6d,0x33,0xa1,0xa5,0xc5,0xc4,0xab,0xf7,0x23,0x35,0x53,0x69,0xc1,0x37,0x28, - 0x86,0x42,0xa1,0x9c,0xe4,0xf5,0x2e,0x8c,0x92,0x1a,0xeb,0x67,0x10,0xcb,0x24,0xb5, - 0xd6,0x75,0x33,0x7a,0x5f,0x20,0x8f,0x1e,0x13,0x4c,0x4c,0xa1,0x53,0x87,0x8c,0xad, - 
0x04,0x28,0xe0,0x21,0x65,0xf0,0x1b,0x62,0x15,0x95,0x36,0xd1,0x21,0xe1,0x50,0x0d, - 0xe4,0xed,0x07,0x8d,0x37,0xd3,0x06,0x2d,0x88,0x46,0x0f,0x54,0x16,0x19,0xac,0xc7, - 0x0b,0xcf,0x83,0xe9,0x49,0xbc,0x9e,0x7f,0x38,0xed,0xe4,0xf1,0x84,0x6a,0x0e,0xd1, - 0x92,0x39,0x61,0x36,0xa3,0x12,0xfc,0x31,0x4c,0xde,0x9d,0xcf,0xa0,0x90,0xd0,0x17, - 0x29,0x51,0x93,0x04,0xb1,0xe9,0xab,0x5e,0x5d,0x9e,0x2f,0x99,0xe9,0x53,0x95,0x27, - 0x39,0x5a,0x48,0x64,0x56,0x7b,0x97,0x9e,0x5d,0xf0,0xc9,0xd5,0x6b,0x57,0x0e,0xdc, - 0x69,0x7f,0x2d,0x6e,0xd7,0x3a,0xd8,0x31,0xcb,0x14,0xf4,0x3b,0x33,0xaf,0x62,0x95, - 0xbe,0x6b,0xe9,0xd7,0x2a,0x17,0x6c,0x9d,0x65,0x6c,0x2a,0xf5,0x38,0x39,0x95,0x8c, - 0xc6,0x97,0xc9,0xa1,0xe8,0x07,0x09,0x62,0x71,0x92,0xc2,0x4f,0xb1,0x25,0x83,0x90, - 0x44,0x54,0xcd,0x5c,0x3d,0x7b,0x0f,0xf1,0xdf,0x00,0xe2,0x4a,0x0e,0xd4,0xfe,0xa8, - 0x3e,0x81,0x4e,0x6c,0x92,0x49,0xa0,0x49,0xc4,0x3a,0x80,0x78,0x1d,0xb2,0x43,0xbd, - 0x21,0x5a,0xe0,0xbd,0x99,0xe0,0x77,0xd1,0xe6,0x2d,0x73,0xd4,0x4b,0xa9,0x07,0xcc, - 0xbd,0x12,0xa2,0x06,0x08,0x60,0xbd,0x99,0xfd,0x9f,0xcc,0x23,0x6f,0xd2,0xd0,0xdf, - 0xbe,0x63,0xef,0xe9,0x15,0x24,0x54,0x55,0x73,0x85,0x9e,0x26,0x62,0xd8,0xc1,0x14, - 0xce,0xcc,0x3b,0xf6,0x87,0x68,0xfa,0x3d,0x6e,0xb1,0x1c,0x5e,0x4e,0x05,0xe4,0xbc, - 0x95,0x1b,0xb4,0xd5,0xa1,0xfb,0xe2,0x25,0x48,0xe9,0x63,0x36,0xdf,0x33,0x8e,0xed, - 0x1d,0xdf,0x63,0x1a,0xfd,0xb6,0xc9,0x09,0x3a,0xc2,0x9f,0x1d,0xd4,0x45,0x00,0x2a, - 0x86,0x09,0x9c,0x30,0x4e,0xc0,0x81,0x9c,0x30,0x14,0x6b,0x4c,0x52,0xfd,0xca,0x36, - 0xef,0x99,0x2e,0xd1,0x86,0xc0,0xdf,0x9d,0x6a,0xb5,0xfa,0xa3,0x12,0xe0,0x5f,0x73, - 0xb4,0xfd,0xd7,0x59,0x23,0x6d,0xa8,0x77,0x8f,0x65,0x4a,0x65,0x46,0x5e,0x56,0xe0, - 0x23,0xbb,0xc5,0x38,0xff,0xf0,0x4a,0x2e,0xab,0x20,0x75,0x02,0xc5,0x85,0x7e,0x6b, - 0x3f,0xa4,0x00,0xf5,0x39,0x88,0xd1,0x9c,0xc9,0xe9,0x77,0xeb,0x8d,0xce,0x2e,0x74, - 0x5c,0xb9,0x6c,0xb0,0x6d,0x9e,0x5f,0x7b,0x93,0x7b,0x22,0x0e,0xb3,0x55,0x65,0xca, - 0x64,0xec,0xc0,0xa5,0xff,0x19,0x0a,0x2d,0x1c,0xc9,0xd3,0xe3,0xb6,0x18,0xe3,0x8c, - 
0x83,0xd8,0x43,0x01,0xf8,0x6e,0x64,0x07,0xb9,0xac,0x20,0x29,0xeb,0x36,0xf5,0x04, - 0xd8,0x41,0xeb,0x8d,0x23,0x39,0x21,0x83,0xb6,0x82,0xbd,0x18,0xac,0xc6,0xb7,0x5b, - 0xf7,0x4d,0x80,0x7a,0xf6,0xdc,0x40,0x04,0x9c,0xec,0xb2,0xea,0xd6,0xf1,0x5d,0xa4, - 0x62,0x43,0x05,0x0b,0xba,0x29,0x36,0xeb,0xbd,0x23,0xb6,0x02,0xf6,0x62,0x4e,0xf3, - 0xff,0xee,0x3d,0x92,0xbe,0x65,0xc0,0x4a,0xb1,0x60,0x60,0x46,0x23,0x85,0x67,0x71, - 0xe4,0x25,0x6b,0x58,0xdc,0x91,0x4c,0x05,0x54,0xfa,0x4b,0xa5,0x60,0x82,0x3e,0xa2, - 0x4f,0x3e,0xc7,0xe5,0xf0,0x2b,0xa6,0x9d,0x55,0xdc,0x98,0x46,0xd7,0xec,0x3e,0x47, - 0x5b,0x4c,0x02,0x46,0x9c,0x2d,0x25,0x6d,0x55,0x25,0xfc,0x67,0xc2,0xe9,0xbf,0xa1, - 0xb0,0x5b,0x97,0xf8,0x4f,0xae,0xdf,0xab,0x50,0xa0,0x0b,0x5b,0xc8,0x78,0xcc,0xcd, - 0x50,0x55,0xc6,0x46,0x21,0x01,0x7e,0xac,0x38,0xe2,0x10,0x34,0x0b,0x22,0x64,0xa7, - 0xa5,0xe4,0x7f,0x60,0x51,0x75,0xdf,0x32,0x87,0xd4,0xa6,0x06,0x4f,0x8c,0x60,0x15, - 0xd0,0x1f,0xc1,0xbb,0xa4,0xca,0x4a,0xac,0x80,0xf1,0x7f,0x3a,0xfc,0x4a,0xe7,0x4e, - 0xb8,0xc2,0xdb,0x84,0xd8,0x5c,0xeb,0x44,0x23,0xec,0x9e,0x92,0x72,0xb7,0x45,0x02, - 0xee,0x52,0x08,0x47,0xb6,0x09,0x5d,0xdc,0xe5,0x26,0xae,0x61,0x42,0x77,0x13,0x85, - 0xa2,0x4f,0xf0,0xb0,0x46,0x88,0x2a,0x3c,0x09,0x98,0x89,0xe3,0xf1,0x69,0x89,0x0a, - 0x76,0xd9,0x8e,0x7e,0x0c,0xd7,0xcc,0x16,0xda,0xfd,0xfb,0x96,0x2b,0xd7,0xe2,0x8d, - 0x54,0x3f,0x75,0x2f,0x66,0x6b,0x72,0x8f,0xbd,0x5c,0x3c,0x05,0xa7,0xe4,0x11,0x06, - 0xcf,0x4a,0xd6,0x32,0x95,0x42,0x71,0xc6,0x2b,0xf9,0x8b,0xe6,0xda,0x0c,0x37,0xa8, - 0xed,0x7b,0x71,0x9a,0xea,0x8e,0xa1,0xbd,0x27,0x8f,0x45,0x00,0x48,0x40,0xba,0xf4, - 0x41,0x0e,0xb6,0x98,0x88,0xed,0xc7,0x3d,0xbd,0x59,0x52,0xc4,0xeb,0xbc,0xb8,0x0b, - 0x22,0x5e,0x68,0x79,0xc9,0x71,0x3d,0xd7,0x31,0x4c,0x55,0x40,0xcd,0x1f,0x41,0x0c, - 0xd7,0xb0,0x02,0x47,0xb0,0x9f,0xfa,0xb2,0x60,0xd4,0x3c,0x64,0xe8,0xc5,0xae,0xe8, - 0x12,0xad,0x84,0xc3,0xe1,0xfd,0x1e,0x20,0x6f,0x20,0x2e,0xbe,0xa9,0xd4,0x30,0xb6, - 0x6c,0xa5,0xf0,0x03,0x75,0xae,0x1b,0xb1,0x15,0x36,0x8d,0xba,0x0f,0x1e,0xb7,0x74, - 
0x8b,0xa4,0x41,0xfd,0x13,0x7a,0xa9,0x16,0x22,0x54,0xe4,0x60,0x38,0x52,0xb6,0x60, - 0x8b,0x7f,0x7a,0xb9,0x2a,0xb0,0x28,0x63,0x71,0xeb,0x29,0x52,0xab,0x66,0x70,0x66, - 0x72,0x12,0xe9,0x4d,0xf4,0x01,0xba,0x88,0xb6,0x15,0xe1,0xb9,0x67,0x10,0x0a,0x59, - 0xc8,0x12,0x1b,0x81,0x6a,0x4c,0x79,0x0f,0x94,0xd7,0xa7,0xa8,0x4c,0x25,0xf2,0xd3, - 0x4d,0x23,0x6c,0x9d,0x65,0x81,0x75,0x72,0xd9,0xca,0xa5,0x32,0xa5,0x9a,0xcc,0xef, - 0xfe,0xb2,0x30,0x2f,0x6c,0x17,0x53,0xac,0x9d,0xc6,0xd5,0x6a,0x85,0x35,0xfa,0x17, - 0xe4,0xfa,0xb8,0x93,0x18,0xc6,0x82,0x42,0xa4,0xaf,0x72,0x7d,0xd4,0xbd,0xf2,0xe3, - 0x7b,0x6e,0x56,0x2d,0x25,0xeb,0xeb,0x53,0x4e,0x34,0xaa,0x86,0x5d,0xcb,0xe1,0xd6, - 0x22,0x4d,0x74,0xee,0x37,0xbd,0x8d,0x43,0xf8,0x3b,0xdb,0xf6,0x9a,0xef,0xe9,0x7f, - 0x3d,0x7f,0x74,0xe6,0x25,0xbb,0xf9,0x4a,0xf8,0x20,0x07,0x94,0x30,0x43,0x48,0xab, - 0x0e,0x1d,0x97,0xd6,0x01,0xa1,0x5b,0x9e,0x92,0xa2,0xeb,0xbe,0x22,0xe8,0x2f,0xb0, - 0x31,0x24,0xb4,0xb5,0x2b,0x73,0xf2,0xdd,0x29,0x5b,0xfd,0x1b,0x18,0x3e,0x3a,0xe6, - 0xa3,0x4b,0x0b,0x19,0xe3,0x4c,0x83,0x8b,0xe3,0x5f,0x94,0xd7,0x5a,0x33,0xb3,0x3d, - 0x3c,0x3f,0xf2,0x16,0x39,0x84,0x48,0x6b,0xc4,0x21,0x87,0x68,0xa7,0xe7,0x94,0xb4, - 0x4f,0x36,0x97,0x28,0x9a,0xbd,0xd4,0x5c,0xf5,0x89,0x5a,0x46,0xf4,0x4b,0x1f,0xe9, - 0x5c,0x48,0xae,0x51,0xe5,0x6f,0xb3,0xea,0xe2,0x6e,0x4e,0x72,0x2d,0x87,0x8c,0x5d, - 0x07,0x3e,0xfb,0x1c,0x95,0x88,0x9e,0xde,0xec,0xc2,0xd1,0x7c,0xef,0x6d,0x4e,0x19, - 0x0c,0xbc,0x6f,0x9f,0xd1,0xa0,0x8e,0x71,0xc8,0x13,0xe6,0xc9,0x21,0xcb,0x31,0x77, - 0x13,0x38,0x14,0xe9,0x25,0xea,0x5c,0x35,0x48,0x06,0x2c,0x4d,0xbe,0x53,0x76,0x51, - 0x1d,0x7a,0x88,0x31,0x62,0x30,0x3b,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01, - 0x09,0x14,0x31,0x2e,0x1e,0x2c,0x00,0x54,0x00,0x65,0x00,0x73,0x00,0x74,0x00,0x2d, - 0x00,0x53,0x00,0x69,0x00,0x67,0x00,0x6e,0x00,0x4f,0x00,0x6e,0x00,0x6c,0x00,0x79, - 0x00,0x20,0x00,0x28,0x00,0x53,0x00,0x2f,0x00,0x4d,0x00,0x49,0x00,0x4d,0x00,0x45, - 0x00,0x29,0x30,0x23,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09,0x15,0x31, - 
0x16,0x04,0x14,0x6f,0x7c,0x20,0x36,0xbe,0x29,0x2b,0xca,0x1a,0xbf,0x51,0xb7,0x15, - 0x8a,0xf9,0x7c,0x2b,0x4e,0x04,0xe8,0x30,0x30,0x30,0x21,0x30,0x09,0x06,0x05,0x2b, - 0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14,0x0e,0xb5,0xcf,0xf5,0x4e,0x2b,0x2c,0x5d, - 0x2e,0x43,0xc9,0x60,0xf2,0x16,0x0f,0xd2,0xe6,0x50,0x93,0x0b,0x04,0x08,0xf0,0x18, - 0xb1,0xdb,0x61,0x97,0x53,0xcb,0x02,0x01,0x01 -}; - -/* Test identity (PKCS12 data) +unsigned char Test_smime_signonly_p12[] = { + 0x30, 0x82, 0x0a, 0xdd, 0x02, 0x01, 0x03, 0x30, 0x82, 0x0a, 0xa4, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 0x01, 0xa0, 0x82, 0x0a, 0x95, 0x04, 0x82, 0x0a, 0x91, 0x30, 0x82, 0x0a, 0x8d, 0x30, 0x82, 0x05, 0x07, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06, 0xa0, 0x82, 0x04, 0xf8, 0x30, 0x82, 0x04, 0xf4, 0x02, 0x01, 0x00, + 0x30, 0x82, 0x04, 0xed, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x0a, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06, 0x30, 0x0e, 0x04, 0x08, 0xa7, 0xf8, 0xe5, 0x65, 0x62, 0x31, 0xe0, + 0xa6, 0x02, 0x02, 0x08, 0x00, 0x80, 0x82, 0x04, 0xc0, 0x2b, 0xf6, 0xdc, 0x0d, 0x1c, 0xce, 0x0d, 0x2a, 0xa8, 0x50, 0x94, + 0xc5, 0x52, 0x04, 0xa0, 0x07, 0x8b, 0xf2, 0x31, 0x4e, 0x5e, 0xfe, 0xe7, 0x8f, 0x53, 0xac, 0x98, 0x1a, 0x04, 0x08, 0xdc, + 0xd9, 0xc6, 0xd5, 0xee, 0xbd, 0x43, 0x15, 0x55, 0xf8, 0x03, 0xa7, 0x05, 0x31, 0x7f, 0xee, 0x36, 0xa8, 0x43, 0xdb, 0x09, + 0x25, 0x61, 0x8e, 0x1c, 0xd2, 0x84, 0x22, 0xc2, 0xf5, 0x2f, 0x29, 0x4b, 0x97, 0xfd, 0x38, 0xb8, 0x4d, 0xde, 0x76, 0x28, + 0xe9, 0xd9, 0xf7, 0xf1, 0x77, 0xdd, 0x7d, 0x6f, 0x35, 0xf7, 0x73, 0x94, 0xeb, 0x39, 0x5d, 0xaf, 0x92, 0xca, 0x07, 0x39, + 0xa2, 0x8a, 0xd2, 0xcd, 0xe0, 0x69, 0x5b, 0x2f, 0xc3, 0x29, 0x1c, 0xbb, 0x27, 0x01, 0x83, 0x49, 0xfe, 0x55, 0x75, 0x1f, + 0x56, 0xf4, 0xf8, 0xed, 0x60, 0xe3, 0xee, 0x10, 0x40, 0x4d, 0x67, 0xdb, 0x1b, 0x4e, 0x0b, 0x03, 0x65, 0xfc, 0x10, 0x9f, + 0x40, 0x19, 0xcd, 0xe7, 0x5b, 0x6f, 0x8d, 0xf4, 0x21, 0x80, 0x1e, 0x81, 
0xae, 0x34, 0xac, 0x70, 0xf5, 0xdd, 0x59, 0xb7, + 0xd8, 0x31, 0x9f, 0xd9, 0xec, 0x54, 0x8c, 0x93, 0x73, 0x78, 0xbf, 0x5c, 0xf9, 0x29, 0x8b, 0x32, 0xdd, 0x3d, 0xb5, 0xe8, + 0xdf, 0xe6, 0x78, 0xd2, 0xbe, 0x9d, 0x55, 0x2d, 0xde, 0x23, 0xe4, 0x14, 0xc2, 0x7b, 0x38, 0xce, 0x27, 0x22, 0x0b, 0x6a, + 0x05, 0x22, 0x27, 0x39, 0x04, 0x99, 0x6f, 0x02, 0x74, 0xc0, 0xc8, 0xcd, 0x8d, 0xa7, 0x76, 0x9f, 0x41, 0x76, 0x6b, 0x97, + 0x5f, 0x40, 0xc4, 0xa4, 0x77, 0x85, 0x2b, 0x18, 0x94, 0x79, 0xa3, 0x2a, 0x8d, 0x72, 0x5c, 0x8a, 0x15, 0xad, 0x57, 0x87, + 0xc3, 0x72, 0x83, 0x89, 0x4a, 0xec, 0x92, 0xb6, 0xad, 0xb0, 0x5a, 0xb6, 0x1a, 0x53, 0x61, 0x28, 0x66, 0xfc, 0x9c, 0x4a, + 0x4f, 0xfd, 0x38, 0x2a, 0x00, 0x55, 0x56, 0x03, 0xff, 0x09, 0xb0, 0xff, 0xbc, 0xa6, 0x78, 0x43, 0x0c, 0x90, 0xc7, 0x6d, + 0x25, 0x45, 0x73, 0x61, 0x55, 0x24, 0x5d, 0x93, 0x2c, 0x38, 0x4f, 0x8d, 0x68, 0x41, 0xfe, 0xeb, 0xbc, 0xae, 0xee, 0x92, + 0xa5, 0xbd, 0x6c, 0x1f, 0x4c, 0xe2, 0xb2, 0xc8, 0x42, 0x50, 0x5c, 0xa9, 0xa3, 0x53, 0x46, 0x6b, 0xa1, 0x4e, 0x69, 0x6f, + 0xe0, 0x12, 0xc4, 0x03, 0x1e, 0xe5, 0xc1, 0xad, 0x8d, 0x57, 0x95, 0xfd, 0x24, 0x85, 0xd7, 0x2b, 0x5d, 0xbb, 0x72, 0x5b, + 0x62, 0x72, 0x97, 0xdd, 0xb8, 0xb1, 0x7a, 0xf7, 0x42, 0x2c, 0x9f, 0xe2, 0x6e, 0x57, 0x7d, 0xee, 0x72, 0x67, 0xec, 0x98, + 0x3a, 0x63, 0x44, 0x28, 0x75, 0xce, 0x9b, 0x5e, 0x95, 0xe6, 0x34, 0x7c, 0x1e, 0x56, 0x33, 0x3d, 0x31, 0x69, 0xd6, 0xf7, + 0x62, 0xa9, 0x7c, 0x0e, 0xf7, 0x9d, 0xf8, 0x7d, 0xfe, 0x86, 0x12, 0x62, 0x18, 0xf1, 0xdd, 0xbf, 0x37, 0x73, 0xb2, 0x0b, + 0x81, 0xb4, 0x38, 0xcb, 0x93, 0x8c, 0x3a, 0xe6, 0xd6, 0x72, 0x39, 0x09, 0x84, 0x09, 0xd7, 0x14, 0xc1, 0x67, 0x78, 0xc4, + 0x5a, 0xa3, 0xa6, 0x0b, 0x0c, 0xd8, 0xd4, 0xda, 0xd7, 0xb8, 0x3a, 0x86, 0xcc, 0x44, 0x7d, 0xf6, 0x30, 0x4f, 0x07, 0x9f, + 0x8a, 0x28, 0x22, 0x89, 0x34, 0xd3, 0x7b, 0xe6, 0x1b, 0xac, 0x9a, 0x11, 0xdd, 0x06, 0x72, 0x6e, 0x3f, 0x39, 0x3f, 0x18, + 0x92, 0xc8, 0x93, 0xbb, 0x7c, 0x4a, 0x65, 0xad, 0xba, 0xfb, 0x6b, 0x29, 0xe3, 0xd5, 0x0d, 0xfc, 0xf1, 0x05, 0x91, 0x9d, 
+ 0x3f, 0x86, 0x86, 0xd3, 0xf3, 0x48, 0x8b, 0xba, 0x97, 0x59, 0xaf, 0xfb, 0x06, 0x34, 0x6e, 0x09, 0x5b, 0x4f, 0x4a, 0xdf, + 0x3c, 0x94, 0xc7, 0x18, 0xb0, 0xf0, 0x23, 0xaf, 0x2f, 0x4e, 0x29, 0xd2, 0x99, 0xc3, 0x5f, 0x43, 0x52, 0xd2, 0x93, 0x1b, + 0x8c, 0x13, 0x08, 0x5c, 0xa3, 0x5a, 0x68, 0x14, 0x7d, 0xda, 0xad, 0x92, 0xb5, 0xd0, 0x13, 0xe6, 0x21, 0xbc, 0x5b, 0xd5, + 0xfa, 0x4e, 0xd7, 0x01, 0x8b, 0xa0, 0x9a, 0xfd, 0x02, 0x02, 0xc3, 0x9e, 0x7f, 0xfc, 0xc0, 0x90, 0x2a, 0xdd, 0xac, 0xa0, + 0x01, 0x92, 0x39, 0x23, 0xb4, 0x3b, 0x2a, 0x13, 0x56, 0xcb, 0x78, 0xf5, 0xe1, 0xac, 0x15, 0x7f, 0x22, 0x38, 0x77, 0x0c, + 0xa8, 0xfc, 0x46, 0x14, 0x02, 0xbe, 0x28, 0xf2, 0xa4, 0x59, 0x68, 0x01, 0x73, 0x4a, 0x52, 0xea, 0xfe, 0xb8, 0x8e, 0x59, + 0xf2, 0x41, 0xaa, 0x04, 0x77, 0x20, 0xc6, 0x57, 0x62, 0x60, 0xb3, 0xc0, 0x6b, 0x2b, 0x5b, 0x4d, 0x64, 0x0c, 0xfe, 0x09, + 0x92, 0x35, 0x9f, 0xde, 0xfe, 0xad, 0x8e, 0xd6, 0xf3, 0x8f, 0xb9, 0xf4, 0x77, 0x0f, 0xed, 0x47, 0x0d, 0x77, 0x59, 0x9c, + 0xda, 0x7f, 0x40, 0xa1, 0xee, 0x6c, 0xaf, 0x66, 0x69, 0x12, 0x3a, 0x42, 0x98, 0x55, 0x91, 0x34, 0xf8, 0x02, 0x57, 0xf9, + 0xf1, 0x9c, 0x5e, 0x7f, 0xec, 0x44, 0x14, 0x21, 0x8b, 0x21, 0x98, 0xe8, 0x62, 0x00, 0x0b, 0x9b, 0xe2, 0xc8, 0xff, 0xfe, + 0xf5, 0xa0, 0xc5, 0x6a, 0x61, 0x75, 0x6f, 0xbf, 0x1f, 0x8d, 0x72, 0xbe, 0x48, 0x1f, 0xdf, 0x58, 0xba, 0x13, 0x33, 0x60, + 0x8f, 0xc4, 0x5b, 0xf3, 0x70, 0x94, 0xee, 0x25, 0x98, 0x5e, 0x30, 0x40, 0x7f, 0x1c, 0xf6, 0x34, 0xb5, 0x6d, 0x5c, 0xc2, + 0x45, 0xad, 0x1b, 0x88, 0x9e, 0x10, 0x59, 0x86, 0xcf, 0x49, 0xaa, 0xa4, 0x72, 0xee, 0x1c, 0xeb, 0x21, 0x85, 0x78, 0x5c, + 0x1a, 0x08, 0x33, 0x6d, 0x52, 0xf3, 0xde, 0x86, 0x64, 0x2a, 0x34, 0x9e, 0x17, 0x16, 0xc5, 0xaf, 0xc9, 0x5a, 0xb0, 0x69, + 0xcb, 0xdf, 0x6f, 0x23, 0x67, 0xe7, 0x02, 0x93, 0xf8, 0x79, 0x3d, 0xc1, 0x7f, 0x7e, 0xe7, 0x9a, 0xb2, 0xa8, 0x5b, 0x11, + 0x64, 0x8c, 0x4b, 0x71, 0x29, 0xc4, 0x8c, 0xa5, 0x3b, 0xcf, 0x42, 0x48, 0x41, 0x2b, 0x29, 0x31, 0xc4, 0xfc, 0x21, 0x69, + 0x10, 0x1e, 0x8c, 0xde, 0x02, 0x45, 0x43, 
0x30, 0x4a, 0x9f, 0x4b, 0x8f, 0x4f, 0xf5, 0x63, 0x4f, 0x6d, 0xed, 0x7c, 0x37, + 0x3f, 0x88, 0x43, 0x01, 0x95, 0xba, 0x49, 0x03, 0xa1, 0xe0, 0xe6, 0xf9, 0x58, 0x3a, 0x50, 0xf3, 0x3f, 0xcf, 0x15, 0xc7, + 0x30, 0x4b, 0x56, 0xad, 0x74, 0x9e, 0x1d, 0xe1, 0x1f, 0x33, 0x33, 0x10, 0x9f, 0x55, 0xf6, 0xad, 0xf2, 0x07, 0x32, 0x39, + 0xd4, 0x6e, 0x32, 0xd2, 0xc5, 0xbb, 0x67, 0x7d, 0x77, 0xd3, 0x21, 0xb5, 0xce, 0x5f, 0x07, 0xc4, 0x61, 0x6b, 0x67, 0x1d, + 0x58, 0x56, 0xf7, 0xa3, 0x99, 0x4f, 0x7a, 0x9d, 0xd3, 0x78, 0x07, 0x7f, 0x4e, 0x24, 0x94, 0x2e, 0x75, 0x46, 0xd0, 0x1e, + 0x76, 0x77, 0xf1, 0x18, 0x1c, 0xbf, 0x3e, 0xe5, 0x42, 0x45, 0x9c, 0x30, 0x78, 0x64, 0x5e, 0x55, 0x43, 0x42, 0x4e, 0x60, + 0x1f, 0x57, 0xc3, 0xd3, 0xe3, 0xf4, 0x8b, 0x4c, 0xaf, 0x18, 0xc0, 0xa9, 0xf8, 0xe5, 0xd3, 0x96, 0xe0, 0xd2, 0x0a, 0x05, + 0xc5, 0x2a, 0x42, 0x16, 0xc9, 0x1d, 0x90, 0xfb, 0x4b, 0x2d, 0x3b, 0xbf, 0x14, 0xfc, 0x7b, 0x47, 0x11, 0xf7, 0x46, 0x7b, + 0x31, 0xb4, 0x2f, 0x25, 0x89, 0xed, 0x5d, 0x95, 0x7c, 0x0b, 0xe9, 0x89, 0x7a, 0x0a, 0x83, 0xc2, 0x08, 0xcc, 0x61, 0x8d, + 0x7a, 0xf3, 0x3a, 0x7e, 0x7e, 0xa4, 0x16, 0x36, 0x0e, 0x9e, 0xac, 0xd3, 0x01, 0x0d, 0x60, 0x0c, 0x5e, 0xca, 0x2d, 0xcc, + 0x59, 0xd8, 0x9d, 0x67, 0xb6, 0xc0, 0x81, 0xa7, 0xcb, 0x64, 0x8f, 0x03, 0x18, 0xc8, 0xba, 0x2b, 0x3d, 0x83, 0x37, 0x7e, + 0xe2, 0x24, 0x9e, 0xff, 0xef, 0x78, 0x0c, 0x24, 0xaf, 0x90, 0x83, 0x45, 0x29, 0xfd, 0x1c, 0x1e, 0xc3, 0xf9, 0x49, 0x88, + 0x48, 0xf3, 0xae, 0x22, 0x26, 0x07, 0xa6, 0xc6, 0x50, 0xed, 0xda, 0xb7, 0xb8, 0x4e, 0x1f, 0x6c, 0x7f, 0x9c, 0x54, 0x77, + 0x0c, 0x66, 0x0b, 0x65, 0x4b, 0xdd, 0x9a, 0x9f, 0x69, 0xdc, 0x9a, 0x3a, 0xfc, 0xa8, 0x1c, 0xb5, 0xcf, 0xfd, 0x9a, 0x9d, + 0x49, 0x5e, 0xcb, 0xd5, 0xa8, 0xcd, 0x89, 0xa6, 0xd3, 0x26, 0xfd, 0xa3, 0x8f, 0x46, 0xb8, 0x98, 0x63, 0x0d, 0x0a, 0xd8, + 0x21, 0xed, 0xa5, 0x5f, 0x0a, 0x6e, 0x8b, 0xd1, 0xd7, 0x93, 0xca, 0xa8, 0xc2, 0x54, 0x6d, 0x8e, 0x4a, 0x3a, 0x87, 0x50, + 0x23, 0x6c, 0x98, 0x4d, 0x61, 0xc9, 0x21, 0xca, 0xfa, 0xe9, 0x14, 0xaf, 0x85, 0x07, 0x66, 
0x40, 0xe4, 0x3c, 0x78, 0xcf, + 0x8f, 0x0d, 0x06, 0xe2, 0xce, 0x5b, 0x38, 0xdd, 0x6c, 0x99, 0x95, 0x7a, 0x3a, 0xaf, 0xfb, 0x82, 0xdb, 0x94, 0x51, 0x6d, + 0x99, 0xd6, 0x47, 0x41, 0x16, 0x8c, 0x7e, 0x30, 0xb4, 0x86, 0x42, 0xe7, 0xad, 0x38, 0x16, 0x12, 0x3e, 0x6b, 0xcf, 0xb8, + 0x8f, 0x08, 0x8c, 0xce, 0xc9, 0xf5, 0x5a, 0x6d, 0x6d, 0x1c, 0xef, 0xa3, 0xee, 0x44, 0x1e, 0x48, 0xe4, 0x41, 0xc6, 0xfa, + 0x38, 0x63, 0xf6, 0x7d, 0x50, 0x59, 0x36, 0x9b, 0x8a, 0xbc, 0x66, 0x9d, 0x3d, 0xac, 0xe0, 0x4a, 0x2b, 0x27, 0xd4, 0x0a, + 0x5e, 0x8c, 0xd2, 0x03, 0xde, 0x30, 0x82, 0x05, 0x7e, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0xa0, 0x82, 0x05, 0x6f, 0x04, 0x82, 0x05, 0x6b, 0x30, 0x82, 0x05, 0x67, 0x30, 0x82, 0x05, 0x63, 0x06, 0x0b, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x82, 0x04, 0xee, 0x30, 0x82, 0x04, 0xea, 0x30, 0x1c, 0x06, + 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, 0x0e, 0x04, 0x08, 0xe8, 0xe9, 0xa0, 0xff, 0x46, + 0xbd, 0xb7, 0xbe, 0x02, 0x02, 0x08, 0x00, 0x04, 0x82, 0x04, 0xc8, 0xb7, 0xe8, 0x82, 0xae, 0xfd, 0x43, 0x15, 0xbb, 0xf4, + 0x94, 0x2d, 0x8d, 0x28, 0x5c, 0x66, 0xc4, 0x78, 0x5b, 0x0f, 0x41, 0xf9, 0x8e, 0x65, 0x3f, 0xf3, 0x06, 0x99, 0x36, 0x70, + 0xeb, 0x99, 0x38, 0x29, 0x49, 0xea, 0x28, 0xc4, 0x84, 0x11, 0x8c, 0x4f, 0x5e, 0x61, 0x7c, 0x3f, 0xc3, 0x61, 0x16, 0x1b, + 0xce, 0x50, 0xc9, 0xd6, 0x3e, 0x0e, 0x96, 0x93, 0xd1, 0xf7, 0x1a, 0x79, 0x86, 0x86, 0x22, 0x7e, 0x39, 0xc0, 0x15, 0x49, + 0x69, 0xc5, 0x56, 0xf9, 0xb6, 0xeb, 0xe0, 0x36, 0x53, 0x01, 0xc1, 0xb9, 0x2d, 0x31, 0xdb, 0xdc, 0x12, 0xe0, 0x1b, 0x85, + 0x4b, 0x11, 0xfa, 0x74, 0xd5, 0x5b, 0x4a, 0x84, 0xbc, 0x7e, 0x1f, 0xf4, 0x1e, 0x04, 0x75, 0x5e, 0x75, 0x6b, 0xb0, 0x6f, + 0xc0, 0xb6, 0x5c, 0x0b, 0x93, 0xe7, 0x96, 0x94, 0x4c, 0x17, 0x97, 0xce, 0x4e, 0x2c, 0xe8, 0x48, 0xff, 0x89, 0xd5, 0x8c, + 0x41, 0xe1, 0x0d, 0xed, 0xb2, 0x82, 0x7a, 0x75, 0x49, 0xbf, 0x0e, 0xf2, 0xec, 0x06, 0x8b, 0xa7, 0x86, 0xd8, 0x95, 0x4a, + 0x3e, 0x5a, 
0x78, 0xea, 0xf3, 0xee, 0xff, 0x5b, 0xc9, 0x21, 0x58, 0x88, 0x2c, 0x84, 0xab, 0x1f, 0x79, 0x07, 0xae, 0x98, + 0x6a, 0xa0, 0xc9, 0x93, 0x3d, 0x74, 0x67, 0x43, 0x5b, 0x2d, 0xfb, 0x57, 0xc8, 0x24, 0x8e, 0xe6, 0x74, 0x0f, 0x11, 0x53, + 0x8d, 0x2b, 0xd9, 0xa6, 0x44, 0x11, 0x32, 0xab, 0xec, 0x08, 0xe4, 0x63, 0xb3, 0x19, 0x5d, 0xd2, 0xff, 0x7d, 0x29, 0xb2, + 0x4e, 0xc0, 0x44, 0x0b, 0xd2, 0x68, 0x4d, 0xc0, 0xbf, 0x24, 0xcd, 0x01, 0x26, 0x31, 0x52, 0xcf, 0x1c, 0x14, 0x8f, 0x70, + 0x31, 0x1f, 0x68, 0x19, 0xfd, 0x81, 0x09, 0xef, 0xbd, 0xc0, 0xa7, 0xcd, 0xd9, 0x6c, 0xff, 0xf7, 0xb1, 0x11, 0xbb, 0xfa, + 0x8b, 0x73, 0x22, 0xd9, 0x3a, 0x74, 0xa3, 0x49, 0x54, 0xd7, 0x52, 0x53, 0xd5, 0xaa, 0x1b, 0x72, 0xbd, 0xa6, 0x44, 0x7d, + 0xed, 0x97, 0xe9, 0xfd, 0xcf, 0x26, 0x2b, 0x3c, 0x3a, 0x00, 0xf7, 0x3f, 0xf7, 0xdc, 0x91, 0x3a, 0x65, 0x5b, 0xcb, 0xba, + 0x79, 0x5c, 0xb7, 0xfb, 0x79, 0x15, 0xe7, 0x7d, 0x1c, 0xd8, 0xf5, 0x89, 0x0f, 0xb1, 0x5e, 0x8d, 0x96, 0xa2, 0xef, 0x3f, + 0x8d, 0x27, 0x38, 0x36, 0xd5, 0xcf, 0xe5, 0x67, 0xd0, 0xa9, 0xa5, 0xde, 0x16, 0xe7, 0xe7, 0x62, 0x04, 0x55, 0x66, 0xfd, + 0x9f, 0xa4, 0x10, 0xcb, 0x30, 0x12, 0x10, 0x24, 0xb4, 0x7f, 0x63, 0x6a, 0x38, 0xd0, 0x9b, 0x77, 0x93, 0x27, 0xda, 0x72, + 0xeb, 0xdb, 0x79, 0x26, 0x92, 0x60, 0xc5, 0x41, 0xb9, 0xe6, 0xce, 0x08, 0xaf, 0x3e, 0x0f, 0xe6, 0x8d, 0x17, 0x7e, 0x3b, + 0xbc, 0x37, 0x57, 0x16, 0x54, 0xbe, 0x8c, 0x6a, 0xda, 0xb1, 0x7c, 0x46, 0xee, 0xc7, 0xed, 0x26, 0x76, 0x91, 0x01, 0xd5, + 0x9c, 0x7b, 0xc2, 0xb7, 0x6f, 0x8c, 0xa1, 0xd1, 0x93, 0x50, 0x0c, 0x27, 0x0c, 0x74, 0xa4, 0x80, 0x7c, 0x3d, 0x28, 0x93, + 0x21, 0xbe, 0xc9, 0x9f, 0xb5, 0x0a, 0xc8, 0x31, 0x12, 0x25, 0x90, 0x3f, 0x9a, 0x6d, 0x20, 0x02, 0xa0, 0xd6, 0x21, 0x53, + 0x10, 0x55, 0x19, 0x48, 0x57, 0xf8, 0x2a, 0x48, 0xc4, 0xb5, 0xa1, 0x79, 0xac, 0x53, 0xbd, 0x2b, 0xde, 0x4d, 0xa4, 0x77, + 0xe4, 0x1f, 0x87, 0x9f, 0x9f, 0xd1, 0x9c, 0x00, 0x8d, 0x7b, 0x83, 0x4a, 0xc4, 0x25, 0xf2, 0xb7, 0xfc, 0xb8, 0x0e, 0x97, + 0x26, 0x70, 0x26, 0x89, 0x86, 0xe6, 0x15, 0xaa, 0x8f, 0x5e, 
0x76, 0xb3, 0x3f, 0x8b, 0x01, 0xda, 0xf5, 0x99, 0x01, 0x32, + 0xc3, 0x76, 0x19, 0x93, 0xca, 0xda, 0x27, 0xb1, 0x74, 0x0e, 0x84, 0x4b, 0x02, 0x4b, 0x50, 0x31, 0x64, 0x69, 0xd9, 0xa4, + 0x21, 0x85, 0xfd, 0xab, 0x69, 0xf3, 0x66, 0x40, 0x43, 0x13, 0x4f, 0x58, 0xf5, 0x03, 0x3b, 0xc1, 0xea, 0x40, 0xeb, 0xe4, + 0xca, 0x63, 0x29, 0xca, 0x41, 0x64, 0x7a, 0x0e, 0xb9, 0x46, 0xf2, 0xcb, 0xa0, 0xf3, 0x3e, 0x35, 0xaf, 0xe1, 0x81, 0xa9, + 0xd3, 0x0c, 0xef, 0xe9, 0x2d, 0xc4, 0x10, 0x46, 0x24, 0xd0, 0x6d, 0xab, 0xb1, 0xd3, 0xe0, 0x4a, 0x43, 0xcd, 0x3f, 0xa4, + 0xe4, 0xdc, 0x3e, 0x70, 0x07, 0x62, 0x93, 0x27, 0x32, 0x46, 0x57, 0x85, 0x45, 0x6a, 0xcf, 0x0d, 0xec, 0x08, 0xf0, 0x07, + 0x6c, 0xb8, 0x87, 0xd1, 0xc5, 0xa3, 0xf0, 0xd6, 0xaf, 0x37, 0x09, 0xff, 0xbc, 0x15, 0x56, 0x60, 0xfc, 0x2a, 0xec, 0xbf, + 0x8c, 0x22, 0x1c, 0xef, 0xaa, 0xfe, 0x6a, 0x42, 0xa0, 0x41, 0xdd, 0x8d, 0x7d, 0xa8, 0x74, 0xa8, 0xb4, 0xfc, 0x12, 0x2e, + 0xf2, 0xe6, 0xbe, 0xa6, 0xbc, 0x31, 0x01, 0x40, 0xa4, 0x27, 0xc2, 0x75, 0xbb, 0x12, 0x91, 0xc9, 0x84, 0xa0, 0xd5, 0xff, + 0xaa, 0x8d, 0x8f, 0x22, 0xd0, 0x05, 0x05, 0x63, 0xe1, 0xa3, 0xa0, 0xfc, 0x7d, 0xb4, 0xd9, 0x26, 0xcf, 0x77, 0x46, 0x36, + 0x9a, 0xdd, 0x97, 0x8f, 0xc6, 0x79, 0x99, 0x81, 0x47, 0x91, 0x00, 0xe3, 0x88, 0xe4, 0x09, 0xca, 0xb9, 0x2c, 0x66, 0x70, + 0xa2, 0x1c, 0xc7, 0xb9, 0xfe, 0xd3, 0x3e, 0x8f, 0x52, 0x5a, 0xfb, 0x63, 0x8d, 0x06, 0x36, 0xd9, 0x40, 0xf6, 0x4a, 0x99, + 0xcf, 0xf6, 0x60, 0x02, 0xb2, 0xff, 0x81, 0x51, 0x44, 0xf7, 0x69, 0x7a, 0xc6, 0xf9, 0x6a, 0xe3, 0x3a, 0xc5, 0x11, 0xc3, + 0x61, 0xe7, 0x09, 0xdd, 0x88, 0x04, 0x0c, 0x41, 0xbf, 0x41, 0x6e, 0x20, 0x5c, 0xf0, 0x6b, 0x3c, 0x57, 0x3b, 0x03, 0x16, + 0x25, 0xc7, 0x39, 0x42, 0x4d, 0x32, 0x30, 0xd3, 0x12, 0xbf, 0x85, 0x3b, 0x90, 0x9a, 0x38, 0xe1, 0x6c, 0x32, 0x5b, 0xe5, + 0xa0, 0x8e, 0xab, 0x7f, 0xcc, 0x36, 0x91, 0x7b, 0xd3, 0x45, 0x47, 0xa5, 0x14, 0x47, 0xb0, 0x0a, 0x0f, 0x29, 0xcd, 0xbc, + 0x72, 0x2c, 0xc9, 0x47, 0xf4, 0xd7, 0x3e, 0x5c, 0x25, 0x85, 0x9b, 0x7d, 0xa9, 0xf7, 0xdc, 0xec, 0xfe, 0x7b, 
0x6b, 0xad, + 0x00, 0x24, 0xd2, 0x84, 0xd8, 0xd1, 0xc1, 0x2a, 0xde, 0x0d, 0x14, 0x46, 0x87, 0xa6, 0x83, 0x59, 0x6b, 0xde, 0x06, 0xf8, + 0x1c, 0x81, 0x04, 0x3e, 0x14, 0xac, 0x9a, 0xe4, 0xc4, 0xe1, 0x51, 0xbb, 0xcf, 0xe0, 0xf5, 0xc3, 0x40, 0xdd, 0x1e, 0xae, + 0x3e, 0x06, 0x45, 0x80, 0x7a, 0x6b, 0x07, 0x58, 0xc1, 0xcf, 0xb3, 0x22, 0xd4, 0xfe, 0xc0, 0x01, 0x86, 0x16, 0x48, 0x5a, + 0x04, 0xe9, 0x3c, 0xa0, 0xdb, 0x2d, 0x57, 0xec, 0x6f, 0x83, 0x4e, 0x14, 0xcc, 0xf8, 0x01, 0x3b, 0x46, 0x6a, 0xec, 0xd0, + 0xd3, 0x13, 0x29, 0xf5, 0x61, 0x38, 0x7a, 0x41, 0xd6, 0xca, 0x87, 0x4e, 0x91, 0x67, 0x3a, 0x7f, 0x4e, 0x1e, 0x40, 0x07, + 0xad, 0x0d, 0x80, 0xac, 0x83, 0xd2, 0x4d, 0xee, 0xc6, 0x81, 0xab, 0x86, 0x58, 0xd0, 0x86, 0x3e, 0x97, 0x95, 0xef, 0xec, + 0xbe, 0xd6, 0xe9, 0xc1, 0xce, 0x2e, 0xa5, 0xd1, 0x71, 0x1c, 0x7e, 0xb9, 0xa4, 0x5f, 0xcc, 0x12, 0x96, 0x13, 0x50, 0x6d, + 0x07, 0x8c, 0xa3, 0xa5, 0x40, 0x73, 0xb3, 0x90, 0x70, 0x92, 0x4b, 0x48, 0x95, 0xb7, 0x38, 0x72, 0xe3, 0x9c, 0x1d, 0x1d, + 0x6b, 0x4a, 0x29, 0xf3, 0xf5, 0x77, 0xfb, 0x5e, 0x44, 0x4e, 0x2b, 0xec, 0xc2, 0x65, 0xd2, 0x4c, 0x6c, 0xad, 0xac, 0xb7, + 0x64, 0x9a, 0xd2, 0xbf, 0x10, 0x53, 0xdd, 0x2d, 0x48, 0x55, 0x45, 0x9d, 0x64, 0x1d, 0x00, 0x15, 0xd2, 0x20, 0x15, 0x9f, + 0xcf, 0xc0, 0x72, 0x20, 0xec, 0xf3, 0x55, 0x86, 0x36, 0x8b, 0xac, 0x8f, 0x71, 0x04, 0xc5, 0x17, 0x3b, 0x98, 0x8d, 0x96, + 0xd9, 0x56, 0x1c, 0x48, 0x5f, 0xd4, 0x32, 0x3d, 0x41, 0x94, 0x54, 0x7b, 0xa8, 0x44, 0xfd, 0x99, 0x9e, 0xbb, 0x22, 0x6d, + 0x36, 0x57, 0x86, 0x19, 0xc5, 0x09, 0x73, 0x5e, 0x4a, 0xb7, 0x99, 0x2c, 0x51, 0x9d, 0xf3, 0x0e, 0x40, 0x82, 0x9a, 0xc3, + 0x5e, 0x00, 0x85, 0xf1, 0xa1, 0xe0, 0xe7, 0xf2, 0xcd, 0x7d, 0x6a, 0x3a, 0x10, 0x42, 0x1d, 0x95, 0xb1, 0xc5, 0x9e, 0x76, + 0x2a, 0x22, 0x00, 0x48, 0x52, 0x07, 0xc7, 0x49, 0xab, 0xa1, 0xd5, 0xa6, 0xe2, 0xc5, 0x51, 0x47, 0x31, 0x80, 0x37, 0xbd, + 0xb6, 0x91, 0xab, 0xa3, 0x9c, 0xee, 0x9c, 0x1e, 0x69, 0xc7, 0x15, 0x29, 0xf5, 0x8f, 0x12, 0x4f, 0xf4, 0x99, 0xaf, 0x58, + 0x68, 0x5b, 0x2e, 0x0d, 0x99, 
0x25, 0x13, 0xc1, 0xe4, 0xe7, 0x7f, 0x58, 0x16, 0xaa, 0x02, 0xf1, 0xce, 0xde, 0x90, 0x33, + 0x80, 0x5b, 0xb3, 0xdb, 0xb6, 0x6b, 0xda, 0x77, 0x4b, 0x45, 0xff, 0x73, 0x27, 0x02, 0x79, 0xb3, 0x01, 0xe9, 0x11, 0x64, + 0x0b, 0x93, 0x17, 0xd5, 0x71, 0x23, 0xdb, 0x2d, 0xbd, 0x06, 0xb5, 0x8a, 0x1e, 0xfd, 0x13, 0xe4, 0x0c, 0xfb, 0x5f, 0xd5, + 0x68, 0x04, 0xd7, 0xd2, 0xeb, 0x63, 0xc2, 0x2f, 0x7d, 0xfe, 0x9b, 0x24, 0x92, 0xb7, 0x46, 0xab, 0x0e, 0x7c, 0x15, 0xfa, + 0x0d, 0x1a, 0xdc, 0x65, 0x99, 0xdb, 0xa1, 0x6f, 0x55, 0x90, 0x76, 0xb5, 0x20, 0x8b, 0x6f, 0x31, 0x62, 0x30, 0x3b, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, 0x2e, 0x1e, 0x2c, 0x00, 0x54, 0x00, 0x65, 0x00, 0x73, + 0x00, 0x74, 0x00, 0x2d, 0x00, 0x53, 0x00, 0x69, 0x00, 0x67, 0x00, 0x6e, 0x00, 0x4f, 0x00, 0x6e, 0x00, 0x6c, 0x00, 0x79, + 0x00, 0x20, 0x00, 0x28, 0x00, 0x53, 0x00, 0x2f, 0x00, 0x4d, 0x00, 0x49, 0x00, 0x4d, 0x00, 0x45, 0x00, 0x29, 0x30, 0x23, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, 0x31, 0x16, 0x04, 0x14, 0x60, 0x94, 0x0b, 0x09, 0xd9, + 0x9c, 0x09, 0x22, 0xc2, 0x15, 0x0e, 0xf8, 0x47, 0x4c, 0x8f, 0xbe, 0xaa, 0x65, 0x51, 0x76, 0x30, 0x30, 0x30, 0x21, 0x30, + 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0x76, 0xa4, 0x2d, 0xf1, 0x67, 0x61, 0x56, 0x63, + 0xd0, 0x39, 0x34, 0xe3, 0xb4, 0x1c, 0x96, 0xa3, 0xc0, 0x5a, 0xf7, 0xff, 0x04, 0x08, 0x06, 0xe1, 0x19, 0x07, 0xbf, 0xf2, + 0xb9, 0xbf, 0x02, 0x01, 0x01 +}; +unsigned int test_sign_only_smime_p12_len = 2785; + + +/* Test SSL User identity (PKCS12 data), expires in 2026 */ -unsigned char Test_p12[2721] = { - 0x30,0x82,0x0a,0x9d,0x02,0x01,0x03,0x30,0x82,0x0a,0x64,0x06,0x09,0x2a,0x86,0x48, - 0x86,0xf7,0x0d,0x01,0x07,0x01,0xa0,0x82,0x0a,0x55,0x04,0x82,0x0a,0x51,0x30,0x82, - 0x0a,0x4d,0x30,0x82,0x04,0xd7,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07, - 0x06,0xa0,0x82,0x04,0xc8,0x30,0x82,0x04,0xc4,0x02,0x01,0x00,0x30,0x82,0x04,0xbd, - 
0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01,0x30,0x1c,0x06,0x0a,0x2a, - 0x86,0x48,0x86,0xf7,0x0d,0x01,0x0c,0x01,0x06,0x30,0x0e,0x04,0x08,0xba,0x25,0x0b, - 0x36,0xab,0xc2,0xe7,0x34,0x02,0x02,0x08,0x00,0x80,0x82,0x04,0x90,0xe2,0x74,0x80, - 0xf1,0xf9,0xff,0xb5,0x9a,0xa4,0xe2,0x43,0x70,0x41,0xa1,0x90,0x19,0xb2,0xd5,0x8e, - 0x00,0x4b,0xfc,0x07,0xd6,0x72,0x99,0x9c,0x89,0xa8,0x0c,0x97,0x4a,0x9c,0x10,0x30, - 0x11,0x80,0xc1,0x42,0xda,0x56,0xdd,0x1b,0xfa,0x9e,0x5f,0x85,0x72,0x1d,0xde,0xdf, - 0x78,0x8f,0xd4,0x69,0xf0,0x39,0xfb,0xf1,0xf4,0x96,0xc1,0x2d,0x97,0x20,0x98,0xe2, - 0x38,0xd0,0xe1,0xda,0x01,0x59,0x64,0x71,0xd6,0xd9,0xa2,0x46,0x38,0x87,0x54,0x4c, - 0x4d,0x3f,0x8a,0x9b,0x75,0xf4,0x98,0xec,0xf1,0xe4,0x01,0x60,0x8d,0x04,0x54,0x28, - 0x4c,0xbb,0x90,0x08,0x98,0xb1,0x6b,0x61,0xe3,0x03,0xcd,0x00,0x19,0x87,0xa2,0xc2, - 0xb5,0x7b,0x57,0xd4,0x22,0x77,0xd1,0x68,0x9a,0xfe,0xe3,0x43,0xef,0x2b,0xb6,0x11, - 0x7c,0x63,0x9c,0x28,0xab,0x86,0xdf,0x1b,0x95,0x58,0x54,0xa5,0x3d,0x18,0xb0,0xad, - 0x20,0x76,0x92,0xf5,0xef,0x20,0x8a,0x0c,0x21,0xdb,0x83,0x15,0x1e,0xa5,0x6f,0xeb, - 0xd3,0xc8,0x40,0x14,0x7f,0x69,0x46,0x73,0x20,0x60,0x2b,0x3e,0x27,0xd7,0xb9,0x33, - 0x8c,0xe6,0x43,0xc8,0xf6,0xa5,0x53,0xa7,0x36,0x03,0x3d,0xa9,0xdd,0x85,0x59,0xde, - 0x70,0xc2,0x65,0x38,0x06,0x04,0x00,0x01,0xcc,0xed,0xdf,0x1f,0xab,0x83,0xed,0xeb, - 0xc0,0x3d,0x33,0x4e,0x99,0x22,0xcc,0x63,0xc7,0x14,0x9c,0x50,0x60,0x38,0xc3,0xa5, - 0xe2,0xfe,0x78,0x04,0x01,0x0f,0x1d,0xde,0xe0,0x3e,0x86,0x05,0x02,0xfc,0x3c,0x7f, - 0x38,0xf7,0xb0,0xd0,0xbb,0x0c,0xe1,0x1b,0xdc,0x6e,0xb0,0x12,0x7a,0xae,0x13,0x5d, - 0x80,0xd7,0x0e,0xb2,0xe8,0x5d,0x2a,0xbf,0x2e,0x67,0xc3,0xd8,0x8d,0xa1,0x9f,0x2c, - 0xbb,0xc4,0x33,0xca,0xf4,0x43,0x89,0xbd,0x4e,0x19,0xa5,0x71,0x1c,0x5f,0x6b,0x4d, - 0xd4,0xf7,0xdd,0xd3,0xfd,0x13,0xdc,0xde,0x76,0x2c,0x38,0x8e,0xef,0xb2,0x00,0x9c, - 0xfd,0xa5,0x52,0xa0,0xec,0xa3,0xfe,0xcc,0x80,0xee,0x8d,0xed,0x25,0xf9,0xa8,0x30, - 0x99,0x04,0x6f,0x61,0x4e,0x2f,0x08,0x6c,0xa5,0xe2,0x5b,0x15,0xae,0x58,0xbd,0xbd, - 
0xa1,0x36,0xa9,0xa1,0xb5,0xed,0x1e,0x95,0xf5,0x90,0x35,0xa2,0x5c,0xc3,0x9b,0x1f, - 0x98,0x5d,0xdd,0xcf,0xd4,0x08,0xd4,0xb7,0x90,0x58,0xb8,0xc7,0x9d,0x60,0x25,0x57, - 0xa1,0x39,0xc3,0x2c,0x75,0x07,0xd9,0x4c,0xdd,0x2f,0xc8,0xf5,0x7a,0xee,0x06,0xcf, - 0xdc,0xc3,0x22,0x89,0x37,0xa0,0x9f,0x9f,0x45,0x46,0x2d,0x98,0xac,0xdb,0x33,0x80, - 0xb3,0x29,0x76,0x6f,0x1b,0x9e,0x71,0xc7,0x41,0x9f,0x12,0x00,0x4e,0x09,0x0c,0xab, - 0xc7,0xda,0x58,0x60,0x6c,0x0a,0x6e,0x09,0xbe,0x2e,0x2f,0x4f,0x0a,0x63,0x38,0x60, - 0xca,0xc9,0xe9,0x67,0x70,0xcb,0x4e,0xed,0xa9,0xd3,0xd4,0xbc,0xa2,0x69,0x32,0xcb, - 0x62,0x69,0xa0,0x32,0x36,0x09,0x96,0x1f,0xdc,0xea,0x73,0xe6,0x84,0x3d,0x84,0xbf, - 0x62,0x82,0x4d,0x23,0xb1,0xc5,0x64,0xa8,0x57,0x07,0x37,0x3c,0x54,0x63,0x61,0xe1, - 0x24,0xeb,0xd9,0xdd,0x2e,0xb8,0x8f,0xbd,0xa9,0x3e,0x55,0xd7,0xea,0xfb,0x5a,0xc9, - 0x68,0xd9,0x9d,0x0e,0x75,0xb1,0x86,0xf0,0xa4,0xb2,0x3f,0xd7,0x77,0x7d,0x5f,0x5f, - 0x87,0x00,0x07,0x24,0x16,0x20,0x0a,0x5b,0x4b,0x52,0xb6,0x1a,0x39,0xd6,0x32,0x43, - 0x7a,0xb4,0xf8,0x81,0x59,0xec,0xbd,0x97,0xb6,0xe7,0x41,0x2b,0x68,0x19,0xb4,0x06, - 0xec,0xbf,0x34,0x36,0xa2,0x9a,0x7f,0xa0,0xa9,0x16,0x9e,0x98,0x40,0x37,0x22,0x21, - 0x3e,0x43,0xe3,0xaf,0x30,0x6e,0x50,0xf5,0xba,0xe4,0x00,0x14,0x25,0x08,0xbf,0xa8, - 0xdf,0x71,0x4b,0x3d,0x27,0x8b,0x44,0xbb,0xed,0x2c,0xcb,0x75,0x6a,0x1d,0xb8,0x8b, - 0xe9,0xe2,0x99,0x0b,0xe5,0xcd,0x0e,0x24,0xa8,0x68,0x91,0xca,0xc9,0x48,0x5c,0xdb, - 0x60,0xa0,0x43,0x52,0x82,0x74,0x17,0xd7,0x47,0x91,0xd7,0x92,0x04,0xba,0x3f,0xe4, - 0x54,0xc9,0x41,0xb9,0xa4,0xcf,0x2f,0x0f,0x7e,0xce,0xa2,0x82,0xe7,0xed,0x3a,0x48, - 0x83,0xdb,0xdb,0x9f,0x1d,0xa2,0x44,0x56,0xf0,0x76,0x7a,0x20,0x6b,0xd7,0x8e,0xc1, - 0x34,0x67,0x28,0xc3,0x1e,0x8d,0x03,0xf0,0x91,0x87,0x83,0xeb,0x26,0xa3,0x38,0xe0, - 0xc6,0xd9,0x1d,0x3a,0xa6,0xe4,0xf0,0x31,0xe9,0x23,0xce,0x6c,0x0a,0xe4,0xab,0x3c, - 0x3c,0xf2,0x68,0x8a,0x41,0xda,0x19,0x5b,0x40,0x9c,0xde,0xc7,0x84,0x0b,0x2b,0xa7, - 0xfd,0x95,0x37,0xf7,0x42,0x17,0xac,0x90,0x6e,0x11,0x53,0xfb,0x75,0x4b,0x37,0x88, - 
0xd2,0x1f,0xaa,0x73,0x98,0x0d,0x74,0xb3,0x69,0x54,0x2b,0x9e,0x5f,0xaf,0x93,0x21, - 0x07,0x05,0x60,0xc6,0x61,0x4e,0x5d,0xaf,0x36,0x79,0xca,0x85,0x4a,0x6c,0x58,0xeb, - 0xcf,0xaf,0x99,0xd9,0xb5,0x82,0x46,0xb4,0x73,0x95,0x1a,0xbc,0x78,0xdd,0xb7,0x47, - 0x10,0xeb,0x03,0x50,0x63,0x06,0x73,0xdc,0xc4,0xa1,0xa8,0xa3,0x44,0xc1,0x4d,0xc9, - 0x2c,0x73,0x75,0x0f,0xb0,0xe0,0xa5,0x43,0xd1,0x8a,0x29,0xa9,0x60,0x71,0x4d,0x82, - 0xae,0x5c,0xa5,0x87,0x93,0x4c,0xa2,0xfd,0xb5,0xb3,0xda,0xf4,0x90,0x61,0x87,0x6e, - 0xe8,0x8d,0xfc,0x52,0x17,0x06,0x87,0x32,0x37,0x6a,0xff,0xe7,0x58,0xa2,0x46,0x25, - 0xd0,0x3a,0xd8,0xf7,0xc4,0x1b,0xda,0x58,0x5d,0xb8,0xa2,0x5d,0x4d,0x8b,0x1a,0x90, - 0x20,0x12,0x00,0xf3,0x7f,0xb0,0x53,0x97,0x6d,0xfb,0xa0,0x5c,0x4a,0x6c,0xb5,0xb5, - 0xc3,0xb0,0x3a,0x32,0x71,0xbc,0x61,0xe5,0x37,0x60,0xea,0x4a,0xf5,0xd8,0x05,0xc2, - 0xd4,0x62,0xb2,0x94,0xb0,0x73,0xd6,0x82,0x08,0x60,0x71,0xee,0x7e,0xd5,0xf7,0x30, - 0x89,0xe8,0xb5,0x1a,0x08,0xb8,0xea,0x11,0x57,0x9d,0x99,0x2d,0xef,0xd0,0x5a,0xb7, - 0x24,0xc8,0x1d,0x87,0x81,0x70,0xbb,0xb9,0x88,0xed,0x04,0x32,0xab,0x55,0x7e,0xea, - 0x1a,0x77,0x80,0x7a,0x88,0x08,0xc7,0xa1,0x53,0x05,0xb1,0x85,0x43,0x5a,0x11,0x4f, - 0x2a,0x7e,0xda,0xfe,0x83,0x12,0x47,0xc4,0xd7,0x6b,0xfb,0x8a,0x0c,0x90,0x77,0x84, - 0xc0,0xb3,0xa6,0x60,0x96,0xd3,0x2f,0x5f,0x3f,0x62,0xe4,0xda,0x13,0xf4,0x35,0x50, - 0x20,0x5b,0x1a,0xd0,0xc7,0x39,0x06,0x08,0x6a,0x0d,0x5e,0xb7,0x8b,0x37,0x56,0x1c, - 0x52,0x7c,0x9b,0x6a,0xd6,0x7e,0x8e,0xb0,0x36,0xb7,0x44,0x36,0x30,0xb9,0x0f,0x39, - 0x51,0x48,0xc3,0xa3,0xa1,0x98,0x57,0x6b,0xba,0xf6,0x62,0xaf,0xf4,0x2b,0x6c,0x50, - 0xa1,0x55,0xf4,0x58,0x37,0xc4,0x4a,0xd2,0xcb,0xb6,0x59,0x19,0x82,0x3d,0x5e,0x3d, - 0x38,0xc3,0x74,0xab,0x0c,0xd0,0xb2,0xc5,0xb0,0x87,0x30,0xa2,0xef,0x0a,0x85,0xb0, - 0xe5,0x6c,0x39,0x13,0x8f,0x54,0xfe,0xf4,0x3c,0x16,0x4b,0xfd,0xfa,0x2a,0xef,0x66, - 0xa8,0x2a,0x8d,0xc0,0x7b,0x53,0x55,0x4b,0xba,0x19,0xa3,0xa3,0x5f,0x16,0xb4,0x06, - 0xb2,0x56,0xa7,0xca,0xfa,0x6a,0x1f,0xf2,0x0f,0xe5,0x58,0x8a,0x6d,0x45,0x43,0xb3, - 
0xd5,0xd2,0x35,0x4f,0x52,0x75,0x47,0x74,0x6f,0x7c,0x25,0x98,0xb2,0xa9,0xef,0x37, - 0x8e,0xa9,0x89,0xff,0x18,0xb6,0x56,0x75,0x32,0x8e,0x98,0xed,0x35,0x8b,0xca,0xad, - 0x91,0xaf,0xdd,0xd4,0xdf,0xff,0x23,0x99,0x45,0x30,0xad,0x9d,0xec,0xce,0x94,0x4a, - 0x6d,0xaa,0xd7,0x6b,0x73,0xa3,0x33,0x0d,0x8b,0x1d,0xd0,0xde,0xc6,0x30,0x82,0x05, - 0x6e,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01,0xa0,0x82,0x05,0x5f, - 0x04,0x82,0x05,0x5b,0x30,0x82,0x05,0x57,0x30,0x82,0x05,0x53,0x06,0x0b,0x2a,0x86, - 0x48,0x86,0xf7,0x0d,0x01,0x0c,0x0a,0x01,0x02,0xa0,0x82,0x04,0xee,0x30,0x82,0x04, - 0xea,0x30,0x1c,0x06,0x0a,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x0c,0x01,0x03,0x30, - 0x0e,0x04,0x08,0xe9,0x3c,0x06,0x49,0x97,0xcf,0x08,0xfe,0x02,0x02,0x08,0x00,0x04, - 0x82,0x04,0xc8,0x95,0xff,0x56,0xf1,0x44,0xdd,0xe9,0x3d,0x50,0x22,0xbd,0xda,0x8c, - 0x1d,0x0f,0x6f,0xde,0x2d,0x96,0x46,0x21,0x32,0xc9,0xde,0x6d,0x96,0x45,0xfd,0x05, - 0x67,0xde,0x46,0x22,0x87,0xc3,0xbe,0xb9,0xb1,0x30,0x9d,0x8b,0xb0,0x6b,0x35,0xd9, - 0xa0,0x09,0x49,0x43,0x77,0x93,0x3b,0x6f,0xdd,0xc9,0xba,0xdd,0xa4,0xf9,0x81,0xb0, - 0xc8,0x61,0x2e,0xd8,0xe9,0xd0,0xb4,0xa4,0xe8,0x49,0x5a,0x48,0xe7,0x88,0x21,0xdc, - 0x1d,0x84,0x12,0x08,0x08,0x74,0x52,0x36,0x4a,0x30,0x6b,0xb0,0x57,0x91,0x71,0x0c, - 0x56,0x64,0xc8,0x6d,0x4e,0xfa,0xc6,0xdf,0xec,0xc6,0xc6,0x97,0x76,0xe0,0x5d,0x14, - 0xb7,0x67,0xdc,0xec,0xc9,0x83,0xec,0x8e,0xae,0x3d,0x3d,0x85,0xd2,0x26,0xc9,0x8c, - 0x2a,0xb1,0xf1,0xd7,0xc6,0xe3,0x64,0xf8,0x31,0x59,0xf5,0x6d,0x29,0xd3,0xce,0x29, - 0x8c,0xaa,0x0e,0x3d,0x5d,0x8f,0x9e,0x00,0xb6,0xfd,0xfb,0x7a,0x3a,0x2f,0xaa,0x1e, - 0x01,0x0a,0xd6,0xb5,0xdf,0x34,0x60,0x60,0xe0,0x5a,0x94,0x68,0x6d,0x87,0x26,0x3e, - 0x85,0x83,0x1a,0xb9,0x82,0x71,0xc5,0xb1,0x28,0x67,0x9e,0x2c,0xbe,0x07,0x4a,0x8b, - 0xd2,0xa1,0x2e,0x5c,0xb1,0xff,0x26,0xae,0x2e,0xc9,0xc2,0x3a,0x78,0x12,0x50,0x0b, - 0xbd,0x01,0x48,0x41,0x89,0x1f,0xa1,0x74,0xe8,0xe0,0xc7,0x70,0x88,0xac,0xa2,0x04, - 0x21,0x82,0x4b,0x8f,0x2a,0x81,0x13,0x4a,0xbb,0x80,0x59,0x7c,0xef,0xc4,0x26,0xb8, - 
0x9d,0x43,0x76,0xef,0x2e,0x53,0xc3,0x10,0xd8,0xd8,0x76,0x2b,0xf0,0x00,0xca,0xf3, - 0xf7,0xa5,0xff,0x2a,0x7d,0x2b,0x9e,0xec,0x2d,0xf4,0x0c,0x1c,0x0e,0xa5,0xef,0x92, - 0xd5,0x26,0x2d,0x22,0xf8,0x67,0xcf,0x9d,0xc3,0x06,0xd7,0xdf,0x9a,0x91,0x94,0xaa, - 0x73,0x70,0x6b,0xf9,0xa6,0x32,0x21,0xb2,0x8a,0x2a,0xe2,0x6c,0x9b,0x6e,0x8d,0xc7, - 0xa5,0x18,0xa3,0xf4,0x8f,0xaf,0x6e,0xe3,0x4c,0x76,0xe9,0xe6,0x81,0x7f,0xa1,0x3b, - 0x53,0x3f,0xb1,0x0f,0x94,0x5b,0x57,0x23,0xfe,0x19,0x51,0xf8,0xc5,0xd6,0x6d,0xa9, - 0x55,0x53,0xb6,0xf8,0x93,0x29,0xe8,0x4b,0xca,0x1f,0x9c,0xe5,0xdb,0x30,0xa2,0x13, - 0x26,0xed,0x90,0xea,0x5e,0xa5,0xc8,0xf6,0x04,0xf3,0xc0,0xd0,0x0d,0x7c,0x33,0x66, - 0x8d,0xfd,0x69,0x70,0x91,0x96,0xe4,0x9f,0x70,0xfa,0x4b,0xbc,0x07,0xbf,0xf7,0x0e, - 0x9f,0xcc,0x3a,0xef,0x5a,0xc8,0x5f,0xd7,0x17,0x5a,0xaa,0x35,0x68,0x09,0xb7,0x5a, - 0xc9,0xab,0x33,0x40,0x17,0xb7,0xd2,0x66,0xe6,0xea,0x74,0xca,0xd5,0x71,0x89,0x8b, - 0x95,0x07,0x2c,0xbd,0x43,0xc9,0x7a,0xa3,0xb5,0x8b,0x11,0x61,0x95,0x4e,0x39,0xeb, - 0x66,0xfb,0x06,0xfb,0xf2,0xd4,0x56,0xb5,0x2b,0xca,0x93,0xde,0x22,0xbe,0xc2,0x62, - 0xbd,0xbc,0x58,0x0d,0x49,0x4d,0x08,0x82,0x8a,0x63,0x74,0x7c,0x64,0x0d,0xf5,0x36, - 0x82,0xc2,0x14,0x6a,0xa1,0x34,0x34,0x94,0x55,0x74,0xc6,0x69,0xe6,0xd4,0x3c,0x6c, - 0x03,0x0f,0xa5,0xa5,0x23,0x58,0xbb,0x97,0x75,0x97,0x70,0x4e,0x6a,0x94,0x57,0xba, - 0x5a,0xbb,0xab,0x3f,0xfe,0x8f,0x1d,0x5a,0x1f,0x7a,0x6d,0x79,0xaa,0x67,0xd8,0xdc, - 0x03,0x88,0x2f,0x2c,0xa7,0x79,0xc0,0xd7,0x85,0x42,0xf9,0xc3,0x23,0x67,0x09,0x22, - 0x3a,0xb8,0x04,0x5c,0xa9,0x75,0x18,0x35,0x16,0x39,0x7a,0xf2,0x01,0xb7,0x5e,0xe6, - 0xa1,0xc8,0x2b,0x29,0x9c,0x38,0xb1,0x8b,0x50,0xd8,0xe9,0x8b,0x6a,0x38,0x5b,0xe0, - 0xfe,0x88,0x21,0xb6,0xc9,0xf6,0x6a,0x66,0x17,0xe7,0x37,0x42,0xe9,0x62,0x63,0x41, - 0xca,0xa1,0xc7,0x0c,0x5c,0xf6,0xdc,0xf5,0xf4,0x5f,0xc1,0x84,0xc5,0x8f,0xe8,0x87, - 0x5e,0xb2,0xf5,0x0a,0x9f,0x8f,0x8d,0x71,0x25,0x3b,0x54,0xb8,0xd2,0x15,0x3f,0x69, - 0x27,0x9b,0xea,0xf7,0x83,0xf5,0xf2,0x24,0xd9,0xd8,0xd6,0x62,0x13,0x43,0xe5,0x64, - 
0xb3,0xf2,0x49,0x70,0x02,0xf4,0x76,0x42,0xae,0xed,0x00,0xbf,0x18,0x5b,0xe0,0x1c, - 0x41,0x37,0x0e,0xbd,0x13,0x2d,0xa1,0x31,0x0c,0x8c,0xd6,0xc4,0x27,0xe4,0x2a,0x74, - 0xa3,0x90,0x63,0x56,0x05,0x59,0x6a,0xdc,0x45,0x9e,0x04,0x14,0xd3,0x32,0x77,0xff, - 0xb2,0x50,0x73,0xba,0x2a,0xd3,0x70,0x69,0xbe,0xec,0xf6,0xee,0xed,0xf9,0x88,0x65, - 0x4e,0x61,0x32,0x09,0x73,0xdc,0x16,0x16,0x8a,0xec,0x09,0x44,0xcb,0x2c,0x03,0x44, - 0xaf,0xd7,0xcd,0x0d,0x91,0x52,0xf1,0xba,0xed,0x64,0x7b,0xd9,0xa1,0x1a,0x40,0xdb, - 0xf8,0x46,0x86,0x74,0x30,0x2d,0x72,0x62,0x2a,0x8c,0xd0,0xa2,0x6f,0xcd,0x21,0x02, - 0xc9,0xc4,0xd0,0x81,0x23,0x1c,0x81,0xd9,0x71,0xc1,0xee,0x70,0x37,0x8e,0x23,0x9d, - 0x2c,0xd6,0x4b,0x2b,0x08,0x92,0x95,0xbb,0xf4,0xae,0x78,0x14,0xa6,0x16,0xdc,0xf7, - 0xba,0xc1,0x18,0x96,0x13,0x5a,0xa4,0x12,0xcd,0x96,0x2b,0xb3,0x21,0x0a,0xd6,0x7e, - 0x25,0xd8,0xe9,0x59,0xd5,0x18,0x91,0x85,0xc1,0xe3,0xee,0xf8,0x9b,0x4f,0x42,0x04, - 0x03,0x7d,0xe8,0xcc,0x2a,0xa3,0x8e,0x95,0x9b,0x47,0xb0,0x89,0x7f,0xd5,0x53,0xbd, - 0x54,0x7b,0x73,0xa2,0x0a,0x62,0x51,0x34,0x3b,0xc5,0x41,0x5d,0xa5,0x5c,0x94,0x69, - 0xd5,0xfd,0x5e,0x71,0xc1,0x6e,0x18,0x80,0x1f,0xab,0x94,0xcd,0x0d,0x44,0x47,0xd4, - 0xa9,0xf3,0x3a,0xfd,0xf8,0x47,0xe4,0x9c,0xd7,0x5d,0x54,0x6f,0x4b,0xea,0xf1,0x8f, - 0x9f,0xca,0x3c,0x24,0xe6,0x8b,0xa5,0x29,0x5b,0x07,0x05,0x60,0x41,0xce,0x77,0x2b, - 0xfe,0xe0,0x4e,0x47,0x92,0x2d,0xca,0x5b,0x6e,0x08,0xcc,0x25,0x8e,0xc8,0x93,0x96, - 0x49,0x6d,0x3f,0x25,0xbf,0x8e,0x37,0xe3,0xdf,0xb9,0xea,0xf0,0x2b,0x56,0xc8,0x30, - 0x7d,0xff,0x32,0xfa,0x9c,0xf1,0x35,0x6b,0x68,0xf2,0xfd,0x1e,0x23,0xf2,0x95,0x81, - 0x68,0xd8,0xec,0x95,0x5b,0x85,0xa8,0x42,0xa6,0xcc,0xf5,0x03,0x95,0xf1,0x3f,0xd2, - 0x86,0x3a,0x1f,0x11,0xd2,0xcf,0x4b,0x32,0xf2,0xb9,0x46,0x3e,0xf5,0xbb,0x0d,0xa0, - 0x5b,0x85,0xea,0xe0,0xbd,0x7c,0x3b,0x75,0x80,0x1c,0x8a,0x6d,0x92,0x39,0x27,0xbf, - 0xc5,0x8e,0xb4,0x5a,0xaf,0xd5,0x8b,0x34,0x53,0x85,0x76,0x60,0xe6,0xd4,0xb8,0xe2, - 0x2f,0x9e,0x66,0x24,0x28,0x66,0x06,0x25,0x62,0x77,0x35,0xce,0x36,0x68,0x2a,0xdc, - 
0x82,0x94,0xd8,0x21,0x96,0x7b,0x05,0x10,0x3b,0xcc,0xfb,0x43,0x11,0xd0,0x25,0xfc, - 0x1c,0x5a,0x1c,0xee,0x3d,0x1c,0x75,0xf8,0x41,0xa7,0x10,0x48,0xd7,0xee,0x9e,0xa4, - 0x62,0xb0,0x64,0xaa,0x55,0xd9,0xd7,0xb6,0x4b,0xe9,0x84,0xa8,0x64,0xcc,0xb3,0x3a, - 0xe7,0x83,0xf0,0x8a,0xd3,0xe3,0x86,0xda,0xb5,0xc7,0x8e,0x9c,0x84,0xde,0x06,0x5d, - 0x8f,0x4d,0x68,0x35,0x69,0x88,0xc2,0xd1,0xea,0xab,0x1b,0xa7,0xf0,0x8e,0x05,0x3d, - 0xdb,0x8b,0x27,0x20,0xd2,0xb1,0x20,0xab,0x9a,0xda,0x4d,0x03,0xbd,0xa4,0x17,0xf6, - 0x01,0xb5,0x25,0x62,0x02,0xe5,0x17,0xdd,0x71,0x8a,0xe8,0x2b,0x01,0x56,0x35,0x31, - 0x79,0x6f,0x7f,0x98,0x3f,0x5c,0x3d,0x0d,0x11,0x43,0x44,0x31,0xe0,0x94,0xa0,0x6a, - 0xaa,0x8e,0x24,0x0d,0x8f,0xe2,0x81,0x75,0x0d,0x9f,0x54,0xf8,0x0e,0x23,0x19,0xb9, - 0xa9,0x6e,0x11,0xfc,0x08,0xb4,0x73,0x77,0xda,0x3b,0x00,0x63,0xc4,0xb8,0x79,0xb4, - 0xf9,0xb2,0x41,0x55,0xd5,0xb6,0xd3,0x91,0x4d,0x77,0xeb,0xc9,0xb9,0x42,0xba,0xef, - 0x05,0xae,0x2f,0xc3,0x1a,0x7d,0x9b,0x01,0xef,0xee,0x8f,0x0b,0x2c,0x68,0xab,0xc6, - 0x43,0xb3,0x87,0x1f,0xca,0xba,0xe7,0x30,0xe9,0x7a,0xda,0x55,0xec,0x77,0xd1,0xb6, - 0x44,0xcb,0x91,0x43,0xa9,0x2b,0xc1,0x26,0xed,0x14,0x85,0x31,0x52,0x30,0x2b,0x06, - 0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09,0x14,0x31,0x1e,0x1e,0x1c,0x00,0x54, - 0x00,0x65,0x00,0x73,0x00,0x74,0x00,0x20,0x00,0x53,0x00,0x53,0x00,0x4c,0x00,0x20, - 0x00,0x55,0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x00,0x30,0x23,0x06,0x09,0x2a,0x86, - 0x48,0x86,0xf7,0x0d,0x01,0x09,0x15,0x31,0x16,0x04,0x14,0xf1,0x1b,0x6e,0xf2,0x3a, - 0xc4,0x3a,0xe1,0xd6,0x4b,0x7d,0x31,0xf3,0x2c,0xd4,0x63,0x06,0x66,0x37,0xe0,0x30, - 0x30,0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14, - 0x85,0xed,0x34,0x3d,0xde,0xa1,0x8a,0x94,0xcd,0x12,0x95,0xf7,0x2d,0xb2,0x60,0xfd, - 0xbd,0x67,0xe9,0x2d,0x04,0x08,0x71,0xfc,0x54,0xf2,0x12,0x3c,0x22,0xf1,0x02,0x01, - 0x01 +unsigned char Test_ssl_user_p12[] = { + 0x30, 0x82, 0x0a, 0x83, 0x02, 0x01, 0x03, 0x30, 0x82, 0x0a, 0x4a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 
0x01, 0xa0, 0x82, 0x0a, 0x3b, 0x04, 0x82, 0x0a, 0x37, 0x30, 0x82, 0x0a, 0x33, 0x30, 0x82, 0x04, 0xbf, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06, 0xa0, 0x82, 0x04, 0xb0, 0x30, 0x82, 0x04, 0xac, 0x02, 0x01, 0x00, + 0x30, 0x82, 0x04, 0xa5, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x0a, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06, 0x30, 0x0e, 0x04, 0x08, 0xe2, 0xcf, 0xcc, 0x9d, 0x17, 0xcd, 0x62, + 0xa4, 0x02, 0x02, 0x08, 0x00, 0x80, 0x82, 0x04, 0x78, 0xe0, 0x0c, 0xd8, 0xf5, 0x7c, 0xf7, 0x2f, 0x1e, 0xbf, 0x95, 0x6b, + 0xc1, 0x43, 0x35, 0x3e, 0x8d, 0xdf, 0x65, 0x9b, 0xd8, 0xa0, 0xb2, 0x86, 0xec, 0x38, 0x39, 0x04, 0x72, 0x39, 0x3b, 0xf1, + 0x5c, 0x1d, 0x1c, 0xac, 0xe6, 0x67, 0xea, 0xce, 0xb2, 0x15, 0xe5, 0xd4, 0xee, 0xe8, 0xf1, 0xad, 0x45, 0x75, 0x6a, 0x07, + 0xbd, 0xe5, 0x2b, 0x55, 0x89, 0x24, 0xed, 0x65, 0xc7, 0x8e, 0x50, 0xf8, 0x38, 0xef, 0x9c, 0x79, 0x1b, 0xb7, 0xb5, 0x34, + 0x32, 0x36, 0xa9, 0x1a, 0x65, 0x0f, 0xc4, 0x22, 0x9c, 0x9f, 0xd8, 0x70, 0xe9, 0x8e, 0x59, 0x88, 0x95, 0x86, 0xb0, 0x2c, + 0xb2, 0xc5, 0x4d, 0x5a, 0x3d, 0x6a, 0xbf, 0x1a, 0x3a, 0x60, 0xbe, 0xde, 0x33, 0xb4, 0x21, 0x86, 0x8b, 0x02, 0x38, 0xf4, + 0x77, 0x7e, 0x40, 0x9f, 0x0c, 0x55, 0xed, 0x76, 0xfd, 0x60, 0x70, 0x94, 0x3e, 0xf9, 0x01, 0x42, 0xa7, 0x84, 0x0f, 0xfd, + 0xc0, 0x93, 0x4e, 0xe2, 0x78, 0x13, 0x5d, 0x56, 0x1a, 0x76, 0xf0, 0x99, 0x34, 0x92, 0x0c, 0x3f, 0x19, 0x81, 0x5c, 0x0a, + 0x6b, 0xcc, 0x19, 0x65, 0x06, 0x88, 0xc9, 0x9c, 0x76, 0xaa, 0xa2, 0x0c, 0x5c, 0x4a, 0x38, 0xcf, 0x6d, 0x79, 0xf6, 0xde, + 0x39, 0x7a, 0xc9, 0xe6, 0x6c, 0x42, 0xfe, 0xaa, 0xc4, 0xc0, 0x62, 0xa3, 0xda, 0xe1, 0x08, 0x86, 0x79, 0x2d, 0x80, 0x6a, + 0x5f, 0xa9, 0x79, 0x43, 0xfe, 0xfc, 0xed, 0x08, 0xb3, 0x80, 0x91, 0xa6, 0xe7, 0x9a, 0xc8, 0x77, 0xc7, 0x4c, 0x7e, 0x6a, + 0x79, 0x76, 0x9f, 0x28, 0x0f, 0x24, 0xd2, 0xee, 0x5e, 0x4f, 0x76, 0xe8, 0xa9, 0xd3, 0x1a, 0xf1, 0xe4, 0x0d, 0xb8, 0x26, + 0x95, 0x63, 0xd3, 0x59, 0xfb, 0x03, 0x08, 0xea, 0x59, 
0x4e, 0xe2, 0x6d, 0x74, 0x47, 0xa2, 0x8b, 0x1c, 0x21, 0x9f, 0x1c, + 0x68, 0x54, 0x76, 0x78, 0x8a, 0xfa, 0xa3, 0x65, 0x87, 0xd4, 0x6c, 0x16, 0x38, 0xaa, 0xc9, 0x11, 0x58, 0x25, 0x05, 0xba, + 0x68, 0x92, 0xd8, 0x06, 0x85, 0x19, 0x1e, 0xcc, 0xdb, 0x07, 0x27, 0xa8, 0xe9, 0xec, 0xfb, 0xb9, 0xbd, 0x5e, 0x67, 0x22, + 0xae, 0xcd, 0xbd, 0xe6, 0xdc, 0x8d, 0x5a, 0xf2, 0x3c, 0xf4, 0x06, 0xa6, 0x0e, 0x98, 0xfc, 0xec, 0x64, 0x05, 0xb8, 0xa5, + 0xfe, 0x5b, 0x27, 0x41, 0x90, 0xe4, 0x2c, 0x93, 0x38, 0xec, 0xc6, 0xa2, 0x08, 0xe4, 0xab, 0xb2, 0xb5, 0x7b, 0xa6, 0xe0, + 0x89, 0x97, 0xb6, 0xc0, 0xd4, 0xa8, 0x1f, 0xcb, 0xf4, 0xc6, 0x59, 0xcd, 0xaa, 0x99, 0x40, 0xc6, 0x41, 0x18, 0x3a, 0x95, + 0x3a, 0x71, 0x06, 0x5c, 0x0d, 0x4c, 0xdf, 0xc2, 0x37, 0x37, 0x78, 0x33, 0x5d, 0x35, 0x7c, 0x0e, 0x33, 0x7c, 0xfd, 0x97, + 0x18, 0x07, 0xad, 0x54, 0xf0, 0x83, 0xed, 0x20, 0x6c, 0x8a, 0x28, 0x48, 0x29, 0x5c, 0x2c, 0x61, 0x25, 0x87, 0x0b, 0xfc, + 0x96, 0x8a, 0x51, 0x74, 0x8d, 0x21, 0x0b, 0x6d, 0x6a, 0x88, 0x6c, 0xa5, 0xc0, 0xd7, 0x9a, 0xe7, 0x16, 0x49, 0x66, 0xbf, + 0xb3, 0x96, 0x73, 0x4d, 0x61, 0x9e, 0x7f, 0x3b, 0x6d, 0x37, 0x5d, 0x31, 0x3f, 0x00, 0x5c, 0x92, 0x20, 0x6e, 0xab, 0x25, + 0xb3, 0xe9, 0x7a, 0xba, 0xeb, 0xaa, 0x9e, 0xb4, 0xdb, 0xf5, 0x85, 0x51, 0x71, 0xed, 0x5e, 0x4d, 0x04, 0xdc, 0x4d, 0x5d, + 0x0d, 0x24, 0x74, 0xa4, 0xaf, 0x30, 0x3f, 0x82, 0x0c, 0xe3, 0xfa, 0x21, 0x82, 0x25, 0x29, 0xda, 0x0f, 0x4b, 0x2e, 0x1c, + 0xb2, 0x06, 0xe7, 0x36, 0x56, 0xb7, 0x4c, 0xf6, 0x37, 0x2c, 0x80, 0xa3, 0x21, 0xdc, 0x3b, 0xa5, 0xed, 0x24, 0x0e, 0x69, + 0x15, 0xc2, 0x96, 0x0b, 0xa2, 0x72, 0x7a, 0xa4, 0xf8, 0xab, 0x6b, 0xa4, 0xa5, 0x7e, 0x6e, 0x3a, 0xf3, 0x4d, 0x92, 0xba, + 0x90, 0xf0, 0x9d, 0x20, 0x9f, 0xf4, 0x5c, 0xf6, 0x44, 0x74, 0x6a, 0xc3, 0xc4, 0xed, 0x6d, 0x95, 0x81, 0x53, 0x60, 0xb4, + 0x80, 0xf4, 0xd3, 0x5f, 0xad, 0xb6, 0x57, 0x9c, 0xb7, 0x59, 0xcc, 0x51, 0x54, 0x5f, 0x67, 0x32, 0x69, 0x63, 0x80, 0x77, + 0x03, 0x23, 0x07, 0x4f, 0xff, 0x27, 0xd4, 0x52, 0xce, 0xac, 0xba, 0xd5, 0x8d, 0xab, 0xf8, 0xc9, 0x48, 
0x01, 0xf7, 0xea, + 0xf7, 0x76, 0x2e, 0xbc, 0xdd, 0x7b, 0x7f, 0x60, 0x12, 0x72, 0x4f, 0x04, 0x0e, 0x93, 0x5e, 0x7e, 0x15, 0x09, 0x2b, 0xa1, + 0x2c, 0xa5, 0x9d, 0x36, 0xd4, 0xbf, 0x5c, 0xb1, 0x19, 0xd4, 0x0e, 0x00, 0x0e, 0x05, 0x7a, 0x84, 0xb0, 0xba, 0xe9, 0x8e, + 0x15, 0x0a, 0xad, 0x4d, 0x8d, 0x1e, 0xff, 0x10, 0x01, 0x43, 0xbf, 0xa9, 0xbf, 0x3b, 0xdf, 0x86, 0x6b, 0xef, 0x86, 0x63, + 0xfa, 0x9e, 0x28, 0xda, 0xb7, 0x03, 0x2b, 0x0b, 0xce, 0x12, 0x5f, 0xd8, 0x42, 0xfc, 0x4f, 0x63, 0x93, 0xbe, 0xef, 0x11, + 0x73, 0xd4, 0xc0, 0xbc, 0x23, 0xc2, 0x99, 0xbc, 0x29, 0xe1, 0xd7, 0x4d, 0xc2, 0xe8, 0x3e, 0xb0, 0xaa, 0x96, 0xed, 0xf8, + 0x48, 0x20, 0x3d, 0xa6, 0xed, 0xc6, 0xa2, 0x8f, 0x89, 0x45, 0x70, 0xbf, 0xf7, 0xee, 0x6f, 0x2a, 0xd1, 0x93, 0xce, 0xad, + 0x55, 0xfe, 0xe9, 0xa8, 0xfc, 0x94, 0x24, 0x91, 0x98, 0x0a, 0xac, 0x90, 0xa6, 0xa7, 0x27, 0x05, 0x55, 0xb3, 0x3e, 0xa7, + 0x08, 0xb0, 0x4b, 0x31, 0xb5, 0xe8, 0x9f, 0x67, 0x74, 0x73, 0x3c, 0x42, 0x84, 0x67, 0x84, 0x97, 0x95, 0x33, 0x00, 0xfe, + 0x69, 0x61, 0x52, 0x05, 0x4c, 0x8b, 0x65, 0x8e, 0x00, 0xf8, 0xd8, 0xe3, 0x40, 0x66, 0x04, 0x06, 0x09, 0x05, 0x93, 0x49, + 0x18, 0xa5, 0x41, 0x6f, 0xc3, 0x28, 0xaf, 0x30, 0xaf, 0x43, 0xaa, 0x74, 0x73, 0x9f, 0xdc, 0x58, 0x83, 0xe9, 0x42, 0xa8, + 0x16, 0xdd, 0xce, 0xf9, 0xbe, 0xe9, 0x33, 0xf8, 0xbf, 0x51, 0x08, 0x25, 0xdf, 0x7a, 0xbe, 0x00, 0x8a, 0xd6, 0x82, 0xf3, + 0xdb, 0xd0, 0x21, 0x48, 0x5c, 0xd5, 0xea, 0x86, 0xd7, 0xff, 0xe0, 0x2f, 0x93, 0xfc, 0x3e, 0xc8, 0xdd, 0xb8, 0x3e, 0x79, + 0xd4, 0x22, 0xa3, 0xaa, 0xeb, 0x47, 0xec, 0xaf, 0xd8, 0xf1, 0xa8, 0x71, 0x7e, 0xae, 0x85, 0xff, 0xe1, 0x98, 0x7f, 0x59, + 0x88, 0x1d, 0xaa, 0x11, 0x89, 0xbe, 0x6e, 0x4e, 0xdc, 0x77, 0xf4, 0xe1, 0x14, 0xcc, 0x1c, 0xd4, 0x8a, 0xc3, 0x0c, 0xff, + 0xb9, 0x12, 0xc1, 0xf3, 0xb6, 0xcc, 0xa2, 0x01, 0x49, 0xad, 0x59, 0x47, 0x17, 0x4a, 0x1a, 0x90, 0xd0, 0x77, 0x77, 0x3e, + 0xad, 0xdd, 0x58, 0x08, 0x40, 0x92, 0xb6, 0xcf, 0x84, 0x64, 0x72, 0x84, 0x8d, 0x98, 0x9f, 0x64, 0x28, 0x45, 0x1a, 0xb0, + 0x88, 0x08, 0xaa, 0x7b, 
0x11, 0x15, 0x08, 0xc3, 0x56, 0xa5, 0x0d, 0x7e, 0x04, 0x37, 0xe0, 0x62, 0xbb, 0x34, 0xe9, 0x84, + 0xb2, 0xd0, 0x1a, 0xec, 0xa9, 0x74, 0x9b, 0xf1, 0x0e, 0x30, 0x84, 0xb0, 0x62, 0x17, 0x92, 0x31, 0x0c, 0x11, 0x9e, 0xa0, + 0xa7, 0x48, 0x9a, 0xd7, 0xa4, 0x29, 0x05, 0xea, 0xf4, 0x11, 0x21, 0xdd, 0x8e, 0x9b, 0x79, 0x4a, 0x9b, 0x5c, 0xeb, 0x8b, + 0x55, 0x0b, 0x0d, 0x0d, 0x7e, 0xe0, 0x79, 0x2f, 0x03, 0x52, 0xec, 0x4c, 0x63, 0xa0, 0xa8, 0xc2, 0x66, 0x63, 0xda, 0x18, + 0xad, 0x93, 0xde, 0xb3, 0xb1, 0xe8, 0x08, 0xf8, 0x98, 0x5d, 0x19, 0x40, 0xae, 0xcd, 0x3e, 0xcd, 0x82, 0x09, 0x0c, 0x05, + 0x5b, 0x84, 0x77, 0xd4, 0xf8, 0x1b, 0x53, 0xa6, 0xf0, 0x93, 0x85, 0x9c, 0x79, 0x43, 0x71, 0x4c, 0x8f, 0x66, 0x05, 0x7f, + 0xc4, 0x20, 0x95, 0xfe, 0x1b, 0xd6, 0xf4, 0x2d, 0x4d, 0x42, 0xc6, 0x7f, 0x69, 0x69, 0x1e, 0xad, 0xf5, 0x26, 0xdf, 0x85, + 0x26, 0xed, 0xf3, 0xe1, 0x5c, 0x1a, 0x86, 0x03, 0xbe, 0xd8, 0x96, 0x77, 0x52, 0xd5, 0x4a, 0xb4, 0xf5, 0xfc, 0x0a, 0xb0, + 0xee, 0xb5, 0x21, 0x8c, 0xa4, 0x56, 0xf9, 0xf9, 0x05, 0x27, 0x49, 0x2d, 0x5d, 0x11, 0xac, 0xa5, 0x33, 0xe6, 0x55, 0x73, + 0x54, 0xb9, 0xd1, 0x2a, 0xf8, 0x9a, 0x1d, 0xd3, 0x30, 0x90, 0x41, 0x3f, 0x0c, 0xf1, 0x0c, 0xa9, 0xae, 0xd0, 0x4d, 0xec, + 0x66, 0x66, 0xc8, 0xb5, 0x57, 0xbc, 0xf4, 0xc0, 0xeb, 0x23, 0xb9, 0xc8, 0x8b, 0x43, 0x70, 0x96, 0x2e, 0x20, 0x14, 0x3a, + 0x70, 0x3a, 0xf7, 0x83, 0xa9, 0x7b, 0x80, 0x6d, 0xc4, 0x76, 0xa5, 0x83, 0xf0, 0x55, 0xa0, 0x78, 0xc4, 0x7f, 0xc4, 0xae, + 0xf0, 0xa9, 0x65, 0x5c, 0xd5, 0xda, 0xe1, 0xe1, 0x90, 0xb8, 0xa6, 0x07, 0x2e, 0x30, 0x82, 0x05, 0x6c, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x05, 0x5d, 0x04, 0x82, 0x05, 0x59, 0x30, 0x82, 0x05, 0x55, + 0x30, 0x82, 0x05, 0x51, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x82, 0x04, + 0xee, 0x30, 0x82, 0x04, 0xea, 0x30, 0x1c, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, + 0x0e, 0x04, 0x08, 0x33, 0x8e, 0xe4, 0x7e, 0x74, 0x9d, 0xf7, 0xfa, 0x02, 
0x02, 0x08, 0x00, 0x04, 0x82, 0x04, 0xc8, 0x10, + 0x10, 0x9b, 0xe5, 0xa8, 0xe1, 0x82, 0x43, 0x54, 0xc5, 0xda, 0xfb, 0x4b, 0x57, 0x45, 0xd3, 0x38, 0xfe, 0x8f, 0x95, 0xf7, + 0x86, 0x7f, 0x50, 0x15, 0x3a, 0x1a, 0xee, 0xcf, 0x8a, 0xa4, 0x67, 0x2a, 0x62, 0x1e, 0x2d, 0x05, 0xab, 0x21, 0x93, 0xdc, + 0x37, 0xe3, 0xdb, 0x5c, 0xb9, 0x86, 0x7c, 0x78, 0xab, 0x62, 0x1a, 0xea, 0x7d, 0x51, 0x01, 0x72, 0x3f, 0xcd, 0x40, 0x0b, + 0x97, 0xae, 0x89, 0xe3, 0x97, 0x81, 0x0e, 0x1f, 0x27, 0x36, 0x46, 0x7b, 0x17, 0xd3, 0xe3, 0x93, 0x8c, 0xde, 0xc3, 0xf1, + 0x05, 0x0f, 0x0c, 0x40, 0x45, 0x53, 0xe9, 0xf5, 0xa9, 0x42, 0xc9, 0x22, 0x8e, 0xa5, 0xd0, 0x3b, 0xbe, 0xf0, 0x1e, 0x39, + 0x11, 0xc5, 0xf7, 0x19, 0x27, 0x65, 0x56, 0xb4, 0x4d, 0xe8, 0xee, 0xd3, 0x81, 0x21, 0xb4, 0x43, 0x9d, 0x82, 0x24, 0x03, + 0x81, 0x06, 0xc5, 0xe2, 0x9c, 0x4e, 0x10, 0x4c, 0x5d, 0xda, 0x1a, 0xc0, 0x8b, 0x54, 0x42, 0x3f, 0x6a, 0x9c, 0x9e, 0xad, + 0xfd, 0xce, 0x62, 0x30, 0xb9, 0xaf, 0x99, 0xc8, 0xea, 0xd7, 0x3c, 0x8d, 0x81, 0x9a, 0xa4, 0x13, 0x11, 0x56, 0x6a, 0x99, + 0x18, 0x40, 0x95, 0x65, 0x61, 0x54, 0x94, 0x91, 0x69, 0x37, 0x99, 0xa5, 0xd1, 0xce, 0x76, 0x3d, 0x63, 0x52, 0xb9, 0x8a, + 0x4e, 0xcb, 0x21, 0x8f, 0x6b, 0xe3, 0xe1, 0x2a, 0x6d, 0xdc, 0x58, 0xf7, 0x1b, 0x9b, 0x9b, 0xa1, 0x6a, 0xe4, 0x60, 0xc6, + 0x6b, 0x55, 0x35, 0x8c, 0x90, 0xfe, 0x12, 0xe2, 0x4a, 0xd3, 0x5d, 0x55, 0xd1, 0x19, 0x47, 0xcd, 0x3a, 0x74, 0xfb, 0xc8, + 0xfe, 0xb1, 0x82, 0xe9, 0x50, 0xb9, 0x80, 0x77, 0x4a, 0x18, 0xc5, 0xe0, 0x3d, 0x45, 0xe8, 0xf7, 0xd3, 0x96, 0x0f, 0x88, + 0x09, 0xf0, 0x49, 0xe7, 0xcf, 0x44, 0xfd, 0xe8, 0x33, 0x22, 0x98, 0x7f, 0x06, 0x1b, 0xf7, 0x54, 0xf6, 0xd1, 0xd1, 0x05, + 0xa8, 0x17, 0x94, 0x41, 0xbf, 0x2b, 0x80, 0xca, 0x41, 0xc5, 0xdc, 0xeb, 0xee, 0x1b, 0xad, 0xbe, 0xae, 0xcf, 0x67, 0x9b, + 0xfb, 0x88, 0x3d, 0xc0, 0x70, 0xb2, 0xbe, 0x16, 0x7c, 0x35, 0xa9, 0xc5, 0xdc, 0xa0, 0x2d, 0x0a, 0x59, 0x9a, 0x59, 0x51, + 0x76, 0x35, 0x85, 0x8f, 0xc7, 0xf7, 0x56, 0x0c, 0xdc, 0xc6, 0xe4, 0x6a, 0xe8, 0x26, 0x6f, 0xd4, 0x4e, 0x0a, 0xa5, 0x99, 
+ 0x3b, 0xcc, 0x0a, 0xa3, 0x44, 0x24, 0x31, 0x28, 0x4f, 0x84, 0xeb, 0x5b, 0x00, 0xf4, 0xa2, 0xf0, 0xdd, 0xfe, 0xe0, 0x57, + 0x5a, 0x9a, 0xc0, 0x64, 0x9f, 0x9c, 0x5e, 0xf8, 0x42, 0x74, 0x54, 0xe8, 0xc4, 0x3b, 0x70, 0xe3, 0xd3, 0x08, 0x9e, 0x13, + 0xbd, 0xeb, 0x5f, 0x01, 0xe6, 0x08, 0xb8, 0x6a, 0xae, 0xe8, 0xe3, 0x9a, 0x89, 0x29, 0xb8, 0x2d, 0xb3, 0x29, 0x19, 0xee, + 0x6e, 0x3d, 0x66, 0xa1, 0x04, 0xbb, 0x17, 0xe1, 0x5b, 0xb7, 0xaa, 0x87, 0x76, 0xe5, 0x88, 0x6c, 0x24, 0x26, 0xdf, 0x69, + 0x6b, 0x40, 0xd6, 0x42, 0x13, 0xc4, 0x0a, 0x09, 0xfb, 0x92, 0x41, 0x34, 0x85, 0x6a, 0xd9, 0xb2, 0xa6, 0x3b, 0xb2, 0xbd, + 0xae, 0x50, 0x9a, 0x1a, 0xc4, 0xe1, 0xd7, 0x86, 0x3c, 0xb9, 0xf5, 0x5f, 0x99, 0x2a, 0x2a, 0xfb, 0x64, 0x2e, 0x33, 0xb2, + 0x2b, 0xb5, 0x0b, 0x87, 0x19, 0x7f, 0xc1, 0xfa, 0xa3, 0x0f, 0x8c, 0xff, 0xda, 0x64, 0x48, 0xa7, 0xe8, 0x85, 0x10, 0x2a, + 0x61, 0x1d, 0x59, 0xf8, 0x1b, 0x46, 0x8a, 0x7a, 0xa2, 0x44, 0x90, 0xd9, 0x1d, 0xe6, 0xe7, 0x69, 0x53, 0x1c, 0xd6, 0x02, + 0x27, 0x2c, 0x86, 0xed, 0xbc, 0xe8, 0xf8, 0xb9, 0xbd, 0x8c, 0xd4, 0x12, 0xf0, 0xb9, 0x66, 0x61, 0xf8, 0xda, 0x7c, 0x7c, + 0xb6, 0x72, 0xa4, 0xd6, 0xd8, 0x84, 0x0b, 0x06, 0x85, 0x25, 0x5e, 0xf8, 0x4d, 0xad, 0xcc, 0x60, 0x00, 0x61, 0xf0, 0xf0, + 0x38, 0x65, 0xe5, 0x4e, 0xfc, 0xd3, 0x8b, 0x3e, 0xae, 0xf1, 0x29, 0x2e, 0x9f, 0xb1, 0x59, 0x0c, 0x65, 0x03, 0x2e, 0x1f, + 0x95, 0xd8, 0x07, 0x19, 0x3d, 0x85, 0x27, 0xfa, 0xc5, 0x35, 0xec, 0x69, 0xda, 0x2f, 0x9e, 0x40, 0xa7, 0x5c, 0x0b, 0xed, + 0xac, 0xc4, 0x99, 0xa3, 0x63, 0xef, 0x73, 0x24, 0x9c, 0x43, 0x1c, 0x45, 0x36, 0xb9, 0x33, 0xf4, 0x2e, 0xbd, 0x7e, 0xb6, + 0xf0, 0xd1, 0xf6, 0x86, 0xf4, 0x2c, 0x1d, 0xc2, 0xc6, 0x62, 0xcf, 0x6d, 0x70, 0x89, 0x9f, 0x36, 0x26, 0xbe, 0xa3, 0x4b, + 0x23, 0x00, 0xbc, 0x62, 0x85, 0x35, 0xa4, 0x25, 0x23, 0xae, 0x60, 0x82, 0x02, 0x25, 0xfd, 0x5b, 0x6a, 0xa1, 0x6b, 0x1b, + 0xcf, 0x42, 0x40, 0xca, 0xee, 0x95, 0x08, 0xd4, 0x5b, 0xa7, 0xc8, 0x29, 0x0b, 0xea, 0xe3, 0x19, 0xb4, 0x85, 0xb7, 0x0d, + 0xcf, 0x3a, 0x0f, 0x51, 0x15, 0x84, 0x4a, 
0x1d, 0xad, 0x7f, 0xd0, 0x41, 0x93, 0x10, 0x31, 0xb1, 0x54, 0xfb, 0x19, 0xad, + 0x96, 0x09, 0xb8, 0x65, 0x3f, 0xe2, 0x57, 0x40, 0xb5, 0x0c, 0xc9, 0x89, 0x52, 0x56, 0x10, 0xda, 0xe0, 0x10, 0x18, 0x91, + 0xbb, 0xe2, 0xe3, 0x2c, 0x8e, 0xd7, 0x43, 0x7a, 0xdc, 0xbb, 0x76, 0x67, 0x25, 0x9c, 0x81, 0xec, 0x59, 0x7c, 0xdc, 0xea, + 0x02, 0x29, 0x80, 0xdf, 0x20, 0xaf, 0xba, 0x26, 0xe1, 0x49, 0xcf, 0x7e, 0x69, 0x36, 0x77, 0xad, 0x0b, 0xcc, 0x7d, 0x10, + 0x3f, 0x31, 0x60, 0x0e, 0x17, 0x36, 0x8c, 0xbd, 0x4d, 0x80, 0xe8, 0xe7, 0x7a, 0x7a, 0x1e, 0x17, 0x77, 0x79, 0x9a, 0x1f, + 0xd7, 0x2f, 0x76, 0xf2, 0x4a, 0x52, 0xd9, 0x9f, 0x02, 0x2c, 0xc7, 0xd5, 0x0f, 0x05, 0x8b, 0x59, 0xd9, 0x13, 0xdc, 0x57, + 0xbb, 0x56, 0xd0, 0xc4, 0x13, 0xac, 0x34, 0x05, 0x19, 0x92, 0xb6, 0x18, 0x12, 0x26, 0xe1, 0xe6, 0xe9, 0x8d, 0x6a, 0xad, + 0x83, 0x95, 0xcf, 0x7f, 0x91, 0xad, 0xe3, 0x9f, 0x15, 0x05, 0x95, 0x96, 0x8d, 0x80, 0xc3, 0x13, 0x09, 0xac, 0xa4, 0xd9, + 0xfe, 0xb1, 0xb3, 0x9d, 0x94, 0x49, 0xb9, 0x2d, 0x84, 0x64, 0x4d, 0x75, 0xb8, 0x58, 0x75, 0xec, 0x30, 0x0a, 0xf7, 0x96, + 0xf3, 0xc8, 0x19, 0xa8, 0xbd, 0x62, 0x14, 0x00, 0xb4, 0x26, 0x35, 0x3f, 0x78, 0x43, 0xb1, 0xab, 0x8f, 0xab, 0xa1, 0xf3, + 0x43, 0x87, 0xb3, 0x88, 0x1f, 0xc1, 0x89, 0x6c, 0xcf, 0x1f, 0x38, 0x1c, 0xe0, 0x68, 0xcc, 0x93, 0x46, 0x8c, 0xde, 0x4c, + 0x2c, 0x27, 0x6d, 0xb6, 0x91, 0xa8, 0xc5, 0xee, 0xf7, 0x47, 0x17, 0x5a, 0x11, 0xb2, 0x3a, 0xbc, 0x35, 0xee, 0x05, 0xc3, + 0x17, 0x63, 0x69, 0x77, 0xbd, 0x43, 0x80, 0x71, 0xe9, 0xd6, 0x8c, 0xdd, 0xef, 0x0a, 0xf8, 0x59, 0x1d, 0x61, 0xd6, 0x19, + 0x64, 0x71, 0xe7, 0x3c, 0x36, 0xd8, 0x07, 0x5d, 0x6c, 0x0f, 0x28, 0x99, 0xa6, 0x9e, 0x01, 0x1b, 0x4c, 0x9a, 0x5f, 0xde, + 0x96, 0xb0, 0x61, 0x0a, 0x9c, 0xeb, 0x2a, 0x29, 0x09, 0x1b, 0xaa, 0x62, 0x75, 0x5e, 0xd5, 0x9f, 0xe1, 0x12, 0x69, 0xa2, + 0x1d, 0xbd, 0x97, 0x10, 0xdd, 0x62, 0xf9, 0x27, 0x47, 0xf2, 0x64, 0x12, 0xce, 0x95, 0xc0, 0xdc, 0xd6, 0x92, 0x48, 0xb4, + 0xb2, 0x18, 0x78, 0x2e, 0xaf, 0xb0, 0xd7, 0x48, 0x98, 0x29, 0x1b, 0xb9, 0x50, 0xf7, 0x95, 
0x26, 0x53, 0xc4, 0xd6, 0x6f, + 0x26, 0x5f, 0x95, 0x9f, 0x51, 0xf3, 0x96, 0xbc, 0xca, 0xff, 0x0d, 0x8a, 0x69, 0xa5, 0xb0, 0x82, 0x02, 0x3e, 0x77, 0xb7, + 0x87, 0xea, 0x2a, 0xc0, 0x2e, 0xc7, 0xb6, 0x2c, 0x06, 0x19, 0x8f, 0x84, 0x46, 0xd6, 0x58, 0xf2, 0xb8, 0x8a, 0xdb, 0xd2, + 0x72, 0xe0, 0xc1, 0xa7, 0xb5, 0xb0, 0xb0, 0x2b, 0x83, 0xbb, 0x3b, 0x85, 0x3d, 0xcc, 0xc2, 0x89, 0x77, 0x65, 0x8d, 0x3c, + 0x03, 0xbe, 0x84, 0x78, 0xf7, 0x2a, 0x32, 0x9c, 0x02, 0x23, 0x7b, 0x25, 0x42, 0xec, 0x4f, 0x29, 0x77, 0x79, 0xc1, 0x48, + 0x46, 0xde, 0x76, 0xdb, 0x23, 0x9b, 0x5a, 0xee, 0xc7, 0xd1, 0x40, 0x73, 0x39, 0xa5, 0x23, 0x41, 0x66, 0x4c, 0x24, 0x1f, + 0xaa, 0xd8, 0xc7, 0x3c, 0xc4, 0xd5, 0xd7, 0x3b, 0x2d, 0x00, 0x1c, 0x49, 0x17, 0x7a, 0xb5, 0x90, 0x6c, 0x6b, 0x43, 0x2f, + 0x61, 0x6b, 0x8a, 0xdc, 0xb9, 0x58, 0xa8, 0x92, 0x49, 0x3e, 0xe9, 0x32, 0xc9, 0x3c, 0x4e, 0xeb, 0x2e, 0x15, 0xb8, 0x78, + 0x9f, 0x30, 0x05, 0xd7, 0x4d, 0x71, 0xe8, 0xd0, 0x98, 0x7c, 0xe5, 0x3b, 0xc7, 0x65, 0x27, 0x5b, 0x16, 0x35, 0x77, 0xfc, + 0x97, 0xf8, 0x1a, 0x07, 0xc2, 0x50, 0x67, 0x71, 0x7d, 0xd4, 0xd6, 0x55, 0x83, 0x8b, 0x15, 0xb1, 0xac, 0xba, 0xba, 0x8c, + 0x73, 0x6e, 0x58, 0xf9, 0x1a, 0x3a, 0x1b, 0xc0, 0xe5, 0x90, 0x5a, 0xae, 0x96, 0xeb, 0x05, 0xe1, 0x37, 0xaa, 0xeb, 0x0c, + 0xb9, 0xf2, 0xd4, 0x24, 0x82, 0x70, 0x64, 0x7a, 0x9b, 0x13, 0x27, 0xab, 0xb9, 0x18, 0xc8, 0xc7, 0xa3, 0x36, 0x5c, 0x7d, + 0xff, 0xb8, 0xde, 0xbb, 0x9b, 0xc8, 0x78, 0xdf, 0xc8, 0x99, 0x39, 0x9e, 0xce, 0x1b, 0xe0, 0x09, 0x53, 0x00, 0x7d, 0xad, + 0x86, 0x87, 0x8a, 0x31, 0x50, 0x30, 0x29, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, 0x1c, + 0x1e, 0x1a, 0x00, 0x54, 0x00, 0x65, 0x00, 0x73, 0x00, 0x74, 0x00, 0x20, 0x00, 0x53, 0x00, 0x53, 0x00, 0x4c, 0x00, 0x20, + 0x00, 0x55, 0x00, 0x73, 0x00, 0x65, 0x00, 0x72, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, + 0x15, 0x31, 0x16, 0x04, 0x14, 0xa6, 0x63, 0xd5, 0xb2, 0xb4, 0x24, 0x91, 0x4c, 0x75, 0xa8, 0x11, 0x34, 0xd7, 0x7f, 0xb0, + 0xa3, 0x55, 
0xd4, 0xfd, 0x9a, 0x30, 0x30, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, + 0x04, 0x14, 0x2f, 0xc5, 0x73, 0xe2, 0xe4, 0xb4, 0x77, 0xfb, 0xb5, 0x49, 0x80, 0xcf, 0x13, 0xbe, 0x63, 0x7e, 0xaf, 0xdc, + 0x2b, 0xae, 0x04, 0x08, 0xdc, 0x37, 0x8d, 0x3f, 0x8d, 0xc5, 0x94, 0x54, 0x02, 0x01, 0x01 }; +unsigned int Test_ssl_user_p12_len = 2695; + /* Test identity (PKCS12 data), SMIME cert, expired in 2008 */ -unsigned char TestIDSMIME2007_p12[2805] = { +unsigned char TestIDSMIME2007_p12[2805] = { 0x30,0x82,0x0a,0xf1,0x02,0x01,0x03,0x30,0x82,0x0a,0xb8,0x06,0x09,0x2a,0x86,0x48, 0x86,0xf7,0x0d,0x01,0x07,0x01,0xa0,0x82,0x0a,0xa9,0x04,0x82,0x0a,0xa5,0x30,0x82, 0x0a,0xa1,0x30,0x82,0x05,0x17,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07, @@ -937,7 +846,7 @@ unsigned char TestIDSMIME2007_p12[2805] = { /* Test identity (PKCS12 data), SSL cert, expired in 2008 */ -unsigned char TestIDSSL2007_p12[2753] = { +unsigned char TestIDSSL2007_p12[2753] = { 0x30,0x82,0x0a,0xbd,0x02,0x01,0x03,0x30,0x82,0x0a,0x84,0x06,0x09,0x2a,0x86,0x48, 0x86,0xf7,0x0d,0x01,0x07,0x01,0xa0,0x82,0x0a,0x75,0x04,0x82,0x0a,0x71,0x30,0x82, 0x0a,0x6d,0x30,0x82,0x04,0xe7,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07, @@ -1116,7 +1025,6 @@ unsigned char TestIDSSL2007_p12[2753] = { static int quiet = 0; static int debug = 0; -static int verbose = 0; #define MAXNAMELEN MAXPATHLEN #define MAXITEMS INT32_MAX 
@@ -1124,21 +1032,14 @@ static int verbose = 0; #pragma mark -- Utility Functions -- -void PrintTestResult(char *testStr, OSStatus status, OSStatus expected) +static void PrintTestResult(char *testStr, OSStatus status, OSStatus expected) { - if (verbose) { - fprintf(stdout, "%s: %s (result=%d, expected=%d)\n", testStr, - (status==expected) ? "OK" : "FAILED", - (int)status, (int)expected); - } - if (debug) { - fprintf(stdout, "\n"); - } + is(status, expected, "%s", testStr); fflush(stdout); } -void PrintStringToMatch(CFStringRef nameStr) +static void PrintStringToMatch(CFStringRef nameStr) { char *buf = (char*)malloc(MAXNAMELEN); if (buf) { @@ -1151,7 +1052,7 @@ void PrintStringToMatch(CFStringRef nameStr) } -void PrintSecCertificate(SecCertificateRef certificate) +static void PrintSecCertificate(SecCertificateRef certificate) { CFStringRef nameStr; OSStatus status = SecCertificateCopyCommonName(certificate, &nameStr); @@ -1171,7 +1072,7 @@ void PrintSecCertificate(SecCertificateRef certificate) } -void PrintSecIdentity(SecIdentityRef identity) +static void PrintSecIdentity(SecIdentityRef identity) { SecCertificateRef certRef; OSStatus status = SecIdentityCopyCertificate(identity, &certRef); @@ -1185,7 +1086,7 @@ void PrintSecIdentity(SecIdentityRef identity) } -void PrintCFStringWithFormat(const char *formatStr, CFStringRef inStr) +static void PrintCFStringWithFormat(const char *formatStr, CFStringRef inStr) { char *buf = (char*)malloc(MAXNAMELEN); if (buf) { @@ -1198,7 +1099,7 @@ void PrintCFStringWithFormat(const char *formatStr, CFStringRef inStr) } -void PrintCFThing(CFTypeRef thing) +static void PrintCFThing(CFTypeRef thing) { fprintf(stderr, "### Results: %p\n", (void*)thing); 
@@ -1226,98 +1127,65 @@ void PrintCFThing(CFTypeRef thing) } //%%% FIXME need to break this up into separate functions -int TestAddItems() +static int TestAddItems(SecKeychainRef keychain) { SecCertificateRef certs[5]; - SecKeychainRef keychain; CFDataRef tmpData; OSStatus status; -#if AUTO_TEST - /* the regression suite environment does not have a keychain; must create one */ - status = SecKeychainCreate("SecItemTest.keychain", 4, "test", FALSE, NULL, &keychain); -#else - status = SecKeychainCopyDefault(&keychain); -#endif - if (status) { - fprintf(stderr, "Unable to get default keychain: error %d\n", (int)status); - goto error_exit; - } - /* add test leaf */ tmpData = CFDataCreateWithBytesNoCopy(NULL, LEAF_CERT, sizeof(LEAF_CERT), kCFAllocatorNull); certs[0] = SecCertificateCreateWithData(NULL, tmpData); CFRelease(tmpData); -// will add this below using SecItemAdd instead of SecCertificateAddToKeychain -#if 0 - status = SecCertificateAddToKeychain(certs[0], keychain); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add test leaf certificate: error %d\n", (int)status); - goto error_exit; - } -#endif + /* add test intermediate */ tmpData = CFDataCreateWithBytesNoCopy(NULL, INTERMEDIATE_CERT, sizeof(INTERMEDIATE_CERT), kCFAllocatorNull); certs[1] = SecCertificateCreateWithData(NULL, tmpData); CFRelease(tmpData); -// will add this below using SecItemAdd instead of SecCertificateAddToKeychain -#if 0 - status = SecCertificateAddToKeychain(certs[1], keychain); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add test intermediate certificate: error %d\n", (int)status); - goto error_exit; - } -#endif + /* add test root */ tmpData = CFDataCreateWithBytesNoCopy(NULL, ROOT_CERT, sizeof(ROOT_CERT), kCFAllocatorNull); certs[2] = SecCertificateCreateWithData(NULL, tmpData); CFRelease(tmpData); // will add this below using SecItemAdd instead of 
SecCertificateAddToKeychain -#if 0 - status = SecCertificateAddToKeychain(certs[2], keychain); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add test root certificate: error %d\n", (int)status); - goto error_exit; - } -#endif /* use SecItemAdd to add an array containing certs 1-3 */ CFArrayRef certArray = CFArrayCreate(NULL, (const void**) certs, 3, &kCFTypeArrayCallBacks); CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); CFDictionaryAddValue(attrs, kSecClass, kSecClassCertificate); // we are adding certificates CFDictionaryAddValue(attrs, kSecUseItemList, certArray); // add these items (to default keychain, since we aren't specifying one) + CFDictionaryAddValue(attrs, kSecUseKeychain, keychain); // add these to the test keychain status = SecItemAdd(attrs, NULL); CFRelease(attrs); CFRelease(certArray); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add 3 test certificates: error %d\n", (int)status); + ok_status(status, "Unable to add 3 test certificates: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; - } - + } /* add test cert for S/MIME policy (encrypt only, no sign) */ tmpData = CFDataCreateWithBytesNoCopy(NULL, Test_smime_encryptonly, sizeof(Test_smime_encryptonly), kCFAllocatorNull); certs[3] = SecCertificateCreateWithData(NULL, tmpData); CFRelease(tmpData); status = SecCertificateAddToKeychain(certs[3], keychain); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add test S/MIME certificate: error %d\n", (int)status); + ok_status(status, "Unable to add test S/MIME certificate: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; - } + } /* add test cert for Code Signing policy */ tmpData = 
CFDataCreateWithBytesNoCopy(NULL, Test_codesign, sizeof(Test_codesign), kCFAllocatorNull); certs[4] = SecCertificateCreateWithData(NULL, tmpData); CFRelease(tmpData); status = SecCertificateAddToKeychain(certs[4], keychain); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add test Code Signing certificate: error %d\n", (int)status); + ok_status(status, "Unable to add test Code Signing certificate: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; - } + } /* import test SSL identity */ { - CFDataRef p12DataRef = CFDataCreateWithBytesNoCopy(NULL, Test_p12, (CFIndex)sizeof(Test_p12), kCFAllocatorNull); + CFDataRef p12DataRef = CFDataCreateWithBytesNoCopy(NULL, Test_ssl_user_p12, (CFIndex)sizeof(Test_ssl_user_p12), kCFAllocatorNull); SecExternalFormat format = kSecFormatPKCS12; SecExternalItemType itemType = kSecItemTypeAggregate; SecItemImportExportFlags flags = 0; @@ -1355,10 +1223,10 @@ int TestAddItems() CFRelease(keyUsagesArray); CFRelease(keyAttrsArray); #endif - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to import test SSL identity: error %d\n", (int)status); + ok_status(status, "Unable to import test SSL identity: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; - } + } } /* import test S/MIME signing identity */ 
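Review bot: `if (keychain) CFRelease(keychain);` at `error_exit` (hunk at -1535) still runs, but `keychain` is now a parameter of TestAddItems rather than the reference that the removed SecKeychainCreate/SecKeychainCopyDefault call used to give this function, so it releases a reference it does not own and the caller's keychain can be freed underneath it. Unless the caller deliberately transfers its reference, drop that line, or state the transfer in a comment above the new signature, e.g. `/* takes ownership of keychain and releases it before returning */`. Separately, `ok_status(status, "Unable to add 3 test certificates: error %d\n", (int)status);` reports errSecDuplicateItem as a test failure while the `if (status && status != errSecDuplicateItem)` that follows still treats it as benign; decide which is intended so the test verdict and the control flow agree (the same pairing recurs in the later TestAddItems hunks). TestAddItems's body continues outside this hunk.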
@@ -1401,12 +1269,12 @@ int TestAddItems() CFRelease(keyUsagesArray); CFRelease(keyAttrsArray); #endif - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to import test S/MIME identity: error %d\n", (int)status); + ok_status(status, "Unable to import test S/MIME identity: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; } } - + /* import expired SSL identity */ { CFDataRef p12DataRef = CFDataCreateWithBytesNoCopy(NULL, TestIDSSL2007_p12, (CFIndex)sizeof(TestIDSSL2007_p12), kCFAllocatorNull); @@ -1431,8 +1299,8 @@ int TestAddItems() NULL, &format, &itemType, flags, &keyParams, keychain, NULL); CFRelease(keyUsagesArray); CFRelease(keyAttrsArray); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to import TestIDSSL2007_p12 identity: error %d\n", (int)status); + ok_status(status, "Unable to import TestIDSSL2007_p12 identity: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; } } 
@@ -1461,20 +1329,20 @@ int TestAddItems() NULL, &format, &itemType, flags, &keyParams, keychain, NULL); CFRelease(keyUsagesArray); CFRelease(keyAttrsArray); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to import TestIDSMIME2007_p12 identity: error %d\n", (int)status); + ok_status(status, "Unable to import TestIDSMIME2007_p12 identity: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; } } - + /* add generic password items */ status = SecKeychainAddGenericPassword(keychain, strlen("Test Service 42"), "Test Service 42", strlen("nobody"), "nobody", strlen("weakpass"), "weakpass", NULL); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add \"Test Service 42\" generic password: error %d\n", (int)status); + ok_status(status, "Unable to add \"Test Service 42\" generic password: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; } status = SecKeychainAddGenericPassword(keychain, @@ -1482,11 +1350,11 @@ int TestAddItems() strlen("nobody"), "nobody", strlen("weakpass"), "weakpass", NULL); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add \"Test Service 69\" generic password: error %d\n", (int)status); + ok_status(status, "Unable to add \"Test Service 69\" generic password: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; } - + /* add internet password items */ status = SecKeychainAddInternetPassword(keychain, strlen("test1.subdomain.apple.com"), "test1.subdomain.apple.com", 
@@ -1496,8 +1364,8 @@ int TestAddItems() 80, kSecProtocolTypeHTTP, kSecAuthenticationTypeDefault, strlen("weakpass"), "weakpass", NULL); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add \"test1.subdomain.apple.com\" internet password: error %d\n", (int)status); + ok_status(status, "Unable to add \"test1.subdomain.apple.com\" internet password: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; } status = SecKeychainAddInternetPassword(keychain, @@ -1508,8 +1376,8 @@ int TestAddItems() 443, kSecProtocolTypeHTTPS, kSecAuthenticationTypeDefault, strlen("weakpass"), "weakpass", NULL); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add \"test2.subdomain.apple.com\" internet password: error %d\n", (int)status); + ok_status(status, "Unable to add \"test2.subdomain.apple.com\" internet password: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; } @@ -1522,8 +1390,8 @@ int TestAddItems() 143, kSecProtocolTypeIMAP, kSecAuthenticationTypeDefault, strlen("testpass"), "testpass", NULL); - if (status && status != errSecDuplicateItem) { // ignore error if duplicate - fprintf(stderr, "Unable to add \"mail.apple.com\" internet password: error %d\n", (int)status); + ok_status(status, "Unable to add \"mail.apple.com\" internet password: error %d\n", (int)status); + if (status && status != errSecDuplicateItem) { goto error_exit; } @@ -1535,12 +1403,12 @@ error_exit: if (keychain) CFRelease(keychain); PrintTestResult("TestAddItems", status, noErr); - + return (int)status; } -int CheckResults(CFTypeRef results, CFIndex minMatchesExpected, CFIndex maxMatchesExpected) +static int CheckResults(CFTypeRef results, CFIndex minMatchesExpected, CFIndex maxMatchesExpected) { OSStatus status = noErr; if (debug) { 
@@ -1569,6 +1437,13 @@ int CheckResults(CFTypeRef results, CFIndex minMatchesExpected, CFIndex maxMatch /* should not happen, unless SecItemCopyMatching has a bug */ status = errSecInternalError; } + if(matchesFound < minMatchesExpected) { + fail("CheckResults: %ld < %ld (minimum required)", matchesFound, minMatchesExpected); + } else if(matchesFound > maxMatchesExpected) { + fail("CheckResults: %ld > %ld (maximum allowed", matchesFound, maxMatchesExpected); + } else { + pass("CheckResults: matches found fall within requirements: %ld <= %ld <= %ld", minMatchesExpected, matchesFound, maxMatchesExpected); + } } return (int)status; } @@ -1577,7 +1452,8 @@ int CheckResults(CFTypeRef results, CFIndex minMatchesExpected, CFIndex maxMatch #pragma mark -- Individual Test Cases -- -int FindCertificateByEmail(CFStringRef emailStr, +static int FindCertificateByEmail(SecKeychainRef keychain, + CFStringRef emailStr, CFTypeRef returnType, CFTypeRef matchLimit, CFIndex minMatchesExpected, @@ -1593,6 +1469,10 @@ int FindCertificateByEmail(CFStringRef emailStr, CFDictionaryAddValue( query, kSecMatchLimit, matchLimit ); CFDictionaryAddValue( query, returnType, kCFBooleanTrue ); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + CFTypeRef results = NULL; if (debug) { PrintStringToMatch(emailStr); @@ -1608,12 +1488,13 @@ int FindCertificateByEmail(CFStringRef emailStr, CFRelease(query); PrintTestResult("FindCertificateByEmail", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindCertificateByLabel(CFStringRef labelStr, +static int FindCertificateByLabel(SecKeychainRef keychain, + CFStringRef labelStr, CFTypeRef returnType, CFTypeRef matchLimit, CFIndex minMatchesExpected, 
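Review bot: The message in the second `fail` call is missing its closing parenthesis; `fail("CheckResults: %ld > %ld (maximum allowed", matchesFound, maxMatchesExpected);` should read `fail("CheckResults: %ld > %ld (maximum allowed)", matchesFound, maxMatchesExpected);` to match the "(minimum required)" wording of the first branch. The new `if(` / `else if(` spelling also departs from the `if (` spacing used everywhere else in the file. Note that neither `fail` branch changes `status`, so whether an out-of-range count is reflected in the return value depends on the comparison code above this hunk, which is not visible here. CheckResults starts outside this hunk.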
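Review bot: `searchList` is created with CFArrayCreateMutable (a +1 reference) and handed to the query via CFDictionarySetValue, which retains it, but nothing in this hunk or in the function's tail at -1608 releases it, so each call leaks the array unless a release sits in the unseen lines between the two hunks; add `CFRelease(searchList);` directly after `CFDictionarySetValue(query, kSecMatchSearchList, searchList);`. The same pattern is introduced in the hunks at -1630, -1667, -1687, -1772, -1820, -1898, -1936, -1971, -2002, -2099 and -2175; in the `keys[]`/`values[]` variants CFDictionaryCreate retains it just the same, so release it once the dictionary is built. The `(CFMutableArrayRef)` casts on the CFArrayCreateMutable result and inside CFArrayAppendValue are no-ops, since that function already returns CFMutableArrayRef, and can be dropped. FindCertificateByEmail starts and ends outside this hunk.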
@@ -1630,6 +1511,10 @@ int FindCertificateByLabel(CFStringRef labelStr, CFDictionaryAddValue( query, kSecMatchLimit, matchLimit ); CFDictionaryAddValue( query, returnType, kCFBooleanTrue ); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + CFTypeRef results = NULL; if (debug) { PrintStringToMatch(labelStr); @@ -1643,14 +1528,15 @@ int FindCertificateByLabel(CFStringRef labelStr, } if (query) CFRelease(query); - + PrintTestResult("FindCertificateByLabel", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindCertificateByNameInSubject(CFStringRef nameStr, +static int FindCertificateByNameInSubject(SecKeychainRef keychain, + CFStringRef nameStr, CFTypeRef matchType, CFTypeRef returnType, CFTypeRef matchLimit, @@ -1667,6 +1553,10 @@ int FindCertificateByNameInSubject(CFStringRef nameStr, CFDictionaryAddValue( query, kSecMatchLimit, matchLimit ); CFDictionaryAddValue( query, returnType, kCFBooleanTrue ); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + CFTypeRef results = NULL; if (debug) { PrintStringToMatch(nameStr); 
@@ -1687,30 +1577,19 @@ int FindCertificateByNameInSubject(CFStringRef nameStr, } -int FindCertificateByNameAndPolicy(CFStringRef nameStr, - CFTypeRef policyIdentifier, - Boolean isClientPolicy, +static int FindCertificateByNameAndPolicy(SecKeychainRef keychain, + CFStringRef nameStr, + SecPolicyRef policy, CFTypeRef returnType, CFTypeRef matchLimit, - CFIndex minMatchesExpected, + CFIndex matchesExpected, OSStatus expected) { - /* given the policy OID, create a SecPolicyRef */ - SecPolicyRef policy = SecPolicyCreateWithOID(policyIdentifier); - if (policy == NULL) - return errSecPolicyNotFound; - if (isClientPolicy == TRUE) { - /* specify the kSecPolicyClient property key for this policy */ - const void *keys[] = { kSecPolicyClient }; - const void *values[] = { kCFBooleanTrue }; - CFDictionaryRef properties = CFDictionaryCreate(NULL, keys, values, - sizeof(keys) / sizeof(*keys), - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks); - SecPolicySetProperties(policy, properties); - } + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); const void *keys[] = { + kSecMatchSearchList, kSecClass, kSecMatchSubjectContains, kSecMatchPolicy, @@ -1718,6 +1597,7 @@ int FindCertificateByNameAndPolicy(CFStringRef nameStr, returnType }; const void *values[] = { + searchList, kSecClassCertificate, nameStr, policy, 
@@ -1734,27 +1614,26 @@ int FindCertificateByNameAndPolicy(CFStringRef nameStr, if (debug) { PrintStringToMatch(nameStr); - PrintStringToMatch(CFCopyDescription(policyIdentifier)); + PrintStringToMatch(SecPolicyGetName(policy)); } status = SecItemCopyMatching(query, &results); if (!status && results) { - status = CheckResults(results, minMatchesExpected, MAXITEMS); + status = CheckResults(results, matchesExpected, matchesExpected); CFRelease(results); } if (query) CFRelease(query); - if (policy) - CFRelease(policy); - + PrintTestResult("FindCertificateByNameAndPolicy", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindCertificateByNameAndValidDate(CFStringRef nameStr, +static int FindCertificateByNameAndValidDate(SecKeychainRef keychain, + CFStringRef nameStr, CFTypeRef validOnDate, CFTypeRef returnType, CFTypeRef matchLimit, @@ -1772,6 +1651,10 @@ int FindCertificateByNameAndValidDate(CFStringRef nameStr, CFDictionaryAddValue( query, kSecMatchLimit, matchLimit ); CFDictionaryAddValue( query, returnType, kCFBooleanTrue ); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + CFTypeRef results = NULL; if (debug) { PrintStringToMatch(nameStr); @@ -1786,14 +1669,15 @@ int FindCertificateByNameAndValidDate(CFStringRef nameStr, } if (query) CFRelease(query); - + PrintTestResult("FindCertificateByNameAndValidDate", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindCertificateForSMIMEEncryption(CFStringRef emailAddr, +static int FindCertificateForSMIMEEncryption(SecKeychainRef keychain, + CFStringRef emailAddr, CFTypeRef validOnDate, CFTypeRef returnType, CFTypeRef matchLimit, 
@@ -1820,6 +1704,10 @@ int FindCertificateForSMIMEEncryption(CFStringRef emailAddr, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + /* set up the query */ CFDictionaryAddValue( query, kSecClass, kSecClassCertificate ); CFDictionaryAddValue( query, kSecMatchPolicy, policy ); @@ -1846,15 +1734,15 @@ int FindCertificateForSMIMEEncryption(CFStringRef emailAddr, CFRelease(policy); if (properties) CFRelease(properties); - + PrintTestResult("FindCertificateForSMIMEEncryption", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindPreferredCertificateForSMIMEEncryption(CFStringRef emailAddr, - CFTypeRef validOnDate) +static int FindPreferredCertificateForSMIMEEncryption(SecKeychainRef keychain, + CFStringRef emailAddr, CFTypeRef validOnDate) { // Note: this function assumes that a preferred certificate has been set up // previously for the given email address. This is handled in the calling @@ -1885,7 +1773,7 @@ int FindPreferredCertificateForSMIMEEncryption(CFStringRef emailAddr, CFDictionaryRef properties = CFDictionaryCreate(kCFAllocatorDefault, (const void **)&kSecPolicyKU_KeyEncipherment, (const void **)&kCFBooleanTrue, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); status = SecPolicySetProperties(policy, properties); CFRelease(properties); - + // set up an item list consisting of just our preferred certificate CFArrayRef itemList = CFArrayCreate(kCFAllocatorDefault, (const void **)&preferredCertificate, 1, &kCFTypeArrayCallBacks); 
@@ -1898,6 +1786,10 @@ int FindPreferredCertificateForSMIMEEncryption(CFStringRef emailAddr, CFDictionaryAddValue( query, kSecMatchLimit, kSecMatchLimitOne ); // only need to match one item! CFDictionaryAddValue( query, kSecReturnRef, kCFBooleanTrue ); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + if (debug) { PrintStringToMatch(emailAddr); PrintStringToMatch(CFCopyDescription(validOnDate)); @@ -1921,14 +1813,14 @@ int FindPreferredCertificateForSMIMEEncryption(CFStringRef emailAddr, if (preferredCertificate) CFRelease(preferredCertificate); - + PrintTestResult("FindPreferredCertificateForSMIMEEncryption", status, noErr); - + return (status==noErr) ? (int)noErr : (int)status; } -int SetPreferredCertificateForSMIMEEncryption(CFStringRef nameStr, +static int SetPreferredCertificateForSMIMEEncryption(SecKeychainRef keychain, CFStringRef nameStr, CFStringRef emailAddr) { // find the certificate exactly matching the given common name @@ -1936,6 +1828,10 @@ int SetPreferredCertificateForSMIMEEncryption(CFStringRef nameStr, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + CFDictionaryAddValue( query, kSecClass, kSecClassCertificate ); CFDictionaryAddValue( query, kSecMatchSubjectWholeString, nameStr ); CFDictionaryAddValue( query, kSecMatchLimit, kSecMatchLimitOne ); 
@@ -1943,10 +1839,10 @@ int SetPreferredCertificateForSMIMEEncryption(CFStringRef nameStr, CFTypeRef results = NULL; OSStatus status = SecItemCopyMatching(query, &results); - + if (!quiet && status) fprintf(stderr, "SetPreferredCertificateForSMIMEEncryption: SecItemCopyMatching error %d\n", (int)status); - + if (!status && results) { // since we asked for kSecMatchLimitOne, the result is a single item SecCertificateRef certificate = (SecCertificateRef) results; @@ -1971,19 +1867,25 @@ int SetPreferredCertificateForSMIMEEncryption(CFStringRef nameStr, } -int FindIdentityByName(CFStringRef nameStr, +static int FindIdentityByName(SecKeychainRef keychain, + CFStringRef nameStr, CFTypeRef returnType, CFTypeRef matchLimit, - CFIndex minMatchesExpected, + CFIndex matchesExpected, OSStatus expected) { + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + const void *keys[] = { + kSecMatchSearchList, kSecClass, kSecMatchSubjectContains, kSecMatchLimit, returnType }; const void *values[] = { + searchList, kSecClassIdentity, nameStr, matchLimit, 
@@ -2002,47 +1904,37 @@ int FindIdentityByName(CFStringRef nameStr, status = SecItemCopyMatching(query, &results); if (!status && results) { - status = CheckResults(results, minMatchesExpected, MAXITEMS); + status = CheckResults(results, matchesExpected, matchesExpected); CFRelease(results); } if (query) CFRelease(query); PrintTestResult("FindIdentityByName", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindIdentityByPolicy(CFTypeRef policyIdentifier, - Boolean isClientPolicy, +static int FindIdentityByPolicy(SecKeychainRef keychain, + SecPolicyRef policy, CFTypeRef returnType, CFTypeRef matchLimit, CFIndex minMatchesExpected, OSStatus expected) { - /* given the policy OID, create a SecPolicyRef */ - SecPolicyRef policy = SecPolicyCreateWithOID(policyIdentifier); - if (policy == NULL) - return errSecPolicyNotFound; - if (isClientPolicy == TRUE) { - /* specify the kSecPolicyClient property key for this policy */ - const void *keys[] = { kSecPolicyClient }; - const void *values[] = { kCFBooleanTrue }; - CFDictionaryRef properties = CFDictionaryCreate(NULL, keys, values, - sizeof(keys) / sizeof(*keys), - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks); - SecPolicySetProperties(policy, properties); - } + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); const void *keys[] = { + kSecMatchSearchList, kSecClass, kSecMatchPolicy, kSecMatchLimit, returnType }; const void *values[] = { + searchList, kSecClassIdentity, policy, matchLimit, @@ -2056,7 +1948,7 @@ int FindIdentityByPolicy(CFTypeRef policyIdentifier, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - if (debug) PrintStringToMatch(CFCopyDescription(policyIdentifier)); + if (debug) PrintStringToMatch(SecPolicyGetName(policy)); status = SecItemCopyMatching(query, &results); 
@@ -2066,22 +1958,21 @@ int FindIdentityByPolicy(CFTypeRef policyIdentifier, } if (query) CFRelease(query); - if (policy) - CFRelease(policy); - + PrintTestResult("FindIdentityByPolicy", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindIdentityByPolicyAndValidDate(CFTypeRef policyIdentifier, +static int FindIdentityByPolicyAndValidDate(SecKeychainRef keychain, + CFTypeRef policyIdentifier, Boolean isClientPolicy, CFTypeRef validOnDate, CFStringRef forbidStr, CFTypeRef returnType, CFTypeRef matchLimit, - CFIndex minMatchesExpected, + CFIndex matchesExpected, OSStatus expected) { /* given the policy OID, create a SecPolicyRef */ @@ -2099,7 +1990,11 @@ int FindIdentityByPolicyAndValidDate(CFTypeRef policyIdentifier, SecPolicySetProperties(policy, properties); } + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + const void *keys[] = { + kSecMatchSearchList, kSecClass, kSecMatchPolicy, kSecMatchValidOnDate, @@ -2107,6 +2002,7 @@ int FindIdentityByPolicyAndValidDate(CFTypeRef policyIdentifier, returnType }; const void *values[] = { + searchList, kSecClassIdentity, policy, validOnDate, @@ -2124,7 +2020,7 @@ int FindIdentityByPolicyAndValidDate(CFTypeRef policyIdentifier, if (debug) PrintStringToMatch(CFCopyDescription(policyIdentifier)); status = SecItemCopyMatching(query, &results); - + // check returned items for forbidStr as a substring in the label attribute; // return errSecInternalError if found if (!status && results && forbidStr) { 
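Review bot: FindIdentityByPolicyAndValidDate keeps the `CFTypeRef policyIdentifier, Boolean isClientPolicy` pair and still builds its own SecPolicyRef, while FindIdentityByPolicy and FindCertificateByNameAndPolicy were changed in this same commit to take a ready `SecPolicyRef policy`; giving this function the same signature would let the caller build the policy once and would remove the `if (policy) CFRelease(policy)` bookkeeping in the -2150 hunk. The debug print in the -2124 hunk also still calls `PrintStringToMatch(CFCopyDescription(policyIdentifier))`, whose copied string is apparently never released, whereas the sibling functions now pass `SecPolicyGetName(policy)`. The function's body spans the -2099, -2107, -2124 and -2150 hunks and its start is outside this one.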
@@ -2150,21 +2046,22 @@ int FindIdentityByPolicyAndValidDate(CFTypeRef policyIdentifier, if (!status && results) { - status = CheckResults(results, minMatchesExpected, MAXITEMS); + status = CheckResults(results, matchesExpected, matchesExpected); CFRelease(results); } if (query) CFRelease(query); if (policy) CFRelease(policy); - + PrintTestResult("FindIdentityByPolicyAndValidDate", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindIdentityByNameAndValidDate(CFStringRef nameStr, +static int FindIdentityByNameAndValidDate(SecKeychainRef keychain, + CFStringRef nameStr, CFTypeRef validOnDate, CFTypeRef returnType, CFTypeRef matchLimit, @@ -2175,6 +2072,10 @@ int FindIdentityByNameAndValidDate(CFStringRef nameStr, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + /* set up the query */ CFDictionaryAddValue( query, kSecClass, kSecClassIdentity ); CFDictionaryAddValue( query, kSecMatchSubjectContains, nameStr ); @@ -2196,14 +2097,14 @@ int FindIdentityByNameAndValidDate(CFStringRef nameStr, } if (query) CFRelease(query); - + PrintTestResult("FindIdentityByNameAndValidDate", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindPreferredIdentityForSMIMESigning(CFStringRef emailAddr, +static int FindPreferredIdentityForSMIMESigning(SecKeychainRef keychain, CFStringRef emailAddr, CFTypeRef validOnDate) { // Note: this function assumes that a preferred identity has been set up 
@@ -2213,17 +2114,21 @@ int FindPreferredIdentityForSMIMESigning(CFStringRef emailAddr, OSStatus status = noErr; SecIdentityRef preferredIdentity = NULL; SecIdentityRef validatedIdentity = NULL; - + // Pass an explicit key usage value to SecIdentityCopyPreferred to test <rdar://8192797> CFArrayRef keyUsage = CFArrayCreate(kCFAllocatorDefault, (const void **)&kSecAttrCanSign, 1, &kCFTypeArrayCallBacks); - + preferredIdentity = SecIdentityCopyPreferred(emailAddr, keyUsage, NULL); + isnt(preferredIdentity, NULL, "FindPreferredIdentityForSMIMESigning: SecIdentityCopyPreferred"); + if (!preferredIdentity) status = errSecItemNotFound; // our test expects a preferred identity to exist, so we return an error if (keyUsage) CFRelease(keyUsage); if (!status && preferredIdentity) { + pass("FindPreferredIdentityForSMIMESigning: found a preferred identity"); + // We found a preferred identity, but it may have expired. // Verify the preferred identity by looking up all identities which // are valid for SMIME signing, and using the kSecMatchItemList query @@ -2231,11 +2136,8 @@ int FindPreferredIdentityForSMIMESigning(CFStringRef emailAddr, // we end up with 0 results, the preferred identity wasn't valid. // set up the S/MIME policy first to check for Digital Signature key usage - SecPolicyRef policy = SecPolicyCreateWithOID(kSecPolicyAppleSMIME); - CFDictionaryRef properties = CFDictionaryCreate(kCFAllocatorDefault, (const void **)&kSecPolicyKU_DigitalSignature, (const void **)&kCFBooleanTrue, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - status = SecPolicySetProperties(policy, properties); - CFRelease(properties); - + SecPolicyRef policy = SecPolicyCreateSMIME(kSecSignSMIMEUsage, emailAddr); + // set up an item list consisting of just our preferred identity CFArrayRef itemList = CFArrayCreate(kCFAllocatorDefault, (const void **)&preferredIdentity, 1, &kCFTypeArrayCallBacks); 
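Review bot: The policy returned by `SecPolicyCreateSMIME(kSecSignSMIMEUsage, emailAddr)` is used without a NULL check, even though the same function now asserts `isnt(preferredIdentity, NULL, ...)` a few lines above; a NULL policy added to the query dictionary would be retained by kCFTypeDictionaryValueCallBacks and crash rather than fail the test. Adding `isnt(policy, NULL, "FindPreferredIdentityForSMIMESigning: SecPolicyCreateSMIME");` right after the creation keeps the harness style consistent. The old SecPolicySetProperties status check was dropped with the properties dictionary, so nothing else currently observes a policy-creation failure here; the release of `policy` is outside this hunk, so I could not confirm it still happens.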
@@ -2248,12 +2150,17 @@ int FindPreferredIdentityForSMIMESigning(CFStringRef emailAddr, CFDictionaryAddValue( query, kSecMatchLimit, kSecMatchLimitOne ); // only need to match one item! CFDictionaryAddValue( query, kSecReturnRef, kCFBooleanTrue ); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + if (debug) { PrintStringToMatch(emailAddr); PrintStringToMatch(CFCopyDescription(validOnDate)); } status = SecItemCopyMatching(query, (CFTypeRef*)&validatedIdentity); + ok_status(status, "FindPreferredIdentityForSMIMESigning: SecItemCopyMatching"); if (!status && validatedIdentity) { status = CheckResults(validatedIdentity, 1, 1); // expect exactly 1 result @@ -2266,19 +2173,20 @@ int FindPreferredIdentityForSMIMESigning(CFStringRef emailAddr, if (itemList) CFRelease(itemList); } - else if (!quiet) - fprintf(stderr, "FindPreferredIdentityForSMIMESigning: unexpected error %d\n", (int)status); + else { + fail("FindPreferredIdentityForSMIMESigning: unexpected error %d\n", (int)status); + } if (preferredIdentity) CFRelease(preferredIdentity); - + PrintTestResult("FindPreferredIdentityForSMIMESigning", status, noErr); - + return (status==noErr) ? (int)noErr : (int)status; } -int SetPreferredIdentityForSMIMESigning(CFStringRef nameStr, +static int SetPreferredIdentityForSMIMESigning(SecKeychainRef keychain, CFStringRef nameStr, CFStringRef emailAddr) { // find the identity exactly matching the given common name 
@@ -2286,6 +2194,10 @@ int SetPreferredIdentityForSMIMESigning(CFStringRef nameStr, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + CFDictionaryAddValue( query, kSecClass, kSecClassIdentity ); CFDictionaryAddValue( query, kSecMatchSubjectWholeString, nameStr ); CFDictionaryAddValue( query, kSecMatchLimit, kSecMatchLimitOne ); 
@@ -2293,25 +2205,22 @@ int SetPreferredIdentityForSMIMESigning(CFStringRef nameStr, CFTypeRef results = NULL; OSStatus status = SecItemCopyMatching(query, &results); - - if (!quiet && status) - fprintf(stderr, "SetPreferredIdentityForSMIMESigning: SecItemCopyMatching error %d\n", (int)status); - + + ok_status(status, "SetPreferredIdentityForSMIMESigning: SecItemCopyMatching error %d\n", (int)status); + if (!status && results) { // since we asked for kSecMatchLimitOne, the result is a single SecIdentityRef SecIdentityRef identity = (SecIdentityRef) results; - if (SecIdentityGetTypeID() != CFGetTypeID(identity)) { - fprintf(stderr, "SetPreferredCertificateForSMIMEEncryption: unexpected result type!\n"); - } - else { - // Pass an explicit key usage value to SecIdentitySetPreferred to test <rdar://8192797> - CFArrayRef keyUsage = CFArrayCreate(kCFAllocatorDefault, (const void **)&kSecAttrCanSign, 1, &kCFTypeArrayCallBacks); - status = SecIdentitySetPreferred(identity, emailAddr, keyUsage); - if (!quiet && status) - fprintf(stderr, "SetPreferredIdentityForSMIMESigning: SecIdentitySetPreferred error %d\n", (int)status); - if (keyUsage) - CFRelease(keyUsage); - } + + is(SecIdentityGetTypeID(),CFGetTypeID(identity), "SetPreferredCertificateForSMIMEEncryption: unexpected result type!\n"); + + // Pass an explicit key usage value to SecIdentitySetPreferred to test <rdar://8192797> + CFArrayRef keyUsage = CFArrayCreate(kCFAllocatorDefault, (const void **)&kSecAttrCanSign, 1, &kCFTypeArrayCallBacks); + status = SecIdentitySetPreferred(identity, emailAddr, keyUsage); + ok_status(status, "SetPreferredIdentityForSMIMESigning: SecIdentitySetPreferred error %d\n", (int)status); + if (keyUsage) + CFRelease(keyUsage); + CFRelease(results); } if (query) 
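Review bot: The type check in SetPreferredIdentityForSMIMESigning no longer guards the call that follows it: the old `else` branch skipped SecIdentitySetPreferred when `results` was not a SecIdentityRef, but the new `is(SecIdentityGetTypeID(), CFGetTypeID(identity), ...)` only records the mismatch and then passes the object to `SecIdentitySetPreferred(identity, emailAddr, keyUsage)` anyway. Keeping the assertion and wrapping the usage in `if (SecIdentityGetTypeID() == CFGetTypeID(identity)) { ... }` restores the guard; FindMailPassword (later hunk) has the same shape, though there the only consumer is CFShow, which accepts any CFTypeRef. As a style point, the `\n` carried over from the old fprintf formats into these `ok_status`/`is` messages (and into `fail(...)` in FindPreferredIdentityForSMIMESigning) differs from the newline-free messages added elsewhere in this patch; if the harness emits its own line ending, these will print blank lines.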
@@ -2321,19 +2230,25 @@ int SetPreferredIdentityForSMIMESigning(CFStringRef nameStr, } -int FindGenericPasswordByAccount(CFStringRef accountStr, +static int FindGenericPasswordByAccount(SecKeychainRef keychain, + CFStringRef accountStr, CFTypeRef returnType, CFTypeRef matchLimit, CFIndex minMatchesExpected, OSStatus expected) { + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + const void *keys[] = { + kSecMatchSearchList, kSecClass, kSecAttrAccount, kSecMatchLimit, returnType }; const void *values[] = { + searchList, kSecClassGenericPassword, accountStr, matchLimit, @@ -2350,6 +2265,7 @@ int FindGenericPasswordByAccount(CFStringRef accountStr, if (debug) PrintStringToMatch(accountStr); status = SecItemCopyMatching(query, &results); + ok_status(status, "FindGenericPasswordByAccount: SecItemCopyMatching"); if (!status && results) { status = CheckResults(results, minMatchesExpected, MAXITEMS); @@ -2359,19 +2275,24 @@ int FindGenericPasswordByAccount(CFStringRef accountStr, CFRelease(query); PrintTestResult("FindGenericPasswordByAccount", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindGenericPasswordByAccountAndService(CFStringRef accountStr, +static int FindGenericPasswordByAccountAndService(SecKeychainRef keychain, + CFStringRef accountStr, CFStringRef serviceStr, CFTypeRef returnType, CFTypeRef matchLimit, CFIndex minMatchesExpected, OSStatus expected) { + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + const void *keys[] = { + kSecMatchSearchList, kSecClass, kSecAttrAccount, kSecAttrService, 
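Review bot: The new `ok_status(status, "FindGenericPasswordByAccount: SecItemCopyMatching");` is unconditional even though the function takes an `expected` status and returns `noErr` when `status == expected`, so any caller that deliberately expects errSecItemNotFound will now log a test failure for a correct outcome. FindSymmetricKey (later hunk) already handles this correctly with `if (expected == errSecSuccess) { ok_status(status, ...); } else { is(status, expected, ...); }`, and the same form should replace the bare ok_status here and in FindGenericPasswordByAccountAndService, FindInternetPasswordByAccount and FindInternetPasswordByAccountAndServer. I cannot see those helpers' callers in this chunk, so whether a not-found expectation is actually passed today is inferred from the signature.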
@@ -2379,6 +2300,7 @@ int FindGenericPasswordByAccountAndService(CFStringRef accountStr, returnType }; const void *values[] = { + searchList, kSecClassGenericPassword, accountStr, serviceStr, @@ -2398,6 +2320,7 @@ int FindGenericPasswordByAccountAndService(CFStringRef accountStr, PrintStringToMatch(serviceStr); } status = SecItemCopyMatching(query, &results); + ok_status(status, "FindGenericPasswordByAccountAndService: SecItemCopyMatching"); if (!status && results) { status = CheckResults(results, minMatchesExpected, MAXITEMS); @@ -2407,24 +2330,30 @@ int FindGenericPasswordByAccountAndService(CFStringRef accountStr, CFRelease(query); PrintTestResult("FindGenericPasswordByAccountAndService", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindInternetPasswordByAccount(CFStringRef accountStr, +static int FindInternetPasswordByAccount(SecKeychainRef keychain, + CFStringRef accountStr, CFTypeRef returnType, CFTypeRef matchLimit, CFIndex minMatchesExpected, OSStatus expected) { + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + const void *keys[] = { + kSecMatchSearchList, kSecClass, kSecAttrAccount, kSecMatchLimit, returnType }; const void *values[] = { + searchList, kSecClassInternetPassword, accountStr, matchLimit, @@ -2441,6 +2370,7 @@ int FindInternetPasswordByAccount(CFStringRef accountStr, if (debug) PrintStringToMatch(accountStr); status = SecItemCopyMatching(query, &results); + ok_status(status, "FindInternetPasswordByAccount: SecItemCopyMatching"); if (!status && results) { status = CheckResults(results, minMatchesExpected, MAXITEMS); 
@@ -2450,19 +2380,24 @@ int FindInternetPasswordByAccount(CFStringRef accountStr, CFRelease(query); PrintTestResult("FindInternetPasswordByAccount", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindInternetPasswordByAccountAndServer(CFStringRef accountStr, +static int FindInternetPasswordByAccountAndServer(SecKeychainRef keychain, + CFStringRef accountStr, CFStringRef serverStr, CFTypeRef returnType, CFTypeRef matchLimit, CFIndex minMatchesExpected, OSStatus expected) { + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + const void *keys[] = { + kSecMatchSearchList, kSecClass, kSecAttrAccount, kSecAttrServer, @@ -2470,6 +2405,7 @@ int FindInternetPasswordByAccountAndServer(CFStringRef accountStr, returnType }; const void *values[] = { + searchList, kSecClassInternetPassword, accountStr, serverStr, @@ -2489,6 +2425,7 @@ int FindInternetPasswordByAccountAndServer(CFStringRef accountStr, PrintStringToMatch(serverStr); } status = SecItemCopyMatching(query, &results); + ok_status(status, "FindInternetPasswordByAccountAndServer: SecItemCopyMatching"); if (!status && results) { status = CheckResults(results, minMatchesExpected, MAXITEMS); 
@@ -2498,22 +2435,22 @@ int FindInternetPasswordByAccountAndServer(CFStringRef accountStr, CFRelease(query); PrintTestResult("FindInternetPasswordByAccountAndServer", status, expected); - + return (status==expected) ? (int)noErr : (int)status; } -int FindMailPassword( +static int FindMailPassword(SecKeychainRef keychain, CFStringRef account, CFStringRef server) { CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - + SInt16 port = 143; CFNumberRef portNumber = CFNumberCreate(NULL, kCFNumberSInt16Type, &port); - + // set up query for a Mail password (IMAP, port 143) for given account and server CFDictionaryAddValue( query, kSecClass, kSecClassInternetPassword ); CFDictionaryAddValue( query, kSecAttrAccount, account ); 
@@ -2523,21 +2460,21 @@ int FindMailPassword( CFDictionaryAddValue( query, kSecMatchLimit, kSecMatchLimitOne ); CFDictionaryAddValue( query, kSecReturnData, kCFBooleanTrue ); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionaryAddValue(query, kSecMatchSearchList, searchList); + CFTypeRef results = NULL; OSStatus status = SecItemCopyMatching(query, &results); - - if (!quiet && status) - fprintf(stderr, "FindMailPassword: SecItemCopyMatching error %d\n", (int)status); - + ok_status(status, "FindMailPassword: SecItemCopyMatching error %d\n", (int)status); + if (!status && results) { // since we asked for kSecMatchLimitOne w/kSecReturnData, the result is the found password CFDataRef password = (CFDataRef) results; - if (CFDataGetTypeID() != CFGetTypeID(password)) { - fprintf(stderr, "FindMailPassword: unexpected result type!\n"); - } - else { - if (debug) CFShow(password); - } + is(CFDataGetTypeID(), CFGetTypeID(password), "FindMailPassword: unexpected result type!\n"); + + if (debug) CFShow(password); + CFRelease(results); } if (query) @@ -2563,7 +2500,8 @@ const CFStringRef gUUID = CFSTR("550e8400-e29b-41d4-a716-446655441234"); // then the attempt would fail and leave a "turd" key with no label in your // keychain: <rdar://8289559>, fixed in 11A268a. -int CreateSymmetricKey( +static int CreateSymmetricKey( + SecKeychainRef keychain, CFStringRef keyLabel, CFStringRef keyAppLabel, CFStringRef keyAppTag, 
@@ -2573,11 +2511,6 @@ int CreateSymmetricKey( int keySizeValue = 128; CFNumberRef keySize = CFNumberCreate(NULL, kCFNumberIntType, &keySizeValue); - // get a SecKeychainRef for the keychain in which we want the key to be created - // (this step is optional, but if omitted, the key is NOT saved in any keychain!) - SecKeychainRef keychain = NULL; - status = SecKeychainCopyDefault(&keychain); - // create a SecAccessRef to set up the initial access control settings for this key // (this step is optional; if omitted, the creating application has access to the key) // note: the access descriptor should be the same string as will be used for the item's label, @@ -2628,20 +2561,21 @@ int CreateSymmetricKey( status = (error) ? (OSStatus) CFErrorGetCode(error) : noErr; // if (status == errSecDuplicateItem) // status = noErr; // it's OK if the key already exists - + if (key) CFRelease(key); if (error) CFRelease(error); if (params) CFRelease(params); if (keychain) CFRelease(keychain); if (access) CFRelease(access); - + PrintTestResult("CreateSymmetricKey", status, expected); - + return status; } -int FindSymmetricKey( +static int FindSymmetricKey( + SecKeychainRef keychain, CFStringRef keyLabel, CFStringRef keyAppLabel, CFStringRef keyAppTag, @@ -2653,6 +2587,10 @@ int FindSymmetricKey( &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + CFDictionaryAddValue( query, kSecClass, kSecClassKey ); CFDictionaryAddValue( query, kSecAttrKeyClass, kSecAttrKeyClassSymmetric ); CFDictionaryAddValue( query, kSecMatchLimit, kSecMatchLimitOne ); // we only want the first match 
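Review bot: CreateSymmetricKey still executes `if (keychain) CFRelease(keychain);` (context line in the second hunk) although the `SecKeychainCopyDefault(&keychain)` that produced the owned reference was removed and `keychain` is now a caller-supplied parameter. Each call therefore drops one retain the function does not own, so after the test the caller's SecKeychainRef can be over-released and every subsequent Find*/Delete helper that appends it to a search list operates on a freed object. That release line should be deleted; FindSymmetricKey and the other helpers in this patch correctly treat the parameter as borrowed. The function's remaining cleanup is inside the hunk, but its body starts outside it.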
@@ -2667,6 +2605,11 @@ int FindSymmetricKey( CFTypeRef result = NULL; OSStatus status = SecItemCopyMatching(query, &result); + if(expected == errSecSuccess) { + ok_status(status, "FindSymmetricKey: SecItemCopyMatching"); + } else { + is(status, expected, "FindSymmetricKey: SecItemCopyMatching"); + } // print result and clean up if (debug) { @@ -2695,14 +2638,15 @@ int FindSymmetricKey( if (key) CFRelease(key); if (query) CFRelease(query); - + PrintTestResult("FindSymmetricKey", status, expected); - + return status; } -int FindAndDeleteItemsByName( +static int FindAndDeleteItemsByName( + SecKeychainRef keychain, CFStringRef nameStr, CFStringRef accountStr, CFTypeRef itemClass, @@ -2714,6 +2658,10 @@ int FindAndDeleteItemsByName( &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + CFTypeRef nameMatchKey; if (CFEqual(itemClass, kSecClassCertificate) || CFEqual(itemClass, kSecClassIdentity)) { @@ -2737,13 +2685,14 @@ int FindAndDeleteItemsByName( } OSStatus status = SecItemCopyMatching(query, &results); + ok_status(status, "FindAndDeleteItemsByName: SecItemCopyMatching"); if (!status) { /* Make sure that we found the items we expected to find */ status = CheckResults(results, minMatchesExpected, MAXITEMS); CFRelease(results); } - + if (!status) { /* OK, now the real reason we're here... the same query must work for SecItemDelete */ status = SecItemDelete(query); 
@@ -2757,17 +2706,17 @@ int FindAndDeleteItemsByName( if (!status) { /* oops... we still found matches using this query */ int count = (int)CFArrayGetCount(results); - fprintf(stderr, "### still found %d items, expected 0\n", count); + is(count, 0, "### FindAndDeleteItemsByName: still found %d items, expected 0\n", count); CFRelease(results); } PrintTestResult("FindAndDeleteItemsByName: find after delete", status, errSecItemNotFound); - + status = (status == errSecItemNotFound) ? expected : errSecInternalError; } if (query) CFRelease(query); - + return (status==expected) ? (int)noErr : (int)status; } 
@@ -2775,79 +2724,90 @@ int FindAndDeleteItemsByName( #pragma mark -- Test Functions -- -int TestIdentityLookup() +static int TestIdentityLookup(SecKeychainRef keychain) { int result = 0; // look up identity by name, want first result as a SecIdentityRef - result += FindIdentityByName(CFSTR("Test SSL User"), kSecReturnRef, kSecMatchLimitOne, 1, noErr); + result += FindIdentityByName(keychain, CFSTR("Test SSL User"), kSecReturnRef, kSecMatchLimitOne, 1, noErr); // look up existing non-identity certificate by name, expect errSecItemNotFound error - result += FindIdentityByName(CFSTR("Test-5685316-LEAF"), kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); + result += FindIdentityByName(keychain, CFSTR("Test-5685316-LEAF"), kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); // look up non-existent identity by name, expect errSecItemNotFound error - result += FindIdentityByName(CFSTR("myxlpytk"), kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); - + result += FindIdentityByName(keychain, CFSTR("myxlpytk"), kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); + + /* given the policy OID, create a SecPolicyRef */ + const void *keys[] = { kSecPolicyClient }; + const void *values[] = { kCFBooleanTrue }; + CFDictionaryRef properties = CFDictionaryCreate(NULL, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + + SecPolicyRef sslPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleSSL, properties); + SecPolicyRef codeSigningPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleCodeSigning, NULL); + // look up identity by policy, want first result as a SecIdentityRef (should find "Test SSL User" identity) - result += FindIdentityByPolicy(kSecPolicyAppleSSL, TRUE, kSecReturnRef, kSecMatchLimitOne, 1, noErr); + result += FindIdentityByPolicy(keychain, sslPolicy, kSecReturnRef, kSecMatchLimitOne, 1, noErr); // look up identity by policy, want first result as a CFDictionary of attributes 
(should find "Test SSL User" identity) - result += FindIdentityByPolicy(kSecPolicyAppleSSL, TRUE, kSecReturnAttributes, kSecMatchLimitOne, 1, noErr); - + result += FindIdentityByPolicy(keychain, sslPolicy, kSecReturnAttributes, kSecMatchLimitOne, 1, noErr); + // look up identity by policy, expect errSecItemNotFound error (this assumes no code signing identity is present!) - result += FindIdentityByPolicy(kSecPolicyAppleCodeSigning, FALSE, kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); + result += FindIdentityByPolicy(keychain, codeSigningPolicy, kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); // ------------------------- // test kSecMatchValidOnDate // ------------------------- // make a valid date which will match at least some identities we used to populate the keychain - CFGregorianDate aCurrentGDate = { 2010, 7, 20, 12, 0, 0 }; // Jul 20 2010 12:00 PM + CFGregorianDate aCurrentGDate = { 2016, 7, 20, 12, 0, 0 }; // Jul 20 2016 12:00 PM CFDateRef aCurrentDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aCurrentGDate, NULL)); - if (FindIdentityByNameAndValidDate(CFSTR("Test SSL User"), aCurrentDate, kSecReturnRef, kSecMatchLimitAll, 1, noErr)) + if (FindIdentityByNameAndValidDate(keychain, CFSTR("Test SSL User"), aCurrentDate, kSecReturnRef, kSecMatchLimitAll, 1, noErr)) ++result; if(aCurrentDate) CFRelease(aCurrentDate); - + // make a date in the past which should NOT match any identities (expect errSecItemNotFound) CFGregorianDate aPastGDate = { 1984, 7, 20, 12, 0, 0 }; // Jul 20 1984 12:00 PM CFDateRef aPastDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aPastGDate, NULL)); - if (FindIdentityByNameAndValidDate(CFSTR("Test SSL User"), aPastDate, kSecReturnRef, kSecMatchLimitAll, 0, errSecItemNotFound)) + if (FindIdentityByNameAndValidDate(keychain, CFSTR("Test SSL User"), aPastDate, kSecReturnRef, kSecMatchLimitAll, 0, errSecItemNotFound)) ++result; if(aPastDate) CFRelease(aPastDate); // make a 
date in the future which should NOT match any identities yet (expect errSecItemNotFound) CFGregorianDate aFutureGDate = { 2034, 7, 20, 12, 0, 0 }; // Jul 20 2034 12:00 PM CFDateRef aFutureDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aFutureGDate, NULL)); - if (FindIdentityByNameAndValidDate(CFSTR("Test SSL User"), aFutureDate, kSecReturnRef, kSecMatchLimitAll, 0, errSecItemNotFound)) + if (FindIdentityByNameAndValidDate(keychain, CFSTR("Test SSL User"), aFutureDate, kSecReturnRef, kSecMatchLimitAll, 0, errSecItemNotFound)) ++result; if(aFutureDate) CFRelease(aFutureDate); // make a date in the past which SHOULD match 2 identities we used to populate the keychain CFGregorianDate aPastValidGDate = { 2007, 12, 20, 12, 0, 0 }; // Dec 20 2007 12:00 PM CFDateRef aPastValidDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aPastValidGDate, NULL)); - if (FindIdentityByNameAndValidDate(CFSTR(" 2007"), aPastValidDate, kSecReturnRef, kSecMatchLimitAll, 0, noErr)) + if (FindIdentityByNameAndValidDate(keychain, CFSTR(" 2007"), aPastValidDate, kSecReturnRef, kSecMatchLimitAll, 0, noErr)) ++result; // test the ability of kCFNull to denote "currently valid" (should not find anything, since the " 2007" certs are expired) - if (FindIdentityByNameAndValidDate(CFSTR(" 2007"), kCFNull, kSecReturnRef, kSecMatchLimitAll, 0, errSecItemNotFound)) + if (FindIdentityByNameAndValidDate(keychain, CFSTR(" 2007"), kCFNull, kSecReturnRef, kSecMatchLimitAll, 0, errSecItemNotFound)) ++result; - + // test Ian's bug: <rdar://8197632>; the 4th argument is a string which should NOT be present in any found items - if (FindIdentityByPolicyAndValidDate(kSecPolicyAppleSMIME, FALSE, kCFNull, CFSTR(" 2007"), kSecReturnAttributes, kSecMatchLimitAll, 0, noErr)) + if (FindIdentityByPolicyAndValidDate(keychain, kSecPolicyAppleSMIME, FALSE, kCFNull, CFSTR(" 2007"), kSecReturnAttributes, kSecMatchLimitAll, 0, errSecSuccess)) ++result; - + return result; } -int 
TestCertificateLookup() +static int TestCertificateLookup(SecKeychainRef keychain) { int result = 0; - + //====================================================================== // item attribute tests (kSecItemAttr* keys) //====================================================================== - + // %%%TBA: need to flesh out this section with all certificate attributes // ------------------------------------------ @@ -2872,7 +2832,7 @@ int TestCertificateLookup() // ------------------ // look up cert by label, want array of all results (expect only 1) as SecCertificateRef - result += FindCertificateByLabel(CFSTR("com.apple.kerberos.kdc"), + result += FindCertificateByLabel(keychain, CFSTR("Test-5685316-LEAF"), kSecReturnRef, kSecMatchLimitAll, 1, 1, noErr); 
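Review bot: TestIdentityLookup creates `properties`, `sslPolicy` and `codeSigningPolicy` but never releases them before `return result;`, whereas the parallel code added to TestCertificateLookup (a later hunk) ends with CFReleaseSafe on each. Adding `CFReleaseSafe(sslPolicy); CFReleaseSafe(codeSigningPolicy); CFReleaseSafe(properties);` before the return keeps the two test functions consistent. The SecPolicyCreateWithProperties results are also passed to FindIdentityByPolicy unchecked, where a NULL policy would be retained into the query dictionary and crash, so an `isnt(sslPolicy, NULL, ...)` pair after creation would turn that into a reported failure. Separately, the last call now passes 0 for `matchesExpected` with errSecSuccess while the comment says found items are checked for the forbidden substring; since FindIdentityByPolicyAndValidDate now calls CheckResults with min and max both equal to that value, please confirm CheckResults accepts that combination when the lookup does return items.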
@@ -2883,57 +2843,57 @@ int TestCertificateLookup() // ----------------------------------- // test kSecMatchEmailAddressIfPresent // ----------------------------------- - + // look up cert by email, want first result as a SecCertificateRef - result += FindCertificateByEmail(CFSTR("security-dev@group.apple.com"), + result += FindCertificateByEmail(keychain, CFSTR("security-dev@group.apple.com"), kSecReturnRef, kSecMatchLimitOne, 0, noErr); // look up cert by email, want first result as a CFDictionaryRef of attributes - result += FindCertificateByEmail(CFSTR("security-dev@group.apple.com"), + result += FindCertificateByEmail(keychain, CFSTR("security-dev@group.apple.com"), kSecReturnAttributes, kSecMatchLimitOne, 0, noErr); // ----------------------------- // test kSecMatchSubjectContains // ----------------------------- - // look up cert containing name, want array of all results (expect at least 3) as SecCertificateRef - result += FindCertificateByNameInSubject(CFSTR("Test-5685316"), + // look up cert containing name, want array of all results (expect at least 3) as SecCertificateRef + result += FindCertificateByNameInSubject(keychain, CFSTR("Test-5685316"), kSecMatchSubjectContains, kSecReturnRef, kSecMatchLimitAll, 3, noErr); // look up non-existent cert by name, expect errSecItemNotFound error - result += FindCertificateByNameInSubject(CFSTR("myxlpytk"), + result += FindCertificateByNameInSubject(keychain, CFSTR("myxlpytk"), kSecMatchSubjectContains, kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); // look up cert by name, want array of all results (expect at least 2) as CFDataRef - result += FindCertificateByNameInSubject(CFSTR("Test-5685316"), + result += FindCertificateByNameInSubject(keychain, CFSTR("Test-5685316"), kSecMatchSubjectContains, kSecReturnData, kSecMatchLimitAll, 2, noErr); // look up cert by name, want array of all results (expect at least 2) as CFDictionaryRef of attributes - result += 
FindCertificateByNameInSubject(CFSTR("Test-5685316"), + result += FindCertificateByNameInSubject(keychain, CFSTR("Test-5685316"), kSecMatchSubjectContains, kSecReturnAttributes, kSecMatchLimitAll, 2, noErr); // ------------------------------- // test kSecMatchSubjectStartsWith // ------------------------------- - // look up cert starting with name, want array of all results (expect at least 3) as SecCertificateRef - result += FindCertificateByNameInSubject(CFSTR("Test-568"), + // look up cert starting with name, want array of all results (expect at least 3) as SecCertificateRef + result += FindCertificateByNameInSubject(keychain, CFSTR("Test-568"), kSecMatchSubjectStartsWith, kSecReturnRef, kSecMatchLimitAll, 3, noErr); // look up cert starting with a name which isn't at start, expect errSecItemNotFound error - result += FindCertificateByNameInSubject(CFSTR("5685316"), + result += FindCertificateByNameInSubject(keychain, CFSTR("5685316"), kSecMatchSubjectStartsWith, kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); // ----------------------------- // test kSecMatchSubjectEndsWith // ----------------------------- - // look up cert ending with name, want array of all results (expect at least 1) as SecCertificateRef - result += FindCertificateByNameInSubject(CFSTR("LEAF"), + // look up cert ending with name, want array of all results (expect at least 1) as SecCertificateRef + result += FindCertificateByNameInSubject(keychain, CFSTR("LEAF"), kSecMatchSubjectEndsWith, kSecReturnRef, kSecMatchLimitAll, 1, noErr); // look up cert ending with a name which isn't at end, expect errSecItemNotFound error - result += FindCertificateByNameInSubject(CFSTR("Test-"), + result += FindCertificateByNameInSubject(keychain, CFSTR("Test-"), kSecMatchSubjectEndsWith, kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); // -------------------------------- 
@@ -2941,39 +2901,58 @@ int TestCertificateLookup() // -------------------------------- // look up cert by whole name, want first result (expecting 1) as a SecCertificateRef - result += FindCertificateByNameInSubject(CFSTR("Test-5685316-LEAF"), + result += FindCertificateByNameInSubject(keychain, CFSTR("Test-5685316-LEAF"), kSecMatchSubjectWholeString, kSecReturnRef, kSecMatchLimitOne, 1, noErr); // look up cert by whole name (which is a substring in other certs), expect errSecItemNotFound error - result += FindCertificateByNameInSubject(CFSTR("Test-568"), + result += FindCertificateByNameInSubject(keychain, CFSTR("Test-568"), kSecMatchSubjectWholeString, kSecReturnRef, kSecMatchLimitOne, 0, errSecItemNotFound); // -------------------- // test kSecMatchPolicy // -------------------- + const void *keys[] = { kSecPolicyClient }; + const void *values[] = { kCFBooleanTrue }; + CFDictionaryRef properties = CFDictionaryCreate(NULL, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + + SecPolicyRef sslPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleSSL, properties); + SecPolicyRef codeSigningPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleCodeSigning, NULL); + SecPolicyRef smimePolicy = SecPolicyCreateWithProperties(kSecPolicyAppleSMIME, NULL); + // look up cert by name and policy (Code Signing), want first result as a SecCertificateRef - result += FindCertificateByNameAndPolicy(CFSTR("Test-7875801"), - kSecPolicyAppleCodeSigning, FALSE, - kSecReturnRef, kSecMatchLimitOne, 0, noErr); + result += FindCertificateByNameAndPolicy(keychain, CFSTR("Test-7875801"), + codeSigningPolicy, + kSecReturnRef, kSecMatchLimitOne, 1, noErr); // look up cert by name and policy (S/MIME), want first result as a SecCertificateRef - result += FindCertificateByNameAndPolicy(CFSTR("Test-"), - kSecPolicyAppleSMIME, FALSE, - kSecReturnRef, kSecMatchLimitOne, 0, noErr); + result += 
FindCertificateByNameAndPolicy(keychain, CFSTR("Test-"), + smimePolicy, + kSecReturnRef, kSecMatchLimitOne, 1, noErr); + + // look up cert by name and policy (SSL), want first result as a SecCertificateRef + result += FindCertificateByNameAndPolicy(keychain, CFSTR("Test "), + sslPolicy, + kSecReturnRef, kSecMatchLimitOne, 1, noErr); // look up cert by name and policy, want array of all results as SecCertificateRef - // (note that we expect an error here, since if all went well, there will be only 1 cert - // matching both name and policy parameters, but we asked for a minimum of 2 matches.) - result += FindCertificateByNameAndPolicy(CFSTR("Test-7875801"), - kSecPolicyAppleCodeSigning, FALSE, - kSecReturnAttributes, kSecMatchLimitAll, 2, errSecInternalError); - + result += FindCertificateByNameAndPolicy(keychain, CFSTR("Test-7875801"), + codeSigningPolicy, + kSecReturnAttributes, kSecMatchLimitAll, 1, noErr); + // look up cert by email address for SMIME encryption, date valid today, want array of all results as SecCertificateRef // (note that a date value of kCFNull is interpreted as the current date) - result += FindCertificateForSMIMEEncryption(CFSTR("smime-test@apple.com"), kCFNull, + result += FindCertificateForSMIMEEncryption(keychain, CFSTR("smime-test@apple.com"), kCFNull, kSecReturnRef, kSecMatchLimitAll, 1, noErr); + CFReleaseSafe(sslPolicy); + CFReleaseSafe(codeSigningPolicy); + CFReleaseSafe(smimePolicy); + CFReleaseSafe(properties); + // ------------------------- // test kSecMatchValidOnDate // ------------------------- 
@@ -2981,21 +2960,21 @@ int TestCertificateLookup() // make a valid date which will match at least 2 certificates we used to populate the keychain CFGregorianDate aCurrentGDate = { 2010, 7, 20, 12, 0, 0 }; // Jul 20 2010 12:00 PM CFDateRef aCurrentDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aCurrentGDate, NULL)); - if (FindCertificateByNameAndValidDate(CFSTR("Test-"), aCurrentDate, kSecReturnRef, kSecMatchLimitAll, 2, noErr)) + if (FindCertificateByNameAndValidDate(keychain, CFSTR("Test-"), aCurrentDate, kSecReturnRef, kSecMatchLimitAll, 2, noErr)) ++result; if(aCurrentDate) CFRelease(aCurrentDate); - + // make a date in the past which should NOT match any certificates (expect errSecItemNotFound) CFGregorianDate aPastGDate = { 1984, 7, 20, 12, 0, 0 }; // Jul 20 1984 12:00 PM CFDateRef aPastDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aPastGDate, NULL)); - if (FindCertificateByNameAndValidDate(CFSTR("Test-"), aPastDate, kSecReturnRef, kSecMatchLimitAll, 2, errSecItemNotFound)) + if (FindCertificateByNameAndValidDate(keychain, CFSTR("Test-"), aPastDate, kSecReturnRef, kSecMatchLimitAll, 2, errSecItemNotFound)) ++result; if(aPastDate) CFRelease(aPastDate); // make a date in the future which should NOT match any certificates yet (expect errSecItemNotFound) CFGregorianDate aFutureGDate = { 2034, 7, 20, 12, 0, 0 }; // Jul 20 2034 12:00 PM CFDateRef aFutureDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aFutureGDate, NULL)); - if (FindCertificateByNameAndValidDate(CFSTR("Test-"), aFutureDate, kSecReturnRef, kSecMatchLimitAll, 2, errSecItemNotFound)) + if (FindCertificateByNameAndValidDate(keychain, CFSTR("Test-"), aFutureDate, kSecReturnRef, kSecMatchLimitAll, 2, errSecItemNotFound)) ++result; if(aFutureDate) CFRelease(aFutureDate); 
@@ -3003,71 +2982,70 @@ int TestCertificateLookup() } -int TestPreferredIdentityLookup() +static int TestPreferredIdentityLookup(SecKeychainRef keychain) { int result = 0; - + // set a preferred identity first - if (SetPreferredIdentityForSMIMESigning(CFSTR("Test-SignOnly (S/MIME)"), CFSTR("smime-test@apple.com"))) + if (SetPreferredIdentityForSMIMESigning(keychain, CFSTR("Test-SignOnly (S/MIME)"), CFSTR("smime-test@apple.com"))) ++result; - + // define a valid date for this preferred identity (typically this would just be kCFNull in a real program, meaning "now") - CFGregorianDate aCurrentGDate = { 2010, 7, 27, 21, 0, 0 }; // Jul 27 2010 9:00 PM + CFGregorianDate aCurrentGDate = { 2016, 7, 27, 21, 0, 0 }; // Jul 27 2016 9:00 PM CFDateRef aCurrentDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aCurrentGDate, NULL)); - if (FindPreferredIdentityForSMIMESigning(CFSTR("smime-test@apple.com"), aCurrentDate)) + if (FindPreferredIdentityForSMIMESigning(keychain, CFSTR("smime-test@apple.com"), aCurrentDate)) ++result; if(aCurrentDate) CFRelease(aCurrentDate); // delete identity preference(s) for this email address by setting a NULL identity - if (SecIdentitySetPreferred(NULL, CFSTR("smime-test@apple.com"), 0) != noErr) - ++result; - + ok_status(SecIdentitySetPreferred(NULL, CFSTR("smime-test@apple.com"), 0), "TestPreferredIdentityLookup: SecIdentitySetPreferred"); + return result; } -int TestPreferredCertificateLookup() +static int TestPreferredCertificateLookup(SecKeychainRef keychain) { int result = 0; - + // set a preferred certificate first - if (SetPreferredCertificateForSMIMEEncryption(CFSTR("Test-Encryption (S/MIME)"), CFSTR("smime-test@apple.com"))) + if (SetPreferredCertificateForSMIMEEncryption(keychain, CFSTR("Test-Encryption (S/MIME)"), CFSTR("smime-test@apple.com"))) ++result; - + // define a valid date for this preferred certificate (typically this would just be kCFNull in a real program, meaning "now") - CFGregorianDate aCurrentGDate 
= { 2010, 7, 27, 21, 0, 0 }; // Jul 27 2010 9:00 PM + CFGregorianDate aCurrentGDate = { 2016, 7, 27, 21, 0, 0 }; // Jul 27 2016 9:00 PM CFDateRef aCurrentDate = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(aCurrentGDate, NULL)); - if (FindPreferredCertificateForSMIMEEncryption(CFSTR("smime-test@apple.com"), aCurrentDate)) + if (FindPreferredCertificateForSMIMEEncryption(keychain, CFSTR("smime-test@apple.com"), aCurrentDate)) ++result; if(aCurrentDate) CFRelease(aCurrentDate); // delete certificate preference(s) for this email address by setting a NULL identity - if (SecCertificateSetPreferred(NULL, CFSTR("smime-test@apple.com"), 0) != noErr) - ++result; + ok_status(SecCertificateSetPreferred(NULL, CFSTR("smime-test@apple.com"), 0), "TestPreferredCertificateLookup: SecCertificateSetPreferred"); return result; } -int TestSymmetricKeyLookup() +static int TestSymmetricKeyLookup(SecKeychainRef keychain) { int result = 0; // look up our symmetric key by label and UUID (it might not exist yet) - if (FindSymmetricKey(gLabel, gUUID, NULL, errSecItemNotFound) != errSecSuccess) { + if (FindSymmetricKey(keychain, gLabel, gUUID, NULL, errSecItemNotFound) != errSecSuccess) { // create test key (unique by UUID only) - if (CreateSymmetricKey(gLabel, gUUID, NULL, errSecSuccess) != errSecSuccess) + if (CreateSymmetricKey(keychain, gLabel, gUUID, NULL, errSecSuccess) != errSecSuccess) ++result; // look it up again (it should exist now!) 
- if (FindSymmetricKey(gLabel, gUUID, NULL, errSecSuccess) != errSecSuccess) + if (FindSymmetricKey(keychain, gLabel, gUUID, NULL, errSecSuccess) != errSecSuccess) ++result; } - + // now look up a key whose name is derived from today's date // (so we can make sure on a daily basis that SecKeyGenerateSymmetric is still working) CFGregorianDate curGDate = CFAbsoluteTimeGetGregorianDate(CFAbsoluteTimeGetCurrent(), NULL); CFStringRef curDateLabel = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@ (%4d-%02d-%02d)"), - gPrefix, curGDate.year, curGDate.month, curGDate.day); + gPrefix, (int32_t) curGDate.year, (int8_t) curGDate.month, (int8_t) curGDate.day); + // //%%% FIXME Creating a symmetric key with attributes that would duplicate an existing // key item currently results in a broken <unknown> key which can't be found: <rdar://8289559> 
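Review bot: Both preferred-item lookups now pin their validity date to a literal 2016-07-27 (replacing 2010-07-27), which couples the test to whatever validity window the current S/MIME fixtures happen to have, and nothing in the code says so; the next fixture regeneration or expiry is likely to break this line again with no hint why. Either pass kCFNull, as the existing comment says a real program would, or document the coupling: `// must fall inside the validity period of the Test-SignOnly / Test-Encryption S/MIME fixtures; update when they are regenerated`. Separately, in both functions the cleanup call's failure is now reported through ok_status but no longer counted in result, while the Set/Find failures still only bump result; presumably those helpers assert internally, but if not, their failures are invisible unless the caller inspects the return value. This hunk runs into TestSymmetricKeyLookup, which continues past it.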
@@ -3076,17 +3054,17 @@ int TestSymmetricKeyLookup() CFStringRef curAppTag = CFSTR("SecItemFind"); // look up our date-based symmetric key by label, UUID, and tag (it might not exist yet) - if (FindSymmetricKey(curDateLabel, gUUID, curAppTag, errSecItemNotFound) != errSecSuccess) { + if (FindSymmetricKey(keychain, curDateLabel, gUUID, curAppTag, errSecItemNotFound) != errSecSuccess) { // create test key (unique by combination of UUID and application tag) - if (CreateSymmetricKey(curDateLabel, gUUID, curAppTag, errSecSuccess) != errSecSuccess) + if (CreateSymmetricKey(keychain, curDateLabel, gUUID, curAppTag, errSecSuccess) != errSecSuccess) ++result; // look it up again (it should exist now!) - if (FindSymmetricKey(curDateLabel, gUUID, curAppTag, errSecSuccess) != errSecSuccess) + if (FindSymmetricKey(keychain, curDateLabel, gUUID, curAppTag, errSecSuccess) != errSecSuccess) ++result; } // test handling of duplicate symmetric key items (<rdar://8289559>) - if (CreateSymmetricKey(curDateLabel, gUUID, curAppTag, errSecDuplicateItem) != errSecDuplicateItem) + if (CreateSymmetricKey(keychain, curDateLabel, gUUID, curAppTag, errSecDuplicateItem) != errSecDuplicateItem) ++result; CFRelease(curDateLabel); 
@@ -3095,50 +3073,50 @@ int TestSymmetricKeyLookup() } -int TestInternetPasswordLookup() +static int TestInternetPasswordLookup(SecKeychainRef keychain) { int result = 0; // look up internet password by account and server, want first result as data - if (FindInternetPasswordByAccountAndServer(CFSTR("nobody"), + if (FindInternetPasswordByAccountAndServer(keychain, CFSTR("nobody"), CFSTR("test2.subdomain.apple.com"), kSecReturnData, kSecMatchLimitOne, 1, noErr)) ++result; // look up internet password by account and server, want dictionary of the item's attributes - if (FindInternetPasswordByAccountAndServer(CFSTR("nobody"), + if (FindInternetPasswordByAccountAndServer(keychain, CFSTR("nobody"), CFSTR("test2.subdomain.apple.com"), kSecReturnAttributes, kSecMatchLimitOne, 1, noErr)) ++result; // look up internet passwords by account, want array of SecKeychainItemRef results - if (FindInternetPasswordByAccount(CFSTR("nobody"), + if (FindInternetPasswordByAccount(keychain, CFSTR("nobody"), kSecReturnRef, kSecMatchLimitAll, 1, noErr)) ++result; - + // look up a Mail password for an IMAP account, replacing SecKeychainFindInternetPassword // (see <rdar://8347516>) - if (FindMailPassword(CFSTR("testacct"), CFSTR("mail.apple.com"))) + if (FindMailPassword(keychain, CFSTR("testacct"), CFSTR("mail.apple.com"))) ++result; return result; } -int TestGenericPasswordLookup() +static int TestGenericPasswordLookup(SecKeychainRef keychain) { int result = 0; // look up generic password by account and service, want first result as data - if (FindGenericPasswordByAccountAndService(CFSTR("nobody"), + if (FindGenericPasswordByAccountAndService(keychain, CFSTR("nobody"), CFSTR("Test Service 42"), kSecReturnData, kSecMatchLimitOne, 1, noErr)) ++result; // look up generic password by account and service, dictionary of the item's attributes - if (FindGenericPasswordByAccountAndService(CFSTR("nobody"), + if (FindGenericPasswordByAccountAndService(keychain, CFSTR("nobody"), CFSTR("Test Service 
42"), kSecReturnAttributes, kSecMatchLimitOne, 1, noErr)) ++result; // look up generic passwords by account, want array of SecKeychainItemRef results - if (FindGenericPasswordByAccount(CFSTR("nobody"), + if (FindGenericPasswordByAccount(keychain, CFSTR("nobody"), kSecReturnRef, kSecMatchLimitAll, 1, noErr)) ++result; @@ -3146,7 +3124,7 @@ int TestGenericPasswordLookup() } -int TestUpdateItems() +static int TestUpdateItems(SecKeychainRef keychain) { int result = 0; @@ -3163,7 +3141,7 @@ int TestUpdateItems() CFDictionaryAddValue( params, kSecAttrKeyType, kSecAttrKeyTypeRSA ); CFDictionaryAddValue( params, kSecAttrKeySizeInBits, keySize ); CFDictionaryAddValue( params, kSecAttrLabel, keyLabel ); -// CFDictionaryAddValue( params, kSecUseKeychain, keychain ); + CFDictionaryAddValue( params, kSecUseKeychain, keychain ); // CFDictionaryAddValue( params, kSecAttrAccess, access ); // %%% note that SecKeyGeneratePair will create the key pair in the default keychain // if a keychain is not given via the kSecUseKeychain parameter. @@ -3172,7 +3150,7 @@ int TestUpdateItems() ++result; } PrintTestResult("TestUpdateItems: generating key pair", status, noErr); - + // create a query which will match just the private key item (based on its known reference) CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, @@ -3184,6 +3162,10 @@ int TestUpdateItems() // CFDictionaryAddValue( query, kSecAttrKeyClass, kSecAttrKeyClassPrivate ); CFDictionaryAddValue( query, kSecMatchItemList, itemList ); + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + CFDictionarySetValue(query, kSecMatchSearchList, searchList); + // create dictionary of changed attributes for the private key CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, 
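Review bot: In the TestUpdateItems hunk the new `searchList` array is created with CFArrayCreateMutable, stored into the query via CFDictionarySetValue (which retains it) and then never released, so unless a release follows later in TestUpdateItems (outside this hunk) the array leaks; add `CFReleaseNull(searchList);` immediately after the CFDictionarySetValue call, since the dictionary holds its own reference from then on. The two casts to CFMutableArrayRef are redundant because CFArrayCreateMutable already returns that type: `CFMutableArrayRef searchList = CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); CFArrayAppendValue(searchList, keychain);`. TestUpdateItems begins and ends outside the hunk.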
@@ -3227,133 +3209,87 @@ int TestUpdateItems() } -int TestDeleteItems() +static int TestDeleteItems(SecKeychainRef keychain) { int result = 0; - + // delete our 3 test certificates that start with "Test-5685316-" - if (FindAndDeleteItemsByName(CFSTR("Test-5685316-"), NULL, kSecClassCertificate, kSecMatchLimitAll, 3, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("Test-5685316-"), NULL, kSecClassCertificate, kSecMatchLimitAll, 3, noErr)) ++result; - + // delete our 2 test identities that start with "Test Identity S" (fixed by <rdar://8317856>) - if (FindAndDeleteItemsByName(CFSTR("Test Identity S"), NULL, kSecClassIdentity, kSecMatchLimitAll, 2, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("Test Identity S"), NULL, kSecClassIdentity, kSecMatchLimitAll, 2, noErr)) ++result; // delete the "Test-SignOnly (S/MIME)" identity - if (FindAndDeleteItemsByName(CFSTR("Test-SignOnly (S/MIME)"), NULL, kSecClassIdentity, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("Test-SignOnly (S/MIME)"), NULL, kSecClassIdentity, kSecMatchLimitAll, 1, noErr)) ++result; // delete the "Test-Encryption (S/MIME)" certificate - if (FindAndDeleteItemsByName(CFSTR("Test-Encryption (S/MIME)"), NULL, kSecClassCertificate, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("Test-Encryption (S/MIME)"), NULL, kSecClassCertificate, kSecMatchLimitAll, 1, noErr)) ++result; // delete the "Test-7875801 (Code Signing)" certificate - if (FindAndDeleteItemsByName(CFSTR("Test-7875801 (Code Signing)"), NULL, kSecClassCertificate, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("Test-7875801 (Code Signing)"), NULL, kSecClassCertificate, kSecMatchLimitAll, 1, noErr)) ++result; - + // delete our test passwords (no partial string matching for password items! need an ER Radar...) 
- if (FindAndDeleteItemsByName(CFSTR("Test Service 42"), NULL, kSecClassGenericPassword, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("Test Service 42"), NULL, kSecClassGenericPassword, kSecMatchLimitAll, 1, noErr)) ++result; - if (FindAndDeleteItemsByName(CFSTR("Test Service 69"), NULL, kSecClassGenericPassword, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("Test Service 69"), NULL, kSecClassGenericPassword, kSecMatchLimitAll, 1, noErr)) ++result; - if (FindAndDeleteItemsByName(CFSTR("test1.subdomain.apple.com"), NULL, kSecClassInternetPassword, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("test1.subdomain.apple.com"), NULL, kSecClassInternetPassword, kSecMatchLimitAll, 1, noErr)) ++result; - if (FindAndDeleteItemsByName(CFSTR("test2.subdomain.apple.com"), NULL, kSecClassInternetPassword, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("test2.subdomain.apple.com"), NULL, kSecClassInternetPassword, kSecMatchLimitAll, 1, noErr)) ++result; - if (FindAndDeleteItemsByName(CFSTR("mail.apple.com"), CFSTR("testacct"), kSecClassInternetPassword, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("mail.apple.com"), CFSTR("testacct"), kSecClassInternetPassword, kSecMatchLimitAll, 1, noErr)) ++result; // delete our test symmetric keys (no partial string matching for key items! need an ER Radar...) 
- if (FindAndDeleteItemsByName(gLabel, NULL, kSecClassKey, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, gLabel, NULL, kSecClassKey, kSecMatchLimitAll, 1, noErr)) ++result; CFGregorianDate curGDate = CFAbsoluteTimeGetGregorianDate(CFAbsoluteTimeGetCurrent(), NULL); CFStringRef curDateLabel = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@ (%4d-%02d-%02d)"), - gPrefix, curGDate.year, curGDate.month, curGDate.day); - if (FindAndDeleteItemsByName(curDateLabel, NULL, kSecClassKey, kSecMatchLimitAll, 1, noErr)) + gPrefix, (int32_t) curGDate.year, (int8_t) curGDate.month, (int8_t) curGDate.day); + if (FindAndDeleteItemsByName(keychain, curDateLabel, NULL, kSecClassKey, kSecMatchLimitAll, 1, noErr)) ++result; CFRelease(curDateLabel); // delete our test asymmetric key pair (remember we renamed the private key...) - if (FindAndDeleteItemsByName(CFSTR("AppleID 8658820 test key"), NULL, kSecClassKey, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("AppleID 8658820 test key"), NULL, kSecClassKey, kSecMatchLimitAll, 1, noErr)) ++result; - if (FindAndDeleteItemsByName(CFSTR("AppleID 8658820 test PRIVATE key"), NULL, kSecClassKey, kSecMatchLimitAll, 1, noErr)) + if (FindAndDeleteItemsByName(keychain, CFSTR("AppleID 8658820 test PRIVATE key"), NULL, kSecClassKey, kSecMatchLimitAll, 1, noErr)) ++result; return result; } -void usage(const char *arg0) +int kc_18_find_combined (int argc, char *const *argv) { - fprintf(stdout, "Usage: %s [-q] [-d]\n", arg0); - fprintf(stdout, "Options:\n"); - fprintf(stdout, " -q : (quiet) suppress output of pass/fail lines\n"); - fprintf(stdout, " -d : (debug) show debug output\n"); -} + plan_tests(167); + printf("Getting -25308 or -25293? 
Try unlocking your default keychain; that's where identity and certificate preferences are stored (with no other option).\n"); -int main (int argc, const char * argv[]) -{ - int n, i, c, e; - - /* validate arguments */ - if (argc > 3) - { - usage(argv[0]); - exit(1); - } - - for (i=1; i<argc; i++) - { - if (!strcmp(argv[i], "-q") || !strcmp(argv[i], "q")) - quiet = 1; - else if (!strcmp(argv[i], "-d") || !strcmp(argv[i], "d")) - debug = 1; - else if (!strcmp(argv[i], "-v") || !strcmp(argv[i], "v")) - verbose = 1; - else { - usage(argv[0]); - exit(1); - } - } - if (!quiet && !debug && !verbose) { - fprintf(stdout, "Note: use -d and -v option flags to show debug output and verbose results\n"); - } - - c = 0; /* count */ - e = 0; /* errors */ - - n = 10; /* number of tests we are doing below */ - - plan_tests(n); - tests_begin(argc, (char * const *) argv); - - /* run tests */ - if (!quiet) { - fprintf(stdout, "=== Starting SecItem tests\n"); - } - #define TEST(FUNC, NAME) { \ - if (!quiet) fprintf(stdout,"=== TEST %d: %s\n", ++c, NAME); \ - int r=FUNC; if(r) ++e; ok(!r, NAME); \ - } - - TEST( TestAddItems(), "TestAddItems" ); - TEST( TestGenericPasswordLookup(), "TestGenericPasswordLookup" ); - TEST( TestInternetPasswordLookup(), "TestInternetPasswordLookup" ); - TEST( TestSymmetricKeyLookup(), "TestSymmetricKeyLookup" ); - TEST( TestIdentityLookup(), "TestIdentityLookup" ); - TEST( TestCertificateLookup(), "TestCertificateLookup" ); - TEST( TestPreferredIdentityLookup(), "TestPreferredIdentityLookup" ); - TEST( TestPreferredCertificateLookup(), "TestPreferredCertificateLookup" ); - TEST( TestUpdateItems(), "TestUpdateItems" ); - TEST( TestDeleteItems(), "TestDeleteItems" ); - - if (!quiet) { - fprintf(stdout, "=== %d of %d tests succeeded ===\n", c-e, c); - } - fflush(stdout); + debug = test_verbose; + + SecKeychainRef keychain = createNewKeychain("SecItemTest.keychain", "test"); + addToSearchList(keychain); + + TestAddItems(keychain); + 
TestGenericPasswordLookup(keychain); + TestInternetPasswordLookup(keychain); + TestSymmetricKeyLookup(keychain); + TestCertificateLookup(keychain); + TestIdentityLookup(keychain); + TestPreferredIdentityLookup(keychain); + TestPreferredCertificateLookup(keychain); + TestUpdateItems(keychain); + TestDeleteItems(keychain); + + ok_status(SecKeychainDelete(keychain), "SecKeychainDelete"); + CFReleaseNull(keychain); - tests_end(1); - - return (e) ? 1 : 0; + deleteTestFiles(); + return 0; } diff --git a/SecurityTests/regressions/kc/kc-19-item-copy-internet.c b/OSX/libsecurity_keychain/regressions/kc-19-item-copy-internet.c old mode 100755 new mode 100644 similarity index 63% rename from SecurityTests/regressions/kc/kc-19-item-copy-internet.c rename to OSX/libsecurity_keychain/regressions/kc-19-item-copy-internet.c index f3a2e20c..0f7adeec --- a/SecurityTests/regressions/kc/kc-19-item-copy-internet.c +++ b/OSX/libsecurity_keychain/regressions/kc-19-item-copy-internet.c @@ -3,17 +3,14 @@ #include <stdlib.h> #include <unistd.h> -#include "testmore.h" -#include "testenv.h" -#include "testleaks.h" +#include "keychain_regressions.h" +#include "kc-helpers.h" -void tests(int dont_skip) +static void tests() { SecKeychainRef source, dest; - ok_status(SecKeychainCreate("source", 4, "test", FALSE, NULL, &source), - "create source keychain"); - ok_status(SecKeychainCreate("dest", 4, "test", FALSE, NULL, &dest), - "create dest keychain"); + source = createNewKeychain("source", "test"); + dest = createNewKeychain("dest", "test"); SecKeychainItemRef original = NULL; ok_status(SecKeychainAddInternetPassword(source, 19, "members.spamcop.net", 
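Review bot: kc_18_find_combined now calls each Test*(keychain) function and discards its return value, so the `result` counters those functions still maintain (every `++result` on a failed Find/Create/Delete, including the ones in TestDeleteItems in this hunk) never reach an ok() assertion; any failure the helpers do not assert themselves now passes silently. The removed TEST() macro wrapped each call in ok(!r, NAME); the equivalent is to assert on each return value and raise plan_tests by ten (the 167 figure has to be re-derived anyway once these assertions are added). createNewKeychain's result is also used unchecked by addToSearchList and every test; if that helper does not already assert non-NULL, an `ok(keychain != NULL, "created test keychain");` up front would make a keychain-creation failure legible instead of a cascade of -25308-style errors.
```c
    SecKeychainRef keychain = createNewKeychain("SecItemTest.keychain", "test");
    addToSearchList(keychain);

    ok(TestAddItems(keychain) == 0, "TestAddItems");
    ok(TestGenericPasswordLookup(keychain) == 0, "TestGenericPasswordLookup");
    ok(TestInternetPasswordLookup(keychain) == 0, "TestInternetPasswordLookup");
    ok(TestSymmetricKeyLookup(keychain) == 0, "TestSymmetricKeyLookup");
    ok(TestCertificateLookup(keychain) == 0, "TestCertificateLookup");
    ok(TestIdentityLookup(keychain) == 0, "TestIdentityLookup");
    ok(TestPreferredIdentityLookup(keychain) == 0, "TestPreferredIdentityLookup");
    ok(TestPreferredCertificateLookup(keychain) == 0, "TestPreferredCertificateLookup");
    ok(TestUpdateItems(keychain) == 0, "TestUpdateItems");
    ok(TestDeleteItems(keychain) == 0, "TestDeleteItems");
    /* … unchanged: SecKeychainDelete, CFReleaseNull(keychain), deleteTestFiles … */
```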
@@ -60,22 +57,17 @@ void tests(int dont_skip) is(origAttrs[0].length, copyAttrs[0].length, "creation date length same"); is(origAttrs[1].length, copyAttrs[1].length, "mod date length same"); - TODO: { - todo("<rdar://problem/3731664> Moving/copying a keychain item " - "between keychains erroneously updates dates"); + diag("original creation: %.*s copy creation: %.*s", + (int)origAttrs[0].length, (const char *)origAttrs[0].data, + (int)copyAttrs[0].length, (const char *)copyAttrs[0].data); + ok(!memcmp(origAttrs[0].data, copyAttrs[0].data, origAttrs[0].length), + "creation date same"); - diag("original creation: %.*s copy creation: %.*s", - (int)origAttrs[0].length, (const char *)origAttrs[0].data, - (int)copyAttrs[0].length, (const char *)copyAttrs[0].data); - ok(!memcmp(origAttrs[0].data, copyAttrs[0].data, origAttrs[0].length), - "creation date same"); - - diag("original mod: %.*s copy mod: %.*s", - (int)origAttrs[1].length, (const char *)origAttrs[1].data, - (int)copyAttrs[1].length, (const char *)copyAttrs[1].data); - ok(!memcmp(origAttrs[1].data, copyAttrs[1].data, origAttrs[1].length), - "mod date same"); - } + diag("original mod: %.*s copy mod: %.*s", + (int)origAttrs[1].length, (const char *)origAttrs[1].data, + (int)copyAttrs[1].length, (const char *)copyAttrs[1].data); + ok(!memcmp(origAttrs[1].data, copyAttrs[1].data, origAttrs[1].length), + "mod date same"); ok_status(SecKeychainItemFreeContent(&origAttrList, NULL), "SecKeychainItemCopyContent"); 
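Review bot: With the TODO wrapper gone the creation- and mod-date comparisons are live assertions, but each memcmp uses origAttrs[i].length as its count while the preceding is() only reports a length mismatch without stopping, so a shorter copy attribute makes memcmp read past the end of copyAttrs[i].data. Guard the compare on equal lengths: `ok(origAttrs[0].length == copyAttrs[0].length && !memcmp(origAttrs[0].data, copyAttrs[0].data, origAttrs[0].length), "creation date same");` and the same for index 1. The `%.*s` diag lines print the raw attribute bytes as text, which is only meaningful if these date attributes are always textual; a short comment stating that assumption would help. tests() starts and ends outside this hunk.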
@@ -92,21 +84,14 @@ void tests(int dont_skip) ok_status(SecKeychainDelete(dest), "delete keychain dest"); is(CFGetRetainCount(dest), 1, "dest retaincount is 1"); CFRelease(dest); - - ok(tests_end(1), "cleanup"); } -int main(int argc, char *const *argv) +int kc_19_item_copy_internet(int argc, char *const *argv) { - int dont_skip = argc > 1 && !strcmp(argv[1], "-s"); - - plan_tests(22); - - if (!tests_begin(argc, argv)) - BAIL_OUT("tests_begin failed"); + plan_tests(20); - tests(dont_skip); - ok_leaks("no leaks"); + tests(); + deleteTestFiles(); return 0; } diff --git a/OSX/libsecurity_keychain/regressions/kc-20-identity-find-stress.c b/OSX/libsecurity_keychain/regressions/kc-20-identity-find-stress.c new file mode 100644 index 00000000..88fbfb69 --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-20-identity-find-stress.c 
@@ -0,0 +1,87 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-identity-helpers.h" + +#include <Security/Security.h> +#include <stdlib.h> + +#define BLOCKS 7000 + +static void tests() { + + SecKeychainRef kc = getPopulatedTestKeychain(); + + SecIdentityRef identity = NULL; + SecCertificateRef certRef = NULL; + SecKeyRef keyRef = NULL; + + identity = copyFirstIdentity(kc); + ok_status(SecIdentityCopyCertificate(identity, &certRef), "%s: SecIdentityCopyCertificate", testName); + ok_status(SecIdentityCopyPrivateKey(identity, &keyRef), "%s: SecIdentityCopyPrivateKey", testName); + + CFReleaseNull(identity); + CFReleaseNull(keyRef); + + static dispatch_once_t onceToken = 0; + static dispatch_queue_t release_queue = NULL; + dispatch_once(&onceToken, ^{ + release_queue = dispatch_queue_create("com.apple.security.identity-search-queue", DISPATCH_QUEUE_CONCURRENT); + }); + dispatch_group_t g = 
dispatch_group_create(); + + for(int i = 0; i < BLOCKS; i++) { + dispatch_group_async(g, release_queue, ^() { + SecIdentityRef blockId = NULL; + SecKeyRef blockKeyRef = NULL; + + ok_status(SecIdentityCreateWithCertificate(kc, certRef, &blockId), "%s: SecIdentityCreateWithCertificate", testName); + ok_status(SecIdentityCopyPrivateKey(blockId, &blockKeyRef), "%s: SecIdentityCopyPrivateKey", testName); + + CFReleaseNull(blockKeyRef); + CFReleaseNull(blockId); + }); + } + + dispatch_group_wait(g, DISPATCH_TIME_FOREVER); + CFReleaseNull(certRef); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFReleaseNull(kc); +} + +int kc_20_identity_find_stress(int argc, char *const *argv) +{ + plan_tests(2*BLOCKS + 6); + initializeKeychainTests(__FUNCTION__); + + tests(); + + deleteTestFiles(); + return 0; +} diff --git a/OSX/libsecurity_keychain/regressions/kc-20-identity-key-attributes.c b/OSX/libsecurity_keychain/regressions/kc-20-identity-key-attributes.c new file mode 100644 index 00000000..6b9c3d1c --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-20-identity-key-attributes.c 
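Review bot: The 2*BLOCKS ok_status calls inside the dispatch_group_async blocks execute concurrently on a DISPATCH_QUEUE_CONCURRENT queue, so the harness's pass/fail counter and TAP output are updated from many threads at once; unless ok_status is thread-safe (not visible here) the plan_tests(2*BLOCKS + 6) accounting and the output interleaving are racy. A safer shape is to tally failures with an atomic in the blocks and assert once after dispatch_group_wait, which also makes the plan a small fixed number (the existing six plus two). The dispatch_group_t `g` is never released; this is a .c file, so dispatch objects are not ARC-managed and `dispatch_release(g);` belongs after the wait. The identity from copyFirstIdentity is used without a NULL check, which is fine only if that helper already asserts.
```c
    static int32_t createFailures = 0;
    static int32_t copyKeyFailures = 0;
    /* … unchanged: release_queue creation, dispatch_group_create … */
    for(int i = 0; i < BLOCKS; i++) {
        dispatch_group_async(g, release_queue, ^() {
            SecIdentityRef blockId = NULL;
            SecKeyRef blockKeyRef = NULL;

            if (SecIdentityCreateWithCertificate(kc, certRef, &blockId) != errSecSuccess)
                __sync_fetch_and_add(&createFailures, 1);
            if (SecIdentityCopyPrivateKey(blockId, &blockKeyRef) != errSecSuccess)
                __sync_fetch_and_add(&copyKeyFailures, 1);

            CFReleaseNull(blockKeyRef);
            CFReleaseNull(blockId);
        });
    }

    dispatch_group_wait(g, DISPATCH_TIME_FOREVER);
    dispatch_release(g);
    ok(createFailures == 0, "%s: SecIdentityCreateWithCertificate failed %d times", testName, (int)createFailures);
    ok(copyKeyFailures == 0, "%s: SecIdentityCopyPrivateKey failed %d times", testName, (int)copyKeyFailures);
    /* … unchanged: CFReleaseNull(certRef), SecKeychainDelete … */
```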
@@ -0,0 +1,101 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-identity-helpers.h" + + +// Example of looking up a SecIdentityRef in the keychain, +// then getting the attributes of its private key. 
+// + +#include <CoreFoundation/CoreFoundation.h> +#include <CoreServices/CoreServices.h> +#include <Security/Security.h> + +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <unistd.h> +#include <time.h> +#include <sys/param.h> + +static void PrintPrivateKeyAttributes(SecKeyRef keyRef) +{ + CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + + /* set up the query: find specified item, return attributes */ + //CFDictionaryAddValue( query, kSecClass, kSecClassKey ); + CFDictionaryAddValue( query, kSecValueRef, keyRef ); + CFDictionaryAddValue( query, kSecReturnAttributes, kCFBooleanTrue ); + + CFTypeRef result = NULL; + OSStatus status = SecItemCopyMatching(query, &result); + ok_status(status, "%s: SecItemCopyMatching", testName); + + if (query) + CFRelease(query); + + if(result) { + CFShow(result); + } +} + +static void tests(SecKeychainRef kc) +{ + SecIdentityRef identity=NULL; + SecKeyRef privateKeyRef=NULL; + OSStatus status; + + identity = copyFirstIdentity(kc); + status = SecIdentityCopyPrivateKey(identity, &privateKeyRef); + ok_status(status, "%s: SecIdentityCopyPrivateKey", testName); + + if (privateKeyRef) { + PrintPrivateKeyAttributes(privateKeyRef); + CFRelease(privateKeyRef); + } + CFReleaseNull(identity); +} + +int kc_20_identity_key_attributes(int argc, char *const *argv) +{ + plan_tests(6); + initializeKeychainTests(__FUNCTION__); + + SecKeychainRef kc = getPopulatedTestKeychain(); + + tests(kc); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFReleaseNull(kc); + + deleteTestFiles(); + return 0; +} diff --git a/OSX/libsecurity_keychain/regressions/kc-20-identity-persistent-refs.c b/OSX/libsecurity_keychain/regressions/kc-20-identity-persistent-refs.c new file mode 100644 index 00000000..c70b56f6 --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-20-identity-persistent-refs.c 
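Review bot: PrintPrivateKeyAttributes leaks the `result` returned by SecItemCopyMatching: it is CFShow'n and then dropped, so add `CFReleaseNull(result);` after the CFShow (the `if (query) CFRelease(query);` guard is redundant as well, since query cannot be NULL at that point, and `CFRelease(query);` suffices). More importantly, a test named for key attributes asserts nothing about them beyond the status code — the dictionary is only printed — so a regression that returns an empty or wrong-typed result still passes; at minimum add `ok(result && CFGetTypeID(result) == CFDictionaryGetTypeID(), "%s: returned attribute dictionary", testName);` and bump plan_tests accordingly. The commented-out `kSecClass` line in the query should either be deleted or explained with a short comment on why the class is deliberately left out.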
@@ -0,0 +1,174 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" + +// Tests the ability of SecItemCopyMatching to return a persistent ref for either a +// SecIdentityRef or a SecCertificateRef which happens to be part of an identity, +// then reconstitute the appropriate type of ref from the persistent reference. +// + +#include <CoreFoundation/CoreFoundation.h> +#include <CoreServices/CoreServices.h> +#include <Security/Security.h> + +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <unistd.h> +#include <time.h> +#include <sys/param.h> +#include "kc-identity-helpers.h" + +#define MAXNAMELEN MAXPATHLEN +#define MAXITEMS INT32_MAX + +static CFDataRef +copyPersistentReferenceForItem(CFTypeRef item) +{ + // Given either a SecIdentityRef or SecCertificateRef item reference, + // return a persistent reference. Caller must release the reference. 
+
+ OSStatus status;
+ CFDataRef persistentRef = NULL;
+ CFDictionaryRef query = NULL;
+
+ const void *keys[] = { kSecReturnPersistentRef, kSecValueRef };
+ const void *values[] = { kCFBooleanTrue, item };
+
+ query = CFDictionaryCreate(NULL, keys, values,
+ (sizeof(keys) / sizeof(*keys)), NULL, NULL);
+ status = SecItemCopyMatching(query, (CFTypeRef *)&persistentRef);
+ ok_status(status, "%s: SecItemCopyMatching (copyPersistentReferenceForItem)", testName);
+ CFRelease(query);
+ return persistentRef;
+}
+
+static CFTypeRef
+copyItemForPersistentReference(CFDataRef persistentRef)
+{
+ // Given a persistent reference, reconstitute it into an item
+ // reference. Depending on whether the persistent reference was
+ // originally made to a SecIdentityRef or SecCertificateRef, this
+ // should return the same item type as the original.
+ // Caller must release the reference.
+
+ OSStatus status;
+ CFTypeRef itemRef = NULL;
+ CFDictionaryRef query = NULL;
+ const void *keys[] = { kSecReturnRef, kSecValuePersistentRef };
+ const void *values[] = { kCFBooleanTrue, persistentRef };
+
+ query = CFDictionaryCreate(NULL, keys, values,
+ (sizeof(keys) / sizeof(*keys)), NULL, NULL);
+ status = SecItemCopyMatching(query, &itemRef);
+ ok_status(status, "%s: SecItemCopyMatching (copyItemForPersistentReference)", testName);
+ CFRelease(query);
+ return itemRef;
+}
+
+static void
+testIdentityPersistence(SecKeychainRef kc)
+{
+ startTest(__FUNCTION__);
+
+ // Step 1: get a SecIdentityRef
+ SecIdentityRef identity = copyFirstIdentity(kc);
+ is(CFGetTypeID(identity), SecIdentityGetTypeID(), "%s: retrieved identity is an identity", testName);
+
+ // Step 2: make a persistent reference for it
+ CFDataRef data = copyPersistentReferenceForItem((CFTypeRef)identity);
+
+ // Step 3: reconstitute the persistent reference
+ SecIdentityRef identity2 = (SecIdentityRef) copyItemForPersistentReference(data);
+ CFReleaseNull(data);
+
+ ok(identity2, "%s: retrieved an identity", testName);
+ 
if(identity2) {
+ is(CFGetTypeID(identity2), SecIdentityGetTypeID(), "%s: retrieved identity is an identity", testName);
+ } else {
+ fail("%s: no identity to test", testName);
+ }
+ eq_cf(identity2, identity, "%s: identities are equal", testName);
+
+ CFReleaseNull(identity);
+ CFReleaseNull(identity2);
+}
+
+static void
+testCertificatePersistence(SecKeychainRef kc)
+{
+ startTest(__FUNCTION__);
+
+ // Step 1: get a SecIdentityRef
+ SecIdentityRef identity = copyFirstIdentity(kc);
+
+ // Step 2: get a SecCertificateRef from it
+ SecCertificateRef cert = NULL, cert2 = NULL;
+ OSStatus status = SecIdentityCopyCertificate(identity, &cert);
+ ok_status(status, "%s: SecIdentityCopyCertificate", testName);
+ ok(cert, "%s: No certificate returned from SecIdentityCopyCertificate", testName);
+ CFReleaseNull(identity);
+
+ // Step 3: make a persistent reference for it
+ CFDataRef data = (CFDataRef) copyPersistentReferenceForItem(cert);
+
+ // Step 4: reconstitute the persistent reference
+ cert2 = (SecCertificateRef) copyItemForPersistentReference(data);
+
+ ok(cert2, "%s: retrieved a certificate", testName);
+ if(cert2) {
+ is(CFGetTypeID(cert2), SecCertificateGetTypeID(), "%s: returned value is a certificate", testName);
+ } else {
+ fail("%s: no certificate to test", testName);
+ }
+
+ eq_cf(cert2, cert, "%s: Certificates are equal", testName);
+
+ CFReleaseNull(data);
+ CFReleaseNull(cert);
+ CFReleaseNull(cert2);
+}
+
+int kc_20_identity_persistent_refs(int argc, char *const *argv)
+{
+ plan_tests(18);
+ initializeKeychainTests(__FUNCTION__);
+
+ SecKeychainRef kc = getPopulatedTestKeychain();
+
+ // You cannot reconsitute a Persistent Reference for an identity if the keychain is not in the search list.
+ addToSearchList(kc);
+
+ testCertificatePersistence(kc);
+ testIdentityPersistence(kc);
+
+ ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName);
+ CFReleaseNull(kc);
+
+ deleteTestFiles();
+ return 0;
+}
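Review bot: Neither test function guards the value produced by its previous step, so a failure in step 1 becomes a crash rather than a failed test: `testIdentityPersistence` calls `CFGetTypeID(identity)` on whatever `copyFirstIdentity` returned (NULL crashes there), and both functions pass a possibly-NULL `data` into `copyItemForPersistentReference`, which stores it in a `CFDictionaryCreate` with NULL callbacks and hands that query to `SecItemCopyMatching`. An `ok(identity, "%s: got an identity", testName);` before the `is(CFGetTypeID(identity), ...)`, and an `if (!data) { fail("%s: no persistent reference", testName); }` branch around the reconstitution step, keep the harness in control (adjust `plan_tests(18)` accordingly). `MAXNAMELEN` and `MAXITEMS` are defined near the top of the hunk but never used in this file.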
diff --git a/OSX/libsecurity_keychain/regressions/kc-20-item-find-stress.c b/OSX/libsecurity_keychain/regressions/kc-20-item-find-stress.c
new file mode 100644
index 00000000..7f044612
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-20-item-find-stress.c
@@ -0,0 +1,75 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-item-helpers.h" + +#include <Security/Security.h> +#include <stdlib.h> + +#define BLOCKS 7000 + +static void tests() { + + SecKeychainRef kc = getPopulatedTestKeychain(); + + static dispatch_once_t onceToken = 0; + static dispatch_queue_t release_queue = NULL; + dispatch_once(&onceToken, ^{ + release_queue = dispatch_queue_create("com.apple.security.identity-search-queue", DISPATCH_QUEUE_CONCURRENT); + }); + dispatch_group_t g = dispatch_group_create(); + + for(int i = 0; i < BLOCKS; i++) { + dispatch_group_async(g, release_queue, ^() { + SecKeychainItemRef blockItem = NULL; + + CFMutableDictionaryRef query = makeQueryCustomItemDictionaryWithService(kc, kSecClassInternetPassword, CFSTR("test_service"), CFSTR("test_service")); + CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitOne); + + ok_status(SecItemCopyMatching(query, 
(CFTypeRef*) &blockItem), "%s: SecItemCopyMatching(%d)", testName, i);
+
+ CFReleaseNull(blockItem);
+ });
+ }
+
+ dispatch_group_wait(g, DISPATCH_TIME_FOREVER);
+
+ ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName);
+ CFReleaseNull(kc);
+}
+
+int kc_20_item_find_stress(int argc, char *const *argv)
+{
+ plan_tests((1)*BLOCKS + getPopulatedTestKeychainTests + 1);
+ initializeKeychainTests(__FUNCTION__);
+
+ tests();
+
+ deleteTestFiles();
+ return 0;
+}
diff --git a/OSX/libsecurity_keychain/regressions/kc-20-key-find-stress.c b/OSX/libsecurity_keychain/regressions/kc-20-key-find-stress.c
new file mode 100644
index 00000000..334de5d7
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-20-key-find-stress.c
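Review bot: The `query` dictionary built inside each dispatched block is never released — `makeQueryCustomItemDictionaryWithService` hands back a `CFMutableDictionaryRef` that is passed to `SecItemCopyMatching` and then dropped, so the loop leaks `BLOCKS` (7000) dictionaries per run; add `CFReleaseNull(query);` after the `ok_status(...)` call. The same omission is in kc-20-key-find-stress.c with `makeQueryKeyDictionary`. `ok_status` and the global `testName` are used concurrently from a `DISPATCH_QUEUE_CONCURRENT` queue, so unless the harness serializes its bookkeeping the test numbering can interleave; a comment stating that assumption (or a serial queue for the `ok_status` call) would help. If this translation unit is built as plain C without ARC, `dispatch_group_create()` also needs a matching `dispatch_release(g)` after the wait, and `static void tests()` should be `static void tests(void)`.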
@@ -0,0 +1,75 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-key-helpers.h" + +#include <Security/Security.h> +#include <stdlib.h> + +#define BLOCKS 7000 + +static void tests() { + + SecKeychainRef kc = getPopulatedTestKeychain(); + + static dispatch_once_t onceToken = 0; + static dispatch_queue_t release_queue = NULL; + dispatch_once(&onceToken, ^{ + release_queue = dispatch_queue_create("com.apple.security.identity-search-queue", DISPATCH_QUEUE_CONCURRENT); + }); + dispatch_group_t g = dispatch_group_create(); + + for(int i = 0; i < BLOCKS; i++) { + dispatch_group_async(g, release_queue, ^() { + SecKeychainItemRef blockItem = NULL; + + CFMutableDictionaryRef query = makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric); + CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitOne); + + ok_status(SecItemCopyMatching(query, (CFTypeRef*) &blockItem), "%s: SecItemCopyMatching(%d)", 
testName, i); + + CFReleaseNull(blockItem); + }); + } + + dispatch_group_wait(g, DISPATCH_TIME_FOREVER); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFReleaseNull(kc); +} + +int kc_20_key_find_stress(int argc, char *const *argv) +{ + plan_tests((1)*BLOCKS + 3); + initializeKeychainTests(__FUNCTION__); + + tests(); + + deleteTestFiles(); + return 0; +} diff --git a/SecurityTests/regressions/kc/kc-21-item-use-callback.c b/OSX/libsecurity_keychain/regressions/kc-21-item-use-callback.c similarity index 54% rename from SecurityTests/regressions/kc/kc-21-item-use-callback.c rename to OSX/libsecurity_keychain/regressions/kc-21-item-use-callback.c index 3d522600..808c93ab 100644 --- a/SecurityTests/regressions/kc/kc-21-item-use-callback.c +++ b/OSX/libsecurity_keychain/regressions/kc-21-item-use-callback.c @@ -1,16 +1,15 @@ #include <Security/SecKeychainItem.h> #include <Security/SecKeychain.h> #include <CoreFoundation/CFRunLoop.h> -#include <assert.h> #include <unistd.h> -#include "testmore.h" -#include "testenv.h" -#include "testleaks.h" +#include "keychain_regressions.h" +#include "kc-helpers.h" static char account[] = "account"; static char service[] = "service"; static char password[] = "password"; +static bool callbackCalled = false; static void checkContent(SecKeychainItemRef itemRef) { 
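Review bot: `plan_tests((1)*BLOCKS + 3)` hard-codes the tests contributed by `getPopulatedTestKeychain` plus the final `SecKeychainDelete`, while the sibling kc-20-item-find-stress.c spells the same plan as `(1)*BLOCKS + getPopulatedTestKeychainTests + 1`; if the helper's count ever changes this plan drifts silently, so use the named constant here too. The unreleased `query` raised on kc-20-item-find-stress.c applies to `makeQueryKeyDictionary` here as well. The queue label `com.apple.security.identity-search-queue` is copied from the identity test; it is only a debugging label, but a key-specific name would make traces easier to attribute.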
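Review bot: `static bool callbackCalled = false;` relies on `bool` and `false` being in scope, yet this file includes no `<stdbool.h>` and the hunk only removes `<assert.h>`; unless `keychain_regressions.h` or `kc-helpers.h` already pulls it in, add `#include <stdbool.h>`. The flag is written from the keychain callback and read by the test after `CFRunLoopRunInMode` returns, which appears to happen on the same thread, so a plain global is adequate, but a short comment such as `// set by callbackFunction; only touched on the run-loop thread` would save the next reader from reaching for an atomic. `checkContent` begins at the end of this hunk and continues past it.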
@@ -28,25 +27,13 @@ static void checkContent(SecKeychainItemRef itemRef) UInt32 length; void *data; -#if 1 ok_status(SecKeychainItemCopyContent(itemRef, &itemClass, &attrList, &length, &data), "get item data in callback"); - SKIP: { - skip("length mismatch", 1, - is(length, sizeof(password), "<rdar://problem/3867900> " - "SecKeychainItemCopyContent() returns bad data on items " - "from notifications")); - - ok(!memcmp(password, data, length), "password data matches."); - } -#else - if (length != sizeof(password) || memcmp(password, data, length)) - { - fprintf(stderr, "password '%.*s' not same as '%.*s'\n", - (int)sizeof(password), password, - (int)length, (char *)data); - } -#endif + is(length, sizeof(password), "<rdar://problem/3867900> " + "SecKeychainItemCopyContent() returns bad data on items " + "from notifications"); + + ok(!memcmp(password, data, length), "password data matches."); ok_status(SecKeychainItemFreeContent(&attrList, data), "free item data in callback"); 
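Review bot: `ok(!memcmp(password, data, length), ...)` now runs unconditionally with `length` taken from the item, so if `SecKeychainItemCopyContent` reports a length larger than `sizeof(password)` (9 bytes) — the very rdar case the preceding `is()` exists to catch — the compare reads past the end of `password`; the removed `SKIP` block used to prevent exactly that. Fold the length into the check and cover a NULL `data` at the same time: `ok(length == sizeof(password) && data && !memcmp(password, data, length), "password data matches.");`. `checkContent` starts before this hunk.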
@@ -55,31 +42,35 @@ static void checkContent(SecKeychainItemRef itemRef) static OSStatus callbackFunction(SecKeychainEvent keychainEvent, SecKeychainCallbackInfo *info, void *context) { - assert(keychainEvent == kSecAddEvent && context != NULL); - assert(info != NULL); - assert(info->item != NULL); + is(keychainEvent, kSecAddEvent, "Got an incorrect keychain event"); + ok(context != NULL, "context is null"); + ok(info != NULL, "info is NULL"); + ok(info->item != NULL, "info-<item is NULL"); checkContent(info->item); *((UInt32 *)context) = 1; ok_status(SecKeychainItemDelete(info->item), "delete item"); + + // We processed an item, quit the run loop + callbackCalled = true; + CFRunLoopStop(CFRunLoopGetCurrent()); return 0; } int -main(int argc, char *const *argv) +kc_21_item_use_callback(int argc, char *const *argv) { - plan_tests(6); + plan_tests(14); - ok(tests_begin(argc, argv), "setup"); + // Run the CFRunLoop to clear out existing notifications + CFRunLoopRunInMode(kCFRunLoopDefaultMode, 1.0, false); UInt32 didGetNotification = 0; ok_status(SecKeychainAddCallback(callbackFunction, kSecAddEventMask, &didGetNotification), "add callback"); - SecKeychainRef keychain; - ok_status(SecKeychainCreate("test", 4, "test", FALSE, NULL, &keychain), - "create keychain"); + SecKeychainRef keychain = createNewKeychain("test", "test"); SecKeychainItemRef itemRef; ok_status(SecKeychainAddGenericPassword(keychain, sizeof(account), account, 
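Review bot: Replacing the `assert`s with `ok()`s drops the abort but keeps every dereference: `ok(info->item != NULL, ...)` runs even when `info` is NULL, and `checkContent(info->item)` and `*((UInt32 *)context) = 1` follow regardless of what the checks reported, so a malformed callback now crashes the process instead of failing the test. Check `info->item` only inside the `info != NULL` case and add, after the `ok()` calls, `if (!info || !info->item || !context) { CFRunLoopStop(CFRunLoopGetCurrent()); return 0; }`. The description `"info-<item is NULL"` is a typo for `info->item`. `kc_21_item_use_callback` continues past this hunk.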
@@ -87,16 +78,16 @@ main(int argc, char *const *argv) sizeof(password), password, &itemRef), "add generic password, release and wait for callback"); - //checkContent(itemRef); + + // Run the CFRunLoop to process events (and call our callback) + CFRunLoopRunInMode(kCFRunLoopDefaultMode, 10.0, false); + is(callbackCalled, true, "Keychain callback function was not called or did not finish"); + CFRelease(itemRef); - CFRelease(keychain); - if (argc > 1 && !strcmp(argv[1], "-l")) { - printf("pid: %d\n", getpid()); - sleep(100); - } - ok(tests_end(1), "cleanup"); - ok_leaks("leaks"); + ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName); + CFRelease(keychain); + deleteTestFiles(); return 0; } diff --git a/OSX/libsecurity_keychain/regressions/kc-21-item-xattrs.c b/OSX/libsecurity_keychain/regressions/kc-21-item-xattrs.c new file mode 100644 index 00000000..5628d9cf --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-21-item-xattrs.c 
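Review bot: The callback registered with `SecKeychainAddCallback` is never removed, and now that `main` has become `kc_21_item_use_callback` this function presumably returns into a process that goes on running other tests; the registration still carries `&didGetNotification`, a stack variable of a function that has returned, so any later add event would write through a dangling `context` pointer. Call `SecKeychainRemoveCallback(callbackFunction);` before `deleteTestFiles();` (or `ok_status` it and raise `plan_tests` to 15). `didGetNotification` is set by the callback but never asserted on and the new `callbackCalled` global duplicates it; assert on one and drop the other. The `10.0` second run-loop budget deserves a named constant or a comment explaining why it was chosen.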
@@ -0,0 +1,404 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-keychain-file-helpers.h" +#include "test/testenv.h" +// +// testKeychainXattrs.c +// +// Basic test of SecKeychainItemExtendedAttributes functionality +// to store arbitrary data in the extended attributes of a keychain +// item. 
+// + +#include <CoreFoundation/CoreFoundation.h> +#include <CoreServices/CoreServices.h> +#include <Security/Security.h> +#include <Security/SecKeychainItemExtendedAttributes.h> /* private */ + +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <unistd.h> +#include <time.h> +#include <sys/param.h> + +static int TestAddItems(SecKeychainRef keychain) +{ + int result = 0; + OSStatus status; + SecKeychainItemRef item = NULL; + CFDataRef blob = NULL; + + /* add generic password item */ + status = SecKeychainAddGenericPassword(keychain, + strlen("Test Cloud Service 42"), "Test Cloud Service 42", + strlen("nobody"), "nobody", + strlen("weakpass"), "weakpass", + &item); + ok_status(status, "%s: SecKeychainAddGenericPassword", testName); + + if (status && status != errSecDuplicateItem) { // ignore error if duplicate + result++; + } + /* add an extended CFDataRef attribute to this item */ + UInt8 buf1[6] = { 's', 'e', 'c', 'r', 'e', 't' }; + blob = CFDataCreate(NULL, buf1, sizeof(buf1)); + status = SecKeychainItemSetExtendedAttribute(item, CFSTR("CloudyGoodness"), blob); + ok_status(status, "%s: SecKeychainItemSetExtendedAttribute (generic)", testName); + + if (status) { + result++; + } + if (blob) { + CFRelease(blob); + blob = NULL; + } + if (item) { + CFRelease(item); + item = NULL; + } + + /* add internet password item */ + status = SecKeychainAddInternetPassword(keychain, + strlen("test42.icloud.com"), "test42.icloud.com", + 0, NULL, + strlen("nobody"), "nobody", + 0, NULL, + 80, kSecProtocolTypeHTTP, kSecAuthenticationTypeDefault, + strlen("weakpass"), "weakpass", + &item); + ok_status(status, "%s: SecKeychainAddInternetPassword", testName); + if (status && status != errSecDuplicateItem) { // ignore error if duplicate + result++; + } + /* add an extended CFDataRef attribute to this item */ + UInt8 buf2[5] = { 'm', 'a', 'g', 'i', 'c' }; + blob = CFDataCreate(NULL, buf2, sizeof(buf2)); + status = SecKeychainItemSetExtendedAttribute(item, 
CFSTR("CloudyGoodness"), blob); + ok_status(status, "%s: SecKeychainItemSetExtendedAttribute (internet)", testName); + + if (status) { + result++; + } + if (blob) { + CFRelease(blob); + blob = NULL; + } + if (item) { + CFRelease(item); + item = NULL; + } + + + return result; +} + +static int TestFindItems(SecKeychainRef keychain) +{ + int result = 0; + + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + + /* find generic password we added previously */ + { + const void *keys[] = { + kSecMatchSearchList, + kSecClass, + kSecAttrAccount, + kSecAttrService, + kSecMatchLimit, + kSecReturnRef + }; + const void *values[] = { + searchList, + kSecClassGenericPassword, + CFSTR("nobody"), + CFSTR("Test Cloud Service 42"), + kSecMatchLimitOne, + kCFBooleanTrue + }; + + OSStatus status = noErr; + CFTypeRef results = NULL; + CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + + status = SecItemCopyMatching(query, &results); + ok_status(status, "%s: SecItemCopyMatching (generic password)", testName); + + if (status) { + fprintf(stderr, "Unable to find \"Test Cloud Service 42\" generic password: error %d\n", (int)status); + result++; + } + if (results) { + /* found the item; since we asked for one item and a ref, this is a SecKeychainItemRef */ + SecKeychainItemRef item = (SecKeychainItemRef) results; + CFDataRef blob = NULL; + status = SecKeychainItemCopyExtendedAttribute(item, CFSTR("CloudyGoodness"), &blob); + ok_status(status, "%s: SecKeychainItemCopyExtendedAttribute", testName); + + if (status) { + fprintf(stderr, "Unable to retrieve xattr from \"Test Cloud Service 42\" generic password: error %d\n", (int)status); + result++; + } + else { + const UInt8 *dataPtr = CFDataGetBytePtr(blob); + + eq_stringn( (const char *) dataPtr, 
strlen((const char *)dataPtr), "secret", strlen("secret"), "%s: Retrieved xattr value matches expected value", testName); + if (memcmp(dataPtr, "secret", strlen("secret"))) { + result++; + } + } + if (blob) { + CFRelease(blob); + } + CFRelease(results); + } + if (query) { + CFRelease(query); + } + } + + /* find internet password we added previously */ + { + const void *keys[] = { + kSecMatchSearchList, + kSecClass, + kSecAttrAccount, + kSecAttrServer, + kSecMatchLimit, + kSecReturnRef + }; + const void *values[] = { + searchList, + kSecClassInternetPassword, + CFSTR("nobody"), + CFSTR("test42.icloud.com"), + kSecMatchLimitOne, + kCFBooleanTrue + }; + + OSStatus status = noErr; + CFTypeRef results = NULL; + CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + + status = SecItemCopyMatching(query, &results); + ok_status(status, "%s: SecItemCopyMatching (internet password)", testName); + if (status) { + fprintf(stderr, "Unable to find \"test42.icloud.com\" internet password: error %d\n", (int)status); + result++; + } + if (results) { + /* found the item; since we asked for one item and a ref, this is a SecKeychainItemRef */ + SecKeychainItemRef item = (SecKeychainItemRef) results; + CFDataRef blob = NULL; + status = SecKeychainItemCopyExtendedAttribute(item, CFSTR("CloudyGoodness"), &blob); + ok_status(status, "%s: SecKeychainItemCopyExtendedAttribute", testName); + if (status) { + fprintf(stderr, "Unable to retrieve xattr from \"test42.icloud.com2\" internet password: error %d\n", (int)status); + result++; + } + else { + const UInt8 *dataPtr = CFDataGetBytePtr(blob); + eq_stringn( (const char *) dataPtr, strlen((const char *)dataPtr), "magic", strlen("magic"), "%s: Retrieved xattr value matches expected value", testName); + + if (memcmp(dataPtr, "magic", strlen("magic"))) { + fprintf(stderr, "Retrieved xattr value did not match expected value!\n"); + 
result++; + } + } + if (blob) { + CFRelease(blob); + } + CFRelease(results); + } + if (query) { + CFRelease(query); + } + } + + return result; +} + +static int TestDeleteItems(SecKeychainRef keychain) +{ + int result = 0; + + CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)searchList, keychain); + + /* find generic password we added previously */ + { + const void *keys[] = { + kSecMatchSearchList, + kSecClass, + kSecAttrAccount, + kSecAttrService, + kSecMatchLimit, + kSecReturnRef + }; + const void *values[] = { + searchList, + kSecClassGenericPassword, + CFSTR("nobody"), + CFSTR("Test Cloud Service 42"), + kSecMatchLimitOne, + kCFBooleanTrue + }; + + OSStatus status = noErr; + CFTypeRef results = NULL; + CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + + status = SecItemCopyMatching(query, &results); + ok_status(status, "%s: SecItemCopyMatching (Test Cloud Service 42)", testName); + + if (status) { + fprintf(stderr, "Unable to find \"Test Cloud Service 42\" generic password: error %d\n", (int)status); + result++; + } + if (results) { + /* found the item; since we asked for one item and a ref, this is a SecKeychainItemRef */ + SecKeychainItemRef item = (SecKeychainItemRef) results; + + /* set the xattr to NULL in order to delete it */ + status = SecKeychainItemSetExtendedAttribute(item, CFSTR("CloudyGoodness"), NULL); + ok_status( status, "%s: SecKeychainItemSetExtendedAttribute (generic password, null data)", testName); + + if (status) { + fprintf(stderr, "Unable to remove xattr from \"Test Cloud Service 42\" generic password: error %d\n", (int)status); + result++; + } + + /* delete the item itself */ + status = SecKeychainItemDelete(item); + ok_status(status, "%s: SecKeychainItemDelete (generic password)", testName); + + if (status) { 
+ fprintf(stderr, "Unable to delete \"Test Cloud Service 42\" generic password: error %d\n", (int)status); + result++; + } + + CFRelease(results); + } + if (query) { + CFRelease(query); + } + } + + /* find internet password we added previously */ + { + const void *keys[] = { + kSecMatchSearchList, + kSecClass, + kSecAttrAccount, + kSecAttrServer, + kSecMatchLimit, + kSecReturnRef + }; + const void *values[] = { + searchList, + kSecClassInternetPassword, + CFSTR("nobody"), + CFSTR("test42.icloud.com"), + kSecMatchLimitOne, + kCFBooleanTrue + }; + + OSStatus status = noErr; + CFTypeRef results = NULL; + CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, + sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + + status = SecItemCopyMatching(query, &results); + ok_status(status, "%s: SecItemCopyMatching (test42.icloud.com)", testName); + + if (status) { + fprintf(stderr, "Unable to find \"test42.icloud.com\" internet password: error %d\n", (int)status); + result++; + } + if (results) { + /* found the item; since we asked for one item and a ref, this is a SecKeychainItemRef */ + SecKeychainItemRef item = (SecKeychainItemRef) results; + + /* set the xattr to NULL in order to delete it */ + status = SecKeychainItemSetExtendedAttribute(item, CFSTR("CloudyGoodness"), NULL); + ok_status( status, "%s: SecKeychainItemSetExtendedAttribute (internet password, null data)", testName); + + if (status) { + fprintf(stderr, "Unable to remove xattr from \"test42.icloud.com2\" internet password: error %d\n", (int)status); + result++; + } + + /* delete the item itself */ + status = SecKeychainItemDelete(item); + ok_status(status, "%s: SecKeychainItemDelete (generic password)", testName); + + if (status) { + fprintf(stderr, "Unable to delete \"test42.icloud.com2\" internet password: error %d\n", (int)status); + result++; + } + + CFRelease(results); + } + if (query) { + CFRelease(query); + } + } + + return result; +} + +int 
kc_21_item_xattrs(int argc, char *const *argv)
+{
+ plan_tests(21);
+ initializeKeychainTests(__FUNCTION__);
+
+ SecKeychainRef keychain = getPopulatedTestKeychain();
+
+ TestAddItems(keychain);
+ TestFindItems(keychain);
+ TestDeleteItems(keychain);
+
+ ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName);
+ CFReleaseNull(keychain);
+ checkPrompts(0, "No prompts");
+
+ deleteTestFiles();
+ return 0;
+}
diff --git a/OSX/libsecurity_keychain/regressions/kc-23-key-export-symmetric.m b/OSX/libsecurity_keychain/regressions/kc-23-key-export-symmetric.m
new file mode 100644
index 00000000..6fc075ee
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-23-key-export-symmetric.m
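Review bot: In `TestFindItems` the retrieved xattr is measured with `strlen((const char *)dataPtr)`, but the blob written by `TestAddItems` is `CFDataCreate(NULL, buf1, sizeof(buf1))` from a 6-byte array with no terminator (5 bytes for `"magic"`), so `strlen` walks past the end of the CFData's buffer; use the length CoreFoundation reports instead, `eq_stringn((const char *)dataPtr, (size_t)CFDataGetLength(blob), "secret", strlen("secret"), "%s: Retrieved xattr value matches expected value", testName);`, and bound the following `memcmp` by the same length. The `int` results of `TestAddItems`, `TestFindItems` and `TestDeleteItems` are ignored by `kc_21_item_xattrs`, so the `result++` bookkeeping is dead code; either assert on the return values or remove it. `searchList` is created in `TestFindItems` and `TestDeleteItems` but never released. Several stderr messages name `test42.icloud.com2` and the internet-password delete is labelled `SecKeychainItemDelete (generic password)` — copy-paste slips worth fixing while here.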
@@ -0,0 +1,142 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" + +#import <Cocoa/Cocoa.h> +#import <Security/SecTransform.h> +#import <Security/SecItemPriv.h> +#import <Security/CMSEncoder.h> +#import <Security/CMSDecoder.h> +#import <Foundation/NSData_Private.h> +#import <SecurityFoundation/SFCertificateAuthority.h> +#import <SecurityFoundation/SFCertificateAuthorityPriv.h> +#import <SecurityFoundation/CACertInfo.h> +#import <SecurityFoundation/CAKeyUsageExtension.h> +#import <SecurityFoundation/CAExtendedKeyUsageExtension.h> + +#if 0 +static void checkCryptoError(OSStatus status, NSString *functionName) { + if (status != errSecSuccess) { + NSError *underlyingError = [[NSError alloc] initWithDomain:NSOSStatusErrorDomain code:status userInfo:nil]; + NSDictionary *userInfo = [[NSDictionary alloc] initWithObjectsAndKeys:underlyingError, NSUnderlyingErrorKey, nil]; + + [underlyingError release]; + + CFStringRef message = 
SecCopyErrorMessageString(status, NULL); + + NSLog(@"%@ failed with error %d: %@: %@: %@", functionName, (int)status, underlyingError, userInfo, message); + + CFRelease(message); + + cssmPerror([functionName UTF8String], status); + + exit(EXIT_FAILURE); + } +} +#endif + +static SecKeyRef generateSymmetricKey(SecKeychainRef keychainRef, CFStringRef label) +{ + CFMutableDictionaryRef parameters; + int32_t rawnum; + CFNumberRef num; + CFErrorRef error = NULL; + SecKeyRef cryptokey; + + rawnum = 256; + + // Type + parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFDictionarySetValue(parameters, kSecAttrKeyType, kSecAttrKeyTypeAES); + + num = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &rawnum); + CFDictionarySetValue(parameters, kSecAttrKeySizeInBits, num); + + // Store in keychain + CFDictionarySetValue(parameters, kSecUseKeychain, keychainRef); + CFDictionarySetValue(parameters, kSecAttrApplicationLabel, label); + CFDictionarySetValue(parameters, kSecAttrLabel, label); + + + // Extractable and permanent + CFDictionarySetValue(parameters, kSecAttrIsExtractable, kCFBooleanTrue); + CFDictionarySetValue(parameters, kSecAttrIsPermanent, kCFBooleanTrue); + + + cryptokey = SecKeyGenerateSymmetric(parameters, &error); + is(error, NULL, "%s: SecKeyGenerateSymmetric: %s", testName, (error) ? 
CFStringGetCStringPtr(CFErrorCopyDescription(error), kCFStringEncodingUTF8) : "no error");
+ if (error) {
+ return NULL;
+ }
+
+ return cryptokey;
+}
+
+int kc_23_key_export_symmetric(int argc, char *const *argv)
+{
+ plan_tests(6);
+ initializeKeychainTests(__FUNCTION__);
+
+ SecKeychainRef kc = getPopulatedTestKeychain();
+
+ NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
+ SecKeyRef cryptokey;
+ OSStatus status;
+
+ CFStringRef label = (CFStringRef)([NSString stringWithFormat:@"Symmetric Cryptotest %ld %d", (long)time(NULL), arc4random(), nil]);
+ cryptokey = generateSymmetricKey(kc, label);
+
+ // Using SecItemExport
+ CFMutableArrayRef keyUsage = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue(keyUsage, kSecAttrCanEncrypt);
+ CFArrayAppendValue(keyUsage, kSecAttrCanDecrypt);
+ CFMutableArrayRef keyAttributes = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+ SecItemImportExportKeyParameters exportParams;
+ exportParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+ exportParams.flags = 0;
+ exportParams.passphrase = NULL;
+ exportParams.alertTitle = NULL;
+ exportParams.alertPrompt = NULL;
+ exportParams.accessRef = NULL;
+ exportParams.keyUsage = keyUsage;
+ exportParams.keyAttributes = keyAttributes;
+ CFDataRef exportedKey2;
+ status = SecItemExport(cryptokey, kSecFormatRawKey, 0, &exportParams, (CFDataRef *)&exportedKey2);
+ ok_status(status, "%s: SecItemExport", testName);
+
+ is(CFDataGetLength(exportedKey2), 32, "%s: wrong AES-256 key size", testName);
+
+ CFRelease(exportedKey2);
+
+ ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName);
+ CFReleaseNull(kc);
+
+ [pool drain];
+
+ deleteTestFiles();
+ return 0;
+}
diff --git a/OSX/libsecurity_keychain/regressions/kc-24-key-copy-keychains.c b/OSX/libsecurity_keychain/regressions/kc-24-key-copy-keychains.c
new file mode 100644
index 00000000..2797dc6f
--- /dev/null
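Review bot: `CFDataRef exportedKey2;` is left uninitialized, and `CFDataGetLength(exportedKey2)` and `CFRelease(exportedKey2)` run even when `SecItemExport` fails (including the case where `generateSymmetricKey` returned NULL and the export was attempted on a NULL key), so a failed export dereferences a garbage pointer instead of producing a clean test failure; write `CFDataRef exportedKey2 = NULL;`, check the size as `is(exportedKey2 ? CFDataGetLength(exportedKey2) : 0, 32, "%s: wrong AES-256 key size", testName);` and release with `CFReleaseNull(exportedKey2);`. In `generateSymmetricKey`, `CFStringGetCStringPtr` may return NULL (it does not convert) and the `CFErrorCopyDescription` result is never released, so the `is(error, NULL, ...)` description can hand NULL to `%s`; `parameters` and `num` there, and `keyUsage`, `keyAttributes` and `cryptokey` in the test body, are also never released. The `#if 0` `checkCryptoError` block and the unused SecurityFoundation/CMS imports at the top of the hunk should be dropped rather than carried as dead code.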
+++ b/OSX/libsecurity_keychain/regressions/kc-24-key-copy-keychains.c 
@@ -0,0 +1,290 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#include "keychain_regressions.h" +#include "kc-helpers.h" +#include "kc-key-helpers.h" +#include "kc-keychain-file-helpers.h" + +#include <stdlib.h> +#include <err.h> + +#include <CoreFoundation/CoreFoundation.h> +#include <Security/Security.h> + +/****************************************************************/ + +static OSStatus GenerateRSAKeyPair( + SecKeychainRef keychain, + CFStringRef keyLabel, + int keySizeValue, + Boolean *extractable, + SecKeyRef *publicKeyRef, + SecKeyRef *privateKeyRef) +{ + OSStatus status; + CFNumberRef keySize = CFNumberCreate(NULL, kCFNumberIntType, &keySizeValue); + + // create a SecAccessRef to set up the initial access control settings for this key + // (this step is optional; if omitted, the creating application has access to the key) + // note: the access descriptor should be the same string as will be used for the item's label, + // since it's the string that is displayed by the access confirmation dialog 
to describe the item. + SecAccessRef access = NULL; + status = SecAccessCreate(keyLabel, NULL, &access); + + // create a dictionary of parameters describing the key we want to create + CFMutableDictionaryRef params = CFDictionaryCreateMutable(NULL, 0, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); +/* + From the header doc for SecKeyGeneratePair (seems to be incomplete...): + * kSecAttrLabel default NULL + * kSecAttrIsPermanent if this key is present and has a Boolean + value of true, the key or key pair will be added to the default + keychain. + * kSecAttrApplicationTag default NULL + * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits + * kSecAttrCanEncrypt default false for private keys, true for public keys + * kSecAttrCanDecrypt default true for private keys, false for public keys + * kSecAttrCanDerive default true + * kSecAttrCanSign default true for private keys, false for public keys + * kSecAttrCanVerify default false for private keys, true for public keys + * kSecAttrCanWrap default false for private keys, true for public keys + * kSecAttrCanUnwrap default true for private keys, false for public keys +*/ + CFDictionaryAddValue( params, kSecUseKeychain, keychain ); + CFDictionaryAddValue( params, kSecAttrAccess, access ); + CFDictionaryAddValue( params, kSecAttrKeyType, kSecAttrKeyTypeRSA ); + CFDictionaryAddValue( params, kSecAttrKeySizeInBits, keySize ); + CFDictionaryAddValue( params, kSecAttrIsPermanent, kCFBooleanTrue ); + + if (extractable) + CFDictionaryAddValue( params, kSecAttrIsExtractable, (*extractable) ? 
kCFBooleanTrue : kCFBooleanFalse ); + if (keyLabel) + CFDictionaryAddValue( params, kSecAttrLabel, keyLabel ); + + // generate the key + status = SecKeyGeneratePair(params, publicKeyRef, privateKeyRef); + + ok_status(status, "%s: SecKeyGeneratePair", testName); + + if (params) CFRelease(params); + if (keychain) CFRelease(keychain); + if (access) CFRelease(access); + + return status; +} + +static SecAccessRef MakeNewAccess(SecKeychainItemRef item, CFStringRef accessLabel, Boolean allowAny) +{ + OSStatus status; + SecAccessRef access = NULL; + CFMutableArrayRef trustedApplications = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + + if (!allowAny) // use default access control ("confirm access") + { + // Make an exception list of applications you want to trust, + // which are allowed to access the item without requiring user confirmation. + // In this example, the calling app and Mail will have access. + SecTrustedApplicationRef myself = NULL, someOther = NULL; + status = SecTrustedApplicationCreateFromPath(NULL, &myself); + ok_status(status, "%s: MakeNewAccess: SecTrustedApplicationCreateFromPath (self)", testName); + + if (!status && myself) { + CFArrayAppendValue(trustedApplications, myself); + CFRelease(myself); + } + status = SecTrustedApplicationCreateFromPath("/Applications/Mail.app", &someOther); + ok_status(status, "%s: MakeNewAccess: SecTrustedApplicationCreateFromPath (Mail.app)", testName); + + if (!status && someOther) { + CFArrayAppendValue(trustedApplications, someOther); + CFRelease(someOther); + } + } + + // If the keychain item already exists, use its access reference; otherwise, create a new one + if (item) { + status = SecKeychainItemCopyAccess(item, &access); + ok_status(status, "%s: MakeNewAccess: SecKeychainItemCopyAccess", testName); + } else { + status = SecAccessCreate(accessLabel, trustedApplications, &access); + ok_status(status, "%s: MakeNewAccess: SecAccessCreate", testName); + } + if (status) return NULL; + + // get the access 
control list for decryption operations (this controls access to an item's data) + CFArrayRef aclList = NULL; + status = SecAccessCopySelectedACLList(access, CSSM_ACL_AUTHORIZATION_DECRYPT, &aclList); + ok_status(status, "%s: MakeNewAccess: SecAccessCopySelectedACLList", testName); + if (!status) + { + // get the first entry in the access control list + SecACLRef aclRef = (SecACLRef)CFArrayGetValueAtIndex(aclList, 0); + CFArrayRef appList = NULL; + CFStringRef promptDescription = NULL; + CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector; + status = SecACLCopySimpleContents(aclRef, &appList, &promptDescription, &promptSelector); + ok_status(status, "%s: MakeNewAccess: SecAccessCopySimpleContents", testName); + + if (allowAny) // "allow all applications to access this item" + { + // change the decryption ACL to not require the passphrase, and have a NULL application list. + promptSelector.flags &= ~CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE; + status = SecACLSetSimpleContents(aclRef, NULL, promptDescription, &promptSelector); + ok_status(status, "%s: MakeNewAccess: SecACLSetSimpleContents", testName); + } + else // "allow access by these applications" + { + // modify the application list + status = SecACLSetSimpleContents(aclRef, trustedApplications, promptDescription, &promptSelector); + ok_status(status, "%s: MakeNewAccess: SecACLSetSimpleContents", testName); + } + + if (appList) CFRelease(appList); + if (promptDescription) CFRelease(promptDescription); + } + if (aclList) CFRelease(aclList); + if (trustedApplications) CFRelease(trustedApplications); + + return access; +} + +static int testCopyKey(SecKeychainRef userKeychain, SecKeychainRef tempKeychain) +{ + OSStatus status; + SecAccessRef access = NULL; + SecKeyRef publicKeyRef = NULL; + SecKeyRef privateKeyRef = NULL; + CFStringRef label = CFSTR("Test Key Copied To Keychain"); + + if (!tempKeychain) { + warnc(EXIT_FAILURE, "Failed to make a new temporary keychain!"); + } + + // generate key pair in temporary 
keychain + status = GenerateRSAKeyPair(tempKeychain, + label, + 2048, // size + NULL, // implicitly extractable + &publicKeyRef, + &privateKeyRef); + + if (status != errSecSuccess) { + warnc(EXIT_FAILURE, "Unable to get key pair (error %d)", (int)status); + } + + // export private key from temp keychain to a wrapped data blob + CFDataRef exportedData = NULL; + CFStringRef tempPassword = CFSTR("MY_TEMPORARY_PASSWORD"); + + SecItemImportExportKeyParameters keyParams; + memset(&keyParams, 0, sizeof(keyParams)); + keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION; + keyParams.passphrase = tempPassword; + + status = SecItemExport(privateKeyRef, kSecFormatWrappedPKCS8, 0, &keyParams, &exportedData); + ok_status(status, "%s: SecItemExport", testName); + + if (!exportedData || status != noErr) { + warnc(EXIT_FAILURE, "Unable to export key! (error %d)", (int)status); + } + + // set up an explicit access control instance for the imported key + // (this example allows unrestricted access to any application) + access = MakeNewAccess(NULL, label, true); + keyParams.accessRef = access; + + // import wrapped data blob to user keychain + SecExternalFormat format = kSecFormatWrappedPKCS8; + SecExternalItemType itemType = kSecItemTypePrivateKey; + + CFArrayRef importedItems = NULL; + status = SecItemImport(exportedData, NULL, &format, &itemType, 0, &keyParams, userKeychain, &importedItems); + ok_status(status, "%s: SecItemImport", testName); + + if (status != noErr) { + warnc(EXIT_FAILURE, "Unable to import key! (error %d)", (int)status); + } + if (importedItems) { + + // make sure to set a label on our newly imported key, since a label is not part of the PKCS8 format. 
+ SecKeyRef importedKey = (SecKeyRef) CFArrayGetValueAtIndex(importedItems, 0); + if (CFGetTypeID(importedKey) == SecKeyGetTypeID()) { + // set up a query defining the item(s) to be operated on, in this case, one item uniquely identified by reference + CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + CFDictionaryAddValue( query, kSecClass, kSecClassKey ); // item class is a required attribute in any query + CFDictionaryAddValue( query, kSecValueRef, importedKey ); + + // define the attributes to be updated, in this case the label + CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + CFDictionaryAddValue( attrs, kSecAttrLabel, label ); + + // do the update + status = SecItemUpdate( query, attrs ); + ok_status(status, "%s: SecItemUpdate", testName); + + if (status != errSecSuccess) { + warnc(EXIT_FAILURE, "Failed to update label of imported key! (error %d)", (int)status); + } + + CFRelease(query); + CFRelease(attrs); + } + CFRelease(importedItems); + } + + // ensure that key was copied, and its label changed + checkN(testName, makeQueryKeyDictionaryWithLabel(userKeychain, kSecAttrKeyClassPrivate, label), 1); + + if (access) CFRelease(access); + + return 0; +} + + +int kc_24_key_copy_keychain(int argc, char *const *argv) +{ + plan_tests(18); + initializeKeychainTests(__FUNCTION__); + + SecKeychainRef keychain = getPopulatedTestKeychain(); + SecKeychainRef blankKeychain = createNewKeychain("forKeys", "password"); + + testCopyKey(keychain, blankKeychain); + + ok_status(SecKeychainDelete(keychain), "%s: SecKeychainDelete", testName); + ok_status(SecKeychainDelete(blankKeychain), "%s: SecKeychainDelete", testName); + + CFReleaseNull(keychain); + CFReleaseNull(blankKeychain); + + checkPrompts(0, "No prompts while importing items"); + + deleteTestFiles(); + return 0; +} + 
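Review bot: `GenerateRSAKeyPair` releases a keychain it never retained — `if (keychain) CFRelease(keychain);` drops the caller's reference to `tempKeychain`, which `kc_24_key_copy_keychain` later hands to `SecKeychainDelete(blankKeychain)` and `CFReleaseNull(blankKeychain)`, so the test over-releases that object; the copy of the same helper in kc-27-key-non-extractable.c omits that line and this one should too. The `keySize` CFNumber created at the top of the helper is never released in either copy, and `exportedData` in `testCopyKey` is likewise never released. `testCopyKey` also reads `CFArrayGetValueAtIndex(importedItems, 0)` without checking the count, so an import that succeeds with an empty array would index out of range; guard it with `if (importedItems && CFArrayGetCount(importedItems) > 0)`.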
diff --git a/OSX/libsecurity_keychain/regressions/kc-26-key-import-public.m b/OSX/libsecurity_keychain/regressions/kc-26-key-import-public.m
new file mode 100644
index 00000000..49b3c6c8
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-26-key-import-public.m
@@ -0,0 +1,222 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" + +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunused-variable" +#pragma clang diagnostic ignored "-Wunused-function" + +// +// testPubKeyImport +// <rdar://problem/10473567> +// + +#import <Foundation/Foundation.h> +#import <Security/Security.h> + +#include <libDER/asn1Types.h> +#include <libDER/DER_Encode.h> +#include <libDER/DER_Decode.h> +#include <libDER/DER_Keys.h> + + +/* test RSA public key to import */ +static const uint8_t kPublicKey[] = +{ + 0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE7,0xD7,0x44,0xF2,0xA2,0xE2,0x78, + 0x8B,0x6C,0x1F,0x55,0xA0,0x8E,0xB7,0x05,0x44,0xA8,0xFA,0x79,0x45,0xAA,0x8B,0xE6, + 0xC6,0x2C,0xE5,0xF5,0x1C,0xBD,0xD4,0xDC,0x68,0x42,0xFE,0x3D,0x10,0x83,0xDD,0x2E, + 0xDE,0xC1,0xBF,0xD4,0x25,0x2D,0xC0,0x2E,0x6F,0x39,0x8B,0xDF,0x0E,0x61,0x48,0xEA, + 
0x84,0x85,0x5E,0x2E,0x44,0x2D,0xA6,0xD6,0x26,0x64,0xF6,0x74,0xA1,0xF3,0x04,0x92, + 0x9A,0xDE,0x4F,0x68,0x93,0xEF,0x2D,0xF6,0xE7,0x11,0xA8,0xC7,0x7A,0x0D,0x91,0xC9, + 0xD9,0x80,0x82,0x2E,0x50,0xD1,0x29,0x22,0xAF,0xEA,0x40,0xEA,0x9F,0x0E,0x14,0xC0, + 0xF7,0x69,0x38,0xC5,0xF3,0x88,0x2F,0xC0,0x32,0x3D,0xD9,0xFE,0x55,0x15,0x5F,0x51, + 0xBB,0x59,0x21,0xC2,0x01,0x62,0x9F,0xD7,0x33,0x52,0xD5,0xE2,0xEF,0xAA,0xBF,0x9B, + 0xA0,0x48,0xD7,0xB8,0x13,0xA2,0xB6,0x76,0x7F,0x6C,0x3C,0xCF,0x1E,0xB4,0xCE,0x67, + 0x3D,0x03,0x7B,0x0D,0x2E,0xA3,0x0C,0x5F,0xFF,0xEB,0x06,0xF8,0xD0,0x8A,0xDD,0xE4, + 0x09,0x57,0x1A,0x9C,0x68,0x9F,0xEF,0x10,0x72,0x88,0x55,0xDD,0x8C,0xFB,0x9A,0x8B, + 0xEF,0x5C,0x89,0x43,0xEF,0x3B,0x5F,0xAA,0x15,0xDD,0xE6,0x98,0xBE,0xDD,0xF3,0x59, + 0x96,0x03,0xEB,0x3E,0x6F,0x61,0x37,0x2B,0xB6,0x28,0xF6,0x55,0x9F,0x59,0x9A,0x78, + 0xBF,0x50,0x06,0x87,0xAA,0x7F,0x49,0x76,0xC0,0x56,0x2D,0x41,0x29,0x56,0xF8,0x98, + 0x9E,0x18,0xA6,0x35,0x5B,0xD8,0x15,0x97,0x82,0x5E,0x0F,0xC8,0x75,0x34,0x3E,0xC7, + 0x82,0x11,0x76,0x25,0xCD,0xBF,0x98,0x44,0x7B,0x02,0x03,0x01,0x00,0x01,0xD4,0x9D +}; + +#if 0 +static const uint8_t k512PublicKeyModulus[] = +{ + 0x00, + 0xE2,0x7E,0x6C,0xDE,0xF4,0x45,0x8E,0x69,0xFF,0x9B,0x39,0x76,0x41,0x44,0x2E,0x2E, + 0x61,0x27,0x07,0x0F,0x56,0xC9,0x6F,0x3F,0x71,0x82,0x67,0x1F,0xEB,0x0B,0xED,0x65, + 0x09,0x9B,0x12,0x29,0x61,0x1D,0x66,0x3B,0x8C,0x63,0x0F,0x30,0x5C,0x00,0x42,0x85, + 0x6F,0xD5,0xFB,0xF5,0x3D,0x63,0x99,0xC1,0xDE,0xD7,0x42,0x30,0x51,0x42,0xF3,0xD9 +}; + +static const uint8_t k512PublicKeyExponent[] = { 0x01,0x00,0x01 }; // 65537 +#endif + +static const uint8_t k1024PublicKeyModulus[] = +{ + 0x00, + 0xBF,0x53,0x5F,0x27,0x26,0x28,0xD1,0x02,0x52,0x75,0x54,0xFB,0x5F,0xF1,0xBE,0x94, + 0xB0,0x3B,0x33,0xB0,0x36,0xF6,0xF8,0x14,0xB9,0x62,0xEC,0xFC,0x31,0xF2,0xAB,0x60, + 0x59,0x02,0xB7,0x68,0x6C,0x91,0x91,0x9E,0xE8,0x08,0xF0,0x49,0xD9,0xBD,0x24,0x5A, + 0xB9,0xD6,0x08,0x89,0xA0,0xF1,0xBC,0xC7,0xB4,0x55,0xB5,0x0E,0x1A,0xA5,0xCC,0x94, + 
0x4E,0x57,0xB6,0xA9,0x6B,0x5C,0x90,0x28,0x6F,0xBD,0x8C,0x12,0xF9,0x59,0x5E,0x47, + 0xDB,0x4C,0x7F,0x4D,0xB8,0x12,0x0A,0x36,0x9B,0x6F,0x8B,0xCC,0xB3,0x0F,0x60,0x23, + 0xED,0x91,0x78,0x28,0x0A,0x5E,0xF4,0x24,0xC6,0xDD,0x80,0x50,0xC4,0xCD,0xF6,0x52, + 0x6B,0xDD,0x35,0x82,0xCE,0xF2,0x7B,0xA4,0x73,0xD9,0x5F,0x75,0x2D,0xB6,0x77,0xAD +}; + +static const uint8_t k1024PublicKeyExponent[] = { 0x01,0x00,0x01 }; // 65537 + + +static void +testPubKeyImport(void) +{ + OSStatus status = errSecSuccess; + NSArray* outputItems = nil; + SecKeychainRef keychain = NULL; + NSData* keyData = [NSData dataWithBytes:kPublicKey length:sizeof(kPublicKey)]; + SecExternalFormat format = kSecFormatUnknown; + SecExternalItemType keyType = kSecItemTypePublicKey; + + status = SecKeychainCopyDefault(&keychain); + // ignoring error + + status = SecItemImport((CFDataRef)keyData, + NULL, &format, &keyType, 0, NULL, + keychain, (CFArrayRef *)&outputItems); + + NSLog(@"SecItemImport result = %d", (int)status); + + if (keychain) CFRelease(keychain); + if (outputItems) CFRelease(outputItems); +} + +static void +testPubKeyImportWithModulusAndExponent(SecKeychainRef keychain) +{ + OSStatus status = errSecSuccess; + + typedef struct SecRSAPublicKeyParams { + uint8_t *modulus; /* modulus */ + CFIndex modulusLength; + uint8_t *exponent; /* public exponent */ + CFIndex exponentLength; + } SecRSAPublicKeyParams; +#if 0 + SecRSAPublicKeyParams pubKeyParams = { + .modulus = (uint8_t *)k512PublicKeyModulus, + .modulusLength = sizeof(k512PublicKeyModulus), + .exponent = (uint8_t *)k512PublicKeyExponent, + .exponentLength = sizeof(k512PublicKeyExponent), + }; +#else + SecRSAPublicKeyParams pubKeyParams = { + .modulus = (uint8_t *)k1024PublicKeyModulus, + .modulusLength = sizeof(k1024PublicKeyModulus), + .exponent = (uint8_t *)k1024PublicKeyExponent, + .exponentLength = sizeof(k1024PublicKeyExponent), + }; +#endif +// SecKeyRef key = SecKeyCreateRSAPublicKey(NULL, (const uint8_t *)&pubKeyParams, +// 
sizeof(pubKeyParams), kSecKeyEncodingRSAPublicParams); + + // wrap as PKCS1 + DERSize m_size = pubKeyParams.modulusLength; + DERSize e_size = pubKeyParams.exponentLength; + const DERSize seq_size = DERLengthOfItem(ASN1_INTEGER, m_size) + + DERLengthOfItem(ASN1_INTEGER, e_size); + const DERSize result_size = DERLengthOfItem(ASN1_SEQUENCE, seq_size); + DERSize r_size, remaining_size = result_size; + DERReturn drtn; + + CFMutableDataRef pkcs1 = CFDataCreateMutable(NULL, result_size); + ok(pkcs1, "%s: create CFData", testName); + if (pkcs1 == NULL) { + NSLog(@"CFDataCreateMutable failed"); + return; + } + CFDataSetLength(pkcs1, result_size); + uint8_t *bytes = CFDataGetMutableBytePtr(pkcs1); + + *bytes++ = ONE_BYTE_ASN1_CONSTR_SEQUENCE; + remaining_size--; + r_size = 4; + drtn = DEREncodeLength(seq_size, bytes, &r_size); + if (r_size <= remaining_size) { + bytes += r_size; + remaining_size -= r_size; + } + r_size = remaining_size; + drtn = DEREncodeItem(ASN1_INTEGER, m_size, (const DERByte *)pubKeyParams.modulus, (DERByte *)bytes, &r_size); + if (r_size <= remaining_size) { + bytes += r_size; + remaining_size -= r_size; + } + r_size = remaining_size; + drtn = DEREncodeItem(ASN1_INTEGER, e_size, (const DERByte *)pubKeyParams.exponent, (DERByte *)bytes, &r_size); + + + SecExternalFormat externalFormat = kSecFormatBSAFE; //kSecFormatOpenSSL; + SecExternalItemType externalItemType = kSecItemTypePublicKey; + CFArrayRef outArray = NULL; + + status = SecItemImport(pkcs1, NULL, &externalFormat, &externalItemType, 0, NULL, keychain, &outArray); + ok_status(status, "%s: SecItemImport", testName); + if (status != errSecSuccess) { + NSLog(@"SecItemImport result = %d", (int)status); + return; + } + + // TODO: encrypt something with this key and check the result + + if (outArray) CFRelease(outArray); +} + +int kc_26_key_import_public(int argc, char *const *argv) +{ + plan_tests(5); + initializeKeychainTests(__FUNCTION__); + + SecKeychainRef kc = getPopulatedTestKeychain(); + + 
 NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
+// testPubKeyImport();
+ testPubKeyImportWithModulusAndExponent(kc);
+ [pool drain];
+
+ ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName);
+ CFReleaseNull(kc);
+
+ deleteTestFiles();
+ return 0;
+}
+
+#pragma clang diagnostic pop
diff --git a/OSX/libsecurity_keychain/regressions/kc-27-key-non-extractable.c b/OSX/libsecurity_keychain/regressions/kc-27-key-non-extractable.c
new file mode 100644
index 00000000..8dd17e33
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-27-key-non-extractable.c
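Review bot: The `DEREncodeLength`/`DEREncodeItem` calls in `testPubKeyImportWithModulusAndExponent` store their result in `drtn` but never check it, and the final call's `r_size` is never compared with `remaining_size`, so a truncated or mis-encoded PKCS#1 blob is passed straight to `SecItemImport` and an encoding bug would surface only as an import failure (the `-Wunused-variable` pragma at the top of the file is what keeps the unused `drtn` quiet). Add `ok(drtn == DR_Success, "%s: DEREncodeItem", testName);` after each call and assert that the last `r_size` consumed exactly `remaining_size`. `pkcs1` is also never released — neither on the early `return` after a failed import nor on the success path — so a `CFRelease(pkcs1);` belongs before each return. Separately, `testPubKeyImport` imports into the user's default keychain via `SecKeychainCopyDefault` rather than the test keychain; it is commented out in `kc_26_key_import_public`, but if it is ever re-enabled it should take the test keychain as a parameter like its sibling.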
@@ -0,0 +1,236 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the xLicense. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import <Security/Security.h> +#import <Security/SecCertificatePriv.h> + +#include "keychain_regressions.h" +#include "kc-helpers.h" + +// +// Test for <rdar://9251635> +// + +#include <stdlib.h> +#include <err.h> + +#include <CoreFoundation/CoreFoundation.h> +#include <Security/Security.h> +#include <Security/SecItemPriv.h> + +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + +/* + Note: the following will show all private keys with their label + and extractable attribute value (in attribute 0x00000010): + + $ security dump | grep -A 16 "0x00000000 <uint32>=0x00000010" | grep -e ^\ *0x000000[01][01] -e -- +*/ + + +static OSStatus GenerateRSAKeyPair( + SecKeychainRef keychain, + CFStringRef keyLabel, + int keySizeValue, + Boolean *extractable, + SecKeyRef *publicKeyRef, + SecKeyRef *privateKeyRef) +{ + OSStatus status; + CFNumberRef keySize = CFNumberCreate(NULL, kCFNumberIntType, &keySizeValue); + + // create a SecAccessRef to set up the initial access control 
settings for this key + // (this step is optional; if omitted, the creating application has access to the key) + // note: the access descriptor should be the same string as will be used for the item's label, + // since it's the string that is displayed by the access confirmation dialog to describe the item. + SecAccessRef access = NULL; + status = SecAccessCreate(keyLabel, NULL, &access); + + // create a dictionary of parameters describing the key we want to create + CFMutableDictionaryRef params = CFDictionaryCreateMutable(NULL, 0, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); +/* + From the header doc for SecKeyGeneratePair (seems to be incomplete...): + * kSecAttrLabel default NULL + * kSecAttrIsPermanent if this key is present and has a Boolean + value of true, the key or key pair will be added to the default + keychain. + * kSecAttrApplicationTag default NULL + * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits + * kSecAttrCanEncrypt default false for private keys, true for public keys + * kSecAttrCanDecrypt default true for private keys, false for public keys + * kSecAttrCanDerive default true + * kSecAttrCanSign default true for private keys, false for public keys + * kSecAttrCanVerify default false for private keys, true for public keys + * kSecAttrCanWrap default false for private keys, true for public keys + * kSecAttrCanUnwrap default true for private keys, false for public keys +*/ + CFDictionaryAddValue( params, kSecUseKeychain, keychain ); + CFDictionaryAddValue( params, kSecAttrAccess, access ); + CFDictionaryAddValue( params, kSecAttrKeyType, kSecAttrKeyTypeRSA ); + CFDictionaryAddValue( params, kSecAttrKeySizeInBits, keySize ); + CFDictionaryAddValue( params, kSecAttrIsPermanent, kCFBooleanTrue ); + + if (extractable) + CFDictionaryAddValue( params, kSecAttrIsExtractable, (*extractable) ? 
kCFBooleanTrue : kCFBooleanFalse ); + if (keyLabel) + CFDictionaryAddValue( params, kSecAttrLabel, keyLabel ); + + // generate the key + status = SecKeyGeneratePair(params, publicKeyRef, privateKeyRef); + ok_status(status, "%s: SecKeyGeneratePair", testName); + + if (params) CFRelease(params); + if (access) CFRelease(access); + + return status; +} + +static int testExtractable( + SecKeychainRef keychain, + Boolean extractable, + Boolean explicit) +{ + OSStatus status; + SecKeyRef publicKeyRef = NULL; + SecKeyRef privateKeyRef = NULL; + CFStringRef label = (extractable) ? CFSTR("test-extractable-YES") : CFSTR("test-extractable-NO"); + Boolean *extractablePtr = (explicit) ? &extractable : NULL; + + status = GenerateRSAKeyPair(keychain, + label, + 1024, // size + extractablePtr, + &publicKeyRef, + &privateKeyRef); + + if (status != noErr) { + //errx(EXIT_FAILURE, "Unable to get key pair (err = %d)", status); + return status; + } + + // check that the attributes of the generated private key are what we think they are + const CSSM_KEY *cssmPrivKey; + status = SecKeyGetCSSMKey(privateKeyRef, &cssmPrivKey); + ok_status(status, "%s: SecKeyGetCSSMKey", testName); + + if (status != noErr) { + //errx(EXIT_FAILURE, "Unable to get CSSM reference key (err = %d)", status); + return status; + } + if (extractable) { + ok(cssmPrivKey->KeyHeader.KeyAttr & CSSM_KEYATTR_EXTRACTABLE, "%s: check private key marked as extractable (as requested)", testName); + if (!(cssmPrivKey->KeyHeader.KeyAttr & CSSM_KEYATTR_EXTRACTABLE)) { + //errx(EXIT_FAILURE, "Oops! the private key was not marked as extractable!"); + return 1; + } + } + else { + ok(!(cssmPrivKey->KeyHeader.KeyAttr & CSSM_KEYATTR_EXTRACTABLE), "%s: check private key marked as non-extractable (as requested)", testName); + if (cssmPrivKey->KeyHeader.KeyAttr & CSSM_KEYATTR_EXTRACTABLE) { + //errx(EXIT_FAILURE, "Oops! 
the private key was marked as extractable!"); + return 1; + } + } + + SecKeyImportExportParameters keyParams; + memset(&keyParams, 0, sizeof(keyParams)); + keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION; + keyParams.passphrase = CFSTR("borken"); + + CFDataRef exportedData = NULL; + + status = SecKeychainItemExport(privateKeyRef, kSecFormatWrappedPKCS8, 0, &keyParams, &exportedData); + if(extractable) { + ok_status(status, "%s: SecKeychainItemExport (PKCS8) (and we expected it to succeed)", testName); + } else { + is(status, errSecDataNotAvailable, "%s: SecKeychainItemExport (PKCS8) (and we expected this to fail with errSecDataNotAvailable)", testName); + } + + status = SecKeychainItemExport(privateKeyRef, kSecFormatPKCS12, 0, &keyParams, &exportedData); + if(extractable) { + ok_status(status, "%s: SecKeychainItemExport(and we expected it to succeed)", testName); + } else { + is(status, errSecDataNotAvailable, "%s: SecKeychainItemExport (PKCS12) (and we expected this to fail with errSecDataNotAvailable)", testName); + } + + if (status != noErr) { + if (extractable) { + //errx(EXIT_FAILURE, "Unable to export extractable key! (err = %d)", status); + return 1; + } + else { + status = 0; // wasn't extractable, so this is the expected result + } + } + else if (status == noErr && !extractable) { + //errx(EXIT_FAILURE, "Was able to export non-extractable key! 
(err = %d)", status); + return 1; + } + + status = SecKeychainItemDelete((SecKeychainItemRef)publicKeyRef); + ok_status(status, "%s: SecKeychainItemDelete", testName); + if (status != noErr) { + warnx("Unable to delete created public key from keychain (err = %d)", (int)status); + } + + status = SecKeychainItemDelete((SecKeychainItemRef)privateKeyRef); + ok_status(status, "%s: SecKeychainItemDelete", testName); + if (status != noErr) { + warnx("Unable to delete created private key from keychain (err = %d)", (int)status); + } + + CFRelease(publicKeyRef); + CFRelease(privateKeyRef); + + return 0; +} + + +int kc_27_key_non_extractable(int argc, char *const *argv) +{ + plan_tests(24); + initializeKeychainTests(__FUNCTION__); + + SecKeychainRef kc = getPopulatedTestKeychain(); + + // test case 1: extractable + startTest("Extract extractable key"); + testExtractable(kc, TRUE, TRUE); + + // test case 2: non-extractable + startTest("Extract non-extractable key"); + testExtractable(kc, FALSE, TRUE); + + // test case 3: extractable (when not explicitly specified) + startTest("Extract implicitly extractable key"); + testExtractable(kc, TRUE, FALSE); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName); + CFRelease(kc); + + deleteTestFiles(); + return 0; +} + diff --git a/OSX/libsecurity_keychain/regressions/kc-28-cert-sign.c b/OSX/libsecurity_keychain/regressions/kc-28-cert-sign.c new file mode 100644 index 00000000..19f48da1 --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-28-cert-sign.c 
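Review bot: In `testExtractable`, `exportedData` is written by two consecutive `SecKeychainItemExport` calls with no `CFRelease` between them or afterwards, so the wrapped PKCS#8 blob from the first export is leaked and overwritten and the PKCS#12 blob is never freed; release it after each call with `CFReleaseNull(exportedData);`, as the sibling kc-24 and kc-26 tests do for their refs. The early `return status` / `return 1` paths also skip the `SecKeychainItemDelete` and `CFRelease` of `publicKeyRef`/`privateKeyRef`, leaving generated keys behind in the test keychain, and `kc_27_key_non_extractable` discards `testExtractable`'s return value, so a failed case presumably just leaves fewer `ok()` results than `plan_tests(24)` expects rather than being reported where it happened. The `else if (status == noErr && !extractable)` branch is only reached when `status == noErr`, so the first condition is redundant and the branch can read `else if (!extractable)`.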
@@ -0,0 +1,733 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the xLicense.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import <Security/Security.h>
+#include "keychain_regressions.h"
+#include "kc-helpers.h"
+#include "kc-keychain-file-helpers.h"
+#include "test/testenv.h"
+
+//
+// Test for Radar 17159227
+//
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include <Security/SecIdentityPriv.h> // for SecIdentityCreate
+#include <CoreServices/CoreServices.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <time.h>
+
+/* Test CA certificate
+ */
+unsigned char coreOSTestCA[995]={
+ 0x30,0x82,0x03,0xDF,0x30,0x82,0x02,0xC7,0xA0,0x03,0x02,0x01,0x02,0x02,0x04,0x78,
+ 0x0C,0x4B,0x30,0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,
+ 0x30,0x81,0x9F,0x31,0x31,0x30,0x2F,0x06,0x03,0x55,0x04,0x03,0x0C,0x28,0x43,0x6F,
+ 0x72,0x65,0x20,0x4F,0x53,0x20,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x43,
+ 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,
+
0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C, + 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x27,0x30,0x25,0x06, + 0x03,0x55,0x04,0x0B,0x0C,0x1E,0x43,0x6F,0x72,0x65,0x20,0x4F,0x53,0x20,0x2D,0x20, + 0x44,0x45,0x56,0x45,0x4C,0x4F,0x50,0x4D,0x45,0x4E,0x54,0x20,0x55,0x53,0x45,0x20, + 0x4F,0x4E,0x4C,0x59,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x08,0x0C,0x02,0x43, + 0x41,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x12, + 0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69, + 0x6E,0x6F,0x30,0x1E,0x17,0x0D,0x31,0x34,0x30,0x37,0x31,0x37,0x30,0x31,0x33,0x35, + 0x30,0x37,0x5A,0x17,0x0D,0x31,0x36,0x30,0x37,0x31,0x37,0x30,0x31,0x33,0x35,0x30, + 0x37,0x5A,0x30,0x81,0x9F,0x31,0x31,0x30,0x2F,0x06,0x03,0x55,0x04,0x03,0x0C,0x28, + 0x43,0x6F,0x72,0x65,0x20,0x4F,0x53,0x20,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79, + 0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, + 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x27,0x30, + 0x25,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1E,0x43,0x6F,0x72,0x65,0x20,0x4F,0x53,0x20, + 0x2D,0x20,0x44,0x45,0x56,0x45,0x4C,0x4F,0x50,0x4D,0x45,0x4E,0x54,0x20,0x55,0x53, + 0x45,0x20,0x4F,0x4E,0x4C,0x59,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x08,0x0C, + 0x02,0x43,0x41,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53, + 0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72, + 0x74,0x69,0x6E,0x6F,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A, + 0x02,0x82,0x01,0x01,0x00,0xE3,0xC9,0x79,0xA2,0x1F,0xC8,0xFC,0x4F,0xF4,0x70,0x07, + 0xAA,0x8A,0xFA,0xB2,0x60,0xEE,0x3E,0x9D,0xD6,0xA4,0x4F,0x4B,0x17,0x68,0x63,0x54, + 0xC1,0x1C,0x12,0xE1,0x7A,0x93,0x5A,0x04,0x48,0x56,0x1B,0xDD,0x9C,0xC5,0x09,0xB0, + 
0x5F,0x39,0xE2,0xB0,0x86,0x60,0xAF,0x13,0x7A,0x8F,0x97,0x35,0x02,0xCC,0xC0,0x83, + 0x90,0xAC,0x5C,0x44,0xFE,0xF2,0xC1,0xAB,0xB6,0x01,0xFF,0x57,0x7F,0x0B,0xF5,0xA9, + 0x7B,0x5E,0xF0,0x99,0x1D,0xAE,0xA9,0x56,0xC6,0x32,0x71,0xB5,0x7E,0xEA,0xAB,0xBD, + 0x01,0xFE,0xF8,0x35,0xFE,0xE6,0xB2,0x83,0x32,0x00,0x9D,0x51,0x74,0x64,0x00,0xDA, + 0x58,0xD6,0x73,0xB4,0x11,0x8B,0xB6,0x7C,0x86,0x60,0x54,0x42,0x24,0xF9,0xC4,0xAD, + 0x70,0x07,0xB1,0x05,0x29,0x1E,0x57,0x3B,0x97,0xDC,0x2F,0x51,0x4C,0xBB,0x3A,0x1D, + 0x30,0xB5,0xC9,0x69,0x85,0x3D,0xFE,0x9B,0xE8,0x96,0xD9,0xC3,0xC0,0xB4,0xEB,0xB8, + 0x48,0x90,0x74,0xDC,0xC0,0x65,0x50,0x01,0x36,0xCF,0x10,0x8A,0xBF,0xDA,0x9D,0x00, + 0x07,0x2D,0xE9,0x9F,0x58,0x0D,0xF1,0x07,0x55,0xAE,0xC2,0x0F,0xE2,0x2D,0xB8,0xCF, + 0xF5,0x79,0x1D,0x05,0xFD,0xE3,0xE9,0xB1,0x4D,0xD8,0xAA,0xB6,0x26,0xC2,0xC2,0x6E, + 0x72,0xA2,0x18,0xA4,0x81,0x39,0x80,0xA6,0x6B,0x6D,0x16,0x4F,0xB5,0xA0,0xE3,0x20, + 0xE2,0x5B,0x0E,0xE0,0x2D,0x31,0xAD,0x92,0xD6,0x4C,0x13,0x3D,0x81,0x55,0xD1,0xB3, + 0x36,0xC0,0xFB,0xDD,0xCF,0x01,0x9F,0xED,0xCE,0x3B,0x47,0x70,0x59,0xE4,0x25,0x69, + 0x99,0x5C,0x21,0x0C,0x13,0x02,0x03,0x01,0x00,0x01,0xA3,0x23,0x30,0x21,0x30,0x0F, + 0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30, + 0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x86,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0xA1,0xFD,0xD2,0x4A,0xCC,0x63,0x5F,0x5C,0xC3,0xBD,0x59,0x47,0x53, + 0x92,0xE9,0x7C,0x66,0xF6,0x17,0xC3,0x96,0x27,0xB3,0xE1,0xD3,0x52,0x40,0xF6,0xAA, + 0xA3,0x96,0xC4,0xE2,0x76,0x7B,0xE3,0xA6,0xCD,0x6C,0xA1,0x49,0x52,0x82,0x09,0x77, + 0xC6,0x87,0x1D,0x44,0x6E,0x47,0x8F,0x34,0xE2,0xB6,0x4B,0x1E,0x13,0x31,0x9E,0x93, + 0x3E,0xF2,0x7B,0x56,0xEC,0x88,0x93,0x81,0x99,0x55,0x26,0x54,0x72,0x6E,0xD3,0x02, + 0x45,0x9F,0x51,0x67,0xC2,0x7D,0x46,0xA1,0x4E,0xE5,0x37,0x3F,0x88,0xAB,0x4F,0xD6, + 0x87,0xBC,0xEE,0xBA,0x29,0x07,0x10,0xCC,0x1E,0x3A,0xD6,0x38,0x5F,0x9D,0x12,0xE6, + 
0x8A,0x9B,0xD0,0xEB,0x5A,0x88,0xC0,0xE8,0x90,0x78,0xCB,0x8A,0x8A,0xBB,0x63,0xA1, + 0x58,0x1C,0x32,0x8E,0xF0,0xB3,0xA5,0xB5,0x93,0x65,0xA1,0xE2,0x18,0xB1,0xE3,0x2C, + 0xF8,0xF1,0x6C,0xC8,0xCD,0x7B,0xA8,0x8B,0x84,0x42,0xD0,0x5F,0x9A,0x72,0x4A,0x2C, + 0x97,0x50,0x44,0x70,0x0D,0x95,0x86,0xE8,0xDF,0xA4,0x52,0xEB,0xE4,0x87,0xF2,0x69, + 0xD6,0x78,0xA3,0x96,0x37,0x55,0x3D,0x5B,0x86,0x5B,0xED,0xF9,0x93,0x2A,0x75,0xE2, + 0x1A,0x7D,0xF5,0xC9,0x34,0x76,0x80,0x37,0x0D,0x77,0x2B,0x37,0xCA,0x19,0x3D,0xB6, + 0xB4,0xEB,0xC9,0xC8,0x76,0x75,0x07,0xE5,0x24,0x8C,0xB1,0xA3,0x29,0x53,0x54,0x43, + 0xFC,0xE3,0x40,0x5B,0x31,0xC6,0x43,0x13,0x62,0xA8,0x1B,0xB9,0xE2,0xED,0x33,0x40, + 0x0A,0xAB,0x43,0x69,0x31,0x4A,0x13,0x7B,0xCB,0xC8,0x33,0x93,0xDE,0x70,0xAD,0x80, + 0x29,0xBF,0x9E, +}; + +/* Normal code signing certificate, issued by CA above + */ +unsigned char leafSigningCertificate[1007]={ + 0x30,0x82,0x03,0xEB,0x30,0x82,0x02,0xD3,0xA0,0x03,0x02,0x01,0x02,0x02,0x04,0x78, + 0x0C,0xC5,0xD9,0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, + 0x30,0x81,0x9F,0x31,0x31,0x30,0x2F,0x06,0x03,0x55,0x04,0x03,0x0C,0x28,0x43,0x6F, + 0x72,0x65,0x20,0x4F,0x53,0x20,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x43, + 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74, + 0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C, + 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x27,0x30,0x25,0x06, + 0x03,0x55,0x04,0x0B,0x0C,0x1E,0x43,0x6F,0x72,0x65,0x20,0x4F,0x53,0x20,0x2D,0x20, + 0x44,0x45,0x56,0x45,0x4C,0x4F,0x50,0x4D,0x45,0x4E,0x54,0x20,0x55,0x53,0x45,0x20, + 0x4F,0x4E,0x4C,0x59,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x08,0x0C,0x02,0x43, + 0x41,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x12, + 0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69, + 0x6E,0x6F,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x30,0x33,0x30,0x32,0x32,0x34,0x37, + 
0x32,0x30,0x5A,0x17,0x0D,0x31,0x35,0x31,0x30,0x33,0x30,0x32,0x32,0x34,0x37,0x32, + 0x30,0x5A,0x30,0x81,0xA4,0x31,0x17,0x30,0x15,0x06,0x03,0x55,0x04,0x03,0x0C,0x0E, + 0x52,0x61,0x64,0x61,0x72,0x20,0x31,0x37,0x31,0x35,0x39,0x32,0x32,0x37,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, + 0x6E,0x63,0x2E,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0B,0x0C,0x10,0x43,0x6F, + 0x72,0x65,0x20,0x4F,0x53,0x20,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x08,0x0C,0x02,0x43,0x41,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04, + 0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x2B,0x30,0x29, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,0x16,0x1C,0x73,0x65,0x63, + 0x75,0x72,0x69,0x74,0x79,0x2D,0x64,0x65,0x76,0x40,0x67,0x72,0x6F,0x75,0x70,0x2E, + 0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, + 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, + 0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xD0,0x6A,0xA3,0x00,0xEE,0xFC, + 0x30,0x30,0x8C,0x4F,0xC1,0x51,0x7C,0x6E,0xF6,0x45,0x3C,0xE5,0x41,0xAB,0x77,0xDB, + 0xEE,0x73,0x9E,0xE3,0x21,0xBF,0x89,0x3F,0xA7,0xBF,0x23,0x0B,0x3F,0x68,0xF6,0xA4, + 0x80,0xB7,0xF4,0xE3,0xF0,0x10,0x21,0xF0,0xF6,0xBB,0x97,0x08,0x9E,0xA9,0xD0,0x9F, + 0xAB,0xC8,0xF8,0xE9,0xFB,0x9A,0x89,0x2C,0x3C,0x30,0x93,0x92,0x9D,0x08,0x2C,0x0F, + 0x63,0x1C,0xCC,0x4E,0x69,0x0E,0x62,0x9F,0xA6,0x3E,0xAE,0x8B,0x76,0x60,0x6F,0xD9, + 0x5D,0xD2,0xBD,0x38,0x95,0xAA,0x22,0xFD,0xCE,0xDF,0x41,0x15,0x79,0x5E,0x4C,0xAB, + 0x51,0x90,0x3D,0xD7,0x41,0xC3,0x90,0x41,0x58,0xEC,0xB4,0xB5,0x5A,0xBD,0x58,0x1B, + 0x38,0x5D,0xFE,0xB6,0x55,0xA0,0xDA,0x67,0xDF,0x34,0x4F,0x3E,0xE2,0x1A,0xF1,0x8C, + 0x44,0x57,0x2E,0xBB,0xE3,0x19,0xFA,0x08,0xE3,0xF1,0x9C,0x17,0xA2,0xDE,0x74,0xF4, + 0xF7,0x5D,0x6B,0xA2,0xE8,0x2B,0xB3,0xF0,0x3B,0x77,0x4C,0xAE,0x63,0xCA,0xAD,0xB1, + 
0xBB,0x32,0x71,0xE0,0xC2,0x8D,0x6B,0x7B,0x3E,0xB4,0xAC,0x61,0xCA,0x40,0xDC,0xEA, + 0xE4,0xA7,0x2C,0xA4,0xE4,0x40,0xCC,0xD1,0x1F,0xE9,0x05,0x91,0xA9,0x44,0x54,0xB2, + 0x96,0x66,0xC5,0xF2,0x28,0xBF,0xA6,0xDA,0xA5,0xD8,0x09,0x53,0x08,0xF6,0x7D,0x09, + 0xA3,0x6C,0x40,0x7B,0x3C,0x8D,0x09,0xE8,0xED,0xD2,0x55,0x86,0x1B,0x42,0x1C,0x72, + 0xAB,0xAB,0xF2,0x6F,0x0B,0xB4,0x6F,0xCB,0xE7,0x59,0x29,0xFB,0x6A,0x4A,0x91,0xF4, + 0x8C,0xFC,0xA0,0xF8,0x8B,0x55,0x4A,0xD3,0x3A,0x41,0x02,0x03,0x01,0x00,0x01,0xA3, + 0x2A,0x30,0x28,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03, + 0x02,0x07,0x80,0x30,0x16,0x06,0x03,0x55,0x1D,0x25,0x01,0x01,0xFF,0x04,0x0C,0x30, + 0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,0x30,0x0D,0x06,0x09,0x2A, + 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x60, + 0xF9,0x1C,0xE5,0x5E,0xCE,0x79,0x57,0x7E,0x24,0xC1,0x7E,0x07,0x87,0xC6,0x55,0x6E, + 0x38,0xBB,0x17,0x0B,0xAE,0xBC,0xDB,0x72,0xBD,0xA0,0x47,0x2F,0x54,0x34,0x53,0xE7, + 0x21,0xD7,0x04,0x8B,0x06,0x84,0x76,0x81,0x2A,0x6A,0x75,0x06,0xB4,0x62,0xA0,0xBC, + 0xC3,0x78,0x08,0x50,0x3D,0x63,0x44,0x32,0xEA,0xDA,0xFA,0x66,0xDF,0xF9,0xC2,0xE8, + 0xEF,0x72,0x83,0xAF,0x3E,0x2F,0x20,0x83,0x08,0x61,0xD8,0x6A,0x1A,0x71,0x68,0xB8, + 0x21,0x1F,0x0E,0xA8,0x2A,0xDA,0xF0,0x87,0xB1,0xAC,0xCE,0xAB,0xFB,0x9C,0xBC,0x43, + 0x04,0xE5,0x2F,0xF3,0x7D,0xAD,0x78,0x43,0x00,0x74,0x65,0x28,0x8D,0x3F,0x27,0x8F, + 0x33,0x7B,0x36,0xCD,0xAF,0x35,0x33,0xAF,0x06,0xF5,0x22,0x67,0xC7,0xD1,0x88,0x9B, + 0x55,0xE8,0x0E,0x48,0x5F,0x9A,0x30,0x5A,0xF5,0x93,0x53,0x78,0x44,0x8B,0x3A,0xB6, + 0x24,0x7F,0x5D,0x6E,0xDB,0x68,0x72,0x15,0xAD,0xB8,0x3E,0x66,0xE7,0x0E,0x99,0xEB, + 0xAB,0x1D,0x91,0xC8,0xEF,0x5A,0x32,0xA9,0x3E,0x0B,0x82,0x4E,0x5A,0x64,0xC1,0xC5, + 0xFD,0xD0,0x93,0xE0,0x82,0x39,0x7C,0x94,0x78,0x23,0x5D,0x5E,0x65,0x67,0xB9,0x83, + 0xEB,0x3A,0xC6,0x6C,0x65,0x8A,0xC6,0x83,0x2F,0x90,0x4C,0x75,0x7F,0x7A,0x2F,0x3E, + 0xA8,0xAA,0x16,0xF5,0x67,0x5D,0x50,0xC7,0x0E,0x7F,0x7C,0xA2,0xC8,0x10,0x67,0xFD, + 
0x3E,0x91,0xA4,0xD5,0xA0,0xF6,0x9D,0x5A,0x0E,0x56,0xC0,0xCA,0xBA,0xB4,0x8B,0xB1, + 0xB5,0x3A,0x22,0xC0,0xEC,0xF8,0x8F,0xD7,0x49,0xBE,0x8D,0x98,0xE0,0x30,0x0E, +}; + +/* This certificate is longer than the length claimed in its top-level ASN.1 sequence. + It is only supposed to be 1007 bytes, but has 16 extra bytes tacked onto the end. + */ +unsigned char bogusTrailingBytesSigningCertificate[1023]={ + 0x30,0x82,0x03,0xEB,0x30,0x82,0x02,0xD3,0xA0,0x03,0x02,0x01,0x02,0x02,0x04,0x78, + 0x0C,0xC5,0xD9,0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, + 0x30,0x81,0x9F,0x31,0x31,0x30,0x2F,0x06,0x03,0x55,0x04,0x03,0x0C,0x28,0x43,0x6F, + 0x72,0x65,0x20,0x4F,0x53,0x20,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x43, + 0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74, + 0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C, + 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x27,0x30,0x25,0x06, + 0x03,0x55,0x04,0x0B,0x0C,0x1E,0x43,0x6F,0x72,0x65,0x20,0x4F,0x53,0x20,0x2D,0x20, + 0x44,0x45,0x56,0x45,0x4C,0x4F,0x50,0x4D,0x45,0x4E,0x54,0x20,0x55,0x53,0x45,0x20, + 0x4F,0x4E,0x4C,0x59,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x08,0x0C,0x02,0x43, + 0x41,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x12, + 0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69, + 0x6E,0x6F,0x30,0x1E,0x17,0x0D,0x31,0x34,0x31,0x30,0x33,0x30,0x32,0x32,0x34,0x37, + 0x32,0x30,0x5A,0x17,0x0D,0x31,0x35,0x31,0x30,0x33,0x30,0x32,0x32,0x34,0x37,0x32, + 0x30,0x5A,0x30,0x81,0xA4,0x31,0x17,0x30,0x15,0x06,0x03,0x55,0x04,0x03,0x0C,0x0E, + 0x52,0x61,0x64,0x61,0x72,0x20,0x31,0x37,0x31,0x35,0x39,0x32,0x32,0x37,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, + 0x6E,0x63,0x2E,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,0x0B,0x0C,0x10,0x43,0x6F, + 0x72,0x65,0x20,0x4F,0x53,0x20,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x31,0x0B, + 
0x30,0x09,0x06,0x03,0x55,0x04,0x08,0x0C,0x02,0x43,0x41,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04, + 0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x2B,0x30,0x29, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,0x16,0x1C,0x73,0x65,0x63, + 0x75,0x72,0x69,0x74,0x79,0x2D,0x64,0x65,0x76,0x40,0x67,0x72,0x6F,0x75,0x70,0x2E, + 0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, + 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, + 0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xD0,0x6A,0xA3,0x00,0xEE,0xFC, + 0x30,0x30,0x8C,0x4F,0xC1,0x51,0x7C,0x6E,0xF6,0x45,0x3C,0xE5,0x41,0xAB,0x77,0xDB, + 0xEE,0x73,0x9E,0xE3,0x21,0xBF,0x89,0x3F,0xA7,0xBF,0x23,0x0B,0x3F,0x68,0xF6,0xA4, + 0x80,0xB7,0xF4,0xE3,0xF0,0x10,0x21,0xF0,0xF6,0xBB,0x97,0x08,0x9E,0xA9,0xD0,0x9F, + 0xAB,0xC8,0xF8,0xE9,0xFB,0x9A,0x89,0x2C,0x3C,0x30,0x93,0x92,0x9D,0x08,0x2C,0x0F, + 0x63,0x1C,0xCC,0x4E,0x69,0x0E,0x62,0x9F,0xA6,0x3E,0xAE,0x8B,0x76,0x60,0x6F,0xD9, + 0x5D,0xD2,0xBD,0x38,0x95,0xAA,0x22,0xFD,0xCE,0xDF,0x41,0x15,0x79,0x5E,0x4C,0xAB, + 0x51,0x90,0x3D,0xD7,0x41,0xC3,0x90,0x41,0x58,0xEC,0xB4,0xB5,0x5A,0xBD,0x58,0x1B, + 0x38,0x5D,0xFE,0xB6,0x55,0xA0,0xDA,0x67,0xDF,0x34,0x4F,0x3E,0xE2,0x1A,0xF1,0x8C, + 0x44,0x57,0x2E,0xBB,0xE3,0x19,0xFA,0x08,0xE3,0xF1,0x9C,0x17,0xA2,0xDE,0x74,0xF4, + 0xF7,0x5D,0x6B,0xA2,0xE8,0x2B,0xB3,0xF0,0x3B,0x77,0x4C,0xAE,0x63,0xCA,0xAD,0xB1, + 0xBB,0x32,0x71,0xE0,0xC2,0x8D,0x6B,0x7B,0x3E,0xB4,0xAC,0x61,0xCA,0x40,0xDC,0xEA, + 0xE4,0xA7,0x2C,0xA4,0xE4,0x40,0xCC,0xD1,0x1F,0xE9,0x05,0x91,0xA9,0x44,0x54,0xB2, + 0x96,0x66,0xC5,0xF2,0x28,0xBF,0xA6,0xDA,0xA5,0xD8,0x09,0x53,0x08,0xF6,0x7D,0x09, + 0xA3,0x6C,0x40,0x7B,0x3C,0x8D,0x09,0xE8,0xED,0xD2,0x55,0x86,0x1B,0x42,0x1C,0x72, + 0xAB,0xAB,0xF2,0x6F,0x0B,0xB4,0x6F,0xCB,0xE7,0x59,0x29,0xFB,0x6A,0x4A,0x91,0xF4, + 0x8C,0xFC,0xA0,0xF8,0x8B,0x55,0x4A,0xD3,0x3A,0x41,0x02,0x03,0x01,0x00,0x01,0xA3, + 
0x2A,0x30,0x28,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03, + 0x02,0x07,0x80,0x30,0x16,0x06,0x03,0x55,0x1D,0x25,0x01,0x01,0xFF,0x04,0x0C,0x30, + 0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,0x30,0x0D,0x06,0x09,0x2A, + 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x60, + 0xF9,0x1C,0xE5,0x5E,0xCE,0x79,0x57,0x7E,0x24,0xC1,0x7E,0x07,0x87,0xC6,0x55,0x6E, + 0x38,0xBB,0x17,0x0B,0xAE,0xBC,0xDB,0x72,0xBD,0xA0,0x47,0x2F,0x54,0x34,0x53,0xE7, + 0x21,0xD7,0x04,0x8B,0x06,0x84,0x76,0x81,0x2A,0x6A,0x75,0x06,0xB4,0x62,0xA0,0xBC, + 0xC3,0x78,0x08,0x50,0x3D,0x63,0x44,0x32,0xEA,0xDA,0xFA,0x66,0xDF,0xF9,0xC2,0xE8, + 0xEF,0x72,0x83,0xAF,0x3E,0x2F,0x20,0x83,0x08,0x61,0xD8,0x6A,0x1A,0x71,0x68,0xB8, + 0x21,0x1F,0x0E,0xA8,0x2A,0xDA,0xF0,0x87,0xB1,0xAC,0xCE,0xAB,0xFB,0x9C,0xBC,0x43, + 0x04,0xE5,0x2F,0xF3,0x7D,0xAD,0x78,0x43,0x00,0x74,0x65,0x28,0x8D,0x3F,0x27,0x8F, + 0x33,0x7B,0x36,0xCD,0xAF,0x35,0x33,0xAF,0x06,0xF5,0x22,0x67,0xC7,0xD1,0x88,0x9B, + 0x55,0xE8,0x0E,0x48,0x5F,0x9A,0x30,0x5A,0xF5,0x93,0x53,0x78,0x44,0x8B,0x3A,0xB6, + 0x24,0x7F,0x5D,0x6E,0xDB,0x68,0x72,0x15,0xAD,0xB8,0x3E,0x66,0xE7,0x0E,0x99,0xEB, + 0xAB,0x1D,0x91,0xC8,0xEF,0x5A,0x32,0xA9,0x3E,0x0B,0x82,0x4E,0x5A,0x64,0xC1,0xC5, + 0xFD,0xD0,0x93,0xE0,0x82,0x39,0x7C,0x94,0x78,0x23,0x5D,0x5E,0x65,0x67,0xB9,0x83, + 0xEB,0x3A,0xC6,0x6C,0x65,0x8A,0xC6,0x83,0x2F,0x90,0x4C,0x75,0x7F,0x7A,0x2F,0x3E, + 0xA8,0xAA,0x16,0xF5,0x67,0x5D,0x50,0xC7,0x0E,0x7F,0x7C,0xA2,0xC8,0x10,0x67,0xFD, + 0x3E,0x91,0xA4,0xD5,0xA0,0xF6,0x9D,0x5A,0x0E,0x56,0xC0,0xCA,0xBA,0xB4,0x8B,0xB1, + 0xB5,0x3A,0x22,0xC0,0xEC,0xF8,0x8F,0xD7,0x49,0xBE,0x8D,0x98,0xE0,0x30,0x0E,0x45, + 0x4E,0x44,0x43,0x45,0x52,0x54,0x49,0x46,0x49,0x43,0x41,0x54,0x41,0x3D,0x3D +}; + +unsigned char TestIdentity_p12[2697] = { + 0x30, 0x82, 0x0a, 0x85, 0x02, 0x01, 0x03, 0x30, 0x82, 0x0a, 0x4c, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, + 0x0a, 0x3d, 0x04, 0x82, 0x0a, 0x39, 0x30, 0x82, 0x0a, 0x35, 0x30, 
0x82, + 0x04, 0xbf, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x06, 0xa0, 0x82, 0x04, 0xb0, 0x30, 0x82, 0x04, 0xac, 0x02, 0x01, 0x00, + 0x30, 0x82, 0x04, 0xa5, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x0c, 0x01, 0x06, 0x30, 0x0e, 0x04, 0x08, 0x6c, 0x66, 0xc0, + 0x46, 0x37, 0xb4, 0x92, 0x0b, 0x02, 0x02, 0x08, 0x00, 0x80, 0x82, 0x04, + 0x78, 0x6d, 0xb4, 0x7c, 0xb4, 0x7f, 0x50, 0xfb, 0x09, 0x7a, 0xb5, 0x77, + 0x13, 0x05, 0x98, 0x98, 0x04, 0x34, 0xd1, 0xc9, 0xca, 0x97, 0x69, 0x33, + 0x28, 0xda, 0x58, 0xa6, 0x82, 0x0e, 0x1e, 0x05, 0x46, 0x47, 0x77, 0x90, + 0xa1, 0xd6, 0x2b, 0xb9, 0x18, 0x89, 0x3c, 0x8a, 0x2e, 0xec, 0xd3, 0x98, + 0x0b, 0x7b, 0x63, 0x12, 0xf3, 0x5d, 0x62, 0xc4, 0x8d, 0x52, 0xaa, 0xab, + 0x67, 0xde, 0x46, 0x93, 0xdc, 0x9d, 0x1d, 0x29, 0xfb, 0x34, 0x7b, 0x84, + 0xfa, 0x1f, 0x5b, 0x53, 0x1d, 0xab, 0x9e, 0x62, 0x4f, 0x48, 0x4e, 0xd0, + 0x99, 0x1a, 0xfc, 0x60, 0x99, 0x71, 0x3f, 0xe2, 0xd7, 0xc5, 0xb2, 0x34, + 0x24, 0x85, 0x3f, 0x3a, 0x4a, 0x40, 0x34, 0xa8, 0xc5, 0xbc, 0xa3, 0xfe, + 0x3a, 0x7c, 0xdc, 0x96, 0xf3, 0x34, 0x8b, 0xc1, 0xb0, 0xb0, 0x3f, 0x51, + 0xe2, 0x6d, 0x5e, 0x76, 0xb8, 0x44, 0x8d, 0xff, 0x65, 0xe3, 0x42, 0x05, + 0x30, 0xa0, 0x78, 0x7f, 0x69, 0xc7, 0x6f, 0x82, 0x05, 0x20, 0x69, 0x64, + 0x59, 0x84, 0xe1, 0x42, 0x37, 0x41, 0xc5, 0x78, 0x15, 0x2b, 0x77, 0x20, + 0xb8, 0x31, 0x4b, 0x4d, 0xbd, 0x2d, 0xa5, 0xce, 0x65, 0x56, 0xfb, 0x5a, + 0xfc, 0xe1, 0xdb, 0x60, 0x20, 0x1b, 0x5a, 0x91, 0x53, 0x36, 0x62, 0xdf, + 0xb5, 0x4e, 0xf2, 0xc9, 0xce, 0xeb, 0xd4, 0x85, 0xf9, 0xe6, 0x8b, 0x60, + 0xf3, 0x99, 0xfa, 0x4c, 0x13, 0x35, 0x8f, 0x17, 0x3b, 0xe3, 0x74, 0xc7, + 0x7e, 0xb1, 0xf6, 0x8f, 0x4d, 0xdd, 0x40, 0xd6, 0x31, 0x84, 0x83, 0x54, + 0x75, 0x7a, 0xc0, 0xa7, 0xc4, 0x3a, 0xc8, 0x17, 0x87, 0x0d, 0x8f, 0x4f, + 0x0f, 0x8e, 0x6e, 0x08, 0xb8, 0x0a, 0x86, 0x61, 0x03, 0x18, 0xad, 0xd3, + 0x43, 0xe7, 0x87, 0x62, 0x3e, 0x6c, 0xb5, 0x30, 0x81, 0xe0, 0x69, 
0xe3, + 0x6a, 0x1f, 0x3c, 0x5f, 0x48, 0xa6, 0x38, 0x06, 0xbf, 0x5e, 0x43, 0x05, + 0xc8, 0x66, 0x97, 0xdd, 0x1c, 0x25, 0xba, 0x20, 0x44, 0xc6, 0x05, 0x31, + 0xdd, 0x6a, 0xc1, 0x10, 0xe0, 0x63, 0x80, 0xac, 0x0b, 0x55, 0x83, 0x75, + 0xc2, 0xb3, 0x39, 0xb7, 0x6b, 0x7c, 0xf6, 0x69, 0x3d, 0x6c, 0xcd, 0x35, + 0xaf, 0x25, 0xb0, 0xb2, 0x0a, 0xff, 0x33, 0xf3, 0x41, 0x38, 0x39, 0xa6, + 0xd0, 0x38, 0xb5, 0x89, 0xd5, 0xf0, 0x3c, 0x5c, 0x29, 0x8f, 0xc8, 0x1c, + 0x74, 0xe9, 0x35, 0xc8, 0x9e, 0x3a, 0xcd, 0x84, 0xdb, 0x95, 0x55, 0x57, + 0xa8, 0xe7, 0xc5, 0x58, 0xa8, 0xe6, 0xb0, 0x34, 0xbd, 0xa4, 0x00, 0x0c, + 0xb3, 0x1a, 0x00, 0xb2, 0x7d, 0xcd, 0x74, 0x22, 0xaa, 0x8f, 0x0d, 0xe4, + 0x99, 0x26, 0xcd, 0x81, 0x4f, 0xe1, 0xe1, 0x96, 0x41, 0xc6, 0x08, 0x1b, + 0x2c, 0xc7, 0x9e, 0xe6, 0x63, 0x4a, 0x1c, 0x4d, 0xbb, 0x44, 0xeb, 0xb9, + 0xd5, 0x7a, 0x55, 0xd2, 0x58, 0xa0, 0x8f, 0x4b, 0xf1, 0xdf, 0xc6, 0x67, + 0x7c, 0xe8, 0xf5, 0x65, 0xca, 0x52, 0xdd, 0xa6, 0x7c, 0xa9, 0x0d, 0x7e, + 0xec, 0x12, 0x57, 0xef, 0x09, 0x78, 0xdf, 0x40, 0x48, 0xb3, 0x6c, 0xad, + 0xef, 0x5a, 0x81, 0x44, 0xdc, 0x1f, 0x66, 0xf6, 0x2c, 0xbe, 0xf6, 0x07, + 0xc8, 0xb8, 0xff, 0xf3, 0x52, 0xe5, 0x15, 0xc8, 0xe0, 0xc9, 0x60, 0xea, + 0x26, 0x21, 0xa3, 0x21, 0x99, 0x00, 0x84, 0x18, 0x5c, 0x84, 0x16, 0xd0, + 0xf1, 0x63, 0x56, 0x7b, 0xf6, 0x66, 0x43, 0xcc, 0x1e, 0x3c, 0x1a, 0x8d, + 0x8d, 0x3f, 0xf6, 0xf1, 0xcf, 0x04, 0xbf, 0xfb, 0x96, 0x63, 0x50, 0x61, + 0xfd, 0x59, 0x66, 0x2e, 0xd7, 0xb4, 0xd8, 0x63, 0x94, 0xe1, 0x59, 0x96, + 0x9c, 0x31, 0x8a, 0x7a, 0x6d, 0x3a, 0x79, 0xb6, 0xb9, 0xb3, 0xc3, 0xc3, + 0xb8, 0xd3, 0x01, 0x02, 0x94, 0xec, 0x3a, 0x0c, 0x0e, 0x43, 0xef, 0x67, + 0x95, 0xe6, 0xef, 0xa3, 0x98, 0x03, 0x8e, 0x7d, 0x38, 0xd4, 0xaa, 0xd3, + 0xb1, 0x2c, 0x2b, 0x02, 0x76, 0x48, 0x7c, 0x5d, 0x74, 0x0e, 0x43, 0x00, + 0xf8, 0xc7, 0x65, 0xb3, 0x0d, 0xd3, 0xc3, 0x06, 0xe1, 0x77, 0xa7, 0x54, + 0x85, 0x81, 0xcb, 0xfd, 0x79, 0x0a, 0xe2, 0x9f, 0xe9, 0xe6, 0x9d, 0xc6, + 0xa7, 0x5b, 0xc6, 0xb1, 0x2a, 0xe1, 0x9c, 0x79, 0x81, 0xa6, 0xac, 
0x57, + 0xa7, 0xe5, 0x96, 0x3e, 0xb7, 0x49, 0xc2, 0xcf, 0x71, 0x5b, 0x90, 0x3b, + 0x59, 0x9a, 0x69, 0x24, 0x5f, 0xb7, 0x73, 0xad, 0x2c, 0x35, 0xbe, 0xcc, + 0xd2, 0xb0, 0xe5, 0x3e, 0x86, 0x72, 0xbb, 0xe5, 0x0f, 0x34, 0x1c, 0xd5, + 0x33, 0x78, 0x41, 0xf3, 0xb8, 0x3b, 0x2f, 0x63, 0x87, 0x48, 0x05, 0xc4, + 0x29, 0x98, 0x60, 0x2f, 0xab, 0x87, 0x65, 0xdd, 0x22, 0x30, 0x48, 0xc5, + 0x68, 0x29, 0xbf, 0x0d, 0x53, 0x10, 0x0f, 0x9e, 0x6d, 0xff, 0x4f, 0x9e, + 0xab, 0x27, 0xb9, 0xca, 0xa8, 0x69, 0x5c, 0x36, 0x25, 0x48, 0xac, 0x84, + 0xcb, 0x65, 0x75, 0xec, 0xc4, 0x21, 0xf5, 0x02, 0x9d, 0x4d, 0xa9, 0x58, + 0x20, 0xae, 0x03, 0x14, 0xe4, 0x99, 0xe1, 0x22, 0x41, 0x49, 0x6b, 0x5b, + 0x8e, 0x22, 0xb8, 0x12, 0x7e, 0x79, 0xe6, 0x74, 0x91, 0xaa, 0xf3, 0x98, + 0xd8, 0x4c, 0xc1, 0xb6, 0xd7, 0x21, 0x94, 0x38, 0xa1, 0xd1, 0xa7, 0x18, + 0x90, 0xf1, 0x60, 0xef, 0x69, 0x05, 0x26, 0xbe, 0x76, 0xd1, 0xd5, 0x56, + 0x08, 0x02, 0x86, 0x33, 0x7f, 0x7d, 0xc5, 0xf4, 0x62, 0x0b, 0x5f, 0xbf, + 0x6f, 0x58, 0x31, 0xa7, 0xce, 0xe6, 0xeb, 0x5c, 0x68, 0x97, 0xd5, 0x7d, + 0xf3, 0xfb, 0x69, 0x03, 0x50, 0xac, 0x6d, 0x79, 0x83, 0x04, 0x31, 0x6e, + 0x5b, 0x8b, 0x0a, 0x47, 0x14, 0xc1, 0xd2, 0xa2, 0x9d, 0xae, 0x4c, 0xa6, + 0xe9, 0xa6, 0xb1, 0x6d, 0x9b, 0x71, 0x49, 0x89, 0x71, 0x8a, 0x9f, 0xdd, + 0xc8, 0xc1, 0x95, 0x14, 0x69, 0x69, 0x66, 0xd8, 0xd9, 0xa4, 0x37, 0x1a, + 0xdd, 0x47, 0x2c, 0xfb, 0x4a, 0x75, 0x9b, 0x02, 0x9f, 0x56, 0xdd, 0xf2, + 0xbb, 0x24, 0x38, 0x8f, 0x97, 0x9a, 0x0a, 0x61, 0xfa, 0x3b, 0xe6, 0x43, + 0xa9, 0x88, 0xd0, 0x0d, 0x65, 0x1c, 0x55, 0x67, 0x5e, 0x37, 0xd6, 0x50, + 0x0f, 0x58, 0x2e, 0x62, 0xac, 0x02, 0xbc, 0xdb, 0xf3, 0xea, 0xc4, 0x97, + 0x33, 0xf6, 0x48, 0x19, 0xb5, 0x59, 0x76, 0xd0, 0xb1, 0x5c, 0x0f, 0x02, + 0x6b, 0x8b, 0xf8, 0x91, 0x17, 0x15, 0xcb, 0xaf, 0xa7, 0x4f, 0xfe, 0x5a, + 0x04, 0x6f, 0xd8, 0x15, 0xae, 0x59, 0x8e, 0xd4, 0xfc, 0xcd, 0x21, 0xfd, + 0x2a, 0x50, 0x4b, 0x4b, 0x2b, 0x0e, 0xcd, 0xd4, 0x66, 0x99, 0xe8, 0x3d, + 0x6b, 0xad, 0x60, 0x4d, 0x40, 0xd5, 0xf5, 0xe5, 0x85, 0x19, 0xa6, 
0xe0, + 0x7e, 0x1c, 0x21, 0x00, 0x04, 0x4a, 0xd2, 0x90, 0xa6, 0xf5, 0xbf, 0xa4, + 0xaf, 0x85, 0x8f, 0xec, 0xdf, 0x6d, 0xae, 0x88, 0xd5, 0x6b, 0x82, 0x8b, + 0x6c, 0xc8, 0xb7, 0x7b, 0x70, 0x16, 0x30, 0xda, 0x97, 0x33, 0x0c, 0x21, + 0x32, 0x54, 0x76, 0xe3, 0x63, 0x45, 0x8a, 0xdf, 0x07, 0xea, 0x23, 0x9b, + 0xf8, 0xbd, 0x91, 0xe2, 0x47, 0x44, 0x55, 0x8e, 0xd2, 0xff, 0x1c, 0xef, + 0x40, 0xe5, 0x69, 0xba, 0xfd, 0x4d, 0x34, 0x96, 0x80, 0x6c, 0x23, 0xbc, + 0x0f, 0x6d, 0xac, 0x6b, 0xa4, 0x69, 0xf8, 0x4a, 0x6e, 0xe6, 0x7a, 0xa9, + 0x1d, 0xf1, 0x51, 0xfe, 0xb5, 0x00, 0x86, 0xb7, 0x8b, 0x72, 0xb3, 0x56, + 0x9d, 0x44, 0xde, 0x38, 0xe7, 0x34, 0xa9, 0xe9, 0x27, 0xfa, 0x48, 0x3f, + 0xc7, 0x17, 0xe2, 0x8c, 0x28, 0xc1, 0xec, 0x90, 0xfe, 0x31, 0xb8, 0xd7, + 0x11, 0x69, 0xf8, 0xa6, 0x61, 0xa8, 0x4b, 0xeb, 0xa4, 0x0d, 0xae, 0x1c, + 0x50, 0xc1, 0x4e, 0x5b, 0xd5, 0xc5, 0x66, 0x89, 0x32, 0x88, 0x3a, 0x40, + 0x0d, 0x6e, 0xb4, 0xf4, 0x29, 0xf9, 0xc8, 0x85, 0xe3, 0x0a, 0xe0, 0xb6, + 0xb3, 0x49, 0x70, 0xf6, 0x5d, 0xd2, 0x62, 0x41, 0x92, 0x6e, 0xb5, 0x5d, + 0x85, 0xf0, 0x1e, 0xb8, 0xca, 0xbb, 0x07, 0x88, 0x6f, 0x69, 0xea, 0xe4, + 0xbb, 0x58, 0xb2, 0x6c, 0x86, 0x43, 0x04, 0xb7, 0xef, 0xc0, 0xc2, 0xeb, + 0x82, 0x33, 0xb7, 0x3c, 0xd7, 0x24, 0x40, 0x96, 0x30, 0x60, 0x82, 0xe2, + 0x00, 0x63, 0xd6, 0x06, 0x51, 0xc8, 0x3c, 0x77, 0x6c, 0x33, 0x02, 0x9a, + 0xf4, 0xc5, 0xb7, 0x25, 0x4a, 0x4a, 0x65, 0x8f, 0x04, 0xfb, 0x22, 0xbb, + 0xf0, 0x0f, 0x7e, 0x8b, 0x50, 0x74, 0x2a, 0xcf, 0xc4, 0xcf, 0xe0, 0xe6, + 0x35, 0xf5, 0x89, 0x8f, 0xe0, 0x30, 0x82, 0x05, 0x6e, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x05, 0x5f, + 0x04, 0x82, 0x05, 0x5b, 0x30, 0x82, 0x05, 0x57, 0x30, 0x82, 0x05, 0x53, + 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, + 0x02, 0xa0, 0x82, 0x04, 0xee, 0x30, 0x82, 0x04, 0xea, 0x30, 0x1c, 0x06, + 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, + 0x0e, 0x04, 0x08, 0x38, 0xc0, 0x89, 0x4d, 0x2c, 0xbc, 0x90, 0xef, 
0x02, + 0x02, 0x08, 0x00, 0x04, 0x82, 0x04, 0xc8, 0x63, 0xb1, 0xd7, 0x6a, 0x1a, + 0x2f, 0xd9, 0xee, 0x2b, 0xf6, 0x92, 0x2d, 0xf8, 0x90, 0x04, 0x0e, 0x62, + 0xa4, 0x0a, 0x96, 0x12, 0x57, 0xe5, 0x95, 0x12, 0x61, 0xc8, 0x3e, 0x7f, + 0xe4, 0x2e, 0xbb, 0xa0, 0xdc, 0x6b, 0x77, 0x58, 0x39, 0xf0, 0xb7, 0x20, + 0xc6, 0x24, 0x6f, 0x24, 0xd9, 0xc4, 0x42, 0xb2, 0x1b, 0x97, 0xf9, 0x71, + 0x70, 0x8d, 0x08, 0x75, 0x65, 0xb8, 0x16, 0xbf, 0x29, 0x1e, 0x1e, 0x42, + 0x1e, 0xa4, 0xda, 0x7e, 0x78, 0xc5, 0x98, 0x9a, 0x79, 0xf4, 0x89, 0x2c, + 0x0e, 0xfa, 0x72, 0x21, 0xde, 0x75, 0x34, 0x55, 0xfb, 0xa1, 0x3a, 0x6a, + 0xc7, 0x0e, 0x68, 0xd8, 0x4b, 0xe4, 0x47, 0x04, 0xa2, 0x92, 0x68, 0xd0, + 0x01, 0xcc, 0x42, 0x1f, 0xdf, 0x24, 0xba, 0xac, 0x05, 0x91, 0x23, 0x96, + 0xf2, 0x94, 0x2d, 0xcb, 0x6f, 0xac, 0xea, 0x7a, 0x52, 0x7c, 0x00, 0xe5, + 0x7c, 0x73, 0xf1, 0xdd, 0x89, 0x05, 0x16, 0x87, 0x08, 0x7a, 0x3d, 0xa9, + 0x48, 0x99, 0x60, 0x01, 0xd7, 0x34, 0xf6, 0x7a, 0x90, 0xc8, 0x00, 0xa0, + 0xc3, 0x97, 0x62, 0x06, 0xab, 0x14, 0x4c, 0x0b, 0x0f, 0x88, 0x59, 0x3c, + 0x40, 0x47, 0x97, 0xcc, 0xa2, 0x6c, 0x5b, 0x09, 0x9c, 0x2d, 0xa2, 0x60, + 0xb4, 0xfe, 0x86, 0x58, 0x22, 0xeb, 0x7e, 0xab, 0xdb, 0x90, 0x00, 0x8d, + 0x59, 0xb5, 0xfa, 0x8d, 0x3f, 0x7a, 0x02, 0x4b, 0x5e, 0x11, 0x24, 0x95, + 0x6f, 0xad, 0x2c, 0x15, 0xd7, 0x76, 0xa3, 0x8c, 0xfa, 0x38, 0xf5, 0x5a, + 0x2e, 0xd8, 0xee, 0x7d, 0xd7, 0xde, 0x67, 0x7c, 0x27, 0xd0, 0x4a, 0x18, + 0xbb, 0x7c, 0x15, 0x13, 0x37, 0xd2, 0xce, 0x9d, 0xf9, 0xf6, 0x10, 0xb8, + 0xbd, 0x39, 0xa3, 0x27, 0xf2, 0x93, 0x8a, 0x6f, 0x4c, 0xe2, 0xca, 0x13, + 0xf1, 0x2c, 0x22, 0x3b, 0x8a, 0x45, 0xf9, 0x06, 0x23, 0x9f, 0x8d, 0xa1, + 0xd9, 0x35, 0x08, 0xb4, 0xdb, 0x48, 0x86, 0x64, 0x42, 0x0f, 0x4e, 0x5d, + 0xa9, 0xf2, 0x2c, 0xbd, 0x22, 0xcb, 0xa5, 0xbf, 0x40, 0xdd, 0x21, 0x80, + 0x23, 0xa4, 0xee, 0xc2, 0x9d, 0xb8, 0x78, 0x49, 0x82, 0x5e, 0x32, 0x85, + 0xb5, 0xfe, 0x28, 0x61, 0x13, 0xb3, 0x1e, 0x66, 0xad, 0xcc, 0x10, 0x7f, + 0x9e, 0x2f, 0x12, 0x38, 0x79, 0x6d, 0x59, 0x6b, 0xd6, 0x9d, 0xa7, 
0xb7, + 0xec, 0x55, 0xb6, 0x98, 0xb6, 0x63, 0xd1, 0x3c, 0x35, 0x4a, 0x0b, 0xc1, + 0x4f, 0x5b, 0xca, 0x13, 0x7f, 0xe6, 0xc3, 0xc5, 0x89, 0x02, 0xf6, 0xfd, + 0x33, 0x79, 0x53, 0x07, 0xe6, 0xdf, 0xc1, 0x01, 0xb4, 0x74, 0x2c, 0x72, + 0x3d, 0x3c, 0xf6, 0xfa, 0x28, 0x73, 0x48, 0x08, 0x55, 0x4f, 0xc5, 0xb2, + 0x73, 0xd6, 0xa1, 0x27, 0xee, 0xdf, 0x89, 0x1c, 0x7c, 0x90, 0x2a, 0x9c, + 0x0f, 0x15, 0x19, 0x6f, 0x53, 0x5f, 0x99, 0xc6, 0x9b, 0x7a, 0x19, 0x08, + 0x1c, 0xe2, 0x7e, 0x22, 0x53, 0xd9, 0xe1, 0x1e, 0x35, 0xe4, 0xb1, 0xbd, + 0xdc, 0xcd, 0xf3, 0x0e, 0x31, 0x7e, 0x14, 0xea, 0x6e, 0x7f, 0x9f, 0xc7, + 0x94, 0x23, 0x42, 0x10, 0xa0, 0x32, 0x9c, 0x94, 0x09, 0xae, 0x79, 0xa2, + 0x6b, 0x6b, 0x1a, 0xf5, 0xda, 0xaf, 0xe9, 0xb3, 0xf5, 0xac, 0x75, 0xec, + 0xdb, 0xcb, 0x5c, 0x21, 0xc5, 0x7f, 0x57, 0x9e, 0xbe, 0x2d, 0xea, 0x59, + 0x8e, 0x5d, 0x88, 0x15, 0x1a, 0xfe, 0xc5, 0xaa, 0xc6, 0x68, 0x90, 0x79, + 0xd1, 0xba, 0x5d, 0xdd, 0x05, 0x90, 0xdf, 0x3c, 0x0f, 0x69, 0x11, 0x33, + 0x57, 0x6b, 0x99, 0xf7, 0x9a, 0x35, 0x07, 0x07, 0x7d, 0x28, 0x19, 0xba, + 0xac, 0x24, 0x15, 0xbd, 0x18, 0x20, 0x0b, 0xe1, 0x0b, 0x22, 0xfa, 0x03, + 0x14, 0xc8, 0x9d, 0x0e, 0x2a, 0xa4, 0x1d, 0x15, 0x91, 0x8a, 0x06, 0x02, + 0x1d, 0xe7, 0xfe, 0x2b, 0x97, 0xd1, 0x7a, 0xbb, 0x5a, 0xc1, 0x76, 0xfd, + 0x4f, 0xda, 0x87, 0xbb, 0xd4, 0xcc, 0x32, 0x12, 0xb1, 0xeb, 0xc9, 0xaa, + 0xd1, 0xe3, 0x32, 0x5d, 0xde, 0x1f, 0x4a, 0x31, 0x4d, 0x25, 0x03, 0xe2, + 0xc8, 0x44, 0xe5, 0x48, 0xab, 0x45, 0xf4, 0xe4, 0x4d, 0xd7, 0x7b, 0x0b, + 0x46, 0x80, 0xca, 0x38, 0x3b, 0x40, 0x31, 0x15, 0x5e, 0x90, 0x60, 0x0b, + 0x21, 0x29, 0xff, 0x39, 0x59, 0xaa, 0x71, 0x0b, 0xfc, 0xda, 0x23, 0xbb, + 0xdb, 0x2a, 0xe2, 0x9c, 0x8c, 0xf0, 0xf0, 0x33, 0x67, 0xff, 0xd1, 0x29, + 0x0d, 0xe2, 0xc4, 0x36, 0x4c, 0x35, 0x87, 0x8f, 0xb4, 0x61, 0x32, 0x07, + 0x56, 0x77, 0x31, 0x36, 0x6e, 0x62, 0xe8, 0x95, 0xee, 0x93, 0x05, 0x48, + 0xa3, 0xd9, 0x85, 0x42, 0xd4, 0x1f, 0x84, 0x75, 0x1d, 0x31, 0x88, 0x08, + 0xc7, 0x5c, 0xae, 0x00, 0xcf, 0x8b, 0x18, 0x36, 0x40, 0x98, 0x57, 
0x5f, + 0xb2, 0x09, 0xeb, 0xd7, 0xc6, 0xbd, 0x4f, 0xa4, 0x50, 0x31, 0xb2, 0x2d, + 0x7a, 0x62, 0x7a, 0x69, 0x45, 0x3d, 0x22, 0x65, 0x7b, 0x92, 0x50, 0xfa, + 0xaa, 0x9d, 0x97, 0xb3, 0x40, 0x5f, 0x79, 0x72, 0x77, 0x24, 0x4d, 0x81, + 0x7d, 0x98, 0xeb, 0x1f, 0x39, 0x90, 0x5d, 0x94, 0x70, 0xe5, 0xc5, 0x00, + 0xb0, 0xfe, 0x0f, 0x45, 0x0e, 0xdb, 0x25, 0x1d, 0xe9, 0xa0, 0x1d, 0x29, + 0x2a, 0x0c, 0x9d, 0x6a, 0x19, 0xbd, 0x39, 0xe3, 0x5c, 0x0f, 0xc8, 0x29, + 0xb5, 0xd8, 0xf7, 0x57, 0xfd, 0x3c, 0x8c, 0xcb, 0x8b, 0x09, 0x5e, 0xe0, + 0x6c, 0xfe, 0xf2, 0x7c, 0x34, 0x8b, 0x07, 0x5e, 0x80, 0x9c, 0xc0, 0xe4, + 0x54, 0x54, 0xbc, 0xc5, 0x82, 0x30, 0x2c, 0xe5, 0xfe, 0xf0, 0x4e, 0xd1, + 0x6a, 0x5f, 0x70, 0x77, 0x3f, 0x2e, 0x57, 0x7f, 0x9e, 0x28, 0x34, 0x78, + 0x15, 0xb1, 0xd6, 0xa6, 0xfb, 0x08, 0x11, 0x2a, 0xd6, 0xa5, 0xb4, 0x24, + 0x6a, 0xd0, 0x8d, 0x4b, 0xa9, 0x54, 0x8f, 0x65, 0xb9, 0x2b, 0x3e, 0x13, + 0x80, 0x05, 0x6c, 0x83, 0x90, 0x33, 0x48, 0x1f, 0xe5, 0x4d, 0xef, 0x22, + 0x48, 0xa0, 0xbe, 0xf7, 0x4d, 0x91, 0x3d, 0xea, 0x07, 0x72, 0x83, 0x33, + 0xa4, 0x7a, 0x66, 0x2e, 0xce, 0x09, 0x10, 0xe2, 0xeb, 0xc5, 0xfa, 0x70, + 0x11, 0x52, 0x36, 0xd6, 0xc7, 0x72, 0x65, 0x9f, 0xdd, 0xdc, 0x6a, 0x19, + 0x3e, 0x14, 0x25, 0x59, 0x00, 0x20, 0xf0, 0xc2, 0x51, 0x14, 0x14, 0x16, + 0x9b, 0xeb, 0x18, 0x01, 0x4e, 0x93, 0xbf, 0xe8, 0xc0, 0x46, 0xec, 0x97, + 0xc6, 0x54, 0x3e, 0x56, 0xd3, 0x04, 0x6e, 0xa5, 0xba, 0xe9, 0xa8, 0x71, + 0x49, 0x83, 0xea, 0x0d, 0x83, 0x4e, 0x43, 0x96, 0x1e, 0x7d, 0x4b, 0x60, + 0x06, 0xd7, 0xb3, 0x48, 0xa2, 0xd8, 0xa4, 0x78, 0x1e, 0x23, 0x07, 0xb9, + 0xb4, 0x6b, 0xfd, 0xde, 0x1d, 0x01, 0xd0, 0x5b, 0x41, 0x87, 0xc5, 0xa4, + 0x0c, 0x5a, 0x0f, 0x17, 0x1c, 0x19, 0x79, 0xf3, 0x79, 0x55, 0x0a, 0x3d, + 0x67, 0xf8, 0x83, 0x02, 0xa3, 0xb3, 0xc6, 0xdc, 0x7c, 0xf0, 0x42, 0xfc, + 0x27, 0x9e, 0x02, 0xbe, 0x57, 0x9f, 0xcf, 0x5d, 0x7a, 0x14, 0xa9, 0xb1, + 0x2b, 0xc8, 0x91, 0x4c, 0x9f, 0x09, 0x9c, 0x44, 0xbd, 0xb7, 0x9f, 0x7b, + 0x3a, 0xa8, 0xec, 0x7f, 0xac, 0x0b, 0xf6, 0xdd, 0xb8, 0x23, 0xf6, 
0x07, + 0xab, 0x6b, 0x7d, 0xbf, 0x1b, 0x33, 0xf2, 0x1e, 0x38, 0x0e, 0x47, 0x0f, + 0xfe, 0x3e, 0x26, 0x07, 0x8a, 0xb4, 0x3d, 0xc7, 0x02, 0x0f, 0x75, 0xb5, + 0x84, 0x74, 0x2d, 0x84, 0x43, 0x53, 0x79, 0x2e, 0xfe, 0xdd, 0xaf, 0x74, + 0x1b, 0x39, 0xb1, 0x20, 0x55, 0x97, 0xdc, 0x7c, 0x5f, 0x03, 0x9b, 0x97, + 0xd6, 0x26, 0x84, 0x81, 0x4d, 0xc1, 0x76, 0x6f, 0xaf, 0xd0, 0xee, 0x2b, + 0xee, 0x55, 0x11, 0x40, 0xfd, 0x93, 0xa0, 0x6c, 0x03, 0x47, 0x2c, 0xe8, + 0x3a, 0x36, 0xfd, 0xec, 0xa0, 0xbf, 0xeb, 0x59, 0xa9, 0x85, 0x79, 0xdf, + 0xfa, 0x70, 0x9b, 0xca, 0x78, 0x38, 0x57, 0x38, 0xed, 0x9b, 0xf6, 0xa2, + 0xa2, 0xfe, 0xd9, 0x31, 0x25, 0x80, 0xda, 0x0d, 0xb9, 0x33, 0x90, 0x17, + 0xe6, 0x5a, 0xa2, 0x04, 0xa1, 0x05, 0x74, 0x9a, 0x2d, 0x00, 0xde, 0x68, + 0x81, 0x68, 0x91, 0xe5, 0x6d, 0x55, 0xf4, 0x57, 0xd1, 0x71, 0x87, 0xd6, + 0x4b, 0xdb, 0x65, 0x53, 0x05, 0xfd, 0x78, 0x91, 0x78, 0xc0, 0xdf, 0xb9, + 0x39, 0xb2, 0x02, 0x79, 0x25, 0x3b, 0x26, 0x45, 0x6a, 0x2f, 0x87, 0x68, + 0xf6, 0x13, 0x14, 0xa6, 0xef, 0xf4, 0x39, 0xf7, 0x51, 0x2f, 0xcb, 0x2c, + 0xea, 0x7c, 0xa6, 0x43, 0x91, 0x8c, 0x33, 0xa3, 0x64, 0x45, 0x2b, 0x11, + 0x57, 0x3c, 0x60, 0xf5, 0xf0, 0x23, 0x0f, 0xd4, 0xe0, 0x6b, 0xd1, 0x97, + 0xeb, 0x77, 0x3a, 0xa3, 0x53, 0x9f, 0xa0, 0xe5, 0x9f, 0x17, 0x0a, 0xbd, + 0x2b, 0xc3, 0x04, 0xe7, 0x22, 0xcc, 0xed, 0x8a, 0xe9, 0xa3, 0x1c, 0xfe, + 0x2a, 0x8d, 0x29, 0x81, 0xb6, 0x78, 0x3e, 0x20, 0x91, 0x58, 0xb4, 0xc5, + 0x6d, 0x6a, 0xf2, 0x1d, 0x4b, 0xf7, 0x52, 0x28, 0x3a, 0xea, 0x8a, 0x10, + 0xf6, 0x3c, 0x06, 0x19, 0x6b, 0x14, 0xb2, 0xf9, 0x2e, 0xb6, 0x58, 0x86, + 0x57, 0xfa, 0xf0, 0x8f, 0x2c, 0xa5, 0x0b, 0x31, 0x52, 0x30, 0x2b, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, 0x1e, + 0x1e, 0x1c, 0x00, 0x52, 0x00, 0x61, 0x00, 0x64, 0x00, 0x61, 0x00, 0x72, + 0x00, 0x20, 0x00, 0x31, 0x00, 0x37, 0x00, 0x31, 0x00, 0x35, 0x00, 0x39, + 0x00, 0x32, 0x00, 0x32, 0x00, 0x37, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, 0x31, 0x16, 0x04, 0x14, 
0x91, + 0xe9, 0x30, 0xa4, 0xec, 0x77, 0x61, 0x86, 0x5c, 0x44, 0x3d, 0xf0, 0x08, + 0xc3, 0xdc, 0x9f, 0x6f, 0x20, 0x21, 0xba, 0x30, 0x30, 0x30, 0x21, 0x30, + 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, + 0xc4, 0xc3, 0xdb, 0x6c, 0x25, 0xc2, 0xdb, 0x25, 0xbb, 0x9b, 0x1b, 0xab, + 0x04, 0x66, 0x32, 0x08, 0x46, 0x04, 0x94, 0xe6, 0x04, 0x08, 0xc8, 0x12, + 0xa3, 0x2a, 0xbd, 0x3f, 0xce, 0x3d, 0x02, 0x01, 0x01 +}; + +int verbose = 0; + +static int TestSignAndVerifyDataWithIdentity(SecIdentityRef identity) +{ + CMSEncoderRef encoder = NULL; + CMSDecoderRef decoder = NULL; + CFDataRef signedData = NULL; + OSStatus status; + int result = 0; + + status = CMSEncoderCreate(&encoder); + ok_status(status, "%s: CMSEncoderCreate", testName); + if (status) { + fprintf(stderr, "Unable to create encoder: error %d\n", (int)status); + return (++result); + } + + status = CMSEncoderAddSigners(encoder, identity); + ok_status(status, "%s: CMSEncodingAddSigners", testName); + if (status) { + fprintf(stderr, "Unable to add signers: error %d\n", (int)status); + return (++result); + } + + status = CMSEncoderSetCertificateChainMode(encoder, kCMSCertificateSignerOnly); + ok_status(status, "%s: CMSEncoderSetCertificateChainMode", testName); + if (status) { + fprintf(stderr, "Unable to set chain mode: error %d\n", (int)status); + return (++result); + } + + const uint8_t blob[12] = {'j','a','b','b','e','r','w','o','c','k','y','\0'}; + + status = CMSEncoderUpdateContent(encoder, blob, sizeof(blob)); + ok_status(status, "%s: CMSEncoderUpdateContent", testName); + if (status) { + fprintf(stderr, "Unable to update content: error %d\n", (int)status); + return (++result); + } + + status = CMSEncoderCopyEncodedContent(encoder, &signedData); + ok_status(status, "%s: CMSEncoderCopyEncodedContent", testName); + if (status || !signedData) { + fprintf(stderr, "Unable to encode content: error %d\n", (int)status); + return (++result); + } + + /* Verify the content... 
*/
+ status = CMSDecoderCreate(&decoder);
+ ok_status(status, "%s: CMSDecoderCreate", testName);
+ if (status) {
+ fprintf(stderr, "Unable to create decoder: error %d\n", (int)status);
+ return (++result);
+ }
+
+ status = CMSDecoderUpdateMessage(decoder, (const void*)CFDataGetBytePtr(signedData), (size_t)CFDataGetLength(signedData));
+ ok_status(status, "%s: CMSDecoderUpdateMessage", testName);
+ if (status) {
+ fprintf(stderr, "Unable to decode message: error %d\n", (int)status);
+ return (++result);
+ }
+
+ status = CMSDecoderFinalizeMessage(decoder);
+ ok_status(status, "%s: CMSDecoderFinalizeMessage", testName);
+ if (status) {
+ fprintf(stderr, "Unable to finalize message: error %d\n", (int)status);
+ return (++result);
+ }
+
+ CMSSignerStatus signerStatus=0;
+ OSStatus verifyResult=0;
+ SecPolicyRef policy = SecPolicyCreateBasicX509();
+ status = CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, NULL, &verifyResult);
+ ok_status(status, "%s: CMSDecoderCopySignerStatus", testName);
+ if (status) {
+ fprintf(stderr, "Unable to copy signer status: error %d\n", (int)status);
+ return (++result);
+ }
+
+ if (verbose) {
+ fprintf(stdout, "Signer status: %d\n", (int)signerStatus);
+ }
+
+ is(signerStatus, kCMSSignerValid, "%s: CMS signature verified correctly", testName);
+
+ if (decoder) CFRelease(decoder);
+ if (encoder) CFRelease(encoder);
+ if (signedData) CFRelease(signedData);
+ return result;
+}
+
+static int Test()
+{
+ SecKeychainRef goodKeychain=NULL;
+ SecKeychainRef badKeychain=NULL;
+ SecCertificateRef goodLeaf=NULL, badLeaf=NULL, root=NULL;
+ CFDataRef tmpData=NULL;
+ CFArrayRef items=NULL;
+ SecKeyRef privateKey=NULL;
+ SecIdentityRef identity=NULL;
+ OSStatus status;
+ int result = 0;
+
+ goodKeychain = createNewKeychain("test_rdar17159227_good.keychain", "password");
+ badKeychain = createNewKeychain("test_rdar17159227_bad.keychain", "password");
+
+ /* get certificates */
+ tmpData = CFDataCreateWithBytesNoCopy(NULL,
leafSigningCertificate,
+ sizeof(leafSigningCertificate), kCFAllocatorNull);
+ goodLeaf = SecCertificateCreateWithData(NULL, tmpData);
+ CFRelease(tmpData);
+
+ tmpData = CFDataCreateWithBytesNoCopy(NULL, bogusTrailingBytesSigningCertificate,
+ sizeof(bogusTrailingBytesSigningCertificate), kCFAllocatorNull);
+ badLeaf = SecCertificateCreateWithData(NULL, tmpData);
+ CFRelease(tmpData);
+
+ tmpData = CFDataCreateWithBytesNoCopy(NULL, coreOSTestCA,
+ sizeof(coreOSTestCA), kCFAllocatorNull);
+ root = SecCertificateCreateWithData(NULL, tmpData);
+ CFRelease(tmpData);
+
+ ok_status(SecCertificateAddToKeychain(root, goodKeychain), "%s: SecCertificateAddToKeychain (root)", testName);
+ ok_status(SecCertificateAddToKeychain(goodLeaf, goodKeychain), "%s: SecCertificateAddToKeychain (goodLeaf)", testName);
+ ok_status(SecCertificateAddToKeychain(badLeaf, badKeychain), "%s: SecCertificateAddToKeychain (badLeaf)", testName);
+
+ /* import P12 container */
+ {
+ CFDataRef p12DataRef = CFDataCreateWithBytesNoCopy(NULL, TestIdentity_p12,
+ sizeof(TestIdentity_p12), kCFAllocatorNull);
+ SecExternalFormat format = kSecFormatPKCS12;
+ SecExternalItemType itemType = kSecItemTypeAggregate;
+ SecItemImportExportFlags flags = 0;
+
+
+ CFTypeRef keyUsages[1] = { kSecAttrCanSign };
+ CFArrayRef keyUsagesArray = CFArrayCreate(NULL, keyUsages, 1, &kCFTypeArrayCallBacks);
+ CFTypeRef keyAttrs[1] = { kSecAttrIsPermanent };
+ CFArrayRef keyAttrsArray = CFArrayCreate(NULL, keyAttrs, 1, &kCFTypeArrayCallBacks);
+ SecItemImportExportKeyParameters keyParams = {
+ SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION, // uint32_t version
+ 0, // SecKeyImportExportFlags flags
+ CFSTR("test"), // CFTypeRef passphrase
+ NULL, //CFSTR("title"), // CFStringRef alertTitle
+ NULL, //CFSTR("pw:"), // CFStringRef alertPrompt
+ NULL, // SecAccessRef accessRef (unspecified, use default)
+ keyUsagesArray, // CFArrayRef keyUsages
+ keyAttrsArray // CFArrayRef keyAttributes
+ };
+ status = SecItemImport(p12DataRef,
+ NULL,
&format, &itemType, flags, &keyParams, goodKeychain, &items);
+ ok_status(status, "%s: SecItemImport", testName);
+
+ CFRelease(keyUsagesArray);
+ CFRelease(keyAttrsArray);
+ if (status) {
+ fprintf(stderr, "Unable to import identity: error %d\n", (int)status);
+ ++result;
+ }
+ }
+ if (!items || CFArrayGetCount(items) < 1) {
+ // Private key import succeeded but was not returned, need to look up key
+ CFTypeRef results = NULL;
+ CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ CFDictionaryAddValue( query, kSecClass, kSecClassKey );
+ CFDictionaryAddValue( query, kSecAttrKeyClass, kSecAttrKeyClassPrivate );
+ CFDictionaryAddValue( query, kSecAttrLabel, CFSTR("Radar 17159227") );
+ CFDictionaryAddValue( query, kSecReturnRef, kCFBooleanTrue );
+
+ status = SecItemCopyMatching(query, &results);
+ ok_status(status, "%s: SecItemCopyMatching for private key", testName);
+
+ privateKey = (SecKeyRef)results;
+ if (status || !results) {
+ fprintf(stderr, "Unable to find private key: error %d\n", (int)status);
+ } else if (verbose) {
+ fprintf(stdout, "Private key found in search: %p\n", privateKey);
+ }
+ }
+ else {
+ identity=(SecIdentityRef)CFArrayGetValueAtIndex(items,0);
+ if (identity) CFRetain(identity);
+ if (verbose) {
+ fprintf(stdout, "Identity was imported: %p\n", identity);
+ }
+ }
+ if (items) CFRelease(items);
+
+ status = SecIdentityCopyPrivateKey(identity, &privateKey);
+ ok_status(status, "%s: SecItentityCopyPrivateKey", testName);
+
+ /* Case 1: good leaf certificate, expected to always succeed */
+ if (verbose) {
+ fprintf(stdout, "### cert 1 ###\n");
+ }
+ identity = SecIdentityCreate(kCFAllocatorDefault, goodLeaf, privateKey);
+
+ if (status) {
+ identity = NULL;
+ }
+ if (!identity) {
+ fprintf(stderr, "Failed to create identity #1: error %d\n", (int)status);
+ ++result;
+ }
+ result += TestSignAndVerifyDataWithIdentity(identity);
+ if (identity)
CFRelease(identity);
+
+ /* Case 2: bad leaf certificate, expected to succeed with the fix for rdar://17159227, but fail without it */
+ if (verbose) {
+ fprintf(stdout, "### cert 2 ###\n");
+ }
+ identity = SecIdentityCreate(kCFAllocatorDefault, badLeaf, privateKey);
+ if (status) {
+ identity = NULL;
+ }
+ if (!identity) {
+ fprintf(stderr, "Failed to create identity #2: error %d\n", (int)status);
+ ++result;
+ }
+ result += TestSignAndVerifyDataWithIdentity(identity);
+ if (identity) CFRelease(identity);
+
+ if (privateKey) CFRelease(privateKey);
+
+
+ /* clean up temporary keychains before we leave */
+ if (goodKeychain) {
+ ok_status(SecKeychainDelete(goodKeychain), "%s: SecKeychainDelete", testName);
+ CFRelease(goodKeychain);
+ }
+ if (badKeychain) {
+ ok_status(SecKeychainDelete(badKeychain), "%s: SecKeychainDelete", testName);
+ CFRelease(badKeychain);
+ }
+
+ return result;
+}
+
+
+int kc_28_cert_sign(int argc, char *const *argv)
+{
+ plan_tests(31);
+ initializeKeychainTests(__FUNCTION__);
+
+ verbose = test_verbose;
+
+ Test();
+
+ checkPrompts(0, "No prompts");
+
+ deleteTestFiles();
+ return 0;
+}
diff --git a/OSX/libsecurity_keychain/regressions/kc-28-p12-import.m b/OSX/libsecurity_keychain/regressions/kc-28-p12-import.m
new file mode 100644
index 00000000..c12776d0
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-28-p12-import.m
@@ -0,0 +1,268 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the xLicense.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import <Security/Security.h>
+#include "keychain_regressions.h"
+#include "kc-helpers.h"
+#include "kc-item-helpers.h"
+#include "kc-key-helpers.h"
+#include "kc-identity-helpers.h"
+
+#import <Foundation/Foundation.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <Security/oidscert.h>
+#include <Security/oidsattr.h>
+#include <Security/oidsalg.h>
+#include <Security/x509defs.h>
+#include <Security/cssmapi.h>
+#include <Security/cssmapple.h>
+#include <Security/certextensions.h>
+
+#include <Security/SecKeychain.h>
+#include <Security/SecKeychainItem.h>
+#include <Security/SecImportExport.h>
+#include <Security/SecIdentity.h>
+#include <Security/SecIdentitySearch.h>
+#include <Security/SecKey.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecItem.h>
+
+// Turn off deprecated API warnings
+//#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+
+static void
+verifyPrivateKeyExtractability(BOOL extractable, NSArray *items)
+{
+ // After importing items, check that private keys (if any) have
+ // the expected extractable attribute value.
+
+ CFIndex count = [items count];
+ is(count, 1, "One identity added");
+
+ for (id item in items)
+ {
+ OSStatus status;
+ SecKeyRef aKey = NULL;
+ if (SecKeyGetTypeID() == CFGetTypeID((CFTypeRef)item)) {
+ aKey = (SecKeyRef) CFRetain((CFTypeRef)item);
+ fprintf(stdout, "Verifying imported SecKey\n");
+ }
+ else if (SecIdentityGetTypeID() == CFGetTypeID((CFTypeRef)item)) {
+ status = SecIdentityCopyPrivateKey((SecIdentityRef)item, &aKey);
+ ok_status(status, "%s: SecIdentityCopyPrivateKey", testName);
+ }
+
+ ok(aKey, "%s: Have a key to test", testName);
+
+ if (aKey)
+ {
+ const CSSM_KEY *cssmKey;
+ OSStatus status = SecKeyGetCSSMKey(aKey, &cssmKey);
+ ok_status(status, "%s: SecKeyGetCSSMKey", testName);
+ if (status != noErr) {
+ continue;
+ }
+ is(cssmKey->KeyHeader.KeyClass, CSSM_KEYCLASS_PRIVATE_KEY, "%s: key is private key", testName);
+
+ if (!(cssmKey->KeyHeader.KeyClass == CSSM_KEYCLASS_PRIVATE_KEY)) {
+ fprintf(stdout, "Skipping non-private key (KeyClass=%d)\n", cssmKey->KeyHeader.KeyClass);
+ continue; // only checking private keys
+ }
+ BOOL isExtractable = (cssmKey->KeyHeader.KeyAttr & CSSM_KEYATTR_EXTRACTABLE) ?
YES : NO;
+ is(isExtractable, extractable, "%s: key extractability matches expectations", testName);
+
+ CFRelease(aKey);
+ }
+ }
+}
+
+static void
+setIdentityPreferenceForImportedIdentity(SecKeychainRef importKeychain, NSString *name, NSArray *items)
+{
+ CFArrayRef importedItems = (CFArrayRef)items;
+
+ if (importedItems)
+ {
+ SecIdentityRef importedIdRef = NULL;
+ CFIndex dex, numItems = CFArrayGetCount(importedItems);
+ for(dex=0; dex<numItems; dex++)
+ {
+ CFTypeRef item = CFArrayGetValueAtIndex(importedItems, dex);
+ if(CFGetTypeID(item) == SecIdentityGetTypeID())
+ {
+ OSStatus status = noErr;
+ importedIdRef = (SecIdentityRef)item;
+
+ status = SecIdentitySetPreference(importedIdRef, (CFStringRef)name, (CSSM_KEYUSE)0);
+ ok_status(status, "%s: SecIdentitySetPreference", testName);
+ break;
+ }
+ }
+ ok(importedIdRef, "%s: identity found?", testName);
+ }
+ else
+ {
+ fail("%s: no items passed to setIdentityPreferenceForImportedIdentity", testName);
+ pass("test numbers match");
+ }
+}
+
+static void removeIdentityPreference(bool test) {
+ // Clean up the identity preference, since it's in the default keychain
+ CFMutableDictionaryRef q = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(q, kSecClass, kSecClassGenericPassword);
+ q = addLabel(q, CFSTR("kc-28-p12-import@apple.com"));
+
+ if(test) {
+ ok_status(SecItemDelete(q), "%s: SecItemDelete (identity preference)", testName);
+ } else {
+ // Our caller doesn't care if this works or not.
+ SecItemDelete(q);
+ }
+ CFReleaseNull(q);
+}
+
+
+static OSStatus
+testP12Import(BOOL extractable, SecKeychainRef keychain, const char *p12Path, CFStringRef password, bool useDeprecatedAPI)
+{
+ OSStatus status = paramErr;
+
+ NSString *file = [NSString stringWithUTF8String:p12Path];
+ NSData *p12Data = [[NSData alloc] initWithContentsOfFile:file];
+ NSArray *keyAttrs = nil;
+ NSArray *outItems = nil;
+
+ SecExternalFormat externFormat = kSecFormatPKCS12;
+ SecExternalItemType itemType = kSecItemTypeAggregate; // certificates and keys
+
+ // Decide which parameter structure to use.
+ SecKeyImportExportParameters keyParamsOld; // for SecKeychainItemImport, deprecated as of 10.7
+ SecItemImportExportKeyParameters keyParamsNew; // for SecItemImport, 10.7 and later
+
+ void *keyParamsPtr = (useDeprecatedAPI) ? (void*)&keyParamsOld : (void*)&keyParamsNew;
+
+ if (useDeprecatedAPI) // SecKeychainItemImport, deprecated as of 10.7
+ {
+ SecKeyImportExportParameters *keyParams = (SecKeyImportExportParameters *)keyParamsPtr;
+ memset(keyParams, 0, sizeof(SecKeyImportExportParameters));
+ keyParams->version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+ keyParams->passphrase = password;
+ if (!extractable)
+ {
+ // explicitly set the key attributes, omitting the CSSM_KEYATTR_EXTRACTABLE bit
+ keyParams->keyAttributes = CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_SENSITIVE;
+ }
+ }
+ else // SecItemImport, 10.7 and later (preferred interface)
+ {
+ SecItemImportExportKeyParameters *keyParams = (SecItemImportExportKeyParameters *)keyParamsPtr;
+ memset(keyParams, 0, sizeof(SecItemImportExportKeyParameters));
+ keyParams->version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+ keyParams->passphrase = password;
+ if (!extractable)
+ {
+ // explicitly set the key attributes, omitting kSecAttrIsExtractable
+ keyAttrs = [[NSArray alloc] initWithObjects: (id) kSecAttrIsPermanent, kSecAttrIsSensitive, nil];
+ keyParams->keyAttributes = (CFArrayRef) keyAttrs;
+ }
+ }
+
+ if (useDeprecatedAPI) //
SecKeychainItemImport, deprecated as of 10.7
+ {
+ SecKeyImportExportParameters *keyParams = (SecKeyImportExportParameters *)keyParamsPtr;
+
+ status = SecKeychainItemImport((CFDataRef)p12Data,
+ NULL,
+ &externFormat,
+ &itemType,
+ 0, /* flags not used (yet) */
+ keyParamsPtr,
+ keychain,
+ (CFArrayRef*)&outItems);
+ ok_status(status, "%s: SecKeychainItemImport", testName);
+ }
+ else // SecItemImport
+ {
+ SecItemImportExportKeyParameters *keyParams = (SecItemImportExportKeyParameters *)keyParamsPtr;
+
+ status = SecItemImport((CFDataRef)p12Data,
+ NULL,
+ &externFormat,
+ &itemType,
+ 0, /* flags not used (yet) */
+ keyParamsPtr,
+ keychain,
+ (CFArrayRef*)&outItems);
+ ok_status(status, "%s: SecItemImport", testName);
+ }
+
+ verifyPrivateKeyExtractability(extractable, outItems);
+
+ checkN(testName, makeQueryKeyDictionaryWithLabel(keychain, kSecAttrKeyClassPrivate, CFSTR("test_import")), 1);
+ checkN(testName, addLabel(makeBaseQueryDictionary(keychain, kSecClassCertificate), CFSTR("test_import")), 1);
+
+ setIdentityPreferenceForImportedIdentity(keychain, @"kc-28-p12-import@apple.com", outItems);
+
+ deleteItems((__bridge CFArrayRef) outItems);
+
+ [keyAttrs release];
+ [p12Data release];
+ [outItems release];
+
+ return status;
+}
+
+int kc_28_p12_import(int argc, char *const *argv)
+{
+ plan_tests(70);
+ initializeKeychainTests(__FUNCTION__);
+
+ SecKeychainRef kc = getPopulatedTestKeychain();
+
+ NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
+
+ removeIdentityPreference(false); // if there's still an identity preference in the keychain, we'll get prompts.
Delete it pre-emptively (but don't test about it)
+
+ writeFile(keychainTempFile, test_import_p12, test_import_p12_len);
+ testP12Import(true, kc, keychainTempFile, CFSTR("password"), false);
+ testP12Import(true, kc, keychainTempFile, CFSTR("password"), true);
+
+ testP12Import(false, kc, keychainTempFile, CFSTR("password"), false);
+ testP12Import(false, kc, keychainTempFile, CFSTR("password"), true);
+
+ ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", testName);
+ CFReleaseNull(kc);
+
+ removeIdentityPreference(true);
+
+ checkPrompts(0, "No prompts while importing items");
+
+ [pool release];
+
+ deleteTestFiles();
+ return 0;
+}
diff --git a/OSX/libsecurity_keychain/regressions/kc-30-xara-helpers.h b/OSX/libsecurity_keychain/regressions/kc-30-xara-helpers.h
index e5e89a0c..05c329c2 100644
--- a/OSX/libsecurity_keychain/regressions/kc-30-xara-helpers.h
+++ b/OSX/libsecurity_keychain/regressions/kc-30-xara-helpers.h
@@ -28,9 +28,7 @@
 #include <Security/cssmapi.h>
 #include <security_utilities/debugging.h>
 #include "utilities/SecCFRelease.h"
-
-static char keychainFile[1000];
-static char keychainName[1000];
+#include "kc-helpers.h"
 #if TARGET_OS_MAC
@@ -45,11 +43,24 @@ static SecKeychainRef newKeychain(const char * name) {
 // Kill the test keychain if it exists.
 unlink(keychainFile);
+ unlink(keychainDbFile);
+
+ // Delete from CDSA-land? No tests, here, it'll work or it won't.
+ SecKeychainOpen(keychainName, &kc);
+ if(kc) {
+ SecKeychainDelete(kc);
+ CFReleaseNull(kc);
+ }
 ok_status(SecKeychainCreate(keychainName, (UInt32) strlen(password), password, false, NULL, &kc), "%s: SecKeychainCreate", name);
+
+ char path[400];
+ UInt32 len = sizeof(path);
+ ok_status(SecKeychainGetPath(kc, &len, path), "%s: SecKeychainGetPath", name);
+ eq_stringn(path, len, keychainDbFile, strlen(keychainDbFile), "%s: paths do not match", name);
 return kc;
 }
-#define newKeychainTests 1
+#define newKeychainTests 3
 /* name is the name of the test, not the name of the keychain */
 static SecKeychainRef newCustomKeychain(const char * name, const char * path, const char * password) {
@@ -78,10 +89,48 @@ static SecKeychainRef openCustomKeychain(const char * name, const char * path, c
 #define openCustomKeychainTests 2
 static SecKeychainRef openKeychain(const char * name) {
- return openCustomKeychain(name, "test.keychain", NULL);
+ return openCustomKeychain(name, keychainName, NULL);
 }
 #define openKeychainTests (openCustomKeychainTests)
+#define checkPartitionIDsTests 3
+static void checkPartitionIDs(const char* name, SecKeychainItemRef item, uint32_t n) {
+ if(!item) {
+ for(int i = 0; i < checkPartitionIDsTests; i++) {
+ fail("%s: checkNoPartitionIDs not passed an item", name);
+ }
+ return;
+ }
+ SecAccessRef access = NULL;
+ ok_status(SecKeychainItemCopyAccess(item, &access), "%s: SecKeychainItemCopyAccess", name);
+
+ CFArrayRef acllist = NULL;
+ ok_status(SecAccessCopyACLList(access, &acllist), "%s: SecAccessCopyACLList", name);
+
+ int partitionIDsFound = 0;
+ CFStringRef output = NULL;
+
+ if(acllist) {
+ for(int i = 0; i < CFArrayGetCount(acllist); i++) {
+ SecACLRef acl = (SecACLRef) CFArrayGetValueAtIndex(acllist, i);
+
+ CFArrayRef auths = SecACLCopyAuthorizations(acl);
+ CFRange searchrange = {0, CFArrayGetCount(auths)};
+ if(CFArrayContainsValue(auths, searchrange, kSecACLAuthorizationPartitionID)) {
+
+ // found a hash. match it.
+ partitionIDsFound++;
+ }
+
+ CFReleaseNull(auths);
+ }
+
+ CFReleaseNull(acllist);
+ }
+
+ is(partitionIDsFound, n, "%s: Wrong number of partition IDs found", name);
+}
+
 #define getIntegrityHashTests 3
 static CFStringRef getIntegrityHash(const char* name, SecKeychainItemRef item) {
 if(!item) {
@@ -145,6 +194,10 @@ static void checkIntegrityHash(const char* name, SecKeychainItemRef item, CFStri
 printf("%s: Hashes didn't match. Was: ", name);
 fflush(stdout);
 CFShow(hash);
+ printf(" expected: ");
+ fflush(stdout);
+ CFShow(expectedHash);
+ fflush(stdout);
 fail("Hashes don't match");
 }
 }
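Review bot: In verifyPrivateKeyExtractability the key obtained through CFRetain or SecIdentityCopyPrivateKey is leaked on both `continue` paths, because the only `CFRelease(aKey)` sits at the bottom of the `if (aKey)` body; releasing before each `continue` (or moving the release after the `if` so it is unconditional) closes the leak, and the inner `OSStatus status` shadows the one declared at the top of the loop body. In testP12Import the `keyParams` pointer declared inside each of the two import branches is never used, since `keyParamsPtr` is what both calls pass, so those two declarations can go. `p12Data` is handed to the import calls without a check that `initWithContentsOfFile:` succeeded; an `ok(p12Data, "%s: read p12 fixture", testName)` (with plan_tests adjusted) would turn a missing fixture into a clear failure instead of an opaque import error. The license header also reads `limitations under the xLicense`, a typo for `License`.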
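Review bot: The new `char path[400]` in newKeychain is a fixed size unrelated to the path buffers the rest of these helpers use, so a keychain path longer than that makes SecKeychainGetPath fail and the two new tests fail for a reason that has nothing to do with the keychain; `char path[PATH_MAX];` would make the check track the platform limit. The status of `SecKeychainOpen(keychainName, &kc)` is deliberately ignored per the comment, but the following `if(kc)` decides whether to delete based on whatever `kc` holds, and `kc` is declared before this hunk, so a `kc = NULL;` immediately before the open would make the intent explicit rather than depending on the out-parameter being cleared on failure. newKeychain's body starts outside this hunk.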
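Review bot: In checkPartitionIDs the SecAccessRef returned by SecKeychainItemCopyAccess is never released, so every call leaks it; add `CFReleaseNull(access);` beside the existing `CFReleaseNull(acllist);`. If SecACLCopyAuthorizations returns NULL, `CFArrayGetCount(auths)` dereferences it before any ok/is check can report, so the loop body should start with `if(!auths) { continue; }`. The `fail()` message names `checkNoPartitionIDs`, which is not this function, and `CFStringRef output` is declared but never used. The comment `// found a hash. match it.` describes a comparison the code does not perform; `// this ACL carries a partition-ID authorization; count it` matches what the counter records.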
@@ -172,36 +225,6 @@ static void checkHashesMatch(const char* name, SecKeychainItemRef item, SecKeych } #define checkHashesMatchTests (getIntegrityHashTests + getIntegrityHashTests + 1) -/* Checks to be sure there are N elements in this search, and returns the first - * if it exists. */ -static SecKeychainItemRef checkN(char* testName, const CFDictionaryRef query, uint32_t n) { - CFArrayRef results = NULL; - if(n > 0) { - ok_status(SecItemCopyMatching(query, (CFTypeRef*) &results), "%s: SecItemCopyMatching", testName); - } else { - is(SecItemCopyMatching(query, (CFTypeRef*) &results), errSecItemNotFound, "%s: SecItemCopyMatching (for no items)", testName); - } - CFRelease(query); - - SecKeychainItemRef item = NULL; - if(results) { - is(CFArrayGetCount(results), n, "%s: Wrong number of results", testName); - if(n >= 1) { - ok(item = (SecKeychainItemRef) CFArrayGetValueAtIndex(results, 0), "%s: Couldn't get item", testName); - } else { - pass("make test numbers match"); - } - } else if((!results) && n == 0) { - pass("%s: no results found (and none expected)", testName); - pass("make test numbers match"); - } else { - fail("%s: no results found (and %d expected)", testName, n); - pass("make test numbers match"); - } - return item; -} -#define checkNTests 3 - #pragma clang pop #else diff --git a/OSX/libsecurity_keychain/regressions/kc-30-xara-item-helpers.h b/OSX/libsecurity_keychain/regressions/kc-30-xara-item-helpers.h index e2f523c1..b6f776c6 100644 --- a/OSX/libsecurity_keychain/regressions/kc-30-xara-item-helpers.h +++ b/OSX/libsecurity_keychain/regressions/kc-30-xara-item-helpers.h @@ -22,6 +22,7 @@ */ #include "kc-30-xara-helpers.h" +#include "kc-item-helpers.h" #ifndef kc_30_xara_item_helpers_h #define kc_30_xara_item_helpers_h 
@@ -32,98 +33,14 @@ #pragma clang diagnostic ignored "-Wunused-variable" #pragma clang diagnostic ignored "-Wunused-function" - -static CFMutableDictionaryRef makeBaseItemDictionary(CFStringRef itemclass) { - CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue); - CFDictionarySetValue(query, kSecClass, itemclass); - - if(CFEqual(itemclass, kSecClassInternetPassword)) { - CFDictionarySetValue(query, kSecAttrServer, CFSTR("test_service")); - CFDictionarySetValue(query, kSecAttrAuthenticationType, CFSTR("dflt")); // Default, I guess? - } else { - // Generic passwords have services - CFDictionarySetValue(query, kSecAttrService, CFSTR("test_service")); - } - return query; -} - -static CFMutableDictionaryRef makeQueryItemDictionary(SecKeychainRef kc, CFStringRef itemclass) { - CFMutableDictionaryRef query = makeBaseItemDictionary(itemclass); - - CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); - CFArrayAppendValue((CFMutableArrayRef)searchList, kc); - CFDictionarySetValue(query, kSecMatchSearchList, searchList); - - CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll); - - return query; -} - -static CFMutableDictionaryRef makeQueryCustomItemDictionary(SecKeychainRef kc, CFStringRef itemclass, CFStringRef label) { - CFMutableDictionaryRef query = makeQueryItemDictionary(kc, itemclass); - CFDictionarySetValue(query, kSecAttrLabel, label); - return query; -} - -static CFMutableDictionaryRef makeAddCustomItemDictionary(SecKeychainRef kc, CFStringRef itemclass, CFStringRef label, CFStringRef account) { - CFMutableDictionaryRef query = makeBaseItemDictionary(itemclass); - - CFDictionaryAddValue(query, kSecUseKeychain, kc); - CFDictionarySetValue(query, kSecAttrAccount, account); - CFDictionarySetValue(query, kSecAttrComment, CFSTR("a comment")); - 
CFDictionarySetValue(query, kSecAttrLabel, label); - CFDictionarySetValue(query, kSecValueData, CFDataCreate(NULL, (void*)"data", 4)); - return query; -} - -static CFMutableDictionaryRef makeAddItemDictionary(SecKeychainRef kc, CFStringRef itemclass, CFStringRef label) { - return makeAddCustomItemDictionary(kc, itemclass, label, CFSTR("test_account")); -} - -static SecKeychainItemRef makeCustomItem(const char* name, SecKeychainRef kc, CFDictionaryRef addDictionary) { - CFTypeRef result = NULL; - ok_status(SecItemAdd(addDictionary, &result), "%s: SecItemAdd", name); - ok(result != NULL, "%s: SecItemAdd returned a result", name); - - SecKeychainItemRef item = (SecKeychainItemRef) result; - ok(item != NULL, "%s: Couldn't convert into SecKeychainItemRef", name); - - return item; -} -#define makeCustomItemTests 3 - -static SecKeychainItemRef makeItem(const char* name, SecKeychainRef kc, CFStringRef itemclass, CFStringRef label) { - CFMutableDictionaryRef query = makeAddItemDictionary(kc, itemclass, label); - - SecKeychainItemRef item = makeCustomItem(name, kc, query); - - CFReleaseNull(query); - return item; -} -#define makeItemTests makeCustomItemTests - -static void makeCustomDuplicateItem(const char* name, SecKeychainRef kc, CFStringRef itemclass, CFStringRef label) { - CFMutableDictionaryRef query = makeAddItemDictionary(kc, itemclass, label); - - CFTypeRef result = NULL; - is(SecItemAdd(query, &result), errSecDuplicateItem, "%s: SecItemAdd (duplicate)", name); - - CFReleaseNull(query); -} -#define makeCustomDuplicateItemTests 1 - -static void makeDuplicateItem(const char* name, SecKeychainRef kc, CFStringRef itemclass) { - return makeCustomDuplicateItem(name, kc, itemclass, CFSTR("test_label")); -} -#define makeDuplicateItemTests makeCustomDuplicateItemTests - static void makeCustomItemWithIntegrity(const char* name, SecKeychainRef kc, CFStringRef itemclass, CFStringRef label, CFStringRef expectedHash) { SecKeychainItemRef item = makeItem(name, kc, itemclass, 
label); checkIntegrityHash(name, item, expectedHash); + checkPartitionIDs(name, (SecKeychainItemRef) item, 1); + CFReleaseNull(item); } -#define makeCustomItemWithIntegrityTests (makeItemTests + checkIntegrityHashTests) +#define makeCustomItemWithIntegrityTests (makeItemTests + checkIntegrityHashTests + checkPartitionIDsTests) static void makeItemWithIntegrity(const char* name, SecKeychainRef kc, CFStringRef itemclass, CFStringRef expectedHash) { makeCustomItemWithIntegrity(name, kc, itemclass, CFSTR("test_label"), expectedHash); @@ -133,19 +50,20 @@ static void makeItemWithIntegrity(const char* name, SecKeychainRef kc, CFStringR static void testAddItem(CFStringRef itemclass, CFStringRef expectedHash) { char name[100]; sprintf(name, "testAddItem[%s]", CFStringGetCStringPtr(itemclass, kCFStringEncodingUTF8)); - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecKeychainRef kc = newKeychain(name); makeItemWithIntegrity(name, kc, itemclass, expectedHash); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testAddItemTests (newKeychainTests + makeItemWithIntegrityTests + 1) static void testCopyMatchingItem(CFStringRef itemclass, CFStringRef expectedHash) { char name[100]; sprintf(name, "testCopyMatchingItem[%s]", CFStringGetCStringPtr(itemclass, kCFStringEncodingUTF8)); - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecKeychainRef kc = newKeychain(name); makeItemWithIntegrity(name, kc, itemclass, expectedHash); 
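Review bot: The new call `checkPartitionIDs(name, (SecKeychainItemRef) item, 1);` in makeCustomItemWithIntegrity casts `item`, which is already declared as SecKeychainItemRef on the line above, so the cast is noise and can be dropped to match the neighbouring `checkIntegrityHash(name, item, expectedHash);` call. The added `CFReleaseNull(item);` changes this helper from leaking the reference makeItem hands back to consuming it, which is worth a one-line comment such as `// item is released here; callers needing the item use makeItem directly` since sibling helpers in this file return the item to the caller. The removed helpers presumably moved to the newly included kc-item-helpers.h, which is not visible here.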
@@ -153,13 +71,14 @@ static void testCopyMatchingItem(CFStringRef itemclass, CFStringRef expectedHash SecKeychainItemRef item = checkN(name, makeQueryItemDictionary(kc, itemclass), 1); checkIntegrityHash(name, item, expectedHash); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testCopyMatchingItemTests (newKeychainTests + makeItemWithIntegrityTests + checkNTests + checkIntegrityHashTests + 1) static void testUpdateItem(CFStringRef itemclass, CFStringRef expectedHashOrig, CFStringRef expectedHashAfter) { char name[100]; sprintf(name, "testUpdateItem[%s]", CFStringGetCStringPtr(itemclass, kCFStringEncodingUTF8)); - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecKeychainRef kc = newKeychain(name); makeItemWithIntegrity(name, kc, itemclass, expectedHashOrig); 
@@ -184,21 +103,23 @@ static void testUpdateItem(CFStringRef itemclass, CFStringRef expectedHashOrig, item = checkN(name, makeQueryItemDictionary(kc, itemclass), 1); checkIntegrityHash(name, item, expectedHashAfter); + checkPartitionIDs(name, item, 1); CFReleaseNull(query); CFReleaseNull(update); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testUpdateItemTests (newKeychainTests + makeItemWithIntegrityTests \ + 1 + checkNTests + checkIntegrityHashTests \ - + 1 + checkNTests + checkIntegrityHashTests \ + + 1 + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests \ + 1) static void testAddDuplicateItem(CFStringRef itemclass, CFStringRef expectedHash) { char name[100]; sprintf(name, "testAddDuplicateItem[%s]", CFStringGetCStringPtr(itemclass, kCFStringEncodingUTF8)); - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecKeychainRef kc = newKeychain(name); makeItemWithIntegrity(name, kc, itemclass, expectedHash); @@ -206,13 +127,14 @@ static void testAddDuplicateItem(CFStringRef itemclass, CFStringRef expectedHash makeDuplicateItem(name, kc, itemclass); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testAddDuplicateItemTests (newKeychainTests + makeItemWithIntegrityTests + makeDuplicateItemTests + 1) static void testDeleteItem(CFStringRef itemclass, CFStringRef expectedHash) { char name[100]; sprintf(name, "testDeleteItem[%s]", CFStringGetCStringPtr(itemclass, kCFStringEncodingUTF8)); - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecKeychainRef kc = newKeychain(name); makeItemWithIntegrity(name, kc, itemclass, expectedHash); 
@@ -223,6 +145,7 @@ static void testDeleteItem(CFStringRef itemclass, CFStringRef expectedHash) { ok_status(SecKeychainItemDelete(item), "%s: SecKeychainItemDelete", name); checkN(name, makeQueryItemDictionary(kc, itemclass), 0); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testDeleteItemTests (newKeychainTests + makeItemWithIntegrityTests + checkNTests + checkIntegrityHashTests + 1 + checkNTests + 1) 
@@ -241,34 +164,35 @@ static void writeEmptyV512Keychain(const char* name, const char* keychainFile);
 static void testUpdateRetainedItem(CFStringRef itemclass) {
 char name[100];
 sprintf(name, "testUpdateRetainedItem[%s]", CFStringGetCStringPtr(itemclass, kCFStringEncodingUTF8));
- secdebugfunc("integrity", "************************************* %s", name);
+ secnotice("integrity", "************************************* %s", name);
- writeEmptyV512Keychain(name, keychainFile);
- SecKeychainRef kc = openCustomKeychain(name, "test.keychain", "password");
+ writeEmptyV512Keychain(name, keychainDbFile);
+ SecKeychainRef kc = openCustomKeychain(name, keychainName, "password");
 SecKeychainItemRef item = makeCustomItem(name, kc, makeAddCustomItemDictionary(kc, itemclass, CFSTR("test_label"), CFSTR("account1")));
 CFRelease(checkN(name, makeQueryCustomItemDictionary(kc, itemclass, CFSTR("test_label")), 1));
- is(CFGetRetainCount(item), 1, "%s: CFGetRetainCount(item)", name);
+ cmp_ok(CFGetRetainCount(item), >=, 1, "%s: CFGetRetainCount(item)", name);
 // Bump our local database version number a few times, so we'll re-read the database when we reset it later
 CFReleaseSafe(makeCustomItem(name, kc, makeAddCustomItemDictionary(kc, itemclass, CFSTR("version"), CFSTR("version"))));
 CFReleaseSafe(makeCustomItem(name, kc, makeAddCustomItemDictionary(kc, itemclass, CFSTR("bump"), CFSTR("bump"))));
 // Simulate another process deleting the items we just made, and us not receiving the notification
- writeEmptyV512Keychain(name, keychainFile);
+ writeEmptyV512Keychain(name, keychainDbFile);
 // Generate some keychain notifications on a different keychain so the AppleDatabase will reload test.keychain
 SecKeychainRef kc2 = newCustomKeychain(name, "unrelated.keychain", "password");
 CFReleaseSafe(makeCustomItem(name, kc2, makeAddCustomItemDictionary(kc, itemclass, CFSTR("unrelated1_label"), CFSTR("unrelated1"))));
 ok_status(SecKeychainDelete(kc2), "%s: SecKeychainDelete", name);
+
CFReleaseNull(kc2);
- secdebugfunc("integrity", "************************************* should reload database\n");
+ secnotice("integrity", "************************************* should reload database\n");
 SecKeychainItemRef item2 = makeCustomItem(name, kc, makeAddCustomItemDictionary(kc, itemclass, CFSTR("not_a_test_label"), CFSTR("account2")));
 CFReleaseSafe(checkN(name, makeQueryCustomItemDictionary(kc, itemclass, CFSTR("not_a_test_label")), 1));
- is(CFGetRetainCount(item2), 1, "%s: CFGetRetainCount(item2)", name);
+ cmp_ok(CFGetRetainCount(item2), >=, 1, "%s: CFGetRetainCount(item2)", name);
 // Now, update the second item so it would collide with the first
 CFMutableDictionaryRef query = makeQueryCustomItemDictionary(kc, itemclass, CFSTR("not_a_test_label"));
@@ -277,12 +201,13 @@ static void testUpdateRetainedItem(CFStringRef itemclass) {
 CFDictionarySetValue(update, kSecAttrLabel, CFSTR("test_label"));
 ok_status(SecItemUpdate(query, update), "%s: SecItemUpdate", name);
- is(CFGetRetainCount(item), 1, "%s: CFGetRetainCount(item)", name);
+ cmp_ok(CFGetRetainCount(item), >=, 1, "%s: CFGetRetainCount(item)", name);
 CFReleaseNull(item);
 SecKeychainItemRef result = checkN(name, makeQueryCustomItemDictionary(kc, itemclass, CFSTR("test_label")), 1);
 CFReleaseNull(result);
 ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name);
+ CFReleaseNull(kc);
 }
 #define testUpdateRetainedItemTests (openCustomKeychainTests + makeCustomItemTests + checkNTests \
 + 1 + makeCustomItemTests + makeCustomItemTests \
diff --git a/OSX/libsecurity_keychain/regressions/kc-30-xara-key-helpers.h b/OSX/libsecurity_keychain/regressions/kc-30-xara-key-helpers.h
index d9593f19..6ffa8e63 100644
--- a/OSX/libsecurity_keychain/regressions/kc-30-xara-key-helpers.h
+++ b/OSX/libsecurity_keychain/regressions/kc-30-xara-key-helpers.h
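Review bot: Relaxing `is(CFGetRetainCount(item), 1, ...)` to `cmp_ok(CFGetRetainCount(item), >=, 1, ...)` makes the assertion true for any live CF object, so the retain-count checks on `item` and `item2` in this hunk (and the one on `item` in the @@ -277 hunk that follows) no longer detect an over-retained item, which is what a test named testUpdateRetainedItem appears to be guarding against. If exact counts cannot be relied on here, record that next to the check, e.g. `// Only a lower bound is asserted: exact retain counts are not stable through the SecItem update path`, or assert an upper bound that would still fail on a leak. The new `keychainDbFile` and `keychainName` arguments are not defined in this hunk; presumably they come from a helper header added elsewhere in this patch, which is worth confirming. testUpdateRetainedItem continues past the end of this hunk.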
@@ -22,107 +22,26 @@
 */
 #include "kc-30-xara-helpers.h"
+#include "kc-key-helpers.h"
 #ifndef kc_30_xara_key_helpers_h
 #define kc_30_xara_key_helpers_h
 #if TARGET_OS_MAC
-static CFMutableDictionaryRef makeBaseKeyDictionary() {
- CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- CFDictionarySetValue(query, kSecClass, kSecClassKey);
- return query;
-}
-
-static CFMutableDictionaryRef makeQueryKeyDictionary(SecKeychainRef kc, CFStringRef keyClass) {
- CFMutableDictionaryRef query = makeBaseKeyDictionary();
-
- CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks);
- CFArrayAppendValue((CFMutableArrayRef)searchList, kc);
- CFDictionarySetValue(query, kSecMatchSearchList, searchList);
-
- CFDictionarySetValue(query, kSecAttrKeyClass, keyClass);
-
- CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll);
- return query;
-}
-
-static CFMutableDictionaryRef makeAddKeyDictionary(SecKeychainRef kc, CFStringRef keyClass, CFStringRef label) {
- CFMutableDictionaryRef query = makeBaseKeyDictionary();
- CFDictionaryAddValue(query, kSecUseKeychain, kc);
-
- CFDictionarySetValue(query, kSecAttrLabel, label);
- CFDictionarySetValue(query, kSecAttrApplicationLabel, CFSTR("test_application")); // without setting this, it uses the current datetime.
-
- int32_t n = 0;
- if(CFEqual(keyClass, kSecAttrKeyClassSymmetric)) {
- CFDictionarySetValue(query, kSecAttrKeyType, kSecAttrKeyTypeAES);
- n = 128;
- } else if(CFEqual(keyClass, kSecAttrKeyClassPublic) ||
- CFEqual(keyClass, kSecAttrKeyClassPrivate)) {
- CFDictionarySetValue(query, kSecAttrKeyType, kSecAttrKeyTypeRSA);
- n = 1024;
- }
- CFNumberRef num = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &n);
- CFDictionarySetValue(query, kSecAttrKeySizeInBits, num);
-
- return query;
-}
-
-static SecKeyRef makeCustomKey(const char* name, SecKeychainRef kc, CFStringRef label) {
- CFMutableDictionaryRef query = makeAddKeyDictionary(kc, kSecAttrKeyClassSymmetric, label);
-
- CFErrorRef error = NULL;
- SecKeyRef item = SecKeyGenerateSymmetric(query, &error);
- ok(item != NULL, "%s: SecKeyGenerateSymmetric errored: %ld", name, error ? CFErrorGetCode(error) : -1);
-
- CFReleaseNull(query);
- return item;
-}
-#define makeCustomKeyTests 1
-
-static SecKeyRef makeKey(const char* name, SecKeychainRef kc) {
- return makeCustomKey(name, kc, CFSTR("test_key"));
-}
-#define makeKeyTests makeCustomKeyTests
-
-
 static void makeCustomKeyWithIntegrity(const char* name, SecKeychainRef kc, CFStringRef label, CFStringRef expectedHash) {
 SecKeyRef key = makeCustomKey(name, kc, label);
 checkIntegrityHash(name, (SecKeychainItemRef) key, expectedHash);
+ checkPartitionIDs(name, (SecKeychainItemRef) key, 1);
 CFReleaseNull(key);
 }
-#define makeCustomKeyWithIntegrityTests (makeCustomKeyTests + checkIntegrityHashTests)
+#define makeCustomKeyWithIntegrityTests (makeCustomKeyTests + checkIntegrityHashTests + checkPartitionIDsTests)
 static void makeKeyWithIntegrity(const char* name, SecKeychainRef kc, CFStringRef expectedHash) {
 makeCustomKeyWithIntegrity(name, kc, CFSTR("test_key"), expectedHash);
 }
 #define makeKeyWithIntegrityTests makeCustomKeyWithIntegrityTests
-static void makeCustomKeyPair(const char* name, SecKeychainRef kc, CFStringRef label, SecKeyRef* aPub, SecKeyRef* aPriv) {
- CFMutableDictionaryRef query = makeAddKeyDictionary(kc, kSecAttrKeyClassPublic, label);
-
- CFErrorRef error = NULL;
- SecKeyRef pub;
- SecKeyRef priv;
- ok_status(SecKeyGeneratePair(query, &pub, &priv), "%s: SecKeyGeneratePair returned a result", name);
-
- if(aPub) {
- *aPub = pub;
- }
- if(aPriv) {
- *aPriv = priv;
- }
-
- CFReleaseNull(query);
-}
-#define makeCustomKeyPairTests 1
-
-static void makeKeyPair(const char* name, SecKeychainRef kc, SecKeyRef* aPub, SecKeyRef* aPriv) {
- makeCustomKeyPair(name, kc, CFSTR("test_key"), aPub, aPriv);
-}
-#define makeKeyPairTests makeCustomKeyPairTests
-
 // Note that this is nearly useless, as key pairs will never have stable hashes
 static void makeKeyPairWithIntegrity(const char* name, SecKeychainRef kc, CFStringRef expectedPubHash, CFStringRef expectedPrivHash) {
 SecKeyRef pub;
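Review bot: The new `#include "kc-key-helpers.h"` is placed before `#ifndef kc_30_xara_key_helpers_h`, so it sits outside this header's include guard and is re-read on every inclusion, just as the existing `kc-30-xara-helpers.h` include already is; moving both below `#define kc_30_xara_key_helpers_h` keeps the guard meaningful. Whether the repeated inclusion is harmless depends on kc-key-helpers.h carrying its own guard, which is not visible here. Separately, `checkPartitionIDs(name, (SecKeychainItemRef) key, 1)` is added only on the symmetric-key path in makeCustomKeyWithIntegrity, while makeKeyPairWithIntegrity (whose body runs past the end of this hunk) gets no partition-ID check; if that is intentional, a one-line comment such as `// Partition IDs are only verified for symmetric keys here` would save the next reader from wondering.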
@@ -134,88 +53,6 @@ static void makeKeyPairWithIntegrity(const char* name, SecKeychainRef kc, CFStri
 }
 #define makeKeyPairWithIntegrityTests (makeKeyTests + checkIntegrityHashTests)
-// This only works for symmetric keys; key pairs cannot ever generate a duplicate (due to setting kSecKeyLabel to the hash of the public key)
-static void makeCustomDuplicateKey(const char* name, SecKeychainRef kc, CFStringRef label) {
- CFMutableDictionaryRef query;
-
- query = makeAddKeyDictionary(kc, kSecAttrKeyClassSymmetric, label);
- CFErrorRef error = NULL;
- SecKeyRef item = SecKeyGenerateSymmetric(query, &error);
- is(CFErrorGetCode(error), errSecDuplicateItem, "%s: SecKeyGenerateSymmetric (duplicate) errored: %ld", name, error ? CFErrorGetCode(error) : -1);
-
- CFReleaseNull(query);
-}
-#define makeCustomDuplicateKeyTests 1
-
-static void makeDuplicateKey(const char* name, SecKeychainRef kc) {
- makeCustomDuplicateKey(name, kc, CFSTR("test_key"));
-}
-#define makeDuplicateKeyTests makeCustomDuplicateKeyTests
-
-static SecKeyRef makeCustomFreeKey(const char* name, SecKeychainRef kc, CFStringRef label) {
- SecKeyRef symkey;
-
- ok_status(SecKeyGenerate(
- NULL,
- CSSM_ALGID_AES, 128,
- 0, /* contextHandle */
- CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT,
- CSSM_KEYATTR_EXTRACTABLE,
- NULL, /* initialAccess */
- &symkey), "%s: SecKeyGenerate", name);;
-
- CFMutableDictionaryRef query = makeAddKeyDictionary(kc, kSecAttrKeyClassSymmetric, label);
-
- CFMutableArrayRef itemList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks);
- CFArrayAppendValue((CFMutableArrayRef)itemList, symkey);
-
- CFDictionarySetValue(query, kSecUseItemList, itemList);
-
- CFTypeRef result = NULL;
- ok_status(SecItemAdd(query, &result), "%s: SecItemAdd", name);
- ok(result != NULL, "%s: SecItemAdd returned a result", name);
- CFReleaseNull(symkey);
- return (SecKeyRef) result;
-}
-#define makeCustomFreeKeyTests 3
-
-static SecKeyRef makeFreeKey(const char* name,
SecKeychainRef kc) {
- return makeCustomFreeKey(name, kc, CFSTR("test_free_key"));
-}
-#define makeFreeKeyTests makeCustomFreeKeyTests
-
-static SecKeyRef makeCustomDuplicateFreeKey(const char* name, SecKeychainRef kc, CFStringRef label) {
- SecKeyRef symkey;
-
- ok_status(SecKeyGenerate(
- NULL,
- CSSM_ALGID_AES, 128,
- 0, /* contextHandle */
- CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT,
- CSSM_KEYATTR_EXTRACTABLE,
- NULL, /* initialAccess */
- &symkey), "%s: SecKeyGenerate", name);;
-
- CFMutableDictionaryRef query = makeAddKeyDictionary(kc, kSecAttrKeyClassSymmetric, label);
-
- CFMutableArrayRef itemList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks);
- CFArrayAppendValue((CFMutableArrayRef)itemList, symkey);
-
- CFDictionarySetValue(query, kSecUseItemList, itemList);
-
- CFTypeRef result = NULL;
- is(SecItemAdd(query, &result), errSecDuplicateItem, "%s: SecItemAdd (duplicate)", name);
- CFReleaseNull(symkey);
- return (SecKeyRef) result;
-}
-#define makeCustomDuplicateFreeKeyTests 2
-
-static SecKeyRef makeDuplicateFreeKey(const char* name, SecKeychainRef kc) {
- return makeCustomFreeKey(name, kc, CFSTR("test_free_key"));
-}
-#define makeDuplicateFreeKeyTests makeCustomDuplicateFreeKeyTests
-
-
 // And now for the actual tests
 static void testAddKey(CFStringRef expectedHash) {
@@ -223,6 +60,7 @@ static void testAddKey(CFStringRef expectedHash) {
 SecKeychainRef kc = newKeychain(name);
 makeKeyWithIntegrity(name, kc, expectedHash);
 ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name);
+ CFReleaseNull(kc);
 }
 #define testAddKeyTests (newKeychainTests + makeKeyWithIntegrityTests + 1)
@@ -236,13 +74,14 @@ static void testAddFreeKey(CFStringRef expectedHash) {
 //checkIntegrityHash(name, (SecKeychainItemRef) key, expectedHash);
 //ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name);
+ //CFReleaseNull(kc);
 }
 //#define testAddFreeKeyTests (newKeychainTests + makeFreeKeyTests + checkIntegrityHashTests + 1)
 #define testAddFreeKeyTests 0
 static void testCopyMatchingKey(CFStringRef expectedHash) {
 char* name = "testCopyMatchingKey";
- secdebugfunc("integrity", "************************************* %s", name);
+ secnotice("integrity", "************************************* %s", name);
 SecKeychainRef kc = newKeychain(name);
 checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 0);
@@ -252,13 +91,14 @@ static void testCopyMatchingKey(CFStringRef expectedHash) {
 SecKeyRef item = (SecKeyRef) checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1);
 checkIntegrityHash(name, (SecKeychainItemRef) item, expectedHash);
 ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name);
+ CFReleaseNull(kc);
 }
 #define testCopyMatchingKeyTests (newKeychainTests + checkNTests + makeKeyWithIntegrityTests + checkNTests + checkIntegrityHashTests + 1)
 static void testUpdateKey(CFStringRef expectedHash, CFStringRef expectedHashAfter) {
 char * name = "testUpdateKey";
- secdebugfunc("integrity", "************************************* %s", name);
+ secnotice("integrity", "************************************* %s", name);
 SecKeychainRef kc = newKeychain(name);
 makeKeyWithIntegrity(name, kc, expectedHash);
@@ -281,6 +121,7 @@ static void testUpdateKey(CFStringRef expectedHash, CFStringRef expectedHashAfte
 item = checkN(name, query, 1);
 checkIntegrityHash(name, item, expectedHashAfter);
 ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name);
+ CFReleaseNull(kc);
 }
 #define testUpdateKeyTests (newKeychainTests + makeKeyWithIntegrityTests + checkNTests + 1 + checkNTests + checkIntegrityHashTests + 1)
@@ -292,7 +133,7 @@ static void testUpdateKey(CFStringRef expectedHash, CFStringRef expectedHashAfte
 static void testKeyPair() {
 char* name = "testKeyPair";
- secdebugfunc("integrity", "************************************* %s", name);
+ secnotice("integrity", "************************************* %s", name);
 SecKeychainRef kc = newKeychain(name);
 checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 0);
@@ -305,24 +146,62 @@ static void testKeyPair() {
 // Now that we have the key pair, make sure we can pull the individual keys
 // out (and the hashes match)
+ CFStringRef label = CFSTR("a modified label");
+ CFMutableDictionaryRef query;
+ CFMutableDictionaryRef update;
+
+ // Ensure that the public key still exists and can be updated
+ SecKeyRef item;
 item = (SecKeyRef) checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 1);
 checkHashesMatch(name, (SecKeychainItemRef)pub, (SecKeychainItemRef)item);
+ query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic);
+ CFDictionarySetValue(query, kSecAttrLabel, label);
+ item = (SecKeyRef) checkN(name, query, 0);
+
+ query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic);
+ update = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(update, kSecAttrLabel, label);
+ ok_status(SecItemUpdate(query, update), "%s: SecItemUpdate (public key)", name);
+
+ query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic);
+ CFDictionarySetValue(query, kSecAttrLabel, label);
+ item = (SecKeyRef) checkN(name, query, 1);
+ CFReleaseNull(item);
+
+ // Ensure that the private key still exists and can be updated
+ item = (SecKeyRef) checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 1);
 checkHashesMatch(name, (SecKeychainItemRef)priv, (SecKeychainItemRef)item);
- // TODO: is there a way to test SecItemUpdate?
+ query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate);
+ CFDictionarySetValue(query, kSecAttrLabel, label);
+ item = (SecKeyRef) checkN(name, query, 0);
+
+ query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate);
+ update = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(update, kSecAttrLabel, label);
+ ok_status(SecItemUpdate(query, update), "%s: SecItemUpdate (private key)", name);
+
+ query = makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate);
+ CFDictionarySetValue(query, kSecAttrLabel, label);
+ item = (SecKeyRef) checkN(name, query, 1);
+ CFReleaseNull(item);
 ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name);
+ CFReleaseNull(kc);
 }
 #define testKeyPairTests (newKeychainTests + checkNTests + checkNTests + makeKeyPairTests \
 + checkNTests + checkHashesMatchTests \
- + checkNTests + checkHashesMatchTests + 1)
+ + checkNTests + 1 + checkNTests \
+ + checkNTests + checkHashesMatchTests \
+ + checkNTests + 1 + checkNTests \
+ + 1)
 static void testAddDuplicateKey(CFStringRef expectedHash) {
 char * name = "testAddDuplicateKey";
- secdebugfunc("integrity", "************************************* %s", name);
+ secnotice("integrity", "************************************* %s", name);
 SecKeychainRef kc = newKeychain(name);
 checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 0);
@@ -334,6 +213,7 @@ static void testAddDuplicateKey(CFStringRef expectedHash) {
 checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1);
 ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name);
+ CFReleaseNull(kc);
 }
 #define testAddDuplicateKeyTests (newKeychainTests + checkNTests +makeKeyWithIntegrityTests + checkNTests + makeDuplicateKeyTests + checkNTests + 1)
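Review bot: Each `query = makeQueryKeyDictionary(...)` and `update = CFDictionaryCreateMutable(...)` in the new public- and private-key update sequences is overwritten by the next assignment without a CFRelease, so six query dictionaries and two update dictionaries are leaked per run; the makeQueryKeyDictionary removed from this header earlier in the patch returned a freshly created dictionary, and the replacement in kc-key-helpers.h presumably still does. The public-key `item` obtained from the first `checkN(..., 1)` is likewise overwritten by `item = (SecKeyRef) checkN(name, query, 0);` without being released, and the same happens on the private-key side. Adding `CFReleaseNull(query);` after each `checkN`/`SecItemUpdate` use, `CFReleaseNull(update);` after each `SecItemUpdate`, and `CFReleaseNull(item);` before each reassignment closes the leaks without changing what the test asserts. testKeyPair starts above this hunk, so the declarations of `pub` and `priv` are not visible here.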
@@ -341,7 +221,7 @@ static void testAddDuplicateFreeKey(CFStringRef expectedHash) {
 // Due to <rdar://problem/8431281> SecItemAdd() will not add a generated symmetric key to the keychain
 // we can't actually run this test. Code is included here as a reference.
 //char * name = "testAddDuplicateFreeKey";
- //secdebugfunc("integrity", "************************************* %s", name);
+ //secnotice("integrity", "************************************* %s", name);
 //SecKeychainRef kc = newKeychain(name);
 //checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 0);
@@ -353,6 +233,7 @@ static void testAddDuplicateFreeKey(CFStringRef expectedHash) {
 //checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1);
 //ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name);
+ //CFReleaseNull(kc);
 }
 //#define testAddDuplicateFreeKeyTests (newKeychainTests + checkNTests + makeFreeKeyTests + checkIntegrityHashTests + checkNTests \
 // + makeDuplicateKeyTests + checkNTests + 1)
@@ -367,7 +248,7 @@ static void testAddDuplicateFreeKey(CFStringRef expectedHash) {
 static void testExportImportKeyPair() {
 char* name = "testExportImportKeyPair";
- secdebugfunc("integrity", "************************************* %s", name);
+ secnotice("integrity", "************************************* %s", name);
 SecKeychainRef kc = newKeychain(name);
 checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 0);
@@ -411,7 +292,7 @@ static void testExportImportKeyPair() {
 CFDataRef keyData = NULL;
 ok_status(SecItemExport(pub, kSecFormatPEMSequence, kSecItemPemArmour, &keyParams, &keyData), "%s: SecItemExport", name);
- ok_status(SecKeychainItemDelete((SecKeychainItemRef)pub), "%s: SecKeychainDelete", name);;
+ ok_status(SecKeychainItemDelete((SecKeychainItemRef)pub), "%s: SecKeychainItemDelete", name);;
 CFRelease(pub);
 pub = NULL;
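Review bot: The rewritten `ok_status(SecKeychainItemDelete((SecKeychainItemRef)pub), "%s: SecKeychainItemDelete", name);;` keeps the stray second semicolon from the old line; since the line is already being touched to correct the description string, drop the empty statement: `ok_status(SecKeychainItemDelete((SecKeychainItemRef)pub), "%s: SecKeychainItemDelete", name);`. The same `);;` survives on the `priv` line in the @@ -421 hunk that follows. It is harmless to the compiler but reads as a typo and is the kind of thing lint configurations that reject empty statements will flag. testExportImportKeyPair extends beyond this hunk on both sides.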
@@ -421,7 +302,7 @@ static void testExportImportKeyPair() {
 ok_status(SecItemExport(priv, kSecFormatPEMSequence, kSecItemPemArmour, &keyParams, &keyData), "%s: SecItemExport", name);
- ok_status(SecKeychainItemDelete((SecKeychainItemRef)priv), "%s: SecKeychainDelete", name);;
+ ok_status(SecKeychainItemDelete((SecKeychainItemRef)priv), "%s: SecKeychainItemDelete", name);;
 CFRelease(priv);
 priv = NULL;
@@ -454,6 +335,7 @@ static void testExportImportKeyPair() {
 checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 1);
 ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name);
+ CFReleaseNull(kc);
 }
 #define testExportImportKeyPairTests (newKeychainTests + checkNTests + checkNTests + makeKeyPairTests \
 + checkNTests + checkHashesMatchTests \
diff --git a/OSX/libsecurity_keychain/regressions/kc-30-xara-upgrade-helpers.h b/OSX/libsecurity_keychain/regressions/kc-30-xara-upgrade-helpers.h
index e76f69af..ab3cc06f 100644
--- a/OSX/libsecurity_keychain/regressions/kc-30-xara-upgrade-helpers.h
+++ b/OSX/libsecurity_keychain/regressions/kc-30-xara-upgrade-helpers.h
@@ -29,6 +29,7 @@
 #include "kc-30-xara-helpers.h"
 #include "kc-30-xara-item-helpers.h"
 #include "kc-30-xara-key-helpers.h"
+#include "kc-keychain-file-helpers.h"
 static void makeOldKeychainBlob() {
 char* name = "makeOldKeychainBlob";
@@ -1411,7 +1412,6 @@ uint8_t old_keychain[OLD_KEYCHAIN_SIZE] = {
 0xce, 0x81, 0xbe, 0x3a, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f,
 };
-
 #define EMPTY_V512_SIZE 20460
 uint8_t empty_v512[EMPTY_V512_SIZE] = {
 0x6b, 0x79, 0x63, 0x68, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
@@ -2439,17 +2439,1493 @@ uint8_t empty_v512[EMPTY_V512_SIZE] = { 0xd5, 0x0a, 0x04, 0x32, 0xa8, 0x84, 0xff, 0x6e, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, }; - -static void writeOldKeychain(const char* testname, const char * path) { - FILE * fp = fopen(path, "w+"); - fwrite(old_keychain, sizeof(uint8_t), OLD_KEYCHAIN_SIZE, fp); - fclose(fp); -} - -static void writeEmptyV512Keychain(const char* testname, const char * path) { - FILE * fp = fopen(path, "w+"); - fwrite(empty_v512, sizeof(uint8_t), EMPTY_V512_SIZE, fp); - fclose(fp); +#define FULL_V512_SIZE 29212 +uint8_t full_v512[FULL_V512_SIZE] = { + 0x6b, 0x79, 0x63, 0x68, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x72, 0x04, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x18, 0x74, + 0x00, 0x00, 0x47, 0xfc, 0x00, 0x00, 0x48, 0x24, 0x00, 0x00, 0x4e, 0xd8, 0x00, 0x00, 0x58, 0x74, 0x00, 0x00, 0x6b, 0xa4, + 0x00, 0x00, 0x6d, 0x64, 0x00, 0x00, 0x70, 0x5c, 0x00, 0x00, 0x71, 0x1c, 0x00, 0x00, 0x02, 0xdc, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x02, 0xd4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, + 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0xcc, 0x00, 0x00, 0x01, 0x10, 0x00, 0x00, 0x01, 0x58, + 0x00, 0x00, 0x01, 0x80, 0x00, 0x00, 0x01, 0xa8, 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x44, + 0x00, 0x00, 0x02, 0x8c, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x16, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x53, 0x43, 0x48, 0x45, 0x4d, + 0x41, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x1c, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x53, + 0x43, 0x48, 0x45, 0x4d, 0x41, 0x5f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x53, 0x00, 0x00, 0x00, 0x44, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x19, 0x43, 0x53, 0x53, 0x4d, + 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x53, 0x43, 0x48, 0x45, 0x4d, 0x41, 0x5f, 0x49, 0x4e, 0x44, 0x45, 0x58, 0x45, + 0x53, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x20, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x53, 0x43, 0x48, 0x45, 0x4d, + 0x41, 0x5f, 0x50, 0x41, 0x52, 0x53, 0x49, 0x4e, 0x47, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x00, 0x00, 0x00, 0x28, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, + 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x06, 0x44, 0x42, 0x42, 0x6c, + 0x6f, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x1c, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x52, 0x45, 0x43, 0x4f, 0x52, + 0x44, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x09, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x1d, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, + 0x44, 0x42, 0x5f, 0x52, 0x45, 0x43, 0x4f, 0x52, 0x44, 0x5f, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x5f, 0x4b, 0x45, + 0x59, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x1f, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x52, 0x45, 0x43, 0x4f, 0x52, + 0x44, 0x5f, 0x53, 0x59, 0x4d, 0x4d, 0x45, 0x54, 0x52, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x64, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x01, 0x5c, + 0x00, 0x00, 0x15, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x01, 0x5c, 0x00, 0x00, 0x01, 0x9c, + 0x00, 0x00, 0x01, 0xdc, 0x00, 0x00, 0x02, 0x1c, 0x00, 0x00, 0x02, 0x5c, 0x00, 0x00, 0x02, 0x9c, 0x00, 0x00, 0x02, 0xdc, + 0x00, 0x00, 0x03, 0x1c, 0x00, 0x00, 0x03, 0x5c, 0x00, 0x00, 0x03, 0x9c, 0x00, 0x00, 0x03, 0xdc, 0x00, 0x00, 0x04, 
0x1c, + 0x00, 0x00, 0x04, 0x5c, 0x00, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x04, 0xdc, 0x00, 0x00, 0x05, 0x1c, 0x00, 0x00, 0x05, 0x5c, + 0x00, 0x00, 0x05, 0x9c, 0x00, 0x00, 0x05, 0xdc, 0x00, 0x00, 0x06, 0x1c, 0x00, 0x00, 0x06, 0x5c, 0x00, 0x00, 0x06, 0x9c, + 0x00, 0x00, 0x06, 0xdc, 0x00, 0x00, 0x07, 0x1c, 0x00, 0x00, 0x07, 0x5c, 0x00, 0x00, 0x07, 0x9c, 0x00, 0x00, 0x07, 0xdc, + 0x00, 0x00, 0x08, 0x1c, 0x00, 0x00, 0x08, 0x5c, 0x00, 0x00, 0x08, 0x9c, 0x00, 0x00, 0x08, 0xdc, 0x00, 0x00, 0x09, 0x1c, + 0x00, 0x00, 0x09, 0x5c, 0x00, 0x00, 0x09, 0x9c, 0x00, 0x00, 0x09, 0xdc, 0x00, 0x00, 0x0a, 0x1c, 0x00, 0x00, 0x0a, 0x5c, + 0x00, 0x00, 0x0a, 0x9c, 0x00, 0x00, 0x0a, 0xdc, 0x00, 0x00, 0x0b, 0x1c, 0x00, 0x00, 0x0b, 0x5c, 0x00, 0x00, 0x0b, 0x9c, + 0x00, 0x00, 0x0b, 0xdc, 0x00, 0x00, 0x0c, 0x1c, 0x00, 0x00, 0x0c, 0x5c, 0x00, 0x00, 0x0c, 0x9c, 0x00, 0x00, 0x0c, 0xdc, + 0x00, 0x00, 0x0d, 0x1c, 0x00, 0x00, 0x0d, 0x5c, 0x00, 0x00, 0x0d, 0x9c, 0x00, 0x00, 0x0d, 0xdc, 0x00, 0x00, 0x0e, 0x1c, + 0x00, 0x00, 0x0e, 0x5c, 0x00, 0x00, 0x0e, 0x9c, 0x00, 0x00, 0x0e, 0xdc, 0x00, 0x00, 0x0f, 0x1c, 0x00, 0x00, 0x0f, 0x5c, + 0x00, 0x00, 0x0f, 0x9c, 0x00, 0x00, 0x0f, 0xdc, 0x00, 0x00, 0x10, 0x1c, 0x00, 0x00, 0x10, 0x5c, 0x00, 0x00, 0x10, 0x9c, + 0x00, 0x00, 0x10, 0xdc, 0x00, 0x00, 0x11, 0x1c, 0x00, 0x00, 0x11, 0x5c, 0x00, 0x00, 0x11, 0x9c, 0x00, 0x00, 0x11, 0xdc, + 0x00, 0x00, 0x12, 0x1c, 0x00, 0x00, 0x12, 0x5c, 0x00, 0x00, 0x12, 0x9c, 0x00, 0x00, 0x12, 0xdc, 0x00, 0x00, 0x13, 0x1c, + 0x00, 0x00, 0x13, 0x5c, 0x00, 0x00, 0x13, 0x9c, 0x00, 0x00, 0x13, 0xdc, 0x00, 0x00, 0x14, 0x1c, 0x00, 0x00, 0x14, 0x5c, + 0x00, 0x00, 0x14, 0x9c, 0x00, 0x00, 0x14, 0xdc, 0x00, 0x00, 0x15, 0x1c, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x61, 0x63, 
0x63, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x73, 0x76, 0x63, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x73, 0x76, 0x63, 0x65, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x76, 0x6c, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x61, 0x64, 0x64, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x73, 0x73, 0x69, 0x67, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x61, 0x63, 0x63, 0x74, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x76, 0x6c, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0a, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x07, 0x61, 0x64, 0x64, 0x72, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 
0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x73, 0x73, 0x69, 0x67, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x73, 0x64, 0x6d, 0x6e, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x73, 0x72, 0x76, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x70, 0x74, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x61, 0x74, 0x79, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x70, 0x6f, 0x72, 0x74, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x70, 0x61, 0x74, 0x68, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, + 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x14, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x09, 0x73, 0x64, 0x6d, 0x6e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x73, 0x72, 0x76, 0x72, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0b, 0x70, 0x74, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0c, 0x61, 0x74, 0x79, 0x70, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0d, + 0x70, 0x6f, 0x72, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x19, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x0e, 0x70, 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 
0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1d, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1e, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 
0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x23, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 
+ 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x15, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x27, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x28, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 
0x08, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x1a, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x32, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 
0x00, 0x40, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x12, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x37, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x17, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3c, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x41, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x46, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 
0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x14, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4b, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 
0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x19, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4f, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0a, + 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x2f, 0x88, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x00, 0x02, 0x88, 0x00, 0x00, 0x2f, 0x80, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x00, 0x02, 0x88, 0x00, 0x00, 0x02, 0xd8, 0x00, 0x00, 0x03, 0x28, + 0x00, 0x00, 0x03, 0x78, 0x00, 0x00, 0x03, 0xc8, 0x00, 0x00, 0x04, 0x20, 0x00, 0x00, 0x04, 0x74, 0x00, 0x00, 0x04, 0xc8, + 0x00, 0x00, 0x05, 0x1c, 0x00, 0x00, 0x05, 0x6c, 0x00, 0x00, 0x05, 0xb8, 0x00, 0x00, 0x06, 0x08, 0x00, 0x00, 0x06, 0x58, + 0x00, 0x00, 0x06, 0xb0, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x07, 0x50, 0x00, 0x00, 0x07, 0x9c, 0x00, 0x00, 0x07, 0xec, + 0x00, 0x00, 0x08, 0x34, 0x00, 0x00, 0x08, 0x88, 0x00, 0x00, 0x08, 0xc8, 0x00, 0x00, 0x09, 0x08, 0x00, 0x00, 0x09, 0x48, + 0x00, 0x00, 0x09, 0x88, 0x00, 0x00, 0x09, 0xc8, 0x00, 0x00, 0x0a, 0x08, 0x00, 0x00, 0x0a, 0x48, 0x00, 0x00, 0x0a, 0x98, + 0x00, 0x00, 0x0a, 0xe4, 0x00, 0x00, 0x0b, 0x24, 0x00, 0x00, 0x0b, 0x64, 0x00, 0x00, 0x0b, 0xa4, 0x00, 0x00, 0x0b, 0xe4, + 0x00, 0x00, 0x0c, 0x24, 0x00, 0x00, 0x0c, 0x64, 
0x00, 0x00, 0x0c, 0xa4, 0x00, 0x00, 0x0c, 0xe4, 0x00, 0x00, 0x0d, 0x24, + 0x00, 0x00, 0x0d, 0x64, 0x00, 0x00, 0x0d, 0xa4, 0x00, 0x00, 0x0d, 0xe4, 0x00, 0x00, 0x0e, 0x24, 0x00, 0x00, 0x0e, 0x64, + 0x00, 0x00, 0x0e, 0xb4, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0f, 0x40, 0x00, 0x00, 0x0f, 0x80, 0x00, 0x00, 0x0f, 0xc0, + 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x40, 0x00, 0x00, 0x10, 0x80, 0x00, 0x00, 0x10, 0xc0, 0x00, 0x00, 0x11, 0x00, + 0x00, 0x00, 0x11, 0x40, 0x00, 0x00, 0x11, 0x80, 0x00, 0x00, 0x11, 0xc0, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x12, 0x40, + 0x00, 0x00, 0x12, 0x80, 0x00, 0x00, 0x12, 0xc0, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x13, 0x40, 0x00, 0x00, 0x13, 0x90, + 0x00, 0x00, 0x13, 0xdc, 0x00, 0x00, 0x14, 0x1c, 0x00, 0x00, 0x14, 0x5c, 0x00, 0x00, 0x14, 0x9c, 0x00, 0x00, 0x14, 0xdc, + 0x00, 0x00, 0x15, 0x1c, 0x00, 0x00, 0x15, 0x5c, 0x00, 0x00, 0x15, 0x9c, 0x00, 0x00, 0x15, 0xdc, 0x00, 0x00, 0x16, 0x1c, + 0x00, 0x00, 0x16, 0x5c, 0x00, 0x00, 0x16, 0x9c, 0x00, 0x00, 0x16, 0xe8, 0x00, 0x00, 0x17, 0x38, 0x00, 0x00, 0x17, 0x84, + 0x00, 0x00, 0x17, 0xd4, 0x00, 0x00, 0x18, 0x20, 0x00, 0x00, 0x18, 0x70, 0x00, 0x00, 0x18, 0xbc, 0x00, 0x00, 0x19, 0x10, + 0x00, 0x00, 0x19, 0x60, 0x00, 0x00, 0x19, 0xac, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x1a, 0x54, 0x00, 0x00, 0x1a, 0xa4, + 0x00, 0x00, 0x1a, 0xf0, 0x00, 0x00, 0x1b, 0x40, 0x00, 0x00, 0x1b, 0x94, 0x00, 0x00, 0x1b, 0xe4, 0x00, 0x00, 0x1c, 0x38, + 0x00, 0x00, 0x1c, 0x84, 0x00, 0x00, 0x1c, 0xd0, 0x00, 0x00, 0x1d, 0x1c, 0x00, 0x00, 0x1d, 0x64, 0x00, 0x00, 0x1d, 0xb0, + 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x1e, 0x54, 0x00, 0x00, 0x1e, 0x9c, 0x00, 0x00, 0x1e, 0xe8, 0x00, 0x00, 0x1f, 0x34, + 0x00, 0x00, 0x1f, 0x84, 0x00, 0x00, 0x1f, 0xd0, 0x00, 0x00, 0x20, 0x20, 0x00, 0x00, 0x20, 0x6c, 0x00, 0x00, 0x20, 0xbc, + 0x00, 0x00, 0x21, 0x08, 0x00, 0x00, 0x21, 0x5c, 0x00, 0x00, 0x21, 0xac, 0x00, 0x00, 0x21, 0xf8, 0x00, 0x00, 0x22, 0x4c, + 0x00, 0x00, 0x22, 0xa0, 0x00, 0x00, 0x22, 0xf0, 0x00, 0x00, 0x23, 0x3c, 0x00, 0x00, 0x23, 0x8c, 
0x00, 0x00, 0x23, 0xe0, + 0x00, 0x00, 0x24, 0x30, 0x00, 0x00, 0x24, 0x84, 0x00, 0x00, 0x24, 0xd0, 0x00, 0x00, 0x25, 0x1c, 0x00, 0x00, 0x25, 0x68, + 0x00, 0x00, 0x25, 0xb0, 0x00, 0x00, 0x25, 0xfc, 0x00, 0x00, 0x26, 0x4c, 0x00, 0x00, 0x26, 0xa0, 0x00, 0x00, 0x26, 0xe8, + 0x00, 0x00, 0x27, 0x34, 0x00, 0x00, 0x27, 0x80, 0x00, 0x00, 0x27, 0xd0, 0x00, 0x00, 0x28, 0x1c, 0x00, 0x00, 0x28, 0x6c, + 0x00, 0x00, 0x28, 0xb8, 0x00, 0x00, 0x29, 0x08, 0x00, 0x00, 0x29, 0x54, 0x00, 0x00, 0x29, 0xa8, 0x00, 0x00, 0x29, 0xf8, + 0x00, 0x00, 0x2a, 0x44, 0x00, 0x00, 0x2a, 0x98, 0x00, 0x00, 0x2a, 0xec, 0x00, 0x00, 0x2b, 0x3c, 0x00, 0x00, 0x2b, 0x88, + 0x00, 0x00, 0x2b, 0xd8, 0x00, 0x00, 0x2c, 0x2c, 0x00, 0x00, 0x2c, 0x7c, 0x00, 0x00, 0x2c, 0xd0, 0x00, 0x00, 0x2d, 0x1c, + 0x00, 0x00, 0x2d, 0x68, 0x00, 0x00, 0x2d, 0xb4, 0x00, 0x00, 0x2d, 0xfc, 0x00, 0x00, 0x2e, 0x48, 0x00, 0x00, 0x2e, 0x98, + 0x00, 0x00, 0x2e, 0xec, 0x00, 0x00, 0x2f, 0x34, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x46, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, + 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0f, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x46, 0x6f, 0x72, + 0x6d, 0x61, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x49, 0x44, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x49, 0x44, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x65, 0x64, 0x44, 0x61, 0x74, 0x61, 0x4c, + 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x52, 0x65, 0x6c, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x0e, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x41, 0x74, 0x74, 0x72, + 0x69, 0x62, 0x75, 0x74, 0x65, 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x4d, 0x6f, 0x64, 0x75, + 0x6c, 0x65, 0x49, 0x44, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x41, 0x64, 0x64, 0x69, 0x6e, 0x56, 0x65, 0x72, + 0x73, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x53, 0x53, 0x49, 0x44, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 
0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0e, 0x53, 0x75, 0x62, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x63, 0x64, 0x61, 0x74, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, + 0x6d, 0x64, 0x61, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x15, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x00, 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x69, 0x63, 0x6d, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x63, 0x72, 0x74, 0x72, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x74, 0x79, 0x70, 0x65, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, + 0x73, 0x63, 0x72, 0x70, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x1a, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, + 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x1b, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, + 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 
0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, + 0x69, 0x6e, 0x76, 0x69, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1d, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x00, 0x6e, 0x65, 0x67, 0x61, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x63, 0x75, 0x73, 0x69, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x70, 0x72, 0x6f, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x61, 0x63, 0x63, 0x74, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x21, 0x00, 
0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, + 0x73, 0x76, 0x63, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x22, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x00, 0x67, 0x65, 0x6e, 0x61, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x63, 0x64, 0x61, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x6d, 0x64, 0x61, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x64, 0x65, 0x73, 0x63, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x69, 0x63, 0x6d, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x27, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x63, 0x72, 0x74, 0x72, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x74, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x73, 0x63, 0x72, 0x70, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x2b, 
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x69, 0x6e, 0x76, 0x69, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x6e, 0x65, 0x67, 0x61, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x63, 0x75, 0x73, 0x69, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2f, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x70, 0x72, 0x6f, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 
+ 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x76, 0x6c, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x73, 0x72, 0x76, 0x72, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x70, 0x74, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x34, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x61, 0x64, 0x64, 0x72, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x73, 0x73, 0x69, 0x67, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x63, 0x64, 0x61, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x6d, 0x64, 0x61, 0x74, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x69, 0x63, 0x6d, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x63, 0x72, 0x74, 0x72, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x74, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x73, 0x63, 0x72, 0x70, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, 0x74, 0x4e, 0x61, 0x6d, + 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x3e, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x00, 0x00, 0x00, + 0x00, 0x00, 
0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x69, 0x6e, 0x76, 0x69, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x6e, 0x65, 0x67, 0x61, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x41, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x63, 0x75, 0x73, 0x69, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x70, 0x72, 0x6f, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 
0x00, 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x73, 0x64, 0x6d, 0x6e, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x73, 0x72, 0x76, 0x72, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x46, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x70, 0x74, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x61, 0x74, 0x79, 0x70, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x70, 0x6f, 0x72, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 
0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x70, 0x61, 0x74, 0x68, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x4b, 0x65, 0x79, 0x43, 0x6c, 0x61, 0x73, 0x73, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x4b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x09, 0x50, 0x65, 0x72, 0x6d, 0x61, 0x6e, 0x65, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x07, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x4f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0a, + 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, + 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x51, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x02, 0x00, 
0x00, 0x00, 0x0e, 0x41, 0x70, 0x70, 0x6c, + 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x61, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x52, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0a, + 0x4b, 0x65, 0x79, 0x43, 0x72, 0x65, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, + 0x4b, 0x65, 0x79, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x4b, 0x65, 0x79, 0x53, + 0x69, 0x7a, 0x65, 0x49, 0x6e, 0x42, 0x69, 0x74, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x55, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, + 
0x45, 0x66, 0x66, 0x65, 0x63, 0x74, 0x69, 0x76, 0x65, 0x4b, 0x65, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x56, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x09, 0x53, 0x74, 0x61, 0x72, 0x74, 0x44, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x64, 0x44, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, + 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0f, + 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x53, 0x65, 
0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x5a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0b, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x5b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x10, 0x4e, 0x65, 0x76, 0x65, 0x72, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x61, 0x62, 0x6c, 0x65, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x12, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x07, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, 
0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x5e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x44, 0x65, 0x72, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x5f, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x53, 0x69, 0x67, 0x6e, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x16, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0b, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x62, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0d, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x63, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x19, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x57, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x55, 0x6e, 0x77, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x65, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x4b, 0x65, 0x79, 0x43, + 0x6c, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, 0x74, 0x4e, 0x61, 0x6d, + 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x67, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x65, 0x72, 0x6d, 0x61, 0x6e, 0x65, 0x6e, 0x74, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x69, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 
0x02, + 0x00, 0x00, 0x00, 0x0a, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x05, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0e, + 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x61, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0a, 0x4b, 0x65, 0x79, 0x43, 0x72, 0x65, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x07, 0x4b, 0x65, 
0x79, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x6f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0d, + 0x4b, 0x65, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x49, 0x6e, 0x42, 0x69, 0x74, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x10, 0x45, 0x66, 0x66, 0x65, 0x63, 0x74, 0x69, 0x76, 0x65, 0x4b, 0x65, 0x79, 0x53, 0x69, 0x7a, 0x65, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x53, 0x74, 0x61, 0x72, 0x74, 0x44, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x64, 0x44, 0x61, 0x74, 
0x65, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x09, 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0f, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x76, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, 0x4e, 0x65, 0x76, 0x65, 0x72, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, + 0x61, 
0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x77, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x13, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x44, 0x65, 0x72, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, + 0x00, 0x00, 0x00, 0x7a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, + 0x53, 0x69, 0x67, 0x6e, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x17, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x7d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, + 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x7e, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x57, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 
0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x55, 0x6e, 0x77, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, + 0x4b, 0x65, 0x79, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x81, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, + 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x82, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, + 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x83, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x03, 
0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x65, 0x72, 0x6d, 0x61, 0x6e, 0x65, 0x6e, + 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x84, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x85, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x86, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x87, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0e, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 
0x69, 0x6f, 0x6e, 0x54, 0x61, 0x67, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x4b, 0x65, 0x79, 0x43, 0x72, 0x65, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x89, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x09, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x4b, 0x65, 0x79, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x8a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0d, 0x4b, 0x65, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x49, 0x6e, 0x42, 0x69, 0x74, 0x73, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x8b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0b, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, 0x45, 0x66, 0x66, 0x65, 0x63, 0x74, 0x69, 0x76, 0x65, 0x4b, 0x65, 0x79, 
+ 0x53, 0x69, 0x7a, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x53, 0x74, 0x61, 0x72, 0x74, 0x44, 0x61, 0x74, + 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x8d, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x64, 0x44, 0x61, 0x74, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x8e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0e, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x8f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, + 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 
0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x61, + 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x91, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, 0x4e, 0x65, 0x76, 0x65, 0x72, 0x45, 0x78, 0x74, + 0x72, 0x61, 0x63, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x92, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x63, 0x72, + 0x79, 0x70, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x93, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 
0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x44, 0x65, 0x72, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x95, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x04, 0x53, 0x69, 0x67, 0x6e, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x96, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x56, 0x65, 0x72, 0x69, + 0x66, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x97, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x63, 0x6f, + 0x76, 0x65, 0x72, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x98, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 
0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, + 0x63, 0x6f, 0x76, 0x65, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x99, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x57, 0x72, 0x61, 0x70, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x1a, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x55, 0x6e, 0x77, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x1d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0xb4, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, + 0x00, 0x00, 0x04, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x02, 0xcc, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x51, 0x00, 0x00, 0x03, 0x55, 0x00, 0x00, 0x03, 0x61, 0x00, 0x00, 0x03, 0x65, + 0x00, 0x00, 0x03, 0x69, 0x00, 0x00, 0x03, 0x6d, 0x00, 0x00, 
0x03, 0x71, 0x00, 0x00, 0x03, 0x89, 0x00, 0x00, 0x03, 0x8d, + 0x00, 0x00, 0x03, 0xb9, 0x00, 0x00, 0x03, 0xbd, 0x00, 0x00, 0x03, 0xc1, 0x00, 0x00, 0x03, 0xc5, 0x00, 0x00, 0x03, 0xd1, + 0x00, 0x00, 0x03, 0xdd, 0x00, 0x00, 0x03, 0xe1, 0x00, 0x00, 0x03, 0xe5, 0x00, 0x00, 0x03, 0xe9, 0x00, 0x00, 0x03, 0xed, + 0x00, 0x00, 0x03, 0xf1, 0x00, 0x00, 0x03, 0xf5, 0x00, 0x00, 0x03, 0xf9, 0x00, 0x00, 0x03, 0xfd, 0x00, 0x00, 0x04, 0x01, + 0x00, 0x00, 0x04, 0x05, 0x00, 0x00, 0x04, 0x09, 0x00, 0x00, 0x04, 0x0d, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x02, 0x00, + 0x00, 0x00, 0x02, 0x40, 0x00, 0x00, 0x02, 0xcc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x01, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, 0x74, 0x20, 0x70, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x63, 0x6c, 0x3a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x20, 0xd2, 0x7e, 0xe2, 0xbe, 0x49, 0x20, 0xd5, 0xb6, 0xf4, 0x7f, 0x6b, 0x19, + 0x69, 0x6d, 0x09, 0xc9, 0xa6, 0xc1, 0xa5, 0xd8, 0x0c, 0x6f, 0x14, 0x8f, 0x77, 0x8d, 0xb2, 0x7b, 0x4b, 0xa9, 0x9d, 0x9a, + 0x5f, 0x5f, 0x5f, 0x49, 0x4e, 0x54, 0x45, 0x47, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x5f, 0x5f, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x00, 
0x01, 0x29, + 0x3c, 0x3f, 0x78, 0x6d, 0x6c, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22, 0x20, + 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x3d, 0x22, 0x55, 0x54, 0x46, 0x2d, 0x38, 0x22, 0x3f, 0x3e, 0x0a, 0x3c, + 0x21, 0x44, 0x4f, 0x43, 0x54, 0x59, 0x50, 0x45, 0x20, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x20, 0x50, 0x55, 0x42, 0x4c, 0x49, + 0x43, 0x20, 0x22, 0x2d, 0x2f, 0x2f, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2f, 0x2f, 0x44, 0x54, 0x44, 0x20, 0x50, 0x4c, 0x49, + 0x53, 0x54, 0x20, 0x31, 0x2e, 0x30, 0x2f, 0x2f, 0x45, 0x4e, 0x22, 0x20, 0x22, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, + 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x44, 0x54, 0x44, 0x73, 0x2f, 0x50, + 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x2d, 0x31, 0x2e, 0x30, 0x2e, 0x64, 0x74, 0x64, 0x22, + 0x3e, 0x0a, 0x3c, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, 0x2e, + 0x30, 0x22, 0x3e, 0x0a, 0x3c, 0x64, 0x69, 0x63, 0x74, 0x3e, 0x0a, 0x09, 0x3c, 0x6b, 0x65, 0x79, 0x3e, 0x50, 0x61, 0x72, + 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x3c, 0x2f, 0x6b, 0x65, 0x79, 0x3e, 0x0a, 0x09, 0x3c, 0x61, 0x72, 0x72, 0x61, + 0x79, 0x3e, 0x0a, 0x09, 0x09, 0x3c, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x3e, 0x63, 0x64, 0x68, 0x61, 0x73, 0x68, 0x3a, + 0x30, 0x37, 0x35, 0x61, 0x64, 0x63, 0x30, 0x34, 0x64, 0x61, 0x32, 0x38, 0x37, 0x62, 0x61, 0x65, 0x30, 0x35, 0x37, 0x31, + 0x33, 0x31, 0x32, 0x36, 0x62, 0x36, 0x37, 0x61, 0x66, 0x64, 0x33, 0x33, 0x30, 0x66, 0x37, 0x62, 0x33, 0x33, 0x36, 0x39, + 0x3c, 0x2f, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x3e, 0x0a, 0x09, 0x3c, 0x2f, 0x61, 0x72, 0x72, 0x61, 0x79, 0x3e, 0x0a, + 0x3c, 0x2f, 0x64, 0x69, 0x63, 0x74, 0x3e, 0x0a, 0x3c, 0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e, 0x0a, 0x20, 0xa4, 0x75, + 0x5f, 0x5f, 0x5f, 0x50, 0x41, 0x52, 0x54, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x5f, 0x5f, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 
0x01, 0x00, 0x02, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xc4, 0xb4, 0x70, 0x79, 0x38, + 0x48, 0x9b, 0xc6, 0x71, 0x63, 0x6e, 0x21, 0x71, 0x3b, 0x0f, 0xb0, 0xb3, 0xb5, 0x44, 0x13, 0x04, 0xae, 0xbb, 0x40, 0x29, + 0x05, 0xc7, 0x4f, 0xfc, 0x02, 0xed, 0xd2, 0x2c, 0x6a, 0x0f, 0xd8, 0xf6, 0xef, 0x23, 0x1d, 0xd1, 0x41, 0xc6, 0x00, 0x3d, + 0x50, 0x96, 0x6a, 0xfd, 0xa2, 0x01, 0xd8, 0xd6, 0xb0, 0x41, 0x19, 0x9b, 0x6d, 0x64, 0x51, 0xe7, 0xde, 0x23, 0xa2, 0x88, + 0x9c, 0x8e, 0x4c, 0x42, 0x74, 0xf7, 0x43, 0x40, 0xe5, 0xf8, 0xb4, 0xac, 0x2f, 0xb6, 0x97, 0x63, 0xf8, 0xc2, 0x74, 0x0e, + 0x33, 0x20, 0x40, 0x1c, 0x2b, 0x45, 0x0f, 0x3c, 0x98, 0x7c, 0x35, 0x75, 0xdc, 0x2d, 0x42, 0x86, 0x6e, 0x90, 0x8f, 0x59, + 0x94, 0x82, 0xaf, 0xda, 0x42, 0xaa, 0x41, 0x46, 0xdc, 0x93, 0xbd, 0x58, 0x76, 0xa8, 0xa3, 0x0e, 0xaf, 0x68, 0x47, 0x99, + 0x0e, 0x84, 0x73, 0x02, 0x03, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x08, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x14, 0xea, 0x39, 0x1c, 0x40, 0x28, 0xaa, 0xcd, 0xcb, 0x89, 0x9d, 0x06, 0x84, 0x47, 0x26, 0x51, 0xa8, + 0xb4, 0x3c, 0x84, 0x9d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, + 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, + 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x02, 0x84, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x04, 0x64, 0x00, 0x00, 0x05, 0x10, 0x00, 0x00, 0x05, 0x4c, + 0x00, 0x00, 0x05, 0x74, 0x00, 0x00, 0x05, 0x9c, 0x00, 0x00, 0x05, 0xc4, 0x00, 0x00, 0x05, 0xec, 0x00, 0x00, 0x06, 0x14, + 0x00, 0x00, 0x06, 0x3c, 0x00, 0x00, 0x06, 0x64, 0x00, 0x00, 0x06, 0x8c, 0x00, 0x00, 0x00, 0xac, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x04, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, + 0xea, 0x39, 0x1c, 0x40, 0x28, 0xaa, 0xcd, 0xcb, 0x89, 0x9d, 0x06, 0x84, 0x47, 0x26, 0x51, 0xa8, 0xb4, 0x3c, 0x84, 0x9d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, + 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, + 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x05, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x14, 0xea, 0x39, 0x1c, 0x40, 0x28, 0xaa, 0xcd, 0xcb, 0x89, 0x9d, 0x06, 0x84, 0x47, 0x26, 0x51, 0xa8, + 0xb4, 0x3c, 0x84, 0x9d, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x05, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x05, 0x94, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x05, 0xbc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x05, 0xe4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x06, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x06, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x06, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x06, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x06, 0xac, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x9c, 
0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, + 0x00, 0x00, 0x07, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x06, 0xf8, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x05, 0xb4, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x06, 0x39, 0x00, 0x00, 0x06, 0x3d, 0x00, 0x00, 0x06, 0x49, 0x00, 0x00, 0x06, 0x4d, 0x00, 0x00, 0x06, 0x51, + 0x00, 0x00, 0x06, 0x55, 0x00, 0x00, 0x06, 0x59, 0x00, 0x00, 0x06, 0x71, 0x00, 0x00, 0x06, 0x75, 0x00, 0x00, 0x06, 0xa1, + 0x00, 0x00, 0x06, 0xa5, 0x00, 0x00, 0x06, 0xa9, 0x00, 0x00, 0x06, 0xad, 0x00, 0x00, 0x06, 0xb9, 0x00, 0x00, 0x06, 0xc5, + 0x00, 0x00, 0x06, 0xc9, 0x00, 0x00, 0x06, 0xcd, 0x00, 0x00, 0x06, 0xd1, 0x00, 0x00, 0x06, 0xd5, 0x00, 0x00, 0x06, 0xd9, + 0x00, 0x00, 0x06, 0xdd, 0x00, 0x00, 0x06, 0xe1, 0x00, 0x00, 0x06, 0xe5, 0x00, 0x00, 0x06, 0xe9, 0x00, 0x00, 0x06, 0xed, + 0x00, 0x00, 0x06, 0xf1, 0x00, 0x00, 0x06, 0xf5, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x24, + 0x00, 0x00, 0x05, 0xb4, 0x90, 0xb1, 0xa9, 0x5a, 0xfd, 0xf3, 0x48, 0x3b, 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, + 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x01, 0x86, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x06, 0x9d, 0x19, 0x10, 0xe4, 0x91, 0xac, 0xc8, 0x58, 0x5e, 0xd0, 0x9b, 0x0f, 0xfb, 0x99, 0xb5, 0xf5, + 0xc7, 0x0e, 0x54, 0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x3c, 0x6b, 0x65, 0x79, 0x3e, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x3c, 0x6b, 0x65, 0x79, 0x3e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, + 0xec, 0x1f, 0x49, 0x31, 0xc8, 0x75, 0x58, 0x7d, 0x62, 0xff, 0xbc, 0x5e, 0x77, 0x07, 0xac, 0x84, 0x61, 0xe2, 0x6c, 0xa1, + 0x00, 0x00, 0x00, 0x40, 0x2f, 0x55, 0x73, 0x65, 0x72, 0x73, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x2f, 0x73, 0x65, 0x63, + 0x74, 0x65, 0x73, 0x74, 0x73, 0x00, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x14, 0x07, 0x5a, 0xdc, 0x04, 0xda, 0x28, 0x7b, 0xae, 0x05, 0x71, 0x31, 0x26, + 0xb6, 0x7a, 0xfd, 0x33, 0x0f, 0x7b, 0x33, 0x69, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x3c, 0x6b, 0x65, 0x79, + 0x3e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x73, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x20, 0x4b, 0x3f, 0x7b, 0xd7, 0xf9, 0xe4, 0x8d, 0xc7, + 0x10, 0x06, 0xce, 0x67, 0x09, 0x90, 0xae, 0xd9, 0xdb, 0xa6, 0xd5, 0x08, 0x9b, 0x84, 0xd4, 0x11, 0x31, 0x21, 0xba, 0xb4, + 0x1d, 0x0a, 0x32, 0x28, 0x5f, 0x5f, 0x5f, 0x49, 0x4e, 0x54, 0x45, 0x47, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x5f, 0x5f, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c, + 0x00, 0x00, 0x01, 0x29, 0x3c, 0x3f, 0x78, 0x6d, 0x6c, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, + 0x2e, 0x30, 0x22, 
0x20, 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x3d, 0x22, 0x55, 0x54, 0x46, 0x2d, 0x38, 0x22, + 0x3f, 0x3e, 0x0a, 0x3c, 0x21, 0x44, 0x4f, 0x43, 0x54, 0x59, 0x50, 0x45, 0x20, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x20, 0x50, + 0x55, 0x42, 0x4c, 0x49, 0x43, 0x20, 0x22, 0x2d, 0x2f, 0x2f, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2f, 0x2f, 0x44, 0x54, 0x44, + 0x20, 0x50, 0x4c, 0x49, 0x53, 0x54, 0x20, 0x31, 0x2e, 0x30, 0x2f, 0x2f, 0x45, 0x4e, 0x22, 0x20, 0x22, 0x68, 0x74, 0x74, + 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x44, 0x54, + 0x44, 0x73, 0x2f, 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x2d, 0x31, 0x2e, 0x30, 0x2e, + 0x64, 0x74, 0x64, 0x22, 0x3e, 0x0a, 0x3c, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, + 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22, 0x3e, 0x0a, 0x3c, 0x64, 0x69, 0x63, 0x74, 0x3e, 0x0a, 0x09, 0x3c, 0x6b, 0x65, 0x79, + 0x3e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x3c, 0x2f, 0x6b, 0x65, 0x79, 0x3e, 0x0a, 0x09, 0x3c, + 0x61, 0x72, 0x72, 0x61, 0x79, 0x3e, 0x0a, 0x09, 0x09, 0x3c, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x3e, 0x63, 0x64, 0x68, + 0x61, 0x73, 0x68, 0x3a, 0x30, 0x37, 0x35, 0x61, 0x64, 0x63, 0x30, 0x34, 0x64, 0x61, 0x32, 0x38, 0x37, 0x62, 0x61, 0x65, + 0x30, 0x35, 0x37, 0x31, 0x33, 0x31, 0x32, 0x36, 0x62, 0x36, 0x37, 0x61, 0x66, 0x64, 0x33, 0x33, 0x30, 0x66, 0x37, 0x62, + 0x33, 0x33, 0x36, 0x39, 0x3c, 0x2f, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x3e, 0x0a, 0x09, 0x3c, 0x2f, 0x61, 0x72, 0x72, + 0x61, 0x79, 0x3e, 0x0a, 0x3c, 0x2f, 0x64, 0x69, 0x63, 0x74, 0x3e, 0x0a, 0x3c, 0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e, + 0x0a, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x5f, 0x50, 0x41, 0x52, 0x54, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x5f, 0x5f, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x02, 0x6d, 0x82, 0x6b, 0x8c, 0x86, 0xc4, 0xf4, 0x08, + 0xd0, 0x94, 0x59, 0x94, 0x28, 0x90, 0x9e, 0x0a, 0x7d, 0x89, 0xef, 
0x12, 0x58, 0xae, 0xec, 0x4a, 0x0a, 0xb7, 0xf1, 0x1c, + 0x2b, 0xad, 0xc4, 0xe0, 0xc1, 0x5a, 0x80, 0xec, 0x7a, 0x38, 0xa3, 0x01, 0x2f, 0x2b, 0x92, 0xac, 0x9a, 0x27, 0xb6, 0x92, + 0x25, 0xe3, 0x3d, 0xa7, 0x95, 0xfc, 0x4a, 0xbd, 0x17, 0xc2, 0x35, 0xaf, 0xe3, 0x16, 0x7e, 0xf4, 0x4c, 0x43, 0x8e, 0x5f, + 0xdc, 0x51, 0x1e, 0x0d, 0x67, 0xca, 0x2c, 0xdb, 0xc1, 0x0c, 0xa0, 0x7d, 0xbb, 0x78, 0x88, 0xac, 0xea, 0x66, 0x37, 0x50, + 0x99, 0x5f, 0x59, 0xf5, 0xc5, 0x0e, 0x19, 0xd9, 0xf2, 0x94, 0xfb, 0xea, 0x42, 0x29, 0x19, 0x49, 0x80, 0xab, 0x7e, 0x8d, + 0xbc, 0x40, 0xd4, 0xf9, 0x16, 0xc1, 0xcf, 0xa7, 0xaa, 0xa8, 0xd1, 0xe8, 0xbd, 0x57, 0x7b, 0x0e, 0x64, 0xc3, 0xb7, 0xc5, + 0xe9, 0x5e, 0xa9, 0xaf, 0x7f, 0x63, 0xdd, 0x6d, 0x04, 0xfb, 0xf9, 0x3a, 0xa3, 0x8c, 0x57, 0xb2, 0xa4, 0xce, 0x90, 0x06, + 0x1f, 0xa9, 0xd8, 0xd1, 0xcb, 0x5b, 0xc8, 0x23, 0x2f, 0xa9, 0x09, 0x28, 0xe1, 0x8c, 0x5f, 0xa5, 0xa1, 0xb9, 0x9c, 0xfb, + 0x4a, 0x30, 0x34, 0xae, 0xac, 0xdd, 0xa1, 0xe1, 0xdf, 0x63, 0xb1, 0xba, 0xac, 0xe8, 0xa6, 0x12, 0x2a, 0xb5, 0x59, 0x42, + 0x45, 0xfa, 0x00, 0x27, 0x23, 0xf2, 0x4e, 0x6a, 0xa4, 0x31, 0xdf, 0x6c, 0xbb, 0x18, 0xdd, 0xfa, 0x25, 0xcc, 0x2c, 0x61, + 0x4f, 0x15, 0xc6, 0x46, 0x7f, 0x7d, 0x16, 0xc4, 0xe0, 0xca, 0x2d, 0x48, 0x2c, 0x86, 0xa1, 0xbf, 0xf6, 0x10, 0x84, 0xe9, + 0xfc, 0xe5, 0x21, 0x10, 0x9e, 0x22, 0x22, 0x04, 0x64, 0xc2, 0x8e, 0x90, 0x5a, 0x83, 0x8c, 0x85, 0xba, 0x31, 0x6d, 0x0a, + 0x0a, 0x73, 0x0a, 0xee, 0x02, 0x0c, 0xb3, 0x43, 0x55, 0xb4, 0x2d, 0x81, 0xa4, 0x4c, 0xff, 0x0c, 0x40, 0x56, 0x5c, 0x18, + 0x36, 0x8d, 0x7f, 0x91, 0x06, 0x08, 0x90, 0x51, 0x5c, 0x20, 0xbe, 0x6b, 0x62, 0xe3, 0xc3, 0x0b, 0x64, 0x45, 0x09, 0x5e, + 0xde, 0x62, 0x0b, 0x43, 0xbb, 0x18, 0x36, 0xac, 0xa5, 0x2e, 0xd1, 0xb9, 0x4b, 0x4b, 0xe9, 0x8c, 0x0b, 0xdb, 0x7d, 0xd4, + 0xee, 0x21, 0x67, 0x91, 0xd0, 0x13, 0x6d, 0x84, 0x02, 0xde, 0xfb, 0x09, 0x5f, 0xa0, 0x15, 0x6b, 0x7c, 0x27, 0x78, 0xfb, + 0x25, 0xda, 0x2f, 0x1e, 0xcb, 0x9a, 0xa0, 0x63, 0xb5, 0x9f, 0x0d, 0xb8, 0xec, 0x7d, 0x55, 0x34, 0xb1, 0x98, 0xbe, 
0xbd, + 0xa6, 0x76, 0xb5, 0x87, 0x49, 0x0e, 0x21, 0x35, 0xeb, 0xc8, 0x5e, 0xf5, 0xb4, 0x39, 0x7e, 0x20, 0xbc, 0xec, 0x7a, 0x51, + 0xb7, 0x90, 0x40, 0x5d, 0x9c, 0xaf, 0xd9, 0xea, 0x4a, 0x52, 0x1d, 0x5b, 0x6e, 0xab, 0x0b, 0xcf, 0x1b, 0x37, 0x00, 0xed, + 0xb7, 0x71, 0xad, 0xcd, 0x41, 0x03, 0x70, 0xce, 0xd0, 0x75, 0xcd, 0xa4, 0xda, 0x26, 0xcd, 0xe3, 0xde, 0x7b, 0x80, 0x0c, + 0x9a, 0x02, 0xa7, 0xdb, 0xa9, 0x50, 0x53, 0x6f, 0x4e, 0x37, 0x35, 0x6e, 0x67, 0x15, 0x97, 0x54, 0x40, 0xa3, 0xc2, 0x12, + 0x30, 0x2a, 0x74, 0x3e, 0x69, 0x2b, 0x0a, 0x9b, 0x65, 0x51, 0x8e, 0xac, 0xf0, 0x61, 0x93, 0xba, 0xc6, 0x83, 0x06, 0x35, + 0xb9, 0xc6, 0xe1, 0x8a, 0xe4, 0x60, 0xef, 0xfc, 0x6d, 0xa3, 0x98, 0x9b, 0xa2, 0x49, 0x33, 0x3c, 0xd1, 0xdc, 0xbf, 0x15, + 0x27, 0xcd, 0x23, 0x6b, 0x79, 0x88, 0x72, 0xeb, 0x1c, 0x92, 0xca, 0x23, 0x12, 0xe4, 0x0a, 0x42, 0x2b, 0x25, 0x53, 0x59, + 0x4f, 0x6a, 0xa6, 0xab, 0x7e, 0x35, 0xc4, 0x1a, 0x89, 0xda, 0xe1, 0x98, 0x12, 0x26, 0xe8, 0x93, 0x30, 0xc3, 0xca, 0xb0, + 0x40, 0x4f, 0xf0, 0x4a, 0x3b, 0xc3, 0x9a, 0xfc, 0x0e, 0x85, 0xf2, 0xf7, 0xa3, 0x17, 0xe4, 0x6a, 0x56, 0x4b, 0x07, 0xaa, + 0xcb, 0x5c, 0xc5, 0x56, 0x97, 0x35, 0x11, 0x0d, 0x43, 0xb5, 0xdf, 0xc0, 0x69, 0x9d, 0xbf, 0x01, 0x4e, 0x0d, 0x97, 0xdb, + 0x5f, 0x1e, 0x46, 0x7e, 0x6d, 0xb0, 0xc3, 0xf6, 0x28, 0x49, 0xfc, 0x48, 0x7b, 0x5e, 0xac, 0xaf, 0xe3, 0x1e, 0xa2, 0xf4, + 0x2c, 0xab, 0xe4, 0x8d, 0x48, 0x60, 0xa2, 0xaa, 0x48, 0x37, 0xfb, 0x71, 0xa4, 0x81, 0x2c, 0xf6, 0xef, 0x41, 0xd6, 0x31, + 0x02, 0xef, 0x51, 0xe3, 0x1f, 0x48, 0x9b, 0x88, 0xfd, 0x5d, 0x15, 0x53, 0x66, 0xbf, 0x58, 0xd7, 0x05, 0xeb, 0x3f, 0x91, + 0xd5, 0xa9, 0x4c, 0xb7, 0xa0, 0xf3, 0xce, 0x66, 0xfc, 0x66, 0xcf, 0x44, 0x89, 0x0d, 0xf2, 0x89, 0xc8, 0x89, 0xb8, 0xf2, + 0x10, 0xdd, 0xef, 0xad, 0xa3, 0x94, 0x02, 0x73, 0x75, 0xa8, 0xe3, 0x06, 0x88, 0x4c, 0xeb, 0x15, 0x0c, 0x2e, 0xd7, 0x9d, + 0xd1, 0xa1, 0x63, 0x07, 0xee, 0xca, 0x5f, 0x4e, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x08, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x6b, 0x65, 0x79, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x14, 0xea, 0x39, 0x1c, 0x40, 0x28, 0xaa, 0xcd, 0xcb, 0x89, 0x9d, 0x06, 0x84, 0x47, 0x26, 0x51, 0xa8, + 0xb4, 0x3c, 0x84, 0x9d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, + 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, + 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x02, 0x84, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x07, 0x4c, 0x00, 0x00, 0x07, 0xf8, 0x00, 0x00, 0x08, 0x34, + 0x00, 0x00, 0x08, 0x5c, 0x00, 0x00, 0x08, 0x84, 0x00, 0x00, 0x08, 0xac, 0x00, 0x00, 0x08, 0xd4, 0x00, 0x00, 0x08, 0xfc, + 0x00, 0x00, 0x09, 0x24, 0x00, 0x00, 0x09, 0x4c, 0x00, 0x00, 0x09, 0x74, 0x00, 0x00, 0x00, 0xac, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x07, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, + 0xea, 0x39, 0x1c, 0x40, 0x28, 0xaa, 0xcd, 0xcb, 0x89, 0x9d, 0x06, 0x84, 0x47, 0x26, 0x51, 0xa8, 0xb4, 0x3c, 0x84, 0x9d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 
0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, + 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, + 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x08, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x14, 0xea, 0x39, 0x1c, 0x40, 0x28, 0xaa, 0xcd, 0xcb, 0x89, 0x9d, 0x06, 0x84, 0x47, 0x26, 0x51, 0xa8, + 0xb4, 0x3c, 0x84, 0x9d, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x08, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x08, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x08, 0xa4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x08, 0xcc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x08, 0xf4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x09, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x09, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x09, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x09, 0x94, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x13, 0x30, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x28, + 0x00, 0x00, 0x0e, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x04, 0xe4, + 0x00, 0x00, 0x09, 0xa0, 0x00, 0x00, 0x04, 0xbc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x03, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0xf1, 0x00, 0x00, 0x03, 0xf5, 0x00, 0x00, 0x04, 0x0d, + 0x00, 0x00, 0x04, 0x11, 0x00, 0x00, 0x04, 0x15, 0x00, 0x00, 0x04, 0x19, 0x00, 0x00, 0x04, 0x1d, 0x00, 0x00, 0x04, 0x35, + 0x00, 0x00, 0x04, 0x39, 0x00, 0x00, 0x04, 0x65, 0x00, 0x00, 0x04, 0x69, 0x00, 0x00, 0x04, 0x6d, 0x00, 0x00, 0x04, 0x71, + 0x00, 0x00, 0x04, 0x7d, 0x00, 0x00, 0x04, 0x89, 0x00, 0x00, 0x04, 0x8d, 0x00, 0x00, 0x04, 0x91, 0x00, 0x00, 0x04, 0x95, + 0x00, 0x00, 0x04, 0x99, 0x00, 0x00, 0x04, 0x9d, 0x00, 0x00, 0x04, 0xa1, 0x00, 0x00, 0x04, 0xa5, 0x00, 0x00, 0x04, 0xa9, + 0x00, 0x00, 0x04, 0xad, 0x00, 0x00, 0x04, 0xb1, 0x00, 
0x00, 0x04, 0xb5, 0x00, 0x00, 0x04, 0xb9, 0xfa, 0xde, 0x07, 0x11, + 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x3c, 0x00, 0x00, 0x03, 0x6c, 0xef, 0x42, 0xf5, 0xa0, 0x6a, 0xeb, 0xa5, 0x08, + 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xc0, + 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, 0xdc, 0x2f, 0x52, 0x8d, 0x7e, 0xdf, 0x65, 0xe2, + 0x8e, 0xd3, 0x41, 0x88, 0x5b, 0x38, 0x9f, 0x3d, 0x2e, 0x0a, 0x94, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x00, 0x9a, 0x00, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, + 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x14, 0xec, 0x1f, 0x49, 0x31, 0xc8, 0x75, 0x58, 0x7d, 0x62, 0xff, 0xbc, 0x5e, 0x77, 0x07, 0xac, 0x84, + 0x61, 0xe2, 0x6c, 0xa1, 0x00, 0x00, 0x00, 0x40, 0x2f, 0x55, 0x73, 0x65, 0x72, 0x73, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, + 0x2f, 0x73, 0x65, 0x63, 0x74, 0x65, 0x73, 0x74, 0x73, 0x00, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, 0x00, 
0x00, 0x00, 0x28, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x14, 0x07, 0x5a, 0xdc, 0x04, 0xda, 0x28, 0x7b, 0xae, + 0x05, 0x71, 0x31, 0x26, 0xb6, 0x7a, 0xfd, 0x33, 0x0f, 0x7b, 0x33, 0x69, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x00, 0xe0, 0x5e, 0x86, 0x00, 0x3e, 0xec, 0xeb, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x25, + 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c, + 0x00, 0x00, 0x00, 0x20, 0x6b, 0xa8, 0xd9, 0xf7, 0x7d, 0xdb, 0xa5, 0x4d, 0x93, 0x73, 0xb1, 0x1a, 0xe5, 0xc8, 0xf7, 0xb5, + 0x5a, 0x5e, 0x81, 0xda, 0x27, 0xe0, 0x5e, 0x86, 0x72, 0x3e, 0xec, 0xeb, 0x0a, 0x9a, 0x8e, 0x0c, 0x5f, 0x5f, 0x5f, 0x49, + 0x4e, 0x54, 0x45, 0x47, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x5f, 0x5f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x01, 0x29, 0x3c, 0x3f, 0x78, 0x6d, + 0x6c, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22, 0x20, 0x65, 0x6e, 0x63, 0x6f, + 0x64, 0x69, 0x6e, 0x67, 0x3d, 0x22, 0x55, 0x54, 0x46, 0x2d, 0x38, 0x22, 0x3f, 0x3e, 0x0a, 0x3c, 0x21, 0x44, 0x4f, 0x43, + 0x54, 0x59, 0x50, 0x45, 0x20, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x20, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x20, 0x22, 0x2d, + 0x2f, 0x2f, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2f, 0x2f, 0x44, 0x54, 0x44, 0x20, 0x50, 0x4c, 0x49, 0x53, 0x54, 0x20, 0x31, + 0x2e, 0x30, 0x2f, 0x2f, 0x45, 0x4e, 0x22, 0x20, 0x22, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x44, 0x54, 0x44, 0x73, 0x2f, 0x50, 0x72, 0x6f, 0x70, 0x65, + 0x72, 0x74, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x2d, 0x31, 0x2e, 0x30, 0x2e, 0x64, 0x74, 0x64, 0x22, 0x3e, 0x0a, 0x3c, 0x70, + 0x6c, 0x69, 0x73, 0x74, 
0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22, 0x3e, 0x0a, + 0x3c, 0x64, 0x69, 0x63, 0x74, 0x3e, 0x0a, 0x09, 0x3c, 0x6b, 0x65, 0x79, 0x3e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x3c, 0x2f, 0x6b, 0x65, 0x79, 0x3e, 0x0a, 0x09, 0x3c, 0x61, 0x72, 0x72, 0x61, 0x79, 0x3e, 0x0a, 0x09, + 0x09, 0x3c, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x3e, 0x63, 0x64, 0x68, 0x61, 0x73, 0x68, 0x3a, 0x30, 0x37, 0x35, 0x61, + 0x64, 0x63, 0x30, 0x34, 0x64, 0x61, 0x32, 0x38, 0x37, 0x62, 0x61, 0x65, 0x30, 0x35, 0x37, 0x31, 0x33, 0x31, 0x32, 0x36, + 0x62, 0x36, 0x37, 0x61, 0x66, 0x64, 0x33, 0x33, 0x30, 0x66, 0x37, 0x62, 0x33, 0x33, 0x36, 0x39, 0x3c, 0x2f, 0x73, 0x74, + 0x72, 0x69, 0x6e, 0x67, 0x3e, 0x0a, 0x09, 0x3c, 0x2f, 0x61, 0x72, 0x72, 0x61, 0x79, 0x3e, 0x0a, 0x3c, 0x2f, 0x64, 0x69, + 0x63, 0x74, 0x3e, 0x0a, 0x3c, 0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e, 0x0a, 0xa9, 0x38, 0xd3, 0x5f, 0x5f, 0x5f, 0x50, + 0x41, 0x52, 0x54, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x5f, 0x5f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x01, 0x00, 0x02, 0xdd, 0x3d, 0x35, 0x3d, 0x72, 0xf0, 0xad, 0xd2, 0x36, 0x78, 0x53, 0xf8, 0x02, 0x36, 0x1a, 0x64, + 0x40, 0xe8, 0xf0, 0x6b, 0x67, 0x97, 0xc4, 0x84, 0xfd, 0x4a, 0x8c, 0xc8, 0xf1, 0x1a, 0x07, 0x8a, 0x52, 0x03, 0x04, 0xd5, + 0xc8, 0xb4, 0xa9, 0x7e, 0x30, 0x4d, 0xf5, 0xab, 0x7c, 0xe4, 0x96, 0x7b, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, + 0x73, 0x73, 0x67, 0x70, 0x7b, 0xed, 0x8a, 0xda, 0xa1, 0x85, 0xd0, 0xef, 0xe0, 0x87, 0xec, 0xa4, 0x1d, 0xcf, 0x0b, 0x22, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, + 0x73, 0x73, 0x67, 0x70, 0x7b, 0xed, 0x8a, 0xda, 0xa1, 0x85, 0xd0, 0xef, 0xe0, 0x87, 0xec, 0xa4, 0x1d, 0xcf, 0x0b, 0x22, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, + 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 
0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, + 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0xbc, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x03, 0x6c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x03, 0xf1, 0x00, 0x00, 0x03, 0xf5, 0x00, 0x00, 0x04, 0x0d, 0x00, 0x00, 0x04, 0x11, 0x00, 0x00, 0x04, 0x15, + 0x00, 0x00, 0x04, 0x19, 0x00, 0x00, 0x04, 0x1d, 0x00, 0x00, 0x04, 0x35, 0x00, 0x00, 0x04, 0x39, 0x00, 0x00, 0x04, 0x65, + 0x00, 0x00, 0x04, 0x69, 0x00, 0x00, 0x04, 0x6d, 0x00, 0x00, 0x04, 0x71, 0x00, 0x00, 0x04, 0x7d, 0x00, 0x00, 0x04, 0x89, + 0x00, 0x00, 0x04, 0x8d, 0x00, 0x00, 0x04, 0x91, 0x00, 0x00, 0x04, 0x95, 0x00, 0x00, 0x04, 0x99, 0x00, 0x00, 0x04, 0x9d, + 0x00, 0x00, 0x04, 0xa1, 0x00, 0x00, 0x04, 0xa5, 0x00, 0x00, 0x04, 0xa9, 0x00, 0x00, 0x04, 0xad, 0x00, 0x00, 0x04, 0xb1, + 0x00, 0x00, 0x04, 0xb5, 0x00, 0x00, 0x04, 0xb9, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x3c, + 0x00, 0x00, 0x03, 0x6c, 0xdf, 0xbc, 0xd2, 0x72, 0x51, 0xfe, 0x37, 0x8f, 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, + 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x06, 0x42, 0x28, 0x33, 0xc0, 0xfe, 0x5d, 0xc9, 0x6d, 0xce, 0xdf, 0x2c, 0x4a, 0xef, 0xf7, 0x7c, 0xe2, + 0x4e, 0x5c, 0xa6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, 0xec, 0x1f, 0x49, 0x31, + 0xc8, 0x75, 0x58, 0x7d, 0x62, 0xff, 0xbc, 0x5e, 0x77, 0x07, 0xac, 0x84, 0x61, 0xe2, 0x6c, 0xa1, 0x00, 0x00, 0x00, 0x40, + 0x2f, 0x55, 0x73, 0x65, 0x72, 0x73, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x2f, 0x73, 0x65, 0x63, 0x74, 0x65, 0x73, 0x74, + 0x73, 0x00, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x14, 0x07, 0x5a, 0xdc, 0x04, 0xda, 0x28, 0x7b, 0xae, 0x05, 0x71, 0x31, 0x26, 0xb6, 0x7a, 0xfd, 0x33, + 0x0f, 0x7b, 0x33, 0x69, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x69, 0x6e, 0x74, + 0x65, 0x72, 0x6e, 0x65, 0x74, 0x00, 0x35, 0x59, 0x00, 0xa5, 0x72, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, + 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x20, 0x63, 0x0a, 0x9f, 0xe4, + 0xf0, 0x19, 0x1d, 0xb8, 0xa9, 0x9d, 0x6e, 0x84, 0x55, 0xe7, 0x11, 0x4f, 0x62, 0x8c, 0xe8, 0xf0, 0xf9, 0xeb, 0x35, 0x59, + 0xef, 0xa5, 0x72, 0xa9, 0x88, 0x77, 0xa2, 0xb2, 0x5f, 0x5f, 0x5f, 0x49, 0x4e, 0x54, 0x45, 0x47, 0x52, 0x49, 0x54, 0x59, + 0x5f, 0x5f, 0x5f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x01, 0x29, 0x3c, 0x3f, 0x78, 0x6d, 0x6c, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, + 0x6e, 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22, 0x20, 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x3d, 0x22, 0x55, 0x54, + 0x46, 0x2d, 0x38, 0x22, 0x3f, 0x3e, 0x0a, 0x3c, 0x21, 0x44, 0x4f, 0x43, 0x54, 0x59, 0x50, 0x45, 0x20, 0x70, 0x6c, 0x69, + 0x73, 0x74, 0x20, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x20, 0x22, 0x2d, 0x2f, 0x2f, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2f, + 0x2f, 0x44, 0x54, 0x44, 0x20, 0x50, 0x4c, 0x49, 0x53, 0x54, 0x20, 0x31, 0x2e, 0x30, 0x2f, 0x2f, 0x45, 0x4e, 0x22, 0x20, + 0x22, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x44, 0x54, 0x44, 0x73, 0x2f, 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x2d, + 0x31, 0x2e, 0x30, 0x2e, 0x64, 0x74, 0x64, 0x22, 0x3e, 0x0a, 0x3c, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, + 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22, 0x3e, 0x0a, 0x3c, 0x64, 0x69, 0x63, 0x74, 0x3e, 0x0a, 0x09, + 0x3c, 0x6b, 0x65, 0x79, 0x3e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x3c, 0x2f, 0x6b, 0x65, 0x79, + 0x3e, 0x0a, 0x09, 0x3c, 0x61, 0x72, 0x72, 0x61, 0x79, 0x3e, 0x0a, 0x09, 0x09, 0x3c, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, + 0x3e, 0x63, 0x64, 0x68, 0x61, 0x73, 0x68, 0x3a, 0x30, 0x37, 0x35, 0x61, 0x64, 0x63, 0x30, 0x34, 0x64, 0x61, 0x32, 0x38, + 0x37, 0x62, 0x61, 0x65, 0x30, 0x35, 0x37, 0x31, 0x33, 0x31, 0x32, 0x36, 0x62, 0x36, 0x37, 
0x61, 0x66, 0x64, 0x33, 0x33, + 0x30, 0x66, 0x37, 0x62, 0x33, 0x33, 0x36, 0x39, 0x3c, 0x2f, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x3e, 0x0a, 0x09, 0x3c, + 0x2f, 0x61, 0x72, 0x72, 0x61, 0x79, 0x3e, 0x0a, 0x3c, 0x2f, 0x64, 0x69, 0x63, 0x74, 0x3e, 0x0a, 0x3c, 0x2f, 0x70, 0x6c, + 0x69, 0x73, 0x74, 0x3e, 0x0a, 0xfe, 0xc0, 0x49, 0x5f, 0x5f, 0x5f, 0x50, 0x41, 0x52, 0x54, 0x49, 0x54, 0x49, 0x4f, 0x4e, + 0x5f, 0x5f, 0x5f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x02, 0xa2, 0x5c, 0x56, 0xd4, + 0xbe, 0x00, 0xb5, 0x12, 0xe7, 0x31, 0x27, 0x24, 0x18, 0x52, 0x27, 0xab, 0x56, 0x69, 0xa0, 0x0b, 0x91, 0x56, 0x72, 0x11, + 0x8b, 0xdf, 0x2e, 0xf9, 0x0f, 0x09, 0x5c, 0xff, 0x66, 0x0e, 0x97, 0x66, 0xd6, 0x04, 0xcd, 0x0d, 0xb1, 0xc1, 0x87, 0x88, + 0xfd, 0x46, 0xfa, 0x76, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0xff, 0x99, 0x34, 0xae, + 0x3e, 0x01, 0x20, 0x7c, 0x07, 0x76, 0xda, 0x52, 0x41, 0xe7, 0xbb, 0xee, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0xff, 0x99, 0x34, 0xae, + 0x3e, 0x01, 0x20, 0x7c, 0x07, 0x76, 0xda, 0x52, 0x41, 0xe7, 0xbb, 0xee, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, + 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, + 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0xbc, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x03, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x04, 0x05, + 0x00, 0x00, 0x04, 0x11, 0x00, 0x00, 0x04, 0x15, 0x00, 0x00, 0x04, 0x19, 0x00, 0x00, 0x04, 0x1d, 0x00, 0x00, 0x04, 0x21, + 0x00, 0x00, 0x04, 0x35, 0x00, 0x00, 0x04, 0x39, 0x00, 0x00, 0x04, 0x65, 0x00, 0x00, 0x04, 0x69, 0x00, 0x00, 0x04, 0x6d, + 0x00, 0x00, 0x04, 0x71, 0x00, 0x00, 0x04, 0x7d, 0x00, 0x00, 0x04, 0x89, 0x00, 0x00, 0x04, 0x8d, 0x00, 0x00, 0x04, 0x91, + 0x00, 0x00, 0x04, 0x95, 0x00, 0x00, 0x04, 0x99, 0x00, 0x00, 0x04, 0x9d, 0x00, 0x00, 0x04, 0xa1, 0x00, 0x00, 0x04, 0xa5, + 0x00, 0x00, 0x04, 0xa9, 0x00, 0x00, 0x04, 0xad, 0x00, 0x00, 0x04, 0xb1, 0x00, 0x00, 0x04, 0xb5, 0x00, 0x00, 0x04, 0xb9, + 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x54, 0x00, 0x00, 0x03, 0x7c, 0x89, 0x4b, 0xff, 0x28, + 0x68, 0xa0, 0xff, 0x21, 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, + 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0xcf, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, 0x5d, 0xa4, 0xa0, 0x3a, + 0x08, 0x0c, 0xf0, 0xb4, 0xea, 0x9a, 0xa6, 0x3d, 0x77, 0xdd, 0xba, 0xc9, 0x26, 0xf7, 0x04, 0xaf, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, + 0xa8, 0xfb, 0x16, 0xec, 0xee, 0x43, 0xa7, 0xd3, 0xeb, 0x71, 0x9f, 0x77, 0xe8, 0x24, 0xea, 0x24, 0x71, 0x5c, 0x96, 0x91, + 0xf4, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, 0xec, 0x1f, 0x49, 0x31, + 0xc8, 0x75, 0x58, 0x7d, 0x62, 0xff, 0xbc, 0x5e, 0x77, 0x07, 0xac, 0x84, 0x61, 0xe2, 0x6c, 0xa1, 0x00, 0x00, 0x00, 0x40, + 0x2f, 0x55, 0x73, 0x65, 0x72, 0x73, 0x2f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x2f, 0x73, 0x65, 0x63, 0x74, 0x65, 0x73, 0x74, + 0x73, 0x00, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x14, 0x07, 0x5a, 0xdc, 0x04, 0xda, 0x28, 0x7b, 0xae, 0x05, 0x71, 0x31, 0x26, 0xb6, 0x7a, 0xfd, 0x33, + 0x0f, 0x7b, 0x33, 0x69, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0xa8, 0xfb, 0x16, 0xec, 0xee, 0x43, 0xa7, 0xd3, + 0xeb, 0x71, 0x9f, 0x77, 0xe8, 0x24, 0xea, 0x24, 0x71, 0x5c, 0x96, 0x91, 0xf4, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x25, + 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, + 0xa8, 0xfb, 0x16, 0xec, 0xee, 0x43, 0xa7, 0xd3, 0xeb, 0x71, 0x9f, 0x77, 0xe8, 0x24, 0xea, 0x24, 0x71, 0x5c, 0x96, 0x91, + 0xf4, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x23, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x20, 0x44, 0xf1, 0x0f, 0x6b, 0xb5, 0x08, 0xd4, 0x7f, + 0x89, 0x05, 0x85, 0x9e, 0xfc, 0x06, 0xea, 0xee, 0x50, 0x03, 0x04, 0xbc, 0x4d, 0xa4, 0x08, 0xb1, 0xf4, 0xd2, 0xa5, 0x8c, + 0x65, 0x02, 0x14, 0x7b, 0x5f, 0x5f, 0x5f, 0x49, 0x4e, 0x54, 0x45, 0x47, 0x52, 0x49, 0x54, 0x59, 0x5f, 0x5f, 0x5f, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x0c, + 0x00, 0x00, 0x01, 0x29, 0x3c, 0x3f, 0x78, 0x6d, 0x6c, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x3d, 0x22, 0x31, + 0x2e, 0x30, 0x22, 0x20, 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x3d, 0x22, 0x55, 0x54, 0x46, 0x2d, 0x38, 0x22, + 0x3f, 0x3e, 0x0a, 0x3c, 0x21, 0x44, 0x4f, 0x43, 0x54, 0x59, 0x50, 0x45, 0x20, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x20, 0x50, + 0x55, 0x42, 0x4c, 0x49, 0x43, 0x20, 0x22, 0x2d, 0x2f, 0x2f, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2f, 0x2f, 0x44, 0x54, 0x44, + 0x20, 0x50, 0x4c, 0x49, 0x53, 0x54, 0x20, 0x31, 0x2e, 0x30, 0x2f, 0x2f, 0x45, 0x4e, 0x22, 0x20, 0x22, 0x68, 0x74, 0x74, + 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x44, 0x54, + 0x44, 0x73, 0x2f, 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, 0x79, 0x4c, 0x69, 0x73, 0x74, 0x2d, 0x31, 0x2e, 0x30, 0x2e, + 0x64, 0x74, 0x64, 0x22, 0x3e, 0x0a, 0x3c, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x20, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, + 0x3d, 0x22, 0x31, 0x2e, 0x30, 0x22, 0x3e, 0x0a, 0x3c, 0x64, 0x69, 0x63, 0x74, 0x3e, 0x0a, 0x09, 0x3c, 0x6b, 0x65, 0x79, + 0x3e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x3c, 0x2f, 0x6b, 0x65, 0x79, 0x3e, 0x0a, 0x09, 0x3c, + 0x61, 0x72, 0x72, 0x61, 0x79, 0x3e, 0x0a, 0x09, 0x09, 0x3c, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x3e, 0x63, 0x64, 0x68, + 0x61, 0x73, 0x68, 0x3a, 0x30, 0x37, 0x35, 0x61, 0x64, 0x63, 0x30, 0x34, 0x64, 0x61, 0x32, 0x38, 0x37, 0x62, 0x61, 0x65, + 0x30, 0x35, 0x37, 0x31, 0x33, 0x31, 0x32, 0x36, 0x62, 0x36, 0x37, 0x61, 0x66, 0x64, 0x33, 0x33, 0x30, 0x66, 0x37, 0x62, + 0x33, 0x33, 0x36, 0x39, 0x3c, 0x2f, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x3e, 0x0a, 0x09, 0x3c, 0x2f, 0x61, 0x72, 0x72, + 0x61, 0x79, 0x3e, 0x0a, 0x3c, 0x2f, 0x64, 0x69, 0x63, 0x74, 0x3e, 0x0a, 0x3c, 0x2f, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x3e, + 0x0a, 0x00, 0x00, 0x00, 0x5f, 0x5f, 0x5f, 0x50, 0x41, 0x52, 0x54, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x5f, 0x5f, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x02, 0x0d, 0xb7, 0x4d, 0x14, 0x7b, 0x98, 0x46, 0x8e, + 0x10, 0x5e, 0x43, 0x19, 0x80, 0x53, 0xfd, 0xcd, 0xc4, 0xf9, 0x89, 0xf1, 0x55, 0xb4, 0x46, 0xb2, 0xc4, 0x7e, 0x8b, 0x33, + 0x56, 0xdb, 0xe2, 0xd9, 0xc0, 0x79, 0x08, 0xc1, 0xf6, 0xdc, 0x7c, 0x4c, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x08, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, + 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, + 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, + 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x04, 0xd4, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x0e, 0x90, 0x00, 0x00, 0x10, 0x28, 0x00, 0x00, 0x10, 0xa8, + 0x00, 0x00, 0x10, 0xf0, 0x00, 0x00, 0x11, 0x38, 0x00, 0x00, 0x11, 0x80, 0x00, 0x00, 0x11, 0xc8, 0x00, 0x00, 0x12, 0x10, + 0x00, 0x00, 0x12, 0x58, 0x00, 0x00, 0x12, 0xa0, 0x00, 0x00, 0x12, 0xe8, 0x00, 0x00, 0x01, 0x98, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x0b, 0x00, 
0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x0e, 0xdc, 0x00, 0x00, 0x0f, 0x4c, 0x00, 0x00, 0x0f, 0xbc, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, + 0x7b, 0xed, 0x8a, 0xda, 0xa1, 0x85, 0xd0, 0xef, 0xe0, 0x87, 0xec, 0xa4, 0x1d, 0xcf, 0x0b, 0x22, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, + 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, + 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0xff, 0x99, 0x34, 0xae, 0x3e, 0x01, 0x20, 0x7c, + 0x07, 0x76, 0xda, 0x52, 0x41, 0xe7, 0xbb, 0xee, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, + 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, + 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x10, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, + 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, + 
0x32, 0x7d, 0x00, 0x00, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x10, 0x58, 0x00, 0x00, 0x10, 0x74, 0x00, 0x00, 0x10, 0x90, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, + 0x7b, 0xed, 0x8a, 0xda, 0xa1, 0x85, 0xd0, 0xef, 0xe0, 0x87, 0xec, 0xa4, 0x1d, 0xcf, 0x0b, 0x22, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0xff, 0x99, 0x34, 0xae, 0x3e, 0x01, 0x20, 0x7c, 0x07, 0x76, 0xda, 0x52, + 0x41, 0xe7, 0xbb, 0xee, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x70, 0x70, + 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x10, 0xd8, 0x00, 0x00, 0x10, 0xe0, + 0x00, 0x00, 0x10, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x13, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x11, 0x20, 0x00, 0x00, 0x11, 0x28, 0x00, 0x00, 0x11, 0x30, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x11, 0x68, + 0x00, 0x00, 0x11, 0x70, 0x00, 0x00, 0x11, 0x78, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x11, 0xb0, 0x00, 0x00, 0x11, 0xb8, 0x00, 0x00, 0x11, 0xc0, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x48, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x11, 0xf8, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x12, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x12, 0x40, 0x00, 0x00, 0x12, 0x48, + 0x00, 0x00, 0x12, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x12, 0x88, 0x00, 0x00, 0x12, 0x90, 0x00, 0x00, 0x12, 0x98, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x09, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x12, 0xd0, + 0x00, 0x00, 0x12, 0xd8, 0x00, 0x00, 0x12, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x13, 0x18, 0x00, 0x00, 0x13, 0x20, 0x00, 0x00, 0x13, 0x28, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0xc0, + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0xfc, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7d, 0x00, 0x00, 0x00, 0x8d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xad, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbd, 0x00, 0x00, 0x00, 0xcd, 0x00, 0x00, 0x00, 0x00, 0x73, 0x73, 0x67, 0x70, + 0x7b, 0xed, 0x8a, 0xda, 0xa1, 0x85, 0xd0, 0xef, 0xe0, 0x87, 0xec, 0xa4, 0x1d, 0xcf, 0x0b, 0x22, 0x64, 0x23, 0x55, 0xfb, + 0x1c, 0xc1, 0x1a, 0x17, 0x20, 0xbf, 0x30, 0xd7, 0x43, 0x41, 0xa9, 0x59, 0x32, 0x30, 0x31, 0x36, 0x30, 0x32, 0x31, 0x36, + 0x30, 0x32, 0x30, 
0x36, 0x32, 0x37, 0x5a, 0x00, 0x32, 0x30, 0x31, 0x36, 0x30, 0x32, 0x31, 0x36, 0x30, 0x32, 0x30, 0x36, + 0x32, 0x37, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x09, 0x61, 0x20, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x00, 0x00, 0x00, 0x0c, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0xc4, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x01, 0x10, + 0x00, 0x00, 0x01, 0x58, 0x00, 0x00, 0x01, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x61, 0x63, 0x63, 0x74, 0x73, 0x76, 0x63, 0x65, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x34, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x61, 0x63, 0x63, 0x74, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x78, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x73, 0x76, 0x63, 0x65, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0xac, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x02, 0xf8, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, + 0x00, 0x00, 0x01, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x01, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x8d, 0x00, 0x00, 0x00, 0x9d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xad, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd1, 0x00, 0x00, 0x00, 0xe1, + 0x00, 0x00, 0x00, 0xe5, 0x00, 0x00, 0x00, 0xf5, 0x00, 0x00, 0x00, 0xf9, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x05, + 0x73, 0x73, 0x67, 0x70, 0xff, 0x99, 0x34, 0xae, 0x3e, 0x01, 0x20, 0x7c, 0x07, 0x76, 0xda, 0x52, 0x41, 0xe7, 0xbb, 0xee, + 0x1d, 0x1f, 0x57, 0x42, 0x58, 0x09, 0x6a, 0x38, 0xc7, 0xd0, 0x2b, 0xa2, 0xbd, 0x98, 0xef, 0xeb, 0x32, 0x30, 0x31, 0x36, + 0x30, 0x32, 0x31, 0x36, 0x30, 0x32, 0x30, 0x36, 0x32, 0x37, 0x5a, 0x00, 0x32, 0x30, 0x31, 0x36, 0x30, 0x32, 0x31, 0x36, + 0x30, 0x32, 0x30, 0x36, 0x32, 0x37, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x09, 0x61, 0x20, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, + 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x64, 0x66, 0x6c, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x01, 0xd0, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x01, 0x50, 0x00, 0x00, 0x01, 0xc4, 0x00, 0x00, 0x01, 0xf8, + 0x00, 0x00, 0x02, 0x20, 0x00, 0x00, 0x02, 0x54, 0x00, 0x00, 0x02, 0x7c, 0x00, 0x00, 0x02, 0xa8, 0x00, 0x00, 0x02, 0xd0, + 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x61, 0x63, 0x63, 0x74, + 0x73, 0x64, 0x6d, 0x6e, 0x73, 0x72, 0x76, 0x72, 0x70, 0x74, 0x63, 0x6c, 0x61, 0x74, 0x79, 0x70, 0x70, 0x6f, 0x72, 
0x74, + 0x70, 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, + 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x64, 0x66, 0x6c, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x01, 0xe4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x73, 0x64, 0x6d, 0x6e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x18, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x73, 0x72, 0x76, 0x72, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x40, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x70, 0x74, 0x63, 0x6c, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x61, 0x74, 0x79, 0x70, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x04, + 0x64, 0x66, 0x6c, 0x74, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x70, 0x6f, 0x72, 0x74, 0x00, 0x00, 
0x00, 0x01, 0x00, 0x00, 0x02, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x70, 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x02, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, + 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x1d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0x90, + 0x00, 0x00, 0x00, 0xa8, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x61, 0x63, 0x63, 0x74, 0x76, 0x6c, 0x6d, 0x65, 0x61, 0x64, 0x64, 0x72, 0x73, 0x73, 0x69, 0x67, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x61, 0x63, 0x63, 0x74, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x76, 0x6c, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x61, 0x64, 0x64, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x73, 0x73, 0x69, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe8, + 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0xe0, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa8, 0x00, 0x00, 0x00, 0x00, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x02, 0x00, + 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0xa8, 0xb6, 0x68, 0x7e, 0xb7, 0x0a, 0x4a, 
0xfa, 0x2d, 0x87, 0x91, 0x6b, 0xd9,
+ 0xfc, 0x82, 0xea, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x2c, 0x01, 0x00, 0x00, 0x00, 0x8f, 0x89, 0x89, 0x0a,
+ 0x29, 0xf3, 0x34, 0x62, 0xed, 0x14, 0x1b, 0x2e, 0x52, 0x23, 0x4b, 0x05, 0xeb, 0x93, 0xdf, 0x92, 0x58, 0x36, 0x27, 0xc2,
+ 0x36, 0xa5, 0x60, 0x75, 0xd9, 0xc1, 0x94, 0xe4, 0xb2, 0xbb, 0xca, 0x4a, 0x41, 0x84, 0x97, 0x47, 0x37, 0x96, 0x1f, 0xc1,
+ 0xcf, 0x28, 0xc3, 0xa6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x01, 0x00, 0x25, 0x2e, 0x33, 0x01, 0x00, 0x00, 0x00, 0xb4, 0x90, 0xac, 0x1a, 0x44, 0xd4, 0xc6, 0x0f,
+ 0x4a, 0x82, 0xe5, 0xb8, 0x72, 0x0b, 0x97, 0xf3, 0x99, 0x20, 0x30, 0x02, 0xec, 0x1d, 0x19, 0x51, 0x4b, 0xed, 0x3a, 0x27,
+ 0x41, 0x19, 0x47, 0xd4, 0x72, 0xce, 0xf4, 0xff, 0x7e, 0x40, 0x82, 0x15, 0x9e, 0xb6, 0xee, 0xec, 0x5c, 0xcf, 0x88, 0x5c,
+ 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15,
+};
+
+// This is the master key and random signature for full_v512
+uint8_t full_v512_keyfile[] = {
+ 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x00, 0x00,
+ 0x37, 0x0e, 0x3a, 0xf9, 0xde, 0x93, 0xda, 0xac, 0x5d, 0x6e, 0xa0, 0x7a, 0x76, 0x75, 0xdb, 0xca, 0x06, 0x9e, 0x41, 0x77, 0xa8, 0x3c, 0xdb, 0xdf,
+ 0xb6, 0x68, 0x7e, 0xb7, 0x0a, 0x4a, 0xfa, 0x2d, 0x87, 0x91, 0x6b, 0xd9, 0xfc, 0x82, 0xea, 0x3c,
+};
+#define FULL_V512_KEYFILE_SIZE sizeof(full_v512_keyfile)
+
+static void writeOldKeychain(const char* testname, const char * path) {
+ writeFile(path, old_keychain, OLD_KEYCHAIN_SIZE);
+}
+
+static void writeEmptyV512Keychain(const char* testname, const char * path) {
+ writeFile(path, empty_v512, EMPTY_V512_SIZE);
+}
+
+static void writeFullV512Keychain(const char* testname, const char * path) {
+ writeFile(path, full_v512, FULL_V512_SIZE);
+}
+
+static void writeFullV512Keyfile(const char* testname, const char * path) {
+ writeFile(path, full_v512_keyfile, FULL_V512_KEYFILE_SIZE);
 }
 #else
diff --git a/OSX/libsecurity_keychain/regressions/kc-30-xara.c b/OSX/libsecurity_keychain/regressions/kc-30-xara.c
index 469aab65..ffbfd0b9 100644
--- a/OSX/libsecurity_keychain/regressions/kc-30-xara.c
+++ b/OSX/libsecurity_keychain/regressions/kc-30-xara.c
@@ -31,6 +31,9 @@
 #include <TargetConditionals.h>
 #include <Security/cssmapi.h>
 #include <stdlib.h>
+#include <sys/stat.h>
+#include <copyfile.h>
+#include <unistd.h>
 #include "kc-30-xara-item-helpers.h"
 #include "kc-30-xara-key-helpers.h"
@@ -54,7 +57,7 @@ static CSSM_API_MEMORY_FUNCS memFuncs = { cssmMalloc, cssmFree, cssmRealloc, css
 static CSSM_DL_DB_HANDLE initializeDL() {
 CSSM_VERSION version = { 2, 0 };
- CSSM_DL_DB_HANDLE dldbHandle;
+ CSSM_DL_DB_HANDLE dldbHandle = { 0, 0 };
 CSSM_GUID myGuid = { 0xFADE, 0, 0, { 1, 2, 3, 4, 5, 6, 7, 0 } };
 CSSM_PVC_MODE pvcPolicy = CSSM_PVC_NONE;
@@ -121,48 +124,59 @@ static void modifyAttributeInKeychain(char * name, CSSM_DL_DB_HANDLE dldbHandle, static void testAttackItem(CSSM_DL_DB_HANDLE dldbHandle) { char * name = "testAttackItem"; - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecKeychainRef kc = newKeychain(name); checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 0); makeItemWithIntegrity(name, kc, kSecClassGenericPassword, CFSTR("265438ea6807b509c9c6962df3f5033fd1af118f76c5f550e3ed90cb0d3ffce4")); SecKeychainItemRef item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + CFReleaseNull(item); CFReleaseNull(kc); char * modification = "evil_application"; - modifyAttributeInKeychain(name, dldbHandle, keychainFile, CSSM_DL_DB_RECORD_GENERIC_PASSWORD, "PrintName", modification, strlen(modification)); + modifyAttributeInKeychain(name, dldbHandle, keychainDbFile, CSSM_DL_DB_RECORD_GENERIC_PASSWORD, "PrintName", modification, strlen(modification)); kc = openKeychain(name); - checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 0); + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + readPasswordContentsWithResult(item, errSecInvalidItemRef, NULL); + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } -#define testAttackItemTests (newKeychainTests + checkNTests + makeItemWithIntegrityTests + checkNTests + modifyAttributeInKeychainTests + openKeychainTests + checkNTests + 1) +#define testAttackItemTests (newKeychainTests + checkNTests + makeItemWithIntegrityTests + checkNTests + modifyAttributeInKeychainTests + openKeychainTests + checkNTests + readPasswordContentsWithResultTests + 1) static void testAttackKey(CSSM_DL_DB_HANDLE dldbHandle) { char * name = "testAttackKey"; - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", 
"************************************* %s", name); SecKeychainRef kc = newKeychain(name); checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 0); makeKeyWithIntegrity(name, kc, CFSTR("44f10f6bb508d47f8905859efc06eaee500304bc4da408b1f4d2a58c6502147b")); SecKeychainItemRef item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1); + + checkKeyUse((SecKeyRef) item, errSecSuccess); + + CFReleaseNull(item); CFReleaseNull(kc); char * modification = "evil_application"; - modifyAttributeInKeychain(name, dldbHandle, keychainFile, CSSM_DL_DB_RECORD_SYMMETRIC_KEY, "Label", modification, strlen(modification)); + modifyAttributeInKeychain(name, dldbHandle, keychainDbFile, CSSM_DL_DB_RECORD_SYMMETRIC_KEY, "Label", modification, strlen(modification)); kc = openKeychain(name); - checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 0); + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1); + checkKeyUse((SecKeyRef) item, errSecInvalidItemRef); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } -#define testAttackKeyTests (newKeychainTests + checkNTests + makeKeyWithIntegrityTests + checkNTests + modifyAttributeInKeychainTests + openKeychainTests + checkNTests + 1) +#define testAttackKeyTests (newKeychainTests + checkNTests + makeKeyWithIntegrityTests + checkNTests + checkKeyUseTests + modifyAttributeInKeychainTests \ + + openKeychainTests + checkNTests + checkKeyUseTests + 1) static void testAddAfterCorruptItem(CSSM_DL_DB_HANDLE dldbHandle) { char * name = "testAddAfterCorruptItem"; - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecKeychainRef kc = newKeychain(name); checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 0); 
@@ -175,22 +189,26 @@ static void testAddAfterCorruptItem(CSSM_DL_DB_HANDLE dldbHandle) { CFReleaseNull(kc); char * modification = "evil_application"; - modifyAttributeInKeychain(name, dldbHandle, keychainFile, CSSM_DL_DB_RECORD_GENERIC_PASSWORD, "PrintName", modification, strlen(modification)); + modifyAttributeInKeychain(name, dldbHandle, keychainDbFile, CSSM_DL_DB_RECORD_GENERIC_PASSWORD, "PrintName", modification, strlen(modification)); kc = openKeychain(name); + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + deleteItem(item); checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 0); makeCustomItemWithIntegrity(name, kc, kSecClassGenericPassword, CFSTR("evil_application"), CFSTR("d2aa97b30a1f96f9e61fcade2b00d9f4284976a83a5b68392251ee5ec827f8cc")); checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); makeCustomDuplicateItem(name, kc, kSecClassGenericPassword, CFSTR("evil_application")); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testAddAfterCorruptItemTests (newKeychainTests + checkNTests + makeCustomItemWithIntegrityTests + checkNTests + makeDuplicateItemTests \ - + modifyAttributeInKeychainTests + openKeychainTests + checkNTests + makeCustomItemWithIntegrityTests + checkNTests + makeCustomDuplicateItemTests + 1) + + modifyAttributeInKeychainTests + openKeychainTests + checkNTests + deleteItemTests \ + + checkNTests + makeCustomItemWithIntegrityTests + checkNTests + makeCustomDuplicateItemTests + 1) static void testAddAfterCorruptKey(CSSM_DL_DB_HANDLE dldbHandle) { char * name = "testAddAfterCorruptKey"; - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecKeychainRef kc = newKeychain(name); checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 0); 
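Review bot: `item = checkN(...); deleteItem(item);` leaves `item` holding the reference checkN returned and nothing in the hunk releases it; whether deleteItem consumes that reference is not visible here, so if it does not, a `CFReleaseNull(item);` after each deleteItem call is missing. The same pattern appears three times in testAddAfterCorruptKey in the following hunk (symmetric, public and private keys). The testAddAfterCorruptItemTests macro is consistent with the new checkN/deleteItem calls. The hunk ends inside testAddAfterCorruptKey, which continues in the next hunk.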
@@ -216,13 +234,22 @@ static void testAddAfterCorruptKey(CSSM_DL_DB_HANDLE dldbHandle) { ok_status(SecKeychainListRemoveKeychain(&kc), "%s: SecKeychainListRemoveKeychain", name); char * modification = "evil_application"; - modifyAttributeInKeychain(name, dldbHandle, keychainFile, CSSM_DL_DB_RECORD_SYMMETRIC_KEY, "PrintName", modification, strlen(modification)); - modifyAttributeInKeychain(name, dldbHandle, keychainFile, CSSM_DL_DB_RECORD_PUBLIC_KEY, "PrintName", modification, strlen(modification)); - modifyAttributeInKeychain(name, dldbHandle, keychainFile, CSSM_DL_DB_RECORD_PRIVATE_KEY, "PrintName", modification, strlen(modification)); + modifyAttributeInKeychain(name, dldbHandle, keychainDbFile, CSSM_DL_DB_RECORD_SYMMETRIC_KEY, "PrintName", modification, strlen(modification)); + modifyAttributeInKeychain(name, dldbHandle, keychainDbFile, CSSM_DL_DB_RECORD_PUBLIC_KEY, "PrintName", modification, strlen(modification)); + modifyAttributeInKeychain(name, dldbHandle, keychainDbFile, CSSM_DL_DB_RECORD_PRIVATE_KEY, "PrintName", modification, strlen(modification)); kc = openKeychain(name); + + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1); + deleteItem(item); checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 0); + + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 1); + deleteItem(item); checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 0); + + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 1); + deleteItem(item); checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 0); makeCustomKeyWithIntegrity(name, kc, CFSTR("evil_application"), CFSTR("ca6d90a0b053113e43bbb67f64030230c96537f77601f66bdf821d8684431dfc")); 
@@ -238,6 +265,7 @@ static void testAddAfterCorruptKey(CSSM_DL_DB_HANDLE dldbHandle) { CFReleaseNull(item); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testAddAfterCorruptKeyTests (newKeychainTests \ + checkNTests + checkNTests + checkNTests \ 
@@ -248,76 +276,459 @@ static void testAddAfterCorruptKey(CSSM_DL_DB_HANDLE dldbHandle) { + modifyAttributeInKeychainTests \ + modifyAttributeInKeychainTests \ + openKeychainTests \ - + checkNTests + checkNTests + checkNTests \ + + checkNTests + deleteItemTests + checkNTests \ + + checkNTests + deleteItemTests + checkNTests \ + + checkNTests + deleteItemTests + checkNTests \ + makeCustomKeyWithIntegrityTests + checkNTests \ + makeCustomDuplicateKeyTests \ + makeCustomKeyPairTests + checkNTests + checkNTests \ + 1) +// These constants are in CommonBlob, but we're in C and can't access them +#define version_MacOS_10_0 0x00000100 +#define version_partition 0x00000200 + static void testKeychainUpgrade() { char name[100]; sprintf(name, "testKeychainUpgrade"); - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); + UInt32 version; + char* path = malloc(sizeof(char) * 400); + UInt32 len = 400; + + // To test multi-threading, we want the upgrade to take a while. Add a bunch of passwords... + char oldkcFile[100]; + sprintf(oldkcFile, "%s/Library/test.keychain", getenv("HOME")); + unlink(oldkcFile); + writeOldKeychain(name, oldkcFile); + + SecKeychainRef kc = openCustomKeychain(name, oldkcFile, "password"); + + for(int i = 0; i < 200; i++) { + CFTypeRef result = NULL; + CFStringRef cflabel = CFStringCreateWithFormat(NULL, NULL, CFSTR("item%d"), i); + CFMutableDictionaryRef query = makeAddCustomItemDictionaryWithService(kc, kSecClassInternetPassword, cflabel, cflabel, CFSTR("no service")); + SecItemAdd(query, &result); // don't particuluarly care if this fails... 
+ CFReleaseNull(query); + CFReleaseNull(cflabel); + CFReleaseNull(result); + } - writeOldKeychain(name, keychainFile); - SecKeychainRef kc = openCustomKeychain(name, "test.keychain", "password"); + CFReleaseNull(kc); + + ok_status(copyfile(oldkcFile, keychainFile, NULL, COPYFILE_UNLINK | COPYFILE_ALL), "%s: copyfile", name); + unlink(oldkcFile); + unlink(keychainDbFile); + static dispatch_once_t onceToken = 0; + static dispatch_queue_t release_queue = NULL; + dispatch_once(&onceToken, ^{ + release_queue = dispatch_queue_create("com.apple.security.keychain-upgrade-queue", DISPATCH_QUEUE_CONCURRENT); + }); + + dispatch_group_t g = dispatch_group_create(); SecKeychainItemRef item; + char* __block blockName = NULL; + asprintf(&blockName, "%s", name); + + kc = openCustomKeychain(name, keychainName, "password"); + + // Directly after an upgrade, no items should have partition ID lists + dispatch_group_async(g, release_queue, ^() { + secerror("beginning 1\n"); + SecKeychainRef blockKc; + SecKeychainOpen(keychainName, &blockKc); + SecKeychainItemRef item = checkN(blockName, makeQueryItemDictionary(blockKc, kSecClassGenericPassword), 1); + checkIntegrityHash(blockName, item, CFSTR("39c56eadd3e3b496b6099e5f3d5ff88eaee9ca2e3a50c1be8319807a72e451e5")); + checkPartitionIDs(blockName, item, 0); + CFReleaseSafe(blockKc); + CFReleaseSafe(item); + secerror("ending 1\n"); + }); + + dispatch_group_async(g, release_queue, ^() { + usleep(0.1 * USEC_PER_SEC); // use different timings to try to find multithreaded upgrade bugs + secerror("beginning 2\n"); + SecKeychainRef blockKc; + SecKeychainOpen(keychainName, &blockKc); + SecKeychainItemRef item = checkN(blockName, makeQueryItemDictionaryWithService(blockKc, kSecClassInternetPassword, CFSTR("test_service")), 1); + checkIntegrityHash(blockName, item, CFSTR("4f1b64e3c156968916e72d8ff3f1a8eb78b32abe0b2b43f0578eb07c722aaf03")); + checkPartitionIDs(blockName, item, 0); + CFReleaseSafe(blockKc); + CFReleaseSafe(item); + secerror("ending 
2\n"); + }); + + dispatch_group_async(g, release_queue, ^() { + usleep(0.3 * USEC_PER_SEC); + secerror("beginning 3\n"); + SecKeychainRef blockKc; + SecKeychainOpen(keychainName, &blockKc); + SecKeychainItemRef item = checkN(blockName, makeQueryKeyDictionary(blockKc, kSecAttrKeyClassSymmetric), 1); + checkIntegrityHash(blockName, (SecKeychainItemRef) item, CFSTR("44f10f6bb508d47f8905859efc06eaee500304bc4da408b1f4d2a58c6502147b")); + checkPartitionIDs(blockName, (SecKeychainItemRef) item, 0); + CFReleaseSafe(blockKc); + CFReleaseSafe(item); + secerror("ending 3\n"); + }); + + dispatch_group_async(g, release_queue, ^() { + usleep(0.5 * USEC_PER_SEC); + secerror("beginning 4\n"); + SecKeychainRef blockKc; + SecKeychainOpen(keychainName, &blockKc); + SecKeychainItemRef item = checkN(blockName, makeQueryKeyDictionary(blockKc, kSecAttrKeyClassPublic), 1); + checkIntegrityHash(blockName, (SecKeychainItemRef) item, CFSTR("42d29fd5e9935edffcf6d0261eabddb00782ec775caa93716119e8e553ab5578")); + checkPartitionIDs(blockName, (SecKeychainItemRef) item, 0); + CFReleaseSafe(blockKc); + CFReleaseSafe(item); + secerror("ending 4\n"); + }); + + dispatch_group_async(g, release_queue, ^() { + usleep(1 * USEC_PER_SEC); + secerror("beginning 5\n"); + SecKeychainRef blockKc; + SecKeychainOpen(keychainName, &blockKc); + SecKeychainItemRef item = checkN(blockName, makeQueryKeyDictionary(blockKc, kSecAttrKeyClassPrivate), 1); + checkIntegrityHash(blockName, (SecKeychainItemRef) item, CFSTR("bdf219cdbc2dc6c4521cf39d1beda2e3491ef0330ba59eb41229dd909632f48d")); + checkPartitionIDs(blockName, (SecKeychainItemRef) item, 0); + CFReleaseSafe(blockKc); + CFReleaseSafe(item); + secerror("ending 5\n"); + }); + + dispatch_group_wait(g, DISPATCH_TIME_FOREVER); + + // @@@ I'm worried that there are still some thread issues in AppleDatabase; if these are run in the blocks above + // you can sometimes get CSSMERR_DL_INVALID_RECORD_UID/errSecInvalidRecord instead of errSecDuplicateItem + // 
<rdar://problem/27085024> Multi-threading duplicate item creation sometimes returns -67701 + makeCustomDuplicateItem(name, kc, kSecClassGenericPassword, CFSTR("test_generic")); + makeCustomDuplicateItem(name, kc, kSecClassInternetPassword, CFSTR("test_internet")); + + // Check the keychain's version and path + ok_status(SecKeychainGetKeychainVersion(kc, &version), "%s: SecKeychainGetKeychainVersion", name); + is(version, version_partition, "%s: version of upgraded keychain is incorrect", name); + ok_status(SecKeychainGetPath(kc, &len, path), "%s: SecKeychainGetKeychainPath", name); + eq_stringn(path, len, keychainDbFile, strlen(keychainDbFile), "%s: paths do not match", name); + free(path); + + // Now close the keychain and open it again + CFReleaseNull(kc); + kc = openCustomKeychain(name, keychainName, "password"); + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); checkIntegrityHash(name, item, CFSTR("39c56eadd3e3b496b6099e5f3d5ff88eaee9ca2e3a50c1be8319807a72e451e5")); + checkPartitionIDs(name, item, 0); makeCustomDuplicateItem(name, kc, kSecClassGenericPassword, CFSTR("test_generic")); item = checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 1); checkIntegrityHash(name, item, CFSTR("4f1b64e3c156968916e72d8ff3f1a8eb78b32abe0b2b43f0578eb07c722aaf03")); + checkPartitionIDs(name, item, 0); makeCustomDuplicateItem(name, kc, kSecClassInternetPassword, CFSTR("test_internet")); item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1); checkIntegrityHash(name, (SecKeychainItemRef) item, CFSTR("44f10f6bb508d47f8905859efc06eaee500304bc4da408b1f4d2a58c6502147b")); + checkPartitionIDs(name, (SecKeychainItemRef) item, 0); item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 1); checkIntegrityHash(name, (SecKeychainItemRef) item, CFSTR("42d29fd5e9935edffcf6d0261eabddb00782ec775caa93716119e8e553ab5578")); + checkPartitionIDs(name, (SecKeychainItemRef) item, 0); item = checkN(name, 
makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 1); checkIntegrityHash(name, (SecKeychainItemRef) item, CFSTR("bdf219cdbc2dc6c4521cf39d1beda2e3491ef0330ba59eb41229dd909632f48d")); + checkPartitionIDs(name, (SecKeychainItemRef) item, 0); - // Now close the keychain and open it again + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); CFReleaseNull(kc); - kc = openCustomKeychain(name, "test.keychain", "password"); + + // make sure we clean up any files left over + unlink(keychainDbFile); + unlink(keychainFile); + unlink(oldkcFile); +} +#define testKeychainUpgradeTests (openCustomKeychainTests + 1 + openCustomKeychainTests + 4 \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests + makeCustomDuplicateItemTests \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests + makeCustomDuplicateItemTests \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests \ + + openCustomKeychainTests \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests + makeCustomDuplicateItemTests \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests + makeCustomDuplicateItemTests \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests \ + + checkNTests + checkIntegrityHashTests + checkPartitionIDsTests \ + + 1) + +// tests that SecKeychainCreate over an old .keychain file returns an empty keychain +static void testKeychainCreateOver() { + char name[100]; + sprintf(name, "testKeychainCreateOver"); + secnotice("integrity", "************************************* %s", name); + UInt32 version; + char* path = malloc(sizeof(char) * 400); + UInt32 len = 400; + + writeOldKeychain(name, keychainFile); + unlink(keychainDbFile); + + SecKeychainItemRef item = NULL; + + // Check that we upgrade on 
SecKeychainOpen + SecKeychainRef kc = openCustomKeychain(name, keychainName, "password"); item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); checkIntegrityHash(name, item, CFSTR("39c56eadd3e3b496b6099e5f3d5ff88eaee9ca2e3a50c1be8319807a72e451e5")); + + ok_status(SecKeychainDelete(kc)); + CFReleaseNull(kc); + + // the old file should still exist, but the -db file should not. + struct stat filebuf; + is(stat(keychainFile, &filebuf), 0, "%s: check %s exists", name, keychainFile); + isnt(stat(keychainDbFile, &filebuf), 0, "%s: check %s does not exist", name, keychainDbFile); + + // Now create a new keychain over the old remnants. + ok_status(SecKeychainCreate(keychainFile, (UInt32) strlen("password"), "password", false, NULL, &kc), "%s: SecKeychainCreate", name); + + // Directly after creating a keychain, there shouldn't be any items (even though an old keychain exists underneath) + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 0); + item = checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 0); + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 0); + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 0); + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 0); + + // Check the keychain's version and path + ok_status(SecKeychainGetKeychainVersion(kc, &version), "%s: SecKeychainGetKeychainVersion", name); + is(version, version_partition, "%s: version of upgraded keychain is incorrect", name); + ok_status(SecKeychainGetPath(kc, &len, path), "%s: SecKeychainGetKeychainPath", name); + eq_stringn(path, len, keychainDbFile, strlen(keychainDbFile), "%s: paths do not match", name); + free(path); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); + + // final check that the files on-disk are as we expect + is(stat(keychainFile, &filebuf), 0, "%s: check %s exists", name, keychainFile); + 
isnt(stat(keychainDbFile, &filebuf), 0, "%s: check %s does not exist", name, keychainDbFile); + + // make sure we clean up any files left over + unlink(keychainDbFile); + unlink(keychainFile); +} +#define testKeychainCreateOverTests (openCustomKeychainTests + \ ++ checkNTests + checkIntegrityHashTests \ ++ 1 + 2 + 1 \ ++ checkNTests \ ++ checkNTests \ ++ checkNTests \ ++ checkNTests \ ++ checkNTests \ ++ 4 + 1 + 2) + +static void testKeychainDowngrade() { + char *name = "testKeychainDowngrade"; + secnotice("integrity", "************************************* %s", name); + + // For now, don't worry about filenames + writeFullV512Keychain(name, keychainDbFile); + unlink(keychainFile); + writeFullV512Keyfile(name, keychainTempFile); + + SecKeychainRef kc = openCustomKeychain(name, keychainName, "password"); + UInt32 version; + + ok_status(SecKeychainGetKeychainVersion(kc, &version), "%s: SecKeychainGetKeychainVersion", name); + is(version, version_partition, "%s: version of initial keychain is incorrect", name); + + SecKeychainItemRef item; + + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + checkIntegrityHash(name, item, CFSTR("6ba8d9f77ddba54d9373b11ae5c8f7b55a5e81da27e05e86723eeceb0a9a8e0c")); makeCustomDuplicateItem(name, kc, kSecClassGenericPassword, CFSTR("test_generic")); item = checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 1); - checkIntegrityHash(name, item, CFSTR("4f1b64e3c156968916e72d8ff3f1a8eb78b32abe0b2b43f0578eb07c722aaf03")); + checkIntegrityHash(name, item, CFSTR("630a9fe4f0191db8a99d6e8455e7114f628ce8f0f9eb3559efa572a98877a2b2")); makeCustomDuplicateItem(name, kc, kSecClassInternetPassword, CFSTR("test_internet")); item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1); checkIntegrityHash(name, (SecKeychainItemRef) item, CFSTR("44f10f6bb508d47f8905859efc06eaee500304bc4da408b1f4d2a58c6502147b")); item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 1); - 
checkIntegrityHash(name, (SecKeychainItemRef) item, CFSTR("42d29fd5e9935edffcf6d0261eabddb00782ec775caa93716119e8e553ab5578")); + checkIntegrityHash(name, (SecKeychainItemRef) item, CFSTR("d27ee2be4920d5b6f47f6b19696d09c9a6c1a5d80c6f148f778db27b4ba99d9a")); item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 1); - checkIntegrityHash(name, (SecKeychainItemRef) item, CFSTR("bdf219cdbc2dc6c4521cf39d1beda2e3491ef0330ba59eb41229dd909632f48d")); + checkIntegrityHash(name, (SecKeychainItemRef) item, CFSTR("4b3f7bd7f9e48dc71006ce670990aed9dba6d5089b84d4113121bab41d0a3228")); + + + + ok_status(SecKeychainAttemptMigrationWithMasterKey(kc, version_MacOS_10_0, keychainTempFile), "%s: SecKeychainAttemptKeychainMigrationWithMasterKey", name); + ok_status(SecKeychainGetKeychainVersion(kc, &version), "%s: SecKeychainGetKeychainVersion", name); + is(version, version_MacOS_10_0, "%s: version of downgraded keychain is incorrect", name); + + checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + makeCustomDuplicateItem(name, kc, kSecClassGenericPassword, CFSTR("test_generic")); + checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 1); + makeCustomDuplicateItem(name, kc, kSecClassInternetPassword, CFSTR("test_internet")); + + checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1); + checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 1); + checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 1); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); + + // make sure we clean up + unlink(keychainTempFile); + unlink(keychainDbFile); + unlink(keychainFile); } -#define testKeychainUpgradeTests (openCustomKeychainTests \ - + checkNTests + checkIntegrityHashTests + makeCustomDuplicateItemTests \ - + checkNTests + checkIntegrityHashTests + makeCustomDuplicateItemTests \ - + checkNTests + checkIntegrityHashTests + \ - + checkNTests + checkIntegrityHashTests + \ - + 
checkNTests + checkIntegrityHashTests + \ - + openCustomKeychainTests \ +#define testKeychainDowngradeTests (openCustomKeychainTests + 2 \ + checkNTests + checkIntegrityHashTests + makeCustomDuplicateItemTests \ + checkNTests + checkIntegrityHashTests + makeCustomDuplicateItemTests \ + checkNTests + checkIntegrityHashTests +\ + checkNTests + checkIntegrityHashTests +\ + checkNTests + checkIntegrityHashTests +\ - 1) + + 3 + \ + + checkNTests + makeCustomDuplicateItemTests \ + + checkNTests + makeCustomDuplicateItemTests \ + + checkNTests \ + + checkNTests \ + + checkNTests \ + + 1)\ + +// Test opening and upgrading a v256 keychain at a -db filename. +static void testKeychainWrongFile256() { + char name[100]; + sprintf(name, "testKeychainWrongFile256"); + secnotice("integrity", "************************************* %s", name); + UInt32 version; + + unlink(keychainFile); + writeOldKeychain(name, keychainDbFile); + + // Only keychainDb file should exist + struct stat filebuf; + isnt(stat(keychainFile, &filebuf), 0, "%s: %s exists and shouldn't", name, keychainFile); + is(stat(keychainDbFile, &filebuf), 0, "%s: %s does not exist", name, keychainDbFile); + + SecKeychainRef kc = openCustomKeychain(name, keychainName, "password"); + + SecKeychainItemRef item; + + // Iterate over the keychain to trigger upgrade + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + makeCustomDuplicateItem(name, kc, kSecClassGenericPassword, CFSTR("test_generic")); + + // We should have created keychainFile, check for it + is(stat(keychainFile, &filebuf), 0, "%s: %s does not exist", name, keychainFile); + is(stat(keychainDbFile, &filebuf), 0, "%s: %s does not exist", name, keychainDbFile); + + // Check the keychain's version and path + char path[400]; + UInt32 len = sizeof(path); + + ok_status(SecKeychainGetKeychainVersion(kc, &version), "%s: SecKeychainGetKeychainVersion", name); + is(version, version_partition, "%s: version of re-upgraded keychain is 
incorrect", name); + ok_status(SecKeychainGetPath(kc, &len, path), "%s: SecKeychainGetPath", name); + eq_stringn(path, len, keychainDbFile, strlen(keychainDbFile), "%s: paths do not match", name); + + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + makeCustomDuplicateItem(name, kc, kSecClassGenericPassword, CFSTR("test_generic")); + + item = checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 1); + makeCustomDuplicateItem(name, kc, kSecClassInternetPassword, CFSTR("test_internet")); + + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1); + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 1); + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 1); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); + + // make sure we clean up any files left over + unlink(keychainDbFile); + unlink(keychainFile); +} +#define testKeychainWrongFile256Tests (2 + openCustomKeychainTests \ + + checkNTests + makeCustomDuplicateItemTests \ + + 2 + 4 \ + + checkNTests + makeCustomDuplicateItemTests \ + + checkNTests + makeCustomDuplicateItemTests \ + + checkNTests \ + + checkNTests \ + + checkNTests \ + + 1) + +// Test opening and upgrading a v512 keychain at a .keychain filename. 
+static void testKeychainWrongFile512() { + char name[100]; + sprintf(name, "testKeychainWrongFile512"); + secnotice("integrity", "************************************* %s", name); + UInt32 version; + + writeFullV512Keychain(name, keychainFile); + unlink(keychainDbFile); + + // Only keychain file should exist + struct stat filebuf; + isnt(stat(keychainDbFile, &filebuf), 0, "%s: %s exists and shouldn't", name, keychainFile); + is(stat(keychainFile, &filebuf), 0, "%s: %s does not exist", name, keychainDbFile); + + SecKeychainRef kc = openCustomKeychain(name, keychainName, "password"); + + SecKeychainItemRef item; + + // Iterate over the keychain to trigger upgrade + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + makeCustomDuplicateItem(name, kc, kSecClassGenericPassword, CFSTR("test_generic")); + + // We should have move the keychain to keychainDbFile, check for it + isnt(stat(keychainFile, &filebuf), 0, "%s: %s still exists", name, keychainFile); + is(stat(keychainDbFile, &filebuf), 0, "%s: %s does not exist", name, keychainDbFile); + + // Check the keychain's version and path + char path[400]; + UInt32 len = sizeof(path); + + ok_status(SecKeychainGetKeychainVersion(kc, &version), "%s: SecKeychainGetKeychainVersion", name); + is(version, version_partition, "%s: version of moved keychain is incorrect", name); + ok_status(SecKeychainGetPath(kc, &len, path), "%s: SecKeychainGetPath", name); + eq_stringn(path, len, keychainDbFile, strlen(keychainDbFile), "%s: paths do not match", name); + + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + makeCustomDuplicateItem(name, kc, kSecClassGenericPassword, CFSTR("test_generic")); + + item = checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 1); + makeCustomDuplicateItem(name, kc, kSecClassInternetPassword, CFSTR("test_internet")); + + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1); + item = checkN(name, 
makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 1); + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 1); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); + + // make sure we clean up any files left over + unlink(keychainDbFile); + unlink(keychainFile); +} +#define testKeychainWrongFile512Tests (2 + openCustomKeychainTests \ ++ checkNTests + makeCustomDuplicateItemTests \ ++ 2 + 4 \ ++ checkNTests + makeCustomDuplicateItemTests \ ++ checkNTests + makeCustomDuplicateItemTests \ ++ checkNTests \ ++ checkNTests \ ++ checkNTests \ ++ 1) + + +#undef version_partition +#undef version_MacOS_10_0 static SecAccessRef makeUidAccess(uid_t uid) { @@ -399,7 +810,7 @@ static void checkAccessLength(const char * name, SecAccessRef access, int expect static void testUidAccess() { char name[100]; sprintf(name, "testUidAccess"); - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecAccessRef access = makeUidAccess(getuid()); @@ -429,6 +840,7 @@ static void testUidAccess() { checkAccessLength(name, access, 2); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testUidAccessTests (newKeychainTests + 2 + checkNTests + 1 + checkNTests + 1 + checkAccessLengthTests \ + 2 + checkAccessLengthTests + 1) @@ -495,7 +907,7 @@ static SecAccessRef makeMultipleUidAccess(uid_t* uids, uint32 count) static void testMultipleUidAccess() { char name[100]; sprintf(name, "testMultipleUidAccess"); - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); uid_t uids[5]; uids[0] = getuid(); 
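Review bot: `sprintf(oldkcFile, "%s/Library/test.keychain", getenv("HOME"))` in testKeychainUpgrade writes an environment-supplied string into a 100-byte stack buffer with no bound, and getenv can return NULL; check the HOME result first and use `snprintf(oldkcFile, sizeof(oldkcFile), "%s/Library/test.keychain", home);` so an oversized or missing HOME fails the test instead of overflowing the stack. In the five dispatch_group_async blocks `SecKeychainRef blockKc;` is left uninitialized and the SecKeychainOpen status is dropped, so a failed open hands an indeterminate pointer to checkN and CFReleaseSafe — declare it as `SecKeychainRef blockKc = NULL;` and skip the checks when the open does not return errSecSuccess. In testKeychainWrongFile512 the two stat messages are crossed: the isnt() on keychainDbFile reports keychainFile and the is() on keychainFile reports keychainDbFile, so a failure would name the wrong path. The asprintf'd blockName is never freed and its return value is unchecked, the dispatch group is never released (needed in plain C unless the build maps dispatch objects to ObjC), and `path` in testKeychainUpgrade/testKeychainCreateOver is an unchecked malloc where testKeychainWrongFile256 uses a stack array — worth aligning. `ok_status(SecKeychainDelete(kc));` in testKeychainCreateOver is the only call without a description, so its TAP line will be unlabeled if the macro accepts that form at all.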
@@ -517,13 +929,14 @@ static void testMultipleUidAccess() { checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testMultipleUidAccessTests (newKeychainTests + checkNTests + 3) static void testRootUidAccess() { char name[100]; sprintf(name, "testRootUidAccess"); - secdebugfunc("integrity", "************************************* %s", name); + secnotice("integrity", "************************************* %s", name); SecAccessRef access = SecAccessCreateWithOwnerAndACL(getuid(), 0, (kSecUseOnlyUID | kSecHonorRoot), NULL, NULL); 
@@ -543,9 +956,97 @@ static void testRootUidAccess() { checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); } #define testRootUidAccessTests (newKeychainTests + checkNTests + 4 + checkNTests) +static void testBadACL() { + char name[100]; + sprintf(name, "testBadACL"); + secnotice("integrity", "************************************* %s", name); + + SecKeychainItemRef item = NULL; + + unlink(keychainFile); + writeFullV512Keychain(name, keychainDbFile); + + SecKeychainRef kc = openCustomKeychain(name, keychainName, "password"); + + // Check that these exist in this keychain... + checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 1); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFRelease(kc); + + // Corrupt all the ACLs, by changing the partition id plist entry + uint8_t * fileBuffer = (uint8_t*) malloc(FULL_V512_SIZE); + memcpy(fileBuffer, full_v512, FULL_V512_SIZE); + + void* p; + char * str = "<key>Partitions</key>"; + while( (p = memmem(fileBuffer, FULL_V512_SIZE, (void*) str, strlen(str))) ) { + *(uint8_t*) p = 0; + } + writeFile(keychainDbFile, fileBuffer, FULL_V512_SIZE); + free(fileBuffer); + + kc = openCustomKeychain(name, keychainName, "password"); + + // These items exist in this keychain, but their ACL is corrupted. We should be able to find them, but not fetch data. 
+ item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + readPasswordContentsWithResult(item, errSecInvalidItemRef, NULL); // we don't expect to be able to read this + deleteItem(item); + checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 0); + + item = checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 1); + readPasswordContentsWithResult(item, errSecInvalidItemRef, NULL); // we don't expect to be able to read this + deleteItem(item); + checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 0); + + // These should work + makeItem(name, kc, kSecClassGenericPassword, CFSTR("test_generic")); + makeItem(name, kc, kSecClassInternetPassword, CFSTR("test_internet")); + + // And now the items should exist + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + readPasswordContents(item, CFSTR("data")); + item = checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 1); + readPasswordContents(item, CFSTR("data")); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); +} +#define testBadACLTests (openCustomKeychainTests + checkNTests * 2 + 1 + openCustomKeychainTests \ + + 2*(checkNTests + readPasswordContentsWithResultTests + deleteItemTests + checkNTests) \ + + makeItemTests*2 + checkNTests*2 + readPasswordContentsTests*2 + 1) + +static void testIterateLockedKeychain() { + char name[100]; + sprintf(name, "testIterateLockedKeychain"); + secnotice("integrity", "************************************* %s", name); + + SecKeychainItemRef item = NULL; + + unlink(keychainFile); + writeFullV512Keychain(name, keychainDbFile); + + SecKeychainRef kc = openCustomKeychain(name, keychainName, "password"); + + ok_status(SecKeychainLock(kc), "%s: SecKeychainLock", name); + + item = checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1); + item = checkN(name, makeQueryItemDictionary(kc, kSecClassInternetPassword), 1); + + 
item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassSymmetric), 1); + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPublic), 1); + item = checkN(name, makeQueryKeyDictionary(kc, kSecAttrKeyClassPrivate), 1); + + ok_status(SecKeychainDelete(kc), "%s: SecKeychainDelete", name); + CFReleaseNull(kc); +} +#define testIterateLockedKeychainTests (openCustomKeychainTests + 1 + checkNTests*5 + 1) + #define kTestCount (0 \ + testAddItemTests \ + testAddItemTests \ @@ -576,16 +1077,20 @@ static void testRootUidAccess() { + unloadDLTests \ \ + testKeychainUpgradeTests \ + + testKeychainCreateOverTests \ + + testKeychainDowngradeTests \ + + testKeychainWrongFile256Tests \ + + testKeychainWrongFile512Tests \ + testUidAccessTests \ + testMultipleUidAccessTests \ + testRootUidAccessTests \ + + testBadACLTests \ + + testIterateLockedKeychainTests \ ) static void tests(void) { - const char *home_dir = getenv("HOME"); - sprintf(keychainFile, "%s/Library/Keychains/test.keychain", home_dir); - sprintf(keychainName, "test.keychain"); + initializeKeychainTests("kc-30-xara"); testAddItem(kSecClassGenericPassword, CFSTR("265438ea6807b509c9c6962df3f5033fd1af118f76c5f550e3ed90cb0d3ffce4")); testAddItem(kSecClassInternetPassword, CFSTR("be34c4562153063ce9cdefc2c34451d5e6e98a447f293d68a67349c1b5d1164f")); @@ -627,9 +1132,15 @@ static void tests(void) unloadDL(&dldbHandle); testKeychainUpgrade(); + testKeychainCreateOver(); + testKeychainDowngrade(); + testKeychainWrongFile256(); + testKeychainWrongFile512(); testUidAccess(); testMultipleUidAccess(); testRootUidAccess(); + testBadACL(); + testIterateLockedKeychain(); //makeOldKeychainBlob(); } @@ -653,5 +1164,6 @@ int kc_30_xara(int argc, char *const *argv) tests(); + deleteTestFiles(); return 0; } diff --git a/OSX/libsecurity_keychain/regressions/kc-40-seckey.c b/OSX/libsecurity_keychain/regressions/kc-40-seckey.c deleted file mode 100644 index 289080af..00000000 
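Review bot: In testIterateLockedKeychain the five `item = checkN(...)` results are assigned but never read, so `item` is a dead store that -Wunused-but-set-variable will flag; either drop the assignments (`checkN(name, makeQueryItemDictionary(kc, kSecClassGenericPassword), 1);`) or actually use the returned item. Nothing after the SecKeychainLock call verifies that the keychain is still locked once the five searches have run, which is the property the test's name promises, so a search path that transparently unlocked the keychain would still pass. Consider asserting the lock state after the last checkN, e.g. `SecKeychainStatus kcStatus = 0; ok_status(SecKeychainGetStatus(kc, &kcStatus), "%s: SecKeychainGetStatus", name); ok((kcStatus & kSecUnlockStateStatus) == 0, "%s: keychain still locked", name);` and raise testIterateLockedKeychainTests by 2 to match. In testBadACL, `char * str = "<key>Partitions</key>";` points at a string literal and should be `const char *str` (or `static const char str[]`), and the `malloc(FULL_V512_SIZE)` result is passed to memcpy without a NULL check.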
--- a/OSX/libsecurity_keychain/regressions/kc-40-seckey.c +++ /dev/null 
@@ -1,609 +0,0 @@ -/* - * Copyright (c) 2007-2009,2013-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -#include <TargetConditionals.h> -#include <CoreFoundation/CoreFoundation.h> -#include <Security/Security.h> -#include <Security/SecRandom.h> -#include <CommonCrypto/CommonDigest.h> -#include <Security/SecKeyPriv.h> -#include <Security/SecItem.h> - -#if 0 -#include <Security/SecCertificate.h> -#include <Security/SecCertificateInternal.h> -#include <Security/SecKey.h> -#include <Security/SecItem.h> -#include <Security/SecAsn1Types.h> -#include <Security/oidsalg.h> -#include <libDER/libDER.h> -#include <stdlib.h> -#include <unistd.h> -#endif - -#include "keychain_regressions.h" -#include "utilities/SecCFRelease.h" - -#if TARGET_OS_IPHONE -static void testdigestandsignalg(SecKeyRef privKey, SecKeyRef pubKey, const SecAsn1AlgId *algId) { - uint8_t dataToDigest[256]; - size_t dataToDigestLen = sizeof(dataToDigest); - size_t sigLen = SecKeyGetSize(privKey, kSecKeySignatureSize); - uint8_t sig[sigLen]; - - DERItem oid; - oid.length = algId->algorithm.Length; - 
oid.data = algId->algorithm.Data; - - /* Get the oid in decimal for display purposes. */ - CFStringRef oidStr = SecDERItemCopyOIDDecimalRepresentation(kCFAllocatorDefault, &oid); - char oidBuf[40]; - CFStringGetCString(oidStr, oidBuf, sizeof(oidBuf), kCFStringEncodingUTF8); - CFRelease(oidStr); - - SKIP: { - OSStatus status; - - /* Time to sign. */ - ok_status(status = SecKeyDigestAndSign(privKey, algId, dataToDigest, dataToDigestLen, - sig, &sigLen), "digest and sign %s with %ld bit RSA key", oidBuf, sigLen * 8); - - skip("SecKeyDigestAndSign failed", 3, status == errSecSuccess); - - /* Verify the signature we just made. */ - ok_status(SecKeyDigestAndVerify(pubKey, algId, dataToDigest, dataToDigestLen, - sig, sigLen), "digest and verify"); - /* Invalidate the signature. */ - sig[0] ^= 0xff; - is_status(SecKeyDigestAndVerify(pubKey, algId, dataToDigest, dataToDigestLen, - sig, sigLen), errSSLCrypto, "digest and verify bad sig"); - sig[0] ^= 0xff; - dataToDigest[0] ^= 0xff; - is_status(SecKeyDigestAndVerify(pubKey, algId, dataToDigest, dataToDigestLen, - sig, sigLen), errSSLCrypto, "digest and verify bad digest"); - } -} - -static void testdigestandsign(SecKeyRef privKey, SecKeyRef pubKey) { - static const SecAsn1Oid *oids[] = { - &CSSMOID_SHA1WithRSA, - &CSSMOID_SHA224WithRSA, - &CSSMOID_SHA256WithRSA, - &CSSMOID_SHA384WithRSA, - &CSSMOID_SHA512WithRSA, -#if 0 - &CSSMOID_SHA1WithRSA_OIW, - &CSSMOID_SHA1WithDSA, // BSAFE - &CSSMOID_SHA1WithDSA_CMS, // X509/CMS - &CSSMOID_SHA1WithDSA_JDK, // JDK 1.1 -#endif - }; - - - uint32_t ix; - SecAsn1AlgId algId = {}; - for (ix = 0; ix < sizeof(oids) / sizeof(*oids); ++ix) { - if (oids[ix]) { - algId.algorithm = *oids[ix]; - } else { - algId.algorithm.Length = 0; - algId.algorithm.Data = NULL; - } - - testdigestandsignalg(privKey, pubKey, &algId); - } -} -#endif - -#if 0 -static void dump_bytes(uint8_t* bytes, size_t amount) -{ - while (amount > 0) { - printf("0x%02x ", *bytes); - ++bytes; - --amount; - } -} -#endif - - -#if 
!TARGET_OS_IPHONE -#define kEncryptDecryptTestCount 0 -#else -#define kEncryptDecryptTestCount 5 -static void test_encrypt_decrypt(SecKeyRef pubKey, SecKeyRef privKey, uint32_t padding, size_t keySizeInBytes) -{ - SKIP: { - size_t max_len = keySizeInBytes; - switch (padding) { - case kSecPaddingNone: max_len = keySizeInBytes; break; - case kSecPaddingOAEP: max_len = keySizeInBytes - 2 - 2 * CC_SHA1_DIGEST_LENGTH; break; - case kSecPaddingPKCS1: max_len = keySizeInBytes - 11; break; - default: skip("what is the max_len for this padding?", 5, false); - } - - uint8_t secret[max_len + 1], encrypted_secret[keySizeInBytes], decrypted_secret[keySizeInBytes]; - uint8_t *secret_ptr = secret; - size_t secret_len = max_len; - size_t encrypted_secret_len = sizeof(encrypted_secret); - size_t decrypted_secret_len = sizeof(decrypted_secret); - memset(decrypted_secret, 0xff, decrypted_secret_len); - SecRandomCopyBytes(kSecRandomDefault, sizeof(secret), secret); - - // zero pad, no accidental second zero byte - if (padding == kSecPaddingNone) { - secret[0] = 0; - secret[1] = 128; - } - - is_status(SecKeyEncrypt(pubKey, padding, - secret, sizeof(secret), - encrypted_secret, &encrypted_secret_len), errSecParam, "encrypt secret (overflow)"); - ok_status(SecKeyEncrypt(pubKey, padding, - secret, secret_len, - encrypted_secret, &encrypted_secret_len), "encrypt secret"); - - ok_status(SecKeyDecrypt(privKey, padding, - encrypted_secret, encrypted_secret_len, - decrypted_secret, &decrypted_secret_len), "decrypt secret"); - - // zero padding is removed on decode - if (padding == kSecPaddingNone) { - secret_len--; - secret_ptr++; - } - - ok(decrypted_secret_len == secret_len, "correct length"); - ok_status(memcmp(secret_ptr, decrypted_secret, secret_len), "verify secret"); - } -} -#endif - - - -#if !TARGET_OS_IPHONE -/* This is part of Security.framework on iOS */ - -enum { - // kSecKeyKeySizeInBits = 0, // already exists on osx - kSecKeySignatureSize = 101, - kSecKeyEncryptedDataSize = 102, 
- // More might belong here, but we aren't settled on how - // to take into account padding and/or digest types. -}; - -static -size_t SecKeyGetSize(SecKeyRef key, int whichSize) -{ - size_t result = SecKeyGetBlockSize(key); - - /* This is only RSA */ - if (whichSize == kSecKeyKeySizeInBits) - result *= 8; - - return result; -} -#endif - -#define kKeyGenTestCount (11 + (3*kEncryptDecryptTestCount)) -static void testkeygen(size_t keySizeInBits) { - SecKeyRef pubKey = NULL, privKey = NULL; - size_t keySizeInBytes = (keySizeInBits + 7) / 8; - CFNumberRef kzib; - - kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keySizeInBits); - CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA); - CFDictionaryAddValue(kgp, kSecAttrKeySizeInBits, kzib); - - OSStatus status; - ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), - "Generate %ld bit (%ld byte) RSA keypair", keySizeInBits, - keySizeInBytes); - CFRelease(kzib); - CFRelease(kgp); - - SKIP: { - skip("keygen failed", 8, status == errSecSuccess); - ok(pubKey, "pubkey returned"); - ok(privKey, "privKey returned"); - is(SecKeyGetSize(pubKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "public key size is ok"); - is(SecKeyGetSize(privKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "private key size is ok"); - - /* Sign something. 
*/ - uint8_t something[keySizeInBytes]; - size_t something_len = keySizeInBytes - 11; - SecRandomCopyBytes(kSecRandomDefault, sizeof(something), something); - uint8_t sig[keySizeInBytes]; - size_t sigLen = sizeof(sig); -#if TARGET_OS_IPHONE - /* TODO: This is returning another error on OS X */ - is_status(SecKeyRawSign(privKey, kSecPaddingPKCS1, - something, something_len + 1, sig, &sigLen), - errSecParam, "sign overflow"); -#endif - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1, - something, something_len, sig, &sigLen), "sign something"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1, - something, something_len, sig, sigLen), "verify sig on something"); - - // Torture test ASN.1 encoder by setting high bit to 1. - uint8_t digest[CC_SHA512_DIGEST_LENGTH] = { - 0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }; -#if TARGET_OS_IPHONE - /* Thoses tests are making sure that MD2 and MD5 are NOT supported, - but they still are on OS X */ - - //CC_MD2(something, sizeof(something), digest); - ok_status(!SecKeyRawSign(privKey, kSecPaddingPKCS1MD2, - digest, CC_MD2_DIGEST_LENGTH, sig, &sigLen), - "don't sign md2 digest"); //FAIL - ok_status(!SecKeyRawVerify(pubKey, kSecPaddingPKCS1MD2, - digest, CC_MD2_DIGEST_LENGTH, sig, sigLen), - "verify sig on md2 digest fails"); //FAIL - - //CC_MD5(something, sizeof(something), digest); - sigLen = sizeof(sig); - ok_status(!SecKeyRawSign(privKey, kSecPaddingPKCS1MD5, - digest, CC_MD5_DIGEST_LENGTH, sig, &sigLen), - "don't sign md5 digest"); //FAIL - ok_status(!SecKeyRawVerify(pubKey, kSecPaddingPKCS1MD5, - digest, CC_MD5_DIGEST_LENGTH, sig, sigLen), - "verify sig on md5 digest 
fails"); //FAIL -#endif - - //CCDigest(kCCDigestSHA1, something, sizeof(something), digest); - sigLen = sizeof(sig); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA1, - digest, CC_SHA1_DIGEST_LENGTH, sig, &sigLen), - "sign sha1 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA1, - digest, CC_SHA1_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha1 digest"); - -#if TARGET_OS_IPHONE - /* The assumptions in these tests are just wrong on OS X */ - uint8_t signature[keySizeInBytes], *ptr = signature; - size_t signature_len = sizeof(signature); - ok_status(SecKeyEncrypt(pubKey, kSecPaddingNone, sig, sigLen, signature, &signature_len), "inspect signature"); - is(signature_len, keySizeInBytes - 1, "got signature"); // FAIL for 2056 - while(*ptr && ((size_t)(ptr - signature) < signature_len)) ptr++; - is(signature + signature_len - ptr, 16 /* length(\0 || OID_SHA1) */ + CC_SHA1_DIGEST_LENGTH, "successful decode"); -#endif - -#if TARGET_OS_IPHONE - /* Those are not supported on OS X */ - /* PKCS1 padding is 00 01 PAD * 8 or more 00 data. - data is SEQ { SEQ { OID NULL } BIT STRING 00 DIGEST } - So min data + pad overhead is 11 + 9 + oidlen - oidlen = 11 for the sha2 family of oids, so we have 29 bytes; or - 232 bits of minimum overhead. 
*/ - const size_t pkcs1Overhead = 232; - if (keySizeInBits > 224 + pkcs1Overhead) { - //CC_SHA224(something, sizeof(something), digest); - sigLen = sizeof(sig); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA224, - digest, CC_SHA224_DIGEST_LENGTH, sig, &sigLen), - "sign sha224 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA224, - digest, CC_SHA224_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha224 digest"); - } - - if (keySizeInBits > 256 + pkcs1Overhead) { - //CC_SHA256(something, sizeof(something), digest); - sigLen = sizeof(sig); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA256, - digest, CC_SHA256_DIGEST_LENGTH, sig, &sigLen), - "sign sha256 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA256, - digest, CC_SHA256_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha256 digest"); - } - - if (keySizeInBits > 384 + pkcs1Overhead) { - //CC_SHA384(something, sizeof(something), digest); - sigLen = sizeof(sig); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA384, - digest, CC_SHA384_DIGEST_LENGTH, sig, &sigLen), - "sign sha384 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA384, - digest, CC_SHA384_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha384 digest"); - } - - if (keySizeInBits > 512 + pkcs1Overhead) { - //CC_SHA512(something, sizeof(something), digest); - sigLen = sizeof(sig); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA512, - digest, CC_SHA512_DIGEST_LENGTH, sig, &sigLen), - "sign sha512 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA512, - digest, CC_SHA512_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha512 digest"); - } - - test_encrypt_decrypt(pubKey, privKey, kSecPaddingNone, keySizeInBytes); - test_encrypt_decrypt(pubKey, privKey, kSecPaddingPKCS1, keySizeInBytes); - test_encrypt_decrypt(pubKey, privKey, kSecPaddingOAEP, keySizeInBytes); - - testdigestandsign(privKey, pubKey); -#endif - - const void *privkeys[] = { - kSecValueRef - }; - const void 
*privvalues[] = { - privKey - }; - CFDictionaryRef privitem = CFDictionaryCreate(NULL, privkeys, privvalues, - sizeof(privkeys) / sizeof(*privkeys), NULL, NULL); -#if TARGET_OS_IPHONE - /* OS X: keys are always added to the keychain when generated */ - ok_status(SecItemAdd(privitem, NULL), "add private key"); //FAIL -#endif - ok_status(SecItemDelete(privitem), "delete private key"); - CFReleaseNull(privitem); - - const void *pubkeys[] = { - kSecValueRef - }; - const void *pubvalues[] = { - pubKey - }; - CFDictionaryRef pubitem = CFDictionaryCreate(NULL, pubkeys, pubvalues, - sizeof(pubkeys) / sizeof(*pubkeys), NULL, NULL); -#if TARGET_OS_IPHONE - /* OS X: keys are always added to the keychain when generated */ - ok_status(SecItemAdd(pubitem, NULL), "add public key"); //FAIL -#endif - ok_status(SecItemDelete(pubitem), "delete public key"); - CFReleaseNull(pubitem); - - /* Cleanup. */ - CFReleaseNull(pubKey); - CFReleaseNull(privKey); - } -} - -#define kKeyGen2TestCount 11 -static void testkeygen2(size_t keySizeInBits) { - SecKeyRef pubKey = NULL, privKey = NULL; - size_t keySizeInBytes = (keySizeInBits + 7) / 8; - CFNumberRef kzib; - - CFUUIDRef ourUUID = CFUUIDCreate(kCFAllocatorDefault); - CFStringRef uuidString = CFUUIDCreateString(kCFAllocatorDefault, ourUUID); - CFMutableStringRef publicName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString); - CFMutableStringRef privateName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString); - - CFReleaseNull(ourUUID); - CFReleaseNull(uuidString); - - CFStringAppend(publicName, CFSTR("-Public-40")); - CFStringAppend(privateName, CFSTR("-Private-40")); - CFMutableDictionaryRef pubd = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFMutableDictionaryRef privd = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - - CFDictionaryAddValue(pubd, kSecAttrLabel, publicName); - CFDictionaryAddValue(privd, kSecAttrLabel, privateName); - - kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keySizeInBits); - 
CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA); - CFDictionaryAddValue(kgp, kSecAttrKeySizeInBits, kzib); - CFDictionaryAddValue(kgp, kSecAttrIsPermanent, kCFBooleanTrue); - CFDictionaryAddValue(kgp, kSecPublicKeyAttrs, pubd); - CFDictionaryAddValue(kgp, kSecPrivateKeyAttrs, privd); - - OSStatus status; - ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), - "Generate %ld bit (%ld byte) persistent RSA keypair", - keySizeInBits, keySizeInBytes); - CFRelease(kzib); - CFRelease(kgp); - - SKIP: { - skip("keygen failed", 8, status == errSecSuccess); - ok(pubKey, "pubkey returned"); - ok(privKey, "privKey returned"); - is(SecKeyGetSize(pubKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "public key size is ok"); - is(SecKeyGetSize(privKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "private key size is ok"); - - SecKeyRef pubKey2, privKey2; - CFDictionaryAddValue(pubd, kSecClass, kSecClassKey); - CFDictionaryAddValue(pubd, kSecReturnRef, kCFBooleanTrue); - CFDictionaryAddValue(privd, kSecClass, kSecClassKey); - CFDictionaryAddValue(privd, kSecReturnRef, kCFBooleanTrue); - CFDictionaryAddValue(privd, kSecAttrCanSign, kCFBooleanTrue); - ok_status(SecItemCopyMatching(pubd, (CFTypeRef *)&pubKey2), - "retrieve pub key by label"); - ok_status(SecItemCopyMatching(privd, (CFTypeRef *)&privKey2), - "retrieve priv key by label and kSecAttrCanSign"); - - /* Sign something. 
*/ - uint8_t something[50] = {0x80, 0xbe, 0xef, 0xba, 0xd0, }; - uint8_t sig[keySizeInBytes]; - size_t sigLen = keySizeInBytes; - ok_status(SecKeyRawSign(privKey2, kSecPaddingPKCS1, - something, sizeof(something), sig, &sigLen), "sign something"); - ok_status(SecKeyRawVerify(pubKey2, kSecPaddingPKCS1, - something, sizeof(something), sig, sigLen), "verify sig on something"); - -#if TARGET_OS_IPHONE - /* SecKeyEncrypt does not return errSecParam on OS X in that case */ - sigLen = keySizeInBytes; - is_status(SecKeyEncrypt(pubKey2, kSecPaddingPKCS1SHA1, - something, sizeof(something), sig, &sigLen), errSecParam, - "encrypt something with invalid padding"); -#endif - - /* Cleanup. */ - CFReleaseNull(pubKey2); - CFReleaseNull(privKey2); - - /* delete from keychain - note: do it before releasing publicName and privateName - because pubd and privd have no retain/release callbacks */ - ok_status(SecItemDelete(pubd), "delete generated pub key"); - ok_status(SecItemDelete(privd), "delete generated priv key"); - } - - /* Cleanup. 
*/ - CFReleaseNull(pubKey); - CFReleaseNull(privKey); - - CFReleaseNull(publicName); - CFReleaseNull(privateName); - - CFRelease(pubd); - CFRelease(privd); -} - - -#if !TARGET_OS_IPHONE -// Only exists currently in MacOSX -typedef struct KDFVector_t { - char *password; - char *salt; - int rounds; - int alg; - int dklen; - char *expectedstr; - int expected_failure; -} KDFVector; - -static KDFVector kdfv[] = { - // Test Case PBKDF2 - HMACSHA1 http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-00 - { "password", "salt", 1, 1, 160, "0c60c80f961f0e71f3a9b524af6012062fe037a6", 0 }, - { "password", "salt", 2, 1, 160, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957", 0 }, - { "password", "salt", 4096, 1, 160, "4b007901b765489abead49d926f721d065a429c1", 0 }, - { "password", "salt", 1, 0, 160, NULL, -1} // This crashed -}; - -static size_t kdfvLen = sizeof(kdfv) / sizeof(KDFVector); - -static int testSecKDF(CFStringRef password, CFDataRef salt, CFNumberRef rounds, CFStringRef alg, CFNumberRef dklen, CFDataRef expected, int expected_failure) { - CFMutableDictionaryRef parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 4, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - int retval = 0; - - CFDictionaryAddValue(parameters, kSecAttrSalt, salt); - CFDictionaryAddValue(parameters, kSecAttrKeySizeInBits, dklen); - CFDictionaryAddValue(parameters, kSecAttrPRF, alg); - CFDictionaryAddValue(parameters, kSecAttrRounds, rounds); - - SecKeyRef derivedKey = SecKeyDeriveFromPassword(password, parameters, NULL); - if(derivedKey == NULL && expected_failure) { - ok(1, "Correctly failed to produce a key"); - goto errOut; - } else if(derivedKey == NULL) { - ok(0, "Could not generate a key when we should have"); - goto errOut; - } - ok(1, "Made a new key"); - retval = 1; - // NEEDS Fix -- ok(status = expectedEqualsComputed(expected, derivedKey), "Derived key is as expected"); -errOut: - if(parameters) CFRelease(parameters); - if(derivedKey) 
CFRelease(derivedKey); - return retval; -} - -static CFDataRef CFDataCreateFromHexBytes(char *s) { - if(!s) return NULL; - size_t len = strlen(s); - if(len%2) return NULL; - len /= 2; - uint8_t buf[len]; - for(size_t i=0; i<len; i++) { - buf[i] = s[i*2] * 16 + s[i*2+1]; - } - CFDataRef retval = CFDataCreate(NULL, buf, len); - return retval; -} - - -static int -PBKDF2Test(KDFVector *kdfvec) -{ - CFDataRef expectedBytes = CFDataCreateFromHexBytes(kdfvec->expectedstr); - CFStringRef password = CFStringCreateWithCString(NULL, kdfvec->password, kCFStringEncodingUTF8); - CFDataRef salt = CFDataCreate(NULL, (const UInt8 *)kdfvec->salt, strlen(kdfvec->salt)); - CFNumberRef rounds = CFNumberCreate(NULL, kCFNumberIntType, &kdfvec->rounds); - CFNumberRef dklen = CFNumberCreate(NULL, kCFNumberIntType, &kdfvec->dklen); - int status = 1; - - ok(testSecKDF(password, salt, rounds, kSecAttrPRFHmacAlgSHA1, dklen, expectedBytes, kdfvec->expected_failure), "Test SecKeyDeriveFromPassword PBKDF2"); - - if(expectedBytes) CFRelease(expectedBytes); - return status; -} - - -static void testkeyderivation() { - for(size_t testcase = 0; testcase < kdfvLen; testcase++) { - // diag("Test %lu\n", testcase + 1); - ok(PBKDF2Test(&kdfv[testcase]), "Successful full test of KDF Vector"); - } -} - -#else -static size_t kdfvLen = 0; // no kdf functions in Sec for iphone -#endif /* !TARGET_OS_IPHONE */ - - -/* Test basic add delete update copy matching stuff. */ -#define kTestCount ((2 * kKeyGenTestCount) + kKeyGen2TestCount + (int) (kdfvLen*3)) -static void tests(void) -{ - /* Comment out lines below for testing generating all common key sizes, - disabled now for speed reasons. */ - //testkeygen(512); - //testkeygen(768); - testkeygen(1024); - testkeygen(2056); // Stranged sized for edge cases in padding. - //testkeygen(2048); - //testkeygen(4096); - - testkeygen2(1024); // lots of FAIL! 
-#if !TARGET_OS_IPHONE - testkeyderivation(); -#endif -} - -int kc_40_seckey(int argc, char *const *argv) -{ - plan_tests(kTestCount); - - tests(); - - return 0; -} diff --git a/OSX/libsecurity_keychain/regressions/kc-40-seckey.m b/OSX/libsecurity_keychain/regressions/kc-40-seckey.m new file mode 100644 index 00000000..bfe25496 --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-40-seckey.m 
@@ -0,0 +1,1415 @@ +/* + * Copyright (c) 2007-2009,2013-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#include <TargetConditionals.h> +#include <CoreFoundation/CoreFoundation.h> +#include <Foundation/Foundation.h> +#include <Security/Security.h> +#include <Security/SecRandom.h> +#include <CommonCrypto/CommonDigest.h> +#include <Security/SecKeyPriv.h> +#include <Security/SecItem.h> +#include <Security/SecCertificatePriv.h> + +#include <corecrypto/ccsha1.h> +#include <corecrypto/ccsha2.h> + +#include "keychain_regressions.h" +#include "utilities/SecCFRelease.h" +#include "utilities/array_size.h" + +#if TARGET_OS_IPHONE +static void testdigestandsignalg(SecKeyRef privKey, SecKeyRef pubKey, const SecAsn1AlgId *algId) { + uint8_t dataToDigest[256]; + size_t dataToDigestLen = sizeof(dataToDigest); + size_t sigLen = SecKeyGetSize(privKey, kSecKeySignatureSize); + uint8_t sig[sigLen]; + + DERItem oid; + oid.length = algId->algorithm.Length; + oid.data = algId->algorithm.Data; + + /* Get the oid in decimal for display purposes. 
*/
+ CFStringRef oidStr = SecDERItemCopyOIDDecimalRepresentation(kCFAllocatorDefault, &oid);
+ char oidBuf[40];
+ CFStringGetCString(oidStr, oidBuf, sizeof(oidBuf), kCFStringEncodingUTF8);
+ CFRelease(oidStr);
+
+ SKIP: {
+ OSStatus status;
+
+ /* Time to sign. */
+ ok_status(status = SecKeyDigestAndSign(privKey, algId, dataToDigest, dataToDigestLen,
+ sig, &sigLen), "digest and sign %s with %ld bit RSA key", oidBuf, sigLen * 8);
+
+ skip("SecKeyDigestAndSign failed", 3, status == errSecSuccess);
+
+ /* Verify the signature we just made. */
+ ok_status(SecKeyDigestAndVerify(pubKey, algId, dataToDigest, dataToDigestLen,
+ sig, sigLen), "digest and verify");
+ /* Invalidate the signature. */
+ sig[0] ^= 0xff;
+ is_status(SecKeyDigestAndVerify(pubKey, algId, dataToDigest, dataToDigestLen,
+ sig, sigLen), errSSLCrypto, "digest and verify bad sig");
+ sig[0] ^= 0xff;
+ dataToDigest[0] ^= 0xff;
+ is_status(SecKeyDigestAndVerify(pubKey, algId, dataToDigest, dataToDigestLen,
+ sig, sigLen), errSSLCrypto, "digest and verify bad digest");
+ }
+}
+
+static void testdigestandsign(SecKeyRef privKey, SecKeyRef pubKey) {
+ static const SecAsn1Oid *oids[] = {
+ &CSSMOID_SHA1WithRSA,
+ &CSSMOID_SHA224WithRSA,
+ &CSSMOID_SHA256WithRSA,
+ &CSSMOID_SHA384WithRSA,
+ &CSSMOID_SHA512WithRSA,
+#if 0
+ &CSSMOID_SHA1WithRSA_OIW,
+ &CSSMOID_SHA1WithDSA, // BSAFE
+ &CSSMOID_SHA1WithDSA_CMS, // X509/CMS
+ &CSSMOID_SHA1WithDSA_JDK, // JDK 1.1
+#endif
+ };
+
+
+ uint32_t ix;
+ SecAsn1AlgId algId = {};
+ for (ix = 0; ix < sizeof(oids) / sizeof(*oids); ++ix) {
+ if (oids[ix]) {
+ algId.algorithm = *oids[ix];
+ } else {
+ algId.algorithm.Length = 0;
+ algId.algorithm.Data = NULL;
+ }
+
+ testdigestandsignalg(privKey, pubKey, &algId);
+ }
+}
+#endif
+
+#if 0
+static void dump_bytes(uint8_t* bytes, size_t amount)
+{
+ while (amount > 0) {
+ printf("0x%02x ", *bytes);
+ ++bytes;
+ --amount;
+ }
+}
+#endif
+
+
+#if !TARGET_OS_IPHONE
+#define kEncryptDecryptTestCount 0
+#else
+#define kEncryptDecryptTestCount 6
+static void test_encrypt_decrypt(SecKeyRef pubKey, SecKeyRef privKey, uint32_t padding, size_t keySizeInBytes)
+{
+ SKIP: {
+ size_t max_len = keySizeInBytes;
+ switch (padding) {
+ case kSecPaddingNone: max_len = keySizeInBytes; break;
+ case kSecPaddingOAEP: max_len = keySizeInBytes - 2 - 2 * CC_SHA1_DIGEST_LENGTH; break;
+ case kSecPaddingPKCS1: max_len = keySizeInBytes - 11; break;
+ default: skip("what is the max_len for this padding?", 5, false);
+ }
+
+ uint8_t secret[max_len + 1], encrypted_secret[keySizeInBytes], decrypted_secret[keySizeInBytes];
+ uint8_t *secret_ptr = secret;
+ size_t secret_len = max_len;
+ size_t encrypted_secret_len = sizeof(encrypted_secret);
+ size_t decrypted_secret_len = sizeof(decrypted_secret);
+ memset(decrypted_secret, 0xff, decrypted_secret_len);
+ ok_status(SecRandomCopyBytes(kSecRandomDefault, sizeof(secret), secret),"rng");
+
+ // zero pad, no accidental second zero byte
+ if (padding == kSecPaddingNone) {
+ secret[0] = 0;
+ secret[1] = 128;
+ }
+
+ is_status(SecKeyEncrypt(pubKey, padding,
+ secret, sizeof(secret),
+ encrypted_secret, &encrypted_secret_len), errSecParam, "encrypt secret (overflow)");
+ ok_status(SecKeyEncrypt(pubKey, padding,
+ secret, secret_len,
+ encrypted_secret, &encrypted_secret_len), "encrypt secret");
+
+ ok_status(SecKeyDecrypt(privKey, padding,
+ encrypted_secret, encrypted_secret_len,
+ decrypted_secret, &decrypted_secret_len), "decrypt secret");
+
+ // zero padding is removed on decode
+ if (padding == kSecPaddingNone) {
+ secret_len--;
+ secret_ptr++;
+ }
+
+ ok(decrypted_secret_len == secret_len, "correct length");
+ ok_status(memcmp(secret_ptr, decrypted_secret, secret_len), "verify secret");
+ }
+}
+#endif
+
+#define kKeyGenTestCount (12 + (3*kEncryptDecryptTestCount))
+static void testkeygen(size_t keySizeInBits) {
+ SecKeyRef pubKey = NULL, privKey = NULL;
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ CFNumberRef kzib;
+
+ kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keySizeInBits);
+ CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
+ CFDictionaryAddValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionaryAddValue(kgp, kSecAttrKeySizeInBits, kzib);
+
+ OSStatus status;
+ ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
+ "Generate %ld bit (%ld byte) RSA keypair", keySizeInBits,
+ keySizeInBytes);
+ CFRelease(kzib);
+ CFRelease(kgp);
+
+ SKIP: {
+ skip("keygen failed", 8, status == errSecSuccess);
+ ok(pubKey, "pubkey returned");
+ ok(privKey, "privKey returned");
+ is(SecKeyGetBlockSize(pubKey) * 8, (size_t) keySizeInBits, "public key size is ok");
+ is(SecKeyGetBlockSize(privKey) * 8, (size_t) keySizeInBits, "private key size is ok");
+
+ /* Sign something. */
+ uint8_t something[keySizeInBytes];
+ size_t something_len = keySizeInBytes - 11;
+ ok_status(SecRandomCopyBytes(kSecRandomDefault, sizeof(something), something), "rng");
+ uint8_t sig[keySizeInBytes];
+ size_t sigLen = sizeof(sig);
+#if TARGET_OS_IPHONE
+ /* TODO: This is returning another error on OS X */
+ is_status(SecKeyRawSign(privKey, kSecPaddingPKCS1,
+ something, something_len + 1, sig, &sigLen),
+ errSecParam, "sign overflow");
+#endif
+ ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1,
+ something, something_len, sig, &sigLen), "sign something");
+ ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1,
+ something, something_len, sig, sigLen), "verify sig on something");
+
+ // Torture test ASN.1 encoder by setting high bit to 1.
+ uint8_t digest[CC_SHA512_DIGEST_LENGTH] = {
+ 0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+ };
+#if TARGET_OS_IPHONE
+ /* Thoses tests are making sure that MD2 and MD5 are NOT supported,
+ but they still are on OS X */
+
+ //CC_MD2(something, sizeof(something), digest);
+ ok_status(!SecKeyRawSign(privKey, kSecPaddingPKCS1MD2,
+ digest, CC_MD2_DIGEST_LENGTH, sig, &sigLen),
+ "don't sign md2 digest"); //FAIL
+ ok_status(!SecKeyRawVerify(pubKey, kSecPaddingPKCS1MD2,
+ digest, CC_MD2_DIGEST_LENGTH, sig, sigLen),
+ "verify sig on md2 digest fails"); //FAIL
+
+ //CC_MD5(something, sizeof(something), digest);
+ sigLen = sizeof(sig);
+ ok_status(!SecKeyRawSign(privKey, kSecPaddingPKCS1MD5,
+ digest, CC_MD5_DIGEST_LENGTH, sig, &sigLen),
+ "don't sign md5 digest"); //FAIL
+ ok_status(!SecKeyRawVerify(pubKey, kSecPaddingPKCS1MD5,
+ digest, CC_MD5_DIGEST_LENGTH, sig, sigLen),
+ "verify sig on md5 digest fails"); //FAIL
+#endif
+
+ //CCDigest(kCCDigestSHA1, something, sizeof(something), digest);
+ sigLen = sizeof(sig);
+ ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA1,
+ digest, CC_SHA1_DIGEST_LENGTH, sig, &sigLen),
+ "sign sha1 digest");
+ ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA1,
+ digest, CC_SHA1_DIGEST_LENGTH, sig, sigLen),
+ "verify sig on sha1 digest");
+
+#if TARGET_OS_IPHONE
+ /* The assumptions in these tests are just wrong on OS X */
+ uint8_t signature[keySizeInBytes], *ptr = signature;
+ size_t signature_len = sizeof(signature);
+ ok_status(SecKeyEncrypt(pubKey, kSecPaddingNone, sig, sigLen, signature, &signature_len), "inspect signature");
+ is(signature_len, keySizeInBytes - 1, "got signature"); // FAIL for 2056
+ while(*ptr && ((size_t)(ptr - signature) < signature_len)) ptr++;
+ is(signature + signature_len - ptr, 16 /* length(\0 || OID_SHA1) */ + CC_SHA1_DIGEST_LENGTH, "successful decode");
+#endif
+
+#if TARGET_OS_IPHONE
+ /* Those are not supported on OS X */
+ /* PKCS1 padding is 00 01 PAD * 8 or more 00 data.
+ data is SEQ { SEQ { OID NULL } BIT STRING 00 DIGEST }
+ So min data + pad overhead is 11 + 9 + oidlen + oidlen = 11 for the sha2 family of oids, so we have 29 bytes; or + 232 bits of minimum overhead. */
+ const size_t pkcs1Overhead = 232;
+ if (keySizeInBits > 224 + pkcs1Overhead) {
+ //CC_SHA224(something, sizeof(something), digest);
+ sigLen = sizeof(sig);
+ ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA224,
+ digest, CC_SHA224_DIGEST_LENGTH, sig, &sigLen),
+ "sign sha224 digest");
+ ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA224,
+ digest, CC_SHA224_DIGEST_LENGTH, sig, sigLen),
+ "verify sig on sha224 digest");
+ }
+
+ if (keySizeInBits > 256 + pkcs1Overhead) {
+ //CC_SHA256(something, sizeof(something), digest);
+ sigLen = sizeof(sig);
+ ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA256,
+ digest, CC_SHA256_DIGEST_LENGTH, sig, &sigLen),
+ "sign sha256 digest");
+ ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA256,
+ digest, CC_SHA256_DIGEST_LENGTH, sig, sigLen),
+ "verify sig on sha256 digest");
+ }
+
+ if (keySizeInBits > 384 + pkcs1Overhead) {
+ //CC_SHA384(something, sizeof(something), digest);
+ sigLen = sizeof(sig);
+ ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA384,
+ digest, CC_SHA384_DIGEST_LENGTH, sig, &sigLen),
+ "sign sha384 digest");
+ ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA384,
+ digest, CC_SHA384_DIGEST_LENGTH, sig, sigLen),
+ "verify sig on sha384 digest");
+ }
+
+ if (keySizeInBits > 512 + pkcs1Overhead) {
+ //CC_SHA512(something, sizeof(something), digest);
+ sigLen = sizeof(sig);
+ ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA512,
+ digest, CC_SHA512_DIGEST_LENGTH, sig, &sigLen),
+ "sign sha512 digest");
+ ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA512,
+ digest, CC_SHA512_DIGEST_LENGTH, sig, sigLen),
+ "verify sig on sha512 digest");
+ }
+
+ test_encrypt_decrypt(pubKey, privKey, kSecPaddingNone, keySizeInBytes);
+ test_encrypt_decrypt(pubKey, privKey, kSecPaddingPKCS1, keySizeInBytes);
+ test_encrypt_decrypt(pubKey, privKey, kSecPaddingOAEP, keySizeInBytes);
+
+ testdigestandsign(privKey, pubKey);
+#endif
+
+ const void *privkeys[] = {
+ kSecValueRef
+ };
+ const void *privvalues[] = {
+ privKey
+ };
+ CFDictionaryRef privitem = CFDictionaryCreate(NULL, privkeys, privvalues,
+ sizeof(privkeys) / sizeof(*privkeys), NULL, NULL);
+#if TARGET_OS_IPHONE
+ /* OS X: keys are always added to the keychain when generated */
+ ok_status(SecItemAdd(privitem, NULL), "add private key"); //FAIL
+#endif
+ ok_status(SecItemDelete(privitem), "delete private key");
+ CFReleaseNull(privitem);
+
+ const void *pubkeys[] = {
+ kSecValueRef
+ };
+ const void *pubvalues[] = {
+ pubKey
+ };
+ CFDictionaryRef pubitem = CFDictionaryCreate(NULL, pubkeys, pubvalues,
+ sizeof(pubkeys) / sizeof(*pubkeys), NULL, NULL);
+#if TARGET_OS_IPHONE
+ /* OS X: keys are always added to the keychain when generated */
+ ok_status(SecItemAdd(pubitem, NULL), "add public key"); //FAIL
+#endif
+ ok_status(SecItemDelete(pubitem), "delete public key");
+ CFReleaseNull(pubitem);
+
+ /* Cleanup. */
+ CFReleaseNull(pubKey);
+ CFReleaseNull(privKey);
+ }
+}
+
+#define kKeyGen2TestCount 11
+static void testkeygen2(size_t keySizeInBits) {
+ SecKeyRef pubKey = NULL, privKey = NULL;
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ CFNumberRef kzib;
+
+ CFUUIDRef ourUUID = CFUUIDCreate(kCFAllocatorDefault);
+ CFStringRef uuidString = CFUUIDCreateString(kCFAllocatorDefault, ourUUID);
+ CFMutableStringRef publicName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
+ CFMutableStringRef privateName = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, uuidString);
+
+ CFReleaseNull(ourUUID);
+ CFReleaseNull(uuidString);
+
+ CFStringAppend(publicName, CFSTR("-Public-40"));
+ CFStringAppend(privateName, CFSTR("-Private-40"));
+ CFMutableDictionaryRef pubd = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
+ CFMutableDictionaryRef privd = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
+
+ CFDictionaryAddValue(pubd, kSecAttrLabel, publicName);
+ CFDictionaryAddValue(privd, kSecAttrLabel, privateName);
+
+ kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keySizeInBits);
+ CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
+ CFDictionaryAddValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionaryAddValue(kgp, kSecAttrKeySizeInBits, kzib);
+ CFDictionaryAddValue(kgp, kSecAttrIsPermanent, kCFBooleanTrue);
+ CFDictionaryAddValue(kgp, kSecPublicKeyAttrs, pubd);
+ CFDictionaryAddValue(kgp, kSecPrivateKeyAttrs, privd);
+
+ OSStatus status;
+ ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
+ "Generate %ld bit (%ld byte) persistent RSA keypair",
+ keySizeInBits, keySizeInBytes);
+ CFRelease(kzib);
+ CFRelease(kgp);
+
+ SKIP: {
+ skip("keygen failed", 8, status == errSecSuccess);
+ ok(pubKey, "pubkey returned");
+ ok(privKey, "privKey returned");
+ is(SecKeyGetBlockSize(pubKey) * 8, (size_t) keySizeInBits, "public key size is ok");
+ is(SecKeyGetBlockSize(privKey) * 8, (size_t) keySizeInBits, "private key size is ok");
+
+ SecKeyRef pubKey2, privKey2;
+ CFDictionaryAddValue(pubd, kSecClass, kSecClassKey);
+ CFDictionaryAddValue(pubd, kSecReturnRef, kCFBooleanTrue);
+ CFDictionaryAddValue(privd, kSecClass, kSecClassKey);
+ CFDictionaryAddValue(privd, kSecReturnRef, kCFBooleanTrue);
+ CFDictionaryAddValue(privd, kSecAttrCanSign, kCFBooleanTrue);
+ ok_status(SecItemCopyMatching(pubd, (CFTypeRef *)&pubKey2),
+ "retrieve pub key by label");
+ ok_status(SecItemCopyMatching(privd, (CFTypeRef *)&privKey2),
+ "retrieve priv key by label and kSecAttrCanSign");
+
+ /* Sign something. */
+ uint8_t something[50] = {0x80, 0xbe, 0xef, 0xba, 0xd0, };
+ uint8_t sig[keySizeInBytes];
+ size_t sigLen = keySizeInBytes;
+ ok_status(SecKeyRawSign(privKey2, kSecPaddingPKCS1,
+ something, sizeof(something), sig, &sigLen), "sign something");
+ ok_status(SecKeyRawVerify(pubKey2, kSecPaddingPKCS1,
+ something, sizeof(something), sig, sigLen), "verify sig on something");
+
+#if TARGET_OS_IPHONE
+ /* SecKeyEncrypt does not return errSecParam on OS X in that case */
+ sigLen = keySizeInBytes;
+ is_status(SecKeyEncrypt(pubKey2, kSecPaddingPKCS1SHA1,
+ something, sizeof(something), sig, &sigLen), errSecParam,
+ "encrypt something with invalid padding");
+#endif
+
+ /* Cleanup. */
+ CFReleaseNull(pubKey2);
+ CFReleaseNull(privKey2);
+
+ /* delete from keychain - note: do it before releasing publicName and privateName + because pubd and privd have no retain/release callbacks */
+ ok_status(SecItemDelete(pubd), "delete generated pub key");
+ ok_status(SecItemDelete(privd), "delete generated priv key");
+ }
+
+ /* Cleanup. */
+ CFReleaseNull(pubKey);
+ CFReleaseNull(privKey);
+
+ CFReleaseNull(publicName);
+ CFReleaseNull(privateName);
+
+ CFRelease(pubd);
+ CFRelease(privd);
+}
+
+
+#if !TARGET_OS_IPHONE
+// Only exists currently in MacOSX
+typedef struct KDFVector_t {
+ char *password;
+ char *salt;
+ int rounds;
+ int alg;
+ int dklen;
+ char *expectedstr;
+ int expected_failure;
+} KDFVector;
+
+static KDFVector kdfv[] = {
+ // Test Case PBKDF2 - HMACSHA1 http://tools.ietf.org/html/draft-josefsson-pbkdf2-test-vectors-00
+ { "password", "salt", 1, 1, 160, "0c60c80f961f0e71f3a9b524af6012062fe037a6", 0 },
+ { "password", "salt", 2, 1, 160, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957", 0 },
+ { "password", "salt", 4096, 1, 160, "4b007901b765489abead49d926f721d065a429c1", 0 },
+ { "password", "salt", 1, 0, 160, NULL, -1} // This crashed
+};
+
+static size_t kdfvLen = sizeof(kdfv) / sizeof(KDFVector);
+
+static int testSecKDF(CFStringRef password, CFDataRef salt, CFNumberRef rounds, CFStringRef alg, CFNumberRef dklen, CFDataRef expected, int expected_failure) {
+ CFMutableDictionaryRef parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 4, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ int retval = 0;
+
+ CFDictionaryAddValue(parameters, kSecAttrSalt, salt);
+ CFDictionaryAddValue(parameters, kSecAttrKeySizeInBits, dklen);
+ CFDictionaryAddValue(parameters, kSecAttrPRF, alg);
+ CFDictionaryAddValue(parameters, kSecAttrRounds, rounds);
+
+ SecKeyRef derivedKey = SecKeyDeriveFromPassword(password, parameters, NULL);
+ if(derivedKey == NULL && expected_failure) {
+ ok(1, "Correctly failed to produce a key");
+ goto errOut;
+ } else if(derivedKey == NULL) {
+ ok(0, "Could not generate a key when we should have");
+ goto errOut;
+ }
+ ok(1, "Made a new key");
+ retval = 1;
+ // NEEDS Fix -- ok(status = expectedEqualsComputed(expected, derivedKey), "Derived key is as expected");
+errOut:
+ if(parameters) CFRelease(parameters);
+ if(derivedKey) CFRelease(derivedKey);
+ return retval;
+}
+
+static CFDataRef CFDataCreateFromHexBytes(char *s) {
+ if(!s) return NULL;
+ size_t len = strlen(s);
+ if(len%2) return NULL;
+ len /= 2;
+ uint8_t buf[len];
+ for(size_t i=0; i<len; i++) {
+ buf[i] = s[i*2] * 16 + s[i*2+1];
+ }
+ CFDataRef retval = CFDataCreate(NULL, buf, len);
+ return retval;
+}
+
+
+static int
+PBKDF2Test(KDFVector *kdfvec)
+{
+ CFDataRef expectedBytes = CFDataCreateFromHexBytes(kdfvec->expectedstr);
+ CFStringRef password = CFStringCreateWithCString(NULL, kdfvec->password, kCFStringEncodingUTF8);
+ CFDataRef salt = CFDataCreate(NULL, (const UInt8 *)kdfvec->salt, strlen(kdfvec->salt));
+ CFNumberRef rounds = CFNumberCreate(NULL, kCFNumberIntType, &kdfvec->rounds);
+ CFNumberRef dklen = CFNumberCreate(NULL, kCFNumberIntType, &kdfvec->dklen);
+ int status = 1;
+
+ ok(testSecKDF(password, salt, rounds, kSecAttrPRFHmacAlgSHA1, dklen, expectedBytes, kdfvec->expected_failure), "Test SecKeyDeriveFromPassword PBKDF2");
+
+ if(expectedBytes) CFRelease(expectedBytes);
+ return status;
+}
+
+
+static void testkeyderivation() {
+ for(size_t testcase = 0; testcase < kdfvLen; testcase++) {
+ // diag("Test %lu\n", testcase + 1);
+ ok(PBKDF2Test(&kdfv[testcase]), "Successful full test of KDF Vector");
+ }
+}
+
+#else
+static size_t kdfvLen = 0; // no kdf functions in Sec for iphone
+#endif /* !TARGET_OS_IPHONE */
+
+static void delete_key(SecKeyRef *key) {
+ CFMutableDictionaryRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(query, kSecValueRef, *key);
+ SecItemDelete(query);
+ CFReleaseNull(query);
+ CFReleaseNull(*key);
+}
+
+static const int kTestSupportedCount = 3 + (4 * 12) + 2 + (4 * 10) + 2;
+static void testsupportedalgos(size_t keySizeInBits)
+{
+ SecKeyRef pubKey = NULL, privKey = NULL;
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ CFNumberRef kzib;
+
+ int32_t iKeySizeInBits = (int32_t) keySizeInBits;
+ kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &iKeySizeInBits);
+ CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
+ CFDictionaryAddValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionaryAddValue(kgp, kSecAttrKeySizeInBits, kzib);
+
+ OSStatus status;
+ ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
+ "Generate %ld bit (%ld byte) persistent RSA keypair",
+ keySizeInBits, keySizeInBytes);
+ CFRelease(kzib);
+ CFRelease(kgp);
+
+ is(SecKeyGetBlockSize(pubKey) * 8, (size_t) keySizeInBits, "public key size is ok");
+ is(SecKeyGetBlockSize(privKey) * 8, (size_t) keySizeInBits, "private key size is ok");
+
+ const SecKeyAlgorithm sign[] = {
+ kSecKeyAlgorithmRSASignatureRaw,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512,
+ };
+
+ for (size_t i = 0; i < array_size(sign); i++) {
+ SecKeyAlgorithm algorithm = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@"), sign[i]);
+ ok(SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeSign, algorithm),
+ "privKey supports sign algorithm %@", algorithm);
+ ok(SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeVerify, algorithm),
+ "pubKey supports verify algorithm %@", algorithm);
+ // Since private key supports RSA decryption, our verify adapters happily accepts it.
+ ok(SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeVerify, algorithm),
+ "privKey supports verify algorithm %@", algorithm);
+ ok(!SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeSign, algorithm),
+ "pubKey doesn't support sign algorithm %@", algorithm);
+ CFReleaseNull(algorithm);
+ }
+ ok(!SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeSign, kSecKeyAlgorithmECDSASignatureDigestX962),
+ "RSA privKey does not support ECDSA algorithm");
+ ok(!SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeVerify, kSecKeyAlgorithmECDSASignatureDigestX962),
+ "RSA pubKey does not support ECDSA algorithm");
+
+ const SecKeyAlgorithm crypt[] = {
+ kSecKeyAlgorithmRSAEncryptionRaw,
+ kSecKeyAlgorithmRSAEncryptionPKCS1,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM,
+// kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
+ };
+ for (size_t i = 0; i < array_size(crypt); i++) {
+ SecKeyAlgorithm algorithm = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@"), crypt[i]);
+ ok(SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeDecrypt, algorithm),
+ "privKey supports decrypt algorithm %@", algorithm);
+ ok(SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeEncrypt, algorithm),
+ "pubKey supports encrypt algorithm %@", algorithm);
+ ok(!SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeEncrypt, algorithm),
+ "privKey doesn't supports encrypt algorithm %@", algorithm);
+ ok(!SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeDecrypt, algorithm),
+ "pubKey doesn't support decrypt algorithm %@", algorithm);
+ CFReleaseNull(algorithm);
+ }
+ ok(!SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeDecrypt, kSecKeyAlgorithmRSAEncryptionOAEPSHA512),
+ "privKey doesn't support decrypt algorithm %@", kSecKeyAlgorithmRSAEncryptionOAEPSHA512);
+ ok(!SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeDecrypt, kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM),
+ "privKey doesn't support decrypt algorithm %@", kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM);
+
+ /* Cleanup. */
+ delete_key(&pubKey);
+ delete_key(&privKey);
+}
+
+#if 0
+#define kTestSupportedCount 15
+static void testsupportedalgos(size_t keySizeInBits)
+{
+ SecKeyRef pubKey = NULL, privKey = NULL;
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ CFNumberRef kzib;
+
+ int32_t iKeySizeInBits = (int32_t) keySizeInBits;
+ kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &iKeySizeInBits);
+ CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
+ CFDictionaryAddValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionaryAddValue(kgp, kSecAttrKeySizeInBits, kzib);
+ CFDictionaryAddValue(kgp, kSecAttrLabel, CFSTR("sectests:testsupportedalgos"));
+
+ OSStatus status;
+ ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
+ "Generate %ld bit (%ld byte) persistent RSA keypair",
+ keySizeInBits, keySizeInBytes);
+ CFRelease(kzib);
+ CFRelease(kgp);
+
+ is(SecKeyGetBlockSize(pubKey) * 8, (size_t) keySizeInBits, "public key size is ok");
+ is(SecKeyGetBlockSize(privKey) * 8, (size_t) keySizeInBits, "private key size is ok");
+
+ CFSetRef keySet, expectedSet;
+
+ CFIndex value = kSecKeyAlgorithmECDSASignatureDigestX962;
+ CFNumberRef ECDSAX962 = CFNumberCreate(NULL, kCFNumberCFIndexType, &value);
+ value = kSecKeyAlgorithmRSAEncryptionRaw;
+ CFNumberRef RSARaw = CFNumberCreate(NULL, kCFNumberCFIndexType, &value);
+
+ { // privkey
+ keySet = SecKeyCopySupportedAlgorithms(privKey, kSecKeyOperationTypeSign);
+ const SecKeyAlgorithm sign[] = {
+ kSecKeyAlgorithmRSASignatureRaw,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512,
+ };
+ expectedSet = createAlgorithmSet(sign, array_size(sign));
+ ok(CFSetIsSubset(expectedSet, keySet), "privkey contains expecting algos for signing");
+ ok(!CFSetContainsValue(keySet, ECDSAX962));
+ CFReleaseNull(keySet);
+ CFReleaseNull(expectedSet);
+
+ keySet = SecKeyCopySupportedAlgorithms(privKey, kSecKeyOperationTypeVerify);
+ expectedSet = createAlgorithmSet(sign, array_size(sign));
+ ok(CFSetIsSubset(expectedSet, keySet), "privkey contains expecting algos for verification");
+ ok(!CFSetContainsValue(keySet, ECDSAX962));
+ CFReleaseNull(keySet);
+ CFReleaseNull(expectedSet);
+
+ keySet = SecKeyCopySupportedAlgorithms(privKey, kSecKeyOperationTypeDecrypt);
+ const SecKeyAlgorithm decrypt[] = {
+ kSecKeyAlgorithmRSAEncryptionRaw,
+ kSecKeyAlgorithmRSAEncryptionPKCS1,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
+ };
+ expectedSet = createAlgorithmSet(decrypt, array_size(decrypt));
+ ok(CFSetIsSubset(expectedSet, keySet), "privkey contains expecting algos for decryption");
+ CFReleaseNull(keySet);
+ CFReleaseNull(expectedSet);
+
+ keySet = SecKeyCopySupportedAlgorithms(privKey, kSecKeyOperationTypeEncrypt);
+ expectedSet = CFSetCreate(NULL, NULL, 0, &kCFTypeSetCallBacks);
+ is(CFSetGetCount(keySet), 0, "privkey contains no algos for encryption");
+ CFReleaseNull(keySet);
+ CFReleaseNull(expectedSet);
+ }
+
+ { // pubkey
+ keySet = SecKeyCopySupportedAlgorithms(pubKey, kSecKeyOperationTypeVerify);
+ const SecKeyAlgorithm verify[] = {
+ kSecKeyAlgorithmRSASignatureRaw,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512,
+ };
+ expectedSet = createAlgorithmSet(verify, array_size(verify));
+ ok(CFSetIsSubset(expectedSet, keySet), "pubkey contains expecting algos for verification");
+ ok(!CFSetContainsValue(keySet, ECDSAX962),
+ "pubkey does not contain ECDSA algorithms for verification");
+ ok(!CFSetContainsValue(keySet, RSARaw),
+ "pubkey does not contain encryption-specific algorithm for verification");
+ CFReleaseNull(keySet);
+ CFReleaseNull(expectedSet);
+
+ keySet = SecKeyCopySupportedAlgorithms(pubKey, kSecKeyOperationTypeSign);
+ expectedSet = CFSetCreate(NULL, NULL, 0, &kCFTypeSetCallBacks);
+ is(CFSetGetCount(keySet), 0, "pubkey contains no algos for signing");
+ CFReleaseNull(keySet);
+ CFReleaseNull(expectedSet);
+
+ const SecKeyAlgorithm crypt[] = {
+ kSecKeyAlgorithmRSAEncryptionRaw,
+ kSecKeyAlgorithmRSAEncryptionPKCS1,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
+ kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
+ };
+ expectedSet = createAlgorithmSet(crypt, array_size(crypt));
+ keySet = SecKeyCopySupportedAlgorithms(pubKey, kSecKeyOperationTypeDecrypt);
+#if TARGET_OS_IPHONE
+ ok(CFSetIsSubset(expectedSet, keySet), "pubkey contains expecting algos for decryption");
+#else
+ ok(CFSetGetCount(keySet) == 0, "pubkey cannot decrypt");
+#endif
+ CFReleaseNull(keySet);
+ CFReleaseNull(expectedSet);
+
+ keySet = SecKeyCopySupportedAlgorithms(pubKey, kSecKeyOperationTypeEncrypt);
+ expectedSet = createAlgorithmSet(crypt, array_size(crypt));
+ ok(CFSetIsSubset(expectedSet, keySet), "pubkey contains expecting algos for encryption");
+ CFReleaseNull(keySet);
+ CFReleaseNull(expectedSet);
+ }
+
+ /* Cleanup. */
+ CFReleaseNull(RSARaw);
+ CFReleaseNull(ECDSAX962);
+ delete_key(&pubKey);
+ delete_key(&privKey);
+}
+#endif
+
+#if !TARGET_OS_IPHONE
+static inline bool CFEqualSafe(CFTypeRef left, CFTypeRef right)
+{
+ if (left == NULL || right == NULL)
+ return left == right;
+ else
+ return CFEqual(left, right);
+}
+#endif
+
+#define kCreateWithDataTestCount 13
+static void testcreatewithdata(unsigned long keySizeInBits)
+{
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ int32_t keysz32 = (int32_t)keySizeInBits;
+
+ CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32);
+ CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionarySetValue(kgp, kSecAttrKeySizeInBits, kzib);
+ CFDictionarySetValue(kgp, kSecAttrIsPermanent, kCFBooleanFalse);
+ CFDictionarySetValue(kgp, kSecAttrLabel, CFSTR("sectests:createwithdata"));
+
+ SecKeyRef pubKey = NULL, privKey = NULL;
+ OSStatus status;
+ ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
+ "Generate %ld bit (%ld byte) RSA keypair (status = %d)",
+ keySizeInBits, keySizeInBytes, (int)status);
+ CFReleaseNull(kgp);
+
+ CFMutableDictionaryRef kcwd = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);;
+ CFDictionarySetValue(kcwd, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionarySetValue(kcwd, kSecAttrKeySizeInBits, kzib);
+ CFDictionarySetValue(kcwd, kSecAttrIsPermanent, kCFBooleanFalse);
+ CFReleaseNull(kzib);
+
+ CFErrorRef error = NULL;
+ CFDataRef privExternalData = NULL, pubExternalData = NULL;
+ SecKeyRef dataKey = NULL;
+
+ { // privKey
+ privExternalData = SecKeyCopyExternalRepresentation(privKey, &error);
+ ok(privExternalData && CFGetTypeID(privExternalData) == CFDataGetTypeID(),
+ "priv key SecKeyCopyExternalRepresentation failed");
+ CFReleaseNull(error);
+
+ SKIP: {
+ skip("invalid priv key external data", 4, privExternalData);
+
+ CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
+ dataKey = SecKeyCreateWithData(privExternalData, kcwd, &error);
+ ok(dataKey, "priv key SecKeyCreateWithData failed");
+ CFReleaseNull(error);
+
+ eq_cf(privExternalData, SecKeyCopyExternalRepresentation(dataKey, NULL), "priv keys differ");
+ CFReleaseNull(dataKey);
+
+ CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic);
+ dataKey = SecKeyCreateWithData(privExternalData, kcwd, &error);
+ ok(!dataKey, "priv key SecKeyCreateWithData succeeded with invalid kSecAttrKeyClass");
+ CFReleaseNull(error);
+ CFReleaseNull(dataKey);
+
+ CFMutableDataRef modifiedExternalData = CFDataCreateMutableCopy(kCFAllocatorDefault, 0, privExternalData);
+ *CFDataGetMutableBytePtr(modifiedExternalData) ^= 0xff;
+
+ CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
+ dataKey = SecKeyCreateWithData(modifiedExternalData, kcwd, &error);
+ ok(!dataKey, "priv key SecKeyCreateWithData succeeded with invalid external data");
+ CFReleaseNull(error);
+ CFReleaseNull(dataKey);
+
+ CFReleaseNull(modifiedExternalData);
+ }
+ }
+
+ { // pubKey
+ pubExternalData = SecKeyCopyExternalRepresentation(pubKey, &error);
+ ok(pubExternalData && CFGetTypeID(pubExternalData) == CFDataGetTypeID(),
+ "pub key SecKeyCopyExternalRepresentation failed");
+ CFReleaseNull(error);
+
+ SKIP: {
+ skip("invalid pub key external data", 4, pubExternalData);
+
+ CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic);
+ dataKey = SecKeyCreateWithData(pubExternalData, kcwd, &error);
+ ok(dataKey, "pub key SecKeyCreateWithData failed");
+ CFReleaseNull(error);
+
+ eq_cf(pubExternalData, SecKeyCopyExternalRepresentation(dataKey, NULL), "pub keys differ");
+ CFReleaseNull(dataKey);
+
+ CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
+ dataKey = SecKeyCreateWithData(pubExternalData, kcwd, &error);
+ ok(!dataKey, "pub key SecKeyCreateWithData succeeded with invalid kSecAttrKeyClass");
+ CFReleaseNull(error);
+ CFReleaseNull(dataKey);
+
+ CFMutableDataRef modifiedExternalData = CFDataCreateMutableCopy(kCFAllocatorDefault, 0, pubExternalData);
+ *CFDataGetMutableBytePtr(modifiedExternalData) ^= 0xff;
+
+ CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic);
+ dataKey = SecKeyCreateWithData(modifiedExternalData, kcwd, &error);
+ ok(!dataKey, "pub key SecKeyCreateWithData succeeded with invalid external data");
+ CFReleaseNull(error);
+ CFReleaseNull(dataKey);
+
+ CFReleaseNull(modifiedExternalData);
+ }
+ }
+
+SKIP: {
+ skip("invalid pub key external data", 1, pubExternalData);
+
+ CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
+ dataKey = SecKeyCreateWithData(pubExternalData, kcwd, &error);
+ ok(!dataKey, "priv key SecKeyCreateWithData succeeded with public external data");
+ CFReleaseNull(error);
+ CFReleaseNull(dataKey);
+
+ CFReleaseNull(pubExternalData);
+}
+
+SKIP: {
+ skip("invalid priv key external data", 1, privExternalData);
+
+ CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic);
+ dataKey = SecKeyCreateWithData(privExternalData, kcwd, &error);
+ ok(!dataKey, "pub key SecKeyCreateWithData succeeded with private external data");
+ CFReleaseNull(error);
+ CFReleaseNull(dataKey);
+
+ CFReleaseNull(privExternalData);
+}
+
+ CFReleaseNull(kcwd);
+ delete_key(&pubKey);
+ delete_key(&privKey);
+}
+
+#define kCopyAttributesTestCount 20
+static void testcopyattributes(unsigned long keySizeInBits, bool extractable)
+{
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ int32_t keysz32 = (int32_t)keySizeInBits;
+
+ CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32);
+ CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionarySetValue(kgp, kSecAttrKeySizeInBits, kzib);
+ CFDictionarySetValue(kgp, kSecAttrIsExtractable, extractable ? kCFBooleanTrue : kCFBooleanFalse);
+ CFDictionarySetValue(kgp, kSecAttrLabel, CFSTR("sectests:copyattributes"));
+ SecKeyRef pubKey = NULL, privKey = NULL;
+ OSStatus status;
+ ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
+ "Generate %ld bit (%ld byte) RSA keypair (status = %d)",
+ keySizeInBits, keySizeInBytes, (int)status);
+ CFReleaseNull(kgp);
+
+ CFDictionaryRef attributes;
+ CFTypeRef attrValue = NULL, privAppLabel = NULL, pubAppLabel = NULL;
+
+ { // privKey
+ attributes = SecKeyCopyAttributes(privKey);
+ ok(attributes && CFGetTypeID(attributes) == CFDictionaryGetTypeID(),
+ "priv key SecKeyCopyAttributes failed");
+
+ SKIP: {
+ skip("invalid attributes", 8, attributes);
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanEncrypt);
+ eq_cf(attrValue, kCFBooleanFalse, "invalid priv key kSecAttrCanEncrypt");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDecrypt);
+ eq_cf(attrValue, kCFBooleanTrue, "invalid priv key kSecAttrCanDecrypt");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDerive);
+ eq_cf(attrValue, kCFBooleanTrue, "invalid priv key kSecAttrCanDerive");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanSign);
+ eq_cf(attrValue, kCFBooleanTrue, "invalid priv key kSecAttrCanSign");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanVerify);
+ eq_cf(attrValue, kCFBooleanFalse, "invalid priv key kSecAttrCanVerify");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyClass);
+ eq_cf(attrValue, kSecAttrKeyClassPrivate, "priv key invalid kSecAttrKeyClass");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyType);
+ eq_cf(attrValue, kSecAttrKeyTypeRSA, "invalid priv key kSecAttrKeyType");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrKeySizeInBits);
+ eq_cf(attrValue, kzib, "invalid priv key kSecAttrKeySizeInBits");
+
+ privAppLabel = CFDictionaryGetValue(attributes, kSecAttrApplicationLabel);
+ CFRetainSafe(privAppLabel);
+
+ CFReleaseNull(attributes);
+ }
+ }
+
+ { // pubKey
+ attributes = SecKeyCopyAttributes(pubKey);
+ ok(attributes && CFGetTypeID(attributes) == CFDictionaryGetTypeID(),
+ "pub key SecKeyCopyAttributes failed");
+
+ SKIP: {
+ skip("invalid attributes", 8, attributes);
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanEncrypt);
+ eq_cf(attrValue, kCFBooleanTrue, "pub key invalid kSecAttrCanEncrypt");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDecrypt);
+ eq_cf(attrValue, kCFBooleanFalse, "pub key invalid kSecAttrCanDecrypt");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDerive);
+ eq_cf(attrValue, kCFBooleanTrue, "pub key invalid kSecAttrCanDerive");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanSign);
+ eq_cf(attrValue, kCFBooleanFalse, "pub key invalid kSecAttrCanSign");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanVerify);
+ eq_cf(attrValue, kCFBooleanTrue, "pub key invalid kSecAttrCanVerify");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyClass);
+ eq_cf(attrValue, kSecAttrKeyClassPublic, "pub key invalid kSecAttrKeyClass");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyType);
+ eq_cf(attrValue, kSecAttrKeyTypeRSA, "pub key invalid kSecAttrKeyType");
+
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrKeySizeInBits);
+ eq_cf(attrValue, kzib, "pub key invalid kSecAttrKeySizeInBits");
+
+ pubAppLabel = CFDictionaryGetValue(attributes, kSecAttrApplicationLabel);
+ CFRetainSafe(pubAppLabel);
+
+ CFReleaseNull(attributes);
+ }
+ }
+
+ eq_cf(privAppLabel, pubAppLabel, "priv key and pub key kSecAttrApplicationLabel differ");
+
+ CFReleaseNull(privAppLabel);
+ CFReleaseNull(pubAppLabel);
+ CFReleaseNull(kzib);
+ delete_key(&pubKey);
+ delete_key(&privKey);
+}
+
+#define kCopyPublicKeyTestCount 5
+static void testcopypublickey(unsigned long keySizeInBits, bool extractable, bool permanent) {
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ int32_t keysz32 = (int32_t)keySizeInBits;
+
+ CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32);
+ CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionarySetValue(kgp, kSecAttrKeySizeInBits, kzib);
+ CFDictionarySetValue(kgp, kSecAttrIsPermanent, permanent ? kCFBooleanTrue : kCFBooleanFalse);
+ CFDictionarySetValue(kgp, kSecAttrIsExtractable, extractable ?
kCFBooleanTrue : kCFBooleanFalse); + CFDictionarySetValue(kgp, kSecAttrLabel, CFSTR("sectests:copypublickey")); + SecKeyRef pubKey = NULL, privKey = NULL; + OSStatus status; + if (permanent) { + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) RSA keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + } else { + NSError *error = nil; + privKey = SecKeyCreateRandomKey(kgp, (void *)&error); + pubKey = SecKeyCopyPublicKey(privKey); + ok(privKey != NULL && pubKey != NULL, "Generate %ld bit (%ld byte) RSA keypair (error %@)", + keySizeInBits, keySizeInBytes, error); + } + CFReleaseNull(kgp); + CFReleaseNull(kzib); + + CFDataRef pubKeyData = SecKeyCopyExternalRepresentation(pubKey, NULL); + + SecKeyRef pubKeyCopy = NULL; + + { // privKey + pubKeyCopy = SecKeyCopyPublicKey(privKey); + ok(pubKeyCopy, "priv key SecKeyCopyPublicKey failed"); + CFDataRef pubKeyCopyData = SecKeyCopyExternalRepresentation(pubKeyCopy, NULL); + eq_cf(pubKeyCopyData, pubKeyData, "pub key from priv key SecKeyCopyPublicKey and pub key differ"); + CFReleaseNull(pubKeyCopy); + CFReleaseNull(pubKeyCopyData); + } + + { // pubKey + pubKeyCopy = SecKeyCopyPublicKey(pubKey); + ok(pubKeyCopy, "pub key SecKeyCopyPublicKey failed"); + CFDataRef pubKeyCopyData = SecKeyCopyExternalRepresentation(pubKeyCopy, NULL); + eq_cf(pubKeyCopyData, pubKeyData, "pub key from pub key SecKeyCopyPublicKey and pub key differ"); + CFReleaseNull(pubKeyCopy); + CFReleaseNull(pubKeyCopyData); + } + + CFReleaseNull(pubKeyData); + if (permanent) { + delete_key(&pubKey); + delete_key(&privKey); + } else { + CFReleaseSafe(pubKey); + CFReleaseSafe(privKey); + } +} + +static const char *kCertWithPubK = "\ +MIIELjCCAxagAwIBAgIJALJlcYRBqZlZMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzELMAkG\ +A1UECBMCQ0ExEjAQBgNVBAcTCUN1cGVydGlubzETMBEGA1UEChMKQXBwbGUgSW5jLjEPMA0GA1UECxMG\ +Q29yZU9TMRwwGgYDVQQDExNBcHBsZSBUZXN0IENBMSBDZXJ0MSAwHgYJKoZIhvcNAQkBFhF2a3V6ZWxh\ 
+QGFwcGxlLmNvbTAeFw0xNTA0MjkwODMyMDBaFw0yNTA0MjYwODMyMDBaMIGPMQswCQYDVQQGEwJVUzEL\
+MAkGA1UECBMCQ0ExEjAQBgNVBAcTCUN1cGVydGlubzETMBEGA1UEChMKQXBwbGUgSW5jLjEQMA4GA1UE\
+CxMHQ29yZSBPUzEWMBQGA1UEAxMNRmlsaXAgU3Rva2xhczEgMB4GCSqGSIb3DQEJARYRc3Rva2xhc0Bh\
+cHBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZcPMvjpu7i/2SkNDCrSC4Wa8m\
+j3r6Lgn0crL4AgU+g3apptyy1eFf4RpNRJTGJ9ZMApbRZ0b7wX87Dq6UlCJUI9RJPOy+/TW0FM6mUVaF\
+VSY+P+KMdRYGIOMLVI+LR6lRTf8MWbxZ238cqAIVnLHaE9HrXjyIrgX2IufJjt69WhwsJZuan7jmeXJS\
+0AnESB31wS5NOn0tFDtzNAAQmoP8N8q6ZNC85tPVWBM61YLNjwSYl74y14QfX401P2pQRvwxTortRImk\
+xjN4DBprG23e59UW2IBxYsqUA61jhA0yVy8gxYpCGa4bEBslhrnkAoSv+Zlyk7u2GyO13AC1dfRxAgMB\
+AAGjgYUwgYIwPwYDVR0RBDgwNqAhBgorBgEEAYI3FAIDoBMMEXN0b2tsYXNAYXBwbGUuY29tgRFzdG9r\
+bGFzQGFwcGxlLmNvbTA/BgNVHREEODA2oCEGCisGAQQBgjcUAgOgEwwRc3Rva2xhc0BhcHBsZS5jb22B\
+EXN0b2tsYXNAYXBwbGUuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQB87bZdl4XEDFA7UdPouhR3dKRl6evS\
+MfC9/0jVcdB+P1mNJ/vIZdOZMY0asieOXhsI91nEcHUjbBCnu18mu2jR6SGiJsS/zr6enkpQMcztulMU\
+kcjuSjT1hEzRv0LvEgWPOK+VpVqk6N0ZhybBQYVH2ECf7OU48CkFQFg9eLv6VaSK9+FqcBWpq8fXyOa7\
+bL58bO5A3URHcmMWibv9/j+lpVeQBxt1UUwqBZT7DSLPw3QCj/zXfAGEu3izvEYaWwsQDhItwQJ6g6pp\
+DLO741C7K8eKgvGs8ptna4RSosQda9bdnhZwT+g0UcorsVTUo+sR9+LW7INJ1zovRCL7NXit";
+
+static const char *kPubK = "\
+MIIBCgKCAQEA2XDzL46bu4v9kpDQwq0guFmvJo96+i4J9HKy+AIFPoN2qabcstXhX+EaTUSUxifWTAKW\
+0WdG+8F/Ow6ulJQiVCPUSTzsvv01tBTOplFWhVUmPj/ijHUWBiDjC1SPi0epUU3/DFm8Wdt/HKgCFZyx\
+2hPR6148iK4F9iLnyY7evVocLCWbmp+45nlyUtAJxEgd9cEuTTp9LRQ7czQAEJqD/DfKumTQvObT1VgT\
+OtWCzY8EmJe+MteEH1+NNT9qUEb8MU6K7USJpMYzeAwaaxtt3ufVFtiAcWLKlAOtY4QNMlcvIMWKQhmu\
+GxAbJYa55AKEr/mZcpO7thsjtdwAtXX0cQIDAQAB";
+
+static const int kTestCountCopyPubKFromCert = 2;
+static void testcopypubkfromcert() {
+ NSData *certData = [[NSData alloc] initWithBase64EncodedString:[NSString stringWithUTF8String:kCertWithPubK]
+ options:NSDataBase64DecodingIgnoreUnknownCharacters];
+ NSData *pubKData = [[NSData alloc] initWithBase64EncodedString:[NSString stringWithUTF8String:kPubK]
+ options:NSDataBase64DecodingIgnoreUnknownCharacters];
+ SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certData);
+ SecKeyRef pubKey = NULL;
+ ok_status(SecCertificateCopyPublicKey(cert, &pubKey), "export public key from certificate");
+ NSData *pubKeyData = (NSData *)SecKeyCopyExternalRepresentation(pubKey, NULL);
+ eq_cf(pubKeyData, pubKData, "public key exports itself into expected data");
+ CFReleaseNull(pubKey);
+ CFReleaseNull(cert);
+}
+
+static inline CFDataRef CFDataCreateWithHash(CFAllocatorRef allocator, const struct ccdigest_info *di, const uint8_t *buffer, const uint8_t length) {
+ CFMutableDataRef result = CFDataCreateMutable(allocator, di->output_size);
+ CFDataSetLength(result, di->output_size);
+
+ ccdigest(di, length, buffer, CFDataGetMutableBytePtr(result));
+
+ return result;
+}
+
+#define kSignAndVerifyTestCount 130
+static void testsignverify(unsigned long keySizeInBits)
+{
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ int32_t keysz32 = (int32_t)keySizeInBits;
+
+ CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32);
+ CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionarySetValue(kgp, kSecAttrKeySizeInBits, kzib);
+ CFDictionarySetValue(kgp, kSecAttrIsPermanent, kCFBooleanFalse);
+ CFDictionarySetValue(kgp, kSecAttrLabel, CFSTR("sectests:signverify"));
+ SecKeyRef pubKey = NULL, privKey = NULL, pubKeyIOS = NULL, privKeyIOS = NULL;
+ OSStatus status;
+ ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
+ "Generate %ld bit (%ld byte) RSA keypair (status = %d)",
+ keySizeInBits, keySizeInBytes, (int)status);
+ CFReleaseNull(kgp);
+ CFReleaseNull(kzib);
+
+ CFDataRef privKeyData = SecKeyCopyExternalRepresentation(privKey, NULL);
+ CFDictionaryRef privKeyAttrs = SecKeyCopyAttributes(privKey);
+ privKeyIOS = SecKeyCreateWithData(privKeyData, privKeyAttrs, NULL);
+ CFReleaseNull(privKeyData);
+ CFReleaseNull(privKeyAttrs);
+ ok(privKeyIOS, "create IOS version of the private key");
+
+ CFDataRef pubKeyData = SecKeyCopyExternalRepresentation(pubKey, NULL);
+ CFDictionaryRef pubKeyAttrs = SecKeyCopyAttributes(pubKey);
+ pubKeyIOS = SecKeyCreateWithData(pubKeyData, pubKeyAttrs, NULL);
+ CFReleaseNull(pubKeyData);
+ CFReleaseNull(pubKeyAttrs);
+ ok(pubKeyIOS, "create IOS version of the public key");
+
+ SecKeyAlgorithm algorithms[] = {
+ kSecKeyAlgorithmRSASignatureRaw,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384,
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384,
+ kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512,
+ };
+
+ CFDataRef testData = CFStringCreateExternalRepresentation(kCFAllocatorDefault, CFSTR("test"), kCFStringEncodingUTF8, 0);
+ ok(testData, "creating test data failed");
+
+SKIP: {
+ skip("invalid test data", 71, testData);
+
+ CFErrorRef error = NULL;
+
+ for (uint32_t ix = 0; ix < array_size(algorithms); ++ix) {
+ SecKeyAlgorithm algorithm = algorithms[ix];
+ SecKeyAlgorithm incompatibleAlgorithm = (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureRaw)) ?
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 : kSecKeyAlgorithmRSASignatureRaw;
+
+ CFDataRef dataToSign = NULL;
+ if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1)) {
+ dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha1_di(),
+ CFDataGetBytePtr(testData), CFDataGetLength(testData));
+ ok(dataToSign, "creating digest failed for algorithm %@", algorithm);
+ }
+ else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224)) {
+ dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha224_di(),
+ CFDataGetBytePtr(testData), CFDataGetLength(testData));
+ ok(dataToSign, "creating digest failed for algorithm %@", algorithm);
+ }
+ else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256)) {
+ dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha256_di(),
+ CFDataGetBytePtr(testData), CFDataGetLength(testData));
+ ok(dataToSign, "creating digest failed for algorithm %@", algorithm);
+ }
+ else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384)) {
+ dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha384_di(),
+ CFDataGetBytePtr(testData), CFDataGetLength(testData));
+ ok(dataToSign, "creating digest failed for algorithm %@", algorithm);
+ }
+ else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512)) {
+ dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha512_di(),
+ CFDataGetBytePtr(testData), CFDataGetLength(testData));
+ ok(dataToSign, "creating digest failed for algorithm %@", algorithm);
+ }
+ else {
+ CFRetainAssign(dataToSign, testData);
+ }
+ CFReleaseNull(error);
+
+ SKIP: {
+ skip("invalid data to sign", 7, dataToSign);
+
+ CFDataRef signature = SecKeyCreateSignature(pubKey, algorithm, dataToSign, &error);
+ ok(!signature, "SecKeyCopySignature succeeded with pub key for algorithm %@", algorithm);
+ CFReleaseNull(error);
+ CFReleaseNull(signature);
+
+ signature = SecKeyCreateSignature(privKey, algorithm, dataToSign, &error);
+ ok(signature, "SecKeyCopySignature failed for algorithm %@", algorithm);
+ CFReleaseNull(error);
+
+ CFDataRef iosSignature = SecKeyCreateSignature(privKeyIOS, algorithm, dataToSign, &error);
+ ok(iosSignature, "SecKeyCopySignature(ios) failed for algorithm %@", algorithm);
+ CFReleaseNull(error);
+
+ SKIP: {
+ skip("invalid signature", 4, signature);
+
+ ok(!SecKeyVerifySignature(privKey, algorithm, dataToSign, signature, &error),
+ "SecKeyVerifySignature succeeded with priv key for algorithm %@", algorithm);
+ CFReleaseNull(error);
+
+ ok(!SecKeyVerifySignature(pubKey, incompatibleAlgorithm, dataToSign, signature, &error),
+ "SecKeyVerifySignature succeeded with wrong algorithm for algorithm %@", algorithm);
+ CFReleaseNull(error);
+
+ ok(SecKeyVerifySignature(pubKey, algorithm, dataToSign, signature, &error),
+ "SecKeyVerifySignature(osx) failed osx-signature for algorithm %@", algorithm);
+ CFReleaseNull(error);
+
+ ok(SecKeyVerifySignature(pubKeyIOS, algorithm, dataToSign, signature, &error),
+ "SecKeyVerifySignature(ios) failed for osx-signature for algorithm %@", algorithm);
+
+ ok(SecKeyVerifySignature(pubKey, algorithm, dataToSign, iosSignature, &error),
+ "SecKeyVerifySignature(osx) failed for ios-signature for algorithm %@", algorithm);
+ CFReleaseNull(error);
+
+ ok(SecKeyVerifySignature(pubKeyIOS, algorithm, dataToSign, iosSignature, &error),
+ "SecKeyVerifySignature(ios) failed for ios-signature for algorithm %@", algorithm);
+
+ CFMutableDataRef modifiedSignature = CFDataCreateMutableCopy(kCFAllocatorDefault, 0, signature);
+ *CFDataGetMutableBytePtr(modifiedSignature) ^= 0xff;
+
+ ok(!SecKeyVerifySignature(pubKey, algorithm, dataToSign, modifiedSignature, &error),
+ "SecKeyVerifySignature succeeded with bad signature for algorithm %@", algorithm);
+ CFReleaseNull(error);
+
+ CFMutableDataRef modifiedDataToSign = CFDataCreateMutableCopy(kCFAllocatorDefault, 0, dataToSign);
+ *CFDataGetMutableBytePtr(modifiedDataToSign) ^= 0xff;
+
+ ok(!SecKeyVerifySignature(pubKey, algorithm, modifiedDataToSign, signature, &error),
+ "SecKeyVerifySignature succeeded with bad data for algorithm %@", algorithm);
+ CFReleaseNull(error);
+
+ CFReleaseNull(modifiedDataToSign);
+ CFReleaseNull(modifiedSignature);
+ CFReleaseNull(signature);
+ CFReleaseNull(iosSignature);
+ }
+ CFReleaseNull(dataToSign);
+ }
+ }
+ CFReleaseNull(testData);
+}
+
+ delete_key(&pubKey);
+ delete_key(&privKey);
+ CFReleaseNull(pubKeyIOS);
+ CFReleaseNull(privKeyIOS);
+}
+
+#define kNonExtractableTestCount 6
+static void testnonextractable(unsigned long keySizeInBits)
+{
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ int32_t keysz32 = (int32_t)keySizeInBits;
+
+ CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32);
+ CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionarySetValue(kgp, kSecAttrKeySizeInBits, kzib);
+ CFDictionarySetValue(kgp, kSecAttrIsPermanent, kCFBooleanTrue);
+ CFDictionarySetValue(kgp, kSecAttrIsExtractable, kCFBooleanFalse);
+ CFStringRef label = CFSTR("sectests:nonextractable");
+ CFDictionarySetValue(kgp, kSecAttrLabel, label);
+ SecKeyRef pubKey = NULL, privKey = NULL;
+ OSStatus status;
+ ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey),
+ "Generate %ld bit (%ld byte) RSA keypair (status = %d)",
+ keySizeInBits, keySizeInBytes, (int)status);
+ CFReleaseNull(kgp);
+ CFReleaseNull(kzib);
+
+ // Get attributes, verify that ApplicationLabel is set and equals for both keys.
+ CFDictionaryRef privAttrs = SecKeyCopyAttributes(privKey);
+ CFDictionaryRef pubAttrs = SecKeyCopyAttributes(pubKey);
+
+ ok(privAttrs, "able to get private key attributes");
+ ok(pubAttrs, "able to get public key attributes");
+
+ CFDataRef privLabel = CFDictionaryGetValue(privAttrs, kSecAttrApplicationLabel);
+ CFDataRef pubLabel = CFDictionaryGetValue(pubAttrs, kSecAttrApplicationLabel);
+
+ ok(privLabel && CFGetTypeID(privLabel) == CFDataGetTypeID() && CFDataGetLength(privLabel) == 20,
+ "priv appLabel is present and of correct type");
+ ok(pubLabel && CFGetTypeID(pubLabel) == CFDataGetTypeID() && CFDataGetLength(pubLabel) == 20,
+ "priv appLabel is present and of correct type");
+ eq_cf(privLabel, pubLabel, "applabels of pub and priv keys are equal");
+
+ CFReleaseNull(pubAttrs);
+ CFReleaseNull(privAttrs);
+
+ delete_key(&pubKey);
+ delete_key(&privKey);
+}
+
+#define kTestCount ((2 * kKeyGenTestCount) + kKeyGen2TestCount + (int) (kdfvLen*3)) + \
+ kTestSupportedCount + kCreateWithDataTestCount + (kCopyAttributesTestCount * 2) + (kCopyPublicKeyTestCount * 4) + \
+ kSignAndVerifyTestCount + kNonExtractableTestCount + \
+ kTestCountCopyPubKFromCert
+
+static void tests(void)
+{
+ /* Comment out lines below for testing generating all common key sizes,
+ disabled now for speed reasons. */
+ //testkeygen(512);
+ //testkeygen(768);
+ testkeygen(1024);
+ testkeygen(2056); // Stranged sized for edge cases in padding.
+ //testkeygen(2048);
+ //testkeygen(4096);
+
+ testkeygen2(1024); // lots of FAIL!
+
+ testsupportedalgos(1024);
+ testcreatewithdata(1024);
+ testcopyattributes(1024, true);
+ testcopyattributes(1024, false);
+ testcopypublickey(1024, true, true);
+ testcopypublickey(1024, false, true);
+ testcopypublickey(1024, true, false);
+ testcopypublickey(1024, false, false);
+ testsignverify(1024);
+ testnonextractable(1024);
+
+#if !TARGET_OS_IPHONE
+ testkeyderivation();
+#endif
+
+ testcopypubkfromcert();
+}
+
+int kc_40_seckey(int argc, char *const *argv)
+{
+ plan_tests(kTestCount);
+
+ tests();
+
+ return 0;
+}
diff --git a/OSX/libsecurity_keychain/regressions/kc-41-sececkey.c b/OSX/libsecurity_keychain/regressions/kc-41-sececkey.m
similarity index 83%
rename from OSX/libsecurity_keychain/regressions/kc-41-sececkey.c
rename to OSX/libsecurity_keychain/regressions/kc-41-sececkey.m
index d51554ae..c82f0a6d 100644
--- a/OSX/libsecurity_keychain/regressions/kc-41-sececkey.c
+++ b/OSX/libsecurity_keychain/regressions/kc-41-sececkey.m
@@ -29,10 +29,20 @@
 * Copyright (c) 2007-2009,2013-2014 Apple Inc. All Rights Reserved.
 *
 */
+
+/*
+ * This is to fool os services to not provide the Keychain manager
+ * interface that doens't work since we don't have unified headers
+ * between iOS and OS X. rdar://23405418/
+ */
+#define __KEYCHAINCORE__ 1
+#import <Foundation/Foundation.h>
+
 #include <TargetConditionals.h>
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 #include <Security/SecKeyPriv.h>
+#include <Security/SecItemPriv.h>
 #include <Security/SecItem.h>
 #include <Security/SecKey.h>
@@ -56,6 +66,7 @@
 #include "keychain_regressions.h"
 #include "utilities/SecCFRelease.h"
+#include "utilities/array_size.h"
 #if TARGET_OS_IPHONE
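Review bot: The comment explaining `#define __KEYCHAINCORE__ 1` has a typo, `doens't` for `doesn't`, and that comment is the only documentation for why a double-underscore identifier owned by the SDK is being pre-defined before `#import <Foundation/Foundation.h>`. Because pre-empting a system header guard silently stops working the moment the SDK renames the guard, the comment should name the symptom a reader will see when that happens; something like `/* Pre-define the Keychain manager header guard so the Security umbrella header skips that interface, which doesn't build without unified iOS/OS X headers; if the guard name changes in a future SDK this file will fail to compile with duplicate Keychain declarations. rdar://23405418/ */` keeps the existing intent and makes the failure mode diagnosable.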
@@ -486,6 +497,97 @@ static void testsignformat(void)
 CFReleaseNull(KeyArrayPriv);
 }
+#if !TARGET_OS_IPHONE
+static inline bool CFEqualSafe(CFTypeRef left, CFTypeRef right)
+{
+ if (left == NULL || right == NULL)
+ return left == right;
+ else
+ return CFEqual(left, right);
+}
+#endif
+
+static void testkeyexchange(unsigned long keySizeInBits)
+{
+ size_t keySizeInBytes = (keySizeInBits + 7) / 8;
+ OSStatus status;
+
+ SecKeyRef pubKey1 = NULL, privKey1 = NULL;
+ NSDictionary *kgp1 = @{
+ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeEC,
+ (id)kSecAttrKeySizeInBits: @(keySizeInBits),
+ (id)kSecAttrIsPermanent: @NO,
+ (id)kSecAttrLabel: @"sectests:kc-41-sececkey:testkeyexchange",
+ (id)kSecAttrNoLegacy: @YES,
+ };
+ ok_status(status = SecKeyGeneratePair((CFDictionaryRef)kgp1, &pubKey1, &privKey1),
+ "Generate %ld bit (%ld byte) EC keypair (status = %d)",
+ keySizeInBits, keySizeInBytes, (int)status);
+
+ SecKeyRef pubKey2 = NULL, privKey2 = NULL;
+ NSDictionary *kgp2 = @{
+ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeEC,
+ (id)kSecAttrKeySizeInBits: @(keySizeInBits),
+ (id)kSecAttrIsPermanent: @NO,
+ (id)kSecAttrLabel: @"sectests:kc-41-sececkey:testkeyexchange",
+ (id)kSecAttrNoLegacy: @NO,
+ };
+ ok_status(status = SecKeyGeneratePair((CFDictionaryRef)kgp2, &pubKey2, &privKey2),
+ "Generate %ld bit (%ld byte) EC keypair (status = %d)",
+ keySizeInBits, keySizeInBytes, (int)status);
+
+ const SecKeyAlgorithm algos[] = {
+ kSecKeyAlgorithmECDHKeyExchangeStandard,
+ kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1,
+ kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224,
+ kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256,
+ kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384,
+ kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512,
+ kSecKeyAlgorithmECDHKeyExchangeCofactor,
+ kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1,
+ kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224,
+ kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256,
+ kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384,
+ kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512,
+ };
+
+ // Strange size to test borderline conditions.
+ const CFIndex requestedSize = 273;
+ NSDictionary *params = @{
+ (id)kSecKeyKeyExchangeParameterRequestedSize: @(requestedSize),
+ (id)kSecKeyKeyExchangeParameterSharedInfo: [NSData dataWithBytes:"shared" length:5],
+ };
+
+ for (size_t ix = 0; ix < array_size(algos); ++ix) {
+ CFErrorRef error = NULL;
+
+ NSData *secret1 = (NSData *)SecKeyCopyKeyExchangeResult(privKey1, algos[ix], pubKey2, (CFDictionaryRef)params, &error);
+ ok(secret1 != NULL && CFGetTypeID(secret1) == CFDataGetTypeID());
+ CFReleaseNull(error);
+
+ NSData *secret2 = (NSData *)SecKeyCopyKeyExchangeResult(privKey2, algos[ix], pubKey1, (CFDictionaryRef)params, &error);
+ ok(secret2 != NULL && CFGetTypeID(secret2) == CFDataGetTypeID());
+ CFReleaseN ull(error);
+
+ eq_cf(secret1, secret2, "results of key exchange are equal");
+ if (algos[ix] != kSecKeyAlgorithmECDHKeyExchangeCofactor && algos[ix] != kSecKeyAlgorithmECDHKeyExchangeStandard) {
+ is(secret1.length, requestedSize, "generated response has expected length");
+ }
+
+ CFReleaseNull(secret1);
+ CFReleaseNull(secret2);
+ }
+
+ CFReleaseNull(privKey1);
+ CFReleaseNull(pubKey1);
+ CFReleaseNull(privKey2);
+ CFReleaseNull(pubKey2);
+
+ SecItemDelete((CFDictionaryRef)@{
+ (id)kSecClass: (id)kSecClassKey,
+ (id)kSecAttrLabel: @"sectests:kc-41-sececkey:testkeyexchange",
+ });
+}
 /* Test basic add delete update copy matching stuff. */
 static void tests(void)
@@ -508,15 +610,14 @@ static void tests(void)
 testkeygen2(384);
 testkeygen2(521);
+ testkeyexchange(256);
+ testkeyexchange(384);
+ testkeyexchange(521);
 }
 int kc_41_sececkey(int argc, char *const *argv)
 {
-#if TARGET_OS_IPHONE
- plan_tests(141);
-#else
- plan_tests(101);
-#endif
+ plan_tests(245);
 tests();
diff --git a/OSX/libsecurity_keychain/regressions/kc-42-trust-revocation.c b/OSX/libsecurity_keychain/regressions/kc-42-trust-revocation.c
index 77f288fb..522ee277 100644
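Review bot: `[NSData dataWithBytes:"shared" length:5]` passes five bytes of a six-byte literal, so the X9.63 shared info actually used is "share"; because both sides of the exchange take the same `params`, the `eq_cf(secret1, secret2, ...)` check cannot notice this, so either the length should be `6` (or the data built with `[@"shared" dataUsingEncoding:NSUTF8StringEncoding]`) or a comment should say the truncation is intentional. The two `ok(secret1 != NULL && CFGetTypeID(secret1) == CFDataGetTypeID());` / `ok(secret2 ...)` assertions carry no description, unlike every other assertion in the function, so a failure will not say which of the twelve algorithms broke; `ok(secret1 != NULL && CFGetTypeID(secret1) == CFDataGetTypeID(), "key exchange result for algorithm %@", algos[ix]);` would. The result of the trailing `SecItemDelete` is discarded; since both key pairs are generated with `kSecAttrIsPermanent: @NO`, an `is_status(SecItemDelete(...), errSecItemNotFound, "no keys leaked into keychain")` would turn the cleanup into a check that nothing was persisted. `CFEqualSafe` is introduced under `#if !TARGET_OS_IPHONE` but does not appear to be referenced anywhere in this hunk; if it is unused in the rest of the file it should go.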
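Review bot: `plan_tests(245)` is the old OS X count (101) plus the 144 assertions the three `testkeyexchange` calls add (2 `ok_status` + 12 × (`ok`, `ok`, `eq_cf`) + 10 `is` = 48 per call), so on iOS, where the plan was 141, the count is now 40 short unless iOS-only assertions were removed in a hunk not shown here. The literal also has to be recounted by hand each time a test is added, whereas kc-40-seckey.m in this same patch derives its plan from per-test `k*TestCount` constants; `static const int kTestKeyExchangeCount = 48;` next to `testkeyexchange` and `plan_tests(101 + 3 * kTestKeyExchangeCount);` (with the iOS base kept under `#if TARGET_OS_IPHONE` if it still differs) would keep the number self-describing.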
--- a/OSX/libsecurity_keychain/regressions/kc-42-trust-revocation.c
+++ b/OSX/libsecurity_keychain/regressions/kc-42-trust-revocation.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2015 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2014-2016 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
@@ -29,6 +29,12 @@
 #include "utilities/SecCFRelease.h"
 #include "utilities/SecCFWrappers.h"
+// TBD: ensure that this symbol is defined in every build context.
+// Currently forcing this to be enabled if we do not have it defined.
+#ifndef SECTRUST_OSX
+#define SECTRUST_OSX 1
+#endif
+
 /* s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3014267/C=US/postalCode=95131-2021/ST=California/L=San Jose/street=2211 N 1st St/O=PayPal, Inc./OU=CDN Support/CN=www.paypal.com */
 /* i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 */
 /* SHA1 Fingerprint=A5:AF:1D:73:96:A7:74:F8:8B:B7:43:FD:07:7A:97:47:D3:FA:EF:2F */
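Review bot: Defaulting `SECTRUST_OSX` to 1 when it is undefined silently selects the unified-SecTrust expectations in every build context that forgot to define the macro, so the legacy `#else` branches later in this file can only be reached by an explicit `-DSECTRUST_OSX=0`, and a build that was meant to be legacy would fail with a misleading assertion message instead of a build error. If "assume unified unless told otherwise" really is the intent, the TBD comment should become visible in the build log, e.g. `#warning "SECTRUST_OSX not defined; assuming unified SecTrust (1)"` inside the `#ifndef`; if the build system is expected to always define it, `#error "SECTRUST_OSX must be defined by the build"` is the right tool and the TBD can be dropped.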
@@ -513,21 +519,20 @@ static void tests(void)
 /*
 * 1) Test explicit revocation with no OCSP/CRL
- * Side note: cache is stored in /var/db/crls/ocspcache.db crlcache.db etc...
 */
 OSStatus status;
- SecPolicyRef policy_default = SecPolicyCreateBasicX509();
- SecPolicyRef policy_revoc = SecPolicyCreateRevocation(kSecRevocationNetworkAccessDisabled);
+ SecPolicyRef policy_ssl_default = SecPolicyCreateSSL(true, CFSTR("www.paypal.com"));
+ SecPolicyRef policy_revoc_disabled = SecPolicyCreateRevocation(kSecRevocationNetworkAccessDisabled);
 // Default Policies
- CFMutableArrayRef DefaultPolicy = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(DefaultPolicy, policy_default);
+ CFMutableArrayRef DefaultSSLPolicy = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue(DefaultSSLPolicy, policy_ssl_default);
- // Default Policies + explicit revocation
- CFMutableArrayRef DefaultPolicyWithRevocation = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(DefaultPolicyWithRevocation, policy_default);
- CFArrayAppendValue(DefaultPolicyWithRevocation, policy_revoc);
+ // Default Policies + explicit revocation disabled
+ CFMutableArrayRef DefaultSSLPolicyWithNoRevocation = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue(DefaultSSLPolicyWithNoRevocation, policy_ssl_default);
+ CFArrayAppendValue(DefaultSSLPolicyWithNoRevocation, policy_revoc_disabled);
 // Valid chain of Cert (leaf + CA)
 CFMutableArrayRef CertFullChain = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
@@ -541,8 +546,8 @@ static void tests(void)
 // Free Resources since all are in arrays
 CFReleaseSafe(leaf_cert);
 CFReleaseSafe(CA_cert);
- CFReleaseSafe(policy_default);
- CFReleaseSafe(policy_revoc);
+ CFReleaseSafe(policy_ssl_default);
+ CFReleaseSafe(policy_revoc_disabled);
 // a) First evaluate an entire EV certificate chain with default policy
 // OCSP/CRL performed (online/from cache)
@@ -553,7 +558,7 @@ static void tests(void)
 SecTrustResultType trust_result;
 // Proceed to trust evaluation in two steps
- ok_status(status = SecTrustCreateWithCertificates(CertFullChain, DefaultPolicy, &trust),
+ ok_status(status = SecTrustCreateWithCertificates(CertFullChain, DefaultSSLPolicy, &trust),
 "SecTrustCreateWithCertificates");
 ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
@@ -568,7 +573,7 @@ static void tests(void)
 CFReleaseNull(trust);
 }
- // b) Set explicit revocation policy to disable network access
+ // b) Set explicit revocation policy to disable revocation checking,
 // and now expect EV marker to be dropped.
 // Network packet logging can be used to confirm no OCSP/CRL message is sent.
 {
@@ -576,7 +581,7 @@ static void tests(void)
 SecTrustResultType trust_result;
 // Proceed to trust evaluation in two steps
- ok_status(status = SecTrustCreateWithCertificates(CertFullChain, DefaultPolicyWithRevocation, &trust),
+ ok_status(status = SecTrustCreateWithCertificates(CertFullChain, DefaultSSLPolicyWithNoRevocation, &trust),
 "SecTrustCreateWithCertificates");
 ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
@@ -585,7 +590,16 @@ static void tests(void)
 CFDictionaryRef TrustResultsDict = SecTrustCopyResult(trust);
 CFBooleanRef ev = (CFBooleanRef)CFDictionaryGetValue(TrustResultsDict, kSecTrustExtendedValidation);
+#if SECTRUST_OSX
+ // With SecTrust Unification, the OCSP response is cached by the previous evaluation.
+ // FIXME The semantics of the input to SecPolicyCreateRevocation are technically not honored,
+ // since if neither the OCSP or CRL bits are set, we should not be using either. Unfortunately,
+ // the iOS implementation treats this as a no-op, which for EV certs means an OCSP check by default.
+
+ ok(ev && CFEqual(kCFBooleanTrue, ev), "Expect success even if unable to use network, due to caching");
+#else
 ok(!ev || (ev && CFEqual(kCFBooleanFalse, ev)), "Expect no extended validation because of lack of revocation");
+#endif
 CFReleaseNull(TrustResultsDict);
 CFReleaseNull(trust);
@@ -601,7 +615,7 @@ static void tests(void)
 SecTrustResultType trust_result;
 // Proceed to trust evaluation in two steps
- ok_status(status = SecTrustCreateWithCertificates(CertMissingIssuer, DefaultPolicy, &trust),
+ ok_status(status = SecTrustCreateWithCertificates(CertMissingIssuer, DefaultSSLPolicy, &trust),
 "SecTrustCreateWithCertificates");
 ok_status(status = SecTrustSetNetworkFetchAllowed(trust,true), "SecTrustSetNetworkFetchAllowed");
 ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
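Review bot: Under `SECTRUST_OSX` the b) case now asserts `ev` is true "due to caching", which makes this evaluation depend on the OCSP response fetched by case a) a few lines earlier; run on a cold cache, in isolation, or with the network unavailable during a), the assertion fails even though the code under test is behaving as the FIXME describes. The comment itself says the revocation-policy input is not honored, so what is being asserted here is the state of the cache rather than the policy; the assertion should either accept both outcomes and log which was observed (an `ok(ev == NULL || CFGetTypeID(ev) == CFBooleanGetTypeID(), ...)` plus a diagnostic line), or this block should explicitly warm the cache so the expectation no longer depends on test order. The b) heading comment in the hunk above still ends with "and now expect EV marker to be dropped" and "confirm no OCSP/CRL message is sent", both of which the new `SECTRUST_OSX` branch contradicts, so that comment needs a matching `#if`-specific sentence. The enclosing `tests()` function starts and ends outside this hunk.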
@@ -624,13 +638,21 @@ static void tests(void)
 SecTrustResultType trust_result;
 // Proceed to trust evaluation in two steps, forcing no network allowed
- ok_status(status = SecTrustCreateWithCertificates(CertMissingIssuer, DefaultPolicy, &trust),
+ ok_status(status = SecTrustCreateWithCertificates(CertMissingIssuer, DefaultSSLPolicy, &trust),
 "SecTrustCreateWithCertificates");
 ok_status(status = SecTrustSetNetworkFetchAllowed(trust,false), "SecTrustSetNetworkFetchAllowed");
 ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
 // Check results
- is_status(trust_result, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultProceed");
+#if SECTRUST_OSX
+ // with SecTrust Unification, the issuing cert may or may not be cached from the previous test
+ if (trust_result == kSecTrustResultUnspecified)
+ trust_result = kSecTrustResultRecoverableTrustFailure;
+ is_status(trust_result, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
+#else
+ // previously, no automatic caching of intermediates fetched from the network
+ is_status(trust_result, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
+#endif
 CFReleaseNull(trust);
 }
@@ -722,8 +744,8 @@ static void tests(void)
 }
 // Free remaining resources
- CFReleaseSafe(DefaultPolicy);
- CFReleaseSafe(DefaultPolicyWithRevocation);
+ CFReleaseSafe(DefaultSSLPolicy);
+ CFReleaseSafe(DefaultSSLPolicyWithNoRevocation);
 CFReleaseSafe(CertFullChain);
 CFReleaseSafe(CertMissingIssuer);
diff --git a/OSX/libsecurity_keychain/regressions/kc-43-seckey-interop.m b/OSX/libsecurity_keychain/regressions/kc-43-seckey-interop.m
new file mode 100644
index 00000000..88fbdb72
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-43-seckey-interop.m
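Review bot: In the `SECTRUST_OSX` branch, `if (trust_result == kSecTrustResultUnspecified) trust_result = kSecTrustResultRecoverableTrustFailure;` overwrites the value before `is_status` compares it, so the assertion can no longer tell the two outcomes apart and the log will always print RecoverableTrustFailure even when evaluation succeeded from the cached issuer; it is also an unbraced single-statement `if`. Stating the accepted set directly keeps the real result in the log: `ok(trust_result == kSecTrustResultRecoverableTrustFailure || trust_result == kSecTrustResultUnspecified, "trust result %d is RecoverableTrustFailure or Unspecified (issuer may be cached)", (int)trust_result);`. With that, both `#if`/`#else` branches reduce to the same call and only the comment differs, so the `#else` can collapse into a comment and the preprocessor split disappears. The enclosing `tests()` function starts and ends outside this hunk.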
@@ -0,0 +1,603 @@
+/*
+ * Copyright (c) 2007-2009,2013-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+#include <TargetConditionals.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <Foundation/Foundation.h>
+#include <Security/Security.h>
+#include <Security/SecRandom.h>
+#include <Security/SecKeyPriv.h>
+#include <Security/SecItem.h>
+#include <Security/SecItemPriv.h>
+#include <Security/SecIdentityPriv.h>
+#include <Security/SecKeychainItem.h>
+
+#include "keychain_regressions.h"
+#include "utilities/SecCFRelease.h"
+#include "utilities/array_size.h"
+
+#if !TARGET_OS_IPHONE
+static inline bool CFEqualSafe(CFTypeRef left, CFTypeRef right)
+{
+ if (left == NULL || right == NULL)
+ return left == right;
+ else
+ return CFEqual(left, right);
+}
+#endif
+
+static const int kTestGenerateNoLegacyCount = 11;
+static void test_generate_nolegacy() {
+ NSDictionary *query, *params = @{
+ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA,
+ (id)kSecAttrKeySizeInBits: @1024,
+ (id)kSecAttrNoLegacy: @YES,
+ (id)kSecAttrIsPermanent: @YES,
+ (id)kSecAttrLabel: @"sectests:generate-no-legacy",
+ };
+
+ SecKeyRef pubKey = NULL, privKey = NULL, key = NULL;
+ ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)params, &pubKey, &privKey));
+
+ query = @{
+ (id)kSecClass: (id)kSecClassKey,
+ (id)kSecAttrLabel: @"sectests:generate-no-legacy",
+ (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPublic,
+ (id)kSecAttrNoLegacy: @YES,
+ (id)kSecReturnRef: @YES,
+ };
+ ok_status(SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&key));
+ eq_cf(key, pubKey);
+ CFReleaseNull(key);
+
+ query = @{
+ (id)kSecClass: (id)kSecClassKey,
+ (id)kSecAttrLabel: @"sectests:generate-no-legacy",
+ (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
+ (id)kSecAttrNoLegacy: @YES,
+ (id)kSecReturnRef: @YES,
+ };
+ ok_status(SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&key));
+ eq_cf(key, privKey);
+ CFReleaseNull(key);
+
+ query = @{
+ (id)kSecClass: (id)kSecClassKey,
+ (id)kSecAttrLabel: @"sectests:generate-no-legacy",
+ (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPublic,
+ (id)kSecAttrNoLegacy: @YES,
+ (id)kSecReturnRef: @YES,
+ };
+ ok_status(SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&key));
+ eq_cf(key, pubKey);
+ CFReleaseNull(key);
+
+ query = @{
+ (id)kSecClass: (id)kSecClassKey,
+ (id)kSecAttrLabel: @"sectests:generate-no-legacy",
+ (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
+ (id)kSecAttrNoLegacy: @YES,
+ (id)kSecReturnRef: @YES,
+ };
+ ok_status(SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&key));
+ eq_cf(key, privKey);
+ CFReleaseNull(key);
+
+ query = @{
+ (id)kSecClass: (id)kSecClassKey,
+ (id)kSecAttrLabel: @"sectests:generate-no-legacy",
+ (id)kSecMatchLimit: (id)kSecMatchLimitAll,
+ (id)kSecAttrNoLegacy: @YES,
+ };
+ ok_status(SecItemDelete((__bridge CFDictionaryRef)query));
+ is_status(SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL), errSecItemNotFound);
+
+ CFReleaseNull(privKey);
+ CFReleaseNull(pubKey);
+}
+
+#if !RC_HIDE_J79 && !RC_HIDE_J80
+static const int kTestGenerateAccessControlCount = 4;
+static void test_generate_access_control() {
+ SecAccessControlRef ac = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleAlways,
+ 0 /* | kSecAccessControlPrivateKeyUsage */, NULL);
+ NSDictionary *params = @{
+ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA,
+ (id)kSecAttrKeySizeInBits: @1024,
+ (id)kSecAttrAccessControl: (id)ac,
+ (id)kSecAttrIsPermanent: @YES,
+ (id)kSecAttrLabel: @"sectests:generate-access-control",
+ };
+
+ SecKeyRef pubKey, privKey;
+ ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)params, &pubKey, &privKey));
+
+ NSDictionary *query = @{
+ (id)kSecClass: (id)kSecClassKey,
+ (id)kSecAttrLabel: @"sectests:generate-access-control",
+ (id)kSecMatchLimit: (id)kSecMatchLimitAll,
+ (id)kSecAttrNoLegacy: @YES,
+ };
+ ok_status(SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL));
+
+ ok_status(SecItemDelete((__bridge CFDictionaryRef)query));
+
+ is_status(SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL), errSecItemNotFound);
+
+ CFReleaseSafe(ac);
+ CFReleaseSafe(privKey);
+ CFReleaseSafe(pubKey);
+}
+#else
+static const int kTestGenerateAccessControlCount = 0;
+#endif
+
+static const int kTestAddIOSKeyCount = 6;
+static void test_add_ios_key() {
+ NSDictionary *params = @{
+ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA,
+ (id)kSecAttrKeySizeInBits: @1024,
+ (id)kSecAttrNoLegacy: @YES,
+ (id)kSecAttrIsPermanent: @NO,
+ };
+
+ SecKeyRef pubKey, privKey;
+ ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)params, &pubKey, &privKey));
+
+ NSDictionary *attrs = @{
+ (id)kSecValueRef: (id)privKey,
+ (id)kSecAttrLabel: @"sectests:add-ios-key",
+ };
+ ok_status(SecItemAdd((__bridge CFDictionaryRef)attrs, NULL));
+
+ NSDictionary *query = @{
+ (id)kSecClass: (id)kSecClassKey,
+ (id)kSecAttrLabel: @"sectests:add-ios-key",
+ (id)kSecAttrNoLegacy: @YES,
+ (id)kSecReturnRef: @YES,
+ };
+ SecKeyRef key = NULL;
+
ok_status(SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&key)); + eq_cf(key, privKey); + CFReleaseNull(key); + + query = @{ + (id)kSecClass: (id)kSecClassKey, + (id)kSecAttrLabel: @"sectests:add-ios-key", + (id)kSecMatchLimit: (id)kSecMatchLimitAll, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemDelete((__bridge CFDictionaryRef)query)); + is_status(SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL), errSecItemNotFound); + + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + +static const char *certDataBase64 = "\ +MIIEQjCCAyqgAwIBAgIJAJdFadWqNIfiMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNVBAYTAkNaMQ8wDQYD\ +VQQHEwZQcmFndWUxFTATBgNVBAoTDENvc21vcywgSW5jLjEXMBUGA1UEAxMOc3VuLmNvc21vcy5nb2Qx\ +IzAhBgkqhkiG9w0BCQEWFHRoaW5nQHN1bi5jb3Ntb3MuZ29kMB4XDTE2MDIyNjE0NTQ0OVoXDTE4MTEy\ +MjE0NTQ0OVowczELMAkGA1UEBhMCQ1oxDzANBgNVBAcTBlByYWd1ZTEVMBMGA1UEChMMQ29zbW9zLCBJ\ +bmMuMRcwFQYDVQQDEw5zdW4uY29zbW9zLmdvZDEjMCEGCSqGSIb3DQEJARYUdGhpbmdAc3VuLmNvc21v\ +cy5nb2QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5u9gnYEDzQIVu7yC40VcXTZ01D9CJ\ +oD/mH62tebEHEdfVPLWKeq+uAHnJ6fTIJQvksaISOxwiOosFjtI30mbe6LZ/oK22wYX+OUwKhAYjZQPy\ +RYfuaJe/52F0zmfUSJ+KTbUZrXbVVFma4xPfpg4bptvtGkFJWnufvEEHimOGmO5O69lXA0Hit1yLU0/A\ +MQrIMmZT8gb8LMZGPZearT90KhCbTHAxjcBfswZYeL8q3xuEVHXC7EMs6mq8IgZL7mzSBmrCfmBAIO0V\ +jW2kvmy0NFxkjIeHUShtYb11oYYyfHuz+1vr1y6FIoLmDejKVnwfcuNb545m26o+z/m9Lv9bAgMBAAGj\ +gdgwgdUwHQYDVR0OBBYEFGDdpPELS92xT+Hkh/7lcc+4G56VMIGlBgNVHSMEgZ0wgZqAFGDdpPELS92x\ +T+Hkh/7lcc+4G56VoXekdTBzMQswCQYDVQQGEwJDWjEPMA0GA1UEBxMGUHJhZ3VlMRUwEwYDVQQKEwxD\ +b3Ntb3MsIEluYy4xFzAVBgNVBAMTDnN1bi5jb3Ntb3MuZ29kMSMwIQYJKoZIhvcNAQkBFhR0aGluZ0Bz\ +dW4uY29zbW9zLmdvZIIJAJdFadWqNIfiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFYi\ +Zu/dfAMOrD51bYxP88Wu6iDGBe9nMG/0lkKgnX5JQKCxfxFMk875rfa+pljdUMOaPxegOXq1DrYmQB9O\ +/pHI+t7ozuWHRj2zKkVgMWAygNWDPcoqBEus53BdAgA644aPN2JvnE4NEPCllOMKftPoIWbd/5ZjCx3a\ +bCuxBdXq5YSmiEnOdGfKeXjeeEiIDgARb4tLgH5rkOpB1uH/ZCWn1hkiajBhrGhhPhpA0zbkZg2Ug+8g\ 
+XPlx1yQB1VOJkj2Z8dUEXCaRRijInCJ2eU+pgJvwLV7mxmSED7DEJ+b+opxJKYrsdKBU6RmYpPrDa+KC\ +/Yfu88P9hKKj0LmBiREA\ +"; + +static const char *keyDataBase64 = "\ +MIIEogIBAAKCAQEAubvYJ2BA80CFbu8guNFXF02dNQ/QiaA/5h+trXmxBxHX1Ty1inqvrgB5yen0yCUL\ +5LGiEjscIjqLBY7SN9Jm3ui2f6CttsGF/jlMCoQGI2UD8kWH7miXv+dhdM5n1Eifik21Ga121VRZmuMT\ +36YOG6bb7RpBSVp7n7xBB4pjhpjuTuvZVwNB4rdci1NPwDEKyDJmU/IG/CzGRj2Xmq0/dCoQm0xwMY3A\ +X7MGWHi/Kt8bhFR1wuxDLOpqvCIGS+5s0gZqwn5gQCDtFY1tpL5stDRcZIyHh1EobWG9daGGMnx7s/tb\ +69cuhSKC5g3oylZ8H3LjW+eOZtuqPs/5vS7/WwIDAQABAoIBAGcwmQAPdyZus3OVwa1NCUD2KyB+39KG\ +yNmWwgx+br9Jx4s+RnJghVh8BS4MIKZOBtSRaEUOuCvAMNrupZbD+8leq34vDDRcQpCizr+M6Egj6FRj\ +Ewl+7Mh+yeN2hbMoghL552MTv9D4Iyxteu4nuPDd/JQ3oQwbDFIL6mlBFtiBDUr9ndemmcJ0WKuzor6a\ +3rgsygLs8SPyMefwIKjh5rJZls+iv3AyVEoBdCbHBz0HKgLVE9ZNmY/gWqda2dzAcJxxMdafeNVwHovv\ +BtyyRGnA7Yikx2XT4WLgKfuUsYLnDWs4GdAa738uxPBfiddQNeRjN7jRT1GZIWCk0P29rMECgYEA8jWi\ +g1Dph+4VlESPOffTEt1aCYQQWtHs13Qex95HrXX/L49fs6cOE7pvBh7nVzaKwBnPRh5+3bCPsPmRVb7h\ +k/GreOriCjTZtyt2XGp8eIfstfirofB7c1lNBjT61BhgjJ8Moii5c2ksNIOOZnKtD53n47mf7hiarYkw\ +xFEgU6ECgYEAxE8Js3gIPOBjsSw47XHuvsjP880nZZx/oiQ4IeJb/0rkoDMVJjU69WQu1HTNNAnMg4/u\ +RXo31h+gDZOlE9t9vSXHdrn3at67KAVmoTbRknGxZ+8tYpRJpPj1hyufynBGcKwevv3eHJHnE5eDqbHx\ +ynZFkXemzT9aMy3R4CCFMXsCgYAYyZpnG/m6WohE0zthMFaeoJ6dSLGvyboWVqDrzXjCbMf/4wllRlxv\ +cm34T2NXjpJmlH2c7HQJVg9uiivwfYdyb5If3tHhP4VkdIM5dABnCWoVOWy/NvA7XtE+KF/fItuGqKRP\ +WCGaiRHoEeqZ23SQm5VmvdF7OXNi/R5LiQ3o4QKBgAGX8qg2TTrRR33ksgGbbyi1UJrWC3/TqWWTjbEY\ +uU51OS3jvEQ3ImdjjM3EtPW7LqHSxUhjGZjvYMk7bZefrIGgkOHx2IRRkotcn9ynKURbD+mcE249beuc\ +6cFTJVTrXGcFvqomPWtV895A2JzECQZvt1ja88uuu/i2YoHDQdGJAoGAL2TEgiMXiunb6PzYMMKKa+mx\ +mFnagF0Ek3UJ9ByXKoLz3HFEl7cADIkqyenXFsAER/ifMyCoZp/PDBd6ZkpqLTdH0jQ2Yo4SllLykoiZ\ +fBWMfjRu4iw9E0MbPB3blmtzfv53BtWKy0LUOlN4juvpqryA7TgaUlZkfMT+T1TC7xU=\ +"; + +static const int kTestStoreCertToIOS = 5; +static void test_store_cert_to_ios() { + // Create certificate instance. 
+ NSData *certData = [[NSData alloc] initWithBase64EncodedString:[NSString stringWithUTF8String:certDataBase64] + options:NSDataBase64DecodingIgnoreUnknownCharacters]; + SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certData); + ok(cert != NULL, "create certificate from data"); + + // Store certificate to modern keychain. + NSDictionary *attrs = @{ + (id)kSecValueRef: (id)cert, + (id)kSecAttrLabel: @"sectests:store_cert_to_ios", + (id)kSecAttrNoLegacy: @YES, + (id)kSecReturnPersistentRef: @YES, + }; + id persistentRef; + ok_status(SecItemAdd((CFDictionaryRef)attrs, (void *)&persistentRef), "store certificate into iOS keychain"); + + // Query certificate, without specification of the keychain. + NSDictionary *query = @{ + (id)kSecClass: (id)kSecClassCertificate, + (id)kSecAttrLabel: @"sectests:store_cert_to_ios", + (id)kSecReturnRef: @YES, + }; + SecCertificateRef queriedCert = NULL; + ok_status(SecItemCopyMatching((CFDictionaryRef)query, (void *)&queriedCert), "query certificate back"); + eq_cf(cert, queriedCert, "stored and retrieved certificates are the same"); + + ok_status(SecItemDelete((CFDictionaryRef)@{ (id)kSecValuePersistentRef: persistentRef }), + "delete certificate from keychain"); + CFReleaseNull(cert); +} + +static const int kTestStoreIdentityToIOS = 6; +static void test_store_identity_to_ios() { + // Create certificate instance. + NSData *certData = [[NSData alloc] initWithBase64EncodedString:[NSString stringWithUTF8String:certDataBase64] + options:NSDataBase64DecodingIgnoreUnknownCharacters]; + SecCertificateRef certificate = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certData); + ok(certificate != NULL, "create certificate from data"); + + // Create private key instance. 
+ NSData *keyData = [[NSData alloc] initWithBase64EncodedString:[NSString stringWithUTF8String:keyDataBase64] + options:NSDataBase64DecodingIgnoreUnknownCharacters]; + NSDictionary *keyAttrs = @{ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @2048, + (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate }; + SecKeyRef privateKey = SecKeyCreateWithData((CFDataRef)keyData, (CFDictionaryRef)keyAttrs, NULL); + ok(privateKey != NULL, "create private key from data"); + + // Create identity from certificate and private key. + SecIdentityRef identity = SecIdentityCreate(kCFAllocatorDefault, certificate, privateKey); + + // Store identity to the iOS keychain. + NSDictionary *attrs = @{ + (id)kSecValueRef: (id)identity, + (id)kSecAttrLabel: @"sectests:store_identity_to_ios", + (id)kSecAttrNoLegacy: @YES, + (id)kSecReturnPersistentRef: @YES, + }; + id persistentRef; + ok_status(SecItemAdd((CFDictionaryRef)attrs, (void *)&persistentRef), "store identity into iOS keychain"); + + NSDictionary *query = @{ + (id)kSecClass: (id)kSecClassIdentity, + (id)kSecAttrLabel: @"sectests:store_identity_to_ios", + (id)kSecReturnRef: @YES, + }; + SecIdentityRef queriedIdentity = NULL; + ok_status(SecItemCopyMatching((CFDictionaryRef)query, (void *)&queriedIdentity), "query identity from keychain"); + eq_cf(identity, queriedIdentity, "stored and retrieved identities are identical"); + + // Cleanup identity. + ok_status(SecItemDelete((CFDictionaryRef)@{ (id)kSecValuePersistentRef: persistentRef}), + "delete identity from iOS keychain"); + + CFReleaseNull(identity); + CFReleaseNull(privateKey); + CFReleaseNull(certificate); +} + +static const int kTestTransformWithIOSKey = 9; +static void test_transform_with_ioskey() { + // Create private key instance. 
+ NSData *keyData = [[NSData alloc] initWithBase64EncodedString:[NSString stringWithUTF8String:keyDataBase64] + options:NSDataBase64DecodingIgnoreUnknownCharacters]; + NSDictionary *keyAttrs = @{ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @2048, + (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate }; + SecKeyRef privateKey = SecKeyCreateWithData((CFDataRef)keyData, (CFDictionaryRef)keyAttrs, NULL); + ok(privateKey != NULL, "create private key from data"); + + // Create signature transform with private key + NSData *testData = [NSData dataWithBytes:"test" length:4]; + SecTransformRef signer = SecSignTransformCreate(privateKey, NULL); + ok(signer != NULL, "create signing transform"); + ok(SecTransformSetAttribute(signer, kSecTransformInputAttributeName, (CFDataRef)testData, NULL), + "set input data to verify transform"); + NSData *signature = (NSData *)SecTransformExecute(signer, NULL); + ok(signature != nil, "create signature with transform"); + + // Create verify transform with public key. 
+ SecKeyRef publicKey = SecKeyCopyPublicKey(privateKey); + ok(publicKey != NULL, "get public key from private key"); + SecTransformRef verifier = SecVerifyTransformCreate(publicKey, (CFDataRef)signature, NULL); + ok(verifier, "create verification transform"); + ok(SecTransformSetAttribute(verifier, kSecTransformInputAttributeName, (CFDataRef)testData, NULL), + "set input data to verify transform"); + + NSNumber *result = (NSNumber *)SecTransformExecute(verifier, NULL); + ok(result != nil, "transform execution succeeded"); + ok(result.boolValue, "transform verified signature"); + + CFReleaseNull(signer); + CFReleaseNull(verifier); + CFReleaseNull(publicKey); + CFReleaseNull(privateKey); +} + +static const int kTestConvertKeyToPersistentRef = 11; +static void test_convert_key_to_persistent_ref() { + NSString *label = @"sectests:convert-key-to-persistent-ref"; + + // Create + SecKeyRef privKey = NULL; + { + NSDictionary *query = @{ + (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, + (id)kSecAttrKeySizeInBits: @1024, + (id)kSecAttrNoLegacy: @YES, + (id)kSecAttrIsPermanent: @NO, + }; + SecKeyRef pubKey = NULL; + ok_status(SecKeyGeneratePair((CFDictionaryRef)query, &pubKey, &privKey)); + CFReleaseNull(pubKey); + } + + // Store + { + NSDictionary *query = @{ + (id)kSecAttrLabel: label, + (id)kSecValueRef: (id)privKey, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemAdd((CFDictionaryRef)query, NULL)); + } + + // Convert & Compare + CFDataRef queriedPersistentKeyRef = NULL; + SecKeyRef queriedKeyRef = NULL; + { + NSDictionary *query = @{ + (id)kSecValueRef: (id)privKey, + (id)kSecReturnPersistentRef: @YES, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&queriedPersistentKeyRef)); + }{ + NSDictionary *query = @{ + (id)kSecValuePersistentRef: (id)queriedPersistentKeyRef, + (id)kSecReturnRef: @YES, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&queriedKeyRef)); 
+ }{ + CFDataRef persistentKeyRef = NULL; + SecKeychainItemRef keyRef = NULL; + ok_status(SecKeychainItemCreatePersistentReference((SecKeychainItemRef)privKey, &persistentKeyRef)); + ok_status(SecKeychainItemCopyFromPersistentReference(persistentKeyRef, &keyRef)); + eq_cf(privKey, queriedKeyRef); + eq_cf(keyRef, privKey); + eq_cf(persistentKeyRef, queriedPersistentKeyRef); + CFReleaseNull(persistentKeyRef); + CFReleaseNull(keyRef); + } + CFReleaseNull(queriedPersistentKeyRef); + CFReleaseNull(queriedKeyRef); + + // Cleanup + CFReleaseNull(privKey); + { + NSDictionary *query = @{ + (id)kSecClass: (id)kSecClassKey, + (id)kSecAttrLabel: label, + (id)kSecMatchLimit: (id)kSecMatchLimitAll, + }; + ok_status(SecItemDelete((CFDictionaryRef)query)); + is_status(SecItemCopyMatching((CFDictionaryRef)query, NULL), errSecItemNotFound); + } +} + +static const int kTestConvertCertToPersistentRef = 11; +static void test_convert_cert_to_persistent_ref() { + NSString *label = @"sectests:convert-cert-to-persistent-ref"; + + // Create + SecCertificateRef cert = NULL; + { + NSData *certData = [[NSData alloc] initWithBase64EncodedString:[NSString stringWithUTF8String:certDataBase64] + options:NSDataBase64DecodingIgnoreUnknownCharacters]; + cert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certData); + ok(cert); + } + + // Store + { + NSDictionary *query = @{ + (id)kSecAttrLabel: label, + (id)kSecValueRef: (id)cert, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemAdd((CFDictionaryRef)query, NULL)); + } + + // Convert & Compare + CFDataRef queriedPersistentCertRef = NULL; + SecCertificateRef queriedCertRef = NULL; + { + NSDictionary *query = @{ + (id)kSecValueRef: (id)cert, + (id)kSecReturnPersistentRef: @YES, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&queriedPersistentCertRef)); + }{ + NSDictionary *query = @{ + (id)kSecValuePersistentRef: (id)queriedPersistentCertRef, + (id)kSecReturnRef: @YES, + 
(id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&queriedCertRef)); + }{ + CFDataRef persistentCertRef = NULL; + SecKeychainItemRef certRef = NULL; + ok_status(SecKeychainItemCreatePersistentReference((SecKeychainItemRef)cert, &persistentCertRef)); + ok_status(SecKeychainItemCopyFromPersistentReference(persistentCertRef, &certRef)); + eq_cf(cert, queriedCertRef); + eq_cf(certRef, cert); + eq_cf(persistentCertRef, queriedPersistentCertRef); + CFReleaseNull(persistentCertRef); + CFReleaseNull(certRef); + } + CFReleaseNull(queriedPersistentCertRef); + CFReleaseNull(queriedCertRef); + + // Cleanup + CFReleaseNull(cert); + { + NSDictionary *query = @{ + (id)kSecClass: (id)kSecClassCertificate, + (id)kSecAttrLabel: label, + (id)kSecMatchLimit: (id)kSecMatchLimitAll, + }; + ok_status(SecItemDelete((CFDictionaryRef)query)); + is_status(SecItemCopyMatching((CFDictionaryRef)query, NULL), errSecItemNotFound); + } +} + +static const int kTestConvertIdentityToPersistentRef = 12; +static void test_convert_identity_to_persistent_ref() { + NSString *label = @"sectests:convert-identity-to-persistent-ref"; + + // Create + SecIdentityRef idnt = NULL; + { + NSData *certData = [[NSData alloc] initWithBase64EncodedString:[NSString stringWithUTF8String:certDataBase64] + options:NSDataBase64DecodingIgnoreUnknownCharacters]; + SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certData); + ok(cert); + NSData *keyData = [[NSData alloc] initWithBase64EncodedString:[NSString stringWithUTF8String:keyDataBase64] + options:NSDataBase64DecodingIgnoreUnknownCharacters]; + NSDictionary *keyAttrs = @{ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, + (id)kSecAttrKeySizeInBits: @2048, + (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate }; + SecKeyRef privKey = SecKeyCreateWithData((CFDataRef)keyData, (CFDictionaryRef)keyAttrs, NULL); + ok(privKey); + idnt = SecIdentityCreate(kCFAllocatorDefault, cert, privKey); + 
CFReleaseNull(cert); + CFReleaseNull(privKey); + } + + // Store + { + NSDictionary *query = @{ + (id)kSecAttrLabel: label, + (id)kSecValueRef: (id)idnt, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemAdd((CFDictionaryRef)query, NULL)); + } + + // Convert & Compare + CFDataRef queriedPersistentIdntRef = NULL; + SecIdentityRef queriedIdntRef = NULL; + { + NSDictionary *query = @{ + (id)kSecValueRef: (id)idnt, + (id)kSecReturnPersistentRef: @YES, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&queriedPersistentIdntRef)); + }{ + NSDictionary *query = @{ + (id)kSecValuePersistentRef: (id)queriedPersistentIdntRef, + (id)kSecReturnRef: @YES, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&queriedIdntRef)); + }{ + CFDataRef persistentIdntRef = NULL; + SecKeychainItemRef idntRef = NULL; + ok_status(SecKeychainItemCreatePersistentReference((SecKeychainItemRef)idnt, &persistentIdntRef)); + ok_status(SecKeychainItemCopyFromPersistentReference(persistentIdntRef, &idntRef)); + eq_cf(idnt, queriedIdntRef); + eq_cf(idntRef, idnt); + eq_cf(persistentIdntRef, queriedPersistentIdntRef); + CFReleaseNull(persistentIdntRef); + CFReleaseNull(idntRef); + } + CFReleaseNull(queriedPersistentIdntRef); + CFReleaseNull(queriedIdntRef); + + // Cleanup + { + NSDictionary *query = @{ + // identities can't be filtered out using 'label', so we will use directly the ValueRef here: + (id)kSecValueRef: (id)idnt, + (id)kSecAttrNoLegacy: @YES, + }; + ok_status(SecItemDelete((CFDictionaryRef)query)); + is_status(SecItemCopyMatching((CFDictionaryRef)query, NULL), errSecItemNotFound); + } + CFReleaseNull(idnt); +} + +static const int kTestCount = + kTestGenerateNoLegacyCount + + kTestGenerateAccessControlCount + + kTestAddIOSKeyCount + + kTestStoreCertToIOS + + kTestStoreIdentityToIOS + + kTestTransformWithIOSKey + + kTestConvertKeyToPersistentRef + + kTestConvertCertToPersistentRef + + 
kTestConvertIdentityToPersistentRef; + +int kc_43_seckey_interop(int argc, char *const *argv) { + plan_tests(kTestCount); + + test_generate_nolegacy(); +#if !RC_HIDE_J79 && !RC_HIDE_J80 + test_generate_access_control(); +#endif + test_add_ios_key(); + test_store_cert_to_ios(); + test_store_identity_to_ios(); + test_transform_with_ioskey(); + test_convert_key_to_persistent_ref(); + test_convert_cert_to_persistent_ref(); + test_convert_identity_to_persistent_ref(); + + return 0; +} diff --git a/OSX/libsecurity_keychain/regressions/kc-helpers.h b/OSX/libsecurity_keychain/regressions/kc-helpers.h new file mode 100644 index 00000000..f5402b3e --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-helpers.h 
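Review bot: In test_generate_access_control and test_add_ios_key the out-parameters `SecKeyRef pubKey, privKey;` are uninitialized before `SecKeyGeneratePair`, and since ok_status reports a failure without returning, the later `CFReleaseSafe`/`CFReleaseNull` calls and the `(id)kSecValueRef: (id)privKey` literal would then operate on indeterminate pointers; the other tests in this file write `SecKeyRef pubKey = NULL, privKey = NULL;`, which turns that path into a plain test failure. The same applies to `id persistentRef;` in test_store_cert_to_ios and test_store_identity_to_ios, which is placed into the delete dictionary even when SecItemAdd failed, so `id persistentRef = nil;` is the safer spelling. In those two tests `queriedCert` and `queriedIdentity` come back from SecItemCopyMatching as owned references and are never released, unlike `key` in the earlier tests. The certDataBase64/keyDataBase64 pair is a fixture, and a one-line comment above it such as `// Throwaway self-signed test identity; only valid for these regression tests.` would make that explicit for whoever greps for embedded private keys.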
@@ -0,0 +1,253 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef kc_helpers_h +#define kc_helpers_h + +#include <stdlib.h> +#include <unistd.h> + +#include <Security/Security.h> +#include <Security/SecKeychainPriv.h> +#include "utilities/SecCFRelease.h" + +#include "kc-keychain-file-helpers.h" + +/* redefine this since the headers are mixed up */ +static inline bool CFEqualSafe(CFTypeRef left, CFTypeRef right) +{ + if (left == NULL || right == NULL) + return left == right; + else + return CFEqual(left, right); +} + +static char keychainFile[1000]; +static char keychainDbFile[1000]; +static char keychainTempFile[1000]; +static char keychainName[1000]; +static char testName[1000]; +static uint32_t promptAttempts; + +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunused-variable" +#pragma clang diagnostic ignored "-Wunused-function" + +static void startTest(const char* thisTestName) { + strlcpy(testName, thisTestName, sizeof(testName)); +} + +static void initializeKeychainTests(const char* thisTestName) { + const 
char *home_dir = getenv("HOME"); + sprintf(keychainName, "test-%s.asdf", thisTestName); + sprintf(keychainFile, "%s/Library/Keychains/%s", home_dir, keychainName); + sprintf(keychainDbFile, "%s/Library/Keychains/%s-db", home_dir, keychainName); + sprintf(keychainTempFile, "%s/Library/Keychains/test_temp", home_dir); + + deleteKeychainFiles(keychainFile); + + startTest(thisTestName); + + SecKeychainGetUserPromptAttempts(&promptAttempts); + SecKeychainSetUserInteractionAllowed(FALSE); +} + +// Use this at the bottom of every test to make sure everything is gone +static void deleteTestFiles() { + deleteKeychainFiles(keychainFile); +} + +static SecKeychainRef getPopulatedTestKeychain() { + deleteKeychainFiles(keychainFile); + + writeFile(keychainFile, test_keychain, sizeof(test_keychain)); + + SecKeychainRef kc = NULL; + ok_status(SecKeychainOpen(keychainFile, &kc), "%s: getPopulatedTestKeychain: SecKeychainOpen", testName); + ok_status(SecKeychainUnlock(kc, (UInt32) strlen(test_keychain_password), test_keychain_password, true), "%s: getPopulatedTestKeychain: SecKeychainUnlock", testName); + return kc; +} +#define getPopulatedTestKeychainTests 2 + +static void addToSearchList(SecKeychainRef keychain) { + CFArrayRef searchList = NULL; + SecKeychainCopySearchList(&searchList); + CFMutableArrayRef mutableSearchList = CFArrayCreateMutableCopy(NULL, CFArrayGetCount(searchList) + 1, searchList); + CFArrayAppendValue(mutableSearchList, keychain); + SecKeychainSetSearchList(mutableSearchList); + CFRelease(searchList); + CFRelease(mutableSearchList); +} + + +/* Checks to be sure there are N elements in this search, and returns the first + * if it exists. 
*/ +static SecKeychainItemRef checkN(char* testName, const CFDictionaryRef query, uint32_t n) { + CFArrayRef results = NULL; + if(n > 0) { + ok_status(SecItemCopyMatching(query, (CFTypeRef*) &results), "%s: SecItemCopyMatching", testName); + } else { + is(SecItemCopyMatching(query, (CFTypeRef*) &results), errSecItemNotFound, "%s: SecItemCopyMatching (for no items)", testName); + } + + SecKeychainItemRef item = NULL; + if(results) { + is(CFArrayGetCount(results), n, "%s: Wrong number of results", testName); + if(n >= 1) { + ok(item = (SecKeychainItemRef) CFArrayGetValueAtIndex(results, 0), "%s: Couldn't get item", testName); + } else { + pass("make test numbers match"); + } + } else if((!results) && n == 0) { + pass("%s: no results found (and none expected)", testName); + pass("make test numbers match"); + } else { + fail("%s: no results found (and %d expected)", testName, n); + fflush(stdout); CFShow(query); fflush(stdout); + pass("make test numbers match"); + } + + CFRelease(query); + return item; +} +#define checkNTests 3 + + +static void readPasswordContentsWithResult(SecKeychainItemRef item, OSStatus expectedResult, CFStringRef expectedContents) { + if(!item) { + fail("no item passed to readPasswordContentsWithResult"); + fail("Match test numbers"); + fail("Match test numbers"); + return; + } + + CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitOne); + CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue); + + CFMutableArrayRef itemList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)itemList, item); + CFDictionarySetValue(query, kSecUseItemList, itemList); + + CFTypeRef results = NULL; + if(expectedContents) { + is(SecItemCopyMatching(query, (CFTypeRef*) &results), expectedResult, "%s: readPasswordContents: SecItemCopyMatching", 
testName); + CFReleaseNull(query); + + if(results) { + ok(CFGetTypeID(results) == CFDataGetTypeID(), "%s: result is not a data", testName); + + CFDataRef data = (CFDataRef) results; + CFStringRef str = CFStringCreateWithBytes(NULL, CFDataGetBytePtr(data), CFDataGetLength(data), kCFStringEncodingUTF8, false); + eq_cf(str, expectedContents, "%s: contents do not match", testName); + CFReleaseNull(str); + CFReleaseNull(results); + } else { + fail("Didn't get any results"); + fail("Match test numbers"); + } + } else { + is(SecItemCopyMatching(query, (CFTypeRef*) &results), expectedResult, "%s: readPasswordContents: expecting error %d", testName, (int) expectedResult); + pass("Match test numbers"); + pass("Match test numbers"); + } +} +#define readPasswordContentsWithResultTests 3 + +static void readPasswordContents(SecKeychainItemRef item, CFStringRef expectedContents) { + return readPasswordContentsWithResult(item, errSecSuccess, expectedContents); +} +#define readPasswordContentsTests readPasswordContentsWithResultTests + +static void changePasswordContents(SecKeychainItemRef item, CFStringRef newPassword) { + if(!item) { + fail("no item passed to changePasswordContents"); + return; + } + + CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitOne); + + CFMutableArrayRef itemList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)itemList, item); + CFDictionarySetValue(query, kSecUseItemList, itemList); + + CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFDictionarySetValue(attrs, kSecValueData, CFDataCreate(NULL, (const UInt8*) CFStringGetCStringPtr(newPassword, kCFStringEncodingUTF8), CFStringGetLength(newPassword))); + + ok_status(SecItemUpdate(query, attrs), 
"%s: SecItemUpdate", testName); +} +#define changePasswordContentsTests 1 + +static void deleteItem(SecKeychainItemRef item) { + CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + CFMutableArrayRef itemList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks); + CFArrayAppendValue((CFMutableArrayRef)itemList, item); + CFDictionarySetValue(query, kSecUseItemList, itemList); + + ok_status(SecItemDelete(query), "%s: SecItemDelete single item", testName); + CFReleaseNull(query); +} +#define deleteItemTests 1 + +static void deleteItems(CFArrayRef items) { + if(!items) { + fail("no items passed to deleteItems"); + return; + } + + CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFDictionarySetValue(query, kSecUseItemList, items); + + size_t count = (size_t) CFArrayGetCount(items); + if(count > 0) { + ok_status(SecItemDelete(query), "%s: SecItemDelete %ld items", testName, count); + } else { + is(SecItemDelete(query), errSecItemNotFound, "%s: SecItemDelete no items", testName); + } + CFReleaseNull(query); +} +#define deleteItemsTests 1 + +/* Checks in with securityd to see how many prompts were generated since the last call to this function, and tests against the number expected. + Returns the number generated since the last call. 
*/ +static uint32_t checkPrompts(uint32_t expectedSinceLastCall, char* explanation) { + uint32_t currentPrompts = UINT_MAX; + uint32_t newPrompts = UINT_MAX; + ok_status(SecKeychainGetUserPromptAttempts(¤tPrompts), "%s: SecKeychainGetUserPromptAttempts", testName); + + newPrompts = currentPrompts - promptAttempts; + + is(newPrompts, expectedSinceLastCall, "%s: wrong number of prompts: %s", testName, explanation); + promptAttempts = currentPrompts; + + return newPrompts; +} +#define checkPromptsTests 2 + +#pragma clang diagnostic pop + +#endif /* kc_helpers_h */ diff --git a/OSX/libsecurity_keychain/regressions/kc-identity-helpers.h b/OSX/libsecurity_keychain/regressions/kc-identity-helpers.h new file mode 100644 index 00000000..60c14cff --- /dev/null +++ b/OSX/libsecurity_keychain/regressions/kc-identity-helpers.h 
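Review bot: initializeKeychainTests formats `getenv("HOME")` into four fixed 1000-byte static buffers with unbounded `sprintf`, and when HOME is unset `home_dir` is NULL and `%s` on it is undefined behavior; `startTest` directly above already uses a bounded `strlcpy` with `sizeof`, so `snprintf` plus a NULL guard keeps the helper consistent with it. changePasswordContents has a related length problem: `CFStringGetCStringPtr` may legitimately return NULL, and `CFStringGetLength` counts UTF-16 units rather than UTF-8 bytes, so a non-ASCII password is stored with the wrong byte length; `CFStringCreateExternalRepresentation` with kCFStringEncodingUTF8 gives a correctly sized CFData. The `CFDataCreate` result there, and the `itemList` arrays in readPasswordContentsWithResult and deleteItem, are never released, and checkN releases the caller's `query`, which its header comment should state (`* Consumes (releases) query.`).
```c
static void initializeKeychainTests(const char* thisTestName) {
    const char *home_dir = getenv("HOME");
    if (home_dir == NULL) {
        home_dir = ""; /* malformed path makes the later SecKeychainOpen fail visibly instead of dereferencing NULL */
    }
    snprintf(keychainName, sizeof(keychainName), "test-%s.asdf", thisTestName);
    snprintf(keychainFile, sizeof(keychainFile), "%s/Library/Keychains/%s", home_dir, keychainName);
    snprintf(keychainDbFile, sizeof(keychainDbFile), "%s/Library/Keychains/%s-db", home_dir, keychainName);
    snprintf(keychainTempFile, sizeof(keychainTempFile), "%s/Library/Keychains/test_temp", home_dir);
    /* … unchanged: deleteKeychainFiles, startTest, prompt bookkeeping … */
```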
@@ -0,0 +1,270 @@
+/*
+ * Copyright (c) 2015 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "kc-helpers.h"
+#include <Security/Security.h>
+
+#ifndef kc_identity_helpers_h
+#define kc_identity_helpers_h
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunused-variable"
+#pragma clang diagnostic ignored "-Wunused-function"
+
+static SecIdentityRef
+copyFirstIdentity(SecKeychainRef kc)
+{
+ // Returns the first SecIdentityRef we can find.
+ // This should always succeed since we can fall back on the system identity.
+ // Caller must release the reference.
+
+ CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+
+ /* set up the query */
+ CFDictionaryAddValue( query, kSecClass, kSecClassIdentity );
+ CFDictionaryAddValue( query, kSecMatchLimit, kSecMatchLimitAll );
+ CFDictionaryAddValue( query, kSecReturnRef, kCFBooleanTrue );
+
+ CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue((CFMutableArrayRef)searchList, kc);
+ CFDictionarySetValue(query, kSecMatchSearchList, searchList);
+
+ CFTypeRef results = NULL;
+ OSStatus status = SecItemCopyMatching(query, &results);
+ ok_status(status, "%s: SecItemCopyMatching", testName);
+ CFRelease(query);
+
+ if (status) {
+ return NULL;
+ }
+ if (results) {
+ CFArrayRef resultArray = (CFArrayRef)results;
+ SecIdentityRef identity = (SecIdentityRef)CFArrayGetValueAtIndex(resultArray, 0);
+ CFRetain(identity); // since we will return it
+ CFRelease(results);
+ return identity;
+ }
+ return NULL;
+}
+#define copyFirstIdentityTests 1
+
+// findIdentity
+// - returns a SecIdentityRef for the first identity in the given keychain
+// which matches the provided certificate.
+//
+static SecIdentityRef
+findIdentity(SecKeychainRef keychain, SecCertificateRef cert)
+{
+ OSStatus status = noErr;
+ SecIdentitySearchRef searchRef = NULL;
+ CSSM_DATA certData = { 0, NULL };
+
+ SecIdentityRef outIdentity = NULL;
+
+ if (!keychain || !cert) {
+ return NULL;
+ }
+
+ // note: we should be using CFEqual on certificate references instead of
+ // comparing the certificate data, but that is currently broken
+ status = SecCertificateGetData(cert, &certData);
+ ok_status(status, "%s: findIdentity: SecCertificateGetData", testName);
+ if (status) {
+ return NULL;
+ }
+
+ status = SecIdentitySearchCreate(keychain, (CSSM_KEYUSE)0, &searchRef);
+ while (!status) {
+ SecIdentityRef identityRef = NULL;
+ status = SecIdentitySearchCopyNext(searchRef, &identityRef);
+ if (!status) {
+ SecCertificateRef aCert = NULL;
+ status = SecIdentityCopyCertificate(identityRef, &aCert);
+ if (!status) {
+ CSSM_DATA aCertData = { 0, NULL };
+ status = SecCertificateGetData(aCert, &aCertData);
+ if (!status) {
+ if (aCertData.Length == certData.Length &&
+ !memcmp(aCertData.Data, certData.Data, certData.Length)) {
+ // we found the identity
+ CFRelease(aCert);
+ outIdentity = identityRef;
+ break;
+ }
+ }
+ }
+ if (aCert) {
+ CFRelease(aCert);
+ }
+ }
+ if (identityRef) {
+ CFRelease(identityRef);
+ }
+ }
+
+ ok(outIdentity, "%s: findIdentity: found an identity", testName);
+
+ if (searchRef) {
+ CFRelease(searchRef);
+ }
+
+ return outIdentity;
+}
+#define findIdentityTests 2
+
+unsigned char test_import_p12[] = {
+ 0x30, 0x82, 0x09, 0xbf, 0x02, 0x01, 0x03, 0x30, 0x82, 0x09, 0x86, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+ 0x07, 0x01, 0xa0, 0x82, 0x09, 0x77, 0x04, 0x82, 0x09, 0x73, 0x30, 0x82, 0x09, 0x6f, 0x30, 0x82, 0x03, 0xff, 0x06, 0x09,
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06, 0xa0, 0x82, 0x03, 0xf0, 0x30, 0x82, 0x03, 0xec, 0x02, 0x01, 0x00,
+ 0x30, 0x82, 0x03, 0xe5, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30,
0x1c, 0x06, 0x0a, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06, 0x30, 0x0e, 0x04, 0x08, 0xcb, 0xa2, 0x8c, 0x60, 0xc2, 0x36, 0x55, + 0x05, 0x02, 0x02, 0x08, 0x00, 0x80, 0x82, 0x03, 0xb8, 0x57, 0x1d, 0x4c, 0x1f, 0xc7, 0x4c, 0x00, 0x82, 0xa3, 0xc9, 0x6f, + 0x2e, 0x00, 0x03, 0x1b, 0x55, 0xaa, 0xe5, 0x89, 0x58, 0x18, 0x71, 0xb8, 0xff, 0x40, 0x13, 0xd5, 0xac, 0x7f, 0xf1, 0x48, + 0xb2, 0x7e, 0x6e, 0xeb, 0x6e, 0xde, 0xe8, 0x35, 0x22, 0xa5, 0x45, 0x5a, 0xa6, 0x2e, 0xed, 0x0d, 0xe0, 0x8f, 0x2f, 0x60, + 0x5c, 0xd8, 0x49, 0x89, 0x26, 0x42, 0xd6, 0xe0, 0x24, 0x1c, 0x59, 0x9c, 0xe0, 0xbf, 0x98, 0x0c, 0xc3, 0x81, 0x20, 0x47, + 0x03, 0x03, 0xe2, 0x73, 0x90, 0x13, 0x6e, 0x96, 0x31, 0x68, 0xb7, 0x8f, 0xaa, 0x25, 0x4b, 0x27, 0x95, 0x3f, 0xef, 0xa3, + 0x2b, 0x96, 0x10, 0x85, 0xf3, 0x49, 0x3c, 0x6f, 0x9a, 0x20, 0x02, 0x17, 0x42, 0xe9, 0x9c, 0x5e, 0x5d, 0x4b, 0x3c, 0x88, + 0x65, 0xf5, 0x67, 0x61, 0x3e, 0xa6, 0x1a, 0x0f, 0x5b, 0x1e, 0x35, 0x18, 0x4e, 0xf3, 0x98, 0x93, 0x7e, 0x76, 0x77, 0x31, + 0x3b, 0x00, 0x78, 0x8c, 0x50, 0x28, 0x76, 0xca, 0xc8, 0x39, 0xc5, 0xf5, 0x79, 0x23, 0x4a, 0xea, 0x9a, 0xf0, 0xb5, 0xb6, + 0x50, 0x8d, 0x16, 0xd9, 0x39, 0x74, 0x36, 0x1d, 0x26, 0xcb, 0xbf, 0xb7, 0x72, 0x5e, 0x77, 0xf5, 0xb8, 0x35, 0xfc, 0x66, + 0x4d, 0xdc, 0xd6, 0x20, 0x50, 0x70, 0xc6, 0xf7, 0x13, 0x55, 0xb1, 0x97, 0x7e, 0x1d, 0x6a, 0x7d, 0x73, 0xc2, 0x71, 0x49, + 0xd1, 0x15, 0xe7, 0x30, 0xa7, 0x52, 0x1f, 0x24, 0xe8, 0x7b, 0xd7, 0x81, 0x53, 0x27, 0x94, 0xd0, 0x31, 0xe5, 0x11, 0xe4, + 0x90, 0x8a, 0x02, 0x46, 0x70, 0x82, 0xe7, 0xc4, 0xfe, 0xb5, 0xed, 0xb0, 0x1b, 0xcb, 0xa2, 0x23, 0x5c, 0xd2, 0x95, 0xe6, + 0x2c, 0x5f, 0x2d, 0x07, 0xb1, 0xd8, 0xe8, 0xa0, 0x39, 0xe7, 0xdd, 0x2e, 0x36, 0xac, 0x38, 0xfc, 0x65, 0x99, 0x2c, 0xda, + 0x3d, 0x26, 0x5d, 0x1e, 0x2f, 0xbc, 0x31, 0x36, 0x3e, 0x87, 0x55, 0x5f, 0x40, 0xf1, 0x77, 0x7a, 0x15, 0xa2, 0xc3, 0xe4, + 0x21, 0xc0, 0xe1, 0x11, 0x15, 0x31, 0xf4, 0x7a, 0x51, 0xc3, 0x78, 0x70, 0xfc, 0x3b, 0xed, 0x04, 0x7f, 0x5c, 0xaf, 0x22, + 0x37, 0x1c, 0x80, 
0xb6, 0x7b, 0xdf, 0x11, 0x90, 0x52, 0xc1, 0x0d, 0xfb, 0xaa, 0xd0, 0x43, 0x47, 0xe9, 0xdb, 0x31, 0xb7, + 0xfc, 0x35, 0xbf, 0xce, 0x00, 0x15, 0x0d, 0x51, 0xb1, 0x78, 0x99, 0x55, 0x91, 0x1f, 0xf1, 0x4c, 0x36, 0xfa, 0xc1, 0xa0, + 0xce, 0x86, 0xc9, 0x79, 0x60, 0x07, 0x58, 0xa7, 0xe5, 0x28, 0x28, 0x84, 0x92, 0x03, 0x2c, 0x43, 0xda, 0x69, 0xce, 0x75, + 0x25, 0x01, 0x51, 0x37, 0xd4, 0xfd, 0xa2, 0xc4, 0x09, 0xfb, 0xa0, 0xf5, 0x1f, 0x23, 0x7b, 0xd6, 0x63, 0xd1, 0xb5, 0x5b, + 0xc5, 0xd9, 0xbc, 0xe7, 0xd4, 0x5e, 0x8b, 0x62, 0xee, 0xdb, 0xb7, 0x1e, 0xd2, 0x8b, 0x6e, 0xe4, 0x8c, 0xfd, 0x11, 0x25, + 0xda, 0xac, 0x2a, 0x7a, 0x9a, 0xad, 0x6c, 0x29, 0xe1, 0x1c, 0x68, 0x4f, 0xb3, 0x99, 0x06, 0xb4, 0x72, 0x2a, 0x5a, 0x70, + 0xd6, 0xf6, 0x7c, 0x22, 0x0f, 0x85, 0xf1, 0xc4, 0x30, 0x9f, 0x32, 0x53, 0xa1, 0xb2, 0x1a, 0x41, 0x01, 0xa2, 0x92, 0x58, + 0xa2, 0x27, 0xe8, 0x09, 0xed, 0x75, 0x84, 0x41, 0xcd, 0x19, 0x46, 0x47, 0x86, 0x7d, 0xa0, 0x49, 0xc4, 0x72, 0x94, 0x9f, + 0x43, 0xf2, 0x09, 0x3a, 0x59, 0x56, 0x7c, 0x3b, 0x34, 0x79, 0x1b, 0x58, 0x82, 0xc7, 0x64, 0x19, 0x7c, 0x32, 0x7b, 0x42, + 0x66, 0x9f, 0x32, 0xef, 0x48, 0xb4, 0xf7, 0xd0, 0x74, 0x1f, 0x1c, 0xbe, 0xd4, 0x7a, 0x2a, 0x02, 0xb2, 0x3d, 0x47, 0x15, + 0x40, 0xa8, 0xd5, 0x57, 0xc8, 0xe7, 0x7d, 0x8d, 0xa6, 0xea, 0xe5, 0x21, 0x6a, 0xbe, 0x39, 0x8c, 0xfd, 0x78, 0x26, 0xaf, + 0x31, 0x93, 0x0f, 0x94, 0x07, 0x87, 0x6c, 0xa8, 0x56, 0xd8, 0xc6, 0x79, 0xcf, 0x1d, 0x36, 0xee, 0xab, 0x33, 0x5b, 0x63, + 0xe8, 0x34, 0x00, 0x0c, 0x95, 0x48, 0x34, 0xac, 0xe2, 0xda, 0x61, 0x7a, 0x97, 0x3e, 0x41, 0xe4, 0xb7, 0x30, 0xb0, 0xb3, + 0x96, 0xed, 0x91, 0xb8, 0x5b, 0x20, 0x30, 0xfa, 0xf0, 0xfa, 0xc7, 0xc2, 0x97, 0x14, 0x9b, 0x81, 0xa9, 0x70, 0x8a, 0x10, + 0xf1, 0x75, 0xe4, 0xec, 0x54, 0x3e, 0xd9, 0xa8, 0x94, 0xcd, 0x3a, 0x82, 0xf7, 0xe3, 0xb8, 0x75, 0xd7, 0x49, 0x6c, 0x80, + 0x97, 0xd8, 0xdf, 0x56, 0x66, 0x93, 0xe6, 0xef, 0xa3, 0xc3, 0xd6, 0x34, 0xb7, 0x6f, 0x9b, 0x51, 0xaa, 0x7c, 0x1e, 0x16, + 0x8f, 0x21, 0x8a, 0x0a, 0x9f, 0x0e, 0xbe, 0x6b, 0x96, 0x8b, 0x95, 
0x95, 0x5d, 0x11, 0x39, 0x15, 0x8c, 0xca, 0x9d, 0xec, + 0x26, 0x39, 0x49, 0x1e, 0xf6, 0x16, 0x09, 0x36, 0x95, 0xae, 0xa0, 0x55, 0xbf, 0x94, 0xf2, 0x6f, 0x1b, 0x74, 0x93, 0x97, + 0x6d, 0xd8, 0x00, 0x0c, 0xf0, 0x9e, 0x24, 0xb9, 0xfe, 0x04, 0xfa, 0x30, 0x63, 0x90, 0x28, 0xcb, 0x0d, 0x8e, 0xe8, 0xf0, + 0x7f, 0x9a, 0x69, 0x54, 0xf2, 0xbc, 0x9f, 0x24, 0x0b, 0xd1, 0xda, 0x2f, 0x22, 0x81, 0x22, 0x31, 0x03, 0xc2, 0x60, 0x41, + 0x2e, 0xe0, 0xc6, 0x52, 0x7b, 0x5a, 0x35, 0xbc, 0x00, 0xfd, 0x71, 0x00, 0x19, 0xd3, 0xa4, 0xa8, 0x5b, 0xbc, 0xfc, 0xae, + 0x24, 0x10, 0xb4, 0x21, 0x8c, 0x3c, 0x15, 0xad, 0x2d, 0x1e, 0x33, 0x09, 0x58, 0x93, 0xb4, 0x29, 0x3a, 0xbc, 0x6f, 0x7d, + 0x51, 0x3b, 0x5b, 0x97, 0xfe, 0x67, 0xe1, 0x9e, 0xff, 0x6b, 0xdc, 0xf2, 0xb0, 0x6f, 0xa1, 0x4e, 0x4b, 0xf2, 0xdf, 0xd6, + 0xa4, 0xec, 0x8d, 0x19, 0x6d, 0x30, 0x67, 0xde, 0x04, 0x5e, 0xaf, 0xd7, 0xd4, 0x42, 0xf8, 0xbc, 0xca, 0xfc, 0x49, 0xc0, + 0xe7, 0xcd, 0xfc, 0xab, 0xca, 0x3f, 0x67, 0xff, 0xfb, 0x41, 0xc0, 0xe4, 0xe8, 0x0c, 0xe8, 0x2e, 0xca, 0x43, 0xfb, 0xec, + 0xe0, 0xeb, 0xea, 0x30, 0x14, 0xca, 0x30, 0x8d, 0x49, 0xaa, 0x99, 0x71, 0xcb, 0x85, 0xa4, 0x68, 0xda, 0xd1, 0xbe, 0xa9, + 0xc6, 0xee, 0x26, 0xdf, 0x3f, 0xde, 0x39, 0x29, 0x6c, 0x45, 0x9e, 0x41, 0x88, 0x63, 0xd8, 0x31, 0x47, 0x8e, 0xdc, 0xc8, + 0xe4, 0x28, 0x25, 0x75, 0x11, 0x99, 0xdd, 0x28, 0x25, 0xa7, 0x5e, 0xac, 0x7f, 0x0c, 0xb5, 0x2b, 0x62, 0x9d, 0xe0, 0xda, + 0xe3, 0xc2, 0xd8, 0x8d, 0xc6, 0x25, 0x5f, 0x08, 0x6e, 0xfc, 0xcd, 0xae, 0x4c, 0x99, 0x41, 0xc4, 0x75, 0x3e, 0x5e, 0x51, + 0xa1, 0x76, 0x47, 0x93, 0x4a, 0x83, 0x51, 0x91, 0xf3, 0x92, 0xd0, 0x29, 0xa6, 0x44, 0x3c, 0x2a, 0x91, 0x3f, 0x01, 0x75, + 0xeb, 0x6f, 0xf3, 0x3c, 0x04, 0xd3, 0x74, 0x7a, 0xfc, 0x7a, 0x39, 0x70, 0xc8, 0x3a, 0x89, 0x93, 0xbd, 0xfd, 0xd7, 0x41, + 0x2c, 0xb0, 0xd3, 0xef, 0xd0, 0xd5, 0x75, 0x24, 0xb1, 0x0e, 0x3d, 0x89, 0x8e, 0xde, 0xa7, 0x40, 0x80, 0xd2, 0x05, 0xe5, + 0x18, 0xa2, 0xf3, 0x30, 0x22, 0x56, 0x0b, 0xbc, 0x05, 0xb0, 0x48, 0x9a, 0x42, 0xb7, 0xe1, 0x32, 0xba, 0x52, 0x99, 
0x22, + 0xf6, 0x30, 0x82, 0x05, 0x68, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x05, 0x59, + 0x04, 0x82, 0x05, 0x55, 0x30, 0x82, 0x05, 0x51, 0x30, 0x82, 0x05, 0x4d, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x82, 0x04, 0xee, 0x30, 0x82, 0x04, 0xea, 0x30, 0x1c, 0x06, 0x0a, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, 0x0e, 0x04, 0x08, 0x8e, 0x7e, 0x90, 0x94, 0xaf, 0x09, 0xc5, 0xbc, 0x02, + 0x02, 0x08, 0x00, 0x04, 0x82, 0x04, 0xc8, 0x0c, 0x7c, 0x7f, 0x58, 0x8b, 0x41, 0x9a, 0xb8, 0x70, 0xbf, 0x6c, 0x4c, 0xb8, + 0x7d, 0x72, 0xa5, 0x50, 0xe6, 0xc4, 0xaf, 0x74, 0x0e, 0x88, 0xbf, 0x83, 0x51, 0xbc, 0xe1, 0x66, 0x8a, 0x9f, 0x42, 0x11, + 0x2b, 0x3d, 0x8c, 0x10, 0xa3, 0xc2, 0xdf, 0xb9, 0x36, 0x74, 0xc1, 0x18, 0x23, 0x1e, 0x9a, 0xbf, 0x8d, 0x0a, 0x4b, 0x63, + 0xd5, 0x20, 0x1b, 0xae, 0xb0, 0x64, 0xfc, 0xe1, 0x5c, 0xe7, 0xde, 0xa3, 0x6f, 0x8e, 0xe3, 0xc9, 0x8d, 0x18, 0x63, 0x7f, + 0x26, 0x4a, 0x3d, 0x41, 0x76, 0xa6, 0xaa, 0x3f, 0x27, 0x75, 0xec, 0x2f, 0x78, 0xd2, 0x40, 0x28, 0xe7, 0xf5, 0xee, 0x61, + 0x6d, 0x49, 0xe0, 0x64, 0x33, 0xc9, 0x9e, 0xf6, 0xda, 0x86, 0x3a, 0xad, 0x47, 0x13, 0xe2, 0x8a, 0x0b, 0x98, 0xe7, 0x73, + 0xea, 0x08, 0x59, 0xfe, 0x74, 0x6f, 0x10, 0x7d, 0xbc, 0x0b, 0xb9, 0xcf, 0xe7, 0xe7, 0x28, 0xe8, 0xfe, 0x20, 0x8a, 0x98, + 0x40, 0x00, 0x52, 0xa0, 0x0c, 0x5c, 0xfa, 0x48, 0x5b, 0xf4, 0x3c, 0x76, 0x5d, 0xf4, 0x33, 0x53, 0xd4, 0x51, 0x43, 0x47, + 0x29, 0xda, 0xff, 0xbd, 0xfe, 0x71, 0x5b, 0x50, 0xa1, 0xa5, 0x25, 0xe9, 0xcc, 0x68, 0x74, 0x9f, 0x7f, 0x39, 0x65, 0x5e, + 0xb9, 0x71, 0x8f, 0x25, 0x68, 0xe6, 0x71, 0x06, 0x10, 0xa2, 0xfb, 0x08, 0x54, 0x21, 0xca, 0x28, 0xfc, 0xf1, 0x89, 0xb9, + 0x29, 0x11, 0x67, 0x00, 0x19, 0xdd, 0x00, 0xd8, 0x48, 0x89, 0x46, 0x0d, 0x39, 0x0c, 0x7e, 0x94, 0x02, 0x80, 0x37, 0xa0, + 0x01, 0x45, 0x25, 0xbd, 0x8b, 0x44, 0xcc, 0xdf, 0x43, 0xa1, 0x1d, 0xf5, 0x59, 0x4b, 0x07, 0xe6, 0xab, 0x15, 0x93, 0x3d, + 0xea, 0x7d, 0xd6, 0xaa, 0xb0, 0x97, 
0xed, 0x1d, 0x5e, 0xc2, 0xf0, 0xea, 0x1b, 0xc2, 0xcc, 0x88, 0x47, 0x3e, 0xe4, 0x54, + 0xc3, 0x02, 0xac, 0x5e, 0x88, 0xb9, 0x2f, 0x82, 0xd4, 0xd0, 0x5d, 0xb2, 0x2a, 0xee, 0x94, 0x3d, 0xdb, 0x82, 0x93, 0xc6, + 0x69, 0x5f, 0x40, 0x83, 0xf0, 0x07, 0x8d, 0x9f, 0x7f, 0x29, 0x3f, 0x4d, 0x3b, 0x08, 0xd9, 0x29, 0xf5, 0x1c, 0x0f, 0x18, + 0x42, 0x4b, 0xd9, 0x01, 0xda, 0x71, 0x92, 0xa8, 0x32, 0xa7, 0x53, 0x6f, 0xd0, 0x74, 0x4a, 0xee, 0x39, 0x04, 0xf1, 0x2d, + 0xee, 0x50, 0xbe, 0x48, 0xb1, 0x90, 0x21, 0x24, 0x28, 0x40, 0xa9, 0x85, 0xe1, 0x81, 0x77, 0x37, 0xa8, 0x86, 0x15, 0x7d, + 0x16, 0xb2, 0xe7, 0xcc, 0xe0, 0xa2, 0x7e, 0x58, 0xb3, 0xdc, 0xf9, 0x41, 0xae, 0x36, 0xba, 0x55, 0x87, 0x64, 0x01, 0xfd, + 0xc9, 0x0e, 0xa1, 0xfe, 0x55, 0xc3, 0x2a, 0x66, 0xd5, 0x83, 0x39, 0x7e, 0x5a, 0xe8, 0x28, 0x76, 0x36, 0xbb, 0x39, 0xa9, + 0xb7, 0xc6, 0xcf, 0x99, 0x56, 0xe5, 0xbf, 0x4d, 0xb2, 0xa0, 0xac, 0x64, 0x00, 0xc9, 0x42, 0x79, 0x47, 0x46, 0xd7, 0x9c, + 0x4a, 0x33, 0x03, 0x55, 0x07, 0x7f, 0x05, 0x23, 0xe3, 0x51, 0x35, 0xa9, 0x32, 0xe9, 0xa6, 0xf2, 0xe2, 0x42, 0x4d, 0x00, + 0xbb, 0xdb, 0xc3, 0x85, 0x05, 0xcb, 0xe4, 0xb1, 0x0a, 0x03, 0xf4, 0xe5, 0x27, 0x28, 0x12, 0xec, 0x1e, 0xd4, 0xd7, 0x43, + 0xe3, 0x05, 0xc7, 0x92, 0xd2, 0x8e, 0xf7, 0xae, 0x55, 0x1a, 0x50, 0x88, 0x2f, 0x91, 0x05, 0x65, 0x4b, 0xe3, 0xba, 0xc0, + 0x42, 0x86, 0x19, 0x2b, 0x64, 0xfc, 0x46, 0x31, 0x9b, 0xd2, 0x88, 0x32, 0xf8, 0x4d, 0x91, 0xd4, 0xc6, 0x77, 0xcb, 0x29, + 0x00, 0x5e, 0xd2, 0x48, 0x99, 0x0e, 0x3f, 0x2d, 0x4f, 0xdb, 0x9b, 0x05, 0xea, 0xa1, 0x3d, 0x9f, 0x21, 0x83, 0x6f, 0xcf, + 0xe9, 0x1c, 0x65, 0x40, 0x3c, 0x8b, 0x2a, 0x38, 0x8f, 0x1b, 0x5a, 0x3c, 0x73, 0x7a, 0xfc, 0x81, 0x69, 0xb3, 0xff, 0xb6, + 0x25, 0x12, 0x3f, 0xda, 0x50, 0xe7, 0xde, 0xfe, 0xd3, 0x31, 0x2f, 0xb4, 0x99, 0x87, 0xae, 0x17, 0xaf, 0xe4, 0xb8, 0x35, + 0xf7, 0x3c, 0xc0, 0x99, 0x0e, 0x75, 0x72, 0xb6, 0x46, 0xa1, 0x55, 0xef, 0xff, 0x48, 0x3b, 0x5c, 0x85, 0xf7, 0xc3, 0x03, + 0x0a, 0x49, 0x0f, 0x11, 0x48, 0x13, 0x8b, 0x90, 0x73, 0x33, 0xb6, 0x22, 0x35, 0x45, 
0x07, 0x80, 0x1a, 0xf9, 0x91, 0x80, + 0x9d, 0x8b, 0xc7, 0x8e, 0xcc, 0x3a, 0x52, 0x93, 0x8f, 0xf6, 0x59, 0x3c, 0x69, 0xf7, 0x52, 0x9a, 0x8d, 0x8e, 0xfe, 0x8a, + 0x41, 0xb0, 0x43, 0x74, 0x04, 0xe8, 0x0e, 0xf5, 0xc1, 0x4c, 0xa3, 0x8d, 0xe3, 0x98, 0x25, 0xf6, 0xd5, 0x0d, 0xa9, 0x2d, + 0xb7, 0x6f, 0x52, 0x22, 0x43, 0x59, 0x30, 0x6d, 0x54, 0xb6, 0xad, 0x73, 0xa1, 0xe8, 0xee, 0x10, 0xbd, 0x55, 0xa4, 0x7f, + 0xc3, 0x1d, 0xad, 0x8e, 0x72, 0xf1, 0x26, 0x6d, 0xa1, 0xaf, 0xda, 0x82, 0x37, 0xa1, 0x6d, 0xfe, 0x78, 0xd1, 0x88, 0x65, + 0x6a, 0xb2, 0x33, 0x23, 0xcd, 0xba, 0xbe, 0x09, 0x66, 0x61, 0x33, 0xdc, 0x69, 0xed, 0x4f, 0xe6, 0xfb, 0x2f, 0x7d, 0xd0, + 0xfd, 0x7a, 0x21, 0x69, 0x2d, 0x1f, 0xd4, 0xc4, 0x93, 0x7c, 0x34, 0x7d, 0x67, 0x2c, 0xe9, 0x2a, 0x9a, 0x53, 0xc2, 0xbf, + 0xf9, 0x06, 0x10, 0xa6, 0xa8, 0x60, 0xe3, 0x01, 0xcb, 0x2b, 0x03, 0xdb, 0xb7, 0x27, 0xe9, 0x86, 0xe8, 0x7d, 0x75, 0xce, + 0x80, 0xdb, 0xaf, 0xe9, 0x7e, 0x75, 0xad, 0xe3, 0xd4, 0xc4, 0xf3, 0x10, 0x89, 0x16, 0xcb, 0xc6, 0x23, 0x5a, 0x58, 0x66, + 0xb6, 0x2a, 0xd7, 0xc9, 0x69, 0xd3, 0x7f, 0xa2, 0x9a, 0x5c, 0x1c, 0xd4, 0xf8, 0xe3, 0xe0, 0x63, 0x01, 0x88, 0x14, 0xb3, + 0x20, 0xe3, 0x22, 0x45, 0x3d, 0xae, 0xaf, 0x0b, 0x55, 0xa1, 0x65, 0xec, 0x16, 0x0b, 0x35, 0x37, 0x6f, 0x12, 0x5f, 0x29, + 0x47, 0xee, 0xdd, 0xbb, 0xcf, 0x9f, 0x87, 0xaf, 0x7d, 0xaa, 0xf4, 0x01, 0x45, 0xea, 0x5f, 0x00, 0x87, 0x1e, 0xeb, 0x2f, + 0x77, 0x2b, 0x92, 0x42, 0x04, 0x45, 0x33, 0xf2, 0xfb, 0x6b, 0xac, 0xca, 0x98, 0x79, 0x56, 0x6f, 0xe7, 0x5b, 0xbd, 0x63, + 0xc7, 0x3a, 0x8c, 0xfd, 0x93, 0xb1, 0x13, 0x4e, 0xc2, 0x05, 0x7f, 0xde, 0x44, 0xa8, 0xb7, 0xc4, 0x9c, 0xba, 0x57, 0x58, + 0x3b, 0xba, 0xb5, 0x74, 0x73, 0x97, 0x20, 0x53, 0x70, 0x70, 0x65, 0xf1, 0x81, 0xea, 0x07, 0xc2, 0xbe, 0x57, 0x71, 0x62, + 0x3b, 0xc0, 0x3c, 0x07, 0x65, 0xf4, 0x22, 0xfb, 0xd3, 0xf9, 0x2d, 0xb3, 0x20, 0xdd, 0x66, 0x51, 0x89, 0x54, 0x57, 0xcd, + 0xd7, 0xc7, 0x1a, 0xd9, 0xfe, 0xe0, 0x13, 0x9d, 0x7d, 0xe7, 0xe3, 0x2f, 0x65, 0x3e, 0xf0, 0xb2, 0xd9, 0x0c, 0x1a, 0xa9, + 0xaa, 
0xba, 0x3b, 0x79, 0x86, 0xed, 0x6c, 0xbf, 0x9e, 0x9b, 0xb5, 0x78, 0xd8, 0x9e, 0x2f, 0x95, 0xcc, 0x31, 0xb4, 0x5f, + 0xd3, 0x63, 0xff, 0xb9, 0x62, 0x34, 0xfd, 0x78, 0x1f, 0xac, 0xe7, 0xbd, 0x29, 0x09, 0x2a, 0x1c, 0x94, 0xc5, 0x28, 0x6c, + 0x04, 0x59, 0xeb, 0xd6, 0x7c, 0x0d, 0x45, 0x07, 0xd9, 0xde, 0x89, 0xa1, 0xd8, 0x38, 0x8a, 0x2b, 0x9f, 0xc3, 0xdb, 0x55, + 0x89, 0x90, 0xc6, 0x75, 0xd0, 0x2f, 0x85, 0x9b, 0x0a, 0x5e, 0x04, 0xa1, 0xf9, 0xf7, 0x16, 0x35, 0x9d, 0x97, 0xfe, 0x7c, + 0x4b, 0x27, 0x4c, 0xc3, 0x8a, 0x2a, 0x56, 0x6a, 0x41, 0xe5, 0xd3, 0x82, 0xeb, 0xd2, 0x62, 0x4e, 0x11, 0x1e, 0x4e, 0xae, + 0xa4, 0x79, 0x89, 0x20, 0x82, 0x6e, 0x39, 0x7d, 0x70, 0xf8, 0x17, 0xd6, 0xe3, 0x67, 0x9a, 0x14, 0xd7, 0xc8, 0x80, 0xbe, + 0x62, 0x52, 0xe7, 0x69, 0xab, 0x98, 0xa9, 0x14, 0x98, 0xbd, 0x30, 0xf4, 0xab, 0x2c, 0x22, 0x6b, 0x5f, 0xee, 0x58, 0xf3, + 0x6f, 0x15, 0xea, 0xce, 0xd3, 0x1b, 0x07, 0xfa, 0xe6, 0x4c, 0xeb, 0xeb, 0x30, 0xa6, 0xff, 0x03, 0xc9, 0x75, 0x94, 0xa5, + 0x5b, 0x68, 0xd3, 0x42, 0x85, 0x3f, 0xa4, 0x87, 0xee, 0x3f, 0x14, 0x63, 0x16, 0x52, 0x26, 0x3b, 0x1a, 0xee, 0x48, 0x77, + 0x6e, 0x4a, 0x56, 0x01, 0x53, 0x54, 0x1b, 0xa6, 0xd7, 0x72, 0x98, 0x89, 0xd5, 0xf7, 0x11, 0x3a, 0x86, 0xac, 0x64, 0xe6, + 0x59, 0xba, 0x07, 0xea, 0x23, 0x21, 0x05, 0xd6, 0x14, 0xed, 0x88, 0x2e, 0x96, 0xb3, 0x90, 0xc3, 0xb7, 0xc4, 0x5b, 0x8f, + 0x0e, 0xcd, 0x56, 0xba, 0xb8, 0x4b, 0x7b, 0xfd, 0xd4, 0x7d, 0x0c, 0xcb, 0xe1, 0xff, 0xaf, 0x3e, 0x2a, 0x7c, 0x1a, 0xe5, + 0x66, 0x65, 0x59, 0x42, 0xd7, 0x3b, 0xd2, 0x2e, 0x89, 0x1d, 0x64, 0xc0, 0xbd, 0xec, 0x8c, 0xaa, 0x06, 0xb8, 0x5a, 0x7c, + 0xb8, 0xd0, 0xa5, 0xef, 0x5a, 0xf3, 0x92, 0x4c, 0x2f, 0x60, 0x98, 0x34, 0x73, 0x49, 0x92, 0x7a, 0x5d, 0x7c, 0x2c, 0xcd, + 0x0b, 0xfb, 0x28, 0xd9, 0x3e, 0xfa, 0xbd, 0x76, 0x0f, 0xaa, 0x71, 0xfa, 0x98, 0x36, 0x94, 0x97, 0xaa, 0x97, 0x1f, 0x34, + 0x21, 0x72, 0xc6, 0x19, 0xb4, 0xe3, 0xaa, 0x05, 0x16, 0xda, 0xaa, 0x92, 0x04, 0x49, 0xc7, 0x97, 0x42, 0x58, 0xd0, 0x80, + 0xdc, 0x9e, 0xcf, 0xfa, 0x5f, 0x4b, 0xbc, 0x78, 0xff, 
0x95, 0x39, 0x31, 0x4c, 0x30, 0x25, 0x06, 0x09, 0x2a, 0x86, 0x48,
+ 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, 0x18, 0x1e, 0x16, 0x00, 0x74, 0x00, 0x65, 0x00, 0x73, 0x00, 0x74, 0x00, 0x5f,
+ 0x00, 0x69, 0x00, 0x6d, 0x00, 0x70, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x74, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x0d, 0x01, 0x09, 0x15, 0x31, 0x16, 0x04, 0x14, 0xf6, 0x4d, 0x65, 0x40, 0x9d, 0xff, 0x26, 0x84, 0x3f, 0x6e, 0x6b,
+ 0x99, 0x75, 0xb0, 0xae, 0x60, 0x01, 0x8c, 0xf0, 0xf9, 0x30, 0x30, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03,
+ 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0x3d, 0xbb, 0x58, 0x44, 0x6c, 0xa3, 0x3c, 0x48, 0xaa, 0x52, 0x76, 0xd1, 0xef, 0x3a,
+ 0xe2, 0xa4, 0x23, 0xcc, 0x4d, 0x38, 0x04, 0x08, 0x11, 0xa4, 0xda, 0x79, 0x3e, 0xdd, 0xba, 0xfa, 0x02, 0x01, 0x01
+};
+unsigned int test_import_p12_len = 2499;
+
+// test_import_p12's password: "password"
+
+#pragma clang diagnostic pop
+
+#endif /* kc_identity_helpers_h */
diff --git a/OSX/libsecurity_keychain/regressions/kc-item-helpers.h b/OSX/libsecurity_keychain/regressions/kc-item-helpers.h
new file mode 100644
index 00000000..1a4c901e
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-item-helpers.h
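Review bot: `copyFirstIdentity` leaks `searchList`: `CFArrayCreateMutable` hands back an owned reference, `CFDictionarySetValue` retains its own, and the later `CFRelease(query)` only drops the dictionary's, so add `CFRelease(searchList);` directly after the `CFDictionarySetValue(query, kSecMatchSearchList, searchList);` line. The same owned-reference leak recurs in `convertToQuery` in the kc-item-helpers.h hunk and in `makeQueryKeyDictionary` in the kc-key-helpers.h hunk. In the same function, `CFArrayGetValueAtIndex(resultArray, 0)` is reached whenever `results` is non-NULL; if `SecItemCopyMatching` can ever succeed with an empty array that index is out of range, so a `CFArrayGetCount(resultArray) > 0` guard is cheap insurance. Separately, `test_import_p12` and `test_import_p12_len` are defined with external linkage inside a header, so two translation units including it will collide at link time; declaring both `static` (which the `-Wunused-variable` pragma above already anticipates) fixes that, and `test_import_p12_len` could be `sizeof test_import_p12` instead of a hand-maintained `2499`.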
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 2015 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "kc-helpers.h"
+#include "utilities/SecCFRelease.h"
+
+#ifndef kc_item_helpers_h
+#define kc_item_helpers_h
+
+#if TARGET_OS_MAC
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunused-variable"
+#pragma clang diagnostic ignored "-Wunused-function"
+
+static CFMutableDictionaryRef makeBaseDictionary(CFStringRef itemclass) {
+ CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue);
+ CFDictionarySetValue(query, kSecClass, itemclass);
+
+ return query;
+}
+
+static CFMutableDictionaryRef convertToQuery(CFMutableDictionaryRef query, SecKeychainRef kc) {
+ CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue((CFMutableArrayRef)searchList, kc);
+ CFDictionarySetValue(query, kSecMatchSearchList, searchList);
+
+ CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll);
+
+ return query;
+}
+
+static CFMutableDictionaryRef addLabel(CFMutableDictionaryRef query, CFStringRef label) {
+ CFDictionarySetValue(query, kSecAttrLabel, label);
+ return query;
+}
+
+static CFMutableDictionaryRef makeBaseItemDictionary(CFStringRef itemclass, CFStringRef service) {
+ CFMutableDictionaryRef query = makeBaseDictionary(itemclass);
+
+ if(CFEqual(itemclass, kSecClassInternetPassword)) {
+ CFDictionarySetValue(query, kSecAttrServer, service == NULL ? CFSTR("test_service") : service);
+ CFDictionarySetValue(query, kSecAttrAuthenticationType, CFSTR("dflt")); // Default, I guess?
+ } else {
+ // Generic passwords have services
+ CFDictionarySetValue(query, kSecAttrService, service == NULL ? CFSTR("test_service") : service);
+ }
+ return query;
+}
+
+static CFMutableDictionaryRef makeQueryItemDictionaryWithService(SecKeychainRef kc, CFStringRef itemclass, CFStringRef service) {
+ return convertToQuery(makeBaseItemDictionary(itemclass, service), kc);
+}
+static CFMutableDictionaryRef makeQueryItemDictionary(SecKeychainRef kc, CFStringRef itemclass) {
+ return makeQueryItemDictionaryWithService(kc, itemclass, NULL);
+}
+
+static CFMutableDictionaryRef makeBaseQueryDictionary(SecKeychainRef kc, CFStringRef itemclass) {
+ return convertToQuery(makeBaseDictionary(itemclass), kc);
+}
+
+static CFMutableDictionaryRef makeQueryCustomItemDictionaryWithService(SecKeychainRef kc, CFStringRef itemclass, CFStringRef label, CFStringRef service) {
+ CFMutableDictionaryRef query = makeQueryItemDictionaryWithService(kc, itemclass, service);
+ CFDictionarySetValue(query, kSecAttrLabel, label);
+ return query;
+}
+static CFMutableDictionaryRef makeQueryCustomItemDictionary(SecKeychainRef kc, CFStringRef itemclass, CFStringRef label) {
+ return makeQueryCustomItemDictionaryWithService(kc, itemclass, label, NULL);
+}
+
+static CFMutableDictionaryRef makeAddCustomItemDictionaryWithService(SecKeychainRef kc, CFStringRef itemclass, CFStringRef label, CFStringRef account, CFStringRef service) {
+ CFMutableDictionaryRef query = makeBaseItemDictionary(itemclass, service);
+
+ CFDictionaryAddValue(query, kSecUseKeychain, kc);
+ CFDictionarySetValue(query, kSecAttrAccount, account);
+ CFDictionarySetValue(query, kSecAttrComment, CFSTR("a comment"));
+ CFDictionarySetValue(query, kSecAttrLabel, label);
+ CFDictionarySetValue(query, kSecValueData, CFDataCreate(NULL, (void*)"data", 4));
+ return query;
+}
+static CFMutableDictionaryRef makeAddCustomItemDictionary(SecKeychainRef kc, CFStringRef itemclass, CFStringRef label, CFStringRef account) {
+ return makeAddCustomItemDictionaryWithService(kc, itemclass, label, account, NULL);
+}
+
+static CFMutableDictionaryRef makeAddItemDictionary(SecKeychainRef kc, CFStringRef itemclass, CFStringRef label) {
+ return makeAddCustomItemDictionary(kc, itemclass, label, CFSTR("test_account"));
+}
+
+static SecKeychainItemRef makeCustomItem(const char* name, SecKeychainRef kc, CFDictionaryRef addDictionary) {
+ CFTypeRef result = NULL;
+ ok_status(SecItemAdd(addDictionary, &result), "%s: SecItemAdd", name);
+ ok(result != NULL, "%s: SecItemAdd returned a result", name);
+
+ SecKeychainItemRef item = (SecKeychainItemRef) result;
+ ok(item != NULL, "%s: Couldn't convert into SecKeychainItemRef", name);
+
+ return item;
+}
+#define makeCustomItemTests 3
+
+static SecKeychainItemRef makeItem(const char* name, SecKeychainRef kc, CFStringRef itemclass, CFStringRef label) {
+ CFMutableDictionaryRef query = makeAddItemDictionary(kc, itemclass, label);
+
+ SecKeychainItemRef item = makeCustomItem(name, kc, query);
+
+ CFReleaseNull(query);
+ return item;
+}
+#define makeItemTests makeCustomItemTests
+
+static void makeCustomDuplicateItem(const char* name, SecKeychainRef kc, CFStringRef itemclass, CFStringRef label) {
+ CFMutableDictionaryRef query = makeAddItemDictionary(kc, itemclass, label);
+
+ CFTypeRef result = NULL;
+ is(SecItemAdd(query, &result), errSecDuplicateItem, "%s: SecItemAdd (duplicate)", name);
+
+ CFReleaseNull(query);
+}
+#define makeCustomDuplicateItemTests 1
+
+static void makeDuplicateItem(const char* name, SecKeychainRef kc, CFStringRef itemclass) {
+ return makeCustomDuplicateItem(name, kc, itemclass, CFSTR("test_label"));
+}
+#define makeDuplicateItemTests makeCustomDuplicateItemTests
+
+
+#pragma clang pop
+#else
+
+#endif /* TARGET_OS_MAC */
+
+#endif /* kc_item_helpers_h */
diff --git a/OSX/libsecurity_keychain/regressions/kc-key-helpers.h b/OSX/libsecurity_keychain/regressions/kc-key-helpers.h
new file mode 100644
index 00000000..08095c8a
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-key-helpers.h
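Review bot: The closing `#pragma clang pop` near the end of kc-item-helpers.h is not a recognised pragma (the matching form is `#pragma clang diagnostic pop`), so the `#pragma clang diagnostic push` at the top is never balanced and the `-Wunused-variable`/`-Wunused-function` suppressions remain in effect for everything a translation unit compiles after including this header. Change that line to `#pragma clang diagnostic pop`. `makeAddCustomItemDictionaryWithService` also leaks the object from `CFDataCreate(NULL, (void*)"data", 4)`: the dictionary retains it, but the owned reference from creation is never released, so create it into a local and release after storing, `CFDataRef data = CFDataCreate(NULL, (void*)"data", 4);` / `CFDictionarySetValue(query, kSecValueData, data);` / `CFRelease(data);`. As a point of style, `makeDuplicateItem` returns a void expression from a void function (`return makeCustomDuplicateItem(...);`), which C11 6.8.6.4 forbids and only compiles as a compiler extension; dropping the `return` keyword keeps the behaviour.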
@@ -0,0 +1,283 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef kc_key_helpers_h
+#define kc_key_helpers_h
+
+#include "kc-helpers.h"
+#include "utilities/SecCFRelease.h"
+
+#if TARGET_OS_MAC
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunused-variable"
+#pragma clang diagnostic ignored "-Wunused-function"
+
+static CFMutableDictionaryRef makeBaseKeyDictionary() {
+ CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(query, kSecClass, kSecClassKey);
+ return query;
+}
+
+static CFMutableDictionaryRef makeQueryKeyDictionary(SecKeychainRef kc, CFStringRef keyClass) {
+ CFMutableDictionaryRef query = makeBaseKeyDictionary();
+
+ CFMutableArrayRef searchList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue((CFMutableArrayRef)searchList, kc);
+ CFDictionarySetValue(query, kSecMatchSearchList, searchList);
+
+ CFDictionarySetValue(query, kSecAttrKeyClass, keyClass);
+
+ CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll);
+ return query;
+}
+
+static CFMutableDictionaryRef makeQueryKeyDictionaryWithLabel(SecKeychainRef kc, CFStringRef keyClass, CFStringRef label) {
+ CFMutableDictionaryRef query = makeQueryKeyDictionary(kc, keyClass);
+ CFDictionarySetValue(query, kSecAttrLabel, label);
+ return query;
+}
+
+static CFMutableDictionaryRef makeAddKeyDictionaryWithApplicationLabel(SecKeychainRef kc, CFStringRef keyClass, CFStringRef label, CFStringRef applicationLabel) {
+ CFMutableDictionaryRef query = makeBaseKeyDictionary();
+ CFDictionaryAddValue(query, kSecUseKeychain, kc);
+
+ CFDictionarySetValue(query, kSecAttrLabel, label);
+ if(applicationLabel) {
+ CFDictionarySetValue(query, kSecAttrApplicationLabel, applicationLabel);
+ } else {
+ CFDictionarySetValue(query, kSecAttrApplicationLabel, CFSTR("test_application")); // without setting this, it uses the current datetime.
+ }
+
+ int32_t n = 0;
+ if(CFEqual(keyClass, kSecAttrKeyClassSymmetric)) {
+ CFDictionarySetValue(query, kSecAttrKeyType, kSecAttrKeyTypeAES);
+ n = 128;
+ } else if(CFEqual(keyClass, kSecAttrKeyClassPublic) ||
+ CFEqual(keyClass, kSecAttrKeyClassPrivate)) {
+ CFDictionarySetValue(query, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ n = 1024;
+ }
+ CFNumberRef num = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &n);
+ CFDictionarySetValue(query, kSecAttrKeySizeInBits, num);
+
+ return query;
+}
+static CFMutableDictionaryRef makeAddKeyDictionary(SecKeychainRef kc, CFStringRef keyClass, CFStringRef label) {
+ return makeAddKeyDictionaryWithApplicationLabel(kc, keyClass, label, NULL);
+}
+
+static SecKeyRef makeCustomKeyWithApplicationLabel(const char* name, SecKeychainRef kc, CFStringRef label, CFStringRef applicationLabel) {
+ CFMutableDictionaryRef query = makeAddKeyDictionaryWithApplicationLabel(kc, kSecAttrKeyClassSymmetric, label, applicationLabel);
+
+ CFErrorRef error = NULL;
+ SecKeyRef item = SecKeyGenerateSymmetric(query, &error);
+ ok(item != NULL, "%s: SecKeyGenerateSymmetric: %ld", name, error ? CFErrorGetCode(error) : 0);
+
+ CFReleaseNull(query);
+ return item;
+}
+#define makeCustomKeyWithApplicationLabelTests 1
+
+static SecKeyRef makeCustomKey(const char* name, SecKeychainRef kc, CFStringRef label) {
+ return makeCustomKeyWithApplicationLabel(name, kc, label, NULL);
+}
+#define makeCustomKeyTests makeCustomKeyWithApplicationLabelTests
+
+static SecKeyRef makeKey(const char* name, SecKeychainRef kc) {
+ return makeCustomKey(name, kc, CFSTR("test_key"));
+}
+#define makeKeyTests makeCustomKeyTests
+
+static void makeCustomKeyPair(const char* name, SecKeychainRef kc, CFStringRef label, SecKeyRef* aPub, SecKeyRef* aPriv) {
+ CFMutableDictionaryRef query = makeAddKeyDictionary(kc, kSecAttrKeyClassPublic, label);
+
+ SecKeyRef pub;
+ SecKeyRef priv;
+ ok_status(SecKeyGeneratePair(query, &pub, &priv), "%s: SecKeyGeneratePair returned a result", name);
+
+ if(aPub) {
+ *aPub = pub;
+ }
+ if(aPriv) {
+ *aPriv = priv;
+ }
+
+ CFReleaseNull(query);
+}
+#define makeCustomKeyPairTests 1
+
+static void makeKeyPair(const char* name, SecKeychainRef kc, SecKeyRef* aPub, SecKeyRef* aPriv) {
+ makeCustomKeyPair(name, kc, CFSTR("test_key"), aPub, aPriv);
+}
+#define makeKeyPairTests makeCustomKeyPairTests
+
+// This only works for symmetric keys; key pairs cannot ever generate a duplicate (due to setting kSecKeyLabel to the hash of the public key)
+static void makeCustomDuplicateKey(const char* name, SecKeychainRef kc, CFStringRef label) {
+ CFMutableDictionaryRef query;
+
+ query = makeAddKeyDictionary(kc, kSecAttrKeyClassSymmetric, label);
+ CFErrorRef error = NULL;
+ CFReleaseSafe(SecKeyGenerateSymmetric(query, &error));
+ is(CFErrorGetCode(error), errSecDuplicateItem, "%s: SecKeyGenerateSymmetric (duplicate) errored: %ld", name, error ? CFErrorGetCode(error) : -1);
+
+ CFReleaseNull(query);
+}
+#define makeCustomDuplicateKeyTests 1
+
+static void makeDuplicateKey(const char* name, SecKeychainRef kc) {
+ makeCustomDuplicateKey(name, kc, CFSTR("test_key"));
+}
+#define makeDuplicateKeyTests makeCustomDuplicateKeyTests
+
+static SecKeyRef makeCustomFreeKey(const char* name, SecKeychainRef kc, CFStringRef label) {
+ SecKeyRef symkey;
+
+ ok_status(SecKeyGenerate(
+ NULL,
+ CSSM_ALGID_AES, 128,
+ 0, /* contextHandle */
+ CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT,
+ CSSM_KEYATTR_EXTRACTABLE,
+ NULL, /* initialAccess */
+ &symkey), "%s: SecKeyGenerate", name);;
+
+ CFMutableDictionaryRef query = makeAddKeyDictionary(kc, kSecAttrKeyClassSymmetric, label);
+
+ CFMutableArrayRef itemList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue((CFMutableArrayRef)itemList, symkey);
+
+ CFDictionarySetValue(query, kSecUseItemList, itemList);
+
+ CFTypeRef result = NULL;
+ ok_status(SecItemAdd(query, &result), "%s: SecItemAdd", name);
+ ok(result != NULL, "%s: SecItemAdd returned a result", name);
+ CFReleaseNull(symkey);
+ return (SecKeyRef) result;
+}
+#define makeCustomFreeKeyTests 3
+
+static SecKeyRef makeFreeKey(const char* name, SecKeychainRef kc) {
+ return makeCustomFreeKey(name, kc, CFSTR("test_free_key"));
+}
+#define makeFreeKeyTests makeCustomFreeKeyTests
+
+static SecKeyRef makeCustomDuplicateFreeKey(const char* name, SecKeychainRef kc, CFStringRef label) {
+ SecKeyRef symkey;
+
+ ok_status(SecKeyGenerate(
+ NULL,
+ CSSM_ALGID_AES, 128,
+ 0, /* contextHandle */
+ CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT,
+ CSSM_KEYATTR_EXTRACTABLE,
+ NULL, /* initialAccess */
+ &symkey), "%s: SecKeyGenerate", name);;
+
+ CFMutableDictionaryRef query = makeAddKeyDictionary(kc, kSecAttrKeyClassSymmetric, label);
+
+ CFMutableArrayRef itemList = (CFMutableArrayRef) CFArrayCreateMutable(kCFAllocatorDefault, 1, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue((CFMutableArrayRef)itemList, symkey);
+
+ CFDictionarySetValue(query, kSecUseItemList, itemList);
+
+ CFTypeRef result = NULL;
+ is(SecItemAdd(query, &result), errSecDuplicateItem, "%s: SecItemAdd (duplicate)", name);
+ CFReleaseNull(symkey);
+ return (SecKeyRef) result;
+}
+#define makeCustomDuplicateFreeKeyTests 2
+
+static SecKeyRef makeDuplicateFreeKey(const char* name, SecKeychainRef kc) {
+ return makeCustomFreeKey(name, kc, CFSTR("test_free_key"));
+}
+#define makeDuplicateFreeKeyTests makeCustomDuplicateFreeKeyTests
+
+#define checkKeyUseTests 4
+static void checkKeyUse(SecKeyRef key, OSStatus expectedStatus) {
+ CFStringRef plaintext = CFSTR("A short story: the string goes into the encryptor, and returns unrecognizable. The decryptor reverses.");
+ CFDataRef plaintextData = CFDataCreate(NULL, (uint8_t*) CFStringGetCStringPtr(plaintext, kCFStringEncodingUTF8), CFStringGetLength(plaintext));
+
+ /* encrypt first */
+ SecTransformRef transform = SecEncryptTransformCreate(key, NULL);
+ SecTransformSetAttribute(transform, kSecPaddingKey, kSecPaddingPKCS7Key, NULL);
+ SecTransformSetAttribute(transform, kSecEncryptionMode, kSecModeCBCKey, NULL);
+ SecTransformSetAttribute(transform, kSecTransformInputAttributeName, plaintextData, NULL);
+
+ CFErrorRef error = NULL;
+ CFDataRef ciphertextData = SecTransformExecute(transform, &error);
+
+ if(error) {
+ is(CFErrorGetCode(error), expectedStatus, "%s: Encrypting data failed: %d %s (and expected %d)", testName, (int) CFErrorGetCode(error), CFStringGetCStringPtr(CFErrorCopyDescription(error), kCFStringEncodingUTF8), (int) expectedStatus);
+
+ if(expectedStatus != errSecSuccess) {
+ // make test numbers match and quit
+ for(int i = 1; i < checkKeyUseTests; i++) {
+ pass("test numbers match");
+ }
+ return;
+ }
+
+ } else {
+ pass("%s: transform executed", testName);
+ }
+
+ CFReleaseSafe(transform);
+
+ /* and now decrypt */
+ transform = SecDecryptTransformCreate(key, NULL);
+ SecTransformSetAttribute(transform, kSecPaddingKey, kSecPaddingPKCS7Key, NULL);
+ SecTransformSetAttribute(transform, kSecEncryptionMode, kSecModeCBCKey, NULL);
+ SecTransformSetAttribute(transform, kSecTransformInputAttributeName, ciphertextData, NULL);
+
+ CFDataRef roundtripData = SecTransformExecute(transform, &error);
+ is(error, NULL, "%s: checkKeyUse: SecTransformExecute (decrypt)", testName);
+
+ if(error) {
+ CFStringRef errorStr = CFErrorCopyDescription(error);
+ fail("%s: Decrypting data failed: %d %s", testName, (int) CFErrorGetCode(error), CFStringGetCStringPtr(errorStr, kCFStringEncodingUTF8));
+ CFRelease(errorStr);
+ } else {
+ pass("%s: make test numbers match", testName);
+ }
+
+ CFReleaseSafe(transform);
+
+ eq_cf(plaintextData, roundtripData, "%s: checkKeyUse: roundtripped data is input data", testName);
+
+ CFReleaseSafe(plaintext);
+ CFReleaseSafe(plaintextData);
+ CFReleaseSafe(ciphertextData);
+ CFReleaseSafe(roundtripData);
+}
+
+
+
+#pragma clang diagnostic pop
+
+#else
+
+#endif /* TARGET_OS_MAC */
+
+
+#endif /* kc_key_helpers_h */
diff --git a/OSX/libsecurity_keychain/regressions/kc-keychain-file-helpers.h b/OSX/libsecurity_keychain/regressions/kc-keychain-file-helpers.h
new file mode 100644
index 00000000..f6d99a41
--- /dev/null
+++ b/OSX/libsecurity_keychain/regressions/kc-keychain-file-helpers.h
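Review bot: makeDuplicateFreeKey forwards to makeCustomFreeKey instead of makeCustomDuplicateFreeKey, so the duplicate-add path it is named for is never exercised and makeDuplicateFreeKeyTests (2) no longer matches the 3 checks that actually run; the body should read `return makeCustomDuplicateFreeKey(name, kc, CFSTR("test_free_key"));`. In makeCustomDuplicateKey the first argument to is() calls CFErrorGetCode(error) unconditionally while the format arguments guard it with `error ? ... : -1`, so a generation that unexpectedly succeeds crashes the run instead of failing the check; `is(error ? CFErrorGetCode(error) : -1, errSecDuplicateItem, ...)` keeps it a plain failure. makeCustomKeyPair leaves `pub` and `priv` uninitialized and copies them into the out-parameters even when SecKeyGeneratePair fails, so `SecKeyRef pub = NULL; SecKeyRef priv = NULL;` would stop callers from releasing indeterminate pointers. checkKeyUse passes the result of CFStringGetCStringPtr(), which may be NULL, straight into CFDataCreate and sizes it with CFStringGetLength(), a UTF-16 count rather than a byte count; the literal is ASCII so it works today, but CFStringGetBytes (or a plain `uint8_t` literal) would make the helper robust if the plaintext changes. The CFErrorRef values and the searchList/itemList/num objects created in these helpers are never released; tolerable in test code, but a one-line comment saying the leak is deliberate would stop the next reader from "fixing" it.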
@@ -0,0 +1,2384 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef kc_file_helpers_h
+#define kc_file_helpers_h
+
+#include <stdlib.h>
+#include <unistd.h>
+
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunused-variable"
+#pragma clang diagnostic ignored "-Wunused-function"
+
+/* Deletes any keychain files that might exist at this location, and ignore any errors */
+static void deleteKeychainFiles(const char* basename) {
+ // remove the keychain if it exists, but ignore any errors
+ unlink(basename);
+ char * dbFilename = NULL;
+ asprintf(&dbFilename, "%s-db", basename);
+ unlink(dbFilename);
+ free(dbFilename);
+}
+
+static SecKeychainRef createNewKeychainAt(const char * filename, const char * password) {
+ deleteKeychainFiles(filename);
+
+ SecKeychainRef keychain = NULL;
+ ok_status(SecKeychainCreate(filename, (UInt32) strlen(password), password, FALSE, NULL, &keychain), "SecKeychainCreate");
+ return keychain;
+}
+
+static SecKeychainRef createNewKeychain(const char * name, const char * password) {
+ const char *home_dir = getenv("HOME");
+ char * filename;
+
+ asprintf(&filename, "%s/Library/Keychains/%s", home_dir, name);
+ SecKeychainRef keychain = createNewKeychainAt(filename, password);
+ free(filename);
+ return keychain;
+}
+
+static void writeFile(const char* path, uint8_t* buf, size_t len) {
+ FILE * fp = fopen(path, "w+");
+ fwrite(buf, sizeof(uint8_t), len, fp);
+ fclose(fp);
+}
+
+// The following keychain includes:
+//
+// security add-internet-password -s test_service_restrictive_acl -a test_account -j "a useful comment" -r "htps" -t dflt -w test_password test.keychain
+// security add-internet-password -s test_service -a test_account -j "a useful comment" -r "htps" -t dflt -w test_password -A test.keychain
+// security add-generic-password -a test_account -s test_service -j "another useful comment" -w test_password -A test.keychain
+// security add-generic-password -a test_account -s test_service_restrictive_acl -j "another useful comment" -w test_password test.keychain
+
+// With certificate assistant, added a:
+// Code Signing identity
+// S/MIME identity
+
+const char * test_keychain_password = "password";
+
+unsigned char test_keychain[] = {
+ 0x6b, 0x79, 0x63, 0x68, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0xb3, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x03, 0x64, 0x00, 0x00, 0x1b, 0x70,
+ 0x00, 0x00, 0x4d, 0xe8, 0x00, 0x00, 0x4e, 0x10, 0x00, 0x00, 0x57, 0xe0, 0x00, 0x00, 0x6c, 0x88, 0x00, 0x00, 0x8b, 0x44,
+ 0x00, 0x00, 0x91, 0x20, 0x00, 0x00, 0x96, 0x4c, 0x00, 0x00, 0x97, 0x0c, 0x00, 0x00, 0xb2, 0x28, 0x00, 0x00, 0x03, 0x2c,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x03, 0x24, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x8c, 0x00, 0x00, 0x00, 0xd0, 0x00, 0x00, 0x01, 0x14,
+ 0x00, 0x00, 0x01, 0x5c, 0x00, 0x00, 0x01, 0x84, 0x00, 0x00, 0x01, 0xac, 0x00,
0x00, 0x01, 0xd4, 0x00, 0x00, 0x02, 0x04, + 0x00, 0x00, 0x02, 0x48, 0x00, 0x00, 0x02, 0x90, 0x00, 0x00, 0x02, 0xd8, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, + 0x44, 0x42, 0x5f, 0x53, 0x43, 0x48, 0x45, 0x4d, 0x41, 0x5f, 0x49, 0x4e, 0x46, 0x4f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x1c, 0x43, 0x53, 0x53, 0x4d, + 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x53, 0x43, 0x48, 0x45, 0x4d, 0x41, 0x5f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, + 0x55, 0x54, 0x45, 0x53, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x19, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x53, 0x43, 0x48, 0x45, 0x4d, + 0x41, 0x5f, 0x49, 0x4e, 0x44, 0x45, 0x58, 0x45, 0x53, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x20, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, + 0x44, 0x42, 0x5f, 0x53, 0x43, 0x48, 0x45, 0x4d, 0x41, 0x5f, 0x50, 0x41, 0x52, 0x53, 0x49, 0x4e, 0x47, 0x5f, 0x4d, 0x4f, + 0x44, 0x55, 0x4c, 0x45, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x80, 0x00, 0x00, 0x00, + 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x80, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x80, 0x00, 0x80, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x44, 0x42, 0x42, 0x6c, 0x6f, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x1c, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, + 0x44, 0x42, 0x5f, 0x52, 0x45, 0x43, 0x4f, 0x52, 0x44, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, + 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x1d, + 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x52, 0x45, 0x43, 0x4f, 0x52, 0x44, 0x5f, 0x50, 0x52, + 0x49, 0x56, 0x41, 0x54, 0x45, 0x5f, 0x4b, 0x45, 0x59, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x0a, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x1f, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, + 0x44, 0x42, 0x5f, 0x52, 0x45, 0x43, 0x4f, 0x52, 
0x44, 0x5f, 0x53, 0x59, 0x4d, 0x4d, 0x45, 0x54, 0x52, 0x49, 0x43, 0x5f, + 0x4b, 0x45, 0x59, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x25, 0x80, 0x00, 0x10, 0x00, + 0x00, 0x00, 0x00, 0x22, 0x43, 0x53, 0x53, 0x4d, 0x5f, 0x44, 0x4c, 0x5f, 0x44, 0x42, 0x5f, 0x52, 0x45, 0x43, 0x4f, 0x52, + 0x44, 0x5f, 0x58, 0x35, 0x30, 0x39, 0x5f, 0x43, 0x45, 0x52, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x45, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x0c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x5a, + 0x00, 0x00, 0x01, 0x84, 0x00, 0x00, 0x18, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5a, 0x00, 0x00, 0x01, 0x84, + 0x00, 0x00, 0x01, 0xc4, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x02, 0x44, 0x00, 0x00, 0x02, 0x84, 0x00, 0x00, 0x02, 0xc4, + 0x00, 0x00, 0x03, 0x04, 0x00, 0x00, 0x03, 0x44, 0x00, 0x00, 0x03, 0x84, 0x00, 0x00, 0x03, 0xc4, 0x00, 0x00, 0x04, 0x04, + 0x00, 0x00, 0x04, 0x44, 0x00, 0x00, 0x04, 0x84, 0x00, 0x00, 0x04, 0xc4, 0x00, 0x00, 0x05, 0x04, 0x00, 0x00, 0x05, 0x44, + 0x00, 0x00, 0x05, 0x84, 0x00, 0x00, 0x05, 0xc4, 0x00, 0x00, 0x06, 0x04, 0x00, 0x00, 0x06, 0x44, 0x00, 0x00, 0x06, 0x84, + 0x00, 0x00, 0x06, 0xc4, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x07, 0x44, 0x00, 0x00, 0x07, 0x84, 0x00, 0x00, 0x07, 0xc4, + 0x00, 0x00, 0x08, 0x04, 0x00, 0x00, 0x08, 0x44, 0x00, 0x00, 0x08, 0x84, 0x00, 0x00, 0x08, 0xc4, 0x00, 0x00, 0x09, 0x04, + 0x00, 0x00, 0x09, 0x44, 0x00, 0x00, 0x09, 0x84, 0x00, 0x00, 0x09, 0xc4, 0x00, 0x00, 0x0a, 0x04, 0x00, 0x00, 0x0a, 0x44, + 0x00, 0x00, 0x0a, 0x84, 0x00, 0x00, 0x0a, 0xc4, 0x00, 0x00, 0x0b, 0x04, 0x00, 0x00, 0x0b, 0x44, 0x00, 0x00, 0x0b, 0x84, + 0x00, 0x00, 0x0b, 0xc4, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x0c, 0x44, 0x00, 0x00, 0x0c, 0x84, 0x00, 0x00, 0x0c, 0xc4, + 0x00, 0x00, 0x0d, 0x04, 0x00, 0x00, 0x0d, 0x44, 0x00, 0x00, 0x0d, 0x84, 0x00, 0x00, 0x0d, 0xc4, 
0x00, 0x00, 0x0e, 0x04, + 0x00, 0x00, 0x0e, 0x44, 0x00, 0x00, 0x0e, 0x84, 0x00, 0x00, 0x0e, 0xc4, 0x00, 0x00, 0x0f, 0x04, 0x00, 0x00, 0x0f, 0x44, + 0x00, 0x00, 0x0f, 0x84, 0x00, 0x00, 0x0f, 0xc4, 0x00, 0x00, 0x10, 0x04, 0x00, 0x00, 0x10, 0x44, 0x00, 0x00, 0x10, 0x84, + 0x00, 0x00, 0x10, 0xc4, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x11, 0x44, 0x00, 0x00, 0x11, 0x84, 0x00, 0x00, 0x11, 0xc4, + 0x00, 0x00, 0x12, 0x04, 0x00, 0x00, 0x12, 0x44, 0x00, 0x00, 0x12, 0x84, 0x00, 0x00, 0x12, 0xc4, 0x00, 0x00, 0x13, 0x04, + 0x00, 0x00, 0x13, 0x44, 0x00, 0x00, 0x13, 0x84, 0x00, 0x00, 0x13, 0xc4, 0x00, 0x00, 0x14, 0x04, 0x00, 0x00, 0x14, 0x44, + 0x00, 0x00, 0x14, 0x84, 0x00, 0x00, 0x14, 0xc4, 0x00, 0x00, 0x15, 0x04, 0x00, 0x00, 0x15, 0x44, 0x00, 0x00, 0x15, 0x84, + 0x00, 0x00, 0x15, 0xc4, 0x00, 0x00, 0x16, 0x04, 0x00, 0x00, 0x16, 0x44, 0x00, 0x00, 0x16, 0x84, 0x00, 0x00, 0x16, 0xc4, + 0x00, 0x00, 0x17, 0x04, 0x00, 0x00, 0x17, 0x44, 0x00, 0x00, 0x17, 0x84, 0x00, 0x00, 0x17, 0xc4, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x73, 0x76, 0x63, 0x65, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 
0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x61, 0x63, 0x63, 0x74, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x73, 0x76, 0x63, 0x65, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x76, 0x6c, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x61, 0x64, 0x64, 0x72, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 
0x02, 0x00, 0x00, 0x00, 0x00, 0x73, 0x73, 0x69, 0x67, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, + 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x09, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x76, 0x6c, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x61, 0x64, 0x64, 0x72, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x73, 0x73, 0x69, 0x67, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x61, 0x63, 0x63, 
0x74, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x73, 0x64, 0x6d, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0e, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x73, 0x72, 0x76, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x70, 0x74, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x61, 0x74, 0x79, 0x70, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x70, 0x6f, 0x72, 0x74, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x70, 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x13, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x08, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x09, 0x73, 0x64, 0x6d, 0x6e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x73, 0x72, 0x76, 0x72, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0b, 0x70, 0x74, 0x63, 0x6c, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 
0x00, 0x17, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0c, + 0x61, 0x74, 0x79, 0x70, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0e, 0x70, 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x01, + 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1d, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x22, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x14, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 
0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x27, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x19, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2b, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 
0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0a, + 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2c, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 
0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 
+ 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x36, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x16, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x07, + 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 
0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3b, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 
0x40, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x45, + 0x00, 0x00, 
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x13, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4a, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x4b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x09, + 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x4f, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, 0x74, 0x79, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x69, 0x73, 0x73, 0x75, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x52, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x73, 0x6e, 0x62, 0x72, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x17, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x63, 0x74, 0x79, 0x70, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 
0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x10, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x61, 0x6c, 0x69, 0x73, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x55, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x03, 0x73, 0x75, 0x62, 0x6a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x56, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x69, 0x73, 0x73, 0x75, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x05, 0x73, 0x6e, 0x62, 0x72, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x17, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x73, 0x6b, 0x69, 0x64, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x59, + 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 
0x00, 0x00, 0x3d, 0x80, 0x00, 0x10, 0x00, + 0x00, 0x00, 0x00, 0x07, 0x68, 0x70, 0x6b, 0x79, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x32, 0x78, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x02, 0xac, + 0x00, 0x00, 0x32, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x02, 0xac, 0x00, 0x00, 0x02, 0xfc, + 0x00, 0x00, 0x03, 0x4c, 0x00, 0x00, 0x03, 0x9c, 0x00, 0x00, 0x03, 0xec, 0x00, 0x00, 0x04, 0x44, 0x00, 0x00, 0x04, 0x98, + 0x00, 0x00, 0x04, 0xec, 0x00, 0x00, 0x05, 0x40, 0x00, 0x00, 0x05, 0x90, 0x00, 0x00, 0x05, 0xdc, 0x00, 0x00, 0x06, 0x2c, + 0x00, 0x00, 0x06, 0x7c, 0x00, 0x00, 0x06, 0xd4, 0x00, 0x00, 0x07, 0x24, 0x00, 0x00, 0x07, 0x74, 0x00, 0x00, 0x07, 0xc0, + 0x00, 0x00, 0x08, 0x10, 0x00, 0x00, 0x08, 0x58, 0x00, 0x00, 0x08, 0xac, 0x00, 0x00, 0x08, 0xec, 0x00, 0x00, 0x09, 0x2c, + 0x00, 0x00, 0x09, 0x6c, 0x00, 0x00, 0x09, 0xac, 0x00, 0x00, 0x09, 0xec, 0x00, 0x00, 0x0a, 0x2c, 0x00, 0x00, 0x0a, 0x6c, + 0x00, 0x00, 0x0a, 0xbc, 0x00, 0x00, 0x0b, 0x08, 0x00, 0x00, 0x0b, 0x48, 0x00, 0x00, 0x0b, 0x88, 0x00, 0x00, 0x0b, 0xc8, + 0x00, 0x00, 0x0c, 0x08, 0x00, 0x00, 0x0c, 0x48, 0x00, 0x00, 0x0c, 0x88, 0x00, 0x00, 0x0c, 0xc8, 0x00, 0x00, 0x0d, 0x08, + 0x00, 0x00, 0x0d, 0x48, 0x00, 0x00, 0x0d, 0x88, 0x00, 0x00, 0x0d, 0xc8, 0x00, 0x00, 0x0e, 0x08, 0x00, 0x00, 0x0e, 0x48, + 0x00, 0x00, 0x0e, 0x88, 0x00, 0x00, 0x0e, 0xd8, 0x00, 0x00, 0x0f, 0x24, 0x00, 0x00, 0x0f, 0x64, 0x00, 0x00, 0x0f, 0xa4, + 0x00, 0x00, 0x0f, 0xe4, 0x00, 0x00, 0x10, 0x24, 0x00, 0x00, 0x10, 0x64, 0x00, 0x00, 0x10, 0xa4, 0x00, 0x00, 0x10, 0xe4, + 0x00, 0x00, 0x11, 0x24, 0x00, 0x00, 0x11, 0x64, 0x00, 0x00, 0x11, 0xa4, 0x00, 0x00, 0x11, 0xe4, 0x00, 0x00, 0x12, 0x24, + 0x00, 0x00, 0x12, 0x64, 0x00, 0x00, 0x12, 0xa4, 0x00, 0x00, 0x12, 0xe4, 0x00, 0x00, 0x13, 0x24, 0x00, 0x00, 0x13, 0x64, + 0x00, 0x00, 0x13, 0xb4, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x14, 0x40, 0x00, 0x00, 0x14, 0x80, 0x00, 0x00, 0x14, 0xc0, + 
0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x15, 0x40, 0x00, 0x00, 0x15, 0x80, 0x00, 0x00, 0x15, 0xc0, 0x00, 0x00, 0x16, 0x00, + 0x00, 0x00, 0x16, 0x40, 0x00, 0x00, 0x16, 0x80, 0x00, 0x00, 0x16, 0xc0, 0x00, 0x00, 0x17, 0x0c, 0x00, 0x00, 0x17, 0x5c, + 0x00, 0x00, 0x17, 0xa8, 0x00, 0x00, 0x17, 0xf8, 0x00, 0x00, 0x18, 0x44, 0x00, 0x00, 0x18, 0x94, 0x00, 0x00, 0x18, 0xe0, + 0x00, 0x00, 0x19, 0x34, 0x00, 0x00, 0x19, 0x84, 0x00, 0x00, 0x19, 0xd0, 0x00, 0x00, 0x1a, 0x24, 0x00, 0x00, 0x1a, 0x78, + 0x00, 0x00, 0x1a, 0xc8, 0x00, 0x00, 0x1b, 0x14, 0x00, 0x00, 0x1b, 0x64, 0x00, 0x00, 0x1b, 0xb8, 0x00, 0x00, 0x1c, 0x08, + 0x00, 0x00, 0x1c, 0x5c, 0x00, 0x00, 0x1c, 0xa8, 0x00, 0x00, 0x1c, 0xf4, 0x00, 0x00, 0x1d, 0x40, 0x00, 0x00, 0x1d, 0x88, + 0x00, 0x00, 0x1d, 0xd4, 0x00, 0x00, 0x1e, 0x24, 0x00, 0x00, 0x1e, 0x78, 0x00, 0x00, 0x1e, 0xc0, 0x00, 0x00, 0x1f, 0x0c, + 0x00, 0x00, 0x1f, 0x58, 0x00, 0x00, 0x1f, 0xa8, 0x00, 0x00, 0x1f, 0xf4, 0x00, 0x00, 0x20, 0x44, 0x00, 0x00, 0x20, 0x90, + 0x00, 0x00, 0x20, 0xe0, 0x00, 0x00, 0x21, 0x2c, 0x00, 0x00, 0x21, 0x80, 0x00, 0x00, 0x21, 0xd0, 0x00, 0x00, 0x22, 0x1c, + 0x00, 0x00, 0x22, 0x70, 0x00, 0x00, 0x22, 0xc4, 0x00, 0x00, 0x23, 0x14, 0x00, 0x00, 0x23, 0x60, 0x00, 0x00, 0x23, 0xb0, + 0x00, 0x00, 0x24, 0x04, 0x00, 0x00, 0x24, 0x54, 0x00, 0x00, 0x24, 0xa8, 0x00, 0x00, 0x24, 0xf4, 0x00, 0x00, 0x25, 0x40, + 0x00, 0x00, 0x25, 0x8c, 0x00, 0x00, 0x25, 0xd4, 0x00, 0x00, 0x26, 0x20, 0x00, 0x00, 0x26, 0x70, 0x00, 0x00, 0x26, 0xc4, + 0x00, 0x00, 0x27, 0x0c, 0x00, 0x00, 0x27, 0x58, 0x00, 0x00, 0x27, 0xa4, 0x00, 0x00, 0x27, 0xf4, 0x00, 0x00, 0x28, 0x40, + 0x00, 0x00, 0x28, 0x90, 0x00, 0x00, 0x28, 0xdc, 0x00, 0x00, 0x29, 0x2c, 0x00, 0x00, 0x29, 0x78, 0x00, 0x00, 0x29, 0xcc, + 0x00, 0x00, 0x2a, 0x1c, 0x00, 0x00, 0x2a, 0x68, 0x00, 0x00, 0x2a, 0xbc, 0x00, 0x00, 0x2b, 0x10, 0x00, 0x00, 0x2b, 0x60, + 0x00, 0x00, 0x2b, 0xac, 0x00, 0x00, 0x2b, 0xfc, 0x00, 0x00, 0x2c, 0x50, 0x00, 0x00, 0x2c, 0xa0, 0x00, 0x00, 0x2c, 0xf4, + 0x00, 0x00, 0x2d, 0x40, 0x00, 0x00, 0x2d, 0x8c, 
0x00, 0x00, 0x2d, 0xd8, 0x00, 0x00, 0x2e, 0x20, 0x00, 0x00, 0x2e, 0x6c, + 0x00, 0x00, 0x2e, 0xbc, 0x00, 0x00, 0x2f, 0x10, 0x00, 0x00, 0x2f, 0x58, 0x00, 0x00, 0x2f, 0xa4, 0x00, 0x00, 0x2f, 0xf0, + 0x00, 0x00, 0x30, 0x40, 0x00, 0x00, 0x30, 0x90, 0x00, 0x00, 0x30, 0xdc, 0x00, 0x00, 0x31, 0x28, 0x00, 0x00, 0x31, 0x74, + 0x00, 0x00, 0x31, 0xc4, 0x00, 0x00, 0x32, 0x1c, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 
0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, + 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x46, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, + 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0f, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x46, 0x6f, 0x72, + 0x6d, 0x61, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x49, 0x44, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x49, 0x44, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x65, 0x64, 0x44, 0x61, 0x74, 0x61, 0x4c, + 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x52, 0x65, 0x6c, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x0e, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x41, 0x74, 0x74, 0x72, + 0x69, 0x62, 0x75, 0x74, 0x65, 0x49, 0x44, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x4d, 0x6f, 0x64, 0x75, + 0x6c, 0x65, 0x49, 0x44, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x41, 0x64, 0x64, 0x69, 0x6e, 0x56, 0x65, 0x72, + 0x73, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x53, 0x53, 0x49, 0x44, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0e, 0x53, 0x75, 0x62, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x63, 0x64, 0x61, 0x74, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, + 0x6d, 0x64, 0x61, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x15, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x00, 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x69, 0x63, 0x6d, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x63, 0x72, 0x74, 0x72, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 
0x00, 0x00, 0x74, 0x79, 0x70, 0x65, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, + 0x73, 0x63, 0x72, 0x70, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x1a, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, + 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x1b, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, + 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, + 0x69, 0x6e, 0x76, 0x69, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1d, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 
0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x00, 0x6e, 0x65, 0x67, 0x61, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x63, 0x75, 0x73, 0x69, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x70, 0x72, 0x6f, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x61, 0x63, 0x63, 0x74, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x00, + 0x73, 0x76, 0x63, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x22, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x00, 0x67, 0x65, 0x6e, 0x61, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x63, 0x64, 0x61, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x6d, 0x64, 0x61, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x64, 0x65, 0x73, 0x63, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x69, 0x63, 0x6d, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x27, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x63, 0x72, 0x74, 0x72, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x74, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x73, 0x63, 0x72, 0x70, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x2b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x69, 0x6e, 0x76, 0x69, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x6e, 0x65, 0x67, 0x61, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x63, 0x75, 0x73, 0x69, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x2f, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x70, 0x72, 0x6f, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 
0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x76, 0x6c, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x73, 0x72, 0x76, 0x72, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, + 0x70, 0x74, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x34, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x02, 0x61, 0x64, 0x64, 0x72, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x02, 0x73, 0x73, 0x69, 0x67, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x63, 0x64, 0x61, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x6d, 0x64, 0x61, 0x74, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x64, 0x65, 0x73, 0x63, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x69, 0x63, 0x6d, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x63, 0x72, 0x74, 0x72, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x3d, 0x80, 0x00, 0x00, 0x01, 0x74, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x73, 0x63, 0x72, 0x70, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, 0x74, 0x4e, 0x61, 0x6d, + 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x3e, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x69, 0x6e, 0x76, 0x69, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x6e, 0x65, 0x67, 0x61, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x41, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x63, 0x75, 0x73, 0x69, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x70, 0x72, 0x6f, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x73, 0x64, 0x6d, 0x6e, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 
0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, + 0x73, 0x72, 0x76, 0x72, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x46, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, + 0x80, 0x00, 0x00, 0x01, 0x70, 0x74, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, + 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x61, 0x74, 0x79, 0x70, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x70, 0x6f, 0x72, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x80, 0x00, 0x00, 0x01, 0x70, 0x61, 0x74, 0x68, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x4a, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x4b, 0x65, 0x79, 0x43, 0x6c, 0x61, 0x73, 0x73, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x4b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x09, 0x50, 0x65, 0x72, 0x6d, 0x61, 0x6e, 0x65, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 
0x00, 0x02, + 0x00, 0x00, 0x00, 0x07, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x4f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0a, + 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, + 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x51, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0e, 0x41, 0x70, 0x70, 0x6c, + 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x61, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x52, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0a, + 0x4b, 0x65, 0x79, 0x43, 0x72, 
0x65, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, + 0x4b, 0x65, 0x79, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x4b, 0x65, 0x79, 0x53, + 0x69, 0x7a, 0x65, 0x49, 0x6e, 0x42, 0x69, 0x74, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x55, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, + 0x45, 0x66, 0x66, 0x65, 0x63, 0x74, 0x69, 0x76, 0x65, 0x4b, 0x65, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x56, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x09, 0x53, 0x74, 0x61, 0x72, 0x74, 0x44, 0x61, 0x74, 0x65, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x64, 0x44, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, + 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0f, + 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x5a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0b, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, + 
0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x5b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x10, 0x4e, 0x65, 0x76, 0x65, 0x72, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x61, 0x62, 0x6c, 0x65, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x12, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x5d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x07, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x5e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x44, 0x65, 0x72, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x5f, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, + 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x53, 0x69, 0x67, 0x6e, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x16, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0b, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x62, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0d, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x63, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 
0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x19, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x57, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, + 0x55, 0x6e, 0x77, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x65, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x4b, 0x65, 0x79, 0x43, + 0x6c, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, 0x74, 0x4e, 0x61, 0x6d, + 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x67, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 
0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, 0x73, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x65, 0x72, 0x6d, 0x61, 0x6e, 0x65, 0x6e, 0x74, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x69, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0a, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x05, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0e, + 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x61, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0a, 0x4b, 0x65, 0x79, 0x43, 0x72, 0x65, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x07, 0x4b, 0x65, 0x79, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, + 0x00, 0x00, 0x00, 0x6f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0d, + 0x4b, 0x65, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x49, 0x6e, 0x42, 0x69, 0x74, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x10, 0x45, 0x66, 0x66, 0x65, 0x63, 0x74, 0x69, 0x76, 0x65, 0x4b, 0x65, 0x79, 0x53, 0x69, 0x7a, 0x65, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x53, 0x74, 0x61, 0x72, 0x74, 0x44, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x64, 0x44, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x09, 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 
0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0f, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x76, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, 0x4e, 0x65, 0x76, 0x65, 0x72, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, + 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x77, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x13, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x44, 0x65, 0x72, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, + 0x00, 0x00, 0x00, 0x7a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, + 0x53, 0x69, 0x67, 0x6e, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 
0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x17, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x7d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, 0x63, 0x6f, 0x76, 0x65, + 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x7e, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x57, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x06, 0x55, 0x6e, 0x77, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, + 0x4b, 0x65, 0x79, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x81, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x72, 0x69, 0x6e, + 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x82, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x41, 0x6c, 0x69, 0x61, + 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x83, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x50, 0x65, 0x72, 0x6d, 0x61, 0x6e, 0x65, 0x6e, + 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x84, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x50, 0x72, 0x69, 0x76, 0x61, 
0x74, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x85, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x86, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x87, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0e, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x61, 0x67, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x4b, 0x65, 0x79, 0x43, 0x72, 0x65, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 
0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x89, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x09, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x4b, 0x65, 0x79, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x8a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0d, 0x4b, 0x65, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x49, 0x6e, 0x42, 0x69, 0x74, 0x73, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x8b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0b, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, 0x45, 0x66, 0x66, 0x65, 0x63, 0x74, 0x69, 0x76, 0x65, 0x4b, 0x65, 0x79, + 0x53, 0x69, 0x7a, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x53, 0x74, 0x61, 0x72, 0x74, 0x44, 0x61, 0x74, + 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 
0x00, 0x00, 0x00, 0x8d, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x64, 0x44, 0x61, 0x74, 0x65, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x8e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0e, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x8f, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0f, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x53, 0x65, 0x6e, 0x73, 0x69, 0x74, + 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x45, 0x78, 0x74, 0x72, 0x61, 0x63, 0x74, 0x61, + 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x91, 0x00, 0x00, 0x00, 0x01, 
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, 0x4e, 0x65, 0x76, 0x65, 0x72, 0x45, 0x78, 0x74, + 0x72, 0x61, 0x63, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x92, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x45, 0x6e, 0x63, 0x72, + 0x79, 0x70, 0x74, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x93, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x44, 0x65, 0x72, 0x69, 0x76, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x95, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x04, 0x53, 0x69, 0x67, 0x6e, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x96, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x56, 0x65, 0x72, 0x69, + 0x66, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x97, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x63, 0x6f, + 0x76, 0x65, 0x72, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x98, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, + 0x63, 0x6f, 0x76, 0x65, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x99, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x45, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x57, 0x72, 0x61, 0x70, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x9a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x1a, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x55, 0x6e, 0x77, 0x72, 0x61, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x9b, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x80, 0x00, 0x10, 0x00, 0x63, 0x74, 0x79, 0x70, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x08, 0x43, 0x65, 0x72, 0x74, 0x54, 0x79, 0x70, 0x65, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x9c, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x4d, 0x80, 0x00, 0x10, 0x00, 0x63, 0x65, 0x6e, 0x63, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0c, + 0x43, 0x65, 0x72, 0x74, 0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x9d, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x4d, 0x80, 0x00, 0x10, 0x00, 0x6c, 0x61, 0x62, 0x6c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, + 0x50, 0x72, 
0x69, 0x6e, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, + 0x00, 0x00, 0x00, 0x9e, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x49, 0x80, 0x00, 0x10, 0x00, 0x61, 0x6c, 0x69, 0x73, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, + 0x41, 0x6c, 0x69, 0x61, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x9f, + 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, + 0x80, 0x00, 0x10, 0x00, 0x73, 0x75, 0x62, 0x6a, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x53, 0x75, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x17, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, + 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x80, 0x00, 0x10, 0x00, + 0x69, 0x73, 0x73, 0x75, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x49, 0x73, 0x73, 0x75, 0x65, 0x72, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0xa1, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x80, 0x00, 0x10, 0x00, 0x73, 0x6e, 0x62, 0x72, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0c, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 
0x00, 0xa2, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, + 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x80, 0x00, 0x10, 0x00, 0x73, 0x6b, 0x69, 0x64, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x14, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4b, 0x65, 0x79, 0x49, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0xa3, + 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, + 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, + 0x80, 0x00, 0x10, 0x00, 0x68, 0x70, 0x6b, 0x79, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x48, 0x61, 0x73, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, + 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x1d, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0xd0, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x24, + 0x00, 0x00, 0x06, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x03, 0x20, + 0x00, 0x00, 0x02, 0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0xb2, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x39, 0x00, 0x00, 0x02, 0x3d, 0x00, 0x00, 0x02, 0x4d, 0x00, 0x00, 0x02, 0x51, + 0x00, 0x00, 0x02, 0x55, 0x00, 0x00, 0x02, 0x59, 0x00, 0x00, 0x02, 0x5d, 0x00, 0x00, 0x02, 0x75, 0x00, 0x00, 0x02, 0x79, + 0x00, 0x00, 0x02, 0xa5, 0x00, 0x00, 0x02, 0xa9, 0x00, 0x00, 0x02, 0xad, 0x00, 0x00, 0x02, 0xb1, 0x00, 0x00, 
0x02, 0xbd, + 0x00, 0x00, 0x02, 0xc9, 0x00, 0x00, 0x02, 0xcd, 0x00, 0x00, 0x02, 0xd1, 0x00, 0x00, 0x02, 0xd5, 0x00, 0x00, 0x02, 0xd9, + 0x00, 0x00, 0x02, 0xdd, 0x00, 0x00, 0x02, 0xe1, 0x00, 0x00, 0x02, 0xe5, 0x00, 0x00, 0x02, 0xe9, 0x00, 0x00, 0x02, 0xed, + 0x00, 0x00, 0x02, 0xf1, 0x00, 0x00, 0x02, 0xf5, 0x00, 0x00, 0x02, 0xf9, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x01, 0x00, + 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x01, 0xb2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x21, + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, 0x74, 0x20, 0x70, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x7f, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x30, 0x82, 0x01, 0x0a, + 0x02, 0x82, 0x01, 0x01, 0x00, 0xb3, 0xaa, 0xa8, 0x77, 0xe7, 0x3e, 0x2d, 0x0c, 0xf4, 0x83, 0x55, 0xc2, 0x9e, 0x50, 0x10, + 0xc9, 0xef, 0xc8, 0x48, 0x38, 0xe4, 0x43, 0x96, 0xfa, 0x93, 0x32, 0xbf, 0x66, 0xad, 0x84, 0xa2, 0x8b, 0x6b, 0x07, 0x8c, + 0xc6, 0x93, 0x8c, 0x4d, 0x65, 0x0f, 0xad, 0x76, 0x73, 0x0c, 0x4d, 0x43, 0xee, 0x35, 0xd4, 0x68, 0x4a, 0x9a, 0x6d, 0x4d, + 0xa5, 0xae, 0x66, 0xcf, 0xfb, 0xbb, 0x93, 0xd3, 0x6a, 0xe3, 0xfc, 0x41, 0x97, 0xae, 0x90, 0xc3, 0xd8, 0x83, 0xfb, 0x8d, + 0x67, 0x84, 0xc1, 0xd5, 0x7d, 0x1d, 0x12, 0xca, 0x0c, 0xb5, 0xae, 0xf0, 0xe3, 0x36, 0x39, 0xf1, 0x68, 0x92, 0x6f, 0xda, + 0x2d, 0x48, 0x87, 0xf0, 0x4b, 
0x15, 0x4e, 0x4f, 0x7a, 0x3a, 0x16, 0xb9, 0x02, 0x89, 0x95, 0x98, 0xab, 0xb2, 0x58, 0x5b, + 0x31, 0x7f, 0x49, 0x90, 0x48, 0xfd, 0x8d, 0x8a, 0x37, 0x3a, 0x4e, 0xd8, 0x00, 0x4a, 0xdc, 0xd4, 0x02, 0x9f, 0xcd, 0x4b, + 0xde, 0x75, 0x4a, 0xb2, 0x27, 0x8e, 0xe6, 0x2d, 0xea, 0x35, 0x89, 0x85, 0x8a, 0x37, 0x59, 0xd6, 0xd1, 0xf8, 0x36, 0x7c, + 0x93, 0x9e, 0xd6, 0xd1, 0xc3, 0xd9, 0x75, 0xa4, 0x4f, 0x40, 0x24, 0xe9, 0xc0, 0xde, 0xeb, 0xc0, 0x5e, 0xd6, 0x04, 0xe1, + 0xd0, 0x07, 0x29, 0xc1, 0x9d, 0x6f, 0x78, 0x2d, 0x5a, 0xef, 0xe6, 0xff, 0x25, 0x16, 0xcf, 0x60, 0x77, 0xa2, 0x10, 0x2b, + 0xa4, 0x2a, 0xff, 0x74, 0x3b, 0xe6, 0x4d, 0xc1, 0x13, 0xba, 0x8b, 0xe8, 0x15, 0x8e, 0xc7, 0xc3, 0xd4, 0x31, 0xb0, 0x99, + 0x51, 0x32, 0x30, 0x03, 0x0b, 0x1c, 0xa0, 0x0a, 0x17, 0x15, 0x34, 0x57, 0x38, 0xd3, 0x08, 0x13, 0xc4, 0xd6, 0x7c, 0x24, + 0x16, 0xd0, 0x2f, 0x00, 0x88, 0xd7, 0xd9, 0xca, 0x1e, 0x6b, 0x50, 0x3b, 0x5f, 0xb6, 0x08, 0xb1, 0x29, 0x42, 0x70, 0xf1, + 0x89, 0x02, 0x03, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0a, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xc9, 0x58, 0x3f, 0x54, 0xf7, 0x9c, 0x21, 0xee, 0x29, 0x26, 0x07, 0x8d, + 0x1b, 0xb4, 0x93, 0xc4, 0x3e, 0xfd, 0x6a, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, + 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, + 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, + 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x01, 0xb2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x39, 0x00, 0x00, 0x02, 0x3d, 0x00, 0x00, 0x02, 0x51, + 0x00, 0x00, 0x02, 0x55, 0x00, 0x00, 0x02, 0x59, 0x00, 0x00, 0x02, 0x5d, 0x00, 0x00, 0x02, 0x61, 0x00, 0x00, 0x02, 0x79, + 0x00, 0x00, 0x02, 0x7d, 0x00, 0x00, 0x02, 0xa9, 0x00, 0x00, 0x02, 0xad, 0x00, 0x00, 0x02, 0xb1, 0x00, 0x00, 0x02, 0xb5, + 0x00, 0x00, 0x02, 0xc1, 0x00, 0x00, 0x02, 0xcd, 0x00, 0x00, 0x02, 0xd1, 0x00, 0x00, 0x02, 0xd5, 0x00, 0x00, 0x02, 0xd9, + 0x00, 0x00, 0x02, 0xdd, 0x00, 0x00, 0x02, 0xe1, 0x00, 0x00, 0x02, 0xe5, 0x00, 0x00, 0x02, 0xe9, 0x00, 0x00, 0x02, 0xed, + 0x00, 0x00, 0x02, 0xf1, 0x00, 0x00, 0x02, 0xf5, 0x00, 0x00, 0x02, 0xf9, 0x00, 0x00, 0x02, 0xfd, 0xfa, 0xde, 0x07, 0x11, + 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x01, 0xb2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, + 0x00, 0x00, 0x00, 0x21, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x74, 0x65, 0x78, + 0x74, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x48, 0x39, 0x92, 0x01, 0x00, 0x00, 0x00, + 
0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb6, 0x07, 0xac, 0x5c, 0xc6, 0xcb, 0xf0, 0xb7, 0x97, 0x0d, 0x43, + 0x1a, 0xe9, 0x61, 0xe7, 0x34, 0x63, 0x6a, 0x26, 0x0d, 0x77, 0xba, 0x25, 0xaa, 0xc8, 0x46, 0xf8, 0xc9, 0xdd, 0x21, 0xb4, + 0x3e, 0x2e, 0x11, 0x8e, 0xb6, 0x72, 0xf2, 0x01, 0x16, 0x07, 0xcf, 0x88, 0x91, 0xc4, 0xc0, 0x48, 0x64, 0x41, 0x91, 0xf7, + 0x63, 0x72, 0xd5, 0x37, 0xef, 0x37, 0x62, 0xed, 0x33, 0xb3, 0xf9, 0x6e, 0x31, 0xd1, 0x68, 0xe7, 0xde, 0x62, 0x9f, 0x82, + 0xb8, 0x9e, 0x11, 0xe7, 0x66, 0x91, 0xc1, 0xbe, 0xe5, 0x5c, 0xd6, 0x71, 0x83, 0x91, 0xbc, 0x0f, 0xa8, 0x06, 0xc3, 0xe9, + 0xb6, 0x76, 0x16, 0xae, 0x69, 0x0a, 0x47, 0xe4, 0x65, 0xaa, 0x13, 0x71, 0x48, 0xb3, 0x5c, 0x25, 0xa5, 0x1a, 0xd0, 0x2a, + 0x57, 0x57, 0xf9, 0xb7, 0x13, 0xbd, 0xf4, 0x13, 0x5a, 0x11, 0x1b, 0xcc, 0xd8, 0x9a, 0x5f, 0x82, 0x3f, 0xa7, 0x6b, 0x64, + 0x47, 0x54, 0xb6, 0x81, 0xaf, 0xcb, 0x4b, 0x94, 0x39, 0x65, 0x15, 0xba, 0x6a, 0x02, 0x7c, 0x71, 0x30, 0x60, 0x21, 0x12, + 0x63, 0x28, 0xe0, 0x85, 0xca, 0xcc, 0x07, 0xb1, 0x13, 0x40, 0x19, 0x72, 0x02, 0x35, 0x0e, 0x2d, 0x4b, 0x8a, 0xcd, 0x1d, + 0x09, 0x65, 0xb0, 0x81, 0x49, 0xea, 0x70, 0x15, 0x92, 0x19, 0x7b, 0xfe, 0x15, 0xf7, 0x4a, 0x3f, 0x1e, 0x3c, 0x63, 0x7a, + 0x0f, 0x17, 0x32, 0x1a, 0xb7, 0x26, 0xa1, 0xa0, 0x9b, 0x3f, 0x4e, 0x7c, 0x38, 0xe6, 0x27, 0xbf, 0xa8, 0x1b, 0xf7, 0xbd, + 0x2d, 0xfd, 0x9b, 0x05, 0x0c, 0xaa, 0x81, 0xb8, 0x09, 0xd4, 0xe2, 0xe3, 0xbd, 0x6c, 0x70, 0xc0, 0x7e, 0x95, 0xd4, 0x0b, + 0x13, 0xab, 0xb8, 0xdd, 0x3d, 0x4c, 0x59, 0xf0, 0xc7, 0x8e, 0x47, 0xb5, 0xd8, 0x31, 0x78, 0x80, 0xd2, 0x5f, 0x0c, 0x0b, + 0xae, 0x22, 0xe7, 0x9e, 0xd3, 0x02, 0x03, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x10, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xc7, 0xc5, 0x36, 0xbc, + 0xce, 0x8e, 0x86, 0xa8, 0x02, 0x33, 0x38, 0xb5, 
0x23, 0xb6, 0xef, 0x97, 0x20, 0x1e, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, + 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, + 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xb0, 0x00, 0x00, 0x00, 0x0b, + 0x00, 0x00, 0x06, 0x54, 0x00, 0x00, 0x07, 0x78, 0x00, 0x00, 0x07, 0xd8, 0x00, 0x00, 0x08, 0x10, 0x00, 0x00, 0x08, 0x48, + 0x00, 0x00, 0x08, 0x80, 0x00, 0x00, 0x08, 0xb8, 0x00, 0x00, 0x08, 0xf0, 0x00, 0x00, 0x09, 0x28, 0x00, 0x00, 0x09, 0x60, + 0x00, 0x00, 0x09, 0x98, 0x00, 0x00, 0x01, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0a, + 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x06, 0x98, + 0x00, 0x00, 0x07, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, + 0xc7, 0xc5, 0x36, 0xbc, 0xce, 0x8e, 0x86, 0xa8, 0x02, 0x33, 0x38, 0xb5, 0x23, 0xb6, 0xef, 0x97, 0x20, 0x1e, 0x00, 0x7c, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, + 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 
0x35, 0x30, 0x32, 0x62, + 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, 0xc9, 0x58, 0x3f, 0x54, 0xf7, 0x9c, 0x21, 0xee, + 0x29, 0x26, 0x07, 0x8d, 0x1b, 0xb4, 0x93, 0xc4, 0x3e, 0xfd, 0x6a, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, + 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, + 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x07, 0xa0, 0x00, 0x00, 0x07, 0xbc, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x14, 0xc7, 0xc5, 0x36, 0xbc, 0xce, 0x8e, 0x86, 0xa8, 0x02, 0x33, 0x38, 0xb5, 0x23, 0xb6, 0xef, 0x97, + 0x20, 0x1e, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, 0xc9, 0x58, 0x3f, 0x54, 0xf7, 0x9c, 0x21, 0xee, + 0x29, 0x26, 0x07, 0x8d, 0x1b, 0xb4, 0x93, 0xc4, 0x3e, 0xfd, 0x6a, 0x65, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x08, 0x00, + 0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 
0x01, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x08, 0x38, 0x00, 0x00, 0x08, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x08, 0x70, 0x00, 0x00, 0x08, 0x78, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x15, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x08, 0xa8, 0x00, 0x00, 0x08, 0xb0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x08, 0xe0, 0x00, 0x00, 0x08, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x07, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x09, 0x18, + 0x00, 0x00, 0x09, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x09, 0x50, 0x00, 0x00, 0x09, 0x58, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x09, 0x88, 0x00, 0x00, 0x09, 0x90, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1a, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x09, 0xc0, 0x00, 0x00, 0x09, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x14, 0xa8, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x10, 0xf8, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x06, 0xe8, 0x00, 0x00, 0x06, 0xc4, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x05, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x01, + 0x00, 0x00, 0x06, 0x05, 0x00, 0x00, 0x06, 0x15, 0x00, 0x00, 0x06, 0x19, 0x00, 0x00, 0x06, 0x1d, 0x00, 0x00, 0x06, 0x21, + 0x00, 0x00, 0x06, 0x25, 0x00, 0x00, 0x06, 0x3d, 0x00, 0x00, 0x06, 0x41, 0x00, 0x00, 0x06, 0x6d, 0x00, 0x00, 0x06, 0x71, + 0x00, 0x00, 0x06, 0x75, 0x00, 0x00, 0x06, 0x79, 0x00, 0x00, 0x06, 0x85, 0x00, 0x00, 0x06, 0x91, 0x00, 0x00, 0x06, 0x95, + 0x00, 0x00, 0x06, 0x99, 0x00, 0x00, 0x06, 0x9d, 0x00, 0x00, 0x06, 0xa1, 0x00, 0x00, 0x06, 0xa5, 0x00, 0x00, 0x06, 0xa9, + 0x00, 0x00, 0x06, 0xad, 0x00, 0x00, 0x06, 0xb1, 0x00, 0x00, 0x06, 0xb5, 0x00, 0x00, 0x06, 0xb9, 0x00, 0x00, 0x06, 0xbd, + 0x00, 0x00, 0x06, 0xc1, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x05, 0x7c, + 0xce, 0x5e, 0x64, 0x56, 0xc9, 0x2c, 0x8c, 0xbb, 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, + 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x2a, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x39, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, + 0x39, 0xf9, 0x47, 0x1e, 0xec, 0x0d, 0xb8, 0x07, 0x55, 0xbc, 0xbf, 0x6e, 0xd7, 0xa7, 0xc4, 0x53, 0x73, 0x06, 0xa9, 0x05, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x7f, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x22, 0xc0, 0x79, 0x0d, 0x4e, 0xd3, 0x15, 0x14, 0x9a, 0x46, 0xeb, 0x6d, + 0x81, 0xe0, 0xa8, 0x43, 0x02, 0x74, 0x53, 0x4b, 0x3a, 0x23, 0xf7, 0x6d, 0x16, 0x6f, 0x5d, 0x5a, 0xa9, 0x97, 0x54, 0x37, + 0xd0, 0x44, 0xd1, 0x9c, 0x15, 0x33, 0x05, 0xdb, 0x6b, 0xcb, 0x5c, 0xcd, 0x23, 0xc9, 0x65, 0x07, 0x79, 0x1b, 0x60, 0x2d, + 0xd6, 0x17, 0x2b, 0x45, 0x20, 0x8f, 0xb6, 0x31, 0x91, 0xc0, 0x59, 0x53, 0x87, 0xa0, 0x3c, 0xd1, 0x77, 0x97, 0x91, 0xd8, + 0x9c, 0xfc, 0x51, 0x4f, 0xfd, 0x21, 0x6a, 0x71, 0x12, 0x5a, 0x6e, 0x10, 0xd1, 0x5c, 0xe9, 0x7e, 0x24, 0xb8, 0xf3, 0x5d, + 0xab, 0x51, 0x2f, 0x67, 0xa7, 0x65, 0x5c, 0x27, 0xb8, 0xe2, 0x06, 0x98, 0xd2, 0x57, 0xb8, 0xc7, 0x4e, 0xea, 0x28, 0x23, + 0x6e, 0x90, 0x25, 0x2e, 0xb6, 0xf3, 0x5c, 0x18, 0xe8, 0x94, 0xa5, 0x7c, 0x55, 0xbf, 0x22, 0x94, 0xfc, 0x0e, 0xe7, 0x15, + 0xde, 0xe3, 0x72, 0x80, 0xe7, 0xf1, 0xfd, 0xd4, 0x0e, 0x2a, 0xda, 0x53, 0x56, 0xcb, 0xdb, 0xe3, 0x71, 0xc7, 0xc5, 0xd7, + 0x35, 0x95, 0x39, 0xf8, 0xee, 0x16, 0x22, 0x3c, 0x19, 0x3e, 0xd4, 0x03, 0x49, 0xe7, 0xf6, 0xb9, 0x50, 0x9f, 0x18, 0xee, + 0xdf, 0x7b, 0x79, 0xc4, 0x3f, 0xd4, 0x41, 0x45, 0xf2, 0xea, 0xdd, 0x5f, 0xda, 0x17, 0xd3, 0xb0, 0x50, 0xfc, 0x2c, 0xe9, + 0x6a, 0xb6, 0x35, 0xf3, 0xd7, 0xfd, 0xe6, 0x62, 0x51, 0x16, 0x5c, 0x8d, 0x26, 0xc3, 0x18, 0x9c, 0xf0, 0xb9, 0xe5, 0xa9, + 0x46, 0xd9, 0xe3, 0x80, 0x6c, 0xe3, 
0x66, 0x70, 0xed, 0x4e, 0xfd, 0xf9, 0x8b, 0xdb, 0x06, 0x56, 0x3f, 0x2d, 0xfe, 0x74, + 0xee, 0x66, 0x75, 0x2a, 0xad, 0x1e, 0x41, 0x6c, 0x1b, 0x6a, 0xe4, 0x90, 0x76, 0x48, 0x27, 0x73, 0x4b, 0x13, 0xda, 0x72, + 0xa6, 0x7f, 0xc2, 0x7c, 0xb5, 0xca, 0x4c, 0x15, 0x64, 0x27, 0x9e, 0xc4, 0x9e, 0x3a, 0xb4, 0x13, 0x9d, 0xb8, 0x02, 0x3f, + 0x92, 0x6c, 0xe5, 0x73, 0x3e, 0x61, 0xbb, 0x01, 0xec, 0x81, 0x9b, 0x64, 0x59, 0x11, 0x4e, 0x42, 0x8b, 0x31, 0x97, 0x16, + 0x18, 0x53, 0x98, 0x82, 0x6e, 0xa5, 0x44, 0x7f, 0xcf, 0x05, 0x9c, 0x2c, 0x9d, 0x8f, 0xe3, 0x45, 0x57, 0xb2, 0xb5, 0x7a, + 0x71, 0x62, 0x25, 0x41, 0x8b, 0xed, 0xe9, 0x08, 0x46, 0x44, 0xda, 0xe3, 0xa3, 0xdf, 0x4b, 0x66, 0x77, 0x19, 0xc2, 0x4f, + 0xbb, 0xa7, 0xde, 0x4b, 0xa0, 0xbd, 0x95, 0x0f, 0xe1, 0x10, 0x49, 0x13, 0xa3, 0xec, 0x80, 0x27, 0xbb, 0x8b, 0xc8, 0xed, + 0x7a, 0x3a, 0x70, 0x5d, 0xea, 0x93, 0x6c, 0x0c, 0xc7, 0x2f, 0x41, 0x15, 0x64, 0x3d, 0x3a, 0x65, 0x02, 0x72, 0x78, 0xc9, + 0x35, 0x61, 0xe8, 0xd9, 0x63, 0x3f, 0x45, 0x7f, 0x04, 0xaf, 0x0b, 0x37, 0x7a, 0x66, 0x4e, 0x49, 0x3d, 0x6c, 0x3d, 0x2a, + 0xda, 0x0b, 0x81, 0x6d, 0x9f, 0x51, 0xea, 0xf6, 0x23, 0x6d, 0x7f, 0xcb, 0x75, 0x02, 0x49, 0x5e, 0x69, 0x57, 0x5b, 0x14, + 0xcb, 0xc2, 0xc8, 0xd4, 0xe4, 0x68, 0xab, 0xec, 0x51, 0x19, 0x80, 0xe4, 0xc1, 0xc7, 0x9b, 0x99, 0x15, 0xe1, 0x25, 0xf9, + 0x58, 0x18, 0x45, 0x0c, 0xde, 0xa7, 0x14, 0xe6, 0x96, 0xd5, 0xb8, 0x36, 0x83, 0x35, 0xfe, 0x77, 0x51, 0x4a, 0x57, 0x2e, + 0xaa, 0x26, 0x13, 0x23, 0x5d, 0x7d, 0xcf, 0x93, 0xce, 0x4a, 0x9a, 0xff, 0x03, 0x48, 0xf7, 0x10, 0x09, 0xe2, 0x01, 0xbb, + 0x17, 0xb6, 0x9d, 0xc7, 0x27, 0xe2, 0xd1, 0x26, 0xf1, 0x7c, 0xd0, 0x53, 0xf6, 0x53, 0x76, 0xfd, 0x39, 0x58, 0xd2, 0xc8, + 0xa8, 0x90, 0xa9, 0x75, 0x16, 0xaf, 0xe2, 0x91, 0x40, 0x53, 0x2e, 0x08, 0xdd, 0xb9, 0xfb, 0x17, 0x51, 0x51, 0x1b, 0xb9, + 0x12, 0xf0, 0x31, 0xd8, 0x48, 0x8f, 0x7d, 0x08, 0x9d, 0x1d, 0x2a, 0xb5, 0xcd, 0x46, 0x23, 0x2c, 0xf3, 0xb5, 0x11, 0x91, + 0x7f, 0x3c, 0x7a, 0x5e, 0x75, 0x90, 0x0e, 0xc0, 0xc0, 0x4f, 0x5e, 0xcb, 0xbc, 0x33, 
0x09, 0x88, 0x4e, 0x68, 0xac, 0xba, + 0x46, 0x31, 0x41, 0x98, 0xf5, 0x75, 0x87, 0xf6, 0x0c, 0x0c, 0xaa, 0x84, 0x75, 0xe4, 0xfa, 0xa3, 0x1e, 0xe1, 0xe2, 0x88, + 0x09, 0xf0, 0x57, 0x8b, 0xdc, 0x47, 0x7b, 0xff, 0x39, 0xac, 0x51, 0x8b, 0x00, 0x08, 0xc0, 0x9f, 0xd4, 0xa4, 0xbe, 0xe5, + 0x41, 0x8b, 0xc5, 0x66, 0xdb, 0xed, 0x08, 0x0b, 0xdf, 0xa4, 0x2b, 0x5a, 0x59, 0xde, 0x0e, 0x9c, 0x8b, 0x7f, 0xd1, 0x80, + 0x4d, 0xf9, 0x22, 0x60, 0x2c, 0xd4, 0xf9, 0x1c, 0xd7, 0xf5, 0xbd, 0x64, 0x7f, 0x4f, 0xeb, 0xf8, 0xa5, 0xb2, 0x34, 0x3d, + 0xfa, 0x07, 0xef, 0x44, 0x3c, 0x00, 0x2c, 0xec, 0x36, 0x36, 0xdd, 0xd5, 0x5c, 0xbd, 0x6b, 0x27, 0xba, 0x13, 0x91, 0x90, + 0x58, 0xe7, 0x75, 0x89, 0x00, 0x6b, 0x5a, 0x0c, 0x35, 0x9c, 0xe3, 0x8a, 0xd8, 0x46, 0xd2, 0x15, 0x14, 0x8b, 0x8b, 0xff, + 0x6a, 0x35, 0xf9, 0xd7, 0x65, 0x67, 0x56, 0x6d, 0xd5, 0x2d, 0x9c, 0xd6, 0xb1, 0xe2, 0x9a, 0xb0, 0xfa, 0x0e, 0xa2, 0xd5, + 0x5d, 0x30, 0x15, 0x8e, 0x48, 0x59, 0xd0, 0x13, 0xa7, 0x2b, 0x40, 0x97, 0x8c, 0xe4, 0x02, 0x38, 0x28, 0x54, 0x53, 0x6c, + 0x1c, 0xc7, 0x38, 0x06, 0xe9, 0xfc, 0x2d, 0xd5, 0x59, 0x74, 0x77, 0x62, 0x14, 0xf2, 0xa7, 0x7e, 0xfe, 0x59, 0xbf, 0xdf, + 0x8b, 0x6e, 0xd7, 0x66, 0xd1, 0x6a, 0xb9, 0xe6, 0x35, 0x98, 0xc6, 0x76, 0x44, 0x38, 0xb4, 0xe8, 0x3c, 0xf5, 0x3c, 0x27, + 0xb9, 0xa1, 0x21, 0x7d, 0x17, 0xf9, 0xb3, 0x1e, 0x30, 0xe7, 0xab, 0xd5, 0x2d, 0x8c, 0x02, 0xc3, 0xa4, 0x3c, 0xf4, 0x09, + 0x9f, 0x17, 0xc1, 0xce, 0xc9, 0xf5, 0xdf, 0xdb, 0x8b, 0xf5, 0x05, 0x14, 0x6d, 0x74, 0xdf, 0xa9, 0x0b, 0x87, 0x98, 0x17, + 0xf3, 0x68, 0x8d, 0xb3, 0xbc, 0x86, 0x3a, 0x47, 0x1d, 0x29, 0x80, 0x40, 0xba, 0xb0, 0x3d, 0x65, 0x0d, 0xd7, 0x95, 0x4a, + 0x79, 0x0d, 0x34, 0x20, 0x72, 0x25, 0xaa, 0x71, 0x43, 0x5c, 0x52, 0x0b, 0x69, 0xde, 0xf7, 0xc5, 0xfd, 0xdb, 0x41, 0x05, + 0xb1, 0xde, 0x94, 0xdb, 0xc4, 0xe4, 0x85, 0xf2, 0x6c, 0xc5, 0xd1, 0x04, 0xcd, 0xd7, 0x84, 0x0b, 0xd8, 0xa8, 0x2c, 0x68, + 0xfd, 0xe7, 0x30, 0xaf, 0x6e, 0xae, 0x02, 0x3f, 0xea, 0x13, 0x68, 0xb0, 0xd1, 0xef, 0x6d, 0x78, 0xf8, 0x77, 0x3e, 0xe8, + 0x03, 
0x05, 0x6e, 0x00, 0x59, 0xf1, 0xde, 0x57, 0xbe, 0xfa, 0x6b, 0xde, 0x47, 0x86, 0x21, 0xa0, 0x8e, 0xcc, 0x0b, 0x15, + 0x7e, 0x7d, 0xd2, 0x59, 0x37, 0x7f, 0x74, 0xc5, 0x79, 0x8e, 0xf0, 0x37, 0x9b, 0xb3, 0x0e, 0x7f, 0x14, 0x91, 0x0e, 0xe5, + 0xe8, 0xdf, 0xf7, 0xdf, 0x6b, 0x59, 0x79, 0x37, 0x90, 0x99, 0xc8, 0xff, 0xb2, 0xe9, 0xe4, 0x35, 0x8c, 0x20, 0xde, 0x8c, + 0x6c, 0xb8, 0x87, 0x16, 0xdd, 0xc4, 0x4b, 0x5e, 0x93, 0x38, 0x06, 0x0f, 0x4a, 0xb0, 0xba, 0xe1, 0xc5, 0xb1, 0x5d, 0x5f, + 0x3a, 0x2e, 0x84, 0x56, 0x72, 0x13, 0xb2, 0xb4, 0xdf, 0xc0, 0x36, 0xe6, 0xf2, 0xee, 0x77, 0x93, 0xc1, 0xc7, 0xc5, 0xe5, + 0x58, 0x66, 0x3e, 0x8c, 0x5d, 0xe3, 0x5d, 0xbd, 0x43, 0xf6, 0x72, 0x51, 0xe7, 0x4c, 0xd4, 0x2f, 0x46, 0x12, 0x66, 0xc2, + 0x7a, 0xd4, 0xd9, 0x75, 0x25, 0xa5, 0x63, 0x60, 0x9c, 0xc4, 0xff, 0x0a, 0xec, 0x8d, 0x13, 0x22, 0x3e, 0x95, 0xe8, 0xd9, + 0xd4, 0xa4, 0x12, 0xba, 0x46, 0x93, 0x1f, 0x6b, 0x9f, 0xb2, 0xba, 0xca, 0x39, 0xda, 0x32, 0xe5, 0x5c, 0xb3, 0x86, 0xc9, + 0x86, 0xb9, 0x9c, 0x92, 0x72, 0xe4, 0xa7, 0x53, 0xe4, 0x39, 0x07, 0x96, 0xc6, 0x18, 0xbc, 0xfc, 0x2e, 0x5f, 0xd6, 0x15, + 0x2c, 0x73, 0x01, 0x05, 0x74, 0xd7, 0x9a, 0x34, 0x35, 0x56, 0x32, 0xb7, 0x50, 0x22, 0x76, 0x66, 0x4d, 0x6f, 0xd1, 0x19, + 0x6a, 0x79, 0xc1, 0x3f, 0x15, 0x21, 0x04, 0x14, 0x34, 0xc9, 0x9a, 0xdb, 0x25, 0x0d, 0xfb, 0xa9, 0x53, 0xc0, 0x5f, 0xac, + 0xb7, 0xec, 0x67, 0xac, 0x8e, 0x46, 0x4c, 0xd7, 0x1b, 0x9b, 0x25, 0x87, 0x97, 0x73, 0xd9, 0xc8, 0xb3, 0x65, 0x22, 0x3b, + 0x35, 0xc0, 0x2f, 0xf5, 0x7d, 0xa4, 0x9b, 0x79, 0x92, 0xfb, 0xb6, 0x0b, 0xc9, 0xf9, 0x88, 0xc5, 0x5b, 0x88, 0x21, 0x0d, + 0xcf, 0xd9, 0x83, 0x6d, 0xae, 0x58, 0x3f, 0xac, 0x88, 0x16, 0xae, 0x3f, 0xb5, 0xdb, 0x78, 0x1c, 0x03, 0x3a, 0x19, 0xf1, + 0xbe, 0xc6, 0x46, 0x12, 0x6b, 0x18, 0x0b, 0x70, 0x83, 0x2d, 0x2f, 0x16, 0xac, 0xa9, 0x31, 0x2d, 0xf3, 0xe5, 0xd7, 0xe1, + 0x0e, 0x0e, 0x23, 0xb3, 0x9e, 0xc5, 0x6e, 0x35, 0xb7, 0xc4, 0x7f, 0xac, 0x60, 0x92, 0xde, 0x73, 0x3b, 0x02, 0xb6, 0xf5, + 0x97, 0xe6, 0xe1, 0x55, 0x50, 0x72, 0xd2, 0xb4, 0xbd, 
0xcd, 0x7e, 0x11, 0xe4, 0x7b, 0x4b, 0xa5, 0x6b, 0x7e, 0xbf, 0xb8, + 0x4a, 0x1f, 0xf6, 0x34, 0x29, 0xee, 0x28, 0xb0, 0x45, 0x7d, 0x48, 0xc2, 0x18, 0xb2, 0x15, 0x0c, 0xe5, 0x5a, 0x3e, 0xee, + 0xdd, 0x1f, 0x20, 0x7b, 0xe6, 0x79, 0x60, 0xee, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0a, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xc9, 0x58, 0x3f, 0x54, 0xf7, 0x9c, 0x21, 0xee, 0x29, 0x26, 0x07, 0x8d, + 0x1b, 0xb4, 0x93, 0xc4, 0x3e, 0xfd, 0x6a, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, + 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, + 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, + 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0a, 0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x08, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x49, 0x00, 0x00, 0x09, 0x4d, 0x00, 0x00, 0x09, 0x61, + 0x00, 0x00, 0x09, 0x65, 0x00, 0x00, 0x09, 0x69, 0x00, 0x00, 0x09, 0x6d, 0x00, 0x00, 0x09, 0x71, 0x00, 0x00, 0x09, 0x89, + 0x00, 0x00, 0x09, 0x8d, 0x00, 0x00, 0x09, 0xb9, 0x00, 0x00, 0x09, 0xbd, 0x00, 0x00, 0x09, 0xc1, 0x00, 0x00, 0x09, 0xc5, + 0x00, 0x00, 0x09, 0xd1, 0x00, 0x00, 0x09, 0xdd, 0x00, 0x00, 0x09, 0xe1, 0x00, 0x00, 0x09, 0xe5, 0x00, 
0x00, 0x09, 0xe9, + 0x00, 0x00, 0x09, 0xed, 0x00, 0x00, 0x09, 0xf1, 0x00, 0x00, 0x09, 0xf5, 0x00, 0x00, 0x09, 0xf9, 0x00, 0x00, 0x09, 0xfd, + 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x0a, 0x05, 0x00, 0x00, 0x0a, 0x09, 0x00, 0x00, 0x0a, 0x0d, 0xfa, 0xde, 0x07, 0x11, + 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0xec, 0x00, 0x00, 0x08, 0xc4, 0x7a, 0x50, 0x55, 0x75, 0xed, 0x3d, 0xfc, 0x68, + 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x08, 0x00, + 0x00, 0x00, 0x00, 0x39, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, 0xb4, 0x4e, 0xa3, 0xa8, 0x86, 0x4f, 0x76, 0xe9, + 0x0f, 0x06, 0x2d, 0xca, 0x91, 0x26, 0x8e, 0x86, 0x1a, 0x1f, 0xb9, 0xf9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x00, 0x65, 0x73, 0x74, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, + 0x6e, 0x69, 0x6e, 0x67, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, 0xf7, 0xc4, 0x67, 0x03, 0x4c, 0xab, 0x35, 0xae, + 0x20, 0x64, 0x45, 0xf0, 
0xe3, 0x48, 0xbc, 0xba, 0x5f, 0xac, 0x81, 0xda, 0x00, 0x00, 0x00, 0x74, 0x2f, 0x53, 0x79, 0x73, + 0x74, 0x65, 0x6d, 0x2f, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x2f, 0x43, 0x6f, 0x72, 0x65, 0x53, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x73, 0x2f, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x73, 0x73, + 0x69, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x2e, 0x61, 0x70, 0x70, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x3c, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x1e, 0x63, 0x6f, 0x6d, 0x2e, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x73, 0x73, + 0x69, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x14, 0xf7, 0xc4, 0x67, 0x03, 0x4c, 0xab, 0x35, 0xae, 0x20, 0x64, 0x45, 0xf0, 0xe3, 0x48, 0xbc, 0xba, + 0x5f, 0xac, 0x81, 0xda, 0x00, 0x00, 0x00, 0x74, 0x2f, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2f, 0x4c, 0x69, 0x62, 0x72, + 0x61, 0x72, 0x79, 0x2f, 0x43, 0x6f, 0x72, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2f, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x73, 0x73, 0x69, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x2e, 0x61, + 0x70, 0x70, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x1e, 0x63, 0x6f, 0x6d, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x73, 0x73, 0x69, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, 0x10, 0x49, 0xe1, 0x42, + 0x39, 0xee, 0xe2, 0xbd, 0x76, 0x61, 0x00, 0x6f, 0xe5, 0xf4, 0xbe, 0xdb, 0xbc, 0x89, 0xbe, 0x56, 0x00, 0x00, 0x00, 0x44, + 0x2f, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 
0x73, 0x2f, 0x4d, 0x61, 0x69, 0x6c, 0x2e, 0x61, + 0x70, 0x70, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0e, 0x63, 0x6f, 0x6d, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x6d, 0x61, + 0x69, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, + 0x55, 0x29, 0x46, 0xa2, 0xfb, 0x92, 0xda, 0xe4, 0xf8, 0x4c, 0x7d, 0xdd, 0xc3, 0x4e, 0x52, 0x62, 0xff, 0x0f, 0xd2, 0x04, + 0x00, 0x00, 0x00, 0x40, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x72, 0x61, 0x63, 0x6f, 0x6f, 0x6e, + 0x00, 0x00, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, 0x63, 0x6f, 0x6d, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x72, 0x61, + 0x63, 0x6f, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x5c, 0x63, 0x6f, 0x6d, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x44, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, + 0x00, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x1d, + 0x63, 0x6f, 0x6d, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4d, 0x61, 0x6e, 0x61, + 0x67, 0x65, 0x72, 0x44, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x01, 0x01, 0x00, 0x00, + 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, + 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, 
+ 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x73, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, + 0x35, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x84, 0x5f, 0xda, 0x57, 0x4e, 0xc0, 0xb5, 0x32, 0xdf, 0xc4, 0x87, 0x7f, 0x8c, 0x04, 0x1f, 0x65, 0xa2, 0x23, 0x20, 0x8c, + 0xab, 0x49, 0x2f, 0xff, 0x12, 0xfa, 0x57, 0x33, 0xf8, 0xcb, 0x7a, 0xcd, 0xc4, 0x7b, 0xc0, 0xf6, 0xf7, 0xe7, 0x2f, 0x7d, + 0x3f, 0xec, 0xf5, 0x8a, 0xee, 0x1e, 0x26, 0xe9, 0x12, 0x96, 0xdb, 0xa2, 0x2a, 0xf6, 0xb9, 0x3c, 0x68, 0x14, 0x49, 0x86, + 0x00, 0xc0, 0xaa, 0x29, 0xd3, 0xad, 0x4b, 0x48, 0xca, 0x48, 0x3f, 0xdb, 0x36, 0xdd, 0x3d, 0x3b, 0x18, 0x59, 0x26, 0x2a, + 0x9e, 0x5f, 0x86, 0xe9, 0x4b, 0xaa, 0x83, 0x60, 0x20, 0x36, 0x1e, 0x59, 0x17, 0x33, 0x5b, 0x20, 0x42, 0x7a, 0x59, 0xfd, + 0xb3, 0xa2, 0x5f, 0x2b, 0xdb, 0x63, 0x7e, 0x66, 0xee, 0x5e, 0xf5, 0x22, 0x0c, 0x10, 0x61, 0xd3, 0x9e, 0x3d, 0xce, 0x62, + 0x6b, 0xc3, 0x97, 0x86, 0x68, 0x61, 0x2a, 0x31, 0xaa, 0x7d, 0x5d, 0x18, 0x1f, 0xe9, 0xc3, 0x12, 0xb7, 0x0d, 0x14, 0x84, + 0x5c, 0xa0, 0x84, 0x0c, 0x07, 0xef, 0x01, 0xf4, 0xd3, 0xa1, 0x14, 0xa8, 0x5a, 0xb8, 0x15, 0xb7, 0x1b, 0x7a, 0x4a, 0x12, + 0x2f, 0x9d, 0x8f, 0x79, 0xb1, 0x74, 0x3e, 0x50, 0xd5, 0x99, 0x9c, 0x26, 0x7d, 0x37, 0xaf, 0xc7, 0x7b, 0x15, 0x8c, 0x07, + 0xae, 0x74, 0xef, 0xc3, 0xb1, 0x6a, 0xa2, 0x76, 0xf9, 0x6d, 0x6e, 0xc2, 0x6a, 0x01, 0x9a, 0x5f, 0x23, 0xf4, 0xd5, 0xe3, + 0x6a, 0x34, 0x86, 0x1e, 0x9d, 0xed, 0x5c, 0x09, 0xd3, 0xba, 0xff, 0x2d, 0xbe, 0x4b, 0xbb, 0x6c, 0x6a, 0x20, 0xc9, 0x8b, + 0x51, 0xcd, 0x4c, 0x91, 0x51, 0x6d, 0xf5, 0x80, 0x42, 0x31, 0xc1, 0x3a, 0x10, 0xdc, 0xb4, 0x92, 0x97, 0x18, 0xcc, 0x26, + 0xf1, 0xe6, 0x18, 0xe1, 0x97, 0x21, 0x94, 0x3d, 0xca, 0xa7, 0xb5, 0xcd, 0xce, 0x53, 0x7b, 0x16, 0x0b, 0x80, 0x8d, 0x4c, + 0xc8, 0x28, 0xc8, 0x55, 0xcf, 0xc7, 0xba, 
0xd1, 0x05, 0x6a, 0x66, 0x72, 0x51, 0xb2, 0xd4, 0x3d, 0x81, 0x8d, 0xc5, 0xb3, + 0x86, 0xa6, 0x02, 0x53, 0x16, 0x2a, 0x2a, 0x40, 0xf1, 0x8d, 0xff, 0x42, 0x9a, 0x12, 0xd2, 0x46, 0x1d, 0x42, 0x98, 0x1f, + 0x1c, 0x52, 0x3f, 0x11, 0xa7, 0x12, 0xa7, 0xba, 0xb7, 0x84, 0xba, 0x80, 0xdf, 0x3e, 0x89, 0xcd, 0x81, 0x05, 0x98, 0x0a, + 0x92, 0x3e, 0x4b, 0x61, 0x44, 0x2f, 0xb8, 0xfe, 0x86, 0x56, 0x6b, 0xe1, 0xc0, 0xb4, 0x09, 0x52, 0x6c, 0xb2, 0xff, 0x1f, + 0xe7, 0x74, 0x98, 0xb6, 0x65, 0x47, 0x31, 0x5a, 0x33, 0x3a, 0x8c, 0x05, 0x18, 0xa5, 0x25, 0xc6, 0xb7, 0x18, 0x29, 0xf9, + 0x87, 0x7c, 0x3c, 0x3d, 0x70, 0x56, 0x60, 0xfe, 0x0c, 0xb9, 0x17, 0x89, 0xa0, 0x72, 0xe6, 0xa5, 0x2f, 0xa6, 0xa9, 0xc4, + 0x34, 0x5a, 0xbe, 0x0d, 0xa5, 0xf3, 0xac, 0xe8, 0x69, 0xa8, 0x2e, 0x50, 0xa2, 0xc1, 0x99, 0x7e, 0x7c, 0xd2, 0xd7, 0x60, + 0x1b, 0x41, 0xe4, 0x1f, 0x76, 0x5c, 0xeb, 0x1b, 0x28, 0x53, 0xd3, 0xab, 0x48, 0xd0, 0x7f, 0xb8, 0x9d, 0x70, 0x39, 0x8a, + 0xcd, 0x3c, 0x0f, 0x03, 0x5e, 0xe8, 0xa9, 0x95, 0x60, 0x54, 0x93, 0xfa, 0xd1, 0x9b, 0x49, 0xdb, 0x34, 0x32, 0x36, 0x38, + 0x56, 0xbb, 0xbf, 0xcf, 0x54, 0xe6, 0x5c, 0xa2, 0x8a, 0x9e, 0x73, 0x83, 0xa0, 0x53, 0x71, 0xfd, 0xef, 0x49, 0x1a, 0xa7, + 0x06, 0xca, 0x90, 0xd5, 0x2f, 0x31, 0xb4, 0x52, 0x0f, 0xaf, 0xfe, 0x6c, 0x19, 0x6d, 0xca, 0x11, 0xaa, 0xaf, 0x24, 0x21, + 0x47, 0x7f, 0x15, 0x47, 0x51, 0x96, 0x59, 0x3b, 0x27, 0x13, 0xc6, 0x50, 0x7b, 0x1c, 0x84, 0x0d, 0x61, 0x3d, 0x51, 0x58, + 0x9c, 0xe4, 0x65, 0x06, 0x1f, 0x7b, 0x91, 0x98, 0x7d, 0x35, 0x8c, 0x9f, 0xba, 0x38, 0x90, 0x89, 0xa2, 0xae, 0x68, 0x68, + 0x4b, 0x11, 0x2f, 0xea, 0x4d, 0xcb, 0x01, 0x59, 0x94, 0x26, 0x52, 0x37, 0x01, 0x6e, 0xfb, 0x01, 0x8b, 0x61, 0x59, 0x5b, + 0x49, 0xdf, 0xf2, 0x1c, 0x48, 0xbc, 0xed, 0x98, 0x8f, 0x09, 0x38, 0xa2, 0xf8, 0x27, 0xbb, 0x1a, 0x04, 0xcf, 0xd0, 0x4a, + 0x93, 0x32, 0xb8, 0x9d, 0x2f, 0x9c, 0xf3, 0xb2, 0xa8, 0x56, 0x47, 0xff, 0xa1, 0x28, 0x60, 0x6b, 0xc2, 0x3c, 0x1b, 0x48, + 0x5d, 0xc9, 0x05, 0x39, 0x98, 0xe5, 0x98, 0xfb, 0x17, 0x3f, 0x6d, 0x41, 0x8d, 0xc5, 0xa1, 
0xee, 0x31, 0x19, 0x00, 0x2d, + 0xfb, 0x1e, 0x8f, 0x5f, 0x72, 0x6a, 0x92, 0x64, 0x01, 0xad, 0xcc, 0x90, 0x14, 0x48, 0x83, 0x88, 0x2e, 0xc1, 0x58, 0xe5, + 0x33, 0xa4, 0x19, 0xc3, 0x1d, 0xee, 0x06, 0xb6, 0x96, 0xb7, 0x57, 0x04, 0xa5, 0x4a, 0xa0, 0xa5, 0x1b, 0xa5, 0xda, 0x91, + 0xb7, 0x2c, 0xcd, 0x6d, 0x81, 0xff, 0x9f, 0xac, 0xc9, 0x05, 0x26, 0x8f, 0xb2, 0x37, 0x3c, 0xb8, 0x53, 0xab, 0x2b, 0xaf, + 0x9e, 0x22, 0xd2, 0xcd, 0xf4, 0x65, 0xf3, 0x84, 0x68, 0x83, 0xc2, 0xf8, 0xb7, 0x05, 0x25, 0xfe, 0x08, 0x2c, 0xb2, 0xb4, + 0xf3, 0x95, 0x63, 0x9a, 0xcc, 0x9d, 0xb1, 0xee, 0x5c, 0x53, 0x3b, 0x6b, 0xab, 0x0e, 0x95, 0x50, 0xcc, 0x8e, 0xc3, 0x97, + 0x43, 0x67, 0xe5, 0x49, 0xd0, 0x20, 0xbd, 0xda, 0x45, 0x6c, 0xef, 0x9a, 0xc7, 0x47, 0xdc, 0x7f, 0xda, 0xab, 0xf2, 0x8a, + 0xc5, 0x4f, 0xc5, 0xdb, 0xba, 0x87, 0x5f, 0xc1, 0xe0, 0x12, 0xc0, 0xb1, 0x3e, 0x1b, 0x72, 0x34, 0x00, 0x9f, 0x0a, 0xb4, + 0x99, 0xf8, 0x33, 0xe7, 0xb7, 0xc6, 0xc0, 0xed, 0xe6, 0x2c, 0x1b, 0x29, 0x9c, 0xfd, 0xeb, 0x6f, 0x9b, 0x0a, 0x55, 0xd2, + 0x09, 0xa2, 0x64, 0x49, 0x39, 0x30, 0x33, 0xb2, 0x77, 0x31, 0x32, 0x81, 0x25, 0x58, 0x66, 0x4d, 0xd2, 0xc2, 0xa6, 0x18, + 0xdc, 0xfc, 0x0a, 0x73, 0x5f, 0xbc, 0xcc, 0xef, 0xfe, 0xee, 0x1d, 0x3d, 0xb8, 0x21, 0xfb, 0x52, 0x25, 0x6f, 0xc3, 0x99, + 0x67, 0xa1, 0x69, 0x20, 0xb3, 0x01, 0xb4, 0x75, 0xbe, 0x08, 0x49, 0x2e, 0xe3, 0x6f, 0x1a, 0xd0, 0xe9, 0x7c, 0xec, 0xbf, + 0x98, 0x45, 0x82, 0xf8, 0xc4, 0x77, 0x74, 0x20, 0xc9, 0x5f, 0xa1, 0x8b, 0xf4, 0xa8, 0x4d, 0x12, 0xd5, 0x92, 0xd1, 0xe1, + 0x42, 0x4b, 0xa2, 0x45, 0x18, 0x60, 0xaf, 0x9a, 0xf2, 0xe4, 0xcf, 0x3e, 0x66, 0x87, 0x12, 0x0e, 0xa7, 0x55, 0x53, 0x96, + 0xcb, 0xcf, 0xd3, 0x34, 0xab, 0xdd, 0x20, 0x0f, 0x62, 0x9a, 0xb4, 0x86, 0x2f, 0x9f, 0x01, 0xda, 0xd6, 0xe6, 0x2b, 0xe2, + 0x5b, 0xb9, 0x74, 0xd8, 0x28, 0xad, 0x94, 0x89, 0x3e, 0x3a, 0x2a, 0x82, 0xa2, 0x0a, 0x7b, 0x4b, 0x4f, 0x3f, 0xed, 0x7f, + 0x2a, 0x3a, 0x06, 0xc8, 0xd4, 0x65, 0xcd, 0x60, 0x19, 0x79, 0x36, 0x31, 0x4c, 0xc1, 0x1e, 0x55, 0x22, 0x4f, 0x6e, 0xe0, + 0x1b, 0xab, 
0x0b, 0x49, 0xa8, 0x9f, 0xf9, 0xc9, 0x6c, 0xd4, 0xd6, 0xfa, 0x07, 0xcd, 0xf5, 0xe7, 0x94, 0x51, 0x1b, 0x3d, + 0xc5, 0x00, 0x79, 0x38, 0xaf, 0xc0, 0x23, 0x60, 0x2b, 0x92, 0xda, 0x76, 0x69, 0xf7, 0xda, 0x23, 0xf9, 0xa6, 0x21, 0x34, + 0xc6, 0xf3, 0xc3, 0x69, 0xa6, 0x25, 0x87, 0x70, 0x5c, 0x0c, 0xc1, 0xfc, 0x9c, 0x30, 0xbc, 0xdf, 0x26, 0xbe, 0x4b, 0x49, + 0x44, 0xdd, 0x2f, 0x21, 0xc1, 0xa8, 0xcd, 0x54, 0x7a, 0xa4, 0x1b, 0xae, 0x82, 0xce, 0x05, 0x50, 0x9c, 0xb6, 0x85, 0x5d, + 0xf9, 0xbd, 0xdd, 0x4a, 0x56, 0x51, 0x32, 0x50, 0xdd, 0xaa, 0x55, 0xfe, 0x26, 0x3c, 0xee, 0x36, 0xa4, 0xa8, 0x53, 0x66, + 0x72, 0x89, 0xf6, 0xa3, 0x25, 0x7a, 0x23, 0x53, 0x29, 0x4d, 0x34, 0x29, 0x62, 0x94, 0x4f, 0x4f, 0x1b, 0x53, 0xcb, 0xc1, + 0x7c, 0xd1, 0x50, 0x8e, 0xa3, 0x19, 0x89, 0xfa, 0x90, 0x42, 0x69, 0x16, 0xd0, 0x6f, 0xf8, 0x7a, 0xc2, 0x9e, 0x67, 0xe8, + 0xe8, 0xff, 0xf1, 0x61, 0x7b, 0x31, 0x19, 0xcf, 0xf1, 0x27, 0xee, 0xab, 0x63, 0xe8, 0xdb, 0xf7, 0x4c, 0xbf, 0xcf, 0x2f, + 0xe7, 0x83, 0x92, 0xf8, 0x6d, 0x15, 0x9e, 0x1d, 0x77, 0xef, 0x40, 0x79, 0x58, 0xe4, 0xf9, 0xa7, 0x3d, 0xb6, 0x2d, 0xd0, + 0xfc, 0x01, 0x66, 0x20, 0x2c, 0xd1, 0x29, 0x86, 0x9b, 0x88, 0xcd, 0x98, 0xb4, 0x66, 0x61, 0x94, 0x58, 0x56, 0xf4, 0xff, + 0x60, 0x90, 0xf2, 0x8c, 0x07, 0x1c, 0x0b, 0x13, 0xfe, 0xb6, 0x58, 0x15, 0x6a, 0x8a, 0xd7, 0x98, 0xb2, 0x3e, 0xee, 0x49, + 0xdb, 0x3a, 0x0f, 0x98, 0x27, 0xc6, 0x88, 0xc5, 0x15, 0xe5, 0x67, 0x08, 0x09, 0xfc, 0x63, 0x6c, 0x8f, 0x30, 0xf4, 0x95, + 0xb7, 0x69, 0xd4, 0x47, 0x93, 0xe5, 0xa6, 0xf9, 0x73, 0xdd, 0x98, 0xb4, 0x66, 0x02, 0x1f, 0x3b, 0xe7, 0x53, 0x9f, 0x54, + 0x44, 0x0b, 0x9b, 0xdb, 0xe8, 0xaa, 0x77, 0xc3, 0x89, 0x65, 0x12, 0xb2, 0xc5, 0x2f, 0x5e, 0xaa, 0xff, 0xab, 0x72, 0x1f, + 0xf1, 0xd3, 0xdc, 0x8f, 0xaf, 0x13, 0x31, 0xaa, 0x5d, 0x48, 0x5a, 0x1b, 0x31, 0x61, 0x0b, 0x48, 0x9b, 0xe6, 0x75, 0x2e, + 0xd5, 0xdb, 0xd3, 0x22, 0xb5, 0x77, 0x9b, 0x45, 0xc2, 0x9d, 0x1b, 0xe2, 0x2b, 0x8c, 0x14, 0x99, 0x10, 0x7c, 0x24, 0x18, + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x74, 0x65, 
0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, + 0x6e, 0x69, 0x6e, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x14, 0xc7, 0xc5, 0x36, 0xbc, 0xce, 0x8e, 0x86, 0xa8, 0x02, 0x33, 0x38, 0xb5, 0x23, 0xb6, 0xef, 0x97, + 0x20, 0x1e, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, + 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, + 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x08, 0x00, + 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x03, 0xb0, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x11, 0x2c, 0x00, 0x00, 0x12, 0x50, 0x00, 0x00, 0x12, 0xb0, + 0x00, 0x00, 0x12, 0xe8, 0x00, 0x00, 0x13, 0x20, 0x00, 0x00, 0x13, 0x58, 0x00, 0x00, 0x13, 0x90, 0x00, 0x00, 0x13, 0xc8, + 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x14, 0x38, 0x00, 0x00, 0x14, 0x70, 0x00, 0x00, 0x01, 0x24, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0d, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x11, 0x70, 0x00, 0x00, 0x11, 0xe0, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, 0xc7, 0xc5, 0x36, 0xbc, 0xce, 0x8e, 0x86, 0xa8, 0x02, 0x33, 
0x38, 0xb5, + 0x23, 0xb6, 0xef, 0x97, 0x20, 0x1e, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, + 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, + 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, + 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, + 0xc9, 0x58, 0x3f, 0x54, 0xf7, 0x9c, 0x21, 0xee, 0x29, 0x26, 0x07, 0x8d, 0x1b, 0xb4, 0x93, 0xc4, 0x3e, 0xfd, 0x6a, 0x65, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, + 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, + 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x08, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x12, 0x78, 0x00, 0x00, 0x12, 0x94, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, 0xc7, 0xc5, 0x36, 0xbc, 0xce, 0x8e, 0x86, 0xa8, + 0x02, 0x33, 0x38, 0xb5, 0x23, 0xb6, 0xef, 0x97, 0x20, 0x1e, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, + 0xc9, 0x58, 0x3f, 0x54, 0xf7, 0x9c, 0x21, 0xee, 0x29, 0x26, 0x07, 0x8d, 0x1b, 0xb4, 0x93, 0xc4, 0x3e, 0xfd, 0x6a, 0x65, + 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x12, + 0x00, 0x00, 0x00, 0x02, 0x00, 
0x00, 0x12, 0xd8, 0x00, 0x00, 0x12, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x13, 0x10, 0x00, 0x00, 0x13, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x13, 0x48, + 0x00, 0x00, 0x13, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x13, 0x80, 0x00, 0x00, 0x13, 0x88, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x13, 0xb8, 0x00, 0x00, 0x13, 0xc0, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x17, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x13, 0xf0, 0x00, 0x00, 0x13, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 
0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x14, 0x28, 0x00, 0x00, 0x14, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x09, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x14, 0x60, + 0x00, 0x00, 0x14, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x14, 0x98, 0x00, 0x00, 0x14, 0xa0, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x1e, 0xbc, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x38, + 0x00, 0x00, 0x15, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x02, 0xf8, + 0x00, 0x00, 0x05, 0xe4, 0x00, 0x00, 0x08, 0xa4, 0x00, 0x00, 0x0e, 0xfc, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x11, 0xe4, + 0x00, 0x00, 0x02, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x01, 0x70, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xf5, 0x00, 0x00, 0x01, 0xf9, 0x00, 0x00, 0x02, 0x11, 0x00, 0x00, 0x02, 0x15, + 0x00, 0x00, 0x02, 0x19, 0x00, 0x00, 0x02, 0x1d, 0x00, 0x00, 0x02, 0x21, 0x00, 0x00, 0x02, 0x39, 0x00, 0x00, 0x02, 0x3d, + 0x00, 0x00, 0x02, 0x69, 0x00, 0x00, 0x02, 0x6d, 0x00, 0x00, 0x02, 0x71, 0x00, 0x00, 0x02, 0x75, 0x00, 0x00, 0x02, 0x81, + 0x00, 0x00, 0x02, 0x8d, 0x00, 0x00, 0x02, 0x91, 0x00, 0x00, 0x02, 0x95, 0x00, 0x00, 0x02, 0x99, 0x00, 0x00, 0x02, 0x9d, + 0x00, 0x00, 0x02, 0xa1, 0x00, 0x00, 0x02, 0xa5, 0x00, 0x00, 0x02, 0xa9, 0x00, 0x00, 0x02, 0xad, 0x00, 0x00, 0x02, 0xb1, + 
0x00, 0x00, 0x02, 0xb5, 0x00, 0x00, 0x02, 0xb9, 0x00, 0x00, 0x02, 0xbd, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x01, 0x00, + 0x00, 0x00, 0x01, 0x40, 0x00, 0x00, 0x01, 0x70, 0xea, 0x6d, 0x4d, 0x2b, 0x42, 0xd6, 0x1d, 0xa7, 0x00, 0x00, 0x00, 0x02, + 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x59, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, 0x59, 0x1b, 0x38, 0x6f, 0x83, 0xff, 0xcf, 0x13, 0x00, 0xc5, 0x58, 0x14, + 0x81, 0x60, 0xd5, 0xf2, 0x76, 0x2d, 0x7b, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x25, + 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, 
0x00, 0x00, 0x00, 0x73, 0xe5, 0x1f, 0x40, 0x4b, 0xde, 0x16, 0xe0, 0x41, + 0xc5, 0xdc, 0x68, 0x83, 0xfb, 0x0f, 0x7b, 0xad, 0x62, 0x9d, 0xa3, 0xee, 0xea, 0xa9, 0x6b, 0x27, 0x69, 0x1e, 0xea, 0xc7, + 0x1c, 0xf7, 0x06, 0xa5, 0x76, 0xcd, 0x9d, 0x65, 0x3c, 0xb1, 0x30, 0x6a, 0x30, 0xd1, 0x31, 0xbd, 0x8a, 0x19, 0x90, 0x89, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0xce, 0x31, 0x50, 0xc1, 0x8c, 0xde, 0x4b, 0xa0, + 0xca, 0xfd, 0x36, 0x98, 0x33, 0x59, 0x99, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0xce, 0x31, 0x50, 0xc1, 0x8c, 0xde, 0x4b, 0xa0, + 0xca, 0xfd, 0x36, 0x98, 0x33, 0x59, 0x99, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, + 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, + 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xec, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x01, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x21, 0x00, 0x00, 0x02, 0x25, 0x00, 0x00, 0x02, 0x3d, + 0x00, 0x00, 0x02, 0x41, 0x00, 0x00, 0x02, 0x45, 0x00, 0x00, 0x02, 0x49, 0x00, 0x00, 0x02, 0x4d, 0x00, 0x00, 0x02, 0x65, + 0x00, 0x00, 0x02, 0x69, 0x00, 0x00, 0x02, 0x95, 0x00, 0x00, 0x02, 0x99, 0x00, 0x00, 0x02, 0x9d, 
0x00, 0x00, 0x02, 0xa1, + 0x00, 0x00, 0x02, 0xad, 0x00, 0x00, 0x02, 0xb9, 0x00, 0x00, 0x02, 0xbd, 0x00, 0x00, 0x02, 0xc1, 0x00, 0x00, 0x02, 0xc5, + 0x00, 0x00, 0x02, 0xc9, 0x00, 0x00, 0x02, 0xcd, 0x00, 0x00, 0x02, 0xd1, 0x00, 0x00, 0x02, 0xd5, 0x00, 0x00, 0x02, 0xd9, + 0x00, 0x00, 0x02, 0xdd, 0x00, 0x00, 0x02, 0xe1, 0x00, 0x00, 0x02, 0xe5, 0x00, 0x00, 0x02, 0xe9, 0xfa, 0xde, 0x07, 0x11, + 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x6c, 0x00, 0x00, 0x01, 0x9c, 0x8b, 0x41, 0x4a, 0x57, 0xa6, 0xf2, 0x36, 0xc2, + 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xc0, + 0x00, 0x00, 0x00, 0x79, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, 0x9a, 0xfe, 0xce, 0x76, 0xf7, 0x40, 0x3a, 0x9f, + 0xd2, 0xc5, 0x69, 0x65, 0x60, 0xea, 0x1a, 0x98, 0xc7, 0xed, 0x28, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, + 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, + 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 
0x01, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, + 0x00, 0x00, 0x0c, 0x00, 0x00, 0x5a, 0x4c, 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x73, + 0x83, 0x67, 0xc1, 0x00, 0xdf, 0x03, 0x66, 0xb0, 0xbb, 0x20, 0xb3, 0x39, 0x84, 0xf0, 0x07, 0xc3, 0x17, 0x75, 0x8a, 0x1b, + 0xce, 0x2a, 0xb7, 0xc3, 0x31, 0xd7, 0xea, 0xba, 0xa4, 0x38, 0xf5, 0x78, 0x94, 0xa5, 0xff, 0x08, 0x6d, 0x36, 0x41, 0xa5, + 0x8d, 0x6e, 0xf7, 0x55, 0x1f, 0x6f, 0xe9, 0x3c, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, + 0x66, 0x4e, 0xf9, 0x51, 0xc5, 0xeb, 0x28, 0x0b, 0xca, 0x0c, 0x15, 0x2f, 0x22, 0x80, 0x18, 0x7b, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, + 0x66, 0x4e, 0xf9, 0x51, 0xc5, 0xeb, 0x28, 0x0b, 0xca, 0x0c, 0x15, 0x2f, 0x22, 0x80, 0x18, 0x7b, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, + 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, + 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xc0, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x01, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xf5, + 0x00, 0x00, 0x01, 0xf9, 0x00, 0x00, 0x02, 0x11, 0x00, 0x00, 0x02, 0x15, 0x00, 0x00, 0x02, 0x19, 0x00, 0x00, 0x02, 0x1d, + 0x00, 0x00, 0x02, 0x21, 0x00, 0x00, 0x02, 0x39, 0x00, 0x00, 0x02, 0x3d, 0x00, 0x00, 0x02, 0x69, 0x00, 0x00, 0x02, 0x6d, + 0x00, 0x00, 0x02, 0x71, 0x00, 0x00, 0x02, 0x75, 0x00, 0x00, 0x02, 0x81, 0x00, 0x00, 0x02, 0x8d, 0x00, 0x00, 0x02, 0x91, + 0x00, 0x00, 0x02, 0x95, 0x00, 0x00, 0x02, 0x99, 0x00, 0x00, 0x02, 0x9d, 0x00, 0x00, 0x02, 0xa1, 0x00, 0x00, 0x02, 0xa5, + 0x00, 0x00, 0x02, 0xa9, 0x00, 0x00, 0x02, 0xad, 0x00, 0x00, 0x02, 0xb1, 0x00, 0x00, 0x02, 0xb5, 0x00, 0x00, 0x02, 0xb9, + 0x00, 0x00, 0x02, 0xbd, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x40, 0x00, 0x00, 0x01, 0x70, + 0x44, 0x1d, 0x55, 0x6f, 0xda, 0x1b, 0x4a, 0x43, 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, + 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, + 0x23, 0x07, 0xb7, 0x3f, 0xb3, 0x23, 0xad, 0xb2, 0xa9, 0x7f, 0x10, 0x8b, 0x76, 0x89, 0x68, 0x1b, 0x42, 0xb4, 0x45, 0x98, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, + 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 
0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, + 0x00, 0x00, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x00, 0x7f, 0x00, 0x00, 0x00, 0xc5, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x23, 0xe5, 0x14, 0x64, 0x77, 0x35, 0x5f, 0x79, 0x3e, 0x4c, 0x4d, 0x5e, 0xee, 0xa7, 0x26, 0x39, 0x7d, + 0x28, 0x18, 0xd5, 0xf5, 0x08, 0x07, 0x99, 0x37, 0xb1, 0xea, 0x83, 0x7c, 0xbc, 0xeb, 0x64, 0x47, 0xc6, 0xe1, 0x82, 0xfe, + 0x1f, 0x20, 0x67, 0x1e, 0x37, 0x92, 0x57, 0xaa, 0xbe, 0x4f, 0xac, 0x5f, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, + 0x73, 0x73, 0x67, 0x70, 0xea, 0xa1, 0xad, 0x3e, 0x49, 0xa8, 0x35, 0x7b, 0xce, 0x5d, 0x8c, 0xd6, 0xdf, 0x25, 0xe4, 0x2d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, + 0x73, 0x73, 0x67, 0x70, 0xea, 0xa1, 0xad, 0x3e, 0x49, 0xa8, 0x35, 0x7b, 0xce, 0x5d, 0x8c, 0xd6, 0xdf, 0x25, 0xe4, 0x2d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, + 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, + 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x5c, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x02, 0x0c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x02, 0x91, 0x00, 0x00, 0x02, 0x95, 0x00, 0x00, 0x02, 0xad, 0x00, 0x00, 0x02, 0xb1, 0x00, 0x00, 0x02, 0xb5, + 0x00, 0x00, 0x02, 0xb9, 0x00, 0x00, 0x02, 0xbd, 0x00, 0x00, 0x02, 0xd5, 0x00, 0x00, 0x02, 0xd9, 0x00, 0x00, 0x03, 0x05, + 0x00, 0x00, 0x03, 0x09, 0x00, 0x00, 0x03, 0x0d, 0x00, 0x00, 0x03, 0x11, 0x00, 0x00, 0x03, 0x1d, 0x00, 0x00, 0x03, 0x29, + 0x00, 0x00, 0x03, 0x2d, 0x00, 0x00, 0x03, 0x31, 0x00, 0x00, 0x03, 0x35, 0x00, 0x00, 0x03, 0x39, 0x00, 0x00, 0x03, 0x3d, + 0x00, 0x00, 0x03, 0x41, 0x00, 0x00, 0x03, 0x45, 0x00, 0x00, 0x03, 0x49, 0x00, 0x00, 0x03, 0x4d, 0x00, 0x00, 0x03, 0x51, + 0x00, 0x00, 0x03, 0x55, 0x00, 0x00, 0x03, 0x59, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0xdc, + 0x00, 0x00, 0x02, 0x0c, 0x52, 0x60, 0x55, 0x9c, 0x4a, 0x26, 0x30, 0x1b, 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, + 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x06, 0x93, 0x56, 0x67, 0xd4, 0x00, 0x07, 0x17, 0xac, 0xc1, 0xbd, 
0xea, 0x93, 0x3b, 0xd3, 0x28, 0xa0, + 0x57, 0xe5, 0x77, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, + 0x00, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x23, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x74, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, 0x9d, 0x01, 0xd2, 0x67, 0xcc, 0xce, 0x6d, 0x38, 0xee, 0x87, 0xc1, 0xcc, + 0x32, 0xbb, 0xee, 0x47, 0xfa, 0x77, 0x9b, 0xdf, 0x00, 0x00, 0x00, 0x44, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x62, 0x69, 0x6e, + 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x00, 0x00, 0x00, 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x30, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x12, 0x63, 0x6f, 0x6d, 0x2e, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, + 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x1c, + 0x00, 
0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x73, 0x74, 0x72, 0x69, 0x63, + 0x74, 0x69, 0x76, 0x65, 0xad, 0xa7, 0xd1, 0x01, 0x67, 0x9c, 0xc4, 0xea, 0xc3, 0xdf, 0x8e, 0xc4, 0x08, 0x5b, 0x35, 0x71, + 0x96, 0xc4, 0xb0, 0x57, 0x19, 0x46, 0xb5, 0x63, 0xce, 0xbb, 0x8e, 0xe7, 0x35, 0x53, 0x02, 0xe2, 0xb2, 0x8d, 0xfa, 0xf4, + 0x08, 0xdd, 0x5f, 0xda, 0x2e, 0x3e, 0xf4, 0x8c, 0x14, 0x02, 0xe2, 0x53, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, + 0x73, 0x73, 0x67, 0x70, 0x10, 0x34, 0x14, 0x76, 0xa3, 0xc3, 0x9d, 0x60, 0x91, 0x3d, 0xda, 0x7c, 0x59, 0x37, 0xec, 0x91, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, + 0x73, 0x73, 0x67, 0x70, 0x10, 0x34, 0x14, 0x76, 0xa3, 0xc3, 0x9d, 0x60, 0x91, 0x3d, 0xda, 0x7c, 0x59, 0x37, 0xec, 0x91, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, + 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, + 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xfc, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x01, 0xa4, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x02, 0x29, 0x00, 0x00, 0x02, 0x2d, 0x00, 0x00, 0x02, 0x49, 0x00, 0x00, 0x02, 0x4d, 0x00, 0x00, 0x02, 0x51, + 0x00, 0x00, 0x02, 0x55, 0x00, 0x00, 0x02, 0x59, 0x00, 
0x00, 0x02, 0x75, 0x00, 0x00, 0x02, 0x79, 0x00, 0x00, 0x02, 0xa5, + 0x00, 0x00, 0x02, 0xa9, 0x00, 0x00, 0x02, 0xad, 0x00, 0x00, 0x02, 0xb1, 0x00, 0x00, 0x02, 0xbd, 0x00, 0x00, 0x02, 0xc9, + 0x00, 0x00, 0x02, 0xcd, 0x00, 0x00, 0x02, 0xd1, 0x00, 0x00, 0x02, 0xd5, 0x00, 0x00, 0x02, 0xd9, 0x00, 0x00, 0x02, 0xdd, + 0x00, 0x00, 0x02, 0xe1, 0x00, 0x00, 0x02, 0xe5, 0x00, 0x00, 0x02, 0xe9, 0x00, 0x00, 0x02, 0xed, 0x00, 0x00, 0x02, 0xf1, + 0x00, 0x00, 0x02, 0xf5, 0x00, 0x00, 0x02, 0xf9, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x7c, + 0x00, 0x00, 0x01, 0xa4, 0x3b, 0xaf, 0x30, 0xf6, 0xce, 0x08, 0x47, 0xad, 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, + 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0xcf, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x06, 0xeb, 0x22, 0x2e, 0xd0, 0xa1, 0x2a, 0x8b, 0xd2, 0x11, 0xac, 0x9f, 0x5b, 0x27, 0x35, 0x5d, 0xd8, + 0x58, 0x6d, 0x84, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0xa8, 0x12, 0x5f, 0x3d, 0x91, 0x36, 0x30, 0x1a, 0x76, 0x25, 0x8c, 0xbf, + 0x1f, 0x58, 0xcb, 0x76, 0xd6, 0xbb, 0xff, 0xb1, 0xff, 0xff, 0xff, 0xff, 0x98, 0xb9, 0x89, 0x06, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0xa8, 0x12, 0x5f, 0x3d, 0x91, 0x36, 0x30, 0x1a, + 0x76, 0x25, 0x8c, 0xbf, 0x1f, 0x58, 0xcb, 0x76, 0xd6, 0xbb, 0xff, 0xb1, 0xff, 0xff, 0xff, 0xff, 0x98, 
0xb9, 0x89, 0x06, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x23, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, + 0x01, 0x01, 0x00, 0x00, 0xc2, 0xa8, 0x12, 0x5f, 0x3d, 0xc2, 0x91, 0x36, 0x30, 0x1a, 0x76, 0x25, 0xc2, 0x8c, 0xc2, 0xbf, + 0x1f, 0x58, 0xc3, 0x8b, 0x76, 0xc3, 0x96, 0xc2, 0xbb, 0xc3, 0xbf, 0xc2, 0xb1, 0xc3, 0xbf, 0xc3, 0xbf, 0xc3, 0xbf, 0xc3, + 0xbf, 0xc2, 0x98, 0xc2, 0xb9, 0xc2, 0x89, 0x06, 0x01, 0x00, 0xff, 0xff, 0x00, 0x54, 0x55, 0x4d, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x26, + 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x73, 0xe6, 0x50, 0x17, 0x0a, 0x9f, 0xb9, 0xab, 0x61, 0x5d, 0x77, 0x39, 0x8b, + 0x76, 0x2d, 0x3f, 0x20, 0xb2, 0xec, 0x7c, 0xbc, 0xa1, 0x54, 0xac, 0x1b, 0x1c, 0x6d, 0x6b, 0x88, 0x3b, 0xd2, 0x7b, 0x6b, + 0x24, 0x84, 0x7c, 0xca, 0xc7, 0xe8, 0x66, 0x8e, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x18, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, + 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, + 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, + 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, + 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x02, 0xe8, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x01, 0xa8, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x2d, 0x00, 0x00, 0x02, 0x31, 0x00, 0x00, 0x02, 0x3d, 0x00, 0x00, 0x02, 0x41, + 0x00, 0x00, 0x02, 0x45, 0x00, 0x00, 0x02, 0x49, 0x00, 0x00, 0x02, 0x4d, 0x00, 0x00, 0x02, 0x61, 0x00, 0x00, 0x02, 0x65, + 0x00, 0x00, 0x02, 0x91, 0x00, 0x00, 0x02, 0x95, 0x00, 0x00, 0x02, 0x99, 0x00, 0x00, 0x02, 0x9d, 0x00, 0x00, 0x02, 0xa9, + 0x00, 0x00, 0x02, 0xb5, 0x00, 0x00, 0x02, 0xb9, 0x00, 0x00, 0x02, 0xbd, 0x00, 0x00, 0x02, 0xc1, 0x00, 0x00, 0x02, 0xc5, + 0x00, 0x00, 0x02, 0xc9, 0x00, 0x00, 0x02, 0xcd, 0x00, 0x00, 0x02, 0xd1, 0x00, 0x00, 0x02, 0xd5, 0x00, 0x00, 0x02, 0xd9, + 0x00, 0x00, 0x02, 0xdd, 0x00, 0x00, 0x02, 0xe1, 0x00, 0x00, 0x02, 0xe5, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x01, 0x00, + 0x00, 0x00, 0x01, 0x80, 0x00, 0x00, 0x01, 0xa8, 0xf4, 0x8e, 0xca, 0x78, 0x14, 0xb8, 0x41, 0x73, 0x00, 0x00, 0x00, 0x02, + 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0xcf, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x64, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, 0x72, 0x3a, 0x27, 0x07, 0x00, 0xae, 0x19, 0xfc, 0x71, 0x1c, 0x6f, 0x2f, + 0xe2, 0x2b, 0x78, 0x9a, 0xdc, 0x88, 0xc1, 0x23, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0xc9, 0x22, 0xdf, 0x1e, 0x94, 0x1b, 0x4d, 0x42, + 0x21, 0x42, 0x85, 0xcd, 0x32, 0xec, 0xe5, 0xd7, 0xf9, 0x61, 0x38, 0xe1, 0xff, 0xff, 0xff, 0xff, 0x98, 0xb9, 0x89, 0x06, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0xc9, 0x22, 0xdf, 0x1e, + 0x94, 0x1b, 0x4d, 0x42, 0x21, 0x42, 0x85, 0xcd, 0x32, 0xec, 0xe5, 0xd7, 0xf9, 0x61, 0x38, 0xe1, 0xff, 0xff, 0xff, 0xff, + 0x98, 0xb9, 0x89, 0x06, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0xc3, 0x89, 0x22, 0xc3, 0x9f, 0x1e, 0xc2, 0x94, + 0x1b, 0x4d, 0x42, 0x21, 0x42, 0xc2, 0x85, 0xc3, 0x8d, 0x32, 0xc3, 0xac, 0xc3, 0xa5, 0xc3, 0x97, 0xc3, 0xb9, 0x61, 0x38, + 0xc3, 0xa1, 0xc3, 0xbf, 0xc3, 0xbf, 0xc3, 0xbf, 0xc3, 0xbf, 0xc2, 0x98, 0xc2, 0xb9, 0xc2, 0x89, 0x06, 0x01, 0x00, 0x4d, + 0x00, 0x54, 0x55, 0x4d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x1c, + 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x73, 0x7b, 0x74, 0x34, 0xf2, + 0x79, 0x55, 0x24, 0x13, 0xc5, 0x6c, 0xdd, 0xe2, 0xe7, 0xd5, 0xbf, 0x4e, 0xaa, 0xc8, 0x50, 0xa3, 0xc6, 0x46, 0x67, 0x62, + 0x08, 0x04, 0x0d, 0xe7, 0x54, 0xe1, 0xb5, 0x0a, 0x53, 0x0d, 0x90, 0xbc, 0xd7, 0x2e, 0x5f, 0x6d, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0x08, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x70, 0x70, 
+ 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, + 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, + 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0x4c, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x01, 0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x81, 0x00, 0x00, 0x02, 0x85, 0x00, 0x00, 0x02, 0x9d, + 0x00, 0x00, 0x02, 0xa1, 0x00, 0x00, 0x02, 0xa5, 0x00, 0x00, 0x02, 0xa9, 0x00, 0x00, 0x02, 0xad, 0x00, 0x00, 0x02, 0xc5, + 0x00, 0x00, 0x02, 0xc9, 0x00, 0x00, 0x02, 0xf5, 0x00, 0x00, 0x02, 0xf9, 0x00, 0x00, 0x02, 0xfd, 0x00, 0x00, 0x03, 0x01, + 0x00, 0x00, 0x03, 0x0d, 0x00, 0x00, 0x03, 0x19, 0x00, 0x00, 0x03, 0x1d, 0x00, 0x00, 0x03, 0x21, 0x00, 0x00, 0x03, 0x25, + 0x00, 0x00, 0x03, 0x29, 0x00, 0x00, 0x03, 0x2d, 0x00, 0x00, 0x03, 0x31, 0x00, 0x00, 0x03, 0x35, 0x00, 0x00, 0x03, 0x39, + 0x00, 0x00, 0x03, 0x3d, 0x00, 0x00, 0x03, 0x41, 0x00, 0x00, 0x03, 0x45, 0x00, 0x00, 0x03, 0x49, 0xfa, 0xde, 0x07, 0x11, + 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0xcc, 0x00, 0x00, 0x01, 0xfc, 0x1a, 0xe7, 0x86, 0xc7, 0x8e, 0x0c, 0x7b, 0xed, + 0x00, 0x00, 0x00, 0x02, 0x87, 0x19, 0x1c, 0xa2, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, 0x02, 0xb5, 0x21, 0x22, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xc0, + 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x06, 0xbb, 0x34, 0xae, 0xf4, 0x96, 0x00, 0x3a, 0xa9, + 0x6c, 0x3b, 0x6c, 0xa6, 0x1b, 0xa0, 0xfd, 0x0d, 0x0b, 0x7b, 0xc1, 0xef, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x6e, 0x6f, 0x62, 0x6f, + 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, 0x50, 0x81, 0xee, 0xbe, 0x1f, 0x36, 0xff, 0x64, + 0xa1, 0x66, 0x43, 0xd7, 0xdc, 0x0e, 0x61, 0xf0, 0x17, 0xaf, 0x60, 0x35, 0x00, 0x00, 0x00, 0x60, 0x2f, 0x41, 0x70, 0x70, + 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x55, 0x74, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x2f, + 0x4b, 0x65, 0x79, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x61, 0x70, 0x70, 0x00, + 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x18, 0x63, 0x6f, 0x6d, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x6b, 
0x65, 0x79, 0x63, 0x68, 0x61, + 0x69, 0x6e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x00, 0x00, 0x00, 0x03, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, + 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x60, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x1c, + 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x3b, 0x00, 0x00, 0x00, 0x73, 0xb8, 0x58, 0xf2, 0xef, + 0xb1, 0x4e, 0x1e, 0x2e, 0x15, 0xe0, 0x0f, 0xb5, 0xea, 0xd4, 0xf5, 0x1e, 0x45, 0x79, 0x80, 0x58, 0xe2, 0xb2, 0x93, 0xf6, + 0x1c, 0xbf, 0x8c, 0x2b, 0x1d, 0xdb, 0xed, 0x58, 0xd3, 0x90, 0x91, 0xfd, 0x86, 0xbe, 0x01, 0xdd, 0x76, 0x36, 0x01, 0xf0, + 0x1a, 0x4f, 0xd8, 0x7d, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0x88, 0x63, 0xaf, 0x56, + 0xf7, 0x5a, 0x1f, 0xa9, 0xf0, 0x1f, 0x26, 0xc0, 0x6c, 0x8d, 0x8a, 0xb4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0x88, 0x63, 0xaf, 0x56, + 0xf7, 0x5a, 0x1f, 0xa9, 0xf0, 0x1f, 0x26, 0xc0, 0x6c, 0x8d, 0x8a, 0xb4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, + 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, + 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x8c, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x15, 0x64, + 0x00, 0x00, 0x18, 0xe0, 0x00, 0x00, 0x19, 0xf4, 0x00, 0x00, 0x1a, 0x7c, 0x00, 0x00, 0x1b, 0x04, 0x00, 0x00, 0x1b, 0x8c, + 0x00, 0x00, 0x1c, 0x14, 0x00, 0x00, 0x1c, 0x9c, 0x00, 0x00, 0x1d, 0x24, 0x00, 0x00, 0x1d, 0xac, 0x00, 0x00, 0x1e, 0x34, + 0x00, 0x00, 0x03, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x0b, + 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x15, 0xd0, 0x00, 0x00, 0x16, 0x44, + 0x00, 0x00, 0x16, 0xb4, 0x00, 0x00, 0x17, 0x24, 0x00, 0x00, 0x17, 0x94, 0x00, 0x00, 0x18, 0x04, 0x00, 0x00, 0x18, 0x74, + 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x17, 0x72, 0x65, 0x73, 0x74, + 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, + 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, + 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0x10, 0x34, 0x14, 0x76, + 0xa3, 0xc3, 0x9d, 0x60, 0x91, 0x3d, 0xda, 0x7c, 0x59, 0x37, 0xec, 0x91, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, + 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 
0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, + 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, + 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0x66, 0x4e, 0xf9, 0x51, 0xc5, 0xeb, 0x28, 0x0b, 0xca, 0x0c, 0x15, 0x2f, + 0x22, 0x80, 0x18, 0x7b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, + 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, + 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, + 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, + 0x88, 0x63, 0xaf, 0x56, 0xf7, 0x5a, 0x1f, 0xa9, 0xf0, 0x1f, 0x26, 0xc0, 0x6c, 0x8d, 0x8a, 0xb4, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, + 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, + 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0xce, 0x31, 0x50, 0xc1, 0x8c, 0xde, 0x4b, 0xa0, + 0xca, 0xfd, 0x36, 0x98, 0x33, 0x59, 0x99, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 
0x37, 0x31, + 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, + 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, + 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00, 0x14, + 0x73, 0x73, 0x67, 0x70, 0xea, 0xa1, 0xad, 0x3e, 0x49, 0xa8, 0x35, 0x7b, 0xce, 0x5d, 0x8c, 0xd6, 0xdf, 0x25, 0xe4, 0x2d, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, + 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, + 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0xc0, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x70, 0x70, + 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x7b, 0x38, 0x37, 0x31, + 0x39, 0x31, 0x63, 0x61, 0x32, 0x2d, 0x30, 0x66, 0x63, 0x39, 0x2d, 0x31, 0x31, 0x64, 0x34, 0x2d, 0x38, 0x34, 0x39, 0x61, + 0x2d, 0x30, 0x30, 0x30, 0x35, 0x30, 0x32, 0x62, 0x35, 0x32, 0x31, 0x32, 0x32, 0x7d, 0x00, 0x00, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x14, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x19, 0x30, + 0x00, 0x00, 0x19, 0x50, 0x00, 
0x00, 0x19, 0x6c, 0x00, 0x00, 0x19, 0x88, 0x00, 0x00, 0x19, 0xa4, 0x00, 0x00, 0x19, 0xc0, + 0x00, 0x00, 0x19, 0xdc, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x17, + 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0x10, 0x34, 0x14, 0x76, + 0xa3, 0xc3, 0x9d, 0x60, 0x91, 0x3d, 0xda, 0x7c, 0x59, 0x37, 0xec, 0x91, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, + 0x73, 0x73, 0x67, 0x70, 0x66, 0x4e, 0xf9, 0x51, 0xc5, 0xeb, 0x28, 0x0b, 0xca, 0x0c, 0x15, 0x2f, 0x22, 0x80, 0x18, 0x7b, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0x88, 0x63, 0xaf, 0x56, 0xf7, 0x5a, 0x1f, 0xa9, + 0xf0, 0x1f, 0x26, 0xc0, 0x6c, 0x8d, 0x8a, 0xb4, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, + 0xce, 0x31, 0x50, 0xc1, 0x8c, 0xde, 0x4b, 0xa0, 0xca, 0xfd, 0x36, 0x98, 0x33, 0x59, 0x99, 0x39, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x14, 0x73, 0x73, 0x67, 0x70, 0xea, 0xa1, 0xad, 0x3e, 0x49, 0xa8, 0x35, 0x7b, 0xce, 0x5d, 0x8c, 0xd6, + 0xdf, 0x25, 0xe4, 0x2d, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x70, 0x70, + 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x1a, 0x44, 0x00, 0x00, 0x1a, 0x4c, + 0x00, 0x00, 0x1a, 0x54, 0x00, 0x00, 0x1a, 0x5c, 0x00, 0x00, 0x1a, 0x64, 0x00, 0x00, 0x1a, 0x6c, 0x00, 0x00, 0x1a, 0x74, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x04, 0x00, 
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x1a, 0xcc, 0x00, 0x00, 0x1a, 0xd4, 0x00, 0x00, 0x1a, 0xdc, + 0x00, 0x00, 0x1a, 0xe4, 0x00, 0x00, 0x1a, 0xec, 0x00, 0x00, 0x1a, 0xf4, 0x00, 0x00, 0x1a, 0xfc, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, + 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x1b, 0x54, 0x00, 0x00, 0x1b, 0x5c, 0x00, 0x00, 0x1b, 0x64, 0x00, 0x00, 0x1b, 0x6c, + 0x00, 0x00, 0x1b, 0x74, 0x00, 0x00, 0x1b, 0x7c, 0x00, 0x00, 0x1b, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, + 
0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x07, + 0x00, 0x00, 0x1b, 0xdc, 0x00, 0x00, 0x1b, 0xe4, 0x00, 0x00, 0x1b, 0xec, 0x00, 0x00, 0x1b, 0xf4, 0x00, 0x00, 0x1b, 0xfc, + 0x00, 0x00, 0x1c, 0x04, 0x00, 0x00, 0x1c, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x1c, 0x64, + 0x00, 0x00, 0x1c, 0x6c, 0x00, 0x00, 0x1c, 0x74, 0x00, 0x00, 0x1c, 0x7c, 0x00, 0x00, 0x1c, 0x84, 0x00, 0x00, 0x1c, 0x8c, + 0x00, 0x00, 0x1c, 0x94, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x1c, 0xec, 0x00, 0x00, 0x1c, 0xf4, + 0x00, 0x00, 0x1c, 0xfc, 0x00, 0x00, 0x1d, 0x04, 0x00, 0x00, 0x1d, 0x0c, 0x00, 0x00, 0x1d, 0x14, 0x00, 0x00, 0x1d, 0x1c, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x1d, 0x74, 0x00, 0x00, 0x1d, 0x7c, 0x00, 0x00, 0x1d, 0x84, + 0x00, 0x00, 0x1d, 0x8c, 0x00, 0x00, 0x1d, 0x94, 0x00, 0x00, 0x1d, 0x9c, 0x00, 0x00, 0x1d, 0xa4, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x19, + 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x1d, 0xfc, 0x00, 0x00, 0x1e, 0x04, 0x00, 0x00, 0x1e, 0x0c, 0x00, 0x00, 0x1e, 0x14, + 0x00, 0x00, 0x1e, 0x1c, 0x00, 0x00, 0x1e, 0x24, 0x00, 0x00, 0x1e, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 
0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x88, + 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x07, + 0x00, 0x00, 0x1e, 0x84, 0x00, 0x00, 0x1e, 0x8c, 0x00, 0x00, 0x1e, 0x94, 0x00, 0x00, 0x1e, 0x9c, 0x00, 0x00, 0x1e, 0xa4, + 0x00, 0x00, 0x1e, 0xac, 0x00, 0x00, 0x1e, 0xb4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x05, 0xdc, 0x80, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x04, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x01, 0x20, 0x00, 0x00, 0x02, 0x38, 0x00, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, + 0x00, 0x00, 0x00, 0x95, 0x00, 0x00, 0x00, 0xa5, 0x00, 0x00, 0x00, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd5, 0x00, 0x00, 0x00, 0xe5, 0x00, 0x00, 0x00, 0xf5, + 0x73, 0x73, 0x67, 0x70, 0xea, 0xa1, 0xad, 0x3e, 0x49, 0xa8, 0x35, 0x7b, 0xce, 0x5d, 0x8c, 0xd6, 0xdf, 0x25, 0xe4, 0x2d, + 0x4a, 0x16, 0x48, 0x81, 0x4a, 0xfb, 0x22, 0x80, 0x56, 0xd0, 0x65, 0x2b, 0x3e, 0x11, 0x11, 0xe2, 0x12, 0x2b, 0xc6, 0x87, + 0xa1, 0xd0, 0x14, 
0x1e, 0x32, 0x30, 0x31, 0x36, 0x30, 0x34, 0x30, 0x38, 0x31, 0x38, 0x35, 0x31, 0x30, 0x36, 0x5a, 0x00, + 0x32, 0x30, 0x31, 0x36, 0x30, 0x34, 0x30, 0x38, 0x31, 0x38, 0x35, 0x31, 0x30, 0x36, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x16, 0x61, 0x6e, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20, 0x75, 0x73, 0x65, 0x66, 0x75, 0x6c, 0x20, 0x63, + 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, + 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x01, 0x18, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x00, 0x00, 0x00, 0x95, 0x00, 0x00, 0x00, 0xa5, 0x00, 0x00, 0x00, 0xa9, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc5, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe5, + 0x00, 0x00, 0x00, 0xf5, 0x00, 0x00, 0x01, 0x15, 0x73, 0x73, 0x67, 0x70, 0x10, 0x34, 0x14, 0x76, 0xa3, 0xc3, 0x9d, 0x60, + 0x91, 0x3d, 0xda, 0x7c, 0x59, 0x37, 0xec, 0x91, 0xfd, 0xc0, 0xab, 0x3b, 0xfc, 0x61, 0xe6, 0xd5, 0xdd, 0xcf, 0x26, 0x91, + 0xe5, 0xe9, 0xfb, 0x2c, 0xc0, 0x8d, 0xfe, 0x4c, 0x96, 0xf5, 0x08, 0x64, 0x32, 0x30, 0x31, 0x36, 0x30, 0x34, 0x30, 0x38, + 0x31, 0x38, 0x35, 0x31, 0x31, 0x37, 0x5a, 0x00, 0x32, 0x30, 0x31, 0x36, 0x30, 0x34, 0x30, 0x38, 0x31, 0x38, 0x35, 0x31, + 0x31, 0x37, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x61, 0x6e, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20, + 0x75, 0x73, 0x65, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 
0x65, 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, + 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x1c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x01, 0xf0, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x95, 0x00, 0x00, 0x00, 0x99, 0x00, 0x00, 0x00, 0x9d, 0x00, 0x00, 0x00, 0xa1, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb5, + 0x00, 0x00, 0x00, 0xc5, 0x00, 0x00, 0x00, 0xd9, 0x73, 0x73, 0x67, 0x70, 0x88, 0x63, 0xaf, 0x56, 0xf7, 0x5a, 0x1f, 0xa9, + 0xf0, 0x1f, 0x26, 0xc0, 0x6c, 0x8d, 0x8a, 0xb4, 0xdc, 0xaf, 0x18, 0xfa, 0xad, 0xad, 0x06, 0xf6, 0x32, 0x30, 0x31, 0x36, + 0x30, 0x34, 0x31, 0x31, 0x32, 0x31, 0x35, 0x31, 0x31, 0x35, 0x5a, 0x00, 0x32, 0x30, 0x31, 0x36, 0x30, 0x34, 0x31, 0x31, + 0x32, 0x31, 0x35, 0x31, 0x31, 0x35, 0x5a, 0x00, 0x61, 0x61, 0x70, 0x6c, 0x69, 0x70, 0x72, 0x66, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x00, 0x00, 0x00, 0x0b, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x20, 0x00, 0x00, 0x00, 0x00, 0x10, + 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x01, 0x11, + 0x73, 0x73, 0x75, 0x69, 0x00, 0x00, 0x00, 0x20, 0x87, 0x19, 0x1c, 0xa3, 0x0f, 0xc9, 0x11, 0xd4, 0x84, 0x9a, 0x00, 0x05, + 0x02, 0xb5, 0x21, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x06, + 0x64, 0x62, 0x6e, 0x6d, 0x00, 0x00, 0x00, 0x21, 0x7e, 0x2f, 0x4c, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x2f, 0x4b, 0x65, + 0x79, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x73, 0x2f, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x61, 0x73, 0x64, 0x66, 0x2d, 0x64, 0x62, + 0x00, 0x69, 0x74, 0x65, 0x6d, 0x00, 0x00, 0x00, 0xb8, 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xa0, 0x30, 0x81, 0x9d, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x74, + 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, + 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, + 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, + 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x04, 0x56, 0x81, 0x44, 0xc1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xb4, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x04, 0x3c, 0x00, 0x00, 0x04, 0xf0, 0x00, 0x00, 0x05, 0x5c, 0x00, 0x00, 0x00, 0xb4, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x61, 0x63, 0x63, 0x74, 0x73, 0x76, 0x63, 0x65, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x04, 0x70, 0x00, 0x00, 0x04, 0x94, 0x00, 0x00, 0x04, 0xc8, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 
0x6e, 0x74, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x1c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x24, + 0x00, 0x00, 0x00, 0x0b, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x20, 0x00, 0x00, 0x00, 0x00, 0x10, + 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x6c, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x05, 0x20, 0x00, 0x00, 0x05, 0x34, 0x00, 0x00, 0x05, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0b, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, + 0x6d, 0x65, 0x20, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x73, 0x76, 0x63, 0x65, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x05, 0x8c, 0x00, 0x00, 0x05, 0xa4, 0x00, 0x00, 0x05, 0xb8, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x10, + 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x20, + 0x00, 0x00, 0x00, 0x1c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 
0x63, 0x65, 0x5f, 0x72, 0x65, 0x73, + 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x00, 0x05, 0x2c, 0x80, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x02, 0x6c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x01, 0x58, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x01, 0x34, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x00, 0x00, 0x00, 0xa5, + 0x00, 0x00, 0x00, 0xb5, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xcd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xed, 0x00, 0x00, 0x00, 0xfd, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x21, + 0x00, 0x00, 0x01, 0x25, 0x00, 0x00, 0x01, 0x2d, 0x00, 0x00, 0x01, 0x31, 0x73, 0x73, 0x67, 0x70, 0x66, 0x4e, 0xf9, 0x51, + 0xc5, 0xeb, 0x28, 0x0b, 0xca, 0x0c, 0x15, 0x2f, 0x22, 0x80, 0x18, 0x7b, 0xce, 0x58, 0x3c, 0x63, 0xf0, 0xe1, 0x4b, 0xfc, + 0xee, 0x88, 0x20, 0xa4, 0xc4, 0x20, 0xc4, 0x8c, 0xaf, 0x9d, 0xe6, 0x89, 0x39, 0xe3, 0xcc, 0x27, 0x32, 0x30, 0x31, 0x36, + 0x30, 0x34, 0x30, 0x38, 0x31, 0x38, 0x34, 0x39, 0x33, 0x34, 0x5a, 0x00, 0x32, 0x30, 0x31, 0x36, 0x30, 0x34, 0x30, 0x38, + 0x31, 0x38, 0x34, 0x39, 0x33, 0x34, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x61, 0x20, 0x75, 0x73, + 0x65, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x1c, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, + 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, + 0x5f, 
0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, 0x68, 0x74, 0x70, 0x73, + 0x00, 0x00, 0x00, 0x04, 0x64, 0x66, 0x6c, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x95, 0x00, 0x00, 0x00, 0xa5, 0x00, 0x00, 0x00, 0xb5, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xcd, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xdd, 0x00, 0x00, 0x00, 0xed, + 0x00, 0x00, 0x00, 0xf1, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x05, 0x00, 0x00, 0x01, 0x0d, 0x00, 0x00, 0x01, 0x11, + 0x73, 0x73, 0x67, 0x70, 0xce, 0x31, 0x50, 0xc1, 0x8c, 0xde, 0x4b, 0xa0, 0xca, 0xfd, 0x36, 0x98, 0x33, 0x59, 0x99, 0x39, + 0x60, 0x88, 0xd4, 0xf3, 0x53, 0x7d, 0x89, 0x6e, 0xc1, 0x4f, 0xfd, 0x7b, 0x4b, 0x9d, 0x0d, 0xe0, 0xe9, 0xd6, 0x84, 0xdf, + 0x0f, 0x23, 0x90, 0x0b, 0x32, 0x30, 0x31, 0x36, 0x30, 0x34, 0x30, 0x38, 0x31, 0x38, 0x34, 0x39, 0x34, 0x33, 0x5a, 0x00, + 0x32, 0x30, 0x31, 0x36, 0x30, 0x34, 0x30, 0x38, 0x31, 0x38, 0x34, 0x39, 0x34, 0x33, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x10, 0x61, 0x20, 0x75, 0x73, 0x65, 0x66, 0x75, 0x6c, 0x20, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, + 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x0c, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x68, 0x74, 0x70, 0x73, 0x00, 0x00, 0x00, 0x04, + 0x64, 0x66, 0x6c, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xc0, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x02, 0x94, 0x00, 0x00, 0x03, 0x5c, 0x00, 
0x00, 0x03, 0xac, 0x00, 0x00, 0x03, 0xe4, 0x00, 0x00, 0x04, 0x44, + 0x00, 0x00, 0x04, 0x7c, 0x00, 0x00, 0x04, 0xbc, 0x00, 0x00, 0x04, 0xf4, 0x00, 0x00, 0x00, 0xc8, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x61, 0x63, 0x63, 0x74, 0x73, 0x64, 0x6d, 0x6e, 0x73, 0x72, 0x76, 0x72, + 0x70, 0x74, 0x63, 0x6c, 0x61, 0x74, 0x79, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x70, 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x02, 0xd4, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x38, + 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x68, 0x74, 0x70, 0x73, + 0x00, 0x00, 0x00, 0x04, 0x64, 0x66, 0x6c, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, + 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x1c, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x72, 0x65, 0x73, + 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x61, 0x63, 0x6c, 0x68, 0x74, 0x70, 0x73, 0x00, 0x00, 0x00, 0x04, + 0x64, 0x66, 0x6c, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x03, 0x84, + 0x00, 0x00, 0x03, 0x98, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, + 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x09, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x73, 0x64, 0x6d, 0x6e, 0x00, 0x00, 0x00, 0x02, 0x00, 
0x00, 0x03, 0xd4, + 0x00, 0x00, 0x03, 0xdc, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x73, 0x72, 0x76, 0x72, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04, 0x0c, 0x00, 0x00, 0x04, 0x20, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x1c, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x76, 0x65, + 0x5f, 0x61, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x70, 0x74, 0x63, 0x6c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04, 0x6c, 0x00, 0x00, 0x04, 0x74, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x68, 0x74, 0x70, 0x73, 0x00, 0x00, 0x00, 0x04, 0x68, 0x74, 0x70, 0x73, + 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x61, 0x74, 0x79, 0x70, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04, 0xa4, 0x00, 0x00, 0x04, 0xb0, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x04, 0x64, 0x66, 0x6c, 0x74, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x04, + 0x64, 0x66, 0x6c, 0x74, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x70, 0x6f, 0x72, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04, 0xe4, 0x00, 0x00, 0x04, 0xec, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x70, 0x61, 0x74, 0x68, + 0x00, 0x00, 0x00, 0x02, 
0x00, 0x00, 0x05, 0x1c, 0x00, 0x00, 0x05, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, + 0x80, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x1d, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x3c, + 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0xa8, 0x00, 0x00, 0x00, 0x24, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x61, 0x63, 0x63, 0x74, 0x76, 0x6c, 0x6d, 0x65, + 0x61, 0x64, 0x64, 0x72, 0x73, 0x73, 0x69, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x05, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x61, 0x63, 0x63, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, + 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x76, 0x6c, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x61, 0x64, 0x64, 0x72, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x73, 0x73, 0x69, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1b, 0x1c, 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x12, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x28, + 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x0b, 0xd8, 0x00, 0x00, 0x05, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x45, 0x00, 0x00, 0x04, 0x49, + 0x00, 0x00, 0x04, 0x4d, 0x00, 0x00, 0x04, 0x5d, 0x00, 0x00, 0x04, 0x71, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x05, 0xb9, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0xc1, 0x30, 0x82, 0x04, 0x01, 
0x30, 0x82, 0x02, 0xe9, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x04, 0x56, 0x81, 0x44, 0xc1, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x30, 0x81, 0x9d, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x74, 0x65, 0x73, 0x74, + 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, + 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, + 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, + 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, + 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, + 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x30, 0x38, 0x31, 0x38, 0x35, 0x35, 0x33, 0x32, 0x5a, 0x17, + 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x36, 0x31, 0x38, 0x35, 0x35, 0x33, 0x32, 0x5a, 0x30, 0x81, 0x9d, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, + 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 
+ 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, + 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, + 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb3, 0xaa, 0xa8, 0x77, 0xe7, 0x3e, 0x2d, 0x0c, 0xf4, 0x83, 0x55, 0xc2, 0x9e, + 0x50, 0x10, 0xc9, 0xef, 0xc8, 0x48, 0x38, 0xe4, 0x43, 0x96, 0xfa, 0x93, 0x32, 0xbf, 0x66, 0xad, 0x84, 0xa2, 0x8b, 0x6b, + 0x07, 0x8c, 0xc6, 0x93, 0x8c, 0x4d, 0x65, 0x0f, 0xad, 0x76, 0x73, 0x0c, 0x4d, 0x43, 0xee, 0x35, 0xd4, 0x68, 0x4a, 0x9a, + 0x6d, 0x4d, 0xa5, 0xae, 0x66, 0xcf, 0xfb, 0xbb, 0x93, 0xd3, 0x6a, 0xe3, 0xfc, 0x41, 0x97, 0xae, 0x90, 0xc3, 0xd8, 0x83, + 0xfb, 0x8d, 0x67, 0x84, 0xc1, 0xd5, 0x7d, 0x1d, 0x12, 0xca, 0x0c, 0xb5, 0xae, 0xf0, 0xe3, 0x36, 0x39, 0xf1, 0x68, 0x92, + 0x6f, 0xda, 0x2d, 0x48, 0x87, 0xf0, 0x4b, 0x15, 0x4e, 0x4f, 0x7a, 0x3a, 0x16, 0xb9, 0x02, 0x89, 0x95, 0x98, 0xab, 0xb2, + 0x58, 0x5b, 0x31, 0x7f, 0x49, 0x90, 0x48, 0xfd, 0x8d, 0x8a, 0x37, 0x3a, 0x4e, 0xd8, 0x00, 0x4a, 0xdc, 0xd4, 0x02, 0x9f, + 0xcd, 0x4b, 0xde, 0x75, 0x4a, 0xb2, 0x27, 0x8e, 0xe6, 0x2d, 0xea, 0x35, 0x89, 0x85, 0x8a, 0x37, 0x59, 0xd6, 0xd1, 0xf8, + 0x36, 0x7c, 0x93, 0x9e, 0xd6, 0xd1, 0xc3, 0xd9, 0x75, 0xa4, 0x4f, 0x40, 0x24, 0xe9, 0xc0, 0xde, 0xeb, 0xc0, 0x5e, 0xd6, + 0x04, 0xe1, 0xd0, 0x07, 0x29, 0xc1, 0x9d, 0x6f, 0x78, 0x2d, 0x5a, 0xef, 0xe6, 0xff, 0x25, 0x16, 0xcf, 0x60, 0x77, 0xa2, + 0x10, 0x2b, 0xa4, 0x2a, 0xff, 0x74, 0x3b, 0xe6, 0x4d, 0xc1, 0x13, 0xba, 0x8b, 0xe8, 0x15, 0x8e, 0xc7, 0xc3, 0xd4, 0x31, + 0xb0, 0x99, 0x51, 0x32, 0x30, 0x03, 0x0b, 0x1c, 0xa0, 0x0a, 0x17, 0x15, 0x34, 0x57, 0x38, 0xd3, 0x08, 0x13, 0xc4, 0xd6, + 0x7c, 0x24, 0x16, 0xd0, 0x2f, 0x00, 0x88, 
0xd7, 0xd9, 0xca, 0x1e, 0x6b, 0x50, 0x3b, 0x5f, 0xb6, 0x08, 0xb1, 0x29, 0x42, + 0x70, 0xf1, 0x89, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x47, 0x30, 0x45, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, + 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, + 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, + 0x14, 0x30, 0x12, 0x81, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, + 0x6d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, + 0x00, 0x00, 0xa3, 0x3e, 0x5c, 0x33, 0x06, 0x0b, 0x74, 0xf7, 0x59, 0x56, 0x2e, 0x26, 0x18, 0xe0, 0x59, 0xc9, 0x20, 0x9d, + 0xaa, 0xf2, 0xfb, 0xa0, 0xf8, 0x11, 0x00, 0x71, 0x53, 0x3d, 0xfa, 0xdc, 0xe9, 0x12, 0x4c, 0x8a, 0xa1, 0x1c, 0x7c, 0xb3, + 0x4b, 0xa5, 0xa0, 0xfa, 0x03, 0xc5, 0x82, 0x1c, 0xab, 0x44, 0xf6, 0xcb, 0x59, 0x4b, 0x80, 0xeb, 0xc0, 0xa8, 0x0e, 0xc6, + 0x93, 0xea, 0xbf, 0x67, 0x41, 0xa9, 0x64, 0xcb, 0xb4, 0x3e, 0xf7, 0x64, 0xcf, 0x4c, 0xef, 0x24, 0x62, 0x73, 0x2d, 0xed, + 0xb4, 0xec, 0x30, 0x97, 0x91, 0x9f, 0x18, 0xe9, 0x12, 0x93, 0x18, 0x83, 0x70, 0xb0, 0xc4, 0x35, 0x33, 0x67, 0x17, 0xb0, + 0x8b, 0xbe, 0x45, 0xde, 0x98, 0x23, 0xf2, 0x02, 0x77, 0x79, 0x55, 0x53, 0xc4, 0xd7, 0x67, 0x81, 0xde, 0xa1, 0x3f, 0x63, + 0xb5, 0x87, 0xb6, 0x20, 0x8d, 0x4f, 0x5e, 0x7e, 0x27, 0x30, 0x99, 0xe0, 0xff, 0x91, 0x8b, 0x00, 0x8d, 0x7d, 0xe5, 0x57, + 0x57, 0xd8, 0xd9, 0x7d, 0x6f, 0xc6, 0xb8, 0x6f, 0x84, 0xed, 0x84, 0x9d, 0xd9, 0xac, 0x13, 0xd8, 0x4a, 0x96, 0x55, 0x2d, + 0x8e, 0x21, 0x11, 0xc9, 0xa4, 0x81, 0x10, 0x7a, 0x0a, 0x15, 0xce, 0x99, 0x98, 0x09, 0xdd, 0xec, 0x8d, 0x1b, 0xfb, 0x17, + 0x55, 0x03, 0xa6, 0x44, 0xb5, 0xc9, 0xa9, 0x1f, 0x52, 0xd7, 0x35, 0x06, 0x8d, 0x0a, 0x5a, 0x01, 0x2a, 0xb0, 0xd2, 0x0c, + 0xfa, 0xd9, 0x66, 0xfa, 0x35, 0x6e, 0xa0, 0xbc, 0x21, 0xe4, 0xe1, 0xe0, 0x3c, 0x3b, 0x7a, 
0xef, 0x7d, 0xe1, 0x34, 0x2e, + 0xe3, 0x9c, 0xc0, 0xa9, 0x4c, 0x16, 0xab, 0x00, 0x60, 0xe0, 0x44, 0xeb, 0x62, 0xcc, 0x1d, 0x27, 0x84, 0x0f, 0x33, 0x37, + 0x9d, 0xc5, 0xc4, 0xa1, 0xd3, 0xe8, 0x38, 0xff, 0xf2, 0xdf, 0xcd, 0x7c, 0xbb, 0xc3, 0xa1, 0xae, 0x4d, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0a, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, + 0x6d, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0xa0, 0x30, 0x81, 0x9d, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x0a, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, + 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, + 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, + 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, + 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0xa0, 0x30, 0x81, 0x9d, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, + 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x50, + 0x4d, 0x45, 
0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, + 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, + 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x04, 0x56, 0x81, 0x44, 0xc1, + 0x00, 0x00, 0x00, 0x14, 0xc9, 0x58, 0x3f, 0x54, 0xf7, 0x9c, 0x21, 0xee, 0x29, 0x26, 0x07, 0x8d, 0x1b, 0xb4, 0x93, 0xc4, + 0x3e, 0xfd, 0x6a, 0x65, 0x00, 0x00, 0x05, 0xd8, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x03, 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x31, 0x00, 0x00, 0x04, 0x35, 0x00, 0x00, 0x04, 0x39, + 0x00, 0x00, 0x04, 0x4d, 0x00, 0x00, 0x04, 0x61, 0x00, 0x00, 0x05, 0x0d, 0x00, 0x00, 0x05, 0xb9, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x05, 0xc1, 0x30, 0x82, 0x03, 0xee, 0x30, 0x82, 0x02, 0xd6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x06, + 0xe0, 0x2a, 0x1d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, + 0xa2, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, + 0x65, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, + 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x17, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, + 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 
0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, + 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x30, 0x38, 0x31, 0x38, 0x35, 0x36, 0x34, 0x36, 0x5a, + 0x17, 0x0d, 0x32, 0x36, 0x30, 0x34, 0x30, 0x36, 0x31, 0x38, 0x35, 0x36, 0x34, 0x36, 0x5a, 0x30, 0x81, 0xa2, 0x31, 0x19, + 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, + 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, + 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x17, 0x46, 0x4f, + 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, + 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, + 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb6, 0x07, 0xac, 0x5c, 0xc6, 0xcb, 0xf0, + 0xb7, 0x97, 0x0d, 0x43, 0x1a, 0xe9, 0x61, 0xe7, 0x34, 0x63, 0x6a, 0x26, 0x0d, 0x77, 0xba, 0x25, 0xaa, 0xc8, 0x46, 0xf8, + 0xc9, 0xdd, 0x21, 0xb4, 0x3e, 0x2e, 0x11, 0x8e, 0xb6, 0x72, 0xf2, 0x01, 0x16, 0x07, 0xcf, 0x88, 0x91, 0xc4, 
0xc0, 0x48, + 0x64, 0x41, 0x91, 0xf7, 0x63, 0x72, 0xd5, 0x37, 0xef, 0x37, 0x62, 0xed, 0x33, 0xb3, 0xf9, 0x6e, 0x31, 0xd1, 0x68, 0xe7, + 0xde, 0x62, 0x9f, 0x82, 0xb8, 0x9e, 0x11, 0xe7, 0x66, 0x91, 0xc1, 0xbe, 0xe5, 0x5c, 0xd6, 0x71, 0x83, 0x91, 0xbc, 0x0f, + 0xa8, 0x06, 0xc3, 0xe9, 0xb6, 0x76, 0x16, 0xae, 0x69, 0x0a, 0x47, 0xe4, 0x65, 0xaa, 0x13, 0x71, 0x48, 0xb3, 0x5c, 0x25, + 0xa5, 0x1a, 0xd0, 0x2a, 0x57, 0x57, 0xf9, 0xb7, 0x13, 0xbd, 0xf4, 0x13, 0x5a, 0x11, 0x1b, 0xcc, 0xd8, 0x9a, 0x5f, 0x82, + 0x3f, 0xa7, 0x6b, 0x64, 0x47, 0x54, 0xb6, 0x81, 0xaf, 0xcb, 0x4b, 0x94, 0x39, 0x65, 0x15, 0xba, 0x6a, 0x02, 0x7c, 0x71, + 0x30, 0x60, 0x21, 0x12, 0x63, 0x28, 0xe0, 0x85, 0xca, 0xcc, 0x07, 0xb1, 0x13, 0x40, 0x19, 0x72, 0x02, 0x35, 0x0e, 0x2d, + 0x4b, 0x8a, 0xcd, 0x1d, 0x09, 0x65, 0xb0, 0x81, 0x49, 0xea, 0x70, 0x15, 0x92, 0x19, 0x7b, 0xfe, 0x15, 0xf7, 0x4a, 0x3f, + 0x1e, 0x3c, 0x63, 0x7a, 0x0f, 0x17, 0x32, 0x1a, 0xb7, 0x26, 0xa1, 0xa0, 0x9b, 0x3f, 0x4e, 0x7c, 0x38, 0xe6, 0x27, 0xbf, + 0xa8, 0x1b, 0xf7, 0xbd, 0x2d, 0xfd, 0x9b, 0x05, 0x0c, 0xaa, 0x81, 0xb8, 0x09, 0xd4, 0xe2, 0xe3, 0xbd, 0x6c, 0x70, 0xc0, + 0x7e, 0x95, 0xd4, 0x0b, 0x13, 0xab, 0xb8, 0xdd, 0x3d, 0x4c, 0x59, 0xf0, 0xc7, 0x8e, 0x47, 0xb5, 0xd8, 0x31, 0x78, 0x80, + 0xd2, 0x5f, 0x0c, 0x0b, 0xae, 0x22, 0xe7, 0x9e, 0xd3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x2a, 0x30, 0x28, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, + 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xaf, 0xe3, + 0x41, 0xaa, 0x63, 0xdc, 0x3e, 0xd1, 0x46, 0x1e, 0x7a, 0x09, 0x04, 0x4a, 0xfd, 0x54, 0xc7, 0xd9, 0x25, 0x2f, 0xce, 0x8e, + 0x5d, 0x34, 0x96, 0x04, 0x67, 0xbc, 0x6f, 0xb6, 0x99, 0x35, 0xc2, 0x16, 0x1c, 0x2a, 0xc3, 0x5f, 0xdf, 0x6e, 0xe2, 0xe4, + 0x2e, 0xbb, 0x64, 0x1c, 0x0a, 
0xff, 0x62, 0x79, 0x70, 0x7c, 0xc6, 0x8e, 0xd9, 0x95, 0xb6, 0x8a, 0x3d, 0xf6, 0xdd, 0x79, + 0x1c, 0xeb, 0x73, 0x05, 0x2f, 0x7e, 0x38, 0xb8, 0x9c, 0xfc, 0x06, 0x8f, 0x5f, 0xd7, 0xec, 0xd3, 0x23, 0xae, 0x75, 0x0f, + 0x8e, 0x70, 0xb2, 0xd8, 0x88, 0xa0, 0x4f, 0x53, 0x0a, 0xcc, 0xee, 0x18, 0xf2, 0x5b, 0xf8, 0xe1, 0x22, 0x6b, 0xeb, 0x4d, + 0x9d, 0x2a, 0xa1, 0x46, 0xf4, 0xc7, 0x99, 0x26, 0x5b, 0xaf, 0x92, 0x54, 0x72, 0xe7, 0xea, 0x49, 0x34, 0x98, 0x8d, 0x93, + 0x18, 0xc5, 0x6e, 0x79, 0x79, 0xb3, 0x63, 0x76, 0xf7, 0x84, 0x49, 0x06, 0x58, 0x14, 0x1a, 0x86, 0xbd, 0xe5, 0x5a, 0xf8, + 0x81, 0x06, 0x15, 0x0c, 0xf7, 0x57, 0x4e, 0xeb, 0xbe, 0xc9, 0xe6, 0x09, 0xa3, 0x1d, 0xcc, 0xc6, 0x08, 0xbc, 0x71, 0x4b, + 0x62, 0x1a, 0xec, 0xdd, 0xad, 0xe3, 0x00, 0xd9, 0xf3, 0x98, 0x94, 0x75, 0xb5, 0xc2, 0x64, 0xec, 0xec, 0xe1, 0x88, 0x5b, + 0x24, 0xd6, 0xa2, 0x27, 0x86, 0x10, 0xc4, 0xfc, 0xf7, 0x8d, 0x79, 0x95, 0x20, 0x3e, 0xc5, 0x7a, 0xdc, 0x57, 0xc8, 0x2e, + 0x78, 0x63, 0xd5, 0x09, 0xc3, 0xa9, 0xa4, 0xd9, 0x83, 0x99, 0xbe, 0x17, 0xdc, 0x22, 0x85, 0x98, 0x0b, 0xe1, 0xf6, 0x67, + 0x47, 0xf7, 0x1d, 0xed, 0x40, 0xe4, 0x5c, 0x5e, 0x58, 0xf1, 0x27, 0x5b, 0xe2, 0x7b, 0xb0, 0xf5, 0xbf, 0x37, 0xc3, 0xe2, + 0x73, 0xa8, 0xd6, 0xf1, 0x42, 0xb2, 0x56, 0x90, 0x00, 0xa4, 0x35, 0x4a, 0x5a, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, + 0x6e, 0x69, 0x6e, 0x67, 0x00, 0x00, 0x00, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0xa5, 0x30, 0x81, 0xa2, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x17, 0x46, 0x4f, 
0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, + 0x4f, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, + 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, + 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa5, + 0x30, 0x81, 0xa2, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, + 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x0c, 0x17, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, + 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, + 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x06, 0xe0, 0x2a, 0x1d, 0x00, 0x00, 0x00, 0x14, + 0xc7, 0xc5, 0x36, 0xbc, 0xce, 0x8e, 0x86, 0xa8, 0x02, 0x33, 0x38, 0xb5, 0x23, 0xb6, 0xef, 0x97, 0x20, 0x1e, 0x00, 0x7c, + 0x00, 0x00, 0x06, 0x5c, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x41, + 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x81, 0x00, 0x00, 0x04, 0x85, 0x00, 0x00, 0x04, 0x89, 0x00, 0x00, 0x04, 0xa5, + 0x00, 0x00, 0x04, 0xc5, 0x00, 0x00, 0x05, 0x81, 0x00, 0x00, 0x06, 0x3d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x45, + 0x30, 0x82, 0x04, 0x3d, 0x30, 0x82, 0x03, 0x25, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x00, 0xfb, 0xff, 0xa8, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0xb5, 0x31, 0x1f, 0x30, + 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x5f, 0x63, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, + 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, + 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x1c, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x5f, 0x63, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, + 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x31, 0x32, 0x32, 0x34, 0x30, 0x32, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x36, 0x30, + 0x34, 0x30, 0x39, 0x32, 0x32, 0x34, 0x30, 0x32, 0x36, 0x5a, 0x30, 0x81, 0xb5, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x0c, 0x16, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x31, 0x14, 
0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, + 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, + 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, + 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, + 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x1c, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3, 0xe8, 0xe0, 0x34, 0xff, 0x63, 0x08, 0xce, 0x36, 0x82, 0x02, 0xe7, 0x91, + 0x0b, 0x73, 0x84, 0xb9, 0xad, 0xd8, 0x79, 0x92, 0x34, 0x20, 0x96, 0xd1, 0x3a, 0xc7, 0x7f, 0x19, 0xd7, 0xcf, 0x9f, 0xab, + 0x2b, 0xc0, 0x0c, 0xe1, 0xf6, 0x0e, 0x9e, 0x9f, 0x73, 0x42, 0x95, 0xf1, 0x2c, 0x63, 0xff, 0x3f, 0x31, 0xb1, 0xe3, 0x24, + 0x1a, 0x75, 0x7d, 0x50, 0x2c, 0x23, 0x59, 0x53, 0x2c, 0xab, 0xaf, 0xd7, 0x5c, 0xf1, 0x27, 0xd2, 0xe9, 0xf5, 0x8f, 0x76, + 0xc4, 0x96, 0x74, 0x3c, 0xda, 0x65, 0xd4, 0x9e, 0xde, 0x33, 0x25, 0x5d, 0xed, 0x04, 0x94, 0x2c, 0xb5, 0x18, 0xeb, 0x64, + 0x8e, 0xf4, 0xd4, 0xe0, 0xb6, 0xfc, 0xcc, 0xd7, 0xfb, 0x90, 0x9c, 0xc1, 0xe6, 0x09, 0xb9, 0x8c, 0xc9, 0xba, 0x91, 0x4d, + 0x63, 0x5f, 0xa1, 0x75, 0x13, 0x11, 0x7d, 0x13, 0xa9, 0x2c, 0x07, 0xbd, 0xcb, 0x5d, 0xc5, 0xb0, 0x4f, 0xed, 0x95, 0xc6, + 0x8c, 0xe9, 0x78, 0xa2, 0xa5, 0x42, 0x15, 0x5a, 0xd0, 0x9c, 0x9c, 0x85, 0x85, 0x6e, 0x50, 0xae, 
0x19, 0xd5, 0x91, 0x13, + 0x62, 0x96, 0xd9, 0x4a, 0x47, 0xe3, 0xfe, 0x8f, 0x7d, 0x47, 0xbd, 0xbe, 0xaa, 0x37, 0x64, 0xe3, 0xf0, 0xa3, 0xa4, 0xd0, + 0xef, 0xef, 0x2a, 0xa7, 0x45, 0xbf, 0x21, 0x79, 0xb8, 0x5c, 0x04, 0x8a, 0x2f, 0x7b, 0xe0, 0xe2, 0x32, 0x58, 0x75, 0xec, + 0xec, 0x2f, 0x78, 0xa5, 0x9a, 0x7b, 0xa3, 0x3c, 0xf6, 0x67, 0x00, 0x83, 0xe5, 0x77, 0x1d, 0x2b, 0xdd, 0x74, 0xd0, 0x45, + 0xcf, 0xa4, 0x0c, 0xf2, 0xe2, 0x60, 0xa8, 0x70, 0x87, 0x05, 0x0b, 0x7c, 0xef, 0x88, 0x09, 0x23, 0x15, 0xdf, 0xdb, 0x9f, + 0xc2, 0x80, 0x1f, 0x0a, 0x12, 0xcb, 0x00, 0xa4, 0x8a, 0x77, 0xa7, 0x54, 0x8f, 0xcb, 0x91, 0xbb, 0x55, 0x52, 0x51, 0x8f, + 0xca, 0xf6, 0x01, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, + 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, + 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x30, 0x27, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, + 0x20, 0x30, 0x1e, 0x81, 0x1c, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8c, 0x44, 0x70, 0xda, 0xd9, 0x65, 0x52, + 0xfd, 0x46, 0x0e, 0xab, 0xbb, 0xb5, 0x1c, 0x46, 0x0a, 0xcb, 0x3d, 0xc3, 0x71, 0x79, 0xa8, 0x5f, 0x3b, 0x45, 0x49, 0x29, + 0x0c, 0xf5, 0x69, 0xb4, 0x27, 0x4d, 0x79, 0xad, 0xa9, 0x93, 0x11, 0x7b, 0xad, 0x45, 0xc6, 0x49, 0x54, 0x8b, 0x5d, 0x5f, + 0xcc, 0x9d, 0xd9, 0xe4, 0x8f, 0xff, 0x21, 0x0f, 0x7a, 0x40, 0xf2, 0xd6, 0xce, 0xe1, 0x97, 0x5f, 0x7d, 0x9c, 0x76, 0x22, + 0x73, 0x30, 0x3b, 0xb4, 0x5b, 0xa0, 0x07, 0x70, 0x96, 0x97, 0x84, 0xe1, 0x47, 0x5b, 0x3e, 0xd2, 0xed, 0x3f, 0xca, 0x97, + 0x3a, 0x33, 0x52, 0xb8, 0x22, 0x89, 0xe2, 0x2e, 0x61, 0x5e, 0x20, 0x1a, 0xf9, 0x4f, 0x9a, 0x18, 0xde, 0xf3, 0x8e, 0x11, + 0x3b, 0x19, 0x09, 
0xce, 0x8e, 0xb9, 0x28, 0x5f, 0x64, 0x54, 0xc1, 0x33, 0x19, 0x68, 0x96, 0x54, 0x53, 0x84, 0xb6, 0xf2, + 0xdb, 0xb3, 0x6b, 0xca, 0x36, 0x08, 0xb1, 0xa3, 0x0d, 0x19, 0x4e, 0xac, 0x17, 0x25, 0x96, 0x0d, 0x4c, 0x9e, 0xc5, 0xa0, + 0xcc, 0xe4, 0x52, 0x98, 0x1c, 0xcf, 0x0a, 0x77, 0x91, 0xf2, 0xc8, 0xae, 0x8c, 0x1c, 0x1d, 0xae, 0x79, 0xf6, 0x0c, 0x65, + 0xf0, 0xb4, 0xdd, 0x0c, 0x6f, 0x35, 0x12, 0x93, 0xb7, 0x20, 0xd1, 0x29, 0xa3, 0x40, 0xb5, 0x66, 0x67, 0x69, 0xdd, 0x97, + 0xcf, 0x48, 0x9f, 0xe9, 0x00, 0x33, 0x0e, 0x8e, 0xae, 0xc6, 0x40, 0xe3, 0x40, 0xdb, 0xab, 0x8b, 0x1e, 0x34, 0xbb, 0x0b, + 0xb7, 0x42, 0xd4, 0x0d, 0x9e, 0x86, 0x99, 0x3c, 0xbd, 0x34, 0xc5, 0xba, 0xac, 0x03, 0x8b, 0xcd, 0xa3, 0xee, 0x36, 0x52, + 0x28, 0x59, 0x7a, 0x29, 0xd7, 0x1f, 0xa1, 0x18, 0xc5, 0xba, 0x7a, 0xc4, 0xf0, 0x67, 0x4a, 0x61, 0x5c, 0x83, 0xad, 0x6c, + 0x89, 0x0b, 0xdd, 0x40, 0xf8, 0xfd, 0x8c, 0xce, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x00, 0x16, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x5f, 0x63, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x00, 0x00, 0x00, 0xb8, 0x30, 0x81, 0xb5, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x74, 0x65, + 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, + 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, + 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 
0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, + 0x69, 0x6e, 0x6f, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x1c, + 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0xb8, 0x30, 0x81, 0xb5, 0x31, 0x1f, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x5f, 0x63, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, + 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, + 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, + 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, + 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x1c, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x04, + 0x00, 0xfb, 0xff, 0xa8, 0x00, 0x00, 0x00, 0x14, 0xd7, 0x58, 0x0b, 0xdf, 0xe7, 0x97, 0x49, 0x7e, 0xd7, 0x44, 0x80, 0x01, + 0xf5, 0xf3, 0x7f, 0xf6, 0x1d, 0x5c, 0x24, 0x16, 0x00, 0x00, 0x08, 0xe8, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x12, 0x5c, + 0x00, 0x00, 0x14, 0xd0, 0x00, 0x00, 0x15, 0x18, 0x00, 0x00, 0x15, 0x9c, 0x00, 0x00, 0x17, 0xe4, 0x00, 0x00, 0x1a, 
0x2c, + 0x00, 0x00, 0x1a, 0x80, 0x00, 0x00, 0x1a, 0x98, 0x00, 0x00, 0x02, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x03, 0x63, 0x74, 0x79, 0x70, 0x69, 0x73, 0x73, 0x75, 0x73, 0x6e, 0x62, 0x72, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x12, 0x94, 0x00, 0x00, 0x13, 0x48, 0x00, 0x00, 0x14, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xb0, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xa0, 0x30, 0x81, 0x9d, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, + 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, + 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, + 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, + 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x04, + 0x56, 0x81, 0x44, 0xc1, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xa5, 0x30, 0x81, 0xa2, 0x31, + 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, + 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, + 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x17, 0x46, + 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 
0x45, 0x4c, 0x4f, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, + 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, + 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, + 0x6d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x06, 0xe0, 0x2a, 0x1d, 0x00, 0x00, 0x00, 0xc8, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0xb8, 0x30, 0x81, 0xb5, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x74, 0x65, + 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, + 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, + 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, + 0x69, 0x6e, 0x6f, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x1c, + 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x04, 0x00, 0xfb, 0xff, 0xa8, 0x00, 0x00, 0x00, 0x48, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x63, 0x74, 
0x79, 0x70, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x15, 0x08, 0x00, 0x00, 0x15, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x84, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x61, 0x6c, 0x69, 0x73, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x15, 0x48, 0x00, 0x00, 0x15, 0x60, + 0x00, 0x00, 0x15, 0x78, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x14, + 0x00, 0x00, 0x00, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x1c, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x5f, 0x63, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x00, 0x00, 0x02, 0x48, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x73, 0x75, 0x62, 0x6a, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x15, 0xcc, 0x00, 0x00, 0x16, 0x74, 0x00, 0x00, 0x17, 0x24, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa0, 0x30, 0x81, 0x9d, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, + 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, + 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, + 0x09, 
0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, + 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, + 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0xac, + 0x00, 0x00, 0x00, 0xa5, 0x30, 0x81, 0xa2, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x74, 0x65, + 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, + 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x20, 0x30, 0x1e, + 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x17, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x4d, 0x45, 0x4e, + 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbc, 0x00, 0x00, 0x00, 0xb8, + 0x30, 0x81, 0xb5, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, + 0x6d, 0x69, 0x6d, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x31, 0x14, 0x30, 0x12, + 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, + 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 
0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x50, + 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, + 0x2b, 0x30, 0x29, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x1c, 0x6e, 0x6f, 0x62, 0x6f, + 0x64, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x02, 0x48, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x69, 0x73, 0x73, 0x75, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x18, 0x14, 0x00, 0x00, 0x18, 0xbc, 0x00, 0x00, 0x19, 0x6c, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa0, + 0x30, 0x81, 0x9d, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0a, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x73, + 0x6d, 0x69, 0x6d, 0x65, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, + 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, + 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, + 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, + 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 
0x63, 0x6f, 0x6d, + 0x00, 0x00, 0x00, 0xac, 0x00, 0x00, 0x00, 0xa5, 0x30, 0x81, 0xa2, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x10, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x17, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, 0x45, 0x4c, + 0x4f, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, + 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x6e, 0x6f, 0x62, + 0x6f, 0x64, 0x79, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbc, + 0x00, 0x00, 0x00, 0xb8, 0x30, 0x81, 0xb5, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x16, 0x74, 0x65, + 0x73, 0x74, 0x5f, 0x73, 0x6d, 0x69, 0x6d, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, + 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x18, 0x46, 0x4f, 0x52, 0x20, 0x44, 0x45, 0x56, + 0x45, 0x4c, 0x4f, 0x50, 0x4d, 0x45, 0x4e, 0x54, 0x20, 0x55, 0x53, 0x45, 0x20, 0x4f, 0x4e, 0x4c, 0x59, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x43, 0x41, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, + 0x69, 0x6e, 0x6f, 0x31, 
0x2b, 0x30, 0x29, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x1c, + 0x6e, 0x6f, 0x62, 0x6f, 0x64, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x73, 0x6e, 0x62, 0x72, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x1a, 0x5c, 0x00, 0x00, 0x1a, 0x68, + 0x00, 0x00, 0x1a, 0x74, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + 0x00, 0x00, 0x00, 0x04, 0x00, 0xfb, 0xff, 0xa8, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x04, 0x06, 0xe0, 0x2a, 0x1d, + 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x04, 0x56, 0x81, 0x44, 0xc1, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x73, 0x6b, 0x69, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x84, + 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x68, 0x70, 0x6b, 0x79, 0x00, 0x00, 0x00, 0x03, + 0x00, 0x00, 0x1a, 0xc8, 0x00, 0x00, 0x1a, 0xe4, 0x00, 0x00, 0x1b, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, 0xc7, 0xc5, 0x36, 0xbc, 0xce, 0x8e, 0x86, 0xa8, + 0x02, 0x33, 0x38, 0xb5, 0x23, 0xb6, 0xef, 0x97, 0x20, 0x1e, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, + 0xc9, 0x58, 0x3f, 0x54, 0xf7, 0x9c, 0x21, 0xee, 0x29, 0x26, 0x07, 0x8d, 0x1b, 0xb4, 0x93, 0xc4, 0x3e, 0xfd, 0x6a, 0x65, + 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x14, 0xd7, 0x58, 0x0b, 0xdf, 0xe7, 0x97, 0x49, 0x7e, 0xd7, 0x44, 0x80, 0x01, + 0xf5, 0xf3, 0x7f, 0xf6, 0x1d, 0x5c, 0x24, 0x16, 0x00, 0x00, 0x00, 0xe8, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, + 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 
0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xa8, + 0x00, 0x00, 0x00, 0x00, 0xfa, 0xde, 0x07, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0xa8, + 0x52, 0xba, 0xd6, 0xe8, 0x80, 0xd9, 0x0e, 0xbb, 0x2e, 0x64, 0x65, 0xce, 0xcd, 0xe6, 0xa9, 0x71, 0x00, 0x00, 0x00, 0x00, + 0x7f, 0xff, 0xff, 0xff, 0x00, 0x7f, 0x00, 0x00, 0x58, 0xcc, 0x46, 0xd5, 0x94, 0x46, 0x74, 0xb1, 0x30, 0x40, 0x9b, 0x78, + 0xb0, 0x30, 0x4b, 0x1a, 0xa1, 0x93, 0x58, 0x1f, 0x48, 0xd4, 0x81, 0x1e, 0x1e, 0x1e, 0xe2, 0xaf, 0xda, 0x6a, 0x3e, 0x6e, + 0x08, 0x90, 0x5e, 0xd5, 0xf1, 0xce, 0x8b, 0x78, 0x8a, 0x5e, 0xe2, 0x36, 0x45, 0x92, 0xee, 0xeb, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x7f, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0xe6, 0xb4, 0xf8, 0xd6, 0xa3, 0x68, 0x66, 0xde, 0x70, 0xd4, 0xe0, 0xd6, 0x9a, 0x46, 0x5d, 0xbd, + 0x60, 0x41, 0x2b, 0x19, 0x2b, 0x4b, 0x55, 0x64, 0x60, 0xe4, 0x91, 0x17, 0x5e, 0xa2, 0x08, 0xe0, 0x1c, 0x6e, 0xbd, 0xf1, + 0x08, 0xfd, 0x2d, 0x7b, 0x42, 0x6a, 0x7c, 0xa3, 0x73, 0x6d, 0xb0, 0xfd, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x48 +}; +unsigned int test_keychain_len = 45864; + + + +#pragma clang diagnostic pop + +#endif /* kc_file_helpers_h */ diff --git a/OSX/libsecurity_keychain/regressions/keychain_regressions.h b/OSX/libsecurity_keychain/regressions/keychain_regressions.h index 89ab2b02..74b23a55 100644 --- a/OSX/libsecurity_keychain/regressions/keychain_regressions.h +++ b/OSX/libsecurity_keychain/regressions/keychain_regressions.h 
@@ -4,10 +4,43 @@ */ #include <test/testmore.h> +ONE_TEST(kc_01_keychain_creation) +ONE_TEST(kc_02_unlock_noui) +ONE_TEST(kc_03_status) +ONE_TEST(kc_03_keychain_list) +ONE_TEST(kc_04_is_valid) +ONE_TEST(kc_05_find_existing_items) +ONE_TEST(kc_05_find_existing_items_locked) +ONE_TEST(kc_06_cert_search_email) +ONE_TEST(kc_10_item_add_generic) +ONE_TEST(kc_10_item_add_internet) +ONE_TEST(kc_10_item_add_certificate) +ONE_TEST(kc_12_key_create_symmetric) +ONE_TEST(kc_12_key_create_symmetric_and_use) +ONE_TEST(kc_15_key_update_valueref) +ONE_TEST(kc_15_item_update_label_skimaad) +ONE_TEST(kc_16_item_update_password) +ONE_TEST(kc_17_item_find_key) +ONE_TEST(kc_18_find_combined) +ONE_TEST(kc_19_item_copy_internet) +ONE_TEST(kc_20_identity_persistent_refs) +ONE_TEST(kc_20_identity_key_attributes) +ONE_TEST(kc_20_identity_find_stress) +ONE_TEST(kc_20_key_find_stress) +ONE_TEST(kc_20_item_find_stress) +ONE_TEST(kc_21_item_use_callback) +ONE_TEST(kc_21_item_xattrs) +ONE_TEST(kc_23_key_export_symmetric) +ONE_TEST(kc_24_key_copy_keychain) +ONE_TEST(kc_26_key_import_public) +ONE_TEST(kc_27_key_non_extractable) +ONE_TEST(kc_28_p12_import) +ONE_TEST(kc_28_cert_sign) ONE_TEST(kc_30_xara) ONE_TEST(kc_40_seckey) ONE_TEST(kc_41_sececkey) ONE_TEST(kc_42_trust_revocation) +ONE_TEST(kc_43_seckey_interop) ONE_TEST(si_20_sectrust_provisioning) ONE_TEST(si_33_keychain_backup) ONE_TEST(si_34_one_true_keychain) diff --git a/OSX/libsecurity_keychain/regressions/si-34-one-true-keychain.c b/OSX/libsecurity_keychain/regressions/si-34-one-true-keychain.c index 15747439..0242d399 100644 --- a/OSX/libsecurity_keychain/regressions/si-34-one-true-keychain.c +++ b/OSX/libsecurity_keychain/regressions/si-34-one-true-keychain.c 
@@ -97,16 +97,16 @@ static void tests(void) ok_status(SecItemAdd(noLegacyQuery, &result), "add internet password in iOS keychain"); CFDictionaryRemoveValue(noLegacyQuery, kSecValueData); - is_status(SecItemCopyMatching(query, &result), errSecItemNotFound, "do not find the ios item"); + ok_status(SecItemCopyMatching(query, &result), "find the ios item with generic query"); CFReleaseNull(result); ok_status(SecItemCopyMatching(noLegacyQuery, &result), "find the ios item with noLegacy"); CFReleaseNull(result); - is_status(SecItemCopyMatching(syncAnyQuery, &result), errSecItemNotFound, "do not find the ios item with synchronizableAny"); + ok_status(SecItemCopyMatching(syncAnyQuery, &result), "find the ios item with synchronizableAny"); CFReleaseNull(result); is_status(SecItemCopyMatching(syncQuery, &result), errSecItemNotFound, "do not find the ios item with synchronizable"); CFReleaseNull(result); - is_status(SecItemUpdate(query, toUpdate), errSecItemNotFound, "do not update the ios item"); + ok_status(SecItemUpdate(query, toUpdate), "update the ios item without any flags"); ok_status(SecItemUpdate(noLegacyQuery, toUpdate), "update the ios item with noLegacy"); ok_status(SecItemUpdate(syncAnyQuery, toUpdate), "update the ios item with synchronizableAny"); diff --git a/OSX/libsecurity_keychain/xpc-tsa/XPCTimeStampingService-Info.plist b/OSX/libsecurity_keychain/xpc-tsa/XPCTimeStampingService-Info.plist index dfe876f3..8d13a776 100644 --- a/OSX/libsecurity_keychain/xpc-tsa/XPCTimeStampingService-Info.plist +++ b/OSX/libsecurity_keychain/xpc-tsa/XPCTimeStampingService-Info.plist @@ -11,7 +11,7 @@ <key>CFBundleIconFile</key> <string></string> <key>CFBundleIdentifier</key> - <string>com.apple.security.${PRODUCT_NAME:rfc1034identifier}</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> 
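Review bot: The flipped expectations now only assert that the generic `query` and `syncAnyQuery` lookups return success, but `ok_status` checks the OSStatus alone, so the test no longer pins which item the generic query reaches — it cannot distinguish the item added through `noLegacyQuery` from any other item matching the same attributes, which is the very property this one-true-keychain test exists to nail down. Before each `CFReleaseNull(result)` the test should also inspect `result` (for example compare its persistent reference or returned attribute dictionary with what the preceding `SecItemAdd` produced; whether the query dictionaries request `kSecReturnAttributes`/`kSecReturnPersistentRef` is not visible in this hunk). The same applies to `SecItemUpdate(query, toUpdate)`: a follow-up `SecItemCopyMatching(noLegacyQuery, &result)` asserting the updated value would show the flag-less update actually modified the iOS item rather than merely returning errSecSuccess. The enclosing `tests` function starts and ends outside the hunk.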
diff --git a/OSX/libsecurity_keychain/xpc-tsa/main-tsa.m b/OSX/libsecurity_keychain/xpc-tsa/main-tsa.m index f32836de..807b1f28 100644 --- a/OSX/libsecurity_keychain/xpc-tsa/main-tsa.m +++ b/OSX/libsecurity_keychain/xpc-tsa/main-tsa.m @@ -44,7 +44,7 @@ void handle_connection_event(const xpc_connection_t peer); void handle_request_event(struct connection_info *info, xpc_object_t event); #ifndef NDEBUG - #define xpctsa_secdebug(format...) \ + #define xpctsa_secinfo(format...) \ do { \ syslog(LOG_WARNING, format); \ } while (0) @@ -55,10 +55,10 @@ void handle_request_event(struct connection_info *info, xpc_object_t event); #else //empty - #define xpctsa_secdebug(format...) + #define xpctsa_secinfo(format...) #define xpctsaNSLog(format...) #endif -#define xpctsaDebug(args...) xpctsa_secdebug(args) +#define xpctsaDebug(args...) xpctsa_secinfo(args) /* These came from: diff --git a/OSX/libsecurity_keychain/xpc/XPCKeychainSandboxCheck-Info.plist b/OSX/libsecurity_keychain/xpc/XPCKeychainSandboxCheck-Info.plist index dfe876f3..8d13a776 100644 --- a/OSX/libsecurity_keychain/xpc/XPCKeychainSandboxCheck-Info.plist +++ b/OSX/libsecurity_keychain/xpc/XPCKeychainSandboxCheck-Info.plist @@ -11,7 +11,7 @@ <key>CFBundleIconFile</key> <string></string> <key>CFBundleIdentifier</key> - <string>com.apple.security.${PRODUCT_NAME:rfc1034identifier}</string> + <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> diff --git a/OSX/libsecurity_manifest/lib/AppleManifest.cpp b/OSX/libsecurity_manifest/lib/AppleManifest.cpp index 31db9426..448b42fa 100644 --- a/OSX/libsecurity_manifest/lib/AppleManifest.cpp +++ b/OSX/libsecurity_manifest/lib/AppleManifest.cpp 
@@ -52,7 +52,7 @@ static void ConvertUInt64ToBytes (UInt64 length, UInt8* bytes) static void WriteLengthAndUpdate (CFMutableDataRef data, UInt64 length, CFIndex location) { // back patch the length of the list - secdebug ("manifest", "Length was %lld, patched at location %lld", length, (UInt64) location); + secinfo ("manifest", "Length was %lld, patched at location %lld", length, (UInt64) location); UInt8 lengthBytes[kLengthLength]; ConvertUInt64ToBytes (length, lengthBytes); @@ -115,7 +115,7 @@ static void WriteFileSystemItemHeader (CFMutableDataRef data, const FileSystemEn { // write the name const char* name = fsi->GetName (); - secdebug ("manifest", "\tAdding header for %s", name); + secinfo ("manifest", "\tAdding header for %s", name); uint16_t len = (uint16_t)strlen (name); AppendUInt16 (data, len); CFDataAppendBytes (data, (UInt8*) name, len); @@ -148,7 +148,7 @@ AppleManifest::~AppleManifest () void AppleManifest::AddDirectoryToManifest (CFMutableDataRef manifest, ManifestDirectoryItem* directory) { - secdebug ("manifest", "Adding directory %s to manifest", directory->GetName ()); + secinfo ("manifest", "Adding directory %s to manifest", directory->GetName ()); CFIndex currentIndex = GetCurrentLengthAndExtend (manifest); AppendUInt16 (manifest, (UInt16) kManifestDirectoryItemType); @@ -334,7 +334,7 @@ CFDataRef AppleManifest::Export (ManifestInternal& manifest) // there had better be at least one signer if (mSignerList.size () == 0) { - secdebug ("manifest", "No signers found"); + secinfo ("manifest", "No signers found"); MacOSError::throwMe (errSecManifestNoSigners); } @@ -480,7 +480,7 @@ static void ReconstructFileSystemHeader (uint32& finger, const uint8* data, File name[length] = 0; item->SetName (name); - secdebug ("manifest", " File item name is %s", name); + secinfo ("manifest", " File item name is %s", name); finger += length; 
@@ -488,9 +488,9 @@ static void ReconstructFileSystemHeader (uint32& finger, const uint8* data, File gid_t gid = (gid_t) ReconstructUInt32 (finger, data); mode_t mode = (mode_t) ReconstructUInt32 (finger, data); - secdebug ("manifest", " File item uid is %d", uid); - secdebug ("manifest", " File item gid is %d", gid); - secdebug ("manifest", " File item mode is %d", mode); + secinfo ("manifest", " File item uid is %d", uid); + secinfo ("manifest", " File item gid is %d", gid); + secinfo ("manifest", " File item mode is %d", mode); item->SetUID (uid); item->SetGID (gid); @@ -511,7 +511,7 @@ static void ParseItemHeader (uint32 &finger, const uint8* data, ManifestItemType void AppleManifest::ReconstructDataBlob (uint32 &finger, const uint8* data, ManifestDataBlobItem*& item) { - secdebug ("manifest", "Reconstructing data blob."); + secinfo ("manifest", "Reconstructing data blob."); item = new ManifestDataBlobItem (); u_int64_t length = ReconstructUInt64 (finger, data); item->SetLength ((size_t)length); @@ -524,7 +524,7 @@ void AppleManifest::ReconstructDataBlob (uint32 &finger, const uint8* data, Mani void AppleManifest::ReconstructDirectory (uint32 &finger, const uint8* data, ManifestDirectoryItem*& directory) { // make the directory - secdebug ("manifest", "Reconstructing directory."); + secinfo ("manifest", "Reconstructing directory."); directory = new ManifestDirectoryItem (); ReconstructFileSystemHeader (finger, data, directory); @@ -535,7 +535,7 @@ void AppleManifest::ReconstructDirectory (uint32 &finger, const uint8* data, Man void AppleManifest::ReconstructFile (uint32& finger, const uint8* data, ManifestFileItem *& file) { - secdebug ("manifest", "Reconstructing file."); + secinfo ("manifest", "Reconstructing file."); // make the file file = new ManifestFileItem (); ReconstructFileSystemHeader (finger, data, file); 
@@ -563,7 +563,7 @@ void AppleManifest::ReconstructFile (uint32& finger, const uint8* data, Manifest void AppleManifest::ReconstructSymLink (uint32& finger, const uint8* data, ManifestSymLinkItem*& file) { - secdebug ("manifest", "Reconstructing symlink."); + secinfo ("manifest", "Reconstructing symlink."); file = new ManifestSymLinkItem (); ReconstructFileSystemHeader (finger, data, file); @@ -575,7 +575,7 @@ void AppleManifest::ReconstructSymLink (uint32& finger, const uint8* data, Manif void AppleManifest::ReconstructOther (uint32& finger, const uint8* data, ManifestOtherItem*& other) { - secdebug ("manifest", "Reconstructing other."); + secinfo ("manifest", "Reconstructing other."); other = new ManifestOtherItem (); ReconstructFileSystemHeader (finger, data, other); } @@ -585,10 +585,12 @@ void AppleManifest::ReconstructOther (uint32& finger, const uint8* data, Manifes void AppleManifest::ReconstructManifestItemList (uint32 &finger, const uint8* data, ManifestItemList &itemList) { uint32 start = finger; - u_int64_t length = ReconstructUInt64 (finger, data); -#warning Casting from uint64 to uint32, this is ripe for overflow. - uint32 end = (uint32)(start + length); - + uint64_t length = ReconstructUInt64 (finger, data); + uint32 end = (uint32)(start + length); + + if (length > UINT32_MAX || (length + (uint64_t)start) > (uint64_t)UINT32_MAX) + MacOSError::throwMe (errSecManifestDamaged); + while (finger < end) { u_int64_t itemEnd; diff --git a/OSX/libsecurity_manifest/lib/ManifestInternal.cpp b/OSX/libsecurity_manifest/lib/ManifestInternal.cpp index 9ce1aedc..df1bfa14 100644 --- a/OSX/libsecurity_manifest/lib/ManifestInternal.cpp +++ b/OSX/libsecurity_manifest/lib/ManifestInternal.cpp 
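Review bot: In ReconstructManifestItemList the truncating cast `uint32 end = (uint32)(start + length);` is still evaluated before the new range check has rejected an oversized length; the throw comes first so nothing uses the wrapped value, but computing `end` after the `throwMe` reads as intended and avoids the second clause of the check restating the first. More importantly, the check only stops the 32-bit wrap: `data` arrives without a size, so a damaged manifest whose length is large but below UINT32_MAX still drives `finger` past the end of the buffer in the `while (finger < end)` loop, and the same applies to the per-item `itemEnd` that follows. If the callers know the buffer size, passing it down and rejecting `end > dataSize` with the same `errSecManifestDamaged` would close that gap. The loop body continues outside the hunk.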
@@ -108,7 +108,7 @@ void ManifestItemList::AddFileSystemObject (char* path, StringSet& exceptions, b StringSet::iterator it = exceptions.find (path); if (it != exceptions.end ()) { - secdebug ("manifest", "Did not add %s to the manifest.", path); + secinfo ("manifest", "Did not add %s to the manifest.", path); return; } @@ -223,13 +223,13 @@ void ManifestItemList::ConvertToStringSet (const char* path, CFArrayRef exceptio // always prepend the prefix -- the spec says that all items in the exception list are relative to the root std::string s = prefix + cfString (CFStringRef (dataRef)); - secdebug ("manifest", "Uncanonicalized path is %s", s.c_str ()); + secinfo ("manifest", "Uncanonicalized path is %s", s.c_str ()); // canonicalize the path and insert if successful. char realPath [PATH_MAX]; if (realpath (s.c_str (), realPath) != NULL) { - secdebug ("manifest", "Inserted path %s as an exception", realPath); + secinfo ("manifest", "Inserted path %s as an exception", realPath); exceptions.insert (realPath); } } @@ -362,7 +362,7 @@ ManifestInternal::ManifestInternal () ManifestInternal::~ManifestInternal () { - secdebug ("manifest", "Destroyed manifest internal %p", this); + secinfo ("manifest", "Destroyed manifest internal %p", this); } @@ -493,7 +493,7 @@ void FileSystemEntryItem::SetPath (char* path) // while we are at it, extract that last name of the path name and save it off as the name mName = StringTail (path); - secdebug ("manifest", "Created file item for %s with name %s", mPath.c_str (), mName.c_str ()); + secinfo ("manifest", "Created file item for %s with name %s", mPath.c_str (), mName.c_str ()); } @@ -577,7 +577,7 @@ bool ManifestFileItem::FileSystemHasTrueForks (char* pathToFile) int result = statfs (pathToFile, &st); if (result != 0) { - secdebug ("manifest", "Could not get statfs (error was %s)", strerror (errno)); + secinfo ("manifest", "Could not get statfs (error was %s)", strerror (errno)); UnixError::throwMe (); } 
@@ -632,7 +632,7 @@ ManifestFileItem::ManifestFileItem () : mNumForks (1) ManifestFileItem::~ManifestFileItem () { - secdebug ("manifest", "Destroyed manifest item %p for path %s", this, mPath.c_str ()); + secinfo ("manifest", "Destroyed manifest item %p for path %s", this, mPath.c_str ()); } @@ -734,7 +734,7 @@ static u_int32_t ExtractUInt32 (u_int8_t *&finger) void ManifestFileItem::ComputeDigestForAppleDoubleResourceFork (char* name, SHA1Digest &digest, size_t &fileLength) { - secdebug ("manifest", "Creating digest for AppleDouble resource fork %s", name); + secinfo ("manifest", "Creating digest for AppleDouble resource fork %s", name); CC_SHA1_CTX digestContext; CC_SHA1_Init (&digestContext); @@ -760,7 +760,7 @@ void ManifestFileItem::ComputeDigestForAppleDoubleResourceFork (char* name, SHA1 if (bytesRead != st.st_size) { - delete [] buffer; + delete[] buffer; UnixError::throwMe (); } @@ -801,14 +801,14 @@ void ManifestFileItem::ComputeDigestForAppleDoubleResourceFork (char* name, SHA1 // compute the SHA1 hash CC_SHA1_Final (digest, &digestContext); - delete [] buffer; + delete[] buffer; } void ManifestFileItem::ComputeDigestForFile (char* name, SHA1Digest &digest, size_t &fileLength, struct stat &st) { - secdebug ("manifest", "Creating digest for %s", name); + secinfo ("manifest", "Creating digest for %s", name); // create a context for the digest operation CC_SHA1_CTX digestContext; @@ -865,7 +865,7 @@ void ManifestFileItem::Compare (ManifestItem *manifestItem, bool compareOwnerAnd ManifestFileItem* item = static_cast< ManifestFileItem*>(manifestItem); - secdebug ("manifest", "Comparing file item %s against %s", GetName (), item->GetName ()); + secinfo ("manifest", "Comparing file item %s against %s", GetName (), item->GetName ()); // the number of forks should be equal if (mNumForks != item->mNumForks) 
@@ -903,7 +903,7 @@ ManifestDirectoryItem::ManifestDirectoryItem () ManifestDirectoryItem::~ManifestDirectoryItem () { - secdebug ("manifest", "Destroyed directory item %p for path %s", this, mPath.c_str ()); + secinfo ("manifest", "Destroyed directory item %p for path %s", this, mPath.c_str ()); } @@ -995,7 +995,7 @@ void ManifestDirectoryItem::SetPath (char* path, StringSet &exceptions, bool isR FileSystemEntryItem::SetPath (path); } - secdebug ("manifest", "Added directory entry for %s with name %s", mPath.c_str (), mName.c_str ()); + secinfo ("manifest", "Added directory entry for %s with name %s", mPath.c_str (), mName.c_str ()); // enumerate the contents of the directory. char* path_argv[] = { path, NULL }; @@ -1050,7 +1050,7 @@ void ManifestDirectoryItem::Compare (ManifestItem* a, bool compareOwnerAndGroup) { FileSystemEntryItem::Compare (a, compareOwnerAndGroup); ManifestDirectoryItem* aa = static_cast<ManifestDirectoryItem*>(a); - secdebug ("manifest", "Comparing directory item %s against %s", GetName (), aa->GetName ()); + secinfo ("manifest", "Comparing directory item %s against %s", GetName (), aa->GetName ()); mDirectoryItems.Compare (aa->mDirectoryItems, compareOwnerAndGroup); } @@ -1068,7 +1068,7 @@ ManifestSymLinkItem::ManifestSymLinkItem () ManifestSymLinkItem::~ManifestSymLinkItem () { - secdebug ("manifest", "Destroyed symlink item for %s", mPath.c_str ()); + secinfo ("manifest", "Destroyed symlink item for %s", mPath.c_str ()); } @@ -1077,7 +1077,7 @@ void ManifestSymLinkItem::ComputeRepresentation () { char path [FILENAME_MAX]; int result = (int)readlink (mPath.c_str (), path, sizeof (path)); - secdebug ("manifest", "Read content %s for %s", path, mPath.c_str ()); + secinfo ("manifest", "Read content %s for %s", path, mPath.c_str ()); // create a digest context CC_SHA1_CTX digestContext; 
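Review bot: The changed log line in ManifestSymLinkItem::ComputeRepresentation prints `path` with `%s`, but readlink() does not NUL-terminate what it writes and `result` is never checked, so when the link target fills the buffer or readlink fails the format string reads uninitialised bytes and can run past the end of `path`. Terminate and check before logging: `int result = (int)readlink (mPath.c_str (), path, sizeof (path) - 1);` / `if (result < 0) UnixError::throwMe ();` / `path[result] = '\0';`. The digest computation that follows continues outside the hunk and should use the checked `result` as the length as well.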
@@ -1119,7 +1119,7 @@ void ManifestSymLinkItem::Compare (ManifestItem *a, bool compareOwnerAndGroup) { FileSystemEntryItem::Compare (a, compareOwnerAndGroup); ManifestSymLinkItem* aa = static_cast<ManifestSymLinkItem*>(a); - secdebug ("manifest", "Comparing symlink item %s against %s", GetName (), aa->GetName ()); + secinfo ("manifest", "Comparing symlink item %s against %s", GetName (), aa->GetName ()); // now compare the data if (memcmp (&mDigest, &aa->mDigest, kSHA1DigestSize) != 0) @@ -1142,7 +1142,7 @@ ManifestOtherItem::ManifestOtherItem () ManifestOtherItem::~ManifestOtherItem () { - secdebug ("manifest", "Destroyed other item for path %s", mPath.c_str ()); + secinfo ("manifest", "Destroyed other item for path %s", mPath.c_str ()); } @@ -1157,5 +1157,5 @@ ManifestItemType ManifestOtherItem::GetItemType () void ManifestOtherItem::Compare (ManifestItem *a, bool compareOwnerAndGroup) { FileSystemEntryItem::Compare (a, compareOwnerAndGroup); - secdebug ("manifest", "Comparing other item %s against %s", GetName (), static_cast<FileSystemEntryItem*>(a)->GetName ()); + secinfo ("manifest", "Comparing other item %s against %s", GetName (), static_cast<FileSystemEntryItem*>(a)->GetName ()); } diff --git a/OSX/libsecurity_manifest/lib/SecManifest.cpp b/OSX/libsecurity_manifest/lib/SecManifest.cpp index fb0b6bdb..401c193b 100644 --- a/OSX/libsecurity_manifest/lib/SecManifest.cpp +++ b/OSX/libsecurity_manifest/lib/SecManifest.cpp @@ -45,7 +45,7 @@ OSStatus SecManifestGetVersion (UInt32 *version) { - secdebug ("manifest", "SecManifestGetVersion"); + secinfo ("manifest", "SecManifestGetVersion"); *version = 0x01000000; return errSecSuccess; } @@ -59,7 +59,7 @@ OSStatus SecManifestCreate(SecManifestRef *manifest) Manifest* manifestPtr = new Manifest (); *manifest = (SecManifestRef) manifestPtr; - secdebug ("manifest", "SecManifestCreate(%p)", manifest); + secinfo ("manifest", "SecManifestCreate(%p)", manifest); API_END } 
@@ -71,12 +71,14 @@ void SecManifestRelease (SecManifestRef manifest) delete (Manifest*) manifest; } - - +// On release builds, this function isn't called (due to how secinfo works). Assure the compiler this is okay. +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunused-function" static const char* GetDescription (CFTypeRef object) { return CFStringGetCStringPtr (CFCopyDescription (object), kCFStringEncodingMacRoman); } +#pragma clang pop @@ -103,7 +105,7 @@ OSStatus SecManifestVerifySignatureWithPolicy (CFDataRef data, { API_BEGIN - secdebug ("manifest", "SecManifestVerifySignature (%s, %p, %p, %p, %p)", GetDescription (data), setupCallback, setupContext, evaluateCallback, evaluateContext); + secinfo ("manifest", "SecManifestVerifySignature (%s, %p, %p, %p, %p)", GetDescription (data), setupCallback, setupContext, evaluateCallback, evaluateContext); Required (setupCallback); Required (evaluateCallback); @@ -143,7 +145,7 @@ OSStatus SecManifestCreateSignature(SecManifestRef manifest, UInt32 options, CFD { API_BEGIN - secdebug ("manifest", "SecManifestCreateSignature(%p, %ul, %p)", manifest, (unsigned int) options, data); + secinfo ("manifest", "SecManifestCreateSignature(%p, %ul, %p)", manifest, (unsigned int) options, data); Manifest* manifestPtr = (Manifest*) manifest; if (options != 0) @@ -170,7 +172,7 @@ OSStatus SecManifestAddObject(SecManifestRef manifest, CFTypeRef object, CFArray { API_BEGIN - secdebug ("manifest", "SecManifestAddObject(%p), %s, %s", + secinfo ("manifest", "SecManifestAddObject(%p), %s, %s", manifest, GetDescription (object), exceptionList ? GetDescription (exceptionList) : "NULL"); 
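Review bot: `#pragma clang pop` after GetDescription is not a recognised pragma (the matching form is `#pragma clang diagnostic pop`), so the diagnostic push is never closed and `-Wunused-function` stays suppressed for the rest of SecManifest.cpp, which defeats the GCC_WARN_UNUSED_FUNCTION setting this same commit turns on in the project file. Change it to `#pragma clang diagnostic pop`. While documenting the function, it is worth noting that GetDescription never releases the object CFCopyDescription returns and that CFStringGetCStringPtr may return NULL, which the `%s` in the secinfo calls below would then dereference; both pre-date this commit but the new comment is the natural place to record them. Separately, the `%ul` in the SecManifestCreateSignature message is `%u` followed by a literal `l`; `%u` is what the `(unsigned int)` cast intends.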
@@ -186,7 +188,7 @@ OSStatus SecManifestCompare(SecManifestRef manifest1, SecManifestRef manifest2, { API_BEGIN - secdebug ("manifest", "SecManifestVerify(%p, %p, %d)", manifest1, manifest2, (int) options); + secinfo ("manifest", "SecManifestVerify(%p, %p, %d)", manifest1, manifest2, (int) options); ManifestInternal &m1 = ((Manifest*) (manifest1))->GetManifestInternal (); ManifestInternal &m2 = ((Manifest*) (manifest2))->GetManifestInternal (); @@ -202,7 +204,7 @@ OSStatus SecManifestAddSigner(SecManifestRef manifest, SecIdentityRef identity) { API_BEGIN - secdebug ("manifest", "SecManifestAddSigner(%p, %p)", manifest, identity); + secinfo ("manifest", "SecManifestAddSigner(%p, %p)", manifest, identity); Manifest* manifestPtr = (Manifest*) (manifest); // check to see if there is a serializer present diff --git a/OSX/libsecurity_manifest/libsecurity_manifest.xcodeproj/project.pbxproj b/OSX/libsecurity_manifest/libsecurity_manifest.xcodeproj/project.pbxproj index 4e2157cc..6c31b8c5 100644 --- a/OSX/libsecurity_manifest/libsecurity_manifest.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_manifest/libsecurity_manifest.xcodeproj/project.pbxproj 
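Review bot: The changed secinfo line in SecManifestCompare still labels itself `SecManifestVerify(%p, %p, %d)`, which misleads anyone reading the log for this API. `secinfo ("manifest", "SecManifestCompare(%p, %p, %d)", manifest1, manifest2, (int) options);` matches the function it sits in. The remainder of SecManifestCompare continues outside the hunk.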
@@ -55,16 +55,16 @@ D60C834809F5AD980069DF6D /* SecureDownloadInternal.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = SecureDownloadInternal.c; path = lib/SecureDownloadInternal.c; sourceTree = "<group>"; }; D60C834909F5AD980069DF6D /* SecureDownloadInternal.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = SecureDownloadInternal.h; path = lib/SecureDownloadInternal.h; sourceTree = "<group>"; }; D637ECC205DA85AD0096F1E6 /* Manifest.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = Manifest.cpp; path = lib/Manifest.cpp; sourceTree = "<group>"; }; - D637ECC305DA85AD0096F1E6 /* SecManifest.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = SecManifest.cpp; path = lib/SecManifest.cpp; sourceTree = "<group>"; }; + D637ECC305DA85AD0096F1E6 /* SecManifest.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; name = SecManifest.cpp; path = lib/SecManifest.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; D658622605DA860900E7380F /* Manifest.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = Manifest.h; path = lib/Manifest.h; sourceTree = "<group>"; }; D658622705DA860900E7380F /* SecManifest.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = SecManifest.h; path = lib/SecManifest.h; sourceTree = "<group>"; }; D658622E05DA866200E7380F /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = /System/Library/Frameworks/CoreFoundation.framework; sourceTree = "<absolute>"; }; D658627305DA867300E7380F /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = 
/System/Library/Frameworks/Security.framework; sourceTree = "<absolute>"; }; D6C8AFAE05DD2430003DB724 /* libsecurity_manifest.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_manifest.a; sourceTree = BUILT_PRODUCTS_DIR; }; D6C8AFE005DD2FF8003DB724 /* security_manifest.exp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.exports; name = security_manifest.exp; path = lib/security_manifest.exp; sourceTree = "<group>"; }; - D6CDE5B805E3DBD9006C8558 /* AppleManifest.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = AppleManifest.cpp; path = lib/AppleManifest.cpp; sourceTree = "<group>"; }; + D6CDE5B805E3DBD9006C8558 /* AppleManifest.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; name = AppleManifest.cpp; path = lib/AppleManifest.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; D6CDE5B905E3DBD9006C8558 /* AppleManifest.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = AppleManifest.h; path = lib/AppleManifest.h; sourceTree = "<group>"; }; - D6E7672205F3F8B6007C5669 /* ManifestInternal.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = ManifestInternal.cpp; path = lib/ManifestInternal.cpp; sourceTree = "<group>"; }; + D6E7672205F3F8B6007C5669 /* ManifestInternal.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; name = ManifestInternal.cpp; path = lib/ManifestInternal.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; D6E7672305F3F8B6007C5669 /* ManifestInternal.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = ManifestInternal.h; path = lib/ManifestInternal.h; sourceTree = "<group>"; }; D6E7672405F3F8B6007C5669 /* 
ManifestSigner.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = ManifestSigner.cpp; path = lib/ManifestSigner.cpp; sourceTree = "<group>"; }; D6E7672505F3F8B6007C5669 /* ManifestSigner.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = ManifestSigner.h; path = lib/ManifestSigner.h; sourceTree = "<group>"; }; @@ -194,7 +194,6 @@ buildRules = ( ); dependencies = ( - 182BB32B146F0F8B000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_manifest; productName = libsecurity_manifest; @@ -207,7 +206,7 @@ 0867D690FE84028FC02AAC07 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD39A0987FCDE001272E0 /* Build configuration list for PBXProject "libsecurity_manifest" */; compatibilityVersion = "Xcode 3.2"; @@ -308,12 +307,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB31F146F0F07000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; 
@@ -321,12 +329,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB31F146F0F07000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_mds/lib/MDSAttrParser.cpp b/OSX/libsecurity_mds/lib/MDSAttrParser.cpp index 1a8a9650..27b9261d 100644 --- a/OSX/libsecurity_mds/lib/MDSAttrParser.cpp +++ b/OSX/libsecurity_mds/lib/MDSAttrParser.cpp @@ -29,6 +29,7 @@ #include "MDSAttrUtils.h" #include "MDSDictionary.h" #include <security_utilities/logging.h> +#include <security_utilities/cfutilities.h> #include <Security/mds_schema.h> namespace Security @@ -101,10 +102,10 @@ Parsing bundle { void MDSAttrParser::parseAttrs(CFStringRef subdir) { /* get all *.mdsinfo files */ - CFArrayRef bundleInfoFiles = CFBundleCopyResourceURLsOfType(mBundle, + CFRef<CFArrayRef> bundleInfoFiles = CFBundleCopyResourceURLsOfType(mBundle, CFSTR(MDS_INFO_TYPE), subdir); - if(bundleInfoFiles == NULL) { + if(!bundleInfoFiles) { Syslog::alert("MDSAttrParser: no mdsattr files for %s", mPath); return; } @@ -128,7 +129,7 @@ void MDSAttrParser::parseAttrs(CFStringRef subdir) } // @@@ Workaround for 4234967: skip any filename beginning with "._" - CFStringRef lastComponent = CFURLCopyLastPathComponent(infoUrl); + CFRef<CFStringRef> lastComponent = CFURLCopyLastPathComponent(infoUrl); if (lastComponent) { CFStringRef resFilePfx = CFSTR("._"); // setting the search length and location like this permits, 
@@ -140,7 +141,6 @@ void MDSAttrParser::parseAttrs(CFStringRef subdir) range, 0/*options*/, NULL/*returned substr*/); - CFRelease(lastComponent); if (skip == true) { Syslog::warning("MDSAttrParser: ignoring resource file"); continue; @@ -149,7 +149,6 @@ void MDSAttrParser::parseAttrs(CFStringRef subdir) parseFile(infoUrl, subdir); } /* for each mdsinfo */ - CF_RELEASE(bundleInfoFiles); } void MDSAttrParser::parseFile(CFURLRef infoUrl, CFStringRef subdir) @@ -438,14 +437,11 @@ void MDSAttrParser::parseCspCapabilitiesRecord( mdsDict->lookupAttributes(&CSPCapabilitiesDict1RelInfo, outAttrs, numTopLevelAttrs); - bool fetchedFromDisk = false; - /* obtain Capabilities array */ - CFArrayRef capArray = (CFArrayRef)mdsDict->lookupWithIndirect("Capabilities", + CFRef<CFArrayRef> capArray = (CFArrayRef)mdsDict->lookupWithIndirect("Capabilities", mBundle, - CFArrayGetTypeID(), - fetchedFromDisk); - if(capArray == NULL) { + CFArrayGetTypeID()); + if(!capArray) { /* well we did not get very far.... */ MPDebug("parseCspCapabilitiesRecord: no (or bad) Capabilities"); delete [] outAttrs; @@ -543,9 +539,6 @@ void MDSAttrParser::parseCspCapabilitiesRecord( MDSFreeDbRecordAttrs(outAttrs, numTopLevelAttrs); delete [] outAttrs; - if(fetchedFromDisk) { - CF_RELEASE(capArray); - } } /* diff --git a/OSX/libsecurity_mds/lib/MDSAttrUtils.h b/OSX/libsecurity_mds/lib/MDSAttrUtils.h index 8ad06a4f..346d209b 100644 --- a/OSX/libsecurity_mds/lib/MDSAttrUtils.h +++ b/OSX/libsecurity_mds/lib/MDSAttrUtils.h @@ -34,10 +34,10 @@ #include "MDSSession.h" /* log parsing events */ -#define MPDebug(args...) secdebug("MDS_Parse", ## args) +#define MPDebug(args...) secinfo("MDS_Parse", ## args) /* log scanning events */ -#define MSDebug(args...) secdebug("MDS_Scan", ## args) +#define MSDebug(args...) secinfo("MDS_Scan", ## args) /* * I can't believe that CFRelease does not do this... diff --git a/OSX/libsecurity_mds/lib/MDSDatabase.cpp b/OSX/libsecurity_mds/lib/MDSDatabase.cpp index fb388dae..b9c2bfe5 100644 
--- a/OSX/libsecurity_mds/lib/MDSDatabase.cpp +++ b/OSX/libsecurity_mds/lib/MDSDatabase.cpp @@ -48,7 +48,7 @@ MDSDatabase::~MDSDatabase () DbContext * MDSDatabase::makeDbContext (DatabaseSession &inDatabaseSession, CSSM_DB_ACCESS_TYPE inAccessRequest, - const CSSM_ACCESS_CREDENTIALS *inAccessCred, + const AccessCredentials *inAccessCred, const void *inOpenParameters) { return new DbContext (*this, inDatabaseSession, inAccessRequest, @@ -75,7 +75,7 @@ MDSDatabase::createRelation(DbContext &dbContext, CSSM_DB_RECORDTYPE inRelationID, const char *inRelationName, uint32 inNumberOfAttributes, - const CSSM_DB_SCHEMA_ATTRIBUTE_INFO &inAttributeInfo, + const CSSM_DB_SCHEMA_ATTRIBUTE_INFO *inAttributeInfo, uint32 inNumberOfIndexes, const CSSM_DB_SCHEMA_INDEX_INFO &inIndexInfo) { @@ -176,7 +176,7 @@ MDSDatabase::dbCreate (DbContext &inDbContext, const CSSM_DBINFO &inDBInfo, void MDSDatabase::dbDelete (DatabaseSession &inDatabaseSession, - const CSSM_ACCESS_CREDENTIALS *inAccessCred) + const AccessCredentials *inAccessCred) { CssmError ::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); } @@ -184,7 +184,7 @@ MDSDatabase::dbDelete (DatabaseSession &inDatabaseSession, void MDSDatabase::authenticate(DbContext &dbContext, CSSM_DB_ACCESS_TYPE inAccessRequest, - const CSSM_ACCESS_CREDENTIALS &inAccessCred) + const AccessCredentials &inAccessCred) { CssmError ::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); } @@ -200,7 +200,7 @@ MDSDatabase::getDbAcl(DbContext &dbContext, void MDSDatabase::changeDbAcl(DbContext &dbContext, - const CSSM_ACCESS_CREDENTIALS &inAccessCred, + const AccessCredentials &inAccessCred, const CSSM_ACL_EDIT &inAclEdit) { CssmError ::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); 
@@ -214,7 +214,7 @@ MDSDatabase::getDbOwner(DbContext &dbContext, CSSM_ACL_OWNER_PROTOTYPE &outOwner void MDSDatabase::changeDbOwner(DbContext &dbContext, - const CSSM_ACCESS_CREDENTIALS &inAccessCred, + const AccessCredentials &inAccessCred, const CSSM_ACL_OWNER_PROTOTYPE &inNewOwner) { CssmError ::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED); diff --git a/OSX/libsecurity_mds/lib/MDSDatabase.h b/OSX/libsecurity_mds/lib/MDSDatabase.h index 0849fe5a..500af73b 100644 --- a/OSX/libsecurity_mds/lib/MDSDatabase.h +++ b/OSX/libsecurity_mds/lib/MDSDatabase.h @@ -52,7 +52,7 @@ public: DbContext * makeDbContext(DatabaseSession &inDatabaseSession, CSSM_DB_ACCESS_TYPE inAccessRequest, - const CSSM_ACCESS_CREDENTIALS *inAccessCred, + const AccessCredentials *inAccessCred, const void *inOpenParameters); virtual void @@ -67,14 +67,14 @@ public: virtual void dbDelete(DatabaseSession &inDatabaseSession, - const CSSM_ACCESS_CREDENTIALS *inAccessCred); + const AccessCredentials *inAccessCred); virtual void createRelation (DbContext &dbContext, CSSM_DB_RECORDTYPE inRelationID, const char *inRelationName, uint32 inNumberOfAttributes, - const CSSM_DB_SCHEMA_ATTRIBUTE_INFO &inAttributeInfo, + const CSSM_DB_SCHEMA_ATTRIBUTE_INFO *inAttributeInfo, uint32 inNumberOfIndexes, const CSSM_DB_SCHEMA_INDEX_INFO &inIndexInfo); @@ -84,7 +84,7 @@ public: virtual void authenticate(DbContext &dbContext, CSSM_DB_ACCESS_TYPE inAccessRequest, - const CSSM_ACCESS_CREDENTIALS &inAccessCred); + const AccessCredentials &inAccessCred); virtual void getDbAcl(DbContext &dbContext, @@ -94,7 +94,7 @@ public: virtual void changeDbAcl(DbContext &dbContext, - const CSSM_ACCESS_CREDENTIALS &inAccessCred, + const AccessCredentials &inAccessCred, const CSSM_ACL_EDIT &inAclEdit); virtual void @@ -102,7 +102,7 @@ public: virtual void changeDbOwner(DbContext &dbContext, - const CSSM_ACCESS_CREDENTIALS &inAccessCred, + const AccessCredentials &inAccessCred, const CSSM_ACL_OWNER_PROTOTYPE &inNewOwner); virtual char * 
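Review bot: The six member functions whose parameter types change in MDSDatabase.h (makeDbContext, dbDelete, createRelation, authenticate, changeDbAcl, changeDbOwner) are declared `virtual` without `override`, so if the base-class signatures are not changed in lockstep these silently become unrelated overloads and the base versions keep being dispatched. Adding `override` to each changed declaration, e.g. `virtual void dbDelete(DatabaseSession &inDatabaseSession, const AccessCredentials *inAccessCred) override;`, turns that into a compile error, assuming the target builds as C++11 or later. The base class is not visible here, so this is worth confirming against it; the matching definitions in MDSDatabase.cpp in the preceding hunks are covered by the same check.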
diff --git a/OSX/libsecurity_mds/lib/MDSDictionary.cpp b/OSX/libsecurity_mds/lib/MDSDictionary.cpp index 604e0403..6bae2b8e 100644 --- a/OSX/libsecurity_mds/lib/MDSDictionary.cpp +++ b/OSX/libsecurity_mds/lib/MDSDictionary.cpp @@ -387,10 +387,7 @@ void MDSDictionary::lookupAttributes( const CFPropertyListRef MDSDictionary::lookupWithIndirect( const char *key, CFBundleRef bundle, - CFTypeID desiredType, - bool &fetchedFromDisk) // true --> caller must CFRelease the returned - // value - // false -> it's part of this dictionary + CFTypeID desiredType) { CFPropertyListRef ourRtn = NULL; CFDataRef dictData = NULL; @@ -402,8 +399,6 @@ const CFPropertyListRef MDSDictionary::lookupWithIndirect( assert(key != NULL); assert(bundle != NULL); - fetchedFromDisk = false; - /* basic local lookup */ CFStringRef cfKey = CFStringCreateWithCString(NULL, key, @@ -412,22 +407,22 @@ const CFPropertyListRef MDSDictionary::lookupWithIndirect( MPDebug("CFStringCreateWithCString error"); return NULL; } - const void *rtn = CFDictionaryGetValue(mDict, cfKey); + CFCopyRef<CFStringRef> rtn = (CFStringRef)CFDictionaryGetValue(mDict, cfKey); CFRelease(cfKey); - if(rtn == NULL) { + if(!rtn) { return NULL; } - CFTypeID foundType = CFGetTypeID((CFTypeRef)rtn); + CFTypeID foundType = CFGetTypeID(rtn); if(foundType == desiredType) { /* found what we're looking for; done */ - return (CFPropertyListRef)rtn; + return (CFPropertyListRef)rtn.yield(); } /* is it a string which starts with "file:"? */ if(foundType != CFStringGetTypeID()) { return NULL; } - const char *cVal = MDSCFStringToCString((CFStringRef)rtn); + const char *cVal = MDSCFStringToCString(rtn); if(cVal == NULL) { MPDebug("MDSCFStringToCString error in lookupWithIndirect"); return NULL; @@ -490,8 +485,7 @@ const CFPropertyListRef MDSDictionary::lookupWithIndirect( } MPDebug("lookupWithIndirect: resource %s FOUND", cVal); - fetchedFromDisk = true; - + abort: delete [] cVal; CF_RELEASE(cfFileName); 
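Review bot: lookupWithIndirect now always returns a +1 reference — `rtn.yield()` hands the CFCopyRef's retain to the caller on the in-dictionary path, and the disk path returned an owned object before — but nothing in the new code states that, and the removed `fetchedFromDisk` comment was the only description of the contract. Any caller other than parseCspCapabilitiesRecord that still treats the result as borrowed now leaks one reference per call, so the remaining callers should be checked. The declaration in MDSDictionary.h in the next hunk should carry `// Returns a +1 reference (or NULL); the caller owns it and must CFRelease it.` Also, `rtn` is typed `CFStringRef` before `CFGetTypeID` confirms the type, so the code reads as if the value were a string even when desiredType is an array; `CFCopyRef<CFTypeRef>` with a cast at the MDSCFStringToCString call would match the order of the checks.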
diff --git a/OSX/libsecurity_mds/lib/MDSDictionary.h b/OSX/libsecurity_mds/lib/MDSDictionary.h index 25839526..04916659 100644 --- a/OSX/libsecurity_mds/lib/MDSDictionary.h +++ b/OSX/libsecurity_mds/lib/MDSDictionary.h @@ -107,11 +107,7 @@ public: const CFPropertyListRef lookupWithIndirect( const char *key, CFBundleRef bundle, - CFTypeID desiredType, - bool &fetchedFromDisk); // true --> caller must CFRelease the returned - // value - // false -> it's part of this dictionary - + CFTypeID desiredType); void setDefaults(const MDS_InstallDefaults *defaults); private: diff --git a/OSX/libsecurity_mds/lib/MDSModule.cpp b/OSX/libsecurity_mds/lib/MDSModule.cpp index ebf050cb..4a3716a1 100644 --- a/OSX/libsecurity_mds/lib/MDSModule.cpp +++ b/OSX/libsecurity_mds/lib/MDSModule.cpp @@ -127,7 +127,7 @@ void MDSModule::setDbPath(const char *path) void MDSModule::setServerMode() { - secdebug("MDSModule", "setting global server mode"); + secinfo("MDSModule", "setting global server mode"); mServerMode = true; } diff --git a/OSX/libsecurity_mds/lib/MDSSession.cpp b/OSX/libsecurity_mds/lib/MDSSession.cpp index 93c13f4f..d91669a5 100644 --- a/OSX/libsecurity_mds/lib/MDSSession.cpp +++ b/OSX/libsecurity_mds/lib/MDSSession.cpp @@ -126,10 +126,10 @@ namespace Security #define MDS_SCAN_INTERVAL 5 /* trace file I/O */ -#define MSIoDbg(args...) secdebug("MDS_IO", ## args) +#define MSIoDbg(args...) secinfo("MDS_IO", ## args) /* Trace cleanDir() */ -#define MSCleanDirDbg(args...) secdebug("MDS_CleanDir", ## args) +#define MSCleanDirDbg(args...) secinfo("MDS_CleanDir", ## args) static std::string GetMDSBaseDBDir(bool isRoot) { 
@@ -766,11 +766,11 @@ MDSSession::LockHelper::obtainLock( { mFD = -1; for(;;) { - secdebug("mdslock", "obtainLock: calling open(%s)", lockFile); + secinfo("mdslock", "obtainLock: calling open(%s)", lockFile); mFD = open(lockFile, O_EXLOCK | O_CREAT | O_RDWR, 0644); if(mFD == -1) { int err = errno; - secdebug("mdslock", "obtainLock: open error %d", errno); + secinfo("mdslock", "obtainLock: open error %d", errno); if(err == EINTR) { /* got a signal, go again */ continue; @@ -781,7 +781,7 @@ MDSSession::LockHelper::obtainLock( } } else { - secdebug("mdslock", "obtainLock: success"); + secinfo("mdslock", "obtainLock: success"); return true; } } @@ -797,7 +797,7 @@ MDSSession::LockHelper::obtainLock( MDSSession::LockHelper::~LockHelper() { - secdebug("mdslock", "releaseLock"); + secinfo("mdslock", "releaseLock"); if (mFD == -1) { return; diff --git a/OSX/libsecurity_mds/lib/mds.h b/OSX/libsecurity_mds/lib/mds.h index cc75ad2e..c2d590e4 100644 --- a/OSX/libsecurity_mds/lib/mds.h +++ b/OSX/libsecurity_mds/lib/mds.h @@ -33,6 +33,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + typedef CSSM_DL_HANDLE MDS_HANDLE; typedef CSSM_DL_DB_HANDLE MDS_DB_HANDLE; @@ -146,6 +149,8 @@ CSSM_RETURN CSSMAPI MDS_Uninstall (MDS_HANDLE MdsHandle) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; +#pragma clang diagnostic pop + #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_mds/lib/mdsapi.cpp b/OSX/libsecurity_mds/lib/mdsapi.cpp index a23fe744..d594fa9b 100644 --- a/OSX/libsecurity_mds/lib/mdsapi.cpp +++ b/OSX/libsecurity_mds/lib/mdsapi.cpp @@ -37,7 +37,7 @@ #include <security_utilities/globalizer.h> #include <security_utilities/threading.h> -#define MSApiDebug(args...) secdebug("MDS_API", ## args) +#define MSApiDebug(args...) secinfo("MDS_API", ## args) /* Protects access to AppleDataBase */ ModuleNexus<Mutex> adbMutex; 
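Review bot: The changed error log in LockHelper::obtainLock prints `errno` even though the preceding line just saved it in `err`; secinfo may expand to calls that modify errno, so the logged value can differ from the one tested on the next line. Log the saved copy: `secinfo("mdslock", "obtainLock: open error %d", err);`. The retry loop continues outside the hunk.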
diff --git a/OSX/libsecurity_mds/libsecurity_mds.xcodeproj/project.pbxproj b/OSX/libsecurity_mds/libsecurity_mds.xcodeproj/project.pbxproj index a7569125..195b6bba 100644 --- a/OSX/libsecurity_mds/libsecurity_mds.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_mds/libsecurity_mds.xcodeproj/project.pbxproj @@ -37,13 +37,6 @@ remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; remoteInfo = libsecurity_cdsa_plugin; }; - 182BB369146F1259000BF1F3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 182BB362146F1255000BF1F3 /* libsecurity_cdsa_plugin.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = C2C38A530535EDE600D7421F; - remoteInfo = libsecurity_cdsa_plugin_generate; - }; /* End PBXContainerItemProxy section */ /* Begin PBXFileReference section */ 
@@ -52,22 +45,22 @@ 182BB360146F11F1000BF1F3 /* lib.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = lib.xcconfig; sourceTree = "<group>"; }; 182BB361146F11F1000BF1F3 /* release.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = release.xcconfig; sourceTree = "<group>"; }; 182BB362146F1255000BF1F3 /* libsecurity_cdsa_plugin.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_cdsa_plugin.xcodeproj; path = ../libsecurity_cdsa_plugin/libsecurity_cdsa_plugin.xcodeproj; sourceTree = "<group>"; }; - 4C308389053237100028A8C6 /* mdsapi.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = mdsapi.cpp; sourceTree = "<group>"; }; + 4C308389053237100028A8C6 /* mdsapi.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = mdsapi.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C30838A053237100028A8C6 /* MDSAttrParser.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = MDSAttrParser.cpp; sourceTree = "<group>"; }; 4C30838B053237100028A8C6 /* MDSAttrParser.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = MDSAttrParser.h; sourceTree = "<group>"; }; 4C30838C053237100028A8C6 /* MDSAttrStrings.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = MDSAttrStrings.cpp; sourceTree = "<group>"; }; 4C30838D053237100028A8C6 /* MDSAttrStrings.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = MDSAttrStrings.h; sourceTree = "<group>"; }; 4C30838E053237100028A8C6 /* MDSAttrUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = MDSAttrUtils.cpp; sourceTree = "<group>"; }; - 4C30838F053237100028A8C6 /* MDSAttrUtils.h 
*/ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = MDSAttrUtils.h; sourceTree = "<group>"; }; + 4C30838F053237100028A8C6 /* MDSAttrUtils.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = MDSAttrUtils.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 4C308390053237100028A8C6 /* MDSDatabase.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = MDSDatabase.cpp; sourceTree = "<group>"; }; 4C308391053237100028A8C6 /* MDSDatabase.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = MDSDatabase.h; sourceTree = "<group>"; }; 4C308392053237100028A8C6 /* MDSDictionary.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = MDSDictionary.cpp; sourceTree = "<group>"; }; 4C308393053237100028A8C6 /* MDSDictionary.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = MDSDictionary.h; sourceTree = "<group>"; }; - 4C308394053237100028A8C6 /* MDSModule.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = MDSModule.cpp; sourceTree = "<group>"; }; + 4C308394053237100028A8C6 /* MDSModule.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = MDSModule.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C308395053237100028A8C6 /* MDSModule.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = MDSModule.h; sourceTree = "<group>"; }; 4C308398053237100028A8C6 /* MDSSchema.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = MDSSchema.cpp; sourceTree = "<group>"; }; 4C308399053237100028A8C6 /* MDSSchema.h */ = {isa = PBXFileReference; fileEncoding = 30; 
lastKnownFileType = sourcecode.c.h; path = MDSSchema.h; sourceTree = "<group>"; }; - 4C30839A053237100028A8C6 /* MDSSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = MDSSession.cpp; sourceTree = "<group>"; usesTabs = 1; }; + 4C30839A053237100028A8C6 /* MDSSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = MDSSession.cpp; sourceTree = "<group>"; usesTabs = 1; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4C30839B053237100028A8C6 /* MDSSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = MDSSession.h; sourceTree = "<group>"; }; 4CA1FEBE052A3C8100F22E42 /* libsecurity_mds.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libsecurity_mds.a; sourceTree = BUILT_PRODUCTS_DIR; }; 4CCB008B05800B0B00981D43 /* security_mds.exp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.exports; path = security_mds.exp; sourceTree = "<group>"; }; @@ -188,7 +181,6 @@ buildRules = ( ); dependencies = ( - 182BB36A146F1259000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_mds; productName = libsecurity_mds; @@ -201,7 +193,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3A80987FCDE001272E0 /* Build configuration list for PBXProject "libsecurity_mds" */; compatibilityVersion = "Xcode 3.2"; 
@@ -255,14 +247,6 @@ }; /* End PBXSourcesBuildPhase section */ -/* Begin PBXTargetDependency section */ - 182BB36A146F1259000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity_cdsa_plugin_generate; - targetProxy = 182BB369146F1259000BF1F3 /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - /* Begin XCBuildConfiguration section */ C27AD3A50987FCDE001272E0 /* Debug */ = { isa = XCBuildConfiguration; @@ -292,13 +276,22 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB360146F11F1000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -306,13 +299,20 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB360146F11F1000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_ocspd/common/ocspdDebug.h b/OSX/libsecurity_ocspd/common/ocspdDebug.h index 65f5b6d3..4a25566c 100644 
--- a/OSX/libsecurity_ocspd/common/ocspdDebug.h +++ b/OSX/libsecurity_ocspd/common/ocspdDebug.h @@ -26,41 +26,13 @@ #include <security_utilities/debugging.h> -/* If OCSP_USE_SYSLOG is defined and not 0, use syslog() for debug - * logging in addition to invoking the secdebug macro (which, as of - * Snow Leopard, emits a static dtrace probe instead of an actual - * log message.) - */ -#ifndef OCSP_USE_SYSLOG -#define OCSP_USE_SYSLOG 0 -#endif - -#if OCSP_USE_SYSLOG -#include <syslog.h> -#define ocsp_secdebug(scope, format...) \ -{ \ - syslog(LOG_NOTICE, format); \ - secdebug(scope, format); \ -} -#else -#define ocsp_secdebug(scope, format...) \ - secdebug(scope, format) -#endif - -#ifdef NDEBUG -/* this actually compiles to nothing */ -#define ocspdErrorLog(args...) ocsp_secdebug("ocspdError", ## args) -#else -/*#define ocspdErrorLog(args...) printf(args)*/ -#define ocspdErrorLog(args...) ocsp_secdebug("ocspdError", ## args) -#endif - -#define ocspdDebug(args...) ocsp_secdebug("ocspd", ## args) -#define ocspdDbDebug(args...) ocsp_secdebug("ocspdDb", ## args) -#define ocspdCrlDebug(args...) ocsp_secdebug("ocspdCrlDebug", ## args) -#define ocspdTrustDebug(args...) ocsp_secdebug("ocspdTrustDebug", ## args) -#define ocspdHttpDebug(args...) ocsp_secdebug("ocspdHttp", ## args) -#define ocspdLdapDebug(args...) ocsp_secdebug("ocspdLdap", ## args) +#define ocspdErrorLog(args...) secnotice("ocspdError", ## args) +#define ocspdDebug(args...) secinfo("ocspd", ## args) +#define ocspdDbDebug(args...) secinfo("ocspdDb", ## args) +#define ocspdCrlDebug(args...) secinfo("ocspdCrlDebug", ## args) +#define ocspdTrustDebug(args...) secinfo("ocspdTrustDebug", ## args) +#define ocspdHttpDebug(args...) secinfo("ocspdHttp", ## args) +#define ocspdLdapDebug(args...) secinfo("ocspdLdap", ## args) #endif /* _OCSPD_DEBUGGING_H_ */ 
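Review bot: `ocspdErrorLog` now expands to `secnotice`, which, if it is os_log-backed like the other sec* macros in security_utilities/debugging.h, is emitted and retained in release builds, whereas the deleted `#ifdef NDEBUG` branch documented that the old macro "compiles to nothing" and the syslog path was opt-in via OCSP_USE_SYSLOG. Callers in the ocspd client and LDAP/HTTP fetch paths were written under that assumption, so the error-path messages should be audited for responder URLs, certificate subjects or raw response bytes before this lands, since those would now reach the unified log by default. The `OCSP_USE_SYSLOG` knob also disappears silently; a build that still defines it gets no warning. I would add a header comment above the new `ocspdErrorLog` define, `/* Always emitted at notice level in every build; keep the message free of request/response contents. */`, and consider `#ifdef OCSP_USE_SYSLOG` / `#warning OCSP_USE_SYSLOG is no longer honored` for the transition.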
diff --git a/OSX/libsecurity_ocspd/libsecurity_ocspd.xcodeproj/project.pbxproj b/OSX/libsecurity_ocspd/libsecurity_ocspd.xcodeproj/project.pbxproj index 20bcbb03..dc39772d 100644 --- a/OSX/libsecurity_ocspd/libsecurity_ocspd.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_ocspd/libsecurity_ocspd.xcodeproj/project.pbxproj 
@@ -52,7 +52,7 @@ 051BDB6D069B36CD00F9D07E /* mig.mk */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = mig.mk; sourceTree = "<group>"; }; 051BDB6E069B36CD00F9D07E /* ocspd.defs */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.mig; path = ocspd.defs; sourceTree = "<group>"; }; 051BDB71069B36EA00F9D07E /* ocspd_client.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = ocspd_client.cpp; path = derived_src/security_ocspd/ocspd_client.cpp; sourceTree = BUILT_PRODUCTS_DIR; }; - 056FCCE6069B389300F710C4 /* ocspdDebug.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = ocspdDebug.h; path = common/ocspdDebug.h; sourceTree = SOURCE_ROOT; }; + 056FCCE6069B389300F710C4 /* ocspdDebug.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; name = ocspdDebug.h; path = common/ocspdDebug.h; sourceTree = SOURCE_ROOT; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 056FCCEE069B390A00F710C4 /* ocspd.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = ocspd.h; path = derived_src/security_ocspd/ocspd.h; sourceTree = BUILT_PRODUCTS_DIR; }; 056FCCEF069B390A00F710C4 /* ocspd_server.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = ocspd_server.cpp; path = derived_src/security_ocspd/ocspd_server.cpp; sourceTree = BUILT_PRODUCTS_DIR; }; 056FCDBE069B429900F710C4 /* ocspdTypes.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = ocspdTypes.h; sourceTree = "<group>"; }; @@ -220,7 +220,6 @@ buildRules = ( ); dependencies = ( - 182BB3C3146F1D93000BF1F3 /* PBXTargetDependency */, 18446129146E88C600B12992 /* PBXTargetDependency */, ); name = libsecurity_ocspd; 
@@ -235,7 +234,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3BA0987FCDF001272E0 /* Build configuration list for PBXProject "libsecurity_ocspd" */; compatibilityVersion = "Xcode 3.2"; @@ -278,12 +277,17 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/", + "$(SRCROOT)/mig/", + "$(SRCROOT)/client/", + "$(SRCROOT)/common/", ); outputPaths = ( + "${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "nmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + shellScript = "# with our source directories as input files, Xcode will only re-run this phase if there's been a source change\nnmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; }; /* End PBXShellScriptBuildPhase section */ @@ -358,13 +362,22 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1844612D146E894C00B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; 
@@ -372,13 +385,20 @@ isa = XCBuildConfiguration; baseConfigurationReference = 1844612D146E894C00B12992 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_pkcs12/lib/pkcs12Debug.h b/OSX/libsecurity_pkcs12/lib/pkcs12Debug.h index 7e0b97cd..066e3f11 100644 --- a/OSX/libsecurity_pkcs12/lib/pkcs12Debug.h +++ b/OSX/libsecurity_pkcs12/lib/pkcs12Debug.h @@ -32,7 +32,7 @@ #ifdef NDEBUG /* this actually compiles to nothing */ -#define p12ErrorLog(args...) secdebug("p12Error", ## args) +#define p12ErrorLog(args...) secinfo("p12Error", ## args) #define p12LogCssmError(op, err) #else #define p12ErrorLog(args...) printf(args) @@ -40,9 +40,9 @@ #endif /* individual debug loggers */ -#define p12DecodeLog(args...) secdebug("p12Decode", ## args) -#define p12EncodeLog(args...) secdebug("p12Encode", ## args) -#define p12CryptoLog(args...) secdebug("p12Crypto", ## args) +#define p12DecodeLog(args...) secinfo("p12Decode", ## args) +#define p12EncodeLog(args...) secinfo("p12Encode", ## args) +#define p12CryptoLog(args...) secinfo("p12Crypto", ## args) #endif /* _PKCS12_TEMPLATES_H_ */ diff --git a/OSX/libsecurity_pkcs12/lib/pkcs12Utils.cpp b/OSX/libsecurity_pkcs12/lib/pkcs12Utils.cpp index 7ad4593c..618ea3de 100644 --- a/OSX/libsecurity_pkcs12/lib/pkcs12Utils.cpp +++ b/OSX/libsecurity_pkcs12/lib/pkcs12Utils.cpp 
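Review bot: In the pkcs12Debug.h hunk the retained comment `/* this actually compiles to nothing */` above the NDEBUG `p12ErrorLog` is now wrong: `secinfo` is a runtime log call (info level, so presumably not persisted by default, but still compiled in and evaluated), not an empty expansion. The comment should say what the macro does now, e.g. `/* release builds: info-level os_log, compiled in but not persisted by default */`. Note also that the NDEBUG `p12LogCssmError(op, err)` stays empty, so CSSM error codes from PKCS#12 import are never logged in release builds; routing it through `secinfo("p12Error", ...)` as well would keep the two error macros consistent with this change.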
@@ -133,14 +133,18 @@ CSSM_DATA_PTR p12StringToUtf8(
 if(cfStr == NULL) {
 return NULL;
 }
- CFIndex strLen = CFStringGetLength(cfStr);
+
+ CFIndex strLen = 0;
+ CFRange range = { 0, CFStringGetLength(cfStr) };
+ CFStringGetBytes(cfStr, range, kCFStringEncodingUTF8, 0, FALSE, NULL, 0, &strLen);
 if(strLen == 0) {
 return NULL;
 }
+
 CSSM_DATA_PTR rtn = coder.mallocn<CSSM_DATA>();
- coder.allocItem(*rtn, strLen + 1);
- if(!CFStringGetCString(cfStr, (char *)rtn->Data,strLen + 1,
- kCFStringEncodingUTF8)) {
+ coder.allocItem(*rtn, strLen);
+
+ if(!CFStringGetBytes(cfStr, range, kCFStringEncodingUTF8, 0, FALSE, (UInt8*)rtn->Data, strLen, &strLen)) {
 /* not convertible from native Unicode to UTF8 */
 return NULL;
 }
diff --git a/OSX/libsecurity_pkcs12/libsecurity_pkcs12.xcodeproj/project.pbxproj b/OSX/libsecurity_pkcs12/libsecurity_pkcs12.xcodeproj/project.pbxproj
index 907bb45b..7df8b7ca 100644
--- a/OSX/libsecurity_pkcs12/libsecurity_pkcs12.xcodeproj/project.pbxproj
+++ b/OSX/libsecurity_pkcs12/libsecurity_pkcs12.xcodeproj/project.pbxproj
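Review bot: The new conversion silently truncates instead of failing: `CFStringGetBytes` returns the number of characters converted, not a success flag, and with lossByte 0 it stops at the first character UTF-8 cannot encode (e.g. a lone surrogate), so the `if(!CFStringGetBytes(...))` test only catches the zero-characters case and a partially converted string is returned as if complete, whereas the old `CFStringGetCString` path returned NULL for an unconvertible string. The second call also overwrites `strLen` with usedBufLen, which removes the only value you could compare against the allocation. Separately, the buffer is no longer NUL-terminated (old size was strLen + 1), which is fine for length-counted SecAsn1Item consumers but worth a comment for anyone who previously treated `rtn->Data` as a C string. `p12StringToUtf8` begins and ends outside the hunk. I would rewrite the tail of the hunk as below.
```cpp
	CSSM_DATA_PTR rtn = coder.mallocn<CSSM_DATA>();
	coder.allocItem(*rtn, strLen);   /* exact UTF-8 byte count, no NUL terminator */

	CFIndex usedLen = 0;
	CFIndex converted = CFStringGetBytes(cfStr, range, kCFStringEncodingUTF8, 0, FALSE,
		(UInt8*)rtn->Data, strLen, &usedLen);
	if(converted != range.length || usedLen != strLen) {
		/* not fully convertible to UTF-8 (e.g. lone surrogate): fail rather than truncate */
		return NULL;
	}
```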
@@ -48,7 +48,7 @@ /* Begin PBXFileReference section */ 05396DB50417A34400003D05 /* pkcs12BagAttrs.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = pkcs12BagAttrs.cpp; sourceTree = "<group>"; }; - 05396DB90417B81000003D05 /* pkcs12Debug.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pkcs12Debug.h; sourceTree = "<group>"; }; + 05396DB90417B81000003D05 /* pkcs12Debug.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = pkcs12Debug.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 054289210416A4EA00003D05 /* pkcs12SafeBag.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pkcs12SafeBag.h; sourceTree = "<group>"; }; 054289230416A5A800003D05 /* pkcs12BagAttrs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pkcs12BagAttrs.h; sourceTree = "<group>"; }; 054289250416AA2F00003D05 /* pkcs12Coder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pkcs12Coder.h; sourceTree = "<group>"; }; @@ -184,7 +184,6 @@ buildRules = ( ); dependencies = ( - 182BB3E3146F204A000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_pkcs12; productInstallPath = /usr/local/lib; @@ -198,7 +197,7 @@ 0592AC85041551E100003D05 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3C80987FCDF001272E0 /* Build configuration list for PBXProject "libsecurity_pkcs12" */; compatibilityVersion = "Xcode 3.2"; 
@@ -283,12 +282,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB3D9146F1F86000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -296,12 +304,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB3D9146F1F86000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_sd_cspdl/lib/SDCSPDLPlugin.cpp b/OSX/libsecurity_sd_cspdl/lib/SDCSPDLPlugin.cpp index 7b37b9f8..1d267ac6 100644 --- a/OSX/libsecurity_sd_cspdl/lib/SDCSPDLPlugin.cpp +++ b/OSX/libsecurity_sd_cspdl/lib/SDCSPDLPlugin.cpp 
@@ -101,8 +101,8 @@ void SDCSPDLPlugin::consume(NotificationDomain domain, NotificationEvent event, if (const NameValuePair *uidp = nvd.FindByName(SSUID_KEY)) { CssmSubserviceUid *uid = (CssmSubserviceUid *)uidp->Value().data(); assert(uid); - secdebug("sdcspdl", "sending callback %d upstream", event); + secinfo("sdcspdl", "sending callback %d upstream", event); sendCallback(event, n2h (uid->subserviceId()), CSSM_SERVICE_DL | CSSM_SERVICE_CSP); } else - secdebug("sdcspdl", "callback event %d has no SSUID data", event); + secinfo("sdcspdl", "callback event %d has no SSUID data", event); } diff --git a/OSX/libsecurity_sd_cspdl/lib/SDCSPSession.cpp b/OSX/libsecurity_sd_cspdl/lib/SDCSPSession.cpp index 8a29dba7..b72e2e52 100644 --- a/OSX/libsecurity_sd_cspdl/lib/SDCSPSession.cpp +++ b/OSX/libsecurity_sd_cspdl/lib/SDCSPSession.cpp @@ -337,8 +337,8 @@ SDCSPSession::ObtainPrivateKeyFromPublicKey(const CssmKey &PublicKey, void SDCSPSession::QueryKeySizeInBits(CSSM_CC_HANDLE CCHandle, - const Context &Context, - const CssmKey &Key, + const Context *Context, + const CssmKey *Key, CSSM_KEY_SIZE &KeySize) { unimplemented(); @@ -361,7 +361,7 @@ SDCSPSession::FreeKey(const AccessCredentials *accessCred, // Find the key in the map. Tell tell the key to free itself // (when the auto_ptr deletes the key it removes itself from the map). - secdebug("freeKey", "CSPDL FreeKey"); + secinfo("freeKey", "CSPDL FreeKey"); auto_ptr<SDKey> ssKey(&mSDCSPDLSession.find<SDKey>(ioKey)); ssKey->free(accessCred, ioKey, deleteKey); } diff --git a/OSX/libsecurity_sd_cspdl/lib/SDCSPSession.h b/OSX/libsecurity_sd_cspdl/lib/SDCSPSession.h index 530bbd23..5b9f0e99 100644 --- a/OSX/libsecurity_sd_cspdl/lib/SDCSPSession.h +++ b/OSX/libsecurity_sd_cspdl/lib/SDCSPSession.h 
@@ -126,8 +126,8 @@ public: void ObtainPrivateKeyFromPublicKey(const CssmKey &PublicKey, CssmKey &PrivateKey); void QueryKeySizeInBits(CSSM_CC_HANDLE CCHandle, - const Context &Context, - const CssmKey &Key, + const Context *Context, + const CssmKey *Key, CSSM_KEY_SIZE &KeySize); void FreeKey(const AccessCredentials *AccessCred, CssmKey &key, CSSM_BOOL Delete); diff --git a/OSX/libsecurity_sd_cspdl/lib/SDContext.cpp b/OSX/libsecurity_sd_cspdl/lib/SDContext.cpp index b6ebdc87..1717eaf5 100644 --- a/OSX/libsecurity_sd_cspdl/lib/SDContext.cpp +++ b/OSX/libsecurity_sd_cspdl/lib/SDContext.cpp @@ -31,7 +31,7 @@ #include "SDKey.h" #include <security_utilities/debugging.h> -#define ssCryptDebug(args...) secdebug("ssCrypt", ## args) +#define ssCryptDebug(args...) secinfo("ssCrypt", ## args) using namespace SecurityServer; diff --git a/OSX/libsecurity_sd_cspdl/lib/SDDLSession.cpp b/OSX/libsecurity_sd_cspdl/lib/SDDLSession.cpp index a3aafbee..5a4f09c9 100644 --- a/OSX/libsecurity_sd_cspdl/lib/SDDLSession.cpp +++ b/OSX/libsecurity_sd_cspdl/lib/SDDLSession.cpp @@ -262,18 +262,18 @@ SDDLSession::postGetRecord(RecordHandle record, U32HandleObject::Handle resultsH catch (...) { try { mClientSession.releaseRecord(record); } - catch(...) { secdebug("ssCrypt", "releaseRecord threw during catch"); } + catch(...) { secinfo("ssCrypt", "releaseRecord threw during catch"); } if (resultsHandle != CSSM_INVALID_HANDLE) { try { mClientSession.releaseSearch(resultsHandle); } - catch(...) { secdebug("ssCrypt", "releaseSearch threw during catch"); } + catch(...) { secinfo("ssCrypt", "releaseSearch threw during catch"); } } throw; } } else { // not a key if (hKey != noKey) { try { mClientSession.releaseRecord(record); } - catch(...) { secdebug("ssCrypt", "failed releasing bogus key handle"); } + catch(...) { secinfo("ssCrypt", "failed releasing bogus key handle"); } CssmError::throwMe(CSSMERR_CSP_INVALID_KEY); } } 
@@ -452,7 +452,7 @@ SDDLSession::PassThrough(CSSM_DB_HANDLE inDbHandle, const AclEntryInfo &slot = acls.at(0); if (acls.size() > 1) - secdebug("acl", + secinfo("acl", "Using entry handle %ld from %d total candidates", slot.handle(), acls.size()); AclEdit edit(slot.handle(), slot.proto()); diff --git a/OSX/libsecurity_sd_cspdl/libsecurity_sd_cspdl.xcodeproj/project.pbxproj b/OSX/libsecurity_sd_cspdl/libsecurity_sd_cspdl.xcodeproj/project.pbxproj index f0f8d639..89e7ed41 100644 --- a/OSX/libsecurity_sd_cspdl/libsecurity_sd_cspdl.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_sd_cspdl/libsecurity_sd_cspdl.xcodeproj/project.pbxproj @@ -34,13 +34,6 @@ remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; remoteInfo = libsecurity_cdsa_plugin; }; - 182BB3D3146F1E6D000BF1F3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 182BB3CC146F1E61000BF1F3 /* libsecurity_cdsa_plugin.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = C2C38A530535EDE600D7421F; - remoteInfo = libsecurity_cdsa_plugin_generate; - }; /* End PBXContainerItemProxy section */ /* Begin PBXFileReference section */ 
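Review bot: The format string carried by the new `secinfo("acl", ...)` call in `SDDLSession::PassThrough` passes `acls.size()` (a `size_t`) for `%d` and `slot.handle()` for `%ld`; if `secinfo` now expands to an os_log call with compile-time format checking, this is at best a -Wformat diagnostic, which the pbxproj hunks in this same commit turn into an error via GCC_TREAT_WARNINGS_AS_ERRORS, and at worst a mis-rendered 64-bit value on the old dtrace path. I would change the two context lines to `"Using entry handle %ld from %zu total candidates",` and `(long)slot.handle(), acls.size());`, assuming the handle type is integral (not visible here). The enclosing function starts and ends outside the hunk.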
@@ -52,18 +45,18 @@ 4094B0AB057EA69D00B44BCC /* sd_cspdl_common.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text.xml; path = sd_cspdl_common.mdsinfo; sourceTree = "<group>"; }; 4C2741E905D463310072C0F2 /* APPLE_LICENSE */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = APPLE_LICENSE; sourceTree = "<group>"; }; 4CA1FEBE052A3C8100F22E42 /* libsecurity_sd_cspdl.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libsecurity_sd_cspdl.a; sourceTree = BUILT_PRODUCTS_DIR; }; - 4CC3A0A805D45BC200484B20 /* SDContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SDContext.cpp; sourceTree = "<group>"; }; + 4CC3A0A805D45BC200484B20 /* SDContext.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SDContext.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CC3A0A905D45BC200484B20 /* SDContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SDContext.h; sourceTree = "<group>"; }; 4CC3A0AA05D45BC200484B20 /* SDCSPDLBuiltin.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SDCSPDLBuiltin.cpp; sourceTree = "<group>"; }; 4CC3A0AB05D45BC200484B20 /* SDCSPDLDatabase.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SDCSPDLDatabase.cpp; sourceTree = "<group>"; }; 4CC3A0AC05D45BC200484B20 /* SDCSPDLDatabase.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SDCSPDLDatabase.h; sourceTree = "<group>"; }; - 4CC3A0AD05D45BC200484B20 /* SDCSPDLPlugin.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SDCSPDLPlugin.cpp; sourceTree = "<group>"; }; + 4CC3A0AD05D45BC200484B20 /* SDCSPDLPlugin.cpp */ = {isa = PBXFileReference; 
fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SDCSPDLPlugin.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CC3A0AE05D45BC200484B20 /* SDCSPDLPlugin.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SDCSPDLPlugin.h; sourceTree = "<group>"; }; 4CC3A0AF05D45BC200484B20 /* SDCSPDLSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SDCSPDLSession.cpp; sourceTree = "<group>"; }; 4CC3A0B005D45BC200484B20 /* SDCSPDLSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SDCSPDLSession.h; sourceTree = "<group>"; }; - 4CC3A0B105D45BC200484B20 /* SDCSPSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SDCSPSession.cpp; sourceTree = "<group>"; }; + 4CC3A0B105D45BC200484B20 /* SDCSPSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SDCSPSession.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CC3A0B205D45BC200484B20 /* SDCSPSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SDCSPSession.h; sourceTree = "<group>"; }; - 4CC3A0B505D45BC200484B20 /* SDDLSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SDDLSession.cpp; sourceTree = "<group>"; }; + 4CC3A0B505D45BC200484B20 /* SDDLSession.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SDDLSession.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CC3A0B605D45BC200484B20 /* SDDLSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SDDLSession.h; sourceTree = "<group>"; }; 4CC3A0B705D45BC200484B20 /* 
SDFactory.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = SDFactory.cpp; sourceTree = "<group>"; }; 4CC3A0B805D45BC200484B20 /* SDFactory.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SDFactory.h; sourceTree = "<group>"; }; @@ -186,7 +179,6 @@ buildRules = ( ); dependencies = ( - 182BB3D4146F1E6D000BF1F3 /* PBXTargetDependency */, ); name = libsecurity_sd_cspdl; productInstallPath = /usr/local/lib; @@ -200,7 +192,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD3DE0987FCDF001272E0 /* Build configuration list for PBXProject "libsecurity_sd_cspdl" */; compatibilityVersion = "Xcode 3.2"; @@ -254,14 +246,6 @@ }; /* End PBXSourcesBuildPhase section */ -/* Begin PBXTargetDependency section */ - 182BB3D4146F1E6D000BF1F3 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - name = libsecurity_cdsa_plugin_generate; - targetProxy = 182BB3D3146F1E6D000BF1F3 /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - /* Begin XCBuildConfiguration section */ C27AD3D70987FCDF001272E0 /* Debug */ = { isa = XCBuildConfiguration; @@ -291,12 +275,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB3C9146F1DE0000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; 
@@ -304,12 +297,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB3C9146F1DE0000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_smime/TODO b/OSX/libsecurity_smime/TODO deleted file mode 100644 index 9c9564f0..00000000 --- a/OSX/libsecurity_smime/TODO +++ /dev/null @@ -1,9 +0,0 @@ -cmsattr.c -cmsdecode.c -cmsdigest.c -cmsrecinfo.c -cmssigdata.c -cmssiginfo.c - -* Support NSS_CMSRecipientInfo_Encode - cmst.h and cms.h changes. diff --git a/OSX/libsecurity_smime/lib/SecCMS.c b/OSX/libsecurity_smime/lib/SecCMS.c index bcb2552a..0bf6f89f 100644 --- a/OSX/libsecurity_smime/lib/SecCMS.c +++ b/OSX/libsecurity_smime/lib/SecCMS.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2014-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -24,16 +24,381 @@ #include <AssertMacros.h> -#include <Security/SecCmsDecoder.h> +#include <security_asn1/secasn1.h> + +#include <Security/SecCmsBase.h> #include <Security/SecCmsMessage.h> -#include <Security/SecCmsContentInfo.h> #include <Security/SecCmsSignedData.h> +#include <Security/SecCmsContentInfo.h> +#include <Security/SecCmsSignerInfo.h> #include <Security/SecCertificate.h> #include <Security/SecCertificatePriv.h> +#include <Security/SecCmsDecoder.h> +#include <Security/SecCmsEncoder.h> +#include <Security/SecCmsDigestContext.h> +#include <secitem.h> +#include <cmslocal.h> +#include "cmstpriv.h" +#include "cmspriv.h" #include <SecCMS.h> +CFTypeRef kSecCMSSignDigest = CFSTR("kSecCMSSignDigest"); +CFTypeRef kSecCMSSignDetached = CFSTR("kSecCMSSignDetached"); +CFTypeRef kSecCMSCertChainMode = CFSTR("kSecCMSCertChainMode"); +CFTypeRef kSecCMSAdditionalCerts = CFSTR("kSecCMSAdditionalCerts"); +CFTypeRef kSecCMSSignedAttributes = CFSTR("kSecCMSSignedAttributes"); +CFTypeRef kSecCMSSignDate = CFSTR("kSecCMSSignDate"); +CFTypeRef kSecCMSAllCerts = CFSTR("kSecCMSAllCerts"); + +CFTypeRef kSecCMSSignHashAlgorithm = CFSTR("kSecCMSSignHashAlgorithm"); +CFTypeRef kSecCMSHashingAlgorithmSHA1 = CFSTR("kSecCMSHashingAlgorithmSHA1"); +CFTypeRef kSecCMSHashingAlgorithmSHA256 = CFSTR("kSecCMSHashingAlgorithmSHA256"); +CFTypeRef kSecCMSHashingAlgorithmSHA384 = CFSTR("kSecCMSHashingAlgorithmSHA384"); +CFTypeRef kSecCMSHashingAlgorithmSHA512 = CFSTR("kSecCMSHashingAlgorithmSHA512"); + +static SecCmsAttribute * +make_attr(PLArenaPool *poolp, SecAsn1Item *type, SecAsn1Item *value, bool encoded) +{ + SecAsn1Item * copiedvalue; + SecCmsAttribute *attr = (SecCmsAttribute *)PORT_ArenaZAlloc(poolp, sizeof(SecCmsAttribute)); + if (attr == NULL) + goto loser; + + if (SECITEM_CopyItem(poolp, &(attr->type), type) != SECSuccess) + goto loser; + + if (value != NULL) { + if ((copiedvalue = SECITEM_AllocItem(poolp, NULL, value->Length)) == NULL) + goto loser; + + if 
(SECITEM_CopyItem(poolp, copiedvalue, value) != SECSuccess) + goto loser; + + if (SecCmsArrayAdd(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess) + goto loser; + } + + attr->encoded = encoded; + +loser: + return attr; +} + +static void +signerinfo_add_auth_attr(SecCmsSignerInfoRef signerinfo, /*SECOidTag oidtag*/ + SecAsn1Item *oid, SecAsn1Item *value, bool encoded) +{ + PLArenaPool *poolp = signerinfo->cmsg->poolp; + PORT_Assert (poolp != NULL); + void *mark = PORT_ArenaMark (poolp); + + SecCmsAttribute *attr = make_attr(poolp, oid, value, encoded); + if (!attr || SecCmsAttributeArrayAddAttr(poolp, &(signerinfo->authAttr), attr) != SECSuccess) + goto loser; + + PORT_ArenaUnmark (poolp, mark); + return; + +loser: + PORT_Assert (mark != NULL); + PORT_ArenaRelease (poolp, mark); + return; +} + +static void sign_all_attributes(const void *key, const void *value, void *context) +{ + SecAsn1Item oid = { CFDataGetLength(key), (uint8_t*)CFDataGetBytePtr(key) }, + oid_value = { CFDataGetLength(value), (uint8_t*)CFDataGetBytePtr(value) }; + + signerinfo_add_auth_attr((SecCmsSignerInfoRef)context, &oid, &oid_value, true); +} + +static OSStatus SecCMSSignDataOrDigestAndAttributes(SecIdentityRef identity, + CFDataRef data, bool detached, bool data_is_digest, SECOidTag sign_algorithm, + CFMutableDataRef signed_data, CFDictionaryRef signed_attributes, SecCmsCertChainMode chainMode, CFArrayRef additional_certs) +{ + SecCmsMessageRef cmsg = NULL; + SecCmsContentInfoRef cinfo; + SecCmsSignedDataRef sigd = NULL; + SecCmsSignerInfoRef signerinfo; + OSStatus status = errSecParam; + PLArenaPool *arena = NULL; + + require(!data_is_digest || detached /* if digest, must be detached */, out); + + require(cmsg = SecCmsMessageCreate(NULL), out); + require(sigd = SecCmsSignedDataCreate(cmsg), out); + require(cinfo = SecCmsMessageGetContentInfo(cmsg), out); + require_noerr(SecCmsContentInfoSetContentSignedData(cmsg, cinfo, sigd), out); + require(cinfo = 
SecCmsSignedDataGetContentInfo(sigd), out); + require_noerr(SecCmsContentInfoSetContentData(cmsg, cinfo, NULL, detached), out); + require(signerinfo = SecCmsSignerInfoCreate(cmsg, identity, sign_algorithm), out); + if (additional_certs) + require_noerr(SecCmsSignedDataAddCertList(sigd, additional_certs), out); + require_noerr(SecCmsSignerInfoIncludeCerts(signerinfo, chainMode, certUsageAnyCA), out); + require_noerr(SecCmsSignerInfoAddSigningTime(signerinfo, CFAbsoluteTimeGetCurrent()), out); + + if (signed_attributes) + CFDictionaryApplyFunction(signed_attributes, sign_all_attributes, signerinfo); + + SecAsn1Item input = {}; + if (data) { + input.Length = CFDataGetLength(data); + input.Data = (uint8_t*)CFDataGetBytePtr(data); + } + + CSSM_DATA cssm_signed_data = {0, NULL}; + // make an encoder context + if ((arena = PORT_NewArena(1024)) == NULL) { + goto out; + } + if (data_is_digest) { + require_noerr(SecCmsSignedDataSetDigestValue(sigd, sign_algorithm, &input), out); + require_noerr(SecCmsMessageEncode(cmsg, NULL, (SecArenaPoolRef)arena, &cssm_signed_data), out); + } + else + require_noerr(SecCmsMessageEncode(cmsg,(data && input.Length) ? 
&input : NULL, + (SecArenaPoolRef)arena, &cssm_signed_data), out); + + if (signed_data && cssm_signed_data.Data) { + CFDataAppendBytes(signed_data, cssm_signed_data.Data, cssm_signed_data.Length); + } + + status = errSecSuccess; +out: + if (arena) PORT_FreeArena(arena, PR_FALSE); + if (cmsg) SecCmsMessageDestroy(cmsg); + return status; +} + +OSStatus SecCMSCreateSignedData(SecIdentityRef identity, CFDataRef data, + CFDictionaryRef parameters, CFDictionaryRef signed_attributes, + CFMutableDataRef signed_data) +{ + bool is_digest = false, is_detached = false; + CFStringRef algorithm_name = NULL; + SecCmsCertChainMode chain_mode = SecCmsCMCertChain; + CFArrayRef additional_certs = NULL; + + if (parameters) { + is_digest = CFDictionaryGetValueIfPresent(parameters, + kSecCMSSignDigest, NULL); + is_detached = CFDictionaryGetValueIfPresent(parameters, + kSecCMSSignDetached, NULL); + algorithm_name = CFDictionaryGetValue(parameters, + kSecCMSSignHashAlgorithm); + + CFTypeRef chain_mode_param = CFDictionaryGetValue(parameters, kSecCMSCertChainMode); + if (chain_mode_param && (CFGetTypeID(chain_mode_param) == CFStringGetTypeID())) + chain_mode = CFStringGetIntValue(chain_mode_param); + + CFTypeRef additional_certs_param = CFDictionaryGetValue(parameters, kSecCMSAdditionalCerts); + if (additional_certs_param && (CFGetTypeID(additional_certs_param) == CFArrayGetTypeID())) + additional_certs = (CFArrayRef)additional_certs_param; + } + + SECOidTag algorithm = SEC_OID_SHA1; + if (algorithm_name) { + if (CFEqual(kSecCMSHashingAlgorithmSHA1, algorithm_name)) { + algorithm = SEC_OID_SHA1; + } else if (CFEqual(kSecCMSHashingAlgorithmSHA256, algorithm_name)) { + algorithm = SEC_OID_SHA256; + } else if (CFEqual(kSecCMSHashingAlgorithmSHA384, algorithm_name)) { + algorithm = SEC_OID_SHA384; + } else if (CFEqual(kSecCMSHashingAlgorithmSHA512, algorithm_name)) { + algorithm = SEC_OID_SHA512; + } else { + // signing with MD5 is no longer allowed + algorithm = SEC_OID_UNKNOWN; + } + } + + 
return SecCMSSignDataOrDigestAndAttributes(identity, data, + is_detached, is_digest, algorithm, + signed_data, signed_attributes, chain_mode, additional_certs); +} + +static OSStatus +SecCmsSignedDataSetDigestContext(SecCmsSignedDataRef sigd, + SecCmsDigestContextRef digestContext) +{ + SecAsn1Item * *digests; + + PLArenaPool *arena = NULL; + + if ((arena = PORT_NewArena(1024)) == NULL) + goto loser; + + if (SecCmsDigestContextFinishMultiple(digestContext, (SecArenaPoolRef)arena, &digests) != SECSuccess) + goto loser; + + SECAlgorithmID **digestAlgorithms = SecCmsSignedDataGetDigestAlgs(sigd); + if(digestAlgorithms == NULL) { + goto loser; + } + + if (SecCmsSignedDataSetDigests(sigd, digestAlgorithms, digests) != SECSuccess) + goto loser; + + return 0; +loser: + if (arena) + PORT_FreeArena(arena, PR_FALSE); + return PORT_GetError(); +} + +static CFMutableArrayRef copy_signed_attribute_values(SecCmsAttribute *attr) +{ + CFMutableArrayRef array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + SecAsn1Item **item = attr->values; + if (item) while (*item) { + CFDataRef asn1data = CFDataCreate(kCFAllocatorDefault, (*item)->Data, (*item)->Length); + if (asn1data) { + CFArrayAppendValue(array, asn1data); + CFRelease(asn1data); + } + item++; + } + return array; +} + +static OSStatus SecCMSVerifySignedData_internal(CFDataRef message, CFDataRef detached_contents, + CFTypeRef policy, SecTrustRef *trustref, CFArrayRef additional_certs, + CFDataRef *attached_contents, CFDictionaryRef *signed_attributes) +{ + SecCmsMessageRef cmsg = NULL; + SecCmsContentInfoRef cinfo; + SecCmsSignedDataRef sigd = NULL; + OSStatus status = errSecParam; + + SecAsn1Item encoded_message = { CFDataGetLength(message), (uint8_t*)CFDataGetBytePtr(message) }; + require_noerr_action_quiet(SecCmsMessageDecode(&encoded_message, NULL, NULL, NULL, NULL, NULL, NULL, &cmsg), + out, status = errSecDecode); + /* expected to be a signed data message at the top level */ + require_quiet(cinfo 
= SecCmsMessageContentLevel(cmsg, 0), out); + require_quiet(SecCmsContentInfoGetContentTypeTag(cinfo) == SEC_OID_PKCS7_SIGNED_DATA, out); + require_quiet(sigd = (SecCmsSignedDataRef)SecCmsContentInfoGetContent(cinfo), out); + + if (detached_contents) + { + require_quiet(!SecCmsSignedDataHasDigests(sigd), out); + SECAlgorithmID **digestalgs = SecCmsSignedDataGetDigestAlgs(sigd); + SecCmsDigestContextRef digcx = SecCmsDigestContextStartMultiple(digestalgs); + SecCmsDigestContextUpdate(digcx, CFDataGetBytePtr(detached_contents), CFDataGetLength(detached_contents)); + SecCmsSignedDataSetDigestContext(sigd, digcx); + } + + if (additional_certs) + require_noerr_quiet(SecCmsSignedDataAddCertList(sigd, additional_certs), out); + + if (policy) { /* if no policy is given skip verification */ + /* find out about signers */ + int nsigners = SecCmsSignedDataSignerInfoCount(sigd); + require_quiet(nsigners == 1, out); + require_noerr_action_quiet(SecCmsSignedDataVerifySignerInfo(sigd, 0, NULL, policy, trustref), + out, status = errSecAuthFailed); + } + + status = errSecSuccess; + + if (attached_contents) { + const SecAsn1Item *content = SecCmsMessageGetContent(cmsg); + if (content) + *attached_contents = CFDataCreate(kCFAllocatorDefault, content->Data, content->Length); + else + *attached_contents = NULL; + } + + if (signed_attributes) { + CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, + 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + require_quiet(attrs, out); + SecCmsAttribute **signed_attrs = sigd->signerInfos[0]->authAttr; + if (signed_attrs) while (*signed_attrs) { + CFDataRef type = CFDataCreate(kCFAllocatorDefault, (*signed_attrs)->type.Data, (*signed_attrs)->type.Length); + if (type) { + CFMutableArrayRef attr = copy_signed_attribute_values(*signed_attrs); + if (attr) { + CFMutableArrayRef existing_attrs = (CFMutableArrayRef)CFDictionaryGetValue(attrs, type); + if (existing_attrs) { + CFIndex count = 
CFArrayGetCount(attr); + if (count) + CFArrayAppendArray(existing_attrs, attr, CFRangeMake(0, count)); + } else + CFDictionarySetValue(attrs, type, attr); + CFRelease(attr); + } + CFRelease(type); + } + signed_attrs++; + } + CFMutableArrayRef certs = NULL; + + SecAsn1Item **cert_datas = SecCmsSignedDataGetCertificateList(sigd); + certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + SecAsn1Item *cert_data; + if (cert_datas) while ((cert_data = *cert_datas) != NULL) { + SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, cert_data->Data, cert_data->Length); + if (cert) { + CFArrayAppendValue(certs, cert); + CFRelease(cert); + } + cert_datas++; + } + + CFDictionaryAddValue(attrs, kSecCMSAllCerts, certs); + + /* Add "cooked" values separately */ + CFAbsoluteTime signing_time; + if (errSecSuccess == SecCmsSignerInfoGetSigningTime(sigd->signerInfos[0], &signing_time)) { + CFDateRef signing_date = CFDateCreate(kCFAllocatorDefault, signing_time); + if (signing_date){ + CFDictionarySetValue(attrs, kSecCMSSignDate, signing_date); + if (signing_date) CFRelease(signing_date); + } + } + + *signed_attributes = attrs; + if (certs) CFRelease(certs); + } + + +out: + if (cmsg) SecCmsMessageDestroy(cmsg); + return status; +} + +OSStatus SecCMSVerifyCopyDataAndAttributes(CFDataRef message, CFDataRef detached_contents, + CFTypeRef policy, SecTrustRef *trustref, + CFDataRef *attached_contents, CFDictionaryRef *signed_attributes) +{ + OSStatus status = SecCMSVerifySignedData_internal(message, detached_contents, policy, trustref, NULL, attached_contents, signed_attributes); + + return status; +} + +OSStatus SecCMSVerifySignedData(CFDataRef message, CFDataRef detached_contents, + CFTypeRef policy, SecTrustRef *trustref, CFArrayRef additional_certificates, + CFDataRef *attached_contents, CFDictionaryRef *message_attributes) +{ + CFDictionaryRef signed_attributes = NULL; + OSStatus status = SecCMSVerifySignedData_internal(message, detached_contents, 
policy, trustref, additional_certificates, attached_contents, &signed_attributes); + if (!status && signed_attributes && message_attributes) { + *message_attributes = CFDictionaryCreate(kCFAllocatorDefault, &kSecCMSSignedAttributes, (const void **)&signed_attributes, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + } + if (signed_attributes) CFRelease(signed_attributes); + + return status; +} + +OSStatus SecCMSVerify(CFDataRef message, CFDataRef detached_contents, + CFTypeRef policy, SecTrustRef *trustref, + CFDataRef *attached_contents) { + return SecCMSVerifySignedData_internal(message, detached_contents, policy, trustref, NULL, attached_contents, NULL); +} + /* Designed to match the sec submodule implementation available for iOS */ CFArrayRef SecCMSCertificatesOnlyMessageCopyCertificates(CFDataRef message) { SecCmsMessageRef cmsg = NULL; 
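Review bot: In SecCMSVerifySignedData_internal the signed_attributes block dereferences `sigd->signerInfos[0]` without any signer-count check when `policy` is NULL, because the `nsigners == 1` require sits inside the `if (policy)` branch, so a certificates-only message with no signers reads a NULL entry; hoist the check, e.g. `require_quiet(SecCmsSignedDataSignerInfoCount(sigd) == 1, out);` before the `if (signed_attributes)` block. The detached-contents path in the same function neither checks `digcx` for NULL after SecCmsDigestContextStartMultiple nor looks at the return value of SecCmsSignedDataSetDigestContext, so a failure to install digests over the caller's content is carried silently into verification; `require_quiet(digcx, out);` and `require_noerr_quiet(SecCmsSignedDataSetDigestContext(sigd, digcx), out);` would propagate it. make_attr returns the partially built attribute on every `goto loser` because the label is also the success path; change the tail to `return attr;` followed by `loser: return NULL;` so that signerinfo_add_auth_attr's `!attr` test fires and the arena mark is released. SecCmsSignedDataSetDigestContext never frees `arena` on its success path; if the digests it allocates there must outlive the call, a comment saying the arena is deliberately left to the message's lifetime would help the next reader, otherwise it is a leak.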
@@ -72,6 +437,71 @@ out: } +extern const SecAsn1Template SecCmsMessageTemplate[]; + +CFDataRef SecCMSCreateCertificatesOnlyMessage(CFTypeRef cert_or_array_thereof) { + OSStatus status = errSecParam; + SecCmsMessageRef cmsg = NULL; + SecCmsContentInfoRef cinfo; + SecCmsSignedDataRef sigd = NULL; + CFMutableDataRef cert_only_signed_data = NULL; + CFArrayRef cert_array = NULL; + CFIndex cert_array_count = 0; + SecCertificateRef cert = NULL; + + require(cert_or_array_thereof, out); + + require(cmsg = SecCmsMessageCreate(NULL), out); + require(sigd = SecCmsSignedDataCreate(cmsg), out); + require_noerr(SecCmsContentInfoSetContentData(cmsg, &(sigd->contentInfo), NULL, PR_TRUE), out); + require(cinfo = SecCmsMessageGetContentInfo(cmsg), out); + require_noerr(SecCmsContentInfoSetContentSignedData(cmsg, cinfo, sigd), out); + long version = SEC_CMS_SIGNED_DATA_VERSION_BASIC; + require(SEC_ASN1EncodeInteger(cmsg->poolp, &(sigd->version), version), out); + + if (CFGetTypeID(cert_or_array_thereof) == SecCertificateGetTypeID()) { + cert_array = CFArrayCreate(kCFAllocatorDefault, &cert_or_array_thereof, 1, &kCFTypeArrayCallBacks); + } else if (CFGetTypeID(cert_or_array_thereof) == CFArrayGetTypeID()) { + cert_array = CFArrayCreateCopy(kCFAllocatorDefault, (CFArrayRef)cert_or_array_thereof); + } + + require(cert_array, out); + cert_array_count = CFArrayGetCount(cert_array); + require(cert_array_count > 0, out); + + sigd->rawCerts = (SecAsn1Item * *)PORT_ArenaAlloc(cmsg->poolp, (cert_array_count + 1) * sizeof(SecAsn1Item *)); + require(sigd->rawCerts, out); + CFIndex ix; + for (ix = 0; ix < cert_array_count; ix++) { + cert = (SecCertificateRef)CFArrayGetValueAtIndex(cert_array, ix); + require(cert, out); + + sigd->rawCerts[ix] = PORT_ArenaZAlloc(cmsg->poolp, sizeof(SecAsn1Item)); + SecAsn1Item cert_data = { SecCertificateGetLength(cert), + (uint8_t *)SecCertificateGetBytePtr(cert) }; + *(sigd->rawCerts[ix]) = cert_data; + } + sigd->rawCerts[ix] = NULL; + + /* this is a SET OF, so we 
need to sort them guys - we have the DER already, though */ + if (cert_array_count > 1) + SecCmsArraySort((void **)sigd->rawCerts, SecCmsUtilDERCompare, NULL, NULL); + + cert_only_signed_data = CFDataCreateMutable(kCFAllocatorDefault, 0); + SecAsn1Item cert_only_signed_data_item = {}; + require_quiet(SEC_ASN1EncodeItem(cmsg->poolp, &cert_only_signed_data_item, + cmsg, SecCmsMessageTemplate), out); + CFDataAppendBytes(cert_only_signed_data, cert_only_signed_data_item.Data, + cert_only_signed_data_item.Length); + + status = errSecSuccess; +out: + if (cert_array) { CFRelease(cert_array); } + if (status && cert_only_signed_data) { CFRelease(cert_only_signed_data); } + if (cmsg) SecCmsMessageDestroy(cmsg); + return cert_only_signed_data; +} + CFDataRef SecCMSCreateCertificatesOnlyMessageIAP(SecCertificateRef cert) { static const uint8_t header[] = { @@ -135,6 +565,3 @@ out: } return message; } - - - diff --git a/OSX/libsecurity_smime/lib/SecCMS.h b/OSX/libsecurity_smime/lib/SecCMS.h index 574dae1b..cb88a9ba 100644 --- a/OSX/libsecurity_smime/lib/SecCMS.h +++ b/OSX/libsecurity_smime/lib/SecCMS.h @@ -27,6 +27,21 @@ #include <CoreFoundation/CoreFoundation.h> #include <Security/SecBase.h> +#include <Security/SecTrust.h> + +extern const void * kSecCMSSignDigest; +extern const void * kSecCMSSignDetached; +extern const void * kSecCMSSignHashAlgorithm; +extern const void * kSecCMSCertChainMode; +extern const void * kSecCMSAdditionalCerts; +extern const void * kSecCMSSignedAttributes; +extern const void * kSecCMSSignDate; +extern const void * kSecCMSAllCerts; + +extern const void * kSecCMSHashingAlgorithmSHA1; +extern const void * kSecCMSHashingAlgorithmSHA256; +extern const void * kSecCMSHashingAlgorithmSHA384; +extern const void * kSecCMSHashingAlgorithmSHA512; /* Return an array of certificates contained in message, if message is of the type SignedData and has no signers, return NULL otherwise. Not that if 
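Review bot: The loop in SecCMSCreateCertificatesOnlyMessage only checks each `cert_array` element for NULL before passing it to SecCertificateGetLength, but `cert_or_array_thereof` is a CFTypeRef and the array path accepts any CFArray, so a non-certificate element reaches the certificate accessors; add `require(CFGetTypeID(cert) == SecCertificateGetTypeID(), out);` after the existing `require(cert, out);`. `sigd->rawCerts[ix] = PORT_ArenaZAlloc(...)` is then written through without a NULL check, and `cert_only_signed_data = CFDataCreateMutable(...)` is handed to CFDataAppendBytes unchecked, so both allocation failures become NULL dereferences instead of the errSecParam path that `out:` is set up for; `require(sigd->rawCerts[ix], out);` and `require(cert_only_signed_data, out);` close both.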
@@ -37,7 +52,59 @@ CFArrayRef SecCMSCertificatesOnlyMessageCopyCertificates(CFDataRef message); /* Create a degenerate PKCS#7 containing a cert or a CFArray of certs. */ +CFDataRef SecCMSCreateCertificatesOnlyMessage(CFTypeRef cert_or_array_thereof); CFDataRef SecCMSCreateCertificatesOnlyMessageIAP(SecCertificateRef cert); +/*! + @function SecCMSVerifyCopyDataAndAttributes + @abstract verify a signed data cms blob. + @param message the cms message to be parsed + @param detached_contents to pass detached contents (optional) + @param policy specifies policy or array thereof should be used (optional). + if none is passed the blob will **not** be verified and only + the attached contents will be returned. + @param trustref (output/optional) if specified, the trust chain built during + verification will not be evaluated but returned to the caller to do so. + @param attached_contents (output/optional) return a copy of the attached + contents. + @param signed_attributes (output/optional) return a copy of the signed + attributes as a CFDictionary from oids (CFData) to values + (CFArray of CFData). + @result A result code. See "Security Error Codes" (SecBase.h). + errSecDecode not a CMS message we can parse, + errSecAuthFailed bad signature, or untrusted signer if caller doesn't + ask for trustref, + errSecParam garbage in, garbage out. + */ +OSStatus SecCMSVerifyCopyDataAndAttributes(CFDataRef message, CFDataRef detached_contents, + CFTypeRef policy, SecTrustRef *trustref, + CFDataRef *attached_contents, CFDictionaryRef *signed_attributes); + +/*! + @function SecCMSVerify + @abstract same as SecCMSVerifyCopyDataAndAttributes, for binary compatibility. 
+ */ +OSStatus SecCMSVerify(CFDataRef message, CFDataRef detached_contents, + CFTypeRef policy, SecTrustRef *trustref, CFDataRef *attached_contents); + +OSStatus SecCMSVerifySignedData(CFDataRef message, CFDataRef detached_contents, + CFTypeRef policy, SecTrustRef *trustref, CFArrayRef additional_certificates, + CFDataRef *attached_contents, CFDictionaryRef *message_attributes); + +/*! + @function SecCMSCreateSignedData + @abstract create a signed data cms blob. + @param identity signer + @param data SHA-1 digest or message to be signed + @param parameters (input/optional) specify algorithm, detached, digest + @param signed_attributes (input/optional) signed attributes to insert + as a CFDictionary from oids (CFData) to value (CFData). + @param signed_data (output) return signed message. + @result A result code. See "Security Error Codes" (SecBase.h). + errSecParam garbage in, garbage out. + */ +OSStatus SecCMSCreateSignedData(SecIdentityRef identity, CFDataRef data, + CFDictionaryRef parameters, CFDictionaryRef signed_attributes, + CFMutableDataRef signed_data); #endif diff --git a/OSX/libsecurity_smime/lib/cmscinfo.c b/OSX/libsecurity_smime/lib/cmscinfo.c index e13acbe8..e7fecb2c 100644 --- a/OSX/libsecurity_smime/lib/cmscinfo.c +++ b/OSX/libsecurity_smime/lib/cmscinfo.c @@ -66,6 +66,8 @@ SecCmsContentInfoDestroy(SecCmsContentInfoRef cinfo) { SECOidTag kind; + if(!cinfo) return; + kind = SecCmsContentInfoGetContentTypeTag(cinfo); switch (kind) { case SEC_OID_PKCS7_ENVELOPED_DATA: diff --git a/OSX/libsecurity_smime/lib/cmscipher.c b/OSX/libsecurity_smime/lib/cmscipher.c index 02ec0873..a0016873 100644 --- a/OSX/libsecurity_smime/lib/cmscipher.c +++ b/OSX/libsecurity_smime/lib/cmscipher.c 
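Review bot: The SecCMSCreateSignedData comment describes `data` as a "SHA-1 digest or message to be signed", but the implementation selects SHA-256/384/512 from kSecCMSSignHashAlgorithm, so a digest passed with kSecCMSSignDigest must match the chosen algorithm; reword to `@param data digest (of the algorithm named by kSecCMSSignHashAlgorithm, SHA-1 by default) or message to be signed`. The same comment does not say that kSecCMSSignDigest is accepted only together with kSecCMSSignDetached, which the implementation requires and otherwise answers with errSecParam; one line under `@param parameters` stating that would save callers a failed call. SecCMSVerifySignedData is declared with no comment at all although it is the only verify entry point that takes `additional_certificates` and returns the attributes wrapped under kSecCMSSignedAttributes; a `/*! ... */` block on the pattern of its two neighbours, naming those two differences, is warranted.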
@@ -283,6 +283,7 @@ SecCmsCipherContextStart(PRArenaPool *poolp, SecSymmetricKeyRef key, SECAlgorith newParams = SEC_ASN1EncodeItem (poolp, &algid->parameters, &rc2, sec_rc2cbc_parameter_template); PORT_Free(rc2.rc2ParameterVersion.Data); + rc2.rc2ParameterVersion.Data = NULL; if (newParams == NULL) goto loser; break; @@ -322,10 +323,12 @@ SecCmsCipherContextStart(PRArenaPool *poolp, SecSymmetricKeyRef key, SECAlgorith goto loser; if (initVector.Length != iv.Length) { PORT_Free(iv.Data); + iv.Data = NULL; goto loser; } memcpy(initVector.Data, iv.Data, initVector.Length); PORT_Free(iv.Data); + iv.Data = NULL; break; } case SEC_OID_RC2_CBC: @@ -340,14 +343,18 @@ SecCmsCipherContextStart(PRArenaPool *poolp, SecSymmetricKeyRef key, SECAlgorith if (initVector.Length != rc2.iv.Length) { PORT_Free(rc2.iv.Data); + rc2.iv.Data = NULL; PORT_Free(rc2.rc2ParameterVersion.Data); + rc2.rc2ParameterVersion.Data = NULL; goto loser; } memcpy(initVector.Data, rc2.iv.Data, initVector.Length); PORT_Free(rc2.iv.Data); + rc2.iv.Data = NULL; ulEffectiveBits = rc2_map(&rc2.rc2ParameterVersion); PORT_Free(rc2.rc2ParameterVersion.Data); + rc2.rc2ParameterVersion.Data = NULL; if (ulEffectiveBits != cssmKey->KeyHeader.LogicalKeySizeInBits) goto loser; break; diff --git a/OSX/libsecurity_smime/lib/cmsdecode.c b/OSX/libsecurity_smime/lib/cmsdecode.c index 765a1685..f6112e78 100644 --- a/OSX/libsecurity_smime/lib/cmsdecode.c +++ b/OSX/libsecurity_smime/lib/cmsdecode.c @@ -676,9 +676,16 @@ SecCmsDecoderDestroy(SecCmsDecoderRef p7dcx) { /* XXXX what about inner decoders? running digests? decryption? */ /* XXXX there's a leak here! */ - SecCmsMessageDestroy(p7dcx->cmsg); - if (p7dcx->dcx) + if (p7dcx->cmsg) { + SecCmsMessageDestroy(p7dcx->cmsg); + } + if (p7dcx->dcx) { (void)SEC_ASN1DecoderFinish(p7dcx->dcx); + } + /* Clear out references */ + p7dcx->cmsg = NULL; + p7dcx->dcx = NULL; + p7dcx->childp7dcx = NULL; PORT_Free(p7dcx); } 
@@ -696,7 +703,9 @@ SecCmsDecoderFinish(SecCmsDecoderRef p7dcx, SecCmsMessageRef *outMessage) if (p7dcx->dcx == NULL || SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess || nss_cms_after_end(p7dcx) != SECSuccess) { - SecCmsMessageDestroy(cmsg); /* needs to get rid of pool if it's ours */ + if (p7dcx->cmsg) { + SecCmsMessageDestroy(cmsg); /* needs to get rid of pool if it's ours */ + } result = PORT_GetError(); goto loser; } @@ -705,6 +714,10 @@ SecCmsDecoderFinish(SecCmsDecoderRef p7dcx, SecCmsMessageRef *outMessage) result = noErr; loser: + /* Clear out references */ + p7dcx->cmsg = NULL; + p7dcx->dcx = NULL; + p7dcx->childp7dcx = NULL; PORT_Free(p7dcx); return result; } diff --git a/OSX/libsecurity_smime/lib/cmsdigdata.c b/OSX/libsecurity_smime/lib/cmsdigdata.c index 8fb7d5e5..d850ece4 100644 --- a/OSX/libsecurity_smime/lib/cmsdigdata.c +++ b/OSX/libsecurity_smime/lib/cmsdigdata.c @@ -89,6 +89,9 @@ loser: void SecCmsDigestedDataDestroy(SecCmsDigestedDataRef digd) { + if (digd == NULL) { + return; + } /* everything's in a pool, so don't worry about the storage */ SecCmsContentInfoDestroy(&(digd->contentInfo)); return; @@ -218,6 +221,9 @@ SecCmsDigestedDataDecodeAfterData(SecCmsDigestedDataRef digd) OSStatus SecCmsDigestedDataDecodeAfterEnd(SecCmsDigestedDataRef digd) { + if (!digd) { + return SECFailure; + } /* did we have digest calculation going on? */ if (digd->cdigest.Length != 0) { /* XXX comparision btw digest & cdigest */ diff --git a/OSX/libsecurity_smime/lib/cmsdigest.c b/OSX/libsecurity_smime/lib/cmsdigest.c index 0c16686e..52e07480 100644 --- a/OSX/libsecurity_smime/lib/cmsdigest.c +++ b/OSX/libsecurity_smime/lib/cmsdigest.c 
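Review bot: The new guard in SecCmsDecoderFinish tests `p7dcx->cmsg` but destroys the local `cmsg`; the two are presumably the same object (the assignment is outside the hunk), but if the local is ever taken before the field is cleared the guard protects the wrong pointer. Testing the value that is actually freed, `if (cmsg) { SecCmsMessageDestroy(cmsg); }`, makes the intent self-evident. The function starts outside the hunk.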
@@ -68,7 +68,7 @@ SecCmsDigestContextStartMultiple(SECAlgorithmID **digestalgs) digcnt = (digestalgs == NULL) ? 0 : SecCmsArrayCount((void **)digestalgs); - cmsdigcx = (SecCmsDigestContextRef)PORT_Alloc(sizeof(struct SecCmsDigestContextStr)); + cmsdigcx = (SecCmsDigestContextRef)PORT_ZAlloc(sizeof(struct SecCmsDigestContextStr)); if (cmsdigcx == NULL) return NULL; @@ -77,7 +77,7 @@ SecCmsDigestContextStartMultiple(SECAlgorithmID **digestalgs) if (digcnt >= (int)(INT_MAX/sizeof(CSSM_CC_HANDLE))) { goto loser; } - cmsdigcx->digobjs = (CSSM_CC_HANDLE *)PORT_Alloc(digcnt * sizeof(CSSM_CC_HANDLE)); + cmsdigcx->digobjs = (CSSM_CC_HANDLE *)PORT_ZAlloc(digcnt * sizeof(CSSM_CC_HANDLE)); if (cmsdigcx->digobjs == NULL) goto loser; } @@ -117,8 +117,11 @@ SecCmsDigestContextStartMultiple(SECAlgorithmID **digestalgs) loser: if (cmsdigcx) { - if (cmsdigcx->digobjs) + if (cmsdigcx->digobjs) { PORT_Free(cmsdigcx->digobjs); + cmsdigcx->digobjs = NULL; + cmsdigcx->digcnt = 0; + } } return NULL; } @@ -149,7 +152,7 @@ SecCmsDigestContextUpdate(SecCmsDigestContextRef cmsdigcx, const unsigned char * dataBuf.Data = (uint8 *)data; cmsdigcx->saw_contents = PR_TRUE; for (i = 0; i < cmsdigcx->digcnt; i++) - if (cmsdigcx->digobjs[i]) + if (cmsdigcx->digobjs && cmsdigcx->digobjs[i]) CSSM_DigestDataUpdate(cmsdigcx->digobjs[i], &dataBuf, 1); } @@ -162,8 +165,10 @@ SecCmsDigestContextCancel(SecCmsDigestContextRef cmsdigcx) int i; for (i = 0; i < cmsdigcx->digcnt; i++) - if (cmsdigcx->digobjs[i]) + if (cmsdigcx->digobjs && cmsdigcx->digobjs[i]) { CSSM_DeleteContext(cmsdigcx->digobjs[i]); + cmsdigcx->digobjs[i] = 0; + } } /* 
@@ -183,8 +188,10 @@ SecCmsDigestContextFinishMultiple(SecCmsDigestContextRef cmsdigcx, SecArenaPoolR /* no contents? do not update digests */ if (digestsp == NULL || !cmsdigcx->saw_contents) { for (i = 0; i < cmsdigcx->digcnt; i++) - if (cmsdigcx->digobjs[i]) + if (cmsdigcx->digobjs && cmsdigcx->digobjs[i]) { CSSM_DeleteContext(cmsdigcx->digobjs[i]); + cmsdigcx->digobjs[i] = 0; + } rv = SECSuccess; if (digestsp) *digestsp = NULL; @@ -205,7 +212,12 @@ SecCmsDigestContextFinishMultiple(SecCmsDigestContextRef cmsdigcx, SecArenaPoolR } for (i = 0; i < cmsdigcx->digcnt; i++, digest++) { - digobj = cmsdigcx->digobjs[i]; + if (cmsdigcx->digobjs) { + digobj = cmsdigcx->digobjs[i]; + } else { + digobj = 0; + } + CSSM_QUERY_SIZE_DATA dataSize; rv = CSSM_QuerySize(digobj, CSSM_FALSE, 1, &dataSize); if (rv != CSSM_OK) @@ -228,6 +240,7 @@ SecCmsDigestContextFinishMultiple(SecCmsDigestContextRef cmsdigcx, SecArenaPoolR } CSSM_DeleteContext(digobj); + cmsdigcx->digobjs[i] = 0; } else { @@ -251,6 +264,8 @@ loser: cleanup: if (cmsdigcx->digcnt > 0) { PORT_Free(cmsdigcx->digobjs); + cmsdigcx->digobjs = NULL; + cmsdigcx->digcnt = 0; } PORT_Free(cmsdigcx); diff --git a/OSX/libsecurity_smime/lib/cmsencdata.c b/OSX/libsecurity_smime/lib/cmsencdata.c index 895b5085..0bdf3fee 100644 --- a/OSX/libsecurity_smime/lib/cmsencdata.c +++ b/OSX/libsecurity_smime/lib/cmsencdata.c @@ -116,6 +116,9 @@ loser: void SecCmsEncryptedDataDestroy(SecCmsEncryptedDataRef encd) { + if (encd == NULL) { + return; + } /* everything's in a pool, so don't worry about the storage */ SecCmsContentInfoDestroy(&(encd->contentInfo)); return; diff --git a/OSX/libsecurity_smime/lib/cmsmessage.c b/OSX/libsecurity_smime/lib/cmsmessage.c index 816ce4af..75512389 100644 --- a/OSX/libsecurity_smime/lib/cmsmessage.c +++ b/OSX/libsecurity_smime/lib/cmsmessage.c 
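Review bot: In SecCmsDigestContextFinishMultiple the `@@ -205` hunk tolerates a NULL `cmsdigcx->digobjs` by substituting a zero handle, yet the `@@ -228` hunk in the same function then stores `cmsdigcx->digobjs[i] = 0;` unconditionally after CSSM_DeleteContext(digobj); if the size query can succeed on a zero handle this is a NULL store, and if it cannot, the fallback in the earlier hunk is dead code. Either guard the store the same way, `if (cmsdigcx->digobjs) { cmsdigcx->digobjs[i] = 0; }`, or bail out before the loop with `if (cmsdigcx->digobjs == NULL) goto loser;` so the function carries one consistent assumption. The loop body between the two hunks is outside what is shown.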
@@ -135,8 +135,10 @@ SecCmsMessageDestroy(SecCmsMessageRef cmsg) SecCmsContentInfoDestroy(&(cmsg->contentInfo)); /* if poolp is not NULL, cmsg is the owner of its arena */ - if (cmsg->poolp_is_ours) + if (cmsg->poolp_is_ours) { PORT_FreeArena (cmsg->poolp, PR_FALSE); /* XXX clear it? */ + cmsg->poolp = NULL; + } } /* diff --git a/OSX/libsecurity_smime/lib/cmspubkey.c b/OSX/libsecurity_smime/lib/cmspubkey.c index a42f322b..19ff2065 100644 --- a/OSX/libsecurity_smime/lib/cmspubkey.c +++ b/OSX/libsecurity_smime/lib/cmspubkey.c @@ -45,12 +45,16 @@ #include <security_asn1/secerr.h> #include <Security/SecCertificatePriv.h> #include <Security/SecKeyPriv.h> +#include <Security/SecItemPriv.h> #include <Security/Security.h> #include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h> #include <Security/SecCmsBase.h> #include <Security/secasn1t.h> #include <security_asn1/plarenas.h> #include <Security/keyTemplates.h> +#include <CommonCrypto/CommonCryptor.h> +#include <CommonCrypto/CommonRandomSPI.h> +#include <CommonCrypto/CommonRandom.h> /* ====== RSA ======================================================================= */ @@ -68,7 +72,11 @@ SecCmsUtilEncryptSymKeyRSA(PLArenaPool *poolp, SecCertificateRef cert, OSStatus rv; SecPublicKeyRef publickey; +#if TARGET_OS_MAC && !TARGET_OS_IPHONE rv = SecCertificateCopyPublicKey(cert,&publickey); +#else + publickey = SecCertificateCopyPublicKey(cert); +#endif if (publickey == NULL) return SECFailure; 
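Review bot: In SecCmsUtilEncryptSymKeyRSA `publickey` is declared without an initializer and, on the `TARGET_OS_MAC && !TARGET_OS_IPHONE` branch, `rv` from SecCertificateCopyPublicKey is never examined, so the `publickey == NULL` test that follows relies on the callee writing NULL on failure; if it leaves the out-parameter untouched the comparison reads an indeterminate pointer. Initialising with `SecPublicKeyRef publickey = NULL;` (the declaration is a context line of this hunk) and adding `if (rv) return SECFailure;` after the call removes the dependency; `rv` is otherwise unused on the `#else` branch and may draw an unused-variable warning there. The function continues beyond the hunk.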
@@ -100,12 +108,16 @@ SecCmsUtilEncryptSymKeyRSAPubKey(PLArenaPool *poolp, } #endif /* allocate memory for the encrypted key */ +#if TARGET_OS_MAC && !TARGET_OS_IPHONE rv = SecKeyGetStrengthInBits(publickey, NULL, &data_len); if (rv) - goto loser; - + goto loser; // Convert length to bytes; - data_len >>= 2; + data_len = data_len / 8; +#else + data_len = SecKeyGetSize(publickey, kSecKeyEncryptedDataSize); +#endif + encKey->Data = (unsigned char*)PORT_ArenaAlloc(poolp, data_len); encKey->Length = data_len; if (encKey->Data == NULL) @@ -648,59 +660,6 @@ typedef enum { CAT_Ptr } ContextAttrType; -static CSSM_RETURN cmsAddContextAttribute( - CSSM_CC_HANDLE CCHandle, - uint32 AttributeType, - uint32 AttributeLength, - ContextAttrType attrType, - /* specify exactly one of these */ - const void *AttributePtr, - uint32 attributeInt) -{ - CSSM_CONTEXT_ATTRIBUTE newAttr; - CSSM_RETURN crtn; - - newAttr.AttributeType = AttributeType; - newAttr.AttributeLength = AttributeLength; - if(attrType == CAT_Uint32) { - newAttr.Attribute.Uint32 = attributeInt; - } - else { - /* this is a union of a bunch of different pointers...*/ - newAttr.Attribute.Data = (CSSM_DATA_PTR)AttributePtr; - } - crtn = CSSM_UpdateContextAttributes(CCHandle, 1, &newAttr); - if(crtn) { - CSSM_PERROR("CSSM_UpdateContextAttributes", crtn); - } - return crtn; -} - -static CSSM_RETURN cmsGenRand( - CSSM_CSP_HANDLE cspHand, - CSSM_SIZE len, - uint8 *randOut) -{ - CSSM_CC_HANDLE ccHand = 0; - CSSM_DATA randData = {len, randOut}; - - CSSM_RETURN crtn = CSSM_CSP_CreateRandomGenContext(cspHand, - CSSM_ALGID_APPLE_YARROW, - NULL, /* seed*/ - len, - &ccHand); - if(crtn) { - CSSM_PERROR("CSSM_CSP_CreateRandomGenContext", crtn); - return crtn; - } - crtn = CSSM_GenerateRandom(ccHand, &randData); - CSSM_DeleteContext(ccHand); - if(crtn) { - CSSM_PERROR("CSSM_GenerateRandom", crtn); - } - return crtn; -} - /* convert uint32 to big-endian 4 bytes */ static void int32ToBytes( uint32_t i, 
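Review bot: On the macOS branch `data_len = data_len / 8;` truncates a key strength that is not a multiple of 8 bits, leaving `encKey->Data` one byte short of the ciphertext a modulus of that size produces; use the rounding form `data_len = (data_len + 7) / 8;`. The old `>>= 2` was clearly wrong and this is the right direction, but the rounding matters for the same reason. On the `#else` branch nothing validates the result of SecKeyGetSize, so a zero size would flow into PORT_ArenaAlloc and an empty `encKey`; an `if (data_len == 0) goto loser;` after the `#endif` covers both branches. The rest of the function is outside the hunk.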
@@ -713,68 +672,6 @@ static void int32ToBytes( } } -/* - * NULL wrap a ref key to raw key in default format. - */ -static OSStatus cmsNullWrapKey( - CSSM_CSP_HANDLE cspHand, - const CSSM_KEY *refKey, - CSSM_KEY_PTR rawKey) -{ - CSSM_DATA descData = {0, 0}; - CSSM_RETURN crtn; - CSSM_CC_HANDLE ccHand; - CSSM_ACCESS_CREDENTIALS creds; - uint32 keyAttr; - - memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS)); - memset(rawKey, 0, sizeof(CSSM_KEY)); - - crtn = CSSM_CSP_CreateSymmetricContext(cspHand, - CSSM_ALGID_NONE, - CSSM_ALGMODE_NONE, - &creds, - NULL, // unwrappingKey - NULL, // initVector - CSSM_PADDING_NONE, - 0, // Params - &ccHand); - if(crtn) { - CSSM_PERROR("CSSM_CSP_CreateSymmetricContext", crtn); - return crtn; - } - - keyAttr = rawKey->KeyHeader.KeyAttr; - keyAttr &= ~(CSSM_KEYATTR_ALWAYS_SENSITIVE | CSSM_KEYATTR_NEVER_EXTRACTABLE | - CSSM_KEYATTR_MODIFIABLE); - keyAttr |= CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE; - crtn = CSSM_WrapKey(ccHand, - &creds, - refKey, - &descData, - rawKey); - if(crtn != CSSM_OK) { - CSSM_PERROR("CSSM_WrapKey", crtn); - } - CSSM_DeleteContext(ccHand); - return crtn; -} - -/* - * Free memory via specified plugin's app-level allocator - */ -static void cmsFreeCssmMemory( - CSSM_HANDLE hand, - void *p) -{ - CSSM_API_MEMORY_FUNCS memFuncs; - CSSM_RETURN crtn = CSSM_GetAPIMemoryFunctions(hand, &memFuncs); - if(crtn) { - return; - } - memFuncs.free_func(p, memFuncs.AllocRef); -} - /* * Given an OID tag, return key size and mode. * NOTE: ciphers with variable key sizes, like RC2, RC4, and RC5 cannot 
@@ -784,60 +681,63 @@ static void cmsFreeCssmMemory( static OSStatus encrAlgInfo( SECOidTag oidTag, uint32 *keySizeBits, /* RETURNED */ - CSSM_ENCRYPT_MODE *mode) /* RETURNED */ + CCAlgorithm *algorithm, /* RETURNED */ + CCOptions *options) /* RETURNED */ { *keySizeBits = 64; /* default */ - *mode = CSSM_ALGMODE_CBCPadIV8; /* default */ + *options = kCCOptionPKCS7Padding; /* default */ switch(oidTag) { - case SEC_OID_RC2_CBC: - case SEC_OID_RC4: - case SEC_OID_RC5_CBC_PAD: - dprintf("encrAlgInfo: key size unknowable\n"); - return errSecDataNotAvailable; - - case SEC_OID_DES_EDE3_CBC: - *keySizeBits = 192; - break; - case SEC_OID_DES_EDE: - /* Not sure about this; SecCmsCipherContextStart() treats this - * like SEC_OID_DES_EDE3_CBC... */ - case SEC_OID_DES_ECB: - *mode = CSSM_ALGMODE_ECB; - break; - case SEC_OID_DES_CBC: - *mode = CSSM_ALGMODE_CBC; - break; - case SEC_OID_AES_128_CBC: - *keySizeBits = 128; - break; - case SEC_OID_AES_192_CBC: - *keySizeBits = 192; - break; - case SEC_OID_AES_256_CBC: - *keySizeBits = 256; - break; - case SEC_OID_AES_128_ECB: - *keySizeBits = 128; - *mode = CSSM_ALGMODE_ECB; - break; - case SEC_OID_AES_192_ECB: - *keySizeBits = 192; - *mode = CSSM_ALGMODE_ECB; - break; - case SEC_OID_AES_256_ECB: - *keySizeBits = 256; - *mode = CSSM_ALGMODE_ECB; - break; - case SEC_OID_DES_OFB: - *mode = CSSM_ALGMODE_OFB; - break; - case SEC_OID_DES_CFB: - *mode = CSSM_ALGMODE_CFB; - break; - default: - dprintf("encrAlgInfo: unknown alg tag (%d)\n", (int)oidTag); - return errSecDataNotAvailable; + case SEC_OID_RC2_CBC: + case SEC_OID_RC4: + case SEC_OID_RC5_CBC_PAD: + dprintf("encrAlgInfo: key size unknowable\n"); + return errSecDataNotAvailable; + case SEC_OID_DES_EDE: + /* Not sure about this; SecCmsCipherContextStart() treats this + * like SEC_OID_DES_EDE3_CBC... 
*/ + *options = kCCOptionECBMode; + // fall through + case SEC_OID_DES_EDE3_CBC: + *keySizeBits = 192; + *algorithm = kCCAlgorithm3DES; + break; + case SEC_OID_DES_ECB: + *options = kCCOptionECBMode; + // fall through + case SEC_OID_DES_CBC: + *algorithm = kCCAlgorithmDES; + break; + case SEC_OID_AES_128_CBC: + *keySizeBits = 128; + *algorithm = kCCAlgorithmAES; + break; + case SEC_OID_AES_192_CBC: + *keySizeBits = 192; + *algorithm = kCCAlgorithmAES; + break; + case SEC_OID_AES_256_CBC: + *keySizeBits = 256; + *algorithm = kCCAlgorithmAES; + break; + case SEC_OID_AES_128_ECB: + *keySizeBits = 128; + *algorithm = kCCAlgorithmAES; + *options = kCCOptionECBMode; + break; + case SEC_OID_AES_192_ECB: + *keySizeBits = 192; + *algorithm = kCCAlgorithmAES; + *options = kCCOptionECBMode; + break; + case SEC_OID_AES_256_ECB: + *keySizeBits = 256; + *algorithm = kCCAlgorithmAES; + *options = kCCOptionECBMode; + break; + default: + dprintf("encrAlgInfo: unknown alg tag (%d)\n", (int)oidTag); + return errSecDataNotAvailable; } return noErr; } 
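Review bot: The ECB cases (`SEC_OID_DES_EDE`, `SEC_OID_DES_ECB`, `SEC_OID_AES_*_ECB`) assign `*options = kCCOptionECBMode;`, which overwrites the `kCCOptionPKCS7Padding` default rather than adding to it, whereas the removed CDSA path always passed `CSSM_PADDING_PKCS7` to the symmetric context independently of the mode. Unless unpadded ECB key wrap is intended, `*options |= kCCOptionECBMode;` keeps the previous padding behaviour; either way a one-line comment stating whether ECB-wrapped keys carry PKCS#7 padding would settle it for the next reader. `SEC_OID_DES_OFB` and `SEC_OID_DES_CFB` also moved silently from supported modes to the `errSecDataNotAvailable` default; if those modes cannot be expressed through `CCOptions`, a `/* OFB/CFB are not expressible via CCOptions; rejected */` comment at `default:` would record that. `*algorithm` is left unassigned on the error returns, which the header comment should say so callers do not read it.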
@@ -861,216 +761,124 @@ SecCmsUtilEncryptSymKeyECDH( * KeyAgreeRecipientInfo.originator.OriginatorPublicKey */ { OSStatus rv = noErr; - CSSM_KEY ourPrivKeyCssm; - CSSM_KEY ourPubKeyCssm; - SecKeyRef theirPubKeyRef = NULL; - CSSM_KEY_PTR theirPubKeyCssm = NULL; - const CSSM_KEY *cekCssmRef = NULL; - uint32 ecdhKeySizeBits; - CSSM_CSP_HANDLE rawCspHand = SecCspHandleForAlgorithm(CSSM_ALGID_ECDH); - CSSM_CC_HANDLE ccHand = 0; - CSSM_RETURN crtn; - CSSM_DATA keyLabel = {8, (uint8 *)"tempKey"}; + SecKeyRef theirPubKey = NULL, ourPubKey = NULL, ourPrivKey = NULL; + CFDictionaryRef theirKeyAttrs = NULL, ourKeyParams = NULL, kekParams = NULL; + uint8_t iv[ECDH_KEK_IV_LEN_BYTES]; + CSSM_DATA ivData = { ECDH_KEK_IV_LEN_BYTES, iv }; SECAlgorithmID kekAlgId; - uint8 iv[ECDH_KEK_IV_LEN_BYTES]; - CSSM_DATA ivData = {ECDH_KEK_IV_LEN_BYTES, iv}; SECOidData *kekOid; ECC_CMS_SharedInfo sharedInfo; CSSM_DATA sharedInfoEnc = {0, NULL}; uint8 nullData[2] = {SEC_ASN1_NULL, 0}; uint8 keyLenAsBytes[4]; - CSSM_KEY kekDerive; - CSSM_DATA certData; - CSSM_CL_HANDLE clHand; - CSSM_ACCESS_CREDENTIALS creds; - CSSM_DATA paramData = {0, NULL}; - CSSM_KEY cekCssm; - CSSM_CSP_HANDLE refCspHand; - CSSM_SIZE bytesEncrypted; - CSSM_DATA remData = {0, NULL}; - CSSM_DATA ctext = {0, NULL}; - CSSM_X509_SUBJECT_PUBLIC_KEY_INFO subjPubKey; - - if(rawCspHand == 0) { - return internalComponentErr; - } - - memset(&ourPrivKeyCssm, 0, sizeof(CSSM_KEY)); - memset(&ourPubKeyCssm, 0, sizeof(CSSM_KEY)); - memset(&cekCssm, 0, sizeof(CSSM_KEY)); - memset(&kekDerive, 0, sizeof(kekDerive)); - + CFDataRef sharedInfoData = NULL, kekData = NULL, ourPubData = NULL; + CFNumberRef kekLen = NULL; + CFErrorRef error = NULL; + CCCryptorRef ciphercc = NULL; + encKey->Data = NULL; encKey->Length = 0; - - /* - * Create our ECDH key pair matching the recipient's key. - * Get the public key in "read-only" OCTET_STRING format, which - * is the ECPoint we put in - * KeyAgreeRecipientInfo.originator.OriginatorPublicKey. 
- */ - rv = SecCertificateGetData(cert, &certData); - if(rv) { - CSSM_PERROR("SecCertificateGetData", rv); - return rv; - } - rv = SecCertificateGetCLHandle(cert, &clHand); - if(rv) { - CSSM_PERROR("SecCertificateGetCLHandle", rv); - return rv; - } - rv = CSSM_CL_CertGetKeyInfo(clHand, &certData, &theirPubKeyCssm); - if(rv) { - CSSM_PERROR("CSSM_CL_CertGetKeyInfo", rv); - return rv; - } - - /* - * Verify the EC curve of the recipient's public key. It's in the - * public key's AlgId.parameters as an OID. The key we were - * given is in CSSM_X509_SUBJECT_PUBLIC_KEY_INFO form. - */ - memset(&subjPubKey, 0, sizeof(subjPubKey)); - if(SEC_ASN1DecodeItem(poolp, &subjPubKey, kSecAsn1SubjectPublicKeyInfoTemplate, - &theirPubKeyCssm->KeyData)) { - dprintf("SecCmsUtilEncryptSymKeyECDH: error decoding SubjPubKey\n"); - /* oh well, keep going */ - } - else { - if(subjPubKey.algorithm.parameters.Data != NULL) { - CSSM_DATA curveOid; - if(SEC_ASN1DecodeItem(poolp, &curveOid, kSecAsn1ObjectIDTemplate, - &subjPubKey.algorithm.parameters)) { - dprintf("SecCmsUtilEncryptSymKeyECDH: error decoding curveOid\n"); - /* oh well, keep going */ - } - else { - /* We have the curve OID. Any other errors are fatal. 
*/ - SECOidTag oidTag = SECOID_FindOIDTag(&curveOid); - switch(oidTag) { - case SEC_OID_SECP_256_R1: - case SEC_OID_SECP_384_R1: - case SEC_OID_SECP_521_R1: - break; - default: - dprintf("SecCmsUtilEncryptSymKeyECDH: unsupported curveOid\n"); - rv = CSSMERR_CSP_INVALID_KEY; - goto loser; - } - } - } + + /* Copy the recipient's static public ECDH key */ +#if TARGET_OS_IPHONE + theirPubKey = SecCertificateCopyPublicKey(cert); +#else + rv = SecCertificateCopyPublicKey(cert, &theirPubKey); +#endif + if (rv || !theirPubKey) { + dprintf("SecCmsUtilEncryptSymKeyECDH: failed to get public key from cert, %d\n", (int)rv); + goto out; } - - ecdhKeySizeBits = theirPubKeyCssm->KeyHeader.LogicalKeySizeInBits; - crtn = CSSM_CSP_CreateKeyGenContext(rawCspHand, - CSSM_ALGID_ECDSA, - ecdhKeySizeBits, - NULL, // Seed - NULL, // Salt - NULL, // StartDate - NULL, // EndDate - NULL, // Params - &ccHand); - if(crtn) { - CSSM_PERROR("CSSM_CSP_CreateKeyGenContext", crtn); - rv = crtn; - goto loser; + + theirKeyAttrs = SecKeyCopyAttributes(theirPubKey); + if (!theirKeyAttrs) { + dprintf("SecCmsUtilEncryptSymKeyECDH: failed to get key attributes\n"); + goto out; } - crtn = cmsAddContextAttribute(ccHand, - CSSM_ATTRIBUTE_PUBLIC_KEY_FORMAT, - sizeof(uint32), - CAT_Uint32, - NULL, - CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING); - if(crtn) { - CSSM_PERROR("AddContextAttribute(CSSM_ATTRIBUTE_PUBLIC_KEY_FORMAT)", crtn); - rv = crtn; - goto loser; + + CFStringRef keyType = NULL; + CFNumberRef keySizeNum = NULL; + keyType = CFDictionaryGetValue(theirKeyAttrs, kSecAttrKeyType); + keySizeNum = CFDictionaryGetValue(theirKeyAttrs, kSecAttrKeySizeInBits); + + if (!CFEqual(kSecAttrKeyTypeECSECPrimeRandom, keyType)) { + dprintf("SecCmsUtilEncryptSymKeyECDH: unsupported key type\n"); + rv = CSSMERR_CSP_INVALID_KEY; + goto out; } - crtn = CSSM_GenerateKeyPair(ccHand, - CSSM_KEYUSE_DERIVE, - CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE, - &keyLabel, - &ourPubKeyCssm, - CSSM_KEYUSE_DERIVE, - 
CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE, - &keyLabel, - NULL, // CredAndAclEntry - &ourPrivKeyCssm); - CSSM_DeleteContext(ccHand); - ccHand = 0; - if(crtn) { - CSSM_PERROR("CSSM_GenerateKeyPair", crtn); - rv = crtn; - goto loser; + /* Generate ephemeral ECDH key */ + const void *keys[] = { kSecAttrKeyType, kSecAttrKeySizeInBits, kSecAttrNoLegacy}; + const void *values[] = { keyType, keySizeNum, kCFBooleanTrue }; + ourKeyParams = CFDictionaryCreate(NULL, keys, values, 3, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + rv = SecKeyGeneratePair(ourKeyParams, &ourPubKey, &ourPrivKey); + if (rv || !ourPubKey || !ourPrivKey) { + dprintf("SecKeyGeneratePair: unable to generate ECDH key pair, %d\n", (int)rv); + goto out; } - pubKey->Length = ourPubKeyCssm.KeyData.Length; - pubKey->Data = (uint8 *)PORT_ArenaAlloc(poolp, pubKey->Length); - memmove(pubKey->Data, ourPubKeyCssm.KeyData.Data, pubKey->Length); - dumpBuf("sender's public key", pubKey); - - /* - * Cook up random UKM - */ - ukm->Data = (uint8 *)PORT_ArenaAlloc(poolp, UKM_LENGTH); + + /* Generate UKM */ + ukm->Data = PORT_Alloc(UKM_LENGTH); ukm->Length = UKM_LENGTH; - crtn = cmsGenRand(rawCspHand, UKM_LENGTH, ukm->Data); - if(crtn) { - goto loser; + rv = CCRandomCopyBytes(kCCRandomDefault, ukm->Data, UKM_LENGTH); + if (rv || !ukm->Data) { + dprintf("CCRandomGenerateBytes failed, %d", (int)rv); + goto out; } - dumpBuf("sender UKM", ukm); - + /* * OK, we have to set up a weird SECAlgorithmID. 
* algorithm = dhSinglePass-stdDH-sha1kdf-scheme - * params = an encoded SECAlgorithmID representing the KEK algorithm, with + * params = an encoded SECAlgorithmID representing the KEK algorithm, with * algorithm = whatever we pick * parameters = IV as octet string (though I haven't seen that specified * anywhere; it's how the CEK IV is encoded) - * - * First, the 8-byte random IV, encoded as octet string */ - crtn = cmsGenRand(rawCspHand, ECDH_KEK_IV_LEN_BYTES, iv); - if(crtn) { - goto loser; + + /* Generate 8-byte IV */ + rv = CCRandomCopyBytes(kCCRandomDefault, iv, ECDH_KEK_IV_LEN_BYTES); + if (rv) { + dprintf("CCRandomGenerateBytes failed, %d", (int)rv); + goto out; } dumpBuf("sender IV", &ivData); - + memset(&kekAlgId, 0, sizeof(kekAlgId)); if (!SEC_ASN1EncodeItem(poolp, &kekAlgId.parameters, - &ivData, kSecAsn1OctetStringTemplate)) { - rv = internalComponentErr; - goto loser; + &ivData, kSecAsn1OctetStringTemplate)) { + rv = internalComponentErr; + goto out; } /* Drop in the KEK OID and encode the whole thing */ kekOid = SECOID_FindOIDByTag(ECDH_KEK_ALG_TAG); if(kekOid == NULL) { - dprintf("SecCmsUtilEncryptSymKeyECDH: OID screwup\n"); - rv = internalComponentErr; - goto loser; + dprintf("SecCmsUtilEncryptSymKeyECDH: OID screwup\n"); + rv = internalComponentErr; + goto out; } kekAlgId.algorithm = kekOid->oid; memset(keyEncAlg, 0, sizeof(*keyEncAlg)); if (!SEC_ASN1EncodeItem(poolp, &keyEncAlg->parameters, - &kekAlgId, SECOID_AlgorithmIDTemplate)) { - rv = internalComponentErr; - goto loser; + &kekAlgId, SECOID_AlgorithmIDTemplate)) { + rv = internalComponentErr; + goto out; } kekOid = SECOID_FindOIDByTag(SEC_OID_DH_SINGLE_STD_SHA1KDF); if(kekOid == NULL) { - dprintf("SecCmsUtilEncryptSymKeyECDH: OID screwup\n"); - rv = internalComponentErr; - goto loser; + dprintf("SecCmsUtilEncryptSymKeyECDH: OID screwup\n"); + rv = internalComponentErr; + goto out; } keyEncAlg->algorithm = kekOid->oid; - - /* - * Now in order to derive the KEK proper, we have to create a + + 
/* + * Now in order to derive the KEK proper, we have to create a * ECC-CMS-SharedInfo, which does not appear in the message, and DER - * encode that struct, the result of which is used as the - * SharedInfo value in the KEK key derive. + * encode that struct, the result of which is used as the + * SharedInfo value in the KEK key derive. */ memset(&sharedInfo, 0, sizeof(sharedInfo)); kekOid = SECOID_FindOIDByTag(ECDH_KEK_ALG_TAG); 
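Review bot: Several new failure paths jump to `out` with `rv` still `noErr`, so SecCmsUtilEncryptSymKeyECDH reports success with an empty `encKey`: the `!theirPubKey` case on the `TARGET_OS_IPHONE` side of the `#if`, the `!theirKeyAttrs` case, and `SecKeyGeneratePair` handing back NULL keys with a zero status; the same pattern continues in the next hunk at the `SecKeyCopyKeyExchangeResult` and `SecKeyCopyExternalRepresentation` `if (error)` checks, where the `if (rv && encKey->Data)` cleanup at `out:` is then also skipped. Each of those should set an error before the jump, e.g. `if (!theirKeyAttrs) { rv = internalComponentErr; goto out; }`. The UKM block calls `CCRandomCopyBytes(kCCRandomDefault, ukm->Data, UKM_LENGTH)` before the `!ukm->Data` test, so an allocation failure writes through NULL; test `ukm->Data` immediately after `PORT_Alloc`, and since `ukm` was arena-owned before and is heap-owned now, note in a comment who frees it on success. `keyType` comes from `CFDictionaryGetValue` and is passed to `CFEqual` without a NULL check. The function's signature is above this hunk and its body continues into the next one.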
@@ -1082,146 +890,102 @@ SecCmsUtilEncryptSymKeyECDH( sharedInfo.suppPubInfo.Length = 4; sharedInfo.suppPubInfo.Data = keyLenAsBytes; if (!SEC_ASN1EncodeItem(poolp, &sharedInfoEnc, - &sharedInfo, ECC_CMS_SharedInfoTemplate)) { - rv = internalComponentErr; - goto loser; + &sharedInfo, ECC_CMS_SharedInfoTemplate)) { + rv = internalComponentErr; + goto out; } dumpBuf("sender encoded SharedInfo", &sharedInfoEnc); - - /* - * Since we're using the raw CSP here, we can provide the "other" public - * key as an actual CSSM_KEY. When unwrapping, we won't be able to do that - * since we'll be using our private key obtained from a SecIdentityRef. - */ - memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS)); - crtn = CSSM_CSP_CreateDeriveKeyContext(rawCspHand, - CSSM_ALGID_ECDH_X963_KDF, - ECDH_KEK_KEY_CSSM_ALGID, // algorithm of the KEK - ECDH_KEK_KEY_LEN_BYTES * 8, - &creds, - &ourPrivKeyCssm, // BaseKey - 0, // IterationCount - &sharedInfoEnc, // Salt - 0, // Seed - &ccHand); - if(crtn) { - CSSM_PERROR("CSSM_CSP_CreateDeriveKeyContext", crtn); - rv = crtn; - goto loser; - } - - /* add recipient's pub key as a context attr */ - crtn = cmsAddContextAttribute(ccHand, - CSSM_ATTRIBUTE_PUBLIC_KEY, - sizeof(CSSM_KEY), - CAT_Ptr, - (void *)theirPubKeyCssm, - 0); - if(crtn) { - rv = crtn; - goto loser; - } - - /* Derive the KEK */ - crtn = CSSM_DeriveKey(ccHand, - ¶mData, - CSSM_KEYUSE_ANY, - CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE, - &keyLabel, - NULL, // cread/acl - &kekDerive); - if(crtn) { - CSSM_PERROR("CSSM_DeriveKey", crtn); - rv = crtn; - goto loser; - } - CSSM_DeleteContext(ccHand); - ccHand = 0; - - /* - * Obtain the raw CEK bits. 
- */ - rv = SecKeyGetCSSMKey(key, &cekCssmRef); - if(rv) { - CSSM_PERROR("SecKeyGetCSSMKey", rv); - goto loser; - } - rv = SecKeyGetCSPHandle(key, &refCspHand); - if(rv) { - CSSM_PERROR("SecKeyGetCSPHandle", rv); - goto loser; - } - rv = cmsNullWrapKey(refCspHand, cekCssmRef, &cekCssm); - if(rv) { - goto loser; + + /* Derive KEK */ + sharedInfoData = CFDataCreate(NULL, sharedInfoEnc.Data, sharedInfoEnc.Length); + int32_t ecdh_key_key_len = ECDH_KEK_KEY_LEN_BYTES; + kekLen = CFNumberCreate(NULL, kCFNumberSInt32Type, &ecdh_key_key_len); + const void *kekKeys[] = { kSecKeyKeyExchangeParameterRequestedSize, kSecKeyKeyExchangeParameterSharedInfo }; + const void *kekValues[] = { kekLen, sharedInfoData }; + kekParams = CFDictionaryCreate(NULL, kekKeys, kekValues, 2, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + kekData = SecKeyCopyKeyExchangeResult(ourPrivKey, kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1, + theirPubKey, kekParams, &error); + if (error) { + dprintf("SecKeyCopyKeyExchangeResult: failed\n"); + goto out; } - - /* - * Finally, encrypt the raw CEK bits with the KEK we just derived + + /* + * Encrypt the raw CEK bits with the KEK we just derived */ - crtn = CSSM_CSP_CreateSymmetricContext(rawCspHand, - ECDH_KEK_ENCR_CSSM_ALGID, - CSSM_ALGMODE_CBCPadIV8, - NULL, // access cred - &kekDerive, - &ivData, // InitVector - CSSM_PADDING_PKCS7, - NULL, // Params - &ccHand); - if(rv) { - CSSM_PERROR("CSSM_CSP_CreateSymmetricContext", rv); - goto loser; - } - rv = CSSM_EncryptData(ccHand, - &cekCssm.KeyData, - 1, - &ctext, - 1, - &bytesEncrypted, - &remData); - if(rv) { - CSSM_PERROR("CSSM_EncryptData", rv); - goto loser; - } - encKey->Data = PORT_ArenaAlloc(poolp, bytesEncrypted); - encKey->Length = bytesEncrypted; - memmove(encKey->Data, ctext.Data, ctext.Length); - if(bytesEncrypted != ctext.Length) { - memmove(encKey->Data + ctext.Length, remData.Data, remData.Length); - } - dumpBuf("sender encKey", encKey); - -loser: - if(ccHand) { - 
CSSM_DeleteContext(ccHand); - } - CFRELEASE(theirPubKeyRef); - if(ourPubKeyCssm.KeyData.Data) { - CSSM_FreeKey(rawCspHand, NULL, &ourPubKeyCssm, CSSM_FALSE); - } - if(ourPrivKeyCssm.KeyData.Data) { - CSSM_FreeKey(rawCspHand, NULL, &ourPrivKeyCssm, CSSM_FALSE); - } - if(ctext.Data) { - cmsFreeCssmMemory(rawCspHand, ctext.Data); - } - if(remData.Data) { - cmsFreeCssmMemory(rawCspHand, remData.Data); + rv = CCCryptorCreate(kCCEncrypt, kCCAlgorithm3DES, kCCOptionPKCS7Padding, + CFDataGetBytePtr(kekData), CFDataGetLength(kekData), iv, &ciphercc); + if (rv) { + dprintf("CCCryptorCreate failed: %d\n", (int)rv); + goto out; } - if(cekCssm.KeyData.Data) { - CSSM_FreeKey(refCspHand, NULL, &cekCssm, CSSM_FALSE); + CSSM_KEY cek; + rv = cmsNullWrapKey(key, &cek); + if (rv) { + dprintf("SecKeyGetCSSMKey failed: %d\n", (int)rv); + goto out; } - if(kekDerive.KeyData.Data) { - CSSM_FreeKey(rawCspHand, NULL, &kekDerive, CSSM_FALSE); + size_t expectedEncKeyLength = CCCryptorGetOutputLength(ciphercc, cek.KeyData.Length, true); + encKey->Data = PORT_ArenaAlloc(poolp, expectedEncKeyLength); + size_t bytes_output = 0; + rv = CCCryptorUpdate(ciphercc, cek.KeyData.Data, cek.KeyData.Length, encKey->Data, expectedEncKeyLength, &bytes_output); + if (rv) { + dprintf("CCCryptorUpdate failed: %d\n", (int)rv); + goto out; } - if(theirPubKeyCssm) { - /* Allocated by CL */ - cmsFreeCssmMemory(clHand, theirPubKeyCssm->KeyData.Data); - cmsFreeCssmMemory(clHand, theirPubKeyCssm); + size_t final_bytes_output = 0; + rv = CCCryptorFinal(ciphercc, encKey->Data+bytes_output, expectedEncKeyLength - bytes_output, &final_bytes_output); + if (rv) { + dprintf("CCCryptorFinal failed: %d\n", (int)rv); + goto out; + } + encKey->Length = bytes_output + final_bytes_output; + + /* Provide our ephemeral public key to the caller */ + ourPubData = SecKeyCopyExternalRepresentation(ourPubKey, &error); + if (error) { + dprintf("SecKeyCopyExternalRepresentation failed\n"); + goto out; + } + pubKey->Length = 
CFDataGetLength(ourPubData); + pubKey->Data = malloc(pubKey->Length); + if (pubKey->Data) { + memcpy(pubKey->Data, CFDataGetBytePtr(ourPubData), pubKey->Length); + } else { + rv = errSecAllocate; + } + /* pubKey is bit string, convert here */ + pubKey->Length <<= 3; + +out: + if (theirPubKey) { CFRelease(theirPubKey); } + if (theirKeyAttrs) { CFRelease(theirKeyAttrs); } + if (ourKeyParams) { CFRelease(ourKeyParams); } + if (ourPubKey) { CFRelease(ourPubKey); } + if (ourPrivKey) { CFRelease(ourPrivKey); } + if (sharedInfoData) { CFRelease(sharedInfoData); } + if (kekLen) { CFRelease(kekLen); } + if (kekParams) { CFRelease(kekParams); } + if (kekData) { CFRelease(kekData); } + if (error) { CFRelease(error); } + if (ciphercc) { CCCryptorRelease(ciphercc); } + if (ourPubData) { CFRelease(ourPubData); } + if (rv && encKey->Data) { + PORT_Free(encKey->Data); + encKey->Data = NULL; + encKey->Length = 0; + } + if (rv && ukm->Data) { + PORT_Free(ukm->Data); + ukm->Data = NULL; + ukm->Length = 0; } return rv; } + #pragma mark ---- ECDH CEK key unwrap ---- SecSymmetricKeyRef @@ -1234,11 +998,9 @@ SecCmsUtilDecryptSymKeyECDH( SECOidTag bulkalgtag, /* algorithm of returned key */ CSSM_DATA_PTR pubKey) /* sender's pub key as ECPoint from * KeyAgreeRecipientInfo.originator.OriginatorPublicKey */ - { SecSymmetricKeyRef outKey = NULL; OSStatus rv = noErr; - const CSSM_KEY *ourPrivKeyCssm; PLArenaPool *pool = NULL; SECAlgorithmID keyAlgParam; SECOidData *kekOid = NULL; 
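Review bot: The raw CEK produced by `cmsNullWrapKey(key, &cek)` is never released: the removed code freed `cekCssm` with `CSSM_FreeKey(refCspHand, NULL, &cekCssm, CSSM_FALSE)`, while the new `out:` block releases only CF objects, so the key bytes in `cek.KeyData` are leaked unzeroised on every call. `cek` is also declared mid-function after earlier `goto out` jumps, so it cannot be cleaned up at `out:` as written; declaring it with the other locals and freeing it through the key's CSP handle fixes both, roughly as below. `pubKey->Data = malloc(...)` is not freed on the error paths at `out:`, `pubKey->Length <<= 3` runs even after the `errSecAllocate` branch, and the caller in cmsrecinfo.c previously received arena memory here, so that ownership change deserves a comment. The `dprintf` after `cmsNullWrapKey` still names `SecKeyGetCSSMKey`, and `CCCryptorCreate` hard-codes `kCCAlgorithm3DES` while the KEK OID comes from `ECDH_KEK_ALG_TAG`, which should stay in step with each other.
```c
    /* declare with the other locals, before the first goto out */
    CSSM_KEY cek;
    CSSM_CSP_HANDLE cekCspHand = CSSM_INVALID_HANDLE;
    memset(&cek, 0, sizeof(cek));
    // … unchanged: key agreement, CCCryptorCreate …
    rv = cmsNullWrapKey(key, &cek);
    if (rv) {
        dprintf("cmsNullWrapKey failed: %d\n", (int)rv);
        goto out;
    }
    // … unchanged: CCCryptorUpdate/CCCryptorFinal, ephemeral public key export …
out:
    if (cek.KeyData.Data && SecKeyGetCSPHandle(key, &cekCspHand) == noErr) {
        CSSM_FreeKey(cekCspHand, NULL, &cek, CSSM_FALSE);
    }
    // … unchanged: CFRelease cleanup …
```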
@@ -1247,70 +1009,58 @@ SecCmsUtilDecryptSymKeyECDH( CSSM_DATA sharedInfoEnc = {0, NULL}; uint8 nullData[2] = {SEC_ASN1_NULL, 0}; uint8 keyLenAsBytes[4]; - CSSM_ENCRYPT_MODE kekMode; uint32 kekSizeBits; - CSSM_KEY kekDerive; - CSSM_RETURN crtn; - CSSM_ACCESS_CREDENTIALS creds; - CSSM_CSP_HANDLE refCspHand; - CSSM_CC_HANDLE ccHand = 0; - CSSM_DATA keyLabel = {8, (uint8 *)"tempKey"}; - const CSSM_ACCESS_CREDENTIALS *accessCred; - CSSM_KEY wrappedKey; - CSSM_KEY unwrappedKey; - CSSM_ALGORITHMS bulkAlg; - CSSM_DATA descriptiveData = {0, NULL}; - - dumpBuf("receiver encKey", encKey); - - memset(&kekDerive, 0, sizeof(kekDerive)); + SecKeyRef theirPubKey = NULL; + CFStringRef keyType = NULL; + CFDictionaryRef theirKeyAttrs = NULL, kekParams = NULL; + CFMutableDictionaryRef cekParams = NULL; + CFDataRef sharedInfoData = NULL, theirPubData= NULL, kekData = NULL, cekData = NULL; + CFNumberRef kekLen = NULL, theirKeyLen = NULL; + CFErrorRef error = NULL; + CCAlgorithm alg; + CCOptions options = 0; + CCCryptorRef ciphercc = NULL; + size_t theirKeySizeInBits = 0; - /* our private key in CSSM form */ - rv = SecKeyGetCSSMKey(privkey, &ourPrivKeyCssm); - if(rv) { - CSSM_PERROR("SecKeyGetCSSMKey", rv); - goto loser; - } - - /* + /* * Decode keyEncAlg.params to get KEK algorithm and IV - */ + */ pool = PORT_NewArena(1024); if(pool == NULL) { - goto loser; + goto out; } memset(&keyAlgParam, 0, sizeof(keyAlgParam)); - if(SEC_ASN1DecodeItem(pool, &keyAlgParam, SECOID_AlgorithmIDTemplate, - &keyEncAlg->parameters)) { - dprintf("SecCmsUtilDecryptSymKeyECDH: error decoding keyAlgParams\n"); - goto loser; + if(SEC_ASN1DecodeItem(pool, &keyAlgParam, SECOID_AlgorithmIDTemplate, + &keyEncAlg->parameters)) { + dprintf("SecCmsUtilDecryptSymKeyECDH: error decoding keyAlgParams\n"); + goto out; } kekOid = SECOID_FindOID(&keyAlgParam.algorithm); if(kekOid == NULL) { - dprintf("SecCmsUtilDecryptSymKeyECDH: unknown KEK enc OID\n"); - goto loser; + dprintf("SecCmsUtilDecryptSymKeyECDH: unknown KEK 
enc OID\n"); + goto out; } - rv = encrAlgInfo(kekOid->offset, &kekSizeBits, &kekMode); + rv = encrAlgInfo(kekOid->offset, &kekSizeBits, &alg, &options); if(rv) { - goto loser; + goto out; } /* IV is OCTET STRING in the alg params */ - if(SEC_ASN1DecodeItem(pool, &iv, kSecAsn1OctetStringTemplate, - &keyAlgParam.parameters)) { - /* - * Not sure here - is it legal to have no IV? I haven't seen this - * addressed in any spec. Maybe we should condition the behavior - * here on the KEK algorithm. - */ - dprintf("SecCmsUtilDecryptSymKeyECDH: no KEK IV\n"); - goto loser; + if(SEC_ASN1DecodeItem(pool, &iv, kSecAsn1OctetStringTemplate, + &keyAlgParam.parameters)) { + /* + * Not sure here - is it legal to have no IV? I haven't seen this + * addressed in any spec. Maybe we should condition the behavior + * here on the KEK algorithm. + */ + dprintf("SecCmsUtilDecryptSymKeyECDH: no KEK IV\n"); + goto out; } - - /* - * Now in order to derive the KEK proper, we have to create a + + /* + * Now in order to derive the KEK proper, we have to create a * ECC-CMS-SharedInfo, which does not appear in the message, and DER - * encode that struct, the result of which is used as the - * SharedInfo value in the KEK key derive. + * encode that struct, the result of which is used as the + * SharedInfo value in the KEK key derive. */ memset(&sharedInfo, 0, sizeof(sharedInfo)); sharedInfo.algId.algorithm = kekOid->oid; 
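Review bot: The IV decoded from `keyAlgParam.parameters` comes from the message and its length is never checked before the next hunk hands `iv.Data` to `CCCryptorCreate`, which reads a full cipher block from that pointer; an IV shorter than the block size over-reads arena memory and a longer one is silently truncated. After the `encrAlgInfo` call add `size_t blockLen = (alg == kCCAlgorithmAES) ? kCCBlockSizeAES128 : kCCBlockSize3DES;` followed by `if (iv.Length != blockLen) { dprintf("SecCmsUtilDecryptSymKeyECDH: bad KEK IV length\n"); goto out; }` (DES and 3DES share the 8-byte block). `alg` is declared without an initializer and only assigned when `encrAlgInfo` succeeds, which is fine as written but `CCAlgorithm alg = 0;` would match the `options = 0` next to it. SecCmsUtilDecryptSymKeyECDH starts before this hunk and continues into the next.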
@@ -1321,129 +1071,107 @@ SecCmsUtilDecryptSymKeyECDH( sharedInfo.suppPubInfo.Length = 4; sharedInfo.suppPubInfo.Data = keyLenAsBytes; if (!SEC_ASN1EncodeItem(pool, &sharedInfoEnc, - &sharedInfo, ECC_CMS_SharedInfoTemplate)) { - rv = internalComponentErr; - goto loser; + &sharedInfo, ECC_CMS_SharedInfoTemplate)) { + rv = internalComponentErr; + goto out; } dumpBuf("receiver encoded SharedInfo", &sharedInfoEnc); dumpBuf("receiver IV", &iv); dumpBuf("receiver UKM", ukm); dumpBuf("sender's public key", pubKey); - /* - * Using the Sec-layer CSPDL, "other's" public key specified as ECPOint param. Which - * is fortunate because that's what we have... - */ - memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS)); - rv = SecKeyGetCSPHandle(privkey, &refCspHand); - if(rv) { - CSSM_PERROR("SecKeyGetCSPHandle", rv); - goto loser; + /* pubKey is bit string, convert here */ + theirKeySizeInBits = pubKey->Length; + pubKey->Length = (theirKeySizeInBits + 7) >> 3; + theirPubData = CFDataCreate(NULL, pubKey->Data, pubKey->Length); + theirKeyLen = CFNumberCreate(NULL, kCFNumberSInt32Type, &theirKeySizeInBits); + const void *keys[] = { kSecAttrKeyType, kSecAttrKeyClass, kSecAttrKeySizeInBits }; + const void *values[] = { kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeyClassPublic, theirKeyLen}; + theirKeyAttrs = CFDictionaryCreate(NULL, keys, values, 3, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + theirPubKey = SecKeyCreateWithData(theirPubData, theirKeyAttrs, &error); + if (error) { + dprintf("SecKeyCreateWithData: failed\n"); + goto out; + } + + /* Derive KEK */ + sharedInfoData = CFDataCreate(NULL, sharedInfoEnc.Data, sharedInfoEnc.Length); + int32_t ecdh_key_key_len = (kekSizeBits + 7) >> 3; + kekLen = CFNumberCreate(NULL, kCFNumberSInt32Type, &ecdh_key_key_len); + const void *kekKeys[] = { kSecKeyKeyExchangeParameterRequestedSize, kSecKeyKeyExchangeParameterSharedInfo }; + const void *kekValues[] = { kekLen, sharedInfoData }; + kekParams = 
CFDictionaryCreate(NULL, kekKeys, kekValues, 2, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + kekData = SecKeyCopyKeyExchangeResult(privkey, kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1, + theirPubKey, kekParams, &error); + if (error) { + dprintf("SecKeyCopyKeyExchangeResult: failed\n"); + goto out; } - rv = SecKeyGetCredentials(privkey, - CSSM_ACL_AUTHORIZATION_DERIVE, - kSecCredentialTypeDefault, - &accessCred); + + /* + * Decrypt the raw CEK bits with the KEK we just derived + */ + CSSM_DATA cek = { 0, NULL }; + rv = CCCryptorCreate(kCCDecrypt, alg, options, + CFDataGetBytePtr(kekData), CFDataGetLength(kekData), iv.Data, &ciphercc); if (rv) { - CSSM_PERROR("SecKeyGetCredentials", rv); - goto loser; - } - crtn = CSSM_CSP_CreateDeriveKeyContext(refCspHand, - CSSM_ALGID_ECDH_X963_KDF, - kekOid->cssmAlgorithm, // algorithm of the KEK - kekSizeBits, - &creds, - ourPrivKeyCssm, // BaseKey - 0, // IterationCount - &sharedInfoEnc, // Salt - 0, // Seed - &ccHand); - if(crtn) { - CSSM_PERROR("CSSM_CSP_CreateDeriveKeyContext", crtn); - goto loser; + dprintf("CCCryptorCreate failed: %d\n", (int)rv); + goto out; } - crtn = CSSM_DeriveKey(ccHand, - pubKey, // param - CSSM_KEYUSE_ANY, - CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE, - &keyLabel, - NULL, // cred/acl - &kekDerive); - CSSM_DeleteContext(ccHand); - ccHand = 0; - if(crtn) { - CSSM_PERROR("CSSM_DeriveKey", crtn); - goto loser; + size_t expectedKeyLength = CCCryptorGetOutputLength(ciphercc, encKey->Length, true); + cek.Data = PORT_ArenaAlloc(pool, expectedKeyLength); + size_t bytes_output = 0; + rv = CCCryptorUpdate(ciphercc, encKey->Data, encKey->Length, cek.Data, expectedKeyLength, &bytes_output); + if (rv) { + dprintf("CCCryptorUpdate failed: %d\n", (int)rv); + goto out; } - - /* - * Decrypt the encrypted key bits with the KEK key. 
- */ - crtn = CSSM_CSP_CreateSymmetricContext(refCspHand, - kekOid->cssmAlgorithm, - kekMode, - NULL, // access cred - &kekDerive, - &iv, // InitVector - /* FIXME is this variable too? */ - CSSM_PADDING_PKCS7, - NULL, // Params - &ccHand); - if(rv) { - CSSM_PERROR("CSSM_CSP_CreateSymmetricContext", rv); - goto loser; + size_t final_bytes_output = 0; + rv = CCCryptorFinal(ciphercc, cek.Data+bytes_output, expectedKeyLength - bytes_output, &final_bytes_output); + if (rv) { + dprintf("CCCryptorFinal failed: %d\n", (int)rv); + goto out; } - - memset(&wrappedKey, 0, sizeof(CSSM_KEY)); - memset(&unwrappedKey, 0, sizeof(CSSM_KEY)); + cek.Length = bytes_output + final_bytes_output; - bulkAlg = SECOID_FindyCssmAlgorithmByTag(bulkalgtag); - if(bulkAlg == CSSM_ALGID_NONE) { - dprintf("SecCmsUtilDecryptSymKeyECDH: unknown bulk alg\n"); - goto loser; - } - - wrappedKey.KeyHeader.HeaderVersion = CSSM_KEYHEADER_VERSION; - wrappedKey.KeyHeader.BlobType = CSSM_KEYBLOB_WRAPPED; - wrappedKey.KeyHeader.Format = CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS7; - wrappedKey.KeyHeader.AlgorithmId = bulkAlg; - wrappedKey.KeyHeader.KeyClass = CSSM_KEYCLASS_SESSION_KEY; - wrappedKey.KeyHeader.WrapAlgorithmId = kekOid->cssmAlgorithm; - wrappedKey.KeyHeader.WrapMode = CSSM_ALGMODE_NONE; - wrappedKey.KeyData = *encKey; - - crtn = CSSM_UnwrapKey(ccHand, - NULL, /* publicKey */ - &wrappedKey, - CSSM_KEYUSE_DECRYPT, - CSSM_KEYATTR_EXTRACTABLE, - &keyLabel, - NULL, /* rcc */ - &unwrappedKey, - &descriptiveData); - CSSM_DeleteContext(ccHand); - ccHand = 0; - if(crtn) { - CSSM_PERROR("CSSM_UnwrapKey", crtn); - goto loser; + /* create the SecSymmetricKeyRef */ + cekData = CFDataCreate(NULL, cek.Data, cek.Length); + keyType = SECOID_CopyKeyTypeByTag(bulkalgtag); + if (!keyType) { + goto out; } - rv = SecKeyCreateWithCSSMKey(&unwrappedKey, &outKey); - if (rv) { - CSSM_PERROR("SecKeyCreateWithCSSMKey", rv); + cekParams = CFDictionaryCreateMutable(NULL, 1, + &kCFTypeDictionaryKeyCallBacks, + 
&kCFTypeDictionaryValueCallBacks); + if (!cekParams) { + goto out; } - -loser: + CFDictionaryAddValue(cekParams, kSecAttrKeyType, keyType); + outKey = SecKeyCreateFromData(cekParams, cekData, NULL); + +out: if(pool != NULL) { - PORT_FreeArena(pool, PR_FALSE); - } - if(kekDerive.KeyData.Data) { - CSSM_FreeKey(refCspHand, NULL, &kekDerive, CSSM_FALSE); - } + PORT_FreeArena(pool, PR_FALSE); + } + if (theirPubData) { CFRelease(theirPubData); } + if (theirKeyLen) { CFRelease(theirKeyLen); } + if (theirPubKey) { CFRelease(theirPubKey); } + if (theirKeyAttrs) { CFRelease(theirKeyAttrs); } + if (sharedInfoData) { CFRelease(sharedInfoData); } + if (kekLen) { CFRelease(kekLen); } + if (kekParams) { CFRelease(kekParams); } + if (kekData) { CFRelease(kekData); } + if (error) { CFRelease(error); } + if (ciphercc) { CCCryptorRelease(ciphercc); } + if (cekData) { CFRelease(cekData); } + if (keyType) { CFRelease(keyType); } + if (cekParams) { CFRelease(cekParams); } if(outKey == NULL) { - PORT_SetError(SEC_ERROR_NO_KEY); + PORT_SetError(SEC_ERROR_NO_KEY); } return outKey; } - - - diff --git a/OSX/libsecurity_smime/lib/cmsrecinfo.c b/OSX/libsecurity_smime/lib/cmsrecinfo.c index 2d5e39e2..3eb0effb 100644 --- a/OSX/libsecurity_smime/lib/cmsrecinfo.c +++ b/OSX/libsecurity_smime/lib/cmsrecinfo.c @@ -599,8 +599,6 @@ SecCmsRecipientInfoWrapBulkKey(SecCmsRecipientInfoRef ri, SecSymmetricKeyRef bul &kari->ukm, &kari->keyEncAlg, &oiok->id.originatorPublicKey.publicKey); - /* this is a BIT STRING */ - oiok->id.originatorPublicKey.publicKey.Length <<= 3; break; default: 
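Review bot: `CFNumberCreate(NULL, kCFNumberSInt32Type, &theirKeySizeInBits)` reads a `size_t` through an `SInt32` pointer, which only yields the right value on little-endian targets; use an `int32_t` local the way the `ecdh_key_key_len` line below does. The value itself would be the bit length of the encoded ECPoint (520 for an uncompressed P-256 point, given the `<<= 3` the sender now applies), not the curve size that `kSecAttrKeySizeInBits` normally carries, so I would confirm `SecKeyCreateWithData` accepts it or derive the curve size from the point length. The arena that receives the decrypted CEK (`cek.Data = PORT_ArenaAlloc(pool, ...)`) is released with `PORT_FreeArena(pool, PR_FALSE)`, leaving raw key bytes in freed memory; `PORT_FreeArena(pool, PR_TRUE)` zeroes it first, and `PORT_ArenaAlloc`'s NULL return should be checked before `CCCryptorUpdate`. The `if (error)` tests after `SecKeyCreateWithData` and `SecKeyCopyKeyExchangeResult` do not cover a NULL result with no error, and `CFDataGetBytePtr(kekData)` would then dereference NULL. The function starts outside this hunk.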
@@ -688,8 +686,6 @@ SecCmsRecipientInfoUnwrapBulkKey(SecCmsRecipientInfoRef ri, int subIndex, SecCmsOriginatorPublicKey *opk = &oiok->id.originatorPublicKey; /* FIXME - verify opk->algorithmIdentifier here? */ CSSM_DATA senderPubKey = opk->publicKey; - /* Bit string, convert here */ - senderPubKey.Length = (senderPubKey.Length + 7) >> 3; CSSM_DATA_PTR ukm = &kari->ukm; bulkkey = SecCmsUtilDecryptSymKeyECDH(privkey, enckey, ukm, encalg, bulkalgtag, &senderPubKey); break; diff --git a/OSX/libsecurity_smime/lib/cmsreclist.c b/OSX/libsecurity_smime/lib/cmsreclist.c index f9b194bc..cfadee8c 100644 --- a/OSX/libsecurity_smime/lib/cmsreclist.c +++ b/OSX/libsecurity_smime/lib/cmsreclist.c @@ -172,6 +172,7 @@ nss_cms_recipient_list_destroy(SecCmsRecipient **recipient_list) PK11_FreeSlot(recipient->slot); #endif PORT_Free(recipient); + recipient_list[i] = NULL; } PORT_Free(recipient_list); } diff --git a/OSX/libsecurity_smime/lib/cmssigdata.c b/OSX/libsecurity_smime/lib/cmssigdata.c index 6e85d7b5..ebdc1bab 100644 --- a/OSX/libsecurity_smime/lib/cmssigdata.c +++ b/OSX/libsecurity_smime/lib/cmssigdata.c @@ -634,6 +634,10 @@ SecCmsSignedDataDecodeAfterEnd(SecCmsSignedDataRef sigd) SecCmsSignerInfoRef *signerinfos; int i; + if (!sigd) { + return SECFailure; + } + signerinfos = sigd->signerInfos; /* set cmsg and sigd backpointers for all the signerinfos */ 
@@ -772,16 +776,7 @@ SecCmsSignedDataVerifySignerInfo(SecCmsSignedDataRef sigd, int i, contentType = SecCmsContentInfoGetContentTypeOID(cinfo); /* verify signature */ -#if SECTRUST_OSX -#warning STU: <rdar://21328501> - // timestamp policy is currently unsupported; use codesign policy only - #if !NDEBUG - syslog(LOG_ERR, "SecCmsSignedDataVerifySignerInfo: using codesign policy without timestamp verification"); - #endif - CFTypeRef timeStampPolicies=SecPolicyCreateWithProperties(kSecPolicyAppleCodeSigning, NULL); -#else CFTypeRef timeStampPolicies=SecPolicyCreateAppleTimeStampingAndRevocationPolicies(policies); -#endif status = SecCmsSignerInfoVerifyWithPolicy(signerinfo, timeStampPolicies, digest, contentType); CFReleaseSafe(timeStampPolicies); @@ -790,10 +785,6 @@ SecCmsSignedDataVerifySignerInfo(SecCmsSignedDataRef sigd, int i, status2 = SecCmsSignerInfoVerifyCertificate(signerinfo, keychainOrArray, policies, trustRef); dprintf("SecCmsSignedDataVerifySignerInfo: status %d status2 %d\n", (int) status, (int)status2); - if(status || status2) { - syslog(LOG_ERR,"SecCmsSignedDataVerifySignerInfo: status %d status2 %d.", (int) status, (int)status2); - syslog(LOG_ERR,"SecCmsSignedDataVerifySignerInfo: verify status %d", signerinfo->verificationStatus); - } /* The error from SecCmsSignerInfoVerify() supercedes error from SecCmsSignerInfoVerifyCertificate(). */ if (status) return status; @@ -969,7 +960,7 @@ SecCmsSignedDataGetDigestByAlgTag(SecCmsSignedDataRef sigd, SECOidTag algtag) return NULL; } idx = SecCmsAlgArrayGetIndexByAlgTag(sigd->digestAlgorithms, algtag); - return sigd->digests[idx]; + return (idx >= 0) ? sigd->digests[idx] : NULL; } /* diff --git a/OSX/libsecurity_smime/lib/cmssiginfo.c b/OSX/libsecurity_smime/lib/cmssiginfo.c index c2111395..1bc932dc 100644 --- a/OSX/libsecurity_smime/lib/cmssiginfo.c +++ b/OSX/libsecurity_smime/lib/cmssiginfo.c 
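Review bot: With the `SECTRUST_OSX` fallback removed, `SecPolicyCreateAppleTimeStampingAndRevocationPolicies(policies)` is the only source of `timeStampPolicies` on every platform, and its result is passed to `SecCmsSignerInfoVerifyWithPolicy` without a NULL check; if that call can fail (its contract is not visible here), verification would proceed with no timestamp policy rather than reporting an error. A guard such as `if (!timeStampPolicies) { return internalComponentErr; }` before the call, using whatever failure status this function returns, would make dropping the fallback safe. A one-line comment in place of the removed `rdar` warning, saying that timestamp verification is now supported on OS X, would explain why the workaround went away. SecCmsSignedDataVerifySignerInfo starts and ends outside this hunk.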
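Review bot: Removing the two `syslog(LOG_ERR, ...)` lines leaves signature and certificate verification failures reported only through `dprintf`, so if this file compiles `dprintf` out under `NDEBUG` the way cryptohi.c in this same commit does, release builds log nothing when a CMS signature fails to verify. That is a useful audit signal for operators; keeping a single `syslog(LOG_ERR, "SecCmsSignedDataVerifySignerInfo: status %d status2 %d", (int)status, (int)status2);` inside `if (status || status2)` preserves it without the noise the commit is trimming. The same removals appear in cmssiginfo.c at the `-671` and `-689` hunks (arena allocation and attribute-encoding failures). The enclosing function is outside this hunk.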
@@ -501,11 +501,6 @@ loser: SECITEM_FreeItem (&signature, PR_FALSE); if (privkey) SECKEY_DestroyPrivateKey(privkey); - if((algID != NULL) & (algID != &freeAlgID)) { - /* this is dicey - this was actually mallocd by either SecCertificate or - * by SecKey...it all boils down to a free() in the end though. */ - SECOID_DestroyAlgorithmID((SECAlgorithmID *)algID, PR_FALSE); - } if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE); return SECFailure; @@ -671,7 +666,6 @@ SecCmsSignerInfoVerifyWithPolicy(SecCmsSignerInfoRef signerinfo,CFTypeRef timeSt } if ((poolp = PORT_NewArena (1024)) == NULL) { - syslog(LOG_ERR, "SecCmsSignerInfoVerifyWithPolicy: failed to make new Arena %d", PORT_GetError()); vs = SecCmsVSProcessingError; goto loser; } @@ -689,7 +683,6 @@ SecCmsSignerInfoVerifyWithPolicy(SecCmsSignerInfoRef signerinfo,CFTypeRef timeSt if (SecCmsAttributeArrayEncode(poolp, &(signerinfo->authAttr), &encoded_attrs) == NULL || encoded_attrs.Data == NULL || encoded_attrs.Length == 0) { - syslog(LOG_ERR, "SecCmsSignerInfoVerifyWithPolicy: failed to encode attributes"); vs = SecCmsVSProcessingError; goto loser; } diff --git a/OSX/libsecurity_smime/lib/cmsutil.c b/OSX/libsecurity_smime/lib/cmsutil.c index 73587d85..c0f89054 100644 --- a/OSX/libsecurity_smime/lib/cmsutil.c +++ b/OSX/libsecurity_smime/lib/cmsutil.c @@ -269,12 +269,18 @@ SecCmsUtilMakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg) } case SEC_OID_EC_PUBLIC_KEY: switch(hashalg) { - /* + /* * Note this is only used when signing and verifying signed attributes, * In which case we really do want the combined ECDSA_WithSHA1 alg... */ case SEC_OID_SHA1: return SEC_OID_ECDSA_WithSHA1; + case SEC_OID_SHA256: + return SEC_OID_ECDSA_WITH_SHA256; + case SEC_OID_SHA384: + return SEC_OID_ECDSA_WITH_SHA384; + case SEC_OID_SHA512: + return SEC_OID_ECDSA_WITH_SHA512; default: return SEC_OID_UNKNOWN; } diff --git a/OSX/libsecurity_smime/lib/cryptohi.c b/OSX/libsecurity_smime/lib/cryptohi.c index d80963c0..4f39abf4 100644 
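Review bot: In the `@@ -269` hunk of cmsutil.c the comment kept above `case SEC_OID_SHA1:` still says the function wants "the combined ECDSA_WithSHA1 alg", which is now true of only one of the four cases beneath it; rewording it to `/* Only used when signing/verifying signed attributes, where the combined ECDSA-with-<hash> OID for the given digest is what is wanted. */` keeps it honest for the new SHA-256/384/512 cases. SecCmsUtilMakeSignatureAlgorithm continues outside the hunk.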
--- a/OSX/libsecurity_smime/lib/cryptohi.c +++ b/OSX/libsecurity_smime/lib/cryptohi.c @@ -43,6 +43,18 @@ #include <Security/SecKeyPriv.h> #include <Security/cssmapple.h> +#if !USE_CDSA_CRYPTO +#include <Security/SecItem.h> +#endif + +#ifdef NDEBUG +#define CSSM_PERROR(f, r) +#define dprintf(args...) +#else +#define CSSM_PERROR(f, r) cssmPerror(f, r) +#define dprintf(args...) fprintf(stderr, args) +#endif + static CSSM_CSP_HANDLE gCsp = 0; static char gCssmInitialized = 0; @@ -92,6 +104,63 @@ loser: return gCsp; } +OSStatus cmsNullWrapKey(SecKeyRef refKey, + CSSM_KEY_PTR rawKey) +{ + CSSM_DATA descData = {0, 0}; + CSSM_RETURN crtn; + CSSM_CC_HANDLE ccHand; + CSSM_ACCESS_CREDENTIALS creds; + CSSM_CSP_HANDLE refCspHand = CSSM_INVALID_HANDLE; + const CSSM_KEY *cssmKey = NULL; + uint32 keyAttr; + + memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS)); + memset(rawKey, 0, sizeof(CSSM_KEY)); + + crtn = SecKeyGetCSSMKey(refKey, &cssmKey); + if(crtn) { + CSSM_PERROR("SecKeyGetCSSMKey", crtn); + goto loser; + } + crtn = SecKeyGetCSPHandle(refKey, &refCspHand); + if(crtn) { + CSSM_PERROR("SecKeyGetCSPHandle", crtn); + goto loser; + } + + crtn = CSSM_CSP_CreateSymmetricContext(refCspHand, + CSSM_ALGID_NONE, + CSSM_ALGMODE_NONE, + &creds, + NULL, // unwrappingKey + NULL, // initVector + CSSM_PADDING_NONE, + 0, // Params + &ccHand); + if(crtn) { + CSSM_PERROR("CSSM_CSP_CreateSymmetricContext", crtn); + return crtn; + } + + keyAttr = rawKey->KeyHeader.KeyAttr; + keyAttr &= ~(CSSM_KEYATTR_ALWAYS_SENSITIVE | CSSM_KEYATTR_NEVER_EXTRACTABLE | + CSSM_KEYATTR_MODIFIABLE); + keyAttr |= CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE; + crtn = CSSM_WrapKey(ccHand, + &creds, + cssmKey, + &descData, + rawKey); + if(crtn != CSSM_OK) { + CSSM_PERROR("CSSM_WrapKey", crtn); + } + CSSM_DeleteContext(ccHand); + +loser: + return crtn; +} + CSSM_ALGORITHMS SECOID_FindyCssmAlgorithmByTag(SECOidTag algTag) { 
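Review bot: `keyAttr` in cmsNullWrapKey is read from a header that `memset(rawKey, 0, ...)` has just zeroed, masked, or'ed with CSSM_KEYATTR_RETURN_DATA | CSSM_KEYATTR_EXTRACTABLE, and then never used, so the three lines are dead; either delete them or, if they were meant to shape the output header, say which call is supposed to consume them. The function also hands back plaintext key material in `rawKey->KeyData` that the caller must release, and neither the body nor the prototype comment added in cryptohi.h says so; a line above the definition such as `/* On success rawKey->KeyData holds the plaintext key bytes, allocated by the CSP; the caller must CSSM_FreeKey() it via the key's CSP handle. */` would make the ownership explicit (presumably CSSM_FreeKey with the handle from SecKeyGetCSPHandle, as the function itself obtains). The `return crtn;` on the CSSM_CSP_CreateSymmetricContext failure path bypasses the `loser:` label the other failures use, which is harmless today but easy to trip over if cleanup is ever added there.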
@@ -99,140 +168,263 @@ SECOID_FindyCssmAlgorithmByTag(SECOidTag algTag) return oidData ? oidData->cssmAlgorithm : CSSM_ALGID_NONE; } -static SECStatus SEC_CssmRtnToSECStatus(CSSM_RETURN rv) -{ - CSSM_RETURN crtn = CSSM_ERRCODE(rv); - switch(crtn) { - case CSSM_ERRCODE_USER_CANCELED: - case CSSM_ERRCODE_OPERATION_AUTH_DENIED: - case CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED: - return SEC_ERROR_USER_CANCELLED; - case CSSM_ERRCODE_NO_USER_INTERACTION: - return SEC_ERROR_NO_USER_INTERACTION; - case CSSMERR_CSP_KEY_USAGE_INCORRECT: - return SEC_ERROR_INADEQUATE_KEY_USAGE; - default: - fprintf(stderr, "CSSM_SignData returned: %08X\n", (uint32_t)rv); - return SEC_ERROR_LIBRARY_FAILURE; + +static void SEC_PrintCFError(CFErrorRef CF_RELEASES_ARGUMENT error) { + if (error) { + CFStringRef errorDesc = CFErrorCopyDescription(error); + fprintf(stderr, "SecKey API returned: %ld, %s", CFErrorGetCode(error), + errorDesc ? CFStringGetCStringPtr(errorDesc, kCFStringEncodingUTF8) : ""); + CFRelease(error); + if (errorDesc) { CFRelease(errorDesc); } } -} -SECStatus -SEC_SignData(SECItem *result, unsigned char *buf, int len, - SecPrivateKeyRef pk, SECOidTag digAlgTag, SECOidTag sigAlgTag) -{ - const CSSM_ACCESS_CREDENTIALS *accessCred; - CSSM_ALGORITHMS algorithm; - CSSM_CC_HANDLE cc = 0; - CSSM_CSP_HANDLE csp; - OSStatus rv; - CSSM_DATA dataBuf = { (uint32)len, (uint8 *)buf }; - CSSM_DATA sig = {}; - const CSSM_KEY *key; +} - algorithm = SECOID_FindyCssmAlgorithmByTag(SecCmsUtilMakeSignatureAlgorithm(digAlgTag, sigAlgTag)); - if (!algorithm) - { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - rv = SECFailure; - goto loser; +/* The new SecKey API has made this very painful */ +static SecKeyAlgorithm SECOID_FindSecKeyAlgorithmByTags(SECOidTag sigAlgTag, SECOidTag digAlgTag, bool isDigest) { + switch(sigAlgTag) { + case(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION): + if (digAlgTag == SEC_OID_MD5) { + return ((isDigest) ? 
kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5 : + kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5); + } + break; + case(SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION): + if (digAlgTag == SEC_OID_SHA1) { + return ((isDigest) ? kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 + : kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1); + } + break; + case(SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION): + if (digAlgTag == SEC_OID_SHA256) { + return ((isDigest) ? kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 + : kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256); + } + break; + case(SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION): + if (digAlgTag == SEC_OID_SHA384) { + return ((isDigest) ? kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 + : kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384); + } + break; + case(SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION): + if (digAlgTag == SEC_OID_SHA512) { + return ((isDigest) ? kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 + : kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512); + } + break; + case(SEC_OID_PKCS1_RSA_ENCRYPTION): + switch (digAlgTag) { + case (SEC_OID_MD5): + return ((isDigest) ? kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5 : + kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5); + case(SEC_OID_SHA1): + return ((isDigest) ? kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 + : kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1); + case(SEC_OID_SHA256): + return ((isDigest) ? kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 + : kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256); + case(SEC_OID_SHA384): + return ((isDigest) ? kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 + : kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384); + case(SEC_OID_SHA512): + return ((isDigest) ? kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 + : kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512); + default: + return NULL; + } + case(SEC_OID_ECDSA_WithSHA1): + if (digAlgTag == SEC_OID_SHA1) { + return ((isDigest) ? 
kSecKeyAlgorithmECDSASignatureDigestX962 + : kSecKeyAlgorithmECDSASignatureMessageX962SHA1); + } + break; + case(SEC_OID_ECDSA_WITH_SHA256): + if (digAlgTag == SEC_OID_SHA256) { + return ((isDigest) ? kSecKeyAlgorithmECDSASignatureDigestX962 + : kSecKeyAlgorithmECDSASignatureMessageX962SHA256); + } + break; + case(SEC_OID_ECDSA_WITH_SHA384): + if (digAlgTag == SEC_OID_SHA384) { + return ((isDigest) ? kSecKeyAlgorithmECDSASignatureDigestX962 + : kSecKeyAlgorithmECDSASignatureMessageX962SHA384); + } + break; + case(SEC_OID_ECDSA_WITH_SHA512): + if (digAlgTag == SEC_OID_SHA512) { + return ((isDigest) ? kSecKeyAlgorithmECDSASignatureDigestX962 + : kSecKeyAlgorithmECDSASignatureMessageX962SHA512); + } + break; + case(SEC_OID_EC_PUBLIC_KEY): + case(SEC_OID_SECP_256_R1): + case(SEC_OID_SECP_384_R1): + case(SEC_OID_SECP_521_R1): + switch (digAlgTag) { + case(SEC_OID_SHA1): + return ((isDigest) ? kSecKeyAlgorithmECDSASignatureDigestX962 + : kSecKeyAlgorithmECDSASignatureMessageX962SHA1); + case(SEC_OID_SHA256): + return ((isDigest) ? kSecKeyAlgorithmECDSASignatureDigestX962 + : kSecKeyAlgorithmECDSASignatureMessageX962SHA256); + case(SEC_OID_SHA384): + return ((isDigest) ? kSecKeyAlgorithmECDSASignatureDigestX962 + : kSecKeyAlgorithmECDSASignatureMessageX962SHA384); + case(SEC_OID_SHA512): + return ((isDigest) ? 
kSecKeyAlgorithmECDSASignatureDigestX962 + : kSecKeyAlgorithmECDSASignatureMessageX962SHA512); + default: + return NULL; + } + default: + return NULL; } + return NULL; +} - rv = SecKeyGetCSPHandle(pk, &csp); - if (rv) { - PORT_SetError(SEC_ERROR_BAD_KEY); - goto loser; +CFStringRef SECOID_CopyKeyTypeByTag(SECOidTag tag) { + CFStringRef keyType = NULL; + + switch(tag) { + case(SEC_OID_RC2_CBC): + case(SEC_OID_CMS_RC2_KEY_WRAP): + keyType = kSecAttrKeyTypeRC2; + break; + case(SEC_OID_RC4): + keyType = kSecAttrKeyTypeRC4; + break; + case(SEC_OID_DES_ECB): + case(SEC_OID_DES_CBC): + case(SEC_OID_DES_OFB): + case(SEC_OID_DES_CFB): + keyType = kSecAttrKeyTypeDES; + break; + case(SEC_OID_DES_EDE): + case(SEC_OID_DES_EDE3_CBC): + case(SEC_OID_CMS_3DES_KEY_WRAP): + keyType = kSecAttrKeyType3DES; + break; + case(SEC_OID_AES_128_ECB): + case(SEC_OID_AES_128_CBC): + case(SEC_OID_AES_192_ECB): + case(SEC_OID_AES_192_CBC): + case(SEC_OID_AES_256_ECB): + case(SEC_OID_AES_256_CBC): + case(SEC_OID_AES_128_KEY_WRAP): + case(SEC_OID_AES_192_KEY_WRAP): + case(SEC_OID_AES_256_KEY_WRAP): + keyType = kSecAttrKeyTypeAES; + break; + default: + keyType = NULL; } - rv = SecKeyGetCSSMKey(pk, &key); - if (rv) { - PORT_SetError(SEC_ERROR_BAD_KEY); - goto loser; + + return keyType; +} + +static SECStatus SGN_SignAll(uint8_t *buf, size_t len, + SecPrivateKeyRef pk, SECItem *resultSignature, + SECOidTag digAlgTag, SECOidTag sigAlgTag, + bool isDigest) { + OSStatus rv = SECFailure; + CFDataRef signature = NULL, dataToSign = NULL; + CFErrorRef error = NULL; + SecKeyAlgorithm keyAlg = NULL; + + keyAlg = SECOID_FindSecKeyAlgorithmByTags(sigAlgTag, digAlgTag, isDigest); + + /* we no longer support signing with MD5 */ + if (keyAlg == kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5 || + keyAlg == kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5) { + fprintf(stderr, "CMS signature failed: MD5 algorithm is disallowed for generating signatures."); + rv = SEC_ERROR_INVALID_ALGORITHM; + goto out; } - rv = 
SecKeyGetCredentials(pk, CSSM_ACL_AUTHORIZATION_SIGN, kSecCredentialTypeDefault, &accessCred); - if (rv) { - PORT_SetError(SEC_ERROR_BAD_KEY); - goto loser; + + if (keyAlg == NULL) { + rv = SEC_ERROR_INVALID_ALGORITHM; + goto out; } - rv = CSSM_CSP_CreateSignatureContext(csp, algorithm, accessCred, key, &cc); - if (rv) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - goto loser; + dataToSign = CFDataCreate(NULL, buf, len); + if (!dataToSign) { + goto out; } - rv = CSSM_SignData(cc, &dataBuf, 1, CSSM_ALGID_NONE, &sig); - if (rv) { - SECErrorCodes code = SEC_CssmRtnToSECStatus(rv); - PORT_SetError(code); - goto loser; + signature = SecKeyCreateSignature(pk, keyAlg, dataToSign, &error); + if (!signature) { + goto out; } - result->Length = sig.Length; - result->Data = sig.Data; + CFIndex signatureLength = CFDataGetLength(signature); + if (signatureLength < 0 || signatureLength > 1024) { + goto out; + } + resultSignature->Data = (uint8_t *)malloc(signatureLength); + if (!resultSignature->Data) { + goto out; + } -loser: - if (cc) - CSSM_DeleteContext(cc); + memcpy(resultSignature->Data, CFDataGetBytePtr(signature), signatureLength); + resultSignature->Length = signatureLength; + rv = SECSuccess; +out: + if (signature) { CFRelease(signature); } + if (dataToSign) {CFRelease(dataToSign); } + SEC_PrintCFError(error); + if (rv) { + PORT_SetError(rv); + } return rv; } +SECStatus +SEC_SignData(SECItem *result, unsigned char *buf, int len, + SecPrivateKeyRef pk, SECOidTag digAlgTag, SECOidTag sigAlgTag) +{ + return SGN_SignAll(buf, len, pk, result, digAlgTag, sigAlgTag, false); +} + SECStatus SGN_Digest(SecPrivateKeyRef pk, SECOidTag digAlgTag, SECOidTag sigAlgTag, SECItem *result, SECItem *digest) { - const CSSM_ACCESS_CREDENTIALS *accessCred; - CSSM_ALGORITHMS digalg, sigalg; - CSSM_CC_HANDLE cc = 0; - CSSM_CSP_HANDLE csp; - const CSSM_KEY *key; - CSSM_DATA sig = {}; - OSStatus rv; + return SGN_SignAll(digest->Data, digest->Length, pk, result, digAlgTag, sigAlgTag, true); +} - digalg 
= SECOID_FindyCssmAlgorithmByTag(digAlgTag); - sigalg = SECOID_FindyCssmAlgorithmByTag(sigAlgTag); - if (!digalg || !sigalg) - { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - rv = SECFailure; - goto loser; +static SECStatus VFY_VerifyAll(uint8_t *buf, size_t len, + SecPublicKeyRef pk, SECItem *sig, + SECOidTag digAlgTag, SECOidTag sigAlgTag, + bool isDigest) { + OSStatus rv = SECFailure; + CFDataRef signature = NULL, data = NULL; + CFErrorRef error = NULL; + SecKeyAlgorithm keyAlg = NULL; + + signature = CFDataCreate(NULL, sig->Data, sig->Length); + data = CFDataCreate(NULL, buf, len); + if (!signature || !data) { + goto out; } - rv = SecKeyGetCSPHandle(pk, &csp); - if (rv) { - PORT_SetError(SEC_ERROR_BAD_KEY); - goto loser; - } - rv = SecKeyGetCSSMKey(pk, &key); - if (rv) { - PORT_SetError(SEC_ERROR_BAD_KEY); - goto loser; - } - rv = SecKeyGetCredentials(pk, CSSM_ACL_AUTHORIZATION_SIGN, kSecCredentialTypeDefault, &accessCred); - if (rv) { - PORT_SetError(SEC_ERROR_BAD_KEY); - goto loser; + keyAlg = SECOID_FindSecKeyAlgorithmByTags(sigAlgTag, digAlgTag, isDigest); + if (keyAlg == NULL) { + rv = SEC_ERROR_INVALID_ALGORITHM; + goto out; } - rv = CSSM_CSP_CreateSignatureContext(csp, sigalg, accessCred, key, &cc); - if (rv) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - goto loser; + if(SecKeyVerifySignature(pk, keyAlg, data, signature, &error)) { + rv = SECSuccess; } - rv = CSSM_SignData(cc, digest, 1, digalg, &sig); +out: + if (signature) { CFRelease(signature); } + if (data) { CFRelease(data); } + SEC_PrintCFError(error); if (rv) { - SECErrorCodes code = SEC_CssmRtnToSECStatus(rv); - PORT_SetError(code); - goto loser; + PORT_SetError(rv); } - - result->Length = sig.Length; - result->Data = sig.Data; - -loser: - if (cc) - CSSM_DeleteContext(cc); - return rv; } 
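Review bot: `CFStringGetCStringPtr` in SEC_PrintCFError may return NULL even when errorDesc is valid (it only succeeds when an in-place buffer in the requested encoding exists), and that NULL is then passed to `%s`, which is undefined behaviour on top of a format string with no trailing newline; fetch the pointer first and substitute: `const char *desc = errorDesc ? CFStringGetCStringPtr(errorDesc, kCFStringEncodingUTF8) : NULL;` then `fprintf(stderr, "SecKey API returned: %ld, %s\n", (long)CFErrorGetCode(error), desc ? desc : "");`. SECOID_CopyKeyTypeByTag returns the kSecAttrKeyType* constants without CFRetain, so its Copy prefix promises a +1 reference it does not deliver, and the `CFRelease(keyType)` in WRAP_PubUnwrapSymKey (the `@@ -320` hunk) and the prototype added to cryptohi.h inherit the mismatch; either CFRetain before `return keyType;` or rename it to a Get-style name and drop the release. The MD5 refusal in SGN_SignAll has no counterpart in VFY_VerifyAll, so MD5-with-RSA (and SHA-1) signatures are still accepted on verification; if that is intentional for compatibility, a comment in VFY_VerifyAll saying so would spare the next reader the search. SEC_SignData also forwards its `int len` unchecked into the `size_t len` of SGN_SignAll, so a negative length becomes a huge count before CFDataCreate sees it.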
@@ -241,78 +433,16 @@ VFY_VerifyData(unsigned char *buf, int len, SecPublicKeyRef pk, SECItem *sig, SECOidTag digAlgTag, SECOidTag sigAlgTag, void *wincx) { - SECOidTag algTag; - CSSM_ALGORITHMS algorithm; - CSSM_CC_HANDLE cc = 0; - CSSM_CSP_HANDLE csp; - OSStatus rv = SECFailure; - CSSM_DATA dataBuf = { (uint32)len, (uint8 *)buf }; - const CSSM_KEY *key; - - algTag = SecCmsUtilMakeSignatureAlgorithm(digAlgTag, sigAlgTag); - algorithm = SECOID_FindyCssmAlgorithmByTag(algTag); - if (!algorithm) - { - rv = algTag == SEC_OID_UNKNOWN ? SecCmsVSSignatureAlgorithmUnknown : SecCmsVSSignatureAlgorithmUnsupported; - goto loser; - } - - rv = SecKeyGetCSPHandle(pk, &csp); - if (rv) - goto loser; - rv = SecKeyGetCSSMKey(pk, &key); - if (rv) - goto loser; - - rv = CSSM_CSP_CreateSignatureContext(csp, algorithm, NULL, key, &cc); - if (rv) - goto loser; - - rv = CSSM_VerifyData(cc, &dataBuf, 1, CSSM_ALGID_NONE, sig); - -loser: - if (cc) - CSSM_DeleteContext(cc); - - return rv; + return VFY_VerifyAll(buf, len, pk, sig, + digAlgTag, sigAlgTag, false); } SECStatus VFY_VerifyDigest(SECItem *digest, SecPublicKeyRef pk, SECItem *sig, SECOidTag digAlgTag, SECOidTag sigAlgTag, void *wincx) { - CSSM_ALGORITHMS sigalg, digalg; - CSSM_CC_HANDLE cc = 0; - CSSM_CSP_HANDLE csp; - const CSSM_KEY *key; - OSStatus rv; - - digalg = SECOID_FindyCssmAlgorithmByTag(digAlgTag); - sigalg = SECOID_FindyCssmAlgorithmByTag(sigAlgTag); - if (!digalg || !sigalg) - { - rv = digAlgTag == SEC_OID_UNKNOWN || sigAlgTag == SEC_OID_UNKNOWN ? 
SecCmsVSSignatureAlgorithmUnknown : SecCmsVSSignatureAlgorithmUnsupported; - goto loser; - } - - rv = SecKeyGetCSPHandle(pk, &csp); - if (rv) - goto loser; - rv = SecKeyGetCSSMKey(pk, &key); - if (rv) - goto loser; - - rv = CSSM_CSP_CreateSignatureContext(csp, sigalg, NULL, key, &cc); - if (rv) - goto loser; - - rv = CSSM_VerifyData(cc, digest, 1, digalg, sig); - -loser: - if (cc) - CSSM_DeleteContext(cc); - - return rv; + return VFY_VerifyAll(digest->Data, digest->Length, pk, sig, + digAlgTag, sigAlgTag, true); } SECStatus 
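Review bot: VFY_VerifyData forwards its `int len` as the `size_t len` of VFY_VerifyAll, so a negative length becomes a huge size before CFDataCreate sees it; `if (len < 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }` at the top of the wrapper closes that, and SEC_SignData in the `@@ -99` hunk has the same hand-off. The two wrappers also collapse what used to be distinct return values into the SEC_ERROR_INVALID_ALGORITHM that VFY_VerifyAll sets — the replaced bodies returned SecCmsVSSignatureAlgorithmUnknown or SecCmsVSSignatureAlgorithmUnsupported depending on which tag was unknown — so any caller switching on those two values (none visible here) now takes a different branch. `wincx` is unused in both wrappers; if it stays for API compatibility, `(void)wincx; /* kept for API compatibility */` answers the question before it is asked.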
@@ -320,233 +450,61 @@ WRAP_PubWrapSymKey(SecPublicKeyRef publickey, SecSymmetricKeyRef bulkkey, CSSM_DATA_PTR encKey) { - CSSM_WRAP_KEY wrappedKey = {}; - //CSSM_WRAP_KEY wrappedPk = {} - //CSSM_KEY upk = {}; - CSSM_CC_HANDLE cc = 0; - CSSM_CSP_HANDLE pkCsp, bkCsp; - const CSSM_KEY *pk, *bk, *pubkey; OSStatus rv; - CSSM_ACCESS_CREDENTIALS accessCred = {}; - - rv = SecKeyGetCSPHandle(publickey, &pkCsp); - if (rv) - goto loser; - rv = SecKeyGetCSSMKey(publickey, &pk); - if (rv) - goto loser; - - rv = SecKeyGetCSPHandle(bulkkey, &bkCsp); - if (rv) - goto loser; - rv = SecKeyGetCSSMKey(bulkkey, &bk); - if (rv) - goto loser; - -#if 1 - pubkey = pk; -#else - /* We need to get the publickey out of it's pkCsp and into the bkCsp so we can operate with it. */ - - /* Make a NULL wrap symmetric context to extract the public key from pkCsp. */ - rv = CSSM_CSP_CreateSymmetricContext(pkCsp, - CSSM_ALGID_NONE, - CSSM_MODE_NONE, - NULL, /* accessCred */ - NULL, /* key */ - NULL, /* iv */ - CSSM_PADDING_NONE, - NULL, /* reserved */ - &cc); - if (rv) - goto loser; - rv = CSSM_WrapKey(cc, - NULL /* accessCred */, - pk, - NULL /* descriptiveData */, - &wrappedPk); - CSSM_DeleteContext(cc); - cc = 0; - - /* Make a NULL unwrap symmetric context to import the public key into bkCsp. */ - rv = CSSM_CSP_CreateSymmetricContext(bkCsp, - CSSM_ALGID_NONE, - CSSM_MODE_NONE, - NULL, /* accessCred */ - NULL, /* key */ - NULL, /* iv */ - CSSM_PADDING_NONE, - NULL, /* reserved */ - &cc); - if (rv) - goto loser; - rv = CSSM_UnwrapKey(cc, NULL, &wrappedPk, usage, attr, NULL /* label */, NULL /* rcc */, &upk, NULL /* descriptiveData */); - CSSM_DeleteContext(cc); - cc = 0; - - pubkey = &upk; -#endif + CSSM_KEY bk; - rv = CSSM_CSP_CreateAsymmetricContext(bkCsp, - pubkey->KeyHeader.AlgorithmId, - &accessCred, - pubkey, - CSSM_PADDING_PKCS1, - &cc); - if (rv) - goto loser; - - { - /* Set the wrapped key format to indicate we want just the raw bits encrypted. 
*/ - CSSM_CONTEXT_ATTRIBUTE contextAttribute = { CSSM_ATTRIBUTE_WRAPPED_KEY_FORMAT, sizeof(uint32) }; - contextAttribute.Attribute.Uint32 = CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS7; - rv = CSSM_UpdateContextAttributes(cc, 1, &contextAttribute); - if (rv) - goto loser; - } - - { - /* Set the mode to CSSM_ALGMODE_PKCS1_EME_V15. */ - CSSM_CONTEXT_ATTRIBUTE contextAttribute = { CSSM_ATTRIBUTE_MODE, sizeof(uint32) }; - contextAttribute.Attribute.Uint32 = CSSM_ALGMODE_NONE; /* CSSM_ALGMODE_PKCS1_EME_V15 */ - rv = CSSM_UpdateContextAttributes(cc, 1, &contextAttribute); - if (rv) - goto loser; - } - - { - // @@@ Stick in an empty initVector to work around a csp bug. - CSSM_DATA initVector = {}; - CSSM_CONTEXT_ATTRIBUTE contextAttribute = { CSSM_ATTRIBUTE_INIT_VECTOR, sizeof(CSSM_DATA_PTR) }; - contextAttribute.Attribute.Data = &initVector; - rv = CSSM_UpdateContextAttributes(cc, 1, &contextAttribute); - if (rv) - goto loser; + rv = cmsNullWrapKey(bulkkey, &bk); + if (rv) { + return rv; } - rv = CSSM_WrapKey(cc, - &accessCred, - bk, - NULL, /* descriptiveData */ - &wrappedKey); - if (rv) - goto loser; - - // @@@ Fix leaks! 
- if (encKey->Length < wrappedKey.KeyData.Length) - abort(); - encKey->Length = wrappedKey.KeyData.Length; - memcpy(encKey->Data, wrappedKey.KeyData.Data, encKey->Length); - CSSM_FreeKey(bkCsp, NULL /* credentials */, &wrappedKey, FALSE); - -loser: - if (cc) - CSSM_DeleteContext(cc); - - return rv; + return SecKeyEncrypt(publickey, kSecPaddingPKCS1, + bk.KeyData.Data, bk.KeyData.Length, + encKey->Data, &encKey->Length); } + SecSymmetricKeyRef WRAP_PubUnwrapSymKey(SecPrivateKeyRef privkey, CSSM_DATA_PTR encKey, SECOidTag bulkalgtag) { - SecSymmetricKeyRef bulkkey = NULL; - CSSM_WRAP_KEY wrappedKey = {}; - CSSM_CC_HANDLE cc = 0; - CSSM_CSP_HANDLE pkCsp; - const CSSM_KEY *pk; - CSSM_KEY unwrappedKey = {}; - const CSSM_ACCESS_CREDENTIALS *accessCred; - CSSM_DATA descriptiveData = {}; - CSSM_ALGORITHMS bulkalg; - OSStatus rv; - - rv = SecKeyGetCSPHandle(privkey, &pkCsp); - if (rv) - goto loser; - rv = SecKeyGetCSSMKey(privkey, &pk); - if (rv) - goto loser; - rv = SecKeyGetCredentials(privkey, - CSSM_ACL_AUTHORIZATION_DECRYPT, /* @@@ Should be UNWRAP */ - kSecCredentialTypeDefault, - &accessCred); - if (rv) - goto loser; - - bulkalg = SECOID_FindyCssmAlgorithmByTag(bulkalgtag); - if (!bulkalg) - { - rv = SEC_ERROR_INVALID_ALGORITHM; - goto loser; + CFDataRef encryptedKey = NULL, bulkkey = NULL; + CFMutableDictionaryRef keyparams = NULL; + CFStringRef keyType = NULL; + CFErrorRef error = NULL; + SecSymmetricKeyRef bk = NULL; + + /* decrypt the key */ + encryptedKey = CFDataCreate(NULL, encKey->Data, encKey->Length); + if (!encryptedKey) { + goto out; } - rv = CSSM_CSP_CreateAsymmetricContext(pkCsp, - pk->KeyHeader.AlgorithmId, - accessCred, - pk, - CSSM_PADDING_PKCS1, - &cc); - if (rv) - goto loser; - - { - // @@@ Stick in an empty initvector to work around a csp bug. 
- CSSM_DATA initVector = {}; - CSSM_CONTEXT_ATTRIBUTE contextAttribute = { CSSM_ATTRIBUTE_INIT_VECTOR, sizeof(CSSM_DATA_PTR) }; - contextAttribute.Attribute.Data = &initVector; - rv = CSSM_UpdateContextAttributes(cc, 1, &contextAttribute); - if (rv) - goto loser; + bulkkey = SecKeyCreateDecryptedData(privkey, kSecKeyAlgorithmRSAEncryptionPKCS1, encryptedKey, &error); + if (!bulkkey) { + goto out; } - wrappedKey.KeyHeader.HeaderVersion = CSSM_KEYHEADER_VERSION; - wrappedKey.KeyHeader.BlobType = CSSM_KEYBLOB_WRAPPED; - wrappedKey.KeyHeader.Format = CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS7; - wrappedKey.KeyHeader.AlgorithmId = bulkalg; - wrappedKey.KeyHeader.KeyClass = CSSM_KEYCLASS_SESSION_KEY; - wrappedKey.KeyHeader.WrapAlgorithmId = pk->KeyHeader.AlgorithmId; - wrappedKey.KeyHeader.WrapMode = CSSM_ALGMODE_NONE; /* CSSM_ALGMODE_PKCS1_EME_V15 */ - wrappedKey.KeyData = *encKey; - - rv = CSSM_UnwrapKey(cc, - NULL, /* publicKey */ - &wrappedKey, - CSSM_KEYUSE_DECRYPT, - CSSM_KEYATTR_EXTRACTABLE /* | CSSM_KEYATTR_RETURN_DATA */, - NULL, /* keyLabel */ - NULL, /* rcc */ - &unwrappedKey, - &descriptiveData); - if (rv) { - SECErrorCodes code; - if (CSSM_ERRCODE(rv) == CSSM_ERRCODE_USER_CANCELED - || CSSM_ERRCODE(rv) == CSSM_ERRCODE_OPERATION_AUTH_DENIED - || CSSM_ERRCODE(rv) == CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED) - code = SEC_ERROR_USER_CANCELLED; - else if (CSSM_ERRCODE(rv) == CSSM_ERRCODE_NO_USER_INTERACTION - || rv == CSSMERR_CSP_KEY_USAGE_INCORRECT) - code = SEC_ERROR_INADEQUATE_KEY_USAGE; - else - { - fprintf(stderr, "CSSM_UnwrapKey returned: %08X\n", (uint32_t)rv); - code = SEC_ERROR_LIBRARY_FAILURE; - } - - PORT_SetError(code); - goto loser; + /* create the SecSymmetricKeyRef */ + keyType = SECOID_CopyKeyTypeByTag(bulkalgtag); + if (!keyType) { + goto out; } - // @@@ Export this key from the csp/dl and import it to the standard csp - rv = SecKeyCreateWithCSSMKey(&unwrappedKey, &bulkkey); - if (rv) - goto loser; - -loser: - if (rv) - PORT_SetError(rv); + keyparams = 
CFDictionaryCreateMutable(NULL, 1, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + if (!keyparams) { + goto out; + } - if (cc) - CSSM_DeleteContext(cc); + CFDictionaryAddValue(keyparams, kSecAttrKeyType, keyType); + bk = SecKeyCreateFromData(keyparams, bulkkey, NULL); - return bulkkey; +out: + if (encryptedKey) { CFRelease(encryptedKey); } + if (bulkkey) { CFRelease(bulkkey); } + if (keyparams) { CFRelease(keyparams); } + if (keyType) { CFRelease(keyType); } + SEC_PrintCFError(error); + return bk; } diff --git a/OSX/libsecurity_smime/lib/cryptohi.h b/OSX/libsecurity_smime/lib/cryptohi.h index f140c4ca..749c755a 100644 --- a/OSX/libsecurity_smime/lib/cryptohi.h +++ b/OSX/libsecurity_smime/lib/cryptohi.h @@ -137,6 +137,14 @@ extern SECStatus WRAP_PubWrapSymKey(SecPublicKeyRef publickey, extern SecSymmetricKeyRef WRAP_PubUnwrapSymKey(SecPrivateKeyRef privkey, CSSM_DATA_PTR encKey, SECOidTag bulkalgtag); +CFStringRef SECOID_CopyKeyTypeByTag(SECOidTag tag); + +/* + * NULL wrap a ref key to raw key in default format. + * The utility of this function is that it rescues the actual data content + * of the SecSymmetricKeyRef so that we can encrypt it. + */ +OSStatus cmsNullWrapKey(SecKeyRef refKey, CSSM_KEY_PTR rawKey); SEC_END_PROTOS diff --git a/OSX/libsecurity_smime/lib/smimeutil.c b/OSX/libsecurity_smime/lib/smimeutil.c index eacec1a0..989d27d5 100644 --- a/OSX/libsecurity_smime/lib/smimeutil.c +++ b/OSX/libsecurity_smime/lib/smimeutil.c @@ -366,6 +366,8 @@ nss_SMIME_FindCipherForSMIMECap(NSSSMIMECapability *cap) return smime_cipher_map[i].cipher; /* match found, point to cipher */ } +static int smime_keysize_by_cipher (unsigned long which); + /* * smime_choose_cipher - choose a cipher that works for all the recipients * 
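Review bot: WRAP_PubWrapSymKey never releases the CSSM_KEY that cmsNullWrapKey fills in, so the plaintext session key bytes in `bk.KeyData` stay allocated after the RSA encryption on both the success path and the SecKeyEncrypt-failure path; the replaced body freed its wrapped key through the bulk key's CSP, and the new one needs the same, using SecKeyGetCSPHandle as cmsNullWrapKey itself does. In WRAP_PubUnwrapSymKey the error from `SecKeyCreateFromData(keyparams, bulkkey, NULL)` is discarded, so a key-type/length mismatch surfaces only as a NULL return with nothing logged; passing `&error` there lets the existing SEC_PrintCFError call report it. The rewrite below assumes the CDSA calls that cmsNullWrapKey already relies on are available in this build configuration.
```c
    OSStatus rv;
    CSSM_KEY bk;
    CSSM_CSP_HANDLE bkCsp = CSSM_INVALID_HANDLE;

    rv = cmsNullWrapKey(bulkkey, &bk);
    if (rv) {
        return rv;
    }

    rv = SecKeyEncrypt(publickey, kSecPaddingPKCS1,
                       bk.KeyData.Data, bk.KeyData.Length,
                       encKey->Data, &encKey->Length);

    /* bk.KeyData holds the plaintext session key; hand it back to the CSP
     * that produced it whether or not the encryption succeeded. */
    if (SecKeyGetCSPHandle(bulkkey, &bkCsp) == 0) {
        CSSM_FreeKey(bkCsp, NULL /* credentials */, &bk, FALSE);
    }
    return rv;
```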
@@ -509,6 +511,10 @@ done: if (poolp != NULL) PORT_FreeArena (poolp, PR_FALSE); + if (smime_keysize_by_cipher(chosen_cipher) < 128) { + /* you're going to use strong(er) crypto whether you like it or not */ + chosen_cipher = SMIME_DES_EDE3_168; + } return chosen_cipher; } diff --git a/OSX/libsecurity_smime/lib/tsaSupport.c b/OSX/libsecurity_smime/lib/tsaSupport.c index 46c3eee3..df2be402 100644 --- a/OSX/libsecurity_smime/lib/tsaSupport.c +++ b/OSX/libsecurity_smime/lib/tsaSupport.c @@ -48,6 +48,7 @@ #include <security_keychain/SecCertificateP.h> #include <security_keychain/SecCertificatePrivP.h> #include <utilities/SecCFRelease.h> +#include <utilities/SecDispatchRelease.h> #include "tsaSupport.h" #include "tsaSupportPriv.h" @@ -90,16 +91,16 @@ extern OSStatus impExpImportCertCommon( fprintf(stderr, "%s " fmt, buf, ## __VA_ARGS__); \ syslog(LOG_ERR, " " fmt, ## __VA_ARGS__); \ } } while (0) - #define tsa_secdebug(scope, format...) \ + #define tsa_secinfo(scope, format...) \ { \ syslog(LOG_NOTICE, format); \ - secdebug(scope, format); \ + secinfo(scope, format); \ printf(format); \ } #else - #define tsaDebug(args...) tsa_secdebug("tsa", ## args) -#define tsa_secdebug(scope, format...) \ - secdebug(scope, format) + #define tsaDebug(args...) tsa_secinfo("tsa", ## args) +#define tsa_secinfo(scope, format...) \ + secinfo(scope, format) #endif #ifndef NDEBUG @@ -524,9 +525,9 @@ static OSStatus sendTSARequestWithXPC(const unsigned char *tsaReq, size_t tsaReq xpc_connection_send_message_with_reply(con, message, xpc_queue, ^(xpc_object_t reply) { tsaDebug("xpc_connection_send_message_with_reply handler called back\n"); - dispatch_retain(waitSemaphore); + dispatch_retain_safe(waitSemaphore); - xpc_type_t xtype = xpc_get_type(reply); + xpc_type_t xtype = xpc_get_type(reply); if (XPC_TYPE_ERROR == xtype) { tsaDebug("message error: %s\n", xpc_dictionary_get_string(reply, XPC_ERROR_KEY_DESCRIPTION)); } else if (XPC_TYPE_CONNECTION == xtype) 
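Review bot: The forced fallback to SMIME_DES_EDE3_168 runs after the recipient-capability negotiation has finished, so the cipher returned is no longer guaranteed to be one every recipient advertised, and the comment should say that this is deliberate rather than joke about it: `/* Override weak negotiated ciphers (key < 128 bits): recipients advertising only RC2/DES get 3DES regardless of their capabilities. */`. 3DES is also the weakest choice that clears the bar (112-bit effective strength, 64-bit blocks); if the cipher map has an AES-128 CBC entry, preferring it here would match the stated intent. The return value of smime_keysize_by_cipher for an unrecognised cipher is not visible; if it is negative, the `< 128` test silently maps such values to 3DES as well, which is worth stating next to the forward declaration added in the `@@ -366` hunk.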
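Review bot: Whether the NULL guards added around waitSemaphore in the reply handler (the `@@ -595` hunk) can ever fire depends on how waitSemaphore is declared, which is outside both this hunk and that one: a plain block capture copies the pointer, so the outer `dispatch_release_null(waitSemaphore)` cannot null the handler's copy and the guards are dead code, while a `__block` variable would be read by `dispatch_retain_safe` on the XPC reply queue at the same time the calling thread writes NULL to it after the timeout, with no synchronisation between them. Either way the intent — keep the semaphore alive until a late reply has been handled — is clearer if the handler's retain happens before the send rather than inside the callback, or at minimum if the declaration carries a comment such as `// __block: the reply handler may run after dispatch_semaphore_wait() has timed out`. sendTSARequestWithXPC starts and ends outside both hunks.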
@@ -595,15 +596,13 @@ static OSStatus sendTSARequestWithXPC(const unsigned char *tsaReq, size_t tsaReq } else { tsaDebug("unexpected message reply type %p\n", xtype); } - - dispatch_semaphore_signal(waitSemaphore); - dispatch_release(waitSemaphore); + if (waitSemaphore) { dispatch_semaphore_signal(waitSemaphore); } + dispatch_release_null(waitSemaphore); }); - { tsaDebug("waiting up to %d seconds for response from XPC\n", timeoutInSeconds); } - dispatch_semaphore_wait(waitSemaphore, finishTime); + if (waitSemaphore) { dispatch_semaphore_wait(waitSemaphore, finishTime); } - dispatch_release(waitSemaphore); + dispatch_release_null(waitSemaphore); xpc_release(tsaReqData); xpc_release(message); @@ -780,13 +779,22 @@ OSStatus SecCmsTSADefaultCallback(CFTypeRef context, void *messageImprintV, uint #endif } - CFStringRef url = (CFStringRef)CFDictionaryGetValue((CFDictionaryRef)context, kTSAContextKeyURL); + CFTypeRef url = CFDictionaryGetValue((CFDictionaryRef)context, kTSAContextKeyURL); if (!url) { tsaDebug("[TSA] missing URL for TSA (key: %s)\n", "kTSAContextKeyURL"); goto xit; } + CFStringRef urlStr = NULL; + if (CFURLGetTypeID() == CFGetTypeID(url)) { + urlStr = CFURLGetString(url); + } else { + require_quiet(CFStringGetTypeID() == CFGetTypeID(url), xit); + urlStr = url; + } + require_quiet(urlStr, xit); + /* If debugging, look at special values in the context to mess things up */ @@ -799,9 +807,9 @@ OSStatus SecCmsTSADefaultCallback(CFTypeRef context, void *messageImprintV, uint } // need to extract into buffer - CFIndex length = CFStringGetLength(url); // in 16-bit character units + CFIndex length = CFStringGetLength(urlStr); // in 16-bit character units tsaURL = malloc(6 * length + 1); // pessimistic - if (!CFStringGetCString(url, (char *)tsaURL, 6 * length + 1, kCFStringEncodingUTF8)) + if (!CFStringGetCString(urlStr, (char *)tsaURL, 6 * length + 1, kCFStringEncodingUTF8)) goto xit; tsaDebug("[TSA] URL for timestamp server: %s\n", tsaURL); 
diff --git a/OSX/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj b/OSX/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj index 101f10bc..0ea47bb6 100644 --- a/OSX/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj @@ -80,6 +80,8 @@ ACA9CE4A18BC4543005AD855 /* SecCMS.h in Headers */ = {isa = PBXBuildFile; fileRef = ACBEE90D18B415B60021712D /* SecCMS.h */; }; ACBEE90C18B403470021712D /* SecCMS.c in Sources */ = {isa = PBXBuildFile; fileRef = ACBEE90B18B403470021712D /* SecCMS.c */; }; ACBEE90E18B415B60021712D /* SecCMS.h in Headers */ = {isa = PBXBuildFile; fileRef = ACBEE90D18B415B60021712D /* SecCMS.h */; settings = {ATTRIBUTES = (Private, ); }; }; + D421AF641CA45E8C00A8E512 /* cms-01-basic.c in Sources */ = {isa = PBXBuildFile; fileRef = D421AF601CA45E4900A8E512 /* cms-01-basic.c */; }; + D421AF651CA45E9700A8E512 /* cms-01-basic.h in Headers */ = {isa = PBXBuildFile; fileRef = D421AF611CA45E4900A8E512 /* cms-01-basic.h */; }; F64399010420118A01CA2DCC /* cert.h in Headers */ = {isa = PBXBuildFile; fileRef = F64398FF0420118A01CA2DCC /* cert.h */; }; F64399020420118A01CA2DCC /* cert.c in Sources */ = {isa = PBXBuildFile; fileRef = F64399000420118A01CA2DCC /* cert.c */; }; /* End PBXBuildFile section */ 
@@ -177,13 +179,15 @@ 5232A821150AD71A00E6BB48 /* tsaSupportPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = tsaSupportPriv.h; sourceTree = "<group>"; }; 52B609D314F4665700134209 /* tsaTemplates.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = tsaTemplates.c; sourceTree = "<group>"; }; 52B609D414F4665700134209 /* tsaTemplates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = tsaTemplates.h; sourceTree = "<group>"; }; - 52D7A24915092A0600CF48F7 /* tsaSupport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = tsaSupport.c; sourceTree = "<group>"; }; + 52D7A24915092A0600CF48F7 /* tsaSupport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = tsaSupport.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; 52D7A24C15092AAD00CF48F7 /* tsaSupport.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = tsaSupport.h; sourceTree = "<group>"; }; AC62F5F018B4356A00704BBD /* libsecurity_smime_regressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_smime_regressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; ACBEE90B18B403470021712D /* SecCMS.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecCMS.c; sourceTree = "<group>"; }; ACBEE90D18B415B60021712D /* SecCMS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCMS.h; sourceTree = "<group>"; }; ACBEE91018B420BC0021712D /* smime-cms-test.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "smime-cms-test.c"; sourceTree = "<group>"; }; ACBEE91318B421890021712D /* smime_regressions.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = smime_regressions.h; 
sourceTree = "<group>"; }; + D421AF601CA45E4900A8E512 /* cms-01-basic.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "cms-01-basic.c"; sourceTree = "<group>"; }; + D421AF611CA45E4900A8E512 /* cms-01-basic.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "cms-01-basic.h"; sourceTree = "<group>"; }; F64398FF0420118A01CA2DCC /* cert.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cert.h; sourceTree = "<group>"; tabWidth = 8; }; F64399000420118A01CA2DCC /* cert.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = cert.c; sourceTree = "<group>"; tabWidth = 8; }; /* End PBXFileReference section */ @@ -315,6 +319,8 @@ ACBEE90F18B41FB80021712D /* regressions */ = { isa = PBXGroup; children = ( + D421AF601CA45E4900A8E512 /* cms-01-basic.c */, + D421AF611CA45E4900A8E512 /* cms-01-basic.h */, ACBEE91018B420BC0021712D /* smime-cms-test.c */, ACBEE91318B421890021712D /* smime_regressions.h */, ); @@ -362,6 +368,7 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + D421AF651CA45E9700A8E512 /* cms-01-basic.h in Headers */, ACA9CE4A18BC4543005AD855 /* SecCMS.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; @@ -411,7 +418,7 @@ 4C2741E803E9FBAF00A80181 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C23B0CD909A298C100B7FCED /* Build configuration list for PBXProject "libsecurity_smime" */; compatibilityVersion = "Xcode 3.2"; @@ -476,6 +483,7 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + D421AF641CA45E8C00A8E512 /* cms-01-basic.c in Sources */, AC62F5F418B4358B00704BBD /* smime-cms-test.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; 
@@ -582,7 +590,7 @@ COMBINE_HIDPI_IMAGES = YES; GCC_PREPROCESSOR_DEFINITIONS = ( "$(inherited)", - "SECTRUST_OSX=0", + "SECTRUST_OSX=1", ); }; name = Debug; @@ -594,7 +602,7 @@ COMBINE_HIDPI_IMAGES = YES; GCC_PREPROCESSOR_DEFINITIONS = ( "$(inherited)", - "SECTRUST_OSX=0", + "SECTRUST_OSX=1", ); }; name = Release; @@ -603,6 +611,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB3A0146F1A68000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -610,6 +633,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB3A0146F1A68000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurity_smime/regressions/cms-01-basic.c b/OSX/libsecurity_smime/regressions/cms-01-basic.c new file mode 100644 index 00000000..40f66899 --- /dev/null +++ b/OSX/libsecurity_smime/regressions/cms-01-basic.c 
@@ -0,0 +1,501 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include "cms-01-basic.h" +#include "smime_regressions.h" + +#include <AssertMacros.h> + +#include <utilities/SecCFRelease.h> + +#include <Security/SecBase.h> +#include <Security/SecImportExport.h> +#include <Security/SecKeychain.h> +#include <Security/SecIdentity.h> +#include <Security/SecPolicy.h> + +#include <Security/SecCmsMessage.h> +#include <Security/SecCmsSignedData.h> +#include <Security/SecCmsContentInfo.h> +#include <Security/SecCmsSignerInfo.h> +#include <Security/SecCmsEncoder.h> +#include <Security/SecCmsDecoder.h> +#include <Security/SecCmsEnvelopedData.h> +#include <Security/SecCmsRecipientInfo.h> + +#include <security_asn1/secerr.h> +#include <security_asn1/seccomon.h> + +#define TMP_KEYCHAIN_PATH "/tmp/cms_01_test.keychain" + +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunused-variable" +#pragma clang diagnostic ignored "-Wunused-function" + +#define kNumberSetupTests 10 +static SecKeychainRef setup_keychain(const uint8_t *p12, size_t 
p12_len, SecIdentityRef *identity, SecCertificateRef *cert) { + CFDataRef p12Data = NULL; + CFArrayRef imported_items = NULL, oldSearchList = NULL; + CFMutableArrayRef newSearchList = NULL; + SecKeychainRef keychain = NULL; + SecExternalFormat sef = kSecFormatPKCS12; + SecItemImportExportKeyParameters keyParams = { + .passphrase = CFSTR("password") + }; + + /* Create keychain and add to search list (for decryption) */ + unlink(TMP_KEYCHAIN_PATH); + ok_status(SecKeychainCopySearchList(&oldSearchList), + "Copy keychain search list"); + require(oldSearchList, out); + ok(newSearchList = CFArrayCreateMutableCopy(NULL, CFArrayGetCount(oldSearchList)+1, oldSearchList), + "Create new search list"); + ok_status(SecKeychainCreate(TMP_KEYCHAIN_PATH, 8, "password", false, NULL, &keychain), + "Create keychain for identity"); + require(keychain, out); + CFArrayAppendValue(newSearchList, keychain); + ok_status(SecKeychainSetSearchList(newSearchList), + "Set keychain search list"); + + /* Load identity and set as signer */ + ok(p12Data = CFDataCreate(NULL, p12, p12_len), + "Create p12 data"); + ok_status(SecItemImport(p12Data, NULL, &sef, NULL, 0, &keyParams, keychain, &imported_items), + "Import identity"); + is(CFArrayGetCount(imported_items),1,"Imported 1 items"); + is(CFGetTypeID(CFArrayGetValueAtIndex(imported_items, 0)), SecIdentityGetTypeID(), + "Got back an identity"); + ok(*identity = (SecIdentityRef) CFRetainSafe(CFArrayGetValueAtIndex(imported_items, 0)), + "Retrieve identity"); + ok_status(SecIdentityCopyCertificate(*identity, cert), + "Copy certificate"); + + CFReleaseNull(p12Data); + CFReleaseNull(imported_items); + +out: + return keychain; +} + +#define kNumberCleanupTests 1 +static void cleanup_keychain(SecKeychainRef keychain, SecIdentityRef identity, SecCertificateRef cert) { + /* Delete keychain - from the search list and from disk */ + ok_status(SecKeychainDelete(keychain), "Delete temporary keychain"); + CFReleaseNull(keychain); + CFReleaseNull(cert); + 
CFReleaseNull(identity); +} + +static OSStatus sign_please(SecIdentityRef identity, SECOidTag digestAlgTag, bool withAttrs, uint8_t *expected_output, size_t expected_len) { + + OSStatus status = SECFailure; + + SecCmsMessageRef cmsg = NULL; + SecCmsSignedDataRef sigd = NULL; + SecCmsContentInfoRef cinfo = NULL; + SecCmsSignerInfoRef signerInfo = NULL; + SecCmsEncoderRef encoder = NULL; + SecArenaPoolRef arena = NULL; + CSSM_DATA cms_data = { + .Data = NULL, + .Length = 0 + }; + uint8_t string_to_sign[] = "This message is signed. Ain't it pretty?"; + + /* setup the message */ + require_action_string(cmsg = SecCmsMessageCreate(NULL), out, + status = errSecAllocate, "Failed to create message"); + require_action_string(sigd = SecCmsSignedDataCreate(cmsg), out, + status = errSecAllocate, "Failed to create signed data"); + require_action_string(cinfo = SecCmsMessageGetContentInfo(cmsg), out, + status = errSecParam, "Failed to get cms content info"); + require_noerr_string(status = SecCmsContentInfoSetContentSignedData(cmsg, cinfo, sigd), out, + "Failed to set signed data into content info"); + require_action_string(cinfo = SecCmsSignedDataGetContentInfo(sigd), out, + status = errSecParam, "Failed to get content info from signed data"); + require_noerr_string(status = SecCmsContentInfoSetContentData(cmsg, cinfo, NULL, false), out, + "Failed to set signed data content info"); + require_action_string(signerInfo = SecCmsSignerInfoCreate(cmsg, identity, digestAlgTag), out, + status = errSecAllocate, "Failed to create signer info"); + require_noerr_string(status = SecCmsSignerInfoIncludeCerts(signerInfo, SecCmsCMCertOnly, + certUsageEmailSigner), out, + "Failed to put certs in signer info"); + + if(withAttrs) { + require_noerr_string(status = SecCmsSignerInfoAddSigningTime(signerInfo, 480000000.0), out, + "Couldn't add an attribute"); + } + require_noerr_string(status = SecCmsSignedDataAddSignerInfo(sigd, signerInfo), out, + "Couldn't add signer info to signed data"); + + /* 
encode now */ + require_noerr_string(status = SecArenaPoolCreate(1024, &arena), out, + "Failed to create arena"); + require_noerr_string(status = SecCmsEncoderCreate(cmsg, NULL, NULL, &cms_data, arena, NULL, NULL, + NULL, NULL, NULL, NULL, &encoder), out, + "Failed to create encoder"); + require_noerr_string(status = SecCmsEncoderUpdate(encoder, string_to_sign, sizeof(string_to_sign)), out, + "Failed to add data "); + status = SecCmsEncoderFinish(encoder); + encoder = NULL; // SecCmsEncoderFinish always frees the encoder but doesn't NULL it. + require_noerr_quiet(status, out); + + /* verify the output matches expected results */ + if (expected_output) { + require_action_string(expected_len == cms_data.Length, out, + status = -1, "Output size differs from expected"); + require_noerr_action_string(memcmp(expected_output, cms_data.Data, expected_len), out, + status = -1, "Output differs from expected"); + } + +out: + if (encoder) { + SecCmsEncoderDestroy(encoder); + } + if (arena) { + SecArenaPoolFree(arena, false); + } + if (cmsg) { + SecCmsMessageDestroy(cmsg); + } + return status; + +} + +static OSStatus verify_please(SecKeychainRef keychain, uint8_t *data_to_verify, size_t length) { + OSStatus status = SECFailure; + SecCmsDecoderRef decoder = NULL; + SecCmsMessageRef cmsg = NULL; + SecCmsContentInfoRef cinfo = NULL; + SecCmsSignedDataRef sigd = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + + if (!data_to_verify) { + return errSecSuccess; // reasons... 
+ } + + require_noerr_string(status = SecCmsDecoderCreate(NULL, NULL, NULL, NULL, NULL, + NULL, NULL, &decoder), out, + "Failed to create decoder"); + require_noerr_string(status = SecCmsDecoderUpdate(decoder, data_to_verify, length), out, + "Failed to add data "); + status = SecCmsDecoderFinish(decoder, &cmsg); + decoder = NULL; // SecCmsDecoderFinish always frees the decoder + require_noerr_quiet(status, out); + + require_action_string(cinfo = SecCmsMessageContentLevel(cmsg, 0), out, + status = errSecDecode, "Failed to get content info"); + require_action_string(SEC_OID_PKCS7_SIGNED_DATA == SecCmsContentInfoGetContentTypeTag(cinfo), out, + status = errSecDecode, "Content type was pkcs7 signed data"); + require_action_string(sigd = (SecCmsSignedDataRef)SecCmsContentInfoGetContent(cinfo), out, + status = errSecDecode, "Failed to get signed data"); + require_action_string(policy = SecPolicyCreateBasicX509(), out, + status = errSecAllocate, "Failed to create basic policy"); + status = SecCmsSignedDataVerifySignerInfo(sigd, 0, keychain, policy, &trust); + +out: + if (decoder) { + SecCmsDecoderDestroy(decoder); + } + if (cmsg) { + SecCmsMessageDestroy(cmsg); + } + CFReleaseNull(policy); + CFReleaseNull(trust); + return status; +} + +static uint8_t *invalidate_signature(uint8_t *cms_data, size_t length) { + if (!cms_data || !length || (length < 10)) { + return NULL; + } + uint8_t *invalid_cms = NULL; + + invalid_cms = malloc(length); + if (invalid_cms) { + memcpy(invalid_cms, cms_data, length); + /* This modifies the signature part of the test cms binaries */ + invalid_cms[length - 10] = 0x00; + } + + return invalid_cms; +} + +static OSStatus invalidate_and_verify(SecKeychainRef kc, uint8_t *cms_data, size_t length) { + OSStatus status = SECFailure; + uint8_t *invalid_cms_data = NULL; + + if (!cms_data) { + return SECFailure; // reasons... 
+ } + + require_action_string(invalid_cms_data = invalidate_signature(cms_data, length), out, + status = errSecAllocate, "Unable to allocate buffer for invalid cms data"); + status = verify_please(kc, invalid_cms_data, length); + +out: + if (invalid_cms_data) { + free(invalid_cms_data); + } + return status; +} + +/* forward declaration */ +static OSStatus decrypt_please(uint8_t *data_to_decrypt, size_t length); + +static OSStatus encrypt_please(SecCertificateRef recipient, SECOidTag encAlg, int keysize) { + OSStatus status = SECFailure; + SecCmsMessageRef cmsg = NULL; + SecCmsEnvelopedDataRef envd = NULL; + SecCmsContentInfoRef cinfo = NULL; + SecCmsRecipientInfoRef rinfo = NULL; + SecArenaPoolRef arena = NULL; + SecCmsEncoderRef encoder = NULL; + CSSM_DATA cms_data = { + .Data = NULL, + .Length = 0 + }; + const uint8_t data_to_encrypt[] = "This data is encrypted. Is cool, no?"; + + /* set up the message */ + require_action_string(cmsg = SecCmsMessageCreate(NULL), out, + status = errSecAllocate, "Failed to create message"); + require_action_string(envd = SecCmsEnvelopedDataCreate(cmsg, encAlg, keysize), out, + status = errSecAllocate, "Failed to create enveloped data"); + require_action_string(cinfo = SecCmsMessageGetContentInfo(cmsg), out, + status = errSecParam, "Failed to get content info from cms message"); + require_noerr_string(status = SecCmsContentInfoSetContentEnvelopedData(cmsg, cinfo, envd), out, + "Failed to set enveloped data in cms message"); + require_action_string(cinfo = SecCmsEnvelopedDataGetContentInfo(envd), out, + status = errSecParam, "Failed to get content info from enveloped data"); + require_noerr_string(status = SecCmsContentInfoSetContentData(cmsg, cinfo, NULL, false), out, + "Failed to set data type in envelope"); + require_action_string(rinfo = SecCmsRecipientInfoCreate(cmsg, recipient), out, + status = errSecAllocate, "Failed to create recipient info"); + require_noerr_string(status = SecCmsEnvelopedDataAddRecipient(envd, rinfo), out, 
+ "Failed to add recipient info to envelope"); + + /* encode the message */ + require_noerr_string(status = SecArenaPoolCreate(1024, &arena), out, + "Failed to create arena"); + require_noerr_string(status = SecCmsEncoderCreate(cmsg, NULL, NULL, &cms_data, arena, NULL, NULL, + NULL, NULL, NULL, NULL, &encoder), out, + "Failed to create encoder"); + require_noerr_string(status = SecCmsEncoderUpdate(encoder, data_to_encrypt, sizeof(data_to_encrypt)), out, + "Failed to update encoder with data"); + status = SecCmsEncoderFinish(encoder); + encoder = NULL; // SecCmsEncoderFinish always frees the encoder but doesn't NULL it. + require_noerr_quiet(status, out); + + require_noerr_string(status = decrypt_please(cms_data.Data, cms_data.Length), out, + "Failed to decrypt the data we just encrypted"); + +out: + if (encoder) { + SecCmsEncoderDestroy(encoder); + } + if (arena) { + SecArenaPoolFree(arena, false); + } + if (cmsg) { + SecCmsMessageDestroy(cmsg); + } + return status; +} + +static OSStatus decrypt_please(uint8_t *data_to_decrypt, size_t length) { + OSStatus status = SECFailure; + SecCmsDecoderRef decoder = NULL; + SecCmsMessageRef cmsg = NULL; + CSSM_DATA_PTR content = NULL; + const uint8_t encrypted_string[] = "This data is encrypted. 
Is cool, no?"; + + require_noerr_string(status = SecCmsDecoderCreate(NULL, NULL, NULL, NULL, NULL, + NULL, NULL, &decoder), out, + "Failed to create decoder"); + require_noerr_string(status = SecCmsDecoderUpdate(decoder, data_to_decrypt, length), out, + "Failed to add data "); + status = SecCmsDecoderFinish(decoder, &cmsg); + decoder = NULL; // SecCmsDecoderFinish always frees the decoder + require_noerr_quiet(status, out); + require_action_string(content = SecCmsMessageGetContent(cmsg), out, + status = errSecDecode, "Unable to get message contents"); + + /* verify the output matches expected results */ + require_action_string(sizeof(encrypted_string) == content->Length, out, + status = -1, "Output size differs from expected"); + require_noerr_action_string(memcmp(encrypted_string, content->Data, content->Length), out, + status = -1, "Output differs from expected"); + +out: + if (cmsg) { + SecCmsMessageDestroy(cmsg); + } + return status; +} + +/* Signing with attributes goes through a different code path than signing without, + * so we need to test both. */ +#define kNumberSignTests 10 +static void sign_tests(SecIdentityRef identity, bool isRSA) { + + /* no attributes */ + is(sign_please(identity, SEC_OID_MD5, false, NULL, 0), + SEC_ERROR_INVALID_ALGORITHM, "Signed with MD5. Not cool."); + is(sign_please(identity, SEC_OID_SHA1, false, (isRSA) ? rsa_sha1 : NULL, + (isRSA) ? sizeof(rsa_sha1) : 0), + errSecSuccess, "Signed with SHA-1"); + is(sign_please(identity, SEC_OID_SHA256, false, (isRSA) ? rsa_sha256 : NULL, + (isRSA) ? sizeof(rsa_sha256) : 0), + errSecSuccess, "Signed with SHA-256"); + is(sign_please(identity, SEC_OID_SHA384, false, NULL, 0), errSecSuccess, "Signed with SHA-384"); + is(sign_please(identity, SEC_OID_SHA512, false, NULL, 0), errSecSuccess, "Signed with SHA-512"); + + /* with attributes */ + is(sign_please(identity, SEC_OID_MD5, true, NULL, 0), + SEC_ERROR_INVALID_ALGORITHM, "Signed with MD5 and attributes. 
Not cool."); + is(sign_please(identity, SEC_OID_SHA1, true, (isRSA) ? rsa_sha1_attr : NULL, + (isRSA) ? sizeof(rsa_sha1_attr) : 0), + errSecSuccess, "Signed with SHA-1 and attributes"); + is(sign_please(identity, SEC_OID_SHA256, true, (isRSA) ? rsa_sha256_attr : NULL, + (isRSA) ? sizeof(rsa_sha256_attr) : 0), + errSecSuccess, "Signed with SHA-256 and attributes"); + is(sign_please(identity, SEC_OID_SHA384, true, NULL, 0), + errSecSuccess, "Signed with SHA-384 and attributes"); + is(sign_please(identity, SEC_OID_SHA512, true, NULL, 0), + errSecSuccess, "Signed with SHA-512 and attributes"); +} + +/* Verifying with attributes goes through a different code path than verifying without, + * so we need to test both. */ +#define kNumberVerifyTests 12 +static void verify_tests(SecKeychainRef kc, bool isRsa) { + /* no attributes */ + is(verify_please(kc, (isRsa) ? rsa_md5 : ec_md5, + (isRsa) ? sizeof(rsa_md5) : sizeof(ec_md5)), + (isRsa) ? errSecSuccess : SECFailure, + "Verify MD5, no attributes"); + is(verify_please(kc, (isRsa) ? rsa_sha1 : ec_sha1, + (isRsa) ? sizeof(rsa_sha1) : sizeof(ec_sha1)), + errSecSuccess, "Verify SHA1, no attributes"); + is(verify_please(kc, (isRsa) ? rsa_sha256 : ec_sha256, + (isRsa) ? sizeof(rsa_sha256) : sizeof(ec_sha256)), + errSecSuccess, "Verify SHA256, no attributes"); + + /* with attributes */ + is(verify_please(kc, (isRsa) ? rsa_md5_attr : NULL, + (isRsa) ? sizeof(rsa_md5_attr) : 0), + errSecSuccess, "Verify MD5, with attributes"); + is(verify_please(kc, (isRsa) ? rsa_sha1_attr : ec_sha1_attr, + (isRsa) ? sizeof(rsa_sha1_attr) : sizeof(ec_sha1_attr)), + errSecSuccess, "Verify SHA1, with attributes"); + is(verify_please(kc, (isRsa) ? rsa_sha256_attr : ec_sha256_attr, + (isRsa) ? sizeof(rsa_sha256_attr) : sizeof(ec_sha256_attr)), + errSecSuccess, "Verify SHA256, with attributes"); + + /***** Once more, with validation errors *****/ + + /* no attributes */ + is(invalidate_and_verify(kc, (isRsa) ? rsa_md5 : ec_md5, + (isRsa) ? 
sizeof(rsa_md5) : sizeof(ec_md5)), + SECFailure, "Verify invalid MD5, no attributes"); + is(invalidate_and_verify(kc, (isRsa) ? rsa_sha1 : ec_sha1, + (isRsa) ? sizeof(rsa_sha1) : sizeof(ec_sha1)), + SECFailure, "Verify invalid SHA1, no attributes"); + is(invalidate_and_verify(kc, (isRsa) ? rsa_sha256 : ec_sha256, + (isRsa) ? sizeof(rsa_sha256) : sizeof(ec_sha256)), + SECFailure, "Verify invalid SHA256, no attributes"); + + /* with attributes */ + is(invalidate_and_verify(kc, (isRsa) ? rsa_md5_attr : NULL, + (isRsa) ? sizeof(rsa_md5_attr) : 0), + SECFailure, "Verify invalid MD5, with attributes"); + is(invalidate_and_verify(kc, (isRsa) ? rsa_sha1_attr : ec_sha1_attr, + (isRsa) ? sizeof(rsa_sha1_attr) : sizeof(ec_sha1_attr)), + SECFailure, "Verify invalid SHA1, with attributes"); + is(invalidate_and_verify(kc, (isRsa) ? rsa_sha256_attr : ec_sha256_attr, + (isRsa) ? sizeof(rsa_sha256_attr) : sizeof(ec_sha256_attr)), + SECFailure, "Verify invalid SHA256, with attributes"); +} + +#define kNumberEncryptTests 5 +static void encrypt_tests(SecCertificateRef certificate) { + is(encrypt_please(certificate, SEC_OID_DES_EDE3_CBC, 192), + errSecSuccess, "Encrypt with 3DES"); + is(encrypt_please(certificate, SEC_OID_RC2_CBC, 128), + errSecSuccess, "Encrypt with 128-bit RC2"); + is(encrypt_please(certificate, SEC_OID_AES_128_CBC, 128), + errSecSuccess, "Encrypt with 128-bit AES"); + is(encrypt_please(certificate, SEC_OID_AES_192_CBC, 192), + errSecSuccess, "Encrypt with 192-bit AES"); + is(encrypt_please(certificate, SEC_OID_AES_256_CBC, 256), + errSecSuccess, "Encrypt with 256-bit AES"); +} + +#define kNumberDecryptTests 5 +static void decrypt_tests(bool isRsa) { + is(decrypt_please((isRsa) ? rsa_3DES : ec_3DES, + (isRsa) ? sizeof(rsa_3DES) : sizeof(ec_3DES)), + errSecSuccess, "Decrypt 3DES"); + is(decrypt_please((isRsa) ? rsa_RC2 : ec_RC2, + (isRsa) ? sizeof(rsa_RC2) : sizeof(ec_RC2)), + errSecSuccess, "Decrypt 128-bit RC2"); + is(decrypt_please((isRsa) ? 
rsa_AES_128 : ec_AES_128, + (isRsa) ? sizeof(rsa_AES_128) : sizeof(ec_AES_128)), + errSecSuccess, "Decrypt 128-bit AES"); + is(decrypt_please((isRsa) ? rsa_AES_192 : ec_AES_192, + (isRsa) ? sizeof(rsa_AES_192) : sizeof(ec_AES_192)), + errSecSuccess, "Decrypt 192-bit AES"); + is(decrypt_please((isRsa) ? rsa_AES_256 : ec_AES_256, + (isRsa) ? sizeof(rsa_AES_256) : sizeof(ec_AES_256)), + errSecSuccess, "Decrypt 256-bit AES"); +} + +int cms_01_basic(int argc, char *const *argv) +{ + plan_tests(2*(kNumberSetupTests + kNumberSignTests + kNumberVerifyTests + + kNumberEncryptTests + kNumberDecryptTests + kNumberCleanupTests)); + + SecKeychainRef kc = NULL; + SecIdentityRef identity = NULL; + SecCertificateRef certificate = NULL; + + /* RSA tests */ + kc = setup_keychain(_rsa_identity, sizeof(_rsa_identity), &identity, &certificate); + sign_tests(identity, true); + verify_tests(kc, true); + encrypt_tests(certificate); + decrypt_tests(true); + cleanup_keychain(kc, identity, certificate); + + /* EC tests */ + kc = setup_keychain(_ec_identity, sizeof(_ec_identity), &identity, &certificate); + sign_tests(identity, false); + verify_tests(kc, false); + encrypt_tests(certificate); + decrypt_tests(false); + cleanup_keychain(kc, identity, certificate); + + return 0; +} \ No newline at end of file diff --git a/OSX/libsecurity_smime/regressions/cms-01-basic.h b/OSX/libsecurity_smime/regressions/cms-01-basic.h new file mode 100644 index 00000000..dc46feeb --- /dev/null +++ b/OSX/libsecurity_smime/regressions/cms-01-basic.h 
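Review bot: setup_keychain never releases oldSearchList or newSearchList; both are obtained with a +1 reference (SecKeychainCopySearchList, CFArrayCreateMutableCopy) and neither the success path nor the `out:` path releases them, so each of the two setup calls in cms_01_basic leaks two arrays. Adding `CFReleaseNull(oldSearchList);` and `CFReleaseNull(newSearchList);` after the `out:` label (both are NULL-safe) closes that. Separately, verify_please returns errSecSuccess when data_to_verify is NULL ("reasons..."), which makes the EC "Verify MD5, with attributes" case in verify_tests pass without verifying anything; reporting that case as skipped, or asserting a distinct status for NULL input, would keep the test count honest. The test also unlinks and recreates a fixed path under /tmp (TMP_KEYCHAIN_PATH); a per-run directory created with mkdtemp would avoid a pre-existing file or symlink at that path from another user influencing the run.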
@@ -0,0 +1,1341 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#ifndef cms_01_test_h +#define cms_01_test_h + +/* + * MARK: Identities + */ +unsigned char _rsa_identity[] = { + 0x30, 0x82, 0x0a, 0x83, 0x02, 0x01, 0x03, 0x30, 0x82, 0x0a, 0x4a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 0x01, 0xa0, 0x82, 0x0a, 0x3b, 0x04, 0x82, 0x0a, 0x37, 0x30, 0x82, 0x0a, 0x33, 0x30, 0x82, 0x04, 0xbf, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06, 0xa0, 0x82, 0x04, 0xb0, 0x30, 0x82, 0x04, 0xac, 0x02, 0x01, 0x00, + 0x30, 0x82, 0x04, 0xa5, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x0a, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06, 0x30, 0x0e, 0x04, 0x08, 0xef, 0x13, 0x69, 0xa2, 0xe0, 0xb7, 0x4d, + 0xf3, 0x02, 0x02, 0x08, 0x00, 0x80, 0x82, 0x04, 0x78, 0x24, 0x38, 0x74, 0x0e, 0x93, 0x67, 0x0b, 0xc4, 0x24, 0x58, 0x1c, + 0x1c, 0x63, 0x3a, 0xcb, 0xfb, 0x88, 0x8b, 0x95, 0xe8, 0x8b, 0x40, 0x33, 0xa1, 0x10, 0x72, 0xd6, 0x3b, 0x36, 0x52, 0xef, + 0xe8, 0xec, 0x27, 
0xf1, 0xe2, 0xb6, 0x3d, 0x7a, 0x67, 0x28, 0x59, 0xf2, 0xa9, 0x9f, 0xf2, 0x33, 0x21, 0x26, 0xe6, 0x2f, + 0xbc, 0xeb, 0x39, 0xa2, 0x8a, 0x8d, 0xa0, 0xd8, 0x6e, 0xfc, 0xf9, 0x80, 0x63, 0x02, 0x68, 0x6c, 0x97, 0x43, 0x56, 0x8b, + 0xab, 0x1e, 0xac, 0xea, 0x6d, 0x9a, 0xdd, 0xdf, 0x67, 0x4d, 0xfb, 0xf0, 0x0b, 0x58, 0x9e, 0xc0, 0x2b, 0x06, 0x8b, 0xca, + 0x01, 0xcd, 0xcc, 0x79, 0xb6, 0xb1, 0xa1, 0x22, 0x00, 0x22, 0x46, 0x9f, 0x20, 0x7d, 0xd4, 0x3e, 0x1a, 0x16, 0x73, 0xfa, + 0x61, 0xaa, 0xaa, 0xc9, 0x9e, 0xc1, 0x66, 0x17, 0x74, 0xc8, 0x96, 0xc8, 0xab, 0x0d, 0xb3, 0x41, 0x11, 0xe6, 0x1b, 0x3d, + 0x1f, 0xad, 0x02, 0x0d, 0x7d, 0x68, 0xbc, 0x80, 0xeb, 0xaf, 0x1e, 0x77, 0x9e, 0xc8, 0x8c, 0xc2, 0xce, 0x15, 0x4a, 0xba, + 0xa3, 0xba, 0x11, 0x82, 0xcc, 0xc4, 0x8e, 0x47, 0xa4, 0x2d, 0x95, 0x00, 0x46, 0xcb, 0x45, 0x19, 0x8d, 0x8f, 0xa7, 0x47, + 0x4b, 0xb6, 0xd6, 0x0f, 0x33, 0x5a, 0xf6, 0xba, 0x2d, 0x6a, 0xde, 0x19, 0x22, 0x4e, 0x48, 0xf4, 0x98, 0x54, 0x6e, 0xed, + 0xd6, 0xf4, 0xd8, 0xaf, 0x63, 0x83, 0x72, 0x01, 0x43, 0x0d, 0x33, 0x06, 0x30, 0x15, 0x3f, 0x0b, 0xc8, 0x4f, 0x8f, 0x8f, + 0x04, 0x6c, 0x1c, 0x92, 0xf3, 0xb3, 0x4e, 0xb0, 0xaa, 0x19, 0x27, 0x84, 0xfc, 0xb5, 0xde, 0xed, 0xb0, 0xea, 0x42, 0xc0, + 0xb0, 0x25, 0xfc, 0x25, 0x59, 0xf5, 0x8a, 0xfc, 0x35, 0x8c, 0xe3, 0x47, 0xab, 0x9f, 0xd7, 0x52, 0xac, 0x57, 0x5d, 0x0f, + 0xc8, 0x28, 0x19, 0xf7, 0x11, 0xe5, 0x34, 0xfb, 0x80, 0x32, 0xa1, 0x63, 0xa8, 0x79, 0xcf, 0xc2, 0xbd, 0xe3, 0x9e, 0x7e, + 0xf1, 0x62, 0xa4, 0x38, 0x3a, 0x6a, 0xf2, 0xd5, 0xdb, 0xe2, 0x01, 0x4e, 0x58, 0x1c, 0xb1, 0x8c, 0xf4, 0x71, 0x9c, 0x1b, + 0xdf, 0x32, 0xa8, 0xab, 0xa0, 0xd9, 0xe3, 0x10, 0x9e, 0xe8, 0x70, 0x7f, 0x1d, 0x8d, 0x2b, 0xe4, 0x70, 0x21, 0x01, 0x88, + 0x26, 0x1a, 0x53, 0xcd, 0x62, 0xf2, 0x18, 0xa1, 0xe5, 0xfa, 0xbb, 0x59, 0x77, 0x46, 0xac, 0xda, 0xbe, 0x38, 0xe9, 0x69, + 0x48, 0x24, 0x86, 0x82, 0x8a, 0x21, 0xce, 0xbc, 0xe1, 0xef, 0xfc, 0x35, 0xd2, 0x17, 0x8e, 0x34, 0xf2, 0x52, 0x8a, 0x74, + 0x5d, 0x0e, 0xff, 0xf4, 0x79, 0x7b, 0x97, 0x43, 0xc2, 0xc7, 0x50, 
0x70, 0x14, 0x9d, 0xc2, 0xb4, 0x42, 0xb2, 0xc2, 0xdb, + 0x5c, 0x99, 0xf1, 0x6f, 0xe2, 0x4f, 0xc0, 0xd3, 0xc3, 0x4a, 0xe0, 0xdf, 0xfc, 0x0a, 0xd3, 0xfb, 0x4d, 0x5f, 0x5f, 0xbe, + 0x68, 0x88, 0x36, 0xd8, 0x29, 0x83, 0xa6, 0x44, 0xb7, 0x13, 0x60, 0x3e, 0xb2, 0xc0, 0xce, 0xb9, 0x0a, 0xb3, 0xd3, 0xd7, + 0x6b, 0xa0, 0xae, 0x2c, 0x54, 0x96, 0xa6, 0x57, 0x54, 0x52, 0xe2, 0xe5, 0xd9, 0x11, 0xff, 0x94, 0xd7, 0x06, 0x87, 0x67, + 0x80, 0xb5, 0x44, 0xea, 0x9b, 0xfd, 0x77, 0x28, 0x57, 0x72, 0xd3, 0x6d, 0x8b, 0x0a, 0xbc, 0x94, 0xa6, 0xd6, 0x23, 0xfa, + 0xf3, 0x58, 0x18, 0x28, 0x6d, 0x81, 0x56, 0x05, 0x0a, 0x9c, 0x34, 0xf7, 0xb1, 0x64, 0xa4, 0xe1, 0x0b, 0x50, 0x39, 0x4b, + 0xfb, 0x51, 0xa1, 0x29, 0x19, 0x61, 0x6c, 0x72, 0xc9, 0xf6, 0xd3, 0xa0, 0x98, 0x66, 0x4b, 0x14, 0xd5, 0x26, 0x41, 0xd1, + 0x03, 0x47, 0x02, 0xde, 0x9c, 0x5f, 0x72, 0x9c, 0xbb, 0x68, 0x47, 0x23, 0xfb, 0xd7, 0xfc, 0x85, 0xa7, 0x01, 0xd8, 0x48, + 0x94, 0xc3, 0xf1, 0x67, 0xd9, 0xa0, 0xce, 0x1b, 0x66, 0x80, 0x70, 0x52, 0x99, 0x9c, 0x82, 0x27, 0xec, 0x65, 0x0a, 0x72, + 0x3e, 0xf8, 0xd1, 0x70, 0xd3, 0xce, 0x3d, 0x52, 0x1f, 0xbb, 0x18, 0x1f, 0x10, 0x49, 0x4c, 0x42, 0x67, 0x0c, 0xa3, 0xaa, + 0x58, 0xdb, 0x56, 0xcf, 0x39, 0x68, 0x43, 0x8e, 0xc9, 0x8d, 0xaa, 0xeb, 0x94, 0x4a, 0x1f, 0x96, 0x98, 0xa2, 0xd1, 0xcf, + 0x1f, 0xc5, 0xe0, 0xcf, 0x5f, 0x29, 0xf6, 0xe5, 0x80, 0x89, 0xb9, 0xb1, 0x4c, 0x2e, 0x6e, 0xbb, 0xeb, 0x43, 0xdf, 0xff, + 0x24, 0x42, 0xc9, 0x08, 0x98, 0x42, 0x55, 0xcb, 0x4c, 0x9e, 0xae, 0x02, 0x57, 0x81, 0x10, 0xb4, 0x2b, 0xc4, 0xfc, 0xd8, + 0xd2, 0x6c, 0x5c, 0x47, 0xe9, 0xc3, 0x49, 0x8b, 0x1f, 0x8e, 0xbe, 0x78, 0x08, 0x06, 0xe2, 0xab, 0xa7, 0x5c, 0x22, 0xa1, + 0x5a, 0xb2, 0x38, 0x8a, 0xc4, 0xd7, 0x73, 0x28, 0xe2, 0x87, 0x80, 0xac, 0x1c, 0x73, 0xdf, 0x06, 0xa0, 0xfe, 0x59, 0x30, + 0xd4, 0x9f, 0x58, 0x93, 0xc1, 0xbd, 0x54, 0xdb, 0xbc, 0xb1, 0x19, 0x6a, 0x57, 0x25, 0x73, 0xab, 0xd0, 0xcf, 0x26, 0x9c, + 0x1c, 0x6b, 0xe6, 0x89, 0x16, 0x9b, 0x34, 0x63, 0xfe, 0x95, 0x47, 0x5e, 0x3b, 0x78, 0x29, 0xda, 0x1f, 0x6f, 0xb0, 
0x7a, + 0x5c, 0x07, 0xa8, 0x8f, 0x83, 0xc6, 0x69, 0x18, 0x12, 0x39, 0x7a, 0xb3, 0x61, 0xe4, 0x86, 0x76, 0xbf, 0xe1, 0x99, 0xc7, + 0xc7, 0x4c, 0x9f, 0x95, 0xc5, 0xe7, 0x88, 0x97, 0xcf, 0xd7, 0xf5, 0x20, 0xbf, 0x97, 0x6c, 0xec, 0x04, 0xb5, 0x3d, 0x07, + 0xc8, 0x0e, 0xe9, 0x51, 0xe2, 0x93, 0x35, 0x57, 0xdf, 0xe9, 0xfd, 0x5f, 0x83, 0x95, 0x75, 0xb1, 0xa5, 0xbe, 0xdc, 0xc1, + 0xa0, 0x60, 0x93, 0x38, 0xae, 0xa6, 0x20, 0xf0, 0xb5, 0x32, 0x58, 0xb2, 0x04, 0x59, 0x24, 0x5f, 0x5b, 0xd7, 0x4b, 0x45, + 0x9b, 0x37, 0x39, 0x95, 0xd9, 0x85, 0x2a, 0xdc, 0xe9, 0xd8, 0x09, 0xc4, 0x99, 0x41, 0x28, 0xb1, 0x97, 0x48, 0x62, 0xd0, + 0xc5, 0xb2, 0x75, 0x64, 0x47, 0x02, 0xec, 0x72, 0x40, 0xd1, 0x2c, 0x07, 0x0e, 0x91, 0x3e, 0x70, 0x17, 0x75, 0xb0, 0x9f, + 0x81, 0xcd, 0x1a, 0x03, 0xb6, 0x64, 0xd0, 0xe2, 0x62, 0x3a, 0x92, 0x7c, 0xc1, 0x0d, 0x4a, 0xfa, 0x55, 0xf8, 0xa2, 0xb7, + 0xf7, 0xa5, 0xaf, 0xb6, 0xd6, 0xce, 0xe9, 0x9f, 0x06, 0x15, 0x41, 0x4e, 0x50, 0x43, 0x98, 0x4c, 0xe3, 0x20, 0x83, 0x37, + 0xaf, 0x93, 0x6a, 0xe6, 0xc0, 0x4b, 0x93, 0x06, 0x0c, 0x2f, 0xc7, 0x10, 0x4d, 0x2e, 0x55, 0x3f, 0xd8, 0xdf, 0xab, 0x74, + 0x4e, 0xcc, 0x09, 0x42, 0xa3, 0x18, 0x7a, 0x55, 0x84, 0xa7, 0xba, 0x74, 0xe5, 0x29, 0xcb, 0x37, 0x19, 0xe3, 0xd8, 0x02, + 0xcc, 0xf4, 0x18, 0x3e, 0x58, 0x52, 0x41, 0xde, 0xba, 0x12, 0x5c, 0x89, 0xb4, 0x28, 0x04, 0x33, 0x8d, 0xe5, 0x1a, 0x30, + 0x97, 0x05, 0x3f, 0x19, 0xaf, 0xef, 0x07, 0x3a, 0xe2, 0xa5, 0x71, 0xfb, 0xb5, 0x87, 0x00, 0x3d, 0x53, 0x6b, 0x4c, 0x3d, + 0x4d, 0xc8, 0x4c, 0x94, 0xd5, 0xa5, 0x14, 0x29, 0x53, 0x80, 0x99, 0x70, 0xcf, 0x11, 0x8b, 0xb0, 0x19, 0x38, 0x0d, 0x04, + 0x4f, 0x47, 0xc7, 0x4c, 0x20, 0x8f, 0x06, 0xf0, 0x49, 0xc2, 0x4a, 0xc8, 0xe6, 0x95, 0x27, 0x6c, 0xd4, 0xbb, 0x2e, 0x8c, + 0x1b, 0xd6, 0x83, 0xa6, 0x26, 0x1d, 0x69, 0x8a, 0xf5, 0x7d, 0x34, 0x4c, 0xeb, 0xf4, 0x66, 0x70, 0x4d, 0x41, 0xa5, 0xce, + 0x1e, 0xbc, 0xa0, 0xc5, 0xed, 0x48, 0x1a, 0xcb, 0xf7, 0xae, 0x66, 0x5d, 0x12, 0x83, 0xa2, 0xf3, 0x4b, 0x8b, 0xa6, 0x88, + 0x90, 0x4f, 0x70, 0x3b, 0xbd, 0x9a, 
0x8a, 0x82, 0x33, 0x40, 0x32, 0x15, 0x0b, 0x3b, 0x3d, 0xac, 0x83, 0xd9, 0xde, 0x0a, + 0x94, 0x13, 0x53, 0x17, 0xba, 0xdb, 0x73, 0x4f, 0xf2, 0xec, 0x56, 0xce, 0x32, 0xd6, 0x9a, 0xf7, 0xda, 0x35, 0x00, 0x46, + 0x0f, 0x74, 0xa5, 0x71, 0x4b, 0x4f, 0x0d, 0x8a, 0xa2, 0xd3, 0xbb, 0x2c, 0xb5, 0xe9, 0x75, 0x08, 0x94, 0xfc, 0xcb, 0xdf, + 0x05, 0x48, 0x32, 0x56, 0x57, 0x39, 0xfb, 0xfa, 0xe5, 0xbd, 0x85, 0x3f, 0xb2, 0xd4, 0x9e, 0xf3, 0xd6, 0x71, 0xf3, 0x33, + 0x60, 0x46, 0x32, 0xbc, 0x52, 0x6d, 0xfd, 0x9e, 0x71, 0xdb, 0x6d, 0x27, 0xe4, 0xc3, 0x9e, 0x99, 0x07, 0x3c, 0x49, 0x91, + 0xce, 0x01, 0x7f, 0x47, 0x26, 0x35, 0xd0, 0x21, 0x3c, 0x97, 0x81, 0x1e, 0x22, 0x4e, 0xb6, 0x79, 0x9c, 0x61, 0x51, 0xaf, + 0x3c, 0x27, 0x03, 0x6b, 0xb1, 0x4c, 0xe0, 0x21, 0x87, 0x4e, 0x03, 0xf1, 0xf5, 0x30, 0x82, 0x05, 0x6c, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x05, 0x5d, 0x04, 0x82, 0x05, 0x59, 0x30, 0x82, 0x05, 0x55, + 0x30, 0x82, 0x05, 0x51, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x82, 0x04, + 0xee, 0x30, 0x82, 0x04, 0xea, 0x30, 0x1c, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, + 0x0e, 0x04, 0x08, 0xe9, 0xa1, 0x13, 0x54, 0xfb, 0x10, 0xe0, 0x7d, 0x02, 0x02, 0x08, 0x00, 0x04, 0x82, 0x04, 0xc8, 0x69, + 0x8d, 0x27, 0x9a, 0xd6, 0x8e, 0xa9, 0xe1, 0x3f, 0xd4, 0x8c, 0xb8, 0x48, 0xbb, 0x4e, 0xb6, 0x7f, 0xc6, 0x01, 0x54, 0x23, + 0x72, 0x8b, 0x5f, 0x1d, 0x1a, 0x0c, 0x4a, 0xbd, 0x89, 0x76, 0x00, 0x98, 0x9c, 0xbd, 0xbc, 0x54, 0x16, 0x5f, 0x86, 0xea, + 0x73, 0x74, 0x27, 0x1b, 0x63, 0x69, 0xdb, 0xed, 0xd4, 0x79, 0xd6, 0xef, 0x33, 0x50, 0x4a, 0x36, 0x57, 0x5c, 0xca, 0xa6, + 0x17, 0xc4, 0x12, 0x84, 0x42, 0xf7, 0x1b, 0x7c, 0xd8, 0x5e, 0x6e, 0x7e, 0x86, 0x21, 0x6c, 0xeb, 0xe9, 0xb9, 0xf4, 0x77, + 0xe3, 0xf4, 0x3d, 0x50, 0x09, 0x86, 0x24, 0xca, 0x98, 0x3d, 0x88, 0x28, 0xc6, 0x5a, 0xfe, 0x52, 0x86, 0x14, 0xe1, 0x36, + 0x46, 0x6f, 0xa9, 0x55, 0xf9, 0x8b, 0xfb, 0x49, 0xa1, 0xe5, 0x52, 0xc6, 0x19, 0x25, 
0x7e, 0x96, 0x26, 0xaf, 0xf3, 0x84, + 0x44, 0x3b, 0x8a, 0xe5, 0x0a, 0xf6, 0x86, 0xcd, 0x20, 0xf4, 0x4f, 0x78, 0xfc, 0x04, 0x15, 0xf3, 0x47, 0x80, 0x5e, 0x1b, + 0x25, 0x9a, 0x85, 0xf0, 0xc3, 0x1c, 0xd3, 0x45, 0xb5, 0xe2, 0x6c, 0xd8, 0xd0, 0x50, 0x50, 0xa0, 0xc2, 0x55, 0xc1, 0xab, + 0x4b, 0x07, 0xa2, 0xec, 0x00, 0xe7, 0x80, 0xe8, 0xc9, 0x1a, 0xb8, 0xab, 0xe1, 0x0c, 0x9e, 0x3b, 0x7e, 0xf7, 0x64, 0xae, + 0x03, 0x92, 0x40, 0x72, 0x24, 0x94, 0x0c, 0x27, 0xe6, 0x88, 0x44, 0x84, 0x29, 0x8d, 0xe1, 0x18, 0xab, 0xf5, 0xef, 0xaf, + 0xdb, 0x70, 0xf7, 0x81, 0xf6, 0x9f, 0x97, 0x8c, 0xb0, 0x70, 0xf5, 0xb3, 0x8c, 0x0e, 0xda, 0xd0, 0xb0, 0x75, 0x93, 0x39, + 0x9c, 0x5d, 0xe4, 0x42, 0xfa, 0x37, 0x24, 0x3f, 0x57, 0xba, 0x0b, 0xc6, 0x3f, 0x92, 0x5c, 0x93, 0x80, 0x7e, 0xe3, 0x3f, + 0x7a, 0xc8, 0x40, 0x9c, 0xe8, 0xf7, 0x3a, 0x66, 0xe6, 0x75, 0x0e, 0x7d, 0x20, 0x7b, 0xf5, 0xa1, 0x6f, 0x8b, 0x8b, 0xb8, + 0x56, 0xf8, 0x96, 0xb4, 0xab, 0xf9, 0xcc, 0x4f, 0x8a, 0x92, 0x64, 0x1e, 0x90, 0xe0, 0xee, 0x08, 0xc9, 0xf9, 0x71, 0x73, + 0x9b, 0x25, 0x4c, 0x6c, 0xef, 0x61, 0x31, 0x24, 0x98, 0x69, 0x3f, 0xdb, 0x10, 0x24, 0xdc, 0xfd, 0x2a, 0x54, 0xbf, 0xa5, + 0x76, 0xfc, 0xab, 0xe1, 0xf2, 0x72, 0x87, 0x74, 0xb1, 0x9d, 0x98, 0xcf, 0xe8, 0x3c, 0xf4, 0x03, 0x3f, 0x6b, 0x69, 0xa5, + 0x79, 0x4a, 0xb8, 0xbf, 0x5d, 0xb7, 0x89, 0xcc, 0x44, 0xc7, 0x7e, 0x11, 0x8e, 0x46, 0xb2, 0x47, 0x80, 0xbe, 0xc5, 0xfc, + 0x64, 0x35, 0x1d, 0x6b, 0x77, 0xe6, 0x01, 0x51, 0xbc, 0x6e, 0xab, 0xf5, 0x2b, 0x35, 0x65, 0x41, 0x44, 0x54, 0x60, 0x82, + 0xbe, 0x09, 0x53, 0x5e, 0xa0, 0x4f, 0xf7, 0xe6, 0x8b, 0xed, 0x33, 0xd4, 0x8a, 0xf8, 0x61, 0x87, 0x13, 0x2e, 0xdb, 0x4b, + 0x5a, 0x9d, 0xee, 0xd5, 0x2d, 0x58, 0xa7, 0xb4, 0x0b, 0xf4, 0x3b, 0xf8, 0x2f, 0xbf, 0xe7, 0x47, 0xde, 0xc0, 0x33, 0x0c, + 0xab, 0x44, 0xd7, 0x6e, 0x71, 0x49, 0xd4, 0x4f, 0x9b, 0x1b, 0xf2, 0xac, 0xa2, 0x35, 0x77, 0x6e, 0x71, 0xa9, 0xc3, 0xfc, + 0xa3, 0x66, 0x19, 0x58, 0x3d, 0xbc, 0x41, 0xfa, 0x8f, 0x15, 0x36, 0xb4, 0x04, 0x2e, 0x21, 0x7d, 0x6a, 0x25, 0xcd, 0xca, + 0x82, 
0x11, 0x05, 0x64, 0x07, 0x94, 0x45, 0xf3, 0x9b, 0xbc, 0x95, 0xa7, 0x3e, 0x0a, 0x78, 0xad, 0x28, 0x62, 0x13, 0xff, + 0x38, 0x10, 0x03, 0x1a, 0x9f, 0xed, 0xc5, 0x78, 0xa2, 0xd3, 0xb0, 0x3c, 0x8f, 0x4f, 0xf6, 0x93, 0x7b, 0xf2, 0xdc, 0xe5, + 0xe3, 0xe2, 0x56, 0x26, 0x74, 0xb1, 0xef, 0x26, 0xc5, 0x66, 0x55, 0xb2, 0x03, 0xba, 0x58, 0x87, 0x4e, 0x7d, 0x32, 0xa5, + 0x78, 0x82, 0x6c, 0x49, 0x5c, 0xc7, 0xee, 0x32, 0x4a, 0x15, 0x82, 0x9e, 0xee, 0xb0, 0xc6, 0xf4, 0xf3, 0x23, 0x84, 0x09, + 0x76, 0xb3, 0xa4, 0x7f, 0xe9, 0x7a, 0xd3, 0x75, 0xc9, 0x18, 0x5e, 0xb1, 0x56, 0x38, 0x25, 0x6e, 0xcd, 0x7d, 0x97, 0x57, + 0xbd, 0x5f, 0xf1, 0x14, 0xbc, 0x37, 0xf1, 0x42, 0x23, 0x1b, 0xaf, 0x67, 0x55, 0x77, 0xff, 0x5f, 0xe2, 0x0a, 0x05, 0x09, + 0x23, 0xfd, 0x75, 0xcd, 0xde, 0x6a, 0x36, 0x06, 0x89, 0x69, 0x3d, 0x3c, 0x80, 0x26, 0x71, 0xce, 0x74, 0xdf, 0xff, 0x42, + 0x1e, 0xcc, 0x49, 0x60, 0x43, 0x98, 0x50, 0x7d, 0x4d, 0xbd, 0x1c, 0x6f, 0x89, 0xe6, 0xba, 0x82, 0x8c, 0x64, 0x57, 0x24, + 0x10, 0x7d, 0xb1, 0x1a, 0x17, 0x48, 0x55, 0xdd, 0x1b, 0xc8, 0xfb, 0xd6, 0x8b, 0xe5, 0x1e, 0x62, 0xdc, 0x7d, 0xfe, 0x5c, + 0x3e, 0x9b, 0xcd, 0x20, 0x6f, 0xa0, 0xae, 0x85, 0x39, 0xcd, 0xf4, 0xae, 0x66, 0x7d, 0x54, 0xe3, 0x16, 0x87, 0x13, 0x28, + 0xd2, 0x8c, 0x67, 0x20, 0xbb, 0x9e, 0x76, 0x3a, 0x3b, 0x89, 0xf2, 0xd2, 0xe3, 0xd0, 0xbe, 0xb8, 0x03, 0xfa, 0x11, 0x88, + 0x5e, 0x47, 0x0b, 0xba, 0xfa, 0x69, 0x73, 0x14, 0x30, 0xb3, 0xcb, 0x77, 0x4f, 0x24, 0x57, 0xcb, 0xd4, 0x1b, 0x62, 0x60, + 0xdf, 0xcb, 0xf8, 0x5d, 0x3c, 0xa4, 0xd9, 0xb5, 0xa4, 0xaa, 0x44, 0x0a, 0x9e, 0x99, 0x03, 0xab, 0xdd, 0xbc, 0xe3, 0x32, + 0xd7, 0x24, 0x19, 0x59, 0x8f, 0x28, 0x55, 0x1b, 0x53, 0x29, 0xb5, 0xbc, 0xbd, 0x8b, 0x20, 0x25, 0xf0, 0x49, 0xee, 0x3f, + 0xaf, 0x74, 0xad, 0x9a, 0x10, 0x2a, 0x04, 0xab, 0x5a, 0x40, 0xf3, 0x2f, 0x37, 0x57, 0xe7, 0xdb, 0x6b, 0x8e, 0x19, 0xab, + 0x29, 0x78, 0x37, 0x04, 0xdb, 0xe5, 0x7b, 0x5a, 0x80, 0x74, 0xae, 0x50, 0xef, 0x25, 0xf3, 0xb5, 0xf2, 0xc8, 0x4b, 0xf6, + 0x67, 0x91, 0xd5, 0x95, 0xe1, 0x96, 0x65, 0xf3, 0xe3, 
0x92, 0xb6, 0xd8, 0x6d, 0xf6, 0xf0, 0x2a, 0x6d, 0x5f, 0xfd, 0x16, + 0x11, 0x43, 0x22, 0x7b, 0xa3, 0x5c, 0x05, 0xdc, 0x68, 0x21, 0x50, 0x54, 0xe0, 0x37, 0x41, 0x9e, 0x20, 0x4d, 0x72, 0xfb, + 0xee, 0x91, 0x9d, 0x72, 0xa9, 0xc6, 0x7d, 0x77, 0x30, 0xe2, 0x1e, 0xec, 0xad, 0x1e, 0x5c, 0xe3, 0x0a, 0xb7, 0x32, 0xcf, + 0x90, 0x12, 0x14, 0xcf, 0x19, 0xdf, 0xf8, 0x76, 0x93, 0x27, 0x4a, 0xeb, 0x44, 0x85, 0xc7, 0xfd, 0x60, 0x72, 0xa3, 0x60, + 0x78, 0x4d, 0x0c, 0xec, 0xfa, 0xee, 0x57, 0xf6, 0xe2, 0x0f, 0x2b, 0xcf, 0x83, 0x5d, 0xae, 0xe5, 0x77, 0x59, 0xc9, 0x57, + 0xa9, 0x9e, 0x07, 0x08, 0xf5, 0x06, 0x27, 0x82, 0x92, 0x3e, 0x62, 0xbf, 0xdb, 0xa3, 0x94, 0xc1, 0xee, 0xf6, 0x59, 0xe5, + 0xaf, 0x67, 0x78, 0x51, 0x0d, 0x76, 0xaa, 0x0e, 0x96, 0xf3, 0xe3, 0x22, 0x7a, 0x51, 0x01, 0xcb, 0x11, 0x60, 0x0e, 0x02, + 0x9a, 0x32, 0xcf, 0xb2, 0x75, 0x69, 0x53, 0x89, 0x1c, 0x7a, 0x27, 0x93, 0xd0, 0x80, 0x82, 0xf1, 0x5e, 0x64, 0xe0, 0xc4, + 0xc6, 0x34, 0x59, 0x4d, 0xe2, 0xb7, 0xf0, 0x1c, 0xf6, 0x2a, 0xdb, 0x25, 0xf7, 0x10, 0xe0, 0x25, 0x56, 0x25, 0x74, 0xa2, + 0xbe, 0xec, 0x1e, 0x46, 0xe9, 0x42, 0x0a, 0x5f, 0x46, 0xf3, 0xa8, 0xd6, 0x6e, 0x59, 0x77, 0x11, 0xde, 0x60, 0x17, 0x5d, + 0xce, 0xa5, 0x94, 0x4b, 0x93, 0x6f, 0x01, 0xe6, 0xcb, 0x3f, 0xfb, 0x58, 0x10, 0xea, 0xae, 0xd6, 0x37, 0xa9, 0xd1, 0x12, + 0x98, 0xc7, 0x86, 0xd4, 0xc1, 0x03, 0x33, 0x8d, 0x41, 0xc2, 0x38, 0x2c, 0xc4, 0x4b, 0x22, 0xc5, 0xb6, 0x48, 0x38, 0x29, + 0xe8, 0xe7, 0x5d, 0x22, 0x5f, 0x74, 0x1a, 0xdb, 0x51, 0xda, 0x1d, 0x41, 0xcb, 0x89, 0xc8, 0xd4, 0x44, 0x58, 0x72, 0x3b, + 0x84, 0x39, 0xd3, 0x6f, 0x66, 0x40, 0xbb, 0xe0, 0xe6, 0xfd, 0x6f, 0xcf, 0x6b, 0xcb, 0x9e, 0x02, 0x7d, 0xf2, 0xe0, 0x9e, + 0x65, 0xa9, 0xb7, 0xea, 0x57, 0x8a, 0xbc, 0x99, 0xc0, 0xfc, 0x3e, 0x74, 0xe1, 0x2a, 0x48, 0x96, 0xc0, 0xd3, 0x85, 0x76, + 0xf4, 0x63, 0x3e, 0x2e, 0x24, 0xdd, 0x4c, 0x50, 0x4e, 0x6e, 0x5c, 0x0d, 0x45, 0x6d, 0x55, 0x77, 0x28, 0x37, 0x62, 0x85, + 0x85, 0x9d, 0xf4, 0x2f, 0x09, 0xad, 0x6a, 0xc4, 0x0d, 0xa1, 0x8b, 0x63, 0x49, 0xc9, 0x2f, 0x05, 0x28, 
0x80, 0x4c, 0xc3, + 0x30, 0xf3, 0x4f, 0xa8, 0xea, 0xf7, 0xcc, 0xe7, 0xe6, 0x95, 0xb1, 0x35, 0x63, 0x3e, 0xfd, 0xd2, 0x8e, 0xf6, 0x59, 0xaf, + 0x8a, 0xbc, 0x57, 0x89, 0x8b, 0x3d, 0x61, 0x60, 0x59, 0x44, 0xc6, 0xc1, 0x37, 0x34, 0x5c, 0x22, 0x32, 0x9f, 0x82, 0xde, + 0x22, 0x70, 0x9b, 0x94, 0x3c, 0x39, 0x3a, 0xa4, 0x7f, 0xc2, 0x28, 0x21, 0x2b, 0xbe, 0xf2, 0xe2, 0xfa, 0x28, 0xc2, 0xaa, + 0x9f, 0xb8, 0x77, 0x8e, 0x0a, 0x76, 0xf9, 0xe0, 0x9d, 0x62, 0x56, 0x78, 0xf4, 0xa4, 0x1c, 0x8c, 0xd0, 0x34, 0x37, 0x5d, + 0x24, 0x65, 0x91, 0x42, 0xaf, 0x90, 0xda, 0xb8, 0xee, 0x6e, 0x84, 0xd6, 0x47, 0x4f, 0x72, 0xf1, 0xcc, 0x38, 0x3c, 0x5f, + 0x88, 0xf1, 0xef, 0xfb, 0xae, 0xcb, 0xc3, 0xca, 0x1d, 0xd0, 0x0a, 0xf6, 0xc4, 0x7e, 0x7d, 0xc3, 0x2d, 0xf9, 0xb5, 0x51, + 0xe6, 0x18, 0xb4, 0x31, 0x50, 0x30, 0x29, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, 0x1c, + 0x1e, 0x1a, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x53, 0x00, 0x20, 0x00, 0x52, 0x00, 0x53, 0x00, 0x41, 0x00, 0x20, 0x00, 0x74, + 0x00, 0x65, 0x00, 0x73, 0x00, 0x74, 0x00, 0x00, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, + 0x15, 0x31, 0x16, 0x04, 0x14, 0x32, 0xee, 0x79, 0x16, 0x2f, 0x60, 0x4a, 0xad, 0x6c, 0xf7, 0xcd, 0x55, 0x45, 0x5b, 0x1a, + 0x44, 0x40, 0x97, 0x4d, 0x10, 0x30, 0x30, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, + 0x04, 0x14, 0xe0, 0x6f, 0xbb, 0xf2, 0x68, 0xc1, 0x65, 0xf7, 0xe4, 0x60, 0xe3, 0x17, 0xce, 0x09, 0xfb, 0xe9, 0x35, 0x92, + 0x95, 0x91, 0x04, 0x08, 0xb7, 0x0b, 0x82, 0x9e, 0xd4, 0x9f, 0x8e, 0xfd, 0x02, 0x01, 0x01 +}; + +unsigned char _ec_identity[] = { + 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x03, 0x30, 0x82, 0x04, 0x85, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 0x01, 0xa0, 0x82, 0x04, 0x76, 0x04, 0x82, 0x04, 0x72, 0x30, 0x82, 0x04, 0x6e, 0x30, 0x82, 0x03, 0x2f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06, 0xa0, 0x82, 0x03, 0x20, 0x30, 0x82, 0x03, 0x1c, 0x02, 0x01, 0x00, + 0x30, 0x82, 0x03, 
0x15, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x0a, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06, 0x30, 0x0e, 0x04, 0x08, 0x82, 0x45, 0xec, 0x50, 0xa0, 0x4e, 0xec, + 0x6d, 0x02, 0x02, 0x08, 0x00, 0x80, 0x82, 0x02, 0xe8, 0x88, 0xd8, 0xd8, 0xc0, 0x6a, 0x39, 0x55, 0x4a, 0x65, 0x53, 0x7a, + 0x44, 0x9d, 0x95, 0x87, 0x84, 0x46, 0xc5, 0xa8, 0x94, 0xd3, 0xd4, 0x8f, 0xfe, 0x69, 0x13, 0x0e, 0xb0, 0x55, 0x4b, 0x88, + 0x7a, 0x37, 0x5d, 0x17, 0x97, 0x03, 0x47, 0x65, 0x83, 0x41, 0x2b, 0xbc, 0xbc, 0x22, 0x3e, 0xe9, 0x62, 0xbe, 0x51, 0x72, + 0x39, 0x7d, 0xfd, 0x96, 0x40, 0x85, 0x6b, 0x28, 0xee, 0xf6, 0x0c, 0x87, 0xeb, 0xd6, 0x19, 0x42, 0xfa, 0xcf, 0x30, 0x74, + 0xba, 0xca, 0x87, 0xf3, 0x0f, 0x83, 0x28, 0xc5, 0xbf, 0xbe, 0x29, 0x4b, 0x5d, 0x70, 0xcc, 0x9d, 0x26, 0x88, 0xe2, 0x84, + 0xbf, 0x11, 0x3e, 0x42, 0x23, 0x78, 0x46, 0x4f, 0x8b, 0xf3, 0xaf, 0xc7, 0x33, 0x6e, 0x4b, 0x83, 0x85, 0x44, 0xe3, 0x03, + 0xd1, 0xb5, 0x98, 0xad, 0x36, 0x5b, 0x37, 0xf0, 0x15, 0x12, 0xfb, 0x17, 0xa7, 0x92, 0xf9, 0x90, 0x5e, 0x8e, 0x12, 0xea, + 0x02, 0xbd, 0x9b, 0x9c, 0x9e, 0x29, 0x4d, 0x80, 0x13, 0x94, 0xcf, 0xf5, 0xc4, 0x12, 0x54, 0x87, 0x50, 0x90, 0x2b, 0xc7, + 0x43, 0x58, 0x2a, 0x85, 0xf3, 0x36, 0xb7, 0x88, 0xfb, 0x63, 0xe6, 0x58, 0xac, 0xd5, 0x22, 0xdc, 0x1c, 0x43, 0x2a, 0x0d, + 0x28, 0xb7, 0x14, 0x93, 0x2a, 0x5d, 0x41, 0x6d, 0xcb, 0xc8, 0xcb, 0xed, 0x17, 0x81, 0xd9, 0x73, 0x1b, 0xe1, 0x26, 0x69, + 0x5a, 0x52, 0x7f, 0x60, 0x08, 0x52, 0x85, 0x08, 0xe5, 0x3b, 0x66, 0x70, 0x0d, 0x84, 0x29, 0x34, 0xb4, 0xf4, 0x62, 0x41, + 0xca, 0xc2, 0xf8, 0x4b, 0xcd, 0x29, 0xcd, 0xb7, 0xc8, 0x7c, 0x3c, 0x8b, 0x28, 0x3e, 0x5d, 0xa8, 0x23, 0xab, 0xe6, 0x73, + 0x9e, 0x83, 0xc8, 0x81, 0xd0, 0x51, 0x16, 0xd0, 0xaf, 0x1d, 0xc8, 0x86, 0xb8, 0x9f, 0x08, 0x26, 0x20, 0x97, 0x69, 0xdf, + 0x30, 0x34, 0xd6, 0x00, 0xcd, 0x40, 0x7f, 0xe4, 0x97, 0x0c, 0x3b, 0x48, 0xa4, 0x81, 0x18, 0xca, 0x63, 0x09, 0xf8, 0xf0, + 0x4e, 0x95, 0x67, 0x65, 0x0a, 0xb5, 0xd6, 0xc7, 0xf7, 0xdf, 0x8d, 
0x08, 0xb3, 0x10, 0x8f, 0xd2, 0x0f, 0xa9, 0x58, 0x20, + 0x75, 0x9e, 0xbb, 0x28, 0x70, 0x38, 0x45, 0x74, 0xc4, 0x8c, 0xa4, 0x31, 0x09, 0x2c, 0x17, 0x8a, 0xea, 0xcb, 0xff, 0x5d, + 0x3a, 0xd6, 0x13, 0x40, 0xd4, 0x51, 0x85, 0x9b, 0x7f, 0xe4, 0x0f, 0xc1, 0xf9, 0x51, 0xae, 0x26, 0x0f, 0x58, 0x31, 0x55, + 0x1f, 0x87, 0x08, 0x0d, 0x96, 0x4b, 0x1f, 0xf4, 0xa4, 0x3b, 0xa2, 0x31, 0x24, 0x93, 0x1d, 0xbf, 0xa8, 0xc7, 0x19, 0x77, + 0xef, 0xc4, 0xf5, 0xf5, 0x94, 0xbc, 0x24, 0xfa, 0xf5, 0x18, 0xb3, 0xe6, 0x33, 0x5c, 0x3d, 0xed, 0x30, 0xac, 0x4b, 0x8b, + 0x13, 0x5f, 0x8e, 0x0f, 0xb5, 0xd1, 0x25, 0x19, 0x06, 0x09, 0x4f, 0x35, 0xb9, 0x74, 0x00, 0x1c, 0x51, 0xc6, 0xd9, 0xdf, + 0x68, 0xbd, 0x3f, 0x83, 0x02, 0xc1, 0xf9, 0xfc, 0x9e, 0x6c, 0xce, 0xf5, 0x18, 0xd1, 0xe6, 0x07, 0x0d, 0x5d, 0x44, 0x68, + 0xc3, 0xe3, 0x4a, 0x22, 0x17, 0x56, 0xff, 0xe1, 0xa6, 0x19, 0x92, 0x8e, 0x82, 0x39, 0x07, 0xd7, 0xf1, 0xfc, 0x21, 0x54, + 0x3c, 0x39, 0x01, 0x76, 0x09, 0xe6, 0xf8, 0xd9, 0x1d, 0x28, 0x1e, 0xa6, 0x54, 0xc4, 0xe8, 0x49, 0x20, 0x7b, 0x01, 0x58, + 0xa9, 0x78, 0x1e, 0x49, 0x35, 0x84, 0x16, 0x04, 0x74, 0x73, 0x5f, 0xa6, 0xc9, 0xe0, 0xb5, 0x59, 0x70, 0x13, 0x9c, 0x52, + 0x11, 0x59, 0x76, 0x9f, 0x29, 0x68, 0x47, 0x78, 0xb3, 0x11, 0xdc, 0xcc, 0xb2, 0xd8, 0xa9, 0x8f, 0x4f, 0xa9, 0xa5, 0xa5, + 0x6c, 0x6d, 0x89, 0xa2, 0x53, 0x40, 0xed, 0x74, 0xf4, 0x78, 0xb4, 0x7c, 0xc1, 0x79, 0x41, 0x38, 0xe7, 0xea, 0xb3, 0x21, + 0xfd, 0x9c, 0x43, 0x98, 0x13, 0x05, 0x6b, 0x35, 0x77, 0xd9, 0x49, 0xa6, 0x3e, 0x89, 0x9b, 0x97, 0x03, 0x40, 0x91, 0xaa, + 0x9f, 0x10, 0xf7, 0xd7, 0x99, 0xc2, 0xa0, 0x58, 0x74, 0xae, 0x77, 0x5f, 0xba, 0x72, 0x1d, 0xbb, 0xd5, 0x93, 0x0c, 0x52, + 0x85, 0xe2, 0x79, 0x06, 0x43, 0x0e, 0xb7, 0x98, 0xd6, 0x5b, 0xa8, 0x67, 0x1b, 0xe2, 0x33, 0xd7, 0x05, 0xb7, 0x30, 0x30, + 0x2a, 0xb7, 0x9d, 0xcb, 0x68, 0xc8, 0x9a, 0xc7, 0xa2, 0x4e, 0x6c, 0x92, 0x5e, 0x93, 0x45, 0x6a, 0x40, 0x4a, 0xb9, 0xcf, + 0x54, 0x93, 0xf8, 0x29, 0xdd, 0x50, 0x34, 0x22, 0xec, 0xfe, 0xc5, 0xa5, 0x17, 0x8b, 0x2a, 0x9c, 0x10, 0xd5, 0x8f, 
0x61, + 0x65, 0x8d, 0x02, 0x8c, 0x0a, 0x59, 0x85, 0x23, 0x24, 0x87, 0xab, 0x14, 0xa4, 0x5e, 0x7a, 0xfc, 0xab, 0x09, 0x52, 0x1a, + 0x8f, 0xd4, 0x43, 0x88, 0xbe, 0xc3, 0x40, 0xfe, 0xde, 0xad, 0x58, 0x79, 0x22, 0xb8, 0xe0, 0xdf, 0xfc, 0xf6, 0x41, 0xe0, + 0xc4, 0x5f, 0x9b, 0xca, 0xfb, 0x3a, 0x82, 0xc5, 0xbf, 0x87, 0x68, 0x62, 0x7e, 0x77, 0xb3, 0xf1, 0xcf, 0x4e, 0x99, 0x75, + 0x73, 0xf0, 0x14, 0x62, 0x92, 0x82, 0xb0, 0x6b, 0x61, 0xb5, 0xb4, 0x0c, 0x3b, 0x2c, 0xe4, 0x72, 0x3e, 0xd9, 0xce, 0xab, + 0xce, 0x3b, 0x43, 0x1f, 0xe0, 0xa9, 0xc3, 0x51, 0xf4, 0x65, 0xae, 0xcc, 0x41, 0x5e, 0xc6, 0xdc, 0x75, 0x70, 0xb9, 0xd9, + 0x4b, 0x91, 0xfb, 0x8a, 0x07, 0xf8, 0x8a, 0xe5, 0x9e, 0x7e, 0x7b, 0x6f, 0x0b, 0x44, 0x68, 0x85, 0xa2, 0x0e, 0xa6, 0xaa, + 0x3e, 0x02, 0x79, 0xaa, 0x80, 0x13, 0x0e, 0x7c, 0x63, 0xb7, 0x37, 0x6c, 0x2a, 0x30, 0x82, 0x01, 0x37, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x01, 0x28, 0x04, 0x82, 0x01, 0x24, 0x30, 0x82, 0x01, 0x20, + 0x30, 0x82, 0x01, 0x1c, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x81, 0xbc, + 0x30, 0x81, 0xb9, 0x30, 0x1c, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, 0x0e, 0x04, + 0x08, 0xfc, 0x17, 0x87, 0x42, 0xb4, 0x69, 0xe7, 0x51, 0x02, 0x02, 0x08, 0x00, 0x04, 0x81, 0x98, 0xf6, 0xe7, 0x7c, 0x12, + 0x5f, 0x2a, 0x64, 0xc2, 0x3e, 0xa5, 0xd5, 0xe8, 0xd5, 0xc3, 0x5b, 0x8b, 0xbb, 0xbe, 0x7d, 0xd3, 0xc3, 0xfe, 0xed, 0x56, + 0xb4, 0x0f, 0x8a, 0xa3, 0x9e, 0x76, 0xb4, 0x6c, 0xec, 0x39, 0x23, 0xce, 0xa6, 0x4d, 0x4a, 0x9a, 0x9a, 0x50, 0x4f, 0x51, + 0xbd, 0x40, 0x95, 0x5a, 0x1c, 0x7d, 0x78, 0xd2, 0xc1, 0x2c, 0xeb, 0x03, 0x39, 0x9c, 0xa6, 0x96, 0x3f, 0xff, 0x1f, 0x6d, + 0x25, 0xf1, 0x6b, 0x17, 0xb6, 0x46, 0xbb, 0x8d, 0xc5, 0xd8, 0x52, 0x4a, 0x81, 0x14, 0xc8, 0xfd, 0x37, 0x9a, 0x89, 0x28, + 0x21, 0x61, 0xa1, 0x5e, 0xc1, 0x2e, 0x60, 0x82, 0xc0, 0x84, 0x37, 0x9f, 0xa8, 0xa5, 0x60, 0xba, 0x5e, 0x0b, 0x68, 0x0e, + 0x7e, 0x12, 0xa1, 0x83, 0x45, 0x16, 
0x32, 0x0b, 0x01, 0xc6, 0x91, 0x4b, 0xcd, 0x47, 0x5a, 0xe5, 0x34, 0x57, 0x43, 0x6f, + 0xd5, 0x5e, 0x76, 0x99, 0xe3, 0x9e, 0xc3, 0xa7, 0xf5, 0xb3, 0x7b, 0x49, 0x2d, 0x74, 0x17, 0x70, 0xaf, 0x24, 0xc9, 0x0e, + 0xcc, 0x23, 0xe6, 0x80, 0xfc, 0x2e, 0x0b, 0xa7, 0x31, 0x4e, 0x30, 0x27, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x14, 0x31, 0x1a, 0x1e, 0x18, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x53, 0x00, 0x20, 0x00, 0x45, 0x00, 0x43, 0x00, + 0x20, 0x00, 0x54, 0x00, 0x65, 0x00, 0x73, 0x00, 0x74, 0x00, 0x00, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x15, 0x31, 0x16, 0x04, 0x14, 0x23, 0xa4, 0x22, 0x91, 0xad, 0x83, 0x47, 0x86, 0xf2, 0x1f, 0x18, 0x0d, + 0x62, 0x70, 0x5c, 0x45, 0x40, 0x00, 0x30, 0xc6, 0x30, 0x30, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, + 0x1a, 0x05, 0x00, 0x04, 0x14, 0xf6, 0xff, 0x21, 0x16, 0x00, 0x67, 0x5b, 0xc1, 0x78, 0xcc, 0x05, 0x18, 0x77, 0x60, 0x45, + 0xa4, 0xd9, 0x79, 0xcf, 0xea, 0x04, 0x08, 0x3d, 0x07, 0x4e, 0x1e, 0xcb, 0x39, 0xda, 0x8a, 0x02, 0x01, 0x01 +}; + +/* + * MARK: RSA-signed messages (no attributes) + */ +unsigned char rsa_md5[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, + 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xa0, 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, + 0x30, 
0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, + 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, + 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, + 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, + 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, + 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, 0x32, + 0x39, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, + 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, + 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, + 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 
0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, + 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, + 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, + 0x02, 0x82, 0x01, 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, 0xf4, + 0x24, 0x8d, 0x25, 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, 0xb0, + 0x72, 0xe9, 0xa9, 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, 0xf7, + 0x7d, 0x59, 0xe9, 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, 0xcf, + 0xf7, 0x21, 0x88, 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, 0x54, + 0x59, 0x4d, 0xce, 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, 0x00, + 0x6f, 0x6e, 0xf8, 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, 0xba, + 0xcc, 0x29, 0xbe, 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, 0xb1, + 0xc3, 0x68, 0xd5, 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, 0xad, + 0x41, 0xfb, 0x61, 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, 0x86, + 0x8a, 0x1e, 0x3b, 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, 0x6a, + 0x1b, 0xea, 0x1a, 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, 0x0b, + 0x70, 0x90, 0x60, 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 
0xe9, 0xa2, 0x52, + 0x8f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, 0xd5, + 0x6e, 0x8b, 0x04, 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, 0x09, + 0xa7, 0x6c, 0x2d, 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, 0xbf, + 0x57, 0x6f, 0xd8, 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, 0xa4, + 0xca, 0xde, 0x3f, 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, 0x94, + 0x0e, 0xb9, 0x70, 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, 0x60, + 0xe5, 0x91, 0xec, 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, 0x61, + 0x51, 0x57, 0x73, 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, 0x77, + 0x35, 0xe9, 0x3e, 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, 0xaf, + 0x06, 0x44, 0x1e, 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, 0x63, + 0x7a, 0x32, 0xda, 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, 0x63, + 0xf3, 0x5c, 0x45, 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, 0xa1, + 0xd0, 0x30, 0x29, 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, 0xca, + 0x3f, 0xb5, 0x54, 0x31, 0x82, 0x01, 0xdb, 0x30, 0x82, 0x01, 0xd7, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, + 0x31, 0x1a, 0x30, 0x18, 
0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, + 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x44, 0x4f, 0x1c, 0x4f, 0x73, 0x46, 0xb4, 0x67, 0x86, 0x53, 0x6e, 0x09, 0x4a, 0x18, + 0x89, 0x82, 0xb0, 0x9d, 0xf5, 0xa9, 0x81, 0x21, 0x97, 0x2d, 0x1c, 0x61, 0x4a, 0xa0, 0x9a, 0xa1, 0x6d, 0xb0, 0xb2, 0xbe, + 0xc8, 0x27, 0x4a, 0x0e, 0xbd, 0x52, 0xf2, 0x56, 0x8a, 0xb6, 0x41, 0x45, 0xfc, 0xf6, 0x09, 0xb7, 0x83, 0x89, 0x87, 0xc6, + 0x5c, 0xfb, 0xe0, 0x22, 0x75, 0x9b, 0xa2, 0x24, 0x65, 0xd0, 0x51, 0xe0, 0xc6, 0x00, 0xad, 0x39, 0x50, 0x84, 0x31, 0x5c, + 0x63, 0x54, 0x8c, 0x3c, 0xa3, 0x69, 0x7f, 0xb2, 0x2c, 0x60, 0xa1, 0x5d, 0x6a, 0xac, 0xb2, 0x02, 0x26, 0x5b, 0x82, 0x61, + 0x2e, 0xb0, 0x32, 0xf7, 0x4e, 0xa3, 0x31, 0x00, 0xa7, 0x29, 0x4b, 0xdc, 0x30, 0x7f, 0x33, 0x14, 0x5a, 0xf1, 0x58, 0x5e, + 0x90, 0x77, 0xf3, 0x9c, 0x68, 0xbe, 0xe9, 0x4c, 0xf6, 0x33, 0x64, 0xdf, 
0x3f, 0xf4, 0xb9, 0x6b, 0xd5, 0x54, 0xb8, 0x4a, + 0x8f, 0xbb, 0xce, 0xde, 0x4a, 0x58, 0x9e, 0xad, 0x67, 0x99, 0xbe, 0xe7, 0x0a, 0x54, 0x2b, 0x19, 0x0c, 0x45, 0x45, 0x41, + 0x9e, 0x56, 0x07, 0x45, 0x95, 0x56, 0x92, 0xa8, 0xd6, 0x8f, 0xab, 0xb0, 0x9b, 0x39, 0xcb, 0x5a, 0x0d, 0x29, 0x2d, 0x8b, + 0x53, 0xf4, 0x85, 0xb1, 0xec, 0x6f, 0x95, 0xd2, 0x6e, 0xd5, 0x36, 0x65, 0xd4, 0x30, 0x4d, 0x26, 0x37, 0x8b, 0x06, 0x39, + 0xf5, 0xe6, 0xde, 0x8c, 0xf0, 0x84, 0x69, 0x96, 0xd7, 0xb9, 0x22, 0x24, 0xf5, 0x74, 0x69, 0x4e, 0x2b, 0xea, 0x9d, 0x5a, + 0xd7, 0xfc, 0xea, 0x7d, 0x8f, 0xd7, 0x34, 0x7f, 0x4f, 0x8a, 0x5c, 0xb6, 0x73, 0x9a, 0x8f, 0xa0, 0x74, 0x5e, 0xca, 0xdc, + 0xc9, 0x78, 0x85, 0x46, 0xb8, 0x79, 0x29, 0x10, 0xa5, 0x6c, 0x1e, 0x4e, 0xac, 0xba, 0x8e, 0xa2, 0x2d, 0xf8, 0x40, 0x2d, + 0xde, 0xf7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_sha1[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, 0x69, 0x6e, 0x27, + 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, + 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x74, 0x3f, + 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0xa7, + 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 
0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, + 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x30, + 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, + 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, + 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, 0xf4, 0x24, 0x8d, 0x25, + 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, 0xb0, 0x72, 0xe9, 0xa9, + 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, 0xf7, 0x7d, 0x59, 0xe9, + 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, 0xcf, 0xf7, 0x21, 0x88, + 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, 0x54, 0x59, 0x4d, 0xce, + 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, 0x00, 0x6f, 0x6e, 0xf8, + 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, 0xba, 0xcc, 0x29, 0xbe, + 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, 0xb1, 0xc3, 0x68, 0xd5, + 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, 0xad, 0x41, 0xfb, 0x61, + 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, 0x86, 0x8a, 0x1e, 0x3b, + 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, 0x6a, 0x1b, 0xea, 0x1a, + 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, 0x0b, 0x70, 0x90, 0x60, + 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, 0x52, 0x8f, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, + 
0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, 0xd5, 0x6e, 0x8b, 0x04, + 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, 0x09, 0xa7, 0x6c, 0x2d, + 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, 0xbf, 0x57, 0x6f, 0xd8, + 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, 0xa4, 0xca, 0xde, 0x3f, + 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, 0x94, 0x0e, 0xb9, 0x70, + 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, 0x60, 0xe5, 0x91, 0xec, + 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, 0x61, 0x51, 0x57, 0x73, + 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, 0x77, 0x35, 0xe9, 0x3e, + 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, 0xaf, 0x06, 0x44, 0x1e, + 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, 0x63, 0x7a, 0x32, 0xda, + 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, 0x63, 0xf3, 0x5c, 0x45, + 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, 0xa1, 0xd0, 0x30, 0x29, + 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, 0xca, 0x3f, 0xb5, 0x54, + 0x31, 0x82, 0x01, 0xd8, 0x30, 0x82, 0x01, 0xd4, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 
0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, + 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, + 0x29, 0xbb, 0xc2, 0xc1, 0x17, 0xb9, 0x7d, 0x8b, 0x43, 0xc6, 0x25, 0xad, 0xf1, 0xae, 0xb6, 0x26, 0x78, 0x9c, 0x92, 0x47, + 0x77, 0xf8, 0xac, 0x53, 0xca, 0x17, 0x58, 0x4a, 0x8d, 0x66, 0x44, 0x99, 0x14, 0x3f, 0x63, 0x98, 0x3a, 0x7c, 0xe6, 0x65, + 0xf0, 0x2a, 0x5e, 0x49, 0xbe, 0xdd, 0x40, 0x6e, 0x21, 0x43, 0xe1, 0xb9, 0x13, 0xa8, 0x31, 0xbf, 0x12, 0xb2, 0x78, 0x97, + 0xda, 0x00, 0x5d, 0x7f, 0xf3, 0x2e, 0xea, 0x6f, 0x8b, 0x98, 0xb6, 0x7e, 0x63, 0x75, 0x3b, 0xd0, 0xfc, 0x69, 0xa8, 0x0d, + 0x8f, 0xe3, 0xc0, 0x7c, 0xc4, 0xa4, 0x2e, 0x66, 0x63, 0x7f, 0xae, 0x4e, 0xb8, 0xc3, 0xcd, 0x53, 0xf6, 0x7b, 0xf1, 0x7b, + 0xfa, 0x89, 0x6f, 0xb6, 0x81, 0x65, 0x13, 0xc4, 0x2d, 0xdd, 0x7a, 0x52, 0x3d, 0x77, 0xd1, 0x78, 0x48, 0x70, 0x17, 0x58, + 0x1e, 0x58, 0x5c, 0xb8, 0xcf, 0x22, 0x3a, 0x1f, 0x95, 0x99, 0xe5, 0x5e, 0x91, 0xb4, 0x0f, 0x2e, 0x17, 0xeb, 0x5d, 0x20, + 0x80, 0xfe, 0x75, 0x07, 0x75, 0x9b, 0xda, 0x26, 0xa0, 0xb4, 0x1f, 0xe2, 0x8b, 0x94, 0x90, 0xad, 0x05, 0x75, 0xef, 0xe3, + 0x35, 0xa4, 0x6f, 0x50, 0x11, 0x40, 0xd5, 0x20, 0x1c, 0x32, 0xed, 0x24, 0xd6, 0x1e, 0x76, 0x95, 
0x96, 0x35, 0xa2, 0x7c, + 0x81, 0x42, 0x95, 0x32, 0x58, 0xd8, 0x68, 0xf8, 0x2e, 0x06, 0x5e, 0x99, 0x8f, 0xc2, 0x43, 0x5e, 0x84, 0x21, 0x8a, 0x87, + 0xfc, 0x36, 0xff, 0x10, 0x81, 0x52, 0xe7, 0xb0, 0xbd, 0x5d, 0x5e, 0xb3, 0x24, 0xb2, 0x06, 0x04, 0xb7, 0x6f, 0xb2, 0x6d, + 0x83, 0x3f, 0xe0, 0xc6, 0x3d, 0x29, 0xf3, 0x90, 0xa3, 0x3a, 0xcc, 0x5c, 0x64, 0x34, 0x22, 0x9c, 0xfb, 0x86, 0x83, 0xd1, + 0x48, 0x6f, 0xea, 0x1d, 0xca, 0x2c, 0x4f, 0x13, 0xc7, 0x94, 0x82, 0x38, 0xc2, 0xbd, 0x6b, 0xd4, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00 +}; + +unsigned char rsa_sha256[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, + 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, + 0x41, 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xa0, 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, + 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, + 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, + 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 
0x69, 0x6e, 0x67, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, + 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, + 0x34, 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, + 0x32, 0x39, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, + 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, + 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, + 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, + 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, + 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, + 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, + 0xf4, 0x24, 
0x8d, 0x25, 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, + 0xb0, 0x72, 0xe9, 0xa9, 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, + 0xf7, 0x7d, 0x59, 0xe9, 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, + 0xcf, 0xf7, 0x21, 0x88, 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, + 0x54, 0x59, 0x4d, 0xce, 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, + 0x00, 0x6f, 0x6e, 0xf8, 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, + 0xba, 0xcc, 0x29, 0xbe, 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, + 0xb1, 0xc3, 0x68, 0xd5, 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, + 0xad, 0x41, 0xfb, 0x61, 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, + 0x86, 0x8a, 0x1e, 0x3b, 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, + 0x6a, 0x1b, 0xea, 0x1a, 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, + 0x0b, 0x70, 0x90, 0x60, 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, + 0x52, 0x8f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, + 0xd5, 0x6e, 0x8b, 0x04, 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, + 0x09, 0xa7, 0x6c, 0x2d, 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 
0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, + 0xbf, 0x57, 0x6f, 0xd8, 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, + 0xa4, 0xca, 0xde, 0x3f, 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, + 0x94, 0x0e, 0xb9, 0x70, 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, + 0x60, 0xe5, 0x91, 0xec, 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, + 0x61, 0x51, 0x57, 0x73, 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, + 0x77, 0x35, 0xe9, 0x3e, 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, + 0xaf, 0x06, 0x44, 0x1e, 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, + 0x63, 0x7a, 0x32, 0xda, 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, + 0x63, 0xf3, 0x5c, 0x45, 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, + 0xa1, 0xd0, 0x30, 0x29, 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, + 0xca, 0x3f, 0xb5, 0x54, 0x31, 0x82, 0x01, 0xdc, 0x30, 0x82, 0x01, 0xd8, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, + 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 
0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xc9, 0x25, 0xbe, 0xb8, 0xf2, 0x2c, 0x7f, 0xc8, 0x3a, 0xc3, 0xc2, 0x4b, + 0xac, 0x54, 0xcf, 0xa6, 0x75, 0xaa, 0xeb, 0x40, 0x68, 0xee, 0xe2, 0xb1, 0xa8, 0x70, 0x9e, 0xe9, 0x8b, 0xf1, 0x0a, 0x85, + 0x88, 0x40, 0xef, 0xb8, 0xa5, 0x04, 0x87, 0x63, 0x03, 0xf5, 0x41, 0x81, 0x29, 0x42, 0x7f, 0x31, 0x8f, 0x5b, 0xde, 0xe8, + 0x15, 0xc1, 0xa3, 0x45, 0xf1, 0xbc, 0xff, 0x81, 0x58, 0xbd, 0xac, 0x4c, 0xa5, 0xb3, 0x30, 0x9a, 0xb8, 0x9e, 0x69, 0x10, + 0xad, 0x44, 0x7b, 0x93, 0x28, 0xba, 0xca, 0x6f, 0x2e, 0xf8, 0x1b, 0x03, 0xc2, 0x0a, 0x4a, 0x06, 0x32, 0x4d, 0x30, 0x50, + 0xb7, 0x9c, 0x57, 0x4d, 0x4b, 0x6c, 0x34, 0x53, 0xd8, 0xf5, 0xca, 0x91, 0xa5, 0xdf, 0xa6, 0x67, 0x0a, 0x2e, 0x02, 0x47, + 0x1c, 0x1c, 0xd6, 0x2b, 0xe2, 0x85, 0xc1, 0xda, 0x79, 0xa2, 0xe2, 0x1e, 0xf8, 0x5e, 0xf9, 0x76, 0x55, 0xaf, 0x61, 0xaf, + 0xde, 0x0a, 0x7b, 0xeb, 0xa1, 0xa8, 0xc6, 0xef, 0x76, 0x2f, 0x50, 0xd1, 0x0a, 0xce, 0xdb, 0x14, 0xc3, 0x13, 0x72, 0xe5, + 0x26, 0x67, 0x90, 0x19, 0x15, 0x7b, 0x79, 0x05, 0xeb, 0x20, 0xb3, 0x5a, 0x4e, 0x78, 0xae, 0x2d, 0x9c, 0xd1, 0x31, 0xfd, + 0x2e, 0xcb, 0x84, 0xb9, 0x67, 0xea, 0xaf, 0xb3, 0xc2, 0x5f, 0xf5, 0xcd, 0x7b, 0x66, 0x3f, 0xdf, 0xf7, 0xe7, 0x76, 0x46, + 0x57, 0xd9, 0xee, 0x4b, 0xb2, 0xc8, 0x7b, 0xf9, 0x88, 0xab, 0x8e, 0xca, 0xfc, 0x39, 0xd1, 0x8e, 0x1c, 0xba, 0x3e, 0x63, + 0xb7, 0xe8, 0x0e, 0x2f, 0xde, 
0x6b, 0x76, 0x81, 0xbf, 0x78, 0x26, 0x0c, 0xa0, 0x2c, 0x35, 0x21, 0xde, 0xb4, 0x45, 0x0a, + 0x84, 0xea, 0x68, 0xa5, 0x37, 0xe8, 0x4a, 0xbc, 0xa6, 0xcf, 0x24, 0x85, 0x46, 0x33, 0x9e, 0xd9, 0xba, 0x58, 0x75, 0xd7, + 0x45, 0xc2, 0x99, 0xe5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: RSA-signed messages (with attributes) + */ +unsigned char rsa_md5_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, + 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xa0, 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, + 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, + 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, + 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, + 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 
0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, + 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, + 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, 0x32, + 0x39, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, + 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, + 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, + 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, + 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, + 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, + 0x02, 0x82, 0x01, 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, 0xf4, + 0x24, 0x8d, 0x25, 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, 0xb0, + 0x72, 0xe9, 0xa9, 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 
0x6b, 0xeb, 0xd5, 0x4b, 0xf7, + 0x7d, 0x59, 0xe9, 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, 0xcf, + 0xf7, 0x21, 0x88, 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, 0x54, + 0x59, 0x4d, 0xce, 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, 0x00, + 0x6f, 0x6e, 0xf8, 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, 0xba, + 0xcc, 0x29, 0xbe, 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, 0xb1, + 0xc3, 0x68, 0xd5, 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, 0xad, + 0x41, 0xfb, 0x61, 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, 0x86, + 0x8a, 0x1e, 0x3b, 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, 0x6a, + 0x1b, 0xea, 0x1a, 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, 0x0b, + 0x70, 0x90, 0x60, 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, 0x52, + 0x8f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, 0xd5, + 0x6e, 0x8b, 0x04, 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, 0x09, + 0xa7, 0x6c, 0x2d, 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, 0xbf, + 0x57, 0x6f, 0xd8, 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, 0xa4, + 0xca, 0xde, 
0x3f, 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, 0x94, + 0x0e, 0xb9, 0x70, 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, 0x60, + 0xe5, 0x91, 0xec, 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, 0x61, + 0x51, 0x57, 0x73, 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, 0x77, + 0x35, 0xe9, 0x3e, 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, 0xaf, + 0x06, 0x44, 0x1e, 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, 0x63, + 0x7a, 0x32, 0xda, 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, 0x63, + 0xf3, 0x5c, 0x45, 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, 0xa1, + 0xd0, 0x30, 0x29, 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, 0xca, + 0x3f, 0xb5, 0x54, 0x31, 0x82, 0x02, 0x36, 0x30, 0x82, 0x02, 0x32, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, + 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 
0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0xa0, 0x59, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x03, 0x31, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x38, 0x31, 0x33, + 0x32, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x12, + 0x04, 0x10, 0xed, 0xa3, 0x75, 0x22, 0xef, 0xdc, 0x73, 0x52, 0x7f, 0xff, 0x56, 0x77, 0xdd, 0x1b, 0xaa, 0xae, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x8f, 0x71, 0x05, + 0x7b, 0x53, 0xb1, 0x1d, 0xd3, 0xc5, 0x17, 0xc1, 0x65, 0x6d, 0xa6, 0xa2, 0x14, 0xd6, 0x07, 0xaa, 0xa1, 0x33, 0x3d, 0x30, + 0x4c, 0x2e, 0x62, 0x66, 0x5f, 0x43, 0x7e, 0x57, 0x65, 0x5f, 0xa2, 0x71, 0x2a, 0x20, 0x48, 0xc3, 0xef, 0x82, 0x6b, 0xcb, + 0xb9, 0xf4, 0xae, 0x8d, 0x90, 0x7a, 0x47, 0x1d, 0x28, 0xec, 0x66, 0x3c, 0x2a, 0x5c, 0xa1, 0x74, 0xce, 0x85, 0x8e, 0x37, + 0x45, 0x9e, 0xf0, 0xed, 0x67, 0x4a, 0xf8, 0x3e, 0xa4, 0xcb, 0xac, 0xdb, 0x35, 0x82, 0x71, 0xbf, 0xfb, 0xc6, 0xcc, 0x89, + 0x17, 0xb6, 0xaf, 0xfb, 0x1c, 0x4b, 0x92, 0x21, 0x88, 0xc1, 0x8e, 0x0e, 0xf6, 0x05, 0xb6, 0x70, 0x7b, 0x34, 0x98, 0x27, + 0xe2, 0xa9, 0x3b, 0xf2, 0x72, 0xba, 0xd4, 0x33, 0x21, 0x72, 0x55, 0x91, 0x4c, 0x03, 0xda, 0x18, 0x36, 0xe7, 0xdb, 0x77, + 0x9e, 0xdb, 0x0f, 0x0a, 0x0c, 0xff, 0x45, 0x46, 0x5e, 0x8b, 0xd8, 0x4b, 0x5f, 0xdd, 0xa0, 0x16, 0xc8, 0xdd, 0xf2, 0x30, + 0xea, 0x54, 0x6a, 0x05, 0x94, 0x4e, 0x75, 0xc6, 0x38, 0x96, 0xd2, 0x73, 0x92, 0xff, 0xe3, 0xc6, 0x73, 0xd4, 
0xb2, 0x9e, + 0xf8, 0xc1, 0xa5, 0x4d, 0x0a, 0x49, 0xdd, 0x41, 0x8f, 0x06, 0xd5, 0x6e, 0xe1, 0x51, 0x4a, 0xb7, 0x88, 0xec, 0xe3, 0x3e, + 0xcd, 0xfd, 0x54, 0x0d, 0x91, 0x75, 0xa2, 0xa0, 0x77, 0x82, 0x2b, 0xa1, 0xb6, 0x4f, 0x15, 0x44, 0xa2, 0xdf, 0xd2, 0x5b, + 0xf7, 0xd1, 0x91, 0xf3, 0x24, 0x29, 0x0b, 0xef, 0x71, 0xf5, 0xee, 0xfa, 0x21, 0xa1, 0xfb, 0xab, 0x78, 0x4d, 0x87, 0x97, + 0xb8, 0x91, 0x9d, 0xd9, 0x9e, 0x3b, 0x9f, 0xcc, 0xcb, 0x0b, 0x38, 0xd9, 0x84, 0xf4, 0xd4, 0x1d, 0xee, 0xab, 0x88, 0x9d, + 0xd5, 0xff, 0xe3, 0x2f, 0x93, 0x75, 0xfd, 0x77, 0xff, 0xab, 0x41, 0x55, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_sha1_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, 0x69, 0x6e, 0x27, + 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, + 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x74, 0x3f, + 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0xa7, + 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 
0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, + 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x30, + 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, + 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, + 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 
0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, 0xf4, 0x24, 0x8d, 0x25, + 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, 0xb0, 0x72, 0xe9, 0xa9, + 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, 0xf7, 0x7d, 0x59, 0xe9, + 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, 0xcf, 0xf7, 0x21, 0x88, + 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, 0x54, 0x59, 0x4d, 0xce, + 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, 0x00, 0x6f, 0x6e, 0xf8, + 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, 0xba, 0xcc, 0x29, 0xbe, + 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, 0xb1, 0xc3, 0x68, 0xd5, + 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, 0xad, 0x41, 0xfb, 0x61, + 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, 0x86, 0x8a, 0x1e, 0x3b, + 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, 0x6a, 0x1b, 0xea, 0x1a, + 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, 0x0b, 0x70, 0x90, 0x60, + 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, 0x52, 0x8f, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, 0xd5, 0x6e, 0x8b, 0x04, + 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, 
0x09, 0xa7, 0x6c, 0x2d, + 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, 0xbf, 0x57, 0x6f, 0xd8, + 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, 0xa4, 0xca, 0xde, 0x3f, + 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, 0x94, 0x0e, 0xb9, 0x70, + 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, 0x60, 0xe5, 0x91, 0xec, + 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, 0x61, 0x51, 0x57, 0x73, + 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, 0x77, 0x35, 0xe9, 0x3e, + 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, 0xaf, 0x06, 0x44, 0x1e, + 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, 0x63, 0x7a, 0x32, 0xda, + 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, 0x63, 0xf3, 0x5c, 0x45, + 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, 0xa1, 0xd0, 0x30, 0x29, + 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, 0xca, 0x3f, 0xb5, 0x54, + 0x31, 0x82, 0x02, 0x37, 0x30, 0x82, 0x02, 0x33, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 
0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, + 0x00, 0xa0, 0x5d, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x38, 0x31, 0x33, 0x32, 0x30, 0x30, 0x30, 0x5a, 0x30, + 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x16, 0x04, 0x14, 0xef, 0x53, 0x0b, 0xfa, + 0xcf, 0x34, 0x18, 0xb3, 0x30, 0xff, 0xf8, 0x9e, 0x09, 0xb3, 0xb6, 0x21, 0xd6, 0x83, 0xb9, 0xe9, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x52, 0xbd, 0xa1, 0x0a, 0x41, + 0xce, 0xc1, 0xe8, 0xe8, 0x2f, 0x2e, 0x1f, 0x73, 0xd1, 0x2f, 0x2e, 0x53, 0x53, 0x21, 0xec, 0x88, 0x30, 0x6a, 0x9d, 0x58, + 0x64, 0x95, 0xef, 0xf2, 0x20, 0x55, 0xb0, 0x15, 0x64, 0x02, 0x1d, 0xf9, 0x44, 0xdd, 0xcb, 0x7a, 0x9c, 0x50, 0x10, 0xea, + 0xfa, 0x6f, 0x07, 0x64, 0xaf, 0x30, 0x6e, 0xe2, 0xc1, 0x34, 0x55, 0xd0, 0x6a, 0x6e, 0xe1, 0x09, 0x91, 0xb7, 0xe3, 0x7b, + 0x02, 0x19, 0x3d, 0xfc, 0xdd, 0xab, 0x45, 0xe7, 0xf4, 0xeb, 0xfd, 0xa2, 0x17, 0x3e, 0xf2, 0xae, 0x8a, 0x07, 0x84, 0x98, + 0xe7, 0xee, 0x42, 0x0c, 0x74, 0x08, 0xf6, 0xc0, 0xfc, 0x29, 0xc3, 0x8a, 0xbe, 0x6c, 0x0b, 0x1e, 0x4a, 0xa8, 0x43, 0x3c, + 0x94, 0xdb, 0x26, 0xdb, 0x8c, 0x28, 0x68, 0xea, 0x53, 0x39, 0x89, 
0xe8, 0xfe, 0x94, 0x60, 0x1f, 0x23, 0xf7, 0x1f, 0x3a, + 0x40, 0xdf, 0xe1, 0x4b, 0x9a, 0x66, 0x11, 0x9e, 0x45, 0x68, 0x85, 0x15, 0x64, 0x5f, 0xe6, 0xc8, 0x2a, 0xca, 0x07, 0x66, + 0x23, 0x01, 0x00, 0xa8, 0x90, 0x68, 0x05, 0xfd, 0x3a, 0x96, 0x7f, 0x86, 0x55, 0x6d, 0xe4, 0x92, 0x12, 0xe9, 0x07, 0x51, + 0x54, 0xfb, 0x79, 0x55, 0x13, 0xca, 0xdf, 0xb9, 0xb5, 0x79, 0x9f, 0xf0, 0x5d, 0xb0, 0xfd, 0xe8, 0xa2, 0xf3, 0x15, 0x02, + 0xfb, 0xe0, 0x25, 0xd6, 0xd6, 0x9c, 0x87, 0xfd, 0xee, 0x11, 0x5a, 0x62, 0xe3, 0xfe, 0xea, 0xff, 0xd2, 0xde, 0x4c, 0x03, + 0xfe, 0x3c, 0x66, 0xcc, 0x54, 0x3c, 0xe2, 0x0d, 0xde, 0x3e, 0x0e, 0x38, 0x7b, 0x67, 0xe5, 0xd1, 0xea, 0x78, 0x4f, 0xb2, + 0x8e, 0x8f, 0x2b, 0xc9, 0x76, 0x2c, 0xa9, 0xcc, 0x1d, 0xdb, 0x71, 0x40, 0x8a, 0x67, 0xbe, 0x6f, 0x3d, 0xa3, 0xba, 0x9a, + 0xa4, 0x4b, 0x74, 0x57, 0xd9, 0xcb, 0x4e, 0xff, 0xc2, 0xb4, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_sha256_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, + 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, + 0x41, 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xa0, 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, + 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 
0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, + 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, + 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, + 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, + 0x34, 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, + 0x32, 0x39, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, + 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, + 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, + 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, + 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, + 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, + 0x61, 0x6d, 
0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, + 0xf4, 0x24, 0x8d, 0x25, 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, + 0xb0, 0x72, 0xe9, 0xa9, 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, + 0xf7, 0x7d, 0x59, 0xe9, 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, + 0xcf, 0xf7, 0x21, 0x88, 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, + 0x54, 0x59, 0x4d, 0xce, 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, + 0x00, 0x6f, 0x6e, 0xf8, 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, + 0xba, 0xcc, 0x29, 0xbe, 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, + 0xb1, 0xc3, 0x68, 0xd5, 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, + 0xad, 0x41, 0xfb, 0x61, 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, + 0x86, 0x8a, 0x1e, 0x3b, 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, + 0x6a, 0x1b, 0xea, 0x1a, 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, + 0x0b, 0x70, 0x90, 0x60, 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, + 0x52, 0x8f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, + 0xd5, 0x6e, 0x8b, 0x04, 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, + 0x09, 0xa7, 0x6c, 0x2d, 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, + 0xbf, 0x57, 0x6f, 0xd8, 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, + 0xa4, 0xca, 0xde, 0x3f, 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, + 0x94, 0x0e, 0xb9, 0x70, 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, + 0x60, 0xe5, 0x91, 0xec, 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, + 0x61, 0x51, 0x57, 0x73, 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, + 0x77, 0x35, 0xe9, 0x3e, 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, + 0xaf, 0x06, 0x44, 0x1e, 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, + 0x63, 0x7a, 0x32, 0xda, 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, + 0x63, 0xf3, 0x5c, 0x45, 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, + 0xa1, 0xd0, 0x30, 0x29, 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, + 0xca, 0x3f, 0xb5, 0x54, 0x31, 0x82, 0x02, 0x47, 0x30, 0x82, 0x02, 0x43, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, + 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 
0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa0, 0x69, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x38, + 0x31, 0x33, 0x32, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x2f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, + 0x31, 0x22, 0x04, 0x20, 0x33, 0x1f, 0x3a, 0xc4, 0x95, 0x97, 0x64, 0x1c, 0x99, 0x9b, 0x37, 0xc8, 0xf2, 0xba, 0xd0, 0xb4, + 0x38, 0xa5, 0x9c, 0x3a, 0xa3, 0x78, 0xf9, 0xfb, 0x66, 0x28, 0x4e, 0x6a, 0x90, 0xcc, 0x0e, 0x4c, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xae, 0x6d, 0xa9, 0xa7, 0xee, + 0x0c, 0x94, 0x1b, 0xf3, 0x93, 0x40, 0x43, 0x11, 0x41, 0x20, 0x11, 0x60, 0xd9, 0x4e, 0xb6, 0x2d, 0x3e, 0x98, 0xfe, 0x06, + 0xd2, 0xc4, 0xe4, 0x0a, 0x66, 0xdc, 0xbb, 0xbd, 0x4d, 0x8e, 0xcb, 0xe1, 0x87, 0x39, 0x3f, 0xb3, 0x4b, 0xf8, 0xe7, 0x18, + 0x6f, 0x39, 0xad, 0x01, 0xd4, 
0xe8, 0x85, 0x8c, 0x84, 0x96, 0x2c, 0x3a, 0xd4, 0xcf, 0x3c, 0xe5, 0x05, 0xdd, 0xc7, 0xc0, + 0xb7, 0x72, 0x7b, 0x32, 0xa1, 0xff, 0x69, 0x51, 0xd4, 0xc9, 0x3e, 0x1f, 0x89, 0x71, 0x39, 0xd9, 0x99, 0x1e, 0xa9, 0x33, + 0x83, 0xc1, 0x37, 0x3e, 0xf2, 0xbd, 0xad, 0x8f, 0xa9, 0x24, 0x82, 0xad, 0x7d, 0x54, 0x8f, 0x6f, 0x8a, 0xdb, 0xbf, 0xd4, + 0xd4, 0x9c, 0x0a, 0x11, 0x8a, 0xb2, 0x0c, 0xd9, 0x32, 0xf1, 0xe6, 0x76, 0x4a, 0x09, 0x1a, 0x6a, 0xdf, 0x48, 0x2f, 0xf4, + 0x89, 0x73, 0xc8, 0x37, 0xb0, 0x14, 0xa9, 0x59, 0xc3, 0x94, 0x63, 0x6c, 0xfd, 0x90, 0x2c, 0x3a, 0x58, 0xa4, 0x5e, 0xbb, + 0x2f, 0x5e, 0x1d, 0xdc, 0x57, 0x47, 0x09, 0x77, 0xbc, 0x2b, 0x76, 0xfa, 0x97, 0x85, 0x63, 0x4b, 0xd6, 0x32, 0xac, 0x7e, + 0xa0, 0x41, 0xd1, 0xc7, 0x1a, 0x59, 0x3f, 0x39, 0xd1, 0xa7, 0x3f, 0xa7, 0x3f, 0x23, 0x11, 0x3e, 0x19, 0x6d, 0x63, 0xa1, + 0x4c, 0xcd, 0x03, 0x22, 0x07, 0x72, 0x4c, 0x44, 0x07, 0xd9, 0x85, 0x18, 0x63, 0x8c, 0x96, 0x29, 0x20, 0xc4, 0x1b, 0xac, + 0x6e, 0x4f, 0x95, 0x7d, 0x97, 0x9f, 0xcc, 0x94, 0xf4, 0xfe, 0x8b, 0x08, 0x1c, 0x8a, 0x9d, 0x19, 0x6d, 0x42, 0x92, 0x73, + 0xa9, 0xd0, 0xb3, 0x4c, 0x46, 0x40, 0x88, 0xcb, 0x51, 0x2f, 0x73, 0xec, 0x43, 0x4c, 0x09, 0xa7, 0xb5, 0x89, 0x4b, 0xe4, + 0xbc, 0xdc, 0x1d, 0x17, 0xf9, 0x55, 0xe5, 0x59, 0xea, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: EC-signed messages (no attributes) + */ +unsigned char ec_md5[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, + 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 
0x00, 0xa0, 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, 0xa6, + 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, + 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, + 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, + 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, + 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, + 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, 0x39, + 0x35, 0x36, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 
0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, 0x88, + 0x07, 0x03, 0x42, 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, 0x81, + 0xa1, 0x4e, 0xc5, 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 0xf3, 0xe6, 0x87, 0x6c, + 0xc4, 0xcd, 0x8c, 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, 0x13, + 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, + 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0x81, + 0x1b, 0xed, 0x5a, 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, 0x85, + 0x7a, 0x2f, 0x65, 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, 0xcb, + 0xeb, 0xf7, 0x1c, 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, 0xf5, + 0xbe, 0x85, 0x40, 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x1b, 0x30, 0x82, 0x01, 0x17, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, 0x30, + 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 
0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x09, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x04, + 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xa2, 0x9f, 0x73, 0x2d, 0x2a, 0xa0, 0xca, 0xb4, 0xf6, 0xc9, 0xfd, 0x68, 0xd2, 0xe7, + 0x8d, 0x07, 0xdd, 0x60, 0xcc, 0xe1, 0xb6, 0xfe, 0xa9, 0x11, 0xd8, 0xb7, 0x68, 0xa4, 0xe3, 0xed, 0x1b, 0x42, 0x02, 0x20, + 0x4b, 0x64, 0x3e, 0xe0, 0x50, 0x29, 0x89, 0x30, 0xd0, 0x32, 0x2d, 0xfc, 0xd3, 0x6b, 0xe8, 0x06, 0x15, 0xe2, 0x91, 0x99, + 0x7b, 0x26, 0xc4, 0xa3, 0x85, 0xf0, 0x05, 0x95, 0x4d, 0xf9, 0x51, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_sha1[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, 0x69, 0x6e, 0x27, + 0x74, 
0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, + 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x50, 0x2b, + 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, 0xa6, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, + 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, + 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, + 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, + 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, + 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, + 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, 0x81, 0xa6, 0x31, 0x19, + 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 
0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, 0x88, 0x07, 0x03, 0x42, + 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, 0x81, 0xa1, 0x4e, 0xc5, + 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 0xf3, 0xe6, 0x87, 0x6c, 0xc4, 0xcd, 0x8c, + 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, 0x13, 0x30, 0x11, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0x81, 0x1b, 0xed, 0x5a, + 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, 0x85, 0x7a, 0x2f, 0x65, + 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, 0xcb, 0xeb, 0xf7, 0x1c, + 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, 0xf5, 0xbe, 0x85, 0x40, + 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x19, 0x30, 0x82, 0x01, 0x15, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, 0x30, 0x81, 0xa6, 0x31, + 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 
0x54, 0x65, 0x73, + 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, + 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, + 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, + 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, + 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, + 0x05, 0x00, 0x30, 0x09, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x04, 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, + 0xd4, 0xce, 0xa5, 0xcc, 0x15, 0x91, 0x6e, 0xa9, 0x98, 0x77, 0xaa, 0xda, 0x65, 0xa0, 0xf6, 0xa0, 0xcc, 0xb1, 0xcc, 0x2c, + 0x26, 0x9f, 0xd0, 0x05, 0x17, 0x90, 0xed, 0x57, 0xb0, 0x2d, 0x59, 0xfb, 0x02, 0x21, 0x00, 0x8d, 0xc2, 0x5c, 0x85, 0xbb, + 0x13, 0x25, 0x8f, 0x8e, 0x6a, 0x9b, 0x81, 0x80, 0x5b, 0x13, 0xec, 0x2c, 0x2d, 0xc1, 0x3b, 0x14, 0x03, 0x19, 0x03, 0xdd, + 0x5c, 0xa8, 0x8e, 0x79, 0x5d, 0xa6, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_sha256[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, + 0x20, 0x6d, 0x65, 0x73, 0x73, 
0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, + 0x41, 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xa0, 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, + 0x39, 0x35, 0x36, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, + 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 
0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, + 0x88, 0x07, 0x03, 0x42, 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, + 0x81, 0xa1, 0x4e, 0xc5, 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 0xf3, 0xe6, 0x87, + 0x6c, 0xc4, 0xcd, 0x8c, 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, + 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, + 0x81, 0x1b, 0xed, 0x5a, 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, + 0x85, 0x7a, 0x2f, 0x65, 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, + 0xcb, 0xeb, 0xf7, 0x1c, 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, + 0xf5, 0xbe, 0x85, 0x40, 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x1c, 0x30, 0x82, 0x01, 0x18, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, + 
0x30, 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, + 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, + 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x09, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x04, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xa7, 0xb6, 0xd0, 0x7d, 0x38, 0x8c, 0x77, 0x1d, 0xa9, 0x57, 0x99, 0x8f, + 0x4b, 0x13, 0xca, 0x9d, 0x6d, 0xf7, 0x41, 0x3f, 0xd7, 0xa8, 0x7e, 0x53, 0x90, 0x53, 0x87, 0x4f, 0x9e, 0x23, 0xdb, 0x47, + 0x02, 0x20, 0x25, 0xe4, 0xca, 0x33, 0x86, 0x21, 0x65, 0xc2, 0x2a, 0xc7, 0x8d, 0x58, 0x36, 0x50, 0x07, 0xf3, 0x6b, 0x35, + 0x2e, 0xd5, 0x4d, 0x31, 0xa3, 0x87, 0x30, 0xf8, 0x72, 0x99, 0x39, 0x2a, 0xba, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: EC-signed messages (with attributes) + */ +unsigned char ec_sha1_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 
0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, 0x69, 0x6e, 0x27, + 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, + 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x50, 0x2b, + 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, 0xa6, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, + 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, + 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, + 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, + 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, + 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, + 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, 0x81, 0xa6, 0x31, 0x19, + 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, 0x74, 
+ 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, 0x88, 0x07, 0x03, 0x42, + 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, 0x81, 0xa1, 0x4e, 0xc5, + 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 0xf3, 0xe6, 0x87, 0x6c, 0xc4, 0xcd, 0x8c, + 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, 0x13, 0x30, 0x11, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0x81, 0x1b, 0xed, 0x5a, + 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, 0x85, 0x7a, 0x2f, 0x65, + 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, 0xcb, 0xeb, 0xf7, 0x1c, + 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 
0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, 0xf5, 0xbe, 0x85, 0x40, + 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x76, 0x30, 0x82, 0x01, 0x72, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, 0x30, 0x81, 0xa6, 0x31, + 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, + 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, + 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, + 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, + 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, + 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, + 0x05, 0x00, 0xa0, 0x5d, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x38, 0x31, 0x33, 0x32, 0x30, 0x30, 0x30, 0x5a, + 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x16, 0x04, 0x14, 0xef, 0x53, 0x0b, + 0xfa, 0xcf, 0x34, 0x18, 0xb3, 0x30, 0xff, 0xf8, 0x9e, 0x09, 0xb3, 0xb6, 0x21, 0xd6, 0x83, 0xb9, 0xe9, 0x30, 0x09, 0x06, + 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x04, 0x46, 0x30, 0x44, 0x02, 0x20, 0x27, 
0xfc, 0x20, 0xc2, 0x9e, 0xf7, + 0x26, 0xa7, 0x9d, 0x78, 0x7e, 0xc6, 0x1c, 0xd6, 0x29, 0x90, 0x81, 0x6b, 0x17, 0x85, 0xac, 0x44, 0xb8, 0x56, 0x95, 0xe8, + 0x35, 0x12, 0x31, 0xde, 0xb1, 0x91, 0x02, 0x20, 0x08, 0xe0, 0xd4, 0x58, 0x0d, 0x79, 0x60, 0xc1, 0x20, 0x3b, 0x1c, 0x0c, + 0xda, 0x46, 0x91, 0x73, 0x21, 0x38, 0x77, 0xe8, 0x97, 0xe1, 0xa8, 0xe8, 0x2d, 0x38, 0xd2, 0xa3, 0x72, 0xfb, 0xe3, 0xa4, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_sha256_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, + 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, + 0x41, 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xa0, 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 
0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, + 0x39, 0x35, 0x36, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, + 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, + 0x88, 0x07, 0x03, 0x42, 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, + 0x81, 0xa1, 0x4e, 0xc5, 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 
0xf3, 0xe6, 0x87, + 0x6c, 0xc4, 0xcd, 0x8c, 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, + 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, + 0x81, 0x1b, 0xed, 0x5a, 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, + 0x85, 0x7a, 0x2f, 0x65, 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, + 0xcb, 0xeb, 0xf7, 0x1c, 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, + 0xf5, 0xbe, 0x85, 0x40, 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x86, 0x30, 0x82, 0x01, 0x82, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, + 0x30, 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, + 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, + 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 
0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa0, 0x69, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, + 0x38, 0x31, 0x33, 0x32, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x2f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, + 0x04, 0x31, 0x22, 0x04, 0x20, 0x33, 0x1f, 0x3a, 0xc4, 0x95, 0x97, 0x64, 0x1c, 0x99, 0x9b, 0x37, 0xc8, 0xf2, 0xba, 0xd0, + 0xb4, 0x38, 0xa5, 0x9c, 0x3a, 0xa3, 0x78, 0xf9, 0xfb, 0x66, 0x28, 0x4e, 0x6a, 0x90, 0xcc, 0x0e, 0x4c, 0x30, 0x09, 0x06, + 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x04, 0x46, 0x30, 0x44, 0x02, 0x20, 0x76, 0x40, 0x7c, 0xf7, 0x6a, 0x21, + 0x2b, 0x45, 0x88, 0xb7, 0x3f, 0x90, 0x22, 0x80, 0x52, 0x36, 0x8b, 0x95, 0xf7, 0x79, 0x4c, 0xf8, 0x2d, 0x20, 0x48, 0x10, + 0xad, 0x0d, 0x59, 0x48, 0x50, 0xb0, 0x02, 0x20, 0x31, 0xa2, 0x19, 0x75, 0x17, 0xf3, 0x0b, 0x5f, 0x35, 0xf9, 0xac, 0xa2, + 0x7f, 0x50, 0x94, 0x9b, 0x08, 0x86, 0x40, 0xf9, 0x56, 0xdf, 0xdd, 0x0a, 0x6c, 0xdd, 0x7d, 0x67, 0xf0, 0xa5, 0x2d, 0x5a, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: RSA encrypted + */ +unsigned char rsa_3DES[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 
0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xd8, 0xc9, 0x64, 0x49, 0x02, 0x4b, 0x6c, 0x18, 0x92, 0x5b, 0x0a, + 0xcc, 0x8e, 0x2b, 0x81, 0xb8, 0x35, 0xff, 0x0e, 0x19, 0x92, 0x24, 0x4b, 0x7e, 0x40, 0x0e, 0xcb, 0x25, 0xee, 0x74, 0x2a, + 0x8c, 0xe5, 0xa2, 0xcf, 0xd7, 0xd3, 0x1d, 0x6e, 0xa2, 0x45, 0x98, 0x22, 0xf7, 0x7d, 0xd4, 0x2d, 0x35, 0x7e, 0x68, 0xb6, + 0xc6, 0x21, 0x84, 0x70, 0x50, 0xfb, 0x35, 0xe7, 0x41, 0xc6, 0x99, 0xc0, 0x91, 0x3e, 0x05, 0x30, 0x71, 0x7a, 0xb4, 0x12, + 0x32, 0x9f, 0x6a, 0x22, 0x35, 0x5e, 0x85, 0x12, 0x81, 0x0a, 0x28, 0x46, 0x79, 0xab, 0x0e, 0x87, 0xd5, 0xb8, 0x33, 0x0a, + 0xe0, 0x68, 0xfd, 0xd4, 0x3b, 0xd9, 0x01, 0xaa, 0xfb, 0xf3, 0x89, 0x78, 0x35, 0x55, 0x37, 0x72, 0x65, 0x54, 0xa6, 0xb5, + 0x44, 0x48, 0x82, 0xcc, 0xbe, 0x77, 0x56, 0x7c, 0xae, 0xb2, 0x49, 0x34, 0xb7, 0x8e, 0x86, 0xd0, 0xcb, 0xdc, 0x55, 0x1f, + 0xd0, 0xdf, 0x0c, 0x40, 0x7b, 0xef, 0xd9, 0x11, 0x76, 0x26, 0x2a, 0xa0, 0xcc, 0xf7, 0x7e, 0x2d, 0x8e, 0x3f, 0xfe, 0x1e, + 0xfd, 0x4e, 0x6f, 0xed, 0x0d, 0xe3, 0x5c, 0xc7, 0x8f, 0x3f, 0x44, 0xd7, 0xaa, 0xc4, 0xaf, 0x5a, 0xb6, 0xa8, 0xcb, 0xf9, + 0x18, 0x1d, 0xac, 0x99, 0x33, 0x64, 0xdc, 0x9c, 0x79, 0x70, 0xd1, 0x8e, 0xe1, 0x91, 0xe8, 0x4a, 0x9a, 0xd4, 0xbb, 0xd6, + 0x49, 0xaa, 0xe2, 0xc0, 0x37, 0x7e, 0x01, 0xf8, 0x79, 0xea, 0xaa, 0x3f, 0xcf, 0x00, 0xdb, 0xb6, 0x29, 0xa3, 0x01, 0x9a, + 0x5c, 
0x51, 0x5e, 0x0a, 0x15, 0x61, 0x34, 0xf9, 0x15, 0x43, 0x2f, 0x4f, 0x0f, 0xc8, 0x87, 0xaf, 0x20, 0x71, 0xbb, 0x08, + 0x31, 0x09, 0x23, 0x87, 0xb3, 0x18, 0xaf, 0x5a, 0xfa, 0x09, 0x69, 0xcb, 0x1f, 0xca, 0x6c, 0xcd, 0x04, 0xe6, 0x64, 0xb1, + 0xfb, 0x17, 0x54, 0xb7, 0x29, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x14, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, 0x08, 0x40, 0x70, 0xf8, 0x8a, 0xcd, 0x13, 0xbe, 0xcf, + 0xa0, 0x80, 0x04, 0x20, 0x14, 0xf3, 0xb8, 0x0f, 0x06, 0xbc, 0x80, 0xf6, 0x20, 0xa2, 0x83, 0xb0, 0x45, 0x23, 0x5f, 0xc8, + 0xe1, 0xee, 0xb4, 0x04, 0x2d, 0xcb, 0x1e, 0xe9, 0x97, 0x33, 0x79, 0x56, 0x2b, 0x8c, 0x47, 0x99, 0x04, 0x08, 0x72, 0xe3, + 0x41, 0xa0, 0xe7, 0x71, 0x0a, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_RC2[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 
0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xc4, 0x99, 0x34, 0xf9, 0x35, 0xb8, 0xf3, 0xc4, 0xae, 0x00, 0x1a, + 0x61, 0x88, 0xd1, 0x6f, 0xb9, 0x6e, 0x2d, 0x4e, 0x77, 0x58, 0xbf, 0x7c, 0x21, 0xb4, 0x85, 0xc3, 0x39, 0x84, 0xbd, 0x19, + 0x24, 0x73, 0x9b, 0x80, 0xdf, 0xcc, 0xc2, 0x8a, 0xc1, 0xa1, 0x20, 0xa2, 0xf5, 0x47, 0x9f, 0x36, 0x80, 0x4a, 0x5a, 0x69, + 0x1f, 0x0d, 0x3e, 0xf1, 0x68, 0x57, 0x12, 0x31, 0x59, 0x6a, 0xf4, 0xbd, 0x5d, 0x98, 0x94, 0xca, 0x96, 0x9c, 0xd7, 0x51, + 0xcd, 0x55, 0x44, 0x24, 0x57, 0x4c, 0xe7, 0x11, 0xb5, 0x53, 0x19, 0x79, 0x72, 0xda, 0x19, 0xc9, 0xbd, 0xae, 0x74, 0xc0, + 0xbe, 0x71, 0xa7, 0x62, 0x1a, 0xf9, 0x7f, 0x40, 0x2b, 0xf3, 0xdf, 0x15, 0x68, 0x89, 0xf0, 0xb8, 0x84, 0x96, 0x42, 0x0b, + 0x37, 0x26, 0x9a, 0x73, 0xd5, 0x47, 0x23, 0xf7, 0x3e, 0xfa, 0x5f, 0x91, 0xea, 0x82, 0x8f, 0x0c, 0x71, 0xa3, 0xdf, 0x6a, + 0x9a, 0xe1, 0xe6, 0xd3, 0xf9, 0x5a, 0xfc, 0x5d, 0x55, 0x95, 0x6e, 0xa9, 0x2f, 0xdf, 0x79, 0x06, 0x62, 0x0b, 0x55, 0x68, + 0xfc, 0x0f, 0xad, 0x2a, 0x34, 0x6e, 0xc8, 0xc3, 0x09, 0x68, 0x03, 0xba, 0xc2, 0x92, 0x13, 0x91, 0x50, 0x3d, 0xc4, 0x79, + 0xe9, 0x69, 0x2a, 0x25, 0x2a, 0x8f, 0x56, 0xce, 0xe6, 0x0f, 0xc5, 0x9e, 0x3f, 0xcc, 0x42, 0xb3, 0x27, 0xd5, 0xe8, 0x4b, + 0xba, 0x10, 0x33, 0xfb, 0x75, 0x67, 0x85, 0xa3, 0xc6, 0x93, 0xb1, 0xea, 0xfb, 0x8c, 0x4b, 0x25, 0x18, 0x24, 0xcf, 0x30, + 0xe9, 0x29, 0xde, 0x4a, 0xeb, 0xd3, 0xab, 0x3c, 0xf1, 0xfb, 0x57, 0x55, 0x30, 0xf0, 0xc0, 0x1e, 0x25, 0xbc, 0xe9, 0x1e, + 0x92, 0x73, 0xb6, 0xd5, 0xe3, 0xa3, 0xf6, 0x52, 0x72, 0x04, 0x96, 0x1e, 0x26, 0xda, 0x70, 0xb4, 0xba, 0x1c, 0xc4, 0xc4, + 0x76, 0xdd, 0x6d, 0xbc, 0x71, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x19, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x02, 0x30, 0x0d, 0x02, 0x01, 0x3a, 
0x04, 0x08, 0x15, 0xea, 0x8f, + 0x86, 0x56, 0x06, 0x50, 0x78, 0xa0, 0x80, 0x04, 0x20, 0xc8, 0x6c, 0x6c, 0xfb, 0x40, 0xcd, 0x3d, 0x23, 0x79, 0xba, 0x7e, + 0x40, 0xad, 0xa8, 0x01, 0x3b, 0x63, 0xdf, 0x29, 0xe0, 0x5e, 0x82, 0xfb, 0x20, 0x3c, 0x2b, 0xc1, 0x12, 0x57, 0xd0, 0x04, + 0xd2, 0x04, 0x08, 0x21, 0x53, 0x34, 0x58, 0x2e, 0x5a, 0xd3, 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00 +}; + +unsigned char rsa_AES_128[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x61, 0x0b, 0xaa, 0xa7, 0xce, 0xe7, 0x74, 0xe6, 0x13, 0x91, 0xf4, + 0x9f, 0x83, 0x2d, 0x85, 0xef, 0x23, 0x1b, 0x6a, 0x90, 0x2d, 0x03, 0x61, 0x60, 0xf6, 0xa0, 
0xa3, 0x84, 0x43, 0x04, 0xdf, + 0x08, 0x7a, 0x10, 0xaf, 0x6d, 0x9e, 0x4e, 0x57, 0xf9, 0x59, 0xe2, 0x12, 0xc6, 0xbf, 0x30, 0x46, 0x27, 0x03, 0x74, 0x12, + 0x5e, 0x4a, 0xe9, 0xf0, 0xdb, 0x4c, 0xf5, 0x91, 0xaa, 0x87, 0xf4, 0x1a, 0x93, 0xc7, 0xde, 0xf1, 0xde, 0x56, 0x28, 0x5e, + 0x3f, 0x95, 0x8b, 0xb2, 0x02, 0x17, 0x91, 0x26, 0x0f, 0x60, 0x95, 0x56, 0xe9, 0xdd, 0x19, 0xdb, 0xfc, 0xba, 0x35, 0x02, + 0x15, 0x3e, 0xb4, 0x76, 0x6d, 0x11, 0xf6, 0xab, 0xb7, 0x06, 0x9c, 0x7a, 0xb2, 0xcd, 0xef, 0x01, 0xef, 0x17, 0x36, 0x39, + 0x44, 0x51, 0x55, 0xb8, 0xee, 0xf3, 0xea, 0xdd, 0x31, 0xea, 0x25, 0xa4, 0x5c, 0xc1, 0x24, 0xf0, 0xd1, 0x46, 0xbf, 0xba, + 0x9f, 0xc3, 0x9c, 0x82, 0xa9, 0x2a, 0x00, 0xad, 0x7f, 0xb3, 0xec, 0x37, 0x27, 0x3e, 0x35, 0x4b, 0xe9, 0xef, 0xab, 0x96, + 0x40, 0xeb, 0xc3, 0xf1, 0x06, 0xad, 0x43, 0x27, 0x58, 0x53, 0xee, 0xe9, 0x6f, 0x32, 0x00, 0x8a, 0xc1, 0x6e, 0x41, 0xc9, + 0x93, 0xe2, 0xc3, 0xec, 0xf5, 0xd6, 0x8c, 0xe6, 0x23, 0x0c, 0xa6, 0x69, 0x3d, 0x26, 0xd0, 0xff, 0xf0, 0xdd, 0xcc, 0x2c, + 0xe2, 0xac, 0xf4, 0x6c, 0xe2, 0xd8, 0x50, 0x50, 0xac, 0x18, 0x25, 0x41, 0x5b, 0xf2, 0xd7, 0xf6, 0x7e, 0xe4, 0x96, 0x78, + 0x34, 0x3b, 0x68, 0x05, 0x87, 0x65, 0x3c, 0x86, 0xfa, 0x7b, 0x71, 0xc4, 0xfd, 0x84, 0x91, 0x21, 0x5b, 0x2f, 0x14, 0x59, + 0x2b, 0x5e, 0xf6, 0x67, 0x4c, 0x54, 0x47, 0x04, 0xf0, 0x03, 0x6b, 0x58, 0x56, 0x44, 0x5b, 0x9e, 0xbc, 0x62, 0x0d, 0xcf, + 0x60, 0x62, 0xba, 0x86, 0x36, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02, 0x04, 0x10, 0xa9, 0x7a, 0x30, 0x37, 0x44, 0x04, 0x37, + 0x12, 0x9c, 0xa6, 0xc9, 0xbe, 0x97, 0x3f, 0x5a, 0x57, 0xa0, 0x80, 0x04, 0x20, 0xa6, 0x84, 0xcc, 0x53, 0x40, 0xb5, 0x96, + 0x19, 0x67, 0x3a, 0x52, 0xa2, 0x42, 0x88, 0xe8, 0xea, 0x57, 0xea, 0x72, 0xc1, 0x8d, 0x09, 0xed, 0x36, 0x87, 0xf8, 0xf8, + 0x79, 0x19, 0x94, 0x87, 0x51, 0x04, 0x10, 0x40, 0x40, 0x80, 0x6a, 0x65, 0x21, 0x00, 0xde, 0x95, 0xa9, 0xcd, 0xe8, 0xea, + 0x2e, 0xbc, 
0x8d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_AES_192[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xb5, 0x1e, 0x33, 0xe7, 0x51, 0xaf, 0x12, 0xda, 0xed, 0x3c, 0x81, + 0x81, 0x0a, 0xfd, 0x7e, 0xe0, 0x6b, 0x11, 0x9d, 0xed, 0xca, 0x31, 0xd8, 0x43, 0xe9, 0x28, 0xd6, 0x47, 0x69, 0x81, 0x3d, + 0x69, 0x64, 0x3f, 0xa1, 0x41, 0x00, 0xa9, 0x90, 0x90, 0x8f, 0x90, 0x50, 0xad, 0xd7, 0x46, 0xe4, 0x5b, 0xf2, 0x81, 0x39, + 0xe3, 0xa0, 0x91, 0x21, 0x54, 0x10, 0xb6, 0x61, 0x4a, 0xb4, 0xdc, 0xf8, 0x4d, 0xbb, 0x48, 0x8c, 0x95, 0xac, 0x95, 0xb0, + 0x81, 0x59, 0xfa, 0xeb, 0xc2, 0x46, 0xd1, 0xf7, 0x02, 0xff, 
0x4c, 0x9d, 0xc8, 0x9a, 0x1c, 0x10, 0xe5, 0x8a, 0x4c, 0xaf, + 0x6d, 0xa8, 0xe0, 0xdb, 0xfd, 0x52, 0x71, 0x1a, 0xc7, 0x1b, 0x8a, 0xc8, 0xf8, 0x29, 0x51, 0x51, 0xee, 0xfd, 0x73, 0x1b, + 0x13, 0xb4, 0xa1, 0xdc, 0x2a, 0x44, 0x25, 0x92, 0xd9, 0x16, 0xae, 0x7a, 0x89, 0x30, 0x92, 0xff, 0x7d, 0x4a, 0x8e, 0xe2, + 0xb7, 0xad, 0x92, 0xc9, 0xc9, 0x97, 0x7b, 0x71, 0x5a, 0x28, 0xbe, 0x80, 0x55, 0xc6, 0x61, 0xd4, 0x74, 0xdc, 0xca, 0x45, + 0x09, 0x3c, 0x4c, 0x4f, 0xe5, 0x5a, 0x0a, 0x5d, 0xe5, 0x07, 0xc0, 0x7c, 0x92, 0x4d, 0xca, 0x67, 0x94, 0x88, 0x56, 0x71, + 0x8d, 0xc8, 0xb3, 0x17, 0x2e, 0x11, 0x3b, 0xab, 0x33, 0xa1, 0x1a, 0xdb, 0x26, 0x2c, 0x72, 0x6f, 0xd5, 0x5b, 0xa7, 0x01, + 0x78, 0xae, 0xf6, 0x39, 0xa6, 0xbf, 0x34, 0xfb, 0xc3, 0xcc, 0xd5, 0xb0, 0xda, 0x2f, 0x8b, 0x0a, 0x54, 0x14, 0x2b, 0xd7, + 0xbb, 0x66, 0x4e, 0x3d, 0xd1, 0x26, 0x45, 0xa4, 0x01, 0xf3, 0xb3, 0x0a, 0x9f, 0xf7, 0x2b, 0xd7, 0x9b, 0x69, 0xc3, 0x36, + 0x58, 0x38, 0xec, 0xdf, 0xce, 0xa6, 0x66, 0xdb, 0xe3, 0xce, 0x2d, 0xcb, 0xd0, 0x40, 0xc3, 0x7a, 0xb4, 0xdf, 0x99, 0xb5, + 0xfc, 0x9c, 0x85, 0xb7, 0x69, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16, 0x04, 0x10, 0x48, 0xce, 0x27, 0x89, 0x24, 0xcc, 0x5e, + 0x2a, 0x56, 0x94, 0x8a, 0x5a, 0xb8, 0x94, 0xc0, 0x2a, 0xa0, 0x80, 0x04, 0x20, 0xcb, 0x2e, 0x26, 0xf5, 0x81, 0x51, 0xdd, + 0x9d, 0x5d, 0x65, 0x1b, 0x8c, 0xc5, 0x71, 0x44, 0x14, 0x14, 0x2d, 0x39, 0xf2, 0x7d, 0xfb, 0x93, 0x48, 0xb5, 0xf7, 0x5b, + 0xed, 0x75, 0xa3, 0xfb, 0x28, 0x04, 0x10, 0x6c, 0xfa, 0xab, 0x37, 0x9f, 0xbe, 0xae, 0x97, 0x58, 0x86, 0x55, 0x1d, 0x09, + 0xf8, 0x22, 0x9e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_AES_256[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 
0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xb6, 0x78, 0xdd, 0x6f, 0x1d, 0x43, 0x80, 0xed, 0x26, 0x31, 0xed, + 0x03, 0x60, 0xd7, 0x73, 0x86, 0xf6, 0x0a, 0x73, 0xa1, 0x15, 0xe5, 0xa5, 0x6b, 0xd4, 0xcf, 0x66, 0x64, 0xfb, 0x5b, 0xdc, + 0xc5, 0x40, 0x6b, 0xc8, 0x95, 0xcb, 0xad, 0xa6, 0x2a, 0x0d, 0xed, 0xfb, 0xb1, 0xd9, 0xff, 0xd2, 0xd4, 0x26, 0x61, 0xcc, + 0xc5, 0xbf, 0x2c, 0x87, 0x96, 0x1b, 0x12, 0xb0, 0x71, 0x7a, 0xc5, 0x1d, 0x93, 0x89, 0x14, 0x67, 0x8a, 0xa3, 0x58, 0xbb, + 0x75, 0xca, 0x61, 0x67, 0x09, 0xbb, 0x91, 0x55, 0x45, 0x55, 0xff, 0xff, 0xb6, 0xa9, 0x76, 0x93, 0xc2, 0x15, 0xc2, 0x37, + 0x21, 0x01, 0x98, 0x90, 0x82, 0x8a, 0x49, 0x1b, 0x7e, 0x79, 0x87, 0x3c, 0xbe, 0x03, 0xba, 0x80, 0xac, 0xa9, 0x3a, 0x90, + 0xf2, 0x85, 0xf5, 0xb7, 0x87, 0xa4, 0x20, 0x9f, 0x0f, 0xc4, 0x76, 0xce, 0x8c, 0x6a, 0x6d, 0x6a, 0xc1, 0x9a, 0xc1, 0x39, + 0xba, 0x6a, 0xdb, 0xe8, 0x63, 
0xdb, 0xfd, 0xde, 0x65, 0x1c, 0x73, 0x73, 0xdd, 0x6a, 0x44, 0x17, 0x30, 0xe6, 0x5d, 0x35, + 0x1b, 0x48, 0xe3, 0x66, 0x87, 0xa7, 0x0c, 0x0f, 0xcc, 0xe0, 0x02, 0x9d, 0xb1, 0x0d, 0xe5, 0x3a, 0x34, 0x9f, 0x24, 0x15, + 0x71, 0x38, 0x21, 0xc2, 0x64, 0x26, 0x5a, 0x6e, 0x56, 0x60, 0x1b, 0x4b, 0xa7, 0x09, 0x7f, 0xc8, 0xb6, 0xcc, 0x3e, 0x6b, + 0x9d, 0x1e, 0x93, 0x28, 0x58, 0x79, 0xeb, 0x66, 0xbb, 0xf3, 0xa5, 0x5a, 0x85, 0xcd, 0x94, 0x55, 0x49, 0x48, 0xe6, 0x0b, + 0xde, 0x27, 0x97, 0xd3, 0xa7, 0xac, 0x43, 0x39, 0x9d, 0x0f, 0x82, 0x98, 0x2d, 0xbb, 0xef, 0x0f, 0xf0, 0xb6, 0x6a, 0xeb, + 0x46, 0xe0, 0x1e, 0xfb, 0x98, 0xfa, 0x5b, 0x7b, 0x7c, 0xb2, 0x67, 0x5e, 0x32, 0x00, 0x11, 0x9d, 0xe6, 0xed, 0x79, 0xd0, + 0xc6, 0x7a, 0xa5, 0x78, 0xf4, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a, 0x04, 0x10, 0xbc, 0x87, 0x6d, 0xcb, 0x49, 0xeb, 0x09, + 0x09, 0x2a, 0xb1, 0xe4, 0xd8, 0x90, 0x7a, 0xee, 0xec, 0xa0, 0x80, 0x04, 0x20, 0xc1, 0x71, 0xaf, 0xa6, 0xd4, 0x0a, 0xea, + 0xa7, 0xd2, 0x5e, 0x00, 0x62, 0x1d, 0x9d, 0x8c, 0xc2, 0x72, 0xba, 0x24, 0xbb, 0x54, 0xb8, 0x0d, 0xe7, 0xed, 0x83, 0x67, + 0xbb, 0xb8, 0x43, 0x93, 0x03, 0x04, 0x10, 0xae, 0x0f, 0xc0, 0xaf, 0x22, 0xab, 0xb8, 0x54, 0xbf, 0x88, 0xff, 0xef, 0x3c, + 0x8c, 0xd5, 0x2f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: EC encrypted + */ +unsigned char ec_3DES[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x6b, 0xa1, 0x82, 0x01, 0x67, 0x30, 0x82, 0x01, 0x63, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0x6e, 0x8e, + 0x7a, 0x5f, 0x8b, 0x92, 0x84, 0xea, 0x7a, 0x9c, 0x00, 0x25, 0xef, 0xba, 0xe1, 0x3c, 0x1e, 0x54, 0xcc, 0xfb, 0x8f, 0x4a, + 0xc4, 0xfe, 0x9f, 0x13, 0xaf, 0x7d, 0x19, 0x21, 0x31, 
0x0a, 0xb6, 0x9f, 0xcd, 0x86, 0x4f, 0xac, 0x4e, 0x58, 0xa2, 0x43, + 0x41, 0xf2, 0x87, 0xd9, 0x09, 0x31, 0xaf, 0x52, 0xb7, 0x7d, 0x5e, 0xef, 0x94, 0xa6, 0x60, 0xb0, 0x90, 0x19, 0xd8, 0xd6, + 0x6d, 0xe4, 0xa1, 0x0a, 0x04, 0x08, 0xb3, 0x0f, 0xa8, 0x09, 0xbb, 0x40, 0x00, 0x2f, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0xa5, 0x6f, 0xb2, 0xab, 0xdc, 0x28, 0x07, 0xa3, 0x30, 0x81, 0xd7, 0x30, 0x81, 0xd4, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x20, 0x25, 0x53, 0x52, 0x49, 0xc7, + 0x54, 0xfc, 0xb7, 0xc9, 0x45, 0x0a, 0x65, 0xd1, 0x2e, 0x74, 0x68, 0x82, 0x40, 0x0f, 0xf2, 0x23, 0x71, 0x3d, 0xfe, 0x1f, + 0x29, 0xcb, 0x8d, 0x3a, 0x3b, 0x31, 0x99, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, 0x08, 0x8d, 0xff, 0xae, 
0x19, 0xfa, 0x5f, + 0xac, 0x17, 0xa0, 0x80, 0x04, 0x20, 0x21, 0x72, 0x77, 0x5a, 0x8c, 0xba, 0x15, 0xb7, 0x05, 0x4e, 0x05, 0x26, 0x12, 0xef, + 0x0a, 0xd8, 0x8b, 0x82, 0x09, 0x05, 0x4b, 0xd5, 0xdc, 0x9e, 0xd6, 0x83, 0x5c, 0xd0, 0xeb, 0xac, 0x96, 0x51, 0x04, 0x08, + 0xbc, 0x4c, 0x7a, 0x8b, 0xfe, 0xea, 0x75, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_RC2[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x63, 0xa1, 0x82, 0x01, 0x5f, 0x30, 0x82, 0x01, 0x5b, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0xe7, 0x2b, + 0xa7, 0x9d, 0x50, 0xb8, 0x53, 0x3a, 0x9a, 0xb4, 0x96, 0x26, 0xff, 0x34, 0x1f, 0xad, 0xa8, 0x9f, 0xc7, 0xeb, 0x85, 0x4d, + 0x87, 0x2a, 0x52, 0xcf, 0xb7, 0x9b, 0xb2, 0x7e, 0x45, 0xa1, 0x32, 0x8e, 0x73, 0x46, 0xf8, 0x70, 0xa1, 0xe8, 0x2c, 0x85, + 0x05, 0x87, 0xe3, 0x60, 0xce, 0xcb, 0x10, 0xa7, 0x70, 0x7f, 0xde, 0x1c, 0x14, 0xfd, 0x37, 0x1b, 0xd5, 0x1c, 0xe9, 0x7e, + 0x04, 0xf0, 0xa1, 0x0a, 0x04, 0x08, 0x4d, 0xeb, 0x81, 0xb0, 0x6b, 0xab, 0x37, 0x97, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0x8b, 0x55, 0xd5, 0xac, 0x91, 0x46, 0xd4, 0xc1, 0x30, 0x81, 0xcf, 0x30, 0x81, 0xcc, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 
0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x18, 0xad, 0x29, 0xc4, 0x57, 0x7e, + 0xc6, 0x8b, 0x25, 0xb9, 0x68, 0x67, 0x34, 0x6a, 0xda, 0xb6, 0x69, 0x3f, 0xa5, 0x83, 0x6c, 0x7d, 0xb7, 0x2f, 0x14, 0x30, + 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x19, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x03, 0x02, 0x30, 0x0d, 0x02, 0x01, 0x3a, 0x04, 0x08, 0xf2, 0x82, 0xe9, 0x5e, 0xcd, 0x8f, 0xe5, 0x24, 0xa0, + 0x80, 0x04, 0x20, 0x5b, 0x89, 0x81, 0xa2, 0x22, 0x48, 0x8c, 0x89, 0x71, 0xf3, 0x30, 0x7e, 0x9a, 0x22, 0x77, 0x1d, 0xee, + 0x78, 0x0e, 0x9a, 0x43, 0xe2, 0xe9, 0xf7, 0x9e, 0xae, 0xe3, 0xd8, 0xf5, 0x37, 0xeb, 0x74, 0x04, 0x08, 0xdf, 0x23, 0x14, + 0xd2, 0x65, 0xb3, 0xe3, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_AES_128[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x63, 0xa1, 0x82, 0x01, 0x5f, 0x30, 0x82, 0x01, 0x5b, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0xd7, 0x78, + 0x2a, 0xf6, 0xce, 0x5e, 0xc4, 0x86, 0x08, 0x29, 0xa6, 0x71, 0xe3, 0x95, 0x64, 0x50, 0x29, 0x7d, 0x6c, 0xed, 0xcd, 0x50, + 0xb9, 0x00, 0x31, 0xa3, 0x22, 0x44, 0x68, 0x2b, 0x1b, 0x20, 0x16, 0x8b, 0x98, 0x06, 0x2a, 0xb6, 0xfc, 0x09, 0xba, 0x98, + 0x65, 0xfd, 0xc7, 0x22, 0x16, 0x53, 0xa2, 
0xf0, 0x6e, 0xea, 0xc5, 0x1b, 0x52, 0x4a, 0x3c, 0xd7, 0x34, 0x87, 0x37, 0x10, + 0x79, 0x86, 0xa1, 0x0a, 0x04, 0x08, 0x3c, 0x7d, 0x8c, 0x77, 0xe5, 0x3a, 0x51, 0xa1, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0x2d, 0xae, 0x3c, 0xc8, 0x8e, 0x8c, 0xe8, 0xb2, 0x30, 0x81, 0xcf, 0x30, 0x81, 0xcc, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x18, 0xa9, 0x8d, 0xfd, 0xd2, 0x2f, + 0x1b, 0xbf, 0x89, 0x5d, 0xbe, 0x34, 0x93, 0x69, 0xdb, 0x71, 0x0c, 0xd1, 0x86, 0x87, 0x3e, 0xb3, 0x4f, 0x9e, 0x19, 0x30, + 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x01, 0x02, 0x04, 0x10, 0xa3, 0x3d, 0x9e, 0x01, 0x59, 0xcd, 0x0f, 0xcb, 0xf5, 0x6e, 0xda, 0xa6, 0xc7, + 0xb1, 0x42, 0xec, 0xa0, 0x80, 0x04, 0x20, 0x1d, 0xbf, 0xbd, 0xea, 0x30, 0xac, 0xeb, 0x24, 
0xc4, 0x52, 0xfc, 0x2e, 0x3b, + 0x95, 0x6c, 0x2b, 0xf4, 0x4b, 0xee, 0xf6, 0x7a, 0x52, 0x06, 0x1d, 0x89, 0x78, 0x6d, 0x62, 0x11, 0x4b, 0xdc, 0x35, 0x04, + 0x10, 0x77, 0x65, 0xaf, 0x79, 0x76, 0xa8, 0x6c, 0xc1, 0x32, 0x62, 0xc8, 0xde, 0xfe, 0x8a, 0xf4, 0xd1, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_AES_192[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x6b, 0xa1, 0x82, 0x01, 0x67, 0x30, 0x82, 0x01, 0x63, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0x6a, 0x3b, + 0xb5, 0x42, 0x6a, 0x4f, 0x29, 0x5c, 0x21, 0xe7, 0xd2, 0x6f, 0x41, 0x65, 0x72, 0x26, 0x7c, 0x99, 0xe2, 0xd3, 0x54, 0x60, + 0xbd, 0x92, 0xff, 0x4a, 0xa0, 0x00, 0xf7, 0xf2, 0x75, 0xd8, 0x10, 0xfd, 0xea, 0x93, 0x7d, 0x20, 0xa1, 0x21, 0xa6, 0x57, + 0x44, 0x45, 0x47, 0x8f, 0x90, 0x2f, 0xc9, 0x11, 0xf7, 0xb3, 0x7e, 0xbe, 0x61, 0x6a, 0xe9, 0x5f, 0xbe, 0xb4, 0x08, 0xbf, + 0x0f, 0x13, 0xa1, 0x0a, 0x04, 0x08, 0xbf, 0xe2, 0xbe, 0xa4, 0x54, 0x91, 0xbe, 0x0b, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0x5c, 0x40, 0xe0, 0x4e, 0x20, 0xbc, 0xb9, 0xed, 0x30, 0x81, 0xd7, 0x30, 0x81, 0xd4, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 
0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x20, 0xcd, 0x66, 0x20, 0x4b, 0x82, + 0x06, 0x6a, 0x0b, 0x24, 0x94, 0xf6, 0x62, 0xcd, 0x5e, 0x61, 0x3e, 0xb1, 0x81, 0x2b, 0x39, 0xcf, 0xd8, 0x95, 0x71, 0x24, + 0x9b, 0xbe, 0xc2, 0x2e, 0x72, 0x5b, 0x2f, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0x30, 0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16, 0x04, 0x10, 0x7c, 0xbc, 0x78, 0xc9, 0x75, + 0x2f, 0xb8, 0xdb, 0x78, 0xee, 0xcc, 0x90, 0x2b, 0x77, 0x19, 0xc3, 0xa0, 0x80, 0x04, 0x20, 0xa7, 0x18, 0x7f, 0x3b, 0x5c, + 0x99, 0xc7, 0x18, 0x57, 0xca, 0x51, 0xa8, 0x14, 0x34, 0xd3, 0x1f, 0x60, 0xb2, 0xfd, 0xdf, 0xcd, 0x33, 0x18, 0xd0, 0x41, + 0xc6, 0x0f, 0x88, 0x37, 0x3d, 0xc4, 0xb4, 0x04, 0x10, 0x9e, 0xdd, 0x92, 0x67, 0x60, 0xb1, 0x73, 0x20, 0xa4, 0xad, 0x15, + 0x80, 0x08, 0x50, 0xc8, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_AES_256[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x73, 0xa1, 0x82, 0x01, 0x6f, 0x30, 0x82, 0x01, 0x6b, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0x51, 0xf6, + 0x31, 0x78, 0xba, 0x47, 0x10, 0xd3, 0xe7, 0x3e, 0x03, 0x47, 0x51, 0x40, 0xcd, 0xf1, 0x77, 0xbb, 0x80, 0x28, 0xba, 0x9e, + 0x85, 0x96, 0x67, 0x28, 0xb5, 0x41, 0xa3, 0xf0, 0x4d, 0x64, 0xef, 0x5c, 0xcb, 0xd7, 0x87, 
0x49, 0x6d, 0xf1, 0xeb, 0xd7, + 0x70, 0xd5, 0xe9, 0xef, 0xf2, 0xfa, 0x13, 0xe0, 0xf8, 0xed, 0x36, 0xea, 0xaa, 0x77, 0xed, 0xcb, 0xfd, 0x5a, 0x24, 0x4f, + 0x47, 0xf1, 0xa1, 0x0a, 0x04, 0x08, 0xf6, 0x65, 0x06, 0x57, 0x1a, 0x33, 0x5f, 0x4d, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0x29, 0xe6, 0x26, 0xd9, 0x55, 0x3f, 0x80, 0x5d, 0x30, 0x81, 0xdf, 0x30, 0x81, 0xdc, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x28, 0xbc, 0xbe, 0x49, 0x1e, 0xd3, + 0x65, 0xf5, 0xb5, 0xb9, 0x25, 0x25, 0xac, 0xa6, 0xcf, 0x99, 0x08, 0xe6, 0x36, 0x02, 0xf0, 0x33, 0xc0, 0x42, 0x9a, 0x5d, + 0x06, 0xde, 0x37, 0xd4, 0xf1, 0x51, 0x52, 0xab, 0xbb, 0xd2, 0xda, 0x07, 0x33, 0x86, 0x55, 0x30, 0x80, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, + 0x2a, 0x04, 
0x10, 0x58, 0xf6, 0xd7, 0x84, 0xe2, 0xe6, 0x8f, 0x12, 0xe1, 0x81, 0xfb, 0xe9, 0x9f, 0x02, 0xf4, 0x5b, 0xa0, + 0x80, 0x04, 0x20, 0xf3, 0x04, 0x59, 0x33, 0x99, 0x87, 0x13, 0x67, 0xce, 0xcd, 0x8a, 0x35, 0x0f, 0x86, 0x3a, 0xa5, 0x95, + 0xae, 0x6f, 0x75, 0x77, 0xb0, 0x87, 0x63, 0xf9, 0xfc, 0x86, 0x5d, 0x30, 0xf4, 0xa8, 0xb8, 0x04, 0x10, 0x71, 0x74, 0x33, + 0x6a, 0x63, 0x01, 0x59, 0x32, 0xeb, 0x66, 0x9e, 0x46, 0x2d, 0x33, 0xbf, 0x7a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00 +}; + +#endif /* cms_01_test_h */ diff --git a/OSX/libsecurity_smime/regressions/smime-cms-test.c b/OSX/libsecurity_smime/regressions/smime-cms-test.c index 6083a213..b2ad45e8 100644 --- a/OSX/libsecurity_smime/regressions/smime-cms-test.c +++ b/OSX/libsecurity_smime/regressions/smime-cms-test.c @@ -384,7 +384,7 @@ const uint8_t gkIPACCG2DevCertClass87 [] = }; // gkIPACCG2DevCertClass87 [] // Concatenated blob of 2 DER certificat -const uint8_t TestDoubleCerts [] = +const uint8_t TestDoubleCerts1 [] = { 0x30, 0x82, 0x01, 0xbe, 0x30, 0x82, 0x01, 0x27, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, @@ -423,7 +423,12 @@ const uint8_t TestDoubleCerts [] = 0x30, 0x0a, 0xff, 0xdb, 0x7a, 0x72, 0xf6, 0x89, 0x51, 0x01, 0x81, 0x3b, 0x97, 0x46, 0x99, 0x8a, 0x52, 0x42, 0xaf, 0x63, 0xa2, 0x1d, 0xc0, 0xae, 0x09, 0xa6, 0x6c, 0x7c, 0x7f, 0x93, 0xc7, 0xd0, 0x18, 0x97, 0x6b, 0x59, - 0xa9, 0x23, 0x84, 0x65, 0xf9, 0xfd, 0x30, 0x82, 0x01, 0xbf, 0x30, 0x82, + 0xa9, 0x23, 0x84, 0x65, 0xf9, 0xfd, +}; + +const uint8_t TestDoubleCerts2 [] = +{ + 0x30, 0x82, 0x01, 0xbf, 0x30, 0x82, 0x01, 0x28, 0x02, 0x02, 0x03, 0xe9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x25, 0x31, 0x23, 0x30, 0x21, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x1a, 0x53, 0x65, 
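Review bot: The context comment `// Concatenated blob of 2 DER certificat` above the renamed `TestDoubleCerts1` is now wrong as well as truncated: after this commit each array holds one DER certificate and the concatenation the comment describes no longer exists. Suggest `// First of two DER test certificates (paired with TestDoubleCerts2)` here, and a matching `// Second of two DER test certificates (paired with TestDoubleCerts1)` above the `TestDoubleCerts2` definition introduced in the @@ -423 hunk.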
@@ -462,7 +467,7 @@ const uint8_t TestDoubleCerts [] = 0xea, 0x9c, 0x85, 0xc9, 0x32, 0xde, 0xa9, 0x62, 0xcb, 0x3c, 0xb7, 0xbd, 0x8d, 0x16, 0xec, 0xcf, 0x52, 0x17, 0xc8, 0x47, 0x99, 0x94, 0xe1, 0x4c, 0x39 -}; // Test with 2certs [] +}; /* Basic processing of input */ @@ -490,6 +495,7 @@ static void tests(void) SecCertificateRef another_cert = NULL; + CFMutableArrayRef input_certs = NULL; // Process a single raw certificate and make it a message isnt(another_cert = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)), 
@@ -499,29 +505,34 @@ static void tests(void)
 "SecCMSCertificatesOnlyMessageCopyCertificates");
 is(CFArrayGetCount(certs), 1, "certificate count is 1");
- // Process two raw certificates (concatenated DER blobs) and make it a message
- isnt(another_cert = SecCertificateCreateWithBytes(NULL, TestDoubleCerts, sizeof(TestDoubleCerts)),
+ // Process two raw certificates and make it a message
+ input_certs = CFArrayCreateMutable(NULL, 3, &kCFTypeArrayCallBacks);
+ isnt(another_cert = SecCertificateCreateWithBytes(NULL, TestDoubleCerts1, sizeof(TestDoubleCerts1)),
 NULL, "create certificate");
- ok(message = SecCMSCreateCertificatesOnlyMessageIAP(another_cert), "create iAP specific cert only message (2certs)");
+ CFArrayAppendValue(input_certs, another_cert);
+ CFReleaseNull(another_cert);
+ isnt(another_cert = SecCertificateCreateWithBytes(NULL, TestDoubleCerts2, sizeof(TestDoubleCerts2)),
+ NULL, "create certificate");
+ CFArrayAppendValue(input_certs, another_cert);
+ CFReleaseNull(another_cert);
+
+ ok(message = SecCMSCreateCertificatesOnlyMessage(input_certs), "create cert only message (2certs)");
 ok(certs = SecCMSCertificatesOnlyMessageCopyCertificates(message), "SecCMSCertificatesOnlyMessageCopyCertificates");
- // FIXME: SecCMSCreateCertificatesOnlyMessageIAP should be changed to take a CFArrayRef argument.
- // Note that a SecCertificateRef can only contain the data of a single certificate.
- // If the fix for rdar://17159227 is present, the message will only contain one certificate.
 count = (certs) ? CFArrayGetCount(certs) : 0;
- ok(count > 0 && count < 3, "certificate count is 1 or 2");
+ ok(count == 2, "certificate count is 2");
 // Clean up
 CFReleaseNull(another_cert);
 CFReleaseNull(message);
-
+ CFReleaseNull(input_certs);
 CFReleaseNull(certs);
 }
 int smime_cms_test(int argc, char *const *argv)
 {
- plan_tests(12);
+ plan_tests(13);
 tests();
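Review bot: `CFArrayAppendValue(input_certs, another_cert);` follows each `isnt(another_cert = SecCertificateCreateWithBytes(...), NULL, ...)` unconditionally; `isnt` only records a failed expectation, so a certificate that fails to parse leaves `another_cert` NULL and appending NULL to an array created with `kCFTypeArrayCallBacks` will most likely crash the test binary instead of failing one check. Guard both appends: `if (another_cert) CFArrayAppendValue(input_certs, another_cert);`. Minor: `CFArrayCreateMutable(NULL, 3, ...)` declares capacity for three entries while exactly two are appended; `2` (or `0` for no limit) states the intent. The enclosing `tests()` begins outside this hunk.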
diff --git a/OSX/libsecurity_smime/regressions/smime_regressions.h b/OSX/libsecurity_smime/regressions/smime_regressions.h index 2d4d93c6..13843842 100644 --- a/OSX/libsecurity_smime/regressions/smime_regressions.h +++ b/OSX/libsecurity_smime/regressions/smime_regressions.h @@ -26,4 +26,5 @@ #include <test/testmore.h> ONE_TEST(smime_cms_test) +ONE_TEST(cms_01_basic) diff --git a/OSX/libsecurity_ssl/config/base.xcconfig b/OSX/libsecurity_ssl/config/base.xcconfig index 28ce35c7..ae70ec41 100644 --- a/OSX/libsecurity_ssl/config/base.xcconfig +++ b/OSX/libsecurity_ssl/config/base.xcconfig @@ -6,7 +6,7 @@ CURRENT_PROJECT_VERSION = $(RC_ProjectSourceVersion) VERSIONING_SYSTEM = apple-generic; DEAD_CODE_STRIPPING = YES; -ARCHS = $(ARCHS_STANDARD_32_64_BIT) +ARCHS[sdk=macosx*] = $(ARCHS_STANDARD_32_64_BIT) // Debug symbols should be on obviously GCC_GENERATE_DEBUGGING_SYMBOLS = YES @@ -15,3 +15,4 @@ STRIP_STYLE = debugging STRIP_INSTALLED_PRODUCT = NO WARNING_CFLAGS = -Wglobal-constructors -Wno-deprecated-declarations $(inherited) +GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0 diff --git a/OSX/libsecurity_ssl/config/kext.xcconfig b/OSX/libsecurity_ssl/config/kext.xcconfig index 1cafefd5..ef36c7e2 100644 --- a/OSX/libsecurity_ssl/config/kext.xcconfig +++ b/OSX/libsecurity_ssl/config/kext.xcconfig @@ -26,4 +26,4 @@ GCC_WARN_UNUSED_VARIABLE = YES LINK_WITH_STANDARD_LIBRARIES = NO -SUPPORTED_PLATFORMS = macosx iphoneos +SUPPORTED_PLATFORMS = macosx iphoneos appletvos watchos diff --git a/OSX/libsecurity_ssl/config/lib.xcconfig b/OSX/libsecurity_ssl/config/lib.xcconfig index 700aa696..1cb93673 100644 --- a/OSX/libsecurity_ssl/config/lib.xcconfig +++ b/OSX/libsecurity_ssl/config/lib.xcconfig 
@@ -7,7 +7,7 @@ CODE_SIGN_IDENTITY = HEADER_SEARCH_PATHS[sdk=macosx*] = $(PROJECT_DIR) $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../include $(BUILT_PRODUCTS_DIR)/derived_src $(PROJECT_DIR)/../utilities $(PROJECT_DIR)/../libsecurity_keychain/ $(PROJECT_DIR)/../libsecurity_keychain/libDER $(BUILT_PRODUCTS_DIR) $(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers $(inherited) -HEADER_SEARCH_PATHS[sdk=iphone*] = $(PROJECT_DIR) $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../utilities $(PROJECT_DIR)/../libsecurity_asn1 $(PROJECT_DIR)/../libsecurity_keychain/libDER $(PROJECT_DIR)/../sec $(BUILT_PRODUCTS_DIR)$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include $(inherited) +HEADER_SEARCH_PATHS[sdk=embedded*] = $(PROJECT_DIR) $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../utilities $(PROJECT_DIR)/../libsecurity_asn1 $(PROJECT_DIR)/../libsecurity_keychain/libDER $(PROJECT_DIR)/../sec $(BUILT_PRODUCTS_DIR)/usr/local/include $(inherited) SKIP_INSTALL = YES @@ -25,6 +25,4 @@ GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES GCC_WARN_ABOUT_RETURN_TYPE = YES GCC_WARN_UNUSED_VARIABLE = YES -SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator - -GCC_PREPROCESSOR_DEFINITIONS[sdk=iphonesimulator*] = INDIGO=1 $(inherited) +SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator appletvos appletvsimulator watchos watchsimulator diff --git a/OSX/libsecurity_ssl/config/tests.xcconfig b/OSX/libsecurity_ssl/config/tests.xcconfig index 21233a21..c09f5ab7 100644 --- a/OSX/libsecurity_ssl/config/tests.xcconfig +++ b/OSX/libsecurity_ssl/config/tests.xcconfig 
@@ -17,15 +17,8 @@ GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES GCC_WARN_ABOUT_RETURN_TYPE = YES GCC_WARN_UNUSED_VARIABLE = YES -SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator +SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator appletvos appletvsimulator watchos watchsimulator -GCC_PREPROCESSOR_DEFINITIONS[sdk=iphonesimulator*] = INDIGO=1 $(inherited) - -#include "<DEVELOPER_DIR>/AppleInternal/XcodeConfig/SimulatorSupport.xcconfig" - -// Set INSTALL_PATH_ACTUAL to whatever INSTALL_PATH would normally be -INSTALL_PATH_ACTUAL = /usr/local/bin - -// Set INSTALL_PATH[sdk=macosx*] when SimulatorSupport.xcconfig is unavailable -INSTALL_PATH[sdk=macosx*] = $(INSTALL_PATH_ACTUAL) +INSTALL_PATH = /usr/local/bin +HEADER_SEARCH_PATHS = $(PROJECT_DIR)/../utilities $(inherited) diff --git a/OSX/libsecurity_ssl/dtlsEcho/dtlsEchoClient.c b/OSX/libsecurity_ssl/dtlsEcho/dtlsEchoClient.c deleted file mode 100644 index 304df3b7..00000000 --- a/OSX/libsecurity_ssl/dtlsEcho/dtlsEchoClient.c +++ /dev/null 
@@ -1,310 +0,0 @@ -/* - * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -#include <Security/Security.h> -#include <Security/SecBase.h> - -#include "../sslViewer/sslAppUtils.h" - -#include <stdlib.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdio.h> -#include <errno.h> -#include <unistd.h> /* close() */ -#include <string.h> /* memset() */ -#include <fcntl.h> -#include <time.h> - -#ifdef NO_SERVER -#include <securityd/spi.h> -#endif - -#include "ssl-utils.h" - -#define SERVER "127.0.0.1" -//#define SERVER "17.201.58.114" -#define PORT 23232 -#define BUFLEN 128 -#define COUNT 10 - -#if 0 -static void dumppacket(const unsigned char *data, unsigned long len) -{ - unsigned long i; - for(i=0;i<len;i++) - { - if((i&0xf)==0) printf("%04lx :",i); - printf(" %02x", data[i]); - if((i&0xf)==0xf) printf("\n"); - } - printf("\n"); -} -#endif - -/* 2K should be enough for everybody */ -#define MTU 2048 -static unsigned char readBuffer[MTU]; -static unsigned int readOff=0; -static size_t 
readLeft=0; - -static -OSStatus SocketRead( - SSLConnectionRef connection, - void *data, - size_t *dataLength) -{ - int fd = (int)connection; - ssize_t len; - uint8_t *d=readBuffer; - - if(readLeft==0) - { - len = read(fd, readBuffer, MTU); - - if(len>0) { - readOff=0; - readLeft=(size_t) len; - printf("SocketRead: %ld bytes... epoch: %02x seq=%02x%02x\n", - len, d[4], d[9], d[10]); - - } else { - int theErr = errno; - switch(theErr) { - case EAGAIN: - //printf("SocketRead: EAGAIN\n"); - *dataLength=0; - /* nonblocking, no data */ - return errSSLWouldBlock; - default: - perror("SocketRead"); - return errSecIO; - } - } - } - - if(readLeft<*dataLength) { - *dataLength=readLeft; - } - - memcpy(data, readBuffer+readOff, *dataLength); - readLeft-=*dataLength; - readOff+=*dataLength; - - return errSecSuccess; - -} - -static -OSStatus SocketWrite( - SSLConnectionRef connection, - const void *data, - size_t *dataLength) /* IN/OUT */ -{ - int fd = (int)connection; - ssize_t len; - OSStatus err = errSecSuccess; - const uint8_t *d=data; - -#if 0 - if((rand()&3)==1) { - - /* drop 1/8th packets */ - printf("SocketWrite: Drop %ld bytes... epoch: %02x seq=%02x%02x\n", - *dataLength, d[4], d[9], d[10]); - return errSecSuccess; - - } -#endif - - len = send(fd, data, *dataLength, 0); - - if(len>0) { - *dataLength=(size_t)len; - printf("SocketWrite: Sent %ld bytes... 
epoch: %02x seq=%02x%02x\n", - len, d[4], d[9], d[10]); - return err; - } - - int theErr = errno; - switch(theErr) { - case EAGAIN: - /* nonblocking, no data */ - err = errSSLWouldBlock; - break; - default: - perror("SocketWrite"); - err = errSecIO; - break; - } - - return err; - -} - - -int main(int argc, char **argv) -{ - int fd; - struct sockaddr_in sa; - - if ((fd=socket(AF_INET, SOCK_DGRAM, 0))==-1) { - perror("socket"); - exit(-1); - } - -#ifdef NO_SERVER -# if DEBUG - securityd_init(); -# endif -#endif - - memset((char *) &sa, 0, sizeof(sa)); - sa.sin_family = AF_INET; - sa.sin_port = htons(PORT); - if (inet_aton(SERVER, &sa.sin_addr)==0) { - fprintf(stderr, "inet_aton() failed\n"); - exit(1); - } - - time_t seed=time(NULL); -// time_t seed=1298952499; - srand((unsigned)seed); - printf("Random drop initialized with seed = %lu\n", seed); - - if(connect(fd, (struct sockaddr *)&sa, sizeof(sa))==-1) - { - perror("connect"); - return errno; - } - - /* Change to non blocking io */ - fcntl(fd, F_SETFL, O_NONBLOCK); - - SSLConnectionRef c=(SSLConnectionRef)(intptr_t)fd; - - - OSStatus ortn; - SSLContextRef ctx = NULL; - - SSLClientCertificateState certState; - SSLCipherSuite negCipher; - SSLProtocol negVersion; - - /* - * Set up a SecureTransport session. 
- */ - ortn = SSLNewDatagramContext(false, &ctx); - if(ortn) { - printSslErrStr("SSLNewDatagramContext", ortn); - return ortn; - } - ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite); - if(ortn) { - printSslErrStr("SSLSetIOFuncs", ortn); - return ortn; - } - - ortn = SSLSetConnection(ctx, c); - if(ortn) { - printSslErrStr("SSLSetConnection", ortn); - return ortn; - } - - ortn = SSLSetMaxDatagramRecordSize(ctx, 400); - if(ortn) { - printSslErrStr("SSLSetMaxDatagramRecordSize", ortn); - return ortn; - } - - /* Lets not verify the cert, which is a random test cert */ - ortn = SSLSetEnableCertVerify(ctx, false); - if(ortn) { - printSslErrStr("SSLSetEnableCertVerify", ortn); - return ortn; - } - - ortn = SSLSetCertificate(ctx, server_chain()); - if(ortn) { - printSslErrStr("SSLSetCertificate", ortn); - return ortn; - } - - do { - ortn = SSLHandshake(ctx); - if(ortn == errSSLWouldBlock) { - /* keep UI responsive */ - sslOutputDot(); - } - } while (ortn == errSSLWouldBlock); - - - SSLGetClientCertificateState(ctx, &certState); - SSLGetNegotiatedCipher(ctx, &negCipher); - SSLGetNegotiatedProtocolVersion(ctx, &negVersion); - - int count; - size_t len, readLen, writeLen; - char buffer[BUFLEN]; - - count = 0; - while(count<COUNT) { - int timeout = 10000; - - snprintf(buffer, BUFLEN, "Message %d", count); - len = strlen(buffer); - - ortn=SSLWrite(ctx, buffer, len, &writeLen); - if(ortn) { - printSslErrStr("SSLWrite", ortn); - break; - } - printf("Wrote %lu bytes\n", writeLen); - - count++; - - do { - ortn=SSLRead(ctx, buffer, BUFLEN, &readLen); - } while((ortn==errSSLWouldBlock) && (timeout--)); - if(ortn==errSSLWouldBlock) { - printf("Echo timeout...\n"); - continue; - } - if(ortn) { - printSslErrStr("SSLRead", ortn); - break; - } - buffer[readLen]=0; - printf("Received %lu bytes: %s\n", readLen, buffer); - - } - - SSLClose(ctx); - - SSLDisposeContext(ctx); - - return ortn; -} 
diff --git a/OSX/libsecurity_ssl/dtlsEcho/dtlsEchoServer.c b/OSX/libsecurity_ssl/dtlsEcho/dtlsEchoServer.c deleted file mode 100644 index 53aeb383..00000000 --- a/OSX/libsecurity_ssl/dtlsEcho/dtlsEchoServer.c +++ /dev/null 
@@ -1,325 +0,0 @@ -/* - * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -#include <Security/Security.h> -#include <Security/SecBase.h> - -#include "../sslViewer/sslAppUtils.h" - -#include <stdlib.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdio.h> -#include <errno.h> -#include <unistd.h> /* close() */ -#include <string.h> /* memset() */ -#include <fcntl.h> -#include <time.h> - -#ifdef NO_SERVER -#include <securityd/spi.h> -#endif - -#define PORT 23232 - -#include "ssl-utils.h" - -static void dumppacket(const unsigned char *data, unsigned long len) -{ - unsigned long i; - for(i=0;i<len;i++) - { - if((i&0xf)==0) printf("%04lx :",i); - printf(" %02x", data[i]); - if((i&0xf)==0xf) printf("\n"); - } - printf("\n"); -} - - -/* 2K should be enough for everybody */ -#define MTU 2048 -static unsigned char readBuffer[MTU]; -static unsigned int readOff=0; -static size_t readLeft=0; - -static -OSStatus SocketRead( - SSLConnectionRef connection, - void *data, - size_t *dataLength) -{ - 
int fd = (int)connection; - ssize_t len; - uint8_t *d=readBuffer; - - if(readLeft==0) - { - len = read(fd, readBuffer, MTU); - - if(len>0) { - readOff=0; - readLeft=(size_t) len; - printf("SocketRead: %ld bytes... epoch: %02x seq=%02x%02x\n", - len, d[4], d[9], d[10]); - } else { - int theErr = errno; - switch(theErr) { - case EAGAIN: - // printf("SocketRead: EAGAIN\n"); - *dataLength=0; - /* nonblocking, no data */ - return errSSLWouldBlock; - default: - perror("SocketRead"); - return errSecIO; - } - } - } - - if(readLeft<*dataLength) { - *dataLength=readLeft; - } - - memcpy(data, readBuffer+readOff, *dataLength); - readLeft-=*dataLength; - readOff+=*dataLength; - - - return errSecSuccess; - -} - - -static -OSStatus SocketWrite( - SSLConnectionRef connection, - const void *data, - size_t *dataLength) /* IN/OUT */ -{ - int fd = (int)connection; - ssize_t len; - OSStatus err = errSecSuccess; - const uint8_t *d=data; - -#if 1 - if((rand()&3)==1) { - /* drop 1/8 packets */ - printf("SocketWrite: Drop %ld bytes... epoch: %02x seq=%02x%02x\n", - *dataLength, d[4], d[9], d[10]); - return errSecSuccess; - } -#endif - - len = send(fd, data, *dataLength, 0); - - if(len>0) { - *dataLength=(size_t)len; - - printf("SocketWrite: Sent %ld bytes... 
epoch: %02x seq=%02x%02x\n", - len, d[4], d[9], d[10]); - - return err; - } - - int theErr = errno; - switch(theErr) { - case EAGAIN: - /* nonblocking, no data */ - err = errSSLWouldBlock; - break; - default: - perror("SocketWrite"); - err = errSecIO; - break; - } - - return err; - -} - - -int main(int argc, char **argv) -{ - struct sockaddr_in sa; /* server address for bind */ - struct sockaddr_in ca; /* client address for connect */ - int fd; - ssize_t l; - -#ifdef NO_SERVER -# if DEBUG - securityd_init(); -# endif -#endif - - if ((fd=socket(AF_INET, SOCK_DGRAM, 0))==-1) { - perror("socket"); - return errno; - } - - time_t seed=time(NULL); -// time_t seed=1298952496; - srand((unsigned)seed); - printf("Random drop initialized with seed = %lu\n", seed); - - memset((char *) &sa, 0, sizeof(sa)); - sa.sin_family = AF_INET; - sa.sin_port = htons(PORT); - sa.sin_addr.s_addr = htonl(INADDR_ANY); - - if(bind (fd, (struct sockaddr *)&sa, sizeof(sa))==-1) - { - perror("bind"); - return errno; - } - - printf("Waiting for first packet...\n"); - /* PEEK only... */ - socklen_t slen=sizeof(ca); - char b; - if((l=recvfrom(fd, &b, 1, MSG_PEEK, (struct sockaddr *)&ca, &slen))==-1) - { - perror("recvfrom"); - return errno; - } - - printf("Received packet from %s (%ld), connecting...\n", inet_ntoa(ca.sin_addr), l); - - if(connect(fd, (struct sockaddr *)&ca, sizeof(ca))==-1) - { - perror("connect"); - return errno; - } - - /* Change to non blocking */ - fcntl(fd, F_SETFL, O_NONBLOCK); - - - SSLConnectionRef c=(SSLConnectionRef)(intptr_t)fd; - - - OSStatus ortn; - SSLContextRef ctx = NULL; - - SSLClientCertificateState certState; - SSLCipherSuite negCipher; - - /* - * Set up a SecureTransport session. 
- */ - ortn = SSLNewDatagramContext(true, &ctx); - if(ortn) { - printSslErrStr("SSLNewDatagramContext", ortn); - return ortn; - } - - ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite); - if(ortn) { - printSslErrStr("SSLSetIOFuncs", ortn); - return ortn; - } - - ortn = SSLSetConnection(ctx, c); - if(ortn) { - printSslErrStr("SSLSetConnection", ortn); - return ortn; - } - - ortn = SSLSetDatagramHelloCookie(ctx, &ca, 32); - if(ortn) { - printSslErrStr("SSLSetDatagramHelloCookie", ortn); - return ortn; - } - - ortn = SSLSetMaxDatagramRecordSize(ctx, 400); - if(ortn) { - printSslErrStr("SSLSetMaxDatagramRecordSize", ortn); - return ortn; - } - - /* Lets not verify the cert, which is a random test cert */ - ortn = SSLSetEnableCertVerify(ctx, false); - if(ortn) { - printSslErrStr("SSLSetEnableCertVerify", ortn); - return ortn; - } - - ortn = SSLSetCertificate(ctx, server_chain()); - if(ortn) { - printSslErrStr("SSLSetCertificate", ortn); - return ortn; - } - - ortn = SSLSetClientSideAuthenticate(ctx, kAlwaysAuthenticate); - if(ortn) { - printSslErrStr("SSLSetCertificate", ortn); - return ortn; - } - - printf("Server Handshake...\n"); - do { - ortn = SSLHandshake(ctx); - if(ortn == errSSLWouldBlock) { - /* keep UI responsive */ - sslOutputDot(); - } - } while (ortn == errSSLWouldBlock); - - if(ortn) { - printSslErrStr("SSLHandshake", ortn); - return ortn; - } - - SSLGetClientCertificateState(ctx, &certState); - SSLGetNegotiatedCipher(ctx, &negCipher); - - printf("Server Handshake done. 
Cipher is %s\n", sslGetCipherSuiteString(negCipher)); - - unsigned char buffer[MTU]; - size_t len, readLen; - - while(1) { - while((ortn=SSLRead(ctx, buffer, MTU, &readLen))==errSSLWouldBlock); - if(ortn) { - printSslErrStr("SSLRead", ortn); - break; - } - buffer[readLen]=0; - printf("Received %lu bytes:\n", readLen); - dumppacket(buffer, readLen); - - ortn=SSLWrite(ctx, buffer, readLen, &len); - if(ortn) { - printSslErrStr("SSLRead", ortn); - break; - } - printf("Echoing %lu bytes\n", len); - } - - SSLDisposeContext(ctx); - - return ortn; -} diff --git a/OSX/libsecurity_ssl/lib/SSLRecordInternal.c b/OSX/libsecurity_ssl/lib/SSLRecordInternal.c index 9b000871..8e494509 100644 --- a/OSX/libsecurity_ssl/lib/SSLRecordInternal.c +++ b/OSX/libsecurity_ssl/lib/SSLRecordInternal.c @@ -28,7 +28,6 @@ #include "SSLRecordInternal.h" #include "sslDebug.h" #include "cipherSpecs.h" -#include "sslUtils.h" #include "tls_record_internal.h" #include <AssertMacros.h> @@ -136,6 +135,7 @@ static int SSLRecordReadInternal(SSLRecordContextRef ref, SSLRecord *rec) tls_record_parse_header(ctx->filter, header, &contentLen, &content_type); if(content_type&0x80) { + sslDebugLog("Detected SSL2 record in SSLReadRecordInternal"); // Looks like SSL2 record, reset expectations. head = 2; err=tls_record_parse_ssl2_header(ctx->filter, header, &contentLen, &content_type); 
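Review bot: The added `sslDebugLog("Detected SSL2 record in SSLReadRecordInternal");` names a function that does not exist; the hunk header shows the code is in `SSLRecordReadInternal`, so anyone locating the log line by grep will not find it. The `"overflow in SSLReadRecordInternal"` message added in the @@ -144 hunk repeats the mismatch (the pre-existing underflow message has it too). Suggest `sslDebugLog("Detected SSL2 record in SSLRecordReadInternal");` and the same correction for the overflow string. The body of SSLRecordReadInternal starts outside the hunk.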
@@ -144,17 +144,23 @@ static int SSLRecordReadInternal(SSLRecordContextRef ref, SSLRecord *rec)
 check(ctx->partialReadBuffer.length>=head+contentLen);
- if(head+contentLen>ctx->partialReadBuffer.length)
+ if(head+contentLen>ctx->partialReadBuffer.length) {
+ sslDebugLog("overflow in SSLReadRecordInternal");
 return errSSLRecordRecordOverflow;
+ }
 if (ctx->amountRead < head + contentLen)
- { readData.length = head + contentLen - ctx->amountRead;
+ {
+ readData.length = head + contentLen - ctx->amountRead;
 readData.data = ctx->partialReadBuffer.data + ctx->amountRead;
 len = readData.length;
 err = sslIoRead(readData, &len, ctx);
 if(err != 0)
- { if (err == errSSLRecordWouldBlock)
- ctx->amountRead += len;
+ {
+ if (err == errSSLRecordWouldBlock)
+ {
+ ctx->amountRead += len;
+ }
 return err;
 }
 ctx->amountRead += len;
@@ -179,7 +185,7 @@ static int SSLRecordReadInternal(SSLRecordContextRef ref, SSLRecord *rec)
 /* There was an underflow - For TLS, we return errSSLRecordClosedAbort for historical reason - see ssl-44-crashes test */
 if(sz==0) {
 sslErrorLog("underflow in SSLReadRecordInternal");
- if(ctx->dtls) {
+ if(ctx->sslCtx->isDTLS) {
 // For DTLS, we should just drop it.
 return errSSLRecordUnexpectedRecord;
 } else {
diff --git a/OSX/libsecurity_ssl/lib/SecureTransport.h b/OSX/libsecurity_ssl/lib/SecureTransport.h
index 061ae594..89afee8c 100644
--- a/OSX/libsecurity_ssl/lib/SecureTransport.h
+++ b/OSX/libsecurity_ssl/lib/SecureTransport.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999-2002,2005-2014 Apple Inc. All Rights Reserved.
+ * Copyright (c) 1999-2002,2005-2016 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
@@ -147,6 +147,10 @@ typedef CF_ENUM(int, SSLSessionOption) {
 * Set this option to break from a client hello in order to check for SNI
 */
 kSSLSessionOptionBreakOnClientHello = 7,
+ /*
+ * Set this option to Allow renegotations. False by default.
+ */
+ kSSLSessionOptionAllowRenegotiation = 8,
 };
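Review bot: The new overflow branch logs a fixed string only; the case `head+contentLen > ctx->partialReadBuffer.length` is exactly where an operator needs to tell a peer sending oversized records apart from a buffer that was sized too small, so the sizes belong in the message. The declarations of `head`, `contentLen` and `partialReadBuffer.length` are outside the hunk, so the format specifiers need checking, but if `sslDebugLog` is printf-style something like `sslDebugLog("overflow in SSLRecordReadInternal: head=%zu contentLen=%zu buffer=%zu", (size_t)head, (size_t)contentLen, (size_t)ctx->partialReadBuffer.length);` would do. Note that the `check(...)` on the line above appears to be the AssertMacros.h debug-only check, so the explicit `if` is the real guard and must stay.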
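Review bot: `if(ctx->sslCtx->isDTLS)` makes the record layer reach back into the owning SSL context; nothing in the hunk shows that `ctx->sslCtx` is set before the first read, and if the record context's own `dtls` field is kept elsewhere it can now silently disagree with `isDTLS`. A one-line comment saying why the SSL context is authoritative here, e.g. `// isDTLS lives on the SSL context; the record context no longer carries its own copy`, or a `check(ctx->sslCtx);` before the dereference, would make the dependency explicit. SSLRecordReadInternal begins outside this hunk.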
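Review bot: The comment on `kSSLSessionOptionAllowRenegotiation` has a typo (`renegotations`) and, for a security-relevant switch, says too little: it should state what "allow" covers — whether peer-initiated renegotiation is accepted, whether the RFC 5746 secure-renegotiation extension is required for it, and which role (client, server or both) the option applies to. Suggest starting from `/* Set this option to allow renegotiation. Off by default. */` and filling in those points from the implementation.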
@@ -171,13 +175,13 @@ typedef CF_ENUM(int, SSLClientCertificateState) {
 /*
 * Server side: We asked for a cert, client sent one, we validated
 * it OK. App can inspect the cert via
- * SSLGetPeerCertificates().
+ * SSLCopyPeerCertificates().
 * Client side: server asked for one, we sent it.
 */
 kSSLClientCertSent,
 /*
 * Client sent a cert but failed validation. Server side only.
- * Server app can inspect the cert via SSLGetPeerCertificates().
+ * Server app can inspect the cert via SSLCopyPeerCertificates().
 */
 kSSLClientCertRejected
 } ;
@@ -303,6 +307,31 @@ typedef CF_ENUM(int, SSLConnectionType)
 kSSLDatagramType
 };
+/*
+ * Predefined TLS configurations constants
+ */
+
+/* Default configuration - currently same as kSSLSessionConfig_standard */
+extern const CFStringRef kSSLSessionConfig_default;
+/* ATS v1 Config: TLS v1.2, only PFS ciphersuites */
+extern const CFStringRef kSSLSessionConfig_ATSv1;
+/* ATS v1 Config without PFS: TLS v1.2, include non PFS ciphersuites */
+extern const CFStringRef kSSLSessionConfig_ATSv1_noPFS;
+/* TLS v1.2 to TLS v1.0, with default ciphersuites (no RC4) */
+extern const CFStringRef kSSLSessionConfig_standard;
+/* TLS v1.2 to TLS v1.0, with defaults ciphersuites + RC4 */
+extern const CFStringRef kSSLSessionConfig_RC4_fallback;
+/* TLS v1.0 only, with defaults ciphersuites + fallback SCSV */
+extern const CFStringRef kSSLSessionConfig_TLSv1_fallback;
+/* TLS v1.0, with defaults ciphersuites + RC4 + fallback SCSV */
+extern const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback;
+/* TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites */
+extern const CFStringRef kSSLSessionConfig_legacy;
+/* TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites */
+extern const CFStringRef kSSLSessionConfig_legacy_DHE;
+/* TLS v1.2, anonymous ciphersuites only */
+extern const CFStringRef kSSLSessionConfig_anonymous;
+
 /******************
 *** Public API ***
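Review bot: `kSSLSessionConfig_legacy` and `kSSLSessionConfig_legacy_DHE` carry the identical comment `TLS v1.2 to TLS v1.0, defaults + RC4 + DHE ciphersuites`, so a reader cannot tell which to use; one of the two is presumably a copy-paste, and from the names the `_legacy` comment most likely should not mention DHE. Please make the two comments state the actual difference, since the choice decides which ciphersuites a connection accepts. Minor wording: `defaults ciphersuites` → `default ciphersuites` (three places) and `Predefined TLS configurations constants` → `Predefined TLS configuration constants`.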
@@ -410,6 +439,19 @@ SSLSetIOFuncs (SSLContextRef context, SSLWriteFunc writeFunc) __OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0); + +/* + * Set a predefined configuration for the SSL Session + * + * This currently affect enabled protocol versions, + * enabled ciphersuites, and the kSSLSessionOptionFallback + * session option. + */ +OSStatus +SSLSetSessionConfig(SSLContextRef context, + CFStringRef config) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); + /* * Set the minimum SSL protocol version allowed. Optional. * The default is the lower supported protocol. @@ -444,13 +486,13 @@ SSLGetProtocolVersionMin (SSLContextRef context, * * This can only be called when no session is active. * - * For TLS contexts, legal values for minVersion are : + * For TLS contexts, legal values for maxVersion are : * kSSLProtocol3 * kTLSProtocol1 * kTLSProtocol11 * kTLSProtocol12 * - * For DTLS contexts, legal values for minVersion are : + * For DTLS contexts, legal values for maxVersion are : * kDTLSProtocol1 */ OSStatus @@ -576,7 +618,7 @@ SSLGetProtocolVersion (SSLContextRef context, */ OSStatus SSLSetCertificate (SSLContextRef context, - CFArrayRef certRefs) + CFArrayRef _Nullable certRefs) __OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0); /* 
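Review bot: The `SSLSetSessionConfig` comment should say what happens for a config string that is not one of the predefined `kSSLSessionConfig_*` constants, since that is the case an integrator is most likely to hit; the return value for it is not visible in this hunk. Wording: `This currently affects enabled protocol versions, enabled ciphersuites, and the kSSLSessionOptionFallback session option.` The commit also drops `SSLGetSessionConfig` from the private header and the export list without adding a public counterpart, which deserves a sentence in the description if it is intentional.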
@@ -629,6 +671,25 @@ SSLGetPeerDomainName (SSLContextRef context, size_t *peerNameLen) // IN/OUT __OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0); + +/* + * Determine the buffer size needed for SSLCopyRequestedPeerNameLength(). + */ +OSStatus +SSLCopyRequestedPeerName (SSLContextRef context, + char *peerName, + size_t *peerNameLen) + __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + +/* + * Server Only: obtain the hostname specified by the client in the ServerName extension (SNI) + */ +OSStatus +SSLCopyRequestedPeerNameLength (SSLContextRef ctx, + size_t *peerNameLen) + __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + + /* * Specify the Datagram TLS Hello Cookie. * This is to be called for server side only and is optional. @@ -719,19 +780,6 @@ SSLGetEnabledCiphers (SSLContextRef context, __OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0); -/* Deprecated, does nothing */ -typedef CF_ENUM(int, SSLSessionStrengthPolicy) -{ - kSSLSessionStrengthPolicyDefault, - kSSLSessionStrengthPolicyATSv1, - kSSLSessionStrengthPolicyATSv1_noPFS, -}; - -OSStatus -SSLSetSessionStrengthPolicy(SSLContextRef context, - SSLSessionStrengthPolicy policyStrength); - - #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) /* * Enable/disable peer certificate chain validation. Default is enabled. @@ -1298,6 +1346,17 @@ OSStatus SSLHandshake (SSLContextRef context) __OSX_AVAILABLE_STARTING(__MAC_10_2, __IPHONE_5_0); +/* + * Server Only: Request renegotation. + * This will return an error if the server is already renegotiating, or if the session is closed. + * After this return without error, the application should call SSLHandshake() and/or SSLRead() as + * for the original handshake. + */ +OSStatus +SSLReHandshake (SSLContextRef context) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); + + /* * Normal application-level read/write. On both of these, a errSSLWouldBlock * return and a partially completed transfer - or even zero bytes transferred - 
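Review bot: The two comments are swapped: `Determine the buffer size needed for SSLCopyRequestedPeerNameLength()` sits above `SSLCopyRequestedPeerName`, which takes a buffer, and `Server Only: obtain the hostname specified by the client in the ServerName extension (SNI)` sits above `SSLCopyRequestedPeerNameLength`, which only returns a length. The first should read `Determine the buffer size needed for SSLCopyRequestedPeerName().`, and `peerNameLen` should be marked `// IN/OUT` if that is its contract, as `SSLGetPeerDomainName` above documents; whether the copied name is NUL-terminated is not visible here and should be stated. The two declarations also name the same parameter `context` and `ctx`.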
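Review bot: The `SSLReHandshake` comment has `renegotation` and `After this return without error`; write `Server Only: Request renegotiation.` and `After this returns without error, ...`. It should also say whether the call requires `kSSLSessionOptionAllowRenegotiation` to have been set, since that option is introduced in the same commit and the relationship is not stated anywhere in this header.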
diff --git a/OSX/libsecurity_ssl/lib/SecureTransportPriv.h b/OSX/libsecurity_ssl/lib/SecureTransportPriv.h index 703a8e74..66f8b845 100644 --- a/OSX/libsecurity_ssl/lib/SecureTransportPriv.h +++ b/OSX/libsecurity_ssl/lib/SecureTransportPriv.h @@ -146,6 +146,7 @@ SSLGetClientSideAuthenticate ( SSLContextRef context, SSLAuthenticate *auth); // RETURNED +#if !TARGET_OS_IPHONE /* * Get/set array of trusted leaf certificates. * @@ -161,7 +162,7 @@ OSStatus SSLCopyTrustedLeafCertificates ( SSLContextRef context, CFArrayRef *certRefs); // RETURNED, caller must release - +#endif /* * Get/set enable of anonymous ciphers. This is deprecated and now a no-op. */ @@ -375,10 +376,10 @@ extern OSStatus SSLGetClientAuthTypes( unsigned *numTypes); /* IN/OUT */ /* - * Obtain the SSLClientAuthenticationType actually performed. - * Only valid if client certificate state is kSSLClientCertSent - * or kSSLClientCertRejected; SSLClientAuthNone is returned as - * the negotiated auth type otherwise. + * -- DEPRECATED -- + * This is not actually useful. Currently return errSecUnimplemented. + * The client auth type is fully determined by the type of private key used by + * the client. */ extern OSStatus SSLGetNegotiatedClientAuthType( SSLContextRef ctx, 
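Review bot: The new comment on `SSLGetNegotiatedClientAuthType` says `Currently return errSecUnimplemented`; `Currently returns errSecUnimplemented.` Since the function is documented as deprecated but the declaration is unchanged, a deprecation attribute on the declaration would surface the change at compile time instead of only in the comment; the export list still carries `_SSLGetNegotiatedClientAuthType`, so binary compatibility is not affected.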
@@ -440,25 +441,6 @@ OSStatus SSLSetDHEEnabled(SSLContextRef ctx, bool enabled); OSStatus SSLGetDHEEnabled(SSLContextRef ctx, bool *enabled); -extern const CFStringRef kSSLSessionConfig_default; -extern const CFStringRef kSSLSessionConfig_ATSv1; -extern const CFStringRef kSSLSessionConfig_ATSv1_noPFS; -extern const CFStringRef kSSLSessionConfig_legacy; -extern const CFStringRef kSSLSessionConfig_standard; -extern const CFStringRef kSSLSessionConfig_RC4_fallback; -extern const CFStringRef kSSLSessionConfig_TLSv1_fallback; -extern const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback; -extern const CFStringRef kSSLSessionConfig_legacy_DHE; - -OSStatus -SSLSetSessionConfig(SSLContextRef context, - CFStringRef config); - -OSStatus -SSLGetSessionConfig(SSLContextRef context, - CFStringRef *config); - - #if TARGET_OS_IPHONE /* Following are SPIs on iOS */ @@ -843,16 +825,6 @@ SSLGetALPNData (SSLContextRef context, // end of ALPN -OSStatus -SSLCopyRequestedPeerName (SSLContextRef context, - char *peerName, - size_t *peerNameLen); - -OSStatus -SSLCopyRequestedPeerNameLength (SSLContextRef ctx, - size_t *peerNameLen); - - #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_ssl/lib/appleSession.c b/OSX/libsecurity_ssl/lib/appleSession.c deleted file mode 100644 index 941a473b..00000000 --- a/OSX/libsecurity_ssl/lib/appleSession.c +++ /dev/null 
@@ -1,470 +0,0 @@ -/* - * Copyright (c) 1999-2001,2005-2008,2010-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/* - * appleSession.c - Session storage module, Apple CDSA version. - */ - -/* - * The current implementation stores sessions in a linked list, a member of a - * SessionCache object for which we keep a single global instance. It is - * expected that at a given time, only a small number of sessions will be - * cached, so the random insertion access provided by a map<> is unnecessary. - * New entries are placed in the head of the list, assuming a LIFO usage - * tendency. - * - * Entries in this cache have a time to live of SESSION_CACHE_TTL, currently - * ten minutes. Entries are tested for being stale upon lookup; also, the global - * sslCleanupSession() tests all entries in the cache, deleting entries which - * are stale. This function is currently called whenever an SSLContext is deleted. 
- * The current design does not provide any asynchronous timed callouts to perform - * further cache cleanup; it was decided that the thread overhead of this would - * outweight the benefits (again assuming a small number of entries in the - * cache). - * - * When a session is added via sslAddSession, and a cache entry already - * exists for the specifed key (sessionID), the sessionData for the existing - * cache entry is updated with the new sessionData. The entry's expiration - * time is unchanged (thus a given session entry can only be used for a finite - * time no mattter how often it is re-used), - */ - -#include "ssl.h" -#include "sslMemory.h" -#include "sslDebug.h" -#include "appleSession.h" - -#include <CoreFoundation/CFDate.h> -#include <pthread.h> -#include <string.h> - -#include <utilities/SecIOFormat.h> - -/* default time-to-live in cache, in seconds */ -#define QUICK_CACHE_TEST 0 -#if QUICK_CACHE_TEST -#define SESSION_CACHE_TTL ((CFTimeInterval)5) -#else -#define SESSION_CACHE_TTL ((CFTimeInterval)(10 * 60)) -#endif /* QUICK_CACHE_TEST */ - -#define CACHE_PRINT 0 -#if CACHE_PRINT -#define DUMP_ALL_CACHE 0 - -static void cachePrint( - const void *entry, - const SSLBuffer *key, - const SSLBuffer *data) -{ - printf("entry: %p ", entry); - unsigned char *kd = key->data; - if(data != NULL) { - unsigned char *dd = data->data; - printf(" key: %02X%02X%02X%02X%02X%02X%02X%02X" - " data: %02X%02X%02X%02X... (len %d)\n", - kd[0],kd[1],kd[2],kd[3], kd[4],kd[5],kd[6],kd[7], - dd[0],dd[1],dd[2],dd[3], (unsigned)data->length); - } - else { - /* just print key */ - printf(" key: %02X%02X%02X%02X%02X%02X%02X%02X\n", - kd[0],kd[1],kd[2],kd[3], kd[4],kd[5],kd[6],kd[7]); - } -} -#else /* !CACHE_PRINT */ -#define cachePrint(e, k, d) -#define DUMP_ALL_CACHE 0 -#endif /* CACHE_PRINT */ - -#if DUMP_ALL_CACHE -static void dumpAllCache(void); -#else -#define dumpAllCache() -#endif - -/* - * One entry (value) in SessionCache. 
- */ -typedef struct SessionCacheEntry SessionCacheEntry; -struct SessionCacheEntry { - /* Linked list of SessionCacheEntries. */ - SessionCacheEntry *next; - - SSLBuffer mKey; - SSLBuffer mSessionData; - - /* this entry to be removed from session map at this time */ - CFAbsoluteTime mExpiration; -}; - -/* - * Note: the caller passes in the expiration time solely to accomodate the - * instantiation of a single const Time::Interval for use in calculating - * TTL. This const, SessionCache.mTimeToLive, is in the singleton gSession Cache. - */ -/* - * This constructor, the only one, allocs copies of the key and value - * SSLBuffers. - */ -static SessionCacheEntry *SessionCacheEntryCreate( - const SSLBuffer *key, - const SSLBuffer *sessionData, - CFAbsoluteTime expirationTime) -{ - OSStatus serr; - - SessionCacheEntry *entry = sslMalloc(sizeof(SessionCacheEntry)); - if (entry == NULL) - return NULL; - - serr = SSLCopyBuffer(key, &entry->mKey); - if(serr) { - sslFree (entry); - return NULL; - } - serr = SSLCopyBuffer(sessionData, &entry->mSessionData); - if(serr) { - SSLFreeBuffer(&entry->mKey); - sslFree (entry); - return NULL; - } - - sslLogSessCacheDebug("SessionCacheEntryCreate(buf,buf) %p", entry); - entry->mExpiration = expirationTime; - - return entry; -} - -static void SessionCacheEntryDelete(SessionCacheEntry *entry) -{ - sslLogSessCacheDebug("~SessionCacheEntryDelete() %p", entry); - SSLFreeBuffer(&entry->mKey); // no SSLContext - SSLFreeBuffer(&entry->mSessionData); - sslFree(entry); -} - -/* basic lookup/match function */ -static bool SessionCacheEntryMatchKey(SessionCacheEntry *entry, - const SSLBuffer *key) -{ - if(key->length != entry->mKey.length) { - return false; - } - if((key->data == NULL) || (entry->mKey.data == NULL)) { - return false; - } - return (memcmp(key->data, entry->mKey.data, entry->mKey.length) == 0); -} - -static bool SessionCacheEntryIsStale(SessionCacheEntry *entry, - CFAbsoluteTime now) -{ - return now > entry->mExpiration; -} - -/* 
has this expired? */ -static bool SessionCacheEntryIsStaleNow(SessionCacheEntry *entry) -{ - return SessionCacheEntryIsStale(entry, CFAbsoluteTimeGetCurrent()); -} - -/* replace existing mSessionData */ -static OSStatus SessionCacheEntrySetSessionData(SessionCacheEntry *entry, - const SSLBuffer *data) -{ - SSLFreeBuffer(&entry->mSessionData); - return SSLCopyBuffer(data, &entry->mSessionData); -} - -/* - * Global list of sessions and associated state. We maintain a singleton of - * this. - */ -typedef struct SessionCache { - SessionCacheEntry *head; - CFTimeInterval mTimeToLive; /* default time-to-live in seconds */ -} SessionCache; - -static pthread_mutex_t gSessionCacheLock = PTHREAD_MUTEX_INITIALIZER; -static SessionCache *gSessionCache = NULL; - -static void SessionCacheInit(void) { - gSessionCache = sslMalloc(sizeof(SessionCache)); - gSessionCache->head = NULL; - gSessionCache->mTimeToLive = SESSION_CACHE_TTL; -} - -static SessionCache *SessionCacheGetLockedInstance(void) { - pthread_mutex_lock(&gSessionCacheLock); - if (!gSessionCache) { - /* We could use pthread_once, but we already have a mutex for other - reasons. */ - SessionCacheInit(); - } - - return gSessionCache; -} - -/* these three correspond to the C functions exported by this file */ -static OSStatus SessionCacheAddEntry( - SessionCache *cache, - const SSLBuffer *sessionKey, - const SSLBuffer *sessionData, - uint32_t timeToLive) /* optional time-to-live in seconds; 0 ==> default */ -{ - SessionCacheEntry *entry = NULL; - SessionCacheEntry **current; - CFTimeInterval expireTime; - - for (current = &(cache->head); *current; current = &((*current)->next)) { - entry = *current; - if (SessionCacheEntryMatchKey(entry, sessionKey)) { - /* cache hit - just update this entry's sessionData if necessary */ - /* Note we leave expiration time and position in queue unchanged - - OK? */ - /* What if the entry has already expired? 
*/ - if((entry->mSessionData.length == sessionData->length) && - (memcmp(entry->mSessionData.data, sessionData->data, - sessionData->length) == 0)) { - /* - * These usually match, and a memcmp is a lot cheaper than - * a malloc and a free, hence this quick optimization..... - */ - sslLogSessCacheDebug("SessionCache::addEntry CACHE HIT " - "entry = %p", entry); - return errSecSuccess; - } - else { - sslLogSessCacheDebug("SessionCache::addEntry CACHE REPLACE " - "entry = %p", entry); - return SessionCacheEntrySetSessionData(entry, sessionData); - } - } - } - - expireTime = CFAbsoluteTimeGetCurrent(); - if(timeToLive) { - /* caller-specified */ - expireTime += (CFTimeInterval)timeToLive; - } - else { - /* default */ - expireTime += cache->mTimeToLive; - } - /* this allocs new copy of incoming sessionKey and sessionData */ - entry = SessionCacheEntryCreate(sessionKey, sessionData, expireTime); - - sslLogSessCacheDebug("SessionCache::addEntry %p", entry); - cachePrint(entry, sessionKey, sessionData); - dumpAllCache(); - - /* add to head of queue for LIFO caching */ - entry->next = cache->head; - cache->head = entry; - - return errSecSuccess; -} - -static OSStatus SessionCacheLookupEntry( - SessionCache *cache, - const SSLBuffer *sessionKey, - SSLBuffer *sessionData) -{ - SessionCacheEntry *entry = NULL; - SessionCacheEntry **current; - for (current = &(cache->head); *current; current = &((*current)->next)) { - entry = *current; - if (SessionCacheEntryMatchKey(entry, sessionKey)) - break; - } - - if (*current == NULL) - return errSSLSessionNotFound; - - if (SessionCacheEntryIsStaleNow(entry)) { - sslLogSessCacheDebug("SessionCache::lookupEntry %p: STALE " - "entry, deleting; current %p, entry->next %p", - entry, current, entry->next); - cachePrint(entry, sessionKey, &entry->mSessionData); - *current = entry->next; - SessionCacheEntryDelete(entry); - return errSSLSessionNotFound; - } - - /* alloc/copy sessionData from existing entry (caller must free) */ - return 
SSLCopyBuffer(&entry->mSessionData, sessionData); -} - -static OSStatus SessionCacheDeleteEntry( - SessionCache *cache, - const SSLBuffer *sessionKey) -{ - SessionCacheEntry **current; - - for (current = &(cache->head); *current; current = &((*current)->next)) { - SessionCacheEntry *entry = *current; - if (SessionCacheEntryMatchKey(entry, sessionKey)) { - #ifndef DEBUG - sslLogSessCacheDebug("...SessionCacheDeleteEntry: deleting " - "cached session (%p)", entry); - cachePrint(entry, &entry->mKey, &entry->mSessionData); - #endif - *current = entry->next; - SessionCacheEntryDelete(entry); - return errSecSuccess; - } - } - - return errSecSuccess; -} - -/* cleanup, delete stale entries */ -static bool SessionCacheCleanup(SessionCache *cache) -{ - bool brtn = false; - CFAbsoluteTime rightNow = CFAbsoluteTimeGetCurrent(); - SessionCacheEntry **current; - - for (current = &(cache->head); *current;) { - SessionCacheEntry *entry = *current; - if(SessionCacheEntryIsStale(entry, rightNow)) { - #ifndef DEBUG - sslLogSessCacheDebug("...SessionCacheCleanup: deleting " - "cached session (%p)", entry); - cachePrint(entry, &entry->mKey, &entry->mSessionData); - #endif - *current = entry->next; - SessionCacheEntryDelete(entry); - } - else { - current = &((*current)->next); - /* we're leaving one in the map */ - brtn = true; - } - } - return brtn; -} - -#if DUMP_ALL_CACHE -static void dumpAllCache(void) -{ - SessionCache *cache = gSessionCache; - SessionCacheEntry *entry; - - printf("Contents of sessionCache:\n"); - for(entry = cache->head; entry; entry = entry->next) { - cachePrint(entry, &entry->mKey, &entry->mSessionData); - } -} -#endif /* DUMP_ALL_CACHE */ - -/* - * Store opaque sessionData, associated with opaque sessionKey. 
- */ -OSStatus sslAddSession ( - const SSLBuffer sessionKey, - const SSLBuffer sessionData, - uint32_t timeToLive) /* optional time-to-live in seconds; 0 ==> default */ -{ - SessionCache *cache = SessionCacheGetLockedInstance(); - OSStatus serr; - if (!cache) - serr = errSSLSessionNotFound; - else - { - serr = SessionCacheAddEntry(cache, &sessionKey, &sessionData, timeToLive); - - dumpAllCache(); - } - - pthread_mutex_unlock(&gSessionCacheLock); - return serr; -} - -/* - * Given an opaque sessionKey, alloc & retrieve associated sessionData. - */ -OSStatus sslCopySession ( - const SSLBuffer sessionKey, - SSLBuffer *sessionData) -{ - SessionCache *cache = SessionCacheGetLockedInstance(); - OSStatus serr; - if (!cache) - serr = errSSLSessionNotFound; - else - { - serr = SessionCacheLookupEntry(cache, &sessionKey, sessionData); - - sslLogSessCacheDebug("sslGetSession(%d, %p): %d", - (int)sessionKey.length, sessionKey.data, - (int)serr); - if(!serr) { - cachePrint(NULL, &sessionKey, sessionData); - } - else { - cachePrint(NULL, &sessionKey, NULL); - } - dumpAllCache(); - } - - pthread_mutex_unlock(&gSessionCacheLock); - - return serr; -} - -OSStatus sslDeleteSession ( - const SSLBuffer sessionKey) -{ - SessionCache *cache = SessionCacheGetLockedInstance(); - OSStatus serr; - if (!cache) - serr = errSSLSessionNotFound; - else - { - serr = SessionCacheDeleteEntry(cache, &sessionKey); - } - - pthread_mutex_unlock(&gSessionCacheLock); - return serr; -} - -/* cleanup up session cache, deleting stale entries. */ -OSStatus sslCleanupSession(void) -{ - SessionCache *cache = SessionCacheGetLockedInstance(); - OSStatus serr = errSecSuccess; - bool moreToGo = false; - - if (!cache) - serr = errSSLSessionNotFound; - else - { - moreToGo = SessionCacheCleanup(cache); - } - /* Possible TBD: if moreToGo, schedule a timed callback to this function */ - - pthread_mutex_unlock(&gSessionCacheLock); - return serr; -} 
diff --git a/OSX/libsecurity_ssl/lib/security_ssl.exp b/OSX/libsecurity_ssl/lib/security_ssl.exp index e49ea120..624a672f 100644 --- a/OSX/libsecurity_ssl/lib/security_ssl.exp +++ b/OSX/libsecurity_ssl/lib/security_ssl.exp @@ -48,6 +48,7 @@ _SSLInternal_PRF _SSLNewContext _SSLNewDatagramContext _SSLRead +_SSLReHandshake _SSLSetAllowsAnyRoot _SSLSetAllowsExpiredCerts _SSLSetAllowsExpiredRoots @@ -90,7 +91,5 @@ _SSLGetClientAuthTypes _SSLGetNegotiatedClientAuthType _SSLSetMinimumDHGroupSize _SSLGetMinimumDHGroupSize -_SSLSetSessionStrengthPolicy _SSLSetSessionConfig -_SSLGetSessionConfig diff --git a/OSX/libsecurity_ssl/lib/sslCipherSpecs.c b/OSX/libsecurity_ssl/lib/sslCipherSpecs.c index d9bf5c4c..144d585e 100644 --- a/OSX/libsecurity_ssl/lib/sslCipherSpecs.c +++ b/OSX/libsecurity_ssl/lib/sslCipherSpecs.c @@ -31,7 +31,6 @@ #include "sslDebug.h" #include "sslMemory.h" #include "sslDebug.h" -#include "sslUtils.h" #include "sslPriv.h" #include <tls_handshake.h> @@ -302,9 +301,12 @@ SSLGetEnabledCiphers (SSLContextRef ctx, err = tls_handshake_get_ciphersuites(ctx->hdsk, &ciphersuites, &n); - return cipherSuitesToCipherSuites(n, - ciphersuites, - ciphers, - numCiphers); - + if(err) { + return err; + } else { + return cipherSuitesToCipherSuites(n, + ciphersuites, + ciphers, + numCiphers); + } } diff --git a/OSX/libsecurity_ssl/lib/sslContext.c b/OSX/libsecurity_ssl/lib/sslContext.c index 653cbe32..89f89687 100644 --- a/OSX/libsecurity_ssl/lib/sslContext.c +++ b/OSX/libsecurity_ssl/lib/sslContext.c @@ -29,7 +29,6 @@ #include "SSLRecordInternal.h" #include "SecureTransportPriv.h" -#include "appleSession.h" #include "ssl.h" #include "sslCipherSpecs.h" #include "sslContext.h" @@ -37,7 +36,6 @@ #include "sslDebug.h" #include "sslKeychain.h" #include "sslMemory.h" -#include "sslUtils.h" #include "tlsCallbacks.h" 
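Review bot: In `SSLGetEnabledCiphers` the `else` after `return err;` is redundant; `if (err) { return err; } return cipherSuitesToCipherSuites(n, ciphersuites, ciphers, numCiphers);` reads flatter and matches the early-return style used elsewhere in these files. The context of the include hunk in the same file shows `#include "sslDebug.h"` twice, which could be dropped while that block is being touched. The function body starts outside the hunk.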
@@ -78,26 +76,6 @@ static void sslFreeDnList(SSLContext *ctx) ctx->acceptableDNList = NULL; } -/* - This frees ctx->localCert, which is allocated in parseIncomingCert. - This is structured as a list, but all the SSLCertificates structs are - allocated as a single array, so there is only on sslFree(localCert). - */ -static void sslFreeLocalCert(SSLContext *ctx) -{ - SSLCertificate *cert; - - cert = ctx->localCert; - while (cert) - { - SSLFreeBuffer(&cert->derCert); - cert = cert->next; - } - sslFree(ctx->localCert); - ctx->localCert = NULL; -} - - Boolean sslIsSessionActive(const SSLContext *ctx) { assert(ctx != NULL); @@ -134,15 +112,20 @@ Boolean sslIsSessionActive(const SSLContext *ctx) #define MIN_ALLOWED_DTLS_MTU 64 /* this ensure than there will be no integer underflow when calculating max write size */ -int kSplitDefaultValue; +/* Preferences values */ CFIndex kMinDhGroupSizeDefaultValue; +CFIndex kMinProtocolVersionDefaultValue; +CFStringRef kSSLSessionConfigDefaultValue; +Boolean kSSLDisableRecordSplittingDefaultValue; + +static tls_cache_t g_session_cache = NULL; #if TARGET_OS_IPHONE /* * Instead of using CFPropertyListReadFromFile we use a * CFPropertyListCreateWithStream directly * here. CFPropertyListReadFromFile() uses - * CFURLCopyResourcePropertyForKey() andCF pulls in CoreServices for + * CFURLCopyResourcePropertyForKey() and CF pulls in CoreServices for * CFURLCopyResourcePropertyForKey() and that doesn't work in install * enviroment. */ 
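Review bot: `kMinDhGroupSizeDefaultValue`, `kMinProtocolVersionDefaultValue`, `kSSLSessionConfigDefaultValue` and `kSSLDisableRecordSplittingDefaultValue` are mutable file-scope globals with external linkage, named with the `k` prefix that the headers in this commit use for constants. Unless another translation unit references them, they should be `static` like `g_session_cache` beside them, and a comment saying they are written once by `_SSLContextReadDefault` under the `dispatch_once` in `SSLCreateContextWithRecordFuncs` and read-only afterwards would record the intended concurrency contract. `kSSLSessionConfigDefaultValue` holds a CF object for the life of the process, which is worth stating so nobody adds a release later.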
@@ -161,55 +144,91 @@ CopyPlistFromFile(CFURLRef url) #endif -static void _SSLContextReadDefault() +static +CFTypeRef SSLPreferencesCopyValue(CFStringRef key, CFPropertyListRef managed_prefs) { - /* 0 = disabled, 1 = split every write, 2 = split second and subsequent writes */ - /* Enabled by default, this may cause some interop issues, see <rdar://problem/12307662> and <rdar://problem/12323307> */ - const int defaultSplitDefaultValue = 2; - - CFTypeRef value = (CFTypeRef)CFPreferencesCopyValue(CFSTR("SSLWriteSplit"), - CFSTR("com.apple.security"), - kCFPreferencesAnyUser, - kCFPreferencesCurrentHost); - if (value) { - if (CFGetTypeID(value) == CFBooleanGetTypeID()) - kSplitDefaultValue = CFBooleanGetValue((CFBooleanRef)value) ? 1 : 0; - else if (CFGetTypeID(value) == CFNumberGetTypeID()) { - if (!CFNumberGetValue((CFNumberRef)value, kCFNumberIntType, &kSplitDefaultValue)) - kSplitDefaultValue = defaultSplitDefaultValue; - } - if (kSplitDefaultValue < 0 || kSplitDefaultValue > 2) { - kSplitDefaultValue = defaultSplitDefaultValue; - } - CFRelease(value); - } - else { - kSplitDefaultValue = defaultSplitDefaultValue; - } + CFTypeRef value = (CFTypeRef) CFPreferencesCopyAppValue(CFSTR("SSLSessionConfig"), kCFPreferencesCurrentApplication); - /* Min DH Group Size */ - kMinDhGroupSizeDefaultValue = CFPreferencesGetAppIntegerValue(CFSTR("SSLMinDhGroupSize"), kCFPreferencesCurrentApplication, NULL); + if(!value && managed_prefs) { + value = CFDictionaryGetValue(managed_prefs, key); + } + + return value; +} + +static +CFIndex SSLPreferencesGetInteger(CFStringRef key, CFPropertyListRef managed_prefs) +{ + CFTypeRef value = SSLPreferencesCopyValue(key, managed_prefs); + CFIndex int_value = 0; + if (isNumber(value)) { + CFNumberGetValue(value, kCFNumberCFIndexType, &int_value); + } + CFReleaseSafe(value); + return int_value; +} + +static +Boolean SSLPreferencesGetBoolean(CFStringRef key, CFPropertyListRef managed_prefs) +{ + CFTypeRef value = SSLPreferencesCopyValue(key, 
managed_prefs); + Boolean bool_value = FALSE; + if (isBoolean(value)) { + bool_value = CFBooleanGetValue(value); + } + + CFReleaseSafe(value); + return bool_value; +} + +static +CFStringRef SSLPreferencesCopyString(CFStringRef key, CFPropertyListRef managed_prefs) +{ + CFTypeRef value = SSLPreferencesCopyValue(key, managed_prefs); + if (isString(value)) { + return value; + } else { + CFReleaseSafe(value); + return NULL; + } +} + +static void _SSLContextReadDefault() +{ + CFPropertyListRef managed_prefs = NULL; #if TARGET_OS_IPHONE - /* on iOS, if the above returned nothing, we manually look into mobile's Managed Preferences */ + /* on iOS, we also look for preferences from mobile's Managed Preferences */ /* Note that if the process is running as mobile, the above call will already have read the Managed Preference plist. - As a result, if you have some preferences set manually with defaults, which preference applies may be different for mobile vs not-mobile. */ - if(kMinDhGroupSizeDefaultValue == 0) { - CFURLRef prefURL = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, CFSTR("/Library/Managed Preferences/mobile/.GlobalPreferences.plist"), kCFURLPOSIXPathStyle, false); - if(prefURL) { - CFPropertyListRef plist = CopyPlistFromFile(prefURL); - if (plist) { - value = CFDictionaryGetValue(plist, CFSTR("SSLMinDhGroupSize")); - if (isNumber(value)) { - CFNumberGetValue(value, kCFNumberCFIndexType, &kMinDhGroupSizeDefaultValue); - } - } - CFReleaseSafe(plist); - } - CFReleaseSafe(prefURL); + As a result, if you have some preferences set manually with defaults, which preference applies may be different for mobile vs not-mobile. 
*/ + CFURLRef prefURL = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, CFSTR("/Library/Managed Preferences/mobile/.GlobalPreferences.plist"), kCFURLPOSIXPathStyle, false); + if(prefURL) { + managed_prefs = CopyPlistFromFile(prefURL); } + CFReleaseSafe(prefURL); #endif + /* Disable record splitting */ + /* Enabled by default, this may cause some interop issues, see <rdar://problem/12307662> and <rdar://problem/12323307> */ + kSSLDisableRecordSplittingDefaultValue = SSLPreferencesGetBoolean(CFSTR("SSLDisableRecordSplitting"), managed_prefs); + + /* Min DH Group Size */ + kMinDhGroupSizeDefaultValue = SSLPreferencesGetInteger(CFSTR("SSLMinDhGroupSize"), managed_prefs); + + /* Default Min Prototcol Version */ + kMinProtocolVersionDefaultValue = SSLPreferencesGetInteger(CFSTR("SSLMinProtocolVersion"), managed_prefs); + + /* Default Config */ + kSSLSessionConfigDefaultValue = SSLPreferencesCopyString(CFSTR("SSLSessionConfig"), managed_prefs); + + CFReleaseSafe(managed_prefs); +} + +/* This functions initialize global variables, run once per process */ +static void SSLContextOnce(void) +{ + _SSLContextReadDefault(); + g_session_cache = tls_cache_create(); } CFGiblisWithHashFor(SSLContext) @@ -269,6 +288,13 @@ SSLContextRef SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc, SSLProtocolS return NULL; } + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + SSLContextOnce(); + }); + + ctx->cache = g_session_cache; + tls_handshake_set_callbacks(ctx->hdsk, &tls_handshake_callbacks, ctx); 
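Review bot: `SSLPreferencesCopyValue` ignores its `key` parameter on the primary lookup: it always calls `CFPreferencesCopyAppValue(CFSTR("SSLSessionConfig"), kCFPreferencesCurrentApplication)`, so when that preference is set, `SSLDisableRecordSplitting`, `SSLMinDhGroupSize` and `SSLMinProtocolVersion` all receive the session-config string, fail the `isBoolean`/`isNumber` checks and fall back to FALSE/0, and only the managed-preferences path honours the key; the fix is `CFTypeRef value = (CFTypeRef) CFPreferencesCopyAppValue(key, kCFPreferencesCurrentApplication);`. The managed-preferences branch also has an ownership mismatch: `CFDictionaryGetValue` returns a borrowed reference, but every caller treats the result as owned — `SSLPreferencesGetInteger`/`GetBoolean` release it, and `SSLPreferencesCopyString` hands it to `kSSLSessionConfigDefaultValue`, which outlives the `CFReleaseSafe(managed_prefs)` at the end of `_SSLContextReadDefault`. That branch should be `value = CFRetainSafe(CFDictionaryGetValue(managed_prefs, key));` so the Copy contract holds on both paths. The comment `Default Min Prototcol Version` has a typo as well.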
@@ -297,33 +323,24 @@ SSLContextRef SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc, SSLProtocolS /* Default for RSA blinding is ENABLED */ ctx->rsaBlindingEnable = true; - /* Default for sending one-byte app data record is DISABLED */ - ctx->oneByteRecordEnable = false; + /* Default for sending one-byte app data record is ENABLED */ + ctx->oneByteRecordEnable = !kSSLDisableRecordSplittingDefaultValue; /* Dont enable fallback behavior by default */ ctx->fallbackEnabled = false; - /* Consult global system preference for default behavior: - * 0 = disabled, 1 = split every write, 2 = split second and subsequent writes - * (caller can override by setting kSSLSessionOptionSendOneByteRecord) - */ - static pthread_once_t sReadDefault = PTHREAD_ONCE_INIT; - pthread_once(&sReadDefault, _SSLContextReadDefault); - if (kSplitDefaultValue > 0) { - ctx->oneByteRecordEnable = true; - } - - /* Default for server is DHE enabled, default for client is disabled */ - if(ctx->protocolSide == kSSLServerSide) { - SSLSetDHEEnabled(ctx, true); - } else { - SSLSetDHEEnabled(ctx, false); + if(kSSLSessionConfigDefaultValue) { + SSLSetSessionConfig(ctx, kSSLSessionConfigDefaultValue); } if(kMinDhGroupSizeDefaultValue) { tls_handshake_set_min_dh_group_size(ctx->hdsk, (unsigned)kMinDhGroupSizeDefaultValue); } + if(kMinProtocolVersionDefaultValue) { + SSLSetProtocolVersionMin(ctx, (unsigned)kMinProtocolVersionDefaultValue); + } + /* default for anonymous ciphers is DISABLED */ ctx->anonCipherEnable = false; @@ -334,8 +351,6 @@ SSLContextRef SSLCreateContextWithRecordFuncs(CFAllocatorRef alloc, SSLProtocolS ctx->signalCertRequest = false; ctx->signalClientAuth = false; - ctx->negAuthType = SSLClientAuthNone; /* ditto */ - return ctx; } 
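Review bot: The return values of `SSLSetSessionConfig(ctx, kSSLSessionConfigDefaultValue)` and `SSLSetProtocolVersionMin(ctx, (unsigned)kMinProtocolVersionDefaultValue)` are discarded, so a preference holding an unknown config name or an out-of-range version number leaves the context on the built-in defaults without any trace. These values come from a preferences file rather than from the calling code, so a log line on failure is the minimum: `OSStatus err = SSLSetSessionConfig(ctx, kSSLSessionConfigDefaultValue); if (err) { sslErrorLog("SSLSessionConfig preference rejected"); }` and likewise for the minimum version. The per-side `SSLSetDHEEnabled` defaults are removed here; if that default now comes from the session config, the comment should say so, since the old comment explaining it is gone.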
@@ -406,16 +421,14 @@ void SSLContextDestroy(CFTypeRef arg) SSLFreeBuffer(&ctx->receivedDataBuffer); CFReleaseSafe(ctx->acceptableCAs); +#if !TARGET_OS_IPHONE CFReleaseSafe(ctx->trustedLeafCerts); +#endif CFReleaseSafe(ctx->localCertArray); CFReleaseSafe(ctx->encryptCertArray); - CFReleaseSafe(ctx->peerCert); CFReleaseSafe(ctx->trustedCerts); CFReleaseSafe(ctx->peerSecTrust); - sslFreePrivKey(&ctx->signingPrivKeyRef); - - sslFreeLocalCert(ctx); sslFreeDnList(ctx); SSLFreeBuffer(&ctx->ownVerifyData); @@ -426,9 +439,10 @@ void SSLContextDestroy(CFTypeRef arg) SSLFreeBuffer(&ctx->dhParamsEncoded); - memset(((uint8_t*) ctx) + sizeof(CFRuntimeBase), 0, sizeof(SSLContext) - sizeof(CFRuntimeBase)); + if(ctx->cache) + tls_cache_cleanup(ctx->cache); - sslCleanupSession(); + memset(((uint8_t*) ctx) + sizeof(CFRuntimeBase), 0, sizeof(SSLContext) - sizeof(CFRuntimeBase)); } /* @@ -512,6 +526,9 @@ SSLSetSessionOption (SSLContextRef context, case kSSLSessionOptionAllowServerIdentityChange: tls_handshake_set_server_identity_change(context->hdsk, value); break; + case kSSLSessionOptionAllowRenegotiation: + tls_handshake_set_renegotiation(context->hdsk, value); + break; default: return errSecParam; } 
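Review bot: `if(ctx->cache) tls_cache_cleanup(ctx->cache);` is an unbraced single-statement `if` in a function that otherwise braces its bodies; `if (ctx->cache) { tls_cache_cleanup(ctx->cache); }`. Since `ctx->cache` is the process-wide `g_session_cache` shared by every context, a one-line comment saying that destroying any context runs a stale-entry sweep of the shared cache (the role `sslCleanupSession()` played before) would keep the next reader from assuming the cache is per-context.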
@@ -1331,56 +1348,32 @@ OSStatus SSLSetAllowsExpiredCerts(SSLContextRef ctx, Boolean allowExpired) { - if(ctx == NULL) { - return errSecParam; - } - sslCertDebug("SSLSetAllowsExpiredCerts %s", - allowExpired ? "true" : "false"); - if(sslIsSessionActive(ctx)) { - /* can't do this with an active session */ - return errSecBadReq; - } - ctx->allowExpiredCerts = allowExpired; - return errSecSuccess; + /* This has been deprecated since 10.9, and non-functional since at least 10.10 */ + return 0; } OSStatus SSLGetAllowsExpiredCerts (SSLContextRef ctx, Boolean *allowExpired) { - if(ctx == NULL) { - return errSecParam; - } - *allowExpired = ctx->allowExpiredCerts; - return errSecSuccess; + /* This has been deprecated since 10.9, and non-functional since at least 10.10 */ + return errSecUnimplemented; } OSStatus SSLSetAllowsExpiredRoots(SSLContextRef ctx, Boolean allowExpired) { - if(ctx == NULL) { - return errSecParam; - } - sslCertDebug("SSLSetAllowsExpiredRoots %s", - allowExpired ? "true" : "false"); - if(sslIsSessionActive(ctx)) { - /* can't do this with an active session */ - return errSecBadReq; - } - ctx->allowExpiredRoots = allowExpired; - return errSecSuccess; + /* This has been deprecated since 10.9, and non-functional since at least 10.10 */ + return 0; } OSStatus SSLGetAllowsExpiredRoots (SSLContextRef ctx, Boolean *allowExpired) { - if(ctx == NULL) { - return errSecParam; - } - *allowExpired = ctx->allowExpiredRoots; - return errSecSuccess; + /* This has been deprecated since 10.9, and non-functional since at least 10.10 */ + return errSecUnimplemented; } OSStatus SSLSetAllowsAnyRoot( @@ -1483,6 +1476,7 @@ SSLCopyTrustedRoots (SSLContextRef ctx, #endif } +#if !TARGET_OS_IPHONE OSStatus SSLSetTrustedLeafCertificates (SSLContextRef ctx, CFArrayRef trustedCerts) 
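Review bot: The deprecated `SSLGetAllowsExpiredCerts` and `SSLGetAllowsExpiredRoots` now return `errSecUnimplemented` without writing `*allowExpired`, so a caller that ignores the status reads an uninitialized Boolean; setting `*allowExpired = false;` before the return costs nothing and reflects the actual behaviour. The matching setters return the literal `0` where the rest of the file uses `errSecSuccess`. Returning success from a setter that no longer does anything is defensible only because the ignored request would have loosened certificate validation; the comment could say that explicitly.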
@@ -1498,8 +1492,7 @@ SSLSetTrustedLeafCertificates (SSLContextRef ctx, if(ctx->trustedLeafCerts) { CFRelease(ctx->trustedLeafCerts); } - ctx->trustedLeafCerts = trustedCerts; - CFRetain(trustedCerts); + ctx->trustedLeafCerts = CFRetainSafe(trustedCerts); return errSecSuccess; } @@ -1518,6 +1511,7 @@ SSLCopyTrustedLeafCertificates (SSLContextRef ctx, *trustedCerts = NULL; return errSecSuccess; } +#endif OSStatus SSLSetClientSideAuthenticate (SSLContext *ctx, @@ -1568,7 +1562,7 @@ SSLGetClientCertificateState (SSLContextRef ctx, *clientState = kSSLClientCertNone; break; case kSSLClientCertRequested: - if(ctx->localCert) { + if(ctx->localCertArray) { *clientState = kSSLClientCertSent; } else { *clientState = kSSLClientCertRequested; @@ -1587,7 +1581,7 @@ SSLGetClientCertificateState (SSLContextRef ctx, *clientState = ctx->clientCertState; break; case kSSLClientCertRequested: - if(ctx->peerCert) { + if(ctx->peerSecTrust) { *clientState = kSSLClientCertSent; } else { *clientState = kSSLClientCertRequested; @@ -1602,10 +1596,13 @@ SSLGetClientCertificateState (SSLContextRef ctx, return errSecSuccess; } +#include <tls_helpers.h> + OSStatus SSLSetCertificate (SSLContextRef ctx, - CFArrayRef certRefs) + CFArrayRef _Nullable certRefs) { + OSStatus ortn; /* * -- free localCerts if we have any * -- Get raw cert data, convert to ctx->localCert 
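Review bot: `#include <tls_helpers.h>` is inserted mid-file directly above SSLSetCertificate instead of in the include block at the top of the file, where the sslCrypto.c hunk at @@ -47 of this same patch puts the identical include; move it up. The comment kept in the function header, `-- Get raw cert data, convert to ctx->localCert`, is stale now that this patch removes the localCert field from SSLContext; reword it to `-- hand the identity to the coreTLS handshake (tls_helper_set_identity_from_array)`. SSLSetCertificate's body continues in the next hunk.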
@@ -1617,23 +1614,17 @@ SSLSetCertificate (SSLContextRef ctx, } CFReleaseNull(ctx->localCertArray); - /* changing the client cert invalidates negotiated auth type */ - ctx->negAuthType = SSLClientAuthNone; if(certRefs == NULL) { return errSecSuccess; // we have cleared the cert, as requested } - sslFreeLocalCert(ctx); - OSStatus ortn = parseIncomingCerts(ctx, - certRefs, - &ctx->localCert, - &ctx->signingPrivKeyRef); - if(ortn == errSecSuccess) { - ctx->localCertArray = certRefs; - CFRetain(certRefs); - if(ctx->protocolSide==kSSLClientSide) - SSLUpdateNegotiatedClientAuthType(ctx); - tls_handshake_set_identity(ctx->hdsk, ctx->localCert, ctx->signingPrivKeyRef); + + ortn = tls_helper_set_identity_from_array(ctx->hdsk, certRefs); + + if(ortn == noErr) { + ctx->localCertArray = certRefs; + CFRetain(certRefs); } + return ortn; } 
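Review bot: When `certRefs == NULL` the function releases ctx->localCertArray and returns errSecSuccess, but the identity previously installed in ctx->hdsk is left in place, while SSLGetClientCertificateState (@@ -1568) now reports "sent" based on localCertArray; after a clear the getter and the handshake can therefore disagree. If tls_helper_set_identity_from_array accepts a NULL array to clear the identity, call it before the early return; otherwise state in the comment that clearing only affects the getter. `if(ortn == noErr)` sits a few lines after `return errSecSuccess;`; the file otherwise uses the errSec* spelling, so use `errSecSuccess` here too. The function's opening is outside this hunk.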
@@ -1931,46 +1922,34 @@ SSLCopyDistinguishedNames (SSLContextRef ctx, /* * Request peer certificates. Valid anytime, subsequent to * a handshake attempt. - * Common code for SSLGetPeerCertificates() and SSLCopyPeerCertificates(). - * TODO: the 'legacy' argument is not used anymore. */ -static OSStatus -sslCopyPeerCertificates (SSLContextRef ctx, - CFArrayRef *certs, - Boolean legacy) +OSStatus +SSLCopyPeerCertificates (SSLContextRef ctx, CFArrayRef *certs) { if(ctx == NULL) { return errSecParam; } - if (!ctx->peerCert) { + if (!ctx->peerSecTrust) { *certs = NULL; return errSecBadReq; } - CFArrayRef ca = CFArrayCreateCopy(kCFAllocatorDefault, ctx->peerCert); - *certs = ca; + CFIndex count = SecTrustGetCertificateCount(ctx->peerSecTrust); + CFMutableArrayRef ca = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks); if (ca == NULL) { return errSecAllocate; } - if (legacy) { - CFIndex ix, count = CFArrayGetCount(ca); - for (ix = 0; ix < count; ++ix) { - CFRetain(CFArrayGetValueAtIndex(ca, ix)); - } - } + for (CFIndex ix = 0; ix < count; ++ix) { + CFArrayAppendValue(ca, SecTrustGetCertificateAtIndex(ctx->peerSecTrust, ix)); + } + *certs = ca; + return errSecSuccess; } -OSStatus -SSLCopyPeerCertificates (SSLContextRef ctx, - CFArrayRef *certs) -{ - return sslCopyPeerCertificates(ctx, certs, false); -} - #if !TARGET_OS_IPHONE // Permanently removing from iOS, keep for OSX (deprecated), removed from headers. // <rdar://problem/14215831> Mailsmith Crashes While Getting New Mail Under Mavericks Developer Preview @@ -1981,7 +1960,7 @@ OSStatus SSLGetPeerCertificates (SSLContextRef ctx, CFArrayRef *certs) { - return sslCopyPeerCertificates(ctx, certs, true); + return errSecUnimplemented; } #endif 
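Review bot: SSLCopyPeerCertificates fails with errSecBadReq whenever ctx->peerSecTrust is NULL, yet SSLCopyPeerTrust (@@ -2105 of this patch) creates peerSecTrust lazily for resumed sessions, so on a resumed session this call presumably fails until SSLCopyPeerTrust or SSLGetPeerSecTrust has been invoked. Either perform the same lazy `sslCreateSecTrust(ctx, &ctx->peerSecTrust)` here or amend the header comment, which still claims the call is "Valid anytime, subsequent to a handshake attempt". Certificates appended from SecTrustGetCertificateAtIndex are retained by the kCFTypeArrayCallBacks array, so the ownership looks right.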
@@ -2105,12 +2084,8 @@ SSLCopyPeerTrust( /* Create a SecTrustRef if this was a resumed session and we didn't have one yet. */ - if (!ctx->peerCert) { - ctx->peerCert = tls_get_peer_certs(tls_handshake_get_peer_certificates(ctx->hdsk)); - } - if (!ctx->peerSecTrust && ctx->peerCert) { - status = sslCreateSecTrust(ctx, ctx->peerCert, - &ctx->peerSecTrust); + if (!ctx->peerSecTrust) { + status = sslCreateSecTrust(ctx, &ctx->peerSecTrust); } *trust = ctx->peerSecTrust; @@ -2130,9 +2105,8 @@ OSStatus SSLGetPeerSecTrust( /* Create a SecTrustRef if this was a resumed session and we didn't have one yet. */ - if (!ctx->peerSecTrust && ctx->peerCert) { - status = sslCreateSecTrust(ctx, ctx->peerCert, - &ctx->peerSecTrust); + if (!ctx->peerSecTrust) { + status = sslCreateSecTrust(ctx, &ctx->peerSecTrust); } *trust = ctx->peerSecTrust; 
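Review bot: SSLCopyPeerTrust and SSLGetPeerSecTrust now carry the same lazy-creation block, `if (!ctx->peerSecTrust) { status = sslCreateSecTrust(ctx, &ctx->peerSecTrust); }`, with the same comment; a small static helper called from both would keep the two from drifting apart. Both functions hand back `ctx->peerSecTrust` regardless of `status`, which is safe only because sslCreateSecTrust (sslCrypto.c @@ -71 in this patch) nulls the out-pointer on failure; a comment recording that dependency would help the next reader. The enclosing functions begin and end outside these hunks.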
@@ -2454,92 +2428,13 @@ OSStatus SSLGetClientAuthTypes( } /* - * Obtain the SSLClientAuthenticationType actually performed. - * Only valid if client certificate state is kSSLClientCertSent - * or kSSLClientCertRejected; returns errSecParam otherwise. + * -- DEPRECATED -- Return errSecUnimplemented. */ OSStatus SSLGetNegotiatedClientAuthType( SSLContextRef ctx, SSLClientAuthenticationType *authType) /* RETURNED */ { - if(ctx == NULL) { - return errSecParam; - } - - *authType = ctx->negAuthType; - - return errSecSuccess; -} - -/* - * Update the negotiated client authentication type. - * This function may be called at any time; however, note that - * the negotiated authentication type will be SSLClientAuthNone - * until both of the following have taken place (in either order): - * - a CertificateRequest message from the server has been processed - * - a client certificate has been specified - * As such, this function (only) needs to be called from (both) - * SSLProcessCertificateRequest and SSLSetCertificate. - */ -OSStatus SSLUpdateNegotiatedClientAuthType( - SSLContextRef ctx) -{ - if(ctx == NULL) { - return errSecParam; - } - assert(ctx->protocolSide==kSSLClientSide); - /* - * See if we have a signing cert that matches one of the - * allowed auth types. The x509Requested flag indicates "we - * have a cert that we think the server will accept". 
- */ - ctx->x509Requested = 0; - ctx->negAuthType = SSLClientAuthNone; - if(ctx->signingPrivKeyRef != NULL) { - CFIndex ourKeyAlg = sslPrivKeyGetAlgorithmID((SecKeyRef)tls_private_key_get_context(ctx->signingPrivKeyRef)); - - unsigned i; - for(i=0; i<ctx->numAuthTypes; i++) { - switch(ctx->clientAuthTypes[i]) { - case SSLClientAuth_RSASign: - if(ourKeyAlg == kSecRSAAlgorithmID) { - ctx->x509Requested = 1; - ctx->negAuthType = SSLClientAuth_RSASign; - } - break; - case SSLClientAuth_ECDSASign: - #if SSL_ENABLE_ECDSA_FIXED_ECDH_AUTH - case SSLClientAuth_ECDSAFixedECDH: - #endif - if(ourKeyAlg == kSecECDSAAlgorithmID) { - ctx->x509Requested = 1; - ctx->negAuthType = ctx->clientAuthTypes[i]; - } - break; - #if SSL_ENABLE_RSA_FIXED_ECDH_AUTH - case SSLClientAuth_RSAFixedECDH: - /* Odd case, we differ from our signer */ - if((ourKeyAlg == kSecECDSAAlgorithmID) && - (ctx->ourSignerAlg == kSecRSAAlgorithmID)) { - ctx->x509Requested = 1; - ctx->negAuthType = SSLClientAuth_RSAFixedECDH; - } - break; - #endif - default: - /* None others supported */ - break; - } - if(ctx->x509Requested) { - sslLogNegotiateDebug("===CHOOSING authType %d", (int)ctx->negAuthType); - break; - } - } /* parsing authTypes */ - } /* we have a signing key */ - - tls_handshake_set_client_auth_type(ctx->hdsk, ctx->negAuthType); - - return errSecSuccess; + return errSecUnimplemented; } OSStatus SSLGetNumberOfSignatureAlgorithms( @@ -2642,14 +2537,6 @@ OSStatus SSLInternal_PRF( vout, outLen); } -/* To be implemented */ -OSStatus -SSLSetSessionStrengthPolicy(SSLContextRef context, - SSLSessionStrengthPolicy policyStrength) -{ - return errSecSuccess; -} - const CFStringRef kSSLSessionConfig_default = CFSTR("default"); const CFStringRef kSSLSessionConfig_ATSv1 = CFSTR("ATSv1"); const CFStringRef kSSLSessionConfig_ATSv1_noPFS = CFSTR("ATSv1_noPFS"); 
@@ -2659,61 +2546,36 @@ const CFStringRef kSSLSessionConfig_RC4_fallback = CFSTR("RC4_fallback"); const CFStringRef kSSLSessionConfig_TLSv1_fallback = CFSTR("TLSv1_fallback"); const CFStringRef kSSLSessionConfig_TLSv1_RC4_fallback = CFSTR("TLSv1_RC4_fallback"); const CFStringRef kSSLSessionConfig_legacy_DHE = CFSTR("legacy_DHE"); +const CFStringRef kSSLSessionConfig_anonymous = CFSTR("anonymous"); static tls_handshake_config_t SSLSessionConfig_to_tls_handshake_config(CFStringRef config) { if(CFEqual(config, kSSLSessionConfig_ATSv1)){ return tls_handshake_config_ATSv1; - } else if(CFEqual(config, kSSLSessionConfig_ATSv1_noPFS)){ + } else if(CFEqual(config, kSSLSessionConfig_ATSv1_noPFS)){ return tls_handshake_config_ATSv1_noPFS; - } else if(CFEqual(config, kSSLSessionConfig_standard)){ + } else if(CFEqual(config, kSSLSessionConfig_standard)){ return tls_handshake_config_standard; - } else if(CFEqual(config, kSSLSessionConfig_TLSv1_fallback)){ + } else if(CFEqual(config, kSSLSessionConfig_TLSv1_fallback)){ return tls_handshake_config_TLSv1_fallback; - } else if(CFEqual(config, kSSLSessionConfig_TLSv1_RC4_fallback)){ + } else if(CFEqual(config, kSSLSessionConfig_TLSv1_RC4_fallback)){ return tls_handshake_config_TLSv1_RC4_fallback; - } else if(CFEqual(config, kSSLSessionConfig_RC4_fallback)){ + } else if(CFEqual(config, kSSLSessionConfig_RC4_fallback)){ return tls_handshake_config_RC4_fallback; - } else if(CFEqual(config, kSSLSessionConfig_legacy)){ + } else if(CFEqual(config, kSSLSessionConfig_legacy)){ return tls_handshake_config_legacy; - } else if(CFEqual(config, kSSLSessionConfig_legacy_DHE)){ + } else if(CFEqual(config, kSSLSessionConfig_legacy_DHE)){ return tls_handshake_config_legacy_DHE; - } else if(CFEqual(config, kSSLSessionConfig_default)){ + } else if(CFEqual(config, kSSLSessionConfig_anonymous)){ + return tls_handshake_config_anonymous; + } else if(CFEqual(config, kSSLSessionConfig_default)){ return tls_handshake_config_default; } else { return 
tls_handshake_config_none; } } -static -const CFStringRef tls_handshake_config_to_SSLSessionConfig(tls_handshake_config_t config) -{ - switch(config) { - case tls_handshake_config_ATSv1: - return kSSLSessionConfig_ATSv1; - case tls_handshake_config_ATSv1_noPFS: - return kSSLSessionConfig_ATSv1_noPFS; - case tls_handshake_config_standard: - return kSSLSessionConfig_standard; - case tls_handshake_config_RC4_fallback: - return kSSLSessionConfig_RC4_fallback; - case tls_handshake_config_TLSv1_fallback: - return kSSLSessionConfig_TLSv1_fallback; - case tls_handshake_config_TLSv1_RC4_fallback: - return kSSLSessionConfig_TLSv1_RC4_fallback; - case tls_handshake_config_legacy: - return kSSLSessionConfig_legacy; - case tls_handshake_config_legacy_DHE: - return kSSLSessionConfig_legacy_DHE; - case tls_handshake_config_default: - return kSSLSessionConfig_default; - case tls_handshake_config_none: - return NULL; - } -} - - /* Set Predefined TLS Configuration */ OSStatus SSLSetSessionConfig(SSLContextRef context, @@ -2726,19 +2588,3 @@ SSLSetSessionConfig(SSLContextRef context, return errSecParam; } } - -OSStatus -SSLGetSessionConfig(SSLContextRef context, - CFStringRef *config) -{ - tls_handshake_config_t cfg; - OSStatus err = tls_handshake_get_config(context->hdsk, &cfg); - if(err) { - return err; - } - - *config = tls_handshake_config_to_SSLSessionConfig(cfg); - - return noErr; -} - diff --git a/OSX/libsecurity_ssl/lib/sslContext.h b/OSX/libsecurity_ssl/lib/sslContext.h index 10579dc6..590efcb3 100644 --- a/OSX/libsecurity_ssl/lib/sslContext.h +++ b/OSX/libsecurity_ssl/lib/sslContext.h @@ -34,6 +34,7 @@ #include <tls_handshake.h> #include <tls_record.h> #include <tls_stream_parser.h> +#include <tls_cache.h> #ifdef USE_CDSA_CRYPTO #include <Security/cssmtype.h> 
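Review bot: `kSSLSessionConfig_anonymous` is defined and mapped to tls_handshake_config_anonymous without any comment on what the configuration enables; by its name, and given the existing mention of "Anon DH ciphersuites" in sslCrypto.c's tls_verify_peer_cert, it presumably permits unauthenticated key exchange, which callers should be told at the definition, e.g. `/* Anonymous key exchange: the peer's identity is not authenticated */` — confirm against coreTLS before committing the wording. The deletion of SSLGetSessionConfig and its reverse mapping removes a public entry point; if the symbol was exported, the commit description should say so.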
@@ -86,12 +87,11 @@ struct SSLContext CFRuntimeBase _base; IOContext ioCtx; - const struct SSLRecordFuncs *recFuncs; SSLRecordContextRef recCtx; tls_handshake_t hdsk; - + tls_cache_t cache; int readCipher_ready; int writeCipher_ready; @@ -123,20 +123,9 @@ struct SSLContext uint16_t selectedCipher; /* currently selected */ - - tls_private_key_t signingPrivKeyRef; /* our private key */ - - /* Server DH Parameters */ SSLBuffer dhParamsEncoded; /* PKCS3 encoded blob - prime + generator */ - /* - * Local and Peer cert chains. - * For both, the root is the last in the chain. - */ - SSLCertificate *localCert; - CFArrayRef peerCert; - /* * The arrays we are given via SSLSetCertificate() and SSLSetEncryptionCertificate(). * We keep them here, refcounted, solely for the associated getter. @@ -150,10 +139,12 @@ struct SSLContext CFMutableArrayRef trustedCerts; Boolean trustedCertsOnly; +#if !TARGET_OS_IPHONE /* * trusted leaf certs as specified in SSLSetTrustedLeafCertificates() */ CFArrayRef trustedLeafCerts; +#endif Boolean allowExpiredCerts; Boolean allowExpiredRoots; @@ -163,14 +154,11 @@ struct SSLContext SSLBuffer peerID; SSLBuffer resumableSession; /* We keep a copy for now - but eventually this should go away if we get refcounted SSLBuffers */ - - uint16_t *ecdhCurves; unsigned ecdhNumCurves; /* server-side only */ SSLAuthenticate clientAuth; /* kNeverAuthenticate, etc. */ - //Boolean tryClientAuth; /* client and server */ SSLClientCertificateState clientCertState; @@ -229,9 +217,6 @@ struct SSLContext unsigned numAuthTypes; const tls_client_auth_type *clientAuthTypes; - /* client auth type actually negotiated */ - tls_client_auth_type negAuthType; - /* Timeout for DTLS retransmit */ CFAbsoluteTime timeout_deadline; CFAbsoluteTime timeout_duration; diff --git a/OSX/libsecurity_ssl/lib/sslCrypto.c b/OSX/libsecurity_ssl/lib/sslCrypto.c index df6d9707..1142c7f9 100644 --- a/OSX/libsecurity_ssl/lib/sslCrypto.c +++ b/OSX/libsecurity_ssl/lib/sslCrypto.c 
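Review bot: `Boolean allowExpiredCerts;` and `Boolean allowExpiredRoots;` remain in struct SSLContext (context at @@ -150) although sslContext.c in this patch turns their setters and getters into deprecated stubs, so nothing writes or reads them any more; remove them or mark them `/* unused: API deprecated, kept for layout */`. The new `tls_cache_t cache;` member has no comment on ownership, unlike the neighbouring fields; SSLContextDestroy calls tls_cache_cleanup on it, so a comment such as `/* session cache released in SSLContextDestroy */` would match the rest of the struct, if that is indeed the ownership.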
@@ -28,7 +28,6 @@ #include "sslCrypto.h" #include "sslContext.h" #include "sslMemory.h" -#include "sslUtils.h" #include "sslDebug.h" #include <string.h> @@ -47,6 +46,8 @@ #include <Security/SecECKey.h> #endif +#include <tls_helpers.h> + /* * Get algorithm id for a SSLPubKey object. */ 
@@ -71,120 +72,37 @@ CFIndex sslPrivKeyGetAlgorithmID(SecKeyRef privKey) #endif } -static -OSStatus sslCreateCFArrayFromList(const tls_buffer_list_t *list, CFArrayRef *cfArray) -{ - int err; - CFMutableArrayRef array = NULL; - CFDataRef data = NULL; - - err = errSSLInternal; - - array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); - require(array, out); - - while(list) { - require((data = CFDataCreate(kCFAllocatorDefault, list->buffer.data, list->buffer.length)), out); - CFArrayAppendValue(array, data); - CFReleaseNull(data); - list=list->next; - } - - *cfArray = array; - return errSecSuccess; - -out: - CFReleaseSafe(data); - CFReleaseSafe(array); - return err; -} OSStatus sslCreateSecTrust( SSLContext *ctx, - CFArrayRef certChain, SecTrustRef *pTrust) /* RETURNED */ { OSStatus status = errSecAllocate; - CFStringRef peerDomainName = NULL; - CFTypeRef policies = NULL; SecTrustRef trust = NULL; - const char *peerDomainNameData = NULL; - size_t peerDomainNameLen = 0; - if(ctx->protocolSide==kSSLClientSide) { - tls_handshake_get_peer_hostname(ctx->hdsk, &peerDomainNameData, &peerDomainNameLen); - } - - if (CFArrayGetCount(certChain) == 0) { - status = errSSLBadCert; - goto errOut; - } - - if (peerDomainNameLen && peerDomainNameData) { - CFIndex len = peerDomainNameLen; - if (peerDomainNameData[len - 1] == 0) { - len--; - //secwarning("peerDomainName is zero terminated!"); - } - /* @@@ Double check that this is the correct encoding. */ - require(peerDomainName = CFStringCreateWithBytes(kCFAllocatorDefault, - (const UInt8 *)peerDomainNameData, len, - kCFStringEncodingUTF8, false), errOut); - } - - /* If we are the client, our peer certificates must satisfy the - ssl server policy. 
*/ - bool use_server_policy = (ctx->protocolSide == kSSLClientSide); - require(policies = SecPolicyCreateSSL(use_server_policy, peerDomainName), errOut); - - require_noerr(status = SecTrustCreateWithCertificates(certChain, policies, - &trust), errOut); - - /* If we are the client, let's see if we have OCSP responses and SCTs in the TLS handshake */ - if(ctx->protocolSide == kSSLClientSide) { - const tls_buffer_list_t *sct_list = tls_handshake_get_peer_sct_list(ctx->hdsk); - const tls_buffer *ocsp_response = tls_handshake_get_peer_ocsp_response(ctx->hdsk); - - if(ocsp_response) { - CFDataRef responseData = CFDataCreate(kCFAllocatorDefault, ocsp_response->data, ocsp_response->length); - status = SecTrustSetOCSPResponse(trust, responseData); - CFReleaseSafe(responseData); - require_noerr(status, errOut); - } - - if(sct_list) { - CFArrayRef sctArray = NULL; - require_noerr(status = sslCreateCFArrayFromList(sct_list, &sctArray), errOut); -#if TARGET_OS_IPHONE - status = SecTrustSetSignedCertificateTimestamps(trust, sctArray); -#else - status = noErr; -#endif - CFReleaseSafe(sctArray); - require_noerr(status, errOut); - } - } + require_noerr(status = tls_helper_create_peer_trust(ctx->hdsk, ctx->protocolSide==kSSLServerSide, &trust), errOut); /* If we have trustedAnchors we set them here. 
*/ - if (ctx->trustedCerts) { - require_noerr(status = SecTrustSetAnchorCertificates(trust, - ctx->trustedCerts), errOut); - require_noerr(status = SecTrustSetAnchorCertificatesOnly(trust, - ctx->trustedCertsOnly), errOut); + if (trust && ctx->trustedCerts) { + require_noerr(status = SecTrustSetAnchorCertificates(trust, ctx->trustedCerts), errOut); + require_noerr(status = SecTrustSetAnchorCertificatesOnly(trust, ctx->trustedCertsOnly), errOut); } status = errSecSuccess; errOut: - CFReleaseSafe(peerDomainName); - CFReleaseSafe(policies); - - *pTrust = trust; + if(status != noErr) { + CFReleaseSafe(trust); + *pTrust = NULL; + } else { + *pTrust = trust; + } return status; } +#if !TARGET_OS_IPHONE /* Return the first certificate reference from the supplied array * whose data matches the given certificate, or NULL if none match. */ @@ -218,13 +136,13 @@ sslGetMatchingCertInArray( return matchedCert; } +#endif /* * Verify a chain of DER-encoded certs. */ static OSStatus sslVerifyCertChain( - SSLContext *ctx, - CFArrayRef certChain) + SSLContext *ctx) { OSStatus status; SecTrustRef trust = NULL; @@ -232,7 +150,10 @@ static OSStatus sslVerifyCertChain( /* renegotiate - start with a new SecTrustRef */ CFReleaseNull(ctx->peerSecTrust); - if(certChain==NULL) { + /* on failure, we always return trust==NULL, so we don't check the returned status here */ + sslCreateSecTrust(ctx, &trust); + + if(trust==NULL) { if(ctx->protocolSide == kSSLClientSide) { /* No cert chain is always a trust failure on the server side */ status = errSSLXCertChainInvalid; @@ -249,7 +170,6 @@ static OSStatus sslVerifyCertChain( goto errOut; } - status = sslCreateSecTrust(ctx, certChain, &trust); if (!ctx->enableCertVerify) { /* trivial case, this is caller's responsibility */ 
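Review bot: The second argument to `tls_helper_create_peer_trust(ctx->hdsk, ctx->protocolSide==kSSLServerSide, &trust)` is a bare boolean whose meaning is not visible here; the replaced code computed `use_server_policy = (ctx->protocolSide == kSSLClientSide)`, the opposite condition, so whether this flag means "we are the server" or "use the server policy" should be confirmed and named in a comment, e.g. `/* is_server: a server evaluates client certificates */`. The removed lines also performed the hostname binding (SecPolicyCreateSSL with the peer name) and the OCSP/SCT attachment; the function now relies entirely on the helper for these, and a comment saying so would make the delegation explicit for the next auditor. The `if (trust && ctx->trustedCerts)` guard is the only remaining check that the helper produced a trust object on success.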
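Review bot: `sslCreateSecTrust(ctx, &trust);` in sslVerifyCertChain discards its status, and the code then treats `trust == NULL` as "no certificate presented", which folds a failure to build the trust object (allocation failure, or a peer chain the helper rejects) into the same branch as a peer that sent no chain at all. On the client side both end in errSSLXCertChainInvalid, but the server-side branch continues outside the hunk and presumably consults ctx->clientAuth; if that branch accepts "no certificate" for optional client auth, a malformed client chain would be handled as if none had been sent. Keep the status, e.g. `status = sslCreateSecTrust(ctx, &trust); if (status != errSecSuccess) goto errOut;` ahead of the NULL check, or confirm that the helper yields NULL only for an absent chain and say so in the comment.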
@@ -275,16 +195,18 @@ static OSStatus sslVerifyCertChain( status = errSecSuccess; } else { +#if !TARGET_OS_IPHONE /* * If the caller provided a list of trusted leaf certs, check them here */ - if(ctx->trustedLeafCerts) { - if (sslGetMatchingCertInArray((SecCertificateRef)CFArrayGetValueAtIndex(certChain, 0), - ctx->trustedLeafCerts)) { - status = errSecSuccess; - goto errOut; - } - } + if(ctx->trustedLeafCerts) { + if (sslGetMatchingCertInArray(SecTrustGetCertificateAtIndex(trust, 0), + ctx->trustedLeafCerts)) { + status = errSecSuccess; + goto errOut; + } + } +#endif status = errSSLXCertChainInvalid; } /* Do we really need to return things like: 
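Review bot: `SecTrustGetCertificateAtIndex(trust, 0)` assumes the trust object holds at least one certificate; the replaced code indexed the caller-supplied certChain the same way, but with the chain now built by the helper it is worth guarding with `SecTrustGetCertificateCount(trust) > 0` before the lookup. A matching trusted leaf still turns the outcome into errSecSuccess regardless of the evaluation result that precedes it, which is the pinning semantic this block has always had; a one-line comment stating that an explicitly trusted leaf overrides the chain evaluation would make the intent clear. sslVerifyCertChain's body continues outside this hunk.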
@@ -306,144 +228,6 @@ errOut: return status; } -/* Extract public SecKeyRef from Certificate Chain */ -static -int sslCopyPeerPubKey(const SSLCertificate *certchain, - SecKeyRef *pubKey) -{ - int err; - check(pubKey); - SecTrustRef trust = NULL; - const SSLCertificate *cert; - CFMutableArrayRef certArray = NULL; - CFDataRef certData = NULL; - SecCertificateRef cfCert = NULL; - - err = errSSLInternal; - - certArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); - cert = certchain; - while(cert) { - require((certData = CFDataCreate(kCFAllocatorDefault, cert->derCert.data, cert->derCert.length)), out); - require_action((cfCert = SecCertificateCreateWithData(kCFAllocatorDefault, certData)), out, err=errSSLBadCert); - CFArrayAppendValue(certArray, cfCert); - CFReleaseNull(cfCert); - CFReleaseNull(certData); - cert=cert->next; - } - - require_noerr((err=SecTrustCreateWithCertificates(certArray, NULL, &trust)), out); - SecKeyRef key = SecTrustCopyPublicKey(trust); - require_action(key, out, err=errSSLBadCert); - - *pubKey = key; - - err = errSecSuccess; - -out: - CFReleaseSafe(certData); - CFReleaseSafe(cfCert); - CFReleaseSafe(trust); - CFReleaseSafe(certArray); - - return err; -} - -/* Extract the pubkey from a cert chain, and send it to the tls_handshake context */ -int tls_set_peer_pubkey(SSLContext *ctx) -{ - int err; - CFIndex algId; - SecKeyRef pubkey = NULL; - CFDataRef modulus = NULL; - CFDataRef exponent = NULL; - CFDataRef ecpubdata = NULL; - const SSLCertificate *certchain = NULL; - - certchain = tls_handshake_get_peer_certificates(ctx->hdsk); - CFReleaseNull(ctx->peerCert); - - /* If there is no certchain, then we don't need to set the pubkey in coreTLS */ - /* We should really set it to "NULL" or none, but we need to fix the coreTLS API */ - /* See: <rdar://problem/19723662> coreTLS: replace tls_handshake_set_peer_rsa_public_key and tls_handshake_set_peer_ec_public_key with a common function */ - if(!certchain) - return 0; - - 
ctx->peerCert = tls_get_peer_certs(certchain); - -#if 0 - { /* dump certs */ - int i=0; - int j; - const SSLCertificate *tmp = certchain; - while(tmp) { - printf("cert%d[] = {", i); - for(j=0; j<tmp->derCert.length; j++) { - if((j&0xf)==0) - printf("\n"); - printf("0x%02x, ", tmp->derCert.data[j]); - } - printf("}\n"); - tmp=tmp->next; - i++; - } - } -#endif - - require_noerr((err=sslCopyPeerPubKey(certchain, &pubkey)), errOut); - -#if TARGET_OS_IPHONE - algId = SecKeyGetAlgorithmID(pubkey); -#else - algId = SecKeyGetAlgorithmId(pubkey); -#endif - - err = errSSLCrypto; - - switch(algId) { - case kSecRSAAlgorithmID: - { - require((modulus = SecKeyCopyModulus(pubkey)), errOut); - require((exponent = SecKeyCopyExponent(pubkey)), errOut); - - tls_buffer mod; - tls_buffer exp; - - mod.data = (uint8_t *)CFDataGetBytePtr(modulus); - mod.length = CFDataGetLength(modulus); - - exp.data = (uint8_t *)CFDataGetBytePtr(exponent); - exp.length = CFDataGetLength(exponent); - - err = tls_handshake_set_peer_rsa_public_key(ctx->hdsk, &mod, &exp); - break; - } - case kSecECDSAAlgorithmID: - { - tls_named_curve curve = SecECKeyGetNamedCurve(pubkey); - require((ecpubdata = SecECKeyCopyPublicBits(pubkey)), errOut); - - tls_buffer pubdata; - pubdata.data = (uint8_t *)CFDataGetBytePtr(ecpubdata); - pubdata.length = CFDataGetLength(ecpubdata); - - err = tls_handshake_set_peer_ec_public_key(ctx->hdsk, curve, &pubdata); - - break; - } - default: - break; - } - -errOut: - CFReleaseSafe(pubkey); - CFReleaseSafe(modulus); - CFReleaseSafe(exponent); - CFReleaseSafe(ecpubdata); - - return err; -} - /* Convert cert in DER format into an CFArray of SecCertificateRef */ CFArrayRef tls_get_peer_certs(const SSLCertificate *certs) 
@@ -487,7 +271,7 @@ tls_verify_peer_cert(SSLContext *ctx) call to tls_handshake_set_peer_trust(). In some case a verification failure here is normal, for example if there is no cert (eg: PSK and Anon DH ciphersuites) */ - st = sslVerifyCertChain(ctx, ctx->peerCert); + st = sslVerifyCertChain(ctx); tls_handshake_trust_t trust; switch (st) { case errSecSuccess: @@ -519,7 +303,7 @@ tls_verify_peer_cert(SSLContext *ctx) if (ctx->breakOnClientAuth) { err = errSSLClientAuthCompleted; } - } else if(ctx->peerCert) { + } else if(ctx->peerSecTrust) { /* * Schedule return to the caller to verify the server's identity. * This will only return if a server cert was sent. In other cases diff --git a/OSX/libsecurity_ssl/lib/sslCrypto.h b/OSX/libsecurity_ssl/lib/sslCrypto.h index 52fb833d..007fa969 100644 --- a/OSX/libsecurity_ssl/lib/sslCrypto.h +++ b/OSX/libsecurity_ssl/lib/sslCrypto.h @@ -58,7 +58,6 @@ CFIndex sslPrivKeyGetAlgorithmID(SecKeyRef privKey); OSStatus sslCreateSecTrust( SSLContext *ctx, - CFArrayRef certChain, SecTrustRef *trust); /* RETURNED */ OSStatus sslVerifySelectedCipher( diff --git a/OSX/libsecurity_ssl/lib/sslDebug.h b/OSX/libsecurity_ssl/lib/sslDebug.h index b42e4c01..00dc5cda 100644 --- a/OSX/libsecurity_ssl/lib/sslDebug.h +++ b/OSX/libsecurity_ssl/lib/sslDebug.h @@ -29,8 +29,8 @@ #define _SSL_DEBUG_H_ #ifdef KERNEL -/* TODO: support secdebug in the kernel */ -#define secdebug(x...) +/* TODO: support secinfo in the kernel */ +#define secinfo(x...) #else /* KERNEL */ #include <utilities/debugging.h> #endif 
@@ -40,43 +40,43 @@ #endif -#define ssl_secdebug secdebug +#define ssl_secinfo secinfo #ifndef NDEBUG /* log changes in handshake state */ -#define sslHdskStateDebug(args...) ssl_secdebug("sslHdskState", ## args) +#define sslHdskStateDebug(args...) ssl_secinfo("sslHdskState", ## args) /* log handshake and alert messages */ -#define sslHdskMsgDebug(args...) ssl_secdebug("sslHdskMsg", ## args) +#define sslHdskMsgDebug(args...) ssl_secinfo("sslHdskMsg", ## args) /* log negotiated handshake parameters */ -#define sslLogNegotiateDebug(args...) ssl_secdebug("sslLogNegotiate", ## args) +#define sslLogNegotiateDebug(args...) ssl_secinfo("sslLogNegotiate", ## args) /* log received protocol messsages */ -#define sslLogRxProtocolDebug(msgType) ssl_secdebug("sslLogRxProtocol", \ +#define sslLogRxProtocolDebug(msgType) ssl_secinfo("sslLogRxProtocol", \ "---received protoMsg %s", msgType) /* log resumable session info */ -#define sslLogResumSessDebug(args...) ssl_secdebug("sslResumSession", ## args) +#define sslLogResumSessDebug(args...) ssl_secinfo("sslResumSession", ## args) /* log low-level session info in appleSession.c */ -#define sslLogSessCacheDebug(args...) ssl_secdebug("sslSessionCache", ## args) +#define sslLogSessCacheDebug(args...) ssl_secinfo("sslSessionCache", ## args) /* log record-level I/O (SSLRead, SSLWrite) */ -#define sslLogRecordIo(args...) ssl_secdebug("sslRecordIo", ## args) +#define sslLogRecordIo(args...) ssl_secinfo("sslRecordIo", ## args) /* cert-related info */ -#define sslCertDebug(args...) ssl_secdebug("sslCert", ## args) +#define sslCertDebug(args...) ssl_secinfo("sslCert", ## args) /* Diffie-Hellman */ -#define sslDhDebug(args...) ssl_secdebug("sslDh", ## args) +#define sslDhDebug(args...) ssl_secinfo("sslDh", ## args) /* EAP-FAST PAC-based session resumption */ -#define sslEapDebug(args...) ssl_secdebug("sslEap", ## args) +#define sslEapDebug(args...) ssl_secinfo("sslEap", ## args) /* ECDSA */ -#define sslEcdsaDebug(args...) 
ssl_secdebug("sslEcdsa", ## args) +#define sslEcdsaDebug(args...) ssl_secinfo("sslEcdsa", ## args) #else /* NDEBUG */ @@ -110,13 +110,13 @@ extern void SSLDump(const unsigned char *data, unsigned long len); /* extra debug logging of non-error conditions, if SSL_DEBUG is defined */ #if SSL_DEBUG //#define sslDebugLog(args...) printf(args) -#define sslDebugLog(args...) ssl_secdebug("sslDebug", ## args) +#define sslDebugLog(args...) ssl_secinfo("sslDebug", ## args) #else #define sslDebugLog(args...) #endif /* all errors logged to stdout for DEBUG config only */ //#define sslErrorLog(args...) printf(args) -#define sslErrorLog(args...) ssl_secdebug("sslError", ## args) +#define sslErrorLog(args...) ssl_secinfo("sslError", ## args) #define sslDump(d, l) SSLDump((d), (l)) #endif /* NDEBUG */ diff --git a/OSX/libsecurity_ssl/lib/sslKeychain.c b/OSX/libsecurity_ssl/lib/sslKeychain.c index c561c0a2..feadf29a 100644 --- a/OSX/libsecurity_ssl/lib/sslKeychain.c +++ b/OSX/libsecurity_ssl/lib/sslKeychain.c @@ -40,7 +40,6 @@ #include "sslDebug.h" #include "sslKeychain.h" -#include "sslUtils.h" #include <string.h> #include <assert.h> diff --git a/OSX/libsecurity_ssl/lib/sslRecord.c b/OSX/libsecurity_ssl/lib/sslRecord.c index 601761f4..d5ec8974 100644 --- a/OSX/libsecurity_ssl/lib/sslRecord.c +++ b/OSX/libsecurity_ssl/lib/sslRecord.c @@ -31,7 +31,6 @@ #include "sslMemory.h" #include "sslContext.h" #include "sslDebug.h" -#include "sslUtils.h" #include "SSLRecordInternal.h" #include <string.h> diff --git a/OSX/libsecurity_ssl/lib/sslTransport.c b/OSX/libsecurity_ssl/lib/sslTransport.c index 8bd50bca..0be0d389 100644 --- a/OSX/libsecurity_ssl/lib/sslTransport.c +++ b/OSX/libsecurity_ssl/lib/sslTransport.c 
@@ -31,12 +31,15 @@ #include "sslRecord.h" #include "sslDebug.h" #include "sslCipherSpecs.h" -#include "sslUtils.h" #include <assert.h> #include <string.h> #include <utilities/SecIOFormat.h> +#include <utilities/SecCFWrappers.h> + +#include <CommonCrypto/CommonDigest.h> +#include <Security/SecCertificatePriv.h> #ifndef NDEBUG static inline void sslIoTrace( @@ -57,7 +60,6 @@ extern int kSplitDefaultValue; static OSStatus SSLProcessProtocolMessage(SSLRecord *rec, SSLContext *ctx); static OSStatus SSLHandshakeProceed(SSLContext *ctx); -//static OSStatus SSLInitConnection(SSLContext *ctx); OSStatus SSLWrite( @@ -75,7 +77,6 @@ SSLWrite( return errSecParam; } dataLen = dataLength; - processed = 0; /* Initialize in case we return with errSSLWouldBlock */ *bytesWritten = 0; switch(ctx->state) { @@ -98,7 +99,6 @@ SSLWrite( /* First, we have to wait until the session is ready to send data, so the encryption keys and such have been established. */ - err = errSecSuccess; while (!(ctx->writeCipher_ready)) { if ((err = SSLHandshakeProceed(ctx)) != 0) goto exit; @@ -113,7 +113,6 @@ SSLWrite( /* Skip empty writes, fragmentation is done at the coreTLS layer */ if(dataLen) { rec.contentType = SSL_RecordTypeAppData; - rec.protocolVersion = ctx->negProtocolVersion; rec.contents.data = ((uint8_t *)data) + processed; rec.contents.length = dataLen; if ((err = SSLWriteRecord(rec, ctx)) != 0) 
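Review bot: Removing `processed = 0; /* Initialize in case we return with errSSLWouldBlock */` in the @@ -75 hunk leaves `processed` read at `rec.contents.data = ((uint8_t *)data) + processed;` in the @@ -113 hunk; unless its declaration, which is outside these hunks, now carries an initializer, that is a read of an uninitialized variable. Likewise the deletion of `err = errSecSuccess;` before `while (!(ctx->writeCipher_ready))` in @@ -98 means that when the cipher is already ready and `dataLen` is zero, none of the visible statements assigns `err` before the exit paths, so the returned value depends on the declaration. Restoring `processed = 0;` or initializing both at declaration (`OSStatus err = errSecSuccess; size_t processed = 0;`) removes the doubt. SSLWrite begins and ends outside these hunks.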
@@ -133,13 +132,14 @@ exit: case errSSLUnexpectedRecord: case errSSLServerAuthCompleted: /* == errSSLClientAuthCompleted */ case errSSLClientCertRequested: - case errSSLClosedGraceful: - break; - default: - sslErrorLog("SSLWrite: going to state errorClose due to err %d\n", - (int)err); - SSLChangeHdskState(ctx, SSL_HdskStateErrorClose); - break; + case errSSLClientHelloReceived: + case errSSLClosedGraceful: + break; + default: + sslErrorLog("SSLWrite: going to state errorClose due to err %d\n", + (int)err); + SSLChangeHdskState(ctx, SSL_HdskStateErrorClose); + break; } abort: sslIoTrace(ctx, "SSLWrite(2)", dataLength, *bytesWritten, err); @@ -183,25 +183,31 @@ readRetry: /* First, we have to wait until the session is ready to receive data, so the encryption keys and such have been established. */ - err = errSecSuccess; while (ctx->readCipher_ready == 0) { if ((err = SSLHandshakeProceed(ctx)) != 0) { goto exit; } } + /* Need this to handle the case were SSLRead returned + errSSLClientHelloReceived as readCipher_ready is not set yet in that case */ + if ((err = tls_handshake_continue(ctx->hdsk)) != 0) + return err; + /* Attempt to service the write queue */ if ((err = SSLServiceWriteQueue(ctx)) != 0) { if (err != errSSLWouldBlock) { goto exit; } - err = errSecSuccess; /* Write blocking shouldn't stop attempts to read */ } remaining = bufSize; charPtr = (uint8_t *)data; + + /* If we have data in the buffer, use that first */ if (ctx->receivedDataBuffer.data) - { count = ctx->receivedDataBuffer.length - ctx->receivedDataPos; + { + count = ctx->receivedDataBuffer.length - ctx->receivedDataPos; if (count > bufSize) count = bufSize; memcpy(data, ctx->receivedDataBuffer.data + ctx->receivedDataPos, count); 
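Review bot: The new `if ((err = tls_handshake_continue(ctx->hdsk)) != 0) return err;` in SSLRead returns directly, bypassing the `exit:` label that every other error path uses, where the trailing switch decides whether to move the context to SSL_HdskStateErrorClose and sslIoTrace logs the result; use `goto exit;` for consistency. Dropping `err = errSecSuccess; /* Write blocking shouldn't stop attempts to read */` leaves `err == errSSLWouldBlock` after a blocked write queue; if the read is then satisfied entirely from ctx->receivedDataBuffer without another assignment to `err`, the caller could receive errSSLWouldBlock together with data — the rest of the function is outside this hunk, so confirm a later assignment covers that path. The comment `/* Need this to handle the case were SSLRead returned` has "were" for "where".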
@@ -217,29 +223,27 @@ readRetry: if (ctx->receivedDataBuffer.data != 0 && ctx->receivedDataPos >= ctx->receivedDataBuffer.length) - { SSLFreeBuffer(&ctx->receivedDataBuffer); + { + SSLFreeBuffer(&ctx->receivedDataBuffer); ctx->receivedDataBuffer.data = 0; ctx->receivedDataPos = 0; } /* - * This while statement causes a hang when using nonblocking low-level I/O! - while (remaining > 0 && ctx->state != SSL_HdskStateGracefulClose) - ..what we really have to do is just return as soon as we read one - record. A performance hit in the nonblocking case, but that is - the only way this code can work in both modes... + * If we didnt fill up the users buffer, get some more data */ if (remaining > 0 && ctx->state != SSL_HdskStateGracefulClose) - { assert(ctx->receivedDataBuffer.data == 0); + { + assert(ctx->receivedDataBuffer.data == 0); if ((err = SSLReadRecord(&rec, ctx)) != 0) { goto exit; } if (rec.contentType == SSL_RecordTypeAppData || rec.contentType == SSL_RecordTypeV2_0) - { if (rec.contents.length <= remaining) - { memcpy(charPtr, rec.contents.data, rec.contents.length); - remaining -= rec.contents.length; - charPtr += rec.contents.length; + { + if (rec.contents.length <= remaining) + { /* Copy all we got in the user's buffer */ + memcpy(charPtr, rec.contents.data, rec.contents.length); *processed += rec.contents.length; { if ((err = SSLFreeRecord(rec, ctx))) { @@ -248,12 +252,11 @@ readRetry: } } else - { memcpy(charPtr, rec.contents.data, remaining); - charPtr += remaining; + { /* Copy what we can in the user's buffer, keep the rest for next SSLRead. */ + memcpy(charPtr, rec.contents.data, remaining); *processed += remaining; ctx->receivedDataBuffer = rec.contents; ctx->receivedDataPos = remaining; - remaining = 0; } } else { @@ -262,7 +265,7 @@ readRetry: process the write queue. This replicate exactly the behavior before the coreTLS adoption */ if(err == errSSLClosedGraceful) { - err = SSLClose(ctx); + SSLClose(ctx); } else { goto exit; } 
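Review bot: `SSLClose(ctx);` in the @@ -262 hunk now discards the return value, and the intent (keep errSSLClosedGraceful as the caller's result rather than whatever SSLClose reports) is visible only in the removed line; write it as `(void)SSLClose(ctx); /* keep errSSLClosedGraceful for the caller */`. The new comment `If we didnt fill up the users buffer, get some more data` in @@ -217 is missing its apostrophes. SSLRead continues outside these hunks.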
@@ -282,20 +285,21 @@ exit: goto readRetry; } /* shut down on serious errors */ - switch(err) { - case errSecSuccess: - case errSSLWouldBlock: + switch(err) { + case errSecSuccess: + case errSSLWouldBlock: case errSSLUnexpectedRecord: - case errSSLServerAuthCompleted: /* == errSSLClientAuthCompleted */ - case errSSLClientCertRequested: - case errSSLClosedGraceful: - case errSSLClosedNoNotify: - break; - default: - sslErrorLog("SSLRead: going to state errorClose due to err %d\n", - (int)err); - SSLChangeHdskState(ctx, SSL_HdskStateErrorClose); - break; + case errSSLServerAuthCompleted: /* == errSSLClientAuthCompleted */ + case errSSLClientCertRequested: + case errSSLClientHelloReceived: + case errSSLClosedGraceful: + case errSSLClosedNoNotify: + break; + default: + sslErrorLog("SSLRead: going to state errorClose due to err %d\n", + (int)err); + SSLChangeHdskState(ctx, SSL_HdskStateErrorClose); + break; } abort: sslIoTrace(ctx, "SSLRead returns", dataLength, *processed, err); 
@@ -306,6 +310,85 @@ abort: #include "sslCrypto.h" #endif + + +static void get_extended_peer_id(SSLContext *ctx, tls_buffer *extended_peer_id) +{ + uint8_t md[CC_SHA256_DIGEST_LENGTH]; + __block CC_SHA256_CTX hash_ctx; + + CC_SHA256_Init(&hash_ctx); + + CC_SHA256_Update(&hash_ctx, &ctx->allowAnyRoot, sizeof(ctx->allowAnyRoot)); + +#if !TARGET_OS_IPHONE + if(ctx->trustedLeafCerts) { + CFArrayForEach(ctx->trustedLeafCerts, ^(const void *value) { + SecCertificateRef cert = (SecCertificateRef) value; + CC_SHA256_Update(&hash_ctx, SecCertificateGetBytePtr(cert), (CC_LONG)SecCertificateGetLength(cert)); + }); + } +#endif + + CC_SHA256_Update(&hash_ctx, &ctx->trustedCertsOnly, sizeof(ctx->trustedCertsOnly)); + + + if(ctx->trustedCerts) { + CFArrayForEach(ctx->trustedCerts, ^(const void *value) { + SecCertificateRef cert = (SecCertificateRef) value; + CC_SHA256_Update(&hash_ctx, SecCertificateGetBytePtr(cert), (CC_LONG)SecCertificateGetLength(cert)); + }); + } + + CC_SHA256_Final(md, &hash_ctx); + + extended_peer_id->length = ctx->peerID.length + sizeof(md); + extended_peer_id->data = sslMalloc(extended_peer_id->length); + memcpy(extended_peer_id->data, ctx->peerID.data, ctx->peerID.length); + memcpy(extended_peer_id->data+ctx->peerID.length, md, sizeof(md)); +} + +/* Send the initial client hello */ +static OSStatus +SSLHandshakeStart(SSLContext *ctx) +{ + int err; + tls_buffer extended_peer_id; + get_extended_peer_id(ctx, &extended_peer_id); + err = tls_handshake_negotiate(ctx->hdsk, &extended_peer_id); + free(extended_peer_id.data); + if(err) + return err; + + ctx->readCipher_ready = 0; + ctx->writeCipher_ready = 0; + SSLChangeHdskState(ctx, SSL_HdskStatePending); + + return noErr; +} + +OSStatus +SSLReHandshake(SSLContext *ctx) +{ + if(ctx == NULL) { + return errSecParam; + } + + if (ctx->state == SSL_HdskStateGracefulClose) + return errSSLClosedGraceful; + if (ctx->state == SSL_HdskStateErrorClose) + return errSSLClosedAbort; + if (ctx->state == SSL_HdskStatePending) 
+ return errSecBadReq; + + /* If we are the client, we start the negotiation */ + if(ctx->protocolSide == kSSLClientSide) { + return SSLHandshakeStart(ctx); + } else { + return tls_handshake_request_renegotiation(ctx->hdsk); + } +} + OSStatus SSLHandshake(SSLContext *ctx) { @@ -319,8 +402,6 @@ SSLHandshake(SSLContext *ctx) if (ctx->state == SSL_HdskStateErrorClose) return errSSLClosedAbort; - err = errSecSuccess; - if(ctx->isDTLS && ctx->timeout_deadline) { CFAbsoluteTime current = CFAbsoluteTimeGetCurrent(); @@ -333,12 +414,23 @@ SSLHandshake(SSLContext *ctx) } } - while (ctx->readCipher_ready == 0 || ctx->writeCipher_ready == 0) - { + /* Initial Client Hello */ + if(ctx->state==SSL_HdskStateUninit) { + /* If we are the client, we start the negotiation */ + if(ctx->protocolSide == kSSLClientSide) { + err = SSLHandshakeStart(ctx); + if(err) { + return err; + } + } + SSLChangeHdskState(ctx, SSL_HdskStatePending); + } + + do { err = SSLHandshakeProceed(ctx); if((err != 0) && (err != errSSLUnexpectedRecord)) return err; - } + } while (ctx->readCipher_ready == 0 || ctx->writeCipher_ready == 0); /* one more flush at completion of successful handshake */ if ((err = SSLServiceWriteQueue(ctx)) != 0) { @@ -391,10 +483,10 @@ static void ad_log_SecureTransport_early_fail(long signature) CFStringRef key = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("com.apple.SecureTransport.early_fail.%ld"), signature); - if(key) + if(key) { gADClientAddValueForScalarKey(key, 1); - - CFRelease(key); + CFRelease(key); + } } } 
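Review bot: In `get_extended_peer_id` the `sslMalloc(extended_peer_id->length)` result goes straight into `memcpy` with no NULL check, and the function returns void, so an allocation failure becomes a NULL write instead of an error SSLHandshakeStart can return; returning an OSStatus (errSecAllocate on failure) and checking it before `tls_handshake_negotiate` closes that. The buffer is released with `free()` although it was obtained with `sslMalloc`; if the project pairs those as sslMalloc/sslFree elsewhere, use `sslFree` here. A header comment would help the next reader, e.g. `/* Session-cache key = peerID || SHA-256(trust settings), so a session negotiated under one trust configuration is not resumed under another */` — presumably that is why allowAnyRoot, trustedCertsOnly and the trusted cert arrays are hashed in; confirm. `SSLHandshakeStart` already sets SSL_HdskStatePending, and the new block in SSLHandshake (next hunk) sets it again right after for the client side, which is harmless but redundant.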
@@ -431,22 +523,12 @@ static void log_SecureTransport_early_fail(long signature) #endif } + static OSStatus SSLHandshakeProceed(SSLContext *ctx) { OSStatus err; - - if(ctx->state==SSL_HdskStateUninit) { - /* If we are the client, we start the negotiation */ - if(ctx->protocolSide == kSSLClientSide) { - err = tls_handshake_negotiate(ctx->hdsk, &ctx->peerID); - if(err) - return err; - } - SSLChangeHdskState(ctx, SSL_HdskStatePending); - } - if ((err = tls_handshake_continue(ctx->hdsk)) != 0) return err; diff --git a/OSX/libsecurity_ssl/lib/sslTypes.h b/OSX/libsecurity_ssl/lib/sslTypes.h index d3a56ba8..2c9d3f08 100644 --- a/OSX/libsecurity_ssl/lib/sslTypes.h +++ b/OSX/libsecurity_ssl/lib/sslTypes.h @@ -96,7 +96,6 @@ struct typedef struct { uint8_t contentType; - SSLProtocolVersion protocolVersion; SSLBuffer contents; } SSLRecord; diff --git a/OSX/libsecurity_ssl/lib/sslUtils.c b/OSX/libsecurity_ssl/lib/sslUtils.c deleted file mode 100644 index 0390dc78..00000000 --- a/OSX/libsecurity_ssl/lib/sslUtils.c +++ /dev/null 
@@ -1,140 +0,0 @@ -/* - * Copyright (c) 1999-2001,2005-2008,2010-2012,2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/* - * sslUtils.c - Misc. OS independant SSL utility functions - */ - -/* THIS FILE CONTAINS KERNEL CODE */ - -#include "sslUtils.h" -#include "sslTypes.h" -#include "sslDebug.h" - -#include <AssertMacros.h> - -#ifndef NDEBUG -void SSLDump(const unsigned char *data, unsigned long len) -{ - unsigned long i; - for(i=0;i<len;i++) - { - if((i&0xf)==0) printf("%04lx :",i); - printf(" %02x", data[i]); - if((i&0xf)==0xf) printf("\n"); - } - printf("\n"); -} -#endif - -unsigned int -SSLDecodeInt(const uint8_t *p, size_t length) -{ - unsigned int val = 0; - check(length > 0 && length <= 4); //anything else would be an internal error. - while (length--) - val = (val << 8) | *p++; - return val; -} - -uint8_t * -SSLEncodeInt(uint8_t *p, size_t value, size_t length) -{ - unsigned char *retVal = p + length; /* Return pointer to char after int */ - check(length > 0 && length <= 4); //anything else would be an internal error. 
- while (length--) /* Assemble backwards */ - { p[length] = (uint8_t)value; /* Implicit masking to low byte */ - value >>= 8; - } - return retVal; -} - -size_t -SSLDecodeSize(const uint8_t *p, size_t length) -{ - unsigned int val = 0; - check(length > 0 && length <= 4); //anything else would be an internal error. - while (length--) - val = (val << 8) | *p++; - return val; -} - -uint8_t * -SSLEncodeSize(uint8_t *p, size_t value, size_t length) -{ - unsigned char *retVal = p + length; /* Return pointer to char after int */ - check(length > 0 && length <= 4); //anything else would be an internal error. - while (length--) /* Assemble backwards */ - { p[length] = (uint8_t)value; /* Implicit masking to low byte */ - value >>= 8; - } - return retVal; -} - - -uint8_t * -SSLEncodeUInt64(uint8_t *p, uint64_t value) -{ - p = SSLEncodeInt(p, (value>>32)&0xffffffff, 4); - return SSLEncodeInt(p, value&0xffffffff, 4); -} - - -void -IncrementUInt64(sslUint64 *v) -{ - (*v)++; -} - -void -SSLDecodeUInt64(const uint8_t *p, size_t length, uint64_t *v) -{ - check(length > 0 && length <= 8); - if(length<=4) { - *v=SSLDecodeInt(p, length); - } else { - *v=((uint64_t)SSLDecodeInt(p, length-4))<<32 | SSLDecodeInt(p+length-4, 4); - } -} - - -#if SSL_DEBUG - -const char *protocolVersStr(SSLProtocolVersion prot) -{ - switch(prot) { - case SSL_Version_Undetermined: return "SSL_Version_Undetermined"; - case SSL_Version_2_0: return "SSL_Version_2_0"; - case SSL_Version_3_0: return "SSL_Version_3_0"; - case TLS_Version_1_0: return "TLS_Version_1_0"; - case TLS_Version_1_1: return "TLS_Version_1_1"; - case TLS_Version_1_2: return "TLS_Version_1_2"; - default: sslErrorLog("protocolVersStr: bad prot\n"); return "BAD PROTOCOL"; - } - return NULL; /* NOT REACHED */ -} - -#endif /* SSL_DEBUG */ - - - diff --git a/OSX/libsecurity_ssl/lib/sslUtils.h b/OSX/libsecurity_ssl/lib/sslUtils.h deleted file mode 100644 index 992b6ffd..00000000 --- a/OSX/libsecurity_ssl/lib/sslUtils.h +++ /dev/null 
@@ -1,82 +0,0 @@ -/* - * Copyright (c) 2000-2001,2005-2007,2010-2012,2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/* - * sslUtils.h - - Misc. 
OS independant SSL utility functions - */ - -#ifndef _SSLUTILS_H_ -#define _SSLUTILS_H_ 1 - -#include "sslTypes.h" - -#ifdef __cplusplus -extern "C" { -#endif - -uint32_t SSLDecodeInt( - const uint8_t * p, - size_t length); -uint8_t *SSLEncodeInt( - uint8_t *p, - size_t value, - size_t length); - -/* Same, but the value to encode is a size_t */ -size_t SSLDecodeSize( - const uint8_t * p, - size_t length); -uint8_t *SSLEncodeSize( - uint8_t *p, - size_t value, - size_t length); - -/* Same but for 64bits int */ -uint8_t* SSLEncodeUInt64( - uint8_t *p, - sslUint64 value); -void IncrementUInt64( - sslUint64 *v); -void SSLDecodeUInt64( - const uint8_t *p, - size_t length, - sslUint64 *v); - -static inline -int SSLHandshakeHeaderSize(SSLRecord *rec) -{ - if(rec->protocolVersion==DTLS_Version_1_0) - return 12; - else - return 4; -} - -#ifndef NDEBUG -extern const char *protocolVersStr(SSLProtocolVersion prot); -#endif - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/OSX/libsecurity_ssl/lib/tlsCallbacks.c b/OSX/libsecurity_ssl/lib/tlsCallbacks.c index 95827179..5bad6e77 100644 --- a/OSX/libsecurity_ssl/lib/tlsCallbacks.c +++ b/OSX/libsecurity_ssl/lib/tlsCallbacks.c @@ -28,11 +28,12 @@ #include "sslCrypto.h" #include "sslDebug.h" #include "sslMemory.h" -#include "appleSession.h" #include <Security/SecCertificate.h> #include <Security/SecCertificatePriv.h> #include "utilities/SecCFRelease.h" +#include <tls_helpers.h> +#include <tls_cache.h> static int tls_handshake_write_callback(tls_handshake_ctx_t ctx, const SSLBuffer data, uint8_t content_type) 
@@ -65,8 +66,7 @@ tls_handshake_message_callback(tls_handshake_ctx_t ctx, tls_handshake_message_t // Need to call this here, in case SetCertificate was already called. myCtx->clientCertState = kSSLClientCertRequested; myCtx->clientAuthTypes = tls_handshake_get_peer_acceptable_client_auth_type(myCtx->hdsk, &myCtx->numAuthTypes); - SSLUpdateNegotiatedClientAuthType(myCtx); - if (myCtx->breakOnCertRequest && (myCtx->localCert==NULL)) { + if (myCtx->breakOnCertRequest && (myCtx->localCertArray==NULL)) { myCtx->signalCertRequest = true; err = errSSLClientCertRequested; } @@ -93,7 +93,7 @@ tls_handshake_message_callback(tls_handshake_ctx_t ctx, tls_handshake_message_t case tls_handshake_message_certificate: /* For clients, we only check the cert when we receive the ServerHelloDone message. For servers, we check the client's cert right here. For both we set the public key */ - err = tls_set_peer_pubkey(myCtx); + err = tls_helper_set_peer_pubkey(myCtx->hdsk); if(!err && (myCtx->protocolSide == kSSLServerSide)) { err = tls_verify_peer_cert(myCtx); } 
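Review bot: The call to `SSLUpdateNegotiatedClientAuthType(myCtx)` is removed from the certificate-request path with no replacement visible in this hunk and nothing recording where the negotiated client auth type is now chosen; if coreTLS derives it from the `clientAuthTypes` fetched on the line above, a one-line comment such as `/* negotiated client auth type is now selected inside coreTLS */` would stop a reader from assuming the selection was lost. The enclosing tls_handshake_message_callback starts and ends outside this hunk.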
@@ -199,22 +199,28 @@ int tls_handshake_set_protocol_version_callback(tls_handshake_ctx_t ctx, static int tls_handshake_save_session_data_callback(tls_handshake_ctx_t ctx, SSLBuffer sessionKey, SSLBuffer sessionData) { + int err = errSSLSessionNotFound; SSLContext *myCtx = (SSLContext *)ctx; + sslDebugLog("%s: %p, key len=%zd, k[0]=%02x, data len=%zd\n", __FUNCTION__, myCtx, sessionKey.length, sessionKey.data[0], sessionData.length); - return sslAddSession(sessionKey, sessionData, myCtx->sessionCacheTimeout); + + if(myCtx->cache) { + err = tls_cache_save_session_data(myCtx->cache, &sessionKey, &sessionData, myCtx->sessionCacheTimeout); + } + return err; } static int tls_handshake_load_session_data_callback(tls_handshake_ctx_t ctx, SSLBuffer sessionKey, SSLBuffer *sessionData) { SSLContext *myCtx = (SSLContext *)ctx; - int err; + int err = errSSLSessionNotFound; SSLFreeBuffer(&myCtx->resumableSession); - err = sslCopySession(sessionKey, &myCtx->resumableSession); - + if(myCtx->cache) { + err = tls_cache_load_session_data(myCtx->cache, &sessionKey, &myCtx->resumableSession); + } sslDebugLog("%p, key len=%zd, data len=%zd, err=%d\n", ctx, sessionKey.length, sessionData->length, err); - *sessionData = myCtx->resumableSession; return err; 
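Review bot: In `tls_handshake_load_session_data_callback` the `sslDebugLog(... data len=%zd ...)` reads `sessionData->length` before `*sessionData = myCtx->resumableSession` is assigned on the next line, so the logged length is whatever the caller passed in rather than what the new `tls_cache_load_session_data` call produced; `myCtx->resumableSession.length` is the value of interest. That log line is context here, but the cache lookup the commit adds is what makes the distinction matter. The save callback's debug log likewise indexes `sessionKey.data[0]` without checking `sessionKey.length`, which is only safe if coreTLS never hands over an empty key; if that is not guaranteed, guard the read.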
@@ -223,16 +229,26 @@ tls_handshake_load_session_data_callback(tls_handshake_ctx_t ctx, SSLBuffer sess static int tls_handshake_delete_session_data_callback(tls_handshake_ctx_t ctx, SSLBuffer sessionKey) { + int err = errSSLSessionNotFound; + SSLContext *myCtx = (SSLContext *)ctx; + sslDebugLog("%p, key len=%zd k[0]=%02x\n", ctx, sessionKey.length, sessionKey.data[0]); - return sslDeleteSession(sessionKey); + if(myCtx->cache) { + err = tls_cache_delete_session_data(myCtx->cache, &sessionKey); + } + return err; } static int tls_handshake_delete_all_sessions_callback(tls_handshake_ctx_t ctx) { + SSLContext *myCtx = (SSLContext *)ctx; sslDebugLog("%p\n", ctx); - return sslCleanupSession(); + if(myCtx->cache) { + tls_cache_empty(myCtx->cache); + } + return 0; } tls_handshake_callbacks_t tls_handshake_callbacks = { @@ -250,5 +266,3 @@ tls_handshake_callbacks_t tls_handshake_callbacks = { .advance_read_cipher = tls_handshake_advance_read_cipher_callback, .set_protocol_version = tls_handshake_set_protocol_version_callback, }; - - diff --git a/OSX/libsecurity_ssl/lib/tls_record_internal.h b/OSX/libsecurity_ssl/lib/tls_record_internal.h index 76fa58b3..00c8facc 100644 --- a/OSX/libsecurity_ssl/lib/tls_record_internal.h +++ b/OSX/libsecurity_ssl/lib/tls_record_internal.h @@ -60,7 +60,6 @@ typedef struct WaitingRecord struct SSLRecordInternalContext { tls_record_t filter; - bool dtls; /* Reference back to the SSLContext */ SSLContextRef sslCtx; diff --git a/OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/project.pbxproj b/OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/project.pbxproj index ae2f87c0..fd242111 100644 --- a/OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/project.pbxproj 
@@ -63,8 +63,8 @@ 0C80AB1317E9025B008F7F5B /* sslCrypto.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C80AB1217E9025B008F7F5B /* sslCrypto.c */; }; 0C86A5FD19705A08009B006A /* ssl-52-noconn.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C86A5FC19705A08009B006A /* ssl-52-noconn.c */; }; 0C8DD1561B1CF75400D43050 /* ssl-54-dhe.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C8DD1531B1CEE9A00D43050 /* ssl-54-dhe.c */; }; + 0C9A76A81CB478D7002111EE /* ssl-56-renegotiate.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CD3A1951CB466DB00667E3F /* ssl-56-renegotiate.c */; }; 0CA9800617E3925A00205D87 /* sslKeychain.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CAFF4230534D89900303760 /* sslKeychain.c */; }; - 0CA9800917E7734000205D87 /* appleSession.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CAFF3FF0534D89900303760 /* appleSession.c */; }; 0CA9803417E7899B00205D87 /* SSLRecordInternal.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CCA413A15C75863002AEC4C /* SSLRecordInternal.c */; }; 0CB3EC4818AEDB6B00647921 /* ssl-48-split.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CB3EC4718AEDB6B00647921 /* ssl-48-split.c */; }; 0CCA417915C89EA3002AEC4C /* ssl-39-echo.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CCA416815C89EA3002AEC4C /* ssl-39-echo.c */; }; 
@@ -84,7 +84,6 @@ 4CAFF4540534D89900303760 /* sslContext.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CAFF41A0534D89900303760 /* sslContext.c */; }; 4CAFF4640534D89900303760 /* sslRecord.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CAFF42A0534D89900303760 /* sslRecord.c */; }; 4CAFF4680534D89900303760 /* sslTransport.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CAFF42E0534D89900303760 /* sslTransport.c */; }; - 4CAFF4690534D89900303760 /* sslUtils.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CAFF42F0534D89900303760 /* sslUtils.c */; }; AAB589F216CACE540071FE64 /* ssl-44-crashes.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CC954F0161A62AE005D3D4A /* ssl-44-crashes.c */; }; /* End PBXBuildFile section */ 
@@ -190,11 +189,10 @@ 0CCA42EB15C8A71A002AEC4C /* sslAppUtils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sslAppUtils.h; path = sslViewer/sslAppUtils.h; sourceTree = SOURCE_ROOT; }; 0CCAB6191B3C93E100C97526 /* ssl-55-sessioncache.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "ssl-55-sessioncache.c"; sourceTree = "<group>"; }; 0CCF28B7166D5F5000AFA37C /* ssl-47-falsestart.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "ssl-47-falsestart.c"; sourceTree = "<group>"; }; + 0CD3A1951CB466DB00667E3F /* ssl-56-renegotiate.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "ssl-56-renegotiate.c"; sourceTree = "<group>"; }; 0CDDC9A6195CD44400E93A27 /* ssl-51-state.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "ssl-51-state.c"; sourceTree = "<group>"; }; 0CEA459218CF71AE00BD32A9 /* ssl-49-sni.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "ssl-49-sni.c"; sourceTree = "<group>"; }; 4CA1FEBE052A3C8100F22E42 /* libsecurity_ssl.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libsecurity_ssl.a; sourceTree = BUILT_PRODUCTS_DIR; }; - 4CAFF3FF0534D89900303760 /* appleSession.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = appleSession.c; sourceTree = "<group>"; }; - 4CAFF4000534D89900303760 /* appleSession.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = appleSession.h; sourceTree = "<group>"; }; 4CAFF4020534D89900303760 /* cipherSpecs.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cipherSpecs.h; sourceTree = "<group>"; }; 4CAFF4030534D89900303760 /* CipherSuite.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = 
CipherSuite.h; sourceTree = "<group>"; }; 4CAFF4090534D89900303760 /* SecureTransport.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SecureTransport.h; sourceTree = "<group>"; }; @@ -202,7 +200,7 @@ 4CAFF4170534D89900303760 /* sslBuildFlags.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = sslBuildFlags.h; sourceTree = "<group>"; }; 4CAFF41A0534D89900303760 /* sslContext.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = sslContext.c; sourceTree = "<group>"; }; 4CAFF41B0534D89900303760 /* sslContext.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = sslContext.h; sourceTree = "<group>"; }; - 4CAFF41C0534D89900303760 /* sslDebug.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = sslDebug.h; sourceTree = "<group>"; }; + 4CAFF41C0534D89900303760 /* sslDebug.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = sslDebug.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 4CAFF4230534D89900303760 /* sslKeychain.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = sslKeychain.c; sourceTree = "<group>"; }; 4CAFF4240534D89900303760 /* sslKeychain.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = sslKeychain.h; sourceTree = "<group>"; }; 4CAFF4260534D89900303760 /* sslMemory.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = sslMemory.c; sourceTree = "<group>"; }; @@ -260,7 +258,6 @@ 050651C7056A83F3008AD683 /* Apple Custom */ = { isa = PBXGroup; children = ( - 4CAFF3FF0534D89900303760 /* appleSession.c */, 4CAFF4230534D89900303760 /* sslKeychain.c */, ); name = "Apple Custom"; 
@@ -368,6 +365,7 @@ 0C4B8F391A895D6E00AE503B /* ssl-53-clientauth.c */, 0C8DD1531B1CEE9A00D43050 /* ssl-54-dhe.c */, 0CCAB6191B3C93E100C97526 /* ssl-55-sessioncache.c */, + 0CD3A1951CB466DB00667E3F /* ssl-56-renegotiate.c */, 0C6C634215D1BDCF00BC68CD /* ssl-utils.c */, 0C6C634415D1BE3900BC68CD /* ssl-utils.h */, 0C0E0469162CA288009F7C71 /* ssl_regressions.h */, @@ -445,7 +443,6 @@ 0CCA413715C75863002AEC4C /* sslCipherSpecs.h */, 0CCA413B15C75863002AEC4C /* SSLRecordInternal.h */, 0CCA414215C75863002AEC4C /* tls_record_internal.h */, - 4CAFF4000534D89900303760 /* appleSession.h */, 4CAFF4020534D89900303760 /* cipherSpecs.h */, 4CAFF40B0534D89900303760 /* ssl.h */, 4CAFF4170534D89900303760 /* sslBuildFlags.h */, @@ -572,7 +569,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD4040987FCDF001272E0 /* Build configuration list for PBXProject "libsecurity_ssl" */; compatibilityVersion = "Xcode 3.2"; @@ -618,6 +615,7 @@ 0C8DD1561B1CF75400D43050 /* ssl-54-dhe.c in Sources */, 0CCAB61A1B3C93E100C97526 /* ssl-55-sessioncache.c in Sources */, 0C0F140B191AC0A200481BA2 /* ssl-50-server.c in Sources */, + 0C9A76A81CB478D7002111EE /* ssl-56-renegotiate.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -648,14 +646,12 @@ 0C1F06F7189B1F0600E65030 /* sslMemory.c in Sources */, 0C80AB1317E9025B008F7F5B /* sslCrypto.c in Sources */, 0CA9803417E7899B00205D87 /* SSLRecordInternal.c in Sources */, - 0CA9800917E7734000205D87 /* appleSession.c in Sources */, 0CA9800617E3925A00205D87 /* sslKeychain.c in Sources */, 0C03D65917DFD8C00087643B /* sslCipherSpecs.c in Sources */, 4CAFF4540534D89900303760 /* sslContext.c in Sources */, 0C03D65B17DFE67E0087643B /* tlsCallbacks.c in Sources */, 4CAFF4640534D89900303760 /* sslRecord.c in Sources */, 4CAFF4680534D89900303760 /* sslTransport.c in Sources */, - 4CAFF4690534D89900303760 /* sslUtils.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -755,6 +751,9 @@ isa = XCBuildConfiguration; baseConfigurationReference = BE6A959D14E3700A00C158E0 /* debug.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + ENABLE_TESTABILITY = YES; + ONLY_ACTIVE_ARCH = YES; SDKROOT = macosx.internal; }; name = Debug; @@ -763,6 +762,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = BE6A959F14E3700A00C158E0 /* release.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; SDKROOT = macosx.internal; }; name = Release; diff --git a/OSX/libsecurity_ssl/regressions/ssl-39-echo.c b/OSX/libsecurity_ssl/regressions/ssl-39-echo.c index 10fa94f6..80020471 100644 --- a/OSX/libsecurity_ssl/regressions/ssl-39-echo.c +++ b/OSX/libsecurity_ssl/regressions/ssl-39-echo.c @@ -625,7 +625,7 @@ static void *securetransport_ssl_thread(void *arg) unsigned char ibuf[4096], obuf[4096]; size_t len; if (ssl->is_server) { - SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf); + require_action(errSecSuccess==SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf),out, ortn = -1); require_noerr_quiet(ortn = SSLWrite(ctx, obuf, sizeof(obuf), &len), out); require_action_quiet(len == sizeof(obuf), out, ortn = -1); } 
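Review bot: The new check on SecRandomCopyBytes in ssl-39-echo.c uses `require_action`, while the two lines directly below it and the equivalent fix in ssl-44-crashes.c use the `_quiet` variants; `require_action_quiet(errSecSuccess==SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf), out, ortn = -1);` keeps the failure path reported the same way as the SSLWrite failures. The enclosing securetransport_ssl_thread starts and ends outside this hunk.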
diff --git a/OSX/libsecurity_ssl/regressions/ssl-41-clientauth.c b/OSX/libsecurity_ssl/regressions/ssl-41-clientauth.c index b9f63642..35ddfc4b 100644 --- a/OSX/libsecurity_ssl/regressions/ssl-41-clientauth.c +++ b/OSX/libsecurity_ssl/regressions/ssl-41-clientauth.c @@ -13,6 +13,7 @@ #include <utilities/array_size.h> #include <stdlib.h> #include <unistd.h> +#include <AssertMacros.h> #if TARGET_OS_IPHONE #include <Security/SecRSAKey.h> @@ -333,6 +334,7 @@ static void tests(void) is(CFGetRetainCount(privKey), 1, "privKey rc = 1"); ok(ctx=SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType), "SSLNewContext"); + require(ctx, errOut); ok_status(SSLSetCertificate(ctx, trust_chain), "SSLSetCertificate"); CFReleaseSafe(ctx); @@ -343,6 +345,7 @@ static void tests(void) is(CFGetRetainCount(privKey), 1, "privKey rc = 1"); ok(ctx=SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType), "SSLCreateContext"); + require(ctx, errOut); ok_status(SSLSetCertificate(ctx, trust_chain), "SSLSetCertificate"); CFReleaseSafe(ctx); @@ -353,6 +356,7 @@ static void tests(void) is(CFGetRetainCount(privKey), 1, "privKey rc = 1"); ok(ctx=SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType), "SSLCreateContext"); + require(ctx, errOut); ok_status(SSLSetCertificate(ctx, trust_chain), "SSLSetCertificate"); ok_status(SSLSetCertificate(ctx, trust_chain), "SSLSetCertificate"); CFReleaseSafe(ctx); @@ -363,6 +367,7 @@ static void tests(void) is(CFGetRetainCount(cert2), 1, "cert2 rc = 1"); is(CFGetRetainCount(privKey), 1, "privKey rc = 1"); +errOut: CFReleaseNull(trust_chain); } diff --git a/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c b/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c index c07b4126..c5c27d6f 100644 --- a/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c +++ b/OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c 
@@ -74,7 +74,8 @@ static const SSLCipherSuite SupportedCipherSuites[] = { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, - // TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + /* RC4 */ + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, @@ -90,6 +91,12 @@ static const SSLCipherSuite SupportedCipherSuites[] = { SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_anon_WITH_NULL_SHA, + TLS_ECDH_anon_WITH_RC4_128_SHA, + TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_anon_WITH_AES_128_CBC_SHA, + TLS_ECDH_anon_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, diff --git a/OSX/libsecurity_ssl/regressions/ssl-43-ciphers.c b/OSX/libsecurity_ssl/regressions/ssl-43-ciphers.c index 47250db0..e7d89c94 100644 --- a/OSX/libsecurity_ssl/regressions/ssl-43-ciphers.c +++ b/OSX/libsecurity_ssl/regressions/ssl-43-ciphers.c @@ -89,10 +89,13 @@ */ -#define OPENSSL_SERVER "ariadne.apple.com" + +//#define OPENSSL_SERVER "ariadne.apple.com" +//#define GNUTLS_SERVER "ariadne.apple.com" //#define OPENSSL_SERVER "kuip.apple.com" -#define GNUTLS_SERVER "ariadne.apple.com" //#define GNUTLS_SERVER "kuip.apple.com" +#define OPENSSL_SERVER "192.168.2.1" +#define GNUTLS_SERVER "192.168.2.1" static struct { const char *host; 
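Review bot: The SupportedCipherSuites table now gains `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA` and five `TLS_ECDH_anon_*` suites with only an `/* RC4 */` marker, so nothing says whether this is the set the library is expected to negotiate or merely the set it must enumerate; RC4 suites are prohibited for TLS by RFC 7465 and anonymous suites provide no peer authentication. A header comment on the array, such as `/* Every suite the library can enumerate, including ones not recommended for use; this test checks enumeration, not policy */` (or whatever the actual intent is), would keep a later reader from taking the list as a recommendation. The enclosing array starts and ends outside this hunk.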
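Review bot: In ssl-43-ciphers.c, `OPENSSL_SERVER` and `GNUTLS_SERVER` are now hard-coded to `"192.168.2.1"`, a private LAN address that only exists in the author's environment, so the test cannot connect anywhere else; reading the host from an environment variable with a fallback, or placing these runs under the SKIP block the file already uses, would keep the test portable. The commented-out hostnames left above the new defines suggest the switch was for local debugging and not meant to ship.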
@@ -185,26 +188,6 @@ const CipherSuiteName ciphers[] = { CIPHER(3, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, {0, 0, 0, 0}, false) // Not supported by either gnutls or openssl #endif -#if 1 - /* ECDH_ECDSA cipher suites */ - CIPHER(1, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, {4, 0, 0, 1}, false) - CIPHER(1, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, {4, 0, 0, 1}, false) - CIPHER(1, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, {4, 0, 0, 1}, false) - CIPHER(3, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, {0, 0, 0, 1}, false) - CIPHER(1, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, {4, 0, 0, 1}, false) - CIPHER(3, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, {0, 0, 0, 1}, false) -#endif - -#if 1 - /* ECDH_RSA cipher suites */ - CIPHER(1, TLS_ECDH_RSA_WITH_RC4_128_SHA, {3, 0, 0, 1}, false) - CIPHER(1, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, {3, 0, 0, 1}, false) - CIPHER(1, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, {3, 0, 0, 1}, false) - CIPHER(3, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, {0, 0, 0, 1}, false) - CIPHER(1, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, {3, 0, 0, 1}, false) - CIPHER(3, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, {0, 0, 0, 1}, false) -#endif - #if 0 CIPHER(1, TLS_PSK_WITH_RC4_128_SHA, {1, 1, 0, 0}, true) CIPHER(1, TLS_PSK_WITH_3DES_EDE_CBC_SHA, {1, 1, 0, 0}, true) @@ -227,12 +210,6 @@ const CipherSuiteName ciphers[] = { CIPHER(3, TLS_DH_anon_WITH_AES_128_GCM_SHA256, {1, 1, 0, 0}, true) CIPHER(3, TLS_DH_anon_WITH_AES_256_GCM_SHA384, {1, 0, 0, 0}, true) - CIPHER(3, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, {3, 0, 0, 0}, false) - CIPHER(3, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, {3, 0, 0, 0}, false) - - CIPHER(3, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, {4, 0, 0, 0}, false) - CIPHER(3, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, {4, 0, 0, 0}, false) - CIPHER(3, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, {1, 1, 0, 0}, false) CIPHER(3, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, {1, 1, 0, 0}, false) 
@@ -505,6 +482,8 @@ static OSStatus securetransport(ssl_test_handle * ssl) SSLContextRef ctx = ssl->st; SecTrustRef trust = NULL; bool got_server_auth = false, got_client_cert_req = false; + CFMutableArrayRef peer_cert_array = NULL; + CFMutableArrayRef orig_peer_cert_array = NULL; //uint64_t start = mach_absolute_time(); do { @@ -524,8 +503,8 @@ static OSStatus securetransport(ssl_test_handle * ssl) CFIndex n_certs = SecTrustGetCertificateCount(trust); /*fprintf(stderr, "%ld certs; trust_eval: %d\n", n_certs, trust_result); */ - CFMutableArrayRef peer_cert_array = CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks); - CFMutableArrayRef orig_peer_cert_array = CFArrayCreateMutableCopy(NULL, n_certs, ssl->certs); + peer_cert_array = CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks); + orig_peer_cert_array = CFArrayCreateMutableCopy(NULL, n_certs, ssl->certs); while (n_certs--) CFArrayInsertValueAtIndex(peer_cert_array, 0, SecTrustGetCertificateAtIndex(trust, n_certs)); @@ -539,8 +518,6 @@ static OSStatus securetransport(ssl_test_handle * ssl) #if 0 require(CFEqual(orig_peer_cert_array, peer_cert_array), out); #endif - CFRelease(orig_peer_cert_array); - CFRelease(peer_cert_array); /* CFStringRef cert_name = SecCertificateCopySubjectSummary(cert); @@ -610,6 +587,8 @@ static OSStatus securetransport(ssl_test_handle * ssl) #endif out: + CFReleaseSafe(orig_peer_cert_array); + CFReleaseSafe(peer_cert_array); SSLClose(ctx); SSLDisposeContext(ctx); if (trust) CFRelease(trust); @@ -688,6 +667,7 @@ tests(void) ok(!ok, "Handshake failed: %40s to %s:%d proto=%d", ciphers[i].name, servers[p].host, port, pr); close(s); + free(client); } /* SKIP block */ } diff --git a/OSX/libsecurity_ssl/regressions/ssl-44-crashes.c b/OSX/libsecurity_ssl/regressions/ssl-44-crashes.c index dda31178..0967e6dc 100644 --- a/OSX/libsecurity_ssl/regressions/ssl-44-crashes.c +++ b/OSX/libsecurity_ssl/regressions/ssl-44-crashes.c 
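Review bot: Hoisting `peer_cert_array` and `orig_peer_cert_array` to function scope and releasing them at `out:` fixes the leak on the early-exit paths, but the errSSLServerAuthCompleted branch inside the `do { ... }` loop now reassigns both without releasing the previous values; if the handshake loop can report errSSLServerAuthCompleted more than once on a connection (this commit adds renegotiation elsewhere), the first pair leaks. Adding `CFReleaseNull(peer_cert_array); CFReleaseNull(orig_peer_cert_array);` immediately before the two `CFArrayCreate*` calls covers repeated entries while leaving the `out:` releases as the final safety net. The enclosing securetransport() body is spread across these hunks.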
@@ -206,7 +206,7 @@ static void *securetransport_ssl_thread(void *arg)
 unsigned char ibuf[8], obuf[8];
 size_t len;
 if (ssl->is_server) {
- SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf);
+ require_action_quiet(errSecSuccess==SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf), out, ortn = -1);
 require_noerr_quiet(ortn = SSLWrite(ctx, obuf, sizeof(obuf), &len), out);
 require_action_quiet(len == sizeof(obuf), out, ortn = -1);
 } else {
@@ -296,17 +296,9 @@ tests(void)
 pthread_join(client_thread, (void*)&client_err);
 pthread_join(server_thread, (void*)&server_err);
- // errors expected for TARGET_OS_IPHONE implementation
- int expected_client_error3 = errSSLBadCert;
- int expected_server_error3 = errSSLClosedGraceful;
-
- // allow OS X errors if we are not yet using unified SecTrust
- if (server_err == errSSLProtocol) { expected_server_error3 = errSSLProtocol; }
- if (client_err == errSSLIllegalParam) { expected_client_error3 = errSSLIllegalParam; }
-
- ok(server_err==((i==3)?expected_server_error3:0), "Server error = %d (i=%d)", server_err, i);
- /* tests 0/1 should cause errSSLClosedAbort, 2 should cause errSSLBadRecordMac, 3 should cause errSSLBadCert */
- ok(client_err==((i==3)?expected_client_error3:(i==2)?errSSLBadRecordMac:errSSLClosedAbort), "Client error = %d (i=%d)", client_err, i);
+ ok(server_err==((i==3)?errSSLPeerCertUnknown:0), "Server error = %d (i=%d)", server_err, i);
+ /* tests 0/1 should cause errSSLClosedAbort, 2 should cause errSSLBadRecordMac, 3 should cause errSSLXCertChainInvalid */
+ ok(client_err==((i==3)?errSSLXCertChainInvalid:(i==2)?errSSLBadRecordMac:errSSLClosedAbort), "Client error = %d (i=%d)", client_err, i);
 out:
 free(client);
diff --git a/OSX/libsecurity_ssl/regressions/ssl-45-tls12.c b/OSX/libsecurity_ssl/regressions/ssl-45-tls12.c
index 67e2ea4a..9708d7c7 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-45-tls12.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-45-tls12.c
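Review bot: The server-side expectation in the @@ -296 hunk, `ok(server_err==((i==3)?errSSLPeerCertUnknown:0), ...)`, has no comment explaining why case 3 maps to errSSLPeerCertUnknown, whereas the client-side line keeps its per-case comment. Suggest adding above it `/* i==3: the client rejects the server certificate, so the server sees errSSLPeerCertUnknown; every other case must complete cleanly */`. Dropping the `expected_*_error3` fallbacks also removes the tolerance for errSSLProtocol / errSSLIllegalParam that the old comment tied to not-yet-unified SecTrust, so this test now hard-fails on any implementation still reporting those codes — presumably intended, but worth a line in the commit message.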
@@ -97,31 +97,17 @@ static int SocketConnect(const char *hostName, int port)
 int err;
 struct hostent *ent;
- if (hostName[0] >= '0' && hostName[0] <= '9')
- {
+ if (hostName[0] >= '0' && hostName[0] <= '9') {
 host.s_addr = inet_addr(hostName);
- }
- else {
- unsigned dex;
-#define GETHOST_RETRIES 5
- /* seeing a lot of soft failures here that I really don't want to track down */
- for(dex=0; dex<GETHOST_RETRIES; dex++) {
- if(dex != 0) {
- printf("\n...retrying gethostbyname(%s)", hostName);
- }
- ent = gethostbyname(hostName);
- if(ent != NULL) {
- break;
- }
- }
+ } else {
+ ent = gethostbyname(hostName);
 if(ent == NULL) {
 printf("\n***gethostbyname(%s) returned: %s\n", hostName, hstrerror(h_errno));
- return -1;
+ return -2;
 }
 memcpy(&host, ent->h_addr, sizeof(struct in_addr));
 }
-
 sock = socket(AF_INET, SOCK_STREAM, 0);
 addr.sin_addr = host;
 addr.sin_port = htons((u_short)port);
@@ -132,7 +118,7 @@ static int SocketConnect(const char *hostName, int port)
 if(err!=0) {
 perror("connect failed");
- return err;
+ return -1;
 }
 return sock;
@@ -268,12 +254,17 @@ out:
+#define CONNECT_TRIES 3
+
 static ssl_test_handle * ssl_test_handle_create(struct s_server *server) {
- int comm;
+ int comm = -1;
+
+ for(int try = 0; comm<0 && try<CONNECT_TRIES; try++) {
+ comm=SocketConnect(server->host, server->port);
+ }
- comm=SocketConnect(server->host, server->port);
 if(comm<0) {
 fail("connect failed with err=%d - %s:%d", comm, server->host, server->port);
 return NULL;
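Review bot: `return -1;` in the @@ -132 hunk (after `perror("connect failed")`) returns without closing the descriptor obtained from `sock = socket(AF_INET, SOCK_STREAM, 0)`, and the new loop `for(int try = 0; comm<0 && try<CONNECT_TRIES; try++)` in ssl_test_handle_create now calls SocketConnect up to three times, so each failed connect leaks a socket; the ssl-47-falsestart.c hunks at @@ -120 and @@ -318 have the same pattern. Change the failure path to `close(sock); return -1;`. The new `-2` return for name-resolution failure is retried exactly like `-1`, which makes the distinction cosmetic unless the loop condition becomes `comm == -1`; if retrying DNS failures is intended, a comment saying so would spare the next reader the question. socket()'s own return value is still unchecked on the context line, which predates this change.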
@@ -307,7 +298,7 @@ struct s_server servers[] = {
 {"www.amazon.com",443, kTLSProtocol12 }, //{"www.mikestoolbox.org",443, kTLSProtocol12 }, /* servers with issues */
- {"vpp.visa.co.uk", 443, kTLSProtocol12 }, // Doesnt like SSL 3.0 in initial record layer version
+ // This server went offline as of May 2016 -- {"vpp.visa.co.uk", 443, kTLSProtocol12 }, // Doesnt like SSL 3.0 in initial record layer version
 {"imap.softbank.jp",993, kTLSProtocol12 }, // softbank imap server, there are multiple servers behind this, one of them is not able to handle downgrading to TLS 1.2 properly (126.240.66.17).
 {"mobile.charter.net",993, kTLSProtocol12 }, // Support 1.2 but fail to negotiate properly
 {"mybill.vodafone.com.au", 443, kTLSProtocol1 }, /* 2056 bit server key */
diff --git a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
index cf3b3b3f..2ed75a8b 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c
@@ -241,6 +241,14 @@ const SSLCipherSuite TLSv1_fallback_ciphersuites[] = {
 SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 };
+const SSLCipherSuite anonymous_ciphersuites[] = {
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+ TLS_DH_anon_WITH_AES_256_CBC_SHA256,
+ TLS_DH_anon_WITH_AES_256_CBC_SHA,
+ TLS_DH_anon_WITH_AES_128_CBC_SHA256,
+ TLS_DH_anon_WITH_AES_128_CBC_SHA
+};
 static int test_GetEnabledCiphers(SSLContextRef ssl, unsigned expected_num_ciphers, const SSLCipherSuite *expected_ciphers)
@@ -251,8 +259,8 @@ static int test_GetEnabledCiphers(SSLContextRef ssl, unsigned expected_num_ciphe
 SSLCipherSuite *ciphers = NULL;
 OSStatus err;
- err=SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite);
- err=SSLSetConnection(ssl, NULL);
+ require_noerr(SSLSetIOFuncs(ssl, &SocketRead, &SocketWrite), out);
+ require_noerr(SSLSetConnection(ssl, NULL), out);
 require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out);
 require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number");
@@ -268,8 +276,8 @@ static int test_GetEnabledCiphers(SSLContextRef ssl, unsigned expected_num_ciphe
 free(ciphers); ciphers = NULL;
- err=SSLHandshake(ssl);
-
+ err = SSLHandshake(ssl);
+ require(err == errSSLWouldBlock, out);
 require_noerr(SSLGetNumberEnabledCiphers(ssl, &num_ciphers), out);
 require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number");
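Review bot: `require(err == errSSLWouldBlock, out);` in the @@ -268 hunk gives no message on failure, unlike the neighbouring `require_string(num_ciphers==expected_num_ciphers, out, "wrong ciphersuites number")` checks, so a regression here would surface only as a bare line number. For consistency use `require_string(err == errSSLWouldBlock, out, "SSLHandshake without a connection should return errSSLWouldBlock");`. Now that the two `err=` assignments have become `require_noerr(...)`, `err` has a single use and its declaration could move next to the SSLHandshake call; the enclosing function continues outside both hunks.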
@@ -373,17 +381,47 @@ out:
 if(ssl) CFRelease(ssl);
 }
+static void
+test_default(SSLProtocolSide side)
+{
+ SSLContextRef ssl = NULL;
+ bool server = (side == kSSLServerSide);
+
+ ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+ ok(ssl, "test_config: SSLCreateContext(1) failed (%s)", server?"server":"client");
+ require(ssl, out);
+
+ /* The order of this tests does matter, be careful when adding tests */
+ ok(!test_GetSupportedCiphers(ssl, server), "test_default: GetSupportedCiphers test failed (%s)", server?"server":"client");
+ ok(!test_GetEnabledCiphers(ssl, sizeof(standard_ciphersuites)/sizeof(SSLCipherSuite), standard_ciphersuites), "test_default: GetEnabledCiphers test failed (%s)", server?"server":"client");
+
+ CFRelease(ssl); ssl=NULL;
+
+ ssl=SSLCreateContext(kCFAllocatorDefault, side, kSSLStreamType);
+ ok(ssl, "test_default: SSLCreateContext(2) failed (%s)", server?"server":"client");
+ require(ssl, out);
+
+ ok(!test_SetEnabledCiphers(ssl), "test_config: SetEnabledCiphers test failed (%s)", server?"server":"client");
+
+out:
+ if(ssl) CFRelease(ssl);
+}
+
+
 int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv) {
- plan_tests(132);
+ plan_tests(154);
 test_dhe(kSSLClientSide, true);
 test_dhe(kSSLServerSide, true);
 test_dhe(kSSLClientSide, false);
 test_dhe(kSSLServerSide, false);
+ test_default(kSSLClientSide);
+ test_default(kSSLServerSide);
+
 #define TEST_CONFIG(x, y) do { \
 test_config(kSSLClientSide, x, sizeof(y)/sizeof(SSLCipherSuite), y); \
 test_config(kSSLServerSide, x, sizeof(y)/sizeof(SSLCipherSuite), y); \
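Review bot: Two ok() messages in the new test_default() carry the wrong prefix: `ok(ssl, "test_config: SSLCreateContext(1) failed (%s)", ...)` and `ok(!test_SetEnabledCiphers(ssl), "test_config: SetEnabledCiphers test failed (%s)", ...)` say test_config, so a failure here would be attributed to the wrong function in the TAP output. Change both prefixes to `test_default:`. The comment `/* The order of this tests does matter, be careful when adding tests */` would read better as `/* The order of these tests matters: ... */` with the reason spelled out — the fresh context created before test_SetEnabledCiphers suggests the earlier calls leave state behind, but that is only inferable here. plan_tests(154) presumably accounts for the two new test_default calls; it cannot be checked without the helper bodies.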
@@ -397,7 +435,8 @@ int ssl_46_SSLGetSupportedCiphers(int argc, char *const *argv)
 TEST_CONFIG(kSSLSessionConfig_RC4_fallback, legacy_ciphersuites);
 TEST_CONFIG(kSSLSessionConfig_TLSv1_fallback, standard_ciphersuites);
 TEST_CONFIG(kSSLSessionConfig_TLSv1_RC4_fallback, legacy_ciphersuites);
- TEST_CONFIG(kSSLSessionConfig_default, legacy_ciphersuites);
+ TEST_CONFIG(kSSLSessionConfig_default, standard_ciphersuites);
+ TEST_CONFIG(kSSLSessionConfig_anonymous, anonymous_ciphersuites);
 return 0;
 }
diff --git a/OSX/libsecurity_ssl/regressions/ssl-47-falsestart.c b/OSX/libsecurity_ssl/regressions/ssl-47-falsestart.c
index 90e7d6c2..d7c43e00 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-47-falsestart.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-47-falsestart.c
@@ -81,35 +81,21 @@ static int SocketConnect(const char *hostName, int port)
 {
 struct sockaddr_in addr;
 struct in_addr host;
- int sock;
+ int sock;
 int err;
 struct hostent *ent;
- if (hostName[0] >= '0' && hostName[0] <= '9')
- {
+ if (hostName[0] >= '0' && hostName[0] <= '9') {
 host.s_addr = inet_addr(hostName);
- }
- else {
- unsigned dex;
-#define GETHOST_RETRIES 5
- /* seeing a lot of soft failures here that I really don't want to track down */
- for(dex=0; dex<GETHOST_RETRIES; dex++) {
- if(dex != 0) {
- printf("\n...retrying gethostbyname(%s)", hostName);
- }
- ent = gethostbyname(hostName);
- if(ent != NULL) {
- break;
- }
- }
+ } else {
+ ent = gethostbyname(hostName);
 if(ent == NULL) {
- printf("\n***gethostbyname(%s) returned: %s\n", hostName, hstrerror(h_errno));
- return -1;
+ printf("\n***gethostbyname(%s) returned: %s\n", hostName, hstrerror(h_errno));
+ return -2;
 }
 memcpy(&host, ent->h_addr, sizeof(struct in_addr));
 }
-
 sock = socket(AF_INET, SOCK_STREAM, 0);
 addr.sin_addr = host;
 addr.sin_port = htons((u_short)port);
@@ -120,17 +106,15 @@ static int SocketConnect(const char *hostName, int port)
 if(err!=0) {
 perror("connect failed");
- return err;
+ return -1;
 }
 /* make non blocking */
 fcntl(sock, F_SETFL, O_NONBLOCK);
-
 return sock;
 }
-
 static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length) {
 size_t len = *length;
@@ -224,8 +208,9 @@ static OSStatus securetransport(ssl_test_handle * ssl)
 bool got_server_auth = false, got_client_cert_req = false;
 ortn = SSLHandshake(ctx);
- //fprintf(stderr, "Fell out of SSLHandshake with error: %ld\n", (long)ortn);
-
+
+ require_action_quiet(ortn==errSSLWouldBlock, out, printf("SSLHandshake failed with err %ld\n", (long)ortn));
+
 size_t sent, received;
 const char *r=request;
 size_t l=sizeof(request);
@@ -306,6 +291,7 @@ struct s_server {
 #define NSERVERS (int)(sizeof(servers)/sizeof(servers[0]))
 #define NLOOPS 1
+#define CONNECT_TRIES 3
 static void tests(void)
@@ -318,11 +304,13 @@ tests(void)
 for(fs=0;fs<2; fs++) {
 ssl_test_handle *client;
-
- int s;
 OSStatus r;
+ int s = -1;
+
+ for(int try = 0; s<0 && try<CONNECT_TRIES; try++) {
+ s=SocketConnect(servers[p].host, servers[p].port);
+ }
- s=SocketConnect(servers[p].host, servers[p].port);
 if(s<0) {
 fail("connect failed with err=%d - %s:%d (try %d)", s, servers[p].host, servers[p].port, loops);
 break;
diff --git a/OSX/libsecurity_ssl/regressions/ssl-48-split.c b/OSX/libsecurity_ssl/regressions/ssl-48-split.c
index 44930a78..dee2038b 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-48-split.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-48-split.c
@@ -173,7 +173,7 @@ static void *securetransport_ssl_thread(void *arg)
 if (ssl->is_server) {
 size_t len;
- SecRandomCopyBytes(kSecRandomDefault, ssl->write_size, obuf);
+ require_action(errSecSuccess==SecRandomCopyBytes(kSecRandomDefault, ssl->write_size, obuf), out, ortn = -1);
 require_noerr(ortn = SSLWrite(ctx, obuf, ssl->write_size, &len), out);
 require_action(len == ssl->write_size, out, ortn = -1);
 require_noerr(ortn = SSLWrite(ctx, obuf, ssl->write_size, &len), out);
diff --git a/OSX/libsecurity_ssl/regressions/ssl-49-sni.c b/OSX/libsecurity_ssl/regressions/ssl-49-sni.c
index 0afdde59..2a661339 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-49-sni.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-49-sni.c
@@ -147,12 +147,14 @@ static void *securetransport_server_thread(void *arg)
 "SNI does not match");
 }
 require_noerr(SSLSetCertificate(ctx, server_certs), out);
+ free(sni);
 }
 out:
 SSLClose(ctx);
 SSLDisposeContext(ctx);
 close(ssl->comm);
+ CFReleaseSafe(server_certs);
 pthread_exit((void *)(intptr_t)ortn);
 return NULL;
@@ -214,7 +216,8 @@ ssl_test_handle_create(uint32_t session_id, bool server, int comm)
 return handle;
 out:
- if (ctx) CFRelease(ctx);
+ if (handle) free(handle);
+ if (ctx) CFRelease(ctx);
 return NULL;
 }
diff --git a/OSX/libsecurity_ssl/regressions/ssl-51-state.c b/OSX/libsecurity_ssl/regressions/ssl-51-state.c
index 66790429..91a48385 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-51-state.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-51-state.c
@@ -172,6 +172,7 @@ static int process(tls_stream_parser_ctx_t ctx, tls_buffer record)
 test_printf("%s: %p processed, err=%d\n", __FUNCTION__, ctx, err);
 errOut:
+ free(decrypted.data);
 return err;
 }
diff --git a/OSX/libsecurity_ssl/regressions/ssl-52-noconn.c b/OSX/libsecurity_ssl/regressions/ssl-52-noconn.c
index d0e329ea..b3e3028f 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-52-noconn.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-52-noconn.c
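Review bot: `free(decrypted.data);` added at `errOut:` in the ssl-51-state.c hunk is only safe if `decrypted` is initialized before the first jump to `errOut`; its declaration and the earlier exits in process() are outside the hunk, so please confirm the `tls_buffer` starts with a NULL `data` (e.g. `tls_buffer decrypted = {0};` at the declaration — constructed example, adjust to the real declaration) rather than relying on a later assignment. In the ssl-49-sni.c @@ -214 hunk, the guard in `if (handle) free(handle);` is redundant since free(NULL) is a no-op, unlike the `if (ctx) CFRelease(ctx);` beside it, which is needed; `free(handle);` alone reads cleaner.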
@@ -28,6 +28,8 @@ void tests()
 ortn = SSLHandshake(ctx);
 is(ortn, errSSLWouldBlock, "SSLHandshake unexpected return\n");
+
+ CFRelease(ctx);
 }
diff --git a/OSX/libsecurity_ssl/regressions/ssl-53-clientauth.c b/OSX/libsecurity_ssl/regressions/ssl-53-clientauth.c
index 47d19094..bd0aaea6 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-53-clientauth.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-53-clientauth.c
@@ -393,8 +393,6 @@ tests(void)
 ssl_server_handle_destroy(server);
 ssl_client_handle_destroy(client);
- close(sp[0]);
- close(sp[1]);
 CFReleaseSafe(client_certs);
 }
diff --git a/OSX/libsecurity_ssl/regressions/ssl-54-dhe.c b/OSX/libsecurity_ssl/regressions/ssl-54-dhe.c
index 55fb18d3..d1ef7824 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-54-dhe.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-54-dhe.c
@@ -389,9 +389,6 @@ tests(void)
 ssl_server_handle_destroy(server);
 ssl_client_handle_destroy(client);
- close(sp[0]);
- close(sp[1]);
-
 }
 }
diff --git a/OSX/libsecurity_ssl/regressions/ssl-55-sessioncache.c b/OSX/libsecurity_ssl/regressions/ssl-55-sessioncache.c
index 9563d7ec..8f9add5b 100644
--- a/OSX/libsecurity_ssl/regressions/ssl-55-sessioncache.c
+++ b/OSX/libsecurity_ssl/regressions/ssl-55-sessioncache.c
@@ -100,7 +100,7 @@ typedef struct {
 } ssl_client_handle;
 static ssl_client_handle *
-ssl_client_handle_create(int comm, CFArrayRef trustedCA, uint32_t cache_ttl, uintptr_t peerID)
+ssl_client_handle_create(int comm, bool anyRoot, CFArrayRef trustedCA, bool trustedCAOnly, CFArrayRef trustedLeafs, uint32_t cache_ttl, uintptr_t peerID)
 {
 ssl_client_handle *handle = calloc(1, sizeof(ssl_client_handle));
 SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
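Review bot: The new ssl_client_handle_create signature in the ssl-55-sessioncache.c hunk takes seven parameters with two bools interleaved among CFArrayRefs (`bool anyRoot`, `CFArrayRef trustedCA`, `bool trustedCAOnly`, `CFArrayRef trustedLeafs`), so calls such as `ssl_client_handle_create(sp[0], false, trusted_ca, true, NULL, i, ...)` cannot be read without the prototype. A comment above the definition documenting each parameter, or a small options struct (constructed name: `struct client_trust_opts`) holding the four trust settings, would help; the function body continues outside the hunk. The removal of `close(sp[0]); close(sp[1]);` in the ssl-53-clientauth.c and ssl-54-dhe.c hunks is presumably because the handle destroy functions or the threads now close `comm`; if they do not, those descriptors leak on every iteration, and a one-line comment at the removal site naming who owns the socket would make that contract explicit.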
@@ -115,7 +115,11 @@ ssl_client_handle_create(int comm, CFArrayRef trustedCA, uint32_t cache_ttl, uin
 require_noerr(SSLSetPeerDomainName(ctx, peer_domain_name, strlen(peer_domain_name)), out);
- require_noerr(SSLSetTrustedRoots(ctx, trustedCA, true), out);
+ require_noerr(SSLSetAllowsAnyRoot(ctx, anyRoot), out);
+ require_noerr(SSLSetTrustedRoots(ctx, trustedCA, trustedCAOnly), out);
+#if !TARGET_OS_IPHONE
+ require_noerr(SSLSetTrustedLeafCertificates(ctx, trustedLeafs), out);
+#endif
 require_noerr(SSLSetSessionCacheTimeout(ctx, cache_ttl), out);
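Review bot: On TARGET_OS_IPHONE the new `trustedLeafs` parameter is accepted but never used, because `SSLSetTrustedLeafCertificates(ctx, trustedLeafs)` is compiled only under `#if !TARGET_OS_IPHONE`; tests_cache_trust still passes `trusted_ca` as trustedLeafs on that platform, where it silently has no effect. Add `#else` / `(void)trustedLeafs; /* leaf pinning is not available on iOS */` / `#endif` so the intent is explicit and -Wunused-parameter stays quiet, and note the platform difference in a comment above the function, whose body continues outside the hunk.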
@@ -263,35 +267,35 @@ out:
 static void
-tests(void)
+tests_cache_ttl(void)
 {
 pthread_t client_thread, server_thread;
 CFArrayRef server_certs = server_chain();
 CFArrayRef trusted_ca = trusted_roots();
- ok(server_certs, "got server certs");
- ok(trusted_ca, "got trusted roots");
+ ok(server_certs, "ttl: got server certs");
+ ok(trusted_ca, "ttl: got trusted roots");
 int i, j, k;
- for (i=0; i<2; i++) {
- for (j=0; j<2; j++) {
+ for (i=0; i<2; i++) { // client cache TTL
+ for (j=0; j<2; j++) { // Server cache TTL
 for (k=0; k<2; k++) {
+ ssl_client_handle *client = NULL;
+ ssl_server_handle *server = NULL;
 int sp[2];
 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) exit(errno);
 fcntl(sp[0], F_SETNOSIGPIPE, 1);
 fcntl(sp[1], F_SETNOSIGPIPE, 1);
- ssl_client_handle *client;
- client = ssl_client_handle_create(sp[0], trusted_ca, i, (i<<8)|(j+1));
- ok(client!=NULL, "could not create client handle (%d:%d:%d)", i, j, k);
-
+ client = ssl_client_handle_create(sp[0], false, trusted_ca, true, NULL, i, (i<<8)|(j+1));
+ ok(client!=NULL, "ttl: could not create client handle (%d:%d:%d)", i, j, k);
+ require(client, errOut);
- ssl_server_handle *server;
 server = ssl_server_handle_create(sp[1], server_certs, j);
- ok(server!=NULL, "could not create server handle (%d:%d:%d)", i, j, k);
-
+ ok(server!=NULL, "ttl: could not create server handle (%d:%d:%d)", i, j, k);
+ require(server, errOut);
 pthread_create(&client_thread, NULL, securetransport_ssl_client_thread, client);
 pthread_create(&server_thread, NULL, securetransport_ssl_server_thread, server);
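Review bot: The new `require(client, errOut);` and `require(server, errOut);` jump to the `errOut:` label added in the @@ -304 hunk, where `close(sp[0]); close(sp[1]);` were removed at the same time; on that path the descriptors are only closed if ssl_client_handle_destroy / ssl_server_handle_destroy close `comm` themselves (not visible here), and when handle creation fails there is no handle to do it, so the socketpair leaks for that iteration. Closing the orphaned ends before the destroy calls covers both cases: `if (!client) close(sp[0]);` and `if (!server) close(sp[1]);`. The pthread_create return values remain unchecked, which predates this change. The loop comments `// client cache TTL` / `// Server cache TTL` are welcome; `k` deserves one too (it appears to be the initial-vs-resumed connection index, judging by the resumption assertion in the next hunk).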
@@ -304,19 +308,18 @@ tests(void)
 unsigned char sessionID[32];
 size_t sessionIDLength = sizeof(sessionID);
- ok(client_err==0, "unexpected error %ld (client %d:%d:%d)", client_err, i, j, k);
- ok(server_err==0, "unexpected error %ld (server %d:%d:%d)", server_err, i, j, k);
+ ok(client_err==0, "ttl: unexpected error %ld (client %d:%d:%d)", client_err, i, j, k);
+ ok(server_err==0, "ttl: unexpected error %ld (server %d:%d:%d)", server_err, i, j, k);
 ok_status(SSLGetResumableSessionInfo(client->st, &resumed, sessionID, &sessionIDLength), "SSLGetResumableSessionInfo");
- ok(i || j || (!k) || resumed, "Unexpected resumption state=%d (%d:%d:%d)", resumed, i, j, k);
+ ok((bool)resumed == (bool)(k && (!i) && (!j)), "ttl: Unexpected resumption state=%d (%d:%d:%d)", resumed, i, j, k);
+ errOut:
 ssl_server_handle_destroy(server);
 ssl_client_handle_destroy(client);
- close(sp[0]);
- close(sp[1]);
- /* Sleep one second so that Session cache TTL can expire */
- sleep(1);
+ /* Sleep two seconds so that Session cache TTL can expire */
+ sleep(2);
 }
 }
 }
@@ -325,13 +328,96 @@ tests(void)
 CFReleaseSafe(trusted_ca);
 }
+static void
+tests_cache_trust(void)
+{
+ pthread_t client_thread, server_thread;
+ CFArrayRef server_certs = server_chain();
+ CFArrayRef trusted_ca = trusted_roots();
+ CFMutableArrayRef trusted_ca2 = CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, trusted_ca);
+ CFArrayAppendArray(trusted_ca2, trusted_ca, CFRangeMake(0, CFArrayGetCount(trusted_ca)));
+
+ ok(server_certs, "trust: got server certs");
+ ok(trusted_ca, "trust: got trusted roots");
+ ok(trusted_ca2, "trust: got trusted roots extra");
+
+ int any, ca, caonly, leaf, k;
+
+ // Test cache and trust options:
+
+
+ for (any=0; any<2; any++) // any root ?
+ for (ca=0; ca<2; ca++) // trustedCA ?
+ for (caonly=0; caonly<2; caonly++) // leaf>
+#if TARGET_OS_IPHONE
+ {
+ leaf = 0;
+#else
+ for (leaf=0; leaf<2; leaf++)
+ {
+#endif
+ // attempt initial connection, then resumed connection, but all with same peer id (0xdeadbeef)
+ for (k=0; k<2; k++) {
+ ssl_client_handle *client = NULL;
+ ssl_server_handle *server = NULL;
+
+ int sp[2];
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) exit(errno);
+ fcntl(sp[0], F_SETNOSIGPIPE, 1);
+ fcntl(sp[1], F_SETNOSIGPIPE, 1);
+
+ client = ssl_client_handle_create(sp[0], any, ca?trusted_ca:trusted_ca2, caonly, leaf?NULL:trusted_ca, 300, 0xdeadbeef);
+ ok(client!=NULL, "trust: could not create client handle (%d:%d:%d:%d:%d)", any, ca, caonly, leaf, k);
+ require(client, errOut);
+
+ server = ssl_server_handle_create(sp[1], server_certs, 300);
+ ok(server!=NULL, "trust: could not create server handle (%d:%d:%d:%d:%d)", any, ca, caonly, leaf, k);
+ require(server, errOut);
+
+ pthread_create(&client_thread, NULL, securetransport_ssl_client_thread, client);
+ pthread_create(&server_thread, NULL, securetransport_ssl_server_thread, server);
+
+ intptr_t server_err, client_err;
+
+ pthread_join(client_thread, (void*)&client_err);
+ pthread_join(server_thread, (void*)&server_err);
+
+ Boolean resumed;
+ unsigned char
sessionID[32];
+ size_t sessionIDLength = sizeof(sessionID);
+
+ ok(client_err==0, "trust: unexpected error %ld (client %d:%d:%d:%d:%d)", client_err, any, ca, caonly, leaf, k);
+ ok(server_err==0, "trust: unexpected error %ld (server %d:%d:%d:%d:%d)", server_err, any, ca, caonly, leaf, k);
+ ok_status(SSLGetResumableSessionInfo(client->st, &resumed, sessionID, &sessionIDLength), "SSLGetResumableSessionInfo");
+
+ ok((bool)resumed == (bool)(k), "trust: Unexpected resumption state=%d (%d:%d:%d:%d:%d)", resumed, any, ca, caonly, leaf, k);
+
+ errOut:
+ ssl_server_handle_destroy(server);
+ ssl_client_handle_destroy(client);
+
+ }
+ }
+
+ CFReleaseSafe(server_certs);
+ CFReleaseSafe(trusted_ca);
+}
+
 int ssl_55_sessioncache(int argc, char *const *argv) {
- plan_tests(6 * 8 + 2 /*cert*/);
+#if TARGET_OS_IPHONE
+#define N_TRUST_TESTS 8
+#else
+#define N_TRUST_TESTS 16
+#endif
+
+ plan_tests(/*ttl :*/ 6 * 8 + 2 + /* trust:*/ N_TRUST_TESTS*6*2 + 3);
+
+ tests_cache_ttl();
- tests();
+ tests_cache_trust();
 return 0;
 }
diff --git a/OSX/libsecurity_ssl/regressions/ssl-56-renegotiate.c b/OSX/libsecurity_ssl/regressions/ssl-56-renegotiate.c
new file mode 100644
index 00000000..a6525dbf
--- /dev/null
+++ b/OSX/libsecurity_ssl/regressions/ssl-56-renegotiate.c
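Review bot: `trusted_ca2`, created with `CFArrayCreateMutableCopy(kCFAllocatorDefault, 0, trusted_ca)` at the top of tests_cache_trust, is never released — the cleanup only does `CFReleaseSafe(server_certs); CFReleaseSafe(trusted_ca);` — so add `CFReleaseSafe(trusted_ca2);` there. That copy is also made before `ok(trusted_ca, "trust: got trusted roots")`, so a NULL `trusted_ca` crashes inside CF before the ok() can report it; move the three ok() calls above the copy and follow them with a require. The `require(client, errOut)` / `require(server, errOut)` path has the same socketpair-leak pattern as tests_cache_ttl. The `#if TARGET_OS_IPHONE` block that opens the loop brace inside two different preprocessor branches is hard to follow; defining a single loop bound under the `#if` (constructed name: `#define N_LEAF_VARIANTS 1` vs `2`) and writing `for (leaf=0; leaf<N_LEAF_VARIANTS; leaf++) {` unconditionally would remove the conditional braces.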
@@ -0,0 +1,464 @@ + +#include <stdbool.h> +#include <pthread.h> +#include <fcntl.h> +#include <sys/mman.h> +#include <unistd.h> + +#include <CoreFoundation/CoreFoundation.h> + +#include <AssertMacros.h> +#include <Security/SecureTransportPriv.h> /* SSLSetOption */ +#include <Security/SecureTransport.h> +#include <Security/SecPolicy.h> +#include <Security/SecTrust.h> +#include <Security/SecIdentity.h> +#include <Security/SecIdentityPriv.h> +#include <Security/SecCertificatePriv.h> +#include <Security/SecKeyPriv.h> +#include <Security/SecItem.h> +#include <Security/SecRandom.h> + +#include <utilities/array_size.h> +#include <string.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <errno.h> +#include <stdlib.h> +#include <mach/mach_time.h> + +#if TARGET_OS_IPHONE +#include <Security/SecRSAKey.h> +#endif + +#include "ssl_regressions.h" +#include "ssl-utils.h" + +/* + SSL Renegotiation tests: + + Test both the client and server side. + + Test Goal: + - Make sure that renegotiation works on both client and server. 
+ + Behavior to verify: + - handshake pass or fail + +*/ + + +static OSStatus SocketWrite(SSLConnectionRef conn, const void *data, size_t *length) +{ + size_t len = *length; + uint8_t *ptr = (uint8_t *)data; + + do { + ssize_t ret; + do { + ret = write((int)conn, ptr, len); + } while ((ret < 0) && (errno == EAGAIN || errno == EINTR)); + if (ret > 0) { + len -= ret; + ptr += ret; + } + else + return -36; + } while (len > 0); + + *length = *length - len; + return errSecSuccess; +} + +static OSStatus SocketRead(SSLConnectionRef conn, void *data, size_t *length) +{ + size_t len = *length; + uint8_t *ptr = (uint8_t *)data; + + do { + ssize_t ret; + do { + ret = read((int)conn, ptr, len); + } while ((ret < 0) && (errno == EINPROGRESS || errno == EAGAIN || errno == EINTR)); + if (ret > 0) { + len -= ret; + ptr += ret; + } else { + printf("read error(%d): ret=%zd, errno=%d\n", (int)conn, ret, errno); + return -errno; + } + } while (len > 0); + + *length = *length - len; + return errSecSuccess; +} + +typedef struct { + SSLContextRef st; + int comm; + unsigned dhe_size; + bool renegotiate; +} ssl_client_handle; + +static ssl_client_handle * +ssl_client_handle_create(int comm, bool renegotiate) +{ + ssl_client_handle *handle = calloc(1, sizeof(ssl_client_handle)); + SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType); + + require(handle, out); + require(ctx, out); + + require_noerr(SSLSetIOFuncs(ctx, + (SSLReadFunc)SocketRead, (SSLWriteFunc)SocketWrite), out); + require_noerr(SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)comm), out); + static const char *peer_domain_name = "localhost"; + require_noerr(SSLSetPeerDomainName(ctx, peer_domain_name, + strlen(peer_domain_name)), out); + + require_noerr(SSLSetSessionOption(ctx, kSSLSessionOptionBreakOnServerAuth, TRUE), out); + + require_noerr(SSLSetAllowsAnyRoot(ctx, TRUE), out); + + + handle->comm = comm; + handle->st = ctx; + handle->renegotiate = renegotiate; + + return handle; + +out: + 
if (ctx) + CFRelease(ctx); + if (handle) + free(handle); + + return NULL; +} + +static void +ssl_client_handle_destroy(ssl_client_handle *handle) +{ + if(handle) { + SSLClose(handle->st); + CFRelease(handle->st); + free(handle); + } +} + +static void *securetransport_ssl_client_thread(void *arg) +{ + OSStatus ortn; + ssl_client_handle * ssl = (ssl_client_handle *)arg; + SSLContextRef ctx = ssl->st; + SSLSessionState ssl_state; + bool peer_auth_received = false; + + pthread_setname_np("client thread"); + + require_noerr(ortn=SSLGetSessionState(ctx,&ssl_state), out); + require_action(ssl_state==kSSLIdle, out, ortn = -1); + + do { + ortn = SSLHandshake(ctx); + require_noerr(SSLGetSessionState(ctx,&ssl_state), out); + + if (ortn == errSSLPeerAuthCompleted) { + require_action(!peer_auth_received, out, ortn = -1); + peer_auth_received = true; + } + if (ortn == errSSLWouldBlock) { + require_string(ssl_state==kSSLHandshake, out, "Wrong client handshake state after errSSLWouldBlock"); + } + } while (ortn == errSSLWouldBlock || ortn == errSSLPeerAuthCompleted); + + require_noerr(ortn, out); + require_action(ssl_state==kSSLConnected, out, ortn = -1); + require_action(peer_auth_received, out, ortn = -1); + + if(ssl->renegotiate) { + // Renegotiate then write + require_noerr(SSLReHandshake(ctx), out); + + peer_auth_received = false; + + do { + ortn = SSLHandshake(ctx); + require_noerr(SSLGetSessionState(ctx,&ssl_state), out); + if (ortn == errSSLPeerAuthCompleted) { + require_action(!peer_auth_received, out, ortn = -1); + peer_auth_received = true; + } + if (ortn == errSSLWouldBlock) { + require_action(ssl_state==kSSLHandshake, out, ortn = -1); + } + } while (ortn == errSSLWouldBlock || ortn == errSSLPeerAuthCompleted); + + require_noerr(ortn, out); + require_action(ssl_state==kSSLConnected, out, ortn = -1); + require_action(peer_auth_received, out, ortn = -1); + + unsigned char obuf[100]; + + size_t len = sizeof(obuf); + size_t olen; + unsigned char *p = obuf; + + 
require_action(errSecSuccess==SecRandomCopyBytes(kSecRandomDefault, len, p), out, ortn = -1); + + while (len) { + require_noerr(ortn = SSLWrite(ctx, p, len, &olen), out); + len -= olen; + p += olen; + } + } else { + // just read. + unsigned char ibuf[100]; + + peer_auth_received = false; + + size_t len = sizeof(ibuf); + size_t olen; + unsigned char *p = ibuf; + while (len) { + ortn = SSLRead(ctx, p, len, &olen); + + require_noerr(SSLGetSessionState(ctx,&ssl_state), out); + + if (ortn == errSSLPeerAuthCompleted) { + require_action(!peer_auth_received, out, ortn = -1); + peer_auth_received = true; + } else { + require_noerr(ortn, out); + } + + /* If we get data, we should have renegotiated */ + if(olen) { + require_noerr(ortn, out); + require_action(ssl_state==kSSLConnected, out, ortn = -1); + require_action(peer_auth_received, out, ortn = -1); + } + + len -= olen; + p += olen; + } + } + +out: + SSLClose(ssl->st); + close(ssl->comm); + pthread_exit((void *)(intptr_t)ortn); + return NULL; +} + + +typedef struct { + SSLContextRef st; + int comm; + CFArrayRef certs; + bool renegotiate; +} ssl_server_handle; + +static ssl_server_handle * +ssl_server_handle_create(int comm, CFArrayRef certs, bool renegotiate) +{ + ssl_server_handle *handle = calloc(1, sizeof(ssl_server_handle)); + SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, kSSLStreamType); + SSLCipherSuite cipher = TLS_RSA_WITH_AES_256_CBC_SHA256; + + require(handle, out); + require(ctx, out); + + require_noerr(SSLSetIOFuncs(ctx, + (SSLReadFunc)SocketRead, (SSLWriteFunc)SocketWrite), out); + require_noerr(SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)comm), out); + + require_noerr(SSLSetCertificate(ctx, certs), out); + + require_noerr(SSLSetEnabledCiphers(ctx, &cipher, 1), out); + + require_noerr(SSLSetSessionOption(ctx, kSSLSessionOptionBreakOnClientHello, TRUE), out); + require_noerr(SSLSetSessionOption(ctx, kSSLSessionOptionAllowRenegotiation, TRUE), out); + + handle->comm = comm; + 
handle->certs = certs; + handle->st = ctx; + handle->renegotiate = renegotiate; + + return handle; + +out: + if (ctx) + CFRelease(ctx); + if (handle) + free(handle); + + return NULL; +} + +static void +ssl_server_handle_destroy(ssl_server_handle *handle) +{ + if(handle) { + SSLClose(handle->st); + CFRelease(handle->st); + free(handle); + } +} + +static void *securetransport_ssl_server_thread(void *arg) +{ + OSStatus ortn; + ssl_server_handle * ssl = (ssl_server_handle *)arg; + SSLContextRef ctx = ssl->st; + SSLSessionState ssl_state; + bool client_hello_received = false; + + pthread_setname_np("server thread"); + + require_noerr(ortn=SSLGetSessionState(ctx,&ssl_state), out); + require_action(ssl_state==kSSLIdle, out, ortn = -1); + + do { + ortn = SSLHandshake(ctx); + require_noerr(SSLGetSessionState(ctx,&ssl_state), out); + if (ortn == errSSLClientHelloReceived) { + require_action(!client_hello_received, out, ortn = -1); + client_hello_received = true; + } + if (ortn == errSSLWouldBlock) { + require_action(ssl_state==kSSLHandshake, out, ortn = -1); + } + } while (ortn == errSSLWouldBlock || ortn == errSSLClientHelloReceived); + + require_noerr(ortn, out); + require_action(ssl_state==kSSLConnected, out, ortn = -1); + require_action(client_hello_received, out, ortn = -1); + + if(ssl->renegotiate) { + // Renegotiate then write + require_noerr(SSLReHandshake(ctx), out); + + client_hello_received = false; + + do { + ortn = SSLHandshake(ctx); + require_noerr(SSLGetSessionState(ctx,&ssl_state), out); + if (ortn == errSSLClientHelloReceived) { + require_action(!client_hello_received, out, ortn = -1); + client_hello_received = true; + } + if (ortn == errSSLWouldBlock) { + require_action(ssl_state==kSSLHandshake, out, ortn = -1); + } + } while (ortn == errSSLWouldBlock || ortn == errSSLClientHelloReceived); + + require_noerr(ortn, out); + require_action(ssl_state==kSSLConnected, out, ortn = -1); + require_action(client_hello_received, out, ortn = -1); + + unsigned char 
obuf[100]; + + size_t len = sizeof(obuf); + size_t olen; + unsigned char *p = obuf; + + require_action(errSecSuccess==SecRandomCopyBytes(kSecRandomDefault, len, p), out, ortn = -1); + + while (len) { + require_noerr(ortn = SSLWrite(ctx, p, len, &olen), out); + len -= olen; + p += olen; + } + } else { + // just read + unsigned char ibuf[100]; + + client_hello_received = false; + + size_t len = sizeof(ibuf); + size_t olen; + unsigned char *p = ibuf; + while (len) { + ortn = SSLRead(ctx, p, len, &olen); + + require_noerr(SSLGetSessionState(ctx,&ssl_state), out); + + if (ortn == errSSLClientHelloReceived) { + require_action(!client_hello_received, out, ortn = -1); + client_hello_received = true; + } else { + require_noerr(ortn, out); + } + + /* If we get data, we should have renegotiated */ + if(olen) { + require_noerr(ortn, out); + require_action(ssl_state==kSSLConnected, out, ortn = -1); + require_action(client_hello_received, out, ortn = -1); + } + + len -= olen; + p += olen; + } + } + +out: + SSLClose(ssl->st); + close(ssl->comm); + pthread_exit((void *)(intptr_t)ortn); + return NULL; +} + + +static void +test_renego(bool client_renego) +{ + pthread_t client_thread, server_thread; + CFArrayRef server_certs = server_chain(); + + ok(server_certs, "renego: got server certs"); + + + int sp[2]; + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) exit(errno); + fcntl(sp[0], F_SETNOSIGPIPE, 1); + fcntl(sp[1], F_SETNOSIGPIPE, 1); + + ssl_client_handle *client; + client = ssl_client_handle_create(sp[0], client_renego); + ok(client!=NULL, "renego: could not create client handle"); + + + ssl_server_handle *server; + server = ssl_server_handle_create(sp[1], server_certs, !client_renego); + ok(server!=NULL, "renego: could not create server handle"); + + pthread_create(&client_thread, NULL, securetransport_ssl_client_thread, client); + pthread_create(&server_thread, NULL, securetransport_ssl_server_thread, server); + + intptr_t server_err, client_err; + + pthread_join(client_thread, 
(void*)&client_err); + pthread_join(server_thread, (void*)&server_err); + + ok(client_err==0, "renego: unexpected error %ld (client)", client_err); + ok(server_err==0, "renego: unexpected error %ld (server)", server_err); + + ssl_server_handle_destroy(server); + ssl_client_handle_destroy(client); + + + CFReleaseSafe(server_certs); +} + + +int ssl_56_renegotiate(int argc, char *const *argv) +{ + plan_tests(10); + + test_renego(false); // server side trigger renego. + test_renego(true); // client side trigger renego. + + return 0; +} diff --git a/OSX/libsecurity_ssl/regressions/ssl-utils.h b/OSX/libsecurity_ssl/regressions/ssl-utils.h index 3878afe4..68016da6 100644 --- a/OSX/libsecurity_ssl/regressions/ssl-utils.h +++ b/OSX/libsecurity_ssl/regressions/ssl-utils.h @@ -30,12 +30,12 @@ #define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) { CFRelease(_cf); } } #define CFReleaseNull(CF) { CFTypeRef _cf = (CF); if (_cf) { (CF) = NULL; CFRelease(_cf); } } -CFArrayRef trusted_roots(void); -CFArrayRef server_chain(void); -CFArrayRef server_ec_chain(void); -CFArrayRef trusted_client_chain(void); -CFArrayRef trusted_ec_client_chain(void); -CFArrayRef untrusted_client_chain(void); +CFArrayRef CF_RETURNS_RETAINED trusted_roots(void); +CFArrayRef CF_RETURNS_RETAINED server_chain(void); +CFArrayRef CF_RETURNS_RETAINED server_ec_chain(void); +CFArrayRef CF_RETURNS_RETAINED trusted_client_chain(void); +CFArrayRef CF_RETURNS_RETAINED trusted_ec_client_chain(void); +CFArrayRef CF_RETURNS_RETAINED untrusted_client_chain(void); #define client_chain trusted_client_chain diff --git a/OSX/libsecurity_ssl/regressions/ssl_regressions.h b/OSX/libsecurity_ssl/regressions/ssl_regressions.h index f4c4e7f3..4c1203b3 100644 --- a/OSX/libsecurity_ssl/regressions/ssl_regressions.h +++ b/OSX/libsecurity_ssl/regressions/ssl_regressions.h @@ -32,4 +32,5 @@ ONE_TEST(ssl_52_noconn) ONE_TEST(ssl_53_clientauth) ONE_TEST(ssl_54_dhe) ONE_TEST(ssl_55_sessioncache) +ONE_TEST(ssl_56_renegotiate) 
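Review bot: In test_renego() of the new ssl-56-renegotiate.c, `ok(client!=NULL, ...)` and `ok(server!=NULL, ...)` only report a NULL handle; execution then continues into `pthread_create(&client_thread, NULL, securetransport_ssl_client_thread, client)`, and the thread dereferences `ssl->st` on the NULL pointer, so a failed handle creation crashes the whole regression binary instead of failing one test. Initialize both handles to NULL at declaration, add `require(client, out);` and `require(server, out);` after the two ok() calls, and place an `out:` label before `ssl_server_handle_destroy(server);` (both destroy functions already tolerate NULL via `if(handle)`). `SocketWrite` returns the bare literal `-36` on a write error while `SocketRead` returns `-errno`; a named OSStatus, or at least a comment stating which error -36 is meant to be, would make the failure legible in test output. The `unsigned dhe_size` field in ssl_client_handle is never set or read in this file and looks like a leftover from the ssl-54-dhe template. A one-line comment on `SSLSetAllowsAnyRoot(ctx, TRUE)` noting that root validation is disabled only because server_chain() is a test-local chain would keep the pattern from being copied as-is.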
diff --git a/OSX/libsecurity_ssl/sslViewer/fileIo.c b/OSX/libsecurity_ssl/sslViewer/fileIo.c
deleted file mode 100644
index 802de34e..00000000
--- a/OSX/libsecurity_ssl/sslViewer/fileIo.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 2001-2003,2006-2012,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * fileIo.c - simple file read/write utilities
- */
-
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include "fileIo.h"
-
-int writeFile(
- const char *fileName,
- const unsigned char *bytes,
- unsigned numBytes)
-{
- int rtn;
- int fd;
-
- fd = open(fileName, O_RDWR | O_CREAT | O_TRUNC, 0600);
- if(fd < 0) {
- return errno;
- }
- rtn = lseek(fd, 0, SEEK_SET);
- if(rtn < 0) {
- return errno;
- }
- rtn = write(fd, bytes, (size_t)numBytes);
- if(rtn != (int)numBytes) {
- if(rtn >= 0) {
- printf("writeFile: short write\n");
- }
- rtn = EIO;
- }
- else {
- rtn = 0;
- }
- close(fd);
- return rtn;
-}
-
-/*
- * Read entire file.
- */
-int readFile(
- const char *fileName,
- unsigned char **bytes, // mallocd and returned
- unsigned *numBytes) // returned
-{
- int rtn;
- int fd;
- unsigned char *buf;
- struct stat sb;
- unsigned size;
-
- *numBytes = 0;
- *bytes = NULL;
- fd = open(fileName, O_RDONLY, 0);
- if(fd < 0) {
- return errno;
- }
- rtn = fstat(fd, &sb);
- if(rtn) {
- goto errOut;
- }
- size = sb.st_size;
- buf = malloc(size);
- if(buf == NULL) {
- rtn = ENOMEM;
- goto errOut;
- }
- rtn = lseek(fd, 0, SEEK_SET);
- if(rtn < 0) {
- goto errOut;
- }
- rtn = read(fd, buf, (size_t)size);
- if(rtn != (int)size) {
- if(rtn >= 0) {
- printf("readFile: short read\n");
- }
- rtn = EIO;
- }
- else {
- rtn = 0;
- *bytes = buf;
- *numBytes = size;
- }
-errOut:
- close(fd);
- return rtn;
-}
diff --git a/OSX/libsecurity_ssl/sslViewer/ioSock.c b/OSX/libsecurity_ssl/sslViewer/ioSock.c
deleted file mode 100644
index 3c9b12db..00000000
--- a/OSX/libsecurity_ssl/sslViewer/ioSock.c
+++ /dev/null
@@ -1,502 +0,0 @@ -/* - * Copyright (c) 2006-2008,2010-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/* - * ioSock.c - socket-based I/O routines for use with Secure Transport - */ - -#include "ioSock.h" -#include <errno.h> -#include <stdio.h> - -#include <unistd.h> -#include <sys/types.h> -#include <netinet/in.h> -#include <sys/socket.h> -#include <netdb.h> -#include <arpa/inet.h> -#include <fcntl.h> - -#include <Security/SecBase.h> -#include <time.h> -#include <strings.h> - -/* debugging for this module */ -#define SSL_OT_DEBUG 1 - -/* log errors to stdout */ -#define SSL_OT_ERRLOG 1 - -/* trace all low-level network I/O */ -#define SSL_OT_IO_TRACE 0 - -/* if SSL_OT_IO_TRACE, only log non-zero length transfers */ -#define SSL_OT_IO_TRACE_NZ 1 - -/* pause after each I/O (only meaningful if SSL_OT_IO_TRACE == 1) */ -#define SSL_OT_IO_PAUSE 0 - -/* print a stream of dots while I/O pending */ -#define SSL_OT_DOT 1 - -/* dump some bytes of each I/O (only meaningful if SSL_OT_IO_TRACE == 1) */ -#define SSL_OT_IO_DUMP 0 -#define SSL_OT_IO_DUMP_SIZE 256 - -/* 
indicate errSSLWouldBlock with a '.' */ -#define SSL_DISPL_WOULD_BLOCK 0 - -/* general, not-too-verbose debugging */ -#if SSL_OT_DEBUG -#define dprintf(s) printf s -#else -#define dprintf(s) -#endif - -/* errors --> stdout */ -#if SSL_OT_ERRLOG -#define eprintf(s) printf s -#else -#define eprintf(s) -#endif - -/* trace completion of every r/w */ -#if SSL_OT_IO_TRACE -static void tprintf( - const char *str, - UInt32 req, - UInt32 act, - const UInt8 *buf) -{ - #if SSL_OT_IO_TRACE_NZ - if(act == 0) { - return; - } - #endif - printf("%s(%u): moved (%u) bytes\n", str, (unsigned)req, (unsigned)act); - #if SSL_OT_IO_DUMP - { - unsigned i; - - for(i=0; i<act; i++) { - printf("%02X ", buf[i]); - if(i >= (SSL_OT_IO_DUMP_SIZE - 1)) { - break; - } - } - printf("\n"); - } - #endif - #if SSL_OT_IO_PAUSE - { - char instr[20]; - printf("CR to continue: "); - gets(instr); - } - #endif -} - -#else -#define tprintf(str, req, act, buf) -#endif /* SSL_OT_IO_TRACE */ - -/* - * If SSL_OT_DOT, output a '.' every so often while waiting for - * connection. This gives user a chance to do something else with the - * UI. - */ - -#if SSL_OT_DOT - -static time_t lastTime = (time_t)0; -#define TIME_INTERVAL 3 - -static void outputDot() -{ - time_t thisTime = time(0); - - if((thisTime - lastTime) >= TIME_INTERVAL) { - printf("."); fflush(stdout); - lastTime = thisTime; - } -} -#else -#define outputDot() -#endif - - -/* - * One-time only init. - */ -void initSslOt(void) -{ - -} - -/* - * Connect to server. 
- */ -#define GETHOST_RETRIES 3 - -OSStatus MakeServerConnection( - const char *hostName, - int port, - int nonBlocking, // 0 or 1 - otSocket *socketNo, // RETURNED - PeerSpec *peer) // RETURNED -{ - struct sockaddr_in addr; - struct hostent *ent; - struct in_addr host; - int sock = 0; - - *socketNo = 0; - if (hostName[0] >= '0' && hostName[0] <= '9') - { - host.s_addr = inet_addr(hostName); - } - else { - unsigned dex; - /* seeing a lot of soft failures here that I really don't want to track down */ - for(dex=0; dex<GETHOST_RETRIES; dex++) { - if(dex != 0) { - printf("\n...retrying gethostbyname(%s)", hostName); - } - ent = gethostbyname(hostName); - if(ent != NULL) { - break; - } - } - if(ent == NULL) { - printf("\n***gethostbyname(%s) returned: %s\n", hostName, hstrerror(h_errno)); - return errSecIO; - } - memcpy(&host, ent->h_addr, sizeof(struct in_addr)); - } - sock = socket(AF_INET, SOCK_STREAM, 0); - addr.sin_addr = host; - addr.sin_port = htons((u_short)port); - - addr.sin_family = AF_INET; - if (connect(sock, (struct sockaddr *) &addr, sizeof(struct sockaddr_in)) != 0) - { printf("connect returned error\n"); - return errSecIO; - } - - if(nonBlocking) { - /* OK to do this after connect? */ - int rtn = fcntl(sock, F_SETFL, O_NONBLOCK); - if(rtn == -1) { - perror("fctnl(O_NONBLOCK)"); - return errSecIO; - } - } - - peer->ipAddr = addr.sin_addr.s_addr; - peer->port = htons((u_short)port); - *socketNo = (otSocket)sock; - return errSecSuccess; -} - -/* - * Set up an otSocket to listen for client connections. Call once, then - * use multiple AcceptClientConnection calls. 
- */ -OSStatus ListenForClients( - int port, - int nonBlocking, // 0 or 1 - otSocket *socketNo) // RETURNED -{ - struct sockaddr_in addr; - struct hostent *ent; - int len; - int sock; - - sock = socket(AF_INET, SOCK_STREAM, 0); - if(sock < 1) { - perror("socket"); - return errSecIO; - } - - int reuse = 1; - int err = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)); - if (err != 0) { - perror("setsockopt"); - return err; - } - - ent = gethostbyname("localhost"); - if (!ent) { - perror("gethostbyname"); - return errSecIO; - } - memcpy(&addr.sin_addr, ent->h_addr, sizeof(struct in_addr)); - - addr.sin_port = htons((u_short)port); - addr.sin_addr.s_addr = INADDR_ANY; - addr.sin_family = AF_INET; - len = sizeof(struct sockaddr_in); - if (bind(sock, (struct sockaddr *) &addr, len)) { - int theErr = errno; - perror("bind"); - if(theErr == EADDRINUSE) { - return errSecOpWr; - } - else { - return errSecIO; - } - } - if(nonBlocking) { - int rtn = fcntl(sock, F_SETFL, O_NONBLOCK); - if(rtn == -1) { - perror("fctnl(O_NONBLOCK)"); - return errSecIO; - } - } - - for(;;) { - int rtn = listen(sock, 1); - switch(rtn) { - case 0: - *socketNo = (otSocket)sock; - rtn = errSecSuccess; - break; - case EWOULDBLOCK: - continue; - default: - perror("listen"); - rtn = errSecIO; - break; - } - return rtn; - } - /* NOT REACHED */ - return 0; -} - -/* - * Accept a client connection. - */ - -/* - * Currently we always get back a different peer port number on successive - * connections, no matter what the client is doing. To test for resumable - * session support, force peer port = 0. 
- */ -#define FORCE_ACCEPT_PEER_PORT_ZERO 1 - -OSStatus AcceptClientConnection( - otSocket listenSock, // obtained from ListenForClients - otSocket *acceptSock, // RETURNED - PeerSpec *peer) // RETURNED -{ - struct sockaddr_in addr; - int sock; - socklen_t len; - - len = sizeof(struct sockaddr_in); - do { - sock = accept((int)listenSock, (struct sockaddr *) &addr, &len); - if (sock < 0) { - if(errno == EAGAIN) { - /* nonblocking, no connection yet */ - continue; - } - else { - perror("accept"); - return errSecIO; - } - } - else { - break; - } - } while(1); - *acceptSock = (otSocket)sock; - peer->ipAddr = addr.sin_addr.s_addr; - #if FORCE_ACCEPT_PEER_PORT_ZERO - peer->port = 0; - #else - peer->port = ntohs(addr.sin_port); - #endif - return errSecSuccess; -} - -/* - * Shut down a connection. - */ -void endpointShutdown( - otSocket sock) -{ - close((int)sock); -} - -/* - * R/W. Called out from SSL. - */ -OSStatus SocketRead( - SSLConnectionRef connection, - void *data, /* owned by - * caller, data - * RETURNED */ - size_t *dataLength) /* IN/OUT */ -{ - UInt32 bytesToGo = *dataLength; - UInt32 initLen = bytesToGo; - UInt8 *currData = (UInt8 *)data; - int sock = (int)((long)connection); - OSStatus rtn = errSecSuccess; - UInt32 bytesRead; - ssize_t rrtn; - - *dataLength = 0; - - for(;;) { - bytesRead = 0; - /* paranoid check, ensure errno is getting written */ - errno = -555; - rrtn = recv(sock, currData, bytesToGo, 0); - if (rrtn <= 0) { - if(rrtn == 0) { - /* closed, EOF */ - rtn = errSSLClosedGraceful; - break; - } - int theErr = errno; - switch(theErr) { - case ENOENT: - /* - * Undocumented but I definitely see this. - * Non-blocking sockets only. Definitely retriable - * just like an EAGAIN. - */ - dprintf(("SocketRead RETRYING on ENOENT, rrtn %d\n", - (int)rrtn)); - /* normal... */ - //rtn = errSSLWouldBlock; - /* ...for temp testing.... 
*/ - rtn = errSecIO; - break; - case ECONNRESET: - /* explicit peer abort */ - rtn = errSSLClosedAbort; - break; - case EAGAIN: - /* nonblocking, no data */ - rtn = errSSLWouldBlock; - break; - default: - dprintf(("SocketRead: read(%u) error %d, rrtn %d\n", - (unsigned)bytesToGo, theErr, (int)rrtn)); - rtn = errSecIO; - break; - } - /* in any case, we're done with this call if rrtn <= 0 */ - break; - } - bytesRead = rrtn; - bytesToGo -= bytesRead; - currData += bytesRead; - - if(bytesToGo == 0) { - /* filled buffer with incoming data, done */ - break; - } - } - *dataLength = initLen - bytesToGo; - tprintf("SocketRead", initLen, *dataLength, (UInt8 *)data); - - #if SSL_OT_DOT || (SSL_OT_DEBUG && !SSL_OT_IO_TRACE) - if((rtn == 0) && (*dataLength == 0)) { - /* keep UI alive */ - outputDot(); - } - #endif - #if SSL_DISPL_WOULD_BLOCK - if(rtn == errSSLWouldBlock) { - printf("."); fflush(stdout); - } - #endif - return rtn; -} - -int oneAtATime = 0; - -OSStatus SocketWrite( - SSLConnectionRef connection, - const void *data, - size_t *dataLength) /* IN/OUT */ -{ - size_t bytesSent = 0; - int sock = (int)((long)connection); - int length; - size_t dataLen = *dataLength; - const UInt8 *dataPtr = (UInt8 *)data; - OSStatus ortn; - - if(oneAtATime && (*dataLength > 1)) { - size_t i; - size_t outLen; - size_t thisMove; - - outLen = 0; - for(i=0; i<dataLen; i++) { - thisMove = 1; - ortn = SocketWrite(connection, dataPtr, &thisMove); - outLen += thisMove; - dataPtr++; - if(ortn) { - return ortn; - } - } - return errSecSuccess; - } - *dataLength = 0; - - do { - length = write(sock, - (char*)dataPtr + bytesSent, - dataLen - bytesSent); - } while ((length > 0) && - ( (bytesSent += length) < dataLen) ); - - if(length <= 0) { - int theErr = errno; - switch(theErr) { - case EAGAIN: - ortn = errSSLWouldBlock; break; - case EPIPE: - ortn = errSSLClosedAbort; break; - default: - dprintf(("SocketWrite: write(%u) error %d\n", - (unsigned)(dataLen - bytesSent), theErr)); - ortn = errSecIO; - 
break; - } - } - else { - ortn = errSecSuccess; - } - tprintf("SocketWrite", dataLen, bytesSent, dataPtr); - *dataLength = bytesSent; - return ortn; -} diff --git a/OSX/libsecurity_ssl/sslViewer/ioSock.h b/OSX/libsecurity_ssl/sslViewer/ioSock.h deleted file mode 100644 index 1faf47b4..00000000 --- a/OSX/libsecurity_ssl/sslViewer/ioSock.h +++ /dev/null 
@@ -1,110 +0,0 @@
-/*
- * Copyright (c) 2006-2008,2010-2012,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * ioSock.h - socket-based I/O routines for use with Secure Transport
- */
-
-#ifndef _IO_SOCK_H_
-#define _IO_SOCK_H_
-
-#include <Security/SecureTransport.h>
-#include <sys/types.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Opaque reference to an Open Transport connection.
- */
-typedef int otSocket;
-
-/*
- * info about a peer returned from MakeServerConnection() and
- * AcceptClientConnection().
- */
-typedef struct
-{ UInt32 ipAddr;
- int port;
-} PeerSpec;
-
-/*
- * Ont-time only init.
- */
-void initSslOt(void);
-
-/*
- * Connect to server.
- */
-extern OSStatus MakeServerConnection(
- const char *hostName,
- int port,
- int nonBlocking, // 0 or 1
- otSocket *socketNo, // RETURNED
- PeerSpec *peer); // RETURNED
-
-/*
- * Set up an otSocket to listen for client connections. Call once, then
- * use multiple AcceptClientConnection calls.
- */
-OSStatus ListenForClients(
- int port,
- int nonBlocking, // 0 or 1
- otSocket *socketNo); // RETURNED
-
-/*
- * Accept a client connection. Call endpointShutdown() for each successful;
- * return from this function.
- */
-OSStatus AcceptClientConnection(
- otSocket listenSock, // obtained from ListenForClients
- otSocket *acceptSock, // RETURNED
- PeerSpec *peer); // RETURNED
-
-/*
- * Shut down a connection.
- */
-void endpointShutdown(
- otSocket socket);
-
-/*
- * R/W. Called out from SSL.
- */
-OSStatus SocketRead(
- SSLConnectionRef connection,
- void *data, /* owned by
- * caller, data
- * RETURNED */
- size_t *dataLength); /* IN/OUT */
-
-OSStatus SocketWrite(
- SSLConnectionRef connection,
- const void *data,
- size_t *dataLength); /* IN/OUT */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _IO_SOCK_H_ */
diff --git a/OSX/libsecurity_ssl/sslViewer/printCert.c b/OSX/libsecurity_ssl/sslViewer/printCert.c
deleted file mode 100644
index 9857fe0a..00000000
--- a/OSX/libsecurity_ssl/sslViewer/printCert.c
+++ /dev/null
@@ -1,218 +0,0 @@
-/*
- * Copyright (c) 2003-2008,2011-2012,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * printCert.c - utility functions for printing certificate info
- */
-
-#include "printCert.h"
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecTrustPriv.h>
-
-void fprint_string(CFStringRef string, FILE *file) {
- UInt8 buf[256];
- CFRange range = { .location = 0 };
- range.length = CFStringGetLength(string);
- while (range.length > 0) {
- CFIndex bytesUsed = 0;
- CFIndex converted = CFStringGetBytes(string, range, kCFStringEncodingUTF8, 0, false, buf, sizeof(buf), &bytesUsed);
- fwrite(buf, 1, bytesUsed, file);
- range.length -= converted;
- range.location += converted;
- }
-}
-
-void print_line(CFStringRef line) {
- fprint_string(line, stdout);
- fputc('\n', stdout);
-}
-
-static void printPlist(CFArrayRef plist, CFIndex indent, CFIndex maxWidth) {
- CFIndex count = CFArrayGetCount(plist);
- CFIndex ix;
- for (ix = 0; ix < count ; ++ix) {
- CFDictionaryRef prop = (CFDictionaryRef)CFArrayGetValueAtIndex(plist,
- ix);
- CFStringRef pType = (CFStringRef)CFDictionaryGetValue(prop,
- kSecPropertyKeyType);
- CFStringRef label = (CFStringRef)CFDictionaryGetValue(prop,
- kSecPropertyKeyLabel);
- CFStringRef llabel = (CFStringRef)CFDictionaryGetValue(prop,
- kSecPropertyKeyLocalizedLabel);
- CFTypeRef value = (CFTypeRef)CFDictionaryGetValue(prop,
- kSecPropertyKeyValue);
-
- bool isSection = CFEqual(pType, kSecPropertyTypeSection);
- CFMutableStringRef line = CFStringCreateMutable(NULL, 0);
- CFIndex jx = 0;
- for (jx = 0; jx < indent; ++jx) {
- CFStringAppend(line, CFSTR(" "));
- }
- if (llabel) {
- CFStringAppend(line, llabel);
- if (!isSection) {
- for (jx = CFStringGetLength(llabel) + indent * 4;
- jx < maxWidth; ++jx) {
- CFStringAppend(line, CFSTR(" "));
- }
- CFStringAppend(line, CFSTR(" : "));
- }
- }
- if (CFEqual(pType, kSecPropertyTypeWarning)) {
- CFStringAppend(line, CFSTR("*WARNING* "));
- CFStringAppend(line, (CFStringRef)value);
- } else if (CFEqual(pType, kSecPropertyTypeError)) {
- CFStringAppend(line, CFSTR("*ERROR* "));
- CFStringAppend(line, (CFStringRef)value);
- } else if (CFEqual(pType, kSecPropertyTypeSuccess)) {
- CFStringAppend(line, CFSTR("*OK* "));
- CFStringAppend(line, (CFStringRef)value);
- } else if (CFEqual(pType, kSecPropertyTypeTitle)) {
- CFStringAppend(line, CFSTR("*"));
- CFStringAppend(line, (CFStringRef)value);
- CFStringAppend(line, CFSTR("*"));
- } else if (CFEqual(pType, kSecPropertyTypeSection)) {
- } else if (CFEqual(pType, kSecPropertyTypeData)) {
- CFDataRef data = (CFDataRef)value;
- CFIndex length = CFDataGetLength(data);
- if (length > 20)
- CFStringAppendFormat(line, NULL, CFSTR("[%d bytes] "), length);
- const UInt8 *bytes = CFDataGetBytePtr(data);
- for (jx = 0; jx < length; ++jx) {
- if (jx == 0)
- CFStringAppendFormat(line, NULL, CFSTR("%02X"), bytes[jx]);
- else if (jx < 15 || length <= 20)
- CFStringAppendFormat(line, NULL, CFSTR(" %02X"),
- bytes[jx]);
- else {
- CFStringAppend(line, CFSTR(" ..."));
- break;
- }
- }
- } else if (CFEqual(pType, kSecPropertyTypeString)) {
- CFStringAppend(line, (CFStringRef)value);
- } else if (CFEqual(pType, kSecPropertyTypeDate)) {
- CFDateRef date = (CFDateRef)value;
- CFLocaleRef lc = CFLocaleCopyCurrent();
- CFDateFormatterRef df = CFDateFormatterCreate(NULL, lc, kCFDateFormatterMediumStyle, kCFDateFormatterLongStyle);
- CFStringRef ds;
- if (df) {
- CFTimeZoneRef tz = CFTimeZoneCreateWithTimeIntervalFromGMT(NULL, 0.0);
- CFDateFormatterSetProperty(df, kCFDateFormatterTimeZone, tz);
- CFRelease(tz);
- ds = CFDateFormatterCreateStringWithDate(NULL, df, date);
- CFRelease(df);
- } else {
- ds = CFStringCreateWithFormat(NULL, NULL, CFSTR("%g"), CFDateGetAbsoluteTime(date));
- }
- CFStringAppend(line, ds);
- CFRelease(ds);
- CFRelease(lc);
- } else if (CFEqual(pType, kSecPropertyTypeURL)) {
- CFURLRef url = (CFURLRef)value;
- CFStringAppend(line, CFSTR("<"));
- CFStringAppend(line, CFURLGetString(url));
- CFStringAppend(line, CFSTR(">"));
- } else {
- CFStringAppendFormat(line, NULL, CFSTR("*unknown type %@* = %@"),
- pType, value);
- }
-
- if (!isSection || label)
- print_line(line);
- CFRelease(line);
- if (isSection) {
- printPlist((CFArrayRef)value, indent + 1, maxWidth);
- }
- }
-}
-
-static CFIndex maxLabelWidth(CFArrayRef plist, CFIndex indent) {
- CFIndex count = CFArrayGetCount(plist);
- CFIndex ix;
- CFIndex maxWidth = 0;
- for (ix = 0; ix < count ; ++ix) {
- CFDictionaryRef prop = (CFDictionaryRef)CFArrayGetValueAtIndex(plist,
- ix);
- CFStringRef pType = (CFStringRef)CFDictionaryGetValue(prop,
- kSecPropertyKeyType);
- CFStringRef llabel = (CFStringRef)CFDictionaryGetValue(prop,
- kSecPropertyKeyLocalizedLabel);
- CFTypeRef value = (CFTypeRef)CFDictionaryGetValue(prop,
- kSecPropertyKeyValue);
-
- if (CFEqual(pType, kSecPropertyTypeSection)) {
- CFIndex width = maxLabelWidth((CFArrayRef)value, indent + 1);
- if (width > maxWidth)
- maxWidth = width;
- } else if (llabel) {
- CFIndex width = indent * 4 + CFStringGetLength(llabel);
- if (width > maxWidth)
- maxWidth = width;
- }
- }
-
- return maxWidth;
-}
-
-void print_plist(CFArrayRef plist) {
- if (plist)
- printPlist(plist, 0, maxLabelWidth(plist, 0));
- else
- printf("NULL plist\n");
-}
-
-void print_cert(SecCertificateRef cert, bool verbose) {
-// TODO: merge these when all SecCertificate APIs are present on both iOS and OS X
-#if TARGET_OS_IOS
- CFArrayRef plist;
- if (verbose)
- plist = SecCertificateCopyProperties(cert);
- else {
- CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
- plist = SecCertificateCopySummaryProperties(cert, now);
- }
-
- CFStringRef subject = SecCertificateCopySubjectString(cert);
- if (subject) {
- print_line(subject);
- CFRelease(subject);
- } else {
- print_line(CFSTR("no subject"));
- }
-
- print_plist(plist);
- CFRelease(plist);
-#else
- CFStringRef certName = NULL;
- OSStatus status = SecCertificateInferLabel(cert, &certName);
- if (certName) {
- print_line(certName);
- CFRelease(certName);
- }
- else {
- fprintf(stdout, "ERROR: unable to read certificate name\n");
- }
-#endif
-}
diff --git a/OSX/libsecurity_ssl/sslViewer/sslAppUtils.cpp b/OSX/libsecurity_ssl/sslViewer/sslAppUtils.cpp
deleted file mode 100644
index e3ba62d1..00000000
--- a/OSX/libsecurity_ssl/sslViewer/sslAppUtils.cpp
+++ /dev/null
@@ -1,1592 +0,0 @@ -/* - * Copyright (c) 2006-2008,2010-2014 Apple Inc. All Rights Reserved. - */ - -#include "sslAppUtils.h" -#include "fileIo.h" -#include <stdlib.h> -#include <stdio.h> -#include <sys/param.h> -#include <Security/SecBase.h> - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/Security.h> -#include <Security/SecIdentityPriv.h> -#include <AssertMacros.h> - -#define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); } - -const char *sslGetCipherSuiteString(SSLCipherSuite cs) -{ - static char noSuite[40]; - - switch (cs) { - /* TLS cipher suites, RFC 2246 */ - case SSL_NULL_WITH_NULL_NULL: return "TLS_NULL_WITH_NULL_NULL"; - case SSL_RSA_WITH_NULL_MD5: return "TLS_RSA_WITH_NULL_MD5"; - case SSL_RSA_WITH_NULL_SHA: return "TLS_RSA_WITH_NULL_SHA"; - case SSL_RSA_EXPORT_WITH_RC4_40_MD5: return "TLS_RSA_EXPORT_WITH_RC4_40_MD5"; - case SSL_RSA_WITH_RC4_128_MD5: return "TLS_RSA_WITH_RC4_128_MD5"; - case SSL_RSA_WITH_RC4_128_SHA: return "TLS_RSA_WITH_RC4_128_SHA"; - case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5: return "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"; - case SSL_RSA_WITH_IDEA_CBC_SHA: return "TLS_RSA_WITH_IDEA_CBC_SHA"; - case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"; - case SSL_RSA_WITH_DES_CBC_SHA: return "TLS_RSA_WITH_DES_CBC_SHA"; - case SSL_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_RSA_WITH_3DES_EDE_CBC_SHA"; - case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"; - case SSL_DH_DSS_WITH_DES_CBC_SHA: return "TLS_DH_DSS_WITH_DES_CBC_SHA"; - case SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA: return "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"; - case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"; - case SSL_DH_RSA_WITH_DES_CBC_SHA: return "TLS_DH_RSA_WITH_DES_CBC_SHA"; - case SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"; - case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"; 
- case SSL_DHE_DSS_WITH_DES_CBC_SHA: return "TLS_DHE_DSS_WITH_DES_CBC_SHA"; - case SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA: return "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"; - case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"; - case SSL_DHE_RSA_WITH_DES_CBC_SHA: return "TLS_DHE_RSA_WITH_DES_CBC_SHA"; - case SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"; - case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5: return "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"; - case SSL_DH_anon_WITH_RC4_128_MD5: return "TLS_DH_anon_WITH_RC4_128_MD5"; - case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA: return "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"; - case SSL_DH_anon_WITH_DES_CBC_SHA: return "TLS_DH_anon_WITH_DES_CBC_SHA"; - case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA: return "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"; - - /* SSLv3 Fortezza cipher suites, from NSS */ - case SSL_FORTEZZA_DMS_WITH_NULL_SHA: return "SSL_FORTEZZA_DMS_WITH_NULL_SHA"; - case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:return "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA"; - - /* TLS addenda using AES-CBC, RFC 3268 */ - case TLS_RSA_WITH_AES_128_CBC_SHA: return "TLS_RSA_WITH_AES_128_CBC_SHA"; - case TLS_DH_DSS_WITH_AES_128_CBC_SHA: return "TLS_DH_DSS_WITH_AES_128_CBC_SHA"; - case TLS_DH_RSA_WITH_AES_128_CBC_SHA: return "TLS_DH_RSA_WITH_AES_128_CBC_SHA"; - case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"; - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; - case TLS_DH_anon_WITH_AES_128_CBC_SHA: return "TLS_DH_anon_WITH_AES_128_CBC_SHA"; - case TLS_RSA_WITH_AES_256_CBC_SHA: return "TLS_RSA_WITH_AES_256_CBC_SHA"; - case TLS_DH_DSS_WITH_AES_256_CBC_SHA: return "TLS_DH_DSS_WITH_AES_256_CBC_SHA"; - case TLS_DH_RSA_WITH_AES_256_CBC_SHA: return "TLS_DH_RSA_WITH_AES_256_CBC_SHA"; - case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"; - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return 
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; - case TLS_DH_anon_WITH_AES_256_CBC_SHA: return "TLS_DH_anon_WITH_AES_256_CBC_SHA"; - - /* ECDSA addenda, RFC 4492 */ - case TLS_ECDH_ECDSA_WITH_NULL_SHA: return "TLS_ECDH_ECDSA_WITH_NULL_SHA"; - case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"; - case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"; - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"; - case TLS_ECDHE_ECDSA_WITH_NULL_SHA: return "TLS_ECDHE_ECDSA_WITH_NULL_SHA"; - case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"; - case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"; - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; - case TLS_ECDH_RSA_WITH_NULL_SHA: return "TLS_ECDH_RSA_WITH_NULL_SHA"; - case TLS_ECDH_RSA_WITH_RC4_128_SHA: return "TLS_ECDH_RSA_WITH_RC4_128_SHA"; - case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"; - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"; - case TLS_ECDHE_RSA_WITH_NULL_SHA: return "TLS_ECDHE_RSA_WITH_NULL_SHA"; - case TLS_ECDHE_RSA_WITH_RC4_128_SHA: return "TLS_ECDHE_RSA_WITH_RC4_128_SHA"; - case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"; - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; - case TLS_ECDH_anon_WITH_NULL_SHA: return "TLS_ECDH_anon_WITH_NULL_SHA"; - case TLS_ECDH_anon_WITH_RC4_128_SHA: return 
"TLS_ECDH_anon_WITH_RC4_128_SHA"; - case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA: return "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"; - case TLS_ECDH_anon_WITH_AES_128_CBC_SHA: return "TLS_ECDH_anon_WITH_AES_128_CBC_SHA"; - case TLS_ECDH_anon_WITH_AES_256_CBC_SHA: return "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"; - - /* TLS 1.2 addenda, RFC 5246 */ - case TLS_RSA_WITH_AES_128_CBC_SHA256: return "TLS_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_RSA_WITH_AES_256_CBC_SHA256: return "TLS_RSA_WITH_AES_256_CBC_SHA256"; - case TLS_DH_DSS_WITH_AES_128_CBC_SHA256: return "TLS_DH_DSS_WITH_AES_128_CBC_SHA256"; - case TLS_DH_RSA_WITH_AES_128_CBC_SHA256: return "TLS_DH_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"; - case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_DH_DSS_WITH_AES_256_CBC_SHA256: return "TLS_DH_DSS_WITH_AES_256_CBC_SHA256"; - case TLS_DH_RSA_WITH_AES_256_CBC_SHA256: return "TLS_DH_RSA_WITH_AES_256_CBC_SHA256"; - case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"; - case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; - case TLS_DH_anon_WITH_AES_128_CBC_SHA256: return "TLS_DH_anon_WITH_AES_128_CBC_SHA256"; - case TLS_DH_anon_WITH_AES_256_CBC_SHA256: return "TLS_DH_anon_WITH_AES_256_CBC_SHA256"; - - /* TLS addenda using AES-GCM, RFC 5288 */ - case TLS_RSA_WITH_AES_128_GCM_SHA256: return "TLS_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_RSA_WITH_AES_256_GCM_SHA384: return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; - case TLS_DH_RSA_WITH_AES_128_GCM_SHA256: return "TLS_DH_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_DH_RSA_WITH_AES_256_GCM_SHA384: return "TLS_DH_RSA_WITH_AES_256_GCM_SHA384"; - case 
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: return "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"; - case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: return "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"; - case TLS_DH_DSS_WITH_AES_128_GCM_SHA256: return "TLS_DH_DSS_WITH_AES_128_GCM_SHA256"; - case TLS_DH_DSS_WITH_AES_256_GCM_SHA384: return "TLS_DH_DSS_WITH_AES_256_GCM_SHA384"; - case TLS_DH_anon_WITH_AES_128_GCM_SHA256: return "TLS_DH_anon_WITH_AES_128_GCM_SHA256"; - case TLS_DH_anon_WITH_AES_256_GCM_SHA384: return "TLS_DH_anon_WITH_AES_256_GCM_SHA384"; - - /* ECDSA addenda, RFC 5289 */ - case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; - case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; - case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"; - case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"; - case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; - case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"; - case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"; - case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; - case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; - case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; - case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; - case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"; - case 
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"; - - /* - * Tags for SSL 2 cipher kinds which are not specified for SSL 3. - */ - case SSL_RSA_WITH_RC2_CBC_MD5: return "TLS_RSA_WITH_RC2_CBC_MD5"; - case SSL_RSA_WITH_IDEA_CBC_MD5: return "TLS_RSA_WITH_IDEA_CBC_MD5"; - case SSL_RSA_WITH_DES_CBC_MD5: return "TLS_RSA_WITH_DES_CBC_MD5"; - case SSL_RSA_WITH_3DES_EDE_CBC_MD5: return "TLS_RSA_WITH_3DES_EDE_CBC_MD5"; - case SSL_NO_SUCH_CIPHERSUITE: return "SSL_NO_SUCH_CIPHERSUITE"; - - default: - snprintf(noSuite, sizeof(noSuite), "Unknown ciphersuite 0x%04x", (unsigned)cs); - return noSuite; - } -} - -/* - * Given a SSLProtocolVersion - typically from SSLGetProtocolVersion - - * return a string representation. - */ -const char *sslGetProtocolVersionString(SSLProtocol prot) -{ - static char noProt[20]; - - switch(prot) { - case kSSLProtocolUnknown: return "kSSLProtocolUnknown"; - case kSSLProtocol2: return "kSSLProtocol2"; - case kSSLProtocol3: return "kSSLProtocol3"; - case kSSLProtocol3Only: return "kSSLProtocol3Only"; - case kTLSProtocol1: return "kTLSProtocol1"; - case kTLSProtocol1Only: return "kTLSProtocol1Only"; - case kTLSProtocol11: return "kTLSProtocol11"; - case kTLSProtocol12: return "kTLSProtocol12"; - default: - sprintf(noProt, "Unknown (%d)", (unsigned)prot); - return noProt; - } -} - -/* - * Return string representation of SecureTransport-related OSStatus. 
- */ -const char *sslGetSSLErrString(OSStatus err) -{ - static char errSecSuccessStr[20]; - - switch(err) { - case errSecSuccess: return "errSecSuccess"; - case errSecAllocate: return "errSecAllocate"; - case errSecParam: return "errSecParam"; - case errSecUnimplemented: return "errSecUnimplemented"; - case errSecIO: return "errSecIO"; - case errSecBadReq: return "errSecBadReq"; - /* SSL errors */ - case errSSLProtocol: return "errSSLProtocol"; - case errSSLNegotiation: return "errSSLNegotiation"; - case errSSLFatalAlert: return "errSSLFatalAlert"; - case errSSLWouldBlock: return "errSSLWouldBlock"; - case errSSLSessionNotFound: return "errSSLSessionNotFound"; - case errSSLClosedGraceful: return "errSSLClosedGraceful"; - case errSSLClosedAbort: return "errSSLClosedAbort"; - case errSSLXCertChainInvalid: return "errSSLXCertChainInvalid"; - case errSSLBadCert: return "errSSLBadCert"; - case errSSLCrypto: return "errSSLCrypto"; - case errSSLInternal: return "errSSLInternal"; - case errSSLModuleAttach: return "errSSLModuleAttach"; - case errSSLUnknownRootCert: return "errSSLUnknownRootCert"; - case errSSLNoRootCert: return "errSSLNoRootCert"; - case errSSLCertExpired: return "errSSLCertExpired"; - case errSSLCertNotYetValid: return "errSSLCertNotYetValid"; - case errSSLClosedNoNotify: return "errSSLClosedNoNotify"; - case errSSLBufferOverflow: return "errSSLBufferOverflow"; - case errSSLBadCipherSuite: return "errSSLBadCipherSuite"; - /* TLS/Panther addenda */ - case errSSLPeerUnexpectedMsg: return "errSSLPeerUnexpectedMsg"; - case errSSLPeerBadRecordMac: return "errSSLPeerBadRecordMac"; - case errSSLPeerDecryptionFail: return "errSSLPeerDecryptionFail"; - case errSSLPeerRecordOverflow: return "errSSLPeerRecordOverflow"; - case errSSLPeerDecompressFail: return "errSSLPeerDecompressFail"; - case errSSLPeerHandshakeFail: return "errSSLPeerHandshakeFail"; - case errSSLPeerBadCert: return "errSSLPeerBadCert"; - case errSSLPeerUnsupportedCert: return 
"errSSLPeerUnsupportedCert"; - case errSSLPeerCertRevoked: return "errSSLPeerCertRevoked"; - case errSSLPeerCertExpired: return "errSSLPeerCertExpired"; - case errSSLPeerCertUnknown: return "errSSLPeerCertUnknown"; - case errSSLIllegalParam: return "errSSLIllegalParam"; - case errSSLPeerUnknownCA: return "errSSLPeerUnknownCA"; - case errSSLPeerAccessDenied: return "errSSLPeerAccessDenied"; - case errSSLPeerDecodeError: return "errSSLPeerDecodeError"; - case errSSLPeerDecryptError: return "errSSLPeerDecryptError"; - case errSSLPeerExportRestriction: return "errSSLPeerExportRestriction"; - case errSSLPeerProtocolVersion: return "errSSLPeerProtocolVersion"; - case errSSLPeerInsufficientSecurity:return "errSSLPeerInsufficientSecurity"; - case errSSLPeerInternalError: return "errSSLPeerInternalError"; - case errSSLPeerUserCancelled: return "errSSLPeerUserCancelled"; - case errSSLPeerNoRenegotiation: return "errSSLPeerNoRenegotiation"; - case errSSLHostNameMismatch: return "errSSLHostNameMismatch"; - case errSSLConnectionRefused: return "errSSLConnectionRefused"; - case errSSLDecryptionFail: return "errSSLDecryptionFail"; - case errSSLBadRecordMac: return "errSSLBadRecordMac"; - case errSSLRecordOverflow: return "errSSLRecordOverflow"; - case errSSLBadConfiguration: return "errSSLBadConfiguration"; - - /* some from the Sec layer */ - case errSecNotAvailable: return "errSecNotAvailable"; - case errSecDuplicateItem: return "errSecDuplicateItem"; - case errSecItemNotFound: return "errSecItemNotFound"; -#if !TARGET_OS_IPHONE - case errSecReadOnly: return "errSecReadOnly"; - case errSecAuthFailed: return "errSecAuthFailed"; - case errSecNoSuchKeychain: return "errSecNoSuchKeychain"; - case errSecInvalidKeychain: return "errSecInvalidKeychain"; - case errSecNoSuchAttr: return "errSecNoSuchAttr"; - case errSecInvalidItemRef: return "errSecInvalidItemRef"; - case errSecInvalidSearchRef: return "errSecInvalidSearchRef"; - case errSecNoSuchClass: return "errSecNoSuchClass"; - case 
errSecNoDefaultKeychain: return "errSecNoDefaultKeychain"; - case errSecWrongSecVersion: return "errSecWrongSecVersion"; - case errSecInvalidTrustSettings: return "errSecInvalidTrustSettings"; - case errSecNoTrustSettings: return "errSecNoTrustSettings"; -#endif - default: -#if 0 - if (err < (CSSM_BASE_ERROR + - (CSSM_ERRORCODE_MODULE_EXTENT * 8))) - { - /* assume CSSM error */ - return cssmErrToStr(err); - } - else -#endif - { - sprintf(errSecSuccessStr, "Unknown (%d)", (unsigned)err); - return errSecSuccessStr; - } - } -} - -void printSslErrStr( - const char *op, - OSStatus err) -{ - printf("*** %s: %s\n", op, sslGetSSLErrString(err)); -} - -const char *sslGetClientCertStateString(SSLClientCertificateState state) -{ - static char noState[20]; - - switch(state) { - case kSSLClientCertNone: return "ClientCertNone"; - case kSSLClientCertRequested: return "CertRequested"; - case kSSLClientCertSent: return "ClientCertSent"; - case kSSLClientCertRejected: return "ClientCertRejected"; - default: - sprintf(noState, "Unknown (%d)", (unsigned)state); - return noState; - } - -} - -const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType) -{ - static char noType[20]; - - switch(authType) { - case SSLClientAuthNone: return "None"; - case SSLClientAuth_RSASign: return "RSASign"; - case SSLClientAuth_DSSSign: return "DSSSign"; - case SSLClientAuth_RSAFixedDH: return "RSAFixedDH"; - case SSLClientAuth_DSS_FixedDH: return "DSS_FixedDH"; - case SSLClientAuth_ECDSASign: return "ECDSASign"; - case SSLClientAuth_RSAFixedECDH: return "RSAFixedECDH"; - case SSLClientAuth_ECDSAFixedECDH: return "ECDSAFixedECDH"; - default: - sprintf(noType, "Unknown (%d)", (unsigned)authType); - return noType; - } -} - -/* - * Convert a keychain name (which may be NULL) into the CFArrayRef required - * by SSLSetCertificate. 
This is a bare-bones example of this operation, - * since it requires and assumes that there is exactly one SecIdentity - * in the keychain - i.e., there is exactly one matching cert/private key - * pair. A real world server would probably search a keychain for a SecIdentity - * matching some specific criteria. - */ -CFArrayRef getSslCerts( - const char *kcName, // may be NULL, i.e., use default - bool encryptOnly, - bool completeCertChain, - const char *anchorFile, // optional trusted anchor - SecKeychainRef *pKcRef) // RETURNED -{ -#if 0 - SecKeychainRef kcRef = nil; - OSStatus ortn; - - *pKcRef = nil; - - /* pick a keychain */ - if(kcName) { - ortn = SecKeychainOpen(kcName, &kcRef); - if(ortn) { - printf("SecKeychainOpen returned %d.\n", (int)ortn); - printf("Cannot open keychain at %s. Aborting.\n", kcName); - return NULL; - } - } - else { - /* use default keychain */ - ortn = SecKeychainCopyDefault(&kcRef); - if(ortn) { - printf("SecKeychainCopyDefault returned %d; aborting.\n", (int)ortn); - return nil; - } - } - *pKcRef = kcRef; - return sslKcRefToCertArray(kcRef, encryptOnly, completeCertChain, anchorFile); -#elif TARGET_OS_IOS - SecCertificateRef cert = NULL; - SecIdentityRef identity = NULL; - CFMutableArrayRef certificates = NULL, result = NULL; - CFMutableDictionaryRef certQuery = NULL, keyQuery = NULL, keyResult = NULL; - SecTrustRef trust = NULL; - SecKeyRef key = NULL; - CFTypeRef pkdigest = NULL; - - // Find the first private key in the keychain and return both its - // attributes and a ref to it. 
- require(keyQuery = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut); - CFDictionaryAddValue(keyQuery, kSecClass, kSecClassKey); - CFDictionaryAddValue(keyQuery, kSecAttrKeyClass, kSecAttrKeyClassPrivate); - CFDictionaryAddValue(keyQuery, kSecReturnRef, kCFBooleanTrue); - CFDictionaryAddValue(keyQuery, kSecReturnAttributes, kCFBooleanTrue); - require_noerr(SecItemCopyMatching(keyQuery, (CFTypeRef *)&keyResult), - errOut); - require(key = (SecKeyRef)CFDictionaryGetValue(keyResult, kSecValueRef), - errOut); - require(pkdigest = CFDictionaryGetValue(keyResult, kSecAttrApplicationLabel), - errOut); - - // Find the first certificate that has the same public key hash as the - // returned private key and return it as a ref. - require(certQuery = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut); - CFDictionaryAddValue(certQuery, kSecClass, kSecClassCertificate); - CFDictionaryAddValue(certQuery, kSecAttrPublicKeyHash, pkdigest); - CFDictionaryAddValue(certQuery, kSecReturnRef, kCFBooleanTrue); - require_noerr(SecItemCopyMatching(certQuery, (CFTypeRef *)&cert), errOut); - - // Create an identity from the key and certificate. - require(identity = SecIdentityCreate(NULL, cert, key), errOut); - - // Build a (partial) certificate chain from cert - require(certificates = CFArrayCreateMutable(NULL, 0, - &kCFTypeArrayCallBacks), errOut); - CFArrayAppendValue(certificates, cert); - require_noerr(SecTrustCreateWithCertificates(certificates, NULL, &trust), - errOut); - SecTrustResultType tresult; - require_noerr(SecTrustEvaluate(trust, &tresult), errOut); - - CFIndex certCount, ix; - // We need at least 1 certificate - require(certCount = SecTrustGetCertificateCount(trust), errOut); - - // Build a result where element 0 is the identity and the other elements - // are the certs in the chain starting at the first intermediate up to the - // anchor, if we found one, or as far as we were able to build the chain - // if not. 
- require(result = CFArrayCreateMutable(NULL, certCount, &kCFTypeArrayCallBacks), - errOut); - - // We are commited to returning a result now, so do not use require below - // this line without setting result to NULL again. - CFArrayAppendValue(result, identity); - for (ix = 1; ix < certCount; ++ix) { - CFArrayAppendValue(result, SecTrustGetCertificateAtIndex(trust, ix)); - } - -errOut: - CFReleaseSafe(trust); - CFReleaseSafe(certificates); - CFReleaseSafe(identity); - CFReleaseSafe(cert); - CFReleaseSafe(certQuery); - CFReleaseSafe(keyResult); - CFReleaseSafe(keyQuery); - - return result; - -#else /* !TARGET_OS_IOS */ - SecIdentityRef identity = NULL; - CFMutableDictionaryRef query = NULL; - CFArrayRef items = NULL; - require(query = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut); - CFDictionaryAddValue(query, kSecClass, kSecClassIdentity); - CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue); - require_noerr(SecItemCopyMatching(query, (CFTypeRef *)&identity), errOut); - - items = CFArrayCreate(kCFAllocatorDefault, - (const void **)&identity, 1, &kCFTypeArrayCallBacks); - -errOut: - CFReleaseSafe(identity); - CFReleaseSafe(query); - - return items; - -#endif - -} - -#if 0 -/* - * Determine if specified SecCertificateRef is a self-signed cert. - * We do this by comparing the subject and issuerr names; no cryptographic - * verification is performed. - * - * Returns true if the cert appears to be a root. 
- */ -static bool isCertRefRoot( - SecCertificateRef certRef) -{ - bool brtn = false; -#if 0 - /* just search for the two attrs we want */ - UInt32 tags[2] = {kSecSubjectItemAttr, kSecIssuerItemAttr}; - SecKeychainAttributeInfo attrInfo; - attrInfo.count = 2; - attrInfo.tag = tags; - attrInfo.format = NULL; - SecKeychainAttributeList *attrList = NULL; - SecKeychainAttribute *attr1 = NULL; - SecKeychainAttribute *attr2 = NULL; - - OSStatus ortn = SecKeychainItemCopyAttributesAndData( - (SecKeychainItemRef)certRef, - &attrInfo, - NULL, // itemClass - &attrList, - NULL, // length - don't need the data - NULL); // outData - if(ortn) { - cssmPerror("SecKeychainItemCopyAttributesAndData", ortn); - /* may want to be a bit more robust here, but this should - * never happen */ - return false; - } - /* subsequent errors to errOut: */ - - if((attrList == NULL) || (attrList->count != 2)) { - printf("***Unexpected result fetching label attr\n"); - goto errOut; - } - - /* rootness is just byte-for-byte compare of the two names */ - attr1 = &attrList->attr[0]; - attr2 = &attrList->attr[1]; - if(attr1->length == attr2->length) { - if(memcmp(attr1->data, attr2->data, attr1->length) == 0) { - brtn = true; - } - } -errOut: - SecKeychainItemFreeAttributesAndData(attrList, NULL); -#endif - return brtn; -} -#endif - -#if 0 -/* - * Given a SecIdentityRef, do our best to construct a complete, ordered, and - * verified cert chain, returning the result in a CFArrayRef. The result is - * suitable for use when calling SSLSetCertificate(). 
- */ -OSStatus sslCompleteCertChain( - SecIdentityRef identity, - SecCertificateRef trustedAnchor, // optional additional trusted anchor - bool includeRoot, // include the root in outArray - CFArrayRef *outArray) // created and RETURNED -{ - CFMutableArrayRef certArray; - SecTrustRef secTrust = NULL; - SecPolicyRef policy = NULL; - SecPolicySearchRef policySearch = NULL; - SecTrustResultType secTrustResult; - CSSM_TP_APPLE_EVIDENCE_INFO *dummyEv; // not used - CFArrayRef certChain = NULL; // constructed chain - CFIndex numResCerts; - - certArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFArrayAppendValue(certArray, identity); - - /* - * Case 1: identity is a root; we're done. Note that this case - * overrides the includeRoot argument. - */ - SecCertificateRef certRef; - OSStatus ortn = SecIdentityCopyCertificate(identity, &certRef); - if(ortn) { - /* should never happen */ - cssmPerror("SecIdentityCopyCertificate", ortn); - return ortn; - } - bool isRoot = isCertRefRoot(certRef); - if(isRoot) { - *outArray = certArray; - CFRelease(certRef); - return errSecSuccess; - } - - /* - * Now use SecTrust to get a complete cert chain, using all of the - * user's keychains to look for intermediate certs. - * NOTE this does NOT handle root certs which are not in the system - * root cert DB. (The above case, where the identity is a root cert, does.) 
- */ - CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks); - CFArraySetValueAtIndex(subjCerts, 0, certRef); - - /* the array owns the subject cert ref now */ - CFRelease(certRef); - - /* Get a SecPolicyRef for generic X509 cert chain verification */ - ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3, - &CSSMOID_APPLE_X509_BASIC, - NULL, // value - &policySearch); - if(ortn) { - cssmPerror("SecPolicySearchCreate", ortn); - goto errOut; - } - ortn = SecPolicySearchCopyNext(policySearch, &policy); - if(ortn) { - cssmPerror("SecPolicySearchCopyNext", ortn); - goto errOut; - } - - /* build a SecTrustRef for specified policy and certs */ - ortn = SecTrustCreateWithCertificates(subjCerts, - policy, &secTrust); - if(ortn) { - cssmPerror("SecTrustCreateWithCertificates", ortn); - goto errOut; - } - - if(trustedAnchor) { - /* - * Tell SecTrust to trust this one in addition to the current - * trusted system-wide anchors. - */ - CFMutableArrayRef newAnchors; - CFArrayRef currAnchors; - - ortn = SecTrustCopyAnchorCertificates(&currAnchors); - if(ortn) { - /* should never happen */ - cssmPerror("SecTrustCopyAnchorCertificates", ortn); - goto errOut; - } - newAnchors = CFArrayCreateMutableCopy(NULL, - CFArrayGetCount(currAnchors) + 1, - currAnchors); - CFRelease(currAnchors); - CFArrayAppendValue(newAnchors, trustedAnchor); - ortn = SecTrustSetAnchorCertificates(secTrust, newAnchors); - CFRelease(newAnchors); - if(ortn) { - cssmPerror("SecTrustSetAnchorCertificates", ortn); - goto errOut; - } - } - /* evaluate: GO */ - ortn = SecTrustEvaluate(secTrust, &secTrustResult); - if(ortn) { - cssmPerror("SecTrustEvaluate", ortn); - goto errOut; - } - switch(secTrustResult) { - case kSecTrustResultUnspecified: - /* cert chain valid, no special UserTrust assignments */ - case kSecTrustResultProceed: - /* cert chain valid AND user explicitly trusts this */ - break; - default: - /* - * Cert chain construction failed. 
- * Just go with the single subject cert we were given. - */ - printf("***Warning: could not construct completed cert chain\n"); - ortn = errSecSuccess; - goto errOut; - } - - /* get resulting constructed cert chain */ - ortn = SecTrustGetResult(secTrust, &secTrustResult, &certChain, &dummyEv); - if(ortn) { - cssmPerror("SecTrustEvaluate", ortn); - goto errOut; - } - - /* - * Copy certs from constructed chain to our result array, skipping - * the leaf (which is already there, as a SecIdentityRef) and possibly - * a root. - */ - numResCerts = CFArrayGetCount(certChain); - if(numResCerts < 2) { - /* - * Can't happen: if subject was a root, we'd already have returned. - * If chain doesn't verify to a root, we'd have bailed after - * SecTrustEvaluate(). - */ - printf("***sslCompleteCertChain screwup: numResCerts %d\n", - (int)numResCerts); - ortn = errSecSuccess; - goto errOut; - } - if(!includeRoot) { - /* skip the last (root) cert) */ - numResCerts--; - } - for(CFIndex dex=1; dex<numResCerts; dex++) { - certRef = (SecCertificateRef)CFArrayGetValueAtIndex(certChain, dex); - CFArrayAppendValue(certArray, certRef); - } -errOut: - /* clean up */ - if(secTrust) { - CFRelease(secTrust); - } - if(subjCerts) { - CFRelease(subjCerts); - } - if(policy) { - CFRelease(policy); - } - if(policySearch) { - CFRelease(policySearch); - } - *outArray = certArray; - return ortn; -} - - -/* - * Given an open keychain, find a SecIdentityRef and munge it into - * a CFArrayRef required by SSLSetCertificate(). - */ -CFArrayRef sslKcRefToCertArray( - SecKeychainRef kcRef, - bool encryptOnly, - bool completeCertChain, - const char *trustedAnchorFile) -{ - /* quick check to make sure the keychain exists */ - SecKeychainStatus kcStat; - OSStatus ortn = SecKeychainGetStatus(kcRef, &kcStat); - if(ortn) { - printSslErrStr("SecKeychainGetStatus", ortn); - printf("Can not open keychain. 
Aborting.\n"); - return nil; - } - - /* - * Search for "any" identity matching specified key use; - * in this app, we expect there to be exactly one. - */ - SecIdentitySearchRef srchRef = nil; - ortn = SecIdentitySearchCreate(kcRef, - encryptOnly ? CSSM_KEYUSE_DECRYPT : CSSM_KEYUSE_SIGN, - &srchRef); - if(ortn) { - printf("SecIdentitySearchCreate returned %d.\n", (int)ortn); - printf("Cannot find signing key in keychain. Aborting.\n"); - return nil; - } - SecIdentityRef identity = nil; - ortn = SecIdentitySearchCopyNext(srchRef, &identity); - if(ortn) { - printf("SecIdentitySearchCopyNext returned %d.\n", (int)ortn); - printf("Cannot find signing key in keychain. Aborting.\n"); - return nil; - } - if(CFGetTypeID(identity) != SecIdentityGetTypeID()) { - printf("SecIdentitySearchCopyNext CFTypeID failure!\n"); - return nil; - } - - /* - * Found one. - */ - if(completeCertChain) { - /* - * Place it and the other certs needed to verify it - - * up to but not including the root - in a CFArray. 
- */ - SecCertificateRef anchorCert = NULL; - if(trustedAnchorFile) { - ortn = sslReadAnchor(trustedAnchorFile, &anchorCert); - if(ortn) { - printf("***Error reading anchor file\n"); - } - } - CFArrayRef ca; - ortn = sslCompleteCertChain(identity, anchorCert, false, &ca); - if(anchorCert) { - CFRelease(anchorCert); - } - return ca; - } - else { - /* simple case, just this one identity */ - CFArrayRef ca = CFArrayCreate(NULL, - (const void **)&identity, - 1, - NULL); - if(ca == nil) { - printf("CFArrayCreate error\n"); - } - return ca; - } -} -#endif - -OSStatus addTrustedSecCert( - SSLContextRef ctx, - SecCertificateRef secCert, - bool replaceAnchors) -{ - OSStatus ortn; - CFMutableArrayRef array; - - if(secCert == NULL) { - printf("***addTrustedSecCert screwup\n"); - return errSecParam; - } - array = CFArrayCreateMutable(kCFAllocatorDefault, - (CFIndex)1, &kCFTypeArrayCallBacks); - if(array == NULL) { - return errSecAllocate; - } - CFArrayAppendValue(array, secCert); - ortn = SSLSetTrustedRoots(ctx, array, replaceAnchors ? 
true : false); - if(ortn) { - printSslErrStr("SSLSetTrustedRoots", ortn); - } - CFRelease(array); - return ortn; -} - -OSStatus sslReadAnchor( - const char *anchorFile, - SecCertificateRef *certRef) -{ - SecCertificateRef secCert; - unsigned char *certData; - unsigned certLen; - CFDataRef dataRef; - - if(readFile(anchorFile, &certData, &certLen)) { - return -1; - } - dataRef = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, - (const UInt8 *)certData, (CFIndex)certLen, kCFAllocatorNull); - secCert = SecCertificateCreateWithData(kCFAllocatorDefault, dataRef); - CFReleaseSafe(dataRef); - free(certData); - if(!secCert) { - printf("***SecCertificateCreateWithData returned NULL\n"); - return errSecParam; - } - if (certRef) { - *certRef = secCert; - } - return errSecSuccess; -} - -OSStatus sslAddTrustedRoot( - SSLContextRef ctx, - const char *anchorFile, - bool replaceAnchors) -{ - return 0; -} - -OSStatus addIdentityAsTrustedRoot( - SSLContextRef ctx, - CFArrayRef identArray) -{ - return errSecSuccess; -} - -/* - * Lists of SSLCipherSuites used in sslSetCipherRestrictions. Note that the - * SecureTransport library does not implement all of these; we only specify - * the ones it claims to support. 
- */
-const SSLCipherSuite suites40[] = {
- SSL_RSA_EXPORT_WITH_RC4_40_MD5,
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDES[] = {
- SSL_RSA_WITH_DES_CBC_SHA,
- SSL_DH_DSS_WITH_DES_CBC_SHA,
- SSL_DH_RSA_WITH_DES_CBC_SHA,
- SSL_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_DHE_RSA_WITH_DES_CBC_SHA,
- SSL_DH_anon_WITH_DES_CBC_SHA,
- SSL_RSA_WITH_DES_CBC_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDES40[] = {
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suites3DES[] = {
- SSL_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
- SSL_RSA_WITH_3DES_EDE_CBC_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesRC4[] = {
- SSL_RSA_WITH_RC4_128_MD5,
- SSL_RSA_WITH_RC4_128_SHA,
- SSL_DH_anon_WITH_RC4_128_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesRC4_40[] = {
- SSL_RSA_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesRC2[] = {
- SSL_RSA_WITH_RC2_CBC_MD5,
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesAES128[] = {
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_DSS_WITH_AES_128_CBC_SHA,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_anon_WITH_AES_128_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesAES256[] = {
- TLS_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_anon_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDH[] = {
- SSL_DH_DSS_WITH_DES_CBC_SHA,
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_RSA_WITH_DES_CBC_SHA,
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_WITH_DES_CBC_SHA,
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_anon_WITH_RC4_128_MD5,
- SSL_DH_anon_WITH_DES_CBC_SHA,
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- TLS_DH_DSS_WITH_AES_128_CBC_SHA,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_anon_WITH_AES_128_CBC_SHA,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_anon_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDHAnon[] = {
- SSL_DH_anon_WITH_RC4_128_MD5,
- SSL_DH_anon_WITH_DES_CBC_SHA,
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- TLS_DH_anon_WITH_AES_128_CBC_SHA,
- TLS_DH_anon_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDH_RSA[] = {
- SSL_DH_RSA_WITH_DES_CBC_SHA,
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_RSA_WITH_DES_CBC_SHA,
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suitesDH_DSS[] = {
- SSL_DH_DSS_WITH_DES_CBC_SHA,
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- TLS_DH_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suites_SHA1[] = {
- SSL_RSA_WITH_RC4_128_SHA,
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_RSA_WITH_IDEA_CBC_SHA,
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_RSA_WITH_DES_CBC_SHA,
- SSL_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_DSS_WITH_DES_CBC_SHA,
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_RSA_WITH_DES_CBC_SHA,
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_WITH_DES_CBC_SHA,
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_anon_WITH_DES_CBC_SHA,
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
- SSL_FORTEZZA_DMS_WITH_NULL_SHA,
- SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_DSS_WITH_AES_128_CBC_SHA,
- TLS_DH_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_anon_WITH_AES_128_CBC_SHA,
- TLS_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA,
- TLS_DH_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_DH_anon_WITH_AES_256_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suites_MD5[] = {
- SSL_RSA_EXPORT_WITH_RC4_40_MD5,
- SSL_RSA_WITH_RC4_128_MD5,
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_WITH_RC4_128_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-const SSLCipherSuite suites_NULL[] = {
- SSL_RSA_WITH_NULL_MD5,
- SSL_NO_SUCH_CIPHERSUITE
-};
-
-const SSLCipherSuite suites_ECDHE[] = {
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_ECDHE_RSA_WITH_RC4_128_SHA,
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-
-const SSLCipherSuite suites_ECDH[] = {
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
- TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
- TLS_ECDH_RSA_WITH_RC4_128_SHA,
- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
- SSL_NO_SUCH_CIPHERSUITE
-};
-
-/*
- * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
- * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
- * supports and do a SSLSetEnabledCiphers() specifying those. 
- */ -OSStatus sslSetEnabledCiphers( - SSLContextRef ctx, - const SSLCipherSuite *ciphers) -{ - size_t numSupported; - OSStatus ortn; - SSLCipherSuite *supported = NULL; - SSLCipherSuite *enabled = NULL; - unsigned enabledDex = 0; // index into enabled - unsigned supportedDex = 0; // index into supported - unsigned inDex = 0; // index into ciphers - - /* first get all the supported ciphers */ - ortn = SSLGetNumberSupportedCiphers(ctx, &numSupported); - if(ortn) { - printSslErrStr("SSLGetNumberSupportedCiphers", ortn); - return ortn; - } - supported = (SSLCipherSuite *)malloc(numSupported * sizeof(SSLCipherSuite)); - ortn = SSLGetSupportedCiphers(ctx, supported, &numSupported); - if(ortn) { - printSslErrStr("SSLGetSupportedCiphers", ortn); - return ortn; - } - - /* - * Malloc an array we'll use for SSLGetEnabledCiphers - this will be - * bigger than the number of suites we actually specify - */ - enabled = (SSLCipherSuite *)malloc(numSupported * sizeof(SSLCipherSuite)); - - /* - * For each valid suite in ciphers, see if it's in the list of - * supported ciphers. If it is, add it to the list of ciphers to be - * enabled. - */ - for(inDex=0; ciphers[inDex] != SSL_NO_SUCH_CIPHERSUITE; inDex++) { - for(supportedDex=0; supportedDex<numSupported; supportedDex++) { - if(ciphers[inDex] == supported[supportedDex]) { - enabled[enabledDex++] = ciphers[inDex]; - break; - } - } - } - - /* send it on down. */ - ortn = SSLSetEnabledCiphers(ctx, enabled, enabledDex); - if(ortn) { - printSslErrStr("SSLSetEnabledCiphers", ortn); - } - free(enabled); - free(supported); - return ortn; -} - -/* - * Specify a restricted set of cipherspecs. 
- */ -OSStatus sslSetCipherRestrictions( - SSLContextRef ctx, - char cipherRestrict) -{ - OSStatus ortn; - - if(cipherRestrict == '\0') { - return errSecSuccess; // actually should not have been called - } - switch(cipherRestrict) { - case 'e': - ortn = sslSetEnabledCiphers(ctx, suites40); - break; - case 'd': - ortn = sslSetEnabledCiphers(ctx, suitesDES); - break; - case 'D': - ortn = sslSetEnabledCiphers(ctx, suitesDES40); - break; - case '3': - ortn = sslSetEnabledCiphers(ctx, suites3DES); - break; - case '4': - ortn = sslSetEnabledCiphers(ctx, suitesRC4); - break; - case '$': - ortn = sslSetEnabledCiphers(ctx, suitesRC4_40); - break; - case '2': - ortn = sslSetEnabledCiphers(ctx, suitesRC2); - break; - case 'a': - ortn = sslSetEnabledCiphers(ctx, suitesAES128); - break; - case 'A': - ortn = sslSetEnabledCiphers(ctx, suitesAES256); - break; - case 'h': - ortn = sslSetEnabledCiphers(ctx, suitesDH); - break; - case 'H': - ortn = sslSetEnabledCiphers(ctx, suitesDHAnon); - break; - case 'r': - ortn = sslSetEnabledCiphers(ctx, suitesDH_RSA); - break; - case 's': - ortn = sslSetEnabledCiphers(ctx, suitesDH_DSS); - break; - case 'n': - ortn = sslSetEnabledCiphers(ctx, suites_NULL); - break; - case 'E': - ortn = sslSetEnabledCiphers(ctx, suites_ECDHE); - break; - case 'F': - ortn = sslSetEnabledCiphers(ctx, suites_ECDH); - break; - default: - printf("***bad cipherSpec***\n"); - exit(1); - } - return ortn; -} - -#if 0 -int sslVerifyClientCertState( - const char *whichSide, // "client" or "server" - SSLClientCertificateState expectState, - SSLClientCertificateState gotState) -{ - if(expectState == SSL_CLIENT_CERT_IGNORE) { - /* app says "don't bother checking" */ - return 0; - } - if(expectState == gotState) { - return 0; - } - printf("***%s: Expected clientCertState %s; got %s\n", whichSide, - sslGetClientCertStateString(expectState), - sslGetClientCertStateString(gotState)); - return 1; -} - -int sslVerifyRtn( - char *whichSide, // "client" or "server" - OSStatus 
expectRtn,
- OSStatus gotRtn)
-{
- if(expectRtn == gotRtn) {
- return 0;
- }
- printf("***%s: Expected return %s; got %s\n", whichSide,
- sslGetSSLErrString(expectRtn),
- sslGetSSLErrString(gotRtn));
- return 1;
-}
-
-int sslVerifyProtVers(
- char *whichSide, // "client" or "server"
- SSLProtocol expectProt,
- SSLProtocol gotProt)
-{
- if(expectProt == SSL_PROTOCOL_IGNORE) {
- /* app says "don't bopther checking" */
- return 0;
- }
- if(expectProt == gotProt) {
- return 0;
- }
- printf("***%s: Expected return %s; got %s\n", whichSide,
- sslGetProtocolVersionString(expectProt),
- sslGetProtocolVersionString(gotProt));
- return 1;
-}
-
-int sslVerifyCipher(
- char *whichSide, // "client" or "server"
- SSLCipherSuite expectCipher,
- SSLCipherSuite gotCipher)
-{
- if(expectCipher == SSL_CIPHER_IGNORE) {
- /* app says "don't bopther checking" */
- return 0;
- }
- if(expectCipher == gotCipher) {
- return 0;
- }
- printf("***%s: Expected return %s; got %s\n", whichSide,
- sslGetCipherSuiteString(expectCipher),
- sslGetCipherSuiteString(gotCipher));
- return 1;
-}
-
-
-OSStatus sslSetProtocols(
- SSLContextRef ctx,
- const char *acceptedProts,
- SSLProtocol tryVersion) // only used if acceptedProts NULL
-{
- OSStatus ortn;
-
- if(acceptedProts) {
- ortn = SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersionEnabled(all off)", ortn);
- return ortn;
- }
- for(const char *cp = acceptedProts; *cp; cp++) {
- SSLProtocol prot;
- switch(*cp) {
- case '2':
- prot = kSSLProtocol2;
- break;
- case '3':
- prot = kSSLProtocol3;
- break;
- case 't':
- prot = kTLSProtocol1;
- break;
- default:
- printf("***BRRZAP! Bad acceptedProts string %s.
Aborting.\n", acceptedProts);
- exit(1);
- }
- ortn = SSLSetProtocolVersionEnabled(ctx, prot, true);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersionEnabled", ortn);
- return ortn;
- }
- }
- }
- else {
- ortn = SSLSetProtocolVersion(ctx, tryVersion);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersion", ortn);
- return ortn;
- }
- }
- return errSecSuccess;
-}
-
-void sslShowResult(
- const char *whichSide, // "client" or "server"
- SslAppTestParams *params)
-{
- printf("%s status:\n", whichSide);
- if(params->acceptedProts) {
- printf(" Allowed SSL versions : %s\n", params->acceptedProts);
- }
- else {
- printf(" Attempted SSL version : %s\n",
- sslGetProtocolVersionString(params->tryVersion));
- }
- printf(" Result : %s\n", sslGetSSLErrString(params->ortn));
- printf(" Negotiated SSL version : %s\n",
- sslGetProtocolVersionString(params->negVersion));
- printf(" Negotiated CipherSuite : %s\n",
- sslGetCipherSuiteString(params->negCipher));
- if(params->certState != kSSLClientCertNone) {
- printf(" Client Cert State : %s\n",
- sslGetClientCertStateString(params->certState));
- }
-}
-#endif
-
-/* print a '.' every few seconds to keep UI alive while connecting */
-static CFAbsoluteTime lastTime = (CFAbsoluteTime)0.0;
-#define TIME_INTERVAL 3.0
-
-void sslOutputDot()
-{
- CFAbsoluteTime thisTime = CFAbsoluteTimeGetCurrent();
-
- // throttle down.
- usleep(1000);
-
- if(lastTime == 0.0) {
- /* avoid printing first time thru */
- lastTime = thisTime;
- return;
- }
- if((thisTime - lastTime) >= TIME_INTERVAL) {
- printf("."); fflush(stdout);
- lastTime = thisTime;
- }
-}
-
-#if 0
-/* main server pthread body */
-static void *sslServerThread(void *arg)
-{
- SslAppTestParams *testParams = (SslAppTestParams *)arg;
- OSStatus status;
-
- status = sslAppServe(testParams);
- pthread_exit((void*)status);
- /* NOT REACHED */
- return (void *)status;
-}
-
-/*
- * Run one session, with the server in a separate thread.
- * On entry, serverParams->port is the port we attempt to run on;
- * the server thread may overwrite that with a different port if it's
- * unable to open the port we specify. Whatever is left in
- * serverParams->port is what's used for the client side.
- */
-#define CLIENT_WAIT_SECONDS 1
-int sslRunSession(
- SslAppTestParams*serverParams,
- SslAppTestParams *clientParams,
- const char *testDesc)
-{
- pthread_t serverPthread;
- OSStatus clientRtn;
- void *serverRtn;
-
- if(testDesc && !clientParams->quiet) {
- printf("===== %s =====\n", testDesc);
- }
-
- if(pthread_mutex_init(&serverParams->pthreadMutex, NULL)) {
- printf("***Error initializing mutex; aborting.\n");
- return -1;
- }
- if(pthread_cond_init(&serverParams->pthreadCond, NULL)) {
- printf("***Error initializing pthreadCond; aborting.\n");
- return -1;
- }
- serverParams->serverReady = false; // server sets true
-
- int result = pthread_create(&serverPthread, NULL,
- sslServerThread, serverParams);
- if(result) {
- printf("***Error starting up server thread; aborting.\n");
- return result;
- }
-
- /* wait for server to set up a socket we can connect to */
- if(pthread_mutex_lock(&serverParams->pthreadMutex)) {
- printf("***Error acquiring server lock; aborting.\n");
- return -1;
- }
- while(!serverParams->serverReady) {
- if(pthread_cond_wait(&serverParams->pthreadCond, &serverParams->pthreadMutex)) {
- printf("***Error waiting server thread; aborting.\n");
- return -1;
- }
- }
- pthread_mutex_unlock(&serverParams->pthreadMutex);
- pthread_cond_destroy(&serverParams->pthreadCond);
- pthread_mutex_destroy(&serverParams->pthreadMutex);
-
- clientParams->port = serverParams->port;
- clientRtn = sslAppClient(clientParams);
- /* server doesn't shut down its socket until it sees this */
- serverParams->clientDone = 1;
- result = pthread_join(serverPthread, &serverRtn);
- if(result) {
- printf("***pthread_join returned %d, aborting\n", result);
- return result;
- }
-
- if(serverParams->verbose) {
-
sslShowResult("server", serverParams);
- }
- if(clientParams->verbose) {
- sslShowResult("client", clientParams);
- }
-
- /* verify results */
- int ourRtn = 0;
- ourRtn += sslVerifyRtn("server", serverParams->expectRtn, serverParams->ortn);
- ourRtn += sslVerifyRtn("client", clientParams->expectRtn, clientParams->ortn);
- ourRtn += sslVerifyProtVers("server", serverParams->expectVersion,
- serverParams->negVersion);
- ourRtn += sslVerifyProtVers("client", clientParams->expectVersion,
- clientParams->negVersion);
- ourRtn += sslVerifyClientCertState("server", serverParams->expectCertState,
- serverParams->certState);
- ourRtn += sslVerifyClientCertState("client", clientParams->expectCertState,
- clientParams->certState);
- if(serverParams->ortn == errSecSuccess) {
- ourRtn += sslVerifyCipher("server", serverParams->expectCipher,
- serverParams->negCipher);
- }
- if(clientParams->ortn == errSecSuccess) {
- ourRtn += sslVerifyCipher("client", clientParams->expectCipher,
- clientParams->negCipher);
- }
- return ourRtn;
-}
-
-/*
- * Add all of the roots in a given KC to SSL ctx's trusted anchors.
- */
-OSStatus sslAddTrustedRoots(
- SSLContextRef ctx,
- SecKeychainRef keychain,
- bool *foundOne) // RETURNED, true if we found
- // at least one root cert
-{
- OSStatus ortn;
- SecCertificateRef secCert;
- SecKeychainSearchRef srch;
-
- *foundOne = false;
- ortn = SecKeychainSearchCreateFromAttributes(keychain,
- kSecCertificateItemClass,
- NULL, // any attrs
- &srch);
- if(ortn) {
- printSslErrStr("SecKeychainSearchCreateFromAttributes", ortn);
- return ortn;
- }
-
- /*
- * Only use root certs. Not an error if we don't find any.
- */
- do {
- ortn = SecKeychainSearchCopyNext(srch,
- (SecKeychainItemRef *)&secCert);
- if(ortn) {
- break;
- }
-
- /* see if it's a root */
- if(!isCertRoot(secCert)) {
- continue;
- }
-
- /* Tell Secure Transport to trust this one.
- */
- ortn = addTrustedSecCert(ctx, secCert, false);
- if(ortn) {
- /* fatal */
- printSslErrStr("addTrustedSecCert", ortn);
- return ortn;
- }
- CFRelease(secCert);
- *foundOne = true;
- } while(ortn == errSecSuccess);
- CFRelease(srch);
- return errSecSuccess;
-}
-
-/*
- * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
- */
-OSStatus sslIdentityPicker(
- SecKeychainRef kcRef, // NULL means use default list
- const char *trustedAnchor, // optional additional trusted anchor
- bool includeRoot, // true --> root is appended to outArray
- // false --> root not included
- CFArrayRef *outArray) // created and RETURNED
-{
- SecCertificateRef trustedCert = NULL;
- OSStatus ortn;
-
- if(trustedAnchor) {
- ortn = sslReadAnchor(trustedAnchor, &trustedCert);
- if(ortn) {
- printf("***Error reading %s. sslIdentityPicker proceeding with no anchor.\n",
- trustedAnchor);
- trustedCert = NULL;
- }
- }
- ortn = sslIdentPicker(kcRef, trustedCert, includeRoot, outArray);
- if(trustedCert) {
- CFRelease(trustedCert);
- }
- return ortn;
-}
-
-/*
- * Given a keychain name, convert it into a full path using the "SSL regression
- * test suite algorithm". The Sec layer by default locates root root's keychains
- * in different places depending on whether we're actually logged in as root
- * or running via e.g. cron, so we force the location of root keychains to
- * a hard-coded path. User keychain names we leave alone.
- */
-void sslKeychainPath(
- const char *kcName,
- char *kcPath) // allocd by caller, MAXPATHLEN
-{
- if(kcName[0] == '\0') {
- kcPath[0] = '\0';
- }
- else if(geteuid() == 0) {
- /* root */
- sprintf(kcPath, "/Library/Keychains/%s", kcName);
- }
- else {
- /* user, leave alone */
- strcpy(kcPath, kcName);
- }
-}
-
-/* Verify presence of required file. Returns nonzero if not found.
- */
-int sslCheckFile(const char *path)
-{
- struct stat sb;
-
- if(stat(path, &sb)) {
- printf("***Can't find file %s.\n", path);
- printf(" Try running in the build directory, perhaps after running the\n"
- " makeLocalCert script.\n");
- return 1;
- }
- return 0;
-}
-
-#endif
-
-/* Stringify a SSL_ECDSA_NamedCurve */
-extern const char *sslCurveString(
- SSL_ECDSA_NamedCurve namedCurve)
-{
- static char unk[100];
-
- switch(namedCurve) {
- case SSL_Curve_None: return "Curve_None";
- case SSL_Curve_secp256r1: return "secp256r1";
- case SSL_Curve_secp384r1: return "secp384r1";
- case SSL_Curve_secp521r1: return "secp521r1";
- default:
- sprintf(unk, "Unknown <%d>", (int)namedCurve);
- return unk;
- }
-}
diff --git a/OSX/libsecurity_ssl/sslViewer/sslAppUtils.h b/OSX/libsecurity_ssl/sslViewer/sslAppUtils.h
deleted file mode 100644
index 5448105e..00000000
--- a/OSX/libsecurity_ssl/sslViewer/sslAppUtils.h
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * Copyright (c) 2006-2008,2010-2012,2014 Apple Inc. All Rights Reserved.
- */
-
-#ifndef _SSLS_APP_UTILS_H_
-#define _SSLS_APP_UTILS_H_ 1
-
-#include <Security/SecureTransport.h>
-#include <Security/SecureTransportPriv.h>
-#include <CoreFoundation/CFArray.h>
-#include <stdbool.h>
-#include <Security/SecCertificate.h>
-
-#include <TargetConditionals.h>
-
-#if TARGET_OS_IPHONE
-typedef void *SecKeychainRef;
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-const char *sslGetCipherSuiteString(SSLCipherSuite cs);
-const char *sslGetProtocolVersionString(SSLProtocol prot);
-const char *sslGetSSLErrString(OSStatus err);
-void printSslErrStr(const char *op, OSStatus err);
-const char *sslGetClientCertStateString(SSLClientCertificateState state);
-const char *sslGetClientAuthTypeString(SSLClientAuthenticationType authType);
-
-CFArrayRef getSslCerts(
- const char *kcName, // may be NULL, i.e., use default
- bool encryptOnly,
- bool completeCertChain,
- const char *anchorFile, // optional trusted anchor
- SecKeychainRef *pKcRef); // RETURNED
-OSStatus sslCompleteCertChain(
- SecIdentityRef identity,
- SecCertificateRef trustedAnchor, // optional additional trusted anchor
- bool includeRoot, // include the root in outArray
-// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
- CFArrayRef *outArray); // created and RETURNED
-CFArrayRef sslKcRefToCertArray(
- SecKeychainRef kcRef,
- bool encryptOnly,
- bool completeCertChain,
-// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL policy to complete
- const char *trustedAnchorFile);
-
-OSStatus addTrustedSecCert(
- SSLContextRef ctx,
- SecCertificateRef secCert,
- bool replaceAnchors);
-OSStatus sslReadAnchor(
- const char *anchorFile,
- SecCertificateRef *certRef);
-OSStatus sslAddTrustedRoot(
- SSLContextRef ctx,
- const char *anchorFile,
- bool replaceAnchors);
-
-/*
- * Assume incoming identity contains a root (e.g., created by
- * certtool) and add that cert to ST's trusted
anchors. This
- * enables ST's verify of the incoming chain to succeed without
- * a kludgy "AllowAnyRoot" specification.
- */
-OSStatus addIdentityAsTrustedRoot(
- SSLContextRef ctx,
- CFArrayRef identArray);
-
-OSStatus sslAddTrustedRoots(
- SSLContextRef ctx,
- SecKeychainRef keychain,
- bool *foundOne);
-
-void sslOutputDot();
-
-/*
- * Lists of SSLCipherSuites used in sslSetCipherRestrictions.
- */
-extern const SSLCipherSuite suites40[];
-extern const SSLCipherSuite suitesDES[];
-extern const SSLCipherSuite suitesDES40[];
-extern const SSLCipherSuite suites3DES[];
-extern const SSLCipherSuite suitesRC4[];
-extern const SSLCipherSuite suitesRC4_40[];
-extern const SSLCipherSuite suitesRC2[];
-extern const SSLCipherSuite suitesAES128[];
-extern const SSLCipherSuite suitesAES256[];
-extern const SSLCipherSuite suitesDH[];
-extern const SSLCipherSuite suitesDHAnon[];
-extern const SSLCipherSuite suitesDH_RSA[];
-extern const SSLCipherSuite suitesDH_DSS[];
-extern const SSLCipherSuite suites_SHA1[];
-extern const SSLCipherSuite suites_MD5[];
-extern const SSLCipherSuite suites_ECDHE[];
-extern const SSLCipherSuite suites_ECDH[];
-
-/*
- * Given an SSLContextRef and an array of SSLCipherSuites, terminated by
- * SSL_NO_SUCH_CIPHERSUITE, select those SSLCipherSuites which the library
- * supports and do a SSLSetEnabledCiphers() specifying those.
- */
-OSStatus sslSetEnabledCiphers(
- SSLContextRef ctx,
- const SSLCipherSuite *ciphers);
-
-/*
- * Specify restricted sets of cipherspecs and protocols.
- */
-OSStatus sslSetCipherRestrictions(
- SSLContextRef ctx,
- char cipherRestrict);
-
-#ifndef SPHINX
-OSStatus sslSetProtocols(
- SSLContextRef ctx,
- const char *acceptedProts,
- SSLProtocol tryVersion); // only used if acceptedProts NULL
-#endif
-
-int sslVerifyRtn(
- const char *whichSide, // "client" or "server"
- OSStatus expectRtn,
- OSStatus gotRtn);
-int sslVerifyProtVers(
- const char *whichSide, // "client" or "server"
- SSLProtocol expectProt,
- SSLProtocol gotProt);
-int sslVerifyClientCertState(
- const char *whichSide, // "client" or "server"
- SSLClientCertificateState expectState,
- SSLClientCertificateState gotState);
-int sslVerifyCipher(
- const char *whichSide, // "client" or "server"
- SSLCipherSuite expectCipher,
- SSLCipherSuite gotCipher);
-
-
-/*
- * Wrapper for sslIdentPicker, with optional trusted anchor specified as a filename.
- */
-OSStatus sslIdentityPicker(
- SecKeychainRef kcRef, // NULL means use default list
- const char *trustedAnchor, // optional additional trusted anchor
- bool includeRoot, // true --> root is appended to outArray
- // false --> root not included
-// const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
- CFArrayRef *outArray); // created and RETURNED
-
-void sslKeychainPath(
- const char *kcName,
- char *kcPath); // allocd by caller, MAXPATHLEN
-
-/* Verify presence of required file. Returns nonzero if not found. */
-int sslCheckFile(const char *path);
-
-/* Stringify a SSL_ECDSA_NamedCurve */
-extern const char *sslCurveString(
- SSL_ECDSA_NamedCurve namedCurve);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _SSLS_APP_UTILS_H_ */
diff --git a/OSX/libsecurity_ssl/sslViewer/sslServer.1 b/OSX/libsecurity_ssl/sslViewer/sslServer.1
deleted file mode 100644
index e46751b0..00000000
--- a/OSX/libsecurity_ssl/sslViewer/sslServer.1
+++ /dev/null
@@ -1,79 +0,0 @@ -.\"Modified from man(1) of FreeBSD, the NetBSD mdoc.template, and mdoc.samples. -.\"See Also: -.\"man mdoc.samples for a complete listing of options -.\"man mdoc for the short list of editing options -.\"/usr/share/misc/mdoc.template -.Dd 5/2/12 \" DATE -.Dt sslServer 1 \" Program name and manual section number -.Os Darwin -.Sh NAME \" Section Header - required - don't modify -.Nm sslServer, -.\" The following lines are read in generating the apropos(man -k) database. Use only key -.\" words here as the database is built based on the words here and in the .ND line. -.Nm Other_name_for_same_program(), -.Nm Yet another name for the same program. -.\" Use .Nm macro to designate other names for the documented program. -.Nd This line parsed for whatis database. -.Sh SYNOPSIS \" Section Header - required - don't modify -.Nm -.Op Fl abcd \" [-abcd] -.Op Fl a Ar path \" [-a path] -.Op Ar file \" [file] -.Op Ar \" [file ...] -.Ar arg0 \" Underlined argument - use .Ar anywhere to underline -arg2 ... \" Arguments -.Sh DESCRIPTION \" Section Header - required - don't modify -Use the .Nm macro to refer to your program throughout the man page like such: -.Nm -Underlining is accomplished with the .Ar macro like this: -.Ar underlined text . 
-.Pp \" Inserts a space -A list of items with descriptions: -.Bl -tag -width -indent \" Begins a tagged list -.It item a \" Each item preceded by .It macro -Description of item a -.It item b -Description of item b -.El \" Ends the list -.Pp -A list of flags and their descriptions: -.Bl -tag -width -indent \" Differs from above in tag removed -.It Fl a \"-a flag as a list item -Description of -a flag -.It Fl b -Description of -b flag -.El \" Ends the list -.Pp -.\" .Sh ENVIRONMENT \" May not be needed -.\" .Bl -tag -width "ENV_VAR_1" -indent \" ENV_VAR_1 is width of the string ENV_VAR_1 -.\" .It Ev ENV_VAR_1 -.\" Description of ENV_VAR_1 -.\" .It Ev ENV_VAR_2 -.\" Description of ENV_VAR_2 -.\" .El -.Sh FILES \" File used or created by the topic of the man page -.Bl -tag -width "/Users/joeuser/Library/really_long_file_name" -compact -.It Pa /usr/share/file_name -FILE_1 description -.It Pa /Users/joeuser/Library/really_long_file_name -FILE_2 description -.El \" Ends the list -.\" .Sh DIAGNOSTICS \" May not be needed -.\" .Bl -diag -.\" .It Diagnostic Tag -.\" Diagnostic informtion here. -.\" .It Diagnostic Tag -.\" Diagnostic informtion here. -.\" .El -.Sh SEE ALSO -.\" List links in ascending order by section, alphabetically within a section. -.\" Please do not reference files that do not exist without filing a bug report -.Xr a 1 , -.Xr b 1 , -.Xr c 1 , -.Xr a 2 , -.Xr b 2 , -.Xr a 3 , -.Xr b 3 -.\" .Sh BUGS \" Document known, unremedied bugs -.\" .Sh HISTORY \" Document history if command behaves in a unique manner \ No newline at end of file diff --git a/OSX/libsecurity_ssl/sslViewer/sslServer.cpp b/OSX/libsecurity_ssl/sslViewer/sslServer.cpp deleted file mode 100644 index c8fe63e3..00000000 --- a/OSX/libsecurity_ssl/sslViewer/sslServer.cpp +++ /dev/null 
@@ -1,1061 +0,0 @@
-/*
- * Copyright (c) 2008-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * Trivial SSL server example, using SecureTransport / OS X version.
- *
- */
-
-#include <Security/SecureTransport.h>
-#include <Security/SecureTransportPriv.h>
-#include "sslAppUtils.h"
-#include "ioSock.h"
-#include "fileIo.h"
-
-#include <Security/SecBase.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <ctype.h>
-#include <sys/param.h>
-
-#include <Security/Security.h>
-#include <Security/SecCertificatePriv.h>
-
-#include <CoreFoundation/CoreFoundation.h>
-#include "printCert.h"
-
-#if NO_SERVER
-#include <securityd/spi.h>
-#endif
-
-/* Set true when PR-3074739 is merged to TOT */
-#define SET_DH_PARAMS_ENABLE 1
-
-/* true when using SSLCopyPeerCertificates() per Radar 3311892 */
-#define USE_COPY_PEER_CERTS 1
-
-/*
- * Defaults, overridable by user.
- */
-#define SERVER_MESSAGE "HTTP/1.0 200 OK\015\012Content-Type: text/html\015\012\015\012" \
- "<HTML><HEAD><TITLE>SecureTransport Test Server</TITLE></HEAD>" \
- "<BODY><H2>Secure connection established.</H2>" \
- "Message from the 'sslServer' sample application.\015\012</BODY>" \
- "</HTML>\015\012"
-
-/* For ease of debugging, pick a non-privileged port */
-#define DEFAULT_PORT 1200
-// #define DEFAULT_PORT 443
-
-#define DEFAULT_HOST "localhost"
-
-#define DEFAULT_KC "certkc"
-
-static void usage(char **argv)
-{
- printf("Usage: %s [option ...]\n", argv[0]);
- printf("Options:\n");
- printf(" P=port Port to listen on; default is %d\n", DEFAULT_PORT);
- printf(" k=keychain Contains server cert and keys.\n");
- printf(" y=keychain Encryption-only cert and keys.\n");
- printf(" e Allow Expired Certs\n");
- printf(" r Allow any root cert\n");
- printf(" E Allow Expired Roots\n");
- printf(" x Disable Cert Verification\n");
- printf(" f=fileBase Write Peer Certs to fileBase*\n");
- printf(" c Display peer certs\n");
- printf(" d Display received data\n");
- printf(" C=cipherSuite (e=40-bit d=DES D=40-bit DES 3=3DES 4=RC4 $=40-bit RC4\n"
- " 2=RC2 a=AES128 A=AES256 h=DH H=Anon DH r=DHE/RSA s=DH/DSS\n"
- " n=RSA/NULL\n");
- printf(" 2 SSLv2 only (default is best fit)\n");
- printf(" 3 SSLv3 only (default is best fit)\n");
- printf(" t TLSv1 only (default is best fit)\n");
- printf(" o TLSv1, SSLv3 use kSSLProtocol__X__Only\n");
- printf(" g={prot...} Specify legal protocols; prot = any combo of [23t]\n");
- printf(" T=[nrsj] Verify client cert state = "
- "none/requested/sent/rejected\n");
- printf(" R Disable resumable session support\n");
- printf(" i=timeout Session cache timeout\n");
- printf(" u=[nat] Authentication: n=never; a=always; t=try\n");
- printf(" b Non-blocking I/O\n");
- printf(" a fileNmae Add fileName to list of trusted roots\n");
- printf(" A fileName fileName is ONLY trusted root\n");
- printf(" U filename Add filename to acceptable DNList
(multiple times OK)\n");
- printf(" D filename Diffie-Hellman parameters from filename\n");
- printf(" z=password Unlock server keychain with password.\n");
- printf(" H Do SecIdentityRef search instead of specific keychain\n");
- printf(" M Complete cert chain (default assumes that our identity is root)\n");
- printf(" 4 Disable anonymous ciphers\n");
- printf(" p Pause after each phase\n");
- printf(" l[=loops] Loop, performing multiple transactions\n");
- printf(" q Quiet/diagnostic mode (site names and errors only)\n");
- printf(" h Help\n");
- exit(1);
-}
-
-/* snag a copy of current connection's peer certs so we can
- * examine them later after the connection is closed */
-static OSStatus copyPeerCerts(
- SSLContext *ctx,
- CFArrayRef *peerCerts) // mallocd & RETURNED
-{
- #if USE_COPY_PEER_CERTS
- OSStatus ortn = SSLCopyPeerCertificates(ctx, peerCerts);
- #else
- OSStatus ortn = SSLGetPeerCertificates(ctx, peerCerts);
- #endif
- if(ortn) {
- printf("***Error obtaining peer certs: %s\n",
- sslGetSSLErrString(ortn));
- }
- return ortn;
-}
-
-/* free the cert array obtained via SSLGetPeerCertificates() */
-static void freePeerCerts(
- CFArrayRef peerCerts)
-{
- if(peerCerts == NULL) {
- return;
- }
-
- #if USE_COPY_PEER_CERTS
-
- /* Voila! Problem fixed.
- */
- CFRelease(peerCerts);
- return;
-
- #else
-
- CFIndex numCerts;
- SecCertificateRef certData;
- CFIndex i;
-
- numCerts = CFArrayGetCount(peerCerts);
- for(i=0; i<numCerts; i++) {
- certData = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i);
- CFRelease(certData);
- }
- CFRelease(peerCerts);
- #endif
-}
-
-/* print reply received from server */
-static void dumpAscii(
- uint8_t *rcvBuf,
- uint32_t len)
-{
- char *cp = (char *)rcvBuf;
- uint32_t i;
- char c;
-
- for(i=0; i<len; i++) {
- c = *cp++;
- if(c == '\0') {
- break;
- }
- switch(c) {
- case '\n':
- printf("\\n");
- break;
- case '\r':
- printf("\\r");
- break;
- default:
- if(isprint(c) && (c != '\n')) {
- printf("%c", c);
- }
- else {
- printf("<%02X>", ((unsigned)c) & 0xff);
- }
- break;
- }
-
- }
- printf("\n");
-}
-
-static void doPause(const char *prompt) {
- if(prompt) {
- printf("%s. ", prompt);
- }
- fpurge(stdin);
- printf("Continue (n/anything)? ");
- char c = getchar();
- if(c == 'n') {
- exit(0);
- }
-}
-
-/*
- * Perform one SSL diagnostic server-side session. Returns nonzero on error.
- * Normally no output to stdout except initial "waiting for connection" message,
- * unless there is a really screwed up error (i.e., something not directly related
- * to the SSL connection).
- */
-#define RCV_BUF_SIZE 256
-
-static OSStatus sslServe(
- otSocket listenSock,
- unsigned short portNum,
- SSLProtocol tryVersion, // only used if acceptedProts NULL
- const char *acceptedProts,
- CFArrayRef serverCerts, // required
- char *password, // optional
- CFArrayRef encryptServerCerts, // optional
- bool allowExpired,
- bool allowAnyRoot,
- bool allowExpiredRoot,
- bool disableCertVerify,
- char *anchorFile,
- bool replaceAnchors,
- char cipherRestrict, // '2', 'd'.
etc...'\0' for no
- // restriction
- SSLAuthenticate authenticate,
- unsigned char *dhParams, // optional D-H parameters
- unsigned dhParamsLen,
- CFArrayRef acceptableDNList, // optional
- bool resumableEnable,
- uint32_t sessionCacheTimeout,// optional
- bool disableAnonCiphers,
- bool silent, // no stdout
- bool pause,
- SSLProtocol *negVersion, // RETURNED
- SSLCipherSuite *negCipher, // RETURNED
- SSLClientCertificateState *certState, // RETURNED
- Boolean *sessionWasResumed, // RETURNED
- unsigned char *sessionID, // mallocd by caller, RETURNED
- size_t *sessionIDLength, // RETURNED
- CFArrayRef *peerCerts, // mallocd & RETURNED
- char **argv)
-{
- otSocket acceptSock;
- PeerSpec peerId;
- OSStatus ortn;
- SSLContextRef ctx = NULL;
- size_t length;
- uint8_t rcvBuf[RCV_BUF_SIZE];
- const char *outMsg = SERVER_MESSAGE;
-
- *negVersion = kSSLProtocolUnknown;
- *negCipher = SSL_NULL_WITH_NULL_NULL;
- *peerCerts = NULL;
-
- #if IGNORE_SIGPIPE
- signal(SIGPIPE, sigpipe);
- #endif
-
- /* first wait for a connection */
- if(!silent) {
- printf("Waiting for client connection on port %u...", portNum);
- fflush(stdout);
- }
- ortn = AcceptClientConnection(listenSock, &acceptSock, &peerId);
- if(ortn) {
- printf("AcceptClientConnection returned %d; aborting\n", (int)ortn);
- return ortn;
- }
-
- /*
- * Set up a SecureTransport session.
- * First the standard calls.
- */
- ortn = SSLNewContext(true, &ctx);
- if(ortn) {
- printSslErrStr("SSLNewContext", ortn);
- goto cleanup;
- }
- ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
- if(ortn) {
- printSslErrStr("SSLSetIOFuncs", ortn);
- goto cleanup;
- }
- ortn = SSLSetConnection(ctx, (SSLConnectionRef)acceptSock);
- if(ortn) {
- printSslErrStr("SSLSetConnection", ortn);
- goto cleanup;
- }
-
- /* have to do these options befor setting server certs */
- if(allowExpired) {
- ortn = SSLSetAllowsExpiredCerts(ctx, true);
- if(ortn) {
- printSslErrStr("SSLSetAllowExpiredCerts", ortn);
- goto cleanup;
- }
- }
- if(allowAnyRoot) {
- ortn = SSLSetAllowsAnyRoot(ctx, true);
- if(ortn) {
- printSslErrStr("SSLSetAllowAnyRoot", ortn);
- goto cleanup;
- }
- }
-
- if(anchorFile) {
- ortn = sslAddTrustedRoot(ctx, anchorFile, replaceAnchors);
- if(ortn) {
- printf("***Error obtaining anchor file %s\n", anchorFile);
- goto cleanup;
- }
- }
- if(serverCerts != NULL) {
- if(anchorFile == NULL) {
- /* no specific anchors, so assume we want to trust this one */
- ortn = addIdentityAsTrustedRoot(ctx, serverCerts);
- if(ortn) {
- goto cleanup;
- }
- }
- ortn = SSLSetCertificate(ctx, serverCerts);
- if(ortn) {
- printSslErrStr("SSLSetCertificate", ortn);
- goto cleanup;
- }
- }
- if(encryptServerCerts) {
- ortn = SSLSetEncryptionCertificate(ctx, encryptServerCerts);
- if(ortn) {
- printSslErrStr("SSLSetEncryptionCertificate", ortn);
- goto cleanup;
- }
- }
- if(allowExpiredRoot) {
- ortn = SSLSetAllowsExpiredRoots(ctx, true);
- if(ortn) {
- printSslErrStr("SSLSetAllowsExpiredRoots", ortn);
- goto cleanup;
- }
- }
- if(disableCertVerify) {
- ortn = SSLSetEnableCertVerify(ctx, false);
- if(ortn) {
- printSslErrStr("SSLSetEnableCertVerify", ortn);
- goto cleanup;
- }
- }
-
- /*
- * SecureTransport options.
- */
- if(acceptedProts) {
- ortn = SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersionEnabled(all off)", ortn);
- goto cleanup;
- }
- for(const char *cp = acceptedProts; *cp; cp++) {
- SSLProtocol prot = kSSLProtocolUnknown;
- switch(*cp) {
- case '2':
- prot = kSSLProtocol2;
- break;
- case '3':
- prot = kSSLProtocol3;
- break;
- case 't':
- prot = kTLSProtocol1;
- break;
- default:
- usage(argv);
- }
- ortn = SSLSetProtocolVersionEnabled(ctx, prot, true);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersionEnabled", ortn);
- goto cleanup;
- }
- }
- }
- else {
- ortn = SSLSetProtocolVersion(ctx, tryVersion);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersion", ortn);
- goto cleanup;
- }
- }
- if(resumableEnable) {
- ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
- if(ortn) {
- printSslErrStr("SSLSetPeerID", ortn);
- goto cleanup;
- }
- }
- if(cipherRestrict != '\0') {
- ortn = sslSetCipherRestrictions(ctx, cipherRestrict);
- if(ortn) {
- goto cleanup;
- }
- }
- if(authenticate != kNeverAuthenticate) {
- ortn = SSLSetClientSideAuthenticate(ctx, authenticate);
- if(ortn) {
- printSslErrStr("SSLSetClientSideAuthenticate", ortn);
- goto cleanup;
- }
- }
- if(dhParams) {
- ortn = SSLSetDiffieHellmanParams(ctx, dhParams, dhParamsLen);
- if(ortn) {
- printSslErrStr("SSLSetDiffieHellmanParams", ortn);
- goto cleanup;
- }
- }
- if(sessionCacheTimeout) {
- ortn = SSLSetSessionCacheTimeout(ctx, sessionCacheTimeout);
- if(ortn) {
- printSslErrStr("SSLSetSessionCacheTimeout", ortn);
- goto cleanup;
- }
- }
- if(disableAnonCiphers) {
- ortn = SSLSetAllowAnonymousCiphers(ctx, false);
- if(ortn) {
- printSslErrStr("SSLSetAllowAnonymousCiphers", ortn);
- goto cleanup;
- }
- /* quickie test of the getter */
- Boolean e;
- ortn = SSLGetAllowAnonymousCiphers(ctx, &e);
- if(ortn) {
- printSslErrStr("SSLGetAllowAnonymousCiphers", ortn);
- goto cleanup;
- }
- if(e) {
- printf("***SSLGetAllowAnonymousCiphers() returned
true; expected false\n");
- ortn = errSecIO;
- goto cleanup;
- }
- }
-/* XXX/cs
- if(acceptableDNList) {
- ortn = SSLSetCertificateAuthorities(ctx, acceptableDNList, TRUE);
- if(ortn) {
- printSslErrStr("SSLSetCertificateAuthorities", ortn);
- goto cleanup;
- }
- }
-*/
- /* end options */
-
- if(pause) {
- doPause("SSLContext initialized");
- }
-
- /* Perform SSL/TLS handshake */
- do
- { ortn = SSLHandshake(ctx);
- if((ortn == errSSLWouldBlock) && !silent) {
- /* keep UI responsive */
- sslOutputDot();
- }
- } while (ortn == errSSLWouldBlock);
-
- /* this works even if handshake failed due to cert chain invalid */
- copyPeerCerts(ctx, peerCerts);
-
- SSLGetClientCertificateState(ctx, certState);
- SSLGetNegotiatedCipher(ctx, negCipher);
- SSLGetNegotiatedProtocolVersion(ctx, negVersion);
- *sessionIDLength = MAX_SESSION_ID_LENGTH;
- SSLGetResumableSessionInfo(ctx, sessionWasResumed, sessionID,
- sessionIDLength);
-
- if(!silent) {
- printf("\n");
- }
- if(ortn) {
- goto cleanup;
- }
- if(pause) {
- doPause("SSLContext handshake complete");
- }
-
- /* wait for one complete line or user says they've had enough */
- while(ortn == errSecSuccess) {
- length = sizeof(rcvBuf);
- ortn = SSLRead(ctx, rcvBuf, length, &length);
- if(length == 0) {
- /* keep UI responsive */
- sslOutputDot();
- }
- else {
- /* print what we have */
- printf("client request: ");
- dumpAscii(rcvBuf, length);
- }
- if(pause) {
- /* allow user to bail */
- char resp;
-
- fpurge(stdin);
- printf("\nMore client request (y/anything): ");
- resp = getchar();
- if(resp != 'y') {
- break;
- }
- }
-
- /* poor person's line completion scan */
- for(unsigned i=0; i<length; i++) {
- if((rcvBuf[i] == '\n') || (rcvBuf[i] == '\r')) {
- /* a labelled break would be nice here....
*/ - goto serverResp; - } - } - if (ortn == errSSLWouldBlock) { - ortn = errSecSuccess; - } - } - -serverResp: - if(pause) { - doPause("Client GET msg received"); - } - - /* send out canned response */ - length = strlen(outMsg); - ortn = SSLWrite(ctx, outMsg, length, &length); - if(ortn) { - printSslErrStr("SSLWrite", ortn); - } - if(pause) { - doPause("Server response sent"); - } -cleanup: - /* - * always do close, even on error - to flush outgoing write queue - */ - OSStatus cerr = SSLClose(ctx); - if(ortn == errSecSuccess) { - ortn = cerr; - } - if(acceptSock) { - endpointShutdown(acceptSock); - } - if(ctx) { - SSLDisposeContext(ctx); - } - /* FIXME - dispose of serverCerts */ - return ortn; -} - -static void showPeerCerts( - CFArrayRef peerCerts, - bool verbose) -{ - CFIndex numCerts; - SecCertificateRef certRef; - CFIndex i; - - if(peerCerts == NULL) { - return; - } - numCerts = CFArrayGetCount(peerCerts); - for(i=0; i<numCerts; i++) { - certRef = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i); - printf("\n================== Server Cert %lu ===================\n\n", i); - print_cert(certRef, verbose); - printf("\n=============== End of Server Cert %lu ===============\n", i); - } -} - -static void writePeerCerts( - CFArrayRef peerCerts, - const char *fileBase) -{ - CFIndex numCerts; - SecCertificateRef certRef; - CFIndex i; - char fileName[100]; - - if(peerCerts == NULL) { - return; - } - numCerts = CFArrayGetCount(peerCerts); - for(i=0; i<numCerts; i++) { - sprintf(fileName, "%s%02d.cer", fileBase, (int)i); - certRef = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i); - writeFile(fileName, SecCertificateGetBytePtr(certRef), - SecCertificateGetLength(certRef)); - } - printf("...wrote %lu certs to fileBase %s\n", numCerts, fileBase); -} - -static void showSSLResult( - SSLProtocol tryVersion, - char *acceptedProts, - OSStatus err, - SSLProtocol negVersion, - SSLCipherSuite negCipher, - Boolean sessionWasResumed, - unsigned char *sessionID, - 
size_t sessionIDLength, - CFArrayRef peerCerts, - bool displayPeerCerts, - SSLClientCertificateState certState, - char *fileBase) // non-NULL: write certs to file -{ - CFIndex numPeerCerts; - - printf("\n"); - if(acceptedProts) { - printf(" Allowed SSL versions : %s\n", acceptedProts); - } - else { - printf(" Attempted SSL version : %s\n", - sslGetProtocolVersionString(tryVersion)); - } - printf(" Result : %s\n", sslGetSSLErrString(err)); - printf(" Negotiated SSL version : %s\n", - sslGetProtocolVersionString(negVersion)); - printf(" Negotiated CipherSuite : %s\n", - sslGetCipherSuiteString(negCipher)); - if(certState != kSSLClientCertNone) { - printf(" Client Cert State : %s\n", - sslGetClientCertStateString(certState)); - } - printf(" Resumed Session : "); - if(sessionWasResumed) { - for(unsigned dex=0; dex<sessionIDLength; dex++) { - printf("%02X ", sessionID[dex]); - if(((dex % 8) == 7) && (dex != (sessionIDLength - 1))) { - printf("\n "); - } - } - printf("\n"); - } - else { - printf("NOT RESUMED\n"); - } - if(peerCerts == NULL) { - numPeerCerts = 0; - } - else { - numPeerCerts = CFArrayGetCount(peerCerts); - } - printf(" Number of peer certs : %lu\n", numPeerCerts); - if(numPeerCerts != 0) { - if(displayPeerCerts) { - showPeerCerts(peerCerts, false); - } - if(fileBase != NULL) { - writePeerCerts(peerCerts, fileBase); - } - } - printf("\n"); -} - -static int verifyClientCertState( - bool verifyCertState, - SSLClientCertificateState expectState, - SSLClientCertificateState gotState) -{ - if(!verifyCertState) { - return 0; - } - if(expectState == gotState) { - return 0; - } - printf("***Expected clientCertState %s; got %s\n", - sslGetClientCertStateString(expectState), - sslGetClientCertStateString(gotState)); - return 1; -} - -int main(int argc, char **argv) -{ - OSStatus err; - int arg; - char fullFileBase[100]; - SSLProtocol negVersion; - SSLCipherSuite negCipher; - Boolean sessionWasResumed; - unsigned char sessionID[MAX_SESSION_ID_LENGTH]; - size_t 
sessionIDLength; - CFArrayRef peerCerts = NULL; - char *argp; - otSocket listenSock; - CFArrayRef serverCerts = nil; // required - CFArrayRef encryptCerts = nil; // optional - SecKeychainRef serverKc = nil; - SecKeychainRef encryptKc = nil; - int loopNum; - int errCount = 0; - SSLClientCertificateState certState; // obtained from sslServe - - /* user-spec'd parameters */ - unsigned short portNum = DEFAULT_PORT; - bool allowExpired = false; - bool allowAnyRoot = false; - char *fileBase = NULL; - bool displayRxData = false; - bool displayCerts = false; - char cipherRestrict = '\0'; - SSLProtocol attemptProt = kTLSProtocol1; - bool protXOnly = false; // kSSLProtocol3Only, - // kTLSProtocol1Only - char *acceptedProts = NULL; // "23t" ==> SSLSetProtocolVersionEnabled - bool quiet = false; - bool resumableEnable = true; - bool pause = false; - char *keyChainName = NULL; - char *encryptKeyChainName = NULL; - int loops = 1; - SSLAuthenticate authenticate = kNeverAuthenticate; - bool nonBlocking = false; - bool allowExpiredRoot = false; - bool disableCertVerify = false; - char *anchorFile = NULL; - bool replaceAnchors = false; - bool vfyCertState = false; - SSLClientCertificateState expectCertState = kSSLClientCertNone; - char *password = NULL; - char *dhParamsFile = NULL; - unsigned char *dhParams = NULL; - unsigned dhParamsLen = 0; - bool doIdSearch = false; - bool completeCertChain = false; - uint32_t sessionCacheTimeout = 0; - bool disableAnonCiphers = false; - CFMutableArrayRef acceptableDNList = NULL; - - for(arg=1; arg<argc; arg++) { - argp = argv[arg]; - switch(argp[0]) { - case 'P': - portNum = atoi(&argp[2]); - break; - case 'k': - keyChainName = &argp[2]; - break; - case 'y': - encryptKeyChainName = &argp[2]; - break; - case 'e': - allowExpired = true; - break; - case 'E': - allowExpiredRoot = true; - break; - case 'x': - disableCertVerify = true; - break; - case 'a': - if(++arg == argc) { - /* requires another arg */ - usage(argv); - } - anchorFile = argv[arg]; 
- break; - case 'A': - if(++arg == argc) { - /* requires another arg */ - usage(argv); - } - anchorFile = argv[arg]; - replaceAnchors = true; - break; - case 'T': - if(argp[1] != '=') { - usage(argv); - } - vfyCertState = true; - switch(argp[2]) { - case 'n': - expectCertState = kSSLClientCertNone; - break; - case 'r': - expectCertState = kSSLClientCertRequested; - break; - case 's': - expectCertState = kSSLClientCertSent; - break; - case 'j': - expectCertState = kSSLClientCertRejected; - break; - default: - usage(argv); - } - break; - case 'r': - allowAnyRoot = true; - break; - case 'd': - displayRxData = true; - break; - case 'c': - displayCerts = true; - break; - case 'f': - fileBase = &argp[2]; - break; - case 'C': - cipherRestrict = argp[2]; - break; - case '2': - attemptProt = kSSLProtocol2; - break; - case '3': - attemptProt = kSSLProtocol3; - break; - case 't': - attemptProt = kTLSProtocol1; - break; - case 'o': - protXOnly = true; - break; - case 'g': - if(argp[1] != '=') { - usage(argv); - } - acceptedProts = &argp[2]; - break; - case 'R': - resumableEnable = false; - break; - case 'b': - nonBlocking = true; - break; - case 'u': - if(argp[1] != '=') { - usage(argv); - } - switch(argp[2]) { - case 'a': authenticate = kAlwaysAuthenticate; break; - case 'n': authenticate = kNeverAuthenticate; break; - case 't': authenticate = kTryAuthenticate; break; - default: usage(argv); - } - break; - case 'D': - if(++arg == argc) { - /* requires another arg */ - usage(argv); - } - dhParamsFile = argv[arg]; - break; - case 'z': - password = &argp[2]; - break; - case 'H': - doIdSearch = true; - break; - case 'M': - completeCertChain = true; - break; - case 'i': - sessionCacheTimeout = atoi(&argp[2]); - break; - case '4': - disableAnonCiphers = true; - break; - case 'p': - pause = true; - break; - case 'q': - quiet = true; - break; -#if 0 - case 'U': - if(++arg == argc) { - /* requires another arg */ - usage(argv); - } - if(cspReadFile(argv[arg], &caCert, &caCertLen)) { - 
printf("***Error reading file %s. Aborting.\n", argv[arg]); - exit(1); - } - if(acceptableDNList == NULL) { - acceptableDNList = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - } - certData.Data = caCert; - certData.Length = caCertLen; - ortn = SecCertificateCreateFromData(&certData, - CSSM_CERT_X_509v3, - CSSM_CERT_ENCODING_DER, - &secCert); - if(ortn) { - cssmPerror("SecCertificateCreateFromData", ortn); - exit(1); - } - CFArrayAppendValue(acceptableDNList, secCert); - CFRelease(secCert); - break; -#endif - case 'l': - if(argp[1] == '\0') { - /* no loop count --> loop forever */ - loops = 0; - break; - } - else if(argp[1] != '=') { - usage(argv); - } - loops = atoi(&argp[2]); - break; - default: - usage(argv); - } - } - -#if NO_SERVER -# if DEBUG - securityd_init(); -# endif -#endif - - /* get server cert and optional encryption cert as CFArrayRef */ - if(keyChainName) { - serverCerts = getSslCerts(keyChainName, false, completeCertChain, - anchorFile, &serverKc); - if(serverCerts == nil) { - exit(1); - } - } - else -#if 0 - if(doIdSearch) { - OSStatus ortn = sslIdentityPicker(NULL, anchorFile, true, NULL, &serverCerts); - if(ortn) { - printf("***IdentitySearch failure; aborting.\n"); - exit(1); - } - } - if(password) { - OSStatus ortn = SecKeychainUnlock(serverKc, strlen(password), password, true); - if(ortn) { - printf("SecKeychainUnlock returned %d\n", (int)ortn); - /* oh well */ - } - } - if(encryptKeyChainName) { - encryptCerts = getSslCerts(encryptKeyChainName, true, completeCertChain, - anchorFile, &encryptKc); - if(encryptCerts == nil) { - exit(1); - } - } -#endif - if(protXOnly) { - switch(attemptProt) { - case kTLSProtocol1: - attemptProt = kTLSProtocol1Only; - break; - case kSSLProtocol3: - attemptProt = kSSLProtocol3Only; - break; - default: - break; - } - } -#if 0 - if(dhParamsFile) { - int r = cspReadFile(dhParamsFile, &dhParams, &dhParamsLen); - if(r) { - printf("***Error reading diffie-hellman params from %s; aborting\n", - dhParamsFile); 
- } - } -#endif - - /* one-time only server port setup */ - err = ListenForClients(portNum, nonBlocking, &listenSock); - if(err) { - printf("ListenForClients returned %d; aborting\n", (int)err); - exit(1); - } - - for(loopNum=1; ; loopNum++) { - err = sslServe(listenSock, - portNum, - attemptProt, - acceptedProts, - serverCerts, - password, - encryptCerts, - allowExpired, - allowAnyRoot, - allowExpiredRoot, - disableCertVerify, - anchorFile, - replaceAnchors, - cipherRestrict, - authenticate, - dhParams, - dhParamsLen, - acceptableDNList, - resumableEnable, - sessionCacheTimeout, - disableAnonCiphers, - quiet, - pause, - &negVersion, - &negCipher, - &certState, - &sessionWasResumed, - sessionID, - &sessionIDLength, - &peerCerts, - argv); - if(err) { - errCount++; - } - if(!quiet) { - SSLProtocol tryProt = attemptProt; - showSSLResult(tryProt, - acceptedProts, - err, - negVersion, - negCipher, - sessionWasResumed, - sessionID, - sessionIDLength, - peerCerts, - displayCerts, - certState, - fileBase ? fullFileBase : NULL); - } - errCount += verifyClientCertState(vfyCertState, expectCertState, - certState); - freePeerCerts(peerCerts); - if(loops && (loopNum == loops)) { - break; - } - }; - - endpointShutdown(listenSock); - - if(serverKc) { - CFRelease(serverKc); - } - if(encryptKc) { - CFRelease(encryptKc); - } - return errCount; - -} - - diff --git a/OSX/libsecurity_ssl/sslViewer/sslViewer.1 b/OSX/libsecurity_ssl/sslViewer/sslViewer.1 deleted file mode 100644 index 00e88081..00000000 --- a/OSX/libsecurity_ssl/sslViewer/sslViewer.1 +++ /dev/null 
@@ -1,79 +0,0 @@ -.\"Modified from man(1) of FreeBSD, the NetBSD mdoc.template, and mdoc.samples. -.\"See Also: -.\"man mdoc.samples for a complete listing of options -.\"man mdoc for the short list of editing options -.\"/usr/share/misc/mdoc.template -.Dd 5/2/12 \" DATE -.Dt sslViewer 1 \" Program name and manual section number -.Os Darwin -.Sh NAME \" Section Header - required - don't modify -.Nm sslViewer, -.\" The following lines are read in generating the apropos(man -k) database. Use only key -.\" words here as the database is built based on the words here and in the .ND line. -.Nm Other_name_for_same_program(), -.Nm Yet another name for the same program. -.\" Use .Nm macro to designate other names for the documented program. -.Nd This line parsed for whatis database. -.Sh SYNOPSIS \" Section Header - required - don't modify -.Nm -.Op Fl abcd \" [-abcd] -.Op Fl a Ar path \" [-a path] -.Op Ar file \" [file] -.Op Ar \" [file ...] -.Ar arg0 \" Underlined argument - use .Ar anywhere to underline -arg2 ... \" Arguments -.Sh DESCRIPTION \" Section Header - required - don't modify -Use the .Nm macro to refer to your program throughout the man page like such: -.Nm -Underlining is accomplished with the .Ar macro like this: -.Ar underlined text . 
-.Pp \" Inserts a space -A list of items with descriptions: -.Bl -tag -width -indent \" Begins a tagged list -.It item a \" Each item preceded by .It macro -Description of item a -.It item b -Description of item b -.El \" Ends the list -.Pp -A list of flags and their descriptions: -.Bl -tag -width -indent \" Differs from above in tag removed -.It Fl a \"-a flag as a list item -Description of -a flag -.It Fl b -Description of -b flag -.El \" Ends the list -.Pp -.\" .Sh ENVIRONMENT \" May not be needed -.\" .Bl -tag -width "ENV_VAR_1" -indent \" ENV_VAR_1 is width of the string ENV_VAR_1 -.\" .It Ev ENV_VAR_1 -.\" Description of ENV_VAR_1 -.\" .It Ev ENV_VAR_2 -.\" Description of ENV_VAR_2 -.\" .El -.Sh FILES \" File used or created by the topic of the man page -.Bl -tag -width "/Users/joeuser/Library/really_long_file_name" -compact -.It Pa /usr/share/file_name -FILE_1 description -.It Pa /Users/joeuser/Library/really_long_file_name -FILE_2 description -.El \" Ends the list -.\" .Sh DIAGNOSTICS \" May not be needed -.\" .Bl -diag -.\" .It Diagnostic Tag -.\" Diagnostic informtion here. -.\" .It Diagnostic Tag -.\" Diagnostic informtion here. -.\" .El -.Sh SEE ALSO -.\" List links in ascending order by section, alphabetically within a section. -.\" Please do not reference files that do not exist without filing a bug report -.Xr a 1 , -.Xr b 1 , -.Xr c 1 , -.Xr a 2 , -.Xr b 2 , -.Xr a 3 , -.Xr b 3 -.\" .Sh BUGS \" Document known, unremedied bugs -.\" .Sh HISTORY \" Document history if command behaves in a unique manner \ No newline at end of file diff --git a/OSX/libsecurity_ssl/sslViewer/sslViewer.cpp b/OSX/libsecurity_ssl/sslViewer/sslViewer.cpp deleted file mode 100644 index eca0ed36..00000000 --- a/OSX/libsecurity_ssl/sslViewer/sslViewer.cpp +++ /dev/null 
@@ -1,1870 +0,0 @@ -/* - * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved. - * - * SSL viewer tool, Secure Transport. - */ - -#include "SecureTransport.h" - -#include <Security/SecureTransport.h> -#include <Security/SecureTransportPriv.h> -#include <Security/SecCertificate.h> -#include <Security/SecTrust.h> -#include <Security/SecTrustPriv.h> -#include "sslAppUtils.h" -#include "printCert.h" -#include "ioSock.h" -#include "fileIo.h" - -#include <Security/SecBase.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include <ctype.h> -#include <CoreFoundation/CoreFoundation.h> - -#if NO_SERVER -#include <securityd/spi.h> -#endif - -#define DEFAULT_GETMSG "GET" -#define DEFAULT_PATH "/" -#define DEFAULT_GET_SUFFIX "HTTP/1.0\r\n\r\n" - -#define DEFAULT_HOST "store.apple.com" -#define DEFAULT_PORT 443 - -#define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); } -#define CFReleaseNull(CF) { CFTypeRef _cf = (CF); \ - if (_cf) { (CF) = NULL; CFRelease(_cf); } } - -static void usageNorm(char **argv) -{ - printf("Usage: %s [hostname|-] [path] [option ...]\n", argv[0]); - printf(" %s hostname [path] [option ...]\n", argv[0]); - printf("Specifying '-' for hostname, or no args, uses default of %s.\n", - DEFAULT_HOST); - printf("Optional path argument must start with leading '/'.\n"); - printf("Options:\n"); - printf(" e Allow Expired Certs\n"); - printf(" E Allow Expired Roots\n"); - printf(" r Allow any root cert\n"); - printf(" c Display peer certs\n"); - printf(" cc Display peer SecTrust\n"); - printf(" d Display received data\n"); - printf(" S Display enabled cipher suites\n"); - printf(" 2 SSLv2 only\n"); - printf(" 3 SSLv3 only\n"); - printf(" tls10 | t TLSv1 only\n"); - printf(" tls11 TLSv1.1 only\n"); - printf(" tls12 TLSv1.2 only\n"); - printf(" L all - TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2 (default = TLSv1.2)\n"); - printf(" g={prot...} Specify legal protocols; prot = any combo of" - " 
[2|3|t|tls10|tls11|tls12]\n"); - printf(" k=keychain Contains (client|server) cert and keys. Optional.\n"); - printf(" l=loopCount Perform loopCount ops (default = 1)\n"); - printf(" P=port Default = %d\n", DEFAULT_PORT); - printf(" p Pause after each loop\n"); - printf(" q Quiet/diagnostic mode (site names and errors" - " only)\n"); - printf(" a fileName Add fileName to list of trusted roots\n"); - printf(" A fileName fileName is ONLY trusted root\n"); - printf(" Z fileName fileName is a trusted leaf cert\n"); - printf(" x Disable Cert Verification\n"); - printf(" z=password Unlock client keychain with password.\n"); - printf(" 8 Complete cert chains (default is out cert is a root)\n"); - printf(" s Silent\n"); - printf(" V Verbose\n"); - printf(" h Help\n"); - printf(" hv More, verbose help\n"); -} - -static void usageVerbose(char **argv) __attribute__((noreturn)); -static void usageVerbose(char **argv) -{ - usageNorm(argv); - printf("Obscure Usage:\n"); - printf(" u kSSLProtocolUnknown only (TLSv1)\n"); - printf(" M Manual cert verification via " - "SecTrustEvaluate\n"); - printf(" f fileBase Write Peer Certs to fileBase*\n"); - printf(" o TLSv1, SSLv3 use kSSLProtocol__X__Only\n"); - printf(" C=cipherSuite (e=40-bit d=DES D=40-bit DES 3=3DES 4=RC4 " - "$=40-bit RC4\n" - " 2=RC2 a=AES128 A=AES256 h=DH H=Anon DH r=DHE/RSA s=DH/DSS\n"); - printf(" y=keychain Encryption-only cert and keys. 
Optional.\n"); - printf(" K Keep connected until server disconnects\n"); - printf(" n Require closure notify message in TLSv1, " - "SSLv3 mode (implies K)\n"); - printf(" R Disable resumable session support\n"); - printf(" b Non-blocking I/O\n"); - printf(" v Verify negotiated protocol equals attempted\n"); - printf(" m=[23t] Max protocol supported as specified; implies " - "v\n"); - printf(" T=[nrsj] Verify client cert state = " - "none/requested/sent/rejected\n"); - printf(" H allow hostname spoofing\n"); - printf(" F=vfyHost Verify certs with specified host name\n"); - printf(" G=getMsg Specify entire GET, POST, etc.\n"); - printf(" N Log handshake timing\n"); - printf(" 7 Pause only after first loop\n"); - exit(1); -} - -static void usage(char **argv) __attribute__((noreturn)); -static void usage(char **argv) -{ - usageNorm(argv); - exit(1); -} - -/* - * Arguments to top-level sslPing() - */ -typedef struct { - SSLProtocol tryVersion; // only used if acceptedProts NULL - // uses SSLSetProtocolVersion - char *acceptedProts; // optional, any combo of {2,3,t} - // uses SSLSetProtocolVersionEnabled - const char *hostName; // e.g., "store.apple.com" - const char *vfyHostName; // use this for cert vfy if non-NULL, - // else use hostName - unsigned short port; - const char *getMsg; // e.g., - // "GET / HTTP/1.0\r\n\r\n" - bool allowExpired; - bool allowAnyRoot; - bool allowExpiredRoot; - bool disableCertVerify; - bool manualCertVerify; - bool dumpRxData; // display server data - char cipherRestrict; // '2', 'd'. 
etc...; '\0' for - // no restriction - bool keepConnected; - bool requireNotify; // require closure notify - // in V3 mode - bool resumableEnable; - bool allowHostnameSpoof; - bool nonBlocking; - char *anchorFile; - char *trustedLeafFile; - bool replaceAnchors; - bool interactiveAuth; - CFArrayRef clientCerts; // optional - CFArrayRef encryptClientCerts; // optional - uint32 sessionCacheTimeout;// optional - bool disableAnonCiphers; - bool showCipherSuites; - bool quiet; // minimal stdout - bool silent; // no stdout - bool verbose; - SSLProtocol negVersion; // RETURNED - SSLCipherSuite negCipher; // RETURNED - CFArrayRef peerCerts; // mallocd & RETURNED - SecTrustRef peerTrust; // RETURNED - SSLClientCertificateState certState; // RETURNED -#if TARGET_OS_MAC && MAC_OS_X_VERSION_MAX_ALLOWED < 1060 - int authType; -#else - SSLClientAuthenticationType authType; // RETURNED -#endif - CFArrayRef dnList; // RETURNED - char *password; // optional to open clientCerts - char **argv; - Boolean sessionWasResumed; - unsigned char sessionID[MAX_SESSION_ID_LENGTH]; - size_t sessionIDLength; - CFAbsoluteTime handshakeTimeOp; // time for this op - CFAbsoluteTime handshakeTimeFirst; // time for FIRST op, not averaged - CFAbsoluteTime handshakeTimeTotal; // time for all ops except first - unsigned numHandshakes; - -} sslPingArgs; - -#include <signal.h> -static void sigpipe(int sig) -{ - fflush(stdin); - printf("***SIGPIPE***\n"); -} - -/* - * Snag a copy of current connection's peer certs so we can - * examine them later after the connection is closed. - * SecureTransport actually does the create and retain for us. - */ -static OSStatus copyPeerCerts( - SSLContext *ctx, - CFArrayRef *peerCerts) // mallocd & RETURNED -{ - OSStatus ortn = SSLCopyPeerCertificates(ctx, peerCerts); - if(ortn) { - printf("***Error obtaining peer certs: %s\n", - sslGetSSLErrString(ortn)); - } - return ortn; -} - -/* - * Manually evaluate session's SecTrustRef. 
- */ - -static OSStatus sslEvaluateTrust( - SSLContext *ctx, - bool verbose, - bool silent, - CFArrayRef *peerCerts) // fetched and retained -{ - OSStatus ortn = errSecSuccess; -#if USE_CDSA_CRYPTO - SecTrustRef secTrust = NULL; - ortn = SSLGetPeerSecTrust(ctx, &secTrust); - if(ortn) { - printf("\n***Error obtaining peer SecTrustRef: %s\n", - sslGetSSLErrString(ortn)); - return ortn; - } - if(secTrust == NULL) { - /* this is the normal case for resumed sessions, in which - * no cert evaluation is performed */ - if(!silent) { - printf("...No SecTrust available - this is a resumed session, right?\n"); - } - return errSecSuccess; - } - SecTrustResultType secTrustResult; - ortn = SecTrustEvaluate(secTrust, &secTrustResult); - if(ortn) { - printf("\n***Error on SecTrustEvaluate: %d\n", (int)ortn); - return ortn; - } - if(verbose) { - const char *res = NULL; - switch(secTrustResult) { - case kSecTrustResultInvalid: - res = "kSecTrustResultInvalid"; break; - case kSecTrustResultProceed: - res = "kSecTrustResultProceed"; break; - case kSecTrustResultConfirm: - res = "kSecTrustResultConfirm"; break; - case kSecTrustResultDeny: - res = "kSecTrustResultDeny"; break; - case kSecTrustResultUnspecified: - res = "kSecTrustResultUnspecified"; break; - case kSecTrustResultRecoverableTrustFailure: - res = "kSecTrustResultRecoverableTrustFailure"; break; - case kSecTrustResultFatalTrustFailure: - res = "kSecTrustResultFatalTrustFailure"; break; - case kSecTrustResultOtherError: - res = "kSecTrustResultOtherError"; break; - default: - res = "UNKNOWN"; break; - } - printf("\nSecTrustEvaluate(): secTrustResult %s\n", res); - } - - switch(secTrustResult) { - case kSecTrustResultUnspecified: - /* cert chain valid, no special UserTrust assignments */ - case kSecTrustResultProceed: - /* cert chain valid AND user explicitly trusts this */ - break; - default: - printf("\n***SecTrustEvaluate reported secTrustResult %d\n", - (int)secTrustResult); - ortn = errSSLXCertChainInvalid; - break; - } 
-#endif - - *peerCerts = NULL; - -#ifdef USE_CDSA_CRYPTO - /* one more thing - get peer certs in the form of an evidence chain */ - CSSM_TP_APPLE_EVIDENCE_INFO *dummyEv; - OSStatus thisRtn = SecTrustGetResult(secTrust, &secTrustResult, - peerCerts, &dummyEv); - if(thisRtn) { - printSslErrStr("SecTrustGetResult", thisRtn); - } -#endif - return ortn; -} - -static void sslShowEnabledCipherSuites( - SSLContextRef ctx) -{ - OSStatus status; - SSLCipherSuite *ciphers; - size_t numCiphers, totalCiphers; - unsigned int i; - - status = SSLGetNumberSupportedCiphers(ctx, &totalCiphers); - status = SSLGetNumberEnabledCiphers(ctx, &numCiphers); - ciphers = (SSLCipherSuite *)malloc(sizeof(SSLCipherSuite) * numCiphers); - status = SSLGetEnabledCiphers(ctx, ciphers, &numCiphers); - - printf(" Total enabled ciphers : %ld of %ld\n", numCiphers, totalCiphers); - - for(i=0; i<numCiphers; i++) { - printf(" %s (0x%04X)\n", sslGetCipherSuiteString(ciphers[i]), ciphers[i]); - fflush(stdout); - } - free(ciphers); -} - -/* print reply received from server, safely */ -static void dumpAscii( - uint8_t *rcvBuf, - uint32_t len) -{ - char *cp = (char *)rcvBuf; - uint32_t i; - char c; - - for(i=0; i<len; i++) { - c = *cp++; - if(c == '\0') { - break; - } - switch(c) { - case '\n': - printf("\\n"); - break; - case '\r': - printf("\\r"); - break; - default: - if(isprint(c) && (c != '\n')) { - printf("%c", c); - } - else { - printf("<%02X>", ((unsigned)c) & 0xff); - } - break; - } - - } - printf("\n"); -} - -/* - * Perform one SSL diagnostic session. Returns nonzero on error. Normally no - * output to stdout except initial "connecting to" message, unless there - * is a really screwed up error (i.e., something not directly related - * to the SSL connection). 
- */ -#define RCV_BUF_SIZE 256 - -static OSStatus sslPing( - sslPingArgs *pargs) -{ - PeerSpec peerId; - otSocket sock = 0; - OSStatus ortn; - SSLContextRef ctx = NULL; - size_t length; - size_t actLen; - uint8_t rcvBuf[RCV_BUF_SIZE]; - CFAbsoluteTime startHandshake; - CFAbsoluteTime endHandshake; - - pargs->negVersion = kSSLProtocolUnknown; - pargs->negCipher = SSL_NULL_WITH_NULL_NULL; - pargs->peerCerts = NULL; - - /* first make sure requested server is there */ - ortn = MakeServerConnection(pargs->hostName, pargs->port, pargs->nonBlocking, - &sock, &peerId); - if(ortn) { - printf("MakeServerConnection returned %d; aborting\n", (int)ortn); - return ortn; - } - if(pargs->verbose) { - printf("...connected to server; starting SecureTransport\n"); - } - - /* - * Set up a SecureTransport session. - * First the standard calls. - */ - ortn = SSLNewContext(false, &ctx); - if(ortn) { - printSslErrStr("SSLNewContext", ortn); - goto cleanup; - } - ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite); - if(ortn) { - printSslErrStr("SSLSetIOFuncs", ortn); - goto cleanup; - } - ortn = SSLSetConnection(ctx, (SSLConnectionRef)sock); - if(ortn) { - printSslErrStr("SSLSetConnection", ortn); - goto cleanup; - } - SSLConnectionRef getConn; - ortn = SSLGetConnection(ctx, &getConn); - if(ortn) { - printSslErrStr("SSLGetConnection", ortn); - goto cleanup; - } - if(getConn != (SSLConnectionRef)sock) { - printf("***SSLGetConnection error\n"); - ortn = errSecParam; - goto cleanup; - } - if(!pargs->allowHostnameSpoof) { - /* if this isn't set, it isn't checked by AppleX509TP */ - const char *vfyHost = pargs->hostName; - if(pargs->vfyHostName) { - /* generally means we're expecting an error */ - vfyHost = pargs->vfyHostName; - } - ortn = SSLSetPeerDomainName(ctx, vfyHost, strlen(vfyHost)); - if(ortn) { - printSslErrStr("SSLSetPeerDomainName", ortn); - goto cleanup; - } - } - - /* - * SecureTransport options. 
- */ - if(pargs->acceptedProts) { - ortn = SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false); - if(ortn) { - printSslErrStr("SSLSetProtocolVersionEnabled(all off)", ortn); - goto cleanup; - } - for(const char *cp = pargs->acceptedProts; *cp; cp++) { - SSLProtocol prot; - switch(*cp) { - case '2': - prot = kSSLProtocol2; - break; - case '3': - prot = kSSLProtocol3; - break; - case 't': - prot = kTLSProtocol1; - if (cp[1] == 'l' && cp[2] == 's' && cp[3] == '1') { - cp += 3; - if (cp[1] == '1') { - cp++; - prot = kTLSProtocol11; - } - else if (cp[1] == '2') { - cp++; - prot = kTLSProtocol12; - } - } - break; - default: - usage(pargs->argv); - } - ortn = SSLSetProtocolVersionEnabled(ctx, prot, true); - if(ortn) { - printSslErrStr("SSLSetProtocolVersionEnabled", ortn); - goto cleanup; - } - } - } - else { - ortn = SSLSetProtocolVersion(ctx, pargs->tryVersion); - if(ortn) { - printSslErrStr("SSLSetProtocolVersion", ortn); - goto cleanup; - } - SSLProtocol getVers; - ortn = SSLGetProtocolVersion(ctx, &getVers); - if(ortn) { - printSslErrStr("SSLGetProtocolVersion", ortn); - goto cleanup; - } - if(getVers != pargs->tryVersion && getVers != kSSLProtocolAll) { - printf("***SSLGetProtocolVersion screwup: try %s get %s\n", - sslGetProtocolVersionString(pargs->tryVersion), - sslGetProtocolVersionString(getVers)); - ortn = errSecParam; - goto cleanup; - } - } - if(pargs->resumableEnable) { - const void *rtnId = NULL; - size_t rtnIdLen = 0; - - ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec)); - if(ortn) { - printSslErrStr("SSLSetPeerID", ortn); - goto cleanup; - } - /* quick test of the get fcn */ - ortn = SSLGetPeerID(ctx, &rtnId, &rtnIdLen); - if(ortn) { - printSslErrStr("SSLGetPeerID", ortn); - goto cleanup; - } - if((rtnId == NULL) || (rtnIdLen != sizeof(PeerSpec))) { - printf("***SSLGetPeerID screwup\n"); - } - else if(memcmp(&peerId, rtnId, rtnIdLen) != 0) { - printf("***SSLGetPeerID data mismatch\n"); - } - } - if(pargs->allowExpired) { - ortn = 
SSLSetAllowsExpiredCerts(ctx, true); - if(ortn) { - printSslErrStr("SSLSetAllowExpiredCerts", ortn); - goto cleanup; - } - } - if(pargs->allowExpiredRoot) { - ortn = SSLSetAllowsExpiredRoots(ctx, true); - if(ortn) { - printSslErrStr("SSLSetAllowsExpiredRoots", ortn); - goto cleanup; - } - } - if(pargs->disableCertVerify) { - ortn = SSLSetEnableCertVerify(ctx, false); - if(ortn) { - printSslErrStr("SSLSetEnableCertVerify", ortn); - goto cleanup; - } - } - if(pargs->allowAnyRoot) { - ortn = SSLSetAllowsAnyRoot(ctx, true); - if(ortn) { - printSslErrStr("SSLSetAllowAnyRoot", ortn); - goto cleanup; - } - } - if(pargs->cipherRestrict != '\0') { - ortn = sslSetCipherRestrictions(ctx, pargs->cipherRestrict); - if(ortn) { - goto cleanup; - } - } - if(pargs->anchorFile) { - ortn = sslAddTrustedRoot(ctx, pargs->anchorFile, pargs->replaceAnchors); - if(ortn) { - printf("***Error obtaining anchor file %s\n", pargs->anchorFile); - goto cleanup; - } - } - if(pargs->trustedLeafFile) { - SecCertificateRef leafCertRef = NULL; - CFMutableArrayRef leafCerts = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - /* sslReadAnchor is a misnomer; it just creates a SecCertificateRef from a file */ - ortn = sslReadAnchor(pargs->trustedLeafFile, &leafCertRef); - if (!ortn) { - CFArrayAppendValue(leafCerts, leafCertRef); - CFRelease(leafCertRef); - ortn = SSLSetTrustedLeafCertificates(ctx, leafCerts); - CFRelease(leafCerts); - } - if(ortn) { - goto cleanup; - } - } - if(pargs->interactiveAuth) { - /* we want to get errSSLServerAuthCompleted from SSLHandshake on server auth completion */ - SSLSetSessionOption(ctx, kSSLSessionOptionBreakOnServerAuth, true); - /* we want to get errSSLClientCertRequested from SSLHandshake on client auth request */ - SSLSetSessionOption(ctx, kSSLSessionOptionBreakOnCertRequested, true); - } - else if(pargs->clientCerts) { - CFArrayRef dummy; - if(pargs->anchorFile == NULL) { - /* assume this is a root we want to implicitly trust */ - ortn = 
addIdentityAsTrustedRoot(ctx, pargs->clientCerts); - if(ortn) { - goto cleanup; - } - } - ortn = SSLSetCertificate(ctx, pargs->clientCerts); - if(ortn) { - printSslErrStr("SSLSetCertificate", ortn); - goto cleanup; - } - /* quickie test for this new function */ - ortn = SSLGetCertificate(ctx, &dummy); - if(ortn) { - printSslErrStr("SSLGetCertificate", ortn); - goto cleanup; - } - if(dummy != pargs->clientCerts) { - printf("***SSLGetCertificate error\n"); - ortn = errSecIO; - goto cleanup; - } - } - if(pargs->encryptClientCerts) { - if(pargs->anchorFile == NULL) { - ortn = addIdentityAsTrustedRoot(ctx, pargs->encryptClientCerts); - if(ortn) { - goto cleanup; - } - } - ortn = SSLSetEncryptionCertificate(ctx, pargs->encryptClientCerts); - if(ortn) { - printSslErrStr("SSLSetEncryptionCertificate", ortn); - goto cleanup; - } - } - if(pargs->sessionCacheTimeout) { - ortn = SSLSetSessionCacheTimeout(ctx, pargs->sessionCacheTimeout); - if(ortn) { - printSslErrStr("SSLSetSessionCacheTimeout", ortn); - goto cleanup; - } - } - if(!pargs->disableAnonCiphers) { - ortn = SSLSetAllowAnonymousCiphers(ctx, true); - if(ortn) { - printSslErrStr("SSLSetAllowAnonymousCiphers", ortn); - goto cleanup; - } - /* quickie test of the getter */ - Boolean e; - ortn = SSLGetAllowAnonymousCiphers(ctx, &e); - if(ortn) { - printSslErrStr("SSLGetAllowAnonymousCiphers", ortn); - goto cleanup; - } - if(!e) { - printf("***SSLGetAllowAnonymousCiphers() returned false; expected true\n"); - ortn = errSecIO; - goto cleanup; - } - } - if(pargs->showCipherSuites) { - sslShowEnabledCipherSuites(ctx); - } - /*** end options ***/ - - if(pargs->verbose) { - printf("...starting SSL handshake\n"); - } - startHandshake = CFAbsoluteTimeGetCurrent(); - - do - { ortn = SSLHandshake(ctx); - if((ortn == errSSLWouldBlock) && !pargs->silent) { - /* keep UI responsive */ - sslOutputDot(); - } - else if(ortn == errSSLServerAuthCompleted) { - if(pargs->verbose) { - printf("...server authentication completed\n"); - } - } - 
else if(ortn == errSSLClientCertRequested) { - if(pargs->verbose) { - printf("...received client cert request\n"); - } - /* %%% could prompt interactively here for client cert to use; - * for now, just use the client cert passed on the command line - */ - if(pargs->clientCerts) { - CFArrayRef dummy; - if(pargs->anchorFile == NULL) { - /* assume this is a root we want to implicitly trust */ - ortn = addIdentityAsTrustedRoot(ctx, pargs->clientCerts); - if(ortn) { - goto cleanup; - } - } - if(pargs->verbose) { - printf("...setting client certificate\n"); - } - ortn = SSLSetCertificate(ctx, pargs->clientCerts); - if(ortn) { - printSslErrStr("SSLSetCertificate", ortn); - goto cleanup; - } - /* quickie test for this new function */ - ortn = SSLGetCertificate(ctx, &dummy); - if(ortn) { - printSslErrStr("SSLGetCertificate", ortn); - goto cleanup; - } - if(dummy != pargs->clientCerts) { - printf("***SSLGetCertificate error\n"); - ortn = errSecIO; - goto cleanup; - } - } - else { - printf("***no client certificate specified!\n"); - } - } - } while (ortn == errSSLWouldBlock || - ortn == errSSLServerAuthCompleted || - ortn == errSSLClientCertRequested); - - endHandshake = CFAbsoluteTimeGetCurrent(); - pargs->handshakeTimeOp = endHandshake - startHandshake; - if(pargs->numHandshakes == 0) { - /* special case, this one is always way longer */ - pargs->handshakeTimeFirst = pargs->handshakeTimeOp; - } - else { - /* normal running total */ - pargs->handshakeTimeTotal += pargs->handshakeTimeOp; - } - pargs->numHandshakes++; - - /* this works even if handshake failed due to cert chain invalid */ - CFReleaseSafe(pargs->peerCerts); - if(!pargs->manualCertVerify) { - copyPeerCerts(ctx, &pargs->peerCerts); - } - else { - /* else fetched via SecTrust later */ - pargs->peerCerts = NULL; - } - - ortn = SSLCopyPeerTrust(ctx, &pargs->peerTrust); - if(ortn) { - printf("***SSLCopyPeerTrust error %d\n", (int)ortn); - pargs->peerTrust = NULL; - } - - /* ditto */ - 
SSLGetClientCertificateState(ctx, &pargs->certState); -#if TARGET_OS_MAC && MAC_OS_X_VERSION_MAX_ALLOWED >= 1060 - SSLGetNegotiatedClientAuthType(ctx, &pargs->authType); -#endif - SSLGetNegotiatedCipher(ctx, &pargs->negCipher); - SSLGetNegotiatedProtocolVersion(ctx, &pargs->negVersion); - CFReleaseSafe(pargs->dnList); - SSLCopyDistinguishedNames(ctx, &pargs->dnList); - pargs->sessionIDLength = MAX_SESSION_ID_LENGTH; - SSLGetResumableSessionInfo(ctx, &pargs->sessionWasResumed, pargs->sessionID, - &pargs->sessionIDLength); - if(pargs->manualCertVerify) { - OSStatus certRtn = sslEvaluateTrust(ctx, pargs->verbose, pargs->silent, - &pargs->peerCerts); - if(certRtn && !ortn ) { - ortn = certRtn; - } - } - - if(ortn) { - if(!pargs->silent) { - printf("\n"); - } - goto cleanup; - } - - if(pargs->verbose) { - printf("...SSL handshake complete\n"); - } - - /* Write our GET request */ - length = strlen(pargs->getMsg); - ortn = SSLWrite(ctx, pargs->getMsg, length, &actLen); - if(ortn) { - printf("***SSLWrite error: %d\n", (int)ortn); - } else if((actLen > 0) && pargs->dumpRxData) { - dumpAscii((uint8_t*)pargs->getMsg, actLen); - } - - /* - * Try to snag RCV_BUF_SIZE bytes. Exit if (!keepConnected and we get any data - * at all), or (keepConnected and err != (none, wouldBlock)). 
- */ - while (ortn == errSecSuccess) { - actLen = 0; - if(pargs->dumpRxData) { - size_t avail = 0; - - ortn = SSLGetBufferedReadSize(ctx, &avail); - if(ortn) { - printf("***SSLGetBufferedReadSize error\n"); - break; - } - if(avail != 0) { - printf("\n%d bytes available: ", (int)avail); - } - } - ortn = SSLRead(ctx, rcvBuf, RCV_BUF_SIZE, &actLen); - if((actLen == 0) && !pargs->silent) { - sslOutputDot(); - } - if((actLen == 0) && (ortn == errSecSuccess)) { - printf("***Radar 2984932 confirmed***\n"); - } - if (ortn == errSSLWouldBlock) { - /* for this loop, these are identical */ - ortn = errSecSuccess; - } - if(ortn == errSSLServerAuthCompleted || - ortn == errSSLClientCertRequested) { - /* should never get these once the handshake is complete */ - printf("***SSLRead returned unexpected handshake error!\n"); - } - - if((actLen > 0) && pargs->dumpRxData) { - dumpAscii(rcvBuf, actLen); - } - if(ortn != errSecSuccess) { - /* connection closed by server or by error */ - break; - } - if(!pargs->keepConnected && (actLen > 0)) { - /* good enough, we connected */ - break; - } - } - if(!pargs->silent) { - printf("\n"); - } - - /* snag these again in case of renegotiate */ - SSLGetClientCertificateState(ctx, &pargs->certState); - SSLGetNegotiatedCipher(ctx, &pargs->negCipher); - SSLGetNegotiatedProtocolVersion(ctx, &pargs->negVersion); - CFReleaseSafe(pargs->dnList); - SSLCopyDistinguishedNames(ctx, &pargs->dnList); - - /* convert normal "shutdown" into zero err rtn */ - if(ortn == errSSLClosedGraceful) { - ortn = errSecSuccess; - } - if((ortn == errSSLClosedNoNotify) && !pargs->requireNotify) { - /* relaxed disconnect rules */ - ortn = errSecSuccess; - } -cleanup: - /* - * always do close, even on error - to flush outgoing write queue - */ - OSStatus cerr = SSLClose(ctx); - if(ortn == errSecSuccess) { - ortn = cerr; - } - if(sock) { - endpointShutdown(sock); - } - if(ctx) { - SSLDisposeContext(ctx); - } - return ortn; -} - -static void add_key(const void *key, const void 
*value, void *context) { - CFArrayAppendValue((CFMutableArrayRef)context, key); -} - -static void showInfo(CFDictionaryRef info) { - CFIndex dict_count, key_ix, key_count; - CFMutableArrayRef keys = NULL; - CFIndex maxWidth = 20; /* Maybe precompute this or grab from context? */ - - dict_count = CFDictionaryGetCount(info); - keys = CFArrayCreateMutable(kCFAllocatorDefault, dict_count, - &kCFTypeArrayCallBacks); - CFDictionaryApplyFunction(info, add_key, keys); - key_count = CFArrayGetCount(keys); - CFArraySortValues(keys, CFRangeMake(0, key_count), - (CFComparatorFunction)CFStringCompare, 0); - - for (key_ix = 0; key_ix < key_count; ++key_ix) { - CFStringRef key = (CFStringRef)CFArrayGetValueAtIndex(keys, key_ix); - CFTypeRef value = CFDictionaryGetValue(info, key); - CFMutableStringRef line = CFStringCreateMutable(NULL, 0); - - CFStringAppend(line, key); - CFIndex jx; - for (jx = CFStringGetLength(key); - jx < maxWidth; ++jx) { - CFStringAppend(line, CFSTR(" ")); - } - CFStringAppend(line, CFSTR(" : ")); - if (CFStringGetTypeID() == CFGetTypeID(value)) { - CFStringAppend(line, (CFStringRef)value); - } else if (CFDateGetTypeID() == CFGetTypeID(value)) { - CFLocaleRef lc = CFLocaleCopyCurrent(); - CFDateFormatterRef df = CFDateFormatterCreate(NULL, lc, - kCFDateFormatterFullStyle, kCFDateFormatterFullStyle); - CFDateRef date = (CFDateRef)value; - CFStringRef ds = CFDateFormatterCreateStringWithDate(NULL, df, - date); - CFStringAppend(line, ds); - CFRelease(ds); - CFRelease(df); - CFRelease(lc); - } else if (CFURLGetTypeID() == CFGetTypeID(value)) { - CFURLRef url = (CFURLRef)value; - CFStringAppend(line, CFSTR("<")); - CFStringAppend(line, CFURLGetString(url)); - CFStringAppend(line, CFSTR(">")); - } else if (CFDataGetTypeID() == CFGetTypeID(value)) { - CFDataRef v_d = (CFDataRef)value; - CFStringRef v_s = CFStringCreateFromExternalRepresentation( - kCFAllocatorDefault, v_d, kCFStringEncodingUTF8); - if (v_s) { - CFStringAppend(line, CFSTR("/")); - 
CFStringAppend(line, v_s); - CFStringAppend(line, CFSTR("/ ")); - CFRelease(v_s); - } - const uint8_t *bytes = CFDataGetBytePtr(v_d); - CFIndex len = CFDataGetLength(v_d); - for (jx = 0; jx < len; ++jx) { - CFStringAppendFormat(line, NULL, CFSTR("%.02X"), bytes[jx]); - } - } else { - CFStringAppendFormat(line, NULL, CFSTR("%@"), value); - } - print_line(line); - CFRelease(line); - } - CFRelease(keys); -} - -static void showPeerTrust(SecTrustRef peerTrust, bool verbose) { - CFIndex numCerts; - CFIndex i; - - if(peerTrust == NULL) { - return; - } -#if TARGET_OS_EMBEDDED - printf("\n=============== Peer Trust Properties ===============\n"); - CFArrayRef plist = SecTrustCopyProperties(peerTrust); - if (plist) { - print_plist(plist); - CFRelease(plist); - } - - printf("\n================== Peer Trust Info ==================\n"); - CFDictionaryRef info = SecTrustCopyInfo(peerTrust); - if (info && CFDictionaryGetCount(info)) { - showInfo(info); - CFRelease(info); - } - - numCerts = SecTrustGetCertificateCount(peerTrust); - for(i=0; i<numCerts; i++) { - plist = SecTrustCopySummaryPropertiesAtIndex(peerTrust, i); - printf("\n============= Peer Trust Cert %lu Summary =============\n\n", i); - print_plist(plist); - if (plist) - CFRelease(plist); - printf("\n============= Peer Trust Cert %lu Details =============\n\n", i); - plist = SecTrustCopyDetailedPropertiesAtIndex(peerTrust, i); - print_plist(plist); - if (plist) - CFRelease(plist); - printf("\n============= End of Peer Trust Cert %lu ==============\n", i); - } -#endif -} - -static void showPeerCerts( - CFArrayRef peerCerts, - bool verbose) -{ - CFIndex numCerts; - SecCertificateRef certRef; - CFIndex i; - - if(peerCerts == NULL) { - return; - } - numCerts = CFArrayGetCount(peerCerts); - for(i=0; i<numCerts; i++) { - certRef = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i); - printf("\n==================== Peer Cert %lu ====================\n\n", i); - print_cert(certRef, verbose); - printf("\n================ 
End of Peer Cert %lu =================\n", i); - } -} - -static void writePeerCerts( - CFArrayRef peerCerts, - const char *fileBase) -{ - CFIndex numCerts; - SecCertificateRef certRef; - CFIndex i; - char fileName[100]; - - if(peerCerts == NULL) { - return; - } - numCerts = CFArrayGetCount(peerCerts); - for(i=0; i<numCerts; i++) { - sprintf(fileName, "%s%02d.cer", fileBase, (int)i); - certRef = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i); - CFDataRef derCert = SecCertificateCopyData(certRef); - if (derCert) { - writeFile(fileName, CFDataGetBytePtr(derCert), - CFDataGetLength(derCert)); - } - CFRelease(derCert); - } - printf("...wrote %lu certs to fileBase %s\n", numCerts, fileBase); -} - -static void writeDnList( - CFArrayRef dnList, - const char *fileBase) -{ - CFIndex numDns; - CFDataRef cfDn; - CFIndex i; - char fileName[100]; - - if(dnList == NULL) { - return; - } - numDns = CFArrayGetCount(dnList); - for(i=0; i<numDns; i++) { - sprintf(fileName, "%s%02d.der", fileBase, (int)i); - cfDn = (CFDataRef)CFArrayGetValueAtIndex(dnList, i); - writeFile(fileName, CFDataGetBytePtr(cfDn), CFDataGetLength(cfDn)); - } - printf("...wrote %lu RDNs to fileBase %s\n", numDns, fileBase); -} - -/* - * Show result of an sslPing(). 
- * Assumes the following from sslPingArgs: - * - * verbose - * tryVersion - * acceptedProts - * negVersion - * negCipher - * peerCerts - * certState - * authType - * sessionWasResumed - * sessionID - * sessionIDLength - * handshakeTime - */ -static void showSSLResult( - const sslPingArgs &pargs, - OSStatus err, - int displayPeerCerts, - const char *fileBase, // non-NULL: write certs to file - const char *dnFileBase) // non-NULL: write DNList to file -{ - CFIndex numPeerCerts; - - printf("\n"); - - if(pargs.acceptedProts) { - printf(" Allowed SSL versions : %s\n", pargs.acceptedProts); - } - else { - printf(" Attempted SSL version : %s\n", - sslGetProtocolVersionString(pargs.tryVersion)); - } - - printf(" Result : %s\n", sslGetSSLErrString(err)); - printf(" Negotiated SSL version : %s\n", - sslGetProtocolVersionString(pargs.negVersion)); - printf(" Negotiated CipherSuite : %s\n", - sslGetCipherSuiteString(pargs.negCipher)); - if(pargs.certState != kSSLClientCertNone) { - printf(" Client Cert State : %s\n", - sslGetClientCertStateString(pargs.certState)); -#if TARGET_OS_MAC && MAC_OS_X_VERSION_MAX_ALLOWED >= 1060 - printf(" Client Auth Type : %s\n", - sslGetClientAuthTypeString(pargs.authType)); -#endif - } - if(pargs.verbose) { - printf(" Resumed Session : "); - if(pargs.sessionWasResumed) { - for(unsigned dex=0; dex<pargs.sessionIDLength; dex++) { - printf("%02X ", pargs.sessionID[dex]); - if(((dex % 8) == 7) && (dex != (pargs.sessionIDLength - 1))) { - printf("\n "); - } - } - printf("\n"); - } - else { - printf("NOT RESUMED\n"); - } - printf(" Handshake time : %f seconds\n", pargs.handshakeTimeOp); - } - if(pargs.peerCerts == NULL) { - numPeerCerts = 0; - } - else { - numPeerCerts = CFArrayGetCount(pargs.peerCerts); - } - printf(" Number of peer certs : %lu\n", numPeerCerts); - if(numPeerCerts != 0) { - if (displayPeerCerts == 1) { - showPeerCerts(pargs.peerCerts, false); - } else if (displayPeerCerts == 2) { - showPeerTrust(pargs.peerTrust, false); - } - 
if(fileBase != NULL) { - writePeerCerts(pargs.peerCerts, fileBase); - } - } - if(dnFileBase != NULL) { - writeDnList(pargs.dnList, dnFileBase); - } - - printf("\n"); -} - -static int verifyProtocol( - bool verifyProt, - SSLProtocol maxProtocol, - SSLProtocol reqProtocol, - SSLProtocol negProtocol) -{ - if(!verifyProt) { - return 0; - } - if(reqProtocol > maxProtocol) { - /* known not to support this attempt, relax */ - reqProtocol = maxProtocol; - } - if(reqProtocol != negProtocol) { - printf("***Expected protocol %s; negotiated %s\n", - sslGetProtocolVersionString(reqProtocol), - sslGetProtocolVersionString(negProtocol)); - return 1; - } - else { - return 0; - } -} - -static int verifyClientCertState( - bool verifyCertState, - SSLClientCertificateState expectState, - SSLClientCertificateState gotState) -{ - if(!verifyCertState) { - return 0; - } - if(expectState == gotState) { - return 0; - } - printf("***Expected clientCertState %s; got %s\n", - sslGetClientCertStateString(expectState), - sslGetClientCertStateString(gotState)); - return 1; -} - -/* - * Free everything allocated by sslPing in an sslPingArgs. - * Mainly for looping and malloc debugging. 
- */ -static void freePingArgs( - sslPingArgs *pargs) -{ - CFReleaseNull(pargs->peerCerts); - CFReleaseNull(pargs->peerTrust); - CFReleaseNull(pargs->dnList); - /* more, later, for client retry/identity fetch */ -} - -static SSLProtocol strToProt( - const char *c, // 2, 3, t, tls10, tls11, tls12 - char **argv) -{ - if (c == NULL) - return kSSLProtocolUnknown; - - switch(c[0]) { - case '2': - return kSSLProtocol2; - case '3': - return kSSLProtocol3; - case 't': - if (c[1] == '\0') - return kTLSProtocol1; - if (c[1] == 'l' && c[2] == 's' && c[3] == '1') { - if (c[4] == '0') - return kTLSProtocol1; - if (c[4] == '1') - return kTLSProtocol11; - if (c[4] == '2') - return kTLSProtocol12; - } - default: - usage(argv); - } - /* NOT REACHED */ - return kSSLProtocolUnknown; -} - -int main(int argc, char **argv) -{ - OSStatus err; - int arg; - char *argp; - char getMsg[300]; - char fullFileBase[100]; - int ourRtn = 0; // exit status - sum of all errors - unsigned loop; - SecKeychainRef serverKc = nil; - SecKeychainRef encryptKc = nil; - sslPingArgs pargs; - - /* user-spec'd parameters */ - char *getPath = (char *)DEFAULT_PATH; - char *fileBase = NULL; - bool displayCerts = false; - bool doSslV2 = false; - bool doSslV3 = false; - bool doTlsV1 = true; - bool doTlsV11 = true; - bool doTlsV12 = true; - bool protXOnly = false; // kSSLProtocol3Only, kTLSProtocol1Only - bool doProtUnknown = false; - unsigned loopCount = 1; - bool doPause = false; - bool pauseFirstLoop = false; - bool verifyProt = false; - SSLProtocol maxProtocol = kTLSProtocol12; // for verifying negotiated - // protocol - char *acceptedProts = NULL; - char *keyChainName = NULL; - char *encryptKeyChainName = NULL; - char *getMsgSpec = NULL; - bool vfyCertState = false; - SSLClientCertificateState expectCertState = kSSLClientCertNone; - bool displayHandshakeTimes = false; - bool completeCertChain = false; - char *dnFileBase = NULL; - - /* special case - one arg of "h" or "-h" or "hv" */ - if(argc == 2) { - 
if((strcmp(argv[1], "h") == 0) || (strcmp(argv[1], "-h") == 0)) { - usage(argv); - } - if(strcmp(argv[1], "hv") == 0) { - usageVerbose(argv); - } - } - - /* set up defaults */ - memset(&pargs, 0, sizeof(sslPingArgs)); - pargs.hostName = DEFAULT_HOST; - pargs.port = DEFAULT_PORT; - pargs.resumableEnable = true; - pargs.argv = argv; - - for(arg=1; arg<argc; arg++) { - argp = argv[arg]; - if(arg == 1) { - /* first arg, is always hostname; '-' means default */ - if(argp[0] != '-') { - pargs.hostName = argp; - } - continue; - } - if(argp[0] == '/') { - /* path always starts with leading slash */ - getPath = argp; - continue; - } - /* options */ - switch(argp[0]) { - case 'e': - pargs.allowExpired = true; - break; - case 'E': - pargs.allowExpiredRoot = true; - break; - case 'x': - pargs.disableCertVerify = true; - break; - case 'M': - pargs.disableCertVerify = true; // implied - pargs.manualCertVerify = true; - break; - case 'I': - pargs.interactiveAuth = true; - break; - case 'a': - if(++arg == argc) { - /* requires another arg */ - usage(argv); - } - pargs.anchorFile = argv[arg]; - break; - case 'A': - if(++arg == argc) { - /* requires another arg */ - usage(argv); - } - pargs.anchorFile = argv[arg]; - pargs.replaceAnchors = true; - break; - case 'Z': - if(++arg == argc) { - /* requires another arg */ - usage(argv); - } - pargs.trustedLeafFile = argv[arg]; - break; - case 'r': - pargs.allowAnyRoot = true; - break; - case 'd': - pargs.dumpRxData = true; - break; - case 'c': - displayCerts = 1; - if (argp[1] == 'c') - ++displayCerts; - break; - case 'f': - if(++arg == argc) { - /* requires another arg */ - usage(argv); - } - fileBase = argv[arg]; - break; - case 'C': - pargs.cipherRestrict = argp[2]; - break; - case 'S': - pargs.showCipherSuites = true; - break; - case '2': - doSslV3 = doTlsV1 = doTlsV11 = false; - doSslV2 = true; - break; - case '3': - doSslV2 = doTlsV1 = doTlsV11 = doTlsV12 = false; - doSslV3 = true; - break; - case 't': - if (argp[1] == 'l' && argp[2] 
== 's' && argp[3] == '1') { - if (argp[4] == '0') { - doSslV2 = doSslV3 = doTlsV11 = doTlsV12 = false; - doTlsV1 = true; - break; - } - if (argp[4] == '1') { - doSslV2 = doSslV3 = doTlsV1 = doTlsV12 = false; - doTlsV11 = true; - break; - } - else if (argp[4] == '2') { - doSslV2 = doSslV3 = doTlsV1 = doTlsV11 = false; - doTlsV12 = true; - break; - } - } - if (argp[1] != '\0') { - usage(argv); - } - doSslV2 = doSslV3 = doTlsV11 = doTlsV12 = false; - doTlsV1 = true; - break; - case 'L': - doSslV2 = doSslV3 = doTlsV1 = doTlsV11 = doTlsV12 = true; - break; - case 'o': - protXOnly = true; - break; - case 'u': - doSslV2 = doSslV3 = doTlsV1 = doTlsV11 = doTlsV12 = false; - doProtUnknown = true; - break; - case 'K': - pargs.keepConnected = true; - break; - case 'n': - pargs.requireNotify = true; - pargs.keepConnected = true; - break; - case 'R': - pargs.resumableEnable = false; - break; - case 'b': - pargs.nonBlocking = true; - break; - case 'v': - verifyProt = true; - break; - case 'm': - if(argp[1] != '=') { - usage(argv); - } - verifyProt = true; // implied - maxProtocol = strToProt(&argp[2], argv); - break; - case 'g': - if(argp[1] != '=') { - usage(argv); - } - acceptedProts = &argp[2]; - doSslV3 = doSslV2 = doTlsV1 = doTlsV11 = doTlsV12 = false; - break; - case 'l': - loopCount = atoi(&argp[2]); - if(loopCount == 0) { - printf("***bad loopCount\n"); - usage(argv); - } - break; - case 'P': - pargs.port = atoi(&argp[2]); - break; - case 'H': - pargs.allowHostnameSpoof = true; - break; - case 'F': - pargs.vfyHostName = &argp[2]; - break; - case 'k': - keyChainName = &argp[2]; - break; - case 'y': - encryptKeyChainName = &argp[2]; - break; - case 'G': - getMsgSpec = &argp[2]; - break; - case 'T': - if(argp[1] != '=') { - usage(argv); - } - vfyCertState = true; - switch(argp[2]) { - case 'n': - expectCertState = kSSLClientCertNone; - break; - case 'r': - expectCertState = kSSLClientCertRequested; - break; - case 's': - expectCertState = kSSLClientCertSent; - break; - case 
'j': - expectCertState = kSSLClientCertRejected; - break; - default: - usage(argv); - } - break; - case 'z': - pargs.password = &argp[2]; - break; - case 'p': - doPause = true; - break; - case '7': - pauseFirstLoop = true; - break; - case 'q': - pargs.quiet = true; - break; - case 'V': - pargs.verbose = true; - break; - case 's': - pargs.silent = pargs.quiet = true; - break; - case 'N': - displayHandshakeTimes = true; - break; - case '8': - completeCertChain = true; - break; - case 'i': - pargs.sessionCacheTimeout = atoi(&argp[2]); - break; - case '4': - pargs.disableAnonCiphers = true; - break; - case 'D': - if(++arg == argc) { - /* requires another arg */ - usage(argv); - } - dnFileBase = argv[arg]; - break; - case 'h': - if(pargs.verbose || (argp[1] == 'v')) { - usageVerbose(argv); - } - else { - usage(argv); - } - default: - usage(argv); - } - } - if(getMsgSpec) { - pargs.getMsg = getMsgSpec; - } - else { - sprintf(getMsg, "%s %s %s", - DEFAULT_GETMSG, getPath, DEFAULT_GET_SUFFIX); - pargs.getMsg = getMsg; - } - -#if NO_SERVER -# if DEBUG - securityd_init(); -# endif -#endif - - /* get client cert and optional encryption cert as CFArrayRef */ - if(keyChainName) { - pargs.clientCerts = getSslCerts(keyChainName, false, completeCertChain, - pargs.anchorFile, &serverKc); - if(pargs.clientCerts == nil) { - exit(1); - } -#ifdef USE_CDSA_CRYPTO - if(pargs.password) { - OSStatus ortn = SecKeychainUnlock(serverKc, - strlen(pargs.password), pargs.password, true); - if(ortn) { - printf("SecKeychainUnlock returned %d\n", (int)ortn); - /* oh well */ - } - } -#endif - } - if(encryptKeyChainName) { - pargs.encryptClientCerts = getSslCerts(encryptKeyChainName, true, - completeCertChain, pargs.anchorFile, &encryptKc); - if(pargs.encryptClientCerts == nil) { - exit(1); - } - } - signal(SIGPIPE, sigpipe); - - for(loop=0; loop<loopCount; loop++) { - /* - * One pass for each protocol version, skipping any explicit version if - * an attempt at a higher version and succeeded in doing 
so successfully fell - * back. - */ - if(doTlsV12) { - pargs.tryVersion = kTLSProtocol12; - pargs.acceptedProts = NULL; - if(!pargs.silent) { - printf("Connecting to host %s with TLS V1.2\n", pargs.hostName); - } - fflush(stdout); - err = sslPing(&pargs); - if(err) { - ourRtn++; - } - if(!pargs.quiet) { - if(fileBase) { - sprintf(fullFileBase, "%s_v3.1", fileBase); - } - showSSLResult(pargs, - err, - displayCerts, - fileBase ? fullFileBase : NULL, - dnFileBase); - } - freePingArgs(&pargs); - if(!err) { - /* deal with fallbacks, skipping redundant tests */ - switch(pargs.negVersion) { - case kTLSProtocol11: - doTlsV11 =false; - break; - case kTLSProtocol1: - doTlsV11 =false; - doTlsV1 =false; - break; - case kSSLProtocol3: - doTlsV11 =false; - doTlsV1 =false; - doSslV3 = false; - break; - case kSSLProtocol2: - doTlsV11 =false; - doTlsV1 =false; - doSslV3 = false; - doSslV2 = false; - break; - default: - break; - } - ourRtn += verifyProtocol(verifyProt, maxProtocol, kTLSProtocol12, - pargs.negVersion); - } - /* note we do this regardless since the client state might be - * the cause of a failure */ - ourRtn += verifyClientCertState(vfyCertState, expectCertState, - pargs.certState); - } - if(doTlsV11) { - pargs.tryVersion = kTLSProtocol11; - pargs.acceptedProts = NULL; - if(!pargs.silent) { - printf("Connecting to host %s with TLS V1.1\n", pargs.hostName); - } - fflush(stdout); - err = sslPing(&pargs); - if(err) { - ourRtn++; - } - if(!pargs.quiet) { - if(fileBase) { - sprintf(fullFileBase, "%s_v3.1", fileBase); - } - showSSLResult(pargs, - err, - displayCerts, - fileBase ? 
fullFileBase : NULL, - dnFileBase); - } - freePingArgs(&pargs); - if(!err) { - /* deal with fallbacks, skipping redundant tests */ - switch(pargs.negVersion) { - case kTLSProtocol1: - doTlsV1 =false; - break; - case kSSLProtocol3: - doTlsV1 =false; - doSslV3 = false; - break; - case kSSLProtocol2: - doTlsV1 =false; - doSslV3 = false; - doSslV2 = false; - break; - default: - break; - } - ourRtn += verifyProtocol(verifyProt, maxProtocol, kTLSProtocol11, - pargs.negVersion); - } - /* note we do this regardless since the client state might be - * the cause of a failure */ - ourRtn += verifyClientCertState(vfyCertState, expectCertState, - pargs.certState); - } - if(doTlsV1) { - pargs.tryVersion = - protXOnly ? kTLSProtocol1Only : kTLSProtocol1; - pargs.acceptedProts = NULL; - if(!pargs.silent) { - printf("Connecting to host %s with TLS V1.0\n", pargs.hostName); - } - fflush(stdout); - err = sslPing(&pargs); - if(err) { - ourRtn++; - } - if(!pargs.quiet) { - if(fileBase) { - sprintf(fullFileBase, "%s_v3.1", fileBase); - } - showSSLResult(pargs, - err, - displayCerts, - fileBase ? fullFileBase : NULL, - dnFileBase); - } - freePingArgs(&pargs); - if(!err) { - /* deal with fallbacks, skipping redundant tests */ - switch(pargs.negVersion) { - case kSSLProtocol3: - doSslV3 = false; - break; - case kSSLProtocol2: - doSslV3 = false; - doSslV2 = false; - break; - default: - break; - } - ourRtn += verifyProtocol(verifyProt, maxProtocol, kTLSProtocol1, - pargs.negVersion); - } - /* note we do this regardless since the client state might be - * the cause of a failure */ - ourRtn += verifyClientCertState(vfyCertState, expectCertState, - pargs.certState); - } - if(doSslV3) { - pargs.tryVersion = protXOnly ? 
kSSLProtocol3Only : kSSLProtocol3; - pargs.acceptedProts = NULL; - if(!pargs.silent) { - printf("Connecting to host %s with SSL V3\n", pargs.hostName); - } - fflush(stdout); - err = sslPing(&pargs); - if(err) { - ourRtn++; - } - if(!pargs.quiet) { - if(fileBase) { - sprintf(fullFileBase, "%s_v3.0", fileBase); - } - showSSLResult(pargs, - err, - displayCerts, - fileBase ? fullFileBase : NULL, - dnFileBase); - } - freePingArgs(&pargs); - if(!err) { - /* deal with fallbacks, skipping redundant tests */ - switch(pargs.negVersion) { - case kSSLProtocol2: - doSslV2 = false; - break; - default: - break; - } - ourRtn += verifyProtocol(verifyProt, maxProtocol, kSSLProtocol3, - pargs.negVersion); - } - /* note we do this regardless since the client state might be - * the cause of a failure */ - ourRtn += verifyClientCertState(vfyCertState, expectCertState, - pargs.certState); - } - - if(doSslV2) { - if(fileBase) { - sprintf(fullFileBase, "%s_v2", fileBase); - } - if(!pargs.silent) { - printf("Connecting to host %s with SSL V2\n", pargs.hostName); - } - fflush(stdout); - pargs.tryVersion = kSSLProtocol2; - pargs.acceptedProts = NULL; - err = sslPing(&pargs); - if(err) { - ourRtn++; - } - if(!pargs.quiet) { - if(fileBase) { - sprintf(fullFileBase, "%s_v2", fileBase); - } - showSSLResult(pargs, - err, - displayCerts, - fileBase ? 
fullFileBase : NULL, - dnFileBase); - } - freePingArgs(&pargs); - if(!err) { - ourRtn += verifyProtocol(verifyProt, maxProtocol, kSSLProtocol2, - pargs.negVersion); - } - /* note we do this regardless since the client state might be - * the cause of a failure */ - ourRtn += verifyClientCertState(vfyCertState, expectCertState, - pargs.certState); - } - if(doProtUnknown) { - if(!pargs.silent) { - printf("Connecting to host %s with kSSLProtocolUnknown\n", - pargs.hostName); - } - fflush(stdout); - pargs.tryVersion = kSSLProtocolUnknown; - pargs.acceptedProts = NULL; - err = sslPing(&pargs); - if(err) { - ourRtn++; - } - if(!pargs.quiet) { - if(fileBase) { - sprintf(fullFileBase, "%s_def", fileBase); - } - showSSLResult(pargs, - err, - displayCerts, - fileBase ? fullFileBase : NULL, - dnFileBase); - } - freePingArgs(&pargs); - } - if(acceptedProts != NULL) { - pargs.acceptedProts = acceptedProts; - pargs.tryVersion = kSSLProtocolUnknown; // not used - if(!pargs.silent) { - printf("Connecting to host %s with acceptedProts %s\n", - pargs.hostName, pargs.acceptedProts); - } - fflush(stdout); - err = sslPing(&pargs); - if(err) { - ourRtn++; - } - if(!pargs.quiet) { - if(fileBase) { - sprintf(fullFileBase, "%s_def", fileBase); - } - showSSLResult(pargs, - err, - displayCerts, - fileBase ? 
fullFileBase : NULL, - dnFileBase); - } - freePingArgs(&pargs); - } - if(doPause || - (pauseFirstLoop && - /* pause after first, before last to grab trace */ - ((loop == 0) || (loop == loopCount - 1)) - ) - ) { - char resp; - fpurge(stdin); - printf("a to abort, c to continue: "); - resp = getchar(); - if(resp == 'a') { - break; - } - } - } /* main loop */ - if(displayHandshakeTimes) { - CFAbsoluteTime totalTime; - unsigned numHandshakes; - if(pargs.numHandshakes == 1) { - /* just display the first one */ - totalTime = pargs.handshakeTimeFirst; - numHandshakes = 1; - } - else { - /* skip the first one */ - totalTime = pargs.handshakeTimeTotal; - numHandshakes = pargs.numHandshakes - 1; - } - if(numHandshakes != 0) { - printf(" %u handshakes in %f seconds; %f seconds per handshake\n", - numHandshakes, totalTime, - (totalTime / numHandshakes)); - } - } - //printCertShutdown(); - if(ourRtn) { - printf("===%s exiting with %d %s for host %s\n", argv[0], ourRtn, - (ourRtn > 1) ? "errors" : "error", pargs.hostName); - } - return ourRtn; - -} - - diff --git a/OSX/libsecurity_ssl/sslViewer/sslViewer.xcodeproj/project.pbxproj b/OSX/libsecurity_ssl/sslViewer/sslViewer.xcodeproj/project.pbxproj deleted file mode 100644 index 28692e94..00000000 --- a/OSX/libsecurity_ssl/sslViewer/sslViewer.xcodeproj/project.pbxproj +++ /dev/null 
@@ -1,454 +0,0 @@ -// !$*UTF8*$! -{ - archiveVersion = 1; - classes = { - }; - objectVersion = 46; - objects = { - -/* Begin PBXAggregateTarget section */ - BEF16C401553365F0074AFAD /* world */ = { - isa = PBXAggregateTarget; - buildConfigurationList = BEF16C431553365F0074AFAD /* Build configuration list for PBXAggregateTarget "world" */; - buildPhases = ( - ); - dependencies = ( - BEF16C4B155343F10074AFAD /* PBXTargetDependency */, - BEF16C4E155343F30074AFAD /* PBXTargetDependency */, - ); - name = world; - productName = world; - }; -/* End PBXAggregateTarget section */ - -/* Begin PBXBuildFile section */ - BE022AF51552191100564DFE /* sslServer.1 in CopyFiles */ = {isa = PBXBuildFile; fileRef = BE022AF41552191100564DFE /* sslServer.1 */; }; - BE022AF9155219D300564DFE /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BE4E516815520B380015140F /* CFNetwork.framework */; }; - BE022AFA155219D500564DFE /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BE4E516615520B2F0015140F /* CoreFoundation.framework */; }; - BE022AFB155219D700564DFE /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BE4E516415520AE20015140F /* Security.framework */; }; - BE022AFD15521A1900564DFE /* sslServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BE022AFC15521A1900564DFE /* sslServer.cpp */; }; - BE022AFE15521A2100564DFE /* fileIo.c in Sources */ = {isa = PBXBuildFile; fileRef = BE4E516A15520CF00015140F /* fileIo.c */; }; - BE022AFF15521A2400564DFE /* ioSock.c in Sources */ = {isa = PBXBuildFile; fileRef = BE4E515E15520AC30015140F /* ioSock.c */; }; - BE022B0015521A2800564DFE /* printCert.c in Sources */ = {isa = PBXBuildFile; fileRef = BE4E516215520AD30015140F /* printCert.c */; }; - BE022B0115521A2B00564DFE /* sslAppUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BE4E516015520AC80015140F /* sslAppUtils.cpp */; }; - BE43DE031552106C004BE474 /* fileIo.c in Sources */ = {isa = PBXBuildFile; fileRef = 
BE4E516A15520CF00015140F /* fileIo.c */; }; - BE4E515115520A150015140F /* sslViewer.1 in CopyFiles */ = {isa = PBXBuildFile; fileRef = BE4E515015520A150015140F /* sslViewer.1 */; }; - BE4E516515520AE20015140F /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BE4E516415520AE20015140F /* Security.framework */; }; - BE4E516715520B2F0015140F /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BE4E516615520B2F0015140F /* CoreFoundation.framework */; }; - BE4E516915520B380015140F /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = BE4E516815520B380015140F /* CFNetwork.framework */; }; - BE4E516E15520D460015140F /* sslViewer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BE4E515C15520AB90015140F /* sslViewer.cpp */; }; - BE4E516F15520D480015140F /* sslAppUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BE4E516015520AC80015140F /* sslAppUtils.cpp */; }; - BE4E517115520D530015140F /* ioSock.c in Sources */ = {isa = PBXBuildFile; fileRef = BE4E515E15520AC30015140F /* ioSock.c */; }; - BE4E517215520D570015140F /* printCert.c in Sources */ = {isa = PBXBuildFile; fileRef = BE4E516215520AD30015140F /* printCert.c */; }; -/* End PBXBuildFile section */ - -/* Begin PBXContainerItemProxy section */ - BEF16C4A155343F10074AFAD /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = BE4E514115520A150015140F /* Project object */; - proxyType = 1; - remoteGlobalIDString = BE4E514915520A150015140F; - remoteInfo = sslViewer; - }; - BEF16C4D155343F30074AFAD /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = BE4E514115520A150015140F /* Project object */; - proxyType = 1; - remoteGlobalIDString = BE022AEE1552191100564DFE; - remoteInfo = sslServer; - }; -/* End PBXContainerItemProxy section */ - -/* Begin PBXCopyFilesBuildPhase section */ - BE022AED1552191100564DFE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - 
dstPath = /usr/share/man/man1/; - dstSubfolderSpec = 0; - files = ( - BE022AF51552191100564DFE /* sslServer.1 in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; - BE4E514815520A150015140F /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = /usr/share/man/man1/; - dstSubfolderSpec = 0; - files = ( - BE4E515115520A150015140F /* sslViewer.1 in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; -/* End PBXCopyFilesBuildPhase section */ - -/* Begin PBXFileReference section */ - BE022AEF1552191100564DFE /* sslServer */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = sslServer; sourceTree = BUILT_PRODUCTS_DIR; }; - BE022AF41552191100564DFE /* sslServer.1 */ = {isa = PBXFileReference; lastKnownFileType = text.man; path = sslServer.1; sourceTree = SOURCE_ROOT; }; - BE022AFC15521A1900564DFE /* sslServer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = sslServer.cpp; sourceTree = SOURCE_ROOT; }; - BE4E514A15520A150015140F /* sslViewer */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = sslViewer; sourceTree = BUILT_PRODUCTS_DIR; }; - BE4E515015520A150015140F /* sslViewer.1 */ = {isa = PBXFileReference; lastKnownFileType = text.man; path = sslViewer.1; sourceTree = SOURCE_ROOT; }; - BE4E515C15520AB90015140F /* sslViewer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = sslViewer.cpp; sourceTree = SOURCE_ROOT; }; - BE4E515E15520AC30015140F /* ioSock.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ioSock.c; sourceTree = SOURCE_ROOT; }; - BE4E516015520AC80015140F /* sslAppUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = sslAppUtils.cpp; sourceTree = SOURCE_ROOT; }; - BE4E516215520AD30015140F /* 
printCert.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = printCert.c; sourceTree = SOURCE_ROOT; }; - BE4E516415520AE20015140F /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = System/Library/Frameworks/Security.framework; sourceTree = SDKROOT; }; - BE4E516615520B2F0015140F /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = System/Library/Frameworks/CoreFoundation.framework; sourceTree = SDKROOT; }; - BE4E516815520B380015140F /* CFNetwork.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CFNetwork.framework; path = System/Library/Frameworks/CFNetwork.framework; sourceTree = SDKROOT; }; - BE4E516A15520CF00015140F /* fileIo.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = fileIo.c; sourceTree = SOURCE_ROOT; }; -/* End PBXFileReference section */ - -/* Begin PBXFrameworksBuildPhase section */ - BE022AEC1552191100564DFE /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - BE022AF9155219D300564DFE /* CFNetwork.framework in Frameworks */, - BE022AFA155219D500564DFE /* CoreFoundation.framework in Frameworks */, - BE022AFB155219D700564DFE /* Security.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - BE4E514715520A150015140F /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - BE4E516515520AE20015140F /* Security.framework in Frameworks */, - BE4E516715520B2F0015140F /* CoreFoundation.framework in Frameworks */, - BE4E516915520B380015140F /* CFNetwork.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXFrameworksBuildPhase section */ - -/* Begin PBXGroup section */ - BE022AF11552191100564DFE /* sslServer */ = { - isa = PBXGroup; - children = ( - 
BE022AFC15521A1900564DFE /* sslServer.cpp */, - BE022AF41552191100564DFE /* sslServer.1 */, - ); - path = sslServer; - sourceTree = SOURCE_ROOT; - }; - BE4E513F15520A150015140F = { - isa = PBXGroup; - children = ( - BE7168DA1552154E00483067 /* sslUtils */, - BE4E514D15520A150015140F /* sslViewer */, - BE022AF11552191100564DFE /* sslServer */, - BE7168D8155214F800483067 /* Frameworks */, - BE4E514B15520A150015140F /* Products */, - ); - sourceTree = "<group>"; - }; - BE4E514B15520A150015140F /* Products */ = { - isa = PBXGroup; - children = ( - BE4E514A15520A150015140F /* sslViewer */, - BE022AEF1552191100564DFE /* sslServer */, - ); - name = Products; - sourceTree = "<group>"; - }; - BE4E514D15520A150015140F /* sslViewer */ = { - isa = PBXGroup; - children = ( - BE4E515C15520AB90015140F /* sslViewer.cpp */, - BE4E515015520A150015140F /* sslViewer.1 */, - ); - path = sslViewer; - sourceTree = "<group>"; - }; - BE7168D8155214F800483067 /* Frameworks */ = { - isa = PBXGroup; - children = ( - BE4E516815520B380015140F /* CFNetwork.framework */, - BE4E516615520B2F0015140F /* CoreFoundation.framework */, - BE4E516415520AE20015140F /* Security.framework */, - ); - name = Frameworks; - sourceTree = "<group>"; - }; - BE7168DA1552154E00483067 /* sslUtils */ = { - isa = PBXGroup; - children = ( - BE4E516A15520CF00015140F /* fileIo.c */, - BE4E515E15520AC30015140F /* ioSock.c */, - BE4E516215520AD30015140F /* printCert.c */, - BE4E516015520AC80015140F /* sslAppUtils.cpp */, - ); - name = sslUtils; - sourceTree = "<group>"; - }; -/* End PBXGroup section */ - -/* Begin PBXNativeTarget section */ - BE022AEE1552191100564DFE /* sslServer */ = { - isa = PBXNativeTarget; - buildConfigurationList = BE022AF61552191100564DFE /* Build configuration list for PBXNativeTarget "sslServer" */; - buildPhases = ( - BE022AEB1552191100564DFE /* Sources */, - BE022AEC1552191100564DFE /* Frameworks */, - BE022AED1552191100564DFE /* CopyFiles */, - ); - buildRules = ( - ); - dependencies = ( - ); - 
name = sslServer; - productName = sslServer; - productReference = BE022AEF1552191100564DFE /* sslServer */; - productType = "com.apple.product-type.tool"; - }; - BE4E514915520A150015140F /* sslViewer */ = { - isa = PBXNativeTarget; - buildConfigurationList = BE4E515415520A150015140F /* Build configuration list for PBXNativeTarget "sslViewer" */; - buildPhases = ( - BE4E514615520A150015140F /* Sources */, - BE4E514715520A150015140F /* Frameworks */, - BE4E514815520A150015140F /* CopyFiles */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = sslViewer; - productName = sslViewer; - productReference = BE4E514A15520A150015140F /* sslViewer */; - productType = "com.apple.product-type.tool"; - }; -/* End PBXNativeTarget section */ - -/* Begin PBXProject section */ - BE4E514115520A150015140F /* Project object */ = { - isa = PBXProject; - attributes = { - LastUpgradeCheck = 0440; - }; - buildConfigurationList = BE4E514415520A150015140F /* Build configuration list for PBXProject "sslViewer" */; - compatibilityVersion = "Xcode 3.2"; - developmentRegion = English; - hasScannedForEncodings = 0; - knownRegions = ( - en, - ); - mainGroup = BE4E513F15520A150015140F; - productRefGroup = BE4E514B15520A150015140F /* Products */; - projectDirPath = ""; - projectRoot = ""; - targets = ( - BEF16C401553365F0074AFAD /* world */, - BE4E514915520A150015140F /* sslViewer */, - BE022AEE1552191100564DFE /* sslServer */, - ); - }; -/* End PBXProject section */ - -/* Begin PBXSourcesBuildPhase section */ - BE022AEB1552191100564DFE /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - BE022AFD15521A1900564DFE /* sslServer.cpp in Sources */, - BE022B0115521A2B00564DFE /* sslAppUtils.cpp in Sources */, - BE022AFE15521A2100564DFE /* fileIo.c in Sources */, - BE022AFF15521A2400564DFE /* ioSock.c in Sources */, - BE022B0015521A2800564DFE /* printCert.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - BE4E514615520A150015140F /* 
Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - BE4E516E15520D460015140F /* sslViewer.cpp in Sources */, - BE4E516F15520D480015140F /* sslAppUtils.cpp in Sources */, - BE43DE031552106C004BE474 /* fileIo.c in Sources */, - BE4E517115520D530015140F /* ioSock.c in Sources */, - BE4E517215520D570015140F /* printCert.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXSourcesBuildPhase section */ - -/* Begin PBXTargetDependency section */ - BEF16C4B155343F10074AFAD /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = BE4E514915520A150015140F /* sslViewer */; - targetProxy = BEF16C4A155343F10074AFAD /* PBXContainerItemProxy */; - }; - BEF16C4E155343F30074AFAD /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = BE022AEE1552191100564DFE /* sslServer */; - targetProxy = BEF16C4D155343F30074AFAD /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - -/* Begin XCBuildConfiguration section */ - BE022AF71552191100564DFE /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - "HEADER_SEARCH_PATHS[arch=*]" = ( - "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", - "$(HEADER_SEARCH_PATHS)", - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = ""; - }; - name = Debug; - }; - BE022AF81552191100564DFE /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - "HEADER_SEARCH_PATHS[arch=*]" = ( - "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", - "$(HEADER_SEARCH_PATHS)", - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = ""; - }; - name = Release; - }; - BE4E515215520A150015140F /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = "$(ARCHS_STANDARD_64_BIT)"; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - COMBINE_HIDPI_IMAGES = YES; - COPY_PHASE_STRIP = NO; - GCC_C_LANGUAGE_STANDARD = 
gnu99; - GCC_DYNAMIC_NO_PIC = NO; - GCC_ENABLE_OBJC_EXCEPTIONS = YES; - GCC_OPTIMIZATION_LEVEL = 0; - GCC_PREPROCESSOR_DEFINITIONS = ( - "DEBUG=1", - "$(inherited)", - ); - GCC_SYMBOLS_PRIVATE_EXTERN = NO; - GCC_VERSION = com.apple.compilers.llvm.clang.1_0; - GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES; - GCC_WARN_UNUSED_VARIABLE = YES; - "HEADER_SEARCH_PATHS[arch=*]" = ( - "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", - "$(HEADER_SEARCH_PATHS)", - "$(PROJECT_DIR)/../Security", - ); - MACOSX_DEPLOYMENT_TARGET = 10.8; - ONLY_ACTIVE_ARCH = YES; - SDKROOT = ""; - }; - name = Debug; - }; - BE4E515315520A150015140F /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = "$(ARCHS_STANDARD_64_BIT)"; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - COMBINE_HIDPI_IMAGES = YES; - COPY_PHASE_STRIP = YES; - DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; - GCC_C_LANGUAGE_STANDARD = gnu99; - GCC_ENABLE_OBJC_EXCEPTIONS = YES; - GCC_VERSION = com.apple.compilers.llvm.clang.1_0; - GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES; - GCC_WARN_UNUSED_VARIABLE = YES; - "HEADER_SEARCH_PATHS[arch=*]" = ( - "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", - "$(HEADER_SEARCH_PATHS)", - "$(PROJECT_DIR)/../Security", - ); - MACOSX_DEPLOYMENT_TARGET = 10.8; - SDKROOT = ""; - }; - name = Release; - }; - BE4E515515520A150015140F /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - "HEADER_SEARCH_PATHS[arch=*]" = ( - "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", - "$(HEADER_SEARCH_PATHS)", - "$(PROJECT_DIR)", - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = ""; - }; - name = Debug; - }; - BE4E515615520A150015140F /* Release */ = { - isa = 
XCBuildConfiguration; - buildSettings = { - "HEADER_SEARCH_PATHS[arch=*]" = ( - "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", - "$(HEADER_SEARCH_PATHS)", - "$(PROJECT_DIR)", - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = ""; - }; - name = Release; - }; - BEF16C411553365F0074AFAD /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Debug; - }; - BEF16C421553365F0074AFAD /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Release; - }; -/* End XCBuildConfiguration section */ - -/* Begin XCConfigurationList section */ - BE022AF61552191100564DFE /* Build configuration list for PBXNativeTarget "sslServer" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - BE022AF71552191100564DFE /* Debug */, - BE022AF81552191100564DFE /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; - BE4E514415520A150015140F /* Build configuration list for PBXProject "sslViewer" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - BE4E515215520A150015140F /* Debug */, - BE4E515315520A150015140F /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; - BE4E515415520A150015140F /* Build configuration list for PBXNativeTarget "sslViewer" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - BE4E515515520A150015140F /* Debug */, - BE4E515615520A150015140F /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; - BEF16C431553365F0074AFAD /* Build configuration list for PBXAggregateTarget "world" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - BEF16C411553365F0074AFAD /* Debug */, - BEF16C421553365F0074AFAD /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; -/* End XCConfigurationList section 
*/ - }; - rootObject = BE4E514115520A150015140F /* Project object */; -}
diff --git a/OSX/libsecurity_transform/Configurations/libsecurity_transform_core.xcconfig b/OSX/libsecurity_transform/Configurations/libsecurity_transform_core.xcconfig
index 80001ccd..2a6db42c 100644
--- a/OSX/libsecurity_transform/Configurations/libsecurity_transform_core.xcconfig
+++ b/OSX/libsecurity_transform/Configurations/libsecurity_transform_core.xcconfig
@@ -24,3 +24,4 @@ OTHER_LDFLAGS_normal = $(OPT_LDFLAGS) $(OTHER_LDFLAGS)
 OTHER_LDFLAGS_profile = $(OPT_LDFLAGS) $(OTHER_LDFLAGS) -pg
 GCC_ENABLE_CPP_EXCEPTIONS = NO
 GCC_ENABLE_CPP_RTTI = NO
+GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0
diff --git a/OSX/libsecurity_transform/Configurations/security_transform_Default.xcconfig b/OSX/libsecurity_transform/Configurations/security_transform_Default.xcconfig
index 9ef6111a..cb2357ee 100644
--- a/OSX/libsecurity_transform/Configurations/security_transform_Default.xcconfig
+++ b/OSX/libsecurity_transform/Configurations/security_transform_Default.xcconfig
@@ -6,3 +6,4 @@ WRAPPER_EXTENSION = framework
 EXECUTABLE_SUFFIX =
 GCC_ENABLE_CPP_EXCEPTIONS = NO
 GCC_ENABLE_CPP_RTTI = NO
+GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0
diff --git a/OSX/libsecurity_transform/Configurations/security_transform_Deployment.xcconfig b/OSX/libsecurity_transform/Configurations/security_transform_Deployment.xcconfig
index fd75ed9b..d79ea3fc 100644
--- a/OSX/libsecurity_transform/Configurations/security_transform_Deployment.xcconfig
+++ b/OSX/libsecurity_transform/Configurations/security_transform_Deployment.xcconfig
@@ -8,3 +8,4 @@ EXECUTABLE_SUFFIX =
 ZERO_LINK = NO
 GCC_ENABLE_CPP_EXCEPTIONS = NO
 GCC_ENABLE_CPP_RTTI = NO
+GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0
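Review bot: The added `GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0` carries no comment saying why the inlined OSSpinLock replacement is being turned off, and the identical line is repeated in security_transform_Default.xcconfig, security_transform_Deployment.xcconfig and security_transform_Development.xcconfig (the next three hunks). Presumably the intent is to keep the transform library calling the out-of-line OSSpinLock routines rather than the SDK's inlined wrappers; a one-line comment above the setting, `// OSSPINLOCK_USE_INLINED=0: keep OSSpinLock calls out-of-line instead of the SDK's inlined replacement`, would let that intent survive the next SDK bump. Since all four files already share the same exceptions/RTTI settings, the definition could also live in one included xcconfig so a fifth configuration cannot silently miss it.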
diff --git a/OSX/libsecurity_transform/Configurations/security_transform_Development.xcconfig b/OSX/libsecurity_transform/Configurations/security_transform_Development.xcconfig
index 2dd2c64c..0d2deb5a 100644
--- a/OSX/libsecurity_transform/Configurations/security_transform_Development.xcconfig
+++ b/OSX/libsecurity_transform/Configurations/security_transform_Development.xcconfig
@@ -11,3 +11,4 @@ GCC_GENERATE_DEBUGGING_SYMBOLS = YES
 ZERO_LINK = YES
 GCC_ENABLE_CPP_EXCEPTIONS = NO
 GCC_ENABLE_CPP_RTTI = NO
+GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0
diff --git a/OSX/libsecurity_transform/custom.h b/OSX/libsecurity_transform/custom.h
index fc5a9464..3e308d53 100644
--- a/OSX/libsecurity_transform/custom.h
+++ b/OSX/libsecurity_transform/custom.h
@@ -22,10 +22,10 @@
 */
-#import <SenTestingKit/SenTestingKit.h>
+#import <XCTest/XCTest.h>
-@interface custom : SenTestCase {
+@interface custom : XCTestCase {
 }
diff --git a/OSX/libsecurity_transform/lib/SecDigestTransform.h b/OSX/libsecurity_transform/lib/SecDigestTransform.h
index cb6dfa65..83415105 100644
--- a/OSX/libsecurity_transform/lib/SecDigestTransform.h
+++ b/OSX/libsecurity_transform/lib/SecDigestTransform.h
@@ -93,7 +93,7 @@ extern const CFStringRef kSecDigestTypeAttribute;
 /*!
 @constant kSecDigestLengthAttribute
 Used with SecTransformGetAttribute to query the length attribute.
- Returns a CFNumberRef that contains the length.
+ Returns a CFNumberRef that contains the length in bytes.
 */
 extern const CFStringRef kSecDigestLengthAttribute;
diff --git a/OSX/libsecurity_transform/lib/c++utils.cpp b/OSX/libsecurity_transform/lib/c++utils.cpp
index cb00ea23..798ea84f 100644
--- a/OSX/libsecurity_transform/lib/c++utils.cpp
+++ b/OSX/libsecurity_transform/lib/c++utils.cpp
@@ -24,7 +24,7 @@ std::string StringFromCFString(CFStringRef theString)
 CFStringGetCString(theString, buffer, maxLength, 0);
 string result(buffer);
- delete [] buffer;
+ delete[] buffer;
 return result;
 }
diff --git a/OSX/libsecurity_transform/libsecurity_transform.xcodeproj/project.pbxproj b/OSX/libsecurity_transform/libsecurity_transform.xcodeproj/project.pbxproj index fcd899c4..a48f2532 100644 --- a/OSX/libsecurity_transform/libsecurity_transform.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_transform/libsecurity_transform.xcodeproj/project.pbxproj @@ -8,7 +8,6 @@ /* Begin PBXBuildFile section */ 18C5A961148442000010EF34 /* libsecurity_transform.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CA1FEBE052A3C8100F22E42 /* libsecurity_transform.a */; }; - 18C5A964148443F00010EF34 /* SenTestingKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18C5A963148443F00010EF34 /* SenTestingKit.framework */; }; 18C5A9661484440D0010EF34 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18C5A9651484440D0010EF34 /* Foundation.framework */; }; 4C010B9B121AE9960094CB72 /* speed-test.mm in Sources */ = {isa = PBXBuildFile; fileRef = 4C010B9A121AE9960094CB72 /* speed-test.mm */; }; 4C010BBB121AECF10094CB72 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5D16D6FB114EA1000096BD75 /* Security.framework */; }; 
@@ -111,7 +110,6 @@ 18BBC73B1471F6DF00F2B224 /* lib.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = lib.xcconfig; sourceTree = "<group>"; }; 18BBC73C1471F6DF00F2B224 /* release.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = release.xcconfig; sourceTree = "<group>"; }; 18BBC73D1471F6DF00F2B224 /* security.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = security.xcconfig; sourceTree = "<group>"; }; - 18C5A963148443F00010EF34 /* SenTestingKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SenTestingKit.framework; path = Library/Frameworks/SenTestingKit.framework; sourceTree = DEVELOPER_DIR; }; 18C5A9651484440D0010EF34 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; }; 4C010B87121AE8DF0094CB72 /* input-speed-test */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = "input-speed-test"; sourceTree = BUILT_PRODUCTS_DIR; }; 4C010B99121AE9960094CB72 /* speed-test.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "speed-test.h"; path = "misc/speed-test.h"; sourceTree = "<group>"; }; 
@@ -129,7 +127,7 @@ 4C6E5965116D4E3E00A70E8F /* misc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = misc.h; sourceTree = "<group>"; }; 4C73822B112DCC4800EA003B /* SecCustomTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCustomTransform.h; sourceTree = "<group>"; }; 4C73822C112DCC4800EA003B /* SecCustomTransform.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = SecCustomTransform.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; - 4C738257112DF65200EA003B /* unit-tests.octest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = "unit-tests.octest"; sourceTree = BUILT_PRODUCTS_DIR; }; + 4C738257112DF65200EA003B /* unit-tests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = "unit-tests.xctest"; sourceTree = BUILT_PRODUCTS_DIR; }; 4C738258112DF65200EA003B /* unit-tests-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "unit-tests-Info.plist"; sourceTree = "<group>"; }; 4C738260112DF68900EA003B /* custom.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = custom.h; sourceTree = "<group>"; }; 4CA1FEBE052A3C8100F22E42 /* libsecurity_transform.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libsecurity_transform.a; sourceTree = BUILT_PRODUCTS_DIR; }; @@ -216,7 +214,6 @@ buildActionMask = 2147483647; files = ( 18C5A9661484440D0010EF34 /* Foundation.framework in Frameworks */, - 18C5A964148443F00010EF34 /* SenTestingKit.framework in Frameworks */, 18C5A961148442000010EF34 /* libsecurity_transform.a in Frameworks */, 4CD6A669113F41990094F287 /* libz.dylib in Frameworks */, 4CC4A8B21264D22300075C8F /* Security.framework in Frameworks */, 
@@ -269,7 +266,6 @@ isa = PBXGroup; children = ( 18C5A9651484440D0010EF34 /* Foundation.framework */, - 18C5A963148443F00010EF34 /* SenTestingKit.framework */, 18BBC7381471F6DF00F2B224 /* config */, 4C27A37414F2D66C007FCA66 /* libcorecrypto.dylib */, 4C010BBE121AED340094CB72 /* libc++.dylib */, @@ -290,7 +286,7 @@ isa = PBXGroup; children = ( 4CA1FEBE052A3C8100F22E42 /* libsecurity_transform.a */, - 4C738257112DF65200EA003B /* unit-tests.octest */, + 4C738257112DF65200EA003B /* unit-tests.xctest */, 4CBCBEB61130A2D700CC18E9 /* 100-sha2 */, 4C010B87121AE8DF0094CB72 /* input-speed-test */, ); @@ -468,8 +464,8 @@ ); name = "unit-tests"; productName = "unit-tests"; - productReference = 4C738257112DF65200EA003B /* unit-tests.octest */; - productType = "com.apple.product-type.bundle.ocunit-test"; + productReference = 4C738257112DF65200EA003B /* unit-tests.xctest */; + productType = "com.apple.product-type.bundle.unit-test"; }; 4CA1FEBD052A3C8100F22E42 /* libsecurity_transform */ = { isa = PBXNativeTarget; @@ -511,8 +507,8 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastTestingUpgradeCheck = 0700; - LastUpgradeCheck = 0700; + LastTestingUpgradeCheck = 0730; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD4040987FCDF001272E0 /* Build configuration list for PBXProject "libsecurity_transform" */; compatibilityVersion = "Xcode 3.2"; @@ -699,8 +695,8 @@ "$(inherited)", /usr/lib/system, ); + PRODUCT_BUNDLE_IDENTIFIER = "com.yourcompany.${PRODUCT_NAME:rfc1034identifier}"; PRODUCT_NAME = "unit-tests"; - WRAPPER_EXTENSION = octest; }; name = Debug; }; @@ -718,8 +714,8 @@ "$(inherited)", /usr/lib/system, ); + PRODUCT_BUNDLE_IDENTIFIER = "com.yourcompany.${PRODUCT_NAME:rfc1034identifier}"; PRODUCT_NAME = "unit-tests"; - WRAPPER_EXTENSION = octest; }; name = Release; }; 
@@ -806,6 +802,10 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18BBC73A1471F6DF00F2B224 /* debug.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + ENABLE_TESTABILITY = YES; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; + ONLY_ACTIVE_ARCH = YES; SDKROOT = macosx.internal; }; name = Debug; @@ -814,6 +814,8 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18BBC73C1471F6DF00F2B224 /* release.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; SDKROOT = macosx.internal; }; name = Release;
diff --git a/OSX/libsecurity_transform/unit-tests-Info.plist b/OSX/libsecurity_transform/unit-tests-Info.plist
index c285a472..66a5a8a2 100644
--- a/OSX/libsecurity_transform/unit-tests-Info.plist
+++ b/OSX/libsecurity_transform/unit-tests-Info.plist
@@ -7,7 +7,7 @@
 <key>CFBundleExecutable</key>
 <string>${EXECUTABLE_NAME}</string>
 <key>CFBundleIdentifier</key>
- <string>com.yourcompany.${PRODUCT_NAME:rfc1034identifier}</string>
+ <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 <key>CFBundleInfoDictionaryVersion</key>
 <string>6.0</string>
 <key>CFBundlePackageType</key>
diff --git a/OSX/libsecurity_translocate/lib/SecTranslocate.cpp b/OSX/libsecurity_translocate/lib/SecTranslocate.cpp
new file mode 100644
index 00000000..a86aa4c8
--- /dev/null
+++ b/OSX/libsecurity_translocate/lib/SecTranslocate.cpp
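Review bot: `$(PRODUCT_BUNDLE_IDENTIFIER)` now resolves to whatever the build setting holds, and the project.pbxproj hunks in this same commit set that setting to the Xcode template placeholder `com.yourcompany.${PRODUCT_NAME:rfc1034identifier}`, so the test bundle's CFBundleIdentifier is effectively unchanged from the placeholder it carried before. Now that the value lives in one build setting it is the right moment to give the unit-tests target a real reverse-DNS identifier, `PRODUCT_BUNDLE_IDENTIFIER = <real-reverse-dns-id>` in both its Debug and Release configurations; a leftover `com.yourcompany` id can collide with any other template-derived test bundle and is easy to mistake for a signed product identity.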
@@ -0,0 +1,500 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include <stdio.h> +#include <sys/param.h> +#include <sys/mount.h> + +#include <string> +#include <vector> + +#include <security_utilities/cfutilities.h> +#include <security_utilities/unix++.h> +#include <security_utilities/logging.h> + +#include "SecTranslocate.h" +#include "SecTranslocateShared.hpp" +#include "SecTranslocateInterface.hpp" +#include "SecTranslocateUtilities.hpp" + + +/* Strategy: + + This library exists to create and destroy app translocation points. To ensure that a given + process using this library is only making or destroying one mountpoint at a time, the two + interface functions are sychronized on a dispatch queue. + + **** App Translocation Strategy w/o a destination path **** + (This functionality is implemented in SecTranslocateShared.hpp/cpp) + + To create a translocation mountpoint, if no destination path is provided, first the app + path to be translocated is realpathed to ensure it exists and there are no symlink's in + the path we work with. 
Then the calling user's _CS_DARWIN_USER_TEMP_DIR is found. This + is used to calculate the user's AppTranslocation directory. The formula is: + User's App Translocation Directory = realpath(confstr(_CS_DARWIN_USER_TEMP_DIR))+/AppTranslocation/ + + Then the mount table is checked to see whether or not a translocation point already exists + for this user for the app being requested. The rule for an already existing mount is that + there must exist a mountpoint in the user's app translocation directory that is mounted + from realpath of the requested app. + + If a mount exists already for this user, then the path to the app in that mountpoint is + calculated and sanity checked. + + The rules to create the app path inside the mountpoint are: + + original app path = /some/path/<app name> + new app path = realpath(confstr(_CS_DARWIN_USER_TEMP_DIR))+/AppTranslocation/<UUID>/d/<app name> + + The sanity check for the new app path is that: + 1. new app path exists + 2. new app path is in a nullfs mount + 3. new app path is already completely resolved. + + If the sanity checks pass for the new app path, then that path is returned to the caller. + + If no translocation mount point exists already per the mount table then an AppTranslocation + directory is created within the temp dir if it doesn't already exist. After that a UUID is + generated, that UUID is used as the name of a new directory in the AppTranslocation directory. + Once the new directory has been created and sanity checked, mount is called to create the + translocation between the original path and the new directory. Then the new path to the app + within the mountpoint is calculated and sanity checked. + + The sanity check rules for the mountpoint before the mount are: + 1. Something exists at the expected path + 2. That something is a directory + 3. That something is not already a mountpoint + 4. 
The expected path is fully resolved + + The sanity check for the new app path is listed above (for the mountpoint exists case). + + **** App Translocation strategy w/ a destination path **** + (This functionality is implemented in SecTranslocateShared.hpp/cpp) + + If a destination path is provided, a sequence similar to that described above is followed + with the following modifications. + + The destination path is expected to be of the same form as new app path. This expectation + is verified. + + First we verify that the destination path ends with /d/<app name> and that the <app name> + component of the destination path matches the <app name> of the original app app path + requested. If not, an error occurs. Everything before the /d/ is treated becomes the + requested destination mount point. + + After the user's app translocation directory is calculated, we ensure that the requested + destination mount point is prefixed by the translocation directory, and contains only one + path component after the user's app translocation path, otherwise an error occurs. + + When we check the mount table, we make sure that if the a translocation of the app already + exists for the user, then the translocation path must exactly match the requested + destination path, otherwise an error occurs. + + If no mountpoint exists for the app, then we attempt to create the requested directory within + the user's app translocation directory. This becomes the mount point, and the mount point + sanity checks listed above are applied. + + If the requested destination mountpoint is successfully created, the flow continues as above + to create the mount and verify the requested path within the mountpoint. The only extra step + here is that at the end, the requested app path, must exactly equal the created app path. 
+ + **** App Translocation error cleanup **** + (This functionality is implemented in SecTranslocateShared.hpp/cpp) + + The error cleanup strategy for translocation creation is to try to destroy any directories + or mount points in the user's translocation directory that were created before an error + was detected. This means tracking whether we created a directory, or it already existed when + a caller asked for it. Clean up is considered best effort. + + **** Deleting an App Translocation point **** + (This functionality is implemented in SecTranslocateShared.hpp/cpp) + + To destroy an app translocation point, the first thing we do is calculate the user's app + translocation directory to ensure that the requested path is actually within that directory. + We also verify that it is in fact a nullfs mount point. If it is, then we attempt to unmount and + remove the translocation point. + + Regardless of whether or not the requested path is a translocation point, we opportunistically + attempt to cleanup the app translocation directory. Clean up means, looping through all the + directories currently in the user's app translocation directory and checking whether or not + they are a mount point. If a directory inside the user's app translocation directory is not + a mountpoint, then we attempt to delete it. + + **** Quarantine considerations **** + (This functionality is implemented in SecTranslocateShared.hpp/cpp and SecTranslocateUtilities.hpp/cpp) + + If the original app path includes files with quarantine extended attributes, then those extended + attributes will be readable through the created app translocation mountpoint. nullfs does not + support removing or setting extended attributes on its vnodes. Changes to the quarantine + attributes at the original path will be reflected in the app translocation mountpoint without + creating a new mount point. 
+ + If the original app path is inside a quarantined mountpoint (such as a quarantined dmg), then + that the quarantine information for that mountpoint is read from the original app path's + mountpoint and applied to the created app translocation mountpoint. + + **** Concurrency considerations **** + This library treats the kernel as the source of truth for the status of the file system. + Unfortunately it has no way to lock the state of the file system and mount table while + it is operating. Because of this, there are two potential areas that have race windows. + + First, if any other system entity (thread within the same process, or other process + within the system) is adding or removing entries from the mount table while + SecTranslocateCreateSecureDirectoryForURL is executing, then there is the possibility that + an incorrect decision will be made about the current existence of a mount point for a user + for an app. This is because getfsstat gets a snapshot of the mount table state rather than a + locked window into the kernel and because we make two seperate calls to getfsstat, one to get + the number of mountpoints, and a second to actually read the mountpoint data. If more than + one process is using this library for the same user, then both processes could attempt to + create a translocation for the same app, and this could result in more than one translocation + for that app for the user. This shouldn't effect the user other than using additional + system resources. We attempt to mitigate this by allocating double the required memory from + the first call and then trying the process again (once) if the initial memory was filled. 
+ + Second, if more than one process is using this library simultaneously and one process calls + SecTranslocateDeleteSecureDirectory for a user and the other calls + SecTranslocateCreateSecureDirectoryForURL for that same user, then the call to + SecTranslocateDeleteSecureDirectory may cause SecTranslocateCreateSecureDirectoryForURL to + fail. This will occur if the loop checking for unmounted directories in the user's app + translocation directory deletes a newly created directory before the mount call finishes. This + race condition will probably result in a failed app launch. A second attempt to launch the app + will probably succeed. + + Concurrency is now split between SecTranslocateClient.hpp/cpp, SecTranslocateServer.hpp/cpp, + SecTranslocateDANotification.hpp/cpp, SecTranslocateLSNotification.hpp/cpp, and + SecTranslocateXPCServer.hpp/cpp. Each of these represent different ways of entering translocation + functionality. + + **** Logging Strategy **** + Use warning logging for interesting conditions (e.g. translocation point created or destroyed). + Use error logging for non-fatal failures. Use critical logging for fatal failures. + */ + +/* Make a CFError from an POSIX error code */ +static CFErrorRef SecTranslocateMakePosixError(CFIndex errorCode) +{ + return CFErrorCreate(NULL, kCFErrorDomainPOSIX, errorCode, NULL); +} + +/* must be called before any other function in this SPI if the process is intended to be the server */ +Boolean SecTranslocateStartListening(CFErrorRef* __nullable error) +{ + Boolean result = false; + CFIndex errorCode = 0; + try + { + /* ask getTranslocator for the server */ + result = Security::SecTranslocate::getTranslocator(true) != NULL; + } + catch (Security::UnixError err) + { + errorCode = err.unixError(); + } + catch(...) 
+ { + Syslog::critical("SecTranslocate: uncaught exception during server initialization"); + errorCode = EINVAL; + } + + if (error && errorCode) + { + *error = SecTranslocateMakePosixError(errorCode); + } + + return result; +} + +/* placeholder api for now to allow for future options at startup */ +Boolean SecTranslocateStartListeningWithOptions(CFDictionaryRef __unused options, CFErrorRef * __nullable outError) +{ + return SecTranslocateStartListening(outError); +} + +/* Register that a (translocated) pid has launched */ +void SecTranslocateAppLaunchCheckin(pid_t pid) +{ + try + { + Security::SecTranslocate::getTranslocator()->appLaunchCheckin(pid); + } + catch (...) + { + Syslog::error("SecTranslocate: error in SecTranslocateAppLaunchCheckin"); + } +} + +/* Create an app translocation point given the original path and an optional destination path. */ +CFURLRef __nullable SecTranslocateCreateSecureDirectoryForURL (CFURLRef pathToTranslocate, + CFURLRef __nullable destinationPath, + CFErrorRef* __nullable error) +{ + CFURLRef result = NULL; + CFIndex errorCode = 0; + + try + { + string sourcePath = cfString(pathToTranslocate); // returns an absolute path + + Security::SecTranslocate::TranslocationPath toTranslocatePath(sourcePath); + + if(!toTranslocatePath.shouldTranslocate()) + { + /* We shouldn't translocate so, just retain so that the return value can be treated as a copy */ + CFRetain(pathToTranslocate); + return pathToTranslocate; + } + + /* We need to translocate so keep going */ + string destPath; + + if(destinationPath) + { + destPath = cfString(destinationPath); //returns an absolute path + } + + string out_path = Security::SecTranslocate::getTranslocator()->translocatePathForUser(toTranslocatePath, destPath); + + if(!out_path.empty()) + { + result = makeCFURL(out_path, true); + } + else + { + Syslog::error("SecTranslocateCreateSecureDirectoryForURL: No mountpoint and no prior exception. 
Shouldn't be here"); + UnixError::throwMe(EINVAL); + } + + } + catch (Security::UnixError err) + { + errorCode = err.unixError(); + } + catch(...) + { + Syslog::critical("SecTranslocate: uncaught exception during mountpoint creation"); + errorCode = EACCES; + } + + if (error && errorCode) + { + *error = SecTranslocateMakePosixError(errorCode); + } + return result; +} + +/* Destroy the specified translocated path, and clean up the user's translocation directory. */ +Boolean SecTranslocateDeleteSecureDirectory(CFURLRef translocatedPath, CFErrorRef* __nullable error) +{ + bool result = false; + int errorCode = 0; + + if(translocatedPath == NULL) + { + errorCode = EINVAL; + goto end; + } + + try + { + string pathToDestroy = cfString(translocatedPath); + result = Security::SecTranslocate::getTranslocator()->destroyTranslocatedPathForUser(pathToDestroy); + } + catch (Security::UnixError err) + { + errorCode = err.unixError(); + } + catch(...) + { + Syslog::critical("SecTranslocate: uncaught exception during mountpoint deletion"); + errorCode = EACCES; + } +end: + if (error && errorCode) + { + *error = SecTranslocateMakePosixError(errorCode); + } + + return result; +} + +/* Decide whether we need to translocate */ +Boolean SecTranslocateURLShouldRunTranslocated(CFURLRef path, bool* shouldTranslocate, CFErrorRef* __nullable error) +{ + bool result = false; + int errorCode = 0; + + if(path == NULL || shouldTranslocate == NULL) + { + errorCode = EINVAL; + goto end; + } + + try + { + string pathToCheck = cfString(path); + Security::SecTranslocate::TranslocationPath tPath(pathToCheck); + *shouldTranslocate = tPath.shouldTranslocate(); + result = true; + } + catch (Security::UnixError err) + { + errorCode = err.unixError(); + } + catch(...) 
+ { + Syslog::critical("SecTranslocate: uncaught exception during policy check"); + errorCode = EACCES; + } + +end: + if (error && errorCode) + { + *error = SecTranslocateMakePosixError(errorCode); + } + + return result; +} + +/* Answer whether or not the passed in URL is a nullfs URL. This just checks nullfs rather than + nullfs + in the user's translocation path to allow callers like LaunchServices to apply special + handling to nullfs mounts regardless of the calling user (i.e. root lsd can identify all translocated + mount points for all users). + */ +Boolean SecTranslocateIsTranslocatedURL(CFURLRef path, bool* isTranslocated, CFErrorRef* __nullable error) +{ + bool result = false; + int errorCode = 0; + + if(path == NULL || isTranslocated == NULL) + { + if(error) + { + *error = SecTranslocateMakePosixError(EINVAL); + } + return result; + } + + *isTranslocated = false; + + try + { + string cpp_path = cfString(path); + /* "/" i.e. the root volume, cannot be translocated (or mounted on by other file system after boot) + so don't bother to make system calls if "/" is what is being asked about. + This is an optimization to help LaunchServices which expects to use SecTranslocateIsTranslocatedURL + on every App Launch. + */ + if (cpp_path != "/") + { + /* to avoid AppSandbox violations, use a path based check here. + We only look for nullfs file type anyway. */ + struct statfs sfb; + if (statfs(cpp_path.c_str(), &sfb) == 0) + { + *isTranslocated = (strcmp(sfb.f_fstypename, NULLFS_FSTYPE) == 0); + result = true; + } + else + { + errorCode = errno; + Syslog::error("SecTranslocate: can not access %s, error: %s", cpp_path.c_str(), strerror(errorCode)); + } + } + else + { + result = true; + } + } + catch (Security::UnixError err) + { + errorCode = err.unixError(); + } + catch(...) 
+ { + Syslog::critical("SecTranslocate: uncaught exception during policy check"); + errorCode = EACCES; + } + + if (error && errorCode) + { + *error = SecTranslocateMakePosixError(errorCode); + } + + return result; +} + +/* Find the original path for translocation mounts belonging to the calling user. + if the url isn't on a nullfs volume then returned a retained copy of the passed in url. + if the url is on a nullfs volume but that volume doesn't belong to the user, or another + error occurs then null is returned */ +CFURLRef __nullable SecTranslocateCreateOriginalPathForURL(CFURLRef translocatedPath, CFErrorRef* __nullable error) +{ + CFURLRef result = NULL; + int errorCode = 0; + + if(translocatedPath == NULL) + { + errorCode = EINVAL; + goto end; + } + try + { + string path = cfString(translocatedPath); + Security::SecTranslocate::ExtendedAutoFileDesc fd(path); + + if(fd.isFileSystemType(NULLFS_FSTYPE)) + { + bool isDir = false; + string out_path = Security::SecTranslocate::getOriginalPath(fd, &isDir); + if(!out_path.empty()) + { + result = makeCFURL(out_path, isDir); + } + else + { + Syslog::error("SecTranslocateCreateOriginalPath: No original and no prior exception. Shouldn't be here"); + UnixError::throwMe(EINVAL); + } + } + else + { + result = translocatedPath; + CFRetain(result); + } + } + catch (Security::UnixError err) + { + errorCode = err.unixError(); + } + catch(...) + { + Syslog::critical("SecTranslocate: uncaught exception during policy check"); + errorCode = EACCES; + } +end: + if (error && errorCode) + { + *error = SecTranslocateMakePosixError(errorCode); + } + return result; +} diff --git a/OSX/libsecurity_translocate/lib/SecTranslocate.h b/OSX/libsecurity_translocate/lib/SecTranslocate.h new file mode 100644 index 00000000..ba5a8136 --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocate.h 
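Review bot: Every handler in this file catches `Security::UnixError` by value (`catch (Security::UnixError err)`), which copies the exception object and slices anything thrown as a subclass; the idiomatic form is `catch (const Security::UnixError &err)` and the `err.unixError()` calls work unchanged. The unknown-exception fallbacks are also inconsistent: SecTranslocateStartListening maps `catch(...)` to EINVAL while the other five entry points map it to EACCES, and three of them (SecTranslocateURLShouldRunTranslocated, SecTranslocateIsTranslocatedURL, SecTranslocateCreateOriginalPathForURL) reuse the literal "uncaught exception during policy check", so the log line no longer identifies which call failed. A message naming the operation, e.g. `Syslog::critical("SecTranslocate: uncaught exception during original path lookup");` in SecTranslocateCreateOriginalPathForURL, would make triage from the log possible.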
@@ -0,0 +1,218 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef H_LIBSECURITY_TRANSLOCATE +#define H_LIBSECURITY_TRANSLOCATE + +#include <CoreFoundation/CoreFoundation.h> + +CF_ASSUME_NONNULL_BEGIN + +#ifdef __cplusplus +extern "C" { +#endif + +/*! + @function SecTranslocateStartListening + + @abstract Initialize the SecTranslocate Library as the XPC Server, Disk Arbitration Listener, and Launch Services Notification listener + + @param error On error will be populated with an error object describing the failure (a posix domain error such as EINVAL) + + @result True on success False on failure + */ +Boolean SecTranslocateStartListening(CFErrorRef* __nullable error) +__OSX_AVAILABLE(10.12); + +/*! 
+ @function SecTranslocateStartListeningWithOptions + + @abstract Initialize the SecTranslocate Library as the XPC Server, Disk Arbitration Listener, and Launch Services Notification listener + + @param option (currently unused) A dictionary of options that could impact server startup + @param outError On error will be populated with an error object describing the failure (a posix domain error such as EINVAL) + + @result True on success False on failure + */ +Boolean SecTranslocateStartListeningWithOptions(CFDictionaryRef options, CFErrorRef * __nullable outError) +__OSX_AVAILABLE(10.12); + +/*! + @function SecTranslocateCreateSecureDirectoryForURL + + @abstract Create a CFURL pointing to a translocated location from which to access the directory specified by pathToTranslocate. + + @param pathToTranslocate URL of the directory to be accessed from a translocated location. + @param destinationPath URL where the directory of interest should be translocated, or NULL for a random UUID location + @param error On error will be populated with an error object describing the failure (a posix domain error such as EINVAL) + + @result A CFURL pointing to the translocated location of the directory. + + @discussion + Calls to this function and SecTranslocateDeleteSecureDirectory are serialized to ensure only one call to either + is operating at a time. + Translocations will be created in the calling users's DARWIN_USER_TEMPDIR/AppTranslocation/<UUID> + + pathToTranslocated is expected to be of the form /some/dir/myApp.app + destinationPath is expected to be of the form /<DARWIN_USER_TEMPDIR>/AppTranslocation/<DIR>/d/myApp.app + + Resulting translocations are of the form /<DARWIN_USER_TEMPDIR>/AppTranslocation/<DIR>/d/myApp.app + <DIR> will be a UUID if destinationPath isn't specified. + + If pathToTranslocate is in a quarantined mountpoint, the quarantine attributes will be propagated to the + translocated location. 
+ + pathToTranslocate will cause a failure if it doesn't resolve to a path that exists, or it exceeds MAXPATHLEN + + destinationPath will cause a failure if + 1. it doesn't match the app (last directory) specified by path to translocate + 2. it differs from an already existing mount location for pathToTranslocate + 3. It isn't in the user's current temp dir + 4. someone created a file with the same name as the provided path + 5. It doesn't match the form /<DARWIN_USER_TEMPDIR>/AppTranslocation/<DIR>/d/myApp.app + + pathToTranslocate is returned if it should not be translocated based on policy. It is retained if so it can be treated as a copy. + + This function can be run from any process. If the process is not the xpc server, then an xpc call is made. + */ +CFURLRef __nullable SecTranslocateCreateSecureDirectoryForURL (CFURLRef pathToTranslocate, CFURLRef __nullable destinationPath, CFErrorRef* __nullable error) +__OSX_AVAILABLE(10.12); + +/*! + @function SecTranslocateAppLaunchCheckin + + @abstract Register that a translocated pid is running + + @param pid the pid to register + + @discussion this function will log if there is a problem. The actual work is either sent to the server via xpc, or dispatched async. + + This function can be run from any process. If the process is not the xpc server, then an xpc call is made. + */ +void SecTranslocateAppLaunchCheckin(pid_t pid) +__OSX_AVAILABLE(10.12); + +/*! + @function SecTranslocateURLShouldRunTranslocated + + @abstract Implements policy to decide whether the entity defined by path should be run translocated + + @param path URL to the entity in question + + @param shouldTranslocate true if the path should be translocated, false otherwise + + @param error On error will be populated with an error object describing the failure (a posix domain error such as EINVAL) + + @result true on success, false on failure (on failure error is set if provided). 
shouldTranslocate gives the answer + + @discussion The policy is as follows: + 1. If path is already on a nullfs mountpoint - no translocation + 2. No quarantine attributes - no translocation + 3. If QTN_FLAG_DO_NOT_TRANSLOCATE is set or QTN_FLAG_TRANSLOCATE is not set - no translocations + 4. Otherwise, if QTN_FLAG_TRANSLOCATE is set - translocation + + This function can be called from any process or thread. + */ +Boolean SecTranslocateURLShouldRunTranslocated(CFURLRef path, bool* shouldTranslocate, CFErrorRef* __nullable error) +__OSX_AVAILABLE(10.12); + +/*! + @function SecTranslocateIsTranslocatedURL + + @abstract indicates whether the provided path is an original path or a translocated path + + @param path path to check + + @param isTranslocated true if the path is translocated, false otherwise + + @param error On error will be populated with an error object describing the failure (a posix domain error such as EINVAL) + + @result true on success, false on failure (on failure error is set if provided). isTranslocated gives the answer + + @discussion will return + 1. false and EPERM if the caller doesn't have read access to the path + 2. false and ENOENT if the path doesn't exist + 3. false and ENINVAL if the parameters are broken + 4. true and isTranslocated = true if the path is on a nullfs mount + 5. true and isTranslocated = false if the path is not on a nullfs mount + + If path is a symlink, the results will reflect whatever the symlink actually points to. + + This function can be called from any process or thread. +*/ +Boolean SecTranslocateIsTranslocatedURL(CFURLRef path, bool* isTranslocated, CFErrorRef* __nullable error) +__OSX_AVAILABLE(10.12); + +/*! 
+ @function SecTranslocateCreateOriginalPathForURL + + @abstract finds the original path to a file given a translocated path + + @param translocatedPath the path to look up + + @param error On error will be populated with an error object describing the failure (a posix domain error such as EINVAL) + + @result A valid, existant path, or NULL on error + + @discussion will return + 1. NULL and EPERM if the caller doesn't have read access to the path + 2. NULL and ENOENT if the path doesn't exist + 3. NULL and ENINVAL if the parameters are broken + 4. A retained copy of translocatedPath if it isn't translocated + 5. The real path to original untranslocated file/directory. + + If translocatedPath is a symlink, the results will reflect whatever the symlink actually points to. + + This function can be called from any process or thread. +*/ +CFURLRef __nullable SecTranslocateCreateOriginalPathForURL(CFURLRef translocatedPath, CFErrorRef* __nullable error) +__OSX_AVAILABLE(10.12); + +/*! + @function SecTranslocateDeleteSecureDirectory + + @abstract Unmount the translocated directory structure and delete the mount point directory. + + @param translocatedPath a CFURL pointing to a translocated location. + + @param error On error will be populated with an error object describing the failure (a posix domain error such as EINVAL). + + @result true on success, false on error. + + @discussion This function will make sure that the translocatedPath belongs to the calling user before unmounting. + After an unmount, this function will iterate through all the directories in the user's AppTranslocation directory + and delete any that aren't currently mounted on. + This function can only be called from the XPC Server. An error will be returned if this is called from any other process. 
+ + */ +Boolean SecTranslocateDeleteSecureDirectory(CFURLRef translocatedPath, CFErrorRef* __nullable error) +__OSX_AVAILABLE(10.12); + + +#ifdef __cplusplus +} +#endif + +CF_ASSUME_NONNULL_END + +#endif /* H_LIBSECURITY_TRANSLOCATE */ diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateClient.cpp b/OSX/libsecurity_translocate/lib/SecTranslocateClient.cpp new file mode 100644 index 00000000..670f6c18 --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocateClient.cpp 
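Review bot: The SecTranslocateStartListeningWithOptions comment documents `@param option` but the declared parameter is `options`, so the HeaderDoc tag does not match the signature; the line should read `@param options (currently unused) A dictionary of options that could impact server startup`. The discussion blocks for SecTranslocateIsTranslocatedURL and SecTranslocateCreateOriginalPathForURL both list "ENINVAL", which is not an errno name — `EINVAL` is what the implementation in SecTranslocate.cpp actually returns for broken parameters. Smaller spelling fixes in the same hunk: "existant" → "existent" in the @result of SecTranslocateCreateOriginalPathForURL, and "users's" → "user's" in the SecTranslocateCreateSecureDirectoryForURL discussion.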
@@ -0,0 +1,190 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include <string> + +#include <dispatch/dispatch.h> +#include <xpc/xpc.h> +#include <unistd.h> + +#include <security_utilities/unix++.h> +#include <security_utilities/logging.h> + +#include "SecTranslocateClient.hpp" +#include "SecTranslocateShared.hpp" +#include "SecTranslocateInterface.hpp" + +namespace Security { + +namespace SecTranslocate { + +using namespace std; + +TranslocatorClient::TranslocatorClient(dispatch_queue_t q):syncQ(q) +{ + if(syncQ == NULL) + { + Syslog::critical("SecTranslocate::TranslocatorClient initialized without a queue."); + UnixError::throwMe(EINVAL); + } + + uint64_t flags = 0; + uid_t euid = geteuid(); + + /* 0 - is root so it gets the root lsd + 1-300 = are treated by launch services as "role users" They share a copy of the LS Database with root + and thus must be sent to the root lsd. 
*/ + if (euid <= 300) + { + flags |= XPC_CONNECTION_MACH_SERVICE_PRIVILEGED; //forces call to the root lsd + } + + service = xpc_connection_create_mach_service(SECTRANSLOCATE_XPC_SERVICE_NAME, + syncQ, + flags); + if (service == NULL) + { + Syslog::critical("SecTranslocate: TranslocatorClient, failed to create xpc mach service"); + UnixError::throwMe(ENOMEM); + } + xpc_connection_set_event_handler(service, ^(xpc_object_t event) { + xpc_type_t type = xpc_get_type(event); + if (type == XPC_TYPE_ERROR) + { + Syslog::error("SecTranslocate, client, xpc error: %s", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION)); + } + else + { + char* description = xpc_copy_description(event); + Syslog::error("SecTranslocate, client, xpc unexpected type: %s", description); + free(description); + } + }); + + dispatch_retain(syncQ); + xpc_connection_resume(service); +} + +TranslocatorClient::~TranslocatorClient() +{ + xpc_connection_cancel(service); + dispatch_release(syncQ); +} + +string TranslocatorClient::translocatePathForUser(const TranslocationPath &originalPath, const string &destPath) +{ + string outPath; + + if (!originalPath.shouldTranslocate()) + { + return originalPath.getOriginalRealPath(); //return original path if we shouldn't translocate + } + + //We should run translocated, so get a translocation point + xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0); + + if( msg == NULL) + { + Syslog::error("SecTranslocate: TranslocatorClient, failed to allocate message to send"); + UnixError::throwMe(ENOMEM); + } + + xpc_dictionary_set_string(msg, kSecTranslocateXPCMessageFunction, kSecTranslocateXPCFuncCreate); + /* send the original real path rather than the calculated path to let the server do all the work */ + xpc_dictionary_set_string(msg, kSecTranslocateXPCMessageOriginalPath, originalPath.getOriginalRealPath().c_str()); + if(!destPath.empty()) + { + xpc_dictionary_set_string(msg, kSecTranslocateXPCMessageDestinationPath, destPath.c_str()); + } + + 
xpc_object_t reply = xpc_connection_send_message_with_reply_sync(service, msg); + xpc_release(msg); + + if(reply == NULL) + { + Syslog::error("SecTranslocate, TranslocatorClient, create, no reply returned"); + UnixError::throwMe(ENOMEM); + } + + xpc_type_t type = xpc_get_type(reply); + if (type == XPC_TYPE_DICTIONARY) + { + if(int64_t error = xpc_dictionary_get_int64(reply, kSecTranslocateXPCReplyError)) + { + Syslog::error("SecTranslocate, TranslocatorClient, create, error received %lld", error); + xpc_release(reply); + UnixError::throwMe((int)error); + } + const char * result = xpc_dictionary_get_string(reply, kSecTranslocateXPCReplySecurePath); + if (result == NULL) + { + Syslog::error("SecTranslocate, TranslocatorClient, create, no result path received"); + xpc_release(reply); + UnixError::throwMe(EINVAL); + } + outPath=result; + xpc_release(reply); + } + else + { + const char* errorMsg = NULL; + if (type == XPC_TYPE_ERROR) + { + errorMsg = "SecTranslocate, TranslocatorClient, create, xpc error returned: %s"; + } + else + { + errorMsg = "SecTranslocate, TranslocatorClient, create, unexpected type of return object: %s"; + } + const char *s = xpc_copy_description(reply); + Syslog::error(errorMsg, s); + free((char*)s); + xpc_release(reply); + UnixError::throwMe(EINVAL); + } + + return outPath; +} + +void TranslocatorClient::appLaunchCheckin(pid_t pid) +{ + xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0); + + xpc_dictionary_set_string(msg, kSecTranslocateXPCMessageFunction, kSecTranslocateXPCFuncCheckIn); + xpc_dictionary_set_int64(msg, kSecTranslocateXPCMessagePid, pid); + + /* no reply expected so just send the message and move along */ + xpc_connection_send_message(service, msg); + + xpc_release(msg); +} + +bool TranslocatorClient::destroyTranslocatedPathForUser(const string &translocatedPath) +{ + Syslog::error("SecTranslocate, TranslocatorClient, delete operation not allowed"); + UnixError::throwMe(EPERM); + return false; +} + +} //namespace 
SecTranslocate +} //namespace Security diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateClient.hpp b/OSX/libsecurity_translocate/lib/SecTranslocateClient.hpp new file mode 100644 index 00000000..bff27ef0 --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocateClient.hpp 
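Review bot: TranslocatorClient::appLaunchCheckin passes the result of `xpc_dictionary_create` straight to `xpc_dictionary_set_string` without the NULL check that translocatePathForUser performs on the very same call a few lines above; add `if (msg == NULL) { Syslog::error("SecTranslocate: TranslocatorClient, failed to allocate checkin message"); return; }` before the set calls, or throw ENOMEM as the sibling does. In the connection event handler, `xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION)` can in principle return NULL and is handed to a `%s` conversion; substituting a fallback such as `"(no description)"` when it is NULL keeps the log call well-defined. The trailing `return false;` in destroyTranslocatedPathForUser is unreachable after `UnixError::throwMe(EPERM)` and can be dropped.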
@@ -0,0 +1,63 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* Purpose: + This header defines the client side interface (xpc client for translocation) + */ + +#ifndef SecTranslocateClient_hpp +#define SecTranslocateClient_hpp + +#include <string> +#include <dispatch/dispatch.h> + +#include "SecTranslocateInterface.hpp" +#include "SecTranslocateShared.hpp" + +namespace Security { + +namespace SecTranslocate { + +using namespace std; + +class TranslocatorClient: public Translocator +{ +public: + TranslocatorClient(dispatch_queue_t q); + ~TranslocatorClient(); + + string translocatePathForUser(const TranslocationPath &originalPath, const string &destPath) override; + bool destroyTranslocatedPathForUser(const string &translocatedPath) override; + void appLaunchCheckin(pid_t pid) override; + +private: + TranslocatorClient() = delete; + TranslocatorClient(const TranslocatorClient &that) = delete; + dispatch_queue_t syncQ; + xpc_connection_t service; +}; + +} //namespace SecTranslocate +} //namespace Security + +#endif /* 
SecTranslocateClient_hpp */
diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateDANotification.cpp b/OSX/libsecurity_translocate/lib/SecTranslocateDANotification.cpp
new file mode 100644
index 00000000..f8dfaa16
--- /dev/null
+++ b/OSX/libsecurity_translocate/lib/SecTranslocateDANotification.cpp
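Review bot: `xpc_connection_t service;` is declared in the class body, but the header includes only `<string>` and `<dispatch/dispatch.h>`, so it compiles only when an includer or SecTranslocateShared.hpp happens to have pulled in the XPC headers first; add `#include <xpc/xpc.h>` next to the dispatch include. The copy constructor is deleted but copy assignment is not, so `a = b;` would leave two objects owning the same `service` and `syncQ`, presumably both released in the destructor (whose body is not in this hunk); add `TranslocatorClient& operator=(const TranslocatorClient &that) = delete;`. The same omission applies to DANotificationMonitor in SecTranslocateDANotification.hpp and LSNotificationMonitor in SecTranslocateLSNotification.hpp.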
@@ -0,0 +1,221 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include <exception> +#include <dlfcn.h> +#include <dispatch/dispatch.h> +#include <DiskArbitration/DiskArbitration.h> + +#include <security_utilities/logging.h> +#include <security_utilities/cfutilities.h> +#include <security_utilities/unix++.h> + +#include "SecTranslocateDANotification.hpp" +#include "SecTranslocateShared.hpp" +#include "SectranslocateUtilities.hpp" + +#define DA_FRAMEWORK_PATH "/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration" + +namespace Security { +namespace SecTranslocate { + +typedef CFDictionaryRef (*DiskCopyDescription_t)(DADiskRef); +typedef DASessionRef (*SessionCreate_t) (CFAllocatorRef); +typedef void (*SessionSetDispatchQueue_t)(DASessionRef,dispatch_queue_t); +typedef void (*RegisterDiskDisappearedCallback_t) (DASessionRef, CFDictionaryRef, DADiskDisappearedCallback, void*); +typedef void (*RegisterDiskUnmountApprovalCallback_t) (DASessionRef, CFDictionaryRef, DADiskUnmountApprovalCallback, void*); +typedef void 
(*UnregisterCallback_t)(DASessionRef, void*, void*); + +class DiskArbitrationProxy +{ +public: + static DiskArbitrationProxy* get(); + + inline CFDictionaryRef diskCopyDescription(DADiskRef disk) const + { return pDiskCopyDescription ? pDiskCopyDescription(disk) : NULL; }; + inline DASessionRef sessionCreate (CFAllocatorRef allocator) const + { return pSessionCreate ? pSessionCreate(allocator) : NULL; }; + inline void sessionSetDispatchQueue (DASessionRef s, dispatch_queue_t q) const + { if(pSessionSetDispatchQueue) pSessionSetDispatchQueue(s,q); }; + inline void registerDiskDisappearedCallback (DASessionRef s, CFDictionaryRef d, DADiskDisappearedCallback c, void* x) const + { if(pRegisterDiskDisappearedCallback) pRegisterDiskDisappearedCallback(s,d,c,x); }; + inline void registerDiskUnmountApprovalCallback (DASessionRef s, CFDictionaryRef d, DADiskUnmountApprovalCallback c, void* x) const + { if(pRegisterDiskUnmountApprovalCallback) pRegisterDiskUnmountApprovalCallback(s,d,c,x); }; + inline void unregisterCallback (DASessionRef s, void* c, void* x) const + { if(pUnregisterCallback) pUnregisterCallback(s,c,x); }; + inline CFDictionaryRef diskDescriptionMatchVolumeMountable() const + { return pDiskDescriptionMatchVolumeMountable ? *pDiskDescriptionMatchVolumeMountable : NULL; }; + inline CFStringRef diskDescriptionVolumePathKey() const + { return pDiskDescriptionVolumePathKey ? 
*pDiskDescriptionVolumePathKey : NULL; }; + +private: + DiskArbitrationProxy(); + + void* handle; + DiskCopyDescription_t pDiskCopyDescription; + SessionCreate_t pSessionCreate; + SessionSetDispatchQueue_t pSessionSetDispatchQueue; + RegisterDiskDisappearedCallback_t pRegisterDiskDisappearedCallback; + RegisterDiskUnmountApprovalCallback_t pRegisterDiskUnmountApprovalCallback; + UnregisterCallback_t pUnregisterCallback; + CFDictionaryRef* pDiskDescriptionMatchVolumeMountable; + CFStringRef* pDiskDescriptionVolumePathKey; +}; + +DiskArbitrationProxy::DiskArbitrationProxy() +{ + handle = checkedDlopen(DA_FRAMEWORK_PATH, RTLD_LAZY | RTLD_NOLOAD); + + pDiskCopyDescription = (DiskCopyDescription_t) checkedDlsym(handle, "DADiskCopyDescription"); + pSessionCreate = (SessionCreate_t) checkedDlsym(handle, "DASessionCreate"); + + pSessionSetDispatchQueue = (SessionSetDispatchQueue_t) checkedDlsym(handle, "DASessionSetDispatchQueue"); + pRegisterDiskDisappearedCallback = (RegisterDiskDisappearedCallback_t) checkedDlsym(handle, "DARegisterDiskDisappearedCallback"); + pRegisterDiskUnmountApprovalCallback = (RegisterDiskUnmountApprovalCallback_t) checkedDlsym(handle, "DARegisterDiskUnmountApprovalCallback"); + pUnregisterCallback = (UnregisterCallback_t) checkedDlsym(handle, "DAUnregisterCallback"); + pDiskDescriptionMatchVolumeMountable = (CFDictionaryRef*) checkedDlsym(handle, "kDADiskDescriptionMatchVolumeMountable"); + pDiskDescriptionVolumePathKey = (CFStringRef*) checkedDlsym(handle, "kDADiskDescriptionVolumePathKey"); +} + +DiskArbitrationProxy* DiskArbitrationProxy::get() +{ + static dispatch_once_t initialized; + static DiskArbitrationProxy* me = NULL; + __block exception_ptr exception(0); + + dispatch_once(&initialized, ^{ + try + { + me = new DiskArbitrationProxy(); + } + catch (...) 
+ { + Syslog::critical("SecTranslocate: error while creating DiskArbitrationProxy"); + exception = current_exception(); + } + }); + + if (me == NULL) + { + if(exception) + { + rethrow_exception(exception); //already logged in this case + } + else + { + Syslog::critical("SecTranslocate: DiskArbitrationProxy initialization has failed"); + UnixError::throwMe(EINVAL); + } + } + + return me; +} +/* + For Disk Arbitration need to + 1. create a session and hold on to it. + 2. associate it with a queue + 3. register for call backs (DADiskDisappearedCallback and DADiskUnmountApprovalCallback) + 4. provide a function to get the mounton path from DADiskref + 5. Return a dissenter if unmount is gonna fail because something is in use (i.e. if my unmount fails) + */ + +/* Returns false if we failed an unmount call. anything else returns true */ +static bool cleanupDisksOnVolume(DADiskRef disk) +{ + bool result = true; + string fspathString; + try + { + DiskArbitrationProxy *dap = DiskArbitrationProxy::get(); + CFRef<CFDictionaryRef> dict = dap->diskCopyDescription(disk); + + if(!dict) + { + Syslog::error("SecTranslocate:disk cleanup, failed to get disk description"); + UnixError::throwMe(EINVAL); + } + + CFURLRef fspath = (CFURLRef)CFDictionaryGetValue(dict, dap->diskDescriptionVolumePathKey()); + + if(fspath) + { + //For the disk disappeared call back, it looks like we won't get a volume path so we'll keep the empty string + fspathString = cfString(fspath); + } + + result = destroyTranslocatedPathsForUserOnVolume(fspathString); + } + catch (...) + { + // This function is called from inside a DiskArbitration callback so we need to consume the exception + // more specific errors are assumed to be logged by the thrower + Syslog::error("SecTranslocate: DiskArbitration callback: failed to clean up mountpoint(s) related to volume: %s", + fspathString.empty() ? 
"unknown" : fspathString.c_str()); + } + + return result; +} + +static void diskDisappearedCallback(DADiskRef disk, void* context) +{ + (void)cleanupDisksOnVolume(disk); +} + +static DADissenterRef unmountApprovalCallback(DADiskRef disk, void *context) +{ + (void)cleanupDisksOnVolume(disk); + return NULL; //For now, we won't raise a dissent, just let the unmount fail. The dissent text would get used by UI. +} + +DANotificationMonitor::DANotificationMonitor(dispatch_queue_t q) +{ + DiskArbitrationProxy *dap = DiskArbitrationProxy::get(); + if (q == NULL) + { + Syslog::critical("SecTranslocate::DANotificationMonitor initialized without a queue."); + UnixError::throwMe(EINVAL); + } + + diskArbitrationSession = dap->sessionCreate(kCFAllocatorDefault); + if(!diskArbitrationSession) + { + Syslog::critical("SecTranslocate: Failed to create the disk arbitration session"); + UnixError::throwMe(ENOMEM); + } + + dap->sessionSetDispatchQueue(diskArbitrationSession, q); + /* register so we can cleanup from force unmounts */ + dap->registerDiskDisappearedCallback( diskArbitrationSession, dap->diskDescriptionMatchVolumeMountable(), diskDisappearedCallback, NULL ); + /* register so we can clean up pre-unmount */ + dap->registerDiskUnmountApprovalCallback( diskArbitrationSession, dap->diskDescriptionMatchVolumeMountable(), unmountApprovalCallback, NULL ); +} + +DANotificationMonitor::~DANotificationMonitor() +{ + DiskArbitrationProxy::get()->unregisterCallback(diskArbitrationSession,(void*)diskDisappearedCallback, NULL); + DiskArbitrationProxy::get()->unregisterCallback(diskArbitrationSession,(void*)unmountApprovalCallback, NULL); + CFRelease(diskArbitrationSession); +} + +} //namespace SecTranslocate +} //namespace Security diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateDANotification.hpp b/OSX/libsecurity_translocate/lib/SecTranslocateDANotification.hpp new file mode 100644 index 00000000..8899e47a --- /dev/null 
+++ b/OSX/libsecurity_translocate/lib/SecTranslocateDANotification.hpp @@ -0,0 +1,50 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* Purpose: This header defines the Disk Arbitration monitor for translocation */ + +#ifndef SecTranslocateDANotification_hpp +#define SecTranslocateDANotification_hpp + +#include <dispatch/dispatch.h> +#include <DiskArbitration/DiskArbitration.h> + +namespace Security { +namespace SecTranslocate { + +class DANotificationMonitor { +public: + DANotificationMonitor(dispatch_queue_t q); //throws + ~DANotificationMonitor(); +private: + DANotificationMonitor() = delete; + DANotificationMonitor(const DANotificationMonitor& that) = delete; + + DASessionRef diskArbitrationSession; +}; + +} //namespace SecTranslocate +} //namespace Security + + +#endif /* SecTranslocateDANotification_hpp */ diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateInterface.cpp b/OSX/libsecurity_translocate/lib/SecTranslocateInterface.cpp new file mode 100644 index 00000000..73a69c43 --- /dev/null 
+++ b/OSX/libsecurity_translocate/lib/SecTranslocateInterface.cpp 
@@ -0,0 +1,95 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include <exception> +#include <dispatch/dispatch.h> + +#include <security_utilities/unix++.h> +#include <security_utilities/logging.h> + +#include "SecTranslocateInterface.hpp" +#include "SecTranslocateServer.hpp" +#include "SecTranslocateClient.hpp" + +namespace Security { +namespace SecTranslocate { + +using namespace std; + +Translocator* getTranslocator(bool isServer) +{ + static dispatch_once_t initialized; + static Translocator* me = NULL; + static dispatch_queue_t q; + __block exception_ptr exception(0); + + if(isServer && me) + { + Syslog::critical("SecTranslocate: getTranslocator, asked for server but previously intialized as client"); + UnixError::throwMe(EINVAL); + } + + dispatch_once(&initialized, ^{ + try + { + q = dispatch_queue_create(isServer?"com.apple.security.translocate":"com.apple.security.translocate-client", DISPATCH_QUEUE_SERIAL); + if(q == NULL) + { + Syslog::critical("SecTranslocate: getTranslocator, failed to create queue"); + 
UnixError::throwMe(ENOMEM); + } + + if(isServer) + { + me = new TranslocatorServer(q); + } + else + { + me = new TranslocatorClient(q); + } + } + catch (...) + { + Syslog::critical("SecTranslocate: error while creating Translocator"); + exception = current_exception(); + } + }); + + if (me == NULL) + { + if (exception) + { + rethrow_exception(exception); //we already logged in this case. + } + else + { + Syslog::critical("SecTranslocate: Translocator initialization failed"); + UnixError::throwMe(EINVAL); + } + } + + return me; +} + +} //namespace SecTranslocate +} //namespace Security diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateInterface.hpp b/OSX/libsecurity_translocate/lib/SecTranslocateInterface.hpp new file mode 100644 index 00000000..8ed15544 --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocateInterface.hpp 
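Review bot: The guard `if(isServer && me)` fires on every call after initialization, including a second `getTranslocator(true)` when the singleton was in fact created as a server, and the message then wrongly claims it was initialized as a client. Record the mode chosen inside the `dispatch_once` block, e.g. `static bool initializedAsServer = false;` assigned from `isServer` next to the `new`, and change the guard to `if(isServer && me && !initializedAsServer)`. That read of `me` also happens before the `dispatch_once`, so it is an unsynchronized read of a static the block writes; placing the check after the `dispatch_once` call keeps the write and the check ordered.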
@@ -0,0 +1,56 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* Purpose: This header defines the generic Translocator interface, implemented by the client and server, + and the Translocator factory method to make a client or server object + */ + +#ifndef SecTranslocateInterface_h +#define SecTranslocateInterface_h + +#include <string> +#include <unistd.h> + +#include "SecTranslocateShared.hpp" + +namespace Security { +namespace SecTranslocate { + +using namespace std; + +#define SECTRANSLOCATE_XPC_SERVICE_NAME "com.apple.security.translocation" + +class Translocator +{ +public: + virtual ~Translocator() {}; + virtual string translocatePathForUser(const TranslocationPath &originalPath, const string &destPath) = 0; + virtual bool destroyTranslocatedPathForUser(const string &translocatedPath) = 0; + virtual void appLaunchCheckin(pid_t pid) = 0; +}; + +Translocator* getTranslocator(bool isServer=false); + +} //namespace SecTranslocate +} //namespace Security +#endif /* SecTranslocateInterface_h */ 
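Review bot: `using namespace std;` at namespace scope in a public header is imported into every translation unit that includes SecTranslocateInterface.hpp, and it is what lets the unqualified `string` in the sibling headers compile; prefer `std::string` in the declarations here and drop the directive. `#define SECTRANSLOCATE_XPC_SERVICE_NAME` is placed inside `namespace SecTranslocate`, but macros ignore namespaces, so the placement suggests a scoping that does not exist; a `static const char *const` or moving the define above the namespace would be clearer. The guard `SecTranslocateInterface_h` also differs from the `_hpp` suffix used by the other new headers.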
diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateLSNotification.cpp b/OSX/libsecurity_translocate/lib/SecTranslocateLSNotification.cpp
new file mode 100644
index 00000000..c4354e90
--- /dev/null
+++ b/OSX/libsecurity_translocate/lib/SecTranslocateLSNotification.cpp
@@ -0,0 +1,282 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include <string> +#include <exception> + +#include <dlfcn.h> +#include <dispatch/dispatch.h> +#include <CoreServices/CoreServicesPriv.h> + +#include <security_utilities/cfutilities.h> +#include <security_utilities/unix++.h> +#include <security_utilities/logging.h> + +#include "SecTranslocate.h" +#include "SecTranslocateLSNotification.hpp" +#include "SecTranslocateUtilities.hpp" +#include "SecTranslocateShared.hpp" + +#define LS_FRAMEWORK_PATH "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices" + +namespace Security { +namespace SecTranslocate { + +/* Types for the LaunchServices symbols that I am Pseudo weak linking */ +typedef void (^LSNotificationHandler_t) (LSNotificationCode, CFAbsoluteTime, CFTypeRef, LSASNRef, LSSessionID, LSNotificationID); +typedef LSNotificationID (*ScheduleNotificationOnQueueWithBlock_t) (LSSessionID, CFTypeRef, dispatch_queue_t,LSNotificationHandler_t); +typedef OSStatus 
(*ModifyNotification_t)(LSNotificationID, UInt32, const LSNotificationCode *, UInt32, const LSNotificationCode *, CFTypeRef, CFTypeRef); +typedef OSStatus (*UnscheduleNotificationFunction_t)(LSNotificationID); +typedef LSASNRef (*ASNCreateWithPid_t)(CFAllocatorRef, int); +typedef uint64_t (*ASNToUInt64_t)(LSASNRef); +typedef Boolean (*IsApplicationRunning_t)(LSSessionID, LSASNRef); + +/* Class to contain all the Launch Services functions I need to weak link */ +class LaunchServicesProxy +{ +public: + static LaunchServicesProxy* get(); + + inline LSNotificationID scheduleNotificationOnQueueWithBlock (LSSessionID s, CFTypeRef r, dispatch_queue_t q,LSNotificationHandler_t b) const + { return pScheduleNotificationOnQueueWithBlock ? pScheduleNotificationOnQueueWithBlock(s,r,q,b) : (LSNotificationID)kLSNotificationInvalidID; }; + inline OSStatus modifyNotification(LSNotificationID i, UInt32 c, const LSNotificationCode * s, UInt32 l, const LSNotificationCode *n, CFTypeRef a, CFTypeRef r) const + { return pModifyNotification ? pModifyNotification(i,c,s,l,n,a,r) : kLSUnknownErr; }; + inline OSStatus unscheduleNotificationFunction(LSNotificationID i) const + { return pUnscheduleNotificationFunction ? pUnscheduleNotificationFunction(i) : kLSUnknownErr; }; + inline LSASNRef asnCreateWithPid(CFAllocatorRef a, int p) const + { return pASNCreateWithPid ? pASNCreateWithPid(a,p) : NULL; }; + inline uint64_t asnToUInt64 (LSASNRef a) const + { return pASNToUInt64 ? pASNToUInt64(a) : 0; }; + inline CFStringRef bundlePathKey() const { return pBundlePathKey ? *pBundlePathKey : NULL;}; + inline Boolean isApplicationRunning(LSSessionID i, LSASNRef a) const {return pIsApplicationRunning ? 
pIsApplicationRunning(i,a): false;}; + +private: + LaunchServicesProxy(); + + void* handle; + ScheduleNotificationOnQueueWithBlock_t pScheduleNotificationOnQueueWithBlock; + ModifyNotification_t pModifyNotification; + UnscheduleNotificationFunction_t pUnscheduleNotificationFunction; + ASNCreateWithPid_t pASNCreateWithPid; + ASNToUInt64_t pASNToUInt64; + CFStringRef *pBundlePathKey; + IsApplicationRunning_t pIsApplicationRunning; +}; + +/* resolve all the symbols. Throws if something isn't found. */ +LaunchServicesProxy::LaunchServicesProxy() +{ + handle = checkedDlopen(LS_FRAMEWORK_PATH, RTLD_LAZY | RTLD_NOLOAD); + + pScheduleNotificationOnQueueWithBlock = (ScheduleNotificationOnQueueWithBlock_t) checkedDlsym(handle, "_LSScheduleNotificationOnQueueWithBlock"); + pModifyNotification = (ModifyNotification_t) checkedDlsym(handle, "_LSModifyNotification"); + pUnscheduleNotificationFunction = (UnscheduleNotificationFunction_t) checkedDlsym(handle, "_LSUnscheduleNotificationFunction"); + pASNCreateWithPid = (ASNCreateWithPid_t) checkedDlsym(handle, "_LSASNCreateWithPid"); + pASNToUInt64 = (ASNToUInt64_t) checkedDlsym(handle, "_LSASNToUInt64"); + pBundlePathKey = (CFStringRef*) checkedDlsym(handle, "_kLSBundlePathKey"); + pIsApplicationRunning = (IsApplicationRunning_t) checkedDlsym(handle, "_LSIsApplicationRunning"); +} + +/* Singleton getter for the proxy */ +LaunchServicesProxy* LaunchServicesProxy::get() +{ + static dispatch_once_t initialized; + static LaunchServicesProxy* me = NULL; + __block exception_ptr exception(0); + + dispatch_once(&initialized, ^{ + try + { + me = new LaunchServicesProxy(); + } + catch (...) 
+ { + Syslog::critical("SecTranslocate: error while creating LaunchServicesProxy"); + exception = current_exception(); + } + }); + + if (me == NULL) + { + if(exception) + { + rethrow_exception(exception); //already logged in this case + } + else + { + Syslog::critical("SecTranslocate: LaunchServicesProxy initialization has failed"); + UnixError::throwMe(EINVAL); + } + } + + return me; +} + +/* Save the notification queue so we can do things async later */ +LSNotificationMonitor::LSNotificationMonitor(dispatch_queue_t q): notificationQ(q) +{ + if (notificationQ == NULL) + { + Syslog::critical("SecTranslocate::LSNotificationMonitor initialized without a queue."); + UnixError::throwMe(EINVAL); + } + + dispatch_retain(notificationQ); +} + +/* Release the dispatch queue if this ever gets destroyed */ +LSNotificationMonitor::~LSNotificationMonitor() +{ + dispatch_release(notificationQ); +} + +/* Check to see if a path is translocated. If it isn't or no path is provided then return + an empty string. If it is, return the path as a c++ string. 
*/ +string LSNotificationMonitor::stringIfTranslocated(CFStringRef appPath) +{ + if(appPath == NULL) + { + Syslog::error("SecTranslocate: no appPath provided"); + return ""; + } + + CFRef<CFURLRef> appURL = makeCFURL(appPath); + bool isTranslocated = false; + + string out = cfString(appURL); + + if (!SecTranslocateIsTranslocatedURL(appURL, &isTranslocated, NULL)) + { + Syslog::error("SecTranslocate: path for asn doesn't exist or isn't accessible: %s",out.c_str()); + return ""; + } + + if(!isTranslocated) + { + Syslog::error("SecTranslocate: asn is not translocated: %s",out.c_str()); + return ""; + } + + return out; +} + +/* register for a notification about the death of the requested PID with launch services if the pid is translocated */ +void LSNotificationMonitor::checkIn(pid_t pid) +{ + dispatch_async(notificationQ, ^(){ + try + { + LaunchServicesProxy* lsp = LaunchServicesProxy::get(); + + CFRef<LSASNRef> asn = lsp->asnCreateWithPid(kCFAllocatorDefault, pid); + + if(lsp->isApplicationRunning(kLSDefaultSessionID, asn)) + { + LSNotificationID nid = lsp->scheduleNotificationOnQueueWithBlock(kLSDefaultSessionID, + cfEmptyArray(), + notificationQ, + ^ (LSNotificationCode notification, + CFAbsoluteTime notificationTime, + CFTypeRef dataRef, + LSASNRef affectedASNRef, + LSSessionID session, + LSNotificationID notificationID){ + if( notification == kLSNotifyApplicationDeath && dataRef) + { + this->asnDied(dataRef); + } + + lsp->unscheduleNotificationFunction(notificationID); + }); + LSNotificationCode notificationCode = kLSNotifyApplicationDeath; + lsp->modifyNotification(nid, 1, ¬ificationCode, 0, NULL, asn, NULL); + } + else + { + Syslog::warning("SecTranslocate: pid %d checked in, but it is not running",pid); + } + } + catch(...) + { + Syslog::error("SecTranslocate: checkin failed for pid %d",pid); + } + }); +} + +/* use the supplied dictionary to perform volume cleanup. 
If the dictionary contains a bundle path + and that bundle path still exists and is translocated, then unmount it. Otherwise trigger a + unmount of any translocation point that doesn't point to an existant volume. */ +void LSNotificationMonitor::asnDied(CFTypeRef data) const +{ + string path; + try + { + CFDictionaryRef dict = NULL; + if(CFGetTypeID(data) == CFDictionaryGetTypeID()) + { + dict = (CFDictionaryRef)data; + } + else + { + Syslog::error("SecTranslocate: no data dictionary at app death"); + return; + } + + LaunchServicesProxy* lsp = LaunchServicesProxy::get(); + path = stringIfTranslocated((CFStringRef)CFDictionaryGetValue(dict,lsp->bundlePathKey())); + } + catch(...) + { + Syslog::error("SecTranslocate: asn death processing failed"); + return; + } + + /* wait 5 seconds after death */ + dispatch_time_t when = dispatch_time(DISPATCH_TIME_NOW, 5LL * NSEC_PER_SEC); + + dispatch_after(when, notificationQ, ^() { + try + { + if(path.empty()) + { + /* we got an asn death notification but the path either wasn't translocated or didn't exist + in case it didn't exist try to clean up stale translocation points. + Calling this function with no parameter defaults to a blank volume which causes + only translocation points that point to non-existant volumes to be cleaned up. */ + destroyTranslocatedPathsForUserOnVolume(); + } + else + { + /* remove the translocation point for the app */ + destroyTranslocatedPathForUser(path); + } + } + catch(...) + { + Syslog::error("SecTranslocate: problem deleting translocation after app death: %s", path.c_str()); + } + }); +} + +} //namespace SecTranslocate +} //namespace Security diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateLSNotification.hpp b/OSX/libsecurity_translocate/lib/SecTranslocateLSNotification.hpp new file mode 100644 index 00000000..c17a3b53 --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocateLSNotification.hpp 
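Review bot: In `checkIn`, the result of `scheduleNotificationOnQueueWithBlock` is handed to `modifyNotification` without checking for `kLSNotificationInvalidID`, and the OSStatus from `modifyNotification` is discarded; if either fails the app's death is never observed, the translocation mount for that pid is never torn down, and a scheduled-but-unmodified notification is never unscheduled because the handler block only does so when it fires. Check both results, log the failure, and unschedule on a modify failure, as below. The `asnCreateWithPid` result is likewise passed to `isApplicationRunning` without a null check; whether `_LSASNCreateWithPid` can return NULL for a vanished pid is not visible here, so a guard is cheap insurance.
```cpp
                LSNotificationID nid = lsp->scheduleNotificationOnQueueWithBlock(
                    // … unchanged: kLSDefaultSessionID, cfEmptyArray(), notificationQ and the death-notification block …
                );
                if (nid == kLSNotificationInvalidID)
                {
                    Syslog::error("SecTranslocate: failed to schedule death notification for pid %d", pid);
                    return;
                }
                LSNotificationCode notificationCode = kLSNotifyApplicationDeath;
                if (lsp->modifyNotification(nid, 1, &notificationCode, 0, NULL, asn, NULL) != noErr)
                {
                    Syslog::error("SecTranslocate: failed to attach death notification to pid %d", pid);
                    lsp->unscheduleNotificationFunction(nid);
                }
```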
@@ -0,0 +1,56 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* Purpose: This header defines the Launch Services Notification Monitor for translocation */ + +#ifndef SecTranslocateLSNotification_hpp +#define SecTranslocateLSNotification_hpp + +#include <security_utilities/cfutilities.h> +#include <CoreServices/CoreServicesPriv.h> +#include <unistd.h> +#include <dispatch/dispatch.h> + +namespace Security { +namespace SecTranslocate { + +class LSNotificationMonitor { +public: + LSNotificationMonitor(dispatch_queue_t q); //throws + void checkIn(pid_t pid); + ~LSNotificationMonitor(); +private: + LSNotificationMonitor() = delete; + LSNotificationMonitor(const LSNotificationMonitor& that) = delete; + + void asnDied(CFTypeRef data) const; + static string stringIfTranslocated(CFStringRef appPath); + + dispatch_queue_t notificationQ; + +}; + +} //namespace SecTranslocate +} //namespace Security + +#endif /* SecTranslocateLSNotification_hpp */ 
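Review bot: `static string stringIfTranslocated(CFStringRef appPath);` uses an unqualified `string` with neither `#include <string>` nor a `std::` qualifier, so this header compiles only when an earlier include has already supplied both; write `static std::string stringIfTranslocated(CFStringRef appPath);` and add `#include <string>` to the include list. The `//throws` remark on the constructor is the only documentation of the class; a short comment on `checkIn` saying that it registers for the pid's death notification asynchronously on `notificationQ` and that `asnDied` drives the cleanup would tell a caller what to expect without reading the .cpp.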
diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateServer.cpp b/OSX/libsecurity_translocate/lib/SecTranslocateServer.cpp
new file mode 100644
index 00000000..a515ba69
--- /dev/null
+++ b/OSX/libsecurity_translocate/lib/SecTranslocateServer.cpp
@@ -0,0 +1,167 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include <string>
+#include <vector>
+#include <exception>
+#include <dispatch/dispatch.h>
+
+#include "SecTranslocateShared.hpp"
+#include "SecTranslocateServer.hpp"
+#include "SecTranslocateUtilities.hpp"
+#include "SecTranslocateDANotification.hpp"
+#include "SecTranslocateXPCServer.hpp"
+#include "SecTranslocateLSNotification.hpp"
+#undef check //The CoreServices code pulls in a check macro that we don't want
+
+#include <security_utilities/unix++.h>
+#include <security_utilities/logging.h>
+
+namespace Security {
+
+using namespace Security::UnixPlusPlus;
+
+namespace SecTranslocate {
+
+using namespace std;
+
+/* Try to cleanup every 12 hrs */
+#define TRANSLOCATION_CLEANUP_INTERVAL 12ULL * 60ULL * 60ULL * NSEC_PER_SEC
+#define TRANSLOCATION_CLEANUP_LEEWAY TRANSLOCATION_CLEANUP_INTERVAL/2ULL
+
+/* Initialize a dispatch queue to serialize operations */
+TranslocatorServer::TranslocatorServer(dispatch_queue_t q):syncQ(q), da(q), ls(q),xpc(q)
+{
+ if (!q)
+ {
+ Syslog::critical("SecTranslocate: TranslocatorServer failed to create the dispatch queue");
+ UnixError::throwMe(ENOMEM);
+ }
+ dispatch_retain(syncQ);
+
+ setupPeriodicCleanup();
+
+ Syslog::warning("SecTranslocate: Server started");
+}
+
+/* Destroy the dispatch queue and listeners when they are no longer needed */
+TranslocatorServer::~TranslocatorServer()
+{
+ if( syncQ )
+ {
+ dispatch_release(syncQ);
+ }
+
+ if(cleanupTimer)
+ {
+ dispatch_source_cancel(cleanupTimer);
+ cleanupTimer = NULL;
+ }
+}
+
+// This is intended for use by the host process of the server if necessary
+// Create a translocation for original path if appropriate
+string TranslocatorServer::translocatePathForUser(const TranslocationPath &originalPath, const string &destPath)
+{
+ __block string newPath;
+ __block exception_ptr exception(0);
+
+ dispatch_sync(syncQ, ^{
+ try
+ {
+ newPath = Security::SecTranslocate::translocatePathForUser(originalPath,destPath);
+ }
+ catch (...)
+ {
+ exception = current_exception();
+ }
+ });
+ if (exception)
+ {
+ rethrow_exception(exception);
+ }
+ return newPath;
+}
+
+// This is intended for use by the host process of the server if necessary
+// Destroy the translocation mount at translocatedPath if allowed
+bool TranslocatorServer::destroyTranslocatedPathForUser(const string &translocatedPath)
+{
+ __block bool result = false;
+ __block exception_ptr exception(0);
+ dispatch_sync(syncQ, ^{
+ try
+ {
+ result = Security::SecTranslocate::destroyTranslocatedPathForUser(translocatedPath);
+ }
+ catch (...)
+ {
+ exception = current_exception();
+ }
+ });
+ if (exception)
+ {
+ rethrow_exception(exception);
+ }
+ return result;
+}
+
+void TranslocatorServer::appLaunchCheckin(pid_t pid)
+{
+ //This is thrown on the queue as an async task in the call so don't need to do anything extra.
+ ls.checkIn(pid);
+}
+
+void TranslocatorServer::setupPeriodicCleanup()
+{
+ cleanupTimer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, syncQ);
+
+ dispatch_time_t when = dispatch_time(DISPATCH_TIME_NOW, TRANSLOCATION_CLEANUP_INTERVAL);
+ dispatch_source_set_timer(cleanupTimer, when, TRANSLOCATION_CLEANUP_INTERVAL, TRANSLOCATION_CLEANUP_LEEWAY);
+
+ dispatch_source_set_cancel_handler(cleanupTimer, ^{
+ dispatch_release(cleanupTimer);
+ });
+
+ dispatch_source_set_event_handler(cleanupTimer, ^{
+ try
+ {
+ Syslog::notice("SecTranslocate: attempting to cleanup unused translocation points");
+ tryToDestroyUnusedTranslocationMounts();
+ }
+ catch (Security::UnixError err)
+ {
+ int error = err.unixError();
+ Syslog::error("SecTranslocate: got unix error[ %d : %s ] while trying to cleanup translocation points.",error, strerror(error));
+ }
+ catch (...)
+ {
+ Syslog::error("SecTranslocate: unknown error while trying to cleanup translocation points.");
+ }
+ });
+
+ dispatch_resume(cleanupTimer);
+}
+
+} //namespace SecTranslocate
+} //namespace SecTranslocate
diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateServer.hpp b/OSX/libsecurity_translocate/lib/SecTranslocateServer.hpp
new file mode 100644
index 00000000..b8cf62ec
--- /dev/null
+++ b/OSX/libsecurity_translocate/lib/SecTranslocateServer.hpp
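Review bot: The cancel handler installed in `setupPeriodicCleanup` reads the member `cleanupTimer` through an implicitly captured `this`, but `~TranslocatorServer` sets `cleanupTimer = NULL` right after `dispatch_source_cancel` and the handler runs asynchronously on `syncQ` afterwards, so at best it calls `dispatch_release(NULL)` and, if it runs once the object is gone, it reads a freed `this`. Capture the source itself instead: `dispatch_source_t timer = cleanupTimer;` followed by `dispatch_source_set_cancel_handler(timer, ^{ dispatch_release(timer); });`. The destructor also releases `syncQ` before cancelling the timer; the source presumably holds its own reference to its target queue so this is likely harmless, but cancelling first and releasing the queue last reads more clearly. Minor: both closing braces at the end are commented `//namespace SecTranslocate`, while the outer one closes `Security`.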
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/* Purpose: This header defines the Translocation "Server" it houses the XPC Listener, Disk Arbitration Monitor,
+ Launch Services Notification monitor, and interfaces for the process housing the server to request translocation
+ services.
+ */
+
+#ifndef SecTranslocateServer_hpp
+#define SecTranslocateServer_hpp
+
+#include <string>
+#include <dispatch/dispatch.h>
+
+#include "SecTranslocateInterface.hpp"
+#include "SecTranslocateUtilities.hpp"
+#include "SecTranslocateLSNotification.hpp"
+#include "SecTranslocateDANotification.hpp"
+#include "SecTranslocateXPCServer.hpp"
+
+
+namespace Security {
+
+namespace SecTranslocate {
+
+using namespace std;
+
+class TranslocatorServer: public Translocator
+{
+public:
+ TranslocatorServer(dispatch_queue_t q);
+ ~TranslocatorServer();
+
+ string translocatePathForUser(const TranslocationPath &originalPath, const string &destPath) override;
+ bool destroyTranslocatedPathForUser(const string &translocatedPath) override;
+ void appLaunchCheckin(pid_t pid) override;
+
+private:
+ TranslocatorServer() = delete;
+ TranslocatorServer(const TranslocatorServer &that) = delete;
+ dispatch_queue_t syncQ;
+ DANotificationMonitor da;
+ LSNotificationMonitor ls;
+ XPCServer xpc;
+ dispatch_source_t cleanupTimer;
+
+ void setupPeriodicCleanup();
+};
+
+} //namespace SecTranslocate
+} //namespace Security
+
+#endif /* SecTranslocateServer_hpp */
diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateShared.cpp b/OSX/libsecurity_translocate/lib/SecTranslocateShared.cpp
new file mode 100644
index 00000000..f03c070e
--- /dev/null
+++ b/OSX/libsecurity_translocate/lib/SecTranslocateShared.cpp
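Review bot: `TranslocatorServer` deletes its default and copy constructors but leaves copy assignment implicitly defined; the destructor in SecTranslocateServer.cpp calls `dispatch_release(syncQ)` and cancels `cleanupTimer`, so an accidental `a = b;` would shallow-copy both handles and release them twice. Add `TranslocatorServer& operator=(const TranslocatorServer &that) = delete;` beside the deleted copy constructor (unless one of the `da`/`ls`/`xpc` member types already makes assignment ill-formed, which this hunk does not show). It would also be safer to give the timer an in-class initializer, `dispatch_source_t cleanupTimer = nullptr;`, since the constructor's initializer list only sets `syncQ`, `da`, `ls` and `xpc` while the destructor tests `cleanupTimer` for NULL before cancelling it.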
@@ -0,0 +1,1023 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include <vector> +#include <string> +#include <exception> + +#include <sys/stat.h> +#include <unistd.h> +#include <sys/param.h> +#include <sys/mount.h> +#include <sys/ucred.h> +#include <dispatch/dispatch.h> +#include <string.h> +#include <dirent.h> + +#define __APPLE_API_PRIVATE +#include <quarantine.h> +#undef __APPLE_API_PRIVATE + +#include <security_utilities/cfutilities.h> +#include <security_utilities/unix++.h> +#include <security_utilities/logging.h> +#include <Security/SecStaticCode.h> + +#include "SecTranslocateShared.hpp" +#include "SecTranslocateUtilities.hpp" + + +namespace Security { + +namespace SecTranslocate { + +using namespace std; + +/* String Constants for XPC dictionary passing */ +/* XPC Function keys */ +const char* kSecTranslocateXPCFuncCreate = "create"; +const char* kSecTranslocateXPCFuncCheckIn = "check-in"; + +/* XPC message argument keys */ +const char* kSecTranslocateXPCMessageFunction = "function"; +const char* 
kSecTranslocateXPCMessageOriginalPath = "original"; +const char* kSecTranslocateXPCMessageDestinationPath = "dest"; +const char* kSecTranslocateXPCMessagePid = "pid"; + +/*XPC message reply keys */ +const char* kSecTranslocateXPCReplyError = "error"; +const char* kSecTranslocateXPCReplySecurePath = "result"; + +//Functions used only within this file +static void setMountPointQuarantineIfNecessary(const string &mountPoint, const string &originalPath); +static string getMountpointFromAppPath(const string &appPath, const string &originalPath); + +static vector<struct statfs> getMountTableSnapshot(); +static string mountExistsForUser(const string &translationDirForUser, const string &originalPath, const string &destMount); +static void validateMountpoint(const string &mountpoint, bool owned=false); +static string makeNewMountpoint(const string &translationDir); +static string newAppPath (const string &mountPoint, const TranslocationPath &originalPath); +static void cleanupTranslocationDirForUser(const string &userDir); +static int removeMountPoint(const string &mountpoint, bool force = false); + +/* calculate whether a translocation should occur and where from */ +TranslocationPath::TranslocationPath(string originalPath) +{ + + /* To support testing of translocation the policy is as follows: + 1. When the quarantine translocation sysctl is off, always translocate + if we aren't already on a translocated mount point. + 2. When the quarantine translocation sysctl is on, use the quarantine + bits to decide. 
+ when asking if a path should run translocated need to: + check the current quarantine state of the path asked about + if it is already on a nullfs mount + do not translocate + else if it is unquarantined + do not translocate + else + if not QTN_FLAG_TRANSLOCATE or QTN_FLAG_DO_NOT_TRANSLOCATE + do not translocate + else + find the outermost acceptable code bundle + if not QTN_FLAG_TRANSLOCATE or QTN_FLAG_DO_NOT_TRANSLOCATE + don't translocate + else + translocate + + See findOuterMostCodeBundleForFD for more info about what an acceptable outermost bundle is + in particular it should be noted that the outermost acceptable bundle for a quarantined inner + bundle can not be unquarantined. If the inner bundle is quarantined then any bundle containing it + must also have been quarantined. + */ + + ExtendedAutoFileDesc fd(originalPath); + + should = false; + realOriginalPath = fd.getRealPath(); + + /* don't translocate if it already is */ + /* only consider translocation if the thing being asked about is marked for translocation */ + if(!fd.isFileSystemType(NULLFS_FSTYPE) && fd.isQuarantined() && fd.shouldTranslocate()) + { + ExtendedAutoFileDesc &&outermost = findOuterMostCodeBundleForFD(fd); + + should = outermost.isQuarantined() && outermost.shouldTranslocate(); + pathToTranslocate = outermost.getRealPath(); + + /* Calculate the path that will be needed to give the caller the path they asked for originally but in the translocated place */ + if (should) + { + vector<string> originalComponents = splitPath(realOriginalPath); + vector<string> toTranslocateComponents = splitPath(pathToTranslocate); + + if (toTranslocateComponents.size() == 0 || + toTranslocateComponents.size() > originalComponents.size()) + { + Syslog::error("SecTranslocate, TranslocationPath, path calculation failed:\n\toriginal: %s\n\tcalculated: %s", + realOriginalPath.c_str(), + pathToTranslocate.c_str()); + UnixError::throwMe(EINVAL); + } + + for(size_t cnt = 0; cnt < originalComponents.size(); 
cnt++) + { + if (cnt < toTranslocateComponents.size()) + { + if (toTranslocateComponents[cnt] != originalComponents[cnt]) + { + Syslog::error("SecTranslocate, TranslocationPath, translocation path calculation failed:\n\toriginal: %s\n\tcalculated: %s", + realOriginalPath.c_str(), + pathToTranslocate.c_str()); + UnixError::throwMe(EINVAL); + } + } + else + { + /* + want pathInsideTranslocationPoint to look like: + a/b/c + i.e. internal / but not at the front or back. + */ + if(pathInsideTranslocationPoint.empty()) + { + pathInsideTranslocationPoint = originalComponents[cnt]; + } + else + { + pathInsideTranslocationPoint += "/" + originalComponents[cnt]; + } + } + } + } + } +} + +/* if we should translocate and a stored path inside the translocation point exists, then add it to the + passed in string. If no path inside is stored, then return the passed in string if translocation + should occur, and the original path for the TranslocationPath if translocation shouldn't occur */ +string TranslocationPath::getTranslocatedPathToOriginalPath(const string &translocationPoint) const +{ + string seperator = translocationPoint.back() != '/' ? "/" : ""; + + if (should) + { + if(!pathInsideTranslocationPoint.empty()) + { + return translocationPoint + seperator + pathInsideTranslocationPoint; + } + else + { + return translocationPoint; + } + } + else + { + //If we weren't supposed to translocate return the original path. + return realOriginalPath; + } +} + +/* Given an fd for a path find the outermost acceptable code bundle and return an fd for that. + an acceptable outermost bundle is quarantined, user approved, and a code bundle. 
+ If nothing is found outside the path to the fd provided, then passed in fd or a copy there of is returned.*/ +ExtendedAutoFileDesc TranslocationPath::findOuterMostCodeBundleForFD(ExtendedAutoFileDesc &fd) +{ + if( fd.isMountPoint() || !fd.isQuarantined()) + { + return fd; + } + vector<string> path = splitPath(fd.getRealPath()); + size_t currentIndex = path.size() - 1; + size_t lastGoodIndex = currentIndex; + + string pathToCheck = joinPathUpTo(path, currentIndex); + /* + Proposed algorithm (pseudo-code): + lastGood := path := canonicalized path to be launched + + while path is not a mount point + if path is quarantined and not user-approved then exit loop # Gatekeeper has not cleared this code + if SecStaticCodeCreateWithPath(path) succeeds # used as an âis a code bundleâ oracle + then lastGood := path + path := parent directory of path + return lastGood + */ + while(currentIndex) + { + ExtendedAutoFileDesc currFd(pathToCheck); + + if (currFd.isMountPoint() || !currFd.isQuarantined() || !currFd.isUserApproved()) + { + break; + } + + SecStaticCodeRef staticCodeRef = NULL; + + if( SecStaticCodeCreateWithPath(CFTempURL(currFd.getRealPath()), kSecCSDefaultFlags, &staticCodeRef) == errSecSuccess) + { + lastGoodIndex = currentIndex; + CFRelease(staticCodeRef); + } + + currentIndex--; + pathToCheck = joinPathUpTo(path, currentIndex); + } + + return ExtendedAutoFileDesc(joinPathUpTo(path, lastGoodIndex)); +} + +/* Given an fd to a translocated file, build the path to the original file + Throws if the fd isn't in a nullfs mount for the calling user. 
*/ +string getOriginalPath(const ExtendedAutoFileDesc& fd, bool* isDir) +{ + if (!fd.isFileSystemType(NULLFS_FSTYPE) || + isDir == NULL || + !fd.isInPrefixDir(fd.getMountPoint())) + { + Syslog::error("SecTranslocate::getOriginalPath called with invalid params: fs_type = %s, isDir = %p, realPath = %s, mountpoint = %s", + fd.getFsType().c_str(), + isDir, + fd.getRealPath().c_str(), + fd.getMountPoint().c_str()); + UnixError::throwMe(EINVAL); + } + + string translocationBaseDir = translocationDirForUser(); + + if(!fd.isInPrefixDir(translocationBaseDir)) + { + Syslog::error("SecTranslocate::getOriginal path called with path (%s) that doesn't belong to user (%d)", + fd.getRealPath().c_str(), + getuid()); + UnixError::throwMe(EPERM); + } + + *isDir = fd.isA(S_IFDIR); + + vector<string> mountFromPath = splitPath(fd.getMountFromPath()); + vector<string> mountPointPath = splitPath(fd.getMountPoint()); + vector<string> translocatedRealPath = splitPath(fd.getRealPath()); + + if (mountPointPath.size() > translocatedRealPath.size()) + { + Syslog::warning("SecTranslocate: invalid translocated path %s", fd.getRealPath().c_str()); + UnixError::throwMe(EINVAL); + } + + string originalPath = fd.getMountFromPath(); + + int i; + + for( i = 0; i<translocatedRealPath.size(); i++) + { + /* match the mount point directories to the real path directories */ + if( i < mountPointPath.size()) + { + if(translocatedRealPath[i] != mountPointPath[i]) + { + Syslog::error("SecTranslocate: invalid translocated path %s", fd.getRealPath().c_str()); + UnixError::throwMe(EINVAL); + } + } + /* check for the d directory */ + else if( i == mountPointPath.size()) + { + if( translocatedRealPath[i] != "d") + { + Syslog::error("SecTranslocate: invalid translocated path %s", fd.getRealPath().c_str()); + UnixError::throwMe(EINVAL); + } + } + /* check for the app name */ + else if( i == mountPointPath.size() + 1) + { + if( translocatedRealPath[i] != mountFromPath.back()) + { + Syslog::error("SecTranslocate: 
invalid translocated path %s", fd.getRealPath().c_str()); + UnixError::throwMe(EINVAL); + } + } + /* we are past the app name so add what ever is left */ + else + { + originalPath +="/"+translocatedRealPath[i]; + } + } + + if( i == mountPointPath.size() || i == mountPointPath.size() + 1) + { + //Asked for the original path of the mountpoint or /d/ + Syslog::warning("SecTranslocate: asked for the original path of a virtual directory: %s", fd.getRealPath().c_str()); + UnixError::throwMe(ENOENT); + } + + /* Make sure what we built actually exists */ + ExtendedAutoFileDesc originalFD(originalPath); + if(!originalFD.pathIsAbsolute()) + { + Syslog::error("SecTranslocate: Calculated original path contains symlinks:\n\tExpected: %s\n\tRequested: %s", + originalFD.getRealPath().c_str(), + originalPath.c_str()); + UnixError::throwMe(EINVAL); + } + + return originalPath; +} + +/* Given a path that should be a translocation path, and the path to an app do the following: + 1. Validate that the translocation path (appPath) is a valid translocation path + 2. Validate that the translocation path (appPath) is valid for the app specified by originalPath + 3. 
Calculate what the mountpoint path would be given the app path + */ +static string getMountpointFromAppPath(const string &appPath, const string &originalPath) +{ + /* assume that appPath looks like: + /my/user/temp/dir/AppTranslocation/MY-UUID/d/foo.app + + and assume original path looks like: + /my/user/dir/foo.app + + In this function we find and return /my/user/temp/dir/AppTranslocation/MY-UUID/ + we also verify that the stuff after that in appPath was /d/foo.app if the last directory + in originalPath was /foo.app + */ + string result; + + vector<string> app = splitPath(appPath); // throws if empty or not absolute + vector<string> original = splitPath(originalPath); //throws if empty or not absolute + + if (original.size() == 0) // had to have at least one directory, can't null mount / + { + Syslog::error("SecTranslocate: invalid original path: %s", originalPath.c_str()); + UnixError::throwMe(EINVAL); + } + + if (app.size() >= 3 && //the app path must have at least 3 directories, can't null mount onto / + app.back() == original.back()) //last directory of both match + { + app.pop_back(); + if(app.back() == "d") //last directory of app path is preceded by /d/ + { + app.pop_back(); + result = joinPath(app); + goto end; + } + } + + Syslog::error("SecTranslocate: invalid app path: %s", appPath.c_str()); + UnixError::throwMe(EINVAL); + +end: + return result; +} + +/* Read the mount table and return it in a vector */ +static vector<struct statfs> getMountTableSnapshot() +{ + vector<struct statfs> mntInfo; + int fs_cnt_first = 0; + int fs_cnt_second = 0; + int retry = 2; + + /*Strategy here is: + 1. check the current mount table size + 2. allocate double the required space + 3. actually read the mount table + 4. 
if the read actually filled up that double size try again once otherwise we are done + */ + + while(retry) + { + fs_cnt_first = getfsstat(NULL, 0 , MNT_WAIT); + if(fs_cnt_first <= 0) + { + Syslog::warning("SecTranslocate: error(%d) getting mount table info.", errno); + UnixError::throwMe(); + } + + if( fs_cnt_first == fs_cnt_second) + { + /* this path only applies on a retry. If our second attempt to get the size is + the same as what we already read then break. */ + break; + } + + mntInfo.resize(fs_cnt_first*2); + + fs_cnt_second = getfsstat(mntInfo.data(), (int)(mntInfo.size() * sizeof(struct statfs)), MNT_WAIT); + if (fs_cnt_second <= 0) + { + Syslog::warning("SecTranslocate: error(%d) getting mount table info.", errno); + UnixError::throwMe(); + } + + if( fs_cnt_second == mntInfo.size()) + { + retry--; + } + else + { + mntInfo.resize(fs_cnt_second); // trim the vector to what we actually need + break; + } + } + + if( retry == 0) + { + Syslog::warning("SecTranslocate: mount table is growing very quickly"); + } + + return mntInfo; +} + +/* Given the directory where app translocations go for this user, the path to the app to be translocated + and an optional destination mountpoint path. Check the mount table to see if a mount point already + user, for this app. 
If a destMountPoint is provided, make sure it is for this user, and that + exists for this the mountpoint found in the mount table is the same as the one requested */ +static string mountExistsForUser(const string &translationDirForUser, const string &originalPath, const string &destMountPoint) +{ + string result; // start empty + + if(!destMountPoint.empty()) + { + /* Validate that destMountPoint path is well formed and for this user + well formed means it is === translationDirForUser/<1 directory> + */ + vector<string> splitDestMount = splitPath(destMountPoint); + + if(splitDestMount.size() < 2) //translationDirForUser is never / + { + Syslog::warning("SecTranslocate: invalid destination mount point: %s", + destMountPoint.c_str()); + UnixError::throwMe(EINVAL); + } + + splitDestMount.pop_back(); // knock off one directory + + string destBaseDir = joinPath(splitDestMount)+"/"; //translationDirForUser has a / at the end + + if (translationDirForUser != destBaseDir) + { + Syslog::warning("SecTranslocate: invalid destination mount point for user\n\tExpected: %s\n\tRequested: %s", + translationDirForUser.c_str(), + destBaseDir.c_str()); + /* requested destination isn't valid for the user */ + UnixError::throwMe(EINVAL); + } + } + + vector <struct statfs> mntbuf = getMountTableSnapshot(); + + for (auto &i : mntbuf) + { + string mountOnName = i.f_mntonname; + size_t lastNonSlashPos = mountOnName.length() - 1; //start at the end of the string + + /* find the last position of the last non slash character */ + for(; lastNonSlashPos != 0 && mountOnName[lastNonSlashPos] == '/' ; lastNonSlashPos--); + + /* we want an exact match for originalPath and a prefix match for translationDirForUser + also make sure that this is a nullfs mount and that the mount point name is longer than the + translation directory with something other than / */ + + if (i.f_mntfromname == originalPath && //mount is for the requested path + strcmp(i.f_fstypename, NULLFS_FSTYPE) == 0 && // mount is a 
nullfs mount + lastNonSlashPos > translationDirForUser.length()-1 && // no shenanigans, there must be more directory here than just the translation dir + strncmp(i.f_mntonname, translationDirForUser.c_str(), translationDirForUser.length()) == 0) //mount is inside the translocation dir + { + if(!destMountPoint.empty()) + { + if (mountOnName != destMountPoint) + { + /* a mount exists for this path, but its not the one requested */ + Syslog::warning("SecTranslocate: requested destination doesn't match existing\n\tExpected: %s\n\tRequested: %s", + i.f_mntonname, + destMountPoint.c_str()); + UnixError::throwMe(EEXIST); + } + } + result = mountOnName; + break; + } + } + + return result; +} + +/* Given what we think is a valid mountpoint, perform a sanity check, and clean up if we are wrong */ +static void validateMountpoint(const string &mountpoint, bool owned) +{ + /* Requirements: + 1. can be opened + 2. is a directory + 3. is not already a mountpoint + 4. is an absolute path + */ + bool isDir = false; + bool isMount = false; + bool isEmpty = true; + + try { + /* first make sure this is a directory and that it is empty + (it could be dangerous to mount over a directory that contains something, + unfortunately this is still racy, and mount() is path based so we can't lock + down the directory until the mount succeeds (lock down is because of the entitlement + checks in nullfs))*/ + DIR* dir = opendir(mountpoint.c_str()); + int error = 0; + + if (dir == NULL) + { + error = errno; + Syslog::warning("SecTranslocate: mountpoint is not a directory or doesn't exist: %s", + mountpoint.c_str()); + UnixError::throwMe(error); + } + + isDir = true; + + struct dirent *d; + struct dirent dirbuf; + int cnt = 0; + int err = 0; + while(((err = readdir_r(dir, &dirbuf, &d)) == 0) && + d != NULL) + { + /* skip . and .. 
but break if there is more than that */ + if(++cnt > 2) + { + isEmpty = false; + break; + } + } + + error = errno; + (void)closedir(dir); + + if(err) + { + Syslog::warning("SecTranslocate: error while checking that mountpoint is empty"); + UnixError::throwMe(error); + } + + if(!isEmpty) + { + Syslog::warning("Sectranslocate: mountpoint is not empty: %s", + mountpoint.c_str()); + UnixError::throwMe(EBUSY); + } + + /* now check that the path is not a mountpoint */ + ExtendedAutoFileDesc fd(mountpoint); + + if(!fd.pathIsAbsolute()) + { + Syslog::warning("SecTranslocate: mountpoint isn't fully resolved\n\tExpected: %s\n\tActual: %s", + fd.getRealPath().c_str(), + mountpoint.c_str()); + UnixError::throwMe(EINVAL); + } + + isMount = fd.isMountPoint(); + + if(isMount) + { + Syslog::warning("SecTranslocate:Translocation failed, new mountpoint is already a mountpoint (%s)", + mountpoint.c_str()); + UnixError::throwMe(EINVAL); + } + } + catch(...) + { + if(owned) + { + if (!isMount) + { + if (isDir) + { + if(isEmpty) + { + rmdir(mountpoint.c_str()); + } + /* Already logged the else case above */ + } + else + { + Syslog::warning("SecTranslocate: unexpected file detected at mountpoint location (%s). 
Deleting.", + mountpoint.c_str()); + unlink(mountpoint.c_str()); + } + } + } + rethrow_exception(current_exception()); + } +} + +/* Create and validate the directory that we should mount at but don't create the mount yet */ +static string makeNewMountpoint(const string &translationDir) +{ + AutoFileDesc fd(getFDForDirectory(translationDir)); + + string uuid = makeUUID(); + + UnixError::check(mkdirat(fd, uuid.c_str(), 0500)); + + string mountpoint = translationDir+uuid; + + validateMountpoint(mountpoint); + + return mountpoint; +} + +/* If the original path has mountpoint quarantine info, apply it to the new mountpoint*/ +static void setMountPointQuarantineIfNecessary(const string &mountPoint, const string &originalPath) +{ + struct statfs sfsbuf; + int error = 0; + + UnixError::check(statfs(originalPath.c_str(), &sfsbuf)); + qtn_file_t original_attr = qtn_file_alloc(); + + if (original_attr != NULL) + { + if (qtn_file_init_with_mount_point(original_attr, sfsbuf.f_mntonname) == 0) + { + error = qtn_file_apply_to_mount_point(original_attr, mountPoint.c_str()); + } + qtn_file_free(original_attr); + } + else + { + error = errno; + } + + if (error) + { + Syslog::warning("SecTranslocate: Failed to apply quarantine information\n\tMountpoint: %s\n\tOriginal Path: %s", + mountPoint.c_str(), + originalPath.c_str()); + UnixError::throwMe(error); + } +} + +/* Given the path to a new mountpoint and the original path to translocate, calculate the path + to the desired app in the new mountpoint, and sanity check that calculation */ +static string newAppPath (const string &mountPoint, const TranslocationPath &originalPath) +{ + vector<string> original = splitPath(originalPath.getPathToTranslocate()); + + if (original.size() == 0) + { + Syslog::error("SecTranslocate: Invalid originalPath: %s", originalPath.getPathToTranslocate().c_str()); + UnixError::throwMe(EINVAL); + } + + string midPath = mountPoint+"/d"; + string outPath = 
originalPath.getTranslocatedPathToOriginalPath(midPath+"/"+original.back()); + + /* ExtendedAutoFileDesc will throw if one of these doesn't exist or isn't accessible */ + ExtendedAutoFileDesc mountFd(mountPoint); + ExtendedAutoFileDesc midFd(midPath); + ExtendedAutoFileDesc outFd(outPath); + + if(!outFd.isFileSystemType(NULLFS_FSTYPE) || + !mountFd.isFileSystemType(NULLFS_FSTYPE) || + !midFd.isFileSystemType(NULLFS_FSTYPE)) + { + Syslog::warning("SecTranslocate::App exists at expected translocation path (%s) but isn't a nullfs mount (%s)", + outPath.c_str(), + outFd.getFsType().c_str()); + UnixError::throwMe(EINVAL); + } + + if(!outFd.pathIsAbsolute() || + !mountFd.pathIsAbsolute() || + !midFd.pathIsAbsolute() ) + { + Syslog::warning("SecTranslocate::App path isn't resolved\n\tGot: %s\n\tExpected: %s", + outFd.getRealPath().c_str(), + outPath.c_str()); + UnixError::throwMe(EINVAL); + } + + fsid_t outFsid = outFd.getFsid(); + fsid_t midFsid = midFd.getFsid(); + fsid_t mountFsid = mountFd.getFsid(); + + /* different fsids mean that there is more than one volume between the expected mountpoint and the expected app path */ + if (memcmp(&outFsid, &midFsid, sizeof(fsid_t)) != 0 || + memcmp(&outFsid, &mountFsid, sizeof(fsid_t)) != 0) + { + Syslog::warning("SecTranslocate:: the fsid is not consistent between app, /d/ and mountpoint"); + UnixError::throwMe(EINVAL); + } + + return outFd.getRealPath(); +} + +/* Create an app translocation point given the original path and an optional destination path. + note the destination path can only be an outermost path (where the translocation would happen) and not a path to nested code + synchronize the process on the dispatch queue. 
*/ +string translocatePathForUser(const TranslocationPath &originalPath, const string &destPath) +{ + string newPath; + exception_ptr exception(0); + + string mountpoint; + bool owned = false; + try + { + const string &toTranslocate = originalPath.getPathToTranslocate(); + string baseDirForUser = translocationDirForUser(); //throws + string destMountPoint; + if(!destPath.empty()) + { + destMountPoint = getMountpointFromAppPath(destPath, toTranslocate); //throws or returns a mountpoint + } + + mountpoint = mountExistsForUser(baseDirForUser, toTranslocate, destMountPoint); //throws, detects invalid destMountPoint string + + if (!mountpoint.empty()) + { + /* A mount point exists already so bail*/ + newPath = newAppPath(mountpoint, originalPath); + return newPath; /* exit the block */ + } + if (destMountPoint.empty()) + { + mountpoint = makeNewMountpoint(baseDirForUser); //throws + owned = true; + } + else + { + AutoFileDesc fd(getFDForDirectory(destMountPoint, &owned)); //throws, makes the directory if it doesn't exist + + validateMountpoint(destMountPoint, owned); //throws + mountpoint = destMountPoint; + } + + UnixError::check(mount(NULLFS_FSTYPE, mountpoint.c_str(), MNT_RDONLY, (void*)toTranslocate.c_str())); + + setMountPointQuarantineIfNecessary(mountpoint, toTranslocate); //throws + + newPath = newAppPath(mountpoint, originalPath); //throws + + if (!destPath.empty()) + { + if (newPath != originalPath.getTranslocatedPathToOriginalPath(destPath)) + { + Syslog::warning("SecTranslocate: created app translocation point did not equal requested app translocation point\n\texpected: %s\n\tcreated: %s", + newPath.c_str(), + destPath.c_str()); + /* the app at originalPath didn't match the one at destPath */ + UnixError::throwMe(EINVAL); + } + } + // log that we created a new mountpoint (we don't log when we are re-using) + Syslog::warning("SecTranslocateCreateSecureDirectoryForURL: created %s", + newPath.c_str()); + } + catch (...) 
+ { + exception = current_exception(); + + if (!mountpoint.empty()) + { + if (owned) + { + /* try to unmount/delete (best effort)*/ + unmount(mountpoint.c_str(), 0); + rmdir(mountpoint.c_str()); + } + } + } + + /* rethrow outside the dispatch block */ + if (exception) + { + rethrow_exception(exception); + } + + return newPath; +} + +/* Loop through the directory in the specified user directory and delete any that aren't mountpoints */ +static void cleanupTranslocationDirForUser(const string &userDir) +{ + DIR* translocationDir = opendir(userDir.c_str()); + + if( translocationDir ) + { + struct dirent de; + struct statfs sfbuf; + struct dirent * result = NULL; + + while (readdir_r(translocationDir, &de, &result) == 0 && result) + { + if(result->d_type == DT_DIR) + { + if (result->d_name[0] == '.') + { + if(result->d_namlen == 1 || + (result->d_namlen == 2 && + result->d_name[1] == '.')) + { + /* skip . and .. */ + continue; + } + } + string nextDir = userDir+string(result->d_name); + if (0 == statfs(nextDir.c_str(), &sfbuf) && + nextDir == sfbuf.f_mntonname) + { + /* its a mount point so continue */ + continue; + } + + /* not a mountpoint so delete it */ + if(unlinkat(dirfd(translocationDir), result->d_name, AT_REMOVEDIR)) + { + Syslog::warning("SecTranslocate: failed to delete directory during cleanup (error %d)\n\tUser Dir: %s\n\tDir to delete: %s", + errno, + userDir.c_str(), + result->d_name); + } + } + } + closedir(translocationDir); + } +} + +/* Unmount and delete a directory */ +static int removeMountPoint(const string &mountpoint, bool force) +{ + int error = 0; + + if (0 == unmount(mountpoint.c_str(), force ? 
MNT_FORCE : 0) && + 0 == rmdir(mountpoint.c_str())) + { + Syslog::warning("SecTranslocate: removed mountpoint: %s", + mountpoint.c_str()); + } + else + { + error = errno; + Syslog::warning("SecTranslocate: failed to unmount/remove mount point (errno: %d): %s", + error, mountpoint.c_str()); + } + + return error; +} + +/* Destroy the specified translocated path, and clean up the user's translocation directory. + It is the caller's responsibility to synchronize the operation on the dispatch queue. */ +bool destroyTranslocatedPathForUser(const string &translocatedPath) +{ + bool result = false; + int error = 0; + /* steps + 1. verify the translocatedPath is for the user + 2. verify it is a nullfs mountpoint (with app path) + 3. unmount it + 4. delete it + 5. loop through all the other directories in the app translation directory looking for directories not mounted on and delete them. + */ + + string baseDirForUser = translocationDirForUser(); // throws + bool shouldUnmount = false; + string translocatedMountpoint; + + { //Use a block to get rid of the file descriptor before we try to unmount. + ExtendedAutoFileDesc fd(translocatedPath); + translocatedMountpoint = fd.getMountPoint(); + /* + To support unmount when nested apps end, just make sure that the requested path is on a translocation + point for this user, not that they asked for a translocation point to be removed. 
+ */ + shouldUnmount = fd.isInPrefixDir(baseDirForUser) && fd.isFileSystemType(NULLFS_FSTYPE); + } + + if (shouldUnmount) + { + error = removeMountPoint(translocatedMountpoint); + result = error == 0; + } + + if (!result && !error) + { + Syslog::warning("SecTranslocate: mountpoint does not belong to user(%d): %s", + getuid(), + translocatedPath.c_str()); + error = EPERM; + } + + cleanupTranslocationDirForUser(baseDirForUser); + + if (error) + { + UnixError::throwMe(error); + } + + return result; +} + +/* Cleanup any translocation directories for this user that are either mounted from the + specified volume or from a volume that doesn't exist anymore. If an empty volumePath + is provided this has the effect of only cleaning up translocation points that point + to volumes that don't exist anymore. + + It is the caller's responsibility to synchronize the operation on the dispatch queue. + */ +bool destroyTranslocatedPathsForUserOnVolume(const string &volumePath) +{ + bool cleanupError = false; + string baseDirForUser = translocationDirForUser(); + vector <struct statfs> mountTable = getMountTableSnapshot(); + fsid_t unmountingFsid; + + /* passing in an empty volume here will fail to open */ + ExtendedAutoFileDesc volume(volumePath, O_RDONLY, FileDesc::modeMissingOk); + + if(volume.isOpen()) + { + unmountingFsid = volume.getFsid(); + } + + for (auto &mnt : mountTable) + { + /* + we need to look at each translocation mount and check + 1. is it ours + 2. does its mntfromname still exist, if it doesn't unmount it + 3. if it does, is it the same as the volume we are cleaning up?, if so unmount it. + */ + if (strcmp(mnt.f_fstypename, NULLFS_FSTYPE) == 0 && + strncmp(mnt.f_mntonname, baseDirForUser.c_str(), baseDirForUser.length()) == 0) + { + ExtendedAutoFileDesc volumeToCheck(mnt.f_mntfromname, O_RDONLY, FileDesc::modeMissingOk); + + if (!volumeToCheck.isOpen()) + { + // In this case we are trying to unmount a translocation point that points to nothing. Force it. 
+ // Not forcing it currently hangs in UBC cleanup. + (void)removeMountPoint(mnt.f_mntonname , true); + } + else if (volume.isOpen()) + { + fsid_t toCheckFsid = volumeToCheck.getFsid(); + if( memcmp(&unmountingFsid, &toCheckFsid, sizeof(fsid_t)) == 0) + { + if(removeMountPoint(mnt.f_mntonname) != 0) + { + cleanupError = true; + } + } + } + } + } + + return !cleanupError; +} +/* This is intended to be used periodically to clean up translocation points that aren't used anymore */ +void tryToDestroyUnusedTranslocationMounts() +{ + vector <struct statfs> mountTable = getMountTableSnapshot(); + string baseDirForUser = translocationDirForUser(); + + for (auto &mnt : mountTable) + { + if (strcmp(mnt.f_fstypename, NULLFS_FSTYPE) == 0 && + strncmp(mnt.f_mntonname, baseDirForUser.c_str(), baseDirForUser.length()) == 0) + { + ExtendedAutoFileDesc volumeToCheck(mnt.f_mntfromname, O_RDONLY, FileDesc::modeMissingOk); + + // Try to destroy the mount point. If the mirroed volume (volumeToCheck) isn't open then force it. + // Not forcing it currently hangs in UBC cleanup. + (void)removeMountPoint(mnt.f_mntonname , !volumeToCheck.isOpen()); + } + } +} + +} //namespace SecTranslocate +}// namespace Security diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateShared.hpp b/OSX/libsecurity_translocate/lib/SecTranslocateShared.hpp new file mode 100644 index 00000000..0940b3a1 --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocateShared.hpp 
@@ -0,0 +1,89 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* Purpose: This header exposes shared functions that actually implement mount creation, policy question + answering and mount deletion. + + Important: None of these functions implement synchronization and they all throw exceptions. It is up + to the caller to handle those concerns. 
+ */ + +#include <string> +#include "SecTranslocateUtilities.hpp" + +#ifndef SecTranslocateShared_hpp +#define SecTranslocateShared_hpp + +namespace Security { + +namespace SecTranslocate { + +using namespace std; + +/* XPC Function keys */ +extern const char* kSecTranslocateXPCFuncCreate; +extern const char* kSecTranslocateXPCFuncCheckIn; + +/* XPC message argument keys */ +extern const char* kSecTranslocateXPCMessageFunction; +extern const char* kSecTranslocateXPCMessageOriginalPath; +extern const char* kSecTranslocateXPCMessageDestinationPath; +extern const char* kSecTranslocateXPCMessagePid; + +/*XPC message reply keys */ +extern const char* kSecTranslocateXPCReplyError; +extern const char* kSecTranslocateXPCReplySecurePath; + +class TranslocationPath +{ +public: + TranslocationPath(string originalPath); + inline bool shouldTranslocate() const { return should; }; + inline const string & getOriginalRealPath() const { return realOriginalPath; }; + inline const string & getPathToTranslocate() const { return pathToTranslocate; }; + inline const string & getPathInsideTranslocation() const { return pathInsideTranslocationPoint; } ; + string getTranslocatedPathToOriginalPath(const string &translocationPoint) const; +private: + TranslocationPath() = delete; + + bool should; + string realOriginalPath; + string pathToTranslocate; + string pathInsideTranslocationPoint; + + ExtendedAutoFileDesc findOuterMostCodeBundleForFD(ExtendedAutoFileDesc &fd); +}; + +string getOriginalPath(const ExtendedAutoFileDesc& fd, bool* isDir); //throws + +// For methods below, the caller is responsible for ensuring that only one thread is +// accessing/modifying the mount table at a time +string translocatePathForUser(const TranslocationPath &originalPath, const string &destPath); //throws +bool destroyTranslocatedPathForUser(const string &translocatedPath); //throws +bool destroyTranslocatedPathsForUserOnVolume(const string &volumePath = ""); //throws +void 
tryToDestroyUnusedTranslocationMounts(); + +} //namespace SecTranslocate +}// namespace Security + +#endif /* SecTranslocateShared_hpp */ diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateUtilities.cpp b/OSX/libsecurity_translocate/lib/SecTranslocateUtilities.cpp new file mode 100644 index 00000000..103dd357 --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocateUtilities.cpp 
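Review bot: `using namespace std;` sits inside `namespace SecTranslocate` in a public header, so every translation unit that includes SecTranslocateShared.hpp gets `std` pulled into that namespace whether it wants it or not; the header only needs `std::string`, so `using std::string;` (or fully qualifying the few uses) keeps the same declarations without the leak. The single-argument `TranslocationPath(string originalPath)` constructor is also not `explicit`, which lets a bare `string` convert silently into a translocation decision; `explicit TranslocationPath(string originalPath);` makes every construction visible at the call site. The header comment already says these functions throw and do no synchronization, which is useful — consider repeating on `translocatePathForUser` that `destPath` is validated against the resolved original path, since that is the only way a caller learns a mismatched destination fails with EINVAL.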
@@ -0,0 +1,330 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include <string> +#include <vector> + +#include <unistd.h> +#include <sys/types.h> +#include <sys/sysctl.h> +#include <dlfcn.h> + +#define __APPLE_API_PRIVATE +#include <quarantine.h> +#undef __APPLE_API_PRIVATE + +#include <security_utilities/logging.h> +#include <security_utilities/unix++.h> +#include <security_utilities/cfutilities.h> + +#include "SecTranslocateUtilities.hpp" + +#define APP_TRANSLOCATION_DIR "/AppTranslocation/" + +namespace Security { + +using namespace Security::UnixPlusPlus; + +namespace SecTranslocate { + +using namespace std; + +/* store the real path and fstatfs for the file descriptor. 
This throws if either fail */ +void ExtendedAutoFileDesc::init() +{ + char absPath[MAXPATHLEN]; + if(isOpen()) + { + UnixError::check(fstatfs(fd(), &fsInfo)); + fcntl(F_GETPATH, absPath); + realPath = absPath; + quarantined = false; + qtn_flags = 0; + quarantineFetched = false; //only fetch quarantine info when we need it + } +} + +bool ExtendedAutoFileDesc::isFileSystemType(const string &fsType) const +{ + notOpen(); //Throws if not Open + + return fsType == fsInfo.f_fstypename; +} + +bool ExtendedAutoFileDesc::pathIsAbsolute() const +{ + notOpen(); //Throws if not Open + + return originalPath == realPath; +} + +bool ExtendedAutoFileDesc::isMountPoint() const +{ + notOpen(); //Throws if not Open + return realPath == fsInfo.f_mntonname; +} +bool ExtendedAutoFileDesc::isInPrefixDir(const string &prefixDir) const +{ + notOpen(); //Throws if not Open + + return strncmp(realPath.c_str(), prefixDir.c_str(), prefixDir.length()) == 0; +} + +string ExtendedAutoFileDesc::getFsType() const +{ + notOpen(); //Throws if not Open + + return fsInfo.f_fstypename; +} + +string ExtendedAutoFileDesc::getMountPoint() const +{ + notOpen(); //Throws if not Open + + return fsInfo.f_mntonname; +} + +string ExtendedAutoFileDesc::getMountFromPath() const +{ + notOpen(); //Throws if not Open + + return fsInfo.f_mntfromname; +} + +const string& ExtendedAutoFileDesc::getRealPath() const +{ + notOpen(); //Throws if not Open + + return realPath; +} + +fsid_t const ExtendedAutoFileDesc::getFsid() const +{ + notOpen(); //Throws if not Open + + return fsInfo.f_fsid; +} + +void ExtendedAutoFileDesc::fetchQuarantine() +{ + if(!quarantineFetched) + { + notOpen(); + + qtn_file_t qf = qtn_file_alloc(); + + if(qf) + { + if(0 == qtn_file_init_with_fd(qf, fd())) + { + quarantined = true; + qtn_flags = qtn_file_get_flags(qf); + } + qtn_file_free(qf); + quarantineFetched = true; + } + else + { + Syslog::error("SecTranslocate: failed to allocate memory for quarantine struct"); + UnixError::throwMe(); + } + } 
+} + +bool ExtendedAutoFileDesc::isQuarantined() +{ + notOpen(); + fetchQuarantine(); + + return quarantined; +} + +bool ExtendedAutoFileDesc::isUserApproved() +{ + notOpen(); + fetchQuarantine(); + + return ((qtn_flags & QTN_FLAG_USER_APPROVED) == QTN_FLAG_USER_APPROVED); +} + +bool ExtendedAutoFileDesc::shouldTranslocate() +{ + notOpen(); + fetchQuarantine(); + + return ((qtn_flags & (QTN_FLAG_TRANSLOCATE | QTN_FLAG_DO_NOT_TRANSLOCATE)) == QTN_FLAG_TRANSLOCATE); +} + +/* Take an absolute path and split it into a vector of path components */ +vector<string> splitPath(const string &path) +{ + vector<string> out; + size_t start = 0; + size_t end = 0; + size_t len = 0; + + if(path.empty() || path.front() != '/') + { + Syslog::error("SecTranslocate::splitPath: asked to split a non-absolute or empty path: %s",path.c_str()); + UnixError::throwMe(EINVAL); + } + + while(end != string::npos) + { + end = path.find('/', start); + len = (end == string::npos) ? end : (end - start); + string temp = path.substr(start,len); + + if(!temp.empty()) + { + out.push_back(temp); + } + start = end + 1; + } + + return out; +} + +/* Take a vector of path components and turn it into an absolute path */ +string joinPath(vector<string>& path) +{ + string out = ""; + for(auto &i : path) + { + out += "/"+i; + } + return out; +} + +string joinPathUpTo(vector<string> &path, size_t index) +{ + if (path.size() == 0 || index > path.size()-1) + { + Syslog::error("SecTranslocate::joinPathUpTo invalid index %lu (size %lu)",index, path.size()-1); + UnixError::throwMe(EINVAL); + } + + string out = ""; + for (size_t i = 0; i <= index; i++) + { + out += "/" + path[i]; + } + + return out; +} + +/* Fully resolve the path provided */ +string getRealPath(const string &path) +{ + char absPath[MAXPATHLEN]; + AutoFileDesc fd(path); + fd.fcntl(F_GETPATH, absPath); + return absPath; +} + +/* Create a UUID string */ +string makeUUID() +{ + CFRef<CFUUIDRef> newUUID = CFUUIDCreate(NULL); + if (!newUUID) + { + 
UnixError::throwMe(ENOMEM); + } + + CFRef<CFStringRef> str = CFUUIDCreateString(NULL, newUUID.get()); + if (!str) + { + UnixError::throwMe(ENOMEM); + } + + return cfString(str); +} + +void* checkedDlopen(const char* path, int mode) +{ + void* handle = dlopen(path, mode); + + if(handle == NULL) + { + Syslog::critical("SecTranslocate: failed to load library %s: %s", path, dlerror()); + UnixError::throwMe(); + } + + return handle; +} + +void* checkedDlsym(void* handle, const char* symbol) +{ + void* result = dlsym(handle, symbol); + + if(result == NULL) + { + Syslog::critical("SecTranslocate: failed to load symbol %s: %s", symbol, dlerror()); + UnixError::throwMe(); + } + return result; +} + +/* Calculate the app translocation directory for the user inside the user's temp directory */ +string translocationDirForUser() +{ + char userTempPath[MAXPATHLEN]; + + if(confstr(_CS_DARWIN_USER_TEMP_DIR, userTempPath, sizeof(userTempPath)) == 0) + { + Syslog::error("SecTranslocate: Failed to get temp dir for user %d (error:%d)", + getuid(), + errno); + UnixError::throwMe(); + } + + // confstr returns a path with a symlink, we want the resolved path */ + return getRealPath(userTempPath)+APP_TRANSLOCATION_DIR; +} + +/* Get a file descriptor for the provided path. if the last component of the provided path doesn't + exist, create it and then re-attempt to get the file descriptor. + */ +int getFDForDirectory(const string &directoryPath, bool *owned) +{ + FileDesc fd(directoryPath, O_RDONLY, FileDesc::modeMissingOk); + if(!fd) + { + UnixError::check(mkdir(directoryPath.c_str(),0755)); + fd.open(directoryPath); + /* owned means that the library created the directory rather than it being pre-existent. + We just made a directory that didn't exist before, so set owned to true. */ + if(owned) + { + *owned = true; + } + } + else if (owned) + { + *owned = false; + } + + return fd; +} +} +} 
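Review bot: `translocationDirForUser` checks only for `confstr` returning 0, but `confstr` returns the full length of the value including the terminator, so a result larger than `sizeof(userTempPath)` means the temp path was truncated and the code would then resolve and use a wrong directory; the check should be `size_t n = confstr(_CS_DARWIN_USER_TEMP_DIR, userTempPath, sizeof(userTempPath)); if (n == 0 || n > sizeof(userTempPath)) { ... throwMe(); }`. The comment on the following line is also malformed (`// ... we want the resolved path */`). In `getFDForDirectory` the pre-existing-path branch opens with plain `O_RDONLY`, so a symlink or regular file at `directoryPath` is returned with `*owned = false`; if `validateMountpoint` (not in this hunk) does not reject those, `O_DIRECTORY | O_NOFOLLOW` here would make the contract explicit — please confirm which layer is responsible.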
diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateUtilities.hpp b/OSX/libsecurity_translocate/lib/SecTranslocateUtilities.hpp new file mode 100644 index 00000000..e2503e2d --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocateUtilities.hpp 
@@ -0,0 +1,108 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* Purpose: + This header and its corresponding implementation are intended to house functionality that's useful + throughtout SecTranslocate but isn't directly tied to the SPI or things that must be serialized. 
+ */ + +#ifndef SecTranslocateUtilities_hpp +#define SecTranslocateUtilities_hpp + +#include <stdio.h> +#include <sys/param.h> +#include <sys/mount.h> +#include <security_utilities/unix++.h> + +#include <string> +#include <vector> + +#define NULLFS_FSTYPE "nullfs" + +namespace Security { + +using namespace Security::UnixPlusPlus; + +namespace SecTranslocate { + +using namespace std; + +class ExtendedAutoFileDesc : public AutoFileDesc { +public: + ExtendedAutoFileDesc() = delete; //Always want these initialized with a path + + ExtendedAutoFileDesc(const char *path, int flag = O_RDONLY, mode_t mode = 0666) + : AutoFileDesc(path, flag, mode), originalPath(path) { init(); } + ExtendedAutoFileDesc(const std::string &path, int flag = O_RDONLY, mode_t mode = 0666) + : AutoFileDesc(path, flag, mode),originalPath(path) { init(); } + + bool isFileSystemType(const string &fsType) const; + bool pathIsAbsolute() const; + bool isMountPoint() const; + bool isInPrefixDir(const string &prefixDir) const; + string getFsType() const; + string getMountPoint() const; + string getMountFromPath() const; + const string& getRealPath() const; + fsid_t const getFsid() const; + bool isQuarantined(); + bool isUserApproved(); + bool shouldTranslocate(); + + // implicit destructor should call AutoFileDesc destructor. Nothing else to clean up. 
+private: + void init(); + inline void notOpen() const { if(!isOpen()) UnixError::throwMe(EINVAL); }; + + struct statfs fsInfo; + string realPath; + string originalPath; + bool quarantineFetched; + bool quarantined; + uint32_t qtn_flags; + void fetchQuarantine(); +}; + +//General utilities +string makeUUID(); +void* checkedDlopen(const char* path, int mode); +void* checkedDlsym(void* handle, const char* symbol); + +//Path parsing functions +vector<string> splitPath(const string &path); +string joinPath(vector<string>& path); + string joinPathUpTo(vector<string> &path, size_t index); + +//File system utlities +string getRealPath(const string &path); +int getFDForDirectory(const string &directoryPath, bool *owned = NULL); //creates the directory if it can + + +//Translocation specific utilities +string translocationDirForUser(); + +} // namespace SecTranslocate +} // namespace Security + + +#endif /* SecTranslocateUtilities_hpp */ diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateXPCServer.cpp b/OSX/libsecurity_translocate/lib/SecTranslocateXPCServer.cpp new file mode 100644 index 00000000..769f72ac --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocateXPCServer.cpp 
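Review bot: `getFDForDirectory` hands back a raw `int` and nothing in the header says who closes it; the visible caller in SecTranslocateShared.cpp wraps it in an `AutoFileDesc`, which suggests ownership passes to the caller, so the declaration should say so: `// Returns an open, caller-owned descriptor (close it or wrap in AutoFileDesc); *owned is true only when this call created the directory.` The `ExtendedAutoFileDesc` constructors default `mode` to 0666, which is harmless for the `O_RDONLY` opens in this patch but becomes a world-writable-creation default the moment someone passes `O_CREAT`; a comment noting the mode is only meaningful with `O_CREAT`, or a tighter default, would prevent that. As in the sibling header, `using namespace std;` inside the namespace leaks into every includer.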
@@ -0,0 +1,155 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include <string> +#include <vector> + +#include <dispatch/dispatch.h> +#include <xpc/xpc.h> + +#include <security_utilities/unix++.h> +#include <security_utilities/logging.h> + +#include "SecTranslocateInterface.hpp" +#include "SecTranslocateXPCServer.hpp" +#include "SecTranslocateUtilities.hpp" +#include "SecTranslocateShared.hpp" + +namespace Security { +namespace SecTranslocate { + +static void doCreate(xpc_object_t msg, xpc_object_t reply) +{ + const char* original = xpc_dictionary_get_string(msg, kSecTranslocateXPCMessageOriginalPath); + const char* dest = xpc_dictionary_get_string(msg, kSecTranslocateXPCMessageDestinationPath); + + string originalPath = original ? original : ""; + string destPath = dest ? 
dest: ""; + + if( originalPath.empty()) + { + Syslog::error("SecTranslocate: XPCServer, doCreate no path to translocate"); + UnixError::throwMe(EINVAL); + } + + TranslocationPath tPath(originalPath); + + string result = tPath.getOriginalRealPath(); + + if(tPath.shouldTranslocate()) + { + result = Security::SecTranslocate::translocatePathForUser(tPath, destPath); + } + xpc_dictionary_set_string(reply, kSecTranslocateXPCReplySecurePath, result.c_str()); +} + +static void doCheckIn(xpc_object_t msg) +{ + if (xpc_dictionary_get_value(msg, kSecTranslocateXPCMessagePid) == NULL) + { + Syslog::error("SecTranslocate, XpcServer, doCheckin, no pid provided"); + UnixError::throwMe(EINVAL); + } + int64_t pid = xpc_dictionary_get_int64(msg, kSecTranslocateXPCMessagePid); + Translocator * t = getTranslocator(); + if(t) + { + t->appLaunchCheckin((pid_t)pid); + } + else + { + Syslog::critical("SecTranslocate, XpcServer, doCheckin, No top level translocator"); + UnixError::throwMe(EINVAL); + } +} + +XPCServer::XPCServer(dispatch_queue_t q):notificationQ(q) +{ + if(q == NULL) + { + Syslog::critical("SecTranslocate: XPCServer, no dispatch queue provided"); + UnixError::throwMe(EINVAL); + } + //notificationQ is assumed to be serial + service = xpc_connection_create_mach_service(SECTRANSLOCATE_XPC_SERVICE_NAME, + notificationQ, + XPC_CONNECTION_MACH_SERVICE_LISTENER); + if (service == NULL) + { + Syslog::critical("SecTranslocate: XPCServer, failed to create xpc mach service"); + UnixError::throwMe(ENOMEM); + } + + dispatch_retain(notificationQ); + xpc_connection_set_event_handler(service, ^(xpc_object_t cmsg) { + if (xpc_get_type(cmsg) == XPC_TYPE_CONNECTION) { + xpc_connection_t connection = xpc_connection_t(cmsg); + Syslog::debug("SecTranslocate: XPCServer, Connection from pid %d", xpc_connection_get_pid(connection)); + xpc_connection_set_event_handler(connection, ^(xpc_object_t msg) { + if (xpc_get_type(msg) == XPC_TYPE_DICTIONARY) { + xpc_retain(msg); + 
dispatch_async(notificationQ, ^{ // async from here + const char *function = xpc_dictionary_get_string(msg, kSecTranslocateXPCMessageFunction); + Syslog::debug("SecTranslocate: XPCServer, pid %d requested %s", xpc_connection_get_pid(connection), function); + xpc_object_t reply = xpc_dictionary_create_reply(msg); + try { + if (function == NULL) { + xpc_dictionary_set_int64(reply, kSecTranslocateXPCReplyError, EINVAL); + } else if (!strcmp(function, kSecTranslocateXPCFuncCreate)) { + doCreate(msg, reply); + } else if (!strcmp(function, kSecTranslocateXPCFuncCheckIn)) { + doCheckIn(msg); + } else { + xpc_dictionary_set_int64(reply, kSecTranslocateXPCReplyError, EINVAL); + } + } catch (Security::UnixError err) { + xpc_dictionary_set_int64(reply, kSecTranslocateXPCReplyError, err.unixError()); + } catch (...) { + xpc_dictionary_set_int64(reply, kSecTranslocateXPCReplyError, EINVAL); + } + xpc_release(msg); + if (reply) { + xpc_connection_send_message(connection, reply); + xpc_release(reply); + } + }); + } + }); + xpc_connection_resume(connection); + } else { + const char *s = xpc_copy_description(cmsg); + Syslog::error("SecTranslocate: XPCServer, unepxected incoming message - %s", s); + free((char*)s); + } + }); + xpc_connection_resume(service); +} + +XPCServer::~XPCServer() +{ + xpc_connection_cancel(service); + dispatch_release(notificationQ); +} + +} //namespace Security +} //namespace SecTranslocate diff --git a/OSX/libsecurity_translocate/lib/SecTranslocateXPCServer.hpp b/OSX/libsecurity_translocate/lib/SecTranslocateXPCServer.hpp new file mode 100644 index 00000000..2b14381b --- /dev/null +++ b/OSX/libsecurity_translocate/lib/SecTranslocateXPCServer.hpp 
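Review bot: `doCheckIn` trusts the pid supplied in the message (`kSecTranslocateXPCMessagePid`) even though the server already knows the peer via `xpc_connection_get_pid(connection)`, so any client can check in on behalf of an arbitrary process; unless check-in by proxy is intended, pass the connection's pid (or derive it from the audit token) into `appLaunchCheckin` and drop the message field, or at least require the two to match. In the event handler the debug line logs `function` with `%s` before the `function == NULL` check, which is undefined for a missing key; move the NULL test ahead of the log or log `function ? function : "(null)"`. `catch (Security::UnixError err)` catches by value — `catch (const Security::UnixError &err)` avoids the copy and slicing. The destructor cancels `service` but never `xpc_release`s it, which looks like a leak of the listener object; please confirm against the retain semantics expected for the returned connection.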
@@ -0,0 +1,51 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* Purpose: This defines the xpc server for translocation */ + +#ifndef SecTranslocateXPCServer_hpp +#define SecTranslocateXPCServer_hpp + +#include <dispatch/dispatch.h> +#include <xpc/xpc.h> + +namespace Security { +namespace SecTranslocate { + +class XPCServer +{ +public: + XPCServer(dispatch_queue_t q); + ~XPCServer(); +private: + XPCServer() = delete; + XPCServer(const XPCServer& that) = delete; + + dispatch_queue_t notificationQ; + xpc_connection_t service; +}; + +} //namespace SecTranslocate +} //namespace Security + +#endif /* SecTranslocateXPCServer_hpp */ diff --git a/OSX/libsecurity_translocate/lib/security_translocate.exp b/OSX/libsecurity_translocate/lib/security_translocate.exp new file mode 100644 index 00000000..d18a7c00 --- /dev/null +++ b/OSX/libsecurity_translocate/lib/security_translocate.exp 
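Review bot: The class deletes the copy constructor but not copy assignment, so `a = b;` still compiles and would leave two objects cancelling the same `service` and releasing the same `notificationQ` in their destructors; add `XPCServer& operator=(const XPCServer&) = delete;` next to the deleted copy constructor. A one-line comment on `service` and `notificationQ` stating that both are owned references released in `~XPCServer` would make the non-copyable intent clear to the next reader.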
@@ -0,0 +1,25 @@ +# +# Copyright (c) 2016 Apple Inc. All Rights Reserved. +# +# @APPLE_LICENSE_HEADER_START@ +# +# This file contains Original Code and/or Modifications of Original Code +# as defined in and that are subject to the Apple Public Source License +# Version 2.0 (the 'License'). You may not use this file except in +# compliance with the License. Please obtain a copy of the License at +# http://www.opensource.apple.com/apsl/ and read it before using this +# file. +# +# The Original Code and all software distributed under the License are +# distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER +# EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, +# INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. +# Please see the License for the specific language governing rights and +# limitations under the License. +# +# @APPLE_LICENSE_HEADER_END@ +# + +_SecTranslocateCreateSecureDirectoryForURL +_SecTranslocateDeleteSecureDirectory diff --git a/OSX/libsecurity_translocate/libsecurity_translocate.xcodeproj/project.pbxproj b/OSX/libsecurity_translocate/libsecurity_translocate.xcodeproj/project.pbxproj new file mode 100644 index 00000000..19323604 --- /dev/null +++ b/OSX/libsecurity_translocate/libsecurity_translocate.xcodeproj/project.pbxproj 
@@ -0,0 +1,383 @@ +// !$*UTF8*$! +{ + archiveVersion = 1; + classes = { + }; + objectVersion = 46; + objects = { + +/* Begin PBXBuildFile section */ + 1F2D0DD71CBC7294007390C6 /* SecTranslocateXPCServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1F2D0DD51CBC7294007390C6 /* SecTranslocateXPCServer.cpp */; }; + 1F2D0DD81CBC7294007390C6 /* SecTranslocateXPCServer.hpp in Headers */ = {isa = PBXBuildFile; fileRef = 1F2D0DD61CBC7294007390C6 /* SecTranslocateXPCServer.hpp */; }; + 1F50781B1CB47EA500A017CD /* SecTranslocateUtilities.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1F5078191CB47EA500A017CD /* SecTranslocateUtilities.cpp */; }; + 1F50781C1CB47EA500A017CD /* SecTranslocateUtilities.hpp in Headers */ = {isa = PBXBuildFile; fileRef = 1F50781A1CB47EA500A017CD /* SecTranslocateUtilities.hpp */; }; + 1F5078221CB5769200A017CD /* SecTranslocateServer.hpp in Headers */ = {isa = PBXBuildFile; fileRef = 1F50781E1CB5747100A017CD /* SecTranslocateServer.hpp */; }; + 1F5A5D481CB5D8CF009BDA30 /* SecTranslocateLSNotification.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1F5A5D461CB5D8CF009BDA30 /* SecTranslocateLSNotification.cpp */; }; + 1F5A5D491CB5D8CF009BDA30 /* SecTranslocateLSNotification.hpp in Headers */ = {isa = PBXBuildFile; fileRef = 1F5A5D471CB5D8CF009BDA30 /* SecTranslocateLSNotification.hpp */; }; + 1F77EB011CBB15B7006E0E7E /* SecTranslocateDANotification.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1FB9D34D1CBB0E7C00374EF3 /* SecTranslocateDANotification.cpp */; }; + 1F975A3E1CBD5613003EF8F6 /* SecTranslocateClient.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1F975A3C1CBD5613003EF8F6 /* SecTranslocateClient.cpp */; }; + 1F975A3F1CBD5613003EF8F6 /* SecTranslocateClient.hpp in Headers */ = {isa = PBXBuildFile; fileRef = 1F975A3D1CBD5613003EF8F6 /* SecTranslocateClient.hpp */; }; + 1FB9D3501CBB0E7C00374EF3 /* SecTranslocateDANotification.hpp in Headers */ = {isa = PBXBuildFile; fileRef = 1FB9D34E1CBB0E7C00374EF3 /* 
SecTranslocateDANotification.hpp */; }; + 1FC462B81C498980001E4B1F /* SecTranslocate.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1FC462B71C49897F001E4B1F /* SecTranslocate.cpp */; }; + 1FC462BA1C498991001E4B1F /* SecTranslocate.h in Headers */ = {isa = PBXBuildFile; fileRef = 1FC462B91C498991001E4B1F /* SecTranslocate.h */; }; + 1FC4A6151CBDA7B900390630 /* SecTranslocateInterface.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1FC4A6141CBDA7B900390630 /* SecTranslocateInterface.cpp */; }; + 1FC4A6161CBDC5C300390630 /* SecTranslocateServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1F50781D1CB5747100A017CD /* SecTranslocateServer.cpp */; }; + 1FD0FA551CBC4A8C0037CB0E /* SecTranslocateInterface.hpp in Headers */ = {isa = PBXBuildFile; fileRef = 1FD0FA541CBC4A8C0037CB0E /* SecTranslocateInterface.hpp */; }; + 1FEFBDB01CB6D2AD00FAC2A1 /* SecTranslocateShared.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1F5A5D431CB58E97009BDA30 /* SecTranslocateShared.cpp */; }; + 1FEFBDB11CB6D2BC00FAC2A1 /* SecTranslocateShared.hpp in Headers */ = {isa = PBXBuildFile; fileRef = 1F5A5D421CB58E97009BDA30 /* SecTranslocateShared.hpp */; }; +/* End PBXBuildFile section */ + +/* Begin PBXFileReference section */ + 1F2D0DD51CBC7294007390C6 /* SecTranslocateXPCServer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SecTranslocateXPCServer.cpp; path = lib/SecTranslocateXPCServer.cpp; sourceTree = SOURCE_ROOT; }; + 1F2D0DD61CBC7294007390C6 /* SecTranslocateXPCServer.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; name = SecTranslocateXPCServer.hpp; path = lib/SecTranslocateXPCServer.hpp; sourceTree = SOURCE_ROOT; }; + 1F5078191CB47EA500A017CD /* SecTranslocateUtilities.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SecTranslocateUtilities.cpp; path = lib/SecTranslocateUtilities.cpp; sourceTree = SOURCE_ROOT; }; + 
1F50781A1CB47EA500A017CD /* SecTranslocateUtilities.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; name = SecTranslocateUtilities.hpp; path = lib/SecTranslocateUtilities.hpp; sourceTree = SOURCE_ROOT; }; + 1F50781D1CB5747100A017CD /* SecTranslocateServer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SecTranslocateServer.cpp; path = lib/SecTranslocateServer.cpp; sourceTree = SOURCE_ROOT; }; + 1F50781E1CB5747100A017CD /* SecTranslocateServer.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; name = SecTranslocateServer.hpp; path = lib/SecTranslocateServer.hpp; sourceTree = SOURCE_ROOT; }; + 1F5A5D421CB58E97009BDA30 /* SecTranslocateShared.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; name = SecTranslocateShared.hpp; path = lib/SecTranslocateShared.hpp; sourceTree = SOURCE_ROOT; }; + 1F5A5D431CB58E97009BDA30 /* SecTranslocateShared.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SecTranslocateShared.cpp; path = lib/SecTranslocateShared.cpp; sourceTree = SOURCE_ROOT; }; + 1F5A5D461CB5D8CF009BDA30 /* SecTranslocateLSNotification.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SecTranslocateLSNotification.cpp; path = lib/SecTranslocateLSNotification.cpp; sourceTree = SOURCE_ROOT; }; + 1F5A5D471CB5D8CF009BDA30 /* SecTranslocateLSNotification.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; name = SecTranslocateLSNotification.hpp; path = lib/SecTranslocateLSNotification.hpp; sourceTree = SOURCE_ROOT; }; + 1F975A3C1CBD5613003EF8F6 /* SecTranslocateClient.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SecTranslocateClient.cpp; path = lib/SecTranslocateClient.cpp; sourceTree = SOURCE_ROOT; }; + 
1F975A3D1CBD5613003EF8F6 /* SecTranslocateClient.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; name = SecTranslocateClient.hpp; path = lib/SecTranslocateClient.hpp; sourceTree = SOURCE_ROOT; }; + 1FAA71431C10D8E000EAAE3E /* libsecurity_translocate.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_translocate.a; sourceTree = BUILT_PRODUCTS_DIR; }; + 1FB9D34D1CBB0E7C00374EF3 /* SecTranslocateDANotification.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SecTranslocateDANotification.cpp; path = lib/SecTranslocateDANotification.cpp; sourceTree = SOURCE_ROOT; }; + 1FB9D34E1CBB0E7C00374EF3 /* SecTranslocateDANotification.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; name = SecTranslocateDANotification.hpp; path = lib/SecTranslocateDANotification.hpp; sourceTree = SOURCE_ROOT; }; + 1FC462B71C49897F001E4B1F /* SecTranslocate.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SecTranslocate.cpp; path = lib/SecTranslocate.cpp; sourceTree = SOURCE_ROOT; }; + 1FC462B91C498991001E4B1F /* SecTranslocate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTranslocate.h; path = lib/SecTranslocate.h; sourceTree = SOURCE_ROOT; }; + 1FC4A6141CBDA7B900390630 /* SecTranslocateInterface.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SecTranslocateInterface.cpp; path = lib/SecTranslocateInterface.cpp; sourceTree = SOURCE_ROOT; }; + 1FD0FA541CBC4A8C0037CB0E /* SecTranslocateInterface.hpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.h; name = SecTranslocateInterface.hpp; path = lib/SecTranslocateInterface.hpp; sourceTree = SOURCE_ROOT; }; + 1FDA9ABE1C449C880083929D /* security_translocate.exp */ = {isa = PBXFileReference; 
fileEncoding = 4; lastKnownFileType = sourcecode.exports; name = security_translocate.exp; path = lib/security_translocate.exp; sourceTree = SOURCE_ROOT; }; +/* End PBXFileReference section */ + +/* Begin PBXFrameworksBuildPhase section */ + 1FAA71401C10D8E000EAAE3E /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXFrameworksBuildPhase section */ + +/* Begin PBXGroup section */ + 1FAA713A1C10D8E000EAAE3E = { + isa = PBXGroup; + children = ( + 1FAA71451C10D8E000EAAE3E /* lib */, + 1FAA71441C10D8E000EAAE3E /* Products */, + ); + sourceTree = "<group>"; + }; + 1FAA71441C10D8E000EAAE3E /* Products */ = { + isa = PBXGroup; + children = ( + 1FAA71431C10D8E000EAAE3E /* libsecurity_translocate.a */, + ); + name = Products; + sourceTree = "<group>"; + }; + 1FAA71451C10D8E000EAAE3E /* lib */ = { + isa = PBXGroup; + children = ( + 1F975A3C1CBD5613003EF8F6 /* SecTranslocateClient.cpp */, + 1F975A3D1CBD5613003EF8F6 /* SecTranslocateClient.hpp */, + 1F2D0DD51CBC7294007390C6 /* SecTranslocateXPCServer.cpp */, + 1F2D0DD61CBC7294007390C6 /* SecTranslocateXPCServer.hpp */, + 1FD0FA541CBC4A8C0037CB0E /* SecTranslocateInterface.hpp */, + 1FB9D34D1CBB0E7C00374EF3 /* SecTranslocateDANotification.cpp */, + 1FB9D34E1CBB0E7C00374EF3 /* SecTranslocateDANotification.hpp */, + 1F5A5D461CB5D8CF009BDA30 /* SecTranslocateLSNotification.cpp */, + 1F5A5D471CB5D8CF009BDA30 /* SecTranslocateLSNotification.hpp */, + 1F5A5D421CB58E97009BDA30 /* SecTranslocateShared.hpp */, + 1F5A5D431CB58E97009BDA30 /* SecTranslocateShared.cpp */, + 1F50781D1CB5747100A017CD /* SecTranslocateServer.cpp */, + 1F50781E1CB5747100A017CD /* SecTranslocateServer.hpp */, + 1FC462B91C498991001E4B1F /* SecTranslocate.h */, + 1FC462B71C49897F001E4B1F /* SecTranslocate.cpp */, + 1FDA9ABE1C449C880083929D /* security_translocate.exp */, + 1F5078191CB47EA500A017CD /* SecTranslocateUtilities.cpp */, + 
1F50781A1CB47EA500A017CD /* SecTranslocateUtilities.hpp */, + 1FC4A6141CBDA7B900390630 /* SecTranslocateInterface.cpp */, + ); + name = lib; + path = libsecurity_translocate; + sourceTree = "<group>"; + }; +/* End PBXGroup section */ + +/* Begin PBXHeadersBuildPhase section */ + 1FAA71411C10D8E000EAAE3E /* Headers */ = { + isa = PBXHeadersBuildPhase; + buildActionMask = 2147483647; + files = ( + 1FC462BA1C498991001E4B1F /* SecTranslocate.h in Headers */, + 1FD0FA551CBC4A8C0037CB0E /* SecTranslocateInterface.hpp in Headers */, + 1F975A3F1CBD5613003EF8F6 /* SecTranslocateClient.hpp in Headers */, + 1F5078221CB5769200A017CD /* SecTranslocateServer.hpp in Headers */, + 1FB9D3501CBB0E7C00374EF3 /* SecTranslocateDANotification.hpp in Headers */, + 1F5A5D491CB5D8CF009BDA30 /* SecTranslocateLSNotification.hpp in Headers */, + 1FEFBDB11CB6D2BC00FAC2A1 /* SecTranslocateShared.hpp in Headers */, + 1F2D0DD81CBC7294007390C6 /* SecTranslocateXPCServer.hpp in Headers */, + 1F50781C1CB47EA500A017CD /* SecTranslocateUtilities.hpp in Headers */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXHeadersBuildPhase section */ + +/* Begin PBXNativeTarget section */ + 1FAA71421C10D8E000EAAE3E /* libsecurity_translocate */ = { + isa = PBXNativeTarget; + buildConfigurationList = 1FAA714C1C10D8E000EAAE3E /* Build configuration list for PBXNativeTarget "libsecurity_translocate" */; + buildPhases = ( + 1FAA713F1C10D8E000EAAE3E /* Sources */, + 1FAA71401C10D8E000EAAE3E /* Frameworks */, + 1FAA71411C10D8E000EAAE3E /* Headers */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = libsecurity_translocate; + productName = libsecurity_translocate; + productReference = 1FAA71431C10D8E000EAAE3E /* libsecurity_translocate.a */; + productType = "com.apple.product-type.library.static"; + }; +/* End PBXNativeTarget section */ + +/* Begin PBXProject section */ + 1FAA713B1C10D8E000EAAE3E /* Project object */ = { + isa = PBXProject; + attributes = { + LastUpgradeCheck = 0800; + 
ORGANIZATIONNAME = Apple; + TargetAttributes = { + 1FAA71421C10D8E000EAAE3E = { + CreatedOnToolsVersion = 7.2; + }; + }; + }; + buildConfigurationList = 1FAA713E1C10D8E000EAAE3E /* Build configuration list for PBXProject "libsecurity_translocate" */; + compatibilityVersion = "Xcode 3.2"; + developmentRegion = English; + hasScannedForEncodings = 0; + knownRegions = ( + en, + ); + mainGroup = 1FAA713A1C10D8E000EAAE3E; + productRefGroup = 1FAA71441C10D8E000EAAE3E /* Products */; + projectDirPath = ""; + projectRoot = ""; + targets = ( + 1FAA71421C10D8E000EAAE3E /* libsecurity_translocate */, + ); + }; +/* End PBXProject section */ + +/* Begin PBXSourcesBuildPhase section */ + 1FAA713F1C10D8E000EAAE3E /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 1FC4A6161CBDC5C300390630 /* SecTranslocateServer.cpp in Sources */, + 1F2D0DD71CBC7294007390C6 /* SecTranslocateXPCServer.cpp in Sources */, + 1FC462B81C498980001E4B1F /* SecTranslocate.cpp in Sources */, + 1F77EB011CBB15B7006E0E7E /* SecTranslocateDANotification.cpp in Sources */, + 1F975A3E1CBD5613003EF8F6 /* SecTranslocateClient.cpp in Sources */, + 1F5A5D481CB5D8CF009BDA30 /* SecTranslocateLSNotification.cpp in Sources */, + 1FEFBDB01CB6D2AD00FAC2A1 /* SecTranslocateShared.cpp in Sources */, + 1FC4A6151CBDA7B900390630 /* SecTranslocateInterface.cpp in Sources */, + 1F50781B1CB47EA500A017CD /* SecTranslocateUtilities.cpp in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXSourcesBuildPhase section */ + +/* Begin XCBuildConfiguration section */ + 1FAA714A1C10D8E000EAAE3E /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = 
YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_IDENTITY = "-"; + COPY_PHASE_STRIP = NO; + DEBUG_INFORMATION_FORMAT = dwarf; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_NO_COMMON_BLOCKS = YES; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + MACOSX_DEPLOYMENT_TARGET = 10.11; + MTL_ENABLE_DEBUG_INFO = YES; + ONLY_ACTIVE_ARCH = YES; + SDKROOT = macosx.internal; + }; + name = Debug; + }; + 1FAA714B1C10D8E000EAAE3E /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_IDENTITY = "-"; + COPY_PHASE_STRIP = NO; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + 
GCC_WARN_UNUSED_VARIABLE = YES; + MACOSX_DEPLOYMENT_TARGET = 10.11; + MTL_ENABLE_DEBUG_INFO = NO; + SDKROOT = macosx.internal; + }; + name = Release; + }; + 1FAA714D1C10D8E000EAAE3E /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = YES; + "ARCHS[sdk=macosx*]" = "$(ARCHS_STANDARD_32_64_BIT)"; + CLANG_CXX_LANGUAGE_STANDARD = "compiler-default"; + CLANG_CXX_LIBRARY = "compiler-default"; + CLANG_ENABLE_MODULES = NO; + CLANG_ENABLE_OBJC_ARC = NO; + CLANG_WARN_BOOL_CONVERSION = NO; + CODE_SIGN_IDENTITY = ""; + COMBINE_HIDPI_IMAGES = YES; + DEAD_CODE_STRIPPING = YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = YES; + ENABLE_STRICT_OBJC_MSGSEND = NO; + EXECUTABLE_PREFIX = ""; + FRAMEWORK_SEARCH_PATHS = "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(SYSTEM_LIBRARY_DIR)/Frameworks/System.framework/PrivateHeaders", + "$(PROJECT_DIR)/../include", + "$(BUILT_PRODUCTS_DIR)/derived_src", + "$(PROJECT_DIR)/../utilities/", + ); + ONLY_ACTIVE_ARCH = NO; + PRODUCT_NAME = "$(TARGET_NAME)"; + PUBLIC_HEADERS_FOLDER_PATH = /usr/local/include/security_translocate; + SDKROOT = macosx.internal; + VERSIONING_SYSTEM = "apple-generic"; + WARNING_CFLAGS = ( + "$(inherited)", + "-Wall", + "-Wno-four-char-constants", + "-Wno-unknown-pragmas", + ); + }; + name = Debug; + }; + 1FAA714E1C10D8E000EAAE3E /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = YES; + "ARCHS[sdk=macosx*]" = "$(ARCHS_STANDARD_32_64_BIT)"; + CLANG_CXX_LANGUAGE_STANDARD = "compiler-default"; + CLANG_CXX_LIBRARY = "compiler-default"; + CLANG_ENABLE_MODULES = NO; + CLANG_ENABLE_OBJC_ARC = NO; + CLANG_WARN_BOOL_CONVERSION = NO; + CODE_SIGN_IDENTITY = ""; + COMBINE_HIDPI_IMAGES = YES; + DEAD_CODE_STRIPPING = YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = YES; 
+ ENABLE_STRICT_OBJC_MSGSEND = NO; + EXECUTABLE_PREFIX = ""; + FRAMEWORK_SEARCH_PATHS = "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; + GCC_PREPROCESSOR_DEFINITIONS = "NDEBUG=1"; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; + GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(SYSTEM_LIBRARY_DIR)/Frameworks/System.framework/PrivateHeaders", + "$(PROJECT_DIR)/../include", + "$(BUILT_PRODUCTS_DIR)/derived_src", + "$(PROJECT_DIR)/../utilities/", + ); + ONLY_ACTIVE_ARCH = NO; + PRODUCT_NAME = "$(TARGET_NAME)"; + PUBLIC_HEADERS_FOLDER_PATH = /usr/local/include/security_translocate; + SDKROOT = macosx.internal; + VERSIONING_SYSTEM = "apple-generic"; + WARNING_CFLAGS = ( + "$(inherited)", + "-Wall", + "-Wno-four-char-constants", + "-Wno-unknown-pragmas", + ); + }; + name = Release; + }; +/* End XCBuildConfiguration section */ + +/* Begin XCConfigurationList section */ + 1FAA713E1C10D8E000EAAE3E /* Build configuration list for PBXProject "libsecurity_translocate" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 1FAA714A1C10D8E000EAAE3E /* Debug */, + 1FAA714B1C10D8E000EAAE3E /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 1FAA714C1C10D8E000EAAE3E /* Build configuration list for PBXNativeTarget "libsecurity_translocate" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 1FAA714D1C10D8E000EAAE3E /* Debug */, + 1FAA714E1C10D8E000EAAE3E /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; +/* End XCConfigurationList section */ + }; + rootObject = 1FAA713B1C10D8E000EAAE3E /* Project object */; +} diff --git a/OSX/libsecurity_utilities/lib/CSPDLTransaction.cpp b/OSX/libsecurity_utilities/lib/CSPDLTransaction.cpp index 1cbe0d02..5b8769ec 100644 --- a/OSX/libsecurity_utilities/lib/CSPDLTransaction.cpp +++ b/OSX/libsecurity_utilities/lib/CSPDLTransaction.cpp 
@@ -45,8 +45,29 @@ DLTransaction::~DLTransaction() {
 finalize();
 }
 
-void DLTransaction::success() {
+void DLTransaction::commit() {
+ // Commit the transaction, and throw if it fails
+
+ // If autocommit wasn't on on the database when we started, don't
+ // actually commit. There might be something else going on...
+ if(mAutoCommit) {
+ Security::CssmClient::ObjectImpl::check(CSSM_DL_PassThrough(mDldbh, CSSM_APPLEFILEDL_COMMIT, NULL, NULL));
+ CSSM_DL_PassThrough(mDldbh, CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT, reinterpret_cast<const void *>(mAutoCommit), NULL);
+ }
+
+ // Throwing above means this wasn't a success and we're not finalized. On exit, we'll roll back the transaction.
 mSuccess = true;
+ mFinalized = true;
+}
+
+void DLTransaction::rollback() {
+ // If autocommit wasn't on on the database when we started, don't
+ // actually roll back. There might be something else going on...
+ if(mAutoCommit) {
+ CSSM_DL_PassThrough(mDldbh, CSSM_APPLEFILEDL_ROLLBACK, NULL, NULL);
+ CSSM_DL_PassThrough(mDldbh, CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT,
+ reinterpret_cast<const void *>(mAutoCommit), NULL);
+ }
 }
 
 void DLTransaction::finalize() {
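Review bot: The new `commit()` has no guard against being called twice or after `finalize()`: unlike `finalize()` it never checks `mFinalized`, so a second call re-issues `CSSM_APPLEFILEDL_COMMIT` and toggles autocommit again on a handle whose state was already restored. A one-line guard at the top, `if(mFinalized) { return; }` (or a throw, if a double commit should be treated as a caller bug), makes it idempotent and matches the contract the header gives it. Separately, the return value of the `CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT` pass-through is discarded in both `commit()` and `rollback()`, so a failure to turn autocommit back on is silent; the replaced code had the same gap, so this is a note rather than a regression.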
@@ -54,31 +75,18 @@ void DLTransaction::finalize() {
 return;
 }
 
- // If autocommit wasn't on on the database when we started, don't
- // actually commit. There might be something else going on...
- if(mAutoCommit) {
- // if this transaction was a success, commit. Otherwise, roll back.
- if(mSuccess) {
- Security::CssmClient::ObjectImpl::check(CSSM_DL_PassThrough(mDldbh,
- CSSM_APPLEFILEDL_COMMIT, NULL, NULL));
- CSSM_DL_PassThrough(mDldbh, CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT,
- reinterpret_cast<const void *>(mAutoCommit), NULL);
- } else {
- // This is a failed transaction. Roll back, and turn autoCommit back on.
- //
- // Note that we're likely (but not necessarily) unwinding the stack for an exception right now.
- // (If this transaction succeeded, we wouldn't be here. So, it failed, and this code likes to fail with exceptions.)
- // If this throws an exception, we might crash the whole process.
- // Swallow exceptions whole, but log them aggressively.
- try {
- CSSM_DL_PassThrough(mDldbh, CSSM_APPLEFILEDL_ROLLBACK, NULL, NULL);
- CSSM_DL_PassThrough(mDldbh, CSSM_APPLEFILEDL_TOGGLE_AUTOCOMMIT,
- reinterpret_cast<const void *>(mAutoCommit), NULL);
- } catch(CssmError cssme) {
- const char* errStr = cssmErrorString(cssme.error);
- secdebugfunc("integrity", "caught CssmError during transaction rollback: %d %s", (int) cssme.error, errStr);
- syslog(LOG_ERR, "ERROR: failed to rollback keychain transaction: %d %s", (int) cssme.error, errStr);
- }
+ // if this transaction was not a success, roll back.
+ if(!mSuccess) {
+ // Note that we're likely (but not necessarily) unwinding the stack for an exception right now.
+ // (If this transaction succeeded, we wouldn't be here. So, it failed, and this code likes to fail with exceptions.)
+ // If this throws an exception, we might crash the whole process.
+ // Swallow exceptions whole, but log them aggressively.
+ try {
+ rollback();
+ } catch(CssmError cssme) {
+ const char* errStr = cssmErrorString(cssme.error);
+ secnotice("integrity", "caught CssmError during transaction rollback: %d %s", (int) cssme.error, errStr);
+ syslog(LOG_ERR, "ERROR: failed to rollback keychain transaction: %d %s", (int) cssme.error, errStr);
 }
 }
 mFinalized = true;
@@ -95,6 +103,5 @@ CSPDLTransaction::CSPDLTransaction(Security::CssmClient::Db& db)
 }
 
 CSPDLTransaction::~CSPDLTransaction() {
- finalize();
 }
 
diff --git a/OSX/libsecurity_utilities/lib/CSPDLTransaction.h b/OSX/libsecurity_utilities/lib/CSPDLTransaction.h
index 2a5adce3..078d9aca 100644
--- a/OSX/libsecurity_utilities/lib/CSPDLTransaction.h
+++ b/OSX/libsecurity_utilities/lib/CSPDLTransaction.h
@@ -29,14 +29,9 @@
 //
 // This class performs a transaction on a CSPDL database.
 //
-// It will commit when:
+// If commit() has not yet been called when the object goes out of scope, the transaction will roll back instead (exceptions will be swallowed).
 //
-// 1) success() has been called
-// 2) the object goes out of scope OR finalize() is called
-//
-// if success() has not been called, the transaction will roll back instead.
-//
-// You can nest transaction objects, but I don't really suggest it...
+// Nesting transactions will likely work, but isn't recommended.
 //
 class DLTransaction {
 public:
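Review bot: `catch(CssmError cssme)` in the rewritten `finalize()` body catches by value, which copies the exception object and slices any derived type; `catch(const CssmError &cssme)` is the conventional form, and the same by-value catch appears in the new `FileLockTransaction::finalize()` in this commit. The comment above promises to "swallow exceptions whole", yet only `CssmError` is caught, and since `finalize()` is invoked from `~DLTransaction()` any other exception type escaping `rollback()` would leave a destructor and terminate the process, so a trailing `catch(...)` that logs and returns would match the stated intent. The enclosing `finalize()` begins before this hunk and its closing brace is past the hunk's end.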
@@ -45,18 +40,22 @@ public:
 ~DLTransaction();
 
 // Everything has gone right; this transaction will commit.
- // If you don't call this, the transaction will roll back.
- void success();
-
- // Commit or rollback as appropriate
- void finalize();
+ // If you don't call this, the transaction will roll back when the object goes out of scope.
+ // Might throw on error.
+ void commit();
 
 protected:
 DLTransaction();
 
- // Actually toggle autocommit using the dldbh
+ // Note: disables autocommit using the dldbh
 void initialize();
 
+ // Call rollback if necessary. Never throws.
+ void finalize();
+
+ // Rolls back database transactions. Might throw.
+ void rollback();
+
 CSSM_DL_DB_HANDLE mDldbh;
 
 bool mSuccess;
diff --git a/OSX/libsecurity_utilities/lib/FileLockTransaction.cpp b/OSX/libsecurity_utilities/lib/FileLockTransaction.cpp
new file mode 100644
index 00000000..1af4828a
--- /dev/null
+++ b/OSX/libsecurity_utilities/lib/FileLockTransaction.cpp
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2015 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "FileLockTransaction.h"
+#include <Security/SecBasePriv.h>
+#include <syslog.h>
+
+FileLockTransaction::FileLockTransaction(Security::CssmClient::Db& db)
+ : mDb(db), mSuccess(false), mFinalized(false), mDeleteOnFailure(false) {
+ initialize();
+}
+
+void FileLockTransaction::initialize() {
+ mDb->takeFileLock();
+}
+
+FileLockTransaction::~FileLockTransaction() {
+ finalize();
+}
+
+void FileLockTransaction::success() {
+ mSuccess = true;
+}
+
+void FileLockTransaction::setDeleteOnFailure() {
+ mDeleteOnFailure = true;
+}
+
+void FileLockTransaction::finalize() {
+ if(mFinalized) {
+ return;
+ }
+
+ // if this transaction was a success, commit. Otherwise, roll back.
+ if(mSuccess) {
+ mDb->releaseFileLock(true);
+ } else {
+ // This is a failure.
+
+ // Note that we're likely (but not necessarily) unwinding the stack for an exception right now.
+ // (If this transaction succeeded, we wouldn't be here. So, it failed, and this code likes to fail with exceptions.)
+ // If this throws an exception, we might crash the whole process.
+ // Swallow exceptions whole, but log them aggressively.
+ try {
+ if(mDeleteOnFailure) {
+ mDb->deleteFile();
+ }
+ mDb->releaseFileLock(false);
+ } catch(CssmError cssme) {
+ const char* errStr = cssmErrorString(cssme.error);
+ secnotice("integrity", "caught CssmError during transaction rollback: %d %s", (int) cssme.error, errStr);
+ syslog(LOG_ERR, "ERROR: failed to rollback keychain transaction: %d %s", (int) cssme.error, errStr);
+ }
+ }
+ mFinalized = true;
+}
diff --git a/OSX/libsecurity_utilities/lib/FileLockTransaction.h b/OSX/libsecurity_utilities/lib/FileLockTransaction.h
new file mode 100644
index 00000000..ad9c2432
--- /dev/null
+++ b/OSX/libsecurity_utilities/lib/FileLockTransaction.h
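Review bot: In the failure branch of `finalize()`, `mDb->deleteFile()` and `mDb->releaseFileLock(false)` sit in one `try`, so if `deleteFile()` throws the `CssmError` the catch is written for, the lock is never released and the next `takeFileLock()` on that Db is left to block or fail. The delete and the release should be attempted independently so the lock is dropped whatever the delete did; a sketch follows. The success path `mDb->releaseFileLock(true)` is outside any `try`, so if it can throw it does so from `~FileLockTransaction()` — whether it can is not visible here and is worth confirming. The function begins on the previous line of the hunk.
```cpp
    } else {
        // … unchanged: failure-path comments …
        if(mDeleteOnFailure) {
            try {
                mDb->deleteFile();
            } catch(const CssmError &cssme) {
                const char* errStr = cssmErrorString(cssme.error);
                secnotice("integrity", "caught CssmError deleting database file: %d %s", (int) cssme.error, errStr);
                syslog(LOG_ERR, "ERROR: failed to delete keychain file: %d %s", (int) cssme.error, errStr);
            }
        }
        // Release the lock even when the delete failed, so nobody is left waiting on it.
        try {
            mDb->releaseFileLock(false);
        } catch(const CssmError &cssme) {
            // … unchanged: existing rollback logging …
        }
    }
```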
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2015 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef FileLockTransaction_h
+#define FileLockTransaction_h
+
+#include <security_cdsa_client/dlclient.h>
+//
+// This class performs a file lock transaction on a Cssm Db object.
+//
+// It will attempt to take the file lock upon creation.
+//
+// It will release the file lock upon destruction OR calling finalize().
+//
+// If you have called success(), it will tell the file lock transaction to commit
+// otherwise, it will tell the file lock transaction to roll back.
+//
+// If you call setDeleteOnFailure(), and the transaction would normally roll
+// back, this transaction will instead delete the Db's underlying file.
+//
+class FileLockTransaction {
+public:
+ FileLockTransaction(Security::CssmClient::Db& db);
+
+ ~FileLockTransaction();
+
+ // Everything has gone right; this transaction will commit.
+ // If you don't call this, the transaction will roll back.
+ void success();
+
+ // Commit or rollback as appropriate
+ void finalize();
+
+ // After calling this method, if this class attempts to roll back the
+ // transaction, it will also attempt to delete the database file.
+ void setDeleteOnFailure();
+
+protected:
+ // Actually toggle autocommit using the dldbh
+ void initialize();
+
+ Security::CssmClient::Db mDb;
+
+ bool mSuccess;
+ bool mFinalized;
+ bool mDeleteOnFailure;
+};
+
+#endif
diff --git a/OSX/libsecurity_utilities/lib/alloc.h b/OSX/libsecurity_utilities/lib/alloc.h
index 83403e01..411b58cb 100644
--- a/OSX/libsecurity_utilities/lib/alloc.h
+++ b/OSX/libsecurity_utilities/lib/alloc.h
@@ -74,8 +74,13 @@ public:
 
 // All right, if you *really* have to have calloc...
 void *calloc(size_t size, size_t count) throw(std::bad_alloc) {
- void *addr = malloc(size * count);
- memset(addr, 0, size * count);
+ size_t bytes = 0;
+ if(__builtin_mul_overflow(size, count, &bytes)) {
+ // Multiplication overflowed.
+ throw std::bad_alloc();
+ }
+ void *addr = malloc(bytes);
+ memset(addr, 0, bytes);
 return addr;
 }
 
diff --git a/OSX/libsecurity_ssl/lib/appleSession.h b/OSX/libsecurity_utilities/lib/casts.h
similarity index 55%
rename from OSX/libsecurity_ssl/lib/appleSession.h
rename to OSX/libsecurity_utilities/lib/casts.h
index fd87cd62..da638502 100644
--- a/OSX/libsecurity_ssl/lib/appleSession.h
+++ b/OSX/libsecurity_utilities/lib/casts.h
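Review bot: The comment on `initialize()`, `// Actually toggle autocommit using the dldbh`, is carried over from DLTransaction and does not describe this class: the implementation in FileLockTransaction.cpp calls `mDb->takeFileLock()`, so `// Takes the Db's file lock; called from the constructor.` would be accurate. The class also has no deleted copy constructor or copy assignment, so a copy would run `finalize()` twice and release the lock twice; `FileLockTransaction(const FileLockTransaction&) = delete;` and `FileLockTransaction& operator=(const FileLockTransaction&) = delete;` in the protected section close that, as SecTranslocateXPCServer.hpp in this same commit already does for its copy constructor.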
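Review bot: After the new overflow check in `calloc`, `addr` goes straight into `memset` with no null check; if `malloc` here follows the `throw(std::bad_alloc)` convention of the enclosing declaration this is fine, but if any Allocator implementation returns NULL on failure the memset writes through a null pointer. `if (!addr) { throw std::bad_alloc(); }` before the memset would make the calloc path safe under either convention. `__builtin_mul_overflow` is a Clang/GCC builtin rather than standard C++, which is presumably acceptable for this tree but worth a one-line comment saying so.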
@@ -1,15 +1,15 @@
 /*
- * Copyright (c) 1999-2001,2005-2007,2010-2012,2014 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
- *
+ *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
- *
+ *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
@@ -17,39 +17,30 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ -/* - * appleSession.h - Session storage module, Apple CDSA version. - */ +#ifndef casts_h +#define casts_h -#ifndef _APPLE_SESSION_H_ -#define _APPLE_SESSION_H_ +#include <stdexcept> +#include <security_utilities/debugging.h> +#include <syslog.h> -#include "ssl.h" +template<typename TSource, typename TResult> +static inline TResult int_cast(TSource value) { + // TODO: if we're using C++11, we should do some static_asserts on the signedness of these types + TResult result = static_cast<TResult>(value); -#ifdef __cplusplus -extern "C" { + if (static_cast<TSource>(result) != value) { +#ifndef NDEBUG + syslog(LOG_ERR, "%s: casted value out of range", __PRETTY_FUNCTION__); #endif - -extern OSStatus sslAddSession ( - const SSLBuffer sessionKey, - const SSLBuffer sessionData, - uint32_t timeToLive); /* optional time-to-live in seconds; 0 ==> default */ - -extern OSStatus sslCopySession ( - const SSLBuffer sessionKey, - SSLBuffer *sessionData); - -extern OSStatus sslDeleteSession ( - const SSLBuffer sessionKey); - -extern OSStatus sslCleanupSession(void); - -#ifdef __cplusplus + secnotice("int_cast", "casted value out of range"); + throw std::out_of_range("int_cast: casted value out of range"); + } + return result; } -#endif -#endif /* _APPLE_SESSION_H_ */ +#endif /* casts_h */ diff --git a/OSX/libsecurity_utilities/lib/ccaudit.cpp b/OSX/libsecurity_utilities/lib/ccaudit.cpp index ecde313a..5a543cad 100644 --- a/OSX/libsecurity_utilities/lib/ccaudit.cpp +++ b/OSX/libsecurity_utilities/lib/ccaudit.cpp 
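Review bot: The round-trip test in int_cast, `static_cast<TSource>(result) != value`, does not catch same-width sign flips: `int_cast<int, unsigned>(-1)` yields UINT_MAX and converts back to -1, so it passes, and the reverse `int_cast<unsigned, int>(UINT_MAX)` passes the same way, which is exactly the class of bug a checked cast exists to stop. Extending the condition to `if (static_cast<TSource>(result) != value || ((value < 0) != (result < 0)))` closes that hole at runtime (the comparison is a constant false for unsigned types) and would let the TODO about signedness static_asserts be dropped or narrowed. It is also worth a comment stating that the throw is unconditional, since only the syslog line is gated on NDEBUG and release callers must be prepared for std::out_of_range.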
@@ -116,7 +116,7 @@ void AuditRecord::submit(const short event_code, const int returnCode, if (!(au_get_state() == AUC_AUDITING)) return; - secdebug("ccaudit", "Submitting authorization audit record"); + secinfo("ccaudit", "Submitting authorization audit record"); int ret = kAUNoErr; diff --git a/OSX/libsecurity_utilities/lib/cfclass.cpp b/OSX/libsecurity_utilities/lib/cfclass.cpp index 75244e0c..530edb4b 100644 --- a/OSX/libsecurity_utilities/lib/cfclass.cpp +++ b/OSX/libsecurity_utilities/lib/cfclass.cpp @@ -26,8 +26,6 @@ #include <security_utilities/threading.h> #include <CoreFoundation/CFString.h> #include <sys/time.h> -#include <auto_zone.h> -#include <objc/objc-auto.h> // // CFClass @@ -60,42 +58,11 @@ CFClass::cleanupObject(intptr_t op, CFTypeRef cf, bool &zap) // the default is to not throw away the object zap = false; - bool isGC = CF_IS_COLLECTABLE(cf); - uint32_t currentCount; SecCFObject *obj = SecCFObject::optional(cf); uint32_t oldCount; currentCount = obj->updateRetainCount(op, &oldCount); - - if (isGC) - { - auto_zone_t* zone = objc_collectableZone(); - - if (op == -1 && oldCount == 0) - { - auto_zone_release(zone, (void*) cf); - } - else if (op == 1 && oldCount == 0 && currentCount == 1) - { - auto_zone_retain(zone, (void*) cf); - } - else if (op == -1 && oldCount == 1 && currentCount == 0) - { - /* - To prevent accidental resurrection, just pull it out of the - cache. - */ - obj->aboutToDestruct(); - auto_zone_release(zone, (void*) cf); - } - else if (op == 0) - { - return currentCount; - } - - return 0; - } if (op == 0) { 
@@ -163,23 +130,14 @@ void CFClass::finalizeType(CFTypeRef cf) throw() { /* - Why are we asserting the mutex here as well as in refCountForType? - Because the way we control the objects and the queues are different - under GC than they are under non-GC operations. - - In non-GC, we need to control the lifetime of the object. This means + We need to control the lifetime of the object. This means that the cache lock has to be asserted while we are determining if the object should live or die. The mutex is recursive, which means that we won't end up with mutex inversion. - - In GC, GC figures out the lifetime of the object. We probably don't need - to assert the mutex here, but it doesn't hurt. */ SecCFObject *obj = SecCFObject::optional(cf); - bool isCollectable = CF_IS_COLLECTABLE(cf); - try { Mutex* mutex = obj->getMutexForObject(); @@ -207,11 +165,6 @@ CFClass::finalizeType(CFTypeRef cf) throw() catch(...) { } - - if (isCollectable) - { - delete obj; - } } Boolean diff --git a/OSX/libsecurity_utilities/lib/cfmach++.cpp b/OSX/libsecurity_utilities/lib/cfmach++.cpp index f04828bd..8e02670d 100644 --- a/OSX/libsecurity_utilities/lib/cfmach++.cpp +++ b/OSX/libsecurity_utilities/lib/cfmach++.cpp @@ -86,7 +86,7 @@ void CFAutoPort::enable() } CFRunLoopAddSource(CFRunLoopGetCurrent(), mSource, kCFRunLoopCommonModes); mEnabled = true; - secdebug("autoport", "%p enabled", this); + secinfo("autoport", "%p enabled", this); } } @@ -100,7 +100,7 @@ void CFAutoPort::disable() if (mEnabled) { CFRunLoopRemoveSource(CFRunLoopGetCurrent(), mSource, kCFRunLoopCommonModes); mEnabled = false; - secdebug("autoport", "%p disabled", this); + secinfo("autoport", "%p disabled", this); } } 
@@ -114,13 +114,13 @@ static int gNumTimesCalled = 0; void CFAutoPort::cfCallback(CFMachPortRef cfPort, void *msg, CFIndex size, void *context) { ++gNumTimesCalled; - secdebug("adhoc", "Callback was called %d times.", gNumTimesCalled); + secinfo("adhoc", "Callback was called %d times.", gNumTimesCalled); Message message(msg, (mach_msg_size_t)size); try { reinterpret_cast<CFAutoPort *>(context)->receive(message); } catch (...) { - secdebug("autoport", "%p receive handler failed with exception", context); + secinfo("autoport", "%p receive handler failed with exception", context); } } diff --git a/OSX/libsecurity_utilities/lib/cfutilities.cpp b/OSX/libsecurity_utilities/lib/cfutilities.cpp index 8f147467..c2f199bc 100644 --- a/OSX/libsecurity_utilities/lib/cfutilities.cpp +++ b/OSX/libsecurity_utilities/lib/cfutilities.cpp @@ -261,7 +261,7 @@ CFDataRef cfLoadFile(CFURLRef url) &data, NULL, NULL, &error)) { return data; } else { - secdebug("cfloadfile", "failed to fetch %s error=%d", cfString(url).c_str(), int(error)); + secinfo("cfloadfile", "failed to fetch %s error=%d", cfString(url).c_str(), int(error)); return NULL; } } diff --git a/OSX/libsecurity_utilities/lib/cfutilities.h b/OSX/libsecurity_utilities/lib/cfutilities.h index b8a38d3a..a29174d0 100644 --- a/OSX/libsecurity_utilities/lib/cfutilities.h +++ b/OSX/libsecurity_utilities/lib/cfutilities.h @@ -412,12 +412,12 @@ inline CFDataRef makeCFData(const void *data, size_t size) inline CFDataRef makeCFData(CFDictionaryRef dictionary) { - return CFPropertyListCreateXMLData(NULL, dictionary); + return CFPropertyListCreateData(NULL, dictionary, kCFPropertyListXMLFormat_v1_0, 0, NULL); } inline CFDataRef makeCFData(CFArrayRef array) { - return CFPropertyListCreateXMLData(NULL, array); + return CFPropertyListCreateData(NULL, array, kCFPropertyListXMLFormat_v1_0, 0, NULL); } template <class Data> 
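Review bot: The two makeCFData overloads now call CFPropertyListCreateData with a NULL error out-parameter, so a dictionary or array holding a non-plist value returns NULL with the reason discarded, and the header gives callers no hint that NULL is a possible result. Whether callers check the result is not visible here, so at minimum document the contract above both overloads: `// Returns a +1 CFDataRef (caller releases), or NULL if the object is not a valid property list.` If a failure should be diagnosable, pass a CFErrorRef and log it via secinfo before returning NULL, consistent with the cfLoadFile hunk above.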
diff --git a/OSX/libsecurity_utilities/lib/coderepository.cpp b/OSX/libsecurity_utilities/lib/coderepository.cpp index bc18eec4..0c97973a 100644 --- a/OSX/libsecurity_utilities/lib/coderepository.cpp +++ b/OSX/libsecurity_utilities/lib/coderepository.cpp @@ -49,14 +49,14 @@ PathList::PathList(const string &subPath, if (envPath[0] == '!') { // envar="!path" -> single-item override (debugging only) mDebugOverride = envPath + 1; - secdebug("pathlist", "%p env(\"%s\") overrides to \"%s\"", + secinfo("pathlist", "%p env(\"%s\") overrides to \"%s\"", this, envar, mDebugOverride.c_str()); return; } #endif //NDEBUG // treat envPath as a classic colon-separated list of directories - secdebug("pathlist", "%p configuring from env(\"%s\")", this, envar); + secinfo("pathlist", "%p configuring from env(\"%s\")", this, envar); while (const char *p = strchr(envPath, ':')) { addDirectory(string(envPath, p - envPath)); envPath = p + 1; @@ -66,9 +66,9 @@ PathList::PathList(const string &subPath, } // no joy from environment variables - secdebug("pathlist", "%p configuring from default path set \"%s\"", this, subPath.c_str()); + secinfo("pathlist", "%p configuring from default path set \"%s\"", this, subPath.c_str()); if (forUser) - secdebug("pathlist", "user search list not yet implemented"); + secinfo("pathlist", "user search list not yet implemented"); addDirectory("/Library/" + subPath); addDirectory("/System/Library/" + subPath); } diff --git a/OSX/libsecurity_utilities/lib/coderepository.h b/OSX/libsecurity_utilities/lib/coderepository.h index 400dcf73..fb405324 100644 --- a/OSX/libsecurity_utilities/lib/coderepository.h +++ b/OSX/libsecurity_utilities/lib/coderepository.h 
@@ -89,18 +89,18 @@ void CodeRepository<Code>::update() if (CFRef<CFArrayRef> bundles = CFBundleCreateBundlesFromDirectory(NULL, CFTempURL(*it, true), mSuffix.empty() ? NULL : CFStringRef(CFTempString(mSuffix)))) { CFIndex count = CFArrayGetCount(bundles); - secdebug("coderep", "%p directory %s has %ld entries", this, it->c_str(), count); + secinfo("coderep", "%p directory %s has %ld entries", this, it->c_str(), count); for (CFIndex n = 0; n < count; n++) try { result.push_back(new Code((CFBundleRef)CFArrayGetValueAtIndex(bundles, n))); } catch (...) { - secdebug("coderep", "%p exception creating %s (skipped)", + secinfo("coderep", "%p exception creating %s (skipped)", this, cfString(CFBundleRef(CFArrayGetValueAtIndex(bundles, n))).c_str()); } } else - secdebug("coderep", "directory %s bundle read failed", it->c_str()); + secinfo("coderep", "directory %s bundle read failed", it->c_str()); } - secdebug("coderep", "%p total of %ld items in list", this, result.size()); + secinfo("coderep", "%p total of %ld items in list", this, result.size()); this->swap(result); } diff --git a/OSX/libsecurity_utilities/lib/daemon.cpp b/OSX/libsecurity_utilities/lib/daemon.cpp index fc8c15e4..f06ced98 100644 --- a/OSX/libsecurity_utilities/lib/daemon.cpp +++ b/OSX/libsecurity_utilities/lib/daemon.cpp @@ -94,12 +94,12 @@ bool executeSelf(char **argv) { static const char reExecEnv[] = "_RE_EXECUTE"; if (getenv(reExecEnv)) { // was re-executed - secdebug("daemon", "self-execution complete"); + secinfo("daemon", "self-execution complete"); unsetenv(reExecEnv); return true; } else { setenv(reExecEnv, "go", 1); - secdebug("daemon", "self-executing (ouch!)"); + secinfo("daemon", "self-executing (ouch!)"); execv(argv[0], argv); perror("re-execution"); Syslog::error("Re-execution attempt failed"); diff --git a/OSX/libsecurity_utilities/lib/debugging.cpp b/OSX/libsecurity_utilities/lib/debugging.cpp deleted file mode 100644 index 5f5fa108..00000000 
--- a/OSX/libsecurity_utilities/lib/debugging.cpp
+++ /dev/null
@@ -1,518 +0,0 @@ -/* - * Copyright (c) 2000-2004,2011-2012,2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -// -// debugging - non-trivial debugging support -// -#include <security_utilities/debugsupport.h> -#include <security_utilities/globalizer.h> -#include <cstdarg> -#include <ctype.h> - -#define SYSLOG_NAMES // compile syslog name tables -#include <syslog.h> - -#include <cxxabi.h> // for name demangling -#include <mach-o/dyld.h> // for _NSGetExecutablePath -#include <limits.h> - -// enable kernel tracing -#define ENABLE_SECTRACE 1 - - -namespace Security { -namespace Debug { - - -// -// Dump facility -// -bool dumping(const char *scope) -{ -#if defined(NDEBUG_STUBS) - return false; -#else - return Target::get().dump(scope); -#endif -} - -void dump(const char *format, ...) 
-{ -#if !defined(NDEBUG_CODE) - va_list args; - va_start(args, format); - Target::get().dump(format, args); - va_end(args); -#endif -} - -void dumpData(const void *ptr, size_t size) -{ -#if !defined(NDEBUG_CODE) - const char *addr = reinterpret_cast<const char *>(ptr); - const char *end = addr + size; - bool isText = true; - for (const char *p = addr; p < end; p++) - if (!isprint(*p)) { isText = false; break; } - - if (isText) { - dump("\""); - for (const char *p = addr; p < end; p++) - dump("%c", *p); - dump("\""); - } else { - dump("0x"); - for (const char *p = addr; p < end; p++) - dump("%2.2x", static_cast<unsigned char>(*p)); - } -#endif //NDEBUG_STUBS -} - -void dumpData(const char *title, const void *ptr, size_t size) -{ -#if !defined(NDEBUG_CODE) - dump("%s: ", title); - dumpData(ptr, size); - dump("\n"); -#endif //NDEBUG_STUBS -} - - -// -// Turn a C++ typeid into a nice type name. -// This uses the C++ ABI where available. -// We're stripping out a few C++ prefixes; they're pretty redundant (and obvious). -// -string makeTypeName(const type_info &type) -{ - int status; - char *cname = abi::__cxa_demangle(type.name(), NULL, NULL, &status); - string name = !strncmp(cname, "Security::", 10) ? (cname + 10) : - !strncmp(cname, "std::", 5) ? (cname + 5) : - cname; - ::free(cname); // yes, really (ABI rules) - return name; -} - - -// -// Target initialization. -// This where we should do all "first time" initializations. 
-// -#if !defined(NDEBUG_CODE) - -char Target::progName[maxProgNameLength + 1]; -unsigned int Target::PerThread::lastUsed; - -Target::Target() - : showScope(false), showThread(false), showProc(false), showDate(false), - sink(NULL) -{ - // put into singleton slot if first - if (singleton == NULL) - singleton = this; - - // insert terminate handler - if (!previousTerminator) // first time we do this - previousTerminator = set_terminate(terminator); - - // get program name - char execPath[PATH_MAX]; - uint32_t length = sizeof(execPath); - if (_NSGetExecutablePath(execPath, &length)) { - strcpy(progName, "unknown"); - } else { - const char *p = strrchr(execPath, '/'); - if (p) - p++; - else - p = execPath; - size_t plen = strlen(p); - if (plen > maxProgNameLength) // too long - p += plen - maxProgNameLength; // take rear - strcpy(progName, p); - } -} - -Target::~Target() -{ -} - - -static void addScope(char *&bufp, const char *scope) -{ - if (const char *sep = strchr(scope, ',')) { - bufp += sprintf(bufp, "%-*s", Name::maxLength, (const char *)Name(scope, sep)); - } else { // single scope - bufp += sprintf(bufp, "%-*s", Name::maxLength, scope); - } -} - - -// -// The core logging function of a Target -// -void Target::message(const char *scope, const char *format, va_list args) -{ - if (logSelector(scope)) { - // note: messageConstructionSize is big enough for all prefixes constructed - char buffer[messageConstructionSize]; // building the message here - char *bufp = buffer; - - // date option - if (showDate && sink->needsDate) { - time_t now = time(NULL); - char *date = ctime(&now); - date[19] = '\0'; - bufp += sprintf(bufp, "%s ", date + 4); // Nov 24 18:22:48 - } - - // leading scope - if (showScope && scope) - addScope(bufp, scope); - - if (showProc || showThread) { - char sub[maxProgNameLength + 20]; - unsigned plen = 0; - if (showProc && showThread) - plen = sprintf(sub, "%s[%d]", progName, getpid()); - else if (showProc) - plen = sprintf(sub, "%s", progName); - 
else - plen = sprintf(sub, "[%d]", getpid()); - unsigned int id = perThread().id; - if (id > 1) - plen += sprintf(sub + plen, ":%d", id); - if (plen <= procLength) - bufp += sprintf(bufp, "%-*s ", int(procLength), sub); - else - bufp += sprintf(bufp, "%s ", sub + plen - procLength); - } - - // scope after proc/thread/pid - if (showScopeRight && scope) - addScope(bufp, scope); - - // now stuff the message body in, slightly roasted - size_t left = buffer + sizeof(buffer) - bufp - 1; // reserve one - size_t written = vsnprintf(bufp, left, format, args); - for (char *p = bufp; *p; p++) - if (!isprint(*p)) - *p = '?'; - if (written >= left) { // snprintf overflowed - bufp += left; - strcpy(bufp - 3, "..."); - } else - bufp += written; - - // now append a newline and a null - bufp[0] = '\n'; - bufp[1] = '\0'; - - // submit to sink (do not count newline and null in count) - sink->put(buffer, (unsigned int)(bufp - buffer)); - } -} - -bool Target::debugging(const char *scope) -{ - return logSelector(scope); -} - - -// -// The core debug-dump function of a target -// -void Target::dump(const char *format, va_list args) -{ - char buffer[messageConstructionSize]; // building the message here - vsnprintf(buffer, sizeof(buffer), format, args); - for (char *p = buffer; *p; p++) - if ((!isprint(*p) && !isspace(*p)) || *p == '\r') - *p = '?'; - sink->dump(buffer); -} - -bool Target::dump(const char *scope) -{ - return dumpSelector(scope); -} - - -// -// Selector objects. 
-// -Target::Selector::Selector() : useSet(false), negate(false) -{ } - -void Target::Selector::operator = (const char *scope) -{ - if (scope) { - // initial values - if (!strcmp(scope, "all")) { - useSet = false; - negate = true; - } else if (!strcmp(scope, "none")) { - useSet = negate = false; - } else { - useSet = true; - enableSet.erase(enableSet.begin(), enableSet.end()); - if (scope[0] == '-') { - negate = true; - scope++; - } else - negate = false; - while (const char *sep = strchr(scope, ',')) { - enableSet.insert(Name(scope, sep)); - scope = sep + 1; - } - enableSet.insert(scope); - } - } else { - useSet = negate = false; - } -} - -bool Target::Selector::operator () (const char *scope) const -{ - // a scope of NULL is a special override; it always qualifies - if (scope == NULL) - return true; - - if (useSet) { - while (const char *sep = strchr(scope, ',')) { - if (enableSet.find(Name(scope, sep)) != enableSet.end()) - return !negate; - scope = sep + 1; - } - return (enableSet.find(scope) != enableSet.end()) != negate; - } else { - return negate; - } -} - - -// -// Establish Target state from the environment -// -void Target::setFromEnvironment() -{ - // set scopes - logSelector = getenv("DEBUGSCOPE"); - dumpSelector = getenv("DEBUGDUMP"); - - // - // Set and configure destination. 
Currently available: - // /some/where -> that file - // LOG_SOMETHING -> syslog facility - // >&number -> that (already) open (for write or append) file descriptor - // anything else -> try as a filename sight unseen [may change] - // DEBUGDEST not set -> stderr - // anything in error -> stderr (with an error message on it) - // - if (const char *dest = getenv("DEBUGDEST")) { - if (dest[0] == '/') { // full pathname, write to file - to(dest); - } else if (!strncmp(dest, "LOG_", 4)) { // syslog - int facility = LOG_DAEMON; - for (CODE *cp = facilitynames; cp->c_name; cp++) - if (!strcmp(dest, cp->c_name)) - facility = cp->c_val; - to(facility | LOG_DEBUG); - } else if (!strncmp(dest, ">&", 2)) { // to file descriptor - int fd = atoi(dest+2); - if (FILE *f = fdopen(fd, "a")) { - to(f); - } else { - to(stderr); - secdebug("", "cannot log to fd[%d]: %s", fd, strerror(errno)); - } - } else { // if everything else fails, write a file - to(dest); - } - } else { // default destination is stderr - to(stderr); - } - configure(); -} - - -void Target::configure() -{ - configure(getenv("DEBUGOPTIONS")); -} - -void Target::configure(const char *config) -{ - // configure global options - showScopeRight = config && strstr(config, "rscope"); - showScope = !showScopeRight && config && strstr(config, "scope"); - showThread = config && (strstr(config, "thread") || strstr(config, "pid")); // (legacy) - showProc = config && strstr(config, "proc"); - showDate = config && strstr(config, "date"); - - // configure sink - if (sink) - sink->configure(config); -} - - -// -// Explicit destination assignments -// -void Target::to(Sink *s) -{ - delete sink; - sink = s; -} - -void Target::to(FILE *file) -{ - to(new FileSink(file)); -} - -void Target::to(const char *filename) -{ - if (FILE *f = fopen(filename, "a")) { - to(new FileSink(f)); - } else { - to(stderr); - secdebug("", "cannot debug to \"%s\": %s", filename, strerror(errno)); - } -} - -void Target::to(int syslogPriority) -{ - to(new 
SyslogSink(syslogPriority)); -} - - -// -// Making and retrieving the default singleton -// -Target *Target::singleton; - -Target &Target::get() -{ - if (singleton == NULL) { - Target *t = new Target; - t->setFromEnvironment(); - } - return *singleton; -} - - -// -// Standard sink implementations -// -Target::Sink::~Sink() -{ } - -void Target::Sink::dump(const char *) -{ } - -void Target::Sink::configure(const char *) -{ } - - -// -// The terminate handler installed when a Target is created -// -terminate_handler Target::previousTerminator; - -void Target::terminator() -{ - secdebug("exception", "uncaught exception terminates program"); - previousTerminator(); - secdebug("exception", "prior termination handler failed to abort; forcing abort"); - abort(); -} - - -// -// File sinks (write to file via stdio) -// -void FileSink::put(const char *inbuf, unsigned int length) -{ - fwrite(inbuf, 1, length + 1, file); // do pick up the trailing newline -} - -void FileSink::dump(const char *text) -{ - fputs(text, file); -} - -void FileSink::configure(const char *options) -{ - if (options == NULL || !strstr(options, "noflush")) { - // we mean "if the file isn't unbuffered", but what's the portable way to say that? 
- if (file != stderr) - setlinebuf(file); - } -} - - -// -// Syslog sinks (write to syslog) -// -void SyslogSink::put(const char *buffer, unsigned int length) -{ - syslog(priority, "%1.*s", length, buffer); // don't pick up trailing newline -} - -void SyslogSink::dump(const char *text) -{ - // add to dump buffer - snprintf(dumpPtr, dumpBuffer + dumpBufferSize - dumpPtr, "%s", text); - - // take off full lines and submit - char *p = dumpBase; - while (char *q = strchr(p, '\n')) { - *q++ = '\0'; // terminate/break - syslog(priority, " @@ %s", p); - p = q; - } - - if (*p) { // left-over unterminated line segment in buffer - dumpPtr = p + strlen(p); - if ((dumpBase = p) > dumpBuffer + dumpBufferSize / 2) { - // shift buffer down to make room - memmove(dumpBuffer, dumpBase, dumpPtr - dumpBase); - dumpPtr -= (dumpBase - dumpBuffer); - dumpBase = dumpBuffer; - } - } else { // buffer is empty; reset to start - dumpBase = dumpPtr = dumpBuffer; - } -} - -void SyslogSink::configure(const char *options) -{ -} - -#endif //NDEBUG_CODE - - -} // end namespace Debug -} // end namespace Security diff --git a/OSX/libsecurity_utilities/lib/debugging.h b/OSX/libsecurity_utilities/lib/debugging.h deleted file mode 100644 index 36b25377..00000000 --- a/OSX/libsecurity_utilities/lib/debugging.h +++ /dev/null 
@@ -1,129 +0,0 @@ -/* - * Copyright (c) 2000-2004,2011-2012,2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -// -// debugging - non-trivial debug support -// -#ifndef _H_DEBUGGING -#define _H_DEBUGGING - - -#include <security_utilities/debugging_internal.h> - -#ifdef __cplusplus - -#include <security_utilities/utilities.h> -#include <cstdarg> -#include <typeinfo> - -namespace Security { -namespace Debug { - - -// -// Debug-dumping functions always exist. They may be stubs depending on build options. -// -bool dumping(const char *scope); -void dump(const char *format, ...) __attribute((format(printf,1,2))); -void dumpData(const void *data, size_t length); -void dumpData(const char *title, const void *data, size_t length); -template <class Data> inline void dumpData(const Data &obj) -{ dumpData(obj.data(), obj.length()); } -template <class Data> inline void dumpData(const char *title, const Data &obj) -{ dumpData(title, obj.data(), obj.length()); } - - -// -// The following functions perform runtime recovery of type names. -// This is meant for debugging ONLY. 
Don't even THINK of depending -// on this for program correctness. For all you know, we may replace -// all those names with "XXX" tomorrow. -// -string makeTypeName(const type_info &info); - -template <class Object> -string typeName(const Object &obj) -{ - return makeTypeName(typeid(obj)); -} - -template <class Object> -string typeName() -{ - return makeTypeName(typeid(Object)); -} - - -// -// We are still conditionally emitting debug-dumping code -// -#undef DEBUGGING -#if !defined(NDEBUG) -# define DEBUGGING 1 -# define DEBUGDUMP 1 -#else //NDEBUG -# define DEBUGGING 0 -#endif //NDEBUG - -#if defined(DEBUGDUMP) -# define IFDUMP(code) code -# define IFDUMPING(scope,code) if (Debug::dumping(scope)) code; else /* no */ -#else -# define IFDUMP(code) /* no-op */ -# define IFDUMPING(scope,code) /* no-op */ -#endif - - -// -// We have some very, very old customers who call old debug facilities. -// Dummy them out for now. -// -inline bool debugging(const char *scope) DEPRECATED_ATTRIBUTE; -inline void debug(const char *scope, const char *format, ...) DEPRECATED_ATTRIBUTE; -inline void vdebug(const char *scope, const char *format, va_list args) DEPRECATED_ATTRIBUTE; - -inline bool debugging(const char *scope) { return false; } -inline void debug(const char *scope, const char *format, ...) { } -inline void vdebug(const char *scope, const char *format, va_list args) { } - - - - - -} // end namespace Debug -} // end namespace Security - -// leak debug() into the global namespace because URLAccess et al rely on that -using Security::Debug::debug; - -#else //__cplusplus - -#include <stdio.h> - -#endif //__cplusplus - -#include <CoreFoundation/CFString.h> - - -#endif //_H_DEBUGGING diff --git a/OSX/libsecurity_utilities/lib/debugging.h b/OSX/libsecurity_utilities/lib/debugging.h new file mode 120000 index 00000000..ac6a54fc --- /dev/null +++ b/OSX/libsecurity_utilities/lib/debugging.h @@ -0,0 +1 @@ +./../utilities/src/debugging.h \ No newline at end of file 
diff --git a/OSX/libsecurity_utilities/lib/debugging_internal.cpp b/OSX/libsecurity_utilities/lib/debugging_internal.cpp index 53aeecd7..d3dcac17 100644 --- a/OSX/libsecurity_utilities/lib/debugging_internal.cpp +++ b/OSX/libsecurity_utilities/lib/debugging_internal.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2012,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2000-2004,2011-2012,2014 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -22,46 +22,506 @@ */ -#include "debugging_internal.h" -#include <stdarg.h> -#include <CoreFoundation/CoreFoundation.h> - -void secdebug_internal(const char* scope, const char* format, ...) -{ - if (__builtin_expect(SECURITY_DEBUG_LOG_ENABLED(), 0)) - { - va_list list; - va_start(list, format); - - CFStringRef formatString = CFStringCreateWithCString(NULL, format, kCFStringEncodingUTF8); - CFStringRef message = CFStringCreateWithFormatAndArguments(kCFAllocatorDefault, NULL, formatString, list); - CFRelease(formatString); - CFIndex maxLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(message), kCFStringEncodingUTF8) + 1; - char buffer[maxLength]; - CFStringGetCString(message, buffer, sizeof(buffer), kCFStringEncodingUTF8); - CFRelease(message); - SECURITY_DEBUG_LOG((char *)(scope), (buffer)); - - va_end(list); - } -} - -void secdebugfunc_internal(const char* scope, const char* functionname, const char* format, ...) -{ - if (__builtin_expect(SECURITY_DEBUG_LOG_ENABLED(), 0)) - { - va_list list; - va_start(list, format); - - CFStringRef formatString = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%s: %s"), functionname, format); - CFStringRef message = CFStringCreateWithFormatAndArguments(kCFAllocatorDefault, NULL, formatString, list); - CFRelease(formatString); - CFIndex maxLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(message), kCFStringEncodingUTF8) + 1; - char buffer[maxLength]; - CFStringGetCString(message, buffer, sizeof(buffer), kCFStringEncodingUTF8); - CFRelease(message); - SECURITY_DEBUG_LOG((char *)(scope), (buffer)); - - va_end(list); - } +// +// debugging - non-trivial debugging support +// +#include <security_utilities/debugging_internal.h> +#include <security_utilities/debugsupport.h> +#include <security_utilities/globalizer.h> +#include <cstdarg> +#include <ctype.h> + +#define SYSLOG_NAMES // compile syslog name tables +#include <syslog.h> + +#include <cxxabi.h> // for name demangling +#include <mach-o/dyld.h> 
// for _NSGetExecutablePath +#include <limits.h> + +// enable kernel tracing +#define ENABLE_SECTRACE 1 + + +namespace Security { +namespace Debug { + + +// +// Dump facility +// +bool dumping(const char *scope) +{ +#if defined(NDEBUG_STUBS) + return false; +#else + return Target::get().dump(scope); +#endif +} + +void dump(const char *format, ...) +{ +#if !defined(NDEBUG_CODE) + va_list args; + va_start(args, format); + Target::get().dump(format, args); + va_end(args); +#endif +} + +void dumpData(const void *ptr, size_t size) +{ +#if !defined(NDEBUG_CODE) + const char *addr = reinterpret_cast<const char *>(ptr); + const char *end = addr + size; + bool isText = true; + for (const char *p = addr; p < end; p++) + if (!isprint(*p)) { isText = false; break; } + + if (isText) { + dump("\""); + for (const char *p = addr; p < end; p++) + dump("%c", *p); + dump("\""); + } else { + dump("0x"); + for (const char *p = addr; p < end; p++) + dump("%2.2x", static_cast<unsigned char>(*p)); + } +#endif //NDEBUG_STUBS +} + +void dumpData(const char *title, const void *ptr, size_t size) +{ +#if !defined(NDEBUG_CODE) + dump("%s: ", title); + dumpData(ptr, size); + dump("\n"); +#endif //NDEBUG_STUBS +} + + +// +// Turn a C++ typeid into a nice type name. +// This uses the C++ ABI where available. +// We're stripping out a few C++ prefixes; they're pretty redundant (and obvious). +// +string makeTypeName(const type_info &type) +{ + int status; + char *cname = abi::__cxa_demangle(type.name(), NULL, NULL, &status); + string name = !strncmp(cname, "Security::", 10) ? (cname + 10) : + !strncmp(cname, "std::", 5) ? (cname + 5) : + cname; + ::free(cname); // yes, really (ABI rules) + return name; +} + + +// +// Target initialization. +// This where we should do all "first time" initializations. 
+// +#if !defined(NDEBUG_CODE) + +char Target::progName[maxProgNameLength + 1]; +unsigned int Target::PerThread::lastUsed; + +Target::Target() + : showScope(false), showThread(false), showProc(false), showDate(false), + sink(NULL) +{ + // put into singleton slot if first + if (singleton == NULL) + singleton = this; + + // insert terminate handler + if (!previousTerminator) // first time we do this + previousTerminator = set_terminate(terminator); + + // get program name + char execPath[PATH_MAX]; + uint32_t length = sizeof(execPath); + if (_NSGetExecutablePath(execPath, &length)) { + strcpy(progName, "unknown"); + } else { + const char *p = strrchr(execPath, '/'); + if (p) + p++; + else + p = execPath; + size_t plen = strlen(p); + if (plen > maxProgNameLength) // too long + p += plen - maxProgNameLength; // take rear + strcpy(progName, p); + } +} + +Target::~Target() +{ +} + + +static void addScope(char *&bufp, const char *scope) +{ + if (const char *sep = strchr(scope, ',')) { + bufp += sprintf(bufp, "%-*s", Name::maxLength, (const char *)Name(scope, sep)); + } else { // single scope + bufp += sprintf(bufp, "%-*s", Name::maxLength, scope); + } +} + + +// +// The core logging function of a Target +// +void Target::message(const char *scope, const char *format, va_list args) +{ + if (logSelector(scope)) { + // note: messageConstructionSize is big enough for all prefixes constructed + char buffer[messageConstructionSize]; // building the message here + char *bufp = buffer; + + // date option + if (showDate && sink->needsDate) { + time_t now = time(NULL); + char *date = ctime(&now); + date[19] = '\0'; + bufp += sprintf(bufp, "%s ", date + 4); // Nov 24 18:22:48 + } + + // leading scope + if (showScope && scope) + addScope(bufp, scope); + + if (showProc || showThread) { + char sub[maxProgNameLength + 20]; + unsigned plen = 0; + if (showProc && showThread) + plen = sprintf(sub, "%s[%d]", progName, getpid()); + else if (showProc) + plen = sprintf(sub, "%s", progName); + 
else + plen = sprintf(sub, "[%d]", getpid()); + unsigned int id = perThread().id; + if (id > 1) + plen += sprintf(sub + plen, ":%d", id); + if (plen <= procLength) + bufp += sprintf(bufp, "%-*s ", int(procLength), sub); + else + bufp += sprintf(bufp, "%s ", sub + plen - procLength); + } + + // scope after proc/thread/pid + if (showScopeRight && scope) + addScope(bufp, scope); + + // now stuff the message body in, slightly roasted + size_t left = buffer + sizeof(buffer) - bufp - 1; // reserve one + size_t written = vsnprintf(bufp, left, format, args); + for (char *p = bufp; *p; p++) + if (!isprint(*p)) + *p = '?'; + if (written >= left) { // snprintf overflowed + bufp += left; + strcpy(bufp - 3, "..."); + } else + bufp += written; + + // now append a newline and a null + bufp[0] = '\n'; + bufp[1] = '\0'; + + // submit to sink (do not count newline and null in count) + sink->put(buffer, (unsigned int)(bufp - buffer)); + } +} + +bool Target::debugging(const char *scope) +{ + return logSelector(scope); +} + + +// +// The core debug-dump function of a target +// +void Target::dump(const char *format, va_list args) +{ + char buffer[messageConstructionSize]; // building the message here + vsnprintf(buffer, sizeof(buffer), format, args); + for (char *p = buffer; *p; p++) + if ((!isprint(*p) && !isspace(*p)) || *p == '\r') + *p = '?'; + sink->dump(buffer); +} + +bool Target::dump(const char *scope) +{ + return dumpSelector(scope); +} + + +// +// Selector objects. 
+// +Target::Selector::Selector() : useSet(false), negate(false) +{ } + +void Target::Selector::operator = (const char *scope) +{ + if (scope) { + // initial values + if (!strcmp(scope, "all")) { + useSet = false; + negate = true; + } else if (!strcmp(scope, "none")) { + useSet = negate = false; + } else { + useSet = true; + enableSet.erase(enableSet.begin(), enableSet.end()); + if (scope[0] == '-') { + negate = true; + scope++; + } else + negate = false; + while (const char *sep = strchr(scope, ',')) { + enableSet.insert(Name(scope, sep)); + scope = sep + 1; + } + enableSet.insert(scope); + } + } else { + useSet = negate = false; + } +} + +bool Target::Selector::operator () (const char *scope) const +{ + // a scope of NULL is a special override; it always qualifies + if (scope == NULL) + return true; + + if (useSet) { + while (const char *sep = strchr(scope, ',')) { + if (enableSet.find(Name(scope, sep)) != enableSet.end()) + return !negate; + scope = sep + 1; + } + return (enableSet.find(scope) != enableSet.end()) != negate; + } else { + return negate; + } +} + + +// +// Establish Target state from the environment +// +void Target::setFromEnvironment() +{ + // set scopes + logSelector = getenv("DEBUGSCOPE"); + dumpSelector = getenv("DEBUGDUMP"); + + // + // Set and configure destination. 
Currently available: + // /some/where -> that file + // LOG_SOMETHING -> syslog facility + // >&number -> that (already) open (for write or append) file descriptor + // anything else -> try as a filename sight unseen [may change] + // DEBUGDEST not set -> stderr + // anything in error -> stderr (with an error message on it) + // + if (const char *dest = getenv("DEBUGDEST")) { + if (dest[0] == '/') { // full pathname, write to file + to(dest); + } else if (!strncmp(dest, "LOG_", 4)) { // syslog + int facility = LOG_DAEMON; + for (CODE *cp = facilitynames; cp->c_name; cp++) + if (!strcmp(dest, cp->c_name)) + facility = cp->c_val; + to(facility | LOG_DEBUG); + } else if (!strncmp(dest, ">&", 2)) { // to file descriptor + int fd = atoi(dest+2); + if (FILE *f = fdopen(fd, "a")) { + to(f); + } else { + to(stderr); + secinfo("", "cannot log to fd[%d]: %s", fd, strerror(errno)); + } + } else { // if everything else fails, write a file + to(dest); + } + } else { // default destination is stderr + to(stderr); + } + configure(); +} + + +void Target::configure() +{ + configure(getenv("DEBUGOPTIONS")); +} + +void Target::configure(const char *config) +{ + // configure global options + showScopeRight = config && strstr(config, "rscope"); + showScope = !showScopeRight && config && strstr(config, "scope"); + showThread = config && (strstr(config, "thread") || strstr(config, "pid")); // (legacy) + showProc = config && strstr(config, "proc"); + showDate = config && strstr(config, "date"); + + // configure sink + if (sink) + sink->configure(config); +} + + +// +// Explicit destination assignments +// +void Target::to(Sink *s) +{ + delete sink; + sink = s; +} + +void Target::to(FILE *file) +{ + to(new FileSink(file)); +} + +void Target::to(const char *filename) +{ + if (FILE *f = fopen(filename, "a")) { + to(new FileSink(f)); + } else { + to(stderr); + secinfo("", "cannot debug to \"%s\": %s", filename, strerror(errno)); + } +} + +void Target::to(int syslogPriority) +{ + to(new 
SyslogSink(syslogPriority)); +} + + +// +// Making and retrieving the default singleton +// +Target *Target::singleton; + +Target &Target::get() +{ + if (singleton == NULL) { + Target *t = new Target; + t->setFromEnvironment(); + } + return *singleton; +} + + +// +// Standard sink implementations +// +Target::Sink::~Sink() +{ } + +void Target::Sink::dump(const char *) +{ } + +void Target::Sink::configure(const char *) +{ } + + +// +// The terminate handler installed when a Target is created +// +terminate_handler Target::previousTerminator; + +void Target::terminator() +{ + secinfo("exception", "uncaught exception terminates program"); + previousTerminator(); + secinfo("exception", "prior termination handler failed to abort; forcing abort"); + abort(); +} + + +// +// File sinks (write to file via stdio) +// +void FileSink::put(const char *inbuf, unsigned int length) +{ + fwrite(inbuf, 1, length + 1, file); // do pick up the trailing newline +} + +void FileSink::dump(const char *text) +{ + fputs(text, file); +} + +void FileSink::configure(const char *options) +{ + if (options == NULL || !strstr(options, "noflush")) { + // we mean "if the file isn't unbuffered", but what's the portable way to say that? 
+ if (file != stderr) + setlinebuf(file); + } +} + + +// +// Syslog sinks (write to syslog) +// +void SyslogSink::put(const char *buffer, unsigned int length) +{ + syslog(priority, "%1.*s", length, buffer); // don't pick up trailing newline +} + +void SyslogSink::dump(const char *text) +{ + // add to dump buffer + snprintf(dumpPtr, dumpBuffer + dumpBufferSize - dumpPtr, "%s", text); + + // take off full lines and submit + char *p = dumpBase; + while (char *q = strchr(p, '\n')) { + *q++ = '\0'; // terminate/break + syslog(priority, " @@ %s", p); + p = q; + } + + if (*p) { // left-over unterminated line segment in buffer + dumpPtr = p + strlen(p); + if ((dumpBase = p) > dumpBuffer + dumpBufferSize / 2) { + // shift buffer down to make room + memmove(dumpBuffer, dumpBase, dumpPtr - dumpBase); + dumpPtr -= (dumpBase - dumpBuffer); + dumpBase = dumpBuffer; + } + } else { // buffer is empty; reset to start + dumpBase = dumpPtr = dumpBuffer; + } +} + +void SyslogSink::configure(const char *options) +{ +} + +#endif //NDEBUG_CODE + + +} // end namespace Debug +} // end namespace Security + + +void secdebug_internal(const char* scope, const char* format, ...) { + // no-op. +} +void secdebugfunc_internal(const char* scope, const char* functionname, const char* format, ...) { + // no-op. } diff --git a/OSX/libsecurity_utilities/lib/debugging_internal.h b/OSX/libsecurity_utilities/lib/debugging_internal.h index 6f990296..a33ee7c2 100644 --- a/OSX/libsecurity_utilities/lib/debugging_internal.h +++ b/OSX/libsecurity_utilities/lib/debugging_internal.h @@ -1,6 +1,6 @@ /* - * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved. - * + * Copyright (c) 2000-2004,2011-2012,2014 Apple Inc. All Rights Reserved. + * * @APPLE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code 
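Review bot: `makeTypeName` hands the pointer returned by `abi::__cxa_demangle` straight to `strncmp` without looking at `status` or at a NULL result, so a name the demangler rejects (or an allocation failure) dereferences NULL; guard it with `if (status != 0 || cname == NULL) return type.name();` before the comparisons. In `Target::setFromEnvironment` the log destination comes entirely from DEBUGDEST — `fopen(filename, "a")` on any path and `fdopen` on any descriptor number — and nothing other than the NDEBUG_CODE build macro stops a setuid process from honouring an inherited environment; a check such as `if (issetugid()) { to(stderr); return; }` at the top of the function would keep that out of privileged processes even in debug builds. The `#endif //NDEBUG_STUBS` trailers on both `dumpData` overloads mislabel conditionals that test NDEBUG_CODE and should read `#endif //NDEBUG_CODE`.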
@@ -22,42 +22,121 @@ */ -#ifndef libsecurity_utilities_debugging_internal_h -#define libsecurity_utilities_debugging_internal_h - +// +// debugging_internal - non-trivial debug support +// +// everything in this file is deprecated. Try not to use it. +// +#ifndef _H_DEBUGGING +#define _H_DEBUGGING #ifdef __cplusplus -extern "C" + +#include <security_utilities/utilities.h> +#include <cstdarg> +#include <typeinfo> + +namespace Security { +namespace Debug { + + +// +// Debug-dumping functions always exist. They may be stubs depending on build options. +// +bool dumping(const char *scope); +void dump(const char *format, ...) __attribute((format(printf,1,2))); +void dumpData(const void *data, size_t length); +void dumpData(const char *title, const void *data, size_t length); +template <class Data> inline void dumpData(const Data &obj) +{ dumpData(obj.data(), obj.length()); } +template <class Data> inline void dumpData(const char *title, const Data &obj) +{ dumpData(title, obj.data(), obj.length()); } + + +// +// The following functions perform runtime recovery of type names. +// This is meant for debugging ONLY. Don't even THINK of depending +// on this for program correctness. For all you know, we may replace +// all those names with "XXX" tomorrow. 
+// +string makeTypeName(const type_info &info); + +template <class Object> +string typeName(const Object &obj) { -#endif // __cplusplus + return makeTypeName(typeid(obj)); +} + +template <class Object> +string typeName() +{ + return makeTypeName(typeid(Object)); +} + // -// Include DTrace static probe definitions +// We are still conditionally emitting debug-dumping code // -typedef const void *DTException; +#undef DEBUGGING +#if !defined(NDEBUG) +# define DEBUGGING 1 +# define DEBUGDUMP 1 +#else //NDEBUG +# define DEBUGGING 0 +#endif //NDEBUG + +#if defined(DEBUGDUMP) +# define IFDUMP(code) code +# define IFDUMPING(scope,code) if (Debug::dumping(scope)) code; else /* no */ +#else +# define IFDUMP(code) /* no-op */ +# define IFDUMPING(scope,code) /* no-op */ +#endif -#include <security_utilities/utilities_dtrace.h> // -// The debug-log macro is now unconditionally emitted as a DTrace static probe point. +// We have some very, very old customers who call old debug facilities. +// Dummy them out for now. // +inline bool debugging(const char *scope) DEPRECATED_ATTRIBUTE; +inline void debug(const char *scope, const char *format, ...) DEPRECATED_ATTRIBUTE; +inline void vdebug(const char *scope, const char *format, va_list args) DEPRECATED_ATTRIBUTE; + +inline bool debugging(const char *scope) { return false; } +inline void debug(const char *scope, const char *format, ...) { } +inline void vdebug(const char *scope, const char *format, va_list args) { } + -void secdebug_internal(const char* scope, const char* format, ...); -void secdebugfunc_internal(const char* scope, const char* functionname, const char* format, ...); -#define secdebug(scope, format...) secdebug_internal(scope, format) -#define secdebugfunc(scope, format...) 
secdebugfunc_internal(scope, __PRETTY_FUNCTION__, format) -#define secdebugf(scope, __msg) SECURITY_DEBUG_LOG((char *)(scope), (__msg)) + + +} // end namespace Debug +} // end namespace Security + +// leak debug() into the global namespace because URLAccess et al rely on that +using Security::Debug::debug; + +__BEGIN_DECLS // -// The old secdelay() macro is also emitted as a DTrace probe (use destructive actions to handle this). -// Secdelay() should be considered a legacy feature; just put a secdebug at the intended delay point. +// Include DTrace static probe definitions // -#define secdelay(file) SECURITY_DEBUG_DELAY((char *)(file)) +typedef const void *DTException; +#include <security_utilities/utilities_dtrace.h> +// The following are deprecated functions. Don't use them (but they need to be here for symbol reasons). +void secdebug_internal(const char* scope, const char* format, ...); +void secdebugfunc_internal(const char* scope, const char* functionname, const char* format, ...); -#ifdef __cplusplus -}; -#endif // __cplusplus +__END_DECLS -#endif +#else //__cplusplus + +#include <stdio.h> + +#endif //__cplusplus + +#include <CoreFoundation/CFString.h> + + +#endif //_H_DEBUGGING diff --git a/OSX/libsecurity_utilities/lib/errors.cpp b/OSX/libsecurity_utilities/lib/errors.cpp index eab27f83..7384c990 100644 --- a/OSX/libsecurity_utilities/lib/errors.cpp +++ b/OSX/libsecurity_utilities/lib/errors.cpp @@ -30,6 +30,8 @@ #include <typeinfo> #include <stdio.h> #include <Security/SecBase.h> +#include <execinfo.h> +#include <cxxabi.h> //@@@ // From cssmapple.h - layering break 
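Review bot: The new include guard `_H_DEBUGGING` is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation); a name such as `LIBSECURITY_UTILITIES_DEBUGGING_INTERNAL_H` avoids that. The file comment now states that everything in this header is deprecated, yet `dumping`, `dump`, `dumpData` and `makeTypeName`/`typeName` are freshly declared, live API — either narrow the comment to the `debugging`/`debug`/`vdebug` shims and the `secdebug*_internal` entry points, or mark the dump functions deprecated as well. `IFDUMPING` ends in a bare `else` that is presumably there so the caller's trailing semicolon closes it and the macro stays safe inside an enclosing if/else; a comment such as `// trailing else absorbs the caller's ';' so IFDUMPING(...) nests safely in if/else` would keep the next reader from "fixing" it.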
@@ -40,13 +42,8 @@ // // The base of the exception hierarchy. -// Note that the debug output here depends on a particular -// implementation feature of gcc; to wit, that the exception object -// is created and then copied (at least once) via its copy constructor. -// If your compiler does not invoke the copy constructor, you won't get -// debug output, but nothing worse should happen. // -CommonError::CommonError() +CommonError::CommonError() : whatBuffer("CommonError") { } 
@@ -54,34 +51,89 @@ CommonError::CommonError() // // We strongly encourage catching all exceptions by const reference, so the copy // constructor of our exceptions should never be called. -// We trace a copy to help catch violations of this rule. // CommonError::CommonError(const CommonError &source) { - SECURITY_EXCEPTION_COPY(this, &source); + strlcpy(whatBuffer, source.whatBuffer, whatBufferSize); } CommonError::~CommonError() throw () { - SECURITY_EXCEPTION_HANDLED(this); +} + +void CommonError::LogBacktrace() { + // Only do this work if we're actually going to log things + if(secinfoenabled("security_exception")) { + const size_t maxsize = 32; + void* callstack[maxsize]; + + int size = backtrace(callstack, maxsize); + char** names = backtrace_symbols(callstack, size); + + // C++ symbolicate the callstack + + const char* delim = " "; + string build; + char * token = NULL; + char * line = NULL; + + for(int i = 0; i < size; i++) { + build = ""; + + line = names[i]; + + while((token = strsep(&line, delim))) { + if(*token == '\0') { + build += " "; + } else { + int status = 0; + char * demangled = abi::__cxa_demangle(token, NULL, NULL, &status); + if(status == 0) { + build += demangled; + } else { + build += token; + } + build += " "; + + if(demangled) { + free(demangled); + } + } + } + + secinfo("security_exception", "%s", build.c_str()); + } + free(names); + } } + // // UnixError exceptions // UnixError::UnixError() : error(errno) { - SECURITY_EXCEPTION_THROW_UNIX(this, errno); + SECURITY_EXCEPTION_THROW_UNIX(this, errno); + + snprintf(whatBuffer, whatBufferSize, "UNIX errno exception: %d", this->error); + secnotice("security_exception", "%s", what()); + LogBacktrace(); } UnixError::UnixError(int err) : error(err) { - SECURITY_EXCEPTION_THROW_UNIX(this, err); + SECURITY_EXCEPTION_THROW_UNIX(this, err); + + snprintf(whatBuffer, whatBufferSize, "UNIX error exception: %d", this->error); + secnotice("security_exception", "%s", what()); + LogBacktrace(); } const char 
*UnixError::what() const throw () -{ return "UNIX error exception"; } +{ + return whatBuffer; +} OSStatus UnixError::osStatus() const @@ -103,11 +155,17 @@ UnixError UnixError::make(int err) { return UnixError(err); } // MacOSError::MacOSError(int err) : error(err) { - SECURITY_EXCEPTION_THROW_OSSTATUS(this, err); + SECURITY_EXCEPTION_THROW_OSSTATUS(this, err); + + snprintf(whatBuffer, whatBufferSize, "MacOS error: %d", this->error); + secnotice("security_exception", "%s", what()); + LogBacktrace(); } const char *MacOSError::what() const throw () -{ return "MacOS error"; } +{ + return whatBuffer; +} OSStatus MacOSError::osStatus() const { return error; } @@ -137,7 +195,9 @@ MacOSError MacOSError::make(int error) // CFError::CFError() { - SECURITY_EXCEPTION_THROW_CF(this); + SECURITY_EXCEPTION_THROW_CF(this); + secnotice("security_exception", "CFError"); + LogBacktrace(); } const char *CFError::what() const throw () diff --git a/OSX/libsecurity_utilities/lib/errors.h b/OSX/libsecurity_utilities/lib/errors.h index cbc2bd62..4725bee5 100644 --- a/OSX/libsecurity_utilities/lib/errors.h +++ b/OSX/libsecurity_utilities/lib/errors.h @@ -54,6 +54,11 @@ public: virtual OSStatus osStatus() const = 0; virtual int unixError() const = 0; + + char whatBuffer[128]; + const size_t whatBufferSize = sizeof(whatBuffer); + + static void LogBacktrace(); }; diff --git a/OSX/libsecurity_utilities/lib/exports b/OSX/libsecurity_utilities/lib/exports index d9e60230..f262b943 100644 --- a/OSX/libsecurity_utilities/lib/exports +++ b/OSX/libsecurity_utilities/lib/exports @@ -1,2 +1,8 @@ _secdebug_internal _secdebugfunc_internal +#ifdef TARGET_OS_OSX +_weak_os_log_impl +_weak_os_log_create +_weak_os_log_type_enabled +_logObjForScope +#endif diff --git a/OSX/libsecurity_utilities/lib/globalizer.h b/OSX/libsecurity_utilities/lib/globalizer.h index 66480469..aa733560 100644 --- a/OSX/libsecurity_utilities/lib/globalizer.h +++ b/OSX/libsecurity_utilities/lib/globalizer.h 
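Review bot: `CommonError::LogBacktrace` indexes `names[i]` without checking that `backtrace_symbols` returned non-NULL, which it does when it cannot allocate; add `if (names == NULL) return;` directly after the call. Every `UnixError`, `MacOSError` and `CFError` constructor in this commit now runs this routine, so with the `security_exception` scope enabled each throw costs a `backtrace`, a `backtrace_symbols` allocation and up to 32 demangles, and callers such as `NamedHost::NamedHost` use `UnixError::throwMe` for ordinary not-found conditions, so that cost lands on non-error paths too. The `secnotice` calls in the constructors sit outside the `secinfoenabled` check, so every error number is logged at notice level regardless of the scope; if that is intended, a one-line comment saying so would help, since it changes the default log volume of the library.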
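Review bot: `const size_t whatBufferSize = sizeof(whatBuffer);` in errors.h is a non-static const data member, which stores an extra word in every exception object and deletes the implicitly-declared copy-assignment operator of `CommonError` and of every class derived from it; declare it as `static const size_t whatBufferSize = 128;` and then `char whatBuffer[whatBufferSize];`. Both members sit in the `public:` section, so any caller can overwrite the buffer the `what()` overrides return; if only the constructors and `LogBacktrace` need them, `protected:` fits better. The class body continues outside the hunk.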
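Review bot: The `#ifdef TARGET_OS_OSX` / `#endif` lines added to `exports` only take effect if the build runs this file through the preprocessor; ld64 treats a line beginning with `#` in an exported-symbols list as a comment, in which case `_weak_os_log_impl`, `_weak_os_log_create`, `_weak_os_log_type_enabled` and `_logObjForScope` would be exported on every platform and the link would fail wherever they are not defined. If the file is preprocessed, a one-line comment naming the build setting that does so would stop the next reader from assuming the guard is inert.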
@@ -127,7 +127,7 @@ class CleanModuleNexus : public ModuleNexus<Type> { public: ~CleanModuleNexus() { - secdebug("nexus", "ModuleNexus %p destroyed object 0x%x", + secinfo("nexus", "ModuleNexus %p destroyed object 0x%x", this, ModuleNexus<Type>::pointer); delete reinterpret_cast<Type *>(ModuleNexus<Type>::pointer); } diff --git a/OSX/libsecurity_utilities/lib/hosts.cpp b/OSX/libsecurity_utilities/lib/hosts.cpp index 2d15a909..689d46fc 100644 --- a/OSX/libsecurity_utilities/lib/hosts.cpp +++ b/OSX/libsecurity_utilities/lib/hosts.cpp @@ -130,7 +130,7 @@ NamedHost::NamedHost(const char *name) : mName(name) if (hostent *he = gethostbyname(name)) { for (char **p = he->h_addr_list; *p; p++) mAddrs.insert(*reinterpret_cast<in_addr *>(*p)); - secdebug("ipname", "host %s resolves to %ld address(es)", mName.c_str(), mAddrs.size()); + secinfo("ipname", "host %s resolves to %ld address(es)", mName.c_str(), mAddrs.size()); return; } UnixError::throwMe(ENOENT); //@@@ h_errno translation or other source diff --git a/OSX/libsecurity_utilities/lib/iodevices.cpp b/OSX/libsecurity_utilities/lib/iodevices.cpp index 28633d3e..42874c4d 100644 --- a/OSX/libsecurity_utilities/lib/iodevices.cpp +++ b/OSX/libsecurity_utilities/lib/iodevices.cpp @@ -190,7 +190,7 @@ void NotificationPort::add(const DeviceMatch &match, Receiver &receiver, const c &iterator)); // run initial iterator to process existing devices - secdebug("iokit", "dispatching initial device match iterator %d", iterator); + secinfo("iokit", "dispatching initial device match iterator %d", iterator); DeviceIterator it(iterator); receiver.ioChange(it); } 
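Review bot: The new `secinfo` line in `NamedHost::NamedHost` keeps `%ld` for `mAddrs.size()`, which is a `size_t`; the matching conversion is `%zu`: `secinfo("ipname", "host %s resolves to %zu address(es)", mName.c_str(), mAddrs.size());`. The constructor's body continues outside the hunk.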
@@ -199,10 +199,9 @@ void NotificationPort::addInterestNotification(Receiver &receiver, io_service_t const io_name_t interestType) { io_iterator_t iterator; - mach_port_t pp = NotificationPort::port(); - secdebug("iokit", "NotificationPort::addInterest - type: %s [port: %p (0x%08X), service: 0x%08X]", - interestType, mPortRef, pp, service); + secinfo("iokit", "NotificationPort::addInterest - type: %s [port: %p (0x%08X), service: 0x%08X]", + interestType, mPortRef, NotificationPort::port(), service); // We cannot throw if we get an error here since we will receive notifications // from each plane, and not all planes have the necessary information to be 
@@ -212,30 +211,30 @@ void NotificationPort::addInterestNotification(Receiver &receiver, io_service_t const char *msgstr = mach_error_string(kr); const char *msgtyp = mach_error_type(kr); if (msgstr && msgtyp) - secdebug("iokit", " msg: %s, typ: %s", msgstr, msgtyp); + secinfo("iokit", " msg: %s, typ: %s", msgstr, msgtyp); } void NotificationPort::ioNotify(void *refCon, io_iterator_t iterator) { - secdebug("iokit", "dispatching new device match iterator %d", iterator); + secinfo("iokit", "dispatching new device match iterator %d", iterator); DeviceIterator it(iterator); try { reinterpret_cast<Receiver *>(refCon)->ioChange(it); } catch (...) { - secdebug("iokit", "ioChange callback threw an exception (ignored)"); + secinfo("iokit", "ioChange callback threw an exception (ignored)"); } } void NotificationPort::ioDeviceNotification(void *refCon, io_service_t service, natural_t messageType, void *messageArgument) { - secdebug("iokit", "dispatching NEW device notification iterator, service 0x%08X, msg: 0x%04X, arg: %p", + secinfo("iokit", "dispatching NEW device notification iterator, service 0x%08X, msg: 0x%04X, arg: %p", service, messageType, messageArgument); const char *msgstr = mach_error_string(messageType); const char *msgtyp = mach_error_type(messageType); if (msgstr && msgtyp) - secdebug("iokit", " msg: %s, typ: %s", msgstr, msgtyp); + secinfo("iokit", " msg: %s, typ: %s", msgstr, msgtyp); if (service!=io_service_t(-1)) reinterpret_cast<Receiver *>(refCon)->ioServiceChange(refCon, service, messageType, messageArgument); diff --git a/OSX/libsecurity_utilities/lib/ip++.cpp b/OSX/libsecurity_utilities/lib/ip++.cpp index b589c11f..030b678f 100644 --- a/OSX/libsecurity_utilities/lib/ip++.cpp +++ b/OSX/libsecurity_utilities/lib/ip++.cpp 
@@ -159,7 +159,7 @@ void Socket::open(int domain, int type, int protocol) { checkSetFd(::socket(domain, type, protocol)); mAtEnd = false; - secdebug("sockio", "socket(%d,%d) -> %d", type, protocol, fd()); + secinfo("sockio", "socket(%d,%d) -> %d", type, protocol, fd()); } void Socket::prepare(int fdFlags, int domain, int type, int protocol) @@ -182,13 +182,13 @@ void Socket::bind(const IPAddress &addr, IPPort port) void Socket::bind(const IPSockAddress &local) { checkError(::bind(fd(), local, sizeof(local))); - secdebug("sockio", "%d bind to %s", fd(), string(local).c_str()); + secinfo("sockio", "%d bind to %s", fd(), string(local).c_str()); } void Socket::bind(const UNSockAddress &local) { checkError(::bind(fd(), local, sizeof(local))); - secdebug("sockio", "%d bind to %s", fd(), string(local).c_str()); + secinfo("sockio", "%d bind to %s", fd(), string(local).c_str()); } @@ -224,17 +224,17 @@ bool Socket::connect(const IPSockAddress &peer) if (::connect(fd(), peer, sizeof(peer))) { switch (errno) { case EINPROGRESS: - secdebug("sockio", "%d connecting to %s", fd(), string(peer).c_str()); + secinfo("sockio", "%d connecting to %s", fd(), string(peer).c_str()); return false; case EALREADY: if (int err = error()) // connect failed UnixError::throwMe(err); // just keep trying - secdebug("sockio", "%d still trying to connect", fd()); + secinfo("sockio", "%d still trying to connect", fd()); return false; case EISCONN: if (flags() & O_NONBLOCK) { - secdebug("sockio", "%d now connected", fd()); + secinfo("sockio", "%d now connected", fd()); return true; } else { UnixError::throwMe(); @@ -243,7 +243,7 @@ bool Socket::connect(const IPSockAddress &peer) UnixError::throwMe(); } } else { - secdebug("sockio", "%d connect to %s", fd(), string(peer).c_str()); + secinfo("sockio", "%d connect to %s", fd(), string(peer).c_str()); return true; } } 
@@ -257,7 +257,7 @@ bool Socket::connect(const UNSockAddress &peer) { // no nice async support here: local operation (but keep the niceties) checkError(::connect(fd(), peer, sizeof(peer))); - secdebug("sockio", "%d connect to %s", fd(), string(peer).c_str()); + secinfo("sockio", "%d connect to %s", fd(), string(peer).c_str()); return true; } @@ -314,7 +314,7 @@ void Socket::connect(const Host &host, IPPort port) for (set<IPAddress>::const_iterator it = addrs.begin(); it != addrs.end(); it++) { const IPSockAddress address(*it, port); if (::connect(fd(), address, sizeof(IPSockAddress)) == 0) { - secdebug("sockio", "%d connect to %s", fd(), string(address).c_str()); + secinfo("sockio", "%d connect to %s", fd(), string(address).c_str()); return; } } diff --git a/OSX/libsecurity_utilities/lib/mach++.cpp b/OSX/libsecurity_utilities/lib/mach++.cpp index f0ba24b7..616dcdf7 100644 --- a/OSX/libsecurity_utilities/lib/mach++.cpp +++ b/OSX/libsecurity_utilities/lib/mach++.cpp @@ -41,7 +41,8 @@ namespace MachPlusPlus { // Error::Error(kern_return_t err) : error(err) { - SECURITY_EXCEPTION_THROW_MACH(this, err); + SECURITY_EXCEPTION_THROW_MACH(this, err); + secnotice("security_exception", "mach error: %d", err); } Error::~Error() throw() @@ -127,9 +128,9 @@ mach_port_t Port::requestNotify(mach_port_t notify, mach_msg_id_t type, mach_por default: typeName = "???"; break; } if (notify == MACH_PORT_NULL) - secdebug("port", "%d cancel notify %s", port(), typeName); + secinfo("port", "%d cancel notify %s", port(), typeName); else - secdebug("port", "%d request notify %s to %d (sync %d)", port(), typeName, notify, sync); + secinfo("port", "%d request notify %s to %d (sync %d)", port(), typeName, notify, sync); #endif //!NDEBUG return previous; 
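Review bot: `MachPlusPlus::Error::Error` now logs the Mach return code with `secnotice`, but unlike the `UnixError` and `MacOSError` constructors changed in errors.cpp in this commit it neither fills `whatBuffer` nor calls `CommonError::LogBacktrace()`. If `Error` derives from `CommonError` (its base is not visible in the hunk), `what()` for Mach errors will not carry the code and no backtrace is logged; adding `snprintf(whatBuffer, whatBufferSize, "mach error: %d", err);` and `LogBacktrace();` after the `secnotice` would align it with the other exception types.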
@@ -232,7 +233,7 @@ mach_port_t Bootstrap::checkInOptional(const char *name) const void Bootstrap::registerAs(mach_port_t port, const char *name) const { - secdebug("bootstrap", "creating service port %d in %d:%s", port, this->port(), name); + secinfo("bootstrap", "creating service port %d in %d:%s", port, this->port(), name); check(::bootstrap_register(mPort, makeName(name), port)); } @@ -298,13 +299,13 @@ StBootstrap::StBootstrap(const Bootstrap &newBoot, const TaskPort &task) { mOldBoot = Bootstrap(); mTask.bootstrap(newBoot); - secdebug("StBoot", "bootstrap for %d switched to %d", mTask.port(), newBoot.port()); + secinfo("StBoot", "bootstrap for %d switched to %d", mTask.port(), newBoot.port()); } StBootstrap::~StBootstrap() { mTask.bootstrap(mOldBoot); - secdebug("StBoot", "bootstrap for %d returned to %d", mTask.port(), mOldBoot.port()); + secinfo("StBoot", "bootstrap for %d returned to %d", mTask.port(), mOldBoot.port()); } diff --git a/OSX/libsecurity_utilities/lib/mach++.h b/OSX/libsecurity_utilities/lib/mach++.h index f87b4a3c..84236769 100644 --- a/OSX/libsecurity_utilities/lib/mach++.h +++ b/OSX/libsecurity_utilities/lib/mach++.h @@ -32,6 +32,7 @@ #include <security_utilities/errors.h> #include <security_utilities/threading.h> #include <security_utilities/globalizer.h> +#include <security_utilities/debugging_internal.h> #include <mach/mach.h> #include <servers/bootstrap.h> #include <set> diff --git a/OSX/libsecurity_utilities/lib/macho++.cpp b/OSX/libsecurity_utilities/lib/macho++.cpp index ed3a2fea..9587e253 100644 --- a/OSX/libsecurity_utilities/lib/macho++.cpp +++ b/OSX/libsecurity_utilities/lib/macho++.cpp @@ -140,7 +140,7 @@ void MachOBase::initHeader(const mach_header *header) m64 = true; break; default: - secdebug("macho", "%p: unrecognized header magic (%x)", this, mHeader->magic); + secinfo("macho", "%p: unrecognized header magic (%x)", this, mHeader->magic); UnixError::throwMe(ENOEXEC); } } 
@@ -505,7 +505,7 @@ Universal::Universal(FileDesc fd, size_t offset /* = 0 */, size_t length /* = 0 if (last_arch->cputype == (CPU_ARCH_ABI64 | CPU_TYPE_ARM)) { mArchCount++; }
- secdebug("macho", "%p is a fat file with %d architectures",
+ secinfo("macho", "%p is a fat file with %d architectures",
 this, mArchCount); /* A Mach-O universal file has padding of no more than "page size"
@@ -579,14 +579,14 @@ Universal::Universal(FileDesc fd, size_t offset /* = 0 */, size_t length /* = 0 mArchList = NULL; mArchCount = 0; mThinArch = Architecture(mheader.cputype, mheader.cpusubtype);
- secdebug("macho", "%p is a thin file (%s)", this, mThinArch.name());
+ secinfo("macho", "%p is a thin file (%s)", this, mThinArch.name());
 break; case MH_CIGAM: case MH_CIGAM_64: mArchList = NULL; mArchCount = 0; mThinArch = Architecture(flip(mheader.cputype), flip(mheader.cpusubtype));
- secdebug("macho", "%p is a thin file (%s)", this, mThinArch.name());
+ secinfo("macho", "%p is a thin file (%s)", this, mThinArch.name());
 break; default: UnixError::throwMe(ENOEXEC);
diff --git a/OSX/libsecurity_utilities/lib/machrunloopserver.cpp b/OSX/libsecurity_utilities/lib/machrunloopserver.cpp
index 38021594..f6ef5ac5 100644
--- a/OSX/libsecurity_utilities/lib/machrunloopserver.cpp
+++ b/OSX/libsecurity_utilities/lib/machrunloopserver.cpp
@@ -97,7 +97,7 @@ void MachRunLoopServer::receive(const Message &request) void MachRunLoopServer::oneRequest(const Message &request) { if (!handle(request, mReplyMessage)) { // MIG dispatch failed
- secdebug("machrls", "MachRunLoopServer dispatch failed");
+ secinfo("machrls", "MachRunLoopServer dispatch failed");
 } else { // MIG dispatch handled the call. Send reply back to caller. mReplyMessage.send((MACH_MSGH_BITS_REMOTE(mReplyMessage.bits()) == MACH_MSG_TYPE_MOVE_SEND_ONCE) ?
diff --git a/OSX/libsecurity_utilities/lib/machserver.cpp b/OSX/libsecurity_utilities/lib/machserver.cpp
index 82434ef2..b2f2b775 100644
--- a/OSX/libsecurity_utilities/lib/machserver.cpp
+++ b/OSX/libsecurity_utilities/lib/machserver.cpp
@@ -89,13 +89,13 @@ MachServer::~MachServer() // void MachServer::add(Port receiver) {
- SECURITY_MACHSERVER_PORT_ADD(receiver);
+ secinfo("machserver", "port add: %d", receiver.port());
 mPortSet += receiver; } void MachServer::remove(Port receiver) {
- SECURITY_MACHSERVER_PORT_REMOVE(receiver);
+ secinfo("machserver", "port remove: %d", receiver.port());
 mPortSet -= receiver; }
@@ -143,9 +143,9 @@ void MachServer::run(mach_msg_size_t maxSize, mach_msg_options_t options) highestWorkerCount = 1; // run server loop in initial (immortal) thread
- SECURITY_MACHSERVER_START_THREAD(false);
+ secinfo("machserver", "start thread");
 runServerThread(false);
- SECURITY_MACHSERVER_END_THREAD(false);
+ secinfo("machserver", "end thread");
 // primary server thread exited somehow (not currently possible) assert(false);
@@ -192,7 +192,7 @@ void MachServer::runServerThread(bool doTimeout) Time::Absolute rightNow = Time::now(); if (rightNow >= nextCheckTime) { // reaping period complete; process UInt32 idlers = leastIdleWorkers;
- SECURITY_MACHSERVER_REAP(workerCount, idlers);
+ secinfo("machserver", "reaping workers: %d %d", (uint32_t) workerCount, (uint32_t) idlers);
 nextCheckTime = rightNow + workerTimeout; leastIdleWorkers = INT_MAX; if (idlers > 1) // multiple idle threads throughout measuring interval...
@@ -213,9 +213,7 @@ void MachServer::runServerThread(bool doTimeout) timeout = workerTimeout; } }
- if (SECURITY_MACHSERVER_RECEIVE_ENABLED())
- SECURITY_MACHSERVER_RECEIVE(indefinite ? 0 : timeout.seconds());
-
+
 // receive next IPC request (or wait for timeout) mach_msg_return_t mr = indefinite ? mach_msg_overwrite(bufRequest,
@@ -235,7 +233,7 @@ void MachServer::runServerThread(bool doTimeout) // process received request message below break; default:
- SECURITY_MACHSERVER_RECEIVE_ERROR(mr);
+ secinfo("machserver", "received error: %d", mr);
 continue; }
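Review bot: The new `secinfo("machserver", "start thread")` / `"end thread"` messages in `MachServer::run()` drop the boolean the replaced `SECURITY_MACHSERVER_START_THREAD(false)` / `END_THREAD(false)` probes carried, and the worker path in `LoadThread::action()` later in this file logs the identical text, so the log can no longer tell the primary thread from a worker. Suggest `secinfo("machserver", "start primary thread");` and `"end primary thread"` here, with the worker variant named accordingly, or append `%p` with `pthread_self()`. While the lines are being touched, `receiver.port()` is a `mach_port_t` (unsigned), so `%u` is the matching specifier rather than `%d`. The `@@ -213,9 +213,7 @@` hunk also replaces the removed blank line with a new blank line, which looks like an unintended whitespace-only change.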
@@ -248,7 +246,7 @@ void MachServer::runServerThread(bool doTimeout) } else { // normal request message StLock<MachServer, &MachServer::busy, &MachServer::idle> _(*this);
- SECURITY_MACHSERVER_BEGIN(bufRequest.localPort(), bufRequest.msgId());
+ secinfo("machserver", "begin request: %d, %d", bufRequest.localPort().port(), bufRequest.msgId());
 // try subsidiary handlers first bool handled = false;
@@ -263,7 +261,7 @@ void MachServer::runServerThread(bool doTimeout) handle(bufRequest, bufReply); }
- SECURITY_MACHSERVER_END();
+ secinfo("machserver", "end request");
 } // process reply generated by handler
@@ -303,7 +301,7 @@ void MachServer::runServerThread(bool doTimeout) case MACH_MSG_SUCCESS: break; default:
- SECURITY_MACHSERVER_SEND_ERROR(mr, bufReply.remotePort());
+ secinfo("machserver", "send error: %d %d", mr, bufReply.remotePort().port());
 bufReply.destroy(); break; }
@@ -371,7 +369,7 @@ void MachServer::releaseWhenDone(Allocator &alloc, void *memory) if (memory) { set<Allocation> &releaseSet = perThread().deferredAllocations; assert(releaseSet.find(Allocation(memory, alloc)) == releaseSet.end());
- SECURITY_MACHSERVER_ALLOC_REGISTER(memory, &alloc);
+ secinfo("machserver", "allocing register %p with alloc %p", memory, &alloc);
 releaseSet.insert(Allocation(memory, alloc)); } }
@@ -388,8 +386,8 @@ void MachServer::releaseDeferredAllocations() { set<Allocation> &releaseSet = perThread().deferredAllocations; for (set<Allocation>::iterator it = releaseSet.begin(); it != releaseSet.end(); it++) {
- SECURITY_MACHSERVER_ALLOC_RELEASE(it->addr, it->allocator);
-
+ secinfo("machserver", "releasing alloc at %p with %p", it->addr, it->allocator);
+ // before we release the deferred allocation, zap it so that secrets aren't left in memory
 size_t memSize = malloc_size(it->addr); bzero(it->addr, memSize);
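Review bot: The new comment `// before we release the deferred allocation, zap it so that secrets aren't left in memory` in `releaseDeferredAllocations()` promises more than the `malloc_size(it->addr)` / `bzero` pair beneath it delivers: `malloc_size` returns 0 for a pointer that did not come from the malloc zones, so for any `Allocator` that hands out other memory the zeroing is silently skipped. Whether a non-malloc Allocator can be registered through `releaseWhenDone` is not visible in this diff; if it can, the byte count should come from the allocation record rather than `malloc_size`, and if it cannot, the comment should state the assumption: `// zap before release; assumes every registered Allocator is malloc-backed (malloc_size returns 0 otherwise)`. The loop body continues past the end of this hunk.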
@@ -464,12 +462,12 @@ void MachServer::LoadThread::action() // register the worker thread and go server.addThread(this); try {
- SECURITY_MACHSERVER_START_THREAD(true);
+ secinfo("machserver", "start thread");
 server.runServerThread(true);
- SECURITY_MACHSERVER_END_THREAD(false);
+ secinfo("machserver", "end thread");
 } catch (...) { // fell out of server loop by error. Let the thread go quietly
- SECURITY_MACHSERVER_END_THREAD(true);
+ secinfo("machserver", "end thread (due to error)");
 } server.removeThread(this); }
@@ -515,7 +513,7 @@ bool MachServer::processTimer() return false; // nothing (more) to be done now } // drop lock; work has been retrieved try {
- SECURITY_MACHSERVER_TIMER_START(top, top->longTerm(), Time::now().internalForm());
+ secinfo("machserver", "timer start: %p, %d, %f", top, top->longTerm(), Time::now().internalForm());
 StLock<MachServer::Timer, &MachServer::Timer::select, &MachServer::Timer::unselect> _t(*top); if (top->longTerm()) {
@@ -524,9 +522,9 @@ bool MachServer::processTimer() } else { top->action(); }
- SECURITY_MACHSERVER_TIMER_END(false);
+ secinfo("machserver", "timer end (false)");
 } catch (...) {
- SECURITY_MACHSERVER_TIMER_END(true);
+ secinfo("machserver", "timer end (true)");
 } return true; }
diff --git a/OSX/libsecurity_utilities/lib/memutils.h b/OSX/libsecurity_utilities/lib/memutils.h
index 035aee1c..20333873 100644
--- a/OSX/libsecurity_utilities/lib/memutils.h
+++ b/OSX/libsecurity_utilities/lib/memutils.h
@@ -51,7 +51,7 @@ static const size_t systemAlignment = 4; // Get the local alignment for a type, as used by the acting compiler. // template <class T>
-inline size_t alignof() { struct { char c; T t; } s; return sizeof(s) - sizeof(T); }
+inline int alignof() { struct { char c; T t; } s; return sizeof(s) - sizeof(T); }
 //
diff --git a/OSX/libsecurity_utilities/lib/muscle++.cpp b/OSX/libsecurity_utilities/lib/muscle++.cpp
index d1841472..575edce6 100644
--- a/OSX/libsecurity_utilities/lib/muscle++.cpp
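Review bot: Changing the return type at `inline int alignof()` turns `return sizeof(s) - sizeof(T);` into an implicit `size_t`-to-`int` narrowing, and the comment above the template ("Get the local alignment for a type") gives no reason for preferring `int`; if a signed result is wanted, make the conversion explicit, `return int(sizeof(s) - sizeof(T));`, and add a line saying why, otherwise keep `size_t` like `systemAlignment` just above. Separately, `alignof` has been a keyword since C++11, so this template can only be parsed in pre-C++11 translation units; a comment such as `// NOTE: shadows the C++11 alignof keyword; only usable from C++03 code` would save the next person a confusing compile error when a consumer bumps its language level.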
+++ b/OSX/libsecurity_utilities/lib/muscle++.cpp
@@ -39,7 +39,8 @@ namespace Muscle { // Error::Error(MSC_RV err) : error(err) {
- SECURITY_EXCEPTION_THROW_OTHER(this, err, (char *)"muscle");
+ SECURITY_EXCEPTION_THROW_OTHER(this, err, (char *)"muscle");
+ secnotice("security_exception", "muscle: %d", err);
 }
@@ -97,7 +98,7 @@ void Connection::open(const PCSC::ReaderState &reader, unsigned share) // establish Muscle-level connection to card Error::check(::MSCEstablishConnection(&info, share, NULL, 0, this)); mIsOpen = true;
- secdebug("muscle", "%p opened %s", this, info.slotName);
+ secinfo("muscle", "%p opened %s", this, info.slotName);
 // pull initial status updateStatus();
@@ -106,7 +107,7 @@ void Connection::open(const PCSC::ReaderState &reader, unsigned share) void Connection::close() { if (mIsOpen) {
- secdebug("muscle", "%p closing", this);
+ secinfo("muscle", "%p closing", this);
 Error::check(::MSCReleaseConnection(this, SCARD_LEAVE_CARD)); mIsOpen = false; }
@@ -117,14 +118,14 @@ void Connection::begin(Transaction *trans) { assert(!mCurrentTransaction); Error::check(::MSCBeginTransaction(this));
- secdebug("muscle", "%p start transaction %p", this, trans);
+ secinfo("muscle", "%p start transaction %p", this, trans);
 mCurrentTransaction = trans; } void Connection::end(Transaction *trans) { assert(trans == mCurrentTransaction);
- secdebug("muscle", "%p end transaction %p", this, trans);
+ secinfo("muscle", "%p end transaction %p", this, trans);
 Error::check(::MSCEndTransaction(this, SCARD_LEAVE_CARD)); mCurrentTransaction = NULL; }
diff --git a/OSX/libsecurity_utilities/lib/osxcode.cpp b/OSX/libsecurity_utilities/lib/osxcode.cpp
index 51c01007..7b464a01 100644
--- a/OSX/libsecurity_utilities/lib/osxcode.cpp
+++ b/OSX/libsecurity_utilities/lib/osxcode.cpp
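Review bot: `secnotice("security_exception", "muscle: %d", err)` passes `err` of type `MSC_RV`, whose definition is not in this diff; if `MSC_RV` is wider than `int`, `%d` is a format/argument mismatch, and the sibling pcsc++.cpp constructor in this same commit casts its code before printing. Cast here too, and prefer hex so the `0x8010xxxx`-style card-service codes stay recognisable: `secnotice("security_exception", "muscle: %#x", (unsigned)err);`. As with the other exception constructors touched by this commit, the line runs on every construction, including errors the caller catches and handles, so `secinfo` may be the better level unless these are meant to be kept in the default log.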
@@ -59,7 +59,7 @@ RefPointer<OSXCode> OSXCode::main() if (const char *contents = strstr(cpath, "/Contents/MacOS/")) if (contents + 15 == slash) return new Bundle(path.substr(0, contents-cpath).c_str());
- secdebug("bundle", "OSXCode::main(%s) not recognized as bundle (treating as tool)", cpath);
+ secinfo("bundle", "OSXCode::main(%s) not recognized as bundle (treating as tool)", cpath);
 } return new ExecutableTool(path.c_str()); }
@@ -124,7 +124,7 @@ Bundle::Bundle(const char *path, const char *execPath /* = NULL */) { if (execPath) // caller knows that one; set it mExecutablePath = execPath;
- secdebug("bundle", "%p Bundle from path %s(%s)", this, path, executablePath().c_str());
+ secinfo("bundle", "%p Bundle from path %s(%s)", this, path, executablePath().c_str());
 } Bundle::Bundle(CFBundleRef bundle, const char *root /* = NULL */)
@@ -133,7 +133,7 @@ Bundle::Bundle(CFBundleRef bundle, const char *root /* = NULL */) assert(bundle); CFRetain(bundle); mPath = root ? root : cfStringRelease(CFBundleCopyBundleURL(mBundle));
- secdebug("bundle", "%p Bundle from bundle %p(%s)", this, bundle, mPath.c_str());
+ secinfo("bundle", "%p Bundle from bundle %p(%s)", this, bundle, mPath.c_str());
 }
@@ -156,7 +156,7 @@ string Bundle::executablePath() const CFBundleRef Bundle::cfBundle() const { if (!mBundle) {
- secdebug("bundle", "instantiating CFBundle for %s", mPath.c_str());
+ secinfo("bundle", "instantiating CFBundle for %s", mPath.c_str());
 CFRef<CFURLRef> url = CFURLCreateFromFileSystemRepresentation(NULL, (const UInt8 *)mPath.c_str(), mPath.length(), true); if (!url || !(mBundle = CFBundleCreate(NULL, url)))
@@ -214,12 +214,12 @@ void LoadableBundle::load() { if (!CFBundleLoadExecutable(cfBundle())) CFError::throwMe();
- secdebug("bundle", "%p (%s) loaded", this, path().c_str());
+ secinfo("bundle", "%p (%s) loaded", this, path().c_str());
 } void LoadableBundle::unload() {
- secdebug("bundle", "%p (%s) unloaded", this, path().c_str());
+ secinfo("bundle", "%p (%s) unloaded", this, path().c_str());
 CFBundleUnloadExecutable(cfBundle()); }
diff --git a/OSX/libsecurity_utilities/lib/pcsc++.cpp b/OSX/libsecurity_utilities/lib/pcsc++.cpp
index 0a79de0e..8c5e409d 100644
--- a/OSX/libsecurity_utilities/lib/pcsc++.cpp
+++ b/OSX/libsecurity_utilities/lib/pcsc++.cpp
@@ -59,7 +59,8 @@ inline void decode(vector<string> &names, const vector<char> &buffer, size_t siz // Error::Error(unsigned long err) : error(err) {
- SECURITY_EXCEPTION_THROW_PCSC(this, (unsigned int)err);
+ SECURITY_EXCEPTION_THROW_PCSC(this, (unsigned int)err);
+ secnotice("security_exception", "pcsc: %d", (unsigned int) err);
 }
@@ -158,11 +159,11 @@ void Session::open() try { Error::check(::SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, &mContext)); mIsOpen = true;
- secdebug("pcsc", "context opened");
+ secinfo("pcsc", "context opened");
 } catch (const Error &err) { if (err.error == SCARD_F_INTERNAL_ERROR) {
- secdebug("pcsc", "got internal error; assuming pcscd absent; context not ready");
+ secinfo("pcsc", "got internal error; assuming pcscd absent; context not ready");
 return; } }
@@ -176,11 +177,11 @@ void Session::close() try { if (mContext) Error::check(SCardReleaseContext(mContext));
- secdebug("pcsc", "context closed");
+ secinfo("pcsc", "context closed");
 } catch (const Error &err) { if (err.error == SCARD_F_INTERNAL_ERROR) {
- secdebug("pcsc", "got internal error; assuming pcscd absent; context not ready");
+ secinfo("pcsc", "got internal error; assuming pcscd absent; context not ready");
 return; } }
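Review bot: `secnotice("security_exception", "pcsc: %d", (unsigned int) err)` prints PC/SC status codes as signed decimal, so a value such as `SCARD_F_INTERNAL_ERROR` comes out as a large negative number; `"pcsc: %#x"` keeps them in the hexadecimal form the headers and pcscd use. Because the line sits in the `Error` constructor it also fires for the `SCARD_F_INTERNAL_ERROR` case that `Session::open()` and `Session::close()` in the following hunks catch and treat as "pcscd absent; context not ready", so a machine without pcscd now writes a notice-level entry on every session open and close. Consider `secinfo` here, or log at the places where the error is not swallowed.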
@@ -203,18 +204,23 @@ bool Session::check(long rc) void Session::listReaders(vector<string> &readers, const char *groups) {
- uint32_t size = 0;
- if (check(::SCardListReaders(mContext, groups, NULL, &size)))
+ uint32_t size = uint32_t(mReaderBuffer.size());
+ for (;;)
 {
- mReaderBuffer.resize(size);
- if (check(::SCardListReaders(mContext, groups, &mReaderBuffer[0], &size)))
- {
- decode(readers, mReaderBuffer, size);
- return;
+ int32_t rc = ::SCardListReaders(mContext, groups, &mReaderBuffer[0], &size);
+ switch (rc) {
+ case SCARD_S_SUCCESS:
+ if (size <= mReaderBuffer.size()) {
+ decode(readers, mReaderBuffer, size);
+ return;
+ }
+ case SCARD_E_INSUFFICIENT_BUFFER:
+ mReaderBuffer.resize(size);
+ break;
+ default:
+ Error::throwMe(rc);
 } }
-
-
- readers.clear(); // treat as success (returning zero readers)
 }
@@ -282,7 +288,7 @@ void Card::disconnect(unsigned long disposition) { if (mTransactionNestLevel > 0) {
- secdebug("pcsc", "%p: disconnect, dropping: %d transactions", this, mTransactionNestLevel);
+ secinfo("pcsc", "%p: disconnect, dropping: %d transactions", this, mTransactionNestLevel);
 mTransactionNestLevel = 0; }
@@ -297,7 +303,7 @@ Card::checkReset(unsigned int rv) { if (rv == SCARD_W_RESET_CARD) {
- secdebug("pcsc", "%p: card reset during pcsc call, we're disconnected", this);
+ secinfo("pcsc", "%p: card reset during pcsc call, we're disconnected", this);
 didDisconnect(); } Error::check(rv);
@@ -321,7 +327,7 @@ Card::transmit(const unsigned char *pbSendBuffer, size_t cbSendLength, { if (mConnectedState == kDisconnected) {
- secdebug("pcsc", "%p: transmit after disconnect, reconnecting", this);
+ secinfo("pcsc", "%p: transmit after disconnect, reconnecting", this);
 reconnect(); }
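Review bot: In the rewritten `Session::listReaders`, the first `::SCardListReaders` call evaluates `&mReaderBuffer[0]` while the buffer can still be empty (`size` is seeded from `mReaderBuffer.size()`, which is 0 until a first successful growth), and `operator[]` on an empty `std::vector` is undefined behaviour; the replaced code passed `NULL` for the sizing call. The loop also has no exit if pcscd ever answers `SCARD_E_INSUFFICIENT_BUFFER` without raising `size` above the current capacity, and the fall-through from `SCARD_S_SUCCESS` into that case is deliberate but unmarked. Passing a null pointer for an empty buffer, insisting that a resize actually grows, and a `/* fallthrough */` comment address all three without touching the successful path. Note also that results such as `SCARD_E_NO_READERS_AVAILABLE`, which the removed `readers.clear()` branch reported as an empty list, now surface as exceptions — confirm the callers expect that, and say so in a comment above the loop either way.
```cpp
	for (;;)
	{
		// an empty vector has no element 0; pass NULL for the sizing call instead
		char *buffer = mReaderBuffer.empty() ? NULL : &mReaderBuffer[0];
		int32_t rc = ::SCardListReaders(mContext, groups, buffer, &size);
		switch (rc) {
		case SCARD_S_SUCCESS:
			// … unchanged: decode and return when size fits the buffer …
			/* fallthrough: pcscd reported more than we hold; grow and retry */
		case SCARD_E_INSUFFICIENT_BUFFER:
			if (size <= mReaderBuffer.size())	// a non-growing retry would loop forever
				Error::throwMe(rc);
			mReaderBuffer.resize(size);
			break;
		// … unchanged: default: Error::throwMe(rc) …
		}
	}
```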
@@ -342,25 +348,25 @@ void Card::begin() { if (mConnectedState == kDisconnected) {
- secdebug("pcsc", "%p: begin transaction after disconnect, reconnecting", this);
+ secinfo("pcsc", "%p: begin transaction after disconnect, reconnecting", this);
 reconnect(); } checkReset(::SCardBeginTransaction(mHandle)); } mTransactionNestLevel++;
- secdebug("pcsc", "%p begin transaction: %d", this, mTransactionNestLevel);
+ secinfo("pcsc", "%p begin transaction: %d", this, mTransactionNestLevel);
 } void Card::end(unsigned long disposition) { // Only the last transaction ended is sent to PCSC
- secdebug("pcsc", "%p end transaction: %d", this, mTransactionNestLevel);
+ secinfo("pcsc", "%p end transaction: %d", this, mTransactionNestLevel);
 if (disposition == SCARD_RESET_CARD) { if (mConnectedState == kDisconnected) {
- secdebug("pcsc", "%p: end transaction after disconnect, reconnecting to reset card", this);
+ secinfo("pcsc", "%p: end transaction after disconnect, reconnecting to reset card", this);
 reconnect(); }
@@ -373,7 +379,7 @@ void Card::end(unsigned long disposition) if (mTransactionNestLevel == 0) { if (mConnectedState == kDisconnected)
- secdebug("pcsc", "%p: end transaction while disconnected ignored", this);
+ secinfo("pcsc", "%p: end transaction while disconnected ignored", this);
 else { checkReset(::SCardEndTransaction(mHandle, (uint32_t)disposition));
diff --git a/OSX/libsecurity_utilities/lib/powerwatch.cpp b/OSX/libsecurity_utilities/lib/powerwatch.cpp
index 1e3037b9..239f1acb 100644
--- a/OSX/libsecurity_utilities/lib/powerwatch.cpp
+++ b/OSX/libsecurity_utilities/lib/powerwatch.cpp
@@ -69,24 +69,22 @@ IOPowerWatcher::iopmcallback(void * param, { IOPowerWatcher *me = (IOPowerWatcher *)param;
- if (SECURITY_DEBUG_LOG_ENABLED()) {
- secdebug("powerwatch", "powerstates");
+ secnotice("powerwatch", "powerstates");
 if (capabilities & kIOPMSystemPowerStateCapabilityDisk)
- secdebug("powerwatch", "disk");
+ secnotice("powerwatch", "disk");
 if (capabilities & kIOPMSystemPowerStateCapabilityNetwork)
- secdebug("powerwatch", "net");
+ secnotice("powerwatch", "net");
 if (capabilities & kIOPMSystemPowerStateCapabilityAudio)
- secdebug("powerwatch", "audio");
+ secnotice("powerwatch", "audio");
 if (capabilities & kIOPMSystemPowerStateCapabilityVideo)
- secdebug("powerwatch", "video");
- }
+ secnotice("powerwatch", "video");
 /* if cpu and no display -> in DarkWake */ if ((capabilities & (kIOPMSystemPowerStateCapabilityCPU|kIOPMSystemPowerStateCapabilityVideo)) == kIOPMSystemPowerStateCapabilityCPU) {
- secdebug("powerwatch", "enter DarkWake");
+ secnotice("powerwatch", "enter DarkWake");
 me->mInDarkWake = true; } else if (me->mInDarkWake) {
- secdebug("powerwatch", "exit DarkWake");
+ secnotice("powerwatch", "exit DarkWake");
 me->mInDarkWake = false; }
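Review bot: With the `if (SECURITY_DEBUG_LOG_ENABLED()) {` wrapper and its closing `}` removed, the four capability checks from `if (capabilities & kIOPMSystemPowerStateCapabilityDisk)` through `secnotice("powerwatch", "video");` keep the indentation of the deleted block and now read as though they were still nested; re-indent them one level out to line up with `secnotice("powerwatch", "powerstates");`. The level also moved from `secdebug` straight to `secnotice`, so up to five capability lines plus a DarkWake transition go to the default, persisted log on every power callback — `secinfo` is what the rest of this commit chose for comparable chatter, unless power transitions are deliberately kept for diagnosis, in which case a one-line comment at the first `secnotice` saying so would stop someone from lowering it later. `iopmcallback`'s parameter list begins before this hunk.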
@@ -177,43 +175,43 @@ void IOPowerWatcher::ioCallback(void *refCon, io_service_t service, enum { allow, refuse, ignore } reaction; switch (messageType) { case kIOMessageSystemWillSleep:
- secdebug("powerwatch", "system will sleep");
+ secnotice("powerwatch", "system will sleep");
 me->systemWillSleep(); reaction = allow; break; case kIOMessageSystemHasPoweredOn:
- secdebug("powerwatch", "system has powered on");
+ secnotice("powerwatch", "system has powered on");
 me->systemIsWaking(); reaction = ignore; break; case kIOMessageSystemWillPowerOff:
- secdebug("powerwatch", "system will power off");
+ secnotice("powerwatch", "system will power off");
 me->systemWillPowerDown(); reaction = allow; break; case kIOMessageSystemWillNotPowerOff:
- secdebug("powerwatch", "system will not power off");
+ secnotice("powerwatch", "system will not power off");
 reaction = ignore; break; case kIOMessageCanSystemSleep:
- secdebug("powerwatch", "can system sleep");
+ secnotice("powerwatch", "can system sleep");
 reaction = allow; break; case kIOMessageSystemWillNotSleep:
- secdebug("powerwatch", "system will not sleep");
+ secnotice("powerwatch", "system will not sleep");
 reaction = ignore; break; case kIOMessageCanSystemPowerOff:
- secdebug("powerwatch", "can system power off");
+ secnotice("powerwatch", "can system power off");
 reaction = allow; break; case kIOMessageSystemWillPowerOn:
- secdebug("powerwatch", "system will power on");
+ secnotice("powerwatch", "system will power on");
 me->systemWillPowerOn(); reaction = ignore; break; default:
- secdebug("powerwatch",
+ secnotice("powerwatch",
 "type 0x%x message received (ignored)", messageType); reaction = ignore; break;
@@ -222,15 +220,15 @@ void IOPowerWatcher::ioCallback(void *refCon, io_service_t service, // handle acknowledgments switch (reaction) { case allow:
- secdebug("powerwatch", "calling IOAllowPowerChange");
+ secnotice("powerwatch", "calling IOAllowPowerChange");
 IOAllowPowerChange(me->mKernelPort, long(argument)); break; case refuse:
- secdebug("powerwatch", "calling IOCancelPowerChange");
+ secnotice("powerwatch", "calling IOCancelPowerChange");
 IOCancelPowerChange(me->mKernelPort, long(argument)); break; case ignore:
- secdebug("powerwatch", "sending no response");
+ secnotice("powerwatch", "sending no response");
 break; } }
diff --git a/OSX/libsecurity_utilities/lib/refcount.h b/OSX/libsecurity_utilities/lib/refcount.h
index 677376c5..945488f1 100644
--- a/OSX/libsecurity_utilities/lib/refcount.h
+++ b/OSX/libsecurity_utilities/lib/refcount.h
@@ -49,14 +49,15 @@ namespace Security { // way to "demand copy" a RefCount subclass. Trust me; it's been tried. Don't. //
-#if !defined(DEBUG_REFCOUNTS)
-# define DEBUG_REFCOUNTS 1
-#endif
+// Uncomment to debug refcounts
+//# define DEBUG_REFCOUNTS 1
 #if DEBUG_REFCOUNTS
-# define RCDEBUG(_kind, _args...) SECURITY_DEBUG_REFCOUNT_##_kind((void *)this, ##_args)
+# define RCDEBUG_CREATE() secinfo("refcount", "%p: CREATE", this)
+# define RCDEBUG(_kind, n) secinfo("refcount", "%p: %s: %d", this, #_kind, n)
 #else
-# define RCDEBUG(kind) /* nothing */
+# define RCDEBUG_CREATE() /* nothing */
+# define RCDEBUG(kind, _args...) /* nothing */
 #endif
@@ -65,7 +66,7 @@ namespace Security { // class RefCount { public:
- RefCount() : mRefCount(0) { RCDEBUG(CREATE); }
+ RefCount() : mRefCount(0) { RCDEBUG_CREATE(); }
 protected: template <class T> friend class RefPointer;
diff --git a/OSX/libsecurity_utilities/lib/seccfobject.cpp b/OSX/libsecurity_utilities/lib/seccfobject.cpp
index 142a2730..11220f45 100644
--- a/OSX/libsecurity_utilities/lib/seccfobject.cpp
+++ b/OSX/libsecurity_utilities/lib/seccfobject.cpp
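Review bot: In refcount.h the surviving `#if DEBUG_REFCOUNTS` now tests a macro that nothing in the header defines any more (the `#if !defined` / `# define DEBUG_REFCOUNTS 1` block is gone and its replacement is commented out), which relies on the preprocessor reading an undefined name as 0 and trips `-Wundef`; `#if defined(DEBUG_REFCOUNTS) && DEBUG_REFCOUNTS` states the intent explicitly. The new comment `// Uncomment to debug refcounts` could also mention that `-DDEBUG_REFCOUNTS=1` on the command line enables the tracing without editing the header. In the enabled branch `RCDEBUG(_kind, n)` prints `n` with `%d`; the call sites that supply `n` are outside these hunks, so confirm they pass an `int`-sized count.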
@@ -28,7 +28,7 @@ #include <list> #include <security_utilities/globalizer.h>
-#include <auto_zone.h>
+#include <stdatomic.h>
 SecPointerBase::SecPointerBase(const SecPointerBase& p) {
@@ -40,20 +40,6 @@ SecPointerBase::SecPointerBase(const SecPointerBase& p) }
-
-
-static void CheckForRelease(SecCFObject* ptr)
-{
- CFTypeRef tr = ptr->operator CFTypeRef();
- CFIndex retainCount = CFGetRetainCount(tr);
- if (retainCount == 1 || retainCount == -1)
- {
- ptr->aboutToDestruct();
- }
-}
-
-
-
 SecPointerBase::SecPointerBase(SecCFObject *p) { if (p && !p->isNew())
@@ -69,7 +55,6 @@ SecPointerBase::~SecPointerBase() { if (ptr) {
- CheckForRelease(ptr);
 CFRelease(ptr->operator CFTypeRef()); } }
@@ -85,7 +70,6 @@ SecPointerBase& SecPointerBase::operator = (const SecPointerBase& p) } if (ptr) {
- CheckForRelease(ptr);
 CFRelease(ptr->operator CFTypeRef()); } ptr = p.ptr;
@@ -102,7 +86,6 @@ void SecPointerBase::assign(SecCFObject * p) } if (ptr) {
- CheckForRelease(ptr);
 CFRelease(ptr->operator CFTypeRef()); } ptr = p;
@@ -114,7 +97,6 @@ void SecPointerBase::copy(SecCFObject * p) { if (ptr) {
- CheckForRelease(ptr);
 CFRelease(ptr->operator CFTypeRef()); }
@@ -153,14 +135,10 @@ SecCFObject::allocate(size_t size, const CFClass &cfclass) throw(std::bad_alloc) if (p == NULL) throw std::bad_alloc();
- ((SecRuntimeBase*) p)->isNew = true;
+ atomic_flag_clear(&((SecRuntimeBase*) p)->isOld);
 void *q = ((u_int8_t*) p) + kAlignedRuntimeSize;
- if (SECURITY_DEBUG_SEC_CREATE_ENABLED()) {
- const CFRuntimeClass *rtc = _CFRuntimeGetClassWithTypeID(cfclass.typeID);
- SECURITY_DEBUG_SEC_CREATE(q, rtc ? (char *)rtc->className : NULL, (unsigned int)cfclass.typeID);
- }
 return q; }
@@ -212,7 +190,7 @@ uint32_t SecCFObject::updateRetainCount(intptr_t direction, uint32_t *oldCount) SecCFObject::~SecCFObject() {
- SECURITY_DEBUG_SEC_DESTROY(this);
+ //SECURITY_DEBUG_SEC_DESTROY(this);
 } bool
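Review bot: `SecCFObject::~SecCFObject()` now consists of the single commented-out line `//SECURITY_DEBUG_SEC_DESTROY(this);`, which is dead code left behind from the dtrace removal; either delete it and leave a one-line note (`// nothing to do; creation/destruction tracing went away with the dtrace probes`) or, if the trace is still wanted, replace it with `secinfo("seccfobject", "%p destroyed", this);` to match the `secinfo` conversions elsewhere in this commit. The `atomic_flag_clear(&((SecRuntimeBase*) p)->isOld);` in `allocate()` is what gives the flag a defined starting state, since an `atomic_flag` is otherwise indeterminate until initialised; a short comment there saying that `isNew()` depends on it would make the coupling explicit.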
@@ -257,7 +235,7 @@ SecCFObject::aboutToDestruct() Mutex*
-SecCFObject::getMutexForObject()
+SecCFObject::getMutexForObject() const
 { return NULL; // we only worry about descendants of KeychainImpl and ItemImpl }
diff --git a/OSX/libsecurity_utilities/lib/seccfobject.h b/OSX/libsecurity_utilities/lib/seccfobject.h
index 2717d755..26c39288 100644
--- a/OSX/libsecurity_utilities/lib/seccfobject.h
+++ b/OSX/libsecurity_utilities/lib/seccfobject.h
@@ -29,15 +29,13 @@ #include <CoreFoundation/CFRuntime.h> #include <new> #include "threading.h"
+#include <stdatomic.h>
 namespace Security { class CFClass;
-#define SECCFFUNCTIONS(OBJTYPE, APIPTR, ERRCODE, CFCLASS) \
-\
-void *operator new(size_t size) throw(std::bad_alloc) \
-{ return SecCFObject::allocate(size, CFCLASS); } \
+#define SECCFFUNCTIONS_BASE(OBJTYPE, APIPTR) \
 \ operator APIPTR() const \ { return (APIPTR)(this->operator CFTypeRef()); } \
@@ -45,7 +43,16 @@ operator APIPTR() const \ OBJTYPE *retain() \ { SecCFObject::handle(true); return this; } \ APIPTR handle(bool retain = true) \
-{ return (APIPTR)SecCFObject::handle(retain); } \
+{ return (APIPTR)SecCFObject::handle(retain); }
+
+#define SECCFFUNCTIONS_CREATABLE(OBJTYPE, APIPTR, CFCLASS) \
+SECCFFUNCTIONS_BASE(OBJTYPE, APIPTR)\
+\
+void *operator new(size_t size) throw(std::bad_alloc) \
+{ return SecCFObject::allocate(size, CFCLASS); }
+
+#define SECCFFUNCTIONS(OBJTYPE, APIPTR, ERRCODE, CFCLASS) \
+SECCFFUNCTIONS_CREATABLE(OBJTYPE, APIPTR, CFCLASS) \
 \ static OBJTYPE *required(APIPTR ptr) \ { if (OBJTYPE *p = dynamic_cast<OBJTYPE *>(SecCFObject::required(ptr, ERRCODE))) \
@@ -60,7 +67,7 @@ static OBJTYPE *optional(APIPTR ptr) \ struct SecRuntimeBase: CFRuntimeBase {
- bool isNew;
+ atomic_flag isOld;
 }; class SecCFObject
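Review bot: seccfobject.h is a C++ header and now includes `<stdatomic.h>` to get `atomic_flag` for `SecRuntimeBase::isOld`; in C++ that header only works through the compiler's compatibility shim (Clang maps it onto `<atomic>`), whereas `#include <atomic>` with `std::atomic_flag` is the portable spelling, so if the C header is kept on purpose a comment saying why (for example, C consumers of the struct layout) would help. The split into `SECCFFUNCTIONS_BASE`, `SECCFFUNCTIONS_CREATABLE` and `SECCFFUNCTIONS` is otherwise a straight refactor, but nothing says when a class should pick the non-creatable variant; a one-line comment above each macro, e.g. `// BASE: conversions/handle only, for objects never allocated through operator new`, would make the choice discoverable. Both macro definitions continue past the ends of the hunks shown here.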
@@ -79,9 +86,9 @@ public: bool isNew() { SecRuntimeBase *base = reinterpret_cast<SecRuntimeBase *>(reinterpret_cast<uint8_t *>(this) - kAlignedRuntimeSize);
- bool isNew = base->isNew;
- base->isNew = false;
- return isNew;
+
+ // atomic flags start clear, and like to go high.
+ return !atomic_flag_test_and_set(&(base->isOld));
 } static SecCFObject *optional(CFTypeRef) throw();
@@ -94,7 +101,7 @@ public: uint32_t getRetainCount() {return updateRetainCount(0, NULL);} static void operator delete(void *object) throw();
- operator CFTypeRef() const throw()
+ virtual operator CFTypeRef() const throw()
 { return reinterpret_cast<CFTypeRef>(reinterpret_cast<const uint8_t *>(this) - kAlignedRuntimeSize); }
@@ -107,7 +114,7 @@ public: virtual CFStringRef copyFormattingDesc(CFDictionaryRef dict); virtual CFStringRef copyDebugDesc(); virtual void aboutToDestruct();
- virtual Mutex* getMutexForObject();
+ virtual Mutex* getMutexForObject() const;
 virtual bool mayDelete(); };
diff --git a/OSX/libsecurity_utilities/lib/selector.cpp b/OSX/libsecurity_utilities/lib/selector.cpp
index e3f115a7..599e4b64 100644
--- a/OSX/libsecurity_utilities/lib/selector.cpp
+++ b/OSX/libsecurity_utilities/lib/selector.cpp
@@ -60,7 +60,7 @@ void Selector::add(int fd, Client &client, Type type) assert(!client.isActive()); // one Selector per client, and no re-adding assert(fd >= 0);
- secdebug("selector", "add client %p fd %d type=%d", &client, fd, type);
+ secinfo("selector", "add client %p fd %d type=%d", &client, fd, type);
 // grow FDSets if needed unsigned int pos = fd / NFDBITS;
@@ -99,7 +99,7 @@ void Selector::remove(int fd) assert(it != clientMap.end()); assert(it->second->mSelector == this);
- secdebug("selector", "remove client %p fd %d", it->second, fd);
+ secinfo("selector", "remove client %p fd %d", it->second, fd);
 // remove from FDSets set(fd, none);
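Review bot: The new comment `// atomic flags start clear, and like to go high.` in `isNew()` is not true in general — a C11 `atomic_flag` is in an indeterminate state unless initialised with `ATOMIC_FLAG_INIT` — and what actually makes this test correct is that `SecCFObject::allocate()` in seccfobject.cpp calls `atomic_flag_clear` on the freshly allocated `SecRuntimeBase`. Say that instead, so the next reader does not take the initial state for granted: `// cleared by SecCFObject::allocate(); the first test_and_set sees "new" and flips it to "old"`. It would also be worth one sentence in the method's comment that the test-and-set makes `isNew()` answer true exactly once per object, which is the property `SecPointerBase::SecPointerBase(SecCFObject *p)` relies on.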
@@ -129,7 +129,7 @@ void Selector::set(int fd, Type type) inSet.set(fd, type & input); outSet.set(fd, type & output); errSet.set(fd, type & critical);
- secdebug("selector", "fd %d notifications 0x%x", fd, type);
+ secinfo("selector", "fd %d notifications 0x%x", fd, type);
 }
@@ -156,7 +156,7 @@ void Selector::operator () (Time::Absolute stopTime) void Selector::singleStep(Time::Interval maxWait) { assert(!clientMap.empty());
- secdebug("selector", "select(%d) [%d-%d] for %ld clients",
+ secinfo("selector", "select(%d) [%d-%d] for %ld clients",
 fdMax + 1, fdMin, fdMax, clientMap.size()); for (;;) { // pseudo-loop - only retries struct timeval duration = maxWait.timevalInterval();
@@ -172,13 +172,13 @@ void Selector::singleStep(Time::Interval maxWait) case -1: // error if (errno == EINTR) continue;
- secdebug("selector", "select failed: errno=%d", errno);
+ secinfo("selector", "select failed: errno=%d", errno);
 UnixError::throwMe(); case 0: // no events
- secdebug("selector", "select returned nothing");
+ secinfo("selector", "select returned nothing");
 return; default: // some events
- secdebug("selector", "%d pending descriptors", hits);
+ secinfo("selector", "%d pending descriptors", hits);
 //@@@ This could be optimized as a word-merge scan. //@@@ The typical case doesn't benefit from this though, though browsers might //@@@ and integrated servers definitely would.
@@ -188,7 +188,7 @@ void Selector::singleStep(Time::Interval maxWait) if (outSet[fd]) types |= output; if (errSet[fd]) types |= critical; if (types) {
- secdebug("selector", "notify fd %d client %p type %d",
+ secinfo("selector", "notify fd %d client %p type %d",
 fd, clientMap[fd], types); clientMap[fd]->notify(fd, types); hits--;
diff --git a/OSX/libsecurity_utilities/lib/simpleprefs.cpp b/OSX/libsecurity_utilities/lib/simpleprefs.cpp
index 105f20b7..c4d09774 100644
--- a/OSX/libsecurity_utilities/lib/simpleprefs.cpp
+++ b/OSX/libsecurity_utilities/lib/simpleprefs.cpp
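Review bot: `secinfo("selector", "select(%d) [%d-%d] for %ld clients", ...)` formats `clientMap.size()`, a `size_t`, with `%ld`; that only lines up by accident of width on LP64 and `%zu` is the matching specifier, so it is worth fixing while the line is being rewritten: `secinfo("selector", "select(%d) [%d-%d] for %zu clients",`. If these macros sit on a format-checked backend such as `os_log` (not visible here), the mismatch will also be flagged at compile time.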
@@ -39,7 +39,7 @@ #include <CoreFoundation/CFPropertyList.h> #include <sys/stat.h>
-#define prefsDebug(args...) secdebug("simpleprefs", ## args)
+#define prefsDebug(args...) secinfo("simpleprefs", ## args)
 #define kSecUserPrefsDir "Library/Preferences" /* relative to $HOME */ #define kSecSystemPrefsDir "/Library/Preferences"
diff --git a/OSX/libsecurity_utilities/lib/socks++4.cpp b/OSX/libsecurity_utilities/lib/socks++4.cpp
index 1f6908b0..20e2e9bb 100644
--- a/OSX/libsecurity_utilities/lib/socks++4.cpp
+++ b/OSX/libsecurity_utilities/lib/socks++4.cpp
@@ -47,7 +47,7 @@ void Server::connect(SocksClientSocket &me, const IPSockAddress &peer) request.send(me, "nobody"); (Message(me)); // read and check reply message me.mPeerAddress = peer; // best guess, Mr. Sulu
- secdebug("socks", "%d socks4 connected to %s", me.fd(), string(peer).c_str());
+ secinfo("socks", "%d socks4 connected to %s", me.fd(), string(peer).c_str());
 } void Server::connect(SocksClientSocket &me, const Host &host, IPPort port)
@@ -77,7 +77,7 @@ void Server::bind(SocksServerSocket &me, const IPAddress &peer, IPPort port) request.send(me, "nobody"); Message reply(me); me.mLocalAddress = reply.address().defaults(mServerAddress.address());
- secdebug("socks", "%d socks4 bound to %s", me.fd(), string(me.mLocalAddress).c_str());
+ secinfo("socks", "%d socks4 bound to %s", me.fd(), string(me.mLocalAddress).c_str());
 } void Server::receive(SocksServerSocket &me, SocksClientSocket &receiver)
@@ -85,7 +85,7 @@ void Server::receive(SocksServerSocket &me, SocksClientSocket &receiver) Message reply(me); receiver.setFd(me.fd(), me.mLocalAddress, reply.address()); me.clear(); // clear our own (don't close on destruction)
- secdebug("socks", "%d socks4 inbound connect", receiver.fd());
+ secinfo("socks", "%d socks4 inbound connect", receiver.fd());
 }
diff --git a/OSX/libsecurity_utilities/lib/socks++5.cpp b/OSX/libsecurity_utilities/lib/socks++5.cpp
index 0aa6cc31..0f6856b0 100644
--- a/OSX/libsecurity_utilities/lib/socks++5.cpp
+++ b/OSX/libsecurity_utilities/lib/socks++5.cpp
@@ -41,13 +41,13 @@ void Server::open(Socket &s, Support &my) { s.open(SOCK_STREAM); s.connect(my.mServer->address());
- secdebug("socks", "%d connected to server %s", s.fd(), string(my.mServer->address()).c_str());
+ secinfo("socks", "%d connected to server %s", s.fd(), string(my.mServer->address()).c_str());
 Byte request[] = { 5, 1, socksAuthPublic }; s.write(request, sizeof(request)); Byte reply[2]; s.read(reply, sizeof(reply)); if (reply[0] != 5 || reply[1] != socksAuthPublic) {
- secdebug("socks", "%d server failed (v%d auth=%d)", s.fd(), reply[0], reply[1]);
+ secinfo("socks", "%d server failed (v%d auth=%d)", s.fd(), reply[0], reply[1]);
 s.close(); UnixError::throwMe(EPROTONOSUPPORT); }
@@ -61,7 +61,7 @@ void Server::connect(SocksClientSocket &me, const IPSockAddress &peer) Message reply(me); me.mLocalAddress = reply.address(); me.mPeerAddress = peer;
- secdebug("socks", "%d socks connected to %s", me.fd(), string(peer).c_str());
+ secinfo("socks", "%d socks connected to %s", me.fd(), string(peer).c_str());
 } void Server::connect(SocksClientSocket &me, const Host &host, IPPort port)
@@ -88,7 +88,7 @@ void Server::connect(SocksClientSocket &me, const Host &host, IPPort port) Message reply(me); me.mLocalAddress = reply.address(); //me.mPeerAddress = not provided by Socks5 protocol;
- secdebug("socks", "%d socks connected to %s", me.fd(), host.name().c_str());
+ secinfo("socks", "%d socks connected to %s", me.fd(), host.name().c_str());
 #endif }
@@ -101,7 +101,7 @@ void Server::bind(SocksServerSocket &me, const IPAddress &peer, IPPort port) Message reply(me); me.mLocalAddress = reply.address(); //me.mPeerAddress not available yet; - secdebug("socks", "%d socks bound to %s", me.fd(), string(me.mLocalAddress).c_str()); + secinfo("socks", "%d socks bound to %s", me.fd(), string(me.mLocalAddress).c_str()); } void Server::receive(SocksServerSocket &me, SocksClientSocket &receiver) @@ -109,7 +109,7 @@ void Server::receive(SocksServerSocket &me, SocksClientSocket &receiver) Message reply(me); receiver.setFd(me.fd(), me.mLocalAddress, reply.address()); me.clear(); // clear our own (don't close on destruction) - secdebug("socks", "%d socks received from %s", receiver.fd(), string(reply.address()).c_str()); + secinfo("socks", "%d socks received from %s", receiver.fd(), string(reply.address()).c_str()); } diff --git a/OSX/libsecurity_utilities/lib/sqlite++.cpp b/OSX/libsecurity_utilities/lib/sqlite++.cpp index 5eaf3a36..4a5e05e8 100644 --- a/OSX/libsecurity_utilities/lib/sqlite++.cpp +++ b/OSX/libsecurity_utilities/lib/sqlite++.cpp @@ -52,9 +52,10 @@ void Error::check(int err) Error::Error(Database &db) : error(db.errcode()), message(db.errmsg()) { - SECURITY_EXCEPTION_THROW_SQLITE(this, error, (char*)message.c_str()); + SECURITY_EXCEPTION_THROW_SQLITE(this, error, (char*)message.c_str()); + secnotice("security_exception", "sqlite: %d %s",error, (char*)message.c_str()); } - + void Error::throwMe(int err) { throw Error(err); diff --git a/OSX/libsecurity_utilities/lib/superblob.h b/OSX/libsecurity_utilities/lib/superblob.h index e6b8edc8..ba7a5811 100644 --- a/OSX/libsecurity_utilities/lib/superblob.h +++ b/OSX/libsecurity_utilities/lib/superblob.h @@ -40,6 +40,7 @@ public: }; bool validateBlob(size_t maxSize = 0) const; + bool strictValidateBlob(size_t maxSize = 0) const; unsigned count() const { return mCount; } 
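Review bot: The new secnotice line in Error::Error casts `message.c_str()` to `char*` for no reason; `%s` takes a `const char *`, so `secnotice("security_exception", "sqlite: %d %s", error, message.c_str());` is enough and does not cast away const. The same cast on the SECURITY_EXCEPTION_THROW_SQLITE line is pre-existing and that line only changed in trailing whitespace. This also logs every SQLite error message at notice level at construction time, which is presumably intended; a one-line comment saying so would keep it from being removed later as debug noise.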
@@ -80,6 +81,34 @@ inline bool SuperBlobCore<_BlobType, _magic, _Type>::validateBlob(size_t maxSize
 return true;
 }
+struct _SBRange {
+ size_t base;
+ size_t end;
+ _SBRange(size_t b, size_t len) : base(b), end(b+len) { }
+ bool operator < (const _SBRange& other) const { return this->base < other.base; }
+};
+
+template <class _BlobType, uint32_t _magic, class _Type>
+inline bool SuperBlobCore<_BlobType, _magic, _Type>::strictValidateBlob(size_t size /* = 0 */) const
+{
+ if (!validateBlob(size)) // verifies in-bound sub-blobs
+ return false;
+ unsigned count = mCount;
+ if (count == 0)
+ return this->length() == sizeof(SuperBlobCore); // nothing in here
+
+ std::vector<_SBRange> ranges;
+ for (unsigned ix = 0; ix < count; ++ix)
+ ranges.push_back(_SBRange(mIndex[ix].offset, this->blob(ix)->length()));
+ sort(ranges.begin(), ranges.end());
+ if (ranges[0].base != sizeof(SuperBlobCore) + count * sizeof(Index))
+ return false; // start anchor
+ for (unsigned ix = 1; ix < count; ++ix)
+ if (ranges[ix].base != ranges[ix-1].end) // nothing in between
+ return false;
+ return ranges[count-1].end == this->length(); // end anchor
+}
+
 //
 // A generic SuperBlob ready for use. You still need to specify a magic number.
@@ -157,7 +186,7 @@ void SuperBlobCore<_BlobType, _magic, _Type>::Maker::add(Type type, BlobCore *bl
 {
 pair<typename BlobMap::iterator, bool> r = mPieces.insert(make_pair(type, blob));
 if (!r.second) { // already there
- secdebug("superblob", "Maker %p replaces type=%d", this, type);
+ secinfo("superblob", "Maker %p replaces type=%d", this, type);
 ::free(r.first->second);
 r.first->second = blob;
 }
@@ -233,7 +262,7 @@ _BlobType *SuperBlobCore<_BlobType, _magic, _Type>::Maker::make() const
 pc += it->second->length();
 n++;
 }
- secdebug("superblob", "Maker %p assembles %ld blob(s) into %p (size=%d)",
+ secinfo("superblob", "Maker %p assembles %ld blob(s) into %p (size=%d)",
 this, mPieces.size(), result, total);
 return result;
 }
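Review bot: strictValidateBlob has no comment stating what "strict" adds over validateBlob, and that is the security-relevant part of this hunk: after sorting the sub-blob ranges by offset it requires them to start right after the index table, to abut one another with no gap or overlap, and to end exactly at length(), so a blob that passes cannot carry unaccounted bytes between or after its members. A header comment such as `// Like validateBlob(), but also requires the sub-blobs to exactly tile the space after the index: no gaps, no overlaps, no trailing data.` would make that contract explicit. Two smaller points: `sort(ranges.begin(), ranges.end())` should be `std::sort(...)` rather than relying on argument-dependent lookup, and the hunk does not show `<vector>` or `<algorithm>` being included by this header. The contiguity check also relies on validateBlob having bounded each offset+length within the blob, as the inline comment suggests; if that is not guaranteed, `b+len` in _SBRange can wrap.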
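Review bot: The rewritten secinfo call in Maker::make() still passes `mPieces.size()` to `%ld` and `total` to `%d`; if mPieces is a std container its size() is a size_t and `%zu` is the matching conversion (`%d` for `total` is only right if total is an int, which the hunk does not show). The same `%ld` for `mChildren().size()` appears in the first checkChildren hunk of unixchild.cpp; since both lines are being rewritten in this commit, it is a cheap moment to fix the specifiers. Suggested: `secinfo("superblob", "Maker %p assembles %zu blob(s) into %p (size=%d)",`.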
diff --git a/OSX/libsecurity_utilities/lib/threading.cpp b/OSX/libsecurity_utilities/lib/threading.cpp index bfe6427c..4146c3f4 100644 --- a/OSX/libsecurity_utilities/lib/threading.cpp +++ b/OSX/libsecurity_utilities/lib/threading.cpp @@ -28,6 +28,7 @@ #include <security_utilities/threading.h> #include <security_utilities/globalizer.h> #include <security_utilities/memutils.h> +#include <utilities/debugging.h> #include <unistd.h> // WWDC 2007 thread-crash workaround #include <syslog.h> // WWDC 2007 thread-crash workaround @@ -91,6 +92,9 @@ Mutex::Mutex(Type type) Mutex::~Mutex() { int result = pthread_mutex_destroy(&me); + if(result) { + secerror("Probable bug: error destroying Mutex: %d", result); + } check(result); } @@ -156,7 +160,6 @@ void CountingMutex::enter() { lock(); mCount++; - secdebug("cmutex", "%p up to %d", this, mCount); unlock(); } @@ -165,7 +168,6 @@ bool CountingMutex::tryEnter() if (!tryLock()) return false; mCount++; - secdebug("cmutex", "%p up to %d (was try)", this, mCount); unlock(); return true; } @@ -175,14 +177,12 @@ void CountingMutex::exit() lock(); assert(mCount > 0); mCount--; - secdebug("cmutex", "%p down to %d", this, mCount); unlock(); } void CountingMutex::finishEnter() { mCount++; - secdebug("cmutex", "%p finish up to %d", this, mCount); unlock(); } @@ -190,7 +190,6 @@ void CountingMutex::finishExit() { assert(mCount > 0); mCount--; - secdebug("cmutex", "%p finish down to %d", this, mCount); unlock(); } @@ -275,7 +274,7 @@ void Thread::run() syslog(LOG_ERR, "too many failed pthread_create() attempts"); } else - secdebug("thread", "%p created", self.mIdent); + secinfo("thread", "%p created", self.mIdent); } void *Thread::runner(void *arg) 
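Review bot: The new secerror in Mutex::~Mutex reports only the raw error number, so when it fires it cannot be tied to a particular mutex; `secerror("Probable bug: error destroying Mutex %p: %d", this, result);` would. The value most likely to show up is EBUSY (destroying a mutex that is still locked), which is the bug the message hints at; naming it in a short comment would help whoever meets it in a log. `check(result)` still runs from the destructor afterwards as before, so the logging is purely additive.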
@@ -284,9 +283,9 @@ void *Thread::runner(void *arg)
 // otherwise it will crash if something underneath throws.
 {
 Thread *me = static_cast<Thread *>(arg);
- secdebug("thread", "%p starting", me->self.mIdent);
+ secinfo("thread", "%p starting", me->self.mIdent);
 me->action();
- secdebug("thread", "%p terminating", me->self.mIdent);
+ secinfo("thread", "%p terminating", me->self.mIdent);
 delete me;
 return NULL;
 }
diff --git a/OSX/libsecurity_utilities/lib/threading.h b/OSX/libsecurity_utilities/lib/threading.h
index 60168536..34a47636 100644
--- a/OSX/libsecurity_utilities/lib/threading.h
+++ b/OSX/libsecurity_utilities/lib/threading.h
@@ -248,6 +248,33 @@ protected:
 bool mActive;
 };
+//
+// This class behaves exactly as StLock above, but accepts a pointer to a mutex instead of a reference.
+// If the pointer is NULL, this class does nothing. Otherwise, it behaves as StLock.
+// Try not to use this.
+//
+template <class Lock,
+void (Lock::*_lock)() = &Lock::lock,
+void (Lock::*_unlock)() = &Lock::unlock>
+class StMaybeLock {
+public:
+ StMaybeLock(Lock *lck) : me(lck), mActive(false)
+ { if(me) { (me->*_lock)(); mActive = true; } }
+ StMaybeLock(Lock *lck, bool option) : me(lck), mActive(option) { }
+ ~StMaybeLock() { if (me) { if(mActive) (me->*_unlock)(); } else {mActive = false;} }
+
+ bool isActive() const { return mActive; }
+ void lock() { if(me) { if(!mActive) { (me->*_lock)(); mActive = true; }}}
+ void unlock() { if(me) { if(mActive) { (me->*_unlock)(); mActive = false; }}}
+ void release() { if(me) { assert(mActive); mActive = false; } }
+
+ operator const Lock &() const { return me; }
+
+protected:
+ Lock *me;
+ bool mActive;
+};
+
 // Note: if you use the TryRead or TryWrite modes, you must check if you
 // actually have the lock before proceeding
 class StReadWriteLock {
diff --git a/OSX/libsecurity_utilities/lib/tqueue.h b/OSX/libsecurity_utilities/lib/tqueue.h
index 571061c8..f40c2736 100644
--- a/OSX/libsecurity_utilities/lib/tqueue.h
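Review bot: `operator const Lock &() const { return me; }` in StMaybeLock returns the `Lock *` member where a `const Lock &` is expected; being a member of a class template it only fails to compile when the conversion is actually used (unless Lock happens to be constructible from a Lock*), and the intent was evidently `return *me;`, which in turn needs a non-NULL precondition, e.g. `assert(me); return *me;`. The destructor's `else {mActive = false;}` branch is dead work on an object being destroyed and can be dropped. The header comment says the class "behaves exactly as StLock" but does not say what the two-argument constructor's `option` means; from the destructor it is the initial "already held" state, which deserves a one-line comment on that constructor.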
+++ b/OSX/libsecurity_utilities/lib/tqueue.h @@ -91,7 +91,7 @@ void ScheduleQueue<Time>::Event::unschedule() assert(mScheduled); back->fwd = fwd; fwd->back = back; mScheduled = false; - secdebug("schedq", "event %p unscheduled", this); + secinfo("schedq", "event %p unscheduled", this); } template <class Time> @@ -100,7 +100,7 @@ inline void ScheduleQueue<Time>::schedule(Event *event, Time when) Event *ev = first.fwd; if (event->scheduled()) { if (when == event->fireTime) { // no change - secdebug("schedq", "%p (%.3f) no change", event, double(when)); + secinfo("schedq", "%p (%.3f) no change", event, double(when)); return; } else if (when > event->fireTime && event != first.fwd) // forward move @@ -112,14 +112,14 @@ inline void ScheduleQueue<Time>::schedule(Event *event, Time when) for (; ev != &first; ev = ev->fwd) { if (ev->fireTime > when) { event->putBefore(ev); - secdebug("schedq", "%p (%.3f) scheduled before %p", event, double(when), ev); + secinfo("schedq", "%p (%.3f) scheduled before %p", event, double(when), ev); return; } } // hit the end-of-queue; put at end event->putBefore(&first); - secdebug("schedq", "%p (%.3f) scheduled last", event, double(when)); + secinfo("schedq", "%p (%.3f) scheduled last", event, double(when)); } template <class Time> @@ -129,7 +129,7 @@ inline typename ScheduleQueue<Time>::Event *ScheduleQueue<Time>::pop(Time now) Event *top = first.fwd; if (top->fireTime <= now) { top->unschedule(); - secdebug("schedq", "event %p delivered at %.3f", top, double(now)); + secinfo("schedq", "event %p delivered at %.3f", top, double(now)); return top; } } diff --git a/OSX/libsecurity_utilities/lib/unix++.cpp b/OSX/libsecurity_utilities/lib/unix++.cpp index 292dd392..d3ee98e7 100644 --- a/OSX/libsecurity_utilities/lib/unix++.cpp +++ b/OSX/libsecurity_utilities/lib/unix++.cpp 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2001,2003-2004,2011-2012,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2000-2001,2003-2004,2011-2012,2014-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -27,6 +27,7 @@ // #include "unix++.h" #include <security_utilities/cfutilities.h> +#include <security_utilities/cfmunge.h> #include <security_utilities/memutils.h> #include <security_utilities/debugging.h> #include <sys/dirent.h> @@ -34,6 +35,7 @@ #include <cstdarg> #include <IOKit/IOKitLib.h> #include <IOKit/IOKitKeys.h> +#include <IOKit/IOBSD.h> #include <IOKit/storage/IOStorageDeviceCharacteristics.h> @@ -57,14 +59,14 @@ void FileDesc::open(const char *path, int flags, mode_t mode) } } mAtEnd = false; - secdebug("unixio", "open(%s,0x%x,0x%x) = %d", path, flags, mode, mFd); + secinfo("unixio", "open(%s,0x%x,0x%x) = %d", path, flags, mode, mFd); } void FileDesc::close() { if (mFd >= 0) { checkError(::close(mFd)); - secdebug("unixio", "close(%d)", mFd); + secinfo("unixio", "close(%d)", mFd); mFd = invalidFd; } } @@ -78,11 +80,11 @@ size_t FileDesc::read(void *addr, size_t length) switch (ssize_t rc = ::read(mFd, addr, length)) { case 0: // end-of-source if (length == 0) { // check for errors, but don't set mAtEnd unless we have to - secdebug("unixio", "%d zero read (ignored)", mFd); + secinfo("unixio", "%d zero read (ignored)", mFd); return 0; } mAtEnd = true; - secdebug("unixio", "%d end of data", mFd); + secinfo("unixio", "%d end of data", mFd); return 0; case -1: // error if (errno == EAGAIN) @@ -161,6 +163,12 @@ void FileDesc::writeAll(const void *addr, size_t length) } +void FileDesc::truncate(size_t offset) +{ + UnixError::check(ftruncate(mFd, offset)); +} + + // // Seeking // 
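Review bot: FileDesc::truncate is added without any comment, while the neighbouring I/O helpers at least sit under a section header; a one-liner such as `// Set the file's length to offset bytes (ftruncate(2)); throws UnixError on failure.` would do. `::ftruncate` takes an `off_t`, so the `size_t offset` is implicitly converted to a signed type; harmless for any realistic length, but worth knowing when reading the signature.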
@@ -195,7 +203,7 @@ void *FileDesc::mmap(int prot, size_t length, int flags, size_t offset, void *ad int FileDesc::fcntl(int cmd, void *arg) const { int rc = ::fcntl(mFd, cmd, arg); - secdebug("unixio", "%d fcntl(%d,%p) = %d", mFd, cmd, arg, rc); + secinfo("unixio", "%d fcntl(%d,%p) = %d", mFd, cmd, arg, rc); return checkError(rc); } @@ -255,7 +263,7 @@ bool FileDesc::tryLock(int type, const Pos &pos) void FileDesc::LockArgs::debug(int fd, const char *what) { - secdebug("fdlock", "%d %s %s:%ld(%ld)", fd, what, + secinfo("fdlock", "%d %s %s:%ld(%ld)", fd, what, (l_whence == SEEK_SET) ? "ABS" : (l_whence == SEEK_CUR) ? "REL" : "END", long(l_start), long(l_len)); } @@ -284,9 +292,9 @@ void FileDesc::setAttr(const char *name, const void *value, size_t length, checkError(::fsetxattr(mFd, name, value, length, position, options)); } -ssize_t FileDesc::getAttrLength(const char *name) +ssize_t FileDesc::getAttrLength(const char *name, int options) { - ssize_t rc = ::fgetxattr(mFd, name, NULL, 0, 0, 0); + ssize_t rc = ::fgetxattr(mFd, name, NULL, 0, 0, options); if (rc == -1) switch (errno) { case ENOATTR: 
@@ -345,6 +353,36 @@ std::string FileDesc::getAttr(const std::string &name, int options /* = 0 */)
 return string();
 }
+
+static bool checkFork(ssize_t rc)
+{
+ switch (rc) {
+ case 0: // empty fork, produced by NFS/AFP et al; ignore
+ return false;
+ default: // non-empty fork present, fail
+ return true;
+ case -1: // failed system call; let's see...
+ switch (errno) {
+ case ENOATTR:
+ return false; // not present, no problem
+ case EPERM:
+ return false; // HFS+ returns that if we ask for Resource Forks on anything but plain files (e.g. directories)
+ default:
+ UnixError::throwMe();
+ }
+ }
+}
+
+bool filehasExtendedAttribute(const char *path, const char *forkname)
+{
+ return checkFork(::getxattr(path, forkname, NULL, 0, 0, 0));
+}
+
+bool FileDesc::hasExtendedAttribute(const char *forkname) const
+{
+ return checkFork(::fgetxattr(mFd, forkname, NULL, 0, 0, 0));
+}
+
 bool FileDesc::isPlainFile(const std::string &path)
 {
 UnixStat st1, st2;
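Review bot: checkFork, filehasExtendedAttribute and FileDesc::hasExtendedAttribute are added without a comment saying what the boolean means, and the switch places `default:` between `case 0:` and `case -1:`, which reads as if the -1 branch were unreachable; ordering the labels 0, -1, default would match how the function is read. A header comment such as `// Probe an xattr by size only: true if it exists and is non-empty, false if absent, empty, or not queryable on this file type (EPERM); any other failure throws UnixError.` states the contract. The path-based variant calls `::getxattr` with options 0, so it follows symlinks and reports on the link target, while the FileDesc variant reports on the already-open file; callers relying on this as a security check on a path should prefer the fd form, and that difference deserves a comment on the declaration. Also `filehasExtendedAttribute` breaks the camel case used by `hasExtendedAttribute` right next to it.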
@@ -418,26 +456,23 @@ FILE *FileDesc::fdopen(const char *form)
 static CFDictionaryRef deviceCharacteristics(FileDesc &fd)
 {
 // get device name
- AutoFileDesc::UnixStat st;
+ FileDesc::UnixStat st;
 fd.fstat(st);
- char buffer[MAXNAMLEN];
- checkError(::devname_r(st.st_dev, S_IFBLK, buffer, MAXNAMLEN));
-
- // search in IO Registry for named device
- CFDictionaryRef matching = IOBSDNameMatching(kIOMasterPortDefault, 0, buffer);
- if (matching) {
- // fetch the object with the matching BSD name (consumes reference on matching)
- io_registry_entry_t entry = IOServiceGetMatchingService(kIOMasterPortDefault, matching);
- if (entry != IO_OBJECT_NULL) {
- // get device characteristics
- CFDictionaryRef characteristics = (CFDictionaryRef)IORegistryEntrySearchCFProperty(entry,
- kIOServicePlane,
- CFSTR(kIOPropertyDeviceCharacteristicsKey),
- NULL,
- kIORegistryIterateRecursively | kIORegistryIterateParents);
- IOObjectRelease(entry);
- return characteristics;
- }
+ CFTemp<CFDictionaryRef> matching("{%s=%d,%s=%d}",
+ kIOBSDMajorKey, major(st.st_dev),
+ kIOBSDMinorKey, minor(st.st_dev)
+ );
+ // IOServiceGetMatchingService CONSUMES its dictionary argument(!)
+ io_registry_entry_t entry = IOServiceGetMatchingService(kIOMasterPortDefault, matching.yield());
+ if (entry != IO_OBJECT_NULL) {
+ // get device characteristics
+ CFDictionaryRef characteristics = (CFDictionaryRef)IORegistryEntrySearchCFProperty(entry,
+ kIOServicePlane,
+ CFSTR(kIOPropertyDeviceCharacteristicsKey),
+ NULL,
+ kIORegistryIterateRecursively | kIORegistryIterateParents);
+ IOObjectRelease(entry);
+ return characteristics;
 }
 return NULL; // unable to get device characteristics
@@ -484,7 +519,7 @@ void makedir(const char *path, int flags, mode_t mode)
 UnixError::throwMe(EEXIST);
 if (!S_ISDIR(st.st_mode))
 UnixError::throwMe(ENOTDIR);
- secdebug("makedir", "%s exists", path);
+ secinfo("makedir", "%s exists", path);
 return;
 }
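Review bot: The rewrite drops the old `if (matching)` guard: `matching.yield()` goes straight into IOServiceGetMatchingService, so if CFTemp can yield NULL when the format string fails to build a dictionary (not visible here) the call now proceeds with a NULL matching dictionary, and if CFTemp throws instead, a comment saying so would stop the next reader from re-adding the check. The function still returns the raw result of IORegistryEntrySearchCFProperty, a retained object the caller must release, cast to CFDictionaryRef without a type check; neither fact is documented at the signature, e.g. `// Returns a +1 CFDictionaryRef (caller releases) or NULL.`. The comment `// get device name` above `FileDesc::UnixStat st;` is now stale since no name is looked up any more; `// get device number` fits the new major/minor matching.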
@@ -498,7 +533,7 @@ void makedir(const char *path, int flags, mode_t mode) return; // fine (race condition, resolved) UnixError::throwMe(); } - secdebug("makedir", "%s created", path); + secinfo("makedir", "%s created", path); } diff --git a/OSX/libsecurity_utilities/lib/unix++.h b/OSX/libsecurity_utilities/lib/unix++.h index d6f4aa5a..d51a6146 100644 --- a/OSX/libsecurity_utilities/lib/unix++.h +++ b/OSX/libsecurity_utilities/lib/unix++.h @@ -36,6 +36,7 @@ #include <sys/uio.h> #include <sys/stat.h> #include <sys/mman.h> +#include <sys/xattr.h> #include <signal.h> #include <fcntl.h> #include <semaphore.h> @@ -136,6 +137,8 @@ public: template <class Data> void writeAll(const Data &ds) { writeAll(ds.data(), ds.length()); } + void truncate(size_t offset); + // more convenient I/O template <class T> size_t read(T &obj) { return read(&obj, sizeof(obj)); } template <class T> size_t write(const T &obj) { return write(&obj, sizeof(obj)); } 
@@ -201,14 +204,16 @@ public: ssize_t getAttr(const std::string &name, void *value, size_t length, u_int32_t position = 0, int options = 0) { return getAttr(name.c_str(), value, length, position, options); } - ssize_t getAttrLength(const char *name); - ssize_t getAttrLength(const std::string &name) { return getAttrLength(name.c_str()); } + ssize_t getAttrLength(const char *name, int options = 0); + ssize_t getAttrLength(const std::string &name, int options = 0) { return getAttrLength(name.c_str(), options); } // removeAttr ignore missing attributes. Pass XATTR_REPLACE to fail in that case void removeAttr(const char *name, int options = 0); void removeAttr(const std::string &name, int options = 0) { return removeAttr(name.c_str(), options); } size_t listAttr(char *value, size_t length, int options = 0); + bool hasExtendedAttribute(const char *forkname) const; + // xattrs with string values (not including trailing null bytes) void setAttr(const std::string &name, const std::string &value, int options = 0); std::string getAttr(const std::string &name, int options = 0); @@ -250,6 +255,10 @@ protected: }; +bool filehasExtendedAttribute(const char *path, const char *forkname); +inline bool filehasExtendedAttribute(const std::string& path, const char *forkname) { return filehasExtendedAttribute(path.c_str(), forkname); } + + // // A (plain) FileDesc that auto-closes // diff --git a/OSX/libsecurity_utilities/lib/unixchild.cpp b/OSX/libsecurity_utilities/lib/unixchild.cpp index 0cb3d918..edddcc0e 100644 --- a/OSX/libsecurity_utilities/lib/unixchild.cpp +++ b/OSX/libsecurity_utilities/lib/unixchild.cpp @@ -81,7 +81,7 @@ void Child::reset() case unborn: break; // s'okay default: - secdebug("unixchild", "%p reset (from state %d)", this, mState); + secinfo("unixchild", "%p reset (from state %d)", this, mState); mState = unborn; mPid = 0; mStatus = 0; 
@@ -162,11 +162,11 @@ void Child::wait() void Child::tryKill(int signal) { assert(mState == alive); // ... or don't bother us - secdebug("unixchild", "%p (pid %d) sending signal(%d)", this, pid(), signal); + secinfo("unixchild", "%p (pid %d) sending signal(%d)", this, pid(), signal); if (::kill(pid(), signal)) switch (errno) { case ESRCH: // someone else reaped ths child; or things are just wacky - secdebug("unixchild", "%p (pid %d) has disappeared!", this, pid()); + secinfo("unixchild", "%p (pid %d) has disappeared!", this, pid()); mState = invalid; mChildren().erase(pid()); // fall through @@ -186,7 +186,7 @@ void Child::kill(int signal) if (mState == alive) tryKill(signal); else - secdebug("unixchild", "%p (pid %d) not alive; cannot send signal %d", + secinfo("unixchild", "%p (pid %d) not alive; cannot send signal %d", this, pid(), signal); } 
@@ -201,23 +201,32 @@ void Child::kill(int signal)
 void Child::kill()
 {
 // note that we mustn't hold the lock across these calls
- if (this->state() == alive) {
- this->kill(SIGTERM); // shoot it once
- checkChildren(); // check for quick death
+ switch (this->state()) {
+ case alive:
 if (this->state() == alive) {
- usleep(200000); // give it some time to die
- if (this->state() == alive) { // could have been reaped by another thread
- checkChildren(); // check again
- if (this->state() == alive) { // it... just... won't... die...
- this->kill(SIGKILL); // take THAT!
- checkChildren();
- if (this->state() == alive) // stuck zombie
- this->abandon(); // leave the body behind
+ this->kill(SIGTERM); // shoot it once
+ checkChildren(); // check for quick death
+ if (this->state() == alive) {
+ usleep(200000); // give it some time to die
+ if (this->state() == alive) { // could have been reaped by another thread
+ checkChildren(); // check again
+ if (this->state() == alive) { // it... just... won't... die...
+ this->kill(SIGKILL); // take THAT!
+ checkChildren();
+ if (this->state() == alive) // stuck zombie
+ this->abandon(); // leave the body behind
+ }
 }
 }
 }
- } else
- secdebug("unixchild", "%p (pid %d) not alive; ignoring request to kill it", this, pid());
+ break;
+ case dead:
+ secinfo("unixchild", "%p (pid %d) already dead; ignoring kill request", this, pid());
+ break;
+ default:
+ secinfo("unixchild", "%p state %d; ignoring kill request", this, this->state());
+ break;
+ }
 }
@@ -231,11 +240,11 @@ void Child::abandon()
 {
 StLock<Mutex> _(mChildren());
 if (mState == alive) {
- secdebug("unixchild", "%p (pid %d) abandoned", this, pid());
+ secinfo("unixchild", "%p (pid %d) abandoned", this, pid());
 mState = abandoned;
 mChildren().erase(pid());
 } else {
- secdebug("unixchild", "%p (pid %d) is not alive; abandon() ignored",
+ secinfo("unixchild", "%p (pid %d) is not alive; abandon() ignored",
 this, pid());
 }
 }
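Review bot: In the `case alive:` branch the very next statement is `if (this->state() == alive) {`, re-reading the state the switch has just evaluated; either it is redundant and should go, making the block the case body, or it is an intentional re-check because another thread may reap the child in between, as the comments further down suggest, in which case it deserves a comment such as `// re-check: state may have changed since the switch read it`. The retry ladder is now four ifs deep inside a switch, and dropping the redundant check removes one level. The `default:` branch prints `this->state()` with `%d`, which is fine for a plain enum but would need a cast if the state type ever became an enum class.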
@@ -312,11 +321,11 @@ void Child::fork() case -1: // fork failed switch (errno) { case EINTR: - secdebug("unixchild", "%p fork EINTR; retrying", this); + secinfo("unixchild", "%p fork EINTR; retrying", this); continue; // no problem case EAGAIN: if (delay < maxDelay) { - secdebug("unixchild", "%p fork EAGAIN; delaying %d seconds", + secinfo("unixchild", "%p fork EAGAIN; delaying %d seconds", this, delay); sleep(delay); delay *= 2; @@ -330,16 +339,9 @@ void Child::fork() case 0: // child //@@@ bother to clean child map? - secdebug("unixchild", "%p (child pid %d) running child action", - this, getpid()); - secdelay("/tmp/delay/unixchild"); try { this->childAction(); - secdebug("unixchild", "%p (pid %d) child action returned; exiting", - this, getpid()); } catch (...) { - secdebug("unixchild", "%p (pid %d) child action had uncaught exception", - this, getpid()); } _exit(1); @@ -350,7 +352,7 @@ void Child::fork() mPid = pid; mChildren().insert(make_pair(pid, this)); } - secdebug("unixchild", "%p (parent) running parent action", this); + secinfo("unixchild", "%p (parent) running parent action", this); this->parentAction(); break; } @@ -366,7 +368,7 @@ void Child::fork() bool Child::checkStatus(int options) { assert(state() == alive); - secdebug("unixchild", "checking %p (pid %d)", this, this->pid()); + secinfo("unixchild", "checking %p (pid %d)", this, this->pid()); int status; again: switch (IFDEBUG(pid_t pid =) ::wait4(this->pid(), &status, options, NULL)) { @@ -375,7 +377,7 @@ bool Child::checkStatus(int options) case EINTR: goto again; // retry case ECHILD: - secdebug("unixchild", "%p (pid=%d) unknown to kernel", this, this->pid()); + secinfo("unixchild", "%p (pid=%d) unknown to kernel", this, this->pid()); mState = invalid; mChildren().erase(this->pid()); return false; 
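Review bot: The `catch (...) { }` in the child branch of Child::fork() is now completely empty, so an exception from childAction() leaves no trace at all and ends in the same `_exit(1)` as a normal return. If the logging was removed because os_log-style calls are unsafe in the forked child of a multithreaded process (a plausible reason the commit does not state), say so: `catch (...) { // deliberately silent: logging is unsafe after fork(); _exit(1) below reports failure }`. Giving the exception path a distinct status, e.g. `_exit(2)` inside the catch, would at least let the parent tell the two outcomes apart. Removing the `secdelay("/tmp/delay/unixchild")` hook is welcome, since it let a path under /tmp influence the child's timing. The enclosing switch on the fork() result continues outside this hunk.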
@@ -419,18 +421,18 @@ void Child::checkChildren() } else if (!mChildren().empty()) { int status; while (pid_t pid = ::wait4(0, &status, WNOHANG, NULL)) { - secdebug("unixchild", "universal child check (%ld children known alive)", mChildren().size()); + secinfo("unixchild", "universal child check (%ld children known alive)", mChildren().size()); switch (pid) { case pid_t(-1): switch (errno) { case EINTR: - secdebug("unixchild", "EINTR on wait4; retrying"); + secinfo("unixchild", "EINTR on wait4; retrying"); continue; // benign, but retry the wait() case ECHILD: // Should not normally happen (there *is* a child around), // but gets returned anyway if the child is stopped in the debugger. // Treat like a zero return (no children ready to be buried). - secdebug("unixchild", "ECHILD with filled nursery (ignored)"); + secinfo("unixchild", "ECHILD with filled nursery (ignored)"); goto no_more; default: UnixError::throwMe(); @@ -441,7 +443,7 @@ void Child::checkChildren() child->bury(status); casualties.add(child); } else - secdebug("unixchild", "reaping feral child pid=%d", pid); + secinfo("unixchild", "reaping feral child pid=%d", pid); if (mChildren().empty()) goto no_more; // none left break; @@ -449,7 +451,7 @@ void Child::checkChildren() } no_more: ; } else { - secdebug("unixchild", "spurious checkChildren (the nursery is empty)"); + secinfo("unixchild", "spurious checkChildren (the nursery is empty)"); } } // release master lock casualties.notify(); @@ -468,11 +470,11 @@ void Child::bury(int status) mChildren().erase(mPid); #if !defined(NDEBUG) if (bySignal()) - secdebug("unixchild", "%p (pid %d) died by signal %d%s", + secinfo("unixchild", "%p (pid %d) died by signal %d%s", this, mPid, exitSignal(), coreDumped() ? " and dumped core" : ""); else - secdebug("unixchild", "%p (pid %d) died by exit(%d)", + secinfo("unixchild", "%p (pid %d) died by exit(%d)", this, mPid, exitCode()); #endif //NDEBUG } 
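Review bot: In Child::bury the exit-status logging is still wrapped in `#if !defined(NDEBUG)`, so after the secdebug→secinfo migration it is compiled out of release builds while every other secinfo in this file is not; if secinfo is meant to reach production logs, as the commit's blanket rename suggests, the guard should go, and if it is kept on purpose a comment saying why bury is the exception would help. The first checkChildren hunk on this line also keeps `%ld` for `mChildren().size()`, already noted with the superblob Maker::make hunk. bury's body starts before this hunk.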
diff --git a/OSX/libsecurity_utilities/lib/vproc++.cpp b/OSX/libsecurity_utilities/lib/vproc++.cpp index 7dd41bd8..721c7566 100644 --- a/OSX/libsecurity_utilities/lib/vproc++.cpp +++ b/OSX/libsecurity_utilities/lib/vproc++.cpp @@ -26,6 +26,7 @@ // fdsel - select-style file descriptor set management // #include "vproc++.h" +#include <assert.h> #include <security_utilities/debugging.h> #include <vproc_priv.h> diff --git a/OSX/libsecurity_utilities/libsecurity_utilities.xcodeproj/project.pbxproj b/OSX/libsecurity_utilities/libsecurity_utilities.xcodeproj/project.pbxproj index 48b634e2..f2ee6101 100644 --- a/OSX/libsecurity_utilities/libsecurity_utilities.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_utilities/libsecurity_utilities.xcodeproj/project.pbxproj 
@@ -27,7 +27,7 @@ 181EA38B146D1D5A00A6D320 /* blob.h in Headers */ = {isa = PBXBuildFile; fileRef = C22550FF0A264BA0007D3358 /* blob.h */; settings = {ATTRIBUTES = (Public, ); }; }; 181EA38C146D1D5A00A6D320 /* ccaudit.h in Headers */ = {isa = PBXBuildFile; fileRef = 4E4813D607739B0C0090D7C2 /* ccaudit.h */; settings = {ATTRIBUTES = (Public, ); }; }; 181EA38D146D1D5A00A6D320 /* daemon.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CA684870525011D00233BF2 /* daemon.h */; settings = {ATTRIBUTES = (Public, ); }; }; - 181EA38E146D1D5A00A6D320 /* debugging.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CA684890525011D00233BF2 /* debugging.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 181EA38E146D1D5A00A6D320 /* debugging_internal.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CA684890525011D00233BF2 /* debugging_internal.h */; settings = {ATTRIBUTES = (Public, ); }; }; 181EA38F146D1D5A00A6D320 /* debugsupport.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CA6848A0525011D00233BF2 /* debugsupport.h */; settings = {ATTRIBUTES = (Public, ); }; }; 181EA390146D1D5A00A6D320 /* devrandom.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CA6848C0525011D00233BF2 /* devrandom.h */; settings = {ATTRIBUTES = (Public, ); }; }; 181EA391146D1D5A00A6D320 /* endian.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CA6848E0525011D00233BF2 /* endian.h */; settings = {ATTRIBUTES = (Public, ); }; }; 
@@ -94,7 +94,7 @@ 4CA684C20525011E00233BF2 /* buffers.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CA684820525011D00233BF2 /* buffers.cpp */; }; 4CA684C40525011E00233BF2 /* cfutilities.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CA684840525011D00233BF2 /* cfutilities.cpp */; }; 4CA684C60525011E00233BF2 /* daemon.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CA684860525011D00233BF2 /* daemon.cpp */; }; - 4CA684C80525011E00233BF2 /* debugging.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CA684880525011D00233BF2 /* debugging.cpp */; }; + 4CA684C80525011E00233BF2 /* debugging_internal.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CA684880525011D00233BF2 /* debugging_internal.cpp */; }; 4CA684CB0525011E00233BF2 /* devrandom.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CA6848B0525011D00233BF2 /* devrandom.cpp */; }; 4CA684CD0525011E00233BF2 /* endian.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CA6848D0525011D00233BF2 /* endian.cpp */; }; 4CA684CF0525011E00233BF2 /* fdmover.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CA6848F0525011D00233BF2 /* fdmover.cpp */; }; 
@@ -121,8 +121,6 @@ 4E4813D707739B0C0090D7C2 /* ccaudit.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4E4813D507739B0C0090D7C2 /* ccaudit.cpp */; }; 7A93A12419BE6FA600F07E9A /* dispatch.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7A93A12219BE6FA600F07E9A /* dispatch.cpp */; }; 7A93A12519BE6FA600F07E9A /* dispatch.h in Headers */ = {isa = PBXBuildFile; fileRef = 7A93A12319BE6FA600F07E9A /* dispatch.h */; }; - AAA4B91E16653547005DEFDC /* debugging_internal.cpp in Sources */ = {isa = PBXBuildFile; fileRef = AAA4B91D16653547005DEFDC /* debugging_internal.cpp */; }; - AAA4B920166535B4005DEFDC /* debugging_internal.h in Headers */ = {isa = PBXBuildFile; fileRef = AAA4B91F16653597005DEFDC /* debugging_internal.h */; settings = {ATTRIBUTES = (Public, ); }; }; AAAA499A0CC587B50099E9D4 /* crc.c in Sources */ = {isa = PBXBuildFile; fileRef = AAAA49980CC587B50099E9D4 /* crc.c */; }; C200C0800731DEA300564CE0 /* trackingallocator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C200C07F0731DE8C00564CE0 /* trackingallocator.cpp */; }; C20A206B06B03FDC00979EF3 /* osxcode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C20A206906B03FDC00979EF3 /* osxcode.cpp */; }; 
@@ -153,6 +151,10 @@ D6C5F6BD05DD47EC00722571 /* seccfobject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D6C5F6BB05DD47EC00722571 /* seccfobject.cpp */; }; DC27E9F51BBC589500C9BC39 /* CSPDLTransaction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC27E9F31BBC589500C9BC39 /* CSPDLTransaction.cpp */; }; DC27E9F61BBC589500C9BC39 /* CSPDLTransaction.h in Headers */ = {isa = PBXBuildFile; fileRef = DC27E9F41BBC589500C9BC39 /* CSPDLTransaction.h */; }; + DC3122E71CE64E080040B1BD /* debugging.h in Headers */ = {isa = PBXBuildFile; fileRef = DC3122E61CE64E080040B1BD /* debugging.h */; settings = {ATTRIBUTES = (Public, ); }; }; + DCCBDF381C51A4DC004BB34E /* FileLockTransaction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCCBDF361C51A4DC004BB34E /* FileLockTransaction.cpp */; }; + DCCBDF391C51A4DC004BB34E /* FileLockTransaction.h in Headers */ = {isa = PBXBuildFile; fileRef = DCCBDF371C51A4DC004BB34E /* FileLockTransaction.h */; }; + DCE4BC3E1C6E7BFC001596A7 /* casts.h in Headers */ = {isa = PBXBuildFile; fileRef = DCE4BC3C1C6E7BFC001596A7 /* casts.h */; }; /* End PBXBuildFile section */ /* Begin PBXContainerItemProxy section */ 
@@ -177,12 +179,12 @@ 4CA684810525011D00233BF2 /* bufferfifo.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = bufferfifo.h; sourceTree = "<group>"; }; 4CA684820525011D00233BF2 /* buffers.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = buffers.cpp; sourceTree = "<group>"; }; 4CA684830525011D00233BF2 /* buffers.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = buffers.h; sourceTree = "<group>"; }; - 4CA684840525011D00233BF2 /* cfutilities.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = cfutilities.cpp; sourceTree = "<group>"; }; + 4CA684840525011D00233BF2 /* cfutilities.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = cfutilities.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CA684850525011D00233BF2 /* cfutilities.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cfutilities.h; sourceTree = "<group>"; }; 4CA684860525011D00233BF2 /* daemon.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = daemon.cpp; sourceTree = "<group>"; }; 4CA684870525011D00233BF2 /* daemon.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = daemon.h; sourceTree = "<group>"; }; - 4CA684880525011D00233BF2 /* debugging.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = debugging.cpp; sourceTree = "<group>"; }; - 4CA684890525011D00233BF2 /* debugging.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = debugging.h; sourceTree = "<group>"; }; + 4CA684880525011D00233BF2 /* debugging_internal.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path 
= debugging_internal.cpp; sourceTree = "<group>"; }; + 4CA684890525011D00233BF2 /* debugging_internal.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = debugging_internal.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 4CA6848A0525011D00233BF2 /* debugsupport.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = debugsupport.h; sourceTree = "<group>"; }; 4CA6848B0525011D00233BF2 /* devrandom.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = devrandom.cpp; sourceTree = "<group>"; }; 4CA6848C0525011D00233BF2 /* devrandom.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = devrandom.h; sourceTree = "<group>"; }; 
@@ -193,14 +195,14 @@ 4CA684910525011D00233BF2 /* fdsel.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = fdsel.cpp; sourceTree = "<group>"; }; 4CA684920525011D00233BF2 /* fdsel.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = fdsel.h; sourceTree = "<group>"; }; 4CA684930525011D00233BF2 /* globalizer.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = globalizer.cpp; sourceTree = "<group>"; }; - 4CA684940525011D00233BF2 /* globalizer.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = globalizer.h; sourceTree = "<group>"; }; + 4CA684940525011D00233BF2 /* globalizer.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = globalizer.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 4CA684950525011D00233BF2 /* headermap.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = headermap.cpp; sourceTree = "<group>"; }; 4CA684960525011D00233BF2 /* headermap.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = headermap.h; sourceTree = "<group>"; }; 4CA684970525011D00233BF2 /* hosts.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = hosts.cpp; sourceTree = "<group>"; }; 4CA684980525011D00233BF2 /* hosts.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = hosts.h; sourceTree = "<group>"; }; 4CA684990525011D00233BF2 /* inetreply.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = inetreply.cpp; sourceTree = "<group>"; }; 4CA6849A0525011D00233BF2 /* inetreply.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = inetreply.h; sourceTree = "<group>"; 
}; - 4CA6849B0525011D00233BF2 /* ip++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = "ip++.cpp"; sourceTree = "<group>"; }; + 4CA6849B0525011D00233BF2 /* ip++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = "ip++.cpp"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CA6849C0525011D00233BF2 /* ip++.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "ip++.h"; sourceTree = "<group>"; }; 4CA6849D0525011D00233BF2 /* ktracecodes.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = ktracecodes.h; sourceTree = "<group>"; }; 4CA6849E0525011D00233BF2 /* logging.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = logging.cpp; sourceTree = "<group>"; }; 
@@ -215,47 +217,45 @@ 4CA684A70525011D00233BF2 /* selector.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = selector.h; sourceTree = "<group>"; }; 4CA684A80525011D00233BF2 /* socks++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = "socks++.cpp"; sourceTree = "<group>"; }; 4CA684A90525011D00233BF2 /* socks++.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "socks++.h"; sourceTree = "<group>"; }; - 4CA684AA0525011D00233BF2 /* socks++4.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = "socks++4.cpp"; sourceTree = "<group>"; }; + 4CA684AA0525011D00233BF2 /* socks++4.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = "socks++4.cpp"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CA684AB0525011D00233BF2 /* socks++4.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "socks++4.h"; sourceTree = "<group>"; }; - 4CA684AC0525011D00233BF2 /* socks++5.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = "socks++5.cpp"; sourceTree = "<group>"; }; + 4CA684AC0525011D00233BF2 /* socks++5.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = "socks++5.cpp"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CA684AD0525011D00233BF2 /* socks++5.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "socks++5.h"; sourceTree = "<group>"; }; 4CA684AE0525011D00233BF2 /* streams.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = streams.cpp; sourceTree = "<group>"; }; 4CA684AF0525011D00233BF2 /* streams.h */ = {isa = PBXFileReference; 
fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = streams.h; sourceTree = "<group>"; }; - 4CA684B00525011E00233BF2 /* threading.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = threading.cpp; sourceTree = "<group>"; }; + 4CA684B00525011E00233BF2 /* threading.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = threading.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CA684B10525011E00233BF2 /* threading.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = threading.h; sourceTree = "<group>"; }; 4CA684B20525011E00233BF2 /* threading_internal.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = threading_internal.h; sourceTree = "<group>"; }; 4CA684B30525011E00233BF2 /* timeflow.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = timeflow.cpp; sourceTree = "<group>"; }; 4CA684B40525011E00233BF2 /* timeflow.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = timeflow.h; sourceTree = "<group>"; }; 4CA684B50525011E00233BF2 /* tqueue.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tqueue.cpp; sourceTree = "<group>"; }; - 4CA684B60525011E00233BF2 /* tqueue.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tqueue.h; sourceTree = "<group>"; }; + 4CA684B60525011E00233BF2 /* tqueue.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = tqueue.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 4CA684B70525011E00233BF2 /* typedvalue.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = typedvalue.cpp; sourceTree = 
"<group>"; }; 4CA684B80525011E00233BF2 /* typedvalue.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = typedvalue.h; sourceTree = "<group>"; }; - 4CA684B90525011E00233BF2 /* unix++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = "unix++.cpp"; sourceTree = "<group>"; }; + 4CA684B90525011E00233BF2 /* unix++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = "unix++.cpp"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4CA684BA0525011E00233BF2 /* unix++.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "unix++.h"; sourceTree = "<group>"; }; 4CA684BB0525011E00233BF2 /* url.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = url.cpp; sourceTree = "<group>"; }; 4CA684BC0525011E00233BF2 /* url.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = url.h; sourceTree = "<group>"; }; 4CA684BD0525011E00233BF2 /* utilities.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = utilities.cpp; sourceTree = "<group>"; }; 4CA684BE0525011E00233BF2 /* utilities.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = utilities.h; sourceTree = "<group>"; }; 4CA684BF0525011E00233BF2 /* utility_config.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = utility_config.h; sourceTree = "<group>"; }; - 4E4813D507739B0C0090D7C2 /* ccaudit.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = ccaudit.cpp; sourceTree = "<group>"; }; + 4E4813D507739B0C0090D7C2 /* ccaudit.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = ccaudit.cpp; sourceTree = 
"<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 4E4813D607739B0C0090D7C2 /* ccaudit.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = ccaudit.h; sourceTree = "<group>"; }; 7A93A12219BE6FA600F07E9A /* dispatch.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = dispatch.cpp; sourceTree = "<group>"; usesTabs = 1; }; 7A93A12319BE6FA600F07E9A /* dispatch.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = dispatch.h; sourceTree = "<group>"; usesTabs = 1; }; - AA3BC08D166549EA00EF1D2E /* exports */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = exports; sourceTree = "<group>"; }; + AA3BC08D166549EA00EF1D2E /* exports */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; lineEnding = 0; path = exports; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = "<none>"; }; AA5B97E70E140C3E0032C12F /* dtrace.mk */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = dtrace.mk; path = lib/dtrace.mk; sourceTree = "<group>"; usesTabs = 1; }; - AAA4B91D16653547005DEFDC /* debugging_internal.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = debugging_internal.cpp; sourceTree = "<group>"; }; - AAA4B91F16653597005DEFDC /* debugging_internal.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = debugging_internal.h; sourceTree = "<group>"; }; AAAA49980CC587B50099E9D4 /* crc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = crc.c; sourceTree = "<group>"; }; AAAA49990CC587B50099E9D4 /* crc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = crc.h; sourceTree = "<group>"; }; C200C07F0731DE8C00564CE0 /* trackingallocator.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = 
sourcecode.cpp.cpp; name = trackingallocator.cpp; path = lib/trackingallocator.cpp; sourceTree = SOURCE_ROOT; }; - C20A206906B03FDC00979EF3 /* osxcode.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = osxcode.cpp; sourceTree = "<group>"; }; + C20A206906B03FDC00979EF3 /* osxcode.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = osxcode.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C20A206A06B03FDC00979EF3 /* osxcode.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = osxcode.h; sourceTree = "<group>"; }; C22550FE0A264BA0007D3358 /* blob.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = blob.cpp; sourceTree = "<group>"; }; C22550FF0A264BA0007D3358 /* blob.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = blob.h; sourceTree = "<group>"; }; C22EC335052B674000D55C69 /* trackingallocator.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = trackingallocator.h; sourceTree = "<group>"; }; C22EC38F052B7F5D00D55C69 /* errors.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = errors.h; sourceTree = "<group>"; }; C22EC3A8052B807700D55C69 /* errors.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = errors.cpp; sourceTree = "<group>"; }; - C24DAED206B8952E00387C29 /* cfmach++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = "cfmach++.cpp"; sourceTree = "<group>"; }; + C24DAED206B8952E00387C29 /* cfmach++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = "cfmach++.cpp"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; 
C24DAED306B8952E00387C29 /* cfmach++.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "cfmach++.h"; sourceTree = "<group>"; }; C25F97E6052C93BD00EDA739 /* powerwatch.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = powerwatch.cpp; sourceTree = "<group>"; }; C25F97E7052C93BD00EDA739 /* powerwatch.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = powerwatch.h; sourceTree = "<group>"; }; 
@@ -265,47 +265,51 @@ C28342C90E366A8E00E54360 /* sqlite++.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "sqlite++.h"; sourceTree = "<group>"; }; C285ECF906FB474B0007ECD6 /* transactions.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = transactions.cpp; sourceTree = "<group>"; }; C285ECFD06FB47590007ECD6 /* transactions.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = transactions.h; sourceTree = "<group>"; }; - C2A7D0B506AEDB94009A7A1E /* unixchild.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = unixchild.cpp; sourceTree = "<group>"; }; + C2A7D0B506AEDB94009A7A1E /* unixchild.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = unixchild.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2A7D0B606AEDB94009A7A1E /* unixchild.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = unixchild.h; sourceTree = "<group>"; }; C2AEE7E80F30CF5A00C7649E /* dyld_cache_format.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = dyld_cache_format.h; sourceTree = "<group>"; }; C2AEE7EB0F30CF6600C7649E /* dyldcache.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = dyldcache.cpp; sourceTree = "<group>"; }; C2AEE7EC0F30CF6600C7649E /* dyldcache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = dyldcache.h; sourceTree = "<group>"; }; C2B1EBFD06D557B300F68F34 /* adornments.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = adornments.cpp; sourceTree = "<group>"; }; C2B1EBFE06D557B300F68F34 /* adornments.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = 
sourcecode.c.h; path = adornments.h; sourceTree = "<group>"; }; - C2B1EE2806D5929700F68F34 /* muscle++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = "muscle++.cpp"; sourceTree = "<group>"; }; + C2B1EE2806D5929700F68F34 /* muscle++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = "muscle++.cpp"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2B1EE2906D5929700F68F34 /* muscle++.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "muscle++.h"; sourceTree = "<group>"; }; C2B9F35F0D5A288900CAB713 /* cfmunge.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = cfmunge.cpp; sourceTree = "<group>"; }; C2B9F3600D5A288900CAB713 /* cfmunge.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = cfmunge.h; sourceTree = "<group>"; }; - C2B9F3610D5A288900CAB713 /* macho++.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = "macho++.cpp"; sourceTree = "<group>"; usesTabs = 1; }; + C2B9F3610D5A288900CAB713 /* macho++.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = "macho++.cpp"; sourceTree = "<group>"; usesTabs = 1; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2B9F3620D5A288900CAB713 /* macho++.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "macho++.h"; sourceTree = "<group>"; }; C2C164890F66F2CA00FD6D34 /* kq++.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "kq++.h"; sourceTree = "<group>"; }; C2C1648D0F66F2D300FD6D34 /* kq++.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = "kq++.cpp"; sourceTree = "<group>"; }; C2C9C6990CECBE5E00B3FE07 /* 
security_utilities.d */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.dtrace; name = security_utilities.d; path = lib/security_utilities.d; sourceTree = "<group>"; }; C2C9C6B00CECBF8E00B3FE07 /* utilities_dtrace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = utilities_dtrace.h; path = derived_src/security_utilities/utilities_dtrace.h; sourceTree = BUILT_PRODUCTS_DIR; }; C2CBCF500A3E27CF0025C2F9 /* superblob.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = superblob.cpp; sourceTree = "<group>"; }; - C2CBCF510A3E27CF0025C2F9 /* superblob.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = superblob.h; sourceTree = "<group>"; }; + C2CBCF510A3E27CF0025C2F9 /* superblob.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = superblob.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; C2D02F9B06FFD41200A4C9B0 /* iodevices.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = iodevices.cpp; sourceTree = "<group>"; }; C2D02F9C06FFD41200A4C9B0 /* iodevices.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = iodevices.h; sourceTree = "<group>"; }; C2D382910A225B23005C63A2 /* hashing.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = hashing.cpp; sourceTree = "<group>"; }; C2D382920A225B23005C63A2 /* hashing.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = hashing.h; sourceTree = "<group>"; }; - C2D7B6FB0709CB7F00F2AE5F /* coderepository.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = coderepository.cpp; sourceTree = "<group>"; }; + C2D7B6FB0709CB7F00F2AE5F /* coderepository.cpp */ = {isa = 
PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = coderepository.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2D7B6FF0709CB8A00F2AE5F /* coderepository.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = coderepository.h; sourceTree = "<group>"; }; C2E7B1F80E2415D700956987 /* vproc++.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = "vproc++.cpp"; sourceTree = "<group>"; }; C2E7B1F90E2415D700956987 /* vproc++.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "vproc++.h"; sourceTree = "<group>"; }; - C2EA5E42052BA4E200473E26 /* mach++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = "mach++.cpp"; sourceTree = "<group>"; }; + C2EA5E42052BA4E200473E26 /* mach++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = "mach++.cpp"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2EA5E43052BA4E200473E26 /* mach++.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "mach++.h"; sourceTree = "<group>"; }; - C2EA5E44052BA4E200473E26 /* machrunloopserver.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = machrunloopserver.cpp; sourceTree = "<group>"; }; + C2EA5E44052BA4E200473E26 /* machrunloopserver.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = machrunloopserver.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2EA5E45052BA4E200473E26 /* machrunloopserver.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = machrunloopserver.h; sourceTree = "<group>"; }; - C2EA5E46052BA4E200473E26 
/* machserver.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = machserver.cpp; sourceTree = "<group>"; }; + C2EA5E46052BA4E200473E26 /* machserver.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = machserver.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2EA5E47052BA4E200473E26 /* machserver.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = machserver.h; sourceTree = "<group>"; }; - C2EF2B58066E516600F205D4 /* pcsc++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = "pcsc++.cpp"; sourceTree = "<group>"; }; + C2EF2B58066E516600F205D4 /* pcsc++.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = "pcsc++.cpp"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2EF2B59066E516600F205D4 /* pcsc++.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = "pcsc++.h"; sourceTree = "<group>"; }; D65C871205DC11C300B401EF /* cfclass.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = cfclass.cpp; sourceTree = "<group>"; }; D65C871305DC11C300B401EF /* cfclass.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = cfclass.h; sourceTree = "<group>"; }; D6C5F6BB05DD47EC00722571 /* seccfobject.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = seccfobject.cpp; sourceTree = "<group>"; }; D6C5F6BC05DD47EC00722571 /* seccfobject.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = seccfobject.h; sourceTree = "<group>"; }; - DC27E9F31BBC589500C9BC39 /* CSPDLTransaction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.cpp.cpp; path = CSPDLTransaction.cpp; sourceTree = "<group>"; }; + DC27E9F31BBC589500C9BC39 /* CSPDLTransaction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = CSPDLTransaction.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; DC27E9F41BBC589500C9BC39 /* CSPDLTransaction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CSPDLTransaction.h; sourceTree = "<group>"; }; + DC3122E61CE64E080040B1BD /* debugging.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; name = debugging.h; path = ../../utilities/src/debugging.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; + DCCBDF361C51A4DC004BB34E /* FileLockTransaction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = FileLockTransaction.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; + DCCBDF371C51A4DC004BB34E /* FileLockTransaction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FileLockTransaction.h; sourceTree = "<group>"; }; + DCE4BC3C1C6E7BFC001596A7 /* casts.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = casts.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; /* End PBXFileReference section */ /* Begin PBXFrameworksBuildPhase section */ 
@@ -353,8 +357,12 @@ 4CA6847F0525011D00233BF2 /* lib */ = { isa = PBXGroup; children = ( + DC3122E61CE64E080040B1BD /* debugging.h */, + DCCBDF361C51A4DC004BB34E /* FileLockTransaction.cpp */, + DCCBDF371C51A4DC004BB34E /* FileLockTransaction.h */, DC27E9F31BBC589500C9BC39 /* CSPDLTransaction.cpp */, DC27E9F41BBC589500C9BC39 /* CSPDLTransaction.h */, + DCE4BC3C1C6E7BFC001596A7 /* casts.h */, AAAA49980CC587B50099E9D4 /* crc.c */, AAAA49990CC587B50099E9D4 /* crc.h */, C2B1EBFE06D557B300F68F34 /* adornments.h */, @@ -367,11 +375,9 @@ 4E4813D607739B0C0090D7C2 /* ccaudit.h */, 4CA684870525011D00233BF2 /* daemon.h */, 4CA684860525011D00233BF2 /* daemon.cpp */, - 4CA684890525011D00233BF2 /* debugging.h */, + 4CA684890525011D00233BF2 /* debugging_internal.h */, 4CA6848A0525011D00233BF2 /* debugsupport.h */, - 4CA684880525011D00233BF2 /* debugging.cpp */, - AAA4B91D16653547005DEFDC /* debugging_internal.cpp */, - AAA4B91F16653597005DEFDC /* debugging_internal.h */, + 4CA684880525011D00233BF2 /* debugging_internal.cpp */, 4CA6848C0525011D00233BF2 /* devrandom.h */, 4CA6848B0525011D00233BF2 /* devrandom.cpp */, 7A93A12219BE6FA600F07E9A /* dispatch.cpp */, @@ -559,7 +565,8 @@ 181EA38B146D1D5A00A6D320 /* blob.h in Headers */, 181EA38C146D1D5A00A6D320 /* ccaudit.h in Headers */, 181EA38D146D1D5A00A6D320 /* daemon.h in Headers */, - 181EA38E146D1D5A00A6D320 /* debugging.h in Headers */, + DC3122E71CE64E080040B1BD /* debugging.h in Headers */, + 181EA38E146D1D5A00A6D320 /* debugging_internal.h in Headers */, 181EA38F146D1D5A00A6D320 /* debugsupport.h in Headers */, 181EA390146D1D5A00A6D320 /* devrandom.h in Headers */, 181EA391146D1D5A00A6D320 /* endian.h in Headers */, 
@@ -589,6 +596,7 @@ 181EA3A8146D1D5A00A6D320 /* transactions.h in Headers */, 181EA3A9146D1D5A00A6D320 /* typedvalue.h in Headers */, 181EA3AA146D1D5A00A6D320 /* utilities.h in Headers */, + DCCBDF391C51A4DC004BB34E /* FileLockTransaction.h in Headers */, 181EA3AB146D1D5A00A6D320 /* utility_config.h in Headers */, 181EA3AE146D1D7600A6D320 /* fdmover.h in Headers */, 181EA3AF146D1D7600A6D320 /* fdsel.h in Headers */, @@ -614,6 +622,7 @@ 181EA3C2146D1D8600A6D320 /* cfutilities.h in Headers */, 181EA3C3146D1D8E00A6D320 /* bufferfifo.h in Headers */, 181EA3C4146D1D8E00A6D320 /* buffers.h in Headers */, + DCE4BC3E1C6E7BFC001596A7 /* casts.h in Headers */, 181EA3C5146D1D8E00A6D320 /* headermap.h in Headers */, 181EA3C6146D1D8E00A6D320 /* hosts.h in Headers */, 181EA3C7146D1D8E00A6D320 /* inetreply.h in Headers */, @@ -623,7 +632,6 @@ 181EA3CB146D1D9700A6D320 /* socks++4.h in Headers */, 181EA3CC146D1D9700A6D320 /* socks++5.h in Headers */, 1865FC241472444600FD79DF /* utilities_dtrace.h in Headers */, - AAA4B920166535B4005DEFDC /* debugging_internal.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -655,7 +663,7 @@ 4CA2A5330523D2CD00978A7B /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD4140987FCDF001272E0 /* Build configuration list for PBXProject "libsecurity_utilities" */; compatibilityVersion = "Xcode 3.2"; 
@@ -685,12 +693,15 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/", + "$(SRCROOT)/lib/", ); outputPaths = ( + "${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "nmedit -s lib/exports -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + shellScript = "# with our source directories as input files, Xcode will only re-run this phase if there's been a source change\nnmedit -s lib/exports -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; }; C2C9C69C0CECBE8400B3FE07 /* ShellScript */ = { isa = PBXShellScriptBuildPhase; @@ -698,8 +709,10 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/lib/security_utilities.d", ); outputPaths = ( + "$(BUILT_PRODUCTS_DIR)/derived_src/security_utilities/utilities_dtrace.h", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; @@ -719,8 +732,9 @@ 4CA684C40525011E00233BF2 /* cfutilities.cpp in Sources */, 7A93A12419BE6FA600F07E9A /* dispatch.cpp in Sources */, 4CA684C60525011E00233BF2 /* daemon.cpp in Sources */, - 4CA684C80525011E00233BF2 /* debugging.cpp in Sources */, + 4CA684C80525011E00233BF2 /* debugging_internal.cpp in Sources */, 4CA684CB0525011E00233BF2 /* devrandom.cpp in Sources */, + DCCBDF381C51A4DC004BB34E /* FileLockTransaction.cpp in Sources */, C2AEE7ED0F30CF8600C7649E /* dyldcache.cpp in Sources */, 4CA684CD0525011E00233BF2 /* endian.cpp in Sources */, C22EC3A9052B807700D55C69 /* errors.cpp in Sources */, @@ -772,7 +786,6 @@ C2E7B1FA0E2415D700956987 /* vproc++.cpp in Sources */, C28342CA0E366A8E00E54360 /* sqlite++.cpp in Sources */, C2C1648E0F66F2D300FD6D34 /* kq++.cpp in Sources */, - AAA4B91E16653547005DEFDC /* debugging_internal.cpp in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -829,6 +842,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 181EA3EC146D2A5F00A6D320 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -836,6 +864,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 181EA3EC146D2A5F00A6D320 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurityd/lib/SharedMemoryClient.cpp b/OSX/libsecurityd/lib/SharedMemoryClient.cpp index 923767dc..6c2ea124 100644 --- a/OSX/libsecurityd/lib/SharedMemoryClient.cpp +++ b/OSX/libsecurityd/lib/SharedMemoryClient.cpp @@ -19,7 +19,11 @@ SharedMemoryClient::SharedMemoryClient (const char* segmentName, SegmentOffsetTy mSegmentName = segmentName; mSegmentSize = segmentSize; - mSegment = mDataArea = mDataPtr = 0; + mSegment = (u_int8_t*) MAP_FAILED; + mDataArea = mDataPtr = 0; + + if (segmentSize < sizeof(u_int32_t)) + return; // make the name int segmentDescriptor; 
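Review bot: The early `return` added after `if (segmentSize < sizeof(u_int32_t))` leaves mDataMax indeterminate, because the reset on the line above it initialises only mSegment, mDataArea and mDataPtr; the old single assignment did not cover mDataMax either, but the new GetProducerCount in this same file now compares pointers against it, so a bail-out path with an unset bound is worth closing. Initialise it with the others, `mDataArea = mDataPtr = mDataMax = 0;`, so every failure path leaves the object in one known state. The constructor body continues past the hunk, so I cannot see whether a later `mSegment == MAP_FAILED` test makes the uninitialised bound unreachable; the explicit initialisation costs nothing either way.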
@@ -36,6 +40,25 @@ SharedMemoryClient::SharedMemoryClient (const char* segmentName, SegmentOffsetTy } } + // check the file size is large enough to support Operations + struct stat statResult = {}; + int result = fstat(segmentDescriptor, &statResult); + if(result) { + UnixError::throwMe(errno); + } + + off_t sz = statResult.st_size; + if(sz < sizeof(SegmentOffsetType)) { + close(segmentDescriptor); + return; + } + + if(sz > 4*segmentSize) { + // File is too ridiculously large. Quit. + close(segmentDescriptor); + return; + } + // map the segment into place mSegment = (u_int8_t*) mmap (NULL, segmentSize, PROT_READ, MAP_SHARED, segmentDescriptor, 0); close (segmentDescriptor); @@ -46,7 +69,7 @@ SharedMemoryClient::SharedMemoryClient (const char* segmentName, SegmentOffsetTy } mDataArea = mSegment + sizeof (SegmentOffsetType); - mDataMax = mSegment + segmentSize; + mDataMax = mSegment + sz; mDataPtr = mDataArea + GetProducerCount (); } @@ -70,7 +93,16 @@ SegmentOffsetType SharedMemoryClient::GetProducerCount () { CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR); } - return OSSwapBigToHostInt32 (*(u_int32_t*) mSegment); + if( ((u_int8_t*) (((u_int32_t*) mSegment) + 1)) > mDataMax) { + // Check we can actually read this u_int32_t + CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR); + } + + SegmentOffsetType offset = OSSwapBigToHostInt32 (*(u_int32_t*) mSegment); + if (&mSegment[offset] >= mDataMax) + CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR); + else + return offset; } diff --git a/OSX/libsecurityd/lib/eventlistener.cpp b/OSX/libsecurityd/lib/eventlistener.cpp index 93a3c93f..73690322 100644 --- a/OSX/libsecurityd/lib/eventlistener.cpp +++ b/OSX/libsecurityd/lib/eventlistener.cpp @@ -29,6 +29,7 @@ #include <notify.h> #include "sscommon.h" #include <sys/syslog.h> +#include <Security/SecBasePriv.h> using namespace MachPlusPlus; 
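Review bot: `mDataMax = mSegment + sz;` in the `@@ -46,7 +69,7 @@` hunk can point past the mapping: the size checks in `@@ -36,6 +40,25 @@` accept any file up to `4*segmentSize` bytes, but the mmap call that follows them still maps only `segmentSize` bytes, so when the backing file is larger than the segment the readable bound, and therefore the new pointer checks in GetProducerCount, extend into memory that was never mapped. The bound should be the smaller of the two, e.g. `mDataMax = mSegment + (sz < (off_t)segmentSize ? (size_t)sz : segmentSize);`, which also keeps the fix for files smaller than the segment. In the same hunk the fstat-failure branch `UnixError::throwMe(errno);` throws without closing segmentDescriptor, unlike the two size-check branches right after it, so the descriptor leaks on that path; add `close(segmentDescriptor);` before the throw. The constructor these hunks patch begins before the first of them, so the code that opens segmentDescriptor is not visible here.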
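Review bot: The new range check `if (&mSegment[offset] >= mDataMax)` in GetProducerCount validates the producer count relative to mSegment, while the constructor in the previous hunk applies it as `mDataPtr = mDataArea + GetProducerCount ();`, i.e. relative to mDataArea, which is `sizeof (SegmentOffsetType)` bytes further on; an offset that passes this check can therefore still produce a pointer up to four bytes beyond mDataMax. If the count is meant as an offset from mDataArea, check it against the same base, `if (mDataArea + offset >= mDataMax)`; if it is a ring-buffer position with wrap handling elsewhere in this file, a comment stating which base it is relative to would stop the next reader from making the same assumption I just did. Minor: the `if (...) CssmError::throwMe(...); else return offset;` shape leaves the throwing arm without a return for compilers that do not know throwMe is noreturn; `if (...) CssmError::throwMe(...); return offset;` reads the same and avoids the warning.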
@@ -82,188 +83,96 @@ ModuleNexus<EventListenerList> gEventListeners; ModuleNexus<Mutex> gNotificationLock; ModuleNexus<SharedMemoryClientMaker> gMemoryClient; -class NotificationPort : public MachPlusPlus::CFAutoPort -{ -protected: - SharedMemoryClient *mClient; - - void ReceiveImplementation(u_int8_t* buffer, SegmentOffsetType length, UnavailableReason ur); - static void HandleRunLoopTimer(CFRunLoopTimerRef timer, void* info); - -public: - NotificationPort (mach_port_t port); - virtual ~NotificationPort (); - virtual void receive(const MachPlusPlus::Message &msg); -}; - -NotificationPort::NotificationPort (mach_port_t mp) : CFAutoPort (mp) -{ - mClient = gMemoryClient ().Client (); -} - +// +// Note that once we start notifications, we want receive them forever. Don't have a cancel option. +// +static void InitializeNotifications () { + static dispatch_queue_t notification_queue = EventListener::getNotificationQueue(); + // Initialize the memory client + gMemoryClient(); -NotificationPort::~NotificationPort () -{ -} + int out_token; + notify_handler_t receive = ^(int token){ + try { + SegmentOffsetType length; + UnavailableReason ur; + bool result; -void NotificationPort::ReceiveImplementation(u_int8_t* buffer, SegmentOffsetType length, UnavailableReason ur) -{ - EventListenerList& eventList = gEventListeners(); - - // route the message to its destination - u_int32_t* ptr = (u_int32_t*) buffer; - - // we have a message, do the semantics... 
- SecurityServer::NotificationDomain domain = (SecurityServer::NotificationDomain) OSSwapBigToHostInt32 (*ptr++); - SecurityServer::NotificationEvent event = (SecurityServer::NotificationEvent) OSSwapBigToHostInt32 (*ptr++); - CssmData data ((u_int8_t*) ptr, buffer + length - (u_int8_t*) ptr); - - EventListenerList::iterator it = eventList.begin (); - while (it != eventList.end ()) - { - try - { - EventPointer ep = *it++; - if (ep->GetDomain () == domain && - (ep->GetMask () & (1 << event)) != 0) + // Trust the memory client to break our loop here + while (true) { - ep->consume (domain, event, data); - } - } - catch (CssmError &e) - { - if (e.error != CSSM_ERRCODE_INTERNAL_ERROR) - { - throw; - } - } - } -} - - + u_int8_t *buffer = new u_int8_t[kSharedMemoryPoolSize]; + { + StLock<Mutex> lock (gNotificationLock ()); + result = gMemoryClient().Client()->ReadMessage(buffer, length, ur); + if (!result) + { + delete [] buffer; + return; + } + } + + // Send this event off to the listeners + { + EventListenerList& eventList = gEventListeners(); + + // route the message to its destination + u_int32_t* ptr = (u_int32_t*) buffer; + + // we have a message, do the semantics... + SecurityServer::NotificationDomain domain = (SecurityServer::NotificationDomain) OSSwapBigToHostInt32 (*ptr++); + SecurityServer::NotificationEvent event = (SecurityServer::NotificationEvent) OSSwapBigToHostInt32 (*ptr++); + CssmData data ((u_int8_t*) ptr, buffer + length - (u_int8_t*) ptr); + + EventListenerList::iterator it = eventList.begin (); + while (it != eventList.end ()) + { + try + { + EventPointer ep = *it++; + if (ep->GetDomain () == domain && + (ep->GetMask () & (1 << event)) != 0) + { + ep->consume (domain, event, data); + } + } + catch (CssmError &e) + { + // If we throw, libnotify will abort the process. Log these... 
+ secerror("Caught CssmError while processing notification: %d %s", e.error, cssmErrorString(e.error)); + } + } + } -typedef void (^NotificationBlock)(); - - - -void NotificationPort::HandleRunLoopTimer(CFRunLoopTimerRef timer, void* info) -{ - // reconstruct our context and call it - NotificationBlock nb = (NotificationBlock) info; - nb(); - - // clean up - Block_release(nb); - CFRunLoopTimerInvalidate(timer); - CFRelease(timer); -} - - - -void NotificationPort::receive (const MachPlusPlus::Message &msg) -{ - /* - Read each notification received and post a timer for each with an expiration of - zero. I'd prefer to use a notification here, but I can't because, according to - the documentation, each application may only have one notification center and - the main application should have the right to pick the one it needs. - */ - - SegmentOffsetType length; - UnavailableReason ur; - - bool result; - - while (true) - { - u_int8_t *buffer = new u_int8_t[kSharedMemoryPoolSize]; - - { - StLock<Mutex> lock (gNotificationLock ()); - result = mClient->ReadMessage(buffer, length, ur); - if (!result) - { delete [] buffer; - return; } } + // If these exceptions propagate, we crash our enclosing app. That's bad. Worse than silently swallowing the error. + catch(CssmError &cssme) { + secerror("caught CssmError during notification: %d %s", (int) cssme.error, cssmErrorString(cssme.error)); + } + catch(UnixError &ue) { + secerror("caught UnixError during notification: %d %s", ue.unixError(), ue.what()); + } + catch (MacOSError mose) { + secerror("caught MacOSError during notification: %d %s", (int) mose.osStatus(), mose.what()); + } + catch (...) 
{ + secerror("cauth unknknown error during notification"); + } + }; - // make a block that contains our data - NotificationBlock nb = - ^{ - ReceiveImplementation(buffer, length, ur); - delete [] buffer; - }; - - // keep it in scope - nb = Block_copy(nb); - - // set up to run the next time the run loop fires - CFRunLoopTimerContext ctx; - memset(&ctx, 0, sizeof(ctx)); - ctx.info = nb; - - // make a run loop timer - CFRunLoopTimerRef timerRef = - CFRunLoopTimerCreate(NULL, CFAbsoluteTimeGetCurrent(), 0, - 0, 0, NotificationPort::HandleRunLoopTimer, &ctx); - - // install it to be run. - CFRunLoopAddTimer(CFRunLoopGetCurrent(), timerRef, kCFRunLoopDefaultMode); + uint32_t status = notify_register_dispatch(GetNotificationName(), &out_token, notification_queue, receive); + if(status) { + secerror("notify_register_dispatch failed: %d", status); + syslog(LOG_ERR, "notify_register_dispatch failed: %d", status); } } - -class ThreadNotifier -{ -protected: - NotificationPort *mNotificationPort; - int mNotifyToken; - -public: - ThreadNotifier(); - ~ThreadNotifier(); -}; - - - -ThreadNotifier::ThreadNotifier() - : mNotificationPort(NULL) -{ - mach_port_t mp; - if (notify_register_mach_port (GetNotificationName (), &mp, 0, &mNotifyToken) == NOTIFY_STATUS_OK) { - mNotificationPort = new NotificationPort (mp); - mNotificationPort->enable (); - } -} - - - -ThreadNotifier::~ThreadNotifier() -{ - if (mNotificationPort) { - notify_cancel (mNotifyToken); - delete mNotificationPort; - } -} - - - -ModuleNexus<ThreadNexus<ThreadNotifier> > threadInfo; - - - -static void InitializeNotifications () -{ - threadInfo()(); // cause the notifier for this thread to initialize -} - - - EventListener::EventListener (NotificationDomain domain, NotificationMask eventMask) : mDomain (domain), mMask (eventMask) { 
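Review bot: The per-iteration `u_int8_t *buffer = new u_int8_t[kSharedMemoryPoolSize];` is freed only on the `!result` path and at the end of the listener block, so any exception between those two points — ReadMessage throwing CssmError out of GetProducerCount, or a listener throwing UnixError or MacOSError, which the inner `catch (CssmError &e)` does not cover — unwinds into the outer handlers with the buffer still allocated, and since this handler runs for the life of the process the leak repeats on every fault. Replace it with `std::unique_ptr<u_int8_t[]> buffer(new u_int8_t[kSharedMemoryPoolSize]);`, pass `buffer.get()` to ReadMessage and the `u_int32_t*` cast, and drop both `delete [] buffer;` lines (the allocation could equally be hoisted out of the loop, since the size is a constant). `catch (MacOSError mose)` catches by value and should be `catch (MacOSError &mose)` like the two handlers above it, and the last message reads `"cauth unknknown error during notification"`. The mask test `(ep->GetMask () & (1 << event))` is carried over from the old code, but event is decoded straight out of the shared segment; a value of 32 or more makes the shift undefined, so a cheap range check before it would be prudent. InitializeNotifications begins and ends inside the hunk; the EventListener constructor on its last line continues beyond it.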
@@ -271,7 +180,6 @@ EventListener::EventListener (NotificationDomain domain, NotificationMask eventM InitializeNotifications (); } - // // StopNotification() is needed on destruction; everyone else cleans up after themselves. // @@ -304,6 +212,16 @@ void EventListener::FinishedInitialization(EventListener *eventListener) gEventListeners().push_back (eventListener); } +dispatch_once_t EventListener::queueOnceToken = 0; +dispatch_queue_t EventListener::notificationQueue = NULL; + +dispatch_queue_t EventListener::getNotificationQueue() { + dispatch_once(&queueOnceToken, ^{ + notificationQueue = dispatch_queue_create("com.apple.security.keychain-notification-queue", DISPATCH_QUEUE_SERIAL); + }); + + return notificationQueue; +} } // end namespace SecurityServer diff --git a/OSX/libsecurityd/lib/eventlistener.h b/OSX/libsecurityd/lib/eventlistener.h index 2faf7ef9..889cddf1 100644 --- a/OSX/libsecurityd/lib/eventlistener.h +++ b/OSX/libsecurityd/lib/eventlistener.h @@ -42,7 +42,11 @@ protected: NotificationDomain mDomain; NotificationMask mMask; + static dispatch_once_t queueOnceToken; + static dispatch_queue_t notificationQueue; public: + static dispatch_queue_t getNotificationQueue(); + EventListener(NotificationDomain domain, NotificationMask eventMask); virtual ~EventListener(); @@ -54,6 +58,10 @@ public: static void FinishedInitialization(EventListener* eventListener); }; +// For backward compatiblity, we remember the client's CFRunLoop when notifications are enabled. +// Use this function to get this run loop, to route notifications back to them on it. +CFRunLoopRef clientNotificationRunLoop(); + } // end namespace SecurityServer } // end namespace Security diff --git a/OSX/libsecurityd/lib/ssblob.cpp b/OSX/libsecurityd/lib/ssblob.cpp index a758dc3b..3f2fa514 100644 --- a/OSX/libsecurityd/lib/ssblob.cpp +++ b/OSX/libsecurityd/lib/ssblob.cpp 
@@ -32,26 +32,59 @@ namespace Security { namespace SecurityServer { uint32 CommonBlob::getCurrentVersion() { - uint32 ret = version_MacOS_10_0; - // If the integrity protections are turned on, use version_partition. - // else, use version_MacOS_10_0. - CFTypeRef integrity = (CFNumberRef)CFPreferencesCopyValue(CFSTR("KeychainIntegrity"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost); - if (integrity && CFGetTypeID(integrity) == CFBooleanGetTypeID()) { - bool integrityProtections = CFBooleanGetValue((CFBooleanRef)integrity); - - if(integrityProtections) { - secdebugfunc("integrity", "creating a partition keychain; global is on"); - ret = version_partition; + uint32 ret = version_MacOS_10_0; + // If the integrity protections are turned on, use version_partition. + // else, use version_MacOS_10_0. + CFTypeRef integrity = (CFNumberRef)CFPreferencesCopyValue(CFSTR("KeychainIntegrity"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost); + if (integrity && CFGetTypeID(integrity) == CFBooleanGetTypeID()) { + bool integrityProtections = CFBooleanGetValue((CFBooleanRef)integrity); + + if(integrityProtections) { + secnotice("integrity", "creating a partition keychain; global is on"); + ret = version_partition; + } else { + secnotice("integrity", "creating a old-style keychain; global is off"); + ret = version_MacOS_10_0; + } + CFRelease(integrity); } else { - secdebugfunc("integrity", "creating a old-style keychain; global is off"); - ret = version_MacOS_10_0; + secnotice("integrity", "global integrity not set, defaulting to on"); + ret = version_partition; } - CFRelease(integrity); - } - return ret; + return ret; } +uint32 CommonBlob::getCurrentVersionForDb(const char* dbName) { + // Currently, the scheme is as follows: + // in ~/Library/Keychains: + // version_partition + // Elsewhere: + // version_MacOS_10_0` + + if(pathInHomeLibraryKeychains(dbName)) { + return CommonBlob::getCurrentVersion(); + } + + 
secnotice("integrity", "outside ~/Library/Keychains/; creating a old-style keychain"); + return version_MacOS_10_0; +} + +bool CommonBlob::pathInHomeLibraryKeychains(const string& path) { + // We need to check if this path is in Some User's ~/Library/Keychains directory. + // At this level, there's no great way of discovering what's actually a + // user's home directory, so instead let's look for anything under + // ./Library/Keychains/ that isn't /Library/Keychains or /System/Library/Keychains. + + string libraryKeychains = "/Library/Keychains"; + string systemLibraryKeychains = "/System/Library/Keychains"; + + bool inALibraryKeychains = (string::npos != path.find(libraryKeychains)); + bool inRootLibraryKeychains = (0 == path.find(libraryKeychains)); + bool inSystemLibraryKeychains = (0 == path.find(systemLibraryKeychains)); + + return (inALibraryKeychains && !inRootLibraryKeychains && !inSystemLibraryKeychains); +} void CommonBlob::initialize() { @@ -67,7 +100,7 @@ void CommonBlob::initialize(uint32 version) { magic = magicNumber; - secdebugfunc("integrity", "creating a partition keychain with version %d", version); + secnotice("integrity", "creating a keychain with version %d", version); this->blobVersion = version; } 
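Review bot: In getCurrentVersion the re-indented code still calls `CFRelease(integrity)` only inside the `CFGetTypeID(integrity) == CFBooleanGetTypeID()` branch, so a "KeychainIntegrity" preference that exists but is not a boolean (the `(CFNumberRef)` cast on the copy line suggests that case was once expected) is leaked on every call; move the release after the if/else as `if (integrity) CFRelease(integrity);` and drop it from the inner branch. pathInHomeLibraryKeychains is a substring test, so a path such as "/private/tmp/Library/Keychains/x.keychain" passes `inALibraryKeychains` while failing both prefix tests and is classified as a user keychain, which routes it to version_partition; if that is the intended conservative direction it deserves a sentence in the comment, otherwise require the match to be followed by a path separator or the end of the string. The comment line `// version_MacOS_10_0\`` carries a stray backtick.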
@@ -102,7 +135,79 @@ void KeyBlob::setClearTextSignature() { memmove(blobSignature, clearPubKeySig, sizeof(blobSignature)); } - + +// +// Implementation of a "system keychain unlock key store" +// +SystemKeychainKey::SystemKeychainKey(const char *path) +: mPath(path), mValid(false) +{ + // explicitly set up a key header for a raw 3DES key + CssmKey::Header &hdr = mKey.header(); + hdr.blobType(CSSM_KEYBLOB_RAW); + hdr.blobFormat(CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING); + hdr.keyClass(CSSM_KEYCLASS_SESSION_KEY); + hdr.algorithm(CSSM_ALGID_3DES_3KEY_EDE); + hdr.KeyAttr = 0; + hdr.KeyUsage = CSSM_KEYUSE_ANY; + mKey = CssmData::wrap(mBlob.masterKey); +} + +SystemKeychainKey::~SystemKeychainKey() +{ +} + +bool SystemKeychainKey::matches(const DbBlob::Signature &signature) +{ + return update() && signature == mBlob.signature; +} + +CssmKey& SystemKeychainKey::key() +{ + if(!mValid) { + update(); + } + return mKey; +} + +bool SystemKeychainKey::update() +{ + // if we checked recently, just assume it's okay + if (mValid && mUpdateThreshold > Time::now()) + return mValid; + + // check the file + struct stat st; + if (::stat(mPath.c_str(), &st)) { + // something wrong with the file; can't use it + mUpdateThreshold = Time::now() + Time::Interval(checkDelay); + return mValid = false; + } + if (mValid && Time::Absolute(st.st_mtimespec) == mCachedDate) + return true; + mUpdateThreshold = Time::now() + Time::Interval(checkDelay); + + try { + secnotice("syskc", "reading system unlock record from %s", mPath.c_str()); + UnixPlusPlus::AutoFileDesc fd(mPath, O_RDONLY); + if (fd.read(mBlob) != sizeof(mBlob)) + return false; + if (mBlob.isValid()) { + mCachedDate = st.st_mtimespec; + return mValid = true; + } else + return mValid = false; + } catch (...) { + secnotice("syskc", "system unlock record not available"); + return false; + } +} + +bool SystemKeychainKey::valid() +{ + update(); + return mValid; +} } // end namespace SecurityServer 
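Review bot: update() handles its failure paths inconsistently: the stat failure returns `mValid = false`, but the short-read path `return false;` and the `catch (...)` path leave mValid untouched, and by the time the short read is detected `fd.read(mBlob)` has already overwritten part of mBlob, so after one good read a later truncated file leaves valid() reporting true and key() handing out a partially overwritten master key. Both paths should be `return mValid = false;`. mBlob holds the system keychain master key (mKey wraps `mBlob.masterKey` in the constructor) and `~SystemKeychainKey()` is empty, so the key bytes survive in freed memory; zero them explicitly in the destructor, e.g. `memset_s(&mBlob, sizeof(mBlob), 0, sizeof(mBlob));`, since a plain memset at that point may be optimised away. mCachedDate and mUpdateThreshold are absent from the constructor's initialiser list; whether Time::Absolute default-constructs to a defined value is not visible here, and `mUpdateThreshold > Time::now()` is only reached once mValid is true, so this is probably safe but a comment would make that reasoning explicit.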
diff --git a/OSX/libsecurityd/lib/ssblob.h b/OSX/libsecurityd/lib/ssblob.h index e39414be..145d376c 100644 --- a/OSX/libsecurityd/lib/ssblob.h +++ b/OSX/libsecurityd/lib/ssblob.h @@ -75,12 +75,18 @@ public: static const uint32 magicNumber = 0xfade0711; + static const uint32 version_none = 0x0; // dummy value for default parameters. Never set this as an actual version. static const uint32 version_MacOS_10_0 = 0x00000100; // MacOS 10.0.x static const uint32 version_MacOS_10_1 = 0x00000101; // MacOS 10.1.x and on - static const uint32 version_partition = 0x00000200; // MacOS 10.11.2 and on, supporting partitioning + static const uint32 version_partition = 0x00000200; // MacOS 10.11.4 and on, supporting partitioning static const uint32 currentVersion = version_partition; - static uint32 getCurrentVersion(); + static uint32 getCurrentVersion(); + + //Returns the version this database should be, given its filesystem location (as dbName) + static uint32 getCurrentVersionForDb(const char* dbName); + + static bool pathInHomeLibraryKeychains(const string& path); public: void initialize(); void initialize(uint32 version); 
@@ -220,6 +226,36 @@ public: }; +// +// This class implements a "system keychain unlock record" store +// +class SystemKeychainKey { +public: + SystemKeychainKey(const char *path); + ~SystemKeychainKey(); + + bool matches(const DbBlob::Signature &signature); + CssmKey &key(); + + // returns true if we have actually retrieved the key + bool valid(); + +private: + std::string mPath; // path to file + CssmKey mKey; // proper CssmKey with data in mBlob + + bool mValid; // mBlob was validly read from mPath + UnlockBlob mBlob; // contents of mPath as last read + + Time::Absolute mCachedDate; // modify date of file when last read + Time::Absolute mUpdateThreshold; // cutoff threshold for checking again + + static const int checkDelay = 1; // seconds minimum delay between update checks + + bool update(); +}; + + } // end namespace SecurityServer } // end namespace Security diff --git a/OSX/libsecurityd/lib/ssclient.cpp b/OSX/libsecurityd/lib/ssclient.cpp index 37951004..444247aa 100644 --- a/OSX/libsecurityd/lib/ssclient.cpp +++ b/OSX/libsecurityd/lib/ssclient.cpp @@ -79,7 +79,7 @@ void ClientSession::activate() // (that has not exec'ed), our apparent connection to SecurityServer // is just a mirage, and we better reset it. if (mHasForked()) { - secdebug("SSclnt", "process has forked (now pid=%d) - resetting connection object", getpid()); + secinfo("SSclnt", "process has forked (now pid=%d) - resetting connection object", getpid()); mGlobal.reset(); } 
@@ -90,14 +90,14 @@ void ClientSession::activate() // first time for this thread - use abbreviated registration IPCN(ucsp_client_setupThread(UCSP_ARGS, mach_task_self())); thread.registered = true; - secdebug("SSclnt", "Thread registered with %s", mContactName); + secinfo("SSclnt", "Thread registered with %s", mContactName); } // if the thread's guest state has changed, tell securityd if (thread.currentGuest != thread.lastGuest) { IPCN(ucsp_client_setGuest(UCSP_ARGS, thread.currentGuest, kSecCSDefaultFlags)); thread.lastGuest = thread.currentGuest; - secdebug("SSclnt", "switched guest state to 0x%x", thread.currentGuest); + secinfo("SSclnt", "switched guest state to 0x%x", thread.currentGuest); } } @@ -147,7 +147,7 @@ ClientSession::Global::Global() mach_task_self(), info, extForm)); thread.registered = true; // as a side-effect of setup call above IFDEBUG(serverPort.requestNotify(thread.replyPort)); - secdebug("SSclnt", "contact with %s established", mContactName); + secinfo("SSclnt", "contact with %s established", mContactName); } @@ -160,7 +160,7 @@ ClientSession::Global::Global() // void ClientSession::reset() { - secdebug("SSclnt", "resetting client state (OUCH)"); + secinfo("SSclnt", "resetting client state (OUCH)"); mGlobal.reset(); } @@ -179,9 +179,9 @@ Port ClientSession::findSecurityd() mContactName = SECURITYSERVER_BOOTSTRAP_NAME; } - secdebug("SSclnt", "Locating %s", mContactName); + secinfo("SSclnt", "Locating %s", mContactName); Port serverPort = Bootstrap().lookup2(mContactName); - secdebug("SSclnt", "contacting %s at port %d (version %d)", + secinfo("SSclnt", "contacting %s at port %d (version %d)", mContactName, serverPort.port(), SSPROTOVERSION); return serverPort; } 
@@ -211,10 +211,10 @@ void ClientSession::childCheckIn(Port serverPort, Port taskPort) void ClientSession::notifyAclChange(KeyHandle key, CSSM_ACL_AUTHORIZATION_TAG tag) { if (mCallback) { - secdebug("keyacl", "ACL change key %u operation %u", key, tag); + secinfo("keyacl", "ACL change key %u operation %u", key, tag); mCallback(mCallbackContext, *this, key, tag); } else - secdebug("keyacl", "dropped ACL change notice for key %u operation %u", + secinfo("keyacl", "dropped ACL change notice for key %u operation %u", key, tag); } diff --git a/OSX/libsecurityd/lib/ssclient.h b/OSX/libsecurityd/lib/ssclient.h index 5b4e2d78..5fd07093 100644 --- a/OSX/libsecurityd/lib/ssclient.h +++ b/OSX/libsecurityd/lib/ssclient.h @@ -180,10 +180,13 @@ public: DbHandle createDb(const DLDbIdentifier &dbId, const AccessCredentials *cred, const AclEntryInput *owner, const DBParameters ¶ms); + DbHandle cloneDb(const DLDbIdentifier &newDbId, DbHandle srcDb); + DbHandle cloneDbForSync(const CssmData &secretsBlob, DbHandle srcDb, const CssmData &agentData); DbHandle recodeDbForSync(DbHandle dbToClone, DbHandle srcDb); DbHandle recodeDbToVersion(uint32 newVersion, DbHandle srcDb); + void recodeFinished(DbHandle db); DbHandle authenticateDbsForSync(const CssmData &dbHandleArray, const CssmData &agentData); void commitDbForSync(DbHandle srcDb, DbHandle cloneDb, CssmData &blob, Allocator &alloc); DbHandle decodeDb(const DLDbIdentifier &dbId, 
@@ -337,23 +340,11 @@ public: KeyHandle &newKey, CssmKey::Header &newHeader) { return extractMasterKey(db, context, sourceDb, keyUsage, keyAttr, cred, owner, newKey, newHeader, returnAllocator); } - -public: - // Authorization API support - void authCreate(const AuthorizationItemSet *rights, const AuthorizationItemSet *environment, - AuthorizationFlags flags,AuthorizationBlob &result); - void authRelease(const AuthorizationBlob &auth, AuthorizationFlags flags); - void authCopyRights(const AuthorizationBlob &auth, - const AuthorizationItemSet *rights, const AuthorizationItemSet *environment, - AuthorizationFlags flags, AuthorizationItemSet **result); - void authCopyInfo(const AuthorizationBlob &auth, const char *tag, AuthorizationItemSet * &info); - void authExternalize(const AuthorizationBlob &auth, AuthorizationExternalForm &extForm); - void authInternalize(const AuthorizationExternalForm &extForm, AuthorizationBlob &auth); - + public: - // Session API support - void setSessionUserPrefs(SecuritySessionId sessionId, uint32_t userPreferencesLength, const void *userPreferences); - + // Testing support calls + void getUserPromptAttempts(uint32_t& attempts); + public: // Notification core support void postNotification(NotificationDomain domain, NotificationEvent event, const CssmData &data); @@ -362,12 +353,6 @@ public: typedef OSStatus ConsumeNotification(NotificationDomain domain, NotificationEvent event, const void *data, size_t dataLength, void *context); -public: - // AuthorizationDB API - void authorizationdbGet(const AuthorizationString rightname, CssmData &rightDefinition, Allocator &alloc); - void authorizationdbSet(const AuthorizationBlob &auth, const AuthorizationString rightname, uint32_t rightdefinitionLength, const void *rightdefinition); - void authorizationdbRemove(const AuthorizationBlob &auth, const AuthorizationString rightname); - public: // securityd helper support void childCheckIn(Port serverPort, Port taskPort); 
diff --git a/OSX/libsecurityd/lib/sstransit.cpp b/OSX/libsecurityd/lib/sstransit.cpp index d84cc2e9..a59d7b3f 100644 --- a/OSX/libsecurityd/lib/sstransit.cpp +++ b/OSX/libsecurityd/lib/sstransit.cpp @@ -77,7 +77,7 @@ DatabaseAccessCredentials::DatabaseAccessCredentials(const AccessCredentials *cr sample.checkProper(); if (sample.type() == CSSM_SAMPLE_TYPE_SYMMETRIC_KEY || sample.type() == CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY) { - secdebug("SSclient", "key sample encountered"); + secinfo("SSclient", "key sample encountered"); // proper form is sample[1] = DATA:CSPHandle, sample[2] = DATA:CSSM_KEY, // sample[3] = auxiliary data (not changed) if (sample.length() != 4 @@ -95,7 +95,7 @@ DatabaseAccessCredentials::DatabaseAccessCredentials(const AccessCredentials *cr sample.checkProper(); if (sample.type() == CSSM_SAMPLE_TYPE_SYMMETRIC_KEY || sample.type() == CSSM_SAMPLE_TYPE_ASYMMETRIC_KEY) { - secdebug("SSclient", "key sample encountered"); + secinfo("SSclient", "key sample encountered"); // proper form is sample[1] = DATA:CSPHandle, sample[2] = DATA:CSSM_KEY if (sample.length() != 3 || sample[1].type() != CSSM_LIST_ELEMENT_DATUM @@ -132,7 +132,7 @@ void DatabaseAccessCredentials::mapKeySample(CssmData &cspHandleData, CssmKey &k assert(sizeof(CSSM_CSP_HANDLE) >= sizeof(KeyHandle)); // future insurance cspHandle = ssKey; cspHandleData.length(sizeof(KeyHandle)); - secdebug("SSclient", "key sample mapped to key 0x%x", ssKey); + secinfo("SSclient", "key sample mapped to key 0x%x", ssKey); return; case CSSMERR_CSP_INVALID_PASSTHROUGH_ID: return; // CSP didn't understand the callback; leave the sample alone diff --git a/OSX/libsecurityd/lib/transition.cpp b/OSX/libsecurityd/lib/transition.cpp index b34fa376..63ffabc9 100644 --- a/OSX/libsecurityd/lib/transition.cpp +++ b/OSX/libsecurityd/lib/transition.cpp 
@@ -265,14 +265,23 @@ DbHandle ClientSession::createDb(const DLDbIdentifier &dbId, return db; } +DbHandle ClientSession::cloneDb(const DLDbIdentifier &newDbId, DbHandle srcDb) { + DataWalkers::DLDbFlatIdentifier ident(newDbId); + CopyIn id(&ident, reinterpret_cast<xdrproc_t>(xdr_DLDbFlatIdentifier)); + + DbHandle db; + IPC(ucsp_client_cloneDb(UCSP_ARGS, srcDb, id.data(), id.length(), &db)); + return db; +} + DbHandle ClientSession::recodeDbForSync(DbHandle dbToClone, DbHandle srcDb) { DbHandle newDb; IPC(ucsp_client_recodeDbForSync(UCSP_ARGS, dbToClone, srcDb, &newDb)); - - return newDb; + + return newDb; } DbHandle ClientSession::recodeDbToVersion(uint32 newVersion, DbHandle srcDb) @@ -284,6 +293,11 @@ DbHandle ClientSession::recodeDbToVersion(uint32 newVersion, DbHandle srcDb) return newDb; } +void ClientSession::recodeFinished(DbHandle db) +{ + IPC(ucsp_client_recodeFinished(UCSP_ARGS, db)); +} + DbHandle ClientSession::authenticateDbsForSync(const CssmData &dbHandleArray, const CssmData &agentData) { 
@@ -813,137 +827,6 @@ void ClientSession::extractMasterKey(DbHandle db, const Context &context, DbHand } -// -// Authorization subsystem entry -// -void ClientSession::authCreate(const AuthorizationItemSet *rights, - const AuthorizationItemSet *environment, AuthorizationFlags flags, - AuthorizationBlob &result) -{ - void *rightSet = NULL; mach_msg_size_t rightSet_size = 0; - void *environ = NULL; mach_msg_size_t environ_size = 0; - - if ((rights && - !copyin_AuthorizationItemSet(rights, &rightSet, &rightSet_size)) || - (environment && - !copyin_AuthorizationItemSet(environment, &environ, &environ_size))) - CssmError::throwMe(errAuthorizationInternal); - - activate(); - IPCSTART(ucsp_client_authorizationCreate(UCSP_ARGS, - rightSet, rightSet_size, - flags, - environ, environ_size, - &result)); - - free(rightSet); - free(environ); - - if (rcode == CSSMERR_CSSM_NO_USER_INTERACTION) - CssmError::throwMe(errAuthorizationInteractionNotAllowed); - IPCEND_CHECK; -} - -void ClientSession::authRelease(const AuthorizationBlob &auth, - AuthorizationFlags flags) -{ - activate(); - IPCSTART(ucsp_client_authorizationRelease(UCSP_ARGS, auth, flags)); - if (rcode == CSSMERR_CSSM_NO_USER_INTERACTION) - CssmError::throwMe(errAuthorizationInteractionNotAllowed); - IPCEND_CHECK; -} - -void ClientSession::authCopyRights(const AuthorizationBlob &auth, - const AuthorizationItemSet *rights, const AuthorizationItemSet *environment, - AuthorizationFlags flags, - AuthorizationItemSet **grantedRights) -{ - void *rightSet = NULL; mach_msg_size_t rightSet_size = 0; - void *environ = NULL; mach_msg_size_t environ_size = 0; - void *result = NULL; mach_msg_type_number_t resultLength = 0; - - if ((rights && !copyin_AuthorizationItemSet(rights, &rightSet, &rightSet_size)) || - (environment && !copyin_AuthorizationItemSet(environment, &environ, &environ_size))) - CssmError::throwMe(errAuthorizationInternal); // allocation error probably - - activate(); - 
IPCSTART(ucsp_client_authorizationCopyRights(UCSP_ARGS, - auth, - rightSet, rightSet_size, - flags | (grantedRights ? 0 : kAuthorizationFlagNoData), - environ, environ_size, - &result, &resultLength)); - - free(rightSet); - free(environ); - - // XXX/cs return error when copyout returns false - if (rcode == CSSM_OK && grantedRights) - copyout_AuthorizationItemSet(result, resultLength, grantedRights); - - if (result) - mig_deallocate(reinterpret_cast<vm_address_t>(result), resultLength); - if (rcode == CSSMERR_CSSM_NO_USER_INTERACTION) - CssmError::throwMe(errAuthorizationInteractionNotAllowed); - IPCEND_CHECK; -} - -void ClientSession::authCopyInfo(const AuthorizationBlob &auth, - const char *tag, - AuthorizationItemSet * &info) -{ - if (tag == NULL) - tag = ""; - else if (tag[0] == '\0') - MacOSError::throwMe(errAuthorizationInvalidTag); - - activate(); - void *result; mach_msg_type_number_t resultLength; - IPCSTART(ucsp_client_authorizationCopyInfo(UCSP_ARGS, auth, tag, &result, &resultLength)); - - // XXX/cs return error when copyout returns false - if (rcode == CSSM_OK) - copyout_AuthorizationItemSet(result, resultLength, &info); - - if (result) - mig_deallocate(reinterpret_cast<vm_address_t>(result), resultLength); - - if (rcode == CSSMERR_CSSM_NO_USER_INTERACTION) - CssmError::throwMe(errAuthorizationInteractionNotAllowed); - IPCEND_CHECK; -} - -void ClientSession::authExternalize(const AuthorizationBlob &auth, - AuthorizationExternalForm &extForm) -{ - activate(); - IPCSTART(ucsp_client_authorizationExternalize(UCSP_ARGS, auth, &extForm)); - if (rcode == CSSMERR_CSSM_NO_USER_INTERACTION) - CssmError::throwMe(errAuthorizationInteractionNotAllowed); - IPCEND_CHECK; -} - -void ClientSession::authInternalize(const AuthorizationExternalForm &extForm, - AuthorizationBlob &auth) -{ - activate(); - IPCSTART(ucsp_client_authorizationInternalize(UCSP_ARGS, extForm, &auth)); - if (rcode == CSSMERR_CSSM_NO_USER_INTERACTION) - 
CssmError::throwMe(errAuthorizationInteractionNotAllowed); - IPCEND_CHECK; -} - - -// -// Push user preferences from an app in user space to securityd -// -void ClientSession::setSessionUserPrefs(SecuritySessionId sessionId, uint32_t userPreferencesLength, const void *userPreferences) -{ - IPC(ucsp_client_setSessionUserPrefs(UCSP_ARGS, sessionId, const_cast<void *>(userPreferences), userPreferencesLength)); -} - - void ClientSession::postNotification(NotificationDomain domain, NotificationEvent event, const CssmData &data) { uint32 seq = ++mGlobal().thread().notifySeq; 
@@ -951,46 +834,14 @@ void ClientSession::postNotification(NotificationDomain domain, NotificationEven if (getenv("NOTIFYJITTER")) { // artificially reverse odd/even sequences to test securityd's jitter buffer seq += 2 * (seq % 2) - 1; - secdebug("notify", "POSTING FAKE SEQUENCE %d NOTIFICATION", seq); + secinfo("notify", "POSTING FAKE SEQUENCE %d NOTIFICATION", seq); } #endif //NDEBUG - secdebug("notify", "posting domain 0x%x event %d sequence %d", + secinfo("notify", "posting domain 0x%x event %d sequence %d", domain, event, seq); IPC(ucsp_client_postNotification(UCSP_ARGS, domain, event, DATA(data), seq)); } -// -// authorizationdbGet/Set/Remove -// -void ClientSession::authorizationdbGet(const AuthorizationString rightname, CssmData &rightDefinition, Allocator &alloc) -{ - DataOutput definition(rightDefinition, alloc); - activate(); - IPCSTART(ucsp_client_authorizationdbGet(UCSP_ARGS, rightname, DATA_OUT(definition))); - if (rcode == CSSMERR_CSSM_NO_USER_INTERACTION) - CssmError::throwMe(errAuthorizationInteractionNotAllowed); - IPCEND_CHECK; -} - -void ClientSession::authorizationdbSet(const AuthorizationBlob &auth, const AuthorizationString rightname, uint32_t rightDefinitionLength, const void *rightDefinition) -{ - // @@@ DATA_IN in transition.cpp is not const void * - activate(); - IPCSTART(ucsp_client_authorizationdbSet(UCSP_ARGS, auth, rightname, const_cast<void *>(rightDefinition), rightDefinitionLength)); - if (rcode == CSSMERR_CSSM_NO_USER_INTERACTION) - CssmError::throwMe(errAuthorizationInteractionNotAllowed); - IPCEND_CHECK; -} - -void ClientSession::authorizationdbRemove(const AuthorizationBlob &auth, const AuthorizationString rightname) -{ - activate(); - IPCSTART(ucsp_client_authorizationdbRemove(UCSP_ARGS, auth, rightname)); - if (rcode == CSSMERR_CSSM_NO_USER_INTERACTION) - CssmError::throwMe(errAuthorizationInteractionNotAllowed); - IPCEND_CHECK; -} - // // Code Signing related 
@@ -1013,7 +864,7 @@ SecGuestRef ClientSession::createGuest(SecGuestRef host, SecGuestRef newGuest; IPC(ucsp_client_createGuest(UCSP_ARGS, host, status, path, DATA(cdhash), DATA(attributes), flags, &newGuest)); if (flags & kSecCSDedicatedHost) { - secdebug("ssclient", "setting dedicated guest to 0x%x (was 0x%x)", + secinfo("ssclient", "setting dedicated guest to 0x%x (was 0x%x)", mDedicatedGuest, newGuest); mDedicatedGuest = newGuest; } @@ -1033,10 +884,10 @@ void ClientSession::removeGuest(SecGuestRef host, SecGuestRef guest) void ClientSession::selectGuest(SecGuestRef newGuest) { if (mDedicatedGuest) { - secdebug("ssclient", "ignoring selectGuest(0x%x) because dedicated guest=0x%x", + secinfo("ssclient", "ignoring selectGuest(0x%x) because dedicated guest=0x%x", newGuest, mDedicatedGuest); } else { - secdebug("ssclient", "switching to guest 0x%x", newGuest); + secinfo("ssclient", "switching to guest 0x%x", newGuest); mGlobal().thread().currentGuest = newGuest; } } @@ -1049,6 +900,16 @@ SecGuestRef ClientSession::selectedGuest() const return mGlobal().thread().currentGuest; } +// +// Testing related +// + +// Return the number of Keychain users prompts securityd has considered showing. +// On non-internal installs, this returns 0. +void ClientSession::getUserPromptAttempts(uint32_t& attempts) { + IPC(ucsp_client_getUserPromptAttempts(UCSP_ARGS, &attempts)); +} + } // end namespace SecurityServer } // end namespace Security diff --git a/OSX/libsecurityd/lib/xdr_cssm.c b/OSX/libsecurityd/lib/xdr_cssm.c index e8a4b976..f74ce46e 100644 --- a/OSX/libsecurityd/lib/xdr_cssm.c +++ b/OSX/libsecurityd/lib/xdr_cssm.c 
@@ -154,7 +154,7 @@ bool_t inline xdr_CSSM_LIST_ELEMENT(XDR *xdrs, CSSM_LIST_ELEMENT *objp)
 case CSSM_LIST_ELEMENT_WORDID:
 break;
 default:
- secdebug("secxdr", "Illegal CSSM_LIST_ELEMENT type: %u", objp->ElementType); return (FALSE);
+ secinfo("secxdr", "Illegal CSSM_LIST_ELEMENT type: %u", objp->ElementType); return (FALSE);
 }
 if (!sec_xdr_pointer(xdrs, (uint8_t**)&objp->NextElement, sizeof(CSSM_LIST_ELEMENT), (xdrproc_t)xdr_CSSM_LIST_ELEMENT))
diff --git a/OSX/libsecurityd/libsecurityd.xcodeproj/project.pbxproj b/OSX/libsecurityd/libsecurityd.xcodeproj/project.pbxproj
index 704fa365..47dee45b 100644
--- a/OSX/libsecurityd/libsecurityd.xcodeproj/project.pbxproj
+++ b/OSX/libsecurityd/libsecurityd.xcodeproj/project.pbxproj
@@ -166,7 +166,7 @@ C2A59416052E3F0800AF1EE3 /* sstransit.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = sstransit.h; path = lib/sstransit.h; sourceTree = "<group>"; }; C2A59420052E3F2100AF1EE3 /* ucsp.defs */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.mig; path = ucsp.defs; sourceTree = "<group>"; }; C2A59421052E3F2100AF1EE3 /* ucspNotify.defs */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.mig; name = ucspNotify.defs; path = mig/ucspNotify.defs; sourceTree = SOURCE_ROOT; }; - C2A594F8052E4FC200AF1EE3 /* ssblob.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = ssblob.cpp; path = lib/ssblob.cpp; sourceTree = "<group>"; }; + C2A594F8052E4FC200AF1EE3 /* ssblob.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; name = ssblob.cpp; path = lib/ssblob.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; C2A594F9052E4FC200AF1EE3 /* ssblob.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = ssblob.h; path = lib/ssblob.h; sourceTree = "<group>"; }; C2A59508052E506A00AF1EE3 /* ucsp_types.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = ucsp_types.h; path = lib/ucsp_types.h; sourceTree = "<group>"; }; C2A788430B7AA33400CFF85C /* ucspClientC.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = ucspClientC.c; path = derived_src/securityd_client/ucspClientC.c; sourceTree = BUILT_PRODUCTS_DIR; }; 
@@ -175,7 +175,7 @@ C2BD60C60AC849180057FD3D /* cshostingClient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = cshostingClient.cpp; path = derived_src/securityd_client/cshostingClient.cpp; sourceTree = BUILT_PRODUCTS_DIR; }; C2BD60C70AC849180057FD3D /* cshostingServer.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = cshostingServer.cpp; path = derived_src/securityd_client/cshostingServer.cpp; sourceTree = BUILT_PRODUCTS_DIR; }; C2BF13F20ABF086900908B48 /* cshosting.defs */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.mig; path = cshosting.defs; sourceTree = "<group>"; }; - D6942E270A642276000E7E2F /* eventlistener.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = eventlistener.cpp; path = lib/eventlistener.cpp; sourceTree = "<group>"; }; + D6942E270A642276000E7E2F /* eventlistener.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; name = eventlistener.cpp; path = lib/eventlistener.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; }; D6942E280A642276000E7E2F /* eventlistener.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = eventlistener.h; path = lib/eventlistener.h; sourceTree = "<group>"; }; D6942E310A6423BC000E7E2F /* SharedMemoryClient.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; name = SharedMemoryClient.cpp; path = lib/SharedMemoryClient.cpp; sourceTree = "<group>"; }; D6942E320A6423BC000E7E2F /* SharedMemoryClient.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = SharedMemoryClient.h; path = lib/SharedMemoryClient.h; sourceTree = "<group>"; }; 
@@ -461,7 +461,7 @@ 4CA1FEAB052A3C3800F22E42 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = C27AD4330987FCDF001272E0 /* Build configuration list for PBXProject "libsecurityd" */; compatibilityVersion = "Xcode 3.2"; @@ -510,12 +510,16 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/", + "$(SRCROOT)/lib/", + "$(SRCROOT)/mig/", ); outputPaths = ( + "${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "nmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + shellScript = "# with our source directories as input files, Xcode will only re-run this phase if there's been a source change\nnmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; }; 18B96B1214743FCF005A4D2E /* ShellScript */ = { isa = PBXShellScriptBuildPhase; @@ -523,12 +527,16 @@ files = ( ); inputPaths = ( + "$(SRCROOT)/", + "$(SRCROOT)/lib/", + "$(SRCROOT)/mig/", ); outputPaths = ( + "${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}", ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "nmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; + shellScript = "# with our source directories as input files, Xcode will only re-run this phase if there's been a source change\nnmedit -p \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\"\nranlib \"${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}\""; }; /* End PBXShellScriptBuildPhase section */ 
@@ -685,6 +693,21 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB174146EA1D6000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + ONLY_ACTIVE_ARCH = YES; }; name = Debug; }; @@ -692,6 +715,19 @@ isa = XCBuildConfiguration; baseConfigurationReference = 182BB174146EA1D6000BF1F3 /* lib.xcconfig */; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; }; name = Release; }; diff --git a/OSX/libsecurityd/mig/ucsp.defs b/OSX/libsecurityd/mig/ucsp.defs index e7bb7348..19f66ecc 100644 --- a/OSX/libsecurityd/mig/ucsp.defs +++ b/OSX/libsecurityd/mig/ucsp.defs 
@@ -205,30 +205,36 @@ routine dlPassThrough(UCSP_PORTS; in ssid: uint32; in id: uint32; in inData: Dat // // Authorization subsystem // -routine authorizationCreate(UCSP_PORTS; - in rights: Data; - in flags: uint32; - in environment: Data; - out authorization: AuthorizationBlob); +// routine authorizationCreate(UCSP_PORTS; +// in rights: Data; +// in flags: uint32; +// in environment: Data; +// out authorization: AuthorizationBlob); +skip; -routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob; - in flags: uint32); +// routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob; +// in flags: uint32); +skip; -routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob; - in rights: Data; - in flags: uint32; - in environment: Data; - out result: Data); +// routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob; +// in rights: Data; +// in flags: uint32; +// in environment: Data; +// out result: Data); +skip; -routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob; - in tag: AuthorizationString; - out info: Data); +// routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob; +// in tag: AuthorizationString; +// out info: Data); +skip; -routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob; - out form: AuthorizationExternalForm); +// routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob; +// out form: AuthorizationExternalForm); +skip; -routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm; - out authorization: AuthorizationBlob); +// routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm; +// out authorization: AuthorizationBlob); +skip; // 
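Review bot: The six retired authorization routines are kept as multi-line commented-out blocks each followed by a bare `skip;`, while the next hunks in this same file use the compact `skip; // was: routine ...` one-liner; pick one form, and since the full signatures live in version history the one-line form is enough, e.g. `skip; // was: routine authorizationCreate(UCSP_PORTS; in rights: Data; in flags: uint32; in environment: Data; out authorization: AuthorizationBlob);`. A one-line comment above the block stating why the `skip;` entries must stay (presumably so the message IDs of every later routine in the subsystem are unchanged) would stop a future cleanup from deleting them and silently renumbering the interface.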
@@ -238,7 +244,7 @@ skip; // was getSessionInfo -- now kept by the kernel skip; // was setupSession -- now kept by the kernel skip; // was setSessionDistinguishedUid -- now kept by the kernel skip; // was getSessionDistinguishedUid -- now kept by the kernel -routine setSessionUserPrefs(UCSP_PORTS; in sessionId: SecuritySessionId; in userPrefs: Data); +skip; // was routine setSessionUserPrefs(UCSP_PORTS; in sessionId: SecuritySessionId; in userPrefs: Data); // // Notification subsystem @@ -258,9 +264,9 @@ routine extractMasterKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in so // // AuthorizationDB operations // -routine authorizationdbGet(UCSP_PORTS; in rightname: AuthorizationString; out rightdefinition: Data); -routine authorizationdbSet(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString; in rightDefinition: Data); -routine authorizationdbRemove(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString); +skip; // was: routine authorizationdbGet(UCSP_PORTS; in rightname: AuthorizationString; out rightdefinition: Data); +skip; // was: routine authorizationdbSet(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString; in rightDefinition: Data); +skip; // was: routine authorizationdbRemove(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString); // @@ -337,5 +343,12 @@ routine changeKeyStorePassphrase(UCSP_PORTS); // // Keychain version change support calls // -routine recodeDbToVersion(UCSP_PORTS; in newVersion: uint32; - in srcDb: IPCDbHandle; out newDb: IPCDbHandle); +routine recodeDbToVersion(UCSP_PORTS; in newVersion: uint32; in srcDb: IPCDbHandle; out newDb: IPCDbHandle); +routine cloneDb(UCSP_PORTS; in srcDb: IPCDbHandle; in ident: Data; out newDb: IPCDbHandle); +routine recodeFinished(UCSP_PORTS; in db: IPCDbHandle); + +// +// Keychain Test Support calls +// +routine getUserPromptAttempts(UCSP_PORTS; out attempts: uint32_t); + 
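Review bot: `out attempts: uint32_t` in the new getUserPromptAttempts routine uses a type spelling no other routine in this file uses — the surrounding routines write `uint32` (for instance `in newVersion: uint32` on the line above); unless `uint32_t` is separately declared as a MIG type in the imported definitions, mig will reject it, and either way `routine getUserPromptAttempts(UCSP_PORTS; out attempts: uint32);` matches the file. This also places a test-support call on securityd's production interface; the client-side comment in ucspClient.cpp says non-internal installs get 0, so record here that the gating is the server's job, e.g. `// Test support only: securityd returns 0 on non-internal builds; nothing in this interface restricts the caller.`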
diff --git a/OSX/regressions/regressions.xcodeproj/project.pbxproj b/OSX/regressions/regressions.xcodeproj/project.pbxproj index d2c407cf..d1401020 100644 --- a/OSX/regressions/regressions.xcodeproj/project.pbxproj +++ b/OSX/regressions/regressions.xcodeproj/project.pbxproj @@ -156,7 +156,7 @@ 05441E6008A971C700F0EC5A /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; }; buildConfigurationList = 4CD81AFC09BE1FD3000A9641 /* Build configuration list for PBXProject "regressions" */; compatibilityVersion = "Xcode 3.2"; @@ -197,19 +197,18 @@ 792E01860CBC0E6E007C00A0 /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { + ASSETCATALOG_COMPRESSION = lossless; CLANG_STATIC_ANALYZER_MODE = deep; COPY_PHASE_STRIP = NO; + ENABLE_TESTABILITY = YES; GCC_C_LANGUAGE_STANDARD = gnu99; GCC_OPTIMIZATION_LEVEL = 0; GCC_PREPROCESSOR_DEFINITIONS = "DEBUG=1"; - "GCC_PREPROCESSOR_DEFINITIONS[sdk=iphoneos*]" = ( - "DEBUG=1", - "NO_SERVER=1", - ); - "GCC_PREPROCESSOR_DEFINITIONS[sdk=iphonesimulator*]" = ( + "GCC_PREPROCESSOR_DEFINITIONS[sdk=embedded*]" = ( "DEBUG=1", "NO_SERVER=1", ); + GCC_TREAT_WARNINGS_AS_ERRORS = YES; GCC_WARN_64_TO_32_BIT_CONVERSION = YES; GCC_WARN_ABOUT_MISSING_NEWLINE = YES; GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES; @@ -232,13 +231,14 @@ "$(PROJECT_DIR)/../libDER", "$(PROJECT_DIR)/..", "$(PROJECT_DIR)", - "$(BUILT_PRODUCTS_DIR)$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include", + "$(BUILT_PRODUCTS_DIR)/usr/local/include", ); + ONLY_ACTIVE_ARCH = YES; OTHER_CFLAGS = ( "-fconstant-cfstrings", "-fno-inline", ); - "OTHER_LDFLAGS[sdk=iphoneos*][arch=*]" = ( + "OTHER_LDFLAGS[sdk=embedded*][arch=*]" = ( "$(OTHER_LDFLAGS)", "-framework", MobileKeyBag, 
@@ -246,7 +246,7 @@ RUN_CLANG_STATIC_ANALYZER = YES; SDKROOT = macosx.internal; SKIP_INSTALL = YES; - SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator"; + SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator appletvos appletvsimulator watchos watchsimulator"; WARNING_CFLAGS = ( "-Wall", "-Wextra", @@ -254,6 +254,7 @@ "-Wno-missing-field-initializers", "-Wglobal-constructors", "-Wno-deprecated-declarations", + "-Wno-four-char-constants", "$(inherited)", ); }; @@ -262,11 +263,13 @@ 792E01870CBC0E6E007C00A0 /* Release */ = { isa = XCBuildConfiguration; buildSettings = { + ASSETCATALOG_COMPRESSION = "respect-asset-catalog"; CLANG_STATIC_ANALYZER_MODE = deep; COPY_PHASE_STRIP = YES; GCC_C_LANGUAGE_STANDARD = gnu99; GCC_OPTIMIZATION_LEVEL = s; GCC_PREPROCESSOR_DEFINITIONS = "NDEBUG=1"; + GCC_TREAT_WARNINGS_AS_ERRORS = YES; GCC_WARN_64_TO_32_BIT_CONVERSION = YES; GCC_WARN_ABOUT_MISSING_NEWLINE = YES; GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES; @@ -289,13 +292,13 @@ "$(PROJECT_DIR)/../libDER", "$(PROJECT_DIR)/..", "$(PROJECT_DIR)", - "$(BUILT_PRODUCTS_DIR)$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include", + "$(BUILT_PRODUCTS_DIR)/usr/local/include", ); OTHER_CFLAGS = "-fconstant-cfstrings"; RUN_CLANG_STATIC_ANALYZER = YES; SDKROOT = macosx.internal; SKIP_INSTALL = YES; - SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator"; + SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator appletvos appletvsimulator watchos watchsimulator"; WARNING_CFLAGS = ( "-Wall", "-Wextra", @@ -303,6 +306,7 @@ "-Wno-missing-field-initializers", "-Wglobal-constructors", "-Wno-deprecated-declarations", + "-Wno-four-char-constants", "$(inherited)", ); }; @@ -312,6 +316,11 @@ isa = XCBuildConfiguration; buildSettings = { COMBINE_HIDPI_IMAGES = YES; + "HEADER_SEARCH_PATHS[sdk=macosx*]" = ( + "$(BUILT_PRODUCTS_DIR)", + "$(PROJECT_DIR)/../utilities", + "$(PROJECT_DIR)", + ); PRODUCT_NAME = "$(TARGET_NAME)"; }; name = Debug; 
@@ -320,6 +329,11 @@ isa = XCBuildConfiguration; buildSettings = { COMBINE_HIDPI_IMAGES = YES; + "HEADER_SEARCH_PATHS[sdk=macosx*]" = ( + "$(BUILT_PRODUCTS_DIR)", + "$(PROJECT_DIR)/../utilities", + "$(PROJECT_DIR)", + ); PRODUCT_NAME = "$(TARGET_NAME)"; }; name = Release; diff --git a/OSX/regressions/test/testenv.h b/OSX/regressions/test/testenv.h index 0eedd40b..6c7b177d 100644 --- a/OSX/regressions/test/testenv.h +++ b/OSX/regressions/test/testenv.h @@ -32,6 +32,8 @@ extern "C" { extern int test_strict_bats; extern int test_verbose; +extern int test_check_leaks; +extern char **test_skip_leaks_test; int tests_begin(int argc, char * const *argv); diff --git a/OSX/regressions/test/testenv.m b/OSX/regressions/test/testenv.m index 4bdf4671..a96144c1 100644 --- a/OSX/regressions/test/testenv.m +++ b/OSX/regressions/test/testenv.m @@ -57,6 +57,8 @@ int test_strict_bats = 1; int test_verbose = 0; int test_onebatstest = 0; +int test_check_leaks = 0; +char **test_skip_leaks_test = NULL; #ifdef NO_SERVER #include <securityd/spi.h> @@ -176,7 +178,9 @@ static int tests_run_test(struct one_test_s *test, int argc, char * const *argv) } else { struct timeval start, stop; gettimeofday(&start, NULL); - test->entry(argc, argv); + @autoreleasepool { + test->entry(argc, argv); + } gettimeofday(&stop, NULL); /* this may overflow... */ test->duration = (stop.tv_sec-start.tv_sec) * 1000 + (stop.tv_usec / 1000) - (start.tv_usec / 1000); 
@@ -185,6 +189,51 @@ static int tests_run_test(struct one_test_s *test, int argc, char * const *argv) } } + /* + * Check if we have any leaks, allow skipping test + */ + + if (test_check_leaks) { + char *cmd = NULL; + int ret = 0; + + asprintf(&cmd, "leaks %d >/dev/null", getpid()); + if (cmd) { + ret = system(cmd); + free(cmd); + } + if (ret != 0) { + unsigned n = 0; + fprintf(stdout, "leaks found in test %s\n", test->name); + + if (test_skip_leaks_test) { + while (test_skip_leaks_test[n]) { + if (strcmp(test_skip_leaks_test[n], test->name) == 0) { + fprintf(stdout, "test %s known to be leaky, skipping\n", test->name); + ret = 0; + break; + } + } + } + if (ret) { + token = "FAIL"; + } + } else { + if (test_skip_leaks_test) { + unsigned n = 0; + + while (test_skip_leaks_test[n]) { + if (strcmp(test_skip_leaks_test[n], test->name) == 0) { + fprintf(stdout, "leaks didn't find leak in test %s, yet it was ignore\n", test->name); + token = "FAIL"; + break; + } + } + } + + } + } + test_plan_final(&test->failed_tests, &test->todo_pass_tests, &test->todo_tests, &test->actual_tests, &test->planned_tests, &test->plan_file, &test->plan_line); @@ -314,9 +363,12 @@ tests_begin(int argc, char * const *argv) { #if ASYNC_LOGGING dispatch_queue_t show_queue = dispatch_queue_create("sec log queue", DISPATCH_QUEUE_SERIAL); #endif + +#if USEOLDLOGGING security_log_handler handle_logs = ^(int level, CFStringRef scope, const char *function, const char *file, int line, CFStringRef message) { time_t now = time(NULL); + #if DATE_LOGGING char *date = ctime(&now); date[19] = '\0'; @@ -335,6 +387,8 @@ tests_begin(int argc, char * const *argv) { CFReleaseSafe(logStr); #endif }; +#endif + for (;;) { while (!testcase && (ch = getopt(argc, argv, "bklL1vwqs")) != -1) @@ -348,7 +402,7 @@ tests_begin(int argc, char * const *argv) { #endif case 's': if (!print_security_logs) { - add_security_log_handler(handle_logs); + //add_security_log_handler(handle_logs); print_security_logs = true; } break; 
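Review bot: Both `while (test_skip_leaks_test[n])` loops in the new leak check never advance `n`, so the first skip-list entry that is not the current test name spins forever; add `n++;` as the last statement of each loop body (after the `if`), e.g. `if (strcmp(test_skip_leaks_test[n], test->name) == 0) { ...; break; } n++;`. Since `ret` is the raw `system()` wait status, a failure to spawn `leaks` (-1) is also reported as "leaks found"; if that matters, distinguish it with `WIFEXITED(ret) && WEXITSTATUS(ret) != 0`. The else-branch message should read "yet it was ignored". tests_run_test starts and ends outside this hunk.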
@@ -387,6 +441,9 @@ tests_begin(int argc, char * const *argv) { usage(argv[0]); } } + + if(!print_security_logs) secLogDisable(); + if (!list && !initialized && !test_onebatstest) fprintf(stdout, "[TEST] %s\n", getprogname()); @@ -427,7 +484,7 @@ tests_begin(int argc, char * const *argv) { tests_summary(getprogname()); } - remove_security_log_handler(handle_logs); + // remove_security_log_handler(handle_logs); fflush(stdout); diff --git a/OSX/regressions/test/testmore.c b/OSX/regressions/test/testmore.c index 4d443485..4cdbb14d 100644 --- a/OSX/regressions/test/testmore.c +++ b/OSX/regressions/test/testmore.c @@ -24,6 +24,8 @@ */ #include <fcntl.h> +#include <dispatch/dispatch.h> +#include <pthread.h> #include <stdarg.h> #include <stdlib.h> #include <string.h> @@ -35,6 +37,7 @@ #include "testmore.h" #include "testenv.h" +pthread_mutex_t test_mutex; // protects the test number variables static int test_fails = 0; static int test_todo_pass = 0; static int test_todo = 0; @@ -102,9 +105,14 @@ void test_bail_out(const char *reason, const char *file, unsigned line) void test_plan_skip_all(const char *reason) { - if (test_num < test_cases) + // Not super thread-safe. Don't test_plan_skip_all from multiple threads simultaneously. + pthread_mutex_lock(&test_mutex); + int skipN = test_cases - test_num; + pthread_mutex_unlock(&test_mutex); + + if (skipN > 0) { - test_skip(reason, test_cases - test_num, 0); + test_skip(reason, skipN, 0); } } @@ -144,6 +152,7 @@ int test_plan_ok(void) { fflush(stderr); const char *name = test_plan_name(); + pthread_mutex_lock(&test_mutex); if (!test_num) { if (test_cases) @@ -170,11 +179,13 @@ int test_plan_ok(void) { fprintf(stdout, "%s failed %d tests of %d.\n", name, test_fails, test_num); status = 1; } + pthread_mutex_unlock(&test_mutex); fflush(stdout); return status; } +// You should hold the test_mutex when you call this. static void test_plan_reset(void) { test_fails = 0; test_todo_pass = 0; 
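Review bot: `pthread_mutex_t test_mutex;` is declared with no initializer, yet the other hunks in this file lock it in test_plan_skip_all, test_plan_ok, test_plan_final and test_ok, and the only initialization this patch adds is the dispatch_once inside test_plan_tests; a test that calls ok() before plan_tests(), or never calls it, locks an uninitialized mutex. Declare it `pthread_mutex_t test_mutex = PTHREAD_MUTEX_INITIALIZER;` and drop the runtime init — on Darwin, locking a zero-filled mutex appears to fail with EINVAL, and because the lock's return value is ignored the "protection" would silently not apply. If nothing outside this file references it (I can't see testmore.h here), make it `static` as well.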
@@ -186,6 +197,7 @@ static void test_plan_reset(void) { } void test_plan_final(int *failed, int *todo_pass, int *todo, int *actual, int *planned, const char **file, int *line) { + pthread_mutex_lock(&test_mutex); if (failed) *failed = test_fails; if (todo_pass) @@ -202,6 +214,7 @@ void test_plan_final(int *failed, int *todo_pass, int *todo, int *actual, int *p *line = test_plan_line; test_plan_reset(); + pthread_mutex_unlock(&test_mutex); } void test_plan_tests(int count, const char *file, unsigned line) { @@ -226,6 +239,13 @@ void test_plan_tests(int count, const char *file, unsigned line) { test_plan_line=line; test_cases = count; + + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + if(pthread_mutex_init(&test_mutex, NULL) != 0) { + fprintf(stdout, "Failed to initialize mutex: %d\n", errno); + } + }); } } @@ -298,6 +318,7 @@ test_ok(int passed, __attribute((cf_consumed)) CFStringRef description, const ch //fflush(stdout); } + pthread_mutex_lock(&test_mutex); ++test_num; if (passed) { if (is_todo) { @@ -342,6 +363,7 @@ test_ok(int passed, __attribute((cf_consumed)) CFStringRef description, const ch reason ? reason : ""); fflush(stdout); } + pthread_mutex_unlock(&test_mutex); } if (description) 
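Review bot: `pthread_mutex_init` does not set `errno`; it returns the error number, so the failure message in the new dispatch_once block prints whatever `errno` happened to contain, and `<errno.h>` is not among the includes visible in this patch. If this runtime init is kept, capture the return value: `int rc = pthread_mutex_init(&test_mutex, NULL); if (rc != 0) fprintf(stdout, "Failed to initialize mutex: %d\n", rc);`. Note also that this is the only place the mutex is initialized while it is locked from several other functions, so a static `PTHREAD_MUTEX_INITIALIZER` at the declaration would be simpler and always valid. test_plan_tests starts outside this hunk.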
@@ -350,28 +372,43 @@ test_ok(int passed, __attribute((cf_consumed)) CFStringRef description, const ch return passed; } + // TODO: Move this to testsec.h so that testmore and testenv can be shared +static void buf_kill(void* p) { + free(p); +} + const char * sec_errstr(int err) { -#if 1 - static int bufnum = 0; - static char buf[2][20]; - bufnum = bufnum ? 0 : 1; - sprintf(buf[bufnum], "0x%X", err); - return buf[bufnum]; -#else /* !1 */ - if (err >= errSecErrnoBase && err <= errSecErrnoLimit) - return strerror(err - 100000); - -#ifdef MAC_OS_X_VERSION_10_4 - /* AvailabilityMacros.h would only define this if we are on a - Tiger or later machine. */ - extern const char *cssmErrorString(long); - return cssmErrorString(err); -#else /* !defined(MAC_OS_X_VERSION_10_4) */ - extern const char *_ZN8Security15cssmErrorStringEl(long); - return _ZN8Security15cssmErrorStringEl(err); -#endif /* MAC_OS_X_VERSION_10_4 */ -#endif /* !1 */ + static pthread_key_t buffer0key; + static pthread_key_t buffer1key; + static pthread_key_t switchkey; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + pthread_key_create(&buffer0key, buf_kill); + pthread_key_create(&buffer1key, buf_kill); + pthread_key_create(&switchkey, buf_kill); + }); + + uint32_t * switchp = (uint32_t*) pthread_getspecific(switchkey); + if(switchp == NULL) { + switchp = (uint32_t*) malloc(sizeof(uint32_t)); + *switchp = 0; + pthread_setspecific(switchkey, switchp); + } + + char* buf = NULL; + + pthread_key_t current = (*switchp) ? buffer0key : buffer1key; + *switchp = !(*switchp); + + buf = pthread_getspecific(current); + if(buf == NULL) { + buf = (char*) malloc(20); + pthread_setspecific(current, buf); + } + + snprintf(buf, 20, "0x%X", err); + return buf; } diff --git a/OSX/regressions/test/testpolicy.m b/OSX/regressions/test/testpolicy.m index a7e6234a..c22adc33 100644 --- a/OSX/regressions/test/testpolicy.m +++ b/OSX/regressions/test/testpolicy.m 
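Review bot: The rewritten sec_errstr dereferences both `malloc` results without a check (`*switchp = 0` and `snprintf(buf, 20, ...)`), and the three `pthread_key_create` return values are ignored too; in a test harness an explicit failure is preferable to a NULL write, so add `if (!switchp) abort();` and `if (!buf) abort();` (or return a static fallback string) right after each allocation. Naming the buffer size once, `enum { ERRSTR_LEN = 20 };`, and using it for both the `malloc` and the `snprintf` keeps the two from drifting apart. The header comment should also say what callers may rely on: `// Returns a thread-local buffer that stays valid until the second-next call from the same thread.`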
@@ -26,14 +26,11 @@ #include <TargetConditionals.h> -#if TARGET_OS_IPHONE - #include <Foundation/Foundation.h> #include <CoreFoundation/CoreFoundation.h> #include <utilities/SecCFWrappers.h> #include <Security/SecCertificate.h> #include <Security/SecCertificatePriv.h> -#include <Security/SecInternal.h> #include <Security/SecPolicyPriv.h> #include <Security/SecTrust.h> #include <Security/SecTrustPriv.h> @@ -42,22 +39,6 @@ #include "testmore.h" -/* - * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. - */ - -#include <Foundation/Foundation.h> -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecCertificate.h> -#include <Security/SecCertificatePriv.h> -#include <Security/SecInternal.h> -#include <Security/SecPolicyPriv.h> -#include <Security/SecTrust.h> -#include <Security/SecTrustPriv.h> -#include <stdlib.h> -#include <unistd.h> - -#include "testmore.h" /* Those tests were originally written around that date. */ CFGiblisGetSingleton(CFDateRef, GetFrozenTime, frozenTime, ^{ @@ -136,7 +117,7 @@ static void runOneLeafTest(SecPolicyRef policy, //NSLog(@"Evaluating: %@",certRef); err = SecTrustEvaluate(trustRef, &evalRes); if (err) { - ok_status(err, "SecTrustCreateWithCertificates"); + ok_status(err, "SecTrustEvaluate"); goto exit; } BOOL isValid = (evalRes == kSecTrustResultProceed || evalRes == kSecTrustResultUnspecified); @@ -212,5 +193,3 @@ void runCertificateTestForDirectory(SecPolicyRef policy, CFStringRef resourceSub [pool release]; } - -#endif /* TARGET_OS_IPHONE */ diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c index e8b51dbc..6503f798 100644 --- a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c +++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c 
@@ -45,6 +45,7 @@ #include <syslog.h> #include <os/activity.h> #include <CoreFoundation/CFUserNotification.h> +#include <Security/SecureObjectSync/SOSInternal.h> #include <utilities/debugging.h> #include <utilities/SecCFWrappers.h> @@ -52,9 +53,18 @@ #include "SOSCloudKeychainConstants.h" #include "SOSCloudKeychainClient.h" +#include "SOSKVSKeys.h" +#include "SOSUserKeygen.h" +#include "SecOTRSession.h" +#include "SOSCloudKeychainLogging.h" + +#include <os/activity.h> +#include <os/state_private.h> + static CFStringRef sErrorDomain = CFSTR("com.apple.security.sos.transport.error"); +#define KVSLOGSTATE "kvsLogState" #define SOSCKCSCOPE "sync" // MARK: ---------- SOSCloudTransport ---------- 
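Review bot: `#include <os/activity.h>` is added a second time in this hunk; the file already includes it a few lines earlier (visible as context in the preceding hunk, next to `<syslog.h>`), so drop the duplicate. `KVSLOGSTATE` is defined here but not used in any hunk of this patch; if its only use is elsewhere in the file that's fine, otherwise remove it rather than leave a dangling macro.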
@@ -68,13 +78,76 @@ void SOSCloudKeychainSetTransport(SOSCloudTransportRef transport) { sTransport = transport; } +void SOSCloudTransportGet(SOSCloudTransportRef transport, CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); + + + /* Return the singleton cloud transport instance. */ +CFDictionaryRef SOSCloudCopyKVSState(void) { + __block CFDictionaryRef retval = NULL; + + static dispatch_queue_t processQueue = NULL; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + processQueue = dispatch_queue_create("KVSStateCapture", DISPATCH_QUEUE_SERIAL); + }); + + if (processQueue == NULL) + return NULL; + + dispatch_semaphore_t waitSemaphore = NULL; + + waitSemaphore = dispatch_semaphore_create(0); + + CloudKeychainReplyBlock replyBlock = ^ (CFDictionaryRef returnedValues, CFErrorRef error) { + retval = returnedValues; + if (retval) CFRetain(retval); + dispatch_semaphore_signal(waitSemaphore); + }; + + SOSCloudKeychainGetAllObjectsFromCloud(processQueue, replyBlock); + + dispatch_semaphore_wait(waitSemaphore, DISPATCH_TIME_FOREVER); + dispatch_release(waitSemaphore); + + return retval; +} + + +os_state_block_t kvsStateBlock = ^os_state_data_t(os_state_hints_t hints) { + os_state_data_t retval = NULL; + __block CFDictionaryRef kvsdict = NULL; + CFDataRef serializedKVS = NULL; + + require_quiet(hints->osh_api == 3, errOut); // only grab on sysdiagnose or command lin + + kvsdict = SOSCloudCopyKVSState(); + + require_quiet(kvsdict, errOut); + serializedKVS = CFPropertyListCreateData(kCFAllocatorDefault, kvsdict, kCFPropertyListBinaryFormat_v1_0, 0, NULL); + size_t statelen = CFDataGetLength(serializedKVS); + retval = (os_state_data_t)calloc(1, OS_STATE_DATA_SIZE_NEEDED(statelen)); + require_quiet(retval, errOut); + + retval->osd_type = OS_STATE_DATA_SERIALIZED_NSCF_OBJECT; + memcpy(retval->osd_data, CFDataGetBytePtr(serializedKVS), statelen); + retval->osd_size = statelen; + strcpy(retval->osd_title, "CloudCircle KVS 
Object"); +errOut: + CFReleaseNull(kvsdict); + CFReleaseNull(serializedKVS); + return retval; +}; + + static SOSCloudTransportRef SOSCloudTransportDefaultTransport(void) { static dispatch_once_t sTransportOnce; dispatch_once(&sTransportOnce, ^{ if (!sTransport) SOSCloudKeychainSetTransport(SOSCloudTransportCreateXPCTransport()); + // provide state handler to sysdiagnose and logging + os_state_add_handler(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), kvsStateBlock); }); return sTransport; } @@ -220,6 +293,7 @@ static void SOSXPCCloudTransportInit(SOSXPCCloudTransportRef transport) }); xpc_connection_resume(transport->idsProxyServiceConnection); xpc_retain(transport->idsProxyServiceConnection); + } static void talkWithIDS(SOSXPCCloudTransportRef transport, xpc_object_t message, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) @@ -389,7 +463,7 @@ xit: } /* Get from KVS */ -static void SOSCloudTransportGet(SOSCloudTransportRef transport, CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) +void SOSCloudTransportGet(SOSCloudTransportRef transport, CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) { SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport; secdebug(SOSCKCSCOPE, "%@", keysToGet); 
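Review bot: `CFPropertyListCreateData` can return NULL (for example if any KVS value is not a property-list type, and the error out-parameter is passed as NULL here), yet the next line passes the result straight to `CFDataGetLength`; add `require_quiet(serializedKVS, errOut);` before the length is taken. `strcpy(retval->osd_title, "CloudCircle KVS Object")` writes into a fixed-size field of the os_state_data struct; use `strlcpy(retval->osd_title, "CloudCircle KVS Object", sizeof(retval->osd_title));` so the title can never overrun it. The handler is registered on the global default queue and SOSCloudCopyKVSState parks that thread on `DISPATCH_TIME_FOREVER`; if the reply block never fires (proxy unavailable), the sysdiagnose request hangs, so a bounded `dispatch_time(DISPATCH_TIME_NOW, ...)` with a NULL return on timeout would be safer. The literal `3` in the `osh_api` check should be the named constant from os/state_private.h if one exists, and because this copies every KVS value unredacted into sysdiagnose output it is worth confirming that nothing stored in KVS is secret material — I can't tell that from this file.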
@@ -446,6 +520,24 @@ static void SOSCloudTransportGetIDSDeviceID(SOSCloudTransportRef transport, Clou xpc_release(message); } +static void SOSCloudTransportSendFragmentedIDSMessage(SOSCloudTransportRef transport, CFDictionaryRef messageData, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock){ + + SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport; + xpc_object_t xmessageData = _CFXPCCreateXPCObjectFromCFObject(messageData); + + xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0); + xpc_dictionary_set_uint64(message, kMessageKeyVersion, kCKDXPCVersion); + xpc_dictionary_set_string(message, kMessageKeyOperation, kOperationSendFragmentedIDSMessage); + + xpc_dictionary_set_value(message, kMessageKeyValue, xmessageData); + SecXPCDictionarySetCFObject(message, kMessageKeyDeviceName, deviceName); + SecXPCDictionarySetCFObject(message, kMessageKeyPeerID, peerID); + talkWithIDS(xpcTransport, message, processQueue, replyBlock); + + xpc_release(xmessageData); + xpc_release(message); +} + static void SOSCloudTransportSendIDSMessage(SOSCloudTransportRef transport, CFDictionaryRef messageData, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock){ SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport; @@ -454,6 +546,7 @@ static void SOSCloudTransportSendIDSMessage(SOSCloudTransportRef transport, CFDi xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_uint64(message, kMessageKeyVersion, kCKDXPCVersion); xpc_dictionary_set_string(message, kMessageKeyOperation, kOperationSendIDSMessage); + xpc_dictionary_set_value(message, kMessageKeyValue, xmessageData); SecXPCDictionarySetCFObject(message, kMessageKeyDeviceName, deviceName); SecXPCDictionarySetCFObject(message, kMessageKeyPeerID, peerID); 
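Review bot: SOSCloudTransportSendFragmentedIDSMessage hands the result of _CFXPCCreateXPCObjectFromCFObject straight to xpc_dictionary_set_value and xpc_release; when messageData is NULL or not convertible, xmessageData is NULL and `xpc_release(NULL)` aborts the process, whereas the RemoveObjectForKey code this commit deletes guarded the same conversion with require_action and reported kSOSObjectCantBeConvertedToXPCObject. The new function is otherwise a line-for-line copy of SOSCloudTransportSendIDSMessage with only the operation string changed, so the guard belongs in one shared helper that both call, as sketched below (this assumes makeError is still defined in the file after the deletion). Whether SecXPCDictionarySetCFObject tolerates a NULL deviceName or peerID is not visible in this diff and should be confirmed.
```c
/* Shared body for the fragmented and unfragmented IDS sends; only the operation name differs. */
static void SOSCloudTransportSendIDSMessageWithOperation(SOSCloudTransportRef transport, const char *operation, CFDictionaryRef messageData, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock)
{
    SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport;
    xpc_object_t xmessageData = messageData ? _CFXPCCreateXPCObjectFromCFObject(messageData) : NULL;
    if (!xmessageData) {
        // Refuse rather than hand a NULL to xpc_release(); same error the old RemoveObjectForKey path reported.
        CFErrorRef error = makeError(kSOSObjectCantBeConvertedToXPCObject);
        if (replyBlock)
            replyBlock(NULL, error);
        CFReleaseSafe(error);
        return;
    }

    xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_uint64(message, kMessageKeyVersion, kCKDXPCVersion);
    xpc_dictionary_set_string(message, kMessageKeyOperation, operation);
    xpc_dictionary_set_value(message, kMessageKeyValue, xmessageData);
    SecXPCDictionarySetCFObject(message, kMessageKeyDeviceName, deviceName);
    SecXPCDictionarySetCFObject(message, kMessageKeyPeerID, peerID);
    talkWithIDS(xpcTransport, message, processQueue, replyBlock);

    xpc_release(xmessageData);
    xpc_release(message);
}

static void SOSCloudTransportSendFragmentedIDSMessage(SOSCloudTransportRef transport, CFDictionaryRef messageData, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock)
{
    SOSCloudTransportSendIDSMessageWithOperation(transport, kOperationSendFragmentedIDSMessage, messageData, deviceName, peerID, processQueue, replyBlock);
}
```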
@@ -500,24 +593,14 @@ static void SOSCloudTransportSync(SOSCloudTransportRef transport, dispatch_queue xpc_release(message); } -static void SOSCloudTransportSyncAndWait(SOSCloudTransportRef transport, CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) +static void SOSCloudTransportSyncAndWait(SOSCloudTransportRef transport, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) { SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport; - secdebug(SOSCKCSCOPE, "%@", keysToGet); secnotice(SOSCKCSCOPE, "%s XPC request to CKD: %s", kWAIT2MINID, kOperationSynchronizeAndWait); - xpc_object_t xkeysOfInterest = xpc_dictionary_create(NULL, NULL, 0); - - xpc_object_t xkeysToRegister = keysToGet ? _CFXPCCreateXPCObjectFromCFObject(keysToGet) : xpc_null_create(); - xpc_dictionary_set_value(xkeysOfInterest, kMessageKeyKeysToGet, xkeysToRegister); - xpc_release(xkeysToRegister); - xkeysToRegister = NULL; xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_uint64(message, kMessageKeyVersion, kCKDXPCVersion); xpc_dictionary_set_string(message, kMessageKeyOperation, kOperationSynchronizeAndWait); - xpc_dictionary_set_value(message, kMessageKeyValue, xkeysOfInterest); - xpc_release(xkeysOfInterest); - xkeysOfInterest = NULL; talkWithKVS(xpcTransport, message, processQueue, replyBlock); xpc_release(message); 
@@ -534,60 +617,6 @@ static void SOSCloudTransportClearAll(SOSCloudTransportRef transport, dispatch_q xpc_release(message); } -static void SOSCloudTransportRemoveObjectForKey(SOSCloudTransportRef transport, CFStringRef keyToRemove, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) -{ - SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport; - secdebug(SOSCKCSCOPE, "start"); - CFErrorRef error = NULL; - xpc_object_t message = NULL; - xpc_object_t xkeytoremove = NULL; - - require_action(keyToRemove, xit, error = makeError(kSOSObjectNotFoundError)); - - message = xpc_dictionary_create(NULL, NULL, 0); - xpc_dictionary_set_uint64(message, kMessageKeyVersion, kCKDXPCVersion); - xpc_dictionary_set_string(message, kMessageKeyOperation, kOperationRemoveObjectForKey); - - xkeytoremove = _CFXPCCreateXPCObjectFromCFObject(keyToRemove); - require_action(xkeytoremove, xit, error = makeError(kSOSObjectCantBeConvertedToXPCObject)); - xpc_dictionary_set_value(message, kMessageKeyKey, xkeytoremove); - xpc_release(xkeytoremove); - - talkWithKVS(xpcTransport, message, processQueue, replyBlock); - xpc_release(message); - return; - -xit: - if(xkeytoremove) - xpc_release(xkeytoremove); - if(message) - xpc_release(message); - if (replyBlock) - replyBlock(NULL, error); - CFReleaseSafe(error); -} -static void SOSCloudTransportLocalNotification(SOSCloudTransportRef transport, CFStringRef messageToUser, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) -{ - SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport; - secdebug(SOSCKCSCOPE, "start"); - xpc_object_t xLocalNotificationDict = xpc_dictionary_create(NULL, NULL, 0); - char *headerKey = CFStringToCString(kCFUserNotificationAlertHeaderKey); - char *message = CFStringToCString(messageToUser); - xpc_dictionary_set_string(xLocalNotificationDict, headerKey, message); - - xpc_object_t xpcmessage = xpc_dictionary_create(NULL, NULL, 0); - 
xpc_dictionary_set_uint64(xpcmessage, kMessageKeyVersion, kCKDXPCVersion); - xpc_dictionary_set_string(xpcmessage, kMessageKeyOperation, kOperationUILocalNotification); - xpc_dictionary_set_value (xpcmessage, kMessageKeyValue, xLocalNotificationDict); - xpc_release(xLocalNotificationDict); - - talkWithKVS(xpcTransport, xpcmessage, processQueue, replyBlock); - - free(headerKey); - free(message); - xpc_release(xpcmessage); -} - static void SOSCloudTransportRequestSyncWithAllPeers(SOSCloudTransportRef transport, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) { secdebug(SOSCKCSCOPE, "start"); @@ -630,6 +659,27 @@ static void SOSCloudTransportFlush(SOSCloudTransportRef transport, dispatch_queu xpc_release(xpcmessage); } +static void SOSCloudTransportCheckIDSDeviceIDAvailability(SOSCloudTransportRef transport, CFArrayRef ids, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) +{ + secdebug(SOSCKCSCOPE, "start"); + SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport; + + xpc_object_t xIDSArray = _CFXPCCreateXPCObjectFromCFObject(ids); + + xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0); + xpc_dictionary_set_uint64(message, kMessageKeyVersion, kCKDXPCVersion); + xpc_dictionary_set_string(message, kMessageKeyOperation, kOperationSendDeviceList); + + SecXPCDictionarySetCFObject(message, kMessageKeyPeerID, peerID); + xpc_dictionary_set_value(message, kMessageKeyValue, xIDSArray); + + talkWithIDS(xpcTransport, message, processQueue, replyBlock); + + xpc_release(xIDSArray); + xpc_release(message); + +} + static SOSCloudTransportRef SOSCloudTransportCreateXPCTransport(void) { SOSXPCCloudTransportRef st; 
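Review bot: SOSCloudTransportCheckIDSDeviceIDAvailability has the same unguarded conversion as the new IDS send path: `_CFXPCCreateXPCObjectFromCFObject(ids)` returns NULL for a NULL or non-convertible array, after which the function passes NULL to xpc_dictionary_set_value and then calls `xpc_release(xIDSArray)`, which aborts. Guard it right after the conversion, e.g. `if (!xIDSArray) { if (replyBlock) replyBlock(NULL, NULL); return; }`, or report a CFError the way the deleted RemoveObjectForKey code did. The stray blank line before the closing brace should also go.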
@@ -637,17 +687,18 @@ static SOSCloudTransportRef SOSCloudTransportCreateXPCTransport(void) st->transport.put = SOSCloudTransportPut; st->transport.updateKeys = SOSCloudTransportUpdateKeys; st->transport.sendIDSMessage = SOSCloudTransportSendIDSMessage; + st->transport.sendFragmentedIDSMessage = SOSCloudTransportSendFragmentedIDSMessage; + st->transport.getDeviceID = SOSCloudTransportGetIDSDeviceID; st->transport.get = SOSCloudTransportGet; st->transport.getAll = SOSCloudTransportGetAll; st->transport.synchronize = SOSCloudTransportSync; st->transport.synchronizeAndWait = SOSCloudTransportSyncAndWait; st->transport.clearAll = SOSCloudTransportClearAll; - st->transport.removeObjectForKey = SOSCloudTransportRemoveObjectForKey; - st->transport.localNotification = SOSCloudTransportLocalNotification; st->transport.requestSyncWithAllPeers = SOSCloudTransportRequestSyncWithAllPeers; st->transport.requestEnsurePeerRegistration = SOSCloudTransportRequestEnsurePeerRegistration; st->transport.flush = SOSCloudTransportFlush; + st->transport.getIDSDeviceAvailability = SOSCloudTransportCheckIDSDeviceIDAvailability; st->transport.itemsChangedBlock = Block_copy(^CFArrayRef(CFDictionaryRef changes) { secerror("Calling default itemsChangedBlock - fatal: %@", changes); assert(false); 
@@ -681,12 +732,22 @@ void SOSCloudKeychainUpdateKeys(CFDictionaryRef keys, dispatch_queue_t processQu cTransportRef->updateKeys(cTransportRef, keys, processQueue, replyBlock); } -void SOSCloudKeychainSendIDSMessage(CFDictionaryRef message, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) +void SOSCloudKeychainSendIDSMessage(CFDictionaryRef message, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CFBooleanRef fragmentation, CloudKeychainReplyBlock replyBlock) { SOSCloudTransportRef cTransportRef = SOSCloudTransportDefaultTransport(); - if(cTransportRef) + + if(cTransportRef && fragmentation == kCFBooleanTrue) + cTransportRef->sendFragmentedIDSMessage(cTransportRef, message, deviceName, peerID, processQueue, replyBlock); + else if(cTransportRef) cTransportRef->sendIDSMessage(cTransportRef, message, deviceName, peerID, processQueue, replyBlock); - + +} +void SOSCloudKeychainGetIDSDeviceAvailability(CFArrayRef ids, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock){ + + SOSCloudTransportRef cTransportRef = SOSCloudTransportDefaultTransport(); + + if (cTransportRef) + cTransportRef->getIDSDeviceAvailability(cTransportRef, ids, peerID, processQueue, replyBlock); } void SOSCloudKeychainGetIDSDeviceID(CloudKeychainReplyBlock replyBlock) { 
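Review bot: In SOSCloudKeychainSendIDSMessage the new `fragmentation` parameter is a CFBooleanRef compared by identity with kCFBooleanTrue, so a NULL argument, or any other CF object a caller happens to pass, silently selects the unfragmented send instead of failing. A plain `bool fragmentation` (with the header declaration in this commit changed in step) states the intent and removes the NULL case; if the CF type must stay, read it as `fragmentation && CFBooleanGetValue(fragmentation)` rather than by pointer comparison. The new SOSCloudKeychainGetIDSDeviceAvailability also puts its opening brace on the signature line and leaves a blank line before `}`, unlike every sibling wrapper in this hunk.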
@@ -719,11 +780,11 @@ void SOSCloudKeychainGetAllObjectsFromCloud(dispatch_queue_t processQueue, Cloud cTransportRef->getAll(cTransportRef, processQueue, replyBlock); } -void SOSCloudKeychainSynchronizeAndWait(CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) +void SOSCloudKeychainSynchronizeAndWait(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) { SOSCloudTransportRef cTransportRef = SOSCloudTransportDefaultTransport(); if (cTransportRef) - cTransportRef->synchronizeAndWait(cTransportRef, keysToGet, processQueue, replyBlock); + cTransportRef->synchronizeAndWait(cTransportRef, processQueue, replyBlock); } //DEBUG ONLY @@ -742,13 +803,6 @@ void SOSCloudKeychainClearAll(dispatch_queue_t processQueue, CloudKeychainReplyB cTransportRef->clearAll(cTransportRef, processQueue, replyBlock); } -void SOSCloudKeychainRemoveObjectForKey(CFStringRef keyToRemove, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) -{ - SOSCloudTransportRef cTransportRef = SOSCloudTransportDefaultTransport(); - if (cTransportRef) - cTransportRef->removeObjectForKey(cTransportRef, keyToRemove, processQueue, replyBlock); -} - void SOSCloudKeychainRequestSyncWithAllPeers(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock) { SOSCloudTransportRef cTransportRef = SOSCloudTransportDefaultTransport(); @@ -769,4 +823,3 @@ void SOSCloudKeychainFlush(dispatch_queue_t processQueue, CloudKeychainReplyBloc if (cTransportRef) cTransportRef->flush(cTransportRef, processQueue, replyBlock); } - diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h index a43b1f4c..dc1bddc2 100644 --- a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h +++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h 
@@ -68,21 +68,22 @@ struct SOSCloudTransport void (*updateKeys)(SOSCloudTransportRef transport, CFDictionaryRef keys, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*sendIDSMessage)(SOSCloudTransportRef transport, CFDictionaryRef data, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); + void (*sendFragmentedIDSMessage)(SOSCloudTransportRef transport, CFDictionaryRef data, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); + void (*getDeviceID)(SOSCloudTransportRef transport, CloudKeychainReplyBlock replyBlock); // Debug calls void (*get)(SOSCloudTransportRef transport, CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*getAll)(SOSCloudTransportRef transport, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*synchronize)(SOSCloudTransportRef transport, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); - void (*synchronizeAndWait)(SOSCloudTransportRef transport, CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); + void (*synchronizeAndWait)(SOSCloudTransportRef transport, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*clearAll)(SOSCloudTransportRef transport, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*removeObjectForKey)(SOSCloudTransportRef transport, CFStringRef keyToRemove, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); - void (*localNotification)(SOSCloudTransportRef transport, CFStringRef messageToUser, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*requestSyncWithAllPeers)(SOSCloudTransportRef transport, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*requestEnsurePeerRegistration)(SOSCloudTransportRef transport, dispatch_queue_t processQueue, 
CloudKeychainReplyBlock replyBlock); void (*flush)(SOSCloudTransportRef transport, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); - void (*checkAvailability)(SOSCloudTransportRef transport, CFArrayRef peerList, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); + void (*getIDSDeviceAvailability)(SOSCloudTransportRef transport, CFArrayRef ids, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); const void *itemsChangedBlock; }; @@ -91,8 +92,7 @@ struct SOSCloudTransport void SOSCloudKeychainSetTransport(SOSCloudTransportRef transport); void SOSCloudKeychainGetIDSDeviceID(CloudKeychainReplyBlock replyBlock); -void SOSCloudKeychainSendIDSMessage(CFDictionaryRef message, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); - +void SOSCloudKeychainSendIDSMessage(CFDictionaryRef message, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CFBooleanRef fragmentation, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainUpdateKeys(CFDictionaryRef keys, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainUnRegisterKeys(CFArrayRef keysToUnregister, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); 
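Review bot: The `void (*removeObjectForKey)(...)` slot stays in struct SOSCloudTransport even though this commit deletes SOSCloudTransportRemoveObjectForKey, its assignment in SOSCloudTransportCreateXPCTransport and the SOSCloudKeychainRemoveObjectForKey wrapper, so the XPC transport now carries a NULL function pointer that any remaining `transport->removeObjectForKey(...)` call would dereference; no such caller is visible in this diff, but nothing documents that the slot is unset either. Delete the line together with `localNotification`, or if a non-XPC transport still fills it, add `// Not implemented by the XPC transport; check for NULL before calling.` next to it. The struct definition begins before this hunk.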
@@ -102,21 +102,21 @@ void SOSCloudKeychainPutObjectsInCloud(CFDictionaryRef objects, dispatch_queue_t void SOSCloudKeychainSetItemsChangedBlock(CloudItemsChangedBlock itemsChangedBlock); CF_RETURNS_RETAINED CFArrayRef SOSCloudKeychainHandleUpdateMessage(CFDictionaryRef updates); -void SOSCloudKeychainSynchronizeAndWait(CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); +void SOSCloudKeychainSynchronizeAndWait(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); // Debug only? void SOSCloudKeychainGetObjectsFromCloud(CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainSynchronize(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainClearAll(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); -void SOSCloudKeychainRemoveObjectForKey(CFStringRef keyToRemove, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainGetAllObjectsFromCloud(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainRequestSyncWithAllPeers(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainRequestEnsurePeerRegistration(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainFlush(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); - +void SOSCloudKeychainGetIDSDeviceAvailability(CFArrayRef ids, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); +CFDictionaryRef SOSCloudCopyKVSState(void); __END_DECLS diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c index 1bd4fd11..6e3d4f35 100644 --- a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c +++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c 
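Review bot: `CFDictionaryRef SOSCloudCopyKVSState(void);` is declared without CF_RETURNS_RETAINED although the sibling SOSCloudKeychainHandleUpdateMessage a few lines above carries it and the implementation CFRetains the dictionary before returning, so the analyzer cannot see that callers own the result. Declare it as `CF_RETURNS_RETAINED CFDictionaryRef SOSCloudCopyKVSState(void);` and add a one-line comment that it blocks the calling thread until cloudkeychainproxy replies (the implementation waits with DISPATCH_TIME_FOREVER), returns NULL when nothing came back, and returns the complete KVS contents, so callers should not log it wholesale.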
@@ -68,6 +68,7 @@ const char *kMessageKeyDeviceName = "deviceName"; const char *kMessageKeyIDSDataMessage = "idsDataMessage"; const char *kMessageKeyDeviceID = "deviceID"; const char *kMessageKeyPeerID = "peerID"; +const char *kMessageKeySendersPeerID = "sendersPeerID"; const char *kMessageOperationItemChanged = "ItemChanged"; @@ -79,14 +80,13 @@ const char *kOperationFlush = "Flush"; const char *kOperationPUTDictionary = "PUTDictionary"; const char *kOperationGETv2 = "GETv2"; -const char *kOperationRemoveObjectForKey = "RemoveObjectForKey"; const char *kOperationRegisterKeys = "RegisterKeys"; const char *kOperationGetDeviceID = "DeviceID"; +const char *kOperationSendDeviceList = "IDSDeviceList"; const char *kOperationSendIDSMessage = "IDSMessage"; - -const char *kOperationUILocalNotification = "UILocalNotification"; +const char *kOperationSendFragmentedIDSMessage = "IDSMessageFragmented"; const char *kOperationRequestSyncWithAllPeers = "requestSyncWithAllPeers"; const char *kOperationRequestEnsurePeerRegistration = "requestEnsurePeerRegistration"; diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h index 3e7acca4..d3e36e24 100644 --- a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h +++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h @@ -43,13 +43,13 @@ extern const char *kMessageKeyKeysToGet; extern const char *kMessageKeyKeysRequireFirstUnlock; extern const char *kMessageKeyKeysRequiresUnlocked; extern const char *kMessageOperationItemChanged; -extern const char *kOperationRemoveObjectForKey; extern const char *kMessageKeyNotificationFlags; extern const char *kMessageKeyIDS; extern const char *kMessageKeyDeviceName; extern const char *kMessageKeyIDSDataMessage; extern const char *kMessageKeyDeviceID; extern const char *kMessageKeyPeerID; +extern const char *kMessageKeySendersPeerID; extern const char *kMessageContext; extern const char *kMessageKeyParameter; 
@@ -71,13 +71,15 @@ extern const char *kOperationRegisterKeys; extern const char *kOperationGetDeviceID; extern const uint64_t kCKDXPCVersion; -extern const char *kOperationUILocalNotification; extern const char *kOperationFlush; extern const char *kOperationRequestSyncWithAllPeers; extern const char *kOperationRequestEnsurePeerRegistration; extern const char *kOperationSendIDSMessage; +extern const char *kOperationSendDeviceList; + +extern const char *kOperationSendFragmentedIDSMessage; extern const char * const kCloudKeychainStorechangeChangeNotification; diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainLogging.c b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainLogging.c new file mode 100644 index 00000000..066e05ec --- /dev/null +++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainLogging.c 
@@ -0,0 +1,222 @@
+//
+// SOSCloudKeychainLogging.c
+// sec
+//
+// Created by Richard Murphy on 6/21/16.
+//
+//
+
+#include <AssertMacros.h>
+#include <CoreFoundation/CoreFoundation.h>
+//#include <syslog.h>
+//#include <os/activity.h>
+#include <utilities/debugging.h>
+#include <utilities/SecCFWrappers.h>
+#include <utilities/SecXPCError.h>
+#include "SOSCloudKeychainConstants.h"
+#include "SOSCloudKeychainClient.h"
+#include "SOSKVSKeys.h"
+#include "SOSUserKeygen.h"
+#include "SecOTRSession.h"
+#include "SOSCloudKeychainLogging.h"
+
+
+#define DATE_LENGTH 18
+
+#define KVSLOGSTATE "kvsLogState"
+
+static CFStringRef SOSCloudKVSCreateDateFromValue(CFDataRef valueAsData) {
+ CFStringRef dateString = NULL;
+ CFDataRef dateData = CFDataCreateCopyFromRange(kCFAllocatorDefault, valueAsData, CFRangeMake(0, DATE_LENGTH));
+ require_quiet(dateData, retOut);
+ dateString = CFStringCreateFromExternalRepresentation(kCFAllocatorDefault, dateData, kCFStringEncodingUTF8);
+ CFReleaseNull(dateData);
+retOut:
+ return dateString;
+}
+
+static CFDataRef SOSCloudKVSCreateDataFromValueAfterDate(CFDataRef valueAsData) {
+ return CFDataCreateCopyFromPositions(kCFAllocatorDefault, valueAsData, DATE_LENGTH, CFDataGetLength(valueAsData));
+}
+
+static void SOSCloudKVSLogCircle(CFTypeRef key, CFStringRef dateString, CFTypeRef value) {
+ if(!isData(value)) return;
+ SOSCircleRef circle = SOSCircleCreateFromData(NULL, value, NULL);
+ require_quiet(circle, retOut);
+ secnotice(KVSLOGSTATE, "%@ %@:", key, dateString);
+ SOSCircleLogState(KVSLOGSTATE, circle, NULL, NULL);
+ CFReleaseSafe(circle);
+retOut:
+ return;
+}
+
+static void SOSCloudKVSLogLastCircle(CFTypeRef key, CFTypeRef value) {
+ if(!isData(value)) return;
+ CFStringRef circle = NULL;
+ CFStringRef from = NULL;
+ CFStringRef peerID = CFSTR(" ");
+ bool parsed = SOSKVSKeyParse(kLastCircleKey, key, &circle, NULL, NULL, NULL, &from, NULL);
+ if(parsed) {
+ peerID = from;
+ }
+ CFStringRef speerID =
CFStringCreateTruncatedCopy(peerID, 8);
+ CFStringRef dateString = SOSCloudKVSCreateDateFromValue(value);
+ CFDataRef circleData = SOSCloudKVSCreateDataFromValueAfterDate(value);
+ CFStringRef keyPrefix = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@ from %@: "), circle, speerID);
+ SOSCloudKVSLogCircle(keyPrefix, dateString, circleData);
+ CFReleaseNull(keyPrefix);
+ CFReleaseNull(speerID);
+ CFReleaseNull(from);
+ CFReleaseNull(dateString);
+ CFReleaseNull(circleData);
+}
+
+static void SOSCloudKVSLogKeyParameters(CFTypeRef key, CFStringRef dateString, CFTypeRef value) {
+ if(!isData(value)) return;
+ CFStringRef keyParameterDescription = UserParametersDescription(value);
+ if(!keyParameterDescription) keyParameterDescription = CFDataCopyHexString(value);
+ secnotice(KVSLOGSTATE, "%@: %@: %@", key, dateString, keyParameterDescription);
+ CFReleaseNull(keyParameterDescription);
+}
+
+static void SOSCloudKVSLogLastKeyParameters(CFTypeRef key, CFTypeRef value) {
+ if(!isData(value)) return;
+ CFStringRef from = NULL;
+ CFStringRef peerID = CFSTR(" ");
+ bool parsed = SOSKVSKeyParse(kLastKeyParameterKey, key, NULL, NULL, NULL, NULL, &from, NULL);
+ if(parsed) {
+ peerID = from;
+ }
+ CFStringRef speerID = CFStringCreateTruncatedCopy(peerID, 8);
+ CFDataRef keyParameterData = SOSCloudKVSCreateDataFromValueAfterDate(value);
+ CFStringRef dateString = SOSCloudKVSCreateDateFromValue(value);
+ CFStringRef keyPrefix = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("k%@ from %@: "), kSOSKVSKeyParametersKey, speerID);
+
+ SOSCloudKVSLogKeyParameters(keyPrefix, dateString, keyParameterData);
+ CFReleaseNull(keyPrefix);
+ CFReleaseNull(speerID);
+ CFReleaseNull(dateString);
+ CFReleaseNull(from);
+ CFReleaseNull(keyParameterData);
+}
+
+static void SOSCloudKVSLogMessage(CFTypeRef key, CFTypeRef value) {
+ CFStringRef circle = NULL;
+ CFStringRef from = NULL;
+ CFStringRef to = NULL;
+ bool parsed = SOSKVSKeyParse(kMessageKey, key, &circle, NULL,
NULL, NULL, &from, &to);
+ if(parsed) {
+ CFStringRef sfrom = CFStringCreateTruncatedCopy(from, 8);
+ CFStringRef sto = CFStringCreateTruncatedCopy(to, 8);
+ if(isData(value)){
+ const char* messageType = SecOTRPacketTypeString(value);
+ secnotice(KVSLOGSTATE, "message packet from: %@ to: %@ : %s: %ld", sfrom, sto, messageType, CFDataGetLength(value));
+ } else {
+ secnotice(KVSLOGSTATE, "message packet from: %@ to: %@: %@", sfrom, sto, value);
+ }
+ CFReleaseNull(sfrom);
+ CFReleaseNull(sto);
+ } else {
+ secnotice(KVSLOGSTATE, "%@: %@", key, value);
+ }
+ CFReleaseNull(circle);
+ CFReleaseNull(from);
+ CFReleaseNull(to);
+}
+
+static void SOSCloudKVSLogRetirement(CFTypeRef key, CFTypeRef value) {
+ CFStringRef circle = NULL;
+ CFStringRef from = NULL;
+ bool parsed = SOSKVSKeyParse(kRetirementKey, key, &circle, NULL, NULL, NULL, &from, NULL);
+ if(parsed) {
+ CFStringRef sfrom = CFStringCreateTruncatedCopy(from, 8);
+ secnotice(KVSLOGSTATE, "Retired Peer: %@, from Circle: %@", sfrom, circle);
+ CFReleaseNull(sfrom);
+ } else {
+ secnotice(KVSLOGSTATE, "Retired Peer format unknown - %@", key);
+ }
+ CFReleaseNull(circle);
+ CFReleaseNull(from);
+}
+
+static void SOSCloudKVSLogKeyType(CFTypeRef key, CFTypeRef value, SOSKVSKeyType type){
+ switch (type) {
+ case kCircleKey:
+ SOSCloudKVSLogCircle(key, CFSTR(" Current "), value);
+ break;
+ case kRetirementKey:
+ SOSCloudKVSLogRetirement(key, value);
+ break;
+ case kMessageKey:
+ SOSCloudKVSLogMessage(key, value);
+ break;
+ case kParametersKey:
+ SOSCloudKVSLogKeyParameters(key, CFSTR(" Current "), value);
+ break;
+ case kLastKeyParameterKey:
+ SOSCloudKVSLogLastKeyParameters(key, value);
+ break;
+ case kLastCircleKey:
+ SOSCloudKVSLogLastCircle(key, value);
+ break;
+ case kInitialSyncKey:
+ case kAccountChangedKey:
+ case kDebugInfoKey:
+ case kRingKey:
+ case kPeerInfoKey:
+ default:
+ break;
+ }
+}
+
+void SOSCloudKVSLogState(void) {
+ static int ordering[] = {
+ kParametersKey,
+ kLastKeyParameterKey,
+
kCircleKey,
+ kLastCircleKey,
+ kRetirementKey,
+ kMessageKey,
+ kInitialSyncKey,
+ kAccountChangedKey,
+ kDebugInfoKey,
+ kRingKey,
+ kPeerInfoKey,
+ kUnknownKey,
+ };
+ dispatch_semaphore_t waitSemaphore = dispatch_semaphore_create(0);
+ dispatch_time_t finishTime = dispatch_time(DISPATCH_TIME_NOW, 10ull * NSEC_PER_SEC);
+ static volatile bool inUse = false; // Don't let log attempts stack
+
+ if(!inUse) {
+ inUse = true;
+ dispatch_retain(waitSemaphore);
+ dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+ CFDictionaryRef kvsDictionary = SOSCloudCopyKVSState();
+ if(kvsDictionary){
+ secnotice(KVSLOGSTATE, "Start");
+ // if we have anything to log - do it here.
+ for (size_t i = 0; i < (sizeof(ordering) / sizeof(SOSKVSKeyType)); i++){
+ CFDictionaryForEach(kvsDictionary, ^(const void *key, const void *value) {
+ if(SOSKVSKeyGetKeyType(key) == ordering[i]){
+ SOSCloudKVSLogKeyType(key, value, ordering[i]);
+ }
+ });
+ }
+ secnotice(KVSLOGSTATE, "Finish");
+ CFReleaseNull(kvsDictionary);
+ } else{
+ secnotice(KVSLOGSTATE, "dictionary from KVS is NULL");
+ }
+
+ inUse=false;
+ dispatch_semaphore_signal(waitSemaphore);
+ dispatch_release(waitSemaphore);
+ });
+ }
+
+ dispatch_semaphore_wait(waitSemaphore, finishTime);
+ dispatch_release(waitSemaphore);
+
+}
+
diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainLogging.h b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainLogging.h
new file mode 100644
index 00000000..938d9c81
--- /dev/null
+++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainLogging.h
@@ -0,0 +1,13 @@
+//
+// SOSCloudKeychainLogging.h
+// sec
+//
+//
+//
+
+#ifndef SOSCloudKeychainLogging_h
+#define SOSCloudKeychainLogging_h
+
+void SOSCloudKVSLogState(void);
+
+#endif /* SOSCloudKeychainLogging_h */
diff --git a/OSX/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.h b/OSX/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.h
index 91635b4f..6502ce5b 100644
--- a/OSX/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.h
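Review bot: SOSCloudKVSCreateDateFromValue and SOSCloudKVSCreateDataFromValueAfterDate assume every value is at least DATE_LENGTH (18) bytes, but these values arrive from iCloud KVS, i.e. from other devices on the account, and nothing checks the length before `CFRangeMake(0, DATE_LENGTH)` or the DATE_LENGTH-to-end copy; unless the SecCFWrappers helpers clamp the range (not visible here), a short or empty value reads out of bounds or requests an inverted range. Add `if (!valueAsData || CFDataGetLength(valueAsData) < DATE_LENGTH) return NULL;` at the top of both helpers. In SOSCloudKVSLogState, `static volatile bool inUse` is tested and then set with no atomicity, so two concurrent callers can both pass the check, and `volatile` gives no ordering; an atomic exchange, or running the check on a serial queue, is needed if this is reachable from more than one thread. Also note that the kParametersKey fallback `CFDataCopyHexString(value)` and the unparsed-key `"%@: %@"` path write the raw KVS value into the log at notice level, so it should be confirmed that none of those values carry secret material before this ships.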
+++ b/OSX/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.h @@ -70,10 +70,11 @@ @property (atomic) bool syncTimerScheduled; @property (atomic) dispatch_time_t deadline; @property (atomic) dispatch_time_t lastSyncTime; + +@property (atomic) dispatch_queue_t ckdkvsproxy_queue; @property (atomic) dispatch_queue_t calloutQueue; @property (atomic) dispatch_queue_t freshParamsQueue; -@property (atomic) dispatch_queue_t ckdkvsproxy_queue; @property (atomic) dispatch_source_t penaltyTimer; @property (atomic) bool penaltyTimerScheduled; @property (retain, atomic) NSMutableDictionary *monitor; @@ -91,6 +92,8 @@ - (void)requestSynchronization:(bool)force; - (void)waitForSynchronization:(NSArray *)keys handler:(void (^)(NSDictionary *values, NSError *err))handler; - (void)clearStore; +- (void)recordWriteToKVS:(NSDictionary *)values; +- (NSDictionary*)recordHaltedValuesAndReturnValuesToSafelyWrite:(NSDictionary *)values; - (void)setObjectsFromDictionary:(NSDictionary *)values; - (void)removeObjectForKey:(NSString *)keyToRemove; - (void)processAllItems; @@ -113,8 +116,6 @@ - (void)registerKeys: (NSDictionary*)keys; -- (NSDictionary *)localNotification:(NSDictionary *)localNotificationDict outFlags:(int64_t *)outFlags; - - (void)processKeyChangedEvent:(NSDictionary *)keysChangedInCloud; - (NSMutableDictionary *)copyValues:(NSSet *)keysOfInterest; @@ -122,7 +123,4 @@ - (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration))) callout; - (void) sendKeysCallout: (NSSet *(^)(NSSet* pending, NSError **error)) handleKeys; -- (void)recordWriteToKVS:(NSDictionary *)values; -- (NSDictionary*)recordHaltedValuesAndReturnValuesToSafelyWrite:(NSDictionary *)values; - @end diff --git a/OSX/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.m b/OSX/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.m index bada77e5..b4d0d7af 100644 
--- a/OSX/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.m +++ b/OSX/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.m @@ -39,7 +39,6 @@ #import "CKDKVSProxy.h" #import "CKDPersistentState.h" -#import "CKDUserInteraction.h" #include <Security/SecureObjectSync/SOSARCDefines.h> #import <IDS/IDS.h> @@ -77,7 +76,6 @@ static NSString *kKeyUnlockNotificationRequested = @"unlockNotificationRequested static NSString *kKeySyncWithPeersPending = @"SyncWithPeersPending"; static NSString *kKeyEnsurePeerRegistration = @"EnsurePeerRegistration"; static NSString *kKeyDSID = @"DSID"; - static NSString *kMonitorState = @"MonitorState"; static NSString *kMonitorPenaltyBoxKey = @"Penalty"; @@ -98,8 +96,7 @@ static NSString *kMonitorWroteInTimeSlice = @"TimeSlice"; #define kSecServerKeychainChangedNotification "com.apple.security.keychainchanged" static int max_penalty_timeout = 32; -static int seconds_per_minute = 60; - +static int seconds_per_minute = 5; enum { kCallbackMethodSecurityd = 0, @@ -117,11 +114,6 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee @interface NSUbiquitousKeyValueStore (NSUbiquitousKeyValueStore_PrivateZ) - (void) _synchronizeWithCompletionHandler:(void (^)(NSError *error))completionHandler; -/* - // SPI For Security - - (void) synchronizeWithCompletionHandler:(void (^)(NSError *error))completionHandler; - */ - @end @implementation UbiqitousKVSProxy @@ -160,7 +152,7 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee [self timerFired]; }); dispatch_resume(_syncTimer); - + _monitor = [NSMutableDictionary dictionary]; [[NSNotificationCenter defaultCenter] 
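Review bot: `seconds_per_minute` now equals 5, which contradicts its own name and the `waiting %d minutes` messages in increasePenalty/decreasePenalty, and if it feeds the penalty timers it cuts the KVS write back-off by a factor of twelve (a 32-"minute" maximum becomes 160 seconds). If this is a deliberate retuning, rename it, e.g. `penalty_unit_seconds`, and fix the log text to match; if it is a debugging leftover, restore `static int seconds_per_minute = 60;` before this ships. How the constant is consumed is outside this hunk.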
@@ -174,12 +166,13 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee name:NSUbiquitousKeyValueStoreDidChangeExternallyNotification object:nil]; int notificationToken; - notify_register_dispatch(kSecServerKeychainChangedNotification, ¬ificationToken, _ckdkvsproxy_queue, + notify_register_dispatch(kSecServerKeychainChangedNotification, ¬ificationToken, dispatch_get_main_queue(), ^ (int token __unused) { secinfo("backoff", "keychain changed, wiping backoff monitor state"); _monitor = [NSMutableDictionary dictionary]; }); + [self importKeyInterests: [SOSPersistentState registeredKeys]]; // Register for lock state changes @@ -274,7 +267,7 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee -(void) increasePenalty:(NSNumber*)currentPenalty key:(NSString*)key keyEntry:(NSMutableDictionary**)keyEntry { - secnotice("backoff", "increasing penalty!"); + secinfo("backoff", "increasing penalty!"); int newPenalty = 0; if([currentPenalty intValue] == max_penalty_timeout){ newPenalty = max_penalty_timeout; @@ -283,12 +276,12 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee newPenalty = 1; else newPenalty = [currentPenalty intValue]*2; - - secnotice("backoff", "key %@, waiting %d minutes long to send next messages", key, newPenalty); - + + secinfo("backoff", "key %@, waiting %d minutes long to send next messages", key, newPenalty); + NSNumber* penalty_timeout = [[NSNumber alloc]initWithInt:newPenalty]; dispatch_source_t existingTimer = [*keyEntry valueForKey:kMonitorPenaltyTimer]; - + if(existingTimer != nil){ [*keyEntry removeObjectForKey:kMonitorPenaltyTimer]; dispatch_suspend(existingTimer); 
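Review bot: Moving the keychain-changed handler from `_ckdkvsproxy_queue` to `dispatch_get_main_queue()` means `_monitor` is now replaced from the main queue while other methods in this file (penaltyTimerFired, increasePenalty and decreasePenalty further down) read and mutate the same NSMutableDictionary; the `atomic` property only makes the pointer swap safe, not the dictionary contents, and the queue those methods run on is not visible in this diff. If they run on `_ckdkvsproxy_queue`, either keep the notification on that queue or wrap the reset in `dispatch_async(_ckdkvsproxy_queue, ^{ _monitor = [NSMutableDictionary dictionary]; });`; if everything really runs on main, say so in a comment on this line, since the old queue choice suggested otherwise. The enclosing initializer continues on both sides of the hunk.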
@@ -300,7 +293,7 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee dispatch_source_t timer = [self setNewTimer:newPenalty key:key]; [*keyEntry setObject:timer forKey:kMonitorPenaltyTimer]; } - + [*keyEntry setObject:penalty_timeout forKey:kMonitorPenaltyBoxKey]; [_monitor setObject:*keyEntry forKey:key]; } @@ -308,16 +301,16 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee -(void) decreasePenalty:(NSNumber*)currentPenalty key:(NSString*)key keyEntry:(NSMutableDictionary**)keyEntry { int newPenalty = 0; - secnotice("backoff","decreasing penalty!"); + secinfo("backoff","decreasing penalty!"); if([currentPenalty intValue] == 0 || [currentPenalty intValue] == 1) newPenalty = 0; else newPenalty = [currentPenalty intValue]/2; - - secnotice("backoff","key %@, waiting %d minutes long to send next messages", key, newPenalty); - + + secinfo("backoff","key %@, waiting %d minutes long to send next messages", key, newPenalty); + NSNumber* penalty_timeout = [[NSNumber alloc]initWithInt:newPenalty]; - + dispatch_source_t existingTimer = [*keyEntry valueForKey:kMonitorPenaltyTimer]; if(existingTimer != nil){ [*keyEntry removeObjectForKey:kMonitorPenaltyTimer]; @@ -338,7 +331,7 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee [*keyEntry setObject:timer forKey:kMonitorPenaltyTimer]; } } - + [*keyEntry setObject:penalty_timeout forKey:kMonitorPenaltyBoxKey]; [_monitor setObject:*keyEntry forKey:key]; 
@@ -346,24 +339,24 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee - (void)penaltyTimerFired:(NSString*)key { - secnotice("backoff", "key: %@, !!!!!!!!!!!!!!!!penalty timeout is up!!!!!!!!!!!!", key); + secinfo("backoff","key: %@, !!!!!!!!!!!!!!!!penalty timeout is up!!!!!!!!!!!!", key); NSMutableDictionary *keyEntry = [_monitor objectForKey:key]; NSMutableDictionary *queuedMessages = [keyEntry objectForKey:kMonitorMessageQueue]; - secnotice("backoff","key: %@, queuedMessages: %@", key, queuedMessages); + secinfo("backoff","key: %@, queuedMessages: %@", key, queuedMessages); if(queuedMessages && [queuedMessages count] != 0){ - secnotice("backoff","key: %@, message queue not empty, writing to KVS!", key); + secinfo("backoff","key: %@, message queue not empty, writing to KVS!", key); [self setObjectsFromDictionary:queuedMessages]; [keyEntry setObject:[NSMutableDictionary dictionary] forKey:kMonitorMessageQueue]; } //decrease timeout since we successfully wrote messages out NSNumber *penalty_timeout = [keyEntry valueForKey:kMonitorPenaltyBoxKey]; [self decreasePenalty:penalty_timeout key:key keyEntry:&keyEntry]; - + //recompute the timetable and number of consecutive writes to KVS NSMutableDictionary *timetable = [keyEntry valueForKey:kMonitorTimeTable]; NSNumber *consecutiveWrites = [keyEntry valueForKey:kMonitorConsecutiveWrites]; [self recordTimestampForAppropriateInterval:&timetable key:key consecutiveWrites:&consecutiveWrites]; - + [keyEntry setObject:consecutiveWrites forKey:kMonitorConsecutiveWrites]; [keyEntry setObject:timetable forKey:kMonitorTimeTable]; [_monitor setObject:keyEntry forKey:key]; 
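Review bot: `secinfo("backoff","key: %@, queuedMessages: %@", key, queuedMessages)` prints the entire queued-message dictionary, i.e. the values about to be written to KVS, into the log, and the commit only lowers the level from secnotice to secinfo rather than reducing what is logged. If these are keychain-sync payloads, log their keys or count instead, e.g. `secinfo("backoff","key: %@, %lu queued messages", key, (unsigned long)[queuedMessages count]);`; the `"!!writing these keys to KVS!!: %@", values` line elsewhere in this patch has the same issue. The `!!!!!!!!` banner in the first log line is also noise in a secinfo message and could simply read `"key: %@, penalty timeout expired"`.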
@@ -377,7 +370,7 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee NSMutableDictionary *thirdMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 3], kMonitorThirdMinute, @"NO",kMonitorWroteInTimeSlice, nil]; NSMutableDictionary *fourthMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 4],kMonitorFourthMinute, @"NO", kMonitorWroteInTimeSlice, nil]; NSMutableDictionary *fifthMinute = [NSMutableDictionary dictionaryWithObjectsAndKeys:[currentTime dateByAddingTimeInterval: seconds_per_minute * 5], kMonitorFifthMinute, @"NO", kMonitorWroteInTimeSlice, nil]; - + NSMutableDictionary *timeTable = [NSMutableDictionary dictionaryWithObjectsAndKeys: firstMinute, kMonitorFirstMinute, secondMinute, kMonitorSecondMinute, thirdMinute, kMonitorThirdMinute, @@ -390,11 +383,11 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee { NSMutableDictionary *timeTable = [self initializeTimeTable:key]; NSDate *currentTime = [NSDate date]; - + NSMutableDictionary *keyEntry = [NSMutableDictionary dictionaryWithObjectsAndKeys: key, kMonitorMessageKey, @0, kMonitorConsecutiveWrites, currentTime, kMonitorLastWriteTimestamp, @0, kMonitorPenaltyBoxKey, timeTable, kMonitorTimeTable,[NSMutableDictionary dictionary], kMonitorMessageQueue, nil]; - + [_monitor setObject:keyEntry forKey:key]; - + } - (void)recordTimestampForAppropriateInterval:(NSMutableDictionary**)timeTable key:(NSString*)key consecutiveWrites:(NSNumber**)consecutiveWrites 
@@ -408,13 +401,13 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee { if(foundTimeSlot == YES) return; - [*timeTable enumerateKeysAndObjectsUsingBlock: ^(id minute, id obj, BOOL *stop2) + [*timeTable enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) { if(foundTimeSlot == YES) return; - if([sortedKey isEqualToString:minute]){ + if([sortedKey isEqualToString:key]){ NSMutableDictionary *minutesTable = (NSMutableDictionary*)obj; - NSString *minuteKey = (NSString*)minute; + NSString *minuteKey = (NSString*)key; NSDate *date = [minutesTable valueForKey:minuteKey]; if([date compare:currentTime] == NSOrderedDescending){ foundTimeSlot = YES; @@ -437,18 +430,18 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee } }]; }]; - + if(foundTimeSlot == NO){ //reset the time table - secnotice("backoff","didn't find a time slot, resetting the table"); + secinfo("backoff","didn't find a time slot, resetting the table"); NSMutableDictionary *lastTable = [*timeTable valueForKey:kMonitorFifthMinute]; NSDate *lastDate = [lastTable valueForKey:kMonitorFifthMinute]; - + if((double)[currentTime timeIntervalSinceDate: lastDate] >= seconds_per_minute){ *consecutiveWrites = [[NSNumber alloc]initWithInt:0]; } else{ - NSString* written = [lastTable valueForKey:kMonitorWroteInTimeSlice]; + NSString* written = [lastTable valueForKey:kMonitorWroteInTimeSlice]; if([written isEqualToString:@"YES"]){ cWrites++; *consecutiveWrites = [[NSNumber alloc]initWithInt:cWrites]; @@ -457,7 +450,7 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee *consecutiveWrites = [[NSNumber alloc]initWithInt:0]; } } - + *timeTable = [self initializeTimeTable:key]; return; } 
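Review bot: Renaming the inner block's parameters to `key` and `stop` makes them shadow the method's own `key:(NSString*)key` argument (visible as the last context line of the preceding hunk) and, presumably, the outer enumeration block's `stop`, so inside the inner block `key` now means the time-table dictionary key rather than the KVS key the method was called for; the old `minute`/`stop2` names were distinct on purpose. Restore distinct names, e.g. `^(id minute, id obj, BOOL *innerStop)`, so a later `key` use or `*stop = YES` inside the block cannot silently bind to the wrong variable and `-Wshadow` stays clean. recordTimestampForAppropriateInterval: begins in the previous hunk and continues past this one.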
@@ -484,26 +477,26 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee NSMutableDictionary *timeTable = [keyEntry objectForKey: kMonitorTimeTable]; NSNumber *existingWrites = [keyEntry objectForKey: kMonitorConsecutiveWrites]; NSDate *currentTime = [NSDate date]; - + [self recordTimestampForAppropriateInterval:&timeTable key:key consecutiveWrites:&existingWrites]; - + int consecutiveWrites = [existingWrites intValue]; - secnotice("backoff","consecutive writes: %d", consecutiveWrites); + secinfo("backoff","consecutive writes: %d", consecutiveWrites); [keyEntry setObject:existingWrites forKey:kMonitorConsecutiveWrites]; [keyEntry setObject:timeTable forKey:kMonitorTimeTable]; [keyEntry setObject:currentTime forKey:kMonitorLastWriteTimestamp]; [_monitor setObject:keyEntry forKey:key]; - + if([penalty_timeout intValue] != 0 || ((double)[currentTime timeIntervalSinceDate: lastWriteTimestamp] <= 60 && consecutiveWrites >= 5)){ if([penalty_timeout intValue] != 0) - secnotice("backoff","still in timeout, shouldn't write anything to KVS in this time period"); - else - secnotice("backoff","monitor: keys have been written for 5 or more minutes, time to bump penalty timers"); + secinfo("backoff","still in timeout, shouldn't write anything to KVS in this time period"); + else + secinfo("backoff","monitor: keys have been written for 5 or more minutes, time to bump penalty timers"); [self increasePenalty:penalty_timeout key:key keyEntry:&keyEntry]; } //keep writing freely but record it else if((double)[currentTime timeIntervalSinceDate: lastWriteTimestamp] <= 60 && consecutiveWrites < 5){ - secnotice("backoff","monitor: still writing freely"); + secinfo("backoff","monitor: still writing freely"); } } }]; 
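Review bot: The penalty condition keeps a literal `60` (`timeIntervalSinceDate: lastWriteTimestamp] <= 60 && consecutiveWrites >= 5`) while the consecutive-write count it tests is built from `seconds_per_minute`-sized slices of the time table, and the log text still says "written for 5 or more minutes"; with this patch's change of `seconds_per_minute` the two windows no longer describe the same interval. Express the window in the table's unit, e.g. `<= seconds_per_minute * 5` if the intent is five consecutive slices, or give it a name such as `static int backoff_window_seconds = 60;` and make the log text match. The enclosing method begins outside this hunk.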
@@ -519,9 +512,9 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee NSNumber *penalty = [keyEntry objectForKey:kMonitorPenaltyBoxKey]; if([penalty intValue] != 0){ NSMutableDictionary* existingQueue = [keyEntry valueForKey:kMonitorMessageQueue]; - + [existingQueue setObject:obj forKey:key]; - + [keyEntry setObject:existingQueue forKey:kMonitorMessageQueue]; [_monitor setObject:keyEntry forKey:key]; } 
@@ -539,34 +532,34 @@ static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms lee { secnoticeq("dsid", "Ensure DSIDs match"); NSMutableDictionary *mutableValues = [NSMutableDictionary dictionaryWithCapacity:0]; - - secnotice("backoff","!!writing these keys to KVS!!: %@", values); - [values enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) - { - if (obj == NULL || obj == [NSNull null]) - [store removeObjectForKey:key]; - - else if([key isEqualToString: @"^OfficialDSID"]){ - _dsid = obj; - secnotice("dsid", "setting dsid to %@", obj); - } - - else if([key isEqual: @"^Required"]){ - if( [_dsid isEqualToString: @""]){ - secdebug("dsid", "CloudKeychainProxy setting dsid to :%@ from securityd", obj); + + secinfo("backoff","!!writing these keys to KVS!!: %@", values); + [values enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) + { + if (obj == NULL || obj == [NSNull null]) + [store removeObjectForKey:key]; + + else if([key isEqualToString: @"^OfficialDSID"]){ _dsid = obj; + secnotice("dsid", "setting dsid to %@", obj); } - - else if(![_dsid isEqual: obj]){ - secerror("Account DSIDs do not match, cloud keychain proxy: %@, securityd: %@", _dsid, obj); - secerror("Not going to write these: %@ into KVS!", values); - return; - } - } - else - [ mutableValues setValue:obj forKey:key ]; - }]; + else if([key isEqual: @"^Required"]){ + if( [_dsid isEqualToString: @""]){ + secdebug("dsid", "CloudKeychainProxy setting dsid to :%@ from securityd", obj); + _dsid = obj; + } + + else if(![_dsid isEqual: obj]){ + secerror("Account DSIDs do not match, cloud keychain proxy: %@, securityd: %@", _dsid, obj); + secerror("Not going to write these: %@ into KVS!", values); + return; + } + } + else + [ mutableValues setObject:obj forKey:key ]; + + }]; secnoticeq("keytrace", "%@ sending: %@", self, [[mutableValues allKeys] componentsJoinedByString: @" "]); [mutableValues enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) 
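Review bot: On a DSID mismatch the `return;` inside the enumeration block only skips the current key: it neither sets `*stop = YES` nor prevents the `secnoticeq("keytrace", "%@ sending: %@" …)` and second enumeration that follow, so every value already copied into `mutableValues` (and any key enumerated after `^Required`, since NSDictionary order is unspecified) is still written to KVS despite the "Not going to write these" error. The `[store removeObjectForKey:key]` for null values likewise runs before the DSID check, and a nil `_dsid` (rather than `@""`) also lands in the mismatch branch, which may or may not be intended. Carry the mismatch out of the block and bail before the send; the enclosing method starts before this hunk.
```objective-c
    __block BOOL dsidMismatch = NO;
    [values enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop)
    {
        // … unchanged: null removal, ^OfficialDSID and ^Required-when-empty handling …
            else if(![_dsid isEqual: obj]){
                secerror("Account DSIDs do not match, cloud keychain proxy: %@, securityd: %@", _dsid, obj);
                secerror("Not going to write these: %@ into KVS!", values);
                dsidMismatch = YES;
                *stop = YES;
                return;
            }
        // … unchanged: default setObject:forKey: …
    }];
    if (dsidMismatch)
        return;
```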
@@ -756,6 +749,7 @@ static void wait_until(dispatch_time_t when) { - (NSDictionary*) exportKeyInterests { + return @{ kKeyAlwaysKeys:[_alwaysKeys allObjects], kKeyFirstUnlockKeys:[_firstUnlockKeys allObjects], kKeyUnlockedKeys:[_unlockedKeys allObjects], @@ -850,33 +844,6 @@ static void wait_until(dispatch_time_t when) { } } -- (NSDictionary *)localNotification:(NSDictionary *)localNotificationDict outFlags:(int64_t *)outFlags -{ - __block bool done = false; - __block int64_t returnedFlags = 0; - __block NSDictionary *responses = NULL; - - CKDUserInteraction *cui = [CKDUserInteraction sharedInstance]; - [cui requestShowNotification:localNotificationDict completion:^ bool (CFDictionaryRef userResponses, int64_t flags) - { - responses = [NSDictionary dictionaryWithDictionary:(__bridge NSDictionary *)userResponses]; - returnedFlags = flags; - secdebug(XPROXYSCOPE, "%@ requestShowNotification: dict: %@, flags: %#llx", self, responses, returnedFlags); - done = true; - return true; - }]; - - // TODO: replace with e.g. dispatch calls to wait, or semaphore - while (!done) - sleep(1); - if (outFlags) - { - secdebug(XPROXYSCOPE, "%@ outFlags: %#llx", self, returnedFlags); - *outFlags = returnedFlags; - } - return responses; -} - - (void)saveToUbiquitousStore { [self requestSynchronization:NO]; @@ -1007,7 +974,6 @@ static void wait_until(dispatch_time_t when) { - (void) calloutWith: (void(^)(NSSet *pending, bool syncWithPeersPending, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration))) callout { // In CKDKVSProxy's serial queue - dispatch_queue_t ckdkvsproxy_queue = dispatch_get_main_queue(); _oldInCallout = YES; 
@@ -1019,7 +985,7 @@ static void wait_until(dispatch_time_t when) { __block bool mySyncWithPeersPending; __block bool myEnsurePeerRegistration; __block bool wasLocked; - dispatch_sync(ckdkvsproxy_queue, ^{ + dispatch_sync(_ckdkvsproxy_queue, ^{ myPending = [_pendingKeys copy]; mySyncWithPeersPending = _syncWithPeersPending; myEnsurePeerRegistration = _ensurePeerRegistration; @@ -1033,7 +999,7 @@ static void wait_until(dispatch_time_t when) { _shadowSyncWithPeersPending = NO; }); - callout(myPending, mySyncWithPeersPending, myEnsurePeerRegistration, ckdkvsproxy_queue, ^(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration) { + callout(myPending, mySyncWithPeersPending, myEnsurePeerRegistration, _ckdkvsproxy_queue, ^(NSSet *handledKeys, bool handledSyncWithPeers, bool handledEnsurePeerRegistration) { secdebug("event", "%@ %s%s before callout handled: %s%s", self, mySyncWithPeersPending ? "S" : "s", myEnsurePeerRegistration ? "E" : "e", handledSyncWithPeers ? "S" : "s", handledEnsurePeerRegistration ? "E" : "e"); // In CKDKVSProxy's serial queue diff --git a/OSX/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.m b/OSX/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.m deleted file mode 100644 index 23c92d20..00000000 --- a/OSX/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.m +++ /dev/null 
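Review bot: `dispatch_sync(_ckdkvsproxy_queue, …)` is issued from inside the `dispatch_async(_calloutQueue, …)` block, so it deadlocks if `_ckdkvsproxy_queue` is `_calloutQueue` or targets it, and `calloutWith:` itself must never be entered on `_calloutQueue`; the previous code synced onto the main queue, where that invariant was self-evident. Where the queues are created (outside this hunk) a comment such as `// _ckdkvsproxy_queue is serial and must not target _calloutQueue: calloutWith: dispatch_syncs onto it` would make the requirement explicit, and a `dispatch_assert_queue(_ckdkvsproxy_queue)` at the `// In CKDKVSProxy's serial queue` markers would enforce it where the deployment target allows. calloutWith: begins in the preceding hunk and continues past this one.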
@@ -1,129 +0,0 @@ -/* - * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -// -// CKDUserInteraction.m -// CloudKeychainProxy -// - -#import <CoreFoundation/CFUserNotification.h> -#import <utilities/debugging.h> - -#import "CKDUserInteraction.h" -#import <Security/SecureObjectSync/SOSARCDefines.h> - -static CKDUserInteraction *sharedInstance = nil; -static CKDUserInteractionBlock completion; - -#define XPROXYUISCOPE "proxy-ui" - -static void userNotificationCallback(CFUserNotificationRef userNotification, CFOptionFlags responseFlags) -{ - -/* - kCFUserNotificationDefaultResponse = 0, - kCFUserNotificationAlternateResponse = 1, - kCFUserNotificationOtherResponse = 2, - kCFUserNotificationCancelResponse = 3 -*/ - - CKDUserInteraction *sharedInstance = [CKDUserInteraction sharedInstance]; - CFDictionaryRef userResponses = CFUserNotificationGetResponseDictionary(userNotification); - // CFOptionFlags are poorly named, since it's a single response value, not a mask - - secdebug(XPROXYUISCOPE, "sharedInstance: %@, rlsr: %@", sharedInstance, 
sharedInstance.runLoopSourceRef); - secdebug(XPROXYUISCOPE, "userNotification responses: %@, flags: %#lx",userResponses, responseFlags); - - if (sharedInstance.runLoopSourceRef) - CFRunLoopRemoveSource(CFRunLoopGetMain(), sharedInstance.runLoopSourceRef, kCFRunLoopDefaultMode); - - if (completion) // sharedInstance.completion - { - secdebug(XPROXYUISCOPE, "Calling user completion routine"); - completion(userResponses, responseFlags); // sharedInstance.completion - } - - secdebug(XPROXYUISCOPE, "Releasing user completion routine"); -// Block_release(completion); // sharedInstance.completion - -/* - if (responseFlags & kCFUserNotificationCancelResponse) { - returnCode = kABNotifierUserCancelled; - } else { - fUsername = (CFStringRef)CFUserNotificationGetResponseValue(notification, kCFUserNotificationTextFieldValuesKey, 0); - if(fUsername) CFRetain(fUsername); - - fPassword = (CFStringRef)CFUserNotificationGetResponseValue(notification, kCFUserNotificationTextFieldValuesKey, 1); - if(fPassword) CFRetain(fPassword); - - if((response & CFUserNotificationCheckBoxChecked(0))) -*/ - -// if (responseFlags == kCFUserNotificationCancelResponse || responseFlags == kCFUserNotificationDefaultResponse) - CFRunLoopStop(CFRunLoopGetCurrent()); - secdebug(XPROXYUISCOPE, "exit"); -} - -@implementation CKDUserInteraction - -+ (CKDUserInteraction *) sharedInstance -{ - if (!sharedInstance) - sharedInstance = [[self alloc] init]; - - return sharedInstance; -} - -- (void)requestShowNotification:(NSDictionary *)infoForUserInfo completion:(CKDUserInteractionBlock)completionf -{ - __block CFOptionFlags flags = kCFUserNotificationCautionAlertLevel | kCFUserNotificationNoDefaultButtonFlag; - CFTimeInterval timeout = 30.0; - -// completion = Block_copy(completionf); - completion = completionf; - - CFStringRef headerStr = (__bridge CFStringRef)([infoForUserInfo objectForKey:(__bridge id)kCFUserNotificationAlertHeaderKey]); - - CFStringRef cancelStr = CFSTR("No way"); 
//CFStringCreateWithCString(kCFAllocatorDefault, cancel.c_str(), kCFStringEncodingUTF8); - CFStringRef defaultStr = CFSTR("Sure"); //CFStringCreateWithCString(kCFAllocatorDefault, settings.c_str(), kCFStringEncodingUTF8); - - CFMutableDictionaryRef notifyDictionary = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - - // Header and buttons - CFDictionarySetValue(notifyDictionary, kCFUserNotificationAlertHeaderKey, headerStr); - CFDictionarySetValue(notifyDictionary, kCFUserNotificationDefaultButtonTitleKey, defaultStr); - CFDictionarySetValue(notifyDictionary, kCFUserNotificationAlternateButtonTitleKey, cancelStr); - - SInt32 error = 0; - _userNotificationRef = CFUserNotificationCreate(kCFAllocatorDefault, timeout, flags, &error, notifyDictionary); - - if (_userNotificationRef) - { - _runLoopSourceRef = CFUserNotificationCreateRunLoopSource(kCFAllocatorDefault, _userNotificationRef, userNotificationCallback, 0); - CFRunLoopAddSource(CFRunLoopGetMain(), _runLoopSourceRef, kCFRunLoopDefaultMode); - } - -} - -@end - diff --git a/OSX/sec/SOSCircle/CloudKeychainProxy/cloudkeychain.entitlements.plist b/OSX/sec/SOSCircle/CloudKeychainProxy/cloudkeychain.entitlements.plist deleted file mode 100644 index 46c70ef7..00000000 --- a/OSX/sec/SOSCircle/CloudKeychainProxy/cloudkeychain.entitlements.plist +++ /dev/null 
@@ -1,19 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> -<plist version="1.0"> -<dict> - <key>keychain-sync-updates</key> - <true/> - <key>application-identifier</key> - <string>com.apple.security.cloudkeychainproxy3</string> - <key>sync-keychain</key> - <true/> - <key>keychain-access-groups</key> - <array> - <string>sync</string> - <string>*</string> - </array> - <key>com.apple.developer.ubiquity-kvstore-identifier</key> - <string>com.apple.security.cloudkeychainproxy3</string> -</dict> -</plist> diff --git a/OSX/sec/SOSCircle/CloudKeychainProxy/cloudkeychainproxy.m b/OSX/sec/SOSCircle/CloudKeychainProxy/cloudkeychainproxy.m index 4b4e2d24..5d9aa25d 100644 --- a/OSX/sec/SOSCircle/CloudKeychainProxy/cloudkeychainproxy.m +++ b/OSX/sec/SOSCircle/CloudKeychainProxy/cloudkeychainproxy.m 
@@ -195,21 +195,6 @@ static void cloudkeychainproxy_peer_dictionary_handler(const xpc_connection_t pe secdebug(PROXYXPCSCOPE, "RegisterKeys message sent"); } - else if (operation && !strcmp(operation, kOperationUILocalNotification)) - { - xpc_object_t xLocalNotificationDict = xpc_dictionary_get_value(event, kMessageKeyValue); - // describeXPCObject("xLocalNotificationDict: ", xLocalNotificationDict); - NSDictionary *localNotificationDict = (__bridge_transfer NSDictionary *)(_CFXPCCreateCFObjectFromXPCObject(xLocalNotificationDict)); - int64_t outFlags = 0; - id object = [[UbiqitousKVSProxy sharedKVSProxy] localNotification:localNotificationDict outFlags:&outFlags]; - secdebug(PROXYXPCSCOPE, "Result from [[UbiqitousKVSProxy sharedKVSProxy] localNotification:]: %@", object); - xpc_object_t xobject = object ? _CFXPCCreateXPCObjectFromCFObject((__bridge CFTypeRef)(object)) : xpc_null_create(); - xpc_object_t replyMessage = xpc_dictionary_create_reply(event); - xpc_dictionary_set_int64(xobject, kMessageKeyNotificationFlags, outFlags); - xpc_dictionary_set_value(replyMessage, kMessageKeyValue, xobject); - xpc_connection_send_message(peer, replyMessage); - secdebug(PROXYXPCSCOPE, "localNotification reply sent"); - } else if (operation && !strcmp(operation, kOperationRequestSyncWithAllPeers)) { [[UbiqitousKVSProxy sharedKVSProxy] requestSyncWithAllPeers]; diff --git a/OSX/sec/SOSCircle/CloudKeychainProxy/en.lproj/InfoPlist.strings b/OSX/sec/SOSCircle/CloudKeychainProxy/en.lproj/InfoPlist.strings deleted file mode 100644 index 477b28ff..00000000 --- a/OSX/sec/SOSCircle/CloudKeychainProxy/en.lproj/InfoPlist.strings +++ /dev/null @@ -1,2 +0,0 @@ -/* Localized versions of Info.plist keys */ - diff --git a/OSX/sec/SOSCircle/Empty.c b/OSX/sec/SOSCircle/Empty.c deleted file mode 100644 index e69de29b..00000000 diff --git a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSProxy.m b/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSProxy.m deleted file mode 100644 index 2288fc56..00000000 
--- a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSProxy.m +++ /dev/null 
@@ -1,685 +0,0 @@ -/* - * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -// -// IDSProxy.m -// ids-xpc -// - - -#import <Foundation/NSArray.h> -#import <Foundation/Foundation.h> - -#import <Security/SecBasePriv.h> -#import <Security/SecItemPriv.h> -#import <utilities/debugging.h> -#import <notify.h> - -#include <Security/CKBridge/SOSCloudKeychainConstants.h> -#include <Security/SecureObjectSync/SOSARCDefines.h> -#include <Security/SecureObjectSync/SOSCloudCircle.h> -#include <Security/SecureObjectSync/SOSCloudCircleInternal.h> - -#import <IDS/IDS.h> -#import <os/activity.h> - -#include <utilities/SecAKSWrappers.h> -#include <utilities/SecCFRelease.h> -#include <AssertMacros.h> - -#import "IDSProxy.h" -#import "IDSPersistentState.h" - -static const char *kStreamName = "com.apple.notifyd.matching"; -NSString *const IDSSendMessageOptionForceEncryptionOffKey = @"IDSSendMessageOptionForceEncryptionOff"; - -static const int64_t kAttemptFlushBufferInterval = (NSEC_PER_SEC * 15); -static const int64_t kSyncTimerLeeway = (NSEC_PER_MSEC * 250); // 
250ms leeway for handling unhandled messages. -static const int64_t kMaxMessageRetryDelay = (NSEC_PER_SEC * 5); // 5s maximun delay for a given request -static const int64_t kMinMessageRetryDelay = (NSEC_PER_MSEC * 500); // 500ms minimum delay before attempting to retry handling messages. - -#define SECD_RUN_AS_ROOT_ERROR 550 - - -@implementation IDSKeychainSyncingProxy - -+ (IDSKeychainSyncingProxy *) idsProxy -{ - static IDSKeychainSyncingProxy *idsProxy; - if (!idsProxy) { - static dispatch_once_t onceToken; - dispatch_once(&onceToken, ^{ - idsProxy = [[self alloc] init]; - }); - } - return idsProxy; -} - -- (void)persistState -{ - if([_unhandledMessageBuffer count] > 0){ - [IDSKeychainSyncingProxyPersistentState setUnhandledMessages:_unhandledMessageBuffer]; - } -} - -- (void) importKeyInterests: (NSMutableDictionary*) unhandledMessages -{ - _unhandledMessageBuffer = unhandledMessages; -} - -- (id)init -{ - if (self = [super init]) - { - secnotice("event", "%@ start", self); - - _isIDSInitDone = false; - _service = nil; - _calloutQueue = dispatch_queue_create("IDSCallout", DISPATCH_QUEUE_SERIAL); - _unhandledMessageBuffer = [ [NSMutableDictionary alloc] initWithCapacity: 0]; - _isSecDRunningAsRoot = false; - secdebug(IDSPROXYSCOPE, "%@ done", self); - - [self doIDSInitialization]; - if(_isIDSInitDone) - [self doSetIDSDeviceID:nil]; - - _syncTimer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_main_queue()); - dispatch_source_set_timer(_syncTimer, DISPATCH_TIME_FOREVER, DISPATCH_TIME_FOREVER, kSyncTimerLeeway); - dispatch_source_set_event_handler(_syncTimer, ^{ - [self timerFired]; - }); - dispatch_resume(_syncTimer); - - [self importKeyInterests: [IDSKeychainSyncingProxyPersistentState unhandledMessages]]; - - xpc_set_event_stream_handler(kStreamName, dispatch_get_main_queue(), - ^(xpc_object_t notification){ - [self streamEvent:notification]; - }); - - [self updateUnlockedSinceBoot]; - [self updateIsLocked]; - if (!_isLocked) - [self 
keybagDidUnlock]; - - } - return self; -} - -- (void) keybagDidLock -{ - secnotice("event", "%@", self); -} - -- (void) keybagDidUnlock -{ - secnotice("event", "%@", self); - [self handleAllPendingMessage]; -} - -- (BOOL) updateUnlockedSinceBoot -{ - CFErrorRef aksError = NULL; - if (!SecAKSGetHasBeenUnlocked(&_unlockedSinceBoot, &aksError)) { - secerror("%@ Got error from SecAKSGetHasBeenUnlocked: %@", self, aksError); - CFReleaseSafe(aksError); - return NO; - } - return YES; -} - -- (BOOL) updateIsLocked -{ - CFErrorRef aksError = NULL; - if (!SecAKSGetIsLocked(&_isLocked, &aksError)) { - secerror("%@ Got error querying lock state: %@", self, aksError); - CFReleaseSafe(aksError); - return NO; - } - if (!_isLocked) - _unlockedSinceBoot = YES; - return YES; -} - -- (void) keybagStateChange -{ - os_activity_initiate("keybagStateChanged", OS_ACTIVITY_FLAG_DEFAULT, ^{ - BOOL wasLocked = _isLocked; - if ([self updateIsLocked]) { - if (wasLocked == _isLocked) - secdebug("event", "%@ still %s ignoring", self, _isLocked ? 
"locked" : "unlocked"); - else if (_isLocked) - [self keybagDidLock]; - else - [self keybagDidUnlock]; - } - }); -} - -- (void)streamEvent:(xpc_object_t)notification -{ -#if (!TARGET_IPHONE_SIMULATOR) - const char *notificationName = xpc_dictionary_get_string(notification, "Notification"); - if (!notificationName) { - } else if (strcmp(notificationName, kUserKeybagStateChangeNotification)==0) { - return [self keybagStateChange]; - } - const char *eventName = xpc_dictionary_get_string(notification, "XPCEventName"); - char *desc = xpc_copy_description(notification); - secnotice("event", "%@ event: %s name: %s desc: %s", self, eventName, notificationName, desc); - if (desc) - free((void *)desc); -#endif -} - -- (void)timerFired -{ - secdebug("IDS Transport", "%@ attempting to hand unhandled messages to securityd, here is our message queue: %@", self, _unhandledMessageBuffer); - if([_unhandledMessageBuffer count] == 0) - _syncTimerScheduled = NO; - else if (_syncTimerScheduled && !_isLocked){ - [self handleAllPendingMessage]; - } -} - -- (dispatch_time_t) nextSyncTime -{ - secdebug("IDS Transport", "nextSyncTime"); - - dispatch_time_t nextSync = dispatch_time(DISPATCH_TIME_NOW, kMinMessageRetryDelay); - - // Don't sync again unless we waited at least kAttemptFlushBufferInterval - if (_lastSyncTime) { - dispatch_time_t soonest = dispatch_time(_lastSyncTime, kAttemptFlushBufferInterval); - if (nextSync < soonest || _deadline < soonest) { - secdebug("timer", "%@ backing off", self); - return soonest; - } - } - - // Don't delay more than kMaxMessageRetryDelay after the first request. 
- if (nextSync > _deadline) { - secdebug("timer", "%@ hit deadline", self); - return _deadline; - } - - // Bump the timer by kMinMessageRetryDelay - if (_syncTimerScheduled) - secdebug("timer", "%@ bumped timer", self); - else - secdebug("timer", "%@ scheduled timer", self); - - return nextSync; -} - -- (void)scheduleSyncRequestTimer -{ - secdebug("IDS Transport", "scheduling sync request timer"); - dispatch_source_set_timer(_syncTimer, [self nextSyncTime], DISPATCH_TIME_FOREVER, kSyncTimerLeeway); - _syncTimerScheduled = YES; -} - - -- (void)setItemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock -{ - self->itemsChangedCallback = itemsChangedBlock; -} - -- (void)doIDSInitialization{ - - secnotice("IDS Transport", "doIDSInitialization!"); - - _service = [[IDSService alloc] initWithService: @IDSServiceNameKeychainSync]; - - if( _service == nil ){ - _isIDSInitDone = false; - secerror("Could not create ids service"); - } - else{ - secnotice("IDS Transport", "IDS Transport Successfully set up IDS!"); - [_service addDelegate:self queue: dispatch_get_main_queue()]; - - _isIDSInitDone = true; - if(_isSecDRunningAsRoot == false) - [self doSetIDSDeviceID:nil]; - } -} - -- (void) calloutWith: (void(^)(NSMutableDictionary *pending, bool handlePendingMesssages, bool doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *handledMessages, bool handledPendingMessage, bool handledSettingDeviceID))) callout -{ - // In IDSKeychainSyncingProxy serial queue - dispatch_queue_t idsproxy_queue = dispatch_get_main_queue(); - - _oldInCallout = YES; - - // dispatch_get_global_queue - well-known global concurrent queue - // dispatch_get_main_queue - default queue that is bound to the main thread - xpc_transaction_begin(); - dispatch_async(_calloutQueue, ^{ - __block NSMutableDictionary *myPending; - __block bool myHandlePendingMessage; - __block bool myDoSetDeviceID; - __block bool wasLocked; - dispatch_sync(idsproxy_queue, ^{ - myPending = [_unhandledMessageBuffer 
copy]; - myHandlePendingMessage = _handleAllPendingMessages; - myDoSetDeviceID = _setIDSDeviceID; - wasLocked = _isLocked; - - _inCallout = YES; - if (!_oldInCallout) - secnotice("deaf", ">>>>>>>>>>> _oldInCallout is NO and we're heading in to the callout!"); - - _shadowHandleAllPendingMessages = NO; - }); - - callout(myPending, myHandlePendingMessage, myDoSetDeviceID, idsproxy_queue, ^(NSMutableDictionary *handledMessages, bool handledPendingMessage, bool handledSetDeviceID) { - secdebug("event", "%@ %s%s before callout handled: %s%s", self, myHandlePendingMessage ? "P" : "p", myDoSetDeviceID ? "D" : "d", handledPendingMessage ? "H" : "h", handledSetDeviceID ? "I" : "i"); - - // In IDSKeychainSyncingProxy's serial queue - _inCallout = NO; - _oldInCallout = NO; - - NSError *error; - - // Update setting device id - _setIDSDeviceID = ((myDoSetDeviceID && !handledSetDeviceID) || _shadowHandleAllPendingMessages); - - _shadowDoSetIDSDeviceID = NO; - - if(_setIDSDeviceID && !_isLocked && _isSecDRunningAsRoot == false) - [self doSetIDSDeviceID:&error]; - - // Update handling pending messages - _handleAllPendingMessages = ((myHandlePendingMessage && (!handledPendingMessage)) || _shadowHandleAllPendingMessages); - - _shadowHandleAllPendingMessages = NO; - - if (handledPendingMessage) - _lastSyncTime = dispatch_time(DISPATCH_TIME_NOW, 0); - - // Update pending messages and handle them - [handledMessages enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop){ - NSString* fromID = (NSString*)key; - [_unhandledMessageBuffer removeObjectForKey:fromID]; - }]; - - // Write state to disk - [self persistState]; - - if ([_unhandledMessageBuffer count] > 0 || (!_isLocked && wasLocked)) - [self handleAllPendingMessage]; - - xpc_transaction_end(); - }); - }); -} - -- (BOOL) doSetIDSDeviceID: (NSError**)error -{ - BOOL result = false; - NSDictionary *userInfo; - NSInteger code = 0; - NSString *errorMessage; - __block NSString* deviceID; - __block CFErrorRef localError = NULL; - 
__block bool handledSettingID = false; - - if(!_isIDSInitDone){ - [self doIDSInitialization]; - } - if(_isSecDRunningAsRoot == true) - { - secerror("cannot set IDS device ID, secd is running as root"); - return false; - } - require_action_quiet(_isIDSInitDone, fail, errorMessage = @"IDSKeychainSyncingProxy can't set up the IDS service"; code = kSecIDSErrorNotRegistered); - require_action_quiet(!_isLocked, fail, errorMessage = @"IDSKeychainSyncingProxy can't set device ID, device is locked"; code = kSecIDSErrorDeviceIsLocked); - - deviceID = IDSCopyLocalDeviceUniqueID(); - secdebug("IDS Transport", "This is our IDS device ID: %@", deviceID); - - require_action_quiet(deviceID != nil, fail, errorMessage = @"IDSKeychainSyncingProxy could not retrieve device ID from keychain"; code = kSecIDSErrorNoDeviceID); - - if(_inCallout && _isSecDRunningAsRoot == false){ - _shadowDoSetIDSDeviceID = YES; - result = true; - } - else{ - _setIDSDeviceID = YES; - [self calloutWith:^(NSMutableDictionary *pending, bool handlePendingMesssages, bool doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *, bool, bool)) { - handledSettingID = SOSCCSetDeviceID((__bridge CFStringRef) deviceID, &localError); - - dispatch_async(queue, ^{ - if(localError){ - if(CFErrorGetCode(localError) == SECD_RUN_AS_ROOT_ERROR){ - secerror("SETTING RUN AS ROOT ERROR"); - _isSecDRunningAsRoot = true; - } - if(error) - *error = (__bridge NSError *)(localError); - } - handledSettingID = YES; - done(nil, NO, handledSettingID); - }); - }]; - result = handledSettingID; - } - return result; - -fail: - userInfo = [ NSDictionary dictionaryWithObjectsAndKeys:errorMessage, NSLocalizedDescriptionKey, nil ]; - if(error != nil){ - *error = [NSError errorWithDomain:@"com.apple.security.ids.error" code:code userInfo:userInfo]; - secerror("%@", *error); - } - return false; -} - --(BOOL) sendIDSMessage:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) peerID error:(NSError**) error -{ - BOOL 
result = true; - NSDictionary *userInfo; - NSInteger code = 0; - - NSString *errorMessage; - NSString* identifier = [NSString string]; - NSMutableSet *destinations = [NSMutableSet set]; - NSArray *ListOfIDSDevices = nil; - IDSMessagePriority priority = IDSMessagePriorityHigh; - IDSDevice *device = nil; - BOOL encryptionOff = YES; - NSError *localError = nil; - NSDictionary *options = @{IDSSendMessageOptionForceEncryptionOffKey : [NSNumber numberWithBool:encryptionOff] }; - - require_action_quiet(_service, fail, errorMessage = @"Could not send message: IDS delegate uninitialized, can't use IDS to send this message"; code = kSecIDSErrorNotRegistered); - - secdebug("IDS Transport", "[_service devices]: %@, we have their deviceName: %@", [_service devices], deviceName); - ListOfIDSDevices = [_service devices]; - - require_action_quiet([ListOfIDSDevices count]> 0, fail, errorMessage=@"Could not send message: IDS devices are not registered yet"; code = kSecIDSErrorNotRegistered); - secinfo("IDS Transport", "This is our list of devices: %@", ListOfIDSDevices); - - for(NSUInteger i = 0; i < [ ListOfIDSDevices count ]; i++){ - device = ListOfIDSDevices[i]; - if( [ deviceName compare:device.uniqueID ] == 0){ - [destinations addObject: IDSCopyIDForDevice(device)]; - } - } - - require_action_quiet([destinations count] != 0, fail, errorMessage = @"Could not send message: IDS device ID for peer does not match any devices within an IDS Account"; code = kSecIDSErrorCouldNotFindMatchingAuthToken); - - result = [_service sendMessage:data toDestinations:destinations priority:priority options:options identifier:&identifier error:&localError ] ; - - require_action_quiet(localError == nil, fail, errorMessage = @"Had an error sending IDS message"; code = kSecIDSErrorFailedToSend); - - secdebug("IDS Transport", "IDSKeychainSyncingProxy sent this message over IDS: %@", data); - - return result; - -fail: - userInfo = [ NSDictionary dictionaryWithObjectsAndKeys:errorMessage, 
NSLocalizedDescriptionKey, nil ]; - if(error != nil){ - *error = [NSError errorWithDomain:@"com.apple.security.ids.error" code:code userInfo:userInfo]; - secerror("%@", *error); - } - if(localError != nil) - secerror("%@", localError); - - return false; -} - - -- (void) sendKeysCallout: (NSMutableDictionary*(^)(NSMutableDictionary* pending, NSError** error)) handleMessages { - [self calloutWith: ^(NSMutableDictionary *pending, bool handlePendingMesssages, bool doSetDeviceID, dispatch_queue_t queue, void(^done)(NSMutableDictionary *, bool, bool)) { - NSError* error = NULL; - - NSMutableDictionary* handled = handleMessages(pending, &error); - - dispatch_async(queue, ^{ - if (!handled && error) { - secerror("%@ did not handle message: %@", self, error); - } - - done(handled, NO, NO); - }); - }]; -} - -- (void) handleAllPendingMessage -{ - if([_unhandledMessageBuffer count] > 0){ - secinfo("IDS Transport", "handling Message: %@", _unhandledMessageBuffer); - [_unhandledMessageBuffer enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop) - { - NSDictionary *messageAndFromID = (NSDictionary*)obj; - NSString *fromID = (NSString*)key; - - if(_inCallout){ - _shadowHandleAllPendingMessages = YES; - } - else{ - __block CFErrorRef cf_error = NULL; - __block HandleIDSMessageReason success = kHandleIDSMessageSuccess; - _handleAllPendingMessages = YES; - - [self sendKeysCallout:^NSMutableDictionary *(NSMutableDictionary *pending, NSError** error) { - success = SOSCCHandleIDSMessage(((__bridge CFDictionaryRef)messageAndFromID), &cf_error); - - if(success == kHandleIDSMessageLocked){ - secdebug("IDS Transport", "cannot handle messages when locked, error:%@", cf_error); - [_unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; - - _lastSyncTime = dispatch_time(DISPATCH_TIME_NOW, 0); - _deadline = dispatch_time(DISPATCH_TIME_NOW, kAttemptFlushBufferInterval); - //set timer - [self scheduleSyncRequestTimer]; - return NULL; - } - else if(success == 
kHandleIDSMessageNotReady){ - secdebug("IDS Transport", "not ready to handle message, error:%@", cf_error); - [_unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; - _lastSyncTime = dispatch_time(DISPATCH_TIME_NOW, 0); - _deadline = dispatch_time(DISPATCH_TIME_NOW, kAttemptFlushBufferInterval); - //set timer - [self scheduleSyncRequestTimer]; - return NULL; - } - else if(success == kHandleIDSMessageOtherFail){ - secdebug("IDS Transport", "not ready to handle message, error:%@", cf_error); - [_unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; - _lastSyncTime = dispatch_time(DISPATCH_TIME_NOW, 0); - _deadline = dispatch_time(DISPATCH_TIME_NOW, kAttemptFlushBufferInterval); - //set timer - [self scheduleSyncRequestTimer]; - return NULL; - } - else{ - secdebug("IDS Transport", "IDSProxy handled this message! %@", messageAndFromID); - _syncTimerScheduled = NO; - return (NSMutableDictionary*)messageAndFromID; - } - }]; - } - }]; - } -} - -- (void)service:(IDSService *)service account:(IDSAccount *)account incomingMessage:(NSDictionary *)message fromID:(NSString *)fromID context:(IDSMessageContext *)context; -{ - secdebug("IDS Transport", "IDSKeychainSyncingProxy handling this message sent over IDS%@", message); - NSString *dataKey = [ NSString stringWithUTF8String: kMessageKeyIDSDataMessage ]; - NSString *deviceIDKey = [ NSString stringWithUTF8String: kMessageKeyDeviceID ]; - NSString *peerIDKey = [ NSString stringWithUTF8String: kMessageKeyPeerID ]; - NSString *ID = nil; - uint32_t operationType; - bool hadError = false; - CFStringRef errorMessage = NULL; - __block NSString* operation = nil; - __block NSString* myPeerID = @""; - NSString *messageString = nil; - __block NSData *messageData = nil; - __block NSString *messageAsString = nil; - __block BOOL operationIsString = false; - __block BOOL messageStringIsString = false; - __block BOOL messageDataIsData = false; - - NSArray *devices = [_service devices]; - for(NSUInteger i = 0; i < [ 
devices count ]; i++){ - IDSDevice *device = devices[i]; - if( [(IDSCopyIDForDevice(device)) containsString: fromID] == YES){ - ID = device.uniqueID; - break; - } - } - - require_action_quiet(ID, fail, hadError = true; errorMessage = CFSTR("require the sender's device ID")); - require_action_quiet([message count] == 1, fail, hadError = true; errorMessage = CFSTR("message contained too many objects")); - - [message enumerateKeysAndObjectsUsingBlock: ^(id key, id obj, BOOL *stop){ - operation = (NSString*)key; - operationIsString = (CFGetTypeID((__bridge CFTypeRef)(operation)) == CFStringGetTypeID()); - - if(CFGetTypeID((__bridge CFTypeRef)(obj)) == CFDataGetTypeID()){ - messageDataIsData = true; - messageData = (NSData*)obj; - } - else if(CFGetTypeID((__bridge CFTypeRef)(obj)) == CFStringGetTypeID()){ - messageStringIsString = true; - messageAsString = (NSString*)obj; - } - }]; - - require_action_quiet(operationIsString, fail, hadError = true; errorMessage = CFSTR("unexpected opeartion type");); - - if(messageData) - require_action_quiet(messageDataIsData, fail, hadError = true; errorMessage = CFSTR("unexpected message type");); - else if(messageAsString) - require_action_quiet(messageStringIsString, fail, hadError = true; errorMessage = CFSTR("unexpected message type");); - - operationType = [operation intValue]; - if(operationType == 0) - myPeerID = operation; - - switch(operationType){ - case kIDSPeerAvailabilityDone: - { - secdebug("ids transport", "received availability done!"); - notify_post(kSOSCCPeerAvailable); - break; - } - case kIDSEndPingTestMessage: - secdebug("ids transport", "received pong message from other device: %@, ping test PASSED", ID); - break; - case kIDSSendOneMessage: - secdebug("ids transport","received ping test message, dropping on the floor now"); - break; - - case kIDSPeerAvailability: - case kIDSStartPingTestMessage: - { - char* messageCharS; - if(operationType == kIDSPeerAvailability){ - secdebug("ids transport", "Received 
Availability Message!"); - asprintf(&messageCharS, "%d",kIDSPeerAvailabilityDone); - } - else{ - secdebug("ids transport", "Received PingTest Message!"); - asprintf(&messageCharS, "%d", kIDSEndPingTestMessage); - } - - NSString *operationString = [[NSString alloc] initWithUTF8String:messageCharS]; - messageString = @"peer availability check finished"; - NSDictionary* messsageDictionary = @{operationString : messageString}; - - NSError *localError = NULL; - [self sendIDSMessage:messsageDictionary name:ID peer:@"me" error:&localError]; - free(messageCharS); - - break; - - } - default: - { - NSDictionary *messageAndFromID = @{dataKey : messageData, deviceIDKey: ID, peerIDKey: myPeerID}; - if(_isLocked){ - //hang on to the message and set the retry deadline - [_unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; - _deadline = dispatch_time(DISPATCH_TIME_NOW, kMaxMessageRetryDelay); - } - else{ - __block CFErrorRef cf_error = NULL; - __block HandleIDSMessageReason success = kHandleIDSMessageSuccess; - _handleAllPendingMessages = YES; - - [self sendKeysCallout:^NSMutableDictionary *(NSMutableDictionary *pending, NSError** error) { - - success = SOSCCHandleIDSMessage(((__bridge CFDictionaryRef)messageAndFromID), &cf_error); - - if(success == kHandleIDSMessageLocked){ - secdebug("IDS Transport", "cannot handle messages when locked, error:%@", cf_error); - [_unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; - - _lastSyncTime = dispatch_time(DISPATCH_TIME_NOW, 0); - _deadline = dispatch_time(DISPATCH_TIME_NOW, kAttemptFlushBufferInterval); - //set timer - [self scheduleSyncRequestTimer]; - return NULL; - } - else if(success == kHandleIDSMessageNotReady){ - secdebug("IDS Transport", "not ready to handle message, error:%@", cf_error); - [_unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; - _lastSyncTime = dispatch_time(DISPATCH_TIME_NOW, 0); - _deadline = dispatch_time(DISPATCH_TIME_NOW, kAttemptFlushBufferInterval); - //set 
timer - [self scheduleSyncRequestTimer]; - return NULL; - } - else if(success == kHandleIDSMessageOtherFail){ - secdebug("IDS Transport", "not ready to handle message, error:%@", cf_error); - [_unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; - _lastSyncTime = dispatch_time(DISPATCH_TIME_NOW, 0); - _deadline = dispatch_time(DISPATCH_TIME_NOW, kAttemptFlushBufferInterval); - //set timer - [self scheduleSyncRequestTimer]; - return NULL; - } - else{ - secdebug("IDS Transport", "IDSProxy handled this message! %@", messageAndFromID); - return (NSMutableDictionary*)messageAndFromID; - } - }]; - CFReleaseSafe(cf_error); - } - break; - } - } -fail: - if(hadError) - secerror("error:%@", errorMessage); -} - -@end - - diff --git a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist b/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist deleted file mode 100644 index 5282d8a1..00000000 --- a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist +++ /dev/null 
@@ -1,30 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> -<plist version="1.0"> -<dict> - <key>com.apple.wifi.manager-access</key> - <true/> - <key>com.apple.private.ids.remoteurlconnection</key> - <true/> - <key>com.apple.private.ids.force-encryption-off</key> - <array> - <string>com.apple.private.alloy.keychainsync</string> - </array> - <key>com.apple.private.ids.messaging.high-priority</key> - <array> - <string>com.apple.private.alloy.keychainsync</string> - </array> - <key>com.apple.private.ids.messaging</key> - <array> - <string>com.apple.private.alloy.keychainsync</string> - </array> - <key>keychain-access-groups</key> - <array> - <string>apple</string> - <string>IMCore</string> - <string>InternetAccounts</string> - </array> - <key>application-identifier</key> - <string>com.apple.security.idskeychainsyncingproxy</string> -</dict> -</plist> diff --git a/OSX/sec/SOSCircle/Regressions/CKDKeyValueStore.h b/OSX/sec/SOSCircle/Regressions/CKDKeyValueStore.h deleted file mode 100644 index a6bdcd09..00000000 --- a/OSX/sec/SOSCircle/Regressions/CKDKeyValueStore.h +++ /dev/null 
@@ -1,94 +0,0 @@ -/* - * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -#import <Foundation/Foundation.h> -//#import "CKDKVSProxy.h" -#import "SOSCloudKeychainConstants.h" -#import "SOSCloudKeychainClient.h" - -extern CFStringRef kCKDKVSRemoteStoreID; -extern CFStringRef kCKDAWSRemoteStoreID; - -//--- protocol --- - -@protocol CKDKVSDelegate <NSObject> - -@required - -- (id)objectForKey:(NSString *)aKey; -- (void)setObject:(id)anObject forKey:(NSString *)aKey; -- (void)removeObjectForKey:(NSString *)aKey; - -- (NSDictionary *)dictionaryRepresentation; - -- (BOOL)synchronize; - -@optional -- (BOOL)isLocalKVS; -// DEBUG -- (void)setDictionaryRepresentation:(NSMutableDictionary *)initialValue; -- (void)clearPersistentStores; - -@end - -//--- interface --- - -@interface CKDKeyValueStore : NSObject <CKDKVSDelegate> -{ - BOOL localKVS; - BOOL persistStore; - CloudItemsChangedBlock itemsChangedCallback; -} - -@property (retain) id <CKDKVSDelegate> delegate; -@property (retain) NSString *identifier; -@property (retain) NSString *path; - -- 
(BOOL)synchronize; -+ (CKDKeyValueStore *)defaultStore:(NSString *)identifier itemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock; -- (id)initWithIdentifier:(NSString *)xidentifier itemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock; - -+ (CFStringRef)remoteStoreID; - -- (id)initWithItemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock; -- (void)cloudChanged:(NSNotification*)notification; - -@end - -@interface CKDKeyValueStoreCollection : NSObject -{ - dispatch_queue_t syncrequestqueue; - NSMutableDictionary *store; -} -@property (retain) NSMutableDictionary *collection; - -+ (id)sharedInstance; -+ (id <CKDKVSDelegate>)defaultStore:(NSString *)identifier itemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock; -+ (void)enqueueWrite:(id)anObject forKey:(NSString *)aKey from:(NSString *)identifier; -+ (id)enqueueWithReply:(NSString *)aKey; -+ (BOOL)enqueueSyncWithReply; -+ (void)postItemChangedNotification:(NSString *)keyThatChanged from:(NSString *)identifier; -+ (void)postItemsChangedNotification:(NSArray *)keysThatChanged from:(NSString *)identifier; - -@end diff --git a/OSX/sec/SOSCircle/Regressions/CKDKeyValueStore.m b/OSX/sec/SOSCircle/Regressions/CKDKeyValueStore.m deleted file mode 100644 index cf4f24a5..00000000 --- a/OSX/sec/SOSCircle/Regressions/CKDKeyValueStore.m +++ /dev/null 
@@ -1,365 +0,0 @@ -/* - * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -// -// CKDKeyValueStore.m -// sec -// - -#import "CKDKeyValueStore.h" -#import "CKDPersistentState.h" - -/* - pseudo-code - - g = [CKDKeyValueStore defaultStore:mystoreID]; - [g setObject:obj forKey:@"foo"]; - [g synchronize]; -*/ - -#define DONTUSENOTIFICATIONS true - -static const int verboseCKDKVSDebugging = false; - -#ifndef NDEBUG - #define pdebug(format...) \ - do { \ - if (verboseCKDKVSDebugging) \ - NSLog(format); \ - } while (0) -#else - //empty - #define pdebug(format...) 
-#endif - - -extern CFStringRef kCKDKVSRemoteStoreID; -CFStringRef kCKDKVSRemoteStoreID = CFSTR("REMOTE"); -CFStringRef kCKDAWSRemoteStoreID = CFSTR("AWS"); - -NSString * const kCKDKVSWhoChangedItemKey = @"WhoChangedItemKey"; - -static NSString * const ourNSUbiquitousKeyValueStoreDidChangeExternallyNotification = @"ourNSUbiquitousKeyValueStoreDidChangeExternallyNotification"; - -// MARK: ----- CKDKeyValueStore ----- - -@implementation CKDKeyValueStore - -- (id)initWithIdentifier:(NSString *)identifier itemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock -{ - if (self = [super init]) - { - self.delegate = self; - self.identifier = identifier; - self->localKVS = true; - - // copy blocks onto heap - itemsChangedCallback = Block_copy(itemsChangedBlock); - - [[NSNotificationCenter defaultCenter] addObserver: self - selector: @selector (iCloudAccountAvailabilityChanged:) - name: NSUbiquityIdentityDidChangeNotification - object: nil]; - - [[NSNotificationCenter defaultCenter] addObserver:self - selector:@selector(cloudChanged:) - name:ourNSUbiquitousKeyValueStoreDidChangeExternallyNotification - object:nil]; - } - return self; -} - -+ (CKDKeyValueStore *)defaultStore:(NSString *)identifier itemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock -{ - return [CKDKeyValueStoreCollection defaultStore:identifier itemsChangedBlock:itemsChangedBlock]; -} - -- (BOOL)synchronize -{ - BOOL value = NO; - value = [CKDKeyValueStoreCollection enqueueSyncWithReply]; - - return value; -} - -- (BOOL)isLocalKVS -{ - return YES; -} - -- (id)objectForKey:(NSString *)aKey -{ - pdebug(@"retrieving value for key \"%@\"", aKey); - id value = [CKDKeyValueStoreCollection enqueueWithReply:aKey]; - pdebug(@"retrieved value for key \"%@\": %@", aKey, value); - return value; -} - -- (void)setObject:(id)anObject forKey:(NSString *)aKey -{ - pdebug(@"setting value for key \"%@\"", aKey); - [CKDKeyValueStoreCollection enqueueWrite:anObject forKey:aKey from:self.identifier]; -} - -- 
(void)removeObjectForKey:(NSString *)aKey -{ - pdebug(@"removing value for key \"%@\"", aKey); - [CKDKeyValueStoreCollection enqueueWrite:NULL forKey:aKey from:self.identifier]; -} - -- (NSDictionary *)dictionaryRepresentation -{ - pdebug(@"retrieving dictionaryRepresentation"); - id value = [CKDKeyValueStoreCollection enqueueWithReply:NULL]; - pdebug(@"retrieved dictionaryRepresentation: %@", value); - return value; -} - -- (void)setDictionaryRepresentation:(NSMutableDictionary *)initialValue -{ - // DEBUG - [CKDKeyValueStoreCollection enqueueWrite:initialValue forKey:NULL from:self.identifier]; -} - -- (void)clearPersistentStores -{ -} - -+ (CFStringRef)remoteStoreID -{ - return kCKDKVSRemoteStoreID; -} - -// MARK: ----- copied from real kvs ----- - -- (id)initWithItemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock -{ - if (self = [super init]) - { - // copy blocks onto heap - itemsChangedCallback = Block_copy(itemsChangedBlock); - - [[NSNotificationCenter defaultCenter] addObserver: self - selector: @selector (iCloudAccountAvailabilityChanged:) - name: NSUbiquityIdentityDidChangeNotification - object: nil]; - - [[NSNotificationCenter defaultCenter] addObserver:self - selector:@selector(cloudChanged:) - name:ourNSUbiquitousKeyValueStoreDidChangeExternallyNotification - object:nil]; - } - return self; -} - -- (void)dealloc -{ - - [[NSNotificationCenter defaultCenter] removeObserver:self - name:ourNSUbiquitousKeyValueStoreDidChangeExternallyNotification object:nil]; - - [[NSNotificationCenter defaultCenter] removeObserver:self - name:NSUbiquityIdentityDidChangeNotification object:nil]; - - Block_release(itemsChangedCallback); - [super dealloc]; -} - -- (void)cloudChanged:(NSNotification*)notification -{ - /* - Posted when the value of one or more keys in the local key-value store changed due to incoming data pushed from iCloud. - This notification is sent only upon a change received from iCloud; it is not sent when your app sets a value. 
- - The user info dictionary can contain the reason for the notification as well as a list of which values changed, as follows: - - The value of the NSUbiquitousKeyValueStoreChangeReasonKey key, when present, indicates why the key-value store changed. - Its value is one of the constants in âChange Reason Values .â The value of the NSUbiquitousKeyValueStoreChangedKeysKey, - when present, is an array of strings, each the name of a key whose value changed. The notification object is the - NSUbiquitousKeyValueStore object whose contents changed. - - enum { - NSUbiquitousKeyValueStoreServerChange NS_ENUM_AVAILABLE(10_7, 5_0), - NSUbiquitousKeyValueStoreInitialSyncChange NS_ENUM_AVAILABLE(10_7, 5_0), - NSUbiquitousKeyValueStoreQuotaViolationChange NS_ENUM_AVAILABLE(10_7, 5_0), - NSUbiquitousKeyValueStoreAccountChange NS_ENUM_AVAILABLE(10_8, 6_0) - }; - - */ - - NSDictionary *userInfo = [notification userInfo]; - NSNumber *reason = [userInfo objectForKey:NSUbiquitousKeyValueStoreChangeReasonKey]; - NSInteger reasonValue = -1; - - pdebug(@"cloudChanged notification: %@", notification); - - NSString *whoChangedIt = [userInfo objectForKey:kCKDKVSWhoChangedItemKey]; - - if (self.identifier && whoChangedIt && [self.identifier isEqualToString:whoChangedIt]) - { - pdebug(@"cloudChanged by us (%@), ignoring event", self.identifier); - return; - } - - if (reason) - { - reasonValue = [reason integerValue]; - NSArray *reasonStrings = [NSArray arrayWithObjects:@"Server", @"InitialSync", @"QuotaViolation", @"Account", @"unknown", nil]; - long ridx = (NSUbiquitousKeyValueStoreServerChange <= reasonValue && reasonValue <= NSUbiquitousKeyValueStoreAccountChange)?reasonValue : 5; - pdebug(@"cloudChanged with reason %ld (%@ Change)", (long)reasonValue, [reasonStrings objectAtIndex:ridx]); - } - - if ((reasonValue == NSUbiquitousKeyValueStoreServerChange) || - (reasonValue == NSUbiquitousKeyValueStoreInitialSyncChange)) - { - NSArray *keysChangedInCloud = [userInfo 
objectForKey:NSUbiquitousKeyValueStoreChangedKeysKey]; - pdebug(@"keysChangedInCloud: %@", keysChangedInCloud); - NSMutableDictionary *changedValues = [NSMutableDictionary dictionaryWithCapacity:0]; - [keysChangedInCloud enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) - { - NSString *key = (NSString *)obj; - // itemChangedCallback(key, [self.store objectForKey:key]); - id anObject = @"FIXME"; //[self.store objectForKey:key]; - [changedValues setObject:anObject forKey:key]; - - pdebug(@"storeChanged updated value for %@", key); - }]; - itemsChangedCallback((CFDictionaryRef)changedValues); // fix me ************************* - } -} - - - -@end - -// MARK: ----- CKDKeyValueStoreCollection ----- - -@implementation CKDKeyValueStoreCollection - -- (id)init -{ - if (self = [super init]) - { - self.collection = [NSMutableDictionary dictionaryWithCapacity:0]; - self->syncrequestqueue = dispatch_queue_create("syncrequestqueue", DISPATCH_QUEUE_SERIAL); - self->store = [NSMutableDictionary dictionaryWithCapacity:0]; - } - return self; -} - -// maybe should return (CKDKeyValueStore *), main thing is that it matches the protocol -+ (id <CKDKVSDelegate>)defaultStore:(NSString *)identifier itemsChangedBlock:(CloudItemsChangedBlock)itemsChangedBlock -{ - // look it up in the collection and return singleton - if (identifier == NULL) - return (id <CKDKVSDelegate>)[NSUbiquitousKeyValueStore defaultStore]; - - CKDKeyValueStoreCollection *mall = [CKDKeyValueStoreCollection sharedInstance]; - id <CKDKVSDelegate> store = mall.collection[identifier]; - if (!store) - { - store = [[CKDKeyValueStore alloc] initWithIdentifier:identifier itemsChangedBlock:itemsChangedBlock]; - mall->_collection[identifier] = store; - } - return store; - -} - -+ (id)sharedInstance -{ - static dispatch_once_t once; - static CKDKeyValueStoreCollection *sharedStoreCollection; - dispatch_once(&once, ^ { sharedStoreCollection = [[self alloc] init]; }); - return sharedStoreCollection; -} - -+ 
(void)enqueueWrite:(id)anObject forKey:(NSString *)aKey from:(NSString *)identifier -{ - CKDKeyValueStoreCollection *mall = [CKDKeyValueStoreCollection sharedInstance]; - dispatch_async(mall->syncrequestqueue, ^void () - { - if (aKey==NULL && (CFGetTypeID(anObject)==CFDictionaryGetTypeID())) - { - [mall->store setDictionary:anObject]; - [self postItemsChangedNotification:[anObject allKeys] from:identifier]; - } - else - { - if (anObject) - [mall->store setObject:anObject forKey:aKey]; - else - [mall->store removeObjectForKey:aKey]; - [CKDKeyValueStoreCollection postItemChangedNotification:aKey from:identifier]; - } - - }); -} - -+ (id)enqueueWithReply:(NSString *)aKey -{ - __block id value = NULL; - CKDKeyValueStoreCollection *mall = [CKDKeyValueStoreCollection sharedInstance]; - dispatch_sync(mall->syncrequestqueue, ^void () - { - value = (aKey==NULL)?mall->store:[mall->store objectForKey:aKey]; - }); - return value; -} - -+ (BOOL)enqueueSyncWithReply -{ - // basically a barrier - __block BOOL value = false; - CKDKeyValueStoreCollection *mall = [CKDKeyValueStoreCollection sharedInstance]; - dispatch_sync(mall->syncrequestqueue, ^void () - { - value = true; - }); - return value; -} - -+ (void)postItemChangedNotification:(NSString *)keyThatChanged from:(NSString *)identifier -{ - // convenience routine when a single key changes - NSArray *keysThatChanged = [NSArray arrayWithObject:keyThatChanged]; - [self postItemsChangedNotification:keysThatChanged from:identifier]; -// [keysThatChanged release]; -} - -+ (void)postItemsChangedNotification:(NSArray *)keysThatChanged from:(NSString *)identifier -{ - // add in array of keys plus the id of who changed it - NSDictionary *aUserInfo = [NSDictionary dictionaryWithObjectsAndKeys: - keysThatChanged, NSUbiquitousKeyValueStoreChangedKeysKey, - @(NSUbiquitousKeyValueStoreServerChange), NSUbiquitousKeyValueStoreChangeReasonKey, - identifier, kCKDKVSWhoChangedItemKey, - nil]; - - [[NSNotificationCenter defaultCenter] 
postNotificationName:ourNSUbiquitousKeyValueStoreDidChangeExternallyNotification - object:nil userInfo:aUserInfo]; - // NSArray *keysChangedInCloud = [userInfo objectForKey:NSUbiquitousKeyValueStoreChangedKeysKey]; -} - - -@end - diff --git a/OSX/sec/SOSCircle/Regressions/SOSRegressionUtilities.c b/OSX/sec/SOSCircle/Regressions/SOSRegressionUtilities.c index 21e6d66d..6b72c558 100644 --- a/OSX/sec/SOSCircle/Regressions/SOSRegressionUtilities.c +++ b/OSX/sec/SOSCircle/Regressions/SOSRegressionUtilities.c @@ -306,7 +306,7 @@ SOSPeerInfoRef SOSCreatePeerInfoFromName(CFStringRef name, SecKeyRef* outSigning require(outSigningKey, exit); - GeneratePermanentECPair(256, &publicKey, outSigningKey); + require_quiet(SecError(GeneratePermanentECPair(256, &publicKey, outSigningKey), error, CFSTR("Failed To Create Key")), exit); gestalt = SOSCreatePeerGestaltFromName(name); require(gestalt, exit); diff --git a/OSX/sec/SOSCircle/Regressions/SOSTestDataSource.c b/OSX/sec/SOSCircle/Regressions/SOSTestDataSource.c index 290aa985..beb83e15 100644 --- a/OSX/sec/SOSCircle/Regressions/SOSTestDataSource.c +++ b/OSX/sec/SOSCircle/Regressions/SOSTestDataSource.c @@ -27,6 +27,8 @@ #include <corecrypto/ccder.h> #include <Security/SecureObjectSync/SOSDataSource.h> #include <Security/SecureObjectSync/SOSDigestVector.h> +#include <Security/SecureObjectSync/SOSViews.h> + #include <utilities/array_size.h> #include <utilities/der_plist.h> #include <utilities/SecCFError.h> 
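Review bot: The new `require_quiet(SecError(GeneratePermanentECPair(256, &publicKey, outSigningKey), error, CFSTR("Failed To Create Key")), exit);` finally checks the key-generation status, but the hunk does not show what `exit:` does with `publicKey` and `*outSigningKey` on that path; if GeneratePermanentECPair can hand back one key before failing on the other, `exit:` has to release both and leave `*outSigningKey` NULL so the caller is not left holding a half-initialised key alongside a NULL return. A short comment on the new line would record that contract, e.g. `// on failure, publicKey/outSigningKey are released at exit:`. SOSCreatePeerInfoFromName begins and ends outside the hunk, so the cleanup path itself is not visible here.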
@@ -82,7 +84,7 @@ static SOSManifestRef dsCopyManifestWithViewNameSet(SOSDataSourceRef data_source return manifest; } -static bool foreach_object(SOSDataSourceRef data_source, SOSManifestRef manifest, CFErrorRef *error, void (^handle_object)(CFDataRef key, SOSObjectRef object, bool *stop)) { +static bool foreach_object(SOSDataSourceRef data_source, SOSTransactionRef txn, SOSManifestRef manifest, CFErrorRef *error, void (^handle_object)(CFDataRef key, SOSObjectRef object, bool *stop)) { struct SOSTestDataSource *ds = (struct SOSTestDataSource *)data_source; ds->co_count++; __block bool result = true; @@ -276,11 +278,13 @@ static CFStringRef dsGetName(SOSDataSourceRef ds) { return CFSTR("The sky is made of butterflies"); } -static void dsSetNotifyPhaseBlock(SOSDataSourceRef ds, dispatch_queue_t queue, SOSDataSourceNotifyBlock notifyBlock) { - ((SOSTestDataSourceRef)ds)->notifyBlock = Block_copy(notifyBlock); +static void dsAddNotifyPhaseBlock(SOSDataSourceRef ds, SOSDataSourceNotifyBlock notifyBlock) { + SOSTestDataSourceRef tds = (SOSTestDataSourceRef)ds; + assert(tds->notifyBlock == NULL); + tds->notifyBlock = Block_copy(notifyBlock); } -static CFDataRef dsCopyStateWithKey(SOSDataSourceRef ds, CFStringRef key, CFStringRef pdmn, CFErrorRef *error) { +static CFDataRef dsCopyStateWithKey(SOSDataSourceRef ds, CFStringRef key, CFStringRef pdmn, SOSTransactionRef txn, CFErrorRef *error) { SOSTestDataSourceRef tds = (SOSTestDataSourceRef)ds; CFStringRef dbkey = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@-%@"), pdmn, key); CFDataRef state = CFDictionaryGetValue(tds->statedb, dbkey); 
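Review bot: `assert(tds->notifyBlock == NULL);` in the new dsAddNotifyPhaseBlock only guards debug builds; with NDEBUG a second registration silently overwrites the block copied by the first call, leaking it and dropping the first observer. Since the test data source deliberately holds a single notify block, either make the check unconditional or at least release the old copy, `if (tds->notifyBlock != NULL) { Block_release(tds->notifyBlock); }` before `tds->notifyBlock = Block_copy(notifyBlock);`. In the same file, foreach_object and dsCopyStateWithKey gain a `txn` parameter they never read; a `(void)txn;` or a one-line comment that the test double has no transaction state would make that deliberate rather than accidental. Confirm `<assert.h>` is already included in this file, since the include hunk above only adds SOSViews.h.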
@@ -293,7 +297,7 @@ static CFDataRef dsCopyItemDataWithKeys(SOSDataSourceRef data_source, CFDictiona
 return NULL;
 }
-static bool dsWith(SOSDataSourceRef ds, CFErrorRef *error, SOSDataSourceTransactionSource source, void(^transaction)(SOSTransactionRef txn, bool *commit)) {
+static bool dsWith(SOSDataSourceRef ds, CFErrorRef *error, SOSDataSourceTransactionSource source, bool onCommitQueue, void(^transaction)(SOSTransactionRef txn, bool *commit)) {
 SOSTestDataSourceRef tds = (SOSTestDataSourceRef)ds;
 bool commit = true;
 transaction((SOSTransactionRef)ds, &commit);
@@ -304,6 +308,12 @@ static bool dsWith(SOSDataSourceRef ds, CFErrorRef *error, SOSDataSourceTransact
 return true;
 }
+static bool dsReadWith(SOSDataSourceRef ds, CFErrorRef *error, SOSDataSourceTransactionSource source, void(^perform)(SOSTransactionRef txn)) {
+ SOSTestDataSourceRef tds = (SOSTestDataSourceRef)ds;
+ perform((SOSTransactionRef)tds);
+ return true;
+}
+
 static bool dsSetStateWithKey(SOSDataSourceRef ds, SOSTransactionRef txn, CFStringRef pdmn, CFStringRef key, CFDataRef state, CFErrorRef *error) {
 SOSTestDataSourceRef tds = (SOSTestDataSourceRef)ds;
 CFStringRef dbkey = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@-%@"), pdmn, key);
@@ -329,7 +339,7 @@ SOSDataSourceRef SOSTestDataSourceCreate(void) {
 ds->ds.engine = NULL;
 ds->ds.dsGetName = dsGetName;
- ds->ds.dsSetNotifyPhaseBlock = dsSetNotifyPhaseBlock;
+ ds->ds.dsAddNotifyPhaseBlock = dsAddNotifyPhaseBlock;
 ds->ds.dsCopyManifestWithViewNameSet = dsCopyManifestWithViewNameSet;
 ds->ds.dsForEachObject = foreach_object;
 ds->ds.dsCopyStateWithKey = dsCopyStateWithKey;
@@ -337,6 +347,7 @@ SOSDataSourceRef SOSTestDataSourceCreate(void) {
 ds->ds.dsWith = dsWith;
 ds->ds.dsRelease = dispose;
+ ds->ds.dsReadWith = dsReadWith;
 ds->ds.dsMergeObject = mergeObject;
 ds->ds.dsSetStateWithKey = dsSetStateWithKey;
@@ -507,7 +518,7 @@ SOSObjectRef SOSDataSourceCopyObject(SOSDataSourceRef ds, SOSObjectRef match, CF
 require(digest, exit);
 manifest = SOSManifestCreateWithData(digest, error);
- SOSDataSourceForEachObject(ds, manifest, error, ^void (CFDataRef key, SOSObjectRef object, bool *stop) {
+ SOSDataSourceForEachObject(ds, NULL, manifest, error, ^void (CFDataRef key, SOSObjectRef object, bool *stop) {
 if (object == NULL) {
 if (error && !*error) {
 SecCFCreateErrorWithFormat(kSOSDataSourceObjectNotFoundError, sSOSDataSourceErrorDomain, NULL, error, 0, CFSTR("key %@ not in database"), key);
diff --git a/OSX/sec/SOSCircle/Regressions/SOSTestDevice.c b/OSX/sec/SOSCircle/Regressions/SOSTestDevice.c
index 91375914..a06f523c 100644
--- a/OSX/sec/SOSCircle/Regressions/SOSTestDevice.c
+++ b/OSX/sec/SOSCircle/Regressions/SOSTestDevice.c
@@ -31,6 +31,7 @@
 #include <Security/SecureObjectSync/SOSCloudCircle.h>
 #include <Security/SecureObjectSync/SOSEngine.h>
 #include <Security/SecureObjectSync/SOSPeer.h>
+#include <Security/SecureObjectSync/SOSViews.h>
 #include <Security/SecBase64.h>
 #include <Security/SecItem.h>
 #include <Security/SecItemPriv.h>
@@ -165,9 +166,8 @@ CFSetRef SOSViewsCopyTestV0Default() {
 return CFSetCreate(kCFAllocatorDefault, values, array_size(values), &kCFTypeSetCallBacks);
 }
-CFSetRef SOSViewsCopyTestV2Default() {
- const void *values[] = { kSOSViewWiFi, kSOSViewAutofillPasswords, kSOSViewSafariCreditCards, kSOSViewiCloudIdentity, kSOSViewBackupBagV0, kSOSViewOtherSyncable, kSOSViewPCSMasterKey, kSOSViewPCSiCloudDrive, kSOSViewPCSPhotos, kSOSViewPCSCloudKit, kSOSViewPCSEscrow, kSOSViewPCSFDE, kSOSViewPCSMailDrop, kSOSViewPCSiCloudBackup, kSOSViewPCSNotes, kSOSViewPCSiMessage, kSOSViewPCSFeldspar, kSOSViewAppleTV, kSOSViewHomeKit };
- return CFSetCreate(kCFAllocatorDefault, values, array_size(values), &kCFTypeSetCallBacks);
+CFSetRef SOSViewsCopyTestV2Default() { // this was originally listing all the views - not just the defaults - but those used to be the default. So we'll programatically get all - the actual test depends on that.
+ return SOSViewCopyViewSet(kViewSetAll);
 }
 SOSTestDeviceRef SOSTestDeviceSetPeerIDs(SOSTestDeviceRef td, CFArrayRef peerIDs, CFIndex version, CFSetRef defaultViews) {
@@ -224,6 +224,14 @@ bool SOSTestDeviceIsMute(SOSTestDeviceRef td) {
 return td->mute;
 }
+bool SOSTestDeviceSetEngineState(SOSTestDeviceRef td, CFDataRef derEngineState) {
+ CFErrorRef localError = NULL;
+ SOSTestEngineSaveWithDER(td->ds->engine, derEngineState, &localError);
+ return true;
+}
+
+
+
 CFDataRef SOSTestDeviceCreateMessage(SOSTestDeviceRef td, CFStringRef peerID) {
 setup("create message");
 CFErrorRef error = NULL;
diff --git a/OSX/sec/SOSCircle/Regressions/SOSTestDevice.h b/OSX/sec/SOSCircle/Regressions/SOSTestDevice.h
index c22e00f2..a5f304ae 100644
--- a/OSX/sec/SOSCircle/Regressions/SOSTestDevice.h
+++ b/OSX/sec/SOSCircle/Regressions/SOSTestDevice.h
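Review bot: SOSTestDeviceSetEngineState discards the outcome of SOSTestEngineSaveWithDER and returns true unconditionally, and `localError` is never released, so a failed restore of engine state is invisible to the test and any CFErrorRef produced leaks. If SOSTestEngineSaveWithDER reports success through its return value (its declaration is not visible here), return that instead: `bool saved = SOSTestEngineSaveWithDER(td->ds->engine, derEngineState, &localError);` then `CFReleaseNull(localError);` and `return saved;`; otherwise return `localError == NULL` after releasing it. The three blank `+` lines following the function are stray whitespace.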
@@ -51,6 +51,8 @@ void SOSTestDeviceDestroyEngine(CFMutableDictionaryRef testDevices);
 SOSTestDeviceRef SOSTestDeviceSetMute(SOSTestDeviceRef td, bool mute);
 bool SOSTestDeviceIsMute(SOSTestDeviceRef td);
+bool SOSTestDeviceSetEngineState(SOSTestDeviceRef td, CFDataRef derEngineState);
+
 CFDataRef SOSTestDeviceCreateMessage(SOSTestDeviceRef td, CFStringRef peerID);
 bool SOSTestDeviceHandleMessage(SOSTestDeviceRef td, CFStringRef peerID, CFDataRef msgData);
diff --git a/OSX/sec/SOSCircle/Regressions/sc-130-resignationticket.c b/OSX/sec/SOSCircle/Regressions/sc-130-resignationticket.c
index 78222216..c74d3d67 100644
--- a/OSX/sec/SOSCircle/Regressions/sc-130-resignationticket.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-130-resignationticket.c
@@ -61,10 +61,19 @@ static piStuff *makeSimplePeer(char *name) {
 return pi;
 }
+static void freeSimplePeer(piStuff *pi)
+{
+ CFReleaseSafe(pi->fpi);
+ CFReleaseSafe(pi->signingKey);
+ CFReleaseSafe(pi->resignation_ticket);
+ free(pi);
+}
+
 static inline bool retire_me(piStuff *pi, size_t seconds) {
 return SOSPeerInfoRetireRetirementTicket(seconds, pi->resignation_ticket);
 }
+
 static inline bool chkBasicTicket(piStuff *pi) {
 return CFEqual(SOSPeerInfoInspectRetirementTicket(pi->resignation_ticket, NULL), SOSPeerInfoGetPeerID(pi->pi));
 }
@@ -120,8 +129,8 @@ static void tests(void)
 sleep(2);
 ok(retire_me(iPhone, 1), "ticket not valid");
- CFDateRef retdate = NULL;
- ok((retdate = SOSPeerInfoGetRetirementDate(iPhone->resignation_ticket)) != NULL, "got retirement date %@", retdate);
+ CFDateRef retdate = SOSPeerInfoGetRetirementDate(iPhone->resignation_ticket);
+ ok(retdate != NULL, "got retirement date %@", retdate);
 CFReleaseSafe(retdate);
 ok(PeerInfoRoundTrip(iPhone->resignation_ticket), "retirement ticket safely DERs");
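Review bot: freeSimplePeer releases `pi->fpi`, `pi->signingKey` and `pi->resignation_ticket` but not `pi->pi`, which chkBasicTicket reads; if makeSimplePeer (it starts outside the hunk) retains that peer info separately it now leaks, and if it is the unretained peer info owned by `pi->fpi` a comment `// pi->pi is owned by pi->fpi; not released separately` would record that. In the second hunk `retdate` comes from SOSPeerInfoGetRetirementDate and is then handed to CFReleaseSafe; under the CF Get/Copy convention a Get result is not owned by the caller, so either this over-releases or the function is misnamed, which is worth confirming against its definition. tests() continues outside the hunk.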
@@ -130,6 +139,11 @@ static void tests(void)
 ok((appdate = SOSPeerInfoGetApplicationDate(iPhone->resignation_ticket)) != NULL, "got application date %@", appdate);
 CFReleaseSafe(appdate);
 #endif
+
+ freeSimplePeer(iPhone);
+ freeSimplePeer(iPad);
+ freeSimplePeer(iMac);
+ freeSimplePeer(iDrone);
 }
 static int kTestTestCount = 12;
diff --git a/OSX/sec/SOSCircle/Regressions/sc-140-hsa2.c b/OSX/sec/SOSCircle/Regressions/sc-140-hsa2.c
index 3ca3a38b..15e03c51 100644
--- a/OSX/sec/SOSCircle/Regressions/sc-140-hsa2.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-140-hsa2.c
@@ -24,257 +24,14 @@
 #include <stdio.h>
-#include "secd_regressions.h"
-
-#include <CoreFoundation/CFData.h>
-#include <Security/SecOTRSession.h>
-#include <Security/SecOTRIdentityPriv.h>
-#include <Security/SecInternal.h>
-#include <Security/SecBasePriv.h>
-#include <Security/SecKeyPriv.h>
-#include <AssertMacros.h>
-
-#include <Security/SecureObjectSync/SOSPeerInfo.h>
-#include <Security/SecureObjectSync/SOSCircle.h>
-#include <Security/SecureObjectSync/SOSCloudCircle.h>
-#include <Security/SecureObjectSync/SOSInternal.h>
-#include <Security/SecureObjectSync/SOSUserKeygen.h>
-#include <Security/SecureObjectSync/SOSTransport.h>
-#include <Security/SecureObjectSync/SOSForerunnerSession.h>
-
 #include "SOSCircle_regressions.h"
-#include "SOSRegressionUtilities.h"
-#include "SOSTestDataSource.h"
-#include "SecOTRRemote.h"
-#include "SOSAccount.h"
-
-#include "SecdTestKeychainUtilities.h"
-
-#define FRT_USERNAME "username"
-#define FRT_CIRCLE_SECRET "867530"
-#define FRT_CIRCLE_WRONG_SECRET "789345"
-
-#define FRT_DSID 4241983
-
-static const unsigned char frt_hsa2_data[] = "1138";
-
-enum {
- CORRUPT_REQUEST,
- CORRUPT_CHALLENGE,
- CORRUPT_RESPONSE,
- CORRUPT_HSA2,
- WRONG_SECRET,
-};
-
-static const int _success_test_count = 8;
-static const int _failure_test_count = 1;
-static const int _failure_test_runs = 5;
-
-static const int _test_count = _success_test_count +
- (_failure_test_count * _failure_test_runs);
-
-static void
-corrupt_data(CFDataRef data, bool partial)
-{
- uint8_t *ptr = NULL;
- size_t len = 0;
- size_t i = 0;
-
- ptr = (uint8_t *)CFDataGetBytePtr(data);
- len = CFDataGetLength(data);
-
- // Don't corrupt the magic number and version, so we're forced to exercise - the validation logic for SRP.
- if (partial && len >= 16) {
- ptr += 32;
- len -= 32;
- }
-
- for (i = 0; i < len; i++) {
- ptr[i] = ~(ptr[i]);
- }
-}
-
-static void
-success_path(void)
-{
- CFErrorRef cferror = NULL;
- SOSForerunnerRequestorSessionRef requestor = NULL;
- SOSForerunnerAcceptorSessionRef acceptor = NULL;
-
- CFDataRef request = NULL;
- CFDataRef challenge = NULL;
- CFDataRef response = NULL;
- CFDataRef hsa2 = NULL;
- CFDataRef hsa2_decrypted = NULL;
-
- CFDataRef hsa2code = NULL;
- CFDataRef unencrypted = NULL;
- CFDataRef encrypted = NULL;
- CFDataRef decrypted = NULL;
-
- requestor = SOSForerunnerRequestorSessionCreate(NULL,
- CFSTR(FRT_USERNAME), FRT_DSID);
- ok(requestor, "requestor session created");
- require(requestor, xit);
-
- acceptor = SOSForerunnerAcceptorSessionCreate(NULL, CFSTR(FRT_USERNAME),
- FRT_DSID, CFSTR(FRT_CIRCLE_SECRET));
- ok(acceptor, "acceptor session created");
- require(acceptor, xit);
-
- request = SOSFRSCopyRequestPacket(requestor, &cferror);
- ok(request, "request packet created, error = %@", cferror);
- require(request, xit);
-
- challenge = SOSFASCopyChallengePacket(acceptor, request, &cferror);
- ok(challenge, "challenge packet created, error = %@", cferror);
- require(challenge, xit);
-
- response = SOSFRSCopyResponsePacket(requestor, challenge,
- CFSTR(FRT_CIRCLE_SECRET), NULL, &cferror);
- ok(response, "response packet created, error = %@", cferror);
- require(response, xit);
-
- hsa2code = CFDataCreate(NULL, frt_hsa2_data, sizeof(frt_hsa2_data) - 1);
- hsa2 = SOSFASCopyHSA2Packet(acceptor, response, hsa2code, &cferror);
- ok(hsa2, "hsa2 packet created, error = %@", cferror);
- require(hsa2, xit);
-
- hsa2_decrypted = SOSFRSCopyHSA2CodeFromPacket(requestor, hsa2, &cferror);
- ok(hsa2_decrypted);
- require(hsa2_decrypted, xit);
-
- ok(CFEqual(hsa2_decrypted, hsa2code));
-
-xit:
- CFReleaseNull(requestor);
- CFReleaseNull(acceptor);
-
- CFReleaseNull(hsa2code);
- CFReleaseNull(hsa2_decrypted);
- CFReleaseNull(hsa2);
- CFReleaseNull(request);
- CFReleaseNull(challenge);
- CFReleaseNull(response);
-
- CFReleaseNull(unencrypted);
- CFReleaseNull(encrypted);
- CFReleaseNull(decrypted);
-}
-
-static void
-failure_path(int which)
-{
- CFErrorRef cferror = NULL;
- SOSForerunnerRequestorSessionRef requestor = NULL;
- SOSForerunnerAcceptorSessionRef acceptor = NULL;
-
- CFDataRef hsa2code = NULL;
- CFDataRef request = NULL;
- CFDataRef challenge = NULL;
- CFDataRef response = NULL;
- CFDataRef hsa2packet = NULL;
- CFDataRef hsa2_decrypted = NULL;
- CFStringRef secret = CFSTR(FRT_CIRCLE_SECRET);
-
- requestor = SOSForerunnerRequestorSessionCreate(NULL, CFSTR(FRT_USERNAME),
- FRT_DSID);
- require(requestor, xit);
-
- acceptor = SOSForerunnerAcceptorSessionCreate(NULL, CFSTR(FRT_USERNAME),
- FRT_DSID, CFSTR(FRT_CIRCLE_SECRET));
- require(acceptor, xit);
-
- request = SOSFRSCopyRequestPacket(requestor, &cferror);
- require(request, xit);
-
- if (which == CORRUPT_REQUEST) {
- corrupt_data(request, false);
- }
-
- challenge = SOSFASCopyChallengePacket(acceptor, request, &cferror);
- if (which == CORRUPT_REQUEST) {
- ok(challenge == NULL, "did not create challenge packet");
- goto xit;
- } else {
- require(challenge, xit);
- }
-
- if (which == CORRUPT_CHALLENGE) {
- corrupt_data(challenge, true);
- } else if (which == WRONG_SECRET) {
- secret = CFSTR(FRT_CIRCLE_WRONG_SECRET);
- }
-
- response = SOSFRSCopyResponsePacket(requestor, challenge, secret, NULL,
- &cferror);
- if (which == CORRUPT_CHALLENGE) {
- ok(response == NULL, "did not create response packet");
- goto xit;
- } else {
- require(response, xit);
- }
-
- if (which == CORRUPT_RESPONSE) {
- corrupt_data(response, true);
- }
-
- hsa2code = CFDataCreate(NULL, frt_hsa2_data, sizeof(frt_hsa2_data) - 1);
- hsa2packet = SOSFASCopyHSA2Packet(acceptor, response, hsa2code, &cferror);
- if (which == CORRUPT_RESPONSE) {
- ok(hsa2packet == NULL, "did not create hsa2 packet");
- goto xit;
- } else if (which == WRONG_SECRET) {
- ok(hsa2packet == NULL, "did not create hsa2 packet from bad secret");
- goto xit;
- } else {
- require(hsa2packet, xit);
- }
-
- if (which == CORRUPT_HSA2) {
- corrupt_data(hsa2packet, true);
- }
-
- hsa2_decrypted = SOSFRSCopyHSA2CodeFromPacket(requestor, hsa2packet,
- &cferror);
- if (which == CORRUPT_HSA2) {
- ok(hsa2_decrypted == NULL, "did not decrypt hsa2 code, error = %@",
- cferror);
- goto xit;
- } else {
- require(hsa2packet, xit);
- }
-
-xit:
- CFReleaseNull(requestor);
- CFReleaseNull(acceptor);
-
- CFReleaseNull(hsa2code);
- CFReleaseNull(hsa2packet);
- CFReleaseNull(hsa2_decrypted);
- CFReleaseNull(request);
- CFReleaseNull(challenge);
- CFReleaseNull(response);
-}
-
-static void
-tests(void)
-{
- success_path();
- failure_path(CORRUPT_REQUEST);
- failure_path(CORRUPT_CHALLENGE);
- failure_path(CORRUPT_RESPONSE);
- failure_path(CORRUPT_HSA2);
- failure_path(WRONG_SECRET);
-}
 int sc_140_hsa2(int argc, char *const *argv)
 {
- plan_tests(_test_count);
+ plan_tests(1);
- tests();
+ ok(true);
 return 0;
 }
diff --git a/OSX/sec/SOSCircle/Regressions/sc-150-backupkeyderivation.c b/OSX/sec/SOSCircle/Regressions/sc-150-backupkeyderivation.c
index 74416773..7203620e 100644
--- a/OSX/sec/SOSCircle/Regressions/sc-150-backupkeyderivation.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-150-backupkeyderivation.c
@@ -2,8 +2,6 @@
 // sc-150-backupkeyderivation.c
 // sec
 //
-// Created by Mitch Adler on 4/7/15.
-//
 //
 #include <stdio.h>
@@ -47,7 +45,7 @@ static inline CFMutableDataRef CFDataCreateMutableWithRandom(CFAllocatorRef allo
 CFMutableDataRef result = NULL;
 CFMutableDataRef data = CFDataCreateMutableWithScratch(allocator, size);
- require_quiet(0 == SecRandomCopyBytes(kSecRandomDefault, size, CFDataGetMutableBytePtr(data)), fail);
+ require_quiet(errSecSuccess == SecRandomCopyBytes(kSecRandomDefault, size, CFDataGetMutableBytePtr(data)), fail);
 CFTransferRetained(result, data);
diff --git a/OSX/sec/SOSCircle/Regressions/sc-150-ring.c b/OSX/sec/SOSCircle/Regressions/sc-150-ring.c
index c1fa70e0..e4cc6ea1 100644
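Review bot: sc_140_hsa2 is reduced to `plan_tests(1); ok(true);` with no explanation, so the forerunner session coverage that exercised corrupted request/challenge/response/HSA2 packets and a wrong circle secret disappears silently and the file keeps passing as a green no-op. If the SOSForerunnerSession API this exercised is gone, say so at the top of the function, e.g. `// SOSForerunnerSession regression coverage removed; placeholder keeps the test slot (see <TRACKING-ID placeholder>)`, so nobody reads the passing test as real coverage. Dropping the now-unused includes and FRT_* constants along with the body is consistent.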
--- a/OSX/sec/SOSCircle/Regressions/sc-150-ring.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-150-ring.c
@@ -142,10 +142,17 @@ static void tests(void)
 CFReleaseNull(ringDER);
 CFReleaseNull(Ring2);
 CFReleaseNull(dev_a_key);
+ CFReleaseNull(dev_b_key);
+ CFReleaseNull(dev_c_key);
 CFReleaseNull(cfpassword);
 CFReleaseNull(user_privkey);
 CFReleaseNull(user_pubkey);
+
+ CFReleaseNull(peer_a_full_info);
+ CFReleaseNull(peer_b_full_info);
+ CFReleaseNull(peer_c_full_info);
+ CFReleaseNull(Ring);
 }
 int sc_150_Ring(int argc, char *const *argv)
diff --git a/OSX/sec/SOSCircle/Regressions/sc-153-backupslicekeybag.c b/OSX/sec/SOSCircle/Regressions/sc-153-backupslicekeybag.c
index 70ba1462..354d3f8f 100644
--- a/OSX/sec/SOSCircle/Regressions/sc-153-backupslicekeybag.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-153-backupslicekeybag.c
@@ -105,7 +105,6 @@ static void tests(void)
 SOSPeerInfoRef peer1WithBackup = SOSFullPeerInfoGetPeerInfo(fullPeer1WithBackup);
- SecKeyRef peer2SigningKey = NULL;
 SOSFullPeerInfoRef fullPeer2WithBackup = SOSCreateFullPeerInfoFromName(CFSTR("peer2WithBackupID"), &peer2SigningKey, &localError);
 ok(fullPeer2WithBackup, "Allocate peer 2 (%@)", localError);
@@ -119,8 +118,6 @@ static void tests(void)
 SOSPeerInfoRef peer2WithBackup = SOSFullPeerInfoGetPeerInfo(fullPeer2WithBackup);
-
-
 SOSBackupSliceKeyBagRef vb = SOSBackupSliceKeyBagCreate(kCFAllocatorDefault, piSet, &localError);
 ok(vb == NULL, "Should fail with no peers (%@)", localError);
 CFReleaseNull(localError);
@@ -129,14 +126,16 @@ static void tests(void)
 CFSetAddValue(piSet, peer1WithBackup);
 CFSetAddValue(piSet, peer2WithBackup);
+ SOSBackupSliceKeyBagRef vb2 = NULL;
+
 #if !TARGET_IPHONE_SIMULATOR
 vb = SOSBackupSliceKeyBagCreate(kCFAllocatorDefault, piSet, &localError);
 ok(vb != NULL, "Allocation: (%@)", localError);
 CFReleaseNull(localError);
- CFRetainAssign(vb, EncodeDecode(vb));
+ vb2 = EncodeDecode(vb);
- ok(vb != NULL, "transcoded");
+ ok(vb2 != NULL, "transcoded");
 #endif
 #if 0 // <rdar://problem/20561988> Have helper functions for new security object that load bags
@@ -153,19 +152,19 @@ TODO:{
 #endif
 CFReleaseNull(vb);
+ CFReleaseNull(vb2);
 CFReleaseNull(piSet);
- CFReleaseNull(peer1WithBackup);
 CFReleaseNull(peer1SigningKey);
 CFReleaseNull(peer1BackupPublic);
+ CFReleaseNull(fullPeer1WithBackup);
- CFReleaseNull(peer2WithBackup);
 CFReleaseNull(peer2SigningKey);
 CFReleaseNull(peer2BackupPublic);
+ CFReleaseNull(fullPeer2WithBackup);
 CFReleaseNull(entropy1);
 CFReleaseNull(entropy2);
- CFReleaseNull(peer1BackupPublic);
 }
 static int kTestTestCount = tests_count;
diff --git a/OSX/sec/SOSCircle/Regressions/sc-20-keynames.c b/OSX/sec/SOSCircle/Regressions/sc-20-keynames.c
index 8fc3711d..53012fe3 100644
--- a/OSX/sec/SOSCircle/Regressions/sc-20-keynames.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-20-keynames.c
@@ -50,6 +50,7 @@ static void tests(void)
 SecKeyRef publicKey = NULL;
 CFErrorRef error = NULL;
+
 SOSCircleRef circle = SOSCircleCreate(NULL, CFSTR("Test Circle"), &error);
 CFStringRef circle_key = SOSCircleKeyCreateWithCircle(circle, NULL);
@@ -60,8 +61,8 @@ static void tests(void)
 is(SOSKVSKeyGetKeyTypeAndParse(circle_key, &circle_name, NULL, NULL, NULL, NULL, NULL), kCircleKey, "Is circle key, extract name");
 ok(circle_name, "Circle name extracted");
 ok(CFEqualSafe(circle_name, SOSCircleGetName(circle)), "Circle name matches '%@' '%@'", circle_name, SOSCircleGetName(circle));
-
- CFReleaseSafe(circle_key);
+ CFReleaseNull(circle_name);
+ CFReleaseNull(circle_key);
 SOSPeerInfoRef pi = SOSCreatePeerInfoFromName(CFSTR("Test Peer"), &publicKey, &error);
@@ -121,12 +122,15 @@ static void tests(void)
 CFReleaseNull(message_circle_name);
 CFReleaseNull(message_from_peer_id);
 CFReleaseNull(message_to_peer_id);
+ CFReleaseNull(retirement_circle_name);
+ CFReleaseNull(retirement_peer_id);
+
 }
 int sc_20_keynames(int argc, char *const *argv)
 {
 plan_tests(kTestTestCount);
-
+
 tests();
 return 0;
diff --git a/OSX/sec/SOSCircle/Regressions/sc-25-soskeygen.c b/OSX/sec/SOSCircle/Regressions/sc-25-soskeygen.c
index c0248233..d3693545 100644
--- a/OSX/sec/SOSCircle/Regressions/sc-25-soskeygen.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-25-soskeygen.c
@@ -49,10 +49,19 @@
 #include "SOSRegressionUtilities.h"
-static int kTestTestCount = (10*(4+10*4));
+#if TARGET_OS_WATCH
+#define NPARMS 3
+#define NKEYS 3
+#else
+#define NPARMS 10
+#define NKEYS 10
+#endif
-static SecKeyRef getTestKey(CFDataRef cfpassword, CFDataRef parameters, CFErrorRef *error) {
+static int kTestTestCount = (NKEYS*(4+NPARMS*4));
+
+
+static SecKeyRef createTestKey(CFDataRef cfpassword, CFDataRef parameters, CFErrorRef *error) {
 SecKeyRef user_privkey = SOSUserKeygen(cfpassword, parameters, error);
 ok(user_privkey, "No key!");
 ok(*error == NULL, "Error: (%@)", *error);
@@ -64,24 +73,28 @@ static void tests(void) {
 CFErrorRef error = NULL;
 CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10);
- for(int j=0; j < 10; j++) {
+ for(int j=0; j < NPARMS; j++) {
 CFDataRef parameters = SOSUserKeyCreateGenerateParameters(&error);
 ok(parameters, "No parameters!");
 ok(error == NULL, "Error: (%@)", error);
 CFReleaseNull(error);
- SecKeyRef baseline_privkey = getTestKey(cfpassword, parameters, &error);
+ SecKeyRef baseline_privkey = createTestKey(cfpassword, parameters, &error);
 if(baseline_privkey) {
 SecKeyRef baseline_pubkey = SecKeyCreatePublicFromPrivate(baseline_privkey);
- for(int i = 0; i < 10; i++) {
- SecKeyRef user_privkey = getTestKey(cfpassword, parameters, &error);
+ for(int i = 0; i < NKEYS; i++) {
+ SecKeyRef user_privkey = createTestKey(cfpassword, parameters, &error);
 SecKeyRef user_pubkey = SecKeyCreatePublicFromPrivate(user_privkey);
 ok(CFEqualSafe(baseline_privkey, user_privkey), "Private Keys Don't Match");
 ok(CFEqualSafe(baseline_pubkey, user_pubkey), "Public Keys Don't Match");
 CFReleaseNull(error);
+ CFReleaseNull(user_privkey);
+ CFReleaseNull(user_pubkey);
 }
+ CFReleaseNull(baseline_pubkey);
 }
+ CFReleaseNull(baseline_privkey);
 CFReleaseNull(parameters);
 }
 CFReleaseNull(cfpassword);
diff --git a/OSX/sec/SOSCircle/Regressions/sc-31-peerinfo-simplefuzz.c b/OSX/sec/SOSCircle/Regressions/sc-31-peerinfo-simplefuzz.c
index 20a59b92..9f879fd6 100644
--- a/OSX/sec/SOSCircle/Regressions/sc-31-peerinfo-simplefuzz.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-31-peerinfo-simplefuzz.c
@@ -42,8 +42,6 @@ static void tests(void)
 SOSFullPeerInfoRef fpi = SOSCreateFullPeerInfoFromName(CFSTR("Test Peer"), &signingKey, NULL);
 SOSPeerInfoRef pi = SOSFullPeerInfoGetPeerInfo(fpi);
 unsigned long count;
-
- CFRetainSafe(pi);
 ok(NULL != pi, "info creation");
 size_t size = SOSPeerInfoGetDEREncodedSize(pi, NULL);
@@ -75,7 +73,7 @@ static void tests(void)
 errOut:
 CFReleaseNull(signingKey);
- CFReleaseNull(pi);
+ CFReleaseNull(fpi);
 }
 int sc_31_peerinfo(int argc, char *const *argv)
diff --git a/OSX/sec/SOSCircle/Regressions/sc-40-circle.c b/OSX/sec/SOSCircle/Regressions/sc-40-circle.c
index d8d63a8e..b75940a8 100644
--- a/OSX/sec/SOSCircle/Regressions/sc-40-circle.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-40-circle.c
@@ -51,15 +51,15 @@ static int kTestGenerationCount = 2;
 static void test_generation(void) {
 SOSGenCountRef generation = SOSGenerationCreate();
- SOSGenCountRef olderGeneration = SOSGenerationCreateWithBaseline(generation);
- SOSGenCountRef evenOlderGeneration = SOSGenerationCreateWithBaseline(olderGeneration);
+ SOSGenCountRef newerGeneration = SOSGenerationCreateWithBaseline(generation);
+ SOSGenCountRef evenNewerGeneration = SOSGenerationCreateWithBaseline(newerGeneration);
- ok(SOSGenerationIsOlder(olderGeneration, generation), "should be older");
- ok(SOSGenerationIsOlder(evenOlderGeneration, olderGeneration), "should be older");
+ ok(SOSGenerationIsOlder(generation, newerGeneration), "should be older");
+ ok(SOSGenerationIsOlder(newerGeneration, evenNewerGeneration), "should be older");
 CFReleaseNull(generation);
- CFReleaseNull(olderGeneration);
- CFReleaseNull(evenOlderGeneration);
+ CFReleaseNull(newerGeneration);
+ CFReleaseNull(evenNewerGeneration);
 }
@@ -121,7 +121,7 @@ static void tests(void)
 ok(inflated, "inflated");
 ok(CFEqualSafe(inflated, circle), "Compares");
-
+ CFReleaseNull(inflated);
 ok(SOSCircleRemovePeer(circle, user_privkey, peer_a_full_info, SOSFullPeerInfoGetPeerInfo(peer_a_full_info), NULL));
 ok(SOSCircleCountPeers(circle) == 0, "Peer count");
@@ -162,6 +162,9 @@ static void tests(void)
 CFReleaseNull(peer_b_full_info);
 CFReleaseNull(peer_c_full_info);
 CFReleaseNull(peer_d_full_info);
+
+ CFReleaseNull(user_privkey);
+ CFReleaseNull(circle);
 }
 int sc_40_circle(int argc, char *const *argv)
diff --git a/OSX/sec/SOSCircle/Regressions/sc-45-digestvector.c b/OSX/sec/SOSCircle/Regressions/sc-45-digestvector.c
index 912b3c72..b6fe07f5 100644
--- a/OSX/sec/SOSCircle/Regressions/sc-45-digestvector.c
+++ b/OSX/sec/SOSCircle/Regressions/sc-45-digestvector.c
@@ -139,6 +139,15 @@ static void testIntersectUnionDigestVector(void)
 desc = dvCopyString(&dvu);
 ok(CFEqual(CFSTR("abcdefgh"), desc), "uniqued dvu is %@, should be: %@", desc, CFSTR("abcdefgh"));
 CFReleaseNull(desc);
+
+ SOSDigestVectorFree(&dv1);
+ SOSDigestVectorFree(&dv2);
+ SOSDigestVectorFree(&dvu);
+ SOSDigestVectorFree(&dvintersect);
+ SOSDigestVectorFree(&dvunion);
+ SOSDigestVectorFree(&dvdels);
+ SOSDigestVectorFree(&dvadds);
+ SOSDigestVectorFree(&dvpatched);
 }
 static void tests(void)
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.c
index 5edbc568..b387b6fb 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.c
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.c
@@ -23,22 +23,28 @@
 #include <Security/SecureObjectSync/SOSRingUtils.h>
 #include <Security/SecureObjectSync/SOSPeerInfoSecurityProperties.h>
 #include <Security/SecureObjectSync/SOSPeerInfoV2.h>
+#include <Security/SecureObjectSync/SOSAccountTransaction.h>
 #include <Security/SecItemInternal.h>
 #include <SOSCircle/CKBridge/SOSCloudKeychainClient.h>
 #include <SOSCircle/Regressions/SOSRegressionUtilities.h>
+#include <utilities/SecCFWrappers.h>
+
 CFGiblisWithCompareFor(SOSAccount);
 const CFStringRef SOSTransportMessageTypeIDS = CFSTR("IDS");
+const CFStringRef SOSTransportMessageTypeIDSV2 = CFSTR("IDS2.0");
 const CFStringRef SOSTransportMessageTypeKVS = CFSTR("KVS");
 const CFStringRef kSOSDSIDKey = CFSTR("AccountDSID");
 const CFStringRef kSOSEscrowRecord = CFSTR("EscrowRecord");
 const CFStringRef kSOSUnsyncedViewsKey = CFSTR("unsynced");
+const CFStringRef kSOSPendingEnableViewsToBeSetKey = CFSTR("pendingEnableViews");
+const CFStringRef kSOSPendingDisableViewsToBeSetKey = CFSTR("pendingDisableViews");
+
 #define DATE_LENGTH 25
 const CFStringRef kSOSAccountDebugScope = CFSTR("Scope");
-
 bool SOSAccountEnsureFactoryCircles(SOSAccountRef a)
 {
 bool result = false;
@@ -68,24 +74,24 @@ SOSAccountRef SOSAccountCreateBasic(CFAllocatorRef allocator,
 a->queue = dispatch_queue_create("Account Queue", DISPATCH_QUEUE_SERIAL);
- a->notification_cleanups = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
-
 a->gestalt = CFRetainSafe(gestalt);
 a->trusted_circle = NULL;
-  a->trusted_rings = CFDictionaryCreateMutableForCFTypes(allocator);
 a->backups = CFDictionaryCreateMutableForCFTypes(allocator);
 a->my_identity = NULL;
 a->retirees = CFSetCreateMutableForSOSPeerInfosByID(allocator);
 a->factory = factory; // We adopt the factory. kthanksbai.
+
+ a->isListeningForSync = false;
 a->_user_private = NULL;
 a->_password_tmp = NULL;
 a->user_private_timer = NULL;
+ a->lock_notification_token = NOTIFY_TOKEN_INVALID;
 a->change_blocks = CFArrayCreateMutableForCFTypes(allocator);
- a->waitForInitialSync_blocks = CFDictionaryCreateMutableForCFTypes(allocator);
+ a->waitForInitialSync_blocks = NULL;
 a->departure_code = kSOSNeverAppliedToCircle;
 a->key_transport = (SOSTransportKeyParameterRef)SOSTransportKeyParameterKVSCreate(a, NULL);
@@ -93,10 +99,74 @@ SOSAccountRef SOSAccountCreateBasic(CFAllocatorRef allocator,
 a->kvs_message_transport = NULL;
 a->ids_message_transport = NULL;
 a->expansion = CFDictionaryCreateMutableForCFTypes(allocator);
+ SOSAccountAddRingDictionary(a);
+
+ a->saveBlock = NULL;
+ a->circle_rings_retirements_need_attention = false;
+ a->engine_peer_state_needs_repair = false;
+ a->key_interests_need_updating = false;
+ a->deviceID = NULL;
 return a;
 }
+//
+// MARK: Transactional
+//
+
+void SOSAccountWithTransaction_Locked(SOSAccountRef account, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)) {
+ SOSAccountTransactionRef at = SOSAccountTransactionCreate(account);
+ action(account, at);
+ SOSAccountTransactionFinish(at);
+ CFReleaseNull(at);
+}
+
+
+
+void SOSAccountWithTransaction(SOSAccountRef account, bool sync, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)) {
+ dispatch_block_t with_transaction = ^{
+ SOSAccountWithTransaction_Locked(account, action);
+ };
+
+ if (sync) {
+ dispatch_sync(SOSAccountGetQueue(account), with_transaction);
+ } else {
+ dispatch_async(SOSAccountGetQueue(account), with_transaction);
+ }
+}
+
+void SOSAccountWithTransactionSync(SOSAccountRef account, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)) {
+ SOSAccountWithTransaction(account, true, action);
+}
+
+void SOSAccountWithTransactionAsync(SOSAccountRef account, bool sync, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)) {
+ SOSAccountWithTransaction(account, false, action);
+}
+
+//
+// MARK: Save Block
+//
+
+void SOSAccountSetSaveBlock(SOSAccountRef account, SOSAccountSaveBlock saveBlock) {
+ CFAssignRetained(account->saveBlock, Block_copy(saveBlock));
+}
+
+void SOSAccountFlattenToSaveBlock(SOSAccountRef account) {
+ if (account->saveBlock) {
+ CFErrorRef localError = NULL;
+ CFDataRef saveData = SOSAccountCopyEncodedData(account, kCFAllocatorDefault, &localError);
+
+ (account->saveBlock)(saveData, localError);
+
+ CFReleaseNull(saveData);
+ CFReleaseNull(localError);
+ }
+}
+
+//
+// MARK: Security Properties
+//
+
 SOSSecurityPropertyResultCode SOSAccountUpdateSecurityProperty(SOSAccountRef account, CFStringRef property, SOSSecurityPropertyActionCode actionCode, CFErrorRef *error) {
 SOSSecurityPropertyResultCode retval = kSOSCCGeneralSecurityPropertyError;
 bool updateCircle = false;
@@ -140,7 +210,7 @@ bool SOSAccountUpdateGestalt(SOSAccountRef account, CFDictionaryRef new_gestalt)
 if (account->trusted_circle && account->my_identity && SOSFullPeerInfoUpdateGestalt(account->my_identity, new_gestalt, NULL)) {
 SOSAccountModifyCircle(account, NULL, ^(SOSCircleRef circle_to_change) {
- secnotice("circleChange", "dCalling SOSCircleUpdatePeerInfo for gestalt change");
+ secnotice("circleChange", "Calling SOSCircleUpdatePeerInfo for gestalt change");
 return SOSCircleUpdatePeerInfo(circle_to_change, SOSAccountGetMyPeerInfo(account));
 });
 }
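Review bot: SOSAccountWithTransactionAsync declares a `bool sync` parameter and then ignores it, always calling `SOSAccountWithTransaction(account, false, action)`, which is misleading next to SOSAccountWithTransactionSync that takes no such flag; drop the parameter (its header declaration is outside this chunk) or document why it exists. SOSAccountFlattenToSaveBlock invokes `account->saveBlock` with `saveData` even when SOSAccountCopyEncodedData returned NULL and set `localError`, so every installed save block must tolerate a NULL data argument; record that contract where the block is set, e.g. `// saveBlock may be invoked with saveData == NULL and localError set when encoding fails`, or skip the call on failure and only log. SOSAccountWithTransaction_Locked contains no locking despite its name; if the contract is "caller is already on the account queue", a one-line comment saying so would prevent misuse.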
@@ -149,14 +219,32 @@ bool SOSAccountUpdateGestalt(SOSAccountRef account, CFDictionaryRef new_gestalt)
 return true;
 }
-bool SOSAccountUpdateDSID(SOSAccountRef account, CFStringRef dsid){
+static bool SOSAccountUpdateDSID(SOSAccountRef account, CFStringRef dsid){
 SOSAccountSetValue(account, kSOSDSIDKey, dsid, NULL);
 //send new DSID over account changed
 SOSTransportCircleSendOfficialDSID(account->circle_transport, dsid, NULL);
-
 return true;
 }
+void SOSAccountAssertDSID(SOSAccountRef account, CFStringRef dsid) {
+ CFStringRef accountDSID = SOSAccountGetValue(account, kSOSDSIDKey, NULL);
+ if(accountDSID == NULL) {
+ secdebug("updates", "Setting dsid, current dsid is empty for this account: %@", dsid);
+
+ SOSAccountUpdateDSID(account, dsid);
+ } else if(CFStringCompare(dsid, accountDSID, 0) != kCFCompareEqualTo) {
+ secnotice("updates", "Changing DSID from: %@ to %@", accountDSID, dsid);
+
+ //DSID has changed, blast the account!
+ SOSAccountSetToNew(account);
+
+ //update DSID to the new DSID
+ SOSAccountUpdateDSID(account, dsid);
+ } else {
+ secnotice("updates", "Not Changing DSID: %@ to %@", accountDSID, dsid);
+ }
+}
+
 bool SOSAccountUpdateFullPeerInfo(SOSAccountRef account, CFSetRef minimumViews, CFSetRef excludedViews) {
 if (account->trusted_circle && account->my_identity) {
 if(SOSFullPeerInfoUpdateToCurrent(account->my_identity, minimumViews, excludedViews)) {
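Review bot: SOSAccountAssertDSID passes `dsid` straight into `CFStringCompare(dsid, accountDSID, 0)` with no NULL check, so a caller handing in a NULL dsid crashes as soon as an account DSID is stored, and a mismatch triggers `SOSAccountSetToNew(account)`, a destructive reset of the account's circle state. Given that consequence, reject a missing value before comparing, e.g. `if (dsid == NULL) { secnotice("updates", "Ignoring NULL DSID"); return; }`, and keep the existing "Changing DSID" secnotice so the reset stays visible in logs. SOSAccountUpdateDSID always returns true and its result is ignored at both call sites, so it could simply be `static void`.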
@@ -170,9 +258,67 @@ bool SOSAccountUpdateFullPeerInfo(SOSAccountRef account, CFSetRef minimumViews, return true; } +static bool SOSAccountValueSetContainsValue(SOSAccountRef account, CFStringRef key, CFTypeRef value) { + CFSetRef foundSet = asSet(SOSAccountGetValue(account, key, NULL), NULL); + return foundSet && CFSetContainsValue(foundSet, value); +} + +static void SOSAccountValueUnionWith(SOSAccountRef account, CFStringRef key, CFSetRef valuesToUnion) { + CFMutableSetRef unionedSet = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, valuesToUnion); + CFSetRef foundSet = asSet(SOSAccountGetValue(account, key, NULL), NULL); + if (foundSet) { + CFSetUnion(unionedSet, foundSet); + } + SOSAccountSetValue(account, key, unionedSet, NULL); + CFReleaseNull(unionedSet); +} + +static void SOSAccountValueSubtractFrom(SOSAccountRef account, CFStringRef key, CFSetRef valuesToSubtract) { + CFSetRef foundSet = asSet(SOSAccountGetValue(account, key, NULL), NULL); + if (foundSet) { + CFMutableSetRef subtractedSet = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, foundSet); + CFSetSubtract(subtractedSet, valuesToSubtract); + SOSAccountSetValue(account, key, subtractedSet, NULL); + CFReleaseNull(subtractedSet); + } +} + +void SOSAccountPendEnableViewSet(SOSAccountRef account, CFSetRef enabledViews) +{ + if(CFSetGetValue(enabledViews, kSOSViewKeychainV0) != NULL) secnotice("viewChange", "Warning, attempting to Add KeychainV0"); + + SOSAccountValueUnionWith(account, kSOSPendingEnableViewsToBeSetKey, enabledViews); + SOSAccountValueSubtractFrom(account, kSOSPendingDisableViewsToBeSetKey, enabledViews); +} + + +void SOSAccountPendDisableViewSet(SOSAccountRef account, CFSetRef disabledViews) +{ + SOSAccountValueUnionWith(account, kSOSPendingDisableViewsToBeSetKey, disabledViews); + SOSAccountValueSubtractFrom(account, kSOSPendingEnableViewsToBeSetKey, disabledViews); +} + +static SOSViewResultCode SOSAccountVirtualV0Behavior(SOSAccountRef account, SOSViewActionCode actionCode) { + 
SOSViewResultCode retval = kSOSCCGeneralViewError; + // The V0 view switches on and off all on it's own, we allow people the delusion + // of control and status if it's what we're stuck at., otherwise error. + if (SOSAccountSyncingV0(account)) { + require_action_quiet(actionCode == kSOSCCViewDisable, errOut, CFSTR("Can't disable V0 view and it's on right now")); + retval = kSOSCCViewMember; + } else { + require_action_quiet(actionCode == kSOSCCViewEnable, errOut, CFSTR("Can't enable V0 and it's off right now")); + retval = kSOSCCViewNotMember; + } +errOut: + return retval; +} + + SOSViewResultCode SOSAccountUpdateView(SOSAccountRef account, CFStringRef viewname, SOSViewActionCode actionCode, CFErrorRef *error) { SOSViewResultCode retval = kSOSCCGeneralViewError; SOSViewResultCode currentStatus = kSOSCCGeneralViewError; + bool alreadyInSync = SOSAccountHasCompletedInitialSync(account); + bool updateCircle = false; require_action_quiet(account->trusted_circle, errOut, SOSCreateError(kSOSErrorNoCircle, CFSTR("No Trusted Circle"), NULL, error)); require_action_quiet(account->my_identity, errOut, SOSCreateError(kSOSErrorPeerNotFound, CFSTR("No Peer for Account"), NULL, error)); 
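Review bot: The `==` comparisons in the new `SOSAccountVirtualV0Behavior` read inverted relative to their own messages and the comment above them: when `SOSAccountSyncingV0` is true the code requires `actionCode == kSOSCCViewDisable`, so an enable request (the state "we're stuck at", which the comment says to allow) is the one that fails with "Can't disable V0 view and it's on right now", while a disable request is reported as `kSOSCCViewMember`. If the comment is the intent, the syncing branch should require `actionCode == kSOSCCViewEnable` and the other branch `actionCode == kSOSCCViewDisable`; please confirm against callers such as `SOSAccountScreenViewListForValidV0`. Separately, the action argument of both `require_action_quiet` calls is a bare `CFSTR(...)` that is evaluated and discarded, so the reason never reaches a log; `secnotice("viewChange", "Can't enable V0 and it's off right now")` would surface it. `SOSAccountPendEnableViewSet` only warns when `kSOSViewKeychainV0` is present and still pends it, whereas `SOSAccountScreenViewListForValidV0` later in this commit strips V0 first, so a comment on the pend function stating that callers must screen V0 out would make that contract explicit. `SOSAccountUpdateView` begins at the end of this hunk and continues into the next.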
@@ -181,29 +327,38 @@ SOSViewResultCode SOSAccountUpdateView(SOSAccountRef account, CFStringRef viewna require_action_quiet((currentStatus == kSOSCCViewNotMember) || (currentStatus == kSOSCCViewMember), errOut, CFSTR("View Membership Not Actionable")); if (CFEqualSafe(viewname, kSOSViewKeychainV0)) { - // The V0 view switches on and off all on it's own, we allow people the delusion - // of control and status if it's what we're stuck at., otherwise error. - if (SOSAccountSyncingV0(account)) { - require_action_quiet(actionCode = kSOSCCViewDisable, errOut, CFSTR("Can't disable V0 view and it's on right now")); - retval = kSOSCCViewMember; - } else { - require_action_quiet(actionCode = kSOSCCViewEnable, errOut, CFSTR("Can't enable V0 and it's off right now")); - retval = kSOSCCViewNotMember; - } + retval = SOSAccountVirtualV0Behavior(account, actionCode); } else if (SOSAccountSyncingV0(account) && SOSViewsIsV0Subview(viewname)) { // Subviews of V0 syncing can't be turned off if V0 is on. require_action_quiet(actionCode = kSOSCCViewDisable, errOut, CFSTR("Have V0 peer can't disable")); retval = kSOSCCViewMember; } else { + CFMutableSetRef pendingSet = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); + CFSetAddValue(pendingSet, viewname); + if(actionCode == kSOSCCViewEnable && currentStatus == kSOSCCViewNotMember) { - retval = SOSFullPeerInfoUpdateViews(account->my_identity, actionCode, viewname, error); - if(retval == kSOSCCViewMember) updateCircle = true; + if(alreadyInSync) { + retval = SOSFullPeerInfoUpdateViews(account->my_identity, actionCode, viewname, error); + if(retval == kSOSCCViewMember) updateCircle = true; + } else { + SOSAccountPendEnableViewSet(account, pendingSet); + retval = kSOSCCViewMember; + updateCircle = false; + } } else if(actionCode == kSOSCCViewDisable && currentStatus == kSOSCCViewMember) { - retval = SOSFullPeerInfoUpdateViews(account->my_identity, actionCode, viewname, error); - if(retval == kSOSCCViewNotMember) updateCircle = true; + 
if(alreadyInSync) { + retval = SOSFullPeerInfoUpdateViews(account->my_identity, actionCode, viewname, error); + if(retval == kSOSCCViewNotMember) updateCircle = true; + } else { + SOSAccountPendDisableViewSet(account, pendingSet); + retval = kSOSCCViewNotMember; + updateCircle = false; + } } else { retval = currentStatus; } + + CFReleaseNull(pendingSet); if (updateCircle) { SOSAccountModifyCircle(account, NULL, ^(SOSCircleRef circle_to_change) { @@ -222,7 +377,13 @@ SOSViewResultCode SOSAccountViewStatus(SOSAccountRef account, CFStringRef viewna require_action_quiet(account->trusted_circle, errOut, SOSCreateError(kSOSErrorNoCircle, CFSTR("No Trusted Circle"), NULL, error)); require_action_quiet(account->my_identity, errOut, SOSCreateError(kSOSErrorPeerNotFound, CFSTR("No Peer for Account"), NULL, error)); - retval = SOSFullPeerInfoViewStatus(account->my_identity, viewname, error); + if (SOSAccountValueSetContainsValue(account, kSOSPendingEnableViewsToBeSetKey, viewname)) { + retval = kSOSCCViewMember; + } else if (SOSAccountValueSetContainsValue(account, kSOSPendingDisableViewsToBeSetKey, viewname)) { + retval = kSOSCCViewNotMember; + } else { + retval = SOSFullPeerInfoViewStatus(account->my_identity, viewname, error); + } // If that doesn't say we're a member and this view is a V0 subview, and we're syncing V0 views we are a member if (retval != kSOSCCViewMember) { 
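Review bot: The V0-subview branch of `SOSAccountUpdateView` still contains `require_action_quiet(actionCode = kSOSCCViewDisable, errOut, CFSTR("Have V0 peer can't disable"));`, the same assignment-instead-of-comparison defect this commit fixes in `SOSAccountVirtualV0Behavior`; it always passes and overwrites `actionCode`, so the "can't be turned off" rule in the comment is never enforced. Per that comment the guard should reject a disable, i.e. `require_action_quiet(actionCode != kSOSCCViewDisable, errOut, ...)`, and its `CFSTR` action should become a `secnotice` so the rejection is visible. The tail of the function (the `SOSAccountModifyCircle` call and `errOut:`) lies outside this hunk.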
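Review bot: The new pending-set checks in `SOSAccountViewStatus` report `kSOSCCViewMember`/`kSOSCCViewNotMember` for a view whose change has only been queued, before anything is written to the peer info, and callers cannot tell that from an applied change; the code does not say so. A one-line comment would prevent misreading, e.g. `// A pended enable/disable is reported as if already applied; presumably committed once initial sync completes — see SOSAccountUpdateView.`. The V0-subview fallback that follows is outside this hunk.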
@@ -246,49 +407,93 @@ errOut: static void dumpViewSet(CFStringRef label, CFSetRef views) { if(views) { - secnotice("circleChange", "%@ list: %@", label, views); + CFStringSetPerformWithDescription(views, ^(CFStringRef description) { + secnotice("circleChange", "%@ list: %@", label, description); + }); } else { secnotice("circleChange", "No %@ list provided.", label); } } -bool SOSAccountUpdateViewSets(SOSAccountRef account, CFSetRef enabledViews, CFSetRef disabledViews) { +static bool SOSAccountScreenViewListForValidV0(SOSAccountRef account, CFMutableSetRef viewSet, SOSViewActionCode actionCode) { + bool retval = true; + if(viewSet && CFSetContainsValue(viewSet, kSOSViewKeychainV0)) { + retval = SOSAccountVirtualV0Behavior(account, actionCode) != kSOSCCGeneralViewError; + CFSetRemoveValue(viewSet, kSOSViewKeychainV0); + } + return retval; +} + +bool SOSAccountUpdateViewSets(SOSAccountRef account, CFSetRef origEnabledViews, CFSetRef origDisabledViews) { + bool retval = false; bool updateCircle = false; + SOSPeerInfoRef pi = NULL; + CFMutableSetRef enabledViews = NULL; + CFMutableSetRef disabledViews = NULL; + if(origEnabledViews) enabledViews = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, origEnabledViews); + if(origDisabledViews) disabledViews = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, origDisabledViews); dumpViewSet(CFSTR("Enabled"), enabledViews); dumpViewSet(CFSTR("Disabled"), disabledViews); require_action_quiet(account->trusted_circle, errOut, secnotice("views", "Attempt to set viewsets with no trusted circle")); - require_action_quiet(account->my_identity, errOut, secnotice("views", "Attempt to set viewsets with no fullPeerInfo")); - require_action_quiet(enabledViews || disabledViews, errOut, secnotice("views", "No work to do")); - // Copy my views + // Make sure we have a peerInfo capable of supporting views. 
SOSFullPeerInfoRef fpi = SOSAccountGetMyFullPeerInfo(account); - SOSPeerInfoRef pi = SOSPeerInfoCreateCopy(kCFAllocatorDefault, SOSFullPeerInfoGetPeerInfo(fpi), NULL); + require_action_quiet(fpi, errOut, secnotice("views", "Attempt to set viewsets with no fullPeerInfo")); + require_action_quiet(enabledViews || disabledViews, errOut, secnotice("views", "No work to do")); + + pi = SOSPeerInfoCreateCopy(kCFAllocatorDefault, SOSFullPeerInfoGetPeerInfo(fpi), NULL); require_action_quiet(pi, errOut, secnotice("views", "Couldn't copy PeerInfoRef")); - if(!SOSPeerInfoVersionIsCurrent(pi)) { - if(!SOSPeerInfoUpdateToV2(pi, NULL)) { - secnotice("views", "Unable to update peer to V2- can't update views"); - return false; - } + CFErrorRef updateFailure = NULL; + require_action_quiet(SOSPeerInfoUpdateToV2(pi, &updateFailure), errOut, + (secnotice("views", "Unable to update peer to V2- can't update views: %@", updateFailure), (void) CFReleaseNull(updateFailure))); + secnotice("V2update", "Updating PeerInfo to V2 within SOSAccountUpdateViewSets"); + updateCircle = true; } - if(enabledViews) updateCircle = SOSViewSetEnable(pi, enabledViews); - if(disabledViews) updateCircle |= SOSViewSetDisable(pi, disabledViews); + CFStringSetPerformWithDescription(enabledViews, ^(CFStringRef description) { + secnotice("viewChange", "Enabling %@", description); + }); - /* UPDATE FULLPEERINFO VIEWS */ + CFStringSetPerformWithDescription(disabledViews, ^(CFStringRef description) { + secnotice("viewChange", "Disabling %@", description); + }); - if (updateCircle && SOSFullPeerInfoUpdateToThisPeer(fpi, pi, NULL)) { - SOSAccountModifyCircle(account, NULL, ^(SOSCircleRef circle_to_change) { - secnotice("circleChange", "Calling SOSCircleUpdatePeerInfo for views change"); - return SOSCircleUpdatePeerInfo(circle_to_change, SOSFullPeerInfoGetPeerInfo(account->my_identity)); - }); + require_action_quiet(SOSAccountScreenViewListForValidV0(account, enabledViews, kSOSCCViewEnable), errOut, 
secnotice("viewChange", "Bad view change (enable) with kSOSViewKeychainV0")); + require_action_quiet(SOSAccountScreenViewListForValidV0(account, disabledViews, kSOSCCViewDisable), errOut, secnotice("viewChange", "Bad view change (disable) with kSOSViewKeychainV0")); + + if(SOSAccountHasCompletedInitialSync(account)) { + if(enabledViews) updateCircle |= SOSViewSetEnable(pi, enabledViews); + if(disabledViews) updateCircle |= SOSViewSetDisable(pi, disabledViews); + retval = true; + } else { + //hold on to the views and enable them later + if(enabledViews) SOSAccountPendEnableViewSet(account, enabledViews); + if(disabledViews) SOSAccountPendDisableViewSet(account, disabledViews); + retval = true; } + if(updateCircle) { + /* UPDATE FULLPEERINFO VIEWS */ + require_quiet(SOSFullPeerInfoUpdateToThisPeer(fpi, pi, NULL), errOut); + + require_quiet(SOSAccountModifyCircle(account, NULL, ^(SOSCircleRef circle_to_change) { + secnotice("circleChange", "Calling SOSCircleUpdatePeerInfo for views or peerInfo change"); + return SOSCircleUpdatePeerInfo(circle_to_change, SOSFullPeerInfoGetPeerInfo(account->my_identity)); + }), errOut); + + // Make sure we update the engine + account->circle_rings_retirements_need_attention = true; + } + errOut: - return updateCircle; + CFReleaseNull(enabledViews); + CFReleaseNull(disabledViews); + CFReleaseNull(pi); + return retval; } @@ -299,8 +504,8 @@ SOSAccountRef SOSAccountCreate(CFAllocatorRef allocator, SOSAccountEnsureFactoryCircles(a); - SOSUpdateKeyInterest(a); - + a->key_interests_need_updating = true; + return a; } @@ -311,7 +516,7 @@ static void SOSAccountDestroy(CFTypeRef aObj) { // Don't free it. // a->factory - SOSAccountCleanupNotificationForAllPeers(a); + SOSAccountCancelSyncChecking(a); SOSEngineRef engine = SOSDataSourceFactoryGetEngineForDataSourceName(a->factory, SOSCircleGetName(a->trusted_circle), NULL); 
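Review bot: In `SOSAccountUpdateViewSets`, `retval = true` is assigned in both branches of the `SOSAccountHasCompletedInitialSync` check before the `if(updateCircle)` block, so when `SOSFullPeerInfoUpdateToThisPeer` or `SOSAccountModifyCircle` fails and jumps to `errOut` the function still reports success; move `retval = true;` to just after `account->circle_rings_retirements_need_attention = true;` (or after the whole `if(updateCircle)` block) so a failed circle update returns false. `SOSAccountScreenViewListForValidV0` always removes `kSOSViewKeychainV0` from the set after consulting `SOSAccountVirtualV0Behavior`, so V0 only gates the whole call and is never pended or applied; a comment on the helper such as `// V0 is virtual: validate the request against current V0 state, then drop it so it is never pended or applied.` would make that clear. If the `SOSPeerInfoVersionIsCurrent` guard was removed along with the inner check, `SOSPeerInfoUpdateToV2` now runs and `updateCircle` is set on every call; confirm it is a no-op for peers already at V2, since otherwise every view change forces a circle update.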
@@ -323,7 +528,6 @@ static void SOSAccountDestroy(CFTypeRef aObj) { CFReleaseNull(a->my_identity); CFReleaseNull(a->trusted_circle); - CFReleaseNull(a->trusted_rings); CFReleaseNull(a->backups); CFReleaseNull(a->retirees); @@ -342,13 +546,14 @@ static void SOSAccountDestroy(CFTypeRef aObj) { CFReleaseNull(a->key_transport); CFReleaseNull(a->circle_transport); dispatch_release(a->queue); - CFReleaseNull(a->notification_cleanups); dispatch_release(a->user_private_timer); CFReleaseNull(a->change_blocks); CFReleaseNull(a->waitForInitialSync_blocks); CFReleaseNull(a->expansion); + CFReleaseNull(a->saveBlock); + CFReleaseNull(a->deviceID); }); } @@ -434,13 +639,22 @@ do_keychain_delete_sbd() return result; } +void static SOSAccountResetKeyInterests(SOSAccountRef a) { + CFDictionaryRef emptyDictionary = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, NULL); + SOSCloudKeychainUpdateKeys(emptyDictionary, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues, CFErrorRef error) { + if (error) { + secerror("Error updating keys: %@", error); + } + }); + CFReleaseNull(emptyDictionary); +} + void SOSAccountSetToNew(SOSAccountRef a) { secnotice("accountChange", "Setting Account to New"); int result = 0; CFReleaseNull(a->my_identity); CFReleaseNull(a->trusted_circle); - CFReleaseNull(a->trusted_rings); CFReleaseNull(a->backups); CFReleaseNull(a->retirees); 
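Review bot: `void static SOSAccountResetKeyInterests(SOSAccountRef a)` places the storage class after the type; it compiles, but the file's other helpers (e.g. `static void SOSAccountDestroy`) write `static void`, so the line should read `static void SOSAccountResetKeyInterests(SOSAccountRef a) {`. The `SOSCloudKeychainUpdateKeys` reply block only logs the error, so a failed reset of key interests is invisible to `SOSAccountSetToNew`; if that is intended as best-effort, a comment such as `// Best effort: a failure is only logged; the caller sets key_interests_need_updating so the interests are re-sent later.` would document it, assuming that flag does drive a retry. The `SOSAccountSetToNew` body continues into the following hunks.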
@@ -455,24 +669,35 @@ void SOSAccountSetToNew(SOSAccountRef a) { CFReleaseNull(a->kvs_message_transport); CFReleaseNull(a->ids_message_transport); CFReleaseNull(a->expansion); + CFReleaseNull(a->deviceID); /* remove all syncable items */ - result = do_keychain_delete_aks_bags(); + result = do_keychain_delete_aks_bags(); (void) result; secdebug("set to new", "result for deleting aks bags: %d", result); - result = do_keychain_delete_identities(); + result = do_keychain_delete_identities(); (void) result; secdebug("set to new", "result for deleting identities: %d", result); - result = do_keychain_delete_lakitu(); + result = do_keychain_delete_lakitu(); (void) result; secdebug("set to new", "result for deleting lakitu: %d", result); - result = do_keychain_delete_sbd(); + result = do_keychain_delete_sbd(); (void) result; secdebug("set to new", "result for deleting sbd: %d", result); a->user_public_trusted = false; a->departure_code = kSOSNeverAppliedToCircle; - a->user_private_timer = 0; - a->lock_notification_token = 0; + + if (a->user_private_timer) { + dispatch_source_cancel(a->user_private_timer); + dispatch_release(a->user_private_timer); + a->user_private_timer = NULL; + xpc_transaction_end(); + + } + if (a->lock_notification_token != NOTIFY_TOKEN_INVALID) { + notify_cancel(a->lock_notification_token); + a->lock_notification_token = NOTIFY_TOKEN_INVALID; + } // keeping gestalt; // keeping factory; 
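Review bot: The `(void) result;` added after each `do_keychain_delete_*` call looks redundant because `result` is consumed by the `secdebug` on the next line — presumably it silences an unused-variable warning when `secdebug` compiles out, which is worth stating, e.g. `(void) result; // secdebug may compile to nothing`. More importantly, these deletions are the step that removes the previous account's syncable items on a DSID change, and a failure is reported only at debug level; if a non-zero `result` means failure, `if (result) secerror("set to new: deleting aks bags failed: %d", result);` (and likewise for identities, lakitu and sbd) would make an incomplete wipe visible in production logs. The `xpc_transaction_end()` inside the timer-cancel block assumes a matching `xpc_transaction_begin()` was issued when `user_private_timer` was created; that pairing is not visible here, so a comment naming where the transaction begins would help.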
@@ -486,24 +711,46 @@ void SOSAccountSetToNew(SOSAccountRef a) { a->kvs_message_transport = NULL; a->ids_message_transport = NULL; - a->trusted_rings = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); a->backups = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); a->retirees = CFSetCreateMutableForSOSPeerInfosByID(kCFAllocatorDefault); a->expansion = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + SOSAccountAddRingDictionary(a); SOSAccountEnsureFactoryCircles(a); // Does rings too - SOSUpdateKeyInterest(a); + // Reset our key interests since we are new, we need to hear about everything: + SOSAccountResetKeyInterests(a); + + a->key_interests_need_updating = true; } +bool SOSAccountIsNew(SOSAccountRef account, CFErrorRef *error){ + bool result = false; + require_quiet(account->user_public_trusted == false, exit); + require_quiet(account->departure_code == kSOSNeverAppliedToCircle, exit); + require_quiet(account->user_private_timer == NULL, exit); + require_quiet(account->lock_notification_token == NOTIFY_TOKEN_INVALID, exit); + require_quiet (CFDictionaryGetCount(account->backups) == 0, exit); + require_quiet(CFSetGetCount(account->retirees) == 0, exit); + + result = true; +exit: + return result; +} static CFStringRef SOSAccountCopyFormatDescription(CFTypeRef aObj, CFDictionaryRef formatOptions) { SOSAccountRef a = (SOSAccountRef) aObj; CFStringRef gestaltDescription = CFDictionaryCopyCompactDescription(a->gestalt); - CFStringRef result = CFStringCreateWithFormat(NULL, NULL, CFSTR("<SOSAccount@%p: Gestalt: %@ Circle: %@ Me: %@>"), a, gestaltDescription, a->trusted_circle, a->my_identity); + CFStringRef result = CFStringCreateWithFormat(NULL, NULL, CFSTR("<SOSAccount@%p: %c%c%c%c%c G: %@ Me: %@ C: %@ >"), a, + a->user_public ? 'P' : 'p', + a->user_public_trusted ? 'T' : 't', + a->isListeningForSync ? 'L' : 'l', + SOSAccountHasCompletedInitialSync(a) ? 'C' : 'c', + SOSAccountHasCompletedRequiredBackupSync(a) ? 
'B' : 'b', + gestaltDescription, a->my_identity, a->trusted_circle); CFReleaseNull(gestaltDescription); @@ -528,7 +775,7 @@ static Boolean SOSAccountCompare(CFTypeRef lhs, CFTypeRef rhs) return CFEqualSafe(laccount->gestalt, raccount->gestalt) && CFEqualSafe(laccount->trusted_circle, raccount->trusted_circle) - && CFEqualSafe(laccount->trusted_rings, raccount->trusted_rings) + && CFEqualSafe(laccount->expansion, raccount->expansion) && CFEqualSafe(laccount->my_identity, raccount->my_identity); } @@ -548,7 +795,7 @@ SOSFullPeerInfoRef SOSAccountCopyAccountIdentityPeerInfo(SOSAccountRef account, static bool SOSAccountThisDeviceCanSyncWithCircle(SOSAccountRef account) { bool ok = false; __block CFErrorRef error = NULL; - + if (!SOSAccountHasPublicKey(account, &error)) { CFReleaseSafe(error); return false; @@ -559,7 +806,7 @@ static bool SOSAccountThisDeviceCanSyncWithCircle(SOSAccountRef account) { require_action_quiet(account->my_identity, xit, SOSCreateError(kSOSErrorBadFormat, CFSTR("Account identity not set"), NULL, &error)); - SOSTransportMessageIDSGetIDSDeviceID(account); + SOSTransportMessageIDSGetIDSDeviceID(account); require_action_quiet(account->trusted_circle, xit, SOSCreateError(kSOSErrorBadFormat, CFSTR("Account trusted circle not set"), NULL, &error)); 
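Review bot: `SOSAccountIsNew` takes `CFErrorRef *error` but never writes to it, so a caller asking why the account is not new gets nothing back; either drop the parameter or populate it at `exit:` when `result` is false, e.g. `if (!result) SOSErrorCreate(<appropriate kSOSError code>, error, NULL, CFSTR("Account is not new"));`. The checks also mirror only part of what `SOSAccountSetToNew` resets: `my_identity`, `deviceID` and the transports are released there but not examined here, so an account with a stale identity would still pass; `require_quiet(account->my_identity == NULL, exit);` is worth adding if `SOSAccountEnsureFactoryCircles` does not recreate it (not visible in this hunk). A short header comment listing which fields define "new" would also keep the two functions in step as fields are added.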
@@ -583,72 +830,240 @@ static bool SOSAccountIsThisPeerIDMe(SOSAccountRef account, CFStringRef peerID) return myPeerID && CFEqualSafe(myPeerID, peerID); } -bool SOSAccountSyncWithAllPeers(SOSAccountRef account, CFErrorRef *error) -{ +bool SOSAccountSendIKSPSyncList(SOSAccountRef account, CFErrorRef *error){ bool result = true; - __block bool SyncingCompletedOverIDS = true; - __block bool SyncingCompletedOverKVS = true; __block CFErrorRef localError = NULL; - SOSCircleRef circle = SOSAccountGetCircle(account, error); - CFMutableDictionaryRef circleToPeerIDs = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - CFMutableArrayRef peerIds = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - + __block CFMutableArrayRef ids = NULL; + SOSCircleRef circle = NULL; + + require_action_quiet(SOSAccountIsInCircle(account, NULL), xit, + SOSCreateError(kSOSErrorNoCircle, CFSTR("This device is not in circle"), + NULL, &localError)); + + circle = SOSAccountGetCircle(account, error); + ids = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + require_action_quiet(SOSAccountThisDeviceCanSyncWithCircle(account), xit, SOSCreateError(kSOSErrorNoCircle, CFSTR("This device cannot sync with circle"), NULL, &localError)); SOSCircleForEachValidPeer(circle, account->user_public, ^(SOSPeerInfoRef peer) { if (!SOSAccountIsThisPeerIDMe(account, SOSPeerInfoGetPeerID(peer))) { - if (SOSPeerInfoShouldUseIDSTransport(SOSFullPeerInfoGetPeerInfo(account->my_identity), peer)) { - secdebug("IDS Transport", "Syncing with IDS capable peers using IDS!"); - CFMutableDictionaryRef circleToIdsId = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - CFMutableArrayRef ids = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - CFArrayAppendValue(ids, SOSPeerInfoGetPeerID(peer)); - CFDictionaryAddValue(circleToIdsId, SOSCircleGetName(circle), ids); - SyncingCompletedOverIDS = SOSTransportMessageSyncWithPeers(account->ids_message_transport, circleToIdsId, &localError); - 
if(!SyncingCompletedOverIDS){ - secerror("Failed to sync over IDS, falling back to KVS"); - SyncingCompletedOverIDS = SOSTransportMessageSyncWithPeers(account->kvs_message_transport, circleToIdsId, &localError); + if(SOSPeerInfoShouldUseIDSTransport(SOSFullPeerInfoGetPeerInfo(account->my_identity), peer) && + SOSPeerInfoShouldUseIDSMessageFragmentation(SOSFullPeerInfoGetPeerInfo(account->my_identity), peer)){ + SOSTransportMessageIDSSetFragmentationPreference(account->ids_message_transport, kCFBooleanTrue); + CFStringRef deviceID = SOSPeerInfoCopyDeviceID(peer); + if(deviceID != NULL){ + CFArrayAppendValue(ids, deviceID); } - CFReleaseNull(circleToIdsId); - } else { - CFArrayAppendValue(peerIds, SOSPeerInfoGetPeerID(peer)); + CFReleaseNull(deviceID); + } + } + }); + require_quiet(CFArrayGetCount(ids) != 0, xit); + secnotice("IDS Transport", "List of IDS Peers to ping: %@", ids); + + SOSCloudKeychainGetIDSDeviceAvailability(ids, SOSAccountGetMyPeerID(account), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) { + bool success = (sync_error == NULL); + if(!success) + secerror("Failed to send list of IDS peers to IDSKSP: %@", sync_error); + }); +xit: + if(error && *error != NULL) + secerror("SOSAccountSendIKSPSyncList had an error: %@", *error); + + if(localError) + secerror("SOSAccountSendIKSPSyncList had an error: %@", localError); + + CFReleaseNull(ids); + CFReleaseNull(localError); + + return result; +} + +bool SOSAccountSyncWithAllKVSPeers(SOSAccountRef account, CFErrorRef *error) +{ + __block bool result = true; + + if(SOSAccountIsInCircle(account, NULL)) { + SOSCircleForEachValidPeer(account->trusted_circle, account->user_public, ^(SOSPeerInfoRef peer) { + if (!SOSAccountIsThisPeerIDMe(account, SOSPeerInfoGetPeerID(peer))) { + CFStringRef deviceID = SOSPeerInfoCopyDeviceID(peer); + if(deviceID == NULL || !SOSPeerInfoShouldUseIDSTransport(SOSFullPeerInfoGetPeerInfo(account->my_identity), 
peer)){ + result = SOSAccountSyncWithKVSPeer(account, SOSPeerInfoGetPeerID(peer), error); + if(result){ + secnotice("KVS Transport", "synced with peer: %@", SOSPeerInfoGetPeerID(peer)); + } + else{ + secnotice("KVS Transport", "failed to sync with peer: %@", SOSPeerInfoGetPeerID(peer)); + } + } + CFReleaseNull(deviceID); } + }); + } + secnotice("sync", "SOSAccountSyncWithAllKVSPeers returns: %d", result); + return true; +} + +static CFMutableArrayRef SOSAccountCopyPeerIDsForDSID(SOSAccountRef account, CFStringRef deviceID, CFErrorRef* error) { + CFMutableArrayRef peerIDs = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + + SOSCircleForEachValidPeer(account->trusted_circle, account->user_public, ^(SOSPeerInfoRef peer) { + CFStringRef peerDeviceID = SOSPeerInfoCopyDeviceID(peer); + if(peerDeviceID != NULL && CFStringCompare(peerDeviceID, deviceID, 0) == 0){ + CFArrayAppendValue(peerIDs, SOSPeerInfoGetPeerID(peer)); } + CFReleaseNull(peerDeviceID); }); - if (CFArrayGetCount(peerIds)) { - secnotice("KVS", "Syncing with KVS capable peers"); - CFDictionarySetValue(circleToPeerIDs, SOSCircleGetName(circle), peerIds); - SyncingCompletedOverKVS &= SOSTransportMessageSyncWithPeers(account->kvs_message_transport, circleToPeerIDs, &localError); + + if (peerIDs == NULL || CFArrayGetCount(peerIDs) == 0) { + CFReleaseNull(peerIDs); + SOSErrorCreate(kSOSErrorPeerNotFound, error, NULL, CFSTR("No peer with DSID: %@"), deviceID); } - SOSEngineRef engine = SOSTransportMessageGetEngine(account->kvs_message_transport); - result = SOSEngineSyncWithPeers(engine, account->ids_message_transport, account->kvs_message_transport, &localError); + return peerIDs; +} + +static bool SOSAccountSyncWithKVSPeers(SOSAccountRef account, CFArrayRef peerIDs, CFErrorRef *error) { + CFDictionaryRef circleToPeerIDs = NULL; + + CFErrorRef localError = NULL; + bool result = false; + require_action_quiet(SOSAccountThisDeviceCanSyncWithCircle(account), xit, + SOSCreateError(kSOSErrorNoCircle, CFSTR("This 
device cannot sync with circle"), + NULL, &localError)); + + circleToPeerIDs = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + SOSCircleGetName(account->trusted_circle), peerIDs, + NULL); + result = SOSTransportMessageSyncWithPeers(account->kvs_message_transport, circleToPeerIDs, &localError); - result &= ((SyncingCompletedOverIDS) && - (SyncingCompletedOverKVS || (CFDictionaryGetCount(circleToPeerIDs) == 0))); + SOSEngineRef engine = SOSTransportMessageGetEngine(account->kvs_message_transport); + result &= SOSEngineSyncWithPeers(engine, &localError); if (result) SetCloudKeychainTraceValueForKey(kCloudKeychainNumberOfTimesSyncedWithPeers, 1); xit: CFReleaseNull(circleToPeerIDs); + if (!result) { + // Tell account to update SOSEngine with current trusted peers + if (isSOSErrorCoded(localError, kSOSErrorPeerNotFound)) { + secnotice("Account", "Arming account to update SOSEngine with current trusted peers"); + account->engine_peer_state_needs_repair = true; + } + CFErrorPropagate(localError, error); + localError = NULL; + } + return result; + +} +bool SOSAccountSyncWithKVSUsingIDSID(SOSAccountRef account, CFStringRef deviceID, CFErrorRef *error) { + bool result = false; + CFErrorRef localError = NULL; + + secnotice("KVS Transport","Syncing with KVS capable peer via DSID: %@", deviceID); + + CFArrayRef peerIDs = SOSAccountCopyPeerIDsForDSID(account, deviceID, &localError); + require_quiet(peerIDs, xit); + + CFStringArrayPerfromWithDescription(peerIDs, ^(CFStringRef peerIDList) { + secnotice("KVS Transport", "Syncing with KVS capable peers: %@", peerIDList); + }); + + result = SOSAccountSyncWithKVSPeers(account, peerIDs, &localError); + secerror("KVS sync %s. (%@)", result ? 
"succeeded" : "failed", localError); + +xit: + CFReleaseNull(peerIDs); + CFErrorPropagate(localError, error); + + return result; +} + +bool SOSAccountSyncWithKVSPeer(SOSAccountRef account, CFStringRef peerID, CFErrorRef *error) +{ + bool result = false; + CFErrorRef localError = NULL; + + secnotice("KVS Transport","Syncing with KVS capable peer: %@", peerID); + + CFArrayRef peerIDs = CFArrayCreateForCFTypes(kCFAllocatorDefault, peerID, NULL); + + result = SOSAccountSyncWithKVSPeers(account, peerIDs, &localError); + secerror("KVS sync %s. (%@)", result ? "succeeded" : "failed", localError); + + CFReleaseNull(peerIDs); + CFErrorPropagate(localError, error); + + return result; +} + +#define LOG_ENGINE_STATE_INTERVAL 20 + +bool SOSAccountSyncWithIDSPeer(SOSAccountRef account, CFStringRef deviceID, CFErrorRef *error) +{ + CFErrorRef localError = NULL; + CFMutableDictionaryRef circleToPeerIDs = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFMutableArrayRef ids = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + static int engineLogCountDown = 0; + bool result = true; + + require_action_quiet(SOSAccountThisDeviceCanSyncWithCircle(account), xit, + SOSCreateError(kSOSErrorNoCircle, CFSTR("This device cannot sync with circle"), + NULL, &localError)); + SOSCircleForEachValidPeer(account->trusted_circle, account->user_public, ^(SOSPeerInfoRef peer) { + CFStringRef peerDeviceID = SOSPeerInfoCopyDeviceID(peer); + if(peerDeviceID != NULL && CFStringCompare(peerDeviceID, deviceID, 0) == 0){ + CFArrayAppendValue(ids, SOSPeerInfoGetPeerID(peer)); + } + CFReleaseNull(peerDeviceID); + }); + + require_action_quiet(CFArrayGetCount(ids), xit, SOSCreateError(kSOSErrorNoCircle, CFSTR("Cannot find peer in circle"), + NULL, &localError)); + + secnotice("IDS Transport","Syncing with IDS capable peer: %@", ids); + CFDictionarySetValue(circleToPeerIDs, SOSCircleGetName(account->trusted_circle), ids); + result = SOSTransportMessageSyncWithPeers(account->ids_message_transport, 
circleToPeerIDs, &localError); + secnotice("IDS Transport", "IDS Sync result: %d", result); + + SOSEngineRef engine = SOSTransportMessageGetEngine(account->ids_message_transport); + result &= SOSEngineSyncWithPeers(engine, &localError); + + if (result) + SetCloudKeychainTraceValueForKey(kCloudKeychainNumberOfTimesSyncedWithPeers, 1); + + if(engineLogCountDown <= 0) { + SOSEngineLogState(engine); + engineLogCountDown = LOG_ENGINE_STATE_INTERVAL; + } else { + engineLogCountDown--; + } + +xit: + CFReleaseNull(circleToPeerIDs); + if (!result) { - secdebug("Account", "Could not sync with all peers: %@", localError); + secdebug("Account", "Could not sync with peer %@, error: %@", deviceID, localError); // Tell account to update SOSEngine with current trusted peers if (isSOSErrorCoded(localError, kSOSErrorPeerNotFound)) { secnotice("Account", "Arming account to update SOSEngine with current trusted peers"); - account->circle_rings_retirements_need_attention = true; + account->engine_peer_state_needs_repair = true; } CFErrorPropagate(localError, error); localError = NULL; } - CFReleaseNull(peerIds); + CFReleaseNull(ids); CFReleaseSafe(localError); + return result; } + + bool SOSAccountCleanupAfterPeer(SOSAccountRef account, size_t seconds, SOSCircleRef circle, SOSPeerInfoRef cleanupPeer, CFErrorRef* error) { 
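Review bot: In `SOSAccountSyncWithIDSPeer`, the "Cannot find peer in circle" failure is created with `kSOSErrorNoCircle`, while the equivalent failure in `SOSAccountCopyPeerIDsForDSID` uses `kSOSErrorPeerNotFound`; since both `xit:` handlers arm `engine_peer_state_needs_repair` only when `isSOSErrorCoded(localError, kSOSErrorPeerNotFound)`, the IDS path never triggers the repair its own handler was written for — change that line to `SOSCreateError(kSOSErrorPeerNotFound, CFSTR("Cannot find peer in circle"), NULL, &localError)`. `SOSAccountSyncWithAllKVSPeers` overwrites `result` on every peer and then ends with `return true;` after merely logging it, so callers cannot learn that a sync failed; return `result`, or state in a comment that the loop is best-effort. `SOSAccountSyncWithKVSUsingIDSID` and `SOSAccountSyncWithKVSPeer` log the outcome with `secerror` even on success, which turns routine syncs into error-log noise; `secnotice` for the success case keeps the error channel meaningful. The `static int engineLogCountDown` in `SOSAccountSyncWithIDSPeer` is shared mutable state with no synchronization, acceptable if this is only ever called on the account queue, but that assumption should be written down next to it. `SOSAccountSendIKSPSyncList` always returns `true`, even after the `require_action_quiet` failures that populate `localError`, which is probably intended but deserves a comment.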
@@ -740,19 +1155,46 @@ bool SOSAccountScanForRetired(SOSAccountRef account, SOSCircleRef circle, CFErro SOSCircleRef SOSAccountCloneCircleWithRetirement(SOSAccountRef account, SOSCircleRef starting_circle, CFErrorRef *error) { SOSCircleRef new_circle = SOSCircleCopyCircle(NULL, starting_circle, error); + SOSFullPeerInfoRef meFull = SOSAccountGetMyFullPeerInfo(account); + SOSPeerInfoRef me = SOSFullPeerInfoGetPeerInfo(meFull); + bool iAmApplicant = me && SOSCircleHasApplicant(new_circle, me, NULL); + if(!new_circle) return NULL; - + __block bool workDone = false; if (account->retirees) { CFSetForEach(account->retirees, ^(const void* value) { SOSPeerInfoRef pi = (SOSPeerInfoRef) value; if (isSOSPeerInfo(pi)) { SOSCircleUpdatePeerInfo(new_circle, pi); + workDone = true; } }); } - if(SOSCircleCountPeers(new_circle) == 0) { - SOSCircleResetToEmpty(new_circle, NULL); + if(workDone && SOSCircleCountPeers(new_circle) == 0) { + SecKeyRef userPrivKey = SOSAccountGetPrivateCredential(account, error); + + if(iAmApplicant) { + if(userPrivKey) { + secnotice("resetToOffering", "Reset to offering with last retirement and me as applicant"); + if(!SOSCircleResetToOffering(new_circle, userPrivKey, meFull, error) || + !SOSAccountAddiCloudIdentity(account, new_circle, userPrivKey, error)) { + CFReleaseNull(new_circle); + return NULL; + } + } else { + // Do nothing. We can't resetToOffering without a userPrivKey. If we were to resetToEmpty + // we won't push the result later in handleUpdateCircle. If we leave the circle as it is + // we have a chance to set things right with a SetCreds/Join sequence. This will cause + // handleUpdateCircle to return false. + CFReleaseNull(new_circle); + return NULL; + } + } else { + // This case is when we aren't an applicant and the circle is retirement-empty. + secnotice("resetToEmpty", "Reset to empty with last retirement"); + SOSCircleResetToEmpty(new_circle, NULL); + } } return new_circle; 
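Review bot: In `SOSAccountCloneCircleWithRetirement`, `SOSCircleHasApplicant(new_circle, me, NULL)` runs before the `if(!new_circle) return NULL;` guard, so a failed `SOSCircleCopyCircle` now hands NULL to that call; move `if(!new_circle) return NULL;` to the line directly after `SOSCircleCopyCircle(...)`, ahead of the `meFull`/`me`/`iAmApplicant` lines. In the `iAmApplicant && !userPrivKey` branch the function returns NULL relying on `SOSAccountGetPrivateCredential` having populated `*error`; if it can return NULL without setting one, callers see a NULL circle with no explanation, so either a `SOSCreateError` there or a comment stating the guarantee is warranted. The function now may reset the circle to offering and add an iCloud identity, which "Clone" no longer conveys; the in-branch comment explains the why, but a header comment on the function itself describing these side effects would help the next reader.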
@@ -976,10 +1418,21 @@ static SOSCCStatus SOSCCThisDeviceStatusInCircle(SOSCircleRef circle, SOSPeerInf return kSOSCCNotInCircle; } +CFStringRef SOSAccountGetSOSCCStatusString(SOSCCStatus status) { + switch(status) { + case kSOSCCInCircle: return CFSTR("kSOSCCInCircle"); + case kSOSCCNotInCircle: return CFSTR("kSOSCCNotInCircle"); + case kSOSCCRequestPending: return CFSTR("kSOSCCRequestPending"); + case kSOSCCCircleAbsent: return CFSTR("kSOSCCCircleAbsent"); + case kSOSCCError: return CFSTR("kSOSCCError"); + } + return CFSTR("kSOSCCError"); +} + bool SOSAccountIsInCircle(SOSAccountRef account, CFErrorRef *error) { SOSCCStatus result = SOSAccountGetCircleStatus(account, error); - if (result != kSOSCCInCircle && result != kSOSCCError) { + if (result != kSOSCCInCircle) { SOSErrorCreate(kSOSErrorNoCircle, error, NULL, CFSTR("Not in circle")); return false; } 
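Review bot: With the condition narrowed to `result != kSOSCCInCircle`, a `kSOSCCError` status now reaches `SOSErrorCreate(kSOSErrorNoCircle, error, NULL, CFSTR("Not in circle"))` after `SOSAccountGetCircleStatus` has presumably already filled `*error`; depending on how `SOSErrorCreate` treats an already-set `*error`, the specific failure is either replaced by a generic "Not in circle" or leaked. A guard such as `if (result == kSOSCCError) return false;` before the `SOSErrorCreate` keeps the original error while preserving the new false return. `SOSAccountGetSOSCCStatusString` silently maps any unknown value to `"kSOSCCError"`, which is safe but hides new enum cases; a `default:` arm with a `secnotice` would surface them.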
@@ -999,14 +1452,54 @@ SOSCCStatus SOSAccountGetCircleStatus(SOSAccountRef account, CFErrorRef* error) // MARK: Account Reset Circles // -static bool SOSAccountResetCircleToOffering(SOSAccountRef account, SecKeyRef user_key, CFErrorRef *error) { - bool result = false; +// This needs to be called within a SOSAccountModifyCircle() block - require(SOSAccountHasCircle(account, error), fail); +bool SOSAccountAddiCloudIdentity(SOSAccountRef account, SOSCircleRef circle, SecKeyRef user_key, CFErrorRef *error) { + bool result = false; + SOSFullPeerInfoRef cloud_identity = NULL; + SOSPeerInfoRef cloud_peer = GenerateNewCloudIdentityPeerInfo(error); + require_quiet(cloud_peer, err_out); + cloud_identity = CopyCloudKeychainIdentity(cloud_peer, error); + CFReleaseNull(cloud_peer); + require_quiet(cloud_identity, err_out); + require_quiet(SOSCircleRequestAdmission(circle, user_key, cloud_identity, error), err_out); + require_quiet(SOSCircleAcceptRequest(circle, user_key, account->my_identity, SOSFullPeerInfoGetPeerInfo(cloud_identity), error), err_out); + result = true; +err_out: + return result; +} + +bool SOSAccountRemoveIncompleteiCloudIdentities(SOSAccountRef account, SOSCircleRef circle, SecKeyRef privKey, CFErrorRef *error) { + bool retval = false; + CFMutableSetRef iCloud2Remove = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); + + SOSCircleForEachActivePeer(circle, ^(SOSPeerInfoRef peer) { + if(SOSPeerInfoIsCloudIdentity(peer)) { + SOSFullPeerInfoRef icfpi = SOSFullPeerInfoCreateCloudIdentity(kCFAllocatorDefault, peer, NULL); + if(!icfpi) { + CFSetAddValue(iCloud2Remove, peer); + } + CFReleaseNull(icfpi); + } + }); + + if(CFSetGetCount(iCloud2Remove) > 0) { + retval = true; + SOSCircleRemovePeers(circle, privKey, account->my_identity, iCloud2Remove, error); + } + CFReleaseNull(iCloud2Remove); + return retval; +} + +static bool SOSAccountResetCircleToOffering(SOSAccountTransactionRef aTxn, SecKeyRef user_key, CFErrorRef *error) { + SOSAccountRef account = 
aTxn->account; + bool result = false; + + require(SOSAccountHasCircle(account, error), fail); require(SOSAccountEnsureFullPeerAvailable(account, error), fail); (void) SOSAccountResetAllRings(account, error); - + SOSAccountModifyCircle(account, error, ^(SOSCircleRef circle) { bool result = false; SOSFullPeerInfoRef cloud_identity = NULL; @@ -1014,18 +1507,10 @@ static bool SOSAccountResetCircleToOffering(SOSAccountRef account, SecKeyRef use require_quiet(SOSCircleResetToOffering(circle, user_key, account->my_identity, &localError), err_out); - { - SOSPeerInfoRef cloud_peer = GenerateNewCloudIdentityPeerInfo(error); - require_quiet(cloud_peer, err_out); - cloud_identity = CopyCloudKeychainIdentity(cloud_peer, error); - CFReleaseNull(cloud_peer); - require_quiet(cloud_identity, err_out); - } - account->departure_code = kSOSNeverLeftCircle; require_quiet(SOSAccountAddEscrowToPeerInfo(account, SOSAccountGetMyFullPeerInfo(account), error), err_out); - require_quiet(SOSCircleRequestAdmission(circle, user_key, cloud_identity, &localError), err_out); - require_quiet(SOSCircleAcceptRequest(circle, user_key, account->my_identity, SOSFullPeerInfoGetPeerInfo(cloud_identity), &localError), err_out); + + require_quiet(SOSAccountAddiCloudIdentity(account, circle, user_key, error), err_out); result = true; SOSAccountPublishCloudParameters(account, NULL); @@ -1041,6 +1526,9 @@ static bool SOSAccountResetCircleToOffering(SOSAccountRef account, SecKeyRef use return result; }); + SOSAccountSetValue(account, kSOSUnsyncedViewsKey, kCFBooleanTrue, NULL); + SOSAccountUpdateOutOfSyncViews(aTxn, SOSViewsGetAllCurrent()); + result = true; fail: 
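Review bot: `SOSAccountAddiCloudIdentity` never releases `cloud_identity`: `CopyCloudKeychainIdentity` hands back an owned reference, and the `err_out:` label just returns `result`, so the full peer info for the iCloud identity leaks on both the success and the failure paths. Add `CFReleaseNull(cloud_identity);` between `err_out:` and `return result;` — nothing visible in the function needs the reference after `SOSCircleAcceptRequest`. The removed block in the old `SOSAccountResetCircleToOffering` declared the same variable, and its release, if there was one, lived outside this hunk. In `SOSAccountRemoveIncompleteiCloudIdentities` the return value of `SOSCircleRemovePeers` is also discarded, so `retval` means "removal was attempted", not "removal succeeded"; either a comment saying so or `retval = SOSCircleRemovePeers(...)` would make the contract explicit.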
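Review bot: The new `SOSAccountAddiCloudIdentity(account, circle, user_key, error)` call reports its failure through the caller's `error`, while the `SOSCircleResetToOffering` call two lines above still reports through `&localError`; whichever of the two the block's `err_out:` path (outside this hunk) logs or propagates, the other failure is dropped. Keep the block's existing convention: `require_quiet(SOSAccountAddiCloudIdentity(account, circle, user_key, &localError), err_out);`. The enclosing `SOSAccountModifyCircle` block and its `err_out:` label both start and end outside this hunk.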
@@ -1048,14 +1536,16 @@ fail: } -bool SOSAccountResetToOffering(SOSAccountRef account, CFErrorRef* error) { +bool SOSAccountResetToOffering(SOSAccountTransactionRef aTxn, CFErrorRef* error) { + SOSAccountRef account = aTxn->account; SecKeyRef user_key = SOSAccountGetPrivateCredential(account, error); if (!user_key) return false; CFReleaseNull(account->my_identity); + secnotice("resetToOffering", "Resetting circle to offering by request from client"); - return user_key && SOSAccountResetCircleToOffering(account, user_key, error); + return user_key && SOSAccountResetCircleToOffering(aTxn, user_key, error); } bool SOSAccountResetToEmpty(SOSAccountRef account, CFErrorRef* error) { @@ -1068,6 +1558,7 @@ bool SOSAccountResetToEmpty(SOSAccountRef account, CFErrorRef* error) { CFReleaseNull(account->my_identity); account->departure_code = kSOSWithdrewMembership; + secnotice("resetToEmpty", "Reset Circle to empty by client request"); result &= SOSAccountModifyCircle(account, error, ^(SOSCircleRef circle) { result = SOSCircleResetToEmpty(circle, error); return result; 
@@ -1076,262 +1567,63 @@ bool SOSAccountResetToEmpty(SOSAccountRef account, CFErrorRef* error) { if (!result) { secerror("error: %@", error ? *error : NULL); } - return result; } // // MARK: start backups // -bool SOSAccountEnsureBackupStarts(SOSAccountRef account) { - +bool SOSAccountEnsureInBackupRings(SOSAccountRef account) { __block bool result = false; __block CFErrorRef error = NULL; - secnotice("backup", "Starting new backups"); - - CFDataRef backupKey = SOSPeerInfoV2DictionaryCopyData(SOSAccountGetMyPeerInfo(account), sBackupKeyKey); - - if (CFEqualSafe(backupKey, account->backup_key)){ - CFReleaseNull(backupKey); - return true; - } - - if(account->backup_key != NULL){ - require_quiet(SOSBSKBIsGoodBackupPublic(account->backup_key, &error), exit); - require_quiet(SOSAccountUpdatePeerInfo(account, CFSTR("Backup public key"), &error, - ^bool(SOSFullPeerInfoRef fpi, CFErrorRef *error) { - return SOSFullPeerInfoUpdateBackupKey(fpi, account->backup_key, error); - }), exit); - CFErrorRef localError = NULL; - if (!SOSDeleteV0Keybag(&localError)) { - secerror("Failed to delete v0 keybag: %@", localError); - } - CFReleaseNull(localError); - - result = true; + secnotice("backup", "Ensuring in rings"); - SOSAccountForEachBackupView(account, ^(const void *value) { - CFStringRef viewName = (CFStringRef)value; - result &= SOSAccountStartNewBackup(account, viewName, &error); - }); - } - else{ - if(account->backup_key == NULL){ - secerror("account backup key is NULL!"); - } - } - -exit: - if (!result) { - secnotice("backupkey", "Failed to setup backup public key: %@", error ? 
(CFTypeRef) error : (CFTypeRef) CFSTR("No error space provided")); - } - CFReleaseNull(backupKey); - return result; -} + CFDataRef backupKey = NULL; -// -// MARK: Waiting for in-sync -// - -static bool SOSAccountHasBeenInSync(SOSAccountRef account) { - CFTypeRef unsyncedObject = SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL); - CFSetRef unsynced = asSet(unsyncedObject, NULL); + require_action_quiet(account->backup_key, exit, result = true); - return !(unsyncedObject == kCFBooleanTrue || (unsynced && (CFSetGetCount(unsynced) > 0))); -} + backupKey = SOSPeerInfoV2DictionaryCopyData(SOSAccountGetMyPeerInfo(account), sBackupKeyKey); -static bool SOSAccountUpdateOutOfSyncViews(SOSAccountRef account, CFSetRef viewsInSync) { - bool notifyOfChange = false; + require_action_quiet(!CFEqualSafe(backupKey, account->backup_key), exit, result = true); // If we're already set up, we're done. + require_quiet(SOSAccountUpdatePeerInfo(account, CFSTR("Backup public key"), &error, ^bool(SOSFullPeerInfoRef fpi, CFErrorRef *error) { + return SOSFullPeerInfoUpdateBackupKey(fpi, account->backup_key, error); + }), exit); - SOSCCStatus circleStatus = SOSAccountGetCircleStatus(account, NULL); - bool inOrApplying = (circleStatus == kSOSCCInCircle) || (circleStatus == kSOSCCRequestPending); + require_quiet(account->backup_key, exit); // If it went null, we're done now. 
- CFTypeRef unsyncedObject = SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL); + require_quiet(SOSBSKBIsGoodBackupPublic(account->backup_key, &error), exit); - if (!inOrApplying) { - if (unsyncedObject != NULL) { - SOSAccountClearValue(account, kSOSUnsyncedViewsKey, NULL); - secnotice("initial-sync", "in sync, clearing pending"); - notifyOfChange = true; - } - } else if (circleStatus == kSOSCCInCircle) { - __block CFMutableSetRef viewsToSync = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); - SOSAccountForEachCirclePeerExceptMe(account, ^(SOSPeerInfoRef peer) { - SOSPeerInfoWithEnabledViewSet(peer, ^(CFSetRef enabled) { - CFSetUnion(viewsToSync, enabled); - }); - }); - - if (viewsInSync) { - CFSetSubtract(viewsToSync, viewsInSync); - - } - - if (unsyncedObject == kCFBooleanTrue) { - if (CFSetGetCount(viewsToSync) == 0) { - secnotice("initial-sync", "No views to wait for"); - SOSAccountClearValue(account, kSOSUnsyncedViewsKey, NULL); - } else { - __block CFSetRef newViews = NULL; - SOSPeerInfoWithEnabledViewSet(SOSAccountGetMyPeerInfo(account), ^(CFSetRef enabled) { - newViews = CFSetCreateIntersection(kCFAllocatorDefault, enabled, viewsToSync); - }); - secnotice("initial-sync", "Pending views set from True: %@", newViews); - SOSAccountSetValue(account, kSOSUnsyncedViewsKey, newViews, NULL); - CFReleaseNull(newViews); - } - notifyOfChange = true; - } else if (isSet(unsyncedObject)) { - CFSetRef waiting = (CFMutableSetRef) unsyncedObject; - CFSetRef newViews = CFSetCreateIntersection(kCFAllocatorDefault, waiting, viewsToSync); - if (!CFEqualSafe(waiting, newViews)) { - if (CFSetGetCount(newViews) == 0) { - secnotice("initial-sync", "No views left to wait for."); - SOSAccountClearValue(account, kSOSUnsyncedViewsKey, NULL); - } else { - secnotice("initial-sync", "Pending views updated: %@", newViews); - SOSAccountSetValue(account, kSOSUnsyncedViewsKey, newViews, NULL); - } - notifyOfChange = true; - } - CFReleaseNull(newViews); - } - - 
CFReleaseNull(viewsToSync); - } - - if (notifyOfChange) { - if(SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL) == NULL){ - CFDictionaryRef syncBlocks = account->waitForInitialSync_blocks; - account->waitForInitialSync_blocks = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - - CFDictionaryForEach(syncBlocks, ^(const void *key, const void *value) { - secnotice("updates", "calling in sync block [%@]", key); - ((SOSAccountWaitForInitialSyncBlock)value)(account); - }); - - CFReleaseNull(syncBlocks); - } - - // Make sure we update the engine - account->circle_rings_retirements_need_attention = true; + // It's a good key, we're going with it. Stop backing up the old way. + CFErrorRef localError = NULL; + if (!SOSDeleteV0Keybag(&localError)) { + secerror("Failed to delete v0 keybag: %@", localError); } + CFReleaseNull(localError); - return SOSAccountHasBeenInSync(account); -} - -static void SOSAccountPeerGotInSync(SOSAccountRef account, CFStringRef peerID) { - secnotice("initial-sync", "Heard PeerID is in sync: %@", peerID); - - if (account->trusted_circle) { - SOSPeerInfoRef peer = SOSCircleCopyPeerWithID(account->trusted_circle, peerID, NULL); - if (peer) { - CFSetRef views = SOSPeerInfoCopyEnabledViews(peer); - SOSAccountUpdateOutOfSyncViews(account, views); - CFReleaseNull(views); - } - CFReleaseNull(peer); - } -} - -void SOSAccountCleanupNotificationForAllPeers(SOSAccountRef account) { - SOSEngineRef engine = SOSDataSourceFactoryGetEngineForDataSourceName(account->factory, SOSCircleGetName(account->trusted_circle), NULL); + result = true; - CFDictionaryForEach(account->notification_cleanups, ^(const void *key, const void *value) { - if (engine) { - SOSEngineSetSyncCompleteListener(engine, key, NULL); - } - dispatch_async(account->queue, value); + // Setup backups the new way. 
+ SOSAccountForEachBackupView(account, ^(const void *value) { + CFStringRef viewName = (CFStringRef)value; + result &= SOSAccountNewBKSBForView(account, viewName, &error); }); - CFDictionaryRemoveAllValues(account->notification_cleanups); -} - -static void SOSAccountCleanupNotificationForPeer(SOSAccountRef account, CFStringRef peerID) { - dispatch_block_t cleanup = CFDictionaryGetValue(account->notification_cleanups, peerID); - - if (cleanup) { - SOSEngineRef engine = SOSDataSourceFactoryGetEngineForDataSourceName(account->factory, SOSCircleGetName(account->trusted_circle), NULL); - - if (engine) { - SOSEngineSetSyncCompleteListener(engine, peerID, NULL); - } - - dispatch_async(account->queue, cleanup); - } - - CFDictionaryRemoveValue(account->notification_cleanups, peerID); - -} - -static void SOSAccountRegisterCleanupBlock(SOSAccountRef account, CFStringRef peerID, dispatch_block_t block) { - dispatch_block_t copy = Block_copy(block); - CFDictionarySetValue(account->notification_cleanups, peerID, copy); - CFReleaseNull(copy); -} - -void SOSAccountEnsureSyncChecking(SOSAccountRef account) { - if (CFDictionaryGetCount(account->notification_cleanups) == 0) { - secnotice("initial-sync", "Setting up notifications to monitor in-sync"); - SOSEngineRef engine = SOSDataSourceFactoryGetEngineForDataSourceName(account->factory, SOSCircleGetName(account->trusted_circle), NULL); - - SOSEngineSetSyncCompleteListenerQueue(engine, account->queue); - - if (engine) { - SOSAccountForEachCirclePeerExceptMe(account, ^(SOSPeerInfoRef peer) { - CFStringRef peerID = CFStringCreateCopy(kCFAllocatorDefault, SOSPeerInfoGetPeerID(peer)); - - secnotice("initial-sync", "Setting up monitoring for peer: %@", peerID); - SOSAccountRegisterCleanupBlock(account, peerID, ^{ - CFReleaseSafe(peerID); - }); - - SOSEngineSetSyncCompleteListener(engine, peerID, ^{ - SOSAccountPeerGotInSync(account, peerID); - SOSAccountCleanupNotificationForPeer(account, peerID); - SOSAccountFinishTransaction(account); - 
}); - }); - } else { - secerror("Couldn't find engine to setup notifications!!!"); - } - } -} - -void SOSAccountCancelSyncChecking(SOSAccountRef account) { - SOSAccountCleanupNotificationForAllPeers(account); - SOSAccountUpdateOutOfSyncViews(account, NULL); -} - -bool SOSAccountCheckHasBeenInSync(SOSAccountRef account) { - bool hasBeenInSync = false; - - if (!SOSAccountIsInCircle(account, NULL)) { - SOSAccountCancelSyncChecking(account); - } else { - hasBeenInSync = SOSAccountHasBeenInSync(account); - if (!hasBeenInSync) { - hasBeenInSync = SOSAccountUpdateOutOfSyncViews(account, NULL); - if (hasBeenInSync) { - // Cancel and declare victory - - SOSAccountCancelSyncChecking(account); - } else { - // Make sure we're watching in case this is the fist attempt - SOSAccountEnsureSyncChecking(account); - } - } +exit: + if (!result) { + secnotice("backupkey", "Failed to setup backup public key: %@", error ? (CFTypeRef) error : (CFTypeRef) CFSTR("No error space provided")); } - - return hasBeenInSync; + CFReleaseNull(backupKey); + return result; } // // MARK: Joining // -static bool SOSAccountJoinCircle(SOSAccountRef account, SecKeyRef user_key, +static bool SOSAccountJoinCircle(SOSAccountTransactionRef aTxn, SecKeyRef user_key, bool use_cloud_peer, CFErrorRef* error) { + SOSAccountRef account = aTxn->account; + __block bool result = false; __block SOSFullPeerInfoRef cloud_full_peer = NULL; 
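Review bot: In `SOSAccountEnsureInBackupRings` the backup public key is written into this peer's info (`SOSAccountUpdatePeerInfo` → `SOSFullPeerInfoUpdateBackupKey`) before `SOSBSKBIsGoodBackupPublic` has validated it, whereas the removed `SOSAccountEnsureBackupStarts` validated first; a malformed `account->backup_key` is now recorded in the peer info (and presumably pushed to the circle) and only afterwards rejected, leaving this peer advertising a key the function itself refuses to back up with. Move `require_quiet(SOSBSKBIsGoodBackupPublic(account->backup_key, &error), exit);` above the `SOSAccountUpdatePeerInfo` call, keeping the `require_quiet(account->backup_key, exit);` re-check after it. Also, `result &=` inside `SOSAccountForEachBackupView` can flip `result` back to false after the v0 keybag has already been deleted, so a per-view failure is logged as "Failed to setup backup public key" although the key was fine; a distinct message in that case would help triage. `SOSAccountJoinCircle` begins at the end of this hunk and continues past it.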
@@ -1340,15 +1632,17 @@ static bool SOSAccountJoinCircle(SOSAccountRef account, SecKeyRef user_key, SOSFullPeerInfoRef myCirclePeer = account->my_identity; - if (use_cloud_peer) { - cloud_full_peer = SOSCircleCopyiCloudFullPeerInfoRef(account->trusted_circle, NULL); + if (SOSCircleCountPeers(account->trusted_circle) == 0) { + secnotice("resetToOffering", "Resetting circle to offering since there are no peers"); + // this also clears initial sync data + result = SOSAccountResetCircleToOffering(aTxn, user_key, error); } else { SOSAccountSetValue(account, kSOSUnsyncedViewsKey, kCFBooleanTrue, NULL); - } - if (SOSCircleCountPeers(account->trusted_circle) == 0) { - result = SOSAccountResetCircleToOffering(account, user_key, error); - } else { + if (use_cloud_peer) { + cloud_full_peer = SOSCircleCopyiCloudFullPeerInfoRef(account->trusted_circle, NULL); + } + SOSAccountModifyCircle(account, error, ^(SOSCircleRef circle) { result = SOSAccountAddEscrowToPeerInfo(account, myCirclePeer, error); result &= SOSCircleRequestAdmission(circle, user_key, myCirclePeer, error); @@ -1359,6 +1653,7 @@ static bool SOSAccountJoinCircle(SOSAccountRef account, SecKeyRef user_key, require_quiet(cloudid, finish); require_quiet(SOSCircleHasActivePeerWithID(circle, cloudid, &localError), finish); require_quiet(SOSCircleAcceptRequest(circle, user_key, cloud_full_peer, SOSFullPeerInfoGetPeerInfo(myCirclePeer), &localError), finish); + finish: if (localError){ secerror("Failed to join with cloud identity: %@", localError); @@ -1367,6 +1662,10 @@ static bool SOSAccountJoinCircle(SOSAccountRef account, SecKeyRef user_key, } return result; }); + + if (use_cloud_peer) { + SOSAccountUpdateOutOfSyncViews(aTxn, SOSViewsGetAllCurrent()); + } } fail: 
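Review bot: At the end of the hunk `SOSAccountUpdateOutOfSyncViews(aTxn, SOSViewsGetAllCurrent())` runs for every `use_cloud_peer` join regardless of whether the `SOSAccountModifyCircle` block succeeded — in the visible part of the block a cloud-identity accept failure is only logged under `finish:`. Declaring all views in sync after a join that did not complete would skip the initial sync that `SOSAccountSetValue(account, kSOSUnsyncedViewsKey, kCFBooleanTrue, NULL)` was set up to enforce a few lines earlier. Guard it on the block's outcome, e.g. `if (use_cloud_peer && result) {`, provided `result` reflects the accept failure (the lines between the hunks that would show this are not visible). `SOSAccountJoinCircle` starts before this hunk and ends after it.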
@@ -1374,7 +1673,8 @@ fail: return result; } -static bool SOSAccountJoinCircles_internal(SOSAccountRef account, bool use_cloud_identity, CFErrorRef* error) { +static bool SOSAccountJoinCircles_internal(SOSAccountTransactionRef aTxn, bool use_cloud_identity, CFErrorRef* error) { + SOSAccountRef account = aTxn->account; bool success = false; SecKeyRef user_key = SOSAccountGetPrivateCredential(account, error); @@ -1397,7 +1697,7 @@ static bool SOSAccountJoinCircles_internal(SOSAccountRef account, bool use_cloud } } - success = SOSAccountJoinCircle(account, user_key, use_cloud_identity, error); + success = SOSAccountJoinCircle(aTxn, user_key, use_cloud_identity, error); require_quiet(success, done); @@ -1407,8 +1707,8 @@ done: return success; } -bool SOSAccountJoinCircles(SOSAccountRef account, CFErrorRef* error) { - return SOSAccountJoinCircles_internal(account, false, error); +bool SOSAccountJoinCircles(SOSAccountTransactionRef aTxn, CFErrorRef* error) { + return SOSAccountJoinCircles_internal(aTxn, false, error); } CFStringRef SOSAccountCopyDeviceID(SOSAccountRef account, CFErrorRef *error){ 
@@ -1424,78 +1724,58 @@ fail: bool SOSAccountSetMyDSID(SOSAccountRef account, CFStringRef IDS, CFErrorRef* error){ bool result = true; - - if(whichTransportType == kSOSTransportIDS || whichTransportType == kSOSTransportFuture){ - secdebug("IDS Transport", "We are setting our device ID: %@", IDS); - if(IDS != NULL && (CFStringGetLength(IDS) > 0)){ - require_action_quiet(account->my_identity, fail, SOSErrorCreate(kSOSErrorPeerNotFound, error, NULL, CFSTR("No peer for me"))); + + secdebug("IDS Transport", "We are setting our device ID: %@", IDS); + if(IDS != NULL && (CFStringGetLength(IDS) > 0)){ + require_action_quiet(account->my_identity, fail, SOSErrorCreate(kSOSErrorPeerNotFound, error, NULL, CFSTR("No peer for me"))); + + result = SOSAccountModifyCircle(account, error, ^bool(SOSCircleRef circle) { - result = SOSAccountModifyCircle(account, error, ^bool(SOSCircleRef circle) { - - SOSFullPeerInfoUpdateDeviceID(account->my_identity, IDS, error); - SOSFullPeerInfoUpdateTransportType(account->my_identity, SOSTransportMessageTypeIDS, error); - SOSFullPeerInfoUpdateTransportPreference(account->my_identity, kCFBooleanTrue, error); - - return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(account->my_identity), NULL); - }); - } - else - result = false; - } - else{ - secdebug("IDS Transport", "We are setting our device ID: %@", IDS); - if(IDS != NULL && (CFStringGetLength(IDS) > 0)){ - require_action_quiet(account->my_identity, fail, SOSErrorCreate(kSOSErrorPeerNotFound, error, NULL, CFSTR("No peer for me"))); + SOSFullPeerInfoUpdateDeviceID(account->my_identity, IDS, error); + SOSFullPeerInfoUpdateTransportType(account->my_identity, SOSTransportMessageTypeIDSV2, error); + SOSFullPeerInfoUpdateTransportPreference(account->my_identity, kCFBooleanFalse, error); + SOSFullPeerInfoUpdateTransportFragmentationPreference(account->my_identity, kCFBooleanTrue, error); - result = SOSAccountModifyCircle(account, error, ^bool(SOSCircleRef circle) { - - 
SOSFullPeerInfoUpdateDeviceID(account->my_identity, IDS, error); - SOSFullPeerInfoUpdateTransportType(account->my_identity, SOSTransportMessageTypeKVS, error); - SOSFullPeerInfoUpdateTransportPreference(account->my_identity, kCFBooleanTrue, error); - - return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(account->my_identity), NULL); - }); - } - else - result = false; - + return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(account->my_identity), NULL); + }); } - + else + result = false; + SOSCCSyncWithAllPeers(); fail: + CFReleaseNull(account->deviceID); + account->deviceID = CFRetainSafe(IDS); return result; } - bool SOSAccountSendIDSTestMessage(SOSAccountRef account, CFStringRef message, CFErrorRef *error){ bool result = true; - if(whichTransportType == kSOSTransportIDS || whichTransportType == kSOSTransportFuture || whichTransportType == kSOSTransportPresent){ - //construct message dictionary, circle -> peerID -> message - - CFMutableDictionaryRef circleToPeerMessages = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - CFMutableDictionaryRef peerToMessage = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - - char *messageCharStar; - asprintf(&messageCharStar, "%d", kIDSSendOneMessage); - CFStringRef messageString = CFStringCreateWithCString(kCFAllocatorDefault, messageCharStar, kCFStringEncodingUTF8); - - CFMutableDictionaryRef mutableDictionary = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, messageString, CFSTR("send IDS test message"), NULL); - - SOSCircleForEachPeer(account->trusted_circle, ^(SOSPeerInfoRef peer) { - if(!CFEqualSafe(peer, SOSAccountGetMyPeerInfo(account))) + //construct message dictionary, circle -> peerID -> message + + CFMutableDictionaryRef circleToPeerMessages = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFMutableDictionaryRef peerToMessage = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + + char *messageCharStar; + asprintf(&messageCharStar, "%d", 
kIDSSendOneMessage); + CFStringRef messageString = CFStringCreateWithCString(kCFAllocatorDefault, messageCharStar, kCFStringEncodingUTF8); + + CFMutableDictionaryRef mutableDictionary = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kIDSOperationType, messageString, kIDSMessageToSendKey, CFSTR("send IDS test message"), NULL); + + SOSCircleForEachPeer(account->trusted_circle, ^(SOSPeerInfoRef peer) { + if(!CFEqualSafe(peer, SOSAccountGetMyPeerInfo(account))) CFDictionaryAddValue(peerToMessage, SOSPeerInfoGetPeerID(peer), mutableDictionary); - }); - - CFDictionaryAddValue(circleToPeerMessages, SOSCircleGetName(account->trusted_circle), peerToMessage); - result = SOSTransportMessageSendMessages(account->ids_message_transport, circleToPeerMessages, error); - - CFReleaseNull(mutableDictionary); - CFReleaseNull(peerToMessage); - CFReleaseNull(circleToPeerMessages); - CFReleaseNull(messageString); - free(messageCharStar); - } + }); + + CFDictionaryAddValue(circleToPeerMessages, SOSCircleGetName(account->trusted_circle), peerToMessage); + result = SOSTransportMessageSendMessages(account->ids_message_transport, circleToPeerMessages, error); + + CFReleaseNull(mutableDictionary); + CFReleaseNull(peerToMessage); + CFReleaseNull(circleToPeerMessages); + CFReleaseNull(messageString); + free(messageCharStar); return result; } 
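Review bot: In `SOSAccountSendIDSTestMessage` the return value of `asprintf(&messageCharStar, "%d", kIDSSendOneMessage)` is never checked; on failure the contents of `messageCharStar` are not guaranteed, yet it is passed to `CFStringCreateWithCString` and later `free`, and a NULL `messageString` would then be used as a dictionary value. Check the result and bail out through the existing release sequence, as below; the dictionaries created above the call are still released on that path. Separately, in `SOSAccountSetMyDSID` the two lines after `fail:` store `IDS` into `account->deviceID` even when the function returns false (no identity, or an empty ID); if caching the ID for later application is intended, a one-line comment such as `// Remember the ID even if we could not apply it to our peer info yet` would stop a reader from treating it as a bug.
```c
    char *messageCharStar = NULL;
    CFStringRef messageString = NULL;
    CFMutableDictionaryRef mutableDictionary = NULL;
    if (asprintf(&messageCharStar, "%d", kIDSSendOneMessage) < 0) {
        messageCharStar = NULL;   // contents are unspecified after a failed asprintf
        result = false;
        goto done;
    }
    messageString = CFStringCreateWithCString(kCFAllocatorDefault, messageCharStar, kCFStringEncodingUTF8);
    mutableDictionary = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kIDSOperationType, messageString, kIDSMessageToSendKey, CFSTR("send IDS test message"), NULL);
    // … unchanged: per-peer fan-out and SOSTransportMessageSendMessages …
done:
    CFReleaseNull(mutableDictionary);
    CFReleaseNull(peerToMessage);
    CFReleaseNull(circleToPeerMessages);
    CFReleaseNull(messageString);
    free(messageCharStar);
    return result;
```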
@@ -1512,9 +1792,11 @@ bool SOSAccountStartPingTest(SOSAccountRef account, CFStringRef message, CFError char *messageCharStar; asprintf(&messageCharStar, "%d", kIDSStartPingTestMessage); - CFStringRef messageString = CFStringCreateWithCString(kCFAllocatorDefault, messageCharStar, kCFStringEncodingUTF8); + CFStringRef operationToString = CFStringCreateWithCString(kCFAllocatorDefault, messageCharStar, kCFStringEncodingUTF8); + CFStringRef messageToSend = CFSTR("send IDS test message"); - CFMutableDictionaryRef mutableDictionary = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, messageString, CFSTR("send IDS test message"), NULL); + CFMutableDictionaryRef mutableDictionary = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kIDSOperationType, operationToString, kIDSMessageToSendKey, messageToSend, NULL); + SOSCircleForEachPeer(account->trusted_circle, ^(SOSPeerInfoRef peer) { if(CFStringCompare(SOSAccountGetMyPeerID(account), SOSPeerInfoGetPeerID(peer), 0) != 0) @@ -1527,7 +1809,7 @@ bool SOSAccountStartPingTest(SOSAccountRef account, CFStringRef message, CFError CFReleaseNull(mutableDictionary); CFReleaseNull(peerToMessage); CFReleaseNull(circleToPeerMessages); - CFReleaseNull(messageString); + CFReleaseNull(operationToString); free(messageCharStar); fail: return result; 
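Review bot: `SOSAccountStartPingTest` takes a `message` parameter (visible in the hunk header) but the payload it sends is the new local `messageToSend = CFSTR("send IDS test message")`, the same literal the one-shot test message uses; if the parameter is meant to be the ping payload this looks like a copy-paste, and if not, the literal should at least say "ping" so receivers and logs can tell the two operations apart. `asprintf`'s return value is also unchecked here before `messageCharStar` is handed to `CFStringCreateWithCString`. The function begins before this hunk.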
@@ -1535,39 +1817,38 @@ fail: bool SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(SOSAccountRef account, CFErrorRef *error){ bool result = true; - if(whichTransportType == kSOSTransportIDS || whichTransportType == kSOSTransportFuture || whichTransportType == kSOSTransportPresent){ - - __block bool success = true; - __block CFErrorRef localError = NULL; - dispatch_semaphore_t wait_for = dispatch_semaphore_create(0); - dispatch_retain(wait_for); // Both this scope and the block own it - - SOSCloudKeychainGetIDSDeviceID(^(CFDictionaryRef returnedValues, CFErrorRef sync_error){ - success = (sync_error == NULL); - if (!success) { - CFRetainAssign(localError, sync_error); - } - - dispatch_semaphore_signal(wait_for); - dispatch_release(wait_for); - }); + + __block bool success = true; + __block CFErrorRef localError = NULL; + dispatch_semaphore_t wait_for = dispatch_semaphore_create(0); + dispatch_retain(wait_for); // Both this scope and the block own it + + SOSCloudKeychainGetIDSDeviceID(^(CFDictionaryRef returnedValues, CFErrorRef sync_error){ + success = (sync_error == NULL); + if (!success) { + CFRetainAssign(localError, sync_error); + } - dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER); + dispatch_semaphore_signal(wait_for); dispatch_release(wait_for); - - if(!success && localError != NULL && error != NULL){ - secerror("Could not ask IDSKeychainSyncingProxy for Device ID: %@", localError); - *error = localError; - } - else{ - secdebug("IDS Transport", "Attempting to retrieve the IDS Device ID"); - } + }); + + dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER); + dispatch_release(wait_for); + + if(!success && localError != NULL && error != NULL){ + secerror("Could not ask IDSKeychainSyncingProxy for Device ID: %@", localError); + *error = localError; + result = false; + } + else{ + secdebug("IDS Transport", "Attempting to retrieve the IDS Device ID"); } return result; } -bool SOSAccountJoinCirclesAfterRestore(SOSAccountRef account, CFErrorRef* 
error) { - return SOSAccountJoinCircles_internal(account, true, error); +bool SOSAccountJoinCirclesAfterRestore(SOSAccountTransactionRef aTxn, CFErrorRef* error) { + return SOSAccountJoinCircles_internal(aTxn, true, error); } @@ -1575,6 +1856,7 @@ bool SOSAccountLeaveCircle(SOSAccountRef account, CFErrorRef* error) { bool result = true; + secnotice("leaveCircle", "Leaving circle by client request"); result &= SOSAccountModifyCircle(account, error, ^(SOSCircleRef circle) { return sosAccountLeaveCircle(account, circle, error); }); @@ -1607,6 +1889,7 @@ bool SOSAccountRemovePeersFromCircle(SOSAccountRef account, CFArrayRef peers, CF } else success = true; if (success && leaveCircle) { + secnotice("leaveCircle", "Leaving circle by client request"); success = sosAccountLeaveCircle(account, circle, error); } @@ -1627,6 +1910,7 @@ bool SOSAccountBail(SOSAccountRef account, uint64_t limit_in_seconds, CFErrorRef // Add a task to the group dispatch_group_async(group, queue, ^{ SOSAccountModifyCircle(account, error, ^(SOSCircleRef circle) { + secnotice("leaveCircle", "Leaving circle by client request"); return sosAccountLeaveCircle(account, circle, error); }); }); 
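Review bot: In `SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy` the `result = false` sits inside `if(!success && localError != NULL && error != NULL)`, so a caller that passes `error == NULL`, or a failure that comes back without an error object, is told the call succeeded, and in the `error == NULL` case the `localError` retained by `CFRetainAssign` is never released. Separate the outcome from the reporting: set `result = false` whenever `!success`, hand `localError` to `*error` only when there is somewhere to put it, and release it otherwise, as below. The completion block also discards `returnedValues`, so nothing visible here stores a device ID; if the proxy delivers it by another route, a comment saying so would pre-empt the obvious question. The wait is `DISPATCH_TIME_FOREVER`, which leaves this thread blocked indefinitely if the proxy never replies — worth a bounded timeout if callers run on a serialized queue.
```c
    dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER);
    dispatch_release(wait_for);

    if (!success) {
        result = false;
        secerror("Could not ask IDSKeychainSyncingProxy for Device ID: %@", localError);
        if (error != NULL && localError != NULL) {
            *error = localError;      // ownership moves to the caller
            localError = NULL;
        }
    } else {
        secdebug("IDS Transport", "Attempting to retrieve the IDS Device ID");
    }
    CFReleaseNull(localError);
    return result;
```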
@@ -1747,28 +2031,26 @@ bool SOSAccountEnsurePeerRegistration(SOSAccountRef account, CFErrorRef *error) require_quiet(account->trusted_circle, done); require_quiet(account->my_identity, done); + require_quiet(account->user_public_trusted, done); + // If we are not in the circle, there is no point in setting up peers require_quiet(SOSAccountIsMyPeerActive(account, NULL), done); // This code only uses the SOSFullPeerInfoRef for two things: // - Finding out if this device is in the trusted circle // - Using the peerID for this device to see if the current peer is "me" - // - It is used indirectly by passing account->my_identity to SOSPeerCoderInitializeForPeer + // - It is used indirectly by passing account->my_identity to SOSEngineInitializePeerCoder CFStringRef my_id = SOSPeerInfoGetPeerID(SOSFullPeerInfoGetPeerInfo(account->my_identity)); - SOSCircleForEachPeer(account->trusted_circle, ^(SOSPeerInfoRef peer) { + SOSCircleForEachValidSyncingPeer(account->trusted_circle, account->user_public, ^(SOSPeerInfoRef peer) { if (!SOSPeerInfoPeerIDEqual(peer, my_id)) { CFErrorRef localError = NULL; SOSTransportMessageRef messageTransport = NULL; - if(whichTransportType == kSOSTransportIDS || whichTransportType == kSOSTransportFuture || whichTransportType == kSOSTransportPresent){ - messageTransport = SOSPeerInfoHasDeviceID(peer) ? account->ids_message_transport : account->kvs_message_transport; - } - else - messageTransport = account->kvs_message_transport; + messageTransport = SOSPeerInfoHasDeviceID(peer) ? account->ids_message_transport : account->kvs_message_transport; - SOSPeerCoderInitializeForPeer(messageTransport->engine, account->my_identity, peer, &localError); + SOSEngineInitializePeerCoder(messageTransport->engine, account->my_identity, peer, &localError); if (localError) secnotice("updates", "can't initialize transport for peer %@ with %@ (%@)", peer, account->my_identity, localError); CFReleaseSafe(localError); 
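Review bot: The transport choice `SOSPeerInfoHasDeviceID(peer) ? account->ids_message_transport : account->kvs_message_transport` keys solely on what the remote peer advertises, and `messageTransport->engine` is dereferenced on the next line without checking that the chosen transport exists locally; if `account->ids_message_transport` can be NULL on a build or configuration without IDS (not visible here), a peer that merely claims a device ID drives this through a NULL pointer. Fall back when the local transport is absent: `messageTransport = (SOSPeerInfoHasDeviceID(peer) && account->ids_message_transport) ? account->ids_message_transport : account->kvs_message_transport;`. Restricting coder setup to `SOSCircleForEachValidSyncingPeer` under `account->user_public` is the right gate, but the new `require_quiet(account->user_public_trusted, done);` bails out silently — a `secnotice("updates", "user key not trusted, skipping peer registration");` there would make a stuck untrusted-key state diagnosable. `SOSAccountEnsurePeerRegistration` starts before this hunk and ends after it.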
@@ -1791,7 +2073,11 @@ static inline bool SOSAccountEnsureExpansion(SOSAccountRef account, CFErrorRef * return SecAllocationError(account->expansion, error, CFSTR("Can't Alloc Account Expansion dictionary")); } -bool SOSAccountClearValue(SOSAccountRef account, const void *key, CFErrorRef *error) { +// +// Value manipulation +// + +bool SOSAccountClearValue(SOSAccountRef account, CFStringRef key, CFErrorRef *error) { bool success = SOSAccountEnsureExpansion(account, error); require_quiet(success, errOut); @@ -1800,7 +2086,9 @@ errOut: return success; } -bool SOSAccountSetValue(SOSAccountRef account, const void *key, const void *value, CFErrorRef *error) { +bool SOSAccountSetValue(SOSAccountRef account, CFStringRef key, CFTypeRef value, CFErrorRef *error) { + if (value == NULL) return SOSAccountClearValue(account, key, error); + bool success = SOSAccountEnsureExpansion(account, error); require_quiet(success, errOut); @@ -1809,8 +2097,7 @@ errOut: return success; } - -const void *SOSAccountGetValue(SOSAccountRef account, const void *key, CFErrorRef *error) { +CFTypeRef SOSAccountGetValue(SOSAccountRef account, CFStringRef key, CFErrorRef *error) { if (!account->expansion) { return NULL; } @@ -1851,7 +2138,7 @@ bool SOSAccountAddEscrowToPeerInfo(SOSAccountRef account, SOSFullPeerInfoRef myP bool SOSAccountCheckPeerAvailability(SOSAccountRef account, CFErrorRef *error) { CFMutableDictionaryRef circleToPeerMessages = NULL; - CFStringRef messageString = NULL; + CFStringRef operationTypeAsString = NULL; CFMutableDictionaryRef mutableDictionary = NULL; CFMutableSetRef peers = NULL; CFMutableDictionaryRef peerList = NULL; 
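Review bot: `SOSAccountSetValue` now treats a NULL `value` as a clear, which is a contract change a caller cannot see from the prototype; document it on the function, e.g. `// A NULL value removes key, exactly as SOSAccountClearValue() would.` The new `// Value manipulation` header is also the place to state that all three accessors operate on `account->expansion` and that `SOSAccountGetValue` returns NULL, without setting `error`, when that dictionary has never been allocated — both are visible in the hunk but only by reading the bodies.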
@@ -1864,11 +2151,11 @@ bool SOSAccountCheckPeerAvailability(SOSAccountRef account, CFErrorRef *error) circleToPeerMessages = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); //adding message type kIDSPeerAvailability so IDSKeychainSyncingProxy does not send this message as a keychain item - + asprintf(&message, "%d", kIDSPeerAvailability); - messageString = CFStringCreateWithCString(kCFAllocatorDefault, message, kCFStringEncodingUTF8); + operationTypeAsString = CFStringCreateWithCString(kCFAllocatorDefault, message, kCFStringEncodingUTF8); - mutableDictionary = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, messageString, CFSTR("checking peers"), NULL); + mutableDictionary = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kIDSOperationType, operationTypeAsString, kIDSMessageToSendKey, CFSTR("checking peers"), NULL); //make sure there are peers in the circle peers = SOSCircleCopyPeers(account->trusted_circle, kCFAllocatorDefault); @@ -1898,10 +2185,10 @@ bool SOSAccountCheckPeerAvailability(SOSAccountRef account, CFErrorRef *error) require_quiet(CFDictionaryGetCount(peerList) > 0 , fail); CFDictionaryAddValue(circleToPeerMessages, SOSCircleGetName(account->trusted_circle), peerList); result = SOSTransportMessageSendMessages(account->ids_message_transport, circleToPeerMessages, error); - + fail: CFReleaseNull(mutableDictionary); - CFReleaseNull(messageString); + CFReleaseNull(operationTypeAsString); CFReleaseNull(peerList); CFReleaseNull(circleToPeerMessages); CFReleaseNull(peers); @@ -1910,7 +2197,7 @@ fail: } -static void SOSAccountRecordRetiredPeersInCircle(SOSAccountRef account) { +void SOSAccountRecordRetiredPeersInCircle(SOSAccountRef account) { if (!SOSAccountIsInCircle(account, NULL)) return; 
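Review bot: In `SOSAccountCheckPeerAvailability` the result of `asprintf(&message, "%d", kIDSPeerAvailability)` is unchecked before `message` is passed to `CFStringCreateWithCString`; since the function already has a `fail:` cleanup path, a one-line guard suffices: `if (asprintf(&message, "%d", kIDSPeerAvailability) < 0) { message = NULL; goto fail; }`. That relies on `message` being freed at `fail:` and on the other locals being NULL-initialised — the declarations earlier in the function (partly visible in the `-1851` hunk) do the latter, but the `free(message)` itself is not visible in this hunk. The function starts before this hunk.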
@@ -1932,21 +2219,231 @@ static void SOSAccountRecordRetiredPeersInCircle(SOSAccountRef account) { }); } -void SOSAccountFinishTransaction(SOSAccountRef account) { - if(account->circle_rings_retirements_need_attention){ - SOSAccountRecordRetiredPeersInCircle(account); - CFErrorRef localError = NULL; - if(!SOSTransportCircleFlushChanges(account->circle_transport, &localError)) { - secerror("flush circle failed %@", localError); - } - CFReleaseSafe(localError); - - SOSAccountNotifyEngines(account); // For now our only rings are backup rings. +static size_t SOSPiggyBackBlobGetDEREncodedSize(SOSGenCountRef gencount, SecKeyRef pubKey, CFDataRef signature, CFErrorRef *error) { + size_t total_payload = 0; + + CFDataRef publicBytes = NULL; + OSStatus result = SecKeyCopyPublicBytes(pubKey, &publicBytes); + + if (result != errSecSuccess) { + SOSCreateError(kSOSErrorBadKey, CFSTR("Failed to export public bytes"), NULL, error); + return 0; } + + require_quiet(accumulate_size(&total_payload, der_sizeof_number(gencount, error)), errOut); + require_quiet(accumulate_size(&total_payload, der_sizeof_data_or_null(publicBytes, error)), errOut); + require_quiet(accumulate_size(&total_payload, der_sizeof_data_or_null(signature, error)), errOut); + return ccder_sizeof(CCDER_CONSTRUCTED_SEQUENCE, total_payload); - SOSAccountCheckHasBeenInSync(account); +errOut: + SecCFDERCreateError(kSecDERErrorUnknownEncoding, CFSTR("don't know how to encode"), NULL, error); + return 0; +} - account->circle_rings_retirements_need_attention = false; +static uint8_t* SOSPiggyBackBlobEncodeToDER(SOSGenCountRef gencount, SecKeyRef pubKey, CFDataRef signature, CFErrorRef* error, const uint8_t* der, uint8_t* der_end) { + CFDataRef publicBytes = NULL; + + OSStatus result = SecKeyCopyPublicBytes(pubKey, &publicBytes); + + if (result != errSecSuccess) { + SOSCreateError(kSOSErrorBadKey, CFSTR("Failed to export public bytes"), NULL, error); + return NULL; + } + + + der_end = 
ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, + der_encode_number(gencount, error, der, + der_encode_data_or_null(publicBytes, error, der, + der_encode_data_or_null(signature, error, der, der_end)))); + return der_end; } +static CFDataRef SOSPiggyBackBlobCopyEncodedData(SOSGenCountRef gencount, SecKeyRef pubKey, CFDataRef signature, CFAllocatorRef allocator, CFErrorRef *error) +{ + return CFDataCreateWithDER(kCFAllocatorDefault, SOSPiggyBackBlobGetDEREncodedSize(gencount, pubKey, signature, error), ^uint8_t*(size_t size, uint8_t *buffer) { + return SOSPiggyBackBlobEncodeToDER(gencount, pubKey, signature, error, buffer, (uint8_t *) buffer + size); + }); +} + +struct piggyBackBlob { + SOSGenCountRef gencount; + SecKeyRef pubKey; + CFDataRef signature; +}; + +static struct piggyBackBlob *SOSPiggyBackBlobCreateFromDER(CFAllocatorRef allocator, CFErrorRef *error, + const uint8_t** der_p, const uint8_t *der_end) { + const uint8_t *sequence_end; + struct piggyBackBlob *retval = NULL; + SOSGenCountRef gencount = NULL; + CFDataRef signature = NULL; + CFDataRef publicBytes = NULL; + + *der_p = ccder_decode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, &sequence_end, *der_p, der_end); + require_action_quiet(sequence_end != NULL, errOut, + SOSCreateError(kSOSErrorBadFormat, CFSTR("Bad Blob DER"), (error != NULL) ? *error : NULL, error)); + *der_p = der_decode_number(allocator, 0, &gencount, error, *der_p, sequence_end); + *der_p = der_decode_data_or_null(kCFAllocatorDefault, &publicBytes, error, *der_p, der_end); + *der_p = der_decode_data_or_null(kCFAllocatorDefault, &signature, error, *der_p, der_end); + require_action_quiet(*der_p && *der_p == der_end, errOut, + SOSCreateError(kSOSErrorBadFormat, CFSTR("Didn't consume all bytes for pbblob"), (error != NULL) ? 
*error : NULL, error)); + retval = malloc(sizeof(struct piggyBackBlob)); + retval->gencount = gencount; + retval->signature = signature; + retval->pubKey = SecKeyCreateFromPublicData(kCFAllocatorDefault, kSecECDSAAlgorithmID, publicBytes); + +errOut: + if(!retval) { + CFReleaseNull(gencount); + CFReleaseNull(publicBytes); + CFReleaseNull(signature); + } + return retval; +} + +static struct piggyBackBlob *SOSPiggyBackBlobCreateFromData(CFAllocatorRef allocator, CFDataRef blobData, CFErrorRef *error) +{ + size_t size = CFDataGetLength(blobData); + const uint8_t *der = CFDataGetBytePtr(blobData); + struct piggyBackBlob *inflated = SOSPiggyBackBlobCreateFromDER(allocator, error, &der, der + size); + return inflated; +} + + + +SOSPeerInfoRef SOSAccountCopyApplication(SOSAccountRef account, CFErrorRef* error) { + SOSPeerInfoRef applicant = NULL; + SecKeyRef userKey = SOSAccountGetPrivateCredential(account, error); + if(!userKey) return false; + require_quiet(SOSAccountEnsureFullPeerAvailable(account, error), errOut); + require(SOSFullPeerInfoPromoteToApplication(account->my_identity, userKey, error), errOut); + applicant = SOSPeerInfoCreateCopy(kCFAllocatorDefault, (SOSFullPeerInfoGetPeerInfo(account->my_identity)), error); +errOut: + return applicant; +} + + +CFDataRef SOSAccountCopyCircleJoiningBlob(SOSAccountRef account, SOSPeerInfoRef applicant, CFErrorRef *error) { + SOSGenCountRef gencount = NULL; + CFDataRef signature = NULL; + SecKeyRef ourKey = NULL; + + CFDataRef pbblob = NULL; + + SecKeyRef userKey = SOSAccountGetTrustedPublicCredential(account, error); + require_quiet(userKey, errOut); + + require_action_quiet(applicant, errOut, SOSCreateError(kSOSErrorProcessingFailure, CFSTR("No applicant provided"), (error != NULL) ? 
*error : NULL, error)); + require_quiet(SOSPeerInfoApplicationVerify(applicant, userKey, error), errOut); + + { + SOSFullPeerInfoRef fpi = SOSAccountGetMyFullPeerInfo(account); + ourKey = SOSFullPeerInfoCopyDeviceKey(fpi, error); + require_quiet(ourKey, errOut); + } + + SOSCircleRef currentCircle = SOSAccountGetCircle(account, error); + require_quiet(currentCircle, errOut); + + SOSCircleRef prunedCircle = SOSCircleCopyCircle(NULL, currentCircle, error); + require_quiet(prunedCircle, errOut); + require_quiet(SOSCirclePreGenerationSign(prunedCircle, userKey, error), errOut); + + gencount = SOSGenerationIncrementAndCreate(SOSCircleGetGeneration(prunedCircle)); + + signature = SOSCircleCopyNextGenSignatureWithPeerAdded(prunedCircle, applicant, ourKey, error); + require_quiet(signature, errOut); + + pbblob = SOSPiggyBackBlobCopyEncodedData(gencount, ourKey, signature, kCFAllocatorDefault, error); + +errOut: + CFReleaseNull(gencount); + CFReleaseNull(signature); + CFReleaseNull(ourKey); + + return pbblob; +} + +bool SOSAccountJoinWithCircleJoiningBlob(SOSAccountRef account, CFDataRef joiningBlob, CFErrorRef *error) { + bool retval = false; + SecKeyRef userKey = NULL; + struct piggyBackBlob *pbb = NULL; + + userKey = SOSAccountGetPrivateCredential(account, error); + require_quiet(userKey, errOut); + pbb = SOSPiggyBackBlobCreateFromData(kCFAllocatorDefault, joiningBlob, error); + require_quiet(pbb, errOut); + + SOSAccountSetValue(account, kSOSUnsyncedViewsKey, kCFBooleanTrue, NULL); + + retval = SOSAccountModifyCircle(account, error, ^bool(SOSCircleRef copyOfCurrent) { + return SOSCircleAcceptPeerFromHSA2(copyOfCurrent, userKey, + pbb->gencount, + pbb->pubKey, + pbb->signature, + account->my_identity, error);; + + }); + +errOut: + if(pbb) { + CFReleaseNull(pbb->gencount); + CFReleaseNull(pbb->pubKey); + CFReleaseNull(pbb->signature); + free(pbb); + } + return retval; +} + +static char boolToChars(bool val, char truechar, char falsechar) { + return val? 
truechar: falsechar; +} + +#define ACCOUNTLOGSTATE "accountLogState" +void SOSAccountLogState(SOSAccountRef account) { + bool hasPubKey = account->user_public != NULL; + bool pubTrusted = account->user_public_trusted; + bool hasPriv = account->_user_private != NULL; + SOSCCStatus stat = SOSAccountGetCircleStatus(account, NULL); + CFStringRef userPubKeyID = (account->user_public) ? SOSCopyIDOfKeyWithLength(account->user_public, 8, NULL): + CFStringCreateCopy(kCFAllocatorDefault, CFSTR("*No Key*")); + + secnotice(ACCOUNTLOGSTATE, "Start"); + + secnotice(ACCOUNTLOGSTATE, "ACCOUNT: [keyStatus: %c%c%c hpub %@] [SOSCCStatus: %@]", + boolToChars(hasPubKey, 'U', 'u'), boolToChars(pubTrusted, 'T', 't'), boolToChars(hasPriv, 'I', 'i'), + userPubKeyID, + SOSAccountGetSOSCCStatusString(stat) + ); + CFReleaseNull(userPubKeyID); + if(account->trusted_circle) SOSCircleLogState(ACCOUNTLOGSTATE, account->trusted_circle, account->user_public, SOSAccountGetMyPeerID(account)); + else secnotice(ACCOUNTLOGSTATE, "ACCOUNT: No Circle"); +} + +void SOSAccountLogViewState(SOSAccountRef account) { + bool isInCircle = SOSAccountIsInCircle(account, NULL); + require_quiet(isInCircle, imOut); + SOSPeerInfoRef mpi = SOSAccountGetMyPeerInfo(account); + bool isInitialComplete = SOSAccountHasCompletedInitialSync(account); + bool isBackupComplete = SOSAccountHasCompletedRequiredBackupSync(account); + + CFSetRef views = mpi ? 
SOSPeerInfoCopyEnabledViews(mpi) : NULL; + CFStringSetPerformWithDescription(views, ^(CFStringRef description) { + secnotice(ACCOUNTLOGSTATE, "Sync: %c%c PeerViews: %@", + boolToChars(isInitialComplete, 'I', 'i'), + boolToChars(isBackupComplete, 'B', 'b'), + description); + }); + CFReleaseNull(views); + CFSetRef unsyncedViews = SOSAccountCopyOutstandingViews(account); + CFStringSetPerformWithDescription(views, ^(CFStringRef description) { + secnotice(ACCOUNTLOGSTATE, "outstanding views: %@", description); + }); + CFReleaseNull(unsyncedViews); + +imOut: + secnotice(ACCOUNTLOGSTATE, "Finish"); + + return; +} diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.h index 2028f7fe..d014ebbd 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.h @@ -34,9 +34,9 @@ /* Forward declarations of SOS types. */ typedef struct __OpaqueSOSAccount *SOSAccountRef; - #include <CoreFoundation/CoreFoundation.h> +#include <Security/SecureObjectSync/SOSAccountTransaction.h> #include <Security/SecureObjectSync/SOSCircle.h> #include <Security/SecureObjectSync/SOSFullPeerInfo.h> #include <Security/SecureObjectSync/SOSCloudCircle.h> @@ -59,6 +59,7 @@ typedef void (^SOSAccountCircleMembershipChangeBlock)(SOSCircleRef new_circle, CFSetRef added_applicants, CFSetRef removed_applicants); typedef void (^SOSAccountSyncablePeersBlock)(CFArrayRef trustedPeers, CFArrayRef addedPeers, CFArrayRef removedPeers); typedef bool (^SOSAccountWaitForInitialSyncBlock)(SOSAccountRef account); +typedef void (^SOSAccountSaveBlock)(CFDataRef flattenedAccount, CFErrorRef flattenFailError); SOSAccountRef SOSAccountCreate(CFAllocatorRef allocator, CFDictionaryRef gestalt, 
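Review bot: In SOSAccountLogViewState the second CFStringSetPerformWithDescription iterates `views`, which the preceding `CFReleaseNull(views)` has just set to NULL, so the "outstanding views" line never describes `unsyncedViews`; it should read `CFStringSetPerformWithDescription(unsyncedViews, ^(CFStringRef description) {`. SOSPiggyBackBlobGetDEREncodedSize and SOSPiggyBackBlobEncodeToDER both obtain `publicBytes` from SecKeyCopyPublicBytes and return without releasing it, and SOSAccountCopyCircleJoiningBlob never releases `prunedCircle`; each needs a `CFReleaseNull(...)` on its exit paths. SOSPiggyBackBlobCreateFromDER parses a blob handed in from outside (SOSAccountJoinWithCircleJoiningBlob feeds `joiningBlob` straight into it), yet the result of `malloc(sizeof(struct piggyBackBlob))` is dereferenced without a NULL check, the two der_decode_data_or_null calls are bounded by `der_end` while the der_decode_number call is bounded by `sequence_end`, a NULL result from SecKeyCreateFromPublicData is stored as `pubKey` instead of failing the parse, and `publicBytes` leaks on the success path. SOSAccountCopyApplication returns `false` from a function declared to return SOSPeerInfoRef, where `return NULL;` says what is meant, and the stray `;;` after the SOSCircleAcceptPeerFromHSA2 call in SOSAccountJoinWithCircleJoiningBlob can go.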
@@ -104,6 +105,8 @@ bool SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(SOSAccountRef account // MARK: Credential management // +SecKeyRef SOSAccountGetTrustedPublicCredential(SOSAccountRef account, CFErrorRef* error); + SecKeyRef SOSAccountGetPrivateCredential(SOSAccountRef account, CFErrorRef* error); CFDataRef SOSAccountGetCachedPassword(SOSAccountRef account, CFErrorRef* error); @@ -133,16 +136,17 @@ void SOSTransportEachMessage(SOSAccountRef account, CFDictionaryRef updates, CFE SOSCCStatus SOSAccountGetCircleStatus(SOSAccountRef account, CFErrorRef* error); +CFStringRef SOSAccountGetSOSCCStatusString(SOSCCStatus status); bool SOSAccountIsInCircle(SOSAccountRef account, CFErrorRef *error); -bool SOSAccountJoinCircles(SOSAccountRef account, CFErrorRef* error); -bool SOSAccountJoinCirclesAfterRestore(SOSAccountRef account, CFErrorRef* error); +bool SOSAccountJoinCircles(SOSAccountTransactionRef aTxn, CFErrorRef* error); +bool SOSAccountJoinCirclesAfterRestore(SOSAccountTransactionRef aTxn, CFErrorRef* error); bool SOSAccountLeaveCircle(SOSAccountRef account,CFErrorRef* error); bool SOSAccountRemovePeersFromCircle(SOSAccountRef account, CFArrayRef peers, CFErrorRef* error); bool SOSAccountBail(SOSAccountRef account, uint64_t limit_in_seconds, CFErrorRef* error); bool SOSAccountAcceptApplicants(SOSAccountRef account, CFArrayRef applicants, CFErrorRef* error); bool SOSAccountRejectApplicants(SOSAccountRef account, CFArrayRef applicants, CFErrorRef* error); -bool SOSAccountResetToOffering(SOSAccountRef account, CFErrorRef* error); +bool SOSAccountResetToOffering(SOSAccountTransactionRef aTxn, CFErrorRef* error); bool SOSAccountResetToEmpty(SOSAccountRef account, CFErrorRef* error); bool SOSValidateUserPublic(SOSAccountRef account, CFErrorRef* error); 
@@ -165,6 +169,19 @@ bool SOSAccountIsAccountIdentity(SOSAccountRef account, SOSPeerInfoRef peer_info enum DepartureReason SOSAccountGetLastDepartureReason(SOSAccountRef account, CFErrorRef* error); +// +// MARK: iCloud Identity +// +bool SOSAccountAddiCloudIdentity(SOSAccountRef account, SOSCircleRef circle, SecKeyRef user_key, CFErrorRef *error); +bool SOSAccountRemoveIncompleteiCloudIdentities(SOSAccountRef account, SOSCircleRef circle, SecKeyRef privKey, CFErrorRef *error); + +// +// MARK: Save Block +// + +void SOSAccountSetSaveBlock(SOSAccountRef account, SOSAccountSaveBlock saveBlock); +void SOSAccountFlattenToSaveBlock(SOSAccountRef account); + // // MARK: Change blocks // @@ -188,6 +205,10 @@ SOSViewResultCode SOSAccountViewStatus(SOSAccountRef account, CFStringRef viewna bool SOSAccountUpdateViewSets(SOSAccountRef account, CFSetRef enabledViews, CFSetRef disabledViews); +void SOSAccountPendEnableViewSet(SOSAccountRef account, CFSetRef enabledViews); +void SOSAccountPendDisableViewSet(SOSAccountRef account, CFSetRef disabledViews); + + SOSSecurityPropertyResultCode SOSAccountUpdateSecurityProperty(SOSAccountRef account, CFStringRef property, SOSSecurityPropertyActionCode actionCode, CFErrorRef *error); SOSSecurityPropertyResultCode SOSAccountSecurityPropertyStatus(SOSAccountRef account, CFStringRef property, CFErrorRef *error); 
@@ -195,7 +216,13 @@ SOSSecurityPropertyResultCode SOSAccountSecurityPropertyStatus(SOSAccountRef acc bool SOSAccountHandleParametersChange(SOSAccountRef account, CFDataRef updates, CFErrorRef *error); -bool SOSAccountSyncWithAllPeers(SOSAccountRef account, CFErrorRef *error); +bool SOSAccountSendIKSPSyncList(SOSAccountRef account, CFErrorRef *error); +bool SOSAccountSyncWithAllKVSPeers(SOSAccountRef account, CFErrorRef *error); + +bool SOSAccountSyncWithKVSPeer(SOSAccountRef account, CFStringRef peerID, CFErrorRef *error); +bool SOSAccountSyncWithKVSUsingIDSID(SOSAccountRef account, CFStringRef deviceID, CFErrorRef *error); + +bool SOSAccountSyncWithIDSPeer(SOSAccountRef account, CFStringRef peerID, CFErrorRef *error); bool SOSAccountCleanupAfterPeer(SOSAccountRef account, size_t seconds, SOSCircleRef circle, SOSPeerInfoRef cleanupPeer, CFErrorRef* error); @@ -218,14 +245,16 @@ CFStringRef SOSAccountCopyIncompatibilityInfo(SOSAccountRef account, CFErrorRef* // bool SOSAccountIsBackupRingEmpty(SOSAccountRef account, CFStringRef viewName); -bool SOSAccountStartNewBackup(SOSAccountRef account, CFStringRef viewName, CFErrorRef *error); +bool SOSAccountNewBKSBForView(SOSAccountRef account, CFStringRef viewName, CFErrorRef *error); -bool SOSAccountSetBackupPublicKey(SOSAccountRef account, CFDataRef backupKey, CFErrorRef *error); -bool SOSAccountRemoveBackupPublickey(SOSAccountRef account, CFErrorRef *error); +bool SOSAccountSetBackupPublicKey(SOSAccountTransactionRef aTxn, CFDataRef backupKey, CFErrorRef *error); +bool SOSAccountRemoveBackupPublickey(SOSAccountTransactionRef aTxn, CFErrorRef *error); bool SOSAccountSetBSKBagForAllSlices(SOSAccountRef account, CFDataRef backupSlice, bool setupV0Only, CFErrorRef *error); SOSBackupSliceKeyBagRef SOSAccountBackupSliceKeyBagForView(SOSAccountRef account, CFStringRef viewName, CFErrorRef* error); +bool SOSAccountIsLastBackupPeer(SOSAccountRef account, CFErrorRef *error); + // // MARK: Private functions // 
@@ -249,12 +278,6 @@ CFStringRef SOSInterestListCopyDescription(CFArrayRef interests); CFArrayRef SOSCreateActiveViewIntersectionArrayForPeerID(SOSAccountRef account, CFStringRef peerID); CFDictionaryRef SOSViewsCreateActiveViewMatrixDictionary(SOSAccountRef account, SOSCircleRef circle, CFErrorRef *error); -// -// MARK: Transactional functions -// - -void SOSAccountFinishTransaction(SOSAccountRef account); - const uint8_t* der_decode_cloud_parameters(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFDataRef *parameters, @@ -266,6 +289,33 @@ CFSetRef CreateCFSetRefFromXPCObject(xpc_object_t xpcSetDER, CFErrorRef* error); xpc_object_t CreateXPCObjectWithCFSetRef(CFSetRef setref, CFErrorRef *error); +// +// MARK: HSA2 Piggyback Support Functions +// + +SOSPeerInfoRef SOSAccountCopyApplication(SOSAccountRef account, CFErrorRef*); +CFDataRef SOSAccountCopyCircleJoiningBlob(SOSAccountRef account, SOSPeerInfoRef applicant, CFErrorRef *error); +bool SOSAccountJoinWithCircleJoiningBlob(SOSAccountRef account, CFDataRef joiningBlob, CFErrorRef *error); + +// +// MARK: Initial-Sync +// +bool SOSAccountHasCompletedInitialSync(SOSAccountRef account); +CFMutableSetRef SOSAccountCopyUnsyncedInitialViews(SOSAccountRef account); +bool SOSAccountHasCompletedRequiredBackupSync(SOSAccountRef account); + +// +// MARK: State Logging +// +void SOSAccountLogState(SOSAccountRef account); +void SOSAccountLogViewState(SOSAccountRef account); + +// +// MARK: Checking other peer views +// + +CFBooleanRef SOSAccountPeersHaveViewsEnabled(SOSAccountRef account, CFArrayRef viewNames, CFErrorRef *error); + __END_DECLS #endif /* !_SOSACCOUNT_H_ */ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountBackup.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountBackup.c index c8b24a2c..a34987d0 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountBackup.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountBackup.c 
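Review bot: The new SOSAccountCopyApplication prototype drops the name of its second parameter, unlike every neighbouring declaration; `SOSPeerInfoRef SOSAccountCopyApplication(SOSAccountRef account, CFErrorRef* error);`. The three HSA2 piggyback declarations are also the only new public entry points in this header that exchange blobs with another device (the .c hunk earlier in this patch decodes `joiningBlob` as DER), and none states ownership of the results; a comment such as `// Copy functions return +1 objects the caller must release; joiningBlob is DER received from another peer.` above the group would record that.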
@@ -127,27 +127,20 @@ static bool SOSAccountUpdateNamedRing(SOSAccountRef account, CFStringRef ringNam SOSRingRef (^create)(CFStringRef ringName, CFErrorRef *error), SOSRingRef (^copyModified)(SOSRingRef existing, CFErrorRef *error)) { bool result = false; + SOSRingRef found = SOSAccountCopyRing(account, ringName, error); SOSRingRef newRing = NULL; - SOSRingRef found = (SOSRingRef) CFDictionaryGetValue(account->trusted_rings, ringName); - if (isSOSRing(found)) { - found = SOSRingCopyRing(found, error); - } else { - if (found) { - secerror("Non ring in ring table: %@, purging!", found); - CFDictionaryRemoveValue(account->trusted_rings, ringName); - } + if(!found) { found = create(ringName, error); } - - require_quiet(found, exit); + require_quiet(found, errOut); newRing = copyModified(found, error); CFReleaseNull(found); - require_quiet(newRing, exit); + require_quiet(newRing, errOut); result = SOSAccountHandleUpdateRing(account, newRing, true, error); -exit: +errOut: CFReleaseNull(found); CFReleaseNull(newRing); return result; @@ -219,7 +212,7 @@ errOut: return result; } -bool SOSAccountStartNewBackup(SOSAccountRef account, CFStringRef viewName, CFErrorRef *error) +bool SOSAccountNewBKSBForView(SOSAccountRef account, CFStringRef viewName, CFErrorRef *error) { return SOSAccountWithBSKBForView(account, viewName, error, ^(SOSBackupSliceKeyBagRef bskb, CFErrorRef *error) { bool result = SOSAccountSetKeybagForViewBackupRing(account, viewName, bskb, error); @@ -229,10 +222,11 @@ bool SOSAccountStartNewBackup(SOSAccountRef account, CFStringRef viewName, CFErr bool SOSAccountIsBackupRingEmpty(SOSAccountRef account, CFStringRef viewName) { CFStringRef backupRing = SOSBackupCopyRingNameForView(viewName); - SOSRingRef ring = SOSAccountGetRing(account, backupRing, NULL); + SOSRingRef ring = SOSAccountCopyRing(account, backupRing, NULL); CFReleaseNull(backupRing); int peercnt = 0; if(ring) peercnt = SOSRingCountPeers(ring); + CFReleaseNull(ring); return peercnt == 0; } 
@@ -256,31 +250,29 @@ bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccountRef account, CFStringR bool result = false; CFErrorRef bsError = NULL; CFDataRef backupSliceData = NULL; + SOSRingRef ring = NULL; SOSBackupSliceKeyBagRef backupSlice = NULL; - require_quiet(SOSPeerInfoIsViewBackupEnabled(SOSAccountGetMyPeerInfo(account), viewname), exit); + require_quiet(SOSPeerInfoIsViewBackupEnabled(SOSAccountGetMyPeerInfo(account), viewname), errOut); - CFMutableDictionaryRef trusted_rings = SOSAccountGetRings(account, &bsError); - require_quiet(trusted_rings, exit); - CFStringRef ringName = SOSBackupCopyRingNameForView(viewname); - SOSRingRef ring = (SOSRingRef)CFDictionaryGetValue(trusted_rings, ringName); + ring = SOSAccountCopyRing(account, ringName, &bsError); CFReleaseNull(ringName); - require_quiet(ring, exit); + require_quiet(ring, errOut); //grab the backup slice from the ring backupSliceData = SOSRingGetPayload(ring, &bsError); - require_quiet(backupSliceData, exit); + require_quiet(backupSliceData, errOut); backupSlice = SOSBackupSliceKeyBagCreateFromData(kCFAllocatorDefault, backupSliceData, &bsError); - require_quiet(backupSlice, exit); + require_quiet(backupSlice, errOut); CFSetRef peers = SOSBSKBGetPeers(backupSlice); SOSPeerInfoRef myPeer = SOSAccountGetMyPeerInfo(account); SOSPeerInfoRef myPeerInBSKB = (SOSPeerInfoRef) CFSetGetValue(peers, myPeer); - require_quiet(isSOSPeerInfo(myPeerInBSKB), exit); + require_quiet(isSOSPeerInfo(myPeerInBSKB), errOut); CFDataRef myBK = SOSPeerInfoCopyBackupKey(myPeer); CFDataRef myPeerInBSKBBK = SOSPeerInfoCopyBackupKey(myPeerInBSKB); @@ -288,7 +280,9 @@ bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccountRef account, CFStringR CFReleaseNull(myBK); CFReleaseNull(myPeerInBSKBBK); -exit: +errOut: + CFReleaseNull(ring); + if (bsError) { secnotice("backup", "Failed to find BKSB: %@, %@ (%@)", backupSliceData, backupSlice, bsError); } 
@@ -300,34 +294,34 @@ bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccountRef account, SOSPeerInfo bool result = false; CFErrorRef bsError = NULL; CFDataRef backupSliceData = NULL; + SOSRingRef ring = NULL; SOSBackupSliceKeyBagRef backupSlice = NULL; - require_quiet(testPeer, exit); - - CFMutableDictionaryRef trusted_rings = SOSAccountGetRings(account, &bsError); - require_quiet(trusted_rings, exit); + require_quiet(testPeer, errOut); CFStringRef ringName = SOSBackupCopyRingNameForView(viewname); - SOSRingRef ring = (SOSRingRef)CFDictionaryGetValue(trusted_rings, ringName); + ring = SOSAccountCopyRing(account, ringName, &bsError); CFReleaseNull(ringName); - require_quiet(ring, exit); + require_quiet(ring, errOut); //grab the backup slice from the ring backupSliceData = SOSRingGetPayload(ring, &bsError); - require_quiet(backupSliceData, exit); + require_quiet(backupSliceData, errOut); backupSlice = SOSBackupSliceKeyBagCreateFromData(kCFAllocatorDefault, backupSliceData, &bsError); - require_quiet(backupSlice, exit); + require_quiet(backupSlice, errOut); CFSetRef peers = SOSBSKBGetPeers(backupSlice); SOSPeerInfoRef peerInBSKB = (SOSPeerInfoRef) CFSetGetValue(peers, testPeer); - require_quiet(isSOSPeerInfo(peerInBSKB), exit); + require_quiet(isSOSPeerInfo(peerInBSKB), errOut); result = CFEqualSafe(testPeer, peerInBSKB); -exit: +errOut: + CFReleaseNull(ring); + if (bsError) { secnotice("backup", "Failed to find BKSB: %@, %@ (%@)", backupSliceData, backupSlice, bsError); } @@ -349,7 +343,7 @@ bool SOSAccountUpdateOurPeerInBackup(SOSAccountRef account, SOSRingRef oldRing, } }); - result = SOSAccountStartNewBackup(account, viewName, error); + result = SOSAccountNewBKSBForView(account, viewName, error); fail: CFReleaseNull(viewName); 
@@ -359,11 +353,9 @@ fail: void SOSAccountForEachBackupRingName(SOSAccountRef account, void (^operation)(CFStringRef value)) { SOSPeerInfoRef myPeer = SOSAccountGetMyPeerInfo(account); if (myPeer) { - CFMutableSetRef myBackupViews = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, SOSPeerInfoGetPermittedViews(myPeer)); + CFSetRef allViews = SOSViewCopyViewSet(kViewSetAll); // All non virtual views. - CFSetRemoveValue(myBackupViews, kSOSViewKeychainV0); - - CFSetForEach(myBackupViews, ^(const void *value) { + CFSetForEach(allViews, ^(const void *value) { CFStringRef viewName = asString(value, NULL); if (viewName) { @@ -373,7 +365,7 @@ void SOSAccountForEachBackupRingName(SOSAccountRef account, void (^operation)(CF } }); - CFReleaseNull(myBackupViews); + CFReleaseNull(allViews); } } @@ -382,20 +374,24 @@ void SOSAccountForEachBackupView(SOSAccountRef account, void (^operation)(const if (myPeer) { CFMutableSetRef myBackupViews = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, SOSPeerInfoGetPermittedViews(myPeer)); - CFSetRemoveValue(myBackupViews, kSOSViewKeychainV0); - CFSetForEach(myBackupViews, operation); - CFReleaseNull(myBackupViews); } } -bool SOSAccountSetBackupPublicKey(SOSAccountRef account, CFDataRef backupKey, CFErrorRef *error) +bool SOSAccountSetBackupPublicKey(SOSAccountTransactionRef aTxn, CFDataRef backupKey, CFErrorRef *error) { + SOSAccountRef account = aTxn->account; + __block bool result = false; - secnotice("backup", "setting backup public key"); + CFDataPerformWithHexString(backupKey, ^(CFStringRef backupKeyString) { + CFDataPerformWithHexString(account->backup_key, ^(CFStringRef oldBackupKey) { + secnotice("backup", "SetBackupPublic: %@ from %@", backupKeyString, oldBackupKey); + }); + }); + require_quiet(SOSAccountIsInCircle(account, error), exit); if (CFEqualSafe(backupKey, account->backup_key)) 
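Review bot: The new logging in SOSAccountSetBackupPublicKey nests CFDataPerformWithHexString over `account->backup_key`, which this same file leaves NULL after SOSAccountRemoveBackupPublickey runs `CFReleaseNull(account->backup_key)`; unless CFDataPerformWithHexString tolerates a NULL CFDataRef (not visible here), the first set after a removal, or before any key was ever set, would fault while logging. Guarding the inner call with `if (account->backup_key)` and logging a fixed string otherwise removes that dependency. The function also reads `aTxn->account` without checking `aTxn`, which is only safe if every caller guarantees a live transaction; SOSAccountSetBackupPublicKey's body continues past this hunk.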
@@ -403,13 +399,13 @@ bool SOSAccountSetBackupPublicKey(SOSAccountRef account, CFDataRef backupKey, CF CFRetainAssign(account->backup_key, backupKey); - SOSAccountEnsureBackupStarts(account); + account->circle_rings_retirements_need_attention = true; result = true; exit: if (!result) { - secnotice("backupkey", "Failed to setup backup public key: %@", error ? (CFTypeRef) *error : (CFTypeRef) CFSTR("No error space provided")); + secnotice("backupkey", "SetBackupPublic Failed: %@", error ? (CFTypeRef) *error : (CFTypeRef) CFSTR("No error space")); } return result; } @@ -451,21 +447,23 @@ exit: return result; } -bool SOSAccountRemoveBackupPublickey(SOSAccountRef account, CFErrorRef *error) +bool SOSAccountRemoveBackupPublickey(SOSAccountTransactionRef aTxn, CFErrorRef *error) { + SOSAccountRef account = aTxn->account; + __block bool result = false; - __block CFMutableArrayRef removals = NULL; - + __block CFArrayRef removals = NULL; + + CFReleaseNull(account->backup_key); + require_quiet(SOSAccountUpdatePeerInfo(account, CFSTR("Backup public key"), error, ^bool(SOSFullPeerInfoRef fpi, CFErrorRef *error) { return SOSFullPeerInfoUpdateBackupKey(fpi, NULL, error); }), exit); - - CFReleaseNull(account->backup_key); - - removals = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - CFArrayAppendValue(removals, SOSAccountGetMyPeerInfo(account)); - + + removals = CFArrayCreateForCFTypes(kCFAllocatorDefault, + SOSAccountGetMyPeerInfo(account), NULL); + SOSAccountForEachBackupView(account, ^(const void *value) { CFStringRef viewName = (CFStringRef)value; result = SOSAccountWithBSKBAndPeerInfosForView(account, removals, viewName, error, ^(SOSBackupSliceKeyBagRef bskb, CFErrorRef *error) { 
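Review bot: SOSAccountRemoveBackupPublickey now clears `account->backup_key` before the SOSAccountUpdatePeerInfo call instead of after its `require_quiet`, so if updating the peer info fails the account has already forgotten the key while the peer info still advertises it, and the early jump to `exit` leaves the two out of step. Keeping the release after the require, as the removed lines did, or restoring the key on failure avoids that divergence. Whether `removals`, now created with CFArrayCreateForCFTypes, is released on every path is outside this hunk; the function body continues past it.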
@@ -552,18 +550,14 @@ bool SOSAccountRemoveBackupPeers(SOSAccountRef account, CFArrayRef peers, CFErro } SOSBackupSliceKeyBagRef SOSAccountBackupSliceKeyBagForView(SOSAccountRef account, CFStringRef viewName, CFErrorRef* error){ - CFMutableDictionaryRef trusted_rings = NULL; CFDataRef backupSliceData = NULL; CFStringRef ringName = NULL; SOSRingRef ring = NULL; SOSBackupSliceKeyBagRef bskb = NULL; - trusted_rings = SOSAccountGetRings(account, error); - require_action_quiet(trusted_rings, exit, secnotice("keybag", "failed to get trusted rings (%@)", *error)); - ringName = SOSBackupCopyRingNameForView(viewName); - ring = (SOSRingRef)CFDictionaryGetValue(trusted_rings, ringName); + ring = SOSAccountCopyRing(account, ringName, NULL); require_action_quiet(ring, exit, SOSCreateErrorWithFormat(kSOSErrorNoCircle, NULL, error, NULL, CFSTR("failed to get ring"))); //grab the backup slice from the ring 
@@ -573,8 +567,30 @@ SOSBackupSliceKeyBagRef SOSAccountBackupSliceKeyBagForView(SOSAccountRef account bskb = SOSBackupSliceKeyBagCreateFromData(kCFAllocatorDefault, backupSliceData, error); exit: + CFReleaseNull(ring); CFReleaseNull(ringName); return bskb; } +bool SOSAccountIsLastBackupPeer(SOSAccountRef account, CFErrorRef *error) { + __block bool retval = false; + SOSPeerInfoRef pi = SOSAccountGetMyPeerInfo(account); + require_quiet(SOSPeerInfoHasBackupKey(pi), errOut); + SOSCircleRef circle = SOSAccountGetCircle(account, error); + require_quiet(SOSAccountIsInCircle(account, error), errOut); + require_action_quiet(SOSCircleCountValidSyncingPeers(circle, SOSAccountGetTrustedPublicCredential(account, error)) != 1, errOut, retval = true); + // We're in a circle with more than 1 ActiveValidPeers - are they in the backups? + SOSAccountForEachBackupView(account, ^(const void *value) { + CFStringRef viewname = (CFStringRef) value; + SOSBackupSliceKeyBagRef keybag = SOSAccountBackupSliceKeyBagForView(account, viewname, error); + require_quiet(keybag, inner_errOut); + retval |= ((SOSBSKBCountPeers(keybag) == 1) && (SOSBSKBPeerIsInKeyBag(keybag, pi))); + inner_errOut: + CFReleaseNull(keybag); + }); + +errOut: + return retval; +} + diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCircles.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCircles.c index 5bf90beb..24e0089a 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCircles.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCircles.c @@ -16,9 +16,6 @@ // MARK: Circle management // -CFIndex whichTransportType; - - SecKeyRef SOSAccountCopyPublicKeyForPeer(SOSAccountRef account, CFStringRef peer_id, CFErrorRef *error) { SecKeyRef publicKey = NULL; SOSPeerInfoRef peer = NULL; 
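Review bot: In SOSAccountIsLastBackupPeer the result of `SOSAccountGetTrustedPublicCredential(account, error)` is passed straight to SOSCircleCountValidSyncingPeers, yet this same patch (SOSAccountCredentials.c) shows that function returning NULL and setting `error` when the user public key is absent or untrusted, so the peer count can be taken with a NULL key. Splitting it into `SecKeyRef userPub = SOSAccountGetTrustedPublicCredential(account, error); require_quiet(userPub, errOut);` makes that failure explicit. Inside the SOSAccountForEachBackupView block the same `error` is handed to SOSAccountBackupSliceKeyBagForView once per view, so a later view can overwrite an error object written by an earlier one (leaking or hiding it, depending on how *error is managed), and `pi` from SOSAccountGetMyPeerInfo is used without a NULL check. The new public function also has no header comment; from the visible code it returns true when this peer holds a backup key and is either the only valid syncing peer in the circle or the sole peer in some view's backup keybag, which is worth stating above the definition.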
@@ -28,7 +25,7 @@ SecKeyRef SOSAccountCopyPublicKeyForPeer(SOSAccountRef account, CFStringRef peer peer = SOSCircleCopyPeerWithID(account->trusted_circle, peer_id, error); require_quiet(peer, fail); - publicKey = SOSPeerInfoCopyPubKey(peer); + publicKey = SOSPeerInfoCopyPubKey(peer, error); fail: CFReleaseSafe(peer); @@ -53,33 +50,6 @@ fail: return NULL; } -static void setup_defaults_settings(){ - - Boolean keyExistsAndHasValue = false; - - whichTransportType = CFPreferencesGetAppIntegerValue(CFSTR("Transport"), CFSTR("com.apple.security"), &keyExistsAndHasValue); - if(whichTransportType == kSOSTransportFuture) - secdebug("IDS", "Successfully retrieved value: %d, We are a Galarch + 1 device: %ld", keyExistsAndHasValue, whichTransportType); - else if (whichTransportType == kSOSTransportPresent) - secdebug("IDS", "Successfully retrieved value: %d, We are a Galarch device: %ld", keyExistsAndHasValue, whichTransportType); - - else if (whichTransportType == kSOSTransportIDS) - secdebug("IDS", "Successfully retrieved value: %d, We are an IDS device: %ld", keyExistsAndHasValue, whichTransportType); - - else if (whichTransportType == kSOSTransportKVS) - secdebug("IDS", "Successfully retrieved value: %d, We are a KVS device: %ld", keyExistsAndHasValue, whichTransportType); - else - secdebug("IDS", "Successfully retrieved value: %d, We are a KVS device: %ld", keyExistsAndHasValue, whichTransportType); - -} - -static void SOSTransportInit(void) { - static dispatch_once_t sdOnceToken; - dispatch_once(&sdOnceToken, ^{ - setup_defaults_settings(); - }); -} - static bool SOSAccountInflateTransportsForCircle(SOSAccountRef account, CFStringRef circleName, CFErrorRef *error){ bool success = false; 
@@ -88,11 +58,9 @@ static bool SOSAccountInflateTransportsForCircle(SOSAccountRef account, CFString SOSTransportMessageRef tidsMessage = NULL; SOSTransportMessageRef tkvsMessage = NULL; - SOSTransportInit(); - tKey = (SOSTransportKeyParameterRef)SOSTransportKeyParameterKVSCreate(account, error); tCircle = (SOSTransportCircleRef)SOSTransportCircleKVSCreate(account, circleName, error); - + require_quiet(tKey, fail); require_quiet(tCircle, fail); @@ -100,11 +68,12 @@ static bool SOSAccountInflateTransportsForCircle(SOSAccountRef account, CFString require_quiet(tidsMessage, fail); CFRetainAssign(account->ids_message_transport, tidsMessage); + tkvsMessage = (SOSTransportMessageRef)SOSTransportMessageKVSCreate(account, circleName, error); require_quiet(tkvsMessage, fail); CFRetainAssign(account->kvs_message_transport, tkvsMessage); - + CFRetainAssign(account->key_transport, (SOSTransportKeyParameterRef)tKey); CFRetainAssign(account->circle_transport, tCircle); @@ -124,7 +93,7 @@ SOSCircleRef SOSAccountEnsureCircle(SOSAccountRef a, CFStringRef name, CFErrorRe if (a->trusted_circle == NULL) { a->trusted_circle = SOSCircleCreate(NULL, name, NULL); - SOSUpdateKeyInterest(a); + a->key_interests_need_updating = true; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCredentials.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCredentials.c index fed5dcd6..b7793230 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCredentials.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCredentials.c 
@@ -76,9 +76,18 @@ static void SOSAccountGenerationSignatureUpdateWith(SOSAccountRef account, SecKe if(iAmPeer && !SOSCircleVerify(circle, account->user_public, NULL)) { change |= sosAccountUpgradeiCloudIdentity(circle, privKey); SOSAccountRemoveInvalidApplications(account, circle); - change |= SOSCircleGenerationUpdate(circle, privKey, account->my_identity, NULL); + change |= SOSCircleGenerationSign(circle, privKey, account->my_identity, NULL); account->departure_code = kSOSNeverLeftCircle; + } else if(iAmPeer) { + SOSFullPeerInfoRef icfpi = SOSCircleCopyiCloudFullPeerInfoRef(circle, NULL); + if(!icfpi) { + SOSAccountRemoveIncompleteiCloudIdentities(account, circle, privKey, NULL); + change |= SOSAccountAddiCloudIdentity(account, circle, privKey, NULL); + } else { + CFReleaseNull(icfpi); + } } + secnotice("updatingGenSignature", "we changed the circle? %@", change ? CFSTR("YES") : CFSTR("NO")); return change; }); } @@ -112,9 +121,9 @@ void SOSAccountPurgePrivateCredential(SOSAccountRef account) account->user_private_timer = NULL; xpc_transaction_end(); } - if (account->lock_notification_token) { + if (account->lock_notification_token != NOTIFY_TOKEN_INVALID) { notify_cancel(account->lock_notification_token); - account->lock_notification_token = 0; + account->lock_notification_token = NOTIFY_TOKEN_INVALID; } } 
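Review bot: In the new `else if(iAmPeer)` branch, `SOSAccountRemoveIncompleteiCloudIdentities(account, circle, privKey, NULL)` is called for its side effect but its result is not folded into `change`, while the following `SOSAccountAddiCloudIdentity` is; if the removal edits the circle and the add then fails, the block reports no change and the edited circle may go unsigned and unpersisted. If that function returns a bool like its sibling, `change |= SOSAccountRemoveIncompleteiCloudIdentities(account, circle, privKey, NULL);` keeps the two consistent. Both calls pass NULL for the error, so a failure here surfaces only as the "NO" in the `secnotice` line below; the enclosing function continues outside the hunk.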
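Review bot: Switching the guard to `!= NOTIFY_TOKEN_INVALID` is the right sentinel for notify(3) tokens, since 0 is a valid token that the old `if (account->lock_notification_token)` would have leaked, but it also means a zero-initialized account (calloc or a struct initializer) now passes the check and calls `notify_cancel(0)`. The field's initialization is not in this diff; confirm every path that creates an account sets `lock_notification_token = NOTIFY_TOKEN_INVALID` and that the registration site stores the real token. A comment on the field in SOSAccountPriv.h, `// NOTIFY_TOKEN_INVALID when no lock notification is registered`, would make the invariant explicit.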
@@ -221,14 +230,20 @@ CFDataRef SOSAccountGetCachedPassword(SOSAccountRef account, CFErrorRef* error) return account->_password_tmp; } - -bool SOSAccountHasPublicKey(SOSAccountRef account, CFErrorRef* error) +SecKeyRef SOSAccountGetTrustedPublicCredential(SOSAccountRef account, CFErrorRef* error) { if (account->user_public == NULL || account->user_public_trusted == false) { SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Public Key not available - failed to register before call"), NULL, error); - return false; + return NULL; } - return true; + return account->user_public; +} + + + +bool SOSAccountHasPublicKey(SOSAccountRef account, CFErrorRef* error) +{ + return SOSAccountGetTrustedPublicCredential(account, error); } static void sosAccountSetTrustedCredentials(SOSAccountRef account, CFDataRef user_password, SecKeyRef user_private, bool public_was_trusted) { @@ -255,7 +270,7 @@ errOut: static bool sosAccountValidatePasswordOrFail(SOSAccountRef account, CFDataRef user_password, CFErrorRef *error) { SecKeyRef privKey = sosAccountCreateKeyIfPasswordIsCorrect(account, user_password, error); if(!privKey) { - if(account->user_key_parameters) debugDumpUserParameters(CFSTR("params"), account->user_key_parameters); + if(account->user_key_parameters) debugDumpUserParameters(CFSTR("sosAccountValidatePasswordOrFail"), account->user_key_parameters); SOSCreateError(kSOSErrorWrongPassword, CFSTR("Could not create correct key with password."), NULL, error); return false; } 
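Review bot: `SOSAccountHasPublicKey` returns the `SecKeyRef` from `SOSAccountGetTrustedPublicCredential` directly as a `bool`, relying on implicit pointer-to-bool conversion; it is correct but reads as an accidental type mismatch and some warning sets flag it, so `return SOSAccountGetTrustedPublicCredential(account, error) != NULL;` states the intent. The new getter hands back `account->user_public` unretained and populates `*error` when the key is absent or untrusted; a one-line comment above it, `// Returns the user public key without retaining it; NULL (with *error set) unless it is present and trusted`, saves callers a trip into the body.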
@@ -301,14 +316,14 @@ bool SOSAccountAssertUserCredentials(SOSAccountRef account, CFStringRef user_acc errOut: CFReleaseSafe(parameters); CFReleaseSafe(user_private); - SOSUpdateKeyInterest(account); + account->key_interests_need_updating = true; return account->user_public_trusted; } bool SOSAccountTryUserCredentials(SOSAccountRef account, CFStringRef user_account __unused, CFDataRef user_password, CFErrorRef *error) { bool success = sosAccountValidatePasswordOrFail(account, user_password, error); - SOSUpdateKeyInterest(account); + account->key_interests_need_updating = true; return success; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountFullPeerInfo.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountFullPeerInfo.c index c109be98..c850705e 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountFullPeerInfo.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountFullPeerInfo.c @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -28,6 +28,7 @@ #include "SOSViews.h" static CFStringRef kicloud_identity_name = CFSTR("Cloud Identity"); +#define kSecServerPeerInfoAvailable "com.apple.security.fpiAvailable" SecKeyRef SOSAccountCopyDeviceKey(SOSAccountRef account, CFErrorRef *error) { 
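Review bot: `#define kSecServerPeerInfoAvailable "com.apple.security.fpiAvailable"` is added here and again verbatim in SOSAccountPersistence.c; two private copies of a notification name drift silently, and a typo on one side would break the IDSKeychainSyncingProxy listener without any compile error. Both files include SOSAccountPriv.h, so define it there once and drop the per-file copies. A comment naming the consumer, `// posted when my_identity gains a full peer info; observed by IDSKeychainSyncingProxy`, belongs with the single definition.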
@@ -99,17 +100,29 @@ bool SOSAccountEnsureFullPeerAvailable(SOSAccountRef account, CFErrorRef * error CFReleaseNull(keyName); if (full_key) { - CFSetRef defaultViews = SOSViewsCreateDefault(false, NULL); + CFSetRef initialViews = SOSViewCopyViewSet(kViewSetInitial); CFReleaseNull(account->my_identity); - account->my_identity = SOSFullPeerInfoCreateWithViews(kCFAllocatorDefault, account->gestalt, account->backup_key, defaultViews, + account->my_identity = SOSFullPeerInfoCreateWithViews(kCFAllocatorDefault, account->gestalt, account->backup_key, initialViews, full_key, error); - CFReleaseNull(defaultViews); + CFReleaseNull(initialViews); CFReleaseNull(full_key); + CFSetRef pendingDefaultViews = SOSViewCopyViewSet(kViewSetDefault); + SOSAccountPendEnableViewSet(account, pendingDefaultViews); + CFReleaseNull(pendingDefaultViews); + + SOSAccountSetValue(account, kSOSUnsyncedViewsKey, kCFBooleanTrue, NULL); + if (!account->my_identity) { secerror("Can't make FullPeerInfo for %@-%@ (%@) - is AKS ok?", SOSPeerGestaltGetName(account->gestalt), SOSCircleGetName(account->trusted_circle), error ? (void*)*error : (void*)CFSTR("-")); } + else{ + secnotice("fpi", "alert IDSKeychainSyncingProxy the fpi is available"); + notify_post(kSecServerPeerInfoAvailable); + if(account->deviceID) + SOSFullPeerInfoUpdateDeviceID(account->my_identity, account->deviceID, error); + } } else { secerror("No full_key: %@:", error ? *error : NULL); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountLog.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountLog.c new file mode 100644 index 00000000..cd82a0b7 --- /dev/null +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountLog.c 
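Review bot: The new `else` branch posts `kSecServerPeerInfoAvailable` and calls `SOSFullPeerInfoUpdateDeviceID(account->my_identity, account->deviceID, error)` but discards whatever that call returns, and the same post-plus-update pair is repeated in `SOSAccountCreateFromDER` (SOSAccountPersistence.c); a failed device-ID update is neither logged nor reflected in the function's result, while `*error` may now be set on a path that otherwise succeeds. Factor the pair into one static helper that logs a failure through a local error, e.g. `if (!SOSFullPeerInfoUpdateDeviceID(fpi, deviceID, &localError)) secerror("deviceID update failed: %@", localError);` (adjust if the function does not return a status), and call it from both sites. Note also that `SOSAccountPendEnableViewSet` and `SOSAccountSetValue(account, kSOSUnsyncedViewsKey, kCFBooleanTrue, NULL)` run before the `if (!account->my_identity)` check, so pending view state is recorded even when the identity could not be created; confirm that is intended.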
@@ -0,0 +1,51 @@
+//
+// SOSAccountLog.c
+// sec
+//
+// Created by Richard Murphy on 6/1/16.
+//
+//
+
+#include "SOSAccountLog.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <AssertMacros.h>
+#include "SOSAccountPriv.h"
+#include "SOSViews.h"
+#include <utilities/SecCFWrappers.h>
+#include <utilities/SecCoreCrypto.h>
+#include <utilities/SecBuffer.h>
+#include <SOSPeerInfoDER.h>
+
+#include <Security/SecureObjectSync/SOSTransport.h>
+
+#include <Security/SecureObjectSync/SOSPeerInfoCollections.h>
+#include <os/state_private.h>
+
+// Keep these for later
+static CFStringRef SOSAccountCreateStringRef(SOSAccountRef account) {
+ CFStringRef hex = NULL;
+
+ CFDataRef derdata = SOSAccountCopyEncodedData(account, kCFAllocatorDefault, NULL);
+ require_quiet(derdata, errOut);
+ hex = CFDataCopyHexString(derdata);
+errOut:
+ CFRelease(derdata);
+ return hex;
+}
+
+void SOSAccountLog(SOSAccountRef account) {
+ CFStringRef hex = SOSAccountCreateStringRef(account);
+ if(!hex) return;
+ secdebug("accountLog", "Full contents: %@", hex);
+ CFRelease(hex);
+}
+
+SOSAccountRef SOSAccountCreateFromStringRef(CFStringRef hexString) {
+ CFDataRef accountDER = CFDataCreateFromHexString(kCFAllocatorDefault, hexString);
+ if(!accountDER) return NULL;
+ SOSAccountRef account = SOSAccountCreateFromData(kCFAllocatorDefault, accountDER, NULL, NULL);
+ CFReleaseNull(accountDER);
+ return account;
+}
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountLog.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountLog.h
new file mode 100644
index 00000000..1fdde94d
--- /dev/null
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountLog.h
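Review bot: `SOSAccountCreateStringRef` jumps to `errOut` when `SOSAccountCopyEncodedData` returns NULL and then calls `CFRelease(derdata)` on that NULL, which crashes; use `CFReleaseNull(derdata);` at the label (a no-op on NULL), as the file already does for `accountDER`. Separately, `SOSAccountLog` writes the complete DER-encoded account as hex to `secdebug`; this dumps everything `SOSAccountCopyEncodedData` persists, so add a comment stating which fields that covers and confirm no key material or cached password is among them before leaving the call reachable in production builds. `SOSAccountCreateFromStringRef` hands back the result of a Create function and passes no error out; document the ownership: `// Returns a retained account, or NULL if the hex string is malformed or the DER does not decode`.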
@@ -0,0 +1,27 @@
+//
+// SOSAccountLog.h
+// sec
+//
+// Created by Richard Murphy on 6/1/16.
+//
+//
+
+#ifndef SOSAccountLog_h
+#define SOSAccountLog_h
+
+#include <stdio.h>
+#include "SOSAccountPriv.h"
+#include <Security/SecureObjectSync/SOSAccountHSAJoin.h>
+#include <Security/SecureObjectSync/SOSTransportCircle.h>
+#include <Security/SecureObjectSync/SOSTransport.h>
+#include <Security/SecureObjectSync/SOSViews.h>
+#include <Security/SecureObjectSync/SOSPeerInfoCollections.h>
+#include <Security/SecureObjectSync/SOSPeerInfoPriv.h>
+#include <Security/SecureObjectSync/SOSPeerInfoV2.h>
+#include <Security/SecureObjectSync/SOSPeerInfoDER.h>
+//#include <Security/SecureObjectSync/SOSBackupSliceKeyBag.h>
+
+void SOSAccountLog(SOSAccountRef account);
+SOSAccountRef SOSAccountCreateFromStringRef(CFStringRef hexString);
+
+#endif /* SOSAccountLog_h */
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPeers.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPeers.c
index c7293fe2..618f2757 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPeers.c
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPeers.c
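Review bot: The header declares two functions whose only types are `SOSAccountRef` and `CFStringRef`, yet it pulls in nine Security headers plus `<stdio.h>` and carries a commented-out include; `SOSAccountPriv.h` alone supplies both types, so the rest should move to SOSAccountLog.c (which includes most of them again) to keep the header cheap for its includers, and the dead include should be deleted rather than commented. Add the contracts callers need on the prototypes: `// Logs the hex-encoded DER form of the account at secdebug level` and `// Create-rule: returns a retained SOSAccountRef (caller releases) or NULL on a malformed string`.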
@@ -254,3 +254,33 @@ SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccountRef account, CFStringRef peeri if(!account->trusted_circle) return NULL; return SOSCircleCopyPeerWithID(account->trusted_circle, peerid, error); } + +CFBooleanRef SOSAccountPeersHaveViewsEnabled(SOSAccountRef account, CFArrayRef viewNames, CFErrorRef *error) { + CFBooleanRef result = NULL; + CFMutableSetRef viewsRemaining = NULL; + CFSetRef viewsToLookFor = NULL; + + require_quiet(SOSAccountHasPublicKey(account, error), done); + require_quiet(SOSAccountIsInCircle(account, error), done); + + viewsToLookFor = CFSetCreateCopyOfArrayForCFTypes(viewNames); + viewsRemaining = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, viewsToLookFor); + CFReleaseNull(viewsToLookFor); + + SOSAccountForEachCirclePeerExceptMe(account, ^(SOSPeerInfoRef peer) { + if (SOSPeerInfoApplicationVerify(peer, account->user_public, NULL)) { + CFSetRef peerViews = SOSPeerInfoCopyEnabledViews(peer); + CFSetSubtract(viewsRemaining, peerViews); + CFReleaseNull(peerViews); + } + }); + + result = CFSetIsEmpty(viewsRemaining) ? kCFBooleanTrue : kCFBooleanFalse; + +done: + CFReleaseNull(viewsToLookFor); + CFReleaseNull(viewsRemaining); + + return result; +} + diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPersistence.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPersistence.c index 037656b8..9854611e 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPersistence.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPersistence.c 
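Review bot: `SOSAccountPeersHaveViewsEnabled` returns NULL (not `kCFBooleanFalse`) when the account lacks a trusted public key or is not in the circle, and the `kCFBooleanTrue`/`kCFBooleanFalse` it otherwise returns are constants that must not be released; neither fact is stated, so a caller treating the result as a plain yes/no or balancing it with a release will misbehave. A header comment such as `// Returns kCFBooleanTrue if every view in viewNames is enabled on at least one other peer whose application signature verifies against user_public, kCFBooleanFalse otherwise, or NULL with *error when the account is not usable; result is not retained` fixes that, and it should also say that an empty `viewNames` yields `kCFBooleanTrue` trivially. `CFReleaseNull(viewsToLookFor)` is executed twice (after the mutable copy and again at `done`); the second is harmless but redundant.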
@@ -31,13 +31,18 @@ #include <utilities/SecCFWrappers.h> #include <utilities/SecCoreCrypto.h> +#include <utilities/SecBuffer.h> + #include <Security/SecureObjectSync/SOSKVSKeys.h> #include <SOSPeerInfoDER.h> #include <Security/SecureObjectSync/SOSTransport.h> #include <Security/SecureObjectSync/SOSPeerInfoCollections.h> +#include <os/state_private.h> +#include "SOSAccountPriv.h" +#define kSecServerPeerInfoAvailable "com.apple.security.fpiAvailable" static SOSAccountRef SOSAccountCreateFromRemainingDER_v6(CFAllocatorRef allocator, @@ -310,6 +315,9 @@ SOSAccountRef SOSAccountCreateFromDER(CFAllocatorRef allocator, /* I may not always have an identity, but when I do, it has a private key */ if(account->my_identity) { require_action_quiet(SOSFullPeerInfoPrivKeyExists(account->my_identity), errOut, secnotice("account", "No private key associated with my_identity, resetting")); + notify_post(kSecServerPeerInfoAvailable); + if(account->deviceID) + SOSFullPeerInfoUpdateDeviceID(account->my_identity, account->deviceID, error); } require_action_quiet(SOSAccountEnsureFactoryCircles(account), errOut, 
@@ -317,16 +325,34 @@ SOSAccountRef SOSAccountCreateFromDER(CFAllocatorRef allocator, SOSPeerInfoRef myPI = SOSAccountGetMyPeerInfo(account); if (myPI) { - // if we were syncing legacy keychain, ensure we include those legacy views. - bool wasSyncingLegacy = !SOSPeerInfoVersionIsCurrent(myPI) && SOSAccountIsInCircle(account, NULL); - CFSetRef viewsToEnsure = SOSViewsCreateDefault(wasSyncingLegacy, NULL); - SOSAccountUpdateFullPeerInfo(account, viewsToEnsure, SOSViewsGetV0ViewSet()); // We don't permit V0 view proper, only sub-views - CFReleaseNull(viewsToEnsure); + if(SOSAccountHasCompletedInitialSync(account)) { + CFMutableSetRef viewsToEnsure = SOSViewCopyViewSet(kViewSetAlwaysOn); + + // Previous version PeerInfo if we were syncing legacy keychain, ensure we include those legacy views. + if(!SOSPeerInfoVersionIsCurrent(myPI) && SOSAccountIsInCircle(account, NULL)) { + CFSetRef V0toAdd = SOSViewCopyViewSet(kViewSetV0); + CFSetUnion(viewsToEnsure, V0toAdd); + CFReleaseNull(V0toAdd); + } + + SOSAccountUpdateFullPeerInfo(account, viewsToEnsure, SOSViewsGetV0ViewSet()); // We don't permit V0 view proper, only sub-views + CFReleaseNull(viewsToEnsure); + } + + SOSPeerInfoRef oldPI = myPI; + // if UpdateFullPeerInfo did something - we need to make sure we have the right Ref + myPI = SOSAccountGetMyPeerInfo(account); + if(oldPI != myPI) secnotice("canary", "Caught spot where PIs differ in account setup"); + CFStringRef transportTypeInflatedFromDER = SOSPeerInfoCopyTransportType(myPI); + if (CFStringCompare(transportTypeInflatedFromDER, CFSTR("IDS"), 0) == 0 || CFStringCompare(transportTypeInflatedFromDER, CFSTR("KVS"), 0) == 0) + SOSFullPeerInfoUpdateTransportType(account->my_identity, SOSTransportMessageTypeIDSV2, NULL); //update the transport type to the current IDS V2 type + + CFReleaseNull(transportTypeInflatedFromDER); } - - SOSAccountCheckHasBeenInSync(account); - - SOSUpdateKeyInterest(account); + + SOSAccountWithTransactionSync(account, ^(SOSAccountRef account, 
SOSAccountTransactionRef txn) { + account->key_interests_need_updating = true; + }); result = CFRetainSafe(account); @@ -404,12 +430,9 @@ uint8_t* SOSAccountEncodeToDER(SOSAccountRef account, CFErrorRef* error, const u CFDataRef SOSAccountCopyEncodedData(SOSAccountRef account, CFAllocatorRef allocator, CFErrorRef *error) { - size_t size = SOSAccountGetDEREncodedSize(account, error); - if (size == 0) - return NULL; - uint8_t buffer[size]; - uint8_t* start = SOSAccountEncodeToDER(account, error, buffer, buffer + sizeof(buffer)); - CFDataRef result = CFDataCreate(kCFAllocatorDefault, start, size); - return result; + return CFDataCreateWithDER(kCFAllocatorDefault, SOSAccountGetDEREncodedSize(account, error), ^uint8_t*(size_t size, uint8_t *buffer) { + return SOSAccountEncodeToDER(account, error, buffer, (uint8_t *) buffer + size); + }); } + diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPriv.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPriv.h index a405b064..e5fce352 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPriv.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPriv.h @@ -39,6 +39,7 @@ #include <Security/SecureObjectSync/SOSPeerInfo.h> #include <Security/SecureObjectSync/SOSPeerInfoInternal.h> #include <Security/SecureObjectSync/SOSUserKeygen.h> +#include <Security/SecureObjectSync/SOSAccountTransaction.h> #include <utilities/iCloudKeychainTrace.h> #include <Security/SecItemPriv.h> @@ -53,8 +54,9 @@ struct __OpaqueSOSAccount { SOSFullPeerInfoRef my_identity; SOSCircleRef trusted_circle; + + CFStringRef deviceID; - CFMutableDictionaryRef trusted_rings; CFMutableDictionaryRef backups; CFMutableSetRef retirees; @@ -68,12 +70,13 @@ struct __OpaqueSOSAccount { // Non-persistent data dispatch_queue_t queue; - CFMutableDictionaryRef notification_cleanups; SOSDataSourceFactoryRef factory; SecKeyRef _user_private; CFDataRef _password_tmp; + bool isListeningForSync; + dispatch_source_t user_private_timer; int lock_notification_token; 
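Review bot: `SOSPeerInfoCopyTransportType(myPI)` presumably returns NULL for a peer info that carries no transport type, and the next line hands that straight to `CFStringCompare`, which does not accept NULL; guard it with `if (transportTypeInflatedFromDER && (CFStringCompare(transportTypeInflatedFromDER, CFSTR("IDS"), 0) == 0 || CFStringCompare(transportTypeInflatedFromDER, CFSTR("KVS"), 0) == 0))`. The comparison retypes the literals `"IDS"`/`"KVS"` even though `SOSTransportMessageTypeKVS` remains declared in SOSAccountPriv.h and `SOSTransportMessageTypeIDS` is removed by this same commit; if those constants hold the same strings, compare against a named legacy constant so the migration rule lives in one place. The result of `SOSFullPeerInfoUpdateTransportType(..., NULL)` is discarded, and the `SOSAccountWithTransactionSync` block's `account` parameter shadows the enclosing one; `SOSAccountCreateFromDER` continues beyond the hunk.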
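Review bot: Replacing the `uint8_t buffer[size]` VLA with `CFDataCreateWithDER` removes a stack allocation sized by the encoded account, which is the right fix, but the old `if (size == 0) return NULL;` short-circuit is gone and the new code's behaviour for a zero size now depends on `CFDataCreateWithDER`, which is not visible here. Unless that helper is known to return NULL for size 0, keep the early return: `size_t size = SOSAccountGetDEREncodedSize(account, error); if (size == 0) return NULL;` and pass `size` to the helper. The `(uint8_t *) buffer + size` cast is redundant since `buffer` is already `uint8_t *`.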
@@ -83,11 +86,15 @@ struct __OpaqueSOSAccount { SOSTransportMessageRef ids_message_transport; //indicates if changes in circle, rings, or retirements need to be pushed - bool circle_rings_retirements_need_attention; + bool circle_rings_retirements_need_attention; + bool engine_peer_state_needs_repair; + bool key_interests_need_updating; // Live Notification CFMutableArrayRef change_blocks; CFMutableDictionaryRef waitForInitialSync_blocks; + + SOSAccountSaveBlock saveBlock; }; extern const CFStringRef kSOSEscrowRecord; 
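Review bot: The comment `//indicates if changes in circle, rings, or retirements need to be pushed` now sits above three booleans but describes only the first; `engine_peer_state_needs_repair`, `key_interests_need_updating` and `saveBlock` get no explanation. Give each its own line, e.g. `bool key_interests_need_updating; // replaces direct SOSUpdateKeyInterest calls; consumed when the transaction flushes (confirm)` and `SOSAccountSaveBlock saveBlock; // invoked to persist the account; document whether NULL is permitted`. The `int lock_notification_token` field in the preceding hunk now uses `NOTIFY_TOKEN_INVALID` as its empty value (per SOSAccountCredentials.c) and deserves the same treatment.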
@@ -103,13 +110,33 @@ bool SOSAccountIsMyPeerActive(SOSAccountRef account, CFErrorRef* error); SOSTransportMessageRef SOSAccountGetMessageTransportFor(SOSAccountRef account, SOSPeerInfoRef peerInfo); +// MARK: Transactional + +void SOSAccountWithTransaction_Locked(SOSAccountRef account, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)); + +void SOSAccountWithTransaction(SOSAccountRef account, bool sync, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)); +void SOSAccountWithTransactionSync(SOSAccountRef account, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)); +void SOSAccountWithTransactionAsync(SOSAccountRef account, bool sync, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)); + +void SOSAccountRecordRetiredPeersInCircle(SOSAccountRef account); + // MARK: In Sync checking +CF_RETURNS_RETAINED CFStringRef SOSAccountCallWhenInSync(SOSAccountRef account, SOSAccountWaitForInitialSyncBlock syncBlock); +bool SOSAccountUnregisterCallWhenInSync(SOSAccountRef account, CFStringRef id); + +bool SOSAccountHandleOutOfSyncUpdate(SOSAccountRef account, CFSetRef oldOOSViews, CFSetRef newOOSViews); + +void SOSAccountUpdateOutOfSyncViews(SOSAccountTransactionRef aTxn, CFSetRef viewsInSync); + void SOSAccountEnsureSyncChecking(SOSAccountRef account); void SOSAccountCancelSyncChecking(SOSAccountRef account); -bool SOSAccountCheckHasBeenInSync(SOSAccountRef account); -void SOSAccountCleanupNotificationForAllPeers(SOSAccountRef account); +CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccountRef account); +CFMutableSetRef SOSAccountCopyIntersectionWithOustanding(SOSAccountRef account, CFSetRef inSet); +bool SOSAccountIntersectsWithOutstanding(SOSAccountRef account, CFSetRef views); +bool SOSAccountIsViewOutstanding(SOSAccountRef account, CFStringRef view); +bool SOSAccountHasOustandingViews(SOSAccountRef account); // MARK: DER Stuff 
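Review bot: `SOSAccountWithTransactionAsync(SOSAccountRef account, bool sync, ...)` takes a `sync` flag although its name says asynchronous, while `SOSAccountWithTransaction(account, bool sync, ...)` on the line above already has that shape and `SOSAccountWithTransactionSync` takes no flag; this looks like a copy of the generic prototype rather than an intended interface, and a caller passing `sync = true` to the Async variant gets an ambiguous contract. Either drop the parameter to mirror the Sync variant or document what `sync` means there. The exported names `SOSAccountCopyIntersectionWithOustanding` and `SOSAccountHasOustandingViews` misspell "Outstanding" while `SOSAccountCopyOutstandingViews` two lines earlier spells it correctly; fix that before other code depends on the typo.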
@@ -225,7 +252,7 @@ bool SOSAccountRetrieveCloudParameters(SOSAccountRef account, SecKeyRef *newKey, CFDataRef *newParameters, CFErrorRef* error); //DSID -bool SOSAccountUpdateDSID(SOSAccountRef account, CFStringRef dsid); +void SOSAccountAssertDSID(SOSAccountRef account, CFStringRef dsid); // // Key extraction @@ -237,6 +264,7 @@ SecKeyRef SOSAccountCopyPublicKeyForPeer(SOSAccountRef account, CFStringRef peer // Testing void SOSAccountSetLastDepartureReason(SOSAccountRef account, enum DepartureReason reason); void SOSAccountSetUserPublicTrustedForTesting(SOSAccountRef account); +void SOSAccountPeerGotInSync(SOSAccountTransactionRef aTxn, CFStringRef peerID, CFSetRef views); static inline void CFArrayAppendValueIfNot(CFMutableArrayRef array, CFTypeRef value, CFTypeRef excludedValue) { 
@@ -273,19 +301,21 @@ static inline CFMutableArrayRef CFDictionaryEnsureCFArrayAndGetCurrentValue(CFMu void SOSAccountPurgeIdentity(SOSAccountRef account); bool sosAccountLeaveCircle(SOSAccountRef account, SOSCircleRef circle, CFErrorRef* error); bool sosAccountLeaveRing(SOSAccountRef account, SOSRingRef ring, CFErrorRef* error); -CFMutableDictionaryRef SOSAccountGetRings(SOSAccountRef a, CFErrorRef *error); +void SOSAccountAddRingDictionary(SOSAccountRef a); +bool SOSAccountForEachRing(SOSAccountRef account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring)); CFMutableDictionaryRef SOSAccountGetBackups(SOSAccountRef a, CFErrorRef *error); bool SOSAccountUpdateBackUp(SOSAccountRef account, CFStringRef viewname, CFErrorRef *error); -bool SOSAccountEnsureBackupStarts(SOSAccountRef account); +bool SOSAccountEnsureInBackupRings(SOSAccountRef account); bool SOSAccountEnsurePeerRegistration(SOSAccountRef account, CFErrorRef *error); -extern CFIndex whichTransportType; extern const CFStringRef kSOSDSIDKey; -extern const CFStringRef SOSTransportMessageTypeIDS; +extern const CFStringRef SOSTransportMessageTypeIDSV2; extern const CFStringRef SOSTransportMessageTypeKVS; extern const CFStringRef kSOSUnsyncedViewsKey; +extern const CFStringRef kSOSPendingEnableViewsToBeSetKey; +extern const CFStringRef kSOSPendingDisableViewsToBeSetKey; typedef enum{ kSOSTransportNone = 0, 
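Review bot: `bool SOSAccountForEachRing(SOSAccountRef account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring))` gives the callback a `SOSRingRef` return value and the function a `bool` result, and the header says nothing about what either means — whether a non-NULL return replaces the stored ring, who owns that reference, or whether `false` means iteration was cut short. Callers cannot get that right from the signature alone; add a comment such as `// Calls action for each ring; a non-NULL return replaces the stored ring (ownership: document); returns false if ... (document)` with the blanks settled from the implementation. `SOSAccountAddRingDictionary` likewise deserves one line saying it creates the ring dictionary in the expansion only when it is missing.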
@@ -297,23 +327,25 @@ typedef enum{ SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccountRef account, CFStringRef peerid, CFErrorRef *error); -bool SOSAccountSetValue(SOSAccountRef account, const void *key, const void *value, CFErrorRef *error); -bool SOSAccountClearValue(SOSAccountRef account, const void *key, CFErrorRef *error); -const void *SOSAccountGetValue(SOSAccountRef account, const void *key, CFErrorRef *error); +bool SOSAccountSetValue(SOSAccountRef account, CFStringRef key, CFTypeRef value, CFErrorRef *error); +bool SOSAccountClearValue(SOSAccountRef account, CFStringRef key, CFErrorRef *error); +CFTypeRef SOSAccountGetValue(SOSAccountRef account, CFStringRef key, CFErrorRef *error); bool SOSAccountAddEscrowToPeerInfo(SOSAccountRef account, SOSFullPeerInfoRef myPeer, CFErrorRef *error); bool SOSAccountAddEscrowRecords(SOSAccountRef account, CFStringRef dsid, CFDictionaryRef record, CFErrorRef *error); bool SOSAccountCheckForRings(SOSAccountRef a, CFErrorRef *error); bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospective_ring, bool writeUpdate, CFErrorRef *error); -SOSRingRef SOSAccountGetRing(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error); +SOSRingRef SOSAccountCopyRing(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error); +bool SOSAccountSetRing(SOSAccountRef a, SOSRingRef ring, CFStringRef ringName, CFErrorRef *error); +void SOSAccountRemoveRing(SOSAccountRef a, CFStringRef ringName); +SOSRingRef SOSAccountCopyRingNamed(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error); SOSRingRef SOSAccountRingCreateForName(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error); -bool SOSAccountEnsureRings(SOSAccountRef a, CFErrorRef *error); bool SOSAccountUpdateRingFromRemote(SOSAccountRef account, SOSRingRef newRing, CFErrorRef *error); bool SOSAccountUpdateRing(SOSAccountRef account, SOSRingRef newRing, CFErrorRef *error); bool SOSAccountModifyRing(SOSAccountRef account, CFStringRef ringName, CFErrorRef* error, bool 
(^action)(SOSRingRef ring)); -CFDataRef SOSAccountRingGetPayload(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error); +CFDataRef SOSAccountRingCopyPayload(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error); SOSRingRef SOSAccountRingCopyWithPayload(SOSAccountRef account, CFStringRef ringName, CFDataRef payload, CFErrorRef *error); bool SOSAccountRemoveBackupPeers(SOSAccountRef account, CFArrayRef peerIDs, CFErrorRef *error); bool SOSAccountResetRing(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error); @@ -335,5 +367,6 @@ bool SOSAccountDeleteAccountStateFromKeychain(CFErrorRef *error); CFDataRef SOSAccountCopyEngineStateFromKeychain(CFErrorRef *error); bool SOSAccountDeleteEngineStateFromKeychain(CFErrorRef *error); +bool SOSAccountIsNew(SOSAccountRef account, CFErrorRef *error); #endif diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.c index 17c84667..cf3ac04b 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.c @@ -29,7 +29,7 @@ static inline bool SOSAccountHasLeft(SOSAccountRef account) { } #endif -static const char *concordstring[] = { +static const char * __unused concordstring[] = { "kSOSConcordanceTrusted", "kSOSConcordanceGenOld", // kSOSErrorReplay "kSOSConcordanceNoUserSig", // kSOSErrorBadSignature @@ -63,6 +63,8 @@ static bool SOSAccountIsPeerRetired(SOSAccountRef account, CFSetRef peers){ else result = true; + CFReleaseNull(peerInfos); + return result; } 
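Review bot: `SOSAccountCopyRing` and `SOSAccountCopyRingNamed` are declared with identical signatures and no comment distinguishing them, so a reader cannot tell which to call or whether one is an alias of the other. Since this hunk also renames `SOSAccountGetRing` to `SOSAccountCopyRing`, turning every existing caller's borrowed reference into a +1 reference (the ring update code now balances it with `CFReleaseNull(oldRing)`), the header should say so: `// Returns a retained ring (caller releases), or NULL with *error when absent` on `SOSAccountCopyRing`, plus a one-line description of how `CopyRingNamed` differs. The same ownership note applies to the renamed `SOSAccountRingCopyPayload`.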
@@ -93,46 +95,48 @@ static bool SOSAccountBackupSliceKeyBagNeedsFix(SOSAccountRef account, SOSBackup } +typedef enum { + accept, + countersign, + leave, + revert, + modify, + ignore +} ringAction_t; + +static const char * __unused actionstring[] = { + "accept", "countersign", "leave", "revert", "modify", "ignore", +}; + bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRing, bool writeUpdate, CFErrorRef *error) { bool success = true; bool haveOldRing = true; - const char *localRemote = writeUpdate ? "local": "remote"; + const char * __unused localRemote = writeUpdate ? "local": "remote"; SOSFullPeerInfoRef fpi = account->my_identity; SOSPeerInfoRef pi = SOSFullPeerInfoGetPeerInfo(fpi); CFStringRef peerID = SOSPeerInfoGetPeerID(pi); bool peerActive = (fpi && pi && peerID && SOSAccountIsInCircle(account, NULL)); - secnotice("signing", "start:[%s] %@", localRemote, prospectiveRing); + secdebug("ringSigning", "start:[%s] %@", localRemote, prospectiveRing); require_quiet(SOSAccountHasPublicKey(account, error), errOut); require_action_quiet(prospectiveRing, errOut, SOSCreateError(kSOSErrorIncompatibleCircle, CFSTR("No Ring to work with"), NULL, error)); + require_action_quiet(SOSRingIsStable(prospectiveRing), errOut, SOSCreateError(kSOSErrorIncompatibleCircle, CFSTR("You give rings a bad name"), NULL, error)); + // We should at least have a sane ring system in the account object require_quiet(SOSAccountCheckForRings(account, error), errOut); CFStringRef ringName = SOSRingGetName(prospectiveRing); - SOSRingRef oldRing = SOSAccountGetRing(account, ringName, NULL); + SOSRingRef oldRing = SOSAccountCopyRing(account, ringName, NULL); SOSTransportCircleRef transport = account->circle_transport; SOSRingRef newRing = CFRetainSafe(prospectiveRing); // TODO: SOSAccountCloneRingWithRetirement(account, prospectiveRing, error); - typedef enum { - accept, - countersign, - leave, - revert, - modify, - ignore - } ringAction_t; - - static const char 
*actionstring[] = { - "accept", "countersign", "leave", "revert", "modify", "ignore", - }; - ringAction_t ringAction = ignore; bool userTrustedoldRing = true; @@ -154,7 +158,7 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin #endif if (!oldRing) { - oldRing = newRing; + oldRing = CFRetainSafe(newRing); } SOSConcordanceStatus concstat = SOSRingConcordanceTrust(fpi, peers, oldRing, newRing, oldKey, account->user_public, peerID, error); @@ -182,7 +186,7 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin case kSOSConcordanceNoPeerSig: ringAction = accept; // We might like this one eventually but don't countersign. concStr = CFSTR("No trusted peer signature"); - secerror("##### No trusted peer signature found, accepting hoping for concordance later %@", newRing); + secnotice("signing", "##### No trusted peer signature found, accepting hoping for concordance later %@", newRing); break; case kSOSConcordanceNoPeer: ringAction = leave; @@ -208,7 +212,9 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin break; } - secnotice("signing", "Decided on action [%s] based on concordance state [%s] and [%s] circle.", actionstring[ringAction], concordstring[concstat], userTrustedoldRing ? "trusted" : "untrusted"); + (void)concStr; + + secdebug("ringSigning", "Decided on action [%s] based on concordance state [%s] and [%s] circle.", actionstring[ringAction], concordstring[concstat], userTrustedoldRing ? "trusted" : "untrusted"); SOSRingRef ringToPush = NULL; bool iWasInOldRing = peerID && SOSRingHasPeerID(oldRing, peerID); 
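Review bot: Moving `ringAction_t` to file scope places the bare enumerators `accept`, `countersign`, `leave`, `revert`, `modify` and `ignore` in the translation unit's ordinary namespace; `accept` is the name of the POSIX socket call and `leave`/`ignore` are common function names, so any header that is (or later becomes) transitively included here turns into a redeclaration error, and the tags now outlive the only function that uses them. Prefix them (`kRingActionAccept`, …) or keep the enum local and hoist only the `__unused actionstring[]` table. The table is indexed by the enum and must stay in the same order; a comment `// indexed by ringAction_t — keep in sync` on it states the coupling the `secdebug` line relies on.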
@@ -221,7 +227,7 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin SOSBackupSliceKeyBagRef bskb = SOSRingCopyBackupSliceKeyBag(newRing, &localError); if(!bskb) { - secnotice("signing", "Backup ring with no backup slice keybag (%@)", localError); + secnotice("ringSigning", "Backup ring with no backup slice keybag (%@)", localError); } else if (SOSAccountBackupSliceKeyBagNeedsFix(account, bskb)) { ringAction = modify; } @@ -231,7 +237,7 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin if (ringAction == modify) { CFErrorRef updateError = NULL; - CFDictionarySetValue(account->trusted_rings, ringName, newRing); + SOSAccountSetRing(account, newRing, ringName, error); if(SOSAccountUpdateOurPeerInBackup(account, newRing, &updateError)) { secdebug("signing", "Modified backup ring to include us"); @@ -253,13 +259,12 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin if (sosAccountLeaveRing(account, newRing, error)) { ringToPush = newRing; } else { - secnotice("signing", "Can't leave ring %@", oldRing); + secdebug("ringSigning", "Can't leave ring %@", oldRing); success = false; } ringAction = accept; } else { // We are not in this ring, but we need to update account with it, since we got it from cloud - secnotice("signing", "We are not in this ring, but we need to update account with it"); ringAction = accept; } } 
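Review bot: `SOSAccountSetRing(account, newRing, ringName, error)` replaces the direct `CFDictionarySetValue` on `trusted_rings`, but its `bool` result is ignored here in the `modify` branch and again in the `accept` branch of the next hunk; if it fails, `*error` is set while `success` stays true, so the caller sees a successful update that never stored the ring, and the second call passing the same `error` can overwrite the first failure. Check it at both sites, e.g. `if (!SOSAccountSetRing(account, newRing, ringName, error)) success = false;`, or pass a local error and log it. `SOSAccountHandleUpdateRing` extends beyond the hunk.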
@@ -267,21 +272,20 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin if (ringAction == countersign) { if (iAmInNewRing) { if (SOSRingPeerTrusted(newRing, fpi, NULL)) { - secinfo("signing", "Already concur with: %@", newRing); + secdebug("ringSigning", "Already concur with: %@", newRing); } else { CFErrorRef signingError = NULL; if (fpi && SOSRingConcordanceSign(newRing, fpi, &signingError)) { ringToPush = newRing; - secinfo("signing", "Concurred with: %@", newRing); } else { - secerror("Failed to concurrence sign, error: %@ Old: %@ New: %@", signingError, oldRing, newRing); + secerror("Failed to concordance sign, error: %@ Old: %@ New: %@", signingError, oldRing, newRing); success = false; } CFReleaseSafe(signingError); } } else { - secnotice("signing", "Not countersigning, not in ring: %@", newRing); + secdebug("ringSigning", "Not countersigning, not in ring: %@", newRing); } ringAction = accept; } @@ -299,11 +303,7 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin SOSRingRemoveRejection(newRing, peerID); } - CFRetainSafe(oldRing); - CFDictionarySetValue(account->trusted_rings, ringName, newRing); - // TODO: Why was this? SOSAccountSetPreviousPublic(account); - - secnotice("signing", "%@, Accepting ring: %@", concStr, newRing); + SOSAccountSetRing(account, newRing, ringName, error); if (pi && account->user_public_trusted && SOSRingHasApplicant(oldRing, peerID) @@ -321,13 +321,12 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin SOSAccountCleanupRetirementTickets(account, RETIREMENT_FINALIZATION_SECONDS, NULL); } - CFReleaseNull(oldRing); account->circle_rings_retirements_need_attention = true; if (writeUpdate) ringToPush = newRing; - SOSUpdateKeyInterest(account); + account->key_interests_need_updating = true; } /* 
@@ -338,16 +337,16 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin if (ringAction == revert) { if(haveOldRing && peerActive && SOSRingHasPeerID(oldRing, peerID)) { - secnotice("signing", "%@, Rejecting: %@ re-publishing %@", concStr, newRing, oldRing); + secdebug("ringSigning", "%@, Rejecting: %@ re-publishing %@", concStr, newRing, oldRing); ringToPush = oldRing; } else { - secnotice("canary", "%@, Rejecting: %@ Have no old circle - would reset", concStr, newRing); + secdebug("ringSigning", "%@, Rejecting: %@ Have no old circle - would reset", concStr, newRing); } } if (ringToPush != NULL) { - secnotice("signing", "Pushing:[%s] %@", localRemote, ringToPush); + secdebug("ringSigning", "Pushing:[%s] %@", localRemote, ringToPush); CFDataRef ringData = SOSRingCopyEncodedData(ringToPush, error); if (ringData) { success &= SOSTransportCircleRingPostRing(transport, SOSRingGetName(ringToPush), ringData, error); @@ -356,7 +355,7 @@ bool SOSAccountHandleUpdateRing(SOSAccountRef account, SOSRingRef prospectiveRin } CFReleaseNull(ringData); } - + CFReleaseNull(oldRing); CFReleaseSafe(newRing); return success; errOut: diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRings.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRings.c index a7c01ff2..ff2e4ac5 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRings.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRings.c @@ -28,6 +28,7 @@ const CFStringRef kSOSRingCreditCards = CFSTR("Ring-CreditCards"); const CFStringRef kSOSRingiCloudIdentity = CFSTR("Ring-iCloudIdentity"); const CFStringRef kSOSRingOtherSyncable = CFSTR("Ring-OtherSyncable"); +const CFStringRef kSOSRingKey = CFSTR("trusted_rings"); static CFSetRef allCurrentRings(void) { static dispatch_once_t dot; 
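Review bot: `CFReleaseNull(oldRing)` is now done once before `return success`, which balances the +1 reference from `SOSAccountCopyRing` (and the `CFRetainSafe(newRing)` fallback) on the normal path, but the `errOut:` label that follows is outside the hunk and every `require_*` placed after `oldRing` is assigned jumps there; confirm that path also releases `oldRing` and `newRing`, or move the two releases below the label so both paths share them. A comment on the release, `// oldRing is +1 from SOSAccountCopyRing (or the CFRetainSafe fallback)`, would keep the next editor from reintroducing the earlier borrowed-reference assumption.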
@@ -69,65 +70,132 @@ static ringDefPtr getRingDef(CFStringRef ringName) { retval.ringType = kSOSRingEntropyKeyed; - if(CFEqual(ringName, kSOSRingKeychainV0) == 0) { - } else if(CFEqual(ringName, kSOSRingPCSHyperion) == 0) { - } else if(CFEqual(ringName, kSOSRingPCSBladerunner) == 0) { - } else if(CFEqual(ringName, kSOSRingKeychainV0) == 0) { - } else if(CFEqual(ringName, kSOSRingKeychainV0) == 0) { - } else if(CFEqual(ringName, kSOSRingKeychainV0) == 0) { - } else if(CFEqual(ringName, kSOSRingKeychainV0) == 0) { - } else if(CFEqual(ringName, kSOSRingCircleV2) == 0) { + if(CFSetContainsValue(allCurrentRings(), ringName)) { retval.ringType = kSOSRingBase; retval.dropWhenLeaving = false; - } else return NULL; + } else { + retval.ringType = kSOSRingBackup; + retval.dropWhenLeaving = false; + } return &retval; } -#if 0 -static bool isRingKnown(CFStringRef ringname) { - if(getRingDef(ringname) != NULL) return true; - secnotice("rings","Not a known ring"); - return false; -} -#endif - -static inline void SOSAccountRingForEach(void (^action)(CFStringRef ringname)) { +__unused static inline void SOSAccountRingForEachRingMatching(SOSAccountRef a, void (^action)(SOSRingRef ring), bool (^condition)(SOSRingRef ring)) { CFSetRef allRings = allCurrentRings(); CFSetForEach(allRings, ^(const void *value) { CFStringRef ringName = (CFStringRef) value; - action(ringName); + SOSRingRef ring = SOSAccountCopyRing(a, ringName, NULL); + if (condition(ring)) { + action(ring); + } + CFReleaseNull(ring); }); } +void SOSAccountAddRingDictionary(SOSAccountRef a) { + if(a->expansion) { + if(!CFDictionaryGetValue(a->expansion, kSOSRingKey)) { + CFMutableDictionaryRef rings = CFDictionaryCreateMutableForCFTypes(NULL); + CFDictionarySetValue(a->expansion, kSOSRingKey, rings); + CFReleaseNull(rings); + } + } +} -__unused static inline void SOSAccountRingForEachRingMatching(SOSAccountRef a, void (^action)(SOSRingRef ring), bool (^condition)(SOSRingRef ring)) { - CFSetRef allRings = allCurrentRings(); 
- CFSetForEach(allRings, ^(const void *value) { - CFStringRef ringName = (CFStringRef) value; - SOSRingRef ring = SOSAccountGetRing(a, ringName, NULL); - if (condition(ring)) - action(ring); - }); +static CFMutableDictionaryRef SOSAccountGetRings(SOSAccountRef a, CFErrorRef *error){ + CFMutableDictionaryRef rings = (CFMutableDictionaryRef) CFDictionaryGetValue(a->expansion, kSOSRingKey); + if(!rings) { + SOSAccountAddRingDictionary(a); + rings = SOSAccountGetRings(a, error); + } + return rings; } -CFMutableDictionaryRef SOSAccountGetRings(SOSAccountRef a, CFErrorRef *error){ - return a->trusted_rings; +static void SOSAccountSetRings(SOSAccountRef a, CFMutableDictionaryRef newrings){ + CFDictionarySetValue(a->expansion, newrings, kSOSRingKey); +} + +bool SOSAccountForEachRing(SOSAccountRef account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring)) { + bool retval = false; + __block bool changed = false; + CFMutableDictionaryRef rings = SOSAccountGetRings(account, NULL); + CFMutableDictionaryRef ringscopy = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + require_quiet(rings, errOut); + require_quiet(ringscopy, errOut); + CFDictionaryForEach(rings, ^(const void *key, const void *value) { + CFStringRef ringname = (CFStringRef) key; + CFDataRef ringder = CFDataCreateCopy(kCFAllocatorDefault, (CFDataRef) value); + CFDictionaryAddValue(ringscopy, key, ringder); + SOSRingRef ring = SOSRingCreateFromData(NULL, ringder); + SOSRingRef newring = action(ringname, ring); + if(newring) { + CFDataRef newringder = SOSRingCopyEncodedData(newring, NULL); + CFDictionaryReplaceValue(ringscopy, key, newringder); + CFReleaseNull(newringder); + changed = true; + } + CFReleaseNull(ring); + CFReleaseNull(ringder); + CFReleaseNull(newring); + }); + if(changed) { + SOSAccountSetRings(account, ringscopy); + } + retval = true; +errOut: + CFReleaseNull(ringscopy); + return retval; } CFMutableDictionaryRef SOSAccountGetBackups(SOSAccountRef a, CFErrorRef *error){ return 
a->backups; } -SOSRingRef SOSAccountGetRing(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error) { - CFTypeRef entry = CFDictionaryGetValue(a->trusted_rings, ringName); - require_action_quiet(entry, fail, - SOSCreateError(kSOSErrorNoRing, CFSTR("No Ring found"), NULL, error)); - return (SOSRingRef) entry; +SOSRingRef SOSAccountCopyRing(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error) { + CFMutableDictionaryRef rings = SOSAccountGetRings(a, error); + require_action_quiet(rings, errOut, SOSCreateError(kSOSErrorNoRing, CFSTR("No Rings found"), NULL, error)); + CFTypeRef ringder = CFDictionaryGetValue(rings, ringName); + require_action_quiet(ringder, errOut, SOSCreateError(kSOSErrorNoRing, CFSTR("No Ring found"), NULL, error)); + SOSRingRef ring = SOSRingCreateFromData(NULL, ringder); + return (SOSRingRef) ring; -fail: +errOut: return NULL; } +bool SOSAccountSetRing(SOSAccountRef a, SOSRingRef addRing, CFStringRef ringName, CFErrorRef *error) { + require_quiet(addRing, errOut); + CFMutableDictionaryRef rings = SOSAccountGetRings(a, error); + require_action_quiet(rings, errOut, SOSCreateError(kSOSErrorNoRing, CFSTR("No Rings found"), NULL, error)); + CFDataRef ringder = SOSRingCopyEncodedData(addRing, error); + require_quiet(ringder, errOut); + CFDictionarySetValue(rings, ringName, ringder); + CFReleaseNull(ringder); + return true; +errOut: + return false; +} + +void SOSAccountRemoveRing(SOSAccountRef a, CFStringRef ringName) { + CFMutableDictionaryRef rings = SOSAccountGetRings(a, NULL); + require_quiet(rings, fail); + CFDictionaryRemoveValue(rings, ringName); +fail: + return; +} + + +SOSRingRef SOSAccountCopyRingNamed(SOSAccountRef a, CFStringRef ringName, CFErrorRef *error) { + SOSRingRef found = SOSAccountCopyRing(a, ringName, error); + if (isSOSRing(found)) return found; + if (found) { + secerror("Non ring in ring table: %@, purging!", found); + SOSAccountRemoveRing(a, ringName); + } + found = NULL; + return found; +} + CFStringRef 
SOSAccountGetMyPeerID(SOSAccountRef a) { SOSFullPeerInfoRef fpi = SOSAccountGetMyFullPeerInfo(a); require_quiet(fpi, errOut); @@ -146,35 +214,23 @@ SOSRingRef SOSAccountRingCreateForName(SOSAccountRef a, CFStringRef ringName, CF } bool SOSAccountCheckForRings(SOSAccountRef a, CFErrorRef *error) { - bool retval = isDictionary(a->trusted_rings); - if(!retval) SOSCreateError(kSOSErrorNotReady, CFSTR("Rings not present"), NULL, error); - return retval; -} - -bool SOSAccountEnsureRings(SOSAccountRef a, CFErrorRef *error) { - bool status = false; - - if(!a->trusted_rings) { - a->trusted_rings = CFDictionaryCreateMutableForCFTypes(NULL); - } - - require_quiet(SOSAccountEnsureFullPeerAvailable(a, error), errOut); - - SOSAccountRingForEach(^(CFStringRef ringname) { - SOSRingRef ring = SOSAccountGetRing(a, ringname, NULL); - if(!ring) { - ring = SOSAccountRingCreateForName(a, ringname, error); - if(ring) { - CFDictionaryAddValue(a->trusted_rings, ringname, ring); - SOSUpdateKeyInterest(a); + __block bool retval = true; + CFMutableDictionaryRef rings = SOSAccountGetRings(a, error); + if(rings && isDictionary(rings)) { + SOSAccountForEachRing(a, ^SOSRingRef(CFStringRef ringname, SOSRingRef ring) { + if(retval == true) { + if(!SOSRingIsStable(ring)) { + retval = false; + secnotice("ring", "Ring %@ not stable", ringname); + } } - CFReleaseNull(ring); - } - }); - - status = true; -errOut: - return status; + return NULL; + }); + } else { + SOSCreateError(kSOSErrorNotReady, CFSTR("Rings not present"), NULL, error); + retval = false; + } + return retval; } bool SOSAccountUpdateRingFromRemote(SOSAccountRef account, SOSRingRef newRing, CFErrorRef *error) { 
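Review bot: `SOSAccountSetRings` passes its arguments to CFDictionarySetValue in the wrong order: `CFDictionarySetValue(a->expansion, newrings, kSOSRingKey);` stores the new rings dictionary as a key whose value is the string "trusted_rings" and never replaces the entry under kSOSRingKey. Consequently the `if(changed) { SOSAccountSetRings(account, ringscopy); }` branch of SOSAccountForEachRing silently discards every ring an action returns, and a dictionary-keyed stray entry accumulates in `a->expansion`. The fix is `CFDictionarySetValue(a->expansion, kSOSRingKey, newrings);`. Separately, SOSAccountCopyRing and SOSAccountForEachRing hand the stored value to SOSRingCreateFromData without an `isData()` check, and getRingDef now classifies any name absent from allCurrentRings() as a backup ring where it previously returned NULL; if ring names can originate from remote peers, a comment stating that this widening is intentional would help.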
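Review bot: SOSAccountCheckForRings calls `SOSRingIsStable(ring)` on whatever SOSAccountForEachRing decoded, and SOSAccountForEachRing forwards the result of SOSRingCreateFromData unchecked, so a corrupt or non-ring entry reaches this block as NULL; unless SOSRingIsStable tolerates NULL that is a dereference. Treating an undecodable ring as unstable is the safe reading: `if(!ring || !SOSRingIsStable(ring)) { retval = false; secnotice("ring", "Ring %@ missing or not stable", ringname); }`. Note also that the deleted SOSAccountEnsureRings created missing rings on demand and nothing in this hunk replaces it, so the replacement creation path needs confirming elsewhere in the commit.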
@@ -188,12 +244,9 @@ bool SOSAccountUpdateRing(SOSAccountRef account, SOSRingRef newRing, CFErrorRef bool SOSAccountModifyRing(SOSAccountRef account, CFStringRef ringName, CFErrorRef* error, bool (^action)(SOSRingRef ring)) { bool success = false; - SOSRingRef ring = SOSAccountGetRing(account, ringName, error); + SOSRingRef ring = SOSAccountCopyRing(account, ringName, error); require_action_quiet(ring, fail, SOSErrorCreate(kSOSErrorNoRing, error, NULL, CFSTR("No Ring to get peer key from"))); - ring = SOSRingCopyRing(ring, error); - require_quiet(ring, fail); - success = true; require_quiet(action(ring), fail); 
@@ -204,31 +257,32 @@ fail: return success; } -CFDataRef SOSAccountRingGetPayload(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error) { - SOSRingRef ring = SOSAccountGetRing(account, ringName, error); - return SOSRingGetPayload(ring, error); +CFDataRef SOSAccountRingCopyPayload(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error) { + SOSRingRef ring = SOSAccountCopyRing(account, ringName, error); + CFDataRef payload = SOSRingGetPayload(ring, error); + CFDataRef retval = CFDataCreateCopy(kCFAllocatorDefault, payload); + CFReleaseNull(ring); + return retval; } SOSRingRef SOSAccountRingCopyWithPayload(SOSAccountRef account, CFStringRef ringName, CFDataRef payload, CFErrorRef *error) { - SOSRingRef ring = SOSAccountGetRing(account, ringName, error); + SOSRingRef ring = SOSAccountCopyRing(account, ringName, error); require_quiet(ring, errOut); - SOSRingRef new = SOSRingCopyRing(ring, error); - require_quiet(new, errOut); CFDataRef oldpayload = SOSRingGetPayload(ring, error); require_quiet(!CFEqualSafe(oldpayload, payload), errOut); - require_quiet(SOSRingSetPayload(new, NULL, payload, account->my_identity, error), errOut); - + require_quiet(SOSRingSetPayload(ring, NULL, payload, account->my_identity, error), errOut); errOut: - return NULL; + return ring; } bool SOSAccountResetRing(SOSAccountRef account, CFStringRef ringName, CFErrorRef *error) { bool retval = false; - SOSRingRef ring = SOSAccountGetRing(account, ringName, error); + SOSRingRef ring = SOSAccountCopyRing(account, ringName, error); SOSRingRef newring = SOSRingCreate(ringName, NULL, SOSRingGetType(ring), error); SOSRingGenerationCreateWithBaseline(newring, ring); SOSBackupRingSetViews(newring, account->my_identity, SOSBackupRingGetViews(ring, NULL), error); require_quiet(newring, errOut); + CFReleaseNull(ring); retval = SOSAccountUpdateRing(account, newring, error); errOut: CFReleaseNull(newring); 
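Review bot: SOSAccountRingCopyPayload passes `payload` to CFDataCreateCopy without checking that SOSAccountCopyRing or SOSRingGetPayload succeeded; CFDataCreateCopy does not accept NULL, so a missing ring now crashes where the old code returned NULL with `error` set — guard with `CFDataRef retval = payload ? CFDataCreateCopy(kCFAllocatorDefault, payload) : NULL;`. SOSAccountResetRing has the inverse problem: `CFReleaseNull(ring);` is placed after `require_quiet(newring, errOut);`, so when ring creation fails the copy from SOSAccountCopyRing leaks, and `SOSRingGetType(ring)` and `SOSRingGenerationCreateWithBaseline(newring, ring)` are evaluated before either pointer is checked; moving `CFReleaseNull(ring);` below `errOut:` fixes the leak. SOSAccountRingCopyWithPayload now returns `ring` even when SOSRingSetPayload fails, so callers cannot tell an updated ring from an untouched one — either release and return NULL on that path, or document that the returned ring may be unmodified.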
@@ -237,10 +291,21 @@ errOut: bool SOSAccountResetAllRings(SOSAccountRef account, CFErrorRef *error) { __block bool retval = true; - CFDictionaryForEach(account->trusted_rings, ^(const void *key, const void *value) { - CFStringRef ringName = (CFStringRef) key; + CFMutableSetRef ringList = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); + require_quiet(ringList, errOut); + + SOSAccountForEachRing(account, ^SOSRingRef(CFStringRef name, SOSRingRef ring) { + CFSetAddValue(ringList, name); + return NULL; // just using this to grab names. + }); + + CFSetForEach(ringList, ^(const void *value) { + CFStringRef ringName = (CFStringRef) value; retval = retval && SOSAccountResetRing(account, ringName, error); }); + +errOut: + CFReleaseNull(ringList); return retval; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.c new file mode 100644 index 00000000..7d891d59 --- /dev/null +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.c 
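Review bot: `require_quiet(ringList, errOut);` leaves retval at its initial `true`, so if the set allocation fails SOSAccountResetAllRings reports success without having reset anything; `require_action_quiet(ringList, errOut, retval = false);` reports it honestly. The unchanged `retval = retval && SOSAccountResetRing(account, ringName, error);` also short-circuits after the first failure, so later rings are skipped; if every ring should be attempted, evaluate the call first: `bool ok = SOSAccountResetRing(account, ringName, error); retval = retval && ok;`.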
@@ -0,0 +1,199 @@
+//
+// SOSAccountTransaction.c
+// sec
+//
+//
+
+#include "SOSAccountTransaction.h"
+
+#include <utilities/SecCFWrappers.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+#include <Security/SecureObjectSync/SOSAccount.h>
+#include <Security/SecureObjectSync/SOSAccountPriv.h>
+#include <Security/SecureObjectSync/SOSPeerInfoV2.h>
+#include <Security/SecureObjectSync/SOSTransport.h>
+#include <Security/SecureObjectSync/SOSTransportCircle.h>
+
+#define kPublicKeyNotAvailable "com.apple.security.publickeynotavailable"
+
+CFGiblisFor(SOSAccountTransaction);
+
+static void SOSAccountTransactionDestroy(CFTypeRef aObj) {
+ SOSAccountTransactionRef at = (SOSAccountTransactionRef) aObj;
+
+ CFReleaseNull(at->initialUnsyncedViews);
+ CFReleaseNull(at->initialID);
+ CFReleaseNull(at->account);
+ CFReleaseNull(at->initialViews);
+ CFReleaseNull(at->initialKeyParameters);
+}
+
+static CFStringRef SOSAccountTransactionCopyFormatDescription(CFTypeRef aObj, CFDictionaryRef formatOptions) {
+ SOSAccountTransactionRef at = (SOSAccountTransactionRef) aObj;
+
+ CFMutableStringRef description = CFStringCreateMutable(kCFAllocatorDefault, 0);
+
+ CFStringAppendFormat(description, NULL, CFSTR("<SOSAccountTransactionRef@%p %ld>"),
+ at, at->initialViews ? CFSetGetCount(at->initialViews) : 0);
+
+ return description;
+}
+
+static void SOSAccountTransactionRestart(SOSAccountTransactionRef txn) {
+ txn->initialInCircle = SOSAccountIsInCircle(txn->account, NULL);
+
+ if(txn->account)
+ txn->initialTrusted = (txn->account)->user_public_trusted;
+
+ if (txn->initialInCircle) {
+ SOSAccountEnsureSyncChecking(txn->account);
+ }
+
+ CFAssignRetained(txn->initialUnsyncedViews, SOSAccountCopyOutstandingViews(txn->account));
+
+ CFReleaseNull(txn->initialKeyParameters);
+
+ if(txn->account && txn->account->user_key_parameters){
+ CFReleaseNull(txn->initialKeyParameters);
+ txn->initialKeyParameters = CFDataCreateCopy(kCFAllocatorDefault, txn->account->user_key_parameters);
+ }
+ SOSPeerInfoRef mpi = SOSAccountGetMyPeerInfo(txn->account);
+ CFAssignRetained(txn->initialViews, mpi ? SOSPeerInfoCopyEnabledViews(mpi) : NULL);
+
+ CFRetainAssign(txn->initialID, SOSPeerInfoGetPeerID(mpi));
+
+ CFStringSetPerformWithDescription(txn->initialViews, ^(CFStringRef description) {
+ secnotice("acct-txn", "Starting as:%s v:%@", txn->initialInCircle ? "member" : "non-member", description);
+ });
+}
+
+
+SOSAccountTransactionRef SOSAccountTransactionCreate(SOSAccountRef account) {
+ SOSAccountTransactionRef at = CFTypeAllocate(SOSAccountTransaction, struct __OpaqueSOSAccountTransaction, kCFAllocatorDefault);
+
+ at->account = CFRetainSafe(account);
+
+ at->initialInCircle = false;
+ at->initialViews = NULL;
+ at->initialKeyParameters = NULL;
+ at->initialTrusted = false;
+ at->initialUnsyncedViews = NULL;
+ at->initialID = NULL;
+
+ SOSAccountTransactionRestart(at);
+
+ return at;
+}
+
+#define ACCOUNT_STATE_INTERVAL 20
+
+void SOSAccountTransactionFinish(SOSAccountTransactionRef txn) {
+ CFErrorRef localError = NULL;
+ bool notifyEngines = false;
+ static int do_account_state_at_zero = 0;
+
+ SOSPeerInfoRef mpi = SOSAccountGetMyPeerInfo(txn->account);
+
+ bool inCircle = SOSAccountIsInCircle(txn->account, NULL);
+
+ if (inCircle) {
+ SOSAccountEnsureSyncChecking(txn->account);
+ } else {
+ SOSAccountCancelSyncChecking(txn->account);
+ }
+
+ // If our identity changed our inital set should be everything.
+ if (!CFEqualSafe(txn->initialID, SOSPeerInfoGetPeerID(mpi))) {
+ CFAssignRetained(txn->initialUnsyncedViews, SOSViewCopyViewSet(kViewSetAll));
+ }
+
+ CFSetRef finalUnsyncedViews = SOSAccountCopyOutstandingViews(txn->account);
+ if (!CFEqualSafe(txn->initialUnsyncedViews, finalUnsyncedViews)) {
+ if (SOSAccountHandleOutOfSyncUpdate(txn->account, txn->initialUnsyncedViews, finalUnsyncedViews)) {
+ notifyEngines = true;
+ }
+
+ CFStringSetPerformWithDescription(txn->initialUnsyncedViews, ^(CFStringRef newUnsyncedDescripion) {
+ CFStringSetPerformWithDescription(finalUnsyncedViews, ^(CFStringRef unsyncedDescription) {
+ secnotice("initial-sync", "Unsynced was: %@", unsyncedDescription);
+ secnotice("initial-sync", "Unsynced is: %@", newUnsyncedDescripion);
+ });
+ });
+ }
+ CFReleaseNull(finalUnsyncedViews);
+
+ if (txn->account->engine_peer_state_needs_repair) {
+ // We currently only get here from a failed syncwithallpeers, so
+ // that will retry. If this logic changes, force a syncwithallpeers
+ if (!SOSAccountEnsurePeerRegistration(txn->account, &localError)) {
+ secerror("Ensure peer registration while repairing failed: %@", localError);
+ }
+ CFReleaseNull(localError);
+
+ notifyEngines = true;
+ }
+
+ if(txn->account->circle_rings_retirements_need_attention){
+ SOSAccountRecordRetiredPeersInCircle(txn->account);
+
+ SOSAccountEnsureInBackupRings(txn->account);
+
+ CFErrorRef localError = NULL;
+ if(!SOSTransportCircleFlushChanges(txn->account->circle_transport, &localError)) {
+ secerror("flush circle failed %@", localError);
+ }
+ CFReleaseSafe(localError);
+
+ notifyEngines = true;
+ }
+
+ if (notifyEngines) {
+ SOSAccountNotifyEngines(txn->account);
+ }
+
+ if(txn->account->key_interests_need_updating){
+ SOSUpdateKeyInterest(txn->account);
+ }
+
+ txn->account->key_interests_need_updating = false;
+ txn->account->circle_rings_retirements_need_attention = false;
+ txn->account->engine_peer_state_needs_repair = false;
+ SOSAccountFlattenToSaveBlock(txn->account);
+
+ // Check for firing view membership change. On change of view membership or circle membership
+ bool isInCircle = SOSAccountIsInCircle(txn->account, NULL);
+
+ mpi = SOSAccountGetMyPeerInfo(txn->account);
+ CFSetRef views = mpi ? SOSPeerInfoCopyEnabledViews(mpi) : NULL;
+
+ CFStringSetPerformWithDescription(views, ^(CFStringRef description) {
+ secnotice("acct-txn", "Finished as:%s v:%@", isInCircle ? "member" : "non-member", description);
+ });
+ if(!CFEqualSafe(txn->initialViews, views) || txn->initialInCircle != isInCircle) {
+ notify_post(kSOSCCViewMembershipChangedNotification);
+ do_account_state_at_zero = 0;
+ }
+
+ if((txn->initialTrusted != (txn->account)->user_public_trusted) || (!CFEqualSafe(txn->initialKeyParameters, txn->account->user_key_parameters))){
+ notify_post(kPublicKeyNotAvailable);
+ do_account_state_at_zero = 0;
+ }
+
+ if(do_account_state_at_zero <= 0) {
+ SOSAccountLogState(txn->account);
+ SOSAccountLogViewState(txn->account);
+ do_account_state_at_zero = ACCOUNT_STATE_INTERVAL;
+ }
+ do_account_state_at_zero--;
+
+ CFReleaseNull(views);
+
+}
+
+void SOSAccountTransactionFinishAndRestart(SOSAccountTransactionRef txn) {
+ SOSAccountTransactionFinish(txn);
+ SOSAccountTransactionRestart(txn);
+}
+
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.h
new file mode 100644
index 00000000..87254a22
--- /dev/null
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.h
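Review bot: The two "initial-sync" log lines in SOSAccountTransactionFinish have their labels crossed: the outer block's `newUnsyncedDescripion` describes `txn->initialUnsyncedViews` and the inner `unsyncedDescription` describes `finalUnsyncedViews`, yet "Unsynced was:" prints the latter and "Unsynced is:" the former, so the log reads backwards. Swapping the two format strings (and fixing the spelling to `newUnsyncedDescription`) gives `secnotice("initial-sync", "Unsynced was: %@", newUnsyncedDescription);` and `secnotice("initial-sync", "Unsynced is: %@", unsyncedDescription);`. SOSAccountTransactionRestart also calls `SOSPeerInfoGetPeerID(mpi)` right after guarding `SOSPeerInfoCopyEnabledViews` with `mpi ?`, and Finish does the same — unless SOSPeerInfoGetPeerID accepts NULL, a transaction on an account with no peer info crashes there. Finally, `static int do_account_state_at_zero` is one counter shared by every account and every thread that finishes a transaction; if that is intended, a one-line comment saying so would spare the next reader the question.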
@@ -0,0 +1,41 @@
+//
+// SOSAccountTransaction.h
+// sec
+//
+//
+//
+
+#ifndef SOSAccountTransaction_h
+#define SOSAccountTransaction_h
+
+typedef struct __OpaqueSOSAccountTransaction *SOSAccountTransactionRef;
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/SecureObjectSync/SOSAccount.h>
+#include <CoreFoundation/CFRuntime.h>
+
+CF_ASSUME_NONNULL_BEGIN
+
+struct __OpaqueSOSAccountTransaction {
+ CFRuntimeBase _base;
+
+ _Nonnull SOSAccountRef account;
+
+ bool initialInCircle;
+ _Nullable CFSetRef initialViews;
+
+ _Nullable CFSetRef initialUnsyncedViews;
+ _Nullable CFStringRef initialID;
+
+ bool initialTrusted;
+ _Nullable CFDataRef initialKeyParameters;
+};
+
+
+SOSAccountTransactionRef SOSAccountTransactionCreate(SOSAccountRef account);
+void SOSAccountTransactionFinish(SOSAccountTransactionRef txn);
+void SOSAccountTransactionFinishAndRestart(SOSAccountTransactionRef txn);
+
+CF_ASSUME_NONNULL_END
+
+#endif /* SOSAccountTransaction_h */
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.c
index b0d89a24..7fe47f25 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.c
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.c
@@ -4,6 +4,8 @@
 //
 #include "SOSAccountPriv.h"
+#include "SOSAccountLog.h"
+
 #include <Security/SecureObjectSync/SOSAccountHSAJoin.h>
 #include <Security/SecureObjectSync/SOSTransportCircle.h>
 #include <Security/SecureObjectSync/SOSTransport.h>
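Review bot: The header publishes the complete `struct __OpaqueSOSAccountTransaction` layout despite the opaque naming, and none of the three prototypes states a contract: nothing here tells a caller that Create retains the account and snapshots its state, that Finish compares the account against that snapshot and posts notifications, or that the result is a CF object to CFRelease. A short block above the prototypes would cover it, e.g. `// Create retains account and snapshots circle membership, views and key parameters; Finish diffs the account against that snapshot, drives engine/key-interest updates and posts change notifications. Release the transaction with CFRelease.`. The `_Nonnull SOSAccountRef account` annotation also contradicts the `if(txn->account)` checks in SOSAccountTransaction.c; either the checks or the annotation should go.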
@@ -55,31 +57,27 @@ static bool isBackupSOSRing(SOSRingRef ring) return isSOSRing(ring) && (kSOSRingBackup == SOSRingGetType(ring)); } -static bool CFSetIntersectionNotEmpty(CFSetRef set1, CFSetRef set2) { - __block bool intersectionEmpty = true; - CFSetForEach(set1, ^(const void *value) { - if (CFSetContainsValue(set2, value)) { - intersectionEmpty = false; - }; - }); - return !intersectionEmpty; -} - -__unused static void SOSAccountAppendPeerMetasForViewBackups(SOSAccountRef account, CFSetRef views, CFMutableArrayRef appendTo) { - if (account->trusted_rings == NULL || CFDictionaryGetCount(account->trusted_rings) == 0) return; + CFMutableDictionaryRef ringToViewTable = NULL; + + require_quiet(SOSAccountIsInCircle(account, NULL), done); + + require_action_quiet(SOSAccountHasCompletedRequiredBackupSync(account), done, + secnotice("backup", "Haven't finished initial backup syncing, not registering backup metas with engine")); - CFMutableDictionaryRef ringToViewTable = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + require_action_quiet(SOSPeerInfoV2DictionaryHasData(SOSAccountGetMyPeerInfo(account), sBackupKeyKey), done, + secnotice("backup", "No key to backup to, we don't enable individual view backups")); + + ringToViewTable = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); CFSetForEach(views, ^(const void *value) { CFStringRef viewName = value; if (isString(viewName) && !CFEqualSafe(viewName, kSOSViewKeychainV0)) { CFStringRef ringName = SOSBackupCopyRingNameForView(viewName); viewName = ringName; - SOSRingRef ring = (SOSRingRef) CFDictionaryGetValue(account->trusted_rings, ringName); - - if (isBackupSOSRing(ring)) { + SOSRingRef ring = SOSAccountCopyRing(account, ringName, NULL); + if (ring && isBackupSOSRing(ring)) { CFTypeRef currentValue = (CFTypeRef) CFDictionaryGetValue(ringToViewTable, ring); if (isSet(currentValue)) { 
@@ -95,17 +93,18 @@ static void SOSAccountAppendPeerMetasForViewBackups(SOSAccountRef account, CFSet secwarning("View '%@' not being backed up â ring %@:%@ not backup ring.", viewName, ringName, ring); } CFReleaseNull(ringName); + CFReleaseNull(ring); } }); - CFSetRef unsynced = asSet(SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL), NULL); - CFDictionaryForEach(ringToViewTable, ^(const void *key, const void *value) { SOSRingRef ring = (SOSRingRef) key; - CFSetRef viewNames = (CFSetRef) value; - if (isSOSRing(ring) && isSet(viewNames)) { - if (unsynced && CFSetIntersectionNotEmpty(unsynced, viewNames)) { - secnotice("engine-notify", "Haven't initially synced views, not making backup peer meta: U: %@ R: %@ Vs: %@", unsynced, SOSRingGetName(ring), viewNames); + CFSetRef viewNames = asSet(value, NULL); + if (isSOSRing(ring) && viewNames) { + if (SOSAccountIntersectsWithOutstanding(account, viewNames)) { + CFStringSetPerformWithDescription(viewNames, ^(CFStringRef ringViews) { + secnotice("engine-notify", "Not ready, no peer meta: R: %@ Vs: %@", SOSRingGetName(ring), ringViews); + }); } else { bool meta_added = false; CFErrorRef create_error = NULL; 
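Review bot: `ringToViewTable` is now keyed by the object returned from `SOSAccountCopyRing`, a freshly decoded copy on every iteration, where the key used to be the single instance held in `account->trusted_rings`; whether two copies of the same ring collapse into one entry depends on SOSRing implementing CFEqual/CFHash by content, which is not visible here, and if it does not the per-ring view sets are never merged. A comment at the `CFDictionaryGetValue(ringToViewTable, ring)` lookup stating that SOSRing equality is by ring content, or keying the table by `SOSRingGetName(ring)` instead, would make the invariant explicit. The function's closing lines are in the following hunk.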
@@ -122,13 +121,17 @@ static void SOSAccountAppendPeerMetasForViewBackups(SOSAccountRef account, CFSet require_quiet(SecAllocationError(newMeta, &create_error, CFSTR("Didn't make peer meta for: %@"), ring), skip); CFArrayAppendValue(appendTo, newMeta); - secnotice("engine-notify", "Backup peer meta: R: %@ Vs: %@ VD: %@", SOSRingGetName(ring), viewNames, ring_payload); + CFStringSetPerformWithDescription(viewNames, ^(CFStringRef ringViews) { + secnotice("engine-notify", "Backup peer meta: R: %@ Vs: %@ VD: %@", SOSRingGetName(ring), ringViews, ring_payload); + }); meta_added = true; skip: if (!meta_added) { - secerror("Failed to register backup meta from %@ for views %@. Error (%@)", ring, viewNames, create_error); + CFStringSetPerformWithDescription(viewNames, ^(CFStringRef ringViews) { + secerror("Failed to register backup meta from %@ for views %@. Error (%@)", ring, ringViews, create_error); + }); } CFReleaseNull(newMeta); CFReleaseNull(key_bag); @@ -137,6 +140,7 @@ static void SOSAccountAppendPeerMetasForViewBackups(SOSAccountRef account, CFSet } }); +done: CFReleaseNull(ringToViewTable); } @@ -181,6 +185,10 @@ void SOSAccountNotifyEngines(SOSAccountRef account) CFSetAddValue(views, kSOSViewKeychainV0); } + CFStringSetPerformWithDescription(views, ^(CFStringRef viewsDescription) { + secnotice("engine-notify", "Meta: %@: %@", SOSPeerInfoGetPeerID(peer), viewsDescription); + }); + SOSPeerMetaRef peerMeta = SOSPeerMetaCreateWithComponents(SOSPeerInfoGetPeerID(peer), views, NULL); CFReleaseNull(views); @@ -188,7 +196,8 @@ void SOSAccountNotifyEngines(SOSAccountRef account) CFReleaseNull(peerMeta); }); - // We don't make a backup peer for the magic V0 peer, so do it before we munge the set. + // We don't make a backup peer meta for the magic V0 peer + // Set up all the rest before we munge the set SOSAccountAppendPeerMetasForViewBackups(account, myViews, syncing_peer_metas); // If we saw someone else needing V0, we sync V0, too! 
@@ -196,6 +205,9 @@ void SOSAccountNotifyEngines(SOSAccountRef account) CFSetAddValue(myViews, kSOSViewKeychainV0); } + CFStringSetPerformWithDescription(myViews, ^(CFStringRef viewsDescription) { + secnotice("engine-notify", "My Meta: %@: %@", myPi_id, viewsDescription); + }); myMeta = SOSPeerMetaCreateWithComponents(myPi_id, myViews, NULL); CFReleaseSafe(myViews); } @@ -211,7 +223,7 @@ void SOSAccountNotifyEngines(SOSAccountRef account) CFReleaseNull(zombie_peer_metas); } -// murf Upcoming call to View Changes Here +// Upcoming call to View Changes Here static void SOSAccountNotifyOfChange(SOSAccountRef account, SOSCircleRef oldCircle, SOSCircleRef newCircle) { account->circle_rings_retirements_need_attention = true; @@ -249,9 +261,9 @@ CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccountRef account, CFDict // We only handle one circle, look it up: require_quiet(account->trusted_circle, finish); // We don't fail, we intentionally handle nothing. - CFDictionaryRef retirment_dictionary = CFDictionaryGetValue(circle_retirement_messages, circle_name); - - CFDictionaryForEach(retirment_dictionary, ^(const void *key, const void *value) { + CFDictionaryRef retirement_dictionary = asDictionary(CFDictionaryGetValue(circle_retirement_messages, circle_name), error); + require_quiet(retirement_dictionary, finish); + CFDictionaryForEach(retirement_dictionary, ^(const void *key, const void *value) { if(isData(value)) { SOSPeerInfoRef pi = SOSPeerInfoCreateFromData(NULL, error, (CFDataRef) value); if(pi && CFEqual(key, SOSPeerInfoGetPeerID(pi)) && SOSPeerInfoInspectRetirementTicket(pi, error)) { 
@@ -354,6 +366,9 @@ bool SOSAccountHandleParametersChange(SOSAccountRef account, CFDataRef parameter bool success = false; if(SOSAccountRetrieveCloudParameters(account, &newKey, parameters, &newParameters, error)) { + debugDumpUserParameters(CFSTR("SOSAccountHandleParametersChange got new user key parameters:"), parameters); + secnotice("keygen", "SOSAccountHandleParametersChange got new public key: %@", newKey); + if (CFEqualSafe(account->user_public, newKey)) { secnotice("updates", "Got same public key sent our way. Ignoring."); success = true; @@ -366,16 +381,15 @@ bool SOSAccountHandleParametersChange(SOSAccountRef account, CFDataRef parameter newKey = NULL; if(SOSAccountRetryUserCredentials(account)) { - secnotice("keygen", "Successfully used cached password with new parameters: %@", account->user_public); + secnotice("keygen", "Successfully used cached password with new parameters"); SOSAccountGenerationSignatureUpdate(account, error); } else { SOSAccountPurgePrivateCredential(account); - secnotice("keygen", "Got new parameters for public key - failed with cached password: %@", account->user_public); - debugDumpUserParameters(CFSTR("params"), account->user_key_parameters); + secnotice("keygen", "Got new parameters for public key - could not find or use cached password"); } account->circle_rings_retirements_need_attention = true; - SOSUpdateKeyInterest(account); + account->key_interests_need_updating = true; success = true; } 
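Review bot: The new `secnotice("keygen", "SOSAccountHandleParametersChange got new public key: %@", newKey);` and `debugDumpUserParameters(..., parameters)` lines log the incoming user public key and its derivation parameters at notice level, while the next hunk in this same function deliberately strips `account->user_public` from its log lines — the two changes pull in opposite directions. The parameters blob presumably carries the salt and work-factor material the password-derived key depends on, so unless debugDumpUserParameters is compiled out of release builds this belongs at secdebug, or the dump should be reduced to a digest of the parameters. A minimal change is `secdebug("keygen", "SOSAccountHandleParametersChange got new public key: %@", newKey);`.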
@@ -414,13 +428,14 @@ static const char *concordstring[] = { "kSOSConcordanceWeSigned", }; + bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospective_circle, bool writeUpdate, CFErrorRef *error) { bool success = true; bool haveOldCircle = true; const char *local_remote = writeUpdate ? "local": "remote"; - secnotice("signing", "start:[%s] %@", local_remote, prospective_circle); + secnotice("signing", "start:[%s]", local_remote); if (!account->user_public || !account->user_public_trusted) { SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Can't handle updates with no trusted public key here"), NULL, error); return false; @@ -437,7 +452,7 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv if(oldCircle == NULL) { SOSCreateErrorWithFormat(kSOSErrorIncompatibleCircle, NULL, error, NULL, CFSTR("Current Entry is NULL; rejecting %@"), prospective_circle); - secerror("##### Can't replace circle - we don't care about %@ ######", prospective_circle); + secerror("##### Can't replace circle - we don't care about it ######"); return false; } if (CFGetTypeID(oldCircle) != SOSCircleGetTypeID()) { @@ -451,8 +466,6 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv // SOSAccountDestroyCirclePeerInfo(account, oldCircle, NULL); } - SOSFullPeerInfoRef me_full = account->my_identity; - SOSPeerInfoRef me = SOSFullPeerInfoGetPeerInfo(me_full); SOSTransportCircleRef transport = account->circle_transport; 
@@ -460,6 +473,11 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv SOSCircleRef newCircle = SOSAccountCloneCircleWithRetirement(account, prospective_circle, error); if(!newCircle) return false; + SOSFullPeerInfoRef me_full = account->my_identity; + SOSPeerInfoRef me = SOSFullPeerInfoGetPeerInfo(me_full); + CFStringRef myPeerID = SOSPeerInfoGetPeerID(me); + myPeerID = (myPeerID) ? myPeerID: CFSTR("No Peer"); + if (me && SOSCircleUpdatePeerInfo(newCircle, me)) { writeUpdate = true; // If we update our peer in the new circle we should write it if we accept it. } @@ -511,7 +529,7 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv case kSOSConcordanceNoPeerSig: circle_action = accept; // We might like this one eventually but don't countersign. concStr = CFSTR("No trusted peer signature"); - secerror("##### No trusted peer signature found, accepting hoping for concordance later %@", newCircle); + secnotice("signing", "##### No trusted peer signature found, accepting hoping for concordance later"); break; case kSOSConcordanceNoPeer: circle_action = leave; @@ -528,7 +546,7 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv break; } - secnotice("signing", "Decided on action [%s] based on concordance state [%s] and [%s] circle.", actionstring[circle_action], concordstring[concstat], userTrustedOldCircle ? "trusted" : "untrusted"); + secnotice("signing", "Decided on action [%s] based on concordance state [%s] and [%s] circle. My PeerID is %@", actionstring[circle_action], concordstring[concstat], userTrustedOldCircle ? "trusted" : "untrusted", myPeerID); SOSCircleRef circleToPush = NULL; 
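Review bot: `CFStringRef myPeerID = SOSPeerInfoGetPeerID(me);` runs before the `if (me && ...)` guard on the next line, so `me` can be NULL here (SOSFullPeerInfoGetPeerInfo of an absent identity) and is passed to SOSPeerInfoGetPeerID; unless that accessor tolerates NULL, this trades a log detail for a crash on accounts without an identity. Guard it the way the rest of the function does: `CFStringRef myPeerID = me ? SOSPeerInfoGetPeerID(me) : NULL;` followed by the existing fallback to `CFSTR("No Peer")`. The enclosing SOSAccountHandleUpdateCircle starts and ends outside this hunk.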
@@ -544,9 +562,10 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv account->user_public, account->previous_public, old_circle_key); if (sosAccountLeaveCircle(account, newCircle, error)) { + secnotice("leaveCircle", "Leaving circle by newcircle state"); circleToPush = newCircle; } else { - secnotice("signing", "Can't leave circle %@, but dumping identities", oldCircle); + secnotice("signing", "Can't leave circle, but dumping identities"); success = false; } account->departure_code = leave_reason; @@ -566,15 +585,15 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv if (circle_action == countersign) { if (me && SOSCircleHasPeer(newCircle, me, NULL)) { if (SOSCircleVerifyPeerSigned(newCircle, me, NULL)) { - secnotice("signing", "Already concur with: %@", newCircle); + secnotice("signing", "Already concur with the new circle"); } else { CFErrorRef signing_error = NULL; if (me_full && SOSCircleConcordanceSign(newCircle, me_full, &signing_error)) { circleToPush = newCircle; - secnotice("signing", "Concurred with: %@", newCircle); + secnotice("signing", "Concurred with new circle"); } else { - secerror("Failed to concurrence sign, error: %@ Old: %@ New: %@", signing_error, oldCircle, newCircle); + secerror("Failed to concurrence sign, error: %@", signing_error); success = false; } CFReleaseSafe(signing_error); @@ -585,7 +604,7 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv writeUpdate = true; } } else { - secnotice("signing", "Not countersigning, not in circle: %@", newCircle); + secnotice("signing", "Not countersigning, not in new circle"); debugDumpCircle(CFSTR("circle to countersign"), newCircle); } circle_action = accept; 
@@ -636,7 +655,7 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv CFRetainAssign(account->trusted_circle, newCircle); SOSAccountSetPreviousPublic(account); - secnotice("signing", "%@, Accepting circle: %@", concStr, newCircle); + secnotice("signing", "%@, Accepting new circle", concStr); if (me && account->user_public_trusted && SOSCircleHasApplicant(oldCircle, me, NULL) @@ -646,7 +665,7 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv // We were applying and we weren't accepted. // Our application is declared lost, let us reapply. - secnotice("signing", "requesting readmission to circle %@", newCircle); + secnotice("signing", "requesting readmission to new circle"); if (SOSCircleRequestReadmission(newCircle, account->user_public, me, NULL)) writeUpdate = true; } @@ -661,7 +680,7 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv if (writeUpdate) circleToPush = newCircle; - SOSUpdateKeyInterest(account); + account->key_interests_need_updating = true; } /* 
@@ -672,21 +691,24 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv if (circle_action == revert) { if(haveOldCircle && me && SOSCircleHasActivePeer(oldCircle, me, NULL)) { - secnotice("signing", "%@, Rejecting: %@ re-publishing %@", concStr, newCircle, oldCircle); + secnotice("signing", "%@, Rejecting new circle, re-publishing old circle", concStr); debugDumpCircle(CFSTR("oldCircle"), oldCircle); debugDumpCircle(CFSTR("newCircle"), newCircle); circleToPush = oldCircle; } else { - secnotice("canary", "%@, Rejecting: %@ Have no old circle - would reset", concStr, newCircle); + secnotice("canary", "%@, Rejecting: new circle Have no old circle - would reset", concStr); } } if (circleToPush != NULL) { - secnotice("signing", "Pushing:[%s] %@", local_remote, circleToPush); + secnotice("signing", "Pushing:[%s]", local_remote); CFDataRef circle_data = SOSCircleCopyEncodedData(circleToPush, kCFAllocatorDefault, error); if (circle_data) { + // Ensure we flush changes + account->circle_rings_retirements_need_attention = true; + //recording circle we are pushing in KVS success &= SOSTransportCircleRecordLastCirclePushedInKVS(transport, SOSCircleGetName(circleToPush), circle_data); //posting new circle to peers @@ -699,5 +721,6 @@ bool SOSAccountHandleUpdateCircle(SOSAccountRef account, SOSCircleRef prospectiv CFReleaseSafe(newCircle); CFReleaseNull(emptyCircle); + return success; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountViewSync.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountViewSync.c new file mode 100644 index 00000000..185ca204 --- /dev/null +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountViewSync.c 
@@ -0,0 +1,379 @@ +// +// SOSAccountViews.c +// sec +// +// Created by Mitch Adler on 6/10/16. +// +// + + +#include <CoreFoundation/CoreFoundation.h> + +#include <Security/SecureObjectSync/SOSAccount.h> +#include "SOSViews.h" +#include "SOSAccountPriv.h" + +#include <utilities/SecCFWrappers.h> + +// +// MARK: Helpers +// + +static CFMutableSetRef SOSAccountCopyOtherPeersViews(SOSAccountRef account) { + __block CFMutableSetRef otherPeersViews = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); + SOSAccountForEachCirclePeerExceptMe(account, ^(SOSPeerInfoRef peer) { + SOSPeerInfoWithEnabledViewSet(peer, ^(CFSetRef enabled) { + CFSetUnion(otherPeersViews, enabled); + }); + }); + + return otherPeersViews; +} + +// +// MARK: Outstanding tracking +// + +CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccountRef account) { + CFSetRef initialSyncViews = SOSViewCopyViewSet(kViewSetAll); + CFMutableSetRef result = SOSAccountCopyIntersectionWithOustanding(account, initialSyncViews); + CFReleaseNull(initialSyncViews); + return result; +} + + +bool SOSAccountIsViewOutstanding(SOSAccountRef account, CFStringRef view) { + bool isOutstandingView; + + require_action_quiet(SOSAccountIsInCircle(account, NULL), done, isOutstandingView = true); + + CFTypeRef unsyncedObject = SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL); + require_action_quiet(unsyncedObject, done, isOutstandingView = false); + + CFBooleanRef unsyncedBool = asBoolean(unsyncedObject, NULL); + if (unsyncedBool) { + isOutstandingView = CFBooleanGetValue(unsyncedBool); + } else { + CFSetRef unsyncedSet = asSet(unsyncedObject, NULL); + isOutstandingView = unsyncedSet && CFSetContainsValue(unsyncedSet, view); + } + +done: + return isOutstandingView; +} + +CFMutableSetRef SOSAccountCopyIntersectionWithOustanding(SOSAccountRef account, CFSetRef inSet) { + CFTypeRef unsyncedObject = SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL); + CFMutableSetRef result = NULL; + + 
require_quiet(SOSAccountIsInCircle(account, NULL), done); + + CFBooleanRef unsyncedBool = asBoolean(unsyncedObject, NULL); + if (unsyncedBool) { + if (!CFBooleanGetValue(unsyncedBool)) { + result = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); + } + } else { + CFSetRef unsyncedSet = asSet(unsyncedObject, NULL); + if (unsyncedSet) { + result = CFSetCreateIntersection(kCFAllocatorDefault, unsyncedSet, inSet); + } else { + result = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); + } + } + +done: + if (result == NULL) { + result = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, inSet); + } + + return result; +} + +bool SOSAccountIntersectsWithOutstanding(SOSAccountRef account, CFSetRef views) { + CFSetRef nonInitiallySyncedViews = SOSAccountCopyIntersectionWithOustanding(account, views); + bool intersects = !CFSetIsEmpty(nonInitiallySyncedViews); + CFReleaseNull(nonInitiallySyncedViews); + return intersects; +} + +bool SOSAccountHasOustandingViews(SOSAccountRef account) { + bool hasOutstandingViews; + + require_action_quiet(SOSAccountIsInCircle(account, NULL), done, hasOutstandingViews = true); + + CFTypeRef unsyncedObject = SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL); + require_action_quiet(unsyncedObject, done, hasOutstandingViews = false); + + CFBooleanRef unsyncedBool = asBoolean(unsyncedObject, NULL); + if (unsyncedBool) { + hasOutstandingViews = CFBooleanGetValue(unsyncedBool); + } else { + hasOutstandingViews = isSet(unsyncedBool); + } + +done: + return hasOutstandingViews; +} + + +// +// MARK: Initial sync functions +// + +static bool SOSAccountHasCompletedInitialySyncWithSetKind(SOSAccountRef account, ViewSetKind setKind) { + CFSetRef viewSet = SOSViewCopyViewSet(setKind); + bool completedSync = !SOSAccountIntersectsWithOutstanding(account, viewSet); + CFReleaseNull(viewSet); + + return completedSync; +} + +bool SOSAccountHasCompletedInitialSync(SOSAccountRef account) { + return SOSAccountHasCompletedInitialySyncWithSetKind(account, 
kViewSetInitial); +} + +bool SOSAccountHasCompletedRequiredBackupSync(SOSAccountRef account) { + return SOSAccountHasCompletedInitialySyncWithSetKind(account, kViewSetRequiredForBackup); +} + + + + +// +// MARK: Handling initial sync being done +// + +static bool SOSAccountResolvePendingViewSets(SOSAccountRef account, CFErrorRef *error) { + bool status = SOSAccountUpdateViewSets(account, + asSet(SOSAccountGetValue(account, kSOSPendingEnableViewsToBeSetKey, NULL), NULL), + asSet(SOSAccountGetValue(account, kSOSPendingDisableViewsToBeSetKey, NULL), NULL)); + if(status){ + SOSAccountClearValue(account, kSOSPendingEnableViewsToBeSetKey, NULL); + SOSAccountClearValue(account, kSOSPendingDisableViewsToBeSetKey, NULL); + + secnotice("views","updated view sets!"); + } + else{ + secerror("Could not update view sets"); + } + return status; +} + +static void SOSAccountCallInitialSyncBlocks(SOSAccountRef account) { + CFDictionaryRef syncBlocks = NULL; + CFTransferRetained(syncBlocks, account->waitForInitialSync_blocks); + + if (syncBlocks) { + CFDictionaryForEach(syncBlocks, ^(const void *key, const void *value) { + secnotice("updates", "calling in sync block [%@]", key); + ((SOSAccountWaitForInitialSyncBlock)value)(account); + }); + } + CFReleaseNull(syncBlocks); +} + + +static void SOSAccountHandleRequiredBackupSyncDone(SOSAccountRef account) { + secnotice("initial-sync", "Handling Required Backup Sync done"); +} + +static void SOSAccountHandleInitialSyncDone(SOSAccountRef account) { + secnotice("initial-sync", "Handling initial sync done."); + + if(!SOSAccountResolvePendingViewSets(account, NULL)) + secnotice("initial-sync", "Account could not add the pending view sets"); + + SOSAccountCallInitialSyncBlocks(account); +} + + + +// +// MARK: Waiting for in-sync +// +static CFStringRef CreateUUIDString() { + CFUUIDRef uuid = CFUUIDCreate(kCFAllocatorDefault); + CFStringRef result = CFUUIDCreateString(kCFAllocatorDefault, uuid); + CFReleaseNull(uuid); + return result; +} + 
+CFStringRef SOSAccountCallWhenInSync(SOSAccountRef account, SOSAccountWaitForInitialSyncBlock syncBlock) { + //if we are not initially synced + CFStringRef id = NULL; + CFTypeRef unSyncedViews = SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL); + if (unSyncedViews != NULL) { + id = CreateUUIDString(); + secnotice("initial-sync", "adding sync block [%@] to array!", id); + SOSAccountWaitForInitialSyncBlock copy = Block_copy(syncBlock); + if (account->waitForInitialSync_blocks == NULL) { + account->waitForInitialSync_blocks = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + } + CFDictionarySetValue(account->waitForInitialSync_blocks, id, copy); + Block_release(copy); + } else { + syncBlock(account); + } + + return id; +} + +bool SOSAccountUnregisterCallWhenInSync(SOSAccountRef account, CFStringRef id) { + if (account->waitForInitialSync_blocks == NULL) return false; + + bool removed = CFDictionaryGetValueIfPresent(account->waitForInitialSync_blocks, id, NULL); + CFDictionaryRemoveValue(account->waitForInitialSync_blocks, id); + return removed; +} + +static void performWithInitialSyncDescription(CFTypeRef object, void (^action)(CFStringRef description)) { + CFSetRef setObject = asSet(object, NULL); + if (setObject) { + CFStringSetPerformWithDescription(setObject, action); + } else { + CFStringRef format = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@"), object); + action(format); + CFReleaseNull(format); + } +} + +static bool CFSetIntersectionWentEmpty(CFSetRef interestingSet, CFSetRef before, CFSetRef after) { + return ((before != NULL) && !CFSetIntersectionIsEmpty(interestingSet, before)) && + ((after == NULL) || CFSetIntersectionIsEmpty(interestingSet, after)); +} + +static bool SOSViewIntersectionWentEmpty(ViewSetKind kind, CFSetRef before, CFSetRef after) { + CFSetRef kindSet = SOSViewCopyViewSet(kind); + bool result = CFSetIntersectionWentEmpty(kindSet, before, after); + CFReleaseNull(kindSet); + return result; +} + +bool 
SOSAccountHandleOutOfSyncUpdate(SOSAccountRef account, CFSetRef oldOOSViews, CFSetRef newOOSViews) { + bool actionTaken = false; + + if (SOSViewIntersectionWentEmpty(kViewSetInitial, oldOOSViews, newOOSViews)) { + SOSAccountHandleInitialSyncDone(account); + actionTaken = true; + } + + if (SOSViewIntersectionWentEmpty(kViewSetRequiredForBackup, oldOOSViews, newOOSViews)) { + SOSAccountHandleRequiredBackupSyncDone(account); + actionTaken = true; + } + return actionTaken; +} + +void SOSAccountUpdateOutOfSyncViews(SOSAccountTransactionRef aTxn, CFSetRef viewsInSync) { + SOSAccountRef account = aTxn->account; + SOSCCStatus circleStatus = SOSAccountGetCircleStatus(account, NULL); + bool inOrApplying = (circleStatus == kSOSCCInCircle) || (circleStatus == kSOSCCRequestPending); + + CFTypeRef unsyncedObject = SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL); + __block CFTypeRef newUnsyncedObject = CFRetainSafe(unsyncedObject); + + CFSetRef unsyncedSet = NULL; + CFMutableSetRef newUnsyncedSet = NULL; + + performWithInitialSyncDescription(viewsInSync, ^(CFStringRef viewsInSyncDescription) { + secnotice("initial-sync", "Views in sync: %@", viewsInSyncDescription); + }); + + + if (!inOrApplying) { + if (unsyncedObject != NULL) { + secnotice("initial-sync", "not in circle nor applying: clearing pending"); + CFReleaseNull(newUnsyncedObject); + } + } else if (circleStatus == kSOSCCInCircle) { + if (unsyncedObject == kCFBooleanTrue) { + unsyncedSet = SOSViewCopyViewSet(kViewSetAll); + CFAssignRetained(newUnsyncedObject, CFSetCreateCopy(kCFAllocatorDefault, unsyncedSet)); + + secnotice("initial-sync", "Pending views setting to all we can expect."); + } else if (isSet(unsyncedObject)) { + unsyncedSet = (CFSetRef) CFRetainSafe(unsyncedObject); + } + + if (unsyncedSet) { + CFSetRef otherPeersViews = SOSAccountCopyOtherPeersViews(account); + + newUnsyncedSet = CFSetCreateIntersection(kCFAllocatorDefault, unsyncedSet, otherPeersViews); + + if (viewsInSync) { + 
CFSetSubtract(newUnsyncedSet, viewsInSync); + } + + CFRetainAssign(newUnsyncedObject, newUnsyncedSet); + CFReleaseNull(otherPeersViews); + } + + performWithInitialSyncDescription(newUnsyncedSet, ^(CFStringRef unsynced) { + secnotice("initial-sync", "Unsynced: %@", unsynced); + }); + } + + + if (isSet(newUnsyncedObject) && CFSetIsEmpty((CFSetRef) newUnsyncedObject)) { + secnotice("initial-sync", "Empty set, using NULL instead"); + CFReleaseNull(newUnsyncedObject); + } + + CFErrorRef localError = NULL; + if (!SOSAccountSetValue(account, kSOSUnsyncedViewsKey, newUnsyncedObject, &localError)) { + secnotice("initial-sync", "Failure saving new unsynced value: %@ value: %@", localError, newUnsyncedObject); + } + CFReleaseNull(localError); + + CFReleaseNull(newUnsyncedObject); + CFReleaseNull(newUnsyncedSet); + CFReleaseNull(unsyncedSet); +} + +void SOSAccountPeerGotInSync(SOSAccountTransactionRef aTxn, CFStringRef peerID, CFSetRef views) { + SOSAccountRef account = aTxn->account; + secnotice("initial-sync", "Peer %@ synced views: %@", peerID, views); + if (account->trusted_circle && SOSAccountIsInCircle(account, NULL) && SOSCircleHasActivePeerWithID(account->trusted_circle, peerID, NULL)) { + SOSAccountUpdateOutOfSyncViews(aTxn, views); + } +} + +static SOSEngineRef SOSAccountGetDataSourceEngine(SOSAccountRef account) { + return SOSDataSourceFactoryGetEngineForDataSourceName(account->factory, SOSCircleGetName(account->trusted_circle), NULL); +} + +void SOSAccountEnsureSyncChecking(SOSAccountRef account) { + if (!account->isListeningForSync) { + SOSEngineRef engine = SOSAccountGetDataSourceEngine(account); + + if (engine) { + secnotice("initial-sync", "Setting up notifications to monitor in-sync"); + SOSEngineSetSyncCompleteListenerQueue(engine, account->queue); + SOSEngineSetSyncCompleteListener(engine, ^(CFStringRef peerID, CFSetRef views) { + SOSAccountWithTransaction_Locked(account, ^(SOSAccountRef account, SOSAccountTransactionRef txn) { + SOSAccountPeerGotInSync(txn, 
peerID, views); + }); + }); + account->isListeningForSync = true; + } else { + secerror("Couldn't find engine to setup notifications!!!"); + } + } +} + +void SOSAccountCancelSyncChecking(SOSAccountRef account) { + if (account->isListeningForSync) { + SOSEngineRef engine = SOSAccountGetDataSourceEngine(account); + + if (engine) { + secnotice("initial-sync", "Cancelling notifications to monitor in-sync"); + SOSEngineSetSyncCompleteListenerQueue(engine, NULL); + SOSEngineSetSyncCompleteListener(engine, NULL); + } else { + secnotice("initial-sync", "No engine to cancel notification from."); + } + account->isListeningForSync = false; + } +} + diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.c index d3159b9f..2cd87920 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.c @@ -122,7 +122,9 @@ size_t der_sizeof_BackupSliceKeyBag(SOSBackupSliceKeyBagRef BackupSliceKeyBag, C size_t result = 0; require_quiet(SecRequirementError(BackupSliceKeyBag != NULL, error, CFSTR("Null BackupSliceKeyBag")), fail); + require_quiet(BackupSliceKeyBag != NULL, fail); // this is redundant with what happens in SecRequirementError, but the analyzer can't understand that. require_quiet(SecRequirementError(BackupSliceKeyBag->aks_bag != NULL, error, CFSTR("null aks_bag in BackupSliceKeyBag")), fail); + require_quiet(BackupSliceKeyBag->aks_bag != NULL, fail); // this is redundant with what happens in SecRequirementError, but the analyzer can't understand that. size_t bag_size = der_sizeof_data(BackupSliceKeyBag->aks_bag, error); require_quiet(bag_size, fail); 
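Review bot: `SOSAccountHasOustandingViews` tests the wrong object in its fallback: `hasOutstandingViews = isSet(unsyncedBool);` executes only when `asBoolean` returned NULL, so `unsyncedBool` is always NULL there and the function reports no outstanding views whenever `kSOSUnsyncedViewsKey` holds a set. `SOSAccountIsViewOutstanding` just above inspects the set through `unsyncedObject`; this function should do the same, `hasOutstandingViews = isSet(unsyncedObject);`. Separately, `SOSAccountGetDataSourceEngine` passes `SOSCircleGetName(account->trusted_circle)` without the `account->trusted_circle &&` check that `SOSAccountPeerGotInSync` applies, so `SOSAccountEnsureSyncChecking` presumably needs the same guard before looking up the engine. Both functions are complete within this new-file hunk.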
@@ -145,7 +147,10 @@ uint8_t* der_encode_BackupSliceKeyBag(SOSBackupSliceKeyBagRef set, CFErrorRef *e if (der_end == NULL) return der_end; require_quiet(SecRequirementError(set != NULL, error, CFSTR("Null set passed to encode")), fail); - require_quiet(set, fail); // This should be removed when SecRequirementError can squelch analyzer warnings + require_quiet(set, fail); // Silence the NULL warning. + + require_quiet(SecRequirementError(set->aks_bag != NULL, error, CFSTR("Null set passed to encode")), fail); + require_quiet(set->aks_bag, fail); // Silence the warning. der_end = ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, der_encode_data(set->aks_bag, error, der, @@ -226,14 +231,26 @@ static CFDictionaryRef SOSBackupSliceKeyBagCopyWrappedKeys(SOSBackupSliceKeyBagR CFDataRef backupKey = SOSPeerInfoCopyBackupKey(pi); if (backupKey) { - CFDataRef wrappedKey = SOSCopyECWrapped(backupKey, secret, error); + CFErrorRef wrapError = NULL; + CFDataRef wrappedKey = SOSCopyECWrapped(backupKey, secret, &wrapError); if (wrappedKey) { CFDictionaryAddValue(wrappedKeys, id, wrappedKey); + CFDataPerformWithHexString(backupKey, ^(CFStringRef backupKeyString) { + CFDataPerformWithHexString(wrappedKey, ^(CFStringRef wrappedKeyString) { + secnotice("bskb", "Add for id: %@, bk: %@, wrapped: %@", id, backupKeyString, wrappedKeyString); + }); + }); } else { + CFDataPerformWithHexString(backupKey, ^(CFStringRef backupKeyString) { + secnotice("bskb", "Failed at id: %@, bk: %@ error: %@", id, backupKeyString, wrapError); + }); + CFErrorPropagate(wrapError, error); success = false; } CFReleaseNull(wrappedKey); CFReleaseNull(backupKey); + } else { + secnotice("bskb", "Skipping id %@, no backup key.", id); } } 
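Review bot: The new `aks_bag` requirement in `der_encode_BackupSliceKeyBag` reuses the message of the check above it, `CFSTR("Null set passed to encode")`, so a caller who hits it is told the set was NULL when in fact the set was present and its `aks_bag` was missing. Use a distinct message such as `CFSTR("Null aks_bag in set passed to encode")`, matching the wording `der_sizeof_BackupSliceKeyBag` uses for the same condition. The function continues past the hunk.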
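Review bot: The new `secnotice("bskb", …)` calls in `SOSBackupSliceKeyBagCopyWrappedKeys` write the full hex of `backupKey` and of `wrappedKey`, the backup-slice secret wrapped to that key, into the system log for every peer. Even if the wrapped blob is only recoverable by the holder of the matching private key, ciphertext of keybag-unwrapping material does not belong in a log that ends up in sysdiagnose bundles and bug reports; log the peer id and the byte lengths, or at most a digest of the blob, and keep the hex dumps out. Something like `secnotice("bskb", "Add for id: %@, bk len: %ld, wrapped len: %ld", id, (long)CFDataGetLength(backupKey), (long)CFDataGetLength(wrappedKey));` carries the same debugging value, and the failure branch can log `wrapError` alone. The loop sits inside a function that starts and ends outside the hunk.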
@@ -355,6 +372,14 @@ CFSetRef SOSBSKBGetPeers(SOSBackupSliceKeyBagRef backupSliceKeyBag){ return backupSliceKeyBag->peers; } +int SOSBSKBCountPeers(SOSBackupSliceKeyBagRef backupSliceKeyBag) { + return (int) CFSetGetCount(backupSliceKeyBag->peers); +} + +bool SOSBSKBPeerIsInKeyBag(SOSBackupSliceKeyBagRef backupSliceKeyBag, SOSPeerInfoRef pi) { + return CFSetGetValue(backupSliceKeyBag->peers, pi) != NULL; +} + bskb_keybag_handle_t SOSBSKBLoadLocked(SOSBackupSliceKeyBagRef backupSliceKeyBag, CFErrorRef *error) { diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h index 8a361143..bd8ce2e5 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h @@ -51,6 +51,9 @@ bool SOSBSKBIsDirect(SOSBackupSliceKeyBagRef backupSliceKeyBag); CFSetRef SOSBSKBGetPeers(SOSBackupSliceKeyBagRef backupSliceKeyBag); +int SOSBSKBCountPeers(SOSBackupSliceKeyBagRef backupSliceKeyBag); + +bool SOSBSKBPeerIsInKeyBag(SOSBackupSliceKeyBagRef backupSliceKeyBag, SOSPeerInfoRef pi); // Keybag fetching CFDataRef SOSBSKBCopyAKSBag(SOSBackupSliceKeyBagRef backupSliceKeyBag, CFErrorRef* error); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c index 9d86a5f1..5a40b8f6 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c @@ -43,6 +43,7 @@ #include <Security/SecKey.h> #include <Security/SecKeyPriv.h> +#include <utilities/SecBuffer.h> #include <utilities/SecCFWrappers.h> #include <Security/SecureObjectSync/SOSCirclePriv.h> 
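Review bot: `SOSBSKBCountPeers` and `SOSBSKBPeerIsInKeyBag` are added to the public header without any comment, while the implementation shows that `SOSBSKBPeerIsInKeyBag` is a `CFSetGetValue` lookup, i.e. membership by CF equality of the `SOSPeerInfoRef` rather than by peer id, and that neither function checks `backupSliceKeyBag` for NULL the way the `der_*` functions in this file do. Document the contract on the declarations, e.g. `// Number of peers whose backup keys are wrapped in this bag.` above `SOSBSKBCountPeers` and `// True if pi (compared by CFEqual, not by peer id) is one of the wrapped peers; backupSliceKeyBag must be non-NULL.` above `SOSBSKBPeerIsInKeyBag`.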
@@ -167,20 +168,32 @@ static bool SOSCircleDigestSet(const struct ccdigest_info *di, CFMutableSetRef s return result; } - -static bool SOSCircleHash(const struct ccdigest_info *di, SOSCircleRef circle, void *hash_result, CFErrorRef *error) { +static bool SOSCircleHashGenAndPeers(const struct ccdigest_info *di, SOSGenCountRef gen, CFMutableSetRef peers, void*hash_result, CFErrorRef *error) { ccdigest_di_decl(di, circle_digest); ccdigest_init(di, circle_digest); - int64_t gen = SOSCircleGetGenerationSint(circle); - ccdigest_update(di, circle_digest, sizeof(gen), &gen); - - SOSCircleDigestSet(di, circle->peers, hash_result, error); + int64_t generation = SOSGetGenerationSint(gen); + ccdigest_update(di, circle_digest, sizeof(generation), &generation); + + SOSCircleDigestSet(di, peers, hash_result, error); ccdigest_update(di, circle_digest, di->output_size, hash_result); ccdigest_final(di, circle_digest, hash_result); return true; } -static bool SOSCircleSetSignature(SOSCircleRef circle, SecKeyRef pubkey, CFDataRef signature, CFErrorRef *error) { +static bool SOSCircleHash(const struct ccdigest_info *di, SOSCircleRef circle, void *hash_result, CFErrorRef *error) { + return SOSCircleHashGenAndPeers(di, SOSCircleGetGeneration(circle), circle->peers, hash_result, error); +} + +static bool SOSCircleHashNextGenWithAdditionalPeer(const struct ccdigest_info *di, SOSCircleRef circle, SOSPeerInfoRef additionalPeer, void *hash_result, CFErrorRef *error) { + CFMutableSetRef peers = CFSetCreateMutableCopy(NULL, 0, circle->peers); + CFSetAddValue(peers, additionalPeer); + + SOSGenCountRef nextGen = SOSGenerationIncrementAndCreate(circle->generation); + + return SOSCircleHashGenAndPeers(di, nextGen, peers, hash_result, error); +} + +bool SOSCircleSetSignature(SOSCircleRef circle, SecKeyRef pubkey, CFDataRef signature, CFErrorRef *error) { bool result = false; CFStringRef pubKeyID = SOSCopyIDOfKey(pubkey, error); 
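Review bot: `SOSCircleHashNextGenWithAdditionalPeer` leaks both objects it creates: `peers` comes from `CFSetCreateMutableCopy` and `nextGen` from `SOSGenerationIncrementAndCreate`, and neither is released before the return (by the Create rule both are caller-owned; confirm for the SOS helper). Capture the result and release: `bool ok = SOSCircleHashGenAndPeers(di, nextGen, peers, hash_result, error); CFReleaseNull(nextGen); CFReleaseNull(peers); return ok;`. Note also that `SOSCircleHashGenAndPeers` still discards the return of `SOSCircleDigestSet` and returns `true` unconditionally, so a digest failure reported through `error` is silently folded into the hash; a `require_quiet(SOSCircleDigestSet(di, peers, hash_result, error), fail)` would fit while the function is being reshaped. The hunk ends inside `SOSCircleSetSignature`, which continues past it.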
@@ -198,7 +211,7 @@ static bool SOSCircleRemoveSignatures(SOSCircleRef circle, CFErrorRef *error) { return true; } -static CFDataRef SOSCircleGetSignature(SOSCircleRef circle, SecKeyRef pubkey, CFErrorRef *error) { +CFDataRef SOSCircleGetSignature(SOSCircleRef circle, SecKeyRef pubkey, CFErrorRef *error) { CFStringRef pubKeyID = SOSCopyIDOfKey(pubkey, error); CFDataRef result = NULL; require_quiet(pubKeyID, fail); 
@@ -212,30 +225,66 @@ fail: return result; } +#define circle_signature_di() ccsha256_di() + +static CFDataRef SecKeyCopyRawHashSignature(const struct ccdigest_info *di, const uint8_t* hashToSign, SecKeyRef privKey, CFErrorRef *error) { + CFDataRef result = NULL; + + CFMutableDataRef signature = CFDataCreateMutableWithScratch(kCFAllocatorDefault, SecKeyGetSize(privKey, kSecKeySignatureSize)); + size_t signatureSpace = CFDataGetLength(signature); + + OSStatus status = SecKeyRawSign(privKey, kSecPaddingNone, hashToSign, di->output_size, CFDataGetMutableBytePtr(signature), &signatureSpace); + require_quiet(SecError(status, error, CFSTR("Signing failed: %d"), status), fail); + + if (signatureSpace < (size_t)CFDataGetLength(signature)) { + CFDataSetLength(signature, signatureSpace); + } + + CFTransferRetained(result, signature); +fail: + CFReleaseNull(signature); + return result; +} + bool SOSCircleSign(SOSCircleRef circle, SecKeyRef privKey, CFErrorRef *error) { - if (!privKey) return false; // Really assertion but not always true for now. - CFAllocatorRef allocator = CFGetAllocator(circle); - uint8_t tmp[4096]; - size_t tmplen = 4096; - const struct ccdigest_info *di = ccsha256_di(); - uint8_t hash_result[di->output_size]; - - SOSCircleHash(di, circle, hash_result, error); - OSStatus stat = SecKeyRawSign(privKey, kSecPaddingNone, hash_result, di->output_size, tmp, &tmplen); - if(stat) { - // TODO - Create a CFErrorRef; - secerror("Bad Circle SecKeyRawSign, stat: %ld", (long)stat); - SOSCreateError(kSOSErrorBadFormat, CFSTR("Bad Circle SecKeyRawSign"), (error != NULL) ? 
*error : NULL, error); - return false; - }; - CFDataRef signature = CFDataCreate(allocator, tmp, tmplen); - SecKeyRef publicKey = SecKeyCreatePublicFromPrivate(privKey); - SOSCircleSetSignature(circle, publicKey, signature, error); - CFReleaseNull(publicKey); - CFRelease(signature); - return true; + const struct ccdigest_info *di = circle_signature_di(); + + __block CFDataRef signature = NULL; + bool didSign = false; + require_quiet(privKey, fail); + + PerformWithBuffer(di->output_size, ^(size_t size, uint8_t *hash_result) { + if (SOSCircleHash(di, circle, hash_result, error)) { + signature = SecKeyCopyRawHashSignature(di, hash_result, privKey, error); + } + }); + require_quiet(signature, fail); + require_quiet(SOSCircleSetSignature(circle, privKey, signature, error), fail); + + didSign = true; + +fail: + CFReleaseNull(signature); + return didSign; +} + +CFDataRef SOSCircleCopyNextGenSignatureWithPeerAdded(SOSCircleRef circle, SOSPeerInfoRef peer, SecKeyRef privKey, CFErrorRef *error) { + const struct ccdigest_info *di = circle_signature_di(); + + __block CFDataRef signature = NULL; + require_quiet(privKey, fail); + + PerformWithBuffer(di->output_size, ^(size_t size, uint8_t *hash_result) { + if (SOSCircleHashNextGenWithAdditionalPeer(di, circle, peer, hash_result, error)) { + signature = SecKeyCopyRawHashSignature(di, hash_result, privKey, error); + } + }); + +fail: + return signature; } + static bool SOSCircleConcordanceRingSign(SOSCircleRef circle, SecKeyRef privKey, CFErrorRef *error) { secnotice("Development", "SOSCircleEnsureRingConsistency requires ring signing op", NULL); return true; 
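Review bot: `SOSCircleSign` now passes `privKey` straight into `SOSCircleSetSignature(circle, privKey, signature, error)`, whereas the removed code derived `SecKeyCreatePublicFromPrivate(privKey)` first; `SOSCircleSetSignature` files the signature under `SOSCopyIDOfKey(pubkey, …)` and `SOSCircleVerify` looks it up with the public key. Unless `SOSCopyIDOfKey` is guaranteed to yield the same identifier for a private key and its public half (not visible here), signatures written by this path will not be found at verification time. Either restore the derivation, `SecKeyRef publicKey = SecKeyCreatePublicFromPrivate(privKey);`, pass that and release it after the call, or add a comment at the call site stating that the key id is identical for both halves. In `SecKeyCopyRawHashSignature`, `CFDataGetLength(signature)` is also reached before checking that `CFDataCreateMutableWithScratch` returned non-NULL; a `require_quiet(signature, fail)` before it would close that path.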
@@ -262,13 +311,17 @@ bool SOSCircleVerify(SOSCircleRef circle, SecKeyRef pubKey, CFErrorRef *error) { CFDataRef signature = SOSCircleGetSignature(circle, pubKey, error); if(!signature) return false; - return SecKeyRawVerify(pubKey, kSecPaddingNone, hash_result, di->output_size, - CFDataGetBytePtr(signature), CFDataGetLength(signature)) == errSecSuccess; + return SecError(SecKeyRawVerify(pubKey, kSecPaddingNone, hash_result, di->output_size, + CFDataGetBytePtr(signature), CFDataGetLength(signature)), error, CFSTR("Signature verification failed."));; } bool SOSCircleVerifyPeerSigned(SOSCircleRef circle, SOSPeerInfoRef peer, CFErrorRef *error) { - SecKeyRef pub_key = SOSPeerInfoCopyPubKey(peer); - bool result = SOSCircleVerify(circle, pub_key, error); + bool result = false; + SecKeyRef pub_key = SOSPeerInfoCopyPubKey(peer, error); + require_quiet(pub_key, fail); + + result = SOSCircleVerify(circle, pub_key, error); +fail: CFReleaseSafe(pub_key); return result; } 
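Review bot: The rewritten return in `SOSCircleVerify` ends with a doubled semicolon, `… CFSTR("Signature verification failed."));;`, which reads as a leftover from the edit; drop one. Routing the `SecKeyRawVerify` status through `SecError` so callers receive a CFError is otherwise fine, and the added `require_quiet(pub_key, fail)` in `SOSCircleVerifyPeerSigned` closes the NULL-key path the old code had.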
@@ -371,59 +424,72 @@ fail: return false; } - -bool SOSCircleGenerationSign(SOSCircleRef circle, SecKeyRef user_approver, SOSFullPeerInfoRef peerinfo, CFErrorRef *error) { - SecKeyRef publicKey = NULL; - +bool SOSCirclePreGenerationSign(SOSCircleRef circle, SecKeyRef userPubKey, CFErrorRef *error) { + bool retval = false; + SOSCircleRemoveRetired(circle, error); // Prune off retirees since we're signing this one CFSetRemoveAllValues(circle->rejected_applicants); // Dump rejects so we clean them up sometime. - publicKey = SecKeyCreatePublicFromPrivate(user_approver); - SOSCircleRejectNonValidApplicants(circle, publicKey); - SOSCircleGenerationIncrement(circle); - require_quiet(SOSCircleEnsureRingConsistency(circle, error), fail); - require_quiet(SOSCircleRemoveSignatures(circle, error), fail); + SOSCircleRejectNonValidApplicants(circle, userPubKey); - if (SOSCircleCountPeers(circle) != 0) { - SecKeyRef ourKey = SOSFullPeerInfoCopyDeviceKey(peerinfo, error); - require_quiet(ourKey, fail); + require_quiet(SOSCircleRemoveSignatures(circle, error), errOut); + + retval = true; - // Check if we're using an invalid peerinfo for this op. There are cases where we might not be "upgraded". - require_quiet(SOSCircleUpgradePeerInfo(circle, user_approver, peerinfo), fail); +errOut: + return retval; + +} - require_quiet(SOSCircleSign(circle, user_approver, error), fail); - require_quiet(SOSCircleSign(circle, ourKey, error), fail); +static bool SOSCircleGenerationSign_Internal(SOSCircleRef circle, SecKeyRef userKey, SOSFullPeerInfoRef fpi, CFErrorRef *error) { + // require_quiet(SOSCircleEnsureRingConsistency(circle, error), fail); Placeholder - this was never implemented + bool retval = false; + if (SOSCircleCountPeers(circle) != 0) { + SecKeyRef ourKey = SOSFullPeerInfoCopyDeviceKey(fpi, error); + require_quiet(ourKey, errOut); + + // Check if we're using an invalid peerinfo for this op. There are cases where we might not be "upgraded". 
+ require_quiet(SOSCircleUpgradePeerInfo(circle, userKey, fpi), errOut); + + require_quiet(SOSCircleSign(circle, userKey, error), errOut); + require_quiet(SOSCircleSign(circle, ourKey, error), errOut); CFReleaseNull(ourKey); } - - CFReleaseNull(publicKey); - return true; + retval = true; -fail: - CFReleaseNull(publicKey); - return false; +errOut: + return retval; } -bool SOSCircleGenerationUpdate(SOSCircleRef circle, SecKeyRef user_approver, SOSFullPeerInfoRef peerinfo, CFErrorRef *error) { - - return SOSCircleGenerationSign(circle, user_approver, peerinfo, error); - -#if 0 - bool success = false; - - SecKeyRef ourKey = SOSFullPeerInfoCopyDeviceKey(peerinfo, error); - require_quiet(ourKey, fail); +bool SOSCircleGenerationSign(SOSCircleRef circle, SecKeyRef userKey, SOSFullPeerInfoRef fpi, CFErrorRef *error) { + bool retval = false; + SecKeyRef publicKey = NULL; + publicKey = SecKeyCreatePublicFromPrivate(userKey); - require_quiet(SOSCircleSign(circle, user_approver, error), fail); - require_quiet(SOSCircleSign(circle, ourKey, error), fail); + require_quiet(SOSCirclePreGenerationSign(circle, publicKey, error), errOut); + SOSCircleGenerationIncrement(circle); + require_quiet(SOSCircleGenerationSign_Internal(circle, userKey, fpi, error), errOut); + retval = true; + +errOut: + CFReleaseNull(publicKey); + return retval; +} - success = true; -fail: - CFReleaseNull(ourKey); - return success; -#endif +static bool SOSCircleGenerationSignWithGenCount(SOSCircleRef circle, SecKeyRef userKey, SOSFullPeerInfoRef fpi, SOSGenCountRef gencount, CFErrorRef *error) { + bool retval = false; + SOSGenCountRef currentGen = SOSCircleGetGeneration(circle); + require_action_quiet(SOSGenerationIsOlder(currentGen, gencount), errOut, SOSCreateError(kSOSErrorReplay, CFSTR("Generation Count for new circle is too old"), NULL, error)); + require_quiet(SOSCirclePreGenerationSign(circle, userKey, error), errOut); + SOSCircleSetGeneration(circle, gencount); + 
require_quiet(SOSCircleGenerationSign_Internal(circle, userKey, fpi, error), errOut); + retval = true; + +errOut: + return retval; } + bool SOSCircleConcordanceSign(SOSCircleRef circle, SOSFullPeerInfoRef peerinfo, CFErrorRef *error) { bool success = false; SecKeyRef ourKey = SOSFullPeerInfoCopyDeviceKey(peerinfo, error); @@ -439,7 +505,8 @@ exit: static inline SOSConcordanceStatus CheckPeerStatus(SOSCircleRef circle, SOSPeerInfoRef peer, SecKeyRef user_public_key, CFErrorRef *error) { SOSConcordanceStatus result = kSOSConcordanceNoPeer; - SecKeyRef pubKey = SOSPeerInfoCopyPubKey(peer); + SecKeyRef pubKey = SOSPeerInfoCopyPubKey(peer, error); + require_quiet(pubKey, exit); require_action_quiet(SOSCircleHasActiveValidPeer(circle, peer, user_public_key, error), exit, result = kSOSConcordanceNoPeer); require_action_quiet(SOSCircleVerifySignatureExists(circle, pubKey, error), exit, result = kSOSConcordanceNoPeerSig); @@ -471,7 +538,7 @@ static inline bool SOSCircleIsEmpty(SOSCircleRef circle) { } static inline bool SOSCircleHasDegenerateGeneration(SOSCircleRef deGenCircle){ - int testPtr; + CFIndex testPtr; CFNumberRef genCountTest = SOSCircleGetGeneration(deGenCircle); CFNumberGetValue(genCountTest, kCFNumberCFIndexType, &testPtr); return (testPtr== 0); 
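Review bot: `SOSCircleGenerationSignWithGenCount` passes the private `userKey` into `SOSCirclePreGenerationSign(circle, userKey, error)`, whose parameter is named `userPubKey` and is forwarded to `SOSCircleRejectNonValidApplicants`, while `SOSCircleGenerationSign` in the same hunk derives `SecKeyCreatePublicFromPrivate(userKey)` first; the two paths therefore disagree on what applicant validation receives. Derive the public key there as well, `SecKeyRef userPub = SecKeyCreatePublicFromPrivate(userKey);` then `require_quiet(SOSCirclePreGenerationSign(circle, userPub, error), errOut);` and `CFReleaseNull(userPub)` at `errOut`. Separately, in `SOSCircleGenerationSign_Internal` the `ourKey` obtained from `SOSFullPeerInfoCopyDeviceKey` is released only on the success path; the two `require_quiet` failures after it jump to `errOut` and leak it, so declare `ourKey` before the `if` and move `CFReleaseNull(ourKey)` under the label. The commented-out `SOSCircleEnsureRingConsistency` placeholder would be clearer as a one-line `// TODO` than as dead code.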
@@ -505,13 +572,18 @@ static inline SOSConcordanceStatus GetSignersStatus(SOSCircleRef signers_circle, return status; } -// Is proposed older than current? -static inline bool isOlderGeneration(SOSCircleRef current, SOSCircleRef proposed) { - return CFNumberCompare(current->generation, proposed->generation, NULL) == kCFCompareGreaterThan; +// Is current older than proposed? +bool SOSCircleIsOlderGeneration(SOSCircleRef older, SOSCircleRef newer) { + return SOSGenerationIsOlder(older->generation, newer->generation); } static inline bool SOSCircleIsValidReset(SOSCircleRef current, SOSCircleRef proposed) { - return (!isOlderGeneration(current, proposed)) && SOSCircleIsEmpty(proposed); // is current older or equal to proposed and is proposed empty + bool retval = false; + retval = SOSCircleIsEmpty(proposed); + require_quiet(retval, errOut); + retval = SOSCircleIsOlderGeneration(current, proposed); +errOut: + return retval; } @@ -537,8 +609,8 @@ SOSConcordanceStatus SOSCircleConcordanceTrust(SOSCircleRef known_circle, SOSCir SecKeyRef known_pubkey, SecKeyRef user_pubkey, SOSPeerInfoRef me, CFErrorRef *error) { if(user_pubkey == NULL) { - SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Concordance with no public key"), NULL, error); - return kSOSConcordanceNoUserKey; //TODO: - needs to return an error + SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Concordance with no user public key"), NULL, error); + return kSOSConcordanceNoUserKey; } if(SOSCircleIsDegenerateReset(proposed_circle)) { 
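Review bot: `SOSCircleIsValidReset` now accepts an empty proposed circle only when `SOSCircleIsOlderGeneration(current, proposed)` holds, whereas the removed test `!isOlderGeneration(current, proposed)` also accepted an equal generation (its comment said "older or equal"). If `SOSGenerationIsOlder` is strict (not visible here), a reset published at the same generation as the known circle is now rejected, a behaviour change the commit does not mention; either confirm that is intended and say so in a comment on the function, or keep the equal case with an explicit equality check alongside the older check. The header comment on the new public helper, `// Is current older than proposed?`, should also name its parameters as written (`older`, `newer`) so the next reader does not repeat the direction confusion the old helper invited.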
@@ -550,12 +622,12 @@ SOSConcordanceStatus SOSCircleConcordanceTrust(SOSCircleRef known_circle, SOSCir } if(!SOSCircleVerifySignatureExists(proposed_circle, user_pubkey, error)) { - SOSCreateError(kSOSErrorBadSignature, CFSTR("No public signature"), (error != NULL) ? *error : NULL, error); + SOSCreateError(kSOSErrorBadSignature, CFSTR("No public signature to match current user key"), (error != NULL) ? *error : NULL, error); return kSOSConcordanceNoUserSig; } if(!SOSCircleVerify(proposed_circle, user_pubkey, error)) { - SOSCreateError(kSOSErrorBadSignature, CFSTR("Bad public signature"), (error != NULL) ? *error : NULL, error); + SOSCreateError(kSOSErrorBadSignature, CFSTR("Bad user public signature"), (error != NULL) ? *error : NULL, error); debugDumpCircle(CFSTR("proposed_circle"), proposed_circle); return kSOSConcordanceBadUserSig; } @@ -568,8 +640,8 @@ SOSConcordanceStatus SOSCircleConcordanceTrust(SOSCircleRef known_circle, SOSCir return GetSignersStatus(proposed_circle, proposed_circle, user_pubkey, NULL, error); } - if(isOlderGeneration(known_circle, proposed_circle)) { - SOSCreateError(kSOSErrorReplay, CFSTR("Bad generation"), NULL, error); + if(SOSCircleIsOlderGeneration(proposed_circle, known_circle)) { + SOSCreateError(kSOSErrorReplay, CFSTR("Bad generation - proposed circle gencount is older than known circle gencount"), NULL, error); debugDumpCircle(CFSTR("isOlderGeneration known_circle"), known_circle); debugDumpCircle(CFSTR("isOlderGeneration proposed_circle"), proposed_circle); return kSOSConcordanceGenOld; 
@@ -609,8 +681,8 @@ static CFMutableStringRef defaultDescription(CFTypeRef aObj){ if (SOSCircleVerifyPeerSigned(c, peer, NULL)) { sig = CFSTR("â"); } else { - SecKeyRef pub_key = SOSPeerInfoCopyPubKey(peer); - CFDataRef signature = SOSCircleGetSignature(c, pub_key, NULL); + SecKeyRef pub_key = SOSPeerInfoCopyPubKey(peer, NULL); + CFDataRef signature = pub_key ? SOSCircleGetSignature(c, pub_key, NULL) : NULL; sig = (signature == NULL) ? CFSTR("-") : CFSTR("?"); CFReleaseNull(pub_key); } @@ -663,8 +735,8 @@ static CFMutableStringRef descriptionWithFormatOptions(CFTypeRef aObj, CFDiction if (SOSCircleVerifyPeerSigned(c, peer, NULL)) { sig = CFSTR("â"); } else { - SecKeyRef pub_key = SOSPeerInfoCopyPubKey(peer); - CFDataRef signature = SOSCircleGetSignature(c, pub_key, NULL); + SecKeyRef pub_key = SOSPeerInfoCopyPubKey(peer, NULL); + CFDataRef signature = pub_key ? SOSCircleGetSignature(c, pub_key, NULL) : NULL; sig = (signature == NULL) ? CFSTR("-") : CFSTR("?"); CFReleaseNull(pub_key); } @@ -791,6 +863,16 @@ int SOSCircleCountActiveValidPeers(SOSCircleRef circle, SecKeyRef pubkey) { return count; } +int SOSCircleCountValidSyncingPeers(SOSCircleRef circle, SecKeyRef pubkey) { + SOSCircleAssertStable(circle); + __block int count = 0; + SOSCircleForEachValidSyncingPeer(circle, pubkey, ^(SOSPeerInfoRef peer) { + ++count; + }); + return count; + +} + int SOSCircleCountRetiredPeers(SOSCircleRef circle) { SOSCircleAssertStable(circle); __block int count = 0; 
@@ -900,6 +982,14 @@ bool SOSCircleResetToEmpty(SOSCircleRef circle, CFErrorRef *error) { SOSGenCountRef oldGen = SOSCircleGetGeneration(circle); SOSGenCountRef newGen = SOSGenerationCreateWithBaseline(oldGen); SOSCircleSetGeneration(circle, newGen); + CFReleaseSafe(newGen); + return true; +} + +bool SOSCircleResetToEmptyWithSameGeneration(SOSCircleRef circle, CFErrorRef *error) { + SOSGenCountRef gen = SOSGenerationCopy(SOSCircleGetGeneration(circle)); + SOSCircleResetToEmpty(circle, error); + SOSCircleSetGeneration(circle, gen); return true; } @@ -927,6 +1017,7 @@ static bool SOSCircleRecordAdmissionRequest(SOSCircleRef circle, SecKeyRef user_ require_action_quiet(!isPeer, fail, SOSCreateError(kSOSErrorAlreadyPeer, CFSTR("Cannot request admission when already a peer"), NULL, error)); + // This adds to applicants and will take off rejected if it's there. CFSetTransferObject(requestorPeerInfo, circle->rejected_applicants, circle->applicants); return true; @@ -1175,6 +1266,10 @@ void SOSCircleForEachValidPeer(SOSCircleRef circle, SecKeyRef user_public_key, v }); } +void SOSCircleForEachValidSyncingPeer(SOSCircleRef circle, SecKeyRef user_public_key, void (^action)(SOSPeerInfoRef peer)) { + SOSCircleForEachValidPeer(circle, user_public_key, action); +} + void SOSCircleForEachApplicant(SOSCircleRef circle, void (^action)(SOSPeerInfoRef peer)) { CFSetForEach(circle->applicants, ^(const void*value) { action((SOSPeerInfoRef) value); } ); } 
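Review bot: `SOSGenCountRef gen = SOSGenerationCopy(...)` in SOSCircleResetToEmptyWithSameGeneration is never released: SOSCircleSetGeneration evidently retains its argument (SOSCircleResetToEmpty releases `newGen` right after the same call in this hunk), so the copy leaks on every call. The return value of the inner SOSCircleResetToEmpty is also discarded while the function unconditionally reports true. Suggested tail: `bool ok = SOSCircleResetToEmpty(circle, error); SOSCircleSetGeneration(circle, gen); CFReleaseSafe(gen); return ok;`.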
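Review bot: SOSCircleForEachValidSyncingPeer simply forwards to SOSCircleForEachValidPeer with no additional filter, so the name promises a "syncing" restriction the code does not apply, and SOSCircleCountValidSyncingPeers (added in the earlier hunk of this file) inherits the same broader meaning. If the filter is still to come, a comment should say so, e.g. `// Currently identical to SOSCircleForEachValidPeer; no per-peer syncing check is applied yet.`, otherwise callers will assume a narrower set than they get.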
@@ -1265,3 +1360,63 @@ void debugDumpCircle(CFStringRef message, SOSCircleRef circle) { CFRelease(derdata); } } + +bool SOSCircleAcceptPeerFromHSA2(SOSCircleRef circle, SecKeyRef userKey, SOSGenCountRef gencount, SecKeyRef pPubKey, CFDataRef signature, SOSFullPeerInfoRef fpi, CFErrorRef *error) { + SOSPeerInfoRef peerInfo = SOSFullPeerInfoGetPeerInfo(fpi); + CFSetAddValue(circle->peers, peerInfo); + // Gen sign first, then add signature from our approver - remember gensign removes all existing sigs. + return SOSCircleGenerationSignWithGenCount(circle, userKey, fpi, gencount, error) && SOSCircleSetSignature(circle, pPubKey, signature, error) && SOSCircleVerify(circle, pPubKey, error); +} + + +/* + ccstatus: Not in Circle (1) + Account user public is trusted + Generation Count: [2016-05-19 15:53 4] + + */ + +void SOSCircleLogState(char *category, SOSCircleRef circle, SecKeyRef pubKey, CFStringRef myPID) { + if(!circle) return; + CFStringRef genString = SOSGenerationCountCopyDescription(SOSCircleGetGeneration(circle)); + char sigchr = 'v'; + if(pubKey && SOSCircleVerify(circle, pubKey, NULL)) { + sigchr = 'V'; + } + secnotice(category, "CIRCLE: [%20@] UserSigned: %c", genString, sigchr); + if(CFSetGetCount(circle->peers) == 0 ) + secnotice(category, "Peers In Circle: None"); + else{ + secnotice(category, "Peers In Circle:"); + SOSCircleForEachPeer(circle, ^(SOSPeerInfoRef peer) { + char sigchr = 'v'; + if (SOSCircleVerifyPeerSigned(circle, peer, NULL)) { + sigchr = 'V'; + } + SOSPeerInfoLogState(category, peer, pubKey, myPID, sigchr); + }); + } + + //applicants + if(CFSetGetCount(circle->applicants) == 0 ) + secnotice(category, "Applicants To Circle: None"); + else{ + secnotice(category, "Applicants To Circle:"); + + SOSCircleForEachApplicant(circle, ^(SOSPeerInfoRef peer) { + SOSPeerInfoLogState(category, peer, pubKey, myPID, 'v'); + }); + } + + //rejected + if(CFSetGetCount(circle->rejected_applicants) == 0) + secnotice(category, "Rejected Applicants To Circle: 
None"); + else{ + secnotice(category, "Rejected Applicants To Circle:"); + CFSetForEach(circle->rejected_applicants, ^(const void *value) { + SOSPeerInfoRef peer = (SOSPeerInfoRef) value; + SOSPeerInfoLogState(category, peer, pubKey, myPID, 'v'); + }); + } + CFReleaseNull(genString); +} diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h index 6c3eca1c..17479989 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h @@ -51,6 +51,8 @@ SOSCircleRef SOSCircleCreateFromDER(CFAllocatorRef allocator, CFErrorRef* error, SOSCircleRef SOSCircleCreateFromData(CFAllocatorRef allocator, CFDataRef circleData, CFErrorRef *error); SOSCircleRef SOSCircleCopyCircle(CFAllocatorRef allocator, SOSCircleRef otherCircle, CFErrorRef *error); +bool SOSCircleSetSignature(SOSCircleRef circle, SecKeyRef pubkey, CFDataRef signature, CFErrorRef *error); +CFDataRef SOSCircleGetSignature(SOSCircleRef circle, SecKeyRef pubkey, CFErrorRef *error); bool SOSCircleSign(SOSCircleRef circle, SecKeyRef privkey, CFErrorRef *error); bool SOSCircleVerifySignatureExists(SOSCircleRef circle, SecKeyRef pubKey, CFErrorRef *error); bool SOSCircleVerify(SOSCircleRef circle, SecKeyRef pubkey, CFErrorRef *error); @@ -58,7 +60,6 @@ bool SOSCircleVerify(SOSCircleRef circle, SecKeyRef pubkey, CFErrorRef *error); bool SOSCircleVerifyPeerSigned(SOSCircleRef circle, SOSPeerInfoRef peer, CFErrorRef *error); bool SOSCircleGenerationSign(SOSCircleRef circle, SecKeyRef user_approver, SOSFullPeerInfoRef peerinfo, CFErrorRef *error); -bool SOSCircleGenerationUpdate(SOSCircleRef circle, SecKeyRef user_approver, SOSFullPeerInfoRef peerinfo, CFErrorRef *error); bool SOSCircleSignOldStyleResetToOfferingCircle(SOSCircleRef circle, SOSFullPeerInfoRef peerinfo, SecKeyRef user_approver, CFErrorRef *error); 
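Review bot: SOSCircleAcceptPeerFromHSA2 adds `peerInfo` to `circle->peers` before signing, and if SOSCircleGenerationSignWithGenCount, SOSCircleSetSignature or SOSCircleVerify fails the peer stays in the set while the function reports false, leaving the caller with a circle that contains an unapproved member and carries stale or missing signatures. Either remove the peer again on the failure path, e.g. `if (!ok) CFSetRemoveValue(circle->peers, peerInfo);`, or document that the caller must discard the circle whenever false is returned. Separately, the inner block in SOSCircleLogState declares a second `char sigchr` that shadows the outer one, which -Wshadow will flag; a distinct name such as `peerSig` avoids the confusion, and `category` could be `const char *` since it is only handed to secnotice.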
@@ -97,6 +98,8 @@ SOSPeerInfoRef SOSCircleCopyPeerWithID(SOSCircleRef circle, CFStringRef peerid, int SOSCircleCountPeers(SOSCircleRef circle); int SOSCircleCountActivePeers(SOSCircleRef circle); int SOSCircleCountActiveValidPeers(SOSCircleRef circle, SecKeyRef pubkey); +int SOSCircleCountValidSyncingPeers(SOSCircleRef circle, SecKeyRef pubkey); + int SOSCircleCountRetiredPeers(SOSCircleRef circle); void SOSCircleForEachPeer(SOSCircleRef circle, void (^action)(SOSPeerInfoRef peer)); @@ -104,6 +107,7 @@ void SOSCircleForEachRetiredPeer(SOSCircleRef circle, void (^action)(SOSPeerInfo void SOSCircleForEachActivePeer(SOSCircleRef circle, void (^action)(SOSPeerInfoRef peer)); void SOSCircleForEachActiveValidPeer(SOSCircleRef circle, SecKeyRef user_public_key, void (^action)(SOSPeerInfoRef peer)); void SOSCircleForEachValidPeer(SOSCircleRef circle, SecKeyRef user_public_key, void (^action)(SOSPeerInfoRef peer)); +void SOSCircleForEachValidSyncingPeer(SOSCircleRef circle, SecKeyRef user_public_key, void (^action)(SOSPeerInfoRef peer)); bool SOSCircleHasPeerWithID(SOSCircleRef circle, CFStringRef peerid, CFErrorRef *error); @@ -115,6 +119,7 @@ bool SOSCircleHasActiveValidPeer(SOSCircleRef circle, SOSPeerInfoRef peerInfo, S bool SOSCircleResetToOffering(SOSCircleRef circle, SecKeyRef user_privkey, SOSFullPeerInfoRef requestor, CFErrorRef *error); bool SOSCircleResetToEmpty(SOSCircleRef circle, CFErrorRef *error); +bool SOSCircleResetToEmptyWithSameGeneration(SOSCircleRef circle, CFErrorRef *error); bool SOSCircleRequestAdmission(SOSCircleRef circle, SecKeyRef user_privkey, SOSFullPeerInfoRef requestor, CFErrorRef *error); bool SOSCircleRequestReadmission(SOSCircleRef circle, SecKeyRef user_pubkey, SOSPeerInfoRef requestor, CFErrorRef *error); 
@@ -146,15 +151,24 @@ bool SOSCircleConcordanceSign(SOSCircleRef circle, SOSFullPeerInfoRef peerinfo, bool SOSCircleSharedTrustedPeers(SOSCircleRef current, SOSCircleRef proposed, SOSPeerInfoRef me); +bool SOSCircleIsOlderGeneration(SOSCircleRef current, SOSCircleRef proposed); + SOSConcordanceStatus SOSCircleConcordanceTrust(SOSCircleRef known_circle, SOSCircleRef proposed_circle, SecKeyRef known_pubkey, SecKeyRef user_pubkey, SOSPeerInfoRef exclude, CFErrorRef *error); + +CFDataRef SOSCircleCopyNextGenSignatureWithPeerAdded(SOSCircleRef circle, SOSPeerInfoRef peer, SecKeyRef privKey, CFErrorRef *error); +bool SOSCirclePreGenerationSign(SOSCircleRef circle, SecKeyRef userPubKey, CFErrorRef *error); + // // Testing routines: // CFDataRef SOSCircleCreateIncompatibleCircleDER(CFErrorRef* error); void debugDumpCircle(CFStringRef message, SOSCircleRef circle); +void SOSCircleLogState(char *category, SOSCircleRef circle, SecKeyRef pubKey, CFStringRef myPID); + +bool SOSCircleAcceptPeerFromHSA2(SOSCircleRef circle, SecKeyRef userKey, SOSGenCountRef gencount, SecKeyRef pPubKey, CFDataRef signature, SOSFullPeerInfoRef fpi, CFErrorRef *error); __END_DECLS diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircleDer.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircleDer.c index f08cc17b..0bbe42bb 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircleDer.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircleDer.c 
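Review bot: The prototype `bool SOSCircleIsOlderGeneration(SOSCircleRef current, SOSCircleRef proposed);` names its parameters differently from the definition (`older, newer`) and from the call in SOSCircleConcordanceTrust, which passes `(proposed_circle, known_circle)`, so a reader of the header will get the direction of the comparison backwards. Rename the header parameters to match the definition and document the predicate: `// Returns true when older's generation count precedes newer's.` / `bool SOSCircleIsOlderGeneration(SOSCircleRef older, SOSCircleRef newer);`. The same hunk declares `SOSCircleLogState(char *category, ...)` with a non-const category string; `const char *category` documents that it is only read. The new SOSCircleCopyNextGenSignatureWithPeerAdded and SOSCirclePreGenerationSign prototypes carry no comment on ownership of the returned data or on what "pre-generation" signing means, which a header consumer cannot infer from the names.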
@@ -160,11 +160,7 @@ fail: CFDataRef SOSCircleCopyEncodedData(SOSCircleRef circle, CFAllocatorRef allocator, CFErrorRef *error) { - size_t size = SOSCircleGetDEREncodedSize(circle, error); - if (size == 0) - return NULL; - uint8_t buffer[size]; - uint8_t* start = SOSCircleEncodeToDER(circle, error, buffer, buffer + sizeof(buffer)); - CFDataRef result = CFDataCreate(kCFAllocatorDefault, start, size); - return result; + return CFDataCreateWithDER(kCFAllocatorDefault, SOSCircleGetDEREncodedSize(circle, error), ^uint8_t*(size_t size, uint8_t *buffer) { + return SOSCircleEncodeToDER(circle, error, buffer, (uint8_t *) buffer + size); + }); } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c index 701b5ad0..bc070180 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c @@ -58,10 +58,8 @@ #include <ipc/securityd_client.h> #include <securityd/spi.h> -#include "SOSRegressionUtilities.h" #include <Security/SecuritydXPC.h> -#include <SOSPeerInfoDER.h> -#include <SOSCloudKeychainClient.h> +#include "SOSPeerInfoDER.h" const char * kSOSCCCircleChangedNotification = "com.apple.security.secureobjectsync.circlechanged"; const char * kSOSCCViewMembershipChangedNotification = "com.apple.security.secureobjectsync.viewschanged"; @@ -177,7 +175,7 @@ static CFStringRef simple_cfstring_error_request(enum SecXPCOperation op, CFErro static bool simple_bool_error_request(enum SecXPCOperation op, CFErrorRef* error) { __block bool result = false; - + secdebug("sosops","enter - operation: %d", op); securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, __unused CFErrorRef *error) { result = xpc_dictionary_get_bool(response, kSecXPCKeyResult); 
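Review bot: The rewritten SOSCircleCopyEncodedData drops the explicit `if (size == 0) return NULL;` and hands `SOSCircleGetDEREncodedSize(circle, error)` straight to CFDataCreateWithDER, so correctness now rests on that helper treating a zero size as failure rather than allocating an empty buffer and invoking the encoder with `buffer == der_end`; its implementation is not in this diff and should be confirmed. Removing the `uint8_t buffer[size]` VLA is the right call, since the circle's DER size is data-dependent and the old stack allocation was unbounded. The cast in `(uint8_t *) buffer + size` is redundant because `buffer` is already `uint8_t *`; `buffer + size` reads cleaner.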
@@ -186,6 +184,21 @@ static bool simple_bool_error_request(enum SecXPCOperation op, CFErrorRef* error return result; } +static CFBooleanRef cfarray_to_cfboolean_error_request(enum SecXPCOperation op, CFArrayRef views, CFErrorRef* error) +{ + __block bool result = false; + + secdebug("sosops","enter - operation: %d", op); + bool noError = securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { + return SecXPCDictionarySetPList(message, kSecXPCKeyArray, views, error); + }, ^bool(xpc_object_t response, __unused CFErrorRef *error) { + result = xpc_dictionary_get_bool(response, kSecXPCKeyResult); + return true; + }); + return noError ? (result ? kCFBooleanTrue : kCFBooleanFalse) : NULL; +} + + static bool escrow_to_bool_error_request(enum SecXPCOperation op, CFStringRef escrow_label, uint64_t tries, CFErrorRef* error) { __block bool result = false; @@ -212,7 +225,7 @@ static bool escrow_to_bool_error_request(enum SecXPCOperation op, CFStringRef es return result; } -static CFArrayRef simple_array_error_request(enum SecXPCOperation op, CFErrorRef* error) +static CF_RETURNS_RETAINED CFArrayRef simple_array_error_request(enum SecXPCOperation op, CFErrorRef* error) { __block CFArrayRef result = NULL; 
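Review bot: In cfarray_to_cfboolean_error_request the response block returns true unconditionally, so a reply that carries no kSecXPCKeyResult entry (xpc_dictionary_get_bool then yields false) is reported as kCFBooleanFalse — "some view is not enabled" — instead of the NULL the header reserves for errors. Checking the key's presence keeps the three-valued contract honest, e.g. `xpc_object_t v = xpc_dictionary_get_value(response, kSecXPCKeyResult); result = v && xpc_bool_get_value(v); return v != NULL;`, assuming securityd_send_sync_and_do reports a false response handler as a failure, which is how `noError` is used here.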
@@ -486,6 +499,60 @@ static bool set_hsa2_autoaccept_error_request(enum SecXPCOperation op, CFDataRef return result; } + + +static bool cfdata_error_request_returns_bool(enum SecXPCOperation op, CFDataRef thedata, CFErrorRef *error) { + __block bool result = false; + + sec_trace_enter_api(NULL); + securityd_send_sync_and_do(op, error, ^(xpc_object_t message, CFErrorRef *error) { + xpc_object_t xdata = _CFXPCCreateXPCObjectFromCFObject(thedata); + bool success = false; + if (xdata) { + xpc_dictionary_set_value(message, kSecXPCData, xdata); + success = true; + xpc_release(xdata); + } + + return success; + }, ^(xpc_object_t response, __unused CFErrorRef *error) { + result = xpc_dictionary_get_bool(response, kSecXPCKeyResult); + return (bool)true; + }); + + return result; +} + + +static CFDataRef cfdata_error_request_returns_cfdata(enum SecXPCOperation op, CFDataRef thedata, CFErrorRef *error) { + __block CFDataRef result = NULL; + + sec_trace_enter_api(NULL); + securityd_send_sync_and_do(op, error, ^(xpc_object_t message, CFErrorRef *error) { + xpc_object_t xdata = _CFXPCCreateXPCObjectFromCFObject(thedata); + bool success = false; + if (xdata) { + xpc_dictionary_set_value(message, kSecXPCData, xdata); + success = true; + xpc_release(xdata); + } + return success; + }, ^(xpc_object_t response, __unused CFErrorRef *error) { + xpc_object_t temp_result = xpc_dictionary_get_value(response, kSecXPCKeyResult); + if (response && (NULL != temp_result)) { + CFTypeRef object = _CFXPCCreateCFObjectFromXPCObject(temp_result); + result = asData(object, error); + if (!result) { + CFReleaseNull(object); + } + } + return (bool) (result != NULL); + }); + + return result; +} + + bool SOSCCRequestToJoinCircle(CFErrorRef* error) { sec_trace_enter_api(NULL); 
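Review bot: In cfdata_error_request_returns_cfdata the response block calls `xpc_dictionary_get_value(response, kSecXPCKeyResult)` and only afterwards tests `if (response && ...)`, so the NULL check cannot protect the dereference it was written for; move it first, `if (response) { xpc_object_t temp_result = xpc_dictionary_get_value(response, kSecXPCKeyResult); ... }`, or drop it if securityd_send_sync_and_do guarantees a non-NULL response. Both new helpers also return false/NULL without touching `*error` when `_CFXPCCreateXPCObjectFromCFObject(thedata)` fails — including `thedata == NULL`, which SOSCCCopyCircleJoiningBlob can pass when encoding the applicant fails — so callers get a failure with no diagnostic unless the send wrapper fills one in. The two blocks that build the request message are byte-for-byte identical and could share a small static helper.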
@@ -506,6 +573,27 @@ bool SOSCCRequestToJoinCircleAfterRestore(CFErrorRef* error) }, NULL) } +bool SOSCCAccountHasPublicKey(CFErrorRef *error) +{ + + sec_trace_enter_api(NULL); + sec_trace_return_bool_api(^{ + do_if_registered(soscc_AccountHasPublicKey, error); + + return simple_bool_error_request(kSecXPCOpAccountHasPublicKey, error); + }, NULL) + +} + +bool SOSCCAccountIsNew(CFErrorRef *error) +{ + sec_trace_enter_api(NULL); + sec_trace_return_bool_api(^{ + do_if_registered(soscc_AccountIsNew, error); + + return simple_bool_error_request(kSecXPCOpAccountIsNew, error); + }, NULL) +} bool SOSCCWaitForInitialSync(CFErrorRef* error) { @@ -857,7 +945,7 @@ static SOSPeerInfoRef SOSSetNewPublicBackupKey(CFDataRef pubKey, CFErrorRef *err SOSPeerInfoRef SOSCCCopyMyPeerWithNewDeviceRecoverySecret(CFDataRef secret, CFErrorRef *error){ CFDataRef publicKeyData = SOSCopyDeviceBackupPublicKey(secret, error); - return SOSSetNewPublicBackupKey(publicKeyData, error); + return publicKeyData ? SOSSetNewPublicBackupKey(publicKeyData, error) : NULL; } bool SOSCCRegisterSingleRecoverySecret(CFDataRef aks_bag, bool forV0Only, CFErrorRef *error){ @@ -925,23 +1013,17 @@ static bool deviceid_to_bool_error_request(enum SecXPCOperation op, return true; }, ^bool(xpc_object_t response, CFErrorRef *error) { result = xpc_dictionary_get_bool(response, kSecXPCKeyResult); - if(result == false){ - xpc_object_t xpc_error = xpc_dictionary_get_value(response, kSecXPCKeyError); - if (xpc_error && error) { - *error = SecCreateCFErrorWithXPCObject(xpc_error); - } - } return result; }); return result; } -static int idsDict_to_bool_error_request(enum SecXPCOperation op, +static int idsDict_to_int_error_request(enum SecXPCOperation op, CFDictionaryRef IDS, CFErrorRef* error) { - __block int result = false; + __block int result = 0; securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { SecXPCDictionarySetPListOptional(message, kSecXPCKeyIDSMessage, IDS, error); 
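Review bot: SOSCCAccountHasPublicKey carries an empty line directly after its opening brace and another before its closing brace, unlike its sibling SOSCCAccountIsNew in the same hunk, which is otherwise identical line for line. Matching the sibling's layout — `{` followed directly by `sec_trace_enter_api(NULL);` and `}, NULL)` followed directly by `}` — keeps the two near-identical wrappers visually identical, which is what makes a later divergence between them easy to spot.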
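Review bot: In SOSCCCopyMyPeerWithNewDeviceRecoverySecret the `publicKeyData` obtained from SOSCopyDeviceBackupPublicKey — a Copy-rule return, so owned here — is passed to SOSSetNewPublicBackupKey and never released in this function; unless SOSSetNewPublicBackupKey consumes its argument (its body is outside this hunk) the data leaks on every call, and the new NULL guard does not change that. If it does not consume it, the body should be `SOSPeerInfoRef result = publicKeyData ? SOSSetNewPublicBackupKey(publicKeyData, error) : NULL; CFReleaseNull(publicKeyData); return result;`.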
@@ -951,7 +1033,7 @@ static int idsDict_to_bool_error_request(enum SecXPCOperation op, if ((temp_result >= INT32_MIN) && (temp_result <= INT32_MAX)) { result = (int)temp_result; } - return result; + return true; }); return result; @@ -1013,12 +1095,8 @@ bool SOSCCSetDeviceID(CFStringRef IDS, CFErrorRef* error) secnotice("sosops", "SOSCCSetDeviceID!! %@\n", IDS); sec_trace_enter_api(NULL); sec_trace_return_bool_api(^{ - CFErrorRef localError = NULL; - do_if_registered(soscc_SetDeviceID, IDS, &localError); - bool result = deviceid_to_bool_error_request(kSecXPCOpSetDeviceID, IDS, &localError); - if(localError){ - *error = CFRetainSafe(localError); - } + do_if_registered(soscc_SetDeviceID, IDS, error); + bool result = deviceid_to_bool_error_request(kSecXPCOpSetDeviceID, IDS, error); return result; }, NULL) } 
@@ -1059,7 +1137,27 @@ HandleIDSMessageReason SOSCCHandleIDSMessage(CFDictionaryRef IDS, CFErrorRef* er sec_trace_enter_api(NULL); sec_trace_return_api(HandleIDSMessageReason, ^{ do_if_registered(soscc_HandleIDSMessage, IDS, error); - return (HandleIDSMessageReason) idsDict_to_bool_error_request(kSecXPCOpHandleIDSMessage, IDS, error); + return (HandleIDSMessageReason) idsDict_to_int_error_request(kSecXPCOpHandleIDSMessage, IDS, error); + }, NULL) +} + +bool SOSCCRequestSyncWithPeerOverKVS(CFStringRef peerID, CFErrorRef *error) +{ + secnotice("sosops", "SOSCCRequestSyncWithPeerOverKVS!! %@\n", peerID); + sec_trace_enter_api(NULL); + sec_trace_return_bool_api(^{ + do_if_registered(soscc_requestSyncWithPeerOverKVS, peerID, error); + return deviceid_to_bool_error_request(kSecXPCOpSyncWithKVSPeer, peerID, error); + }, NULL) +} + +bool SOSCCRequestSyncWithPeerOverIDS(CFStringRef deviceID, CFErrorRef *error) +{ + secnotice("sosops", "SOSCCRequestSyncWithPeerOverIDS!! %@\n", deviceID); + sec_trace_enter_api(NULL); + sec_trace_return_bool_api(^{ + do_if_registered(soscc_requestSyncWithPeerOverIDS, deviceID, error); + return deviceid_to_bool_error_request(kSecXPCOpSyncWithIDSPeer, deviceID, error); }, NULL) } @@ -1284,7 +1382,7 @@ static bool sosIsViewSetSyncing(size_t n, CFStringRef *views) { } bool SOSCCIsIcloudKeychainSyncing(void) { - CFStringRef views[] = { kSOSViewKeychainV0 }; + CFStringRef views[] = { kSOSViewAutofillPasswords, kSOSViewSafariCreditCards }; return sosIsViewSetSyncing(1, views); } @@ -1308,6 +1406,12 @@ bool SOSCCIsWiFiSyncing(void) { return sosIsViewSetSyncing(1, views); } +bool SOSCCIsContinuityUnlockSyncing(void) { + CFStringRef views[] = { kSOSViewContinuityUnlock }; + return sosIsViewSetSyncing(1, views); +} + + bool SOSCCSetEscrowRecord(CFStringRef escrow_label, uint64_t tries, CFErrorRef *error ){ secnotice("escrow", "enter SOSCCSetEscrowRecord"); sec_trace_enter_api(NULL); 
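Review bot: SOSCCIsIcloudKeychainSyncing now lists two views, `kSOSViewAutofillPasswords` and `kSOSViewSafariCreditCards`, but still calls `sosIsViewSetSyncing(1, views)`, so only the first element is ever consulted and the credit-card view never influences the answer. Pass the array's real length: `return sosIsViewSetSyncing(sizeof views / sizeof views[0], views);`. Since every wrapper in this file hard-codes the count, the `sizeof` form also protects against the same slip when further views are added to one of them.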
@@ -1349,3 +1453,61 @@ bool SOSWrapToBackupSliceKeyBagForView(CFStringRef viewName, CFDataRef input, CF return cfstring_and_cfdata_to_cfdata_cfdata_error_request(kSecXPCOpWrapToBackupSliceKeyBagForView, viewName, input, output, bskbEncoded, error); }, NULL) } + + +SOSPeerInfoRef SOSCCCopyApplication(CFErrorRef *error) { + secnotice("hsa2PB", "enter SOSCCCopyApplication applicant"); + sec_trace_enter_api(NULL); + + sec_trace_return_api(SOSPeerInfoRef, ^{ + do_if_registered(soscc_CopyApplicant, error); + return peer_info_error_request(kSecXPCOpCopyApplication, error); + }, CFSTR("return=%@")); +} + +CFDataRef SOSCCCopyCircleJoiningBlob(SOSPeerInfoRef applicant, CFErrorRef *error) { + secnotice("hsa2PB", "enter SOSCCCopyCircleJoiningBlob approver"); + sec_trace_enter_api(NULL); + + sec_trace_return_api(CFDataRef, ^{ + CFDataRef result = NULL; + do_if_registered(soscc_CopyCircleJoiningBlob, applicant, error); + CFDataRef piData = SOSPeerInfoCopyEncodedData(applicant, kCFAllocatorDefault, error); + result = cfdata_error_request_returns_cfdata(kSecXPCOpCopyCircleJoiningBlob, piData, error); + CFReleaseNull(piData); + return result; + }, CFSTR("return=%@")); +} + +bool SOSCCJoinWithCircleJoiningBlob(CFDataRef joiningBlob, CFErrorRef *error) { + secnotice("hsa2PB", "enter SOSCCJoinWithCircleJoiningBlob applicant"); + sec_trace_enter_api(NULL); + sec_trace_return_bool_api(^{ + do_if_registered(soscc_JoinWithCircleJoiningBlob, joiningBlob, error); + + return cfdata_error_request_returns_bool(kSecXPCOpJoinWithCircleJoiningBlob, joiningBlob, error); + }, NULL) + + return false; +} + +bool SOSCCIsThisDeviceLastBackup(CFErrorRef *error) { + secnotice("peer", "enter SOSCCIsThisDeviceLastBackup"); + sec_trace_enter_api(NULL); + sec_trace_return_bool_api(^{ + do_if_registered(soscc_IsThisDeviceLastBackup, error); + + return simple_bool_error_request(kSecXPCOpIsThisDeviceLastBackup, error); + }, NULL) +} + +CFBooleanRef SOSCCPeersHaveViewsEnabled(CFArrayRef viewNames, CFErrorRef 
*error) { + secnotice("view-enabled", "enter SOSCCPeersHaveViewsEnabled"); + sec_trace_enter_api(NULL); + sec_trace_return_api(CFBooleanRef, ^{ + do_if_registered(soscc_SOSCCPeersHaveViewsEnabled, viewNames, error); + + return cfarray_to_cfboolean_error_request(kSecXPCOpPeersHaveViewsEnabled, viewNames, error); + }, CFSTR("return=%@")) +} + diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h index 3ce34a30..aee7a32f 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h @@ -218,6 +218,14 @@ bool SOSCCIsHomeKitSyncing(void); bool SOSCCIsWiFiSyncing(void); +/*! + @function SOSCCIsAlwaysOnNoInitialSyncSyncing + @abstract determines whether homekit keychain syncing is occuring (kSOSViewHomeKit) + @result true if we're in the circle. false otherwise. + */ + +bool SOSCCIsContinuityUnlockSyncing(void); + /*! @function SOSCCRequestToJoinCircle @abstract Requests that this device join the circle. @@ -428,7 +436,6 @@ bool SOSCCSetAutoAcceptInfo(CFDataRef autoaccept, CFErrorRef *error); */ bool SOSCCCheckPeerAvailability(CFErrorRef *error); - /*! @function SOSCCGetLastDepartureReason @abstract Returns the code of why you left the circle. @@ -443,7 +450,8 @@ enum DepartureReason { kSOSNeverAppliedToCircle, // We've never applied to a circle kSOSDiscoveredRetirement, // We discovered that we were retired. kSOSLostPrivateKey, // We lost our private key - // <-- add additional departure reason codes HERE! + kSOSPasswordChanged, // We lost our public key, password change? + // <-- add additional departure reason codes HERE! kSOSNumDepartureReasons, // ACHTUNG: this *MUST* be the last entry - ALWAYS! }; 
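Review bot: SOSCCJoinWithCircleJoiningBlob ends with a bare `return false;` after the `sec_trace_return_bool_api(^{ ... }, NULL)` invocation, which none of the neighbouring wrappers (SOSCCIsThisDeviceLastBackup, SOSCCAccountIsNew) carry; if the macro expands to a return the line is unreachable and misleading, and if it does not, the other wrappers are the ones missing one — either way the functions should agree, and deleting the stray line is the smaller change. SOSCCCopyCircleJoiningBlob also forwards a NULL `piData` to cfdata_error_request_returns_cfdata when SOSPeerInfoCopyEncodedData fails; an early `if (!piData) return NULL;` after the copy avoids a pointless XPC round trip that may overwrite the error already set.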
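Review bot: The new comment block above `bool SOSCCIsContinuityUnlockSyncing(void);` documents a different function — `@function SOSCCIsAlwaysOnNoInitialSyncSyncing` and "homekit keychain syncing (kSOSViewHomeKit)" — so HeaderDoc will attach the wrong name and description to the Continuity Unlock query. Replace the two lines with `@function SOSCCIsContinuityUnlockSyncing` / `@abstract determines whether Continuity Unlock keychain syncing is occurring (kSOSViewContinuityUnlock)`, keeping the @result line. The blank line inserted between the closing `*/` and the prototype also differs from the existing declarations in this header, which keep the comment and its prototype adjacent.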
@@ -479,10 +487,9 @@ CFStringRef SOSCCCopyIncompatibilityInfo(CFErrorRef *error); // -- Views that sync to os in (iOS in (7.1, 8.*) Mac OS in (10.9, 10.10)) peers // -// kSOSViewKeychainV0 - All items in the original iCloud Keychain are in this view +// kSOSViewKeychainV0 - All items in the original iCloud Keychain are in the views listed below // It is defined by the query: // class in (genp inet keys) and pdmn in (ak,ck,dk,aku,cku,dku) and vwht = NULL and tkid = NULL -extern const CFStringRef kSOSViewKeychainV0; // kSOSViewWiFi - class = genp and pdmn in (ak,ck,dk,aku,cku,dku) and vwht = NULL and agrp = apple and svce = AirPort extern const CFStringRef kSOSViewWiFi; @@ -495,6 +502,7 @@ extern const CFStringRef kSOSViewSafariCreditCards; // kSOSViewiCloudIdentity - class = keys and pdmn in (ak,ck,dk,aku,cku,dku) and vwht = NULL and agrp = com.apple.security.sos extern const CFStringRef kSOSViewiCloudIdentity; +// End of KeychainV0 views // kSOSViewBackupBagV0 - class = genp and and pdmn in (ak,ck,dk,aku,cku,dku) and vwht = NULL and agrp = com.apple.sbd // (LEAVE OUT FOR NOW) and svce = SecureBackupService pdmn = ak acct = SecureBackupPublicKeybag @@ -524,9 +532,12 @@ extern const CFStringRef kSOSViewPCSiCloudBackup; extern const CFStringRef kSOSViewPCSNotes; extern const CFStringRef kSOSViewPCSiMessage; extern const CFStringRef kSOSViewPCSFeldspar; +extern const CFStringRef kSOSViewPCSSharing; extern const CFStringRef kSOSViewAppleTV; extern const CFStringRef kSOSViewHomeKit; +extern const CFStringRef kSOSViewContinuityUnlock; +extern const CFStringRef kSOSViewAccessoryPairing; /*! @function SOSCCView 
@@ -633,6 +644,14 @@ SOSPeerInfoRef SOSCCCopyMyPeerWithNewDeviceRecoverySecret(CFDataRef secret, CFEr bool SOSCCRegisterSingleRecoverySecret(CFDataRef aks_bag, bool forV0Only, CFErrorRef *error); +/*! + @function SOSCCIsThisDeviceLastBackup + @param error Why this query can't be accepted. + @result true if this is the last backup device, false otherwise. + */ + +bool SOSCCIsThisDeviceLastBackup(CFErrorRef *error); + /*! @function SOSCCSetEscrowRecord @param escrow_label Account label 
@@ -654,6 +673,40 @@ bool SOSCCSetEscrowRecord(CFStringRef escrow_label, uint64_t tries, CFErrorRef * */ CFDictionaryRef SOSCCCopyEscrowRecord(CFErrorRef *error); +/*! + @function SOSCCCopyApplication + @param error What went wrong getting the applicant peerInfo. + @result PeerInfoRef that's an applicant peerinfo to be used as the start of an HSA2 piggyback entry. + */ + +SOSPeerInfoRef SOSCCCopyApplication(CFErrorRef *error); + +/*! + @function SOSCCCopyCircleJoiningBlob + @param applicant The peerInfo applicant to pre-approve for membership in the circle + @param error Why this peerInfo wasn't accepted. + @result DER blob containing the gencount and this peerkey signature of the current circle with the applicant as a member at the gencount. + */ +CFDataRef SOSCCCopyCircleJoiningBlob(SOSPeerInfoRef applicant, CFErrorRef *error); + +/*! + @function SOSCCJoinWithCircleJoiningBlob + @param joiningBlob DER blob to be used to create a suitable circle for this pre-approved peer to join. + @param error Why this peerInfo can't be accepted. + @result true if this succeeded. + */ + +bool SOSCCJoinWithCircleJoiningBlob(CFDataRef joiningBlob, CFErrorRef *error); + +/*! + @function: bool SOSCCPeersHaveViewsEnabled(CFSetRef viewNames) + @param viewNames the collection of views we want to know if other peers have enabled + @result CFBooleanTrue if we are in circle and all views are enabled by at least one other peer, + CFBooleanFalse if we are in circle and any of the views aren't avaialbe + NULL if we have an error. + */ +CFBooleanRef SOSCCPeersHaveViewsEnabled(CFArrayRef viewNames, CFErrorRef *error); + __END_DECLS #endif diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h index 4deffc24..42a0794e 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h 
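Review bot: The comment for SOSCCPeersHaveViewsEnabled declares `@function: bool SOSCCPeersHaveViewsEnabled(CFSetRef viewNames)`, but the prototype beneath it is `CFBooleanRef SOSCCPeersHaveViewsEnabled(CFArrayRef viewNames, CFErrorRef *error);` — wrong return type, wrong collection type and a missing parameter, plus a stray colon after the tag and the typo "avaialbe". Replace the tag with `@function SOSCCPeersHaveViewsEnabled`, add `@param error Set when NULL is returned.`, and spell it "available". The SOSCCCopyCircleJoiningBlob @result line is the only place the joining-blob contents are described ("gencount and this peerkey signature"); naming the producing routine or the DER layout would let the applicant side know what SOSCCJoinWithCircleJoiningBlob expects to parse.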
@@ -55,8 +55,8 @@ CFArrayRef SOSCCCopyConcurringPeerPeerInfo(CFErrorRef* error); bool SOSCCPurgeUserCredentials(CFErrorRef* error); CFStringRef SOSCCGetStatusDescription(SOSCCStatus status); -SecKeyRef SOSCCGetUserPrivKey(CFErrorRef *error); -SecKeyRef SOSCCGetUserPubKey(CFErrorRef *error); +bool SOSCCAccountHasPublicKey(CFErrorRef *error); +bool SOSCCAccountIsNew(CFErrorRef *error); /*! @function SOSCCHandleIDSMessage @@ -134,6 +134,8 @@ CFDataRef SOSCCCopyAccountState(CFErrorRef* error); bool SOSCCDeleteAccountState(CFErrorRef *error); CFDataRef SOSCCCopyEngineData(CFErrorRef* error); bool SOSCCDeleteEngineState(CFErrorRef *error); +bool SOSCCRequestSyncWithPeerOverKVS( CFStringRef peerID, CFErrorRef *error); +bool SOSCCRequestSyncWithPeerOverIDS(CFStringRef peerID, CFErrorRef *error); char *SOSCCSysdiagnose(const char *directoryname); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c index 6d8ff2d5..5e6e9ae3 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c @@ -39,6 +39,7 @@ #include <utilities/SecCFWrappers.h> #include <utilities/SecIOFormat.h> #include <utilities/SecCFError.h> +#include <utilities/SecCoreCrypto.h> #include <utilities/debugging.h> #include <utilities/der_plist.h> 
@@ -50,12 +51,44 @@ #include "AssertMacros.h" struct __OpaqueSOSCoder { + CFRuntimeBase _base; + CFStringRef peer_id; SecOTRSessionRef sessRef; bool waitingForDataPacket; CFDataRef pendingResponse; + + CFDataRef hashOfLastReceived; + bool lastReceivedWasOld; }; +#define lastReceived_di ccsha1_di + +CFGiblisWithCompareFor(SOSCoder) + +static CFStringRef SOSCoderCopyFormatDescription(CFTypeRef cf, CFDictionaryRef formatOptions) { + SOSCoderRef coder = (SOSCoderRef)cf; + if(coder){ + CFStringRef desc = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("<Coder %@ %@ %@ %s%s>"), + coder->peer_id, + coder->sessRef, + coder->hashOfLastReceived, + coder->waitingForDataPacket ? "W" : "w", + coder->lastReceivedWasOld ? "O" : "o" + ); + return desc; + } + else + return CFSTR("NULL"); +} + +static Boolean SOSCoderCompare(CFTypeRef cfA, CFTypeRef cfB) { + SOSCoderRef coderA = (SOSCoderRef)cfA, coderB = (SOSCoderRef)cfB; + // Use mainly to see if peerB is actually this device (peerA) + return CFStringCompare(coderA->peer_id, coderB->peer_id, 0) == kCFCompareEqualTo; +} + + static const char *SOSCoderString(SOSCoderStatus coderStatus) { switch (coderStatus) { case kSOSCoderDataReturned: return "DataReturned"; @@ -68,6 +101,10 @@ static const char *SOSCoderString(SOSCoderStatus coderStatus) { } } +CFStringRef SOSCoderGetID(SOSCoderRef coder) { + return coder->peer_id; +} + /* static void logRawCoderMessage(const uint8_t* der, uint8_t* der_end, bool encoding) { 
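Review bot: SOSCoderCompare dereferences `coderA->peer_id` and `coderB->peer_id` unconditionally, yet SOSCoderCreate_internal (later in this file's diff) initialises `peer_id` to NULL, so comparing a coder whose id was never assigned — CFStringCompare on NULL — will crash, and CFGiblisWithCompareFor routes CFEqual through this function. Guard it: `if (!coderA->peer_id || !coderB->peer_id) return coderA->peer_id == coderB->peer_id;`. The comment "Use mainly to see if peerB is actually this device (peerA)" describes a caller's intent rather than the contract; `// Two coders are equal when their peer ids match.` states what the code does. `#define lastReceived_di ccsha1_di` would also benefit from a one-line comment saying what `hashOfLastReceived` is compared against, since nothing in this hunk shows how the digest is used.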
@@ -85,33 +122,6 @@ static const char *SOSCoderString(SOSCoderStatus coderStatus) { } */ -static size_t der_sizeof_bool(bool value) { - return ccder_sizeof(CCDER_BOOLEAN, 1); -} - -static uint8_t* der_encode_bool(bool value, const uint8_t *der, uint8_t *der_end) { - uint8_t valueByte = value; - return ccder_encode_tl(CCDER_BOOLEAN, 1, der, - ccder_encode_body(1, &valueByte, der, der_end)); -} - -static const uint8_t* der_decode_bool(bool *value, const uint8_t *der, const uint8_t *der_end) { - size_t payload_size = 0; - - der = ccder_decode_tl(CCDER_BOOLEAN, &payload_size, der, der_end); - - if (payload_size != 1) { - der = NULL; - } - - if (der != NULL) { - *value = (*der != 0); - der++; - } - - return der; -} - static CFMutableDataRef sessSerialized(SOSCoderRef coder, CFErrorRef *error) { CFMutableDataRef otr_state = NULL; @@ -151,7 +161,7 @@ static size_t SOSCoderGetDEREncodedSize(SOSCoderRef coder, CFErrorRef *error) { if (otr_state) { size_t data_size = der_sizeof_data(otr_state, error); - size_t waiting_size = der_sizeof_bool(coder->waitingForDataPacket); + size_t waiting_size = ccder_sizeof_bool(coder->waitingForDataPacket, error); size_t pending_size = der_sizeof_optional_data(coder->pendingResponse); if ((data_size != 0) && (waiting_size != 0)) @@ -172,7 +182,7 @@ static uint8_t* SOSCoderEncodeToDER(SOSCoderRef coder, CFErrorRef* error, const if(otr_state) { result = ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, der_encode_data(otr_state, error, der, - der_encode_bool(coder->waitingForDataPacket, der, + ccder_encode_bool(coder->waitingForDataPacket, der, der_encode_optional_data(coder->pendingResponse, error, der, der_end)))); CFReleaseSafe(otr_state); } 
@@ -199,45 +209,129 @@ CFDataRef SOSCoderCopyDER(SOSCoderRef coder, CFErrorRef* error) { return encoded; } +static SOSCoderRef SOSCoderCreate_internal() { + SOSCoderRef p = CFTypeAllocate(SOSCoder, struct __OpaqueSOSCoder, kCFAllocatorDefault); + + p->peer_id = NULL; + p->sessRef = NULL; + p->pendingResponse = NULL; + p->waitingForDataPacket = false; + + p->hashOfLastReceived = NULL; + p->lastReceivedWasOld = false; + + return p; + +} + +// 0 - Type not understood +// 1 - OCTET_STRING, just stored the data for OTR +// 2 - SEQUENCE with no version value +// 3 - SEQUENCE with version value we pull out of the CCDER_INTEGER + +typedef enum coderExportFormatVersion { + kNotUnderstood = 0, + kCoderAsOTRDataOnly = 1, + kCoderAsSequence = 2, + kCoderAsVersionedSequence = 3, + + kCurrentCoderExportVersion = kCoderAsVersionedSequence +} CoderExportFormatVersion; + +static uint64_t SOSCoderGetExportedVersion(const uint8_t *der, const uint8_t *der_end) { + ccder_tag tag; + uint64_t result = kNotUnderstood; + require(ccder_decode_tag(&tag, der, der_end),xit); + switch (tag) { + case CCDER_OCTET_STRING: // TODO: this code is safe to delete? 
+ result = kCoderAsOTRDataOnly; + break; + + case CCDER_CONSTRUCTED_SEQUENCE: + { + const uint8_t *sequence_end = NULL; + der = ccder_decode_sequence_tl(&sequence_end, der, der_end); + ccder_tag firstSequenceTag; + require(ccder_decode_tag(&firstSequenceTag, der, der_end),xit); + + switch (firstSequenceTag) { + case CCDER_OCTET_STRING: + result = kCoderAsSequence; + break; + case CCDER_INTEGER: + der = ccder_decode_uint64(NULL, der, sequence_end); + if (der == NULL) { + result = kNotUnderstood; + } else { + result = kCoderAsVersionedSequence; + } + break; + } + } + } +xit: + return result; + +} + SOSCoderRef SOSCoderCreateFromData(CFDataRef exportedData, CFErrorRef *error) { // TODO: fill in errors for all failure cases //require_action_quiet(coder, xit, SOSCreateError(kSOSErrorSendFailure, CFSTR("No coder for peer"), NULL, error)); - SOSCoderRef p = calloc(1, sizeof(struct __OpaqueSOSCoder)); + SOSCoderRef p = SOSCoderCreate_internal(); const uint8_t *der = CFDataGetBytePtr(exportedData); const uint8_t *der_end = der + CFDataGetLength(exportedData); CFDataRef otr_data = NULL; - ccder_tag tag; - require(ccder_decode_tag(&tag, der, der_end),fail); - - switch (tag) { - case CCDER_OCTET_STRING: // TODO: this code is safe to delete? 
- { + switch (SOSCoderGetExportedVersion(der, der_end)) { + case kCoderAsOTRDataOnly: der = der_decode_data(kCFAllocatorDefault, 0, &otr_data, error, der, der_end); p->waitingForDataPacket = false; + break; + + case kCoderAsSequence: + { + const uint8_t *sequence_end = NULL; + der = ccder_decode_sequence_tl(&sequence_end, der, der_end); + + require_action_quiet(sequence_end == der_end, fail, SecCFDERCreateError(kSOSErrorDecodeFailure, CFSTR("Extra data in SOS coder"), NULL, error)); + + der = der_decode_data(kCFAllocatorDefault, 0, &otr_data, error, der, sequence_end); + der = ccder_decode_bool(&p->waitingForDataPacket, der, sequence_end); + if (der != sequence_end) { // optionally a pending response + der = der_decode_data(kCFAllocatorDefault, 0, &p->pendingResponse, error, der, sequence_end); + } } - break; - - case CCDER_CONSTRUCTED_SEQUENCE: + break; + + case kCoderAsVersionedSequence: { const uint8_t *sequence_end = NULL; der = ccder_decode_sequence_tl(&sequence_end, der, der_end); - + require_action_quiet(sequence_end == der_end, fail, SecCFDERCreateError(kSOSErrorDecodeFailure, CFSTR("Extra data in SOS coder"), NULL, error)); - + + uint64_t version; + der = ccder_decode_uint64(&version, der, sequence_end); + if (version != kCoderAsVersionedSequence) { + SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("Unsupported Sequence Version: %lld"), version); + goto fail; + } + der = der_decode_data(kCFAllocatorDefault, 0, &otr_data, error, der, sequence_end); - der = der_decode_bool(&p->waitingForDataPacket, der, sequence_end); + der = ccder_decode_bool(&p->waitingForDataPacket, der, sequence_end); + der = ccder_decode_bool(&p->lastReceivedWasOld, der, sequence_end); + der = der_decode_data(kCFAllocatorDefault, 0, &p->hashOfLastReceived, error, der, sequence_end); if (der != sequence_end) { // optionally a pending response der = der_decode_data(kCFAllocatorDefault, 0, &p->pendingResponse, error, der, sequence_end); } } - break; - + break; + default: - 
SecCFDERCreateError(kSOSErrorDecodeFailure, CFSTR("Unsupported SOS Coder DER"), NULL, error); + SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("Unsupported SOS Coder DER")); goto fail; } @@ -246,11 +340,14 @@ SOSCoderRef SOSCoderCreateFromData(CFDataRef exportedData, CFErrorRef *error) { p->sessRef = SecOTRSessionCreateFromData(NULL, otr_data); require(p->sessRef, fail); + if (p->hashOfLastReceived == NULL) + p->hashOfLastReceived = CFDataCreateMutableWithScratch(kCFAllocatorDefault, lastReceived_di()->output_size); + CFReleaseSafe(otr_data); return p; fail: - SOSCoderDispose(p); + CFReleaseNull(p); CFReleaseSafe(otr_data); return NULL; } @@ -259,7 +356,8 @@ fail: SOSCoderRef SOSCoderCreate(SOSPeerInfoRef peerInfo, SOSFullPeerInfoRef myPeerInfo, CFBooleanRef useCompact, CFErrorRef *error) { CFAllocatorRef allocator = CFGetAllocator(peerInfo); - SOSCoderRef coder = calloc(1, sizeof(struct __OpaqueSOSCoder)); + SOSCoderRef coder = SOSCoderCreate_internal(); + CFErrorRef localError = NULL; SecOTRFullIdentityRef myRef = NULL; @@ -276,7 +374,8 @@ SOSCoderRef SOSCoderCreate(SOSPeerInfoRef peerInfo, SOSFullPeerInfoRef myPeerInf CFReleaseNull(privateKey); - publicKey = SOSPeerInfoCopyPubKey(peerInfo); + publicKey = SOSPeerInfoCopyPubKey(peerInfo, &localError); + require(publicKey, errOut); peerRef = SecOTRPublicIdentityCreateFromSecKeyRef(allocator, publicKey, &localError); require_quiet(peerRef, errOut); @@ -291,7 +390,7 @@ SOSCoderRef SOSCoderCreate(SOSPeerInfoRef peerInfo, SOSFullPeerInfoRef myPeerInf coder->waitingForDataPacket = false; coder->pendingResponse = NULL; - + CFReleaseNull(publicKey); CFReleaseNull(privateKey); CFReleaseNull(myRef); 
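Review bot: In the `kCoderAsVersionedSequence` case of `SOSCoderCreateFromData`, the chain `ccder_decode_uint64` → `der_decode_data` → `ccder_decode_bool` → `ccder_decode_bool` → `der_decode_data` is never checked for NULL before `if (der != sequence_end)`, so a truncated or malformed blob that makes one decoder return NULL satisfies `NULL != sequence_end` and `der_decode_data` is then invoked with a NULL start pointer for the optional pending response; whether every helper tolerates a NULL `der` is not visible here. A `require_action_quiet(der != NULL, fail, SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("Truncated SOS coder")));` before that `if` makes the failure explicit instead of relying on the later `require(p->sessRef, fail)`. The length of the decoded `hashOfLastReceived` is also not compared with `lastReceived_di()->output_size`; a mismatch only makes the later `CFEqualSafe` report "not repeated", so this is robustness rather than a security hole, but a length check or a comment saying the mismatch is tolerated would help. This state presumably comes from the engine's own persisted coder item rather than from a peer, which limits exposure but does not remove the need for the guard.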
@@ -300,6 +399,9 @@ SOSCoderRef SOSCoderCreate(SOSPeerInfoRef peerInfo, SOSFullPeerInfoRef myPeerInf secnotice("coder", "NULL Coder requested, no transport security"); } + coder->hashOfLastReceived = CFDataCreateMutableWithScratch(kCFAllocatorDefault, lastReceived_di()->output_size); + coder->lastReceivedWasOld = false; + SOSCoderStart(coder, NULL); return coder; @@ -312,19 +414,19 @@ errOut: CFReleaseNull(publicKey); CFReleaseNull(privateKey); - free(coder); + CFReleaseNull(coder); return NULL; } -void SOSCoderDispose(SOSCoderRef coder) +static void SOSCoderDestroy(CFTypeRef cf) { + SOSCoderRef coder = (SOSCoderRef) cf; if (coder) { CFReleaseNull(coder->sessRef); CFReleaseNull(coder->pendingResponse); CFReleaseNull(coder->peer_id); - free(coder); + CFReleaseNull(coder->hashOfLastReceived); } - coder = NULL; } void SOSCoderReset(SOSCoderRef coder) 
@@ -332,6 +434,35 @@ void SOSCoderReset(SOSCoderRef coder) SecOTRSessionReset(coder->sessRef); coder->waitingForDataPacket = false; CFReleaseNull(coder->pendingResponse); + + coder->lastReceivedWasOld = false; + CFReleaseNull(coder->hashOfLastReceived); + coder->hashOfLastReceived = CFDataCreateMutableWithScratch(kCFAllocatorDefault, lastReceived_di()->output_size); +} + +bool SOSCoderIsFor(SOSCoderRef coder, SOSPeerInfoRef peerInfo, SOSFullPeerInfoRef myPeerInfo) { + SecKeyRef theirPublicKey = NULL; + SecKeyRef myPublicKey = NULL; + bool isForThisPair = false; + CFErrorRef localError = NULL; + + myPublicKey = SOSPeerInfoCopyPubKey(SOSFullPeerInfoGetPeerInfo(myPeerInfo), &localError); + require(myPublicKey, errOut); + + theirPublicKey = SOSPeerInfoCopyPubKey(peerInfo, &localError); + require(theirPublicKey, errOut); + + isForThisPair = SecOTRSIsForKeys(coder->sessRef, myPublicKey, theirPublicKey); + +errOut: + if (localError) { + secerror("SOSCoderIsFor failed: %@\n", localError ? localError : (CFTypeRef)CFSTR("No local error in SOSCoderCreate")); + } + + CFReleaseNull(myPublicKey); + CFReleaseNull(theirPublicKey); + CFReleaseNull(localError); + return isForThisPair; } CFDataRef SOSCoderCopyPendingResponse(SOSCoderRef coder) @@ -417,6 +548,7 @@ SOSCoderStatus SOSCoderUnwrap(SOSCoderRef coder, CFDataRef codedMessage, CFMutab CFStringRef beginState = CFCopyDescription(coder->sessRef); enum SecOTRSMessageKind kind = SecOTRSGetMessageKind(coder->sessRef, codedMessage); + switch (kind) { case kOTRNegotiationPacket: { /* If we're in here we haven't completed negotiating a session. Use SecOTRSProcessPacket() to go through 
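Review bot: The error log in `SOSCoderIsFor` is guarded by `if (localError)` and then uses `localError ? localError : (CFTypeRef)CFSTR("No local error in SOSCoderCreate")`, so the fallback is dead code and its text names the wrong function; `secerror("SOSCoderIsFor failed: %@", localError);` says the same thing honestly. Separately, `SecOTRSIsForKeys(coder->sessRef, ...)` is reached with whatever `sessRef` the coder holds, and the `SOSCoderCreate` path a few hunks above logs "NULL Coder requested, no transport security" without creating a session, so a `require_quiet(coder->sessRef, errOut);` before the call is worth adding unless `SecOTRSIsForKeys` is documented as NULL-safe, which is not visible here. Note also that a failure to copy either public key returns `false`, i.e. "not for this pair", which callers may treat as a reason to drop the coder; a one-line comment stating that this is intentional would help the next reader.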
@@ -465,6 +597,12 @@ SOSCoderStatus SOSCoderUnwrap(SOSCoderRef coder, CFDataRef codedMessage, CFMutab } case kOTRDataPacket: + { + CFDataRef previousMessageHash = coder->hashOfLastReceived; + coder->hashOfLastReceived = CFDataCreateWithHash(kCFAllocatorDefault, lastReceived_di(), CFDataGetBytePtr(codedMessage), CFDataGetLength(codedMessage)); + bool lastWasOld = coder->lastReceivedWasOld; + coder->lastReceivedWasOld = false; + if(!SecOTRSGetIsReadyForMessages(coder->sessRef)) { CFStringAppend(action, CFSTR("not ready for data; resending DH packet")); SetCloudKeychainTraceValueForKey(kCloudKeychainNumberOfTimesSyncFailed, 1); 
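Review bot: The new block records `codedMessage`'s hash into `coder->hashOfLastReceived` and stashes the old one in `previousMessageHash` before `SecOTRSGetIsReadyForMessages` is consulted, so a data packet that arrives before the session is ready is still remembered as "last received" even though it is never verified, and the only `CFReleaseNull(previousMessageHash)` is at the very end of the case in the next hunk. The body of the not-ready branch sits between the two hunks and is not visible; if it leaves the case early (`break`, `goto`, `return`) the previous hash leaks on every such packet. Moving the three bookkeeping lines below the readiness check, or adding a comment such as `// previousMessageHash is released at the end of this case; do not exit early`, would pin the intent. `SOSCoderUnwrap` itself begins before this hunk.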
@@ -477,27 +615,44 @@ SOSCoderStatus SOSCoderUnwrap(SOSCoderRef coder, CFDataRef codedMessage, CFMutab CFMutableDataRef exposed = CFDataCreateMutable(0, 0); OSStatus otrResult = SecOTRSVerifyAndExposeMessage(coder->sessRef, codedMessage, exposed); CFStringAppend(action, CFSTR("verify and expose message")); - if (otrResult) { - if (otrResult == errSecOTRTooOld) { - CFStringAppend(action, CFSTR(" too old")); - result = kSOSCoderStaleEvent; - } - else if(otrResult == errSecOTRIDTooNew){ + switch(otrResult) { + case errSecSuccess: + CFStringAppend(action, CFSTR("decoded OTR protected packet")); + CFTransferRetained(*message, exposed); + result = kSOSCoderDataReturned; + break; + case errSecOTRTooOld: + if (CFEqualSafe(previousMessageHash, coder->hashOfLastReceived)) { + CFStringAppend(action, CFSTR(" repeated")); + result = kSOSCoderStaleEvent; + } else { + coder->lastReceivedWasOld = true; + if (lastWasOld) { + CFStringAppend(action, CFSTR(" too old, repeated renegotiating")); + // Fail so we will renegotiate + result = kSOSCoderFailure; + } else { + CFStringAppend(action, CFSTR(" too old, forcing message")); + // Force message send. + result = kSOSCoderForceMessage; + } + } + break; + case errSecOTRIDTooNew: CFStringAppend(action, CFSTR(" too new")); result = kSOSCoderTooNew; - }else { + break; + default: SecError(otrResult, error, CFSTR("%@ Cannot expose message: %" PRIdOSStatus), clientId, otrResult); secerror("%@ Decode OTR Protected Packet: %@", clientId, error ? *error : NULL); result = kSOSCoderFailure; - } - } else { - CFStringAppend(action, CFSTR("decoded OTR protected packet")); - *message = exposed; - exposed = NULL; - result = kSOSCoderDataReturned; + break; } + CFReleaseNull(exposed); } + CFReleaseNull(previousMessageHash); + } break; default: diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.h index bfc2c3d7..c6e831b5 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.h 
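Review bot: The `errSecOTRTooOld` arm now returns `kSOSCoderForceMessage` for a stale packet that differs from the previous one and `kSOSCoderFailure` ("renegotiating") when two distinct stale packets arrive in a row, so any party able to replay two distinct previously captured data packets can force this coder into renegotiation; that is presumably an acceptable cost (a handshake) compared with the desync it is meant to recover from, but nothing in the code says so. A comment above `case errSecOTRTooOld:` along the lines of `// Two distinct stale packets in a row means our counters have diverged from the peer's; fail so the caller renegotiates. A replaying third party can trigger this, costing only a handshake.` would record the trade-off. It is also worth noting next to `lastReceived_di` that SHA-1 is used here only to detect an exact repeat of a locally received ciphertext, not as a security boundary, since a reviewer grepping for `ccsha1` will otherwise flag it. `SOSCoderUnwrap` continues past the end of this hunk.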
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.h @@ -39,16 +39,21 @@ enum { kSOSCoderFailure = 3, kSOSCoderStaleEvent = 4, kSOSCoderTooNew = 5, + kSOSCoderForceMessage = 6, }; typedef uint32_t SOSCoderStatus; +CFTypeID SOSCoderGetTypeID(void); + SOSCoderRef SOSCoderCreate(SOSPeerInfoRef peerInfo, SOSFullPeerInfoRef myPeerInfo, CFBooleanRef useCompact, CFErrorRef *error); SOSCoderRef SOSCoderCreateFromData(CFDataRef exportedData, CFErrorRef *error); -void SOSCoderDispose(SOSCoderRef coder); - CFDataRef SOSCoderCopyDER(SOSCoderRef coder, CFErrorRef* error); +CFStringRef SOSCoderGetID(SOSCoderRef coder); + +bool SOSCoderIsFor(SOSCoderRef coder, SOSPeerInfoRef peerInfo, SOSFullPeerInfoRef myPeerInfo); + SOSCoderStatus SOSCoderStart(SOSCoderRef coder, CFErrorRef *error); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSDataSource.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSDataSource.h index d7792daa..f75ca70b 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSDataSource.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSDataSource.h @@ -104,7 +104,7 @@ typedef CFOptionFlags SOSDataSourceTransactionType; enum SOSDataSourceTransactionPhase { kSOSDataSourceTransactionDidRollback = 0, // A transaction just got rolled back kSOSDataSourceTransactionWillCommit, // A transaction is about to commit. - kSOSDataSourceTransactionDidCommit, // A transnaction sucessfully committed. + kSOSDataSourceTransactionDidCommit, // A transaction sucessfully committed. }; typedef CFOptionFlags SOSDataSourceTransactionPhase; 
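Review bot: The header adds `kSOSCoderForceMessage`, `SOSCoderGetTypeID`, `SOSCoderGetID` and `SOSCoderIsFor` and drops `SOSCoderDispose` without a word of documentation, so callers have to read the .c file to learn that coders are now plain CF objects released with `CFRelease`, that `SOSCoderGetID` returns a non-retained string, and when the new status is produced. Suggested comments: `kSOSCoderForceMessage = 6, // peer sent a stale data packet; caller should send a message so the peer can resync` on the enum, `// Returns the peer ID this coder was created for (not retained; may be NULL for coders restored from data).` on `SOSCoderGetID`, and `// True if the coder's OTR session was established between myPeerInfo and peerInfo; false on any key-copy failure.` on `SOSCoderIsFor`. A note on `SOSCoderCreate`/`SOSCoderCreateFromData` that the result is +1 retained would make the `SOSCoderDispose` removal less of a trap for existing callers.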
@@ -127,14 +127,16 @@ struct SOSDataSource { // General SOSDataSource methods CFStringRef (*dsGetName)(SOSDataSourceRef ds); - void (*dsSetNotifyPhaseBlock)(SOSDataSourceRef ds, dispatch_queue_t queue, SOSDataSourceNotifyBlock notifyBlock); + void (*dsAddNotifyPhaseBlock)(SOSDataSourceRef ds, SOSDataSourceNotifyBlock notifyBlock); SOSManifestRef (*dsCopyManifestWithViewNameSet)(SOSDataSourceRef ds, CFSetRef viewNameSet, CFErrorRef *error); - bool (*dsForEachObject)(SOSDataSourceRef ds, SOSManifestRef manifest, CFErrorRef *error, void (^handleObject)(CFDataRef key, SOSObjectRef object, bool *stop)); - CFDataRef (*dsCopyStateWithKey)(SOSDataSourceRef ds, CFStringRef key, CFStringRef pdmn, CFErrorRef *error); + bool (*dsForEachObject)(SOSDataSourceRef ds, SOSTransactionRef txn, SOSManifestRef manifest, CFErrorRef *error, void (^handleObject)(CFDataRef key, SOSObjectRef object, bool *stop)); + CFDataRef (*dsCopyStateWithKey)(SOSDataSourceRef ds, CFStringRef key, CFStringRef pdmn, SOSTransactionRef txn, CFErrorRef *error); CFDataRef (*dsCopyItemDataWithKeys)(SOSDataSourceRef ds, CFDictionaryRef keys, CFErrorRef *error); + bool (*dsDeleteStateWithKey)(SOSDataSourceRef ds, CFStringRef key, CFStringRef pdmn, SOSTransactionRef txn, CFErrorRef *error); - bool (*dsWith)(SOSDataSourceRef ds, CFErrorRef *error, SOSDataSourceTransactionSource source, void(^transaction)(SOSTransactionRef txn, bool *commit)); + bool (*dsWith)(SOSDataSourceRef ds, CFErrorRef *error, SOSDataSourceTransactionSource source, bool onCommitQueue, void(^transaction)(SOSTransactionRef txn, bool *commit)); bool (*dsRelease)(SOSDataSourceRef ds, CFErrorRef *error); // Destructor + bool (*dsReadWith)(SOSDataSourceRef ds, CFErrorRef *error, SOSDataSourceTransactionSource source, void(^perform)(SOSTransactionRef txn)); // SOSTransaction methods, writes to a dataSource require a transaction. 
SOSMergeResult (*dsMergeObject)(SOSTransactionRef txn, SOSObjectRef object, SOSObjectRef *createdObject, CFErrorRef *error); 
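Review bot: `dsWith` gains a bare positional `bool onCommitQueue` and a parallel `dsReadWith` is added with no such flag, in a vtable struct where the only guidance is the pre-existing line "writes to a dataSource require a transaction"; a caller filling in this struct cannot tell from the interface what `true` buys or why reads do not need it. One-line comments on the new members would settle it, e.g. `// onCommitQueue: run the transaction block on the data source's commit queue (see implementation for ordering guarantees)` on `dsWith`, `// read-only transaction; no commit/rollback` on `dsReadWith`, and `// requires a transaction like other writes` on `dsDeleteStateWithKey`. The `txn` parameter added to `dsForEachObject` and `dsCopyStateWithKey` would likewise benefit from a note on whether NULL is permitted, since `SOSEngineGetCoder_locked` later in this patch passes NULL.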
@@ -159,37 +161,53 @@ static inline CFStringRef SOSDataSourceGetName(SOSDataSourceRef ds) { return ds->dsGetName(ds); } -static inline void SOSDataSourceSetNotifyPhaseBlock(SOSDataSourceRef ds, dispatch_queue_t queue, SOSDataSourceNotifyBlock notifyBlock) { - ds->dsSetNotifyPhaseBlock(ds, queue, notifyBlock); +static inline void SOSDataSourceAddNotifyPhaseBlock(SOSDataSourceRef ds, SOSDataSourceNotifyBlock notifyBlock) { + ds->dsAddNotifyPhaseBlock(ds, notifyBlock); } static inline SOSManifestRef SOSDataSourceCopyManifestWithViewNameSet(SOSDataSourceRef ds, CFSetRef viewNameSet, CFErrorRef *error) { return ds->dsCopyManifestWithViewNameSet(ds, viewNameSet, error); } -static inline bool SOSDataSourceForEachObject(SOSDataSourceRef ds, SOSManifestRef manifest, CFErrorRef *error, void (^handleObject)(CFDataRef digest, SOSObjectRef object, bool *stop)) { - return ds->dsForEachObject(ds, manifest, error, handleObject); +static inline bool SOSDataSourceForEachObject(SOSDataSourceRef ds, SOSTransactionRef txn, SOSManifestRef manifest, CFErrorRef *error, void (^handleObject)(CFDataRef digest, SOSObjectRef object, bool *stop)) { + return ds->dsForEachObject(ds, txn, manifest, error, handleObject); } static inline bool SOSDataSourceWith(SOSDataSourceRef ds, CFErrorRef *error, void(^transaction)(SOSTransactionRef txn, bool *commit)) { - return ds->dsWith(ds, error, kSOSDataSourceSOSTransaction, transaction); + return ds->dsWith(ds, error, kSOSDataSourceSOSTransaction, false, transaction); +} + +static inline bool SOSDataSourceWithCommitQueue(SOSDataSourceRef ds, CFErrorRef *error, + void(^transaction)(SOSTransactionRef txn, bool *commit)) { + return ds->dsWith(ds, error, kSOSDataSourceSOSTransaction, true, transaction); } static inline bool SOSDataSourceWithAPI(SOSDataSourceRef ds, bool isAPI, CFErrorRef *error, void(^transaction)(SOSTransactionRef txn, bool *commit)) { - return ds->dsWith(ds, error, isAPI ? 
kSOSDataSourceAPITransaction : kSOSDataSourceSOSTransaction, transaction); + return ds->dsWith(ds, error, isAPI ? kSOSDataSourceAPITransaction : kSOSDataSourceSOSTransaction, false, transaction); +} + +static inline bool SOSDataSourceReadWithCommitQueue(SOSDataSourceRef ds, CFErrorRef *error, + void(^perform)(SOSTransactionRef txn)) { + return ds->dsReadWith(ds, error, kSOSDataSourceSOSTransaction, perform); } -static inline CFDataRef SOSDataSourceCopyStateWithKey(SOSDataSourceRef ds, CFStringRef key, CFStringRef pdmn, CFErrorRef *error) + +static inline CFDataRef SOSDataSourceCopyStateWithKey(SOSDataSourceRef ds, CFStringRef key, CFStringRef pdmn, SOSTransactionRef txn, CFErrorRef *error) { - return ds->dsCopyStateWithKey(ds, key, pdmn, error); + return ds->dsCopyStateWithKey(ds, key, pdmn, txn, error); } static inline CFDataRef SOSDataSourceCopyItemDataWithKeys(SOSDataSourceRef ds, CFDictionaryRef keys, CFErrorRef *error) { return ds->dsCopyItemDataWithKeys(ds, keys, error); } +static inline bool SOSDataSourceDeleteStateWithKey(SOSDataSourceRef ds, CFStringRef key, CFStringRef pdmn, SOSTransactionRef txn, CFErrorRef *error) +{ + return ds->dsDeleteStateWithKey(ds, key, pdmn, txn, error); +} + static inline bool SOSDataSourceRelease(SOSDataSourceRef ds, CFErrorRef *error) { return !ds || ds->dsRelease(ds, error); } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.c index 2d90b8c5..6c6674ec 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.c 
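Review bot: `SOSDataSourceReadWithCommitQueue` is named as the read counterpart of `SOSDataSourceWithCommitQueue`, but it forwards to `dsReadWith` with no commit-queue flag at all, whereas `SOSDataSourceWithCommitQueue` explicitly passes `true` to `dsWith`; whatever "commit queue" means for the read path lives only in the implementation, not in the interface. Either rename it to `SOSDataSourceReadWith` or add a comment stating the guarantee, e.g. `// dsReadWith always runs on the commit queue; the name mirrors SOSDataSourceWithCommitQueue`, so the asymmetry with the write-side wrapper is deliberate rather than accidental. A short comment on `SOSDataSourceWithCommitQueue` explaining when a caller needs `onCommitQueue = true` over plain `SOSDataSourceWith` would help too.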
@@ -33,31 +33,37 @@ CFStringRef kSOSDigestVectorErrorDomain = CFSTR("com.apple.security.sos.digestve /* SOSDigestVector code. */ -#define VECTOR_GROW(vector, count, capacity) \ -do { \ - if ((count) > capacity) { \ - capacity = ((capacity) + 16) * 3 / 2; \ - if (capacity < (count)) \ - capacity = (count); \ - vector = reallocf((vector), sizeof(*(vector)) * capacity); \ - } \ -} while (0) - -static void SOSDigestVectorEnsureCapacity(struct SOSDigestVector *dv, size_t count) { - VECTOR_GROW(dv->digest, count, dv->capacity); -} +const size_t kMaxDVCapacity = (1024*1024L); // roughly based on KVS limit, helps avoid integer overflow issues + +static bool SOSDigestVectorEnsureCapacity(struct SOSDigestVector *dv, size_t count) { + // Note that capacity is the number of digests it can hold, not the size in bytes + // Already big enough. + if (count <= dv->capacity) + return true; + // Too big + if (count > kMaxDVCapacity) { + secerror("Requesting too much space for digest vectors: %ld", count); + return false; + } -void SOSDigestVectorReplaceAtIndex(struct SOSDigestVector *dv, size_t ix, const uint8_t *digest) -{ - SOSDigestVectorEnsureCapacity(dv, ix + 1); - memcpy(dv->digest[ix], digest, SOSDigestSize); - dv->unsorted = true; + size_t capacity = (dv->capacity + 16) * 3 / 2; + size_t digestSize = sizeof(*(dv->digest)); + if (capacity < count) + capacity = count; + dv->digest = reallocf(dv->digest, digestSize * capacity); + if (dv->digest == NULL) { + dv->count = 0; + secerror("reallocf failed requesting space for digest vectors: %ld (bytes)", digestSize * capacity); + return false; + } + dv->capacity = capacity; + return true; } static void SOSDigestVectorAppendOrdered(struct SOSDigestVector *dv, const uint8_t *digest) { - SOSDigestVectorEnsureCapacity(dv, dv->count + 1); - memcpy(dv->digest[dv->count++], digest, SOSDigestSize); + if (SOSDigestVectorEnsureCapacity(dv, dv->count + 1)) + memcpy(dv->digest[dv->count++], digest, SOSDigestSize); } void 
SOSDigestVectorAppend(struct SOSDigestVector *dv, const uint8_t *digest) @@ -71,9 +77,9 @@ static int SOSDigestCompare(const void *a, const void *b) return memcmp(a, b, SOSDigestSize); } -// Remove duplicates from sorted manifest using minimal memcpy() calls -static __unused void SOSDigestVectorUnique(struct SOSDigestVector *dv) { - if (dv->count < 2) +// Remove duplicates from sorted manifest using minimal memmove() calls +static void SOSDigestVectorUnique(struct SOSDigestVector *dv) { + if (dv->count < 2 || dv->digest == NULL) return; const uint8_t *prev = dv->digest[0]; @@ -95,7 +101,7 @@ static __unused void SOSDigestVectorUnique(struct SOSDigestVector *dv) { // 1) Finish copy for current region up to previous element prev += SOSDigestSize; if (dest != source) - memcpy(dest, source, prev - source); + memmove(dest, source, prev - source); dest += prev - source; // 2) Skip remaining dupes if (cur < end) { @@ -117,7 +123,7 @@ static __unused void SOSDigestVectorUnique(struct SOSDigestVector *dv) { if (source < end) { prev += SOSDigestSize; if (dest != source) - memcpy(dest, source, prev - source); + memmove(dest, source, prev - source); dest += prev - source; } dv->count = (dest - dv->digest[0]) / SOSDigestSize; @@ -126,7 +132,7 @@ static __unused void SOSDigestVectorUnique(struct SOSDigestVector *dv) { void SOSDigestVectorSort(struct SOSDigestVector *dv) { - if (dv->unsorted) { + if (dv->unsorted && dv->digest) { qsort(dv->digest, dv->count, sizeof(*dv->digest), SOSDigestCompare); dv->unsorted = false; SOSDigestVectorUnique(dv); 
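Review bot: When `reallocf` fails in `SOSDigestVectorEnsureCapacity`, the function sets `dv->count = 0` and leaves `dv->digest` NULL but does not reset `dv->capacity`, so the next call with a small `count` takes the early `count <= dv->capacity` return and the caller `SOSDigestVectorAppendOrdered` then does `memcpy(dv->digest[dv->count++], ...)` through a NULL pointer. Add `dv->capacity = 0;` next to `dv->count = 0;` in the failure branch so the stale capacity cannot vouch for a buffer that no longer exists. The two `secerror` calls also print `size_t` values with `%ld`; `%zu` is the matching specifier. The later NULL checks added to `SOSDigestVectorUnique`, `SOSDigestVectorSort` and friends are consistent with this, but they only help if capacity is reset here.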
@@ -162,8 +168,12 @@ bool SOSDigestVectorContains(struct SOSDigestVector *dv, const uint8_t *digest) size_t SOSDigestVectorIndexOfSorted(const struct SOSDigestVector *dv, const uint8_t *digest) { - const void *pos = bsearch(digest, dv->digest, dv->count, sizeof(*dv->digest), SOSDigestCompare); - return pos ? ((size_t)(pos - (void *)dv->digest)) / SOSDigestSize : ((size_t)-1); + if (dv->digest) { + const void *pos = bsearch(digest, dv->digest, dv->count, sizeof(*dv->digest), SOSDigestCompare); + return pos ? ((size_t)(pos - (void *)dv->digest)) / SOSDigestSize : ((size_t)-1); + } else { + return -1; + } } size_t SOSDigestVectorIndexOf(struct SOSDigestVector *dv, const uint8_t *digest) @@ -185,7 +195,7 @@ void SOSDigestVectorFree(struct SOSDigestVector *dv) void SOSDigestVectorApplySorted(const struct SOSDigestVector *dv, SOSDigestVectorApplyBlock with) { bool stop = false; - for (size_t ix = 0; !stop && ix < dv->count; ++ix) { + for (size_t ix = 0; !stop && ix < dv->count && dv->digest; ++ix) { with(dv->digest[ix], &stop); } } @@ -206,7 +216,7 @@ void SOSDigestVectorApply(struct SOSDigestVector *dv, SOSDigestVectorApplyBlock static size_t SOSIncrementAndSkipDupes(const uint8_t *digests, size_t count, const size_t ix) { size_t new_ix = ix; - if (new_ix < count) { + if (digests && new_ix < count) { while (++new_ix < count) { int delta = SOSDigestCompare(digests + ix * SOSDigestSize, digests + new_ix * SOSDigestSize); assert(delta <= 0); @@ -237,8 +247,8 @@ void SOSDigestVectorAppendMultipleOrdered(struct SOSDigestVector *dv, void SOSDigestVectorAppendMultipleOrdered(struct SOSDigestVector *dv, size_t count, const uint8_t *digests) { if (count) { - SOSDigestVectorEnsureCapacity(dv, dv->count + count); - memcpy(dv->digest[dv->count], digests, count * SOSDigestSize); + if (SOSDigestVectorEnsureCapacity(dv, dv->count + count)) + memcpy(dv->digest[dv->count], digests, count * SOSDigestSize); dv->count += count; } } 
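Review bot: In `SOSDigestVectorAppendMultipleOrdered` the `dv->count += count;` now runs even when `SOSDigestVectorEnsureCapacity` returns false, so after a failed reallocf (which sets `count` to 0 and frees `digest`) the vector reports `count` entries with `dv->digest == NULL`, and the only thing preventing a later out-of-bounds read is whichever caller happens to test `dv->digest`. Move `dv->count += count;` inside the `if` body so count and storage cannot disagree. In `SOSDigestVectorIndexOfSorted` the new `else` branch returns `-1` from a `size_t` function while the other branch writes `(size_t)-1`; using the cast in both places keeps the sentinel explicit.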
@@ -334,7 +344,7 @@ static void SOSDigestVectorAppendComplementAtIndex(size_t a_ix, const struct SOS struct SOSDigestVector *dvcomplement) { assert(a_ix <= dvA->count && b_ix <= dvB->count); - while (a_ix < dvA->count && b_ix < dvB->count) { + while (a_ix < dvA->count && b_ix < dvB->count && dvA->digest && dvB->digest) { int delta = SOSDigestCompare(dvA->digest[a_ix], dvB->digest[b_ix]); if (delta == 0) { a_ix = SOSDVINCRIX(dvA, a_ix); @@ -346,7 +356,8 @@ static void SOSDigestVectorAppendComplementAtIndex(size_t a_ix, const struct SOS b_ix = SOSDVINCRIX(dvB, b_ix); } } - SOSDigestVectorAppendMultipleOrdered(dvcomplement, dvB->count - b_ix, dvB->digest[b_ix]); + if (dvB->digest) + SOSDigestVectorAppendMultipleOrdered(dvcomplement, dvB->count - b_ix, dvB->digest[b_ix]); } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.h index 78dc6681..3e6fc842 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.h @@ -34,6 +34,7 @@ #include <corecrypto/ccsha1.h> #include <CoreFoundation/CFError.h> +#include <sys/types.h> __BEGIN_DECLS @@ -48,6 +49,8 @@ extern CFStringRef kSOSDigestVectorErrorDomain; #define SOSDigestVectorInit { .digest = NULL, .count = 0, .capacity = 0, .unsorted = false } +typedef uint8_t (*SOSDigestVectorDigestPtr)[SOSDigestSize]; + struct SOSDigestVector { uint8_t (*digest)[SOSDigestSize]; size_t count; 
@@ -67,7 +70,6 @@ size_t SOSDigestVectorIndexOf(struct SOSDigestVector *dv, const uint8_t *digest) size_t SOSDigestVectorIndexOfSorted(const struct SOSDigestVector *dv, const uint8_t *digest); bool SOSDigestVectorContains(struct SOSDigestVector *dv, const uint8_t *digest); bool SOSDigestVectorContainsSorted(const struct SOSDigestVector *dv, const uint8_t *digest); -void SOSDigestVectorReplaceAtIndex(struct SOSDigestVector *dv, size_t ix, const uint8_t *digest); void SOSDigestVectorFree(struct SOSDigestVector *dv); void SOSDigestVectorApply(struct SOSDigestVector *dv, SOSDigestVectorApplyBlock with); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSECWrapUnwrap.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSECWrapUnwrap.c index f232bb6f..f23285c9 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSECWrapUnwrap.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSECWrapUnwrap.c @@ -36,7 +36,7 @@ SOSCopyECWrappedData(ccec_pub_ctx *ec_ctx, CFDataRef data, CFErrorRef *error) require_quiet(SecRequirementError(data != NULL, error, CFSTR("data required for wrapping")), exit); require_quiet(SecRequirementError(ec_ctx != NULL, error, CFSTR("ec pub key required for wrapping")), exit); - require_quiet(ec_ctx, exit); // This should be removed when SecRequirementError can squelch analyzer warnings + require_quiet(ec_ctx != NULL, exit); outputLength = ccec_rfc6637_wrap_key_size(ec_ctx, CCEC_RFC6637_COMPACT_KEYS | DEBUGKEYS, CFDataGetLength(data)); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c index 2d2777ee..66f53239 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c @@ -33,6 +33,7 @@ #include <Security/SecureObjectSync/SOSPeer.h> #include <Security/SecureObjectSync/SOSViews.h> #include <Security/SecureObjectSync/SOSBackupEvent.h> +#include <Security/SecureObjectSync/SOSPersist.h> #include <corecrypto/ccder.h> #include <stdlib.h> #include <stdbool.h> 
@@ -63,6 +64,10 @@ // MARK: SOSEngine The Keychain database with syncable keychain support. // +//---------------------------------------------------------------------------------------- +// MARK: Engine state v0 +//---------------------------------------------------------------------------------------- + // Key in dataSource for general engine state file. // This file only has digest entries in it, no manifests. static const CFStringRef kSOSEngineState = CFSTR("engine-state"); 
@@ -74,6 +79,83 @@ static CFStringRef kSOSEnginePeerIDsKey = CFSTR("peerIDs"); static CFStringRef kSOSEngineIDKey = CFSTR("id"); static CFStringRef kSOSEngineTraceDateKey = CFSTR("traceDate"); +//---------------------------------------------------------------------------------------- +// MARK: Engine state v2 +//---------------------------------------------------------------------------------------- + +static const CFIndex kCurrentEngineVersion = 2; +// Keychain/datasource items +// Used for the kSecAttrAccount when saving in the datasource with dsSetStateWithKey +// Class D [kSecAttrAccessibleAlwaysPrivate/kSecAttrAccessibleAlwaysThisDeviceOnly] +static CFStringRef kSOSEngineStatev2 = CFSTR("engine-state-v2"); +static CFStringRef kSOSEnginePeerStates = CFSTR("engine-peer-states"); +static CFStringRef kSOSEngineManifestCache = CFSTR("engine-manifest-cache"); +#define kSOSEngineProtectionDomainClassD kSecAttrAccessibleAlwaysPrivate // >>>> or kSecAttrAccessibleAlwaysThisDeviceOnly +// Class A [kSecAttrAccessibleWhenUnlockedThisDeviceOnly] +static CFStringRef kSOSEngineCoders = CFSTR("engine-coders"); +#define kSOSEngineProtectionDomainClassA kSecAttrAccessibleWhenUnlockedThisDeviceOnly + +// Keys for individual dictionaries +// engine-state-v2 +static CFStringRef kSOSEngineStateVersionKey = CFSTR("engine-stateVersion"); + +// Current save/load routines +// SOSEngineCreate/SOSEngineLoad/SOSEngineSetState +// SOSEngineSave/SOSEngineDoSave/SOSEngineCopyState +// no save/load functions external to this file + +/* + Divide engine state into five pieces: + + - General engine state + - My peer ID + - List of other (trusted) peer IDs + + - Coder data (formerly in peer state) + - Backup Keybags (backup peers only) + - Peer state (including manifest hashes -- just keys into ManifestCache) + [__OpaqueSOSPeer/SOSPeerRef] + must-send + send-objects + sequence-number + Peer object states: + pending-objects + unwanted-manifest + confirmed-manifest + local-manifest + 
pending-manifest + Views + + - Manifest Cache + - local manifest hashes (copy of local keychain) + - peer manifest hashes + + These divisions are based on size, frequency of update, and protection domain + + The Manifest Cache is a dictionary where each key is a hash over its entry, + which is a concatenation of 20 byte hashes of the keychain items. The local + keychain is present as one entry. The other entries are subsets of that, one + for each confirmed/pending/missing/unwanted shared with a peer. The local + keychain entry can be re-created by iterating over the databse, whereas the + others are built up through communicating with other peers. + + 83:d=2 hl=2 l= 13 prim: UTF8STRING :manifestCache + 98:d=2 hl=4 l= 912 cons: SET + 102:d=3 hl=2 l= 24 cons: SEQUENCE + 104:d=4 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 + 126:d=4 hl=2 l= 0 prim: OCTET STRING + 128:d=3 hl=2 l= 124 cons: SEQUENCE + 130:d=4 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:F9B59370A4733F0D174E8D220C5BE3AF062C775B + 152:d=4 hl=2 l= 100 prim: OCTET STRING [HEX DUMP]:5A574BB4EC90C3BBCC69EE73CBFE039133AE807265D6A58003B8D205997EAB96390AAB207E63A2E270A476CAB5B2D9D2F7B0E55512AA957B58D5658E7EF907B069B83AA6BA941790A3C3C4A68292D59DABA3CA342966EFF82E1ACAEB691FD6E20772E17E + 254:d=3 hl=4 l= 366 cons: SEQUENCE + 258:d=4 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:2E69C2F7F3E014075B30004CE0EC6C1AD419EBF5 + 280:d=4 hl=4 l= 340 prim: OCTET STRING [HEX DUMP]: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 + 624:d=3 hl=4 l= 386 cons: SEQUENCE + 628:d=4 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:CCF179FF718C10F151E7409EDF1A06F0DF10DCAD + 650:d=4 hl=4 l= 360 prim: OCTET STRING [HEX DUMP]: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 + + */ + /* SOSEngine implementation. */ struct __OpaqueSOSEngine { CFRuntimeBase _base; 
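Review bot: The new `#define kSOSEngineProtectionDomainClassD kSecAttrAccessibleAlwaysPrivate // >>>> or kSecAttrAccessibleAlwaysThisDeviceOnly` ships an unresolved design marker on the protection class used for `engine-state-v2`, `engine-peer-states` and `engine-manifest-cache`; the difference between the two constants is whether this state is device-bound, which matters for backup/restore and migration behaviour, so the decision should be made and its reason recorded, e.g. `// Class D so sync state is readable before first unlock; device-bound (ThisDeviceOnly) was rejected/accepted because ...`. Keeping the coders in Class A (`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`) is the right call since they hold OTR session state, and a one-line comment saying so next to `kSOSEngineCoders` would make the split intentional rather than incidental. The explanatory block also has "databse" for "database", and the sample DER dump would be clearer with a sentence saying it is illustrative output from `openssl asn1parse` rather than a format specification (hedged, since the tool is not named).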
@@ -94,18 +176,28 @@ struct __OpaqueSOSEngine { CFDictionaryRef viewName2ChangeTracker; // CFStringRef -> SOSChangeTrackerRef CFArrayRef peerIDs; CFDateRef lastTraceDate; // Last time we did a CloudKeychainTrace + CFMutableDictionaryRef coders; + bool haveLoadedCoders; + + bool dirty; + bool codersNeedSaving; dispatch_queue_t queue; // Engine queue dispatch_source_t save_timer; // Engine state save timer + bool save_timer_pending; // Engine state timer running, read/modify on engine queue - dispatch_queue_t syncCompleteQueue; // Non-retained queue for async notificaion - CFMutableDictionaryRef syncCompleteListeners; // Map from PeerID->notification block + dispatch_queue_t syncCompleteQueue; // Non-retained queue for async notificaion + SOSEnginePeerInSyncBlock syncCompleteListener; // Block to call to notify the listener. }; -static bool SOSEngineLoad(SOSEngineRef engine, CFErrorRef *error); - - +static bool SOSEngineLoad(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error); +static bool SOSEngineSetPeers_locked(SOSEngineRef engine, SOSPeerMetaRef myPeerMeta, CFArrayRef trustedPeerMetas, CFArrayRef untrustedPeerMetas); +static void SOSEngineApplyPeerState(SOSEngineRef engine, CFDictionaryRef peerStateMap); +static void SOSEngineSynthesizePeerMetas(SOSEngineRef engine, CFMutableArrayRef trustedPeersMetas, CFMutableArrayRef untrustedPeers); +static bool SOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error); +static bool SOSEngineDeleteV0State(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error); + static CFStringRef SOSPeerIDArrayCreateString(CFArrayRef peerIDs) { return peerIDs ? CFStringCreateByCombiningStrings(kCFAllocatorDefault, peerIDs, CFSTR(" ")) : CFSTR(""); } @@ -145,6 +237,7 @@ void logRawMessage(CFDataRef message, bool sending, uint64_t seqno) CFReleaseSafe(hexMessage); #endif } + // // Peer state layout. WRONG! It's an array now // The peer state is an array. 
@@ -167,13 +260,17 @@ CFStringRef SOSEngineGetMyID(SOSEngineRef engine) { // TEMPORARY: Get the list of IDs for cleanup, this shouldn't be used instead it should iterate KVS. CFArrayRef SOSEngineGetPeerIDs(SOSEngineRef engine) { + if(!engine) return NULL; return engine->peerIDs; } void SOSEngineClearCache(SOSEngineRef engine){ CFReleaseNull(engine->manifestCache); CFReleaseNull(engine->localMinusUnreadableDigest); - dispatch_release(engine->queue); + if (engine->save_timer) + dispatch_source_cancel(engine->save_timer); + dispatch_release(engine->queue); + engine->queue = NULL; } static SOSPeerRef SOSEngineCopyPeerWithMapEntry_locked(SOSEngineRef engine, CFStringRef peerID, CFTypeRef mapEntry, CFErrorRef *error) { 
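Review bot: SOSEngineClearCache cancels engine->save_timer but neither releases it nor sets it to NULL, and it leaves save_timer_pending untouched, so if a save was pending the xpc_transaction_begin() issued in SOSEngineShouldSave is never balanced by the handler's xpc_transaction_end(), and a later SOSEngineShouldSave would find a non-NULL, cancelled source and call dispatch_source_set_timer/dispatch_resume on it with no effect. The timer handler also captures engine and runs dispatch_sync(engine->queue, ...), which this function releases and sets to NULL; cancel prevents future fires, but a handler already in flight would presumably still hit the NULL queue. Consider `dispatch_release(engine->save_timer); engine->save_timer = NULL; engine->save_timer_pending = false;` after the cancel, and a NULL-engine guard matching the one just added to SOSEngineGetPeerIDs.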
@@ -359,6 +456,81 @@ static bool SOSEngineGCManifests_locked(SOSEngineRef engine, CFErrorRef *error) // End of Manifest cache // +//---------------------------------------------------------------------------------------- +// MARK: Coders +//---------------------------------------------------------------------------------------- + +/* + Each peer has an associated coder, whcih the engine keeps track of in a + CFDictionary indexed by peerID. The coders are read from disk when first needed, + then kept in memory as SOSCoders. + + N.B. Don't rollback coder in memory if a transaction is rolled back, since this + might lead to reuse of an IV. +*/ + +static bool SOSEngineCopyCoderData(SOSEngineRef engine, CFStringRef peerID, CFDataRef *coderData, CFErrorRef *error) { + bool ok = true; + SOSCoderRef coder = (SOSCoderRef)CFDictionaryGetValue(engine->coders, peerID); + if (coder && (CFGetTypeID(coder) == SOSCoderGetTypeID())) { + CFErrorRef localError = NULL; + ok = *coderData = SOSCoderCopyDER(coder, &localError); + if (!ok) { + secerror("failed to der encode coder for peer %@, dropping it: %@", peerID, localError); + CFDictionaryRemoveValue(engine->coders, peerID); + CFErrorPropagate(localError, error); + } + } else { + *coderData = NULL; + } + return ok; +} + +static SOSCoderRef SOSEngineGetCoderInTx_locked(SOSEngineRef engine, SOSTransactionRef txn, CFStringRef peerID, CFErrorRef *error) { + if (!engine->haveLoadedCoders) { + engine->haveLoadedCoders = SOSEngineLoadCoders(engine, txn, error); + + if (!engine->haveLoadedCoders) { + return NULL; + } + } + + SOSCoderRef coder = (SOSCoderRef)CFDictionaryGetValue(engine->coders, peerID); + if (!coder || (CFGetTypeID(coder) != SOSCoderGetTypeID())) { + SOSErrorCreate(kSOSErrorPeerNotFound, error, NULL, CFSTR("No coder for peer: %@"), peerID); + } + return coder; +} + +static SOSCoderRef SOSEngineGetCoder_locked(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error) { + return SOSEngineGetCoderInTx_locked(engine, NULL, 
peerID, error); +} + +static bool SOSEngineEnsureCoder_locked(SOSEngineRef engine, CFStringRef peerID, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, SOSCoderRef ourCoder, CFErrorRef *error) { + if (!ourCoder || !SOSCoderIsFor(ourCoder, peerInfo, myPeerInfo)) { + secinfo("coder", "New coder for id %@.", peerID); + CFErrorRef localError = NULL; + SOSCoderRef coder = SOSCoderCreate(peerInfo, myPeerInfo, kCFBooleanFalse, &localError); + if (!coder) { + secerror("Failed to create coder for %@: %@", peerID, localError); + CFErrorPropagate(localError, error); + return false; + } + CFDictionarySetValue(engine->coders, peerID, coder); + CFReleaseNull(coder); + } + return true; +} + +bool SOSEngineInitializePeerCoder(SOSEngineRef engine, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, CFErrorRef *error) { + __block bool ok = true; + CFStringRef peerID = SOSPeerInfoGetPeerID(peerInfo); + ok &= SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) { + ok = SOSEngineEnsureCoder_locked(engine, peerID, myPeerInfo, peerInfo, coder, error); + }); + return ok; +} + static bool SOSEngineGCPeerState_locked(SOSEngineRef engine, CFErrorRef *error) { bool ok = true; 
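Review bot: In SOSEngineInitializePeerCoder the block assigns ok while the enclosing `ok &= SOSEngineForPeerID(...)` also reads ok, and that read is only indeterminately sequenced with the call, so a false produced by SOSEngineEnsureCoder_locked can be overwritten by `true & true` depending on when the compiler loads ok; write it as `bool ran = SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) { ok = SOSEngineEnsureCoder_locked(engine, peerID, myPeerInfo, peerInfo, coder, error); });` followed by `return ran && ok;`. Separately, SOSEngineEnsureCoder_locked installs a freshly created coder with CFDictionarySetValue and SOSEngineCopyCoderData drops an unencodable one, but neither sets engine->codersNeedSaving, which in the visible hunks is only set by SOSEngineSetPeers_locked, so the in-memory coder and the class A copy on disk can diverge until some unrelated peer change triggers a save; given the N.B. above about not rolling coders back because of IV reuse, the new-coder path should at least add `engine->codersNeedSaving = true;` next to the CFDictionarySetValue.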
@@ -393,81 +565,169 @@ static CFMutableDictionaryRef SOSEngineCopyPeerState_locked(SOSEngineRef engine, return peerState; } -static CFDataRef SOSEngineCopyState(SOSEngineRef engine, CFErrorRef *error) { - CFDataRef der = NULL; - CFMutableDictionaryRef state = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - if (engine->myID) CFDictionarySetValue(state, kSOSEngineIDKey, engine->myID); - if (engine->peerIDs) CFDictionarySetValue(state, kSOSEnginePeerIDsKey, engine->peerIDs); - if (engine->lastTraceDate) CFDictionarySetValue(state, kSOSEngineTraceDateKey, engine->lastTraceDate); - CFTypeRef peerState = SOSEngineCopyPeerState_locked(engine, error); - if (peerState) CFDictionarySetValue(state, kSOSEnginePeerStateKey, peerState); - CFReleaseSafe(peerState); - CFDictionaryRef mfc = SOSEngineCopyEncodedManifestCache_locked(engine, error); - if (mfc) { - CFDictionarySetValue(state, kSOSEngineManifestCacheKey, mfc); - CFReleaseSafe(mfc); - } - der = CFPropertyListCreateDERData(kCFAllocatorDefault, state, error); - CFReleaseSafe(state); - secnotice("engine", "%@", engine); +static CFMutableDictionaryRef SOSEngineCopyPeerCoders_locked(SOSEngineRef engine, CFErrorRef *error) { + CFMutableDictionaryRef coders = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFDictionaryForEach(engine->peerMap, ^(const void *key, const void *value) { + CFDataRef coderData = NULL; + CFErrorRef localError = NULL; + bool ok = SOSEngineCopyCoderData(engine, (CFStringRef)key, &coderData, &localError); + if (!ok) { + secnotice("engine", "%@ no coder for peer: %@", key, localError); + } + if (ok && coderData) { + CFDictionarySetValue(coders, key, coderData); + } + CFReleaseNull(coderData); + CFReleaseNull(localError); + }); + return coders; +} + +//---------------------------------------------------------------------------------------- +// MARK: Engine state v2 Save +//---------------------------------------------------------------------------------------- + +// Coders and 
keybags + +static CFDataRef SOSEngineCopyCoders(SOSEngineRef engine, CFErrorRef *error) { + // Copy the CFDataRef version of the coders into a dictionary, which is then DER-encoded for saving + CFDictionaryRef coders = SOSEngineCopyPeerCoders_locked(engine, error); + CFDataRef der = CFPropertyListCreateDERData(kCFAllocatorDefault, coders, error); + CFReleaseSafe(coders); return der; } -static bool SOSEngineDoSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { - CFDataRef derState = SOSEngineCopyState(engine, error); - bool ok = derState && SOSDataSourceSetStateWithKey(engine->dataSource, txn, kSOSEngineState, kSecAttrAccessibleAlways, derState, error); +static bool SOSEngineSaveCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { + // MUST hold engine lock + // Device must be unlocked for this to succeed + bool ok = true; + if (engine->codersNeedSaving) { + CFDataRef derCoders = SOSEngineCopyCoders(engine, error); + bool ok = derCoders && SOSDataSourceSetStateWithKey(engine->dataSource, txn, kSOSEngineCoders, + kSOSEngineProtectionDomainClassA, derCoders, error); + if (ok) { + engine->codersNeedSaving = false; + } + CFReleaseSafe(derCoders); + } + return ok; +} + +static CFDictionaryRef SOSEngineCopyBasicState(SOSEngineRef engine, CFErrorRef *error) { + // Create a version of the in-memory engine state for saving to disk + CFMutableDictionaryRef state = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + if (engine->myID) + CFDictionarySetValue(state, kSOSEngineIDKey, engine->myID); + if (engine->peerIDs) + CFDictionarySetValue(state, kSOSEnginePeerIDsKey, engine->peerIDs); + if (engine->lastTraceDate) + CFDictionarySetValue(state, kSOSEngineTraceDateKey, engine->lastTraceDate); + + SOSPersistCFIndex(state, kSOSEngineStateVersionKey, kCurrentEngineVersion); + return state; +} + +static bool SOSEngineDoSaveOneState(SOSEngineRef engine, SOSTransactionRef txn, CFStringRef key, CFStringRef pdmn, + CFDictionaryRef state, 
CFErrorRef *error) { + CFDataRef derState = CFPropertyListCreateDERData(kCFAllocatorDefault, state, error); + bool ok = derState && SOSDataSourceSetStateWithKey(engine->dataSource, txn, key, pdmn, derState, error); CFReleaseSafe(derState); return ok; } +static bool SOSEngineDoSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { + bool ok = true; + + CFDictionaryRef state = SOSEngineCopyBasicState(engine, error); + ok &= state && SOSEngineDoSaveOneState(engine, txn, kSOSEngineStatev2, kSOSEngineProtectionDomainClassD, state, error); + CFReleaseNull(state); + + state = SOSEngineCopyPeerState_locked(engine, error); + ok &= state && SOSEngineDoSaveOneState(engine, txn, kSOSEnginePeerStates, kSOSEngineProtectionDomainClassD, state, error); + CFReleaseNull(state); + + state = SOSEngineCopyEncodedManifestCache_locked(engine, error); + ok &= state && SOSEngineDoSaveOneState(engine, txn, kSOSEngineManifestCache, kSOSEngineProtectionDomainClassD, state, error); + CFReleaseNull(state); + + ok &= SOSEngineSaveCoders(engine, txn, error); + + SOSEngineDeleteV0State(engine, txn, NULL); + + return ok; +} + +#if ENGINE_DELAY_SAVE + #define SOSENGINE_SAVE_TIMEOUT (NSEC_PER_MSEC * 500ull) #define SOSENGINE_SAVE_LEEWAY (NSEC_PER_MSEC * 500ull) #define SOSENGINE_SAVE_MAX_DELAY (NSEC_PER_MSEC * 500ull) #if !(TARGET_IPHONE_SIMULATOR) static void SOSEngineShouldSave(SOSEngineRef engine) { - if (engine->save_timer) { - // Possibly defer timer further up to engine->save_deadline - return; - } + bool start_timer = false; + + if (engine->save_timer == NULL) { + // Schedule the timer to fire on a concurrent queue, so we can follow + // the proper procedure of acquiring a dataSource and then engine queues. 
+ engine->save_timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0)); + dispatch_source_set_event_handler(engine->save_timer, ^{ + CFErrorRef dsWithError = NULL; + + // Start with clearing the pending state so that any other caller + // get their own timer, worse case it that we get a duplicate store. + dispatch_sync(engine->queue, ^{ + engine->save_timer_pending = false; + }); - // Schedule the timer to fire on a concurrent queue, so we can follow - // the proper procedure of acquiring a dataSource and then engine queues. - engine->save_timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0)); - dispatch_source_set_event_handler(engine->save_timer, ^{ - CFErrorRef dsWithError = NULL; - if (engine->dataSource) { - if (!SOSDataSourceWith(engine->dataSource, &dsWithError, ^(SOSTransactionRef txn, bool *commit) { - dispatch_sync(engine->queue, ^{ - CFErrorRef saveError = NULL; - if (!SOSEngineDoSave(engine, txn, &saveError)) { - secerrorq("Failed to save engine state: %@", saveError); - CFReleaseNull(saveError); - } - }); - })) { - secerrorq("Failed to open dataSource to save engine state: %@", dsWithError); - CFReleaseNull(dsWithError); + if (engine->dataSource) { + if (!SOSDataSourceWith(engine->dataSource, &dsWithError, ^(SOSTransactionRef txn, bool *commit) { + dispatch_sync(engine->queue, ^{ + CFErrorRef saveError = NULL; + if (!SOSEngineDoSave(engine, txn, &saveError)) { + secerrorq("Failed to save engine state: %@", saveError); + CFReleaseNull(saveError); + } + }); + })) { + secerrorq("Failed to open dataSource to save engine state: %@", dsWithError); + CFReleaseNull(dsWithError); + } } - } - xpc_transaction_end(); - }); + + xpc_transaction_end(); + }); + start_timer = true; + assert(engine->save_timer_pending == false); + } + + if (engine->save_timer_pending) + return; + + engine->save_timer_pending = true; + + // Start a trasaction, then start 
the timer, the handler for the timer will end + // the transaction. + xpc_transaction_begin(); + // Set the timer's fire time to now + SOSENGINE_SAVE_TIMEOUT seconds with a SOSENGINE_SAVE_LEEWAY fuzz factor. dispatch_source_set_timer(engine->save_timer, dispatch_time(DISPATCH_TIME_NOW, SOSENGINE_SAVE_TIMEOUT), DISPATCH_TIME_FOREVER, SOSENGINE_SAVE_LEEWAY); - // Start a trasaction, then start the timer, the handler for the timer will end - // the transaction. - xpc_transaction_begin(); - dispatch_resume(engine->save_timer); + + if (start_timer) + dispatch_resume(engine->save_timer); + } #endif +#endif /* ENGINE_DELAY_SAVE */ + static bool SOSEngineSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { // Don't save engine state from tests if (!engine->dataSource) return true; -#if (TARGET_IPHONE_SIMULATOR) +#if (TARGET_IPHONE_SIMULATOR) || !ENGINE_DELAY_SAVE return SOSEngineDoSave(engine, txn, error); #else SOSEngineShouldSave(engine); 
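Review bot: In SOSEngineSaveCoders the inner `bool ok = derCoders && ...` declares a second variable that shadows the outer ok, so the function always returns true even when the class A write fails; only the outer, never-modified ok reaches `return ok`. Drop the `bool` so the line reads `ok = derCoders && SOSDataSourceSetStateWithKey(engine->dataSource, txn, kSOSEngineCoders, kSOSEngineProtectionDomainClassA, derCoders, error);`. As written, SOSEngineDoSave's `ok &= SOSEngineSaveCoders(...)` reports a successful save while codersNeedSaving stays true, so a failed coder write (the comment notes the device must be unlocked for it) is visible only through *error. `-Wshadow` would have flagged this.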
@@ -475,6 +735,215 @@ static bool SOSEngineSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef return true; } +//---------------------------------------------------------------------------------------- +// MARK: Engine state v2 Load/Restore +//---------------------------------------------------------------------------------------- + +// Restore the in-memory state of engine from saved state loaded from the db +static bool SOSEngineSetManifestCacheWithDictionary(SOSEngineRef engine, CFDictionaryRef manifestCache, CFErrorRef *error) { + __block bool ok = true; + CFReleaseNull(engine->manifestCache); + if (manifestCache) { + engine->manifestCache = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFDictionaryForEach(manifestCache, ^(const void *key, const void *value) { + CFDataRef data = (CFDataRef)value; + if (isData(data)) { + SOSManifestRef mf = SOSManifestCreateWithData(data, NULL); + if (mf) + CFDictionarySetValue(engine->manifestCache, key, mf); + CFReleaseSafe(mf); + } + }); + } + + return ok; +} + +static bool SOSEngineUpdateStateWithDictionary(SOSEngineRef engine, CFDictionaryRef stateDict, CFErrorRef *error) { + bool ok = true; +#if 0 + if (stateDict) { + // If kCurrentEngineVersion > 2, uncomment and fill in code below + CFIndex engineVersion = 0 ; + bool versionPresent = SOSPeerGetOptionalPersistedCFIndex(stateDict, kSOSEngineStateVersionKey, &engineVersion); + if (versionPresent && (engineVersion != kCurrentEngineVersion)) { + // need migration + } + } +#endif + return ok; +} + +static bool SOSEngineSetStateWithDictionary(SOSEngineRef engine, CFDictionaryRef stateDict, CFErrorRef *error) { + bool ok = true; + if (stateDict) { + SOSEngineUpdateStateWithDictionary(engine, stateDict, error); + CFRetainAssign(engine->myID, asString(CFDictionaryGetValue(stateDict, kSOSEngineIDKey), NULL)); + CFRetainAssign(engine->peerIDs, asArray(CFDictionaryGetValue(stateDict, kSOSEnginePeerIDsKey), NULL)); + CFRetainAssign(engine->lastTraceDate, 
asDate(CFDictionaryGetValue(stateDict, kSOSEngineTraceDateKey), NULL)); + + } + secnotice("engine", "%@", engine); + return ok; +} + +static bool SOSEngineSetPeerStateWithDictionary(SOSEngineRef engine, CFDictionaryRef peerStateDict, CFErrorRef *error) { + // Set the in-memory peer state using the dictionary version of the DER-encoded version from disk + CFMutableArrayRef untrustedPeers = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFMutableArrayRef trustedPeersMetas = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + SOSEngineApplyPeerState(engine, asDictionary(peerStateDict, NULL)); + SOSEngineSynthesizePeerMetas(engine, trustedPeersMetas, untrustedPeers); + SOSEngineSetPeers_locked(engine, engine->myID, trustedPeersMetas, untrustedPeers); + CFReleaseNull(trustedPeersMetas); + CFReleaseNull(untrustedPeers); + return true; +} + +static CFMutableDictionaryRef derStateToDictionaryCopy(CFDataRef state, CFErrorRef *error) { + bool ok = true; + CFMutableDictionaryRef stateDict = NULL; + if (state) { + const uint8_t *der = CFDataGetBytePtr(state); + const uint8_t *der_end = der + CFDataGetLength(state); + ok = der = der_decode_dictionary(kCFAllocatorDefault, kCFPropertyListMutableContainers, (CFDictionaryRef *)&stateDict, error, der, der_end); + if (der && der != der_end) { + ok = SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("trailing %td bytes at end of state"), der_end - der); + } + if (!ok) { + CFReleaseNull(stateDict); + } + } + return stateDict; +} + +static bool SOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { + // Read the serialized engine state from the datasource (aka keychain) and populate the in-memory engine + bool ok = true; + CFDataRef derCoders = NULL; + CFMutableDictionaryRef codersDict = NULL; + + derCoders = SOSDataSourceCopyStateWithKey(engine->dataSource, kSOSEngineCoders, kSOSEngineProtectionDomainClassA, txn, error); + require_quiet(derCoders, xit); + codersDict = 
derStateToDictionaryCopy(derCoders, error); + require_quiet(codersDict, xit); + + CFDictionaryForEach(engine->peerMap, ^(const void *peerID, const void *peerState) { + if (peerID) { + if (!CFDictionaryContainsKey(engine->coders, peerID)) { + CFDataRef coderData = asData(CFDictionaryGetValue(codersDict, peerID), NULL); + if (coderData) { + CFErrorRef createError = NULL; + SOSCoderRef coder = SOSCoderCreateFromData(coderData, &createError); + if (coder) { + // Sanity check + CFStringRef coderid = SOSCoderGetID(coder); + if (!CFEqualSafe(coderid, (CFStringRef)peerID)) { + secerror("Coder id %@ on disk does not match: %@", coderid, peerID); + } else { + CFDictionaryAddValue(engine->coders, peerID, coder); + } + } else { + secnotice("coder", "Coder for '%@' failed to create: %@", peerID, createError); + } + CFReleaseNull(createError); + CFReleaseNull(coder); + } else { + // Needed a coder, didn't find one, notify the account to help us out. + // Next attempt to sync will fix this + SOSCCEnsurePeerRegistration(); + } + } + + } + }); +xit: + CFReleaseNull(derCoders); + CFReleaseNull(codersDict); + return ok; +} + +static bool SOSEngineDeleteV0State(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { +// SOSDataSourceDeleteStateWithKey(engine->dataSource, kSOSEngineState, kSOSEngineProtectionDomainClassD, txn, error); + + // Create effectively empty state until delete is working + CFMutableDictionaryRef state = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + if (engine->myID) + CFDictionarySetValue(state, kSOSEngineIDKey, engine->myID); + CFDataRef derState = CFPropertyListCreateDERData(kCFAllocatorDefault, state, error); + CFReleaseNull(state); + + bool ok = derState && SOSDataSourceSetStateWithKey(engine->dataSource, txn, kSOSEngineState, kSOSEngineProtectionDomainClassD, derState, error); + CFReleaseSafe(derState); + return ok; +} + +static bool SOSEngineLoad(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { + // Read the 
serialized engine state from the datasource (aka keychain) and populate the in-memory engine + bool ok = true; + CFDataRef basicEngineState = NULL; + CFMutableDictionaryRef engineState = NULL; + CFDictionaryRef manifestCache = NULL; + CFDictionaryRef peerStateDict = NULL; + CFMutableDictionaryRef codersDict = NULL; + // Look for the v2 engine state first + basicEngineState = SOSDataSourceCopyStateWithKey(engine->dataSource, kSOSEngineStatev2, kSOSEngineProtectionDomainClassD, txn, error); + if (basicEngineState) { + CFDataRef data = NULL; + engineState = derStateToDictionaryCopy(basicEngineState, error); + + data = SOSDataSourceCopyStateWithKey(engine->dataSource, kSOSEngineManifestCache, kSOSEngineProtectionDomainClassD, txn, error); + manifestCache = derStateToDictionaryCopy(data, error); + CFReleaseNull(data); + + data = SOSDataSourceCopyStateWithKey(engine->dataSource, kSOSEnginePeerStates, kSOSEngineProtectionDomainClassD, txn, error); + peerStateDict = derStateToDictionaryCopy(data, error); + CFReleaseNull(data); + } else { + // Look for original V0 engine state next + CFDataRef v0EngineStateData = SOSDataSourceCopyStateWithKey(engine->dataSource, kSOSEngineState, kSOSEngineProtectionDomainClassD, txn, error); + if (v0EngineStateData) { + engineState = derStateToDictionaryCopy(v0EngineStateData, error); + if (engineState) { + manifestCache = CFRetainSafe(asDictionary(CFDictionaryGetValue(engineState, kSOSEngineManifestCacheKey), NULL)); + peerStateDict = CFRetainSafe(asDictionary(CFDictionaryGetValue(engineState, kSOSEnginePeerStateKey), NULL)); + } + CFReleaseNull(v0EngineStateData); + } + secnotice("coder", "Migrating from v0 engine state; dropping coders and forcing re-negotiation"); + SOSCCEnsurePeerRegistration(); + SOSCCSyncWithAllPeers(); + } + + ok = engineState && SOSEngineSetStateWithDictionary(engine, engineState, error); + + ok &= SOSEngineSetManifestCacheWithDictionary(engine, manifestCache, error); + + ok &= peerStateDict && 
SOSEngineSetPeerStateWithDictionary(engine, peerStateDict, error); + + CFReleaseSafe(basicEngineState); + CFReleaseSafe(engineState); + CFReleaseSafe(manifestCache); + CFReleaseSafe(peerStateDict); + CFReleaseSafe(codersDict); + return ok; +} + +bool SOSTestEngineSaveWithDER(SOSEngineRef engine, CFDataRef derState, CFErrorRef *error) { + assert(true); + return true; +} + +/* + bool SOSTestEngineSave(SOSEngineRef engine, CFErrorRef *error) { + +} + +*/ + +//---------------------------------------------------------------------------------------- +// MARK: Change Trackers and Peer Manifests +//---------------------------------------------------------------------------------------- + static SOSManifestRef SOSEngineCreateManifestWithViewNameSet_locked(SOSEngineRef engine, CFSetRef viewNameSet, CFErrorRef *error) { // TODO: Potentially tell all changeTrackers to track manifests ( //forall ct do SOSChangeTrackerSetConcrete(ct, true); // and read the entire dataSource and pass all objects though the filter here, instead of @@ -527,10 +996,10 @@ static void SOSEngineObjectWithView(SOSEngineRef engine, SOSObjectRef object, vo && isString(pdmn) && (CFEqual(pdmn, kSecAttrAccessibleWhenUnlocked) || CFEqual(pdmn, kSecAttrAccessibleAfterFirstUnlock) - || CFEqual(pdmn, kSecAttrAccessibleAlways) + || CFEqual(pdmn, kSecAttrAccessibleAlwaysPrivate) || CFEqual(pdmn, kSecAttrAccessibleWhenUnlockedThisDeviceOnly) || CFEqual(pdmn, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly) - || CFEqual(pdmn, kSecAttrAccessibleAlwaysThisDeviceOnly))) + || CFEqual(pdmn, kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate))) { CFTypeRef tomb = SecDbItemGetCachedValueWithName(item, kSecAttrTombstone); char cvalue = 0; 
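Review bot: SOSEngineLoadCoders returns ok, which is initialized to true and never changed, so both require_quiet exits report success — including the case where derStateToDictionaryCopy failed and has already populated *error — and SOSEngineGetCoderInTx_locked (the @@ -359 hunk) then records haveLoadedCoders = true and never retries. Because the coders live under kSOSEngineProtectionDomainClassA (see SOSEngineSaveCoders), a load attempted while that class is not readable would presumably be treated as "no coders on disk", and the next SOSEngineEnsureCoder_locked would create fresh coders over the persisted ones. Whether an absent item should count as loaded is a policy choice, but the decode failure should not; at minimum replace the second guard with `require_action_quiet(codersDict, xit, ok = false);` and consider the same for the first. Also, codersDict in SOSEngineLoad is declared and released but never assigned, and SOSTestEngineSaveWithDER's `assert(true);` is a no-op that should either test something or be removed.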
@@ -590,6 +1059,72 @@ static void SOSEngineObjectWithView(SOSEngineRef engine, SOSObjectRef object, vo } } +// +// Deliver delayed notifiations of changes in keychain +// + +static void +SOSSendViewNotification(CFSetRef viewNotifications) +{ + CFNotificationCenterRef center = CFNotificationCenterGetDarwinNotifyCenter(); + + CFSetForEach(viewNotifications, ^(const void *value) { + secinfo("view", "Sending view notification for view %@", value); + + CFStringRef str = CFStringCreateWithFormat(NULL, NULL, CFSTR("com.apple.security.view-change.%@"), value); + if (str == NULL) + return; + + CFNotificationCenterPostNotificationWithOptions(center, str, NULL, NULL, 0); + CFRelease(str); + + }); +} + +static void +SOSArmViewNotificationEvents(CFSetRef viewNotifications) +{ + static CFMutableSetRef pendingViewNotifications; + static dispatch_once_t onceToken; + static dispatch_queue_t queue; + + dispatch_once(&onceToken, ^{ + queue = dispatch_queue_create("ViewNotificationQueue", NULL); + }); + if (queue == NULL || CFSetGetCount(viewNotifications) == 0) + return; + + /* + * PendingViewNotifications is only modified on queue. + * PendingViewNotifications is used as a signal if a timer is running. + * + * If a timer is running, new events are just added to the existing + * pendingViewNotifications. 
+ */ + +#define DELAY_OF_NOTIFICATION_IN_NS (NSEC_PER_SEC) + + CFRetain(viewNotifications); + + dispatch_async(queue, ^{ + if (pendingViewNotifications == NULL) { + pendingViewNotifications = CFSetCreateMutableCopy(NULL, 0, viewNotifications); + + dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)DELAY_OF_NOTIFICATION_IN_NS), queue, ^{ + SOSSendViewNotification(pendingViewNotifications); + + // when timer hits, clear out set of modified views + CFRelease(pendingViewNotifications); + pendingViewNotifications = NULL; + }); + } else { + CFSetUnion(pendingViewNotifications, viewNotifications); + } + CFRelease(viewNotifications); + }); +} + + // // SOSChangeMapper - Helper for SOSEngineUpdateChanges_locked // @@ -599,6 +1134,7 @@ struct SOSChangeMapper { SOSDataSourceTransactionPhase phase; SOSDataSourceTransactionSource source; CFMutableDictionaryRef ct2changes; + CFMutableSetRef viewNotifications; }; static void SOSChangeMapperInit(struct SOSChangeMapper *cm, SOSEngineRef engine, SOSTransactionRef txn, SOSDataSourceTransactionPhase phase, SOSDataSourceTransactionSource source) { 
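Review bot: SOSSendViewNotification posts on the Darwin notify center, which is system-wide, and nothing in the hunk documents what a subscriber can observe; suggest a comment above the function such as `// Posts com.apple.security.view-change.<view> on the system-wide Darwin notify center. Carries only the view name (PCS-* views are collapsed to "PCS" by SOSChangeMapperAddViewNotification); delivery is coalesced for DELAY_OF_NOTIFICATION_IN_NS.` As a style point, DELAY_OF_NOTIFICATION_IN_NS is #defined in the middle of SOSArmViewNotificationEvents' body; placing it at file scope next to the SOSENGINE_SAVE_* constants would follow the file's existing convention.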
@@ -607,10 +1143,28 @@ static void SOSChangeMapperInit(struct SOSChangeMapper *cm, SOSEngineRef engine, cm->phase = phase; cm->source = source; cm->ct2changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + cm->viewNotifications = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); +} + +static void SOSChangeMapperSendNotifications(struct SOSChangeMapper *cm) +{ + SOSArmViewNotificationEvents(cm->viewNotifications); } static void SOSChangeMapperFree(struct SOSChangeMapper *cm) { CFReleaseSafe(cm->ct2changes); + CFReleaseSafe(cm->viewNotifications); +} + +static void SOSChangeMapperAddViewNotification(struct SOSChangeMapper *cm, CFStringRef view) +{ + assert(isString(view)); + + // aggregate the PCS view into one notification + if (CFStringHasPrefix(view, CFSTR("PCS-"))) { + view = CFSTR("PCS"); + } + CFSetSetValue(cm->viewNotifications, view); } static void SOSChangeMapperAppendObject(struct SOSChangeMapper *cm, SOSChangeTrackerRef ct, bool isAdd, CFTypeRef object) { @@ -641,7 +1195,7 @@ static bool SOSChangeMapperIngestChange(struct SOSChangeMapper *cm, bool isAdd, // delivery to all changeTrackers interested in any of those views. SOSObjectRef object = (SOSObjectRef)change; CFMutableSetRef changeTrackerSet = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); - // First gather all the changeTrackers interested in this object (eleminating dupes by collecting them in a set) + // First gather all the changeTrackers interested in this object (eliminating dupes by collecting them in a set) SOSEngineObjectWithView(cm->engine, object, ^(CFStringRef viewName) { const void *ctorset = CFDictionaryGetValue(cm->engine->viewName2ChangeTracker, viewName); if (isSet(ctorset)) { 
@@ -649,6 +1203,9 @@ static bool SOSChangeMapperIngestChange(struct SOSChangeMapper *cm, bool isAdd, } else if (ctorset) { CFSetAddValue(changeTrackerSet, ctorset); } + + + SOSChangeMapperAddViewNotification(cm, viewName); }); // Then append the object to the changes array in the ct2changes dictionary keyed by viewSet CFSetForEach(changeTrackerSet, ^(const void *ct) { @@ -670,15 +1227,17 @@ static bool SOSChangeMapperSend(struct SOSChangeMapper *cm, CFErrorRef *error) { static bool SOSEngineUpdateChanges_locked(SOSEngineRef engine, SOSTransactionRef txn, SOSDataSourceTransactionPhase phase, SOSDataSourceTransactionSource source, CFArrayRef changes, CFErrorRef *error) { - secnoticeq("engine", "%@: %s %s %ld changes", engine->myID, phase == kSOSDataSourceTransactionWillCommit ? "will-commit" : phase == kSOSDataSourceTransactionDidCommit ? "did-commit" : "did-rollback", source == kSOSDataSourceSOSTransaction ? "sos" : "api", CFArrayGetCount(changes)); + secnoticeq("engine", "%@: %s %s %ld changes, txn=%@, %p", engine->myID, phase == kSOSDataSourceTransactionWillCommit ? "will-commit" : phase == kSOSDataSourceTransactionDidCommit ? "did-commit" : "did-rollback", source == kSOSDataSourceSOSTransaction ? "sos" : "api", CFArrayGetCount(changes), txn, txn); bool ok = true; switch (phase) { case kSOSDataSourceTransactionDidRollback: - ok &= SOSEngineLoad(engine, error); + ok &= SOSEngineLoad(engine, txn, error); break; + case kSOSDataSourceTransactionDidCommit: // Corruption causes us to process items at DidCommit case kSOSDataSourceTransactionWillCommit: - case kSOSDataSourceTransactionDidCommit: { + bool mappedItemChanged = false; + struct SOSChangeMapper cm; SOSChangeMapperInit(&cm, engine, txn, phase, source); SecDbEventRef event; 
@@ -686,10 +1245,17 @@ static bool SOSEngineUpdateChanges_locked(SOSEngineRef engine, SOSTransactionRef CFTypeRef deleted = NULL; CFTypeRef inserted = NULL; SecDbEventGetComponents(event, &deleted, &inserted, error); - if (deleted) - SOSChangeMapperIngestChange(&cm, false, deleted); + if (deleted) { + bool someoneCares = SOSChangeMapperIngestChange(&cm, false, deleted); + if (someoneCares) { + mappedItemChanged = true; + } + } if (inserted) { bool someoneCares = SOSChangeMapperIngestChange(&cm, true, inserted); + if (someoneCares) { + mappedItemChanged = true; + } if (!someoneCares && !isData(inserted) && SecDbItemIsTombstone((SecDbItemRef)inserted) && !CFEqualSafe(SecDbItemGetValue((SecDbItemRef)inserted, &v7utomb, NULL), kCFBooleanTrue)) { CFErrorRef localError = NULL; // A tombstone was inserted but there is no changetracker that @@ -703,15 +1269,19 @@ static bool SOSEngineUpdateChanges_locked(SOSEngineRef engine, SOSTransactionRef } ok &= SOSChangeMapperSend(&cm, error); + SOSChangeMapperSendNotifications(&cm); // Trigger notifications for view that changes changed SOSChangeMapperFree(&cm); - if (phase == kSOSDataSourceTransactionDidCommit) { - // We are being called outside a transaction, beware, that any - // db changes we attempt to make here will cause deadlock! - } else { - // Write SOSEngine and SOSPeer state to disk - // TODO: Only do this if dirty - ok &= SOSEngineSave(engine, txn, error); + if (ok && phase == kSOSDataSourceTransactionWillCommit) { + // Only consider writing if we're in the WillCommit phase. + // DidCommit phases happen outside the database lock and + // writing to the DBConn will cause deadlocks. + if (mappedItemChanged) { + // Write SOSEngine and SOSPeer state to disk + ok &= SOSEngineSave(engine, txn, error); + } else { + secnotice("engine", "Not saving engine state, nothing changed."); + } } break; } 
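Review bot: The new `if (mappedItemChanged)` gate skips SOSEngineSave even when engine->codersNeedSaving is true — it is set in SOSEngineSetPeers_locked and only cleared by a successful SOSEngineSaveCoders — so a coder change arriving with a circle update but no mapped item change is not persisted by this path; unless another caller reaches SOSEngineSave, `if (mappedItemChanged || engine->codersNeedSaving)` would be the safer condition. The `dirty` field added to struct __OpaqueSOSEngine is neither set nor read in any visible hunk, which suggests it was intended for exactly this decision. SOSEngineUpdateChanges_locked starts outside this hunk.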
@@ -720,12 +1290,14 @@ static bool SOSEngineUpdateChanges_locked(SOSEngineRef engine, SOSTransactionRef } static void SOSEngineSetNotifyPhaseBlock(SOSEngineRef engine) { - SOSDataSourceSetNotifyPhaseBlock(engine->dataSource, engine->queue, ^(SOSDataSourceRef ds, SOSTransactionRef txn, SOSDataSourceTransactionPhase phase, SOSDataSourceTransactionSource source, CFArrayRef changes) { - CFErrorRef localError = NULL; - if (!SOSEngineUpdateChanges_locked(engine, txn, phase, source, changes, &localError)) { - secerror("updateChanged failed: %@", localError); - } - CFReleaseSafe(localError); + SOSDataSourceAddNotifyPhaseBlock(engine->dataSource, ^(SOSDataSourceRef ds, SOSTransactionRef txn, SOSDataSourceTransactionPhase phase, SOSDataSourceTransactionSource source, CFArrayRef changes) { + dispatch_sync(engine->queue, ^{ + CFErrorRef localError = NULL; + if (!SOSEngineUpdateChanges_locked(engine, txn, phase, source, changes, &localError)) { + secerror("updateChanged failed: %@", localError); + } + CFReleaseSafe(localError); + }); }); } @@ -790,16 +1362,10 @@ static SOSChangeTrackerRef SOSReferenceAndGetChangeTracker(CFDictionaryRef looku return ct; } -static CFStringRef CFStringCreateWithViewNameSet(CFSetRef vns); - static void CFStringAppendPeerIDAndViews(CFMutableStringRef desc, CFStringRef peerID, CFSetRef vns) { - if (vns) { - CFStringRef vnsDesc = CFStringCreateWithViewNameSet(vns); - CFStringAppendFormat(desc, NULL, CFSTR(" %@ (%@)"), peerID, vnsDesc); - CFReleaseSafe(vnsDesc); - } else { - CFStringAppendFormat(desc, NULL, CFSTR(" %@ NULL"), peerID); - } + CFStringSetPerformWithDescription(vns, ^(CFStringRef description) { + CFStringAppendFormat(desc, NULL, CFSTR(" %@ (%@)"), peerID, description); + }); } // Must be called after updating viewNameSet2ChangeTracker 
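Review bot: The notify block now enters engine->queue with dispatch_sync itself; if SOSDataSourceAddNotifyPhaseBlock can deliver a phase from a caller already running on engine->queue (a *_locked function driving a transaction), this deadlocks, and after SOSEngineClearCache sets engine->queue to NULL the dispatch targets a NULL queue. The previous code handed the queue to the data source, which presumably handled that ordering; a comment stating the contract would help: `// Must be delivered off engine->queue; we serialize onto it here.` In CFStringAppendPeerIDAndViews the explicit NULL-vns branch is gone, so CFStringSetPerformWithDescription must tolerate a NULL set, which I cannot confirm from here.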
@@ -1038,6 +1604,34 @@ static bool SOSEngineSetPeers_locked(SOSEngineRef engine, SOSPeerMetaRef myPeerM CFStringRef myPeerID = myPeerMeta ? SOSPeerMetaGetComponents(myPeerMeta, &myViews, &myKeyBag, &error) : NULL; if (desc) CFStringAppendPeerIDAndViews(desc, myPeerID, myViews); + // Start with no coders + CFMutableDictionaryRef codersToKeep = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + + // If we're the same peerID we keep known peers (both trusted and untrusted) + if (CFEqualSafe(myPeerID, engine->myID)) { + void (^copyPeerMetasCoder)(const void *value) = ^(const void*element) { + SOSPeerMetaRef peerMeta = (SOSPeerMetaRef) element; + + CFStringRef currentID = SOSPeerMetaGetComponents(peerMeta, NULL, NULL, NULL); + if (currentID) { + SOSCoderRef coder = (SOSCoderRef) CFDictionaryGetValue(engine->coders, currentID); + if (coder) { + CFDictionarySetValue(codersToKeep, currentID, coder); + } + } + }; + + if (trustedPeerMetas) { + CFArrayForEach(trustedPeerMetas, copyPeerMetasCoder); + } + if (untrustedPeerMetas) { + CFArrayForEach(untrustedPeerMetas, copyPeerMetasCoder); + } + } + + CFTransferRetained(engine->coders, codersToKeep); + engine->codersNeedSaving = true; + CFRetainAssign(engine->myID, myPeerID); // Remake engine->peerMap from both trusted and untrusted peers 
@@ -1170,54 +1764,6 @@ static void SOSEngineCloudKeychainTraceIfNeeded(SOSEngineRef engine) {
 #endif
 }
-// Restore the in-memory state of engine from saved state loaded from the db
-static bool SOSEngineSetState(SOSEngineRef engine, CFDataRef state, CFErrorRef *error) {
- __block bool ok = true;
- if (state) {
- CFMutableDictionaryRef dict = NULL;
- const uint8_t *der = CFDataGetBytePtr(state);
- const uint8_t *der_end = der + CFDataGetLength(state);
- ok = der = der_decode_dictionary(kCFAllocatorDefault, kCFPropertyListMutableContainers, (CFDictionaryRef *)&dict, error, der, der_end);
- if (der && der != der_end) {
- ok = SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("trailing %td bytes at end of state"), der_end - der);
- } else if (ok) {
- CFReleaseNull(engine->manifestCache);
- CFMutableDictionaryRef mfc = (CFMutableDictionaryRef)CFDictionaryGetValue(dict, kSOSEngineManifestCacheKey);
- if (mfc) {
- engine->manifestCache = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
- CFDictionaryForEach(mfc, ^(const void *key, const void *value) {
- CFDataRef data = (CFDataRef)value;
- if (isData(data)) {
- SOSManifestRef mf = SOSManifestCreateWithData(data, NULL);
- if (mf)
- CFDictionarySetValue(engine->manifestCache, key, mf);
- CFReleaseSafe(mf);
- }
- });
- }
- CFMutableArrayRef untrustedPeers = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
- CFMutableArrayRef trustedPeersMetas = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
- CFRetainAssign(engine->peerIDs, asArray(CFDictionaryGetValue(dict, kSOSEnginePeerIDsKey), NULL));
- CFRetainAssign(engine->lastTraceDate, asDate(CFDictionaryGetValue(dict, kSOSEngineTraceDateKey), NULL));
- SOSEngineApplyPeerState(engine, asDictionary(CFDictionaryGetValue(dict, kSOSEnginePeerStateKey), NULL));
- SOSEngineSynthesizePeerMetas(engine, trustedPeersMetas, untrustedPeers);
- SOSEngineSetPeers_locked(engine, (CFStringRef)CFDictionaryGetValue(dict, kSOSEngineIDKey),
- trustedPeersMetas,
untrustedPeers);
- CFReleaseNull(trustedPeersMetas);
- CFReleaseNull(untrustedPeers);
- }
- CFReleaseNull(dict);
- }
- secnotice("engine", "%@", engine);
- return ok;
-}
-
-static bool SOSEngineLoad(SOSEngineRef engine, CFErrorRef *error) {
- CFDataRef state = SOSDataSourceCopyStateWithKey(engine->dataSource, kSOSEngineState, kSecAttrAccessibleAlways, error);
- bool ok = state && SOSEngineSetState(engine, state, error);
- CFReleaseSafe(state);
- return ok;
-}
 static bool SOSEngineCircleChanged_locked(SOSEngineRef engine, SOSPeerMetaRef myPeerMeta, CFArrayRef trustedPeers, CFArrayRef untrustedPeers) { // Sanity check params
@@ -1265,9 +1811,13 @@ SOSEngineRef SOSEngineCreate(SOSDataSourceRef dataSource, CFErrorRef *error) {
 engine->viewNameSet2ChangeTracker = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
 engine->viewName2ChangeTracker = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
 //engine->syncCompleteQueue = NULL;
- engine->syncCompleteListeners = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+ engine->syncCompleteListener = NULL;
+ engine->coders = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+ engine->haveLoadedCoders = false;
+ engine->codersNeedSaving = false;
+
 CFErrorRef engineError = NULL;
- if (!SOSEngineLoad(engine, &engineError)) {
+ if (!SOSEngineLoad(engine, NULL, &engineError)) {
 secwarning("engine failed load state starting with nothing %@", engineError);
 CFReleaseNull(engineError);
 if (!SOSEngineInit(engine, error)) {
@@ -1290,7 +1840,7 @@ static void SOSEngineDoOnQueue(SOSEngineRef engine, dispatch_block_t action)
 static bool SOSEngineDoTxnOnQueue(SOSEngineRef engine, CFErrorRef *error, void(^transaction)(SOSTransactionRef txn, bool *commit)) {
- return SOSDataSourceWith(engine->dataSource, error, ^(SOSTransactionRef txn, bool *commit) {
+ return SOSDataSourceWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn, bool *commit) {
 SOSEngineDoOnQueue(engine, ^{ transaction(txn, commit); });
 });
 }
@@ -1302,6 +1852,7 @@ static bool SOSEngineDoTxnOnQueue(SOSEngineRef engine, CFErrorRef *error, void(^
 void SOSEngineDispose(SOSEngineRef engine) {
 // NOOP Engines stick around forever to monitor dataSource changes.
 engine->dataSource = NULL;
+ CFReleaseNull(engine->coders);
 }
 void SOSEngineForEachPeer(SOSEngineRef engine, void (^with)(SOSPeerRef peer)) {
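Review bot: SOSEngineDispose now releases engine->coders and leaves the field NULL under a comment that still says the function is a NOOP and that the engine keeps monitoring dataSource changes; SOSEngineSetPeers_locked (earlier hunk) and the SOSEngineForPeerID helpers (later hunks) read engine->coders through CFDictionaryGetValue with no NULL check, so a circle change or peer lookup after dispose would dereference NULL, as it already would through the NULLed dataSource. Either empty the dictionary in place with `CFDictionaryRemoveAllValues(engine->coders);` and keep the field, or replace the stale comment with one that states the engine is unusable after dispose. The syncCompleteQueue retained and the listener block copied in the @@ -1693 hunk are not released here either; if that is deliberate the comment should say so.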
@@ -1693,34 +2244,37 @@ static __unused bool SOSEngineCheckPeerIntegrity(SOSEngineRef engine, SOSPeerRef
 return true;
 }
-void SOSEngineSetSyncCompleteListener(SOSEngineRef engine, CFStringRef peerID, dispatch_block_t notify_block) {
- dispatch_block_t copy = Block_copy(notify_block);
+void SOSEngineSetSyncCompleteListener(SOSEngineRef engine, SOSEnginePeerInSyncBlock notify_block) {
 SOSEngineDoOnQueue(engine, ^{
- if (notify_block) {
- CFDictionarySetValue(engine->syncCompleteListeners, peerID, copy);
- } else {
- CFDictionaryRemoveValue(engine->syncCompleteListeners, peerID);
- }
+ CFAssignRetained(engine->syncCompleteListener, Block_copy(notify_block));
 });
- CFReleaseNull(copy);
 }
 void SOSEngineSetSyncCompleteListenerQueue(SOSEngineRef engine, dispatch_queue_t notify_queue) {
 SOSEngineDoOnQueue(engine, ^{
- engine->syncCompleteQueue = notify_queue;
+ CFRetainAssign(engine->syncCompleteQueue, notify_queue);
 });
 }
 static void SOSEngineCompletedSyncWithPeer(SOSEngineRef engine, SOSPeerRef peer) {
- dispatch_block_t notify = CFDictionaryGetValue(engine->syncCompleteListeners, SOSPeerGetID(peer));
- if (notify && engine->syncCompleteQueue)
- dispatch_async(engine->syncCompleteQueue, notify);
-
- // Delete dictionary entry?
+ SOSEnginePeerInSyncBlock block_to_call = engine->syncCompleteListener;
+
+ if (block_to_call && engine->syncCompleteQueue) {
+ CFStringRef ID = CFRetainSafe(SOSPeerGetID(peer));
+ CFSetRef views = CFRetainSafe(SOSPeerGetViewNameSet(peer));
+ CFRetainSafe(block_to_call);
+
+ dispatch_async(engine->syncCompleteQueue, ^{
+ block_to_call(ID, views);
+ CFReleaseSafe(ID);
+ CFReleaseSafe(views);
+ CFReleaseSafe(block_to_call);
+ });
+ }
 }
-CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSPeerRef peer,
+CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer,
 CFErrorRef *error, SOSEnginePeerMessageSentBlock *sent) {
 SOSManifestRef local = SOSEngineCopyLocalPeerManifest_locked(engine, peer, error);
 __block SOSMessageRef message = SOSMessageCreate(kCFAllocatorDefault, SOSPeerGetMessageVersion(peer), error);
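Review bot: SOSEngineCompletedSyncWithPeer silently drops the completion when engine->syncCompleteQueue is NULL, and the listener is now one engine-wide block instead of the per-peer dictionary entry the removed code looked up; neither behaviour is written down. Add a comment above the `if (block_to_call && engine->syncCompleteQueue)` test, e.g. `// Single listener for all peers; with no queue registered the completion is dropped, not deferred.`, and note on SOSEngineSetSyncCompleteListener that passing NULL clears the listener, since Block_copy(NULL) yields NULL and CFAssignRetained then stores it. The retain/release pairing around the async block looks correct: ID, views and the block are retained before the hop and released inside it.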
@@ -1824,14 +2378,21 @@ CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSPeerRef peer,
 __block size_t objectsSize = 0;
 __block struct SOSDigestVector dv = SOSDigestVectorInit;
 CFMutableArrayRef changes = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
- if (!SOSDataSourceForEachObject(engine->dataSource, pendingObjects, error, ^void(CFDataRef key, SOSObjectRef object, bool *stop) {
+ __block CFErrorRef dsfeError = NULL;
+
+ if (!SOSDataSourceForEachObject(engine->dataSource, txn, pendingObjects, &dsfeError, ^void(CFDataRef key, SOSObjectRef object, bool *stop) {
 CFErrorRef localError = NULL;
 CFDataRef digest = NULL;
 CFDataRef der = NULL;
+#if !defined(NDEBUG)
+ const uint8_t *d = CFDataGetBytePtr(key);
+#endif
+ secdebug("engine", "%@:%@ object %02X%02X%02X%02X error from SOSDataSourceForEachObject: %@",
+ engine->myID, SOSPeerGetID(peer), d[0], d[1], d[2], d[3], dsfeError);
 if (!object) {
 const uint8_t *d = CFDataGetBytePtr(key);
- secnoticeq("engine", "%@:%@ object %02X%02X%02X%02X dropping from manifest: not found in datasource",
- engine->myID, SOSPeerGetID(peer), d[0], d[1], d[2], d[3]);
+ secerror("%@:%@ object %02X%02X%02X%02X dropping from manifest: not found in datasource: %@",
+ engine->myID, SOSPeerGetID(peer), d[0], d[1], d[2], d[3], dsfeError);
 SOSChangesAppendDelete(changes, key);
 } else if (!(der = SOSEngineCopyObjectDER(engine, object, &localError)) || !(digest = SOSObjectCopyDigest(engine->dataSource, object, &localError))) {
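Review bot: The new per-object `secdebug` line labels dsfeError as "error from SOSDataSourceForEachObject", but dsfeError is the out-parameter of the enumeration that is still running, so inside the callback it is normally NULL and the line is misleading on every successfully visited object; the value is only meaningful once SOSDataSourceForEachObject has returned. The `#if !defined(NDEBUG)` declaration of `d` presumably only works because secdebug expands to nothing in release builds, and the `const uint8_t *d` inside `if (!object)` shadows it in debug builds, which -Wshadow will flag. Suggest logging the digest prefix alone here, `secdebug("engine", "%@:%@ object %02X%02X%02X%02X", engine->myID, SOSPeerGetID(peer), d[0], d[1], d[2], d[3]);`, dropping the inner redeclaration, and reporting the enumeration error once after the loop. The callback continues outside the hunk.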
@@ -1878,13 +2439,16 @@ CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSPeerRef peer,
 if (objectsSize > kSOSMessageMaxObjectsSize) *stop = true;
 }
+ CFErrorPropagate(dsfeError, error); // this also releases dsfeError
+ dsfeError = NULL;
 CFReleaseSafe(der);
 CFReleaseSafe(digest);
 })) {
 CFReleaseNull(message);
 }
- if (dv.count)
+ if (dv.count){
 objectsSent = SOSManifestCreateWithDigestVector(&dv, error);
+ }
 if (CFArrayGetCount(changes)) {
 CFErrorRef localError = NULL;
 if (!SOSEngineUpdateChanges_locked(engine, NULL, kSOSDataSourceTransactionDidCommit, kSOSDataSourceSOSTransaction, changes, &localError))
@@ -1893,6 +2457,8 @@ CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSPeerRef peer,
 CFAssignRetained(local, SOSEngineCopyLocalPeerManifest_locked(engine, peer, error));
 }
 CFReleaseSafe(changes);
+ SOSDigestVectorFree(&dv);
+ CFReleaseNull(dsfeError);
 }
 } else {
 // If we have no confirmed manifest, we want all pendedObjects going out as a manifest
@@ -2024,7 +2590,7 @@ static bool SOSEngineWriteToBackup_locked(SOSEngineRef engine, SOSPeerRef peer,
 });
 if (ok && SOSManifestGetCount(pendingObjects)) {
 CFMutableArrayRef changes = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
- ok &= SOSDataSourceForEachObject(engine->dataSource, pendingObjects, error, ^void(CFDataRef key, SOSObjectRef object, bool *stop) {
+ ok &= SOSDataSourceForEachObject(engine->dataSource, NULL, pendingObjects, error, ^void(CFDataRef key, SOSObjectRef object, bool *stop) {
 CFErrorRef localError = NULL;
 CFDataRef digest = NULL;
 CFDictionaryRef backupItem = NULL;
@@ -2127,7 +2693,7 @@ done:
 return ok;
 }
-bool SOSEngineSyncWithPeers(SOSEngineRef engine, CFTypeRef idsTransport, CFTypeRef kvsTransport, CFErrorRef *error) {
+bool SOSEngineSyncWithPeers(SOSEngineRef engine, CFErrorRef *error) {
 __block bool ok = true;
 __block bool incomplete = false;
 ok &= SOSEngineDoTxnOnQueue(engine, error, ^(SOSTransactionRef txn, bool *commit) {
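Review bot: `CFErrorPropagate(dsfeError, error)` runs inside the per-object callback, i.e. while SOSDataSourceForEachObject still owns `&dsfeError`; if the data source only sets its out-error on failure this propagates NULL on every iteration and does nothing, and if it sets it earlier the function can return a non-NULL message with *error already populated. The natural place is after the enumeration returns, next to the `CFReleaseNull(dsfeError)` that the @@ -1893 hunk adds at the end of the block, so the error is propagated exactly once. The added `SOSDigestVectorFree(&dv)` closes a leak on this path and is welcome. Minor: `if (dv.count){` is missing the space before the brace used everywhere else in the file.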
@@ -2167,6 +2733,8 @@ void SOSEngineCircleChanged(SOSEngineRef engine, CFStringRef myPeerID, CFArrayRe
 __block bool peersOrViewsChanged = false;
 SOSEngineDoOnQueue(engine, ^{
 peersOrViewsChanged = SOSEngineCircleChanged_locked(engine, myPeerID, trustedPeers, untrustedPeers);
+ engine->dirty = peersOrViewsChanged;
+ engine->codersNeedSaving = peersOrViewsChanged;
 });
 __block bool ok = true;
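Review bot: `engine->dirty = peersOrViewsChanged;` and `engine->codersNeedSaving = peersOrViewsChanged;` overwrite rather than accumulate, so a circle change that turns out to be a no-op clears a save request that was already pending; SOSEngineSetPeers_locked in an earlier hunk sets codersNeedSaving = true unconditionally, and if SOSEngineCircleChanged_locked reaches it (its body is outside this hunk) that value is then replaced by a possibly-false peersOrViewsChanged. Use `engine->dirty |= peersOrViewsChanged;` and `engine->codersNeedSaving |= peersOrViewsChanged;` so the flags only ever rise here and are cleared by the save path alone.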
@@ -2230,21 +2798,42 @@ SOSPeerRef SOSEngineCopyPeerWithID(SOSEngineRef engine, CFStringRef peer_id, CFE
 return peer;
 }
-bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSPeerRef peer)) {
+bool SOSEngineForPeerIDNoCoder(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer)) {
 __block bool ok = true;
- SOSEngineDoOnQueue(engine, ^{
- SOSPeerRef peer = SOSEngineCopyPeerWithID_locked(engine, peerID, error);
- if (peer) {
- forPeer(peer);
- CFRelease(peer);
- } else {
- ok = false;
- }
+ SOSDataSourceReadWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn) {
+ SOSEngineDoOnQueue(engine, ^{
+ SOSPeerRef peer = SOSEngineCopyPeerWithID_locked(engine, peerID, error);
+ if (peer) {
+ forPeer(txn, peer);
+ CFRelease(peer);
+ } else {
+ ok = false;
+ }
+ });
+ });
+
+ return ok;
+}
+
+bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder)) {
+ __block bool ok = true;
+ SOSDataSourceReadWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn) {
+ SOSEngineDoOnQueue(engine, ^{
+ SOSPeerRef peer = SOSEngineCopyPeerWithID_locked(engine, peerID, error);
+ if (peer) {
+ SOSCoderRef coder = SOSEngineGetCoder_locked(engine, peerID, NULL);
+ forPeer(txn, peer, coder);
+ CFRelease(peer);
+ } else {
+ ok = false;
+ }
+ });
 });
+
 return ok;
 }
-bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^with)(SOSPeerRef peer, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState)) {
+bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^with)(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState)) {
 __block bool result = true;
 result &= SOSEngineDoTxnOnQueue(engine, error, ^(SOSTransactionRef txn, bool
*commit) {
 SOSPeerRef peer = SOSEngineCopyPeerWithID_locked(engine, peerID, error);
@@ -2252,7 +2841,8 @@ bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *er
 result = SOSErrorCreate(kSOSErrorPeerNotFound, error, NULL, CFSTR("Engine has no peer for %@"), peerID);
 } else {
 bool saveState = false;
- with(peer, engine->dataSource, txn, &saveState);
+ SOSCoderRef coder = SOSEngineGetCoderInTx_locked(engine, txn, peerID, NULL);
+ with(peer, coder, engine->dataSource, txn, &saveState);
 CFReleaseSafe(peer);
 if (saveState)
 result = SOSEngineSave(engine, txn, error);
@@ -2265,14 +2855,14 @@ bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *er
 CFDataRef SOSEngineCreateMessageToSyncToPeer(SOSEngineRef engine, CFStringRef peerID, SOSEnginePeerMessageSentBlock *sentBlock, CFErrorRef *error) {
 __block CFDataRef message = NULL;
- SOSEngineForPeerID(engine, peerID, error, ^(SOSPeerRef peer) {
- message = SOSEngineCreateMessage_locked(engine, peer, error, sentBlock);
+ SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) {
+ message = SOSEngineCreateMessage_locked(engine, txn, peer, error, sentBlock);
 });
 return message;
 }
 bool SOSEnginePeerDidConnect(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error) {
- return SOSEngineWithPeerID(engine, peerID, error, ^(SOSPeerRef peer, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *saveState) {
+ return SOSEngineWithPeerID(engine, peerID, error, ^(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *saveState) {
 *saveState = SOSPeerDidConnect(peer);
 });
 }
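Review bot: Both SOSEngineForPeerIDNoCoder and SOSEngineForPeerID ignore the return value of SOSDataSourceReadWithCommitQueue, so if the read transaction cannot be opened the inner block never runs, forPeer is never called, and the function still returns true (with *error possibly set); the SOSEngineDoOnQueue version they replace could not fail in this way, and callers such as SOSEngineSetPeerConfirmedManifest do `ok &= SOSEngineForPeerID(...)`. Fold the result in with `ok &= SOSDataSourceReadWithCommitQueue(engine->dataSource, error, ^(SOSTransactionRef txn) {` in both functions. The same `error` is also handed to the outer call and to SOSEngineCopyPeerWithID_locked; if the outer call writes it after the inner one already did, the inner CFErrorRef is overwritten and leaked rather than propagated — hedged, since neither helper is visible here.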
@@ -2281,7 +2871,7 @@ bool SOSEngineSetPeerConfirmedManifest(SOSEngineRef engine, CFStringRef backupNa
 CFDataRef keybagDigest, CFDataRef manifestData, CFErrorRef *error) {
 __block bool ok = true;
- ok &= SOSEngineForPeerID(engine, backupName, error, ^(SOSPeerRef peer) {
+ ok &= SOSEngineForPeerID(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) {
 bool dirty = false;
 bool incomplete = false;
 SOSManifestRef confirmed = NULL;
@@ -2322,26 +2912,11 @@ CFArrayRef SOSEngineCopyBackupPeerNames(SOSEngineRef engine, CFErrorRef *error)
 return backupNames;
 }
-static CFStringRef CFStringCreateWithViewNameSet(CFSetRef vns) {
- CFIndex count = CFSetGetCount(vns);
- CFMutableArrayRef mvn = CFArrayCreateMutableForCFTypesWithCapacity(kCFAllocatorDefault, count);
- CFSetForEach(vns, ^(const void *value) {
- CFArrayAppendValue(mvn, value);
- });
- CFArraySortValues(mvn, CFRangeMake(0, count), (CFComparatorFunction)CFStringCompare, 0);
- CFStringRef string = CFStringCreateByCombiningStrings(kCFAllocatorDefault, mvn, CFSTR(":"));
- CFRelease(mvn);
- return string;
-}
-
 static CFStringRef CFStringCreateWithLabelAndViewNameSetDescription(CFStringRef label, CFStringRef peerID, CFSetRef vns, SOSManifestRef manifest) {
- CFStringRef vnsDesc = CFStringCreateWithViewNameSet(vns);
- CFStringRef desc;
- if (manifest)
- desc = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@ %@ (%@) [%lu]"), label, peerID, vnsDesc, SOSManifestGetCount(manifest));
- else
- desc = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@ %@ (%@)"), label, peerID, vnsDesc);
- CFReleaseSafe(vnsDesc);
+ __block CFStringRef desc;
+ CFStringSetPerformWithDescription(vns, ^(CFStringRef description) {
+ desc = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@ %@ (%@) [%lu]"), label, peerID, description, (manifest) ? SOSManifestGetCount(manifest): 0);
+ });
 return desc;
 }
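Review bot: `__block CFStringRef desc;` in CFStringCreateWithLabelAndViewNameSetDescription is never initialised, so if CFStringSetPerformWithDescription does not invoke its block (a NULL vns, for instance) the function returns an indeterminate pointer that the caller will later release; the old code always assigned it on both branches. Initialise it: `__block CFStringRef desc = NULL;`. The rewrite also changes the output: a peer with no manifest now prints `[0]` where the old format omitted the bracket, which anything that greps engine descriptions out of logs will notice — fine if intended, but worth a line in the commit message.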
@@ -2386,3 +2961,31 @@ CFArrayRef SOSEngineCopyPeerConfirmedDigests(SOSEngineRef engine, CFErrorRef *er
 SOSDataSourceRef SOSEngineGetDataSource(SOSEngineRef engine) {
 return engine->dataSource;
 }
+
+#define ENGINELOGSTATE "engineLogState"
+void SOSEngineLogState(SOSEngineRef engine) {
+ CFErrorRef error = NULL;
+ CFArrayRef confirmedDigests = NULL;
+
+ secnotice(ENGINELOGSTATE, "Start");
+
+ require_action_quiet(engine, retOut, secnotice(ENGINELOGSTATE, "No Engine Available"));
+ confirmedDigests = SOSEngineCopyPeerConfirmedDigests(engine, &error);
+ require_action_quiet(confirmedDigests, retOut, secnotice(ENGINELOGSTATE, "No engine peers: %@\n", error));
+ CFIndex entries = CFArrayGetCount(confirmedDigests) / 2;
+ for(CFIndex i = 0; i < entries; i++) {
+ CFStringRef partA = asString(CFArrayGetValueAtIndex(confirmedDigests, i*2), NULL);
+ CFDataRef partB = asData(CFArrayGetValueAtIndex(confirmedDigests, i*2+1), NULL);
+ if(partA && partB) {
+ CFStringRef hexDigest = CFDataCopyHexString(partB);
+ secnotice(ENGINELOGSTATE, "%@ %@", partA, hexDigest);
+ CFReleaseNull(hexDigest);
+ }
+ }
+retOut:
+ CFReleaseNull(error);
+ CFReleaseNull(confirmedDigests);
+ secnotice(ENGINELOGSTATE, "Finish");
+
+ return;
+}
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h
index a7e9b0ea..c1f334bd 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h
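Review bot: SOSEngineLogState relies on SOSEngineCopyPeerConfirmedDigests returning a flat array of alternating peer-ID / digest entries (`i*2`, `i*2+1`), but nothing says so and an odd-length array is silently truncated by the `/ 2`; a comment on the `CFIndex entries` line would help: `// confirmedDigests is [peerID, digest, peerID, digest, ...]; a trailing unpaired entry is ignored.` Style points on the same function: the `"No engine peers: %@\n"` message carries a trailing newline no other secnotice in these hunks uses, `#define ENGINELOGSTATE` sits between two function definitions rather than with the file's other constants, and the closing `return;` is redundant.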
@@ -87,24 +87,26 @@ void SOSEngineCircleChanged(SOSEngineRef engine, CFStringRef myPeerID, CFArrayRe
 void SOSEngineForEachPeer(SOSEngineRef engine, void (^with)(SOSPeerRef peer));
 // TODO: Move SOSTransportMessageIDSRef declarations somewhere we can get to them here.
-//void SOSEngineSyncWithPeers(SOSEngineRef engine, SOSTransportMessageIDSRef ids, SOSTransportMessageKVSRef kvs, CFErrorRef *error);
-bool SOSEngineSyncWithPeers(SOSEngineRef engine, CFTypeRef ids, CFTypeRef kvs, CFErrorRef *error);
+bool SOSEngineSyncWithPeers(SOSEngineRef engine, CFErrorRef *error);
 // Don't call this unless you know what you are doing. If you do then still don't call it.
 bool SOSEngineHandleMessage_locked(SOSEngineRef engine, CFStringRef peerID, SOSMessageRef message, SOSTransactionRef txn, bool *commit, bool *somethingChanged, CFErrorRef *error);
-CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSPeerRef peer,
+CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer,
 CFErrorRef *error, SOSEnginePeerMessageSentBlock *sent);
 // Return a SOSPeerRef for a given peer_id.
 SOSPeerRef SOSEngineCopyPeerWithID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error);
 // Operate on a peer with a given peer_id under the engine lock
-bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^forPeer)(SOSPeerRef peer));
+bool SOSEngineForPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder));
+bool SOSEngineForPeerIDNoCoder(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error, void (^forPeer)(SOSTransactionRef txn, SOSPeerRef peer));
 // Modify a peer inside a transaction under then engine lock and optionally force an engine state save when done.
-bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^with)(SOSPeerRef peer, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState));
+bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error, void (^with)(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState));
+
+bool SOSEngineInitializePeerCoder(SOSEngineRef engine, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, CFErrorRef *error);
 // Return a message to be sent for the current state. Returns NULL on errors,
 // return a zero length CFDataRef if there is nothing to send.
@@ -127,12 +129,16 @@ CFArrayRef SOSEngineCopyPeerConfirmedDigests(SOSEngineRef engine, CFErrorRef *er
 // Private do not use!
 SOSDataSourceRef SOSEngineGetDataSource(SOSEngineRef engine);
+bool SOSTestEngineSaveWithDER(SOSEngineRef engine, CFDataRef derState, CFErrorRef *error);
 // MARK: Sync completion notification registration
-void SOSEngineSetSyncCompleteListener(SOSEngineRef engine, CFStringRef peerID, dispatch_block_t notify_block);
+typedef void (^SOSEnginePeerInSyncBlock)(CFStringRef peerID, CFSetRef views);
+void SOSEngineSetSyncCompleteListener(SOSEngineRef engine, SOSEnginePeerInSyncBlock notify_block);
 void SOSEngineSetSyncCompleteListenerQueue(SOSEngineRef engine, dispatch_queue_t notify_queue);
+// Engine State by Log
+void SOSEngineLogState(SOSEngineRef engine);
 __END_DECLS
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in b/OSX/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in
index 5a146182..b29f9403 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in
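Review bot: The new public declarations are undocumented in a header that comments every neighbouring group: `SOSEnginePeerInSyncBlock` and `SOSEngineSetSyncCompleteListener` should say that one listener replaces any previously set one (the old per-peer peerID parameter is gone), that NULL clears it, and that it is invoked on the queue given to SOSEngineSetSyncCompleteListenerQueue with the peer's ID and view set; `SOSEngineForPeerIDNoCoder` and the new `SOSCoderRef coder` parameter of SOSEngineForPeerID and SOSEngineWithPeerID should state whether coder may be NULL; `SOSEngineInitializePeerCoder` and `SOSTestEngineSaveWithDER` carry no comment at all, and the latter sits under "Private do not use!" without saying it is test-only. One line above each declaration, in the style of `// Operate on a peer with a given peer_id under the engine lock`, would do.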
@@ -26,9 +26,12 @@ _SOSCCCopyYetToSyncViewsList
 _SOSCCGetLastDepartureReason
 _SOSCCGetStatusDescription
 _SOSCCHandleIDSMessage
+_SOSCCRequestSyncWithPeerOverKVS
+_SOSCCRequestSyncWithPeerOverIDS
 _SOSCCIDSDeviceIDIsAvailableTest
 _SOSCCIDSPingTest
 _SOSCCIDSServiceRegistrationTest
+_SOSCCPeersHaveViewsEnabled
 _SOSCCProcessEnsurePeerRegistration
 _SOSCCProcessSyncWithAllPeers
 _SOSCCPurgeUserCredentials
@@ -63,6 +66,7 @@ _SOSCCIsSafariSyncing
 _SOSCCIsAppleTVSyncing
 _SOSCCIsHomeKitSyncing
 _SOSCCIsWiFiSyncing
+_SOSCCIsContinuityUnlockSyncing
 _SOSCCWaitForInitialSync
 _SOSCCSetEscrowRecord
 _SOSCCCopyEscrowRecord
@@ -71,6 +75,11 @@ _SOSCCCopyAccountState
 _SOSCCDeleteAccountState
 _SOSCCCopyEngineData
 _SOSCCDeleteEngineState
+_SOSCCCopyApplication
+_SOSCCCopyCircleJoiningBlob
+_SOSCCJoinWithCircleJoiningBlob
+_SOSCCAccountHasPublicKey
+_SOSCCAccountIsNew
 _UserParametersDescription
@@ -151,6 +160,7 @@ _SOSCCApplyToARing
 _SOSCCWithdrawlFromARing
 _SOSCCRingStatus
 _SOSCCEnableRing
+_SOSCCIsThisDeviceLastBackup
 _SOSCloudKeychainSendIDSMessage
@@ -195,40 +205,8 @@ _SOSWrapToBackupSliceKeyBagForView
 //
 // View SPI
 //
-_kSOSViewAppleTV
-_kSOSViewAutofillPasswords
-_kSOSViewBackupBagV0
-_kSOSViewHintAppleTV
-_kSOSViewHintHomeKit
-_kSOSViewHintPCSCloudKit
-_kSOSViewHintPCSEscrow
-_kSOSViewHintPCSFDE
-_kSOSViewHintPCSMailDrop
-_kSOSViewHintPCSMasterKey
-_kSOSViewHintPCSNotes
-_kSOSViewHintPCSPhotos
-_kSOSViewHintPCSiCloudBackup
-_kSOSViewHintPCSiCloudDrive
-_kSOSViewHintPCSiMessage
-_kSOSViewHintPCSFeldspar
-_kSOSViewHomeKit
-_kSOSViewiCloudIdentity
 _kSOSViewKeychainV0
-_kSOSViewPCSCloudKit
-_kSOSViewPCSEscrow
-_kSOSViewPCSFDE
-_kSOSViewPCSMailDrop
-_kSOSViewPCSMasterKey
-_kSOSViewPCSNotes
-_kSOSViewPCSPhotos
-_kSOSViewPCSiCloudBackup
-_kSOSViewPCSiCloudDrive
-_kSOSViewPCSiMessage
-_kSOSViewPCSFeldspar
-_kSOSViewSafariCreditCards
-_kSOSViewWiFi
-_kSOSViewOtherSyncable
-
+_SOSViewCopyViewSet
 _SOSViewsGetAllCurrent
@@ -236,20 +214,7 @@ _SOSViewsGetAllCurrent
 // Preferred symbols for viewHints
 //
-_kSecAttrViewHintPCSMasterKey
-_kSecAttrViewHintPCSiCloudDrive
-_kSecAttrViewHintPCSPhotos
-_kSecAttrViewHintPCSCloudKit
-_kSecAttrViewHintPCSEscrow
-_kSecAttrViewHintPCSFDE
-_kSecAttrViewHintPCSMailDrop
-_kSecAttrViewHintPCSiCloudBackup
-_kSecAttrViewHintPCSNotes
-_kSecAttrViewHintPCSiMessage
-
-_kSecAttrViewHintAppleTV
-_kSecAttrViewHintHomeKit
-_kSecAttrViewHintThumper
+#include "Security/SecureObjectSync/SOSViews.exp-in"
 _kSecUseSystemKeychain
 _kSecUseSyncBubbleKeychain
@@ -261,12 +226,12 @@ _SOSCircleCreateFromData
 _SOSCircleGenerationIncrement
 _SOSCircleGenerationSetValue
 _SOSCircleGetGenerationSint
+_SOSAccountPeerGotInSync
 _SOSCloudKeychainClearAll
 _SOSCloudKeychainGetAllObjectsFromCloud
 _SOSCloudKeychainGetObjectsFromCloud
 _SOSCloudKeychainPutObjectsInCloud
-_SOSCloudKeychainSendIDSMessage
 _SOSCloudKeychainSetItemsChangedBlock
 _SOSCloudKeychainSynchronizeAndWait
 _SOSCloudKeychainUpdateKeys
@@ -311,6 +276,7 @@ _SOSPeerInfoV2DictionaryCopySet
 _sViewsKey
 _sSerialNumberKey
 _sPreferIDS
+_sPreferIDSFragmentation
 _sDeviceID
 _sTransportType
 _sSecurityPropertiesKey
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.c
deleted file mode 100644
index 20ea7ebb..00000000
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.c
+++ /dev/null
@@ -1,1464 +0,0 @@ -#include "SOSForerunnerSession.h" -#include "SOSAccountDer.c" -#include "SOSPlatform.h" - -#include <CoreFoundation/CFRuntime.h> -#include <utilities/SecCFWrappers.h> -#include <utilities/SecCFError.h> -#include <Security/SecureObjectSync/SOSInternal.h> -#include <corecrypto/ccsrp.h> -#include <corecrypto/ccsha2.h> -#include <corecrypto/ccdh_gp.h> -#include <corecrypto/ccder.h> -#include <corecrypto/ccaes.h> -#include <corecrypto/ccmode.h> -#include <corecrypto/cchkdf.h> -#include <CommonCrypto/CommonRandomSPI.h> -#include <os/assumes.h> -#include <AssertMacros.h> - -#pragma mark Definitions -#define FR_VERSION 1llu -#define FR_MAGIC_REQUEST 0x67756d70llu -#define FR_MAGIC_CHALLENGE 0x67756d71llu -#define FR_MAGIC_RESPONSE 0x67756d72llu -#define FR_MAGIC_HSA2 0x67756d73llu -#define FR_SALT_LEN 32llu - -#define FR_Z_SZ_HKDF_V1 32 -#define FR_Z_SZ_V1 16 -#define FR_Z_FROM_REQUESTOR "requestor2acceptor" -#define FR_Z_FROM_ACCEPTOR "acceptor2requestor" - -#define FR_TAG_SIZE_V1 CCAES_KEY_SIZE_128 -#define FR_SIDECAR_SIZE_V1 (sizeof(uint64_t) + FR_TAG_SIZE_V1) - -// The initialization vector has three parts. -// |<-------- DSID -------->|<- X ->|<------ counter ------>| -// 64 bits 8 bits 56 bits -// -// The DSID is known to each end and supplied to each session object at create- -// time. X is either 0x0a or 0x0b, depending on whether the message came from an -// acceptor or requestor session, respectively. These values are static and -// known to each end. The counter starts at zero on each end and is incremented -// for each packet generated. It is sent as a sidecar along with the encrypted -// data blob, and it is then used to construct the IV for decryption along with -// the other two (known) components. Its value can not exceed 2^56 - 1. 
-#define FR_IV_SIZE_V1 (sizeof(uint64_t) + sizeof(uint64_t)) -#define FR_IV_X_ACCEPT_V1 (0x0a) -#define FR_IV_X_REQUEST_V1 (0x0b) -#define FR_IV_X_SIZE_V1 (1) -#define FR_IV_CNT_MAX_V1 ((0x100000000000000llu) - 1) -#define FR_IV_CNT_SIZE_V1 (7) - -#define FR_MAX_ACCEPTOR_TRIES 2 - -#define print_paddedline(stream, pad, fmt, ...) do { \ - size_t i = 0; \ - for (i = 0; i < pad; i++) { \ - fprintf((stream), "\t"); \ - } \ -\ - fprintf((stream), fmt "\n", ## __VA_ARGS__); \ -} while (0); - -#pragma mark Utilities -__unused static void -_print_blob(FILE *stream, size_t pad, const char *name, - uint8_t *buff, size_t sz, size_t len2print) -{ - size_t nb2w = 0; - if (len2print && len2print < sz) { - nb2w = len2print; - } else { - nb2w = sz; - } - - if (nb2w == 0) { - print_paddedline(stream, pad, "%s = (null)\n", name); - } else { - size_t i = 0; \ - for (i = 0; i < pad; i++) { - fprintf(stream, "\t"); - } - - fprintf(stream, "%s = 0x", name); - - uint8_t *buffp = buff; - for (i = 0; i < nb2w; i++) { - fprintf(stream, "%2.2x", buffp[i]); - } - - if (len2print && sz > len2print) { - fprintf(stream, "..."); - } - - fprintf(stream, "\n"); - } -} - -#pragma mark CoreCrypto Helpers -static uint8_t * -_ccder_shim_encode_octet_string(size_t len, const uint8_t *start, - const uint8_t *der, uint8_t *der_end) -{ - der_end = ccder_encode_body(len, start, der, der_end); - der_end = ccder_encode_tl(CCDER_OCTET_STRING, len, der, der_end); - require_action_quiet(der_end, xit, { - os_hardware_trap(); - }); - -xit: - return der_end; -} - -static uint8_t * -_ccder_shim_decode_octect_string(size_t *len, const uint8_t **start, - const uint8_t *der, const uint8_t *der_end) -{ - der = ccder_decode_tl(CCDER_OCTET_STRING, len, der, der_end); - if (der && start) { - *start = der; - der += *len; - } - - return (uint8_t *)der; -} - -static ccsrp_ctx * -_ccsrp_shim_alloc(const struct ccdigest_info *di, ccdh_const_gp_t gp) -{ - ccsrp_ctx *srp = NULL; - int error = -1; - - // CoreCrypto wants these to 
be 8-byte aligned. malloc(3) and friends return - // memory that is suitable for use as AltiVec/SSE data types, so they are - // good for this interface. - srp = malloc(ccsrp_sizeof_srp(di, gp)); - require_action_quiet(srp, xit, { - error = errno; - }); - - if (!((uintptr_t)srp & 7) == 0) { - os_hardware_trap(); - } - - ccsrp_ctx_init(srp, di, gp); - error = 0; - -xit: - if (error) { - free(srp); - srp = NULL; - } - - return srp; -} - -static void -_derive_sending_key(ccsrp_ctx *srp, const char *info, uint8_t *Z, size_t Z_len) -{ - const struct ccdigest_info *di = ccsha256_di(); - const uint8_t *K = NULL; - size_t K_len = 0; - uint8_t Z2[FR_Z_SZ_HKDF_V1]; - int error = -1; - - if (Z_len < FR_Z_SZ_V1) { - os_hardware_trap(); - } - - K = ccsrp_get_session_key(srp, &K_len); - - error = cchkdf(di, K_len, K, 0, NULL, strlen(info), info, sizeof(Z2), Z2); - os_assert_zero(error); - - // Only use first 16 bytes for AEAD. - memcpy(Z, Z2, FR_Z_SZ_V1); -} - -static void -_construct_iv_v1(const uint8_t iv[FR_IV_SIZE_V1], uint64_t dsid, - uint8_t x, uint64_t cnt) -{ - uint8_t *cur_iv = (uint8_t *)iv; - - if (!(x == FR_IV_X_ACCEPT_V1 || x == FR_IV_X_REQUEST_V1)) { - os_hardware_trap(); - } - - dsid = OSSwapHostToBigInt64(dsid); - memcpy(cur_iv, &dsid, sizeof(dsid)); - cur_iv += sizeof(dsid); - - // No need to swap; it's just one byte. 
- memcpy(cur_iv, &x, sizeof(x)); - cur_iv += sizeof(x); - - if (cnt > FR_IV_CNT_MAX_V1) { - os_hardware_trap(); - } - - cnt = OSSwapHostToBigInt64(cnt); - memcpy(cur_iv, &cnt, FR_IV_CNT_SIZE_V1); -} - -static uint8_t * -_encrypt_data_v1(const uint8_t *unenc, size_t unenc_len, - uint64_t dsid, uint8_t x, uint64_t cnt, - uint8_t *key, size_t key_len, size_t *enc_len) -{ - uint8_t *enc = NULL; - int error = -1; - - uint8_t *enc_cur = NULL; - size_t enc_len2 = 0; - const struct ccmode_gcm *mode = ccaes_gcm_encrypt_mode(); - ccgcm_ctx_decl(mode->size, gcm); - uint8_t iv[FR_IV_SIZE_V1]; - - enc_len2 += FR_SIDECAR_SIZE_V1; - enc_len2 += unenc_len; - - enc = malloc(enc_len2); - require_action_quiet(enc, xit, { - error = errno; - }); - - enc_cur = enc; - - ccgcm_init(mode, gcm, key_len, key); - _construct_iv_v1(iv, dsid, x, cnt); - ccgcm_set_iv(mode, gcm, FR_IV_SIZE_V1, iv); - ccgcm_gmac(mode, gcm, 0, NULL); - - if (cnt > FR_IV_CNT_MAX_V1) { - os_hardware_trap(); - } - - cnt = OSSwapHostToBigInt64(cnt); - memcpy(enc_cur, &cnt, sizeof(cnt)); - enc_cur += sizeof(cnt); - - ccgcm_update(mode, gcm, unenc_len, unenc, enc_cur); - enc_cur += unenc_len; - - ccgcm_finalize(mode, gcm, FR_TAG_SIZE_V1, enc_cur); - error = 0; - -xit: - ccgcm_ctx_clear(ccgcm_context_size(mode), gcm); - - if (error) { - free(enc); - enc = NULL; - } else { - *enc_len = enc_len2; - } - - return enc; -} - -static uint8_t * -_decrypt_data_v1(const uint8_t *enc, size_t enc_len, - uint64_t dsid, uint8_t x, uint8_t *key, size_t key_len, size_t *dec_len) -{ - uint8_t *dec = NULL; - int error = -1; - int ret = -1; - - size_t dec_len2 = 0; - const struct ccmode_gcm *mode = ccaes_gcm_decrypt_mode(); - ccgcm_ctx_decl(mode->size, gcm); - const uint8_t *enc_cur = NULL; - uint64_t cnt = 0; - uint8_t iv[FR_IV_SIZE_V1]; - uint8_t tag[FR_TAG_SIZE_V1]; - - enc_cur = enc; - - // At minimum, the encrypted data must contain the tag and counter. 
- require_action_quiet(enc_len >= FR_SIDECAR_SIZE_V1, xit, { - error = EINVAL; - }); - dec_len2 = enc_len - FR_SIDECAR_SIZE_V1; - - dec = malloc(dec_len2); - require_action_quiet(dec, xit, { - error = errno; - }); - - memcpy(&cnt, enc_cur, sizeof(cnt)); - cnt = OSSwapBigToHostConstInt64(cnt); - require_action_quiet(cnt <= FR_IV_CNT_MAX_V1, xit, { - error = ERANGE; - }); - enc_cur += sizeof(cnt); - - ccgcm_init(mode, gcm, key_len, key); - - _construct_iv_v1(iv, dsid, x, cnt); - ccgcm_set_iv(mode, gcm, FR_IV_SIZE_V1, iv); - ccgcm_gmac(mode, gcm, 0, NULL); - - ccgcm_update(mode, gcm, dec_len2, enc_cur, dec); - enc_cur += dec_len2; - - ccgcm_finalize(mode, gcm, FR_TAG_SIZE_V1, tag); - - ret = cc_cmp_safe(FR_TAG_SIZE_V1, enc_cur, tag); - require_action_quiet(ret == 0, xit, { - error = EINVAL; - }); - - error = 0; - -xit: - ccgcm_ctx_clear(ccgcm_context_size(mode), gcm); - - if (error) { - free(dec); - dec = NULL; - } else { - *dec_len = dec_len2; - } - - return dec; -} - -#pragma mark Protocol Messages -static size_t -_version_and_magic_size(void) -{ - return ccder_sizeof_uint64(FR_VERSION) + - ccder_sizeof_uint64(FR_MAGIC_REQUEST); -} - -static uint8_t * -_stamp_version_and_magic(uint8_t *der, uint8_t *der_end, uint64_t which) -{ - uint8_t *der_end2 = der_end; - - der_end2 = ccder_encode_uint64(which, der, der_end2); - der_end2 = ccder_encode_uint64(FR_VERSION, der, der_end2); - - return der_end2; -} - -static uint8_t * -_validate_blob(const uint8_t *der, uint8_t *der_end, uint64_t which, int *error) -{ - uint64_t magic = 0; - uint64_t version = 0; - - der = ccder_decode_uint64(&version, der, der_end); - if (version != FR_VERSION) { - *error = EPROTO; - return NULL; - } - - der = ccder_decode_uint64(&magic, der, der_end); - if (magic != which) { - *error = EBADRPC; - return NULL; - } - - return (uint8_t *)der; -} - -static uint8_t * -_create_request_v1(const uint8_t *A_bytes, size_t A_len, - size_t *der_len, int *error) -{ - uint8_t *der = NULL; - uint8_t *der_end = 
NULL;
- int error2 = -1;
- size_t needed = 0;
-
- needed += _version_and_magic_size();
- needed += ccder_sizeof(CCDER_OCTET_STRING, A_len);
-
- der = malloc(needed);
- require_action_quiet(der, xit, {
- error2 = errno;
- });
-
- der_end = der + needed;
-
- // DER encoding happens back-to-front, so stash the end value and pass to
- // subsequent invocations of the API. In practical terms, if the buffer
- // length is large enough, these encoding calls should not fail, so don't
- // bother to check the return value since we've gone through the trouble of
- // sizing the buffer above.
- der_end = _ccder_shim_encode_octet_string(A_len, A_bytes, der, der_end);
- der_end = _stamp_version_and_magic(der, der_end, FR_MAGIC_REQUEST);
- require_action_quiet(der_end, xit, {
- os_hardware_trap();
- });
-
- *der_len = needed;
- error2 = 0;
-
-xit:
- if (error2) {
- free(der);
- der = NULL;
- }
-
- return der;
-}
-
-static bool
-_decode_request_v1(ccsrp_ctx *ctx, uint8_t **A_bytes, size_t *A_len,
- uint8_t *der, size_t der_len, int *error)
-{
- bool result = false;
- int error2 = -1;
- uint8_t *A_bytes2 = NULL;
- size_t A_len2 = 0;
- uint8_t *der_end = der + der_len;
-
- der = _validate_blob(der, der_end, FR_MAGIC_REQUEST, &error2);
- require_quiet(der, xit);
-
- der = _ccder_shim_decode_octect_string(&A_len2,
- (const uint8_t **)&A_bytes2, der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(A_len2 == ccsrp_ctx_sizeof_n(ctx), xit, {
- error2 = ERANGE;
- });
-
- result = true;
-
-xit:
- if (result) {
- *A_bytes = A_bytes2;
- *A_len = A_len2;
- } else {
- *error = error2;
- }
-
- return result;
-}
-
-static uint8_t *
-_create_challenge_v1(const uint8_t *B_bytes, size_t B_len,
- const uint8_t *salt, size_t salt_len, size_t *der_len, int *error)
-{
- uint8_t *der = NULL;
- int error2 = -1;
-
- uint8_t *der_end = NULL;
-
- size_t needed = 0;
-
- needed += _version_and_magic_size();
- needed += ccder_sizeof(CCDER_OCTET_STRING, B_len);
- 
needed += ccder_sizeof(CCDER_OCTET_STRING, salt_len);
-
- der = malloc(needed);
- require_action_quiet(der, xit, {
- error2 = errno;
- });
-
- der_end = der + needed;
-
- der_end = _ccder_shim_encode_octet_string(salt_len, salt, der, der_end);
- der_end = _ccder_shim_encode_octet_string(B_len, B_bytes, der, der_end);
- der_end = _stamp_version_and_magic(der, der_end, FR_MAGIC_CHALLENGE);
- require_action_quiet(der_end, xit, {
- os_hardware_trap();
- });
-
- *der_len = needed;
- error2 = 0;
-
-xit:
- if (error2) {
- *error = error2;
-
- free(der);
- der = NULL;
- }
-
- return der;
-}
-
-static bool
-_decode_challenge_v1(ccsrp_ctx *srp, uint8_t **B_bytes, size_t *B_len,
- uint8_t **salt, size_t *salt_len, uint8_t *der, size_t der_len,
- int *error)
-{
- bool result = false;
- int error2 = -1;
-
- uint8_t *B_bytes2 = NULL;
- size_t B_len2 = 0;
- uint8_t *salt2 = NULL;
- size_t salt_len2 = 0;
- uint8_t *der_end = der + der_len;
-
- der = _validate_blob(der, der_end, FR_MAGIC_CHALLENGE, &error2);
- require_quiet(der, xit);
-
- der = _ccder_shim_decode_octect_string(&B_len2, (const uint8_t **)&B_bytes2,
- der, der_end);
- require_action_quiet(B_bytes, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(B_len2 == ccsrp_ctx_sizeof_n(srp), xit, {
- error2 = ERANGE;
- });
-
- der = _ccder_shim_decode_octect_string(&salt_len2, (const uint8_t **)&salt2,
- der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(salt_len2 == FR_SALT_LEN, xit, {
- error2 = ERANGE;
- });
-
- result = true;
-
-xit:
- if (result) {
- *B_bytes = B_bytes2;
- *B_len = B_len2;
- *salt = salt2;
- *salt_len = salt_len2;
- } else {
- *error = error2;
- }
-
- return result;
-}
-
-static uint8_t *
-_create_response_v1(const uint8_t *M1_bytes, size_t M1_len,
- const uint8_t *I_bytes, size_t I_len, size_t *der_len,
- int *error)
-{
- uint8_t *der = NULL;
- int error2 = -1;
-
- uint8_t *der_end = NULL;
- size_t needed = 0;
-
- needed += _version_and_magic_size();
- needed += ccder_sizeof(CCDER_OCTET_STRING, M1_len);
- needed += ccder_sizeof(CCDER_OCTET_STRING, I_len);
-
- der = malloc(needed);
- require_action_quiet(der, xit, {
- error2 = errno;
- });
-
- der_end = der + needed;
- der_end = _ccder_shim_encode_octet_string(I_len, I_bytes, der, der_end);
- der_end = _ccder_shim_encode_octet_string(M1_len, M1_bytes, der, der_end);
- der_end = _stamp_version_and_magic(der, der_end, FR_MAGIC_RESPONSE);
- require_action_quiet(der_end, xit, {
- os_hardware_trap();
- });
-
- *der_len = needed;
- error2 = 0;
-
-xit:
- if (error2) {
- *error = error2;
-
- free(der);
- der = NULL;
- }
-
- return der;
-}
-
-static bool
-_decode_response_v1(ccsrp_ctx *srp, uint8_t **M_bytes, size_t *M_len,
- uint8_t **I_bytes, size_t *I_len,
- uint8_t *der, size_t der_len, int *error)
-{
- bool result = false;
- int error2 = -1;
-
- uint8_t *M_bytes2 = NULL;
- size_t M_len2 = 0;
- uint8_t *I_bytes2 = NULL;
- size_t I_len2 = 0;
- uint8_t *der_end = der + der_len;
-
- der = _validate_blob(der, der_end, FR_MAGIC_RESPONSE, &error2);
- require_quiet(der, xit);
-
- der = _ccder_shim_decode_octect_string(&M_len2, (const uint8_t **)&M_bytes2,
- der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(M_len2 == ccsrp_session_size(srp), xit, {
- error2 = ERANGE;
- });
-
- der = _ccder_shim_decode_octect_string(&I_len2,
- (const uint8_t **)&I_bytes2, der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- result = true;
-
-xit:
- if (result) {
- *M_bytes = M_bytes2;
- *M_len = M_len2;
-
- *I_bytes = I_bytes2;
- *I_len = I_len2;
- } else {
- *error = error2;
- }
-
- return result;
-}
-
-static uint8_t *
-_create_hsa2_v1(uint8_t *hsa2code, size_t hsa2code_len,
- uint8_t *HAMK_bytes, size_t HAMK_len, size_t *der_len, int *error)
-{
- uint8_t *der = NULL;
- int error2 = -1;
-
- uint8_t *der_end = NULL;
- size_t needed = 0;
-
- needed += _version_and_magic_size();
- needed += 
ccder_sizeof(CCDER_OCTET_STRING, hsa2code_len);
- needed += ccder_sizeof(CCDER_OCTET_STRING, HAMK_len);
-
- der = malloc(needed);
- require_action_quiet(der, xit, {
- error2 = errno;
- });
-
- der_end = der + needed;
- der_end = _ccder_shim_encode_octet_string(HAMK_len, HAMK_bytes,
- der, der_end);
- der_end = _ccder_shim_encode_octet_string(hsa2code_len, hsa2code,
- der, der_end);
- der_end = _stamp_version_and_magic(der, der_end, FR_MAGIC_HSA2);
- require_action_quiet(der_end, xit, {
- os_hardware_trap();
- });
-
- *der_len = needed;
- error2 = 0;
-
-xit:
- if (error2) {
- *error = error2;
-
- free(der);
- der = NULL;
- }
-
- return der;
-}
-
-static bool
-_decode_hsa2_v1(ccsrp_ctx *srp, uint8_t **hsa2_bytes, size_t *hsa2_len,
- uint8_t **HAMK_bytes, size_t *HAMK_len, uint8_t *der, size_t der_len,
- int *error)
-{
- bool result = false;
- int error2 = -1;
-
- uint8_t *hsa2_bytes2 = NULL;
- size_t hsa2_len2 = 0;
- uint8_t *HAMK_bytes2 = NULL;
- size_t HAMK_len2 = 0;
- uint8_t *der_end = der + der_len;
-
- der = _validate_blob(der, der_end, FR_MAGIC_HSA2, &error2);
- require_quiet(der, xit);
-
- der = _ccder_shim_decode_octect_string(&hsa2_len2,
- (const uint8_t **)&hsa2_bytes2, der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- der = _ccder_shim_decode_octect_string(&HAMK_len2,
- (const uint8_t **)&HAMK_bytes2, der, der_end);
- require_action_quiet(der, xit, {
- error2 = EINVAL;
- });
-
- require_action_quiet(HAMK_len2 == ccsrp_session_size(srp), xit, {
- error2 = ERANGE;
- });
-
- result = true;
-
-xit:
- if (result) {
- *hsa2_bytes = hsa2_bytes2;
- *hsa2_len = hsa2_len2;
-
- *HAMK_bytes = HAMK_bytes2;
- *HAMK_len = HAMK_len2;
- } else {
- *error = error2;
- }
-
- return result;
-}
-
-#pragma mark Requesting Session
-struct __OpaqueSOSForerunnerRequestorSession {
- CFRuntimeBase __cf;
-
- ccsrp_ctx *rs_srp;
- uint64_t rs_dsid;
- uint64_t rs_packet_cnt;
-
- uint8_t rs_Z_r2a[FR_Z_SZ_V1];
- uint8_t rs_Z_a2r[FR_Z_SZ_V1];
-
- CFStringRef 
rsUsername;
-};
-
-static void
-_SOSForerunnerRequestorSessionClassInit(CFTypeRef session)
-{
- SOSForerunnerRequestorSessionRef self = (void *)session;
- size_t howmuch2zero = sizeof(*self) - sizeof(self->__cf);
- uint8_t *start = (uint8_t *)self + sizeof(self->__cf);
-
- bzero(start, howmuch2zero);
-}
-
-static void
-_SOSForerunnerRequestorSessionClassFinalize(CFTypeRef session)
-{
- SOSForerunnerRequestorSessionRef self = (void *)session;
-
- free(self->rs_srp);
- CFReleaseNull(self->rsUsername);
-}
-
-static CFRuntimeClass _SOSForerunnerRequestorSessionClass = {
- .version = 0,
- .className = "forerunner requestor session",
- .init = _SOSForerunnerRequestorSessionClassInit,
- .copy = NULL,
- .finalize = _SOSForerunnerRequestorSessionClassFinalize,
- .equal = NULL,
- .hash = NULL,
- .copyFormattingDesc = NULL,
- .copyDebugDesc = NULL,
-};
-
-#pragma mark Requestor Class Methods
-CFTypeID
-SOSForerunnerRequestorSessionGetTypeID(void)
-{
- static dispatch_once_t once = 0;
- static CFTypeID tid = 0;
-
- dispatch_once(&once, ^{
- tid = _CFRuntimeRegisterClass(
- (const CFRuntimeClass * const)
- &_SOSForerunnerRequestorSessionClass);
- if (tid == _kCFRuntimeNotATypeID) {
- os_hardware_trap();
- }
- });
-
- return tid;
-}
-
-#pragma mark Requestor Public Methods
-SOSForerunnerRequestorSessionRef
-SOSForerunnerRequestorSessionCreate(CFAllocatorRef allocator,
- CFStringRef username, uint64_t dsid)
-{
- SOSForerunnerRequestorSessionRef self = NULL;
- int error = -1;
- const size_t xtra = sizeof(*self) - sizeof(self->__cf);
- const struct ccdigest_info *di = ccsha256_di();
- ccdh_const_gp_t gp = ccsrp_gp_rfc5054_3072();
-
- self = (void *)_CFRuntimeCreateInstance(allocator,
- SOSForerunnerRequestorSessionGetTypeID(), xtra, NULL);
- require_action_quiet(self, xit, {
- error = ENOMEM;
- });
-
- self->rsUsername = CFRetain(username);
- self->rs_srp = _ccsrp_shim_alloc(di, gp);
- self->rs_dsid = dsid;
- require_action_quiet(self->rs_srp, xit, {
- error = ENOMEM;
- });
-
- 
error = 0;
-
-xit:
- if (error) {
- CFReleaseNull(self);
- self = NULL;
- }
-
- return self;
-}
-
-CFDataRef
-SOSFRSCopyRequestPacket(SOSForerunnerRequestorSessionRef self,
- CFErrorRef *cferror)
-{
- CFDataRef request = NULL;
- int error = -1;
-
- uint8_t A_bytes[ccsrp_exchange_size(self->rs_srp)];
- size_t A_len = ccsrp_exchange_size(self->rs_srp);
- uint8_t *der = NULL;
- size_t der_len = 0;
-
- error = ccsrp_client_start_authentication(self->rs_srp,
- ccDRBGGetRngState(), A_bytes);
- require_action_quiet(error == 0, xit, {
- (void)SecCoreCryptoError(error, cferror, CFSTR("failed to start SRP"));
- });
-
- der = _create_request_v1(A_bytes, A_len, &der_len, &error);
- require_action_quiet(der, xit, {
- // Yes, I know, let's report an allocation error by trying to allocate a
- // bloated pseudo-exception.
- (void)SecPOSIXError(error, cferror,
- CFSTR("failed to allocate response data"));
- });
-
- request = CFDataCreateWithBytesNoCopy(NULL, der, der_len,
- kCFAllocatorMalloc);
- require_action_quiet(request, xit, {
- error = ENOMEM;
- (void)SecPOSIXError(error, cferror,
- CFSTR("failed to allocate request data"));
- });
-
-xit:
- if (error) {
- if (request) {
- CFRelease(request);
- request = NULL;
- } else {
- free(der);
- }
- }
-
- return request;
-}
-
-CFDataRef
-SOSFRSCopyResponsePacket(SOSForerunnerRequestorSessionRef self,
- CFDataRef challenge, CFStringRef secret, CFDictionaryRef peerInfo,
- CFErrorRef *cferror)
-{
- CFDataRef response = NULL;
- int error = -1;
-
- char *username_str = NULL;
- char *secret_str = NULL;
-
- // Challenge.
- bool result = false;
- uint8_t *der = NULL;
- uint8_t *salt = NULL;
- size_t salt_len = 0;
- uint8_t *B_bytes = NULL;
- size_t B_len = 0;
-
- // Response.
- uint8_t *resp_der = NULL;
- size_t resp_der_len = 0;
- uint8_t M1_bytes[ccsrp_session_size(self->rs_srp)];
- size_t M1_len = ccsrp_session_size(self->rs_srp);
-
-#if CONFIG_ARM_AUTOACCEPT
- SOSPeerInfoRef peer = NULL;
- CFDataRef cfI = NULL;
-#else // CONFIG_ARM_AUTOACCEPT
- const uint8_t fakeI[] = {
- 'A',
- 'B',
- 'C',
- 'D',
- 'E',
- 'F',
- };
-#endif // CONFIG_ARM_AUTOACCEPT
-
- const uint8_t *I_bytes = NULL;
- size_t I_len = 0;
- uint8_t *I_enc_bytes = NULL;
- size_t I_enc_len = 0;
-
- der = (UInt8 *)CFDataGetBytePtr(challenge);
-
- username_str = CFStringToCString(self->rsUsername);
- require_quiet(username_str, xit);
-
- secret_str = CFStringToCString(secret);
- require_quiet(secret_str, xit);
-
- result = _decode_challenge_v1(self->rs_srp, &B_bytes, &B_len,
- &salt, &salt_len, der, CFDataGetLength(challenge), &error);
- require_action_quiet(result, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to decode challenge"));
- });
-
- // Do not include the null terminator in the length of the secret -- for the
- // purposes of this challenge, it's just a blob of data.
- error = ccsrp_client_process_challenge(self->rs_srp, username_str,
- strlen(secret_str), secret_str, salt_len, salt,
- B_bytes, M1_bytes);
- require_action_quiet(error == 0, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to process challenge"));
- });
-
- _derive_sending_key(self->rs_srp, FR_Z_FROM_REQUESTOR,
- self->rs_Z_r2a, sizeof(self->rs_Z_r2a));
-
-#if CONFIG_ARM_AUTOACCEPT
- peer = SOSCCCopyMyPeerInfo(cferror);
- require_quiet(peer, xit);
-
- cfI = SOSPeerInfoGetAutoAcceptInfo(peer);
- require_action_quiet(cfI, xit, {
- error = ENOENT;
- (void)SecPOSIXError(error, cferror,
- CFSTR("failed to obtain auto-accept info"));
- });
-
- I_bytes = CFDataGetBytePtr(cfI);
- I_len = CFDataGetLength(cfI);
-#else // CONFIG_ARM_AUTOACCEPT
- I_bytes = fakeI;
- I_len = sizeof(fakeI);
-#endif // CONFIG_ARM_AUTOACCEPT
-
- I_enc_bytes = _encrypt_data_v1(I_bytes, I_len,
- self->rs_dsid, FR_IV_X_REQUEST_V1, self->rs_packet_cnt,
- self->rs_Z_r2a, sizeof(self->rs_Z_r2a), &I_enc_len);
- require_action_quiet(I_enc_bytes, xit, {
- error = ENOMEM;
- });
-
- self->rs_packet_cnt++;
-
- resp_der = _create_response_v1(M1_bytes, M1_len, I_enc_bytes, I_enc_len,
- &resp_der_len, &error);
- require_action_quiet(resp_der, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to create response"));
- });
-
- response = CFDataCreateWithBytesNoCopy(NULL, resp_der, resp_der_len,
- kCFAllocatorMalloc);
- require_action_quiet(response, xit, {
- error = ENOMEM;
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to create response"));
- });
-
- error = 0;
-
-xit:
- free(username_str);
- free(secret_str);
-
- if (error) {
- if (response) {
- CFRelease(response);
- response = NULL;
- } else {
- free(resp_der);
- }
- }
-
- return response;
-}
-
-CFDataRef
-SOSFRSCopyHSA2CodeFromPacket(SOSForerunnerRequestorSessionRef self,
- CFDataRef hsa2packet, CFErrorRef *cferror)
-{
- CFDataRef cfhsa2 = NULL;
- int error = -1;
-
- bool result = false;
- uint8_t *der = NULL;
- 
size_t der_len = 0;
- uint8_t *hsa2_enc_bytes = NULL;
- size_t hsa2_enc_len = 0;
- uint8_t *hsa2_bytes = NULL;
- size_t hsa2_len = 0;
- uint8_t *HAMK_bytes = NULL;
- size_t HAMK_len = 0;
-
- der = (UInt8 *)CFDataGetBytePtr(hsa2packet);
- der_len = CFDataGetLength(hsa2packet);
-
- result = _decode_hsa2_v1(self->rs_srp, &hsa2_enc_bytes, &hsa2_enc_len,
- &HAMK_bytes, &HAMK_len, der, der_len, &error);
- require_quiet(result, xit);
-
- result = ccsrp_client_verify_session(self->rs_srp, HAMK_bytes);
- require_action_quiet(result, xit, {
- (void)SecPOSIXError(EBADMSG, cferror,
- CFSTR("failed to verify session"));
- });
-
- _derive_sending_key(self->rs_srp, FR_Z_FROM_ACCEPTOR,
- self->rs_Z_a2r, sizeof(self->rs_Z_a2r));
-
- hsa2_bytes = _decrypt_data_v1(hsa2_enc_bytes, hsa2_enc_len,
- self->rs_dsid, FR_IV_X_ACCEPT_V1,
- self->rs_Z_a2r, sizeof(self->rs_Z_a2r), &hsa2_len);
- require_action_quiet(hsa2_bytes, xit, {
- error = EINVAL;
- });
-
- cfhsa2 = CFDataCreateWithBytesNoCopy(NULL, hsa2_bytes, hsa2_len,
- kCFAllocatorMalloc);
- require_action_quiet(cfhsa2, xit, {
- error = ENOMEM;
- });
-
- error = 0;
-
-xit:
- if (error) {
- if (cfhsa2) {
- CFRelease(cfhsa2);
- cfhsa2 = NULL;
- } else {
- free(hsa2_bytes);
- }
- }
-
- return cfhsa2;
-}
-
-CFDataRef
-SOSFRSCopyDecryptedData(SOSForerunnerRequestorSessionRef self,
- CFDataRef encrypted)
-{
- CFDataRef decrypted = NULL;
- int error = -1;
-
- const uint8_t *enc = CFDataGetBytePtr(encrypted);
- size_t enc_len = CFDataGetLength(encrypted);
- uint8_t *dec = NULL;
- size_t dec_len = 0;
-
- dec = _decrypt_data_v1(enc, enc_len,
- self->rs_dsid, FR_IV_X_ACCEPT_V1,
- self->rs_Z_a2r, sizeof(self->rs_Z_a2r), &dec_len);
- require_action_quiet(dec, xit, {
- error = EINVAL;
- });
-
- decrypted = CFDataCreateWithBytesNoCopy(NULL, dec, dec_len,
- kCFAllocatorMalloc);
- require_action_quiet(decrypted, xit, {
- error = ENOMEM;
- });
-
- error = 0;
-
-xit:
- if (error) {
- if (decrypted) {
- CFRelease(decrypted);
- decrypted = NULL;
- } else {
- free(dec);
- }
- }
-
- return decrypted;
-}
-
-#pragma mark Acceptor Session
-struct __OpaqueSOSForerunnerAcceptorSession {
- CFRuntimeBase __cf;
-
- ccsrp_ctx *as_srp;
- uint64_t as_dsid;
- uint64_t as_accept_cnt;
- uint64_t as_packet_cnt;
-
- uint8_t as_Z_a2r[FR_Z_SZ_V1];
- uint8_t as_Z_r2a[FR_Z_SZ_V1];
-
- CFStringRef asUsername;
- CFDataRef asCircleSecret;
-};
-
-static void
-_SOSForerunnerAcceptorSessionClassInit(CFTypeRef session)
-{
- SOSForerunnerAcceptorSessionRef self = (void *)session;
- size_t howmuch2zero = sizeof(*self) - sizeof(self->__cf);
- uint8_t *start = (uint8_t *)self + sizeof(self->__cf);
-
- bzero(start, howmuch2zero);
-}
-
-static void
-_SOSForerunnerAcceptorSessionClassFinalize(CFTypeRef session)
-{
- SOSForerunnerAcceptorSessionRef self = (void *)session;
-
- free(self->as_srp);
- CFRelease(self->asUsername);
- CFRelease(self->asCircleSecret);
-}
-
-static CFRuntimeClass _SOSForerunnerAcceptorSessionClass = {
- .version = 0,
- .className = "forerunner acceptor session",
- .init = _SOSForerunnerAcceptorSessionClassInit,
- .copy = NULL,
- .finalize = _SOSForerunnerAcceptorSessionClassFinalize,
- .equal = NULL,
- .hash = NULL,
- .copyFormattingDesc = NULL,
- .copyDebugDesc = NULL,
-};
-
-#pragma mark Acceptor Class Methods
-CFTypeID
-SOSForerunnerAcceptorSessionGetTypeID(void)
-{
- static dispatch_once_t once = 0;
- static CFTypeID tid = 0;
-
- dispatch_once(&once, ^{
- tid = _CFRuntimeRegisterClass(
- (const CFRuntimeClass * const)
- &_SOSForerunnerAcceptorSessionClass);
- if (tid == _kCFRuntimeNotATypeID) {
- os_hardware_trap();
- }
- });
-
- return tid;
-}
-
-#pragma mark Acceptor Public Methods
-SOSForerunnerAcceptorSessionRef
-SOSForerunnerAcceptorSessionCreate(CFAllocatorRef allocator,
- CFStringRef username, uint64_t dsid, CFStringRef circleSecret)
-{
- SOSForerunnerAcceptorSessionRef self = NULL;
- int error = -1;
-
- size_t xtra = sizeof(*self) - sizeof(self->__cf);
- char *secret = NULL;
- const struct ccdigest_info *di = 
ccsha256_di();
- ccdh_const_gp_t gp = ccsrp_gp_rfc5054_3072();
-
- self = (void *)_CFRuntimeCreateInstance(allocator,
- SOSForerunnerAcceptorSessionGetTypeID(), xtra, NULL);
- require_action_quiet(self, xit, {
- error = ENOMEM;
- });
-
- self->as_srp = _ccsrp_shim_alloc(di, gp);
- require_action_quiet(self, xit, {
- error = ENOMEM;
- });
-
- self->as_dsid = dsid;
-
- secret = CFStringToCString(circleSecret);
- require_action_quiet(secret, xit, {
- error = ENOMEM;
- });
-
- // We don't care about the null terminating byte.
- self->asCircleSecret = CFDataCreateWithBytesNoCopy(NULL,
- (const UInt8 *)secret, strlen(secret), kCFAllocatorMalloc);
- require_action_quiet(self->asCircleSecret, xit, {
- error = ENOMEM;
- });
-
- self->asUsername = CFRetain(username);
- error = 0;
-
-xit:
- if (error) {
- if (self && !self->asCircleSecret) {
- free(secret);
- }
-
- CFReleaseNull(self);
- self = NULL;
- }
-
- return self;
-}
-
-CFDataRef
-SOSFASCopyChallengePacket(SOSForerunnerAcceptorSessionRef self,
- CFDataRef requestorPacket, CFErrorRef *cferror)
-{
- CFDataRef challenge = NULL;
- int error = -1;
- int ret = -1;
-
- bool decoded = false;
- char *username_str = NULL;
- uint8_t verifier[ccsrp_ctx_sizeof_n(self->as_srp)];
- uint8_t salt[FR_SALT_LEN];
-
- uint8_t *der = NULL;
- uint8_t *challenge_der = NULL;
- size_t challenge_len = 0;
-
- uint8_t *A_bytes = NULL;
- size_t A_len = 0;
- uint8_t B_bytes[ccsrp_exchange_size(self->as_srp)];
- size_t B_len = ccsrp_exchange_size(self->as_srp);
-
- der = (uint8_t *)CFDataGetBytePtr(requestorPacket);
- decoded = _decode_request_v1(self->as_srp, &A_bytes, &A_len,
- der, CFDataGetLength(requestorPacket), &error);
- require_action_quiet(decoded, xit, {
- (void)SecCoreCryptoError(error, cferror, CFSTR("bad request packet"));
- });
-
- username_str = CFStringToCString(self->asUsername);
- ret = SecRandomCopyBytes(NULL, sizeof(salt), salt);
- require_action_quiet(ret == 0, xit, {
- error = errno;
- (void)SecPOSIXError(error, cferror, 
CFSTR("failed to generate salt"));
- });
-
- error = ccsrp_generate_verifier(self->as_srp, username_str,
- CFDataGetLength(self->asCircleSecret),
- CFDataGetBytePtr(self->asCircleSecret), sizeof(salt), salt,
- verifier);
- require_action_quiet(error == 0, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("failed to generate SRP verifier"));
- });
-
- error = ccsrp_server_start_authentication(self->as_srp, ccDRBGGetRngState(),
- username_str, sizeof(salt), salt, verifier, A_bytes, B_bytes);
- require_action_quiet(error == 0, xit, {
- (void)SecCoreCryptoError(error, cferror,
- CFSTR("could not start server SRP"));
- });
-
- challenge_der = _create_challenge_v1(B_bytes, B_len,
- salt, sizeof(salt), &challenge_len, &error);
- require_action_quiet(challenge_der, xit, {
- (void)SecPOSIXError(error, cferror,
- CFSTR("could not construct challenge"));
- });
-
- challenge = CFDataCreateWithBytesNoCopy(NULL, challenge_der, challenge_len,
- kCFAllocatorMalloc);
- error = 0;
-
-xit:
- if (error) {
- if (challenge) {
- CFRelease(challenge);
- challenge = NULL;
- } else {
- free(challenge_der);
- }
- }
-
- free(username_str);
-
- return challenge;
-}
-
-CFDataRef
-SOSFASCopyHSA2Packet(SOSForerunnerAcceptorSessionRef self,
- CFDataRef responsePacket, CFDataRef hsa2code, CFErrorRef *cferror)
-{
- CFDataRef hsa2 = NULL;
- int error = -1;
-
- // Response.
- const uint8_t *der = CFDataGetBytePtr(responsePacket);
- size_t der_len = CFDataGetLength(responsePacket);
- uint8_t *M_bytes = NULL;
- size_t M_len = 0;
- uint8_t *I_enc_bytes = NULL;
- size_t I_enc_len = 0;
- uint8_t *I_bytes = NULL;
- size_t I_len = 0;
- uint8_t HAMK_bytes[ccsrp_session_size(self->as_srp)];
-
- // HSA2 packet.
- uint8_t *hsa2_bytes = NULL;
- size_t hsa2_len = 0;
- uint8_t *hsa2_enc_bytes = NULL;
- size_t hsa2_enc_len = 0;
- uint8_t *hsa2_packet_bytes = NULL;
- size_t hsa2_packet_len = 0;
-
- bool result = false;
-#if CONFIG_ARM_AUTOACCEPT
- CFDataRef cfI = NULL;
-#endif // CONFIG_ARM_AUTOACCEPT
-
- result = _decode_response_v1(self->as_srp, &M_bytes, &M_len,
- &I_enc_bytes, &I_enc_len, (uint8_t *)der, der_len, &error);
- require_action_quiet(result, xit, {
- (void)SecPOSIXError(error, cferror, CFSTR("bad response"));
- });
-
- result = ccsrp_server_verify_session(self->as_srp, M_bytes, HAMK_bytes);
- require_action_quiet(result, xit, {
- if (self->as_accept_cnt > FR_MAX_ACCEPTOR_TRIES) {
- error = EBADMSG;
- } else {
- error = EAGAIN;
- self->as_accept_cnt++;
- }
-
- (void)SecPOSIXError(error, cferror,
- CFSTR("session verification failed"));
- });
-
- _derive_sending_key(self->as_srp, FR_Z_FROM_ACCEPTOR,
- self->as_Z_a2r, sizeof(self->as_Z_a2r));
-
- hsa2_bytes = (uint8_t *)CFDataGetBytePtr(hsa2code);
- hsa2_len = CFDataGetLength(hsa2code);
-
- hsa2_enc_bytes = _encrypt_data_v1(hsa2_bytes, hsa2_len,
- self->as_dsid, FR_IV_X_ACCEPT_V1, self->as_packet_cnt,
- self->as_Z_a2r, sizeof(self->as_Z_a2r), &hsa2_enc_len);
- require_action_quiet(hsa2_enc_bytes, xit, {
- error = ENOMEM;
- });
-
- self->as_packet_cnt++;
-
- hsa2_packet_bytes = _create_hsa2_v1(hsa2_enc_bytes, hsa2_enc_len,
- HAMK_bytes, sizeof(HAMK_bytes), &hsa2_packet_len, &error);
- require_quiet(hsa2_packet_bytes, xit);
-
- hsa2 = CFDataCreateWithBytesNoCopy(NULL, hsa2_packet_bytes, hsa2_packet_len,
- kCFAllocatorMalloc);
- require_action_quiet(hsa2, xit, {
- error = ENOMEM;
- (void)SecPOSIXError(error, cferror,
- CFSTR("could not create hsa2 packet"));
- });
-
- _derive_sending_key(self->as_srp, FR_Z_FROM_REQUESTOR,
- self->as_Z_r2a, sizeof(self->as_Z_r2a));
-
- I_bytes = _decrypt_data_v1(I_enc_bytes, I_enc_len,
- self->as_dsid, FR_IV_X_REQUEST_V1,
- self->as_Z_r2a, sizeof(self->as_Z_r2a), &I_len);
- 
require_action_quiet(I_bytes, xit, {
- error = EINVAL;
- });
-
-#if CONFIG_ARM_AUTOACCEPT
- cfI = CFDataCreateWithBytesNoCopy(NULL, I_bytes, I_len, kCFAllocatorMalloc);
- require_action_quiet(cfI, xit, {
- error = ENOMEM;
- (void)SecPOSIXError(error, cferror,
- CFSTR("could not create identity data"));
- });
-
- result = SOSCCSetAutoAcceptInfo(cfI, cferror);
- require_quiet(result, xit);
-#endif // CONFIG_ARM_AUTOACCEPT
-
- error = 0;
-
-xit:
- if (error) {
- if (hsa2) {
- CFRelease(hsa2);
- hsa2 = NULL;
- } else {
- free(hsa2_packet_bytes);
- }
- }
-
- free(hsa2_enc_bytes);
-
-#if CONFIG_ARM_AUTOACCEPT
- if (cfI) {
- CFRelease(cfI);
- } else {
- free(I_bytes);
- }
-#else // CONFIG_ARM_AUTOACCEPT
- free(I_bytes);
-#endif // CONFIG_ARM_AUTOACCEPT
-
- return hsa2;
-}
-
-CFDataRef
-SOSFASCopyEncryptedData(SOSForerunnerAcceptorSessionRef self, CFDataRef data)
-{
- CFDataRef encrypted = NULL;
- int error = -1;
-
- uint8_t *enc = NULL;
- size_t enc_len = 0;
-
- enc = _encrypt_data_v1(CFDataGetBytePtr(data), CFDataGetLength(data),
- self->as_dsid, FR_IV_X_ACCEPT_V1, self->as_packet_cnt,
- self->as_Z_a2r, sizeof(self->as_Z_a2r), &enc_len);
- require_action_quiet(enc, xit, {
- error = EINVAL;
- });
-
- encrypted = CFDataCreateWithBytesNoCopy(NULL, enc, enc_len,
- kCFAllocatorMalloc);
- require_action_quiet(encrypted, xit, {
- error = ENOMEM;
- });
-
- error = 0;
-
-xit:
- if (error) {
- if (encrypted) {
- CFRelease(encrypted);
- encrypted = NULL;
- } else {
- free(enc);
- }
- }
-
- return encrypted;
-}
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.h
deleted file mode 100644
index 2aa421ab..00000000
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.h
+++ /dev/null
@@ -1,380 +0,0 @@ -/* - * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/*! - @header SOSForerunnerSession.h - Describes interfaces for both requesting and approving forerunner sessions. A - A forerunner session encapsulates the following control flow between two - devices, Requestor and Acceptor, when Requestor attempts to join a syncing - circle already inhabited by Acceptor. - - 0. Requestor creates a requesting session containing PAKE key pair - 1. Requestor creates a packet to request membership in the syncing circle; - Packet includes session public key - 2. Requestor sends RequestPacket to Acceptor using an interface of its - choosing - 3. Acceptor receives RequestPacket. - 4. Acceptor creates an approving session containing PAKE key pair with - RequestPacket - 5. Acceptor generates Secret, a six-digit code that never leaves Acceptor - 6. Acceptor generates ChallengePacket, derived from the public key in - RequestPacket and Secret - 7. Acceptor sends ChallengePacket to Requestor using an interface of its - choosing - 8. 
Requestor receives ChallengePacket - 9. Requestor asks User to enter Secret -10. Requestor creates ResponsePacket, derived from Secret and the public key - contained in ChallengePacket -11. Requestor sends ResponsePacket to Acceptor using an interface of its - choosing -12. Acceptor receives ResponsePacket -13. Acceptor validates ResponsePacket -14. Acceptor generates HSA2Code -14b. Acceptor encrypts and attests to the HSA2Code to its session key -15. Acceptor sends encrypted HSA2Code to Requestor using an interface of its - choosing -16. Requestor receives encrypted HSA2Code -16b. Requestor decrypts and verifies HSA2Code -17. Requestor sends HSA2Code to Apple -18. Apple adds Requestor to trusted device list -19. Requestor generates Identity -20. Requestor applies to syncing circle with Identity - */ - -#ifndef _SEC_SOSFORERUNNERSESSION_H_ -#define _SEC_SOSFORERUNNERSESSION_H_ - -#include <sys/cdefs.h> -#include <os/base.h> -#include <os/object.h> -#include <CoreFoundation/CoreFoundation.h> -#include <CoreFoundation/CFError.h> - -__BEGIN_DECLS - -/*! - @const SECFR_API_VERSION - An API version that may be used during the preprocessing phase to determine - which version of the API is being built against. This may be used to guard - against breaking due to changes in the API that are not sync'ed against your - project. For example, if version 20150424 adds a new method, - SOSFRSNewMethod(), you may guard your use of that method with - - #if SECFR_API_VERSION >= 20150424 - SOSFRSNewMethod(); - #endif // SECFR_API_VERSION >= 20150424 - */ -#define SECFR_API_VERSION 20150424 - -/*! - @type SOSForerunnerRequestorSessionRef - An opaque type representing the requesting side of a session being used to - enter the requestor into a syncing circle. The object has no thread affinity, - but it is not safe to invoke methods on the same object from multiple threads - concurrently. 
- */ -typedef struct __OpaqueSOSForerunnerRequestorSession - *SOSForerunnerRequestorSessionRef; - -/*! - @function SOSForerunnerRequestorSessionGetTypeID - - @abstract - Returns the type identifier for the requestor session class. - - @result - A type identifier. - */ -OS_EXPORT OS_WARN_RESULT -CFTypeID -SOSForerunnerRequestorSessionGetTypeID(void); - -/*! - @function SOSForerunnerRequestorSessionCreate - - @abstract - Creates a new requesting session object to negotiate entry into a syncing - circle. - - @param allocator - The vestigal CoreFoundation allocator. Pass NULL or - {@link kCFAllocatorDefault}. - - @param username - The AppleID for the account whose syncing circle is to be joined. - - @param dsid - The DirectoryServices identifier for the AppleID given in {@param username}. - - @result - A new session object. This object must be released with {@link CFRelease} when - it is no longer needed. - */ -OS_EXPORT OS_MALLOC OS_OBJECT_RETURNS_RETAINED OS_WARN_RESULT -SOSForerunnerRequestorSessionRef -SOSForerunnerRequestorSessionCreate(CFAllocatorRef allocator, - CFStringRef username, uint64_t dsid); - -/*! - @function SOSFRSCopyRequestPacket - - @abstract - Returns a request packet suitable for requesting to join a syncing circle. - - @param session - The session from which to copy the request packet. - - @param error - Upon unsuccessful return, an error object describing the failure condition. May - be NULL. - - @result - A new data object representing the request packet. - */ -OS_EXPORT OS_OBJECT_RETURNS_RETAINED OS_WARN_RESULT OS_NONNULL1 -CFDataRef -SOSFRSCopyRequestPacket(SOSForerunnerRequestorSessionRef session, - CFErrorRef *error); - -/*! - @function SOSFRSCopyResponsePacket - - @abstract - Returns a response packet suitable for responding to a challenge to join a - syncing circle. - - @param session - The session from which to copy the response packet. - - @param challenge - The challenge packet received from the approving device. 
- - @param secret - The six-digit secret generated by the approving device and entered by the user - on the requesting device. - - @param peerInfo - A dictionary containing information about the peer, such as GPS location, - device type, etc. Pass NULL for now. This contents of this dictionary will be - defined at a future date. - - @param error - Upon unsuccessful return, an error object describing the failure condition. May - be NULL. - - @result - A new data object representing the response packet. - */ -OS_EXPORT OS_OBJECT_RETURNS_RETAINED OS_WARN_RESULT OS_NONNULL1 OS_NONNULL2 -OS_NONNULL3 -CFDataRef -SOSFRSCopyResponsePacket(SOSForerunnerRequestorSessionRef session, - CFDataRef challenge, CFStringRef secret, CFDictionaryRef peerInfo, - CFErrorRef *error); - -/*! - @function SOSFRSCopyHSA2CodeFromPacket - - @abstract - Returns the HSA2 join code from the encrypted packet sent by the approving - device. - - @param session - The session from which to copy the HSA2 join code. - - @param hsa2packet - The encrypted packet containing the HSA2 join code sent by the approving - device. - - @result - A new data object representing the HSA2 join code. - */ -OS_EXPORT OS_OBJECT_RETURNS_RETAINED OS_WARN_RESULT OS_NONNULL1 OS_NONNULL2 -CFDataRef -SOSFRSCopyHSA2CodeFromPacket(SOSForerunnerRequestorSessionRef session, - CFDataRef hsa2packet, CFErrorRef *error); - -/*! - @function SOSFRSCopyDecryptedData - - @abstract - Decrypts data received through the secured communication channel negotiated by - the session. - - @param session - The session that the encrypted data is associated with. - - @param encrypted - The encrypted data received from the approving device. - - @result - A new data object representing the decrypted data received from the approving - device. - */ -OS_EXPORT OS_OBJECT_RETURNS_RETAINED OS_WARN_RESULT OS_NONNULL1 OS_NONNULL2 -CFDataRef -SOSFRSCopyDecryptedData(SOSForerunnerRequestorSessionRef session, - CFDataRef encrypted); - -/*! 
- @type SOSForerunnerAcceptorSessionRef - An opaque type representing the accepting side of a session being used to - enter a new requesting device into the syncing circle of which the acceptor is - a member. The object has no thread affinity, but it is not safe to invoke - methods on the same object from multiple threads concurrently. - */ -typedef struct __OpaqueSOSForerunnerAcceptorSession - *SOSForerunnerAcceptorSessionRef; - -/*! - @function SOSForerunnerAcceptorSessionGetTypeID - - @abstract - Returns the type identifier for the acceptor session class. - - @result - A type identifier. - */ -OS_EXPORT OS_WARN_RESULT -CFTypeID -SOSForerunnerAcceptorSessionGetTypeID(void); - -/*! - @function SOSForerunnerAcceptorSessionCreate - - @abstract - Creates a new accepting session object to negotiate entry of a requesting - device into a syncing circle. - - @param allocator - The vestigal CoreFoundation allocator. Pass NULL or - {@link kCFAllocatorDefault}. - - @param username - The AppleID for the account whose syncing circle is to be joined. - - @param dsid - The DirectoryServices identifier for the AppleID given in {@param username}. - - @param circleSecret - The six-digit secret generated to join the syncing circle. - - @result - A new session object. This object must be released with {@link CFRelease} when - it is no longer needed. - */ -OS_EXPORT OS_MALLOC OS_OBJECT_RETURNS_RETAINED OS_WARN_RESULT OS_NONNULL2 -OS_NONNULL4 -SOSForerunnerAcceptorSessionRef -SOSForerunnerAcceptorSessionCreate(CFAllocatorRef allocator, - CFStringRef username, uint64_t dsid, CFStringRef circleSecret); - -/*! - @function SOSFASCopyChallengePacket - - @abstract - Returns a challenge packet that a requesting device must satisfy to join the - syncing circle of which the accepting device is a member. - - @param session - The session from which to copy the challenge packet. - - @param requestorPacket - The initial requestor packet received from the device requesting to join the - circle. 
- - @param error - Upon unsuccessful return, an error object describing the failure condition. May - be NULL. - - @result - A new data object representing the challenge packet. - */ -OS_EXPORT OS_OBJECT_RETURNS_RETAINED OS_WARN_RESULT OS_NONNULL1 OS_NONNULL2 -CFDataRef -SOSFASCopyChallengePacket(SOSForerunnerAcceptorSessionRef session, - CFDataRef requestorPacket, CFErrorRef *error); - -/*! - @function SOSFASCopyHSA2Packet - - @abstract - Processes the packet sent in response to the challenge packet by the requesting - device and, if the challenge is satisfied, arms auto-acceptance into the HSA2 - trusted device list and returns a packet containing the HSA2 join code to be - sent to the requestor. - - @param session - The session associated with the challenge that the response was sent to - satisfy. - - @param responsePacket - The packet sent by the requestor in response to the challenge. - - @param hsa2Code - The code for the requestor to use to join the HSA2 trusted device list. - - @param error - Upon unsuccessful return, an error object describing the failure condition. - Unlike the other interfaces in this API suite, this parameter cannot be NULL, - as different error codes indicate different caller responsibilities. - - If the underlying error is EAGAIN, the caller may attempt to re-negotiate with - the requesting device. If too many attempts are made to re-negotiate, EBADMSG - will be returned. At this point, the caller may not attempt to create another - HSA2 packet; the connection should be terminated and the session torn down. - - @result - An encrypted packet containing the HSA2 join code. NULL in the event of - failure. - */ -OS_EXPORT OS_MALLOC OS_OBJECT_RETURNS_RETAINED OS_WARN_RESULT OS_NONNULL1 -OS_NONNULL2 OS_NONNULL3 OS_NONNULL4 -CFDataRef -SOSFASCopyHSA2Packet(SOSForerunnerAcceptorSessionRef session, - CFDataRef responsePacket, CFDataRef hsa2Code, CFErrorRef *error); - -/*! 
- @function SOSFASCopyEncryptedData - - @abstract - Encrypts data for transport over the negotiated session. - - @param session - The session object for which to encrypt the given data. - - @param data - The data to encrypt. - - @result - The encrypted representation of {@param data}. - */ -OS_EXPORT OS_MALLOC OS_OBJECT_RETURNS_RETAINED OS_WARN_RESULT OS_NONNULL1 -OS_NONNULL2 -CFDataRef -SOSFASCopyEncryptedData(SOSForerunnerAcceptorSessionRef session, - CFDataRef data); - -__END_DECLS - -#endif /* _SEC_SOSFORERUNNERSESSION_H_ */ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.c index 6abe081e..ea3a6cc9 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.c @@ -84,6 +84,7 @@ struct __OpaqueSOSFullPeerInfo { CFGiblisWithHashFor(SOSFullPeerInfo); + CFStringRef kSOSFullPeerInfoDescriptionKey = CFSTR("SOSFullPeerInfoDescription"); CFStringRef kSOSFullPeerInfoSignatureKey = CFSTR("SOSFullPeerInfoSignature"); CFStringRef kSOSFullPeerInfoNameKey = CFSTR("SOSFullPeerInfoName"); @@ -111,7 +112,7 @@ fail: bool SOSFullPeerInfoUpdateToThisPeer(SOSFullPeerInfoRef peer, SOSPeerInfoRef pi, CFErrorRef *error) { return SOSFullPeerInfoUpdate(peer, error, ^SOSPeerInfoRef(SOSPeerInfoRef peer, SecKeyRef key, CFErrorRef *error) { - return SOSPeerInfoSign(key, pi, error) ? pi: NULL; + return SOSPeerInfoSign(key, pi, error) ? CFRetainSafe(pi): NULL; }); } 
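Review bot: The block handed to SOSFullPeerInfoUpdate in SOSFullPeerInfoUpdateToThisPeer now returns `CFRetainSafe(pi)` rather than `pi`, which implies SOSFullPeerInfoUpdate releases whatever the block returns, yet that ownership rule is written nowhere in the hunk. A one-line comment above the block, `// SOSFullPeerInfoUpdate consumes the returned reference, so hand it a +1 copy of pi`, would stop the next maintainer from dropping the retain again. The same +1 convention presumably applies to the block added in SOSFullPeerInfoUpdateTransportFragmentationPreference in the following hunk, which returns the result of SOSPeerInfoSetIDSFragmentationPreference; worth confirming that function hands back a new object rather than the input.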
@@ -128,22 +129,14 @@ SOSFullPeerInfoRef SOSFullPeerInfoCreateWithViews(CFAllocatorRef allocator, SOSFullPeerInfoRef result = NULL; SOSFullPeerInfoRef fpi = CFTypeAllocate(SOSFullPeerInfo, struct __OpaqueSOSFullPeerInfo, allocator); - CFStringRef transportType = NULL; - CFBooleanRef preferIDS = NULL; CFStringRef IDSID = CFSTR(""); + CFStringRef transportType =SOSTransportMessageTypeIDSV2; + CFBooleanRef preferIDS = kCFBooleanFalse; + CFBooleanRef preferIDSFragmentation = kCFBooleanTrue; - if (whichTransportType == kSOSTransportFuture || whichTransportType == kSOSTransportIDS){ - transportType =SOSTransportMessageTypeIDS; - preferIDS = kCFBooleanTrue; - } - else{ - transportType =SOSTransportMessageTypeKVS; - preferIDS = kCFBooleanTrue; - } - fpi->peer_info = SOSPeerInfoCreateWithTransportAndViews(allocator, gestalt, backupKey, IDSID, transportType, preferIDS, - initialViews, + preferIDSFragmentation, initialViews, signingKey, error); require_quiet(fpi->peer_info, exit); @@ -193,6 +186,13 @@ bool SOSFullPeerInfoUpdateTransportPreference(SOSFullPeerInfoRef peer, CFBoolean }); } +bool SOSFullPeerInfoUpdateTransportFragmentationPreference(SOSFullPeerInfoRef peer, CFBooleanRef preference, CFErrorRef* error){ + return SOSFullPeerInfoUpdate(peer, error, ^SOSPeerInfoRef(SOSPeerInfoRef peer, SecKeyRef key, CFErrorRef *error) { + return SOSPeerInfoSetIDSFragmentationPreference(kCFAllocatorDefault, peer, preference, key, error); + }); +} + + SOSFullPeerInfoRef SOSFullPeerInfoCreateCloudIdentity(CFAllocatorRef allocator, SOSPeerInfoRef peer, CFErrorRef* error) { SOSFullPeerInfoRef fpi = CFTypeAllocate(SOSFullPeerInfo, struct __OpaqueSOSFullPeerInfo, allocator); @@ -205,7 +205,8 @@ SOSFullPeerInfoRef SOSFullPeerInfoCreateCloudIdentity(CFAllocatorRef allocator, goto exit; } - pubKey = SOSPeerInfoCopyPubKey(peer); + pubKey = SOSPeerInfoCopyPubKey(peer, error); + require_quiet(pubKey, exit); fpi->key_ref = SecKeyCreatePersistentRefToMatchingPrivateKey(pubKey, error); 
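Review bot: After this hunk SOSFullPeerInfoCreateWithViews sets `transportType`, `preferIDS` and the new `preferIDSFragmentation` unconditionally, so the `whichTransportType` argument that the removed branch consulted no longer influences anything; if it is still in the signature (the signature starts outside the hunk) it is dead, and either the parameter or a comment such as `// whichTransportType is ignored: every new peer is created as IDSV2 with fragmentation on` should say so. `CFStringRef transportType =SOSTransportMessageTypeIDSV2;` also wants a space after the `=`, as the two lines below it have. In the @@ -205 hunk, `require_quiet(pubKey, exit);` now sends a NULL public key to the `exit` label, which is outside the hunk; confirm that label releases the partially built `fpi` so this new early exit does not leak it.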
@@ -323,6 +324,8 @@ SOSViewResultCode SOSFullPeerInfoUpdateViews(SOSFullPeerInfoRef peer, SOSViewAct { __block SOSViewResultCode retval = kSOSCCGeneralViewError; + secnotice("viewChange", "%s view %@", SOSViewsXlateAction(action), viewname); + return SOSFullPeerInfoUpdate(peer, error, ^SOSPeerInfoRef(SOSPeerInfoRef peer, SecKeyRef key, CFErrorRef *error) { return SOSPeerInfoCopyWithViewsChange(kCFAllocatorDefault, peer, action, viewname, &retval, key, error); }) ? retval : kSOSCCGeneralViewError; @@ -361,6 +364,7 @@ static bool sosFullPeerInfoRequiresUpdate(SOSFullPeerInfoRef peer, CFSetRef mini if(!(SOSPeerInfoV2DictionaryHasString(peer->peer_info, sDeviceID)))return true; if(!(SOSPeerInfoV2DictionaryHasString(peer->peer_info, sTransportType))) return true; if(!(SOSPeerInfoV2DictionaryHasBoolean(peer->peer_info, sPreferIDS))) return true; + if(!(SOSPeerInfoV2DictionaryHasBoolean(peer->peer_info, sPreferIDSFragmentation))) return true; if(SOSFullPeerInfoNeedsViewUpdate(peer, minimumViews, excludedViews)) return true; return false; @@ -384,7 +388,7 @@ bool SOSFullPeerInfoUpdateToCurrent(SOSFullPeerInfoRef peer, CFSetRef minimumVie secnotice("upgrade", "SOSFullPeerInfoCopyDeviceKey failed: %@", copyError)); SOSPeerInfoRef newPeer = SOSPeerInfoCreateCurrentCopy(kCFAllocatorDefault, peer->peer_info, - NULL, NULL, NULL, newViews, + NULL, NULL, kCFBooleanFalse, kCFBooleanTrue, newViews, device_key, &createError); require_action_quiet(newPeer, errOut, secnotice("upgrade", "Peer info v2 create copy failed: %@", createError)); @@ -404,7 +408,6 @@ errOut: SOSViewResultCode SOSFullPeerInfoViewStatus(SOSFullPeerInfoRef peer, CFStringRef viewname, CFErrorRef *error) { SOSPeerInfoRef pi = SOSFullPeerInfoGetPeerInfo(peer); - secnotice("views", "have pi %s", (pi)? "true": "false"); if(!pi) return kSOSCCGeneralViewError; return SOSPeerInfoViewStatus(pi, viewname, error); } 
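Review bot: The positional `kCFBooleanFalse, kCFBooleanTrue` literals passed to SOSPeerInfoCreateCurrentCopy in SOSFullPeerInfoUpdateToCurrent are unexplained; they appear to be the preferIDS / preferIDSFragmentation defaults that SOSFullPeerInfoCreateWithViews now hard-codes too, and if so an upgraded peer has its existing IDS preference replaced rather than carried over. A comment at the call such as `// upgrade resets transport preferences to the creation defaults: preferIDS = false, preferIDSFragmentation = true`, or a pair of named constants shared with SOSFullPeerInfoCreateWithViews, would make that intent explicit and keep the two sites from drifting apart. The body of SOSFullPeerInfoUpdateToCurrent continues outside the hunk.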
@@ -444,27 +447,35 @@ SOSPeerInfoRef SOSFullPeerInfoGetPeerInfo(SOSFullPeerInfoRef fullPeer) {
 // MARK: Private Key Retrieval and Existence
-static SecKeyRef SOSFullPeerInfoCopyPubKey(SOSFullPeerInfoRef fpi) {
+static SecKeyRef SOSFullPeerInfoCopyPubKey(SOSFullPeerInfoRef fpi, CFErrorRef *error) {
 SecKeyRef retval = NULL;
 require_quiet(fpi, errOut);
 SOSPeerInfoRef pi = SOSFullPeerInfoGetPeerInfo(fpi);
 require_quiet(pi, errOut);
- retval = SOSPeerInfoCopyPubKey(pi);
+ retval = SOSPeerInfoCopyPubKey(pi, error);
 errOut:
 return retval;
 }
 static SecKeyRef SOSFullPeerInfoCopyMatchingPrivateKey(SOSFullPeerInfoRef fpi, CFErrorRef *error) {
- SecKeyRef pub = SOSFullPeerInfoCopyPubKey(fpi);
- SecKeyRef retval = SecKeyCopyMatchingPrivateKey(pub, error);
+ SecKeyRef retval = NULL;
+
+ SecKeyRef pub = SOSFullPeerInfoCopyPubKey(fpi, error);
+ require_quiet(pub, exit);
+ retval = SecKeyCopyMatchingPrivateKey(pub, error);
+exit:
 CFReleaseNull(pub);
 return retval;
 }
 static OSStatus SOSFullPeerInfoGetMatchingPrivateKeyStatus(SOSFullPeerInfoRef fpi, CFErrorRef *error) {
- SecKeyRef pub = SOSFullPeerInfoCopyPubKey(fpi);
- OSStatus retval = SecKeyGetMatchingPrivateKeyStatus(pub, error);
+ OSStatus retval = errSecParam;
+ SecKeyRef pub = SOSFullPeerInfoCopyPubKey(fpi, error);
+ require_quiet(pub, exit);
+ retval = SecKeyGetMatchingPrivateKeyStatus(pub, error);
+
+exit:
 CFReleaseNull(pub);
 return retval;
 }
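Review bot: SOSFullPeerInfoCopyPubKey now takes `error`, but its two `require_quiet` guards (NULL `fpi`, NULL `pi`) still return NULL without populating it, so the new `require_quiet(pub, exit)` paths in SOSFullPeerInfoCopyMatchingPrivateKey and SOSFullPeerInfoGetMatchingPrivateKeyStatus (and in SOSFullPeerInfoPurgePersistentKey in the following hunk) report failure with `*error` untouched. Either those guards should produce an error (the SOSCreateError helper in SOSInternal.c with an appropriate kSOSError code), or the function should carry a comment such as `// Returns NULL with *error untouched when fpi has no peer info; only SOSPeerInfoCopyPubKey failures set error` so callers know not to rely on `*error` being set. The `errSecParam` preset in SOSFullPeerInfoGetMatchingPrivateKeyStatus covers that gap for its own return value; the other two callers have nothing equivalent.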
@@ -482,15 +493,24 @@ bool SOSFullPeerInfoPrivKeyExists(SOSFullPeerInfoRef peer) {
 }
 bool SOSFullPeerInfoPurgePersistentKey(SOSFullPeerInfoRef fpi, CFErrorRef* error) {
- SecKeyRef pub = SOSFullPeerInfoCopyPubKey(fpi);
- CFDictionaryRef privQuery = CreatePrivateKeyMatchingQuery(pub, false);
- CFMutableDictionaryRef query = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, privQuery);
+ bool result = false;
+ CFDictionaryRef privQuery = NULL;
+ CFMutableDictionaryRef query = NULL;
+
+ SecKeyRef pub = SOSFullPeerInfoCopyPubKey(fpi, error);
+ require_quiet(pub, fail);
+
+ privQuery = CreatePrivateKeyMatchingQuery(pub, false);
+ query = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, privQuery);
 CFDictionaryAddValue(query, kSecUseTombstones, kCFBooleanFalse);
- SecItemDelete(query);
+
+ result = SecError(SecItemDelete(query), error, CFSTR("Deleting while purging"));
+
+fail:
 CFReleaseNull(privQuery);
 CFReleaseNull(query);
 CFReleaseNull(pub);
- return true;
+ return result;
 }
 SecKeyRef SOSFullPeerInfoCopyDeviceKey(SOSFullPeerInfoRef fullPeer, CFErrorRef* error) {
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h
index 6df8afb7..e4e0f4bd 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h
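Review bot: In SOSFullPeerInfoPurgePersistentKey, `privQuery` and `query` are still used without a NULL check: if CreatePrivateKeyMatchingQuery or CFDictionaryCreateMutableCopy returns NULL, `CFDictionaryAddValue(query, …)` and SecItemDelete are called on NULL. Add `require_quiet(privQuery, fail);` after the CreatePrivateKeyMatchingQuery call and `require_quiet(query, fail);` after the copy, so the function takes the new `fail` path and returns false. The function now also returns `SecError(SecItemDelete(query), …)`, so purging when no persistent key exists (`errSecItemNotFound`) is reported as failure where the old code always returned true; if callers treat "nothing to purge" as success, that status should be folded into success before SecError, and the chosen semantics documented above the function.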
@@ -99,6 +99,8 @@ CFDataRef SOSFullPeerInfoCopyEncodedData(SOSFullPeerInfoRef peer, CFAllocatorRef bool SOSFullPeerInfoUpdateTransportType(SOSFullPeerInfoRef peer, CFStringRef transportType, CFErrorRef* error); bool SOSFullPeerInfoUpdateDeviceID(SOSFullPeerInfoRef peer, CFStringRef deviceID, CFErrorRef* error); bool SOSFullPeerInfoUpdateTransportPreference(SOSFullPeerInfoRef peer, CFBooleanRef preference, CFErrorRef* error); +bool SOSFullPeerInfoUpdateTransportFragmentationPreference(SOSFullPeerInfoRef peer, CFBooleanRef preference, CFErrorRef* error); + SOSSecurityPropertyResultCode SOSFullPeerInfoUpdateSecurityProperty(SOSFullPeerInfoRef peer, SOSViewActionCode action, CFStringRef property, CFErrorRef* error); SOSSecurityPropertyResultCode SOSFullPeerInfoSecurityPropertyStatus(SOSFullPeerInfoRef peer, CFStringRef property, CFErrorRef *error); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSGenCount.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSGenCount.c index 4c2d6adf..fb8d8518 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSGenCount.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSGenCount.c 
@@ -87,13 +87,30 @@ SOSGenCountRef SOSGenerationCopy(SOSGenCountRef gen) {
 return CFNumberCreate(NULL, kCFNumberSInt64Type, &value);
 }
-bool SOSGenerationIsOlder(SOSGenCountRef current, SOSGenCountRef proposed) {
- return CFNumberCompare(current, proposed, NULL) == kCFCompareGreaterThan;
+// Is current older than proposed?
+bool SOSGenerationIsOlder(SOSGenCountRef older, SOSGenCountRef newer) {
+ switch(CFNumberCompare(older, newer, NULL)) {
+ case kCFCompareLessThan: return true;
+ case kCFCompareEqualTo: return false;
+ case kCFCompareGreaterThan: return false;
+ }
+ return false;
 }
+// Is current older than proposed?
+static bool SOSGenerationIsOlderOrEqual(SOSGenCountRef older, SOSGenCountRef newer) {
+ switch(CFNumberCompare(older, newer, NULL)) {
+ case kCFCompareLessThan: return true;
+ case kCFCompareEqualTo: return true;
+ case kCFCompareGreaterThan: return false;
+ }
+ return false;
+}
+
+
 SOSGenCountRef SOSGenerationCreateWithBaseline(SOSGenCountRef reference) {
 SOSGenCountRef retval = SOSGenerationCreate();
- if(!SOSGenerationIsOlder(retval, reference)) {
+ if(SOSGenerationIsOlderOrEqual(retval, reference)) {
 CFReleaseNull(retval);
 retval = SOSGenerationIncrementAndCreate(reference);
 }
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.c
index d8c6323c..b743f85f 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.c
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.c
@@ -67,7 +67,7 @@ bool SOSErrorCreate(CFIndex errorCode, CFErrorRef *error, CFDictionaryRef format
 bool SOSCreateError(CFIndex errorCode, CFStringRef descriptionString, CFErrorRef previousError, CFErrorRef *newError) {
 SOSCreateErrorWithFormat(errorCode, previousError, newError, NULL, CFSTR("%@"), descriptionString);
- return true;
+ return false;
 }
 bool SOSCreateErrorWithFormat(CFIndex errorCode, CFErrorRef previousError, CFErrorRef *newError,
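Review bot: The new SOSGenerationIsOlder inverts the result of the old one: the removed body returned true when `current` compared greater than `proposed`, the new one returns true when `older` compares less than `newer`, and SOSGenerationCreateWithBaseline is the only caller adjusted in this hunk, so every other caller of SOSGenerationIsOlder (none are visible here) needs the same audit. Both functions are commented `// Is current older than proposed?` although the parameters are now `older` and `newer`, and the duplicated comment is wrong for SOSGenerationIsOlderOrEqual; suggest `// true when older < newer` and `// true when older <= newer` respectively. The switches enumerate every CFComparisonResult value and the trailing `return false` exists only to satisfy the compiler, which a `default: return false;` would state more directly.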
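Review bot: SOSCreateError now always returns false, which lets callers write `return SOSCreateError(...)` from a failure path, but nothing in the hunk records that contract; SOSInternal.h already carries `// Returns false unless errorCode is 0.` above SOSErrorCreate, and a matching `// Always returns false so callers can return it directly from an error path.` above SOSCreateError would keep the two in step. SOSCreateErrorWithFormatAndArguments in the next hunk instead returns whatever SecCFCreateErrorWithFormatAndArguments returns, so the three helpers no longer share one meaning for their boolean; confirm that function is also false on the error path, or callers mixing them will get inconsistent results.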
@@ -81,8 +81,7 @@ bool SOSCreateErrorWithFormat(CFIndex errorCode, CFErrorRef previousError, CFErr bool SOSCreateErrorWithFormatAndArguments(CFIndex errorCode, CFErrorRef previousError, CFErrorRef *newError, CFDictionaryRef formatOptions, CFStringRef format, va_list args) { - SecCFCreateErrorWithFormatAndArguments(errorCode, kSOSErrorDomain, previousError, newError, formatOptions, format, args); - return true; + return SecCFCreateErrorWithFormatAndArguments(errorCode, kSOSErrorDomain, previousError, newError, formatOptions, format, args); } @@ -193,6 +192,14 @@ fail: return result; } +CFStringRef SOSCopyIDOfKeyWithLength(SecKeyRef key, CFIndex len, CFErrorRef *error) { + CFStringRef retval = NULL; + CFStringRef tmp = SOSCopyIDOfKey(key, error); + if(tmp) retval = CFStringCreateWithSubstring(kCFAllocatorDefault, tmp, CFRangeMake(0, len)); + CFReleaseNull(tmp); + return retval; +} + CFGiblisGetSingleton(ccec_const_cp_t, SOSGetBackupKeyCurveParameters, sBackupKeyCurveParameters, ^{ *sBackupKeyCurveParameters = ccec_cp_256(); }); @@ -205,7 +212,6 @@ CFGiblisGetSingleton(ccec_const_cp_t, SOSGetBackupKeyCurveParameters, sBackupKey // const int kBackupKeyIterations = 20; const uint8_t sBackupKeySalt[] = { 0 }; -const int kBackupKeyMaxBytes = 256; bool SOSPerformWithDeviceBackupFullKey(ccec_const_cp_t cp, CFDataRef entropy, CFErrorRef *error, void (^operation)(ccec_full_ctx_t fullKey)) { @@ -229,6 +235,7 @@ bool SOSGenerateDeviceBackupFullKey(ccec_full_ctx_t generatedKey, ccec_const_cp_ bool result = false; int cc_result = 0; struct ccrng_pbkdf2_prng_state pbkdf2_prng; + const int kBackupKeyMaxBytes = 1024; // This may be a function of the cp but will be updated when we use a formally deterministic key generation. cc_result = ccrng_pbkdf2_prng_init(&pbkdf2_prng, kBackupKeyMaxBytes, CFDataGetLength(entropy), CFDataGetBytePtr(entropy), 
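Review bot: SOSCopyIDOfKeyWithLength passes `CFRangeMake(0, len)` to CFStringCreateWithSubstring without checking that `len` is non-negative and no larger than the string returned by SOSCopyIDOfKey; an out-of-range CFRange is outside that API's contract and can crash or read past the string. Guard the call, `if(tmp && len >= 0 && len <= CFStringGetLength(tmp))`, or clamp `len` to the string length, and say in a comment which of the two the caller should expect. The relocated `const int kBackupKeyMaxBytes = 1024;` in SOSGenerateDeviceBackupFullKey quadruples the previous file-scope value of 256 with only a forward-looking comment; a sentence on why 1024 bytes of PRNG output suffices for the curve returned by SOSGetBackupKeyCurveParameters would help the next reader, and the body of SOSGenerateDeviceBackupFullKey continues outside the hunk.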
@@ -278,3 +285,19 @@ CFDataRef SOSDateCreate(void) { return CFDataCreate(NULL, buf, bufsiz); } + +CFDataRef CFDataCreateWithDER(CFAllocatorRef allocator, CFIndex size, uint8_t*(^operation)(size_t size, uint8_t *buffer)) { + __block CFMutableDataRef result = NULL; + if(!size) return NULL; + if((result = CFDataCreateMutableWithScratch(allocator, size)) == NULL) return NULL; + uint8_t *ptr = CFDataGetMutableBytePtr(result); + uint8_t *derptr = operation(size, ptr); + if(derptr == ptr) return result; // most probable case + if(!derptr || derptr < ptr) { // DER op failed - or derptr ended up prior to allocated buffer + CFReleaseNull(result); + } else if(derptr > ptr) { // This is a possible case where we don't end up using the entire allocated buffer + size_t diff = derptr - ptr; // The unused space ends up being the beginning of the allocation + CFDataDeleteBytes(result, CFRangeMake(0, diff)); + } + return result; +} diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h index 0cf11582..3aadefe3 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h @@ -70,6 +70,8 @@ enum { kSOSErrorNoiCloudPeer = 1044, }; +extern CFStringRef kSOSErrorDomain; + // Returns false unless errorCode is 0. bool SOSErrorCreate(CFIndex errorCode, CFErrorRef *error, CFDictionaryRef formatOptions, CFStringRef descriptionString, ...); @@ -113,6 +115,7 @@ OSStatus GeneratePermanentECPair(int keySize, SecKeyRef* public, SecKeyRef *full CFStringRef SOSItemsChangedCopyDescription(CFDictionaryRef changes, bool is_sender); CFStringRef SOSCopyIDOfKey(SecKeyRef key, CFErrorRef *error); +CFStringRef SOSCopyIDOfKeyWithLength(SecKeyRef key, CFIndex len, CFErrorRef *error); // // Der encoding accumulation 
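Review bot: CFDataCreateWithDER rejects only `size == 0`; `size` is a CFIndex, so a negative value passes the check and reaches CFDataCreateMutableWithScratch, and `if(size <= 0) return NULL;` is the safer form. The `derptr < ptr` branch is labelled "DER op failed", but a returned pointer before the buffer means the callback already wrote outside the allocation, so releasing `result` there hides memory corruption rather than handling it; that branch should be commented as a caller bug and reported loudly (secerror or an assertion), not treated as a routine failure. The contract of `operation` — presumably back-to-front DER encoding into `[buffer, buffer+size)` returning the start of the encoded bytes, or NULL on failure — is only implied by the branches; spelling it out above the function would make the `derptr > ptr` trimming readable without reverse-engineering. The `__block` qualifier on `result` is unnecessary, since no block in the function captures it.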
@@ -125,6 +128,8 @@ static inline bool accumulate_size(size_t *accumulator, size_t size) {
 // Used for simple timestamping that's DERable (not durable)
 CFDataRef SOSDateCreate(void);
+CFDataRef CFDataCreateWithDER(CFAllocatorRef allocator, CFIndex size, uint8_t*(^operation)(size_t size, uint8_t *buffer));
+
 __END_DECLS
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.c
index 42888de5..c384c8b4 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.c
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.c
@@ -67,8 +67,7 @@ static CFStringRef copyStringEndingIn(CFMutableStringRef in, CFStringRef token)
 return retval;
 }
-SOSKVSKeyType SOSKVSKeyGetKeyTypeAndParse(CFStringRef key, CFStringRef *circle, CFStringRef *peerInfo, CFStringRef *ring, CFStringRef *backupName, CFStringRef *from, CFStringRef *to)
-{
+SOSKVSKeyType SOSKVSKeyGetKeyType(CFStringRef key) {
 SOSKVSKeyType retval = kUnknownKey;
 if(CFStringHasPrefix(key, sCirclePrefix)) retval = kCircleKey;
@@ -82,8 +81,14 @@ SOSKVSKeyType SOSKVSKeyGetKeyTypeAndParse(CFStringRef key, CFStringRef *circle,
 else if(CFStringHasPrefix(key, sLastCirclePushedPrefix)) retval = kLastCircleKey;
 else if(CFStringHasPrefix(key, sLastKeyParametersPushedPrefix)) retval = kLastKeyParameterKey;
 else retval = kMessageKey;
+
+ return retval;
+}
+
+bool SOSKVSKeyParse(SOSKVSKeyType keyType, CFStringRef key, CFStringRef *circle, CFStringRef *peerInfo, CFStringRef *ring, CFStringRef *backupName, CFStringRef *from, CFStringRef *to) {
+ bool retval = true;
- switch(retval) {
+ switch(keyType) {
 case kCircleKey: if (circle) {
 CFRange fromRange = CFRangeMake(1, CFStringGetLength(key)-1);
@@ -104,7 +109,7 @@ SOSKVSKeyType SOSKVSKeyGetKeyTypeAndParse(CFStringRef key, CFStringRef *circle, if (from && mFrom) *from = CFStringCreateCopy(NULL, mFrom); if (to && mTo) *to = CFStringCreateCopy(NULL, mTo); } else { - retval = kUnknownKey; + retval = false; } CFReleaseNull(mCircle); CFReleaseNull(mFrom); @@ -122,9 +127,8 @@ SOSKVSKeyType SOSKVSKeyGetKeyTypeAndParse(CFStringRef key, CFStringRef *circle, if (circle) *circle = CFStringCreateCopy(NULL, mCircle); if (from) *from = CFStringCreateCopy(NULL, mPeer); } else { - retval = kUnknownKey; + retval = false; } - // TODO - Update our circle CFReleaseNull(mCircle); CFReleaseNull(mPeer); CFReleaseNull(keycopy); 
@@ -154,20 +158,57 @@ SOSKVSKeyType SOSKVSKeyGetKeyTypeAndParse(CFStringRef key, CFStringRef *circle, case kParametersKey: case kInitialSyncKey: case kUnknownKey: + break; case kLastKeyParameterKey: + if(from) { + CFStringRef mPrefix = NULL; + CFStringRef mFrom = NULL; + CFMutableStringRef keycopy = CFStringCreateMutableCopy(NULL, 128, key); + + if( ((mPrefix = copyStringEndingIn(keycopy, sCircleSeparator)) != NULL) && + ((mFrom = copyStringEndingIn(keycopy, NULL)) != NULL)) { + if (from && mFrom) *from = CFStringCreateCopy(NULL, mFrom); + } else { + retval = false; + } + CFReleaseNull(mPrefix); + CFReleaseNull(mFrom); + CFReleaseNull(keycopy); + } + break; case kLastCircleKey: + if (circle && from) { + CFStringRef mCircle = NULL; + CFStringRef mFrom = NULL; + CFMutableStringRef keycopy = CFStringCreateMutableCopy(NULL, 128, key); + + if( ((mCircle = copyStringEndingIn(keycopy, sCircleSeparator)) != NULL) && + ((mFrom = copyStringEndingIn(keycopy, NULL)) != NULL)) { + if (circle && mCircle) *circle = CFStringCreateCopy(NULL, mCircle); + if (from && mFrom) *from = CFStringCreateCopy(NULL, mFrom); + } else { + retval = false; + } + CFReleaseNull(mCircle); + CFReleaseNull(mFrom); + CFReleaseNull(keycopy); + } + break; } - return retval; } - -SOSKVSKeyType SOSKVSKeyGetKeyType(CFStringRef key) +SOSKVSKeyType SOSKVSKeyGetKeyTypeAndParse(CFStringRef key, CFStringRef *circle, CFStringRef *peerInfo, CFStringRef *ring, CFStringRef *backupName, CFStringRef *from, CFStringRef *to) { - return SOSKVSKeyGetKeyTypeAndParse(key, NULL, NULL, NULL, NULL, NULL, NULL); + SOSKVSKeyType retval = SOSKVSKeyGetKeyType(key); + bool parsed = SOSKVSKeyParse(retval, key, circle, peerInfo, ring, backupName, from, to); + if(!parsed) retval = kUnknownKey; + + return retval; } + CFStringRef SOSCircleKeyCreateWithCircle(SOSCircleRef circle, CFErrorRef *error) { return SOSCircleKeyCreateWithName(SOSCircleGetName(circle), error); 
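Review bot: The new kLastCircleKey case in SOSKVSKeyParse is gated on `if (circle && from)`, so a caller that asks for only `from` (or only `circle`) gets nothing back and the inner `if (circle && mCircle)` / `if (from && mFrom)` checks never run, while the kLastKeyParameterKey case directly above is gated on `from` alone. Unless both out-parameters are genuinely required together, `if (circle || from) {` matches the per-parameter checks inside. The two new cases are near-verbatim copies of the earlier cases in this switch (mutable copy, strip up to sCircleSeparator, take the remainder), so a small static helper taking the two out-pointers would remove the duplication; `mPrefix` in the kLastKeyParameterKey case is computed only to be released, which is intentional prefix-stripping and deserves a comment such as `// discard the key-parameters prefix; the remainder is the sender` so it is not "fixed" later.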
@@ -238,7 +279,7 @@ CFStringRef SOSMessageKeyCreateWithCircleNameAndPeerNames(CFStringRef circleName CFStringRef SOSMessageKeyCreateWithCircleNameAndTransportType(CFStringRef circleName, CFStringRef transportType) { return CFStringCreateWithFormat(NULL, NULL, CFSTR("%@%@%@%@%@"), - circleName, sCircleSeparator, transportType, sFromToSeparator, SOSTransportMessageTypeIDS); + circleName, sCircleSeparator, transportType, sFromToSeparator, SOSTransportMessageTypeIDSV2); } CFStringRef SOSMessageKeyCreateWithCircleAndPeerNames(SOSCircleRef circle, CFStringRef from_peer_name, CFStringRef to_peer_name) @@ -251,19 +292,23 @@ CFStringRef SOSMessageKeyCreateWithCircleAndPeerInfos(SOSCircleRef circle, SOSPe return SOSMessageKeyCreateWithCircleAndPeerNames(circle, SOSPeerInfoGetPeerID(from_peer), SOSPeerInfoGetPeerID(to_peer)); } -CFStringRef SOSMessageKeyCreateFromPeerToTransport(SOSTransportMessageKVSRef transport, CFStringRef peer_name) { +CFStringRef SOSMessageKeyCreateFromPeerToTransport(SOSTransportMessageRef transport, CFStringRef peer_name) { CFErrorRef error = NULL; SOSEngineRef engine = SOSTransportMessageGetEngine((SOSTransportMessageRef)transport); CFStringRef circleName = SOSTransportMessageGetCircleName((SOSTransportMessageRef)transport); CFStringRef my_id = SOSEngineGetMyID(engine); - + if(my_id == NULL) + { + secerror("cannot create message keys, SOSEngineGetMyID returned NULL"); + return NULL; + } CFStringRef result = SOSMessageKeyCreateWithCircleNameAndPeerNames(circleName, peer_name, my_id); CFReleaseSafe(error); return result; } -CFStringRef SOSMessageKeyCreateFromTransportToPeer(SOSTransportMessageKVSRef transport, CFStringRef peer_name) { +CFStringRef SOSMessageKeyCreateFromTransportToPeer(SOSTransportMessageRef transport, CFStringRef peer_name) { CFErrorRef error = NULL; SOSEngineRef engine = SOSTransportMessageGetEngine((SOSTransportMessageRef)transport); 
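Review bot: The new NULL check for `my_id` in SOSMessageKeyCreateFromPeerToTransport is not mirrored in SOSMessageKeyCreateFromTransportToPeer, whose body runs past the end of the hunk; if it also feeds `SOSEngineGetMyID(engine)` into SOSMessageKeyCreateWithCircleNameAndPeerNames, the same guard belongs there. Now that the parameter is already `SOSTransportMessageRef`, the `(SOSTransportMessageRef)transport` casts in both functions are no-ops, and `error` is declared, never passed to anything and only handed to `CFReleaseSafe`, so both can go. Switching the transport-type key to SOSTransportMessageTypeIDSV2 changes the key string this function produces; whether readers still need to recognise keys built with SOSTransportMessageTypeIDS is not visible here.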
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h
index 5a8a2b02..35b6f3af 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h
@@ -41,6 +41,7 @@ extern const CFStringRef sLastKeyParametersPushedPrefix;
 extern const CFStringRef sDebugInfoPrefix;
 SOSKVSKeyType SOSKVSKeyGetKeyType(CFStringRef key);
+bool SOSKVSKeyParse(SOSKVSKeyType keyType, CFStringRef key, CFStringRef *circle, CFStringRef *peerInfo, CFStringRef *ring, CFStringRef *backupName, CFStringRef *from, CFStringRef *to);
 SOSKVSKeyType SOSKVSKeyGetKeyTypeAndParse(CFStringRef key, CFStringRef *circle, CFStringRef *peerInfo, CFStringRef *ring, CFStringRef *backupName, CFStringRef *from, CFStringRef *to);
 CFStringRef SOSCircleKeyCreateWithCircle(SOSCircleRef circle, CFErrorRef *error);
@@ -60,8 +61,8 @@ CFStringRef SOSMessageKeyCreateWithCircleAndPeerInfos(SOSCircleRef circle, SOSPe
 CFStringRef SOSRetirementKeyCreateWithCircleNameAndPeer(CFStringRef circle_name, CFStringRef retirement_peer_name);
 CFStringRef SOSRetirementKeyCreateWithCircleAndPeer(SOSCircleRef circle, CFStringRef retirement_peer_name);
-CFStringRef SOSMessageKeyCreateFromTransportToPeer(SOSTransportMessageKVSRef transport, CFStringRef peer_name);
-CFStringRef SOSMessageKeyCreateFromPeerToTransport(SOSTransportMessageKVSRef transport, CFStringRef peer_name);
+CFStringRef SOSMessageKeyCreateFromTransportToPeer(SOSTransportMessageRef transport, CFStringRef peer_name);
+CFStringRef SOSMessageKeyCreateFromPeerToTransport(SOSTransportMessageRef transport, CFStringRef peer_name);
 CFStringRef SOSMessageKeyCreateWithCircleNameAndTransportType(CFStringRef circleName, CFStringRef transportType);
 CFStringRef SOSPeerInfoV2KeyCreateWithPeerName(CFStringRef peer_name);
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.c
index 2e8d6600..6ba78c45 100644
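Review bot: The new SOSKVSKeyParse declaration carries no contract for its six out-parameters, although the .c side shows they receive +1 copies (`CFStringCreateCopy`) that the caller must release, are only written for the key types that carry them, and are left untouched when the function returns false. A comment such as `// Fills the out-params that apply to keyType with +1 copies the caller releases; returns false (out-params untouched) if the key does not parse as keyType.` above the prototype would pin that down, and the same note applies to SOSKVSKeyGetKeyTypeAndParse, which now returns kUnknownKey on a parse failure.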
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.c @@ -27,7 +27,6 @@ */ #include <Security/SecureObjectSync/SOSPeer.h> -#include <Security/SecureObjectSync/SOSCoder.h> #include <Security/SecureObjectSync/SOSDigestVector.h> #include <Security/SecureObjectSync/SOSInternal.h> #include <Security/SecureObjectSync/SOSTransport.h> @@ -77,7 +76,6 @@ static CFStringRef kSOSPeerConfirmedManifestKey = CFSTR("confirmed-manifest"); static CFStringRef kSOSPeerProposedManifestKey = CFSTR("pending-manifest"); // array of digests static CFStringRef kSOSPeerLocalManifestKey = CFSTR("local-manifest"); // array of digests static CFStringRef kSOSPeerVersionKey = CFSTR("vers"); // int -static CFStringRef kSOSPeerCoderKey = CFSTR("coder"); // der encoded SOSCoder // // SOSPeerMeta keys that can also be used in peerstate... @@ -310,8 +308,6 @@ static void SOSManifestArrayAppendManifest(CFMutableArrayRef *manifests, SOSMani struct __OpaqueSOSPeer { CFRuntimeBase _base; - SOSCoderRef coder; - CFDataRef coderData; CFStringRef peer_id; CFSetRef views; CFIndex version; 
@@ -364,68 +360,6 @@ static Boolean SOSPeerCompare(CFTypeRef cfA, CFTypeRef cfB) return CFStringCompare(SOSPeerGetID(peerA), SOSPeerGetID(peerB), 0) == kCFCompareEqualTo; } -// Coder and coderData caching. -// A Peer has either a coderData or a coder. Upon serialization the -// coder will be turned into coderData but the coder will stay instantiated -// unless the peer is released. -static void SOSPeerSetCoderData(SOSPeerRef peer, CFDataRef coderData){ - if (peer->coder) { - SOSCoderDispose(peer->coder); - peer->coder = NULL; - } - CFRetainAssign(peer->coderData, coderData); -} - -static bool SOSPeerCopyCoderData(SOSPeerRef peer, CFDataRef *coderData, CFErrorRef *error) { - // TODO: We can optionally call SOSPeerSetCoderData here to clear the coder whenever its encoded, - // if we assume that coders are written out to disk more often than they are used. - bool ok = true; - if (peer->coder) { -#if 1 - CFErrorRef localError = NULL; - ok = *coderData = SOSCoderCopyDER(peer->coder, &localError); - if (!ok) { - secerror("failed to der encode coder for peer %@, dropping it: %@", peer->peer_id, localError); - SOSCoderDispose(peer->coder); - peer->coder = NULL; - CFErrorPropagate(localError, error); - } - return ok; -#else - // Alternate always delete in memory coder after der encoding it. 
- CFAssignRetained(peer->coderData, SOSCoderCopyDER(peer->coder, error)); - ok = peer->coderData; - SOSCoderDispose(peer->coder); - peer->coder = NULL; -#endif - } - *coderData = CFRetainSafe(peer->coderData); - return ok; -} - -SOSCoderRef SOSPeerGetCoder(SOSPeerRef peer, CFErrorRef *error) { - if (peer->coderData) { - peer->coder = SOSCoderCreateFromData(peer->coderData, error); - CFReleaseNull(peer->coderData); - } else if (!peer->coder) { - SOSErrorCreate(kSOSErrorPeerNotFound, error, NULL, CFSTR("No coderData nor coder for peer: %@"), peer->peer_id); - } - return peer->coder; -} - -bool SOSPeerEnsureCoder(SOSPeerRef peer, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, CFErrorRef *error) { - if (!SOSPeerGetCoder(peer, NULL)) { - secinfo("peer", "New coder for id %@.", peer->peer_id); - CFErrorRef localError = NULL; - peer->coder = SOSCoderCreate(peerInfo, myPeerInfo, kCFBooleanFalse, &localError); - if (!peer->coder) { - secerror("Failed to create coder for %@: %@", peer->peer_id, localError); - CFErrorPropagate(localError, error); - return false; - } - } - return true; -} static bool SOSPeerGetPersistedBoolean(CFDictionaryRef persisted, CFStringRef key) { CFBooleanRef boolean = CFDictionaryGetValue(persisted, key); 
@@ -579,10 +513,6 @@ bool SOSPeerSetState(SOSPeerRef p, SOSEngineRef engine, CFDictionaryRef state, C p->sendObjects = SOSPeerGetPersistedBoolean(state, kSOSPeerSendObjectsKey); CFRetainAssign(p->views, SOSPeerGetPersistedViewNameSet(p, state, kSOSPeerViewsKey)); SOSPeerSetKeyBag(p, SOSPeerGetPersistedData(state, kSOSPeerKeyBagKey)); - // Don't rollback coder in memory if a transaction is rolled back, since this - // might lead to reuse of an IV. - if (!p->coder) - SOSPeerSetCoderData(p, SOSPeerGetPersistedData(state, kSOSPeerCoderKey)); CFAssignRetained(p->pendingObjects, SOSEngineCopyPersistedManifest(engine, state, kSOSPeerPendingObjectsKey)); CFAssignRetained(p->unwantedManifest, SOSEngineCopyPersistedManifest(engine, state, kSOSPeerUnwantedManifestKey)); CFAssignRetained(p->confirmedManifest, SOSEngineCopyPersistedManifest(engine, state, kSOSPeerConfirmedManifestKey)); @@ -610,16 +540,6 @@ static SOSPeerRef SOSPeerCreate_Internal(SOSEngineRef engine, CFDictionaryRef st return p; } -static bool SOSPeerPersistOptionalCoder(SOSPeerRef peer, CFMutableDictionaryRef persist, CFStringRef key, CFErrorRef *error) { - CFDataRef coderData = NULL; - bool ok = SOSPeerCopyCoderData(peer, &coderData, error); - if (coderData) { - CFDictionarySetValue(persist, key, coderData); - CFReleaseSafe(coderData); - } - return ok; -} - static void SOSPeerPersistBool(CFMutableDictionaryRef persist, CFStringRef key, bool value) { CFDictionarySetValue(persist, key, value ? kCFBooleanTrue : kCFBooleanFalse); } 
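Review bot: The removed comment in SOSPeerSetState recorded a security invariant — the in-memory coder must not be rolled back with a transaction because that can lead to IV reuse — and nothing in this hunk says where that invariant now lives once the coder is no longer stored on the peer. Wherever the coder is kept now (it is passed in by the caller in SOSPeerCoder.c), the same "never restore an older coder state over a newer one" rule should be written down next to it. A `coder` entry in already-persisted peer state is now neither read here nor rewritten in SOSPeerCopyState; if the persisted dictionary is rebuilt on each save it simply disappears, otherwise the old encoded coder lingers on disk, which is worth confirming since the removed key comment described it as a DER-encoded SOSCoder.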
@@ -684,8 +604,7 @@ CFDictionaryRef SOSPeerCopyState(SOSPeerRef peer, CFErrorRef *error) { if (keybag && !CFEqual(peer->peer_id, kSOSViewKeychainV0_tomb)) SOSPeerPersistOptionalValue(state, kSOSPeerKeyBagKey, keybag); - if (!SOSPeerPersistOptionalCoder(peer, state, kSOSPeerCoderKey, error) - || !SOSPeerPersistOptionalManifest(state, kSOSPeerPendingObjectsKey, peer->pendingObjects, error) + if (!SOSPeerPersistOptionalManifest(state, kSOSPeerPendingObjectsKey, peer->pendingObjects, error) || !SOSPeerPersistOptionalManifest(state, kSOSPeerUnwantedManifestKey, peer->unwantedManifest, error) || !SOSPeerPersistOptionalManifest(state, kSOSPeerConfirmedManifestKey, peer->confirmedManifest, error) || !SSOSPeerPersistManifestArray(state, kSOSPeerProposedManifestKey, peer->proposedManifests, error) @@ -703,7 +622,6 @@ static void SOSPeerDestroy(CFTypeRef cf) { SOSPeerRef peer = (SOSPeerRef)cf; CFReleaseNull(peer->peer_id); CFReleaseNull(peer->views); - SOSPeerSetCoderData(peer, NULL); CFReleaseNull(peer->pendingObjects); CFReleaseNull(peer->unwantedManifest); CFReleaseNull(peer->confirmedManifest); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.h index f5276225..61b2f68f 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.h @@ -84,10 +84,6 @@ CFIndex SOSPeerGetVersion(SOSPeerRef peer); CFStringRef SOSPeerGetID(SOSPeerRef peer); bool SOSPeersEqual(SOSPeerRef peerA, SOSPeerRef peerB); -// Coders -SOSCoderRef SOSPeerGetCoder(SOSPeerRef peer, CFErrorRef *error); -bool SOSPeerEnsureCoder(SOSPeerRef peer, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, CFErrorRef *error); - uint64_t SOSPeerNextSequenceNumber(SOSPeerRef peer); uint64_t SOSPeerGetMessageVersion(SOSPeerRef peer); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c index 36e2c153..ef4f0640 100644 
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c
@@ -1,3 +1,26 @@
+/*
+ * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
 #include <Security/SecureObjectSync/SOSPeer.h>
 #include <Security/SecureObjectSync/SOSPeerCoder.h>
 #include <Security/SecureObjectSync/SOSTransportMessage.h>
@@ -11,27 +34,17 @@ #include <AssertMacros.h> #include "SOSInternal.h" -// TODO: This could possibly move to SOSEngine? -bool SOSPeerCoderInitializeForPeer(SOSEngineRef engine, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, CFErrorRef *error) { - __block bool ok = true; - ok &= SOSEngineForPeerID(engine, SOSPeerInfoGetPeerID(peerInfo), error, ^(SOSPeerRef peer) { - ok = SOSPeerEnsureCoder(peer, myPeerInfo, peerInfo, error); - }); - return ok; -} - void SOSPeerCoderConsume(SOSEnginePeerMessageSentBlock *sent, bool ok) { if (*sent) (*sent)(ok); } -enum SOSCoderUnwrapStatus SOSPeerHandleCoderMessage(SOSPeerRef peer, CFStringRef peer_id, CFDataRef codedMessage, CFDataRef *decodedMessage, bool *forceSave, CFErrorRef *error) { +enum SOSCoderUnwrapStatus SOSPeerHandleCoderMessage(SOSPeerRef peer, SOSCoderRef coder, CFStringRef peer_id, CFDataRef codedMessage, CFDataRef *decodedMessage, bool *forceSave, CFErrorRef *error) { enum SOSCoderUnwrapStatus result = SOSCoderUnwrapError; CFMutableDataRef localDecodedMessage = NULL; SOSCoderStatus coderStatus = kSOSCoderDataReturned; - SOSCoderRef coder = SOSPeerGetCoder(peer, error); require_action_quiet(coder, xit, secerror("%@ getCoder: %@", peer_id, error ? *error : NULL)); CFErrorRef localError = NULL; if (coder) { @@ -64,6 +77,10 @@ enum SOSCoderUnwrapStatus SOSPeerHandleCoderMessage(SOSPeerRef peer, CFStringRef secinfo("engine", "%@ engine stale event ignored", peer_id); result = SOSCoderUnwrapHandled; break; + case kSOSCoderForceMessage: + SOSPeerSetMustSendMessage(peer, true); + result = SOSCoderUnwrapHandled; + break; case kSOSCoderTooNew: // We received an event from the future! secnotice("engine", "%@ engine received a message too soon, time to restart", peer_id); SOSCoderReset(coder); 
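Review bot: With `coder` now a parameter, the `require_action_quiet(coder, xit, secerror("%@ getCoder: %@", peer_id, error ? *error : NULL))` guard in SOSPeerHandleCoderMessage logs a stale message and returns SOSCoderUnwrapError without populating `error`, whereas before SOSPeerGetCoder set one; callers that propagate `*error` now pass on whatever happened to be there. Either set one, e.g. `require_action_quiet(coder, xit, SOSErrorCreate(kSOSErrorPeerNotFound, error, NULL, CFSTR("No coder for peer: %@"), peer_id));`, or document on the function that a NULL coder is a caller bug. The `if (coder) {` immediately after the guard is now plainly redundant. The new kSOSCoderForceMessage case sets the peer's must-send flag but leaves `forceSave` alone; if a forced message should also force the peer state to be persisted that looks like an omission, but the rest of this function's `forceSave` handling is outside the hunk.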
@@ -85,15 +102,14 @@ xit: return result; } -bool SOSPeerCoderSendMessageIfNeeded(SOSEngineRef engine, SOSPeerRef peer, CFDataRef *message_to_send, CFStringRef circle_id, CFStringRef peer_id, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error) { - SOSCoderRef coder = SOSPeerGetCoder(peer, error); +bool SOSPeerCoderSendMessageIfNeeded(SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder, CFDataRef *message_to_send, CFStringRef circle_id, CFStringRef peer_id, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error) { bool ok = false; require_action_quiet(coder, xit, secerror("%@ getCoder: %@", peer_id, error ? *error : NULL)); if (SOSCoderCanWrap(coder)) { secinfo("transport", "%@ Coder can wrap, getting message from engine", peer_id); CFMutableDataRef codedMessage = NULL; - CFDataRef message = SOSEngineCreateMessage_locked(engine, peer, error, sent); + CFDataRef message = SOSEngineCreateMessage_locked(engine, txn, peer, error, sent); if (!message) { secnotice("transport", "%@ SOSEngineCreateMessageToSyncToPeer failed: %@", peer_id, *error); } else if (CFDataGetLength(message) || SOSPeerMustSendMessage(peer)) { diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h index 8251d7cb..88b3bb23 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h 
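Review bot: The context line `secnotice("transport", "%@ SOSEngineCreateMessageToSyncToPeer failed: %@", peer_id, *error);` dereferences `error` unconditionally, while the guard two lines above it is careful to write `error ? *error : NULL`; a caller passing NULL for `error` that hits the SOSEngineCreateMessage_locked failure path crashes. Change it to `peer_id, error ? *error : NULL);`. The `"%@ getCoder: %@"` message on the require line is stale here for the same reason as in SOSPeerHandleCoderMessage — the coder is now a parameter — and the function's body continues past the hunk.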
@@ -1,3 +1,26 @@
+/*
+ * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
 #ifndef SOSPeerCoder_h
 #define SOSPeerCoder_h
@@ -10,11 +33,9 @@ enum SOSCoderUnwrapStatus{ SOSCoderUnwrapHandled = 2 }; -bool SOSPeerCoderSendMessageIfNeeded(SOSEngineRef engine, SOSPeerRef peer, CFDataRef *message_to_send, CFStringRef circle_id, CFStringRef peer_id, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error); - -enum SOSCoderUnwrapStatus SOSPeerHandleCoderMessage(SOSPeerRef peer, CFStringRef peer_id, CFDataRef codedMessage, CFDataRef *decodedMessage, bool *forceSave, CFErrorRef *error); +bool SOSPeerCoderSendMessageIfNeeded(SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder, CFDataRef *message_to_send, CFStringRef circle_id, CFStringRef peer_id, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error); -bool SOSPeerCoderInitializeForPeer(SOSEngineRef engine, SOSFullPeerInfoRef myPeerInfo, SOSPeerInfoRef peerInfo, CFErrorRef *error); +enum SOSCoderUnwrapStatus SOSPeerHandleCoderMessage(SOSPeerRef peer, SOSCoderRef coder, CFStringRef peer_id, CFDataRef codedMessage, CFDataRef *decodedMessage, bool *forceSave, CFErrorRef *error); bool SOSPeerSendMessageIfNeeded(SOSPeerRef peer, CFDataRef *message, CFDataRef *message_to_send, SOSCoderRef *coder, CFStringRef circle_id, CFStringRef peer_id, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.c index 181e3273..bf7f74cc 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.c @@ -92,6 +92,7 @@ CFStringRef kSOSPeerInfoNameKey = CFSTR("SOSPeerInfoName"); //Peer Info V2 Dictionary IDS keys CFStringRef sPreferIDS = CFSTR("PreferIDS"); +CFStringRef sPreferIDSFragmentation = CFSTR("PreferIDFragmentation"); CFStringRef sTransportType = CFSTR("TransportType"); CFStringRef sDeviceID = CFSTR("DeviceID"); 
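Review bot: The new dictionary key is spelled `CFSTR("PreferIDFragmentation")` while the variable name, the sibling key `sPreferIDS` and every API name around it say "IDS"; this string goes into the signed V2 peer-info dictionary and is compared by every peer, so if it is a typo it needs fixing before it ships, and if it is deliberate a comment on the line should say so, because a later "correction" would make old and new peers disagree on the preference. Separately, the SOSPeerCoder.h prototypes in this hunk would benefit from a one-line comment stating that `coder` is borrowed rather than retained and that a NULL coder yields an error return, which is what the .c side's `require_action_quiet(coder, xit, ...)` guards do.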
@@ -101,13 +102,19 @@ SOSPeerInfoRef SOSPeerInfoAllocate(CFAllocatorRef allocator) { return CFTypeAllocate(SOSPeerInfo, struct __OpaqueSOSPeerInfo, allocator); } -SecKeyRef SOSPeerInfoCopyPubKey(SOSPeerInfoRef peer) { - CFDataRef pubKeyBytes = CFDictionaryGetValue(peer->description, sPublicKeyKey); - if (pubKeyBytes == NULL) - return NULL; +SecKeyRef SOSPeerInfoCopyPubKey(SOSPeerInfoRef peer, CFErrorRef* error) { + SecKeyRef result = NULL; + + CFDataRef pubKeyBytes = asData(CFDictionaryGetValue(peer->description, sPublicKeyKey), error); + require_quiet(pubKeyBytes, fail); + CFAllocatorRef allocator = CFGetAllocator(peer); - SecKeyRef pubKey = SecKeyCreateFromPublicData(allocator, kSecECDSAAlgorithmID, pubKeyBytes); - return pubKey; + result = SecKeyCreateFromPublicData(allocator, kSecECDSAAlgorithmID, pubKeyBytes); + + require_quiet(SecAllocationError(result, error, CFSTR("Failed to create public key from data %@"), pubKeyBytes), fail); + +fail: + return result; } CFDataRef SOSPeerInfoGetAutoAcceptInfo(SOSPeerInfoRef peer) { @@ -175,10 +182,8 @@ bool SOSPeerInfoVerify(SOSPeerInfoRef peer, CFErrorRef *error) { const struct ccdigest_info *di = ccsha256_di(); uint8_t hbuf[di->output_size]; - SecKeyRef pubKey = SOSPeerInfoCopyPubKey(peer); - require_action_quiet(pubKey, error_out, - SOSErrorCreate(kSOSErrorNoKey, error, NULL, - CFSTR("Couldn't find pub key for %@"), peer)); + SecKeyRef pubKey = SOSPeerInfoCopyPubKey(peer, error); + require_quiet(pubKey, error_out); require_quiet(SOSDescriptionHash(peer, di, hbuf, error), error_out); 
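Review bot: SOSPeerInfoCopyPubKey's new error contract is implicit: when it returns NULL the caller depends on either `asData(…, error)` or `SecAllocationError(…)` having populated `error`, and SOSPeerInfoVerify in the second hunk dropped its own kSOSErrorNoKey in favour of that. That holds only if asData sets an error for a missing or non-CFData value — its definition is not visible here, so please confirm. A short comment on the function, e.g. `// Returns a +1 SecKeyRef, or NULL with *error set when the description has no usable public key data.`, would make the dependency explicit for the other callers changed in this commit (SOSPeerInfoCopyWithPing).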
@@ -202,7 +207,7 @@ void SOSPeerInfoSetVersionNumber(SOSPeerInfoRef pi, int version) { static SOSPeerInfoRef SOSPeerInfoCreate_Internal(CFAllocatorRef allocator, CFDictionaryRef gestalt, CFDataRef backup_key, CFStringRef IDSID, CFStringRef transportType, CFBooleanRef preferIDS, - CFSetRef enabledViews, + CFBooleanRef preferFragmentation, CFSetRef enabledViews, SecKeyRef signingKey, CFErrorRef* error, void (^ description_modifier)(CFMutableDictionaryRef description)) { SOSPeerInfoRef pi = CFTypeAllocate(SOSPeerInfo, struct __OpaqueSOSPeerInfo, allocator); @@ -238,6 +243,7 @@ static SOSPeerInfoRef SOSPeerInfoCreate_Internal(CFAllocatorRef allocator, sGestaltKey, pi->gestalt, NULL); + description_modifier(pi->description); @@ -254,10 +260,11 @@ static SOSPeerInfoRef SOSPeerInfoCreate_Internal(CFAllocatorRef allocator, } // V2DictionarySetValue handles NULL as remove - SOSPeerInfoV2DictionarySetValue(pi, sBackupKeyKey, backup_key); + if (backup_key != NULL) SOSPeerInfoV2DictionarySetValue(pi, sBackupKeyKey, backup_key); SOSPeerInfoV2DictionarySetValue(pi, sDeviceID, IDSID); SOSPeerInfoV2DictionarySetValue(pi, sTransportType, transportType); SOSPeerInfoV2DictionarySetValue(pi, sPreferIDS, preferIDS); + SOSPeerInfoV2DictionarySetValue(pi, sPreferIDSFragmentation, preferFragmentation); SOSPeerInfoV2DictionarySetValue(pi, sViewsKey, enabledViews); 
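Review bot: The comment `// V2DictionarySetValue handles NULL as remove` now sits directly above `if (backup_key != NULL) SOSPeerInfoV2DictionarySetValue(pi, sBackupKeyKey, backup_key);`, which guards exactly the case the comment says is handled, so either the guard is unnecessary or the comment is now wrong; the lines below it still pass possibly-NULL `IDSID`, `transportType`, `preferIDS` and the new `preferFragmentation` unguarded, so the backup key is the odd one out and deserves a reason on the line. The hunk also adds a call to `description_modifier(pi->description);` right after the gestalt is stored; if the original call site later in SOSPeerInfoCreate_Internal (outside this hunk) was not removed, the block now runs twice, which is worth a look.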
@@ -275,20 +282,20 @@ exit: } SOSPeerInfoRef SOSPeerInfoCreate(CFAllocatorRef allocator, CFDictionaryRef gestalt, CFDataRef backup_key, SecKeyRef signingKey, CFErrorRef* error) { - return SOSPeerInfoCreate_Internal(allocator, gestalt, backup_key, NULL, NULL, NULL, NULL, signingKey, error, ^(CFMutableDictionaryRef description) {}); + return SOSPeerInfoCreate_Internal(allocator, gestalt, backup_key, NULL, NULL, NULL, NULL, NULL, signingKey, error, ^(CFMutableDictionaryRef description) {}); } SOSPeerInfoRef SOSPeerInfoCreateWithTransportAndViews(CFAllocatorRef allocator, CFDictionaryRef gestalt, CFDataRef backup_key, CFStringRef IDSID, CFStringRef transportType, CFBooleanRef preferIDS, - CFSetRef enabledViews, + CFBooleanRef preferFragmentation, CFSetRef enabledViews, SecKeyRef signingKey, CFErrorRef* error) { - return SOSPeerInfoCreate_Internal(allocator, gestalt, backup_key, IDSID, transportType, preferIDS, enabledViews, signingKey, error, ^(CFMutableDictionaryRef description) {}); + return SOSPeerInfoCreate_Internal(allocator, gestalt, backup_key, IDSID, transportType, preferIDS, preferFragmentation, enabledViews, signingKey, error, ^(CFMutableDictionaryRef description) {}); } SOSPeerInfoRef SOSPeerInfoCreateCloudIdentity(CFAllocatorRef allocator, CFDictionaryRef gestalt, SecKeyRef signingKey, CFErrorRef* error) { - return SOSPeerInfoCreate_Internal(allocator, gestalt, NULL, NULL, NULL, NULL, NULL, signingKey, error, ^(CFMutableDictionaryRef description) { + return SOSPeerInfoCreate_Internal(allocator, gestalt, NULL, NULL, NULL, NULL, NULL, NULL, signingKey, error, ^(CFMutableDictionaryRef description) { CFDictionarySetValue(description, sCloudIdentityKey, kCFBooleanTrue); }); 
@@ -321,7 +328,7 @@ bool SOSPeerInfoVersionHasV2Data(SOSPeerInfoRef pi) { } SOSPeerInfoRef SOSPeerInfoCreateCurrentCopy(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, - CFStringRef IDSID, CFStringRef transportType, CFBooleanRef preferIDS, CFSetRef enabledViews, + CFStringRef IDSID, CFStringRef transportType, CFBooleanRef preferIDS, CFBooleanRef preferFragmentation,CFSetRef enabledViews, SecKeyRef signingKey, CFErrorRef* error) { SOSPeerInfoRef pi = SOSPeerInfoCreateCopy(allocator, toCopy, error); @@ -338,6 +345,9 @@ SOSPeerInfoRef SOSPeerInfoCreateCurrentCopy(CFAllocatorRef allocator, SOSPeerInf if (preferIDS) { SOSPeerInfoV2DictionarySetValue(pi, sPreferIDS, preferIDS); } + if (sPreferIDSFragmentation) { + SOSPeerInfoV2DictionarySetValue(pi, sPreferIDSFragmentation, preferFragmentation); + } if (enabledViews) { SOSPeerInfoV2DictionarySetValue(pi, sViewsKey, enabledViews); } @@ -474,7 +484,8 @@ SOSPeerInfoRef SOSPeerInfoCopyWithPing(CFAllocatorRef allocator, SOSPeerInfoRef SOSPeerInfoRef pi = SOSPeerInfoCreateCopy(allocator, toCopy, error); CFDataRef ping = CFDataCreateWithRandomBytes(8); SOSPeerInfoV2DictionarySetValue(pi, sPingKey, ping); - SecKeyRef pub_key = SOSPeerInfoCopyPubKey(pi); + SecKeyRef pub_key = SOSPeerInfoCopyPubKey(pi, error); + require_quiet(pub_key, exit); pi->id = SOSCopyIDOfKey(pub_key, error); require_quiet(pi->id, exit); require_action_quiet(SOSPeerInfoSign(signingKey, pi, error), exit, CFReleaseNull(pi)); @@ -524,8 +535,8 @@ static void SOSPeerInfoDestroy(CFTypeRef aObj) { CFReleaseNull(pi->signature); CFReleaseNull(pi->gestalt); CFReleaseNull(pi->id); - CFReleaseNull(pi->v2Dictionary); - CFReleaseNull(pi->secproperties); + if(pi->v2Dictionary) CFReleaseNull(pi->v2Dictionary); + if(pi->secproperties) CFReleaseNull(pi->secproperties); } static Boolean SOSPeerInfoCompare(CFTypeRef lhs, CFTypeRef rhs) { 
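Review bot: In SOSPeerInfoCreateCurrentCopy the new guard tests the key constant, `if (sPreferIDSFragmentation) {`, which is always non-NULL, instead of the argument; the sibling `if (preferIDS)` shows the intent, so it should read `if (preferFragmentation) {`. As written, every current-copy made with a NULL `preferFragmentation` (SOSPeerInfoCreate and the other callers that pass NULL in this commit) writes NULL into the V2 dictionary, which per the comment in SOSPeerInfoCreate_Internal removes the existing value, silently clearing a peer's fragmentation preference on each copy. In SOSPeerInfoDestroy, `if(pi->v2Dictionary) CFReleaseNull(pi->v2Dictionary);` adds a guard that the unguarded releases just above it do without; unless CFReleaseNull has stopped tolerating NULL, the two guards are noise.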
@@ -617,6 +628,45 @@ static CFStringRef SOSPeerInfoCopyFormatDescription(CFTypeRef aObj, CFDictionary return description; } +static char boolToChars(bool val, char truechar, char falsechar) { + return val? truechar: falsechar; +} + +static CFStringRef isKnown(CFStringRef ref) { + return ref? ref: CFSTR("Unknown "); +} + +void SOSPeerInfoLogState(char *category, SOSPeerInfoRef pi, SecKeyRef pubKey, CFStringRef myPID, char sigchr) { + if(!pi) return; + bool appValid = SOSPeerInfoApplicationVerify(pi, pubKey, NULL); + bool retired = SOSPeerInfoIsRetirementTicket(pi); + bool selfValid = SOSPeerInfoVerify(pi, NULL); + bool backingUp = SOSPeerInfoHasBackupKey(pi); + bool isMe = CFEqualSafe(SOSPeerInfoGetPeerID(pi), myPID) == true; + bool isKVS = SOSPeerInfoKVSOnly(pi); + CFStringRef osVersion = CFDictionaryGetValue(pi->gestalt, kPIOSVersionKey); + CFStringRef tmp = SOSPeerInfoV2DictionaryCopyString(pi, sDeviceID); + CFStringRef deviceID = CFStringCreateTruncatedCopy(tmp, 8); + CFReleaseNull(tmp); + CFStringRef serialNum = SOSPeerInfoCopySerialNumber(pi); + CFStringRef peerID = CFStringCreateTruncatedCopy(SOSPeerInfoGetPeerID(pi), 8); + + secnotice(category, "PI: [name: %-20@] [%c%c%c%c%c%c%c] [type: %-20@] [spid: %8@] [os: %10@] [devid: %10@] [serial: %12@]", isKnown(SOSPeerInfoGetPeerName(pi)), + boolToChars(isMe, 'M', 'm'), + boolToChars(appValid, 'A', 'a'), + boolToChars(selfValid, 'S', 's'), + boolToChars(retired, 'R', 'r'), + boolToChars(backingUp, 'B', 'b'), + boolToChars(isKVS, 'K', 'I'), + sigchr, + isKnown(SOSPeerInfoGetPeerDeviceType(pi)), isKnown(peerID), + isKnown(osVersion), isKnown(deviceID), isKnown(serialNum)); + + CFReleaseNull(peerID); + CFReleaseNull(deviceID); + CFReleaseNull(serialNum); +} + CFDictionaryRef SOSPeerInfoCopyPeerGestalt(SOSPeerInfoRef pi) { CFRetain(pi->gestalt); return pi->gestalt; 
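Review bot: SOSPeerInfoLogState takes `char *category` but only forwards it to secnotice, so it should be `const char *category`, since callers will pass string literals. `CFStringCreateTruncatedCopy(tmp, 8)` is called on `tmp` even when `SOSPeerInfoV2DictionaryCopyString(pi, sDeviceID)` returned NULL (the `isKnown(deviceID)` below shows NULL is expected), so it must accept NULL — confirm, or guard the call. `CFEqualSafe(...) == true` is just `CFEqualSafe(...)`. Finally, the line prints the peer's serial number and truncated IDS device ID into the log stream; whether device identifiers are acceptable at notice level under the project's log-privacy policy is not something this hunk answers, and a comment on the function stating what it is allowed to emit would help reviewers of future callers.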
@@ -708,7 +758,7 @@ static CFDateRef sosCreateCFDate(CFDataRef sosdate) { } static bool sospeer_application_hash(SOSPeerInfoRef pi, const struct ccdigest_info *di, uint8_t *hbuf) { - CFDataRef appdate = CFDictionaryGetValue(pi->description, sApplicationDate); + CFDataRef appdate = asData(CFDictionaryGetValue(pi->description, sApplicationDate), NULL); if(!appdate) return false; ccdigest_di_decl(di, ctx); ccdigest_init(di, ctx); @@ -836,7 +886,7 @@ CFStringRef SOSPeerInfoInspectRetirementTicket(SOSPeerInfoRef pi, CFErrorRef *er require_quiet(SOSPeerInfoVerify(pi, error), err); - retirement = sosCreateCFDate(CFDictionaryGetValue(pi->description, sRetirementDate)); + retirement = asDate(sosCreateCFDate(CFDictionaryGetValue(pi->description, sRetirementDate)), error); require_action_quiet(retirement, err, SOSCreateError(kSOSErrorUnexpectedType, CFSTR("Peer is not retired"), NULL, error)); @@ -895,6 +945,20 @@ SOSPeerInfoRef SOSPeerInfoSetIDSPreference(CFAllocatorRef allocator, SOSPeerInfo }); } +CFBooleanRef SOSPeerInfoCopyIDSFragmentationPreference(SOSPeerInfoRef peer){ + CFBooleanRef preference = (CFBooleanRef)SOSPeerInfoV2DictionaryCopyBoolean(peer, sPreferIDSFragmentation); + return (preference ? preference : CFRetain(kCFBooleanFalse)); +} + +SOSPeerInfoRef SOSPeerInfoSetIDSFragmentationPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error){ + return SOSPeerInfoCopyWithModification(allocator, toCopy, signingKey, error, + ^bool(SOSPeerInfoRef peerToModify, CFErrorRef *error) { + SOSPeerInfoV2DictionarySetValue(peerToModify, sPreferIDSFragmentation, preference); + return true; + }); +} + + CFStringRef SOSPeerInfoCopyTransportType(SOSPeerInfoRef peer){ CFStringRef transportType = (CFStringRef)SOSPeerInfoV2DictionaryCopyString(peer, sTransportType); return (transportType ? transportType : CFRetain(SOSTransportMessageTypeKVS)); 
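Review bot: The two new `asData` calls type-check values pulled out of `pi->description`, but the retirement path in the second hunk still passes `CFDictionaryGetValue(pi->description, sRetirementDate)` straight into sosCreateCFDate as a CFDataRef, and the `asDate(...)` wrapper added around it checks the return value of a function whose declared return type is already CFDateRef, so it cannot catch a wrong-typed dictionary entry. The check belongs on the input: `retirement = sosCreateCFDate(asData(CFDictionaryGetValue(pi->description, sRetirementDate), error));`, assuming sosCreateCFDate already tolerates a NULL argument, which the existing missing-key case requires of it. The description dictionary is presumably deserialised from data received from other peers (SOSPeerInfoVerify checks a signature over it), so a wrong-typed entry there is exactly the case these helpers were introduced for. In the new SOSPeerInfoSetIDSFragmentationPreference the block parameter `CFErrorRef *error` shadows the function's `error`; it mirrors the existing SOSPeerInfoSetIDSPreference, so at most a style nit.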
@@ -909,6 +973,13 @@ SOSPeerInfoRef SOSPeerInfoSetTransportType(CFAllocatorRef allocator, SOSPeerInfo }); } +bool SOSPeerInfoKVSOnly(SOSPeerInfoRef pi) { + CFStringRef transportType = SOSPeerInfoCopyTransportType(pi); + bool retval = CFEqualSafe(transportType, SOSTransportMessageTypeKVS); + CFReleaseNull(transportType); + return retval; +} + bool SOSPeerInfoHasDeviceID(SOSPeerInfoRef peer) { return SOSPeerInfoV2DictionaryHasString(peer, sDeviceID); } 
@@ -925,41 +996,38 @@ SOSPeerInfoRef SOSPeerInfoSetDeviceID(CFAllocatorRef allocator, SOSPeerInfoRef t return true; }); } - bool SOSPeerInfoShouldUseIDSTransport(SOSPeerInfoRef myPeer, SOSPeerInfoRef theirPeer){ - CFBooleanRef myPreference = SOSPeerInfoCopyIDSPreference(myPeer); CFStringRef myTransportType = SOSPeerInfoCopyTransportType(myPeer); - - CFBooleanRef theirPreference = SOSPeerInfoCopyIDSPreference(theirPeer); CFStringRef theirTransportType = SOSPeerInfoCopyTransportType(theirPeer); - - bool success = false; - //If I'm a galarch KVS + peer is KVS and ids only is true for both == KVS - if((CFStringCompare(myTransportType, SOSTransportMessageTypeKVS, 0) == 0 && CFStringCompare(theirTransportType, SOSTransportMessageTypeKVS, 0) == 0)&& (myPreference == kCFBooleanTrue && theirPreference == kCFBooleanTrue)) - success = false; - - //If transport is IDS Galarch +1 (Pref is true) and peer is KVS (ids is true) == IDS - else if ((CFStringCompare(myTransportType, SOSTransportMessageTypeIDS, 0) == 0 && CFStringCompare(theirTransportType, SOSTransportMessageTypeKVS, 0) == 0) && (myPreference == kCFBooleanTrue && theirPreference == kCFBooleanTrue)) - success = true; - else if ((CFStringCompare(theirTransportType, SOSTransportMessageTypeIDS, 0) == 0 && CFStringCompare(myTransportType, SOSTransportMessageTypeKVS, 0) == 0) && (theirPreference == kCFBooleanTrue && myPreference == kCFBooleanTrue)) - success = true; + bool success = false; - //If transport is IDS Galarch +1 and peer is IDS Galarch +1 (prefer IDS is true) == IDS - else if ((CFStringCompare(myTransportType, SOSTransportMessageTypeIDS, 0) == 0 && CFStringCompare(theirTransportType, SOSTransportMessageTypeIDS, 0) == 0)) + //sync only if we are the new IDS fragmented system + if((CFStringCompare(myTransportType, SOSTransportMessageTypeIDSV2, 0) == 0 && CFStringCompare(theirTransportType, SOSTransportMessageTypeIDSV2, 0) == 0)) success = true; - - //If KVS and KVS prefer IDS is false (set to false or doesn't 
exist) == KVS - else if ((CFStringCompare(myTransportType, SOSTransportMessageTypeKVS, 0) == 0 && CFStringCompare(theirTransportType, SOSTransportMessageTypeKVS, 0) == 0) && (myPreference == kCFBooleanFalse && theirPreference == kCFBooleanFalse)) - success = false; - else success = false; - - CFReleaseSafe(myPreference); + CFReleaseSafe(myTransportType); - CFReleaseSafe(theirPreference); CFReleaseSafe(theirTransportType); + + return success; + +} + +bool SOSPeerInfoShouldUseIDSMessageFragmentation(SOSPeerInfoRef myPeer, SOSPeerInfoRef theirPeer){ + + bool success = false; + + CFBooleanRef myPreference = SOSPeerInfoCopyIDSFragmentationPreference(myPeer); + + CFBooleanRef theirPreference = SOSPeerInfoCopyIDSFragmentationPreference(theirPeer); + secerror("mypreference: %@, theirpreference: %@", myPreference, theirPreference); + if((myPreference == kCFBooleanTrue && theirPreference == kCFBooleanTrue)) + success = true; + + CFReleaseNull(myPreference); + CFReleaseNull(theirPreference); return success; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h index 1414f022..f84daaa1 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h 
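Review bot: `secerror("mypreference: %@, theirpreference: %@", myPreference, theirPreference);` in SOSPeerInfoShouldUseIDSMessageFragmentation logs a routine decision at error level on every call; it reads as leftover debugging and should be `secinfo` or removed, otherwise it will drown real errors from this subsystem. SOSPeerInfoShouldUseIDSTransport now ignores both peers' IDS preference and decides purely on both transport types being SOSTransportMessageTypeIDSV2, which is a behaviour change from the removed decision table; a one-line comment on the function such as `// IDS is used only when both peers advertise the IDSV2 transport; the older preferIDS flag no longer takes part in the decision.` would save the next reader from reconstructing that from history. The `if((... && ...))` double parentheses in both functions are a style nit.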
@@ -65,14 +65,14 @@ SOSPeerInfoRef SOSPeerInfoCreate(CFAllocatorRef allocator, CFDictionaryRef gesta SOSPeerInfoRef SOSPeerInfoCreateWithTransportAndViews(CFAllocatorRef allocator, CFDictionaryRef gestalt, CFDataRef backup_key, CFStringRef IDSID, CFStringRef transportType, CFBooleanRef preferIDS, - CFSetRef enabledViews, + CFBooleanRef preferFragmentation, CFSetRef enabledViews, SecKeyRef signingKey, CFErrorRef* error); SOSPeerInfoRef SOSPeerInfoCreateCloudIdentity(CFAllocatorRef allocator, CFDictionaryRef gestalt, SecKeyRef signingKey, CFErrorRef* error); SOSPeerInfoRef SOSPeerInfoCreateCopy(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFErrorRef* error); SOSPeerInfoRef SOSPeerInfoCreateCurrentCopy(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, - CFStringRef IDSID, CFStringRef transportType, CFBooleanRef preferIDS, CFSetRef enabledViews, + CFStringRef IDSID, CFStringRef transportType, CFBooleanRef preferIDS, CFBooleanRef preferFragmentation, CFSetRef enabledViews, SecKeyRef signingKey, CFErrorRef* error); bool SOSPeerInfoVersionIsCurrent(SOSPeerInfoRef pi); bool SOSPeerInfoVersionHasV2Data(SOSPeerInfoRef pi); @@ -172,7 +172,7 @@ CFStringRef SOSPeerGestaltGetName(CFDictionaryRef gestalt); // These are Mobile Gestalt questions. Not all Gestalt questions are carried. CFTypeRef SOSPeerGestaltGetAnswer(CFDictionaryRef gestalt, CFStringRef question); -SecKeyRef SOSPeerInfoCopyPubKey(SOSPeerInfoRef peer); +SecKeyRef SOSPeerInfoCopyPubKey(SOSPeerInfoRef peer, CFErrorRef *error); CFDataRef SOSPeerInfoGetAutoAcceptInfo(SOSPeerInfoRef peer); 
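Review bot: The new `CFErrorRef *error` parameter on SOSPeerInfoCopyPubKey is undocumented, yet every caller touched by this patch now treats a NULL return as a hard failure (`require_quiet(pubKey, ...)`), so the header should state that contract rather than leave it to be inferred from the name. I would add above the prototype: `// Returns a retained copy of the peer's signing public key, or NULL (with *error set when error is non-NULL) if the key cannot be produced; caller releases.` Whether the NULL case is specifically a decode failure should be confirmed against the implementation, which is not in this hunk.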
@@ -205,8 +205,12 @@ SOSSecurityPropertyResultCode SOSPeerInfoSecurityPropertyStatus(SOSPeerInfoRef p CFBooleanRef SOSPeerInfoCopyIDSPreference(SOSPeerInfoRef peer); SOSPeerInfoRef SOSPeerInfoSetIDSPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error); +CFBooleanRef SOSPeerInfoCopyIDSFragmentationPreference(SOSPeerInfoRef peer); +SOSPeerInfoRef SOSPeerInfoSetIDSFragmentationPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error); + CFStringRef SOSPeerInfoCopyTransportType(SOSPeerInfoRef peer); SOSPeerInfoRef SOSPeerInfoSetTransportType(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFStringRef transportType, SecKeyRef signingKey, CFErrorRef *error); +bool SOSPeerInfoKVSOnly(SOSPeerInfoRef pi); // IDSs device ID bool SOSPeerInfoHasDeviceID(SOSPeerInfoRef peer); @@ -214,6 +218,9 @@ CFStringRef SOSPeerInfoCopyDeviceID(SOSPeerInfoRef peer); SOSPeerInfoRef SOSPeerInfoSetDeviceID(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFStringRef IDS, SecKeyRef signingKey, CFErrorRef *error); bool SOSPeerInfoShouldUseIDSTransport(SOSPeerInfoRef myPeer, SOSPeerInfoRef theirPeer); +bool SOSPeerInfoShouldUseIDSMessageFragmentation(SOSPeerInfoRef myPeer, SOSPeerInfoRef theirPeer); + +void SOSPeerInfoLogState(char *category, SOSPeerInfoRef pi, SecKeyRef pubKey, CFStringRef myPID, char sigchr); __END_DECLS diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoCollections.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoCollections.h index 02ca4e6f..676ee8ef 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoCollections.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoCollections.h 
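Review bot: `SOSPeerInfoLogState(char *category, SOSPeerInfoRef pi, SecKeyRef pubKey, CFStringRef myPID, char sigchr);` takes a writable `char *` for what is evidently a log-category tag, which forces callers passing string literals to rely on the implicit discarding of const; declare it `const char *category`. The new `SOSPeerInfoKVSOnly`, `SOSPeerInfoCopyIDSFragmentationPreference` and `SOSPeerInfoSetIDSFragmentationPreference` prototypes carry no comment at all, and since the transport decision matrix was just rewritten, a one-line comment on each saying exactly what it reads from the V2 dictionary would save the next reader a trip into the .c file. The meaning of `sigchr` is not recoverable from the header alone and deserves a word too.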
@@ -31,7 +31,7 @@ // // CFSet of PeerInfos by ID. // -const CFSetCallBacks kSOSPeerSetCallbacks; +extern const CFSetCallBacks kSOSPeerSetCallbacks; CFMutableSetRef CFSetCreateMutableForSOSPeerInfosByID(CFAllocatorRef allocator); CFMutableSetRef CFSetCreateMutableForSOSPeerInfosByIDWithArray(CFAllocatorRef allocator, CFArrayRef peerInfos); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoDER.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoDER.c index e6921ece..dc4df897 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoDER.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoDER.c @@ -43,13 +43,9 @@ uint8_t* SOSPeerInfoEncodeToDER(SOSPeerInfoRef peer, CFErrorRef* error, const ui } CFDataRef SOSPeerInfoCopyEncodedData(SOSPeerInfoRef peer, CFAllocatorRef allocator, CFErrorRef *error) { - size_t size = SOSPeerInfoGetDEREncodedSize(peer, error); - if (size == 0) return NULL; - - uint8_t buffer[size]; - uint8_t* start = SOSPeerInfoEncodeToDER(peer, error, buffer, buffer + sizeof(buffer)); - CFDataRef result = CFDataCreate(kCFAllocatorDefault, start, size); - return result; + return CFDataCreateWithDER(kCFAllocatorDefault, SOSPeerInfoGetDEREncodedSize(peer, error), ^uint8_t*(size_t size, uint8_t *buffer) { + return SOSPeerInfoEncodeToDER(peer, error, buffer, (uint8_t *) buffer + size); + }); } @@ -117,7 +113,7 @@ SOSPeerInfoRef SOSPeerInfoCreateFromDER(CFAllocatorRef allocator, CFErrorRef* er pi->gestalt = gestalt; CFRetain(pi->gestalt); - pubKey = SOSPeerInfoCopyPubKey(pi); + pubKey = SOSPeerInfoCopyPubKey(pi, error); require_quiet(pubKey, fail); pi->id = SOSCopyIDOfKey(pubKey, error); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.c index ab74681c..d48a7b91 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.c 
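Review bot: SOSPeerInfoCopyEncodedData drops the explicit `if (size == 0) return NULL;` that the old VLA version had, so the error case now depends entirely on how CFDataCreateWithDER (not visible in this patch) treats a size of 0 and a NULL return from the encode block. If it allocates an empty CFData or passes a NULL `start` through to CFDataCreate, an encoding failure yields an empty blob instead of NULL with `error` set; either confirm that it returns NULL for size 0, or keep the early return: `size_t size = SOSPeerInfoGetDEREncodedSize(peer, error); if (size == 0) return NULL;` ahead of the call. Getting rid of the unbounded `uint8_t buffer[size]` VLA is otherwise the right move, since a large peer info made the stack allocation arbitrarily big.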
@@ -76,6 +76,13 @@ void SOSPeerInfoSetSerialNumber(SOSPeerInfoRef pi) { CFReleaseNull(serialNumber); } +const CFStringRef SOSSerialUnknown = CFSTR("Unknown"); + +CFStringRef SOSPeerInfoCopySerialNumber(SOSPeerInfoRef pi) { + CFStringRef retval = SOSPeerInfoV2DictionaryCopyString(pi, sSerialNumberKey); + return (retval ? retval : CFRetain(SOSSerialUnknown)); +} + static bool SOSPeerInfoV2SanityCheck(SOSPeerInfoRef pi) { if(!pi) { return false; @@ -88,7 +95,7 @@ static bool SOSPeerInfoV2SanityCheck(SOSPeerInfoRef pi) { static CFDataRef SOSPeerInfoGetV2Data(SOSPeerInfoRef pi) { if(SOSPeerInfoV2SanityCheck(pi) == false) return NULL; - return CFDictionaryGetValue(pi->description, sV2DictionaryKey); + return asData(CFDictionaryGetValue(pi->description, sV2DictionaryKey), NULL); } static CFMutableDictionaryRef SOSCreateDictionaryFromDER(CFDataRef v2Data, CFErrorRef *error) { 
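Review bot: `const CFStringRef SOSSerialUnknown = CFSTR("Unknown");` is a file-scope definition with external linkage, but no `extern` declaration for it appears in the SOSPeerInfoV2.h hunks of this patch, so it leaks a symbol out of the translation unit for no visible consumer. Write `static const CFStringRef SOSSerialUnknown = CFSTR("Unknown");` unless another file is meant to use it, in which case declare it in the header. SOSPeerInfoCopySerialNumber also deserves a comment that both branches hand back a +1 reference (the CFRetain on the constant is what preserves the "Copy" contract): `// Always returns a retained string; "Unknown" when the V2 dictionary has no serial number.`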
@@ -153,25 +160,20 @@ bool SOSPeerInfoUpdateToV2(SOSPeerInfoRef pi, CFErrorRef *error) { if(serialNumber == NULL) { secnotice("signing", "serialNumber was returned NULL\n"); } - CFMutableSetRef views = SOSViewsCreateDefault(false, error); + CFMutableSetRef views = SOSViewCopyViewSet(kViewSetDefault); CFMutableSetRef secproperties = CFSetCreateMutable(NULL, 0, &kCFTypeSetCallBacks); if(serialNumber) CFDictionaryAddValue(v2Dictionary, sSerialNumberKey, serialNumber); CFDictionaryAddValue(v2Dictionary, sViewsKey, views); CFDictionaryAddValue(v2Dictionary, sSecurityPropertiesKey, secproperties); - - if (whichTransportType == kSOSTransportFuture || whichTransportType == kSOSTransportIDS){ - CFDictionaryAddValue(v2Dictionary, sDeviceID, CFSTR("")); - CFDictionaryAddValue(v2Dictionary, sTransportType, SOSTransportMessageTypeIDS); - CFDictionaryAddValue(v2Dictionary, sPreferIDS, kCFBooleanTrue); - } - else{ - CFDictionaryAddValue(v2Dictionary, sDeviceID, CFSTR("")); - CFDictionaryAddValue(v2Dictionary, sTransportType, SOSTransportMessageTypeKVS); - CFDictionaryAddValue(v2Dictionary, sPreferIDS, kCFBooleanTrue); - } + + CFDictionaryAddValue(v2Dictionary, sDeviceID, CFSTR("")); + CFDictionaryAddValue(v2Dictionary, sTransportType, SOSTransportMessageTypeIDSV2); + CFDictionaryAddValue(v2Dictionary, sPreferIDS, kCFBooleanFalse); + CFDictionaryAddValue(v2Dictionary, sPreferIDSFragmentation, kCFBooleanTrue); + require_action_quiet((v2data = SOSCreateDERFromDictionary(v2Dictionary, error)), out, SOSCreateError(kSOSErrorAllocationFailure, CFSTR("No Memory"), NULL, error)); CFDictionaryAddValue(pi->description, sV2DictionaryKey, v2data); - //SOSPeerInfoExpandV2Data(pi, error); + SOSPeerInfoExpandV2Data(pi, error); retval = true; out: CFReleaseNull(views); 
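Review bot: The newly enabled `SOSPeerInfoExpandV2Data(pi, error);` call discards its bool result and the function then sets `retval = true` unconditionally, so a V2 blob that was just written but cannot be re-expanded reports success while `pi->v2Dictionary` is left unset. Use the result: `retval = SOSPeerInfoExpandV2Data(pi, error);`. The `views` set from SOSViewCopyViewSet is also passed to CFDictionaryAddValue with no NULL check, which crashes if the copy fails; a `require_action_quiet(views, out, ...)` would match the allocation-failure handling a few lines further down. SOSPeerInfoUpdateToV2 starts before this hunk, so I cannot see whether `whichTransportType` is still used now that its branch was removed.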
@@ -194,15 +196,18 @@ errOut: bool SOSPeerInfoExpandV2Data(SOSPeerInfoRef pi, CFErrorRef *error) { CFDataRef v2data = NULL; - bool retval = false; + CFMutableDictionaryRef v2Dictionary = NULL; - require_quiet(pi, out); - CFReleaseNull(pi->v2Dictionary); require_action_quiet((v2data = SOSPeerInfoGetV2Data(pi)), out, SOSCreateError(kSOSErrorDecodeFailure, CFSTR("No V2 Data in description"), NULL, error)); - require_action_quiet((pi->v2Dictionary = SOSCreateDictionaryFromDER(v2data, error)), out, SOSCreateError(kSOSErrorDecodeFailure, CFSTR("Can't expand V2 Dictionary"), NULL, error)); - retval = true; + require_action_quiet((v2Dictionary = SOSCreateDictionaryFromDER(v2data, error)), out, SOSCreateError(kSOSErrorDecodeFailure, CFSTR("Can't expand V2 Dictionary"), NULL, error)); + CFReleaseNull(pi->v2Dictionary); + pi->v2Dictionary = v2Dictionary; + return true; + out: - return retval; + CFReleaseNull(v2Dictionary); + return false; + } void SOSPeerInfoV2DictionarySetValue(SOSPeerInfoRef pi, const void *key, const void *value) { diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.h index 3645a23e..69052ab5 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.h @@ -23,6 +23,8 @@ extern CFStringRef sSerialNumberKey; // Device Serial Number extern CFStringRef sSecurityPropertiesKey; // Set of Security Properties extern CFStringRef kSOSHsaCrKeyDictionary; // HSA Challenge-Response area extern CFStringRef sPreferIDS; // Whether or not a peer requires to speak over IDS or KVS +extern CFStringRef sPreferIDSFragmentation; // Whether or not a peer requires to speak over fragmented IDS or not + extern CFStringRef sTransportType; // Dictates the transport type extern CFStringRef sDeviceID; // The IDS device id extern CFStringRef sRingState; // Dictionary of Ring Membership States 
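Review bot: The comment on the new `sPreferIDSFragmentation` key reads "Whether or not a peer requires to speak over fragmented IDS or not", which is doubly negated and describes a preference as a requirement. Given that SOSPeerInfoShouldUseIDSMessageFragmentation (earlier in this patch) only fragments when both peers set the flag true, I would write `extern CFStringRef sPreferIDSFragmentation; // Peer prefers fragmented IDS messages; used only when both peers set it`. The sibling `sPreferIDS` comment has the same "requires" wording and could be aligned in the same edit.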
@@ -53,5 +55,6 @@ void SOSPeerInfoV2DictionaryWithSet(SOSPeerInfoRef pi, const void *key, void(^op bool SOSPeerInfoSerialNumberIsSet(SOSPeerInfoRef pi); void SOSPeerInfoSetSerialNumber(SOSPeerInfoRef pi); +CFStringRef SOSPeerInfoCopySerialNumber(SOSPeerInfoRef pi); #endif /* defined(_sec_SOSPeerInfoV2_) */ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPersist.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPersist.h new file mode 100644 index 00000000..12f36a4a --- /dev/null +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPersist.h 
@@ -0,0 +1,94 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +/* + * SOSPersist.h -- Utility routines for get/set in CFDictionary + */ + +#ifndef _SOSPERSIST_H_ +#define _SOSPERSIST_H_ + +__BEGIN_DECLS + +#include <utilities/SecCFRelease.h> +#include <utilities/SecCFWrappers.h> +#include <CoreFoundation/CoreFoundation.h> + +#include <stdlib.h> + +#include <AssertMacros.h> + + +static inline bool SOSPeerGetPersistedBoolean(CFDictionaryRef persisted, CFStringRef key) { + CFBooleanRef boolean = CFDictionaryGetValue(persisted, key); + return boolean && CFBooleanGetValue(boolean); +} + +static inline CFDataRef SOSPeerGetPersistedData(CFDictionaryRef persisted, CFStringRef key) { + return asData(CFDictionaryGetValue(persisted, key), NULL); +} + +static inline int64_t SOSPeerGetPersistedInt64(CFDictionaryRef persisted, CFStringRef key) { + int64_t integer = 0; + CFNumberRef number = CFDictionaryGetValue(persisted, key); + if (number) { + CFNumberGetValue(number, kCFNumberSInt64Type, &integer); + } + return integer; +} + +static inline bool 
SOSPeerGetOptionalPersistedCFIndex(CFDictionaryRef persisted, CFStringRef key, CFIndex *value) { + bool exists = false; + CFNumberRef number = CFDictionaryGetValue(persisted, key); + if (number) { + exists = true; + CFNumberGetValue(number, kCFNumberCFIndexType, value); + } + return exists; +} + +static inline void SOSPersistBool(CFMutableDictionaryRef persist, CFStringRef key, bool value) { + CFDictionarySetValue(persist, key, value ? kCFBooleanTrue : kCFBooleanFalse); +} + +static inline void SOSPersistInt64(CFMutableDictionaryRef persist, CFStringRef key, int64_t value) { + CFNumberRef number = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &value); + CFDictionarySetValue(persist, key, number); + CFReleaseSafe(number); +} + +static inline void SOSPersistCFIndex(CFMutableDictionaryRef persist, CFStringRef key, CFIndex value) { + CFNumberRef number = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &value); + CFDictionarySetValue(persist, key, number); + CFReleaseSafe(number); +} + +static inline void SOSPersistOptionalValue(CFMutableDictionaryRef persist, CFStringRef key, CFTypeRef value) { + if (value) + CFDictionarySetValue(persist, key, value); +} + +__END_DECLS + +#endif /* !_SOSPERSIST_H_ */ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingBackup.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingBackup.c index dc86979b..75d448f5 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingBackup.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingBackup.c @@ -155,7 +155,7 @@ static SOSConcordanceStatus SOSRingPeerKeyConcordanceTrust_Backup(SOSFullPeerInf return kSOSConcordanceNoUserKey; } - if(SOSRingIsOlderGeneration(knownRing, proposedRing)) { + if(SOSRingIsOlderGeneration(proposedRing, knownRing)) { SOSCreateError(kSOSErrorReplay, CFSTR("Bad generation"), NULL, error); return kSOSConcordanceGenOld; } 
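Review bot: SOSPeerGetPersistedBoolean, SOSPeerGetPersistedInt64 and SOSPeerGetOptionalPersistedCFIndex cast whatever CFDictionaryGetValue returns straight to CFBooleanRef/CFNumberRef and call CFBooleanGetValue/CFNumberGetValue on it, so a persisted dictionary carrying a different type under one of these keys crashes the process, whereas SOSPeerGetPersistedData in the same header goes through asData. The name suggests this state is read back from storage, so every getter should type-check its value, and the CFNumberGetValue result (false on lossy conversion) should not be silently dropped. `__BEGIN_DECLS` is also placed before the `#include` lines; moving it after them is the usual order and avoids relying on an earlier include for the macro. Rewritten getters:
```c
static inline bool SOSPeerGetPersistedBoolean(CFDictionaryRef persisted, CFStringRef key) {
    CFTypeRef value = CFDictionaryGetValue(persisted, key);
    // A non-boolean under this key is treated as "false" rather than crashing in CFBooleanGetValue.
    return value && CFGetTypeID(value) == CFBooleanGetTypeID() && CFBooleanGetValue((CFBooleanRef)value);
}

/* … unchanged: SOSPeerGetPersistedData … */

static inline int64_t SOSPeerGetPersistedInt64(CFDictionaryRef persisted, CFStringRef key) {
    int64_t integer = 0;
    CFTypeRef value = CFDictionaryGetValue(persisted, key);
    if (value && CFGetTypeID(value) == CFNumberGetTypeID()) {
        if (!CFNumberGetValue((CFNumberRef)value, kCFNumberSInt64Type, &integer)) {
            integer = 0; // lossy conversion: report "absent" instead of a truncated value
        }
    }
    return integer;
}

static inline bool SOSPeerGetOptionalPersistedCFIndex(CFDictionaryRef persisted, CFStringRef key, CFIndex *value) {
    CFTypeRef number = CFDictionaryGetValue(persisted, key);
    if (!number || CFGetTypeID(number) != CFNumberGetTypeID()) {
        return false;
    }
    // Only report "present" when a value was actually stored into *value without loss.
    return CFNumberGetValue((CFNumberRef)number, kCFNumberCFIndexType, value);
}
```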
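Review bot: The swapped argument order in `SOSRingIsOlderGeneration(proposedRing, knownRing)` is the replay check for the backup ring, and the same swap is repeated twice in SOSRingConcordanceTrust.c, yet nothing at any of the three call sites says which direction is intended, which is how the original inversion went unnoticed. SOSRingIsOlderGeneration's definition is not in this patch, so I cannot confirm the new order from here; I would add `// Reject a proposed ring whose generation is behind the ring we already trust (replay).` above the call and a test that feeds a stale ring and expects kSOSConcordanceGenOld. The enclosing function starts before this hunk.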
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingConcordanceTrust.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingConcordanceTrust.c index 615f4666..f8df2d60 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingConcordanceTrust.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingConcordanceTrust.c @@ -53,7 +53,8 @@ static inline SOSConcordanceStatus CheckPeerStatus(CFStringRef peerID, SOSPeerIn SecKeyRef pubKey = NULL; require_action_quiet(peer, exit, result = kSOSConcordanceNoPeer); - pubKey = SOSPeerInfoCopyPubKey(peer); + pubKey = SOSPeerInfoCopyPubKey(peer, error); + require_quiet(pubKey, exit); require_action_quiet(SOSRingHasPeerID(ring, peerID), exit, result = kSOSConcordanceNoPeer); require_action_quiet(SOSPeerInfoApplicationVerify(peer, userPub, NULL), exit, result = kSOSConcordanceNoPeer); require_action_quiet(SOSRingVerifySignatureExists(ring, pubKey, error), exit, result = kSOSConcordanceNoPeerSig); @@ -149,7 +150,7 @@ SOSConcordanceStatus SOSRingUserKeyConcordanceTrust(SOSFullPeerInfoRef me, CFSet return GetSignersStatus(peers, proposedRing, proposedRing, userPubkey, NULL, error); } - if(SOSRingIsOlderGeneration(knownRing, proposedRing)) { + if(SOSRingIsOlderGeneration(proposedRing, knownRing)) { SOSCreateError(kSOSErrorReplay, CFSTR("Bad generation"), NULL, error); return kSOSConcordanceGenOld; } @@ -177,7 +178,7 @@ SOSConcordanceStatus SOSRingPeerKeyConcordanceTrust(SOSFullPeerInfoRef me, CFSet return GetSignersStatus(peers, proposedRing, proposedRing, userPubkey, NULL, error); } - if(SOSRingIsOlderGeneration(knownRing, proposedRing)) { + if(SOSRingIsOlderGeneration(proposedRing, knownRing)) { SOSCreateError(kSOSErrorReplay, CFSTR("Bad generation"), NULL, error); return kSOSConcordanceGenOld; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingDER.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingDER.c index 142e1790..a7a4da84 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingDER.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingDER.c 
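Review bot: In CheckPeerStatus the new `require_quiet(pubKey, exit);` jumps to `exit` without assigning `result`, unlike every neighbouring check, which uses require_action_quiet to set an explicit status; whatever `result` was initialised to (its declaration is above the hunk) is what a peer with an unobtainable public key now reports. If that initial value is anything other than a rejecting status, a malformed peer info would be treated as acceptable by the concordance check. Write it as `require_action_quiet(pubKey, exit, result = kSOSConcordanceNoPeer);` so the failure mode is stated regardless of the initial value. The two generation-order swaps in the later hunks on this line are consistent with the SOSRingBackup.c change.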
@@ -63,13 +63,9 @@ uint8_t* SOSRingEncodeToDER(SOSRingRef ring, CFErrorRef* error, const uint8_t* d } CFDataRef SOSRingCopyEncodedData(SOSRingRef ring, CFErrorRef *error) { - size_t size = SOSRingGetDEREncodedSize(ring, error); - if (size == 0) return NULL; - - uint8_t buffer[size]; - uint8_t* start = SOSRingEncodeToDER(ring, error, buffer, buffer + sizeof(buffer)); - CFDataRef result = CFDataCreate(kCFAllocatorDefault, start, size); - return result; + return CFDataCreateWithDER(kCFAllocatorDefault, SOSRingGetDEREncodedSize(ring, error), ^uint8_t*(size_t size, uint8_t *buffer) { + return SOSRingEncodeToDER(ring, error, buffer, (uint8_t *) buffer + size); + }); } SOSRingRef SOSRingCreateFromDER(CFErrorRef* error, const uint8_t** der_p, const uint8_t *der_end) { diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingTypes.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingTypes.c index d5dd445e..6b807ba8 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingTypes.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingTypes.c @@ -255,9 +255,12 @@ errOut: } bool SOSRingPeerTrusted(SOSRingRef ring, SOSFullPeerInfoRef requestor, CFErrorRef *error) { + bool retval = false; SOSPeerInfoRef pi = SOSFullPeerInfoGetPeerInfo(requestor); - SecKeyRef pubkey = SOSPeerInfoCopyPubKey(pi); - bool retval = SOSRingPKTrusted(ring, pubkey, error); + SecKeyRef pubkey = SOSPeerInfoCopyPubKey(pi, error); + require_quiet(pubkey, exit); + retval = SOSRingPKTrusted(ring, pubkey, error); +exit: CFReleaseNull(pubkey); return retval; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.c index d57fc66a..cc36d298 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.c 
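Review bot: SOSRingCopyEncodedData, like its SOSPeerInfo counterpart in this patch, loses the explicit `if (size == 0) return NULL;` guard and now relies on CFDataCreateWithDER to turn a zero size or a NULL result from SOSRingEncodeToDER into a NULL return. Rings are signed data, so an empty CFData silently produced on encode failure would be worse than NULL with `error` set; confirm the helper's zero-size behaviour or keep `size_t size = SOSRingGetDEREncodedSize(ring, error); if (size == 0) return NULL;` in front of the call. In the SOSRingTypes.c hunk below, initialising `retval = false` before the `require_quiet(pubkey, exit)` is the right shape and could be copied into CheckPeerStatus in SOSRingConcordanceTrust.c.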
@@ -116,11 +116,11 @@ SOSRingRef SOSRingConvertAndAssertStable(CFTypeRef ringAsType) { CFStringRef SOSRingGetName(SOSRingRef ring) { assert(ring); assert(ring->signedInformation); - return CFDictionaryGetValue(ring->signedInformation, sNameKey); + return asString(CFDictionaryGetValue(ring->signedInformation, sNameKey), NULL); } const char *SOSRingGetNameC(SOSRingRef ring) { - CFStringRef name = SOSRingGetName(ring); + CFStringRef name = asString(SOSRingGetName(ring), NULL); if (!name) return strdup(""); return CFStringToCString(name); @@ -404,7 +404,7 @@ bool SOSRingSetPayload_Internal(SOSRingRef ring, CFDataRef payload) { CFSetRef SOSRingGetBackupViewset_Internal(SOSRingRef ring) { SOSRingAssertStable(ring); - return (CFSetRef) CFDictionaryGetValue(ring->signedInformation, sBackupViewSetKey); + return asSet(CFDictionaryGetValue(ring->signedInformation, sBackupViewSetKey), NULL); } bool SOSRingSetBackupViewset_Internal(SOSRingRef ring, CFSetRef viewSet) { @@ -418,7 +418,7 @@ bool SOSRingSetBackupViewset_Internal(SOSRingRef ring, CFSetRef viewSet) { static inline CFMutableSetRef SOSRingGetPeerIDs(SOSRingRef ring) { SOSRingAssertStable(ring); - return (CFMutableSetRef) CFDictionaryGetValue(ring->signedInformation, sPeerIDsKey); + return (CFMutableSetRef) asSet(CFDictionaryGetValue(ring->signedInformation, sPeerIDsKey), NULL); } bool SOSRingSetPeerIDs(SOSRingRef ring, CFMutableSetRef peers) { @@ -688,8 +688,13 @@ bool SOSRingVerify(SOSRingRef ring, SecKeyRef pubKey, CFErrorRef *error) { } bool SOSRingVerifyPeerSigned(SOSRingRef ring, SOSPeerInfoRef peer, CFErrorRef *error) { - SecKeyRef pubkey = SOSPeerInfoCopyPubKey(peer); - bool result = SOSRingVerify(ring, pubkey, error); + bool result = false; + SecKeyRef pubkey = SOSPeerInfoCopyPubKey(peer, error); + require_quiet(pubkey, fail); + + result = SOSRingVerify(ring, pubkey, error); + +fail: CFReleaseSafe(pubkey); return result; } 
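Review bot: SOSRingGetNameC now wraps `SOSRingGetName(ring)` in a second `asString(..., NULL)`, but SOSRingGetName already returns the asString-checked value in the hunk immediately above, so the outer call is a no-op that implies the callee's result is untrusted. Drop it: `CFStringRef name = SOSRingGetName(ring);`. In SOSRingGetPeerIDs the `(CFMutableSetRef) asSet(...)` cast only proves the value is a CFSet, not that it is mutable; if the signed dictionary can be rebuilt from DER with an immutable set, a later mutation through this pointer fails at runtime, which is worth a comment at the cast: `// asSet checks the type only; the set must have been created mutable by SOSRingSetPeerIDs.` The call sites that mutate it are outside this hunk.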
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.h index cf008393..0b97e463 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.h @@ -36,6 +36,11 @@ void SOSRingAssertStable(SOSRingRef ring) assert(ring->data); } +static inline +bool SOSRingIsStable(SOSRingRef ring) { + return (ring) && (ring->unSignedInformation) && (ring->signedInformation) && (ring->signatures)&& (ring->data); +} + /* unSignedInformation Dictionary Keys */ extern CFStringRef sApplicantsKey; extern CFStringRef sRejectionsKey; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.c index 3becdc52..9975c403 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.c @@ -41,6 +41,8 @@ #include "keychain_log.h" #include "secToolFileIO.h" +#include "secViewDisplay.h" + #include <Security/SecPasswordGenerate.h> @@ -54,9 +56,13 @@ CF_EXPORT const CFStringRef _kCFSystemVersionBuildVersionKey; -static char *CFDictionaryCopyCString(CFDictionaryRef dict, const void *key) { +static char *CFDictionaryCopyCStringWithDefault(CFDictionaryRef dict, const void *key, char *defaultString) { + char *retval = NULL; + require_quiet(dict, use_default); CFStringRef val = CFDictionaryGetValue(dict, key); - char *retval = CFStringToCString(val); + retval = CFStringToCString(val); +use_default: + if(!retval) retval = strdup(defaultString); return retval; } 
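Review bot: CFDictionaryCopyCStringWithDefault declares `char *defaultString` although every caller in the next hunk passes a string literal, so it should be `const char *defaultString`. The function also hands the raw `CFDictionaryGetValue` result to CFStringToCString with no type check and relies on CFStringToCString tolerating NULL (the `if(!retval)` fallback assumes it, but nothing in the hunk shows it); `CFStringRef val = asString(CFDictionaryGetValue(dict, key), NULL);` covers both the missing and the wrong-type case with the helper this patch already uses in SOSRingUtils.c, assuming SecCFWrappers is included here. `_CFCopySystemVersionDictionary` is SPI, so the value types cannot be confirmed from this file.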
@@ -516,82 +522,6 @@ static bool dumpKVS(char *itemName, CFErrorRef *err) } -static struct foo { - const char *name; - const CFStringRef *viewspec; -} string2View[] = { - { - "keychain", &kSOSViewKeychainV0 - }, { - "masterkey", &kSOSViewPCSMasterKey, - }, { - "iclouddrive", &kSOSViewPCSiCloudDrive, - }, { - "photos", &kSOSViewPCSPhotos, - }, { - "escrow", &kSOSViewPCSEscrow, - }, { - "fde", &kSOSViewPCSFDE, - }, { - "maildrop", &kSOSViewPCSMailDrop, - }, { - "icloudbackup", &kSOSViewPCSiCloudBackup, - }, { - "notes", &kSOSViewPCSNotes, - }, { - "imessage", &kSOSViewPCSiMessage, - }, { - "feldspar", &kSOSViewPCSFeldspar, - }, { - "appletv", &kSOSViewAppleTV, - }, { - "homekit", &kSOSViewHomeKit, - }, { - "wifi", &kSOSViewWiFi, - }, { - "passwords", &kSOSViewAutofillPasswords, - }, { - "creditcards", &kSOSViewSafariCreditCards, - }, { - "icloudidentity", &kSOSViewiCloudIdentity, - }, { - "othersyncable", &kSOSViewOtherSyncable, - } -}; - -static CFStringRef convertViewReturnCodeToString(SOSViewActionCode ac) { - CFStringRef retval = NULL; - switch(ac) { - case kSOSCCGeneralViewError: - retval = CFSTR("General Error"); break; - case kSOSCCViewMember: - retval = CFSTR("Is Member of View"); break; - case kSOSCCViewNotMember: - retval = CFSTR("Is Not Member of View"); break; - case kSOSCCViewNotQualified: - retval = CFSTR("Is not qualified for View"); break; - case kSOSCCNoSuchView: - retval = CFSTR("No Such View"); break; - } - return retval; -} - -static bool listviewcmd(CFErrorRef *err) { - unsigned n; - - for (n = 0; n < sizeof(string2View)/sizeof(string2View[0]); n++) { - CFStringRef viewspec = *string2View[n].viewspec; - - SOSViewResultCode rc = SOSCCView(viewspec, kSOSCCViewQuery, err); - CFStringRef resultString = convertViewReturnCodeToString(rc); - - printmsg(CFSTR("View Result: %@ : %@\n"), resultString, viewspec); - }; - - return true; -} - - static char *createDateStrNow() { char *retval = NULL; time_t clock; 
@@ -646,7 +576,6 @@ static char *sysdiagnose_dir(const char *passedIn, const char *hostname, const c } - static char *sysdiagnose_dump(const char *dirname) { char *outputDir = NULL; char hostname[80]; @@ -658,17 +587,9 @@ static char *sysdiagnose_dump(const char *dirname) { char *now = createDateStrNow(); CFDictionaryRef sysfdef = _CFCopySystemVersionDictionary(); - if(sysfdef) { - productName = CFDictionaryCopyCString(sysfdef, _kCFSystemVersionProductNameKey); - productVersion = CFDictionaryCopyCString(sysfdef, _kCFSystemVersionProductVersionKey); - buildVersion = CFDictionaryCopyCString(sysfdef, _kCFSystemVersionBuildVersionKey); - } - if (productName == NULL) - productName = strdup("unknownProduct"); - if (productVersion == NULL) - productVersion = strdup("unknownProductVersion"); - if (buildVersion) - buildVersion = strdup("unknownVersion"); + productName = CFDictionaryCopyCStringWithDefault(sysfdef, _kCFSystemVersionProductNameKey, "unknownProduct"); + productVersion = CFDictionaryCopyCStringWithDefault(sysfdef, _kCFSystemVersionProductVersionKey, "unknownProductVersion"); + buildVersion = CFDictionaryCopyCStringWithDefault(sysfdef, _kCFSystemVersionBuildVersionKey, "unknownVersion"); if(gethostname(hostname, 80)) { strcpy(hostname, "unknownhost"); @@ -684,7 +605,7 @@ static char *sysdiagnose_dump(const char *dirname) { #endif outputDir = sysdiagnose_dir(dirname, hostname, productVersion, now); - if(!outputDir) return NULL; + if(!outputDir) goto errOut; mkdir(outputDir, 0700); 
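Review bot: The new `if(!outputDir) goto errOut;` jumps to a label whose cleanup (in the following hunk) calls `free(keysToRegister)` and `free(cloudkeychainproxy3)` on non-embedded builds; if those pointers are assigned after this point (their assignments are not in the hunk), the jump skips their initialisation and errOut frees indeterminate pointers, which is undefined behaviour. Initialise them to NULL at their declarations, or move their assignment above the early exit. The unchanged `mkdir(outputDir, 0700);` just below also ignores its result, so a pre-existing directory with looser permissions would be reused for a dump of account state; `if (mkdir(outputDir, 0700) != 0 && errno != EEXIST) goto errOut;` would at least surface a failed create, and that now has a cleanup path to jump to.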
@@ -714,16 +635,16 @@ static char *sysdiagnose_dump(const char *dirname) { copyFileToOutputDir(outputDir, keysToRegister); copyFileToOutputDir(outputDir, cloudkeychainproxy3); - if(productName) free(productName); - if(productVersion) free(productVersion); - if(buildVersion) free(buildVersion); - - free(now); +errOut: + if(now) free(now); CFReleaseNull(sysfdef); #if ! TARGET_OS_EMBEDDED free(keysToRegister); free(cloudkeychainproxy3); #endif + if(productName) free(productName); + if(productVersion) free(productVersion); + if(buildVersion) free(buildVersion); return outputDir; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.c index e001acb1..8e671deb 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.c @@ -11,6 +11,7 @@ #include <Security/SecureObjectSync/SOSRing.h> #include <SOSCloudKeychainClient.h> +#include <SOSCloudKeychainLogging.h> #include <utilities/debugging.h> #include <utilities/SecCFWrappers.h> #include <CoreFoundation/CFBase.h> 
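Review bot: The cleanup consolidated under `errOut:` guards every free with a NULL test (`if(now) free(now);`, `if(productName) free(productName);` and so on), but free(NULL) is defined to be a no-op, so `free(now); free(productName); free(productVersion); free(buildVersion);` reads the same and stops suggesting that the pointers need special handling. Making the label the single exit for both the success path and the early `goto` is the right shape; what it relies on is that every pointer it frees has been initialised before the first goto, and the declarations are outside this hunk.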
@@ -226,50 +227,51 @@ static void showWhatWasHandled(CFDictionaryRef updates, CFMutableArrayRef handle CFReleaseSafe(handledKeysStr); } +#define KVS_STATE_INTERVAL 50 + CF_RETURNS_RETAINED CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountRef account, CFDictionaryRef updates, CFErrorRef *error){ + static int KVSLogCountDown = 0; CFMutableArrayRef handledKeys = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFStringRef dsid = NULL; - if(CFDictionaryContainsKey(updates, kSOSKVSAccountChangedKey)){ + if(CFDictionaryGetValueIfPresent(updates, kSOSKVSAccountChangedKey, (const void**)&dsid)){ secnotice("accountChange", "SOSTransportDispatchMessages received kSOSKVSAccountChangedKey"); + KVSLogCountDown = 0; // Get an initial check on KVS values // While changing accounts we may modify the key params array. To avoid stepping on ourselves we // copy the list for iteration. Now modifying the transport outside of the list iteration. - __block SOSTransportKeyParameterRef tempTransport = NULL; - CFMutableArrayRef originalKeyParams = CFArrayCreateMutableCopy(kCFAllocatorDefault, CFArrayGetCount(SOSGetTransportKeyParameters()), SOSGetTransportKeyParameters()); - do{ - tempTransport = NULL; - CFArrayForEach(originalKeyParams, ^(const void *value) { - SOSTransportKeyParameterRef transport = (SOSTransportKeyParameterRef) value; - if(CFEqualSafe(SOSTransportKeyParameterGetAccount(transport), account)){ - tempTransport = transport; - } - }); - if(tempTransport != NULL){ + CFMutableArrayRef transportsToUse = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + + CFArrayForEach(SOSGetTransportKeyParameters(), ^(const void *value) { + SOSTransportKeyParameterRef transport = (SOSTransportKeyParameterRef) value; + if(CFEqualSafe(SOSTransportKeyParameterGetAccount(transport), account)){ + CFArrayAppendValue(transportsToUse, transport); + } + + }); + + CFArrayForEach(transportsToUse, ^(const void *value) { + SOSTransportKeyParameterRef tempTransport = 
(SOSTransportKeyParameterRef) value; + + CFStringRef accountDSID = (CFStringRef)SOSAccountGetValue(account, kSOSDSIDKey, error); + + if(accountDSID == NULL){ SOSTransportKeyParameterHandleNewAccount(tempTransport, account); - CFStringRef dsid = NULL; - if(CFDictionaryGetValueIfPresent(updates, kSOSKVSAccountChangedKey, (const void**)&dsid)){ - if(dsid != NULL){ - CFStringRef accountDSID = (CFStringRef)SOSAccountGetValue(account, kSOSDSIDKey, error); - - if(accountDSID == NULL){ - SOSAccountSetValue(account, kSOSDSIDKey, dsid, error); - secdebug("dsid", "Assigning new DSID: %@", dsid); - } - else if(accountDSID != NULL && CFStringCompare(accountDSID, dsid, 0) != 0 ){ - SOSAccountSetValue(account, kSOSDSIDKey, dsid, error); - secdebug("dsid", "Assigning new DSID: %@", dsid); - } - else - secdebug("dsid", "DSIDs are the same!"); - } - } - CFArrayRemoveAllValue(originalKeyParams, tempTransport); + SOSAccountSetValue(account, kSOSDSIDKey, dsid, error); + secdebug("dsid", "Assigning new DSID: %@", dsid); + } else if(accountDSID != NULL && CFStringCompare(accountDSID, dsid, 0) != 0 ) { + SOSTransportKeyParameterHandleNewAccount(tempTransport, account); + SOSAccountSetValue(account, kSOSDSIDKey, dsid, error); + secdebug("dsid", "Assigning new DSID: %@", dsid); + } else { + secdebug("dsid", "DSIDs are the same!"); } - }while(tempTransport != NULL); - CFArrayAppendValue(handledKeys, kSOSKVSAccountChangedKey); - CFReleaseNull(originalKeyParams); + }); + CFReleaseNull(transportsToUse); + + CFArrayAppendValue(handledKeys, kSOSKVSAccountChangedKey); } @@ -296,6 +298,7 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountRef account, CFDictiona CFStringRef to_name = NULL; CFStringRef backup_name = NULL; + require_quiet(isString(key), errOut); switch (SOSKVSKeyGetKeyTypeAndParse(key, &circle_name, &peer_info_name, &ring_name, &backup_name, &from_name, &to_name)) { case kCircleKey: CFDictionarySetValue(circle_circle_messages_table, circle_name, value); 
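Review bot: `dsid` is pulled out of the KVS update dictionary by CFDictionaryGetValueIfPresent and then passed to CFStringCompare and SOSAccountSetValue without any type check, while the next hunk of the same function adds `require_quiet(isString(key), errOut);` for the keys. KVS contents arrive from other devices on the account, so a non-string value under kSOSKVSAccountChangedKey would crash here; check it once before the transports loop, e.g. `if (!isString(dsid)) { secerror("accountChange", "kSOSKVSAccountChangedKey value is not a string"); dsid = NULL; }` and skip the DSID assignment when it is NULL, which the old code's `if(dsid != NULL)` already did. `SOSAccountGetValue(account, kSOSDSIDKey, error)` is also re-read on every iteration of the loop and can be hoisted above it. Whether the file-scope `static int KVSLogCountDown` needs any synchronisation depends on which queue dispatches this function, which I cannot see here.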
@@ -338,7 +341,8 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountRef account, CFDictiona break; } - + + errOut: CFReleaseNull(circle_name); CFReleaseNull(from_name); CFReleaseNull(to_name); 
@@ -436,14 +440,51 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountRef account, CFDictiona if(CFDictionaryGetCount(circle_peer_messages_table)) { CFArrayForEach(SOSGetTransportMessages(), ^(const void *value) { SOSTransportMessageRef tkvs = (SOSTransportMessageRef) value; - if(SOSTransportMessageGetTransportType(tkvs, error) != kIDS){ + + if(SOSTransportMessageGetTransportType(tkvs, error) == kIDSTest){ //this case is for the IDS test transport + if(CFEqualSafe(SOSTransportMessageGetAccount((SOSTransportMessageRef)value), account)){ + CFErrorRef handleMessagesError = NULL; + CFDictionaryRef handledPeers = SOSTransportMessageHandleMessages(account->ids_message_transport, circle_peer_messages_table, &handleMessagesError); + + if (handledPeers) { + // We need to look for and send responses. + SOSAccountSendIKSPSyncList(account, error); + SOSAccountSyncWithAllKVSPeers(account, error); + + CFDictionaryForEach(handledPeers, ^(const void *key, const void *value) { + if (isString(key) && isArray(value)) { + CFArrayForEach(value, ^(const void *value) { + if (isString(value)) { + CFStringRef peerID = (CFStringRef) value; + CFStringRef kvsHandledKey = SOSMessageKeyCreateFromPeerToTransport(account->ids_message_transport, peerID); + CFArrayAppendValue(handledKeys, kvsHandledKey); + CFReleaseSafe(kvsHandledKey); + } + }); + } + }); + CFErrorRef flushError = NULL; + if (!SOSTransportMessageFlushChanges((SOSTransportMessageRef)account->kvs_message_transport, &flushError)) { + secerror("Flush failed: %@", flushError); + } + } + else { + secerror("Didn't handle? 
: %@", handleMessagesError); + } + CFReleaseNull(handledPeers); + CFReleaseNull(handleMessagesError); + } + } + + else if(SOSTransportMessageGetTransportType(tkvs, error) != kIDS){ if(CFEqualSafe(SOSTransportMessageGetAccount((SOSTransportMessageRef)value), account)){ CFErrorRef handleMessagesError = NULL; CFDictionaryRef handledPeers = SOSTransportMessageHandleMessages(account->kvs_message_transport, circle_peer_messages_table, &handleMessagesError); if (handledPeers) { // We need to look for and send responses. - SOSAccountSyncWithAllPeers(account, error); + SOSAccountSendIKSPSyncList(account, error); + SOSAccountSyncWithAllKVSPeers(account, error); CFDictionaryForEach(handledPeers, ^(const void *key, const void *value) { if (isString(key) && isArray(value)) { @@ -451,8 +492,9 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountRef account, CFDictiona if (isString(value)) { CFStringRef peerID = (CFStringRef) value; - CFStringRef kvsHandledKey = SOSMessageKeyCreateFromPeerToTransport((SOSTransportMessageKVSRef)account->kvs_message_transport, peerID); - CFArrayAppendValue(handledKeys, kvsHandledKey); + CFStringRef kvsHandledKey = SOSMessageKeyCreateFromPeerToTransport(account->kvs_message_transport, peerID); + if(kvsHandledKey != NULL) + CFArrayAppendValue(handledKeys, kvsHandledKey); CFReleaseSafe(kvsHandledKey); } }); @@ -510,7 +552,7 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountRef account, CFDictiona CFMutableArrayRef handledRingMessages = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); CFDictionaryForEach(ring_update_message_table, ^(const void *key, const void *value) { - CFDataRef ringData = (CFDataRef)value; + CFDataRef ringData = asData(value, NULL); SOSRingRef ring = SOSRingCreateFromData(error, ringData); if(SOSAccountUpdateRingFromRemote(account, ring, error)){ 
@@ -541,6 +583,11 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountRef account, CFDictiona CFReleaseNull(ring_update_message_table); CFReleaseNull(peer_info_message_table); CFReleaseNull(debug_info_message_table); + + if(KVSLogCountDown <= 0) { + SOSCloudKVSLogState(); + KVSLogCountDown = KVS_STATE_INTERVAL; + } else KVSLogCountDown--; showWhatWasHandled(updates, handledKeys); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.h index 6d419183..23b19bf4 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.h @@ -28,7 +28,9 @@ enum TransportType{ kUnknown = 0, kKVS = 1, kIDS = 2, - kBackupPeer = 3 + kBackupPeer = 3, + kIDSTest = 4, + kKVSTest = 5 }; #endif diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.c index eac2d2ff..2f9e0371 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.c @@ -256,10 +256,11 @@ static CFArrayRef handleCircleMessages(SOSTransportCircleRef transport, CFMutabl CFMutableArrayRef handledKeys = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); CFDictionaryForEach(circle_circle_messages_table, ^(const void *key, const void *value) { CFErrorRef circleMessageError = NULL; - if (!SOSAccountHandleCircleMessage(SOSTransportCircleGetAccount(transport), key, value, &circleMessageError)) { + if(!isString(key) || !isData(value)) { + secerror("Error, Key-Value for CircleMessage was not CFString/CFData"); + } if (!SOSAccountHandleCircleMessage(SOSTransportCircleGetAccount(transport), key, value, &circleMessageError)) { secerror("Error handling circle message %@ (%@): %@", key, value, circleMessageError); - } - else{ + } else{ CFStringRef circle_id = (CFStringRef) key; CFArrayAppendValue(handledKeys, circle_id); } 
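Review bot: The new type check in handleCircleMessages only logs: after `secerror("Error, Key-Value for CircleMessage was not CFString/CFData")` the block falls through and still calls `SOSAccountHandleCircleMessage(...)` with the mis-typed key and value, and if that happens to succeed the `else` appends `key` to `handledKeys` as a CFStringRef. The check should end with `return;` inside the block so a malformed KVS entry is skipped rather than handed down; the fused `} if (!SOSAccountHandleCircleMessage(...` on one line also hides that fall-through and should be split. Whether a skipped entry should additionally be marked handled so it is purged from the store is a policy decision that belongs with the key-deletion code outside this hunk.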
@@ -341,15 +342,11 @@ bool SOSTransportCircleKVSAppendRingKeyInterest(SOSTransportCircleKVSRef transpo CFReleaseNull(ring_key); }); - // And any trusted rings! - CFMutableDictionaryRef rings = SOSAccountGetRings(account, error); - require_quiet(rings, fail); - require_quiet(CFDictionaryGetCount(rings) > 0, fail); - CFDictionaryForEach(rings, ^(const void *key, const void *value) { - CFStringRef ringName = asString(key, NULL); - CFStringRef ring_key = SOSRingKeyCreateWithRingName(ringName); + SOSAccountForEachRing(account, ^SOSRingRef(CFStringRef name, SOSRingRef ring) { + CFStringRef ring_key = SOSRingKeyCreateWithRingName(name); CFSetAddValue(ringKeys, ring_key); CFReleaseNull(ring_key); + return NULL; }); CFSetForEach(ringKeys, ^(const void *value) { diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c index b0906995..69896bcf 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c 
@@ -93,9 +93,9 @@ bool SOSTransportMessageHandlePeerMessage(SOSTransportMessageRef transport, CFSt __block bool result = true; __block bool somethingChanged = false; SOSEngineRef engine = SOSTransportMessageGetEngine(transport); - result &= SOSEngineWithPeerID(engine, peerID, error, ^(SOSPeerRef peer, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *shouldSave) { + result &= SOSEngineWithPeerID(engine, peerID, error, ^(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *shouldSave) { CFDataRef decodedMessage = NULL; - enum SOSCoderUnwrapStatus uwstatus = SOSPeerHandleCoderMessage(peer, peerID, codedMessage, &decodedMessage, shouldSave, error); + enum SOSCoderUnwrapStatus uwstatus = SOSPeerHandleCoderMessage(peer, coder, peerID, codedMessage, &decodedMessage, shouldSave, error); if (uwstatus == SOSCoderUnwrapDecoded) { SOSMessageRef message = NULL; if (decodedMessage && CFDataGetLength(decodedMessage)) { @@ -124,11 +124,11 @@ bool SOSTransportMessageSendMessageIfNeeded(SOSTransportMessageRef transport, CF __block bool ok = true; SOSEngineRef engine = SOSTransportMessageGetEngine(transport); - ok &= SOSEngineForPeerID(engine, peer_id, error, ^(SOSPeerRef peer) { + ok &= SOSEngineForPeerID(engine, peer_id, error, ^(SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder) { // Now under engine lock do stuff CFDataRef message_to_send = NULL; SOSEnginePeerMessageSentBlock sent = NULL; - ok = SOSPeerCoderSendMessageIfNeeded(engine, peer, &message_to_send, circle_id, peer_id, &sent, error); + ok = SOSPeerCoderSendMessageIfNeeded(engine, txn, peer, coder, &message_to_send, circle_id, peer_id, &sent, error); if (message_to_send) { CFDictionaryRef peer_dict = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, peer_id, message_to_send, diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.c index 9111aa48..9e2d7747 100644 
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.c @@ -25,16 +25,17 @@ struct __OpaqueSOSTransportMessageIDS { struct __OpaqueSOSTransportMessage m; - + CFBooleanRef useFragmentation; }; const CFStringRef kSecIDSErrorDomain = CFSTR("com.apple.security.ids.error"); - +const CFStringRef kIDSOperationType = CFSTR("IDSMessageOperation"); +const CFStringRef kIDSMessageToSendKey = CFSTR("MessageToSendKey"); // // V-table implementation forward declarations // -static bool sendToPeer(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID, CFDictionaryRef message, CFErrorRef *error); +static bool sendToPeer(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID,CFDictionaryRef message, CFErrorRef *error); static bool syncWithPeers(SOSTransportMessageRef transport, CFDictionaryRef circleToPeerIDs, CFErrorRef *error); static bool sendMessages(SOSTransportMessageRef transport, CFDictionaryRef circleToPeersToMessage, CFErrorRef *error); static void destroy(SOSTransportMessageRef transport); 
@@ -46,6 +47,16 @@ static inline CFIndex getTransportType(SOSTransportMessageRef transport, CFError return kIDS; } +void SOSTransportMessageIDSSetFragmentationPreference(SOSTransportMessageRef transport, CFBooleanRef preference){ + SOSTransportMessageIDSRef t = (SOSTransportMessageIDSRef)transport; + t->useFragmentation = preference; +} + +CFBooleanRef SOSTransportMessageIDSGetFragmentationPreference(SOSTransportMessageRef transport){ + SOSTransportMessageIDSRef t = (SOSTransportMessageIDSRef)transport; + return t->useFragmentation; + } + SOSTransportMessageIDSRef SOSTransportMessageIDSCreate(SOSAccountRef account, CFStringRef circleName, CFErrorRef *error) { SOSTransportMessageIDSRef ids = (SOSTransportMessageIDSRef) SOSTransportMessageCreateForSubclass(sizeof(struct __OpaqueSOSTransportMessageIDS) - sizeof(CFRuntimeBase), account, circleName, error); 
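Review bot: `useFragmentation` is a per-transport mutable field that the callers in this patch overwrite immediately before each send to express a per-peer decision, so the correct value depends on nothing else touching the transport between the setter and the read in sendToPeer; passing the preference as an argument to sendToPeer would remove that shared-state dependency. The visible part of SOSTransportMessageIDSCreate does not initialise the field; if the CF runtime does not zero the subclass bytes (not visible here), the getter can return a non-NULL garbage pointer that the `== kCFBooleanTrue` comparison in sendToPeer will simply treat as false, so an explicit `ids->useFragmentation = kCFBooleanFalse;` in the create path is cheap insurance. Both accessors would also benefit from a one-line comment stating that the value is expected to be one of the two CFBoolean singletons, which is what makes pointer comparison valid. The create function continues outside the hunk.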
@@ -73,75 +84,116 @@ static void destroy(SOSTransportMessageRef transport){ } static CF_RETURNS_RETAINED CFDictionaryRef handleMessages(SOSTransportMessageRef transport, CFMutableDictionaryRef circle_peer_messages_table, CFErrorRef *error) { - // TODO: This might need to be: return CFDictionaryCreateForCFTypes(kCFAllocatorDefault, NULL); - return CFDictionaryCreateForCFTypes(kCFAllocatorDefault); + return CFDictionaryCreateForCFTypes(kCFAllocatorDefault, NULL); +} + +static HandleIDSMessageReason checkMessageValidity(SOSAccountRef account, CFStringRef fromDeviceID, CFStringRef fromPeerID, CFStringRef *peerID, SOSPeerInfoRef *theirPeerInfo){ + + __block HandleIDSMessageReason reason = kHandleIDSMessageDontHandle; + + SOSCircleForEachPeer(account->trusted_circle, ^(SOSPeerInfoRef peer) { + CFStringRef deviceID = SOSPeerInfoCopyDeviceID(peer); + CFStringRef pID = SOSPeerInfoGetPeerID(peer); + + if( deviceID && pID && fromPeerID && fromDeviceID && CFStringGetLength(fromPeerID) != 0 ){ + if(CFStringCompare(pID, fromPeerID, 0) == 0){ + if(CFStringGetLength(deviceID) == 0){ + secnotice("ids transport", "device ID was empty in the peer list, holding on to message"); + CFReleaseNull(deviceID); + reason = kHandleIDSMessageNotReady; + return; + } + else if(CFStringCompare(fromDeviceID, deviceID, 0) != 0){ //IDSids do not match, ghost + reason = kHandleIDSmessageDeviceIDMismatch; + CFReleaseNull(deviceID); + return; + } + else if(CFStringCompare(deviceID, fromDeviceID, 0) == 0){ + *peerID = pID; + *theirPeerInfo = peer; + CFReleaseNull(deviceID); + reason = kHandleIDSMessageSuccess; + return; + } + } + } + CFReleaseNull(deviceID); + }); + + return reason; } HandleIDSMessageReason SOSTransportMessageIDSHandleMessage(SOSAccountRef account, CFDictionaryRef message, CFErrorRef *error) { - secdebug("IDS Transport", "SOSTransportMessageIDSHandleMessage!"); + secnotice("IDS Transport", "SOSTransportMessageIDSHandleMessage!"); CFStringRef dataKey = 
CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeyIDSDataMessage, kCFStringEncodingASCII); CFStringRef deviceIDKey = CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeyDeviceID, kCFStringEncodingASCII); - - CFDataRef messageData = (CFDataRef)CFDictionaryGetValue(message, dataKey); - CFStringRef fromID = (CFStringRef)CFDictionaryGetValue(message, deviceIDKey); - - SOSPeerInfoRef myPeer = SOSAccountGetMyPeerInfo(account); + CFStringRef sendersPeerIDKey = CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeySendersPeerID, kCFStringEncodingASCII); - if(!myPeer) { - CFReleaseNull(deviceIDKey); - CFReleaseNull(dataKey); - if(!SOSAccountHasFullPeerInfo(account, error)) - return kHandleIDSMessageOtherFail; - } + HandleIDSMessageReason result = kHandleIDSMessageSuccess; - __block CFStringRef peerID = NULL; - - SOSCircleForEachPeer(account->trusted_circle, ^(SOSPeerInfoRef peer) { - CFStringRef deviceID = SOSPeerInfoCopyDeviceID(peer); - if(deviceID && CFStringCompare(deviceID, fromID, 0) == 0) - peerID = SOSPeerInfoGetPeerID(peer); - CFReleaseNull(deviceID); - }); - if(!peerID){ - secerror("Could not find peer matching the IDS device ID, dropping message"); - CFReleaseNull(dataKey); - CFReleaseNull(deviceIDKey); - return kHandleIDSMessageNotReady; - } + CFDataRef messageData = asData(CFDictionaryGetValue(message, dataKey), NULL); + __block CFStringRef fromDeviceID = asString(CFDictionaryGetValue(message, deviceIDKey), NULL); + __block CFStringRef fromPeerID = (CFStringRef)CFDictionaryGetValue(message, sendersPeerIDKey); - if(messageData != NULL && CFDataGetLength(messageData) > 0){ + CFStringRef peerID = NULL; + SOSPeerInfoRef theirPeer = NULL; + + require_action_quiet(fromDeviceID, exit, result = kHandleIDSMessageDontHandle); + require_action_quiet(fromPeerID, exit, result = kHandleIDSMessageDontHandle); + require_action_quiet(messageData && CFDataGetLength(messageData) != 0, exit, result = kHandleIDSMessageDontHandle); + 
require_action_quiet(SOSAccountHasFullPeerInfo(account, error), exit, result = kHandleIDSMessageNotReady); + + require_quiet((result = checkMessageValidity( account, fromDeviceID, fromPeerID, &peerID, &theirPeer)) == kHandleIDSMessageSuccess, exit); + + if (SOSTransportMessageHandlePeerMessage(account->ids_message_transport, peerID, messageData, error)) { + CFMutableDictionaryRef peersToSyncWith = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFMutableArrayRef peerIDs = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFArrayAppendValue(peerIDs, peerID); + CFDictionaryAddValue(peersToSyncWith, SOSCircleGetName(account->trusted_circle), peerIDs); - if (SOSTransportMessageHandlePeerMessage(account->ids_message_transport, peerID, messageData, error)) { - CFMutableDictionaryRef peersToSyncWith = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - CFMutableArrayRef peerIDs = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - CFArrayAppendValue(peerIDs, peerID); - CFDictionaryAddValue(peersToSyncWith, SOSCircleGetName(account->trusted_circle), peerIDs); - - if(!SOSTransportMessageSyncWithPeers(account->ids_message_transport, peersToSyncWith, error)) - { - secerror("SOSTransportMessageIDSHandleMessage Could not sync with all peers: %@", *error); - } - else{ - secdebug("IDS Transport", "Synced with all peers!"); - CFReleaseNull(dataKey); - CFReleaseNull(deviceIDKey); - return kHandleIDSMessageSuccess; - } - + //sync using fragmentation? 
+ if(SOSPeerInfoShouldUseIDSMessageFragmentation(SOSFullPeerInfoGetPeerInfo(account->my_identity), theirPeer)){ + //set useFragmentation bit + SOSTransportMessageIDSSetFragmentationPreference(account->ids_message_transport, kCFBooleanTrue); } else{ - CFReleaseNull(dataKey); - CFReleaseNull(deviceIDKey); + SOSTransportMessageIDSSetFragmentationPreference(account->ids_message_transport, kCFBooleanFalse); + } + + if(!SOSTransportMessageSyncWithPeers(account->ids_message_transport, peersToSyncWith, error)){ + secerror("SOSTransportMessageIDSHandleMessage Could not sync with all peers: %@", *error); + }else{ + secnotice("IDS Transport", "Synced with all peers!"); + } + + CFReleaseNull(peersToSyncWith); + CFReleaseNull(peerIDs); + }else{ + if(error && *error != NULL){ + CFStringRef errorMessage = CFErrorCopyDescription(*error); + if (-25308 == CFErrorGetCode(*error)) { // tell IDSKeychainSyncingProxy to call us back when device unlocks + result = kHandleIDSMessageLocked; + }else{ //else drop it, couldn't handle the message + result = kHandleIDSMessageDontHandle; + } + secerror("IDS Transport Could not handle message: %@, %@", messageData, *error); + CFReleaseNull(errorMessage); + + } + else{ //no error but failed? drop it, log message secerror("IDS Transport Could not handle message: %@", messageData); - return kHandleIDSMessageOtherFail; + result = kHandleIDSMessageDontHandle; + } } - secerror("Data doesn't exist: %@", messageData); + +exit: + CFReleaseNull(sendersPeerIDKey); CFReleaseNull(deviceIDKey); CFReleaseNull(dataKey); - return kHandleIDSMessageOtherFail; + return result; } 
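Review bot: `fromPeerID` is still taken with a raw cast, `(CFStringRef)CFDictionaryGetValue(message, sendersPeerIDKey)`, while the two sibling fields now go through `asData`/`asString`; a non-string value in an incoming IDS message would then reach `CFStringGetLength` and `CFStringCompare` in checkMessageValidity as the wrong CF type. It should be `__block CFStringRef fromPeerID = asString(CFDictionaryGetValue(message, sendersPeerIDKey), NULL);` so the existing `require_action_quiet(fromPeerID, ...)` rejects it. In the failure branch `errorMessage` is created with CFErrorCopyDescription and released without ever being used, so those two lines can go. The `secerror("IDS Transport Could not handle message: %@, %@", messageData, *error)` call logs the full message payload; logging its length instead would keep the diagnostics without putting message bytes in the system log.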
@@ -155,15 +207,33 @@ static bool sendToPeer(SOSTransportMessageRef transport, CFStringRef circleName, CFMutableDataRef mutableData = NULL; SOSAccountRef account = SOSTransportMessageGetAccount(transport); CFStringRef ourPeerID = SOSPeerInfoGetPeerID(SOSAccountGetMyPeerInfo(account)); + CFStringRef operationToString = NULL; + + CFDictionaryRef messagetoSend = NULL; require_action_quiet((deviceID != NULL && CFStringGetLength(deviceID) >0), fail, errorMessage = CFSTR("Need an IDS Device ID to sync")); + if(CFDictionaryGetValue(message, kIDSOperationType) == NULL && SOSTransportMessageIDSGetFragmentationPreference(transport) == kCFBooleanTrue){ + //otherwise handle a keychain data blob using fragmentation! + secnotice("IDS Transport","sendToPeer: using fragmentation!"); + char *messageCharStar; + asprintf(&messageCharStar, "%d", kIDSKeychainSyncIDSFragmentation); + operationToString = CFStringCreateWithCString(kCFAllocatorDefault, messageCharStar, kCFStringEncodingUTF8); + free(messageCharStar); + + messagetoSend = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, kIDSOperationType, operationToString, kIDSMessageToSendKey, message, NULL); + } + else{ //otherhandle handle the test message without fragmentation + messagetoSend = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(message), message); + secnotice("IDS Transport","sendToPeer: not going to fragment message"); + } + dispatch_semaphore_t wait_for = dispatch_semaphore_create(0); dispatch_retain(wait_for); // Both this scope and the block own it. 
secnotice("ids transport", "Starting"); - SOSCloudKeychainSendIDSMessage(message, deviceID, ourPeerID, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) { + SOSCloudKeychainSendIDSMessage(messagetoSend, deviceID, ourPeerID, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), SOSTransportMessageIDSGetFragmentationPreference(transport), ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) { success = (sync_error == NULL); if (sync_error && error) { CFRetainAssign(*error, sync_error); @@ -183,13 +253,14 @@ static bool sendToPeer(SOSTransportMessageRef transport, CFStringRef circleName, secerror("Failed to send message to peer"); } else{ - secdebug("IDS Transport", "Sent message to peer!"); + secnotice("IDS Transport", "Sent message to peer!"); } - + + CFReleaseNull(messagetoSend); CFReleaseNull(operation); CFReleaseNull(operationData); CFReleaseNull(mutableData); - + CFReleaseNull(operationToString); return success; fail: @@ -198,14 +269,17 @@ fail: *error =CFErrorCreate(kCFAllocatorDefault, CFSTR("com.apple.security.ids.error"), kSecIDSErrorNoDeviceID, userInfo); secerror("%@", *error); } + CFReleaseNull(messagetoSend); CFReleaseNull(operation); CFReleaseNull(operationData); CFReleaseNull(mutableData); CFReleaseNull(userInfo); + CFReleaseNull(operationToString); return success; } + static bool syncWithPeers(SOSTransportMessageRef transport, CFDictionaryRef circleToPeerIDs, CFErrorRef *error) { // Each entry is keyed by circle name and contains a list of peerIDs __block bool result = true; 
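Review bot: The fragmentation branch of sendToPeer builds the operation string via an unchecked `asprintf(&messageCharStar, "%d", kIDSKeychainSyncIDSFragmentation)`; on allocation failure `messageCharStar` is not guaranteed to be set, and it is then handed to CFStringCreateWithCString and free. The three lines collapse to one with no C-heap round trip: `operationToString = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%d"), kIDSKeychainSyncIDSFragmentation);`. The non-fragmenting branch uses `CFDictionaryCreateMutableCopy(kCFAllocatorDefault, CFDictionaryGetCount(message), message)`, which creates a fixed-capacity dictionary; since nothing visible adds to it, `CFDictionaryCreateCopy` or a capacity of 0 states the intent more honestly. The function's remaining body and `fail:` label are in the following hunks.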
@@ -249,6 +323,13 @@ static bool sendMessages(SOSTransportMessageRef transport, CFDictionaryRef circl } SOSCircleForEachPeer(circle, ^(SOSPeerInfoRef peer) { if(!CFEqualSafe(myPeer, peer)){ + if(SOSPeerInfoShouldUseIDSMessageFragmentation(myPeer, peer)){ + SOSTransportMessageIDSSetFragmentationPreference(transport, kCFBooleanTrue); + } + else{ + SOSTransportMessageIDSSetFragmentationPreference(transport, kCFBooleanFalse); + } + CFStringRef deviceID = SOSPeerInfoCopyDeviceID(peer); if(CFStringCompare(SOSPeerInfoGetPeerID(peer), peerID, 0) == 0){ bool rx = false; @@ -261,10 +342,13 @@ static bool sendMessages(SOSTransportMessageRef transport, CFDictionaryRef circl }); } }); + fail: + CFReleaseNull(message); return result; } + static bool flushChanges(SOSTransportMessageRef transport, CFErrorRef *error) { return true; @@ -285,7 +369,7 @@ void SOSTransportMessageIDSGetIDSDeviceID(SOSAccountRef account){ secerror("Could not ask IDSKeychainSyncingProxy for Device ID: %@", sync_error); } else{ - secdebug("IDS Transport", "Successfully attempting to retrieve the IDS Device ID"); + secnotice("IDS Transport", "Successfully attempting to retrieve the IDS Device ID"); } }); } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.h index 90a03643..783b3323 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.h @@ -12,7 +12,8 @@ typedef enum { kIDSSyncMessagesRaw = 4, kIDSSyncMessagesCompact = 5, kIDSPeerAvailability = 6, - kIDSPeerAvailabilityDone = 7 + kIDSPeerAvailabilityDone = 7, + kIDSKeychainSyncIDSFragmentation = 8 } idsOperation; //error handling stuff 
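Review bot: In sendMessages the fragmentation preference is recomputed and written to the transport for every peer that is not `myPeer`, before the `CFStringCompare(SOSPeerInfoGetPeerID(peer), peerID, 0) == 0` test decides whether anything is sent to that peer; the result is correct only because the send happens in the same loop iteration, which is easy to break. Moving the `SOSTransportMessageIDSSetFragmentationPreference(transport, SOSPeerInfoShouldUseIDSMessageFragmentation(myPeer, peer) ? kCFBooleanTrue : kCFBooleanFalse);` call inside the matching branch makes the dependency explicit and avoids needless writes. The loop body and the `fail:` label continue in the next hunk.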
@@ -24,11 +25,13 @@ typedef enum { kSecIDSErrorCouldNotFindMatchingAuthToken = -4, kSecIDSErrorDeviceIsLocked = -5, kSecIDSErrorNoPeersAvailable = -6 - + } idsError; extern const CFStringRef kSecIDSErrorDomain; +extern const CFStringRef kIDSOperationType; +extern const CFStringRef kIDSMessageToSendKey; typedef struct __OpaqueSOSTransportMessageIDS *SOSTransportMessageIDSRef; @@ -37,3 +40,7 @@ SOSTransportMessageIDSRef SOSTransportMessageIDSCreate(SOSAccountRef account, CF HandleIDSMessageReason SOSTransportMessageIDSHandleMessage(SOSAccountRef account, CFDictionaryRef message, CFErrorRef *error); void SOSTransportMessageIDSGetIDSDeviceID(SOSAccountRef account); + +void SOSTransportMessageIDSSetFragmentationPreference(SOSTransportMessageRef transport, CFBooleanRef preference); +CFBooleanRef SOSTransportMessageIDSGetFragmentationPreference(SOSTransportMessageRef transport); + diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.c index e69a62c3..fb2bdf17 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.c 
@@ -52,14 +52,16 @@ SOSTransportMessageKVSRef SOSTransportMessageKVSCreate(SOSAccountRef account, CF bool SOSTransportMessageKVSAppendKeyInterest(SOSTransportMessageKVSRef transport, CFMutableArrayRef alwaysKeys, CFMutableArrayRef afterFirstUnlockKeys, CFMutableArrayRef unlockedKeys, CFErrorRef *localError){ SOSEngineRef engine = SOSTransportMessageGetEngine((SOSTransportMessageRef)transport); require_quiet(engine, fail); + CFArrayRef peerInfos = SOSAccountCopyPeersToListenTo(SOSTransportMessageGetAccount((SOSTransportMessageRef) transport), localError); if(peerInfos){ CFArrayForEach(peerInfos, ^(const void *value) { SOSPeerInfoRef peer = (SOSPeerInfoRef)value; CFStringRef peerID = SOSPeerInfoGetPeerID(peer); - CFStringRef peerMessage = SOSMessageKeyCreateFromPeerToTransport(transport, peerID); - CFArrayAppendValue(unlockedKeys, peerMessage); + CFStringRef peerMessage = SOSMessageKeyCreateFromPeerToTransport((SOSTransportMessageRef)transport, peerID); + if(peerMessage != NULL) + CFArrayAppendValue(unlockedKeys, peerMessage); CFReleaseNull(peerMessage); }); CFReleaseNull(peerInfos); @@ -190,11 +192,11 @@ CFDictionaryRef handleMessages(SOSTransportMessageRef transport, CFMutableDictio if(peerToMessage){ CFDictionaryForEach(peerToMessage, ^(const void *key, const void *value) { - CFStringRef peer_id = (CFStringRef) key; - CFDataRef peer_message = (CFDataRef) value; + CFStringRef peer_id = asString(key, NULL); + CFDataRef peer_message = asData(value, NULL); CFErrorRef localError = NULL; - if (SOSTransportMessageHandlePeerMessage(transport, peer_id, peer_message, &localError)) { + if (peer_id && peer_message && SOSTransportMessageHandlePeerMessage(transport, peer_id, peer_message, &localError)) { CFArrayAppendValue(handled_peers, key); } else { secnotice("transport", "%@ KVSTransport handle message failed: %@", peer_id, localError); 
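Review bot: A KVS entry whose key is not a CFString or whose value is not CFData is now skipped by the `peer_id && peer_message &&` guard, but it is also not added to `handled_peers`; if the caller deletes only handled keys (the deletion path is outside this hunk), such an entry stays in the store and is re-logged on every sync pass. Deciding whether to purge it is a policy question, but the log line should at least identify the offender: `secnotice("transport", "%@ KVSTransport handle message failed: %@", key, localError);` prints the raw key, whereas `peer_id` is NULL exactly in the mis-typed-key case.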
@@ -218,7 +220,7 @@ static bool sendToPeer(SOSTransportMessageRef transport, CFStringRef circleName, if(dsid == NULL) dsid = kCFNull; - CFStringRef message_to_peer_key = SOSMessageKeyCreateFromTransportToPeer(kvsTransport, peerID); + CFStringRef message_to_peer_key = SOSMessageKeyCreateFromTransportToPeer((SOSTransportMessageRef)kvsTransport, peerID); CFDictionaryRef a_message_to_a_peer = CFDictionaryCreateForCFTypes(NULL, message_to_peer_key, message, kSOSKVSRequiredKey, dsid, NULL); if (!SOSTransportMessageKVSUpdateKVS(kvsTransport, a_message_to_a_peer, error)) { diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h index ad00b1a3..e14e4cf0 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h @@ -39,10 +39,11 @@ typedef enum SyncWithAllPeersReason { } SyncWithAllPeersReason; typedef enum HandleIDSMessageReason { - kHandleIDSMessageOtherFail = 0, + kHandleIDSMessageDontHandle = 0, kHandleIDSMessageNotReady, kHandleIDSMessageSuccess, kHandleIDSMessageLocked, + kHandleIDSmessageDeviceIDMismatch } HandleIDSMessageReason; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.c index 93455c9f..3779e516 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.c @@ -319,8 +319,9 @@ CF_RETURNS_RETAINED CFStringRef UserParametersDescription(CFDataRef parameters){ &newKey, &newParameters, &error, CFDataGetBytePtr(parameters), CFDataGetPastEndPtr(parameters)); + if (parse_end != CFDataGetPastEndPtr(parameters)){ - secnotice("keygen", "failed to decode cloud parameters"); + secdebug("keygen", "failed to decode cloud parameters"); return NULL; } 
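Review bot: `kHandleIDSmessageDeviceIDMismatch` breaks the casing of every sibling in HandleIDSMessageReason (`kHandleIDSMessage…`); renaming it to `kHandleIDSMessageDeviceIDMismatch` here and at its single use in checkMessageValidity keeps the enum greppable. The new value also deserves a comment, since its meaning comes only from the matcher in SOSTransportMessageIDS.c: `kHandleIDSMessageDeviceIDMismatch // sender's peer ID is in the circle but the message came from a different IDS device ID`. The renamed `kHandleIDSMessageDontHandle` keeps the old value 0, so the change is ABI-neutral for existing callers.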
@@ -335,16 +336,22 @@ CF_RETURNS_RETAINED CFStringRef UserParametersDescription(CFDataRef parameters){ der = der_decode_pbkdf2_params(&saltlen, &salt, &iterations, &keysize, der, der_end); if (der == NULL) { - secnotice("keygen", "failed to decode pbkdf2 params"); + secdebug("keygen", "failed to decode pbkdf2 params"); return NULL; } - BufferPerformWithHexString(salt, saltlen, ^(CFStringRef saltHex) { + CFStringRef userPubKeyID = SOSCopyIDOfKeyWithLength(newKey, 8, NULL); + + BufferPerformWithHexString(salt, 4, ^(CFStringRef saltHex) { // Only dump 4 bytes worth of salthex CFDataPerformWithHexString(newParameters, ^(CFStringRef parametersHex) { - description = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("<Params: count: %zd, keysize: %zd, salt: %@, key: %@>"), iterations, keysize, saltHex, newKey); + description = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("<Params: iter: %zd, size: %zd, salt: %@> <keyid: %@>"), iterations, keysize, saltHex, userPubKeyID); }); }); + CFReleaseNull(newParameters); + CFReleaseNull(newKey); + CFReleaseNull(userPubKeyID); + return description; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.c index ec40ceb3..f7478434 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.c 
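Review bot: `BufferPerformWithHexString(salt, 4, ...)` hard-codes a 4-byte read of `salt` without consulting the `saltlen` that der_decode_pbkdf2_params just returned, so a parameter blob with a shorter salt makes the description routine read past the salt; use `BufferPerformWithHexString(salt, saltlen < 4 ? saltlen : 4, ...)`. Trimming the salt and logging a key ID instead of the key itself is the right direction for a routine whose output goes to logs. The new `CFReleaseNull(newParameters); CFReleaseNull(newKey);` only run on the success path, while the `return NULL` on `der == NULL` (and the parse_end check in the preceding hunk) still leak whatever was allocated by then, assuming the decode allocates before those checks. The start of UserParametersDescription is outside this hunk.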
@@ -60,28 +60,10 @@ const CFStringRef kSOSViewOtherSyncable_tomb = CFSTR("OtherSyncable-tomb" // Views const CFStringRef kSOSViewKeychainV0 = CFSTR("KeychainV0"); // iCloud Keychain syncing for v0 peers -const CFStringRef kSOSViewWiFi = CFSTR("WiFi"); -const CFStringRef kSOSViewAutofillPasswords = CFSTR("Passwords"); -const CFStringRef kSOSViewSafariCreditCards = CFSTR("CreditCards"); -const CFStringRef kSOSViewiCloudIdentity = CFSTR("iCloudIdentity"); -const CFStringRef kSOSViewBackupBagV0 = CFSTR("BackupBagV0"); // iCloud Keychain backup bag for v0 peers (single item) -const CFStringRef kSOSViewOtherSyncable = CFSTR("OtherSyncable"); - -// PCS (Protected Cloud Storage) Views -const CFStringRef kSOSViewPCSMasterKey = CFSTR("PCS-MasterKey"); -const CFStringRef kSOSViewPCSiCloudDrive = CFSTR("PCS-iCloudDrive"); // Bladerunner -const CFStringRef kSOSViewPCSPhotos = CFSTR("PCS-Photos"); // Hyperion -const CFStringRef kSOSViewPCSCloudKit = CFSTR("PCS-CloudKit"); // Liverpool -const CFStringRef kSOSViewPCSEscrow = CFSTR("PCS-Escrow"); -const CFStringRef kSOSViewPCSFDE = CFSTR("PCS-FDE"); -const CFStringRef kSOSViewPCSMailDrop = CFSTR("PCS-Maildrop"); // PianoMover -const CFStringRef kSOSViewPCSiCloudBackup = CFSTR("PCS-Backup"); -const CFStringRef kSOSViewPCSNotes = CFSTR("PCS-Notes"); -const CFStringRef kSOSViewPCSiMessage = CFSTR("PCS-iMessage"); -const CFStringRef kSOSViewPCSFeldspar = CFSTR("PCS-Feldspar"); - -const CFStringRef kSOSViewAppleTV = CFSTR("AppleTV"); -const CFStringRef kSOSViewHomeKit = CFSTR("HomeKit"); +#undef DOVIEWMACRO +#define DOVIEWMACRO(VIEWNAME, DEFSTRING, CMDSTRING, DEFAULTSETTING, INITIALSYNCSETTING, ALWAYSONSETTING, BACKUPSETTING, V0SETTING) \ +const CFStringRef kSOSView##VIEWNAME = CFSTR(DEFSTRING); +#include "Security/SecureObjectSync/ViewList.list" // View Hints // Note that by definition, there cannot be a V0 view hint 
@@ -101,6 +83,31 @@ const CFStringRef kSOSViewHintPCSFeldspar = CFSTR("PCS-Feldspar"); const CFStringRef kSOSViewHintAppleTV = CFSTR("AppleTV"); const CFStringRef kSOSViewHintHomeKit = CFSTR("HomeKit"); +CFMutableSetRef SOSViewCopyViewSet(ViewSetKind setKind) { + CFMutableSetRef result = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); + +#undef DOVIEWMACRO +#define __TYPE_MEMBER_ false +#define __TYPE_MEMBER_D true +#define __TYPE_MEMBER_I true +#define __TYPE_MEMBER_A true +#define __TYPE_MEMBER_V true +#define __TYPE_MEMBER_B true +#define DOVIEWMACRO(VIEWNAME, DEFSTRING, CMDSTRING, DEFAULT, INITIAL, ALWAYSON, BACKUP, V0) \ + if ((setKind == kViewSetAll) || \ + ((setKind == kViewSetDefault) && __TYPE_MEMBER_##DEFAULT) || \ + ((setKind == kViewSetInitial) && __TYPE_MEMBER_##INITIAL) || \ + ((setKind == kViewSetAlwaysOn) && __TYPE_MEMBER_##ALWAYSON) || \ + ((setKind == kViewSetRequiredForBackup) && __TYPE_MEMBER_##BACKUP) || \ + ((setKind == kViewSetV0) && __TYPE_MEMBER_##V0) ) { \ + CFSetAddValue(result, kSOSView##VIEWNAME); \ + } + +#include "Security/SecureObjectSync/ViewList.list" + + return result; +} + CFGiblisGetSingleton(CFSetRef, SOSViewsGetV0ViewSet, defaultViewSet, ^{ // Since peer->views must never be NULL, fill in with a default const void *values[] = { kSOSViewKeychainV0 }; @@ -109,9 +116,7 @@ CFGiblisGetSingleton(CFSetRef, SOSViewsGetV0ViewSet, defaultViewSet, ^{ CFGiblisGetSingleton(CFSetRef, SOSViewsGetV0SubviewSet, subViewSet, (^{ // Since peer->views must never be NULL, fill in with a default - const void *values[] = { kSOSViewWiFi, kSOSViewAutofillPasswords, kSOSViewSafariCreditCards, - kSOSViewiCloudIdentity, kSOSViewBackupBagV0, kSOSViewOtherSyncable }; - *subViewSet = CFSetCreate(kCFAllocatorDefault, values, array_size(values), &kCFTypeSetCallBacks); + *subViewSet = SOSViewCopyViewSet(kViewSetV0); })); CFGiblisGetSingleton(CFSetRef, SOSViewsGetV0BackupViewSet, defaultViewSet, ^{ 
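Review bot: The helper macros `__TYPE_MEMBER_`, `__TYPE_MEMBER_D` and friends in SOSViewCopyViewSet use identifiers beginning with a double underscore, which are reserved for the implementation in C, and they are never `#undef`'d after the `ViewList.list` include, so they leak into the rest of the translation unit. A prefix such as `SOSVIEW_FLAG_` with matching `#undef SOSVIEW_FLAG_` lines (and `#undef DOVIEWMACRO`) after the include keeps the trick local to this function. A one-line comment above the function explaining that the single-letter columns in ViewList.list are mapped to booleans via token pasting would also help the next reader.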
@@ -124,6 +129,12 @@ CFGiblisGetSingleton(CFSetRef, SOSViewsGetV0BackupBagViewSet, defaultViewSet, ^{ *defaultViewSet = CFSetCreate(kCFAllocatorDefault, values, array_size(values), &kCFTypeSetCallBacks); }); + +CFGiblisGetSingleton(CFSetRef, SOSViewsGetInitialSyncSubviewSet, subViewSet, (^{ + *subViewSet = SOSViewCopyViewSet(kViewSetInitial); +})); + + bool SOSViewsIsV0Subview(CFStringRef viewName) { return CFSetContainsValue(SOSViewsGetV0SubviewSet(), viewName); } 
@@ -137,58 +148,28 @@ CFSetRef SOSViewsGetAllCurrent(void) { static dispatch_once_t dot; static CFMutableSetRef allViews = NULL; dispatch_once(&dot, ^{ - allViews = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); + allViews = SOSViewCopyViewSet(kViewSetAll); + CFSetAddValue(allViews, kSOSViewKeychainV0); - CFSetAddValue(allViews, kSOSViewPCSMasterKey); - CFSetAddValue(allViews, kSOSViewPCSiCloudDrive); - CFSetAddValue(allViews, kSOSViewPCSPhotos); - CFSetAddValue(allViews, kSOSViewPCSCloudKit); - CFSetAddValue(allViews, kSOSViewPCSEscrow); - CFSetAddValue(allViews, kSOSViewPCSFDE); - CFSetAddValue(allViews, kSOSViewPCSMailDrop); - CFSetAddValue(allViews, kSOSViewPCSiCloudBackup); - CFSetAddValue(allViews, kSOSViewPCSNotes); - CFSetAddValue(allViews, kSOSViewPCSiMessage); - CFSetAddValue(allViews, kSOSViewPCSFeldspar); - CFSetAddValue(allViews, kSOSViewAppleTV); - CFSetAddValue(allViews, kSOSViewHomeKit); - CFSetAddValue(allViews, kSOSViewWiFi); - CFSetAddValue(allViews, kSOSViewAutofillPasswords); - CFSetAddValue(allViews, kSOSViewSafariCreditCards); - CFSetAddValue(allViews, kSOSViewiCloudIdentity); - CFSetAddValue(allViews, kSOSViewBackupBagV0); - CFSetAddValue(allViews, kSOSViewOtherSyncable); + if(sTestViewSet) CFSetUnion(allViews, sTestViewSet); }); - return sTestViewSet ? sTestViewSet : allViews; + return allViews; } -static CFMutableSetRef CFSetCreateMutableCopyForSOSViews(CFAllocatorRef allocator, CFSetRef original) { - if(!original) return NULL; - return CFSetCreateMutableCopy(allocator, 0, original); -} - -CFMutableSetRef SOSViewsCreateDefault(bool includeLegacy, CFErrorRef *error) { - CFMutableSetRef result = CFSetCreateMutableCopyForSOSViews(NULL, SOSViewsGetAllCurrent()); - - // We don't by default particiate in V0, actually we don't want - // to let folks enable it. 
- CFSetRemoveValue(result, kSOSViewKeychainV0); - - if (!includeLegacy) { - // We don't by default participate in fractures of iCloudKeychain - CFSetRemoveValue(result, kSOSViewWiFi); - CFSetRemoveValue(result, kSOSViewAutofillPasswords); - CFSetRemoveValue(result, kSOSViewSafariCreditCards); - CFSetRemoveValue(result, kSOSViewOtherSyncable); +const char *SOSViewsXlateAction(SOSViewActionCode action) { + switch(action) { + case kSOSCCViewEnable: return "kSOSCCViewEnable"; + case kSOSCCViewDisable: return "kSOSCCViewDisable"; + case kSOSCCViewQuery: return "kSOSCCViewQuery"; + default: return "unknownViewAction"; } - - return result; } + // Eventually this will want to know the gestalt or security properties... void SOSViewsForEachDefaultEnabledViewName(void (^operation)(CFStringRef viewName)) { - CFMutableSetRef defaultViews = SOSViewsCreateDefault(false, NULL); - + CFMutableSetRef defaultViews = SOSViewCopyViewSet(kViewSetDefault); + CFSetForEach(defaultViews, ^(const void *value) { CFStringRef name = asString(value, NULL); @@ -196,7 +177,7 @@ void SOSViewsForEachDefaultEnabledViewName(void (^operation)(CFStringRef viewNam operation(name); } }); - + CFReleaseNull(defaultViews); } @@ -207,6 +188,14 @@ static bool SOSViewsIsKnownView(CFStringRef viewname) { return false; } +static bool viewErrorReport(CFIndex errorCode, CFErrorRef *error, CFStringRef format, CFStringRef viewname, int retval) { + return SOSCreateErrorWithFormat(errorCode, NULL, error, NULL, format, viewname, retval); +} + +static bool SOSViewsRequireIsKnownView(CFStringRef viewname, CFErrorRef* error) { + return SOSViewsIsKnownView(viewname) || viewErrorReport(kSOSErrorNameMismatch, error, viewUnknownError, viewname, kSOSCCNoSuchView); +} + bool SOSPeerInfoIsEnabledView(SOSPeerInfoRef pi, CFStringRef viewName) { if (pi->version < kSOSPeerV2BaseVersion) { return CFSetContainsValue(SOSViewsGetV0ViewSet(), viewName); 
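Review bot: SOSViewsGetAllCurrent now folds `sTestViewSet` into `allViews` inside the `dispatch_once` block, so the test set is consulted exactly once, at the first call; the previous code evaluated `sTestViewSet ? sTestViewSet : allViews` on every call, so a test that installs its view set after something has already asked for the current views will now silently be ignored, if such a sequence exists. If that ordering matters, keep the union outside the once-block or document the constraint with a comment like `// sTestViewSet must be installed before the first call; it is captured once here`. The function also hands back a CFMutableSetRef as a CFSetRef singleton, which callers could mutate; that is pre-existing but now that the set is built from SOSViewCopyViewSet it would be easy to return an immutable copy.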
@@ -242,10 +231,10 @@ CFSetRef SOSPeerInfoGetPermittedViews(SOSPeerInfoRef pi) {
 }
 static void SOSPeerInfoSetViews(SOSPeerInfoRef pi, CFSetRef newviews) {
- if(!newviews) {
- secnotice("views","Asked to swap to NULL views");
- return;
- }
+ if(!newviews) {
+ secnotice("views","Asked to swap to NULL views");
+ return;
+ }
 SOSPeerInfoV2DictionarySetValue(pi, sViewsKey, newviews);
 }
@@ -253,114 +242,102 @@ static bool SOSPeerInfoViewIsValid(SOSPeerInfoRef pi, CFStringRef viewname) { return true; } -static bool viewErrorReport(CFIndex errorCode, CFErrorRef *error, CFStringRef format, CFStringRef viewname, int retval) { - return SOSCreateErrorWithFormat(errorCode, NULL, error, NULL, format, viewname, retval); -} - SOSViewResultCode SOSViewsEnable(SOSPeerInfoRef pi, CFStringRef viewname, CFErrorRef *error) { - SOSViewResultCode retval = kSOSCCGeneralViewError; - + SOSViewResultCode retval = kSOSCCGeneralViewError; + CFMutableSetRef newviews = SOSPeerInfoCopyEnabledViews(pi); - require_action_quiet(newviews, fail, - SOSCreateError(kSOSErrorAllocationFailure, viewMemError, NULL, error)); - require_action_quiet(SOSViewsIsKnownView(viewname), fail, - viewErrorReport(kSOSErrorNameMismatch, error, viewUnknownError, viewname, retval = kSOSCCNoSuchView)); + require_action_quiet(newviews, fail, + SOSCreateError(kSOSErrorAllocationFailure, viewMemError, NULL, error)); + require_action_quiet(SOSViewsRequireIsKnownView(viewname, error), fail, + retval = kSOSCCNoSuchView); require_action_quiet(SOSPeerInfoViewIsValid(pi, viewname), fail, - viewErrorReport(kSOSErrorNameMismatch, error, viewInvalidError, viewname, retval = kSOSCCViewNotQualified)); + viewErrorReport(kSOSErrorNameMismatch, error, viewInvalidError, viewname, retval = kSOSCCViewNotQualified)); CFSetAddValue(newviews, viewname); - SOSPeerInfoSetViews(pi, newviews); + SOSPeerInfoSetViews(pi, newviews); CFReleaseSafe(newviews); return kSOSCCViewMember; fail: - CFReleaseNull(newviews); - secnotice("views","Failed to enable view(%@): %@", viewname, *error); - return retval; + CFReleaseNull(newviews); + secnotice("views","Failed to enable view(%@): %@", viewname, error ? 
*error : NULL); + return retval; } bool SOSViewSetEnable(SOSPeerInfoRef pi, CFSetRef viewSet) { - __block bool retval = true; __block bool addedView = false; CFMutableSetRef newviews = SOSPeerInfoCopyEnabledViews(pi); require_action_quiet(newviews, errOut, secnotice("views", "failed to copy enabled views")); - + CFSetForEach(viewSet, ^(const void *value) { CFStringRef viewName = (CFStringRef) value; - if(SOSViewsIsKnownView(viewName) && SOSPeerInfoViewIsValid(pi, viewName) && !CFSetContainsValue(newviews, viewName)) { - addedView = true; - CFSetAddValue(newviews, viewName); + if(SOSViewsIsKnownView(viewName) && SOSPeerInfoViewIsValid(pi, viewName)) { + if (!CFSetContainsValue(newviews, viewName)) { + addedView = true; + CFSetAddValue(newviews, viewName); + } } else { - retval = false; secnotice("views", "couldn't add view %@", viewName); } }); - require_quiet(retval, errOut); + require_quiet(addedView, errOut); + + SOSPeerInfoSetViews(pi, newviews); - if (addedView) { - SOSPeerInfoSetViews(pi, newviews); - } - errOut: CFReleaseNull(newviews); - return retval; + return addedView; } SOSViewResultCode SOSViewsDisable(SOSPeerInfoRef pi, CFStringRef viewname, CFErrorRef *error) { - SOSViewResultCode retval = kSOSCCGeneralViewError; + SOSViewResultCode retval = kSOSCCGeneralViewError; CFMutableSetRef newviews = SOSPeerInfoCopyEnabledViews(pi); - require_action_quiet(newviews, fail, - SOSCreateError(kSOSErrorAllocationFailure, viewMemError, NULL, error)); - require_action_quiet(SOSViewsIsKnownView(viewname), fail, - viewErrorReport(kSOSErrorNameMismatch, error, viewUnknownError, viewname, retval = kSOSCCNoSuchView)); + require_action_quiet(newviews, fail, + SOSCreateError(kSOSErrorAllocationFailure, viewMemError, NULL, error)); + require_action_quiet(SOSViewsRequireIsKnownView(viewname, error), fail, retval = kSOSCCNoSuchView); CFSetRemoveValue(newviews, viewname); - SOSPeerInfoSetViews(pi, newviews); + SOSPeerInfoSetViews(pi, newviews); CFReleaseSafe(newviews); return 
kSOSCCViewNotMember; fail: - CFReleaseNull(newviews); - secnotice("views","Failed to disable view(%@): %@", viewname, *error); - return retval; + CFReleaseNull(newviews); + secnotice("views","Failed to disable view(%@): %@", viewname, error ? *error : NULL); + return retval; } bool SOSViewSetDisable(SOSPeerInfoRef pi, CFSetRef viewSet) { - __block bool retval = true; __block bool removed = false; CFMutableSetRef newviews = SOSPeerInfoCopyEnabledViews(pi); require_action_quiet(newviews, errOut, secnotice("views", "failed to copy enabled views")); - + CFSetForEach(viewSet, ^(const void *value) { CFStringRef viewName = (CFStringRef) value; if(SOSViewsIsKnownView(viewName) && CFSetContainsValue(newviews, viewName)) { removed = true; CFSetRemoveValue(newviews, viewName); } else { - retval = false; secnotice("views", "couldn't delete view %@", viewName); } }); - require_quiet(retval, errOut); + require_quiet(removed, errOut); + + SOSPeerInfoSetViews(pi, newviews); - if(removed) { - SOSPeerInfoSetViews(pi, newviews); - } - errOut: CFReleaseNull(newviews); - return retval; + return removed; } SOSViewResultCode SOSViewsQuery(SOSPeerInfoRef pi, CFStringRef viewname, CFErrorRef *error) { - SOSViewResultCode retval = kSOSCCNoSuchView; + SOSViewResultCode retval = kSOSCCNoSuchView; CFSetRef views = NULL; - secnotice("views", "Querying %@", viewname); - require_action_quiet(SOSViewsIsKnownView(viewname), fail, - SOSCreateError(kSOSErrorNameMismatch, viewUnknownError, NULL, error)); + require_quiet(SOSViewsRequireIsKnownView(viewname, error), fail); + views = SOSPeerInfoCopyEnabledViews(pi); if(!views){ retval = kSOSCCViewNotMember; 
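Review bot: `SOSViewSetEnable` now returns `addedView`, so it reports false when every requested view was already enabled and true when some names were rejected in the `else` branch, which is the reverse of what the removed `retval` reported; `SOSViewSetDisable` changes the same way with `removed`. A caller can no longer tell "nothing to do" from "a view was refused", and the declarations in SOSViews.h carry no comment about either meaning. Either restore a failure flag set in the `else` branches and return `addedView && !failed`, or document the new contract on both functions, e.g. `// Returns true only if at least one view was actually added; unknown or unqualified names are logged and skipped.`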
@@ -376,12 +353,12 @@ SOSViewResultCode SOSViewsQuery(SOSPeerInfoRef pi, CFStringRef viewname, CFError } else { retval = (CFSetContainsValue(views, viewname)) ? kSOSCCViewMember: kSOSCCViewNotMember; } - + CFReleaseNull(views); return retval; - + fail: - secnotice("views","Failed to query view(%@): %@", viewname, *error); + secnotice("views","Failed to query view(%@): %@", viewname, error ? *error : NULL); CFReleaseNull(views); return retval; } @@ -397,7 +374,7 @@ static CFArrayRef SOSCreateActiveViewIntersectionArrayForPeerInfos(SOSPeerInfoRe return NULL; } CFStringRef pi1views[count]; - + retval = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); CFSetGetValues(views1, (const void **) &pi1views); for(size_t i = 0; i < count; i++) { @@ -417,9 +394,9 @@ CFArrayRef SOSCreateActiveViewIntersectionArrayForPeerID(SOSAccountRef account, SOSPeerInfoRef theirPI = SOSAccountCopyPeerWithID(account, peerID, NULL); require_action_quiet(myPI, errOut, retval = NULL); require_action_quiet(theirPI, errOut, retval = NULL); - + retval = SOSCreateActiveViewIntersectionArrayForPeerInfos(myPI, theirPI); - + errOut: CFReleaseNull(theirPI); return retval; @@ -429,7 +406,7 @@ errOut: CFDictionaryRef SOSViewsCreateActiveViewMatrixDictionary(SOSAccountRef account, SOSCircleRef circle, CFErrorRef *error) { CFMutableDictionaryRef retval = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); SOSPeerInfoRef myPI = SOSAccountGetMyPeerInfo(account); - + // For now, all views require that a valid member peer is in the circle and active/valid CFMutableSetRef peers = SOSCircleCopyPeers(circle, kCFAllocatorDefault); 
@@ -456,12 +433,12 @@ CFDictionaryRef SOSViewsCreateActiveViewMatrixDictionary(SOSAccountRef account, }); CFDictionaryAddValue(retval, viewname, viewset); }); - + if(CFDictionaryGetCount(retval) == 0) goto errOut; // Not really an error - just no intersection of views with anyone CFReleaseNull(peers); CFReleaseNull(myViews); return retval; - + errOut: CFReleaseNull(retval); CFReleaseNull(peers); @@ -478,9 +455,9 @@ errOut: CFSetRef CreateCFSetRefFromXPCObject(xpc_object_t xpcSetDER, CFErrorRef* error) { CFSetRef retval = NULL; require_action_quiet(xpcSetDER, errOut, SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedNull, sSecXPCErrorDomain, NULL, error, NULL, CFSTR("Unexpected Null Set to decode"))); - + require_action_quiet(xpc_get_type(xpcSetDER) == XPC_TYPE_DATA, errOut, SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, error, NULL, CFSTR("xpcSetDER not data, got %@"), xpcSetDER)); - + const uint8_t* der = xpc_data_get_bytes_ptr(xpcSetDER); const uint8_t* der_end = der + xpc_data_get_length(xpcSetDER); der = der_decode_set(kCFAllocatorDefault, kCFPropertyListMutableContainersAndLeaves, &retval, error, der, der_end); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.exp-in b/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.exp-in new file mode 100644 index 00000000..06ffa5c1 --- /dev/null +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.exp-in 
@@ -0,0 +1,26 @@ + +#define VIEWHINTEXPORT(VIEWNAME) _kSecAttrViewHint##VIEWNAME +#define VIEWEXPORT(VIEWNAME) _kSOSView##VIEWNAME + +// Synthesized views - no viewhint +VIEWEXPORT(KeychainV0) + +// Can we get rid of this? There's no ViewHint +//VIEWEXPORT(PCSFeldspar) + +// This only exists as a viewhint +//VIEWHINTEXPORT(Thumper) + +// Views with ViewHints +#undef DOVIEWMACRO +#define DOVIEWMACRO(VIEWNAME, DEFSTRING, CMDSTRING, DEFAULTSETTING, INITIALSYNCSETTING, ALWAYSONSETTING, BACKUPSETTING, V0SETTING) _kSOSView##VIEWNAME +#include "Security/SecureObjectSync/ViewList.list" + +// V0 Subviews don't have view hints, they use queries +#undef DOVIEWMACRO +#define DO_EXPORT_(VIEWNAME) _kSecAttrViewHint##VIEWNAME +#define DO_EXPORT_V(VIEWNAME) +#define DOVIEWMACRO(VIEWNAME, DEFSTRING, CMDSTRING, DEFAULTSETTING, INITIALSYNCSETTING, ALWAYSONSETTING, BACKUPSETTING, V0SETTING) DO_EXPORT_##V0SETTING(VIEWNAME) +#include "Security/SecureObjectSync/ViewList.list" +#undef DOVIEWMACRO + diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.h index 78f0fe45..db10fa3e 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.h @@ -35,6 +35,7 @@ __BEGIN_DECLS // Internal only views, do not export. +extern const CFStringRef kSOSViewKeychainV0; extern const CFStringRef kSOSViewKeychainV0_tomb; extern const CFStringRef kSOSViewBackupBagV0_tomb; extern const CFStringRef kSOSViewWiFi_tomb; @@ -50,6 +51,19 @@ typedef struct __OpaqueSOSView { } *SOSViewRef; +typedef enum { + kViewSetAll, + kViewSetDefault, + kViewSetInitial, + kViewSetAlwaysOn, + kViewSetV0, + kViewSetRequiredForBackup +} ViewSetKind; + +CFMutableSetRef SOSViewCopyViewSet(ViewSetKind setKind); + + + CFSetRef SOSViewsGetV0ViewSet(void); CFSetRef SOSViewsGetV0SubviewSet(void); CFSetRef SOSViewsGetV0BackupViewSet(void); 
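Review bot: `SOSViewCopyViewSet` is declared with no comment on ownership or on whether it can return NULL, and its callers in SOSViews.c (`SOSViewsGetAllCurrent`, `SOSViewsForEachDefaultEnabledViewName`) pass the result straight to `CFSetAddValue` and `CFSetForEach`. A doc comment such as `// Returns a new mutable set of the views selected by setKind; the caller releases it.` should go on the declaration, together with a statement of whether a NULL return is possible. `ViewSetKind` and its `kViewSet*` members are also the only names in this header without the `SOS` prefix used by `SOSViewRef` and `SOSViewResultCode`; `SOSViewSetKind` would match the file's convention.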
@@ -57,8 +71,6 @@ CFSetRef SOSViewsGetV0BackupBagViewSet(void); bool SOSViewsIsV0Subview(CFStringRef viewName); -CFMutableSetRef SOSViewsCreateDefault(bool includeLegacy, CFErrorRef *error); - // Basic interfaces to change and query views SOSViewResultCode SOSViewsEnable(SOSPeerInfoRef pi, CFStringRef viewname, CFErrorRef *error); bool SOSViewSetEnable(SOSPeerInfoRef pi, CFSetRef viewSet); @@ -79,7 +91,7 @@ static inline bool SOSPeerInfoIsViewPermitted(SOSPeerInfoRef peerInfo, CFStringR return kSOSCCViewMember == viewResult || kSOSCCViewPending == viewResult || kSOSCCViewNotMember == viewResult; } - +const char *SOSViewsXlateAction(SOSViewActionCode action); __END_DECLS #endif /* defined(_sec_SOSViews_) */ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/ViewList.list b/OSX/sec/SOSCircle/SecureObjectSync/ViewList.list new file mode 100644 index 00000000..27c99bdc --- /dev/null +++ b/OSX/sec/SOSCircle/SecureObjectSync/ViewList.list 
@@ -0,0 +1,40 @@ + +// This is the list of views. +// To add a new view put it in this file with the DOVIEWMACRO defined: +// Arguments for DOVIEWMACRO in arg order are: +// DOVIEWMACRO(VIEWNAME, DEFSTRING, CMDSTRING, DEFAULTSETTING, INITIALSYNCSETTING, ALWAYSONSETTING, V0SETTING) +// VIEWNAME - the base name used for both the view and the viewhint. This will become the constants kSOSView<name> and kSecAttrViewHint<name> +// DEFSTRING - the string constant to be used for both the viewname and viewhint +// CMDSTRING - the string used in the "security" command when refering to this view. +// DEFAULTSETTING - if the view is turned on by default put a D in this column - otherwise keep it blank +// INITIALSYNCSETTING - if the view is to be included in initialSync default put a I in this column - otherwise keep it blank +// ALWAYSONSETTING - if the view cannot be disabled put an A in this column - otherwise keep it blank +// BACKUPSETTING - if the view must be synced before we do any backup put a B in this column - otherwise keep it blank +// V0SETTING - this is used for "synthentic" views for V0 - there are no viewhints for these" - for all others keep it blank +// +// Once an entry is in here make the following two additional changes: +// for views, add the declaration for kSOSView<name> in SOSCloudCircle.h +// for viewhints add the declaration for kSecAttrViewHint<name> in both versions (OSX and iOS) of SecItemPriv.h + +DOVIEWMACRO(WiFi, "WiFi", "wifi", , , , , V) +DOVIEWMACRO(AutofillPasswords, "Passwords", "passwords", , , , , V) +DOVIEWMACRO(SafariCreditCards, "CreditCards", "creditcards", , , , , V) +DOVIEWMACRO(iCloudIdentity, "iCloudIdentity", "icloudidentity", D, I, A, B, V) +DOVIEWMACRO(BackupBagV0, "BackupBagV0", "backupv0", D, I, A, , V) +DOVIEWMACRO(OtherSyncable, "OtherSyncable", "othersyncable", , , , , V) +DOVIEWMACRO(ContinuityUnlock, "ContinuityUnlock", "continuityunlock", D, , A, , ) +DOVIEWMACRO(AppleTV, "AppleTV", "appletv", D, , A, , ) 
+DOVIEWMACRO(HomeKit, "HomeKit", "homekit", D, , A, , ) +DOVIEWMACRO(AccessoryPairing, "AccessoryPairing", "accessorypairing", D, , A, , ) +DOVIEWMACRO(PCSCloudKit, "PCS-CloudKit", "cloudkit", D, , A, , ) +DOVIEWMACRO(PCSEscrow, "PCS-Escrow", "escrow", D, I, A, B, ) +DOVIEWMACRO(PCSFDE, "PCS-FDE", "fde", D, , A, , ) +DOVIEWMACRO(PCSFeldspar, "PCS-Feldspar", "feldspar", D, , A, , ) +DOVIEWMACRO(PCSMailDrop, "PCS-Maildrop", "maildrop", D, , A, , ) +DOVIEWMACRO(PCSMasterKey, "PCS-MasterKey", "masterkey", D, I, A, B, ) +DOVIEWMACRO(PCSNotes, "PCS-Notes", "notes", D, , A, , ) +DOVIEWMACRO(PCSPhotos, "PCS-Photos", "photos", D, , A, , ) +DOVIEWMACRO(PCSSharing, "PCS-Sharing", "sharing", D, , A, , ) +DOVIEWMACRO(PCSiCloudBackup, "PCS-Backup", "icloudbackup", D, I, A, , ) +DOVIEWMACRO(PCSiCloudDrive, "PCS-iCloudDrive", "iclouddrive", D, , A, , ) +DOVIEWMACRO(PCSiMessage, "PCS-iMessage", "imessage", D, , A, , ) diff --git a/OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.h b/OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.h new file mode 100644 index 00000000..847456d5 --- /dev/null +++ b/OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.h @@ -0,0 +1,21 @@ +// +// NSFileHandle+Formatting.h +// sec +// +// + +#ifndef NSFileHandle_Formatting_h +#define NSFileHandle_Formatting_h + +#include <stdio.h> + +#import <Foundation/Foundation.h> + +@interface NSFileHandle (Formatting) + +- (void) writeString: (NSString*) string; +- (void) writeFormat: (NSString*) format, ... NS_FORMAT_FUNCTION(1, 2); + +@end + +#endif /* NSFileHandle_Formatting_h */ diff --git a/OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.m b/OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.m new file mode 100644 index 00000000..b9f27627 --- /dev/null +++ b/OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.m 
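Review bot: The prototype in the header comment, `DOVIEWMACRO(VIEWNAME, DEFSTRING, CMDSTRING, DEFAULTSETTING, INITIALSYNCSETTING, ALWAYSONSETTING, V0SETTING)`, lists seven parameters while every entry below and the per-argument notes use eight — BACKUPSETTING between ALWAYSONSETTING and V0SETTING is missing — so the next person who adds a view by copying the prototype gets an arity error from the macro. Change that line to `DOVIEWMACRO(VIEWNAME, DEFSTRING, CMDSTRING, DEFAULTSETTING, INITIALSYNCSETTING, ALWAYSONSETTING, BACKUPSETTING, V0SETTING)`. The V0SETTING note also ends with a stray closing quote after `for these`, and "synthentic" and "refering" are misspelled.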
@@ -0,0 +1,30 @@ +// +// NSFileHandle+Formatting.m +// sec +// +// + +#include <stdarg.h> + +#import <Foundation/Foundation.h> +#import "NSFileHandle+Formatting.h" + + +@implementation NSFileHandle (Formatting) + +- (void) writeString: (NSString*) string { + [self writeData:[string dataUsingEncoding:NSUTF8StringEncoding]]; +} + +- (void) writeFormat: (NSString*) format, ... { + va_list args; + va_start(args, format); + + NSString* formatted = [[NSString alloc] initWithFormat:format arguments:args]; + + va_end(args); + + [self writeString: formatted]; +} + +@end diff --git a/OSX/sec/SOSCircle/Tool/keychain_log.c b/OSX/sec/SOSCircle/Tool/keychain_log.c index ca9339c3..5dc6d745 100644 --- a/OSX/sec/SOSCircle/Tool/keychain_log.c +++ b/OSX/sec/SOSCircle/Tool/keychain_log.c @@ -66,6 +66,10 @@ #include "keychain_log.h" #include "secToolFileIO.h" +#include "secViewDisplay.h" +#include <utilities/debugging.h> + + #include <Security/SecPasswordGenerate.h> #define MAXKVSKEYTYPE kUnknownKey 
@@ -450,80 +454,6 @@ static bool dumpKVS(char *itemName, CFErrorRef *err) } -static struct foo { - const char *name; - const CFStringRef *viewspec; -} string2View[] = { - { - "keychain", &kSOSViewKeychainV0 - }, { - "masterkey", &kSOSViewPCSMasterKey, - }, { - "iclouddrive", &kSOSViewPCSiCloudDrive, - }, { - "photos", &kSOSViewPCSPhotos, - }, { - "escrow", &kSOSViewPCSEscrow, - }, { - "fde", &kSOSViewPCSFDE, - }, { - "maildrop", &kSOSViewPCSMailDrop, - }, { - "icloudbackup", &kSOSViewPCSiCloudBackup, - }, { - "notes", &kSOSViewPCSNotes, - }, { - "imessage", &kSOSViewPCSiMessage, - }, { - "feldspar", &kSOSViewPCSFeldspar, - }, { - "appletv", &kSOSViewAppleTV, - }, { - "homekit", &kSOSViewHomeKit, - }, { - "wifi", &kSOSViewWiFi, - }, { - "passwords", &kSOSViewAutofillPasswords, - }, { - "creditcards", &kSOSViewSafariCreditCards, - }, { - "icloudidentity", &kSOSViewiCloudIdentity, - }, { - "othersyncable", &kSOSViewOtherSyncable, - } -}; - -static CFStringRef convertViewReturnCodeToString(SOSViewActionCode ac) { - CFStringRef retval = NULL; - switch(ac) { - case kSOSCCGeneralViewError: - retval = CFSTR("General Error"); break; - case kSOSCCViewMember: - retval = CFSTR("Is Member of View"); break; - case kSOSCCViewNotMember: - retval = CFSTR("Is Not Member of View"); break; - case kSOSCCViewNotQualified: - retval = CFSTR("Is not qualified for View"); break; - case kSOSCCNoSuchView: - retval = CFSTR("No Such View"); break; - } - return retval; -} - -static bool listviewcmd(CFErrorRef *err) { - unsigned n; - - for (n = 0; n < sizeof(string2View)/sizeof(string2View[0]); n++) { - CFStringRef viewspec = *string2View[n].viewspec; - - SOSViewResultCode rc = SOSCCView(viewspec, kSOSCCViewQuery, err); - CFStringRef resultString = convertViewReturnCodeToString(rc); - - printmsg(CFSTR("View Result: %@ : %@\n"), resultString, viewspec); - }; - - return true; -} #define USE_NEW_SPI 1 #if ! USE_NEW_SPI 
@@ -562,9 +492,9 @@ static void sysdiagnose_dump() {
 char *outputParent = NULL;
 char *outputDir = NULL;
 char hostname[80];
- char *productName = NULL;
- char *productVersion = NULL;
- char *buildVersion = NULL;
+ char *productName = "NA";
+ char *productVersion = "NA";
+ char *buildVersion = "NA";
 char *keysToRegister = NULL;
 char *cloudkeychainproxy3 = NULL;
 char *now = createDateStrNow();
@@ -580,10 +510,6 @@ static void sysdiagnose_dump() {
 productName = CFDictionaryCopyCString(sysfdef, _kCFSystemVersionProductNameKey);
 productVersion = CFDictionaryCopyCString(sysfdef, _kCFSystemVersionProductVersionKey);
 buildVersion = CFDictionaryCopyCString(sysfdef, _kCFSystemVersionBuildVersionKey);
- } else {
- strcpy(productName, "unknownProduct");
- strcpy(productVersion, "unknownProductVersion");
- strcpy(buildVersion, "unknownVersion");
 }
 // OUTPUTBASE=ckcdiagnose_snapshot_${HOSTNAME}_${PRODUCT_VERSION}_${NOW}
@@ -648,9 +574,6 @@ static void sysdiagnose_dump() {
 copyFileToOutputDir(outputDir, cloudkeychainproxy3);
 free(now);
- if(productName) free(productName);
- if(productVersion) free(productVersion);
- if(buildVersion) free(buildVersion);
 CFReleaseNull(sysfdef);
 #if ! TARGET_OS_EMBEDDED
 free(keysToRegister);
@@ -665,6 +588,12 @@ static void sysdiagnose_dump() {
 #endif /* USE_NEW_SPI */
+static bool logmark(const char *optarg) {
+ if(!optarg) return false;
+ secnotice("mark", "%s", optarg);
+ return true;
+}
+
 // enable, disable, accept, reject, status, Reset, Clear
 int
@@ -676,6 +605,7 @@ keychain_log(int argc, char * const *argv)
 " -D [itemName] dump contents of KVS"
 " -L list all known view and their status"
 " -s sysdiagnose log dumps"
+ " -M string place a mark in the syslog - category \"mark\""
 */
 setOutputTo(NULL, NULL);
@@ -684,7 +614,7 @@ keychain_log(int argc, char * const *argv)
 CFErrorRef error = NULL;
 bool hadError = false;
- while ((ch = getopt(argc, argv, "DiLs")) != -1)
+ while ((ch = getopt(argc, argv, "DiLM:s")) != -1)
 switch (ch) {
 case 'i':
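Review bot: With `productName`, `productVersion` and `buildVersion` now initialised to the literal `"NA"` and the three `free` calls removed in the `@@ -648,9 +574,6` hunk, the strings returned by `CFDictionaryCopyCString` in the `@@ -580,10 +510,6` hunk are never released, so each `sysdiagnose_dump` run leaks them. The old code did free them; its defect was the `strcpy` through NULL in the `else` branch that this change rightly deletes. Keep the literals but free only when the copies were made, e.g. `if (sysfdef) { free(productName); free(productVersion); free(buildVersion); }` — this assumes `sysfdef` is the condition guarding those assignments, which is not visible here. `sysdiagnose_dump` starts and ends outside these hunks.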
@@ -703,6 +633,10 @@ keychain_log(int argc, char * const *argv) case 'L': hadError = !listviewcmd(&error); break; + + case 'M': + hadError = !logmark(optarg); + break; case '?': default: diff --git a/OSX/sec/SOSCircle/Tool/keychain_sync.c b/OSX/sec/SOSCircle/Tool/keychain_sync.c index 5bd81cf8..c8722326 100644 --- a/OSX/sec/SOSCircle/Tool/keychain_sync.c +++ b/OSX/sec/SOSCircle/Tool/keychain_sync.c @@ -57,7 +57,10 @@ #include "keychain_sync.h" #include "keychain_log.h" +#include "syncbackup.h" + #include "secToolFileIO.h" +#include "secViewDisplay.h" #include <Security/SecPasswordGenerate.h> @@ -224,12 +227,8 @@ static void dumpCircleInfo() static bool enableDefaultViews() { bool result = false; - CFMutableSetRef viewsToEnable = CFSetCreateMutable(NULL, 0, NULL); + CFMutableSetRef viewsToEnable = SOSViewCopyViewSet(kViewSetV0); CFMutableSetRef viewsToDisable = CFSetCreateMutable(NULL, 0, NULL); - CFSetAddValue(viewsToEnable, (void*)kSOSViewWiFi); - CFSetAddValue(viewsToEnable, (void*)kSOSViewAutofillPasswords); - CFSetAddValue(viewsToEnable, (void*)kSOSViewSafariCreditCards); - CFSetAddValue(viewsToEnable, (void*)kSOSViewOtherSyncable); result = SOSCCViewSet(viewsToEnable, viewsToDisable); CFRelease(viewsToEnable); @@ -531,20 +530,9 @@ static bool dumpKVS(char *itemName, CFErrorRef *err) return true; } -static bool syncAndWait(char *itemName, CFErrorRef *err) +static bool syncAndWait(CFErrorRef *err) { - CFArrayRef keysToGet = NULL; __block CFTypeRef objects = NULL; - if (!itemName) - { - fprintf(errFile, "No item keys supplied\n"); - return false; - } - - CFStringRef itemStr = CFStringCreateWithCString(kCFAllocatorDefault, itemName, kCFStringEncodingUTF8); - fprintf(outFile, "Retrieving %s from KVS\n", itemName); - keysToGet = CFArrayCreateForCFTypes(kCFAllocatorDefault, itemStr, NULL); - CFReleaseSafe(itemStr); dispatch_queue_t generalq = dispatch_queue_create("general", DISPATCH_QUEUE_SERIAL); 
@@ -557,169 +545,22 @@ static bool syncAndWait(char *itemName, CFErrorRef *err) secinfo("sync", "SOSCloudKeychainSynchronizeAndWait returned: %@", returnedValues); if (error) secerror("SOSCloudKeychainSynchronizeAndWait returned error: %@", error); - objects = returnedValues; - if (objects) - CFRetain(objects); + objects = CFRetainSafe(returnedValues); + secinfo("sync", "SOSCloudKeychainGetObjectsFromCloud block exit: %@", objects); dispatch_semaphore_signal(waitSemaphore); }; - SOSCloudKeychainSynchronizeAndWait(keysToGet, generalq, replyBlock); + SOSCloudKeychainSynchronizeAndWait(generalq, replyBlock); dispatch_semaphore_wait(waitSemaphore, finishTime); dispatch_release(waitSemaphore); - CFReleaseSafe(keysToGet); dumpKVS(NULL, NULL); fprintf(outFile, "\n"); return false; } -static struct foo { - const char *name; - const CFStringRef *viewspec; -} string2View[] = { - { - "keychain", &kSOSViewKeychainV0 - }, { - "masterkey", &kSOSViewPCSMasterKey, - }, { - "iclouddrive", &kSOSViewPCSiCloudDrive, - }, { - "photos", &kSOSViewPCSPhotos, - }, { - "escrow", &kSOSViewPCSEscrow, - }, { - "fde", &kSOSViewPCSFDE, - }, { - "maildrop", &kSOSViewPCSMailDrop, - }, { - "icloudbackup", &kSOSViewPCSiCloudBackup, - }, { - "notes", &kSOSViewPCSNotes, - }, { - "imessage", &kSOSViewPCSiMessage, - }, { - "feldspar", &kSOSViewPCSFeldspar, - }, { - "appletv", &kSOSViewAppleTV, - }, { - "homekit", &kSOSViewHomeKit, - }, { - "wifi", &kSOSViewWiFi, - }, { - "passwords", &kSOSViewAutofillPasswords, - }, { - "creditcards", &kSOSViewSafariCreditCards, - }, { - "icloudidentity", &kSOSViewiCloudIdentity, - }, { - "othersyncable", &kSOSViewOtherSyncable, - } -}; - -static CFStringRef convertStringToView(char *viewname) { - unsigned n; - - for (n = 0; n < sizeof(string2View)/sizeof(string2View[0]); n++) { - if (strcmp(string2View[n].name, viewname) == 0) - return *string2View[n].viewspec; - } - - // Leak this, since it's a getter. 
- return CFStringCreateWithCString(kCFAllocatorDefault, viewname, kCFStringEncodingUTF8); -} - -static CFStringRef convertViewReturnCodeToString(SOSViewActionCode ac) { - CFStringRef retval = NULL; - switch(ac) { - case kSOSCCGeneralViewError: - retval = CFSTR("General Error"); break; - case kSOSCCViewMember: - retval = CFSTR("Is Member of View"); break; - case kSOSCCViewNotMember: - retval = CFSTR("Is Not Member of View"); break; - case kSOSCCViewNotQualified: - retval = CFSTR("Is not qualified for View"); break; - case kSOSCCNoSuchView: - retval = CFSTR("No Such View"); break; - } - return retval; -} - -static bool viewcmd(char *itemName, CFErrorRef *err) { - char *cmd, *viewname; - SOSViewActionCode ac = kSOSCCViewQuery; - CFStringRef viewspec; - - viewname = strchr(itemName, ':'); - if(viewname == NULL) return false; - *viewname = 0; - viewname++; - cmd = itemName; - - if(strcmp(cmd, "enable") == 0) { - ac = kSOSCCViewEnable; - } else if(strcmp(cmd, "disable") == 0) { - ac = kSOSCCViewDisable; - } else if(strcmp(cmd, "query") == 0) { - ac = kSOSCCViewQuery; - } else { - return false; - } - - if(strchr(viewname, ',') == NULL) { // original single value version - viewspec = convertStringToView(viewname); - if(!viewspec) return false; - - SOSViewResultCode rc = SOSCCView(viewspec, ac, err); - CFStringRef resultString = convertViewReturnCodeToString(rc); - - printmsg(CFSTR("View Result: %@ : %@\n"), resultString, viewspec); - return true; - } - - if(ac == kSOSCCViewQuery) return false; - - // new multi-view version - char *viewlist = strdup(viewname); - char *token; - char *tofree = viewlist; - CFMutableSetRef viewSet = CFSetCreateMutable(NULL, 0, &kCFCopyStringSetCallBacks); - - while ((token = strsep(&viewlist, ",")) != NULL) { - CFStringRef resultString = convertStringToView(token); - CFSetAddValue(viewSet, resultString); - } - - printmsg(CFSTR("viewSet provided is %@\n"), viewSet); - - free(tofree); - - bool retcode; - if(ac == kSOSCCViewEnable) retcode = 
SOSCCViewSet(viewSet, NULL); - else retcode = SOSCCViewSet(NULL, viewSet); - - fprintf(outFile, "SOSCCViewSet returned %s\n", (retcode)? "true": "false"); - - return true; -} - -static bool listviewcmd(CFErrorRef *err) { - unsigned n; - - for (n = 0; n < sizeof(string2View)/sizeof(string2View[0]); n++) { - CFStringRef viewspec = *string2View[n].viewspec; - - SOSViewResultCode rc = SOSCCView(viewspec, kSOSCCViewQuery, err); - CFStringRef resultString = convertViewReturnCodeToString(rc); - - printmsg(CFSTR("View Result: %@ : %@\n"), resultString, viewspec); - }; - - return true; -} - static CFStringRef convertStringToProperty(char *propertyname) { CFStringRef propertyspec = NULL; @@ -824,17 +665,19 @@ static bool dumpMyPeer(CFErrorRef *error) { CFMutableSetRef views = SOSPeerInfoV2DictionaryCopySet(myPeer, sViewsKey); CFStringRef serialNumber = SOSPeerInfoV2DictionaryCopyString(myPeer, sSerialNumberKey); CFBooleanRef preferIDS = SOSPeerInfoV2DictionaryCopyBoolean(myPeer, sPreferIDS); + CFBooleanRef preferIDSFragmentation = SOSPeerInfoV2DictionaryCopyBoolean(myPeer, sPreferIDSFragmentation); CFStringRef transportType = SOSPeerInfoV2DictionaryCopyString(myPeer, sTransportType); CFStringRef idsDeviceID = SOSPeerInfoV2DictionaryCopyString(myPeer, sDeviceID); CFMutableSetRef properties = SOSPeerInfoV2DictionaryCopySet(myPeer, sSecurityPropertiesKey); - printmsg(CFSTR("Serial#: %@ PrefIDS#: %@ transportType#: %@ idsDeviceID#: %@\n"), - serialNumber, preferIDS, transportType, idsDeviceID); + printmsg(CFSTR("Serial#: %@ PrefIDS#: %@ PrefFragmentation#: %@ transportType#: %@ idsDeviceID#: %@\n"), + serialNumber, preferIDS, preferIDSFragmentation, transportType, idsDeviceID); dumpStringSet(CFSTR(" Views: "), views); dumpStringSet(CFSTR("SecurityProperties: "), properties); CFReleaseSafe(serialNumber); CFReleaseSafe(preferIDS); + CFReleaseSafe(preferIDSFragmentation); CFReleaseSafe(views); CFReleaseSafe(transportType); CFReleaseSafe(idsDeviceID); 
@@ -897,6 +740,7 @@ static bool clientViewStatus(CFErrorRef *error) { prClientViewState("AppleTV", SOSCCIsAppleTVSyncing()); prClientViewState("HomeKit", SOSCCIsHomeKitSyncing()); prClientViewState("Wifi", SOSCCIsWiFiSyncing()); + prClientViewState("AlwaysOnNoInitialSync", SOSCCIsContinuityUnlockSyncing()); return false; } @@ -976,7 +820,7 @@ keychain_sync(int argc, char * const *argv) " -k pend all registered kvs keys" " -C clear all values from KVS" " -D [itemName] dump contents of KVS" - " -W itemNames sync and dump" + " -W sync and dump" " "Misc" " -v [enable|disable|query:viewname] enable, disable, or query my PeerInfo's view set" @@ -997,7 +841,7 @@ keychain_sync(int argc, char * const *argv) bool hadError = false; setOutputTo(NULL, NULL); - while ((ch = getopt(argc, argv, "ab:deg:hikl:mopq:rsSv:w:x:zA:B:MNJCDEF:HG:ILOP:RT:UW:X:VY01234")) != -1) + while ((ch = getopt(argc, argv, "ab:deg:hikl:mopq:rsSv:w:x:zA:B:MNJCDEF:HG:ILOP:RT:UWX:VY01234")) != -1) switch (ch) { case 'l': { @@ -1363,7 +1207,7 @@ keychain_sync(int argc, char * const *argv) break; case 'W': - hadError = syncAndWait(optarg, &error); + hadError = syncAndWait(&error); break; case 'v': diff --git a/OSX/sec/SOSCircle/Tool/keychain_sync.h b/OSX/sec/SOSCircle/Tool/keychain_sync.h index a36d0439..c54d0ab5 100644 --- a/OSX/sec/SOSCircle/Tool/keychain_sync.h +++ b/OSX/sec/SOSCircle/Tool/keychain_sync.h @@ -73,7 +73,7 @@ SECURITY_COMMAND( " -k pend all registered kvs keys\n" " -C clear all values from KVS\n" " -D [itemName] dump contents of KVS\n" - " -W itemNames sync and dump\n" + " -W sync and dump\n" "\n" "Misc\n" " -v [enable|disable|query:viewname] enable, disable, or query my PeerInfo's view set\n" diff --git a/OSX/sec/SOSCircle/Tool/keychain_sync_test.h b/OSX/sec/SOSCircle/Tool/keychain_sync_test.h new file mode 100644 index 00000000..fabf163c --- /dev/null +++ b/OSX/sec/SOSCircle/Tool/keychain_sync_test.h 
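Review bot: The label on the added line, `"AlwaysOnNoInitialSync"`, describes the view's settings rather than naming it, while the neighbouring entries use the view name (`"AppleTV"`, `"HomeKit"`, `"Wifi"`) and the function queried is `SOSCCIsContinuityUnlockSyncing`. Unless something parses the output by that label, `prClientViewState("ContinuityUnlock", SOSCCIsContinuityUnlockSyncing());` keeps the listing consistent with the view list.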
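Review bot: `hadError = syncAndWait(&error);` keeps the sense inverted relative to the other cases in this tool, which write `hadError = !listviewcmd(&error)` and `hadError = !logmark(optarg)`; and since the visible end of `syncAndWait` is an unconditional `return false;`, a failed or timed-out sync can never be reported as an error. Either make `syncAndWait` return true on success and write `hadError = !syncAndWait(&error);`, or add a comment that it is informational only and its result is ignored by design. The rest of `keychain_sync` lies outside the hunk.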
@@ -0,0 +1,15 @@
+//
+// keychain_sync_test.h
+// sec
+//
+//
+
+#include <SecurityTool/security_tool_commands.h>
+
+SECURITY_COMMAND(
+ "sync-test", keychain_sync_test,
+ "[options]\n"
+ "Keychain Sync Test\n"
+ " -p|--enabled-peer-views <view-name-list>\n"
+ "\n",
+ "Keychain Syncing test commands." )
diff --git a/OSX/sec/SOSCircle/Tool/keychain_sync_test.m b/OSX/sec/SOSCircle/Tool/keychain_sync_test.m
new file mode 100644
index 00000000..834aea63
--- /dev/null
+++ b/OSX/sec/SOSCircle/Tool/keychain_sync_test.m
@@ -0,0 +1,90 @@ +// +// keychain_sync_test.c +// sec +// +// Created by Mitch Adler on 7/8/16. +// +// + +#include "keychain_sync_test.h" + +#include "secToolFileIO.h" + +#include <stdio.h> +#include <stdlib.h> +#include <getopt.h> + +#import <Foundation/Foundation.h> + +#include <Security/SecureObjectSync/SOSCloudCircle.h> + +#import "NSFileHandle+Formatting.h" + +int +keychain_sync_test(int argc, char * const *argv) +{ + NSFileHandle *fhout = [NSFileHandle fileHandleWithStandardOutput]; + NSFileHandle *fherr = [NSFileHandle fileHandleWithStandardError]; + /* + "Keychain Syncing test" + + */ + int result = 0; + NSError* error = nil; + CFErrorRef cfError = NULL; + + static int verbose_flag = 0; + static struct option long_options[] = + { + /* These options set a flag. */ + {"verbose", no_argument, &verbose_flag, 1}, + {"brief", no_argument, &verbose_flag, 0}, + /* These options donât set a flag. + We distinguish them by their indices. */ + {"enabled-peer-views", required_argument, 0, 'p'}, + {0, 0, 0, 0} + }; + static const char * params = "abc:d:f:"; + + /* getopt_long stores the option index here. */ + int option_index = 0; + + NSArray<NSString*>* viewList = nil; + + int opt_result = 0; + while (opt_result != -1) { + opt_result = getopt_long (argc, argv, params, long_options, &option_index); + switch (opt_result) { + case 'p': { + NSString* parameter = [NSString stringWithCString: optarg encoding:NSUTF8StringEncoding]; + + viewList = [parameter componentsSeparatedByString:@","]; + + } + break; + case -1: + break; + default: + return 2; + } + + } + + if (viewList) { + CFBooleanRef result = SOSCCPeersHaveViewsEnabled((__bridge CFArrayRef) viewList, &cfError); + if (result != NULL) { + [fhout writeFormat: @"Views: %@\n", viewList]; + [fhout writeFormat: @"Enabled on other peers: %@\n", CFBooleanGetValue(result) ? 
@"yes" : @"no"]; + } + } + + if (cfError != NULL) { + [fherr writeFormat: @"Error: %@\n", cfError]; + } + + if (error != NULL) { + [fherr writeFormat: @"Error: %@\n", error]; + } + + return result; +} diff --git a/OSX/sec/SOSCircle/Tool/secToolFileIO.c b/OSX/sec/SOSCircle/Tool/secToolFileIO.c index 233e170f..6c982743 100644 --- a/OSX/sec/SOSCircle/Tool/secToolFileIO.c +++ b/OSX/sec/SOSCircle/Tool/secToolFileIO.c @@ -2,7 +2,6 @@ // secToolFileIO.c // sec // -// Created by Richard Murphy on 1/22/16. // // diff --git a/OSX/sec/SOSCircle/Tool/secToolFileIO.h b/OSX/sec/SOSCircle/Tool/secToolFileIO.h index a73bcd9c..a31ffc8d 100644 --- a/OSX/sec/SOSCircle/Tool/secToolFileIO.h +++ b/OSX/sec/SOSCircle/Tool/secToolFileIO.h @@ -2,7 +2,6 @@ // secToolFileIO.h // sec // -// Created by Richard Murphy on 1/22/16. // // diff --git a/OSX/sec/SOSCircle/Tool/secViewDisplay.c b/OSX/sec/SOSCircle/Tool/secViewDisplay.c new file mode 100644 index 00000000..2e4a827a --- /dev/null +++ b/OSX/sec/SOSCircle/Tool/secViewDisplay.c 
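Review bot: The usage text advertises `-p|--enabled-peer-views`, but the short-option string handed to getopt_long is `"abc:d:f:"`, which contains no `p`, so `-p <views>` makes getopt_long return '?' and the command exits through `default: return 2`; only the long form works. The `--verbose`/`--brief` entries set a flag and make getopt_long return 0, which also lands in the default branch and aborts with the usage error. Change the option string to `static const char * params = "p:";` and add `case 0: break;` to the switch. Separately, the `CFBooleanRef result` declared inside `if (viewList)` shadows the `int result` that is returned, and the function still returns 0 after printing `Error:` for a non-NULL cfError, so a script cannot detect failure; setting `result = 1;` in that branch would fix it, and the `NSError* error` branch is dead because nothing ever assigns it.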
@@ -0,0 +1,148 @@ +/* + * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// secViewDisplay.c +// sec +// +// +// + +#include "secViewDisplay.h" +#include "secToolFileIO.h" + +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSCloudCircleInternal.h> +#include <Security/SecureObjectSync/SOSViews.h> + + +static struct foo { + const char *name; + const CFStringRef *viewspec; +} string2View[] = { + { "keychain", &kSOSViewKeychainV0 }, +#undef DOVIEWMACRO +#define DOVIEWMACRO(VIEWNAME, DEFSTRING, CMDSTRING, DEFAULTSETTING, INITIALSYNCSETTING, ALWAYSONSETTING, BACKUPSETTING, V0SETTING) { CMDSTRING, &kSOSView##VIEWNAME, }, +#include "Security/SecureObjectSync/ViewList.list" +}; + +static CFStringRef convertStringToView(char *viewname) { + unsigned n; + + for (n = 0; n < sizeof(string2View)/sizeof(string2View[0]); n++) { + if (strcmp(string2View[n].name, viewname) == 0) + return *string2View[n].viewspec; + } + + // Leak this, since it's a getter. 
+ return CFStringCreateWithCString(kCFAllocatorDefault, viewname, kCFStringEncodingUTF8); +} + +static CFStringRef convertViewReturnCodeToString(SOSViewActionCode ac) { + CFStringRef retval = NULL; + switch(ac) { + case kSOSCCGeneralViewError: + retval = CFSTR("General Error"); break; + case kSOSCCViewMember: + retval = CFSTR("Is Member of View"); break; + case kSOSCCViewNotMember: + retval = CFSTR("Is Not Member of View"); break; + case kSOSCCViewNotQualified: + retval = CFSTR("Is not qualified for View"); break; + case kSOSCCNoSuchView: + retval = CFSTR("No Such View"); break; + } + return retval; +} + +bool viewcmd(char *itemName, CFErrorRef *err) { + char *cmd, *viewname; + SOSViewActionCode ac = kSOSCCViewQuery; + CFStringRef viewspec; + + viewname = strchr(itemName, ':'); + if(viewname == NULL) return false; + *viewname = 0; + viewname++; + cmd = itemName; + + if(strcmp(cmd, "enable") == 0) { + ac = kSOSCCViewEnable; + } else if(strcmp(cmd, "disable") == 0) { + ac = kSOSCCViewDisable; + } else if(strcmp(cmd, "query") == 0) { + ac = kSOSCCViewQuery; + } else { + return false; + } + + if(strchr(viewname, ',') == NULL) { // original single value version + viewspec = convertStringToView(viewname); + if(!viewspec) return false; + + SOSViewResultCode rc = SOSCCView(viewspec, ac, err); + CFStringRef resultString = convertViewReturnCodeToString(rc); + + printmsg(CFSTR("View Result: %@ : %@\n"), resultString, viewspec); + return true; + } + + if(ac == kSOSCCViewQuery) return false; + + // new multi-view version + char *viewlist = strdup(viewname); + char *token; + char *tofree = viewlist; + CFMutableSetRef viewSet = CFSetCreateMutable(NULL, 0, &kCFCopyStringSetCallBacks); + + while ((token = strsep(&viewlist, ",")) != NULL) { + CFStringRef resultString = convertStringToView(token); + CFSetAddValue(viewSet, resultString); + } + + printmsg(CFSTR("viewSet provided is %@\n"), viewSet); + + free(tofree); + + bool retcode; + if(ac == kSOSCCViewEnable) retcode = 
SOSCCViewSet(viewSet, NULL); + else retcode = SOSCCViewSet(NULL, viewSet); + + fprintf(outFile, "SOSCCViewSet returned %s\n", (retcode)? "true": "false"); + + return true; +} + +bool listviewcmd(CFErrorRef *err) { + unsigned n; + + for (n = 0; n < sizeof(string2View)/sizeof(string2View[0]); n++) { + CFStringRef viewspec = *string2View[n].viewspec; + + SOSViewResultCode rc = SOSCCView(viewspec, kSOSCCViewQuery, err); + CFStringRef resultString = convertViewReturnCodeToString(rc); + + printmsg(CFSTR("View Result: %@ : %@\n"), resultString, viewspec); + }; + + return true; +} diff --git a/OSX/tlsnke/tlsnketest/ssl-utils.h b/OSX/sec/SOSCircle/Tool/secViewDisplay.h similarity index 71% rename from OSX/tlsnke/tlsnketest/ssl-utils.h rename to OSX/sec/SOSCircle/Tool/secViewDisplay.h index a9009a0d..ea71b811 100644 --- a/OSX/tlsnke/tlsnketest/ssl-utils.h +++ b/OSX/sec/SOSCircle/Tool/secViewDisplay.h @@ -1,15 +1,15 @@ /* - * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
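Review bot: In the multi-view path of viewcmd the set created with CFSetCreateMutable is never released after the SOSCCViewSet call, and convertStringToView can return NULL (CFStringCreateWithCString fails on input that is not valid UTF-8), which CFSetAddValue does not tolerate. Guard the insertion with `if (resultString) CFSetAddValue(viewSet, resultString);` and add `CFRelease(viewSet);` after the fprintf. listviewcmd passes the same `err` out-pointer to SOSCCView on every iteration, so a CFErrorRef produced for one view is overwritten, and leaked, by the next call; releasing it at the top of each iteration or stopping at the first error would keep the reported error meaningful. Also worth a comment: a name not found in string2View is forwarded to SOSCCView/SOSCCViewSet as an arbitrary CFString, so typos are rejected by the daemon rather than locally, which is acceptable for a debug tool but surprising to a reader.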
@@ -17,18 +17,24 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ +// +// secViewDisplay.h +// sec +// +// +// -#ifndef __SSL_UTILS_H__ -#define __SSL_UTILS_H__ +#ifndef secViewDisplay_h +#define secViewDisplay_h -#define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) { CFRelease(_cf); } } -#define CFReleaseNull(CF) { CFTypeRef _cf = (CF); if (_cf) { (CF) = NULL; CFRelease(_cf); } } +#include <stdio.h> +#include <CoreFoundation/CoreFoundation.h> -CFArrayRef server_chain(void); -CFArrayRef client_chain(void); +bool listviewcmd(CFErrorRef *err); +bool viewcmd(char *itemName, CFErrorRef *err); -#endif +#endif /* secViewDisplay_h */ diff --git a/OSX/sec/SOSCircle/Tool/syncbackup.c b/OSX/sec/SOSCircle/Tool/syncbackup.c new file mode 100644 index 00000000..d202ee3e --- /dev/null +++ b/OSX/sec/SOSCircle/Tool/syncbackup.c 
@@ -0,0 +1,87 @@ + +/* + * Copyright (c) 2003-2007,2009-2010,2013-2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + * + */ + +// +// syncbackup.c +// sec +// +// +// + +#include "syncbackup.h" + + +#include <stdio.h> +#include <CoreFoundation/CoreFoundation.h> + +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSCloudCircleInternal.h> + +#include <utilities/SecCFWrappers.h> + +#include <SecurityTool/readline.h> +#include "secToolFileIO.h" + + +static bool dumpBackupInfo(CFErrorRef *error) { + CFReleaseNull(*error); + bool isLast = SOSCCIsThisDeviceLastBackup(error); + + printmsg(CFSTR("This %s the last backup peer.\n"), (isLast) ? 
"is": "isn't"); + return *error != NULL; +} + + +int +syncbackup(int argc, char * const *argv) +{ + /* + "Circle Backup Information" + " -i info (current status)" + + */ + setOutputTo(NULL, NULL); + + int ch, result = 0; + CFErrorRef error = NULL; + bool hadError = false; + + while ((ch = getopt(argc, argv, "i")) != -1) + switch (ch) { + + case 'i': + hadError = dumpBackupInfo(&error); + break; + + case '?': + default: + return 2; /* Return 2 triggers usage message. */ + } + + if (hadError) + printerr(CFSTR("Error: %@\n"), error); + + return result; +} diff --git a/OSX/sec/SOSCircle/Tool/syncbackup.h b/OSX/sec/SOSCircle/Tool/syncbackup.h new file mode 100644 index 00000000..4050dd32 --- /dev/null +++ b/OSX/sec/SOSCircle/Tool/syncbackup.h @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// syncbackup.h +// sec +// +// +// + + +#include <SecurityTool/security_tool_commands.h> + +SECURITY_COMMAND( + "syncbackup", syncbackup, + "[options]\n" + " -i info (current status)\n" + "\n", + "iCloud Circle Backup Information") + 
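Review bot: dumpBackupInfo prints `This isn't the last backup peer.` even when SOSCCIsThisDeviceLastBackup failed, because the printmsg is unconditional and a failed call yields false; gate the status line on success, e.g. `if (*error == NULL) printmsg(CFSTR("This %s the last backup peer.\n"), isLast ? "is" : "isn't");`. In syncbackup the `result` variable stays 0 after the error is printed, so a caller cannot distinguish failure from "not the last peer"; set `result = 1;` inside the `if (hadError)` branch (2 is reserved for the usage message) and release the error with `CFReleaseNull(error);` before returning. With `-i` as the only option, running the command with no flags silently does nothing and exits 0; returning 2 in that case would surface the usage text instead.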
diff --git a/OSX/sec/Security/AppleBaselineEscrowCertificates.h b/OSX/sec/Security/AppleBaselineEscrowCertificates.h index 5a4d011e..a2483bac 100644 --- a/OSX/sec/Security/AppleBaselineEscrowCertificates.h +++ b/OSX/sec/Security/AppleBaselineEscrowCertificates.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2013-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -36,7 +36,7 @@ struct RootRecord ========================================================================== */ -static const UInt8 kBaseLineEscrowRootGM[] = { +static const UInt8 kBaseLineEscrowRoot100[] = { 0x30,0x82,0x03,0xd0,0x30,0x82,0x02,0xb8,0xa0,0x03,0x02,0x01,0x02,0x02,0x01,0x64, 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x30, 0x79,0x31,0x0c,0x30,0x0a,0x06,0x03,0x55,0x04,0x05,0x13,0x03,0x31,0x30,0x30,0x31, @@ -101,7 +101,7 @@ static const UInt8 kBaseLineEscrowRootGM[] = { 0x96,0x87,0x44,0xc3, }; -static const UInt8 kBaseLinePCSEscrowRootGM[] = { +static const UInt8 kBaseLinePCSEscrowRoot100[] = { 0x30,0x82,0x03,0xD8,0x30,0x82,0x02,0xC0,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x64, 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30, 0x7D,0x31,0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x05,0x13,0x03,0x31,0x30,0x30,0x31, @@ -166,7 +166,7 @@ static const UInt8 kBaseLinePCSEscrowRootGM[] = { 0x69,0x12,0x04,0x6D,0x2B,0x75,0x83,0xE1,0x12,0xFC,0x3E,0xF1, }; -static const UInt8 kBaseLineACFEscrowRootGM[] = { +static const UInt8 kBaseLineEscrowRoot101[] = { 0x30,0x82,0x03,0xD0,0x30,0x82,0x02,0xB8,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x65, 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30, 0x79,0x31,0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x05,0x13,0x03,0x31,0x30,0x31,0x31, 
@@ -231,14 +231,91 @@ static const UInt8 kBaseLineACFEscrowRootGM[] = { 0x81,0xB1,0x3F,0x4E, }; +static const UInt8 kBaseLineEscrowRoot102[] = { + 0x30,0x82,0x03,0xD0,0x30,0x82,0x02,0xB8,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x66, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30, + 0x79,0x31,0x0C,0x30,0x0A,0x06,0x03,0x55,0x04,0x05,0x13,0x03,0x31,0x30,0x32,0x31, + 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11, + 0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63, + 0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C, + 0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20, + 0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55, + 0x04,0x03,0x13,0x16,0x45,0x73,0x63,0x72,0x6F,0x77,0x20,0x53,0x65,0x72,0x76,0x69, + 0x63,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x36, + 0x30,0x35,0x31,0x33,0x30,0x37,0x32,0x37,0x31,0x31,0x5A,0x17,0x0D,0x34,0x39,0x30, + 0x35,0x31,0x33,0x30,0x37,0x32,0x37,0x31,0x31,0x5A,0x30,0x79,0x31,0x0C,0x30,0x0A, + 0x06,0x03,0x55,0x04,0x05,0x13,0x03,0x31,0x30,0x32,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A, + 0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24, + 0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72, + 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F, + 0x72,0x69,0x74,0x79,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55,0x04,0x03,0x13,0x16,0x45, + 0x73,0x63,0x72,0x6F,0x77,0x20,0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x20,0x52,0x6F, + 0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, + 0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01, + 0x0A,0x02,0x82,0x01,0x01,0x00,0xD7,0x3B,0x54,0x8B,0x11,0x5A,0xE6,0xEB,0x22,0x67, + 
0x2E,0xB2,0x5A,0xCF,0xE0,0xBC,0xC1,0x98,0x95,0xA0,0x26,0xF4,0x30,0x20,0x7C,0x1C, + 0xD3,0x5D,0xE8,0xA7,0x08,0xF7,0xB7,0x78,0x55,0x51,0xEB,0xDE,0x9D,0x7F,0xE9,0xF5, + 0xAD,0xF1,0x24,0xE0,0x2B,0xC2,0xD7,0xC1,0xAA,0x21,0x9D,0x1A,0x59,0x5B,0x86,0x7E, + 0x4D,0x48,0xEC,0xFE,0x88,0xAA,0x0B,0x3D,0xA8,0xE3,0x16,0xD1,0xF4,0x5F,0x96,0x5D, + 0x19,0x5F,0x89,0x98,0x54,0x46,0x9B,0xC1,0x14,0x2E,0x60,0x03,0xA7,0x50,0x2E,0x91, + 0x3A,0xC9,0xCC,0xA8,0x7E,0xBF,0x99,0x6A,0x16,0x20,0x02,0x85,0x69,0x2F,0x7B,0x84, + 0xEA,0x18,0xEE,0x9D,0x96,0xBA,0x66,0x97,0x3D,0x93,0x88,0x90,0x2D,0x9C,0x8E,0x72, + 0x19,0x9A,0x3A,0x86,0xB5,0xF1,0x9B,0x18,0xB4,0x7F,0x19,0x93,0x31,0x90,0xF3,0xD7, + 0x9D,0xC7,0x6F,0x5C,0xF1,0x80,0x23,0x95,0x99,0x01,0x21,0x53,0xE5,0x3E,0x18,0x2A, + 0x7D,0xBE,0x93,0x48,0xD2,0x3A,0xDB,0xF4,0x9E,0x4C,0xDA,0x99,0x20,0xA7,0x5E,0xD6, + 0x3E,0x63,0x15,0xEE,0xAC,0x38,0x48,0xF3,0x09,0xFB,0x6D,0x9C,0xD2,0xD2,0x0E,0xBF, + 0xB6,0x1E,0x01,0xF3,0x64,0x30,0x57,0xBE,0x4D,0x23,0x8B,0x7B,0x55,0x35,0x37,0x0F, + 0x1D,0x0A,0x0F,0x83,0x38,0x6E,0x61,0xFC,0xDD,0x19,0xF8,0x81,0xED,0x93,0x68,0xC2, + 0xDD,0x7A,0xDA,0xC9,0x34,0xFA,0xB8,0x78,0xCC,0xF1,0x3B,0x35,0x83,0x5E,0x11,0x1E, + 0xC4,0x8F,0xE4,0x86,0xF3,0xB9,0x56,0x65,0xEC,0x4E,0x9A,0x75,0x3D,0xCE,0xB3,0x19, + 0x90,0x5B,0xF0,0x5B,0x00,0x07,0x02,0x03,0x01,0x00,0x01,0xA3,0x63,0x30,0x61,0x30, + 0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF, + 0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06, + 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x44,0x90,0x08,0x3C,0x3E, + 0xE9,0x06,0xAC,0xE7,0xEA,0x81,0x5B,0xD3,0xA4,0xBD,0x2E,0xEB,0x16,0xD5,0x39,0x30, + 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x44,0x90,0x08,0x3C, + 0x3E,0xE9,0x06,0xAC,0xE7,0xEA,0x81,0x5B,0xD3,0xA4,0xBD,0x2E,0xEB,0x16,0xD5,0x39, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03, + 0x82,0x01,0x01,0x00,0x3E,0x5F,0xCD,0xBB,0xBF,0x7C,0xBB,0xD3,0xF6,0x92,0xF7,0x21, + 
0xF1,0x2C,0xE4,0x64,0xD5,0xDB,0x8C,0x28,0xC0,0x3D,0xC8,0x98,0x5D,0xCF,0x20,0x39, + 0x11,0xB5,0x1E,0x20,0x06,0x5E,0xBC,0x59,0xEB,0x30,0x5F,0x58,0xB1,0x57,0xEF,0x47, + 0x7A,0xF6,0x51,0xDE,0x3C,0xC0,0xCD,0xF8,0x06,0x02,0x0C,0x29,0xE6,0xDD,0x2D,0xCE, + 0x89,0xF1,0x04,0xC5,0xE4,0x8E,0x0B,0x0D,0x96,0x3E,0xBD,0x34,0xC6,0xAF,0xA0,0xB2, + 0xE1,0xE1,0x85,0x37,0xFB,0xCB,0xF2,0xA9,0xBE,0xB5,0xB9,0x18,0x58,0x31,0x97,0x64, + 0x9D,0x37,0x20,0xF4,0x46,0x83,0xA2,0x2E,0xAA,0x6C,0xDB,0x3D,0x87,0xFA,0xD9,0xD4, + 0x85,0x24,0xB2,0x29,0x8C,0x1B,0x5E,0x51,0xC4,0x60,0xC5,0x40,0xDC,0x25,0x00,0x43, + 0xB2,0x5D,0xB5,0x70,0xB2,0xFD,0xF0,0x27,0x2A,0xE0,0x4B,0x04,0x5A,0x38,0x2A,0xFB, + 0x60,0xBC,0x66,0x7E,0xC3,0x16,0xB6,0x88,0x69,0x10,0xB8,0xE3,0x99,0x43,0xF5,0x79, + 0xC5,0xC5,0xF0,0x82,0x96,0xF6,0x05,0x68,0x93,0x3A,0xA6,0x45,0xB7,0xEB,0x4D,0x5D, + 0xAD,0x04,0x0C,0x6B,0xF0,0x7B,0x10,0x0E,0x8B,0x78,0x40,0x98,0x9F,0x52,0xEF,0xEA, + 0xA4,0x26,0xAA,0xED,0x57,0x52,0xB5,0x34,0x32,0x26,0xA7,0x2E,0x8C,0xFB,0x13,0x32, + 0x3A,0x63,0xB0,0xD9,0x5E,0xE2,0xE7,0x0F,0xB2,0x80,0xE1,0xDE,0xD6,0xD5,0xD2,0x12, + 0x95,0x12,0x04,0x72,0xD0,0x03,0x4F,0xB6,0xC0,0x25,0x4A,0xEA,0xCD,0x3F,0xB9,0x5F, + 0x8E,0x38,0x64,0x02,0x78,0xBC,0x72,0xBD,0xA4,0x7F,0x61,0x39,0xAD,0xBF,0x65,0x8D, + 0xF6,0x05,0xC3,0xD2, +}; -static struct RootRecord kBaseLineEscrowRootRecord = {sizeof(kBaseLineEscrowRootGM), (UInt8*)kBaseLineEscrowRootGM}; -static struct RootRecord kBaseLineACFEscrowRootRecord = {sizeof(kBaseLineACFEscrowRootGM), (UInt8*)kBaseLineACFEscrowRootGM}; -static struct RootRecord* kBaseLineEscrowRoots[] = {&kBaseLineEscrowRootRecord, &kBaseLineACFEscrowRootRecord}; +static struct RootRecord kBaseLineEscrowRootRecord100 = {sizeof(kBaseLineEscrowRoot100), (UInt8*)kBaseLineEscrowRoot100}; +static struct RootRecord kBaseLineEscrowRootRecord101 = {sizeof(kBaseLineEscrowRoot101), (UInt8*)kBaseLineEscrowRoot101}; +static struct RootRecord kBaseLineEscrowRootRecord102 = {sizeof(kBaseLineEscrowRoot102), (UInt8*)kBaseLineEscrowRoot102}; 
+static struct RootRecord* kBaseLineEscrowRoots[] = { + &kBaseLineEscrowRootRecord100, &kBaseLineEscrowRootRecord101, &kBaseLineEscrowRootRecord102 +}; +static struct RootRecord* kBaseLineEscrowBackupRoots[] = { + &kBaseLineEscrowRootRecord100, &kBaseLineEscrowRootRecord101, &kBaseLineEscrowRootRecord102 +}; +static struct RootRecord* kBaseLineEscrowEnrollmentRoots[] = { + &kBaseLineEscrowRootRecord101, &kBaseLineEscrowRootRecord102 +}; static const int kNumberOfBaseLineEscrowRoots = (int)(sizeof(kBaseLineEscrowRoots)/sizeof(kBaseLineEscrowRoots[0])); +static const int kNumberOfBaseLineEscrowBackupRoots = (int)(sizeof(kBaseLineEscrowBackupRoots)/sizeof(kBaseLineEscrowBackupRoots[0])); +static const int kNumberOfBaseLineEscrowEnrollmentRoots = (int)(sizeof(kBaseLineEscrowEnrollmentRoots)/sizeof(kBaseLineEscrowEnrollmentRoots[0])); -static struct RootRecord kBaseLinePCSEscrowRootRecord = {sizeof(kBaseLinePCSEscrowRootGM), (UInt8*)kBaseLinePCSEscrowRootGM}; -static struct RootRecord* kBaseLinePCSEscrowRoots[] = {&kBaseLinePCSEscrowRootRecord}; +static struct RootRecord kBaseLinePCSEscrowRootRecord100 = {sizeof(kBaseLinePCSEscrowRoot100), (UInt8*)kBaseLinePCSEscrowRoot100}; +static struct RootRecord* kBaseLinePCSEscrowRoots[] = { + &kBaseLinePCSEscrowRootRecord100 +}; static const int kNumberOfBaseLinePCSEscrowRoots = (int)(sizeof(kBaseLinePCSEscrowRoots)/sizeof(kBaseLinePCSEscrowRoots[0])); #endif diff --git a/OSX/sec/Security/Regressions/Security_regressions.h b/OSX/sec/Security/Regressions/Security_regressions.h index 5a9ce794..f9701408 100644 --- a/OSX/sec/Security/Regressions/Security_regressions.h +++ b/OSX/sec/Security/Regressions/Security_regressions.h 
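Review bot: kBaseLineEscrowRoot102 is a new trust anchor checked in as raw DER with nothing a reviewer can verify it against; please add a comment above the array recording what the bytes decode to plus a fingerprint, e.g. `/* Escrow Service Root CA, serial 102, RSA-2048, sha256WithRSA, self-signed (SKI == AKI), valid 2016-05-13 to 2049-05-13. SHA-256 fingerprint: <from the published root> */` (the serial `0x02,0x01,0x66`, the CN, the key size and the notBefore/notAfter strings are readable in the hunk; the fingerprint is not). The three root lists also need a line each: kBaseLineEscrowRoots and kBaseLineEscrowBackupRoots are identical, while kBaseLineEscrowEnrollmentRoots omits record 100, which looks like a deliberate "still accept existing backups, never enroll against the oldest root" policy — if so, state it in a comment so a later edit does not "fix" the asymmetry. Renaming the GM/ACF constants to the certificate serial numbers is an improvement, but each kNumberOf... count should stay adjacent to its own array, since code that indexes one list with another list's count would read past the end.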
@@ -1,6 +1,10 @@ /* To add a test: 1) add it here 2) Add it as command line argument for SecurityTest.app in the Release and Debug schemes + 3) Add any resources your test use to the SecurityTest.app. + + This file contains iOS only tests that are built in libSecurityRegression.a + For test shared between OSX and iOS, see shared_regressions.h */ #include <test/testmore.h> @@ -14,32 +18,8 @@ ONE_TEST(si_11_update_data) ONE_TEST(si_12_item_stress) ONE_TEST(si_13_item_system) ONE_TEST(si_14_dateparse) -ONE_TEST(si_15_certificate) -ONE_TEST(si_16_ec_certificate) +ONE_TEST(si_15_delete_access_group) ONE_TEST(si_17_item_system_bluetooth) -ONE_TEST(si_20_sectrust_activation) -ONE_TEST(si_20_sectrust) -ONE_TEST(si_21_sectrust_asr) -ONE_TEST(si_22_sectrust_iap) -#if !TARGET_OS_WATCH -ONE_TEST(si_23_sectrust_ocsp) -#else -DISABLED_ONE_TEST(si_23_sectrust_ocsp) -#endif -ONE_TEST(si_24_sectrust_itms) -ONE_TEST(si_24_sectrust_nist) -ONE_TEST(si_24_sectrust_otatasking) -ONE_TEST(si_24_sectrust_mobileasset) -ONE_TEST(si_24_sectrust_diginotar) -ONE_TEST(si_24_sectrust_appleid) -ONE_TEST(si_24_sectrust_digicert_malaysia) -ONE_TEST(si_24_sectrust_passbook) -ONE_TEST(si_25_sectrust_ipsec_eap) -ONE_TEST(si_25_sectrust_apple_authentication) -ONE_TEST(si_26_applicationsigning) -ONE_TEST(si_27_sectrust_exceptions) -ONE_TEST(si_28_sectrustsettings) -ONE_TEST(si_29_sectrust_codesigning) DISABLED_ONE_TEST(si_30_keychain_upgrade) //obsolete, needs updating DISABLED_ONE_TEST(si_31_keychain_bad) DISABLED_ONE_TEST(si_31_keychain_unreadable) 
@@ -57,48 +37,27 @@ ONE_TEST(si_63_scep) ONE_TEST(si_64_ossl_cms) ONE_TEST(si_65_cms_cert_policy) ONE_TEST(si_66_smime) -#if !TARGET_OS_WATCH -ONE_TEST(si_67_sectrust_blacklist) -#else -DISABLED_ONE_TEST(si_67_sectrust_blacklist) -#endif ONE_TEST(si_68_secmatchissuer) ONE_TEST(si_69_keydesc) -ONE_TEST(si_70_sectrust_unified) -ONE_TEST(si_71_mobile_store_policy) ONE_TEST(si_72_syncableitems) ONE_TEST(si_73_secpasswordgenerate) #if TARGET_OS_IPHONE -ONE_TEST(si_74_OTA_PKI_Signer) -ONE_TEST(si_75_AppleIDRecordSigning) #if TARGET_IPHONE_SIMULATOR OFF_ONE_TEST(si_76_shared_credentials) #else ONE_TEST(si_76_shared_credentials) #endif ONE_TEST(si_77_SecAccessControl) -ONE_TEST(si_79_smp_cert_policy) #else -DISABLED_ONE_TEST(si_74_OTA_PKI_Signer) -DISABLED_ONE_TEST(si_75_AppleIDRecordSigning) DISABLED_ONE_TEST(si_76_shared_credentials) DISABLED_ONE_TEST(si_77_SecAccessControl) -DISABLED_ONE_TEST(si_79_smp_cert_policy) #endif ONE_TEST(si_78_query_attrs) ONE_TEST(si_80_empty_data) -ONE_TEST(si_81_sectrust_server_auth) -ONE_TEST(si_81_sectrust_appletv) -ONE_TEST(si_83_seccertificate_sighashalg) -ONE_TEST(si_84_atv_appsigning) -ONE_TEST(si_85_sectrust_ssl_policy) -ONE_TEST(si_86_sectrust_eap_tls) -ONE_TEST(si_87_sectrust_name_constraints) -ONE_TEST(si_88_sectrust_vpnprofile) +ONE_TEST(si_82_token_ag) ONE_TEST(si_89_cms_hash_agility) ONE_TEST(si_90_emcs) -ONE_TEST(si_91_sectrust_ast2) -ONE_TEST(si_92_sectrust_homekit) +ONE_TEST(si_95_cms_basic) ONE_TEST(vmdh_40) ONE_TEST(vmdh_41_example) diff --git a/OSX/sec/Security/Regressions/secitem/si-12-item-stress.c b/OSX/sec/Security/Regressions/secitem/si-12-item-stress.c index d93aaefc..6ecd5031 100644 --- a/OSX/sec/Security/Regressions/secitem/si-12-item-stress.c +++ b/OSX/sec/Security/Regressions/secitem/si-12-item-stress.c 
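Review bot: Together with the hunk above, this removes the entire sectrust family from the iOS list — si_23_sectrust_ocsp, si_24_sectrust_diginotar, si_67_sectrust_blacklist, si_87_sectrust_name_constraints, si_85_sectrust_ssl_policy and the rest — and the only replacement visible here is the new header comment pointing at shared_regressions.h. Those are the regressions for blacklisted/revoked CAs and policy enforcement, so the move is only safe if each entry is re-listed there and the !TARGET_OS_WATCH gating that si_23 and si_67 previously carried is preserved; none of that is in this hunk, so I cannot confirm it. A one-line note such as `/* sectrust tests (si_2x, si_6x, si_7x, si_8x, si_9x) moved to shared_regressions.h */` next to the removals would make the intent explicit for the next reader.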
@@ -302,10 +302,10 @@ static void tests(void) CFStringRef accessabilites[] = { kSecAttrAccessibleWhenUnlocked, kSecAttrAccessibleAfterFirstUnlock, - kSecAttrAccessibleAlways, + kSecAttrAccessibleAlwaysPrivate, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, - kSecAttrAccessibleAlwaysThisDeviceOnly, + kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, }; value = accessabilites[num % array_size(accessabilites)]; break; diff --git a/OSX/sec/Security/Regressions/secitem/si-13-item-system.m b/OSX/sec/Security/Regressions/secitem/si-13-item-system.m index a1521b37..e5f56779 100644 --- a/OSX/sec/Security/Regressions/secitem/si-13-item-system.m +++ b/OSX/sec/Security/Regressions/secitem/si-13-item-system.m @@ -28,7 +28,7 @@ #include <Security/Security.h> #include <Security/SecItemPriv.h> #include <utilities/array_size.h> -#include <utilities/SecCFWrappers.h> +#include <utilities/SecCFRelease.h> #include <stdlib.h> #include <unistd.h> diff --git a/OSX/sec/Security/Regressions/secitem/si-15-certificate.c b/OSX/sec/Security/Regressions/secitem/si-15-certificate.c index 6bdbbc58..0c6f925f 100644 --- a/OSX/sec/Security/Regressions/secitem/si-15-certificate.c +++ b/OSX/sec/Security/Regressions/secitem/si-15-certificate.c @@ -3,13 +3,14 @@ */ #include <CoreFoundation/CoreFoundation.h> +#include <Security/SecCertificate.h> #include <Security/SecCertificatePriv.h> #include <Security/SecPolicy.h> #include <Security/SecTrust.h> #include <stdlib.h> #include <unistd.h> -#include "Security_regressions.h" +#include "shared_regressions.h" /* Apple Inc. CA 
@@ -720,6 +721,10 @@ static void tests(void) isnt(cert6 = SecCertificateCreateWithBytes(NULL, _wapi_as_der, sizeof(_wapi_as_der)), NULL, "create cert6"); + if (!cert0 || !cert1 || !cert2 || !cert3 || !cert4 || !cert5 || !cert6) { + goto errOut; + } + ok(SecCertificateIsSelfSignedCA(cert0), "cert0 is CA"); ok(!SecCertificateIsSelfSignedCA(cert1), "cert1 is not CA"); ok(SecCertificateIsSelfSignedCA(cert5), "cert5 is v1 CA"); @@ -762,7 +767,17 @@ static void tests(void) CFStringRef desc = NULL; ok(desc = CFCopyDescription(cert4), "cert4 CFCopyDescription works"); + CFReleaseNull(desc); + + CFDataRef spki1Hash = SecCertificateCopySubjectPublicKeyInfoSHA1Digest(cert0); + isnt(spki1Hash, NULL, "cert0 has a SHA-1 subject public key info hash"); + CFReleaseSafe(spki1Hash); + + CFDataRef spki2Hash = SecCertificateCopySubjectPublicKeyInfoSHA256Digest(cert0); + isnt(spki2Hash, NULL, "cert0 has a SHA-256 subject public key info hash"); + CFReleaseSafe(spki2Hash); +errOut: CFReleaseSafe(cert0); CFReleaseSafe(cert1); CFReleaseSafe(cert2); @@ -770,12 +785,11 @@ static void tests(void) CFReleaseSafe(cert4); CFReleaseSafe(cert5); CFReleaseSafe(cert6); - CFReleaseNull(desc); } int si_15_certificate(int argc, char *const *argv) { - plan_tests(21); + plan_tests(23); tests(); diff --git a/OSX/sec/Security/Regressions/secitem/si-15-delete-access-group.m b/OSX/sec/Security/Regressions/secitem/si-15-delete-access-group.m new file mode 100644 index 00000000..bc846996 --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-15-delete-access-group.m 
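Review bot: The two new SPKI-digest checks only assert that SecCertificateCopySubjectPublicKeyInfoSHA1Digest and ...SHA256Digest return non-NULL, so a regression that hashes the wrong bytes (for example the bare key rather than the full SubjectPublicKeyInfo) would still pass. The digests for cert0 are fixed values, so pin at least the length and ideally the bytes: `is(CFDataGetLength(spki2Hash), 32, "SHA-256 SPKI digest length");` and an `ok(CFEqual(spki2Hash, expectedSPKI256), "cert0 SPKI SHA-256 matches");` against the known hash. The early `goto errOut` is valid C (it only skips non-VLA declarations), but it abandons the remaining tests without a skip marker, so a parse failure shows up as a failed isnt() plus a plan mismatch; that is acceptable, but a short comment on the goto saying so would avoid a future "fix".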
@@ -0,0 +1,88 @@ +// +// si-15-delete-access-group.m +// sec +// +// Created by Love Hörnquist à strand on 2016-06-28. +// +// + +#import <Foundation/Foundation.h> +#include <Security/Security.h> +#include <Security/SecItemPriv.h> +#include <unistd.h> + +#include "Security_regressions.h" + + +int si_15_delete_access_group(int argc, char *const *argv) +{ + plan_tests(4); + + @autoreleasepool { + NSDictionary *query = NULL, *item = NULL; + NSDictionary *query2 = NULL, *item2 = NULL; + NSString *agrp = @"123456.test.group"; + NSString *agrp2 = @"123456.test.group2"; + CFErrorRef error = NULL; + + /* + * Clean first + */ + query = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrLabel : @"keychain label", + }; + query2 = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrLabel : @"keychain label2", + }; + SecItemDelete((CFDictionaryRef)query); + SecItemDelete((CFDictionaryRef)query2); + + /* + * Add entry + */ + + item = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrLabel : @"keychain label", + (id)kSecAttrAccessGroup : agrp + }; + + ok_status(SecItemAdd((CFDictionaryRef)item, NULL), "SecItemAdd2"); + + ok_status(SecItemCopyMatching((CFDictionaryRef)query, NULL)); + + item2 = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrLabel : @"keychain label2", + (id)kSecAttrAccessGroup : agrp2 + }; + + ok_status(SecItemAdd((CFDictionaryRef)item2, NULL), "SecItemAdd2"); + + is_status(SecItemCopyMatching((CFDictionaryRef)query, NULL), errSecSuccess); + is_status(SecItemCopyMatching((CFDictionaryRef)query2, NULL), errSecSuccess); + + + ok(SecItemDeleteAllWithAccessGroups((__bridge CFArrayRef)@[ agrp ], &error), + "SecItemDeleteAllWithAccessGroups: %@", error); + + if (error) + CFRelease(error); + + is_status(SecItemCopyMatching((CFDictionaryRef)query, NULL), errSecItemNotFound); + is_status(SecItemCopyMatching((CFDictionaryRef)query2, NULL), errSecSuccess); + + ok(SecItemDeleteAllWithAccessGroups((__bridge 
CFArrayRef)@[ agrp2 ], &error), + "SecItemDeleteAllWithAccessGroups: %@", error); + + if (error) + CFRelease(error); + + is_status(SecItemCopyMatching((CFDictionaryRef)query, NULL), errSecItemNotFound); + is_status(SecItemCopyMatching((CFDictionaryRef)query2, NULL), errSecItemNotFound); + } + + return 0; +} diff --git a/OSX/sec/Security/Regressions/secitem/si-16-ec-certificate.c b/OSX/sec/Security/Regressions/secitem/si-16-ec-certificate.c index 370c6b5c..807bc7b1 100644 --- a/OSX/sec/Security/Regressions/secitem/si-16-ec-certificate.c +++ b/OSX/sec/Security/Regressions/secitem/si-16-ec-certificate.c @@ -34,7 +34,7 @@ #include <stdlib.h> #include <unistd.h> -#include "Security_regressions.h" +#include "shared_regressions.h" /* Set this to 1 to test support for the legacy ecdsa-with-specified signature oid. */ @@ -1145,13 +1145,10 @@ static void tests(void) "20060303001200", "End_P384_combined_SHA1_cer"); trust_ok(End_P521_combined_SHA1_cer, RootP256_cer, "20060303001200", "End_P521_combined_SHA1_cer"); - TODO: { - todo("ecdsa-with-SHA512 seems to be failing"); - trust_ok(End_P256_combined_SHA512_cer, RootP256_cer, - "20060303001200", "End_P256_combined_SHA512_cer"); - trust_ok(End_P521_combined_SHA512_cer, RootP256_cer, - "20060303001200", "End_P521_combined_SHA512_cer"); - } + trust_ok(End_P256_combined_SHA512_cer, RootP256_cer, + "20060303001200", "End_P256_combined_SHA512_cer"); + trust_ok(End_P521_combined_SHA512_cer, RootP256_cer, + "20060303001200", "End_P521_combined_SHA512_cer"); /* Verification of ECC certs created by NSS */ trust_ok(ECCCA_cer, ECCCA_cer, diff --git a/OSX/sec/Security/Regressions/secitem/si-17-item-system-bluetooth.m b/OSX/sec/Security/Regressions/secitem/si-17-item-system-bluetooth.m index 33c164f2..cf8f39ff 100644 --- a/OSX/sec/Security/Regressions/secitem/si-17-item-system-bluetooth.m +++ b/OSX/sec/Security/Regressions/secitem/si-17-item-system-bluetooth.m 
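Review bot: plan_tests(4) does not match the body, which issues eleven checks (three ok_status, six is_status, two ok), so the harness reports a plan mismatch on every run; change it to `plan_tests(11);`. After the first SecItemDeleteAllWithAccessGroups call the error is released with `if (error) CFRelease(error);` but never reset, so the second call receives a pointer to an already-released CFErrorRef and, if the API leaves *error untouched on success, the second `if (error) CFRelease(error);` releases it again; set `error = NULL;` after each release. The two `ok_status(SecItemCopyMatching(...))` calls carry no description, and both SecItemAdd checks are labelled "SecItemAdd2", which makes a failing line hard to locate in the TAP output.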
@@ -28,7 +28,7 @@ #include <Security/Security.h> #include <Security/SecItemPriv.h> #include <utilities/array_size.h> -#include <utilities/SecCFWrappers.h> +#include <utilities/SecCFRelease.h> #include <stdlib.h> #include <unistd.h> diff --git a/OSX/sec/Security/Regressions/secitem/si-20-sectrust-activation.c b/OSX/sec/Security/Regressions/secitem/si-20-sectrust-activation.c deleted file mode 100644 index 01b29ccb..00000000 --- a/OSX/sec/Security/Regressions/secitem/si-20-sectrust-activation.c +++ /dev/null 
@@ -1,942 +0,0 @@ -/* - * Copyright (c) 2006-2010,2012-2013 Apple Inc. All Rights Reserved. - */ - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecCertificate.h> -#include <Security/SecCertificatePriv.h> -#include <Security/SecPolicyPriv.h> -#include <Security/SecTrust.h> -#include <Security/SecTrustPriv.h> -#include <Security/SecInternal.h> -#include <utilities/array_size.h> -#include <stdlib.h> -#include <unistd.h> - -#include "Security_regressions.h" - -unsigned char certa[] = { - 0x30, 0x82, 0x02, 0xba, 0x30, 0x82, 0x01, 0xa2, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x00, 0x30, 0x1e, 0x17, - 0x0d, 0x31, 0x30, 0x30, 0x38, 0x32, 0x34, 0x32, 0x32, 0x35, 0x35, 0x31, - 0x37, 0x5a, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x38, 0x32, 0x31, 0x32, 0x32, - 0x35, 0x35, 0x31, 0x37, 0x5a, 0x30, 0x00, 0x30, 0x82, 0x01, 0x22, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, - 0x82, 0x01, 0x01, 0x00, 0xbe, 0xa4, 0x39, 0x73, 0x58, 0xca, 0xcc, 0x43, - 0x1c, 0xb1, 0xce, 0x1e, 0xf3, 0x4b, 0xcd, 0x80, 0xb5, 0x90, 0x66, 0x06, - 0xf7, 0x82, 0x08, 0xf8, 0xd6, 0x93, 0x6e, 0x06, 0x89, 0xed, 0x70, 0x66, - 0xfb, 0xed, 0x96, 0xcd, 0xcb, 0x6a, 0x7b, 0x93, 0x74, 0x15, 0x8e, 0x37, - 0x8b, 0x40, 0x6d, 0x29, 0xf7, 0x37, 0x4c, 0x44, 0x66, 0x73, 0xe4, 0xb2, - 0x7f, 0x9b, 0x13, 0x73, 0x3a, 0x5d, 0x12, 0x1c, 0xa0, 0x39, 0x98, 0xdb, - 0x26, 0xa1, 0x56, 0x2b, 0xf4, 0xc5, 0x39, 0xa3, 0xd8, 0x83, 0x2d, 0xa9, - 0x6b, 0x73, 0xac, 0x42, 0xc0, 0xb8, 0xbf, 0xfb, 0xb7, 0x2e, 0xf2, 0x90, - 0xa6, 0x96, 0xa4, 0x8c, 0xf5, 0xdf, 0xd4, 0x26, 0xff, 0x08, 0x30, 0x39, - 0x1f, 0x59, 0xd4, 0xbf, 0x2f, 0x8f, 0x24, 0xab, 0x80, 0xff, 0x6c, 0x5a, - 0x6b, 0xfd, 0x9b, 0xac, 0x10, 0x96, 0x86, 0x07, 0x04, 0x20, 0x1f, 0xb3, - 0xf8, 0x0a, 0xdd, 0x09, 0x48, 0x04, 0x1e, 0x43, 0x66, 0x81, 0x96, 0xa4, - 0x98, 0x3d, 
0x50, 0x4e, 0xef, 0x29, 0x36, 0x3a, 0xad, 0x60, 0x70, 0xd3, - 0x76, 0xee, 0xed, 0x6a, 0xd5, 0xf9, 0x6c, 0xac, 0x3f, 0x92, 0xff, 0x36, - 0xe8, 0x96, 0x19, 0xfb, 0x6f, 0x8a, 0x68, 0xd0, 0x32, 0x2e, 0xc9, 0xe2, - 0x47, 0xf7, 0x5d, 0xd3, 0xba, 0x84, 0x7f, 0x06, 0xaf, 0xa1, 0xa9, 0x7a, - 0xb9, 0x02, 0xf3, 0x0a, 0x95, 0xe3, 0xef, 0x45, 0x99, 0x4d, 0x7d, 0xfb, - 0xb0, 0x94, 0x5c, 0x14, 0xeb, 0x53, 0x15, 0x9b, 0xc9, 0x7b, 0x13, 0x13, - 0xd3, 0x53, 0xb8, 0x42, 0xdd, 0x63, 0xbf, 0xaa, 0xe9, 0xff, 0x21, 0x86, - 0x21, 0xef, 0xb4, 0x3c, 0x41, 0x38, 0xd8, 0x68, 0x6b, 0xd8, 0x75, 0x48, - 0x15, 0x57, 0x39, 0x28, 0xf0, 0xe3, 0x1a, 0x5c, 0x02, 0x0f, 0x1d, 0xd6, - 0x90, 0xd3, 0xd9, 0x78, 0x6d, 0xd4, 0xba, 0x2d, 0x02, 0x03, 0x01, 0x00, - 0x01, 0xa3, 0x3f, 0x30, 0x3d, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, - 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa4, 0x9b, 0x02, 0x27, 0xdf, 0xb1, - 0xc3, 0x84, 0x43, 0x44, 0x36, 0x3e, 0x5b, 0x7c, 0x43, 0x3b, 0x69, 0x9e, - 0x35, 0x0b, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, - 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, - 0x01, 0x00, 0x44, 0xb0, 0x0f, 0x9b, 0xc1, 0x93, 0x72, 0x0a, 0xdd, 0x68, - 0x0a, 0x08, 0x78, 0xf0, 0xee, 0x95, 0x38, 0x31, 0x8c, 0x71, 0x96, 0x5d, - 0xb3, 0xc2, 0xd6, 0xa3, 0xdb, 0xc3, 0xaa, 0x06, 0xa4, 0xf8, 0xb4, 0xb0, - 0xd3, 0xb8, 0xcd, 0x3f, 0x22, 0xf0, 0xf1, 0x5c, 0xf5, 0xf8, 0x46, 0xa2, - 0xf2, 0xd2, 0xd3, 0xa2, 0x2f, 0x30, 0xd8, 0x90, 0x9f, 0x1a, 0xb7, 0x9b, - 0xc9, 0xf1, 0x72, 0xde, 0xb5, 0xfe, 0x62, 0xb6, 0x73, 0xe8, 0xb9, 0xe4, - 0x3a, 0x77, 0xb6, 0xd5, 0x9f, 0x22, 0x06, 0x71, 0x31, 0x83, 0x5c, 0xd3, - 0x06, 0x76, 0x7d, 0x67, 0x0e, 0x8e, 0xa5, 0x69, 0xb1, 0x4e, 0xe4, 0x5f, - 0x67, 0x74, 0xe4, 0x56, 0xd8, 0x73, 0x35, 0x2e, 0x0d, 0x4f, 0xdd, 0x1a, - 0xc1, 0x47, 0xb5, 0x16, 0xa1, 0x8c, 0x63, 0x7b, 0x0d, 0x95, 0xe8, 0x84, - 0xce, 0x7e, 
0xd4, 0xc6, 0xae, 0x8c, 0x7d, 0xfe, 0xc4, 0xe8, 0xb7, 0x09, - 0xd9, 0x2b, 0xaa, 0xbe, 0x90, 0x9c, 0x86, 0xcb, 0xc8, 0xcc, 0x73, 0x3a, - 0xaa, 0xd7, 0x19, 0x7d, 0x7f, 0xfc, 0x84, 0x5f, 0x31, 0x4e, 0xb7, 0xd0, - 0xeb, 0x5c, 0xb7, 0x0b, 0x3a, 0x06, 0x0e, 0xeb, 0x80, 0x4d, 0x96, 0x85, - 0x64, 0xbf, 0xf0, 0xc8, 0x6a, 0x5d, 0x0e, 0xd3, 0x26, 0x76, 0xbe, 0xb5, - 0x36, 0x25, 0x68, 0x41, 0x10, 0x0a, 0x79, 0x58, 0x0f, 0x7f, 0x44, 0xf4, - 0xf1, 0x9b, 0xeb, 0x00, 0xac, 0xbf, 0xa6, 0xaa, 0x3d, 0x88, 0x40, 0x70, - 0x03, 0x7c, 0x5a, 0x45, 0x17, 0x8c, 0xf1, 0xe3, 0xf4, 0x61, 0x77, 0x56, - 0x5f, 0xfc, 0x7a, 0xc8, 0x35, 0x5a, 0x95, 0xe3, 0x0c, 0xfb, 0x6d, 0x6d, - 0x6c, 0xcc, 0x86, 0x47, 0x9d, 0xb3, 0xe1, 0xe2, 0x26, 0xcb, 0xb8, 0xa4, - 0x91, 0xb6, 0x51, 0x4c, 0xf5, 0x37, 0x68, 0x29, 0xc1, 0xef, 0xba, 0xf0, - 0x8b, 0x82, 0x17, 0x65, 0x81, 0xe9 -}; -unsigned int certa_len = 702; - -unsigned char certb[] = { - 0x30, 0x82, 0x02, 0xad, 0x30, 0x82, 0x01, 0x95, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x00, 0x30, 0x1e, 0x17, - 0x0d, 0x31, 0x30, 0x30, 0x38, 0x32, 0x34, 0x32, 0x32, 0x35, 0x35, 0x31, - 0x37, 0x5a, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x38, 0x32, 0x31, 0x32, 0x32, - 0x35, 0x35, 0x31, 0x37, 0x5a, 0x30, 0x00, 0x30, 0x82, 0x01, 0x22, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, - 0x82, 0x01, 0x01, 0x00, 0xd7, 0x67, 0x3f, 0xf1, 0x88, 0xf8, 0x81, 0x9d, - 0x6b, 0x8a, 0x5e, 0xc7, 0xc7, 0x1f, 0xfc, 0x04, 0x89, 0x81, 0x0a, 0x1a, - 0x7f, 0x70, 0x63, 0x6f, 0x66, 0x8e, 0x1a, 0x7a, 0xb0, 0xf9, 0xb9, 0x71, - 0x3d, 0xda, 0xcb, 0xd5, 0x84, 0xa8, 0x67, 0x4e, 0xde, 0x7e, 0x3e, 0xc8, - 0x15, 0x01, 0xe2, 0x41, 0xb7, 0x82, 0x4a, 0x6e, 0x62, 0x12, 0xa1, 0xe7, - 0x8b, 0x78, 0x5c, 0x50, 0x13, 0xd1, 0x0a, 0xbc, 0x6c, 0x6b, 0xad, 0xb6, - 0x3b, 0x65, 0xd6, 0x89, 0x03, 0x76, 0x51, 0x2b, 0xee, 0xa1, 
0x8b, 0x54, - 0x41, 0xbb, 0x03, 0x6a, 0x55, 0xda, 0x06, 0xac, 0xf0, 0xd0, 0xa0, 0x39, - 0xe5, 0x0e, 0x22, 0xe9, 0x44, 0x28, 0xfb, 0x03, 0xbd, 0x21, 0xc5, 0xb6, - 0xd3, 0x11, 0x3b, 0x90, 0x78, 0xc3, 0xe7, 0x41, 0x8d, 0x9b, 0xf1, 0xab, - 0x0f, 0xa3, 0x31, 0x4f, 0x52, 0x59, 0x0f, 0x66, 0x66, 0x86, 0x43, 0x26, - 0x3f, 0x4e, 0x29, 0x83, 0x7f, 0x60, 0x3d, 0x59, 0x55, 0xad, 0x47, 0x09, - 0x75, 0x96, 0x50, 0xec, 0xfb, 0x15, 0xbd, 0x15, 0x2a, 0x32, 0x73, 0x23, - 0xe8, 0x3e, 0xe0, 0x16, 0xc6, 0x46, 0x54, 0x6d, 0xff, 0x84, 0x5a, 0x55, - 0xe1, 0xea, 0xb3, 0xcc, 0x33, 0xf2, 0xa1, 0x2d, 0x5a, 0x1e, 0x48, 0xc5, - 0x75, 0xa1, 0x84, 0xc4, 0x81, 0x7d, 0xcf, 0xf9, 0x8d, 0x09, 0xdc, 0xba, - 0xad, 0xad, 0x52, 0x34, 0xc0, 0xda, 0xec, 0x37, 0x14, 0x24, 0xda, 0xdf, - 0xd6, 0x3e, 0x98, 0xfc, 0x8e, 0x00, 0xf7, 0x8a, 0x44, 0xe5, 0xe6, 0xe7, - 0x07, 0x0e, 0x8a, 0x52, 0xff, 0xff, 0xac, 0x9c, 0x3e, 0x31, 0xc7, 0x93, - 0xe6, 0x71, 0xf3, 0x13, 0x42, 0xe3, 0x99, 0x73, 0x17, 0x5b, 0x79, 0xfa, - 0xd4, 0xc2, 0xcd, 0x68, 0x59, 0x43, 0x91, 0xb0, 0x87, 0xd0, 0x5f, 0x5c, - 0x22, 0x1c, 0xbf, 0xc2, 0x12, 0x4c, 0xc2, 0x4b, 0x02, 0x03, 0x01, 0x00, - 0x01, 0xa3, 0x32, 0x30, 0x30, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, - 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, - 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xae, 0xc3, 0x1e, - 0x3f, 0x30, 0xe6, 0xe4, 0xf5, 0x68, 0x0d, 0x57, 0xed, 0x55, 0x53, 0xea, - 0x91, 0xdb, 0x71, 0x24, 0xcf, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, - 0x00, 0x28, 0x3d, 0xe2, 0xa1, 0x7e, 0x13, 0x8b, 0xd7, 0xf3, 0xf5, 0xaa, - 0x5a, 0x2c, 0x06, 0x95, 0x5f, 0x3d, 0x12, 0x2a, 0xf4, 0xbd, 0x80, 0xb2, - 0x3a, 0x2d, 0x72, 0x85, 0xb6, 0xf6, 0x1f, 0xdc, 0x5e, 0x27, 0xfb, 0xc4, - 0xb8, 0x48, 0xeb, 0xab, 0x44, 0xec, 0x8b, 0xa9, 0x0b, 0x77, 0xb5, 0x21, - 0xa0, 0x3c, 0x11, 0xec, 0x9c, 0x68, 0x8b, 0xe8, 0x35, 0x5f, 0xaf, 0xee, - 0x0a, 0x8d, 0x39, 0x44, 0xa4, 0x75, 0x97, 0x73, 0x49, 0x41, 
0xef, 0xe3, - 0xf7, 0xc7, 0x0d, 0x7f, 0x23, 0x0d, 0xfe, 0x83, 0xf3, 0x7b, 0x21, 0x00, - 0x5b, 0x2d, 0xbb, 0x76, 0xea, 0x79, 0xce, 0x2c, 0x86, 0x15, 0x08, 0xf7, - 0x12, 0x48, 0x0e, 0x5e, 0x0c, 0x97, 0xce, 0xbd, 0xc9, 0x0d, 0xa2, 0x73, - 0xec, 0x81, 0x54, 0x2b, 0x50, 0xab, 0xb6, 0xea, 0xa7, 0xa1, 0x8a, 0xbf, - 0xee, 0x16, 0xf1, 0x2b, 0x03, 0x97, 0xfb, 0x38, 0x9d, 0xa8, 0xde, 0x73, - 0xb1, 0x8f, 0xd2, 0x3b, 0x40, 0x86, 0x32, 0xdb, 0xeb, 0x8f, 0x0a, 0xf7, - 0x1f, 0xac, 0xbc, 0x32, 0x05, 0x8b, 0xa1, 0xc6, 0xdd, 0x39, 0x9c, 0xfa, - 0x70, 0x91, 0xda, 0x80, 0x60, 0xfa, 0xaa, 0xef, 0x51, 0x65, 0x2c, 0x09, - 0x21, 0x9b, 0x35, 0xed, 0x99, 0x07, 0xbd, 0x63, 0x84, 0x72, 0xa0, 0xc4, - 0x11, 0x7e, 0x6e, 0x27, 0xe1, 0xda, 0xd4, 0xac, 0xf1, 0xca, 0xc0, 0xfd, - 0x77, 0x64, 0x29, 0x3b, 0x49, 0x64, 0x5f, 0xe3, 0x4c, 0x8b, 0x93, 0x98, - 0x9a, 0x9a, 0xb7, 0xb7, 0x04, 0xfc, 0x7d, 0x82, 0x9b, 0xcc, 0x1d, 0xd2, - 0x8c, 0x98, 0x3b, 0x9a, 0xca, 0x53, 0x9b, 0x04, 0x6d, 0x3d, 0x41, 0x38, - 0x8c, 0x2b, 0xea, 0xaa, 0x28, 0xef, 0x27, 0xd3, 0xc7, 0x0e, 0x59, 0xa1, - 0x30, 0xd9, 0xee, 0x92, 0x5a, 0x34, 0x21, 0x11, 0x54, 0xa4, 0xdd, 0xc0, - 0x86, 0x07, 0xd9, 0x33, 0xb1 -}; -unsigned int certb_len = 689; - -unsigned char certc[] = { - 0x30, 0x82, 0x02, 0xad, 0x30, 0x82, 0x01, 0x95, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x00, 0x30, 0x1e, 0x17, - 0x0d, 0x31, 0x30, 0x30, 0x38, 0x32, 0x37, 0x32, 0x33, 0x30, 0x37, 0x34, - 0x35, 0x5a, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x38, 0x32, 0x34, 0x32, 0x33, - 0x30, 0x37, 0x34, 0x35, 0x5a, 0x30, 0x00, 0x30, 0x82, 0x01, 0x22, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, - 0x82, 0x01, 0x01, 0x00, 0xae, 0x74, 0xef, 0x9f, 0x1f, 0x5d, 0x85, 0x83, - 0x57, 0xce, 0x65, 0xd5, 0x54, 0x2d, 0x71, 0x4d, 0xea, 0x6c, 0x57, 0x8c, - 0x4f, 0x3f, 0xfd, 0xcb, 0x22, 0x01, 
0xa0, 0x2a, 0xbd, 0x41, 0xd1, 0xf5, - 0xb2, 0xf5, 0xe7, 0x7b, 0xe3, 0xd1, 0xe1, 0x48, 0xcf, 0xc6, 0xdb, 0x71, - 0x52, 0xde, 0xd9, 0x1e, 0xb4, 0x29, 0xd4, 0xc8, 0xf2, 0xf9, 0x6e, 0xbb, - 0xff, 0x69, 0x36, 0x72, 0xa8, 0x8b, 0x54, 0x0d, 0xf7, 0x5c, 0x3d, 0x62, - 0x10, 0xdc, 0x8d, 0x4a, 0xc3, 0x11, 0x91, 0x9f, 0x24, 0xe1, 0x5e, 0xcf, - 0x21, 0x82, 0xa9, 0xf9, 0xff, 0xa6, 0xe2, 0x79, 0xc2, 0x0b, 0x93, 0xa2, - 0x31, 0x62, 0xef, 0x01, 0x4e, 0x77, 0xd2, 0xa6, 0x49, 0xb4, 0x6e, 0x8e, - 0xbd, 0x63, 0x57, 0x01, 0x51, 0xd6, 0xb3, 0xf0, 0x11, 0xd5, 0xf1, 0xf8, - 0xcc, 0xd8, 0x4e, 0x9d, 0x04, 0xf7, 0xa3, 0xa1, 0x14, 0x61, 0x6a, 0x21, - 0x16, 0xe3, 0xa3, 0x6d, 0x92, 0xaf, 0xc6, 0xfd, 0x12, 0x63, 0x54, 0xbf, - 0x24, 0xc8, 0x11, 0xcc, 0xdb, 0xaf, 0x14, 0xdd, 0x84, 0xd9, 0xdd, 0x5d, - 0xc4, 0xe6, 0x92, 0xbe, 0x76, 0x3b, 0x91, 0x52, 0xcb, 0x4c, 0x31, 0x8c, - 0xeb, 0x12, 0xce, 0xde, 0xe0, 0xb4, 0x12, 0x7f, 0xa1, 0x60, 0xd4, 0x9e, - 0xc5, 0x0b, 0x49, 0xd6, 0xbf, 0x9a, 0x13, 0x99, 0x0e, 0x65, 0x83, 0xff, - 0xf5, 0xab, 0xe2, 0x76, 0xa3, 0x58, 0x7a, 0xea, 0x0d, 0x0f, 0x76, 0x4c, - 0xff, 0xf3, 0xc7, 0x6e, 0x48, 0x0a, 0xba, 0x37, 0x87, 0x32, 0x94, 0x44, - 0xfa, 0x06, 0x70, 0xfd, 0x9a, 0x17, 0x7e, 0x73, 0x92, 0x6e, 0xe6, 0xc9, - 0x75, 0xbb, 0xd3, 0x16, 0x92, 0xb0, 0xed, 0xfc, 0x80, 0x3d, 0xba, 0x56, - 0x82, 0xdf, 0xe7, 0xf5, 0xe1, 0xc8, 0xd7, 0x68, 0xf9, 0xc5, 0x8b, 0xf5, - 0x15, 0x3d, 0xda, 0x77, 0xc1, 0xc8, 0xb8, 0xfb, 0x02, 0x03, 0x01, 0x00, - 0x01, 0xa3, 0x32, 0x30, 0x30, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, - 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, - 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x6e, 0x04, 0x5d, - 0xde, 0x1e, 0x58, 0xca, 0x9d, 0xa4, 0x25, 0x50, 0xeb, 0xf9, 0xff, 0x3c, - 0x31, 0xb7, 0x29, 0x63, 0xa8, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, - 0x00, 0x01, 0x6d, 0xbb, 0xa9, 0xf5, 0x59, 0x07, 0xe2, 0xf5, 0x8c, 0x82, - 0x84, 0x3f, 0x13, 0xe0, 0x2f, 0x03, 
0x9b, 0xce, 0x8d, 0x48, 0x80, 0x60, - 0xda, 0xfc, 0x8e, 0x08, 0xda, 0xff, 0x83, 0x49, 0xd4, 0x10, 0x80, 0xe2, - 0x57, 0x95, 0x27, 0x92, 0xb5, 0x61, 0x23, 0x4c, 0x23, 0x3a, 0x9a, 0x61, - 0xd5, 0xdb, 0x60, 0x00, 0x7d, 0x18, 0x96, 0xc2, 0x97, 0xa7, 0x6f, 0x41, - 0x38, 0xf3, 0xb7, 0x04, 0xeb, 0x86, 0xce, 0xe3, 0x27, 0x2b, 0xf2, 0x6d, - 0x25, 0xf9, 0xc2, 0x04, 0x8a, 0x58, 0x6e, 0x32, 0x8c, 0x04, 0xe5, 0x2a, - 0x60, 0x03, 0x5c, 0x78, 0xf8, 0x34, 0xfe, 0x24, 0x67, 0x77, 0xd7, 0x7a, - 0x96, 0xec, 0x0d, 0x37, 0x74, 0x22, 0xc4, 0xa6, 0x42, 0x83, 0x3a, 0x5b, - 0xed, 0x11, 0x46, 0xfd, 0x1d, 0xd5, 0x8c, 0x39, 0x3b, 0x24, 0x70, 0x2a, - 0x4a, 0xdf, 0x54, 0xbd, 0xa5, 0x29, 0x86, 0xa5, 0xe6, 0xcb, 0xde, 0x99, - 0x8c, 0x7d, 0x80, 0xcc, 0xb1, 0x2f, 0x5e, 0xad, 0x51, 0xfa, 0x74, 0x15, - 0x17, 0xc3, 0x00, 0xfc, 0xa8, 0x7f, 0x67, 0x44, 0x5f, 0x0e, 0x29, 0x8e, - 0x74, 0x12, 0xab, 0x2c, 0xc5, 0xee, 0xd2, 0xa3, 0xb6, 0xa8, 0x78, 0xb0, - 0x04, 0x8e, 0x77, 0x33, 0x91, 0x1d, 0x8e, 0x50, 0x97, 0x61, 0x5c, 0x1f, - 0x0e, 0xe0, 0x2a, 0xfa, 0x56, 0x1d, 0x5b, 0x36, 0x63, 0xeb, 0x13, 0x70, - 0xb2, 0x40, 0x1e, 0x78, 0x41, 0x71, 0x7d, 0x81, 0x63, 0xe9, 0xec, 0xe4, - 0xe6, 0x7b, 0x63, 0x4f, 0x29, 0x75, 0x7a, 0xf7, 0x96, 0x47, 0x7d, 0x5b, - 0x11, 0xd2, 0x52, 0x17, 0x69, 0x19, 0x53, 0x3f, 0x8f, 0xc2, 0xaa, 0xaf, - 0x42, 0x35, 0x3b, 0xb2, 0x94, 0x6f, 0xcf, 0xf8, 0xb1, 0xca, 0xe7, 0x47, - 0xcc, 0xed, 0x6c, 0x97, 0xfd, 0xdd, 0x41, 0x3a, 0x22, 0x69, 0xfc, 0x3c, - 0xdf, 0x13, 0x32, 0x3c, 0xa4 -}; -unsigned int certc_len = 689; - - -unsigned char _AppleiPhoneDeviceCert_DER[] = { - 0x30, 0x82, 0x03, 0x3f, 0x30, 0x82, 0x02, 0xa8, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x0a, 0x01, 0x4c, 0x21, 0x41, 0x26, 0x71, 0x63, 0x81, 0xd8, - 0xd9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x0b, 0x05, 0x00, 0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 
0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x0c, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x68, - 0x6f, 0x6e, 0x65, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x13, 0x16, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x68, 0x6f, - 0x6e, 0x65, 0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x20, 0x43, 0x41, - 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x38, 0x30, 0x37, 0x32, 0x32, 0x31, 0x38, - 0x33, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x31, 0x31, 0x30, 0x37, 0x32, - 0x32, 0x31, 0x38, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30, 0x81, 0x87, 0x31, - 0x31, 0x30, 0x2f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x28, 0x32, 0x31, - 0x33, 0x63, 0x65, 0x65, 0x35, 0x63, 0x64, 0x31, 0x31, 0x37, 0x37, 0x38, - 0x62, 0x65, 0x65, 0x32, 0x63, 0x64, 0x31, 0x63, 0x65, 0x61, 0x36, 0x32, - 0x34, 0x62, 0x63, 0x63, 0x30, 0x61, 0x62, 0x38, 0x31, 0x33, 0x64, 0x32, - 0x33, 0x35, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, - 0x13, 0x02, 0x43, 0x41, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, - 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0f, 0x30, - 0x0d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x06, 0x69, 0x50, 0x68, 0x6f, - 0x6e, 0x65, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, - 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0x82, 0x8e, 0xda, 0x67, 0x93, - 0x6d, 0x54, 0x03, 0x98, 0xcc, 0xdb, 0xec, 0x06, 0xed, 0xd7, 0x4e, 0xc7, - 0x74, 0xc8, 0xb5, 0x91, 0x64, 0xf9, 0x52, 0x23, 0x50, 0xae, 0x4d, 0x15, - 0x22, 0x8b, 0x05, 0x03, 0x79, 0x76, 0x45, 0xfc, 0x33, 0xcb, 0x2a, 0xf1, - 0x5c, 0x96, 0x49, 0x96, 0x06, 0x11, 0x06, 0x6e, 0x76, 0xbe, 0x99, 0xdc, - 0xae, 0xf9, 0x67, 0x3d, 0x03, 0x0c, 0x07, 0x5f, 0x38, 0xe5, 0x98, 
0x64, - 0x65, 0x68, 0xd2, 0x65, 0x59, 0x9a, 0xd6, 0x70, 0x59, 0x80, 0xf2, 0x54, - 0x91, 0xb9, 0xd9, 0x45, 0x80, 0x6a, 0x29, 0x4f, 0xa7, 0xfb, 0x72, 0x75, - 0x70, 0x2a, 0xb2, 0xe9, 0x35, 0x7d, 0x63, 0x8f, 0xf7, 0x83, 0xba, 0x4a, - 0x8e, 0xb8, 0x29, 0x37, 0xde, 0x70, 0x3e, 0xc2, 0x0f, 0xc7, 0x55, 0x36, - 0xce, 0xc1, 0xd4, 0x2d, 0x11, 0xb7, 0x02, 0x46, 0x7a, 0x30, 0x69, 0xba, - 0x81, 0x60, 0x5d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xdd, 0x30, - 0x81, 0xda, 0x30, 0x81, 0x82, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x7b, - 0x30, 0x79, 0x80, 0x14, 0xb2, 0xfe, 0x21, 0x23, 0x44, 0x86, 0x95, 0x6a, - 0x79, 0xd5, 0x81, 0x26, 0x8e, 0x73, 0x10, 0xd8, 0xa7, 0x4c, 0x8e, 0x74, - 0xa1, 0x5e, 0xa4, 0x5c, 0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, - 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x0c, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x68, - 0x6f, 0x6e, 0x65, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x13, 0x16, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x68, 0x6f, - 0x6e, 0x65, 0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x20, 0x43, 0x41, - 0x82, 0x01, 0x01, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0x54, 0x8c, 0xa9, 0x72, 0xce, 0x75, 0x20, 0xf9, 0x99, 0xa0, - 0xa7, 0x9e, 0xb9, 0x1f, 0x7d, 0x70, 0x67, 0x74, 0xf5, 0x01, 0x30, 0x0c, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, - 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, - 0x03, 0x02, 0x05, 0xa0, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, - 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x03, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x32, - 0xc8, 0xf6, 0xa0, 0x75, 0x47, 0x75, 0xaf, 0x5c, 0xac, 0x0d, 0x12, 
0xc4, - 0x73, 0x63, 0x0e, 0x59, 0xee, 0x99, 0x1a, 0xea, 0xe8, 0x8c, 0x12, 0xd9, - 0x64, 0xf5, 0xe3, 0x45, 0x1e, 0x62, 0x45, 0xb5, 0xc4, 0xfc, 0xf4, 0x37, - 0x92, 0xfe, 0xb9, 0x8e, 0x06, 0x87, 0xcb, 0xf6, 0x16, 0xb7, 0xca, 0x1a, - 0x31, 0x24, 0x7e, 0xdf, 0x46, 0xd9, 0xe1, 0x26, 0x82, 0xff, 0xcd, 0xd1, - 0x10, 0xba, 0xfd, 0x1e, 0x47, 0xc4, 0x3c, 0x76, 0x0d, 0x39, 0x0b, 0x57, - 0xd9, 0xf1, 0xd5, 0x1d, 0x18, 0xd3, 0x35, 0xae, 0x1d, 0xdf, 0xec, 0xf1, - 0x2a, 0x9d, 0x61, 0x91, 0x60, 0x43, 0x15, 0x2f, 0x4b, 0x19, 0x24, 0xc9, - 0xbd, 0xf6, 0xa4, 0x66, 0x48, 0x48, 0x55, 0x67, 0xbf, 0xaa, 0x71, 0xa2, - 0x92, 0x3d, 0x3c, 0xc7, 0xdc, 0x73, 0x6e, 0x38, 0xe6, 0xae, 0x6b, 0x8e, - 0xbc, 0xbb, 0xa2, 0x75, 0xf9, 0x7a, 0x77 -}; - -/* - subject= /C=US/O=Apple Inc./OU=Apple iPhone/CN=Apple iPhone Activation - issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone Certification Authority - serial=02 -*/ -const uint8_t _AppleiPhoneActivation_DER[] = { - 0x30, 0x82, 0x03, 0x67, 0x30, 0x82, 0x02, 0x4f, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x02, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, - 0x79, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x31, 0x2d, 0x30, 0x2b, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x24, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x68, 0x6f, - 0x6e, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x37, - 0x30, 0x34, 0x31, 0x36, 0x32, 
0x32, 0x35, 0x35, - 0x30, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x34, 0x30, - 0x34, 0x31, 0x36, 0x32, 0x32, 0x35, 0x35, 0x30, - 0x32, 0x5a, 0x30, 0x5b, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x15, - 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, - 0x0c, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, - 0x50, 0x68, 0x6f, 0x6e, 0x65, 0x31, 0x20, 0x30, - 0x1e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x17, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, - 0x68, 0x6f, 0x6e, 0x65, 0x20, 0x41, 0x63, 0x74, - 0x69, 0x76, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, - 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xc5, 0x01, 0x7c, 0xd1, - 0x22, 0x60, 0x2b, 0x9a, 0x88, 0x87, 0x7d, 0xb4, - 0xb6, 0xa0, 0xf7, 0x2a, 0x01, 0xf6, 0xc4, 0xbf, - 0x47, 0x75, 0x8e, 0x4e, 0xc6, 0x6e, 0x75, 0xfb, - 0xfb, 0x86, 0x14, 0x97, 0x22, 0x1f, 0xa6, 0xbc, - 0xc1, 0x55, 0xd9, 0x66, 0xcf, 0x62, 0x47, 0x62, - 0xfd, 0x7e, 0xd3, 0x82, 0x33, 0x26, 0xd2, 0xfb, - 0x70, 0xbf, 0x7b, 0x50, 0x8e, 0xdf, 0x93, 0x48, - 0xb4, 0x38, 0xc6, 0x34, 0x6a, 0x5f, 0x1a, 0xf8, - 0x93, 0xd0, 0x6b, 0x85, 0x20, 0xeb, 0x5d, 0x53, - 0x6e, 0xa1, 0x2d, 0xfa, 0x78, 0xc0, 0x98, 0x09, - 0x20, 0x7b, 0x71, 0xd7, 0x58, 0x30, 0x5d, 0x01, - 0x70, 0xfd, 0x32, 0x19, 0x02, 0xed, 0x3f, 0xfd, - 0xa3, 0xbe, 0xf3, 0x39, 0x0d, 0x68, 0x96, 0x2e, - 0x1c, 0x51, 0xdc, 0xe5, 0x9d, 0x85, 0x9f, 0xce, - 0x65, 0xb4, 0x3d, 0xdb, 0x8e, 0xc6, 0xeb, 0xde, - 0x01, 0xe6, 0x18, 0xe3, 0x02, 0x03, 0x01, 0x00, - 0x01, 0xa3, 0x81, 0x9b, 0x30, 0x81, 0x98, 0x30, - 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, - 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, - 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, - 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, - 0x03, 0x55, 0x1d, 0x0e, 0x04, 
0x16, 0x04, 0x14, - 0xa1, 0xa0, 0xd2, 0xfe, 0xb7, 0xb4, 0x73, 0xfe, - 0x9b, 0x14, 0x6a, 0xaf, 0xcd, 0x3d, 0x73, 0x4f, - 0x1f, 0xef, 0xd6, 0x94, 0x30, 0x1f, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, - 0x14, 0xe7, 0x34, 0x2a, 0x2e, 0x22, 0xde, 0x39, - 0x60, 0x6b, 0xb4, 0x94, 0xce, 0x77, 0x83, 0x61, - 0x2f, 0x31, 0xa0, 0x7c, 0x35, 0x30, 0x38, 0x06, - 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x31, 0x30, 0x2f, - 0x30, 0x2d, 0xa0, 0x2b, 0xa0, 0x29, 0x86, 0x27, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, - 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, 0x70, - 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x69, 0x70, 0x68, - 0x6f, 0x6e, 0x65, 0x2e, 0x63, 0x72, 0x6c, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, - 0x01, 0x01, 0x00, 0x5f, 0x6a, 0x9a, 0xb5, 0x0d, - 0x74, 0x0f, 0x85, 0x44, 0xe6, 0x06, 0x3f, 0xba, - 0x56, 0x71, 0x84, 0xc0, 0x2b, 0xea, 0x4b, 0xc8, - 0xe7, 0xfd, 0xcc, 0xe6, 0x84, 0xed, 0xa7, 0x95, - 0x23, 0xcf, 0x39, 0x57, 0xc6, 0x3f, 0x04, 0xa1, - 0xe1, 0x97, 0x00, 0x28, 0xfb, 0x31, 0x24, 0x88, - 0xe5, 0x37, 0x15, 0xb1, 0x0f, 0x09, 0x2f, 0x55, - 0xb5, 0x2d, 0x7c, 0x64, 0x17, 0x30, 0x0f, 0xff, - 0x9d, 0xe5, 0x94, 0x13, 0x30, 0x59, 0x27, 0x85, - 0xc5, 0x09, 0xc1, 0xd3, 0xea, 0xaa, 0x39, 0xe6, - 0xf4, 0xba, 0x93, 0x7c, 0x7f, 0xf1, 0xe2, 0x9c, - 0x3c, 0x38, 0xd1, 0xd1, 0x0f, 0x3c, 0x47, 0x76, - 0x9f, 0x7a, 0x80, 0xe5, 0x77, 0x03, 0x8f, 0xbc, - 0x69, 0xb9, 0x28, 0x01, 0x27, 0xdc, 0x62, 0xab, - 0xc8, 0x47, 0x2a, 0x57, 0x9d, 0xbb, 0xab, 0xdd, - 0xb4, 0x51, 0x85, 0x3c, 0xc0, 0xb3, 0x85, 0x48, - 0x2d, 0x2e, 0xa3, 0x4f, 0x21, 0x58, 0xca, 0x66, - 0x5e, 0x49, 0xec, 0x2d, 0x06, 0xe6, 0xe6, 0x9a, - 0x28, 0x28, 0xd6, 0x40, 0x90, 0x89, 0x91, 0x9c, - 0xef, 0xa7, 0x39, 0x7d, 0xe0, 0xc0, 0xc8, 0x76, - 0xf6, 0x6f, 0x31, 0x2a, 0xb6, 0xfc, 0x77, 0x5a, - 0x9a, 0xe5, 0x8e, 0xd4, 0xb8, 0xe9, 0x04, 0xf9, - 0x09, 0x1e, 0x98, 0x7a, 0x58, 0xa7, 0x66, 0x78, - 0xa8, 0xdf, 0x68, 0xc0, 0xcd, 
0x16, 0x13, 0xc6, - 0xd4, 0xba, 0xaf, 0x72, 0x6c, 0xbd, 0x90, 0xe2, - 0x27, 0x4e, 0xfe, 0x10, 0x77, 0x26, 0x7c, 0x67, - 0x69, 0xc7, 0x08, 0x0e, 0xfb, 0xb6, 0xed, 0x5b, - 0x5a, 0x45, 0x6a, 0xbd, 0x19, 0x8c, 0x5f, 0x7f, - 0x8d, 0x82, 0x8a, 0x9c, 0xe6, 0x0d, 0xca, 0xf0, - 0xab, 0xc2, 0xcc, 0xe1, 0x69, 0xf6, 0xd2, 0x63, - 0x0c, 0xc0, 0x1b, 0x91, 0x09, 0xa1, 0x71, 0x41, - 0xe1, 0xdf, 0xa9, 0x89, 0x61, 0xd4, 0x0d, 0xc3, - 0xf1, 0xb5, 0xc7 -}; - -unsigned char _AppleiPhoneDeviceCA_DER[] = { - 0x30, 0x82, 0x03, 0x69, 0x30, 0x82, 0x02, 0x51, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x79, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x2d, 0x30, 0x2b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x24, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x68, 0x6f, 0x6e, 0x65, 0x20, 0x43, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, - 0x17, 0x0d, 0x30, 0x37, 0x30, 0x34, 0x31, 0x36, 0x32, 0x32, 0x35, 0x34, - 0x34, 0x36, 0x5a, 0x17, 0x0d, 0x31, 0x34, 0x30, 0x34, 0x31, 0x36, 0x32, - 0x32, 0x35, 0x34, 0x34, 0x36, 0x5a, 0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, - 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, - 0x55, 0x04, 0x0b, 0x13, 0x0c, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, - 0x50, 0x68, 0x6f, 0x6e, 
0x65, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x16, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, - 0x68, 0x6f, 0x6e, 0x65, 0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x20, - 0x43, 0x41, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, - 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xf1, 0x94, 0x4a, 0xc9, 0xea, - 0xba, 0x5a, 0x18, 0x60, 0xad, 0xcb, 0xa2, 0x4d, 0x4d, 0x4e, 0x54, 0x19, - 0x69, 0x17, 0x59, 0x07, 0x66, 0xcb, 0x97, 0xe8, 0x66, 0x9a, 0x47, 0x5f, - 0x46, 0xae, 0x67, 0x7a, 0xb5, 0x4a, 0x73, 0x54, 0xb1, 0xcb, 0x04, 0xf6, - 0xbd, 0x36, 0xb8, 0x0c, 0x55, 0x38, 0x8a, 0x84, 0x83, 0x31, 0x52, 0x65, - 0xf9, 0x33, 0xe1, 0x97, 0x77, 0x9c, 0x2b, 0x4c, 0x26, 0xb0, 0x25, 0x3f, - 0xe9, 0x32, 0xaa, 0x7b, 0x08, 0x74, 0x94, 0xec, 0xc1, 0x4b, 0x38, 0x1d, - 0x67, 0x4e, 0x08, 0x52, 0x94, 0x5a, 0x8b, 0x59, 0xa3, 0x5c, 0xd7, 0x93, - 0xf4, 0xa0, 0xfe, 0x55, 0x85, 0xbb, 0x4c, 0x46, 0x97, 0x5e, 0x6e, 0xb2, - 0x77, 0x45, 0x2f, 0x67, 0x5c, 0xbc, 0x0b, 0x18, 0xbf, 0x59, 0xb9, 0x6c, - 0x86, 0xf7, 0x2a, 0x75, 0x76, 0xd2, 0x19, 0x71, 0xf4, 0x29, 0x63, 0xb9, - 0x25, 0x0b, 0xaf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x9e, 0x30, - 0x81, 0x9b, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, - 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, - 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, - 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xb2, 0xfe, - 0x21, 0x23, 0x44, 0x86, 0x95, 0x6a, 0x79, 0xd5, 0x81, 0x26, 0x8e, 0x73, - 0x10, 0xd8, 0xa7, 0x4c, 0x8e, 0x74, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, - 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xe7, 0x34, 0x2a, 0x2e, 0x22, - 0xde, 0x39, 0x60, 0x6b, 0xb4, 0x94, 0xce, 0x77, 0x83, 0x61, 0x2f, 0x31, - 0xa0, 0x7c, 0x35, 0x30, 0x38, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x31, - 0x30, 0x2f, 0x30, 0x2d, 0xa0, 0x2b, 0xa0, 0x29, 0x86, 0x27, 0x68, 0x74, - 0x74, 0x70, 0x3a, 0x2f, 
0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, - 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, - 0x63, 0x61, 0x2f, 0x69, 0x70, 0x68, 0x6f, 0x6e, 0x65, 0x2e, 0x63, 0x72, - 0x6c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x77, 0x5d, 0xcf, - 0x67, 0x7a, 0x4c, 0x56, 0x2b, 0xa4, 0x54, 0x77, 0xbd, 0x59, 0x48, 0x3c, - 0x1e, 0xe9, 0xbe, 0xd0, 0x8f, 0xf4, 0x90, 0x72, 0xaf, 0x8e, 0x1c, 0x15, - 0x77, 0xf2, 0x0c, 0xc0, 0x69, 0x57, 0xc9, 0x4e, 0xc3, 0x85, 0x46, 0x16, - 0x76, 0x36, 0xb6, 0x5f, 0xfc, 0xea, 0x8f, 0xb5, 0xb6, 0xe0, 0x0a, 0xb9, - 0xed, 0xd1, 0x0a, 0x9b, 0x77, 0xea, 0xab, 0x12, 0xb9, 0x5c, 0x21, 0x55, - 0x19, 0x8e, 0x47, 0x23, 0x47, 0x11, 0xb1, 0xd1, 0x0d, 0xc9, 0x33, 0xfb, - 0x97, 0x14, 0xa2, 0x89, 0x34, 0x58, 0x8f, 0x69, 0xa5, 0x3d, 0xe7, 0x61, - 0x78, 0x29, 0xfe, 0x93, 0xa4, 0xf9, 0xcb, 0x45, 0x38, 0x5e, 0xbe, 0x34, - 0x15, 0x7c, 0x16, 0x6f, 0x69, 0xd6, 0xa8, 0x21, 0x75, 0x02, 0x02, 0x2e, - 0x76, 0x18, 0x2f, 0x55, 0xbc, 0x65, 0xbe, 0xa7, 0x31, 0x52, 0x6f, 0x19, - 0xcf, 0xbc, 0x83, 0x78, 0x9d, 0x09, 0x16, 0x8b, 0xd7, 0x42, 0x1c, 0x8e, - 0xe5, 0xf2, 0xd4, 0x1d, 0x12, 0xc2, 0x40, 0x5b, 0x2c, 0x01, 0xb7, 0xfc, - 0x07, 0x88, 0xbc, 0xad, 0x86, 0x2c, 0x05, 0x48, 0x58, 0x4e, 0xca, 0x55, - 0x25, 0xcc, 0x55, 0xa4, 0x82, 0x25, 0xb6, 0x46, 0x29, 0x74, 0x84, 0x52, - 0x20, 0x04, 0x40, 0xe3, 0xd1, 0xcd, 0xbc, 0xa2, 0xb8, 0x87, 0x38, 0xf3, - 0x31, 0x2f, 0xce, 0x84, 0xa4, 0x29, 0x54, 0xac, 0x3e, 0x38, 0x21, 0x19, - 0xc6, 0x9b, 0x42, 0x55, 0xe3, 0x76, 0xa6, 0x36, 0xdd, 0xb7, 0xdb, 0xb3, - 0x8b, 0x5e, 0xf9, 0xa1, 0x5a, 0x3f, 0xbb, 0xa0, 0x76, 0x02, 0xb2, 0x80, - 0x5b, 0x5e, 0xee, 0xe9, 0x71, 0x07, 0x21, 0xd0, 0xcc, 0x39, 0xee, 0xdc, - 0x6f, 0x7d, 0xe9, 0x79, 0x52, 0x3a, 0x4c, 0x3d, 0x79, 0x5b, 0x83, 0x08, - 0xa7, 0x24, 0x0f, 0x6e, 0x9f, 0x28, 0xae, 0x55, 0xde, 0xfa, 0xd0, 0x3c, - 0x24 -}; - -/* - subject= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone 
Certification Authority - issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA - serial=17 -*/ -const uint8_t _AppleiPhoneCertificationAuthority_DER[] = { - 0x30, 0x82, 0x03, 0xf3, 0x30, 0x82, 0x02, 0xdb, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x17, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, - 0x62, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x31, 0x16, 0x30, 0x14, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, - 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x30, - 0x37, 0x30, 0x34, 0x31, 0x32, 0x31, 0x37, 0x34, - 0x33, 0x32, 0x38, 0x5a, 0x17, 0x0d, 0x32, 0x32, - 0x30, 0x34, 0x31, 0x32, 0x31, 0x37, 0x34, 0x33, - 0x32, 0x38, 0x5a, 0x30, 0x79, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, - 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x2d, 0x30, 0x2b, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x13, 0x24, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x69, 0x50, 0x68, 0x6f, 0x6e, 0x65, 0x20, 0x43, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x82, - 0x01, 0x22, 0x30, 
0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, - 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa3, - 0x1e, 0xbe, 0xf0, 0x47, 0xc0, 0xb4, 0x9e, 0x10, - 0x5b, 0x46, 0xa4, 0xb8, 0x21, 0xb8, 0x4f, 0x86, - 0x21, 0x70, 0x28, 0x45, 0x60, 0x5c, 0x1c, 0xc3, - 0xc8, 0x0a, 0x64, 0x63, 0x88, 0xfb, 0xfc, 0x69, - 0xee, 0xf8, 0x54, 0xfc, 0xe9, 0x5b, 0xb7, 0x06, - 0x4e, 0x04, 0x2f, 0xc3, 0x6b, 0x33, 0xaf, 0x44, - 0x4c, 0xea, 0x4b, 0x80, 0x09, 0xb4, 0x87, 0xf6, - 0x5b, 0xb4, 0xfd, 0x64, 0xdd, 0xb3, 0x72, 0xe0, - 0x13, 0xb3, 0xfd, 0x17, 0xd9, 0xbc, 0xe7, 0xa8, - 0xed, 0xc2, 0x8c, 0x61, 0xc2, 0x2a, 0xf9, 0xec, - 0xce, 0xa5, 0x5e, 0xd6, 0x69, 0xeb, 0x64, 0x0b, - 0x8d, 0x08, 0x8f, 0xb8, 0xa0, 0x50, 0x46, 0x09, - 0xdc, 0x19, 0xe4, 0xe5, 0xb0, 0x94, 0x6d, 0xbb, - 0xf7, 0x99, 0x98, 0xc4, 0xe8, 0x9b, 0x41, 0x4e, - 0xd4, 0xf1, 0x65, 0xe3, 0x1b, 0x52, 0x7a, 0xdc, - 0xe8, 0x03, 0xd9, 0x6e, 0x1d, 0xda, 0x10, 0x55, - 0x86, 0xa4, 0x29, 0x58, 0x49, 0x0c, 0xea, 0x47, - 0xd7, 0x15, 0x34, 0x33, 0xf6, 0xc0, 0xa0, 0x44, - 0x4a, 0x70, 0xbe, 0x2c, 0xb5, 0x2a, 0x30, 0x37, - 0x8c, 0x2e, 0x15, 0xeb, 0xd1, 0xe4, 0x6c, 0x97, - 0x38, 0x55, 0x56, 0xb1, 0x35, 0x2b, 0x58, 0xea, - 0x44, 0xa3, 0x26, 0x85, 0xee, 0xc8, 0x66, 0x4a, - 0xe4, 0xcf, 0x89, 0xf0, 0x3d, 0x63, 0xad, 0x29, - 0xde, 0xad, 0xba, 0x5a, 0xb3, 0xdc, 0xa5, 0xa3, - 0x9a, 0xa7, 0x09, 0x4e, 0x80, 0x16, 0x35, 0x65, - 0xa4, 0x85, 0x0d, 0x63, 0x7b, 0x3e, 0x63, 0x8a, - 0xda, 0x7d, 0x4a, 0x46, 0xec, 0xa3, 0x39, 0x18, - 0x34, 0xb9, 0xc6, 0x28, 0x65, 0x18, 0xbc, 0x13, - 0x60, 0x9c, 0x7f, 0x57, 0xac, 0x14, 0xc9, 0x89, - 0xed, 0xa1, 0xb6, 0x87, 0x68, 0x52, 0xb6, 0x84, - 0x4e, 0xb8, 0xc8, 0x83, 0xec, 0xf9, 0x9e, 0x19, - 0xab, 0xb3, 0xc1, 0x0b, 0x86, 0xc7, 0x9f, 0x02, - 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0x9c, 0x30, - 0x81, 0x99, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, - 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, - 0x13, 0x01, 0x01, 
0xff, 0x04, 0x05, 0x30, 0x03, - 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xe7, 0x34, - 0x2a, 0x2e, 0x22, 0xde, 0x39, 0x60, 0x6b, 0xb4, - 0x94, 0xce, 0x77, 0x83, 0x61, 0x2f, 0x31, 0xa0, - 0x7c, 0x35, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, - 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x2b, - 0xd0, 0x69, 0x47, 0x94, 0x76, 0x09, 0xfe, 0xf4, - 0x6b, 0x8d, 0x2e, 0x40, 0xa6, 0xf7, 0x47, 0x4d, - 0x7f, 0x08, 0x5e, 0x30, 0x36, 0x06, 0x03, 0x55, - 0x1d, 0x1f, 0x04, 0x2f, 0x30, 0x2d, 0x30, 0x2b, - 0xa0, 0x29, 0xa0, 0x27, 0x86, 0x25, 0x68, 0x74, - 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, - 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, - 0x63, 0x61, 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x2e, - 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x1d, - 0xd1, 0xd5, 0x7b, 0xdd, 0x74, 0x4e, 0xd7, 0x17, - 0xfc, 0x82, 0x2d, 0x0c, 0x99, 0x9b, 0x5e, 0x42, - 0x72, 0xf2, 0x69, 0xdc, 0xd5, 0x6b, 0x5e, 0x0d, - 0x0c, 0x6b, 0x4b, 0x3e, 0x7b, 0x14, 0x25, 0xde, - 0xb3, 0x94, 0xe8, 0xa0, 0xfa, 0x0f, 0x80, 0x89, - 0xf2, 0x17, 0x3d, 0x00, 0x02, 0xa2, 0x91, 0x91, - 0xbe, 0x74, 0x57, 0xdc, 0xaf, 0x9a, 0x9f, 0xa1, - 0x0a, 0x7d, 0x30, 0xbe, 0x00, 0x2a, 0xcc, 0x21, - 0x59, 0xeb, 0xfd, 0x49, 0xac, 0x6e, 0x75, 0x19, - 0xe8, 0x9a, 0x7a, 0x03, 0xd1, 0x86, 0xf6, 0xe7, - 0xf6, 0xb0, 0x0e, 0x4b, 0x49, 0xfa, 0xa3, 0xb7, - 0x41, 0xba, 0xd7, 0xd1, 0xe3, 0x56, 0xa1, 0x7d, - 0x83, 0xab, 0x97, 0xae, 0xf8, 0x51, 0x4a, 0x26, - 0xc1, 0x85, 0x42, 0x13, 0x26, 0x8d, 0x03, 0x54, - 0x66, 0x10, 0x5e, 0x60, 0x84, 0x05, 0x12, 0x31, - 0x2b, 0x6b, 0x54, 0xc0, 0xa0, 0xc8, 0x41, 0xbc, - 0x54, 0x1e, 0xe7, 0x54, 0xad, 0x13, 0x00, 0xd2, - 0x4a, 0xc7, 0xbb, 0xc1, 0x8a, 0xaf, 0x81, 0x08, - 0x8e, 0xf0, 0x46, 0x0a, 0xbf, 0x27, 0xa6, 0xbe, - 0xdc, 0xcf, 0x39, 0x3a, 0x80, 0x70, 0x19, 0x23, - 0x32, 0xa3, 0x6b, 0x66, 0x5d, 0x9e, 0x4d, 0xa8, - 0x47, 0x49, 0xb2, 
0x7b, 0x45, 0xb5, 0x51, 0x33, - 0xa7, 0x74, 0x67, 0x09, 0x4e, 0xb6, 0x6c, 0x6f, - 0x48, 0xf7, 0x2c, 0xb9, 0x33, 0x05, 0x44, 0x6b, - 0x45, 0xbe, 0x74, 0x4b, 0x6f, 0xb2, 0x86, 0x91, - 0xb4, 0x3e, 0x25, 0x28, 0x25, 0x9e, 0xb3, 0xc2, - 0x51, 0x86, 0xfc, 0x4f, 0xe5, 0xaf, 0x3b, 0xaa, - 0xbb, 0x44, 0x2c, 0x01, 0x49, 0xe2, 0x74, 0xb3, - 0x34, 0xfa, 0x44, 0xef, 0x14, 0xc2, 0x11, 0xf2, - 0x2d, 0x19, 0x1a, 0x51, 0x89, 0xd3, 0x08, 0x4a, - 0x41, 0x6c, 0x58, 0x56, 0xde, 0x9b, 0x3a, 0xe1, - 0x05, 0x57, 0xe5, 0x62, 0xcf, 0xd2, 0x0f -}; - -static const unsigned char _AppleFactoryDeviceCA_DER[] = { - 0x30, 0x82, 0x03, 0x78, 0x30, 0x82, 0x02, 0x60, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, 0x80, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, - 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, - 0x31, 0x34, 0x30, 0x32, 0x06, 0x03, 0x55, 0x04, 0x03, 0x14, 0x2b, 0x5b, - 0x54, 0x45, 0x53, 0x54, 0x5d, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x69, 0x50, 0x68, 0x6f, 0x6e, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x37, - 0x30, 0x33, 0x32, 0x31, 0x30, 0x36, 0x32, 0x30, 0x35, 0x30, 0x5a, 0x17, - 0x0d, 0x32, 0x32, 0x30, 0x33, 0x31, 0x32, 0x30, 0x36, 0x32, 0x30, 0x35, - 0x30, 0x5a, 0x30, 0x61, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, - 
0x63, 0x2e, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, - 0x0c, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x68, 0x6f, 0x6e, - 0x65, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x03, 0x14, 0x1d, - 0x5b, 0x54, 0x45, 0x53, 0x54, 0x5d, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x69, 0x50, 0x68, 0x6f, 0x6e, 0x65, 0x20, 0x44, 0x65, 0x76, 0x69, - 0x63, 0x65, 0x20, 0x43, 0x41, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xd7, 0x60, - 0x52, 0x2a, 0xfa, 0x93, 0x52, 0xdc, 0xdb, 0xae, 0x92, 0x6b, 0xd6, 0xac, - 0x59, 0x17, 0x1f, 0x9a, 0x20, 0xed, 0x34, 0xae, 0xc2, 0x15, 0xe8, 0xe3, - 0xf0, 0x3b, 0x63, 0x84, 0xd8, 0x6d, 0x8d, 0x02, 0x65, 0x74, 0xe6, 0x62, - 0x18, 0x27, 0xd1, 0xfc, 0x78, 0xc3, 0x2f, 0x36, 0x83, 0x39, 0x91, 0x9f, - 0x3d, 0x32, 0xe0, 0x95, 0x7f, 0x90, 0x3b, 0xab, 0x47, 0xbe, 0xf1, 0x47, - 0x85, 0x8c, 0x5d, 0xab, 0x1c, 0x5c, 0xbb, 0x10, 0x69, 0x47, 0x56, 0xb8, - 0x15, 0xbf, 0x34, 0x4a, 0xf0, 0x49, 0x6e, 0x8a, 0x35, 0x4a, 0x4f, 0x47, - 0xbb, 0x3e, 0xea, 0xcc, 0xdf, 0x2e, 0xf4, 0xb8, 0x96, 0x16, 0x94, 0xdd, - 0x38, 0xf6, 0xf0, 0x82, 0xcf, 0x26, 0xfd, 0x67, 0xa1, 0x73, 0x01, 0x43, - 0xd8, 0x25, 0xbd, 0x02, 0x2c, 0x82, 0x89, 0x7c, 0x70, 0x01, 0x68, 0xc2, - 0x8a, 0x85, 0x60, 0x84, 0x77, 0x83, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x81, 0x9e, 0x30, 0x81, 0x9b, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, - 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, - 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, - 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, - 0x14, 0x38, 0x05, 0x20, 0xa9, 0x3f, 0xc6, 0x79, 0xf4, 0xec, 0x9a, 0x6f, - 0x7f, 0x47, 0x02, 0x5e, 0x6e, 0xa4, 0x79, 0x11, 0xf5, 0x30, 0x1f, 0x06, - 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0xa2, - 0x4c, 0xa9, 0x8a, 0x5b, 0x4a, 0x27, 0x5e, 0x85, 0xa6, 0x4d, 0x05, 0x1c, - 
0x27, 0x44, 0xa5, 0x87, 0x76, 0x17, 0x30, 0x38, 0x06, 0x03, 0x55, 0x1d, - 0x1f, 0x04, 0x31, 0x30, 0x2f, 0x30, 0x2d, 0xa0, 0x2b, 0xa0, 0x29, 0x86, - 0x27, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, - 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, - 0x70, 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x69, 0x70, 0x68, 0x6f, 0x6e, 0x65, - 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, - 0x8d, 0xbe, 0x6b, 0xc8, 0x4e, 0x80, 0x9e, 0x78, 0x86, 0x0c, 0x09, 0xd0, - 0x6e, 0xed, 0xc1, 0xdc, 0x30, 0xf7, 0x29, 0x4b, 0x20, 0x4e, 0x2c, 0x6c, - 0xb3, 0x24, 0x72, 0xfd, 0xce, 0x24, 0x34, 0x60, 0x95, 0x30, 0xd7, 0x32, - 0x61, 0x31, 0xe5, 0xd4, 0xd5, 0x63, 0xaa, 0x3f, 0x89, 0x81, 0xf6, 0x44, - 0xab, 0x71, 0xd0, 0xbc, 0x17, 0xdb, 0xab, 0xbc, 0xec, 0xbb, 0xa4, 0x40, - 0x6a, 0xe7, 0xe4, 0x57, 0xc6, 0x28, 0x6f, 0x11, 0x72, 0xfc, 0x0c, 0x51, - 0x07, 0x31, 0xdb, 0x40, 0x54, 0xee, 0xb5, 0xe6, 0x1e, 0xe3, 0xdc, 0x9b, - 0xf9, 0x3c, 0x6a, 0xba, 0xd8, 0xc3, 0x20, 0xf1, 0xdd, 0x49, 0xcb, 0x3a, - 0xa6, 0x29, 0xcd, 0x52, 0xf9, 0xf3, 0xf3, 0x18, 0x5e, 0xdd, 0x82, 0x83, - 0xb8, 0xe8, 0x4e, 0x94, 0x10, 0x7a, 0x1e, 0x11, 0xa0, 0x63, 0x4d, 0x8e, - 0x60, 0x4a, 0x1d, 0x45, 0x72, 0x4d, 0xa0, 0xac, 0x1f, 0xb0, 0x98, 0x8b, - 0xb4, 0x33, 0x5a, 0x85, 0x60, 0xcf, 0x7f, 0x89, 0x35, 0x62, 0x65, 0xd1, - 0x1b, 0x48, 0xa4, 0xec, 0xca, 0x60, 0x1a, 0x9d, 0xa6, 0xd1, 0xb9, 0x3d, - 0xf3, 0x64, 0xa4, 0x67, 0xd1, 0xa5, 0x1b, 0xb6, 0xd9, 0xe7, 0x65, 0x75, - 0xcb, 0xaf, 0x2f, 0x7a, 0xdb, 0xd8, 0xa1, 0xf4, 0xf3, 0x09, 0xbf, 0x9a, - 0x99, 0x1a, 0x34, 0xa6, 0xed, 0x1f, 0x82, 0x84, 0x0b, 0xb6, 0xa8, 0x68, - 0x5d, 0xec, 0x49, 0xd4, 0xb3, 0x34, 0x84, 0xaf, 0xcb, 0xa4, 0xd9, 0x00, - 0xf0, 0xbc, 0x07, 0x6c, 0x17, 0xe7, 0x95, 0xbb, 0xc3, 0x3d, 0xd9, 0xbb, - 0x6a, 0x13, 0x1d, 0x34, 0xbd, 0x2f, 0xc1, 0x9a, 0xf1, 0x4d, 0x67, 0x5f, - 0x56, 0x33, 0x90, 0xb2, 0xef, 0xff, 0x27, 0xda, 0x19, 0x60, 0x55, 0xb0, - 
0x78, 0xc2, 0x8c, 0x34, 0x5b, 0x61, 0x3a, 0xe1, 0xec, 0x61, 0x92, 0x8b, - 0x2f, 0x04, 0x9a, 0xc6 -}; - -unsigned char _AppleFactoryDeviceCert_DER[] = { - 0x30, 0x82, 0x03, 0x7c, 0x30, 0x82, 0x02, 0xe5, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x61, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x15, 0x30, 0x13, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x0c, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x69, 0x50, 0x68, 0x6f, 0x6e, 0x65, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x14, 0x1d, 0x5b, 0x54, 0x45, 0x53, 0x54, 0x5d, 0x20, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x68, 0x6f, 0x6e, 0x65, - 0x20, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x20, 0x43, 0x41, 0x30, 0x1e, - 0x17, 0x0d, 0x30, 0x39, 0x30, 0x31, 0x32, 0x30, 0x30, 0x36, 0x32, 0x36, - 0x34, 0x33, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x30, 0x31, 0x31, 0x38, 0x30, - 0x36, 0x32, 0x36, 0x34, 0x33, 0x5a, 0x30, 0x81, 0x87, 0x31, 0x31, 0x30, - 0x2f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x28, 0x63, 0x61, 0x62, 0x32, - 0x38, 0x64, 0x35, 0x36, 0x37, 0x31, 0x38, 0x64, 0x39, 0x35, 0x32, 0x34, - 0x66, 0x38, 0x31, 0x64, 0x63, 0x63, 0x31, 0x30, 0x35, 0x35, 0x38, 0x65, - 0x35, 0x34, 0x65, 0x33, 0x32, 0x35, 0x31, 0x36, 0x39, 0x63, 0x66, 0x65, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, - 0x43, 0x41, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, - 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0f, 0x30, 0x0d, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x06, 0x69, 0x50, 0x68, 0x6f, 0x6e, 
0x65, - 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, - 0x89, 0x02, 0x81, 0x81, 0x00, 0xaf, 0xe4, 0x3c, 0xd3, 0x42, 0xb5, 0x82, - 0x6f, 0x13, 0x13, 0x51, 0x67, 0xd1, 0x37, 0xec, 0xc6, 0xb9, 0xab, 0xff, - 0xde, 0x9a, 0xcc, 0x6b, 0x16, 0xc3, 0x41, 0x78, 0x77, 0x20, 0x07, 0x46, - 0xc9, 0x50, 0xab, 0x4d, 0xf4, 0xd9, 0x0e, 0x52, 0x0a, 0x86, 0x20, 0x28, - 0x19, 0xaf, 0xe0, 0x96, 0xaa, 0x4e, 0x24, 0xac, 0xad, 0xf9, 0x6b, 0x61, - 0x99, 0xda, 0x09, 0x3e, 0x7a, 0x4a, 0xe1, 0x5d, 0xa5, 0xb7, 0x12, 0xc7, - 0xf7, 0x9b, 0xf8, 0xdb, 0x3a, 0x28, 0x33, 0x07, 0x2c, 0xf0, 0xf7, 0x41, - 0xd1, 0x0f, 0xb0, 0x97, 0x01, 0xf1, 0xb3, 0x75, 0xc1, 0x4f, 0x48, 0x42, - 0x52, 0x41, 0x42, 0x99, 0x89, 0x39, 0x59, 0x96, 0xec, 0x2d, 0x72, 0xf0, - 0x32, 0x75, 0xc9, 0x00, 0xcd, 0xad, 0xf0, 0x2f, 0xbe, 0x6a, 0x07, 0xac, - 0xbc, 0x04, 0x54, 0x15, 0xe0, 0x6e, 0xcb, 0x11, 0x86, 0x77, 0xaf, 0xf2, - 0x07, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x1b, 0x30, 0x82, - 0x01, 0x17, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, - 0x00, 0x30, 0x2e, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, - 0x01, 0x0d, 0x04, 0x21, 0x16, 0x1f, 0x22, 0x4f, 0x70, 0x65, 0x6e, 0x53, - 0x53, 0x4c, 0x20, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, - 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x22, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x34, 0xe0, 0x45, 0x63, 0xa4, 0x4a, 0x7d, 0x07, 0xf2, 0x1e, 0xc1, 0x55, - 0xf3, 0x33, 0x21, 0xa5, 0xa9, 0x71, 0x92, 0x06, 0x30, 0x81, 0xad, 0x06, - 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xa5, 0x30, 0x81, 0xa2, 0x80, 0x14, - 0x38, 0x05, 0x20, 0xa9, 0x3f, 0xc6, 0x79, 0xf4, 0xec, 0x9a, 0x6f, 0x7f, - 0x47, 0x02, 0x5e, 0x6e, 0xa4, 0x79, 0x11, 0xf5, 0xa1, 0x81, 0x86, 0xa4, - 0x81, 0x83, 0x30, 0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 
0x03, - 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x34, 0x30, 0x32, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x14, 0x2b, 0x5b, 0x54, 0x45, 0x53, 0x54, 0x5d, - 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x68, 0x6f, 0x6e, - 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, - 0x79, 0x82, 0x01, 0x01, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, - 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, - 0x02, 0xc0, 0x6e, 0x4c, 0x4c, 0xeb, 0x7b, 0x02, 0xc3, 0x09, 0x05, 0x51, - 0x29, 0xc1, 0x72, 0x3f, 0x7e, 0x39, 0x3f, 0xfd, 0x1f, 0xe0, 0x09, 0x9d, - 0xff, 0xb6, 0xff, 0xda, 0xfd, 0xbc, 0xc9, 0xbd, 0xb2, 0x8d, 0x59, 0xf9, - 0x89, 0x6a, 0x09, 0x96, 0x50, 0xdd, 0xf6, 0x16, 0xf6, 0x23, 0x84, 0x0b, - 0xef, 0x0d, 0xf5, 0x16, 0x59, 0x8f, 0x7b, 0xd9, 0xbe, 0x1d, 0x94, 0xab, - 0x07, 0x3c, 0x8c, 0x1e, 0x1b, 0x55, 0xa3, 0xab, 0xe7, 0x20, 0x97, 0x67, - 0x1b, 0xb6, 0xad, 0x11, 0xe9, 0x8c, 0xd5, 0x80, 0xba, 0x3b, 0xad, 0xf8, - 0x4e, 0x15, 0xce, 0x47, 0x4d, 0x2a, 0x67, 0x74, 0x4f, 0xe3, 0x3c, 0x95, - 0x46, 0xed, 0x90, 0x33, 0x25, 0x01, 0x53, 0x74, 0x41, 0x29, 0xa5, 0x51, - 0xee, 0x7a, 0x8c, 0x2e, 0x09, 0x0f, 0x2f, 0x25, 0x35, 0x81, 0x8a, 0x2e, - 0xc3, 0x4b, 0xce, 0x79, 0xe1, 0xf8, 0x31, 0xeb -}; - - -/* Test basic add delete update copy matching stuff. 
*/ -static void tests(void) -{ - SecTrustRef trust; - SecCertificateRef _device_cert, _device_ca, _device_activation, - _iphone_cert_authority, _factory_device_ca, _factory_device_cert; - isnt(_device_activation = SecCertificateCreateWithBytes(NULL, - _AppleiPhoneActivation_DER, sizeof(_AppleiPhoneActivation_DER)), - NULL, "create iphone activation cert"); - isnt(_iphone_cert_authority = SecCertificateCreateWithBytes(NULL, - _AppleiPhoneCertificationAuthority_DER, - sizeof(_AppleiPhoneCertificationAuthority_DER)), - NULL, "create iphone cert authority"); - isnt(_device_ca = SecCertificateCreateWithBytes(NULL, - _AppleiPhoneDeviceCA_DER, - sizeof(_AppleiPhoneDeviceCA_DER)), - NULL, "create iphone device CA"); - isnt(_device_cert = SecCertificateCreateWithBytes(NULL, - _AppleiPhoneDeviceCert_DER, - sizeof(_AppleiPhoneDeviceCert_DER)), - NULL, "create iphone device certificate"); - isnt(_factory_device_ca = SecCertificateCreateWithBytes(NULL, - _AppleFactoryDeviceCA_DER, - sizeof(_AppleFactoryDeviceCA_DER)), - NULL, "create factory device authority"); - isnt(_factory_device_cert = SecCertificateCreateWithBytes(NULL, - _AppleFactoryDeviceCert_DER, - sizeof(_AppleFactoryDeviceCert_DER)), - NULL, "create factory device certificate"); - - const void *v_certs[] = { - _device_activation, - _iphone_cert_authority - }; - SecPolicyRef policy = SecPolicyCreateiPhoneActivation(); - CFArrayRef certs = CFArrayCreate(NULL, v_certs, - array_size(v_certs), NULL); - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); - - SecTrustResultType trustResult; - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultUnspecified, - "trust is kSecTrustResultUnspecified"); - - is(SecTrustGetCertificateCount(trust), 3, "cert count is 3"); - - CFArrayRef anchors = CFArrayCreate(NULL, (const void **)&_iphone_cert_authority, - 1, &kCFTypeArrayCallBacks); - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set 
anchors"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultRecoverableTrustFailure, - "trust is kSecTrustResultRecoverableTrustFailure"); - is(SecTrustGetCertificateCount(trust), 2, "cert count is 2"); - - CFReleaseSafe(anchors); - CFReleaseSafe(trust); - CFReleaseSafe(policy); - CFReleaseSafe(certs); - CFReleaseSafe(_device_activation); - - /* SHA256 signature test */ - policy = SecPolicyCreateiPhoneDeviceCertificate(); - const void *v_dev_certs[] = { - _device_cert, - _device_ca, - _iphone_cert_authority - }; - certs = CFArrayCreate(NULL, v_dev_certs, - array_size(v_dev_certs), NULL); - - /* leaf is valid from 238444365-333052365 */ - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); - CFDateRef date = CFDateCreate(NULL, 220752000.0); /* 1 Jan 2008 */ - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - CFRelease(date); - - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultUnspecified, "trusted"); - - CFReleaseSafe(trust); - CFReleaseSafe(policy); - CFReleaseSafe(certs); - - certs = CFArrayCreate(NULL, (const void **)&_factory_device_cert, 1, NULL); - anchors = CFArrayCreate(NULL, (const void **)&_factory_device_ca, 1, NULL); - policy = SecPolicyCreateFactoryDeviceCertificate(); - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); - /* pick date outside of validity range: 254125603-569485603 */ - date = CFDateCreate(NULL, 220752000.0); /* 1 Jan 2008 */ - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - CFRelease(date); - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchor"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultUnspecified, "trusted"); - is(2, SecTrustGetCertificateCount(trust), "cert count is 2"); - - CFReleaseSafe(trust); - CFReleaseSafe(policy); - CFReleaseSafe(certs); - 
CFReleaseSafe(anchors); - - CFReleaseSafe(_iphone_cert_authority); - CFReleaseSafe(_device_ca); - CFReleaseSafe(_device_cert); - CFReleaseSafe(_factory_device_ca); - CFReleaseSafe(_factory_device_cert); - - SecCertificateRef _pairing_host_cert, _pairing_root_cert, _wrong_pairing_root_cert; - isnt(_pairing_host_cert = SecCertificateCreateWithBytes(NULL, - certa, certa_len), - NULL, "create iphone activation cert"); - isnt(_pairing_root_cert = SecCertificateCreateWithBytes(NULL, - certb, certb_len), - NULL, "create iphone cert authority"); - isnt(_wrong_pairing_root_cert = SecCertificateCreateWithBytes(NULL, - certc, certc_len), - NULL, "create iphone cert authority"); - - const void *pairing_certs_chain[] = { - _pairing_host_cert, - _pairing_root_cert - }; - policy = SecPolicyCreateLockdownPairing(); - certs = CFArrayCreate(NULL, pairing_certs_chain, - array_size(pairing_certs_chain), NULL); - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); - - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultRecoverableTrustFailure, - "trust is kSecTrustResultRecoverableTrustFailure"); - - is(SecTrustGetCertificateCount(trust), 2, "cert count is 2"); - - anchors = CFArrayCreate(NULL, (const void **)&_pairing_root_cert, - 1, &kCFTypeArrayCallBacks); - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultUnspecified, - "trust is kSecTrustResultUnspecified"); - is(SecTrustGetCertificateCount(trust), 2, "cert count is 2"); - CFReleaseSafe(trust); - CFReleaseSafe(certs); - - ok_status(SecTrustCreateWithCertificates(anchors, policy, &trust), "create trust"); - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultUnspecified, - "trust is 
kSecTrustResultUnspecified"); - CFReleaseSafe(trust); - - certs = CFArrayCreate(NULL, (const void **)&_wrong_pairing_root_cert, - 1, NULL); - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultRecoverableTrustFailure, - "trust is kSecTrustResultRecoverableTrustFailure"); - - CFReleaseSafe(policy); - CFReleaseSafe(certs); - CFReleaseSafe(trust); - CFReleaseSafe(anchors); - - CFReleaseSafe(_pairing_root_cert); - CFReleaseSafe(_pairing_host_cert); - CFReleaseSafe(_wrong_pairing_root_cert); - -} - -int si_20_sectrust_activation(int argc, char *const *argv) -{ - plan_tests(43); - - tests(); - - return 0; -} diff --git a/OSX/sec/Security/Regressions/secitem/si-20-sectrust.c b/OSX/sec/Security/Regressions/secitem/si-20-sectrust.c index f53e135b..5240ddbe 100644 --- a/OSX/sec/Security/Regressions/secitem/si-20-sectrust.c +++ b/OSX/sec/Security/Regressions/secitem/si-20-sectrust.c 
@@ -5,24 +5,33 @@ #include <CoreFoundation/CoreFoundation.h> #include <Security/SecCertificate.h> #include <Security/SecCertificatePriv.h> -#include <Security/SecInternal.h> #include <Security/SecPolicyPriv.h> #include <Security/SecTrustPriv.h> #include <Security/SecItem.h> -#include <ipc/securityd_client.h> #include <utilities/array_size.h> #include <utilities/SecCFWrappers.h> #include <stdlib.h> #include <unistd.h> -#include "Security_regressions.h" +#if TARGET_OS_IPHONE +#include <Security/SecInternal.h> +#include <ipc/securityd_client.h> +#endif + +#include "shared_regressions.h" #include "si-20-sectrust.h" -/* Test basic add delete update copy matching stuff. */ +/* Test SecTrust API. */ static void basic_tests(void) { - SecTrustRef trust; - SecCertificateRef cert0, cert1; + SecTrustRef trust = NULL; + CFArrayRef _anchors = NULL, certs = NULL, anchors = NULL, replacementPolicies; + SecCertificateRef cert0 = NULL, cert1 = NULL, _root = NULL, cert_xedge2 = NULL, garthc2 = NULL; + SecPolicyRef policy = NULL, replacementPolicy = NULL, replacementPolicy2 = NULL; + CFDateRef date = NULL; + CFDataRef c0_serial = NULL, serial = NULL; + CFDictionaryRef query = NULL; + isnt(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)), NULL, "create cert0"); isnt(cert1 = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)), @@ -31,8 +40,8 @@ static void basic_tests(void) cert0, cert1 }; - SecPolicyRef policy = SecPolicyCreateSSL(false, NULL); - CFArrayRef certs = CFArrayCreate(NULL, v_certs, + policy = SecPolicyCreateSSL(false, NULL); + certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), NULL); /* SecTrustCreateWithCertificates failures. */ 
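Review bot: In the hoisted declaration block of basic_tests, `replacementPolicies` is the only variable not initialised to NULL (`CFArrayRef _anchors = NULL, certs = NULL, anchors = NULL, replacementPolicies;`), which breaks the convention the rest of the block establishes and leaves one pointer indeterminate until its assignment far below; `CFArrayRef _anchors = NULL, certs = NULL, anchors = NULL, replacementPolicies = NULL;` closes that gap. The new `#if TARGET_OS_IPHONE` evaluates silently to 0 when the macro is not defined, so the platform-specific includes and the later SKIP block now depend on `<CoreFoundation/CoreFoundation.h>` transitively providing `<TargetConditionals.h>`; an explicit `#include <TargetConditionals.h>` ahead of the `#if` makes that dependency visible and keeps a header reshuffle from quietly selecting the macOS branch. The body of basic_tests continues well past this hunk.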
@@ -52,13 +61,14 @@ static void basic_tests(void) is(SecTrustGetCertificateAtIndex(trust, 0), cert0, "cert 0 is leaf"); /* Jul 30 2014. */ - CFDateRef date = NULL; isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 30, 12, 0, 0), NULL, "create verify date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set date"); SecTrustResultType trustResult; +#if TARGET_OS_IPHONE SKIP: { #ifdef NO_SERVER skip("Can't fail to connect to securityd in NO_SERVER mode", 4, false); @@ -74,6 +84,7 @@ SKIP: { SecServerSetMachServiceName(NULL); // End of Restore OS environment tests } +#endif ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); is_status(trustResult, kSecTrustResultUnspecified, 
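Review bot: The added `if (!date) { goto errOut; }` guards the date but not `trust`, which the very next line `ok_status(SecTrustSetVerifyDate(trust, date), "set date");` passes along after a `SecTrustCreateWithCertificates` call earlier in basic_tests (outside this hunk) whose failure is only recorded by `ok_status`; the same one-line shape, `if (!trust) { goto errOut; }`, placed after the trust creation would make the early-exit path consistent. The `#if TARGET_OS_IPHONE` opened here is closed by the `#endif` added in the next hunk, removing the SKIP-block assertions from the macOS build; the `plan_tests` count is outside this diff's view, so it presumably needs to differ per platform or the plan will no longer match. The enclosing function starts before and ends after this hunk.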
@@ -81,24 +92,33 @@ SKIP: { is(SecTrustGetCertificateCount(trust), 3, "cert count is 3"); - CFDataRef c0_serial = CFDataCreate(NULL, _c0_serial, sizeof(_c0_serial)); - CFDataRef serial; + if (!cert0) { goto errOut; } + c0_serial = CFDataCreate(NULL, _c0_serial, sizeof(_c0_serial)); +#if TARGET_OS_IPHONE ok(serial = SecCertificateCopySerialNumber(cert0), "copy cert0 serial"); +#else + CFErrorRef error = NULL; + ok(serial = SecCertificateCopySerialNumber(cert0, &error), "copy cert0 serial"); + CFReleaseNull(error); +#endif ok(CFEqual(c0_serial, serial), "serial matches"); + CFReleaseNull(serial); + CFReleaseNull(c0_serial); - CFArrayRef anchors = CFArrayCreate(NULL, (const void **)&cert1, 1, &kCFTypeArrayCallBacks); + anchors = CFArrayCreate(NULL, (const void **)&cert1, 1, &kCFTypeArrayCallBacks); ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); is(SecTrustGetCertificateCount(trust), 2, "cert count is 2"); - CFReleaseSafe(anchors); + CFReleaseNull(anchors); anchors = CFArrayCreate(NULL, NULL, 0, NULL); ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set empty anchors list"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure"); + CFReleaseNull(anchors); ok_status(SecTrustSetAnchorCertificatesOnly(trust, false), "trust passed in anchors and system anchors"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); 
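Review bot: `ok(CFEqual(c0_serial, serial), "serial matches");` still runs when `CFDataCreate` or `SecCertificateCopySerialNumber` returned NULL, and CFEqual does not accept a NULL argument, so a failed copy aborts the whole test process instead of recording one failed assertion; the new `if (!cert0) { goto errOut; }` only covers the certificate. Adding `if (!c0_serial || !serial) { goto errOut; }` between the `ok(serial = ...)` line and the CFEqual keeps the early exit consistent with the other new guards, and the `errOut` cleanup already releases both with `CFReleaseSafe`. The `if (!cert0)` check itself arrives long after cert0 was placed in `certs` and handed to SecTrustCreateWithCertificates in the first hunk, so it protects little here; directly after the `isnt(cert0 = ...)` at the top of basic_tests it would cover every later use. The enclosing function starts before and ends after this hunk.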
@@ -111,33 +131,32 @@ SKIP: { "trust is kSecTrustResultRecoverableTrustFailure"); /* Test cert_1 intermediate from the keychain. */ - CFReleaseSafe(trust); + CFReleaseNull(trust); ok_status(SecTrustCreateWithCertificates(cert0, policy, &trust), "create trust with single cert0"); ok_status(SecTrustSetVerifyDate(trust, date), "set date"); // Add cert1 - CFDictionaryRef query = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + query = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, kSecClass, kSecClassCertificate, kSecValueRef, cert1, NULL); ok_status(SecItemAdd(query, NULL), "add cert1 to keychain"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); // Cleanup added cert1. ok_status(SecItemDelete(query), "remove cert1 from keychain"); - CFReleaseSafe(query); + CFReleaseNull(query); is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); is(SecTrustGetCertificateCount(trust), 3, "cert count is 3"); /* Set certs to be the xedge2 leaf. */ - CFReleaseSafe(certs); - const void *cert_xedge2; + CFReleaseNull(certs); isnt(cert_xedge2 = SecCertificateCreateWithBytes(NULL, xedge2_certificate, sizeof(xedge2_certificate)), NULL, "create cert_xedge2"); - certs = CFArrayCreate(NULL, &cert_xedge2, 1, NULL); + certs = CFArrayCreate(NULL, (const void **)&cert_xedge2, 1, NULL); - CFReleaseSafe(trust); - CFReleaseSafe(policy); - CFReleaseSafe(date); + CFReleaseNull(trust); + CFReleaseNull(policy); + CFReleaseNull(date); bool server = true; policy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com")); ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), 
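Review bot: `cert_xedge2` is only reported through `isnt(...)` before `certs = CFArrayCreate(NULL, (const void **)&cert_xedge2, 1, NULL);` wraps it and passes it to `SecTrustCreateWithCertificates`; the commit adds `if (!x) { goto errOut; }` guards for `date` and `_anchors` but not for the certificates, so a NULL leaf goes into an array created with NULL callbacks and on into the trust object. `_root` in the `@@ -146,13 +165,12 @@` hunk and `garthc2` in the `@@ -226,15 +244,14 @@` hunk have the same gap. `if (!cert_xedge2) { goto errOut; }` after the isnt would match the pattern the commit introduces. The enclosing function starts before and ends after this hunk.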
@@ -146,13 +165,12 @@ SKIP: { /* This test uses a cert whose root is no longer in our trust store, * so we need to explicitly set it as a trusted anchor */ - SecCertificateRef _root; isnt(_root = SecCertificateCreateWithBytes(NULL, entrust1024RootCA, sizeof(entrust1024RootCA)), NULL, "create root"); const void *v_roots[] = { _root }; - CFArrayRef _anchors; isnt(_anchors = CFArrayCreate(NULL, v_roots, array_size(v_roots), NULL), NULL, "create anchors"); + if (!_anchors) { goto errOut; } ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors"); /* Jan 1st 2009. */ @@ -162,8 +180,8 @@ SKIP: { is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); - CFReleaseSafe(trust); - CFReleaseSafe(policy); + CFReleaseNull(trust); + CFReleaseNull(policy); server = false; policy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com")); ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), @@ -174,8 +192,8 @@ SKIP: { is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure"); - CFReleaseSafe(trust); - CFReleaseSafe(policy); + CFReleaseNull(trust); + CFReleaseNull(policy); server = true; policy = SecPolicyCreateIPSec(server, CFSTR("xedge2.apple.com")); ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), 
@@ -193,32 +211,32 @@ SKIP: { "trust is kSecTrustResultUnspecified"); #endif - CFReleaseSafe(trust); - CFReleaseSafe(policy); + CFReleaseNull(trust); + CFReleaseNull(policy); server = true; policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com")); ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust for ssl server nowhere.com"); - SecPolicyRef replacementPolicy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com")); + replacementPolicy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com")); SecTrustSetPolicies(trust, replacementPolicy); - CFReleaseSafe(replacementPolicy); + CFReleaseNull(replacementPolicy); ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors"); ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust"); is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); - CFReleaseSafe(trust); - CFReleaseSafe(policy); + CFReleaseNull(trust); + CFReleaseNull(policy); server = true; policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com")); ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust for ssl server nowhere.com"); - SecPolicyRef replacementPolicy2 = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com")); - CFArrayRef replacementPolicies = CFArrayCreate(kCFAllocatorDefault, (CFTypeRef*)&replacementPolicy2, 1, &kCFTypeArrayCallBacks); + replacementPolicy2 = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com")); + replacementPolicies = CFArrayCreate(kCFAllocatorDefault, (CFTypeRef*)&replacementPolicy2, 1, &kCFTypeArrayCallBacks); SecTrustSetPolicies(trust, replacementPolicies); - CFReleaseSafe(replacementPolicy2); - CFReleaseSafe(replacementPolicies); + CFReleaseNull(replacementPolicy2); + CFReleaseNull(replacementPolicies); ok_status(SecTrustSetAnchorCertificates(trust, _anchors), "set anchors"); ok_status(SecTrustSetVerifyDate(trust, date), "set 
xedge2 trust date to Jan 1st 2009"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust"); @@ -226,15 +244,14 @@ SKIP: { "trust is kSecTrustResultUnspecified"); /* Test self signed ssl cert with cert itself set as anchor. */ - CFReleaseSafe(trust); - CFReleaseSafe(policy); - CFReleaseSafe(certs); - CFReleaseSafe(date); - const void *garthc2; + CFReleaseNull(trust); + CFReleaseNull(policy); + CFReleaseNull(certs); + CFReleaseNull(date); server = true; isnt(garthc2 = SecCertificateCreateWithBytes(NULL, garthc2_certificate, sizeof(garthc2_certificate)), NULL, "create garthc2"); - certs = CFArrayCreate(NULL, &garthc2, 1, NULL); + certs = CFArrayCreate(NULL, (const void **)&garthc2, 1, NULL); policy = SecPolicyCreateSSL(server, CFSTR("garthc2.apple.com")); ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust for ip server garthc2.apple.com"); 
@@ -248,22 +265,59 @@ SKIP: { is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); - CFReleaseSafe(garthc2); - CFReleaseSafe(cert_xedge2); - CFReleaseSafe(anchors); - CFReleaseSafe(trust); - CFReleaseSafe(serial); - CFReleaseSafe(c0_serial); - CFReleaseSafe(policy); - CFReleaseSafe(certs); - CFReleaseSafe(cert0); - CFReleaseSafe(cert1); - CFReleaseSafe(date); + +errOut: + CFReleaseSafe(garthc2); + CFReleaseSafe(cert_xedge2); + CFReleaseSafe(anchors); + CFReleaseSafe(trust); + CFReleaseSafe(serial); + CFReleaseSafe(c0_serial); + CFReleaseSafe(policy); + CFReleaseSafe(certs); + CFReleaseSafe(cert0); + CFReleaseSafe(cert1); + CFReleaseSafe(date); CFReleaseSafe(_root); CFReleaseSafe(_anchors); } +static void negative_integer_tests(void) +{ + /* Test that we can handle and fix up negative integer value(s) in ECDSA signature */ + const void *negIntSigLeaf; + isnt(negIntSigLeaf = SecCertificateCreateWithBytes(NULL, _leaf_NegativeIntInSig, + sizeof(_leaf_NegativeIntInSig)), NULL, "create negIntSigLeaf"); + CFArrayRef certs = NULL; + isnt(certs = CFArrayCreate(NULL, &negIntSigLeaf, 1, NULL), NULL, "failed to create certs array"); + SecPolicyRef policy = NULL; + isnt(policy = SecPolicyCreateiAP(), NULL, "failed to create policy"); + SecTrustRef trust = NULL; + ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), + "create trust for negIntSigLeaf"); + + const void *rootAACA2; + isnt(rootAACA2 = SecCertificateCreateWithBytes(NULL, _root_AACA2, + sizeof(_root_AACA2)), NULL, "create rootAACA2"); + CFArrayRef anchors = NULL; + isnt(anchors = CFArrayCreate(NULL, &rootAACA2, 1, NULL), NULL, "failed to create anchors array"); + if (!anchors) { goto errOut; } + ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchor certificates"); + + SecTrustResultType trustResult; + ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); + is_status(trustResult, kSecTrustResultUnspecified, "expected 
kSecTrustResultUnspecified"); + +errOut: + CFReleaseNull(trust); + CFReleaseNull(certs); + CFReleaseNull(anchors); + CFReleaseNull(negIntSigLeaf); + CFReleaseNull(rootAACA2); + CFReleaseNull(policy); +} + static void rsa8k_tests(void) { /* Test prt_forest_fi that have a 8k RSA key */ @@ -284,7 +338,7 @@ static void rsa8k_tests(void) SecKeyRef pubkey = SecTrustCopyPublicKey(trust); isnt(pubkey, NULL, "pubkey returned"); - CFReleaseSafe(certs); + CFReleaseNull(certs); CFReleaseNull(prt_forest_fi); CFReleaseNull(policy); CFReleaseNull(trust); @@ -310,10 +364,12 @@ static void date_tests(void) SecTrustRef trust = NULL; SecTrustResultType trustResult; ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); + if (!anchors) { goto errOut; } ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); /* September 4, 2013 (prior to "notBefore" date of 2 April 2014, should fail) */ isnt(date = CFDateCreate(NULL, 400000000), NULL, "failed to create date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 23 Sep 2013"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 23 Sep 2013"); is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "expected kSecTrustResultRecoverableTrustFailure"); @@ -321,6 +377,7 @@ static void date_tests(void) /* January 17, 2016 (recent date within validity period, should succeed) */ isnt(date = CFDateCreate(NULL, 474747474), NULL, "failed to create date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 17 Jan 2016"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 17 Jan 2016"); is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified"); 
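Review bot: In the new `negative_integer_tests`, only `anchors` gets an early exit; `trust` is still handed to `SecTrustSetAnchorCertificates` and `SecTrustEvaluate` when `SecTrustCreateWithCertificates` failed and left it NULL, and `certs`/`policy` go into `SecTrustCreateWithCertificates` unconditionally even after their `isnt` checks have failed. Adding `if (!trust) { goto errOut; }` after the create call (plus matching guards for `certs` and `policy`) turns a setup failure into a reported test failure instead of a possible crash; the same gap exists in the date_tests hunks at -310 and -321 and in test_chain_of_three at -375, where `trust` is likewise unchecked after creation. The header comment `/* Test that we can handle and fix up negative integer value(s) in ECDSA signature */` pins a deliberate leniency — the r INTEGER of `_leaf_NegativeIntInSig` is encoded `0x02,0x20,0x80,…` with no leading 0x00, i.e. negative under DER — so it should also say why that malformed encoding must keep verifying (compatibility with already-issued accessory certificates, presumably) and that the fix-up is scoped to ECDSA signature parsing, so this test is not later read as licence to relax DER strictness elsewhere. The hunk also adds `errOut:` to basic_tests, whose jump sites and declarations are outside this hunk.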
@@ -328,6 +385,7 @@ static void date_tests(void) /* December 20, 9999 (far-future date within validity period, should succeed) */ isnt(date = CFDateCreate(NULL, 252423000000), NULL, "failed to create date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 20 Dec 9999"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 20 Dec 9999"); is_status(trustResult, kSecTrustResultUnspecified, "expected kSecTrustResultUnspecified"); @@ -335,15 +393,17 @@ static void date_tests(void) /* January 12, 10000 (after the "notAfter" date of 31 Dec 9999, should fail) */ isnt(date = CFDateCreate(NULL, 252425000000), NULL, "failed to create date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set trust date to 12 Jan 10000"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust on 12 Jan 10000"); is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "expected kSecTrustResultRecoverableTrustFailure"); CFReleaseNull(date); - CFReleaseSafe(trust); - CFReleaseSafe(policy); - CFReleaseSafe(anchors); - CFReleaseSafe(certs); +errOut: + CFReleaseNull(trust); + CFReleaseNull(policy); + CFReleaseNull(anchors); + CFReleaseNull(certs); CFReleaseNull(root); CFReleaseNull(leaf); } @@ -375,7 +435,9 @@ static bool test_chain_of_three(uint8_t *cert0, size_t cert0len, SecTrustRef trust = NULL; SecTrustResultType trustResult; ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "failed to create trust"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "failed to set verify date"); + if (!anchors) { goto errOut; } ok_status(SecTrustSetAnchorCertificates(trust, anchors), "failed to set anchors"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate chain"); 
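Review bot: The two new `goto errOut` jumps in test_chain_of_three leave through `return ok;` (see the -392 hunk), so `ok` must already hold `false` at the moment of the jump; its declaration is outside this hunk, so please confirm it reads `bool ok = false;` rather than being assigned only in the success branch, otherwise an early exit returns an indeterminate value. The placement is also odd: the `date` guard sits between `SecTrustCreateWithCertificates` and `SecTrustSetVerifyDate`, and the `anchors` guard after `SecTrustSetVerifyDate`, so a failed `CFDateCreate`/`CFArrayCreate` still builds the trust object first; moving each guard directly after the `isnt` that creates `date` and `anchors` skips that wasted setup, and an `if (!trust) { goto errOut; }` after the create call would cover the one object that is still unchecked. test_chain_of_three begins and ends outside this hunk.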
@@ -392,14 +454,15 @@ static bool test_chain_of_three(uint8_t *cert0, size_t cert0len, ok = true; } - CFReleaseSafe(secCert0); - CFReleaseSafe(secCert1); - CFReleaseSafe(secRoot); - CFReleaseSafe(certs); - CFReleaseSafe(anchors); - CFReleaseSafe(date); - CFReleaseSafe(policy); - CFReleaseSafe(trust); +errOut: + CFReleaseNull(secCert0); + CFReleaseNull(secCert1); + CFReleaseNull(secRoot); + CFReleaseNull(certs); + CFReleaseNull(anchors); + CFReleaseNull(date); + CFReleaseNull(policy); + CFReleaseNull(trust); return ok; } @@ -441,9 +504,14 @@ static void ec_key_size_tests() { int si_20_sectrust(int argc, char *const *argv) { - plan_tests(101+8*13); +#if TARGET_OS_IPHONE + plan_tests(101+9+(8*13)); +#else + plan_tests(97+9+(8*13)); +#endif basic_tests(); + negative_integer_tests(); rsa8k_tests(); date_tests(); rsa_key_size_tests(); diff --git a/OSX/sec/Security/Regressions/secitem/si-20-sectrust.h b/OSX/sec/Security/Regressions/secitem/si-20-sectrust.h index a854cc1d..7c0d2135 100644 --- a/OSX/sec/Security/Regressions/secitem/si-20-sectrust.h +++ b/OSX/sec/Security/Regressions/secitem/si-20-sectrust.h 
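Review bot: The new `plan_tests` expressions `101+9+(8*13)` and `97+9+(8*13)` carry no explanation of what each term covers; the `9` matches the nine `isnt`/`ok_status`/`is_status` assertions in the added `negative_integer_tests`, and the 101/97 split presumably reflects tests that are skipped off-iPhone. A comment on the `#if TARGET_OS_IPHONE` block along the lines of `/* basic_tests (platform-dependent) + negative_integer_tests (9) + 8*13 for the remaining suites */` — with the 8*13 term described by whoever knows what it counts — lets the next person who adds a test update the right term instead of re-deriving the total. Worth noting in the same comment that every `goto errOut` this patch adds skips assertions, so a setup failure will now also surface as a plan-count mismatch.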
@@ -1596,3 +1596,87 @@ unsigned char _leaf384C[665]={ 0x84,0xBF,0xE2,0x1F,0xED,0x08,0x70,0x0F,0xCA,0x45,0xBA,0x68,0x1C,0xF3,0x15,0x7E, 0xAB,0x41,0x0E,0xAB,0x84,0x29,0x33,0x87,0x3A, }; + +/* subject:/C=US/O=Apple Inc./OU=Apple Accessories/CN=IPA_204E6F2CB683A518F7726D190000C5DA */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Accessories Certification Authority - 00000002 */ +unsigned char _leaf_NegativeIntInSig[559]={ + 0x30,0x82,0x02,0x2B,0x30,0x82,0x01,0xD1,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x20, + 0x4E,0x6F,0x2C,0xB6,0x83,0xA5,0x18,0xF7,0x72,0x6D,0x19,0x00,0x00,0xC5,0xDA,0x30, + 0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,0x30,0x81,0x89,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06, + 0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E, + 0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C,0x65, + 0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, + 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x3D,0x30,0x3B,0x06,0x03,0x55,0x04, + 0x03,0x13,0x34,0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65,0x73,0x73,0x6F, + 0x72,0x69,0x65,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, + 0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20,0x30, + 0x30,0x30,0x30,0x30,0x30,0x30,0x32,0x30,0x1E,0x17,0x0D,0x31,0x35,0x31,0x32,0x33, + 0x31,0x31,0x31,0x35,0x31,0x31,0x37,0x5A,0x17,0x0D,0x34,0x39,0x31,0x32,0x33,0x31, + 0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x6D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13, + 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1A,0x30,0x18,0x06, + 0x03,0x55,0x04,0x0B,0x13,0x11,0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65, + 0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x31,0x2D,0x30,0x2B,0x06,0x03,0x55,0x04,0x03, + 
0x14,0x24,0x49,0x50,0x41,0x5F,0x32,0x30,0x34,0x45,0x36,0x46,0x32,0x43,0x42,0x36, + 0x38,0x33,0x41,0x35,0x31,0x38,0x46,0x37,0x37,0x32,0x36,0x44,0x31,0x39,0x30,0x30, + 0x30,0x30,0x43,0x35,0x44,0x41,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE, + 0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00, + 0x04,0x9A,0x21,0x88,0x3D,0x3B,0xCD,0xA9,0x9F,0x1B,0xC6,0x5F,0x47,0x5D,0xA8,0xEB, + 0x52,0x18,0x9F,0x1E,0xF3,0xD8,0x7C,0xB6,0x1D,0x39,0x7A,0x8C,0xE0,0xDB,0x79,0xB4, + 0x9D,0x37,0x16,0xB8,0x6F,0x1C,0x29,0x42,0x59,0xA5,0x4E,0xA2,0x9A,0xB1,0x0E,0xC4, + 0x55,0xCC,0x89,0x79,0x4A,0x9E,0xDB,0x95,0x7A,0xF3,0x3D,0x7F,0x58,0xAD,0xF7,0x61, + 0xB3,0xA3,0x36,0x30,0x34,0x30,0x32,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64, + 0x06,0x24,0x01,0x01,0xFF,0x04,0x22,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48, + 0xCE,0x3D,0x04,0x03,0x02,0x03,0x48,0x00,0x30,0x45,0x02,0x20,0x80,0x6B,0x96,0x6C, + 0x83,0x04,0x29,0x68,0x52,0xF9,0x74,0x42,0x7C,0x49,0x81,0x39,0x53,0x91,0x53,0x0D, + 0x95,0xB7,0x4F,0x18,0xFC,0xA5,0x38,0x9A,0x55,0x68,0x53,0x02,0x02,0x21,0x00,0xF5, + 0xE4,0xF2,0xB7,0x0B,0x7F,0x43,0xFA,0xDB,0xC2,0x1A,0x05,0xEF,0xF9,0x0E,0x31,0xFC, + 0x0A,0xCB,0xCD,0x6C,0x03,0x8A,0x73,0x95,0x74,0xB1,0x57,0x03,0x09,0x55,0x8D, +}; + +/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Accessories Certification Authority - 00000002 */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Accessories Certification Authority - 00000002 */ +unsigned char _root_AACA2[618]={ + 0x30,0x82,0x02,0x66,0x30,0x82,0x02,0x0C,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x00, + 0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,0x30,0x81,0x89,0x31, + 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11, + 
0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63, + 0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C, + 0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20, + 0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x3D,0x30,0x3B,0x06,0x03,0x55, + 0x04,0x03,0x13,0x34,0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65,0x73,0x73, + 0x6F,0x72,0x69,0x65,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20, + 0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x32,0x30,0x1E,0x17,0x0D,0x31,0x35,0x31,0x31, + 0x31,0x38,0x32,0x31,0x32,0x35,0x33,0x32,0x5A,0x17,0x0D,0x34,0x35,0x31,0x31,0x31, + 0x38,0x32,0x31,0x32,0x35,0x33,0x32,0x5A,0x30,0x81,0x89,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30, + 0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65, + 0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68, + 0x6F,0x72,0x69,0x74,0x79,0x31,0x3D,0x30,0x3B,0x06,0x03,0x55,0x04,0x03,0x13,0x34, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65, + 0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20, + 0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20,0x30,0x30,0x30,0x30, + 0x30,0x30,0x30,0x32,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x02, + 0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00,0x04,0x0E, + 0x9B,0x88,0xC9,0x72,0x9C,0x91,0x0B,0xA3,0x08,0xFE,0x6C,0x6B,0x70,0x0D,0xF6,0x49, + 0x31,0x87,0x60,0xE4,0xB9,0x0E,0x8A,0xD8,0xB1,0x41,0x2D,0xEE,0x09,0x9E,0x7A,0xD2, + 0x0C,0xEB,0xFD,0x97,0x23,0x33,0x8F,0xCD,0x44,0x0A,0x6C,0xBD,0x5E,0xA5,0xC0,0x1B, + 0x9E,0x04,0x8A,0xD4,0x28,0x17,0x52,0xE8,0x28,0x35,0x84,0xED,0x7D,0xBE,0x2A,0xA3, + 
0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30, + 0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04, + 0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x58, + 0x4B,0x2B,0x2A,0x6C,0x19,0x2A,0x4D,0x45,0xCC,0x24,0x52,0x5A,0xEC,0x54,0x1A,0xA9, + 0xC8,0xA5,0x32,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14, + 0x58,0x4B,0x2B,0x2A,0x6C,0x19,0x2A,0x4D,0x45,0xCC,0x24,0x52,0x5A,0xEC,0x54,0x1A, + 0xA9,0xC8,0xA5,0x32,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02, + 0x03,0x48,0x00,0x30,0x45,0x02,0x20,0x10,0x6F,0xD9,0x76,0x71,0xC9,0x4C,0xC0,0x78, + 0x6D,0x0E,0x43,0xD1,0x56,0x53,0x36,0x58,0x56,0xED,0x87,0x40,0xAC,0xF6,0xC5,0x86, + 0x87,0xF0,0xCD,0xA6,0x13,0x3B,0x53,0x02,0x21,0x00,0xD6,0x45,0x85,0xE3,0xE3,0x1A, + 0xE1,0x7D,0x22,0xD8,0x36,0xC1,0x88,0xC1,0x07,0xD9,0x4D,0x88,0x2E,0x08,0xA2,0xDD, + 0x13,0xB5,0x2A,0xAE,0x3B,0x83,0x2B,0xB2,0x7E,0xB3, +}; diff --git a/OSX/sec/Security/Regressions/secitem/si-21-sectrust-asr.c b/OSX/sec/Security/Regressions/secitem/si-21-sectrust-asr.c index b8e1c56e..0e7e5350 100644 --- a/OSX/sec/Security/Regressions/secitem/si-21-sectrust-asr.c +++ b/OSX/sec/Security/Regressions/secitem/si-21-sectrust-asr.c @@ -12,14 +12,17 @@ #include <Security/SecPolicyPriv.h> #include <Security/SecTrust.h> #include <Security/SecKey.h> -#include <Security/SecInternal.h> +#include <Security/SecKeyPriv.h> #include <CommonCrypto/CommonDigest.h> #include <CommonCrypto/CommonDigestSPI.h> #include <stdlib.h> #include <unistd.h> -#include "Security_regressions.h" +#include "shared_regressions.h" + +#define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); } +#define CFReleaseNull(CF) { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); (CF) = NULL; } static const UInt8 sITunesStoreRootCertificate[] = { 
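Review bot: The two local macros `CFReleaseSafe`/`CFReleaseNull` are written as a bare `{ … }` block, so `if (cond) CFReleaseSafe(x); else …` will not compile and every `CFReleaseSafe(x);` leaves a stray empty statement after the block; the usual `#define CFReleaseNull(CF) do { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); (CF) = NULL; } while (0)` shape avoids both. si-22-sectrust-iap.c in this same patch instead adds `#include <utilities/SecCFRelease.h>`, which is the better fix here as well — one shared definition rather than a per-test copy that can drift from the project's. If the local copy stays, note that `CFReleaseNull` evaluates its argument twice (initialiser and assignment), so it must only be applied to plain lvalues without side effects.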
@@ -133,7 +136,9 @@ static void tests(void) CFDataRef signature = CFDictionaryGetValue(urlBagDict, CFSTR("signature")); CFDataRef bag = CFDictionaryGetValue(urlBagDict, CFSTR("bag")); unsigned char sha1_hash[CC_SHA1_DIGEST_LENGTH]; + CFDataRef sha1Data = NULL; CCDigest(kCCDigestSHA1, CFDataGetBytePtr(bag), CFDataGetLength(bag), sha1_hash); + sha1Data = CFDataCreate(NULL, sha1_hash, sizeof(sha1_hash)); isnt(policy = SecPolicyCreateBasicX509(), NULL, "create policy instance"); @@ -148,9 +153,14 @@ static void tests(void) } SecKeyRef pub_key_leaf; isnt(pub_key_leaf = SecTrustCopyPublicKey(trust), NULL, "get leaf pub key"); - ok_status(SecKeyRawVerify(pub_key_leaf, kSecPaddingPKCS1SHA1, sha1_hash, sizeof(sha1_hash), CFDataGetBytePtr(signature), CFDataGetLength(signature)), - "verify signature on bag"); - + if (!pub_key_leaf) { goto errOut; } + CFErrorRef error = NULL; + ok(SecKeyVerifySignature(pub_key_leaf, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, sha1Data, signature, &error), + "verify signature on bag"); + CFReleaseNull(error); + +errOut: + CFReleaseSafe(sha1Data); CFReleaseSafe(pub_key_leaf); CFReleaseSafe(urlBagDict); CFReleaseSafe(certs); diff --git a/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.c b/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.c index dcb64ccf..e75eebb8 100644 --- a/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.c +++ b/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006-2010,2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2006-2016 Apple Inc. All Rights Reserved. */ #include <CoreFoundation/CoreFoundation.h> 
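Review bot: The `CFErrorRef error` filled in by `SecKeyVerifySignature` is released without ever being reported, so a failing `ok(...)` prints only "verify signature on bag" and loses the reason the verification failed; copying its description (`CFCopyDescription(error)`) into the diagnostic before the `CFReleaseNull(error)` makes a failing run debuggable. `sha1Data` from the -133 hunk is also passed in unchecked; a NULL there presumably makes the verify call fail rather than crash, but an `if (!sha1Data) { goto errOut; }` beside the existing `pub_key_leaf` guard would make that explicit. The move from `SecKeyRawVerify` with `kSecPaddingPKCS1SHA1` to `kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1` keeps a precomputed SHA-1 digest as the input, so the test still exercises the same PKCS#1 v1.5 signature format as before — worth a one-line comment so nobody later "fixes" it to the message-hashing variant and double-hashes the bag. tests() begins outside this hunk.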
@@ -8,524 +8,14 @@ #include <Security/SecPolicyPriv.h> #include <Security/SecTrust.h> #include <utilities/array_size.h> +#include <utilities/SecCFRelease.h> #include <stdlib.h> #include <unistd.h> -#include "Security_regressions.h" +#include "shared_regressions.h" -/* - subject= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPod Accessories Certification Authority - issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA - serial=16 -*/ -const uint8_t _iAP1CA[] = { - 0x30, 0x82, 0x03, 0xfe, 0x30, 0x82, 0x02, 0xe6, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x16, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, - 0x62, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x31, 0x16, 0x30, 0x14, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, - 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x30, - 0x37, 0x30, 0x32, 0x31, 0x34, 0x32, 0x32, 0x31, - 0x38, 0x30, 0x38, 0x5a, 0x17, 0x0d, 0x32, 0x32, - 0x30, 0x32, 0x31, 0x34, 0x32, 0x32, 0x31, 0x38, - 0x30, 0x38, 0x5a, 0x30, 0x81, 0x83, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 
0x79, - 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x13, 0x2e, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x69, 0x50, 0x6f, 0x64, 0x20, 0x41, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, 0x69, 0x65, - 0x73, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, - 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, - 0x79, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, - 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, - 0x01, 0x00, 0xa1, 0xf6, 0xca, 0xdb, 0x3d, 0x4a, - 0x5a, 0x3e, 0xef, 0x74, 0x78, 0xf1, 0xb7, 0xb0, - 0x32, 0x82, 0x1f, 0x90, 0xc6, 0x08, 0xdf, 0xaa, - 0x3b, 0xd2, 0xcb, 0x0f, 0xe6, 0x37, 0x13, 0xf8, - 0xff, 0x71, 0xfc, 0x28, 0x86, 0x24, 0x36, 0x85, - 0x3f, 0xd0, 0x1d, 0x9c, 0xd0, 0x9c, 0xb2, 0x5d, - 0x20, 0x41, 0xdc, 0xb0, 0xd8, 0xa8, 0x86, 0x3c, - 0x42, 0x3c, 0xbe, 0x5a, 0x48, 0xdf, 0x34, 0x74, - 0x9a, 0x61, 0x05, 0x0d, 0xce, 0xc8, 0x25, 0x14, - 0xc8, 0x0a, 0xcd, 0xbd, 0xba, 0x12, 0x1b, 0x3b, - 0x41, 0x13, 0x8e, 0x38, 0x65, 0x1d, 0xac, 0x1d, - 0xd5, 0x38, 0x95, 0x9d, 0x3a, 0xd0, 0x79, 0x5c, - 0x66, 0x9c, 0x47, 0x4b, 0x2c, 0xb8, 0x44, 0x3b, - 0x7e, 0x8b, 0x68, 0x39, 0x3e, 0x46, 0xc1, 0xb8, - 0xc0, 0x85, 0xd6, 0x84, 0xfb, 0x0e, 0xa6, 0xdd, - 0x34, 0x06, 0xda, 0x1c, 0x78, 0xd9, 0xc4, 0x63, - 0x11, 0x1b, 0xcf, 0x20, 0x15, 0xd2, 0x7a, 0xef, - 0x60, 0x40, 0xdf, 0xba, 0xe0, 0x05, 0x45, 0x41, - 0x82, 0x0e, 0x9b, 0x78, 0x2d, 0x2a, 0xb4, 0x94, - 0xb5, 0xca, 0x79, 0xcd, 0xdb, 0xb5, 0x95, 0x02, - 0xbe, 0x55, 0x2c, 0x36, 0x21, 0xaf, 0x6e, 0x39, - 0xb6, 0x76, 0x5a, 0xec, 0x5d, 0x6a, 0xf3, 0xcc, - 0xfa, 0x90, 0x8a, 0x15, 0x77, 0xbb, 0xba, 0x5c, - 0x2b, 0xa1, 0x87, 0xf8, 0x0e, 0x70, 0x5d, 0x23, - 0x01, 0x08, 0x79, 0xef, 0xab, 0xd7, 0x91, 0x38, - 0x81, 0x35, 0xb3, 0x07, 0xd4, 0x79, 0xa2, 0x25, - 0xa7, 0xf7, 0x90, 0x75, 0xeb, 0xeb, 0x71, 0xa2, - 0xd0, 0xc1, 0xab, 0x02, 0x06, 0xf9, 0x07, 0x08, - 0x97, 0x35, 0xda, 0x7e, 0x4d, 0x61, 0x51, 
0x75, - 0x92, 0xf6, 0x19, 0xf5, 0xdf, 0xfb, 0xc9, 0xa5, - 0x4e, 0x9b, 0x8a, 0x14, 0x11, 0x4c, 0x10, 0x74, - 0x83, 0xaf, 0x2f, 0xfc, 0xb6, 0xd6, 0x6b, 0x57, - 0x46, 0x1d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x81, 0x9c, 0x30, 0x81, 0x99, 0x30, 0x0e, 0x06, - 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, - 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, - 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, - 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, - 0x14, 0xff, 0x4b, 0x1a, 0x43, 0x9a, 0xf5, 0x19, - 0x96, 0xab, 0x18, 0x00, 0x2b, 0x61, 0xc9, 0xee, - 0x40, 0x9d, 0x8e, 0xc7, 0x04, 0x30, 0x1f, 0x06, - 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, - 0x80, 0x14, 0x2b, 0xd0, 0x69, 0x47, 0x94, 0x76, - 0x09, 0xfe, 0xf4, 0x6b, 0x8d, 0x2e, 0x40, 0xa6, - 0xf7, 0x47, 0x4d, 0x7f, 0x08, 0x5e, 0x30, 0x36, - 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x2f, 0x30, - 0x2d, 0x30, 0x2b, 0xa0, 0x29, 0xa0, 0x27, 0x86, - 0x25, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, - 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, - 0x70, 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x72, 0x6f, - 0x6f, 0x74, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, - 0x01, 0x00, 0x9e, 0xb4, 0xaf, 0x3d, 0xb7, 0x61, - 0xe0, 0x64, 0xc3, 0x86, 0x27, 0xd2, 0x3f, 0xe9, - 0xe4, 0x08, 0x50, 0x77, 0xa2, 0x81, 0x09, 0x8c, - 0x7d, 0xb7, 0xd0, 0x54, 0x52, 0xde, 0xfe, 0x8d, - 0x48, 0xf2, 0x86, 0xc1, 0x17, 0xe5, 0x1a, 0x5d, - 0x29, 0x20, 0xd3, 0x81, 0xca, 0xee, 0xc8, 0xa3, - 0x61, 0xb3, 0x90, 0x9f, 0x73, 0xe8, 0xe3, 0xc8, - 0xbc, 0xa7, 0x12, 0xb4, 0x8c, 0x2d, 0xaa, 0xf5, - 0x39, 0x27, 0x19, 0xf5, 0xfb, 0xf9, 0x14, 0x7b, - 0x3a, 0xb4, 0x78, 0x1a, 0x9a, 0x4c, 0x96, 0xeb, - 0x36, 0xc7, 0xfe, 0xb5, 0xe7, 0x14, 0x7e, 0x6c, - 0x4f, 0xa8, 0x22, 0xba, 0x23, 0x82, 0xf0, 0xce, - 0xfa, 0x09, 0x7b, 0x8a, 0x0d, 0x5a, 0x61, 0x21, - 0x74, 0x7a, 0xca, 0xc2, 0xca, 0x6b, 0xc2, 
0x63, - 0x40, 0x77, 0x23, 0x2b, 0x8f, 0xa0, 0x29, 0x5c, - 0xeb, 0xad, 0xfc, 0xcc, 0xdc, 0x5a, 0x42, 0x42, - 0x2e, 0xc8, 0x4f, 0xb4, 0x90, 0xd2, 0x6e, 0xfc, - 0x4f, 0x8a, 0x0e, 0xa8, 0xb7, 0x83, 0x5c, 0x5c, - 0x12, 0x02, 0x15, 0x17, 0xa8, 0x65, 0x7d, 0x5a, - 0x28, 0x2b, 0x69, 0x5f, 0x76, 0x9e, 0x2f, 0xe0, - 0x9e, 0xec, 0x41, 0x57, 0x97, 0xc5, 0x0f, 0x9a, - 0xa0, 0x70, 0xb8, 0x2c, 0x8f, 0x6d, 0x80, 0xb5, - 0x46, 0xec, 0xe8, 0x58, 0xb0, 0x04, 0x40, 0x3c, - 0xc3, 0x62, 0x8a, 0x0a, 0xb7, 0xa9, 0x5b, 0x58, - 0x7d, 0xea, 0x7b, 0x8c, 0xff, 0xf7, 0xf8, 0xbf, - 0xd2, 0xc1, 0x95, 0x76, 0x05, 0xd7, 0x5d, 0x16, - 0x4d, 0xf1, 0x1e, 0x7d, 0xb2, 0x81, 0x10, 0xe8, - 0x47, 0x74, 0x12, 0xf1, 0xe6, 0x60, 0x3f, 0xe3, - 0x6f, 0xb6, 0xa4, 0xc6, 0xe1, 0x08, 0xb3, 0xe4, - 0x7d, 0x98, 0xf1, 0xfb, 0xd0, 0x42, 0xb2, 0x59, - 0x26, 0x17, 0xfb, 0x72, 0x6b, 0x05, 0xa9, 0xac, - 0x94, 0xbf, 0x88, 0x0a, 0x09, 0xef, 0xd2, 0xa5, - 0x25, 0xae -}; - -/* - subject= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPod Accessories Certification Authority - issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA - serial=16 -*/ -const uint8_t _iAP2CA[] = { - 0x30, 0x82, 0x03, 0xfe, 0x30, 0x82, 0x02, 0xe6, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x16, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, - 0x62, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x31, 0x16, 0x30, 0x14, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, - 0x20, 0x43, 0x41, 0x30, 0x1e, 
0x17, 0x0d, 0x30, - 0x37, 0x30, 0x32, 0x31, 0x34, 0x32, 0x32, 0x31, - 0x38, 0x30, 0x38, 0x5a, 0x17, 0x0d, 0x32, 0x32, - 0x30, 0x32, 0x31, 0x34, 0x32, 0x32, 0x31, 0x38, - 0x30, 0x38, 0x5a, 0x30, 0x81, 0x83, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, - 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x13, 0x2e, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x69, 0x50, 0x6f, 0x64, 0x20, 0x41, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, 0x69, 0x65, - 0x73, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, - 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, - 0x79, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, - 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, - 0x01, 0x00, 0xa1, 0xf6, 0xca, 0xdb, 0x3d, 0x4a, - 0x5a, 0x3e, 0xef, 0x74, 0x78, 0xf1, 0xb7, 0xb0, - 0x32, 0x82, 0x1f, 0x90, 0xc6, 0x08, 0xdf, 0xaa, - 0x3b, 0xd2, 0xcb, 0x0f, 0xe6, 0x37, 0x13, 0xf8, - 0xff, 0x71, 0xfc, 0x28, 0x86, 0x24, 0x36, 0x85, - 0x3f, 0xd0, 0x1d, 0x9c, 0xd0, 0x9c, 0xb2, 0x5d, - 0x20, 0x41, 0xdc, 0xb0, 0xd8, 0xa8, 0x86, 0x3c, - 0x42, 0x3c, 0xbe, 0x5a, 0x48, 0xdf, 0x34, 0x74, - 0x9a, 0x61, 0x05, 0x0d, 0xce, 0xc8, 0x25, 0x14, - 0xc8, 0x0a, 0xcd, 0xbd, 0xba, 0x12, 0x1b, 0x3b, - 0x41, 0x13, 0x8e, 0x38, 0x65, 0x1d, 0xac, 0x1d, - 0xd5, 0x38, 0x95, 0x9d, 0x3a, 0xd0, 0x79, 0x5c, - 0x66, 0x9c, 0x47, 0x4b, 0x2c, 0xb8, 0x44, 0x3b, - 0x7e, 0x8b, 0x68, 0x39, 0x3e, 0x46, 0xc1, 0xb8, - 0xc0, 0x85, 0xd6, 0x84, 0xfb, 0x0e, 0xa6, 0xdd, - 0x34, 0x06, 0xda, 0x1c, 0x78, 
0xd9, 0xc4, 0x63, - 0x11, 0x1b, 0xcf, 0x20, 0x15, 0xd2, 0x7a, 0xef, - 0x60, 0x40, 0xdf, 0xba, 0xe0, 0x05, 0x45, 0x41, - 0x82, 0x0e, 0x9b, 0x78, 0x2d, 0x2a, 0xb4, 0x94, - 0xb5, 0xca, 0x79, 0xcd, 0xdb, 0xb5, 0x95, 0x02, - 0xbe, 0x55, 0x2c, 0x36, 0x21, 0xaf, 0x6e, 0x39, - 0xb6, 0x76, 0x5a, 0xec, 0x5d, 0x6a, 0xf3, 0xcc, - 0xfa, 0x90, 0x8a, 0x15, 0x77, 0xbb, 0xba, 0x5c, - 0x2b, 0xa1, 0x87, 0xf8, 0x0e, 0x70, 0x5d, 0x23, - 0x01, 0x08, 0x79, 0xef, 0xab, 0xd7, 0x91, 0x38, - 0x81, 0x35, 0xb3, 0x07, 0xd4, 0x79, 0xa2, 0x25, - 0xa7, 0xf7, 0x90, 0x75, 0xeb, 0xeb, 0x71, 0xa2, - 0xd0, 0xc1, 0xab, 0x02, 0x06, 0xf9, 0x07, 0x08, - 0x97, 0x35, 0xda, 0x7e, 0x4d, 0x61, 0x51, 0x75, - 0x92, 0xf6, 0x19, 0xf5, 0xdf, 0xfb, 0xc9, 0xa5, - 0x4e, 0x9b, 0x8a, 0x14, 0x11, 0x4c, 0x10, 0x74, - 0x83, 0xaf, 0x2f, 0xfc, 0xb6, 0xd6, 0x6b, 0x57, - 0x46, 0x1d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x81, 0x9c, 0x30, 0x81, 0x99, 0x30, 0x0e, 0x06, - 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, - 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, - 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, - 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, - 0x14, 0xff, 0x4b, 0x1a, 0x43, 0x9a, 0xf5, 0x19, - 0x96, 0xab, 0x18, 0x00, 0x2b, 0x61, 0xc9, 0xee, - 0x40, 0x9d, 0x8e, 0xc7, 0x04, 0x30, 0x1f, 0x06, - 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, - 0x80, 0x14, 0x2b, 0xd0, 0x69, 0x47, 0x94, 0x76, - 0x09, 0xfe, 0xf4, 0x6b, 0x8d, 0x2e, 0x40, 0xa6, - 0xf7, 0x47, 0x4d, 0x7f, 0x08, 0x5e, 0x30, 0x36, - 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x2f, 0x30, - 0x2d, 0x30, 0x2b, 0xa0, 0x29, 0xa0, 0x27, 0x86, - 0x25, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, - 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, - 0x70, 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x72, 0x6f, - 0x6f, 0x74, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, - 0x01, 0x00, 0x9e, 0xb4, 0xaf, 
0x3d, 0xb7, 0x61, - 0xe0, 0x64, 0xc3, 0x86, 0x27, 0xd2, 0x3f, 0xe9, - 0xe4, 0x08, 0x50, 0x77, 0xa2, 0x81, 0x09, 0x8c, - 0x7d, 0xb7, 0xd0, 0x54, 0x52, 0xde, 0xfe, 0x8d, - 0x48, 0xf2, 0x86, 0xc1, 0x17, 0xe5, 0x1a, 0x5d, - 0x29, 0x20, 0xd3, 0x81, 0xca, 0xee, 0xc8, 0xa3, - 0x61, 0xb3, 0x90, 0x9f, 0x73, 0xe8, 0xe3, 0xc8, - 0xbc, 0xa7, 0x12, 0xb4, 0x8c, 0x2d, 0xaa, 0xf5, - 0x39, 0x27, 0x19, 0xf5, 0xfb, 0xf9, 0x14, 0x7b, - 0x3a, 0xb4, 0x78, 0x1a, 0x9a, 0x4c, 0x96, 0xeb, - 0x36, 0xc7, 0xfe, 0xb5, 0xe7, 0x14, 0x7e, 0x6c, - 0x4f, 0xa8, 0x22, 0xba, 0x23, 0x82, 0xf0, 0xce, - 0xfa, 0x09, 0x7b, 0x8a, 0x0d, 0x5a, 0x61, 0x21, - 0x74, 0x7a, 0xca, 0xc2, 0xca, 0x6b, 0xc2, 0x63, - 0x40, 0x77, 0x23, 0x2b, 0x8f, 0xa0, 0x29, 0x5c, - 0xeb, 0xad, 0xfc, 0xcc, 0xdc, 0x5a, 0x42, 0x42, - 0x2e, 0xc8, 0x4f, 0xb4, 0x90, 0xd2, 0x6e, 0xfc, - 0x4f, 0x8a, 0x0e, 0xa8, 0xb7, 0x83, 0x5c, 0x5c, - 0x12, 0x02, 0x15, 0x17, 0xa8, 0x65, 0x7d, 0x5a, - 0x28, 0x2b, 0x69, 0x5f, 0x76, 0x9e, 0x2f, 0xe0, - 0x9e, 0xec, 0x41, 0x57, 0x97, 0xc5, 0x0f, 0x9a, - 0xa0, 0x70, 0xb8, 0x2c, 0x8f, 0x6d, 0x80, 0xb5, - 0x46, 0xec, 0xe8, 0x58, 0xb0, 0x04, 0x40, 0x3c, - 0xc3, 0x62, 0x8a, 0x0a, 0xb7, 0xa9, 0x5b, 0x58, - 0x7d, 0xea, 0x7b, 0x8c, 0xff, 0xf7, 0xf8, 0xbf, - 0xd2, 0xc1, 0x95, 0x76, 0x05, 0xd7, 0x5d, 0x16, - 0x4d, 0xf1, 0x1e, 0x7d, 0xb2, 0x81, 0x10, 0xe8, - 0x47, 0x74, 0x12, 0xf1, 0xe6, 0x60, 0x3f, 0xe3, - 0x6f, 0xb6, 0xa4, 0xc6, 0xe1, 0x08, 0xb3, 0xe4, - 0x7d, 0x98, 0xf1, 0xfb, 0xd0, 0x42, 0xb2, 0x59, - 0x26, 0x17, 0xfb, 0x72, 0x6b, 0x05, 0xa9, 0xac, - 0x94, 0xbf, 0x88, 0x0a, 0x09, 0xef, 0xd2, 0xa5, - 0x25, 0xae -}; +#include "si-22-sectrust-iap.h" -/* - subject= /C=US/O=Apple Inc./OU=Apple iPod Accessories/CN=IPA_3333AA070313AA06AA0007AA000001 - issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPod Accessories Certification Authority - serial=3333AA070313AA06AA0007AA000001 -*/ -const uint8_t _leaf0[] = { - 0x30, 0x82, 0x03, 0x59, 0x30, 0x82, 0x02, 0x41, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x0f, 0x33, 
- 0x33, 0xaa, 0x07, 0x03, 0x13, 0xaa, 0x06, 0xaa, - 0x00, 0x07, 0xaa, 0x00, 0x00, 0x01, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, 0x83, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, - 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, - 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x74, 0x79, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x13, 0x2e, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x69, 0x50, 0x6f, 0x64, 0x20, - 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, - 0x69, 0x65, 0x73, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x30, - 0x37, 0x30, 0x33, 0x31, 0x33, 0x32, 0x31, 0x31, - 0x37, 0x32, 0x36, 0x5a, 0x17, 0x0d, 0x31, 0x35, - 0x30, 0x33, 0x31, 0x33, 0x32, 0x31, 0x31, 0x37, - 0x32, 0x36, 0x5a, 0x30, 0x70, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, - 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x13, 0x16, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x69, 0x50, 0x6f, 0x64, 0x20, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x6f, 0x72, 0x69, 0x65, 0x73, - 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x14, 0x22, 0x49, 0x50, 0x41, 0x5f, 0x33, - 0x33, 0x33, 0x33, 0x41, 0x41, 0x30, 0x37, 0x30, - 0x33, 0x31, 0x33, 0x41, 0x41, 0x30, 0x36, 0x41, - 0x41, 0x30, 0x30, 0x30, 0x37, 0x41, 0x41, 0x30, - 0x30, 0x30, 0x30, 0x30, 0x31, 0x30, 0x81, 0x9f, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 
- 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, - 0x81, 0x00, 0xcb, 0x76, 0xe3, 0xa7, 0x3b, 0xf0, - 0x42, 0xd5, 0x48, 0x93, 0x62, 0x0a, 0x10, 0x17, - 0x37, 0xb9, 0xc8, 0x52, 0xdd, 0xde, 0x8a, 0x40, - 0xa0, 0xf8, 0xda, 0xe8, 0x64, 0x0a, 0x67, 0xf5, - 0x8f, 0x91, 0xa6, 0xb5, 0x93, 0xe8, 0xc2, 0x28, - 0xb3, 0xac, 0xf4, 0xaf, 0x40, 0xc6, 0xbb, 0x49, - 0x85, 0x5a, 0x7c, 0x1b, 0x42, 0xc3, 0x3c, 0xc8, - 0x95, 0x36, 0x0b, 0x85, 0xbe, 0x36, 0x85, 0xb7, - 0x0d, 0x04, 0x0e, 0x4e, 0x4c, 0x3c, 0x28, 0xfb, - 0x03, 0x78, 0x42, 0xac, 0xf1, 0x9e, 0xad, 0x22, - 0x7c, 0x86, 0xd3, 0xa6, 0x0e, 0xc8, 0x42, 0xbd, - 0x9c, 0x7c, 0xd9, 0x2c, 0xe4, 0x1f, 0xd5, 0x91, - 0x4e, 0x9d, 0xb7, 0xff, 0x83, 0x2e, 0x06, 0x3e, - 0xd4, 0x95, 0xe4, 0x0e, 0x8e, 0x2d, 0x46, 0x8f, - 0xcf, 0xe6, 0x32, 0xce, 0x47, 0x56, 0x57, 0x97, - 0x1a, 0x87, 0xc8, 0xd4, 0xf3, 0x32, 0xf9, 0xd6, - 0x80, 0x83, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x60, 0x30, 0x5e, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, - 0x02, 0x03, 0xb8, 0x30, 0x0c, 0x06, 0x03, 0x55, - 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, - 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, - 0x04, 0x16, 0x04, 0x14, 0x71, 0x53, 0x3f, 0x7f, - 0x72, 0x47, 0xbb, 0xe3, 0x60, 0xd9, 0xd9, 0xd8, - 0x39, 0x6d, 0x8d, 0x33, 0xa3, 0x74, 0xc3, 0x59, - 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, - 0x18, 0x30, 0x16, 0x80, 0x14, 0xff, 0x4b, 0x1a, - 0x43, 0x9a, 0xf5, 0x19, 0x96, 0xab, 0x18, 0x00, - 0x2b, 0x61, 0xc9, 0xee, 0x40, 0x9d, 0x8e, 0xc7, - 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, - 0x03, 0x82, 0x01, 0x01, 0x00, 0x0f, 0xd9, 0x40, - 0x27, 0x1c, 0x00, 0x01, 0x2d, 0x4c, 0x67, 0xa6, - 0x0d, 0x74, 0xa8, 0xbd, 0xf6, 0x97, 0x16, 0x46, - 0xb1, 0x02, 0xd7, 0x51, 0xf6, 0x02, 0xc1, 0x0f, - 0xb1, 0x34, 0x8a, 0xcb, 0xb7, 0x81, 0x29, 0xbd, - 0x7b, 0x67, 0xa3, 0xe6, 0x49, 0x3d, 0xbb, 0x3e, - 0x0d, 0x26, 0x75, 0x1d, 0xdc, 0x37, 0xa7, 0x38, 
- 0x86, 0xd8, 0x81, 0x5a, 0xc5, 0xaf, 0xcd, 0xd6, - 0xcb, 0x0e, 0xba, 0x53, 0x28, 0x57, 0x83, 0x16, - 0x23, 0xcc, 0x11, 0x01, 0x0e, 0x18, 0x4d, 0xfe, - 0x29, 0x1b, 0x7c, 0x3f, 0x33, 0xd5, 0x4b, 0x7c, - 0x74, 0xb5, 0xfd, 0x62, 0xc5, 0x45, 0xec, 0x08, - 0xe4, 0xc0, 0xd3, 0xce, 0xba, 0xb0, 0x04, 0x0d, - 0x7c, 0xef, 0x5c, 0x3f, 0x92, 0xdc, 0x45, 0x24, - 0xa3, 0x02, 0xfe, 0xa4, 0x60, 0x15, 0x28, 0x43, - 0x1b, 0x46, 0x51, 0x1f, 0x9f, 0x0d, 0x89, 0x62, - 0x6c, 0x30, 0xe2, 0x2b, 0xf7, 0x8c, 0x7b, 0xd6, - 0xe3, 0x71, 0x11, 0xd1, 0xe5, 0xf5, 0x83, 0xae, - 0xd8, 0xeb, 0x5a, 0x40, 0xb6, 0x09, 0x00, 0x53, - 0x8f, 0xaf, 0x4d, 0xa7, 0x3d, 0x50, 0xb0, 0x1b, - 0x88, 0x6b, 0x9d, 0x18, 0x79, 0x1e, 0xcb, 0xbf, - 0x86, 0xba, 0xde, 0x48, 0x28, 0x3a, 0x53, 0x17, - 0x59, 0x2d, 0xc2, 0x98, 0xe0, 0xe7, 0x54, 0x03, - 0xd0, 0x1d, 0xfb, 0xc1, 0xca, 0x68, 0x43, 0x2d, - 0x23, 0xc3, 0xa3, 0x12, 0x04, 0x89, 0x77, 0x41, - 0xb8, 0x96, 0x3f, 0xdc, 0x00, 0x73, 0x07, 0xd0, - 0xa6, 0x8c, 0x35, 0x45, 0xb4, 0x07, 0x69, 0xf8, - 0x79, 0x6e, 0x7b, 0x04, 0x6d, 0x0f, 0x95, 0x20, - 0x5b, 0x76, 0x17, 0x78, 0x91, 0x91, 0xa4, 0xbe, - 0x6d, 0x5c, 0xe9, 0x71, 0x12, 0x68, 0x6c, 0xb7, - 0xa4, 0x36, 0xc3, 0x82, 0xcf, 0x65, 0x7d, 0xe3, - 0x50, 0x92, 0x02, 0x54, 0x3d, 0xfe, 0x16, 0x8d, - 0x4f, 0xe0, 0x11, 0xe0, 0xb5 -}; - -/* - subject= /C=US/O=Apple Computer, Inc./OU=Apple Computer iPod Accessories/CN=IPA_3333AA070313AA06AA0011AA000001 - issuer= /C=US/O=Apple Computer, Inc./OU=Apple Computer Certificate Authority/CN=Apple iPod Accessories Certificate Authority - serial=3333AA070313AA06AA0011AA000001 -*/ -const uint8_t _leaf1[] = { - 0x30, 0x82, 0x03, 0x7c, 0x30, 0x82, 0x02, 0x64, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x0f, 0x33, - 0x33, 0xaa, 0x07, 0x03, 0x13, 0xaa, 0x06, 0xaa, - 0x00, 0x11, 0xaa, 0x00, 0x00, 0x01, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, 0x92, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1d, 
0x30, - 0x1b, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x14, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x6f, - 0x6d, 0x70, 0x75, 0x74, 0x65, 0x72, 0x2c, 0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2d, 0x30, 0x2b, - 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x24, 0x41, - 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x6f, 0x6d, - 0x70, 0x75, 0x74, 0x65, 0x72, 0x20, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x31, 0x35, 0x30, 0x33, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x2c, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x69, 0x50, 0x6f, 0x64, - 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f, - 0x72, 0x69, 0x65, 0x73, 0x20, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x37, - 0x30, 0x33, 0x31, 0x33, 0x32, 0x31, 0x32, 0x37, - 0x33, 0x35, 0x5a, 0x17, 0x0d, 0x31, 0x35, 0x30, - 0x33, 0x31, 0x33, 0x32, 0x31, 0x32, 0x37, 0x33, - 0x35, 0x5a, 0x30, 0x81, 0x83, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x13, 0x14, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x43, 0x6f, 0x6d, 0x70, 0x75, - 0x74, 0x65, 0x72, 0x2c, 0x20, 0x49, 0x6e, 0x63, - 0x2e, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, - 0x04, 0x0b, 0x13, 0x1f, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x20, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, - 0x65, 0x72, 0x20, 0x69, 0x50, 0x6f, 0x64, 0x20, - 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, - 0x69, 0x65, 0x73, 0x31, 0x2b, 0x30, 0x29, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x14, 0x22, 0x49, 0x50, - 0x41, 0x5f, 0x33, 0x33, 0x33, 0x33, 0x41, 0x41, - 0x30, 0x37, 0x30, 0x33, 0x31, 0x33, 0x41, 0x41, - 0x30, 0x36, 0x41, 0x41, 0x30, 0x30, 0x31, 0x31, - 0x41, 0x41, 0x30, 0x30, 0x30, 0x30, 0x30, 0x31, - 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 
0x81, - 0x89, 0x02, 0x81, 0x81, 0x00, 0x91, 0x66, 0xdb, - 0x40, 0x0e, 0xc4, 0xe5, 0x8d, 0xb3, 0x86, 0xfd, - 0x36, 0x06, 0x38, 0xcc, 0x83, 0xa4, 0xd7, 0xff, - 0x14, 0xa6, 0x77, 0x3b, 0x63, 0x7a, 0xae, 0xe8, - 0x76, 0xdb, 0xd8, 0x2f, 0x7c, 0x70, 0x84, 0xe8, - 0x0a, 0x63, 0x33, 0xa7, 0xcb, 0x0e, 0x17, 0x94, - 0x80, 0x39, 0xb7, 0xe6, 0x16, 0x0c, 0xa7, 0x1f, - 0x7d, 0x11, 0x02, 0x76, 0xda, 0x1d, 0x0b, 0xed, - 0x8d, 0x2a, 0xeb, 0x60, 0xcf, 0x55, 0x85, 0xbd, - 0x92, 0x32, 0xc9, 0xc9, 0xb2, 0x16, 0xea, 0xba, - 0xa8, 0xc8, 0x8c, 0xe4, 0x93, 0x7a, 0x0a, 0xaa, - 0x40, 0x24, 0x0f, 0x96, 0xc7, 0xc5, 0x95, 0x21, - 0xd9, 0xb0, 0x98, 0x51, 0x8d, 0xe4, 0xc6, 0x63, - 0x6e, 0x73, 0x92, 0xab, 0x77, 0xe9, 0x71, 0xaf, - 0x0e, 0x50, 0xa3, 0xb4, 0x68, 0xa8, 0x82, 0x67, - 0x88, 0xf9, 0xa5, 0xc8, 0x68, 0x7b, 0x49, 0x36, - 0x72, 0xee, 0x06, 0x1a, 0x95, 0x02, 0x03, 0x01, - 0x00, 0x01, 0xa3, 0x60, 0x30, 0x5e, 0x30, 0x0e, - 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, - 0x04, 0x04, 0x03, 0x02, 0x03, 0xb8, 0x30, 0x0c, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, - 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, - 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xde, - 0x6a, 0x9d, 0x5e, 0x83, 0x77, 0xa6, 0xfe, 0xa9, - 0x65, 0x30, 0x5f, 0x98, 0xe8, 0xa4, 0x7c, 0xde, - 0x0a, 0xb3, 0x48, 0x30, 0x1f, 0x06, 0x03, 0x55, - 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, - 0xc9, 0xaa, 0x84, 0x6b, 0x06, 0xb8, 0x76, 0xe2, - 0x96, 0x4f, 0xe7, 0x27, 0x02, 0xd7, 0x2e, 0x3b, - 0xda, 0xf7, 0xb0, 0x18, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, - 0x96, 0x07, 0x3b, 0x68, 0xe8, 0x2f, 0x97, 0xa5, - 0x42, 0xff, 0x9d, 0x34, 0xfd, 0x3a, 0xd2, 0x01, - 0x69, 0xd7, 0x67, 0x46, 0x9a, 0x7d, 0x56, 0xe0, - 0x7f, 0x91, 0xee, 0xc3, 0x5c, 0xd2, 0x51, 0x54, - 0xe3, 0xd2, 0x17, 0x08, 0xb2, 0xbc, 0xcd, 0x85, - 0xf8, 0x8e, 0xad, 0x49, 0x53, 0xe1, 0x07, 0x5a, - 0x9b, 0x03, 0xa2, 0x35, 0xca, 0xcf, 0xc6, 0xb6, - 0xc9, 0x71, 0x53, 0xbc, 0x2e, 0xa3, 0x1b, 
0x03, - 0x5c, 0x55, 0x57, 0xa3, 0x10, 0xbc, 0x15, 0x81, - 0xd5, 0xe6, 0xa3, 0xb8, 0x21, 0x50, 0x2e, 0x44, - 0xd4, 0xea, 0x71, 0x17, 0xe5, 0xfc, 0x71, 0xc3, - 0xf9, 0xe8, 0x99, 0x98, 0xf3, 0x5f, 0xff, 0xb2, - 0x8e, 0xc7, 0x56, 0x74, 0x46, 0xec, 0x63, 0x3f, - 0x4a, 0xa6, 0x9c, 0x85, 0x7c, 0x08, 0x61, 0x32, - 0xb7, 0x35, 0x36, 0x01, 0x0c, 0xce, 0xd8, 0xe3, - 0xc4, 0x6a, 0x0d, 0xf2, 0x25, 0x56, 0x59, 0xba, - 0x88, 0x1b, 0xb4, 0x21, 0x80, 0xb9, 0x69, 0x9e, - 0x93, 0xf7, 0xb1, 0x22, 0x19, 0x8b, 0x8b, 0xd8, - 0xbd, 0xdc, 0x0c, 0xa7, 0x69, 0x4b, 0x5b, 0xe9, - 0xd7, 0x7a, 0x1d, 0xef, 0x37, 0x0d, 0x24, 0xdc, - 0xa7, 0x67, 0xbc, 0x0d, 0xe1, 0x0d, 0x28, 0xa0, - 0xb8, 0x83, 0x28, 0x6a, 0x8a, 0xd6, 0x59, 0x40, - 0x4a, 0xf1, 0x06, 0x0d, 0x75, 0xb9, 0x81, 0x4b, - 0x4c, 0x2d, 0xcb, 0x57, 0xe0, 0x7a, 0x32, 0x5b, - 0xe0, 0xea, 0xdd, 0x0c, 0xdc, 0xfd, 0x5e, 0x7e, - 0xb0, 0x77, 0x07, 0x0d, 0xa7, 0x14, 0x0b, 0x41, - 0x94, 0x4f, 0x10, 0x3e, 0xa5, 0x0c, 0x68, 0x3f, - 0x8c, 0x70, 0x5c, 0x29, 0xb7, 0xe9, 0xfc, 0x09, - 0x35, 0x5c, 0x2d, 0xb3, 0xa9, 0x4f, 0x51, 0xb0, - 0xa7, 0xd5, 0xad, 0x3f, 0xe2, 0xa2, 0x4c, 0x73, - 0xfc, 0x2f, 0x6e, 0x21, 0x38, 0xe5, 0xbb, 0x8b, - 0x57, 0x51, 0xe5, 0x9b, 0x8b, 0xa6, 0xaa, 0x0b -}; - -#define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); } - -/* Test basic add delete update copy matching stuff. */ static void tests(void) { SecTrustRef trust; 
@@ -552,8 +42,8 @@ static void tests(void) }; CFArrayRef anchors = CFArrayCreate(NULL, v_anchors, array_size(v_anchors), NULL); - CFArrayRef certs0 = CFArrayCreate(NULL, (const void **)&leaf0, 1, NULL); - CFArrayRef certs1 = CFArrayCreate(NULL, (const void **)&leaf1, 1, NULL); + CFArrayRef certs0 = CFArrayCreate(NULL, (const void **)&leaf0, 1, &kCFTypeArrayCallBacks); + CFArrayRef certs1 = CFArrayCreate(NULL, (const void **)&leaf1, 1, &kCFTypeArrayCallBacks); ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust for leaf0"); ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); @@ -572,12 +62,7 @@ static void tests(void) ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust for leaf1"); ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - TODO: - { - todo("We need the actual iAP1 intermediate"); - is_status(trustResult, kSecTrustResultUnspecified, - "trust is kSecTrustResultUnspecified"); - } + is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); CFReleaseSafe(anchors); CFReleaseSafe(certs1); 
@@ -591,12 +76,96 @@ static void tests(void) CFReleaseSafe(date); } +static void test_v3(void) { + SecCertificateRef v3CA = NULL, v3leaf = NULL; + isnt(v3CA = SecCertificateCreateWithBytes(NULL, _v3ca, sizeof(_v3ca)), + NULL, "create v3leaf"); + isnt(v3leaf = SecCertificateCreateWithBytes(NULL, _v3leaf, sizeof(_v3leaf)), + NULL, "create v3leaf"); + + /* Test v3 certs meet iAP policy */ + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CFArrayRef certs = NULL, anchors = NULL; + CFDateRef date = NULL; + SecTrustResultType trustResult; + + certs = CFArrayCreate(NULL, (const void **)&v3leaf, 1, &kCFTypeArrayCallBacks); + anchors = CFArrayCreate(NULL, (const void **)&v3CA, 1, &kCFTypeArrayCallBacks); + policy = SecPolicyCreateiAP(); + ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust ref"); + ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchor"); + ok(date = CFDateCreate(NULL, 484000000.0), "create date"); /* 3 May 2016 */ + if (!date) { goto trustFail; } + ok_status(SecTrustSetVerifyDate(trust, date), "set verify date"); + ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate"); + is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); + +trustFail: + CFReleaseSafe(policy); + CFReleaseSafe(trust); + CFReleaseSafe(certs); + CFReleaseSafe(anchors); + CFReleaseSafe(date); + +#if TARGET_OS_IPHONE + /* Test interface for determining iAuth version */ + SecCertificateRef leaf0 = NULL, leaf1 = NULL; + isnt(leaf0 = SecCertificateCreateWithBytes(NULL, _leaf0, sizeof(_leaf0)), + NULL, "create leaf0"); + isnt(leaf1 = SecCertificateCreateWithBytes(NULL, _leaf1, sizeof(_leaf1)), + NULL, "create leaf1"); + + is_status(SecCertificateGetiAuthVersion(leaf0), kSeciAuthVersion2, "v2 certificate"); + is_status(SecCertificateGetiAuthVersion(leaf1), kSeciAuthVersion2, "v2 certificate"); + is_status(SecCertificateGetiAuthVersion(v3leaf), kSeciAuthVersion3, "v3 certificate"); + + 
CFReleaseSafe(leaf0); + CFReleaseSafe(leaf1); + + /* Test the extension-copying interface */ + CFDataRef extensionData = NULL; + uint8_t extensionValue[32] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0A, + }; + ok(extensionData = SecCertificateCopyiAPAuthCapabilities(v3leaf), + "copy iAuthv3 extension data"); + is(CFDataGetLength(extensionData), 32, "compare expected size"); + is(memcmp(extensionValue, CFDataGetBytePtr(extensionData), 32), 0, + "compare expected output"); + CFReleaseNull(extensionData); + + /* Test extension-copying interface with a malformed extension. */ + uint8_t extensionValue2[32] = { + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04, + }; + SecCertificateRef malformedV3leaf = NULL; + isnt(malformedV3leaf = SecCertificateCreateWithBytes(NULL, _malformedV3Leaf, sizeof(_malformedV3Leaf)), + NULL, "create malformed v3 leaf"); + ok(extensionData = SecCertificateCopyiAPAuthCapabilities(malformedV3leaf), + "copy iAuthv3 extension data for malformed leaf"); + is(CFDataGetLength(extensionData), 32, "compare expected size"); + is(memcmp(extensionValue2, CFDataGetBytePtr(extensionData), 32), 0, + "compare expected output"); + CFReleaseNull(extensionData); + CFReleaseNull(malformedV3leaf); +#endif + CFReleaseSafe(v3leaf); + CFReleaseSafe(v3CA); +} + int si_22_sectrust_iap(int argc, char *const *argv) { - plan_tests(14); - +#if TARGET_OS_IPHONE + plan_tests(14+20); +#else + plan_tests(14+8); +#endif tests(); + test_v3(); return 0; } diff --git a/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.h b/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.h new file mode 100644 index 00000000..fe444c5c --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.h 
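Review bot: The extension checks at the end of test_v3 read 32 bytes through `CFDataGetBytePtr(extensionData)` regardless of how the preceding `ok`/`is` checks went, so a NULL or shorter-than-32-byte CFData from `SecCertificateCopyiAPAuthCapabilities` — the outcome the malformed-leaf case is specifically probing — dereferences NULL or over-reads the buffer instead of being recorded as a failed test; guard both `memcmp` lines, e.g. `is(extensionData && CFDataGetLength(extensionData) == 32 ? memcmp(extensionValue, CFDataGetBytePtr(extensionData), 32) : -1, 0, "compare expected output");`. The same pattern appears at the top of the function, where a NULL `v3CA`/`v3leaf` from a failed `isnt` flows straight into `CFArrayCreate` with `kCFTypeArrayCallBacks`, which retains each element. `trustResult` is declared without an initializer and is read by `is_status` even when `SecTrustEvaluate` fails; `SecTrustResultType trustResult = kSecTrustResultInvalid;` makes that path deterministic. The first `isnt` labels the v3CA creation "create v3leaf", which will misattribute a failure. Mixing `CFReleaseSafe` and `CFReleaseNull` within one function is a style nit; `_v3ca`, `_v3leaf` and `_malformedV3Leaf` are defined outside this hunk.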
@@ -0,0 +1,427 @@ +/* + * Copyright (c) 2007-2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef _SECURITY_SI_22_SECTRUST_IAP_H_ +#define _SECURITY_SI_22_SECTRUST_IAP_H_ + +/* + subject= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPod Accessories Certification Authority + issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA + serial=16 + */ +const uint8_t _iAP1CA[] = { + 0x30, 0x82, 0x04, 0x3F, 0x30, 0x82, 0x03, 0x27, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x0D, + 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, + 0x81, 0x86, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x1D, 0x30, 0x1B, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x14, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, + 0x43, 0x6F, 0x6D, 0x70, 0x75, 0x74, 0x65, 0x72, 0x2C, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x2D, + 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x24, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x43, + 0x6F, 0x6D, 0x70, 0x75, 0x74, 0x65, 0x72, 0x20, 0x43, 0x65, 0x72, 
0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x31, 0x29, 0x30, + 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x20, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x52, 0x6F, + 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, + 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x30, 0x36, 0x30, 0x35, + 0x31, 0x32, 0x32, 0x30, 0x35, 0x33, 0x30, 0x39, 0x5A, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x35, 0x31, + 0x32, 0x32, 0x30, 0x35, 0x33, 0x30, 0x39, 0x5A, 0x30, 0x81, 0x92, 0x31, 0x0B, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1D, 0x30, 0x1B, 0x06, 0x03, 0x55, 0x04, + 0x0A, 0x13, 0x14, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x43, 0x6F, 0x6D, 0x70, 0x75, 0x74, 0x65, + 0x72, 0x2C, 0x20, 0x49, 0x6E, 0x63, 0x2E, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x0B, + 0x13, 0x24, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x43, 0x6F, 0x6D, 0x70, 0x75, 0x74, 0x65, 0x72, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, + 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x31, 0x35, 0x30, 0x33, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, + 0x2C, 0x41, 0x70, 0x70, 0x6C, 0x65, 0x20, 0x69, 0x50, 0x6F, 0x64, 0x20, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x6F, 0x72, 0x69, 0x65, 0x73, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x82, 0x01, + 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, + 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 0x9F, 0x2B, + 0x5A, 0x43, 0x27, 0x3A, 0x1B, 0x7E, 0xC4, 0xB8, 0x4A, 0x36, 0x45, 0x0E, 0x61, 0x4F, 0xA4, 0x51, + 0xD7, 0x9F, 0xCD, 0x22, 0x63, 0x09, 0x86, 0x50, 0xAE, 0xB2, 0xD6, 0x49, 0xEF, 0xE6, 0xBF, 0x2E, + 0xD7, 0x4D, 0x56, 0x03, 0xF5, 0x4F, 0x39, 0x26, 0x86, 0xF5, 0xF2, 0xD9, 0xB3, 0xDF, 0x11, 0x57, + 0x93, 
0x51, 0xB7, 0x3A, 0x06, 0x63, 0xCD, 0x9B, 0x99, 0x37, 0xB9, 0x69, 0x8D, 0x03, 0x7F, 0xDE, + 0xA3, 0xB8, 0x38, 0x69, 0xF4, 0x41, 0x04, 0x40, 0xEB, 0x2F, 0x95, 0xEC, 0x1B, 0x21, 0x25, 0xE9, + 0x6A, 0xBB, 0x2E, 0x88, 0xB6, 0x0F, 0x20, 0x89, 0xF4, 0x13, 0x39, 0x3E, 0x29, 0x17, 0x69, 0xC8, + 0x6B, 0xBC, 0xF3, 0xE7, 0xDA, 0x65, 0x9C, 0xF9, 0x9E, 0x34, 0x0B, 0xE6, 0x60, 0x28, 0xFB, 0x80, + 0x80, 0x0C, 0x6A, 0x5E, 0xDA, 0x1D, 0x8D, 0x38, 0xE6, 0xD4, 0x61, 0xD5, 0x66, 0x82, 0x7C, 0x3E, + 0xF8, 0x30, 0xA6, 0xE1, 0xAA, 0x1E, 0xB0, 0xA0, 0x1E, 0x77, 0xD7, 0xA7, 0xED, 0x97, 0x9E, 0xA3, + 0xFD, 0x6F, 0xA1, 0x68, 0xBB, 0xC5, 0x89, 0x75, 0xE3, 0x65, 0x43, 0x67, 0x4E, 0x11, 0x77, 0x40, + 0x5F, 0xA1, 0x48, 0x3F, 0x9E, 0x23, 0xB0, 0x0F, 0x45, 0x68, 0x52, 0x0B, 0x8A, 0x73, 0x2B, 0x01, + 0x35, 0x2B, 0xAC, 0xFA, 0x9B, 0x1B, 0x9B, 0xA2, 0x46, 0xAE, 0x78, 0x05, 0xE8, 0xAC, 0xB7, 0xB4, + 0x01, 0xD0, 0x3D, 0x5A, 0x76, 0x4F, 0x8D, 0x89, 0x94, 0x61, 0x9D, 0xBC, 0xA0, 0xD6, 0xF9, 0x48, + 0xF1, 0x0F, 0xF9, 0x89, 0x4A, 0xCD, 0xAB, 0x53, 0x86, 0x4D, 0x4E, 0xF4, 0x35, 0x8B, 0x57, 0x64, + 0x5A, 0x5F, 0x52, 0xD3, 0xF7, 0x1F, 0x17, 0xC0, 0xA2, 0x8C, 0x21, 0x69, 0x4A, 0x2B, 0x30, 0x3F, + 0x0F, 0x37, 0x56, 0xE8, 0xE3, 0x6E, 0x5C, 0xEA, 0x98, 0x71, 0x12, 0xF0, 0x28, 0xAD, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xA3, 0x81, 0xA9, 0x30, 0x81, 0xA6, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, + 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, + 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, + 0x0E, 0x04, 0x16, 0x04, 0x14, 0xC9, 0xAA, 0x84, 0x6B, 0x06, 0xB8, 0x76, 0xE2, 0x96, 0x4F, 0xE7, + 0x27, 0x02, 0xD7, 0x2E, 0x3B, 0xDA, 0xF7, 0xB0, 0x18, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23, + 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x2B, 0xD0, 0x69, 0x47, 0x94, 0x76, 0x09, 0xFE, 0xF4, 0x6B, + 0x8D, 0x2E, 0x40, 0xA6, 0xF7, 0x47, 0x4D, 0x7F, 0x08, 0x5E, 0x30, 0x43, 0x06, 0x03, 0x55, 0x1D, + 0x1F, 0x04, 0x3C, 0x30, 0x3A, 0x30, 0x38, 
0xA0, 0x36, 0xA0, 0x34, 0x86, 0x32, 0x68, 0x74, 0x74, + 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x61, 0x70, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, + 0x6D, 0x2F, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x61, 0x75, 0x74, + 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x2F, 0x72, 0x6F, 0x6F, 0x74, 0x2E, 0x63, 0x72, 0x6C, 0x30, + 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, + 0x01, 0x01, 0x00, 0xC5, 0x74, 0x7A, 0x7E, 0x5C, 0x75, 0x0E, 0xD3, 0x8A, 0x1C, 0x8D, 0x26, 0x20, + 0xDF, 0x1F, 0xC3, 0x04, 0x0E, 0x81, 0x1E, 0xE2, 0x13, 0x85, 0xB7, 0x64, 0xE3, 0x97, 0x5D, 0x46, + 0x27, 0x1D, 0x08, 0x98, 0x77, 0xA5, 0xC3, 0x9F, 0x63, 0x84, 0xD1, 0x66, 0x4F, 0x0A, 0xE8, 0x13, + 0xF6, 0xE5, 0x94, 0x07, 0xB0, 0x06, 0xC5, 0x56, 0xEB, 0x04, 0x4B, 0xD2, 0xD0, 0x1D, 0xB4, 0xE1, + 0xB6, 0x2D, 0x30, 0x8C, 0x61, 0xCE, 0xC2, 0x54, 0xC5, 0xAD, 0xE2, 0x43, 0x33, 0x1F, 0x23, 0x21, + 0xCB, 0xBD, 0xFD, 0x35, 0x7F, 0x5F, 0xEC, 0x31, 0x0D, 0x03, 0xA6, 0x39, 0x28, 0x55, 0xBC, 0x23, + 0x78, 0xB4, 0x03, 0xF8, 0x24, 0xEB, 0x0D, 0x24, 0xB7, 0xAA, 0x3A, 0xCB, 0x7C, 0x02, 0x8F, 0xD5, + 0x86, 0x96, 0xA3, 0xE7, 0x8A, 0xF4, 0x8F, 0x84, 0xF7, 0x57, 0xF7, 0x8C, 0xA0, 0xF5, 0xAE, 0x9F, + 0x8F, 0x31, 0x62, 0x4F, 0xA7, 0xB3, 0x5E, 0x4B, 0xC3, 0x20, 0xA3, 0x40, 0xFA, 0xED, 0x13, 0x70, + 0x77, 0xAB, 0x59, 0x65, 0x89, 0x6B, 0xFD, 0xA9, 0x92, 0x9B, 0xFB, 0x54, 0xB1, 0x25, 0x37, 0xE0, + 0x7C, 0x49, 0x8F, 0x86, 0x3C, 0x99, 0xF4, 0x17, 0x11, 0x3D, 0x2E, 0x41, 0x7D, 0x00, 0x98, 0xB4, + 0x1A, 0xA4, 0xEC, 0x5F, 0xE7, 0xC6, 0xC9, 0xE8, 0x90, 0x01, 0x2F, 0xB5, 0xF3, 0x4C, 0x6E, 0x4F, + 0x36, 0xBC, 0x7D, 0xCF, 0x56, 0x6C, 0x9B, 0xEB, 0xEB, 0x8B, 0xCE, 0x02, 0xE1, 0x82, 0xA0, 0x00, + 0x0A, 0x10, 0x33, 0x06, 0xEB, 0xD5, 0x5E, 0xC3, 0x62, 0xE2, 0xBA, 0xF5, 0x25, 0x7D, 0xFC, 0xDA, + 0xE1, 0x49, 0x3D, 0x9F, 0xE9, 0x9F, 0x12, 0xDA, 0xF9, 0x7D, 0x22, 0x7C, 0x8F, 0x13, 0xCA, 0x06, + 0x34, 0xD7, 0x4C, 0xF6, 0x40, 0x71, 0x78, 0xB1, 0xAF, 0xEC, 0xC1, 0x66, 0xDF, 
0xAE, 0xAD, 0x3B, + 0xCC, 0x0E, 0xC0 +}; + +/* + subject= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPod Accessories Certification Authority + issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA + serial=16 + */ +const uint8_t _iAP2CA[] = { + 0x30, 0x82, 0x03, 0xfe, 0x30, 0x82, 0x02, 0xe6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x16, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, + 0x62, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, + 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x16, 0x30, 0x14, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, + 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x37, 0x30, 0x32, 0x31, 0x34, 0x32, 0x32, 0x31, + 0x38, 0x30, 0x38, 0x5a, 0x17, 0x0d, 0x32, 0x32, 0x30, 0x32, 0x31, 0x34, 0x32, 0x32, 0x31, 0x38, + 0x30, 0x38, 0x5a, 0x30, 0x81, 0x83, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, + 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, + 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2e, 0x41, 0x70, 0x70, 0x6c, 0x65, + 0x20, 0x69, 0x50, 0x6f, 0x64, 0x20, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6f, 0x72, 0x69, 0x65, + 0x73, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 
0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, + 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, + 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa1, 0xf6, 0xca, 0xdb, 0x3d, 0x4a, + 0x5a, 0x3e, 0xef, 0x74, 0x78, 0xf1, 0xb7, 0xb0, 0x32, 0x82, 0x1f, 0x90, 0xc6, 0x08, 0xdf, 0xaa, + 0x3b, 0xd2, 0xcb, 0x0f, 0xe6, 0x37, 0x13, 0xf8, 0xff, 0x71, 0xfc, 0x28, 0x86, 0x24, 0x36, 0x85, + 0x3f, 0xd0, 0x1d, 0x9c, 0xd0, 0x9c, 0xb2, 0x5d, 0x20, 0x41, 0xdc, 0xb0, 0xd8, 0xa8, 0x86, 0x3c, + 0x42, 0x3c, 0xbe, 0x5a, 0x48, 0xdf, 0x34, 0x74, 0x9a, 0x61, 0x05, 0x0d, 0xce, 0xc8, 0x25, 0x14, + 0xc8, 0x0a, 0xcd, 0xbd, 0xba, 0x12, 0x1b, 0x3b, 0x41, 0x13, 0x8e, 0x38, 0x65, 0x1d, 0xac, 0x1d, + 0xd5, 0x38, 0x95, 0x9d, 0x3a, 0xd0, 0x79, 0x5c, 0x66, 0x9c, 0x47, 0x4b, 0x2c, 0xb8, 0x44, 0x3b, + 0x7e, 0x8b, 0x68, 0x39, 0x3e, 0x46, 0xc1, 0xb8, 0xc0, 0x85, 0xd6, 0x84, 0xfb, 0x0e, 0xa6, 0xdd, + 0x34, 0x06, 0xda, 0x1c, 0x78, 0xd9, 0xc4, 0x63, 0x11, 0x1b, 0xcf, 0x20, 0x15, 0xd2, 0x7a, 0xef, + 0x60, 0x40, 0xdf, 0xba, 0xe0, 0x05, 0x45, 0x41, 0x82, 0x0e, 0x9b, 0x78, 0x2d, 0x2a, 0xb4, 0x94, + 0xb5, 0xca, 0x79, 0xcd, 0xdb, 0xb5, 0x95, 0x02, 0xbe, 0x55, 0x2c, 0x36, 0x21, 0xaf, 0x6e, 0x39, + 0xb6, 0x76, 0x5a, 0xec, 0x5d, 0x6a, 0xf3, 0xcc, 0xfa, 0x90, 0x8a, 0x15, 0x77, 0xbb, 0xba, 0x5c, + 0x2b, 0xa1, 0x87, 0xf8, 0x0e, 0x70, 0x5d, 0x23, 0x01, 0x08, 0x79, 0xef, 0xab, 0xd7, 0x91, 0x38, + 0x81, 0x35, 0xb3, 0x07, 0xd4, 0x79, 0xa2, 0x25, 0xa7, 0xf7, 0x90, 0x75, 0xeb, 0xeb, 0x71, 0xa2, + 0xd0, 0xc1, 0xab, 0x02, 0x06, 0xf9, 0x07, 0x08, 0x97, 0x35, 0xda, 0x7e, 0x4d, 0x61, 0x51, 0x75, + 0x92, 0xf6, 0x19, 0xf5, 0xdf, 0xfb, 0xc9, 0xa5, 0x4e, 0x9b, 0x8a, 0x14, 0x11, 0x4c, 0x10, 0x74, + 0x83, 0xaf, 0x2f, 0xfc, 0xb6, 0xd6, 0x6b, 0x57, 0x46, 0x1d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, + 0x81, 0x9c, 0x30, 0x81, 0x99, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 
0x01, 0xff, 0x04, + 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, + 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, + 0x14, 0xff, 0x4b, 0x1a, 0x43, 0x9a, 0xf5, 0x19, 0x96, 0xab, 0x18, 0x00, 0x2b, 0x61, 0xc9, 0xee, + 0x40, 0x9d, 0x8e, 0xc7, 0x04, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, + 0x80, 0x14, 0x2b, 0xd0, 0x69, 0x47, 0x94, 0x76, 0x09, 0xfe, 0xf4, 0x6b, 0x8d, 0x2e, 0x40, 0xa6, + 0xf7, 0x47, 0x4d, 0x7f, 0x08, 0x5e, 0x30, 0x36, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x2f, 0x30, + 0x2d, 0x30, 0x2b, 0xa0, 0x29, 0xa0, 0x27, 0x86, 0x25, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, + 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, + 0x01, 0x00, 0x9e, 0xb4, 0xaf, 0x3d, 0xb7, 0x61, 0xe0, 0x64, 0xc3, 0x86, 0x27, 0xd2, 0x3f, 0xe9, + 0xe4, 0x08, 0x50, 0x77, 0xa2, 0x81, 0x09, 0x8c, 0x7d, 0xb7, 0xd0, 0x54, 0x52, 0xde, 0xfe, 0x8d, + 0x48, 0xf2, 0x86, 0xc1, 0x17, 0xe5, 0x1a, 0x5d, 0x29, 0x20, 0xd3, 0x81, 0xca, 0xee, 0xc8, 0xa3, + 0x61, 0xb3, 0x90, 0x9f, 0x73, 0xe8, 0xe3, 0xc8, 0xbc, 0xa7, 0x12, 0xb4, 0x8c, 0x2d, 0xaa, 0xf5, + 0x39, 0x27, 0x19, 0xf5, 0xfb, 0xf9, 0x14, 0x7b, 0x3a, 0xb4, 0x78, 0x1a, 0x9a, 0x4c, 0x96, 0xeb, + 0x36, 0xc7, 0xfe, 0xb5, 0xe7, 0x14, 0x7e, 0x6c, 0x4f, 0xa8, 0x22, 0xba, 0x23, 0x82, 0xf0, 0xce, + 0xfa, 0x09, 0x7b, 0x8a, 0x0d, 0x5a, 0x61, 0x21, 0x74, 0x7a, 0xca, 0xc2, 0xca, 0x6b, 0xc2, 0x63, + 0x40, 0x77, 0x23, 0x2b, 0x8f, 0xa0, 0x29, 0x5c, 0xeb, 0xad, 0xfc, 0xcc, 0xdc, 0x5a, 0x42, 0x42, + 0x2e, 0xc8, 0x4f, 0xb4, 0x90, 0xd2, 0x6e, 0xfc, 0x4f, 0x8a, 0x0e, 0xa8, 0xb7, 0x83, 0x5c, 0x5c, + 0x12, 0x02, 0x15, 0x17, 0xa8, 0x65, 0x7d, 0x5a, 0x28, 0x2b, 0x69, 0x5f, 0x76, 0x9e, 0x2f, 0xe0, + 0x9e, 0xec, 0x41, 
0x57, 0x97, 0xc5, 0x0f, 0x9a, 0xa0, 0x70, 0xb8, 0x2c, 0x8f, 0x6d, 0x80, 0xb5, + 0x46, 0xec, 0xe8, 0x58, 0xb0, 0x04, 0x40, 0x3c, 0xc3, 0x62, 0x8a, 0x0a, 0xb7, 0xa9, 0x5b, 0x58, + 0x7d, 0xea, 0x7b, 0x8c, 0xff, 0xf7, 0xf8, 0xbf, 0xd2, 0xc1, 0x95, 0x76, 0x05, 0xd7, 0x5d, 0x16, + 0x4d, 0xf1, 0x1e, 0x7d, 0xb2, 0x81, 0x10, 0xe8, 0x47, 0x74, 0x12, 0xf1, 0xe6, 0x60, 0x3f, 0xe3, + 0x6f, 0xb6, 0xa4, 0xc6, 0xe1, 0x08, 0xb3, 0xe4, 0x7d, 0x98, 0xf1, 0xfb, 0xd0, 0x42, 0xb2, 0x59, + 0x26, 0x17, 0xfb, 0x72, 0x6b, 0x05, 0xa9, 0xac, 0x94, 0xbf, 0x88, 0x0a, 0x09, 0xef, 0xd2, 0xa5, + 0x25, 0xae +}; + +/* + subject= /C=US/O=Apple Inc./OU=Apple iPod Accessories/CN=IPA_3333AA070313AA06AA0007AA000001 + issuer= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPod Accessories Certification Authority + serial=3333AA070313AA06AA0007AA000001 + */ +const uint8_t _leaf0[] = { + 0x30,0x82,0x03,0x59,0x30,0x82,0x02,0x41,0xA0,0x03,0x02,0x01,0x02,0x02,0x0F,0x33, + 0x33,0xAA,0x07,0x03,0x13,0xAA,0x06,0xAA,0x00,0x07,0xAA,0x00,0x00,0x01,0x30,0x0D, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x83, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30, + 0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E, + 0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70, + 0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, + 0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x37,0x30,0x35,0x06,0x03, + 0x55,0x04,0x03,0x13,0x2E,0x41,0x70,0x70,0x6C,0x65,0x20,0x69,0x50,0x6F,0x64,0x20, + 0x41,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x20,0x43,0x65,0x72,0x74, + 0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72, + 0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x37,0x30,0x33,0x31,0x33,0x32,0x31,0x31, + 0x37,0x32,0x36,0x5A,0x17,0x0D,0x31,0x35,0x30,0x33,0x31,0x33,0x32,0x31,0x31,0x37, + 
0x32,0x36,0x5A,0x30,0x70,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70, + 0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1F,0x30,0x1D,0x06,0x03,0x55,0x04,0x0B, + 0x13,0x16,0x41,0x70,0x70,0x6C,0x65,0x20,0x69,0x50,0x6F,0x64,0x20,0x41,0x63,0x63, + 0x65,0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04, + 0x03,0x14,0x22,0x49,0x50,0x41,0x5F,0x33,0x33,0x33,0x33,0x41,0x41,0x30,0x37,0x30, + 0x33,0x31,0x33,0x41,0x41,0x30,0x36,0x41,0x41,0x30,0x30,0x30,0x37,0x41,0x41,0x30, + 0x30,0x30,0x30,0x30,0x31,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81, + 0x81,0x00,0xCB,0x76,0xE3,0xA7,0x3B,0xF0,0x42,0xD5,0x48,0x93,0x62,0x0A,0x10,0x17, + 0x37,0xB9,0xC8,0x52,0xDD,0xDE,0x8A,0x40,0xA0,0xF8,0xDA,0xE8,0x64,0x0A,0x67,0xF5, + 0x8F,0x91,0xA6,0xB5,0x93,0xE8,0xC2,0x28,0xB3,0xAC,0xF4,0xAF,0x40,0xC6,0xBB,0x49, + 0x85,0x5A,0x7C,0x1B,0x42,0xC3,0x3C,0xC8,0x95,0x36,0x0B,0x85,0xBE,0x36,0x85,0xB7, + 0x0D,0x04,0x0E,0x4E,0x4C,0x3C,0x28,0xFB,0x03,0x78,0x42,0xAC,0xF1,0x9E,0xAD,0x22, + 0x7C,0x86,0xD3,0xA6,0x0E,0xC8,0x42,0xBD,0x9C,0x7C,0xD9,0x2C,0xE4,0x1F,0xD5,0x91, + 0x4E,0x9D,0xB7,0xFF,0x83,0x2E,0x06,0x3E,0xD4,0x95,0xE4,0x0E,0x8E,0x2D,0x46,0x8F, + 0xCF,0xE6,0x32,0xCE,0x47,0x56,0x57,0x97,0x1A,0x87,0xC8,0xD4,0xF3,0x32,0xF9,0xD6, + 0x80,0x83,0x02,0x03,0x01,0x00,0x01,0xA3,0x60,0x30,0x5E,0x30,0x0E,0x06,0x03,0x55, + 0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x03,0xB8,0x30,0x0C,0x06,0x03,0x55, + 0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, + 0x04,0x16,0x04,0x14,0x71,0x53,0x3F,0x7F,0x72,0x47,0xBB,0xE3,0x60,0xD9,0xD9,0xD8, + 0x39,0x6D,0x8D,0x33,0xA3,0x74,0xC3,0x59,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04, + 0x18,0x30,0x16,0x80,0x14,0xFF,0x4B,0x1A,0x43,0x9A,0xF5,0x19,0x96,0xAB,0x18,0x00, + 0x2B,0x61,0xC9,0xEE,0x40,0x9D,0x8E,0xC7,0x04,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, + 
0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x0F,0xD9,0x40, + 0x27,0x1C,0x00,0x01,0x2D,0x4C,0x67,0xA6,0x0D,0x74,0xA8,0xBD,0xF6,0x97,0x16,0x46, + 0xB1,0x02,0xD7,0x51,0xF6,0x02,0xC1,0x0F,0xB1,0x34,0x8A,0xCB,0xB7,0x81,0x29,0xBD, + 0x7B,0x67,0xA3,0xE6,0x49,0x3D,0xBB,0x3E,0x0D,0x26,0x75,0x1D,0xDC,0x37,0xA7,0x38, + 0x86,0xD8,0x81,0x5A,0xC5,0xAF,0xCD,0xD6,0xCB,0x0E,0xBA,0x53,0x28,0x57,0x83,0x16, + 0x23,0xCC,0x11,0x01,0x0E,0x18,0x4D,0xFE,0x29,0x1B,0x7C,0x3F,0x33,0xD5,0x4B,0x7C, + 0x74,0xB5,0xFD,0x62,0xC5,0x45,0xEC,0x08,0xE4,0xC0,0xD3,0xCE,0xBA,0xB0,0x04,0x0D, + 0x7C,0xEF,0x5C,0x3F,0x92,0xDC,0x45,0x24,0xA3,0x02,0xFE,0xA4,0x60,0x15,0x28,0x43, + 0x1B,0x46,0x51,0x1F,0x9F,0x0D,0x89,0x62,0x6C,0x30,0xE2,0x2B,0xF7,0x8C,0x7B,0xD6, + 0xE3,0x71,0x11,0xD1,0xE5,0xF5,0x83,0xAE,0xD8,0xEB,0x5A,0x40,0xB6,0x09,0x00,0x53, + 0x8F,0xAF,0x4D,0xA7,0x3D,0x50,0xB0,0x1B,0x88,0x6B,0x9D,0x18,0x79,0x1E,0xCB,0xBF, + 0x86,0xBA,0xDE,0x48,0x28,0x3A,0x53,0x17,0x59,0x2D,0xC2,0x98,0xE0,0xE7,0x54,0x03, + 0xD0,0x1D,0xFB,0xC1,0xCA,0x68,0x43,0x2D,0x23,0xC3,0xA3,0x12,0x04,0x89,0x77,0x41, + 0xB8,0x96,0x3F,0xDC,0x00,0x73,0x07,0xD0,0xA6,0x8C,0x35,0x45,0xB4,0x07,0x69,0xF8, + 0x79,0x6E,0x7B,0x04,0x6D,0x0F,0x95,0x20,0x5B,0x76,0x17,0x78,0x91,0x91,0xA4,0xBE, + 0x6D,0x5C,0xE9,0x71,0x12,0x68,0x6C,0xB7,0xA4,0x36,0xC3,0x82,0xCF,0x65,0x7D,0xE3, + 0x50,0x92,0x02,0x54,0x3D,0xFE,0x16,0x8D,0x4F,0xE0,0x11,0xE0,0xB5, +}; + +/* + subject= /C=US/O=Apple Computer, Inc./OU=Apple Computer iPod Accessories/CN=IPA_3333AA070313AA06AA0011AA000001 + issuer= /C=US/O=Apple Computer, Inc./OU=Apple Computer Certificate Authority/CN=Apple iPod Accessories Certificate Authority + serial=3333AA070313AA06AA0011AA000001 + */ +const uint8_t _leaf1[] = { + 0x30,0x82,0x03,0x7C,0x30,0x82,0x02,0x64,0xA0,0x03,0x02,0x01,0x02,0x02,0x0F,0x33, + 0x33,0xAA,0x07,0x03,0x13,0xAA,0x06,0xAA,0x00,0x11,0xAA,0x00,0x00,0x01,0x30,0x0D, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x92, + 
0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x1D,0x30, + 0x1B,0x06,0x03,0x55,0x04,0x0A,0x13,0x14,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x6F, + 0x6D,0x70,0x75,0x74,0x65,0x72,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2D,0x30,0x2B, + 0x06,0x03,0x55,0x04,0x0B,0x13,0x24,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x6F,0x6D, + 0x70,0x75,0x74,0x65,0x72,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x65,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x35,0x30,0x33,0x06, + 0x03,0x55,0x04,0x03,0x13,0x2C,0x41,0x70,0x70,0x6C,0x65,0x20,0x69,0x50,0x6F,0x64, + 0x20,0x41,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x20,0x43,0x65,0x72, + 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, + 0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x37,0x30,0x33,0x31,0x33,0x32,0x31,0x32,0x37, + 0x33,0x35,0x5A,0x17,0x0D,0x31,0x35,0x30,0x33,0x31,0x33,0x32,0x31,0x32,0x37,0x33, + 0x35,0x5A,0x30,0x81,0x83,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x55,0x53,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0A,0x13,0x14,0x41,0x70,0x70, + 0x6C,0x65,0x20,0x43,0x6F,0x6D,0x70,0x75,0x74,0x65,0x72,0x2C,0x20,0x49,0x6E,0x63, + 0x2E,0x31,0x28,0x30,0x26,0x06,0x03,0x55,0x04,0x0B,0x13,0x1F,0x41,0x70,0x70,0x6C, + 0x65,0x20,0x43,0x6F,0x6D,0x70,0x75,0x74,0x65,0x72,0x20,0x69,0x50,0x6F,0x64,0x20, + 0x41,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x31,0x2B,0x30,0x29,0x06, + 0x03,0x55,0x04,0x03,0x14,0x22,0x49,0x50,0x41,0x5F,0x33,0x33,0x33,0x33,0x41,0x41, + 0x30,0x37,0x30,0x33,0x31,0x33,0x41,0x41,0x30,0x36,0x41,0x41,0x30,0x30,0x31,0x31, + 0x41,0x41,0x30,0x30,0x30,0x30,0x30,0x31,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A, + 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81, + 0x89,0x02,0x81,0x81,0x00,0x91,0x66,0xDB,0x40,0x0E,0xC4,0xE5,0x8D,0xB3,0x86,0xFD, + 0x36,0x06,0x38,0xCC,0x83,0xA4,0xD7,0xFF,0x14,0xA6,0x77,0x3B,0x63,0x7A,0xAE,0xE8, + 0x76,0xDB,0xD8,0x2F,0x7C,0x70,0x84,0xE8,0x0A,0x63,0x33,0xA7,0xCB,0x0E,0x17,0x94, + 
0x80,0x39,0xB7,0xE6,0x16,0x0C,0xA7,0x1F,0x7D,0x11,0x02,0x76,0xDA,0x1D,0x0B,0xED, + 0x8D,0x2A,0xEB,0x60,0xCF,0x55,0x85,0xBD,0x92,0x32,0xC9,0xC9,0xB2,0x16,0xEA,0xBA, + 0xA8,0xC8,0x8C,0xE4,0x93,0x7A,0x0A,0xAA,0x40,0x24,0x0F,0x96,0xC7,0xC5,0x95,0x21, + 0xD9,0xB0,0x98,0x51,0x8D,0xE4,0xC6,0x63,0x6E,0x73,0x92,0xAB,0x77,0xE9,0x71,0xAF, + 0x0E,0x50,0xA3,0xB4,0x68,0xA8,0x82,0x67,0x88,0xF9,0xA5,0xC8,0x68,0x7B,0x49,0x36, + 0x72,0xEE,0x06,0x1A,0x95,0x02,0x03,0x01,0x00,0x01,0xA3,0x60,0x30,0x5E,0x30,0x0E, + 0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x03,0xB8,0x30,0x0C, + 0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1D,0x06,0x03, + 0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xDE,0x6A,0x9D,0x5E,0x83,0x77,0xA6,0xFE,0xA9, + 0x65,0x30,0x5F,0x98,0xE8,0xA4,0x7C,0xDE,0x0A,0xB3,0x48,0x30,0x1F,0x06,0x03,0x55, + 0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xC9,0xAA,0x84,0x6B,0x06,0xB8,0x76,0xE2, + 0x96,0x4F,0xE7,0x27,0x02,0xD7,0x2E,0x3B,0xDA,0xF7,0xB0,0x18,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00, + 0x96,0x07,0x3B,0x68,0xE8,0x2F,0x97,0xA5,0x42,0xFF,0x9D,0x34,0xFD,0x3A,0xD2,0x01, + 0x69,0xD7,0x67,0x46,0x9A,0x7D,0x56,0xE0,0x7F,0x91,0xEE,0xC3,0x5C,0xD2,0x51,0x54, + 0xE3,0xD2,0x17,0x08,0xB2,0xBC,0xCD,0x85,0xF8,0x8E,0xAD,0x49,0x53,0xE1,0x07,0x5A, + 0x9B,0x03,0xA2,0x35,0xCA,0xCF,0xC6,0xB6,0xC9,0x71,0x53,0xBC,0x2E,0xA3,0x1B,0x03, + 0x5C,0x55,0x57,0xA3,0x10,0xBC,0x15,0x81,0xD5,0xE6,0xA3,0xB8,0x21,0x50,0x2E,0x44, + 0xD4,0xEA,0x71,0x17,0xE5,0xFC,0x71,0xC3,0xF9,0xE8,0x99,0x98,0xF3,0x5F,0xFF,0xB2, + 0x8E,0xC7,0x56,0x74,0x46,0xEC,0x63,0x3F,0x4A,0xA6,0x9C,0x85,0x7C,0x08,0x61,0x32, + 0xB7,0x35,0x36,0x01,0x0C,0xCE,0xD8,0xE3,0xC4,0x6A,0x0D,0xF2,0x25,0x56,0x59,0xBA, + 0x88,0x1B,0xB4,0x21,0x80,0xB9,0x69,0x9E,0x93,0xF7,0xB1,0x22,0x19,0x8B,0x8B,0xD8, + 0xBD,0xDC,0x0C,0xA7,0x69,0x4B,0x5B,0xE9,0xD7,0x7A,0x1D,0xEF,0x37,0x0D,0x24,0xDC, + 0xA7,0x67,0xBC,0x0D,0xE1,0x0D,0x28,0xA0,0xB8,0x83,0x28,0x6A,0x8A,0xD6,0x59,0x40, + 
0x4A,0xF1,0x06,0x0D,0x75,0xB9,0x81,0x4B,0x4C,0x2D,0xCB,0x57,0xE0,0x7A,0x32,0x5B, + 0xE0,0xEA,0xDD,0x0C,0xDC,0xFD,0x5E,0x7E,0xB0,0x77,0x07,0x0D,0xA7,0x14,0x0B,0x41, + 0x94,0x4F,0x10,0x3E,0xA5,0x0C,0x68,0x3F,0x8C,0x70,0x5C,0x29,0xB7,0xE9,0xFC,0x09, + 0x35,0x5C,0x2D,0xB3,0xA9,0x4F,0x51,0xB0,0xA7,0xD5,0xAD,0x3F,0xE2,0xA2,0x4C,0x73, + 0xFC,0x2F,0x6E,0x21,0x38,0xE5,0xBB,0x8B,0x57,0x51,0xE5,0x9B,0x8B,0xA6,0xAA,0x0B +}; + +/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Accessories Certification Authority - 00000000 */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Accessories Certification Authority - 00000000 */ +const uint8_t _v3ca[618]={ + 0x30,0x82,0x02,0x66,0x30,0x82,0x02,0x0C,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x00, + 0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,0x30,0x81,0x89,0x31, + 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11, + 0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63, + 0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C, + 0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20, + 0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x3D,0x30,0x3B,0x06,0x03,0x55, + 0x04,0x03,0x13,0x34,0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65,0x73,0x73, + 0x6F,0x72,0x69,0x65,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, + 0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20, + 0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x32, + 0x32,0x34,0x30,0x30,0x31,0x39,0x33,0x33,0x5A,0x17,0x0D,0x34,0x36,0x30,0x32,0x32, + 0x34,0x30,0x30,0x31,0x39,0x33,0x33,0x5A,0x30,0x81,0x89,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30, + 
0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65, + 0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68, + 0x6F,0x72,0x69,0x74,0x79,0x31,0x3D,0x30,0x3B,0x06,0x03,0x55,0x04,0x03,0x13,0x34, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65, + 0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20, + 0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20,0x30,0x30,0x30,0x30, + 0x30,0x30,0x30,0x30,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x02, + 0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00,0x04,0xF3, + 0xA9,0x19,0x0B,0xFA,0xF5,0xAB,0x2A,0x99,0xC0,0x6A,0x08,0x7E,0x6C,0x21,0x88,0x88, + 0x3C,0xDC,0xE0,0xB1,0x80,0x11,0x00,0x35,0xF5,0x03,0x6B,0x82,0x81,0xAD,0x73,0x8B, + 0x76,0xE7,0xD5,0x6B,0x7E,0x6A,0xE4,0xF6,0x10,0x7A,0x30,0x32,0xC9,0xBE,0x75,0x28, + 0xBA,0x7C,0xF7,0x02,0x19,0x1C,0x18,0x68,0xBB,0x2F,0xEC,0xEC,0x06,0x66,0xF9,0xA3, + 0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30, + 0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04, + 0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x69, + 0x96,0xE3,0x5B,0x36,0x2A,0xAE,0x8B,0xB1,0x02,0x94,0x1D,0xA6,0x13,0x5B,0xB2,0x6E, + 0xE9,0x9B,0x31,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14, + 0x69,0x96,0xE3,0x5B,0x36,0x2A,0xAE,0x8B,0xB1,0x02,0x94,0x1D,0xA6,0x13,0x5B,0xB2, + 0x6E,0xE9,0x9B,0x31,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02, + 0x03,0x48,0x00,0x30,0x45,0x02,0x20,0x7B,0x11,0x63,0x57,0xFE,0x7B,0xA3,0xF7,0xF2, + 0x32,0x4D,0x04,0x21,0x8F,0x97,0xDB,0xF5,0xE8,0x74,0x3E,0x2A,0x3F,0x18,0x1A,0xCC, + 0xE4,0x7A,0xB5,0x73,0x68,0x9C,0xB3,0x02,0x21,0x00,0xEC,0x33,0xC9,0xF9,0xE8,0xC1, + 0x40,0x10,0xD8,0x88,0xF7,0x2B,0xC3,0x30,0x8F,0xF1,0x22,0xFF,0x66,0x32,0xB4,0x69, + 0x05,0xFA,0x92,0x9C,0xB6,0xEF,0x6C,0x61,0xE7,0xFA, +}; + +/* subject:/C=US/O=Apple 
Inc./OU=Apple Accessories/CN=IPA_019256C98E8DCE6074DEE81A0002A756 */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Accessories Certification Authority - 00000000 */ +unsigned char _v3leaf[558]={ + 0x30,0x82,0x02,0x2A,0x30,0x82,0x01,0xD1,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x01, + 0x92,0x56,0xC9,0x8E,0x8D,0xCE,0x60,0x74,0xDE,0xE8,0x1A,0x00,0x02,0xA7,0x56,0x30, + 0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,0x30,0x81,0x89,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06, + 0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E, + 0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C,0x65, + 0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, + 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x3D,0x30,0x3B,0x06,0x03,0x55,0x04, + 0x03,0x13,0x34,0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65,0x73,0x73,0x6F, + 0x72,0x69,0x65,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, + 0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20,0x30, + 0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x34,0x31, + 0x34,0x32,0x30,0x34,0x30,0x33,0x31,0x5A,0x17,0x0D,0x34,0x39,0x31,0x32,0x33,0x31, + 0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x6D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13, + 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1A,0x30,0x18,0x06, + 0x03,0x55,0x04,0x0B,0x13,0x11,0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65, + 0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x31,0x2D,0x30,0x2B,0x06,0x03,0x55,0x04,0x03, + 0x14,0x24,0x49,0x50,0x41,0x5F,0x30,0x31,0x39,0x32,0x35,0x36,0x43,0x39,0x38,0x45, + 0x38,0x44,0x43,0x45,0x36,0x30,0x37,0x34,0x44,0x45,0x45,0x38,0x31,0x41,0x30,0x30, + 0x30,0x32,0x41,0x37,0x35,0x36,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE, + 
0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00, + 0x04,0xD7,0x21,0x4D,0x08,0x7F,0xEA,0x11,0x15,0xEA,0xF3,0x4D,0x9D,0x86,0x79,0x42, + 0xE0,0xA2,0x72,0x68,0x08,0xD5,0xF4,0xD2,0x8F,0x79,0x20,0x45,0xE5,0xFD,0xE8,0x8E, + 0xFE,0x08,0xD0,0x72,0x0B,0x88,0x9F,0xDD,0x8B,0xC3,0x55,0x91,0x09,0xD1,0xFB,0x9E, + 0x8B,0xFA,0x7A,0x64,0xD5,0x70,0xD6,0x33,0xB4,0xAF,0x80,0xA4,0xAB,0x0A,0xE3,0x3D, + 0x23,0xA3,0x36,0x30,0x34,0x30,0x32,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64, + 0x06,0x24,0x01,0x01,0xFF,0x04,0x22,0x04,0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0A,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48, + 0xCE,0x3D,0x04,0x03,0x02,0x03,0x47,0x00,0x30,0x44,0x02,0x20,0x5E,0xDD,0x00,0x88, + 0x4C,0x1F,0x58,0xF1,0x44,0xC9,0x0C,0xE1,0x9B,0x54,0x1F,0xB9,0x20,0xC1,0xDE,0x00, + 0x9F,0xEC,0xA8,0xDD,0x5E,0xDC,0x2A,0xF4,0xFC,0xFC,0x36,0x8A,0x02,0x20,0x0A,0x4C, + 0x2F,0x9D,0xA0,0x4C,0xEB,0xA0,0xF1,0xAF,0xAE,0xDA,0x0F,0x2C,0x93,0x22,0x0B,0x74, + 0xD5,0x2B,0x80,0x3D,0x81,0x33,0x33,0xB6,0x6C,0xFB,0xC0,0xB5,0x70,0x9B, +}; + +/* subject:/C=US/O=Apple Inc./OU=Apple Accessories/CN=IPA_204E6F2CB683A518F7726D190000C5DA */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Accessories Certification Authority - 00000002 */ +unsigned char _malformedV3Leaf[] = { + 0x30,0x82,0x02,0x2B,0x30,0x82,0x01,0xD1,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x20, + 0x4E,0x6F,0x2C,0xB6,0x83,0xA5,0x18,0xF7,0x72,0x6D,0x19,0x00,0x00,0xC5,0xDA,0x30, + 0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,0x30,0x81,0x89,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06, + 0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E, + 0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C,0x65, + 0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, + 
0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x3D,0x30,0x3B,0x06,0x03,0x55,0x04, + 0x03,0x13,0x34,0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65,0x73,0x73,0x6F, + 0x72,0x69,0x65,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, + 0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x20,0x2D,0x20,0x30, + 0x30,0x30,0x30,0x30,0x30,0x30,0x32,0x30,0x1E,0x17,0x0D,0x31,0x35,0x31,0x32,0x33, + 0x31,0x31,0x31,0x35,0x31,0x31,0x37,0x5A,0x17,0x0D,0x34,0x39,0x31,0x32,0x33,0x31, + 0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x6D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13, + 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1A,0x30,0x18,0x06, + 0x03,0x55,0x04,0x0B,0x13,0x11,0x41,0x70,0x70,0x6C,0x65,0x20,0x41,0x63,0x63,0x65, + 0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x31,0x2D,0x30,0x2B,0x06,0x03,0x55,0x04,0x03, + 0x14,0x24,0x49,0x50,0x41,0x5F,0x32,0x30,0x34,0x45,0x36,0x46,0x32,0x43,0x42,0x36, + 0x38,0x33,0x41,0x35,0x31,0x38,0x46,0x37,0x37,0x32,0x36,0x44,0x31,0x39,0x30,0x30, + 0x30,0x30,0x43,0x35,0x44,0x41,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE, + 0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00, + 0x04,0x9A,0x21,0x88,0x3D,0x3B,0xCD,0xA9,0x9F,0x1B,0xC6,0x5F,0x47,0x5D,0xA8,0xEB, + 0x52,0x18,0x9F,0x1E,0xF3,0xD8,0x7C,0xB6,0x1D,0x39,0x7A,0x8C,0xE0,0xDB,0x79,0xB4, + 0x9D,0x37,0x16,0xB8,0x6F,0x1C,0x29,0x42,0x59,0xA5,0x4E,0xA2,0x9A,0xB1,0x0E,0xC4, + 0x55,0xCC,0x89,0x79,0x4A,0x9E,0xDB,0x95,0x7A,0xF3,0x3D,0x7F,0x58,0xAD,0xF7,0x61, + 0xB3,0xA3,0x36,0x30,0x34,0x30,0x32,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64, + 0x06,0x24,0x01,0x01,0xFF,0x04,0x22,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48, + 0xCE,0x3D,0x04,0x03,0x02,0x03,0x48,0x00,0x30,0x45,0x02,0x20,0x80,0x6B,0x96,0x6C, + 
0x83,0x04,0x29,0x68,0x52,0xF9,0x74,0x42,0x7C,0x49,0x81,0x39,0x53,0x91,0x53,0x0D,
+ 0x95,0xB7,0x4F,0x18,0xFC,0xA5,0x38,0x9A,0x55,0x68,0x53,0x02,0x02,0x21,0x00,0xF5,
+ 0xE4,0xF2,0xB7,0x0B,0x7F,0x43,0xFA,0xDB,0xC2,0x1A,0x05,0xEF,0xF9,0x0E,0x31,0xFC,
+ 0x0A,0xCB,0xCD,0x6C,0x03,0x8A,0x73,0x95,0x74,0xB1,0x57,0x03,0x09,0x55,0x8D,
+};
+
+#endif /* _SECURITY_SI_22_SECTRUST_IAP_H_ */
diff --git a/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c b/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c
index ea000d85..e227e08f 100644
--- a/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c
+++ b/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c
@@ -17,7 +17,7 @@
 #include <unistd.h>
 #include <string.h>
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 /* subject:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=3014267/C=US/postalCode=95131-2021/ST=California/L=San Jose/streetAddress=2211 N 1st St/O=PayPal, Inc./OU=Information Systems/CN=www.paypal.com */
 /* issuer :/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA */
@@ -1206,6 +1206,7 @@ static void test_forced_revocation()
 CFDateRef VerifyDate;
 isnt(VerifyDate = CFDateCreate(NULL, 332900000.0), NULL, "Create verify date");
+ if (!VerifyDate) { goto errOut; }
 // Standard evaluation should succeed for the given verify date
 {
@@ -1245,6 +1246,7 @@ static void test_forced_revocation()
 }
 // Free remaining resources
+errOut:
 CFReleaseSafe(VerifyDate);
 CFReleaseSafe(SMIMEDefaultPolicy);
 CFReleaseSafe(SMIMEDefaultPolicyWithRevocation);
diff --git a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-appleid.c b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-appleid.c
deleted file mode 100644
index d956007b..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-appleid.c
+++ /dev/null
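Review bot: The new `if (!VerifyDate) { goto errOut; }` jumps forward to a label that releases SMIMEDefaultPolicy and SMIMEDefaultPolicyWithRevocation, but the declarations of those variables are not in the hunk; if either is declared after this line without a NULL initializer, CFReleaseSafe at errOut would read an uninitialized pointer. Worth confirming that every CFTypeRef released at errOut is declared and set to NULL before the new goto, e.g. `SecPolicyRef SMIMEDefaultPolicy = NULL, SMIMEDefaultPolicyWithRevocation = NULL;` ahead of the VerifyDate check, and adding a one-line comment at the label such as `// reached early when VerifyDate could not be created; every ref below must already be NULL or valid`. Taking the early exit also skips the tests between the two hunks, so the planned test count comes up short; the isnt() presumably already records the failure, so that may be acceptable. test_forced_revocation starts and continues outside the hunk.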
@@ -1,29 +0,0 @@
-/*
- * Copyright (c) 2011-2012 Apple Inc. All Rights Reserved.
- */
-
-#include <Security/SecPolicyPriv.h>
-#include <Security/SecInternal.h>
-
-#include <test/testpolicy.h>
-
-#include "Security_regressions.h"
-
-static void tests(void)
-{
- SecPolicyRef policy = SecPolicyCreateAppleIDAuthorityPolicy();
-
- /* Run the tests. */
- runCertificateTestForDirectory(policy, CFSTR("AppleID-certs"), NULL);
-
- CFReleaseSafe(policy);
-}
-
-int si_24_sectrust_appleid(int argc, char *const *argv)
-{
- plan_tests(2);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-digicert-malaysia.c b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-digicert-malaysia.c
index b11f28a7..97a500a5 100644
--- a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-digicert-malaysia.c
+++ b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-digicert-malaysia.c
@@ -3,11 +3,11 @@
 */
 #include <Security/SecPolicyPriv.h>
-#include <Security/SecInternal.h>
+#include <utilities/SecCFWrappers.h>
 #include <test/testpolicy.h>
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 static void tests(void)
 {
diff --git a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-diginotar.c b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-diginotar.c
index 95a6b35b..4f363710 100644
--- a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-diginotar.c
+++ b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-diginotar.c
@@ -3,11 +3,11 @@
 */
 #include <Security/SecPolicyPriv.h>
-#include <Security/SecInternal.h>
+#include <utilities/SecCFWrappers.h>
 #include <test/testpolicy.h>
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 static void tests(void)
 {
@@ -23,7 +23,7 @@ static void tests(void)
 int si_24_sectrust_diginotar(int argc, char *const *argv)
 {
- plan_tests(27);
+ plan_tests(25);
 tests();
diff --git a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-itms.c b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-itms.c
index 7f96dbfa..5b4fe130 100644
--- a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-itms.c
+++ b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-itms.c
@@ -8,7 +8,6 @@
 #include <Security/SecPolicyPriv.h>
 #include <Security/SecTrust.h>
 #include <Security/SecKey.h>
-#include <Security/SecInternal.h>
 #include <CommonCrypto/CommonDigest.h>
 #include <CommonCrypto/CommonDigestSPI.h>
 #include <utilities/SecCFWrappers.h>
@@ -16,7 +15,7 @@
 #include <stdlib.h>
 #include <unistd.h>
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 static const UInt8 sITunesStoreRootCertificate[] = {
@@ -132,7 +131,9 @@ static void tests(void)
 CFDataRef signature = CFDictionaryGetValue(urlBagDict, CFSTR("signature"));
 CFDataRef bag = CFDictionaryGetValue(urlBagDict, CFSTR("bag"));
 unsigned char sha1_hash[CC_SHA1_DIGEST_LENGTH];
+ CFDataRef sha1Data = NULL;
 CCDigest(kCCDigestSHA1, CFDataGetBytePtr(bag), CFDataGetLength(bag), sha1_hash);
+ sha1Data = CFDataCreate(NULL, sha1_hash, sizeof(sha1_hash));
 isnt(policy = SecPolicyCreateiTunesStoreURLBag(), NULL, "create policy instance");
@@ -151,9 +152,14 @@ static void tests(void)
 is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
 SecKeyRef pub_key_leaf;
 isnt(pub_key_leaf = SecTrustCopyPublicKey(trust), NULL, "get leaf pub key");
- ok_status(SecKeyRawVerify(pub_key_leaf, kSecPaddingPKCS1SHA1, sha1_hash, sizeof(sha1_hash), CFDataGetBytePtr(signature), CFDataGetLength(signature)),
- "verify signature on bag");
-
+ if (!pub_key_leaf) { goto errOut; }
+ CFErrorRef error = NULL;
+ ok(SecKeyVerifySignature(pub_key_leaf, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, sha1Data, signature, &error),
+ "verify signature on bag");
+ CFReleaseNull(error);
+
+errOut:
+ CFReleaseSafe(sha1Data);
 CFReleaseSafe(pub_key_leaf);
 CFReleaseSafe(urlBagDict);
 CFReleaseSafe(certs);
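Review bot: `sha1Data = CFDataCreate(NULL, sha1_hash, sizeof(sha1_hash));` in the -132 hunk is never checked, so a NULL result is passed straight to `SecKeyVerifySignature` in the -151 hunk, where only pub_key_leaf is guarded; add `if (!sha1Data) { goto errOut; }` after the create, or widen the existing guard to `if (!pub_key_leaf || !sha1Data) { goto errOut; }`. Separately, when the ok() around SecKeyVerifySignature fails, `error` is released by `CFReleaseNull(error);` without ever being reported, so the reason the signature check failed is lost from the test output; copying its description (e.g. via `CFErrorCopyDescription`) into the test message before the release would make a failure diagnosable. The goto also jumps over `CFErrorRef error = NULL;`, which is legal here because `error` is not used after the label, but a short comment saying so would keep the next edit from moving a use below errOut. tests() starts and ends outside these hunks.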
diff --git a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-mobileasset.c b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-mobileasset.c
deleted file mode 100644
index 819a797f..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-mobileasset.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (c) 2011-2012 Apple Inc. All Rights Reserved.
- */
-
-#include <Security/SecPolicyPriv.h>
-#include <Security/SecInternal.h>
-
-#include <test/testpolicy.h>
-
-#include "Security_regressions.h"
-
-static void tests(void)
-{
- SecPolicyRef otaPolicy = SecPolicyCreateMobileAsset();
-
- /* Run the tests. */
- runCertificateTestForDirectory(otaPolicy, CFSTR("mobileasset-certs"), NULL);
-
- CFReleaseSafe(otaPolicy);
-}
-
-int si_24_sectrust_mobileasset(int argc, char *const *argv)
-{
- plan_tests(2);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-nist.c b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-nist.c
index aea1a460..c2ff1f1a 100644
--- a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-nist.c
+++ b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-nist.c
@@ -3,11 +3,11 @@
 */
 #include <Security/SecPolicyPriv.h>
-#include <Security/SecInternal.h>
+#include <utilities/SecCFWrappers.h>
 #include <test/testpolicy.h>
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 static void tests(void)
 {
diff --git a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-otatasking.c b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-otatasking.c
deleted file mode 100644
index f7d0ffcc..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-otatasking.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (c) 2011-2012 Apple Inc. All Rights Reserved.
- */
-
-#include <Security/SecPolicyPriv.h>
-#include <Security/SecInternal.h>
-
-#include <test/testpolicy.h>
-
-#include "Security_regressions.h"
-
-static void tests(void)
-{
- SecPolicyRef otaPolicy = SecPolicyCreateOTATasking();
-
- /* Run the tests. */
- runCertificateTestForDirectory(otaPolicy, CFSTR("OTATasking-certs"), NULL);
-
- CFReleaseSafe(otaPolicy);
-}
-
-int si_24_sectrust_otatasking(int argc, char *const *argv)
-{
- plan_tests(2);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-shoebox.c b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-passbook.c
similarity index 73%
rename from OSX/sec/Security/Regressions/secitem/si-24-sectrust-shoebox.c
rename to OSX/sec/Security/Regressions/secitem/si-24-sectrust-passbook.c
index 193e987c..b0d361ba 100644
--- a/OSX/sec/Security/Regressions/secitem/si-24-sectrust-shoebox.c
+++ b/OSX/sec/Security/Regressions/secitem/si-24-sectrust-passbook.c
@@ -28,186 +28,12 @@ #include <Security/SecPolicyPriv.h> #include <Security/SecTrustPriv.h> #include <Security/SecCMS.h> -#include <Security/SecInternal.h> #include <stdlib.h> #include <unistd.h> #include <utilities/SecCFWrappers.h> #include <test/testpolicy.h> -#include "Security_regressions.h" - -/* subject:/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -static const unsigned char _wwdrca[]={ -0x30,0x82,0x04,0x23,0x30,0x82,0x03,0x0B,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x19, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, -0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, -0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, -0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, -0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06, -0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74, -0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x38,0x30,0x32,0x31,0x34,0x31,0x38,0x35, -0x36,0x33,0x35,0x5A,0x17,0x0D,0x31,0x36,0x30,0x32,0x31,0x34,0x31,0x38,0x35,0x36, -0x33,0x35,0x5A,0x30,0x81,0x96,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, -0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, -0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04, -0x0B,0x0C,0x23,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77,0x69, -0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65,0x6C, -0x61,0x74,0x69,0x6F,0x6E,0x73,0x31,0x44,0x30,0x42,0x06,0x03,0x55,0x04,0x03,0x0C, -0x3B,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77,0x69,0x64,0x65, 
-0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65,0x6C,0x61,0x74, -0x69,0x6F,0x6E,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, -0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x01,0x22, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, -0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xCA,0x38,0x54, -0xA6,0xCB,0x56,0xAA,0xC8,0x24,0x39,0x48,0xE9,0x8C,0xEE,0xEC,0x5F,0xB8,0x7F,0x26, -0x91,0xBC,0x34,0x53,0x7A,0xCE,0x7C,0x63,0x80,0x61,0x77,0x64,0x5E,0xA5,0x07,0x23, -0xB6,0x39,0xFE,0x50,0x2D,0x15,0x56,0x58,0x70,0x2D,0x7E,0xC4,0x6E,0xC1,0x4A,0x85, -0x3E,0x2F,0xF0,0xDE,0x84,0x1A,0xA1,0x57,0xC9,0xAF,0x7B,0x18,0xFF,0x6A,0xFA,0x15, -0x12,0x49,0x15,0x08,0x19,0xAC,0xAA,0xDB,0x2A,0x32,0xED,0x96,0x63,0x68,0x52,0x15, -0x3D,0x8C,0x8A,0xEC,0xBF,0x6B,0x18,0x95,0xE0,0x03,0xAC,0x01,0x7D,0x97,0x05,0x67, -0xCE,0x0E,0x85,0x95,0x37,0x6A,0xED,0x09,0xB6,0xAE,0x67,0xCD,0x51,0x64,0x9F,0xC6, -0x5C,0xD1,0xBC,0x57,0x6E,0x67,0x35,0x80,0x76,0x36,0xA4,0x87,0x81,0x6E,0x38,0x8F, -0xD8,0x2B,0x15,0x4E,0x7B,0x25,0xD8,0x5A,0xBF,0x4E,0x83,0xC1,0x8D,0xD2,0x93,0xD5, -0x1A,0x71,0xB5,0x60,0x9C,0x9D,0x33,0x4E,0x55,0xF9,0x12,0x58,0x0C,0x86,0xB8,0x16, -0x0D,0xC1,0xE5,0x77,0x45,0x8D,0x50,0x48,0xBA,0x2B,0x2D,0xE4,0x94,0x85,0xE1,0xE8, -0xC4,0x9D,0xC6,0x68,0xA5,0xB0,0xA3,0xFC,0x67,0x7E,0x70,0xBA,0x02,0x59,0x4B,0x77, -0x42,0x91,0x39,0xB9,0xF5,0xCD,0xE1,0x4C,0xEF,0xC0,0x3B,0x48,0x8C,0xA6,0xE5,0x21, -0x5D,0xFD,0x6A,0x6A,0xBB,0xA7,0x16,0x35,0x60,0xD2,0xE6,0xAD,0xF3,0x46,0x29,0xC9, -0xE8,0xC3,0x8B,0xE9,0x79,0xC0,0x6A,0x61,0x67,0x15,0xB2,0xF0,0xFD,0xE5,0x68,0xBC, -0x62,0x5F,0x6E,0xCF,0x99,0xDD,0xEF,0x1B,0x63,0xFE,0x92,0x65,0xAB,0x02,0x03,0x01, -0x00,0x01,0xA3,0x81,0xAE,0x30,0x81,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, -0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x86,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01, -0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, 
-0x04,0x16,0x04,0x14,0x88,0x27,0x17,0x09,0xA9,0xB6,0x18,0x60,0x8B,0xEC,0xEB,0xBA, -0xF6,0x47,0x59,0xC5,0x52,0x54,0xA3,0xB7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04, -0x18,0x30,0x16,0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D, -0x2E,0x40,0xA6,0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x36,0x06,0x03,0x55,0x1D,0x1F, -0x04,0x2F,0x30,0x2D,0x30,0x2B,0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70, -0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, -0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x72,0x6F,0x6F,0x74,0x2E,0x63,0x72, -0x6C,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x01,0x04, -0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, -0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xDA,0x32,0x00,0x96,0xC5,0x54,0x94,0xD3,0x3B, -0x82,0x37,0x66,0x7D,0x2E,0x68,0xD5,0xC3,0xC6,0xB8,0xCB,0x26,0x8C,0x48,0x90,0xCF, -0x13,0x24,0x6A,0x46,0x8E,0x63,0xD4,0xF0,0xD0,0x13,0x06,0xDD,0xD8,0xC4,0xC1,0x37, -0x15,0xF2,0x33,0x13,0x39,0x26,0x2D,0xCE,0x2E,0x55,0x40,0xE3,0x0B,0x03,0xAF,0xFA, -0x12,0xC2,0xE7,0x0D,0x21,0xB8,0xD5,0x80,0xCF,0xAC,0x28,0x2F,0xCE,0x2D,0xB3,0x4E, -0xAF,0x86,0x19,0x04,0xC6,0xE9,0x50,0xDD,0x4C,0x29,0x47,0x10,0x23,0xFC,0x6C,0xBB, -0x1B,0x98,0x6B,0x48,0x89,0xE1,0x5B,0x9D,0xDE,0x46,0xDB,0x35,0x85,0x35,0xEF,0x3E, -0xD0,0xE2,0x58,0x4B,0x38,0xF4,0xED,0x75,0x5A,0x1F,0x5C,0x70,0x1D,0x56,0x39,0x12, -0xE5,0xE1,0x0D,0x11,0xE4,0x89,0x25,0x06,0xBD,0xD5,0xB4,0x15,0x8E,0x5E,0xD0,0x59, -0x97,0x90,0xE9,0x4B,0x81,0xE2,0xDF,0x18,0xAF,0x44,0x74,0x1E,0x19,0xA0,0x3A,0x47, -0xCC,0x91,0x1D,0x3A,0xEB,0x23,0x5A,0xFE,0xA5,0x2D,0x97,0xF7,0x7B,0xBB,0xD6,0x87, -0x46,0x42,0x85,0xEB,0x52,0x3D,0x26,0xB2,0x63,0xA8,0xB4,0xB1,0xCA,0x8F,0xF4,0xCC, -0xE2,0xB3,0xC8,0x47,0xE0,0xBF,0x9A,0x59,0x83,0xFA,0xDA,0x98,0x53,0x2A,0x82,0xF5, -0x7C,0x65,0x2E,0x95,0xD9,0x33,0x5D,0xF5,0xED,0x65,0xCC,0x31,0x37,0xC5,0x5A,0x04, -0xE8,0x6B,0xE1,0xE7,0x88,0x03,0x4A,0x75,0x9E,0x9B,0x28,0xCB,0x4A,0x40,0x88,0x65, 
-0x43,0x75,0xDD,0xCB,0x3A,0x25,0x23,0xC5,0x9E,0x57,0xF8,0x2E,0xCE,0xD2,0xA9,0x92, -0x5E,0x73,0x2E,0x2F,0x25,0x75,0x15, -}; - -/* subject:/UID=pass.com.apple.cardman/CN=Pass Type ID: pass.com.apple.cardman/OU=A1B2C3D4E5/O=Apple Internal Use Only/C=US */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority */ -static const unsigned char _leaf[]={ -0x30,0x82,0x05,0xF1,0x30,0x82,0x04,0xD9,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x29, -0xD6,0x12,0x53,0x17,0x20,0x2D,0x6A,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, -0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x96,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, -0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C, -0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2C,0x30,0x2A,0x06, -0x03,0x55,0x04,0x0B,0x0C,0x23,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C, -0x64,0x77,0x69,0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20, -0x52,0x65,0x6C,0x61,0x74,0x69,0x6F,0x6E,0x73,0x31,0x44,0x30,0x42,0x06,0x03,0x55, -0x04,0x03,0x0C,0x3B,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77, -0x69,0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65, -0x6C,0x61,0x74,0x69,0x6F,0x6E,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63, -0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30, -0x1E,0x17,0x0D,0x31,0x32,0x30,0x35,0x33,0x30,0x32,0x33,0x32,0x30,0x31,0x30,0x5A, -0x17,0x0D,0x31,0x33,0x30,0x35,0x33,0x30,0x32,0x33,0x32,0x30,0x31,0x30,0x5A,0x30, -0x81,0x9B,0x31,0x26,0x30,0x24,0x06,0x0A,0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64, -0x01,0x01,0x0C,0x16,0x70,0x61,0x73,0x73,0x2E,0x63,0x6F,0x6D,0x2E,0x61,0x70,0x70, -0x6C,0x65,0x2E,0x63,0x61,0x72,0x64,0x6D,0x61,0x6E,0x31,0x2D,0x30,0x2B,0x06,0x03, -0x55,0x04,0x03,0x0C,0x24,0x50,0x61,0x73,0x73,0x20,0x54,0x79,0x70,0x65,0x20,0x49, -0x44,0x3A,0x20,0x70,0x61,0x73,0x73,0x2E,0x63,0x6F,0x6D,0x2E,0x61,0x70,0x70,0x6C, 
-0x65,0x2E,0x63,0x61,0x72,0x64,0x6D,0x61,0x6E,0x31,0x13,0x30,0x11,0x06,0x03,0x55, -0x04,0x0B,0x0C,0x0A,0x41,0x31,0x42,0x32,0x43,0x33,0x44,0x34,0x45,0x35,0x31,0x20, -0x30,0x1E,0x06,0x03,0x55,0x04,0x0A,0x0C,0x17,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, -0x6E,0x74,0x65,0x72,0x6E,0x61,0x6C,0x20,0x55,0x73,0x65,0x20,0x4F,0x6E,0x6C,0x79, -0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01, -0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, -0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xBB,0x6C, -0x6C,0xD4,0xCD,0x0B,0xD9,0x47,0x49,0xE1,0xA3,0xFE,0x73,0xE0,0x15,0xA6,0x2E,0x35, -0xC8,0xB7,0xCD,0xAB,0x5E,0xD3,0x87,0x8A,0x94,0x8F,0x4D,0x94,0x52,0x72,0x27,0x57, -0xB8,0xF5,0xA8,0xE2,0xF2,0xB0,0x46,0xAD,0xB9,0x30,0x9B,0x6A,0xD7,0x0A,0xFF,0x0E, -0x5E,0x78,0x4C,0x97,0x17,0x16,0xA7,0x03,0xE1,0x13,0xE7,0x97,0x72,0x24,0xC8,0x7F, -0x80,0x91,0xD2,0x45,0xA3,0xF8,0x21,0xCE,0x2D,0xFA,0xE4,0x3A,0x5E,0x04,0x30,0xE9, -0x48,0xCA,0x32,0xCE,0x52,0x4C,0xCF,0x14,0xF9,0x04,0x58,0x30,0x4A,0xF8,0x49,0xBB, -0x39,0x18,0x5C,0x4B,0x28,0x9E,0x14,0x16,0x23,0x73,0x6E,0x0D,0xCD,0xCD,0xEF,0x98, -0xE7,0x90,0x04,0x0E,0x4A,0xC8,0x16,0x22,0x76,0x68,0xC6,0xDF,0x5D,0x20,0xA7,0x49, -0x2E,0x55,0x9E,0x50,0x31,0x56,0x50,0x29,0xF9,0x56,0x09,0x38,0x32,0x25,0x1B,0x3A, -0x1C,0x97,0x3E,0x04,0xEE,0x69,0x3C,0x68,0x44,0x54,0x51,0x27,0x75,0x70,0xA2,0x33, -0x86,0x7A,0x9D,0x71,0xC0,0x18,0x2E,0x37,0xB5,0x47,0x8D,0xBE,0x57,0xB6,0xAA,0xDA, -0x1D,0xE8,0x78,0x23,0x66,0xC8,0x6C,0xE3,0x7E,0xFD,0xDE,0x6B,0x70,0x2F,0x76,0x1D, -0xA6,0x2B,0x97,0xEE,0xAD,0x5B,0x8B,0x8E,0x00,0x87,0x27,0xDF,0x16,0x54,0x08,0x97, -0x18,0x23,0x31,0x2C,0xF5,0x9D,0x41,0xD5,0xBB,0x60,0x23,0x92,0x3D,0xCC,0x9E,0x2D, -0xFF,0xA5,0x8B,0xE0,0xF9,0x65,0xDC,0x94,0x58,0xB0,0x9D,0x73,0x05,0x05,0x21,0xA1, -0xB3,0x37,0xA4,0x8F,0x5D,0xDA,0xCE,0x9C,0xF6,0x63,0x9B,0x6B,0x9F,0x77,0x02,0x03, -0x01,0x00,0x01,0xA3,0x82,0x02,0x3A,0x30,0x82,0x02,0x36,0x30,0x3D,0x06,0x08,0x2B, 
-0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x31,0x30,0x2F,0x30,0x2D,0x06,0x08,0x2B, -0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x21,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, -0x6F,0x63,0x73,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F, -0x63,0x73,0x70,0x2D,0x77,0x77,0x64,0x72,0x30,0x33,0x30,0x1D,0x06,0x03,0x55,0x1D, -0x0E,0x04,0x16,0x04,0x14,0x9B,0xC2,0x61,0x59,0x72,0x23,0xB6,0x5F,0x91,0x0F,0x04, -0x87,0x92,0xF9,0xA4,0xF3,0x6B,0xE9,0xBE,0xAB,0x30,0x09,0x06,0x03,0x55,0x1D,0x13, -0x04,0x02,0x30,0x00,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80, -0x14,0x88,0x27,0x17,0x09,0xA9,0xB6,0x18,0x60,0x8B,0xEC,0xEB,0xBA,0xF6,0x47,0x59, -0xC5,0x52,0x54,0xA3,0xB7,0x30,0x82,0x01,0x0F,0x06,0x03,0x55,0x1D,0x20,0x04,0x82, -0x01,0x06,0x30,0x82,0x01,0x02,0x30,0x81,0xFF,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, -0x63,0x64,0x05,0x01,0x30,0x81,0xF1,0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, -0x07,0x02,0x01,0x16,0x1D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E, -0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x63, -0x61,0x2F,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,0x30, -0x81,0xB6,0x0C,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63,0x65,0x20,0x6F,0x6E, -0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, -0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72,0x74,0x79,0x20,0x61, -0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70,0x74,0x61,0x6E,0x63, -0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65,0x6E,0x20,0x61,0x70, -0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61,0x6E,0x64,0x61,0x72, -0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20,0x63,0x6F,0x6E,0x64, -0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65,0x2C,0x20,0x63, -0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70,0x6F,0x6C,0x69,0x63, -0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74, 
-0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65,0x20,0x73,0x74,0x61, -0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x30,0x06,0x03,0x55,0x1D,0x1F,0x04, -0x29,0x30,0x27,0x30,0x25,0xA0,0x23,0xA0,0x21,0x86,0x1F,0x68,0x74,0x74,0x70,0x3A, -0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F, -0x77,0x77,0x64,0x72,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0B,0x06,0x03,0x55,0x1D, -0x0F,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x1E,0x06,0x03,0x55,0x1D,0x25,0x04,0x17, -0x30,0x15,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x09,0x2A,0x86, -0x48,0x86,0xF7,0x63,0x64,0x04,0x0E,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7, -0x63,0x64,0x06,0x03,0x02,0x04,0x02,0x05,0x00,0x30,0x26,0x06,0x0A,0x2A,0x86,0x48, -0x86,0xF7,0x63,0x64,0x06,0x01,0x10,0x04,0x18,0x0C,0x16,0x70,0x61,0x73,0x73,0x2E, -0x63,0x6F,0x6D,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x61,0x72,0x64,0x6D,0x61, -0x6E,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00, -0x03,0x82,0x01,0x01,0x00,0x9B,0xEF,0x1E,0xFF,0xEE,0xD5,0xFD,0x71,0x1A,0xF5,0x17, -0xFE,0x05,0xBA,0x30,0xFC,0xBD,0x6D,0x01,0xB0,0x0B,0x78,0x41,0x4B,0x76,0x71,0xD1, -0x8C,0xF0,0xCD,0xED,0xD9,0xAA,0xEC,0xAD,0x1D,0x4A,0x2D,0xCC,0x00,0x11,0x5B,0x1D, -0xD9,0xEF,0x08,0xA2,0x3D,0xEA,0xE9,0xBD,0x35,0x0B,0x1C,0x9F,0xE7,0xEB,0xC9,0xC9, -0xEA,0x99,0xCC,0x77,0x27,0xB9,0x01,0x09,0x72,0x40,0xBA,0xD4,0x26,0x54,0x8F,0x30, -0x84,0x7E,0x03,0x65,0xDA,0x08,0xB2,0x92,0xEE,0x61,0x4E,0x5F,0x00,0x39,0x48,0x2D, -0x99,0x83,0xB5,0xC4,0x33,0xB2,0xF7,0x62,0xCF,0x6A,0xBF,0xBB,0xB8,0x40,0x70,0xBF, -0x11,0xFF,0x7F,0xC1,0xC1,0x8D,0x1D,0x67,0x6C,0x87,0x02,0xE2,0x93,0x17,0x16,0xC3, -0xEC,0x5E,0x97,0xE4,0xDD,0x12,0xCC,0xB2,0xDD,0x91,0x51,0xA8,0x32,0x25,0x6D,0xF7, -0x55,0xB7,0x4A,0x8E,0x6B,0x90,0xCB,0x0F,0x4C,0x93,0x87,0x2A,0xD9,0x31,0xB8,0x1A, -0x16,0x12,0xBB,0x6E,0xFC,0xB0,0xAE,0xFB,0x93,0x76,0x63,0x37,0xB7,0x36,0x13,0x11, -0xC5,0x53,0x45,0xE0,0x0D,0xFF,0xAF,0x05,0x5F,0x67,0x51,0xE1,0x54,0x29,0xA2,0x1A, 
-0x7C,0x61,0xE0,0xC2,0xCD,0xAC,0xBE,0xEE,0xA6,0x4A,0xDC,0x92,0x95,0x48,0x41,0x2F, -0x37,0xC0,0x64,0x05,0xAA,0x4F,0x05,0xEE,0xE0,0x3F,0xA0,0x9F,0x43,0x6C,0xCC,0xD5, -0x97,0x64,0x6D,0x15,0x5B,0xB6,0xCD,0x2A,0xBC,0x18,0xDE,0xC7,0x94,0x80,0x2D,0x2B, -0x81,0x14,0xFC,0x48,0xF7,0xDF,0xCE,0x94,0xB3,0xFD,0xF5,0x7E,0x42,0x4D,0x33,0x58, -0x4D,0x7A,0x62,0x2E,0x61, -}; +#include "shared_regressions.h" static const unsigned char _USAirwaysCorrect_signature[] = { 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 
@@ -861,116 +687,23 @@ static void test_sig_verification(void) NULL, "create policy"); ok_status(SecCMSVerifySignedData(badSig, badManifest, policy, &trust, NULL, NULL, NULL), "verify signed data 3"); isnt(trust, NULL, "get trust"); + if (!trust) { goto errOut; } ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); ok(trustResult == kSecTrustResultRecoverableTrustFailure, "recoverable trustResult expected (ok)"); + +errOut: CFReleaseNull(trust); + CFReleaseNull(policy); CFRelease(badManifest); CFRelease(badSig); trust = NULL; } -static void tests(void) -{ - /* Aug 1st 2012. */ - CFDateRef date; - CFArrayRef policies; - SecPolicyRef policy; - SecTrustRef trust; - SecCertificateRef cert0, cert1; - CFMutableArrayRef certs; - SecTrustResultType trustResult; - - isnt(cert0 = SecCertificateCreateWithBytes(NULL, _leaf, sizeof(_leaf)), - NULL, "create cert0"); - isnt(cert1 = SecCertificateCreateWithBytes(NULL, _wwdrca, sizeof(_wwdrca)), - NULL, "create cert1"); - isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, - &kCFTypeArrayCallBacks), NULL, "create cert array"); - CFArrayAppendValue(certs, cert0); - CFArrayAppendValue(certs, cert1); - - /* Case 1: make sure known-good values cause policy to succeed */ - isnt(policy = SecPolicyCreatePassbookCardSigner(CFSTR("pass.com.apple.cardman"), CFSTR("A1B2C3D4E5")), - NULL, "create policy"); - policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks); - CFRelease(policy); - policy = NULL; - ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), - "create trust"); - CFRelease(policies); - policies = NULL; - isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2012, 8, 1, 12, 0, 0), - NULL, "create verify date"); - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - CFReleaseSafe(date); - date = NULL; - - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultUnspecified, "unspecified trustResult expected (ok)"); - 
CFRelease(trust); - trust = NULL; - - /* Case 2: make sure known-bad card identifier value causes policy to fail */ - isnt(policy = SecPolicyCreatePassbookCardSigner(CFSTR("pass.com.scuzzo.cardman"), CFSTR("A1B2C3D4E5")), - NULL, "create policy"); - policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks); - CFRelease(policy); - policy = NULL; - ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), - "create trust"); - CFRelease(policies); - policies = NULL; - isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2012, 8, 1, 12, 0, 0), - NULL, "create verify date"); - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - CFReleaseNull(date); - date = NULL; - - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultRecoverableTrustFailure, "recoverable trustResult expected (ok)"); - CFRelease(trust); - trust = NULL; - - /* Case 3: make sure known-bad teamID value causes policy to fail */ - isnt(policy = SecPolicyCreatePassbookCardSigner(CFSTR("pass.com.apple.cardman"), CFSTR("01B2C3D4E5")), - NULL, "create policy"); - policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks); - CFRelease(policy); - policy = NULL; - ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), - "create trust"); - CFRelease(policies); - policies = NULL; - isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2012, 8, 1, 12, 0, 0), - NULL, "create verify date"); - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - CFReleaseNull(date); - date = NULL; - - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultRecoverableTrustFailure, "recoverable trustResult expected (ok)"); - CFRelease(trust); - trust = NULL; - - test_sig_verification(); - - CFDateRef whenWritten = CFDateCreateForGregorianZuluDay(NULL, 2012, 5, 10); - - SecPolicyRef passbookPolicy = SecPolicyCreatePassbookCardSigner(CFSTR("com.apple.testcard"), 
- CFSTR("A1B2C3D4E5")); - - /* Run the tests. */ - runCertificateTestForDirectory(passbookPolicy, CFSTR("Passbook"), whenWritten); - - CFReleaseSafe(whenWritten); - CFReleaseSafe(passbookPolicy); -} - int si_24_sectrust_passbook(int argc, char *const *argv) { - plan_tests(30); + plan_tests(9); - tests(); + test_sig_verification(); return 0; } diff --git a/OSX/sec/Security/Regressions/secitem/si-25-sectrust-apple-authentication.c b/OSX/sec/Security/Regressions/secitem/si-25-sectrust-apple-authentication.c deleted file mode 100644 index f246ff33..00000000 --- a/OSX/sec/Security/Regressions/secitem/si-25-sectrust-apple-authentication.c +++ /dev/null 
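Review bot: The new `if (!trust) { goto errOut; }` bails out before the `ok_status(SecTrustEvaluate(...))` and `ok(trustResult == ...)` checks, yet `si_24_sectrust_passbook` still declares `plan_tests(9)`, so a NULL trust object would surface as a plan/count mismatch rather than as two clearly named failures; recording them before jumping keeps the plan honest, e.g. `if (!trust) { ok(0, "evaluate trust"); ok(0, "recoverable trustResult expected (ok)"); goto errOut; }`. The trailing `trust = NULL;` after `CFReleaseNull(trust)` looks redundant if CFReleaseNull nulls its argument as its name suggests, and it now sits after the label where `CFReleaseNull(policy)` already follows the same pattern. Note too that this hunk drops the three `SecPolicyCreatePassbookCardSigner` cases (known-good, bad pass type ID, bad team ID) without a replacement in view, so the regression no longer pins that a mismatched card identifier or team ID is rejected; if the fixture certificates were the reason, a comment such as `/* policy cases removed: _leaf/_wwdrca fixtures no longer validate -- TODO re-add with current certs */` would preserve the intent. The body of test_sig_verification starts before this hunk.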
@@ -1,700 +0,0 @@ -/* - * Copyright (c) 2008-2010,2012-2014 Apple Inc. All Rights Reserved. - * - */ - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecCertificate.h> -#include <Security/SecCertificatePriv.h> -#include <Security/SecPolicyPriv.h> -#include <Security/SecTrust.h> -#include <Security/SecInternal.h> -#include <utilities/array_size.h> -#include <utilities/SecCFWrappers.h> - -#include "Security_regressions.h" - -unsigned char _gsservice[1030] = { - 0x30, 0x82, 0x04, 0x02, 0x30, 0x82, 0x02, 0xea, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x52, 0xd0, 0x6f, 0xea, 0xaf, 0xdf, 0xb7, 0x01, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x6d, 0x31, 0x27, 0x30, 0x25, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x0c, 0x1e, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x20, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x43, 0x41, 0x31, 0x20, 0x30, - 0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x17, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x30, - 0x35, 0x31, 0x35, 0x30, 0x30, 0x32, 0x38, 0x34, 0x31, 0x5a, 0x17, 0x0d, - 0x31, 0x35, 0x30, 0x36, 0x31, 0x34, 0x30, 0x30, 0x32, 0x38, 0x34, 0x31, - 0x5a, 0x30, 0x49, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x0c, 0x0d, 0x67, 0x73, 0x61, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, - 0x63, 0x6f, 0x6d, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x0c, 0x04, 0x49, 0x53, 0x26, 0x54, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 
0x09, 0x06, 0x03, 0x55, 0x04, 0x06, - 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xa8, 0xf3, 0x31, 0x6a, 0x17, 0xd3, 0xa1, 0x1b, 0x68, 0x4f, 0x33, - 0x35, 0x88, 0x62, 0x74, 0xb7, 0x22, 0x42, 0x93, 0x3d, 0x1d, 0xbf, 0xb0, - 0x4c, 0x31, 0x7c, 0xc5, 0x94, 0xf9, 0x77, 0xfa, 0x82, 0x44, 0x45, 0x1d, - 0x72, 0x46, 0x79, 0x60, 0x64, 0x30, 0x01, 0xbc, 0x48, 0x63, 0x7b, 0x39, - 0x4e, 0x00, 0x14, 0x0b, 0x93, 0x4b, 0x9c, 0x5a, 0x58, 0x24, 0xbd, 0xb1, - 0xc3, 0xed, 0x46, 0xf1, 0x7f, 0x7f, 0x46, 0xaa, 0xfc, 0xd5, 0x1e, 0xd4, - 0xc0, 0x21, 0x4c, 0x06, 0x84, 0x99, 0x6b, 0x9a, 0x4d, 0x2e, 0xeb, 0xa4, - 0x03, 0xea, 0x6c, 0xb7, 0x1b, 0xfb, 0x14, 0xab, 0xba, 0x80, 0x53, 0x0d, - 0xb5, 0xc7, 0x27, 0xc6, 0xa1, 0x2e, 0x3b, 0x5b, 0x9a, 0xa4, 0xe5, 0xc4, - 0x89, 0x4f, 0x75, 0xd8, 0x72, 0xd0, 0x63, 0x44, 0x84, 0xd2, 0xae, 0x76, - 0xf5, 0xcf, 0xad, 0x8e, 0x3e, 0xa2, 0xc4, 0x96, 0xe8, 0x19, 0xbc, 0xe9, - 0x91, 0xad, 0xed, 0xf6, 0x04, 0x19, 0x7f, 0xe0, 0x58, 0xf0, 0x77, 0x06, - 0x06, 0xef, 0xf7, 0x11, 0x16, 0xe7, 0x42, 0x3b, 0x99, 0x87, 0x34, 0x0b, - 0x6d, 0xb7, 0x87, 0x79, 0x4c, 0x4b, 0x0a, 0xba, 0xfd, 0x8d, 0x2b, 0x77, - 0xb9, 0x08, 0xee, 0x61, 0x51, 0x52, 0x86, 0xc1, 0xff, 0x1e, 0x8e, 0xc5, - 0x81, 0xcd, 0xb8, 0x95, 0x0a, 0x40, 0xf8, 0x53, 0x99, 0x44, 0x64, 0xcb, - 0x87, 0x7b, 0xf0, 0xf2, 0x9b, 0x89, 0x46, 0x15, 0xbd, 0x1a, 0x18, 0x0a, - 0x01, 0x0d, 0xae, 0x88, 0xc2, 0x82, 0x6a, 0x45, 0xe1, 0xf4, 0x9e, 0x88, - 0x6f, 0x2f, 0xec, 0x2f, 0xa3, 0x15, 0x0d, 0x91, 0xe6, 0x49, 0x6b, 0xca, - 0xa4, 0x95, 0x29, 0x9c, 0x07, 0xcb, 0x79, 0x80, 0xf3, 0x38, 0x9b, 0xdc, - 0x47, 0x8d, 0xde, 0x85, 0xd7, 0x7c, 0x2e, 0xa7, 0xf5, 0x1e, 0x91, 0xe0, - 0xb7, 0xbe, 0x6a, 0x46, 0x31, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, - 0xc9, 0x30, 0x81, 0xc6, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, - 0x16, 0x04, 0x14, 0x59, 0x6d, 0xaa, 
0x5e, 0x68, 0x7b, 0x33, 0xfa, 0x9d, - 0xab, 0xd0, 0x53, 0xc2, 0xa6, 0xf5, 0x33, 0x27, 0xf4, 0x44, 0x45, 0x30, - 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, - 0x00, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, - 0x80, 0x14, 0x2c, 0xc5, 0x6d, 0x52, 0xdd, 0x31, 0xef, 0x8c, 0xec, 0x08, - 0x81, 0xed, 0xdf, 0xdc, 0xca, 0x43, 0x00, 0x45, 0x01, 0xd0, 0x30, 0x3c, - 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x35, 0x30, 0x33, 0x30, 0x31, 0xa0, - 0x2f, 0xa0, 0x2d, 0x86, 0x2b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x63, 0x72, 0x6c, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x61, 0x75, 0x74, 0x68, 0x63, 0x61, 0x31, 0x2e, 0x63, 0x72, 0x6c, - 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, - 0x03, 0x02, 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, - 0x01, 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x03, 0x01, 0x30, 0x10, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x63, 0x64, 0x06, 0x1b, 0x02, 0x04, 0x02, 0x05, 0x00, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x71, 0x84, 0xf8, 0x3e, 0x59, 0x9e, - 0xea, 0xbb, 0x8e, 0x6d, 0xd8, 0x8f, 0x4e, 0xb1, 0xef, 0x93, 0xa5, 0x4a, - 0x78, 0x4b, 0x86, 0x1e, 0x97, 0xe5, 0xe4, 0x04, 0x32, 0x12, 0x8d, 0xcb, - 0xbb, 0xba, 0x48, 0xe1, 0xee, 0x74, 0x60, 0x86, 0xc2, 0xdb, 0x26, 0xc1, - 0x7a, 0x42, 0x1c, 0x05, 0xa9, 0x70, 0x04, 0x22, 0xa3, 0x87, 0xf6, 0x74, - 0xca, 0x86, 0x10, 0x32, 0xa2, 0x42, 0x2e, 0x5d, 0x62, 0x5d, 0xdb, 0x1c, - 0x6c, 0x88, 0xcb, 0xbe, 0x1a, 0x61, 0xe4, 0x80, 0x63, 0x8b, 0x8d, 0xe3, - 0x10, 0xda, 0x4b, 0x77, 0xad, 0x54, 0x26, 0x35, 0x5a, 0x07, 0xdd, 0x3c, - 0x05, 0x15, 0xcc, 0x16, 0xd2, 0xf1, 0xe6, 0xd3, 0x8b, 0xc6, 0x0a, 0x4c, - 0x71, 0x88, 0x5a, 0x2c, 0xcf, 0xd9, 0x86, 0x85, 0x9d, 0x8e, 0xba, 0xe6, - 0x9a, 0xd9, 0xb0, 0xcd, 0x03, 0xf7, 
0x5d, 0xa2, 0x85, 0x95, 0xe3, 0x47, - 0x40, 0x73, 0x4b, 0xf7, 0x32, 0xe1, 0xc5, 0x37, 0x5e, 0xc3, 0x1f, 0xf0, - 0x04, 0x00, 0xa5, 0x1c, 0xe3, 0xd7, 0x75, 0x65, 0xc1, 0xa0, 0x69, 0x56, - 0xd0, 0xae, 0xa1, 0xda, 0xd3, 0xa5, 0x4c, 0x24, 0x17, 0x63, 0xd0, 0xe8, - 0x72, 0x51, 0xeb, 0x03, 0x51, 0xed, 0x33, 0x07, 0x20, 0x49, 0x41, 0xd7, - 0xa8, 0xa9, 0x82, 0x19, 0x07, 0x82, 0x19, 0xf8, 0xca, 0x63, 0x42, 0x5c, - 0xa6, 0x97, 0x13, 0x46, 0x6c, 0xfa, 0xd5, 0xcb, 0x73, 0x46, 0xd2, 0x34, - 0xf5, 0xc8, 0x1c, 0x4f, 0x59, 0x93, 0xda, 0x3c, 0x68, 0xc0, 0xe4, 0xbb, - 0xbe, 0x2f, 0x72, 0x7b, 0x80, 0x96, 0xf3, 0x34, 0xc4, 0x22, 0x28, 0xfa, - 0x99, 0x1a, 0x95, 0xb6, 0x8a, 0x08, 0x0c, 0xeb, 0x92, 0xa4, 0x74, 0x6b, - 0xd6, 0xfe, 0x85, 0xa5, 0xa5, 0xbc, 0x8f, 0xbc, 0x16, 0x86, 0x20, 0x8c, - 0xe5, 0xd0, 0xf0, 0xaa, 0xa3, 0x34, 0x62, 0x15, 0x7f, 0xae -}; - -#if 0 -unsigned char _apnservice[1] = { - 0 -}; -#endif - -unsigned char _apnserviceLegacy[1319] = { - 0x30, 0x82, 0x05, 0x23, 0x30, 0x82, 0x04, 0x0b, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x04, 0x4c, 0x21, 0xdf, 0x34, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, - 0xb1, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0d, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2c, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x31, 0x39, 0x30, 0x37, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, - 0x30, 0x77, 0x77, 0x77, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, - 0x2e, 0x6e, 0x65, 0x74, 0x2f, 0x72, 0x70, 0x61, 0x20, 0x69, 0x73, 0x20, - 0x69, 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x65, 0x64, - 0x20, 0x62, 0x79, 0x20, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, - 0x65, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x16, - 0x28, 0x63, 0x29, 0x20, 0x32, 0x30, 0x30, 0x39, 0x20, 0x45, 0x6e, 0x74, - 0x72, 0x75, 0x73, 0x74, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, - 0x30, 0x2c, 
0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x45, 0x6e, 0x74, - 0x72, 0x75, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x79, 0x20, 0x2d, 0x20, 0x4c, 0x31, 0x43, 0x30, 0x1e, - 0x17, 0x0d, 0x31, 0x34, 0x30, 0x31, 0x32, 0x31, 0x30, 0x31, 0x35, 0x34, - 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x31, 0x32, 0x31, 0x30, - 0x36, 0x30, 0x31, 0x31, 0x39, 0x5a, 0x30, 0x6c, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, - 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, - 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, - 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, - 0x6e, 0x6f, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, - 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x16, 0x63, 0x6f, - 0x75, 0x72, 0x69, 0x65, 0x72, 0x2e, 0x70, 0x75, 0x73, 0x68, 0x2e, 0x61, - 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, - 0x02, 0x82, 0x01, 0x01, 0x00, 0xbc, 0xa5, 0x87, 0x51, 0x14, 0xd2, 0x37, - 0xd9, 0xc7, 0xe0, 0x62, 0xc7, 0x73, 0x60, 0x2e, 0x5f, 0x38, 0x7f, 0xc4, - 0x1a, 0x58, 0xe8, 0x0b, 0xb5, 0xd0, 0x79, 0xb5, 0xe7, 0xda, 0x22, 0x14, - 0xf1, 0xa1, 0xb8, 0xe0, 0x28, 0x28, 0xa9, 0x58, 0x43, 0x31, 0x6d, 0x0a, - 0x5f, 0x45, 0x32, 0x0f, 0xb6, 0x9d, 0x23, 0x79, 0x91, 0xa2, 0xb0, 0xa4, - 0x7a, 0x6f, 0xf4, 0xf4, 0x18, 0x7b, 0x22, 0xfe, 0x46, 0x96, 0xe7, 0x3a, - 0xbf, 0xb3, 0xab, 0x4b, 0x29, 0xb1, 0x0e, 0xa0, 0xd4, 0x7c, 0x34, 0x19, - 0x5d, 0x61, 0x1a, 0xe4, 0x5a, 0x64, 0xa5, 0xf1, 0xed, 0x4a, 0x18, 0xa0, - 0x4f, 0x78, 0xfa, 0x10, 0x2c, 0x21, 0x13, 0xed, 0x8e, 0x8d, 0xa6, 0x61, - 0x04, 0x0d, 
0xb9, 0xc0, 0x9c, 0xc4, 0x54, 0xeb, 0x37, 0xa2, 0x38, 0xad, - 0xca, 0x7d, 0x5f, 0xac, 0x47, 0xc9, 0x60, 0xf0, 0x81, 0xa6, 0x4c, 0x68, - 0xf0, 0xa1, 0x7f, 0x45, 0xa4, 0x18, 0xc9, 0x64, 0x8c, 0xfd, 0x83, 0xb8, - 0xa9, 0xdc, 0xbd, 0x23, 0xae, 0x90, 0x70, 0xef, 0x8f, 0x42, 0xf4, 0x28, - 0x35, 0x1a, 0xfa, 0xee, 0x34, 0x3f, 0x25, 0x35, 0x20, 0x9c, 0x52, 0xfd, - 0x4d, 0xf6, 0x5c, 0xe8, 0x66, 0x53, 0xb9, 0x40, 0xd1, 0x37, 0x39, 0x69, - 0x71, 0xc4, 0x90, 0x5f, 0xa7, 0x3c, 0x65, 0xae, 0x3e, 0xf3, 0x32, 0x86, - 0x45, 0x3f, 0xbe, 0x9a, 0xd9, 0x84, 0x6b, 0x13, 0xd0, 0x02, 0x8a, 0x64, - 0x99, 0xf8, 0x71, 0x10, 0x06, 0xe1, 0xc9, 0x43, 0xaf, 0x26, 0x85, 0xbd, - 0x98, 0x67, 0xe5, 0x31, 0x26, 0x03, 0x03, 0xdd, 0x85, 0x06, 0x5e, 0xc3, - 0x6e, 0xd8, 0x31, 0x25, 0x15, 0x7b, 0x4a, 0x05, 0x23, 0xdb, 0xfe, 0xc1, - 0xb8, 0x1c, 0x80, 0xff, 0x2e, 0x8c, 0x14, 0xce, 0x57, 0x70, 0x09, 0x48, - 0xa2, 0xd6, 0xd9, 0xb0, 0x96, 0xe6, 0x27, 0x31, 0x37, 0x02, 0x03, 0x01, - 0x00, 0x01, 0xa3, 0x82, 0x01, 0x85, 0x30, 0x82, 0x01, 0x81, 0x30, 0x0b, - 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, - 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x33, 0x06, 0x03, 0x55, 0x1d, - 0x1f, 0x04, 0x2c, 0x30, 0x2a, 0x30, 0x28, 0xa0, 0x26, 0xa0, 0x24, 0x86, - 0x22, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, - 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x2f, - 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x31, 0x63, 0x2e, 0x63, 0x72, 0x6c, 0x30, - 0x64, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, - 0x58, 0x30, 0x56, 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, - 0x07, 0x30, 0x01, 0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, - 0x2e, 0x6e, 0x65, 0x74, 0x30, 0x2f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 
0x30, 0x02, 0x86, 0x23, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, - 0x2f, 0x61, 0x69, 0x61, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, - 0x2e, 0x6e, 0x65, 0x74, 0x2f, 0x32, 0x30, 0x34, 0x38, 0x2d, 0x6c, 0x31, - 0x63, 0x2e, 0x63, 0x65, 0x72, 0x30, 0x4a, 0x06, 0x03, 0x55, 0x1d, 0x20, - 0x04, 0x43, 0x30, 0x41, 0x30, 0x35, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf6, 0x7d, 0x07, 0x4b, 0x02, 0x30, 0x28, 0x30, 0x26, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x1a, 0x68, 0x74, 0x74, - 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x65, 0x6e, 0x74, 0x72, - 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x2f, 0x72, 0x70, 0x61, 0x30, - 0x08, 0x06, 0x06, 0x67, 0x81, 0x0c, 0x01, 0x02, 0x02, 0x30, 0x21, 0x06, - 0x03, 0x55, 0x1d, 0x11, 0x04, 0x1a, 0x30, 0x18, 0x82, 0x16, 0x63, 0x6f, - 0x75, 0x72, 0x69, 0x65, 0x72, 0x2e, 0x70, 0x75, 0x73, 0x68, 0x2e, 0x61, - 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1f, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x1e, 0xf1, 0xab, - 0x89, 0x06, 0xf8, 0x49, 0x0f, 0x01, 0x33, 0x77, 0xee, 0x14, 0x7a, 0xee, - 0x19, 0x7c, 0x93, 0x28, 0x4d, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, - 0x04, 0x16, 0x04, 0x14, 0xb7, 0x39, 0x7c, 0x4e, 0x5e, 0x30, 0xf5, 0x1a, - 0xcf, 0xfc, 0x32, 0xea, 0xc4, 0x62, 0x99, 0x39, 0x11, 0x46, 0x97, 0xc1, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x02, 0x52, 0xbe, 0x76, 0xb9, - 0x87, 0x6d, 0x50, 0xf2, 0x0a, 0x3f, 0xeb, 0x6c, 0xd2, 0xe0, 0x5c, 0xf6, - 0xff, 0xe8, 0xe0, 0x9c, 0x73, 0x08, 0xab, 0x25, 0xb8, 0xdc, 0x10, 0x21, - 0x2e, 0xf4, 0x9d, 0x48, 0xe4, 0xfd, 0xc7, 0x08, 0x82, 0x3f, 0x20, 0xac, - 0x80, 0x14, 0x78, 0x64, 0xe3, 0xd2, 0x26, 0xc4, 0x3f, 0x8f, 0x4f, 0x5d, - 0xdc, 0x17, 0xda, 0x37, 0x54, 0x40, 0xe2, 0x5b, 0x9b, 0x74, 0x44, 0xfc, - 0x06, 0x27, 0xe6, 0xf3, 0x4d, 0x3b, 0xd7, 0x11, 0x34, 0x36, 0x75, 0xc9, - 0xf9, 0xd9, 
0x78, 0x5c, 0x68, 0xc8, 0x9b, 0xe2, 0xaa, 0x33, 0x5b, 0x91, - 0x6f, 0x83, 0x37, 0xbd, 0x5d, 0x32, 0x25, 0xdf, 0xba, 0x5c, 0x7d, 0xa8, - 0x4a, 0x39, 0x13, 0x97, 0x4e, 0x3e, 0x92, 0x10, 0x73, 0x48, 0x58, 0x70, - 0x50, 0x41, 0x14, 0xa4, 0x31, 0x8a, 0x1b, 0x25, 0xa7, 0x69, 0xaa, 0x70, - 0x12, 0x1b, 0x88, 0xc8, 0xf8, 0xa7, 0x2f, 0xad, 0xf7, 0xfb, 0xa6, 0x2c, - 0x03, 0xe7, 0xc0, 0x6d, 0x66, 0x4a, 0x07, 0xc8, 0x5a, 0x40, 0xb2, 0x74, - 0xcb, 0xe8, 0x84, 0x05, 0xaf, 0x76, 0x71, 0x05, 0x5d, 0x9e, 0x84, 0x49, - 0x06, 0x90, 0x65, 0xeb, 0xf7, 0x7c, 0xeb, 0x28, 0x1d, 0x19, 0x6d, 0x08, - 0x05, 0xbe, 0x09, 0x21, 0x8a, 0x8f, 0x67, 0xcb, 0x74, 0x7e, 0x9a, 0x4a, - 0x1a, 0x3c, 0x50, 0xe9, 0x64, 0x7f, 0x33, 0x85, 0x98, 0x9d, 0x6e, 0x03, - 0xf1, 0x22, 0x50, 0xf7, 0xa4, 0xc2, 0xce, 0xab, 0x13, 0xb8, 0x42, 0xda, - 0x47, 0x6a, 0x89, 0xfd, 0xd6, 0x2b, 0xe1, 0x64, 0xb7, 0x4e, 0x99, 0x2d, - 0xaa, 0xab, 0x39, 0xc3, 0x7e, 0x94, 0x9f, 0x5e, 0x63, 0x9c, 0x9c, 0xc9, - 0x51, 0xbb, 0x25, 0x0c, 0x66, 0xd4, 0x98, 0x0e, 0x2c, 0xa5, 0xcd, 0xdf, - 0x0a, 0xaa, 0x55, 0x1b, 0xf4, 0xab, 0x52, 0x7d, 0x18, 0xcb, 0x11 -}; - -unsigned char _idsservice[1165] = { - 0x30, 0x82, 0x04, 0x89, 0x30, 0x82, 0x03, 0x71, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x3f, 0x12, 0x55, 0x6e, 0x83, 0x66, 0x49, 0xaf, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x6d, 0x31, 0x27, 0x30, 0x25, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x0c, 0x1e, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x20, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x43, 0x41, 0x31, 0x20, 0x30, - 0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x17, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 
0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, - 0x34, 0x32, 0x32, 0x30, 0x34, 0x30, 0x39, 0x34, 0x31, 0x5a, 0x17, 0x0d, - 0x31, 0x36, 0x30, 0x35, 0x32, 0x31, 0x30, 0x34, 0x30, 0x39, 0x34, 0x31, - 0x5a, 0x30, 0x57, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x0c, 0x0f, 0x73, 0x63, 0x35, 0x6d, 0x76, 0x2e, 0x61, 0x70, 0x70, 0x6c, - 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, - 0x04, 0x0b, 0x0c, 0x10, 0x49, 0x53, 0x47, 0x20, 0x44, 0x65, 0x6c, 0x69, - 0x76, 0x65, 0x72, 0x79, 0x20, 0x4f, 0x70, 0x73, 0x31, 0x13, 0x30, 0x11, - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, - 0x01, 0x01, 0x00, 0xc6, 0xcb, 0xa5, 0x72, 0x45, 0xe2, 0x88, 0xc4, 0x9e, - 0x17, 0x57, 0x79, 0x05, 0x84, 0x1d, 0x36, 0xa3, 0x61, 0xf8, 0xb6, 0x35, - 0x41, 0x5b, 0xff, 0xf7, 0xe3, 0x46, 0x06, 0x2b, 0xf6, 0x66, 0x9a, 0x54, - 0x2c, 0x4a, 0xa3, 0x98, 0xed, 0xb0, 0xcc, 0x9b, 0xc3, 0xd4, 0x2f, 0x62, - 0x66, 0x18, 0x04, 0x87, 0x42, 0x66, 0x55, 0x64, 0x94, 0xe3, 0xdd, 0xd6, - 0x1c, 0x20, 0xbe, 0xe8, 0x58, 0xfc, 0x3c, 0x13, 0x18, 0xa4, 0x50, 0xa5, - 0xe5, 0x63, 0xf7, 0x04, 0xfd, 0x13, 0x14, 0x0b, 0xf6, 0x5f, 0x80, 0x6c, - 0xd7, 0xc1, 0xb5, 0xaf, 0xc7, 0xc9, 0xd7, 0xf2, 0xac, 0xd4, 0xf1, 0xe0, - 0x54, 0x35, 0x70, 0x7f, 0x17, 0x81, 0xef, 0x1c, 0x2b, 0x99, 0x63, 0xc3, - 0x2b, 0xd6, 0x13, 0x02, 0xda, 0x0b, 0x3b, 0xda, 0xfd, 0x92, 0x16, 0x1a, - 0xe4, 0x78, 0xa8, 0x1c, 0xb4, 0xa4, 0xd3, 0x9a, 0x3e, 0x76, 0x86, 0xe5, - 0x34, 0xa2, 0xba, 0x25, 0x30, 0x35, 0xa6, 0x04, 0xa8, 0xa6, 0xbf, 0xf8, - 0x98, 0x5f, 0xc9, 0x91, 0xaa, 0xc3, 0x18, 0x13, 0x01, 0xc0, 0x47, 0xc2, - 0x97, 0xf4, 0x5e, 0x3e, 0x62, 0x57, 0xad, 0xe5, 
0x3a, 0x5d, 0x46, 0x3f, - 0xc3, 0x96, 0x5e, 0x89, 0xe2, 0x60, 0x27, 0x26, 0x83, 0xb0, 0x01, 0xdf, - 0x4e, 0x69, 0x4c, 0x08, 0x21, 0xbc, 0x0d, 0xb0, 0x44, 0xae, 0x20, 0xcf, - 0xef, 0xa7, 0x01, 0xd8, 0x4c, 0x5c, 0xfa, 0x49, 0xb5, 0x97, 0x08, 0xf3, - 0x4b, 0x1f, 0xba, 0x5e, 0x3f, 0x4b, 0x02, 0xe2, 0x28, 0x06, 0x83, 0x92, - 0x66, 0x47, 0x8a, 0xdc, 0x19, 0x34, 0xb1, 0x58, 0xec, 0xf3, 0xff, 0x59, - 0x78, 0x8e, 0x05, 0x11, 0x0d, 0x2a, 0x4f, 0xad, 0xd2, 0x2f, 0xf6, 0x84, - 0x1e, 0xdf, 0xbb, 0xad, 0x62, 0x9a, 0x29, 0x4c, 0xcc, 0x63, 0xd7, 0xd2, - 0x16, 0xd1, 0xa1, 0xca, 0x06, 0xc3, 0xe9, 0x02, 0x03, 0x01, 0x00, 0x01, - 0xa3, 0x82, 0x01, 0x41, 0x30, 0x82, 0x01, 0x3d, 0x30, 0x1d, 0x06, 0x03, - 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xe4, 0x66, 0xa1, 0x55, 0x5d, - 0x18, 0x41, 0xbf, 0x9f, 0xed, 0x9e, 0xd5, 0xec, 0xf6, 0xe8, 0x46, 0x8c, - 0xf4, 0x0e, 0xb3, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, - 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, - 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x2c, 0xc5, 0x6d, 0x52, 0xdd, 0x31, - 0xef, 0x8c, 0xec, 0x08, 0x81, 0xed, 0xdf, 0xdc, 0xca, 0x43, 0x00, 0x45, - 0x01, 0xd0, 0x30, 0x3c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x35, 0x30, - 0x33, 0x30, 0x31, 0xa0, 0x2f, 0xa0, 0x2d, 0x86, 0x2b, 0x68, 0x74, 0x74, - 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x61, 0x70, 0x70, 0x6c, - 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x73, - 0x65, 0x72, 0x76, 0x65, 0x72, 0x61, 0x75, 0x74, 0x68, 0x63, 0x61, 0x31, - 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, - 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x13, 0x06, 0x03, - 0x55, 0x1d, 0x25, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, - 0x05, 0x05, 0x07, 0x03, 0x01, 0x30, 0x77, 0x06, 0x03, 0x55, 0x1d, 0x11, - 0x04, 0x70, 0x30, 0x6e, 0x82, 0x0f, 0x73, 0x63, 0x35, 0x6d, 0x76, 0x2e, - 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x0f, 0x70, - 0x73, 0x32, 0x6c, 0x73, 0x2e, 0x61, 0x70, 0x70, 
0x6c, 0x65, 0x2e, 0x63, - 0x6f, 0x6d, 0x82, 0x14, 0x76, 0x65, 0x6e, 0x69, 0x63, 0x65, 0x2d, 0x71, - 0x61, 0x31, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, - 0x82, 0x14, 0x76, 0x65, 0x6e, 0x69, 0x63, 0x65, 0x2d, 0x71, 0x61, 0x32, - 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x0e, - 0x76, 0x65, 0x6e, 0x31, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, - 0x6f, 0x6d, 0x82, 0x0e, 0x76, 0x65, 0x6e, 0x32, 0x2e, 0x61, 0x70, 0x70, - 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x11, 0x06, 0x0b, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x63, 0x64, 0x06, 0x1b, 0x04, 0x01, 0x04, 0x02, 0x05, - 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8a, 0x5a, 0xb4, - 0xc5, 0xb7, 0x7c, 0xc0, 0xa8, 0x08, 0x18, 0xa1, 0x46, 0x03, 0x1c, 0x86, - 0x4c, 0x37, 0x0a, 0x11, 0xe8, 0x8e, 0x69, 0x52, 0x8b, 0xb1, 0x10, 0xf7, - 0x8d, 0xae, 0xcd, 0x14, 0x6a, 0xf0, 0xd0, 0x9e, 0x92, 0x52, 0x83, 0x5e, - 0x1d, 0x12, 0xa2, 0x16, 0x9e, 0x79, 0x4c, 0xfe, 0x54, 0x4f, 0x00, 0x66, - 0x38, 0x5a, 0xab, 0x34, 0xeb, 0xb4, 0x28, 0xb1, 0x75, 0xd1, 0xef, 0x3d, - 0x79, 0xad, 0x56, 0x07, 0x4d, 0x57, 0xdf, 0x05, 0x32, 0xc4, 0x91, 0x7a, - 0x7d, 0x4f, 0x7e, 0xe2, 0xa6, 0xca, 0xd3, 0x70, 0xfb, 0x8a, 0x7f, 0x84, - 0xaa, 0x21, 0xa0, 0x5f, 0x29, 0x6f, 0x78, 0x08, 0x14, 0xda, 0xb9, 0xa8, - 0xb8, 0xea, 0x3f, 0x77, 0xf0, 0x5f, 0x0f, 0xc7, 0xc0, 0x0a, 0x68, 0xf4, - 0x41, 0x4d, 0xb3, 0xac, 0xd2, 0xf4, 0xdb, 0x6e, 0xea, 0x91, 0xee, 0x22, - 0xdc, 0x8d, 0xc8, 0x98, 0x59, 0x95, 0xec, 0x6f, 0x8a, 0x91, 0x3e, 0xe5, - 0x55, 0x0f, 0x3f, 0xbe, 0x1b, 0xd9, 0x69, 0x6e, 0x8d, 0x97, 0x58, 0x5c, - 0x73, 0x4b, 0x80, 0x13, 0x40, 0xdc, 0x0e, 0x8d, 0x32, 0xea, 0x60, 0x58, - 0x3d, 0x3a, 0x71, 0xff, 0xd7, 0x3c, 0xde, 0xd4, 0xcc, 0x61, 0xd9, 0x7c, - 0xa6, 0xfa, 0x39, 0x66, 0xcd, 0x91, 0xef, 0xea, 0xec, 0xe0, 0x9e, 0xd5, - 0xd0, 0x24, 0x2d, 0xe3, 0xb1, 0x39, 0x3f, 0x4e, 0xbd, 0x1a, 0xc5, 0x6a, - 0x24, 0xd9, 0x34, 0xb6, 0xbc, 0xe7, 0x4c, 0x16, 
0xe2, 0xc1, 0xfb, 0x83, - 0xc7, 0x49, 0x77, 0x56, 0x3c, 0x9f, 0x7d, 0xf9, 0x2c, 0xc4, 0x8e, 0x8e, - 0x15, 0xc5, 0x2f, 0xd3, 0xfe, 0x6a, 0x21, 0xbb, 0x0a, 0x1b, 0xd2, 0x50, - 0xd2, 0x15, 0x2f, 0x21, 0x86, 0xd7, 0x51, 0x7f, 0xcd, 0xe9, 0xfe, 0x6a, - 0xa7, 0x4d, 0x07, 0x23, 0x48, 0x53, 0xa7, 0x32, 0x06, 0x77, 0x53, 0x4f, - 0x9d -}; - -unsigned char _server_auth[1020] = { - 0x30, 0x82, 0x03, 0xf8, 0x30, 0x82, 0x02, 0xe0, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x23, 0x69, 0x74, 0x04, 0xad, 0xcb, 0x83, 0x14, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x62, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, - 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x13, 0x0d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, - 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, - 0x30, 0x33, 0x30, 0x38, 0x30, 0x31, 0x35, 0x33, 0x30, 0x34, 0x5a, 0x17, - 0x0d, 0x32, 0x39, 0x30, 0x33, 0x30, 0x38, 0x30, 0x31, 0x35, 0x33, 0x30, - 0x34, 0x5a, 0x30, 0x6d, 0x31, 0x27, 0x30, 0x25, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x0c, 0x1e, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x20, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x43, 0x41, 0x31, 0x20, 0x30, - 0x1e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x17, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 
- 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, - 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, - 0x01, 0x00, 0xb9, 0x26, 0x16, 0xb0, 0xcb, 0x87, 0xab, 0x71, 0x15, 0x92, - 0x8e, 0xdf, 0xaa, 0x3e, 0xe1, 0x80, 0xd7, 0x53, 0xba, 0xa4, 0x60, 0xcc, - 0x7c, 0x85, 0x72, 0xf7, 0x30, 0x7c, 0x09, 0x4f, 0x57, 0x0d, 0x4a, 0xff, - 0xe1, 0x5e, 0xc9, 0x4b, 0x50, 0x13, 0x02, 0x64, 0xb1, 0xbd, 0x39, 0x35, - 0xd1, 0xd7, 0x04, 0x51, 0xc1, 0x18, 0xfa, 0x22, 0xfa, 0xae, 0xdf, 0x98, - 0x18, 0xd6, 0xbf, 0x4e, 0x4d, 0x43, 0x10, 0xfa, 0x25, 0x88, 0x9f, 0xd3, - 0x40, 0x85, 0x76, 0xe5, 0x22, 0x81, 0xb6, 0x54, 0x45, 0x73, 0x9a, 0x8b, - 0xe3, 0x9c, 0x48, 0x1a, 0x86, 0x7a, 0xc3, 0x51, 0xe2, 0xda, 0x95, 0xf8, - 0xa4, 0x7d, 0xdb, 0x30, 0xde, 0x6c, 0x0e, 0xc4, 0xc5, 0xf5, 0x6c, 0x98, - 0xe7, 0xa6, 0xfa, 0x57, 0x20, 0x1d, 0x19, 0x73, 0x7a, 0x0e, 0xcd, 0x63, - 0x0f, 0xb7, 0x27, 0x88, 0x2e, 0xe1, 0x9a, 0x68, 0x82, 0xb8, 0x40, 0x6c, - 0x63, 0x16, 0x24, 0x66, 0x2b, 0xe7, 0xb2, 0xe2, 0x54, 0x7d, 0xe7, 0x88, - 0x39, 0xa2, 0x1b, 0x81, 0x3e, 0x02, 0xd3, 0x39, 0xd8, 0x97, 0x77, 0x4a, - 0x32, 0x0c, 0xd6, 0x0a, 0x0a, 0xb3, 0x04, 0x9b, 0xf1, 0x72, 0x6f, 0x63, - 0xa8, 0x15, 0x1e, 0x6c, 0x37, 0xe8, 0x0f, 0xdb, 0x53, 0x90, 0xd6, 0x29, - 0x5c, 0xbc, 0x6a, 0x57, 0x9b, 0x46, 0x78, 0x0a, 0x3e, 0x24, 0xea, 0x9a, - 0x3f, 0xa1, 0xd8, 0x3f, 0xf5, 0xdb, 0x6e, 0xa8, 0x6c, 0x82, 0xb5, 0xdd, - 0x99, 0x38, 0xec, 0x92, 0x56, 0x94, 0xa6, 0xc5, 0x73, 0x26, 0xd1, 0xae, - 0x08, 0xb2, 0xc6, 0x52, 0xe7, 0x8e, 0x76, 0x4b, 0x89, 0xb8, 0x54, 0x0f, - 0x6e, 0xe0, 0xd9, 0x42, 0xdb, 0x2a, 0x65, 0x87, 0x46, 0x14, 0xbb, 0x96, - 0xb8, 0x57, 0xbb, 0x51, 0xe6, 0x84, 0x13, 0xf7, 0x0d, 0xa1, 0xb6, 0x89, - 0xac, 0x7c, 0xd1, 0x21, 0x74, 0xab, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x81, 0xa6, 0x30, 0x81, 0xa3, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, - 
0x04, 0x16, 0x04, 0x14, 0x2c, 0xc5, 0x6d, 0x52, 0xdd, 0x31, 0xef, 0x8c, - 0xec, 0x08, 0x81, 0xed, 0xdf, 0xdc, 0xca, 0x43, 0x00, 0x45, 0x01, 0xd0, - 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, - 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, - 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x2b, 0xd0, 0x69, 0x47, 0x94, 0x76, - 0x09, 0xfe, 0xf4, 0x6b, 0x8d, 0x2e, 0x40, 0xa6, 0xf7, 0x47, 0x4d, 0x7f, - 0x08, 0x5e, 0x30, 0x2e, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x27, 0x30, - 0x25, 0x30, 0x23, 0xa0, 0x21, 0xa0, 0x1f, 0x86, 0x1d, 0x68, 0x74, 0x74, - 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x61, 0x70, 0x70, 0x6c, - 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x63, - 0x72, 0x6c, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, - 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x10, 0x06, 0x0a, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x63, 0x64, 0x06, 0x02, 0x0c, 0x04, 0x02, 0x05, 0x00, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x23, 0xf1, 0x06, 0x7e, - 0x50, 0x41, 0x81, 0xa2, 0x5e, 0xd3, 0x70, 0xa4, 0x49, 0x91, 0xaf, 0xd8, - 0xcc, 0x67, 0x8c, 0xa1, 0x25, 0x7d, 0xc4, 0x9a, 0x93, 0x39, 0x2f, 0xd8, - 0x69, 0xfb, 0x1b, 0x41, 0x5b, 0x44, 0xd7, 0xd9, 0x6b, 0xcb, 0x3b, 0x25, - 0x09, 0x1a, 0xf2, 0xf4, 0xe3, 0xc7, 0x9c, 0xe8, 0xb0, 0x5b, 0xf0, 0xdf, - 0xdd, 0x22, 0x25, 0x11, 0x15, 0x93, 0xb9, 0x49, 0x5e, 0xda, 0x0c, 0x66, - 0x7a, 0x5e, 0xd7, 0x6f, 0xf0, 0x63, 0xd4, 0x65, 0x8c, 0xc4, 0x7a, 0x54, - 0x7d, 0x56, 0x4f, 0x65, 0x9a, 0xfd, 0xda, 0xc4, 0xb2, 0xc8, 0xb0, 0xb8, - 0xa1, 0xcb, 0x7d, 0xe0, 0x47, 0xa8, 0x40, 0x15, 0xb8, 0x16, 0x19, 0xed, - 0x5b, 0x61, 0x8e, 0xdf, 0xaa, 0xd0, 0xcd, 0xd2, 0x3a, 0xc0, 0x7e, 0x3a, - 0x9f, 0x22, 0x4e, 0xdf, 0xdf, 0xf4, 0x4e, 0x1a, 0xcd, 0x93, 0xff, 0xd0, - 0xf0, 0x45, 0x55, 0x64, 0x33, 0x3e, 0xd4, 0xe5, 0xda, 0x68, 0xa0, 0x13, - 0x8a, 0x76, 0x30, 0x27, 0xd4, 0xbf, 0xf8, 0x1e, 0x76, 0xf6, 0xf9, 0xc3, - 
0x00, 0xef, 0xb1, 0x83, 0xea, 0x53, 0x6d, 0x5c, 0x35, 0xc7, 0x0d, 0x07, - 0x01, 0xba, 0xf8, 0x61, 0xb9, 0xfe, 0xc5, 0x9a, 0x6b, 0x43, 0x61, 0x81, - 0x03, 0xeb, 0xba, 0x5f, 0x70, 0x9d, 0xe8, 0x6f, 0x94, 0x24, 0x4b, 0xdc, - 0xce, 0x92, 0xa8, 0x2e, 0xa2, 0x35, 0x3c, 0xe3, 0x49, 0xe0, 0x16, 0x77, - 0xa2, 0xdc, 0x6b, 0xb9, 0x8d, 0x18, 0x42, 0xb9, 0x36, 0x96, 0x43, 0x32, - 0xc6, 0xcb, 0x76, 0x99, 0x35, 0x36, 0xd8, 0x56, 0xc6, 0x98, 0x5d, 0xc3, - 0x6f, 0xa5, 0x7e, 0x95, 0xc2, 0xd5, 0x7a, 0x0a, 0x02, 0x20, 0x66, 0x78, - 0x92, 0xf2, 0x67, 0xa4, 0x23, 0x0d, 0xe8, 0x09, 0xbd, 0xcc, 0x21, 0x31, - 0x10, 0xa0, 0xbd, 0xbe, 0xb5, 0xdd, 0x4c, 0xdd, 0x46, 0x03, 0x99, 0x99 -}; - -unsigned char _entrustL1[1270] = { - 0x30, 0x82, 0x04, 0xf2, 0x30, 0x82, 0x03, 0xda, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x04, 0x38, 0x63, 0xe9, 0xfc, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, - 0xb4, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, - 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x31, - 0x40, 0x30, 0x3e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x14, 0x37, 0x77, 0x77, - 0x77, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, - 0x74, 0x2f, 0x43, 0x50, 0x53, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x20, 0x69, - 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x20, 0x62, 0x79, 0x20, 0x72, 0x65, - 0x66, 0x2e, 0x20, 0x28, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x73, 0x20, 0x6c, - 0x69, 0x61, 0x62, 0x2e, 0x29, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, - 0x04, 0x0b, 0x13, 0x1c, 0x28, 0x63, 0x29, 0x20, 0x31, 0x39, 0x39, 0x39, - 0x20, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, - 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, 0x31, 0x33, 0x30, 0x31, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2a, 0x45, 0x6e, 0x74, 0x72, 0x75, - 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 
0x79, 0x20, 0x28, 0x32, 0x30, 0x34, 0x38, - 0x29, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x39, 0x31, 0x32, 0x31, 0x30, 0x32, - 0x30, 0x34, 0x33, 0x35, 0x34, 0x5a, 0x17, 0x0d, 0x31, 0x39, 0x31, 0x32, - 0x31, 0x30, 0x32, 0x31, 0x31, 0x33, 0x35, 0x34, 0x5a, 0x30, 0x81, 0xb1, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0d, - 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2c, 0x20, 0x49, 0x6e, 0x63, - 0x2e, 0x31, 0x39, 0x30, 0x37, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x30, - 0x77, 0x77, 0x77, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, - 0x6e, 0x65, 0x74, 0x2f, 0x72, 0x70, 0x61, 0x20, 0x69, 0x73, 0x20, 0x69, - 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, - 0x62, 0x79, 0x20, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, - 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x16, 0x28, - 0x63, 0x29, 0x20, 0x32, 0x30, 0x30, 0x39, 0x20, 0x45, 0x6e, 0x74, 0x72, - 0x75, 0x73, 0x74, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, - 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x45, 0x6e, 0x74, 0x72, - 0x75, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x20, 0x2d, 0x20, 0x4c, 0x31, 0x43, 0x30, 0x82, 0x01, - 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, - 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x97, 0xa3, 0x2d, 0x3c, 0x9e, 0xde, - 0x05, 0xda, 0x13, 0xc2, 0x11, 0x8d, 0x9d, 0x8e, 0xe3, 0x7f, 0xc7, 0x4b, - 0x7e, 0x5a, 0x9f, 0xb3, 0xff, 0x62, 0xab, 0x73, 0xc8, 0x28, 0x6b, 0xba, - 0x10, 0x64, 0x82, 0x87, 0x13, 0xcd, 0x57, 0x18, 0xff, 0x28, 0xce, 0xc0, - 0xe6, 0x0e, 0x06, 0x91, 0x50, 0x29, 0x83, 0xd1, 0xf2, 0xc3, 0x2a, 0xdb, - 0xd8, 0xdb, 0x4e, 0x04, 0xcc, 0x00, 0xeb, 0x8b, 0xb6, 0x96, 0xdc, 0xbc, - 0xaa, 0xfa, 0x52, 0x77, 0x04, 
0xc1, 0xdb, 0x19, 0xe4, 0xae, 0x9c, 0xfd, - 0x3c, 0x8b, 0x03, 0xef, 0x4d, 0xbc, 0x1a, 0x03, 0x65, 0xf9, 0xc1, 0xb1, - 0x3f, 0x72, 0x86, 0xf2, 0x38, 0xaa, 0x19, 0xae, 0x10, 0x88, 0x78, 0x28, - 0xda, 0x75, 0xc3, 0x3d, 0x02, 0x82, 0x02, 0x9c, 0xb9, 0xc1, 0x65, 0x77, - 0x76, 0x24, 0x4c, 0x98, 0xf7, 0x6d, 0x31, 0x38, 0xfb, 0xdb, 0xfe, 0xdb, - 0x37, 0x02, 0x76, 0xa1, 0x18, 0x97, 0xa6, 0xcc, 0xde, 0x20, 0x09, 0x49, - 0x36, 0x24, 0x69, 0x42, 0xf6, 0xe4, 0x37, 0x62, 0xf1, 0x59, 0x6d, 0xa9, - 0x3c, 0xed, 0x34, 0x9c, 0xa3, 0x8e, 0xdb, 0xdc, 0x3a, 0xd7, 0xf7, 0x0a, - 0x6f, 0xef, 0x2e, 0xd8, 0xd5, 0x93, 0x5a, 0x7a, 0xed, 0x08, 0x49, 0x68, - 0xe2, 0x41, 0xe3, 0x5a, 0x90, 0xc1, 0x86, 0x55, 0xfc, 0x51, 0x43, 0x9d, - 0xe0, 0xb2, 0xc4, 0x67, 0xb4, 0xcb, 0x32, 0x31, 0x25, 0xf0, 0x54, 0x9f, - 0x4b, 0xd1, 0x6f, 0xdb, 0xd4, 0xdd, 0xfc, 0xaf, 0x5e, 0x6c, 0x78, 0x90, - 0x95, 0xde, 0xca, 0x3a, 0x48, 0xb9, 0x79, 0x3c, 0x9b, 0x19, 0xd6, 0x75, - 0x05, 0xa0, 0xf9, 0x88, 0xd7, 0xc1, 0xe8, 0xa5, 0x09, 0xe4, 0x1a, 0x15, - 0xdc, 0x87, 0x23, 0xaa, 0xb2, 0x75, 0x8c, 0x63, 0x25, 0x87, 0xd8, 0xf8, - 0x3d, 0xa6, 0xc2, 0xcc, 0x66, 0xff, 0xa5, 0x66, 0x68, 0x55, 0x02, 0x03, - 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x0b, 0x30, 0x82, 0x01, 0x07, 0x30, - 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, - 0x02, 0x01, 0x06, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, - 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x33, 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x27, 0x30, 0x25, - 0x30, 0x23, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, - 0x86, 0x17, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, - 0x70, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, - 0x74, 0x30, 0x32, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x2b, 0x30, 0x29, - 0x30, 0x27, 0xa0, 0x25, 0xa0, 0x23, 0x86, 0x21, 0x68, 0x74, 0x74, 0x70, - 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, - 0x73, 0x74, 0x2e, 0x6e, 0x65, 
0x74, 0x2f, 0x32, 0x30, 0x34, 0x38, 0x63, - 0x61, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x3b, 0x06, 0x03, 0x55, 0x1d, 0x20, - 0x04, 0x34, 0x30, 0x32, 0x30, 0x30, 0x06, 0x04, 0x55, 0x1d, 0x20, 0x00, - 0x30, 0x28, 0x30, 0x26, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x02, 0x01, 0x16, 0x1a, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, - 0x77, 0x77, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, - 0x65, 0x74, 0x2f, 0x72, 0x70, 0x61, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, - 0x0e, 0x04, 0x16, 0x04, 0x14, 0x1e, 0xf1, 0xab, 0x89, 0x06, 0xf8, 0x49, - 0x0f, 0x01, 0x33, 0x77, 0xee, 0x14, 0x7a, 0xee, 0x19, 0x7c, 0x93, 0x28, - 0x4d, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, - 0x80, 0x14, 0x55, 0xe4, 0x81, 0xd1, 0x11, 0x80, 0xbe, 0xd8, 0x89, 0xb9, - 0x08, 0xa3, 0x31, 0xf9, 0xa1, 0x24, 0x09, 0x16, 0xb9, 0x70, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x07, 0xf6, 0x5f, 0x82, 0x84, 0x7f, - 0x80, 0x40, 0xc7, 0x90, 0x34, 0x46, 0x42, 0x24, 0x03, 0xce, 0x2f, 0xab, - 0xba, 0x83, 0x9e, 0x25, 0x73, 0x0d, 0xed, 0xac, 0x05, 0x69, 0xc6, 0x87, - 0xed, 0xa3, 0x5c, 0xf2, 0x57, 0xc1, 0xb1, 0x49, 0x76, 0x9a, 0x4d, 0xf2, - 0x3f, 0xdd, 0xe4, 0x0e, 0xfe, 0x0b, 0x3e, 0xb9, 0x98, 0xd9, 0x32, 0x95, - 0x1d, 0x32, 0xf4, 0x01, 0xee, 0x9c, 0xc8, 0xc8, 0xe5, 0x3f, 0xe0, 0x53, - 0x76, 0x62, 0xfc, 0xdd, 0xab, 0x6d, 0x3d, 0x94, 0x90, 0xf2, 0xc0, 0xb3, - 0x3c, 0x98, 0x27, 0x36, 0x5e, 0x28, 0x97, 0x22, 0xfc, 0x1b, 0x40, 0xd3, - 0x2b, 0x0d, 0xad, 0xb5, 0x57, 0x6d, 0xdf, 0x0f, 0xe3, 0x4b, 0xef, 0x73, - 0x02, 0x10, 0x65, 0xfa, 0x1b, 0xd0, 0xac, 0x31, 0xd5, 0xe3, 0x0f, 0xe8, - 0xba, 0x32, 0x30, 0x83, 0xee, 0x4a, 0xd0, 0xbf, 0xdf, 0x22, 0x90, 0x7a, - 0xbe, 0xec, 0x3a, 0x1b, 0xc4, 0x49, 0x04, 0x1d, 0xf1, 0xae, 0x80, 0x77, - 0x3c, 0x42, 0x08, 0xdb, 0xa7, 0x3b, 0x28, 0xa6, 0x80, 0x01, 0x03, 0xe6, - 0x39, 0xa3, 0xeb, 0xdf, 0x80, 0x59, 0x1b, 0xf3, 0x2c, 0xbe, 0xdc, 0x72, - 0x44, 0x79, 0xa0, 0x6c, 0x07, 
0xa5, 0x6d, 0x4d, 0x44, 0x8e, 0x42, 0x68,
- 0xca, 0x94, 0x7c, 0x2e, 0x36, 0xba, 0x85, 0x9e, 0xcd, 0xaa, 0xc4, 0x5e,
- 0x3c, 0x54, 0xbe, 0xfe, 0x2f, 0xea, 0x69, 0x9d, 0x1c, 0x1e, 0x29, 0x9b,
- 0x96, 0xd8, 0xc8, 0xfe, 0x51, 0x90, 0xf1, 0x24, 0xa6, 0x90, 0x06, 0xb3,
- 0xf0, 0x29, 0xa2, 0xff, 0x78, 0x2e, 0x77, 0x5c, 0x45, 0x21, 0xd9, 0x44,
- 0x00, 0x31, 0xf3, 0xbe, 0x32, 0x4f, 0xf5, 0x0a, 0x32, 0x0d, 0xfc, 0xfc,
- 0xba, 0x16, 0x76, 0x56, 0xb2, 0xd6, 0x48, 0x92, 0xf2, 0x8b, 0xa6, 0x3e,
- 0xb7, 0xac, 0x5c, 0x69, 0xea, 0x0b, 0x3f, 0x66, 0x45, 0xb9
-};
-
-static void tests_grandslam(void)
-{
- SecTrustRef trust;
- SecCertificateRef serverauth, service;
- SecPolicyRef policy;
-
- isnt(serverauth = SecCertificateCreateWithBytes(NULL, _server_auth, sizeof(_server_auth)),
- NULL, "create serverauth");
- isnt(service = SecCertificateCreateWithBytes(NULL, _gsservice, sizeof(_gsservice)),
- NULL, "create sservice");
-
- CFTypeRef certs[2] = { service, serverauth };
-
- CFArrayRef array = CFArrayCreate(NULL, (const void **)&certs, sizeof(certs)/sizeof(certs[0]), NULL);
- isnt(array, NULL, "array");
-
- isnt(policy = SecPolicyCreateAppleGSService(CFSTR("gsa.apple.com"), NULL), NULL, "create policy");
-
- ok_status(SecTrustCreateWithCertificates(array, policy, &trust), "create trust");
-
- CFTimeZoneRef tz = CFTimeZoneCreateWithName(NULL, CFSTR("CET"), true);
- CFDateRef date = CFDateCreateForGregorianMoment(NULL, tz, 2015, 04, 20, 19, 10, 0);
- CFReleaseNull(tz);
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
-
- SecTrustResultType trustResult;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified,
- "trust is not kSecTrustResultUnspecified");
-
- is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
-
- CFReleaseNull(trust);
- CFReleaseNull(policy);
- CFReleaseNull(date);
- CFReleaseNull(array);
-}
-
-static void tests_ids(void)
-{
- SecTrustRef trust;
- SecCertificateRef serverauth,
service;
- SecPolicyRef policy;
-
- isnt(serverauth = SecCertificateCreateWithBytes(NULL, _server_auth, sizeof(_server_auth)),
- NULL, "create serverauth");
- isnt(service = SecCertificateCreateWithBytes(NULL, _idsservice, sizeof(_idsservice)),
- NULL, "create sservice");
-
- CFTypeRef certs[2] = { service, serverauth };
-
- CFArrayRef array = CFArrayCreate(NULL, (const void **)&certs, sizeof(certs)/sizeof(certs[0]), NULL);
- isnt(array, NULL, "array");
-
- CFDictionaryRef context = CFDictionaryCreateForCFTypes(NULL,
- CFSTR("AppleServerAuthenticationAllowUATIDS"), kCFBooleanTrue,
- NULL);
- isnt(context, NULL, "context");
-
- isnt(policy = SecPolicyCreateAppleIDSServiceContext(CFSTR("sc5mv.apple.com"), context), NULL, "create policy");
-
- ok_status(SecTrustCreateWithCertificates(array, policy, &trust), "create trust");
-
- CFTimeZoneRef tz = CFTimeZoneCreateWithName(NULL, CFSTR("CET"), true);
- CFDateRef date = CFDateCreateForGregorianMoment(NULL, tz, 2015, 05, 11, 19, 10, 0);
- CFReleaseNull(tz);
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
-
- SecTrustResultType trustResult;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified,
- "trust is not kSecTrustResultUnspecified");
-
- is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
-
- CFReleaseNull(trust);
- CFReleaseNull(policy);
- CFReleaseNull(date);
- CFReleaseNull(context);
- CFReleaseNull(array);
-}
-
-
-static void tests_apn(void)
-{
-#if 0 /* these certs are not cooked yet */
- SecTrustRef trust;
- SecCertificateRef serverauth, service;
- SecPolicyRef policy;
-
- isnt(serverauth = SecCertificateCreateWithBytes(NULL, _server_auth, sizeof(_server_auth)),
- NULL, "create serverauth");
- isnt(service = SecCertificateCreateWithBytes(NULL, _apnservice, sizeof(_apnservice)),
- NULL, "create sservice");
-
- CFTypeRef certs[2] = { service, serverauth };
-
- CFArrayRef array = CFArrayCreate(NULL, (const void **)&certs,
sizeof(certs)/sizeof(certs[0]), NULL);
- isnt(array, NULL, "array");
-
- isnt(policy = SecPolicyCreateApplePushService(CFSTR("courier.push.apple.com")), NULL, "create policy");
-
- ok_status(SecTrustCreateWithCertificates(array, policy, &trust), "create trust");
-
- CFTimeZoneRef tz = CFTimeZoneCreateWithName(NULL, CFSTR("CET"), true);
- CFDateRef date = CFDateCreateForGregorianMoment(NULL, tz, 2015, 05, 11, 19, 10, 0);
- CFReleaseNull(tz);
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
-
- SecTrustResultType trustResult;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified,
- "trust is kSecTrustResultUnspecified");
-
- is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
-
- CFReleaseNull(trust);
- CFReleaseNull(policy);
- CFReleaseNull(date);
- CFReleaseNull(array);
-#endif
-}
-
-static void tests_apn_legacy(void)
-{
- SecTrustRef trust;
- SecCertificateRef serverauth, service;
- SecPolicyRef policy;
-
- isnt(serverauth = SecCertificateCreateWithBytes(NULL, _entrustL1, sizeof(_entrustL1)),
- NULL, "create serverauth");
- isnt(service = SecCertificateCreateWithBytes(NULL, _apnserviceLegacy, sizeof(_apnserviceLegacy)),
- NULL, "create service");
-
- CFTypeRef certs[2] = { service, serverauth };
-
- CFArrayRef array = CFArrayCreate(NULL, (const void **)&certs, sizeof(certs)/sizeof(certs[0]), NULL);
- isnt(array, NULL, "array");
-
- isnt(policy = SecPolicyCreateApplePushServiceLegacy(CFSTR("courier.push.apple.com")), NULL, "create policy");
-
- ok_status(SecTrustCreateWithCertificates(array, policy, &trust), "create trust");
-
- CFTimeZoneRef tz = CFTimeZoneCreateWithName(NULL, CFSTR("CET"), true);
- CFDateRef date = CFDateCreateForGregorianMoment(NULL, tz, 2015, 05, 11, 19, 10, 0);
- CFReleaseNull(tz);
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
-
- SecTrustResultType trustResult;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
-
is_status(trustResult, kSecTrustResultUnspecified,
- "trust is kSecTrustResultUnspecified");
-
- is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
-
- CFReleaseNull(trust);
- CFReleaseNull(policy);
- CFReleaseNull(date);
- CFReleaseNull(array);
-}
-
-
-int si_25_sectrust_apple_authentication(int argc, char *const *argv)
-{
- plan_tests(28);
-
- tests_grandslam();
- tests_ids();
- tests_apn();
- tests_apn_legacy();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-25-sectrust-ipsec-eap.c b/OSX/sec/Security/Regressions/secitem/si-25-sectrust-ipsec-eap.c
deleted file mode 100644
index 40b221d1..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-25-sectrust-ipsec-eap.c
+++ /dev/null
@@ -1,778 +0,0 @@ -/* - * Copyright (c) 2008-2010,2012-2014 Apple Inc. All Rights Reserved. - * - */ - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecCertificate.h> -#include <Security/SecCertificatePriv.h> -#include <Security/SecPolicyPriv.h> -#include <Security/SecTrust.h> -#include <Security/SecInternal.h> -#include <utilities/array_size.h> -#include <utilities/SecCFWrappers.h> - -#include "Security_regressions.h" - - -/* -openssl req -newkey rsa:2048 -sha1 -days 365 -sha1 \ - -subj "/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA" \ - -nodes -keyout CA-key.pem -out CA-csr.pem -openssl x509 -req -sha1 -in CA-csr.pem -signkey CA-key.pem -set_serial 0 -out CA-cert.pem - -openssl req -newkey rsa:1024 -sha1 \ - -subj "/O=Apple Inc./OU=IS&T/CN=IPSec Gateway/C=US/ST=California/L=Cupertino" \ - -nodes -out ipsec-csr.pem -keyout ipsec-key.pem -openssl x509 -req -in ipsec-csr.pem -CA CA-cert.pem -CAkey CA-key.pem -set_serial 1 \ - -out ipsec-cert.pem -extfile ext.txt -extensions v3_req - -[ v3_req ] -keyUsage = digitalSignature, keyEncipherment -subjectAltName=email:user@fqdn.com,DNS:ipsec.apple.com,IP:17.255.42.2,DNS:ipsec2.apple.com,IP:17.255.42.1 - -*/ - -/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -unsigned char _ca_certificate[828]={ -0x30,0x82,0x03,0x38,0x30,0x82,0x02,0x20,0x02,0x01,0x00,0x30,0x0D,0x06,0x09,0x2A, -0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x62,0x31,0x0B,0x30,0x09, -0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, -0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26, -0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43, -0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74, -0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13, 
-0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E, -0x17,0x0D,0x30,0x39,0x31,0x31,0x31,0x33,0x32,0x32,0x30,0x37,0x32,0x35,0x5A,0x17, -0x0D,0x30,0x39,0x31,0x32,0x31,0x33,0x32,0x32,0x30,0x37,0x32,0x35,0x5A,0x30,0x62, -0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30, -0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E, -0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70, -0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, -0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06,0x03, -0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20, -0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, -0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82, -0x01,0x01,0x00,0xD3,0x61,0x56,0x8A,0xF3,0x52,0x4C,0xAF,0xB3,0xF8,0x27,0x74,0x53, -0x32,0x2F,0xB8,0x38,0xB1,0x58,0x43,0x3A,0x82,0x22,0xA2,0x54,0x78,0xB4,0xBD,0x96, -0x94,0xD9,0x43,0x00,0xA3,0x5F,0x83,0xF5,0xFB,0x4C,0x8F,0x40,0xE6,0xC4,0x36,0xD7, -0xF4,0x4A,0x9C,0xA1,0x03,0xCE,0x9F,0x28,0x01,0x07,0x29,0x40,0x69,0xA9,0xC7,0xF0, -0x0A,0x2F,0x76,0xC7,0x44,0xE3,0xA5,0x1C,0xC9,0x49,0x0A,0xFA,0x89,0xC8,0x00,0x48, -0x05,0x68,0xC9,0x20,0x15,0xC1,0x2D,0xDB,0x3C,0x2C,0xD5,0xE8,0xC2,0xC0,0x31,0x14, -0x72,0x58,0xE1,0xBE,0x47,0xB4,0xEE,0xA8,0x77,0x33,0xB6,0xC0,0x55,0x77,0x66,0x52, -0x1C,0xDF,0x71,0x23,0x99,0x28,0xCA,0x3F,0x08,0xC6,0x20,0x02,0xAB,0xC4,0x57,0x50, -0x6B,0xB1,0xCF,0x85,0xEF,0x76,0xF6,0x97,0xF5,0x3E,0x0B,0xEC,0xC1,0x26,0xC2,0xF9, -0xD4,0x9E,0xE5,0x8E,0x30,0xD6,0x94,0xC7,0x0E,0x64,0x6B,0x73,0x36,0xF4,0xF7,0xB6, -0xD5,0xC7,0x69,0xF4,0xBC,0xCF,0x63,0x72,0xB0,0xDD,0xB9,0x46,0x5C,0xE0,0xD7,0x4D, -0x20,0xC7,0xE8,0xFD,0x2D,0x7A,0x81,0x34,0xF8,0x26,0x4C,0x83,0x02,0x80,0x33,0xB1, -0x24,0x95,0xE5,0x10,0x98,0xC1,0x95,0xF0,0x43,0xC2,0x8D,0x8A,0x0E,0x33,0x68,0xAC, 
-0x17,0xA6,0x68,0x7D,0xC9,0xEC,0xEC,0x17,0x1F,0xD2,0x01,0x11,0x02,0x09,0x12,0x75, -0x40,0xCC,0x28,0xE2,0x1B,0xCC,0xC2,0x2B,0xF2,0xDC,0x4D,0x71,0x5B,0x28,0x6F,0x30, -0x16,0x22,0xDA,0x87,0x92,0x7B,0x43,0x09,0x1F,0x89,0x8C,0xDD,0x8F,0xD9,0xD2,0xB9, -0x88,0xDE,0xA3,0x02,0x03,0x01,0x00,0x01,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, -0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x66,0x29,0x32,0x2C, -0x4B,0x10,0x82,0xFA,0x90,0x18,0xC5,0x0C,0x1F,0xC5,0x42,0x47,0x48,0xEF,0x0A,0x16, -0xFE,0x46,0xF8,0x81,0x4C,0x1B,0x43,0x3B,0x66,0x66,0xDD,0xBB,0xFF,0x9A,0xE9,0xAD, -0x92,0xC1,0x56,0xB3,0x3F,0x04,0xEE,0x0C,0x7C,0x4F,0xCE,0x39,0xC4,0x24,0x39,0x3C, -0x6F,0x08,0x02,0x44,0xEE,0x25,0x22,0x01,0x14,0x55,0x05,0xB6,0x5C,0x92,0x34,0x8C, -0x37,0x33,0xAB,0xD3,0xBD,0x28,0xF2,0x88,0x96,0xDF,0x4F,0xE1,0x45,0x73,0x9D,0x1A, -0x56,0x6D,0x06,0x0C,0x38,0xAC,0xCA,0x83,0xAF,0xCB,0x3F,0xF2,0xF4,0x78,0x5D,0x2E, -0x1D,0x52,0x26,0x60,0x4D,0xE4,0x7D,0xDE,0x41,0xE5,0x98,0x10,0x59,0x7E,0x36,0x94, -0x74,0x45,0xE8,0x3E,0x0E,0x1A,0xE7,0x8C,0xE5,0xD8,0x35,0x97,0x1E,0xA8,0x25,0x22, -0x07,0xA6,0x6E,0x39,0x22,0x35,0x85,0xBD,0xDC,0x8B,0x49,0x9B,0x9C,0xA5,0xE4,0xBF, -0xD8,0x9D,0x18,0x27,0x24,0x7F,0x7D,0x07,0x7A,0x2A,0xBA,0x94,0x63,0x9C,0x03,0xA0, -0x41,0x1E,0x12,0x0F,0xA9,0xA9,0x6A,0x16,0xA9,0x3C,0x4A,0x12,0xBB,0x15,0xBA,0xD2, -0x1C,0xA2,0x74,0x29,0xD5,0xBE,0x5C,0x1B,0x87,0x82,0x5B,0x25,0x01,0xF6,0x91,0x8F, -0x7B,0xCC,0x2C,0x92,0x65,0xE9,0x6F,0xFA,0x09,0x2D,0xE2,0x40,0xA0,0x81,0x30,0xDE, -0xD3,0x96,0x3A,0x2C,0x5E,0x0C,0xEE,0x10,0xA7,0x7D,0x9B,0xDC,0x75,0x06,0x41,0x4A, -0x8D,0x31,0x04,0x2C,0x9E,0xAD,0xED,0xD5,0xF8,0x08,0xBA,0xBD,0x4C,0xBE,0x1F,0xC6, -0x6C,0x03,0xC5,0x79,0x26,0xDA,0x79,0x21,0xCA,0x5C,0x3A,0xEC, -}; - -/* subject:/O=Apple Inc./OU=IS&T/CN=IPSec Gateway/C=US/ST=California/L=Cupertino */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -unsigned char _ipsec_certificate[807]={ -0x30,0x82,0x03,0x23,0x30,0x82,0x02,0x0B,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01, 
-0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, -0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, -0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, -0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, -0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06, -0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74, -0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x39,0x31,0x31,0x31,0x33,0x32,0x32,0x30, -0x37,0x33,0x37,0x5A,0x17,0x0D,0x30,0x39,0x31,0x32,0x31,0x33,0x32,0x32,0x30,0x37, -0x33,0x37,0x5A,0x30,0x72,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A, -0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0D,0x30,0x0B,0x06,0x03, -0x55,0x04,0x0B,0x14,0x04,0x49,0x53,0x26,0x54,0x31,0x16,0x30,0x14,0x06,0x03,0x55, -0x04,0x03,0x13,0x0D,0x49,0x50,0x53,0x65,0x63,0x20,0x47,0x61,0x74,0x65,0x77,0x61, -0x79,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, -0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x13,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72, -0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x13,0x09,0x43,0x75, -0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86, -0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89, -0x02,0x81,0x81,0x00,0xBB,0xA8,0x14,0x61,0x78,0x57,0x5A,0x23,0xC0,0xDA,0xC9,0xF0, -0x16,0x46,0x61,0xDA,0x48,0x5F,0xA7,0x0E,0xED,0x66,0xA8,0xBD,0x5A,0x4E,0x70,0xA4, -0xEB,0x65,0xB0,0x4C,0xF7,0x72,0xF6,0x51,0xCD,0xB1,0xAF,0x39,0xEF,0x9B,0x9E,0xDF, -0xA9,0x08,0xC1,0xF0,0xCF,0x54,0x9D,0x54,0xD1,0x4F,0xDE,0x95,0xE9,0xF5,0xD1,0xB2, -0x17,0x9E,0x00,0x29,0x42,0x3F,0xD2,0x6A,0x0C,0xFB,0x71,0xC4,0x8A,0x4E,0x21,0x7B, -0xAB,0x98,0xBA,0x5C,0x8E,0x7D,0x2E,0xF4,0x1C,0x33,0x6E,0x3C,0x92,0x18,0xA0,0xBD, 
-0x23,0x05,0xBF,0xAB,0xE4,0xF5,0x2C,0xA6,0x55,0x69,0x43,0xA7,0xFA,0x52,0xB0,0x57, -0x51,0xC5,0xF8,0xC4,0xE0,0x81,0x30,0x56,0x49,0xB8,0x6D,0xF0,0xAE,0xF8,0xAC,0xF0, -0x43,0xAC,0x0D,0xB3,0x02,0x03,0x01,0x00,0x01,0xA3,0x58,0x30,0x56,0x30,0x0B,0x06, -0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x47,0x06,0x03,0x55,0x1D, -0x11,0x04,0x40,0x30,0x3E,0x81,0x0D,0x75,0x73,0x65,0x72,0x40,0x66,0x71,0x64,0x6E, -0x2E,0x63,0x6F,0x6D,0x82,0x0F,0x69,0x70,0x73,0x65,0x63,0x2E,0x61,0x70,0x70,0x6C, -0x65,0x2E,0x63,0x6F,0x6D,0x87,0x04,0x11,0xFF,0x2A,0x02,0x82,0x10,0x69,0x70,0x73, -0x65,0x63,0x32,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x87,0x04,0x11, -0xFF,0x2A,0x01,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, -0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xB3,0x75,0x2A,0xD1,0xB5,0x54,0x87,0x57,0x59, -0xD2,0x38,0x99,0x4E,0xFE,0x0E,0x02,0x0D,0x50,0x95,0xE8,0x14,0x12,0x76,0x18,0x98, -0x14,0xD4,0xDE,0xCA,0x1D,0x25,0x86,0xDA,0x3E,0x47,0x64,0x67,0xDB,0x0B,0x17,0x5E, -0xF1,0xF2,0x8A,0xB9,0xC2,0xB5,0xCA,0x53,0x4B,0x6E,0x20,0xA3,0xE2,0xEE,0x51,0xE0, -0xD7,0xD1,0x46,0x21,0x40,0x82,0x32,0x25,0x6F,0x70,0x17,0xA7,0xE1,0xF6,0xD0,0x71, -0xA4,0x58,0xDF,0x54,0x2F,0x49,0xFE,0x93,0x2C,0x47,0x46,0x54,0xF8,0x0E,0xC5,0xFF, -0x57,0xE5,0x59,0xAF,0xCF,0xF6,0xEB,0x1F,0x43,0xAB,0x1D,0x0E,0xF2,0x22,0x5C,0x96, -0x52,0x40,0xDE,0xA5,0xE6,0xB2,0xE6,0xFC,0x4D,0x89,0xC3,0x5E,0x27,0x32,0xBD,0xFD, -0x70,0x50,0xA6,0x57,0x94,0x8A,0xDA,0x9B,0x74,0xCB,0x43,0xD8,0x8E,0x78,0x8B,0x52, -0x0C,0x0E,0x11,0x8E,0x34,0xA2,0x8B,0x52,0x18,0x15,0xB2,0x06,0xA9,0x27,0x44,0x5D, -0x6D,0x3C,0xE1,0x66,0x89,0x4D,0xE3,0x2B,0x19,0x96,0x0D,0x44,0xC5,0x79,0xF0,0x10, -0x76,0x38,0xBC,0xA1,0x99,0x84,0x5D,0x30,0x5A,0x04,0x61,0x75,0x1B,0xC1,0x88,0xD7, -0x5E,0xAB,0xA6,0xA8,0x9C,0x2C,0xDA,0xE7,0xDB,0x73,0x19,0x40,0xF0,0x46,0xC5,0x15, -0xEA,0x6B,0x22,0x69,0x49,0xE1,0xD4,0x8C,0xA7,0xB1,0xAA,0x98,0x3D,0x7B,0x7F,0x1C, -0x8F,0xAF,0x29,0x00,0xE4,0xEE,0x28,0xF6,0xF6,0x94,0x40,0x89,0x60,0x99,0xF4,0xDE, 
-0xEE,0xDE,0x43,0x04,0x5D,0x19,0x9D,0x56,0xE3,0xBC,0x8A,0xD6,0xA7,0x0C,0xCF,0xED, -0x1E,0x8B,0x86,0xE7,0x34,0xA6,0x56, -}; - -unsigned char ivpntest_com_root_der[] = { - 0x30, 0x82, 0x04, 0x98, 0x30, 0x82, 0x03, 0x80, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x10, 0x7a, 0xdb, 0x4e, 0x56, 0x1a, 0xb8, 0x90, 0xae, 0x46, - 0x6f, 0x06, 0x74, 0x44, 0x09, 0x68, 0x87, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x4e, - 0x31, 0x13, 0x30, 0x11, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, - 0x2c, 0x64, 0x01, 0x19, 0x16, 0x03, 0x63, 0x6f, 0x6d, 0x31, 0x18, 0x30, - 0x16, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, - 0x19, 0x16, 0x08, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x31, - 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x14, 0x71, 0x61, - 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, - 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x39, - 0x30, 0x31, 0x32, 0x38, 0x30, 0x32, 0x34, 0x33, 0x33, 0x30, 0x5a, 0x17, - 0x0d, 0x31, 0x34, 0x30, 0x31, 0x32, 0x38, 0x30, 0x32, 0x35, 0x32, 0x34, - 0x33, 0x5a, 0x30, 0x4e, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0a, 0x09, 0x92, - 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x03, 0x63, 0x6f, - 0x6d, 0x31, 0x18, 0x30, 0x16, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, - 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x08, 0x69, 0x76, 0x70, 0x6e, 0x74, - 0x65, 0x73, 0x74, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x13, 0x14, 0x71, 0x61, 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, - 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, - 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, - 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbe, 0xf8, 0xff, 0x61, 0xca, - 0x9d, 0xcf, 0x07, 0x4d, 0x06, 0xf4, 0x52, 0x4b, 0x3f, 0x84, 0xc5, 0x0b, - 0x71, 0xef, 0x7f, 0x7d, 0x35, 0xac, 0x68, 0xce, 0x84, 
0xe6, 0x7c, 0x0a, - 0xba, 0x02, 0x71, 0xcf, 0x81, 0x40, 0xcb, 0x25, 0xdb, 0x41, 0x23, 0x84, - 0x88, 0x4d, 0x16, 0xa2, 0x41, 0xa5, 0x2a, 0x98, 0xa3, 0xb7, 0x02, 0xff, - 0x54, 0xb6, 0xd5, 0x55, 0x75, 0x17, 0xbc, 0xd5, 0x04, 0x24, 0x35, 0x63, - 0xfa, 0xcb, 0x98, 0x38, 0x98, 0x18, 0xd3, 0x13, 0xc1, 0xef, 0x1a, 0xfe, - 0xb7, 0xcd, 0x2e, 0xc2, 0xb8, 0x0d, 0x3e, 0x62, 0x38, 0xc0, 0x05, 0xf9, - 0x5b, 0xc5, 0xd5, 0xf6, 0xc4, 0x9d, 0x8e, 0xc3, 0x90, 0x32, 0xa2, 0xb1, - 0x88, 0xa8, 0xf9, 0xd3, 0x0d, 0x02, 0x8d, 0xbe, 0x8f, 0x41, 0xe7, 0x92, - 0x85, 0xe7, 0x4c, 0x11, 0x9a, 0x4b, 0xfb, 0x00, 0xa9, 0x9f, 0xf5, 0xfb, - 0x23, 0xda, 0xf1, 0xfd, 0x95, 0x89, 0xd5, 0x2b, 0xc5, 0xbf, 0x9c, 0xc3, - 0x93, 0xd0, 0xc2, 0xf8, 0x12, 0xbe, 0x26, 0x24, 0x41, 0x80, 0x64, 0x2f, - 0xc0, 0x7b, 0x31, 0x85, 0x06, 0x3c, 0xe4, 0xc6, 0x7e, 0xbc, 0x61, 0xa7, - 0xa2, 0xf4, 0xa7, 0xd7, 0xd7, 0xcb, 0xeb, 0xea, 0xb0, 0xc6, 0xd7, 0x13, - 0xd6, 0x09, 0xfa, 0x45, 0xc6, 0x25, 0x6f, 0x34, 0xdc, 0x78, 0x70, 0xa0, - 0xa5, 0xea, 0xd7, 0xe7, 0xda, 0xe2, 0x5a, 0x7a, 0xc3, 0xe3, 0x7a, 0x8d, - 0xf3, 0x5a, 0x78, 0xfa, 0x57, 0xe1, 0xf1, 0xae, 0x6b, 0xea, 0x83, 0xd0, - 0xd7, 0xa9, 0x43, 0x2d, 0x5d, 0x8b, 0xac, 0xbb, 0x92, 0x5b, 0x2a, 0xd7, - 0x27, 0xbe, 0xe7, 0xa0, 0xd2, 0xc5, 0x9b, 0xd7, 0xa4, 0xc1, 0x6a, 0xf8, - 0xec, 0xfc, 0xa6, 0x96, 0xfc, 0x09, 0x11, 0x95, 0xca, 0x75, 0xab, 0x8a, - 0x5b, 0xd2, 0xb2, 0xb4, 0x11, 0xf1, 0x88, 0x34, 0xe3, 0xb7, 0x21, 0x02, - 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x70, 0x30, 0x82, 0x01, 0x6c, - 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, - 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, - 0x0e, 0x04, 0x16, 0x04, 0x14, 0x40, 0xb5, 0x54, 0x10, 0x88, 0x09, 0xeb, - 0x3e, 0x2e, 0x69, 0x82, 0xa6, 0xa0, 0xd8, 0xe4, 0xb0, 0x98, 0xc1, 0x69, - 0x3d, 0x30, 0x82, 0x01, 0x19, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x82, - 0x01, 0x10, 0x30, 0x82, 0x01, 0x0c, 0x30, 0x82, 0x01, 
0x08, 0xa0, 0x82, - 0x01, 0x04, 0xa0, 0x82, 0x01, 0x00, 0x86, 0x81, 0xbc, 0x6c, 0x64, 0x61, - 0x70, 0x3a, 0x2f, 0x2f, 0x2f, 0x43, 0x4e, 0x3d, 0x71, 0x61, 0x73, 0x72, - 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, - 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x43, 0x4e, 0x3d, 0x71, 0x61, 0x73, 0x72, - 0x76, 0x31, 0x30, 0x2c, 0x43, 0x4e, 0x3d, 0x43, 0x44, 0x50, 0x2c, 0x43, - 0x4e, 0x3d, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x25, 0x32, 0x30, 0x4b, - 0x65, 0x79, 0x25, 0x32, 0x30, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, - 0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, - 0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x44, 0x43, 0x3d, 0x69, 0x76, - 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2c, 0x44, 0x43, 0x3d, 0x63, 0x6f, - 0x6d, 0x3f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x52, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4c, - 0x69, 0x73, 0x74, 0x3f, 0x62, 0x61, 0x73, 0x65, 0x3f, 0x6f, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x3d, 0x63, 0x52, 0x4c, - 0x44, 0x69, 0x73, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e, - 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x86, 0x3f, 0x68, 0x74, 0x74, 0x70, 0x3a, - 0x2f, 0x2f, 0x71, 0x61, 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, - 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43, - 0x65, 0x72, 0x74, 0x45, 0x6e, 0x72, 0x6f, 0x6c, 0x6c, 0x2f, 0x71, 0x61, - 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, - 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x10, - 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, - 0x03, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, - 0x07, 0x74, 0x27, 0x8c, 0xdd, 0x75, 0xa1, 0x0d, 0x97, 0xd1, 0x9d, 0x0d, - 0xae, 0x3b, 0xf3, 0x14, 0x0f, 0xa1, 0x1c, 0x51, 0xd8, 
0x68, 0xe7, 0xfd, - 0xd0, 0xaf, 0xe7, 0x66, 0x62, 0xf8, 0x73, 0x75, 0x88, 0x6c, 0xb9, 0xb3, - 0x1e, 0xf5, 0x82, 0x3a, 0x1d, 0x82, 0x7b, 0xa3, 0x18, 0xd9, 0x1a, 0x40, - 0xf2, 0xcd, 0xb3, 0x83, 0xae, 0x12, 0x5b, 0xb4, 0x45, 0xd9, 0xbe, 0x51, - 0x3e, 0x11, 0x64, 0xaf, 0x95, 0x06, 0xb6, 0xbd, 0xd1, 0xa1, 0xfd, 0xbb, - 0xdb, 0xa4, 0xbb, 0xba, 0x3e, 0xd5, 0xd6, 0x1d, 0x37, 0x80, 0x17, 0xe8, - 0x08, 0x75, 0x5f, 0x5d, 0x49, 0x5f, 0x70, 0xdd, 0x67, 0xde, 0x9a, 0x34, - 0x95, 0x2e, 0x54, 0x58, 0x42, 0xaf, 0x8a, 0x57, 0xf2, 0xb4, 0x1f, 0xfb, - 0x40, 0x9c, 0x05, 0xa0, 0x6a, 0x9a, 0x91, 0x0e, 0x27, 0xaa, 0x9e, 0xdb, - 0xbf, 0x50, 0xc9, 0xa4, 0x2f, 0xc8, 0x71, 0x00, 0x11, 0xf8, 0x2f, 0xda, - 0x98, 0xf4, 0x1d, 0x98, 0x2a, 0xe9, 0x29, 0xc7, 0xea, 0x74, 0x65, 0xf1, - 0x6d, 0x06, 0x9f, 0x59, 0xa3, 0x50, 0x7e, 0x1b, 0x52, 0x5a, 0xb9, 0x5e, - 0xce, 0xa0, 0x03, 0x53, 0xe8, 0xba, 0x36, 0x4a, 0xc2, 0x95, 0xdb, 0x34, - 0x61, 0xc8, 0xf4, 0xa5, 0x7c, 0xd6, 0x9d, 0x64, 0x91, 0xfb, 0x23, 0xfd, - 0x8b, 0x3a, 0xd2, 0x67, 0xb0, 0x64, 0xa7, 0x80, 0x82, 0x74, 0x85, 0x45, - 0xa7, 0x78, 0x57, 0xb6, 0xf0, 0x0a, 0xf9, 0xa2, 0xb5, 0x7f, 0x7e, 0x88, - 0x21, 0xd7, 0x67, 0xd2, 0xc4, 0x9c, 0x98, 0x51, 0x9b, 0x71, 0xfb, 0x39, - 0xf2, 0xb3, 0xfd, 0x3f, 0x0b, 0x61, 0x59, 0xa0, 0x15, 0x40, 0x53, 0x71, - 0xac, 0xf5, 0xf7, 0xee, 0x03, 0x6b, 0x1f, 0x5d, 0x29, 0x0a, 0xf7, 0x4f, - 0x1a, 0xea, 0xa4, 0xb8, 0x02, 0x63, 0x7c, 0x37, 0x37, 0xdd, 0x46, 0x42, - 0xe3, 0xe1, 0x82, 0x94 -}; -unsigned int ivpntest_com_root_der_len = 1180; - -unsigned char vpn3000_id_cer[] = { - 0x30, 0x82, 0x06, 0x84, 0x30, 0x82, 0x05, 0x6c, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x0a, 0x14, 0xb8, 0xa0, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x2a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x05, 0x05, 0x00, 0x30, 0x4e, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0a, - 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x03, - 0x63, 0x6f, 0x6d, 0x31, 0x18, 0x30, 0x16, 0x06, 0x0a, 0x09, 0x92, 0x26, - 0x89, 0x93, 
0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x08, 0x69, 0x76, 0x70, - 0x6e, 0x74, 0x65, 0x73, 0x74, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x14, 0x71, 0x61, 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, - 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, - 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x39, 0x30, 0x33, 0x31, 0x30, 0x30, 0x32, - 0x34, 0x39, 0x35, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x31, 0x30, 0x33, 0x31, - 0x30, 0x30, 0x32, 0x34, 0x39, 0x35, 0x32, 0x5a, 0x30, 0x6d, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x75, 0x73, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x63, 0x61, - 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x63, - 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x11, 0x30, 0x0f, - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x69, 0x76, 0x70, 0x6e, 0x74, - 0x65, 0x73, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x13, 0x02, 0x71, 0x61, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x13, 0x14, 0x76, 0x70, 0x6e, 0x33, 0x30, 0x30, 0x30, 0x2e, 0x69, - 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9d, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8b, 0x00, 0x30, 0x81, 0x87, - 0x02, 0x81, 0x81, 0x00, 0x8a, 0xaa, 0x14, 0x59, 0x49, 0x6e, 0x70, 0x37, - 0x3d, 0x53, 0x22, 0x27, 0x95, 0xc0, 0x11, 0x3e, 0xb4, 0x7d, 0x5c, 0x37, - 0x29, 0xd8, 0x4c, 0x5d, 0x81, 0x6c, 0xdc, 0x50, 0xd3, 0xa9, 0x88, 0xaa, - 0x99, 0x68, 0x94, 0x1d, 0x63, 0x9a, 0xf1, 0xd4, 0x57, 0x63, 0xa3, 0x78, - 0x29, 0x5e, 0xae, 0x4a, 0xe6, 0x8b, 0x70, 0xf9, 0x04, 0x82, 0x1e, 0xa8, - 0x1d, 0x61, 0x98, 0xda, 0xe3, 0xac, 0x86, 0xb7, 0x62, 0x58, 0xae, 0x37, - 0xee, 0x1b, 0x37, 0xf8, 0xfd, 0x12, 0xc6, 0x69, 0x87, 0x58, 0xf5, 0x66, - 0xb2, 0x07, 0xed, 0x2d, 0x3c, 0xbb, 0x64, 0xac, 0x92, 0x07, 0x98, 0x17, - 0x72, 0xdc, 0x41, 0xf0, 0x7b, 0x1a, 0x3e, 0x83, 0x29, 0x05, 0x36, 0x21, - 0x08, 0x23, 
0xf6, 0x8a, 0x84, 0x31, 0x83, 0x50, 0xea, 0x53, 0xe0, 0x88, - 0x24, 0x84, 0xdd, 0xb2, 0x4a, 0x3a, 0x90, 0x4b, 0xeb, 0x08, 0x07, 0x6b, - 0x02, 0x01, 0x03, 0xa3, 0x82, 0x03, 0xc9, 0x30, 0x82, 0x03, 0xc5, 0x30, - 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x18, 0x30, 0x16, 0x82, 0x14, - 0x76, 0x70, 0x6e, 0x33, 0x30, 0x30, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, - 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1d, 0x06, 0x03, - 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x3d, 0xb1, 0xf6, 0x70, 0x4c, - 0x4d, 0x42, 0xf4, 0x41, 0x91, 0xd4, 0xef, 0xa8, 0xcf, 0x45, 0x31, 0x16, - 0x29, 0x92, 0x1a, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, - 0x30, 0x16, 0x80, 0x14, 0x40, 0xb5, 0x54, 0x10, 0x88, 0x09, 0xeb, 0x3e, - 0x2e, 0x69, 0x82, 0xa6, 0xa0, 0xd8, 0xe4, 0xb0, 0x98, 0xc1, 0x69, 0x3d, - 0x30, 0x82, 0x01, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x82, 0x01, - 0x53, 0x30, 0x82, 0x01, 0x4f, 0x30, 0x82, 0x01, 0x4b, 0xa0, 0x82, 0x01, - 0x47, 0xa0, 0x82, 0x01, 0x43, 0x86, 0x81, 0xbc, 0x6c, 0x64, 0x61, 0x70, - 0x3a, 0x2f, 0x2f, 0x2f, 0x43, 0x4e, 0x3d, 0x71, 0x61, 0x73, 0x72, 0x76, - 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, - 0x63, 0x6f, 0x6d, 0x2c, 0x43, 0x4e, 0x3d, 0x71, 0x61, 0x73, 0x72, 0x76, - 0x31, 0x30, 0x2c, 0x43, 0x4e, 0x3d, 0x43, 0x44, 0x50, 0x2c, 0x43, 0x4e, - 0x3d, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x25, 0x32, 0x30, 0x4b, 0x65, - 0x79, 0x25, 0x32, 0x30, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, - 0x2c, 0x43, 0x4e, 0x3d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, - 0x2c, 0x43, 0x4e, 0x3d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x44, 0x43, 0x3d, 0x69, 0x76, 0x70, - 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2c, 0x44, 0x43, 0x3d, 0x63, 0x6f, 0x6d, - 0x3f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x52, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4c, 0x69, - 0x73, 0x74, 0x3f, 0x62, 0x61, 0x73, 0x65, 0x3f, 0x6f, 0x62, 0x6a, 0x65, - 0x63, 0x74, 
0x43, 0x6c, 0x61, 0x73, 0x73, 0x3d, 0x63, 0x52, 0x4c, 0x44, - 0x69, 0x73, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x50, - 0x6f, 0x69, 0x6e, 0x74, 0x86, 0x3f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, - 0x2f, 0x71, 0x61, 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, - 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43, 0x65, - 0x72, 0x74, 0x45, 0x6e, 0x72, 0x6f, 0x6c, 0x6c, 0x2f, 0x71, 0x61, 0x73, - 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x72, 0x6c, 0x86, 0x41, 0x66, - 0x69, 0x6c, 0x65, 0x3a, 0x2f, 0x2f, 0x5c, 0x5c, 0x71, 0x61, 0x73, 0x72, - 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, - 0x2e, 0x63, 0x6f, 0x6d, 0x5c, 0x43, 0x65, 0x72, 0x74, 0x45, 0x6e, 0x72, - 0x6f, 0x6c, 0x6c, 0x5c, 0x71, 0x61, 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, - 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, - 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x82, 0x01, 0x8f, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x82, 0x01, 0x81, 0x30, 0x82, - 0x01, 0x7d, 0x30, 0x81, 0xb4, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, - 0x07, 0x30, 0x01, 0x86, 0x81, 0xa7, 0x6c, 0x64, 0x61, 0x70, 0x3a, 0x2f, - 0x2f, 0x2f, 0x43, 0x4e, 0x3d, 0x71, 0x61, 0x73, 0x72, 0x76, 0x31, 0x30, - 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, - 0x6d, 0x2c, 0x43, 0x4e, 0x3d, 0x41, 0x49, 0x41, 0x2c, 0x43, 0x4e, 0x3d, - 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x25, 0x32, 0x30, 0x4b, 0x65, 0x79, - 0x25, 0x32, 0x30, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2c, - 0x43, 0x4e, 0x3d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2c, - 0x43, 0x4e, 0x3d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x44, 0x43, 0x3d, 0x69, 0x76, 0x70, 0x6e, - 0x74, 0x65, 0x73, 0x74, 0x2c, 0x44, 0x43, 0x3d, 0x63, 0x6f, 0x6d, 0x3f, - 0x63, 0x41, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x3f, 
0x62, 0x61, 0x73, 0x65, 0x3f, 0x6f, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x3d, 0x63, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, - 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x54, 0x68, 0x74, 0x74, 0x70, 0x3a, - 0x2f, 0x2f, 0x71, 0x61, 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, - 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43, - 0x65, 0x72, 0x74, 0x45, 0x6e, 0x72, 0x6f, 0x6c, 0x6c, 0x2f, 0x71, 0x61, - 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, - 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x5f, 0x71, 0x61, 0x73, 0x72, 0x76, - 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, - 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x62, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x56, 0x66, 0x69, 0x6c, - 0x65, 0x3a, 0x2f, 0x2f, 0x5c, 0x5c, 0x71, 0x61, 0x73, 0x72, 0x76, 0x31, - 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, - 0x6f, 0x6d, 0x5c, 0x43, 0x65, 0x72, 0x74, 0x45, 0x6e, 0x72, 0x6f, 0x6c, - 0x6c, 0x5c, 0x71, 0x61, 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, - 0x70, 0x6e, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x5f, 0x71, - 0x61, 0x73, 0x72, 0x76, 0x31, 0x30, 0x2e, 0x69, 0x76, 0x70, 0x6e, 0x74, - 0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x72, 0x74, 0x30, - 0x3f, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, - 0x04, 0x32, 0x1e, 0x30, 0x00, 0x49, 0x00, 0x50, 0x00, 0x53, 0x00, 0x45, - 0x00, 0x43, 0x00, 0x49, 0x00, 0x6e, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72, - 0x00, 0x6d, 0x00, 0x65, 0x00, 0x64, 0x00, 0x69, 0x00, 0x61, 0x00, 0x74, - 0x00, 0x65, 0x00, 0x4f, 0x00, 0x66, 0x00, 0x66, 0x00, 0x6c, 0x00, 0x69, - 0x00, 0x6e, 0x00, 0x65, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, - 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x04, 
0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x13, 0x06, 0x03, 0x55, - 0x1d, 0x25, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x08, 0x02, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, - 0x50, 0x59, 0x35, 0x26, 0x1b, 0x1b, 0x60, 0x29, 0x39, 0xe1, 0x3d, 0xc5, - 0xdc, 0xe7, 0xcd, 0x8c, 0xbb, 0x7b, 0x86, 0xad, 0x82, 0xc2, 0xb3, 0xea, - 0xdb, 0xd9, 0xe0, 0x8b, 0x40, 0x7b, 0x7e, 0xe1, 0xe9, 0xbe, 0x4d, 0x9a, - 0x42, 0xda, 0xb3, 0x4c, 0x13, 0x08, 0x84, 0x10, 0x0f, 0x01, 0xb0, 0x13, - 0x89, 0xd6, 0xf0, 0xc6, 0xb8, 0x6e, 0x77, 0xbc, 0x48, 0x49, 0xf2, 0x25, - 0xc1, 0x89, 0x62, 0xe8, 0xd9, 0x4e, 0xd7, 0xa9, 0x4b, 0x53, 0xd6, 0x6a, - 0x45, 0x7a, 0x74, 0xc1, 0x92, 0x95, 0x74, 0x32, 0xea, 0xee, 0xfb, 0x0e, - 0x87, 0x10, 0xce, 0x79, 0x96, 0x84, 0x41, 0x7e, 0x8f, 0x3f, 0x60, 0xff, - 0xe4, 0x23, 0xb5, 0xc4, 0x91, 0x99, 0x5b, 0x90, 0x12, 0x88, 0xc3, 0x6a, - 0x0e, 0x99, 0x35, 0xd6, 0x28, 0x62, 0x9f, 0x9c, 0xf0, 0xb3, 0x35, 0x0a, - 0x8c, 0xb1, 0x01, 0x76, 0x64, 0xa8, 0x30, 0x3d, 0x09, 0x22, 0x06, 0xab, - 0x8e, 0xba, 0x55, 0x64, 0xd6, 0x91, 0x7c, 0x01, 0xb9, 0xaa, 0xc5, 0x56, - 0x85, 0xa3, 0xd7, 0x7c, 0xd6, 0x1a, 0x5d, 0x45, 0xee, 0x40, 0x82, 0x06, - 0x03, 0xa2, 0x25, 0x02, 0x67, 0x24, 0xd0, 0x4c, 0xe3, 0xc5, 0x49, 0xb5, - 0xa7, 0xe8, 0xb4, 0x4d, 0x0e, 0xe8, 0x4c, 0x76, 0xb9, 0xe5, 0xc4, 0x7c, - 0xfc, 0x35, 0x5c, 0xe3, 0x62, 0xe2, 0x42, 0x36, 0xe9, 0xb5, 0x5f, 0xec, - 0x50, 0xde, 0x61, 0x6e, 0x76, 0x9d, 0xe7, 0x5a, 0x4f, 0xa5, 0x45, 0x51, - 0x41, 0xd3, 0xbb, 0x8d, 0x72, 0x51, 0xc7, 0xfb, 0x99, 0x2c, 0x52, 0x15, - 0xa0, 0xde, 0xa9, 0xd0, 0xbc, 0x66, 0x7a, 0x81, 0x99, 0x5c, 0xd4, 0x52, - 0x75, 0x0a, 0x80, 0x3c, 0xa9, 0x0c, 0x91, 0x51, 0x73, 0xf1, 0x97, 0xdd, - 0xe4, 0xbb, 0xaa, 0x5b, 0x0d, 0xfe, 0xfb, 0xff, 0xed, 0xb8, 0x71, 0x3d, - 0xbc, 0x7b, 0x70, 0xaf -}; -unsigned int vpn3000_id_cer_len = 1672; - - -unsigned char wifiuser_certificate[1305]={ 
-0x30,0x82,0x05,0x15,0x30,0x82,0x03,0xFD,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x05, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x23,0x31,0x21,0x30,0x1F,0x06,0x03,0x55,0x04,0x03,0x13,0x18,0x57,0x69,0x46,0x69, -0x2D,0x49,0x6E,0x74,0x65,0x72,0x6D,0x65,0x64,0x69,0x61,0x74,0x65,0x2D,0x43,0x41, -0x2D,0x73,0x74,0x61,0x30,0x1E,0x17,0x0D,0x30,0x35,0x30,0x31,0x30,0x31,0x30,0x30, -0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x32,0x35,0x30,0x31,0x30,0x31,0x30,0x30,0x30, -0x30,0x30,0x30,0x5A,0x30,0x55,0x31,0x15,0x30,0x13,0x06,0x0A,0x09,0x92,0x26,0x89, -0x93,0xF2,0x2C,0x64,0x01,0x19,0x16,0x05,0x6C,0x6F,0x63,0x61,0x6C,0x31,0x18,0x30, -0x16,0x06,0x0A,0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,0x16,0x08,0x77, -0x69,0x66,0x69,0x6C,0x61,0x62,0x73,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x03, -0x13,0x05,0x55,0x73,0x65,0x72,0x73,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03, -0x13,0x09,0x77,0x69,0x66,0x69,0x2D,0x75,0x73,0x65,0x72,0x30,0x82,0x01,0x22,0x30, -0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82, -0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xCC,0xF6,0xF1,0xD9, -0x2E,0xFE,0xC6,0x50,0xB4,0x8F,0x1E,0x44,0xBF,0x93,0x87,0xDF,0x92,0xB2,0x5E,0xDF, -0x31,0xEF,0x4B,0x40,0x9D,0x20,0xC4,0x88,0x7B,0x4D,0x96,0x60,0x38,0x26,0xCA,0x45, -0xA4,0x2E,0xCF,0x99,0x02,0x89,0x37,0x2E,0xAB,0x5D,0x73,0x6C,0x17,0xC8,0x8A,0x2A, -0xE2,0xC1,0x9D,0xB3,0x9E,0xBE,0x8A,0xDB,0xFD,0x04,0x34,0x3E,0x08,0x44,0x1B,0x0F, -0xFE,0xB6,0xA0,0x0F,0xE1,0x51,0xD8,0x68,0x27,0x6A,0xFC,0xBE,0x8B,0x95,0xF5,0xD9, -0x05,0x3E,0x47,0xDD,0x01,0xD3,0x84,0x17,0x07,0xEB,0x0D,0xA6,0x3D,0xC6,0xF2,0xD7, -0xE4,0x7D,0xCB,0x9F,0xE8,0xF1,0x3B,0x03,0x72,0xFC,0x70,0x38,0x9B,0x7F,0x00,0xB3, -0xAF,0xD8,0x4F,0x26,0x70,0xAC,0x4D,0xC6,0x72,0x91,0x9A,0xDF,0x1D,0x43,0xD5,0x22, -0xE1,0x7E,0x70,0x47,0x74,0xF2,0x51,0x1E,0x20,0x95,0xB5,0x5E,0xAC,0xDD,0x10,0x75, -0x72,0xDB,0x16,0x1B,0x10,0xE4,0x40,0xF0,0xE3,0x86,0xCC,0xF0,0x35,0xB9,0x36,0x86, 
-0x5A,0x2F,0xD0,0xB3,0x12,0xDA,0x8F,0x50,0x61,0xB4,0xC7,0x40,0xBF,0xEC,0x81,0x83, -0xAA,0x7A,0x69,0xD3,0x8C,0x9D,0xAF,0x0D,0xD5,0x0A,0x70,0xB5,0x35,0xB4,0xBE,0xD6, -0xEF,0xEA,0x25,0x2F,0xDB,0x99,0x34,0xA4,0x04,0x09,0x50,0xF5,0x4B,0xEA,0xFD,0x18, -0x55,0x16,0x2D,0x9E,0x23,0xE2,0xF7,0xBA,0xD7,0x12,0x92,0x30,0xC1,0xDB,0xE5,0x0E, -0x53,0x58,0xC7,0x0C,0x0C,0x55,0xF4,0x64,0x42,0xAE,0x9A,0x7A,0x4F,0x0F,0x22,0xC3, -0x44,0xF7,0xAF,0xF7,0x69,0x76,0xCF,0xFC,0xE0,0xBB,0xE9,0x33,0x02,0x03,0x01,0x00, -0x01,0xA3,0x82,0x02,0x20,0x30,0x82,0x02,0x1C,0x30,0x3F,0x06,0x03,0x55,0x1D,0x23, -0x04,0x38,0x30,0x36,0x80,0x14,0xB0,0x8C,0xE2,0xB2,0xC1,0x86,0xFC,0x56,0x61,0x78, -0xBF,0x1F,0x06,0xD5,0xF3,0x11,0x92,0xB1,0x38,0x00,0xA1,0x1B,0xA4,0x19,0x30,0x17, -0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0C,0x57,0x69,0x46,0x69,0x2D, -0x52,0x6F,0x6F,0x74,0x2D,0x43,0x41,0x82,0x01,0x03,0x30,0x42,0x06,0x09,0x60,0x86, -0x48,0x01,0x86,0xF8,0x42,0x01,0x04,0x04,0x35,0x16,0x33,0x68,0x74,0x74,0x70,0x3A, -0x2F,0x2F,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x77,0x69,0x66,0x69,0x6C,0x61,0x62, -0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x63,0x61,0x2F,0x63,0x72,0x6C,0x2F,0x77, -0x69,0x66,0x69,0x69,0x6D,0x63,0x61,0x73,0x74,0x61,0x2E,0x63,0x72,0x6C,0x30,0x44, -0x06,0x03,0x55,0x1D,0x1F,0x04,0x3D,0x30,0x3B,0x30,0x39,0xA0,0x37,0xA0,0x35,0x86, -0x33,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x77, -0x69,0x66,0x69,0x6C,0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x63,0x61, -0x2F,0x63,0x72,0x6C,0x2F,0x77,0x69,0x66,0x69,0x69,0x6D,0x63,0x61,0x73,0x74,0x61, -0x2E,0x63,0x72,0x6C,0x30,0x4E,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01, -0x04,0x42,0x30,0x40,0x30,0x3E,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02, -0x86,0x32,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x65,0x72,0x76,0x65,0x72,0x2E, -0x77,0x69,0x66,0x69,0x6C,0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x63, -0x61,0x2F,0x63,0x61,0x2F,0x77,0x69,0x66,0x69,0x69,0x6D,0x63,0x61,0x73,0x74,0x61, 
-0x2E,0x63,0x72,0x74,0x30,0x20,0x06,0x03,0x55,0x1D,0x12,0x04,0x19,0x30,0x17,0x82, -0x15,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x77,0x69,0x66,0x69,0x6C,0x61,0x62,0x73, -0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x33,0x06,0x03,0x55,0x1D,0x11,0x04,0x2C,0x30, -0x2A,0xA0,0x28,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,0xA0, -0x1A,0x0C,0x18,0x77,0x69,0x66,0x69,0x2D,0x75,0x73,0x65,0x72,0x40,0x77,0x69,0x66, -0x69,0x6C,0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x0B,0x06,0x03,0x55, -0x1D,0x0F,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04, -0x16,0x04,0x14,0x0B,0xC1,0x85,0x9B,0x11,0xBC,0xE9,0x6A,0xC0,0x4E,0x08,0xB3,0x87, -0xBC,0x29,0xAF,0x35,0x6E,0x58,0x23,0x30,0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16, -0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x06,0x08,0x2B,0x06, -0x01,0x05,0x05,0x07,0x03,0x04,0x30,0x44,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, -0x01,0x09,0x0F,0x04,0x37,0x30,0x35,0x30,0x0E,0x06,0x08,0x2A,0x86,0x48,0x86,0xF7, -0x0D,0x03,0x02,0x02,0x02,0x00,0x80,0x30,0x0E,0x06,0x08,0x2A,0x86,0x48,0x86,0xF7, -0x0D,0x03,0x04,0x02,0x02,0x00,0x80,0x30,0x07,0x06,0x05,0x2B,0x0E,0x03,0x02,0x07, -0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x07,0x30,0x17,0x06,0x09, -0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x04,0x0A,0x1E,0x08,0x00,0x55,0x00, -0x73,0x00,0x65,0x00,0x72,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, -0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x0F,0x18,0x23,0xE5,0x68,0x76,0x00, -0x79,0xF0,0xE6,0xC1,0xA1,0x47,0x26,0xE0,0x7B,0xF9,0x5A,0x6A,0x8A,0xFA,0xD2,0x90, -0x52,0x3D,0x98,0x86,0x5A,0x43,0x4B,0xE7,0x6C,0x07,0x73,0x43,0x9E,0x8C,0x6C,0xA7, -0xA5,0x92,0x28,0xE8,0x4B,0xB9,0xE9,0x86,0x9A,0xB9,0xDA,0x9C,0xF4,0x54,0x38,0x13, -0xC8,0xA1,0xAF,0x5A,0xCD,0xCB,0x92,0x62,0xEF,0x45,0xC5,0x57,0x58,0xE6,0xC2,0x8E, -0xFC,0xC2,0x84,0xC7,0xF8,0xB9,0xF0,0x90,0x45,0xA4,0x04,0x29,0x61,0xC4,0x79,0xD8, -0xCB,0xD3,0xE8,0xF0,0x19,0x9A,0x72,0x38,0xCA,0xAF,0x71,0xF8,0xF7,0x96,0x5E,0xCD, 
-0x4D,0x64,0x35,0x97,0x67,0xE2,0x96,0x01,0xF0,0x36,0x5E,0xD6,0x5D,0xCC,0x7B,0x03, -0x3C,0xDE,0x67,0xAD,0x44,0x75,0x86,0xEE,0x1C,0x21,0x11,0xFE,0xF0,0x44,0xBC,0x89, -0xC4,0x0C,0x20,0x27,0x36,0x54,0x03,0x93,0xC1,0x57,0xA9,0x1C,0xAA,0x6B,0x80,0xDF, -0x43,0xCA,0xC7,0x3F,0x7D,0xAB,0xD6,0x52,0x8F,0xC2,0x04,0xDC,0x08,0x45,0xD5,0x9F, -0xEC,0xBD,0x70,0x18,0xA6,0xFA,0xA6,0xED,0x5B,0x66,0x70,0xFC,0xB0,0x31,0xE9,0x3D, -0xDB,0x62,0xCC,0xDE,0xF6,0x91,0xD6,0x10,0xCC,0x3D,0x7D,0x2C,0x46,0x08,0xF8,0x1F, -0x56,0x35,0x26,0xAA,0x92,0x54,0x5E,0xDC,0xA0,0x0F,0x06,0xB8,0xFC,0xE6,0x38,0xF0, -0xAA,0x60,0x96,0xF7,0xAD,0xC0,0xA1,0x86,0x83,0x8C,0xCD,0x6C,0x30,0xB9,0xB9,0xC1, -0xBB,0x29,0x8F,0xE4,0x0F,0x75,0xC6,0xFD,0x81,0xDF,0x7E,0xEE,0x25,0x7A,0x76,0x9B, -0x80,0x42,0xD4,0xF4,0x3B,0xC9,0x21,0x3D,0x7E, -}; - -unsigned char wifiimcasta_certificate[1115]={ -0x30,0x82,0x04,0x57,0x30,0x82,0x03,0x3F,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x03, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x17,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0C,0x57,0x69,0x46,0x69, -0x2D,0x52,0x6F,0x6F,0x74,0x2D,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x35,0x30,0x31, -0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x32,0x35,0x30,0x31,0x30, -0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x30,0x23,0x31,0x21,0x30,0x1F,0x06,0x03, -0x55,0x04,0x03,0x13,0x18,0x57,0x69,0x46,0x69,0x2D,0x49,0x6E,0x74,0x65,0x72,0x6D, -0x65,0x64,0x69,0x61,0x74,0x65,0x2D,0x43,0x41,0x2D,0x73,0x74,0x61,0x30,0x82,0x01, -0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, -0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xA2,0xFE, -0x9E,0x00,0xB0,0x65,0x7D,0x76,0x44,0xE6,0x0A,0x33,0xD0,0xF2,0xF2,0xC0,0xEE,0xF7, -0x40,0x21,0x45,0x00,0xBC,0xCA,0x4F,0x51,0x0D,0xA4,0xAA,0x1E,0xF1,0x37,0xCD,0x9C, -0xE3,0xFE,0x31,0xBE,0xD5,0x64,0x48,0x31,0xEC,0x4D,0x38,0x19,0x31,0x63,0x5C,0xFB, -0x0C,0x46,0xB7,0x42,0xFE,0xE5,0x78,0x08,0xE5,0xEB,0xC9,0xC7,0xA6,0x52,0x0D,0x62, 
-0xA2,0x06,0xD1,0x11,0x4E,0xE7,0x49,0x5B,0xC2,0xA7,0xB9,0x2F,0x43,0xF6,0xE0,0xFB, -0xBE,0x4D,0xE9,0x31,0x18,0x55,0xA8,0x73,0x0C,0x25,0xD5,0xED,0x66,0x4D,0xC3,0xED, -0x6B,0x71,0x74,0xEF,0xB4,0x51,0x90,0x32,0x5A,0x83,0xB9,0x6E,0x48,0x9F,0x0E,0xD4, -0x21,0xC8,0x89,0x60,0x50,0xB9,0xAC,0x28,0x06,0xE3,0xAA,0x36,0xA9,0x16,0x92,0x4E, -0xD3,0x2A,0x06,0xAE,0x3D,0x8B,0x1A,0x92,0x00,0x99,0x49,0x3E,0x95,0x29,0x56,0x9F, -0x5B,0x45,0x93,0x90,0xAD,0xDA,0x3E,0x41,0x0F,0x03,0xE5,0x81,0x22,0x53,0x52,0x4B, -0x7F,0x42,0x98,0xBB,0x62,0x1E,0xE9,0xF6,0x5D,0xE4,0xCF,0x69,0x5D,0x5C,0x10,0x9F, -0x27,0x73,0xB8,0xEE,0xDA,0xF6,0xCC,0x43,0x56,0xD3,0x22,0x29,0x1A,0x7E,0xE5,0x8A, -0xB7,0x41,0xCF,0xC8,0x94,0x00,0x31,0x34,0x89,0x2A,0x6B,0x27,0x35,0x9B,0x16,0xBE, -0xFF,0x54,0x12,0xEA,0x18,0xC2,0x97,0x3A,0xE8,0xE1,0x67,0xBD,0x02,0x09,0x34,0x4C, -0x58,0xB8,0x79,0xDE,0x1A,0xDB,0x13,0x5C,0x50,0x61,0x91,0x93,0x65,0x26,0x4D,0x1F, -0x11,0x63,0x1B,0x28,0x6B,0x45,0x9A,0xBB,0x06,0xE1,0x4C,0x21,0x49,0x37,0x02,0x03, -0x01,0x00,0x01,0xA3,0x82,0x01,0xA0,0x30,0x82,0x01,0x9C,0x30,0x3F,0x06,0x03,0x55, -0x1D,0x23,0x04,0x38,0x30,0x36,0x80,0x14,0xD7,0x1D,0x74,0xC8,0xD6,0x6A,0x94,0x8C, -0x10,0xCF,0x05,0x4F,0xE3,0x96,0xA6,0xD6,0xCF,0xB2,0x62,0xF3,0xA1,0x1B,0xA4,0x19, -0x30,0x17,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0C,0x57,0x69,0x46, -0x69,0x2D,0x52,0x6F,0x6F,0x74,0x2D,0x43,0x41,0x82,0x01,0x01,0x30,0x41,0x06,0x09, -0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x04,0x04,0x34,0x16,0x32,0x68,0x74,0x74, -0x70,0x3A,0x2F,0x2F,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x77,0x69,0x66,0x69,0x6C, -0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x63,0x61,0x2F,0x63,0x72,0x6C, -0x2F,0x77,0x69,0x66,0x69,0x72,0x6F,0x6F,0x74,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30, -0x43,0x06,0x03,0x55,0x1D,0x1F,0x04,0x3C,0x30,0x3A,0x30,0x38,0xA0,0x36,0xA0,0x34, -0x86,0x32,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x65,0x72,0x76,0x65,0x72,0x2E, -0x77,0x69,0x66,0x69,0x6C,0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x63, 
-0x61,0x2F,0x63,0x72,0x6C,0x2F,0x77,0x69,0x66,0x69,0x72,0x6F,0x6F,0x74,0x63,0x61, -0x2E,0x63,0x72,0x6C,0x30,0x4D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01, -0x04,0x41,0x30,0x3F,0x30,0x3D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02, -0x86,0x31,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x65,0x72,0x76,0x65,0x72,0x2E, -0x77,0x69,0x66,0x69,0x6C,0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x63, -0x61,0x2F,0x63,0x61,0x2F,0x77,0x69,0x66,0x69,0x72,0x6F,0x6F,0x74,0x63,0x61,0x2E, -0x63,0x72,0x74,0x30,0x20,0x06,0x03,0x55,0x1D,0x12,0x04,0x19,0x30,0x17,0x82,0x15, -0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x77,0x69,0x66,0x69,0x6C,0x61,0x62,0x73,0x2E, -0x6C,0x6F,0x63,0x61,0x6C,0x30,0x20,0x06,0x03,0x55,0x1D,0x11,0x04,0x19,0x30,0x17, -0x82,0x15,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x77,0x69,0x66,0x69,0x6C,0x61,0x62, -0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01, -0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, -0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x86,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04, -0x16,0x04,0x14,0xB0,0x8C,0xE2,0xB2,0xC1,0x86,0xFC,0x56,0x61,0x78,0xBF,0x1F,0x06, -0xD5,0xF3,0x11,0x92,0xB1,0x38,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, -0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x94,0xF0,0xD6,0x8C,0x0A, -0xDE,0x10,0xD0,0x7D,0xA5,0xB0,0xDE,0xFD,0x8D,0x1E,0xCB,0x8A,0xEC,0x60,0x66,0x74, -0x22,0x31,0xB1,0x78,0xAD,0x0E,0x02,0x53,0x99,0xC6,0x75,0x10,0x65,0x60,0x59,0x57, -0x60,0x76,0xE5,0x87,0x58,0x82,0xB4,0x6F,0xB6,0x11,0xB9,0x6D,0x9D,0x09,0x7F,0x55, -0x20,0x28,0xA4,0x69,0x45,0x11,0x4A,0x9E,0x6D,0x38,0xD4,0x6B,0x26,0xBA,0x05,0xDA, -0x4C,0x12,0xE3,0x40,0x86,0xDD,0x7F,0x4B,0xC7,0xF1,0xB7,0xF4,0xAE,0xE1,0xC5,0xB9, -0x3B,0x4B,0x8A,0x64,0x91,0x57,0x1A,0xF1,0x9E,0x55,0x56,0x16,0xCE,0x3F,0xD1,0xD8, -0x29,0x4A,0xC2,0x81,0x9A,0xEE,0x92,0xC8,0x3C,0x43,0x85,0xAA,0x2D,0x5B,0x2F,0x9C, -0x68,0x00,0xD7,0x56,0xF4,0xFE,0x85,0x5F,0xF2,0x45,0x9A,0xB9,0x27,0x19,0x78,0x58, 
-0x79,0x3C,0xDB,0x53,0x6B,0x45,0x94,0xF2,0x22,0x09,0xE0,0xF5,0xC3,0xFF,0xBC,0x3D, -0xED,0x41,0x33,0x63,0xE5,0x3B,0x4C,0xE2,0x51,0xD2,0x1D,0xFA,0xFC,0xD1,0xA2,0x96, -0xEE,0x57,0x4F,0x08,0xDC,0x31,0xEB,0x1F,0x9D,0xBD,0x9F,0x4C,0x75,0xC0,0xCD,0x4F, -0x79,0x1F,0x7C,0x5B,0x6A,0x61,0x5C,0xE7,0x54,0xF3,0xBF,0xB4,0xE7,0xE9,0xE4,0x01, -0xEE,0x4E,0x1A,0x0F,0x9A,0xC0,0x22,0x72,0xB0,0x37,0x9C,0x51,0xE6,0x2F,0x51,0x64, -0xEC,0xDF,0x80,0x6F,0xD9,0x08,0x5B,0x58,0xAC,0xDD,0x32,0xF4,0xA6,0x2F,0x4D,0x18, -0x1D,0x92,0x5E,0x2E,0x16,0xAF,0x76,0xF6,0x4D,0x2F,0xE7,0x13,0xFA,0x76,0xA7,0x22, -0x57,0x4C,0xE5,0x01,0x53,0x69,0x0B,0xF9,0x34,0xBA,0xB5, -}; - -unsigned char wifirootca_certificate[1038]={ -0x30,0x82,0x04,0x0A,0x30,0x82,0x02,0xF2,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x17,0x31,0x15,0x30,0x13,0x06,0x03,0x55,0x04,0x03,0x13,0x0C,0x57,0x69,0x46,0x69, -0x2D,0x52,0x6F,0x6F,0x74,0x2D,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x35,0x30,0x31, -0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x32,0x35,0x30,0x31,0x30, -0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x30,0x17,0x31,0x15,0x30,0x13,0x06,0x03, -0x55,0x04,0x03,0x13,0x0C,0x57,0x69,0x46,0x69,0x2D,0x52,0x6F,0x6F,0x74,0x2D,0x43, -0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, -0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01, -0x01,0x00,0xB9,0xE7,0x9B,0x04,0x54,0x53,0x99,0x0B,0xB6,0x6D,0x50,0x97,0xC8,0x42, -0x36,0x82,0xE0,0x93,0xA4,0x51,0xB7,0x7E,0x9E,0x6A,0xDC,0x22,0x3D,0x39,0xDA,0x5C, -0xD0,0xA2,0x29,0x51,0x8F,0xE1,0x36,0xA3,0x45,0x07,0xCC,0x9C,0x24,0xC9,0xD3,0x5B, -0xBC,0x34,0x83,0xEB,0xFD,0xE2,0x79,0xD6,0x70,0x11,0x16,0x9E,0xDA,0x83,0xC0,0xFE, -0x70,0x98,0x2F,0xDB,0x0E,0x9D,0x00,0xA9,0x7C,0x99,0xBA,0xBB,0xC4,0xDB,0x4A,0xE2, -0xEE,0x46,0xAC,0xA5,0x35,0x1B,0xC2,0xBD,0xF0,0xE0,0x6A,0x77,0x29,0x34,0x6E,0x6D, -0x5F,0x51,0xDE,0x67,0xFD,0x27,0xF1,0x50,0x02,0xBF,0xE9,0x1B,0x95,0x2E,0x99,0x0B, 
-0xB3,0x4D,0x7C,0xBC,0x5E,0x4B,0x29,0x5D,0x52,0xE3,0x14,0xDE,0xD3,0x6D,0xFA,0xB4, -0x07,0x6C,0xB7,0x83,0xE7,0x5A,0xB3,0x51,0xC6,0x73,0xA6,0x96,0xEB,0x97,0x2F,0xBA, -0x04,0xF0,0xF2,0xEB,0xEE,0xC0,0xB8,0x95,0x29,0x98,0xCA,0xAF,0x8B,0xC9,0x27,0xAD, -0x22,0x93,0x17,0x9C,0x88,0x51,0x79,0x90,0x31,0xCB,0x9F,0x98,0x47,0xB6,0x5C,0x03, -0xD1,0x0F,0x98,0xBF,0xEA,0x32,0x97,0x65,0xD3,0x54,0xD5,0x71,0x0B,0x52,0x7F,0x55, -0xA7,0x88,0xB1,0x0B,0x04,0xD5,0x84,0x71,0xA7,0x62,0x28,0x53,0xBB,0x33,0xBE,0x11, -0xFD,0x98,0x7D,0x3A,0x03,0x98,0x17,0x73,0xB7,0xD6,0xDE,0x02,0x57,0x47,0x39,0x9D, -0x0C,0x26,0x17,0xAA,0x33,0x42,0x44,0x5A,0xB0,0x0D,0x8F,0x1A,0xF7,0xBF,0x18,0xBF, -0x2D,0x32,0x2A,0x32,0x0C,0x4C,0xBA,0xC9,0xEA,0xA9,0x2E,0x07,0xBE,0x4C,0xD2,0xC4, -0x59,0xF7,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0x5F,0x30,0x82,0x01,0x5B,0x30, -0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF, -0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x86, -0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD7,0x1D,0x74,0xC8,0xD6, -0x6A,0x94,0x8C,0x10,0xCF,0x05,0x4F,0xE3,0x96,0xA6,0xD6,0xCF,0xB2,0x62,0xF3,0x30, -0x41,0x06,0x09,0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x04,0x04,0x34,0x16,0x32, -0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x77,0x69, -0x66,0x69,0x6C,0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x63,0x61,0x2F, -0x63,0x72,0x6C,0x2F,0x77,0x69,0x66,0x69,0x72,0x6F,0x6F,0x74,0x63,0x61,0x2E,0x63, -0x72,0x6C,0x30,0x43,0x06,0x03,0x55,0x1D,0x1F,0x04,0x3C,0x30,0x3A,0x30,0x38,0xA0, -0x36,0xA0,0x34,0x86,0x32,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x65,0x72,0x76, -0x65,0x72,0x2E,0x77,0x69,0x66,0x69,0x6C,0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61, -0x6C,0x2F,0x63,0x61,0x2F,0x63,0x72,0x6C,0x2F,0x77,0x69,0x66,0x69,0x72,0x6F,0x6F, -0x74,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x4D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, -0x07,0x01,0x01,0x04,0x41,0x30,0x3F,0x30,0x3D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, 
-0x07,0x30,0x02,0x86,0x31,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x65,0x72,0x76, -0x65,0x72,0x2E,0x77,0x69,0x66,0x69,0x6C,0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61, -0x6C,0x2F,0x63,0x61,0x2F,0x63,0x61,0x2F,0x77,0x69,0x66,0x69,0x72,0x6F,0x6F,0x74, -0x63,0x61,0x2E,0x63,0x72,0x74,0x30,0x20,0x06,0x03,0x55,0x1D,0x12,0x04,0x19,0x30, -0x17,0x82,0x15,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x77,0x69,0x66,0x69,0x6C,0x61, -0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x20,0x06,0x03,0x55,0x1D,0x11,0x04, -0x19,0x30,0x17,0x82,0x15,0x73,0x65,0x72,0x76,0x65,0x72,0x2E,0x77,0x69,0x66,0x69, -0x6C,0x61,0x62,0x73,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86, -0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x91,0x75, -0x35,0x21,0xF9,0x64,0xDD,0xF8,0xB1,0x73,0xDF,0x64,0x19,0x50,0xF6,0xC9,0xDD,0x06, -0xFE,0xF9,0x24,0xEE,0xED,0x9B,0x1D,0x4F,0xDA,0x76,0x07,0xFC,0xDB,0x87,0x20,0x13, -0xB6,0xC7,0x08,0x25,0x9A,0x08,0x73,0x32,0xD6,0xB6,0xD6,0xE4,0xC7,0x00,0x88,0xD2, -0x60,0x7D,0x85,0x4E,0x83,0xE6,0x9E,0xD1,0x75,0x6C,0xA8,0x76,0x96,0x1B,0x92,0x17, -0x99,0x15,0x85,0x6F,0x27,0x6C,0xAE,0x48,0xA1,0x31,0xD2,0x34,0xDA,0x90,0xEA,0xB8, -0xB0,0x30,0x85,0xCB,0xA2,0xC2,0xC0,0x8E,0xBB,0x45,0x31,0x35,0xDA,0x78,0x14,0xD1, -0x4A,0x36,0x4D,0x97,0xBF,0x33,0x1A,0xC5,0xE6,0xDA,0x8A,0x9E,0x15,0xC2,0x87,0xD1, -0x84,0x31,0xEB,0xBD,0xB8,0x04,0xF6,0x97,0xFA,0x38,0xA6,0x52,0x34,0xB3,0x1E,0xCD, -0x1B,0xFB,0xC2,0x3E,0x4C,0x2F,0xCA,0x0A,0x60,0x97,0x74,0xD0,0x91,0x0C,0xA0,0x98, -0xE8,0x17,0x63,0x27,0x3B,0x72,0xA0,0x07,0xB0,0x2F,0x6F,0x3A,0x00,0xAF,0xD7,0x4C, -0xDB,0x37,0x9C,0xB5,0x1E,0x67,0xB5,0x81,0x5E,0xC9,0xB9,0xC1,0x7B,0xE0,0xC6,0xB5, -0x02,0x8C,0xD6,0x6D,0xD4,0x00,0x0B,0x57,0x7E,0xF7,0x99,0x50,0xD4,0x83,0xBC,0x8F, -0xF4,0xEB,0xAD,0x20,0xF4,0x22,0x78,0xAF,0x55,0x2C,0xD2,0xDC,0x55,0xDA,0xEE,0xF2, -0xE7,0x7B,0x24,0x76,0x19,0xB8,0x2E,0x1D,0xDA,0x37,0x18,0xBB,0x85,0x77,0xEF,0xEB, -0x2E,0xB4,0x3E,0xC1,0xE0,0x49,0x67,0xB4,0xA4,0xF9,0xFF,0x9F,0xDC,0x76,0xAC,0x92, 
-0xB4,0x96,0xEC,0xBA,0x36,0x46,0x80,0xCC,0xA4,0xF9,0x89,0x3E,0xF9,0x7D,
-};
-
-/* Test basic add delete update copy matching stuff. */
-static void tests(void)
-{
- SecTrustRef trust;
- SecCertificateRef anchor, leaf;
- SecPolicyRef policy;
- isnt(anchor = SecCertificateCreateWithBytes(NULL, _ca_certificate, sizeof(_ca_certificate)),
- NULL, "create anchor");
- isnt(leaf = SecCertificateCreateWithBytes(NULL, _ipsec_certificate, sizeof(_ipsec_certificate)),
- NULL, "create leaf");
-
- CFArrayRef anchor_certs = CFArrayCreate(NULL, (const void **)&anchor, 1, NULL);
- CFArrayRef leaf_certs = CFArrayCreate(NULL, (const void **)&leaf, 1, NULL);
-
- const void *host[] = { CFSTR("ipsec.apple.com"), CFSTR("17.255.42.1"),
- CFSTR("ipsec2.apple.com"), CFSTR("17.255.42.2"),
- /* CFSTR("user@fqdn.com"), */ NULL };
- CFStringRef *host_value = (CFStringRef*)host;
- while (*host_value) {
- isnt(policy = SecPolicyCreateIPSec(true, *host_value++), NULL, "create ipsec policy instance");
-
- ok_status(SecTrustCreateWithCertificates(leaf_certs, policy, &trust), "create trust for leaf");
-
- CFTimeZoneRef tz = CFTimeZoneCreateWithName(NULL, CFSTR("CET"), true);
- CFDateRef date = CFDateCreateForGregorianMoment(NULL, tz, 2009, 12, 1, 19, 10, 0);
- CFReleaseNull(tz);
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
-
- SecTrustResultType trustResult;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified,
- "trust is kSecTrustResultUnspecified");
-
- is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
-
- CFReleaseNull(trust);
- CFReleaseNull(policy);
- CFReleaseNull(date);
- }
-
- const void *hosts[] = { CFSTR("test.apple.com"), CFSTR("fake.apple.com"), CFSTR("ipsec.apple.com") };
- CFArrayRef valid_hosts = CFArrayCreate(NULL, hosts, array_size(hosts), NULL);
- isnt(policy = SecPolicyCreateEAP(true, valid_hosts), NULL,
"create eap policy instance");
-
- ok_status(SecTrustCreateWithCertificates(leaf_certs, policy, &trust), "create trust for leaf");
-
- CFTimeZoneRef tz = CFTimeZoneCreateWithName(NULL, CFSTR("CET"), true);
- CFDateRef date = CFDateCreateForGregorianMoment(NULL, tz, 2009, 12, 1, 19, 10, 0);
- CFReleaseNull(tz);
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
-
- SecTrustResultType trustResult;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified,
- "trust is kSecTrustResultUnspecified");
-
- CFReleaseNull(trust);
- CFReleaseNull(policy);
- CFReleaseNull(date);
-
- CFReleaseSafe(valid_hosts);
- CFReleaseSafe(leaf_certs);
- CFReleaseSafe(anchor_certs);
- CFReleaseSafe(leaf);
- CFReleaseSafe(anchor);
-
-
- isnt(anchor = SecCertificateCreateWithBytes(NULL, ivpntest_com_root_der, ivpntest_com_root_der_len),
- NULL, "create anchor");
- isnt(leaf = SecCertificateCreateWithBytes(NULL, vpn3000_id_cer, vpn3000_id_cer_len),
- NULL, "create leaf");
-
- anchor_certs = CFArrayCreate(NULL, (const void **)&anchor, 1, NULL);
- leaf_certs = CFArrayCreate(NULL, (const void **)&leaf, 1, NULL);
-
- isnt(policy = SecPolicyCreateIPSec(true, CFSTR("vpn3000.ivpntest.com")), NULL, "create ipsec policy instance");
- ok_status(SecTrustCreateWithCertificates(leaf_certs, policy, &trust), "create trust for leaf");
-
- tz = CFTimeZoneCreateWithName(NULL, CFSTR("CET"), true);
- date = CFDateCreateForGregorianMoment(NULL, tz, 2009, 3, 11, 19, 10, 0);
- CFReleaseNull(tz);
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified,
- "trust is kSecTrustResultUnspecified");
-
- is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
-
- CFReleaseNull(trust);
- CFReleaseNull(policy);
- CFReleaseNull(date);
-
- CFReleaseSafe(leaf_certs);
- CFReleaseSafe(anchor_certs);
- CFReleaseSafe(leaf);
- CFReleaseSafe(anchor);
-
-}
-
-static void testnontrustedcachainbuilder(void) {
- SecCertificateRef user, imcasta, rootca;
- CFMutableArrayRef certs;
- SecPolicyRef policy;
- SecTrustRef trust;
-
- isnt(user = SecCertificateCreateWithBytes(NULL,
- wifiuser_certificate, sizeof(wifiuser_certificate)), NULL,
- "create wifiuser");
- isnt(imcasta = SecCertificateCreateWithBytes(NULL,
- wifiimcasta_certificate, sizeof(wifiimcasta_certificate)), NULL,
- "create wifiimcasta");
- isnt(rootca = SecCertificateCreateWithBytes(NULL,
- wifirootca_certificate, sizeof(wifirootca_certificate)), NULL,
- "create wifirootca");
-
- certs = CFArrayCreateMutable(NULL, 0, NULL);
- CFArrayAppendValue(certs, user);
- CFArrayAppendValue(certs, imcasta);
- CFArrayAppendValue(certs, rootca);
- isnt(policy = SecPolicyCreateEAP(false, NULL), NULL,
- "create eap client cert policy instance");
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
- "create trust with 3 certs");
-
- SecTrustResultType trustResult;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
- "trust is kSecTrustResultRecoverableTrustFailure");
-
- is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
-
- CFReleaseNull(user);
- CFReleaseNull(imcasta);
- CFReleaseNull(rootca);
- CFReleaseNull(certs);
- CFReleaseNull(policy);
- CFReleaseNull(trust);
-}
-
-int si_25_sectrust_ipsec_eap(int argc, char *const *argv)
-{
- plan_tests(53);
-
-
- tests();
- testnontrustedcachainbuilder();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-26-applicationsigning.c b/OSX/sec/Security/Regressions/secitem/si-26-sectrust-copyproperties.c
similarity index 97%
rename from OSX/sec/Security/Regressions/secitem/si-26-applicationsigning.c
rename to OSX/sec/Security/Regressions/secitem/si-26-sectrust-copyproperties.c
index 9e31866c..13a902fa 100644
--- a/OSX/sec/Security/Regressions/secitem/si-26-applicationsigning.c
+++ b/OSX/sec/Security/Regressions/secitem/si-26-sectrust-copyproperties.c
@@ -9,15 +9,15 @@
 #include <Security/SecTrust.h>
 #include <Security/SecTrustPriv.h>
 #include <Security/SecKey.h>
-#include <Security/SecInternal.h>
 #include <CommonCrypto/CommonDigest.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <utilities/SecIOFormat.h>
+#include <utilities/SecCFWrappers.h>
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 /* subject:/CN=iPhone Developer: Katherine Kojima/OU=Core OS Plus Others/O=Core OS Plus Others/C=usa */
 /* issuer :/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority */
@@ -186,6 +186,9 @@ unsigned char wwdr_intermediate_cert[1063]={
 };
 /* TODO: Use the shared version of this function in print_cert.c. */
+#if !TARGET_OS_IPHONE
+__unused
+#endif
 static void print_line(CFStringRef line) {
 UInt8 buf[256];
 CFRange range = { .location = 0 };
@@ -200,6 +203,9 @@ static void print_line(CFStringRef line) {
 fputc('\n', stdout);
 }
+#if !TARGET_OS_IPHONE
+__unused
+#endif
 static void printPlist(CFArrayRef plist, CFIndex indent, CFIndex maxWidth) {
 CFIndex count = CFArrayGetCount(plist);
 CFIndex ix;
@@ -297,6 +303,9 @@ static void printPlist(CFArrayRef plist, CFIndex indent, CFIndex maxWidth) {
 }
 }
+#if !TARGET_OS_IPHONE
+__unused
+#endif
 static CFIndex maxLabelWidth(CFArrayRef plist, CFIndex indent) {
 CFIndex count = CFArrayGetCount(plist);
 CFIndex ix;
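Review bot: The `#if !TARGET_OS_IPHONE` / `__unused` / `#endif` triplet is pasted in front of each print helper (print_line, printPlist and maxLabelWidth in these hunks), which is a lot of preprocessor noise for a warning suppression. As far as I can tell `__unused` is harmless on a function that is called, so writing it unconditionally, e.g. `static void __unused print_line(CFStringRef line) {`, or fencing the whole set of print helpers in one `#if TARGET_OS_IPHONE` region would read better. A one-line comment at the first guard saying why the helpers are iOS-only (presumably the same reason the print block later in the file is guarded) would save the next reader the search. The bodies of print_line, printPlist and maxLabelWidth continue outside these hunks.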
@@ -325,6 +334,9 @@ static CFIndex maxLabelWidth(CFArrayRef plist, CFIndex indent) {
 return maxWidth;
 }
+#if !TARGET_OS_IPHONE
+__unused
+#endif
 static void print_plist(CFArrayRef plist) {
 if (plist)
 printPlist(plist, 0, maxLabelWidth(plist, 0));
@@ -332,6 +344,9 @@ static void print_plist(CFArrayRef plist) {
 printf("NULL plist\n");
 }
+#if !TARGET_OS_IPHONE
+__unused
+#endif
 static void print_cert(SecCertificateRef cert, bool verbose) {
 CFArrayRef plist;
 if (verbose)
@@ -376,17 +391,22 @@ static void tests(void)
 SecTrustResultType trustResult;
 CFArrayRef properties = NULL;
 properties = SecTrustCopyProperties(trust);
+#if TARGET_OS_IPHONE
+ // Note: OS X will trigger the evaluation in order to return the properties.
 is(properties, NULL, "no properties returned before eval");
+#endif
 CFReleaseNull(properties);
 ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
 is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified");
 properties = SecTrustCopyProperties(trust);
+#if TARGET_OS_IPHONE
 if (properties) {
 print_plist(properties);
 print_cert(leaf, true);
 print_cert(wwdr_intermediate, false);
 }
+#endif
 CFReleaseNull(properties);
 CFReleaseNull(trust);
@@ -397,9 +417,14 @@ static void tests(void)
 CFReleaseNull(trust);
 }
-int si_26_applicationsigning(int argc, char *const *argv)
+int si_26_sectrust_copyproperties(int argc, char *const *argv)
 {
+#if TARGET_OS_IPHONE
 plan_tests(8);
+#else
+ // <rdar://problem/26358545>
+ plan_tests(7);
+#endif
 tests();
diff --git a/OSX/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c b/OSX/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c
index 613b1ca2..f5cd8d28 100644
--- a/OSX/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c
+++ b/OSX/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c
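Review bot: In the `@@ -376` hunk the post-evaluation `SecTrustCopyProperties` result is never asserted on either platform: the iOS branch only prints when `properties` is non-NULL, and on OS X nothing about it is checked at all, so a regression where the call returns NULL after a successful evaluation would pass a test that is now named sectrust-copyproperties. Add `isnt(properties, NULL, "properties returned after eval");` immediately after the second `properties = SecTrustCopyProperties(trust);` and raise both plan_tests counts (9 on iOS, 8 on OS X). The bare `// <rdar://problem/26358545>` next to `plan_tests(7)` is opaque to anyone without radar access; a few words such as `// OS X: pre-eval properties check skipped, see comment in tests()` would make the count difference self-explanatory. tests() begins before this hunk.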
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2010,2012-2015 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2006-2010,2012-2016 Apple Inc. All Rights Reserved.
 */
 #include <CoreFoundation/CoreFoundation.h>
@@ -11,7 +11,7 @@
 #include <stdlib.h>
 #include <unistd.h>
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 /* subject:/jurisdictionC=US/jurisdictionST=California/businessCategory=Private Organization/serialNumber=C0806592/C=US/postalCode=95014/ST=California/L=Cupertino/street=1 Infinite Loop/O=Apple Inc./OU=GNCS Traffic Management/CN=secure.store.apple.com */
 /* issuer :/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 */
@@ -230,83 +230,164 @@ static unsigned char _c1[]={ 0xE1,0xE0,0x33,0x9D,0xB3,0xCB,0x36,0x91,0x4B,0xFE,0xA1,0xB4,0xEE,0xF0,0xF9, }; +/* subject:/CN=self-signed.ssltest.apple.com/C=US */ +/* issuer :/CN=self-signed.ssltest.apple.com/C=US */ + +static unsigned char _ss0[]={ + 0x30,0x82,0x03,0x0F,0x30,0x82,0x01,0xF7,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x01, + 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30, + 0x35,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x03,0x0C,0x1D,0x73,0x65,0x6C,0x66, + 0x2D,0x73,0x69,0x67,0x6E,0x65,0x64,0x2E,0x73,0x73,0x6C,0x74,0x65,0x73,0x74,0x2E, + 0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x36,0x30,0x37, + 0x32,0x31,0x35,0x33,0x30,0x38,0x5A,0x17,0x0D,0x31,0x37,0x30,0x36,0x30,0x37,0x32, + 0x31,0x35,0x33,0x30,0x38,0x5A,0x30,0x35,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04, + 0x03,0x0C,0x1D,0x73,0x65,0x6C,0x66,0x2D,0x73,0x69,0x67,0x6E,0x65,0x64,0x2E,0x73, + 0x73,0x6C,0x74,0x65,0x73,0x74,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01, + 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, + 0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xCC,0x72, + 0x7D,0x09,0x36,0x5A,0x6A,0xED,0xC1,0x7A,0x2C,0xF4,0x7C,0x58,0x63,0x05,0x3E,0x91, + 0x68,0x55,0xB1,0x2A,0x5D,0x57,0xF3,0xA4,0xA7,0x80,0x05,0x41,0x74,0xB2,0xAD,0x5A, + 0x7F,0x38,0xF6,0xF7,0xFD,0xF9,0x64,0x4D,0xDE,0xF9,0x7A,0xD3,0x8C,0x78,0xE9,0x71, + 0xCF,0x1D,0x3E,0xF0,0xDB,0x12,0x48,0x74,0x22,0xA8,0x1F,0x3F,0xB9,0xDD,0xB0,0xAD, + 0x8C,0x10,0x64,0x05,0x0E,0xE2,0x59,0x9A,0xEB,0x3F,0xBF,0xA9,0x48,0x07,0xD9,0x2C, + 0x07,0x44,0x70,0x14,0x16,0x56,0x9C,0x73,0x01,0x2E,0x0B,0xF1,0x2A,0x9F,0x1C,0xC6, + 0x78,0x56,0xB7,0x0B,0xDA,0xA6,0xE6,0x99,0x87,0x2D,0x49,0xFB,0xF0,0x47,0x22,0xA6, + 
0x8B,0xF0,0x02,0x37,0x31,0xD0,0x34,0x9F,0x43,0xD1,0x24,0x49,0x94,0x7F,0xFD,0x48, + 0x9C,0xBA,0x5D,0x6B,0xD4,0xF9,0x9E,0xB5,0x18,0xE4,0xB2,0x06,0x46,0xC3,0xD9,0xE7, + 0x80,0xD8,0x61,0xA9,0x09,0x5E,0xBA,0x2E,0x58,0x56,0xAE,0x37,0x31,0x6E,0x87,0x98, + 0xD5,0xC9,0x2B,0x31,0x5C,0x40,0x01,0xDF,0xD5,0x63,0x9E,0x05,0x18,0x21,0x53,0x70, + 0x62,0x36,0x44,0xCD,0x02,0xC0,0xCC,0x6A,0x58,0xC6,0xF6,0xA4,0xDC,0x89,0x94,0xBD, + 0x4E,0xC4,0xEE,0xEE,0x40,0x31,0x59,0xC3,0x43,0xAD,0x34,0x30,0xDE,0xA9,0xA7,0x0D, + 0x85,0xF7,0x96,0x8C,0x45,0xC1,0x6E,0x85,0x39,0x97,0xA6,0x4F,0xEA,0xE8,0x2F,0x01, + 0x3D,0xC0,0x3B,0x34,0x9F,0x8F,0xCB,0xD6,0x22,0x79,0x2C,0x8C,0x8C,0xE6,0xBB,0x1F, + 0x89,0x87,0x93,0x3B,0x39,0x4E,0x64,0x7D,0xDA,0x4D,0x52,0x4C,0x97,0xE5,0x02,0x03, + 0x01,0x00,0x01,0xA3,0x2A,0x30,0x28,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01, + 0xFF,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x16,0x06,0x03,0x55,0x1D,0x25,0x01,0x01, + 0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0x36,0x06,0xC9,0xE6,0x98,0xC2,0x84,0x1D,0x13,0x1E,0x54,0x35,0x6D, + 0xE5,0xCB,0xC5,0xFD,0xD9,0x54,0x45,0x83,0x53,0xB3,0x3B,0xE7,0x30,0x6F,0xAE,0xEA, + 0x63,0x3F,0xA8,0xFA,0xD9,0x6D,0x0F,0x7D,0xD4,0xB6,0x28,0x66,0xF9,0x57,0x87,0x3E, + 0x57,0x27,0xB6,0x9A,0x56,0xAE,0xD7,0xE0,0x11,0x20,0x71,0xC1,0xEA,0xF6,0xED,0x74, + 0x1A,0x5A,0xB1,0x74,0x6C,0xBE,0xAC,0x0E,0x3C,0xD9,0x3E,0xEC,0x17,0x6E,0xF0,0x69, + 0xC9,0x4D,0xD2,0x7E,0xAE,0x8B,0x01,0xCC,0x1A,0x23,0x7C,0x58,0x07,0x30,0xE4,0x2A, + 0x12,0xE8,0xA0,0x25,0x65,0x66,0xB5,0xC7,0x5D,0xD8,0x47,0xDF,0xD7,0x51,0xBC,0xA2, + 0xAA,0xF0,0x2F,0xB5,0x9E,0x20,0x6D,0x1F,0x84,0x00,0xF0,0xD0,0xB8,0x42,0x6A,0x9A, + 0xE7,0xCA,0x7B,0xE5,0x39,0x09,0x91,0xBF,0xCB,0x4D,0x7A,0x32,0x1E,0x00,0x6E,0xE5, + 0xF7,0x44,0x80,0x82,0x38,0x53,0x64,0xB7,0x26,0x81,0xCB,0xCE,0xA1,0xAF,0x0C,0x67, + 0x32,0xC6,0xE4,0x5D,0x09,0x7B,0x37,0xD7,0xC8,0x43,0x44,0xEF,0xC6,0xF8,0x72,0xFF, + 
0x65,0xD4,0x39,0x3D,0xEC,0x72,0xA5,0x28,0xFF,0x70,0x47,0x38,0xA3,0xC7,0xCC,0x5E,
+ 0x0F,0xFF,0x43,0x83,0x78,0x49,0x68,0x90,0x48,0x89,0xAD,0xE1,0x2E,0xFA,0x8F,0x59,
+ 0xB6,0x08,0x2A,0x72,0x2F,0x52,0x3F,0x73,0x84,0xCA,0xD8,0x18,0x6C,0xDA,0xA3,0x2E,
+ 0xF2,0xD7,0x4C,0x21,0xD9,0xF8,0xB1,0x86,0xE9,0x35,0x78,0xE4,0x4F,0xD0,0x93,0x11,
+ 0x8F,0xF4,0xB1,0x17,0x4F,0xDE,0xAC,0xBD,0xA9,0xBC,0x94,0xFC,0x2E,0x7D,0xF9,0x05,
+ 0x26,0x90,0xF1,
+};
+
 #define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); }
+#define CFReleaseNull(CF) { CFTypeRef _cf = (CF); if (_cf) { (CF) = NULL; CFRelease(_cf); } }
 /* Test basic add delete update copy matching stuff. */
 static void tests(void) {
- SecTrustRef trust;
- SecCertificateRef cert0, cert1;
+ SecTrustRef trust;
+ SecCertificateRef cert0, cert1, sscert0;
+ CFArrayRef anchors = NULL;
 isnt(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)),
- NULL, "create cert0");
+ NULL, "create cert0");
 isnt(cert1 = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)),
- NULL, "create cert1");
+ NULL, "create cert1");
+ isnt(sscert0 = SecCertificateCreateWithBytes(NULL, _ss0, sizeof(_ss0)),
+ NULL, "create sscert0");
 const void *v_certs[] = { cert0, cert1 };
- SecPolicyRef policy = SecPolicyCreateSSL(false, CFSTR("secure.store.apple.com"));
- CFArrayRef certs = CFArrayCreate(NULL, v_certs,
- array_size(v_certs), NULL);
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
+ SecPolicyRef policy = SecPolicyCreateSSL(false, CFSTR("secure.store.apple.com"));
+ CFArrayRef certs = CFArrayCreate(NULL, v_certs,
+ array_size(v_certs), NULL);
+ ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
 /* Jun 12 2015.
*/ CFDateRef date = CFDateCreate(NULL, 455843208.0);
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
+ ok_status(SecTrustSetVerifyDate(trust, date), "set date");
 SecTrustResultType trustResult;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified,
- "trust is kSecTrustResultUnspecified");
- CFDataRef exceptions;
- ok(exceptions = SecTrustCopyExceptions(trust), "create an exceptions");
- ok(SecTrustSetExceptions(trust, exceptions), "set exceptions");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultProceed, "trust is kSecTrustResultProceed");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultUnspecified,
+ "trust is kSecTrustResultUnspecified");
+ CFDataRef exceptions;
+ ok(exceptions = SecTrustCopyExceptions(trust), "create exceptions");
+ if (!exceptions) { goto errOut; }
+ ok(SecTrustSetExceptions(trust, exceptions), "set exceptions");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultProceed, "trust is kSecTrustResultProceed");
- CFReleaseSafe(trust);
- CFReleaseSafe(policy);
- policy = SecPolicyCreateSSL(false, CFSTR("badstore.apple.com"));
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust with hostname mismatch");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- ok(SecTrustSetExceptions(trust, exceptions), "set old exceptions");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
- CFReleaseSafe(exceptions);
- ok(exceptions = SecTrustCopyExceptions(trust), "create a new exceptions");
- ok(SecTrustSetExceptions(trust, exceptions), "set exceptions");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- 
is_status(trustResult, kSecTrustResultProceed, "trust is kSecTrustResultProceed");
+ CFReleaseNull(trust);
+ CFReleaseNull(policy);
+ policy = SecPolicyCreateSSL(false, CFSTR("badstore.apple.com"));
+ ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust with hostname mismatch");
+ ok_status(SecTrustSetVerifyDate(trust, date), "set date");
+ ok(SecTrustSetExceptions(trust, exceptions), "set old exceptions");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
+ CFReleaseNull(exceptions);
+ ok(exceptions = SecTrustCopyExceptions(trust), "create exceptions");
+ if (!exceptions) { goto errOut; }
+ ok(SecTrustSetExceptions(trust, exceptions), "set exceptions");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultProceed, "trust is kSecTrustResultProceed");
- CFReleaseSafe(trust);
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- ok(SecTrustSetExceptions(trust, exceptions), "set exceptions");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultProceed, "trust is kSecTrustResultProceed");
- CFArrayRef anchors = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks);
- ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set empty anchor list");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
+ CFReleaseNull(trust);
+ ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
+ ok_status(SecTrustSetVerifyDate(trust, date), "set date");
+ ok(SecTrustSetExceptions(trust, exceptions), "set exceptions");
+ 
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultProceed, "trust is kSecTrustResultProceed");
+ anchors = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks);
+ ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set empty anchor list");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
 ok_status(SecTrustSetAnchorCertificatesOnly(trust, false), "trust passed in anchors and system anchors");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultProceed, "trust is now kSecTrustResultProceed");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultProceed, "trust is now kSecTrustResultProceed");
 ok_status(SecTrustSetAnchorCertificatesOnly(trust, true), "only trust passed in anchors (default)");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure again");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure again");
- CFReleaseSafe(exceptions);
- ok(exceptions = SecTrustCopyExceptions(trust), "create a new exceptions");
- ok(SecTrustSetExceptions(trust, exceptions), "set exceptions");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultProceed, "trust is kSecTrustResultProceed");
- CFReleaseSafe(date);
+ CFReleaseNull(exceptions);
+ ok(exceptions = SecTrustCopyExceptions(trust), "create exceptions");
+ if (!exceptions) { goto errOut; }
+ ok(SecTrustSetExceptions(trust, exceptions), "set exceptions");
+ 
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultProceed, "trust is kSecTrustResultProceed");
+ CFReleaseNull(date);
 date = CFDateCreate(NULL, 667680000.0);
- ok_status(SecTrustSetVerifyDate(trust, date), "set date to far future so certs are expired");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
+ ok_status(SecTrustSetVerifyDate(trust, date), "set date to far future so certs are expired");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
+
+ CFReleaseNull(trust);
+ CFReleaseNull(policy);
+ policy = SecPolicyCreateSSL(false, CFSTR("self-signed.ssltest.apple.com"));
+ ok_status(SecTrustCreateWithCertificates(sscert0, policy, &trust), "create trust");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
+ CFReleaseNull(exceptions);
+ ok(exceptions = SecTrustCopyExceptions(trust), "create exceptions");
+ if (!exceptions) { goto errOut; }
+ ok(SecTrustSetExceptions(trust, exceptions), "set exceptions");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultProceed, "trust is kSecTrustResultProceed");
+ CFReleaseNull(exceptions);
+ ok(!SecTrustSetExceptions(trust, NULL), "clear exceptions");
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure");
+errOut:
 CFReleaseSafe(anchors);
 CFReleaseSafe(exceptions);
 CFReleaseSafe(trust);
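Review bot: The new self-signed block near the end of this hunk evaluates `trust` without ever calling SecTrustSetVerifyDate, unlike every other evaluation in this function, so it runs against the wall clock. The `_ss0` validity bytes encode 2016-06-07 through 2017-06-07, so outside that window the asserted kSecTrustResultRecoverableTrustFailure is produced by expiry as well as by the untrusted self-signed issuer, and the exceptions round-trip no longer isolates the behaviour the test is meant to cover. Pin the date inside the window before the first evaluate, e.g. `CFReleaseNull(date); date = CFDateCreate(NULL, 487465608.0); /* Jun 12 2016 */` followed by `ok_status(SecTrustSetVerifyDate(trust, date), "set date");`, and raise plan_tests to 52 in the following hunk. Separately, the new `CFReleaseNull` macro expands to a bare brace block, so `if (c) CFReleaseNull(x); else …` would not compile; a `do { … } while (0)` wrapper avoids that. tests() begins before this hunk.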
@@ -314,12 +395,13 @@ static void tests(void)
 CFReleaseSafe(certs);
 CFReleaseSafe(cert0);
 CFReleaseSafe(cert1);
+ CFReleaseSafe(sscert0);
 CFReleaseSafe(date);
 }
 int si_27_sectrust_exceptions(int argc, char *const *argv)
 {
- plan_tests(40);
+ plan_tests(51);
 tests();
diff --git a/OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.c b/OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.c
deleted file mode 100644
index 4e1a9d2d..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.c
+++ /dev/null
@@ -1,215 +0,0 @@ -/* - * Copyright (c) 2008-2010,2012 Apple Inc. All Rights Reserved. - */ - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecCertificate.h> -#include <Security/SecCertificatePriv.h> -#include <Security/SecTrustStore.h> -#include <Security/SecItemPriv.h> -#include <stdlib.h> -#include <unistd.h> - -#include "Security_regressions.h" - -/* - subject= /C=US/ST=California/L=Cupertino/O=Apple Computer, Inc./OU=Apple Internet Services/OU=Terms of use at www.verisign.com/rpa (c)00/CN=store.apple.com - issuer= /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign - serial=4450E623F57E734FF85C1DEEFB976C86 -*/ -static const uint8_t _c0[] = { - 0x30, 0x82, 0x04, 0x82, 0x30, 0x82, 0x03, 0xeb, - 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x44, - 0x50, 0xe6, 0x23, 0xf5, 0x7e, 0x73, 0x4f, 0xf8, - 0x5c, 0x1d, 0xee, 0xfb, 0x97, 0x6c, 0x86, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, - 0xba, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x13, 0x16, 0x56, 0x65, 0x72, 0x69, - 0x53, 0x69, 0x67, 0x6e, 0x20, 0x54, 0x72, 0x75, - 0x73, 0x74, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, - 0x72, 0x6b, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0b, 0x13, 0x0e, 0x56, 0x65, 0x72, - 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x33, 0x30, 0x31, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2a, 0x56, 0x65, - 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x49, - 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x53, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x20, 0x43, 0x41, 0x20, 0x2d, - 0x20, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x33, - 0x31, 0x49, 0x30, 0x47, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x13, 0x40, 0x77, 0x77, 0x77, 0x2e, 0x76, - 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x43, 0x50, 0x53, 0x20, - 0x49, 0x6e, 0x63, 
0x6f, 0x72, 0x70, 0x2e, 0x62, - 0x79, 0x20, 0x52, 0x65, 0x66, 0x2e, 0x20, 0x4c, - 0x49, 0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, - 0x20, 0x4c, 0x54, 0x44, 0x2e, 0x28, 0x63, 0x29, - 0x39, 0x37, 0x20, 0x56, 0x65, 0x72, 0x69, 0x53, - 0x69, 0x67, 0x6e, 0x30, 0x1e, 0x17, 0x0d, 0x30, - 0x35, 0x30, 0x33, 0x30, 0x32, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x37, - 0x30, 0x34, 0x30, 0x31, 0x32, 0x33, 0x35, 0x39, - 0x35, 0x39, 0x5a, 0x30, 0x81, 0xc6, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, - 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, - 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x14, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, - 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x1d, 0x30, 0x1b, - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x14, 0x14, 0x41, - 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x6f, 0x6d, - 0x70, 0x75, 0x74, 0x65, 0x72, 0x2c, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x20, 0x30, 0x1e, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x14, 0x17, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65, - 0x72, 0x6e, 0x65, 0x74, 0x20, 0x53, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x73, 0x31, 0x33, 0x30, - 0x31, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x14, 0x2a, - 0x54, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x6f, 0x66, - 0x20, 0x75, 0x73, 0x65, 0x20, 0x61, 0x74, 0x20, - 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69, - 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x72, 0x70, 0x61, 0x20, 0x28, 0x63, 0x29, - 0x30, 0x30, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x14, 0x0f, 0x73, 0x74, 0x6f, - 0x72, 0x65, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, - 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x81, 0x9f, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, - 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, - 0x00, 0xbf, 0x8f, 0x59, 0x14, 0xbb, 0x91, 0xa4, - 0xe6, 0x3e, 0x75, 0xf8, 0x38, 0x36, 0xfe, 0xcd, - 0x9e, 0x5d, 0x3f, 
0x14, 0x62, 0xfc, 0xe7, 0x48, - 0x5f, 0x7e, 0x6b, 0x6e, 0x87, 0xd2, 0x31, 0x6e, - 0x9d, 0x19, 0x92, 0x6f, 0xe3, 0xbc, 0x7e, 0x48, - 0xb1, 0x2f, 0x9d, 0x70, 0x2c, 0x11, 0xdf, 0x35, - 0xd1, 0xee, 0xd2, 0xd5, 0x37, 0x92, 0x4e, 0x06, - 0x66, 0xb3, 0xc9, 0x9c, 0x99, 0xec, 0x09, 0xc6, - 0xc4, 0xd6, 0xe6, 0x62, 0xb7, 0x97, 0x24, 0xd8, - 0x38, 0x40, 0xf1, 0xa0, 0x1c, 0x0f, 0xf2, 0x3d, - 0xaf, 0x4a, 0x93, 0xba, 0x11, 0xad, 0x67, 0xc4, - 0x4b, 0x1d, 0x74, 0x33, 0x7c, 0xb9, 0x6b, 0x2d, - 0xc5, 0x9b, 0x6a, 0xd2, 0xf2, 0x28, 0x08, 0x05, - 0x18, 0x7d, 0xf0, 0xde, 0x28, 0x61, 0xf1, 0x81, - 0xd5, 0x56, 0x4f, 0x20, 0x6e, 0xf3, 0x34, 0x89, - 0x67, 0xd3, 0xa7, 0x09, 0xda, 0xc7, 0x89, 0x4d, - 0xe1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, - 0x01, 0x79, 0x30, 0x82, 0x01, 0x75, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, - 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, - 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x46, - 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x3f, 0x30, - 0x3d, 0x30, 0x3b, 0xa0, 0x39, 0xa0, 0x37, 0x86, - 0x35, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x63, 0x72, 0x6c, 0x2e, 0x76, 0x65, 0x72, 0x69, - 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x33, 0x49, - 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x72, 0x76, - 0x65, 0x72, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x44, - 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x3d, 0x30, - 0x3b, 0x30, 0x39, 0x06, 0x0b, 0x60, 0x86, 0x48, - 0x01, 0x86, 0xf8, 0x45, 0x01, 0x07, 0x17, 0x03, - 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x1c, - 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, - 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69, - 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x72, 0x70, 0x61, 0x30, 0x28, 0x06, 0x03, - 0x55, 0x1d, 0x25, 0x04, 0x21, 0x30, 0x1f, 0x06, - 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, - 0x04, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x03, 
0x01, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x34, - 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x01, 0x01, 0x04, 0x28, 0x30, 0x26, 0x30, 0x24, - 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x30, 0x01, 0x86, 0x18, 0x68, 0x74, 0x74, 0x70, - 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, - 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, - 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x6d, 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x0c, - 0x04, 0x61, 0x30, 0x5f, 0xa1, 0x5d, 0xa0, 0x5b, - 0x30, 0x59, 0x30, 0x57, 0x30, 0x55, 0x16, 0x09, - 0x69, 0x6d, 0x61, 0x67, 0x65, 0x2f, 0x67, 0x69, - 0x66, 0x30, 0x21, 0x30, 0x1f, 0x30, 0x07, 0x06, - 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, - 0x8f, 0xe5, 0xd3, 0x1a, 0x86, 0xac, 0x8d, 0x8e, - 0x6b, 0xc3, 0xcf, 0x80, 0x6a, 0xd4, 0x48, 0x18, - 0x2c, 0x7b, 0x19, 0x2e, 0x30, 0x25, 0x16, 0x23, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6c, - 0x6f, 0x67, 0x6f, 0x2e, 0x76, 0x65, 0x72, 0x69, - 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x76, 0x73, 0x6c, 0x6f, 0x67, 0x6f, 0x2e, - 0x67, 0x69, 0x66, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x01, 0x5e, - 0x47, 0x3c, 0x5f, 0x38, 0x4f, 0x4d, 0x64, 0xf1, - 0x33, 0x13, 0xd3, 0xcf, 0x80, 0xf9, 0x88, 0x93, - 0xba, 0x44, 0x7b, 0xf0, 0xbd, 0x60, 0x96, 0x39, - 0xa8, 0xc5, 0x76, 0x18, 0x01, 0xa7, 0x03, 0x53, - 0x8b, 0x92, 0xda, 0x97, 0xaa, 0x85, 0xc7, 0xb7, - 0x7d, 0x58, 0x83, 0x68, 0x4a, 0xd9, 0x54, 0x78, - 0x7f, 0xa0, 0xe9, 0x8f, 0xc5, 0xb4, 0x3a, 0xb7, - 0x3c, 0xa1, 0x70, 0x40, 0xac, 0xc2, 0xc6, 0x5b, - 0xbd, 0x70, 0x90, 0xb9, 0xc6, 0x7d, 0x7e, 0x49, - 0xe4, 0xbd, 0xc1, 0x5d, 0x1a, 0x0f, 0x9e, 0x0a, - 0x93, 0xfd, 0xc7, 0x7a, 0x8b, 0x9c, 0x61, 0x61, - 0x34, 0x02, 0xcc, 0x68, 0xdd, 0x2b, 0x29, 0xbc, - 0x83, 0x8d, 0x7a, 0x8b, 0x22, 0xb9, 0x1e, 0x79, - 0x3a, 0x5a, 0xc6, 0xda, 0xb3, 0xaf, 0xaf, 0x0b, - 0x41, 0x16, 0xda, 0xd2, 0x8e, 0xcd, 0xc1, 0xc0, - 0x43, 0xfc, 0xb3, 
0x10, 0xb7, 0x27
-};
-
-#define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) CFRelease(_cf); }
-
-static void tests(void)
-{
- SecCertificateRef cert0;
- isnt(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)),
- NULL, "create cert0");
- SecTrustStoreRef user_store;
- isnt(user_store = SecTrustStoreForDomain(kSecTrustStoreDomainUser),
- NULL, "get user trust settings store handle");
- ok(!SecTrustStoreContains(user_store, cert0),
- "cert0 is not yet present");
- ok_status(SecTrustStoreSetTrustSettings(user_store, cert0, NULL),
- "make cert0 trusted for anything");
- ok(SecTrustStoreContains(user_store, cert0),
- "cert0 is present");
- ok_status(SecTrustStoreSetTrustSettings(user_store, cert0, NULL),
- "make cert0 trusted for anything - again, should update now");
- ok(SecTrustStoreContains(user_store, cert0),
- "cert0 is still present");
- ok_status(SecTrustStoreRemoveCertificate(user_store, cert0),
- "removing cert0");
- ok(!SecTrustStoreContains(user_store, cert0),
- "cert0 is no longer present");
-
- /* Adding again...*/
- ok_status(SecTrustStoreSetTrustSettings(user_store, cert0, NULL),
- "make cert0 trusted for anything");
- ok(SecTrustStoreContains(user_store, cert0),
- "cert0 is present");
-
- /* Remove it */
- ok_status(SecTrustStoreRemoveCertificate(user_store, cert0),
- "removing cert0");
- ok(!SecTrustStoreContains(user_store, cert0),
- "cert0 is no longer present");
-
- CFReleaseSafe(cert0);
-}
-
-int si_28_sectrustsettings(int argc, char *const *argv)
-{
- plan_tests(13);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.h b/OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.h
new file mode 100644
index 00000000..040bd530
--- /dev/null
+++ b/OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.h
@@ -0,0 +1,288 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + */ + +#ifndef si_28_sectrustsettings_h +#define si_28_sectrustsettings_h + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Trust Settings Test Root CA */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Trust Settings Test Root CA */ +unsigned char _trustSettingsRoot[1008]={ + 0x30,0x82,0x03,0xEC,0x30,0x82,0x02,0xD4,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xEE,0xAD,0xE6,0x5E,0x2C,0x5C,0x7C,0x40,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,0x91,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08, + 0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10, + 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 0x65,0x72,0x69,0x6E,0x67,0x31,0x24,0x30,0x22,0x06,0x03,0x55,0x04,0x03,0x0C,0x1B, + 0x54,0x72,0x75,0x73,0x74,0x20,0x53,0x65,0x74,0x74,0x69,0x6E,0x67,0x73,0x20,0x54, + 0x65,0x73,0x74,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31, + 0x36,0x30,0x33,0x31,0x39,0x32,0x33,0x33,0x30,0x34,0x34,0x5A,0x17,0x0D,0x32,0x36, + 0x30,0x33,0x31,0x37,0x32,0x33,0x33,0x30,0x34,0x34,0x5A,0x30,0x81,0x91,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06, + 0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61, + 0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72, + 0x74,0x69,0x6E,0x6F,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41, + 
0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03, + 0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E, + 0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x24,0x30,0x22,0x06,0x03,0x55, + 0x04,0x03,0x0C,0x1B,0x54,0x72,0x75,0x73,0x74,0x20,0x53,0x65,0x74,0x74,0x69,0x6E, + 0x67,0x73,0x20,0x54,0x65,0x73,0x74,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30, + 0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01, + 0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00, + 0xC6,0xB5,0x94,0x9F,0x10,0xC7,0x49,0x4F,0xAF,0xA5,0xE4,0x98,0xEE,0xEB,0x9C,0x39, + 0xCA,0xF0,0x47,0x54,0xCA,0x26,0x4A,0xDD,0x6E,0x1E,0x33,0x4F,0x5E,0xF5,0x9F,0x4A, + 0x41,0x3F,0xC3,0xCF,0xEB,0x30,0x51,0xD8,0x85,0xAB,0xD6,0xDD,0x45,0xBF,0x0D,0x67, + 0x0D,0xDA,0x88,0x07,0xD8,0xB2,0x6D,0x6C,0x56,0xEE,0x27,0x74,0xDE,0x81,0xAC,0x35, + 0x9F,0xBC,0x9E,0x4A,0x97,0x0E,0xB4,0x84,0xA4,0xFA,0x24,0x21,0xBE,0x74,0x40,0xB4, + 0x9E,0xFC,0x81,0x9B,0xE6,0x82,0xB8,0xB6,0xAD,0x33,0x88,0xEC,0x30,0x5B,0x88,0x56, + 0x7E,0x3D,0x03,0x7A,0xC7,0xC2,0x58,0xF9,0x7C,0x68,0x77,0x75,0x8B,0x59,0x82,0x28, + 0xFC,0x0B,0x69,0x25,0x61,0x1E,0xCA,0x1F,0x7C,0x4D,0x3E,0x74,0xE5,0xE1,0xA0,0xDD, + 0xB3,0xD8,0xBD,0x11,0x4A,0x57,0xB9,0xAA,0xB3,0x92,0x53,0x9C,0x2A,0xE5,0x91,0xD8, + 0x57,0xCC,0xAD,0xB9,0x7F,0x4B,0x94,0x0F,0xCD,0xE0,0xEF,0xF7,0xE9,0x2A,0xE4,0x90, + 0xEF,0xA2,0x69,0x53,0x46,0x68,0x5D,0x39,0xD5,0x08,0x24,0x33,0x3D,0x81,0xF5,0x34, + 0xCD,0x06,0xC4,0xDB,0xC7,0x59,0xF9,0x9C,0xD9,0x00,0xD1,0x33,0x8F,0xE5,0x9D,0xF5, + 0x7A,0xD0,0x91,0x3A,0x1F,0xE2,0x5C,0x24,0xB4,0xFD,0xF1,0x86,0x04,0x66,0x10,0xEC, + 0x8F,0xB5,0x50,0xEF,0xBC,0x13,0xC2,0x32,0x52,0xFD,0x55,0x8D,0x9A,0x3E,0xB1,0xA0, + 0x94,0x02,0x96,0xF4,0x64,0xE3,0x23,0x4F,0x18,0x19,0xAF,0x82,0xD0,0x25,0xA2,0x8C, + 0x76,0x6B,0xDA,0xBA,0xF9,0xE8,0x0D,0xBA,0x32,0x74,0xF1,0x2F,0xB9,0xE3,0xD2,0x93, + 0x02,0x03,0x01,0x00,0x01,0xA3,0x45,0x30,0x43,0x30,0x12,0x06,0x03,0x55,0x1D,0x13, + 
0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x03,0x30,0x0E,0x06, + 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06, + 0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x68,0x31,0x64,0x1E,0x5C,0x68,0x6A,0x83, + 0xBD,0x39,0x22,0x44,0xF6,0xD3,0x6C,0x70,0xF7,0xDD,0x22,0x53,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00, + 0x01,0xDF,0xE1,0x02,0xED,0x2A,0x55,0xC3,0xFF,0x9A,0xD7,0x43,0xCF,0xD9,0x5F,0x3C, + 0xD5,0xAF,0xB1,0xEF,0x1F,0xF1,0x15,0x88,0x17,0x37,0x69,0x25,0xC1,0x42,0xFC,0xE3, + 0x18,0xBC,0x02,0x6A,0x0B,0xAD,0xDB,0x49,0xE0,0xCB,0xBE,0x84,0xC0,0xF8,0x26,0xD0, + 0xA6,0x4C,0xCB,0x3D,0xF4,0x52,0xBA,0xF2,0x3B,0x2C,0x3F,0xD6,0x46,0xAA,0xC8,0xE7, + 0xE5,0x4A,0x41,0x7D,0xCA,0xC3,0x3A,0xEF,0xD0,0xFF,0xA2,0x1A,0x07,0x4E,0x18,0x70, + 0xC6,0xBD,0xA2,0x37,0xD9,0x72,0xFB,0x95,0xC9,0x0A,0x4E,0x39,0x0D,0x67,0x45,0xF2, + 0x92,0x34,0x2E,0x94,0x02,0x51,0x97,0x96,0x82,0x75,0x1C,0x7D,0x14,0x40,0x15,0x38, + 0xB5,0x4D,0x17,0xBE,0xCE,0xDB,0x54,0x12,0x68,0xF6,0xCE,0xFA,0xE0,0x73,0xD3,0x3B, + 0x7B,0x01,0xDC,0x43,0x17,0x46,0x00,0x2F,0x82,0x1F,0x4D,0x09,0x78,0x22,0x84,0x76, + 0x2B,0xB6,0xA4,0xA8,0x87,0xC3,0x3F,0x13,0x4D,0x99,0xEF,0x23,0x52,0x92,0xCE,0x65, + 0x1C,0x00,0x4A,0xCC,0xEE,0x3B,0x73,0xEB,0x52,0x86,0xA3,0xBC,0x22,0xAF,0xE2,0x88, + 0x5A,0xED,0x34,0x51,0xC4,0x67,0x9F,0xA2,0x7E,0x4B,0xCC,0x65,0xFC,0xD6,0x38,0x42, + 0x5A,0x24,0xB8,0x02,0x6F,0x99,0xA0,0xF7,0x38,0x86,0x8A,0x02,0xCD,0x28,0x9B,0xEA, + 0xD9,0xA0,0x24,0x57,0x1E,0x40,0x02,0x89,0x29,0x4C,0x3F,0xF5,0xEF,0x8F,0xE7,0x4C, + 0xDB,0x42,0xFA,0x8D,0x4C,0xD3,0x30,0xF7,0x71,0x7F,0xC2,0x41,0x66,0x19,0x7D,0x47, + 0x99,0x26,0xF5,0x74,0x39,0xFE,0xB8,0xDF,0x60,0x36,0x02,0x0E,0x77,0x28,0x12,0x84, +}; + +/* subject:/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Trust Settings Test Sub CA */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Trust Settings Test Root CA */ +unsigned char 
_trustSettingsInt[1016]={ + 0x30,0x82,0x03,0xF4,0x30,0x82,0x02,0xDC,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xBE,0x29,0xEC,0x6D,0x40,0x7E,0x44,0x9A,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,0x91,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08, + 0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10, + 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 0x65,0x72,0x69,0x6E,0x67,0x31,0x24,0x30,0x22,0x06,0x03,0x55,0x04,0x03,0x0C,0x1B, + 0x54,0x72,0x75,0x73,0x74,0x20,0x53,0x65,0x74,0x74,0x69,0x6E,0x67,0x73,0x20,0x54, + 0x65,0x73,0x74,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31, + 0x36,0x30,0x33,0x31,0x39,0x32,0x33,0x34,0x30,0x31,0x33,0x5A,0x17,0x0D,0x31,0x37, + 0x30,0x33,0x31,0x39,0x32,0x33,0x34,0x30,0x31,0x33,0x5A,0x30,0x7C,0x31,0x0B,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03, + 0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31, + 0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C, + 0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14, + 0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65, + 0x72,0x69,0x6E,0x67,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x03,0x0C,0x1A,0x54, + 0x72,0x75,0x73,0x74,0x20,0x53,0x65,0x74,0x74,0x69,0x6E,0x67,0x73,0x20,0x54,0x65, + 0x73,0x74,0x20,0x53,0x75,0x62,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, + 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, + 
0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC3,0x98,0xDB,0xB7,0x52,0xC3, + 0xC9,0xD3,0xB8,0x35,0x57,0xAE,0xF4,0x93,0x21,0xDD,0xAD,0x17,0xA8,0xE3,0x39,0xB0, + 0x27,0xF3,0x9F,0x12,0x77,0xF3,0xF0,0x03,0xED,0xAE,0xE7,0x79,0x86,0x17,0x07,0x1C, + 0xDE,0x34,0x41,0x25,0x39,0xCA,0xFE,0xD1,0x13,0x3B,0xBB,0x7E,0x77,0x7E,0x32,0x99, + 0xDD,0xEB,0xBA,0xDC,0x6D,0xB9,0xF5,0x8A,0x1C,0x19,0x71,0xE3,0xE4,0x7F,0x39,0x0C, + 0x3F,0x09,0x46,0x22,0x28,0x60,0x1A,0x42,0xA2,0x6E,0xE4,0x64,0xCF,0x02,0x68,0xAC, + 0x74,0xD1,0xBD,0xE4,0xC7,0x69,0x90,0xA5,0xA4,0x4F,0x1C,0x6E,0x08,0x79,0x28,0xE8, + 0x3E,0xE3,0x62,0x15,0xF8,0xB9,0xC1,0x56,0x1A,0xB0,0xE3,0x27,0x02,0xC6,0x29,0x20, + 0x7B,0x34,0x54,0xCC,0x0F,0xDB,0x5B,0x5E,0x81,0x0F,0x20,0xB7,0xB4,0x43,0xB3,0x29, + 0xE7,0xB7,0x83,0xCB,0x01,0xB3,0x57,0x3E,0x7B,0xBC,0x21,0x2F,0xED,0x24,0x99,0xB4, + 0xCD,0x64,0x9F,0x47,0xA3,0x5E,0x7B,0x99,0x69,0x8D,0xEB,0x6C,0x9D,0x60,0x7C,0x2F, + 0x2D,0xF5,0xC9,0x9D,0x11,0x7B,0x61,0x4A,0x0D,0x70,0x11,0x14,0x6C,0xE1,0xCB,0xC1, + 0x20,0xAF,0x55,0xBF,0xBE,0x8B,0xB6,0x9A,0x03,0x6C,0xFD,0x7A,0xCF,0xFB,0x92,0xD1, + 0x85,0xEE,0x5B,0x1E,0xEA,0xDC,0x58,0xF3,0xF1,0x0B,0x88,0x9E,0xA5,0xB4,0xD2,0xCD, + 0x74,0x47,0x18,0xA8,0xE3,0xFD,0x45,0xC2,0xE1,0x4D,0x97,0x77,0x89,0x48,0xF9,0x66, + 0xA4,0xEF,0x9E,0x33,0x3E,0xF0,0xED,0x55,0xF7,0x92,0xF4,0x1B,0xF7,0xF6,0xF9,0x90, + 0xCE,0xD5,0xA1,0x3F,0xE7,0xB7,0x2E,0x33,0x8F,0x9D,0x02,0x03,0x01,0x00,0x01,0xA3, + 0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30, + 0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04, + 0x03,0x02,0x02,0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xFD, + 0x26,0x89,0x9C,0xA6,0x9A,0xF6,0x33,0x48,0xA9,0x5D,0x0B,0xF6,0x90,0x2F,0xA6,0xC8, + 0x22,0x30,0x70,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14, + 0x68,0x31,0x64,0x1E,0x5C,0x68,0x6A,0x83,0xBD,0x39,0x22,0x44,0xF6,0xD3,0x6C,0x70, + 0xF7,0xDD,0x22,0x53,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01, + 
0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xA0,0xCA,0xAB,0x34,0xCF,0x6A,0x97,0x40, + 0x58,0x49,0xEE,0xA5,0x03,0x98,0xDB,0x6B,0x8D,0x19,0x11,0x83,0x5C,0x52,0xA5,0xD0, + 0xA2,0x3B,0x5E,0x59,0x13,0x53,0xCA,0xAA,0x6B,0x26,0x6D,0x14,0x4A,0x6D,0x8A,0x61, + 0xA7,0xDD,0x3E,0x2D,0x8B,0x4A,0x62,0xA4,0x3D,0x06,0xEE,0x76,0xB5,0x6F,0x93,0x30, + 0xD1,0x29,0xEA,0x34,0x01,0xB3,0x6B,0x1A,0xF3,0xCA,0x26,0x1E,0x76,0x2E,0x46,0xB3, + 0x73,0xE1,0x97,0x95,0x2F,0x16,0xC8,0x1F,0xF8,0x79,0x0E,0xEA,0x36,0xB0,0xEA,0x49, + 0xBE,0x5A,0x40,0xFE,0x83,0x51,0x94,0x78,0x74,0xD0,0x22,0x87,0x34,0xF5,0xEE,0x44, + 0x55,0x4B,0x4A,0xFF,0xF9,0xCD,0x84,0x68,0x32,0x94,0x98,0xCF,0xE0,0x51,0x66,0xEC, + 0x93,0x12,0x26,0x37,0xBD,0xA1,0x71,0x3B,0xF6,0x7A,0x40,0x48,0x62,0xC8,0xDD,0xE8, + 0x74,0x2C,0x14,0x09,0x18,0xDA,0x23,0x85,0xFF,0x2A,0x65,0xBF,0x0E,0x72,0x32,0xE2, + 0xD8,0x89,0x36,0x99,0x51,0x00,0xBD,0x16,0x48,0x46,0xFB,0x02,0xFA,0x7A,0xC3,0x73, + 0xBC,0x3B,0xB4,0x34,0x1C,0xBD,0x63,0x8D,0x12,0x97,0x66,0x8E,0x89,0x6C,0x79,0x8C, + 0xA9,0x77,0x49,0x92,0x7E,0xB2,0xF8,0xDE,0x58,0xB9,0xF1,0xEA,0xAF,0x74,0x94,0x46, + 0x1A,0x7B,0x5F,0x65,0x8D,0x08,0x38,0xBA,0xE4,0xB2,0xC2,0x27,0x05,0x76,0x38,0x1F, + 0x2B,0xFD,0x29,0x86,0xDA,0x38,0xB3,0x1E,0x37,0x38,0xE4,0x6F,0x81,0x35,0xA7,0x82, + 0x85,0xF5,0x8B,0xEC,0x24,0xD1,0xA1,0x12,0xFB,0x54,0xC4,0x51,0xA4,0x97,0xF2,0x0B, + 0xD4,0xE5,0x79,0x49,0x60,0x27,0x0D,0x5D, +}; + +/* subject:/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Trust Settings Test SSL Leaf */ +/* issuer :/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Trust Settings Test Sub CA */ +unsigned char _trustSettingsSSLLeaf[1059]={ + 0x30,0x82,0x04,0x1F,0x30,0x82,0x03,0x07,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0x81,0x94,0x54,0x10,0xDC,0xA5,0x98,0x17,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x7C,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C, + 
0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x14,0x30,0x12,0x06, + 0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63, + 0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75, + 0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67, + 0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x03,0x0C,0x1A,0x54,0x72,0x75,0x73,0x74, + 0x20,0x53,0x65,0x74,0x74,0x69,0x6E,0x67,0x73,0x20,0x54,0x65,0x73,0x74,0x20,0x53, + 0x75,0x62,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x33,0x32,0x30,0x30, + 0x30,0x31,0x30,0x35,0x37,0x5A,0x17,0x0D,0x31,0x37,0x30,0x33,0x32,0x30,0x30,0x30, + 0x31,0x30,0x35,0x37,0x5A,0x30,0x7E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, + 0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43, + 0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x14,0x30,0x12,0x06,0x03,0x55, + 0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31, + 0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69, + 0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x25, + 0x30,0x23,0x06,0x03,0x55,0x04,0x03,0x0C,0x1C,0x54,0x72,0x75,0x73,0x74,0x20,0x53, + 0x65,0x74,0x74,0x69,0x6E,0x67,0x73,0x20,0x54,0x65,0x73,0x74,0x20,0x53,0x53,0x4C, + 0x20,0x4C,0x65,0x61,0x66,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, + 0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01, + 0x0A,0x02,0x82,0x01,0x01,0x00,0xBC,0x1C,0xAC,0x0E,0x78,0xFC,0xFA,0x63,0x97,0x5B, + 0xE3,0xFB,0xE9,0x31,0x60,0x9C,0xAE,0x81,0x9F,0xE1,0x19,0x95,0xF1,0xE2,0x27,0x14, + 0x33,0x86,0xA3,0x11,0x16,0x35,0x36,0x93,0x05,0xB6,0x88,0xC1,0x97,0x52,0xAB,0x0D, + 0xA6,0x22,0xF2,0x5E,0xDF,0x9E,0x27,0x9F,0x82,0x4F,0x0B,0xAD,0x96,0x9D,0xD4,0x7A, + 0x85,0xEA,0x62,0x89,0x6E,0xD5,0xC1,0x0D,0xCD,0x0D,0x15,0x4D,0x66,0x1F,0xA9,0xA8, + 0xB3,0xFA,0xC1,0x59,0x74,0x69,0xE6,0xA5,0x4A,0xF2,0xA3,0xC9,0x5F,0x29,0x7D,0x9E, + 
0x49,0x5B,0x02,0x41,0x11,0x80,0x5C,0xD0,0x69,0x41,0x7C,0x05,0xFB,0xBA,0x0B,0xB6, + 0x10,0x6D,0x30,0xF3,0xB7,0x76,0x4A,0x32,0xCE,0xF0,0x50,0x74,0x70,0x1C,0x7A,0xE7, + 0x05,0x2A,0x01,0x00,0xB0,0xBB,0x22,0xB0,0xAD,0x7C,0x19,0xFD,0x5A,0xE3,0xC5,0xCD, + 0x51,0x15,0x97,0xF4,0xE4,0xEF,0x60,0x56,0x2C,0x92,0xB1,0xD4,0x9D,0xF9,0x26,0x1F, + 0x0C,0x11,0x2F,0x2F,0xA5,0xFA,0xD6,0x8E,0x87,0x1D,0xCC,0xA7,0xA0,0x3C,0x23,0xBB, + 0x52,0x30,0x11,0x13,0x43,0x7C,0xFE,0x63,0xEE,0xAE,0xAF,0xE6,0xED,0x07,0xD2,0x89, + 0xCB,0xC0,0xFE,0xF1,0xBF,0x75,0x18,0xA8,0xFF,0x34,0x9A,0x5C,0x28,0xEC,0x18,0x55, + 0x68,0xF7,0x24,0x30,0x94,0x49,0x23,0xCB,0xF1,0xE3,0xBE,0x1D,0x51,0xA3,0x2B,0x21, + 0x7D,0xFC,0x6E,0x93,0x19,0xE7,0xA5,0x26,0xFE,0xE2,0x5D,0xED,0x4A,0xD4,0xB9,0x60, + 0xE4,0xE7,0x77,0xA8,0xFF,0x13,0x06,0x0D,0x58,0x82,0x25,0x6D,0xEB,0xAC,0xA9,0x56, + 0xF9,0x2C,0x60,0xBB,0x66,0x77,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xA1,0x30,0x81, + 0x9E,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30, + 0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30, + 0x1D,0x06,0x03,0x55,0x1D,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x03,0x01,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x30,0x1F, + 0x06,0x03,0x55,0x1D,0x11,0x04,0x18,0x30,0x16,0x82,0x14,0x74,0x65,0x73,0x74,0x73, + 0x65,0x72,0x76,0x65,0x72,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30, + 0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xC6,0xED,0xD2,0x4E,0x23,0xC9, + 0xA9,0xC8,0x64,0x3A,0x55,0x51,0x0F,0x27,0x52,0xD6,0x18,0x12,0x66,0xC8,0x30,0x1F, + 0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xFD,0x26,0x89,0x9C,0xA6, + 0x9A,0xF6,0x33,0x48,0xA9,0x5D,0x0B,0xF6,0x90,0x2F,0xA6,0xC8,0x22,0x30,0x70,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0xB1,0x56,0x55,0xC7,0x1F,0xF6,0x15,0x59,0xA6,0x0B,0xC4,0xBB,0x48, + 0x53,0x1B,0xE7,0xC1,0x7F,0x72,0x65,0x0E,0xE9,0x08,0x22,0xF6,0x30,0x9C,0xB3,0xCA, + 
0xCF,0xDE,0x16,0x2C,0x90,0x30,0x59,0xC4,0xB2,0xE7,0x1E,0xD2,0xF3,0xD6,0x29,0x94, + 0xA3,0xD5,0xFA,0x98,0xC1,0xBF,0xD7,0xC3,0x52,0xBC,0xFF,0x6D,0xB6,0xE1,0xCE,0x1A, + 0x59,0xF9,0x68,0x6D,0x98,0x8B,0x48,0x7D,0xE6,0xD0,0x1F,0xFE,0xF7,0x9C,0x73,0x09, + 0x73,0x9B,0x5D,0xAF,0x88,0x37,0x35,0x1C,0x3F,0x9A,0x07,0xE0,0x3B,0x29,0x24,0x7F, + 0x04,0x9A,0xD2,0x3F,0xDE,0xF3,0x68,0x1D,0x16,0x8D,0xD0,0x4F,0xB6,0x83,0x19,0x70, + 0xBB,0x1F,0x21,0x91,0x49,0x3F,0x12,0x89,0xF6,0x88,0x8A,0x2F,0xDC,0x55,0x54,0xBE, + 0x78,0xDD,0x2F,0xC9,0x0C,0x7B,0x8C,0xA8,0x33,0x33,0x1D,0xA0,0x6D,0xA4,0xA6,0x6A, + 0xA4,0x49,0xD6,0x37,0x6D,0x95,0x15,0x0C,0xFA,0xA5,0xCF,0x5A,0x28,0xD9,0x37,0x5D, + 0xC5,0xC5,0x3A,0x30,0x8D,0x54,0xE4,0xAB,0x19,0x7A,0xF0,0x33,0xAE,0x64,0xA9,0x42, + 0x83,0xD2,0xF2,0x68,0x39,0xA2,0xE1,0x71,0x68,0x19,0x81,0x5A,0x9B,0xB4,0xDD,0xBC, + 0xA6,0xC7,0x19,0x40,0x87,0x50,0x6F,0x49,0xD2,0xC1,0x92,0x57,0xE4,0x5B,0x5F,0x41, + 0x85,0x22,0x33,0x8D,0xC7,0x0B,0x3F,0x55,0xC1,0x46,0x2C,0xB6,0xDE,0xF7,0x80,0x54, + 0xA5,0x62,0x0E,0xA3,0x24,0x14,0x9B,0xF1,0xEE,0x9D,0x7F,0x65,0xA2,0x1D,0x0C,0x32, + 0x86,0x81,0xDE,0xDC,0xD7,0xB6,0x06,0x3A,0xF6,0xF0,0x81,0x6A,0xBE,0xC4,0xA0,0x87, + 0xEA,0x6A,0x6C, +}; + +/* subject:/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Trust Settings Test SMIME Leaf */ +/* issuer :/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Trust Settings Test Sub CA */ +unsigned char _trustSettingsSMIMELeaf[1050]={ + 0x30,0x82,0x04,0x16,0x30,0x82,0x02,0xFE,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0x81,0x94,0x54,0x10,0xDC,0xA5,0x98,0x18,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x7C,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C, + 0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x14,0x30,0x12,0x06, + 0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63, + 
0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75, + 0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67, + 0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x03,0x0C,0x1A,0x54,0x72,0x75,0x73,0x74, + 0x20,0x53,0x65,0x74,0x74,0x69,0x6E,0x67,0x73,0x20,0x54,0x65,0x73,0x74,0x20,0x53, + 0x75,0x62,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x33,0x32,0x30,0x30, + 0x30,0x31,0x31,0x35,0x32,0x5A,0x17,0x0D,0x31,0x37,0x30,0x33,0x32,0x30,0x30,0x30, + 0x31,0x31,0x35,0x32,0x5A,0x30,0x81,0x80,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A, + 0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x14,0x30,0x12,0x06,0x03, + 0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E, + 0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72, + 0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31, + 0x27,0x30,0x25,0x06,0x03,0x55,0x04,0x03,0x0C,0x1E,0x54,0x72,0x75,0x73,0x74,0x20, + 0x53,0x65,0x74,0x74,0x69,0x6E,0x67,0x73,0x20,0x54,0x65,0x73,0x74,0x20,0x53,0x4D, + 0x49,0x4D,0x45,0x20,0x4C,0x65,0x61,0x66,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00, + 0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE7,0x42,0xF7,0x3B,0x41,0xB4,0x91, + 0xF6,0xC3,0x4F,0x5B,0x52,0x9C,0x4D,0x1E,0x0D,0x1F,0x1A,0xE8,0x07,0x14,0x00,0x48, + 0x00,0x18,0x13,0xA6,0xD0,0xC4,0x49,0x6A,0xC7,0x47,0xBE,0xC6,0x07,0x9F,0xED,0x81, + 0xC8,0x49,0x7C,0xC8,0x69,0x14,0x2D,0xAD,0xD4,0x98,0x58,0x1A,0x6D,0xCC,0x28,0x54, + 0xA1,0x13,0xAF,0x2A,0xB5,0xF5,0x4B,0x6F,0x97,0x85,0x33,0xE0,0x12,0xF8,0x06,0x95, + 0xA0,0x57,0x81,0xD1,0x51,0x4E,0x1B,0x29,0x80,0x9F,0x3C,0x49,0x34,0x28,0x61,0x59, + 0x6A,0x56,0xA1,0x13,0x52,0x1B,0x41,0x6E,0xE2,0xA7,0xE1,0x6E,0x10,0xCC,0x07,0x48, + 0x0C,0x36,0x25,0x35,0xD3,0xBB,0x8F,0x45,0xF9,0x37,0x4D,0xB4,0xC7,0x9E,0xFA,0x7F, + 
0x99,0xFC,0xB5,0x35,0xD7,0x96,0xC6,0xF7,0xF0,0x19,0x34,0xB6,0xD9,0x3C,0x82,0x38, + 0xBF,0x23,0x04,0x21,0x4A,0xFC,0xC1,0x8C,0x89,0xB1,0x45,0xFC,0x9B,0x4D,0xAE,0x28, + 0x4F,0xF6,0xD3,0x69,0xBB,0x3B,0xC5,0x5F,0x72,0xC7,0xD3,0xDF,0x70,0x97,0x7B,0xEE, + 0xD6,0x09,0xD6,0x21,0xF3,0xCF,0x8D,0x50,0xAF,0x48,0xDA,0x2C,0xEB,0x90,0x8E,0x1D, + 0xEE,0x94,0xA7,0xAB,0x21,0x0E,0xC8,0xE2,0xA1,0x7F,0x36,0x98,0x1A,0x99,0xDD,0x85, + 0x3A,0xEE,0xF0,0xE6,0x34,0x15,0x98,0x6D,0xA8,0x22,0x4E,0x4F,0x54,0x06,0xF1,0x1F, + 0xE0,0xDD,0x8E,0xB1,0xA5,0x94,0xA2,0xC5,0xD2,0xA3,0xEA,0xD9,0xD9,0x28,0x1B,0x4B, + 0x98,0x82,0x89,0x18,0x2D,0x7B,0x17,0xD6,0x92,0x5F,0x20,0x44,0xAF,0xD5,0x27,0x02, + 0x2C,0x2E,0x8F,0x14,0x20,0x70,0xA1,0xD4,0x65,0x02,0x03,0x01,0x00,0x01,0xA3,0x81, + 0x95,0x30,0x81,0x92,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02, + 0x30,0x00,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B, + 0x06,0x01,0x05,0x05,0x07,0x03,0x04,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01, + 0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x11,0x04,0x16, + 0x30,0x14,0x81,0x12,0x75,0x73,0x65,0x72,0x6E,0x61,0x6D,0x65,0x40,0x61,0x70,0x70, + 0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 0x14,0xC6,0xD8,0x0B,0xD7,0xD4,0x9E,0x84,0x41,0xB3,0x59,0x05,0x41,0xDF,0xC3,0x2A, + 0x77,0xBB,0x41,0x20,0x85,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, + 0x80,0x14,0xFD,0x26,0x89,0x9C,0xA6,0x9A,0xF6,0x33,0x48,0xA9,0x5D,0x0B,0xF6,0x90, + 0x2F,0xA6,0xC8,0x22,0x30,0x70,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, + 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x4B,0x02,0x37,0x7F,0xBA,0x3D, + 0xD5,0xDF,0xE9,0xD6,0x52,0x6D,0x39,0x23,0x83,0x1B,0xFB,0x17,0x15,0x1A,0x45,0x9E, + 0xF2,0x55,0xA3,0x2C,0x18,0xF1,0x01,0xA1,0x2D,0xAA,0x78,0x39,0xA8,0x5A,0xD5,0x9E, + 0x37,0xE4,0x50,0x31,0x7A,0x07,0x61,0xD8,0xE9,0x2A,0x32,0x1F,0x04,0x3F,0x27,0x03, + 0xDC,0x77,0x7F,0x1B,0xD7,0x45,0x55,0x1F,0x5B,0xCC,0x7A,0xF1,0x5C,0x74,0x9E,0xA5, + 
0x2A,0xA3,0xAC,0x63,0xBE,0x8B,0xEB,0x38,0x39,0xEC,0x53,0x9E,0x09,0x5A,0x86,0x2D, + 0x25,0x9C,0x78,0x85,0x02,0x07,0xE5,0xE2,0x98,0xB3,0x70,0x50,0x1A,0xAE,0x4F,0xF4, + 0x9F,0x89,0xA9,0x84,0xBF,0x6F,0x03,0x42,0x6B,0x12,0x0A,0x15,0x73,0x3F,0xC6,0x8B, + 0x32,0xDA,0x52,0x17,0xC5,0xC2,0x96,0x68,0xF7,0x31,0x1B,0x5D,0xB1,0x49,0x4C,0x2D, + 0xE7,0x3E,0x42,0xD6,0xF1,0x14,0xA9,0xBE,0x2F,0xD9,0x65,0xEB,0x0F,0x51,0x58,0x09, + 0x7D,0x4D,0x07,0x4B,0xE4,0x49,0x13,0x8B,0x70,0xA9,0x90,0x6C,0x9F,0x10,0xD2,0x8B, + 0x90,0xBE,0x63,0xF9,0x8E,0xF8,0x73,0x22,0xBE,0x54,0xEE,0x96,0x56,0x66,0xBC,0x2F, + 0x2A,0xC6,0x6B,0x84,0x67,0x4D,0xD8,0xF7,0xBA,0xCD,0x75,0x3B,0x73,0xEF,0x05,0x46, + 0x52,0xA4,0xF9,0xA7,0x03,0x29,0xA4,0x9A,0x11,0xAE,0x79,0xE5,0x53,0x3E,0xC5,0xD7, + 0x75,0x39,0x2D,0x82,0xC3,0x60,0x5F,0x12,0x9B,0x90,0x19,0xD6,0xB1,0xA4,0xF7,0x8B, + 0x62,0xF9,0x44,0x4E,0x15,0xA5,0xD3,0xFF,0x75,0x4E,0x44,0x84,0x78,0xCF,0x68,0x18, + 0xFE,0x46,0xEB,0xFE,0x0E,0x11,0xCB,0x34,0x53,0xAB, +}; + +#endif /* si_28_sectrustsettings_h */ diff --git a/OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.m b/OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.m new file mode 100644 index 00000000..17828427 --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-28-sectrustsettings.m 
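Review bot: The four fixture certificates this hunk introduces (`_trustSettingsRoot`, `_trustSettingsInt`, `_trustSettingsSSLLeaf`, `_trustSettingsSMIMELeaf`) are defined in the header as plain `unsigned char` arrays with external linkage, so a second translation unit that includes this header hits duplicate-symbol link errors and the DER bytes are writable at runtime. Declaring each as `static const unsigned char _trustSettingsRoot[1008]={` (and likewise for the other three) keeps each definition private to its includer and lets the compiler place the bytes in read-only storage; `SecCertificateCreateWithBytes` takes a const byte pointer, so the callers in the .m file do not change. File-scope identifiers beginning with an underscore are reserved in C, so dropping the leading underscore would also be safer. Decoding the validity fields in the hex, the intermediate and both leaves expire in March 2017, so the test's fixed verify date is what keeps them usable; a comment such as `/* valid 2016-03-20 .. 2017-03-20; evaluate with a pinned verify date */` next to each array would make that dependency visible to whoever regenerates the fixtures.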
@@ -0,0 +1,565 @@
+/*
+ * Copyright (c) 2008-2010,2012,2016 Apple Inc. All Rights Reserved.
+ */
+
+#include <Foundation/Foundation.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecItem.h>
+#include <Security/SecItemPriv.h>
+#include <Security/SecPolicy.h>
+#include <Security/SecPolicyPriv.h>
+#include <Security/SecTrust.h>
+#include <Security/SecTrustSettings.h>
+#include <Security/SecTrustSettingsPriv.h>
+#include <utilities/SecCFRelease.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#if TARGET_OS_IPHONE
+#include <Security/SecTrustStore.h>
+#else
+#include <Security/SecKeychain.h>
+#endif
+
+#include "shared_regressions.h"
+
+#include "si-28-sectrustsettings.h"
+
+/* Of course, the interface is different for OS X and iOS. */
+/* each call is 1 test */
+#if TARGET_OS_IPHONE
+#define setTS(cert, settings) \
+{ \
+ ok_status(SecTrustStoreSetTrustSettings(defaultStore, cert, settings), \
+ "set trust settings"); \
+}
+#else
+/* Use admin store on OS X to avoid user prompts.
+ * Sleep a little so trustd has time to get the KeychainEvent.
 */
+#define setTS(cert, settings) \
+{ \
+ ok_status(SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainAdmin, \
+ settings), "set trust settings"); \
+ usleep(20000); \
+}
+#endif
+
+#if TARGET_OS_IPHONE
+#define setTSFail(cert, settings) \
+{ \
+ is(SecTrustStoreSetTrustSettings(defaultStore, cert, settings), errSecParam, \
+ "set trust settings"); \
+}
+#else
+#define setTSFail(cert, settings) \
+{ \
+ is(SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainAdmin, \
+ settings), errSecParam, "set trust settings"); \
+}
+#endif
+
+/* each call is 1 test */
+#if TARGET_OS_IPHONE
+#define removeTS(cert) \
+{ \
+ ok_status(SecTrustStoreRemoveCertificate(defaultStore, cert), \
+ "remove trust settings"); \
+}
+#else
+#define removeTS(cert) \
+{ \
+ ok_status(SecTrustSettingsRemoveTrustSettings(cert, kSecTrustSettingsDomainAdmin), \
+ "remove trust settings"); \
+}
+#endif
+
+/* each call is 4 tests */
+#define check_trust(certs, policy, valid_date, expected) \
+{ \
+ SecTrustRef trust = NULL; \
+ SecTrustResultType trust_result; \
+ ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), \
+ "create trust with " #policy " policy"); \
+ ok_status(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)valid_date), \
+ "set trust verify date"); \
+ ok_status(SecTrustEvaluate(trust, &trust_result), "evaluate trust"); \
+ is(trust_result, expected, \
+ "check trust result for " #policy " policy"); \
+ CFReleaseSafe(trust); \
+}
+
+static SecCertificateRef cert0 = NULL;
+static SecCertificateRef cert1 = NULL;
+static SecCertificateRef cert2 = NULL;
+static SecCertificateRef cert3 = NULL;
+static SecPolicyRef sslPolicy = NULL;
+static SecPolicyRef smimePolicy = NULL;
+static SecPolicyRef basicPolicy = NULL;
+static CFArrayRef sslChain = NULL;
+static CFArrayRef smimeChain = NULL;
+static NSDate *verify_date = nil;
+
+#if TARGET_OS_IPHONE
+static SecTrustStoreRef defaultStore = NULL;
+#else
+#define kSystemLoginKeychainPath 
"/Library/Keychains/System.keychain"
+static NSMutableArray *deleteMeCertificates = NULL;
+#endif
+
+
+static void setup_globals(void) {
+
+ cert0 = SecCertificateCreateWithBytes(NULL, _trustSettingsRoot, sizeof(_trustSettingsRoot));
+ cert1 = SecCertificateCreateWithBytes(NULL, _trustSettingsInt, sizeof(_trustSettingsInt));
+ cert2 = SecCertificateCreateWithBytes(NULL, _trustSettingsSSLLeaf, sizeof(_trustSettingsSSLLeaf));
+ cert3 = SecCertificateCreateWithBytes(NULL, _trustSettingsSMIMELeaf, sizeof(_trustSettingsSMIMELeaf));
+
+ sslPolicy = SecPolicyCreateSSL(true, CFSTR("testserver.apple.com"));
+ smimePolicy = SecPolicyCreateSMIME(kSecAnyEncryptSMIME, CFSTR("username@apple.com"));
+ basicPolicy = SecPolicyCreateBasicX509();
+
+ const void *v_certs1[] = { cert2, cert1, cert0 };
+ sslChain = CFArrayCreate(NULL, v_certs1, sizeof(v_certs1)/sizeof(*v_certs1), &kCFTypeArrayCallBacks);
+
+ const void *v_certs2[] = { cert3, cert1, cert0 };
+ smimeChain = CFArrayCreate(NULL, v_certs2, sizeof(v_certs2)/sizeof(*v_certs2), &kCFTypeArrayCallBacks);
+
+ verify_date = [NSDate dateWithTimeIntervalSinceReferenceDate:482000000.0]; // Apr 10 2016
+
+#if TARGET_OS_IPHONE
+ defaultStore = SecTrustStoreForDomain(kSecTrustStoreDomainUser);
+#else
+ /* Since we're putting trust settings in the admin domain,
+ * we need to add the certs to the system keychain.
 */
+ SecKeychainRef kcRef = NULL;
+ CFArrayRef certRef = NULL;
+ NSDictionary *attrs = nil;
+
+ SecKeychainOpen(kSystemLoginKeychainPath, &kcRef);
+ if (!kcRef) {
+ goto out;
+ }
+
+ deleteMeCertificates = [[NSMutableArray alloc] init];
+
+ attrs = @{(__bridge NSString*)kSecValueRef: (__bridge id)cert0,
+ (__bridge NSString*)kSecUseKeychain: (__bridge id)kcRef,
+ (__bridge NSString*)kSecReturnPersistentRef: @YES};
+ if (SecItemAdd((CFDictionaryRef)attrs, (void *)&certRef) == 0)
+ [deleteMeCertificates addObject:(__bridge NSArray *)certRef];
+ CFReleaseNull(certRef);
+
+ attrs = @{(__bridge NSString*)kSecValueRef: (__bridge id)cert1,
+ (__bridge NSString*)kSecUseKeychain: (__bridge id)kcRef,
+ (__bridge NSString*)kSecReturnPersistentRef: @YES};
+ if (SecItemAdd((CFDictionaryRef)attrs, (void *)&certRef) == 0)
+ [deleteMeCertificates addObject:(__bridge NSArray *)certRef];
+ CFReleaseNull(certRef);
+
+ attrs = @{(__bridge NSString*)kSecValueRef: (__bridge id)cert2,
+ (__bridge NSString*)kSecUseKeychain: (__bridge id)kcRef,
+ (__bridge NSString*)kSecReturnPersistentRef: @YES};
+ if (SecItemAdd((CFDictionaryRef)attrs, (void *)&certRef) == 0)
+ [deleteMeCertificates addObject:(__bridge NSArray *)certRef];
+ CFReleaseNull(certRef);
+
+ attrs = @{(__bridge NSString*)kSecValueRef: (__bridge id)cert3,
+ (__bridge NSString*)kSecUseKeychain: (__bridge id)kcRef,
+ (__bridge NSString*)kSecReturnPersistentRef: @YES};
+ if (SecItemAdd((CFDictionaryRef)attrs, (void *)&certRef) == 0)
+ [deleteMeCertificates addObject:(__bridge NSArray *)certRef];
+ CFReleaseNull(certRef);
+
+ out:
+ CFReleaseNull(kcRef);
+#endif
+}
+
+static void cleanup_globals(void) {
+#if !TARGET_OS_IPHONE
+ [deleteMeCertificates enumerateObjectsUsingBlock:^(id _Nonnull obj, NSUInteger idx, BOOL * _Nonnull stop) {
+ SecItemDelete((CFDictionaryRef)@{ (__bridge NSString*)kSecValuePersistentRef: [obj objectAtIndex:0]});
+ }];
+#endif
+
+ CFReleaseNull(cert0);
+ CFReleaseNull(cert1);
+ CFReleaseNull(cert2);
+
CFReleaseNull(cert3);
+ CFReleaseNull(sslPolicy);
+ CFReleaseNull(smimePolicy);
+ CFReleaseNull(basicPolicy);
+ CFReleaseNull(sslChain);
+ CFReleaseNull(smimeChain);
+}
+
+#define kNumberNoConstraintsTests (17+7*4)
+static void test_no_constraints(void) {
+ /* root with the default TrustRoot result succeeds */
+ setTS(cert0, NULL);
+ check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified);
+ removeTS(cert0);
+
+ /* intermediate with the default TrustRoot result fails */
+ setTSFail(cert1, NULL);
+
+ /* root with TrustRoot result succeeds */
+ NSDictionary *trustRoot = @{ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustRoot)};
+ setTS(cert0, (__bridge CFDictionaryRef)trustRoot);
+ check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified);
+ removeTS(cert0);
+
+ /* intermediate with TrustRoot fails to set */
+ setTSFail(cert1, (__bridge CFDictionaryRef)trustRoot);
+
+ /* root with TrustAsRoot fails to set */
+ NSDictionary *trustAsRoot = @{ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot)};
+ setTSFail(cert0, (__bridge CFDictionaryRef)trustAsRoot);
+
+ /* intermediate with TrustAsRoot result succeeds */
+ setTS(cert1, (__bridge CFDictionaryRef)trustAsRoot);
+ check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified);
+ removeTS(cert1);
+
+ /* trusting the root but denying the intermediate fails */
+ NSDictionary *deny = @{ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultDeny)};
+ setTS(cert0, NULL);
+ setTS(cert1, (__bridge CFDictionaryRef)deny);
+ check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultDeny);
+ removeTS(cert1);
+ removeTS(cert0);
+
+ /* the unspecified result gives us default behavior */
+ NSDictionary *unspecified = @{ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified)};
+ setTS(cert1, (__bridge CFDictionaryRef)unspecified);
+ check_trust(sslChain, basicPolicy, verify_date, 
kSecTrustResultRecoverableTrustFailure);
+ removeTS(cert1);
+
+ /* trusting one leaf doesn't make other leaf trusted */
+ setTS(cert2, (__bridge CFDictionaryRef)trustAsRoot);
+ check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified);
+ check_trust(smimeChain, basicPolicy, verify_date, kSecTrustResultRecoverableTrustFailure);
+ removeTS(cert2);
+}
+
+#define kNumberPolicyConstraintsTests (2+3*4)
+static void test_policy_constraints(void) {
+ /* Trust only for SSL server. SSL server policy succeeds. */
+ NSDictionary *sslServerAllowed = @{ (__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)sslPolicy,
+ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot) };
+ setTS(cert1, (__bridge CFDictionaryRef)sslServerAllowed);
+ check_trust(sslChain, sslPolicy, verify_date, kSecTrustResultUnspecified);
+
+ /* SSL client policy fails. */
+ SecPolicyRef sslClient = SecPolicyCreateSSL(false, NULL);
+ check_trust(sslChain, sslClient, verify_date, kSecTrustResultRecoverableTrustFailure);
+ CFReleaseNull(sslClient);
+
+ /* Basic policy fails */
+ check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultRecoverableTrustFailure);
+ removeTS(cert1);
+}
+
+#define kNumberPolicyStringConstraintsTests (4+6*4)
+static void test_policy_string_constraints(void) {
+ NSArray *hostnameAllowed = @[ @{ (__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)sslPolicy,
+ (__bridge NSString*)kSecTrustSettingsPolicyString: @("wrongname.apple.com"),
+ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultDeny) },
+ @{ (__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)sslPolicy,
+ (__bridge NSString*)kSecTrustSettingsPolicyString: @("testserver.apple.com"),
+ (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot) }
+ ];
+ setTS(cert2, (__bridge CFArrayRef)hostnameAllowed);
+ /* evaluating against trusted hostname passes */
+ check_trust(sslChain, sslPolicy, verify_date, 
kSecTrustResultUnspecified); + + /* evaluating against hostname not in trust settings is recoverable failure */ + SecPolicyRef weirdnamePolicy = SecPolicyCreateSSL(true, CFSTR("weirdname.apple.com")); + check_trust(sslChain, weirdnamePolicy, verify_date, kSecTrustResultRecoverableTrustFailure); + CFReleaseNull(weirdnamePolicy); + + /* evaluating against hostname denied by trust settings is denied */ + SecPolicyRef wrongnamePolicy = SecPolicyCreateSSL(true, CFSTR("wrongname.apple.com")); + check_trust(sslChain, wrongnamePolicy, verify_date, kSecTrustResultDeny); + CFReleaseNull(wrongnamePolicy); + removeTS(cert2); + + NSArray *emailAllowed = @[ @{ (__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)smimePolicy, + (__bridge NSString*)kSecTrustSettingsPolicyString: @("wrongemail@apple.com"), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultDeny) }, + @{ (__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)smimePolicy, + (__bridge NSString*)kSecTrustSettingsPolicyString: @("username@apple.com"), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot) } + ]; + setTS(cert3, (__bridge CFArrayRef)emailAllowed); + /* evaluating against trusted email passes */ + check_trust(smimeChain, smimePolicy, verify_date, kSecTrustResultUnspecified); + + /* evaluating against hostname not in trust settings is recoverable failure */ + SecPolicyRef weirdemailPolicy = SecPolicyCreateSMIME(kSecAnyEncryptSMIME, CFSTR("weirdemail@apple.com")); + check_trust(smimeChain, weirdemailPolicy, verify_date, kSecTrustResultRecoverableTrustFailure); + CFReleaseNull(weirdemailPolicy); + + /* evaluating against hostname denied by trust settings is denied */ + SecPolicyRef wrongemailPolicy = SecPolicyCreateSMIME(kSecAnyEncryptSMIME, CFSTR("wrongemail@apple.com")); + check_trust(smimeChain, wrongemailPolicy, verify_date, kSecTrustResultDeny); + CFReleaseNull(wrongemailPolicy); + removeTS(cert3); +} + +#if TARGET_OS_IPHONE +#define 
kNumberApplicationsConstraintsTests 0 +static void test_application_constraints(void) {} +#else +#include <Security/SecTrustedApplicationPriv.h> +#define kNumberApplicationsConstraintsTests (2+4+2*4) +static void test_application_constraints(void) { + SecTrustedApplicationRef thisApp = NULL, someOtherApp = NULL; + + ok_status(SecTrustedApplicationCreateFromPath(NULL, &thisApp), + "create TrustedApplicationRef for this app"); + ok_status(SecTrustedApplicationCreateFromPath("/Applications/Safari.app", &someOtherApp), + "create TrustedApplicationRef for Safari"); + + NSDictionary *thisAppTS = @{ (__bridge NSString*)kSecTrustSettingsApplication: (__bridge id)thisApp, + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustRoot)}; + + NSDictionary *someOtherAppTS = @{ (__bridge NSString*)kSecTrustSettingsApplication: (__bridge id)someOtherApp, + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustRoot)}; + + /* This application Trust Setting succeeds */ + setTS(cert0, (__bridge CFDictionaryRef)thisAppTS); + check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified); + removeTS(cert0); + + /* Some other application Trust Setting fails */ + setTS(cert0, (__bridge CFDictionaryRef)someOtherAppTS); + check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultRecoverableTrustFailure); + removeTS(cert0); + + CFReleaseNull(thisApp); + CFReleaseNull(someOtherApp); +} +#endif + +#define kNumberKeyUsageConstraintsTests (14+11*4) +static void test_key_usage_constraints(void) { + /* any key usage succeeds */ + NSDictionary *anyKeyUse = @{ (__bridge NSString*)kSecTrustSettingsKeyUsage: @(kSecTrustSettingsKeyUseAny), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustRoot)}; + setTS(cert0, (__bridge CFDictionaryRef)anyKeyUse); + check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified); + removeTS(cert0); + + /* signCert key usage on an intermediate or root succeeds */ + 
NSDictionary *signCertUseRoot = @{ (__bridge NSString*)kSecTrustSettingsKeyUsage: @(kSecTrustSettingsKeyUseSignCert), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustRoot)}; + setTS(cert0, (__bridge CFDictionaryRef)signCertUseRoot); + check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified); + removeTS(cert0) + + NSDictionary *signCertUseInt = @{ (__bridge NSString*)kSecTrustSettingsKeyUsage: @(kSecTrustSettingsKeyUseSignCert), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot)}; + setTS(cert1, (__bridge CFDictionaryRef)signCertUseInt); + check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified); + removeTS(cert1); + + /* intermediate without signCert key usage fails */ + NSDictionary *signatureUse = @{ (__bridge NSString*)kSecTrustSettingsKeyUsage: @(kSecTrustSettingsKeyUseSignature), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot)}; + setTS(cert1, (__bridge CFDictionaryRef)signatureUse); + check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultRecoverableTrustFailure); + removeTS(cert1); + + /* brief interlude to create a bunch of SMIME policies with different key usages */ + SecPolicyRef smimeSignature = SecPolicyCreateSMIME(kSecSignSMIMEUsage, CFSTR("username@apple.com")); + SecPolicyRef smimeDataEncrypt = SecPolicyCreateSMIME(kSecDataEncryptSMIMEUsage, CFSTR("username@apple.com")); + SecPolicyRef smimeKeyEncrypt = SecPolicyCreateSMIME(kSecKeyEncryptSMIMEUsage, CFSTR("username@apple.com")); + SecPolicyRef smimeKeyExchange = SecPolicyCreateSMIME(kSecKeyExchangeBothSMIMEUsage, CFSTR("username@apple.com")); + SecPolicyRef smimeMultiple = SecPolicyCreateSMIME((kSecSignSMIMEUsage | kSecKeyEncryptSMIMEUsage), + CFSTR("username@apple.com")); + + /* signature smime policy passes for signature use TS*/ + setTS(cert3, (__bridge CFDictionaryRef)signatureUse); + check_trust(smimeChain, smimeSignature, verify_date, 
kSecTrustResultUnspecified); + + /* any use policy fails for signature use TS */ + check_trust(smimeChain, smimePolicy, verify_date, kSecTrustResultRecoverableTrustFailure); + + /* multiple use smime policy against signature use */ + check_trust(smimeChain, smimeMultiple, verify_date, kSecTrustResultRecoverableTrustFailure); + removeTS(cert3); + + /* key encrypt smime policy passes for key encrypt use */ + NSDictionary *keyEncryptUse = @{ (__bridge NSString*)kSecTrustSettingsKeyUsage: @(kSecTrustSettingsKeyUseEnDecryptKey), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot)}; + setTS(cert3, (__bridge CFDictionaryRef)keyEncryptUse); + check_trust(smimeChain, smimeKeyEncrypt, verify_date, kSecTrustResultUnspecified); + removeTS(cert3); + + /* multiple use smime policy against multiple uses */ + NSDictionary *multipleUse = @{ (__bridge NSString*)kSecTrustSettingsKeyUsage: @(kSecTrustSettingsKeyUseEnDecryptKey | + kSecTrustSettingsKeyUseSignature), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot)}; + setTS(cert3, (__bridge CFDictionaryRef)multipleUse) + check_trust(smimeChain, smimeMultiple, verify_date, kSecTrustResultUnspecified); + + /* signature smime policy against multiple uses */ + check_trust(smimeChain, smimeSignature, verify_date, kSecTrustResultRecoverableTrustFailure); + + /* any use smime policy against multiple uses */ + check_trust(smimeChain, smimePolicy, verify_date, kSecTrustResultRecoverableTrustFailure); + removeTS(cert3); + + CFReleaseNull(smimeSignature); + CFReleaseNull(smimeDataEncrypt); + CFReleaseNull(smimeKeyEncrypt); + CFReleaseNull(smimeKeyExchange); + CFReleaseNull(smimeMultiple); +} + +#define kNumberAllowedErrorsTests (14+8*4) +static void test_allowed_errors(void) { + setTS(cert0, NULL); + + /* allow expired errors */ + NSDate *expired_date = [NSDate dateWithTimeIntervalSinceReferenceDate:520000000.0]; // Jun 24 2017 + check_trust(sslChain, basicPolicy, expired_date, 
kSecTrustResultRecoverableTrustFailure); + + NSDictionary *allowExpired = @{ (__bridge NSString*)kSecTrustSettingsAllowedError: @(-2147409654), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified)}; + setTS(cert1, (__bridge CFDictionaryRef)allowExpired) + setTS(cert2, (__bridge CFDictionaryRef)allowExpired); + check_trust(sslChain, basicPolicy, expired_date, kSecTrustResultUnspecified); + removeTS(cert2); + removeTS(cert1); + + /* allow hostname mismatch errors */ + SecPolicyRef wrongNameSSL = NULL; + wrongNameSSL = SecPolicyCreateSSL(true, CFSTR("wrongname.apple.com")); + check_trust(sslChain, wrongNameSSL, verify_date, kSecTrustResultRecoverableTrustFailure); + + NSDictionary *allowHostnameMismatch = @{ (__bridge NSString*)kSecTrustSettingsAllowedError: @(-2147408896), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified) }; + setTS(cert2, (__bridge CFDictionaryRef)allowHostnameMismatch); + sleep(1); // sleep a little extra so trustd gets trust settings event before evaluating leaf + check_trust(sslChain, wrongNameSSL, verify_date, kSecTrustResultUnspecified); + removeTS(cert2); + CFReleaseNull(wrongNameSSL); + + /* allow email mismatch errors */ + SecPolicyRef wrongNameSMIME = NULL; + wrongNameSMIME = SecPolicyCreateSMIME(kSecAnyEncryptSMIME, CFSTR("test@apple.com")); + check_trust(smimeChain, wrongNameSMIME, verify_date, kSecTrustResultRecoverableTrustFailure); + + NSDictionary *allowEmailMismatch = @{ (__bridge NSString*)kSecTrustSettingsAllowedError: @(-2147408872), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified) }; + setTS(cert3, (__bridge CFDictionaryRef)allowEmailMismatch); + sleep(1); // sleep a little extra so trustd gets trust settings event before evaluating leaf + check_trust(smimeChain, wrongNameSMIME, verify_date, kSecTrustResultUnspecified); + removeTS(cert3); + CFReleaseNull(wrongNameSMIME); + + /* allowed error with a policy constraint */ + 
NSDictionary *allowExpiredConstrained = @{ (__bridge NSString*)kSecTrustSettingsAllowedError: @(-2147409654), + (__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)sslPolicy, + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified)}; + setTS(cert1, (__bridge CFDictionaryRef)allowExpiredConstrained) + setTS(cert2, (__bridge CFDictionaryRef)allowExpiredConstrained); + check_trust(sslChain, sslPolicy, expired_date, kSecTrustResultUnspecified); + check_trust(sslChain, basicPolicy, expired_date, kSecTrustResultRecoverableTrustFailure); + removeTS(cert2); + removeTS(cert1); + + removeTS(cert0); +} + +#define kNumberMultipleConstraintsTests (8+9*4) +static void test_multiple_constraints(void) { + /* deny all but */ + NSArray *denyAllBut = @[ + @{(__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)sslPolicy , + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustRoot)}, + @{(__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultDeny) } + ]; + setTS(cert0, (__bridge CFArrayRef)denyAllBut); + check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultDeny); + check_trust(sslChain, sslPolicy, verify_date, kSecTrustResultUnspecified); + removeTS(cert0); + + /* allow all but */ + NSArray *allowAllBut = @[ + @{(__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)sslPolicy , + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified)}, + @{(__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustRoot) } + ]; + setTS(cert0, (__bridge CFArrayRef)allowAllBut); + check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified); + check_trust(sslChain, sslPolicy, verify_date, kSecTrustResultRecoverableTrustFailure); + removeTS(cert0); + + /* different results for specific policies */ + NSArray *specifyPolicyResult = @[ + @{(__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)sslPolicy, + (__bridge NSString*)kSecTrustSettingsResult: 
@(kSecTrustSettingsResultDeny)}, + @{(__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)basicPolicy, + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustRoot) } + ]; + setTS(cert0, (__bridge CFArrayRef)specifyPolicyResult); + check_trust(sslChain, basicPolicy, verify_date, kSecTrustResultUnspecified); + check_trust(sslChain, sslPolicy, verify_date, kSecTrustResultDeny); + check_trust(smimeChain, smimePolicy, verify_date, kSecTrustResultRecoverableTrustFailure); + removeTS(cert0); + + /* different results for additional constraint with same policy */ + NSArray *policyConstraintResult = @[ + @{(__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)sslPolicy, + (__bridge NSString*)kSecTrustSettingsPolicyString: @("wrongname.apple.com"), + (__bridge NSString*)kSecTrustSettingsAllowedError: @(-2147408896), + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultTrustAsRoot)}, + @{(__bridge NSString*)kSecTrustSettingsPolicy: (__bridge id)sslPolicy, + (__bridge NSString*)kSecTrustSettingsResult: @(kSecTrustSettingsResultUnspecified) } + ]; + SecPolicyRef wrongNameSSL = NULL; + wrongNameSSL = SecPolicyCreateSSL(true, CFSTR("wrongname.apple.com")); + setTS(cert2, (__bridge CFArrayRef)policyConstraintResult); + sleep(1); // sleep a little extra so trustd gets trust settings event before evaluating leaf + check_trust(sslChain, wrongNameSSL, verify_date, kSecTrustSettingsResultUnspecified); + check_trust(sslChain, sslPolicy, verify_date, kSecTrustResultRecoverableTrustFailure); + removeTS(cert2); + CFReleaseNull(wrongNameSSL); + +} + +int si_28_sectrustsettings(int argc, char *const *argv) +{ + plan_tests(kNumberNoConstraintsTests + + kNumberPolicyConstraintsTests + + kNumberPolicyStringConstraintsTests + + kNumberApplicationsConstraintsTests + + kNumberKeyUsageConstraintsTests + + kNumberAllowedErrorsTests + + kNumberMultipleConstraintsTests); + +#if !TARGET_OS_IPHONE + if (getuid() != 0) { + printf("Test must be run as root 
on OS X"); + return 0; + } +#endif + + @autoreleasepool { + setup_globals(); + test_no_constraints(); + test_policy_constraints(); + test_policy_string_constraints(); + test_application_constraints(); + test_key_usage_constraints(); + test_allowed_errors(); + test_multiple_constraints(); + cleanup_globals(); + } + + return 0; +} diff --git a/OSX/sec/Security/Regressions/secitem/si-29-sectrust-codesigning.c b/OSX/sec/Security/Regressions/secitem/si-29-sectrust-codesigning.c deleted file mode 100644 index c950a399..00000000 --- a/OSX/sec/Security/Regressions/secitem/si-29-sectrust-codesigning.c +++ /dev/null 
@@ -1,695 +0,0 @@
-/*
- * Copyright (c) 2007-2010,2012-2013 Apple Inc. All Rights Reserved.
- */
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/SecCertificate.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecPolicyPriv.h>
-#include <Security/SecTrust.h>
-#include <Security/SecTrustPriv.h>
-#include <Security/SecKey.h>
-#include <Security/SecInternal.h>
-#include <utilities/array_size.h>
-#include <CommonCrypto/CommonDigest.h>
-#include <utilities/SecInternalReleasePriv.h>
-
-#include <stdlib.h>
-#include <unistd.h>
-
-#include "Security_regressions.h"
-
-/* subject:/CN=iPhone Developer: Katherine Kojima/OU=Core OS Plus Others/O=Core OS Plus Others/C=usa */
-/* issuer :/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority */
-static unsigned char codesigning_certificate[1415]={
-0x30,0x82,0x05,0x83,0x30,0x82,0x04,0x6B,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x70,
-0xA9,0x16,0x20,0x02,0xA2,0xD4,0x50,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,
-0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x96,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,
-0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,
-0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2C,0x30,0x2A,0x06,
-0x03,0x55,0x04,0x0B,0x0C,0x23,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,
-0x64,0x77,0x69,0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,
-0x52,0x65,0x6C,0x61,0x74,0x69,0x6F,0x6E,0x73,0x31,0x44,0x30,0x42,0x06,0x03,0x55,
-0x04,0x03,0x0C,0x3B,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77,
-0x69,0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65,
-0x6C,0x61,0x74,0x69,0x6F,0x6E,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,
-0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,
-0x1E,0x17,0x0D,0x30,0x38,0x30,0x33,0x32,0x36,0x31,0x37,0x30,0x37,0x34,0x36,0x5A,
-0x17,0x0D,0x30,0x38,0x30,0x39,0x32,0x34,0x31,0x37,0x30,0x37,0x34,0x36,0x5A,0x30, -0x77,0x31,0x2B,0x30,0x29,0x06,0x03,0x55,0x04,0x03,0x0C,0x22,0x69,0x50,0x68,0x6F, -0x6E,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x3A,0x20,0x4B,0x61, -0x74,0x68,0x65,0x72,0x69,0x6E,0x65,0x20,0x4B,0x6F,0x6A,0x69,0x6D,0x61,0x31,0x1C, -0x30,0x1A,0x06,0x03,0x55,0x04,0x0B,0x0C,0x13,0x43,0x6F,0x72,0x65,0x20,0x4F,0x53, -0x20,0x50,0x6C,0x75,0x73,0x20,0x4F,0x74,0x68,0x65,0x72,0x73,0x31,0x1C,0x30,0x1A, -0x06,0x03,0x55,0x04,0x0A,0x0C,0x13,0x43,0x6F,0x72,0x65,0x20,0x4F,0x53,0x20,0x50, -0x6C,0x75,0x73,0x20,0x4F,0x74,0x68,0x65,0x72,0x73,0x31,0x0C,0x30,0x0A,0x06,0x03, -0x55,0x04,0x06,0x13,0x03,0x75,0x73,0x61,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09, -0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00, -0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xD4,0x2B,0xF2,0x10,0x71,0x0B,0xBB, -0x3D,0xA0,0x1A,0x32,0x41,0xBC,0xA9,0x55,0xF4,0xFB,0x6C,0x9C,0xB5,0x32,0x52,0x10, -0x7E,0x41,0xF4,0x2C,0x18,0x3A,0x4F,0x32,0x9D,0xA3,0x64,0x28,0xDD,0x94,0xD0,0xB8, -0x3F,0xF9,0x7C,0x62,0xE6,0xF5,0xF1,0x16,0x0D,0x7F,0xBA,0xEC,0xBF,0xD9,0x95,0xD4, -0x7A,0xD7,0x4D,0x32,0x0F,0xCD,0x6D,0xBC,0xF3,0x10,0xDE,0xE8,0x5D,0xA1,0xDA,0x98, -0x8F,0x6C,0x75,0xF7,0x7B,0xBE,0x33,0x43,0xBD,0x95,0xFA,0x35,0xD6,0x77,0x81,0x68, -0x02,0x9C,0x41,0x99,0x0B,0x53,0x5F,0x58,0xF3,0x85,0x4C,0xAB,0x06,0xC2,0xC0,0xC4, -0xD8,0x68,0x64,0xE3,0x14,0x5F,0x62,0x75,0xD5,0x66,0x9B,0xEE,0x4A,0x49,0xBA,0xC7, -0x7B,0xD1,0xE6,0x96,0x9D,0xE5,0xEF,0x99,0x0E,0x87,0xEC,0xE3,0xA4,0x54,0x3E,0x19, -0xBB,0x87,0x53,0x9C,0x3C,0x6A,0x94,0x6B,0x22,0x1A,0x01,0xAF,0x21,0xD5,0xDA,0xB0, -0x92,0xE0,0x70,0x61,0xDD,0xC1,0x37,0x60,0x1F,0xC3,0xB0,0xFC,0xB3,0x00,0x4A,0x56, -0x9D,0x70,0xC3,0xDE,0x66,0xD0,0xEF,0x39,0x88,0x48,0xBD,0x6D,0xA6,0xB2,0x2C,0x0A, -0x78,0xCE,0x05,0x62,0x9B,0xE9,0x18,0x4E,0x59,0xC8,0xDC,0xD3,0xDF,0xB6,0x77,0xB5, -0xA3,0xDA,0x62,0x15,0x9A,0x50,0x1E,0x28,0x55,0x70,0xC2,0xB7,0x97,0x63,0x00,0x1E, 
-0x0E,0x3A,0x8B,0xA6,0x13,0xE5,0xE0,0xD6,0xE6,0xFA,0x61,0xDE,0x5F,0x30,0x72,0xAA, -0xE4,0xBA,0x21,0x74,0x63,0x4A,0xF2,0x18,0x4C,0x99,0x8D,0x75,0x27,0x91,0xF9,0xD4, -0x08,0xAE,0xB6,0xDA,0x69,0x33,0x06,0x7F,0x17,0x02,0x03,0x01,0x00,0x01,0xA3,0x82, -0x01,0xF1,0x30,0x82,0x01,0xED,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF, -0x04,0x02,0x30,0x00,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04, -0x03,0x02,0x07,0x80,0x30,0x16,0x06,0x03,0x55,0x1D,0x25,0x01,0x01,0xFF,0x04,0x0C, -0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,0x30,0x1D,0x06,0x03, -0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x6A,0x6D,0x56,0xC6,0xA5,0x0E,0xC2,0x97,0xF7, -0x17,0x48,0xBE,0xA0,0x07,0xFF,0x77,0xE9,0xEF,0xB2,0xED,0x30,0x1F,0x06,0x03,0x55, -0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x88,0x27,0x17,0x09,0xA9,0xB6,0x18,0x60, -0x8B,0xEC,0xEB,0xBA,0xF6,0x47,0x59,0xC5,0x52,0x54,0xA3,0xB7,0x30,0x82,0x01,0x0F, -0x06,0x03,0x55,0x1D,0x20,0x04,0x82,0x01,0x06,0x30,0x82,0x01,0x02,0x30,0x81,0xFF, -0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF1,0x30,0x81, -0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x81,0xB6,0x0C,0x81, -0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63,0x65,0x20,0x6F,0x6E,0x20,0x74,0x68,0x69, -0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x62,0x79, -0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72,0x74,0x79,0x20,0x61,0x73,0x73,0x75,0x6D, -0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70,0x74,0x61,0x6E,0x63,0x65,0x20,0x6F,0x66, -0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65,0x6E,0x20,0x61,0x70,0x70,0x6C,0x69,0x63, -0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61,0x6E,0x64,0x61,0x72,0x64,0x20,0x74,0x65, -0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20,0x63,0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F, -0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65,0x2C,0x20,0x63,0x65,0x72,0x74,0x69, -0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70,0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x6E, -0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20, 
-0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65,0x20,0x73,0x74,0x61,0x74,0x65,0x6D,0x65, -0x6E,0x74,0x73,0x2E,0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01, -0x16,0x1D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70, -0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x30, -0x4D,0x06,0x03,0x55,0x1D,0x1F,0x04,0x46,0x30,0x44,0x30,0x42,0xA0,0x40,0xA0,0x3E, -0x86,0x3C,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x64,0x65,0x76,0x65,0x6C,0x6F,0x70, -0x65,0x72,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x65,0x72, -0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x61,0x75,0x74,0x68,0x6F,0x72, -0x69,0x74,0x79,0x2F,0x77,0x77,0x64,0x72,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x13, -0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x01,0x02,0x01,0x01,0xFF,0x04, -0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, -0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xA1,0x1D,0x8C,0xB9,0x21,0x59,0xC8,0xC0,0x08, -0x25,0x97,0x78,0x0D,0x04,0x14,0x85,0xA8,0xFC,0xC3,0xB1,0x7E,0x72,0x45,0x4C,0x96, -0x82,0x90,0x73,0x68,0x24,0x65,0x11,0x0F,0xB8,0x0D,0xB8,0xE4,0x46,0xD5,0x61,0x01, -0x64,0xB8,0x51,0xF8,0xAE,0xE7,0xCF,0xF2,0x7A,0x93,0x78,0xC7,0x9A,0xD3,0xF4,0xF8, -0x04,0xDB,0xF1,0x4A,0xDB,0x05,0x98,0x2F,0xF3,0x39,0x37,0xB0,0x2B,0x49,0x9A,0x82, -0x36,0x63,0xF4,0xB3,0x70,0x75,0x43,0xE3,0xF1,0xBD,0xB5,0x68,0x0C,0xB3,0x7E,0xA3, -0xB3,0x29,0x55,0xD2,0x34,0xD8,0x13,0xB5,0x87,0xD3,0xCE,0xEB,0x26,0xE5,0xCB,0x1F, -0xF1,0xE1,0x89,0x7A,0xB0,0x39,0xB2,0x2E,0x88,0x76,0xE9,0x68,0x69,0x4E,0x90,0xB4, -0x7C,0x42,0x7A,0x2C,0xDF,0x33,0xCF,0x2F,0xBD,0x38,0x3A,0xCC,0xB3,0xC7,0x47,0x9C, -0xC4,0x87,0xCE,0x1A,0x1E,0xF4,0xBB,0xC9,0x97,0x35,0x1C,0x65,0xC2,0xF0,0x2F,0x98, -0x50,0x96,0xA6,0x6C,0xF5,0x1B,0x45,0xE6,0x48,0xBE,0x17,0xFB,0xF6,0x61,0x3E,0x94, -0xF3,0x49,0x57,0xB5,0x54,0x5F,0xE1,0x92,0x30,0xF9,0xC6,0xB7,0x21,0xE0,0x30,0x64, -0x83,0xE7,0x49,0x97,0x8D,0xDC,0xE5,0x9D,0x89,0xA9,0x14,0x2E,0xEF,0x21,0x00,0xBA, 
-0x13,0x63,0xF4,0xCD,0x2F,0x61,0x17,0x58,0xAB,0xD3,0xA8,0x06,0x54,0x5F,0x60,0xB3, -0xBE,0xED,0xE8,0xF8,0xA4,0x29,0x2F,0xE1,0x4A,0x0E,0xB1,0xFE,0xCE,0x73,0x14,0x9A, -0x3A,0x95,0xFC,0xC8,0xB6,0x53,0xBC,0xBF,0x3A,0xB0,0xAE,0x80,0x76,0xF5,0x57,0x47, -0xD2,0x1C,0x08,0x19,0x22,0xF2,0x6D, -}; - -/* subject:/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -static unsigned char wwdr_anchor_certificate[1063]={ -0x30,0x82,0x04,0x23,0x30,0x82,0x03,0x0B,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x19, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, -0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, -0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, -0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, -0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06, -0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74, -0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x38,0x30,0x32,0x31,0x34,0x31,0x38,0x35, -0x36,0x33,0x35,0x5A,0x17,0x0D,0x31,0x36,0x30,0x32,0x31,0x34,0x31,0x38,0x35,0x36, -0x33,0x35,0x5A,0x30,0x81,0x96,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, -0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, -0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04, -0x0B,0x0C,0x23,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77,0x69, -0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65,0x6C, -0x61,0x74,0x69,0x6F,0x6E,0x73,0x31,0x44,0x30,0x42,0x06,0x03,0x55,0x04,0x03,0x0C, -0x3B,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77,0x69,0x64,0x65, 
-0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65,0x6C,0x61,0x74, -0x69,0x6F,0x6E,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, -0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x01,0x22, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, -0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xCA,0x38,0x54, -0xA6,0xCB,0x56,0xAA,0xC8,0x24,0x39,0x48,0xE9,0x8C,0xEE,0xEC,0x5F,0xB8,0x7F,0x26, -0x91,0xBC,0x34,0x53,0x7A,0xCE,0x7C,0x63,0x80,0x61,0x77,0x64,0x5E,0xA5,0x07,0x23, -0xB6,0x39,0xFE,0x50,0x2D,0x15,0x56,0x58,0x70,0x2D,0x7E,0xC4,0x6E,0xC1,0x4A,0x85, -0x3E,0x2F,0xF0,0xDE,0x84,0x1A,0xA1,0x57,0xC9,0xAF,0x7B,0x18,0xFF,0x6A,0xFA,0x15, -0x12,0x49,0x15,0x08,0x19,0xAC,0xAA,0xDB,0x2A,0x32,0xED,0x96,0x63,0x68,0x52,0x15, -0x3D,0x8C,0x8A,0xEC,0xBF,0x6B,0x18,0x95,0xE0,0x03,0xAC,0x01,0x7D,0x97,0x05,0x67, -0xCE,0x0E,0x85,0x95,0x37,0x6A,0xED,0x09,0xB6,0xAE,0x67,0xCD,0x51,0x64,0x9F,0xC6, -0x5C,0xD1,0xBC,0x57,0x6E,0x67,0x35,0x80,0x76,0x36,0xA4,0x87,0x81,0x6E,0x38,0x8F, -0xD8,0x2B,0x15,0x4E,0x7B,0x25,0xD8,0x5A,0xBF,0x4E,0x83,0xC1,0x8D,0xD2,0x93,0xD5, -0x1A,0x71,0xB5,0x60,0x9C,0x9D,0x33,0x4E,0x55,0xF9,0x12,0x58,0x0C,0x86,0xB8,0x16, -0x0D,0xC1,0xE5,0x77,0x45,0x8D,0x50,0x48,0xBA,0x2B,0x2D,0xE4,0x94,0x85,0xE1,0xE8, -0xC4,0x9D,0xC6,0x68,0xA5,0xB0,0xA3,0xFC,0x67,0x7E,0x70,0xBA,0x02,0x59,0x4B,0x77, -0x42,0x91,0x39,0xB9,0xF5,0xCD,0xE1,0x4C,0xEF,0xC0,0x3B,0x48,0x8C,0xA6,0xE5,0x21, -0x5D,0xFD,0x6A,0x6A,0xBB,0xA7,0x16,0x35,0x60,0xD2,0xE6,0xAD,0xF3,0x46,0x29,0xC9, -0xE8,0xC3,0x8B,0xE9,0x79,0xC0,0x6A,0x61,0x67,0x15,0xB2,0xF0,0xFD,0xE5,0x68,0xBC, -0x62,0x5F,0x6E,0xCF,0x99,0xDD,0xEF,0x1B,0x63,0xFE,0x92,0x65,0xAB,0x02,0x03,0x01, -0x00,0x01,0xA3,0x81,0xAE,0x30,0x81,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, -0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x86,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01, -0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, 
-0x04,0x16,0x04,0x14,0x88,0x27,0x17,0x09,0xA9,0xB6,0x18,0x60,0x8B,0xEC,0xEB,0xBA, -0xF6,0x47,0x59,0xC5,0x52,0x54,0xA3,0xB7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04, -0x18,0x30,0x16,0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D, -0x2E,0x40,0xA6,0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x36,0x06,0x03,0x55,0x1D,0x1F, -0x04,0x2F,0x30,0x2D,0x30,0x2B,0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70, -0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, -0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x72,0x6F,0x6F,0x74,0x2E,0x63,0x72, -0x6C,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x01,0x04, -0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, -0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xDA,0x32,0x00,0x96,0xC5,0x54,0x94,0xD3,0x3B, -0x82,0x37,0x66,0x7D,0x2E,0x68,0xD5,0xC3,0xC6,0xB8,0xCB,0x26,0x8C,0x48,0x90,0xCF, -0x13,0x24,0x6A,0x46,0x8E,0x63,0xD4,0xF0,0xD0,0x13,0x06,0xDD,0xD8,0xC4,0xC1,0x37, -0x15,0xF2,0x33,0x13,0x39,0x26,0x2D,0xCE,0x2E,0x55,0x40,0xE3,0x0B,0x03,0xAF,0xFA, -0x12,0xC2,0xE7,0x0D,0x21,0xB8,0xD5,0x80,0xCF,0xAC,0x28,0x2F,0xCE,0x2D,0xB3,0x4E, -0xAF,0x86,0x19,0x04,0xC6,0xE9,0x50,0xDD,0x4C,0x29,0x47,0x10,0x23,0xFC,0x6C,0xBB, -0x1B,0x98,0x6B,0x48,0x89,0xE1,0x5B,0x9D,0xDE,0x46,0xDB,0x35,0x85,0x35,0xEF,0x3E, -0xD0,0xE2,0x58,0x4B,0x38,0xF4,0xED,0x75,0x5A,0x1F,0x5C,0x70,0x1D,0x56,0x39,0x12, -0xE5,0xE1,0x0D,0x11,0xE4,0x89,0x25,0x06,0xBD,0xD5,0xB4,0x15,0x8E,0x5E,0xD0,0x59, -0x97,0x90,0xE9,0x4B,0x81,0xE2,0xDF,0x18,0xAF,0x44,0x74,0x1E,0x19,0xA0,0x3A,0x47, -0xCC,0x91,0x1D,0x3A,0xEB,0x23,0x5A,0xFE,0xA5,0x2D,0x97,0xF7,0x7B,0xBB,0xD6,0x87, -0x46,0x42,0x85,0xEB,0x52,0x3D,0x26,0xB2,0x63,0xA8,0xB4,0xB1,0xCA,0x8F,0xF4,0xCC, -0xE2,0xB3,0xC8,0x47,0xE0,0xBF,0x9A,0x59,0x83,0xFA,0xDA,0x98,0x53,0x2A,0x82,0xF5, -0x7C,0x65,0x2E,0x95,0xD9,0x33,0x5D,0xF5,0xED,0x65,0xCC,0x31,0x37,0xC5,0x5A,0x04, -0xE8,0x6B,0xE1,0xE7,0x88,0x03,0x4A,0x75,0x9E,0x9B,0x28,0xCB,0x4A,0x40,0x88,0x65, 
-0x43,0x75,0xDD,0xCB,0x3A,0x25,0x23,0xC5,0x9E,0x57,0xF8,0x2E,0xCE,0xD2,0xA9,0x92, -0x5E,0x73,0x2E,0x2F,0x25,0x75,0x15, -}; - -static unsigned char applicable_exceptions[] = { - 0x62, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x30, 0x30, 0xa1, 0x01, 0xd6, 0x02, - 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x08, 0x08, 0x08, 0x08, 0x0d, 0x5f, - 0x10, 0x12, 0x43, 0x72, 0x69, 0x74, 0x69, 0x63, 0x61, 0x6c, 0x45, 0x78, - 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x5f, 0x10, 0x10, 0x49, - 0x73, 0x73, 0x75, 0x65, 0x72, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, - 0x61, 0x6d, 0x65, 0x5f, 0x10, 0x11, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, - 0x74, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x5b, - 0x43, 0x68, 0x61, 0x69, 0x6e, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x5a, - 0x41, 0x6e, 0x63, 0x68, 0x6f, 0x72, 0x53, 0x48, 0x41, 0x31, 0x5a, 0x53, - 0x48, 0x41, 0x31, 0x44, 0x69, 0x67, 0x65, 0x73, 0x74, 0x08, 0x08, 0x08, - 0x08, 0x08, 0x4f, 0x10, 0x14, 0xd7, 0x16, 0x8a, 0x2a, 0x8e, 0xa0, 0x18, - 0xba, 0x31, 0x36, 0x99, 0x01, 0x90, 0x58, 0xde, 0x18, 0x85, 0xa2, 0xab, - 0xc2, 0x08, 0x0a, 0x17, 0x2c, 0x3f, 0x53, 0x5f, 0x6a, 0x75, 0x76, 0x77, - 0x78, 0x79, 0x7a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x91 -}; - -/* subject:/C=US/O=Apple Inc./CN=TEST Apple iPhone OS Provisioning Profile Signing TEST */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone Certification Authority */ -static unsigned char _c0[1031]={ -0x30,0x82,0x04,0x03,0x30,0x82,0x02,0xEB,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x0E, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x79,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, -0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, 
-0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, -0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, -0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x2D,0x30,0x2B,0x06, -0x03,0x55,0x04,0x03,0x13,0x24,0x41,0x70,0x70,0x6C,0x65,0x20,0x69,0x50,0x68,0x6F, -0x6E,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, -0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x38, -0x30,0x35,0x30,0x32,0x31,0x37,0x35,0x36,0x35,0x31,0x5A,0x17,0x0D,0x30,0x39,0x30, -0x35,0x30,0x32,0x31,0x37,0x35,0x36,0x35,0x31,0x5A,0x30,0x63,0x31,0x0B,0x30,0x09, -0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, -0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x3F, -0x30,0x3D,0x06,0x03,0x55,0x04,0x03,0x13,0x36,0x54,0x45,0x53,0x54,0x20,0x41,0x70, -0x70,0x6C,0x65,0x20,0x69,0x50,0x68,0x6F,0x6E,0x65,0x20,0x4F,0x53,0x20,0x50,0x72, -0x6F,0x76,0x69,0x73,0x69,0x6F,0x6E,0x69,0x6E,0x67,0x20,0x50,0x72,0x6F,0x66,0x69, -0x6C,0x65,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E,0x67,0x20,0x54,0x45,0x53,0x54,0x30, -0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01, -0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00, -0xAD,0x52,0x0E,0xF9,0x9B,0x54,0x95,0x16,0x61,0x2D,0xBF,0xD3,0x84,0x3B,0xC5,0x6B, -0x3C,0x0C,0x4C,0xD7,0x27,0x39,0x59,0xAF,0x37,0x47,0x75,0x3B,0xDA,0xF1,0xEB,0xE2, -0xB8,0xA6,0xCA,0x07,0xF5,0xC2,0x9B,0x69,0x32,0xDF,0x45,0x2E,0xC7,0xAD,0xC6,0xC3, -0x64,0x6C,0x26,0x5C,0xBA,0x48,0xC8,0x6E,0x09,0x84,0xDC,0xAC,0xC4,0x49,0x02,0x29, -0x6D,0x40,0x77,0x7D,0x7F,0x16,0x08,0x16,0xF3,0x07,0xC2,0x3A,0xDB,0x80,0x28,0x00, -0x74,0x0E,0xAD,0xD1,0x48,0x82,0x55,0x69,0x95,0x8B,0x19,0x39,0xA1,0xE5,0xA1,0x38, -0xE2,0x42,0xC1,0x2D,0x9A,0x71,0xB5,0xE6,0xAB,0xF6,0x21,0xC6,0xBD,0x3D,0x7B,0xBF, -0x8D,0x0E,0x87,0x85,0x37,0x3C,0x50,0x93,0x12,0xC7,0xA1,0x9B,0xEF,0x1F,0x18,0xD7, 
-0xC6,0x1C,0x12,0x7B,0x74,0xED,0xB2,0x6C,0x19,0xFC,0xA9,0x1B,0xDD,0xB0,0x3B,0x5F, -0xBD,0x10,0x02,0xE5,0x58,0xDB,0x19,0xA8,0x05,0xE4,0xB2,0x2F,0xF4,0x36,0x0C,0xD9, -0x2F,0xF5,0x2B,0x9A,0x17,0x68,0x0F,0x86,0xCF,0xBC,0x63,0xFF,0x4B,0x35,0x46,0x25, -0x3A,0x98,0x7C,0x22,0x90,0xA3,0x2D,0xF7,0x78,0x5D,0x0B,0x35,0x98,0x96,0x39,0xA9, -0xE1,0x2C,0x74,0x96,0x63,0x08,0xB4,0x3A,0x3C,0x76,0x41,0x19,0xF2,0x17,0x3D,0xC9, -0x1D,0xBA,0xFA,0xDD,0x53,0x8B,0x30,0x73,0xBB,0x3D,0x96,0xCB,0x71,0xB7,0xB9,0x2A, -0xF9,0x39,0x6D,0xD1,0x33,0xF4,0x1F,0xE9,0xAD,0xB0,0xAA,0x1C,0xCB,0xA7,0x1F,0xBA, -0x6F,0x13,0x17,0xC9,0xE1,0x8F,0x8A,0xCD,0xDF,0x4D,0xBB,0xFD,0x6C,0xC6,0x06,0xEB, -0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xAB,0x30,0x81,0xA8,0x30,0x0B,0x06,0x03,0x55, -0x1D,0x0F,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01, -0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x11,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x63, -0x64,0x06,0x02,0x02,0x01,0x04,0x02,0x05,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, -0x04,0x16,0x04,0x14,0xF7,0x0D,0xCA,0x30,0x6D,0xD5,0xB1,0x7B,0x33,0xEB,0x45,0xC0, -0xEA,0x08,0x16,0xBB,0x16,0x2F,0x2C,0x30,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04, -0x18,0x30,0x16,0x80,0x14,0xE7,0x34,0x2A,0x2E,0x22,0xDE,0x39,0x60,0x6B,0xB4,0x94, -0xCE,0x77,0x83,0x61,0x2F,0x31,0xA0,0x7C,0x35,0x30,0x38,0x06,0x03,0x55,0x1D,0x1F, -0x04,0x31,0x30,0x2F,0x30,0x2D,0xA0,0x2B,0xA0,0x29,0x86,0x27,0x68,0x74,0x74,0x70, -0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, -0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x69,0x70,0x68,0x6F,0x6E,0x65,0x2E, -0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, -0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xA1,0x94,0x7D,0xB9,0xCC,0x61,0xBD,0x93,0xB7, -0x65,0x0D,0xED,0x4B,0xFB,0x23,0x98,0x6C,0xFD,0xD8,0xEC,0x4F,0x61,0xF7,0x08,0xB4, -0x52,0xC5,0x4D,0x48,0x1C,0x15,0xE3,0x0D,0xE6,0x50,0x1A,0xE1,0x3D,0x28,0x63,0x5A, -0xB7,0x28,0x2F,0x51,0xAE,0x25,0x64,0x2B,0x18,0x37,0x55,0x34,0xC3,0xC5,0x31,0x6D, 
-0x81,0xED,0x82,0x9A,0xEB,0x22,0x91,0x0A,0x1B,0x19,0xAB,0xDE,0xF6,0xFC,0x2F,0x0D, -0xE4,0xDE,0x84,0x2D,0x38,0x96,0xA1,0x68,0xED,0x55,0xCB,0x9D,0xCF,0x55,0x07,0xF2, -0x93,0xE0,0x40,0x53,0x26,0x56,0x7E,0x70,0x4E,0x15,0x3F,0x53,0x3B,0x4D,0x4C,0x63, -0x8E,0x43,0xC1,0x41,0xB0,0xC3,0x10,0xD2,0xDE,0x52,0xF0,0xB1,0x41,0xB1,0x32,0x3F, -0x14,0x82,0x30,0x0D,0x9E,0xFA,0x2D,0x61,0x96,0xA5,0x09,0xA5,0xFC,0x6D,0x01,0xCC, -0xDD,0x2F,0xC4,0x92,0x7E,0x63,0x82,0xAD,0x51,0x4F,0xC7,0x2C,0xF7,0x1F,0x01,0x85, -0xEE,0x0F,0xF7,0x6E,0x18,0x4E,0xEB,0xA0,0x8F,0x91,0x17,0xE6,0x3C,0x7D,0x24,0xC6, -0xB3,0x1F,0xAC,0xDC,0xDE,0xC9,0x92,0x28,0x26,0x53,0x1A,0x84,0x7D,0xAB,0x74,0xC1, -0x8C,0x78,0x61,0x62,0x54,0x03,0xB0,0xB1,0x2A,0xAD,0x44,0x13,0x93,0xEB,0x6A,0x5C, -0xD5,0xF9,0xEC,0x02,0x56,0x8F,0x88,0x7F,0x67,0x5D,0x24,0xDF,0x70,0x43,0xFC,0x29, -0x58,0x89,0xED,0x17,0x91,0x2F,0x8C,0xD9,0xA3,0xB5,0x6B,0xAE,0x6D,0x24,0x41,0x82, -0x7E,0xFE,0x03,0xA5,0xE4,0xD3,0x34,0x1D,0xE7,0x21,0xE7,0xD7,0x70,0x5A,0xAB,0xFE, -0x1D,0x51,0xC4,0x59,0x48,0x80,0xFC, -}; - -/* subject:/C=US/O=Apple Inc./CN=TEST Apple iPhone OS Application Signing TEST */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone Certification Authority */ -static unsigned char _c1[1046]={ -0x30,0x82,0x04,0x12,0x30,0x82,0x02,0xFA,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x19, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x79,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, -0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, -0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, -0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, -0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x2D,0x30,0x2B,0x06, -0x03,0x55,0x04,0x03,0x13,0x24,0x41,0x70,0x70,0x6C,0x65,0x20,0x69,0x50,0x68,0x6F, -0x6E,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, 
-0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x38, -0x30,0x35,0x30,0x32,0x32,0x30,0x31,0x30,0x30,0x38,0x5A,0x17,0x0D,0x30,0x39,0x30, -0x35,0x30,0x32,0x32,0x30,0x31,0x30,0x30,0x38,0x5A,0x30,0x5A,0x31,0x0B,0x30,0x09, -0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, -0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x36, -0x30,0x34,0x06,0x03,0x55,0x04,0x03,0x13,0x2D,0x54,0x45,0x53,0x54,0x20,0x41,0x70, -0x70,0x6C,0x65,0x20,0x69,0x50,0x68,0x6F,0x6E,0x65,0x20,0x4F,0x53,0x20,0x41,0x70, -0x70,0x6C,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E, -0x67,0x20,0x54,0x45,0x53,0x54,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86, -0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82, -0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xDA,0xC9,0x59,0x0A,0xD0,0xC3,0x90,0xFE,0x18, -0xCA,0x8A,0xEE,0x45,0x67,0x51,0x1E,0xF6,0x77,0x98,0xD0,0x29,0xC4,0xF3,0x4D,0xFD, -0x3E,0xC8,0x17,0x2E,0x42,0xCD,0xAF,0x85,0x13,0xC5,0x74,0x6F,0x8D,0x81,0x64,0x09, -0x91,0x4E,0xC3,0x64,0xF8,0x21,0x81,0xB7,0x33,0x17,0xBC,0x2D,0xEC,0x19,0xBB,0xF8, -0x0D,0x4A,0x78,0xCA,0xB2,0xE4,0x7A,0x79,0xF5,0x18,0xFA,0xB4,0x63,0x7F,0xDD,0xE5, -0x87,0x7B,0x11,0xFD,0xC6,0xFA,0x70,0x5E,0x97,0xDC,0x58,0xD4,0x5D,0x81,0xCA,0x60, -0x0D,0x8F,0x27,0x51,0x99,0x8D,0x81,0x02,0x5D,0x2E,0xA1,0x42,0xB2,0xD0,0xC9,0xFC, -0x46,0xD5,0xCB,0xA9,0x68,0xC2,0x93,0xAD,0x1E,0x99,0x7D,0x79,0x22,0x36,0x32,0xC3, -0x9A,0x92,0xBA,0x04,0x00,0xDB,0xFA,0x8A,0xAC,0xB7,0x74,0x33,0x58,0xAC,0xED,0x9D, -0xAB,0xC5,0x23,0xAA,0x7E,0xAE,0xEE,0x97,0x67,0x96,0x2F,0x52,0xA2,0x34,0x23,0x83, -0x97,0x18,0x57,0xA9,0xA6,0x1A,0xF1,0x09,0x3C,0xD6,0x5C,0x39,0xA1,0xB2,0x59,0x7E, -0xA8,0x65,0x3B,0x45,0x60,0xED,0x6A,0x94,0xD2,0x05,0x79,0xFA,0xAA,0x51,0x4D,0x59, -0x93,0x72,0xEB,0x9D,0x24,0x23,0xEA,0x32,0xD3,0x5A,0x83,0xB5,0x2D,0xB7,0x14,0xDA, -0x24,0x60,0x07,0xC0,0x20,0x7E,0x6F,0xD4,0x56,0x85,0x47,0x29,0xE5,0xC0,0x1C,0x91, 
-0xC8,0xE4,0x04,0xB4,0x3E,0x4F,0xAB,0x53,0xCC,0x6D,0x71,0x39,0x8F,0x17,0x19,0x16, -0x81,0x24,0xFA,0xD4,0x4D,0xD0,0x3B,0x4B,0x87,0x0A,0xFF,0x92,0x86,0x89,0x1D,0xFC, -0x4E,0xA0,0x58,0x0F,0xA5,0x9C,0x19,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xC3,0x30, -0x81,0xC0,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x07,0x80,0x30, -0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x16,0x06, -0x03,0x55,0x1D,0x25,0x01,0x01,0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01, -0x05,0x05,0x07,0x03,0x03,0x30,0x11,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64, -0x06,0x01,0x03,0x01,0x04,0x02,0x05,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04, -0x16,0x04,0x14,0xB8,0x12,0xA4,0x44,0x18,0x52,0x79,0x30,0x43,0xE0,0x8E,0xFC,0xA6, -0x7A,0xE7,0x5D,0x0B,0x04,0xB3,0x8C,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18, -0x30,0x16,0x80,0x14,0xE7,0x34,0x2A,0x2E,0x22,0xDE,0x39,0x60,0x6B,0xB4,0x94,0xCE, -0x77,0x83,0x61,0x2F,0x31,0xA0,0x7C,0x35,0x30,0x38,0x06,0x03,0x55,0x1D,0x1F,0x04, -0x31,0x30,0x2F,0x30,0x2D,0xA0,0x2B,0xA0,0x29,0x86,0x27,0x68,0x74,0x74,0x70,0x3A, -0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F, -0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x69,0x70,0x68,0x6F,0x6E,0x65,0x2E,0x63, -0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05, -0x00,0x03,0x82,0x01,0x01,0x00,0x93,0x79,0x8C,0xD9,0x4C,0x24,0x0A,0x60,0x14,0x6B, -0xAF,0xA1,0xE9,0xEF,0x52,0xDC,0x89,0x91,0x4D,0x13,0xF3,0xDB,0x90,0x5E,0x55,0x36, -0x1C,0x50,0xBE,0xA6,0x57,0x86,0x32,0x73,0x6E,0x51,0x6C,0x40,0xBA,0xCB,0x1D,0xF8, -0x44,0xCB,0x14,0x6C,0xBC,0x09,0x2E,0xA5,0xEA,0x26,0x29,0xAB,0xF1,0x8B,0x66,0x53, -0x99,0x40,0x5D,0xB5,0xBE,0x07,0xD3,0x3C,0x18,0x51,0xEC,0x16,0xC6,0xE4,0x28,0x06, -0xD3,0x33,0x46,0xB4,0x2A,0x96,0xBE,0x1F,0x60,0xF7,0x7A,0x63,0xC7,0xB7,0x21,0x53, -0x50,0x9B,0x83,0x54,0xDA,0x7B,0xF8,0x52,0x69,0xFD,0xCF,0x79,0xF5,0x4F,0xA4,0xE4, -0x34,0x0B,0xC8,0xB9,0x21,0xE7,0x57,0x69,0x9A,0xE3,0xCB,0x47,0xE4,0x74,0x49,0x9A, 
-0xD8,0x22,0x7B,0x58,0x0D,0xF7,0x64,0x10,0x30,0x69,0x73,0xC6,0x8E,0x4B,0x36,0x1B, -0xBB,0xA4,0x48,0x9A,0x5E,0x81,0x97,0x0D,0x5C,0x4A,0x1F,0xE6,0xC8,0x75,0xC2,0xD9, -0x5D,0x8C,0xE4,0xB3,0xBA,0x5C,0xB9,0xDC,0xCC,0x93,0x7C,0x1F,0x16,0xC7,0x13,0x38, -0xEA,0x80,0x15,0xF8,0x60,0x80,0xF8,0x44,0xA5,0x8E,0x23,0x10,0x4A,0xD6,0x9A,0x17, -0x2C,0xEE,0x53,0xF8,0x01,0x45,0xED,0x9A,0x90,0x59,0x07,0xE6,0x14,0xB4,0xA6,0x22, -0xE4,0xAF,0x50,0xD8,0x6E,0xC0,0x19,0xCF,0x3B,0xC0,0x6C,0x54,0x8C,0x4F,0xFA,0x8F, -0xB4,0x54,0x75,0xA5,0xED,0xF6,0x22,0x54,0xE5,0x1A,0x4D,0x87,0x60,0x2F,0x3E,0x3A, -0xB8,0x02,0x07,0xB2,0x0E,0xC4,0x1E,0x70,0x5D,0xB7,0xC5,0x28,0xEC,0x26,0xF7,0x0E, -0x11,0xBC,0xE8,0x63,0x8C,0x5A, -}; - - -/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone Certification Authority */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -static unsigned char _i1[1015]={ -0x30,0x82,0x03,0xF3,0x30,0x82,0x02,0xDB,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x17, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, -0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, -0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, -0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, -0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06, -0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74, -0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x37,0x30,0x34,0x31,0x32,0x31,0x37,0x34, -0x33,0x32,0x38,0x5A,0x17,0x0D,0x32,0x32,0x30,0x34,0x31,0x32,0x31,0x37,0x34,0x33, -0x32,0x38,0x5A,0x30,0x79,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, -0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70, -0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B, 
-0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63, -0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31, -0x2D,0x30,0x2B,0x06,0x03,0x55,0x04,0x03,0x13,0x24,0x41,0x70,0x70,0x6C,0x65,0x20, -0x69,0x50,0x68,0x6F,0x6E,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61, -0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82, -0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05, -0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xA3, -0x1E,0xBE,0xF0,0x47,0xC0,0xB4,0x9E,0x10,0x5B,0x46,0xA4,0xB8,0x21,0xB8,0x4F,0x86, -0x21,0x70,0x28,0x45,0x60,0x5C,0x1C,0xC3,0xC8,0x0A,0x64,0x63,0x88,0xFB,0xFC,0x69, -0xEE,0xF8,0x54,0xFC,0xE9,0x5B,0xB7,0x06,0x4E,0x04,0x2F,0xC3,0x6B,0x33,0xAF,0x44, -0x4C,0xEA,0x4B,0x80,0x09,0xB4,0x87,0xF6,0x5B,0xB4,0xFD,0x64,0xDD,0xB3,0x72,0xE0, -0x13,0xB3,0xFD,0x17,0xD9,0xBC,0xE7,0xA8,0xED,0xC2,0x8C,0x61,0xC2,0x2A,0xF9,0xEC, -0xCE,0xA5,0x5E,0xD6,0x69,0xEB,0x64,0x0B,0x8D,0x08,0x8F,0xB8,0xA0,0x50,0x46,0x09, -0xDC,0x19,0xE4,0xE5,0xB0,0x94,0x6D,0xBB,0xF7,0x99,0x98,0xC4,0xE8,0x9B,0x41,0x4E, -0xD4,0xF1,0x65,0xE3,0x1B,0x52,0x7A,0xDC,0xE8,0x03,0xD9,0x6E,0x1D,0xDA,0x10,0x55, -0x86,0xA4,0x29,0x58,0x49,0x0C,0xEA,0x47,0xD7,0x15,0x34,0x33,0xF6,0xC0,0xA0,0x44, -0x4A,0x70,0xBE,0x2C,0xB5,0x2A,0x30,0x37,0x8C,0x2E,0x15,0xEB,0xD1,0xE4,0x6C,0x97, -0x38,0x55,0x56,0xB1,0x35,0x2B,0x58,0xEA,0x44,0xA3,0x26,0x85,0xEE,0xC8,0x66,0x4A, -0xE4,0xCF,0x89,0xF0,0x3D,0x63,0xAD,0x29,0xDE,0xAD,0xBA,0x5A,0xB3,0xDC,0xA5,0xA3, -0x9A,0xA7,0x09,0x4E,0x80,0x16,0x35,0x65,0xA4,0x85,0x0D,0x63,0x7B,0x3E,0x63,0x8A, -0xDA,0x7D,0x4A,0x46,0xEC,0xA3,0x39,0x18,0x34,0xB9,0xC6,0x28,0x65,0x18,0xBC,0x13, -0x60,0x9C,0x7F,0x57,0xAC,0x14,0xC9,0x89,0xED,0xA1,0xB6,0x87,0x68,0x52,0xB6,0x84, -0x4E,0xB8,0xC8,0x83,0xEC,0xF9,0x9E,0x19,0xAB,0xB3,0xC1,0x0B,0x86,0xC7,0x9F,0x02, -0x03,0x01,0x00,0x01,0xA3,0x81,0x9C,0x30,0x81,0x99,0x30,0x0E,0x06,0x03,0x55,0x1D, 
-0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x86,0x30,0x0F,0x06,0x03,0x55,0x1D, -0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1D,0x06,0x03,0x55, -0x1D,0x0E,0x04,0x16,0x04,0x14,0xE7,0x34,0x2A,0x2E,0x22,0xDE,0x39,0x60,0x6B,0xB4, -0x94,0xCE,0x77,0x83,0x61,0x2F,0x31,0xA0,0x7C,0x35,0x30,0x1F,0x06,0x03,0x55,0x1D, -0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4, -0x6B,0x8D,0x2E,0x40,0xA6,0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x36,0x06,0x03,0x55, -0x1D,0x1F,0x04,0x2F,0x30,0x2D,0x30,0x2B,0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74, -0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63, -0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x72,0x6F,0x6F,0x74,0x2E, -0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, -0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x1D,0xD1,0xD5,0x7B,0xDD,0x74,0x4E,0xD7,0x17, -0xFC,0x82,0x2D,0x0C,0x99,0x9B,0x5E,0x42,0x72,0xF2,0x69,0xDC,0xD5,0x6B,0x5E,0x0D, -0x0C,0x6B,0x4B,0x3E,0x7B,0x14,0x25,0xDE,0xB3,0x94,0xE8,0xA0,0xFA,0x0F,0x80,0x89, -0xF2,0x17,0x3D,0x00,0x02,0xA2,0x91,0x91,0xBE,0x74,0x57,0xDC,0xAF,0x9A,0x9F,0xA1, -0x0A,0x7D,0x30,0xBE,0x00,0x2A,0xCC,0x21,0x59,0xEB,0xFD,0x49,0xAC,0x6E,0x75,0x19, -0xE8,0x9A,0x7A,0x03,0xD1,0x86,0xF6,0xE7,0xF6,0xB0,0x0E,0x4B,0x49,0xFA,0xA3,0xB7, -0x41,0xBA,0xD7,0xD1,0xE3,0x56,0xA1,0x7D,0x83,0xAB,0x97,0xAE,0xF8,0x51,0x4A,0x26, -0xC1,0x85,0x42,0x13,0x26,0x8D,0x03,0x54,0x66,0x10,0x5E,0x60,0x84,0x05,0x12,0x31, -0x2B,0x6B,0x54,0xC0,0xA0,0xC8,0x41,0xBC,0x54,0x1E,0xE7,0x54,0xAD,0x13,0x00,0xD2, -0x4A,0xC7,0xBB,0xC1,0x8A,0xAF,0x81,0x08,0x8E,0xF0,0x46,0x0A,0xBF,0x27,0xA6,0xBE, -0xDC,0xCF,0x39,0x3A,0x80,0x70,0x19,0x23,0x32,0xA3,0x6B,0x66,0x5D,0x9E,0x4D,0xA8, -0x47,0x49,0xB2,0x7B,0x45,0xB5,0x51,0x33,0xA7,0x74,0x67,0x09,0x4E,0xB6,0x6C,0x6F, -0x48,0xF7,0x2C,0xB9,0x33,0x05,0x44,0x6B,0x45,0xBE,0x74,0x4B,0x6F,0xB2,0x86,0x91, -0xB4,0x3E,0x25,0x28,0x25,0x9E,0xB3,0xC2,0x51,0x86,0xFC,0x4F,0xE5,0xAF,0x3B,0xAA, 
-0xBB,0x44,0x2C,0x01,0x49,0xE2,0x74,0xB3,0x34,0xFA,0x44,0xEF,0x14,0xC2,0x11,0xF2, -0x2D,0x19,0x1A,0x51,0x89,0xD3,0x08,0x4A,0x41,0x6C,0x58,0x56,0xDE,0x9B,0x3A,0xE1, -0x05,0x57,0xE5,0x62,0xCF,0xD2,0x0F, -}; - - -/* subject:/C=US/O=Apple Inc./CN=Apple iPhone OS Application Signing */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone Certification Authority */ -static unsigned char app_signing_production[903]={ -0x30,0x82,0x03,0x83,0x30,0x82,0x02,0x6B,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x1E, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x79,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, -0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, -0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, -0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, -0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x2D,0x30,0x2B,0x06, -0x03,0x55,0x04,0x03,0x13,0x24,0x41,0x70,0x70,0x6C,0x65,0x20,0x69,0x50,0x68,0x6F, -0x6E,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, -0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x38, -0x30,0x35,0x32,0x31,0x30,0x32,0x30,0x34,0x31,0x35,0x5A,0x17,0x0D,0x32,0x30,0x30, -0x35,0x32,0x31,0x30,0x32,0x30,0x34,0x31,0x35,0x5A,0x30,0x50,0x31,0x0B,0x30,0x09, -0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, -0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2C, -0x30,0x2A,0x06,0x03,0x55,0x04,0x03,0x13,0x23,0x41,0x70,0x70,0x6C,0x65,0x20,0x69, -0x50,0x68,0x6F,0x6E,0x65,0x20,0x4F,0x53,0x20,0x41,0x70,0x70,0x6C,0x69,0x63,0x61, -0x74,0x69,0x6F,0x6E,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E,0x67,0x30,0x81,0x9F,0x30, -0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81, -0x8D,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xB1,0x1D,0x55,0x38,0xAE,0xEF,0xF6, 
-0x30,0xA5,0x9B,0x65,0xAE,0x79,0x36,0x01,0x4D,0x48,0x02,0x6E,0x71,0xB8,0x67,0xD2, -0xF8,0x53,0xF5,0xD8,0xB9,0x27,0xBD,0xAD,0x4B,0xF7,0x44,0xF3,0x5D,0xD6,0x83,0x62, -0x31,0x71,0x20,0x1D,0xBE,0x02,0x91,0x11,0x42,0xED,0xD9,0xCC,0x29,0xD8,0x31,0xE8, -0x60,0x07,0x1B,0x07,0x97,0x74,0x7F,0xFA,0x1D,0x89,0xDE,0x85,0x4B,0xD5,0x1F,0xA4, -0xFE,0x28,0x2D,0xD3,0x29,0x6E,0xD4,0x3F,0xEB,0x10,0x99,0x33,0x11,0x8C,0xD4,0xD4, -0x32,0x15,0xEE,0xDF,0xB3,0x58,0x2C,0x29,0x6C,0x79,0x48,0x41,0xAE,0x0C,0xDF,0xE6, -0x8A,0x2C,0x2B,0xA5,0xE9,0x1E,0xD8,0xB6,0x71,0xA2,0xAB,0x11,0x28,0x48,0x72,0xC5, -0xE3,0x35,0xA5,0x0C,0xDF,0xE7,0xAC,0x44,0x87,0x02,0x03,0x01,0x00,0x01,0xA3,0x81, -0xC2,0x30,0x81,0xBF,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x07, -0x80,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30, -0x16,0x06,0x03,0x55,0x1D,0x25,0x01,0x01,0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B, -0x06,0x01,0x05,0x05,0x07,0x03,0x03,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7, -0x63,0x64,0x06,0x01,0x03,0x04,0x02,0x05,0x00,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, -0x04,0x16,0x04,0x14,0x29,0x74,0x91,0xAC,0x21,0xD9,0xCD,0xA4,0xBD,0x78,0xF0,0x8A, -0x46,0xF9,0x0A,0xB4,0x6E,0x06,0xAC,0x09,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04, -0x18,0x30,0x16,0x80,0x14,0xE7,0x34,0x2A,0x2E,0x22,0xDE,0x39,0x60,0x6B,0xB4,0x94, -0xCE,0x77,0x83,0x61,0x2F,0x31,0xA0,0x7C,0x35,0x30,0x38,0x06,0x03,0x55,0x1D,0x1F, -0x04,0x31,0x30,0x2F,0x30,0x2D,0xA0,0x2B,0xA0,0x29,0x86,0x27,0x68,0x74,0x74,0x70, -0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, -0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x69,0x70,0x68,0x6F,0x6E,0x65,0x2E, -0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, -0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x8C,0xEC,0xB5,0x3E,0x50,0x80,0xCC,0x0D,0xF5, -0x1D,0x2A,0x24,0x38,0x1D,0x60,0xED,0x32,0x8E,0xB2,0x78,0xBB,0x73,0x97,0xF5,0x90, -0x61,0x4C,0x35,0xF2,0x95,0xDA,0xB7,0x97,0xD3,0x75,0x4C,0x05,0xBE,0xEE,0xE3,0xD1, 
-0x66,0xF2,0x36,0xE8,0xF1,0xAD,0x60,0xDF,0x92,0x48,0x6C,0xD1,0xC3,0x95,0x57,0x22, -0x1F,0xDC,0x74,0x3B,0x36,0xD6,0xC9,0x49,0x43,0xD0,0x74,0x9B,0x74,0xF3,0xFD,0xC8, -0x8E,0x07,0x79,0x7B,0x5C,0xE0,0x4B,0x74,0xB2,0xBE,0x05,0xFE,0x43,0x68,0xA2,0x30, -0x04,0xCC,0x5B,0x4B,0x78,0xB3,0x08,0x26,0x3B,0x28,0x47,0xCE,0xF6,0x59,0xAB,0xCC, -0x10,0xE1,0xBB,0x55,0x3C,0x67,0x55,0x73,0x98,0xF2,0x6E,0xFE,0x51,0x80,0xE7,0x71, -0x54,0xAF,0x88,0xE8,0xDB,0xE9,0x73,0xA9,0x66,0x17,0x79,0x70,0x1B,0x1C,0xAB,0x24, -0x74,0x08,0x20,0x46,0xC5,0x99,0x30,0x3E,0x13,0x9A,0x60,0x9F,0x08,0x5B,0xCC,0x01, -0x26,0xFA,0x93,0x6B,0x72,0xC7,0xB6,0xEC,0x7E,0x3B,0x77,0xE3,0xEB,0x85,0x53,0x82, -0x4B,0xF7,0x11,0xF7,0x5F,0x7F,0x1D,0xDA,0xA7,0xFE,0x24,0xF5,0x41,0x7D,0x10,0xF1, -0xBF,0xA6,0x90,0x86,0xC8,0x59,0x98,0xAF,0x41,0xFA,0x91,0x24,0x7C,0x2C,0x38,0x40, -0x97,0xA2,0xE8,0x4F,0x7A,0xCD,0x1A,0xAD,0x6F,0xC0,0x12,0x1D,0xA7,0x59,0xE5,0xF5, -0x27,0xF2,0x00,0x5C,0xF0,0xB6,0x8F,0x0E,0xFB,0xCE,0x69,0xAA,0x1F,0x21,0x6A,0xD8, -0xC7,0x79,0x1B,0x4F,0x1A,0xB2,0xC6,0xC5,0x9C,0xEF,0x11,0x3E,0x7B,0xB1,0xB7,0x7E, -0xE8,0x8C,0xE0,0xD1,0xFE,0x6D,0x32, -}; - -/* subject:/C=US/O=Apple Inc./CN=Apple iPhone OS Provisioning Profile Signing */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple iPhone Certification Authority */ -static unsigned char prof_signing_production[1021]={ -0x30,0x82,0x03,0xF9,0x30,0x82,0x02,0xE1,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x1F, -0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, -0x79,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, -0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, -0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, -0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, -0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x2D,0x30,0x2B,0x06, 
-0x03,0x55,0x04,0x03,0x13,0x24,0x41,0x70,0x70,0x6C,0x65,0x20,0x69,0x50,0x68,0x6F, -0x6E,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, -0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x1E,0x17,0x0D,0x30,0x38, -0x30,0x35,0x32,0x31,0x30,0x32,0x30,0x34,0x31,0x35,0x5A,0x17,0x0D,0x32,0x30,0x30, -0x35,0x32,0x31,0x30,0x32,0x30,0x34,0x31,0x35,0x5A,0x30,0x59,0x31,0x0B,0x30,0x09, -0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, -0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x35, -0x30,0x33,0x06,0x03,0x55,0x04,0x03,0x13,0x2C,0x41,0x70,0x70,0x6C,0x65,0x20,0x69, -0x50,0x68,0x6F,0x6E,0x65,0x20,0x4F,0x53,0x20,0x50,0x72,0x6F,0x76,0x69,0x73,0x69, -0x6F,0x6E,0x69,0x6E,0x67,0x20,0x50,0x72,0x6F,0x66,0x69,0x6C,0x65,0x20,0x53,0x69, -0x67,0x6E,0x69,0x6E,0x67,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, -0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01, -0x0A,0x02,0x82,0x01,0x01,0x00,0xC5,0x22,0x96,0xB6,0xD1,0xFC,0xBD,0x7C,0x84,0xC2, -0xFD,0x6B,0x39,0xD4,0x60,0xCC,0xCE,0x4E,0x3A,0xDA,0x41,0x42,0x9E,0x8D,0x94,0xA9, -0x18,0x67,0x86,0x8A,0x16,0xF1,0x46,0xB1,0x1C,0x69,0x25,0xC7,0xBF,0xF3,0xB3,0x88, -0xDD,0xC8,0xA5,0xA9,0xC9,0xA5,0x8B,0x42,0x39,0x58,0x39,0xB4,0x8A,0xDB,0x40,0xFA, -0x74,0xA4,0xAC,0x75,0x57,0x21,0x8D,0xDB,0xD9,0xAA,0xA2,0x0A,0xBE,0xE4,0x9A,0x2A, -0x83,0x00,0xDA,0x1F,0x37,0x11,0xC0,0xCA,0xCA,0x10,0x76,0xFB,0xE6,0x50,0xC1,0x15, -0x1B,0x0B,0x67,0x9C,0x8F,0xA1,0xF3,0x5C,0xC8,0x9D,0x78,0xA6,0xAD,0x05,0x80,0xAE, -0xD7,0x0A,0xB4,0x84,0x9A,0xD8,0x8E,0xD4,0xB4,0x6E,0xF4,0x49,0x99,0x2F,0x1D,0x8E, -0x7C,0x10,0xE3,0x11,0xC2,0x92,0x74,0x28,0xB2,0x7C,0x2B,0x98,0x15,0xC7,0x0D,0x55, -0x00,0xAA,0x67,0xA1,0xEE,0x4C,0x54,0xA6,0x9E,0x13,0xE4,0x80,0x2F,0xE1,0xC3,0x36, -0x47,0x12,0xA1,0xFF,0x56,0xA4,0x9D,0x94,0xEF,0xA5,0x50,0xE2,0x64,0x1B,0x00,0x08, -0xA4,0xE2,0xB2,0xBD,0x9C,0x76,0xF3,0xAE,0xEA,0x84,0x73,0xD0,0x8F,0xBA,0xFF,0x33, 
-0xD7,0x90,0xE6,0x1A,0xB5,0x1F,0xBE,0x83,0x00,0xEA,0x7F,0xF6,0x24,0xA7,0x40,0xE1, -0x86,0xE2,0x13,0x97,0x27,0x0B,0x5D,0x7D,0xC5,0x0B,0x8F,0x6F,0xA6,0xC4,0x5D,0x63, -0x30,0x21,0x8D,0x95,0x92,0xEC,0x1A,0xD1,0x55,0x94,0x7F,0x63,0x8F,0x66,0x3F,0x84, -0x67,0x0C,0x1D,0x70,0x17,0xBC,0x99,0xA8,0x12,0x1D,0x9B,0x07,0x1E,0x0F,0x76,0x3A, -0x0C,0x40,0x6F,0xAF,0x28,0x3B,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xAB,0x30,0x81, -0xA8,0x30,0x0B,0x06,0x03,0x55,0x1D,0x0F,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x0C, -0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x11,0x06,0x0B, -0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x02,0x01,0x04,0x02,0x05,0x00,0x30, -0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD6,0xE3,0x26,0x4A,0x0D,0x68, -0xB3,0x0E,0x10,0xBD,0xF8,0xDF,0x25,0x21,0xE3,0x7F,0xC2,0x55,0x7F,0x6C,0x30,0x1F, -0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xE7,0x34,0x2A,0x2E,0x22, -0xDE,0x39,0x60,0x6B,0xB4,0x94,0xCE,0x77,0x83,0x61,0x2F,0x31,0xA0,0x7C,0x35,0x30, -0x38,0x06,0x03,0x55,0x1D,0x1F,0x04,0x31,0x30,0x2F,0x30,0x2D,0xA0,0x2B,0xA0,0x29, -0x86,0x27,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70, -0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x69, -0x70,0x68,0x6F,0x6E,0x65,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, -0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x23,0xDF,0xB9, -0xC3,0x8D,0xFB,0x3E,0x64,0xC7,0x1C,0x5D,0x42,0xD0,0x18,0x97,0x80,0xD1,0x34,0xCD, -0x13,0xC8,0xC0,0x6D,0xF5,0x86,0xC3,0x1C,0x5E,0xE7,0xC4,0x55,0x54,0x0C,0x58,0xB7, -0x0F,0x5D,0x53,0x41,0xF9,0xDC,0xB5,0x77,0x97,0xB4,0x77,0x93,0x84,0x39,0x5F,0xDF, -0x7B,0x62,0x29,0x75,0xBD,0xEC,0xF8,0xB2,0x7B,0x90,0xF7,0xEA,0x1A,0x48,0xBF,0x6C, -0x05,0x2A,0x31,0xE0,0xC7,0x5B,0x24,0x40,0xA3,0x98,0xFD,0x16,0x9A,0x93,0x70,0x6A, -0xDC,0xED,0x47,0xB6,0x65,0x3B,0xFC,0x89,0x8B,0x66,0x45,0x46,0x8C,0xDE,0x4B,0xB6, -0x70,0x6D,0xBA,0xA7,0xB1,0x14,0x4F,0xA3,0x6C,0xDB,0x4F,0x4F,0x42,0x98,0x7C,0xF5, 
-0x05,0x80,0xCD,0xB6,0x11,0xB0,0xF0,0xEC,0xD4,0x59,0x6A,0xBF,0x1B,0x4D,0xFA,0xA5, -0xE4,0xBD,0xDE,0x2F,0xB2,0xB9,0x8F,0x0B,0x31,0x44,0xF3,0x92,0x1C,0x02,0x48,0x74, -0x9F,0xFF,0xAB,0x25,0x8D,0x4F,0xFB,0x74,0xEC,0x2B,0x3B,0x2C,0x0A,0xDE,0x65,0x29, -0x92,0x1D,0x17,0xEA,0x94,0x4A,0x6F,0x78,0x41,0x41,0x97,0x31,0xA9,0x25,0x9A,0xF1, -0x69,0x1B,0xD4,0xE1,0x2D,0xF4,0x1A,0xB6,0x89,0xC0,0xBF,0xD6,0x95,0x0E,0xB7,0x85, -0xB7,0xC6,0x42,0xF0,0x29,0xE9,0xFA,0xF4,0xE4,0x71,0xB7,0x59,0xDB,0x61,0x31,0x33, -0x52,0x74,0x51,0x37,0x86,0x91,0x1F,0x49,0x70,0xBE,0xF3,0x02,0x26,0x0B,0xBC,0xD5, -0x12,0x58,0xB0,0xEF,0x5A,0x85,0xEC,0x56,0xCB,0xB4,0xA1,0xAE,0xF5,0x88,0x6C,0x89, -0x16,0x27,0x13,0x25,0xDF,0xE7,0xE2,0x15,0xE4,0x7A,0x21,0x66,0x9A, -}; - - -static void tests(void) -{ - SecTrustRef trust; - SecCertificateRef leaf, root; - SecPolicyRef policy; - - isnt(leaf = SecCertificateCreateWithBytes(kCFAllocatorDefault, - codesigning_certificate, sizeof(codesigning_certificate)), NULL, "create leaf"); - isnt(root = SecCertificateCreateWithBytes(kCFAllocatorDefault, - wwdr_anchor_certificate, sizeof(wwdr_anchor_certificate)), NULL, "create root"); - - CFArrayRef certs = CFArrayCreate(kCFAllocatorDefault, (const void **)&leaf, 1, NULL); - CFArrayRef anchors = CFArrayCreate(kCFAllocatorDefault, (const void **)&root, 1, NULL); - isnt(policy = SecPolicyCreateiPhoneApplicationSigning(), NULL, "create policy instance"); - - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust for leaf"); - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set WWDR anchor for evaluation"); - CFDataRef exceptions = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, - applicable_exceptions, sizeof(applicable_exceptions), kCFAllocatorNull); - ok(SecTrustSetExceptions(trust, exceptions), "set applicable exceptions"); - CFReleaseNull(exceptions); - - SecTrustResultType trustResult; - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, 
kSecTrustResultProceed, "trust is kSecTrustResultProceed"); - - CFReleaseNull(policy); - CFReleaseNull(trust); - isnt(policy = SecPolicyCreateiPhoneProfileApplicationSigning(), NULL, - "create iPhoneProfileApplicationSigning policy instance"); - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust for leaf"); - CFDateRef verifyDate = CFDateCreate(kCFAllocatorDefault, 228244066); - ok_status(SecTrustSetVerifyDate(trust, verifyDate), "set verify date"); - CFReleaseNull(verifyDate); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - TODO: { - todo("We now require a complete certificate chain up to an anchor for every policy"); - is_status(trustResult, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); - } - CFReleaseNull(trust); - CFReleaseNull(leaf); - CFReleaseNull(certs); - CFReleaseNull(policy); - CFReleaseNull(root); - CFReleaseNull(anchors); - -/* - CFDataRef trust_exceptions = SecTrustCopyExceptions(trust); - int fd = open("/var/tmp/si-29-except", O_CREAT|O_RDWR, 0644); - write(fd, CFDataGetBytePtr(trust_exceptions), CFDataGetLength(trust_exceptions)); - close(fd); - CFPropertyListRef exception_plist = CFPropertyListCreateWithData(kCFAllocatorDefault, trust_exceptions, kCFPropertyListImmutable, NULL, NULL); - CFShow(exception_plist); -*/ - - SecCertificateRef cert0, cert1, ntmd0, - app_signing_production_cert, prof_production_cert; - isnt(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)), - NULL, "create cert0"); - isnt(cert1 = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)), - NULL, "create cert1"); - isnt(ntmd0 = SecCertificateCreateWithBytes(NULL, _i1, sizeof(_i1)), - NULL, "create cert1"); - isnt(app_signing_production_cert = SecCertificateCreateWithBytes(NULL, app_signing_production, sizeof(app_signing_production)), - NULL, "create app_signing_production"); - isnt(prof_production_cert = SecCertificateCreateWithBytes(NULL, prof_signing_production, 
sizeof(prof_signing_production)), - NULL, "create prof_signing_production"); - const void *v_certs[] = { - cert0, - ntmd0 - }; - policy = SecPolicyCreateiPhoneProvisioningProfileSigning(); - certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), NULL); - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - /* This is a TEST cert. If we're testing on an external release or on a prod-fused device, expect a trust failure.*/ - if (SecIsInternalRelease() && !SecIsProductionFused()) { - is_status(trustResult,kSecTrustResultUnspecified, - "trust is kSecTrustResultUnspecified"); - } - else { - is_status(trustResult,kSecTrustResultRecoverableTrustFailure, - "trust is kSecTrustResultRecoverableTrustFailure"); - } - - CFReleaseNull(certs); - CFReleaseNull(trust); - - v_certs[0] = prof_production_cert; - certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), NULL); - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultUnspecified, - "trust is kSecTrustResultUnspecified"); - - CFReleaseNull(certs); - CFReleaseNull(trust); - CFReleaseNull(policy); - - policy = SecPolicyCreateiPhoneApplicationSigning(); - v_certs[0] = cert1; - certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), NULL); - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - /* This is a TEST cert. 
If we're testing on an external release or on a prod-fused device, expect a trust failure.*/ - if (SecIsInternalRelease() && !SecIsProductionFused()) { - is_status(trustResult,kSecTrustResultUnspecified, - "trust is kSecTrustResultUnspecified"); - } - else { - is_status(trustResult,kSecTrustResultRecoverableTrustFailure, - "trust is kSecTrustResultRecoverableTrustFailure"); - } - - CFReleaseNull(certs); - CFReleaseNull(trust); - - v_certs[0] = app_signing_production_cert; - certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), NULL); - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - is_status(trustResult, kSecTrustResultUnspecified, - "trust is kSecTrustResultUnspecified"); - - CFReleaseNull(certs); - CFReleaseNull(trust); - CFReleaseNull(policy); - - CFReleaseNull(cert0); - CFReleaseNull(cert1); - CFReleaseNull(ntmd0); - CFReleaseNull(app_signing_production_cert); - CFReleaseNull(prof_production_cert); - -} - -int si_29_sectrust_codesigning(int argc, char *const *argv) -{ - plan_tests(30); - - - tests(); - - return 0; -} diff --git a/OSX/sec/Security/Regressions/secitem/si-33-keychain-backup.c b/OSX/sec/Security/Regressions/secitem/si-33-keychain-backup.c index 2afaa805..1369991d 100644 --- a/OSX/sec/Security/Regressions/secitem/si-33-keychain-backup.c +++ b/OSX/sec/Security/Regressions/secitem/si-33-keychain-backup.c @@ -248,6 +248,7 @@ static void test_persistent2(struct test_persistent_s *p) static CFMutableDictionaryRef test_create_lockdown_identity_query(void) { CFMutableDictionaryRef query = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); CFDictionaryAddValue(query, kSecClass, kSecClassGenericPassword); + CFDictionaryAddValue(query, kSecAttrAccount, CFSTR("test-delete-me")); CFDictionaryAddValue(query, kSecAttrAccessGroup, CFSTR("lockdown-identities")); return query; } 
@@ -377,6 +378,12 @@ static CFDataRef create_keybag(keybag_handle_t bag_type, CFDataRef password) /* Test low level keychain migration from device to device interface. */ static void tests(void) { + { + CFMutableDictionaryRef lock_down_query = test_create_lockdown_identity_query(); + (void)SecItemDelete(lock_down_query); + CFReleaseNull(lock_down_query); + } + int v_eighty = 80; CFNumberRef eighty = CFNumberCreate(NULL, kCFNumberSInt32Type, &v_eighty); const char *v_data = "test"; @@ -390,7 +397,8 @@ static void tests(void) CFDictionaryAddValue(query, kSecAttrAuthenticationType, kSecAttrAuthenticationTypeDefault); CFDictionaryAddValue(query, kSecValueData, pwdata); // NUKE anything we might have left around from a previous test run so we don't crash. - SecItemDelete(query); + (void)SecItemDelete(query); + ok_status(SecItemAdd(query, NULL), "add internet password"); is_status(SecItemAdd(query, NULL), errSecDuplicateItem, "add internet password again"); diff --git a/OSX/sec/Security/Regressions/secitem/si-40-seckey-custom.c b/OSX/sec/Security/Regressions/secitem/si-40-seckey-custom.c index 50dd5aa8..938378ee 100644 --- a/OSX/sec/Security/Regressions/secitem/si-40-seckey-custom.c +++ b/OSX/sec/Security/Regressions/secitem/si-40-seckey-custom.c @@ -88,8 +88,7 @@ static OSStatus CustomKeyCompute(SecKeyRef key, static size_t CustomKeyBlockSize(SecKeyRef key) { - is(customKey, key, "CustomKeyBlockSize"); - return 42; + return 5; } static CFDictionaryRef CustomKeyCopyAttributeDictionary(SecKeyRef key) @@ -198,10 +197,10 @@ static void tests(SecKeyDescriptor *descriptor) is(customKey, initedCustomKey, "CustomKeyInit got the right key"); SecPadding padding = kSecPaddingPKCS1; - const uint8_t *src = NULL; - size_t srcLen = 3; - uint8_t *dst = NULL; - size_t dstLen = 3; + const uint8_t *src = (const uint8_t *)"defgh"; + size_t srcLen = 5; + uint8_t dst[5]; + size_t dstLen = 5; ok_status(SecKeyDecrypt(customKey, padding, src, srcLen, dst, &dstLen), "SecKeyDecrypt"); 
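Review bot: The cleanup block added at the top of `tests()` discards the `SecItemDelete` status with a `(void)` cast, so any failure other than `errSecItemNotFound` (a missing entitlement for the `lockdown-identities` group, for instance) is silent and the assertions that follow fail with no hint of the cause; the hunk at `@@ -390` does the same for the internet-password query. Consider keeping the status and accepting only the two expected outcomes, `OSStatus s = SecItemDelete(lock_down_query); ok(s == errSecSuccess || s == errSecItemNotFound, "clean up lockdown identity");`, adjusting `plan_tests` (outside this hunk) to match, or at least annotate the cast with a one-line comment stating that `errSecItemNotFound` is the normal first-run result. `tests()` continues past the end of the hunk.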
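Review bot: `CustomKeyBlockSize` now returns a bare `5` that the test body repeats by hand in the hunks at `@@ -198` (`uint8_t dst[5]`, `srcLen = 5`, `dstLen = 5`) and `@@ -211` (`(size_t)5*8`), so a future change to the block size silently desynchronises the buffers from the key. One `#define kCustomKeyBlockSize 5` beside the callback, used in all four places (`return kCustomKeyBlockSize;`, `uint8_t dst[kCustomKeyBlockSize];`, `(size_t)kCustomKeyBlockSize * 8`), keeps them tied together. With the `is(customKey, key, ...)` check removed the `key` parameter is now unused; a `(void)key;` keeps `-Wunused-parameter` quiet if the project builds with it.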
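Review bot: `dstLen` is an in/out length, so after `SecKeyDecrypt` it may hold the number of bytes the custom callback produced rather than `sizeof(dst)`, yet the `SecKeyRawSign`/`SecKeyRawVerify` calls in the hunk at `@@ -211` reuse `dst` and `dstLen` as they are. If a callback ever reports fewer than 5 bytes the next call is handed a shrunken buffer, and if the callbacks are relied on to write exactly 5 bytes that assumption deserves a comment; resetting `dstLen = sizeof(dst);` before each call makes the test independent of callback behaviour. `tests()` extends beyond both ends of this hunk, so the callbacks' actual behaviour is not visible here.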
@@ -211,7 +210,7 @@ static void tests(SecKeyDescriptor *descriptor) "SecKeyRawSign"); ok_status(SecKeyRawVerify(customKey, padding, src, srcLen, dst, dstLen), "SecKeyRawVerify"); - is(SecKeyGetSize(customKey, kSecKeyKeySizeInBits), (size_t)42*8, "SecKeyGetSize"); + is(SecKeyGetSize(customKey, kSecKeyKeySizeInBits), (size_t)5*8, "SecKeyGetSize"); CFDictionaryRef attrDict = NULL; ok(attrDict = SecKeyCopyAttributeDictionary(customKey), @@ -242,7 +241,7 @@ static void tests(SecKeyDescriptor *descriptor) int si_40_seckey_custom(int argc, char *const *argv) { - plan_tests(21 * 4); + plan_tests(20 * 4); tests(&kCustomKeyDescriptor_version0); tests(&kCustomKeyDescriptor_version1); diff --git a/OSX/sec/Security/Regressions/secitem/si-40-seckey.c b/OSX/sec/Security/Regressions/secitem/si-40-seckey.c index 1644000c..531912b5 100644 --- a/OSX/sec/Security/Regressions/secitem/si-40-seckey.c +++ b/OSX/sec/Security/Regressions/secitem/si-40-seckey.c @@ -33,10 +33,13 @@ #include <Security/SecureTransport.h> #include <Security/SecRandom.h> #include <utilities/array_size.h> +#include <utilities/SecCFWrappers.h> #include <CommonCrypto/CommonDigest.h> #include <libDER/libDER.h> #include <stdlib.h> #include <unistd.h> +#include <corecrypto/ccsha1.h> +#include <corecrypto/ccsha2.h> #include "Security_regressions.h" @@ -122,7 +125,7 @@ static void dump_bytes(uint8_t* bytes, size_t amount) } #endif -#define kEncryptDecryptTestCount 5 +#define kEncryptDecryptTestCount 6 static void test_encrypt_decrypt(SecKeyRef pubKey, SecKeyRef privKey, uint32_t padding, size_t keySizeInBytes) { SKIP: { 
@@ -134,13 +137,13 @@ static void test_encrypt_decrypt(SecKeyRef pubKey, SecKeyRef privKey, uint32_t p default: skip("what is the max_len for this padding?", 5, false); } - uint8_t secret[max_len + 1], encrypted_secret[keySizeInBytes], decrypted_secret[keySizeInBytes]; + uint8_t secret[max_len + 2], encrypted_secret[keySizeInBytes], decrypted_secret[keySizeInBytes]; uint8_t *secret_ptr = secret; size_t secret_len = max_len; size_t encrypted_secret_len = sizeof(encrypted_secret); size_t decrypted_secret_len = sizeof(decrypted_secret); memset(decrypted_secret, 0xff, decrypted_secret_len); - SecRandomCopyBytes(kSecRandomDefault, sizeof(secret), secret); + ok_status(SecRandomCopyBytes(kSecRandomDefault, sizeof(secret), secret),"rng"); // zero pad, no accidental second zero byte if (padding == kSecPaddingNone) { @@ -170,7 +173,7 @@ static void test_encrypt_decrypt(SecKeyRef pubKey, SecKeyRef privKey, uint32_t p } } -#define kKeyGenTestCount (49 + (3*kEncryptDecryptTestCount)) +#define kKeyGenTestCount (50 + (3*kEncryptDecryptTestCount)) static void testkeygen(size_t keySizeInBits) { SecKeyRef pubKey = NULL, privKey = NULL; size_t keySizeInBytes = (keySizeInBits + 7) / 8; 
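Review bot: `uint8_t secret[max_len + 2]` grows the buffer by one byte over the previous `max_len + 1`, but nothing in the hunk says which later access needs the extra byte, and `secret_len` still starts at `max_len`. The rest of test_encrypt_decrypt is outside the hunk so the consumer cannot be confirmed here; presumably an over-length probe reads past `max_len + 1`, and a comment on the declaration such as `/* +2: slack for the over-length probe below — keep in sync with it */` would stop the next person from shrinking it back. Checking SecRandomCopyBytes with ok_status is the right call for a buffer that then drives a padding test.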
@@ -199,109 +202,111 @@ static void testkeygen(size_t keySizeInBits) { /* Sign something. */ uint8_t something[keySizeInBytes]; size_t something_len = keySizeInBytes - 11; - SecRandomCopyBytes(kSecRandomDefault, sizeof(something), something); + ok_status(SecRandomCopyBytes(kSecRandomDefault, sizeof(something), something),"rng"); uint8_t sig[keySizeInBytes]; size_t sigLen = sizeof(sig); - is_status(SecKeyRawSign(privKey, kSecPaddingPKCS1, - something, something_len + 1, sig, &sigLen), - errSecParam, "sign overflow"); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1, - something, something_len, sig, &sigLen), "sign something"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1, - something, something_len, sig, sigLen), "verify sig on something"); - - // Torture test ASN.1 encoder by setting high bit to 1. - uint8_t digest[CC_SHA512_DIGEST_LENGTH] = { - 0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, - }; - //CC_MD2(something, sizeof(something), digest); - ok_status(!SecKeyRawSign(privKey, kSecPaddingPKCS1MD2, - digest, CC_MD2_DIGEST_LENGTH, sig, &sigLen), - "don't sign md2 digest"); - ok_status(!SecKeyRawVerify(pubKey, kSecPaddingPKCS1MD2, - digest, CC_MD2_DIGEST_LENGTH, sig, sigLen), - "verify sig on md2 digest fails"); - - //CC_MD5(something, sizeof(something), digest); - sigLen = sizeof(sig); - ok_status(!SecKeyRawSign(privKey, kSecPaddingPKCS1MD5, - digest, CC_MD5_DIGEST_LENGTH, sig, &sigLen), - "don't sign md5 digest"); - ok_status(!SecKeyRawVerify(pubKey, kSecPaddingPKCS1MD5, - digest, CC_MD5_DIGEST_LENGTH, sig, sigLen), - "verify sig on md5 digest fails"); - - //CCDigest(kCCDigestSHA1, something, 
sizeof(something), digest); - sigLen = sizeof(sig); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA1, - digest, CC_SHA1_DIGEST_LENGTH, sig, &sigLen), - "sign sha1 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA1, - digest, CC_SHA1_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha1 digest"); - - uint8_t signature[keySizeInBytes], *ptr = signature; - size_t signature_len = sizeof(signature); - ok_status(SecKeyDecrypt(pubKey, kSecPaddingNone, sig, sigLen, signature, &signature_len), "inspect signature"); - is(signature_len, keySizeInBytes - 1, "got signature"); - while(*ptr && ((size_t)(ptr - signature) < signature_len)) ptr++; - is(signature + signature_len - ptr, 16 /* length(\0 || OID_SHA1) */ + CC_SHA1_DIGEST_LENGTH, "successful decode"); - - /* PKCS1 padding is 00 01 PAD * 8 or more 00 data. - data is SEQ { SEQ { OID NULL } BIT STRING 00 DIGEST } - So min data + pad overhead is 11 + 9 + oidlen - oidlen = 11 for the sha2 family of oids, so we have 29 bytes; or - 232 bits of minimum overhead. */ - const size_t pkcs1Overhead = 232; - if (keySizeInBits > 224 + pkcs1Overhead) { - //CC_SHA224(something, sizeof(something), digest); + if (privKey != NULL && pubKey != NULL) { + is_status(SecKeyRawSign(privKey, kSecPaddingPKCS1, + something, something_len + 1, sig, &sigLen), + errSecParam, "sign overflow"); + ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1, + something, something_len, sig, &sigLen), "sign something"); + ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1, + something, something_len, sig, sigLen), "verify sig on something"); + + // Torture test ASN.1 encoder by setting high bit to 1. 
+ uint8_t digest[CC_SHA512_DIGEST_LENGTH] = { + 0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + }; + //CC_MD2(something, sizeof(something), digest); + ok_status(!SecKeyRawSign(privKey, kSecPaddingPKCS1MD2, + digest, CC_MD2_DIGEST_LENGTH, sig, &sigLen), + "don't sign md2 digest"); + ok_status(!SecKeyRawVerify(pubKey, kSecPaddingPKCS1MD2, + digest, CC_MD2_DIGEST_LENGTH, sig, sigLen), + "verify sig on md2 digest fails"); + + //CC_MD5(something, sizeof(something), digest); sigLen = sizeof(sig); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA224, - digest, CC_SHA224_DIGEST_LENGTH, sig, &sigLen), - "sign sha224 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA224, - digest, CC_SHA224_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha224 digest"); - } - - if (keySizeInBits > 256 + pkcs1Overhead) { - //CC_SHA256(something, sizeof(something), digest); + ok_status(!SecKeyRawSign(privKey, kSecPaddingPKCS1MD5, + digest, CC_MD5_DIGEST_LENGTH, sig, &sigLen), + "don't sign md5 digest"); + ok_status(!SecKeyRawVerify(pubKey, kSecPaddingPKCS1MD5, + digest, CC_MD5_DIGEST_LENGTH, sig, sigLen), + "verify sig on md5 digest fails"); + + //CCDigest(kCCDigestSHA1, something, sizeof(something), digest); sigLen = sizeof(sig); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA256, - digest, CC_SHA256_DIGEST_LENGTH, sig, &sigLen), - "sign sha256 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA256, - digest, CC_SHA256_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha256 digest"); - } - - if (keySizeInBits > 384 + pkcs1Overhead) { - //CC_SHA384(something, sizeof(something), digest); - sigLen = sizeof(sig); - 
ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA384, - digest, CC_SHA384_DIGEST_LENGTH, sig, &sigLen), - "sign sha384 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA384, - digest, CC_SHA384_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha384 digest"); - } - - if (keySizeInBits > 512 + pkcs1Overhead) { - //CC_SHA512(something, sizeof(something), digest); - sigLen = sizeof(sig); - ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA512, - digest, CC_SHA512_DIGEST_LENGTH, sig, &sigLen), - "sign sha512 digest"); - ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA512, - digest, CC_SHA512_DIGEST_LENGTH, sig, sigLen), - "verify sig on sha512 digest"); + ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA1, + digest, CC_SHA1_DIGEST_LENGTH, sig, &sigLen), + "sign sha1 digest"); + ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA1, + digest, CC_SHA1_DIGEST_LENGTH, sig, sigLen), + "verify sig on sha1 digest"); + + uint8_t signature[keySizeInBytes], *ptr = signature; + size_t signature_len = sizeof(signature); + ok_status(SecKeyDecrypt(pubKey, kSecPaddingNone, sig, sigLen, signature, &signature_len), "inspect signature"); + is(signature_len, keySizeInBytes - 1, "got signature"); + while(*ptr && ((size_t)(ptr - signature) < signature_len)) ptr++; + is(signature + signature_len - ptr, 16 /* length(\0 || OID_SHA1) */ + CC_SHA1_DIGEST_LENGTH, "successful decode"); + + /* PKCS1 padding is 00 01 PAD * 8 or more 00 data. + data is SEQ { SEQ { OID NULL } BIT STRING 00 DIGEST } + So min data + pad overhead is 11 + 9 + oidlen + oidlen = 11 for the sha2 family of oids, so we have 29 bytes; or + 232 bits of minimum overhead. 
*/ + const size_t pkcs1Overhead = 232; + if (keySizeInBits > 224 + pkcs1Overhead) { + //CC_SHA224(something, sizeof(something), digest); + sigLen = sizeof(sig); + ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA224, + digest, CC_SHA224_DIGEST_LENGTH, sig, &sigLen), + "sign sha224 digest"); + ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA224, + digest, CC_SHA224_DIGEST_LENGTH, sig, sigLen), + "verify sig on sha224 digest"); + } + + if (keySizeInBits > 256 + pkcs1Overhead) { + //CC_SHA256(something, sizeof(something), digest); + sigLen = sizeof(sig); + ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA256, + digest, CC_SHA256_DIGEST_LENGTH, sig, &sigLen), + "sign sha256 digest"); + ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA256, + digest, CC_SHA256_DIGEST_LENGTH, sig, sigLen), + "verify sig on sha256 digest"); + } + + if (keySizeInBits > 384 + pkcs1Overhead) { + //CC_SHA384(something, sizeof(something), digest); + sigLen = sizeof(sig); + ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA384, + digest, CC_SHA384_DIGEST_LENGTH, sig, &sigLen), + "sign sha384 digest"); + ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA384, + digest, CC_SHA384_DIGEST_LENGTH, sig, sigLen), + "verify sig on sha384 digest"); + } + + if (keySizeInBits > 512 + pkcs1Overhead) { + //CC_SHA512(something, sizeof(something), digest); + sigLen = sizeof(sig); + ok_status(SecKeyRawSign(privKey, kSecPaddingPKCS1SHA512, + digest, CC_SHA512_DIGEST_LENGTH, sig, &sigLen), + "sign sha512 digest"); + ok_status(SecKeyRawVerify(pubKey, kSecPaddingPKCS1SHA512, + digest, CC_SHA512_DIGEST_LENGTH, sig, sigLen), + "verify sig on sha512 digest"); + } } test_encrypt_decrypt(pubKey, privKey, kSecPaddingNone, keySizeInBytes); 
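Review bot: Wrapping the sign/verify assertions in `if (privKey != NULL && pubKey != NULL)` makes a keygen failure silently skip a dozen-plus ok_status/is checks, so the TAP plan (kKeyGenTestCount, now 50 + 3*kEncryptDecryptTestCount) no longer matches and the real failure is buried under a plan-count error. This file already uses the harness idiom for exactly this, see the `SKIP: { skip("what is the max_len for this padding?", 5, false); }` block in test_encrypt_decrypt; the guard should be `SKIP: { skip("key generation failed", <count>, privKey != NULL && pubKey != NULL); ... }` so the skipped assertions are accounted for. Note also that the `test_encrypt_decrypt(pubKey, privKey, ...)` call right after the new block is still reached with NULL keys. Separately, the moved `while(*ptr && ((size_t)(ptr - signature) < signature_len)) ptr++;` dereferences before it bounds-checks; swapping the two operands of `&&` is the safe order. The end of testkeygen is outside the hunk.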
@@ -431,8 +436,507 @@ static void testkeygen2(size_t keySizeInBits) { CFRelease(privd); } +static const int kTestSupportedCount = 3 + (4 * 11) + 2 + (4 * 5); +static void testsupportedalgos(size_t keySizeInBits) +{ + SecKeyRef pubKey = NULL, privKey = NULL; + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + CFNumberRef kzib; + + int32_t iKeySizeInBits = (int32_t) keySizeInBits; + kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &iKeySizeInBits); + CFMutableDictionaryRef kgp = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); + CFDictionaryAddValue(kgp, kSecAttrKeyType, kSecAttrKeyTypeRSA); + CFDictionaryAddValue(kgp, kSecAttrKeySizeInBits, kzib); + + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) persistent RSA keypair", + keySizeInBits, keySizeInBytes); + CFRelease(kzib); + CFRelease(kgp); + + is(SecKeyGetSize(pubKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "public key size is ok"); + is(SecKeyGetSize(privKey, kSecKeyKeySizeInBits), (size_t) keySizeInBits, "private key size is ok"); + + const SecKeyAlgorithm sign[] = { + kSecKeyAlgorithmRSASignatureRaw, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512, + }; + + for (size_t i = 0; i < array_size(sign); i++) { + ok(SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeSign, sign[i]), + "privKey supports sign algorithm %@", sign[i]); + ok(SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeVerify, sign[i]), + "pubKey supports verify algorithm %@", sign[i]); + // Our privKey 
actually supports even verify operation because it is adapter over decrypt... + ok(SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeVerify, sign[i]), + "privKey supports verify algorithm %@", sign[i]); + ok(!SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeSign, sign[i]), + "pubKey doesn't support verify algorithm %@", sign[i]); + } + ok(!SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeSign, kSecKeyAlgorithmECDSASignatureDigestX962), + "RSA privKey does not support ECDSA algorithm"); + ok(!SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeVerify, kSecKeyAlgorithmECDSASignatureDigestX962), + "RSA pubKey does not support ECDSA algorithm"); + + const SecKeyAlgorithm crypt[] = { + kSecKeyAlgorithmRSAEncryptionRaw, + kSecKeyAlgorithmRSAEncryptionPKCS1, + kSecKeyAlgorithmRSAEncryptionOAEPSHA1, + kSecKeyAlgorithmRSAEncryptionOAEPSHA224, + kSecKeyAlgorithmRSAEncryptionOAEPSHA256, +// kSecKeyAlgorithmRSAEncryptionOAEPSHA384, +// kSecKeyAlgorithmRSAEncryptionOAEPSHA512, + }; + for (size_t i = 0; i < array_size(crypt); i++) { + ok(SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeDecrypt, crypt[i]), + "privKey supports decrypt algorithm %@", crypt[i]); + ok(SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeEncrypt, crypt[i]), + "pubKey supports encrypt algorithm %@", crypt[i]); + ok(!SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeEncrypt, crypt[i]), + "privKey doesn't supports encrypt algorithm %@", crypt[i]); + ok(SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeDecrypt, crypt[i]), + "pubKey supports decrypt algorithm %@", crypt[i]); + } + + /* Cleanup. 
*/ + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + +#define kCreateWithDataTestCount 13 +static void testcreatewithdata(unsigned long keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + int32_t keysz32 = (int32_t)keySizeInBits; + + CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeRSA, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + SecKeyRef pubKey = NULL, privKey = NULL; + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) RSA keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + CFReleaseNull(kgp); + + CFMutableDictionaryRef kcwd = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeRSA, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + CFReleaseNull(kzib); + + CFErrorRef error = NULL; + CFDataRef privExternalData = NULL, pubExternalData = NULL; + SecKeyRef dataKey = NULL; + + { // privKey + privExternalData = SecKeyCopyExternalRepresentation(privKey, &error); + ok(privExternalData && CFGetTypeID(privExternalData) == CFDataGetTypeID(), + "priv key SecKeyCopyExternalRepresentation failed"); + CFReleaseNull(error); + + SKIP: { + skip("invalid priv key external data", 4, privExternalData); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate); + dataKey = SecKeyCreateWithData(privExternalData, kcwd, &error); + ok(dataKey, "priv key SecKeyCreateWithData failed"); + CFReleaseNull(error); + + eq_cf(privKey, dataKey, "priv keys differ"); + CFReleaseNull(dataKey); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic); + dataKey = SecKeyCreateWithData(privExternalData, kcwd, &error); + ok(!dataKey, "priv key SecKeyCreateWithData succeeded with invalid kSecAttrKeyClass"); + 
CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFMutableDataRef modifiedExternalData = CFDataCreateMutable(kCFAllocatorDefault, 0); + CFDataAppend(modifiedExternalData, privExternalData); + *CFDataGetMutableBytePtr(modifiedExternalData) ^= 0xff; + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate); + dataKey = SecKeyCreateWithData(modifiedExternalData, kcwd, &error); + ok(!dataKey, "priv key SecKeyCreateWithData succeeded with invalid external data"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFReleaseNull(modifiedExternalData); + } + } + + { // pubKey + pubExternalData = SecKeyCopyExternalRepresentation(pubKey, &error); + ok(pubExternalData && CFGetTypeID(pubExternalData) == CFDataGetTypeID(), + "pub key SecKeyCopyExternalRepresentation failed"); + CFReleaseNull(error); + + SKIP: { + skip("invalid pub key external data", 4, pubExternalData); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic); + dataKey = SecKeyCreateWithData(pubExternalData, kcwd, &error); + ok(dataKey, "pub key SecKeyCreateWithData failed"); + CFReleaseNull(error); + + eq_cf(pubKey, dataKey, "pub keys differ"); + CFReleaseNull(dataKey); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate); + dataKey = SecKeyCreateWithData(pubExternalData, kcwd, &error); + ok(!dataKey, "pub key SecKeyCreateWithData succeeded with invalid kSecAttrKeyClass"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFMutableDataRef modifiedExternalData = CFDataCreateMutable(kCFAllocatorDefault, 0); + CFDataAppend(modifiedExternalData, pubExternalData); + *CFDataGetMutableBytePtr(modifiedExternalData) ^= 0xff; + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic); + dataKey = SecKeyCreateWithData(modifiedExternalData, kcwd, &error); + ok(!dataKey, "pub key SecKeyCreateWithData succeeded with invalid external data"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFReleaseNull(modifiedExternalData); + } + } + + 
SKIP: { + skip("invalid pub key external data", 1, pubExternalData); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate); + dataKey = SecKeyCreateWithData(pubExternalData, kcwd, &error); + ok(!dataKey, "priv key SecKeyCreateWithData succeeded with public external data"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFReleaseNull(pubExternalData); + } + + SKIP: { + skip("invalid priv key external data", 1, privExternalData); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic); + dataKey = SecKeyCreateWithData(privExternalData, kcwd, &error); + ok(!dataKey, "pub key SecKeyCreateWithData succeeded with private external data"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFReleaseNull(privExternalData); + } + + CFReleaseNull(kcwd); + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + +#define kCopyAttributesTestCount 20 +static void testcopyattributes(unsigned long keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + int32_t keysz32 = (int32_t)keySizeInBits; + + CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeRSA, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + SecKeyRef pubKey = NULL, privKey = NULL; + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) RSA keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + CFReleaseNull(kgp); + + CFDictionaryRef attributes; + CFTypeRef attrValue = NULL, privAppLabel = NULL, pubAppLabel = NULL; + + { // privKey + attributes = SecKeyCopyAttributes(privKey); + ok(attributes && CFGetTypeID(attributes) == CFDictionaryGetTypeID(), + "priv key SecKeyCopyAttributes failed"); + + SKIP: { + skip("invalid attributes", 8, attributes); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanEncrypt); + 
eq_cf(attrValue, kCFBooleanFalse, "invalid priv key kSecAttrCanEncrypt"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDecrypt); + eq_cf(attrValue, kCFBooleanTrue, "invalid priv key kSecAttrCanDecrypt"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDerive); + eq_cf(attrValue, kCFBooleanFalse, "invalid priv key kSecAttrCanDerive"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanSign); + eq_cf(attrValue, kCFBooleanTrue, "invalid priv key kSecAttrCanSign"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanVerify); + eq_cf(attrValue, kCFBooleanFalse, "invalid priv key kSecAttrCanVerify"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyClass); + eq_cf(attrValue, kSecAttrKeyClassPrivate, "priv key invalid kSecAttrKeyClass"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyType); + eq_cf(attrValue, kSecAttrKeyTypeRSA, "invalid priv key kSecAttrKeyType"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeySizeInBits); + eq_cf(attrValue, kzib, "invalid priv key kSecAttrKeySizeInBits"); + + privAppLabel = CFDictionaryGetValue(attributes, kSecAttrApplicationLabel); + CFRetainSafe(privAppLabel); + + CFReleaseNull(attributes); + } + } + + { // pubKey + attributes = SecKeyCopyAttributes(pubKey); + ok(attributes && CFGetTypeID(attributes) == CFDictionaryGetTypeID(), + "pub key SecKeyCopyAttributes failed"); + + SKIP: { + skip("invalid attributes", 8, attributes); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanEncrypt); + eq_cf(attrValue, kCFBooleanTrue, "pub key invalid kSecAttrCanEncrypt"); + + // Although unusual, our RSA public key can even decrypt. 
+ attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDecrypt); + eq_cf(attrValue, kCFBooleanTrue, "pub key invalid kSecAttrCanDecrypt"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDerive); + eq_cf(attrValue, kCFBooleanFalse, "pub key invalid kSecAttrCanDerive"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanSign); + eq_cf(attrValue, kCFBooleanFalse, "pub key invalid kSecAttrCanSign"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanVerify); + eq_cf(attrValue, kCFBooleanTrue, "pub key invalid kSecAttrCanVerify"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyClass); + eq_cf(attrValue, kSecAttrKeyClassPublic, "pub key invalid kSecAttrKeyClass"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyType); + eq_cf(attrValue, kSecAttrKeyTypeRSA, "pub key invalid kSecAttrKeyType"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeySizeInBits); + eq_cf(attrValue, kzib, "pub key invalid kSecAttrKeySizeInBits"); + + pubAppLabel = CFDictionaryGetValue(attributes, kSecAttrApplicationLabel); + CFRetainSafe(pubAppLabel); + + CFReleaseNull(attributes); + } + } + + eq_cf(privAppLabel, pubAppLabel, "priv key and pub key kSecAttrApplicationLabel differ"); + + CFReleaseNull(privAppLabel); + CFReleaseNull(pubAppLabel); + CFReleaseNull(kzib); + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + +#define kCopyPublicKeyTestCount 5 +static void testcopypublickey(unsigned long keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + int32_t keysz32 = (int32_t)keySizeInBits; + + CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeRSA, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + CFReleaseNull(kzib); + + SecKeyRef pubKey = NULL, privKey = NULL; + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + 
"Generate %ld bit (%ld byte) RSA keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + CFReleaseNull(kgp); + + SecKeyRef pubKeyCopy = NULL; + + { // privKey + pubKeyCopy = SecKeyCopyPublicKey(privKey); + ok(pubKeyCopy, "priv key SecKeyCopyPublicKey failed"); + eq_cf(pubKeyCopy, pubKey, "pub key from priv key SecKeyCopyPublicKey and pub key differ"); + CFReleaseNull(pubKeyCopy); + } + + { // pubKey + pubKeyCopy = SecKeyCopyPublicKey(pubKey); + ok(pubKeyCopy, "pub key SecKeyCopyPublicKey failed"); + eq_cf(pubKeyCopy, pubKey, "pub key from pub key SecKeyCopyPublicKey and pub key differ"); + CFReleaseNull(pubKeyCopy); + } + + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + +#define kSignAndVerifyTestCount 84 +static void testsignverify(unsigned long keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + int32_t keysz32 = (int32_t)keySizeInBits; + + CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeRSA, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + CFReleaseNull(kzib); + + SecKeyRef pubKey = NULL, privKey = NULL; + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) RSA keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + CFReleaseNull(kgp); + + SecKeyAlgorithm algorithms[] = { + kSecKeyAlgorithmRSASignatureRaw, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384, + 
kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512, + }; + + CFDataRef testData = CFStringCreateExternalRepresentation(kCFAllocatorDefault, CFSTR("test"), kCFStringEncodingUTF8, 0); + ok(testData, "creating test data failed"); + + SKIP: { + skip("invalid test data", 71, testData); + + CFErrorRef error = NULL; + + for (uint32_t ix = 0; ix < array_size(algorithms); ++ix) { + SecKeyAlgorithm algorithm = algorithms[ix]; + SecKeyAlgorithm incompatibleAlgorithm = (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureRaw)) ? + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 : kSecKeyAlgorithmRSASignatureRaw; + + CFDataRef dataToSign = NULL; + if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1)) { + dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha1_di(), + CFDataGetBytePtr(testData), CFDataGetLength(testData)); + ok(dataToSign, "creating digest failed for algorithm %@", algorithm); + } + else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224)) { + dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha224_di(), + CFDataGetBytePtr(testData), CFDataGetLength(testData)); + ok(dataToSign, "creating digest failed for algorithm %@", algorithm); + } + else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256)) { + dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha256_di(), + CFDataGetBytePtr(testData), CFDataGetLength(testData)); + ok(dataToSign, "creating digest failed for algorithm %@", algorithm); + } + else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384)) { + dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha384_di(), + CFDataGetBytePtr(testData), CFDataGetLength(testData)); + ok(dataToSign, "creating digest failed for algorithm %@", algorithm); + } + else if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512)) { + dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha512_di(), + CFDataGetBytePtr(testData), CFDataGetLength(testData)); + 
ok(dataToSign, "creating digest failed for algorithm %@", algorithm); + } + else { + CFRetainAssign(dataToSign, testData); + } + CFReleaseNull(error); + + SKIP: { + skip("invalid data to sign", 7, dataToSign); + + CFDataRef signature = SecKeyCreateSignature(pubKey, algorithm, dataToSign, &error); + ok(!signature, "SecKeyCopySignature succeeded with pub key for algorithm %@", algorithm); + CFReleaseNull(error); + CFReleaseNull(signature); + + signature = SecKeyCreateSignature(privKey, algorithm, dataToSign, &error); + ok(signature, "SecKeyCopySignature failed for algorithm %@", algorithm); + CFReleaseNull(error); + + SKIP: { + skip("invalid signature", 4, signature); + + ok(!SecKeyVerifySignature(privKey, algorithm, dataToSign, signature, &error), + "SecKeyVerifySignature succeeded with priv key for algorithm %@", algorithm); + CFReleaseNull(error); + + ok(!SecKeyVerifySignature(pubKey, incompatibleAlgorithm, dataToSign, signature, &error), + "SecKeyVerifySignature succeeded with wrong algorithm for algorithm %@", algorithm); + CFReleaseNull(error); + + ok(SecKeyVerifySignature(pubKey, algorithm, dataToSign, signature, &error), + "SecKeyVerifySignature failed for algorithm %@", algorithm); + CFReleaseNull(error); + + CFMutableDataRef modifiedSignature = CFDataCreateMutable(kCFAllocatorDefault, 0); + CFDataAppend(modifiedSignature, signature); + *CFDataGetMutableBytePtr(modifiedSignature) ^= 0xff; + + ok(!SecKeyVerifySignature(pubKey, algorithm, dataToSign, modifiedSignature, &error), + "SecKeyVerifySignature succeeded with bad signature for algorithm %@", algorithm); + CFReleaseNull(error); + + CFMutableDataRef modifiedDataToSign = CFDataCreateMutable(kCFAllocatorDefault, 0); + CFDataAppend(modifiedDataToSign, dataToSign); + *CFDataGetMutableBytePtr(modifiedDataToSign) ^= 0xff; + + ok(!SecKeyVerifySignature(pubKey, algorithm, modifiedDataToSign, signature, &error), + "SecKeyVerifySignature succeeded with bad data for algorithm %@", algorithm); + 
CFReleaseNull(error); + + CFReleaseNull(modifiedDataToSign); + CFReleaseNull(modifiedSignature); + CFReleaseNull(signature); + } + CFReleaseNull(dataToSign); + } + } + CFReleaseNull(testData); + } + + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + /* Test basic add delete update copy matching stuff. */ -#define kTestCount ((3 * kKeyGenTestCount) + kKeyGen2TestCount) +#define kTestCount ((3 * kKeyGenTestCount) + kKeyGen2TestCount + kTestSupportedCount + kCreateWithDataTestCount \ + + kCopyAttributesTestCount + kCopyPublicKeyTestCount + kSignAndVerifyTestCount) static void tests(void) { /* Comment out lines below for testing generating all common key sizes, @@ -445,6 +949,12 @@ static void tests(void) //testkeygen(4096); testkeygen2(768); + + testsupportedalgos(768); + testcreatewithdata(768); + testcopyattributes(768); + testcopypublickey(768); + testsignverify(768); } int si_40_seckey(int argc, char *const *argv) diff --git a/OSX/sec/Security/Regressions/secitem/si-41-sececkey.c b/OSX/sec/Security/Regressions/secitem/si-41-sececkey.c index 147c40a3..5b3ea199 100644 --- a/OSX/sec/Security/Regressions/secitem/si-41-sececkey.c +++ b/OSX/sec/Security/Regressions/secitem/si-41-sececkey.c @@ -48,6 +48,7 @@ #include <libDER/libDER.h> #include <stdlib.h> #include <unistd.h> +#include <corecrypto/ccsha2.h> #include "Security_regressions.h" 
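Review bot: In testsignverify the skip counts do not match the assertions they guard: `skip("invalid signature", 4, signature)` covers five ok() calls (priv-key verify, wrong algorithm, good verify, corrupted signature, corrupted data), and `skip("invalid test data", 71, testData)` covers 11 × 7 + 5 = 82, the same count that gives kSignAndVerifyTestCount its value of 84 (1 keygen + 1 testData + 82). The mismatch is invisible while everything passes and only surfaces as a confusing plan-count error on the failure path the SKIP blocks exist for; change them to `skip("invalid signature", 5, signature)` and `skip("invalid test data", 82, testData)`. In testsupportedalgos two messages describe a different check than the one made: `"pubKey doesn't support verify algorithm %@"` is attached to a kSecKeyOperationTypeSign check, and `"RSA pubKey does not support ECDSA algorithm"` is attached to a privKey call. The assertion that an RSA public key reports kSecKeyOperationTypeDecrypt support for the PKCS1 and OAEP algorithms is surprising enough to deserve the same kind of comment as the `// Although unusual, our RSA public key can even decrypt.` note in testcopyattributes. tests(), whose new `#define kTestCount` is in this hunk, continues past the hunk's end.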
@@ -249,10 +250,12 @@ SKIP: {
 uint8_t something[20] = {0x80, 0xbe, 0xef, 0xba, 0xd0, };
 size_t sigLen = SecKeyGetSize(privKey2, kSecKeySignatureSize);
 uint8_t sig[sigLen];
- ok_status(SecKeyRawSign(privKey2, kSecPaddingPKCS1,
- something, sizeof(something), sig, &sigLen), "sign something");
- ok_status(SecKeyRawVerify(pubKey2, kSecPaddingPKCS1,
- something, sizeof(something), sig, sigLen), "verify sig on something");
+ if (privKey2 != NULL && pubKey2 != NULL) {
+ ok_status(SecKeyRawSign(privKey2, kSecPaddingPKCS1,
+ something, sizeof(something), sig, &sigLen), "sign something");
+ ok_status(SecKeyRawVerify(pubKey2, kSecPaddingPKCS1,
+ something, sizeof(something), sig, sigLen), "verify sig on something");
+ }
 /* Cleanup. */
 CFReleaseNull(pubKey2);
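Review bot: The new NULL guard sits below `size_t sigLen = SecKeyGetSize(privKey2, kSecKeySignatureSize); uint8_t sig[sigLen];`, so the size query still runs on an unchecked key and, if it yields 0 for a NULL key, declares a zero-length VLA, which C11 leaves undefined. Moving the guard above those two lines, or taking the size inside it, closes that gap. The guard also silently drops the two `ok_status` checks rather than reporting them, so on the failure path the number of results no longer matches `plan_tests`; the file's own SKIP idiom, e.g. `skip("keypair generation failed", 2, privKey2 != NULL && pubKey2 != NULL);`, keeps the plan consistent. The enclosing SKIP block starts and ends outside the hunk.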
@@ -408,39 +411,587 @@ static void testsignformat(void) kSecKeyEncodingBytes))!=NULL, "recreate seckey"); - // Verify fixed signature - ok_status(SecKeyRawVerify(pubkey, kSecPaddingPKCS1, - EC_SigDigest, sizeof(EC_SigDigest), EC_P256_SigDER, sizeof(EC_P256_SigDER)), "verify DER sig on something"); + if (pubkey != NULL && pkey != NULL) { + // Verify fixed signature + ok_status(SecKeyRawVerify(pubkey, kSecPaddingPKCS1, + EC_SigDigest, sizeof(EC_SigDigest), EC_P256_SigDER, sizeof(EC_P256_SigDER)), "verify DER sig on something"); - ok_status(SecKeyRawVerify(pubkey, kSecPaddingSigRaw, - EC_SigDigest, sizeof(EC_SigDigest), EC_P256_SigRaw, sizeof(EC_P256_SigRaw)), "verify RAW sig on something"); + ok_status(SecKeyRawVerify(pubkey, kSecPaddingSigRaw, + EC_SigDigest, sizeof(EC_SigDigest), EC_P256_SigRaw, sizeof(EC_P256_SigRaw)), "verify RAW sig on something"); - // Verify signature with mismatching format - ok_status(!SecKeyRawVerify(pubkey, kSecPaddingSigRaw, - EC_SigDigest, sizeof(EC_SigDigest), EC_P256_SigDER, sizeof(EC_P256_SigDER)), "verify DER sig with RAW option"); + // Verify signature with mismatching format + ok_status(!SecKeyRawVerify(pubkey, kSecPaddingSigRaw, + EC_SigDigest, sizeof(EC_SigDigest), EC_P256_SigDER, sizeof(EC_P256_SigDER)), "verify DER sig with RAW option"); - ok_status(!SecKeyRawVerify(pubkey, kSecPaddingPKCS1, - EC_SigDigest, sizeof(EC_SigDigest), EC_P256_SigRaw, sizeof(EC_P256_SigRaw)), "verify RAW sig with DER something"); + ok_status(!SecKeyRawVerify(pubkey, kSecPaddingPKCS1, + EC_SigDigest, sizeof(EC_SigDigest), EC_P256_SigRaw, sizeof(EC_P256_SigRaw)), "verify RAW sig with DER something"); - // Sign something in each format - ok_status(SecKeyRawSign(pkey, kSecPaddingPKCS1, - EC_SigDigest, sizeof(EC_SigDigest), EC_signature_DER, &EC_signature_DER_size), "sign DER sig on something"); + // Sign something in each format + ok_status(SecKeyRawSign(pkey, kSecPaddingPKCS1, + EC_SigDigest, sizeof(EC_SigDigest), EC_signature_DER, 
&EC_signature_DER_size), "sign DER sig on something"); - ok_status(SecKeyRawSign(pkey, kSecPaddingSigRaw, - EC_SigDigest, sizeof(EC_SigDigest), EC_signature_RAW, &EC_signature_RAW_size), "sign RAW sig on something"); + ok_status(SecKeyRawSign(pkey, kSecPaddingSigRaw, + EC_SigDigest, sizeof(EC_SigDigest), EC_signature_RAW, &EC_signature_RAW_size), "sign RAW sig on something"); - // Verify expecting that verification does the right thing. - ok_status(SecKeyRawVerify(pubkey, kSecPaddingPKCS1, - EC_SigDigest, sizeof(EC_SigDigest), EC_signature_DER, EC_signature_DER_size), "verify DER sig on something"); + // Verify expecting that verification does the right thing. + ok_status(SecKeyRawVerify(pubkey, kSecPaddingPKCS1, + EC_SigDigest, sizeof(EC_SigDigest), EC_signature_DER, EC_signature_DER_size), "verify DER sig on something"); - ok_status(SecKeyRawVerify(pubkey, kSecPaddingSigRaw, - EC_SigDigest, sizeof(EC_SigDigest), EC_signature_RAW, EC_signature_RAW_size), "verify RAW sig on something"); + ok_status(SecKeyRawVerify(pubkey, kSecPaddingSigRaw, + EC_SigDigest, sizeof(EC_SigDigest), EC_signature_RAW, EC_signature_RAW_size), "verify RAW sig on something"); + } CFReleaseNull(pkey); CFReleaseNull(pubkey); CFReleaseNull(pubdata); } +static void testkeyexchange(unsigned long keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + CFNumberRef kzib; + int32_t keysz32 = (int32_t)keySizeInBits; + + kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeEC, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + CFReleaseNull(kzib); + + SecKeyRef pubKey1 = NULL, privKey1 = NULL; + SecKeyRef pubKey2 = NULL, privKey2 = NULL; + + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey1, &privKey1), + "Generate %ld bit (%ld byte) EC keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + 
ok_status(status = SecKeyGeneratePair(kgp, &pubKey2, &privKey2), + "Generate %ld bit (%ld byte) EC keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + CFReleaseNull(kgp); + + const SecKeyAlgorithm algos[] = { + kSecKeyAlgorithmECDHKeyExchangeStandard, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512, + kSecKeyAlgorithmECDHKeyExchangeCofactor, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512, + }; + + // Strange size to test borderline conditions. + CFIndex rs = 273; + CFNumberRef requestedSize = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &rs); + CFDataRef sharedInfo = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)"sharedInput", 11); + CFDictionaryRef params = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecKeyKeyExchangeParameterRequestedSize, requestedSize, + kSecKeyKeyExchangeParameterSharedInfo, sharedInfo, + NULL); + CFRelease(requestedSize); + CFRelease(sharedInfo); + + for (size_t ix = 0; ix < array_size(algos); ++ix) { + CFErrorRef error = NULL; + + CFDataRef secret1 = SecKeyCopyKeyExchangeResult(privKey1, algos[ix], pubKey2, params, &error); + ok(secret1 != NULL && CFGetTypeID(secret1) == CFDataGetTypeID()); + CFReleaseNull(error); + + CFDataRef secret2 = SecKeyCopyKeyExchangeResult(privKey2, algos[ix], pubKey1, params, &error); + ok(secret2 != NULL && CFGetTypeID(secret1) == CFDataGetTypeID()); + CFReleaseNull(error); + + eq_cf(secret1, secret2, "results of key exchange are equal"); + if (algos[ix] != kSecKeyAlgorithmECDHKeyExchangeCofactor && algos[ix] != 
kSecKeyAlgorithmECDHKeyExchangeStandard) { + is(CFDataGetLength(secret1), rs, "generated response has expected length"); + } + + CFReleaseNull(secret1); + CFReleaseNull(secret2); + } + + CFReleaseNull(privKey1); + CFReleaseNull(pubKey1); + CFReleaseNull(privKey2); + CFReleaseNull(pubKey2); + CFReleaseNull(params); +} + +static void testsupportedalgos(size_t keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + CFNumberRef kzib; + int32_t keysz32 = (int32_t)keySizeInBits; + + kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeEC, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + CFReleaseNull(kzib); + + SecKeyRef pubKey = NULL, privKey = NULL; + + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) EC keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + + const SecKeyAlgorithm sign[] = { + kSecKeyAlgorithmECDSASignatureRFC4754, + kSecKeyAlgorithmECDSASignatureDigestX962, + kSecKeyAlgorithmECDSASignatureDigestX962SHA1, + kSecKeyAlgorithmECDSASignatureDigestX962SHA224, + kSecKeyAlgorithmECDSASignatureDigestX962SHA256, + kSecKeyAlgorithmECDSASignatureDigestX962SHA384, + kSecKeyAlgorithmECDSASignatureDigestX962SHA512, + kSecKeyAlgorithmECDSASignatureMessageX962SHA1, + kSecKeyAlgorithmECDSASignatureMessageX962SHA224, + kSecKeyAlgorithmECDSASignatureMessageX962SHA256, + kSecKeyAlgorithmECDSASignatureMessageX962SHA384, + kSecKeyAlgorithmECDSASignatureMessageX962SHA512, + }; + + for (size_t i = 0; i < array_size(sign); i++) { + ok(SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeSign, sign[i]), + "privKey supports sign algorithm %@", sign[i]); + ok(SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeVerify, sign[i]), + "pubKey supports verify algorithm %@", sign[i]); + ok(!SecKeyIsAlgorithmSupported(privKey, 
kSecKeyOperationTypeVerify, sign[i]), + "privKey doesn't supports verify algorithm %@", sign[i]); + ok(!SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeSign, sign[i]), + "pubKey doesn't support verify algorithm %@", sign[i]); + } + + const SecKeyAlgorithm keyexchange[] = { + kSecKeyAlgorithmECDHKeyExchangeStandard, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512, + kSecKeyAlgorithmECDHKeyExchangeCofactor, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512, + }; + for (size_t i = 0; i < array_size(crypt); i++) { + ok(SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeKeyExchange, keyexchange[i]), + "privKey supports keyexchange algorithm %@", keyexchange[i]); + ok(!SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeKeyExchange, keyexchange[i]), + "pubKey doesn't support keyexchange algorithm %@", keyexchange[i]); + } + + /* Cleanup. 
*/ + CFReleaseNull(kgp); + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + +static void testcreatewithdata(unsigned long keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + int32_t keysz32 = (int32_t)keySizeInBits; + + CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeEC, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + SecKeyRef pubKey = NULL, privKey = NULL; + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) EC keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + CFReleaseNull(kgp); + + CFMutableDictionaryRef kcwd = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeEC, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + CFReleaseNull(kzib); + + CFErrorRef error = NULL; + CFDataRef privExternalData = NULL, pubExternalData = NULL; + SecKeyRef dataKey = NULL; + + { // privKey + privExternalData = SecKeyCopyExternalRepresentation(privKey, &error); + ok(privExternalData && CFGetTypeID(privExternalData) == CFDataGetTypeID(), + "priv key SecKeyCopyExternalRepresentation failed"); + CFReleaseNull(error); + + SKIP: { + skip("invalid priv key external data", 4, privExternalData); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate); + dataKey = SecKeyCreateWithData(privExternalData, kcwd, &error); + ok(dataKey, "priv key SecKeyCreateWithData failed"); + CFReleaseNull(error); + + eq_cf(privKey, dataKey, "priv keys differ"); + CFReleaseNull(dataKey); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic); + dataKey = SecKeyCreateWithData(privExternalData, kcwd, &error); + ok(!dataKey, "priv key SecKeyCreateWithData succeeded with invalid kSecAttrKeyClass"); + CFReleaseNull(error); + 
CFReleaseNull(dataKey); + + CFMutableDataRef modifiedExternalData = CFDataCreateMutable(kCFAllocatorDefault, 0); + CFDataAppend(modifiedExternalData, privExternalData); + *CFDataGetMutableBytePtr(modifiedExternalData) ^= 0xff; + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate); + dataKey = SecKeyCreateWithData(modifiedExternalData, kcwd, &error); + ok(!dataKey, "priv key SecKeyCreateWithData succeeded with invalid external data"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFReleaseNull(modifiedExternalData); + } + } + + { // pubKey + pubExternalData = SecKeyCopyExternalRepresentation(pubKey, &error); + ok(pubExternalData && CFGetTypeID(pubExternalData) == CFDataGetTypeID(), + "pub key SecKeyCopyExternalRepresentation failed"); + CFReleaseNull(error); + + SKIP: { + skip("invalid pub key external data", 4, pubExternalData); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic); + dataKey = SecKeyCreateWithData(pubExternalData, kcwd, &error); + ok(dataKey, "pub key SecKeyCreateWithData failed"); + CFReleaseNull(error); + + eq_cf(pubKey, dataKey, "pub keys differ"); + CFReleaseNull(dataKey); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate); + dataKey = SecKeyCreateWithData(pubExternalData, kcwd, &error); + ok(!dataKey, "pub key SecKeyCreateWithData succeeded with invalid kSecAttrKeyClass"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFMutableDataRef modifiedExternalData = CFDataCreateMutable(kCFAllocatorDefault, 0); + CFDataAppend(modifiedExternalData, pubExternalData); + *CFDataGetMutableBytePtr(modifiedExternalData) ^= 0xff; + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic); + dataKey = SecKeyCreateWithData(modifiedExternalData, kcwd, &error); + ok(!dataKey, "pub key SecKeyCreateWithData succeeded with invalid external data"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFReleaseNull(modifiedExternalData); + } + } + + SKIP: { + skip("invalid pub 
key external data", 1, pubExternalData); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPrivate); + dataKey = SecKeyCreateWithData(pubExternalData, kcwd, &error); + ok(!dataKey, "priv key SecKeyCreateWithData succeeded with public external data"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFReleaseNull(pubExternalData); + } + + SKIP: { + skip("invalid priv key external data", 1, privExternalData); + + CFDictionarySetValue(kcwd, kSecAttrKeyClass, kSecAttrKeyClassPublic); + dataKey = SecKeyCreateWithData(privExternalData, kcwd, &error); + ok(!dataKey, "pub key SecKeyCreateWithData succeeded with private external data"); + CFReleaseNull(error); + CFReleaseNull(dataKey); + + CFReleaseNull(privExternalData); + } + + CFReleaseNull(kcwd); + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + +static void testcopyattributes(unsigned long keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + int32_t keysz32 = (int32_t)keySizeInBits; + + CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeEC, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + SecKeyRef pubKey = NULL, privKey = NULL; + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) EC keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + CFReleaseNull(kgp); + + CFDictionaryRef attributes; + CFTypeRef attrValue = NULL, privAppLabel = NULL, pubAppLabel = NULL; + + { // privKey + attributes = SecKeyCopyAttributes(privKey); + ok(attributes && CFGetTypeID(attributes) == CFDictionaryGetTypeID(), + "priv key SecKeyCopyAttributes failed"); + + SKIP: { + skip("invalid attributes", 8, attributes); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanEncrypt); + eq_cf(attrValue, kCFBooleanFalse, "invalid priv key kSecAttrCanEncrypt"); + + 
attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDecrypt); + eq_cf(attrValue, kCFBooleanTrue, "invalid priv key kSecAttrCanDecrypt"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDerive); + eq_cf(attrValue, kCFBooleanTrue, "invalid priv key kSecAttrCanDerive"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanSign); + eq_cf(attrValue, kCFBooleanTrue, "invalid priv key kSecAttrCanSign"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanVerify); + eq_cf(attrValue, kCFBooleanFalse, "invalid priv key kSecAttrCanVerify"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyClass); + eq_cf(attrValue, kSecAttrKeyClassPrivate, "priv key invalid kSecAttrKeyClass"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyType); + eq_cf(attrValue, kSecAttrKeyTypeEC, "invalid priv key kSecAttrKeyType"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeySizeInBits); + eq_cf(attrValue, kzib, "invalid priv key kSecAttrKeySizeInBits"); + + privAppLabel = CFDictionaryGetValue(attributes, kSecAttrApplicationLabel); + CFRetainSafe(privAppLabel); + + CFReleaseNull(attributes); + } + } + + { // pubKey + attributes = SecKeyCopyAttributes(pubKey); + ok(attributes && CFGetTypeID(attributes) == CFDictionaryGetTypeID(), + "pub key SecKeyCopyAttributes failed"); + + SKIP: { + skip("invalid attributes", 8, attributes); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanEncrypt); + eq_cf(attrValue, kCFBooleanTrue, "pub key invalid kSecAttrCanEncrypt"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDecrypt); + eq_cf(attrValue, kCFBooleanFalse, "pub key invalid kSecAttrCanDecrypt"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanDerive); + eq_cf(attrValue, kCFBooleanFalse, "pub key invalid kSecAttrCanDerive"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrCanSign); + eq_cf(attrValue, kCFBooleanFalse, "pub key invalid kSecAttrCanSign"); + + attrValue = CFDictionaryGetValue(attributes, 
kSecAttrCanVerify); + eq_cf(attrValue, kCFBooleanTrue, "pub key invalid kSecAttrCanVerify"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyClass); + eq_cf(attrValue, kSecAttrKeyClassPublic, "pub key invalid kSecAttrKeyClass"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeyType); + eq_cf(attrValue, kSecAttrKeyTypeEC, "pub key invalid kSecAttrKeyType"); + + attrValue = CFDictionaryGetValue(attributes, kSecAttrKeySizeInBits); + eq_cf(attrValue, kzib, "pub key invalid kSecAttrKeySizeInBits"); + + pubAppLabel = CFDictionaryGetValue(attributes, kSecAttrApplicationLabel); + CFRetainSafe(pubAppLabel); + + CFReleaseNull(attributes); + } + } + + eq_cf(privAppLabel, pubAppLabel, "priv key and pub key kSecAttrApplicationLabel differ"); + + CFReleaseNull(privAppLabel); + CFReleaseNull(pubAppLabel); + CFReleaseNull(kzib); + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + +static void testcopypublickey(unsigned long keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + int32_t keysz32 = (int32_t)keySizeInBits; + + CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeEC, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + CFReleaseNull(kzib); + + SecKeyRef pubKey = NULL, privKey = NULL; + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) EC keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + CFReleaseNull(kgp); + + SecKeyRef pubKeyCopy = NULL; + + { // privKey + pubKeyCopy = SecKeyCopyPublicKey(privKey); + ok(pubKeyCopy, "priv key SecKeyCopyPublicKey failed"); + eq_cf(pubKeyCopy, pubKey, "pub key from priv key SecKeyCopyPublicKey and pub key differ"); + CFReleaseNull(pubKeyCopy); + } + + { // pubKey + pubKeyCopy = SecKeyCopyPublicKey(pubKey); + ok(pubKeyCopy, "pub key SecKeyCopyPublicKey 
failed"); + eq_cf(pubKeyCopy, pubKey, "pub key from pub key SecKeyCopyPublicKey and pub key differ"); + CFReleaseNull(pubKeyCopy); + } + + CFReleaseNull(pubKey); + CFReleaseNull(privKey); +} + +static void testsignverify(unsigned long keySizeInBits) +{ + size_t keySizeInBytes = (keySizeInBits + 7) / 8; + int32_t keysz32 = (int32_t)keySizeInBits; + + CFNumberRef kzib = CFNumberCreate(NULL, kCFNumberSInt32Type, &keysz32); + CFDictionaryRef kgp = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, + kSecAttrKeyType, kSecAttrKeyTypeEC, + kSecAttrKeySizeInBits, kzib, + kSecAttrIsPermanent, kCFBooleanFalse, + NULL); + CFReleaseNull(kzib); + + SecKeyRef pubKey = NULL, privKey = NULL; + OSStatus status; + ok_status(status = SecKeyGeneratePair(kgp, &pubKey, &privKey), + "Generate %ld bit (%ld byte) EC keypair (status = %d)", + keySizeInBits, keySizeInBytes, (int)status); + CFReleaseNull(kgp); + + SecKeyAlgorithm algorithms[] = { + kSecKeyAlgorithmECDSASignatureRFC4754, + kSecKeyAlgorithmECDSASignatureDigestX962, + kSecKeyAlgorithmECDSASignatureMessageX962SHA1, + kSecKeyAlgorithmECDSASignatureMessageX962SHA224, + kSecKeyAlgorithmECDSASignatureMessageX962SHA256, + kSecKeyAlgorithmECDSASignatureMessageX962SHA384, + kSecKeyAlgorithmECDSASignatureMessageX962SHA512 + }; + + CFDataRef testData = CFStringCreateExternalRepresentation(kCFAllocatorDefault, CFSTR("test"), kCFStringEncodingUTF8, 0); + ok(testData, "creating test data failed"); + + SKIP: { + skip("invalid test data", 51, status == errSecSuccess && testData); + + CFErrorRef error = NULL; + + for (uint32_t ix = 0; ix < array_size(algorithms); ++ix) { + SecKeyAlgorithm algorithm = algorithms[ix]; + SecKeyAlgorithm incompatibleAlgorithm = CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureRFC4754) ? 
+ kSecKeyAlgorithmECDSASignatureDigestX962 : kSecKeyAlgorithmECDSASignatureRFC4754; + + CFDataRef dataToSign = NULL; + if (CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureRFC4754) || + CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureDigestX962)) { + dataToSign = CFDataCreateWithHash(kCFAllocatorDefault, ccsha256_di(), + CFDataGetBytePtr(testData), CFDataGetLength(testData)); + ok(dataToSign, "creating digest failed for algorithm %d", (int)algorithm); + CFReleaseNull(error); + } + else { + CFRetainAssign(dataToSign, testData); + } + + SKIP: { + skip("invalid data to sign", 7, dataToSign != NULL); + + CFDataRef signature = SecKeyCreateSignature(pubKey, algorithm, dataToSign, &error); + ok(!signature, "SecKeyCopySignature succeeded with pub key for algorithm %d", (int)algorithm); + CFReleaseNull(error); + CFReleaseNull(signature); + + signature = SecKeyCreateSignature(privKey, algorithm, dataToSign, &error); + ok(signature, "SecKeyCopySignature failed for algorithm %d", (int)algorithm); + CFReleaseNull(error); + + SKIP: { + skip("invalid signature", 5, signature != NULL); + + ok(!SecKeyVerifySignature(privKey, algorithm, dataToSign, signature, &error), + "SecKeyVerifySignature succeeded with priv key for %d", (int)algorithm); + CFReleaseNull(error); + + ok(!SecKeyVerifySignature(pubKey, incompatibleAlgorithm, dataToSign, signature, &error), + "SecKeyVerifySignature succeeded with wrong algorithm for %d", (int)algorithm); + CFReleaseNull(error); + + ok(SecKeyVerifySignature(pubKey, algorithm, dataToSign, signature, &error), + "SecKeyVerifySignature failed for algorithm %d", (int)algorithm); + CFReleaseNull(error); + + CFMutableDataRef modifiedSignature = CFDataCreateMutable(kCFAllocatorDefault, 0); + CFDataAppend(modifiedSignature, signature); + *CFDataGetMutableBytePtr(modifiedSignature) ^= 0xff; + + ok(!SecKeyVerifySignature(pubKey, algorithm, dataToSign, modifiedSignature, &error), + "SecKeyVerifySignature succeeded with bad signature for algorithm %d", 
(int)algorithm);
+ CFReleaseNull(error);
+
+ CFMutableDataRef modifiedDataToSign = CFDataCreateMutable(kCFAllocatorDefault, 0);
+ CFDataAppend(modifiedDataToSign, dataToSign);
+ *CFDataGetMutableBytePtr(modifiedDataToSign) ^= 0xff;
+
+ ok(!SecKeyVerifySignature(pubKey, algorithm, modifiedDataToSign, signature, &error),
+ "SecKeyVerifySignature succeeded with bad data for %d", (int)algorithm);
+ CFReleaseNull(error);
+
+ CFReleaseNull(modifiedDataToSign);
+ CFReleaseNull(modifiedSignature);
+
+ CFReleaseNull(signature);
+ }
+ CFReleaseNull(dataToSign);
+ }
+ }
+ }
+
+ CFReleaseNull(testData);
+ CFReleaseNull(pubKey);
+ CFReleaseNull(privKey);
+}
+
 /* Test basic add delete update copy matching stuff. */
 static void tests(void) {
@@ -463,11 +1014,22 @@ static void tests(void)
 testkeywrap(256, _kSecKeyWrapRFC6637WrapDigestSHA512KekAES256);
 testkeywrap(521, _kSecKeyWrapRFC6637WrapDigestSHA512KekAES256);
+ testkeyexchange(192);
+ testkeyexchange(224);
+ testkeyexchange(256);
+ testkeyexchange(384);
+ testkeyexchange(521);
+
+ testsupportedalgos(192);
+ testcreatewithdata(192);
+ testcopyattributes(192);
+ testcopypublickey(192);
+ testsignverify(192);
 }
 int si_41_sececkey(int argc, char *const *argv) {
- plan_tests(175);
+ plan_tests(557);
 tests();
diff --git a/OSX/sec/Security/Regressions/secitem/si-60-cms.c b/OSX/sec/Security/Regressions/secitem/si-60-cms.c
index 2ca7eec3..d55209bd 100644
--- a/OSX/sec/Security/Regressions/secitem/si-60-cms.c
+++ b/OSX/sec/Security/Regressions/secitem/si-60-cms.c
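Review bot: In `testsupportedalgos` the key-exchange loop is bounded by `array_size(crypt)` while it indexes `keyexchange[i]`; no `crypt` array is declared in that function (it reads like a carry-over from the RSA test), so unless a file-scope `crypt` exists this does not compile, and if one does its length is unrelated to `keyexchange`. The bound should read `for (size_t i = 0; i < array_size(keyexchange); i++) {`. In `testkeyexchange` the second type check repeats the first operand, `ok(secret2 != NULL && CFGetTypeID(secret1) == CFDataGetTypeID());`, and should inspect `CFGetTypeID(secret2)`; both `ok` calls there also lack the message every other assertion in the hunk carries. In `testsignverify` the `%d`/`(int)algorithm` formats truncate a `SecKeyAlgorithm` (a CFStringRef) to an int, whereas the si-40 version of the same test prints these values with `%@`, which is the readable form. The `tests()` definition opened by the hunk's last lines continues outside the hunk.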
@@ -1761,9 +1761,7 @@ static void tests(void)
 CFDataSetLength(message_data, 0);
 CFMutableDictionaryRef params = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
 CFDictionarySetValue(params, kSecCMSSignHashAlgorithm, kSecCMSHashingAlgorithmMD5);
- ok_status(SecCMSCreateSignedData(identity, NULL, params, NULL, message_data), "sign md5 message");
- //write_data("/var/tmp/md5_sign", message_data);
- ok_status(SecCMSVerify(message_data, NULL, policy, &trust, NULL), "verify it");
+ is(SecCMSCreateSignedData(identity, NULL, params, NULL, message_data), errSecParam, "signing md5 message should fail");
 message = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, mobileconfig_with_long_issuer, sizeof(mobileconfig_with_long_issuer),
@@ -1822,7 +1820,7 @@ static void tests(void)
 int si_60_cms(int argc, char *const *argv) {
- plan_tests(43);
+ plan_tests(42);
 tests();
diff --git a/OSX/sec/Security/Regressions/secitem/si-66-smime.c b/OSX/sec/Security/Regressions/secitem/si-66-smime.c
index 45702290..41cf18f5 100644
--- a/OSX/sec/Security/Regressions/secitem/si-66-smime.c
+++ b/OSX/sec/Security/Regressions/secitem/si-66-smime.c
@@ -2535,8 +2535,8 @@ static void tests(void)
 int keySize;
 SecCertificateRef recipients[] = { cert, NULL };
 ok_status(SecSMIMEFindBulkAlgForRecipients(recipients, &algorithmTag, &keySize), "get cipher for 512 bit key");
- is(algorithmTag, (SECOidTag)SEC_OID_DES_CBC, "weak asym, des is okay");
- is(keySize, 64, "superfluous");
+ is(algorithmTag, (SECOidTag)SEC_OID_DES_EDE3_CBC, "weak asym, 3des for interop");
+ is(keySize, 192, "superfluous");
 recipients[0] = smime_cert;
 ok_status(SecSMIMEFindBulkAlgForRecipients(recipients, &algorithmTag, &keySize), "get cipher for 1024 bit key");
 is(algorithmTag, (SECOidTag)SEC_OID_DES_EDE3_CBC, "okay asym, 3des for interop");
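Review bot: Replacing the sign-then-verify pair with `is(SecCMSCreateSignedData(...), errSecParam, ...)` pins that MD5 signing is refused, but it also removes the only check of what `SecCMSVerify` does with an MD5-signed message, and the dropped `//write_data("/var/tmp/md5_sign", message_data);` hint suggests such a blob was once captured. A fixed MD5-signed test vector with an explicit expected verification result would keep the verifier's handling of legacy MD5 signatures covered instead of leaving it unspecified. A comment on the new line, e.g. `// MD5 is no longer accepted as a CMS signing hash; creation must fail with errSecParam`, would also record why the expectation flipped. The enclosing `tests()` body continues on both sides of the hunk.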
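Review bot: After this change the 512-bit recipient case asserts the same `SEC_OID_DES_EDE3_CBC` / 192 pair as the 1024-bit case right below it, so the test no longer distinguishes the weak-key branch of `SecSMIMEFindBulkAlgForRecipients` from the normal one, and nothing records why single DES stopped being expected. A comment above the first `is(...)`, e.g. `// Single DES is never selected any more; 3DES is the floor even for weak recipient keys`, would document the intended policy, and an explicit `isnt(algorithmTag, (SECOidTag)SEC_OID_DES_CBC, "single DES must never be chosen");` would pin that DES cannot return. The enclosing `tests()` body continues on both sides of the hunk.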
diff --git a/OSX/sec/Security/Regressions/secitem/si-67-sectrust-blacklist.c b/OSX/sec/Security/Regressions/secitem/si-67-sectrust-blacklist.c
index 2b82e3c6..94405e1f 100644
--- a/OSX/sec/Security/Regressions/secitem/si-67-sectrust-blacklist.c
+++ b/OSX/sec/Security/Regressions/secitem/si-67-sectrust-blacklist.c
@@ -25,7 +25,6 @@
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/SecCertificate.h>
 #include <Security/SecCertificatePriv.h>
-#include <Security/SecInternal.h>
 #include <Security/SecPolicyPriv.h>
 #include <Security/SecTrust.h>
 #include <stdlib.h>
@@ -48,7 +47,7 @@
 #include "si-67-sectrust-blacklist/login.skype.com.cer.h"
 #include "si-67-sectrust-blacklist/www.google.com.cer.h"
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTrustResultType trust_result) {
@@ -78,18 +77,18 @@ static void validate_one_cert(uint8_t *data, size_t len, int chain_length, SecTr
 static void tests(void) {
- validate_one_cert(Global_Trustee_cer, sizeof(Global_Trustee_cer), 3, kSecTrustResultFatalTrustFailure);
- validate_one_cert(login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer), 3, kSecTrustResultFatalTrustFailure);
+ validate_one_cert(Global_Trustee_cer, sizeof(Global_Trustee_cer), 2, kSecTrustResultFatalTrustFailure);
+ validate_one_cert(login_yahoo_com_1_cer, sizeof(login_yahoo_com_1_cer), 2, kSecTrustResultFatalTrustFailure);
 /* this is the root, which isn't ok for ssl and fails here, but at the same time it proves that kSecTrustResultFatalTrustFailure isn't returned for policy failures that aren't blacklisting */
- validate_one_cert(login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer), 3, kSecTrustResultFatalTrustFailure);
- validate_one_cert(addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer), 3, kSecTrustResultFatalTrustFailure);
- validate_one_cert(login_yahoo_com_cer, sizeof(login_yahoo_com_cer), 3, kSecTrustResultFatalTrustFailure);
- validate_one_cert(login_live_com_cer, sizeof(login_live_com_cer), 3, kSecTrustResultFatalTrustFailure);
- validate_one_cert(mail_google_com_cer, sizeof(mail_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
- validate_one_cert(login_skype_com_cer, sizeof(login_skype_com_cer), 3, kSecTrustResultFatalTrustFailure);
- validate_one_cert(www_google_com_cer, sizeof(www_google_com_cer), 3, kSecTrustResultFatalTrustFailure);
+ validate_one_cert(login_yahoo_com_2_cer, sizeof(login_yahoo_com_2_cer), 2, kSecTrustResultFatalTrustFailure);
+ validate_one_cert(addons_mozilla_org_cer, sizeof(addons_mozilla_org_cer), 2, kSecTrustResultFatalTrustFailure);
+ validate_one_cert(login_yahoo_com_cer, sizeof(login_yahoo_com_cer), 2, kSecTrustResultFatalTrustFailure);
+ validate_one_cert(login_live_com_cer, sizeof(login_live_com_cer), 2, kSecTrustResultFatalTrustFailure);
+ validate_one_cert(mail_google_com_cer, sizeof(mail_google_com_cer), 2, kSecTrustResultFatalTrustFailure);
+ validate_one_cert(login_skype_com_cer, sizeof(login_skype_com_cer), 2, kSecTrustResultFatalTrustFailure);
+ validate_one_cert(www_google_com_cer, sizeof(www_google_com_cer), 2, kSecTrustResultFatalTrustFailure);
 }
 static int ping_host(char *host_name){
diff --git a/OSX/sec/Security/Regressions/secitem/si-69-keydesc.c b/OSX/sec/Security/Regressions/secitem/si-69-keydesc.c
index a30f5581..e0553759 100644
--- a/OSX/sec/Security/Regressions/secitem/si-69-keydesc.c
+++ b/OSX/sec/Security/Regressions/secitem/si-69-keydesc.c
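Review bot: Every expected `chain_length` drops from 3 to 2 with no explanation in the hunk or the commit description, and the surviving comment still calls `login_yahoo_com_2_cer` "the root", which sits awkwardly next to a two-certificate expectation. A comment before the first call stating what the evaluated chain now contains, e.g. `/* chain is leaf plus issuer; the anchor is no longer counted (confirm against validate_one_cert) */`, would let a later reader tell an intentional change in chain building from a regression in it. `validate_one_cert` itself is defined above the hunk.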
@@ -55,9 +55,9 @@ unsigned char ecPubKey[] = { 0x04, 0x01, 0x41, 0x34, 0x87, 0xfd, 0xe1, 0x51, 0x5d, 0x29, 0x12, 0x07, 0xc2, 0x57, 0x54, 0x19, 0xd2, 0xd9, 0x18, 0x95, 0x07, 0x17, 0x8a, 0xf7, 0x2d, 0x2b, 0xf9, 0xbc, 0xe6, 0x1b, 0xe7, 0x81, 0x35, 0x13, 0x5f, 0x1d, 0xfa, 0xed, 0x7e, 0x70, 0x2b, 0xcd, 0x01, 0xa0, 0xaa, 0x7f, 0xe4, 0x0f, 0x4e, 0x19, 0x56, 0xb0, 0x15, 0xfb, 0xd8, 0xc9, 0xe7, 0x48, 0xcf, 0xc7, 0x5e, 0xe8, 0xcc, 0x74, 0x34, 0x61, 0xa5, 0x01, 0x02, 0x67, 0x03, 0x16, 0xce, 0x3d, 0x31, 0x37, 0x9c, 0x0b, 0x03, 0x65, 0x94, 0xaa, 0xd0, 0x1d, 0xa9, 0x5a, 0xe3, 0x0a, 0xf9, 0x82, 0xef, 0x43, 0x75, 0x5b, 0x46, 0x52, 0x6c, 0x0a, 0x02, 0x3f, 0xc3, 0xd3, 0x42, 0x0d, 0xa7, 0x90, 0x8c, 0x4b, 0x15, 0x88, 0x89, 0x24, 0xed, 0x91, 0x0a, 0xa1, 0x20, 0x0d, 0x82, 0xed, 0x87, 0x8c, 0x98, 0x8e, 0xbe, 0xbc, 0xa3, 0xa7, 0xca, 0x50, 0x2d, 0x71, 0x73 }; -const char *rsaKeyDescription = "<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 3, block size: 768 bits, exponent: {hex: 10001, decimal: 65537}, modulus: C06342B4F06F2CDA71EF9D9D3E3E93C9D42EE562326ABBEB3457EB8AF862F9C01C145499046B1992DDA37D8C8648C9A60363F8AB9CB92B494C53B139F94ABC8BFCEA93B62E411F2150CAF799C77773031458511AA768E58D686BCA334FCC6B41"; +const char *rsaKeyDescription = "<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, block size: 768 bits, exponent: {hex: 10001, decimal: 65537}, modulus: C06342B4F06F2CDA71EF9D9D3E3E93C9D42EE562326ABBEB3457EB8AF862F9C01C145499046B1992DDA37D8C8648C9A60363F8AB9CB92B494C53B139F94ABC8BFCEA93B62E411F2150CAF799C77773031458511AA768E58D686BCA334FCC6B41"; -const char *ecKeyDescription = "<SecKeyRef curve type: kSecECCurveSecp521r1, algorithm id: 3, key type: ECPublicKey, version: 3, block size: 528 bits, y: 73712D50CAA7A3BCBE8E988C87ED820D20A10A91ED248988154B8C90A70D42D3C33F020A6C52465B7543EF82F90AE35AA91DD0AA9465030B9C37313DCE1603670201, x: 
A5613474CCE85EC7CF48E7C9D8FB15B056194E0FE47FAAA001CD2B707EEDFA1D5F133581E71BE6BCF92B2DF78A17079518D9D2195457C20712295D51E1FD87344101"; +const char *ecKeyDescription = "<SecKeyRef curve type: kSecECCurveSecp521r1, algorithm id: 3, key type: ECPublicKey, version: 4, block size: 528 bits, y: 0102670316CE3D31379C0B036594AAD01DA95AE30AF982EF43755B46526C0A023FC3D3420DA7908C4B15888924ED910AA1200D82ED878C988EBEBCA3A7CA502D7173, x: 01413487FDE1515D291207C2575419D2D9189507178AF72D2BF9BCE61BE78135135F1DFAED7E702BCD01A0AA7FE40F4E1956B015FBD8C9E748CFC75EE8CC743461A5"; static void testECKeyDesc() { diff --git a/OSX/sec/Security/Regressions/secitem/si-70-sectrust-unified.c b/OSX/sec/Security/Regressions/secitem/si-70-sectrust-unified.c index 356c62d1..d0469d9c 100644 --- a/OSX/sec/Security/Regressions/secitem/si-70-sectrust-unified.c +++ b/OSX/sec/Security/Regressions/secitem/si-70-sectrust-unified.c @@ -31,10 +31,10 @@ #include <CoreFoundation/CoreFoundation.h> #include <Security/Security.h> #include <Security/SecCertificatePriv.h> -#include <Security/SecInternal.h> #include <utilities/array_size.h> +#include <utilities/SecCFWrappers.h> -#include "Security_regressions.h" +#include "shared_regressions.h" #include <test/testcert.h> /* This is a minimal test case to ensure that the functionality of @@ -324,6 +324,7 @@ static void tests(void) isnt(policy, NULL, "SecPolicyCreateWithProperties"); CFReleaseSafe(properties); } + if (!policy) { goto errOut; } /* Test introspection of a policy's properties via SecPolicyCopyProperties */ { @@ -355,6 +356,7 @@ static void tests(void) CFReleaseSafe(results); } +errOut: CFReleaseSafe(trust); CFReleaseSafe(policy); CFReleaseSafe(date); diff --git a/OSX/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c b/OSX/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c index f7314c5e..1d539187 100644 --- a/OSX/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c 
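Review bot: The corrected ecKeyDescription deserves a comment tying the expected x and y to ecPubKey, because nothing in the file says where the two 132-hex-digit strings come from. The new x begins 01413487FD… and y begins 0102670316CE…, which are the bytes of ecPubKey immediately after the leading 0x04 (66 bytes each), while the old y (73712D50CA…) was that coordinate byte-reversed (ecPubKey ends …0xca, 0x50, 0x2d, 0x71, 0x73); a comment such as `/* x, y: big-endian coordinates taken from ecPubKey (66 bytes each, after the 0x04 prefix) */` above the two declarations would stop the next description-format change from reintroducing the swap. The "version: 4" bump in both strings pins an implementation detail of the description format, so a short note that the number tracks the SecKey description format, if that is what it is, would help as well.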
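Review bot: The new `if (!policy) { goto errOut; }` leaves every check between it and the errOut: label unrun, so if this file plans a fixed test count the way si-71 does further down, a NULL policy shows up as a plan/count mismatch rather than as the single isnt() failure reported just before the guard. That is preferable to the NULL dereference the guard avoids, but the skip should be visible to whoever reads the log; a comment on the guard, e.g. `/* Remaining checks need a policy; the isnt() above already reported the failure and the harness will count the skipped tests as missing */`, or explicit skip accounting if the framework offers it, makes the intent clear. The releases after errOut: are only safe on the early path if trust and date are initialised to NULL before the jump, which I cannot see from this hunk; tests() starts before the first hunk and ends after the last one.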
+++ b/OSX/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c @@ -25,19 +25,19 @@ #include <CoreFoundation/CoreFoundation.h> #include <Security/SecCertificate.h> #include <Security/SecCertificatePriv.h> -#include <Security/SecCertificateInternal.h> #include <Security/SecItem.h> #include <Security/SecItemPriv.h> #include <Security/SecIdentityPriv.h> #include <Security/SecIdentity.h> #include <Security/SecPolicy.h> #include <Security/SecPolicyPriv.h> -#include <Security/SecPolicyInternal.h> +#include <Security/SecTrust.h> +#include <Security/SecTrustPriv.h> #include <utilities/SecCFRelease.h> #include <stdlib.h> #include <unistd.h> -#include "Security_regressions.h" +#include "shared_regressions.h" //#if defined(NO_SERVER) && NO_SERVER == 1 @@ -487,6 +487,7 @@ static void test_pcs_escrow_with_anchor_roots(CFArrayRef anchors) SecTrustResultType trustResult = kSecTrustResultUnspecified; SecPolicyRef policy = NULL; CFArrayRef certs = NULL; + CFDateRef date = NULL; SecTrustRef trust = NULL; isnt(leafCert = SecCertificateCreateWithBytes(NULL, kPCSEscrowLeafCert, sizeof(kPCSEscrowLeafCert)), @@ -498,7 +499,11 @@ static void test_pcs_escrow_with_anchor_roots(CFArrayRef anchors) NULL, "could not create PCS Escrow policy for GM PCS Escrow Leaf cert"); ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), - "could not create trust for PCS escrow service test GM PCS Escrow Leaf cert"); + "could not create trust for PCS escrow service test GM PCS Escrow Leaf cert"); + + /* Set explicit verify date: Mar 18 2016. */ + isnt(date = CFDateCreate(NULL, 480000000.0), NULL, "create verify date"); + ok_status(SecTrustSetVerifyDate(trust, date), "set date"); SecTrustSetAnchorCertificates(trust, anchors); 
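Review bot: `CFDateCreate(NULL, 480000000.0)` hard-codes a CFAbsoluteTime with only "Mar 18 2016" as explanation, and the test does not say which validity window of kPCSEscrowLeafCert that date is meant to fall inside, so a future reader cannot tell whether the pin is still meaningful once the certificate is replaced. Hoisting it to a named file-scope constant such as `static const CFAbsoluteTime kPCSEscrowVerifyDate = 480000000.0; /* Mar 18 2016: inside the leaf's notBefore..notAfter window */` (with the window confirmed against the certificate bytes) and using it here keeps the value reviewable. The plan_tests bump from 20 to 22 in the last hunk assumes test_pcs_escrow_with_anchor_roots runs exactly once, since the two new checks are counted per call; worth confirming against the caller, which is outside these hunks.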
@@ -507,6 +512,7 @@ static void test_pcs_escrow_with_anchor_roots(CFArrayRef anchors) is_status(trustResult, kSecTrustResultUnspecified, "trust is not kSecTrustResultUnspecified for GM PCS Escrow Leaf cert"); + CFReleaseSafe(date); CFReleaseSafe(trust); CFReleaseSafe(policy); CFReleaseSafe(certs); @@ -565,7 +571,7 @@ int si_71_mobile_store_policy(int argc, char *const *argv) { //#if defined(NO_SERVER) && NO_SERVER == 1 - plan_tests(20); + plan_tests(22); tests(); diff --git a/OSX/sec/Security/Regressions/secitem/si-73-secpasswordgenerate.c b/OSX/sec/Security/Regressions/secitem/si-73-secpasswordgenerate.c index 4206fb84..e87294c8 100644 --- a/OSX/sec/Security/Regressions/secitem/si-73-secpasswordgenerate.c +++ b/OSX/sec/Security/Regressions/secitem/si-73-secpasswordgenerate.c 
@@ -7,13 +7,88 @@ #include <Security/SecPasswordGenerate.h> #include <utilities/SecCFRelease.h> #include "Security_regressions.h" +#include <stdarg.h> + +static void test_password_generate(bool ok, SecPasswordType type, int n,...) +{ + va_list argp; + CFTypeRef key, value; + va_start(argp, n); + int i; + + CFMutableDictionaryRef passwordRequirements = NULL; + CFStringRef password = NULL; + CFErrorRef error = NULL; + + passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); + + for(i=0; i<n; i++) { + key = va_arg(argp, CFTypeRef); + value = va_arg(argp, CFTypeRef); + CFDictionaryAddValue(passwordRequirements, key, value); + } + + password = SecPasswordGenerate(type, &error, passwordRequirements); + + if(ok) { + isnt(password, NULL); + is(error, NULL); + if((password==NULL) || (error!=NULL)) + { + printf("Oh no!\n"); + } + } else { + is(password, NULL); + isnt(error, NULL); + } + + CFReleaseSafe(password); + CFReleaseSafe(passwordRequirements); + CFReleaseSafe(error); + + va_end(argp); +} static void tests(void) { CFErrorRef error = NULL; CFStringRef password = NULL; + + //Create dictionary for common required character sets + CFCharacterSetRef uppercaseLetterCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetUppercaseLetter); + CFCharacterSetRef lowercaseLetterCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetLowercaseLetter); + CFCharacterSetRef decimalDigitCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetDecimalDigit); + CFMutableArrayRef requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFMutableDictionaryRef passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); + CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet); + CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet); + CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet); + + //Create common CFNumbers + int i2 = 2; + int i4 = 4; + int i5 = 5; + int i6 = 6; + int i12 = 12; 
+ int i19 = 19; + int i20 = 20; + int i23 = 23; + int i24 = 24; + int i32 = 32; + int i56 = 56; + + CFNumberRef cf2 = CFNumberCreate(NULL, kCFNumberIntType, &i2); + CFNumberRef cf4 = CFNumberCreate(NULL, kCFNumberIntType, &i4); + CFNumberRef cf5 = CFNumberCreate(NULL, kCFNumberIntType, &i5); + CFNumberRef cf6 = CFNumberCreate(NULL, kCFNumberIntType, &i6); + CFNumberRef cf12 = CFNumberCreate(NULL, kCFNumberIntType, &i12); + CFNumberRef cf19 = CFNumberCreate(NULL, kCFNumberIntType, &i19); + CFNumberRef cf20 = CFNumberCreate(NULL, kCFNumberIntType, &i20); + CFNumberRef cf23 = CFNumberCreate(NULL, kCFNumberIntType, &i23); + CFNumberRef cf24 = CFNumberCreate(NULL, kCFNumberIntType, &i24); + CFNumberRef cf32 = CFNumberCreate(NULL, kCFNumberIntType, &i32); + CFNumberRef cf56 = CFNumberCreate(NULL, kCFNumberIntType, &i56); + //generates random digit string is(true, (password = SecPasswordCreateWithRandomDigits(8, &error)) != NULL) ; 
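Review bot: The `printf("Oh no!\n")` inside test_password_generate's success branch reads as a leftover debug message: the isnt()/is() checks directly above it already report the failure, and the text carries nothing about which type or requirements failed. Either drop those three lines or make them diagnostic, e.g. `if (password == NULL || error != NULL) { CFShow(error); }`, so the CFError contents reach the log. Separately, the requirements dictionary is created with NULL key/value callbacks and therefore does not retain what is added to it, so the eleven CFNumberRefs cf2…cf56 and requiredCharacterSets created in tests() stay owned by tests(); the per-case CFRelease calls that used to free them are removed in the following hunks and the end of tests() is outside this view, so please confirm they are released there.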
@@ -27,205 +102,69 @@ static void tests(void) is(true, (password = SecPasswordCreateWithRandomDigits(5, &error)) != NULL) ; CFReleaseNull(password); - - CFCharacterSetRef uppercaseLetterCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetUppercaseLetter); - CFCharacterSetRef lowercaseLetterCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetLowercaseLetter); - CFCharacterSetRef decimalDigitCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetDecimalDigit); - - CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordDefaultForType, CFSTR("true")); - + //test default PIN - password = SecPasswordGenerate(kSecPasswordTypePIN, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); - CFReleaseNull(password); - error = NULL; - + test_password_generate(true, kSecPasswordTypePIN, 1, + kSecPasswordDefaultForType, CFSTR("true")); + //test default icloud recovery code - password = SecPasswordGenerate(kSecPasswordTypeiCloudRecovery, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); - CFReleaseNull(password); - error = NULL; - + test_password_generate(true, kSecPasswordTypeiCloudRecovery, 1, + kSecPasswordDefaultForType, CFSTR("true")); + //test default wifi - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordDefaultForType, CFSTR("true")); - password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); - CFReleaseNull(password); - error = NULL; - CFRelease(passwordRequirements); - - //test default safari - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordDefaultForType, 
CFSTR("true")); - password = SecPasswordGenerate(kSecPasswordTypeSafari, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); + test_password_generate(true, kSecPasswordTypeWifi, 1, + kSecPasswordDefaultForType, CFSTR("true")); - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); + //test default safari + test_password_generate(true, kSecPasswordTypeSafari, 1, + kSecPasswordDefaultForType, CFSTR("true")); //test icloud recovery code generation - password = SecPasswordGenerate(kSecPasswordTypeiCloudRecovery, &error, NULL); - isnt(password, NULL); - ok(error == NULL); + test_password_generate(true, kSecPasswordTypeiCloudRecovery, 1, + kSecPasswordDefaultForType, CFSTR("true")); - error = NULL; - CFReleaseNull(password); - //dictionary setup - int min = 20; - int max = 32; - - CFNumberRef minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - CFNumberRef maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - CFStringRef allowedCharacters = CFSTR("abcdsefw2345"); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); - CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); - - //test wifi code generation - //test with min/max in range of default - password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); - - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(allowedCharacters); - + test_password_generate(true, kSecPasswordTypeWifi, 4, + kSecPasswordMinLengthKey, cf20, + kSecPasswordMaxLengthKey, cf32, + kSecPasswordAllowedCharactersKey, 
CFSTR("abcdsefw2345"), + kSecPasswordRequiredCharactersKey, requiredCharacterSets); //test with max == min - min = 24; - max = 24; - - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - allowedCharacters = CFSTR("abcdsefw2345"); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); - CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); - password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); + test_password_generate(true, kSecPasswordTypeWifi, 4, + kSecPasswordMinLengthKey, cf24, + kSecPasswordMaxLengthKey, cf24, + kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"), + kSecPasswordRequiredCharactersKey, requiredCharacterSets); - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(allowedCharacters); - - passwordRequirements = NULL; - //test disallowed characters - min = 24; - max = 56; - - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - allowedCharacters = CFSTR("abcdefghijklmnopqrstuvwxyz0123456789"); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); - CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); - 
CFDictionaryAddValue(passwordRequirements, kSecPasswordDisallowedCharacters, CFSTR("aidfl")); + test_password_generate(true, kSecPasswordTypeWifi, 5, + kSecPasswordMinLengthKey, cf24, + kSecPasswordMaxLengthKey, cf24, + kSecPasswordAllowedCharactersKey, CFSTR("abcdefghijklmnopqrstuvwxyz0123456789"), + kSecPasswordRequiredCharactersKey, requiredCharacterSets, + kSecPasswordDisallowedCharacters, CFSTR("aidfl")); - password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); - - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(allowedCharacters); - passwordRequirements = NULL; //test can't start with characters - min = 24; - max = 56; - - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - allowedCharacters = CFSTR("diujk"); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); - CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); - CFDictionaryAddValue(passwordRequirements, kSecPasswordCantStartWithChars, CFSTR("d")); - - password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); - - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(allowedCharacters); - passwordRequirements = NULL; - + test_password_generate(true, kSecPasswordTypeWifi, 5, + kSecPasswordMinLengthKey, cf24, + kSecPasswordMaxLengthKey, cf56, + kSecPasswordAllowedCharactersKey, CFSTR("diujk"), + 
kSecPasswordRequiredCharactersKey, requiredCharacterSets, + kSecPasswordCantStartWithChars, CFSTR("d")); //test can't end with characters - min = 24; - max = 56; - - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - allowedCharacters = CFSTR("diujk89"); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); - CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); - CFDictionaryAddValue(passwordRequirements, kSecPasswordCantEndWithChars, CFSTR("d")); - - password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); + test_password_generate(true, kSecPasswordTypeWifi, 5, + kSecPasswordMinLengthKey, cf24, + kSecPasswordMaxLengthKey, cf56, + kSecPasswordAllowedCharactersKey, CFSTR("diujk89"), + kSecPasswordRequiredCharactersKey, requiredCharacterSets, + kSecPasswordCantEndWithChars, CFSTR("d")); - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(allowedCharacters); - passwordRequirements = NULL; - - //test 4 digit pin generation for(int i =0 ; i< 100; i++){ - password = SecPasswordGenerate(kSecPasswordTypePIN, &error, passwordRequirements); + password = SecPasswordGenerate(kSecPasswordTypePIN, &error, NULL); isnt(password, NULL); ok(error == NULL); 
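Review bot: Two cases change what they test while being converted to test_password_generate. The "test icloud recovery code generation" case used to call `SecPasswordGenerate(kSecPasswordTypeiCloudRecovery, &error, NULL)` with a NULL requirements dictionary and now passes kSecPasswordDefaultForType exactly like the "test default icloud recovery code" case above it, so the NULL-dictionary path for that type is no longer covered; keeping the direct call (password and error are still declared in tests()) or having the helper pass NULL when n is 0 would preserve it. The "test disallowed characters" case used min 24 / max 56 and now passes cf24 for both, which silently turns it into a fixed-length case; if that is intended, say so in the comment, otherwise the max argument should be cf56. The next hunk shows the same drift (5-digit PIN 4..5 becomes 5..6, at-least-N and no-more-than-N 24..32 become 12..19) but is cut off at the end of this view, so it is not annotated separately.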
@@ -234,647 +173,211 @@ static void tests(void) } //test 6 digit pin - min = 4; - max = 6; - - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - password = SecPasswordGenerate(kSecPasswordTypePIN, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); - - error = NULL; - CFReleaseNull(password); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(passwordRequirements); - + test_password_generate(true, kSecPasswordTypePIN, 2, + kSecPasswordMinLengthKey, cf4, + kSecPasswordMaxLengthKey, cf6); //test 5 digit pin - min = 4; - max = 5; - - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - password = SecPasswordGenerate(kSecPasswordTypePIN, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); + test_password_generate(true, kSecPasswordTypePIN, 2, + kSecPasswordMinLengthKey, cf5, + kSecPasswordMaxLengthKey, cf6); - error = NULL; - CFReleaseNull(password); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(passwordRequirements); //test safari password - min = 20; - max = 32; - - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - allowedCharacters 
= CFSTR("abcdsefw2345"); - requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); - CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); - - password = SecPasswordGenerate(kSecPasswordTypeSafari, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); + test_password_generate(true, kSecPasswordTypeSafari, 4, + kSecPasswordMinLengthKey, cf20, + kSecPasswordMaxLengthKey, cf32, + kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"), + kSecPasswordRequiredCharactersKey, requiredCharacterSets); - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(allowedCharacters); - CFRelease(requiredCharacterSets); - //test flexible group size and number of groups in the password //test safari password - min = 12; - max = 19; - int groupSize = 5; - int numberOfGroups = 23; - - CFTypeRef groupSizeRef = CFNumberCreate(NULL, kCFNumberIntType, &groupSize); - CFTypeRef numberOfGroupsRef = CFNumberCreate(NULL, kCFNumberIntType, &numberOfGroups); - - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - allowedCharacters = CFSTR("abcdsefw2345"); - requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet); - 
CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); - CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); - CFDictionaryAddValue(passwordRequirements, kSecPasswordGroupSize, groupSizeRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordNumberOfGroups, numberOfGroupsRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordSeparator, CFSTR("*")); + test_password_generate(true, kSecPasswordTypeSafari, 7, + kSecPasswordMinLengthKey, cf12, + kSecPasswordMaxLengthKey, cf19, + kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"), + kSecPasswordRequiredCharactersKey, requiredCharacterSets, + kSecPasswordGroupSize, cf5, + kSecPasswordNumberOfGroups, cf23, + kSecPasswordSeparator, CFSTR("*")); - password = SecPasswordGenerate(kSecPasswordTypeSafari, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); - - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(allowedCharacters); - CFRelease(requiredCharacterSets); - //test at least N characters //test safari password - min = 24; - max = 32; - int N = 5; - - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - CFNumberRef threshold = CFNumberCreate(NULL, kCFNumberIntType, &N); - - CFStringRef characters = CFSTR("ab"); CFMutableDictionaryRef atLeast = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(atLeast, kSecPasswordCharacters, characters); - CFDictionaryAddValue(atLeast, kSecPasswordCharacterCount, threshold); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - 
CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - allowedCharacters = CFSTR("abcdsefw2345"); - requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); - CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); - CFDictionaryAddValue(passwordRequirements, kSecPasswordContainsAtLeastNSpecificCharacters, atLeast); + CFDictionaryAddValue(atLeast, kSecPasswordCharacters, CFSTR("ab")); + CFDictionaryAddValue(atLeast, kSecPasswordCharacterCount, cf5); - password = SecPasswordGenerate(kSecPasswordTypeSafari, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); + test_password_generate(true, kSecPasswordTypeSafari, 5, + kSecPasswordMinLengthKey, cf12, + kSecPasswordMaxLengthKey, cf19, + kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"), + kSecPasswordRequiredCharactersKey, requiredCharacterSets, + kSecPasswordContainsAtLeastNSpecificCharacters, atLeast); - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(allowedCharacters); - CFRelease(requiredCharacterSets); + CFReleaseSafe(atLeast); //test no More than N characters //test safari password - min = 24; - max = 32; - N = 5; - - - threshold = CFNumberCreate(NULL, kCFNumberIntType, &N); - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max); - CFMutableDictionaryRef noMoreThan = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFStringRef noMore = CFSTR("ab"); - CFDictionaryAddValue(noMoreThan, kSecPasswordCharacters, noMore); - 
CFDictionaryAddValue(noMoreThan, kSecPasswordCharacterCount, threshold); - - passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef); - CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef); - allowedCharacters = CFSTR("abcdsefw2345"); - requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); - CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet); - - CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); - CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); - CFDictionaryAddValue(passwordRequirements, kSecPasswordContainsNoMoreThanNSpecificCharacters, noMoreThan); - - password = SecPasswordGenerate(kSecPasswordTypeSafari, &error, passwordRequirements); - isnt(password, NULL); - ok(error == NULL); + CFDictionaryAddValue(noMoreThan, kSecPasswordCharacters, CFSTR("ab")); + CFDictionaryAddValue(noMoreThan, kSecPasswordCharacterCount, cf5); - error = NULL; - CFReleaseNull(password); - CFRelease(passwordRequirements); - CFRelease(minRef); - CFRelease(maxRef); - CFRelease(allowedCharacters); - CFRelease(requiredCharacterSets); + test_password_generate(true, kSecPasswordTypeSafari, 5, + kSecPasswordMinLengthKey, cf12, + kSecPasswordMaxLengthKey, cf19, + kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"), + kSecPasswordRequiredCharactersKey, requiredCharacterSets, + kSecPasswordContainsNoMoreThanNSpecificCharacters, noMoreThan); + + CFReleaseSafe(noMoreThan); //test identical character threshold //test safari password - min = 12; - max = 19; - N = 2; - - threshold = CFNumberCreate(NULL, kCFNumberIntType, &N); - minRef = CFNumberCreate(NULL, kCFNumberIntType, &min); - maxRef = 
CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
- requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordContainsNoMoreThanNConsecutiveIdenticalCharacters, threshold);
-
- password = SecPasswordGenerate(kSecPasswordTypeSafari, &error, passwordRequirements);
- isnt(password, NULL);
- ok(error == NULL);
+ test_password_generate(true, kSecPasswordTypeSafari, 5,
+ kSecPasswordMinLengthKey, cf12,
+ kSecPasswordMaxLengthKey, cf19,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets,
+ kSecPasswordContainsNoMoreThanNConsecutiveIdenticalCharacters, cf2);
+
- error = NULL;
- CFReleaseNull(password);
- CFRelease(passwordRequirements);
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
- CFRelease(requiredCharacterSets);
 /////////////////now test all the error cases
 //test with no required characters
-
- min = 24;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- allowedCharacters = CFSTR("abcdsefw2345");
- requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ CFMutableArrayRef emptyCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
+ test_password_generate(false, kSecPasswordTypeWifi, 4,
+ kSecPasswordMinLengthKey, cf24,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, emptyCharacterSets);
- CFRelease(error);
- error = NULL;
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
- CFRelease(passwordRequirements);
+ CFReleaseSafe(emptyCharacterSets);
 //test with no allowed characters
- min = 24;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- CFRelease(error);
- error = NULL;
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(passwordRequirements);
+ test_password_generate(false, kSecPasswordTypeWifi, 4,
+ kSecPasswordMinLengthKey, cf24,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR(""),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets);
 //test with min > max
- min = 32;
- max = 20;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
- CFRelease(passwordRequirements);
+ test_password_generate(false, kSecPasswordTypeWifi, 4,
+ kSecPasswordMinLengthKey, cf32,
+ kSecPasswordMaxLengthKey, cf24,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets);
 //test by ommitting dictionary parameters
 //omit max length
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
- CFRelease(passwordRequirements);
+ test_password_generate(false, kSecPasswordTypeWifi, 3,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets);
 //omit min length
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
- CFRelease(passwordRequirements);
+ test_password_generate(false, kSecPasswordTypeWifi, 3,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets);
 //omit allowed characters
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
- CFRelease(passwordRequirements);
+ test_password_generate(false, kSecPasswordTypeWifi, 3,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets);
 //omit required characters
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
- CFRelease(passwordRequirements);
+ test_password_generate(false, kSecPasswordTypeWifi, 3,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"));
+
 //pass in wrong type for min
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
- requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
-
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(passwordRequirements);
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
-
+ test_password_generate(false, kSecPasswordTypeWifi, 4,
+ kSecPasswordMinLengthKey, CFSTR("20"),
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets);
+
 //pass in wrong type for max
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, allowedCharacters);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
-
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(passwordRequirements);
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
-
+ test_password_generate(false, kSecPasswordTypeWifi, 4,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordMaxLengthKey, CFSTR("32"),
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets);
+
 //pass in wrong type for allowed
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
-
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(passwordRequirements);
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
-
+ test_password_generate(false, kSecPasswordTypeWifi, 4,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, requiredCharacterSets,
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets);
+
 //pass in wrong type for required
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, minRef);
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(passwordRequirements);
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
+ test_password_generate(false, kSecPasswordTypeWifi, 4,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, CFSTR("abcdsefw2345"));
 //pass in wrong type for no less than
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
- requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordContainsAtLeastNSpecificCharacters, CFSTR("hehe"));
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(passwordRequirements);
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
-
- //pass in wrong type for no more than
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
- requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordContainsNoMoreThanNSpecificCharacters, CFSTR("hehe"));
+ test_password_generate(false, kSecPasswordTypeWifi, 5,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets,
+ kSecPasswordContainsAtLeastNSpecificCharacters, CFSTR("hehe"));
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
- error = NULL;
- CFRelease(passwordRequirements);
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
+ //pass in wrong type for no more than
+ test_password_generate(false, kSecPasswordTypeWifi, 5,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets,
+ kSecPasswordContainsNoMoreThanNSpecificCharacters, CFSTR("hehe"));
 //pass in wrong disallowed characters
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
- requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordDisallowedCharacters, requiredCharacterSets);
-
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(passwordRequirements);
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
+ test_password_generate(false, kSecPasswordTypeWifi, 5,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets,
+ kSecPasswordDisallowedCharacters, requiredCharacterSets);
 //pass in wrong type for no more than's dictionary
- min = 20;
- max = 32;
-
- minRef = CFNumberCreate(NULL, kCFNumberIntType, &min);
- maxRef = CFNumberCreate(NULL, kCFNumberIntType, &max);
-
 CFMutableDictionaryRef wrongCount = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
 CFDictionaryAddValue(wrongCount, kSecPasswordCharacters, CFSTR("lkj"));
 CFDictionaryAddValue(wrongCount, kSecPasswordCharacterCount, CFSTR("sdf"));
-
- passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
- requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet);
- CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet);
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMinLengthKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordMaxLengthKey, maxRef);
- allowedCharacters = CFSTR("abcdsefw2345");
-
- CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, minRef);
- CFDictionaryAddValue(passwordRequirements, kSecPasswordContainsNoMoreThanNSpecificCharacters, wrongCount);
-
- password = SecPasswordGenerate(kSecPasswordTypeWifi, &error, passwordRequirements);
- ok(password == NULL);
- ok(error != NULL);
-
- error = NULL;
- CFRelease(wrongCount);
- CFRelease(passwordRequirements);
- CFRelease(minRef);
- CFRelease(maxRef);
- CFRelease(allowedCharacters);
-
+
+ test_password_generate(false, kSecPasswordTypeWifi, 5,
+ kSecPasswordMinLengthKey, cf20,
+ kSecPasswordMaxLengthKey, cf32,
+ kSecPasswordAllowedCharactersKey, CFSTR("abcdsefw2345"),
+ kSecPasswordRequiredCharactersKey, requiredCharacterSets,
+ kSecPasswordContainsNoMoreThanNSpecificCharacters, wrongCount);
+
+ CFReleaseSafe(wrongCount);
+
+
+ //release CF objects:
+ CFReleaseSafe(cf2);
+ CFReleaseSafe(cf4);
+ CFReleaseSafe(cf5);
+ CFReleaseSafe(cf6);
+ CFReleaseSafe(cf12);
+ CFReleaseSafe(cf19);
+ CFReleaseSafe(cf20);
+ CFReleaseSafe(cf23);
+ CFReleaseSafe(cf24);
+ CFReleaseSafe(cf32);
+ CFReleaseSafe(cf56);
+
+ CFReleaseSafe(requiredCharacterSets);
+
+
+ // Weak Passwords tests
 password = CFSTR("Apple1?");
 isnt(true, SecPasswordIsPasswordWeak(password));
 CFRelease(password);
@@ -1021,12 +524,15 @@ static void tests(void)
 is(true, SecPasswordIsPasswordWeak2(true, CFSTR("525252")));
 is(true, SecPasswordIsPasswordWeak2(false, CFSTR("525252")));
 is(true, SecPasswordIsPasswordWeak2(false, CFSTR("52525")));
-
+
+ is(true, SecPasswordIsPasswordWeak2(true, CFSTR("098765")));
+ is(true, SecPasswordIsPasswordWeak(CFSTR("0987")));
+
 }
 int si_73_secpasswordgenerate(int argc, char *const *argv)
 {
- plan_tests(308);
+ plan_tests(310);
 tests();
 return 0;
diff --git a/OSX/sec/Security/Regressions/secitem/si-74-OTAPKISigner.c b/OSX/sec/Security/Regressions/secitem/si-74-OTAPKISigner.c
index b555e4d4..36ce0067 100644
--- a/OSX/sec/Security/Regressions/secitem/si-74-OTAPKISigner.c
+++ b/OSX/sec/Security/Regressions/secitem/si-74-OTAPKISigner.c
@@ -25,21 +25,19 @@
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/SecCertificate.h>
 #include <Security/SecCertificatePriv.h>
-#include <Security/SecCertificateInternal.h>
 #include <Security/SecItem.h>
 #include <Security/SecItemPriv.h>
 #include <Security/SecIdentityPriv.h>
 #include <Security/SecIdentity.h>
 #include <Security/SecPolicy.h>
 #include <Security/SecPolicyPriv.h>
-#include <Security/SecPolicyInternal.h>
+#include <Security/SecTrust.h>
+#include <Security/SecTrustPriv.h>
 #include <Security/SecCMS.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include "Security_regressions.h"
-
-#if TARGET_OS_IPHONE
+#include "shared_regressions.h"
 #define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) { CFRelease(_cf); } }
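Review bot: The two new checks `is(true, SecPasswordIsPasswordWeak2(true, CFSTR("098765")));` and `is(true, SecPasswordIsPasswordWeak(CFSTR("0987")));` carry no description, so a failure reports only a line number inside `tests()`, which now issues hundreds of checks, and the property being pinned — that a descending digit run counts as a weak passcode — is stated nowhere. The `isnt(..., NULL, "Get the ...")` calls in si-74 show the harness accepts a trailing description, so presumably `is()` does too: `is(true, SecPasswordIsPasswordWeak2(true, CFSTR("098765")), "descending digit sequence is weak");` and `is(true, SecPasswordIsPasswordWeak(CFSTR("0987")), "descending 4-digit sequence is weak");`. The bump to `plan_tests(310)` is a hand count against the per-call totals passed to `test_password_generate` earlier in the function; if that count drifts the failure shows up as a plan mismatch rather than a named test, which is another reason to label these. The body of `tests()` begins outside this hunk.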
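Review bot: The `CFReleaseSafe` macro kept on the hunk's last context line is a bare brace block rather than `do { … } while (0)`, so `if (c) CFReleaseSafe(x); else …` does not compile and the trailing `;` callers write after it becomes a separate empty statement; with `#if TARGET_OS_IPHONE` gone and `shared_regressions.h` now included, this file is also built for OS X, where any project header that already provides `CFReleaseSafe` would turn this into a redefinition (the deleted si-75 includes `<utilities/SecCFWrappers.h>` instead of defining its own in its visible portion, which suggests a shared definition exists — worth confirming). I would write `#define CFReleaseSafe(CF) do { CFTypeRef _cf = (CF); if (_cf) { CFRelease(_cf); } } while (0)` and guard it with `#ifndef CFReleaseSafe`, or drop the local copy if the shared header supplies one. The rest of the file continues outside the hunk.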
@@ -902,7 +900,8 @@ static void test_OTA_PKI()
 NULL, "Get the Apple PKI Settings Root Certification Authority Cert Data");
 SecCertificateRef apple_pki_settings_root_certificate_authority_cert = NULL;
- isnt(apple_pki_settings_root_certificate_authority_cert = SecCertificateCreateWithData(kCFAllocatorDefault, apple_pki_settings_root_certificate_authority_cert_data),
+ isnt(apple_pki_settings_root_certificate_authority_cert = SecCertificateCreateWithBytes(kCFAllocatorDefault,
+ kApplePKISettingsRootCACert, sizeof(kApplePKISettingsRootCACert)),
 NULL, "Get the Apple PKI Settings Root Certification Authority Cert");
 CFArrayRef anchors = CFArrayCreate(kCFAllocatorDefault, (const void **)&apple_pki_settings_root_certificate_authority_cert, 1, &kCFTypeArrayCallBacks);
@@ -1007,4 +1006,3 @@ int si_74_OTA_PKI_Signer(int argc, char *const *argv)
 return 0;
 }
-#endif
diff --git a/OSX/sec/Security/Regressions/secitem/si-75-AppleIDRecordSigning.c b/OSX/sec/Security/Regressions/secitem/si-75-AppleIDRecordSigning.c
deleted file mode 100644
index 939f7080..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-75-AppleIDRecordSigning.c
+++ /dev/null
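Review bot: `apple_pki_settings_root_certificate_authority_cert_data` is still produced by the `isnt(..., "Get the Apple PKI Settings Root Certification Authority Cert Data")` check in the context above the changed line, but nothing consumes it once the certificate is built directly from `kApplePKISettingsRootCACert`, so the CFData is dead and, unless it is released further down in `test_OTA_PKI()` (which continues outside the hunk), leaked; either delete its creation or keep `SecCertificateCreateWithData(kCFAllocatorDefault, apple_pki_settings_root_certificate_authority_cert_data)`. Separately, `sizeof(kApplePKISettingsRootCACert)` is the DER length only if that symbol is declared as an array in whichever header now provides it — if it is a p
ointer, `sizeof` yields the pointer width, the parse fails and the `isnt(..., NULL, ...)` trips, which matters because this object becomes the sole entry in `anchors` for the OTA PKI trust evaluation that follows. Whether the CFData is released later is not visible here.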
@@ -1,267 +0,0 @@
-/*
- * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/SecCertificate.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecCertificateInternal.h>
-#include <Security/SecItem.h>
-#include <Security/SecItemPriv.h>
-#include <Security/SecIdentityPriv.h>
-#include <Security/SecIdentity.h>
-#include <Security/SecPolicy.h>
-#include <Security/SecPolicyPriv.h>
-#include <Security/SecPolicyInternal.h>
-#include <Security/SecCMS.h>
-#include <utilities/SecCFWrappers.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include "Security_regressions.h"
-
-/*
- Subject: CN=Apple ID Validation Record Signing 01
- Issuer: C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority
- Not After : Jul 29 19:36:18 2015 GMT
-*/
-static const UInt8 kLeafCert[] = {
- 0x30, 0x82, 0x05, 0x11, 0x30, 0x82, 0x03, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x3d,
- 0x73, 0xc1, 0x2f, 0x55, 0xba, 0x4c, 0x53, 0x30, 0x0d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x8a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, - 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x31, 0x3e, 0x30, 0x3c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x35, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, - 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x33, 0x30, 0x37, 0x32, 0x39, 0x31, 0x39, 0x33, - 0x36, 0x31, 0x38, 0x5a, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x37, 0x32, 0x39, 0x31, 0x39, 0x33, 0x36, - 0x31, 0x38, 0x5a, 0x30, 0x30, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x25, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x44, 0x20, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, - 0x6e, 0x67, 0x20, 0x30, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, - 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb1, 0x13, 0xc4, 0x56, 0xe4, 0x16, 0x44, 0x9e, 0xbd, 0x35, - 0x6a, 0x2e, 0xce, 0x47, 0x03, 0x3c, 0x28, 0x25, 0xcd, 0x89, 0x90, 0xc8, 0xfe, 0xb5, 0x02, 0x1f, - 0xc3, 0x20, 0x04, 0xf6, 0x34, 0x74, 0x1f, 0x2a, 0xd3, 0x67, 0xe5, 0x90, 0xb8, 0x43, 0xad, 0x1c, - 0xf0, 0xa0, 0x8e, 0xd5, 0x63, 0xff, 0x7c, 0x60, 0x03, 0x5b, 0x18, 0x02, 0x01, 0x56, 0x69, 
0xda, - 0xff, 0x08, 0xdd, 0x56, 0x22, 0x38, 0x09, 0xd8, 0xe8, 0x1e, 0x2f, 0xda, 0x57, 0x93, 0x36, 0xa1, - 0x4d, 0x24, 0x72, 0x4d, 0x3c, 0x89, 0xde, 0x66, 0x61, 0x4c, 0xe2, 0x42, 0x2f, 0x09, 0x7d, 0x43, - 0x49, 0xe0, 0x8b, 0x25, 0x34, 0x89, 0x8b, 0x3b, 0x8d, 0xd5, 0xbd, 0x24, 0x81, 0xf8, 0xc5, 0x99, - 0x3a, 0x36, 0xfc, 0xf2, 0x20, 0x7d, 0xc7, 0xcb, 0xf5, 0x29, 0x3c, 0xc4, 0xed, 0x2d, 0xa2, 0xca, - 0xa2, 0x21, 0x4f, 0x0b, 0x4b, 0xf6, 0xb5, 0x6b, 0x45, 0xa0, 0x4a, 0xeb, 0x5f, 0x47, 0x1f, 0xb5, - 0x4d, 0x44, 0x10, 0xc6, 0xc4, 0xa4, 0x5a, 0x97, 0x70, 0x26, 0x62, 0x27, 0xba, 0xcc, 0xdd, 0x42, - 0x46, 0xd7, 0x78, 0x3d, 0xe8, 0xe3, 0x6f, 0x46, 0x0b, 0xe6, 0xa2, 0xe8, 0x01, 0x83, 0xfb, 0xe3, - 0x8c, 0xba, 0x76, 0x86, 0x56, 0xa7, 0x85, 0xf9, 0x18, 0xcb, 0x86, 0xc1, 0x31, 0x0d, 0xee, 0x56, - 0x98, 0x4c, 0x63, 0x05, 0x3d, 0xbc, 0xcd, 0x96, 0x83, 0x37, 0x74, 0x86, 0xa4, 0x73, 0x44, 0x4c, - 0x9d, 0x4e, 0x5a, 0xe8, 0x9d, 0xdf, 0x3e, 0xfe, 0x00, 0x61, 0x45, 0xd8, 0xf5, 0x5c, 0x30, 0x82, - 0x95, 0x5b, 0xdc, 0x92, 0x2d, 0x15, 0x29, 0x8c, 0x61, 0xec, 0xbc, 0x6b, 0x0a, 0xf0, 0xb6, 0x74, - 0xf2, 0x64, 0xe6, 0xf1, 0xd4, 0x01, 0x8b, 0x2f, 0x80, 0xe8, 0x5b, 0x5d, 0xe7, 0xa7, 0xa1, 0x68, - 0xc1, 0x6b, 0x1d, 0x5e, 0x1d, 0xb7, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xd2, 0x30, - 0x82, 0x01, 0xce, 0x30, 0x40, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, - 0x34, 0x30, 0x32, 0x30, 0x30, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, - 0x24, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x61, 0x70, 0x70, - 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x34, 0x2d, 0x61, 0x61, - 0x69, 0x63, 0x61, 0x30, 0x34, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x3b, 0xea, 0x41, 0x8f, 0x09, 0xf9, 0x35, 0xf8, 0xe3, 0x61, 0xcd, 0x8b, 0x40, 0xc7, 0x9f, 0x8d, - 0x4a, 0x1e, 0x0c, 0x27, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x1f, 0x06, 0x03, 0x55, 0x1d, 
0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x31, 0xea, 0x76, 0xa9, - 0x23, 0x74, 0xa5, 0xdf, 0xd4, 0xfd, 0xee, 0xa0, 0xc1, 0xa6, 0x9e, 0xc6, 0x11, 0x0e, 0x11, 0xec, - 0x30, 0x82, 0x01, 0x1c, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x82, 0x01, 0x13, 0x30, 0x82, 0x01, - 0x0f, 0x30, 0x82, 0x01, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x05, 0x01, - 0x30, 0x81, 0xfd, 0x30, 0x81, 0xc3, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, - 0x30, 0x81, 0xb6, 0x0c, 0x81, 0xb3, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, 0x20, 0x6f, - 0x6e, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x20, 0x62, 0x79, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x70, 0x61, 0x72, 0x74, 0x79, 0x20, - 0x61, 0x73, 0x73, 0x75, 0x6d, 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x61, 0x6e, - 0x63, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74, 0x68, 0x65, 0x6e, 0x20, 0x61, - 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x62, 0x6c, 0x65, 0x20, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, - 0x72, 0x64, 0x20, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x6f, 0x6e, - 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6f, 0x66, 0x20, 0x75, 0x73, 0x65, 0x2c, 0x20, - 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, 0x74, 0x69, 0x63, 0x65, 0x20, 0x73, 0x74, - 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x30, 0x35, 0x06, 0x08, 0x2b, 0x06, 0x01, - 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x29, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, - 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, - 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 
0x04, 0x03, 0x02, 0x07, 0x80, - 0x30, 0x0f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x06, 0x19, 0x04, 0x02, 0x05, - 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, - 0x03, 0x82, 0x01, 0x01, 0x00, 0x97, 0xda, 0x8f, 0xab, 0x57, 0xa2, 0xfb, 0x85, 0xa5, 0x64, 0xbb, - 0xe9, 0xed, 0x6c, 0x13, 0x54, 0x3e, 0x3c, 0x00, 0xb5, 0xa4, 0xd2, 0x8a, 0xd9, 0xe6, 0xda, 0x9e, - 0x2b, 0x49, 0xc4, 0x80, 0x09, 0xa9, 0x0e, 0xda, 0xf3, 0xb1, 0x16, 0xa7, 0xbb, 0x14, 0x4e, 0xdf, - 0x95, 0xca, 0x3e, 0xc1, 0x2f, 0xcf, 0x0d, 0xa3, 0x0c, 0x5b, 0x36, 0x6f, 0x48, 0xe3, 0x44, 0x6e, - 0x96, 0xb1, 0x1c, 0xfc, 0x71, 0x3f, 0x88, 0xb0, 0x07, 0x20, 0x62, 0x62, 0x3d, 0x96, 0x56, 0x84, - 0xb2, 0x5e, 0xa6, 0x1b, 0x57, 0xca, 0x53, 0x75, 0xda, 0x11, 0x9c, 0xb4, 0x14, 0x57, 0x49, 0x07, - 0x14, 0xa3, 0xda, 0xd5, 0xe4, 0x1e, 0xb6, 0x14, 0xd4, 0x67, 0x7a, 0x0a, 0xf3, 0xcc, 0xc1, 0x23, - 0x5c, 0x53, 0x62, 0x61, 0x6a, 0x94, 0x37, 0xfb, 0x6b, 0x87, 0xcf, 0xc2, 0xa6, 0x13, 0xbc, 0x49, - 0x42, 0x21, 0xde, 0x98, 0x83, 0x45, 0xf4, 0x9e, 0xc4, 0x67, 0x14, 0xc4, 0x4b, 0x26, 0xed, 0xf8, - 0xb5, 0xd7, 0x22, 0xaa, 0x54, 0x93, 0x60, 0xf6, 0xaf, 0x23, 0xd0, 0x8e, 0xe8, 0xa0, 0x94, 0xfa, - 0xf6, 0x96, 0x12, 0x14, 0x24, 0xe0, 0x46, 0xbb, 0xf4, 0xf2, 0x7b, 0xe1, 0x76, 0x84, 0xc0, 0x38, - 0x72, 0x83, 0x35, 0x09, 0xc8, 0xb2, 0xe7, 0x5c, 0x00, 0xbe, 0xb2, 0x0e, 0x20, 0x33, 0x00, 0x4d, - 0x09, 0xde, 0xdf, 0x1e, 0x09, 0xd0, 0xa5, 0xf8, 0x60, 0x05, 0x72, 0x26, 0x72, 0x2b, 0xc5, 0x05, - 0xf7, 0xd0, 0xe7, 0xa8, 0xc7, 0x54, 0x77, 0x2a, 0x84, 0xe5, 0xf9, 0x4f, 0x83, 0x96, 0x67, 0x2d, - 0x3d, 0x36, 0xf5, 0xba, 0x42, 0xa6, 0x21, 0x77, 0x87, 0x8e, 0xa4, 0xa6, 0xf3, 0xa8, 0x90, 0x4b, - 0x27, 0x25, 0x8c, 0x78, 0x45, 0xd8, 0x95, 0x2c, 0x0e, 0x19, 0xef, 0xc9, 0x80, 0x7a, 0x97, 0xb6, - 0x37, 0x1e, 0x31, 0x59, 0x3c -}; - -/* - Subject: C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority - Issuer: C=US, O=Apple Inc., OU=Apple 
Certification Authority, CN=Apple Root CA - Not After : Jul 26 19:16:09 2017 GMT -*/ -static const UInt8 kIntermediateCert[] = { - 0x30, 0x82, 0x04, 0x17, 0x30, 0x82, 0x02, 0xff, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x1b, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, - 0x62, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x16, 0x30, 0x14, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, - 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x30, 0x30, 0x35, 0x32, 0x36, 0x31, 0x39, 0x31, - 0x36, 0x30, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x37, 0x32, 0x36, 0x31, 0x39, 0x31, 0x36, - 0x30, 0x39, 0x5a, 0x30, 0x81, 0x8a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x0c, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, - 0x31, 0x3e, 0x30, 0x3c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x35, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x49, 0x6e, 0x74, - 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, - 0x30, 
0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xe3, 0x5b, 0xb3, 0x27, 0x6a, 0x0c, 0xbf, 0x6e, 0xaa, 0x4c, 0xe7, 0xc5, 0x3f, 0x6f, 0x6d, - 0x4c, 0xe6, 0xa2, 0x95, 0xd5, 0xeb, 0xd5, 0x02, 0xaf, 0x70, 0x74, 0x46, 0xb9, 0xd1, 0x8f, 0xac, - 0x3b, 0xb7, 0xde, 0x0c, 0x84, 0xd0, 0x90, 0x5f, 0xff, 0xe7, 0x59, 0x43, 0xce, 0xba, 0xd5, 0xc6, - 0xc5, 0xed, 0x4f, 0xfc, 0xbf, 0xc3, 0x97, 0x59, 0x39, 0xf9, 0x64, 0xe8, 0x0e, 0x4a, 0x9f, 0x9f, - 0xf6, 0xec, 0x7a, 0x88, 0xea, 0xdf, 0xb6, 0xe7, 0x62, 0x01, 0x7f, 0x9a, 0x0f, 0xc5, 0x4a, 0x16, - 0xeb, 0xac, 0xe6, 0x98, 0x5f, 0x42, 0x3e, 0x82, 0xcb, 0x1d, 0xb3, 0x6a, 0xef, 0x1b, 0xc2, 0x8b, - 0xb6, 0x09, 0x99, 0xc9, 0xf0, 0x2c, 0x12, 0xd7, 0x2b, 0x88, 0xbe, 0x2a, 0xa8, 0xf6, 0x61, 0x3b, - 0x89, 0xea, 0xbf, 0x7f, 0x69, 0x46, 0x02, 0xcc, 0x64, 0x3e, 0x24, 0xe9, 0x5f, 0x8e, 0xf4, 0xfb, - 0xe2, 0x8a, 0xfe, 0x03, 0xfa, 0x29, 0x2c, 0xda, 0xc9, 0x94, 0x48, 0xd0, 0xde, 0xee, 0x2f, 0x88, - 0x4c, 0xf7, 0x20, 0xb5, 0x6c, 0x22, 0xca, 0xe9, 0x86, 0xc5, 0x4b, 0x5d, 0xcf, 0x83, 0xaf, 0x4f, - 0xc6, 0xb0, 0x0c, 0xb3, 0xeb, 0xd0, 0x99, 0x6d, 0xad, 0xf7, 0x26, 0x6f, 0x09, 0x2f, 0x87, 0xb8, - 0xe2, 0xb4, 0x32, 0x51, 0x8d, 0xf6, 0xcc, 0x2f, 0x88, 0x97, 0xdc, 0xd7, 0x0c, 0x6b, 0x92, 0xca, - 0xa7, 0x1e, 0xd2, 0xfa, 0x23, 0x3e, 0x81, 0xf6, 0x09, 0xa6, 0x89, 0x8a, 0x3d, 0x48, 0x09, 0x8d, - 0x08, 0x0d, 0xb0, 0x5d, 0xba, 0x05, 0x59, 0xf1, 0x79, 0x05, 0xa4, 0x09, 0x5b, 0x66, 0xa6, 0xed, - 0x8b, 0x93, 0xbc, 0xc7, 0x5d, 0x79, 0x37, 0xe1, 0x44, 0x35, 0x91, 0x8e, 0xd8, 0xd7, 0x0f, 0x95, - 0x92, 0x67, 0x43, 0xac, 0x75, 0x2b, 0x12, 0x49, 0x23, 0x36, 0x11, 0x5d, 0xd3, 0xf2, 0x82, 0xb8, - 0x13, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xae, 0x30, 0x81, 0xab, 0x30, 0x0e, 0x06, 0x03, - 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, - 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 
0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, - 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x31, 0xea, 0x76, 0xa9, 0x23, 0x74, 0xa5, 0xdf, - 0xd4, 0xfd, 0xee, 0xa0, 0xc1, 0xa6, 0x9e, 0xc6, 0x11, 0x0e, 0x11, 0xec, 0x30, 0x1f, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x2b, 0xd0, 0x69, 0x47, 0x94, 0x76, 0x09, - 0xfe, 0xf4, 0x6b, 0x8d, 0x2e, 0x40, 0xa6, 0xf7, 0x47, 0x4d, 0x7f, 0x08, 0x5e, 0x30, 0x36, 0x06, - 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x2f, 0x30, 0x2d, 0x30, 0x2b, 0xa0, 0x29, 0xa0, 0x27, 0x86, 0x25, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x72, 0x6f, 0x6f, - 0x74, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x10, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, - 0x06, 0x02, 0x03, 0x04, 0x02, 0x05, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8d, 0x65, 0x84, 0xd1, 0xff, - 0x3b, 0x3d, 0x27, 0x62, 0x90, 0x15, 0xf6, 0x59, 0xce, 0x3b, 0xc9, 0xc2, 0xff, 0x9c, 0x45, 0x3c, - 0x8f, 0xc6, 0xf9, 0x44, 0x87, 0xcb, 0xfd, 0xe0, 0x79, 0x36, 0x20, 0x2d, 0x1e, 0xf7, 0x2a, 0xca, - 0x09, 0x4d, 0x28, 0xf4, 0xfe, 0xbf, 0x30, 0x13, 0xc1, 0x91, 0x76, 0x59, 0x19, 0x8a, 0xc0, 0x4c, - 0x99, 0xef, 0x5a, 0xf5, 0xbd, 0x8e, 0x87, 0x93, 0x70, 0x3b, 0x9c, 0xcc, 0x16, 0x74, 0x49, 0x55, - 0x65, 0x3a, 0xf5, 0x5b, 0x6a, 0xca, 0x17, 0x2b, 0xe7, 0x9d, 0x28, 0x93, 0x98, 0xa0, 0x67, 0x34, - 0x1a, 0xe2, 0xe9, 0x96, 0x0d, 0x47, 0xef, 0xc8, 0x9c, 0x37, 0xe4, 0xd3, 0xda, 0xf5, 0xa1, 0xd8, - 0x42, 0xeb, 0xbd, 0x51, 0x16, 0x03, 0x35, 0x94, 0x1d, 0x5a, 0x31, 0x42, 0x3d, 0x78, 0x81, 0xfe, - 0x4f, 0xa2, 0xbf, 0x3a, 0xbc, 0x78, 0x09, 0xe4, 0xcb, 0x28, 0x6e, 0x66, 0x4f, 0xe9, 0x4f, 0xb7, - 0xb5, 0xd2, 0xa2, 0x3d, 0x19, 0xb1, 0x23, 0x1d, 0x3f, 0x66, 0x93, 0xb2, 0x51, 0xc3, 0x00, 0x3b, - 0x92, 0xaa, 0xe3, 0xfd, 0x2c, 0x17, 0x22, 0xd9, 0x40, 0x94, 0x28, 0x30, 0x08, 
0x54, 0xf8, 0x29,
- 0x2a, 0xd5, 0xae, 0xed, 0x77, 0xc3, 0xd4, 0x80, 0x32, 0xa0, 0xc2, 0x67, 0xa3, 0x61, 0xd1, 0xb1,
- 0x67, 0x99, 0x5a, 0x05, 0xd7, 0xbb, 0x5d, 0x25, 0x55, 0xbc, 0x16, 0xfd, 0x0e, 0x4e, 0x86, 0x6a,
- 0x9e, 0x90, 0x9d, 0xc8, 0x34, 0x80, 0x01, 0xf4, 0x2b, 0x50, 0x52, 0xea, 0x46, 0x33, 0x20, 0x54,
- 0xb8, 0x7b, 0x23, 0xce, 0x4d, 0x45, 0x32, 0x2e, 0x66, 0x5b, 0x1d, 0x8c, 0xd9, 0x16, 0xca, 0x6c,
- 0xad, 0x83, 0xdd, 0x04, 0xcf, 0xb6, 0x51, 0x8d, 0xa3, 0xb6, 0xa1, 0x37, 0xa8, 0xa9, 0x8b, 0x94,
- 0xb6, 0xc4, 0xc0, 0x5a, 0x2e, 0xf8, 0xd4, 0xa3, 0x28, 0x9d, 0xaa,
-
-
-};
-
-
-static void tests(void)
-{
- SecTrustResultType trustResult = kSecTrustResultProceed;
- SecPolicyRef policy = NULL;
- SecTrustRef trust = NULL;
- CFArrayRef certs = NULL;
- CFDateRef date = NULL;
-
- CFDataRef appleid_record_signing_cert_data = NULL;
- isnt(appleid_record_signing_cert_data = CFDataCreate(kCFAllocatorDefault, kLeafCert, sizeof(kLeafCert)),
- NULL, "Get the AppleID Record Signing Leaf Certificate Data");
-
- SecCertificateRef appleid_record_signing_cert = NULL;
- isnt(appleid_record_signing_cert = SecCertificateCreateWithData(kCFAllocatorDefault, appleid_record_signing_cert_data),
- NULL, "Get the AppleID Record Signing Leaf Certificate Data");
-
- CFDataRef appleid_intermediate_cert_data = NULL;
- isnt(appleid_intermediate_cert_data = CFDataCreate(kCFAllocatorDefault, kIntermediateCert, sizeof(kIntermediateCert)),
- NULL, "Get the AppleID Intermediate Certificate Data");
-
- SecCertificateRef appleid_intermediate_cert = NULL;
- isnt(appleid_intermediate_cert = SecCertificateCreateWithData(kCFAllocatorDefault, appleid_intermediate_cert_data),
- NULL, "Get the AppleID Intermediate Certificate");
-
- SecCertificateRef certs_to_use[] = {appleid_record_signing_cert, appleid_intermediate_cert};
-
- certs = CFArrayCreate(NULL, (const void **)certs_to_use, 2, NULL);
-
- isnt(policy = SecPolicyCreateAppleIDValidationRecordSigningPolicy(),
- NULL, "Create AppleID Record signing
policy SecPolicyRef"); - - ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), - "Create AppleID record signing leaf"); - - isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 20, 12, 0, 0), NULL, "Create verify date"); - ok_status(SecTrustSetVerifyDate(trust, date), "Set date"); - CFReleaseSafe(date); - - ok_status(SecTrustEvaluate(trust, &trustResult), "Evaluate trust for AppleID record signing policy"); - - is_status(trustResult, kSecTrustResultUnspecified, - "Trust is kSecTrustResultUnspecified AppleID record signing leaf"); - - CFReleaseSafe(trust); - CFReleaseSafe(policy); - CFReleaseSafe(certs); - CFReleaseSafe(appleid_record_signing_cert); - CFReleaseSafe(appleid_intermediate_cert_data); - CFReleaseSafe(appleid_record_signing_cert_data); -} - - -int si_75_AppleIDRecordSigning(int argc, char *const *argv) -{ - plan_tests(10); - tests(); - return 0; -} diff --git a/OSX/sec/Security/Regressions/secitem/si-76-shared-credentials.c b/OSX/sec/Security/Regressions/secitem/si-76-shared-credentials.c index 368854f7..9e10fffb 100644 --- a/OSX/sec/Security/Regressions/secitem/si-76-shared-credentials.c +++ b/OSX/sec/Security/Regressions/secitem/si-76-shared-credentials.c @@ -24,7 +24,7 @@ #include "Security_regressions.h" -#if !TARGET_OS_WATCH +#if !TARGET_OS_WATCH && !TARGET_OS_TV #define WAIT_WHILE(X) { while ((X)) { (void)CFRunLoopRunInMode(kCFRunLoopDefaultMode, 0.1, TRUE); } } @@ -161,7 +161,7 @@ static void tests(void) int si_76_shared_credentials(int argc, char *const *argv) { -#if !TARGET_OS_WATCH +#if !TARGET_OS_WATCH && !TARGET_OS_TV plan_tests(12); tests(); #else diff --git a/OSX/sec/Security/Regressions/secitem/si-79-smp-cert-policy.c b/OSX/sec/Security/Regressions/secitem/si-79-smp-cert-policy.c deleted file mode 100644 index f0f0d916..00000000 --- a/OSX/sec/Security/Regressions/secitem/si-79-smp-cert-policy.c +++ /dev/null 
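Review bot: The platform guard introduced by both hunks, `#if !TARGET_OS_WATCH && !TARGET_OS_TV`, is now duplicated around the test body and around the `si_76_shared_credentials` runner, and the two copies have to be edited in lockstep: if one drifts, the runner either calls a `tests()` that was never compiled or silently skips the case on a platform that should exercise it. I would define the condition once next to the include, `#define SI76_SHARED_CREDENTIALS_SUPPORTED (!TARGET_OS_WATCH && !TARGET_OS_TV)`, and use `#if SI76_SHARED_CREDENTIALS_SUPPORTED` in both places. The commit also gives no reason for excluding tvOS; a one-line comment on the guard saying why the shared-credential test cannot run there (presumably the API is unavailable on that platform, which the diff alone does not confirm) would keep the next reader from re-enabling it by accident. The `tests()` body and the `#else` branch of the runner lie outside these hunks.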
@@ -1,410 +0,0 @@ -/* - * si-79-smp-cert-policy.c - * Security - * - * Copyright (c) 2014 Apple Inc. All Rights Reserved. - * - */ - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecCertificate.h> -#include <Security/SecCertificatePriv.h> -#include <Security/SecCertificateInternal.h> -#include <Security/SecItem.h> -#include <Security/SecItemPriv.h> -#include <Security/SecIdentityPriv.h> -#include <Security/SecIdentity.h> -#include <Security/SecPolicy.h> -#include <Security/SecPolicyPriv.h> -#include <Security/SecPolicyInternal.h> -#include <Security/SecCMS.h> -#include <utilities/SecCFWrappers.h> -#include <stdlib.h> -#include <unistd.h> - -#include "Security_regressions.h" - -#if TARGET_OS_IPHONE - -static const UInt8 kTestAppleRootCAECCCert[] = { - 0x30,0x82,0x02,0x27,0x30,0x82,0x01,0xCD,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x59, - 0xD1,0xEC,0x10,0x92,0x41,0xC7,0xC4,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 0x04,0x03,0x02,0x30,0x67,0x31,0x21,0x30,0x1F,0x06,0x03,0x55,0x04,0x03,0x0C,0x18, - 0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20, - 0x43,0x41,0x20,0x2D,0x20,0x45,0x43,0x43,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04, - 0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, - 0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03, - 0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31, - 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D, - 0x31,0x34,0x30,0x31,0x33,0x31,0x32,0x31,0x34,0x36,0x34,0x36,0x5A,0x17,0x0D,0x33, - 0x34,0x30,0x31,0x32,0x36,0x32,0x31,0x34,0x36,0x34,0x36,0x5A,0x30,0x67,0x31,0x21, - 0x30,0x1F,0x06,0x03,0x55,0x04,0x03,0x0C,0x18,0x54,0x65,0x73,0x74,0x20,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,0x45,0x43, - 0x43,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74, - 
0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72, - 0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D, - 0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00,0x04, - 0x7B,0x38,0x10,0xD0,0x0A,0xA3,0x1B,0x7C,0x1D,0x24,0xFB,0x39,0xD6,0x6B,0x1C,0x0A, - 0x97,0x48,0x30,0xFF,0x4C,0x70,0x49,0x3D,0x21,0x66,0x4F,0xF5,0x89,0x00,0xAF,0x93, - 0xEF,0x74,0x9A,0xE8,0x4C,0x27,0x3D,0xBE,0x95,0x50,0x52,0x3D,0x53,0x90,0xF3,0x32, - 0xAB,0x83,0xB6,0x5E,0x73,0xC8,0xE7,0x17,0x8B,0x18,0x09,0x93,0x9F,0x97,0xD5,0x16, - 0xA3,0x63,0x30,0x61,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD2, - 0x47,0xE2,0xC5,0x34,0x71,0xC6,0x10,0x8D,0x93,0xEE,0x04,0x43,0x1F,0xE1,0x1B,0x0F, - 0xE1,0xCD,0x11,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30, - 0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80, - 0x14,0xD2,0x47,0xE2,0xC5,0x34,0x71,0xC6,0x10,0x8D,0x93,0xEE,0x04,0x43,0x1F,0xE1, - 0x1B,0x0F,0xE1,0xCD,0x11,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04, - 0x04,0x03,0x02,0x01,0x06,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03, - 0x02,0x03,0x48,0x00,0x30,0x45,0x02,0x21,0x00,0xDC,0x06,0x2B,0x72,0x87,0x20,0xEC, - 0xF7,0xDC,0xC8,0xF2,0xF8,0x89,0x0A,0x57,0x63,0x9A,0x92,0x4A,0x84,0x6E,0xDD,0x17, - 0x50,0xEE,0x6F,0x01,0x4C,0xA1,0xA0,0x74,0xD1,0x02,0x20,0x1F,0x35,0x7A,0xB5,0x0B, - 0x79,0x80,0xD4,0x9C,0x9F,0x31,0xDC,0x36,0x1C,0xC6,0xFD,0x65,0x72,0x40,0x67,0xBA, - 0xFC,0x6F,0x59,0x5E,0xEF,0xEA,0x5E,0x87,0xAC,0x30,0x0D, -}; - -static const UInt8 kTestAppleSystemIntegrationCAECCCert[] = { - 0x30,0x82,0x02,0xD8,0x30,0x82,0x02,0x7F,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x63, - 0x70,0x58,0xB8,0xE5,0xC6,0x5A,0x1E,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 
0x04,0x03,0x02,0x30,0x67,0x31,0x21,0x30,0x1F,0x06,0x03,0x55,0x04,0x03,0x0C,0x18, - 0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20, - 0x43,0x41,0x20,0x2D,0x20,0x45,0x43,0x43,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04, - 0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, - 0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03, - 0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31, - 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D, - 0x31,0x34,0x30,0x32,0x30,0x36,0x31,0x36,0x32,0x36,0x34,0x37,0x5A,0x17,0x0D,0x32, - 0x34,0x30,0x32,0x30,0x34,0x31,0x36,0x32,0x36,0x34,0x37,0x5A,0x30,0x75,0x31,0x2F, - 0x30,0x2D,0x06,0x03,0x55,0x04,0x03,0x0C,0x26,0x54,0x65,0x73,0x74,0x20,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x20,0x49,0x6E,0x74,0x65,0x67, - 0x72,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x41,0x20,0x2D,0x20,0x45,0x43,0x43,0x31, - 0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74, - 0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C, - 0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01, - 0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00,0x04,0x51,0xB4, - 0x48,0x6D,0x6B,0xB1,0xD2,0x48,0xE0,0x04,0x32,0x5E,0xA2,0x91,0xFF,0x86,0x21,0xE2, - 0x20,0x09,0xCE,0x46,0x7E,0xC2,0x10,0xAA,0x20,0x8A,0x47,0xF4,0x59,0x71,0xC2,0x69, - 0xBD,0xFE,0xF4,0xB8,0xEC,0xCB,0xDF,0x45,0x06,0x9B,0x64,0x3A,0x98,0x60,0x08,0x16, - 0xB8,0x87,0xF4,0x9E,0x6E,0xC5,0xBF,0x14,0xA9,0xB0,0x40,0x6B,0xD1,0x0B,0xA3,0x82, - 0x01,0x05,0x30,0x82,0x01,0x01,0x30,0x54,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, - 0x01,0x01,0x04,0x48,0x30,0x46,0x30,0x44,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, - 
0x30,0x01,0x86,0x38,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2D, - 0x75,0x61,0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63, - 0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70,0x30,0x34,0x2D,0x74,0x65,0x73,0x74,0x61,0x70, - 0x70,0x6C,0x65,0x72,0x6F,0x6F,0x74,0x63,0x61,0x65,0x63,0x63,0x30,0x1D,0x06,0x03, - 0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xA3,0x46,0x13,0xFE,0x94,0x7F,0xE0,0xA2,0x8F, - 0x16,0xF0,0xF8,0x1E,0x9B,0x8B,0x14,0x84,0x70,0x59,0xF9,0x30,0x12,0x06,0x03,0x55, - 0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x00,0x30, - 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xD2,0x47,0xE2,0xC5, - 0x34,0x71,0xC6,0x10,0x8D,0x93,0xEE,0x04,0x43,0x1F,0xE1,0x1B,0x0F,0xE1,0xCD,0x11, - 0x30,0x45,0x06,0x03,0x55,0x1D,0x1F,0x04,0x3E,0x30,0x3C,0x30,0x3A,0xA0,0x38,0xA0, - 0x36,0x86,0x34,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61, - 0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, - 0x2F,0x74,0x65,0x73,0x74,0x61,0x70,0x70,0x6C,0x65,0x72,0x6F,0x6F,0x74,0x63,0x61, - 0x65,0x63,0x63,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01, - 0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 0x04,0x03,0x02,0x03,0x47,0x00,0x30,0x44,0x02,0x20,0x6A,0x68,0x3F,0x95,0xCA,0x35, - 0xD2,0xB6,0x46,0xF5,0x34,0xA2,0xF4,0x1A,0x8C,0x15,0x6D,0xC6,0x7E,0x88,0x95,0x9E, - 0x55,0x8E,0x8F,0x78,0x65,0x9D,0x5B,0x70,0x63,0x45,0x02,0x20,0x1B,0x45,0x91,0x33, - 0xF1,0x6E,0x7B,0xC1,0x0D,0x2E,0xF0,0x33,0xB3,0xFF,0xC3,0x1F,0xAC,0x6F,0xAB,0xFC, - 0x67,0xB6,0x1B,0x57,0xAF,0x88,0xA6,0xCF,0xA7,0x4F,0x20,0x06, -}; - -static const UInt8 kTestSMPCert[] = { - 0x30,0x82,0x02,0xC4,0x30,0x82,0x02,0x6B,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x4B, - 0x62,0x72,0xF1,0xCD,0xCE,0xBA,0x8D,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 0x04,0x03,0x02,0x30,0x75,0x31,0x2F,0x30,0x2D,0x06,0x03,0x55,0x04,0x03,0x0C,0x26, - 
0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x79,0x73,0x74,0x65, - 0x6D,0x20,0x49,0x6E,0x74,0x65,0x67,0x72,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x41, - 0x20,0x2D,0x20,0x45,0x43,0x43,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C, - 0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, - 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, - 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, - 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x34, - 0x30,0x32,0x30,0x36,0x31,0x36,0x34,0x35,0x35,0x35,0x5A,0x17,0x0D,0x31,0x36,0x30, - 0x32,0x30,0x36,0x31,0x36,0x34,0x35,0x35,0x35,0x5A,0x30,0x70,0x31,0x32,0x30,0x30, - 0x06,0x03,0x55,0x04,0x03,0x0C,0x29,0x54,0x65,0x73,0x74,0x20,0x45,0x43,0x43,0x20, - 0x43,0x72,0x79,0x70,0x74,0x6F,0x20,0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x73,0x20, - 0x45,0x6E,0x63,0x69,0x70,0x68,0x65,0x72,0x6D,0x65,0x6E,0x74,0x20,0x55,0x43,0x35, - 0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,0x0B,0x0C,0x0F,0x43,0x72,0x79,0x70,0x74, - 0x6F,0x20,0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x73,0x31,0x13,0x30,0x11,0x06,0x03, - 0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31, - 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x59,0x30,0x13, - 0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 0x03,0x01,0x07,0x03,0x42,0x00,0x04,0xAC,0xB8,0x3A,0x1B,0x4E,0x15,0x87,0xDD,0xCF, - 0xCD,0x21,0x30,0x23,0x28,0xF2,0x86,0x10,0x28,0x7C,0xF3,0x65,0x39,0xCD,0xFD,0x30, - 0xB5,0x61,0x71,0xE0,0x59,0x20,0xB7,0xC0,0x59,0x24,0xF9,0x7F,0x75,0xBB,0xD5,0x30, - 0xC0,0x25,0x52,0xE2,0x13,0xF1,0x0B,0x4D,0x50,0xC4,0x46,0x57,0x6A,0x13,0x69,0xC9, - 0x82,0x8A,0xA9,0x21,0x24,0xD5,0x92,0xA3,0x81,0xE9,0x30,0x81,0xE6,0x30,0x4E,0x06, - 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x42,0x30,0x40,0x30,0x3E,0x06, - 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x32,0x68,0x74,0x74,0x70,0x3A, - 
0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2D,0x75,0x61,0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E, - 0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70,0x30,0x34, - 0x2D,0x74,0x65,0x73,0x74,0x61,0x73,0x69,0x63,0x61,0x65,0x63,0x63,0x30,0x1D,0x06, - 0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x73,0x0B,0x8A,0xF4,0xFA,0xA2,0xC9,0x6F, - 0xAC,0x2E,0x9C,0xCC,0xE9,0xFE,0xBD,0xA6,0xE2,0xF0,0xC0,0xFF,0x30,0x0C,0x06,0x03, - 0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06,0x03,0x55,0x1D, - 0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xA3,0x46,0x13,0xFE,0x94,0x7F,0xE0,0xA2,0x8F, - 0x16,0xF0,0xF8,0x1E,0x9B,0x8B,0x14,0x84,0x70,0x59,0xF9,0x30,0x36,0x06,0x03,0x55, - 0x1D,0x1F,0x04,0x2F,0x30,0x2D,0x30,0x2B,0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74, - 0x74,0x70,0x3A,0x2F,0x2F,0x75,0x61,0x74,0x2D,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70, - 0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x73,0x69,0x63,0x61,0x65,0x63,0x63,0x2E, - 0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03, - 0x02,0x03,0x28,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,0x03, - 0x47,0x00,0x30,0x44,0x02,0x20,0x60,0x56,0xC6,0x37,0xB9,0x8B,0x58,0x05,0xF0,0x89, - 0x61,0x61,0xA4,0xB8,0x83,0x5F,0x9E,0xCF,0x6E,0x21,0x6E,0xEF,0xA1,0x89,0x5C,0xB5, - 0x2E,0x6E,0xE1,0x10,0x46,0x4F,0x02,0x20,0x07,0x8D,0xA5,0xD0,0xC8,0x85,0x31,0xF0, - 0x4B,0x2C,0xB5,0x1B,0x96,0xC4,0x5D,0x86,0x85,0xF8,0x1A,0x3A,0x37,0x6B,0xEC,0xD0, - 0x7F,0x45,0x88,0x35,0xD0,0x75,0xDC,0xA2, -}; - -static const UInt8 kAppleSystemIntegrationCAG3Cert[]={ - 0x30,0x82,0x02,0xEB,0x30,0x82,0x02,0x70,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x61, - 0x5A,0xA1,0xA9,0x73,0x3C,0xEB,0x81,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 0x04,0x03,0x02,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20, - 0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70, - 
0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, - 0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03, - 0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31, - 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D, - 0x31,0x34,0x30,0x35,0x30,0x36,0x32,0x33,0x34,0x35,0x31,0x30,0x5A,0x17,0x0D,0x32, - 0x39,0x30,0x35,0x30,0x36,0x32,0x33,0x34,0x35,0x31,0x30,0x5A,0x30,0x75,0x31,0x29, - 0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x0C,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53, - 0x79,0x73,0x74,0x65,0x6D,0x20,0x49,0x6E,0x74,0x65,0x67,0x72,0x61,0x74,0x69,0x6F, - 0x6E,0x20,0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55, - 0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74, - 0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C, - 0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01, - 0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00,0x04,0xD1,0x57, - 0x4C,0x8E,0x38,0xD5,0xF7,0x36,0x28,0x54,0x7D,0x16,0x1A,0xE4,0xF0,0x4F,0x1E,0xB2, - 0xA8,0xC0,0x2F,0x1F,0xE2,0x26,0x69,0x76,0xDF,0x36,0xAB,0xDC,0xED,0xAF,0xA6,0x92, - 0xF2,0x5A,0x4E,0xAF,0x29,0x84,0xAC,0xF1,0x86,0x15,0x04,0x43,0xFA,0x83,0x03,0x03, - 0x58,0xF6,0x5E,0x8F,0xC2,0x22,0x29,0x28,0xF2,0x06,0x18,0x09,0x30,0x79,0xA3,0x81, - 0xF7,0x30,0x81,0xF4,0x30,0x46,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01, - 0x04,0x3A,0x30,0x38,0x30,0x36,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01, - 0x86,0x2A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x61,0x70, - 0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70,0x30,0x34,0x2D,0x61, - 0x70,0x70,0x6C,0x65,0x72,0x6F,0x6F,0x74,0x63,0x61,0x67,0x33,0x30,0x1D,0x06,0x03, - 
0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x26,0x5D,0xAF,0x92,0x3C,0x20,0x98,0x18,0x35, - 0xBE,0x98,0x50,0xA6,0x01,0x5E,0xA7,0xE9,0x21,0x2D,0x79,0x30,0x0F,0x06,0x03,0x55, - 0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03, - 0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xBB,0xB0,0xDE,0xA1,0x58,0x33,0x88, - 0x9A,0xA4,0x8A,0x99,0xDE,0xBE,0xBD,0xEB,0xAF,0xDA,0xCB,0x24,0xAB,0x30,0x37,0x06, - 0x03,0x55,0x1D,0x1F,0x04,0x30,0x30,0x2E,0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26, - 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65, - 0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x72,0x6F,0x6F,0x74,0x63,0x61, - 0x67,0x33,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF, - 0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63, - 0x64,0x06,0x02,0x0D,0x04,0x02,0x05,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE, - 0x3D,0x04,0x03,0x02,0x03,0x69,0x00,0x30,0x66,0x02,0x31,0x00,0xD6,0xB2,0xC3,0xB3, - 0x3D,0xE3,0x30,0xE4,0x7A,0x24,0x62,0x35,0xDA,0xF0,0xB9,0xDC,0x3B,0x66,0x94,0x40, - 0xBA,0x8D,0x43,0xC4,0x2A,0xF5,0xE3,0xA1,0x4A,0x7C,0xD5,0x87,0x24,0xCC,0xEA,0x49, - 0x0E,0xEE,0xAA,0xE4,0x72,0x0D,0x63,0x4F,0x03,0x07,0x6C,0x63,0x02,0x31,0x00,0xFF, - 0xDF,0x24,0x7E,0xA8,0x28,0x02,0x55,0xBF,0xEB,0x8D,0x72,0x1D,0xC9,0x27,0x82,0xA1, - 0x0D,0xB7,0xD5,0x0F,0xAA,0xF2,0xFF,0x49,0xFA,0x3F,0xA4,0xED,0x44,0xEE,0x53,0x76, - 0x89,0x18,0x0A,0x64,0xC6,0x96,0x00,0x47,0x9D,0x40,0x04,0xEF,0x5A,0xAA,0x07, -}; - -static const UInt8 kProdSMPCert[]={ - 0x30,0x82,0x02,0xC6,0x30,0x82,0x02,0x6D,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x52, - 0x6F,0x62,0xEF,0x7A,0x0F,0x39,0x08,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 0x04,0x03,0x02,0x30,0x75,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x0C,0x20, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x79,0x73,0x74,0x65,0x6D,0x20,0x49,0x6E,0x74, - 0x65,0x67,0x72,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x41,0x20,0x2D,0x20,0x47,0x33, - 
0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65, - 0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, - 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, - 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, - 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x34, - 0x30,0x35,0x30,0x38,0x30,0x31,0x32,0x31,0x31,0x34,0x5A,0x17,0x0D,0x31,0x36,0x30, - 0x36,0x30,0x36,0x30,0x31,0x32,0x31,0x31,0x34,0x5A,0x30,0x6C,0x31,0x32,0x30,0x30, - 0x06,0x03,0x55,0x04,0x03,0x0C,0x29,0x65,0x63,0x63,0x2D,0x63,0x72,0x79,0x70,0x74, - 0x6F,0x2D,0x73,0x65,0x72,0x76,0x69,0x63,0x65,0x73,0x2D,0x65,0x6E,0x63,0x69,0x70, - 0x68,0x65,0x72,0x6D,0x65,0x6E,0x74,0x5F,0x55,0x43,0x35,0x2D,0x50,0x52,0x4F,0x44, - 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0B,0x0C,0x0B,0x69,0x4F,0x53,0x20,0x53, - 0x79,0x73,0x74,0x65,0x6D,0x73,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C, - 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06, - 0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86, - 0x48,0xCE,0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03, - 0x42,0x00,0x04,0xBC,0x09,0xB9,0xBA,0x02,0xDA,0x80,0x3F,0x60,0xCC,0xE0,0xEB,0xC6, - 0x16,0x76,0xDE,0x7F,0x40,0x7A,0x52,0x34,0xB8,0x22,0x65,0xB8,0x7A,0x08,0x22,0xD1, - 0x6F,0xF4,0x5A,0x0F,0x69,0xE2,0x31,0x7F,0x83,0x60,0x04,0x0A,0xBF,0x80,0xF7,0x8D, - 0xEB,0x40,0x15,0x84,0xBE,0x65,0x70,0x41,0x22,0xEE,0x63,0x0B,0x04,0x5E,0xB3,0x4F, - 0xD7,0x73,0x0E,0xA3,0x81,0xEF,0x30,0x81,0xEC,0x30,0x45,0x06,0x08,0x2B,0x06,0x01, - 0x05,0x05,0x07,0x01,0x01,0x04,0x39,0x30,0x37,0x30,0x35,0x06,0x08,0x2B,0x06,0x01, - 0x05,0x05,0x07,0x30,0x01,0x86,0x29,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63, - 0x73,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73, - 0x70,0x30,0x34,0x2D,0x61,0x70,0x70,0x6C,0x65,0x73,0x69,0x63,0x61,0x33,0x30,0x31, - 
0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xD2,0xFD,0x1F,0xDD,0x61, - 0xA8,0xE4,0x0E,0x78,0xBD,0xDB,0x60,0xB9,0xCC,0x7A,0x3F,0x46,0x8B,0xF5,0xA4,0x30, - 0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06, - 0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x26,0x5D,0xAF,0x92,0x3C,0x20, - 0x98,0x18,0x35,0xBE,0x98,0x50,0xA6,0x01,0x5E,0xA7,0xE9,0x21,0x2D,0x79,0x30,0x34, - 0x06,0x03,0x55,0x1D,0x1F,0x04,0x2D,0x30,0x2B,0x30,0x29,0xA0,0x27,0xA0,0x25,0x86, - 0x23,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C, - 0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x73,0x69,0x63,0x61,0x33, - 0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04, - 0x03,0x02,0x03,0x28,0x30,0x0F,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06, - 0x1E,0x04,0x02,0x05,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03, - 0x02,0x03,0x47,0x00,0x30,0x44,0x02,0x20,0x33,0x1F,0xB7,0xC0,0x93,0x22,0x9C,0x71, - 0xD8,0x62,0xF1,0x7B,0x72,0xDC,0x97,0x63,0xDF,0xD1,0x3B,0xBF,0xD7,0x8C,0xB0,0xE7, - 0xE0,0xC1,0x6B,0x26,0x6A,0xC4,0xF0,0x14,0x02,0x20,0x20,0xD7,0xD7,0xD1,0x7B,0xAD, - 0x90,0x83,0x23,0xEA,0x34,0x1E,0x0C,0x8F,0x90,0xAB,0x97,0xB1,0x2D,0x06,0xE3,0x30, - 0x56,0x29,0x20,0x94,0x74,0x36,0xFD,0x1B,0x9C,0xD5, -}; - -static void test_smp_cert_policy() -{ - CFDateRef date=NULL; - CFArrayRef policies=NULL; - SecPolicyRef policy=NULL; - SecTrustRef trust=NULL; - SecCertificateRef testCert0=NULL, testCert1=NULL, testRoot=NULL; - SecCertificateRef prodCert0=NULL, prodCert1=NULL; - CFMutableArrayRef testCerts=NULL, prodCerts=NULL; - SecTrustResultType trustResult; - CFIndex chainLen; - - /* Test hierarchy */ - isnt(testCert0 = SecCertificateCreateWithBytes(NULL, kTestSMPCert, sizeof(kTestSMPCert)), - NULL, "create testCert0"); - isnt(testCert1 = SecCertificateCreateWithBytes(NULL, kTestAppleSystemIntegrationCAECCCert, sizeof(kTestAppleSystemIntegrationCAECCCert)), - NULL, "create testCert1"); - 
isnt(testRoot = SecCertificateCreateWithBytes(NULL, kTestAppleRootCAECCCert, sizeof(kTestAppleRootCAECCCert)),
- NULL, "create testRoot");
-
- isnt(testCerts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create test cert array");
- CFArrayAppendValue(testCerts, testCert0);
- CFArrayAppendValue(testCerts, testCert1);
-
- /* Production hierarchy */
- isnt(prodCert0 = SecCertificateCreateWithBytes(NULL, kProdSMPCert, sizeof(kProdSMPCert)),
- NULL, "create prodCert0");
- isnt(prodCert1 = SecCertificateCreateWithBytes(NULL, kAppleSystemIntegrationCAG3Cert, sizeof(kAppleSystemIntegrationCAG3Cert)),
- NULL, "create prodCert1");
-
- isnt(prodCerts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create prod cert array");
- CFArrayAppendValue(prodCerts, prodCert0);
- CFArrayAppendValue(prodCerts, prodCert1);
-
-
- /* Case 1: production policy with production certs (should succeed) */
- isnt(policy = SecPolicyCreateAppleSMPEncryption(), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(prodCerts, policies, &trust),
- "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 4, 11, 12, 0, 0),
- NULL, "create verify date");
- //%%% policy currently doesn't care about expiration dates
- //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
- chainLen = SecTrustGetCertificateCount(trust);
- ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen);
- CFRelease(trust);
- trust = NULL;
-
- /* Case 2: test policy with test certs (should succeed) */
- isnt(policy = SecPolicyCreateTestAppleSMPEncryption(), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(testCerts, policies, &trust),
- "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 4, 11, 12, 0, 0),
- NULL, "create verify date");
- //%%% policy currently doesn't care about expiration dates
- //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
- chainLen = SecTrustGetCertificateCount(trust);
- ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen);
- CFRelease(trust);
- trust = NULL;
-
- /* Case 3: production policy with test certs (should fail) */
- isnt(policy = SecPolicyCreateAppleSMPEncryption(), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(testCerts, policies, &trust),
- "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 4, 11, 12, 0, 0),
- NULL, "create verify date");
- //%%% policy currently doesn't care about expiration dates
- //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
- (int)trustResult);
- CFRelease(trust);
- trust = NULL;
-
- /* Case 4: test policy with production certs (should fail) */
- isnt(policy = SecPolicyCreateTestAppleSMPEncryption(), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(prodCerts, policies, &trust),
- "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 4, 11, 12, 0, 0),
- NULL, "create verify date");
- //%%% policy currently doesn't care about expiration dates
- //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
- (int)trustResult);
- CFRelease(trust);
- trust = NULL;
-
- CFReleaseSafe(testCert0);
- CFReleaseSafe(testCert1);
- CFReleaseSafe(testRoot);
- CFReleaseSafe(prodCert0);
- CFReleaseSafe(prodCert1);
-
- CFReleaseSafe(testCerts);
- CFReleaseSafe(prodCerts);
-}
-
-static void tests(void)
-{
- test_smp_cert_policy();
-}
-
-int si_79_smp_cert_policy(int argc, char *const *argv)
-{
- plan_tests(29);
-
- tests();
-
- return 0;
-}
-
-#endif
diff --git a/OSX/sec/Security/Regressions/secitem/si-81-sectrust-appletv.c b/OSX/sec/Security/Regressions/secitem/si-81-sectrust-appletv.c
deleted file mode 100644
index 01f1f1a6..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-81-sectrust-appletv.c
+++ /dev/null
@@ -1,558 +0,0 @@
-/*
- * si-81-sectrust-appletv.c
- * Security
- *
- * Copyright (c) 2015 Apple Inc. All Rights Reserved.
- *
- */
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/SecCertificate.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecCertificateInternal.h>
-#include <Security/SecItem.h>
-#include <Security/SecItemPriv.h>
-#include <Security/SecIdentityPriv.h>
-#include <Security/SecIdentity.h>
-#include <Security/SecPolicy.h>
-#include <Security/SecPolicyPriv.h>
-#include <Security/SecPolicyInternal.h>
-#include <Security/SecCMS.h>
-#include <utilities/SecCFWrappers.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include "Security_regressions.h"
-
-static const UInt8 kTestAppleTVOSAppSigLeaf[] = {
- 0x30, 0x82, 0x05, 0x5f, 0x30, 0x82, 0x04, 0x47, 0xa0, 0x03, 0x02, 0x01,
- 0x02, 0x02, 0x08, 0x34, 0xc4, 0xe1, 0x74, 0xfd, 0x82, 0xed, 0x21, 0x30,
- 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
- 0x05, 0x00, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
- 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
- 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49,
- 0x6e, 0x63, 0x2e, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 0x0b,
- 0x0c, 0x23, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c,
- 0x64, 0x77, 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f,
- 0x70, 0x65, 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e,
- 0x73, 0x31, 0x44, 0x30, 0x42, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x3b,
- 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x77,
- 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65,
- 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20,
- 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
- 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30,
- 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x36, 0x32, 0x36,
0x32, 0x32, 0x34, - 0x30, 0x31, 0x37, 0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x32, 0x30, 0x37, - 0x32, 0x31, 0x34, 0x38, 0x34, 0x37, 0x5a, 0x30, 0x4b, 0x31, 0x27, 0x30, - 0x25, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1e, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x20, 0x54, 0x56, 0x4f, 0x53, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, - 0x6e, 0x67, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, - 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, - 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x8f, 0xd0, - 0x2b, 0xfb, 0x04, 0x41, 0x7e, 0xef, 0x73, 0xf1, 0x86, 0x5b, 0xce, 0xe8, - 0x0d, 0xb5, 0xec, 0x5f, 0xd9, 0x24, 0x49, 0x6d, 0x5c, 0x97, 0xeb, 0xb2, - 0xa6, 0xfb, 0x7c, 0x9f, 0xcf, 0xd0, 0x18, 0xfa, 0xa1, 0xdf, 0x9f, 0x4a, - 0x42, 0xc3, 0xc3, 0xd3, 0x46, 0x91, 0x8c, 0x74, 0x3b, 0x6e, 0x54, 0xb8, - 0xe7, 0xec, 0x10, 0x8b, 0xc0, 0x2f, 0xe8, 0x96, 0x86, 0xaa, 0x8b, 0xb7, - 0x8f, 0xee, 0x2a, 0x31, 0xf3, 0xaf, 0x04, 0x77, 0x16, 0x09, 0x9e, 0xf9, - 0x9d, 0x30, 0x74, 0x5d, 0x9e, 0xb1, 0x11, 0x66, 0xef, 0x0d, 0x61, 0x1c, - 0xc2, 0xfe, 0x6b, 0x75, 0x80, 0x0e, 0x42, 0x14, 0x4e, 0xdc, 0x38, 0xfd, - 0x18, 0x22, 0x03, 0xe0, 0x51, 0xbd, 0xd0, 0xf3, 0x52, 0x36, 0xff, 0x83, - 0x90, 0xde, 0xbe, 0x60, 0xec, 0x82, 0x66, 0xad, 0x49, 0x54, 0x71, 0x39, - 0xdd, 0x48, 0xc3, 0x13, 0x99, 0xc2, 0xcc, 0x77, 0x55, 0x5e, 0x48, 0xeb, - 0xee, 0x34, 0x31, 0x04, 0xef, 0x7e, 0xe1, 0x42, 0x54, 0x10, 0xcf, 0x09, - 0x9c, 0x0d, 0xc4, 0x55, 0x3d, 0x30, 0x98, 0x78, 0xfb, 0x38, 0xac, 0xdb, - 0xd8, 0x63, 0x3f, 0x64, 0x07, 0x7f, 0x53, 0x4d, 0xc8, 0xbc, 0x60, 0x3e, - 0x89, 0x49, 0x88, 0x07, 0xb4, 0x80, 0x15, 0xd5, 0xc2, 0x13, 0x8b, 0xff, - 0x0c, 0x90, 0xb6, 0x67, 0x0c, 0xaf, 0xf4, 0xef, 0x5c, 
0x9d, 0xba, 0xf3, - 0x95, 0x5b, 0xd2, 0x9a, 0x7e, 0x80, 0x8d, 0xc9, 0x6f, 0xcd, 0x75, 0xe5, - 0xb6, 0xfb, 0x61, 0x8b, 0x9c, 0x3b, 0xce, 0xc2, 0x4c, 0xba, 0xb7, 0xf6, - 0x48, 0xa6, 0x79, 0x4a, 0x34, 0xf1, 0xe1, 0x47, 0xba, 0x29, 0x5d, 0x04, - 0x26, 0x64, 0xee, 0x5e, 0x8e, 0x0c, 0x9d, 0xa7, 0x05, 0xe3, 0x58, 0xd7, - 0xe4, 0xb5, 0x4e, 0x7b, 0xdc, 0x2a, 0xab, 0xc1, 0xea, 0x82, 0x7d, 0xcb, - 0x93, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xf9, 0x30, 0x82, - 0x01, 0xf5, 0x30, 0x47, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x01, 0x01, 0x04, 0x3b, 0x30, 0x39, 0x30, 0x37, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x2b, 0x68, 0x74, 0x74, 0x70, - 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x61, 0x70, 0x70, 0x6c, - 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x34, - 0x2d, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x77, 0x77, 0x64, 0x72, 0x63, 0x61, - 0x32, 0x30, 0x33, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0x49, 0xaa, 0xae, 0x84, 0x57, 0x14, 0x56, 0x8f, 0x0b, 0xeb, - 0x63, 0x6b, 0x62, 0x75, 0x68, 0xfc, 0x5b, 0x8c, 0x77, 0xa1, 0x30, 0x0c, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, - 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, - 0x14, 0x88, 0x27, 0x17, 0x09, 0xa9, 0xb6, 0x18, 0x60, 0x8b, 0xec, 0xeb, - 0xba, 0xf6, 0x47, 0x59, 0xc5, 0x52, 0x54, 0xa3, 0xb7, 0x30, 0x82, 0x01, - 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x82, 0x01, 0x14, 0x30, 0x82, - 0x01, 0x10, 0x30, 0x82, 0x01, 0x0c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x63, 0x64, 0x05, 0x01, 0x30, 0x81, 0xfe, 0x30, 0x81, 0xc3, 0x06, - 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x81, 0xb6, - 0x0c, 0x81, 0xb3, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, 0x20, - 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x62, 0x79, 0x20, 0x61, - 0x6e, 0x79, 0x20, 0x70, 0x61, 0x72, 0x74, 0x79, 0x20, 
0x61, 0x73, 0x73, - 0x75, 0x6d, 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x61, - 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74, - 0x68, 0x65, 0x6e, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x62, - 0x6c, 0x65, 0x20, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x20, - 0x74, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6f, 0x66, 0x20, - 0x75, 0x73, 0x65, 0x2c, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x20, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, - 0x61, 0x6e, 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, 0x74, 0x69, - 0x63, 0x65, 0x20, 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x73, 0x2e, 0x30, 0x36, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x02, 0x01, 0x16, 0x2a, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, - 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x30, 0x0e, - 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, - 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, - 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x03, 0x03, 0x30, 0x13, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, - 0x64, 0x06, 0x01, 0x18, 0x01, 0x01, 0xff, 0x04, 0x02, 0x05, 0x00, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x9c, 0x07, 0xde, 0xde, 0xc2, - 0xfc, 0x6c, 0x94, 0xb1, 0x1a, 0x6a, 0x38, 0x75, 0xe0, 0x74, 0x70, 0xe9, - 0x9d, 0x47, 0xd6, 0xde, 0xcd, 0xd0, 0xdb, 0xed, 0x2f, 0x50, 0xfa, 0x0d, - 0xe3, 0xb9, 0x3d, 0x36, 0xc9, 0x4b, 0xee, 0x4e, 0xc4, 0x83, 0xb9, 0x7d, - 0x40, 0x01, 0x92, 0x3f, 0x18, 0x8a, 0x19, 0xe8, 0xac, 
0x5d, 0xb1, 0xc1, - 0xd2, 0x30, 0x98, 0x85, 0x28, 0x91, 0x0c, 0x92, 0x71, 0x79, 0xec, 0x4b, - 0x51, 0xcc, 0xdf, 0x99, 0x71, 0x87, 0x04, 0x60, 0x09, 0x3e, 0xfa, 0x56, - 0x9f, 0x99, 0xa3, 0xef, 0x0c, 0x02, 0xd2, 0xdf, 0xcf, 0x18, 0xf2, 0x34, - 0x6e, 0x93, 0xd0, 0x0e, 0x81, 0xe4, 0x4e, 0x37, 0x7b, 0x1d, 0xe7, 0x8c, - 0xa6, 0x71, 0x6d, 0x95, 0x66, 0x7d, 0xc0, 0x80, 0x74, 0x71, 0xe1, 0xd7, - 0x97, 0x35, 0x9b, 0x26, 0xe9, 0x84, 0x4a, 0x96, 0x30, 0xfc, 0xf1, 0x26, - 0x23, 0x1d, 0xec, 0x71, 0x2f, 0x39, 0x40, 0x14, 0xaf, 0x34, 0x0e, 0x85, - 0x3c, 0xd0, 0x9e, 0x8d, 0x4e, 0xf8, 0x04, 0x0a, 0xc2, 0x3f, 0x44, 0x7d, - 0x19, 0x2d, 0xe7, 0xc0, 0xf1, 0xce, 0xa9, 0x2f, 0x6c, 0x79, 0xbd, 0x65, - 0x69, 0x3e, 0xf6, 0x76, 0x59, 0xeb, 0x70, 0x0c, 0xaf, 0x04, 0x44, 0x82, - 0x02, 0x15, 0x24, 0x3e, 0xc3, 0xe0, 0x9e, 0x5d, 0xa0, 0xe3, 0x66, 0x72, - 0x59, 0x6e, 0x51, 0x41, 0xd6, 0x72, 0xdd, 0x4d, 0xca, 0x96, 0xb0, 0x1a, - 0xc1, 0x47, 0x5a, 0xef, 0xc9, 0xc4, 0x11, 0x11, 0x7a, 0xec, 0x9c, 0x1c, - 0x12, 0x19, 0x72, 0xb8, 0xc3, 0x98, 0x3e, 0x3b, 0xe7, 0x4a, 0x3f, 0xb8, - 0x48, 0x40, 0xd6, 0x68, 0xa9, 0xce, 0x07, 0xe7, 0x0e, 0x5e, 0x56, 0x33, - 0xf8, 0xb0, 0x4c, 0xc2, 0xb6, 0x25, 0xcc, 0x5f, 0xbd, 0xdb, 0xe5, 0x78, - 0xb6, 0x5f, 0x99, 0x3e, 0xdc, 0xaf, 0x20, 0x3d, 0x5a, 0x0f, 0x13 -}; - -static const UInt8 kTestAppleTVOSAppSigTestLeaf[] = { - 0x30, 0x82, 0x05, 0x52, 0x30, 0x82, 0x04, 0x3a, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x29, 0x7b, 0x51, 0x36, 0x47, 0xa4, 0x6f, 0x23, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x0c, 0x23, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c, - 0x64, 0x77, 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f, - 
0x70, 0x65, 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x31, 0x44, 0x30, 0x42, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x3b, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x77, - 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, - 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, - 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x32, 0x30, 0x36, 0x32, 0x33, 0x35, - 0x33, 0x31, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x32, 0x30, 0x37, - 0x32, 0x31, 0x34, 0x38, 0x34, 0x37, 0x5a, 0x30, 0x55, 0x31, 0x31, 0x30, - 0x2f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x28, 0x54, 0x45, 0x53, 0x54, - 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x54, 0x56, 0x4f, 0x53, 0x20, - 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, - 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x54, 0x45, 0x53, 0x54, - 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, - 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, - 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, - 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc9, 0x74, 0x71, 0x4a, 0x58, - 0x65, 0xdf, 0x19, 0x27, 0x08, 0x97, 0x9b, 0xf3, 0x12, 0x14, 0x8e, 0xa2, - 0xd0, 0xa2, 0x1e, 0x1d, 0x46, 0xae, 0xdf, 0xc4, 0xef, 0x57, 0xc0, 0x82, - 0x5f, 0xb9, 0xe5, 0x63, 0x53, 0x57, 0xad, 0xaa, 0x32, 0x84, 0x6f, 0xbe, - 0xdf, 0x65, 0x1f, 0x73, 0x0a, 0x85, 0x55, 0x3a, 0xb3, 0xcf, 0x43, 0x02, - 0x18, 0xe4, 0xad, 0x04, 0xa0, 0x83, 0x89, 0x3d, 0x6f, 0xfa, 0xdf, 0xb3, - 0x82, 0xa2, 0xb2, 0x6d, 0x46, 0x63, 0x4d, 0x88, 0x0a, 0xe7, 0x96, 0x68, - 0x3b, 0x6f, 0x96, 0xf8, 0xa9, 0x92, 0x18, 0x15, 0x0d, 0xf4, 0xe9, 0x44, - 
0xf5, 0x62, 0xf1, 0x50, 0x4d, 0x86, 0x60, 0x5b, 0x89, 0x72, 0x3c, 0x53, - 0x8a, 0xda, 0x3a, 0x4f, 0x1d, 0x58, 0x1a, 0xc2, 0xaf, 0x46, 0x0c, 0x6d, - 0x53, 0x6d, 0xa3, 0x4d, 0x36, 0xa0, 0xfe, 0x54, 0xc6, 0xdd, 0x94, 0x01, - 0x43, 0xc1, 0xdf, 0x62, 0xd2, 0x2e, 0x76, 0x96, 0x10, 0x29, 0x30, 0x4f, - 0x51, 0x35, 0x5d, 0x5f, 0x10, 0x32, 0x0f, 0xec, 0xad, 0xd0, 0x0a, 0xc1, - 0xde, 0x7f, 0x7d, 0xcc, 0xa7, 0x4b, 0x67, 0x5e, 0x97, 0xbf, 0x45, 0x9f, - 0x0b, 0x68, 0x93, 0x0b, 0x42, 0x7b, 0x49, 0xf9, 0xda, 0x3d, 0xa3, 0x5e, - 0x22, 0x6b, 0x48, 0x2d, 0x86, 0x96, 0x25, 0xc1, 0x78, 0x11, 0xad, 0x7f, - 0x70, 0x43, 0x49, 0x05, 0x8d, 0x59, 0xe2, 0x80, 0x51, 0x79, 0x58, 0x5c, - 0xfb, 0x75, 0x6c, 0xa0, 0x7f, 0x62, 0xf5, 0x7d, 0xc1, 0xe7, 0xf8, 0x06, - 0x85, 0x9f, 0xb3, 0xaa, 0x90, 0x98, 0x53, 0x8d, 0x7b, 0x40, 0x04, 0x71, - 0xf4, 0xa4, 0xce, 0xa0, 0x20, 0x3d, 0x77, 0x32, 0xf5, 0x94, 0x20, 0x54, - 0xa2, 0xe2, 0x98, 0x8c, 0x38, 0x63, 0x94, 0xe5, 0x73, 0xa1, 0xcc, 0xcc, - 0xe4, 0x11, 0x34, 0xfb, 0xff, 0x41, 0x63, 0x2c, 0x39, 0xaf, 0x39, 0x02, - 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xe2, 0x30, 0x82, 0x01, 0xde, - 0x30, 0x47, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, - 0x04, 0x3b, 0x30, 0x39, 0x30, 0x37, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x30, 0x01, 0x86, 0x2b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, - 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x34, 0x2d, 0x61, - 0x70, 0x70, 0x6c, 0x65, 0x77, 0x77, 0x64, 0x72, 0x63, 0x61, 0x32, 0x30, - 0x34, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x0a, 0x14, 0xfb, 0x9f, 0x6f, 0x4e, 0x79, 0xc0, 0xbb, 0xc8, 0xa5, 0x35, - 0xeb, 0x06, 0x6a, 0xe7, 0x45, 0x6a, 0x61, 0xad, 0x30, 0x0c, 0x06, 0x03, - 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f, - 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x88, - 0x27, 0x17, 0x09, 0xa9, 0xb6, 0x18, 0x60, 0x8b, 0xec, 0xeb, 0xba, 0xf6, - 
0x47, 0x59, 0xc5, 0x52, 0x54, 0xa3, 0xb7, 0x30, 0x82, 0x01, 0x1d, 0x06, - 0x03, 0x55, 0x1d, 0x20, 0x04, 0x82, 0x01, 0x14, 0x30, 0x82, 0x01, 0x10, - 0x30, 0x82, 0x01, 0x0c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, - 0x64, 0x05, 0x01, 0x30, 0x81, 0xfe, 0x30, 0x81, 0xc3, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x81, 0xb6, 0x0c, 0x81, - 0xb3, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x6e, - 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x62, 0x79, 0x20, 0x61, 0x6e, 0x79, - 0x20, 0x70, 0x61, 0x72, 0x74, 0x79, 0x20, 0x61, 0x73, 0x73, 0x75, 0x6d, - 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x61, 0x6e, 0x63, - 0x65, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74, 0x68, 0x65, - 0x6e, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x62, 0x6c, 0x65, - 0x20, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x20, 0x74, 0x65, - 0x72, 0x6d, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x6f, 0x6e, 0x64, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6f, 0x66, 0x20, 0x75, 0x73, - 0x65, 0x2c, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x20, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x61, 0x6e, - 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, 0x74, 0x69, 0x63, 0x65, - 0x20, 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, - 0x30, 0x36, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, - 0x16, 0x2a, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, - 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x61, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x30, 0x0e, 0x06, 0x03, - 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, - 0x30, 0x14, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x06, - 
0x01, 0x18, 0x01, 0x01, 0x01, 0xff, 0x04, 0x02, 0x05, 0x00, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x58, 0xef, 0x32, 0x6c, 0x48, 0x29, - 0xfa, 0x5e, 0x5e, 0x32, 0xa6, 0xbe, 0xe4, 0xd2, 0x3e, 0x72, 0xcf, 0xb9, - 0x74, 0x62, 0x84, 0x90, 0xa1, 0x5f, 0xbb, 0xd3, 0x3d, 0x67, 0x19, 0xf4, - 0x1b, 0xa1, 0x31, 0x38, 0xe0, 0xdb, 0xe4, 0x14, 0x6d, 0x9e, 0x99, 0x34, - 0xd3, 0x53, 0x97, 0xb4, 0xaa, 0x63, 0x61, 0x56, 0xac, 0x1e, 0x70, 0x54, - 0x98, 0x18, 0x2d, 0xc9, 0xa8, 0x31, 0x21, 0x95, 0x64, 0x25, 0xc1, 0x3e, - 0xfa, 0xbb, 0xc8, 0x13, 0x9b, 0x0c, 0xa5, 0xa5, 0xc2, 0x8e, 0x4e, 0xad, - 0x25, 0xef, 0xbe, 0x94, 0xe6, 0x0e, 0x91, 0x36, 0x44, 0xad, 0x93, 0x12, - 0x20, 0x3c, 0x3a, 0xc0, 0xfe, 0x6d, 0x47, 0xbe, 0xa1, 0x29, 0xde, 0x53, - 0xee, 0x6c, 0xee, 0x56, 0xec, 0xae, 0xeb, 0x08, 0x24, 0x3e, 0x43, 0xef, - 0x92, 0x6b, 0x2a, 0x66, 0x5c, 0x9f, 0x25, 0x77, 0x4e, 0x96, 0x45, 0x4d, - 0xd7, 0xac, 0xc0, 0xc8, 0xfe, 0xd2, 0x37, 0x52, 0xc8, 0xcb, 0xe3, 0x26, - 0xad, 0xb2, 0xd9, 0x90, 0x3f, 0x68, 0x93, 0xb5, 0x3f, 0x10, 0xd3, 0x61, - 0xb7, 0x09, 0x35, 0x42, 0xd4, 0xf4, 0xde, 0x3b, 0x42, 0x3e, 0x8c, 0xe1, - 0xe8, 0xa7, 0xcb, 0x24, 0x2c, 0x38, 0xd1, 0xa0, 0x99, 0x22, 0xd9, 0xab, - 0x3a, 0x39, 0xda, 0x78, 0x22, 0x2a, 0x01, 0xe2, 0xda, 0x30, 0x0b, 0x82, - 0xca, 0x7d, 0xe0, 0xca, 0xd0, 0x95, 0x13, 0x50, 0x4f, 0x85, 0x86, 0x83, - 0x3d, 0x3d, 0xa2, 0x2c, 0xeb, 0x46, 0x7c, 0x50, 0xc0, 0x5a, 0x60, 0x7b, - 0x70, 0xb5, 0x5f, 0xb7, 0xa8, 0x54, 0x81, 0xe7, 0xb0, 0xf2, 0x91, 0xc6, - 0xd6, 0xc1, 0xc4, 0xd6, 0xdb, 0xea, 0xfa, 0xf4, 0xf0, 0x6c, 0x00, 0xbf, - 0x0f, 0x71, 0xff, 0xb3, 0x6c, 0x59, 0x08, 0x2f, 0x28, 0xd3, 0xaf, 0xc3, - 0xd2, 0xde, 0xe1, 0x1a, 0x54, 0x76, 0xfe, 0x2c, 0x98, 0xf1 -}; - -static const UInt8 kTestAppleWWDRIntm[] = { - 0x30, 0x82, 0x04, 0x23, 0x30, 0x82, 0x03, 0x0b, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x19, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 
0x00, 0x30, 0x62, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x30, - 0x1e, 0x17, 0x0d, 0x30, 0x38, 0x30, 0x32, 0x31, 0x34, 0x31, 0x38, 0x35, - 0x36, 0x33, 0x35, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x32, 0x31, 0x34, - 0x31, 0x38, 0x35, 0x36, 0x33, 0x35, 0x5a, 0x30, 0x81, 0x96, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2c, 0x30, 0x2a, - 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x23, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x77, 0x69, 0x64, 0x65, 0x20, 0x44, - 0x65, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x72, 0x20, 0x52, 0x65, 0x6c, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x31, 0x44, 0x30, 0x42, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x0c, 0x3b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, - 0x6f, 0x72, 0x6c, 0x64, 0x77, 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, - 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x79, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xca, 0x38, 0x54, 0xa6, 0xcb, 
0x56, 0xaa, 0xc8, 0x24, 0x39, 0x48, - 0xe9, 0x8c, 0xee, 0xec, 0x5f, 0xb8, 0x7f, 0x26, 0x91, 0xbc, 0x34, 0x53, - 0x7a, 0xce, 0x7c, 0x63, 0x80, 0x61, 0x77, 0x64, 0x5e, 0xa5, 0x07, 0x23, - 0xb6, 0x39, 0xfe, 0x50, 0x2d, 0x15, 0x56, 0x58, 0x70, 0x2d, 0x7e, 0xc4, - 0x6e, 0xc1, 0x4a, 0x85, 0x3e, 0x2f, 0xf0, 0xde, 0x84, 0x1a, 0xa1, 0x57, - 0xc9, 0xaf, 0x7b, 0x18, 0xff, 0x6a, 0xfa, 0x15, 0x12, 0x49, 0x15, 0x08, - 0x19, 0xac, 0xaa, 0xdb, 0x2a, 0x32, 0xed, 0x96, 0x63, 0x68, 0x52, 0x15, - 0x3d, 0x8c, 0x8a, 0xec, 0xbf, 0x6b, 0x18, 0x95, 0xe0, 0x03, 0xac, 0x01, - 0x7d, 0x97, 0x05, 0x67, 0xce, 0x0e, 0x85, 0x95, 0x37, 0x6a, 0xed, 0x09, - 0xb6, 0xae, 0x67, 0xcd, 0x51, 0x64, 0x9f, 0xc6, 0x5c, 0xd1, 0xbc, 0x57, - 0x6e, 0x67, 0x35, 0x80, 0x76, 0x36, 0xa4, 0x87, 0x81, 0x6e, 0x38, 0x8f, - 0xd8, 0x2b, 0x15, 0x4e, 0x7b, 0x25, 0xd8, 0x5a, 0xbf, 0x4e, 0x83, 0xc1, - 0x8d, 0xd2, 0x93, 0xd5, 0x1a, 0x71, 0xb5, 0x60, 0x9c, 0x9d, 0x33, 0x4e, - 0x55, 0xf9, 0x12, 0x58, 0x0c, 0x86, 0xb8, 0x16, 0x0d, 0xc1, 0xe5, 0x77, - 0x45, 0x8d, 0x50, 0x48, 0xba, 0x2b, 0x2d, 0xe4, 0x94, 0x85, 0xe1, 0xe8, - 0xc4, 0x9d, 0xc6, 0x68, 0xa5, 0xb0, 0xa3, 0xfc, 0x67, 0x7e, 0x70, 0xba, - 0x02, 0x59, 0x4b, 0x77, 0x42, 0x91, 0x39, 0xb9, 0xf5, 0xcd, 0xe1, 0x4c, - 0xef, 0xc0, 0x3b, 0x48, 0x8c, 0xa6, 0xe5, 0x21, 0x5d, 0xfd, 0x6a, 0x6a, - 0xbb, 0xa7, 0x16, 0x35, 0x60, 0xd2, 0xe6, 0xad, 0xf3, 0x46, 0x29, 0xc9, - 0xe8, 0xc3, 0x8b, 0xe9, 0x79, 0xc0, 0x6a, 0x61, 0x67, 0x15, 0xb2, 0xf0, - 0xfd, 0xe5, 0x68, 0xbc, 0x62, 0x5f, 0x6e, 0xcf, 0x99, 0xdd, 0xef, 0x1b, - 0x63, 0xfe, 0x92, 0x65, 0xab, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, - 0xae, 0x30, 0x81, 0xab, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, - 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, - 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, - 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x88, 0x27, 0x17, 0x09, 0xa9, 0xb6, 0x18, 0x60, 0x8b, 0xec, 0xeb, 0xba, - 0xf6, 0x47, 0x59, 0xc5, 0x52, 0x54, 
0xa3, 0xb7, 0x30, 0x1f, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x2b, 0xd0, 0x69, - 0x47, 0x94, 0x76, 0x09, 0xfe, 0xf4, 0x6b, 0x8d, 0x2e, 0x40, 0xa6, 0xf7, - 0x47, 0x4d, 0x7f, 0x08, 0x5e, 0x30, 0x36, 0x06, 0x03, 0x55, 0x1d, 0x1f, - 0x04, 0x2f, 0x30, 0x2d, 0x30, 0x2b, 0xa0, 0x29, 0xa0, 0x27, 0x86, 0x25, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, - 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, 0x70, - 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x63, 0x72, - 0x6c, 0x30, 0x10, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, - 0x06, 0x02, 0x01, 0x04, 0x02, 0x05, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, - 0x01, 0x01, 0x00, 0xda, 0x32, 0x00, 0x96, 0xc5, 0x54, 0x94, 0xd3, 0x3b, - 0x82, 0x37, 0x66, 0x7d, 0x2e, 0x68, 0xd5, 0xc3, 0xc6, 0xb8, 0xcb, 0x26, - 0x8c, 0x48, 0x90, 0xcf, 0x13, 0x24, 0x6a, 0x46, 0x8e, 0x63, 0xd4, 0xf0, - 0xd0, 0x13, 0x06, 0xdd, 0xd8, 0xc4, 0xc1, 0x37, 0x15, 0xf2, 0x33, 0x13, - 0x39, 0x26, 0x2d, 0xce, 0x2e, 0x55, 0x40, 0xe3, 0x0b, 0x03, 0xaf, 0xfa, - 0x12, 0xc2, 0xe7, 0x0d, 0x21, 0xb8, 0xd5, 0x80, 0xcf, 0xac, 0x28, 0x2f, - 0xce, 0x2d, 0xb3, 0x4e, 0xaf, 0x86, 0x19, 0x04, 0xc6, 0xe9, 0x50, 0xdd, - 0x4c, 0x29, 0x47, 0x10, 0x23, 0xfc, 0x6c, 0xbb, 0x1b, 0x98, 0x6b, 0x48, - 0x89, 0xe1, 0x5b, 0x9d, 0xde, 0x46, 0xdb, 0x35, 0x85, 0x35, 0xef, 0x3e, - 0xd0, 0xe2, 0x58, 0x4b, 0x38, 0xf4, 0xed, 0x75, 0x5a, 0x1f, 0x5c, 0x70, - 0x1d, 0x56, 0x39, 0x12, 0xe5, 0xe1, 0x0d, 0x11, 0xe4, 0x89, 0x25, 0x06, - 0xbd, 0xd5, 0xb4, 0x15, 0x8e, 0x5e, 0xd0, 0x59, 0x97, 0x90, 0xe9, 0x4b, - 0x81, 0xe2, 0xdf, 0x18, 0xaf, 0x44, 0x74, 0x1e, 0x19, 0xa0, 0x3a, 0x47, - 0xcc, 0x91, 0x1d, 0x3a, 0xeb, 0x23, 0x5a, 0xfe, 0xa5, 0x2d, 0x97, 0xf7, - 0x7b, 0xbb, 0xd6, 0x87, 0x46, 0x42, 0x85, 0xeb, 0x52, 0x3d, 0x26, 0xb2, - 0x63, 0xa8, 0xb4, 0xb1, 0xca, 0x8f, 0xf4, 0xcc, 0xe2, 0xb3, 0xc8, 0x47, - 0xe0, 0xbf, 0x9a, 0x59, 0x83, 0xfa, 
0xda, 0x98, 0x53, 0x2a, 0x82, 0xf5, - 0x7c, 0x65, 0x2e, 0x95, 0xd9, 0x33, 0x5d, 0xf5, 0xed, 0x65, 0xcc, 0x31, - 0x37, 0xc5, 0x5a, 0x04, 0xe8, 0x6b, 0xe1, 0xe7, 0x88, 0x03, 0x4a, 0x75, - 0x9e, 0x9b, 0x28, 0xcb, 0x4a, 0x40, 0x88, 0x65, 0x43, 0x75, 0xdd, 0xcb, - 0x3a, 0x25, 0x23, 0xc5, 0x9e, 0x57, 0xf8, 0x2e, 0xce, 0xd2, 0xa9, 0x92, - 0x5e, 0x73, 0x2e, 0x2f, 0x25, 0x75, 0x15 -}; - -/* Subject: UID=AP773K8VXL, CN=iPhone Developer: Julien Oster (S64MW3JM4L), OU=M2657GZ2M9, O=Apple Inc. - OS Security, C=US - * Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority */ -static const UInt8 kTestiPhoneDevCert[] = { - 0x30, 0x82, 0x05, 0xa4, 0x30, 0x82, 0x04, 0x8c, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x38, 0x3a, 0x38, 0x67, 0x79, 0xb5, 0xa4, 0xc8, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x0c, 0x23, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c, - 0x64, 0x77, 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f, - 0x70, 0x65, 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x31, 0x44, 0x30, 0x42, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x3b, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x77, - 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, - 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, - 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x32, 0x31, 0x36, 0x32, 0x31, 0x31, - 0x38, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x31, 0x35, 
0x31, 0x32, 0x31, 0x36, - 0x32, 0x31, 0x31, 0x38, 0x30, 0x30, 0x5a, 0x30, 0x81, 0x97, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, - 0x01, 0x01, 0x0c, 0x0a, 0x41, 0x50, 0x37, 0x37, 0x33, 0x4b, 0x38, 0x56, - 0x58, 0x4c, 0x31, 0x34, 0x30, 0x32, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x2b, 0x69, 0x50, 0x68, 0x6f, 0x6e, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, - 0x6c, 0x6f, 0x70, 0x65, 0x72, 0x3a, 0x20, 0x4a, 0x75, 0x6c, 0x69, 0x65, - 0x6e, 0x20, 0x4f, 0x73, 0x74, 0x65, 0x72, 0x20, 0x28, 0x53, 0x36, 0x34, - 0x4d, 0x57, 0x33, 0x4a, 0x4d, 0x34, 0x4c, 0x29, 0x31, 0x13, 0x30, 0x11, - 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0a, 0x4d, 0x32, 0x36, 0x35, 0x37, - 0x47, 0x5a, 0x32, 0x4d, 0x39, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x18, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x20, 0x2d, 0x20, 0x4f, 0x53, 0x20, 0x53, 0x65, 0x63, 0x75, - 0x72, 0x69, 0x74, 0x79, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, - 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, - 0x01, 0x00, 0xaf, 0x63, 0x4c, 0x3e, 0xbd, 0x24, 0xb8, 0xfe, 0xd1, 0xb7, - 0x7e, 0xe6, 0x65, 0x91, 0xf6, 0xcf, 0xd6, 0x5f, 0xe2, 0xf5, 0xe4, 0x75, - 0x22, 0xa4, 0xa7, 0xcd, 0x0e, 0x4a, 0x93, 0xbd, 0x26, 0x19, 0xa0, 0x55, - 0x56, 0x58, 0xbf, 0x82, 0xb3, 0xc7, 0x69, 0xf1, 0x9b, 0x0b, 0xe8, 0xa6, - 0xef, 0xa4, 0x85, 0xcb, 0x17, 0x15, 0xa1, 0x6d, 0x9f, 0xa8, 0x7e, 0xec, - 0x7f, 0x45, 0x87, 0x26, 0x0a, 0x85, 0x32, 0x71, 0x5b, 0x49, 0x62, 0x92, - 0x96, 0xa6, 0x27, 0xe4, 0x1e, 0x33, 0x0a, 0xeb, 0x15, 0x31, 0xb3, 0x31, - 0x88, 0x99, 0x73, 0x27, 0xf5, 0x1e, 0x2b, 0x33, 0xfd, 0x84, 0x71, 0xb0, - 0xd4, 0x84, 0xf1, 0x0b, 0x44, 0x49, 0x6a, 0x41, 0xd1, 0xc3, 0xa1, 0x4d, - 0x18, 0xa7, 0xbb, 0x3c, 0xef, 0x80, 0xc6, 0x28, 0x14, 0x79, 0x2e, 0x6c, - 0x99, 0xd7, 0x10, 0xd9, 0x10, 0xf5, 0xe4, 0xf1, 
0x92, 0x87, 0x13, 0x21, - 0x55, 0xa7, 0x1c, 0x90, 0xa1, 0xbb, 0x77, 0xbd, 0xee, 0xc4, 0x14, 0x35, - 0xfe, 0x9b, 0xde, 0xfb, 0x27, 0xe1, 0x95, 0xd5, 0x14, 0x5b, 0xce, 0x8f, - 0x11, 0xc1, 0x82, 0x18, 0x1e, 0x34, 0x47, 0x58, 0xbd, 0x71, 0x3d, 0xe5, - 0x69, 0xde, 0xeb, 0x2c, 0xe6, 0x5c, 0x46, 0x7b, 0xd1, 0x50, 0x20, 0xe2, - 0x86, 0x76, 0xad, 0x72, 0x4e, 0xa2, 0x3b, 0x53, 0xe6, 0xec, 0xbb, 0x57, - 0xd5, 0xc5, 0x54, 0x0b, 0x58, 0x09, 0xc6, 0xc2, 0xe2, 0xc7, 0x5e, 0x29, - 0x4e, 0xb2, 0x74, 0x9d, 0x87, 0x0a, 0x7c, 0x3a, 0x9e, 0x1e, 0x42, 0x60, - 0x68, 0x62, 0xa3, 0x5d, 0x89, 0x3f, 0xa0, 0xb2, 0xdc, 0x8a, 0x50, 0xd8, - 0x78, 0x2a, 0xb9, 0xe7, 0xb0, 0x91, 0xd7, 0x83, 0x11, 0xb4, 0xac, 0x71, - 0x15, 0x60, 0x3d, 0xcc, 0xf8, 0x2c, 0xb4, 0x80, 0x1d, 0x19, 0xa5, 0x0d, - 0x8f, 0xa1, 0xaf, 0x24, 0x99, 0x9f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x82, 0x01, 0xf1, 0x30, 0x82, 0x01, 0xed, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x90, 0x1f, 0x57, 0xaf, 0x17, 0xb5, - 0xec, 0xcf, 0xee, 0x0f, 0xdb, 0x1c, 0x36, 0x9c, 0xa3, 0xe3, 0x15, 0xba, - 0x7a, 0xb5, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, - 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, - 0x18, 0x30, 0x16, 0x80, 0x14, 0x88, 0x27, 0x17, 0x09, 0xa9, 0xb6, 0x18, - 0x60, 0x8b, 0xec, 0xeb, 0xba, 0xf6, 0x47, 0x59, 0xc5, 0x52, 0x54, 0xa3, - 0xb7, 0x30, 0x82, 0x01, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x82, - 0x01, 0x06, 0x30, 0x82, 0x01, 0x02, 0x30, 0x81, 0xff, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x05, 0x01, 0x30, 0x81, 0xf1, 0x30, - 0x81, 0xc3, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, - 0x30, 0x81, 0xb6, 0x0c, 0x81, 0xb3, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, - 0x63, 0x65, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x62, - 0x79, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x70, 0x61, 0x72, 0x74, 0x79, 0x20, - 0x61, 0x73, 0x73, 0x75, 0x6d, 0x65, 0x73, 0x20, 
0x61, 0x63, 0x63, 0x65, - 0x70, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, - 0x65, 0x20, 0x74, 0x68, 0x65, 0x6e, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69, - 0x63, 0x61, 0x62, 0x6c, 0x65, 0x20, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, - 0x72, 0x64, 0x20, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x61, 0x6e, 0x64, - 0x20, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, - 0x6f, 0x66, 0x20, 0x75, 0x73, 0x65, 0x2c, 0x20, 0x63, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, - 0x63, 0x74, 0x69, 0x63, 0x65, 0x20, 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, - 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x30, 0x29, 0x06, 0x08, 0x2b, 0x06, 0x01, - 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x1d, 0x68, 0x74, 0x74, 0x70, 0x3a, - 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x63, 0x61, 0x2f, - 0x30, 0x4d, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x46, 0x30, 0x44, 0x30, - 0x42, 0xa0, 0x40, 0xa0, 0x3e, 0x86, 0x3c, 0x68, 0x74, 0x74, 0x70, 0x3a, - 0x2f, 0x2f, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x72, 0x2e, - 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x77, 0x77, 0x64, - 0x72, 0x63, 0x61, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x0e, 0x06, 0x03, 0x55, - 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, - 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, 0x30, - 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, 0x30, - 0x13, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x06, 0x01, - 0x02, 0x01, 0x01, 0xff, 0x04, 0x02, 0x05, 0x00, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 
0x05, 0x05, 0x00, 0x03,
- 0x82, 0x01, 0x01, 0x00, 0x9e, 0x2c, 0xba, 0x8f, 0x18, 0xe6, 0x04, 0xa8,
- 0x03, 0x35, 0xf7, 0x56, 0x24, 0xb9, 0xfc, 0x29, 0x22, 0x86, 0x42, 0xf1,
- 0x81, 0xce, 0x82, 0x9a, 0x19, 0x4c, 0x0d, 0xb0, 0x4e, 0xe6, 0x7c, 0xd1,
- 0x06, 0xab, 0xef, 0xd3, 0x5b, 0x17, 0xdf, 0xad, 0x84, 0xa2, 0x93, 0x16,
- 0x7a, 0x51, 0xd6, 0x94, 0x4a, 0xbb, 0x7b, 0xfa, 0x97, 0x66, 0x52, 0x03,
- 0x69, 0x13, 0x14, 0x8a, 0x5c, 0x6c, 0x88, 0x45, 0x0f, 0x69, 0xd0, 0x62,
- 0x29, 0x9c, 0xc1, 0xf1, 0x72, 0x95, 0xd7, 0x48, 0x28, 0x6e, 0xe5, 0xa3,
- 0x20, 0x68, 0xba, 0xde, 0xe8, 0x88, 0x93, 0xfa, 0x20, 0x05, 0x1d, 0xee,
- 0x0e, 0xf5, 0x3f, 0x82, 0xf2, 0xc8, 0xe6, 0xc0, 0x96, 0x50, 0xba, 0x3e,
- 0x9e, 0x9d, 0x14, 0x4d, 0xd0, 0x73, 0x7c, 0xdd, 0x56, 0xf6, 0x49, 0x9c,
- 0xca, 0xb1, 0x98, 0x1e, 0x5f, 0xee, 0xe3, 0xcb, 0xbb, 0xf7, 0x9d, 0x48,
- 0x30, 0xe4, 0x6d, 0x6f, 0xfc, 0xe8, 0xbd, 0x28, 0xb6, 0x25, 0x09, 0x41,
- 0x7f, 0xd6, 0xb1, 0x7b, 0x97, 0xab, 0xc3, 0xaf, 0x66, 0xaa, 0x92, 0x17,
- 0x30, 0x13, 0x70, 0xb2, 0x23, 0x1a, 0xd8, 0x59, 0x6e, 0xe2, 0x12, 0x5d,
- 0x6a, 0x56, 0x1f, 0x56, 0xf0, 0x9d, 0x94, 0x77, 0x75, 0x21, 0x9a, 0x2f,
- 0x7d, 0x3c, 0x01, 0x92, 0x56, 0x1c, 0xf4, 0x72, 0x23, 0x94, 0xa4, 0x07,
- 0x4c, 0xd5, 0x6f, 0x71, 0x10, 0x1b, 0x7e, 0x98, 0xc2, 0xbb, 0x73, 0xbf,
- 0xc9, 0x4a, 0x42, 0x53, 0x17, 0x58, 0x09, 0x30, 0xba, 0x04, 0xf8, 0x97,
- 0x3e, 0x13, 0x4e, 0x67, 0x2d, 0xec, 0x73, 0x67, 0x10, 0x28, 0x5f, 0xd4,
- 0xda, 0xa5, 0x83, 0xbe, 0x06, 0x83, 0x07, 0xce, 0x59, 0x9d, 0x1e, 0x35,
- 0x1d, 0x66, 0x87, 0xae, 0x7a, 0x65, 0xfb, 0x76, 0x9b, 0xcf, 0xd7, 0xf1,
- 0xb7, 0x8d, 0x2f, 0x5c, 0x8e, 0xa7, 0xcc, 0x8d
-};
-
-static void test_with_cert(const char *name,
- const UInt8 *cert0_bytes, CFIndex cert0_len,
- const UInt8 *cert1_bytes, CFIndex cert1_len,
- SecTrustResultType expectedTrustResult) {
- CFDateRef date=NULL;
- CFArrayRef policies=NULL;
- SecPolicyRef policy=NULL;
- SecTrustRef trust=NULL;
- SecCertificateRef cert0=NULL, cert1=NULL;
- CFMutableArrayRef certs=NULL;
-
SecTrustResultType trustResult; - CFIndex chainLen; - - isnt(cert0 = SecCertificateCreateWithBytes(NULL, cert0_bytes, cert0_len), - NULL, "%s: create cert0", name); - isnt(cert1 = SecCertificateCreateWithBytes(NULL, cert1_bytes, cert1_len), - NULL, "%s: create cert1", name); - // these chain to the Apple Root CA so it is not provided - - if (!cert0 || !cert1) - return; - - isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "%s: create cert array", name); - CFArrayAppendValue(certs, cert0); - CFArrayAppendValue(certs, cert1); - - isnt(policy = SecPolicyCreateAppleTVOSApplicationSigning(), NULL, "%s: create policy", name); - policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks); - CFRelease(policy); - policy = NULL; - ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "%s: create trust", name); - CFRelease(policies); - policies = NULL; - isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 20, 12, 0, 0), - NULL, "%s: create verify date", name); - ok_status(SecTrustSetVerifyDate(trust, date), "%s: set date", name); - CFReleaseSafe(date); - date = NULL; - ok_status(SecTrustEvaluate(trust, &trustResult), "%s: evaluate trust", name); - ok(trustResult == expectedTrustResult, "%s: trustResult unexpected (expected %d, got %d)", - name, (int)expectedTrustResult, (int)trustResult); - chainLen = SecTrustGetCertificateCount(trust); - ok(chainLen == 3, "%s: chain length 3 expected (got %d)", name, (int)chainLen); - CFRelease(trust); - trust = NULL; - - CFReleaseSafe(cert0); - CFReleaseSafe(cert1); - CFReleaseSafe(certs); -} - -static void tests(void) -{ - // Those are the certificates which should officially pass. 
- test_with_cert("AppleTV Prod", - kTestAppleTVOSAppSigLeaf, sizeof(kTestAppleTVOSAppSigLeaf), - kTestAppleWWDRIntm, sizeof(kTestAppleWWDRIntm), - kSecTrustResultUnspecified); - test_with_cert("AppleTV Test", - kTestAppleTVOSAppSigTestLeaf, sizeof(kTestAppleTVOSAppSigTestLeaf), - kTestAppleWWDRIntm, sizeof(kTestAppleWWDRIntm), - kSecTrustResultUnspecified); - - // An iPhone dev cert, which has a common intermediate, but not the right marker OIDs, should of course fail. - test_with_cert("iPhone Dev", - kTestiPhoneDevCert, sizeof(kTestiPhoneDevCert), - kTestAppleWWDRIntm, sizeof(kTestAppleWWDRIntm), - kSecTrustResultRecoverableTrustFailure); - -} - -int si_81_sectrust_appletv(int argc, char *const *argv) -{ - plan_tests(30); - - tests(); - - return 0; -} diff --git a/OSX/sec/Security/Regressions/secitem/si-81-sectrust-server-auth.c b/OSX/sec/Security/Regressions/secitem/si-81-sectrust-server-auth.c deleted file mode 100644 index e3899d62..00000000 --- a/OSX/sec/Security/Regressions/secitem/si-81-sectrust-server-auth.c +++ /dev/null 
@@ -1,581 +0,0 @@ -/* - * si-81-sectrust-server-auth.c - * Security - * - * Copyright (c) 2014-2015 Apple Inc. All Rights Reserved. - * - */ - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecCertificate.h> -#include <Security/SecCertificatePriv.h> -#include <Security/SecCertificateInternal.h> -#include <Security/SecItem.h> -#include <Security/SecItemPriv.h> -#include <Security/SecIdentityPriv.h> -#include <Security/SecIdentity.h> -#include <Security/SecPolicy.h> -#include <Security/SecPolicyPriv.h> -#include <Security/SecPolicyInternal.h> -#include <Security/SecCMS.h> -#include <utilities/SecCFWrappers.h> -#include <stdlib.h> -#include <unistd.h> - -#include "Security_regressions.h" - - -static const UInt8 kTestAppleVPNLeafCert[] = { - 0x30,0x82,0x04,0x55,0x30,0x82,0x03,0x3D,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x1F, - 0xF4,0x7D,0xBF,0x19,0x70,0x2F,0xE4,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x6E,0x31,0x28,0x30,0x26,0x06,0x03,0x55,0x04, - 0x03,0x0C,0x1F,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61, - 0x74,0x65,0x20,0x56,0x50,0x4E,0x20,0x43,0x6C,0x69,0x65,0x6E,0x74,0x20,0x43,0x41, - 0x20,0x31,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72, - 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F, - 0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41, - 0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, - 0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x34,0x30,0x37,0x30,0x37, - 0x32,0x30,0x33,0x38,0x35,0x33,0x5A,0x17,0x0D,0x31,0x34,0x31,0x30,0x30,0x35,0x32, - 0x30,0x33,0x38,0x35,0x33,0x5A,0x30,0x61,0x31,0x5F,0x30,0x5D,0x06,0x03,0x55,0x04, - 0x03,0x0C,0x56,0x63,0x6F,0x6D,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x69,0x73,0x74, - 0x2E,0x64,0x73,0x2E,0x61,0x70,0x70,0x6C,0x65,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74, - 
0x32,0x2E,0x70,0x72,0x6F,0x64,0x75,0x63,0x74,0x69,0x6F,0x6E,0x2E,0x76,0x70,0x6E, - 0x2E,0x38,0x46,0x32,0x42,0x33,0x41,0x44,0x43,0x44,0x37,0x32,0x45,0x44,0x32,0x45, - 0x41,0x30,0x38,0x44,0x44,0x43,0x32,0x36,0x41,0x44,0x30,0x32,0x35,0x35,0x41,0x39, - 0x38,0x33,0x42,0x31,0x44,0x45,0x42,0x45,0x42,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, - 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, - 0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xE1,0xA1,0xCB,0x69,0x00,0x88, - 0x06,0x3A,0x7C,0xE3,0x29,0x1F,0x1C,0x32,0x22,0xD2,0x71,0xFA,0x06,0xED,0xC0,0x16, - 0x41,0x80,0x4C,0x82,0xA5,0x98,0x98,0x02,0xCE,0xB3,0x7D,0xC9,0x89,0x8D,0x91,0xDE, - 0x61,0x34,0xCB,0xB9,0x24,0xA8,0xA4,0x4F,0x7F,0x07,0x09,0x80,0x6A,0xAB,0x0C,0x3C, - 0xBC,0xD5,0xDA,0xAB,0xD1,0x69,0x47,0x7C,0x1F,0x93,0x4E,0xF0,0x44,0x50,0x54,0x91, - 0x85,0xB6,0x67,0x53,0x35,0x45,0x60,0x92,0xD8,0xDA,0x20,0xBC,0x7E,0x3E,0xA5,0xA0, - 0xD7,0x2B,0x62,0x78,0x94,0xA4,0x97,0x74,0x07,0xAA,0x7A,0x91,0xFC,0xF4,0xFA,0x50, - 0x8E,0x24,0x6D,0x2E,0x64,0x01,0x23,0x6D,0x16,0xA2,0x5A,0x18,0xFB,0x82,0xAB,0x7E, - 0x19,0xE9,0x7F,0x1E,0xEE,0x4C,0x0A,0xEA,0xD5,0xE4,0xE7,0x29,0xE5,0xA1,0x52,0xAD, - 0xED,0xD9,0xE9,0x56,0xA1,0xFC,0xD8,0x9D,0x89,0xC9,0x31,0x3F,0x98,0xE6,0xBD,0xAF, - 0x5B,0x6E,0xCC,0x43,0x0B,0xD9,0x55,0xC7,0x8A,0x1A,0x36,0x1A,0xE7,0x1B,0x46,0xD5, - 0xF8,0x90,0xD9,0x68,0x2E,0x29,0xBE,0xED,0xE0,0x15,0x2A,0x5F,0x8F,0xBA,0x4C,0x32, - 0x99,0xF5,0x83,0x85,0x74,0x8E,0x4A,0x69,0xC6,0x0E,0x3F,0x35,0x1C,0xD8,0x8F,0xB6, - 0x28,0x94,0x68,0xF5,0x65,0x33,0x12,0xE6,0x8D,0x9D,0x8F,0x99,0x71,0xFC,0xAA,0x2B, - 0xF8,0x79,0xFD,0x89,0x66,0x0E,0xDC,0x17,0xF4,0x73,0xFD,0x11,0x2A,0x8A,0xC5,0x90, - 0x8C,0xC3,0x33,0x48,0x02,0x19,0x2D,0x86,0xD7,0xED,0xD8,0x4D,0xF4,0x21,0xB0,0x1D, - 0xB8,0x3B,0xCC,0x7A,0xBA,0x10,0x9C,0x32,0x95,0x7D,0x02,0x03,0x01,0x00,0x01,0xA3, - 0x82,0x01,0x02,0x30,0x81,0xFF,0x30,0x4B,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, - 0x01,0x01,0x04,0x3F,0x30,0x3D,0x30,0x3B,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, - 
0x30,0x01,0x86,0x2F,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E, - 0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70,0x30,0x31, - 0x2D,0x63,0x6F,0x72,0x70,0x76,0x70,0x6E,0x63,0x6C,0x69,0x65,0x6E,0x74,0x63,0x61, - 0x31,0x30,0x31,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x9D,0x04, - 0x52,0xAB,0xBA,0x68,0x49,0x05,0x7E,0x09,0xE8,0x74,0x00,0x30,0x87,0xAF,0x16,0xF0, - 0xD5,0x9D,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00, - 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xA9,0x85,0xE3, - 0x5B,0xDB,0xFF,0xFC,0x2D,0x7F,0x80,0x04,0xAA,0xF0,0xDA,0xAD,0x37,0x78,0x82,0xA3, - 0xE0,0x30,0x3A,0x06,0x03,0x55,0x1D,0x1F,0x04,0x33,0x30,0x31,0x30,0x2F,0xA0,0x2D, - 0xA0,0x2B,0x86,0x29,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x6F,0x72,0x70,0x76,0x70,0x6E, - 0x63,0x6C,0x69,0x65,0x6E,0x74,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06, - 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x16,0x06, - 0x03,0x55,0x1D,0x25,0x01,0x01,0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01, - 0x05,0x05,0x07,0x03,0x02,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, - 0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x11,0x76,0x58,0xDA,0x13,0xD2,0x3F, - 0x8E,0x4F,0xA0,0xAE,0x38,0xE5,0x74,0x85,0x94,0x60,0x3F,0xD7,0x30,0xBD,0x56,0x65, - 0xCB,0x28,0xD9,0x5B,0xCF,0x7E,0xEB,0x49,0x03,0x6A,0x6E,0xFB,0x17,0xC7,0xEA,0x3F, - 0x04,0xCF,0xC1,0xA2,0xFC,0x7C,0x8F,0xC0,0x19,0x79,0xF1,0xD5,0x07,0xF5,0x83,0xA4, - 0x33,0x6A,0xBC,0x0F,0x24,0x8E,0xA0,0x63,0xD3,0x00,0xA0,0xD8,0x08,0x92,0x21,0xB6, - 0x5B,0x56,0xE2,0x79,0x58,0xF2,0x3F,0x0F,0x98,0xC1,0x69,0xB6,0x10,0xA3,0x8C,0xA4, - 0xE4,0xEE,0x50,0xF6,0x52,0x5D,0x84,0x48,0x69,0x59,0x6D,0x21,0x7F,0xFB,0x1B,0xA3, - 0x21,0xBA,0xAE,0xCC,0x0A,0xD2,0xB4,0xBF,0xAA,0x7D,0x63,0xEE,0x74,0x9C,0x62,0x21, - 0xCB,0x93,0x14,0x7F,0x8E,0x38,0xD9,0x1D,0xF0,0x77,0xB1,0x77,0x92,0xE8,0xFE,0xFE, - 
0xAE,0x6D,0xAF,0x5A,0x6F,0xE8,0xBC,0x4E,0xAC,0xAF,0xDF,0xF1,0xE1,0x4C,0x2A,0x26, - 0x9A,0xA1,0xD7,0x35,0xFD,0xE7,0x2B,0xBD,0x40,0xBB,0xE1,0x2A,0xEA,0xB0,0xEF,0xEF, - 0xE8,0x40,0x29,0xB7,0xDC,0xA2,0xC5,0x68,0x01,0xEB,0xBE,0x19,0x3F,0x22,0xFF,0x2D, - 0x43,0x2D,0xBA,0xB3,0x33,0xCF,0xDD,0xD7,0xBC,0x4B,0xEC,0x44,0x47,0x74,0x78,0x39, - 0x59,0xE3,0xC7,0x5A,0x9A,0x65,0xCD,0xFF,0xE5,0x80,0x63,0xEF,0xCB,0x8A,0xA4,0xF6, - 0x69,0xFF,0x65,0x26,0xA5,0xDA,0x53,0xBE,0x03,0xF6,0x81,0x52,0x2A,0x2C,0x71,0x59, - 0x7B,0x2A,0x4A,0xE1,0x9A,0x2A,0x52,0xEE,0x7A,0x48,0x80,0x86,0xD0,0x9D,0x66,0xB5, - 0xD3,0xE7,0xAC,0x03,0x14,0x04,0x4F,0xC6,0x65, -}; - -static const UInt8 kTestAppleVPNCACert[] = { - 0x30,0x82,0x04,0x44,0x30,0x82,0x03,0x2C,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x0E, - 0x74,0x07,0xCA,0x6E,0x0B,0xA3,0x20,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x66,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04, - 0x03,0x0C,0x17,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61, - 0x74,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03, - 0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, - 0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11, - 0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63, - 0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E, - 0x17,0x0D,0x31,0x34,0x30,0x33,0x31,0x39,0x30,0x30,0x30,0x30,0x35,0x30,0x5A,0x17, - 0x0D,0x32,0x39,0x30,0x33,0x31,0x39,0x30,0x30,0x30,0x30,0x35,0x30,0x5A,0x30,0x6E, - 0x31,0x28,0x30,0x26,0x06,0x03,0x55,0x04,0x03,0x0C,0x1F,0x41,0x70,0x70,0x6C,0x65, - 0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61,0x74,0x65,0x20,0x56,0x50,0x4E,0x20,0x43, - 0x6C,0x69,0x65,0x6E,0x74,0x20,0x43,0x41,0x20,0x31,0x31,0x20,0x30,0x1E,0x06,0x03, - 0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, - 
0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11, - 0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63, - 0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82, - 0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05, - 0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xA4, - 0xBF,0xFE,0x2F,0x4D,0x46,0x90,0x89,0x1C,0x89,0xDF,0x4E,0x70,0x02,0x73,0x9F,0x2A, - 0x10,0xFA,0x72,0x60,0xEE,0x99,0x16,0xE8,0x05,0xB7,0x7D,0x73,0x96,0x03,0x6A,0x46, - 0x7F,0x2E,0xAE,0xC9,0x42,0xF1,0x05,0xAA,0x64,0xED,0x4B,0xF8,0xE7,0xAF,0x2D,0x16, - 0xB2,0xC2,0x4F,0x52,0x31,0xEE,0x9E,0xCC,0x23,0x7E,0x40,0xA2,0x7B,0xCE,0x89,0xD8, - 0x0F,0xE4,0xB8,0x27,0x50,0x33,0xB3,0x24,0x01,0x61,0xB1,0xD5,0x81,0x7A,0x75,0x1F, - 0xFF,0x3C,0x99,0x79,0x9D,0x7A,0x17,0x44,0x1A,0xC0,0xD2,0xF4,0x64,0x69,0x2C,0x9C, - 0x75,0x22,0xC8,0x51,0x0D,0xD7,0xB6,0x8D,0x9B,0xF6,0x13,0x9F,0xA8,0xC1,0x0F,0xC0, - 0x4A,0x5A,0x83,0x98,0x01,0x4C,0x04,0xDF,0xCD,0x74,0xC5,0x4C,0x3D,0x72,0x05,0x41, - 0xCA,0x64,0x17,0xED,0x63,0x1C,0x8A,0xCE,0x93,0x05,0x18,0xF7,0xD8,0x35,0x75,0xD0, - 0x7D,0x03,0x57,0xE7,0x15,0x20,0xC1,0x1A,0x02,0xAD,0x94,0x91,0x06,0x88,0xAF,0xCB, - 0x41,0x24,0xF1,0xBB,0x17,0xC3,0x73,0x4A,0x63,0x08,0xE0,0xAF,0x14,0xCA,0x03,0x8C, - 0xC9,0xA5,0xDC,0x5C,0xE3,0x7F,0xF6,0x33,0x99,0x07,0xD2,0xA5,0x15,0xEB,0x70,0xB7, - 0x3E,0x5D,0xD5,0x50,0x81,0x9C,0xE3,0x7C,0x3B,0x21,0x98,0xB3,0xE2,0xF3,0x00,0x8D, - 0xBE,0x68,0xDD,0x9B,0xFC,0x87,0xBF,0xF0,0x01,0x58,0x53,0xAC,0x2B,0x01,0xE9,0x81, - 0xB4,0x49,0x4A,0x02,0x98,0xC3,0x5B,0x92,0xFD,0x0B,0x9C,0xDC,0x56,0x96,0x5B,0x3B, - 0x02,0x81,0x1F,0x00,0xC2,0x2C,0xF0,0x1C,0xB9,0x38,0x20,0xE7,0x51,0x90,0x91,0x02, - 0x03,0x01,0x00,0x01,0xA3,0x81,0xED,0x30,0x81,0xEA,0x30,0x41,0x06,0x08,0x2B,0x06, - 0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x35,0x30,0x33,0x30,0x31,0x06,0x08,0x2B,0x06, - 0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F, - 
0x63,0x73,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63, - 0x73,0x70,0x30,0x34,0x2D,0x63,0x6F,0x72,0x70,0x72,0x6F,0x6F,0x74,0x30,0x1D,0x06, - 0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xA9,0x85,0xE3,0x5B,0xDB,0xFF,0xFC,0x2D, - 0x7F,0x80,0x04,0xAA,0xF0,0xDA,0xAD,0x37,0x78,0x82,0xA3,0xE0,0x30,0x0F,0x06,0x03, - 0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06, - 0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x35,0x20,0x26,0xCE,0x85,0xBE, - 0x49,0x26,0x20,0x01,0xDD,0xC8,0xEE,0xFF,0x3D,0x68,0xC8,0xD0,0xDF,0xF5,0x30,0x32, - 0x06,0x03,0x55,0x1D,0x1F,0x04,0x2B,0x30,0x29,0x30,0x27,0xA0,0x25,0xA0,0x23,0x86, - 0x21,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C, - 0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x6F,0x72,0x70,0x72,0x6F,0x6F,0x74,0x2E,0x63, - 0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02, - 0x01,0x06,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x18,0x05, - 0x04,0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01, - 0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x38,0x50,0xD1,0x41,0x40,0xAD,0x98,0x12, - 0xB6,0xB5,0x7A,0xC6,0x42,0xD7,0x40,0x25,0x2A,0xDB,0x7C,0xEA,0x84,0xA8,0x21,0xCE, - 0xA9,0xBE,0x26,0x0D,0x10,0xFD,0xFE,0x9C,0x8D,0x8A,0xA5,0xA6,0x3C,0x44,0xDA,0xF1, - 0xD1,0x05,0xEF,0xB3,0x17,0x8F,0x21,0x88,0x3B,0xF8,0x48,0x5B,0xE3,0xF6,0xC1,0x1B, - 0x6C,0xE4,0xD0,0xF7,0xD2,0xA1,0xF9,0x89,0xFA,0x71,0x12,0x4F,0x90,0x95,0x73,0x89, - 0xE9,0xD8,0xB5,0xBD,0x4B,0xF6,0x39,0x9D,0x97,0xFB,0x1C,0x5C,0x46,0x48,0x83,0x13, - 0x02,0xBF,0xA5,0xB1,0x74,0xD9,0x8A,0x41,0xA4,0x80,0x1E,0xD4,0xA6,0xC5,0x2C,0xD3, - 0x42,0xEF,0x17,0x8B,0xB0,0xFB,0x49,0x12,0x60,0x29,0x35,0xA6,0xAF,0x23,0x04,0xF1, - 0x26,0x8A,0x84,0x81,0x54,0x16,0x62,0x7B,0xBD,0xCE,0x09,0x39,0x3C,0x74,0x05,0xF4, - 0x75,0xE8,0x8A,0x77,0x13,0x07,0x93,0xB8,0x95,0x8E,0xD5,0x29,0x3E,0x17,0x6D,0x1B, - 0xA0,0xCB,0x4A,0xBB,0x33,0x28,0x06,0xCA,0x76,0x20,0x6F,0x07,0x32,0x04,0xE3,0xD9, - 
0xD2,0x89,0xAE,0xD7,0x17,0x16,0x4A,0x4E,0x80,0xD6,0x9F,0x1F,0x75,0x6E,0x7C,0xCF, - 0x17,0xCE,0xD7,0x5E,0x5E,0x7B,0x55,0xC2,0x0D,0xCA,0xE2,0xEB,0x87,0x60,0xAC,0x32, - 0x31,0x1E,0x9F,0xF0,0x77,0xA3,0x28,0x6A,0x34,0xD0,0xF9,0xEE,0x47,0x6D,0xE6,0x1E, - 0x8A,0x87,0x82,0x49,0x72,0xBA,0x09,0x3B,0xB9,0x3B,0xF9,0xA4,0xEC,0x9B,0x5F,0x6B, - 0xEE,0xC1,0x6E,0xAC,0xC5,0x45,0xF4,0x44,0x8B,0x9B,0x27,0xBB,0xA4,0xBE,0x8D,0x74, - 0xE1,0x5D,0x4A,0xA2,0x35,0x4D,0xC8,0x42, -}; - -static const UInt8 kTestAppleCorpCACert[] = { - 0x30,0x82,0x03,0xB1,0x30,0x82,0x02,0x99,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x14, - 0x99,0x6B,0x4A,0x6A,0xE4,0x40,0xA0,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x66,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04, - 0x03,0x0C,0x17,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61, - 0x74,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03, - 0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, - 0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11, - 0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63, - 0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E, - 0x17,0x0D,0x31,0x33,0x30,0x37,0x31,0x36,0x31,0x39,0x32,0x30,0x34,0x35,0x5A,0x17, - 0x0D,0x32,0x39,0x30,0x37,0x31,0x37,0x31,0x39,0x32,0x30,0x34,0x35,0x5A,0x30,0x66, - 0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x03,0x0C,0x17,0x41,0x70,0x70,0x6C,0x65, - 0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61,0x74,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20, - 0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72, - 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F, - 0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41, - 0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, - 
0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86, - 0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82, - 0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB5,0x3B,0xE3,0x9F,0x6A,0x1D,0x0E,0x46,0x51, - 0x1E,0xD0,0xB5,0x17,0x6B,0x06,0x4B,0x92,0xAF,0x38,0x10,0x25,0xA1,0xEE,0x1E,0x4E, - 0xEF,0x19,0xE0,0x73,0xB5,0x37,0x33,0x72,0x21,0x21,0xCB,0x62,0x4A,0x3D,0xA9,0x68, - 0xD8,0x07,0xB4,0xEB,0x8D,0x0A,0xDB,0x30,0x33,0x21,0x2F,0x6F,0xD3,0xF7,0x5D,0xCE, - 0x20,0x0A,0x04,0xDB,0xFF,0xBF,0x75,0x08,0x42,0x3F,0x3E,0xD8,0xC8,0xEF,0xA4,0xF8, - 0x56,0x7B,0x13,0x64,0x6B,0xF3,0xA2,0x38,0x10,0xFA,0xEE,0x9D,0x83,0x93,0x1D,0xFB, - 0xEF,0x13,0x6C,0x38,0x49,0xDD,0xEB,0x71,0xA6,0x92,0x58,0x04,0xDE,0x01,0x41,0x2B, - 0x99,0x5E,0xBD,0x24,0x3F,0x69,0xA8,0x44,0xF2,0xAA,0x01,0x78,0xB9,0x38,0x06,0x10, - 0x77,0x36,0xF8,0xF2,0xA3,0x3E,0xD9,0x5F,0xEA,0xF5,0x8B,0x6A,0xA6,0x5F,0xE6,0x51, - 0xD0,0x9B,0x50,0xA0,0x1E,0xF5,0x85,0x9E,0x49,0x50,0x4A,0x61,0x78,0xDA,0x29,0xA7, - 0x33,0x72,0x8B,0x83,0xEE,0x7B,0xA7,0x79,0x4E,0x8E,0x02,0x6F,0x9D,0x25,0x97,0x26, - 0x86,0x0C,0x82,0xC5,0x8C,0x16,0x7E,0x49,0x61,0xFD,0xFF,0x1A,0xA0,0x0D,0x28,0xE1, - 0x68,0xF5,0xAE,0x85,0x72,0xF3,0xAB,0xE0,0x74,0x75,0xCC,0x57,0x64,0x3C,0x2C,0x55, - 0x05,0xC9,0x8D,0xAA,0xB3,0xEC,0xC8,0x62,0x88,0x15,0x2A,0xC4,0x59,0x60,0x37,0xC1, - 0xED,0x6B,0xCE,0xE9,0xCA,0xAF,0xB0,0xA5,0x45,0xBA,0xFF,0x16,0x32,0xAA,0x92,0x86, - 0xD9,0xB9,0xA1,0x13,0x75,0x95,0x9B,0x97,0x5C,0x2D,0xB5,0x12,0xCA,0x6B,0x6B,0x39, - 0xD6,0x9B,0x4B,0x34,0x47,0xAB,0x35,0x02,0x03,0x01,0x00,0x01,0xA3,0x63,0x30,0x61, - 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x35,0x20,0x26,0xCE,0x85, - 0xBE,0x49,0x26,0x20,0x01,0xDD,0xC8,0xEE,0xFF,0x3D,0x68,0xC8,0xD0,0xDF,0xF5,0x30, - 0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF, - 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x35,0x20,0x26, - 0xCE,0x85,0xBE,0x49,0x26,0x20,0x01,0xDD,0xC8,0xEE,0xFF,0x3D,0x68,0xC8,0xD0,0xDF, - 
0xF5,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01, - 0x06,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00, - 0x03,0x82,0x01,0x01,0x00,0x73,0x02,0x4A,0xA6,0x77,0x02,0xA7,0xE1,0xCB,0x52,0x97, - 0x9D,0x89,0x11,0xA0,0x8F,0xBC,0xF3,0x8F,0x14,0x01,0x29,0xF3,0xA5,0x45,0x17,0x06, - 0xF8,0x04,0xF2,0x6D,0xD5,0xC3,0x77,0xB8,0x00,0xC2,0x0A,0x1A,0x09,0x32,0x36,0x36, - 0x69,0xC1,0x2A,0xF0,0x44,0x37,0xBC,0x7E,0x5F,0x15,0xF7,0x08,0x9C,0x19,0x27,0x1D, - 0x70,0x4F,0xDC,0x17,0x94,0x3C,0xBB,0x24,0xB4,0xE6,0xFC,0x71,0x9A,0xD4,0xCF,0x2C, - 0x12,0xBA,0xF0,0xB6,0x8F,0x78,0x99,0xAA,0x8C,0x17,0x7E,0x94,0x0C,0x6A,0x37,0x5B, - 0x35,0x91,0x52,0xFA,0x64,0xA3,0x33,0x34,0x99,0x37,0x00,0x3C,0xB4,0x4E,0x6E,0x63, - 0xED,0xC3,0x1D,0x37,0x5B,0x45,0xB4,0xDF,0x82,0xCD,0xFE,0xAA,0x92,0x64,0xC8,0x2F, - 0xD6,0x2D,0x2E,0xB1,0xED,0x6A,0x04,0xF1,0xC2,0x48,0x8D,0x4B,0xB4,0x84,0x39,0xA3, - 0x31,0x4D,0xF6,0x63,0xB4,0xC3,0x6E,0xA1,0xA5,0x2F,0xD2,0x1E,0xB0,0xC6,0x0C,0xD1, - 0x04,0x3A,0x31,0xBC,0x87,0x49,0xF8,0x26,0x0B,0xD3,0x0C,0x08,0x29,0xBB,0x9F,0x4D, - 0x08,0xF0,0x9C,0x11,0xD3,0xA5,0x2C,0x8D,0x98,0xB1,0x1B,0xB1,0x57,0xD3,0x69,0xAE, - 0x9E,0x2D,0xD5,0x64,0x38,0x58,0xC9,0xB2,0x84,0x04,0xAB,0x10,0x1D,0xCA,0x6B,0x29, - 0xA5,0xAB,0xCC,0xFE,0xBB,0x74,0xF4,0x35,0x03,0x8F,0x65,0x2A,0x0B,0xBB,0xC7,0x17, - 0x6A,0x49,0x34,0x83,0x30,0x92,0x8D,0xD7,0xAE,0x95,0xD0,0xD7,0x23,0xA7,0xE3,0x29, - 0x09,0xA1,0xB1,0x34,0xC3,0x95,0x49,0xC3,0xA4,0xF1,0x36,0x00,0x09,0xD3,0xA4,0x09, - 0xAD,0xF2,0x5C,0x97,0xB2, -}; - - -static const UInt8 kTestAppleServerAuthCACert[] = { - 0x30,0x82,0x03,0xF8,0x30,0x82,0x02,0xE0,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x23, - 0x69,0x74,0x04,0xAD,0xCB,0x83,0x14,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, - 
0x55,0x04,0x0B,0x13,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, - 0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, - 0x74,0x79,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70, - 0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x34, - 0x30,0x33,0x30,0x38,0x30,0x31,0x35,0x33,0x30,0x34,0x5A,0x17,0x0D,0x32,0x39,0x30, - 0x33,0x30,0x38,0x30,0x31,0x35,0x33,0x30,0x34,0x5A,0x30,0x6D,0x31,0x27,0x30,0x25, - 0x06,0x03,0x55,0x04,0x03,0x0C,0x1E,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,0x72, - 0x76,0x65,0x72,0x20,0x41,0x75,0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,0x69, - 0x6F,0x6E,0x20,0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17, - 0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75, - 0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A, - 0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09, - 0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, - 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, - 0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB9,0x26,0x16,0xB0,0xCB,0x87, - 0xAB,0x71,0x15,0x92,0x8E,0xDF,0xAA,0x3E,0xE1,0x80,0xD7,0x53,0xBA,0xA4,0x60,0xCC, - 0x7C,0x85,0x72,0xF7,0x30,0x7C,0x09,0x4F,0x57,0x0D,0x4A,0xFF,0xE1,0x5E,0xC9,0x4B, - 0x50,0x13,0x02,0x64,0xB1,0xBD,0x39,0x35,0xD1,0xD7,0x04,0x51,0xC1,0x18,0xFA,0x22, - 0xFA,0xAE,0xDF,0x98,0x18,0xD6,0xBF,0x4E,0x4D,0x43,0x10,0xFA,0x25,0x88,0x9F,0xD3, - 0x40,0x85,0x76,0xE5,0x22,0x81,0xB6,0x54,0x45,0x73,0x9A,0x8B,0xE3,0x9C,0x48,0x1A, - 0x86,0x7A,0xC3,0x51,0xE2,0xDA,0x95,0xF8,0xA4,0x7D,0xDB,0x30,0xDE,0x6C,0x0E,0xC4, - 0xC5,0xF5,0x6C,0x98,0xE7,0xA6,0xFA,0x57,0x20,0x1D,0x19,0x73,0x7A,0x0E,0xCD,0x63, - 0x0F,0xB7,0x27,0x88,0x2E,0xE1,0x9A,0x68,0x82,0xB8,0x40,0x6C,0x63,0x16,0x24,0x66, - 0x2B,0xE7,0xB2,0xE2,0x54,0x7D,0xE7,0x88,0x39,0xA2,0x1B,0x81,0x3E,0x02,0xD3,0x39, - 
0xD8,0x97,0x77,0x4A,0x32,0x0C,0xD6,0x0A,0x0A,0xB3,0x04,0x9B,0xF1,0x72,0x6F,0x63, - 0xA8,0x15,0x1E,0x6C,0x37,0xE8,0x0F,0xDB,0x53,0x90,0xD6,0x29,0x5C,0xBC,0x6A,0x57, - 0x9B,0x46,0x78,0x0A,0x3E,0x24,0xEA,0x9A,0x3F,0xA1,0xD8,0x3F,0xF5,0xDB,0x6E,0xA8, - 0x6C,0x82,0xB5,0xDD,0x99,0x38,0xEC,0x92,0x56,0x94,0xA6,0xC5,0x73,0x26,0xD1,0xAE, - 0x08,0xB2,0xC6,0x52,0xE7,0x8E,0x76,0x4B,0x89,0xB8,0x54,0x0F,0x6E,0xE0,0xD9,0x42, - 0xDB,0x2A,0x65,0x87,0x46,0x14,0xBB,0x96,0xB8,0x57,0xBB,0x51,0xE6,0x84,0x13,0xF7, - 0x0D,0xA1,0xB6,0x89,0xAC,0x7C,0xD1,0x21,0x74,0xAB,0x02,0x03,0x01,0x00,0x01,0xA3, - 0x81,0xA6,0x30,0x81,0xA3,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14, - 0x2C,0xC5,0x6D,0x52,0xDD,0x31,0xEF,0x8C,0xEC,0x08,0x81,0xED,0xDF,0xDC,0xCA,0x43, - 0x00,0x45,0x01,0xD0,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05, - 0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, - 0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D,0x2E,0x40,0xA6, - 0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x2E,0x06,0x03,0x55,0x1D,0x1F,0x04,0x27,0x30, - 0x25,0x30,0x23,0xA0,0x21,0xA0,0x1F,0x86,0x1D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, - 0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x72,0x6F, - 0x6F,0x74,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF, - 0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63, - 0x64,0x06,0x02,0x0C,0x04,0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, - 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x23,0xF1,0x06,0x7E, - 0x50,0x41,0x81,0xA2,0x5E,0xD3,0x70,0xA4,0x49,0x91,0xAF,0xD8,0xCC,0x67,0x8C,0xA1, - 0x25,0x7D,0xC4,0x9A,0x93,0x39,0x2F,0xD8,0x69,0xFB,0x1B,0x41,0x5B,0x44,0xD7,0xD9, - 0x6B,0xCB,0x3B,0x25,0x09,0x1A,0xF2,0xF4,0xE3,0xC7,0x9C,0xE8,0xB0,0x5B,0xF0,0xDF, - 0xDD,0x22,0x25,0x11,0x15,0x93,0xB9,0x49,0x5E,0xDA,0x0C,0x66,0x7A,0x5E,0xD7,0x6F, - 0xF0,0x63,0xD4,0x65,0x8C,0xC4,0x7A,0x54,0x7D,0x56,0x4F,0x65,0x9A,0xFD,0xDA,0xC4, - 
0xB2,0xC8,0xB0,0xB8,0xA1,0xCB,0x7D,0xE0,0x47,0xA8,0x40,0x15,0xB8,0x16,0x19,0xED, - 0x5B,0x61,0x8E,0xDF,0xAA,0xD0,0xCD,0xD2,0x3A,0xC0,0x7E,0x3A,0x9F,0x22,0x4E,0xDF, - 0xDF,0xF4,0x4E,0x1A,0xCD,0x93,0xFF,0xD0,0xF0,0x45,0x55,0x64,0x33,0x3E,0xD4,0xE5, - 0xDA,0x68,0xA0,0x13,0x8A,0x76,0x30,0x27,0xD4,0xBF,0xF8,0x1E,0x76,0xF6,0xF9,0xC3, - 0x00,0xEF,0xB1,0x83,0xEA,0x53,0x6D,0x5C,0x35,0xC7,0x0D,0x07,0x01,0xBA,0xF8,0x61, - 0xB9,0xFE,0xC5,0x9A,0x6B,0x43,0x61,0x81,0x03,0xEB,0xBA,0x5F,0x70,0x9D,0xE8,0x6F, - 0x94,0x24,0x4B,0xDC,0xCE,0x92,0xA8,0x2E,0xA2,0x35,0x3C,0xE3,0x49,0xE0,0x16,0x77, - 0xA2,0xDC,0x6B,0xB9,0x8D,0x18,0x42,0xB9,0x36,0x96,0x43,0x32,0xC6,0xCB,0x76,0x99, - 0x35,0x36,0xD8,0x56,0xC6,0x98,0x5D,0xC3,0x6F,0xA5,0x7E,0x95,0xC2,0xD5,0x7A,0x0A, - 0x02,0x20,0x66,0x78,0x92,0xF2,0x67,0xA4,0x23,0x0D,0xE8,0x09,0xBD,0xCC,0x21,0x31, - 0x10,0xA0,0xBD,0xBE,0xB5,0xDD,0x4C,0xDD,0x46,0x03,0x99,0x99, -}; - -static const UInt8 kTestAppleServerAuthLeafCert[] = { - 0x30,0x82,0x04,0x09,0x30,0x82,0x02,0xF1,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x16, - 0x18,0xA0,0xD4,0x51,0xA2,0x9E,0x3B,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x6D,0x31,0x27,0x30,0x25,0x06,0x03,0x55,0x04, - 0x03,0x0C,0x1E,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20, - 0x41,0x75,0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43, - 0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74, - 0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72, - 0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x34,0x30,0x33,0x31,0x39,0x32, - 0x33,0x34,0x36,0x32,0x38,0x5A,0x17,0x0D,0x31,0x35,0x30,0x34,0x31,0x38,0x32,0x33, - 0x34,0x36,0x32,0x38,0x5A,0x30,0x50,0x31,0x1A,0x30,0x18,0x06,0x03,0x55,0x04,0x03, - 
0x0C,0x11,0x74,0x65,0x73,0x74,0x2E,0x6E,0x6F,0x73,0x75,0x63,0x68,0x64,0x6F,0x6D, - 0x61,0x69,0x6E,0x31,0x10,0x30,0x0E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x07,0x43,0x6F, - 0x72,0x65,0x20,0x4F,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03, - 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A, - 0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30, - 0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB8,0x1C,0xEF,0xB4,0x53,0x87,0x41,0x75, - 0x73,0x4E,0xDA,0xB3,0xAB,0x82,0x30,0x19,0x37,0x9D,0x29,0x2E,0x95,0xD2,0x2A,0x43, - 0x9C,0x1B,0x39,0xD4,0xBA,0xCD,0xAD,0x82,0xE4,0xBC,0x6F,0xA1,0x94,0x1C,0x75,0xBB, - 0xCD,0x21,0x95,0x1C,0x7B,0x13,0x92,0x13,0x4F,0x19,0xDE,0x1A,0x98,0x6D,0xA3,0xD4, - 0xC2,0x6F,0xCC,0xB6,0x4F,0xF1,0x3E,0xCA,0x09,0xC3,0x76,0xA4,0xB9,0x34,0xF5,0x41, - 0x67,0x78,0x3E,0xC5,0x9B,0x22,0xE1,0xC9,0x9B,0x2D,0x93,0x27,0x21,0x3A,0x55,0x0E, - 0xDF,0x3A,0x07,0xB4,0x52,0xC8,0x34,0x94,0x13,0x0F,0x8B,0x2E,0xAE,0x62,0x4B,0xA5, - 0xFC,0xD2,0x3C,0x41,0x53,0x62,0x8A,0xF7,0x26,0xD7,0xE4,0x23,0xF0,0x85,0xEA,0xBA, - 0x01,0x1E,0x88,0x18,0xEC,0xC9,0x45,0xC9,0xA1,0x03,0xCF,0x3A,0x1E,0xDC,0x82,0x1A, - 0xC5,0x99,0x93,0xC6,0x55,0xA8,0x06,0xDA,0xBB,0x29,0xDC,0x23,0x82,0xA6,0x5D,0x03, - 0x44,0xA6,0xF2,0xD9,0x4C,0xC0,0x32,0x82,0x41,0x9C,0xC8,0x86,0x58,0xDE,0xF3,0x53, - 0x6B,0xF7,0x5E,0x4B,0xFB,0x2F,0x81,0x3D,0x18,0xA0,0xBC,0xA3,0x6A,0x18,0x21,0xD3, - 0xC5,0xFA,0x93,0xCA,0xE6,0x02,0x8C,0x1D,0xE2,0xDC,0x8F,0x19,0xC6,0xB4,0xF9,0x91, - 0xF0,0x0E,0xEB,0x55,0xF1,0x8F,0x73,0x78,0x9D,0xFA,0x30,0x84,0x4D,0xAD,0x56,0x1C, - 0x39,0xA0,0x47,0x83,0x5F,0x7F,0x6B,0x67,0x5E,0xA3,0xCC,0xE8,0xA5,0xE9,0x8F,0x47, - 0x56,0x7A,0xA2,0x32,0x47,0xBB,0x94,0x47,0xD7,0x95,0xCD,0x20,0x2D,0x2F,0x07,0xF0, - 0xCA,0x14,0x87,0xE7,0xA9,0xE0,0x3D,0xED,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xC9, - 0x30,0x81,0xC6,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x1D,0x04, - 
0xFD,0x64,0x9B,0x64,0x95,0x70,0x6F,0x4C,0x0E,0x47,0x51,0xE7,0xBC,0xE2,0x28,0xC4, - 0xE9,0x43,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00, - 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x2C,0xC5,0x6D, - 0x52,0xDD,0x31,0xEF,0x8C,0xEC,0x08,0x81,0xED,0xDF,0xDC,0xCA,0x43,0x00,0x45,0x01, - 0xD0,0x30,0x3C,0x06,0x03,0x55,0x1D,0x1F,0x04,0x35,0x30,0x33,0x30,0x31,0xA0,0x2F, - 0xA0,0x2D,0x86,0x2B,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x73,0x65, - 0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30, - 0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x07,0x80,0x30, - 0x16,0x06,0x03,0x55,0x1D,0x25,0x01,0x01,0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B, - 0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7, - 0x63,0x64,0x06,0x1B,0x01,0x04,0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, - 0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x0E,0x66,0xD7, - 0x3C,0x7B,0xB1,0x93,0xAB,0x83,0x2D,0x9F,0xC1,0x10,0x3E,0x78,0x1D,0x24,0x81,0x17, - 0x7E,0x94,0x83,0xA3,0x46,0x73,0xF4,0xD0,0xAA,0xA7,0x9F,0x3C,0xF8,0x18,0xCF,0x8C, - 0x50,0x11,0x67,0x94,0x55,0xD9,0x35,0x1A,0x35,0xA6,0x31,0xDD,0x51,0x18,0xD4,0x65, - 0xB7,0x7A,0x47,0xBB,0xC5,0xA5,0xC4,0xA5,0x5A,0x0D,0x20,0x76,0xF6,0xAB,0x2D,0x36, - 0x81,0xDA,0x43,0xE4,0xAC,0x5F,0xC5,0xA5,0x28,0x9F,0x1E,0x29,0x41,0x5D,0xD1,0x51, - 0x0F,0xD5,0x5B,0x28,0x87,0x20,0x0C,0x9F,0x2E,0x95,0xA1,0xFD,0x42,0xBD,0xAE,0x25, - 0x3F,0x53,0x92,0x95,0xD3,0xB4,0x49,0xBE,0xA8,0xB2,0x29,0x7F,0x99,0x35,0xEE,0x81, - 0x2A,0x4D,0xB5,0x00,0x64,0xCB,0xEA,0xBB,0x11,0xAC,0xBC,0x1C,0x04,0xF3,0x83,0x79, - 0x8D,0xBD,0x68,0x81,0xBF,0x25,0xBA,0x54,0xAB,0xC0,0x1E,0x75,0x8E,0x4E,0xE1,0xBF, - 0x29,0x1B,0xA7,0x2F,0xFD,0x91,0x64,0xEE,0xA0,0x96,0xD4,0xAB,0xED,0x6F,0x77,0x3A, - 0x87,0xE6,0x44,0xF6,0xAF,0xD2,0x7D,0x0D,0xBB,0x77,0x20,0xF4,0x1D,0x2E,0xA9,0x74, - 
0x7B,0x8E,0xF6,0x34,0xA4,0x37,0x82,0x25,0x77,0x82,0x44,0x74,0xF9,0xAB,0xC6,0x62,
- 0x1D,0xDF,0x34,0xBB,0x1C,0x09,0x30,0xD7,0x0F,0xAC,0xDA,0x9E,0x6F,0x30,0xAF,0xD6,
- 0xC1,0x82,0x85,0x48,0xCB,0xBA,0xBE,0x6A,0x7E,0x44,0x32,0x43,0x65,0x48,0x5B,0x53,
- 0x45,0xAD,0xC3,0x5D,0x22,0x89,0x40,0x36,0xE9,0xC4,0x86,0xFF,0x74,0x09,0x34,0x27,
- 0x14,0x36,0x61,0x84,0x37,0x18,0xE2,0x9F,0xD5,0x69,0xE2,0x38,0xDF,
-};
-
-
-static void test_apple_server_auth_policy()
-{
- CFDateRef date=NULL;
- CFArrayRef policies=NULL;
- SecPolicyRef policy=NULL;
- SecTrustRef trust=NULL;
- SecCertificateRef cert0=NULL, cert1=NULL;
- CFMutableArrayRef certs=NULL;
- SecTrustResultType trustResult;
- CFIndex chainLen;
-
- isnt(cert0 = SecCertificateCreateWithBytes(NULL, kTestAppleServerAuthLeafCert, sizeof(kTestAppleServerAuthLeafCert)),
- NULL, "create cert0");
- isnt(cert1 = SecCertificateCreateWithBytes(NULL, kTestAppleServerAuthCACert, sizeof(kTestAppleServerAuthCACert)),
- NULL, "create cert1");
- // these chain to the Apple Root CA so it is not provided
-
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs, cert0);
- CFArrayAppendValue(certs, cert1);
-
- /* Case 1: success */
- isnt(policy = SecPolicyCreateAppleSSLService(CFSTR("test.nosuchdomain")), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 20, 12, 0, 0),
- NULL, "create verify date");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
- chainLen = SecTrustGetCertificateCount(trust);
- ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen);
- CFRelease(trust);
- trust = NULL;
-
- CFReleaseSafe(cert0);
- CFReleaseSafe(cert1);
- CFReleaseSafe(certs);
-}
-
-static void test_apple_corp_ca_policy()
-{
- CFDateRef date=NULL;
- CFArrayRef policies=NULL;
- SecPolicyRef policy=NULL;
- SecTrustRef trust=NULL;
- SecCertificateRef cert0=NULL, cert1=NULL, cert2=NULL;
- CFMutableArrayRef certs=NULL, servers=NULL, anchors=NULL;
-
- SecTrustResultType trustResult;
- CFIndex chainLen;
-
- isnt(cert0 = SecCertificateCreateWithBytes(NULL, kTestAppleVPNLeafCert, sizeof(kTestAppleVPNLeafCert)),
- NULL, "create cert0");
- isnt(cert1 = SecCertificateCreateWithBytes(NULL, kTestAppleVPNCACert, sizeof(kTestAppleVPNCACert)),
- NULL, "create cert1");
- isnt(cert2 = SecCertificateCreateWithBytes(NULL, kTestAppleCorpCACert, sizeof(kTestAppleCorpCACert)),
- NULL, "create cert2");
-
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs, cert0);
- CFArrayAppendValue(certs, cert1);
- CFArrayAppendValue(certs, cert2);
- isnt(anchors = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create anchors array");
- CFArrayAppendValue(anchors, cert2);
-
- /* Case 1: SSL server (expected to fail) */
- isnt(policy = SecPolicyCreateSSL(true, CFSTR("com.apple.ist.ds.appleconnect2.production.vpn.8F2B3ADCD72ED2EA08DDC26AD0255A983B1DEBEB")), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 20, 12, 0, 0),
- NULL, "create verify date");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
- ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
- (int)trustResult);
- chainLen = SecTrustGetCertificateCount(trust);
- ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen);
- CFRelease(trust);
- trust = NULL;
-
- /* Case 2: SSL client (expected to pass) */
- isnt(policy = SecPolicyCreateSSL(false, NULL), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 20, 12, 0, 0),
- NULL, "create verify date");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
- ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
- chainLen = SecTrustGetCertificateCount(trust);
- ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen);
- CFRelease(trust);
- trust = NULL;
-
- /* Case 3: EAP server (expected to fail) */
- isnt(servers = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(servers, CFSTR("com.apple.ist.ds.appleconnect2.production.vpn.8F2B3ADCD72ED2EA08DDC26AD0255A983B1DEBEB"));
- isnt(policy = SecPolicyCreateEAP(true, servers), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust");
-
CFRelease(policies); - policies = NULL; - isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 20, 12, 0, 0), - NULL, "create verify date"); - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - CFReleaseSafe(date); - date = NULL; - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)", - (int)trustResult); - chainLen = SecTrustGetCertificateCount(trust); - ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen); - CFRelease(trust); - trust = NULL; - - /* Case 4: EAP client (expected to pass) */ - isnt(servers = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array"); - CFArrayAppendValue(servers, CFSTR("com.apple.ist.ds.appleconnect2.production.vpn.8F2B3ADCD72ED2EA08DDC26AD0255A983B1DEBEB")); - isnt(policy = SecPolicyCreateEAP(false, servers), NULL, "create policy"); - policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks); - CFRelease(policy); - policy = NULL; - ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust"); - CFRelease(policies); - policies = NULL; - isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 20, 12, 0, 0), - NULL, "create verify date"); - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - CFReleaseSafe(date); - date = NULL; - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)", - (int)trustResult); - chainLen = SecTrustGetCertificateCount(trust); - ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen); - CFRelease(trust); - trust = NULL; - - /* Case 5: IPsec client (expected to pass) */ - isnt(policy = SecPolicyCreateIPSec(false, 
NULL), NULL, "create policy"); - policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks); - CFRelease(policy); - policy = NULL; - ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust"); - CFRelease(policies); - policies = NULL; - isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2014, 7, 20, 12, 0, 0), - NULL, "create verify date"); - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - CFReleaseSafe(date); - date = NULL; - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); - ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)", - (int)trustResult); - chainLen = SecTrustGetCertificateCount(trust); - ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen); - CFRelease(trust); - trust = NULL; - - CFReleaseSafe(cert0); - CFReleaseSafe(cert1); - CFReleaseSafe(cert2); - CFReleaseSafe(certs); - CFReleaseSafe(servers); - CFReleaseSafe(anchors); -} - -static void tests(void) -{ - test_apple_server_auth_policy(); - test_apple_corp_ca_policy(); -} - -int si_81_sectrust_server_auth(int argc, char *const *argv) -{ - plan_tests(57); - - tests(); - - return 0; -} diff --git a/OSX/sec/Security/Regressions/secitem/si-82-token-ag.c b/OSX/sec/Security/Regressions/secitem/si-82-token-ag.c new file mode 100644 index 00000000..3cdc50bb --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-82-token-ag.c 
@@ -0,0 +1,33 @@
+//
+// si-82-token-ag.c
+// Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
+//
+//
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/SecItem.h>
+#include <Security/SecItemPriv.h>
+#include <Security/SecBase.h>
+#include <utilities/array_size.h>
+#include <utilities/SecCFWrappers.h>
+
+#include "Security_regressions.h"
+
+static void tests(void) {
+ CFMutableDictionaryRef dict = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
+ CFDictionaryAddValue(dict, kSecClass, kSecClassGenericPassword);
+ CFDictionaryAddValue(dict, kSecAttrService, CFSTR("test"));
+ CFDictionaryAddValue(dict, kSecAttrAccessGroup, kSecAttrAccessGroupToken);
+
+ ok_status(SecItemAdd(dict, NULL));
+ ok_status(SecItemDelete(dict));
+
+ CFRelease(dict);
+}
+
+int si_82_token_ag(int argc, char *const *argv) {
+
+ plan_tests(2);
+ tests();
+ return 0;
+}
diff --git a/OSX/sec/Security/Regressions/secitem/si-83-seccertificate-sighashalg.c b/OSX/sec/Security/Regressions/secitem/si-83-seccertificate-sighashalg.c
index ab463064..bbbf794b 100644
--- a/OSX/sec/Security/Regressions/secitem/si-83-seccertificate-sighashalg.c
+++ b/OSX/sec/Security/Regressions/secitem/si-83-seccertificate-sighashalg.c
@@ -9,12 +9,11 @@
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/SecCertificate.h>
 #include <Security/SecCertificatePriv.h>
-#include <Security/SecCertificateInternal.h>
 #include <utilities/SecCFWrappers.h>
 #include <stdlib.h>
 #include <unistd.h>
 
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 
 /* prototypes */
 int si_83_seccertificate_sighashalg(int argc, char *const *argv);
diff --git a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-atv-appsigning.c b/OSX/sec/Security/Regressions/secitem/si-84-sectrust-atv-appsigning.c
deleted file mode 100644
index ff2046e4..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-84-sectrust-atv-appsigning.c
+++ /dev/null
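Review bot: The new test in si-82-token-ag.c does no cleanup before `SecItemAdd`, so if an earlier run was interrupted after the add (or the item otherwise survives in the keychain), the add fails with errSecDuplicateItem and the first `ok_status` reports a spurious failure; a best-effort `SecItemDelete(dict);` before the add, with its result deliberately ignored, would make the test self-contained. Both `ok_status` calls omit a test description, so a failure gives no hint of which step broke — `ok_status(SecItemAdd(dict, NULL), "add item in token access group");` and a matching description on the delete would help. The dictionary is created with NULL key and value callbacks, which works here only because every key and value is a CF constant compared by pointer identity; `&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks` is the usual choice and also retains the values. `<utilities/array_size.h>` appears to be unused in this file.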
@@ -1,478 +0,0 @@ -/* - * si-84-sectrust-atv-appsigning.c - * Security - * - * Copyright (c) 2015 Apple Inc. All Rights Reserved. - * - */ - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecCertificate.h> -#include <Security/SecCertificatePriv.h> -#include <Security/SecCertificateInternal.h> -#include <Security/SecItem.h> -#include <Security/SecItemPriv.h> -#include <Security/SecIdentityPriv.h> -#include <Security/SecIdentity.h> -#include <Security/SecPolicy.h> -#include <Security/SecPolicyPriv.h> -#include <Security/SecPolicyInternal.h> -#include <Security/SecCMS.h> -#include <utilities/SecCFWrappers.h> -#include <stdlib.h> -#include <unistd.h> - -#include "Security_regressions.h" - -/* subject:/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ -static const UInt8 kWwdrAnchorCertificate[] = { - 0x30,0x82,0x04,0x23,0x30,0x82,0x03,0x0B,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x19, - 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, - 0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, - 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, - 0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, - 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06, - 0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74, - 0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x38,0x30,0x32,0x31,0x34,0x31,0x38,0x35, - 0x36,0x33,0x35,0x5A,0x17,0x0D,0x31,0x36,0x30,0x32,0x31,0x34,0x31,0x38,0x35,0x36, - 0x33,0x35,0x5A,0x30,0x81,0x96,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, - 
0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04, - 0x0B,0x0C,0x23,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77,0x69, - 0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65,0x6C, - 0x61,0x74,0x69,0x6F,0x6E,0x73,0x31,0x44,0x30,0x42,0x06,0x03,0x55,0x04,0x03,0x0C, - 0x3B,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77,0x69,0x64,0x65, - 0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65,0x6C,0x61,0x74, - 0x69,0x6F,0x6E,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, - 0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x01,0x22, - 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, - 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xCA,0x38,0x54, - 0xA6,0xCB,0x56,0xAA,0xC8,0x24,0x39,0x48,0xE9,0x8C,0xEE,0xEC,0x5F,0xB8,0x7F,0x26, - 0x91,0xBC,0x34,0x53,0x7A,0xCE,0x7C,0x63,0x80,0x61,0x77,0x64,0x5E,0xA5,0x07,0x23, - 0xB6,0x39,0xFE,0x50,0x2D,0x15,0x56,0x58,0x70,0x2D,0x7E,0xC4,0x6E,0xC1,0x4A,0x85, - 0x3E,0x2F,0xF0,0xDE,0x84,0x1A,0xA1,0x57,0xC9,0xAF,0x7B,0x18,0xFF,0x6A,0xFA,0x15, - 0x12,0x49,0x15,0x08,0x19,0xAC,0xAA,0xDB,0x2A,0x32,0xED,0x96,0x63,0x68,0x52,0x15, - 0x3D,0x8C,0x8A,0xEC,0xBF,0x6B,0x18,0x95,0xE0,0x03,0xAC,0x01,0x7D,0x97,0x05,0x67, - 0xCE,0x0E,0x85,0x95,0x37,0x6A,0xED,0x09,0xB6,0xAE,0x67,0xCD,0x51,0x64,0x9F,0xC6, - 0x5C,0xD1,0xBC,0x57,0x6E,0x67,0x35,0x80,0x76,0x36,0xA4,0x87,0x81,0x6E,0x38,0x8F, - 0xD8,0x2B,0x15,0x4E,0x7B,0x25,0xD8,0x5A,0xBF,0x4E,0x83,0xC1,0x8D,0xD2,0x93,0xD5, - 0x1A,0x71,0xB5,0x60,0x9C,0x9D,0x33,0x4E,0x55,0xF9,0x12,0x58,0x0C,0x86,0xB8,0x16, - 0x0D,0xC1,0xE5,0x77,0x45,0x8D,0x50,0x48,0xBA,0x2B,0x2D,0xE4,0x94,0x85,0xE1,0xE8, - 0xC4,0x9D,0xC6,0x68,0xA5,0xB0,0xA3,0xFC,0x67,0x7E,0x70,0xBA,0x02,0x59,0x4B,0x77, - 0x42,0x91,0x39,0xB9,0xF5,0xCD,0xE1,0x4C,0xEF,0xC0,0x3B,0x48,0x8C,0xA6,0xE5,0x21, - 0x5D,0xFD,0x6A,0x6A,0xBB,0xA7,0x16,0x35,0x60,0xD2,0xE6,0xAD,0xF3,0x46,0x29,0xC9, - 
0xE8,0xC3,0x8B,0xE9,0x79,0xC0,0x6A,0x61,0x67,0x15,0xB2,0xF0,0xFD,0xE5,0x68,0xBC, - 0x62,0x5F,0x6E,0xCF,0x99,0xDD,0xEF,0x1B,0x63,0xFE,0x92,0x65,0xAB,0x02,0x03,0x01, - 0x00,0x01,0xA3,0x81,0xAE,0x30,0x81,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, - 0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x86,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01, - 0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, - 0x04,0x16,0x04,0x14,0x88,0x27,0x17,0x09,0xA9,0xB6,0x18,0x60,0x8B,0xEC,0xEB,0xBA, - 0xF6,0x47,0x59,0xC5,0x52,0x54,0xA3,0xB7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04, - 0x18,0x30,0x16,0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D, - 0x2E,0x40,0xA6,0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x36,0x06,0x03,0x55,0x1D,0x1F, - 0x04,0x2F,0x30,0x2D,0x30,0x2B,0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70, - 0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, - 0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x72,0x6F,0x6F,0x74,0x2E,0x63,0x72, - 0x6C,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x01,0x04, - 0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, - 0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xDA,0x32,0x00,0x96,0xC5,0x54,0x94,0xD3,0x3B, - 0x82,0x37,0x66,0x7D,0x2E,0x68,0xD5,0xC3,0xC6,0xB8,0xCB,0x26,0x8C,0x48,0x90,0xCF, - 0x13,0x24,0x6A,0x46,0x8E,0x63,0xD4,0xF0,0xD0,0x13,0x06,0xDD,0xD8,0xC4,0xC1,0x37, - 0x15,0xF2,0x33,0x13,0x39,0x26,0x2D,0xCE,0x2E,0x55,0x40,0xE3,0x0B,0x03,0xAF,0xFA, - 0x12,0xC2,0xE7,0x0D,0x21,0xB8,0xD5,0x80,0xCF,0xAC,0x28,0x2F,0xCE,0x2D,0xB3,0x4E, - 0xAF,0x86,0x19,0x04,0xC6,0xE9,0x50,0xDD,0x4C,0x29,0x47,0x10,0x23,0xFC,0x6C,0xBB, - 0x1B,0x98,0x6B,0x48,0x89,0xE1,0x5B,0x9D,0xDE,0x46,0xDB,0x35,0x85,0x35,0xEF,0x3E, - 0xD0,0xE2,0x58,0x4B,0x38,0xF4,0xED,0x75,0x5A,0x1F,0x5C,0x70,0x1D,0x56,0x39,0x12, - 0xE5,0xE1,0x0D,0x11,0xE4,0x89,0x25,0x06,0xBD,0xD5,0xB4,0x15,0x8E,0x5E,0xD0,0x59, - 0x97,0x90,0xE9,0x4B,0x81,0xE2,0xDF,0x18,0xAF,0x44,0x74,0x1E,0x19,0xA0,0x3A,0x47, - 
0xCC,0x91,0x1D,0x3A,0xEB,0x23,0x5A,0xFE,0xA5,0x2D,0x97,0xF7,0x7B,0xBB,0xD6,0x87, - 0x46,0x42,0x85,0xEB,0x52,0x3D,0x26,0xB2,0x63,0xA8,0xB4,0xB1,0xCA,0x8F,0xF4,0xCC, - 0xE2,0xB3,0xC8,0x47,0xE0,0xBF,0x9A,0x59,0x83,0xFA,0xDA,0x98,0x53,0x2A,0x82,0xF5, - 0x7C,0x65,0x2E,0x95,0xD9,0x33,0x5D,0xF5,0xED,0x65,0xCC,0x31,0x37,0xC5,0x5A,0x04, - 0xE8,0x6B,0xE1,0xE7,0x88,0x03,0x4A,0x75,0x9E,0x9B,0x28,0xCB,0x4A,0x40,0x88,0x65, - 0x43,0x75,0xDD,0xCB,0x3A,0x25,0x23,0xC5,0x9E,0x57,0xF8,0x2E,0xCE,0xD2,0xA9,0x92, - 0x5E,0x73,0x2E,0x2F,0x25,0x75,0x15, -}; - -// Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority -// Subject: CN=TEST Apple TVOS Application Signing TEST, O=Apple Inc., C=US -static const UInt8 kTestATVAppSigningCert[] = { - 0x30, 0x82, 0x05, 0x52, 0x30, 0x82, 0x04, 0x3a, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x29, 0x7b, 0x51, 0x36, 0x47, 0xa4, 0x6f, 0x23, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x0c, 0x23, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c, - 0x64, 0x77, 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f, - 0x70, 0x65, 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x31, 0x44, 0x30, 0x42, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x3b, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x77, - 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, - 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, - 0x1e, 0x17, 
0x0d, 0x31, 0x35, 0x30, 0x32, 0x30, 0x36, 0x32, 0x33, 0x35, - 0x33, 0x31, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x32, 0x30, 0x37, - 0x32, 0x31, 0x34, 0x38, 0x34, 0x37, 0x5a, 0x30, 0x55, 0x31, 0x31, 0x30, - 0x2f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x28, 0x54, 0x45, 0x53, 0x54, - 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x54, 0x56, 0x4f, 0x53, 0x20, - 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, - 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x54, 0x45, 0x53, 0x54, - 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, - 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, - 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, - 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc9, 0x74, 0x71, 0x4a, 0x58, - 0x65, 0xdf, 0x19, 0x27, 0x08, 0x97, 0x9b, 0xf3, 0x12, 0x14, 0x8e, 0xa2, - 0xd0, 0xa2, 0x1e, 0x1d, 0x46, 0xae, 0xdf, 0xc4, 0xef, 0x57, 0xc0, 0x82, - 0x5f, 0xb9, 0xe5, 0x63, 0x53, 0x57, 0xad, 0xaa, 0x32, 0x84, 0x6f, 0xbe, - 0xdf, 0x65, 0x1f, 0x73, 0x0a, 0x85, 0x55, 0x3a, 0xb3, 0xcf, 0x43, 0x02, - 0x18, 0xe4, 0xad, 0x04, 0xa0, 0x83, 0x89, 0x3d, 0x6f, 0xfa, 0xdf, 0xb3, - 0x82, 0xa2, 0xb2, 0x6d, 0x46, 0x63, 0x4d, 0x88, 0x0a, 0xe7, 0x96, 0x68, - 0x3b, 0x6f, 0x96, 0xf8, 0xa9, 0x92, 0x18, 0x15, 0x0d, 0xf4, 0xe9, 0x44, - 0xf5, 0x62, 0xf1, 0x50, 0x4d, 0x86, 0x60, 0x5b, 0x89, 0x72, 0x3c, 0x53, - 0x8a, 0xda, 0x3a, 0x4f, 0x1d, 0x58, 0x1a, 0xc2, 0xaf, 0x46, 0x0c, 0x6d, - 0x53, 0x6d, 0xa3, 0x4d, 0x36, 0xa0, 0xfe, 0x54, 0xc6, 0xdd, 0x94, 0x01, - 0x43, 0xc1, 0xdf, 0x62, 0xd2, 0x2e, 0x76, 0x96, 0x10, 0x29, 0x30, 0x4f, - 0x51, 0x35, 0x5d, 0x5f, 0x10, 0x32, 0x0f, 0xec, 0xad, 0xd0, 0x0a, 0xc1, - 0xde, 0x7f, 0x7d, 0xcc, 0xa7, 0x4b, 0x67, 0x5e, 0x97, 0xbf, 0x45, 0x9f, - 0x0b, 0x68, 0x93, 0x0b, 0x42, 0x7b, 0x49, 0xf9, 0xda, 0x3d, 0xa3, 0x5e, - 0x22, 0x6b, 
0x48, 0x2d, 0x86, 0x96, 0x25, 0xc1, 0x78, 0x11, 0xad, 0x7f, - 0x70, 0x43, 0x49, 0x05, 0x8d, 0x59, 0xe2, 0x80, 0x51, 0x79, 0x58, 0x5c, - 0xfb, 0x75, 0x6c, 0xa0, 0x7f, 0x62, 0xf5, 0x7d, 0xc1, 0xe7, 0xf8, 0x06, - 0x85, 0x9f, 0xb3, 0xaa, 0x90, 0x98, 0x53, 0x8d, 0x7b, 0x40, 0x04, 0x71, - 0xf4, 0xa4, 0xce, 0xa0, 0x20, 0x3d, 0x77, 0x32, 0xf5, 0x94, 0x20, 0x54, - 0xa2, 0xe2, 0x98, 0x8c, 0x38, 0x63, 0x94, 0xe5, 0x73, 0xa1, 0xcc, 0xcc, - 0xe4, 0x11, 0x34, 0xfb, 0xff, 0x41, 0x63, 0x2c, 0x39, 0xaf, 0x39, 0x02, - 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xe2, 0x30, 0x82, 0x01, 0xde, - 0x30, 0x47, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, - 0x04, 0x3b, 0x30, 0x39, 0x30, 0x37, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x30, 0x01, 0x86, 0x2b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, - 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x34, 0x2d, 0x61, - 0x70, 0x70, 0x6c, 0x65, 0x77, 0x77, 0x64, 0x72, 0x63, 0x61, 0x32, 0x30, - 0x34, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x0a, 0x14, 0xfb, 0x9f, 0x6f, 0x4e, 0x79, 0xc0, 0xbb, 0xc8, 0xa5, 0x35, - 0xeb, 0x06, 0x6a, 0xe7, 0x45, 0x6a, 0x61, 0xad, 0x30, 0x0c, 0x06, 0x03, - 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1f, - 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x88, - 0x27, 0x17, 0x09, 0xa9, 0xb6, 0x18, 0x60, 0x8b, 0xec, 0xeb, 0xba, 0xf6, - 0x47, 0x59, 0xc5, 0x52, 0x54, 0xa3, 0xb7, 0x30, 0x82, 0x01, 0x1d, 0x06, - 0x03, 0x55, 0x1d, 0x20, 0x04, 0x82, 0x01, 0x14, 0x30, 0x82, 0x01, 0x10, - 0x30, 0x82, 0x01, 0x0c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, - 0x64, 0x05, 0x01, 0x30, 0x81, 0xfe, 0x30, 0x81, 0xc3, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x81, 0xb6, 0x0c, 0x81, - 0xb3, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x6e, - 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 
0x61, 0x74, 0x65, 0x20, 0x62, 0x79, 0x20, 0x61, 0x6e, 0x79, - 0x20, 0x70, 0x61, 0x72, 0x74, 0x79, 0x20, 0x61, 0x73, 0x73, 0x75, 0x6d, - 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x61, 0x6e, 0x63, - 0x65, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74, 0x68, 0x65, - 0x6e, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x62, 0x6c, 0x65, - 0x20, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x20, 0x74, 0x65, - 0x72, 0x6d, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x6f, 0x6e, 0x64, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6f, 0x66, 0x20, 0x75, 0x73, - 0x65, 0x2c, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x20, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x61, 0x6e, - 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, 0x74, 0x69, 0x63, 0x65, - 0x20, 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, - 0x30, 0x36, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, - 0x16, 0x2a, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, - 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x61, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x30, 0x0e, 0x06, 0x03, - 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, - 0x30, 0x14, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x06, - 0x01, 0x18, 0x01, 0x01, 0x01, 0xff, 0x04, 0x02, 0x05, 0x00, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x58, 0xef, 0x32, 0x6c, 0x48, 0x29, - 0xfa, 0x5e, 0x5e, 0x32, 0xa6, 0xbe, 0xe4, 0xd2, 0x3e, 0x72, 0xcf, 0xb9, - 0x74, 0x62, 0x84, 0x90, 0xa1, 0x5f, 0xbb, 0xd3, 0x3d, 0x67, 0x19, 0xf4, - 0x1b, 0xa1, 0x31, 0x38, 0xe0, 0xdb, 0xe4, 0x14, 0x6d, 0x9e, 0x99, 0x34, - 0xd3, 0x53, 0x97, 0xb4, 0xaa, 0x63, 0x61, 0x56, 0xac, 0x1e, 0x70, 0x54, - 0x98, 0x18, 
0x2d, 0xc9, 0xa8, 0x31, 0x21, 0x95, 0x64, 0x25, 0xc1, 0x3e, - 0xfa, 0xbb, 0xc8, 0x13, 0x9b, 0x0c, 0xa5, 0xa5, 0xc2, 0x8e, 0x4e, 0xad, - 0x25, 0xef, 0xbe, 0x94, 0xe6, 0x0e, 0x91, 0x36, 0x44, 0xad, 0x93, 0x12, - 0x20, 0x3c, 0x3a, 0xc0, 0xfe, 0x6d, 0x47, 0xbe, 0xa1, 0x29, 0xde, 0x53, - 0xee, 0x6c, 0xee, 0x56, 0xec, 0xae, 0xeb, 0x08, 0x24, 0x3e, 0x43, 0xef, - 0x92, 0x6b, 0x2a, 0x66, 0x5c, 0x9f, 0x25, 0x77, 0x4e, 0x96, 0x45, 0x4d, - 0xd7, 0xac, 0xc0, 0xc8, 0xfe, 0xd2, 0x37, 0x52, 0xc8, 0xcb, 0xe3, 0x26, - 0xad, 0xb2, 0xd9, 0x90, 0x3f, 0x68, 0x93, 0xb5, 0x3f, 0x10, 0xd3, 0x61, - 0xb7, 0x09, 0x35, 0x42, 0xd4, 0xf4, 0xde, 0x3b, 0x42, 0x3e, 0x8c, 0xe1, - 0xe8, 0xa7, 0xcb, 0x24, 0x2c, 0x38, 0xd1, 0xa0, 0x99, 0x22, 0xd9, 0xab, - 0x3a, 0x39, 0xda, 0x78, 0x22, 0x2a, 0x01, 0xe2, 0xda, 0x30, 0x0b, 0x82, - 0xca, 0x7d, 0xe0, 0xca, 0xd0, 0x95, 0x13, 0x50, 0x4f, 0x85, 0x86, 0x83, - 0x3d, 0x3d, 0xa2, 0x2c, 0xeb, 0x46, 0x7c, 0x50, 0xc0, 0x5a, 0x60, 0x7b, - 0x70, 0xb5, 0x5f, 0xb7, 0xa8, 0x54, 0x81, 0xe7, 0xb0, 0xf2, 0x91, 0xc6, - 0xd6, 0xc1, 0xc4, 0xd6, 0xdb, 0xea, 0xfa, 0xf4, 0xf0, 0x6c, 0x00, 0xbf, - 0x0f, 0x71, 0xff, 0xb3, 0x6c, 0x59, 0x08, 0x2f, 0x28, 0xd3, 0xaf, 0xc3, - 0xd2, 0xde, 0xe1, 0x1a, 0x54, 0x76, 0xfe, 0x2c, 0x98, 0xf1, -}; - -// Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority -// Subject: CN=Apple TVOS Application Signing, O=Apple Inc., C=US -static const UInt8 kATVAppSigningCert[] = { - 0x30, 0x82, 0x05, 0x5f, 0x30, 0x82, 0x04, 0x47, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x34, 0xc4, 0xe1, 0x74, 0xfd, 0x82, 0xed, 0x21, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 
0x0b, - 0x0c, 0x23, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c, - 0x64, 0x77, 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f, - 0x70, 0x65, 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x31, 0x44, 0x30, 0x42, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x3b, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x77, - 0x69, 0x64, 0x65, 0x20, 0x44, 0x65, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, - 0x72, 0x20, 0x52, 0x65, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, - 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x36, 0x32, 0x36, 0x32, 0x32, 0x34, - 0x30, 0x31, 0x37, 0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x32, 0x30, 0x37, - 0x32, 0x31, 0x34, 0x38, 0x34, 0x37, 0x5a, 0x30, 0x4b, 0x31, 0x27, 0x30, - 0x25, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1e, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x20, 0x54, 0x56, 0x4f, 0x53, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, - 0x6e, 0x67, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, - 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, - 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xba, 0x8f, 0xd0, - 0x2b, 0xfb, 0x04, 0x41, 0x7e, 0xef, 0x73, 0xf1, 0x86, 0x5b, 0xce, 0xe8, - 0x0d, 0xb5, 0xec, 0x5f, 0xd9, 0x24, 0x49, 0x6d, 0x5c, 0x97, 0xeb, 0xb2, - 0xa6, 0xfb, 0x7c, 0x9f, 0xcf, 0xd0, 0x18, 0xfa, 0xa1, 0xdf, 0x9f, 0x4a, - 0x42, 0xc3, 0xc3, 0xd3, 0x46, 0x91, 0x8c, 0x74, 0x3b, 0x6e, 0x54, 0xb8, - 0xe7, 0xec, 0x10, 0x8b, 0xc0, 0x2f, 0xe8, 0x96, 0x86, 0xaa, 0x8b, 0xb7, - 0x8f, 0xee, 0x2a, 0x31, 0xf3, 0xaf, 0x04, 0x77, 0x16, 0x09, 0x9e, 
0xf9, - 0x9d, 0x30, 0x74, 0x5d, 0x9e, 0xb1, 0x11, 0x66, 0xef, 0x0d, 0x61, 0x1c, - 0xc2, 0xfe, 0x6b, 0x75, 0x80, 0x0e, 0x42, 0x14, 0x4e, 0xdc, 0x38, 0xfd, - 0x18, 0x22, 0x03, 0xe0, 0x51, 0xbd, 0xd0, 0xf3, 0x52, 0x36, 0xff, 0x83, - 0x90, 0xde, 0xbe, 0x60, 0xec, 0x82, 0x66, 0xad, 0x49, 0x54, 0x71, 0x39, - 0xdd, 0x48, 0xc3, 0x13, 0x99, 0xc2, 0xcc, 0x77, 0x55, 0x5e, 0x48, 0xeb, - 0xee, 0x34, 0x31, 0x04, 0xef, 0x7e, 0xe1, 0x42, 0x54, 0x10, 0xcf, 0x09, - 0x9c, 0x0d, 0xc4, 0x55, 0x3d, 0x30, 0x98, 0x78, 0xfb, 0x38, 0xac, 0xdb, - 0xd8, 0x63, 0x3f, 0x64, 0x07, 0x7f, 0x53, 0x4d, 0xc8, 0xbc, 0x60, 0x3e, - 0x89, 0x49, 0x88, 0x07, 0xb4, 0x80, 0x15, 0xd5, 0xc2, 0x13, 0x8b, 0xff, - 0x0c, 0x90, 0xb6, 0x67, 0x0c, 0xaf, 0xf4, 0xef, 0x5c, 0x9d, 0xba, 0xf3, - 0x95, 0x5b, 0xd2, 0x9a, 0x7e, 0x80, 0x8d, 0xc9, 0x6f, 0xcd, 0x75, 0xe5, - 0xb6, 0xfb, 0x61, 0x8b, 0x9c, 0x3b, 0xce, 0xc2, 0x4c, 0xba, 0xb7, 0xf6, - 0x48, 0xa6, 0x79, 0x4a, 0x34, 0xf1, 0xe1, 0x47, 0xba, 0x29, 0x5d, 0x04, - 0x26, 0x64, 0xee, 0x5e, 0x8e, 0x0c, 0x9d, 0xa7, 0x05, 0xe3, 0x58, 0xd7, - 0xe4, 0xb5, 0x4e, 0x7b, 0xdc, 0x2a, 0xab, 0xc1, 0xea, 0x82, 0x7d, 0xcb, - 0x93, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xf9, 0x30, 0x82, - 0x01, 0xf5, 0x30, 0x47, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x01, 0x01, 0x04, 0x3b, 0x30, 0x39, 0x30, 0x37, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x2b, 0x68, 0x74, 0x74, 0x70, - 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x61, 0x70, 0x70, 0x6c, - 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x34, - 0x2d, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x77, 0x77, 0x64, 0x72, 0x63, 0x61, - 0x32, 0x30, 0x33, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0x49, 0xaa, 0xae, 0x84, 0x57, 0x14, 0x56, 0x8f, 0x0b, 0xeb, - 0x63, 0x6b, 0x62, 0x75, 0x68, 0xfc, 0x5b, 0x8c, 0x77, 0xa1, 0x30, 0x0c, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, - 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 
0x80, - 0x14, 0x88, 0x27, 0x17, 0x09, 0xa9, 0xb6, 0x18, 0x60, 0x8b, 0xec, 0xeb, - 0xba, 0xf6, 0x47, 0x59, 0xc5, 0x52, 0x54, 0xa3, 0xb7, 0x30, 0x82, 0x01, - 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x82, 0x01, 0x14, 0x30, 0x82, - 0x01, 0x10, 0x30, 0x82, 0x01, 0x0c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x63, 0x64, 0x05, 0x01, 0x30, 0x81, 0xfe, 0x30, 0x81, 0xc3, 0x06, - 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x81, 0xb6, - 0x0c, 0x81, 0xb3, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, 0x20, - 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x62, 0x79, 0x20, 0x61, - 0x6e, 0x79, 0x20, 0x70, 0x61, 0x72, 0x74, 0x79, 0x20, 0x61, 0x73, 0x73, - 0x75, 0x6d, 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x61, - 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74, - 0x68, 0x65, 0x6e, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x62, - 0x6c, 0x65, 0x20, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, 0x20, - 0x74, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x6f, - 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6f, 0x66, 0x20, - 0x75, 0x73, 0x65, 0x2c, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x20, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, - 0x61, 0x6e, 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, 0x74, 0x69, - 0x63, 0x65, 0x20, 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x73, 0x2e, 0x30, 0x36, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x02, 0x01, 0x16, 0x2a, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, - 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x30, 0x0e, - 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 
0x02, - 0x07, 0x80, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, - 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x03, 0x03, 0x30, 0x13, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, - 0x64, 0x06, 0x01, 0x18, 0x01, 0x01, 0xff, 0x04, 0x02, 0x05, 0x00, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x9c, 0x07, 0xde, 0xde, 0xc2, - 0xfc, 0x6c, 0x94, 0xb1, 0x1a, 0x6a, 0x38, 0x75, 0xe0, 0x74, 0x70, 0xe9, - 0x9d, 0x47, 0xd6, 0xde, 0xcd, 0xd0, 0xdb, 0xed, 0x2f, 0x50, 0xfa, 0x0d, - 0xe3, 0xb9, 0x3d, 0x36, 0xc9, 0x4b, 0xee, 0x4e, 0xc4, 0x83, 0xb9, 0x7d, - 0x40, 0x01, 0x92, 0x3f, 0x18, 0x8a, 0x19, 0xe8, 0xac, 0x5d, 0xb1, 0xc1, - 0xd2, 0x30, 0x98, 0x85, 0x28, 0x91, 0x0c, 0x92, 0x71, 0x79, 0xec, 0x4b, - 0x51, 0xcc, 0xdf, 0x99, 0x71, 0x87, 0x04, 0x60, 0x09, 0x3e, 0xfa, 0x56, - 0x9f, 0x99, 0xa3, 0xef, 0x0c, 0x02, 0xd2, 0xdf, 0xcf, 0x18, 0xf2, 0x34, - 0x6e, 0x93, 0xd0, 0x0e, 0x81, 0xe4, 0x4e, 0x37, 0x7b, 0x1d, 0xe7, 0x8c, - 0xa6, 0x71, 0x6d, 0x95, 0x66, 0x7d, 0xc0, 0x80, 0x74, 0x71, 0xe1, 0xd7, - 0x97, 0x35, 0x9b, 0x26, 0xe9, 0x84, 0x4a, 0x96, 0x30, 0xfc, 0xf1, 0x26, - 0x23, 0x1d, 0xec, 0x71, 0x2f, 0x39, 0x40, 0x14, 0xaf, 0x34, 0x0e, 0x85, - 0x3c, 0xd0, 0x9e, 0x8d, 0x4e, 0xf8, 0x04, 0x0a, 0xc2, 0x3f, 0x44, 0x7d, - 0x19, 0x2d, 0xe7, 0xc0, 0xf1, 0xce, 0xa9, 0x2f, 0x6c, 0x79, 0xbd, 0x65, - 0x69, 0x3e, 0xf6, 0x76, 0x59, 0xeb, 0x70, 0x0c, 0xaf, 0x04, 0x44, 0x82, - 0x02, 0x15, 0x24, 0x3e, 0xc3, 0xe0, 0x9e, 0x5d, 0xa0, 0xe3, 0x66, 0x72, - 0x59, 0x6e, 0x51, 0x41, 0xd6, 0x72, 0xdd, 0x4d, 0xca, 0x96, 0xb0, 0x1a, - 0xc1, 0x47, 0x5a, 0xef, 0xc9, 0xc4, 0x11, 0x11, 0x7a, 0xec, 0x9c, 0x1c, - 0x12, 0x19, 0x72, 0xb8, 0xc3, 0x98, 0x3e, 0x3b, 0xe7, 0x4a, 0x3f, 0xb8, - 0x48, 0x40, 0xd6, 0x68, 0xa9, 0xce, 0x07, 0xe7, 0x0e, 0x5e, 0x56, 0x33, - 0xf8, 0xb0, 0x4c, 0xc2, 0xb6, 0x25, 0xcc, 0x5f, 0xbd, 0xdb, 0xe5, 0x78, - 0xb6, 0x5f, 0x99, 0x3e, 0xdc, 0xaf, 0x20, 0x3d, 0x5a, 0x0f, 0x13 
-};
-
-static void test_atv_appsigning_cert_policy()
-{
- CFDateRef date=NULL;
- CFArrayRef policies=NULL;
- SecPolicyRef policy=NULL;
- SecTrustRef trust=NULL;
- SecCertificateRef testCert0=NULL, testCert1=NULL;
- SecCertificateRef prodCert0=NULL, prodCert1=NULL;
- CFMutableArrayRef testCerts=NULL, prodCerts=NULL;
- SecTrustResultType trustResult;
- CFIndex chainLen;
-
- /* Test hierarchy */
- isnt(testCert0 = SecCertificateCreateWithBytes(NULL, kTestATVAppSigningCert, sizeof(kTestATVAppSigningCert)),
- NULL, "create testCert0");
- isnt(testCert1 = SecCertificateCreateWithBytes(NULL, kWwdrAnchorCertificate, sizeof(kWwdrAnchorCertificate)),
- NULL, "create testCert1");
-
- isnt(testCerts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create test cert array");
- CFArrayAppendValue(testCerts, testCert0);
- CFArrayAppendValue(testCerts, testCert1);
-
- /* Production hierarchy */
- isnt(prodCert0 = SecCertificateCreateWithBytes(NULL, kATVAppSigningCert, sizeof(kATVAppSigningCert)),
- NULL, "create prodCert0");
- isnt(prodCert1 = SecCertificateCreateWithBytes(NULL, kWwdrAnchorCertificate, sizeof(kWwdrAnchorCertificate)),
- NULL, "create prodCert1");
-
- isnt(prodCerts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create prod cert array");
- CFArrayAppendValue(prodCerts, prodCert0);
- CFArrayAppendValue(prodCerts, prodCert1);
-
- /* Case 1: production policy with production certs (should succeed) */
- isnt(policy = SecPolicyCreateAppleATVAppSigning(), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(prodCerts, policies, &trust),
- "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2015, 7, 1, 12, 0, 0),
- NULL, "create verify date");
- //%%% policy currently doesn't care about expiration dates
- //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
- chainLen = SecTrustGetCertificateCount(trust);
- ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen);
- CFRelease(trust);
- trust = NULL;
-
- /* Case 2: test policy with test certs (should succeed) */
- isnt(policy = SecPolicyCreateTestAppleATVAppSigning(), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(testCerts, policies, &trust),
- "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2015, 7, 1, 12, 0, 0),
- NULL, "create verify date");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
- (int)trustResult);
- chainLen = SecTrustGetCertificateCount(trust);
- ok(chainLen == 3, "chain length 3 expected (got %d)", (int)chainLen);
- CFRelease(trust);
- trust = NULL;
-
- /* Case 3: production policy with test certs (should fail) */
- isnt(policy = SecPolicyCreateAppleATVAppSigning(), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(testCerts, policies, &trust),
- "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2015, 7, 1, 12, 0, 0),
- NULL, "create verify date");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
- (int)trustResult);
- CFRelease(trust);
- trust = NULL;
-
- /* Case 4: test policy with production certs (should fail) */
- isnt(policy = SecPolicyCreateTestAppleATVAppSigning(), NULL, "create policy");
- policies = CFArrayCreate(NULL, (const void **)&policy, 1, &kCFTypeArrayCallBacks);
- CFRelease(policy);
- policy = NULL;
- ok_status(SecTrustCreateWithCertificates(prodCerts, policies, &trust),
- "create trust");
- CFRelease(policies);
- policies = NULL;
- isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2015, 7, 1, 12, 0, 0),
- NULL, "create verify date");
- //%%% policy currently doesn't care about expiration dates
- //ok_status(SecTrustSetVerifyDate(trust, date), "set date");
- CFReleaseSafe(date);
- date = NULL;
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- ok(trustResult == kSecTrustResultRecoverableTrustFailure, "trustResult 5 expected (got %d)",
- (int)trustResult);
- CFRelease(trust);
- trust = NULL;
-
- CFReleaseSafe(testCert0);
- CFReleaseSafe(testCert1);
- CFReleaseSafe(prodCert0);
- CFReleaseSafe(prodCert1);
-
- CFReleaseSafe(testCerts);
- CFReleaseSafe(prodCerts);
-}
-
-static void tests(void)
-{
- test_atv_appsigning_cert_policy();
-}
-
-int si_84_atv_appsigning(int argc, char *const *argv)
-{
- plan_tests(30);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-85-sectrust-ssl-policy.c b/OSX/sec/Security/Regressions/secitem/si-85-sectrust-ssl-policy.c
index e1738a6c..b04c7405 100644
--- a/OSX/sec/Security/Regressions/secitem/si-85-sectrust-ssl-policy.c
+++ b/OSX/sec/Security/Regressions/secitem/si-85-sectrust-ssl-policy.c
@@ -3,100 +3,15 @@ */ #include <Security/SecPolicyPriv.h> -#include <Security/SecInternal.h> #include <Security/SecTrust.h> #include <Security/SecTrustPriv.h> #include <Security/SecCertificatePriv.h> #include <AssertMacros.h> #include <utilities/SecCFWrappers.h> -#include "Security_regressions.h" - -unsigned char SSLTrustPolicyTestRootCertificate_cer[987] = { - 0x30, 0x82, 0x03, 0xd7, 0x30, 0x82, 0x02, 0xbf, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x8e, 0x31, 0x21, - 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x53, 0x53, 0x4c, - 0x20, 0x54, 0x72, 0x75, 0x73, 0x74, 0x20, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x14, 0x30, - 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x1d, 0x30, 0x1b, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x14, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, - 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, - 0x6e, 0x67, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, - 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, - 0x31, 0x35, 0x30, 0x38, 0x32, 0x30, 0x30, 0x32, 0x30, 0x31, 0x31, 0x39, - 0x5a, 0x17, 0x0d, 0x32, 0x35, 0x30, 0x38, 0x31, 0x37, 0x30, 0x32, 0x30, - 0x31, 0x31, 0x39, 0x5a, 0x30, 0x81, 0x8e, 0x31, 0x21, 0x30, 0x1f, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x72, - 0x75, 0x73, 0x74, 0x20, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, - 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, - 0x49, 
0x6e, 0x63, 0x2e, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, - 0x0b, 0x0c, 0x14, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, - 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, - 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, - 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, - 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, - 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, - 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, - 0x01, 0x00, 0xdf, 0x3b, 0x3f, 0xbc, 0xee, 0xbe, 0x24, 0xf1, 0x44, 0x79, - 0x8b, 0x39, 0x01, 0x3d, 0xd3, 0x9c, 0xe4, 0xf3, 0xd1, 0x2b, 0x43, 0x83, - 0xfe, 0x44, 0xf3, 0xf8, 0xd8, 0xf3, 0xd7, 0xa3, 0xe8, 0x7d, 0xd0, 0x1b, - 0x18, 0x1d, 0x0d, 0x7e, 0x5d, 0x89, 0xb3, 0xc7, 0xe1, 0x3e, 0xbe, 0x6e, - 0xe3, 0xdd, 0x9f, 0x8d, 0x42, 0xd6, 0xb1, 0xd2, 0x63, 0x69, 0x4d, 0x09, - 0xe9, 0x09, 0x21, 0x11, 0x42, 0x1e, 0x78, 0xf7, 0x20, 0x8c, 0x55, 0xf3, - 0x32, 0xeb, 0xd4, 0xed, 0xfd, 0xbd, 0xa7, 0x25, 0x90, 0x0b, 0x24, 0x6a, - 0x86, 0xc1, 0x3f, 0xbc, 0x19, 0xc5, 0x3d, 0x02, 0x52, 0x10, 0xfe, 0xf3, - 0xd3, 0xac, 0x97, 0x2d, 0xf5, 0xa2, 0xf5, 0x92, 0x47, 0xcc, 0x2e, 0x78, - 0x21, 0x6c, 0x57, 0xc8, 0x8d, 0x9e, 0x04, 0x59, 0x83, 0x17, 0xd8, 0x63, - 0x5e, 0xdf, 0xe5, 0x24, 0x3b, 0x34, 0x0b, 0x15, 0x73, 0xec, 0x50, 0x61, - 0x92, 0xef, 0xab, 0x1c, 0xeb, 0x42, 0xdf, 0x76, 0x6b, 0x5f, 0x64, 0xd1, - 0x38, 0xdc, 0xe9, 0x36, 0x82, 0x6a, 0xb3, 0xcc, 0x6f, 0x4a, 0x3b, 0xaf, - 0xd3, 0xf2, 0x1d, 0xf3, 0xf4, 0xd8, 0x0f, 0xa0, 0x5d, 0xf5, 0xdd, 0x21, - 0x92, 0x1f, 0xf1, 0x98, 0x0d, 0x12, 0x72, 0x82, 0x3e, 0xea, 0xc9, 0xf4, - 0x4c, 0x0c, 0x43, 0x3f, 0x1d, 0x18, 0x8a, 0xe5, 0x4d, 0xbd, 0x9f, 0x5b, - 0x11, 0x37, 0xd1, 0x3c, 0xad, 0xdb, 0x72, 0xac, 0x90, 0xd0, 0x72, 0x42, - 0x12, 
0xb6, 0xe1, 0x6f, 0x10, 0x77, 0x1e, 0x60, 0x3b, 0x42, 0x31, 0xdc, - 0x9c, 0xdd, 0xfb, 0x36, 0xab, 0x5e, 0x65, 0xf4, 0xab, 0x1c, 0x0d, 0x7f, - 0x1b, 0xff, 0xb0, 0xfa, 0x42, 0x0a, 0x82, 0x2e, 0x43, 0x4c, 0x29, 0x72, - 0x82, 0xcb, 0x61, 0xf4, 0xbf, 0xbb, 0x34, 0x9e, 0x43, 0xac, 0xef, 0x50, - 0xc5, 0xc4, 0x58, 0x7f, 0x65, 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, - 0x3e, 0x30, 0x3c, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, - 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, - 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, - 0x02, 0x02, 0x84, 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, - 0xff, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, - 0x07, 0x03, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x0d, - 0x4e, 0xac, 0x67, 0xc0, 0xe0, 0xfa, 0x66, 0x2e, 0xc3, 0x3e, 0x90, 0x34, - 0x4e, 0xdf, 0x64, 0xfa, 0x06, 0x2e, 0x4e, 0x99, 0xa0, 0x91, 0xf6, 0x96, - 0xe1, 0x41, 0x5d, 0xf6, 0x23, 0x56, 0xbc, 0x64, 0xf9, 0x79, 0xcd, 0x70, - 0xcb, 0xd0, 0xa3, 0x17, 0x87, 0x64, 0x6c, 0x3d, 0x72, 0xca, 0x4b, 0x5e, - 0xae, 0xbf, 0xef, 0x84, 0x04, 0xd4, 0x30, 0xf3, 0xff, 0xbc, 0xa1, 0x28, - 0x2e, 0xd1, 0xfd, 0x43, 0xa3, 0x18, 0xce, 0x89, 0x00, 0x59, 0x3e, 0x6a, - 0x70, 0x73, 0xca, 0x3c, 0x3c, 0xac, 0x6a, 0xfc, 0xb9, 0x5c, 0x79, 0x14, - 0xd7, 0xc8, 0x19, 0x63, 0x6d, 0x37, 0x28, 0xf9, 0x78, 0xd6, 0xb9, 0x2e, - 0xb2, 0x75, 0xd1, 0x05, 0x9c, 0xce, 0xd4, 0x87, 0xe0, 0x92, 0xf7, 0x46, - 0xdf, 0x73, 0x5f, 0x56, 0x1c, 0xff, 0x95, 0x04, 0xa8, 0xb3, 0xa9, 0x4c, - 0x74, 0x07, 0xc6, 0x0a, 0xb9, 0xcd, 0x4c, 0x17, 0x1f, 0x40, 0x73, 0x7d, - 0xb6, 0x73, 0xc7, 0x28, 0x1f, 0x7d, 0x47, 0x86, 0x2a, 0xa2, 0xa1, 0x83, - 0x8b, 0xa4, 0x46, 0x85, 0xeb, 0x19, 0x8c, 0x5e, 0x3c, 0xa4, 0x73, 0x9d, - 0x04, 0x82, 0xe7, 0x0e, 0x2a, 0x3c, 0x83, 0xa1, 0x10, 0xcc, 0x27, 0x81, - 0x1d, 0x3e, 0x1a, 0x7d, 0x1c, 0x4b, 0xfd, 0x45, 0x39, 0xbb, 0x1a, 0xc5, - 0xae, 
0x29, 0x22, 0x56, 0x2c, 0x2a, 0x76, 0xc8, 0x26, 0x9f, 0xf0, 0x4f, - 0x48, 0xc8, 0x9d, 0x20, 0xc9, 0x9d, 0x63, 0xc4, 0xe1, 0xad, 0x70, 0xa9, - 0x75, 0xb3, 0xb2, 0xff, 0x35, 0xeb, 0x89, 0x6a, 0x80, 0x11, 0x60, 0x7d, - 0xab, 0xd5, 0xd2, 0xa4, 0xd3, 0x1c, 0x34, 0x21, 0xdf, 0xbe, 0x0a, 0x4f, - 0xcc, 0x79, 0xca, 0x88, 0x81, 0x2b, 0x06, 0x11, 0x1f, 0x31, 0x22, 0x43, - 0x93, 0x76, 0x2c, 0x90, 0x5b, 0x5f, 0x42, 0x3e, 0x97, 0x61, 0x4b, 0xcc, - 0x22, 0x6e, 0xf0 -}; +#include "shared_regressions.h" + +#include "si-85-sectrust-ssl-policy.h" static void runTestForDictionary (const void *test_key, const void *test_value, void *context) { CFDictionaryRef test_info = test_value; @@ -133,7 +48,7 @@ static void runTestForDictionary (const void *test_key, const void *test_value, /* create certificates */ leaf = SecCertificateCreateWithData(NULL, cert_data); - root = SecCertificateCreateWithBytes(NULL, SSLTrustPolicyTestRootCertificate_cer, sizeof(SSLTrustPolicyTestRootCertificate_cer)); + root = SecCertificateCreateWithBytes(NULL, _SSLTrustPolicyTestRootCA, sizeof(_SSLTrustPolicyTestRootCA)); CFRelease(cert_data); require_action_quiet(leaf && root, cleanup, fail("%@: Unable to create certificates", test_name)); @@ -156,9 +71,9 @@ static void runTestForDictionary (const void *test_key, const void *test_value, err = SecTrustSetAnchorCertificates(trust, anchor_array); require_noerr_action(err, cleanup, ok_status(err, "SecTrustSetAnchorCertificates")); - /* set date in trust ref */ - date = CFDateCreateForGregorianZuluMoment(NULL, 2015, 8, 24, 12, 0, 0); - require_action_quiet(date, cleanup, fail("%@: Unable to create very date", test_name)); + /* set date in trust ref to 4 Sep 2015 */ + date = CFDateCreate(NULL, 463079909.0); + require_action_quiet(date, cleanup, fail("%@: Unable to create verify date", test_name)); err = SecTrustSetVerifyDate(trust, date); CFRelease(date); require_noerr_action(err, cleanup, ok_status(err, "SecTrustSetVerifyDate")); 
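Review bot: The test root that this hunk moves out of the .c file is defined in si-85-sectrust-ssl-policy.h as a plain external array, `unsigned char _SSLTrustPolicyTestRootCA[987] = {` (visible in the header's `@@ -2,7 +2,7 @@` hunk below), so every translation unit that includes the header emits its own definition and the link breaks with a duplicate symbol as soon as a second regression file includes it. Declaring it `static const unsigned char SSLTrustPolicyTestRootCA[987] = {` confines it to the including unit and also drops the leading-underscore-plus-capital spelling, which C reserves for the implementation. The only use on the new side, `root = SecCertificateCreateWithBytes(NULL, _SSLTrustPolicyTestRootCA, sizeof(_SSLTrustPolicyTestRootCA));` in the `@@ -133,7 +48,7 @@` hunk, only reads the bytes, so the const qualifier should not affect the call; runTestForDictionary's body continues outside the hunk.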
@@ -240,7 +155,7 @@ exit: int si_85_sectrust_ssl_policy(int argc, char *const *argv) { - plan_tests(26); + plan_tests(37); tests(); diff --git a/OSX/sec/Security/Regressions/secitem/si-86-sectrust-eap-tls.h b/OSX/sec/Security/Regressions/secitem/si-85-sectrust-ssl-policy.h similarity index 53% rename from OSX/sec/Security/Regressions/secitem/si-86-sectrust-eap-tls.h rename to OSX/sec/Security/Regressions/secitem/si-85-sectrust-ssl-policy.h index 198b0a86..92c259ba 100644 --- a/OSX/sec/Security/Regressions/secitem/si-86-sectrust-eap-tls.h +++ b/OSX/sec/Security/Regressions/secitem/si-85-sectrust-ssl-policy.h @@ -2,7 +2,7 @@ * Copyright (c) 2015 Apple Inc. All Rights Reserved. */ -unsigned char _TestRootCertificate[987] = { +unsigned char _SSLTrustPolicyTestRootCA[987] = { 0x30, 0x82, 0x03, 0xd7, 0x30, 0x82, 0x02, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x8e, 0x31, 0x21, 
@@ -87,72 +87,3 @@ unsigned char _TestRootCertificate[987] = { 0x93, 0x76, 0x2c, 0x90, 0x5b, 0x5f, 0x42, 0x3e, 0x97, 0x61, 0x4b, 0xcc, 0x22, 0x6e, 0xf0 }; - -/* SHA1 Fingerprint=1A:F0:B4:68:A1:D4:A8:F2:59:F4:DE:14:53:ED:13:34:43:D7:8A:3F */ -/* subject:/CN=Test16/O=Apple, Inc./OU=Security Engineering/ST=California/C=US/L=Cupertino */ -/* issuer :/CN=SSL Trust Policy Test CA/O=Apple, Inc./OU=Security Engineering/ST=California/C=US/L=Cupertino */ - -unsigned char _TestLeafCertificate[992]={ - 0x30,0x82,0x03,0xDC,0x30,0x82,0x02,0xC4,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x0D, - 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30, - 0x81,0x8E,0x31,0x21,0x30,0x1F,0x06,0x03,0x55,0x04,0x03,0x0C,0x18,0x53,0x53,0x4C, - 0x20,0x54,0x72,0x75,0x73,0x74,0x20,0x50,0x6F,0x6C,0x69,0x63,0x79,0x20,0x54,0x65, - 0x73,0x74,0x20,0x43,0x41,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B, - 0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06, - 0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45, - 0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x13,0x30,0x11,0x06,0x03, - 0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31, - 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x12,0x30,0x10, - 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, - 0x30,0x1E,0x17,0x0D,0x31,0x35,0x30,0x38,0x32,0x31,0x31,0x36,0x35,0x38,0x33,0x33, - 0x5A,0x17,0x0D,0x31,0x36,0x30,0x38,0x32,0x30,0x31,0x36,0x35,0x38,0x33,0x33,0x5A, - 0x30,0x7C,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x03,0x0C,0x06,0x54,0x65,0x73, - 0x74,0x31,0x36,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70, - 0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55, - 0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67, - 0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, - 
0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x0B,0x30, - 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x12,0x30,0x10,0x06,0x03, - 0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x30,0x82, - 0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05, - 0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB1, - 0x53,0xD1,0x2F,0xE4,0x11,0x91,0x44,0x1D,0xE7,0xC0,0xF5,0x59,0xA0,0xEF,0x7E,0xA5, - 0x17,0xCC,0x1E,0x89,0x1F,0xBD,0x22,0x1B,0x47,0xCC,0x67,0x1C,0x05,0x54,0xF2,0xD0, - 0x73,0x7B,0xBC,0x00,0x0E,0xE5,0xE6,0xF5,0x07,0xB5,0xAE,0x28,0xE6,0x9E,0xEB,0xE8, - 0x68,0x2C,0xE7,0x8F,0xFD,0xDA,0x6A,0x62,0xDE,0x68,0x86,0x49,0x8D,0xE2,0x34,0x3F, - 0x83,0xAD,0xE6,0x6B,0x89,0xBC,0xB5,0x33,0x48,0xE5,0xD1,0xB4,0x2A,0xC5,0x30,0xEE, - 0x48,0x9E,0xAA,0x84,0x48,0x35,0x3B,0x6F,0x84,0x38,0x04,0x24,0xB9,0x3A,0x5B,0x2D, - 0x84,0x8D,0x5A,0x55,0x05,0x89,0x6E,0xF3,0x48,0x95,0x85,0x41,0x04,0xF7,0xD2,0x69, - 0xFE,0x56,0x2A,0x48,0x9D,0xB1,0xAB,0x49,0xA5,0xBA,0x2D,0xD5,0x07,0xD4,0xCD,0x9A, - 0x9E,0xF1,0xF2,0xFD,0x80,0x7B,0x12,0xD6,0xA5,0xEB,0x9C,0x01,0xDC,0xAF,0x32,0xA8, - 0x8F,0x2F,0x42,0x3D,0x40,0x8E,0xC8,0xA1,0xF6,0xF1,0xA9,0x1A,0x3F,0xC2,0x20,0x79, - 0x32,0xCB,0x90,0xFA,0x17,0xE1,0x1D,0xF5,0xBE,0x6D,0x6C,0x86,0x50,0x22,0x71,0x1C, - 0x84,0x1D,0xEC,0xFF,0xE9,0xDB,0x81,0xC8,0x28,0x10,0xDD,0x7E,0x30,0x3E,0xC8,0x2E, - 0x43,0xDD,0x5C,0x4B,0xE2,0xA1,0x63,0x45,0xEE,0x08,0x8D,0x9A,0x56,0xAD,0x5E,0x62, - 0xF6,0xF9,0xFE,0x6B,0x20,0x23,0xAC,0x48,0xFD,0xEF,0xC0,0xB6,0x6E,0x8A,0x47,0xA8, - 0xBE,0x4D,0x76,0xE8,0x6B,0x34,0xA9,0x46,0x83,0xA4,0xC9,0x16,0x0F,0x4F,0x70,0x7D, - 0x4E,0x06,0xAE,0x05,0x5C,0x5E,0x2E,0x03,0xC4,0x04,0x95,0x87,0x5F,0xC3,0x1F,0x02, - 0x03,0x01,0x00,0x01,0xA3,0x56,0x30,0x54,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01, - 0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0x00,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F, - 0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x07,0x80,0x30,0x16,0x06,0x03,0x55,0x1D,0x25, - 
0x01,0x01,0xFF,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03, - 0x04,0x30,0x19,0x06,0x03,0x55,0x1D,0x11,0x04,0x12,0x30,0x10,0x82,0x0E,0x74,0x65, - 0x73,0x74,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x30,0x0D,0x06,0x09, - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00, - 0x08,0x06,0xDA,0x74,0xA3,0x6C,0xC9,0x54,0x01,0x5D,0x78,0xA2,0xD3,0x6A,0x83,0x14, - 0xA7,0xDC,0xF9,0xFA,0xA1,0x76,0xF4,0x49,0xA0,0x4F,0xA8,0xCA,0xCC,0x18,0xC8,0x5E, - 0x3A,0x42,0xA2,0xDA,0x8F,0xA5,0x69,0x07,0xB4,0xDE,0x93,0x8A,0xA7,0x0A,0x71,0x01, - 0xE6,0x2A,0x80,0x04,0x64,0xA9,0xF2,0x88,0x51,0xC0,0x29,0xD6,0x1A,0x07,0x4A,0xCD, - 0x26,0xFD,0xD0,0x09,0x2A,0x9D,0xBA,0x7B,0x85,0x17,0xD4,0xA3,0x0C,0x62,0x06,0x7E, - 0x2B,0xC7,0x54,0x0D,0x2E,0x6E,0xB6,0xC6,0x2C,0x6E,0x01,0x64,0xA7,0xC0,0xC8,0x3D, - 0xB1,0xC8,0x33,0x1D,0xA4,0xBB,0xEC,0xB0,0x90,0x9B,0x99,0x19,0x03,0x13,0xB0,0x6B, - 0xE8,0x0A,0x40,0x10,0x9C,0x9B,0xD0,0x71,0x4A,0x32,0xE7,0x88,0x97,0xB3,0xB1,0xE6, - 0x98,0xC2,0xF8,0x00,0xCB,0x43,0x83,0x69,0x08,0x20,0x79,0x68,0xE0,0x7F,0x11,0x04, - 0x81,0xCE,0x1F,0x64,0xB7,0x5F,0xE8,0x25,0x31,0x4F,0x9D,0xE4,0x3B,0xF5,0xBE,0xF1, - 0xA3,0xA2,0xDC,0x2F,0x3E,0x17,0xA1,0x25,0x36,0xFF,0x4F,0xFE,0xC9,0xF8,0x2B,0x41, - 0x21,0x47,0xC5,0x1A,0x75,0x73,0xB6,0xE8,0x25,0x00,0x9E,0xB5,0xDF,0x4A,0x43,0x65, - 0x86,0x34,0xDC,0x1D,0x48,0x0B,0xAE,0x8B,0xB0,0x79,0x5B,0xBA,0xCD,0x81,0xE7,0xAA, - 0x87,0x77,0x79,0xD3,0x88,0xB8,0x7A,0x77,0x88,0x58,0x71,0x76,0xCE,0xC6,0xE4,0x19, - 0xE8,0xEF,0xE8,0xFC,0xD3,0x95,0x68,0x67,0xFB,0x6C,0x70,0x89,0x70,0xF4,0xEE,0x7C, - 0x3A,0x5B,0xF2,0x30,0xBE,0x35,0x60,0x7A,0x5C,0xF0,0x47,0x32,0x26,0xA2,0xCB,0xAF, -}; diff --git a/OSX/sec/Security/Regressions/secitem/si-86-sectrust-eap-tls.c b/OSX/sec/Security/Regressions/secitem/si-86-sectrust-eap-tls.c deleted file mode 100644 index 122b3db0..00000000 --- a/OSX/sec/Security/Regressions/secitem/si-86-sectrust-eap-tls.c +++ /dev/null 
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 2015 Apple Inc. All Rights Reserved.
- */
-
-#include <Security/SecPolicyPriv.h>
-#include <Security/SecInternal.h>
-#include <Security/SecTrust.h>
-#include <Security/SecTrustPriv.h>
-#include <Security/SecCertificatePriv.h>
-
-#include "Security_regressions.h"
-
-#include "si-86-sectrust-eap-tls.h"
-
-
-static void tests(void)
-{
- SecTrustRef trust = NULL;
- SecPolicyRef policy = NULL;
- SecCertificateRef leaf, root;
- SecTrustResultType trustResult;
-
- isnt(leaf = SecCertificateCreateWithBytes(NULL, _TestLeafCertificate, sizeof(_TestLeafCertificate)), NULL, "create leaf");
- isnt(root = SecCertificateCreateWithBytes(NULL, _TestRootCertificate, sizeof(_TestRootCertificate)), NULL, "create root");
-
- const void *v_certs[] = { leaf };
- const void *v_roots[] = { root };
- CFArrayRef certs = CFArrayCreate(NULL, v_certs, sizeof(v_certs)/sizeof(*v_certs), &kCFTypeArrayCallBacks);
- CFArrayRef roots = CFArrayCreate(NULL, v_roots, sizeof(v_roots)/sizeof(*v_roots), &kCFTypeArrayCallBacks);
-
- /* Create EAP policy with specific hostname. */
- CFStringRef host = CFSTR("test.apple.com");
- const void *v_names[] = { host };
- CFArrayRef names = CFArrayCreate(NULL, v_names, sizeof(v_names)/sizeof(*v_names), &kCFTypeArrayCallBacks);
- isnt(policy = SecPolicyCreateEAP(true, names), NULL, "create policy");
-
- /* Create trust reference. */
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
-
- /* Set explicit verify date: Sep 1 2015. */
- CFDateRef date = NULL;
- isnt(date = CFDateCreate(NULL, 462823871.0), NULL, "Create verify date");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- /* Provide root certificate. */
- ok_status(SecTrustSetAnchorCertificates(trust, roots), "set anchors");
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trustResult is kSecTrustResultRecoverableTrustFailure");
- is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
-
- CFReleaseSafe(date);
- CFReleaseSafe(trust);
- CFReleaseSafe(policy);
- CFReleaseSafe(certs);
- CFReleaseSafe(roots);
- CFReleaseSafe(names);
- CFReleaseSafe(root);
- CFReleaseSafe(leaf);
-}
-
-int si_86_sectrust_eap_tls(int argc, char *const *argv)
-{
- plan_tests(10);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-87-sectrust-name-constraints.c b/OSX/sec/Security/Regressions/secitem/si-87-sectrust-name-constraints.c
index 3a62d402..a558ac8b 100644
--- a/OSX/sec/Security/Regressions/secitem/si-87-sectrust-name-constraints.c
+++ b/OSX/sec/Security/Regressions/secitem/si-87-sectrust-name-constraints.c
@@ -5,17 +5,15 @@
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/SecCertificate.h>
 #include <Security/SecCertificatePriv.h>
-#include <Security/SecInternal.h>
 #include <Security/SecPolicyPriv.h>
 #include <Security/SecTrustPriv.h>
 #include <Security/SecItem.h>
-#include <ipc/securityd_client.h>
 #include <utilities/array_size.h>
 #include <utilities/SecCFWrappers.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include "Security_regressions.h"
+#include "shared_regressions.h"
 #include "si-87-sectrust-name-constraints.h"
@@ -46,6 +44,7 @@ static void test_att(void) /* Set explicit verify date: Aug 14 2015. */ CFDateRef date = NULL; isnt(date = CFDateCreateForGregorianZuluMoment(NULL, 2015, 8, 14, 12, 0, 0), NULL, "create verify date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set date"); /* Provide root certificate. */
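Review bot: The new `if (!date) { goto errOut; }` in test_att jumps past every remaining `ok_status`/`is_status` check of the function, and nothing in the output says so: the `isnt` on the preceding line already records the failed date creation, so the only further signal is a plan count that comes up short with no hint which function short-circuited. A comment at the new label would make the intent explicit, e.g. `errOut: /* reached early only when the verify date could not be created; the checks above are skipped and the plan count comes up short */`. The same line is added to test_intel1, test_intel2, test_abb, test_bechtel1 and test_bechtel2 in the following hunks and the same note applies there. test_att's body starts outside this hunk, so whether the trust and policy objects created earlier get equivalent NULL handling is not visible here.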
@@ -55,6 +54,7 @@ static void test_att(void) is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified"); is(SecTrustGetCertificateCount(trust), 5, "cert count is 5"); +errOut: CFReleaseSafe(date); CFReleaseSafe(trust); CFReleaseSafe(policy); @@ -93,6 +93,7 @@ static void test_intel1(void) /* Set explicit verify date: Sep 3 2015. */ CFDateRef date = NULL; isnt(date = CFDateCreate(NULL, 463037436.0), NULL, "create verify date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set date"); /* Provide root certificate. */ @@ -102,6 +103,7 @@ static void test_intel1(void) is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified"); is(SecTrustGetCertificateCount(trust), 4, "cert count is 4"); +errOut: CFReleaseSafe(date); CFReleaseSafe(trust); CFReleaseSafe(policy); @@ -139,6 +141,7 @@ static void test_intel2(void) /* Set explicit verify date: Sep 3 2015. */ CFDateRef date = NULL; isnt(date = CFDateCreate(NULL, 463037436.0), NULL, "create verify date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set date"); /* Provide root certificate. */ @@ -148,6 +151,7 @@ static void test_intel2(void) is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified"); is(SecTrustGetCertificateCount(trust), 4, "cert count is 4"); +errOut: CFReleaseSafe(date); CFReleaseSafe(trust); CFReleaseSafe(policy); @@ -185,6 +189,7 @@ static void test_abb(void) /* Set explicit verify date: Sep 16 2015. */ CFDateRef date = NULL; isnt(date = CFDateCreate(NULL, 464128479.0), NULL, "create verify date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set date"); /* Provide root certificate. */ 
@@ -194,6 +199,7 @@ static void test_abb(void) is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified"); is(SecTrustGetCertificateCount(trust), 4, "cert count is 4"); +errOut: CFReleaseSafe(date); CFReleaseSafe(trust); CFReleaseSafe(policy); @@ -231,6 +237,7 @@ static void test_bechtel1(void) /* Set explicit verify date: Sep 29 2015. */ CFDateRef date = NULL; isnt(date = CFDateCreate(NULL, 465253810.0), NULL, "create verify date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set date"); /* Provide root certificate. */ @@ -240,6 +247,7 @@ static void test_bechtel1(void) is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified"); is(SecTrustGetCertificateCount(trust), 4, "cert count is 4"); +errOut: CFReleaseSafe(date); CFReleaseSafe(trust); CFReleaseSafe(policy); @@ -277,6 +285,7 @@ static void test_bechtel2(void) /* Set explicit verify date: Sep 29 2015. */ CFDateRef date = NULL; isnt(date = CFDateCreate(NULL, 465253810.0), NULL, "create verify date"); + if (!date) { goto errOut; } ok_status(SecTrustSetVerifyDate(trust, date), "set date"); /* Provide root certificate. */ @@ -286,6 +295,7 @@ static void test_bechtel2(void) is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified"); is(SecTrustGetCertificateCount(trust), 4, "cert count is 4"); +errOut: CFReleaseSafe(date); CFReleaseSafe(trust); CFReleaseSafe(policy); diff --git a/OSX/sec/Security/Regressions/secitem/si-88-sectrust-vpnprofile.c b/OSX/sec/Security/Regressions/secitem/si-88-sectrust-vpnprofile.c deleted file mode 100644 index 519a5ee5..00000000 --- a/OSX/sec/Security/Regressions/secitem/si-88-sectrust-vpnprofile.c +++ /dev/null 
@@ -1,113 +0,0 @@
-/*
- * Copyright (c) 2015 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecPolicyPriv.h>
-
-#include "utilities/SecCFRelease.h"
-#include "utilities/SecCFWrappers.h"
-
-#include "Security_regressions.h"
-
-
-#include "si-88-sectrust-vpnprofile.h"
-
-static void tests(void)
-{
- SecTrustRef trust = NULL;
- SecPolicyRef policy = NULL;
- SecCertificateRef cert0, cert1, cert2, cert3, rootcert;
- SecTrustResultType trustResult;
-
- //Evaluation should succeed for cert0 and cert1
-
- isnt(cert0 = SecCertificateCreateWithBytes(NULL, c0, sizeof(c0)), NULL, "create cert0");
- isnt(cert1 = SecCertificateCreateWithBytes(NULL, c1, sizeof(c1)), NULL, "create cert1");
- isnt(rootcert = SecCertificateCreateWithBytes(NULL, root, sizeof(root)), NULL, "create root cert");
-
- const void *v_certs[] = { cert0, cert1 };
- CFArrayRef certs = CFArrayCreate(NULL, v_certs, sizeof(v_certs)/sizeof(*v_certs), &kCFTypeArrayCallBacks);
- CFArrayRef anchor_certs = CFArrayCreate(NULL, (const void**)&rootcert, 1, &kCFTypeArrayCallBacks);
-
- /* Set explicit verify date: 15 Dec 2015 */
- CFDateRef date = NULL;
- isnt(date = CFDateCreate(NULL, 471907305.0), NULL, "Create verify date");
-
- /* Create AppleTV VPN profile signing policy instance. */
- isnt(policy = SecPolicyCreateAppleATVVPNProfileSigning(), NULL, "create policy");
-
- /* Create trust reference. */
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
- ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified");
- is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
-
-
- CFReleaseSafe(trust);
- CFReleaseSafe(policy);
- CFReleaseSafe(certs);
- CFReleaseSafe(cert1);
- CFReleaseSafe(cert0);
-
- //Evaluation should fail for cert2 and cert3 (wrong OID, not Apple anchor)
-
- isnt(cert2 = SecCertificateCreateWithBytes(NULL, c2, sizeof(c2)), NULL, "create cert2");
- isnt(cert3 = SecCertificateCreateWithBytes(NULL, c3, sizeof(c3)), NULL, "create cert3");
-
- const void *v_certs2[] = { cert2, cert3 };
- certs = CFArrayCreate(NULL, v_certs2, sizeof(v_certs2)/sizeof(*v_certs2), &kCFTypeArrayCallBacks);
-
- isnt(policy = SecPolicyCreateAppleATVVPNProfileSigning(), NULL, "create policy");
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trustResult is kSecTrustResultRecoverableTrustFailure");
-
- CFReleaseSafe(trust);
- CFReleaseSafe(policy);
- CFReleaseSafe(certs);
- CFReleaseSafe(cert3);
- CFReleaseSafe(cert2);
- CFReleaseSafe(anchor_certs);
- CFReleaseSafe(rootcert);
- CFReleaseSafe(date);
-}
-
-
-
-int si_88_sectrust_vpnprofile(int argc, char *const *argv);
-
-int si_88_sectrust_vpnprofile(int argc, char *const *argv)
-{
- plan_tests(18);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-88-sectrust-vpnprofile.h b/OSX/sec/Security/Regressions/secitem/si-88-sectrust-vpnprofile.h
deleted file mode 100644
index 4db7772a..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-88-sectrust-vpnprofile.h
+++ /dev/null
@@ -1,450 +0,0 @@
-/*
- * Copyright (c) 2015 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-#ifndef si_88_sectrust_vpnprofile_h
-#define si_88_sectrust_vpnprofile_h
-
-#include <stdio.h>
-
-
-/*
- * Subject: CN=Apple TV OS VPN Profile Signing, OU=IS&T, O=Apple Inc., C=US
- * Issuer: CN=Test Apple System Integration 2 Certification Authority, OU=Apple Certification Authority, O=Apple Inc., C=US
- */
-
-static unsigned char c0[] = {
- 0x30,0x82,0x04,0x20,0x30,0x82,0x03,0x08,0xa0,0x03,0x02,0x01,0x02,0x02,0x08,0x33,
- 0xb5,0x72,0x55,0xd4,0x16,0x04,0x76,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
- 0x0d,0x01,0x01,0x0b,0x05,0x00,0x30,0x81,0x8c,0x31,0x40,0x30,0x3e,0x06,0x03,0x55,
- 0x04,0x03,0x0c,0x37,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6c,0x65,0x20,0x53,
- 0x79,0x73,0x74,0x65,0x6d,0x20,0x49,0x6e,0x74,0x65,0x67,0x72,0x61,0x74,0x69,0x6f,
- 0x6e,0x20,0x32,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6f,
- 0x6e,0x20,0x41,0x75,0x74,0x68,0x6f,0x72,0x69,0x74,0x79,0x31,0x26,0x30,0x24,0x06,
-
0x03,0x55,0x04,0x0b,0x0c,0x1d,0x41,0x70,0x70,0x6c,0x65,0x20,0x43,0x65,0x72,0x74, - 0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x20,0x41,0x75,0x74,0x68,0x6f,0x72, - 0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x0c,0x0a,0x41,0x70, - 0x70,0x6c,0x65,0x20,0x49,0x6e,0x63,0x2e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x30,0x1e,0x17,0x0d,0x31,0x35,0x31,0x30,0x30,0x38,0x30, - 0x38,0x33,0x37,0x33,0x35,0x5a,0x17,0x0d,0x31,0x37,0x31,0x31,0x30,0x36,0x30,0x38, - 0x33,0x37,0x33,0x35,0x5a,0x30,0x5b,0x31,0x28,0x30,0x26,0x06,0x03,0x55,0x04,0x03, - 0x0c,0x1f,0x41,0x70,0x70,0x6c,0x65,0x20,0x54,0x56,0x20,0x4f,0x53,0x20,0x56,0x50, - 0x4e,0x20,0x50,0x72,0x6f,0x66,0x69,0x6c,0x65,0x20,0x53,0x69,0x67,0x6e,0x69,0x6e, - 0x67,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x0b,0x0c,0x04,0x49,0x53,0x26,0x54, - 0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x0c,0x0a,0x41,0x70,0x70,0x6c,0x65, - 0x20,0x49,0x6e,0x63,0x2e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, - 0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d, - 0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82, - 0x01,0x01,0x00,0xdb,0x85,0xf8,0x04,0xc4,0xaf,0x59,0x41,0x4e,0xd5,0xd5,0xe8,0x25, - 0x32,0x6f,0x58,0x52,0x53,0x7f,0xca,0xe0,0x27,0xab,0x50,0xb0,0x17,0xd9,0x51,0x46, - 0xa1,0x5d,0xf6,0xb8,0xbb,0x20,0xb7,0xab,0x68,0x0c,0x75,0xc0,0x4a,0x67,0x9f,0x1e, - 0xd9,0x52,0x3a,0xa5,0x37,0x72,0xb6,0x45,0x2a,0x43,0x3b,0xe9,0x6d,0xd7,0xca,0x9b, - 0x59,0xc5,0xdd,0xe5,0x81,0xef,0xf4,0x11,0xe1,0xc5,0x76,0x05,0xe5,0xc3,0xf2,0x60, - 0x3b,0x3d,0xff,0x9e,0x5f,0x99,0x72,0x9f,0x73,0x90,0x6f,0x43,0x5b,0xe6,0x07,0xae, - 0xb2,0x60,0x18,0x35,0x69,0x2c,0xb5,0x2c,0x94,0xe6,0xb9,0x89,0x43,0xce,0x98,0x6d, - 0xa3,0x4e,0x01,0xbc,0x75,0x48,0x85,0xcf,0xff,0x78,0x84,0x45,0xf3,0x5a,0xa6,0x34, - 0x0e,0x05,0xc1,0x1c,0xb8,0xc9,0x96,0x6c,0xf4,0x47,0x07,0xb5,0xc0,0xe1,0x2d,0x5c, - 0x80,0x44,0x8f,0x9e,0x6a,0xf7,0x6d,0x11,0xd8,0x8c,0x47,0x82,0x02,0xec,0x3b,0x15, - 
0x73,0x28,0x8e,0xdb,0x4f,0xaa,0x66,0x37,0x23,0x9f,0xf6,0x60,0x91,0xd2,0x74,0x30, - 0xa5,0x7c,0xd1,0x6a,0x29,0x69,0x72,0xcb,0xc8,0x54,0x1e,0x65,0x45,0x88,0xfc,0xae, - 0xb1,0x77,0x93,0x41,0xe4,0xff,0xf4,0x2c,0xae,0xfd,0x77,0x24,0x26,0x7e,0x35,0x95, - 0xa0,0x83,0x72,0x8d,0x3a,0x7e,0x45,0x1e,0xbc,0x9b,0x60,0x31,0x4d,0x26,0x8f,0x28, - 0xfe,0xd9,0x47,0x15,0xe4,0x90,0x21,0x4f,0xc3,0x09,0xa4,0x64,0x72,0x4b,0xfa,0x5b, - 0xf4,0xf8,0x41,0x6d,0x75,0x8b,0x3f,0xec,0xc5,0x8e,0xf5,0x3b,0x82,0x66,0xb3,0xee, - 0x57,0x96,0xb9,0x02,0x03,0x01,0x00,0x01,0xa3,0x81,0xb5,0x30,0x81,0xb2,0x30,0x41, - 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x35,0x30,0x33,0x30,0x31, - 0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x25,0x68,0x74,0x74,0x70, - 0x3a,0x2f,0x2f,0x6f,0x63,0x73,0x70,0x2e,0x61,0x70,0x70,0x6c,0x65,0x2e,0x63,0x6f, - 0x6d,0x2f,0x6f,0x63,0x73,0x70,0x30,0x34,0x2d,0x61,0x73,0x69,0x32,0x63,0x61,0x30, - 0x31,0x30,0x1d,0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x71,0xb8,0xd1,0xe1, - 0x65,0xc1,0x45,0xa6,0xd1,0x68,0x50,0x68,0x20,0x78,0x8c,0x90,0xff,0x53,0x5f,0x5f, - 0x30,0x0c,0x06,0x03,0x55,0x1d,0x13,0x01,0x01,0xff,0x04,0x02,0x30,0x00,0x30,0x1f, - 0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xfd,0x1a,0x95,0xb8,0x3f, - 0x63,0x8a,0x39,0xa1,0x32,0x9e,0xae,0x33,0xa5,0x79,0xd3,0x5e,0xa1,0xb3,0xd4,0x30, - 0x0e,0x06,0x03,0x55,0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x07,0x80,0x30, - 0x0f,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x63,0x64,0x06,0x2b,0x04,0x02,0x05,0x00, - 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03, - 0x82,0x01,0x01,0x00,0x70,0xb2,0xd9,0xf4,0x23,0xfc,0x51,0x3e,0x2f,0xf6,0x24,0xbb, - 0x2a,0x0b,0xa6,0x61,0xa8,0xb5,0x73,0x57,0x0f,0x9c,0xa0,0x23,0xe4,0x6d,0x0a,0xef, - 0xa1,0x6c,0x2b,0xa7,0x62,0x0c,0xca,0x0e,0x7a,0x28,0xcd,0xe3,0xe4,0xc5,0x05,0x61, - 0x27,0x59,0xf8,0xde,0xf5,0xf1,0x6a,0x97,0xc8,0x7c,0x53,0x0f,0x9c,0x05,0xda,0x59, - 0xce,0x43,0x9b,0x5e,0x8c,0xbd,0xe2,0xa8,0xcf,0x36,0xe3,0xfd,0x8d,0x4d,0x71,0x6d, - 
0x08,0xb6,0xef,0x0d,0x77,0x90,0x24,0xd2,0x84,0x14,0xfd,0x13,0x59,0x49,0x7c,0xd7, - 0xa8,0xbc,0x75,0x03,0xda,0x7d,0xa6,0xb2,0x9e,0x61,0x8d,0x56,0xba,0x09,0x38,0x7c, - 0x69,0x92,0xf4,0x23,0x0a,0x78,0xce,0xd6,0xe5,0x90,0xb7,0xa7,0x07,0xb0,0x29,0xd2, - 0x03,0x36,0xa3,0x38,0x08,0xf7,0x9d,0xe6,0x3c,0x60,0x38,0x3f,0x81,0x4d,0x9b,0xb8, - 0x7d,0xe4,0xe2,0x97,0x70,0x62,0xed,0x00,0xa2,0x7e,0xed,0xd4,0x81,0xcc,0xc4,0x5d, - 0x99,0x23,0xb1,0x27,0x1b,0xb7,0xf6,0x74,0x0a,0xca,0x4d,0x6a,0x47,0x57,0xe2,0x7d, - 0xdb,0xb6,0xd8,0xb3,0xc6,0xc7,0xb4,0xbc,0x92,0xc9,0x09,0x2f,0xb9,0x00,0x3e,0x7e, - 0x2d,0x01,0xd7,0x79,0x69,0xdb,0x21,0xf2,0x03,0x44,0xf4,0xa0,0xb8,0x78,0x82,0x5b, - 0x29,0xd7,0x95,0x1c,0xcb,0x2a,0x10,0xf3,0xf5,0x78,0x82,0x73,0x10,0xc4,0x14,0x7b, - 0x7b,0x3d,0xca,0xa0,0xb6,0x35,0x89,0x8b,0x6b,0x54,0x97,0x7b,0xcc,0x64,0x39,0xa2, - 0xec,0x46,0xdb,0x47,0x6c,0x18,0x98,0x4b,0xda,0x00,0x7a,0x6b,0xf1,0xcf,0x09,0x1b, - 0x71,0xe6,0x4d,0x61}; - -/* - * Subject: CN=Test Apple System Integration 2 Certification Authority, OU=Apple Certification Authority, O=Apple Inc., C=US - * Issuer: C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Test Apple Root CA - */ -static unsigned char c1[] = { - 0x30,0x82,0x04,0x2a,0x30,0x82,0x03,0x12,0xa0,0x03,0x02,0x01,0x02,0x02,0x08,0x4b, - 0x50,0x1c,0xd1,0xe0,0xd2,0x2a,0xd7,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7, - 0x0d,0x01,0x01,0x0b,0x05,0x00,0x30,0x67,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x0c,0x0a, - 0x41,0x70,0x70,0x6c,0x65,0x20,0x49,0x6e,0x63,0x2e,0x31,0x26,0x30,0x24,0x06,0x03, - 0x55,0x04,0x0b,0x0c,0x1d,0x41,0x70,0x70,0x6c,0x65,0x20,0x43,0x65,0x72,0x74,0x69, - 0x66,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x20,0x41,0x75,0x74,0x68,0x6f,0x72,0x69, - 0x74,0x79,0x31,0x1b,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0c,0x12,0x54,0x65,0x73, - 0x74,0x20,0x41,0x70,0x70,0x6c,0x65,0x20,0x52,0x6f,0x6f,0x74,0x20,0x43,0x41,0x30, - 
0x1e,0x17,0x0d,0x31,0x35,0x30,0x36,0x30,0x39,0x30,0x31,0x31,0x31,0x32,0x34,0x5a, - 0x17,0x0d,0x32,0x37,0x30,0x39,0x31,0x33,0x32,0x32,0x33,0x35,0x33,0x37,0x5a,0x30, - 0x81,0x8c,0x31,0x40,0x30,0x3e,0x06,0x03,0x55,0x04,0x03,0x0c,0x37,0x54,0x65,0x73, - 0x74,0x20,0x41,0x70,0x70,0x6c,0x65,0x20,0x53,0x79,0x73,0x74,0x65,0x6d,0x20,0x49, - 0x6e,0x74,0x65,0x67,0x72,0x61,0x74,0x69,0x6f,0x6e,0x20,0x32,0x20,0x43,0x65,0x72, - 0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x20,0x41,0x75,0x74,0x68,0x6f, - 0x72,0x69,0x74,0x79,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0b,0x0c,0x1d,0x41, - 0x70,0x70,0x6c,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, - 0x6f,0x6e,0x20,0x41,0x75,0x74,0x68,0x6f,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11, - 0x06,0x03,0x55,0x04,0x0a,0x0c,0x0a,0x41,0x70,0x70,0x6c,0x65,0x20,0x49,0x6e,0x63, - 0x2e,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82, - 0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05, - 0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xab, - 0x4b,0x9c,0x5d,0x27,0xad,0xd5,0x99,0x83,0x0d,0x6c,0x73,0x9d,0xb6,0x29,0x16,0x47, - 0x4e,0xa1,0xcf,0x24,0x3a,0x08,0x68,0xc8,0x18,0x5f,0xa0,0x50,0x8f,0xb8,0x79,0x44, - 0x25,0x6c,0x7a,0x46,0xc7,0xae,0x43,0xb0,0xe5,0x1f,0xf3,0x55,0x08,0x70,0xb6,0xe4, - 0xad,0xa1,0xad,0x1a,0xac,0xb8,0x8e,0x6a,0xd2,0xc6,0x0f,0x2f,0x6f,0xe0,0xcf,0xc6, - 0x97,0x4c,0x0a,0x62,0xd6,0x10,0x88,0x21,0x04,0xaa,0x8f,0xdb,0x17,0x82,0x83,0xcc, - 0xde,0xa5,0xd4,0x10,0x75,0x96,0x61,0x52,0x97,0xda,0x3c,0x00,0x2b,0x41,0x7a,0xe6, - 0xd6,0xda,0xa2,0x7f,0x77,0x44,0x31,0x96,0xc2,0x1b,0xd3,0x4c,0x42,0x0e,0x43,0x0a, - 0xa4,0x69,0xe0,0xea,0x84,0xf6,0x6c,0x74,0xc5,0xeb,0x37,0xe0,0xee,0xb5,0x59,0xbd, - 0xa8,0xaa,0xdb,0x8c,0x1e,0x44,0x79,0x4b,0x19,0x62,0x70,0x99,0xed,0x89,0x72,0x8c, - 0xfc,0x39,0x37,0xdf,0x3c,0x08,0x57,0x0b,0xfb,0x05,0xa6,0x34,0xdc,0x40,0x9b,0x2a, - 0x88,0x78,0xa1,0xd8,0x28,0x4d,0x1b,0xf9,0x42,0x8f,0xd8,0xfb,0x4f,0x32,0xbb,0xfb, - 
0xc7,0xfa,0x01,0x80,0xff,0xbc,0x7c,0xaa,0x48,0x3f,0x0b,0x46,0x79,0x40,0xf4,0xa6, - 0x16,0x11,0x9d,0xb1,0x36,0x28,0xaf,0x5e,0x09,0xfe,0x61,0x5e,0x82,0x1b,0x6c,0xf5, - 0xad,0xd6,0x1a,0x2b,0x66,0xec,0xf7,0xe4,0x73,0x65,0x7c,0xe8,0x18,0x06,0x52,0x38, - 0xc9,0x16,0x00,0x13,0x50,0x5a,0x30,0xcd,0x03,0x37,0x3e,0x3a,0xd2,0x01,0x15,0xe0, - 0x56,0xb9,0x6e,0x99,0x00,0x3a,0x29,0x1e,0x95,0x23,0x5c,0xfc,0x2f,0xb5,0xe1,0x02, - 0x03,0x01,0x00,0x01,0xa3,0x81,0xb3,0x30,0x81,0xb0,0x30,0x1d,0x06,0x03,0x55,0x1d, - 0x0e,0x04,0x16,0x04,0x14,0xfd,0x1a,0x95,0xb8,0x3f,0x63,0x8a,0x39,0xa1,0x32,0x9e, - 0xae,0x33,0xa5,0x79,0xd3,0x5e,0xa1,0xb3,0xd4,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13, - 0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x1f,0x06,0x03,0x55,0x1d, - 0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x59,0xb8,0x2b,0x94,0x3a,0x1b,0xba,0xf1,0x00, - 0xae,0xee,0x50,0x52,0x23,0x33,0xc9,0x59,0xc3,0x54,0x98,0x30,0x3b,0x06,0x03,0x55, - 0x1d,0x1f,0x04,0x34,0x30,0x32,0x30,0x30,0xa0,0x2e,0xa0,0x2c,0x86,0x2a,0x68,0x74, - 0x74,0x70,0x3a,0x2f,0x2f,0x63,0x72,0x6c,0x2d,0x75,0x61,0x74,0x2e,0x63,0x6f,0x72, - 0x70,0x2e,0x61,0x70,0x70,0x6c,0x65,0x2e,0x63,0x6f,0x6d,0x2f,0x74,0x65,0x73,0x74, - 0x72,0x6f,0x6f,0x74,0x2e,0x63,0x72,0x6c,0x30,0x0e,0x06,0x03,0x55,0x1d,0x0f,0x01, - 0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06,0x0a,0x2a,0x86,0x48,0x86, - 0xf7,0x63,0x64,0x06,0x02,0x0a,0x04,0x02,0x05,0x00,0x30,0x0d,0x06,0x09,0x2a,0x86, - 0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x8e,0x39, - 0x3b,0xb3,0x24,0x07,0x5b,0x3a,0xce,0x2d,0x3e,0x6d,0x80,0x67,0x88,0x99,0x38,0xe3, - 0x5e,0x0f,0x5a,0x07,0xea,0xe4,0x50,0x2d,0x34,0xf0,0x7d,0x69,0xd3,0x9d,0x83,0x39, - 0x9f,0xf8,0xfd,0xae,0x94,0x4a,0x59,0xd9,0xd5,0x1a,0xf3,0xe6,0xba,0x2d,0xdc,0xbd, - 0x15,0x33,0xa0,0x66,0x13,0x05,0x4d,0xb4,0x46,0x41,0x1d,0x90,0xa3,0x84,0x03,0x5d, - 0x0c,0x6e,0xc7,0x65,0x67,0x4f,0xec,0x96,0xf2,0xdf,0x17,0x1e,0xa9,0xa0,0xa0,0xb9, - 0x65,0x79,0x85,0x7d,0x42,0x92,0x7d,0xfa,0xc7,0xfc,0x0a,0xa0,0xe4,0xab,0x25,0xe3, - 
0x85,0x2e,0x92,0xc5,0x8f,0xd5,0x27,0xb4,0x71,0x32,0x07,0x3e,0x01,0x53,0x02,0x72, - 0x32,0x41,0x72,0x1e,0x4f,0x39,0xef,0xeb,0xc0,0x46,0x43,0xee,0xe7,0xab,0x68,0xf2, - 0x64,0x44,0x2c,0x99,0x0a,0x25,0xc2,0x53,0x58,0xdb,0x4a,0x64,0x14,0x7e,0x1a,0x04, - 0x12,0x18,0xf8,0xe8,0x2e,0x7a,0x38,0xc3,0x62,0xae,0x9c,0x9a,0x56,0x66,0x98,0x8d, - 0x33,0xb4,0x90,0x44,0xec,0xd1,0x03,0x2d,0xa8,0x0e,0x4d,0x50,0x2a,0xb7,0xa0,0x17, - 0xa4,0xd2,0x24,0xcf,0xab,0x2a,0x28,0x7b,0x53,0x74,0x7e,0x41,0xad,0x0e,0xf0,0xa3, - 0x2a,0x16,0x46,0x89,0x72,0xf6,0x7b,0xf2,0x77,0xd7,0x97,0x52,0xc2,0xcc,0x12,0x2a, - 0x1b,0xf5,0x47,0x6f,0x06,0xa6,0x16,0x59,0x52,0xf9,0xc6,0x9c,0xfa,0x76,0x5f,0xa7, - 0x4f,0x30,0xe9,0xa1,0x76,0x41,0x44,0x3d,0x3e,0x12,0x18,0xf1,0x4c,0xfd,0xfb,0x96, - 0xb5,0x81,0xae,0xc8,0xf5,0x7c,0x7b,0x4c,0xd2,0x4d,0x0c,0x44,0xdb,0xf2}; - -/* SHA1 Fingerprint=45:27:70:FE:5F:E9:C2:DD:F9:77:17:29:F7:2B:71:DC:23:37:D1:1B */ -/* subject:/CN=Mac OS X Provisioning Profile Signing/O=Apple Inc./C=US */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority */ - -static unsigned char c2[1334]={ - 0x30,0x82,0x05,0x32,0x30,0x82,0x04,0x1A,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x1A, - 0xA6,0x77,0xFE,0x20,0xB7,0x68,0x2E,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x96,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, - 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C, - 0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2C,0x30,0x2A,0x06, - 0x03,0x55,0x04,0x0B,0x0C,0x23,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C, - 0x64,0x77,0x69,0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20, - 0x52,0x65,0x6C,0x61,0x74,0x69,0x6F,0x6E,0x73,0x31,0x44,0x30,0x42,0x06,0x03,0x55, - 0x04,0x03,0x0C,0x3B,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77, - 0x69,0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65, - 
0x6C,0x61,0x74,0x69,0x6F,0x6E,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63, - 0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30, - 0x1E,0x17,0x0D,0x31,0x31,0x30,0x34,0x30,0x38,0x32,0x32,0x31,0x32,0x32,0x35,0x5A, - 0x17,0x0D,0x31,0x36,0x30,0x32,0x30,0x36,0x32,0x32,0x31,0x32,0x32,0x35,0x5A,0x30, - 0x52,0x31,0x2E,0x30,0x2C,0x06,0x03,0x55,0x04,0x03,0x0C,0x25,0x4D,0x61,0x63,0x20, - 0x4F,0x53,0x20,0x58,0x20,0x50,0x72,0x6F,0x76,0x69,0x73,0x69,0x6F,0x6E,0x69,0x6E, - 0x67,0x20,0x50,0x72,0x6F,0x66,0x69,0x6C,0x65,0x20,0x53,0x69,0x67,0x6E,0x69,0x6E, - 0x67,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C, - 0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, - 0x82,0x01,0x01,0x00,0xA6,0x4C,0x9D,0xD8,0xC4,0xF8,0x64,0x71,0xBB,0x53,0xAE,0xD6, - 0x76,0x93,0x70,0x22,0xA0,0xD1,0xB9,0x18,0x85,0x90,0x4A,0x50,0xB9,0x5A,0x68,0x59, - 0xCA,0x9C,0x71,0x40,0xD3,0x21,0xCA,0x0E,0x99,0xD5,0x44,0x1C,0xD8,0xE3,0x2B,0x77, - 0x21,0x6B,0x0D,0x92,0x19,0xEA,0x7C,0xE5,0x05,0xB9,0x1E,0x95,0xD8,0xAD,0xB4,0x1F, - 0xE6,0xAE,0xBB,0xF3,0x0B,0x29,0x44,0x40,0x4D,0x10,0xA5,0x37,0x48,0x26,0x56,0x37, - 0xD8,0x50,0xC1,0x5F,0x87,0x4E,0xE2,0x4D,0xD6,0xD6,0x7F,0x0D,0x39,0xA7,0xBB,0xB0, - 0x06,0x90,0x39,0xAB,0xB2,0x96,0x2C,0x4A,0x07,0x2F,0x17,0xEA,0x3C,0x00,0xBF,0x8F, - 0xEB,0xD3,0xE7,0x5E,0x5F,0x05,0x59,0x42,0xC2,0x24,0x59,0x29,0x81,0xEF,0x4E,0xB1, - 0x1F,0x82,0xB5,0x57,0x66,0xC7,0x37,0xBD,0xA9,0xED,0x21,0xB9,0xCB,0xC4,0x27,0xC2, - 0x58,0x37,0x8D,0x8A,0xF4,0x4B,0xBD,0x3F,0xFC,0x41,0x08,0x67,0x42,0x4B,0x3A,0xCA, - 0x72,0xFA,0x38,0xA8,0x77,0xF3,0xD3,0x6C,0x46,0xF7,0x73,0x5D,0x83,0xBA,0xD3,0x86, - 0x6A,0xEB,0x4E,0x61,0x6D,0x8A,0xCE,0x90,0xEC,0x0E,0xE7,0x39,0x69,0xDD,0x49,0xA0, - 0x7E,0xB3,0xD9,0x7E,0x2B,0x4C,0x51,0x5A,0x1D,0xDA,0x54,0x16,0xE5,0xA6,0xF1,0xB0, - 
0x04,0x80,0xAC,0x87,0x77,0x11,0x2C,0x6D,0x5B,0x78,0x38,0x9C,0x71,0x4E,0xF6,0x0E, - 0xCD,0x78,0x2C,0x03,0x42,0xAC,0x4C,0x3B,0x3E,0xE2,0xBE,0xD2,0xBC,0x70,0x5B,0x00, - 0x6A,0xAA,0xA3,0x66,0xAB,0xBA,0x44,0x33,0x96,0x76,0xEC,0x37,0xA3,0x33,0xC8,0x2C, - 0xED,0x6E,0x37,0xB5,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x01,0xC5,0x30,0x82,0x01, - 0xC1,0x30,0x3D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x31,0x30, - 0x2F,0x30,0x2D,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x21,0x68, - 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x6F,0x63,0x73,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65, - 0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70,0x2D,0x77,0x77,0x64,0x72,0x30,0x33, - 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x16,0x40,0x54,0xF8,0x17, - 0x37,0x2C,0x46,0xE4,0x5F,0x75,0x8C,0xF9,0x55,0x70,0x0E,0xEF,0x1E,0xE7,0xF1,0x30, - 0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06, - 0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x88,0x27,0x17,0x09,0xA9,0xB6, - 0x18,0x60,0x8B,0xEC,0xEB,0xBA,0xF6,0x47,0x59,0xC5,0x52,0x54,0xA3,0xB7,0x30,0x82, - 0x01,0x0F,0x06,0x03,0x55,0x1D,0x20,0x04,0x82,0x01,0x06,0x30,0x82,0x01,0x02,0x30, - 0x81,0xFF,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF1, - 0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x81,0xB6, - 0x0C,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63,0x65,0x20,0x6F,0x6E,0x20,0x74, - 0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20, - 0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72,0x74,0x79,0x20,0x61,0x73,0x73, - 0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70,0x74,0x61,0x6E,0x63,0x65,0x20, - 0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65,0x6E,0x20,0x61,0x70,0x70,0x6C, - 0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61,0x6E,0x64,0x61,0x72,0x64,0x20, - 0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20,0x63,0x6F,0x6E,0x64,0x69,0x74, - 0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,0x65,0x2C,0x20,0x63,0x65,0x72, - 
0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70,0x6F,0x6C,0x69,0x63,0x79,0x20, - 0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, - 0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65,0x20,0x73,0x74,0x61,0x74,0x65, - 0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x29,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, - 0x02,0x01,0x16,0x1D,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61, - 0x2F,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x07, - 0x80,0x30,0x0F,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x04,0x0B,0x04,0x02, - 0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05, - 0x00,0x03,0x82,0x01,0x01,0x00,0x41,0x76,0x9C,0x4B,0x42,0x36,0x40,0x75,0xF4,0x68, - 0x51,0x76,0x3F,0x77,0xBE,0x7A,0x66,0x04,0x08,0xA3,0xA8,0xDA,0xD9,0x60,0x30,0xA4, - 0x3A,0x5E,0x2D,0xF8,0x10,0x06,0x96,0x9B,0xD7,0x10,0x14,0x8C,0x95,0x71,0x26,0xC9, - 0x01,0x83,0xB2,0x27,0xA9,0x74,0xA6,0xDB,0x5F,0xB5,0xA9,0x39,0x67,0x54,0x6F,0x08, - 0x43,0x9E,0x4C,0x46,0xA1,0xA8,0x22,0xBF,0x58,0x49,0xB3,0x1C,0xC6,0xF0,0xAA,0xF3, - 0x67,0x89,0x5E,0xA6,0x79,0x3E,0x25,0xB7,0xE9,0x00,0x2B,0xD9,0xEE,0xED,0x6F,0xF8, - 0x48,0x3B,0x97,0x4A,0x54,0x27,0x38,0x54,0xC2,0x4A,0xBF,0x35,0x36,0x6F,0x92,0x02, - 0x65,0x35,0x2A,0x63,0x3D,0x13,0xA8,0x06,0x5D,0x51,0x7E,0x61,0x10,0xF7,0xF5,0x56, - 0x22,0xFB,0x28,0xA3,0x8F,0xAE,0xE6,0x28,0x4B,0xEA,0x7C,0x22,0x70,0x49,0x61,0x76, - 0x51,0xFC,0x9C,0x64,0x9A,0x88,0x8B,0x6C,0x4B,0x1A,0x22,0xF0,0xE8,0xB3,0xD2,0xF6, - 0x2C,0x31,0xD7,0xC4,0x30,0xBF,0x82,0xDD,0x22,0x93,0x14,0x20,0x73,0xAA,0xB8,0xD1, - 0x17,0x1E,0x3F,0x36,0x4F,0x94,0x9C,0xF3,0xF9,0x3B,0x9A,0xDB,0x69,0x1A,0x91,0x6D, - 0x56,0x60,0x2A,0x86,0xBD,0x25,0x68,0x24,0xCC,0x11,0x09,0x17,0x88,0xCE,0x27,0xA1, - 0xE1,0x6B,0x30,0xB2,0x8C,0xB9,0xA8,0xA0,0xB7,0xF0,0xAA,0x46,0xA4,0x95,0x21,0x13, - 0xC8,0x4F,0xE9,0xA9,0xB1,0x35,0x12,0x57,0xE6,0x04,0xD0,0x3D,0xFF,0x12,0xDC,0xEB, - 
0xDA,0xC5,0xD9,0x85,0xD6,0xBC,0x96,0xCF,0x90,0x02,0xC7,0x66,0xC7,0xF7,0x78,0x77, - 0xDA,0xA6,0xD7,0x89,0x1B,0xAF, -}; - -/* SHA1 Fingerprint=09:50:B6:CD:3D:2F:37:EA:24:6A:1A:AA:20:DF:AA:DB:D6:FE:1F:75 */ -/* subject:/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ - -static unsigned char c3[1063]={ - 0x30,0x82,0x04,0x23,0x30,0x82,0x03,0x0B,0xA0,0x03,0x02,0x01,0x02,0x02,0x01,0x19, - 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30, - 0x62,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, - 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x13,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, - 0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x13,0x1D,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, - 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x16,0x30,0x14,0x06, - 0x03,0x55,0x04,0x03,0x13,0x0D,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74, - 0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x30,0x38,0x30,0x32,0x31,0x34,0x31,0x38,0x35, - 0x36,0x33,0x35,0x5A,0x17,0x0D,0x31,0x36,0x30,0x32,0x31,0x34,0x31,0x38,0x35,0x36, - 0x33,0x35,0x5A,0x30,0x81,0x96,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04, - 0x0B,0x0C,0x23,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77,0x69, - 0x64,0x65,0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65,0x6C, - 0x61,0x74,0x69,0x6F,0x6E,0x73,0x31,0x44,0x30,0x42,0x06,0x03,0x55,0x04,0x03,0x0C, - 0x3B,0x41,0x70,0x70,0x6C,0x65,0x20,0x57,0x6F,0x72,0x6C,0x64,0x77,0x69,0x64,0x65, - 0x20,0x44,0x65,0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x20,0x52,0x65,0x6C,0x61,0x74, - 
0x69,0x6F,0x6E,0x73,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69, - 0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x30,0x82,0x01,0x22, - 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03, - 0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xCA,0x38,0x54, - 0xA6,0xCB,0x56,0xAA,0xC8,0x24,0x39,0x48,0xE9,0x8C,0xEE,0xEC,0x5F,0xB8,0x7F,0x26, - 0x91,0xBC,0x34,0x53,0x7A,0xCE,0x7C,0x63,0x80,0x61,0x77,0x64,0x5E,0xA5,0x07,0x23, - 0xB6,0x39,0xFE,0x50,0x2D,0x15,0x56,0x58,0x70,0x2D,0x7E,0xC4,0x6E,0xC1,0x4A,0x85, - 0x3E,0x2F,0xF0,0xDE,0x84,0x1A,0xA1,0x57,0xC9,0xAF,0x7B,0x18,0xFF,0x6A,0xFA,0x15, - 0x12,0x49,0x15,0x08,0x19,0xAC,0xAA,0xDB,0x2A,0x32,0xED,0x96,0x63,0x68,0x52,0x15, - 0x3D,0x8C,0x8A,0xEC,0xBF,0x6B,0x18,0x95,0xE0,0x03,0xAC,0x01,0x7D,0x97,0x05,0x67, - 0xCE,0x0E,0x85,0x95,0x37,0x6A,0xED,0x09,0xB6,0xAE,0x67,0xCD,0x51,0x64,0x9F,0xC6, - 0x5C,0xD1,0xBC,0x57,0x6E,0x67,0x35,0x80,0x76,0x36,0xA4,0x87,0x81,0x6E,0x38,0x8F, - 0xD8,0x2B,0x15,0x4E,0x7B,0x25,0xD8,0x5A,0xBF,0x4E,0x83,0xC1,0x8D,0xD2,0x93,0xD5, - 0x1A,0x71,0xB5,0x60,0x9C,0x9D,0x33,0x4E,0x55,0xF9,0x12,0x58,0x0C,0x86,0xB8,0x16, - 0x0D,0xC1,0xE5,0x77,0x45,0x8D,0x50,0x48,0xBA,0x2B,0x2D,0xE4,0x94,0x85,0xE1,0xE8, - 0xC4,0x9D,0xC6,0x68,0xA5,0xB0,0xA3,0xFC,0x67,0x7E,0x70,0xBA,0x02,0x59,0x4B,0x77, - 0x42,0x91,0x39,0xB9,0xF5,0xCD,0xE1,0x4C,0xEF,0xC0,0x3B,0x48,0x8C,0xA6,0xE5,0x21, - 0x5D,0xFD,0x6A,0x6A,0xBB,0xA7,0x16,0x35,0x60,0xD2,0xE6,0xAD,0xF3,0x46,0x29,0xC9, - 0xE8,0xC3,0x8B,0xE9,0x79,0xC0,0x6A,0x61,0x67,0x15,0xB2,0xF0,0xFD,0xE5,0x68,0xBC, - 0x62,0x5F,0x6E,0xCF,0x99,0xDD,0xEF,0x1B,0x63,0xFE,0x92,0x65,0xAB,0x02,0x03,0x01, - 0x00,0x01,0xA3,0x81,0xAE,0x30,0x81,0xAB,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01, - 0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x86,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01, - 0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, - 0x04,0x16,0x04,0x14,0x88,0x27,0x17,0x09,0xA9,0xB6,0x18,0x60,0x8B,0xEC,0xEB,0xBA, - 
0xF6,0x47,0x59,0xC5,0x52,0x54,0xA3,0xB7,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04, - 0x18,0x30,0x16,0x80,0x14,0x2B,0xD0,0x69,0x47,0x94,0x76,0x09,0xFE,0xF4,0x6B,0x8D, - 0x2E,0x40,0xA6,0xF7,0x47,0x4D,0x7F,0x08,0x5E,0x30,0x36,0x06,0x03,0x55,0x1D,0x1F, - 0x04,0x2F,0x30,0x2D,0x30,0x2B,0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70, - 0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, - 0x2F,0x61,0x70,0x70,0x6C,0x65,0x63,0x61,0x2F,0x72,0x6F,0x6F,0x74,0x2E,0x63,0x72, - 0x6C,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x01,0x04, - 0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, - 0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xDA,0x32,0x00,0x96,0xC5,0x54,0x94,0xD3,0x3B, - 0x82,0x37,0x66,0x7D,0x2E,0x68,0xD5,0xC3,0xC6,0xB8,0xCB,0x26,0x8C,0x48,0x90,0xCF, - 0x13,0x24,0x6A,0x46,0x8E,0x63,0xD4,0xF0,0xD0,0x13,0x06,0xDD,0xD8,0xC4,0xC1,0x37, - 0x15,0xF2,0x33,0x13,0x39,0x26,0x2D,0xCE,0x2E,0x55,0x40,0xE3,0x0B,0x03,0xAF,0xFA, - 0x12,0xC2,0xE7,0x0D,0x21,0xB8,0xD5,0x80,0xCF,0xAC,0x28,0x2F,0xCE,0x2D,0xB3,0x4E, - 0xAF,0x86,0x19,0x04,0xC6,0xE9,0x50,0xDD,0x4C,0x29,0x47,0x10,0x23,0xFC,0x6C,0xBB, - 0x1B,0x98,0x6B,0x48,0x89,0xE1,0x5B,0x9D,0xDE,0x46,0xDB,0x35,0x85,0x35,0xEF,0x3E, - 0xD0,0xE2,0x58,0x4B,0x38,0xF4,0xED,0x75,0x5A,0x1F,0x5C,0x70,0x1D,0x56,0x39,0x12, - 0xE5,0xE1,0x0D,0x11,0xE4,0x89,0x25,0x06,0xBD,0xD5,0xB4,0x15,0x8E,0x5E,0xD0,0x59, - 0x97,0x90,0xE9,0x4B,0x81,0xE2,0xDF,0x18,0xAF,0x44,0x74,0x1E,0x19,0xA0,0x3A,0x47, - 0xCC,0x91,0x1D,0x3A,0xEB,0x23,0x5A,0xFE,0xA5,0x2D,0x97,0xF7,0x7B,0xBB,0xD6,0x87, - 0x46,0x42,0x85,0xEB,0x52,0x3D,0x26,0xB2,0x63,0xA8,0xB4,0xB1,0xCA,0x8F,0xF4,0xCC, - 0xE2,0xB3,0xC8,0x47,0xE0,0xBF,0x9A,0x59,0x83,0xFA,0xDA,0x98,0x53,0x2A,0x82,0xF5, - 0x7C,0x65,0x2E,0x95,0xD9,0x33,0x5D,0xF5,0xED,0x65,0xCC,0x31,0x37,0xC5,0x5A,0x04, - 0xE8,0x6B,0xE1,0xE7,0x88,0x03,0x4A,0x75,0x9E,0x9B,0x28,0xCB,0x4A,0x40,0x88,0x65, - 0x43,0x75,0xDD,0xCB,0x3A,0x25,0x23,0xC5,0x9E,0x57,0xF8,0x2E,0xCE,0xD2,0xA9,0x92, - 
0x5E,0x73,0x2E,0x2F,0x25,0x75,0x15, -}; - -static unsigned char root[] = { - 0x30, 0x82, 0x04, 0xcc, 0x30, 0x82, 0x03, 0xb4, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x3d, 0x00, 0x4b, 0x90, 0x3e, 0xde, 0xe0, 0xd0, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x30, 0x67, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, - 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x0c, 0x12, 0x54, 0x65, 0x73, 0x74, 0x20, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x30, - 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x32, 0x32, 0x30, 0x32, 0x31, - 0x35, 0x34, 0x38, 0x5a, 0x17, 0x0d, 0x33, 0x35, 0x30, 0x32, 0x30, 0x39, - 0x32, 0x31, 0x34, 0x30, 0x33, 0x36, 0x5a, 0x30, 0x67, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, 0x54, 0x65, - 0x73, 0x74, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, - 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 
- 0x00, 0xc7, 0xd1, 0x43, 0x53, 0x7f, 0x0d, 0x88, 0x6b, 0xe6, 0xb1, 0x67, - 0x9d, 0xee, 0x67, 0xb6, 0xe7, 0x77, 0x12, 0x81, 0xc4, 0xdf, 0x24, 0x6b, - 0x7a, 0x75, 0x24, 0xf7, 0x01, 0x09, 0xce, 0x34, 0x92, 0xf5, 0x38, 0x08, - 0x42, 0x7e, 0xec, 0x9d, 0xf2, 0x5d, 0x38, 0x91, 0xb4, 0x93, 0x98, 0x35, - 0x11, 0x3c, 0x98, 0x00, 0x77, 0xd9, 0xd7, 0xf3, 0x4a, 0xf8, 0xf0, 0xbc, - 0xeb, 0x97, 0x5d, 0x4b, 0x61, 0x2e, 0xfb, 0xc5, 0xcc, 0x68, 0xb7, 0x6d, - 0x69, 0x10, 0xcc, 0xa5, 0x61, 0x78, 0xa8, 0x81, 0x02, 0x9e, 0xe7, 0x63, - 0xc5, 0xff, 0x29, 0x22, 0x82, 0x68, 0xaa, 0xaa, 0x0e, 0xfb, 0xa9, 0xd8, - 0x16, 0x73, 0x25, 0xbf, 0x9d, 0x08, 0x62, 0x2f, 0x78, 0x04, 0xf6, 0xf6, - 0x44, 0x07, 0x37, 0x6e, 0x99, 0x1b, 0x93, 0xd8, 0x7f, 0xee, 0x72, 0xde, - 0xe8, 0x32, 0xf6, 0x6d, 0x78, 0x04, 0xa0, 0xa8, 0x21, 0x26, 0x8a, 0x32, - 0xe3, 0xb1, 0x65, 0x85, 0xa1, 0x7b, 0x1a, 0xa9, 0x02, 0xb2, 0xbb, 0xee, - 0xdd, 0xdd, 0x8f, 0x41, 0x49, 0xc8, 0x3f, 0xdc, 0x1e, 0xdf, 0x21, 0xa3, - 0x95, 0x99, 0xbb, 0xfc, 0x29, 0xba, 0x40, 0x43, 0xb9, 0x1c, 0xcd, 0xc9, - 0x21, 0x45, 0x73, 0xad, 0xff, 0xfd, 0xa2, 0x6c, 0x5c, 0x3b, 0x1c, 0x37, - 0x91, 0x34, 0x8e, 0x5c, 0xd3, 0xd5, 0x03, 0x58, 0x28, 0xc7, 0xf2, 0x76, - 0x6f, 0x11, 0xc0, 0xb5, 0xbd, 0x7e, 0xef, 0x23, 0xb3, 0x3d, 0xb8, 0xbd, - 0x38, 0x66, 0x8c, 0xf2, 0x78, 0x95, 0xc1, 0x8b, 0x32, 0x65, 0x3a, 0x9b, - 0x49, 0x1a, 0x5c, 0x41, 0x3c, 0xc6, 0x85, 0x50, 0xec, 0x85, 0xf0, 0x59, - 0x17, 0x81, 0xe8, 0x96, 0xe8, 0x6a, 0xcc, 0xb3, 0xc7, 0x46, 0xbf, 0x81, - 0x48, 0xd1, 0x09, 0x1b, 0xbc, 0x73, 0x1e, 0xd7, 0xe8, 0x27, 0xa8, 0x49, - 0x48, 0xa2, 0x1c, 0x41, 0x1d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, - 0x01, 0x7a, 0x30, 0x82, 0x01, 0x76, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, - 0x0e, 0x04, 0x16, 0x04, 0x14, 0x59, 0xb8, 0x2b, 0x94, 0x3a, 0x1b, 0xba, - 0xf1, 0x00, 0xae, 0xee, 0x50, 0x52, 0x23, 0x33, 0xc9, 0x59, 0xc3, 0x54, - 0x98, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, - 
0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x59, 0xb8, 0x2b, 0x94, 0x3a, - 0x1b, 0xba, 0xf1, 0x00, 0xae, 0xee, 0x50, 0x52, 0x23, 0x33, 0xc9, 0x59, - 0xc3, 0x54, 0x98, 0x30, 0x82, 0x01, 0x11, 0x06, 0x03, 0x55, 0x1d, 0x20, - 0x04, 0x82, 0x01, 0x08, 0x30, 0x82, 0x01, 0x04, 0x30, 0x82, 0x01, 0x00, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x05, 0x01, 0x30, - 0x81, 0xf2, 0x30, 0x2a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x02, 0x01, 0x16, 0x1e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, - 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x30, 0x81, - 0xc3, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, - 0x81, 0xb6, 0x0c, 0x81, 0xb3, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, - 0x65, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x62, 0x79, - 0x20, 0x61, 0x6e, 0x79, 0x20, 0x70, 0x61, 0x72, 0x74, 0x79, 0x20, 0x61, - 0x73, 0x73, 0x75, 0x6d, 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, - 0x74, 0x61, 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, - 0x20, 0x74, 0x68, 0x65, 0x6e, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, - 0x61, 0x62, 0x6c, 0x65, 0x20, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, - 0x64, 0x20, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, - 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6f, - 0x66, 0x20, 0x75, 0x73, 0x65, 0x2c, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, - 0x74, 0x69, 0x63, 0x65, 0x20, 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x73, 0x2e, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, - 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0d, 0x06, 0x09, - 
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x01, 0x00, 0x10, 0x5e, 0x6c, 0x69, 0xfc, 0xa6, 0x0f, 0xe2, - 0x09, 0xd5, 0x94, 0x90, 0xa6, 0x7c, 0x22, 0xdc, 0xee, 0xb0, 0x8f, 0x24, - 0x22, 0x4f, 0xb3, 0x67, 0xdb, 0x32, 0xb0, 0xd6, 0x24, 0x87, 0xe6, 0xf3, - 0xea, 0x9e, 0xd0, 0x95, 0x75, 0xaa, 0xa7, 0x08, 0xff, 0xb0, 0x35, 0xd7, - 0x1f, 0xa3, 0xbf, 0x89, 0x55, 0x0c, 0x1c, 0xa4, 0xd0, 0xf8, 0x00, 0x17, - 0x44, 0x94, 0x36, 0x63, 0x3b, 0x83, 0xfe, 0x4e, 0xe5, 0xb3, 0xec, 0x7b, - 0x7d, 0xce, 0xfe, 0xa9, 0x54, 0xed, 0xbb, 0x12, 0xa6, 0x72, 0x2b, 0xb3, - 0x48, 0x00, 0xc7, 0x8e, 0xf5, 0x5b, 0x68, 0xc9, 0x24, 0x22, 0x7f, 0xa1, - 0x4d, 0xfc, 0x54, 0xd9, 0xd0, 0x5d, 0x82, 0x53, 0x71, 0x29, 0x66, 0xcf, - 0x0f, 0x6d, 0x32, 0xa6, 0x3f, 0xae, 0x54, 0x27, 0xc2, 0x8c, 0x12, 0x4c, - 0xf0, 0xd6, 0xc1, 0x80, 0x75, 0xc3, 0x33, 0x19, 0xd1, 0x8b, 0x58, 0xe6, - 0x00, 0x69, 0x76, 0xe7, 0xe5, 0x3d, 0x47, 0xf9, 0xc0, 0x9c, 0xe7, 0x19, - 0x1e, 0x95, 0xbc, 0x52, 0x15, 0xce, 0x94, 0xf8, 0x30, 0x14, 0x0b, 0x39, - 0x0e, 0x8b, 0xaf, 0x29, 0x30, 0x56, 0xaf, 0x5a, 0x28, 0xac, 0xe1, 0x0f, - 0x51, 0x76, 0x76, 0x9a, 0xe7, 0xb9, 0x7d, 0xa3, 0x30, 0xe8, 0xe3, 0x71, - 0x15, 0xe8, 0xbf, 0x0d, 0x4f, 0x12, 0x9b, 0x65, 0xab, 0xef, 0xa4, 0xe9, - 0x42, 0xf0, 0xd2, 0x4d, 0x20, 0x55, 0x29, 0x88, 0x58, 0x5c, 0x82, 0x67, - 0x63, 0x20, 0x50, 0xc6, 0xca, 0x04, 0xe8, 0xbc, 0x3d, 0x93, 0x06, 0x21, - 0xb2, 0xc0, 0xbf, 0x53, 0x1e, 0xe1, 0x8b, 0x48, 0xa9, 0xb9, 0xd7, 0xe6, - 0x5f, 0x4e, 0x5a, 0x2f, 0x43, 0xac, 0x35, 0xbd, 0x26, 0x60, 0x2f, 0x01, - 0xd5, 0x86, 0x6b, 0x64, 0xfa, 0x67, 0x05, 0x44, 0x55, 0x83, 0x5b, 0x93, - 0x9c, 0x7c, 0xa7, 0x26, 0x4e, 0x02, 0x2b, 0x48 -}; - - -#endif /* si_88_sectrust_vpnprofile_h */ diff --git a/OSX/sec/Security/Regressions/secitem/si-90-emcs.m b/OSX/sec/Security/Regressions/secitem/si-90-emcs.m index 771973f6..1e192f6a 100644 --- a/OSX/sec/Security/Regressions/secitem/si-90-emcs.m +++ b/OSX/sec/Security/Regressions/secitem/si-90-emcs.m 
@@ -11,11 +11,9 @@ static void tests(void)
@autoreleasepool {
NSDictionary *idmsData = SecEMCSCreateNewiDMSKey(NULL, NULL, @"1234", NULL, NULL);
- [idmsData autorelease];
ok(idmsData);
NSData *emcsKey = SecEMCSCreateDerivedEMCSKey(idmsData, @"1234", NULL);
- [emcsKey autorelease];
ok(emcsKey, "emcs key");
/*
@@ -23,10 +21,8 @@ static void tests(void)
*/
NSDictionary *newIdmsData = SecEMCSCreateNewiDMSKey(NULL, emcsKey, @"4321", NULL, NULL);
- [newIdmsData autorelease];
NSData *newEmcsKey = SecEMCSCreateDerivedEMCSKey(newIdmsData, @"4321", NULL);
- [newEmcsKey autorelease];
ok(newEmcsKey, "new emcs key");
ok([newEmcsKey isEqualToData:emcsKey], "key same");
@@ -45,8 +41,6 @@ static void tests(void)
ok([data isEqualToData:[NSData dataWithBytes:"\xa4\x42\x8b\xb0\xb8\x20\xdb\xfa\x58\x84\xab\xe3\x52\x93\xeb\x10" length:16]], "same");
- [data release];
- data = SecEMCSCreateDerivedEMCSKey(fakeIdmsData, @"4321", NULL);
ok(!data, "KFD2");
}
diff --git a/OSX/sec/Security/Regressions/secitem/si-91-sectrust-ast2.c b/OSX/sec/Security/Regressions/secitem/si-91-sectrust-ast2.c
deleted file mode 100644
index aa101508..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-91-sectrust-ast2.c
+++ /dev/null
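Review bot: Dropping `[idmsData autorelease]` and `[emcsKey autorelease]` after `NSDictionary *idmsData = SecEMCSCreateNewiDMSKey(...)` and `NSData *emcsKey = SecEMCSCreateDerivedEMCSKey(...)` only balances correctly if these Create-named C functions are declared with `NS_RETURNS_RETAINED` (or the file is otherwise told they return +1); the old code autoreleased them, which implies a +1 return, and ARC treats an unannotated C-function return as +0, so each object would now leak. The same applies to the removals in the hunks at `@@ -23` and `@@ -45`, where `[data release]` is also gone. It is presumably an ARC conversion, but nothing in the hunk shows the annotation; confirming it in the SecEMCS header also documents the ownership contract for non-test callers. The body of `tests` begins and ends outside these hunks.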
@@ -1,105 +0,0 @@
-/*
- * Copyright (c) 2015 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecPolicyPriv.h>
-
-#include "utilities/SecCFRelease.h"
-#include "utilities/SecCFWrappers.h"
-
-#include "Security_regressions.h"
-
-
-#include "si-91-sectrust-ast2.h"
-
-static void tests(void)
-{
- SecTrustRef trust = NULL;
- SecPolicyRef policy = NULL;
- SecCertificateRef cert0 = NULL, cert1 = NULL, rootcert = NULL;
- SecTrustResultType trustResult;
- CFDictionaryRef allowTestRoot = NULL;
-
- isnt(cert0 = SecCertificateCreateWithBytes(NULL, _ast2TestLeaf, sizeof(_ast2TestLeaf)), NULL, "create cert0");
- isnt(cert1 = SecCertificateCreateWithBytes(NULL, _AppleTestServerAuthCA, sizeof(_AppleTestServerAuthCA)), NULL, "create cert1");
- isnt(rootcert = SecCertificateCreateWithBytes(NULL, _AppleTestRoot, sizeof(_AppleTestRoot)), NULL, "create root cert");
-
- const void *v_certs[] = { cert0, cert1 };
- CFArrayRef certs = CFArrayCreate(NULL,
v_certs, sizeof(v_certs)/sizeof(*v_certs), &kCFTypeArrayCallBacks);
- CFArrayRef anchor_certs = CFArrayCreate(NULL, (const void**)&rootcert, 1, &kCFTypeArrayCallBacks);
-
- /* Set explicit verify date: 15 Dec 2015 */
- CFDateRef date = NULL;
- isnt(date = CFDateCreate(NULL, 471907305.0), NULL, "Create verify date");
-
- /* Evaluate test certs with production policy. Should fail. */
- isnt(policy = SecPolicyCreateAppleAST2Service(CFSTR("ast2.test.domain.here"), NULL), NULL, "create prod policy");
-
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
- ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trustResult is kSecTrustResultRecoverableTrustFailure");
-
- CFReleaseSafe(trust);
- CFReleaseSafe(policy);
-
- /* Evaluate test certs with test root allowed */
- CFStringRef key = CFSTR("AppleServerAuthenticationAllowUATAST2");
- isnt(allowTestRoot = CFDictionaryCreate(NULL, (const void **)&key, (const void **)&kCFBooleanTrue, 1,
- &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks),
- NULL, "create context dictionary");
- isnt(policy = SecPolicyCreateAppleAST2Service(CFSTR("ast2.test.domain.here"), allowTestRoot), NULL, "create test policy");
-
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
- ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified");
- is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
-
- CFReleaseSafe(date);
- CFReleaseSafe(trust);
- CFReleaseSafe(policy);
- CFReleaseSafe(certs);
-
CFReleaseSafe(cert0);
- CFReleaseSafe(cert1);
- CFReleaseSafe(anchor_certs);
- CFReleaseSafe(rootcert);
- CFReleaseSafe(key);
-
-}
-
-
-int si_91_sectrust_ast2(int argc, char *const *argv)
-{
- plan_tests(18);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-91-sectrust-ast2.h b/OSX/sec/Security/Regressions/secitem/si-91-sectrust-ast2.h
deleted file mode 100644
index 1bccf35a..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-91-sectrust-ast2.h
+++ /dev/null
@@ -1,265 +0,0 @@ -/* - * Copyright (c) 2015 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -#ifndef si_91_sectrust_ast2_h -#define si_91_sectrust_ast2_h - -#include <stdio.h> - -/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ -unsigned char _AppleTestRoot[1232]={ - 0x30,0x82,0x04,0xCC,0x30,0x82,0x03,0xB4,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x3D, - 0x00,0x4B,0x90,0x3E,0xDE,0xE0,0xD0,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, - 0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, - 0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, - 0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73, - 
0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30, - 0x1E,0x17,0x0D,0x31,0x35,0x30,0x34,0x32,0x32,0x30,0x32,0x31,0x35,0x34,0x38,0x5A, - 0x17,0x0D,0x33,0x35,0x30,0x32,0x30,0x39,0x32,0x31,0x34,0x30,0x33,0x36,0x5A,0x30, - 0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, - 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, - 0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, - 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x1B,0x30,0x19,0x06, - 0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65, - 0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09, - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00, - 0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC7,0xD1,0x43,0x53,0x7F,0x0D,0x88, - 0x6B,0xE6,0xB1,0x67,0x9D,0xEE,0x67,0xB6,0xE7,0x77,0x12,0x81,0xC4,0xDF,0x24,0x6B, - 0x7A,0x75,0x24,0xF7,0x01,0x09,0xCE,0x34,0x92,0xF5,0x38,0x08,0x42,0x7E,0xEC,0x9D, - 0xF2,0x5D,0x38,0x91,0xB4,0x93,0x98,0x35,0x11,0x3C,0x98,0x00,0x77,0xD9,0xD7,0xF3, - 0x4A,0xF8,0xF0,0xBC,0xEB,0x97,0x5D,0x4B,0x61,0x2E,0xFB,0xC5,0xCC,0x68,0xB7,0x6D, - 0x69,0x10,0xCC,0xA5,0x61,0x78,0xA8,0x81,0x02,0x9E,0xE7,0x63,0xC5,0xFF,0x29,0x22, - 0x82,0x68,0xAA,0xAA,0x0E,0xFB,0xA9,0xD8,0x16,0x73,0x25,0xBF,0x9D,0x08,0x62,0x2F, - 0x78,0x04,0xF6,0xF6,0x44,0x07,0x37,0x6E,0x99,0x1B,0x93,0xD8,0x7F,0xEE,0x72,0xDE, - 0xE8,0x32,0xF6,0x6D,0x78,0x04,0xA0,0xA8,0x21,0x26,0x8A,0x32,0xE3,0xB1,0x65,0x85, - 0xA1,0x7B,0x1A,0xA9,0x02,0xB2,0xBB,0xEE,0xDD,0xDD,0x8F,0x41,0x49,0xC8,0x3F,0xDC, - 0x1E,0xDF,0x21,0xA3,0x95,0x99,0xBB,0xFC,0x29,0xBA,0x40,0x43,0xB9,0x1C,0xCD,0xC9, - 0x21,0x45,0x73,0xAD,0xFF,0xFD,0xA2,0x6C,0x5C,0x3B,0x1C,0x37,0x91,0x34,0x8E,0x5C, - 0xD3,0xD5,0x03,0x58,0x28,0xC7,0xF2,0x76,0x6F,0x11,0xC0,0xB5,0xBD,0x7E,0xEF,0x23, - 
0xB3,0x3D,0xB8,0xBD,0x38,0x66,0x8C,0xF2,0x78,0x95,0xC1,0x8B,0x32,0x65,0x3A,0x9B, - 0x49,0x1A,0x5C,0x41,0x3C,0xC6,0x85,0x50,0xEC,0x85,0xF0,0x59,0x17,0x81,0xE8,0x96, - 0xE8,0x6A,0xCC,0xB3,0xC7,0x46,0xBF,0x81,0x48,0xD1,0x09,0x1B,0xBC,0x73,0x1E,0xD7, - 0xE8,0x27,0xA8,0x49,0x48,0xA2,0x1C,0x41,0x1D,0x02,0x03,0x01,0x00,0x01,0xA3,0x82, - 0x01,0x7A,0x30,0x82,0x01,0x76,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, - 0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33, - 0xC9,0x59,0xC3,0x54,0x98,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, - 0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30, - 0x16,0x80,0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52, - 0x23,0x33,0xC9,0x59,0xC3,0x54,0x98,0x30,0x82,0x01,0x11,0x06,0x03,0x55,0x1D,0x20, - 0x04,0x82,0x01,0x08,0x30,0x82,0x01,0x04,0x30,0x82,0x01,0x00,0x06,0x09,0x2A,0x86, - 0x48,0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF2,0x30,0x2A,0x06,0x08,0x2B,0x06, - 0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1E,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F, - 0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70, - 0x70,0x6C,0x65,0x63,0x61,0x2F,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, - 0x07,0x02,0x02,0x30,0x81,0xB6,0x0C,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63, - 0x65,0x20,0x6F,0x6E,0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72, - 0x74,0x79,0x20,0x61,0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70, - 0x74,0x61,0x6E,0x63,0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65, - 0x6E,0x20,0x61,0x70,0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61, - 0x6E,0x64,0x61,0x72,0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20, - 0x63,0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73, - 0x65,0x2C,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70, - 
0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65, - 0x20,0x73,0x74,0x61,0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x0E,0x06,0x03, - 0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x0D,0x06,0x09, - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00, - 0x10,0x5E,0x6C,0x69,0xFC,0xA6,0x0F,0xE2,0x09,0xD5,0x94,0x90,0xA6,0x7C,0x22,0xDC, - 0xEE,0xB0,0x8F,0x24,0x22,0x4F,0xB3,0x67,0xDB,0x32,0xB0,0xD6,0x24,0x87,0xE6,0xF3, - 0xEA,0x9E,0xD0,0x95,0x75,0xAA,0xA7,0x08,0xFF,0xB0,0x35,0xD7,0x1F,0xA3,0xBF,0x89, - 0x55,0x0C,0x1C,0xA4,0xD0,0xF8,0x00,0x17,0x44,0x94,0x36,0x63,0x3B,0x83,0xFE,0x4E, - 0xE5,0xB3,0xEC,0x7B,0x7D,0xCE,0xFE,0xA9,0x54,0xED,0xBB,0x12,0xA6,0x72,0x2B,0xB3, - 0x48,0x00,0xC7,0x8E,0xF5,0x5B,0x68,0xC9,0x24,0x22,0x7F,0xA1,0x4D,0xFC,0x54,0xD9, - 0xD0,0x5D,0x82,0x53,0x71,0x29,0x66,0xCF,0x0F,0x6D,0x32,0xA6,0x3F,0xAE,0x54,0x27, - 0xC2,0x8C,0x12,0x4C,0xF0,0xD6,0xC1,0x80,0x75,0xC3,0x33,0x19,0xD1,0x8B,0x58,0xE6, - 0x00,0x69,0x76,0xE7,0xE5,0x3D,0x47,0xF9,0xC0,0x9C,0xE7,0x19,0x1E,0x95,0xBC,0x52, - 0x15,0xCE,0x94,0xF8,0x30,0x14,0x0B,0x39,0x0E,0x8B,0xAF,0x29,0x30,0x56,0xAF,0x5A, - 0x28,0xAC,0xE1,0x0F,0x51,0x76,0x76,0x9A,0xE7,0xB9,0x7D,0xA3,0x30,0xE8,0xE3,0x71, - 0x15,0xE8,0xBF,0x0D,0x4F,0x12,0x9B,0x65,0xAB,0xEF,0xA4,0xE9,0x42,0xF0,0xD2,0x4D, - 0x20,0x55,0x29,0x88,0x58,0x5C,0x82,0x67,0x63,0x20,0x50,0xC6,0xCA,0x04,0xE8,0xBC, - 0x3D,0x93,0x06,0x21,0xB2,0xC0,0xBF,0x53,0x1E,0xE1,0x8B,0x48,0xA9,0xB9,0xD7,0xE6, - 0x5F,0x4E,0x5A,0x2F,0x43,0xAC,0x35,0xBD,0x26,0x60,0x2F,0x01,0xD5,0x86,0x6B,0x64, - 0xFA,0x67,0x05,0x44,0x55,0x83,0x5B,0x93,0x9C,0x7C,0xA7,0x26,0x4E,0x02,0x2B,0x48, -}; - -/* subject:/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ -unsigned char _AppleTestServerAuthCA[1043]={ - 
0x30,0x82,0x04,0x0F,0x30,0x82,0x02,0xF7,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x4B, - 0x28,0xA9,0x3B,0x57,0x8B,0xF6,0x26,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, - 0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, - 0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, - 0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73, - 0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30, - 0x1E,0x17,0x0D,0x31,0x35,0x30,0x36,0x30,0x38,0x30,0x37,0x35,0x38,0x34,0x35,0x5A, - 0x17,0x0D,0x32,0x39,0x30,0x33,0x30,0x38,0x30,0x31,0x35,0x33,0x30,0x34,0x5A,0x30, - 0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04,0x03,0x0C,0x23,0x54,0x65,0x73,0x74, - 0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20,0x41,0x75, - 0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x41,0x31, - 0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74, - 0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C, - 0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, - 0x82,0x01,0x01,0x00,0xC5,0x7B,0x3F,0x48,0xD3,0x62,0x93,0x93,0x7C,0x0C,0x37,0x69, - 0xDB,0x28,0x05,0x40,0x12,0xD7,0x1F,0x0A,0xB8,0xC3,0xBA,0x24,0x39,0x22,0xDC,0x39, - 0x42,0x1F,0xFD,0x93,0x45,0x3C,0x23,0x0B,0x3E,0xB4,0x96,0xA6,0x55,0x59,0xBA,0xC4, - 0x99,0xE7,0x8A,0x5F,0x8F,0xAE,0x66,0xA7,0x28,0xE2,0x9E,0x68,0xD9,0xEC,0x52,0x67, - 
0xFE,0xDD,0xBE,0x59,0xB4,0xAD,0x97,0x63,0x64,0xB0,0x08,0x3C,0xBB,0x6E,0xD1,0x29, - 0xD8,0x58,0xA1,0x99,0x6C,0x2F,0x2F,0xB3,0xF5,0x5C,0x59,0xCA,0xA1,0xE6,0x67,0x44, - 0x3C,0x13,0xB4,0xAE,0x0D,0x00,0xC7,0x53,0xB7,0xF5,0x61,0x58,0xD5,0xC8,0x42,0xFC, - 0xE2,0xFD,0xD5,0x39,0x18,0x80,0xE2,0x72,0xBC,0xF8,0xC3,0x9F,0xCB,0xD8,0x2F,0x83, - 0x40,0x9A,0x3E,0x55,0x5E,0x61,0xA9,0xC4,0x81,0x14,0x2B,0x7B,0x19,0x15,0xAD,0x84, - 0x5E,0x80,0xA8,0x67,0x79,0x05,0x16,0x48,0x5C,0xAE,0x1A,0x2B,0x59,0x9F,0xAA,0x62, - 0x0B,0x2F,0x57,0xCD,0xE8,0xA8,0x5D,0x38,0xAD,0x7C,0x90,0x79,0x50,0xAC,0x4D,0x13, - 0xA4,0xA7,0xF3,0x73,0xED,0xD6,0x93,0x45,0xDD,0xA8,0xC6,0xFE,0x03,0x28,0x4D,0x58, - 0xC1,0x8B,0xC1,0x03,0x0E,0xE7,0xDF,0x78,0xDD,0x21,0xC6,0x6D,0x1E,0xA0,0x38,0xD7, - 0xA7,0xD7,0x04,0x8C,0x7F,0xCA,0x15,0xEA,0x88,0xE9,0xAE,0x8D,0x46,0xE0,0x87,0x94, - 0x3E,0x8F,0x53,0x11,0x88,0x23,0x99,0x7B,0x9D,0xD8,0x69,0x1A,0x22,0xAE,0xB5,0x18, - 0xA5,0x9F,0xEA,0x71,0x31,0x0B,0x27,0x93,0x85,0x1D,0xF7,0xA0,0xC3,0x82,0x0A,0x3F, - 0xEE,0xD2,0xD4,0xEF,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xB3,0x30,0x81,0xB0,0x30, - 0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xA8,0xCA,0x7A,0x9B,0xA8,0x37, - 0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2,0x30,0x0F, - 0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30, - 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x59,0xB8,0x2B,0x94, - 0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33,0xC9,0x59,0xC3,0x54,0x98, - 0x30,0x3B,0x06,0x03,0x55,0x1D,0x1F,0x04,0x34,0x30,0x32,0x30,0x30,0xA0,0x2E,0xA0, - 0x2C,0x86,0x2A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61, - 0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, - 0x2F,0x74,0x65,0x73,0x74,0x72,0x6F,0x6F,0x74,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06, - 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06, - 0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x0C,0x04,0x02,0x05,0x00,0x30, - 
0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82, - 0x01,0x01,0x00,0x11,0x24,0x61,0x2B,0x7C,0x5E,0x67,0x29,0x94,0x14,0x19,0x16,0xD5, - 0xD4,0x7A,0xEE,0x53,0x1A,0x64,0xA2,0x6A,0x2B,0x04,0xE6,0x2C,0xA1,0x08,0xBA,0xCA, - 0x81,0xF5,0x28,0x2A,0xCE,0xD5,0x6B,0x52,0xAC,0xE7,0xBD,0xB3,0x23,0xB9,0x67,0x2C, - 0xC7,0x9E,0x61,0xA1,0xD9,0x6C,0x3F,0x4F,0x55,0xD4,0x75,0xAF,0x44,0xAD,0xF8,0xCE, - 0x58,0xA7,0x2E,0xF8,0x6A,0xF0,0x76,0x51,0x31,0x75,0x4C,0xCA,0xF6,0xC3,0x59,0xC7, - 0xE6,0xAE,0x4A,0x20,0x4E,0x5F,0xB9,0xAB,0x1C,0xB6,0x36,0x25,0x60,0x02,0x32,0x47, - 0x7D,0xA0,0xE2,0x36,0xB3,0x3B,0x40,0x20,0x9E,0x38,0x40,0x1C,0x7E,0x83,0x35,0x9C, - 0x9D,0x8B,0xD1,0xF9,0xEA,0xD4,0xF2,0x83,0xE0,0x30,0xEA,0xC3,0xEE,0x3D,0x76,0x98, - 0x9E,0x0A,0x07,0xB5,0xB6,0xFC,0x38,0x32,0xF6,0x41,0xEF,0x8E,0x25,0x2C,0xE3,0xC7, - 0xA7,0xAD,0x88,0x77,0x4D,0x10,0x1D,0x67,0x50,0x64,0xB0,0x02,0x04,0x2C,0xEA,0x4C, - 0x81,0x33,0xBE,0xF3,0xCD,0x43,0x63,0x97,0x44,0xDF,0xBB,0xC6,0xE2,0x37,0x32,0xF1, - 0xE4,0x19,0x1F,0xF5,0xAE,0xDA,0x05,0xC4,0x0B,0xFA,0x30,0xCA,0x77,0x78,0x65,0xD6, - 0x4F,0x2D,0xFE,0x63,0xD3,0x4C,0x3D,0xA9,0x0E,0xC4,0x0F,0xD6,0xCC,0x2A,0x2D,0x06, - 0x9B,0xDE,0x94,0xF6,0x22,0x2E,0x89,0xCB,0x68,0x4E,0xDE,0x79,0xE5,0x83,0xDE,0x64, - 0x63,0xE9,0x77,0x88,0xF1,0x57,0xF2,0x5C,0xB4,0x77,0x3A,0xC8,0x1F,0x6D,0x80,0x4C, - 0x8B,0x68,0xA5,0xFA,0xAD,0x1F,0x5C,0x8C,0x50,0x27,0xED,0xF7,0x43,0x68,0xAD,0x34, - 0x5E,0xF6,0x74, -}; - -/* subject:/CN=ast2.test.domain.here/OU=IS&T/O=Apple Inc./C=US */ -/* issuer :/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ -unsigned char _ast2TestLeaf[1223]={ - 0x30,0x82,0x04,0xC3,0x30,0x82,0x03,0xAB,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x51, - 0x24,0x24,0xE7,0xA6,0xFC,0x66,0x24,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04, - 0x03,0x0C,0x23,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65, - 
0x72,0x76,0x65,0x72,0x20,0x41,0x75,0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74, - 0x69,0x6F,0x6E,0x20,0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C, - 0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, - 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, - 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, - 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x35, - 0x31,0x32,0x30,0x39,0x31,0x36,0x30,0x31,0x34,0x31,0x5A,0x17,0x0D,0x31,0x37,0x30, - 0x31,0x30,0x37,0x31,0x36,0x30,0x31,0x34,0x31,0x5A,0x30,0x51,0x31,0x1E,0x30,0x1C, - 0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x61,0x73,0x74,0x32,0x2E,0x74,0x65,0x73,0x74, - 0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x2E,0x68,0x65,0x72,0x65,0x31,0x0D,0x30,0x0B, - 0x06,0x03,0x55,0x04,0x0B,0x0C,0x04,0x49,0x53,0x26,0x54,0x31,0x13,0x30,0x11,0x06, - 0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01, - 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, - 0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB8,0x3F, - 0x03,0x68,0x0F,0xEB,0x75,0x69,0x6F,0xAB,0x1A,0x2A,0x5F,0x48,0x97,0x73,0x4A,0x90, - 0xD9,0xB2,0x60,0x88,0x3D,0xD6,0xA3,0x7B,0xFE,0x37,0xF1,0x2B,0x57,0xDB,0xE2,0xFE, - 0xDA,0xE9,0x35,0x90,0x4E,0xC1,0x9B,0xB7,0x07,0x7D,0x0C,0xB7,0xAE,0xAF,0x5C,0xD8, - 0xDC,0xD8,0x5A,0x65,0x4D,0x34,0x11,0xDF,0x75,0x27,0x4F,0xA0,0xC0,0x3B,0xF0,0x85, - 0x16,0xDD,0x25,0x6C,0x21,0x23,0xFA,0xD0,0xF7,0x3D,0x37,0x66,0xF2,0x32,0x10,0x95, - 0xA0,0x36,0xE0,0x33,0xB5,0x4D,0x5A,0x33,0xAC,0xB6,0x2E,0xBC,0x22,0xA5,0x20,0xA7, - 0xA9,0x16,0xE4,0xDB,0xE7,0x42,0xC9,0x6A,0xF7,0xDF,0x55,0xF4,0xC3,0x9C,0x1B,0xE9, - 0x56,0x7F,0xF3,0x1F,0xD7,0x94,0x19,0xB0,0x2B,0xBC,0x4B,0xF8,0xDF,0xB2,0x4A,0xDD, - 0xAA,0x1A,0x67,0xD8,0xEA,0xF7,0x30,0xF8,0xB1,0x6B,0x3C,0xC4,0xF7,0xA2,0x70,0xEF, - 
0xAA,0xDD,0x49,0x8A,0x27,0x8E,0x71,0xF7,0xC1,0xFE,0x7B,0xD5,0xF2,0x45,0xC8,0xE4, - 0xA9,0x73,0x53,0x90,0xB0,0xFA,0xA0,0xDE,0x71,0xFF,0x58,0x74,0x2C,0xC4,0xD1,0x54, - 0x14,0xCC,0x00,0xF4,0x95,0xEB,0x81,0x85,0xBB,0xCC,0x3D,0xCF,0x7D,0xF3,0xEE,0x75, - 0xE6,0x82,0xCB,0x93,0x79,0x8F,0xD9,0xED,0xE7,0x45,0x6F,0xA8,0xBE,0xA4,0xDE,0x45, - 0x46,0x38,0x14,0xDC,0x79,0xF6,0x1F,0x64,0xD3,0x05,0x45,0xBF,0x50,0x1B,0x81,0x7E, - 0x6C,0x77,0x1B,0xF2,0xBC,0x57,0xFD,0x25,0x94,0xB4,0x9A,0x0B,0x48,0x59,0x8F,0x8A, - 0x0C,0x8F,0xBD,0x4C,0xE2,0x53,0x49,0xBC,0xC6,0x16,0x99,0xF4,0xE6,0x6F,0x02,0x03, - 0x01,0x00,0x01,0xA3,0x82,0x01,0x7C,0x30,0x82,0x01,0x78,0x30,0x53,0x06,0x08,0x2B, - 0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x47,0x30,0x45,0x30,0x43,0x06,0x08,0x2B, - 0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x37,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, - 0x6F,0x63,0x73,0x70,0x2D,0x75,0x61,0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70, - 0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70,0x30,0x33,0x2D,0x61, - 0x70,0x70,0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x30,0x31, - 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xC2,0x1E,0xBD,0xED,0x39, - 0xF8,0x62,0x73,0x86,0x05,0xF3,0xBC,0x85,0x73,0xB3,0xA9,0x3C,0x12,0xBA,0xA8,0x30, - 0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06, - 0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xA8,0xCA,0x7A,0x9B,0xA8,0x37, - 0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2,0x30,0x49, - 0x06,0x03,0x55,0x1D,0x1F,0x04,0x42,0x30,0x40,0x30,0x3E,0xA0,0x3C,0xA0,0x3A,0x86, - 0x38,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61,0x74,0x2E, - 0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x74, - 0x65,0x73,0x74,0x61,0x70,0x70,0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75, - 0x74,0x68,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F, - 0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x13,0x06,0x03,0x55,0x1D,0x25, - 
0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x50, - 0x06,0x03,0x55,0x1D,0x11,0x04,0x49,0x30,0x47,0x82,0x15,0x61,0x73,0x74,0x32,0x2E, - 0x74,0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x2E,0x68,0x65,0x72,0x65, - 0x82,0x16,0x61,0x73,0x74,0x32,0x2E,0x74,0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61, - 0x69,0x6E,0x32,0x2E,0x68,0x65,0x72,0x65,0x82,0x16,0x61,0x73,0x74,0x32,0x2E,0x74, - 0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x33,0x2E,0x68,0x65,0x72,0x65, - 0x30,0x11,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x1B,0x08,0x02,0x04, - 0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, - 0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xA1,0xF3,0x96,0x32,0xD2,0x94,0x78,0x0F,0x03, - 0xF5,0xCF,0x96,0x8F,0xAC,0xDA,0xA9,0x1E,0x39,0xE5,0xCE,0x24,0xFD,0xA6,0x66,0x06, - 0x00,0xBC,0x66,0x69,0xC1,0xE1,0xF2,0x31,0xB6,0x70,0xBB,0xD6,0xCA,0x7A,0xCC,0xCF, - 0x01,0x1E,0x47,0x80,0x60,0x43,0x05,0x48,0x8E,0x33,0xF7,0xA9,0xFD,0xE8,0xB9,0x05, - 0x9F,0x7E,0xD1,0xF2,0xDA,0x13,0x45,0xD9,0x96,0x16,0x64,0xD5,0x74,0x0F,0xBD,0x1C, - 0x95,0x72,0xD6,0x31,0xBD,0xFB,0x66,0xC6,0xC0,0xD4,0x4C,0x52,0x1D,0xFB,0xB0,0x65, - 0x4F,0xF2,0x4C,0x4D,0xF5,0x68,0xD6,0xB5,0x4C,0x14,0xC1,0xFA,0xF1,0xDF,0x70,0x4E, - 0x14,0x07,0x8C,0xD6,0x55,0x66,0x91,0x97,0xE0,0x95,0x46,0x15,0x25,0x9B,0xCA,0xC4, - 0x64,0x10,0xFA,0xB4,0xDF,0xF3,0x2E,0x3A,0x26,0x74,0xFB,0x44,0x8E,0x8A,0xEA,0xC9, - 0x2E,0x31,0xD9,0xA2,0xB3,0xA0,0xAF,0x5E,0x48,0xE1,0x5A,0xEC,0xE0,0xA7,0x3B,0x35, - 0x1C,0x8F,0xFF,0xAA,0x02,0xBB,0x2F,0x95,0x11,0xA8,0x8B,0xE6,0x3D,0x65,0x1B,0xC0, - 0xBD,0x6C,0xCC,0x11,0x0C,0xFE,0xCD,0x0D,0x30,0xF1,0xE7,0x53,0xA4,0x7E,0xAC,0x50, - 0xC9,0x23,0x01,0xEE,0xD3,0xD5,0xE5,0xAC,0x0F,0x04,0x22,0xDA,0x30,0x14,0x25,0x6A, - 0x64,0x7B,0xA9,0x9E,0xB9,0x59,0x07,0x0B,0x0C,0x39,0x88,0x18,0x5B,0x35,0x61,0x31, - 0x3D,0x4E,0xCE,0xD5,0xB3,0x67,0x82,0x88,0x3C,0x10,0x12,0xA6,0xC0,0x08,0xC3,0xA5, - 0x41,0x39,0x69,0xAE,0x84,0x34,0x9C,0xED,0x4A,0xED,0x3A,0x85,0x9D,0x98,0xF7,0x12, - 
0xD1,0x1D,0xCD,0x9B,0xC8,0x60,0x57,
-};
-
-#endif /* si_91_sectrust_ast2_h */
diff --git a/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c b/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c
deleted file mode 100644
index e879e3f2..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- * Copyright (c) 2016 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecPolicyPriv.h>
-
-#include "utilities/SecCFRelease.h"
-#include "utilities/SecCFWrappers.h"
-
-#include "Security_regressions.h"
-
-#include "si-92-sectrust-homekit.h"
-
-static void tests(void)
-{
- SecTrustRef trust = NULL;
- SecPolicyRef policy = NULL;
- SecCertificateRef cert0 = NULL, cert1 = NULL, rootcert = NULL;
- SecTrustResultType trustResult;
- CFArrayRef certs = NULL, anchor_certs = NULL;
-
- isnt(cert0 = SecCertificateCreateWithBytes(NULL, _AppleHomeKitUATServer, sizeof(_AppleHomeKitUATServer)), NULL, "create cert0");
- isnt(cert1 = SecCertificateCreateWithBytes(NULL, _AppleHomeKitCA, sizeof(_AppleHomeKitCA)), NULL, "create cert1");
- isnt(rootcert = SecCertificateCreateWithBytes(NULL, _AppleG3Root, sizeof(_AppleG3Root)), NULL, "create root cert");
-
- const void *v_certs[] = { cert0, cert1 };
- certs = CFArrayCreate(NULL,
v_certs, sizeof(v_certs)/sizeof(*v_certs), &kCFTypeArrayCallBacks);
- anchor_certs = CFArrayCreate(NULL, (const void**)&rootcert, 1, &kCFTypeArrayCallBacks);
-
- /* Set explicit verify date: 12 February 2016 */
- CFDateRef date = NULL;
- isnt(date = CFDateCreate(NULL, 476992610.0), NULL, "Create verify date");
-
- /* Evaluate production certs with policy. Should succeed.*/
- isnt(policy = SecPolicyCreateAppleHomeKitServerAuth(CFSTR("homekit.accessories-qa.apple.com")), NULL, "create policy");
-
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
- ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified");
- is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
-
- CFReleaseSafe(trust);
- CFReleaseSafe(certs);
- CFReleaseSafe(cert0);
- CFReleaseSafe(cert1);
- CFReleaseSafe(anchor_certs);
- CFReleaseSafe(rootcert);
-
- /* Evaluate certs with a different profile against this test. Should fail.
*/
- isnt(cert0 = SecCertificateCreateWithBytes(NULL, _testLeaf, sizeof(_testLeaf)), NULL, "create cert0");
- isnt(cert1 = SecCertificateCreateWithBytes(NULL, _testServerAuthCA, sizeof(_testServerAuthCA)), NULL, "create cert1");
- isnt(rootcert = SecCertificateCreateWithBytes(NULL, _testRoot, sizeof(_testRoot)), NULL, "create root cert");
-
- const void *v_certs2[] = { cert0, cert1 };
- certs = CFArrayCreate(NULL, v_certs2, sizeof(v_certs2)/sizeof(*v_certs2), &kCFTypeArrayCallBacks);
- anchor_certs = CFArrayCreate(NULL, (const void**)&rootcert, 1, &kCFTypeArrayCallBacks);
-
- ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
- ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
- ok_status(SecTrustSetVerifyDate(trust, date), "set date");
-
- ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
- is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trustResult is kSecTrustResultRecoverableTrustFailure");
-
- CFReleaseSafe(date);
- CFReleaseSafe(trust);
- CFReleaseSafe(policy);
- CFReleaseSafe(certs);
- CFReleaseSafe(cert0);
- CFReleaseSafe(cert1);
- CFReleaseSafe(anchor_certs);
- CFReleaseSafe(rootcert);
-
-}
-
-
-int si_92_sectrust_homekit(int argc, char *const *argv)
-{
- plan_tests(19);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h b/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h
deleted file mode 100644
index 0f68a429..00000000
--- a/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h
+++ /dev/null
@@ -1,409 +0,0 @@
-/*
- * Copyright (c) 2016 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-#ifndef si_92_sectrust_homekit_h
-#define si_92_sectrust_homekit_h
-
-#include <stdio.h>
-
-/* subject:/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */
-/* issuer :/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */
-unsigned char _AppleG3Root[]={
- 0x30,0x82,0x02,0x43,0x30,0x82,0x01,0xC9,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x2D,
- 0xC5,0xFC,0x88,0xD2,0xC5,0x4B,0x95,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,
- 0x04,0x03,0x03,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,
- 0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,
- 0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,
- 0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,
- 0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,
- 0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31, - 
0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D, - 0x31,0x34,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x17,0x0D,0x33, - 0x39,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x30,0x67,0x31,0x1B, - 0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x41,0x70,0x70,0x6C,0x65,0x20,0x52, - 0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x31,0x26,0x30,0x24,0x06, - 0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74, - 0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72, - 0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, - 0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x30,0x76,0x30,0x10,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D, - 0x02,0x01,0x06,0x05,0x2B,0x81,0x04,0x00,0x22,0x03,0x62,0x00,0x04,0x98,0xE9,0x2F, - 0x3D,0x40,0x72,0xA4,0xED,0x93,0x22,0x72,0x81,0x13,0x1C,0xDD,0x10,0x95,0xF1,0xC5, - 0xA3,0x4E,0x71,0xDC,0x14,0x16,0xD9,0x0E,0xE5,0xA6,0x05,0x2A,0x77,0x64,0x7B,0x5F, - 0x4E,0x38,0xD3,0xBB,0x1C,0x44,0xB5,0x7F,0xF5,0x1F,0xB6,0x32,0x62,0x5D,0xC9,0xE9, - 0x84,0x5B,0x4F,0x30,0x4F,0x11,0x5A,0x00,0xFD,0x58,0x58,0x0C,0xA5,0xF5,0x0F,0x2C, - 0x4D,0x07,0x47,0x13,0x75,0xDA,0x97,0x97,0x97,0x6F,0x31,0x5C,0xED,0x2B,0x9D,0x7B, - 0x20,0x3B,0xD8,0xB9,0x54,0xD9,0x5E,0x99,0xA4,0x3A,0x51,0x0A,0x31,0xA3,0x42,0x30, - 0x40,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xBB,0xB0,0xDE,0xA1, - 0x58,0x33,0x88,0x9A,0xA4,0x8A,0x99,0xDE,0xBE,0xBD,0xEB,0xAF,0xDA,0xCB,0x24,0xAB, - 0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01, - 0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01, - 0x06,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,0x03,0x68,0x00, - 0x30,0x65,0x02,0x31,0x00,0x83,0xE9,0xC1,0xC4,0x16,0x5E,0x1A,0x5D,0x34,0x18,0xD9, - 0xED,0xEF,0xF4,0x6C,0x0E,0x00,0x46,0x4B,0xB8,0xDF,0xB2,0x46,0x11,0xC5,0x0F,0xFD, - 
0xE6,0x7A,0x8C,0xA1,0xA6,0x6B,0xCE,0xC2,0x03,0xD4,0x9C,0xF5,0x93,0xC6,0x74,0xB8, - 0x6A,0xDF,0xAA,0x23,0x15,0x02,0x30,0x6D,0x66,0x8A,0x10,0xCA,0xD4,0x0D,0xD4,0x4F, - 0xCD,0x8D,0x43,0x3E,0xB4,0x8A,0x63,0xA5,0x33,0x6E,0xE3,0x6D,0xDA,0x17,0xB7,0x64, - 0x1F,0xC8,0x53,0x26,0xF9,0x88,0x62,0x74,0x39,0x0B,0x17,0x5B,0xCB,0x51,0xA8,0x0C, - 0xE8,0x18,0x03,0xE7,0xA2,0xB2,0x28, -}; - -/* subject:/CN=Apple HomeKit Server CA/OU=Apple Certification Authority/O=Apple Inc./C=US */ -/* issuer :/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */ -unsigned char _AppleHomeKitCA[]={ - 0x30,0x82,0x02,0x98,0x30,0x82,0x02,0x1F,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x37, - 0xF6,0xF8,0x7D,0xFB,0xC3,0xD4,0x92,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 0x04,0x03,0x02,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20, - 0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70, - 0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, - 0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03, - 0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31, - 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D, - 0x31,0x36,0x30,0x32,0x30,0x39,0x32,0x30,0x30,0x36,0x33,0x30,0x5A,0x17,0x0D,0x33, - 0x31,0x30,0x32,0x30,0x39,0x32,0x30,0x30,0x36,0x33,0x30,0x5A,0x30,0x6C,0x31,0x20, - 0x30,0x1E,0x06,0x03,0x55,0x04,0x03,0x0C,0x17,0x41,0x70,0x70,0x6C,0x65,0x20,0x48, - 0x6F,0x6D,0x65,0x4B,0x69,0x74,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20,0x43,0x41, - 0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65, - 0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, - 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, - 
0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, - 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07, - 0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01, - 0x07,0x03,0x42,0x00,0x04,0xD5,0x1A,0xFF,0x7F,0xA9,0x84,0x21,0x33,0x22,0x0A,0xD0, - 0x05,0x76,0x70,0x09,0xCE,0x59,0x65,0xF6,0x4F,0x53,0xD6,0x0D,0x76,0x90,0xC1,0x6E, - 0xF7,0x8D,0x40,0x32,0xF1,0xB6,0x91,0x06,0xAF,0x51,0xE4,0xF0,0xA7,0x45,0x9C,0xD0, - 0xD8,0x6C,0x23,0x26,0x5A,0x05,0x6A,0x6C,0x07,0x4F,0x9C,0x81,0xEE,0x58,0xB0,0x18, - 0x41,0x58,0x9C,0x85,0xFC,0xA3,0x81,0xAF,0x30,0x81,0xAC,0x30,0x1D,0x06,0x03,0x55, - 0x1D,0x0E,0x04,0x16,0x04,0x14,0x9C,0x6A,0xFA,0xC5,0x96,0x06,0x60,0xAC,0x69,0x67, - 0xDD,0x5E,0x81,0xF9,0xDD,0xCA,0x9B,0x2E,0x3A,0x1E,0x30,0x0F,0x06,0x03,0x55,0x1D, - 0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55, - 0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xBB,0xB0,0xDE,0xA1,0x58,0x33,0x88,0x9A, - 0xA4,0x8A,0x99,0xDE,0xBE,0xBD,0xEB,0xAF,0xDA,0xCB,0x24,0xAB,0x30,0x37,0x06,0x03, - 0x55,0x1D,0x1F,0x04,0x30,0x30,0x2E,0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68, - 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E, - 0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x72,0x6F,0x6F,0x74,0x63,0x61,0x67, - 0x33,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04, - 0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64, - 0x06,0x02,0x10,0x04,0x02,0x05,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 0x04,0x03,0x02,0x03,0x67,0x00,0x30,0x64,0x02,0x30,0x35,0x1E,0xFD,0xB4,0xE4,0x6A, - 0xFD,0x0C,0xA7,0xED,0x5E,0xA9,0x17,0x9E,0x6D,0x81,0x2F,0x35,0x0F,0x09,0x9F,0x7C, - 0x4A,0x02,0xE1,0x25,0x47,0x9D,0xAF,0x7B,0xD3,0x59,0x4F,0x43,0x5A,0xDC,0xFA,0x79, - 0xC2,0x26,0xFC,0x57,0x21,0xEF,0x3B,0x90,0x60,0xB5,0x02,0x30,0x4E,0x6B,0x0E,0xF2, - 0xCF,0xCF,0x68,0x0E,0x9C,0x0D,0x58,0xB4,0x98,0x3D,0x89,0xAD,0xD1,0x71,0x76,0x1C, - 
0xCA,0x7A,0x12,0x2F,0xC2,0xCF,0xF0,0x7D,0x1B,0xDB,0x94,0xFD,0xBD,0x3D,0x6D,0x63, - 0x21,0x8D,0xC2,0x8A,0x38,0x6B,0x7E,0xB4,0x0D,0xC7,0x72,0xC1, -}; - -/* subject:/CN=homekit.accessories-qa.apple.com/OU=Embedded Core Technology QA/O=Apple Inc./C=US */ -/* issuer :/CN=Apple HomeKit Server CA/OU=Apple Certification Authority/O=Apple Inc./C=US */ -unsigned char _AppleHomeKitUATServer[792]={ - 0x30,0x82,0x03,0x14,0x30,0x82,0x02,0xBB,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x61, - 0xE7,0xC3,0x29,0xAE,0x15,0xAB,0xC8,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, - 0x04,0x03,0x02,0x30,0x6C,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x03,0x0C,0x17, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x48,0x6F,0x6D,0x65,0x4B,0x69,0x74,0x20,0x53,0x65, - 0x72,0x76,0x65,0x72,0x20,0x43,0x41,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B, - 0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63, - 0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31, - 0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20, - 0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55, - 0x53,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x32,0x31,0x31,0x30,0x30,0x34,0x32,0x30, - 0x32,0x5A,0x17,0x0D,0x31,0x37,0x30,0x33,0x31,0x32,0x30,0x30,0x34,0x32,0x30,0x32, - 0x5A,0x30,0x73,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x0C,0x20,0x68,0x6F, - 0x6D,0x65,0x6B,0x69,0x74,0x2E,0x61,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65, - 0x73,0x2D,0x71,0x61,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x31,0x24, - 0x30,0x22,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1B,0x45,0x6D,0x62,0x65,0x64,0x64,0x65, - 0x64,0x20,0x43,0x6F,0x72,0x65,0x20,0x54,0x65,0x63,0x68,0x6E,0x6F,0x6C,0x6F,0x67, - 0x79,0x20,0x51,0x41,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41, - 0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, - 0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE, - 
0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00, - 0x04,0xC4,0xFE,0x35,0x16,0x5B,0x50,0x66,0x3B,0x28,0xFA,0x77,0x2B,0x59,0x67,0x7F, - 0xDD,0x83,0x1C,0xC7,0x10,0x71,0x6D,0xA8,0x82,0x08,0xE0,0x81,0x21,0x86,0x6B,0x18, - 0x17,0xE9,0x38,0xB6,0x42,0xC0,0xDE,0x6C,0x81,0x23,0x16,0x2C,0xE3,0x3C,0x6C,0x71, - 0x63,0x45,0xBF,0x14,0x82,0xB5,0xBC,0x59,0x34,0x47,0x86,0x83,0xC0,0xC4,0x4D,0x48, - 0x11,0xA3,0x82,0x01,0x3E,0x30,0x82,0x01,0x3A,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, - 0x04,0x16,0x04,0x14,0x24,0xCD,0x2A,0x09,0xD1,0xAD,0x73,0x19,0x8C,0x0C,0x2A,0xA0, - 0x7B,0xEE,0x21,0x36,0x96,0x82,0x48,0x8E,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01, - 0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30, - 0x16,0x80,0x14,0x9C,0x6A,0xFA,0xC5,0x96,0x06,0x60,0xAC,0x69,0x67,0xDD,0x5E,0x81, - 0xF9,0xDD,0xCA,0x9B,0x2E,0x3A,0x1E,0x30,0x36,0x06,0x03,0x55,0x1D,0x1F,0x04,0x2F, - 0x30,0x2D,0x30,0x2B,0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F, - 0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x68, - 0x6B,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x2E,0x63,0x72,0x6C,0x30, - 0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x03,0x88,0x30, - 0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05, - 0x05,0x07,0x03,0x01,0x30,0x7B,0x06,0x03,0x55,0x1D,0x11,0x04,0x74,0x30,0x72,0x82, - 0x20,0x68,0x6F,0x6D,0x65,0x6B,0x69,0x74,0x2E,0x61,0x63,0x63,0x65,0x73,0x73,0x6F, - 0x72,0x69,0x65,0x73,0x2D,0x71,0x61,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F, - 0x6D,0x82,0x25,0x70,0x61,0x73,0x73,0x2E,0x68,0x6F,0x6D,0x65,0x6B,0x69,0x74,0x2E, - 0x61,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x2D,0x71,0x61,0x2E,0x61, - 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x27,0x72,0x65,0x70,0x6F,0x72,0x74, - 0x2E,0x68,0x6F,0x6D,0x65,0x6B,0x69,0x74,0x2E,0x61,0x63,0x63,0x65,0x73,0x73,0x6F, - 0x72,0x69,0x65,0x73,0x2D,0x71,0x61,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F, - 
0x6D,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x1B,0x09,0x04, - 0x02,0x05,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,0x03, - 0x47,0x00,0x30,0x44,0x02,0x20,0x71,0x18,0xBA,0xDB,0x3D,0x3F,0x0C,0x54,0xA7,0xC4, - 0x79,0x6A,0x95,0x7D,0x0F,0xBC,0xFC,0x58,0x19,0xC4,0x2A,0xCC,0x17,0xA3,0xE3,0x18, - 0xA8,0xD2,0x9C,0xE0,0xCE,0x50,0x02,0x20,0x39,0x02,0x7B,0x84,0x19,0xE4,0x6B,0x58, - 0xFC,0xB8,0xB1,0x48,0xB1,0x5B,0x26,0xD9,0x70,0x10,0xCC,0x9C,0x4C,0x06,0x8C,0x73, - 0xCB,0xC7,0xAA,0x28,0xA7,0x25,0x2A,0x6F, -}; - -/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ -unsigned char _testRoot[1232]={ - 0x30,0x82,0x04,0xCC,0x30,0x82,0x03,0xB4,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x3D, - 0x00,0x4B,0x90,0x3E,0xDE,0xE0,0xD0,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, - 0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, - 0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, - 0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73, - 0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30, - 0x1E,0x17,0x0D,0x31,0x35,0x30,0x34,0x32,0x32,0x30,0x32,0x31,0x35,0x34,0x38,0x5A, - 0x17,0x0D,0x33,0x35,0x30,0x32,0x30,0x39,0x32,0x31,0x34,0x30,0x33,0x36,0x5A,0x30, - 0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, - 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, - 0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70, - 
0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, - 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x1B,0x30,0x19,0x06, - 0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65, - 0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09, - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00, - 0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC7,0xD1,0x43,0x53,0x7F,0x0D,0x88, - 0x6B,0xE6,0xB1,0x67,0x9D,0xEE,0x67,0xB6,0xE7,0x77,0x12,0x81,0xC4,0xDF,0x24,0x6B, - 0x7A,0x75,0x24,0xF7,0x01,0x09,0xCE,0x34,0x92,0xF5,0x38,0x08,0x42,0x7E,0xEC,0x9D, - 0xF2,0x5D,0x38,0x91,0xB4,0x93,0x98,0x35,0x11,0x3C,0x98,0x00,0x77,0xD9,0xD7,0xF3, - 0x4A,0xF8,0xF0,0xBC,0xEB,0x97,0x5D,0x4B,0x61,0x2E,0xFB,0xC5,0xCC,0x68,0xB7,0x6D, - 0x69,0x10,0xCC,0xA5,0x61,0x78,0xA8,0x81,0x02,0x9E,0xE7,0x63,0xC5,0xFF,0x29,0x22, - 0x82,0x68,0xAA,0xAA,0x0E,0xFB,0xA9,0xD8,0x16,0x73,0x25,0xBF,0x9D,0x08,0x62,0x2F, - 0x78,0x04,0xF6,0xF6,0x44,0x07,0x37,0x6E,0x99,0x1B,0x93,0xD8,0x7F,0xEE,0x72,0xDE, - 0xE8,0x32,0xF6,0x6D,0x78,0x04,0xA0,0xA8,0x21,0x26,0x8A,0x32,0xE3,0xB1,0x65,0x85, - 0xA1,0x7B,0x1A,0xA9,0x02,0xB2,0xBB,0xEE,0xDD,0xDD,0x8F,0x41,0x49,0xC8,0x3F,0xDC, - 0x1E,0xDF,0x21,0xA3,0x95,0x99,0xBB,0xFC,0x29,0xBA,0x40,0x43,0xB9,0x1C,0xCD,0xC9, - 0x21,0x45,0x73,0xAD,0xFF,0xFD,0xA2,0x6C,0x5C,0x3B,0x1C,0x37,0x91,0x34,0x8E,0x5C, - 0xD3,0xD5,0x03,0x58,0x28,0xC7,0xF2,0x76,0x6F,0x11,0xC0,0xB5,0xBD,0x7E,0xEF,0x23, - 0xB3,0x3D,0xB8,0xBD,0x38,0x66,0x8C,0xF2,0x78,0x95,0xC1,0x8B,0x32,0x65,0x3A,0x9B, - 0x49,0x1A,0x5C,0x41,0x3C,0xC6,0x85,0x50,0xEC,0x85,0xF0,0x59,0x17,0x81,0xE8,0x96, - 0xE8,0x6A,0xCC,0xB3,0xC7,0x46,0xBF,0x81,0x48,0xD1,0x09,0x1B,0xBC,0x73,0x1E,0xD7, - 0xE8,0x27,0xA8,0x49,0x48,0xA2,0x1C,0x41,0x1D,0x02,0x03,0x01,0x00,0x01,0xA3,0x82, - 0x01,0x7A,0x30,0x82,0x01,0x76,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, - 0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33, - 
0xC9,0x59,0xC3,0x54,0x98,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, - 0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30, - 0x16,0x80,0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52, - 0x23,0x33,0xC9,0x59,0xC3,0x54,0x98,0x30,0x82,0x01,0x11,0x06,0x03,0x55,0x1D,0x20, - 0x04,0x82,0x01,0x08,0x30,0x82,0x01,0x04,0x30,0x82,0x01,0x00,0x06,0x09,0x2A,0x86, - 0x48,0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF2,0x30,0x2A,0x06,0x08,0x2B,0x06, - 0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1E,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F, - 0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70, - 0x70,0x6C,0x65,0x63,0x61,0x2F,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, - 0x07,0x02,0x02,0x30,0x81,0xB6,0x0C,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63, - 0x65,0x20,0x6F,0x6E,0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72, - 0x74,0x79,0x20,0x61,0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70, - 0x74,0x61,0x6E,0x63,0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65, - 0x6E,0x20,0x61,0x70,0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61, - 0x6E,0x64,0x61,0x72,0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20, - 0x63,0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73, - 0x65,0x2C,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70, - 0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65, - 0x20,0x73,0x74,0x61,0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x0E,0x06,0x03, - 0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x0D,0x06,0x09, - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00, - 0x10,0x5E,0x6C,0x69,0xFC,0xA6,0x0F,0xE2,0x09,0xD5,0x94,0x90,0xA6,0x7C,0x22,0xDC, - 
0xEE,0xB0,0x8F,0x24,0x22,0x4F,0xB3,0x67,0xDB,0x32,0xB0,0xD6,0x24,0x87,0xE6,0xF3, - 0xEA,0x9E,0xD0,0x95,0x75,0xAA,0xA7,0x08,0xFF,0xB0,0x35,0xD7,0x1F,0xA3,0xBF,0x89, - 0x55,0x0C,0x1C,0xA4,0xD0,0xF8,0x00,0x17,0x44,0x94,0x36,0x63,0x3B,0x83,0xFE,0x4E, - 0xE5,0xB3,0xEC,0x7B,0x7D,0xCE,0xFE,0xA9,0x54,0xED,0xBB,0x12,0xA6,0x72,0x2B,0xB3, - 0x48,0x00,0xC7,0x8E,0xF5,0x5B,0x68,0xC9,0x24,0x22,0x7F,0xA1,0x4D,0xFC,0x54,0xD9, - 0xD0,0x5D,0x82,0x53,0x71,0x29,0x66,0xCF,0x0F,0x6D,0x32,0xA6,0x3F,0xAE,0x54,0x27, - 0xC2,0x8C,0x12,0x4C,0xF0,0xD6,0xC1,0x80,0x75,0xC3,0x33,0x19,0xD1,0x8B,0x58,0xE6, - 0x00,0x69,0x76,0xE7,0xE5,0x3D,0x47,0xF9,0xC0,0x9C,0xE7,0x19,0x1E,0x95,0xBC,0x52, - 0x15,0xCE,0x94,0xF8,0x30,0x14,0x0B,0x39,0x0E,0x8B,0xAF,0x29,0x30,0x56,0xAF,0x5A, - 0x28,0xAC,0xE1,0x0F,0x51,0x76,0x76,0x9A,0xE7,0xB9,0x7D,0xA3,0x30,0xE8,0xE3,0x71, - 0x15,0xE8,0xBF,0x0D,0x4F,0x12,0x9B,0x65,0xAB,0xEF,0xA4,0xE9,0x42,0xF0,0xD2,0x4D, - 0x20,0x55,0x29,0x88,0x58,0x5C,0x82,0x67,0x63,0x20,0x50,0xC6,0xCA,0x04,0xE8,0xBC, - 0x3D,0x93,0x06,0x21,0xB2,0xC0,0xBF,0x53,0x1E,0xE1,0x8B,0x48,0xA9,0xB9,0xD7,0xE6, - 0x5F,0x4E,0x5A,0x2F,0x43,0xAC,0x35,0xBD,0x26,0x60,0x2F,0x01,0xD5,0x86,0x6B,0x64, - 0xFA,0x67,0x05,0x44,0x55,0x83,0x5B,0x93,0x9C,0x7C,0xA7,0x26,0x4E,0x02,0x2B,0x48, -}; - -/* subject:/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ -/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ -unsigned char _testServerAuthCA[1043]={ - 0x30,0x82,0x04,0x0F,0x30,0x82,0x02,0xF7,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x4B, - 0x28,0xA9,0x3B,0x57,0x8B,0xF6,0x26,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, - 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, - 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, - 0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, - 
0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, - 0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73, - 0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30, - 0x1E,0x17,0x0D,0x31,0x35,0x30,0x36,0x30,0x38,0x30,0x37,0x35,0x38,0x34,0x35,0x5A, - 0x17,0x0D,0x32,0x39,0x30,0x33,0x30,0x38,0x30,0x31,0x35,0x33,0x30,0x34,0x5A,0x30, - 0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04,0x03,0x0C,0x23,0x54,0x65,0x73,0x74, - 0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20,0x41,0x75, - 0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x41,0x31, - 0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66, - 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74, - 0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C, - 0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, - 0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, - 0x82,0x01,0x01,0x00,0xC5,0x7B,0x3F,0x48,0xD3,0x62,0x93,0x93,0x7C,0x0C,0x37,0x69, - 0xDB,0x28,0x05,0x40,0x12,0xD7,0x1F,0x0A,0xB8,0xC3,0xBA,0x24,0x39,0x22,0xDC,0x39, - 0x42,0x1F,0xFD,0x93,0x45,0x3C,0x23,0x0B,0x3E,0xB4,0x96,0xA6,0x55,0x59,0xBA,0xC4, - 0x99,0xE7,0x8A,0x5F,0x8F,0xAE,0x66,0xA7,0x28,0xE2,0x9E,0x68,0xD9,0xEC,0x52,0x67, - 0xFE,0xDD,0xBE,0x59,0xB4,0xAD,0x97,0x63,0x64,0xB0,0x08,0x3C,0xBB,0x6E,0xD1,0x29, - 0xD8,0x58,0xA1,0x99,0x6C,0x2F,0x2F,0xB3,0xF5,0x5C,0x59,0xCA,0xA1,0xE6,0x67,0x44, - 0x3C,0x13,0xB4,0xAE,0x0D,0x00,0xC7,0x53,0xB7,0xF5,0x61,0x58,0xD5,0xC8,0x42,0xFC, - 0xE2,0xFD,0xD5,0x39,0x18,0x80,0xE2,0x72,0xBC,0xF8,0xC3,0x9F,0xCB,0xD8,0x2F,0x83, - 0x40,0x9A,0x3E,0x55,0x5E,0x61,0xA9,0xC4,0x81,0x14,0x2B,0x7B,0x19,0x15,0xAD,0x84, - 0x5E,0x80,0xA8,0x67,0x79,0x05,0x16,0x48,0x5C,0xAE,0x1A,0x2B,0x59,0x9F,0xAA,0x62, - 
0x0B,0x2F,0x57,0xCD,0xE8,0xA8,0x5D,0x38,0xAD,0x7C,0x90,0x79,0x50,0xAC,0x4D,0x13, - 0xA4,0xA7,0xF3,0x73,0xED,0xD6,0x93,0x45,0xDD,0xA8,0xC6,0xFE,0x03,0x28,0x4D,0x58, - 0xC1,0x8B,0xC1,0x03,0x0E,0xE7,0xDF,0x78,0xDD,0x21,0xC6,0x6D,0x1E,0xA0,0x38,0xD7, - 0xA7,0xD7,0x04,0x8C,0x7F,0xCA,0x15,0xEA,0x88,0xE9,0xAE,0x8D,0x46,0xE0,0x87,0x94, - 0x3E,0x8F,0x53,0x11,0x88,0x23,0x99,0x7B,0x9D,0xD8,0x69,0x1A,0x22,0xAE,0xB5,0x18, - 0xA5,0x9F,0xEA,0x71,0x31,0x0B,0x27,0x93,0x85,0x1D,0xF7,0xA0,0xC3,0x82,0x0A,0x3F, - 0xEE,0xD2,0xD4,0xEF,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xB3,0x30,0x81,0xB0,0x30, - 0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xA8,0xCA,0x7A,0x9B,0xA8,0x37, - 0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2,0x30,0x0F, - 0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30, - 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x59,0xB8,0x2B,0x94, - 0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33,0xC9,0x59,0xC3,0x54,0x98, - 0x30,0x3B,0x06,0x03,0x55,0x1D,0x1F,0x04,0x34,0x30,0x32,0x30,0x30,0xA0,0x2E,0xA0, - 0x2C,0x86,0x2A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61, - 0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, - 0x2F,0x74,0x65,0x73,0x74,0x72,0x6F,0x6F,0x74,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06, - 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06, - 0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x0C,0x04,0x02,0x05,0x00,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82, - 0x01,0x01,0x00,0x11,0x24,0x61,0x2B,0x7C,0x5E,0x67,0x29,0x94,0x14,0x19,0x16,0xD5, - 0xD4,0x7A,0xEE,0x53,0x1A,0x64,0xA2,0x6A,0x2B,0x04,0xE6,0x2C,0xA1,0x08,0xBA,0xCA, - 0x81,0xF5,0x28,0x2A,0xCE,0xD5,0x6B,0x52,0xAC,0xE7,0xBD,0xB3,0x23,0xB9,0x67,0x2C, - 0xC7,0x9E,0x61,0xA1,0xD9,0x6C,0x3F,0x4F,0x55,0xD4,0x75,0xAF,0x44,0xAD,0xF8,0xCE, - 0x58,0xA7,0x2E,0xF8,0x6A,0xF0,0x76,0x51,0x31,0x75,0x4C,0xCA,0xF6,0xC3,0x59,0xC7, - 
0xE6,0xAE,0x4A,0x20,0x4E,0x5F,0xB9,0xAB,0x1C,0xB6,0x36,0x25,0x60,0x02,0x32,0x47, - 0x7D,0xA0,0xE2,0x36,0xB3,0x3B,0x40,0x20,0x9E,0x38,0x40,0x1C,0x7E,0x83,0x35,0x9C, - 0x9D,0x8B,0xD1,0xF9,0xEA,0xD4,0xF2,0x83,0xE0,0x30,0xEA,0xC3,0xEE,0x3D,0x76,0x98, - 0x9E,0x0A,0x07,0xB5,0xB6,0xFC,0x38,0x32,0xF6,0x41,0xEF,0x8E,0x25,0x2C,0xE3,0xC7, - 0xA7,0xAD,0x88,0x77,0x4D,0x10,0x1D,0x67,0x50,0x64,0xB0,0x02,0x04,0x2C,0xEA,0x4C, - 0x81,0x33,0xBE,0xF3,0xCD,0x43,0x63,0x97,0x44,0xDF,0xBB,0xC6,0xE2,0x37,0x32,0xF1, - 0xE4,0x19,0x1F,0xF5,0xAE,0xDA,0x05,0xC4,0x0B,0xFA,0x30,0xCA,0x77,0x78,0x65,0xD6, - 0x4F,0x2D,0xFE,0x63,0xD3,0x4C,0x3D,0xA9,0x0E,0xC4,0x0F,0xD6,0xCC,0x2A,0x2D,0x06, - 0x9B,0xDE,0x94,0xF6,0x22,0x2E,0x89,0xCB,0x68,0x4E,0xDE,0x79,0xE5,0x83,0xDE,0x64, - 0x63,0xE9,0x77,0x88,0xF1,0x57,0xF2,0x5C,0xB4,0x77,0x3A,0xC8,0x1F,0x6D,0x80,0x4C, - 0x8B,0x68,0xA5,0xFA,0xAD,0x1F,0x5C,0x8C,0x50,0x27,0xED,0xF7,0x43,0x68,0xAD,0x34, - 0x5E,0xF6,0x74, -}; - -/* subject:/CN=ast2.test.domain.here/OU=IS&T/O=Apple Inc./C=US */ -/* issuer :/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ -unsigned char _testLeaf[1223]={ - 0x30,0x82,0x04,0xC3,0x30,0x82,0x03,0xAB,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x51, - 0x24,0x24,0xE7,0xA6,0xFC,0x66,0x24,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, - 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04, - 0x03,0x0C,0x23,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65, - 0x72,0x76,0x65,0x72,0x20,0x41,0x75,0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74, - 0x69,0x6F,0x6E,0x20,0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C, - 0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, - 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, - 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, - 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x35, - 
0x31,0x32,0x30,0x39,0x31,0x36,0x30,0x31,0x34,0x31,0x5A,0x17,0x0D,0x31,0x37,0x30, - 0x31,0x30,0x37,0x31,0x36,0x30,0x31,0x34,0x31,0x5A,0x30,0x51,0x31,0x1E,0x30,0x1C, - 0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x61,0x73,0x74,0x32,0x2E,0x74,0x65,0x73,0x74, - 0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x2E,0x68,0x65,0x72,0x65,0x31,0x0D,0x30,0x0B, - 0x06,0x03,0x55,0x04,0x0B,0x0C,0x04,0x49,0x53,0x26,0x54,0x31,0x13,0x30,0x11,0x06, - 0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01, - 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, - 0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB8,0x3F, - 0x03,0x68,0x0F,0xEB,0x75,0x69,0x6F,0xAB,0x1A,0x2A,0x5F,0x48,0x97,0x73,0x4A,0x90, - 0xD9,0xB2,0x60,0x88,0x3D,0xD6,0xA3,0x7B,0xFE,0x37,0xF1,0x2B,0x57,0xDB,0xE2,0xFE, - 0xDA,0xE9,0x35,0x90,0x4E,0xC1,0x9B,0xB7,0x07,0x7D,0x0C,0xB7,0xAE,0xAF,0x5C,0xD8, - 0xDC,0xD8,0x5A,0x65,0x4D,0x34,0x11,0xDF,0x75,0x27,0x4F,0xA0,0xC0,0x3B,0xF0,0x85, - 0x16,0xDD,0x25,0x6C,0x21,0x23,0xFA,0xD0,0xF7,0x3D,0x37,0x66,0xF2,0x32,0x10,0x95, - 0xA0,0x36,0xE0,0x33,0xB5,0x4D,0x5A,0x33,0xAC,0xB6,0x2E,0xBC,0x22,0xA5,0x20,0xA7, - 0xA9,0x16,0xE4,0xDB,0xE7,0x42,0xC9,0x6A,0xF7,0xDF,0x55,0xF4,0xC3,0x9C,0x1B,0xE9, - 0x56,0x7F,0xF3,0x1F,0xD7,0x94,0x19,0xB0,0x2B,0xBC,0x4B,0xF8,0xDF,0xB2,0x4A,0xDD, - 0xAA,0x1A,0x67,0xD8,0xEA,0xF7,0x30,0xF8,0xB1,0x6B,0x3C,0xC4,0xF7,0xA2,0x70,0xEF, - 0xAA,0xDD,0x49,0x8A,0x27,0x8E,0x71,0xF7,0xC1,0xFE,0x7B,0xD5,0xF2,0x45,0xC8,0xE4, - 0xA9,0x73,0x53,0x90,0xB0,0xFA,0xA0,0xDE,0x71,0xFF,0x58,0x74,0x2C,0xC4,0xD1,0x54, - 0x14,0xCC,0x00,0xF4,0x95,0xEB,0x81,0x85,0xBB,0xCC,0x3D,0xCF,0x7D,0xF3,0xEE,0x75, - 0xE6,0x82,0xCB,0x93,0x79,0x8F,0xD9,0xED,0xE7,0x45,0x6F,0xA8,0xBE,0xA4,0xDE,0x45, - 0x46,0x38,0x14,0xDC,0x79,0xF6,0x1F,0x64,0xD3,0x05,0x45,0xBF,0x50,0x1B,0x81,0x7E, - 0x6C,0x77,0x1B,0xF2,0xBC,0x57,0xFD,0x25,0x94,0xB4,0x9A,0x0B,0x48,0x59,0x8F,0x8A, - 
0x0C,0x8F,0xBD,0x4C,0xE2,0x53,0x49,0xBC,0xC6,0x16,0x99,0xF4,0xE6,0x6F,0x02,0x03, - 0x01,0x00,0x01,0xA3,0x82,0x01,0x7C,0x30,0x82,0x01,0x78,0x30,0x53,0x06,0x08,0x2B, - 0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x47,0x30,0x45,0x30,0x43,0x06,0x08,0x2B, - 0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x37,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, - 0x6F,0x63,0x73,0x70,0x2D,0x75,0x61,0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70, - 0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70,0x30,0x33,0x2D,0x61, - 0x70,0x70,0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x30,0x31, - 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xC2,0x1E,0xBD,0xED,0x39, - 0xF8,0x62,0x73,0x86,0x05,0xF3,0xBC,0x85,0x73,0xB3,0xA9,0x3C,0x12,0xBA,0xA8,0x30, - 0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06, - 0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xA8,0xCA,0x7A,0x9B,0xA8,0x37, - 0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2,0x30,0x49, - 0x06,0x03,0x55,0x1D,0x1F,0x04,0x42,0x30,0x40,0x30,0x3E,0xA0,0x3C,0xA0,0x3A,0x86, - 0x38,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61,0x74,0x2E, - 0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x74, - 0x65,0x73,0x74,0x61,0x70,0x70,0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75, - 0x74,0x68,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F, - 0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x13,0x06,0x03,0x55,0x1D,0x25, - 0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x50, - 0x06,0x03,0x55,0x1D,0x11,0x04,0x49,0x30,0x47,0x82,0x15,0x61,0x73,0x74,0x32,0x2E, - 0x74,0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x2E,0x68,0x65,0x72,0x65, - 0x82,0x16,0x61,0x73,0x74,0x32,0x2E,0x74,0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61, - 0x69,0x6E,0x32,0x2E,0x68,0x65,0x72,0x65,0x82,0x16,0x61,0x73,0x74,0x32,0x2E,0x74, - 0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x33,0x2E,0x68,0x65,0x72,0x65, - 
0x30,0x11,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x1B,0x08,0x02,0x04,
- 0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,
- 0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xA1,0xF3,0x96,0x32,0xD2,0x94,0x78,0x0F,0x03,
- 0xF5,0xCF,0x96,0x8F,0xAC,0xDA,0xA9,0x1E,0x39,0xE5,0xCE,0x24,0xFD,0xA6,0x66,0x06,
- 0x00,0xBC,0x66,0x69,0xC1,0xE1,0xF2,0x31,0xB6,0x70,0xBB,0xD6,0xCA,0x7A,0xCC,0xCF,
- 0x01,0x1E,0x47,0x80,0x60,0x43,0x05,0x48,0x8E,0x33,0xF7,0xA9,0xFD,0xE8,0xB9,0x05,
- 0x9F,0x7E,0xD1,0xF2,0xDA,0x13,0x45,0xD9,0x96,0x16,0x64,0xD5,0x74,0x0F,0xBD,0x1C,
- 0x95,0x72,0xD6,0x31,0xBD,0xFB,0x66,0xC6,0xC0,0xD4,0x4C,0x52,0x1D,0xFB,0xB0,0x65,
- 0x4F,0xF2,0x4C,0x4D,0xF5,0x68,0xD6,0xB5,0x4C,0x14,0xC1,0xFA,0xF1,0xDF,0x70,0x4E,
- 0x14,0x07,0x8C,0xD6,0x55,0x66,0x91,0x97,0xE0,0x95,0x46,0x15,0x25,0x9B,0xCA,0xC4,
- 0x64,0x10,0xFA,0xB4,0xDF,0xF3,0x2E,0x3A,0x26,0x74,0xFB,0x44,0x8E,0x8A,0xEA,0xC9,
- 0x2E,0x31,0xD9,0xA2,0xB3,0xA0,0xAF,0x5E,0x48,0xE1,0x5A,0xEC,0xE0,0xA7,0x3B,0x35,
- 0x1C,0x8F,0xFF,0xAA,0x02,0xBB,0x2F,0x95,0x11,0xA8,0x8B,0xE6,0x3D,0x65,0x1B,0xC0,
- 0xBD,0x6C,0xCC,0x11,0x0C,0xFE,0xCD,0x0D,0x30,0xF1,0xE7,0x53,0xA4,0x7E,0xAC,0x50,
- 0xC9,0x23,0x01,0xEE,0xD3,0xD5,0xE5,0xAC,0x0F,0x04,0x22,0xDA,0x30,0x14,0x25,0x6A,
- 0x64,0x7B,0xA9,0x9E,0xB9,0x59,0x07,0x0B,0x0C,0x39,0x88,0x18,0x5B,0x35,0x61,0x31,
- 0x3D,0x4E,0xCE,0xD5,0xB3,0x67,0x82,0x88,0x3C,0x10,0x12,0xA6,0xC0,0x08,0xC3,0xA5,
- 0x41,0x39,0x69,0xAE,0x84,0x34,0x9C,0xED,0x4A,0xED,0x3A,0x85,0x9D,0x98,0xF7,0x12,
- 0xD1,0x1D,0xCD,0x9B,0xC8,0x60,0x57,
-};
-
-#endif /* si_92_sectrust_homekit_h */
diff --git a/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.c b/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.c
new file mode 100644
index 00000000..cc305319
--- /dev/null
+++ b/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.c
@@ -0,0 +1,508 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include "si-95-cms-basic.h" +#include "Security_regressions.h" + +#include <AssertMacros.h> + +#include <utilities/SecCFRelease.h> + +#include <Security/SecBase.h> +#include <Security/SecImportExport.h> + +#include <Security/SecIdentity.h> +#include <Security/SecPolicy.h> +#include <Security/SecItem.h> + +#include <Security/SecCmsMessage.h> +#include <Security/SecCmsSignedData.h> +#include <Security/SecCmsContentInfo.h> +#include <Security/SecCmsSignerInfo.h> +#include <Security/SecCmsEncoder.h> +#include <Security/SecCmsDecoder.h> +#include <Security/SecCmsEnvelopedData.h> +#include <Security/SecCmsRecipientInfo.h> +#include <Security/SecAsn1Types.h> + +#include <security_asn1/secerr.h> +#include <security_asn1/seccomon.h> + +/* These tests are essentially the same as cms_01_basic in the OS X + * libsecurity_smime_regressions. 
They are not unified into a single + * test because libsecurity_smime diverges so much between the platforms + * that unifying the tests makes every third line a TARGET macro. + */ + +#define kNumberSetupTests 8 +static CFDataRef setup_keychain(const uint8_t *p12, size_t p12_len, SecIdentityRef *identity, SecCertificateRef *cert) { + CFDictionaryRef p12Options = NULL, item_dict = NULL, query_dict = NULL; + CFArrayRef p12Items = NULL; + CFStringRef p12Password = NULL; + CFDataRef p12Data = NULL, identityPersistentRef = NULL; + CFTypeRef keychainItems = NULL; + + /* load identity */ + ok(p12Password = CFStringCreateWithCString(NULL, "password", kCFStringEncodingASCII), + "Create p12 password"); + require_action(p12Options = CFDictionaryCreate(NULL, (const void **)&kSecImportExportPassphrase, + (const void **)&p12Password, 1, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), + errOut, fail("Create p12 options dictionary")); + require_action(p12Data = CFDataCreate(NULL, p12, p12_len), errOut, + fail("Create p12 data")); + ok_status(SecPKCS12Import(p12Data, p12Options, &p12Items), + "import test identity"); + ok(item_dict = CFArrayGetValueAtIndex(p12Items, 0), + "Get pkcs12 output"); + ok(*identity = (SecIdentityRef)CFRetainSafe(CFDictionaryGetValue(item_dict, kSecImportItemIdentity)), + "Get identity from results"); + + /* add identity to keychain because libsecurity_smime needs it there */ + const void *keys[] = { kSecValueRef, kSecReturnPersistentRef}; + const void *values[] = { *identity, kCFBooleanTrue }; + require_action(query_dict = CFDictionaryCreate(NULL, keys, values, 2, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), + errOut, fail("Create SecItem query dictionary")); + ok_status(SecItemAdd(query_dict, &keychainItems), + "Add identity to keychain"); + is(CFGetTypeID(keychainItems), CFDataGetTypeID(), + "Verify SecItem result type"); + ok(identityPersistentRef = (CFDataRef)CFRetainSafe(keychainItems), + "Get 
persistent reference to identity"); + + /* get the certificate */ + require_action(identity && *identity, errOut, fail("get identity failed")); + ok_status(SecIdentityCopyCertificate(*identity, cert), + "Copy certificate"); + +errOut: + CFReleaseNull(p12Password); + CFReleaseNull(p12Options); + CFReleaseNull(p12Data); + CFReleaseNull(p12Items); + CFReleaseNull(query_dict); + CFReleaseNull(keychainItems); + return identityPersistentRef; +} + +#define kNumberCleanupTests 1 +static void cleanup_keychain(CFDataRef identityPersistenRef, SecIdentityRef identity, SecCertificateRef cert) { + CFDictionaryRef query = NULL; + require_action(query = CFDictionaryCreate(NULL, (const void**)&kSecValuePersistentRef, + (const void**)&identityPersistenRef, 1, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), + errOut, fail("Create SecItem dictionary")); + ok_status(SecItemDelete(query), + "Delete identity from keychain"); + +errOut: + CFReleaseNull(query); + CFReleaseNull(cert); + CFReleaseNull(identity); +} + +static OSStatus sign_please(SecIdentityRef identity, SECOidTag digestAlgTag, bool withAttrs, uint8_t *expected_output, size_t expected_len) { + OSStatus status = SECFailure; + SecCmsMessageRef cmsg = NULL; + SecCmsSignedDataRef sigd = NULL; + SecCmsContentInfoRef cinfo = NULL; + SecCmsSignerInfoRef signerInfo = NULL; + SecCmsEncoderRef encoder = NULL; + CFMutableDataRef outCms = NULL; + uint8_t string_to_sign[] = "This message is signed. 
Ain't it pretty?"; + + /* setup the message */ + require_action_string(cmsg = SecCmsMessageCreate(), out, + status = errSecAllocate, "Failed to create message"); + require_action_string(sigd = SecCmsSignedDataCreate(cmsg), out, + status = errSecAllocate, "Failed to create signed data"); + require_action_string(cinfo = SecCmsMessageGetContentInfo(cmsg), out, + status = errSecParam, "Failed to get cms content info"); + require_noerr_string(status = SecCmsContentInfoSetContentSignedData(cinfo, sigd), out, + "Failed to set signed data into content info"); + require_action_string(cinfo = SecCmsSignedDataGetContentInfo(sigd), out, + status = errSecParam, "Failed to get content info from signed data"); + require_noerr_string(status = SecCmsContentInfoSetContentData(cinfo, NULL, false), out, + "Failed to set signed data content info"); + require_action_string(signerInfo = SecCmsSignerInfoCreate(sigd, identity, digestAlgTag), out, + status = errSecAllocate, "Failed to create signer info"); + require_noerr_string(status = SecCmsSignerInfoIncludeCerts(signerInfo, SecCmsCMCertOnly, + certUsageEmailSigner), out, + "Failed to put certs in signer info"); + + if(withAttrs) { + require_noerr_string(status = SecCmsSignerInfoAddSigningTime(signerInfo, 480000000.0), out, + "Couldn't add an attribute"); + } + + /* encode now */ + require_action_string(outCms = CFDataCreateMutable(NULL, 0), out, + status = errSecAllocate, "Failed to create cms data"); + require_noerr_string(status = SecCmsEncoderCreate(cmsg, NULL, NULL, outCms, NULL, NULL, + NULL, NULL, &encoder), out, + "Failed to create encoder"); + require_noerr_string(status = SecCmsEncoderUpdate(encoder, string_to_sign, sizeof(string_to_sign)), out, + "Failed to add data "); + status = SecCmsEncoderFinish(encoder); + encoder = NULL; // SecCmsEncoderFinish always frees the encoder but doesn't NULL it. 
+ require_noerr_quiet(status, out); + + /* verify the output matches expected results */ + if (expected_output) { + require_action_string((CFIndex)expected_len == CFDataGetLength(outCms), out, + status = -1, "Output size differs from expected"); + require_noerr_action_string(memcmp(expected_output, CFDataGetBytePtr(outCms), expected_len), out, + status = -1, "Output differs from expected"); + } + +out: + if (encoder) { + SecCmsEncoderDestroy(encoder); + } + if (cmsg) { + SecCmsMessageDestroy(cmsg); + } + CFReleaseNull(outCms); + return status; + +} + +static OSStatus verify_please(SecKeychainRef keychain, uint8_t *data_to_verify, size_t length) { + OSStatus status = SECFailure; + SecCmsDecoderRef decoder = NULL; + SecCmsMessageRef cmsg = NULL; + SecCmsContentInfoRef cinfo = NULL; + SecCmsSignedDataRef sigd = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + + if (!data_to_verify) { + return errSecSuccess; // reasons... + } + + require_noerr_string(status = SecCmsDecoderCreate(NULL, NULL, NULL, NULL, + NULL, NULL, &decoder), out, + "Failed to create decoder"); + require_noerr_string(status = SecCmsDecoderUpdate(decoder, data_to_verify, length), out, + "Failed to add data "); + status = SecCmsDecoderFinish(decoder, &cmsg); + decoder = NULL; // SecCmsDecoderFinish always frees the decoder + require_noerr_quiet(status, out); + + require_action_string(cinfo = SecCmsMessageContentLevel(cmsg, 0), out, + status = errSecDecode, "Failed to get content info"); + require_action_string(SEC_OID_PKCS7_SIGNED_DATA == SecCmsContentInfoGetContentTypeTag(cinfo), out, + status = errSecDecode, "Content type was pkcs7 signed data"); + require_action_string(sigd = (SecCmsSignedDataRef)SecCmsContentInfoGetContent(cinfo), out, + status = errSecDecode, "Failed to get signed data"); + require_action_string(policy = SecPolicyCreateBasicX509(), out, + status = errSecAllocate, "Failed to create basic policy"); + status = SecCmsSignedDataVerifySignerInfo(sigd, 0, keychain, 
policy, &trust); + +out: + if (decoder) { + SecCmsDecoderDestroy(decoder); + } + if (cmsg) { + SecCmsMessageDestroy(cmsg); + } + CFReleaseNull(policy); + CFReleaseNull(trust); + return status; +} + +static uint8_t *invalidate_signature(uint8_t *cms_data, size_t length) { + if (!cms_data || !length || (length < 10)) { + return NULL; + } + uint8_t *invalid_cms = NULL; + + invalid_cms = malloc(length); + if (invalid_cms) { + memcpy(invalid_cms, cms_data, length); + /* This modifies the signature part of the test cms binaries */ + invalid_cms[length - 10] = 0x00; + } + + return invalid_cms; +} + +static OSStatus invalidate_and_verify(SecKeychainRef kc, uint8_t *cms_data, size_t length) { + OSStatus status = SECFailure; + uint8_t *invalid_cms_data = NULL; + + if (!cms_data) { + return SECFailure; // reasons... + } + + require_action_string(invalid_cms_data = invalidate_signature(cms_data, length), out, + status = errSecAllocate, "Unable to allocate buffer for invalid cms data"); + status = verify_please(kc, invalid_cms_data, length); + +out: + if (invalid_cms_data) { + free(invalid_cms_data); + } + return status; +} + +/* forward declaration */ +static OSStatus decrypt_please(const uint8_t *data_to_decrypt, size_t length); + +static OSStatus encrypt_please(SecCertificateRef recipient, SECOidTag encAlg, int keysize) { + OSStatus status = SECFailure; + SecCmsMessageRef cmsg = NULL; + SecCmsEnvelopedDataRef envd = NULL; + SecCmsContentInfoRef cinfo = NULL; + SecCmsRecipientInfoRef rinfo = NULL; + SecCmsEncoderRef encoder = NULL; + CFMutableDataRef outCms = NULL; + + const uint8_t data_to_encrypt[] = "This data is encrypted. 
Is cool, no?"; + + /* set up the message */ + require_action_string(cmsg = SecCmsMessageCreate(), out, + status = errSecAllocate, "Failed to create message"); + require_action_string(envd = SecCmsEnvelopedDataCreate(cmsg, encAlg, keysize), out, + status = errSecAllocate, "Failed to create enveloped data"); + require_action_string(cinfo = SecCmsMessageGetContentInfo(cmsg), out, + status = errSecParam, "Failed to get content info from cms message"); + require_noerr_string(status = SecCmsContentInfoSetContentEnvelopedData(cinfo, envd), out, + "Failed to set enveloped data in cms message"); + require_action_string(cinfo = SecCmsEnvelopedDataGetContentInfo(envd), out, + status = errSecParam, "Failed to get content info from enveloped data"); + require_noerr_string(status = SecCmsContentInfoSetContentData(cinfo, NULL, false), out, + "Failed to set data type in envelope"); + require_action_string(rinfo = SecCmsRecipientInfoCreate(envd, recipient), out, + status = errSecAllocate, "Failed to create recipient info"); + + /* encode the message */ + require_action_string(outCms = CFDataCreateMutable(NULL, 0), out, + status = errSecAllocate, "Failed to create cms data"); + require_noerr_string(status = SecCmsEncoderCreate(cmsg, NULL, NULL, outCms, NULL, NULL, + NULL, NULL, &encoder), out, + "Failed to create encoder"); + require_noerr_string(status = SecCmsEncoderUpdate(encoder, data_to_encrypt, sizeof(data_to_encrypt)), out, + "Failed to update encoder with data"); + status = SecCmsEncoderFinish(encoder); + encoder = NULL; // SecCmsEncoderFinish always frees the encoder but doesn't NULL it. 
+ require_noerr_quiet(status, out); + + require_noerr_string(status = decrypt_please(CFDataGetBytePtr(outCms), CFDataGetLength(outCms)), out, + "Failed to decrypt the data we just encrypted"); + +out: + if (encoder) { + SecCmsEncoderDestroy(encoder); + } + if (cmsg) { + SecCmsMessageDestroy(cmsg); + } + CFReleaseNull(outCms); + return status; +} + +static OSStatus decrypt_please(const uint8_t *data_to_decrypt, size_t length) { + OSStatus status = SECFailure; + SecCmsDecoderRef decoder = NULL; + SecCmsMessageRef cmsg = NULL; + const SecAsn1Item *content = NULL; + const uint8_t encrypted_string[] = "This data is encrypted. Is cool, no?"; + + require_noerr_string(status = SecCmsDecoderCreate(NULL, NULL, NULL, NULL, NULL, + NULL, &decoder), out, + "Failed to create decoder"); + require_noerr_string(status = SecCmsDecoderUpdate(decoder, data_to_decrypt, length), out, + "Failed to add data "); + status = SecCmsDecoderFinish(decoder, &cmsg); + decoder = NULL; // SecCmsDecoderFinish always frees the decoder + require_noerr_quiet(status, out); + require_action_string(content = SecCmsMessageGetContent(cmsg), out, + status = errSecDecode, "Unable to get message contents"); + + /* verify the output matches expected results */ + + require_action_string(sizeof(encrypted_string) == content->Length, out, + status = -1, "Output size differs from expected"); + require_noerr_action_string(memcmp(encrypted_string, content->Data, content->Length), out, + status = -1, "Output differs from expected"); + +out: + if (cmsg) { + SecCmsMessageDestroy(cmsg); + } + return status; +} + +/* Signing with attributes goes through a different code path than signing without, + * so we need to test both. */ +#define kNumberSignTests 10 +static void sign_tests(SecIdentityRef identity, bool isRSA) { + + /* no attributes */ + is(sign_please(identity, SEC_OID_MD5, false, NULL, 0), + SEC_ERROR_INVALID_ALGORITHM, "Signed with MD5. Not cool."); + is(sign_please(identity, SEC_OID_SHA1, false, (isRSA) ? 
rsa_sha1 : NULL, + (isRSA) ? sizeof(rsa_sha1) : 0), + errSecSuccess, "Signed with SHA-1"); + is(sign_please(identity, SEC_OID_SHA256, false, (isRSA) ? rsa_sha256 : NULL, + (isRSA) ? sizeof(rsa_sha256) : 0), + errSecSuccess, "Signed with SHA-256"); + is(sign_please(identity, SEC_OID_SHA384, false, NULL, 0), errSecSuccess, "Signed with SHA-384"); + is(sign_please(identity, SEC_OID_SHA512, false, NULL, 0), errSecSuccess, "Signed with SHA-512"); + + /* with attributes */ + is(sign_please(identity, SEC_OID_MD5, true, NULL, 0), + SEC_ERROR_INVALID_ALGORITHM, "Signed with MD5 and attributes. Not cool."); + is(sign_please(identity, SEC_OID_SHA1, true, (isRSA) ? rsa_sha1_attr : NULL, + (isRSA) ? sizeof(rsa_sha1_attr) : 0), + errSecSuccess, "Signed with SHA-1 and attributes"); + is(sign_please(identity, SEC_OID_SHA256, true, (isRSA) ? rsa_sha256_attr : NULL, + (isRSA) ? sizeof(rsa_sha256_attr) : 0), + errSecSuccess, "Signed with SHA-256 and attributes"); + is(sign_please(identity, SEC_OID_SHA384, true, NULL, 0), + errSecSuccess, "Signed with SHA-384 and attributes"); + is(sign_please(identity, SEC_OID_SHA512, true, NULL, 0), + errSecSuccess, "Signed with SHA-512 and attributes"); +} + +/* Verifying with attributes goes through a different code path than verifying without, + * so we need to test both. */ +#define kNumberVerifyTests 12 +static void verify_tests(SecKeychainRef kc, bool isRsa) { + /* no attributes */ + is(verify_please(kc, (isRsa) ? rsa_md5 : ec_md5, + (isRsa) ? sizeof(rsa_md5) : sizeof(ec_md5)), + (isRsa) ? errSecSuccess : SECFailure, "Verify MD5, no attributes"); + is(verify_please(kc, (isRsa) ? rsa_sha1 : ec_sha1, + (isRsa) ? sizeof(rsa_sha1) : sizeof(ec_sha1)), + errSecSuccess, "Verify SHA1, no attributes"); + is(verify_please(kc, (isRsa) ? rsa_sha256 : ec_sha256, + (isRsa) ? sizeof(rsa_sha256) : sizeof(ec_sha256)), + errSecSuccess, "Verify SHA256, no attributes"); + + /* with attributes */ + is(verify_please(kc, (isRsa) ? rsa_md5_attr : NULL, + (isRsa) ? 
sizeof(rsa_md5_attr) : 0), + errSecSuccess, "Verify MD5, with attributes"); + is(verify_please(kc, (isRsa) ? rsa_sha1_attr : ec_sha1_attr, + (isRsa) ? sizeof(rsa_sha1_attr) : sizeof(ec_sha1_attr)), + errSecSuccess, "Verify SHA1, with attributes"); + is(verify_please(kc, (isRsa) ? rsa_sha256_attr : ec_sha256_attr, + (isRsa) ? sizeof(rsa_sha256_attr) : sizeof(ec_sha256_attr)), + errSecSuccess, "Verify SHA256, with attributes"); + + /***** Once more, with validation errors *****/ + + /* no attributes */ + is(invalidate_and_verify(kc, (isRsa) ? rsa_md5 : ec_md5, + (isRsa) ? sizeof(rsa_md5) : sizeof(ec_md5)), + SECFailure, "Verify invalid MD5, no attributes"); + is(invalidate_and_verify(kc, (isRsa) ? rsa_sha1 : ec_sha1, + (isRsa) ? sizeof(rsa_sha1) : sizeof(ec_sha1)), + SECFailure, "Verify invalid SHA1, no attributes"); + is(invalidate_and_verify(kc, (isRsa) ? rsa_sha256 : ec_sha256, + (isRsa) ? sizeof(rsa_sha256) : sizeof(ec_sha256)), + SECFailure, "Verify invalid SHA256, no attributes"); + + /* with attributes */ + is(invalidate_and_verify(kc, (isRsa) ? rsa_md5_attr : NULL, + (isRsa) ? sizeof(rsa_md5_attr) : 0), + SECFailure, "Verify invalid MD5, with attributes"); + is(invalidate_and_verify(kc, (isRsa) ? rsa_sha1_attr : ec_sha1_attr, + (isRsa) ? sizeof(rsa_sha1_attr) : sizeof(ec_sha1_attr)), + SECFailure, "Verify invalid SHA1, with attributes"); + is(invalidate_and_verify(kc, (isRsa) ? rsa_sha256_attr : ec_sha256_attr, + (isRsa) ? 
sizeof(rsa_sha256_attr) : sizeof(ec_sha256_attr)), + SECFailure, "Verify invalid SHA256, with attributes"); +} + +#define kNumberEncryptTests 5 +static void encrypt_tests(SecCertificateRef certificate) { + is(encrypt_please(certificate, SEC_OID_DES_EDE3_CBC, 192), + errSecSuccess, "Encrypt with 3DES"); + is(encrypt_please(certificate, SEC_OID_RC2_CBC, 128), + SEC_ERROR_INVALID_ALGORITHM, "Encrypt with 128-bit RC2"); + is(encrypt_please(certificate, SEC_OID_AES_128_CBC, 128), + errSecSuccess, "Encrypt with 128-bit AES"); + is(encrypt_please(certificate, SEC_OID_AES_192_CBC, 192), + errSecSuccess, "Encrypt with 192-bit AES"); + is(encrypt_please(certificate, SEC_OID_AES_256_CBC, 256), + errSecSuccess, "Encrypt with 256-bit AES"); +} + +#define kNumberDecryptTests 5 +static void decrypt_tests(bool isRsa) { + is(decrypt_please((isRsa) ? rsa_3DES : ec_3DES, + (isRsa) ? sizeof(rsa_3DES) : sizeof(ec_3DES)), + errSecSuccess, "Decrypt 3DES"); + is(decrypt_please((isRsa) ? rsa_RC2 : ec_RC2, + (isRsa) ? sizeof(rsa_RC2) : sizeof(ec_RC2)), + SEC_ERROR_INVALID_ALGORITHM, "Decrypt 128-bit RC2"); + is(decrypt_please((isRsa) ? rsa_AES_128 : ec_AES_128, + (isRsa) ? sizeof(rsa_AES_128) : sizeof(ec_AES_128)), + errSecSuccess, "Decrypt 128-bit AES"); + is(decrypt_please((isRsa) ? rsa_AES_192 : ec_AES_192, + (isRsa) ? sizeof(rsa_AES_192) : sizeof(ec_AES_192)), + errSecSuccess, "Decrypt 192-bit AES"); + is(decrypt_please((isRsa) ? rsa_AES_256 : ec_AES_256, + (isRsa) ? sizeof(rsa_AES_256) : sizeof(ec_AES_256)), + errSecSuccess, "Decrypt 256-bit AES"); +} + +int si_95_cms_basic(int argc, char *const *argv) +{ + plan_tests(2*(kNumberSetupTests + kNumberSignTests + kNumberVerifyTests + + kNumberEncryptTests + kNumberDecryptTests + kNumberCleanupTests)); + + SecIdentityRef identity = NULL; + SecCertificateRef certificate = NULL; + CFDataRef persistentRef = NULL; + + /* SecKeychainRef's aren't a thing on iOS. But the SecCms SPI takes one as + * an argument. 
It gets ignored down in the bowels of libsecurity_smime, so + * it's safe to just pass NULL. */ + SecKeychainRef kc = NULL; + + /* RSA tests */ + persistentRef = setup_keychain(_rsa_identity, sizeof(_rsa_identity), &identity, &certificate); + sign_tests(identity, true); + verify_tests(kc, true); + encrypt_tests(certificate); + decrypt_tests(true); + cleanup_keychain(persistentRef, identity, certificate); + + /* EC tests */ + persistentRef = setup_keychain(_ec_identity, sizeof(_ec_identity), &identity, &certificate); + sign_tests(identity, false); + verify_tests(kc, false); + encrypt_tests(certificate); + decrypt_tests(false); + cleanup_keychain(persistentRef, identity, certificate); + + return 0; +} diff --git a/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.h b/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.h new file mode 100644 index 00000000..dc46feeb --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.h 
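Review bot: In setup_keychain the guard `require_action(identity && *identity, errOut, fail("get identity failed"));` is placed after `*identity` has already been written and stored in `values[]`, and `CFArrayGetValueAtIndex(p12Items, 0)` runs even when `SecPKCS12Import` fails, since `ok_status` records the failure but does not bail; a failed import then indexes a NULL array and aborts the whole regression binary instead of failing one test. Moving that guard ahead of the `SecItemAdd` block and adding `require_action(p12Items && CFArrayGetCount(p12Items) > 0, errOut, fail("pkcs12 import returned no items"));` right after the import call would keep the run going and report the real failure. Two smaller points in the same hunk: the message in verify_please `"Content type was pkcs7 signed data"` is printed on the failure path and reads inverted, `"Content type was not pkcs7 signed data"` is what the check means; and verify_tests pins that MD5-signed RSA messages still verify (`(isRsa) ? errSecSuccess : SECFailure`), which is presumably deliberate compatibility behaviour given that sign_please rejects MD5, so a short comment stating that intent, and that the EC MD5-with-attributes cases pass trivially through the NULL short-circuits marked `// reasons...`, would stop a future reader from treating those expectations as mistakes.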
@@ -0,0 +1,1341 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#ifndef cms_01_test_h +#define cms_01_test_h + +/* + * MARK: Identities + */ +unsigned char _rsa_identity[] = { + 0x30, 0x82, 0x0a, 0x83, 0x02, 0x01, 0x03, 0x30, 0x82, 0x0a, 0x4a, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 0x01, 0xa0, 0x82, 0x0a, 0x3b, 0x04, 0x82, 0x0a, 0x37, 0x30, 0x82, 0x0a, 0x33, 0x30, 0x82, 0x04, 0xbf, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06, 0xa0, 0x82, 0x04, 0xb0, 0x30, 0x82, 0x04, 0xac, 0x02, 0x01, 0x00, + 0x30, 0x82, 0x04, 0xa5, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x0a, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06, 0x30, 0x0e, 0x04, 0x08, 0xef, 0x13, 0x69, 0xa2, 0xe0, 0xb7, 0x4d, + 0xf3, 0x02, 0x02, 0x08, 0x00, 0x80, 0x82, 0x04, 0x78, 0x24, 0x38, 0x74, 0x0e, 0x93, 0x67, 0x0b, 0xc4, 0x24, 0x58, 0x1c, + 0x1c, 0x63, 0x3a, 0xcb, 0xfb, 0x88, 0x8b, 0x95, 0xe8, 0x8b, 0x40, 0x33, 0xa1, 0x10, 0x72, 0xd6, 0x3b, 0x36, 0x52, 0xef, + 0xe8, 0xec, 0x27, 
0xf1, 0xe2, 0xb6, 0x3d, 0x7a, 0x67, 0x28, 0x59, 0xf2, 0xa9, 0x9f, 0xf2, 0x33, 0x21, 0x26, 0xe6, 0x2f, + 0xbc, 0xeb, 0x39, 0xa2, 0x8a, 0x8d, 0xa0, 0xd8, 0x6e, 0xfc, 0xf9, 0x80, 0x63, 0x02, 0x68, 0x6c, 0x97, 0x43, 0x56, 0x8b, + 0xab, 0x1e, 0xac, 0xea, 0x6d, 0x9a, 0xdd, 0xdf, 0x67, 0x4d, 0xfb, 0xf0, 0x0b, 0x58, 0x9e, 0xc0, 0x2b, 0x06, 0x8b, 0xca, + 0x01, 0xcd, 0xcc, 0x79, 0xb6, 0xb1, 0xa1, 0x22, 0x00, 0x22, 0x46, 0x9f, 0x20, 0x7d, 0xd4, 0x3e, 0x1a, 0x16, 0x73, 0xfa, + 0x61, 0xaa, 0xaa, 0xc9, 0x9e, 0xc1, 0x66, 0x17, 0x74, 0xc8, 0x96, 0xc8, 0xab, 0x0d, 0xb3, 0x41, 0x11, 0xe6, 0x1b, 0x3d, + 0x1f, 0xad, 0x02, 0x0d, 0x7d, 0x68, 0xbc, 0x80, 0xeb, 0xaf, 0x1e, 0x77, 0x9e, 0xc8, 0x8c, 0xc2, 0xce, 0x15, 0x4a, 0xba, + 0xa3, 0xba, 0x11, 0x82, 0xcc, 0xc4, 0x8e, 0x47, 0xa4, 0x2d, 0x95, 0x00, 0x46, 0xcb, 0x45, 0x19, 0x8d, 0x8f, 0xa7, 0x47, + 0x4b, 0xb6, 0xd6, 0x0f, 0x33, 0x5a, 0xf6, 0xba, 0x2d, 0x6a, 0xde, 0x19, 0x22, 0x4e, 0x48, 0xf4, 0x98, 0x54, 0x6e, 0xed, + 0xd6, 0xf4, 0xd8, 0xaf, 0x63, 0x83, 0x72, 0x01, 0x43, 0x0d, 0x33, 0x06, 0x30, 0x15, 0x3f, 0x0b, 0xc8, 0x4f, 0x8f, 0x8f, + 0x04, 0x6c, 0x1c, 0x92, 0xf3, 0xb3, 0x4e, 0xb0, 0xaa, 0x19, 0x27, 0x84, 0xfc, 0xb5, 0xde, 0xed, 0xb0, 0xea, 0x42, 0xc0, + 0xb0, 0x25, 0xfc, 0x25, 0x59, 0xf5, 0x8a, 0xfc, 0x35, 0x8c, 0xe3, 0x47, 0xab, 0x9f, 0xd7, 0x52, 0xac, 0x57, 0x5d, 0x0f, + 0xc8, 0x28, 0x19, 0xf7, 0x11, 0xe5, 0x34, 0xfb, 0x80, 0x32, 0xa1, 0x63, 0xa8, 0x79, 0xcf, 0xc2, 0xbd, 0xe3, 0x9e, 0x7e, + 0xf1, 0x62, 0xa4, 0x38, 0x3a, 0x6a, 0xf2, 0xd5, 0xdb, 0xe2, 0x01, 0x4e, 0x58, 0x1c, 0xb1, 0x8c, 0xf4, 0x71, 0x9c, 0x1b, + 0xdf, 0x32, 0xa8, 0xab, 0xa0, 0xd9, 0xe3, 0x10, 0x9e, 0xe8, 0x70, 0x7f, 0x1d, 0x8d, 0x2b, 0xe4, 0x70, 0x21, 0x01, 0x88, + 0x26, 0x1a, 0x53, 0xcd, 0x62, 0xf2, 0x18, 0xa1, 0xe5, 0xfa, 0xbb, 0x59, 0x77, 0x46, 0xac, 0xda, 0xbe, 0x38, 0xe9, 0x69, + 0x48, 0x24, 0x86, 0x82, 0x8a, 0x21, 0xce, 0xbc, 0xe1, 0xef, 0xfc, 0x35, 0xd2, 0x17, 0x8e, 0x34, 0xf2, 0x52, 0x8a, 0x74, + 0x5d, 0x0e, 0xff, 0xf4, 0x79, 0x7b, 0x97, 0x43, 0xc2, 0xc7, 0x50, 
0x70, 0x14, 0x9d, 0xc2, 0xb4, 0x42, 0xb2, 0xc2, 0xdb, + 0x5c, 0x99, 0xf1, 0x6f, 0xe2, 0x4f, 0xc0, 0xd3, 0xc3, 0x4a, 0xe0, 0xdf, 0xfc, 0x0a, 0xd3, 0xfb, 0x4d, 0x5f, 0x5f, 0xbe, + 0x68, 0x88, 0x36, 0xd8, 0x29, 0x83, 0xa6, 0x44, 0xb7, 0x13, 0x60, 0x3e, 0xb2, 0xc0, 0xce, 0xb9, 0x0a, 0xb3, 0xd3, 0xd7, + 0x6b, 0xa0, 0xae, 0x2c, 0x54, 0x96, 0xa6, 0x57, 0x54, 0x52, 0xe2, 0xe5, 0xd9, 0x11, 0xff, 0x94, 0xd7, 0x06, 0x87, 0x67, + 0x80, 0xb5, 0x44, 0xea, 0x9b, 0xfd, 0x77, 0x28, 0x57, 0x72, 0xd3, 0x6d, 0x8b, 0x0a, 0xbc, 0x94, 0xa6, 0xd6, 0x23, 0xfa, + 0xf3, 0x58, 0x18, 0x28, 0x6d, 0x81, 0x56, 0x05, 0x0a, 0x9c, 0x34, 0xf7, 0xb1, 0x64, 0xa4, 0xe1, 0x0b, 0x50, 0x39, 0x4b, + 0xfb, 0x51, 0xa1, 0x29, 0x19, 0x61, 0x6c, 0x72, 0xc9, 0xf6, 0xd3, 0xa0, 0x98, 0x66, 0x4b, 0x14, 0xd5, 0x26, 0x41, 0xd1, + 0x03, 0x47, 0x02, 0xde, 0x9c, 0x5f, 0x72, 0x9c, 0xbb, 0x68, 0x47, 0x23, 0xfb, 0xd7, 0xfc, 0x85, 0xa7, 0x01, 0xd8, 0x48, + 0x94, 0xc3, 0xf1, 0x67, 0xd9, 0xa0, 0xce, 0x1b, 0x66, 0x80, 0x70, 0x52, 0x99, 0x9c, 0x82, 0x27, 0xec, 0x65, 0x0a, 0x72, + 0x3e, 0xf8, 0xd1, 0x70, 0xd3, 0xce, 0x3d, 0x52, 0x1f, 0xbb, 0x18, 0x1f, 0x10, 0x49, 0x4c, 0x42, 0x67, 0x0c, 0xa3, 0xaa, + 0x58, 0xdb, 0x56, 0xcf, 0x39, 0x68, 0x43, 0x8e, 0xc9, 0x8d, 0xaa, 0xeb, 0x94, 0x4a, 0x1f, 0x96, 0x98, 0xa2, 0xd1, 0xcf, + 0x1f, 0xc5, 0xe0, 0xcf, 0x5f, 0x29, 0xf6, 0xe5, 0x80, 0x89, 0xb9, 0xb1, 0x4c, 0x2e, 0x6e, 0xbb, 0xeb, 0x43, 0xdf, 0xff, + 0x24, 0x42, 0xc9, 0x08, 0x98, 0x42, 0x55, 0xcb, 0x4c, 0x9e, 0xae, 0x02, 0x57, 0x81, 0x10, 0xb4, 0x2b, 0xc4, 0xfc, 0xd8, + 0xd2, 0x6c, 0x5c, 0x47, 0xe9, 0xc3, 0x49, 0x8b, 0x1f, 0x8e, 0xbe, 0x78, 0x08, 0x06, 0xe2, 0xab, 0xa7, 0x5c, 0x22, 0xa1, + 0x5a, 0xb2, 0x38, 0x8a, 0xc4, 0xd7, 0x73, 0x28, 0xe2, 0x87, 0x80, 0xac, 0x1c, 0x73, 0xdf, 0x06, 0xa0, 0xfe, 0x59, 0x30, + 0xd4, 0x9f, 0x58, 0x93, 0xc1, 0xbd, 0x54, 0xdb, 0xbc, 0xb1, 0x19, 0x6a, 0x57, 0x25, 0x73, 0xab, 0xd0, 0xcf, 0x26, 0x9c, + 0x1c, 0x6b, 0xe6, 0x89, 0x16, 0x9b, 0x34, 0x63, 0xfe, 0x95, 0x47, 0x5e, 0x3b, 0x78, 0x29, 0xda, 0x1f, 0x6f, 0xb0, 
0x7a, + 0x5c, 0x07, 0xa8, 0x8f, 0x83, 0xc6, 0x69, 0x18, 0x12, 0x39, 0x7a, 0xb3, 0x61, 0xe4, 0x86, 0x76, 0xbf, 0xe1, 0x99, 0xc7, + 0xc7, 0x4c, 0x9f, 0x95, 0xc5, 0xe7, 0x88, 0x97, 0xcf, 0xd7, 0xf5, 0x20, 0xbf, 0x97, 0x6c, 0xec, 0x04, 0xb5, 0x3d, 0x07, + 0xc8, 0x0e, 0xe9, 0x51, 0xe2, 0x93, 0x35, 0x57, 0xdf, 0xe9, 0xfd, 0x5f, 0x83, 0x95, 0x75, 0xb1, 0xa5, 0xbe, 0xdc, 0xc1, + 0xa0, 0x60, 0x93, 0x38, 0xae, 0xa6, 0x20, 0xf0, 0xb5, 0x32, 0x58, 0xb2, 0x04, 0x59, 0x24, 0x5f, 0x5b, 0xd7, 0x4b, 0x45, + 0x9b, 0x37, 0x39, 0x95, 0xd9, 0x85, 0x2a, 0xdc, 0xe9, 0xd8, 0x09, 0xc4, 0x99, 0x41, 0x28, 0xb1, 0x97, 0x48, 0x62, 0xd0, + 0xc5, 0xb2, 0x75, 0x64, 0x47, 0x02, 0xec, 0x72, 0x40, 0xd1, 0x2c, 0x07, 0x0e, 0x91, 0x3e, 0x70, 0x17, 0x75, 0xb0, 0x9f, + 0x81, 0xcd, 0x1a, 0x03, 0xb6, 0x64, 0xd0, 0xe2, 0x62, 0x3a, 0x92, 0x7c, 0xc1, 0x0d, 0x4a, 0xfa, 0x55, 0xf8, 0xa2, 0xb7, + 0xf7, 0xa5, 0xaf, 0xb6, 0xd6, 0xce, 0xe9, 0x9f, 0x06, 0x15, 0x41, 0x4e, 0x50, 0x43, 0x98, 0x4c, 0xe3, 0x20, 0x83, 0x37, + 0xaf, 0x93, 0x6a, 0xe6, 0xc0, 0x4b, 0x93, 0x06, 0x0c, 0x2f, 0xc7, 0x10, 0x4d, 0x2e, 0x55, 0x3f, 0xd8, 0xdf, 0xab, 0x74, + 0x4e, 0xcc, 0x09, 0x42, 0xa3, 0x18, 0x7a, 0x55, 0x84, 0xa7, 0xba, 0x74, 0xe5, 0x29, 0xcb, 0x37, 0x19, 0xe3, 0xd8, 0x02, + 0xcc, 0xf4, 0x18, 0x3e, 0x58, 0x52, 0x41, 0xde, 0xba, 0x12, 0x5c, 0x89, 0xb4, 0x28, 0x04, 0x33, 0x8d, 0xe5, 0x1a, 0x30, + 0x97, 0x05, 0x3f, 0x19, 0xaf, 0xef, 0x07, 0x3a, 0xe2, 0xa5, 0x71, 0xfb, 0xb5, 0x87, 0x00, 0x3d, 0x53, 0x6b, 0x4c, 0x3d, + 0x4d, 0xc8, 0x4c, 0x94, 0xd5, 0xa5, 0x14, 0x29, 0x53, 0x80, 0x99, 0x70, 0xcf, 0x11, 0x8b, 0xb0, 0x19, 0x38, 0x0d, 0x04, + 0x4f, 0x47, 0xc7, 0x4c, 0x20, 0x8f, 0x06, 0xf0, 0x49, 0xc2, 0x4a, 0xc8, 0xe6, 0x95, 0x27, 0x6c, 0xd4, 0xbb, 0x2e, 0x8c, + 0x1b, 0xd6, 0x83, 0xa6, 0x26, 0x1d, 0x69, 0x8a, 0xf5, 0x7d, 0x34, 0x4c, 0xeb, 0xf4, 0x66, 0x70, 0x4d, 0x41, 0xa5, 0xce, + 0x1e, 0xbc, 0xa0, 0xc5, 0xed, 0x48, 0x1a, 0xcb, 0xf7, 0xae, 0x66, 0x5d, 0x12, 0x83, 0xa2, 0xf3, 0x4b, 0x8b, 0xa6, 0x88, + 0x90, 0x4f, 0x70, 0x3b, 0xbd, 0x9a, 
0x8a, 0x82, 0x33, 0x40, 0x32, 0x15, 0x0b, 0x3b, 0x3d, 0xac, 0x83, 0xd9, 0xde, 0x0a, + 0x94, 0x13, 0x53, 0x17, 0xba, 0xdb, 0x73, 0x4f, 0xf2, 0xec, 0x56, 0xce, 0x32, 0xd6, 0x9a, 0xf7, 0xda, 0x35, 0x00, 0x46, + 0x0f, 0x74, 0xa5, 0x71, 0x4b, 0x4f, 0x0d, 0x8a, 0xa2, 0xd3, 0xbb, 0x2c, 0xb5, 0xe9, 0x75, 0x08, 0x94, 0xfc, 0xcb, 0xdf, + 0x05, 0x48, 0x32, 0x56, 0x57, 0x39, 0xfb, 0xfa, 0xe5, 0xbd, 0x85, 0x3f, 0xb2, 0xd4, 0x9e, 0xf3, 0xd6, 0x71, 0xf3, 0x33, + 0x60, 0x46, 0x32, 0xbc, 0x52, 0x6d, 0xfd, 0x9e, 0x71, 0xdb, 0x6d, 0x27, 0xe4, 0xc3, 0x9e, 0x99, 0x07, 0x3c, 0x49, 0x91, + 0xce, 0x01, 0x7f, 0x47, 0x26, 0x35, 0xd0, 0x21, 0x3c, 0x97, 0x81, 0x1e, 0x22, 0x4e, 0xb6, 0x79, 0x9c, 0x61, 0x51, 0xaf, + 0x3c, 0x27, 0x03, 0x6b, 0xb1, 0x4c, 0xe0, 0x21, 0x87, 0x4e, 0x03, 0xf1, 0xf5, 0x30, 0x82, 0x05, 0x6c, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x05, 0x5d, 0x04, 0x82, 0x05, 0x59, 0x30, 0x82, 0x05, 0x55, + 0x30, 0x82, 0x05, 0x51, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x82, 0x04, + 0xee, 0x30, 0x82, 0x04, 0xea, 0x30, 0x1c, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, + 0x0e, 0x04, 0x08, 0xe9, 0xa1, 0x13, 0x54, 0xfb, 0x10, 0xe0, 0x7d, 0x02, 0x02, 0x08, 0x00, 0x04, 0x82, 0x04, 0xc8, 0x69, + 0x8d, 0x27, 0x9a, 0xd6, 0x8e, 0xa9, 0xe1, 0x3f, 0xd4, 0x8c, 0xb8, 0x48, 0xbb, 0x4e, 0xb6, 0x7f, 0xc6, 0x01, 0x54, 0x23, + 0x72, 0x8b, 0x5f, 0x1d, 0x1a, 0x0c, 0x4a, 0xbd, 0x89, 0x76, 0x00, 0x98, 0x9c, 0xbd, 0xbc, 0x54, 0x16, 0x5f, 0x86, 0xea, + 0x73, 0x74, 0x27, 0x1b, 0x63, 0x69, 0xdb, 0xed, 0xd4, 0x79, 0xd6, 0xef, 0x33, 0x50, 0x4a, 0x36, 0x57, 0x5c, 0xca, 0xa6, + 0x17, 0xc4, 0x12, 0x84, 0x42, 0xf7, 0x1b, 0x7c, 0xd8, 0x5e, 0x6e, 0x7e, 0x86, 0x21, 0x6c, 0xeb, 0xe9, 0xb9, 0xf4, 0x77, + 0xe3, 0xf4, 0x3d, 0x50, 0x09, 0x86, 0x24, 0xca, 0x98, 0x3d, 0x88, 0x28, 0xc6, 0x5a, 0xfe, 0x52, 0x86, 0x14, 0xe1, 0x36, + 0x46, 0x6f, 0xa9, 0x55, 0xf9, 0x8b, 0xfb, 0x49, 0xa1, 0xe5, 0x52, 0xc6, 0x19, 0x25, 
0x7e, 0x96, 0x26, 0xaf, 0xf3, 0x84, + 0x44, 0x3b, 0x8a, 0xe5, 0x0a, 0xf6, 0x86, 0xcd, 0x20, 0xf4, 0x4f, 0x78, 0xfc, 0x04, 0x15, 0xf3, 0x47, 0x80, 0x5e, 0x1b, + 0x25, 0x9a, 0x85, 0xf0, 0xc3, 0x1c, 0xd3, 0x45, 0xb5, 0xe2, 0x6c, 0xd8, 0xd0, 0x50, 0x50, 0xa0, 0xc2, 0x55, 0xc1, 0xab, + 0x4b, 0x07, 0xa2, 0xec, 0x00, 0xe7, 0x80, 0xe8, 0xc9, 0x1a, 0xb8, 0xab, 0xe1, 0x0c, 0x9e, 0x3b, 0x7e, 0xf7, 0x64, 0xae, + 0x03, 0x92, 0x40, 0x72, 0x24, 0x94, 0x0c, 0x27, 0xe6, 0x88, 0x44, 0x84, 0x29, 0x8d, 0xe1, 0x18, 0xab, 0xf5, 0xef, 0xaf, + 0xdb, 0x70, 0xf7, 0x81, 0xf6, 0x9f, 0x97, 0x8c, 0xb0, 0x70, 0xf5, 0xb3, 0x8c, 0x0e, 0xda, 0xd0, 0xb0, 0x75, 0x93, 0x39, + 0x9c, 0x5d, 0xe4, 0x42, 0xfa, 0x37, 0x24, 0x3f, 0x57, 0xba, 0x0b, 0xc6, 0x3f, 0x92, 0x5c, 0x93, 0x80, 0x7e, 0xe3, 0x3f, + 0x7a, 0xc8, 0x40, 0x9c, 0xe8, 0xf7, 0x3a, 0x66, 0xe6, 0x75, 0x0e, 0x7d, 0x20, 0x7b, 0xf5, 0xa1, 0x6f, 0x8b, 0x8b, 0xb8, + 0x56, 0xf8, 0x96, 0xb4, 0xab, 0xf9, 0xcc, 0x4f, 0x8a, 0x92, 0x64, 0x1e, 0x90, 0xe0, 0xee, 0x08, 0xc9, 0xf9, 0x71, 0x73, + 0x9b, 0x25, 0x4c, 0x6c, 0xef, 0x61, 0x31, 0x24, 0x98, 0x69, 0x3f, 0xdb, 0x10, 0x24, 0xdc, 0xfd, 0x2a, 0x54, 0xbf, 0xa5, + 0x76, 0xfc, 0xab, 0xe1, 0xf2, 0x72, 0x87, 0x74, 0xb1, 0x9d, 0x98, 0xcf, 0xe8, 0x3c, 0xf4, 0x03, 0x3f, 0x6b, 0x69, 0xa5, + 0x79, 0x4a, 0xb8, 0xbf, 0x5d, 0xb7, 0x89, 0xcc, 0x44, 0xc7, 0x7e, 0x11, 0x8e, 0x46, 0xb2, 0x47, 0x80, 0xbe, 0xc5, 0xfc, + 0x64, 0x35, 0x1d, 0x6b, 0x77, 0xe6, 0x01, 0x51, 0xbc, 0x6e, 0xab, 0xf5, 0x2b, 0x35, 0x65, 0x41, 0x44, 0x54, 0x60, 0x82, + 0xbe, 0x09, 0x53, 0x5e, 0xa0, 0x4f, 0xf7, 0xe6, 0x8b, 0xed, 0x33, 0xd4, 0x8a, 0xf8, 0x61, 0x87, 0x13, 0x2e, 0xdb, 0x4b, + 0x5a, 0x9d, 0xee, 0xd5, 0x2d, 0x58, 0xa7, 0xb4, 0x0b, 0xf4, 0x3b, 0xf8, 0x2f, 0xbf, 0xe7, 0x47, 0xde, 0xc0, 0x33, 0x0c, + 0xab, 0x44, 0xd7, 0x6e, 0x71, 0x49, 0xd4, 0x4f, 0x9b, 0x1b, 0xf2, 0xac, 0xa2, 0x35, 0x77, 0x6e, 0x71, 0xa9, 0xc3, 0xfc, + 0xa3, 0x66, 0x19, 0x58, 0x3d, 0xbc, 0x41, 0xfa, 0x8f, 0x15, 0x36, 0xb4, 0x04, 0x2e, 0x21, 0x7d, 0x6a, 0x25, 0xcd, 0xca, + 0x82, 
0x11, 0x05, 0x64, 0x07, 0x94, 0x45, 0xf3, 0x9b, 0xbc, 0x95, 0xa7, 0x3e, 0x0a, 0x78, 0xad, 0x28, 0x62, 0x13, 0xff, + 0x38, 0x10, 0x03, 0x1a, 0x9f, 0xed, 0xc5, 0x78, 0xa2, 0xd3, 0xb0, 0x3c, 0x8f, 0x4f, 0xf6, 0x93, 0x7b, 0xf2, 0xdc, 0xe5, + 0xe3, 0xe2, 0x56, 0x26, 0x74, 0xb1, 0xef, 0x26, 0xc5, 0x66, 0x55, 0xb2, 0x03, 0xba, 0x58, 0x87, 0x4e, 0x7d, 0x32, 0xa5, + 0x78, 0x82, 0x6c, 0x49, 0x5c, 0xc7, 0xee, 0x32, 0x4a, 0x15, 0x82, 0x9e, 0xee, 0xb0, 0xc6, 0xf4, 0xf3, 0x23, 0x84, 0x09, + 0x76, 0xb3, 0xa4, 0x7f, 0xe9, 0x7a, 0xd3, 0x75, 0xc9, 0x18, 0x5e, 0xb1, 0x56, 0x38, 0x25, 0x6e, 0xcd, 0x7d, 0x97, 0x57, + 0xbd, 0x5f, 0xf1, 0x14, 0xbc, 0x37, 0xf1, 0x42, 0x23, 0x1b, 0xaf, 0x67, 0x55, 0x77, 0xff, 0x5f, 0xe2, 0x0a, 0x05, 0x09, + 0x23, 0xfd, 0x75, 0xcd, 0xde, 0x6a, 0x36, 0x06, 0x89, 0x69, 0x3d, 0x3c, 0x80, 0x26, 0x71, 0xce, 0x74, 0xdf, 0xff, 0x42, + 0x1e, 0xcc, 0x49, 0x60, 0x43, 0x98, 0x50, 0x7d, 0x4d, 0xbd, 0x1c, 0x6f, 0x89, 0xe6, 0xba, 0x82, 0x8c, 0x64, 0x57, 0x24, + 0x10, 0x7d, 0xb1, 0x1a, 0x17, 0x48, 0x55, 0xdd, 0x1b, 0xc8, 0xfb, 0xd6, 0x8b, 0xe5, 0x1e, 0x62, 0xdc, 0x7d, 0xfe, 0x5c, + 0x3e, 0x9b, 0xcd, 0x20, 0x6f, 0xa0, 0xae, 0x85, 0x39, 0xcd, 0xf4, 0xae, 0x66, 0x7d, 0x54, 0xe3, 0x16, 0x87, 0x13, 0x28, + 0xd2, 0x8c, 0x67, 0x20, 0xbb, 0x9e, 0x76, 0x3a, 0x3b, 0x89, 0xf2, 0xd2, 0xe3, 0xd0, 0xbe, 0xb8, 0x03, 0xfa, 0x11, 0x88, + 0x5e, 0x47, 0x0b, 0xba, 0xfa, 0x69, 0x73, 0x14, 0x30, 0xb3, 0xcb, 0x77, 0x4f, 0x24, 0x57, 0xcb, 0xd4, 0x1b, 0x62, 0x60, + 0xdf, 0xcb, 0xf8, 0x5d, 0x3c, 0xa4, 0xd9, 0xb5, 0xa4, 0xaa, 0x44, 0x0a, 0x9e, 0x99, 0x03, 0xab, 0xdd, 0xbc, 0xe3, 0x32, + 0xd7, 0x24, 0x19, 0x59, 0x8f, 0x28, 0x55, 0x1b, 0x53, 0x29, 0xb5, 0xbc, 0xbd, 0x8b, 0x20, 0x25, 0xf0, 0x49, 0xee, 0x3f, + 0xaf, 0x74, 0xad, 0x9a, 0x10, 0x2a, 0x04, 0xab, 0x5a, 0x40, 0xf3, 0x2f, 0x37, 0x57, 0xe7, 0xdb, 0x6b, 0x8e, 0x19, 0xab, + 0x29, 0x78, 0x37, 0x04, 0xdb, 0xe5, 0x7b, 0x5a, 0x80, 0x74, 0xae, 0x50, 0xef, 0x25, 0xf3, 0xb5, 0xf2, 0xc8, 0x4b, 0xf6, + 0x67, 0x91, 0xd5, 0x95, 0xe1, 0x96, 0x65, 0xf3, 0xe3, 
0x92, 0xb6, 0xd8, 0x6d, 0xf6, 0xf0, 0x2a, 0x6d, 0x5f, 0xfd, 0x16, + 0x11, 0x43, 0x22, 0x7b, 0xa3, 0x5c, 0x05, 0xdc, 0x68, 0x21, 0x50, 0x54, 0xe0, 0x37, 0x41, 0x9e, 0x20, 0x4d, 0x72, 0xfb, + 0xee, 0x91, 0x9d, 0x72, 0xa9, 0xc6, 0x7d, 0x77, 0x30, 0xe2, 0x1e, 0xec, 0xad, 0x1e, 0x5c, 0xe3, 0x0a, 0xb7, 0x32, 0xcf, + 0x90, 0x12, 0x14, 0xcf, 0x19, 0xdf, 0xf8, 0x76, 0x93, 0x27, 0x4a, 0xeb, 0x44, 0x85, 0xc7, 0xfd, 0x60, 0x72, 0xa3, 0x60, + 0x78, 0x4d, 0x0c, 0xec, 0xfa, 0xee, 0x57, 0xf6, 0xe2, 0x0f, 0x2b, 0xcf, 0x83, 0x5d, 0xae, 0xe5, 0x77, 0x59, 0xc9, 0x57, + 0xa9, 0x9e, 0x07, 0x08, 0xf5, 0x06, 0x27, 0x82, 0x92, 0x3e, 0x62, 0xbf, 0xdb, 0xa3, 0x94, 0xc1, 0xee, 0xf6, 0x59, 0xe5, + 0xaf, 0x67, 0x78, 0x51, 0x0d, 0x76, 0xaa, 0x0e, 0x96, 0xf3, 0xe3, 0x22, 0x7a, 0x51, 0x01, 0xcb, 0x11, 0x60, 0x0e, 0x02, + 0x9a, 0x32, 0xcf, 0xb2, 0x75, 0x69, 0x53, 0x89, 0x1c, 0x7a, 0x27, 0x93, 0xd0, 0x80, 0x82, 0xf1, 0x5e, 0x64, 0xe0, 0xc4, + 0xc6, 0x34, 0x59, 0x4d, 0xe2, 0xb7, 0xf0, 0x1c, 0xf6, 0x2a, 0xdb, 0x25, 0xf7, 0x10, 0xe0, 0x25, 0x56, 0x25, 0x74, 0xa2, + 0xbe, 0xec, 0x1e, 0x46, 0xe9, 0x42, 0x0a, 0x5f, 0x46, 0xf3, 0xa8, 0xd6, 0x6e, 0x59, 0x77, 0x11, 0xde, 0x60, 0x17, 0x5d, + 0xce, 0xa5, 0x94, 0x4b, 0x93, 0x6f, 0x01, 0xe6, 0xcb, 0x3f, 0xfb, 0x58, 0x10, 0xea, 0xae, 0xd6, 0x37, 0xa9, 0xd1, 0x12, + 0x98, 0xc7, 0x86, 0xd4, 0xc1, 0x03, 0x33, 0x8d, 0x41, 0xc2, 0x38, 0x2c, 0xc4, 0x4b, 0x22, 0xc5, 0xb6, 0x48, 0x38, 0x29, + 0xe8, 0xe7, 0x5d, 0x22, 0x5f, 0x74, 0x1a, 0xdb, 0x51, 0xda, 0x1d, 0x41, 0xcb, 0x89, 0xc8, 0xd4, 0x44, 0x58, 0x72, 0x3b, + 0x84, 0x39, 0xd3, 0x6f, 0x66, 0x40, 0xbb, 0xe0, 0xe6, 0xfd, 0x6f, 0xcf, 0x6b, 0xcb, 0x9e, 0x02, 0x7d, 0xf2, 0xe0, 0x9e, + 0x65, 0xa9, 0xb7, 0xea, 0x57, 0x8a, 0xbc, 0x99, 0xc0, 0xfc, 0x3e, 0x74, 0xe1, 0x2a, 0x48, 0x96, 0xc0, 0xd3, 0x85, 0x76, + 0xf4, 0x63, 0x3e, 0x2e, 0x24, 0xdd, 0x4c, 0x50, 0x4e, 0x6e, 0x5c, 0x0d, 0x45, 0x6d, 0x55, 0x77, 0x28, 0x37, 0x62, 0x85, + 0x85, 0x9d, 0xf4, 0x2f, 0x09, 0xad, 0x6a, 0xc4, 0x0d, 0xa1, 0x8b, 0x63, 0x49, 0xc9, 0x2f, 0x05, 0x28, 
0x80, 0x4c, 0xc3, + 0x30, 0xf3, 0x4f, 0xa8, 0xea, 0xf7, 0xcc, 0xe7, 0xe6, 0x95, 0xb1, 0x35, 0x63, 0x3e, 0xfd, 0xd2, 0x8e, 0xf6, 0x59, 0xaf, + 0x8a, 0xbc, 0x57, 0x89, 0x8b, 0x3d, 0x61, 0x60, 0x59, 0x44, 0xc6, 0xc1, 0x37, 0x34, 0x5c, 0x22, 0x32, 0x9f, 0x82, 0xde, + 0x22, 0x70, 0x9b, 0x94, 0x3c, 0x39, 0x3a, 0xa4, 0x7f, 0xc2, 0x28, 0x21, 0x2b, 0xbe, 0xf2, 0xe2, 0xfa, 0x28, 0xc2, 0xaa, + 0x9f, 0xb8, 0x77, 0x8e, 0x0a, 0x76, 0xf9, 0xe0, 0x9d, 0x62, 0x56, 0x78, 0xf4, 0xa4, 0x1c, 0x8c, 0xd0, 0x34, 0x37, 0x5d, + 0x24, 0x65, 0x91, 0x42, 0xaf, 0x90, 0xda, 0xb8, 0xee, 0x6e, 0x84, 0xd6, 0x47, 0x4f, 0x72, 0xf1, 0xcc, 0x38, 0x3c, 0x5f, + 0x88, 0xf1, 0xef, 0xfb, 0xae, 0xcb, 0xc3, 0xca, 0x1d, 0xd0, 0x0a, 0xf6, 0xc4, 0x7e, 0x7d, 0xc3, 0x2d, 0xf9, 0xb5, 0x51, + 0xe6, 0x18, 0xb4, 0x31, 0x50, 0x30, 0x29, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x14, 0x31, 0x1c, + 0x1e, 0x1a, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x53, 0x00, 0x20, 0x00, 0x52, 0x00, 0x53, 0x00, 0x41, 0x00, 0x20, 0x00, 0x74, + 0x00, 0x65, 0x00, 0x73, 0x00, 0x74, 0x00, 0x00, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, + 0x15, 0x31, 0x16, 0x04, 0x14, 0x32, 0xee, 0x79, 0x16, 0x2f, 0x60, 0x4a, 0xad, 0x6c, 0xf7, 0xcd, 0x55, 0x45, 0x5b, 0x1a, + 0x44, 0x40, 0x97, 0x4d, 0x10, 0x30, 0x30, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, + 0x04, 0x14, 0xe0, 0x6f, 0xbb, 0xf2, 0x68, 0xc1, 0x65, 0xf7, 0xe4, 0x60, 0xe3, 0x17, 0xce, 0x09, 0xfb, 0xe9, 0x35, 0x92, + 0x95, 0x91, 0x04, 0x08, 0xb7, 0x0b, 0x82, 0x9e, 0xd4, 0x9f, 0x8e, 0xfd, 0x02, 0x01, 0x01 +}; + +unsigned char _ec_identity[] = { + 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x03, 0x30, 0x82, 0x04, 0x85, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 0x01, 0xa0, 0x82, 0x04, 0x76, 0x04, 0x82, 0x04, 0x72, 0x30, 0x82, 0x04, 0x6e, 0x30, 0x82, 0x03, 0x2f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x06, 0xa0, 0x82, 0x03, 0x20, 0x30, 0x82, 0x03, 0x1c, 0x02, 0x01, 0x00, + 0x30, 0x82, 0x03, 
0x15, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x0a, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06, 0x30, 0x0e, 0x04, 0x08, 0x82, 0x45, 0xec, 0x50, 0xa0, 0x4e, 0xec, + 0x6d, 0x02, 0x02, 0x08, 0x00, 0x80, 0x82, 0x02, 0xe8, 0x88, 0xd8, 0xd8, 0xc0, 0x6a, 0x39, 0x55, 0x4a, 0x65, 0x53, 0x7a, + 0x44, 0x9d, 0x95, 0x87, 0x84, 0x46, 0xc5, 0xa8, 0x94, 0xd3, 0xd4, 0x8f, 0xfe, 0x69, 0x13, 0x0e, 0xb0, 0x55, 0x4b, 0x88, + 0x7a, 0x37, 0x5d, 0x17, 0x97, 0x03, 0x47, 0x65, 0x83, 0x41, 0x2b, 0xbc, 0xbc, 0x22, 0x3e, 0xe9, 0x62, 0xbe, 0x51, 0x72, + 0x39, 0x7d, 0xfd, 0x96, 0x40, 0x85, 0x6b, 0x28, 0xee, 0xf6, 0x0c, 0x87, 0xeb, 0xd6, 0x19, 0x42, 0xfa, 0xcf, 0x30, 0x74, + 0xba, 0xca, 0x87, 0xf3, 0x0f, 0x83, 0x28, 0xc5, 0xbf, 0xbe, 0x29, 0x4b, 0x5d, 0x70, 0xcc, 0x9d, 0x26, 0x88, 0xe2, 0x84, + 0xbf, 0x11, 0x3e, 0x42, 0x23, 0x78, 0x46, 0x4f, 0x8b, 0xf3, 0xaf, 0xc7, 0x33, 0x6e, 0x4b, 0x83, 0x85, 0x44, 0xe3, 0x03, + 0xd1, 0xb5, 0x98, 0xad, 0x36, 0x5b, 0x37, 0xf0, 0x15, 0x12, 0xfb, 0x17, 0xa7, 0x92, 0xf9, 0x90, 0x5e, 0x8e, 0x12, 0xea, + 0x02, 0xbd, 0x9b, 0x9c, 0x9e, 0x29, 0x4d, 0x80, 0x13, 0x94, 0xcf, 0xf5, 0xc4, 0x12, 0x54, 0x87, 0x50, 0x90, 0x2b, 0xc7, + 0x43, 0x58, 0x2a, 0x85, 0xf3, 0x36, 0xb7, 0x88, 0xfb, 0x63, 0xe6, 0x58, 0xac, 0xd5, 0x22, 0xdc, 0x1c, 0x43, 0x2a, 0x0d, + 0x28, 0xb7, 0x14, 0x93, 0x2a, 0x5d, 0x41, 0x6d, 0xcb, 0xc8, 0xcb, 0xed, 0x17, 0x81, 0xd9, 0x73, 0x1b, 0xe1, 0x26, 0x69, + 0x5a, 0x52, 0x7f, 0x60, 0x08, 0x52, 0x85, 0x08, 0xe5, 0x3b, 0x66, 0x70, 0x0d, 0x84, 0x29, 0x34, 0xb4, 0xf4, 0x62, 0x41, + 0xca, 0xc2, 0xf8, 0x4b, 0xcd, 0x29, 0xcd, 0xb7, 0xc8, 0x7c, 0x3c, 0x8b, 0x28, 0x3e, 0x5d, 0xa8, 0x23, 0xab, 0xe6, 0x73, + 0x9e, 0x83, 0xc8, 0x81, 0xd0, 0x51, 0x16, 0xd0, 0xaf, 0x1d, 0xc8, 0x86, 0xb8, 0x9f, 0x08, 0x26, 0x20, 0x97, 0x69, 0xdf, + 0x30, 0x34, 0xd6, 0x00, 0xcd, 0x40, 0x7f, 0xe4, 0x97, 0x0c, 0x3b, 0x48, 0xa4, 0x81, 0x18, 0xca, 0x63, 0x09, 0xf8, 0xf0, + 0x4e, 0x95, 0x67, 0x65, 0x0a, 0xb5, 0xd6, 0xc7, 0xf7, 0xdf, 0x8d, 
0x08, 0xb3, 0x10, 0x8f, 0xd2, 0x0f, 0xa9, 0x58, 0x20, + 0x75, 0x9e, 0xbb, 0x28, 0x70, 0x38, 0x45, 0x74, 0xc4, 0x8c, 0xa4, 0x31, 0x09, 0x2c, 0x17, 0x8a, 0xea, 0xcb, 0xff, 0x5d, + 0x3a, 0xd6, 0x13, 0x40, 0xd4, 0x51, 0x85, 0x9b, 0x7f, 0xe4, 0x0f, 0xc1, 0xf9, 0x51, 0xae, 0x26, 0x0f, 0x58, 0x31, 0x55, + 0x1f, 0x87, 0x08, 0x0d, 0x96, 0x4b, 0x1f, 0xf4, 0xa4, 0x3b, 0xa2, 0x31, 0x24, 0x93, 0x1d, 0xbf, 0xa8, 0xc7, 0x19, 0x77, + 0xef, 0xc4, 0xf5, 0xf5, 0x94, 0xbc, 0x24, 0xfa, 0xf5, 0x18, 0xb3, 0xe6, 0x33, 0x5c, 0x3d, 0xed, 0x30, 0xac, 0x4b, 0x8b, + 0x13, 0x5f, 0x8e, 0x0f, 0xb5, 0xd1, 0x25, 0x19, 0x06, 0x09, 0x4f, 0x35, 0xb9, 0x74, 0x00, 0x1c, 0x51, 0xc6, 0xd9, 0xdf, + 0x68, 0xbd, 0x3f, 0x83, 0x02, 0xc1, 0xf9, 0xfc, 0x9e, 0x6c, 0xce, 0xf5, 0x18, 0xd1, 0xe6, 0x07, 0x0d, 0x5d, 0x44, 0x68, + 0xc3, 0xe3, 0x4a, 0x22, 0x17, 0x56, 0xff, 0xe1, 0xa6, 0x19, 0x92, 0x8e, 0x82, 0x39, 0x07, 0xd7, 0xf1, 0xfc, 0x21, 0x54, + 0x3c, 0x39, 0x01, 0x76, 0x09, 0xe6, 0xf8, 0xd9, 0x1d, 0x28, 0x1e, 0xa6, 0x54, 0xc4, 0xe8, 0x49, 0x20, 0x7b, 0x01, 0x58, + 0xa9, 0x78, 0x1e, 0x49, 0x35, 0x84, 0x16, 0x04, 0x74, 0x73, 0x5f, 0xa6, 0xc9, 0xe0, 0xb5, 0x59, 0x70, 0x13, 0x9c, 0x52, + 0x11, 0x59, 0x76, 0x9f, 0x29, 0x68, 0x47, 0x78, 0xb3, 0x11, 0xdc, 0xcc, 0xb2, 0xd8, 0xa9, 0x8f, 0x4f, 0xa9, 0xa5, 0xa5, + 0x6c, 0x6d, 0x89, 0xa2, 0x53, 0x40, 0xed, 0x74, 0xf4, 0x78, 0xb4, 0x7c, 0xc1, 0x79, 0x41, 0x38, 0xe7, 0xea, 0xb3, 0x21, + 0xfd, 0x9c, 0x43, 0x98, 0x13, 0x05, 0x6b, 0x35, 0x77, 0xd9, 0x49, 0xa6, 0x3e, 0x89, 0x9b, 0x97, 0x03, 0x40, 0x91, 0xaa, + 0x9f, 0x10, 0xf7, 0xd7, 0x99, 0xc2, 0xa0, 0x58, 0x74, 0xae, 0x77, 0x5f, 0xba, 0x72, 0x1d, 0xbb, 0xd5, 0x93, 0x0c, 0x52, + 0x85, 0xe2, 0x79, 0x06, 0x43, 0x0e, 0xb7, 0x98, 0xd6, 0x5b, 0xa8, 0x67, 0x1b, 0xe2, 0x33, 0xd7, 0x05, 0xb7, 0x30, 0x30, + 0x2a, 0xb7, 0x9d, 0xcb, 0x68, 0xc8, 0x9a, 0xc7, 0xa2, 0x4e, 0x6c, 0x92, 0x5e, 0x93, 0x45, 0x6a, 0x40, 0x4a, 0xb9, 0xcf, + 0x54, 0x93, 0xf8, 0x29, 0xdd, 0x50, 0x34, 0x22, 0xec, 0xfe, 0xc5, 0xa5, 0x17, 0x8b, 0x2a, 0x9c, 0x10, 0xd5, 0x8f, 
0x61, + 0x65, 0x8d, 0x02, 0x8c, 0x0a, 0x59, 0x85, 0x23, 0x24, 0x87, 0xab, 0x14, 0xa4, 0x5e, 0x7a, 0xfc, 0xab, 0x09, 0x52, 0x1a, + 0x8f, 0xd4, 0x43, 0x88, 0xbe, 0xc3, 0x40, 0xfe, 0xde, 0xad, 0x58, 0x79, 0x22, 0xb8, 0xe0, 0xdf, 0xfc, 0xf6, 0x41, 0xe0, + 0xc4, 0x5f, 0x9b, 0xca, 0xfb, 0x3a, 0x82, 0xc5, 0xbf, 0x87, 0x68, 0x62, 0x7e, 0x77, 0xb3, 0xf1, 0xcf, 0x4e, 0x99, 0x75, + 0x73, 0xf0, 0x14, 0x62, 0x92, 0x82, 0xb0, 0x6b, 0x61, 0xb5, 0xb4, 0x0c, 0x3b, 0x2c, 0xe4, 0x72, 0x3e, 0xd9, 0xce, 0xab, + 0xce, 0x3b, 0x43, 0x1f, 0xe0, 0xa9, 0xc3, 0x51, 0xf4, 0x65, 0xae, 0xcc, 0x41, 0x5e, 0xc6, 0xdc, 0x75, 0x70, 0xb9, 0xd9, + 0x4b, 0x91, 0xfb, 0x8a, 0x07, 0xf8, 0x8a, 0xe5, 0x9e, 0x7e, 0x7b, 0x6f, 0x0b, 0x44, 0x68, 0x85, 0xa2, 0x0e, 0xa6, 0xaa, + 0x3e, 0x02, 0x79, 0xaa, 0x80, 0x13, 0x0e, 0x7c, 0x63, 0xb7, 0x37, 0x6c, 0x2a, 0x30, 0x82, 0x01, 0x37, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x01, 0x28, 0x04, 0x82, 0x01, 0x24, 0x30, 0x82, 0x01, 0x20, + 0x30, 0x82, 0x01, 0x1c, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x81, 0xbc, + 0x30, 0x81, 0xb9, 0x30, 0x1c, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, 0x0e, 0x04, + 0x08, 0xfc, 0x17, 0x87, 0x42, 0xb4, 0x69, 0xe7, 0x51, 0x02, 0x02, 0x08, 0x00, 0x04, 0x81, 0x98, 0xf6, 0xe7, 0x7c, 0x12, + 0x5f, 0x2a, 0x64, 0xc2, 0x3e, 0xa5, 0xd5, 0xe8, 0xd5, 0xc3, 0x5b, 0x8b, 0xbb, 0xbe, 0x7d, 0xd3, 0xc3, 0xfe, 0xed, 0x56, + 0xb4, 0x0f, 0x8a, 0xa3, 0x9e, 0x76, 0xb4, 0x6c, 0xec, 0x39, 0x23, 0xce, 0xa6, 0x4d, 0x4a, 0x9a, 0x9a, 0x50, 0x4f, 0x51, + 0xbd, 0x40, 0x95, 0x5a, 0x1c, 0x7d, 0x78, 0xd2, 0xc1, 0x2c, 0xeb, 0x03, 0x39, 0x9c, 0xa6, 0x96, 0x3f, 0xff, 0x1f, 0x6d, + 0x25, 0xf1, 0x6b, 0x17, 0xb6, 0x46, 0xbb, 0x8d, 0xc5, 0xd8, 0x52, 0x4a, 0x81, 0x14, 0xc8, 0xfd, 0x37, 0x9a, 0x89, 0x28, + 0x21, 0x61, 0xa1, 0x5e, 0xc1, 0x2e, 0x60, 0x82, 0xc0, 0x84, 0x37, 0x9f, 0xa8, 0xa5, 0x60, 0xba, 0x5e, 0x0b, 0x68, 0x0e, + 0x7e, 0x12, 0xa1, 0x83, 0x45, 0x16, 
0x32, 0x0b, 0x01, 0xc6, 0x91, 0x4b, 0xcd, 0x47, 0x5a, 0xe5, 0x34, 0x57, 0x43, 0x6f, + 0xd5, 0x5e, 0x76, 0x99, 0xe3, 0x9e, 0xc3, 0xa7, 0xf5, 0xb3, 0x7b, 0x49, 0x2d, 0x74, 0x17, 0x70, 0xaf, 0x24, 0xc9, 0x0e, + 0xcc, 0x23, 0xe6, 0x80, 0xfc, 0x2e, 0x0b, 0xa7, 0x31, 0x4e, 0x30, 0x27, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x14, 0x31, 0x1a, 0x1e, 0x18, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x53, 0x00, 0x20, 0x00, 0x45, 0x00, 0x43, 0x00, + 0x20, 0x00, 0x54, 0x00, 0x65, 0x00, 0x73, 0x00, 0x74, 0x00, 0x00, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x15, 0x31, 0x16, 0x04, 0x14, 0x23, 0xa4, 0x22, 0x91, 0xad, 0x83, 0x47, 0x86, 0xf2, 0x1f, 0x18, 0x0d, + 0x62, 0x70, 0x5c, 0x45, 0x40, 0x00, 0x30, 0xc6, 0x30, 0x30, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, + 0x1a, 0x05, 0x00, 0x04, 0x14, 0xf6, 0xff, 0x21, 0x16, 0x00, 0x67, 0x5b, 0xc1, 0x78, 0xcc, 0x05, 0x18, 0x77, 0x60, 0x45, + 0xa4, 0xd9, 0x79, 0xcf, 0xea, 0x04, 0x08, 0x3d, 0x07, 0x4e, 0x1e, 0xcb, 0x39, 0xda, 0x8a, 0x02, 0x01, 0x01 +}; + +/* + * MARK: RSA-signed messages (no attributes) + */ +unsigned char rsa_md5[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, + 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xa0, 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, + 0x30, 
0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, + 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, + 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, + 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, + 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, + 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, 0x32, + 0x39, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, + 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, + 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, + 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 
0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, + 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, + 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, + 0x02, 0x82, 0x01, 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, 0xf4, + 0x24, 0x8d, 0x25, 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, 0xb0, + 0x72, 0xe9, 0xa9, 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, 0xf7, + 0x7d, 0x59, 0xe9, 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, 0xcf, + 0xf7, 0x21, 0x88, 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, 0x54, + 0x59, 0x4d, 0xce, 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, 0x00, + 0x6f, 0x6e, 0xf8, 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, 0xba, + 0xcc, 0x29, 0xbe, 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, 0xb1, + 0xc3, 0x68, 0xd5, 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, 0xad, + 0x41, 0xfb, 0x61, 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, 0x86, + 0x8a, 0x1e, 0x3b, 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, 0x6a, + 0x1b, 0xea, 0x1a, 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, 0x0b, + 0x70, 0x90, 0x60, 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 
0xe9, 0xa2, 0x52, + 0x8f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, 0xd5, + 0x6e, 0x8b, 0x04, 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, 0x09, + 0xa7, 0x6c, 0x2d, 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, 0xbf, + 0x57, 0x6f, 0xd8, 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, 0xa4, + 0xca, 0xde, 0x3f, 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, 0x94, + 0x0e, 0xb9, 0x70, 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, 0x60, + 0xe5, 0x91, 0xec, 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, 0x61, + 0x51, 0x57, 0x73, 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, 0x77, + 0x35, 0xe9, 0x3e, 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, 0xaf, + 0x06, 0x44, 0x1e, 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, 0x63, + 0x7a, 0x32, 0xda, 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, 0x63, + 0xf3, 0x5c, 0x45, 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, 0xa1, + 0xd0, 0x30, 0x29, 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, 0xca, + 0x3f, 0xb5, 0x54, 0x31, 0x82, 0x01, 0xdb, 0x30, 0x82, 0x01, 0xd7, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, + 0x31, 0x1a, 0x30, 0x18, 
0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, + 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x44, 0x4f, 0x1c, 0x4f, 0x73, 0x46, 0xb4, 0x67, 0x86, 0x53, 0x6e, 0x09, 0x4a, 0x18, + 0x89, 0x82, 0xb0, 0x9d, 0xf5, 0xa9, 0x81, 0x21, 0x97, 0x2d, 0x1c, 0x61, 0x4a, 0xa0, 0x9a, 0xa1, 0x6d, 0xb0, 0xb2, 0xbe, + 0xc8, 0x27, 0x4a, 0x0e, 0xbd, 0x52, 0xf2, 0x56, 0x8a, 0xb6, 0x41, 0x45, 0xfc, 0xf6, 0x09, 0xb7, 0x83, 0x89, 0x87, 0xc6, + 0x5c, 0xfb, 0xe0, 0x22, 0x75, 0x9b, 0xa2, 0x24, 0x65, 0xd0, 0x51, 0xe0, 0xc6, 0x00, 0xad, 0x39, 0x50, 0x84, 0x31, 0x5c, + 0x63, 0x54, 0x8c, 0x3c, 0xa3, 0x69, 0x7f, 0xb2, 0x2c, 0x60, 0xa1, 0x5d, 0x6a, 0xac, 0xb2, 0x02, 0x26, 0x5b, 0x82, 0x61, + 0x2e, 0xb0, 0x32, 0xf7, 0x4e, 0xa3, 0x31, 0x00, 0xa7, 0x29, 0x4b, 0xdc, 0x30, 0x7f, 0x33, 0x14, 0x5a, 0xf1, 0x58, 0x5e, + 0x90, 0x77, 0xf3, 0x9c, 0x68, 0xbe, 0xe9, 0x4c, 0xf6, 0x33, 0x64, 0xdf, 
0x3f, 0xf4, 0xb9, 0x6b, 0xd5, 0x54, 0xb8, 0x4a, + 0x8f, 0xbb, 0xce, 0xde, 0x4a, 0x58, 0x9e, 0xad, 0x67, 0x99, 0xbe, 0xe7, 0x0a, 0x54, 0x2b, 0x19, 0x0c, 0x45, 0x45, 0x41, + 0x9e, 0x56, 0x07, 0x45, 0x95, 0x56, 0x92, 0xa8, 0xd6, 0x8f, 0xab, 0xb0, 0x9b, 0x39, 0xcb, 0x5a, 0x0d, 0x29, 0x2d, 0x8b, + 0x53, 0xf4, 0x85, 0xb1, 0xec, 0x6f, 0x95, 0xd2, 0x6e, 0xd5, 0x36, 0x65, 0xd4, 0x30, 0x4d, 0x26, 0x37, 0x8b, 0x06, 0x39, + 0xf5, 0xe6, 0xde, 0x8c, 0xf0, 0x84, 0x69, 0x96, 0xd7, 0xb9, 0x22, 0x24, 0xf5, 0x74, 0x69, 0x4e, 0x2b, 0xea, 0x9d, 0x5a, + 0xd7, 0xfc, 0xea, 0x7d, 0x8f, 0xd7, 0x34, 0x7f, 0x4f, 0x8a, 0x5c, 0xb6, 0x73, 0x9a, 0x8f, 0xa0, 0x74, 0x5e, 0xca, 0xdc, + 0xc9, 0x78, 0x85, 0x46, 0xb8, 0x79, 0x29, 0x10, 0xa5, 0x6c, 0x1e, 0x4e, 0xac, 0xba, 0x8e, 0xa2, 0x2d, 0xf8, 0x40, 0x2d, + 0xde, 0xf7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_sha1[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, 0x69, 0x6e, 0x27, + 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, + 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x74, 0x3f, + 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0xa7, + 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 
0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, + 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x30, + 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, + 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, + 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, 0xf4, 0x24, 0x8d, 0x25, + 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, 0xb0, 0x72, 0xe9, 0xa9, + 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, 0xf7, 0x7d, 0x59, 0xe9, + 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, 0xcf, 0xf7, 0x21, 0x88, + 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, 0x54, 0x59, 0x4d, 0xce, + 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, 0x00, 0x6f, 0x6e, 0xf8, + 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, 0xba, 0xcc, 0x29, 0xbe, + 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, 0xb1, 0xc3, 0x68, 0xd5, + 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, 0xad, 0x41, 0xfb, 0x61, + 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, 0x86, 0x8a, 0x1e, 0x3b, + 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, 0x6a, 0x1b, 0xea, 0x1a, + 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, 0x0b, 0x70, 0x90, 0x60, + 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, 0x52, 0x8f, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, + 
0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, 0xd5, 0x6e, 0x8b, 0x04, + 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, 0x09, 0xa7, 0x6c, 0x2d, + 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, 0xbf, 0x57, 0x6f, 0xd8, + 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, 0xa4, 0xca, 0xde, 0x3f, + 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, 0x94, 0x0e, 0xb9, 0x70, + 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, 0x60, 0xe5, 0x91, 0xec, + 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, 0x61, 0x51, 0x57, 0x73, + 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, 0x77, 0x35, 0xe9, 0x3e, + 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, 0xaf, 0x06, 0x44, 0x1e, + 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, 0x63, 0x7a, 0x32, 0xda, + 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, 0x63, 0xf3, 0x5c, 0x45, + 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, 0xa1, 0xd0, 0x30, 0x29, + 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, 0xca, 0x3f, 0xb5, 0x54, + 0x31, 0x82, 0x01, 0xd8, 0x30, 0x82, 0x01, 0xd4, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 
0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, + 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, + 0x29, 0xbb, 0xc2, 0xc1, 0x17, 0xb9, 0x7d, 0x8b, 0x43, 0xc6, 0x25, 0xad, 0xf1, 0xae, 0xb6, 0x26, 0x78, 0x9c, 0x92, 0x47, + 0x77, 0xf8, 0xac, 0x53, 0xca, 0x17, 0x58, 0x4a, 0x8d, 0x66, 0x44, 0x99, 0x14, 0x3f, 0x63, 0x98, 0x3a, 0x7c, 0xe6, 0x65, + 0xf0, 0x2a, 0x5e, 0x49, 0xbe, 0xdd, 0x40, 0x6e, 0x21, 0x43, 0xe1, 0xb9, 0x13, 0xa8, 0x31, 0xbf, 0x12, 0xb2, 0x78, 0x97, + 0xda, 0x00, 0x5d, 0x7f, 0xf3, 0x2e, 0xea, 0x6f, 0x8b, 0x98, 0xb6, 0x7e, 0x63, 0x75, 0x3b, 0xd0, 0xfc, 0x69, 0xa8, 0x0d, + 0x8f, 0xe3, 0xc0, 0x7c, 0xc4, 0xa4, 0x2e, 0x66, 0x63, 0x7f, 0xae, 0x4e, 0xb8, 0xc3, 0xcd, 0x53, 0xf6, 0x7b, 0xf1, 0x7b, + 0xfa, 0x89, 0x6f, 0xb6, 0x81, 0x65, 0x13, 0xc4, 0x2d, 0xdd, 0x7a, 0x52, 0x3d, 0x77, 0xd1, 0x78, 0x48, 0x70, 0x17, 0x58, + 0x1e, 0x58, 0x5c, 0xb8, 0xcf, 0x22, 0x3a, 0x1f, 0x95, 0x99, 0xe5, 0x5e, 0x91, 0xb4, 0x0f, 0x2e, 0x17, 0xeb, 0x5d, 0x20, + 0x80, 0xfe, 0x75, 0x07, 0x75, 0x9b, 0xda, 0x26, 0xa0, 0xb4, 0x1f, 0xe2, 0x8b, 0x94, 0x90, 0xad, 0x05, 0x75, 0xef, 0xe3, + 0x35, 0xa4, 0x6f, 0x50, 0x11, 0x40, 0xd5, 0x20, 0x1c, 0x32, 0xed, 0x24, 0xd6, 0x1e, 0x76, 0x95, 
0x96, 0x35, 0xa2, 0x7c, + 0x81, 0x42, 0x95, 0x32, 0x58, 0xd8, 0x68, 0xf8, 0x2e, 0x06, 0x5e, 0x99, 0x8f, 0xc2, 0x43, 0x5e, 0x84, 0x21, 0x8a, 0x87, + 0xfc, 0x36, 0xff, 0x10, 0x81, 0x52, 0xe7, 0xb0, 0xbd, 0x5d, 0x5e, 0xb3, 0x24, 0xb2, 0x06, 0x04, 0xb7, 0x6f, 0xb2, 0x6d, + 0x83, 0x3f, 0xe0, 0xc6, 0x3d, 0x29, 0xf3, 0x90, 0xa3, 0x3a, 0xcc, 0x5c, 0x64, 0x34, 0x22, 0x9c, 0xfb, 0x86, 0x83, 0xd1, + 0x48, 0x6f, 0xea, 0x1d, 0xca, 0x2c, 0x4f, 0x13, 0xc7, 0x94, 0x82, 0x38, 0xc2, 0xbd, 0x6b, 0xd4, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00 +}; + +unsigned char rsa_sha256[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, + 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, + 0x41, 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xa0, 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, + 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, + 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, + 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 
0x69, 0x6e, 0x67, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, + 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, + 0x34, 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, + 0x32, 0x39, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, + 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, + 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, + 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, + 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, + 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, + 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, + 0xf4, 0x24, 
0x8d, 0x25, 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, + 0xb0, 0x72, 0xe9, 0xa9, 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, + 0xf7, 0x7d, 0x59, 0xe9, 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, + 0xcf, 0xf7, 0x21, 0x88, 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, + 0x54, 0x59, 0x4d, 0xce, 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, + 0x00, 0x6f, 0x6e, 0xf8, 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, + 0xba, 0xcc, 0x29, 0xbe, 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, + 0xb1, 0xc3, 0x68, 0xd5, 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, + 0xad, 0x41, 0xfb, 0x61, 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, + 0x86, 0x8a, 0x1e, 0x3b, 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, + 0x6a, 0x1b, 0xea, 0x1a, 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, + 0x0b, 0x70, 0x90, 0x60, 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, + 0x52, 0x8f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, + 0xd5, 0x6e, 0x8b, 0x04, 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, + 0x09, 0xa7, 0x6c, 0x2d, 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 
0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, + 0xbf, 0x57, 0x6f, 0xd8, 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, + 0xa4, 0xca, 0xde, 0x3f, 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, + 0x94, 0x0e, 0xb9, 0x70, 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, + 0x60, 0xe5, 0x91, 0xec, 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, + 0x61, 0x51, 0x57, 0x73, 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, + 0x77, 0x35, 0xe9, 0x3e, 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, + 0xaf, 0x06, 0x44, 0x1e, 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, + 0x63, 0x7a, 0x32, 0xda, 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, + 0x63, 0xf3, 0x5c, 0x45, 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, + 0xa1, 0xd0, 0x30, 0x29, 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, + 0xca, 0x3f, 0xb5, 0x54, 0x31, 0x82, 0x01, 0xdc, 0x30, 0x82, 0x01, 0xd8, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, + 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 
0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xc9, 0x25, 0xbe, 0xb8, 0xf2, 0x2c, 0x7f, 0xc8, 0x3a, 0xc3, 0xc2, 0x4b, + 0xac, 0x54, 0xcf, 0xa6, 0x75, 0xaa, 0xeb, 0x40, 0x68, 0xee, 0xe2, 0xb1, 0xa8, 0x70, 0x9e, 0xe9, 0x8b, 0xf1, 0x0a, 0x85, + 0x88, 0x40, 0xef, 0xb8, 0xa5, 0x04, 0x87, 0x63, 0x03, 0xf5, 0x41, 0x81, 0x29, 0x42, 0x7f, 0x31, 0x8f, 0x5b, 0xde, 0xe8, + 0x15, 0xc1, 0xa3, 0x45, 0xf1, 0xbc, 0xff, 0x81, 0x58, 0xbd, 0xac, 0x4c, 0xa5, 0xb3, 0x30, 0x9a, 0xb8, 0x9e, 0x69, 0x10, + 0xad, 0x44, 0x7b, 0x93, 0x28, 0xba, 0xca, 0x6f, 0x2e, 0xf8, 0x1b, 0x03, 0xc2, 0x0a, 0x4a, 0x06, 0x32, 0x4d, 0x30, 0x50, + 0xb7, 0x9c, 0x57, 0x4d, 0x4b, 0x6c, 0x34, 0x53, 0xd8, 0xf5, 0xca, 0x91, 0xa5, 0xdf, 0xa6, 0x67, 0x0a, 0x2e, 0x02, 0x47, + 0x1c, 0x1c, 0xd6, 0x2b, 0xe2, 0x85, 0xc1, 0xda, 0x79, 0xa2, 0xe2, 0x1e, 0xf8, 0x5e, 0xf9, 0x76, 0x55, 0xaf, 0x61, 0xaf, + 0xde, 0x0a, 0x7b, 0xeb, 0xa1, 0xa8, 0xc6, 0xef, 0x76, 0x2f, 0x50, 0xd1, 0x0a, 0xce, 0xdb, 0x14, 0xc3, 0x13, 0x72, 0xe5, + 0x26, 0x67, 0x90, 0x19, 0x15, 0x7b, 0x79, 0x05, 0xeb, 0x20, 0xb3, 0x5a, 0x4e, 0x78, 0xae, 0x2d, 0x9c, 0xd1, 0x31, 0xfd, + 0x2e, 0xcb, 0x84, 0xb9, 0x67, 0xea, 0xaf, 0xb3, 0xc2, 0x5f, 0xf5, 0xcd, 0x7b, 0x66, 0x3f, 0xdf, 0xf7, 0xe7, 0x76, 0x46, + 0x57, 0xd9, 0xee, 0x4b, 0xb2, 0xc8, 0x7b, 0xf9, 0x88, 0xab, 0x8e, 0xca, 0xfc, 0x39, 0xd1, 0x8e, 0x1c, 0xba, 0x3e, 0x63, + 0xb7, 0xe8, 0x0e, 0x2f, 0xde, 
0x6b, 0x76, 0x81, 0xbf, 0x78, 0x26, 0x0c, 0xa0, 0x2c, 0x35, 0x21, 0xde, 0xb4, 0x45, 0x0a, + 0x84, 0xea, 0x68, 0xa5, 0x37, 0xe8, 0x4a, 0xbc, 0xa6, 0xcf, 0x24, 0x85, 0x46, 0x33, 0x9e, 0xd9, 0xba, 0x58, 0x75, 0xd7, + 0x45, 0xc2, 0x99, 0xe5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: RSA-signed messages (with attributes) + */ +unsigned char rsa_md5_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, + 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xa0, 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, + 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, + 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, + 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, + 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 
0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, + 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, + 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, 0x32, + 0x39, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, + 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, + 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, + 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, + 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, + 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, + 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, + 0x02, 0x82, 0x01, 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, 0xf4, + 0x24, 0x8d, 0x25, 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, 0xb0, + 0x72, 0xe9, 0xa9, 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 
0x6b, 0xeb, 0xd5, 0x4b, 0xf7, + 0x7d, 0x59, 0xe9, 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, 0xcf, + 0xf7, 0x21, 0x88, 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, 0x54, + 0x59, 0x4d, 0xce, 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, 0x00, + 0x6f, 0x6e, 0xf8, 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, 0xba, + 0xcc, 0x29, 0xbe, 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, 0xb1, + 0xc3, 0x68, 0xd5, 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, 0xad, + 0x41, 0xfb, 0x61, 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, 0x86, + 0x8a, 0x1e, 0x3b, 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, 0x6a, + 0x1b, 0xea, 0x1a, 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, 0x0b, + 0x70, 0x90, 0x60, 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, 0x52, + 0x8f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, 0xd5, + 0x6e, 0x8b, 0x04, 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, 0x09, + 0xa7, 0x6c, 0x2d, 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, 0xbf, + 0x57, 0x6f, 0xd8, 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, 0xa4, + 0xca, 0xde, 
0x3f, 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, 0x94, + 0x0e, 0xb9, 0x70, 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, 0x60, + 0xe5, 0x91, 0xec, 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, 0x61, + 0x51, 0x57, 0x73, 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, 0x77, + 0x35, 0xe9, 0x3e, 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, 0xaf, + 0x06, 0x44, 0x1e, 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, 0x63, + 0x7a, 0x32, 0xda, 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, 0x63, + 0xf3, 0x5c, 0x45, 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, 0xa1, + 0xd0, 0x30, 0x29, 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, 0xca, + 0x3f, 0xb5, 0x54, 0x31, 0x82, 0x02, 0x36, 0x30, 0x82, 0x02, 0x32, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, + 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 
0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0xa0, 0x59, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x03, 0x31, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x38, 0x31, 0x33, + 0x32, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x12, + 0x04, 0x10, 0xed, 0xa3, 0x75, 0x22, 0xef, 0xdc, 0x73, 0x52, 0x7f, 0xff, 0x56, 0x77, 0xdd, 0x1b, 0xaa, 0xae, 0x30, 0x0d, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x8f, 0x71, 0x05, + 0x7b, 0x53, 0xb1, 0x1d, 0xd3, 0xc5, 0x17, 0xc1, 0x65, 0x6d, 0xa6, 0xa2, 0x14, 0xd6, 0x07, 0xaa, 0xa1, 0x33, 0x3d, 0x30, + 0x4c, 0x2e, 0x62, 0x66, 0x5f, 0x43, 0x7e, 0x57, 0x65, 0x5f, 0xa2, 0x71, 0x2a, 0x20, 0x48, 0xc3, 0xef, 0x82, 0x6b, 0xcb, + 0xb9, 0xf4, 0xae, 0x8d, 0x90, 0x7a, 0x47, 0x1d, 0x28, 0xec, 0x66, 0x3c, 0x2a, 0x5c, 0xa1, 0x74, 0xce, 0x85, 0x8e, 0x37, + 0x45, 0x9e, 0xf0, 0xed, 0x67, 0x4a, 0xf8, 0x3e, 0xa4, 0xcb, 0xac, 0xdb, 0x35, 0x82, 0x71, 0xbf, 0xfb, 0xc6, 0xcc, 0x89, + 0x17, 0xb6, 0xaf, 0xfb, 0x1c, 0x4b, 0x92, 0x21, 0x88, 0xc1, 0x8e, 0x0e, 0xf6, 0x05, 0xb6, 0x70, 0x7b, 0x34, 0x98, 0x27, + 0xe2, 0xa9, 0x3b, 0xf2, 0x72, 0xba, 0xd4, 0x33, 0x21, 0x72, 0x55, 0x91, 0x4c, 0x03, 0xda, 0x18, 0x36, 0xe7, 0xdb, 0x77, + 0x9e, 0xdb, 0x0f, 0x0a, 0x0c, 0xff, 0x45, 0x46, 0x5e, 0x8b, 0xd8, 0x4b, 0x5f, 0xdd, 0xa0, 0x16, 0xc8, 0xdd, 0xf2, 0x30, + 0xea, 0x54, 0x6a, 0x05, 0x94, 0x4e, 0x75, 0xc6, 0x38, 0x96, 0xd2, 0x73, 0x92, 0xff, 0xe3, 0xc6, 0x73, 0xd4, 
0xb2, 0x9e, + 0xf8, 0xc1, 0xa5, 0x4d, 0x0a, 0x49, 0xdd, 0x41, 0x8f, 0x06, 0xd5, 0x6e, 0xe1, 0x51, 0x4a, 0xb7, 0x88, 0xec, 0xe3, 0x3e, + 0xcd, 0xfd, 0x54, 0x0d, 0x91, 0x75, 0xa2, 0xa0, 0x77, 0x82, 0x2b, 0xa1, 0xb6, 0x4f, 0x15, 0x44, 0xa2, 0xdf, 0xd2, 0x5b, + 0xf7, 0xd1, 0x91, 0xf3, 0x24, 0x29, 0x0b, 0xef, 0x71, 0xf5, 0xee, 0xfa, 0x21, 0xa1, 0xfb, 0xab, 0x78, 0x4d, 0x87, 0x97, + 0xb8, 0x91, 0x9d, 0xd9, 0x9e, 0x3b, 0x9f, 0xcc, 0xcb, 0x0b, 0x38, 0xd9, 0x84, 0xf4, 0xd4, 0x1d, 0xee, 0xab, 0x88, 0x9d, + 0xd5, 0xff, 0xe3, 0x2f, 0x93, 0x75, 0xfd, 0x77, 0xff, 0xab, 0x41, 0x55, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_sha1_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, 0x69, 0x6e, 0x27, + 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, + 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x74, 0x3f, + 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0xa7, + 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 
0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, + 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x30, + 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, + 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, + 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 
0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, 0xf4, 0x24, 0x8d, 0x25, + 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, 0xb0, 0x72, 0xe9, 0xa9, + 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, 0xf7, 0x7d, 0x59, 0xe9, + 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, 0xcf, 0xf7, 0x21, 0x88, + 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, 0x54, 0x59, 0x4d, 0xce, + 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, 0x00, 0x6f, 0x6e, 0xf8, + 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, 0xba, 0xcc, 0x29, 0xbe, + 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, 0xb1, 0xc3, 0x68, 0xd5, + 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, 0xad, 0x41, 0xfb, 0x61, + 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, 0x86, 0x8a, 0x1e, 0x3b, + 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, 0x6a, 0x1b, 0xea, 0x1a, + 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, 0x0b, 0x70, 0x90, 0x60, + 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, 0x52, 0x8f, 0x02, 0x03, + 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, 0xd5, 0x6e, 0x8b, 0x04, + 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, 
0x09, 0xa7, 0x6c, 0x2d, + 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, 0xbf, 0x57, 0x6f, 0xd8, + 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, 0xa4, 0xca, 0xde, 0x3f, + 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, 0x94, 0x0e, 0xb9, 0x70, + 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, 0x60, 0xe5, 0x91, 0xec, + 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, 0x61, 0x51, 0x57, 0x73, + 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, 0x77, 0x35, 0xe9, 0x3e, + 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, 0xaf, 0x06, 0x44, 0x1e, + 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, 0x63, 0x7a, 0x32, 0xda, + 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, 0x63, 0xf3, 0x5c, 0x45, + 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, 0xa1, 0xd0, 0x30, 0x29, + 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, 0xca, 0x3f, 0xb5, 0x54, + 0x31, 0x82, 0x02, 0x37, 0x30, 0x82, 0x02, 0x33, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 
0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, + 0x00, 0xa0, 0x5d, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x38, 0x31, 0x33, 0x32, 0x30, 0x30, 0x30, 0x5a, 0x30, + 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x16, 0x04, 0x14, 0xef, 0x53, 0x0b, 0xfa, + 0xcf, 0x34, 0x18, 0xb3, 0x30, 0xff, 0xf8, 0x9e, 0x09, 0xb3, 0xb6, 0x21, 0xd6, 0x83, 0xb9, 0xe9, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x52, 0xbd, 0xa1, 0x0a, 0x41, + 0xce, 0xc1, 0xe8, 0xe8, 0x2f, 0x2e, 0x1f, 0x73, 0xd1, 0x2f, 0x2e, 0x53, 0x53, 0x21, 0xec, 0x88, 0x30, 0x6a, 0x9d, 0x58, + 0x64, 0x95, 0xef, 0xf2, 0x20, 0x55, 0xb0, 0x15, 0x64, 0x02, 0x1d, 0xf9, 0x44, 0xdd, 0xcb, 0x7a, 0x9c, 0x50, 0x10, 0xea, + 0xfa, 0x6f, 0x07, 0x64, 0xaf, 0x30, 0x6e, 0xe2, 0xc1, 0x34, 0x55, 0xd0, 0x6a, 0x6e, 0xe1, 0x09, 0x91, 0xb7, 0xe3, 0x7b, + 0x02, 0x19, 0x3d, 0xfc, 0xdd, 0xab, 0x45, 0xe7, 0xf4, 0xeb, 0xfd, 0xa2, 0x17, 0x3e, 0xf2, 0xae, 0x8a, 0x07, 0x84, 0x98, + 0xe7, 0xee, 0x42, 0x0c, 0x74, 0x08, 0xf6, 0xc0, 0xfc, 0x29, 0xc3, 0x8a, 0xbe, 0x6c, 0x0b, 0x1e, 0x4a, 0xa8, 0x43, 0x3c, + 0x94, 0xdb, 0x26, 0xdb, 0x8c, 0x28, 0x68, 0xea, 0x53, 0x39, 0x89, 
0xe8, 0xfe, 0x94, 0x60, 0x1f, 0x23, 0xf7, 0x1f, 0x3a, + 0x40, 0xdf, 0xe1, 0x4b, 0x9a, 0x66, 0x11, 0x9e, 0x45, 0x68, 0x85, 0x15, 0x64, 0x5f, 0xe6, 0xc8, 0x2a, 0xca, 0x07, 0x66, + 0x23, 0x01, 0x00, 0xa8, 0x90, 0x68, 0x05, 0xfd, 0x3a, 0x96, 0x7f, 0x86, 0x55, 0x6d, 0xe4, 0x92, 0x12, 0xe9, 0x07, 0x51, + 0x54, 0xfb, 0x79, 0x55, 0x13, 0xca, 0xdf, 0xb9, 0xb5, 0x79, 0x9f, 0xf0, 0x5d, 0xb0, 0xfd, 0xe8, 0xa2, 0xf3, 0x15, 0x02, + 0xfb, 0xe0, 0x25, 0xd6, 0xd6, 0x9c, 0x87, 0xfd, 0xee, 0x11, 0x5a, 0x62, 0xe3, 0xfe, 0xea, 0xff, 0xd2, 0xde, 0x4c, 0x03, + 0xfe, 0x3c, 0x66, 0xcc, 0x54, 0x3c, 0xe2, 0x0d, 0xde, 0x3e, 0x0e, 0x38, 0x7b, 0x67, 0xe5, 0xd1, 0xea, 0x78, 0x4f, 0xb2, + 0x8e, 0x8f, 0x2b, 0xc9, 0x76, 0x2c, 0xa9, 0xcc, 0x1d, 0xdb, 0x71, 0x40, 0x8a, 0x67, 0xbe, 0x6f, 0x3d, 0xa3, 0xba, 0x9a, + 0xa4, 0x4b, 0x74, 0x57, 0xd9, 0xcb, 0x4e, 0xff, 0xc2, 0xb4, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_sha256_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, + 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, + 0x41, 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xa0, 0x82, 0x03, 0xe5, 0x30, 0x82, 0x03, 0xe1, 0x30, 0x82, 0x02, 0xc9, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, + 0x00, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, + 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 
0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, + 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, + 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, + 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, + 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, + 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, + 0x34, 0x30, 0x30, 0x31, 0x38, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x38, + 0x32, 0x39, 0x5a, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, + 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, + 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, + 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, + 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, + 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, + 0x61, 0x6d, 
0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, + 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xe2, 0x9b, 0xcb, 0x6c, 0x77, 0xb7, 0xd1, 0x05, 0xa0, 0xae, 0x86, 0x20, 0x45, 0xd3, + 0xf4, 0x24, 0x8d, 0x25, 0x34, 0x31, 0xa9, 0xe2, 0x10, 0x36, 0xf5, 0x0a, 0x0b, 0x90, 0x4a, 0xa5, 0x6b, 0x5c, 0x16, 0xcd, + 0xb0, 0x72, 0xe9, 0xa9, 0x80, 0x5f, 0x6d, 0xb2, 0x4d, 0xd9, 0x58, 0x16, 0x9f, 0x68, 0x81, 0x9a, 0x6b, 0xeb, 0xd5, 0x4b, + 0xf7, 0x7d, 0x59, 0xe9, 0x46, 0x2b, 0x5b, 0x8f, 0xe4, 0xec, 0xab, 0x5c, 0x07, 0x74, 0xa2, 0x0e, 0x59, 0xbb, 0xfc, 0xd3, + 0xcf, 0xf7, 0x21, 0x88, 0x6c, 0x88, 0xd9, 0x6b, 0xa3, 0xa3, 0x4e, 0x5b, 0xd1, 0x1c, 0xfb, 0x04, 0xf5, 0xb2, 0x12, 0x0e, + 0x54, 0x59, 0x4d, 0xce, 0x0a, 0xe0, 0x26, 0x24, 0x06, 0xeb, 0xc8, 0xa2, 0xc6, 0x41, 0x28, 0xf9, 0x79, 0xe4, 0xb1, 0x4e, + 0x00, 0x6f, 0x6e, 0xf8, 0x96, 0x9e, 0x45, 0x28, 0x70, 0xec, 0xc7, 0xdc, 0xa2, 0xdd, 0x92, 0xab, 0xdd, 0x6f, 0xd8, 0x57, + 0xba, 0xcc, 0x29, 0xbe, 0xb7, 0x00, 0x1e, 0x8d, 0x13, 0x3f, 0x47, 0x34, 0x3c, 0xd0, 0xc6, 0xc8, 0x17, 0xdf, 0x74, 0x8a, + 0xb1, 0xc3, 0x68, 0xd5, 0xba, 0x76, 0x60, 0x55, 0x5f, 0x8d, 0xfa, 0xbd, 0xe7, 0x11, 0x9e, 0x59, 0x96, 0xe5, 0x93, 0x70, + 0xad, 0x41, 0xfb, 0x61, 0x46, 0x70, 0xc4, 0x05, 0x12, 0x23, 0x23, 0xc0, 0x9d, 0xc8, 0xc5, 0xf5, 0x96, 0xe5, 0x48, 0x10, + 0x86, 0x8a, 0x1e, 0x3b, 0x83, 0xd1, 0x47, 0x3a, 0x27, 0x00, 0x71, 0x10, 0xa3, 0x52, 0xba, 0xae, 0x01, 0x43, 0x87, 0x9c, + 0x6a, 0x1b, 0xea, 0x1a, 0x44, 0x4f, 0x4a, 0xac, 0xd4, 0x82, 0x55, 0xee, 0x1f, 0x25, 0x9c, 0x55, 0xca, 0xd2, 0xd0, 0x3a, + 0x0b, 0x70, 0x90, 0x60, 0x49, 0x47, 0x02, 0xfd, 0x89, 0x2c, 0x9a, 0x26, 0x36, 0x34, 0x8f, 0x24, 0x39, 0x8c, 0xe9, 0xa2, + 0x52, 0x8f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, + 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, + 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4c, 0xed, 0x5b, 0xaf, 0x13, 0x16, 0x5d, 0xe2, 0xdd, 0x5c, 0x48, 0x1c, + 0xd5, 0x6e, 0x8b, 0x04, 0x51, 0xd6, 0x38, 0x80, 0xfd, 0x52, 0x4a, 0x34, 0xdc, 0x13, 0x35, 0x6e, 0x64, 0x39, 0x39, 0x39, + 0x09, 0xa7, 0x6c, 0x2d, 0x39, 0xf2, 0x04, 0x21, 0xe3, 0xea, 0x8f, 0xf8, 0xbe, 0x46, 0x0e, 0x20, 0x82, 0xd0, 0xc5, 0x60, + 0xbf, 0x57, 0x6f, 0xd8, 0x29, 0xb4, 0x66, 0xdb, 0xbf, 0x92, 0xc9, 0xdc, 0x90, 0x97, 0x0f, 0x2f, 0x59, 0xa0, 0x13, 0xf3, + 0xa4, 0xca, 0xde, 0x3f, 0x80, 0x2a, 0x99, 0xb4, 0xee, 0x71, 0xc3, 0x56, 0x71, 0x51, 0x37, 0x55, 0xa1, 0x60, 0x89, 0xab, + 0x94, 0x0e, 0xb9, 0x70, 0xa5, 0x55, 0xf3, 0x1a, 0x87, 0xa4, 0x41, 0x4c, 0x45, 0xba, 0xb6, 0x56, 0xd6, 0x45, 0x56, 0x12, + 0x60, 0xe5, 0x91, 0xec, 0xf7, 0xbe, 0x39, 0xa4, 0x80, 0x08, 0x9f, 0xea, 0x17, 0x12, 0x0e, 0xa6, 0xe6, 0xef, 0x09, 0xf7, + 0x61, 0x51, 0x57, 0x73, 0xe3, 0x57, 0x88, 0xd7, 0xf8, 0x5f, 0xaf, 0x5d, 0xaf, 0x88, 0x32, 0xb4, 0x09, 0x3e, 0x7c, 0x25, + 0x77, 0x35, 0xe9, 0x3e, 0x6e, 0x0a, 0xb9, 0xb4, 0xa3, 0x06, 0x07, 0x0f, 0x7e, 0x93, 0x26, 0x16, 0x38, 0x1e, 0x4e, 0x72, + 0xaf, 0x06, 0x44, 0x1e, 0x8d, 0x96, 0xa6, 0x15, 0x9c, 0x82, 0x6d, 0x71, 0x99, 0x84, 0x8d, 0x12, 0x46, 0xf2, 0xbb, 0xa7, + 0x63, 0x7a, 0x32, 0xda, 0xa9, 0xde, 0xb6, 0x34, 0x14, 0xfb, 0x07, 0x0c, 0xab, 0x3b, 0x0a, 0xa1, 0x8b, 0xda, 0x15, 0xb3, + 0x63, 0xf3, 0x5c, 0x45, 0x2f, 0x0b, 0x6e, 0xc7, 0x27, 0x72, 0xc1, 0x37, 0x56, 0x30, 0xe3, 0x26, 0xbb, 0x19, 0x4f, 0x91, + 0xa1, 0xd0, 0x30, 0x29, 0x5b, 0x79, 0x79, 0x5c, 0xe6, 0x4f, 0xed, 0xcf, 0x81, 0xb2, 0x50, 0x35, 0x96, 0x23, 0xb2, 0x9f, + 0xca, 0x3f, 0xb5, 0x54, 0x31, 0x82, 0x02, 0x47, 0x30, 0x82, 0x02, 0x43, 0x02, 0x01, 0x01, 0x30, 0x81, 0xb0, 0x30, 0x81, + 0xa7, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 
0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa0, 0x69, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x38, + 0x31, 0x33, 0x32, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x2f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, + 0x31, 0x22, 0x04, 0x20, 0x33, 0x1f, 0x3a, 0xc4, 0x95, 0x97, 0x64, 0x1c, 0x99, 0x9b, 0x37, 0xc8, 0xf2, 0xba, 0xd0, 0xb4, + 0x38, 0xa5, 0x9c, 0x3a, 0xa3, 0x78, 0xf9, 0xfb, 0x66, 0x28, 0x4e, 0x6a, 0x90, 0xcc, 0x0e, 0x4c, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xae, 0x6d, 0xa9, 0xa7, 0xee, + 0x0c, 0x94, 0x1b, 0xf3, 0x93, 0x40, 0x43, 0x11, 0x41, 0x20, 0x11, 0x60, 0xd9, 0x4e, 0xb6, 0x2d, 0x3e, 0x98, 0xfe, 0x06, + 0xd2, 0xc4, 0xe4, 0x0a, 0x66, 0xdc, 0xbb, 0xbd, 0x4d, 0x8e, 0xcb, 0xe1, 0x87, 0x39, 0x3f, 0xb3, 0x4b, 0xf8, 0xe7, 0x18, + 0x6f, 0x39, 0xad, 0x01, 0xd4, 
0xe8, 0x85, 0x8c, 0x84, 0x96, 0x2c, 0x3a, 0xd4, 0xcf, 0x3c, 0xe5, 0x05, 0xdd, 0xc7, 0xc0, + 0xb7, 0x72, 0x7b, 0x32, 0xa1, 0xff, 0x69, 0x51, 0xd4, 0xc9, 0x3e, 0x1f, 0x89, 0x71, 0x39, 0xd9, 0x99, 0x1e, 0xa9, 0x33, + 0x83, 0xc1, 0x37, 0x3e, 0xf2, 0xbd, 0xad, 0x8f, 0xa9, 0x24, 0x82, 0xad, 0x7d, 0x54, 0x8f, 0x6f, 0x8a, 0xdb, 0xbf, 0xd4, + 0xd4, 0x9c, 0x0a, 0x11, 0x8a, 0xb2, 0x0c, 0xd9, 0x32, 0xf1, 0xe6, 0x76, 0x4a, 0x09, 0x1a, 0x6a, 0xdf, 0x48, 0x2f, 0xf4, + 0x89, 0x73, 0xc8, 0x37, 0xb0, 0x14, 0xa9, 0x59, 0xc3, 0x94, 0x63, 0x6c, 0xfd, 0x90, 0x2c, 0x3a, 0x58, 0xa4, 0x5e, 0xbb, + 0x2f, 0x5e, 0x1d, 0xdc, 0x57, 0x47, 0x09, 0x77, 0xbc, 0x2b, 0x76, 0xfa, 0x97, 0x85, 0x63, 0x4b, 0xd6, 0x32, 0xac, 0x7e, + 0xa0, 0x41, 0xd1, 0xc7, 0x1a, 0x59, 0x3f, 0x39, 0xd1, 0xa7, 0x3f, 0xa7, 0x3f, 0x23, 0x11, 0x3e, 0x19, 0x6d, 0x63, 0xa1, + 0x4c, 0xcd, 0x03, 0x22, 0x07, 0x72, 0x4c, 0x44, 0x07, 0xd9, 0x85, 0x18, 0x63, 0x8c, 0x96, 0x29, 0x20, 0xc4, 0x1b, 0xac, + 0x6e, 0x4f, 0x95, 0x7d, 0x97, 0x9f, 0xcc, 0x94, 0xf4, 0xfe, 0x8b, 0x08, 0x1c, 0x8a, 0x9d, 0x19, 0x6d, 0x42, 0x92, 0x73, + 0xa9, 0xd0, 0xb3, 0x4c, 0x46, 0x40, 0x88, 0xcb, 0x51, 0x2f, 0x73, 0xec, 0x43, 0x4c, 0x09, 0xa7, 0xb5, 0x89, 0x4b, 0xe4, + 0xbc, 0xdc, 0x1d, 0x17, 0xf9, 0x55, 0xe5, 0x59, 0xea, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: EC-signed messages (no attributes) + */ +unsigned char ec_md5[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, + 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 
0x00, 0xa0, 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, + 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, 0xa6, + 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, + 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, + 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, + 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, + 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, + 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, + 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, + 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, 0x39, + 0x35, 0x36, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 
0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, 0x88, + 0x07, 0x03, 0x42, 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, 0x81, + 0xa1, 0x4e, 0xc5, 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 0xf3, 0xe6, 0x87, 0x6c, + 0xc4, 0xcd, 0x8c, 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, 0x13, + 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, + 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0x81, + 0x1b, 0xed, 0x5a, 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, 0x85, + 0x7a, 0x2f, 0x65, 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, 0xcb, + 0xeb, 0xf7, 0x1c, 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, 0xf5, + 0xbe, 0x85, 0x40, 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x1b, 0x30, 0x82, 0x01, 0x17, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, 0x30, + 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 
0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x30, 0x09, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x04, + 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xa2, 0x9f, 0x73, 0x2d, 0x2a, 0xa0, 0xca, 0xb4, 0xf6, 0xc9, 0xfd, 0x68, 0xd2, 0xe7, + 0x8d, 0x07, 0xdd, 0x60, 0xcc, 0xe1, 0xb6, 0xfe, 0xa9, 0x11, 0xd8, 0xb7, 0x68, 0xa4, 0xe3, 0xed, 0x1b, 0x42, 0x02, 0x20, + 0x4b, 0x64, 0x3e, 0xe0, 0x50, 0x29, 0x89, 0x30, 0xd0, 0x32, 0x2d, 0xfc, 0xd3, 0x6b, 0xe8, 0x06, 0x15, 0xe2, 0x91, 0x99, + 0x7b, 0x26, 0xc4, 0xa3, 0x85, 0xf0, 0x05, 0x95, 0x4d, 0xf9, 0x51, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_sha1[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, 0x69, 0x6e, 0x27, + 0x74, 
0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, + 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x50, 0x2b, + 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, 0xa6, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, + 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, + 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, + 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, + 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, + 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, + 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, 0x81, 0xa6, 0x31, 0x19, + 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 
0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, 0x88, 0x07, 0x03, 0x42, + 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, 0x81, 0xa1, 0x4e, 0xc5, + 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 0xf3, 0xe6, 0x87, 0x6c, 0xc4, 0xcd, 0x8c, + 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, 0x13, 0x30, 0x11, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0x81, 0x1b, 0xed, 0x5a, + 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, 0x85, 0x7a, 0x2f, 0x65, + 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, 0xcb, 0xeb, 0xf7, 0x1c, + 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, 0xf5, 0xbe, 0x85, 0x40, + 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x19, 0x30, 0x82, 0x01, 0x15, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, 0x30, 0x81, 0xa6, 0x31, + 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 
0x54, 0x65, 0x73, + 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, + 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, + 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, + 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, + 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, + 0x05, 0x00, 0x30, 0x09, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x04, 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, + 0xd4, 0xce, 0xa5, 0xcc, 0x15, 0x91, 0x6e, 0xa9, 0x98, 0x77, 0xaa, 0xda, 0x65, 0xa0, 0xf6, 0xa0, 0xcc, 0xb1, 0xcc, 0x2c, + 0x26, 0x9f, 0xd0, 0x05, 0x17, 0x90, 0xed, 0x57, 0xb0, 0x2d, 0x59, 0xfb, 0x02, 0x21, 0x00, 0x8d, 0xc2, 0x5c, 0x85, 0xbb, + 0x13, 0x25, 0x8f, 0x8e, 0x6a, 0x9b, 0x81, 0x80, 0x5b, 0x13, 0xec, 0x2c, 0x2d, 0xc1, 0x3b, 0x14, 0x03, 0x19, 0x03, 0xdd, + 0x5c, 0xa8, 0x8e, 0x79, 0x5d, 0xa6, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_sha256[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, + 0x20, 0x6d, 0x65, 0x73, 0x73, 
0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, + 0x41, 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xa0, 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, + 0x39, 0x35, 0x36, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, + 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 
0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, + 0x88, 0x07, 0x03, 0x42, 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, + 0x81, 0xa1, 0x4e, 0xc5, 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 0xf3, 0xe6, 0x87, + 0x6c, 0xc4, 0xcd, 0x8c, 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, + 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, + 0x81, 0x1b, 0xed, 0x5a, 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, + 0x85, 0x7a, 0x2f, 0x65, 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, + 0xcb, 0xeb, 0xf7, 0x1c, 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, + 0xf5, 0xbe, 0x85, 0x40, 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x1c, 0x30, 0x82, 0x01, 0x18, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, + 
0x30, 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, + 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, + 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x09, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x04, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xa7, 0xb6, 0xd0, 0x7d, 0x38, 0x8c, 0x77, 0x1d, 0xa9, 0x57, 0x99, 0x8f, + 0x4b, 0x13, 0xca, 0x9d, 0x6d, 0xf7, 0x41, 0x3f, 0xd7, 0xa8, 0x7e, 0x53, 0x90, 0x53, 0x87, 0x4f, 0x9e, 0x23, 0xdb, 0x47, + 0x02, 0x20, 0x25, 0xe4, 0xca, 0x33, 0x86, 0x21, 0x65, 0xc2, 0x2a, 0xc7, 0x8d, 0x58, 0x36, 0x50, 0x07, 0xf3, 0x6b, 0x35, + 0x2e, 0xd5, 0x4d, 0x31, 0xa3, 0x87, 0x30, 0xf8, 0x72, 0x99, 0x39, 0x2a, 0xba, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: EC-signed messages (with attributes) + */ +unsigned char ec_sha1_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 
0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, 0x20, 0x6d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, 0x41, 0x69, 0x6e, 0x27, + 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, + 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x50, 0x2b, + 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, 0xa6, 0x31, 0x19, 0x30, + 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, + 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, + 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, + 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, + 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, + 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, + 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, + 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, 0x81, 0xa6, 0x31, 0x19, + 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, 0x74, 
+ 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, 0x88, 0x07, 0x03, 0x42, + 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, 0x81, 0xa1, 0x4e, 0xc5, + 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 0xf3, 0xe6, 0x87, 0x6c, 0xc4, 0xcd, 0x8c, + 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, 0x13, 0x30, 0x11, 0x30, + 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0x81, 0x1b, 0xed, 0x5a, + 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, 0x85, 0x7a, 0x2f, 0x65, + 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, 0xcb, 0xeb, 0xf7, 0x1c, + 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 
0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, 0xf5, 0xbe, 0x85, 0x40, + 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x76, 0x30, 0x82, 0x01, 0x72, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, 0x30, 0x81, 0xa6, 0x31, + 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, 0x65, 0x73, + 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, + 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, + 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, + 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, + 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, + 0x05, 0x00, 0xa0, 0x5d, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x38, 0x31, 0x33, 0x32, 0x30, 0x30, 0x30, 0x5a, + 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x16, 0x04, 0x14, 0xef, 0x53, 0x0b, + 0xfa, 0xcf, 0x34, 0x18, 0xb3, 0x30, 0xff, 0xf8, 0x9e, 0x09, 0xb3, 0xb6, 0x21, 0xd6, 0x83, 0xb9, 0xe9, 0x30, 0x09, 0x06, + 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x04, 0x46, 0x30, 0x44, 0x02, 0x20, 0x27, 
0xfc, 0x20, 0xc2, 0x9e, 0xf7, + 0x26, 0xa7, 0x9d, 0x78, 0x7e, 0xc6, 0x1c, 0xd6, 0x29, 0x90, 0x81, 0x6b, 0x17, 0x85, 0xac, 0x44, 0xb8, 0x56, 0x95, 0xe8, + 0x35, 0x12, 0x31, 0xde, 0xb1, 0x91, 0x02, 0x20, 0x08, 0xe0, 0xd4, 0x58, 0x0d, 0x79, 0x60, 0xc1, 0x20, 0x3b, 0x1c, 0x0c, + 0xda, 0x46, 0x91, 0x73, 0x21, 0x38, 0x77, 0xe8, 0x97, 0xe1, 0xa8, 0xe8, 0x2d, 0x38, 0xd2, 0xa3, 0x72, 0xfb, 0xe3, 0xa4, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_sha256_attr[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, + 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x29, 0x54, 0x68, 0x69, 0x73, + 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x2e, 0x20, + 0x41, 0x69, 0x6e, 0x27, 0x74, 0x20, 0x69, 0x74, 0x20, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x3f, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xa0, 0x82, 0x02, 0x57, 0x30, 0x82, 0x02, 0x53, 0x30, 0x82, 0x01, 0xf9, 0xa0, 0x03, 0x02, 0x01, 0x02, + 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 
0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, 0x34, 0x30, 0x30, 0x31, + 0x39, 0x35, 0x36, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x30, 0x30, 0x31, 0x39, 0x35, 0x36, 0x5a, 0x30, + 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, + 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, + 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, + 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x71, 0x39, 0x79, 0x59, 0x3f, + 0x88, 0x07, 0x03, 0x42, 0x1a, 0x09, 0x93, 0x0d, 0xcd, 0x1b, 0x5a, 0xa7, 0x2f, 0x7d, 0x5f, 0xc2, 0x7b, 0xd9, 0x81, 0xb8, + 0x81, 0xa1, 0x4e, 0xc5, 0x36, 0xae, 0xc7, 0xe1, 0xa4, 0xf0, 0x0f, 0x4e, 0x75, 0x34, 0xbc, 0xb0, 0xc8, 
0xf3, 0xe6, 0x87, + 0x6c, 0xc4, 0xcd, 0x8c, 0x8f, 0x1c, 0xbc, 0xb1, 0x16, 0x46, 0x22, 0x6f, 0xfa, 0x00, 0xfc, 0xac, 0x57, 0x65, 0xe1, 0xa3, + 0x13, 0x30, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, + 0x81, 0x1b, 0xed, 0x5a, 0x08, 0x6d, 0xdb, 0x89, 0xef, 0x27, 0x9b, 0x8d, 0xe6, 0x6f, 0xd0, 0x56, 0xfd, 0xb9, 0x33, 0xe4, + 0x85, 0x7a, 0x2f, 0x65, 0x39, 0x6c, 0x0d, 0xef, 0xd5, 0x82, 0xc9, 0x7d, 0x02, 0x20, 0x34, 0x18, 0xb8, 0xaf, 0xf2, 0x05, + 0xcb, 0xeb, 0xf7, 0x1c, 0x73, 0x77, 0x8d, 0x03, 0xcc, 0xc7, 0x80, 0x34, 0x44, 0x8f, 0x51, 0x6a, 0x6d, 0x80, 0x46, 0xce, + 0xf5, 0xbe, 0x85, 0x40, 0x5a, 0xdd, 0x31, 0x82, 0x01, 0x86, 0x30, 0x82, 0x01, 0x82, 0x02, 0x01, 0x01, 0x30, 0x81, 0xaf, + 0x30, 0x81, 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, + 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, + 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, + 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x30, 0x0d, 0x06, 0x09, 0x60, + 0x86, 0x48, 0x01, 0x65, 
0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa0, 0x69, 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, + 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x31, + 0x38, 0x31, 0x33, 0x32, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x2f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, + 0x04, 0x31, 0x22, 0x04, 0x20, 0x33, 0x1f, 0x3a, 0xc4, 0x95, 0x97, 0x64, 0x1c, 0x99, 0x9b, 0x37, 0xc8, 0xf2, 0xba, 0xd0, + 0xb4, 0x38, 0xa5, 0x9c, 0x3a, 0xa3, 0x78, 0xf9, 0xfb, 0x66, 0x28, 0x4e, 0x6a, 0x90, 0xcc, 0x0e, 0x4c, 0x30, 0x09, 0x06, + 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x04, 0x46, 0x30, 0x44, 0x02, 0x20, 0x76, 0x40, 0x7c, 0xf7, 0x6a, 0x21, + 0x2b, 0x45, 0x88, 0xb7, 0x3f, 0x90, 0x22, 0x80, 0x52, 0x36, 0x8b, 0x95, 0xf7, 0x79, 0x4c, 0xf8, 0x2d, 0x20, 0x48, 0x10, + 0xad, 0x0d, 0x59, 0x48, 0x50, 0xb0, 0x02, 0x20, 0x31, 0xa2, 0x19, 0x75, 0x17, 0xf3, 0x0b, 0x5f, 0x35, 0xf9, 0xac, 0xa2, + 0x7f, 0x50, 0x94, 0x9b, 0x08, 0x86, 0x40, 0xf9, 0x56, 0xdf, 0xdd, 0x0a, 0x6c, 0xdd, 0x7d, 0x67, 0xf0, 0xa5, 0x2d, 0x5a, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: RSA encrypted + */ +unsigned char rsa_3DES[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 
0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xd8, 0xc9, 0x64, 0x49, 0x02, 0x4b, 0x6c, 0x18, 0x92, 0x5b, 0x0a, + 0xcc, 0x8e, 0x2b, 0x81, 0xb8, 0x35, 0xff, 0x0e, 0x19, 0x92, 0x24, 0x4b, 0x7e, 0x40, 0x0e, 0xcb, 0x25, 0xee, 0x74, 0x2a, + 0x8c, 0xe5, 0xa2, 0xcf, 0xd7, 0xd3, 0x1d, 0x6e, 0xa2, 0x45, 0x98, 0x22, 0xf7, 0x7d, 0xd4, 0x2d, 0x35, 0x7e, 0x68, 0xb6, + 0xc6, 0x21, 0x84, 0x70, 0x50, 0xfb, 0x35, 0xe7, 0x41, 0xc6, 0x99, 0xc0, 0x91, 0x3e, 0x05, 0x30, 0x71, 0x7a, 0xb4, 0x12, + 0x32, 0x9f, 0x6a, 0x22, 0x35, 0x5e, 0x85, 0x12, 0x81, 0x0a, 0x28, 0x46, 0x79, 0xab, 0x0e, 0x87, 0xd5, 0xb8, 0x33, 0x0a, + 0xe0, 0x68, 0xfd, 0xd4, 0x3b, 0xd9, 0x01, 0xaa, 0xfb, 0xf3, 0x89, 0x78, 0x35, 0x55, 0x37, 0x72, 0x65, 0x54, 0xa6, 0xb5, + 0x44, 0x48, 0x82, 0xcc, 0xbe, 0x77, 0x56, 0x7c, 0xae, 0xb2, 0x49, 0x34, 0xb7, 0x8e, 0x86, 0xd0, 0xcb, 0xdc, 0x55, 0x1f, + 0xd0, 0xdf, 0x0c, 0x40, 0x7b, 0xef, 0xd9, 0x11, 0x76, 0x26, 0x2a, 0xa0, 0xcc, 0xf7, 0x7e, 0x2d, 0x8e, 0x3f, 0xfe, 0x1e, + 0xfd, 0x4e, 0x6f, 0xed, 0x0d, 0xe3, 0x5c, 0xc7, 0x8f, 0x3f, 0x44, 0xd7, 0xaa, 0xc4, 0xaf, 0x5a, 0xb6, 0xa8, 0xcb, 0xf9, + 0x18, 0x1d, 0xac, 0x99, 0x33, 0x64, 0xdc, 0x9c, 0x79, 0x70, 0xd1, 0x8e, 0xe1, 0x91, 0xe8, 0x4a, 0x9a, 0xd4, 0xbb, 0xd6, + 0x49, 0xaa, 0xe2, 0xc0, 0x37, 0x7e, 0x01, 0xf8, 0x79, 0xea, 0xaa, 0x3f, 0xcf, 0x00, 0xdb, 0xb6, 0x29, 0xa3, 0x01, 0x9a, + 0x5c, 
0x51, 0x5e, 0x0a, 0x15, 0x61, 0x34, 0xf9, 0x15, 0x43, 0x2f, 0x4f, 0x0f, 0xc8, 0x87, 0xaf, 0x20, 0x71, 0xbb, 0x08, + 0x31, 0x09, 0x23, 0x87, 0xb3, 0x18, 0xaf, 0x5a, 0xfa, 0x09, 0x69, 0xcb, 0x1f, 0xca, 0x6c, 0xcd, 0x04, 0xe6, 0x64, 0xb1, + 0xfb, 0x17, 0x54, 0xb7, 0x29, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x14, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, 0x08, 0x40, 0x70, 0xf8, 0x8a, 0xcd, 0x13, 0xbe, 0xcf, + 0xa0, 0x80, 0x04, 0x20, 0x14, 0xf3, 0xb8, 0x0f, 0x06, 0xbc, 0x80, 0xf6, 0x20, 0xa2, 0x83, 0xb0, 0x45, 0x23, 0x5f, 0xc8, + 0xe1, 0xee, 0xb4, 0x04, 0x2d, 0xcb, 0x1e, 0xe9, 0x97, 0x33, 0x79, 0x56, 0x2b, 0x8c, 0x47, 0x99, 0x04, 0x08, 0x72, 0xe3, + 0x41, 0xa0, 0xe7, 0x71, 0x0a, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_RC2[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 
0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xc4, 0x99, 0x34, 0xf9, 0x35, 0xb8, 0xf3, 0xc4, 0xae, 0x00, 0x1a, + 0x61, 0x88, 0xd1, 0x6f, 0xb9, 0x6e, 0x2d, 0x4e, 0x77, 0x58, 0xbf, 0x7c, 0x21, 0xb4, 0x85, 0xc3, 0x39, 0x84, 0xbd, 0x19, + 0x24, 0x73, 0x9b, 0x80, 0xdf, 0xcc, 0xc2, 0x8a, 0xc1, 0xa1, 0x20, 0xa2, 0xf5, 0x47, 0x9f, 0x36, 0x80, 0x4a, 0x5a, 0x69, + 0x1f, 0x0d, 0x3e, 0xf1, 0x68, 0x57, 0x12, 0x31, 0x59, 0x6a, 0xf4, 0xbd, 0x5d, 0x98, 0x94, 0xca, 0x96, 0x9c, 0xd7, 0x51, + 0xcd, 0x55, 0x44, 0x24, 0x57, 0x4c, 0xe7, 0x11, 0xb5, 0x53, 0x19, 0x79, 0x72, 0xda, 0x19, 0xc9, 0xbd, 0xae, 0x74, 0xc0, + 0xbe, 0x71, 0xa7, 0x62, 0x1a, 0xf9, 0x7f, 0x40, 0x2b, 0xf3, 0xdf, 0x15, 0x68, 0x89, 0xf0, 0xb8, 0x84, 0x96, 0x42, 0x0b, + 0x37, 0x26, 0x9a, 0x73, 0xd5, 0x47, 0x23, 0xf7, 0x3e, 0xfa, 0x5f, 0x91, 0xea, 0x82, 0x8f, 0x0c, 0x71, 0xa3, 0xdf, 0x6a, + 0x9a, 0xe1, 0xe6, 0xd3, 0xf9, 0x5a, 0xfc, 0x5d, 0x55, 0x95, 0x6e, 0xa9, 0x2f, 0xdf, 0x79, 0x06, 0x62, 0x0b, 0x55, 0x68, + 0xfc, 0x0f, 0xad, 0x2a, 0x34, 0x6e, 0xc8, 0xc3, 0x09, 0x68, 0x03, 0xba, 0xc2, 0x92, 0x13, 0x91, 0x50, 0x3d, 0xc4, 0x79, + 0xe9, 0x69, 0x2a, 0x25, 0x2a, 0x8f, 0x56, 0xce, 0xe6, 0x0f, 0xc5, 0x9e, 0x3f, 0xcc, 0x42, 0xb3, 0x27, 0xd5, 0xe8, 0x4b, + 0xba, 0x10, 0x33, 0xfb, 0x75, 0x67, 0x85, 0xa3, 0xc6, 0x93, 0xb1, 0xea, 0xfb, 0x8c, 0x4b, 0x25, 0x18, 0x24, 0xcf, 0x30, + 0xe9, 0x29, 0xde, 0x4a, 0xeb, 0xd3, 0xab, 0x3c, 0xf1, 0xfb, 0x57, 0x55, 0x30, 0xf0, 0xc0, 0x1e, 0x25, 0xbc, 0xe9, 0x1e, + 0x92, 0x73, 0xb6, 0xd5, 0xe3, 0xa3, 0xf6, 0x52, 0x72, 0x04, 0x96, 0x1e, 0x26, 0xda, 0x70, 0xb4, 0xba, 0x1c, 0xc4, 0xc4, + 0x76, 0xdd, 0x6d, 0xbc, 0x71, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x19, + 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x02, 0x30, 0x0d, 0x02, 0x01, 0x3a, 
0x04, 0x08, 0x15, 0xea, 0x8f, + 0x86, 0x56, 0x06, 0x50, 0x78, 0xa0, 0x80, 0x04, 0x20, 0xc8, 0x6c, 0x6c, 0xfb, 0x40, 0xcd, 0x3d, 0x23, 0x79, 0xba, 0x7e, + 0x40, 0xad, 0xa8, 0x01, 0x3b, 0x63, 0xdf, 0x29, 0xe0, 0x5e, 0x82, 0xfb, 0x20, 0x3c, 0x2b, 0xc1, 0x12, 0x57, 0xd0, 0x04, + 0xd2, 0x04, 0x08, 0x21, 0x53, 0x34, 0x58, 0x2e, 0x5a, 0xd3, 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00 +}; + +unsigned char rsa_AES_128[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x61, 0x0b, 0xaa, 0xa7, 0xce, 0xe7, 0x74, 0xe6, 0x13, 0x91, 0xf4, + 0x9f, 0x83, 0x2d, 0x85, 0xef, 0x23, 0x1b, 0x6a, 0x90, 0x2d, 0x03, 0x61, 0x60, 0xf6, 0xa0, 
0xa3, 0x84, 0x43, 0x04, 0xdf, + 0x08, 0x7a, 0x10, 0xaf, 0x6d, 0x9e, 0x4e, 0x57, 0xf9, 0x59, 0xe2, 0x12, 0xc6, 0xbf, 0x30, 0x46, 0x27, 0x03, 0x74, 0x12, + 0x5e, 0x4a, 0xe9, 0xf0, 0xdb, 0x4c, 0xf5, 0x91, 0xaa, 0x87, 0xf4, 0x1a, 0x93, 0xc7, 0xde, 0xf1, 0xde, 0x56, 0x28, 0x5e, + 0x3f, 0x95, 0x8b, 0xb2, 0x02, 0x17, 0x91, 0x26, 0x0f, 0x60, 0x95, 0x56, 0xe9, 0xdd, 0x19, 0xdb, 0xfc, 0xba, 0x35, 0x02, + 0x15, 0x3e, 0xb4, 0x76, 0x6d, 0x11, 0xf6, 0xab, 0xb7, 0x06, 0x9c, 0x7a, 0xb2, 0xcd, 0xef, 0x01, 0xef, 0x17, 0x36, 0x39, + 0x44, 0x51, 0x55, 0xb8, 0xee, 0xf3, 0xea, 0xdd, 0x31, 0xea, 0x25, 0xa4, 0x5c, 0xc1, 0x24, 0xf0, 0xd1, 0x46, 0xbf, 0xba, + 0x9f, 0xc3, 0x9c, 0x82, 0xa9, 0x2a, 0x00, 0xad, 0x7f, 0xb3, 0xec, 0x37, 0x27, 0x3e, 0x35, 0x4b, 0xe9, 0xef, 0xab, 0x96, + 0x40, 0xeb, 0xc3, 0xf1, 0x06, 0xad, 0x43, 0x27, 0x58, 0x53, 0xee, 0xe9, 0x6f, 0x32, 0x00, 0x8a, 0xc1, 0x6e, 0x41, 0xc9, + 0x93, 0xe2, 0xc3, 0xec, 0xf5, 0xd6, 0x8c, 0xe6, 0x23, 0x0c, 0xa6, 0x69, 0x3d, 0x26, 0xd0, 0xff, 0xf0, 0xdd, 0xcc, 0x2c, + 0xe2, 0xac, 0xf4, 0x6c, 0xe2, 0xd8, 0x50, 0x50, 0xac, 0x18, 0x25, 0x41, 0x5b, 0xf2, 0xd7, 0xf6, 0x7e, 0xe4, 0x96, 0x78, + 0x34, 0x3b, 0x68, 0x05, 0x87, 0x65, 0x3c, 0x86, 0xfa, 0x7b, 0x71, 0xc4, 0xfd, 0x84, 0x91, 0x21, 0x5b, 0x2f, 0x14, 0x59, + 0x2b, 0x5e, 0xf6, 0x67, 0x4c, 0x54, 0x47, 0x04, 0xf0, 0x03, 0x6b, 0x58, 0x56, 0x44, 0x5b, 0x9e, 0xbc, 0x62, 0x0d, 0xcf, + 0x60, 0x62, 0xba, 0x86, 0x36, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02, 0x04, 0x10, 0xa9, 0x7a, 0x30, 0x37, 0x44, 0x04, 0x37, + 0x12, 0x9c, 0xa6, 0xc9, 0xbe, 0x97, 0x3f, 0x5a, 0x57, 0xa0, 0x80, 0x04, 0x20, 0xa6, 0x84, 0xcc, 0x53, 0x40, 0xb5, 0x96, + 0x19, 0x67, 0x3a, 0x52, 0xa2, 0x42, 0x88, 0xe8, 0xea, 0x57, 0xea, 0x72, 0xc1, 0x8d, 0x09, 0xed, 0x36, 0x87, 0xf8, 0xf8, + 0x79, 0x19, 0x94, 0x87, 0x51, 0x04, 0x10, 0x40, 0x40, 0x80, 0x6a, 0x65, 0x21, 0x00, 0xde, 0x95, 0xa9, 0xcd, 0xe8, 0xea, + 0x2e, 0xbc, 
0x8d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_AES_192[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xb5, 0x1e, 0x33, 0xe7, 0x51, 0xaf, 0x12, 0xda, 0xed, 0x3c, 0x81, + 0x81, 0x0a, 0xfd, 0x7e, 0xe0, 0x6b, 0x11, 0x9d, 0xed, 0xca, 0x31, 0xd8, 0x43, 0xe9, 0x28, 0xd6, 0x47, 0x69, 0x81, 0x3d, + 0x69, 0x64, 0x3f, 0xa1, 0x41, 0x00, 0xa9, 0x90, 0x90, 0x8f, 0x90, 0x50, 0xad, 0xd7, 0x46, 0xe4, 0x5b, 0xf2, 0x81, 0x39, + 0xe3, 0xa0, 0x91, 0x21, 0x54, 0x10, 0xb6, 0x61, 0x4a, 0xb4, 0xdc, 0xf8, 0x4d, 0xbb, 0x48, 0x8c, 0x95, 0xac, 0x95, 0xb0, + 0x81, 0x59, 0xfa, 0xeb, 0xc2, 0x46, 0xd1, 0xf7, 0x02, 0xff, 
0x4c, 0x9d, 0xc8, 0x9a, 0x1c, 0x10, 0xe5, 0x8a, 0x4c, 0xaf, + 0x6d, 0xa8, 0xe0, 0xdb, 0xfd, 0x52, 0x71, 0x1a, 0xc7, 0x1b, 0x8a, 0xc8, 0xf8, 0x29, 0x51, 0x51, 0xee, 0xfd, 0x73, 0x1b, + 0x13, 0xb4, 0xa1, 0xdc, 0x2a, 0x44, 0x25, 0x92, 0xd9, 0x16, 0xae, 0x7a, 0x89, 0x30, 0x92, 0xff, 0x7d, 0x4a, 0x8e, 0xe2, + 0xb7, 0xad, 0x92, 0xc9, 0xc9, 0x97, 0x7b, 0x71, 0x5a, 0x28, 0xbe, 0x80, 0x55, 0xc6, 0x61, 0xd4, 0x74, 0xdc, 0xca, 0x45, + 0x09, 0x3c, 0x4c, 0x4f, 0xe5, 0x5a, 0x0a, 0x5d, 0xe5, 0x07, 0xc0, 0x7c, 0x92, 0x4d, 0xca, 0x67, 0x94, 0x88, 0x56, 0x71, + 0x8d, 0xc8, 0xb3, 0x17, 0x2e, 0x11, 0x3b, 0xab, 0x33, 0xa1, 0x1a, 0xdb, 0x26, 0x2c, 0x72, 0x6f, 0xd5, 0x5b, 0xa7, 0x01, + 0x78, 0xae, 0xf6, 0x39, 0xa6, 0xbf, 0x34, 0xfb, 0xc3, 0xcc, 0xd5, 0xb0, 0xda, 0x2f, 0x8b, 0x0a, 0x54, 0x14, 0x2b, 0xd7, + 0xbb, 0x66, 0x4e, 0x3d, 0xd1, 0x26, 0x45, 0xa4, 0x01, 0xf3, 0xb3, 0x0a, 0x9f, 0xf7, 0x2b, 0xd7, 0x9b, 0x69, 0xc3, 0x36, + 0x58, 0x38, 0xec, 0xdf, 0xce, 0xa6, 0x66, 0xdb, 0xe3, 0xce, 0x2d, 0xcb, 0xd0, 0x40, 0xc3, 0x7a, 0xb4, 0xdf, 0x99, 0xb5, + 0xfc, 0x9c, 0x85, 0xb7, 0x69, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16, 0x04, 0x10, 0x48, 0xce, 0x27, 0x89, 0x24, 0xcc, 0x5e, + 0x2a, 0x56, 0x94, 0x8a, 0x5a, 0xb8, 0x94, 0xc0, 0x2a, 0xa0, 0x80, 0x04, 0x20, 0xcb, 0x2e, 0x26, 0xf5, 0x81, 0x51, 0xdd, + 0x9d, 0x5d, 0x65, 0x1b, 0x8c, 0xc5, 0x71, 0x44, 0x14, 0x14, 0x2d, 0x39, 0xf2, 0x7d, 0xfb, 0x93, 0x48, 0xb5, 0xf7, 0x5b, + 0xed, 0x75, 0xa3, 0xfb, 0x28, 0x04, 0x10, 0x6c, 0xfa, 0xab, 0x37, 0x9f, 0xbe, 0xae, 0x97, 0x58, 0x86, 0x55, 0x1d, 0x09, + 0xf8, 0x22, 0x9e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char rsa_AES_256[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x00, + 0x31, 0x82, 0x01, 0xcd, 0x30, 0x82, 0x01, 0xc9, 0x02, 0x01, 0x00, 0x30, 0x81, 0xb0, 0x30, 0x81, 0xa7, 0x31, 
0x1a, 0x30, + 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x43, 0x4d, 0x53, 0x20, 0x52, 0x53, 0x41, 0x20, 0x54, 0x65, 0x73, 0x74, + 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x14, + 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, + 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, + 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, + 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, + 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, 0x70, 0x6c, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x74, 0x3f, 0x1d, 0x98, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xb6, 0x78, 0xdd, 0x6f, 0x1d, 0x43, 0x80, 0xed, 0x26, 0x31, 0xed, + 0x03, 0x60, 0xd7, 0x73, 0x86, 0xf6, 0x0a, 0x73, 0xa1, 0x15, 0xe5, 0xa5, 0x6b, 0xd4, 0xcf, 0x66, 0x64, 0xfb, 0x5b, 0xdc, + 0xc5, 0x40, 0x6b, 0xc8, 0x95, 0xcb, 0xad, 0xa6, 0x2a, 0x0d, 0xed, 0xfb, 0xb1, 0xd9, 0xff, 0xd2, 0xd4, 0x26, 0x61, 0xcc, + 0xc5, 0xbf, 0x2c, 0x87, 0x96, 0x1b, 0x12, 0xb0, 0x71, 0x7a, 0xc5, 0x1d, 0x93, 0x89, 0x14, 0x67, 0x8a, 0xa3, 0x58, 0xbb, + 0x75, 0xca, 0x61, 0x67, 0x09, 0xbb, 0x91, 0x55, 0x45, 0x55, 0xff, 0xff, 0xb6, 0xa9, 0x76, 0x93, 0xc2, 0x15, 0xc2, 0x37, + 0x21, 0x01, 0x98, 0x90, 0x82, 0x8a, 0x49, 0x1b, 0x7e, 0x79, 0x87, 0x3c, 0xbe, 0x03, 0xba, 0x80, 0xac, 0xa9, 0x3a, 0x90, + 0xf2, 0x85, 0xf5, 0xb7, 0x87, 0xa4, 0x20, 0x9f, 0x0f, 0xc4, 0x76, 0xce, 0x8c, 0x6a, 0x6d, 0x6a, 0xc1, 0x9a, 0xc1, 0x39, + 0xba, 0x6a, 0xdb, 0xe8, 0x63, 
0xdb, 0xfd, 0xde, 0x65, 0x1c, 0x73, 0x73, 0xdd, 0x6a, 0x44, 0x17, 0x30, 0xe6, 0x5d, 0x35, + 0x1b, 0x48, 0xe3, 0x66, 0x87, 0xa7, 0x0c, 0x0f, 0xcc, 0xe0, 0x02, 0x9d, 0xb1, 0x0d, 0xe5, 0x3a, 0x34, 0x9f, 0x24, 0x15, + 0x71, 0x38, 0x21, 0xc2, 0x64, 0x26, 0x5a, 0x6e, 0x56, 0x60, 0x1b, 0x4b, 0xa7, 0x09, 0x7f, 0xc8, 0xb6, 0xcc, 0x3e, 0x6b, + 0x9d, 0x1e, 0x93, 0x28, 0x58, 0x79, 0xeb, 0x66, 0xbb, 0xf3, 0xa5, 0x5a, 0x85, 0xcd, 0x94, 0x55, 0x49, 0x48, 0xe6, 0x0b, + 0xde, 0x27, 0x97, 0xd3, 0xa7, 0xac, 0x43, 0x39, 0x9d, 0x0f, 0x82, 0x98, 0x2d, 0xbb, 0xef, 0x0f, 0xf0, 0xb6, 0x6a, 0xeb, + 0x46, 0xe0, 0x1e, 0xfb, 0x98, 0xfa, 0x5b, 0x7b, 0x7c, 0xb2, 0x67, 0x5e, 0x32, 0x00, 0x11, 0x9d, 0xe6, 0xed, 0x79, 0xd0, + 0xc6, 0x7a, 0xa5, 0x78, 0xf4, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a, 0x04, 0x10, 0xbc, 0x87, 0x6d, 0xcb, 0x49, 0xeb, 0x09, + 0x09, 0x2a, 0xb1, 0xe4, 0xd8, 0x90, 0x7a, 0xee, 0xec, 0xa0, 0x80, 0x04, 0x20, 0xc1, 0x71, 0xaf, 0xa6, 0xd4, 0x0a, 0xea, + 0xa7, 0xd2, 0x5e, 0x00, 0x62, 0x1d, 0x9d, 0x8c, 0xc2, 0x72, 0xba, 0x24, 0xbb, 0x54, 0xb8, 0x0d, 0xe7, 0xed, 0x83, 0x67, + 0xbb, 0xb8, 0x43, 0x93, 0x03, 0x04, 0x10, 0xae, 0x0f, 0xc0, 0xaf, 0x22, 0xab, 0xb8, 0x54, 0xbf, 0x88, 0xff, 0xef, 0x3c, + 0x8c, 0xd5, 0x2f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +/* + * MARK: EC encrypted + */ +unsigned char ec_3DES[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x6b, 0xa1, 0x82, 0x01, 0x67, 0x30, 0x82, 0x01, 0x63, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0x6e, 0x8e, + 0x7a, 0x5f, 0x8b, 0x92, 0x84, 0xea, 0x7a, 0x9c, 0x00, 0x25, 0xef, 0xba, 0xe1, 0x3c, 0x1e, 0x54, 0xcc, 0xfb, 0x8f, 0x4a, + 0xc4, 0xfe, 0x9f, 0x13, 0xaf, 0x7d, 0x19, 0x21, 0x31, 
0x0a, 0xb6, 0x9f, 0xcd, 0x86, 0x4f, 0xac, 0x4e, 0x58, 0xa2, 0x43, + 0x41, 0xf2, 0x87, 0xd9, 0x09, 0x31, 0xaf, 0x52, 0xb7, 0x7d, 0x5e, 0xef, 0x94, 0xa6, 0x60, 0xb0, 0x90, 0x19, 0xd8, 0xd6, + 0x6d, 0xe4, 0xa1, 0x0a, 0x04, 0x08, 0xb3, 0x0f, 0xa8, 0x09, 0xbb, 0x40, 0x00, 0x2f, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0xa5, 0x6f, 0xb2, 0xab, 0xdc, 0x28, 0x07, 0xa3, 0x30, 0x81, 0xd7, 0x30, 0x81, 0xd4, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x20, 0x25, 0x53, 0x52, 0x49, 0xc7, + 0x54, 0xfc, 0xb7, 0xc9, 0x45, 0x0a, 0x65, 0xd1, 0x2e, 0x74, 0x68, 0x82, 0x40, 0x0f, 0xf2, 0x23, 0x71, 0x3d, 0xfe, 0x1f, + 0x29, 0xcb, 0x8d, 0x3a, 0x3b, 0x31, 0x99, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, 0x08, 0x8d, 0xff, 0xae, 
0x19, 0xfa, 0x5f, + 0xac, 0x17, 0xa0, 0x80, 0x04, 0x20, 0x21, 0x72, 0x77, 0x5a, 0x8c, 0xba, 0x15, 0xb7, 0x05, 0x4e, 0x05, 0x26, 0x12, 0xef, + 0x0a, 0xd8, 0x8b, 0x82, 0x09, 0x05, 0x4b, 0xd5, 0xdc, 0x9e, 0xd6, 0x83, 0x5c, 0xd0, 0xeb, 0xac, 0x96, 0x51, 0x04, 0x08, + 0xbc, 0x4c, 0x7a, 0x8b, 0xfe, 0xea, 0x75, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_RC2[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x63, 0xa1, 0x82, 0x01, 0x5f, 0x30, 0x82, 0x01, 0x5b, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0xe7, 0x2b, + 0xa7, 0x9d, 0x50, 0xb8, 0x53, 0x3a, 0x9a, 0xb4, 0x96, 0x26, 0xff, 0x34, 0x1f, 0xad, 0xa8, 0x9f, 0xc7, 0xeb, 0x85, 0x4d, + 0x87, 0x2a, 0x52, 0xcf, 0xb7, 0x9b, 0xb2, 0x7e, 0x45, 0xa1, 0x32, 0x8e, 0x73, 0x46, 0xf8, 0x70, 0xa1, 0xe8, 0x2c, 0x85, + 0x05, 0x87, 0xe3, 0x60, 0xce, 0xcb, 0x10, 0xa7, 0x70, 0x7f, 0xde, 0x1c, 0x14, 0xfd, 0x37, 0x1b, 0xd5, 0x1c, 0xe9, 0x7e, + 0x04, 0xf0, 0xa1, 0x0a, 0x04, 0x08, 0x4d, 0xeb, 0x81, 0xb0, 0x6b, 0xab, 0x37, 0x97, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0x8b, 0x55, 0xd5, 0xac, 0x91, 0x46, 0xd4, 0xc1, 0x30, 0x81, 0xcf, 0x30, 0x81, 0xcc, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 
0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x18, 0xad, 0x29, 0xc4, 0x57, 0x7e, + 0xc6, 0x8b, 0x25, 0xb9, 0x68, 0x67, 0x34, 0x6a, 0xda, 0xb6, 0x69, 0x3f, 0xa5, 0x83, 0x6c, 0x7d, 0xb7, 0x2f, 0x14, 0x30, + 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x19, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x03, 0x02, 0x30, 0x0d, 0x02, 0x01, 0x3a, 0x04, 0x08, 0xf2, 0x82, 0xe9, 0x5e, 0xcd, 0x8f, 0xe5, 0x24, 0xa0, + 0x80, 0x04, 0x20, 0x5b, 0x89, 0x81, 0xa2, 0x22, 0x48, 0x8c, 0x89, 0x71, 0xf3, 0x30, 0x7e, 0x9a, 0x22, 0x77, 0x1d, 0xee, + 0x78, 0x0e, 0x9a, 0x43, 0xe2, 0xe9, 0xf7, 0x9e, 0xae, 0xe3, 0xd8, 0xf5, 0x37, 0xeb, 0x74, 0x04, 0x08, 0xdf, 0x23, 0x14, + 0xd2, 0x65, 0xb3, 0xe3, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_AES_128[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x63, 0xa1, 0x82, 0x01, 0x5f, 0x30, 0x82, 0x01, 0x5b, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0xd7, 0x78, + 0x2a, 0xf6, 0xce, 0x5e, 0xc4, 0x86, 0x08, 0x29, 0xa6, 0x71, 0xe3, 0x95, 0x64, 0x50, 0x29, 0x7d, 0x6c, 0xed, 0xcd, 0x50, + 0xb9, 0x00, 0x31, 0xa3, 0x22, 0x44, 0x68, 0x2b, 0x1b, 0x20, 0x16, 0x8b, 0x98, 0x06, 0x2a, 0xb6, 0xfc, 0x09, 0xba, 0x98, + 0x65, 0xfd, 0xc7, 0x22, 0x16, 0x53, 0xa2, 
0xf0, 0x6e, 0xea, 0xc5, 0x1b, 0x52, 0x4a, 0x3c, 0xd7, 0x34, 0x87, 0x37, 0x10, + 0x79, 0x86, 0xa1, 0x0a, 0x04, 0x08, 0x3c, 0x7d, 0x8c, 0x77, 0xe5, 0x3a, 0x51, 0xa1, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0x2d, 0xae, 0x3c, 0xc8, 0x8e, 0x8c, 0xe8, 0xb2, 0x30, 0x81, 0xcf, 0x30, 0x81, 0xcc, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x18, 0xa9, 0x8d, 0xfd, 0xd2, 0x2f, + 0x1b, 0xbf, 0x89, 0x5d, 0xbe, 0x34, 0x93, 0x69, 0xdb, 0x71, 0x0c, 0xd1, 0x86, 0x87, 0x3e, 0xb3, 0x4f, 0x9e, 0x19, 0x30, + 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x01, 0x02, 0x04, 0x10, 0xa3, 0x3d, 0x9e, 0x01, 0x59, 0xcd, 0x0f, 0xcb, 0xf5, 0x6e, 0xda, 0xa6, 0xc7, + 0xb1, 0x42, 0xec, 0xa0, 0x80, 0x04, 0x20, 0x1d, 0xbf, 0xbd, 0xea, 0x30, 0xac, 0xeb, 0x24, 
0xc4, 0x52, 0xfc, 0x2e, 0x3b, + 0x95, 0x6c, 0x2b, 0xf4, 0x4b, 0xee, 0xf6, 0x7a, 0x52, 0x06, 0x1d, 0x89, 0x78, 0x6d, 0x62, 0x11, 0x4b, 0xdc, 0x35, 0x04, + 0x10, 0x77, 0x65, 0xaf, 0x79, 0x76, 0xa8, 0x6c, 0xc1, 0x32, 0x62, 0xc8, 0xde, 0xfe, 0x8a, 0xf4, 0xd1, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_AES_192[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x6b, 0xa1, 0x82, 0x01, 0x67, 0x30, 0x82, 0x01, 0x63, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0x6a, 0x3b, + 0xb5, 0x42, 0x6a, 0x4f, 0x29, 0x5c, 0x21, 0xe7, 0xd2, 0x6f, 0x41, 0x65, 0x72, 0x26, 0x7c, 0x99, 0xe2, 0xd3, 0x54, 0x60, + 0xbd, 0x92, 0xff, 0x4a, 0xa0, 0x00, 0xf7, 0xf2, 0x75, 0xd8, 0x10, 0xfd, 0xea, 0x93, 0x7d, 0x20, 0xa1, 0x21, 0xa6, 0x57, + 0x44, 0x45, 0x47, 0x8f, 0x90, 0x2f, 0xc9, 0x11, 0xf7, 0xb3, 0x7e, 0xbe, 0x61, 0x6a, 0xe9, 0x5f, 0xbe, 0xb4, 0x08, 0xbf, + 0x0f, 0x13, 0xa1, 0x0a, 0x04, 0x08, 0xbf, 0xe2, 0xbe, 0xa4, 0x54, 0x91, 0xbe, 0x0b, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0x5c, 0x40, 0xe0, 0x4e, 0x20, 0xbc, 0xb9, 0xed, 0x30, 0x81, 0xd7, 0x30, 0x81, 0xd4, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 
0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x20, 0xcd, 0x66, 0x20, 0x4b, 0x82, + 0x06, 0x6a, 0x0b, 0x24, 0x94, 0xf6, 0x62, 0xcd, 0x5e, 0x61, 0x3e, 0xb1, 0x81, 0x2b, 0x39, 0xcf, 0xd8, 0x95, 0x71, 0x24, + 0x9b, 0xbe, 0xc2, 0x2e, 0x72, 0x5b, 0x2f, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, + 0x30, 0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16, 0x04, 0x10, 0x7c, 0xbc, 0x78, 0xc9, 0x75, + 0x2f, 0xb8, 0xdb, 0x78, 0xee, 0xcc, 0x90, 0x2b, 0x77, 0x19, 0xc3, 0xa0, 0x80, 0x04, 0x20, 0xa7, 0x18, 0x7f, 0x3b, 0x5c, + 0x99, 0xc7, 0x18, 0x57, 0xca, 0x51, 0xa8, 0x14, 0x34, 0xd3, 0x1f, 0x60, 0xb2, 0xfd, 0xdf, 0xcd, 0x33, 0x18, 0xd0, 0x41, + 0xc6, 0x0f, 0x88, 0x37, 0x3d, 0xc4, 0xb4, 0x04, 0x10, 0x9e, 0xdd, 0x92, 0x67, 0x60, 0xb1, 0x73, 0x20, 0xa4, 0xad, 0x15, + 0x80, 0x08, 0x50, 0xc8, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +unsigned char ec_AES_256[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x03, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x02, + 0x31, 0x82, 0x01, 0x73, 0xa1, 0x82, 0x01, 0x6f, 0x30, 0x82, 0x01, 0x6b, 0x02, 0x01, 0x03, 0xa0, 0x55, 0xa1, 0x53, 0x30, + 0x51, 0x30, 0x0b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x05, 0x00, 0x03, 0x42, 0x00, 0x04, 0x51, 0xf6, + 0x31, 0x78, 0xba, 0x47, 0x10, 0xd3, 0xe7, 0x3e, 0x03, 0x47, 0x51, 0x40, 0xcd, 0xf1, 0x77, 0xbb, 0x80, 0x28, 0xba, 0x9e, + 0x85, 0x96, 0x67, 0x28, 0xb5, 0x41, 0xa3, 0xf0, 0x4d, 0x64, 0xef, 0x5c, 0xcb, 0xd7, 0x87, 
0x49, 0x6d, 0xf1, 0xeb, 0xd7, + 0x70, 0xd5, 0xe9, 0xef, 0xf2, 0xfa, 0x13, 0xe0, 0xf8, 0xed, 0x36, 0xea, 0xaa, 0x77, 0xed, 0xcb, 0xfd, 0x5a, 0x24, 0x4f, + 0x47, 0xf1, 0xa1, 0x0a, 0x04, 0x08, 0xf6, 0x65, 0x06, 0x57, 0x1a, 0x33, 0x5f, 0x4d, 0x30, 0x21, 0x06, 0x09, 0x2b, 0x81, + 0x05, 0x10, 0x86, 0x48, 0x3f, 0x00, 0x02, 0x30, 0x14, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x04, + 0x08, 0x29, 0xe6, 0x26, 0xd9, 0x55, 0x3f, 0x80, 0x5d, 0x30, 0x81, 0xdf, 0x30, 0x81, 0xdc, 0x30, 0x81, 0xaf, 0x30, 0x81, + 0xa6, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x10, 0x43, 0x4d, 0x53, 0x20, 0x45, 0x43, 0x20, 0x54, + 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, + 0x53, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, + 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, + 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x12, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x40, 0x61, 0x70, + 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x02, 0x04, 0x50, 0x2b, 0xa2, 0xa7, 0x04, 0x28, 0xbc, 0xbe, 0x49, 0x1e, 0xd3, + 0x65, 0xf5, 0xb5, 0xb9, 0x25, 0x25, 0xac, 0xa6, 0xcf, 0x99, 0x08, 0xe6, 0x36, 0x02, 0xf0, 0x33, 0xc0, 0x42, 0x9a, 0x5d, + 0x06, 0xde, 0x37, 0xd4, 0xf1, 0x51, 0x52, 0xab, 0xbb, 0xd2, 0xda, 0x07, 0x33, 0x86, 0x55, 0x30, 0x80, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, + 0x2a, 0x04, 
0x10, 0x58, 0xf6, 0xd7, 0x84, 0xe2, 0xe6, 0x8f, 0x12, 0xe1, 0x81, 0xfb, 0xe9, 0x9f, 0x02, 0xf4, 0x5b, 0xa0, + 0x80, 0x04, 0x20, 0xf3, 0x04, 0x59, 0x33, 0x99, 0x87, 0x13, 0x67, 0xce, 0xcd, 0x8a, 0x35, 0x0f, 0x86, 0x3a, 0xa5, 0x95, + 0xae, 0x6f, 0x75, 0x77, 0xb0, 0x87, 0x63, 0xf9, 0xfc, 0x86, 0x5d, 0x30, 0xf4, 0xa8, 0xb8, 0x04, 0x10, 0x71, 0x74, 0x33, + 0x6a, 0x63, 0x01, 0x59, 0x32, 0xeb, 0x66, 0x9e, 0x46, 0x2d, 0x33, 0xbf, 0x7a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00 +}; + +#endif /* cms_01_test_h */ diff --git a/OSX/sec/Security/Regressions/secitem/si-97-sectrust-path-scoring.h b/OSX/sec/Security/Regressions/secitem/si-97-sectrust-path-scoring.h new file mode 100644 index 00000000..5466b82f --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-97-sectrust-path-scoring.h 
@@ -0,0 +1,685 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + */ + +#ifndef si_97_sectrust_path_scoring_h +#define si_97_sectrust_path_scoring_h + +/* Path Scoring Hierarchy + * _pathScorignLeaf + * ^ + * | + * _pathScoringInt* + * ^ ^ ^ + * / | \ + * _pathScoringSHA2* <-- _pathScoringSHA1Root _pathScoring1024Root + * ^ ^ + * | \ + * _pathScorignSHA2Root _pathScoringSHA2Root2 + */ + +/* subject:/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring Leaf */ +/* issuer :/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring Intermediate */ +unsigned char _pathScoringLeaf[1002]={ + 0x30,0x82,0x03,0xE6,0x30,0x82,0x02,0xCE,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0x9F,0x2F,0xF1,0xEC,0x05,0xCA,0x8B,0x68,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x7B,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C, + 0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x14,0x30,0x12,0x06, + 0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63, + 0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75, + 0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67, + 0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03,0x0C,0x19,0x50,0x61,0x74,0x68,0x20, + 0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65,0x72,0x6D,0x65,0x64, + 0x69,0x61,0x74,0x65,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x34,0x32,0x37,0x32,0x33, + 0x33,0x33,0x35,0x35,0x5A,0x17,0x0D,0x31,0x37,0x30,0x34,0x32,0x37,0x32,0x33,0x33, + 0x33,0x35,0x35,0x5A,0x30,0x73,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61, + 0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04, + 0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D, + 
0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74, + 0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x1A,0x30, + 0x18,0x06,0x03,0x55,0x04,0x03,0x0C,0x11,0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F, + 0x72,0x69,0x6E,0x67,0x20,0x4C,0x65,0x61,0x66,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, + 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, + 0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC4,0x57,0x3F,0xF2,0xE2,0xAC, + 0xB1,0x18,0x4D,0xFC,0x3B,0xE1,0xBC,0x4D,0x91,0x3F,0x7B,0xF6,0x86,0xA9,0xE8,0xFA, + 0x46,0x9A,0xF1,0xCB,0x99,0x9A,0xA1,0x73,0xA6,0xEF,0x7B,0x2E,0xE7,0x8A,0xE3,0xE0, + 0xAA,0x7A,0xD5,0x24,0xA1,0x7F,0x8F,0x39,0xD1,0x31,0xDF,0x3C,0x9C,0x30,0x75,0xD1, + 0xB7,0xCF,0x15,0x17,0x5A,0x84,0x28,0x67,0xED,0xF0,0xA8,0x40,0x26,0xD5,0xCE,0x15, + 0x7F,0x81,0xC9,0x7A,0xE7,0x85,0xC4,0xCF,0x4F,0x31,0xCC,0x73,0x8B,0x9A,0x53,0xBC, + 0x35,0x6F,0xD1,0x38,0xD5,0xA7,0x52,0x63,0x99,0x32,0xC9,0xA8,0x0D,0x40,0x13,0xEF, + 0x2F,0x8E,0xC8,0x8E,0x28,0x95,0xE5,0x6C,0x58,0x88,0x31,0x09,0xCA,0x7B,0x41,0x2D, + 0x48,0x50,0xAE,0xE1,0xB8,0x4D,0xD2,0xF6,0x4A,0x5E,0x62,0x32,0x26,0xA9,0xEA,0x13, + 0x7B,0xCE,0x5A,0xE1,0x26,0x0A,0xAA,0x71,0x91,0x65,0x5D,0xBE,0xCA,0xE8,0x58,0xFF, + 0xD7,0x0B,0x12,0xA3,0xC2,0xBD,0x49,0xB1,0x91,0x5E,0xFD,0x68,0xE1,0x57,0x66,0xCA, + 0xB1,0x44,0xC9,0xBC,0xCC,0x8B,0xC5,0xE0,0xA9,0x4D,0x08,0x19,0xDD,0x2D,0xE7,0x25, + 0x33,0x6F,0x6E,0x5B,0x18,0x20,0x4E,0x86,0x1C,0x8A,0x52,0x6D,0x33,0xAE,0x32,0xFE, + 0xC1,0x53,0x3F,0x10,0xBC,0x5D,0xB2,0x68,0x2E,0xF4,0xEA,0xAD,0xBA,0x6B,0xEC,0x03, + 0x75,0xCB,0x6C,0x20,0x45,0x70,0xFE,0xD2,0x96,0x31,0xE4,0x11,0x3C,0x2A,0xAD,0x2F, + 0x6A,0x54,0xEE,0x0B,0xAA,0x82,0x13,0x5C,0x6E,0x22,0x58,0x5F,0xBB,0x16,0xAD,0x0A, + 0x57,0x5D,0x72,0xDB,0x68,0xB3,0xDB,0xC7,0x7D,0xF7,0x02,0x03,0x01,0x00,0x01,0xA3, + 0x75,0x30,0x73,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30, + 0x00,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05, + 
0xA0,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06, + 0x01,0x05,0x05,0x07,0x03,0x02,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 0x14,0xB5,0x06,0xF9,0x17,0x36,0x4F,0x32,0xDA,0xA3,0x91,0xF6,0x95,0xCD,0x7C,0x4C, + 0x88,0x2B,0x56,0xEA,0x8B,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16, + 0x80,0x14,0x32,0x5D,0xB4,0x51,0x5E,0xF4,0x7B,0x34,0x99,0xC2,0x17,0xDE,0x57,0x6F, + 0x43,0x09,0xCE,0xE3,0xE8,0x52,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, + 0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x6B,0x0E,0xBC,0xE7,0x7C,0xA9, + 0x81,0xE8,0x53,0x62,0xA8,0x2E,0x16,0xE6,0x74,0xC8,0x24,0x17,0xB9,0x83,0xBE,0xC7, + 0xE1,0xA7,0xF7,0xFF,0xA0,0xD6,0x12,0xA7,0x9D,0xE0,0xB1,0xBC,0x23,0x19,0xB5,0xFC, + 0xB8,0x48,0x58,0x49,0x18,0xCC,0xD9,0xDC,0x2B,0x87,0x3D,0x49,0xCE,0x92,0x1E,0x65, + 0x4C,0xCB,0xA4,0xCA,0x53,0xA1,0x97,0x3A,0x1E,0x97,0xCF,0x32,0x3B,0xEF,0x24,0x5F, + 0x92,0x71,0x04,0x26,0x4F,0x20,0x4A,0xAE,0x30,0x13,0x9F,0x0C,0x77,0x02,0xE8,0xB5, + 0x2A,0x43,0xA5,0xD2,0xD4,0x9D,0x59,0xDE,0xE1,0x80,0x99,0x8C,0x93,0xAF,0xA1,0x00, + 0x72,0x25,0xD2,0x43,0x07,0x63,0xF1,0x2F,0x8F,0xF1,0x73,0xFB,0x4A,0xA0,0x27,0xF0, + 0xAA,0x8B,0x89,0xFB,0x7B,0xA1,0x0B,0xB5,0x17,0xD5,0xF2,0xA4,0xF7,0xAB,0xA1,0x9A, + 0xF8,0xAB,0x84,0x91,0x90,0x94,0xC3,0x0B,0x4B,0xBD,0xEC,0x81,0xB0,0x39,0x22,0x74, + 0xC9,0x72,0xA6,0x73,0xE1,0x9C,0xA1,0x42,0xEE,0xE7,0x72,0x64,0x89,0x04,0x0C,0x17, + 0x0B,0xD3,0x61,0x6B,0x8B,0xB3,0xF7,0xF1,0xA0,0x9A,0xB7,0xA5,0x75,0xA1,0xEE,0x3F, + 0x70,0x0F,0xEB,0x8F,0xDF,0xE2,0x92,0x86,0x80,0x74,0xD6,0xFE,0x76,0x65,0x74,0xD3, + 0xF8,0x4E,0x11,0xD6,0xDA,0x3D,0xB2,0x33,0x1C,0xFB,0x22,0x22,0x81,0x6A,0x54,0xC4, + 0x05,0x0F,0x31,0x9F,0x25,0x01,0xBB,0x14,0x0E,0x11,0x72,0x2B,0x93,0x72,0x75,0xFF, + 0x26,0x09,0x91,0x1E,0x9A,0x27,0x32,0x80,0xF0,0x97,0x4B,0xBB,0x69,0xC5,0x00,0x52, + 0x57,0x5C,0x6F,0x54,0xFF,0xD4,0xDE,0x4E,0xCE,0xD4, +}; + +/* subject:/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring Intermediate */ +/* issuer 
:/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-256 Root CA */ +unsigned char _pathScoringIntSHA2[1016]={ + 0x30,0x82,0x03,0xF4,0x30,0x82,0x02,0xDC,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0x85,0x03,0xAD,0x19,0x1A,0x67,0x3A,0x82,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,0x92,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08, + 0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10, + 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 0x65,0x72,0x69,0x6E,0x67,0x31,0x25,0x30,0x23,0x06,0x03,0x55,0x04,0x03,0x0C,0x1C, + 0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53,0x48,0x41, + 0x2D,0x32,0x35,0x36,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D, + 0x31,0x36,0x30,0x34,0x32,0x37,0x32,0x33,0x32,0x36,0x32,0x39,0x5A,0x17,0x0D,0x31, + 0x37,0x30,0x34,0x32,0x37,0x32,0x33,0x32,0x36,0x32,0x39,0x5A,0x30,0x7B,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06, + 0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 0x65,0x72,0x69,0x6E,0x67,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03,0x0C,0x19, + 0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74, + 0x65,0x72,0x6D,0x65,0x64,0x69,0x61,0x74,0x65,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, + 
0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, + 0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xCE,0xE0,0x94,0x1E,0x22,0xCB, + 0x41,0x6C,0x08,0xE5,0x76,0x95,0x18,0xCD,0xFD,0x8D,0x34,0x7A,0x01,0xFF,0xDF,0x78, + 0xD9,0x3D,0xF5,0x42,0xD7,0xCB,0x51,0x5E,0x27,0x4D,0x75,0xC9,0x86,0x85,0x32,0x13, + 0x7C,0xF6,0x47,0x6C,0xF5,0xCA,0xE5,0x0E,0xCB,0x3D,0x9E,0x88,0x7A,0xDC,0xE3,0x14, + 0x95,0x48,0x73,0x6F,0xFA,0xFC,0x7E,0xD5,0x6A,0xCA,0x4D,0x02,0x8D,0x3B,0xB0,0xF4, + 0xE9,0x0E,0xD9,0x37,0xAE,0x7C,0x18,0xF7,0xA5,0x9C,0x49,0xD9,0x80,0x44,0x4F,0xB4, + 0xB5,0x0A,0x97,0x68,0x62,0xEC,0x96,0x97,0x19,0xD1,0xF0,0xFA,0x2A,0x0A,0x1D,0xBE, + 0x03,0x24,0x2A,0xF6,0x48,0xC6,0x23,0xD8,0x81,0x51,0xF9,0x5A,0x20,0xE7,0xFD,0x2B, + 0xDC,0xCA,0xE1,0x35,0xCC,0xE4,0x61,0xD9,0x9D,0x55,0x83,0x5F,0xCA,0x50,0xF7,0x9C, + 0xD6,0x75,0xAD,0x0C,0x9D,0x4D,0x83,0x64,0x4D,0x9D,0xC4,0xCD,0x00,0x0A,0x41,0xE0, + 0xB5,0x0C,0x7F,0x6D,0xA2,0x06,0xB7,0x5D,0x7E,0x6A,0xB2,0xFE,0x12,0x4B,0x6F,0x09, + 0xEE,0x7E,0xD3,0x33,0x79,0x8F,0xD5,0x61,0xDC,0x63,0x7D,0x14,0x49,0xA3,0x5C,0xA6, + 0x1C,0x24,0x44,0xCF,0x81,0xF1,0xB8,0x0E,0xC5,0xE1,0x44,0x21,0x19,0x77,0x88,0x60, + 0xD0,0xF9,0xCA,0x43,0x1D,0xD0,0xED,0xF9,0xEC,0x2F,0x12,0x49,0x70,0x46,0x59,0x63, + 0x1B,0x02,0x8B,0xE3,0xFC,0x9F,0x38,0x2B,0x1C,0x78,0xD4,0x84,0x32,0x35,0xFD,0xA2, + 0xAC,0xF1,0xC0,0x5A,0xFA,0x00,0x2D,0x2A,0x21,0x34,0x86,0x37,0x06,0xE8,0x75,0xCE, + 0xAA,0x9B,0x43,0xC9,0x8B,0xD9,0x92,0x6E,0xDD,0xA3,0x02,0x03,0x01,0x00,0x01,0xA3, + 0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30, + 0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04, + 0x03,0x02,0x02,0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x32, + 0x5D,0xB4,0x51,0x5E,0xF4,0x7B,0x34,0x99,0xC2,0x17,0xDE,0x57,0x6F,0x43,0x09,0xCE, + 0xE3,0xE8,0x52,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14, + 0x9C,0x0D,0xCC,0x81,0x68,0x89,0x97,0x76,0x54,0xB2,0xDF,0xAA,0xD1,0xC3,0x76,0xD1, + 
0x25,0x16,0xD8,0xF9,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01, + 0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xA6,0xD6,0xAB,0xB8,0xFF,0x96,0xFA,0xFB, + 0xBA,0x89,0x74,0x1D,0xD4,0xBD,0xA4,0x52,0xC9,0x6B,0x04,0xB0,0x52,0x62,0xF5,0x8F, + 0x1E,0xED,0xDB,0x93,0x4A,0x8B,0xEF,0xD6,0x76,0x0C,0x9B,0xC3,0x6D,0xA8,0xD5,0x5C, + 0x79,0x3B,0x5D,0x35,0x71,0xAD,0xFA,0xCF,0x03,0xF8,0x43,0xD5,0xB8,0x42,0x9C,0x44, + 0x94,0x60,0xED,0x81,0x31,0x71,0x77,0xBA,0xC4,0xD1,0x51,0x53,0x34,0xA6,0xBD,0xA6, + 0xFF,0xAE,0x58,0x43,0x69,0xFD,0xB2,0x8C,0xF0,0x78,0x09,0xA0,0xCB,0x8E,0xD5,0xE6, + 0x1B,0xA5,0xB0,0xDA,0x46,0x9F,0xA1,0x4B,0x08,0xE2,0xD3,0xBE,0xB4,0x47,0x6B,0x34, + 0xAF,0x42,0x3B,0xE5,0x21,0xC2,0x77,0x47,0x7E,0x35,0xA8,0xFB,0x11,0xD0,0xB7,0x0B, + 0x99,0x86,0x4C,0x8E,0x04,0x3C,0x12,0xEF,0x1C,0x71,0x5B,0xA0,0x4E,0xCD,0xC1,0x89, + 0xDB,0xA0,0x09,0x97,0xF9,0x20,0x7E,0xE8,0x4E,0x1A,0x16,0x6F,0x09,0x91,0x12,0x9D, + 0xFF,0x5E,0xB7,0xD3,0xF6,0x5E,0xEC,0x36,0xE0,0x24,0x17,0x2D,0x8C,0xD1,0xE5,0x2F, + 0x29,0xB1,0xAA,0xB9,0xD4,0x6F,0xBE,0x57,0xAB,0x70,0x1F,0x5C,0x8E,0x64,0x16,0x0E, + 0xA3,0xE9,0xC6,0xC4,0xF8,0xC1,0xCE,0x3A,0xBB,0x60,0xEB,0x6B,0x0E,0x79,0x72,0x34, + 0x23,0xA9,0x49,0x23,0xFC,0xC1,0xA9,0x75,0xDD,0xE7,0x6E,0x2C,0x81,0x88,0x51,0x46, + 0xF2,0xD5,0x66,0x46,0x08,0x4E,0x93,0x74,0xCD,0xF3,0x5F,0x7D,0xAC,0x85,0x71,0x52, + 0xC1,0x9B,0xAA,0x41,0x76,0x4A,0xBC,0xD5,0x03,0x83,0x84,0x17,0xDC,0x40,0xA7,0xAC, + 0xEA,0x1E,0x6F,0x0B,0xE3,0x36,0x2A,0x25, +}; + +/* subject:/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring Intermediate */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-1 Root CA */ +unsigned char _pathScoringIntSHA1[1013]={ + 0x30,0x82,0x03,0xF1,0x30,0x82,0x02,0xD9,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x7B, + 0x3C,0xA2,0x3A,0xC8,0xD9,0x66,0x5A,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x90,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 
0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C, + 0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06, + 0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31, + 0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C, + 0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14, + 0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65, + 0x72,0x69,0x6E,0x67,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x03,0x0C,0x1A,0x50, + 0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53,0x48,0x41,0x2D, + 0x31,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30, + 0x34,0x32,0x38,0x32,0x32,0x31,0x30,0x31,0x36,0x5A,0x17,0x0D,0x31,0x36,0x30,0x35, + 0x32,0x37,0x32,0x32,0x31,0x30,0x31,0x36,0x5A,0x30,0x7B,0x31,0x0B,0x30,0x09,0x06, + 0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x14,0x30, + 0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49, + 0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65, + 0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69, + 0x6E,0x67,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03,0x0C,0x19,0x50,0x61,0x74, + 0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74,0x65,0x72,0x6D, + 0x65,0x64,0x69,0x61,0x74,0x65,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86, + 0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82, + 0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xCE,0xE0,0x94,0x1E,0x22,0xCB,0x41,0x6C,0x08, + 0xE5,0x76,0x95,0x18,0xCD,0xFD,0x8D,0x34,0x7A,0x01,0xFF,0xDF,0x78,0xD9,0x3D,0xF5, + 0x42,0xD7,0xCB,0x51,0x5E,0x27,0x4D,0x75,0xC9,0x86,0x85,0x32,0x13,0x7C,0xF6,0x47, + 0x6C,0xF5,0xCA,0xE5,0x0E,0xCB,0x3D,0x9E,0x88,0x7A,0xDC,0xE3,0x14,0x95,0x48,0x73, + 
0x6F,0xFA,0xFC,0x7E,0xD5,0x6A,0xCA,0x4D,0x02,0x8D,0x3B,0xB0,0xF4,0xE9,0x0E,0xD9, + 0x37,0xAE,0x7C,0x18,0xF7,0xA5,0x9C,0x49,0xD9,0x80,0x44,0x4F,0xB4,0xB5,0x0A,0x97, + 0x68,0x62,0xEC,0x96,0x97,0x19,0xD1,0xF0,0xFA,0x2A,0x0A,0x1D,0xBE,0x03,0x24,0x2A, + 0xF6,0x48,0xC6,0x23,0xD8,0x81,0x51,0xF9,0x5A,0x20,0xE7,0xFD,0x2B,0xDC,0xCA,0xE1, + 0x35,0xCC,0xE4,0x61,0xD9,0x9D,0x55,0x83,0x5F,0xCA,0x50,0xF7,0x9C,0xD6,0x75,0xAD, + 0x0C,0x9D,0x4D,0x83,0x64,0x4D,0x9D,0xC4,0xCD,0x00,0x0A,0x41,0xE0,0xB5,0x0C,0x7F, + 0x6D,0xA2,0x06,0xB7,0x5D,0x7E,0x6A,0xB2,0xFE,0x12,0x4B,0x6F,0x09,0xEE,0x7E,0xD3, + 0x33,0x79,0x8F,0xD5,0x61,0xDC,0x63,0x7D,0x14,0x49,0xA3,0x5C,0xA6,0x1C,0x24,0x44, + 0xCF,0x81,0xF1,0xB8,0x0E,0xC5,0xE1,0x44,0x21,0x19,0x77,0x88,0x60,0xD0,0xF9,0xCA, + 0x43,0x1D,0xD0,0xED,0xF9,0xEC,0x2F,0x12,0x49,0x70,0x46,0x59,0x63,0x1B,0x02,0x8B, + 0xE3,0xFC,0x9F,0x38,0x2B,0x1C,0x78,0xD4,0x84,0x32,0x35,0xFD,0xA2,0xAC,0xF1,0xC0, + 0x5A,0xFA,0x00,0x2D,0x2A,0x21,0x34,0x86,0x37,0x06,0xE8,0x75,0xCE,0xAA,0x9B,0x43, + 0xC9,0x8B,0xD9,0x92,0x6E,0xDD,0xA3,0x02,0x03,0x01,0x00,0x01,0xA3,0x63,0x30,0x61, + 0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01, + 0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x02, + 0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x32,0x5D,0xB4,0x51, + 0x5E,0xF4,0x7B,0x34,0x99,0xC2,0x17,0xDE,0x57,0x6F,0x43,0x09,0xCE,0xE3,0xE8,0x52, + 0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x16,0x69,0x41, + 0x49,0x0A,0x45,0xCB,0xB8,0x53,0x2E,0x21,0x9D,0x93,0x63,0x84,0xFC,0x2C,0x2E,0x93, + 0x9A,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00, + 0x03,0x82,0x01,0x01,0x00,0x06,0xC0,0x4B,0x59,0xE2,0xD7,0x08,0x16,0x2D,0x1F,0xD8, + 0x35,0x21,0x38,0xD4,0xE3,0x66,0x5E,0x25,0x27,0xAE,0x36,0x81,0x0B,0x9B,0x5D,0x3F, + 0x67,0x80,0x8E,0x01,0x0F,0xE2,0x2D,0x34,0xD9,0x07,0x2B,0x42,0xB0,0xCE,0x45,0x6A, + 0x62,0x38,0x7B,0xCE,0x74,0x47,0x39,0x1C,0x61,0x34,0x2F,0x22,0xAB,0x2E,0x4D,0x90, + 
0x3D,0xAB,0x09,0xFB,0x39,0x87,0x87,0x38,0x5B,0xE1,0x42,0x52,0x4F,0x96,0x81,0x00, + 0x12,0x40,0x02,0x7B,0x72,0x51,0x0E,0xF0,0x9C,0x2D,0xBB,0xBE,0x58,0xB2,0x0D,0x30, + 0xF1,0xE8,0x0C,0xCF,0xD2,0xC3,0xF6,0xDE,0xF7,0x2E,0x2B,0xD9,0xFF,0xFA,0x6D,0x4F, + 0x45,0x6F,0x3F,0x62,0x8A,0xCC,0xBE,0x10,0x86,0x12,0x2E,0xC0,0x04,0xF1,0xDD,0x91, + 0x5B,0x47,0x68,0xBE,0xBD,0xAC,0x15,0xD1,0xBC,0xF4,0x81,0xC2,0x0C,0xCD,0x56,0x59, + 0x03,0x7D,0xA9,0x94,0x6C,0x53,0x69,0x1B,0x91,0x60,0xCB,0xBC,0x11,0xD0,0x30,0xCE, + 0xAA,0xD4,0x6F,0xE2,0x78,0x51,0xC4,0x41,0x1A,0x1C,0x39,0xEC,0x17,0xBC,0x93,0x68, + 0xEF,0x9E,0xB9,0x27,0x4E,0xE7,0x4B,0x97,0xCD,0x0E,0xFD,0x05,0xAC,0xF0,0xF2,0xEB, + 0xFF,0x8B,0x3C,0x74,0xFB,0x8F,0xFE,0xF3,0xC3,0x29,0x42,0xCE,0xA9,0x8D,0xDA,0x75, + 0x34,0x09,0xF7,0xEC,0x5A,0x90,0x72,0x43,0xC4,0xCD,0xFD,0x1D,0x80,0xF4,0x76,0xDF, + 0x7E,0x5A,0xF3,0x09,0x0E,0x5B,0x2F,0x76,0xA8,0x78,0x28,0xC0,0x48,0x11,0x1F,0x10, + 0x34,0x2C,0x5F,0x20,0x3E,0xFA,0x03,0x2C,0xB2,0x2B,0xBD,0xA0,0x50,0x22,0xCC,0xCF, + 0x49,0x1B,0xFF,0x57,0x89, +}; + +/* subject:/C=US/ST=California/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring Intermediate */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring 1024-bit Root CA */ +unsigned char _pathScoringInt1024[887]={ + 0x30,0x82,0x03,0x73,0x30,0x82,0x02,0xDC,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x4E, + 0x41,0xAC,0x3E,0xF7,0xA4,0x3D,0xBF,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,0x93,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C, + 0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06, + 0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31, + 0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C, + 0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14, + 
0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65, + 0x72,0x69,0x6E,0x67,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x03,0x0C,0x1D,0x50, + 0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x31,0x30,0x32,0x34, + 0x2D,0x62,0x69,0x74,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D, + 0x31,0x36,0x30,0x34,0x32,0x37,0x32,0x33,0x33,0x31,0x35,0x32,0x5A,0x17,0x0D,0x31, + 0x36,0x30,0x35,0x32,0x37,0x32,0x33,0x33,0x31,0x35,0x32,0x5A,0x30,0x7B,0x31,0x0B, + 0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06, + 0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 0x65,0x72,0x69,0x6E,0x67,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03,0x0C,0x19, + 0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x49,0x6E,0x74, + 0x65,0x72,0x6D,0x65,0x64,0x69,0x61,0x74,0x65,0x30,0x82,0x01,0x22,0x30,0x0D,0x06, + 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F, + 0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xCE,0xE0,0x94,0x1E,0x22,0xCB, + 0x41,0x6C,0x08,0xE5,0x76,0x95,0x18,0xCD,0xFD,0x8D,0x34,0x7A,0x01,0xFF,0xDF,0x78, + 0xD9,0x3D,0xF5,0x42,0xD7,0xCB,0x51,0x5E,0x27,0x4D,0x75,0xC9,0x86,0x85,0x32,0x13, + 0x7C,0xF6,0x47,0x6C,0xF5,0xCA,0xE5,0x0E,0xCB,0x3D,0x9E,0x88,0x7A,0xDC,0xE3,0x14, + 0x95,0x48,0x73,0x6F,0xFA,0xFC,0x7E,0xD5,0x6A,0xCA,0x4D,0x02,0x8D,0x3B,0xB0,0xF4, + 0xE9,0x0E,0xD9,0x37,0xAE,0x7C,0x18,0xF7,0xA5,0x9C,0x49,0xD9,0x80,0x44,0x4F,0xB4, + 0xB5,0x0A,0x97,0x68,0x62,0xEC,0x96,0x97,0x19,0xD1,0xF0,0xFA,0x2A,0x0A,0x1D,0xBE, + 0x03,0x24,0x2A,0xF6,0x48,0xC6,0x23,0xD8,0x81,0x51,0xF9,0x5A,0x20,0xE7,0xFD,0x2B, + 0xDC,0xCA,0xE1,0x35,0xCC,0xE4,0x61,0xD9,0x9D,0x55,0x83,0x5F,0xCA,0x50,0xF7,0x9C, + 
0xD6,0x75,0xAD,0x0C,0x9D,0x4D,0x83,0x64,0x4D,0x9D,0xC4,0xCD,0x00,0x0A,0x41,0xE0, + 0xB5,0x0C,0x7F,0x6D,0xA2,0x06,0xB7,0x5D,0x7E,0x6A,0xB2,0xFE,0x12,0x4B,0x6F,0x09, + 0xEE,0x7E,0xD3,0x33,0x79,0x8F,0xD5,0x61,0xDC,0x63,0x7D,0x14,0x49,0xA3,0x5C,0xA6, + 0x1C,0x24,0x44,0xCF,0x81,0xF1,0xB8,0x0E,0xC5,0xE1,0x44,0x21,0x19,0x77,0x88,0x60, + 0xD0,0xF9,0xCA,0x43,0x1D,0xD0,0xED,0xF9,0xEC,0x2F,0x12,0x49,0x70,0x46,0x59,0x63, + 0x1B,0x02,0x8B,0xE3,0xFC,0x9F,0x38,0x2B,0x1C,0x78,0xD4,0x84,0x32,0x35,0xFD,0xA2, + 0xAC,0xF1,0xC0,0x5A,0xFA,0x00,0x2D,0x2A,0x21,0x34,0x86,0x37,0x06,0xE8,0x75,0xCE, + 0xAA,0x9B,0x43,0xC9,0x8B,0xD9,0x92,0x6E,0xDD,0xA3,0x02,0x03,0x01,0x00,0x01,0xA3, + 0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30, + 0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04, + 0x03,0x02,0x02,0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x32, + 0x5D,0xB4,0x51,0x5E,0xF4,0x7B,0x34,0x99,0xC2,0x17,0xDE,0x57,0x6F,0x43,0x09,0xCE, + 0xE3,0xE8,0x52,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14, + 0x33,0x7A,0x50,0x9A,0x1D,0xDE,0xED,0x5E,0x1F,0xAA,0x16,0x7F,0x6F,0x2E,0x04,0xB0, + 0x45,0xBF,0xB4,0x27,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01, + 0x0B,0x05,0x00,0x03,0x81,0x81,0x00,0x16,0x9D,0x30,0x13,0x7C,0x95,0x20,0x4B,0xFF, + 0x50,0xD2,0x73,0xF5,0xAB,0x29,0xA9,0xDC,0x82,0x98,0x80,0x54,0x5A,0x0B,0xB0,0x08, + 0xDE,0x37,0xBD,0x82,0xB9,0x5A,0x2E,0x6D,0x1A,0x82,0xE9,0x7B,0x54,0x68,0xB0,0x56, + 0x71,0xBE,0x87,0xBD,0x34,0x6F,0xB8,0x9C,0x68,0xDA,0xC3,0x1C,0x5F,0xE0,0x24,0xEA, + 0xAD,0x58,0x04,0xB5,0x0B,0x32,0xFA,0x69,0x61,0xF7,0x3B,0xE5,0xF8,0x4D,0xB0,0x55, + 0x22,0xD7,0xFC,0xBC,0xD5,0xFA,0xC2,0x2B,0xF3,0xF8,0xEC,0x96,0xDB,0xB7,0xAC,0xF2, + 0xF0,0x99,0x77,0x4E,0x72,0x1F,0x5B,0xC1,0x78,0x6C,0xC7,0x46,0x80,0x7D,0xF6,0x50, + 0x87,0xB9,0xE3,0x45,0xE3,0xD3,0xD0,0x01,0x17,0x06,0xCC,0xFF,0x9A,0x68,0x8E,0x22, + 0xFA,0xF6,0xFD,0xC6,0x2B,0x02,0x93, +}; + +/* 
subject:/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-256 Root CA */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-256 Root CA */ +unsigned char _pathScoringSHA2Root[1010]={ + 0x30,0x82,0x03,0xEE,0x30,0x82,0x02,0xD6,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0x92,0xA4,0xDF,0xEB,0x8D,0xF9,0xAD,0xA3,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,0x92,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08, + 0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10, + 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 0x65,0x72,0x69,0x6E,0x67,0x31,0x25,0x30,0x23,0x06,0x03,0x55,0x04,0x03,0x0C,0x1C, + 0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53,0x48,0x41, + 0x2D,0x32,0x35,0x36,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D, + 0x31,0x36,0x30,0x34,0x32,0x37,0x32,0x33,0x31,0x39,0x34,0x34,0x5A,0x17,0x0D,0x32, + 0x36,0x30,0x34,0x32,0x35,0x32,0x33,0x31,0x39,0x34,0x34,0x5A,0x30,0x81,0x92,0x31, + 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11, + 0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69, + 0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65, + 0x72,0x74,0x69,0x6E,0x6F,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B, + 0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06, + 0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45, + 
0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x25,0x30,0x23,0x06,0x03, + 0x55,0x04,0x03,0x0C,0x1C,0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E, + 0x67,0x20,0x53,0x48,0x41,0x2D,0x32,0x35,0x36,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43, + 0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, + 0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01, + 0x01,0x00,0xC2,0xB8,0x58,0x1B,0xA2,0x26,0xA0,0x78,0xFE,0x3D,0x97,0x87,0x5C,0xA4, + 0xA1,0x12,0x5D,0x3F,0x1D,0xC9,0x02,0x65,0xDA,0xB4,0x5D,0x55,0x63,0x77,0xC5,0x61, + 0x62,0x18,0x3B,0x81,0x18,0x68,0x6A,0xA2,0xC9,0xC9,0x60,0xB0,0xEE,0x45,0x44,0x33, + 0x37,0x48,0x9D,0x73,0x83,0xA3,0x47,0xBC,0x73,0x65,0x42,0xAF,0x94,0x01,0x68,0x7E, + 0x92,0x6A,0xFF,0xA5,0x26,0x33,0x93,0x1B,0xA8,0xE0,0x25,0x93,0x62,0xB6,0x40,0x50, + 0x73,0x67,0x5F,0xDF,0x72,0x61,0x71,0x80,0xEC,0xE2,0x06,0x6A,0x7F,0xE3,0x96,0x0C, + 0x3F,0x16,0x39,0xE0,0xB6,0x73,0x0A,0x8F,0x77,0x97,0xBC,0x0C,0x34,0x48,0x1B,0x53, + 0x7B,0xDE,0x80,0x11,0x06,0x7B,0x53,0x41,0x7F,0x8B,0x9C,0x0E,0xD2,0x39,0x51,0xEF, + 0xC5,0xAD,0xFD,0x37,0x9E,0x17,0xC9,0xF3,0xCA,0xDC,0x66,0xB1,0x69,0xA3,0x27,0x56, + 0xCB,0x42,0xD3,0x5A,0x64,0x1E,0x48,0x91,0x91,0x2D,0x1A,0x1D,0x2E,0x5C,0x13,0x48, + 0x28,0x1C,0x39,0x6D,0x8F,0x4F,0xAE,0x0A,0x77,0x35,0x08,0xD8,0xBC,0x74,0xDE,0xB3, + 0xB9,0xE8,0xDA,0x2B,0x7A,0x4E,0x92,0x60,0xA5,0x42,0xE2,0xB1,0x76,0x55,0x5C,0x89, + 0x6A,0x71,0x73,0x65,0xE0,0xBE,0x83,0x47,0x39,0xFB,0xE4,0x47,0xE8,0x7F,0xA5,0x24, + 0x87,0x6F,0xFB,0xE8,0x3D,0x0B,0x0B,0x01,0xB4,0xBB,0xAF,0x99,0x14,0x16,0x0A,0x46, + 0x2A,0x6E,0xD2,0x1D,0xBD,0x24,0x79,0x76,0xB9,0xFC,0x0D,0x18,0xB0,0xE1,0xC2,0x73, + 0x15,0xF7,0x04,0xC3,0x45,0x49,0x16,0x1B,0xD0,0x85,0x72,0xD1,0xBC,0x7C,0x5D,0x11, + 0xB6,0xFF,0x02,0x03,0x01,0x00,0x01,0xA3,0x45,0x30,0x43,0x30,0x12,0x06,0x03,0x55, + 0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x03,0x30, + 0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30, + 
0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x9C,0x0D,0xCC,0x81,0x68,0x89, + 0x97,0x76,0x54,0xB2,0xDF,0xAA,0xD1,0xC3,0x76,0xD1,0x25,0x16,0xD8,0xF9,0x30,0x0D, + 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01, + 0x01,0x00,0xBD,0xAE,0x74,0x88,0x29,0x25,0x03,0xA9,0xDD,0x06,0xF5,0xEA,0x7E,0xEC, + 0x8B,0xB1,0xDA,0xB9,0xAB,0xE0,0xA5,0x2B,0x8F,0x1B,0x21,0x11,0x88,0x06,0xAD,0xA3, + 0x01,0xBA,0x73,0xFA,0xE3,0x38,0xE6,0xA8,0x32,0xBE,0x8F,0xAE,0xB2,0x77,0x8C,0xD9, + 0x75,0x46,0x49,0x43,0x7C,0x71,0x56,0x08,0xDD,0xB6,0x46,0x9A,0x0A,0x07,0xE7,0x7C, + 0xD9,0xC9,0xA6,0xCB,0x2B,0x3F,0xE2,0x05,0x5D,0xE9,0xFC,0xE0,0xDF,0x02,0xB5,0x84, + 0xE0,0x5C,0x0C,0x28,0x30,0xDF,0x59,0x11,0x7D,0xB9,0x2B,0xDA,0x9E,0x7E,0xD8,0x61, + 0x13,0xAA,0xFE,0x3A,0x7F,0xA9,0x87,0x78,0xD2,0xB1,0x06,0xE9,0xC3,0x6F,0x68,0xED, + 0x90,0xE4,0x08,0x3F,0x6C,0x85,0xD4,0x75,0xA3,0x46,0x8E,0x3C,0x02,0xEE,0x6E,0x8B, + 0x3E,0x46,0x2A,0x3C,0x3E,0x1C,0x44,0xCA,0x75,0x58,0xA0,0xEB,0xED,0x18,0xCA,0x99, + 0x20,0x6B,0x8E,0xEA,0xD0,0xAC,0x0E,0x96,0x17,0x85,0x06,0xCA,0x69,0x80,0xCB,0x95, + 0xC0,0xB2,0x95,0x0B,0x72,0xF7,0xAA,0x81,0x64,0xDE,0x95,0xAF,0x89,0xBC,0x82,0x02, + 0x6A,0xB5,0x32,0x91,0xED,0x33,0x47,0x0F,0x66,0x9E,0x8B,0xEC,0x2B,0xF8,0xEA,0x1E, + 0x55,0xAD,0x48,0xB9,0xBE,0xC3,0xFB,0xBB,0x07,0xF5,0xDA,0xDF,0x38,0xF2,0x48,0xF0, + 0x7D,0x4A,0x9C,0x02,0x83,0x08,0xB6,0xDF,0x4D,0x96,0xCA,0x6E,0x60,0xD9,0x20,0x7F, + 0x61,0xAA,0x0A,0xF8,0x11,0xCE,0x85,0x75,0x2D,0x2C,0x43,0x53,0x2D,0x9D,0xD2,0x24, + 0xE1,0x83,0xC4,0xA7,0xAD,0xEF,0x4C,0xC9,0xC7,0x3D,0xC1,0xD1,0xB0,0x32,0x9D,0x99, + 0xBC,0x51, +}; + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-256 Root CA */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-1 Root CA */ +unsigned char _pathScoringSHA2CrossSHA1[1037]={ + 0x30,0x82,0x04,0x09,0x30,0x82,0x02,0xF1,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x7B, + 
0x3C,0xA2,0x3A,0xC8,0xD9,0x66,0x59,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x90,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C, + 0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06, + 0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31, + 0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C, + 0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14, + 0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65, + 0x72,0x69,0x6E,0x67,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x03,0x0C,0x1A,0x50, + 0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53,0x48,0x41,0x2D, + 0x31,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30, + 0x34,0x32,0x38,0x32,0x31,0x35,0x39,0x35,0x38,0x5A,0x17,0x0D,0x31,0x37,0x30,0x34, + 0x32,0x38,0x32,0x31,0x35,0x39,0x35,0x38,0x5A,0x30,0x81,0x92,0x31,0x0B,0x30,0x09, + 0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, + 0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12, + 0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69, + 0x6E,0x6F,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70, + 0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04, + 0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69, + 0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x25,0x30,0x23,0x06,0x03,0x55,0x04,0x03, + 0x0C,0x1C,0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53, + 0x48,0x41,0x2D,0x32,0x35,0x36,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82, + 0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05, + 0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC2, + 
0xB8,0x58,0x1B,0xA2,0x26,0xA0,0x78,0xFE,0x3D,0x97,0x87,0x5C,0xA4,0xA1,0x12,0x5D, + 0x3F,0x1D,0xC9,0x02,0x65,0xDA,0xB4,0x5D,0x55,0x63,0x77,0xC5,0x61,0x62,0x18,0x3B, + 0x81,0x18,0x68,0x6A,0xA2,0xC9,0xC9,0x60,0xB0,0xEE,0x45,0x44,0x33,0x37,0x48,0x9D, + 0x73,0x83,0xA3,0x47,0xBC,0x73,0x65,0x42,0xAF,0x94,0x01,0x68,0x7E,0x92,0x6A,0xFF, + 0xA5,0x26,0x33,0x93,0x1B,0xA8,0xE0,0x25,0x93,0x62,0xB6,0x40,0x50,0x73,0x67,0x5F, + 0xDF,0x72,0x61,0x71,0x80,0xEC,0xE2,0x06,0x6A,0x7F,0xE3,0x96,0x0C,0x3F,0x16,0x39, + 0xE0,0xB6,0x73,0x0A,0x8F,0x77,0x97,0xBC,0x0C,0x34,0x48,0x1B,0x53,0x7B,0xDE,0x80, + 0x11,0x06,0x7B,0x53,0x41,0x7F,0x8B,0x9C,0x0E,0xD2,0x39,0x51,0xEF,0xC5,0xAD,0xFD, + 0x37,0x9E,0x17,0xC9,0xF3,0xCA,0xDC,0x66,0xB1,0x69,0xA3,0x27,0x56,0xCB,0x42,0xD3, + 0x5A,0x64,0x1E,0x48,0x91,0x91,0x2D,0x1A,0x1D,0x2E,0x5C,0x13,0x48,0x28,0x1C,0x39, + 0x6D,0x8F,0x4F,0xAE,0x0A,0x77,0x35,0x08,0xD8,0xBC,0x74,0xDE,0xB3,0xB9,0xE8,0xDA, + 0x2B,0x7A,0x4E,0x92,0x60,0xA5,0x42,0xE2,0xB1,0x76,0x55,0x5C,0x89,0x6A,0x71,0x73, + 0x65,0xE0,0xBE,0x83,0x47,0x39,0xFB,0xE4,0x47,0xE8,0x7F,0xA5,0x24,0x87,0x6F,0xFB, + 0xE8,0x3D,0x0B,0x0B,0x01,0xB4,0xBB,0xAF,0x99,0x14,0x16,0x0A,0x46,0x2A,0x6E,0xD2, + 0x1D,0xBD,0x24,0x79,0x76,0xB9,0xFC,0x0D,0x18,0xB0,0xE1,0xC2,0x73,0x15,0xF7,0x04, + 0xC3,0x45,0x49,0x16,0x1B,0xD0,0x85,0x72,0xD1,0xBC,0x7C,0x5D,0x11,0xB6,0xFF,0x02, + 0x03,0x01,0x00,0x01,0xA3,0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01, + 0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F, + 0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x02,0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, + 0x04,0x16,0x04,0x14,0x9C,0x0D,0xCC,0x81,0x68,0x89,0x97,0x76,0x54,0xB2,0xDF,0xAA, + 0xD1,0xC3,0x76,0xD1,0x25,0x16,0xD8,0xF9,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04, + 0x18,0x30,0x16,0x80,0x14,0x16,0x69,0x41,0x49,0x0A,0x45,0xCB,0xB8,0x53,0x2E,0x21, + 0x9D,0x93,0x63,0x84,0xFC,0x2C,0x2E,0x93,0x9A,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, + 0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x67,0xD1,0x7F, + 
0x75,0xCD,0x7F,0x29,0x39,0x08,0x8A,0x11,0x20,0x35,0x72,0xD9,0x7B,0x06,0x20,0x0F, + 0xB9,0x08,0xD4,0xFF,0x6A,0xA6,0x56,0xF3,0x06,0x82,0x6A,0x42,0x03,0x8A,0x45,0xC3, + 0x58,0xB1,0xE9,0xFF,0x40,0xFB,0xE1,0x14,0xA1,0x40,0xE5,0x95,0x46,0x44,0xAA,0x78, + 0xAC,0x95,0x2F,0x8C,0x68,0x94,0x50,0xD5,0xBA,0x87,0x6C,0x55,0x69,0x6D,0xBF,0x58, + 0x4C,0x0E,0x67,0x7E,0xEE,0xAF,0x41,0x56,0xAF,0x60,0x5B,0x4D,0xA7,0xA1,0xAE,0x91, + 0xEF,0x24,0xDC,0x2E,0xF7,0x04,0xA1,0x21,0xAC,0x28,0xEB,0x56,0x82,0xB0,0x49,0x96, + 0x34,0x7A,0xC9,0xAD,0x79,0x35,0x39,0x9B,0x66,0xA8,0x10,0xC8,0xF1,0xC6,0x03,0x1E, + 0xFB,0x49,0x55,0xB9,0x83,0x05,0x4B,0xF2,0xBD,0xC5,0xA7,0x5F,0x11,0xDF,0x59,0x0D, + 0x60,0x42,0xF1,0x9F,0x47,0x36,0x15,0x9C,0x59,0x3A,0xB9,0xA9,0xD3,0x5F,0x0E,0x2B, + 0xEB,0x2A,0x75,0x42,0x13,0x61,0x71,0xE2,0x93,0x38,0x9A,0x93,0x27,0x95,0x50,0x42, + 0x30,0xF9,0x59,0x49,0x66,0xBE,0xCA,0xEA,0x51,0x22,0x30,0x5F,0xA0,0xF2,0x7A,0xF4, + 0x95,0x3C,0x9A,0x5D,0x8A,0xAE,0x7C,0xBA,0x94,0x10,0xB3,0x7B,0x77,0x12,0x9F,0x30, + 0x97,0x19,0x7B,0x82,0x7B,0xDB,0x9B,0xFC,0x83,0x3A,0xD5,0x6A,0x6E,0x2A,0x9F,0xB6, + 0x04,0xB8,0xD1,0x68,0xBC,0x35,0xCF,0x24,0x55,0xA7,0xFE,0x63,0xEE,0x08,0xA3,0xDD, + 0x16,0x4D,0xF6,0xA1,0x8D,0x12,0x8A,0x18,0x11,0x41,0x7D,0xC5,0xBB,0x2C,0x5B,0xF8, + 0xDB,0x07,0x56,0xAB,0x06,0x19,0x4B,0x60,0x11,0xB4,0x79,0x45,0x13, +}; + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-256 Root CA */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-2 Root 2 */ +unsigned char _pathScoringSHA2CrossSHA2[1037]={ + 0x30,0x82,0x04,0x09,0x30,0x82,0x02,0xF1,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0x85,0x03,0xAD,0x19,0x1A,0x67,0x3A,0x85,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,0x8F,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08, + 
0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10, + 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 0x65,0x72,0x69,0x6E,0x67,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03,0x0C,0x19, + 0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53,0x48,0x41, + 0x2D,0x32,0x20,0x52,0x6F,0x6F,0x74,0x20,0x32,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30, + 0x34,0x32,0x38,0x32,0x32,0x32,0x38,0x35,0x36,0x5A,0x17,0x0D,0x31,0x37,0x30,0x34, + 0x32,0x38,0x32,0x32,0x32,0x38,0x35,0x36,0x5A,0x30,0x81,0x92,0x31,0x0B,0x30,0x09, + 0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, + 0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12, + 0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69, + 0x6E,0x6F,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70, + 0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04, + 0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69, + 0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x25,0x30,0x23,0x06,0x03,0x55,0x04,0x03, + 0x0C,0x1C,0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53, + 0x48,0x41,0x2D,0x32,0x35,0x36,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82, + 0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05, + 0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC2, + 0xB8,0x58,0x1B,0xA2,0x26,0xA0,0x78,0xFE,0x3D,0x97,0x87,0x5C,0xA4,0xA1,0x12,0x5D, + 0x3F,0x1D,0xC9,0x02,0x65,0xDA,0xB4,0x5D,0x55,0x63,0x77,0xC5,0x61,0x62,0x18,0x3B, + 0x81,0x18,0x68,0x6A,0xA2,0xC9,0xC9,0x60,0xB0,0xEE,0x45,0x44,0x33,0x37,0x48,0x9D, + 
0x73,0x83,0xA3,0x47,0xBC,0x73,0x65,0x42,0xAF,0x94,0x01,0x68,0x7E,0x92,0x6A,0xFF, + 0xA5,0x26,0x33,0x93,0x1B,0xA8,0xE0,0x25,0x93,0x62,0xB6,0x40,0x50,0x73,0x67,0x5F, + 0xDF,0x72,0x61,0x71,0x80,0xEC,0xE2,0x06,0x6A,0x7F,0xE3,0x96,0x0C,0x3F,0x16,0x39, + 0xE0,0xB6,0x73,0x0A,0x8F,0x77,0x97,0xBC,0x0C,0x34,0x48,0x1B,0x53,0x7B,0xDE,0x80, + 0x11,0x06,0x7B,0x53,0x41,0x7F,0x8B,0x9C,0x0E,0xD2,0x39,0x51,0xEF,0xC5,0xAD,0xFD, + 0x37,0x9E,0x17,0xC9,0xF3,0xCA,0xDC,0x66,0xB1,0x69,0xA3,0x27,0x56,0xCB,0x42,0xD3, + 0x5A,0x64,0x1E,0x48,0x91,0x91,0x2D,0x1A,0x1D,0x2E,0x5C,0x13,0x48,0x28,0x1C,0x39, + 0x6D,0x8F,0x4F,0xAE,0x0A,0x77,0x35,0x08,0xD8,0xBC,0x74,0xDE,0xB3,0xB9,0xE8,0xDA, + 0x2B,0x7A,0x4E,0x92,0x60,0xA5,0x42,0xE2,0xB1,0x76,0x55,0x5C,0x89,0x6A,0x71,0x73, + 0x65,0xE0,0xBE,0x83,0x47,0x39,0xFB,0xE4,0x47,0xE8,0x7F,0xA5,0x24,0x87,0x6F,0xFB, + 0xE8,0x3D,0x0B,0x0B,0x01,0xB4,0xBB,0xAF,0x99,0x14,0x16,0x0A,0x46,0x2A,0x6E,0xD2, + 0x1D,0xBD,0x24,0x79,0x76,0xB9,0xFC,0x0D,0x18,0xB0,0xE1,0xC2,0x73,0x15,0xF7,0x04, + 0xC3,0x45,0x49,0x16,0x1B,0xD0,0x85,0x72,0xD1,0xBC,0x7C,0x5D,0x11,0xB6,0xFF,0x02, + 0x03,0x01,0x00,0x01,0xA3,0x63,0x30,0x61,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01, + 0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F, + 0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x02,0x04,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, + 0x04,0x16,0x04,0x14,0x9C,0x0D,0xCC,0x81,0x68,0x89,0x97,0x76,0x54,0xB2,0xDF,0xAA, + 0xD1,0xC3,0x76,0xD1,0x25,0x16,0xD8,0xF9,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04, + 0x18,0x30,0x16,0x80,0x14,0xEE,0x14,0x01,0x4A,0x7C,0x0F,0xF6,0x93,0x65,0x78,0xC9, + 0x0B,0x36,0x7E,0xE1,0xA4,0x08,0x10,0xE0,0x96,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48, + 0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x82,0xA2,0xED, + 0x51,0x1F,0x5B,0xDF,0x8E,0x4F,0x63,0x3D,0xF1,0xC2,0xF7,0x69,0x7F,0xC6,0xD5,0x3D, + 0x41,0x85,0xBB,0x6C,0xF1,0xD7,0xFC,0x31,0x3A,0xEB,0x43,0x54,0x1F,0x79,0x2A,0xCE, + 0xC2,0xEE,0x02,0x73,0xBD,0xB0,0x76,0xF9,0x4C,0xD8,0xF6,0x4E,0x67,0xDD,0xE9,0xC0, + 
0xCA,0x76,0xD5,0x70,0xCE,0xA7,0x70,0xBC,0xDF,0x8A,0x1C,0x0A,0xF4,0x2C,0x0A,0x3B, + 0x9D,0x88,0xBD,0x6F,0x34,0x6C,0x17,0x80,0x37,0x68,0x4F,0x8E,0x83,0x8F,0xD4,0xA9, + 0x52,0x02,0x8C,0xA5,0xB3,0x06,0x7F,0x60,0x0B,0x8E,0x5D,0x90,0xE8,0x15,0x24,0xF6, + 0x72,0x0D,0xCC,0xF1,0xF0,0x99,0x38,0xAB,0x49,0x80,0x57,0xC1,0x6E,0x64,0xCE,0xE6, + 0xF1,0x44,0x94,0x32,0x7E,0x70,0x25,0x1B,0x40,0xBC,0x7D,0x3C,0x2D,0xD5,0xB2,0x3F, + 0xDF,0xAD,0xCE,0x25,0x3C,0x36,0x3B,0xE5,0x6E,0x7E,0xA3,0x41,0xA6,0xA8,0x63,0x41, + 0x35,0x62,0x12,0xEB,0x61,0x45,0x79,0x64,0x34,0xA8,0xA8,0xCB,0x89,0x38,0xC9,0xE8, + 0x70,0xBC,0xD3,0xFF,0x4C,0x07,0x27,0x69,0xBD,0x07,0xD1,0x28,0x60,0xF5,0xD7,0x5D, + 0x11,0xDA,0x93,0x95,0xAC,0x0E,0xC9,0x5D,0x8A,0x42,0x79,0xD7,0x4B,0xC3,0x59,0x67, + 0xEC,0x66,0xAA,0x92,0x35,0x1B,0xAC,0x0F,0xD6,0x69,0x1C,0xBB,0x5F,0xFE,0x3A,0x78, + 0xC1,0x5E,0x7F,0x5F,0x8D,0xFE,0xCD,0xB2,0xCE,0xBC,0xBB,0xFE,0xC0,0x78,0xBC,0x6B, + 0xB2,0x89,0x75,0xC2,0x85,0x36,0xBC,0x52,0x5C,0x79,0xEE,0x06,0x83,0x64,0xB9,0xEE, + 0x7B,0xB5,0xE6,0x77,0x02,0xB1,0xAD,0x6C,0x93,0x62,0x54,0xA9,0xFF, +}; + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-1 Root CA */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-1 Root CA */ +unsigned char _pathScoringSHA1Root[1006]={ + 0x30,0x82,0x03,0xEA,0x30,0x82,0x02,0xD2,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xBA,0x20,0x76,0x50,0x1F,0x96,0xBA,0xB0,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x81,0x90,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08, + 0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10, + 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 
0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 0x65,0x72,0x69,0x6E,0x67,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04,0x03,0x0C,0x1A, + 0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53,0x48,0x41, + 0x2D,0x31,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x36, + 0x30,0x34,0x32,0x37,0x32,0x33,0x32,0x30,0x33,0x36,0x5A,0x17,0x0D,0x31,0x36,0x30, + 0x35,0x32,0x37,0x32,0x33,0x32,0x30,0x33,0x36,0x5A,0x30,0x81,0x90,0x31,0x0B,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03, + 0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31, + 0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74, + 0x69,0x6E,0x6F,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70, + 0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55, + 0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67, + 0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x23,0x30,0x21,0x06,0x03,0x55,0x04, + 0x03,0x0C,0x1A,0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20, + 0x53,0x48,0x41,0x2D,0x31,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01, + 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, + 0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xF6,0x23, + 0x3F,0x1E,0x96,0x9F,0xD3,0xD3,0xE1,0xF3,0x18,0x17,0xB8,0x5F,0xFD,0xFE,0xD6,0x83, + 0x72,0xD0,0x40,0x76,0xAE,0x85,0x66,0xFA,0x56,0x3D,0xF6,0x13,0xD2,0xC4,0xC1,0x96, + 0x54,0x9C,0x8A,0x5B,0xC8,0xAA,0x26,0x40,0x21,0x15,0xC1,0x18,0xA8,0x86,0xB7,0xAB, + 0x98,0xFB,0x91,0xFC,0xE4,0x40,0xC7,0x24,0x44,0xFD,0xCB,0x28,0xFA,0x9F,0x01,0x55, + 0x36,0xD2,0x92,0xE1,0xD6,0x6E,0x83,0x04,0xD1,0x9B,0x5C,0xF0,0x2B,0x9E,0xCA,0xA9, + 0x1A,0x56,0x4C,0x7D,0x7B,0x74,0xE6,0x66,0x86,0x5B,0x3A,0xC0,0xC2,0x7F,0x01,0x17, + 
0xD0,0xB5,0x05,0x5A,0x8B,0x3D,0xE5,0xF0,0xE3,0x0C,0xBB,0x3B,0x4C,0x3D,0x82,0x50, + 0xC5,0xAB,0xF0,0x16,0xD2,0xF0,0x9C,0x3A,0x85,0x7E,0xC8,0xCA,0x05,0x00,0x04,0xA3, + 0x20,0x88,0x59,0xB3,0xA7,0x3F,0xFD,0x57,0xB7,0xC9,0x25,0x36,0x03,0xDD,0x69,0x1E, + 0x1F,0xB3,0x86,0xC2,0x05,0x29,0x83,0x8A,0xA3,0xC9,0xAE,0x39,0xA3,0x2B,0xB8,0xC5, + 0xB9,0x9B,0x04,0x44,0xA5,0x86,0xA0,0x87,0xF7,0x8F,0x61,0x6B,0xB2,0xA6,0x14,0x06, + 0x5E,0x31,0x6C,0x55,0x76,0xB9,0xEA,0x07,0xE8,0x2B,0x07,0x66,0x3E,0x2B,0xB6,0x83, + 0x23,0x6C,0x92,0xD0,0xCF,0xC7,0x1C,0x01,0xAC,0x24,0x1C,0xAD,0xB2,0xE1,0x88,0x42, + 0x65,0x4C,0x5E,0xBD,0xDB,0x84,0x3E,0x8F,0xC3,0xEE,0x9A,0x96,0x5A,0x12,0x78,0xCE, + 0x6D,0xA6,0x1A,0xB1,0xE3,0x2D,0xA2,0xA3,0x1E,0x13,0xAB,0xDA,0x4B,0xC1,0x15,0xAC, + 0x00,0xBC,0x69,0x19,0xA1,0x5E,0x13,0x5A,0x94,0x8B,0x24,0x86,0xFA,0xCF,0x02,0x03, + 0x01,0x00,0x01,0xA3,0x45,0x30,0x43,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,0x01,0x01, + 0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x03,0x30,0x0E,0x06,0x03,0x55, + 0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55, + 0x1D,0x0E,0x04,0x16,0x04,0x14,0x16,0x69,0x41,0x49,0x0A,0x45,0xCB,0xB8,0x53,0x2E, + 0x21,0x9D,0x93,0x63,0x84,0xFC,0x2C,0x2E,0x93,0x9A,0x30,0x0D,0x06,0x09,0x2A,0x86, + 0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xC9,0x58, + 0xA9,0x2A,0x2E,0xF0,0x4A,0x92,0x56,0x1E,0x49,0x5A,0xB6,0xD1,0x2C,0xC2,0xCD,0x46, + 0x8A,0x23,0xAB,0x8D,0xE7,0x27,0xA5,0x13,0x13,0x68,0xD2,0x3B,0x55,0x68,0x16,0x18, + 0xCD,0x9E,0x59,0x42,0xE3,0xB9,0x8D,0xEF,0x40,0x0F,0x07,0x3C,0x6F,0x14,0x9B,0x96, + 0xBE,0x05,0x61,0x8B,0x8F,0xAC,0xE3,0xB6,0x55,0xC5,0xAA,0x60,0x7D,0x7E,0x88,0x21, + 0x1C,0xE0,0x79,0x4E,0x7C,0x81,0x0E,0x2F,0xA0,0xEA,0xCC,0x60,0x51,0x81,0x22,0x4D, + 0x22,0xD5,0x50,0x69,0x38,0xBB,0x78,0x22,0xCF,0xA4,0xEE,0xF7,0x3D,0x32,0x9C,0x97, + 0xB1,0x08,0x72,0x5A,0x5F,0x5D,0x87,0x57,0x2B,0x79,0x0B,0x1E,0x02,0x0E,0xEF,0xF0, + 0x51,0x90,0xB4,0x30,0x96,0x96,0x6B,0xB8,0x27,0xCE,0x21,0x16,0x2E,0xFB,0xC8,0x3B, + 
0x67,0x5C,0xAF,0x5F,0xA2,0xB4,0x62,0x13,0x42,0x29,0xEB,0x6F,0x23,0x20,0xCA,0xC0, + 0x00,0x4A,0x3F,0x17,0x42,0x60,0x23,0xA2,0x62,0xCC,0x2F,0x9B,0x45,0xFD,0x96,0xE9, + 0xCC,0x91,0x97,0xAD,0x4B,0x22,0x68,0xD5,0x5C,0x80,0x37,0x8C,0xA9,0xC2,0xBC,0x0E, + 0x73,0xD2,0x0F,0x1A,0x9E,0x38,0xF7,0xA1,0x0F,0x54,0x5F,0x19,0x67,0x2C,0x5F,0x19, + 0x1C,0x1E,0xC1,0x94,0x0B,0x3D,0x45,0xBE,0x2C,0xB4,0x0E,0xB8,0xC5,0x0F,0x90,0x5C, + 0x56,0xC0,0xCF,0x10,0x5D,0xF8,0x8E,0xFD,0x89,0xFB,0x79,0xE5,0x7F,0x90,0x23,0x32, + 0x59,0xFB,0x82,0xA1,0xE0,0xED,0xFD,0x78,0xB5,0x6A,0x43,0x16,0x74,0x63,0x12,0x4A, + 0x69,0x9E,0x2B,0x89,0xD2,0x0F,0xED,0x16,0x03,0xAF,0x22,0xA0,0x50,0x84, +}; + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring 1024-bit Root CA */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring 1024-bit Root CA */ +unsigned char _pathScoring1024Root[751]={ + 0x30,0x82,0x02,0xEB,0x30,0x82,0x02,0x54,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xED,0x39,0x85,0x61,0x84,0x81,0x40,0x27,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,0x93,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08, + 0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10, + 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 0x65,0x72,0x69,0x6E,0x67,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x03,0x0C,0x1D, + 0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x31,0x30,0x32, + 0x34,0x2D,0x62,0x69,0x74,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x1E,0x17, + 
0x0D,0x31,0x36,0x30,0x34,0x32,0x37,0x32,0x33,0x32,0x31,0x31,0x36,0x5A,0x17,0x0D, + 0x31,0x36,0x30,0x35,0x32,0x37,0x32,0x33,0x32,0x31,0x31,0x36,0x5A,0x30,0x81,0x93, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30, + 0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E, + 0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70, + 0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C, + 0x0B,0x41,0x70,0x70,0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B, + 0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20, + 0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x26,0x30,0x24,0x06, + 0x03,0x55,0x04,0x03,0x0C,0x1D,0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69, + 0x6E,0x67,0x20,0x31,0x30,0x32,0x34,0x2D,0x62,0x69,0x74,0x20,0x52,0x6F,0x6F,0x74, + 0x20,0x43,0x41,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D, + 0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00, + 0xC5,0x95,0x90,0x2B,0x48,0x5F,0x05,0x00,0xBE,0xAB,0x39,0x44,0x4A,0x49,0x13,0x53, + 0xE2,0xBF,0x96,0x27,0x74,0x4B,0xF1,0x2E,0xD3,0xAC,0x91,0x71,0xB1,0x3B,0x45,0xC0, + 0xF8,0xC7,0x1A,0x6F,0x14,0x5C,0x30,0xEB,0x0D,0x76,0x22,0x88,0xB6,0x10,0x25,0x86, + 0xA0,0x97,0x8A,0x25,0x58,0x20,0x97,0x91,0x6E,0xCD,0x29,0xD1,0x3B,0x4C,0x1F,0xC5, + 0xF9,0x76,0xB8,0x39,0x03,0x5D,0x36,0x35,0x89,0x51,0x9B,0x1D,0xB7,0xFB,0x0A,0xD8, + 0x02,0x60,0x08,0xA0,0x6E,0x60,0x7F,0x2C,0x79,0x59,0x51,0xE7,0x5C,0x51,0x91,0xEE, + 0x56,0x04,0xBB,0xF8,0x21,0x16,0x96,0xCE,0x5D,0x77,0xB3,0xB8,0x00,0xDC,0x22,0x9C, + 0x7C,0x34,0x21,0x90,0x89,0x5C,0xD5,0xFC,0x5F,0x92,0xFE,0x58,0x36,0xA3,0x26,0xD9, + 0x02,0x03,0x01,0x00,0x01,0xA3,0x45,0x30,0x43,0x30,0x12,0x06,0x03,0x55,0x1D,0x13, + 0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x03,0x30,0x0E,0x06, + 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06, + 
0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x33,0x7A,0x50,0x9A,0x1D,0xDE,0xED,0x5E, + 0x1F,0xAA,0x16,0x7F,0x6F,0x2E,0x04,0xB0,0x45,0xBF,0xB4,0x27,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x81,0x81,0x00,0xB5, + 0x5E,0x70,0xD9,0xE8,0x6B,0xC1,0x01,0xFE,0xFB,0xCD,0xB7,0x9B,0xF9,0x01,0xBD,0xC2, + 0x03,0x7A,0xF6,0x69,0xCB,0x05,0x74,0xA8,0x96,0x95,0xB8,0x05,0xEE,0x9B,0xAF,0x03, + 0x73,0xB8,0x84,0xBC,0x38,0x02,0xEE,0x93,0x54,0xFD,0xDD,0x5E,0x94,0x71,0x49,0x95, + 0xA9,0x7F,0xDB,0xF1,0x33,0x03,0x18,0x35,0x2B,0xFF,0x47,0x89,0xBA,0xB6,0xCF,0x86, + 0x55,0x47,0x4C,0x5D,0x8E,0xEE,0xF0,0xFB,0x65,0x9F,0x11,0x13,0xF4,0xE2,0x21,0x2E, + 0xA9,0x22,0x4F,0x9D,0x13,0xE6,0x4A,0x73,0x7D,0xBC,0x0F,0xE9,0x66,0x4F,0x28,0xEF, + 0x33,0x37,0x1E,0x99,0x6A,0xFC,0x6F,0x4A,0x83,0x49,0xD0,0x2F,0x47,0x3C,0x54,0x92, + 0xD3,0xF2,0x45,0xCA,0xD1,0x57,0x57,0x1F,0x53,0x8B,0x86,0x48,0xA8,0x2C,0x41, +}; + +/* subject:/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-2 Root 2 */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple, Inc./OU=Security Engineering/CN=Path Scoring SHA-2 Root 2 */ +unsigned char _pathScoringSHA2Root2[1004]={ + 0x30,0x82,0x03,0xE8,0x30,0x82,0x02,0xD0,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xA9,0x2E,0x82,0xBE,0xE1,0xBD,0xCE,0x0A,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x81,0x8F,0x31,0x0B,0x30,0x09,0x06,0x03, + 0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08, + 0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10, + 0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F, + 0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70,0x6C,0x65, + 0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65, + 
0x65,0x72,0x69,0x6E,0x67,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03,0x0C,0x19, + 0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53,0x48,0x41, + 0x2D,0x32,0x20,0x52,0x6F,0x6F,0x74,0x20,0x32,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30, + 0x34,0x32,0x38,0x30,0x30,0x33,0x33,0x32,0x37,0x5A,0x17,0x0D,0x32,0x36,0x30,0x34, + 0x32,0x36,0x30,0x30,0x33,0x33,0x32,0x37,0x5A,0x30,0x81,0x8F,0x31,0x0B,0x30,0x09, + 0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, + 0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12, + 0x30,0x10,0x06,0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69, + 0x6E,0x6F,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0B,0x41,0x70,0x70, + 0x6C,0x65,0x2C,0x20,0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04, + 0x0B,0x0C,0x14,0x53,0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69, + 0x6E,0x65,0x65,0x72,0x69,0x6E,0x67,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x03, + 0x0C,0x19,0x50,0x61,0x74,0x68,0x20,0x53,0x63,0x6F,0x72,0x69,0x6E,0x67,0x20,0x53, + 0x48,0x41,0x2D,0x32,0x20,0x52,0x6F,0x6F,0x74,0x20,0x32,0x30,0x82,0x01,0x22,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82, + 0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xD9,0x77,0x10,0x8C, + 0xF1,0xA8,0x45,0x96,0xD4,0xD9,0x4D,0x3A,0x8D,0x57,0x63,0x21,0x40,0xB8,0x26,0x29, + 0x71,0xAC,0x6C,0xBF,0x39,0x07,0x09,0x3A,0x51,0xA8,0xB6,0x05,0x63,0xBB,0x1B,0x72, + 0xD7,0xD8,0x7C,0x4F,0x47,0x4C,0x49,0x68,0xE5,0xD9,0x94,0x68,0xA3,0x01,0xCA,0x1E, + 0x42,0xB0,0xDA,0xD1,0xBF,0xFB,0xEE,0x8D,0x7D,0x1B,0x80,0x1A,0xCA,0x1B,0x8B,0x47, + 0xDE,0x00,0xF1,0x1B,0x47,0x47,0x77,0xA5,0x3F,0xA4,0x38,0x81,0x1D,0x84,0xAF,0xCC, + 0x28,0x0A,0x42,0x4D,0xB7,0x5A,0xFB,0xA4,0x6A,0x31,0x24,0x52,0x49,0x56,0x33,0xCB, + 0xE6,0xD0,0xBF,0xB5,0x13,0x20,0x13,0x43,0x9D,0x5F,0x6D,0x2A,0x6F,0xEB,0x71,0xD4, + 0x80,0xBC,0xD0,0x1A,0xDB,0xD9,0xCF,0x44,0x9B,0x26,0xBE,0x08,0x88,0xCF,0x3E,0xC6, + 
0x2B,0x97,0x31,0xF7,0xCF,0x9B,0x42,0x25,0x65,0x8B,0x99,0x05,0xBE,0x8F,0x01,0xE4, + 0x78,0x2B,0x13,0xB1,0x2F,0x60,0x15,0x04,0x77,0x96,0xA0,0xC2,0x1D,0x94,0xFC,0x6A, + 0x00,0x11,0xC7,0x2C,0x6D,0x0A,0x61,0x1E,0x21,0x1B,0xA8,0xC8,0x62,0x5A,0xA7,0x77, + 0xFE,0x21,0x8E,0x3B,0x92,0xD9,0x18,0x99,0x9E,0xF7,0x5B,0xBF,0xDC,0x8B,0x99,0x7B, + 0x16,0xD3,0x81,0xB0,0xB5,0xE3,0xEF,0x2C,0x4E,0x69,0x98,0x13,0x7E,0x84,0xC1,0xA5, + 0x0E,0xFE,0x58,0xFB,0x11,0x0A,0x9C,0xCD,0x40,0xA8,0x8D,0xC2,0x5C,0x15,0xE6,0x01, + 0xCD,0x4E,0x8C,0x82,0xF6,0xB0,0x11,0xD0,0x61,0xFA,0x8F,0xAF,0x16,0xF7,0x79,0x9E, + 0xAE,0x39,0xD3,0x7F,0x6A,0xE8,0x05,0xBB,0xE4,0x1C,0x02,0x33,0x02,0x03,0x01,0x00, + 0x01,0xA3,0x45,0x30,0x43,0x30,0x12,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, + 0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01,0x02,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F, + 0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, + 0x04,0x16,0x04,0x14,0xEE,0x14,0x01,0x4A,0x7C,0x0F,0xF6,0x93,0x65,0x78,0xC9,0x0B, + 0x36,0x7E,0xE1,0xA4,0x08,0x10,0xE0,0x96,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xBC,0x5D,0xB7,0xB5, + 0x4C,0xC9,0x6A,0x5D,0xC0,0xD6,0x3F,0x49,0x1A,0xCA,0xB6,0xCF,0x9C,0x83,0xF4,0x98, + 0xD4,0x28,0x86,0x2C,0xFF,0xC5,0x0E,0x68,0xDE,0x36,0x93,0xA9,0x47,0x65,0xE9,0xEF, + 0xA3,0xD7,0x1C,0xB6,0x28,0x4E,0xBC,0x84,0xD1,0x7B,0x0C,0x3B,0xD2,0xB5,0xC2,0x6F, + 0xF5,0xCC,0x2E,0x41,0x81,0xB3,0x69,0xDE,0xA2,0x2E,0x8D,0x37,0x5B,0x11,0x60,0xA3, + 0xE1,0xF0,0x3A,0x1C,0x61,0x8A,0xB6,0xBC,0x64,0x74,0xF6,0x3F,0xFF,0x8F,0x45,0x2D, + 0xFF,0x13,0xF1,0x4D,0xCF,0x9C,0x05,0x67,0x81,0xD0,0xE7,0xDD,0x9F,0xE3,0x00,0x7B, + 0x15,0x3E,0x86,0x34,0x6D,0xA1,0xB5,0xF8,0xDF,0x2D,0x9E,0xB0,0x3A,0xE2,0xC9,0xBE, + 0x39,0x1A,0xB1,0xC1,0xF7,0xDB,0x3C,0x92,0x46,0x50,0x65,0xBE,0xC0,0xA7,0x28,0xF8, + 0x85,0xF4,0x78,0x1C,0xFE,0x83,0xDB,0xD9,0x6A,0x55,0xBE,0xB9,0xD2,0x81,0xBE,0xF1, + 0xEA,0xCB,0x0A,0x62,0x44,0x28,0x08,0xFB,0xE3,0x94,0x32,0x47,0x16,0x4E,0xA0,0x09, + 
0x2A,0x79,0xCB,0x44,0x1C,0x96,0x6A,0xD4,0xC5,0x3F,0xBD,0x11,0x39,0xBA,0x0F,0x3A,
+ 0xC3,0xB1,0xE2,0x35,0x82,0x1C,0x41,0x80,0x7D,0x05,0x16,0x4B,0xB4,0x84,0x39,0xEE,
+ 0x3D,0x09,0xF9,0x99,0x62,0xA0,0x93,0x20,0x46,0xE0,0x5A,0xEF,0x21,0x95,0x21,0x6A,
+ 0x6A,0x6C,0x27,0x67,0x23,0xB5,0x17,0x4B,0x00,0xD9,0xCC,0x51,0x64,0x6F,0xE4,0xD0,
+ 0x40,0xDB,0x96,0x2E,0xF8,0x44,0x2D,0x7F,0x5E,0xBA,0xAC,0x6B,0xC2,0x7B,0xC5,0xE8,
+ 0xA6,0xB4,0x43,0x6A,0xA2,0x98,0x0F,0x55,0xE4,0xA9,0xD1,0x78,
+};
+
+#endif /* si_97_sectrust_path_scoring_h */
diff --git a/OSX/sec/Security/Regressions/secitem/si-97-sectrust-path-scoring.m b/OSX/sec/Security/Regressions/secitem/si-97-sectrust-path-scoring.m
new file mode 100644
index 00000000..1e7d3897
--- /dev/null
+++ b/OSX/sec/Security/Regressions/secitem/si-97-sectrust-path-scoring.m
@@ -0,0 +1,256 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ */
+
+#include <AssertMacros.h>
+#import <Foundation/Foundation.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecPolicyPriv.h>
+#include <Security/SecTrust.h>
+#include <utilities/SecCFRelease.h>
+
+#include "shared_regressions.h"
+
+#include "si-97-sectrust-path-scoring.h"
+
+static SecCertificateRef leaf = NULL;
+static SecCertificateRef intSHA2 = NULL;
+static SecCertificateRef intSHA1 = NULL;
+static SecCertificateRef int1024 = NULL;
+static SecCertificateRef rootSHA2 = NULL;
+static SecCertificateRef rootSHA1 = NULL;
+static SecCertificateRef root1024 = NULL;
+static SecCertificateRef crossSHA2_SHA1 = NULL;
+static SecCertificateRef crossSHA2_SHA2 = NULL;
+static SecCertificateRef rootSHA2_2 = NULL;
+static SecPolicyRef basicPolicy = NULL;
+static SecPolicyRef sslPolicy = NULL;
+static NSDate *verifyDate1 = nil;
+static NSDate *verifyDate2 = nil;
+
+static void setup_globals(void) {
+ leaf = SecCertificateCreateWithBytes(NULL, _pathScoringLeaf, sizeof(_pathScoringLeaf));
+ intSHA2 = SecCertificateCreateWithBytes(NULL, _pathScoringIntSHA2, sizeof(_pathScoringIntSHA2));
+ intSHA1 = SecCertificateCreateWithBytes(NULL, _pathScoringIntSHA1, sizeof(_pathScoringIntSHA1));
+ int1024 = SecCertificateCreateWithBytes(NULL, _pathScoringInt1024, sizeof(_pathScoringInt1024));
+ rootSHA2 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2Root, sizeof(_pathScoringSHA2Root));
+ rootSHA1 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA1Root, sizeof(_pathScoringSHA1Root));
+ root1024 = SecCertificateCreateWithBytes(NULL, _pathScoring1024Root, sizeof(_pathScoring1024Root));
+ crossSHA2_SHA1 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2CrossSHA1, sizeof(_pathScoringSHA2CrossSHA1));
+ crossSHA2_SHA2 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2CrossSHA2, sizeof(_pathScoringSHA2CrossSHA2));
+ rootSHA2_2 = SecCertificateCreateWithBytes(NULL, _pathScoringSHA2Root2, sizeof(_pathScoringSHA2Root2));
+
+ basicPolicy = SecPolicyCreateBasicX509();
+ sslPolicy = SecPolicyCreateSSL(true, NULL);
+
+ // May 1, 2016 at 5:53:20 AM PDT
+ verifyDate1 = [NSDate dateWithTimeIntervalSinceReferenceDate:483800000.0];
+ // May 27, 2016 at 4:20:50 PM PDT
+ verifyDate2 = [NSDate dateWithTimeIntervalSinceReferenceDate:486084050.0];
+}
+
+static void cleanup_globals(void) {
+ CFReleaseNull(leaf);
+ CFReleaseNull(intSHA2);
+ CFReleaseNull(intSHA1);
+ CFReleaseNull(int1024);
+ CFReleaseNull(rootSHA2);
+ CFReleaseNull(rootSHA1);
+ CFReleaseNull(root1024);
+ CFReleaseNull(crossSHA2_SHA1);
+ CFReleaseNull(crossSHA2_SHA2);
+ CFReleaseNull(rootSHA2_2);
+
+ CFReleaseNull(basicPolicy);
+ CFReleaseNull(sslPolicy);
+}
+
+static bool testTrust(NSArray *certs, NSArray *anchors, SecPolicyRef policy,
+ NSDate *verifyDate, SecTrustResultType expectedResult,
+ NSArray *expectedChain) {
+ bool testPassed = false;
+ SecTrustRef trust = NULL;
+ SecTrustResultType trustResult = kSecTrustResultInvalid;
+ require_noerr_string(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs,
+ policy,
+ &trust),
+ errOut, "failed to create trust ref");
+ if (anchors) {
+ require_noerr_string(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors),
+ errOut, "failed to set anchors");
+ }
+ require_noerr_string(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate),
+ errOut, "failed to set verify date");
+ require_noerr_string(SecTrustEvaluate(trust, &trustResult),
+ errOut, "failed to evaluate trust");
+
+ /* check result */
+ if (expectedResult == kSecTrustResultUnspecified) {
+ require_string(trustResult == expectedResult,
+ errOut, "unexpected untrusted chain");
+ } else if (expectedResult == kSecTrustResultRecoverableTrustFailure) {
+ require_string(trustResult == expectedResult,
+ errOut, "unexpected trusted chain");
+ }
+
+ /* check the chain that returned */
+ require_string((NSUInteger)SecTrustGetCertificateCount(trust) == [expectedChain count],
+ errOut, "wrong number of certs in result chain");
+ NSUInteger ix, count = [expectedChain count];
+ for (ix = 0; ix < count; ix++) {
+ require_string(CFEqual(SecTrustGetCertificateAtIndex(trust, ix),
+ (__bridge SecCertificateRef)[expectedChain objectAtIndex:ix]),
+ errOut, "chain didn't match expected");
+ }
+ testPassed = true;
+
+errOut:
+ CFReleaseNull(trust);
+ return testPassed;
+}
+
+/* Path Scoring Hierarchy
+ * leaf
+ * ^ ^ ^
+ * / | \
+ * intSHA2 intSHA1 int1024
+ * ^ ^ ^ ^ ^
+ * / | \ | |
+ * rootSHA2 crossSHA2_SHA1 crossSHA2_SHA2 rootSHA1 root1024
+ * ^ ^
+ * | |
+ * rootSHA1 rootSHA2_2
+ */
+
+static void tests(SecPolicyRef policy) {
+ NSArray *certs = nil;
+ NSArray *anchors = nil;
+ NSArray *chain = nil;
+ SecTrustResultType expectedTrustResult = ((policy == basicPolicy) ? kSecTrustResultUnspecified :
+ kSecTrustResultRecoverableTrustFailure);
+
+ /* Choose a short chain over a long chain, when ending in a self-signed cert */
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2];
+ anchors = @[(__bridge id)rootSHA2, (__bridge id)rootSHA2_2];
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2];
+ ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
+ "%s test: choose shorter chain over longer chain, SHA-2",
+ (policy == basicPolicy) ? "accept" : "reject");
+
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)crossSHA2_SHA1];
+ anchors = @[(__bridge id)rootSHA1];
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
+ ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
+ "%s test: choose shorter chain over longer chain, SHA-1",
+ (policy == basicPolicy) ? "accept" : "reject");
+
+ /* Choose a SHA-2 chain over a SHA-1 chain */
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1];
+ anchors = @[(__bridge id)rootSHA1, (__bridge id)rootSHA2];
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2];
+ ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
+ "%s test: choose SHA-2 chain over SHA-1 chain, order 1",
+ (policy == basicPolicy) ? "accept" : "reject");
+
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)intSHA2];
+ anchors = @[(__bridge id)rootSHA2, (__bridge id)rootSHA1];
+ ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
+ "%s test: choose SHA-2 chain over SHA-1 chain, order 2",
+ (policy == basicPolicy) ? "accept" : "reject");
+
+ /* Choose a longer SHA-2 chain over the shorter SHA-1 chain */
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2];
+ anchors = @[(__bridge id)rootSHA1, (__bridge id)rootSHA2_2];
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2, (__bridge id)rootSHA2_2];
+ ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
+ "%s test: choose longer SHA-2 chain over shorter SHA-1 chain",
+ (policy == basicPolicy) ? "accept" : "reject");
+
+ /* Choose 1024-bit temporally valid chain over 2048-bit invalid chain */
+ certs = @[(__bridge id)leaf, (__bridge id)int1024, (__bridge id)intSHA1];
+ anchors = @[(__bridge id)root1024, (__bridge id)rootSHA1];
+ chain = @[(__bridge id)leaf, (__bridge id)int1024, (__bridge id)root1024];
+ ok(testTrust(certs, anchors, policy, verifyDate2, expectedTrustResult, chain),
+ "%s test: choose temporally valid chain over invalid chain",
+ (policy == basicPolicy) ? "accept" : "reject");
+
+ /* Choose an anchored chain over an unanchored chain */
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)rootSHA2];
+ anchors = @[(__bridge id)rootSHA1];
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
+ ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
+ "%s test: choose an anchored chain over an unanchored chain",
+ (policy == basicPolicy) ? "accept" : "reject");
+
+ /* Choose an anchored SHA-1 chain over an unanchored SHA-2 chain */
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)rootSHA2];
+ anchors = @[(__bridge id)rootSHA1];
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
+ ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
+ "%s test: choose anchored SHA-1 chain over unanchored SHA-2 chain",
+ (policy == basicPolicy) ? "accept" : "reject");
+
+ /* Choose an anchored SHA-1 cross-signed chain over unanchored SHA-2 chains */
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2,
+ (__bridge id)crossSHA2_SHA1, (__bridge id)crossSHA2_SHA2, (__bridge id)rootSHA2_2];
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA1, (__bridge id)rootSHA1];
+ ok(testTrust(certs, anchors, policy, verifyDate1, expectedTrustResult, chain),
+ "%s test: choose anchored cross-signed chain over unanchored chains",
+ (policy == basicPolicy) ? "accept" : "reject");
+}
+
+static void accept_tests(void) {
+ tests(basicPolicy);
+
+}
+
+static void reject_tests(void) {
+ /* The leaf certificate is a client SSL certificate, and will fail the sslPolicy. */
+ tests(sslPolicy);
+
+ /* reject only tests */
+ NSArray *certs = nil;
+ NSArray *anchors = nil;
+ NSArray *chain = nil;
+
+ /* Choose a 2048-bit chain over a 1024-bit chain */
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)int1024];
+ anchors = @[(__bridge id)rootSHA2, (__bridge id)root1024];
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)rootSHA2];
+ ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
+ "reject test: choose 2048-bit chain over 1024-bit chain, order 1");
+
+ certs = @[(__bridge id)leaf, (__bridge id)int1024, (__bridge id)intSHA2];
+ anchors = @[(__bridge id)root1024, (__bridge id)rootSHA2];
+ ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
+ "reject test: choose 2048-bit chain over 1024-bit chain, order 2");
+
+ /* Choose a complete chain over an incomplete chain */
+ certs = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)intSHA1, (__bridge id)rootSHA1];
+ anchors = @[];
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA1, (__bridge id)rootSHA1];
+ ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
+ "reject test: choose a chain that ends in a self-signed cert over one that doesn't");
+
+ /* Choose a long chain over a short chain when not ending with a self-signed cert */
+ certs = @[(__bridge id)leaf, (__bridge id)crossSHA2_SHA2, (__bridge id)intSHA2];
+ anchors = nil;
+ chain = @[(__bridge id)leaf, (__bridge id)intSHA2, (__bridge id)crossSHA2_SHA2];
+ ok(testTrust(certs, anchors, sslPolicy, verifyDate1, kSecTrustResultRecoverableTrustFailure, chain),
+ "reject test: choose longer chain over shorter chain, no roots");
+}
+
+int si_97_sectrust_path_scoring(int argc, char *const *argv)
+{
+ plan_tests(2*9 + 4);
+
+ @autoreleasepool {
+ setup_globals();
+ accept_tests();
+ reject_tests();
+ cleanup_globals();
+ }
+
+ return 0;
+}
diff --git a/OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c b/OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c index 0079cb65..bd1da9bd 100644 --- a/OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c +++ b/OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c @@ -23,6 +23,7 @@ #include <Security/SecItem.h> +#include <Security/SecItemPriv.h> #include <Security/SecAccessControl.h> #include <Security/SecAccessControlPriv.h> #include <Security/SecInternal.h> @@ -50,8 +51,6 @@ #include "Security_regressions.h" -static CFTypeRef kSecAccessControlKeyProtection = CFSTR("prot"); - #if LA_CONTEXT_IMPLEMENTED static bool aks_consistency_test(bool currentAuthDataFormat, kern_return_t expectedAksResult, SecAccessControlRef access_control, CFDataRef acm_context); static CFDataRef kc_create_auth_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes); @@ -64,7 +63,7 @@ static int aks_crypt_acl(CFTypeRef operation, keybag_handle_t keybag, static void tests(void) { CFAllocatorRef allocator = kCFAllocatorDefault; - CFTypeRef protection = kSecAttrAccessibleAlways; + CFTypeRef protection = kSecAttrAccessibleAlwaysPrivate; CFErrorRef error = NULL; // Simple API tests: diff --git a/OSX/sec/Security/Regressions/vmdh/vmdh-41-example.c b/OSX/sec/Security/Regressions/vmdh/vmdh-41-example.c index 03943d00..b237f350 100644 --- a/OSX/sec/Security/Regressions/vmdh/vmdh-41-example.c +++ b/OSX/sec/Security/Regressions/vmdh/vmdh-41-example.c @@ -18,15 +18,16 @@ /* How to reach in the internals of SecDH/vmdh struct */ static inline ccdh_gp_t vmdh_gp(struct vmdh *dh) { - void *p = dh; - ccdh_gp_t gp = { .gp = p }; + ccdh_gp_t gp; + gp.gp = (ccdh_gp *)dh; return gp; } static inline ccdh_full_ctx_t vmdh_priv(struct vmdh *dh) { void *p = dh; - cczp_t zp = { .u = p }; + cczp_t zp; + zp.zp = (struct cczp *) dh; cc_size s = ccn_sizeof_n(cczp_n(zp)); ccdh_full_ctx_t priv = { .hdr = (struct ccdh_ctx_header *)(p+ccdh_gp_size(s)) }; return priv; 
diff --git a/OSX/sec/Security/Regressions/vmdh/vmdh-42-example2.c b/OSX/sec/Security/Regressions/vmdh/vmdh-42-example2.c index 102b113e..345cee70 100644 --- a/OSX/sec/Security/Regressions/vmdh/vmdh-42-example2.c +++ b/OSX/sec/Security/Regressions/vmdh/vmdh-42-example2.c @@ -18,15 +18,16 @@ /* How to reach in the internals of SecDH/vmdh struct */ static inline ccdh_gp_t vmdh_gp(struct vmdh *dh) { - void *p = dh; - ccdh_gp_t gp = { .gp = p }; + ccdh_gp_t gp; + gp.gp = (ccdh_gp *)dh; return gp; } static inline ccdh_full_ctx_t vmdh_priv(struct vmdh *dh) { void *p = dh; - cczp_t zp = { .u = p }; + cczp_t zp; + zp.zp = (struct cczp *) dh; cc_size s = ccn_sizeof_n(cczp_n(zp)); ccdh_full_ctx_t priv = { .hdr = (struct ccdh_ctx_header *)(p+ccdh_gp_size(s)) }; return priv; diff --git a/OSX/sec/Security/SecAccessControl.c b/OSX/sec/Security/SecAccessControl.c index 7be943ee..752cf3e3 100644 --- a/OSX/sec/Security/SecAccessControl.c +++ b/OSX/sec/Security/SecAccessControl.c @@ -30,6 +30,7 @@ #include <Security/SecAccessControl.h> #include <Security/SecAccessControlPriv.h> #include <Security/SecItem.h> +#include <Security/SecItemPriv.h> #include <utilities/SecCFWrappers.h> #include <utilities/SecCFError.h> #include <utilities/der_plist.h> @@ -89,8 +90,7 @@ SecAccessControlRef SecAccessControlCreate(CFAllocatorRef allocator, CFErrorRef access_control->dict = CFDictionaryCreateMutableForCFTypes(allocator); return access_control; } - -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) static CFDataRef _getEmptyData() { static CFMutableDataRef emptyData = NULL; static dispatch_once_t onceToken; @@ -115,7 +115,7 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF goto errOut; if (flags) { -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) bool or = (flags & kSecAccessControlOr) ? true : false; bool and = (flags & kSecAccessControlAnd) ? true : false; 
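Review bot: The guard `#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80)` introduced above `_getEmptyData` is repeated verbatim at every private-key / Touch ID site that follows in SecAccessControl.c, so the next platform adjustment has to be made in eight places and any one of them can drift. Define it once near the top of the file, e.g. `#define SEC_ACL_HAS_PRIVATE_KEY_OPS (TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80))`, and write `#if SEC_ACL_HAS_PRIVATE_KEY_OPS` at each site. A one-line comment on that macro saying what the RC_HIDE_J79/J80 flags gate would help readers without the build-system context, since nothing in this file explains them.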
@@ -152,7 +152,7 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF CFReleaseNull(constraint); } -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) if (flags & kSecAccessControlTouchIDAny) { require_quiet(constraint = SecAccessConstraintCreateTouchIDAny(allocator, _getEmptyData()), errOut); CFArrayAppendValue(constraints, constraint); @@ -170,11 +170,12 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF } #endif CFIndex constraints_count = CFArrayGetCount(constraints); -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) if (constraints_count > 1) { require_quiet(constraint = SecAccessConstraintCreateValueOfKofN(allocator, or?1:constraints_count, constraints, error), errOut); if (flags & kSecAccessControlPrivateKeyUsage) { require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, constraint, error), errOut); + require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut); } else { require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDecrypt, constraint, error), errOut); 
@@ -185,28 +186,30 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF } else #endif if (constraints_count == 1) { -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) if (flags & kSecAccessControlPrivateKeyUsage) { require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, CFArrayGetValueAtIndex(constraints, 0), error), errOut); + require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut); } else { #endif require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDecrypt, CFArrayGetValueAtIndex(constraints, 0), error), errOut); require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpEncrypt, kCFBooleanTrue, error), errOut); -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) } #endif require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut); } else { -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) if (flags & kSecAccessControlPrivateKeyUsage) { require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, kCFBooleanTrue, error), errOut); + require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut); require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut); } else { #endif require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDefaultAcl, kCFBooleanTrue, error), errOut); -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE +#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) } #endif } 
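Review bot: In each `kSecAccessControlPrivateKeyUsage` branch `kAKSKeyOpAttest` is added with `kCFBooleanTrue`, so attestation is permitted unconditionally even where signing is gated by the Touch ID or passcode constraint, and nothing in the hunk explains why that is safe. If attestation only certifies the key's properties and cannot be turned into a user-authorized signature, say so at the first site, e.g. `// Attestation is not gated by the user constraint: it certifies the key, it does not sign on the caller's behalf`, and confirm that assumption with the AKS/SEP owners; otherwise the same constraint should be applied to attest. The identical unconditional add also appears in the preceding `constraints_count > 1` hunk and should carry the same justification.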
@@ -251,13 +254,15 @@ static bool checkItemInArray(CFTypeRef item, const CFTypeRef *values, CFIndex co bool SecAccessControlSetProtection(SecAccessControlRef access_control, CFTypeRef protection, CFErrorRef *error) { - // Verify protection type. - CheckItemInArray(protection, ItemArray(kSecAttrAccessibleAlways, kSecAttrAccessibleAfterFirstUnlock, - kSecAttrAccessibleWhenUnlocked, kSecAttrAccessibleAlwaysThisDeviceOnly, - kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, - kSecAttrAccessibleWhenUnlockedThisDeviceOnly, - kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly), - "SecAccessControl: invalid protection %@"); + if (!protection || CFGetTypeID(protection) != CFDictionaryGetTypeID()) { + // Verify protection type. + CheckItemInArray(protection, ItemArray(kSecAttrAccessibleAlwaysPrivate, kSecAttrAccessibleAfterFirstUnlock, + kSecAttrAccessibleWhenUnlocked, kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, + kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, + kSecAttrAccessibleWhenUnlockedThisDeviceOnly, + kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly), + "SecAccessControl: invalid protection %@"); + } // Protection valid, use it. CFDictionarySetValue(access_control->dict, kSecAccessControlKeyProtection, protection); @@ -334,8 +339,8 @@ errOut: bool SecAccessControlAddConstraintForOperation(SecAccessControlRef access_control, CFTypeRef operation, CFTypeRef constraint, CFErrorRef *error) { CheckItemInArray(operation, ItemArray(kAKSKeyOpEncrypt, kAKSKeyOpDecrypt, -#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE - kAKSKeyOpSign, +#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) + kAKSKeyOpSign, kAKSKeyOpAttest, #endif kAKSKeyOpSync, kAKSKeyOpDefaultAcl, kAKSKeyOpDelete), "SecAccessControl: invalid operation %@"); diff --git a/OSX/sec/Security/SecAccessControl.h b/OSX/sec/Security/SecAccessControl.h index 25c6e17b..ddef861d 100644 --- a/OSX/sec/Security/SecAccessControl.h +++ b/OSX/sec/Security/SecAccessControl.h 
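Review bot: The new `if (!protection || CFGetTypeID(protection) != CFDictionaryGetTypeID())` in `SecAccessControlSetProtection` means any CFDictionary is stored under `kSecAccessControlKeyProtection` without its contents being checked, so the `CheckItemInArray` validation now covers only the string constants and a malformed dictionary reaches the ACL unchecked. If the dictionary form is validated downstream, document that where the branch is taken, e.g. `// Dictionary-form protection is passed through unvalidated here; its keys are checked by the consumer`, and only if that is actually the case; otherwise validate the expected keys before the `CFDictionarySetValue`. The function's return statement is outside this hunk, so I could not confirm what the string path returns when `CheckItemInArray` fails (presumably false with `error` set).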
@@ -46,17 +46,34 @@ CF_IMPLICIT_BRIDGING_ENABLED CFTypeID SecAccessControlGetTypeID(void) __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); -typedef CF_OPTIONS(CFIndex, SecAccessControlCreateFlags) { +#if RC_HIDE_J79 || RC_HIDE_J80 + +typedef CF_OPTIONS(CFOptionFlags, SecAccessControlCreateFlags) { + kSecAccessControlUserPresence = 1 << 0, // User presence policy using Touch ID or Passcode. Touch ID does not have to be available or enrolled. Item is still accessible by Touch ID even if fingers are added or removed. + kSecAccessControlTouchIDAny CF_ENUM_AVAILABLE(NA, 9_0) = 1u << 1, // Constraint: Touch ID (any finger). Touch ID must be available and at least one finger must be enrolled. Item is still accessible by Touch ID even if fingers are added or removed. + kSecAccessControlTouchIDCurrentSet CF_ENUM_AVAILABLE(NA, 9_0) = 1u << 3, // Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated. + kSecAccessControlDevicePasscode CF_ENUM_AVAILABLE(10_11, 9_0) = 1u << 4, // Constraint: Device passcode + kSecAccessControlOr CF_ENUM_AVAILABLE(NA, 9_0) = 1u << 14, // Constraint logic operation: when using more than one constraint, at least one of them must be satisfied. + kSecAccessControlAnd CF_ENUM_AVAILABLE(NA, 9_0) = 1u << 15, // Constraint logic operation: when using more than one constraint, all must be satisfied. + kSecAccessControlPrivateKeyUsage CF_ENUM_AVAILABLE(NA, 9_0) = 1u << 30, // Create access control for private key operations (i.e. sign operation) + kSecAccessControlApplicationPassword CF_ENUM_AVAILABLE(NA, 9_0) = 1u << 31, // Security: Application provided password for data encryption key generation. This is not a constraint but additional item encryption mechanism. 
+} __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); + +#else + +typedef CF_OPTIONS(CFOptionFlags, SecAccessControlCreateFlags) { kSecAccessControlUserPresence = 1 << 0, // User presence policy using Touch ID or Passcode. Touch ID does not have to be available or enrolled. Item is still accessible by Touch ID even if fingers are added or removed. - kSecAccessControlTouchIDAny CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 1, // Constraint: Touch ID (any finger). Touch ID must be available and at least one finger must be enrolled. Item is still accessible by Touch ID even if fingers are added or removed. - kSecAccessControlTouchIDCurrentSet CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 3, // Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated. - kSecAccessControlDevicePasscode CF_ENUM_AVAILABLE(10_11, 9_0) = 1 << 4, // Constraint: Device passcode - kSecAccessControlOr CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 14, // Constraint logic operation: when using more than one constraint, at least one of them must be satisfied. - kSecAccessControlAnd CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 15, // Constraint logic operation: when using more than one constraint, all must be satisfied. - kSecAccessControlPrivateKeyUsage CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 30, // Create access control for private key operations (i.e. sign operation) - kSecAccessControlApplicationPassword CF_ENUM_AVAILABLE(NA, 9_0) = 1 << 31, // Security: Application provided password for data encryption key generation. This is not a constraint but additional item encryption mechanism. + kSecAccessControlTouchIDAny CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 1, // Constraint: Touch ID (any finger). Touch ID must be available and at least one finger must be enrolled. Item is still accessible by Touch ID even if fingers are added or removed. 
+ kSecAccessControlTouchIDCurrentSet CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 3, // Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated. + kSecAccessControlDevicePasscode CF_ENUM_AVAILABLE(10_11, 9_0) = 1u << 4, // Constraint: Device passcode + kSecAccessControlOr CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 14, // Constraint logic operation: when using more than one constraint, at least one of them must be satisfied. + kSecAccessControlAnd CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 15, // Constraint logic operation: when using more than one constraint, all must be satisfied. + kSecAccessControlPrivateKeyUsage CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 30, // Create access control for private key operations (i.e. sign operation) + kSecAccessControlApplicationPassword CF_ENUM_AVAILABLE(10_12, 9_0) = 1u << 31, // Security: Application provided password for data encryption key generation. This is not a constraint but additional item encryption mechanism. } __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); +#endif + /*! @function SecAccessControlCreateWithFlags @abstract Creates new access control object based on protection type and additional flags. diff --git a/OSX/sec/Security/SecBase.h b/OSX/sec/Security/SecBase.h index 84253b32..7a9bf1ff 100644 --- a/OSX/sec/Security/SecBase.h +++ b/OSX/sec/Security/SecBase.h @@ -109,6 +109,7 @@ CF_ENUM(OSStatus) errSecInteractionNotAllowed = -25308, /* User interaction is not allowed. */ errSecDecode = -26275, /* Unable to decode the provided data. */ errSecAuthFailed = -25293, /* The user name or passphrase you entered is not correct. */ + errSecVerifyFailed = -67808, /* A cryptographic verification failure has occurred. */ }; CF_IMPLICIT_BRIDGING_DISABLED diff --git a/OSX/sec/Security/SecBasePriv.h b/OSX/sec/Security/SecBasePriv.h index 69c2dc98..86b6f730 100644 --- a/OSX/sec/Security/SecBasePriv.h 
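Review bot: The two `SecAccessControlCreateFlags` definitions selected by `#if RC_HIDE_J79 || RC_HIDE_J80` differ only in their availability annotations (`NA` versus `10_12`), yet every flag value and its comment is duplicated, so a new flag must be added twice and the bit assignments can silently diverge. Keep a single enum and vary only the annotation through a macro, e.g. `#define SEC_ACL_FLAG_AVAILABLE CF_ENUM_AVAILABLE(10_12, 9_0)` in the default branch and the `NA` form under RC_HIDE, then annotate each flag with `SEC_ACL_FLAG_AVAILABLE`. The move to `CFOptionFlags` with `1u << 31` is the right fix for the previous signed shift into the sign bit and should be kept in whichever form survives.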
+++ b/OSX/sec/Security/SecBasePriv.h @@ -125,7 +125,6 @@ enum errSecFailedToSendIDSMessage = -25334, /* Failed to send IDS message. */ errSecDeviceIDNoMatch = -25335, /* The provided device ID does not match any device IDs in the ids account. */ errSecPeersNotAvailable = -25336, /* No peers in the circle are available/online. */ - }; diff --git a/OSX/sec/Security/SecCFAllocator.c b/OSX/sec/Security/SecCFAllocator.c new file mode 100644 index 00000000..39d4f48b --- /dev/null +++ b/OSX/sec/Security/SecCFAllocator.c 
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include <Security/SecCFAllocator.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <corecrypto/cc.h>
+#include <malloc/malloc.h>
+
+static CFAllocatorContext sDefaultCtx;
+
+static CFStringRef SecCFAllocatorCopyDescription(const void *info) {
+ return CFSTR("Custom CFAllocator for sensitive data that zeroizes on deallocate");
+}
+
+// primary goal of this allocator is to clear memory when it is deallocated
+static void SecCFAllocatorDeallocate(void *ptr, void *info) {
+ if (!ptr) return;
+ size_t sz = malloc_size(ptr);
+ if(sz) cc_clear(sz, ptr);
+
+ sDefaultCtx.deallocate(ptr, info);
+}
+
+CFAllocatorRef SecCFAllocatorZeroize(void) {
+ static dispatch_once_t sOnce = 0;
+ static CFAllocatorRef sAllocator = NULL;
+ dispatch_once(&sOnce, ^{
+ CFAllocatorGetContext(kCFAllocatorMallocZone, &sDefaultCtx);
+
+ CFAllocatorContext ctx = {0,
+ sDefaultCtx.info,
+ sDefaultCtx.retain,
+ sDefaultCtx.release,
+ SecCFAllocatorCopyDescription,
+ sDefaultCtx.allocate,
+
sDefaultCtx.reallocate, + SecCFAllocatorDeallocate, + sDefaultCtx.preferredSize}; + + sAllocator = CFAllocatorCreate(NULL, &ctx); + }); + + return sAllocator; +} diff --git a/codesign_wrapper/codesign.h b/OSX/sec/Security/SecCFAllocator.h similarity index 72% rename from codesign_wrapper/codesign.h rename to OSX/sec/Security/SecCFAllocator.h index 75486061..4169fa29 100644 --- a/codesign_wrapper/codesign.h +++ b/OSX/sec/Security/SecCFAllocator.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004,2011 Apple Inc. All Rights Reserved. + * Copyright (c) 2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -19,24 +19,21 @@ * limitations under the License. * * @APPLE_LICENSE_HEADER_END@ - * - * cmsutil.h */ -#ifndef _CODESIGN_H_ -#define _CODESIGN_H_ 1 +#ifndef _SECURITY_SECCFALLOCATOR_H_ +#define _SECURITY_SECCFALLOCATOR_H_ +#include <Security/SecBasePriv.h> #include <CoreFoundation/CoreFoundation.h> -#ifdef __cplusplus -extern "C" { -#endif +__BEGIN_DECLS -extern CFMutableDictionaryRef load_code_signature(FILE *binary, size_t slice_offset); -extern CFArrayRef load_code_signatures(const char *path); +/* + * A CFAllocator that zeroizes memory on deallocation + */ +CFAllocatorRef SecCFAllocatorZeroize(void); -#ifdef __cplusplus -} -#endif +__END_DECLS -#endif /* _CODESIGN_H_ */ +#endif /* _SECURITY_SECCFALLOCATOR_H_ */ diff --git a/OSX/sec/Security/SecCMS.c b/OSX/sec/Security/SecCMS.c index e08a1a35..155f3299 100644 --- a/OSX/sec/Security/SecCMS.c +++ b/OSX/sec/Security/SecCMS.c 
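Review bot: `SecCFAllocatorZeroize` installs `sDefaultCtx.reallocate` unchanged in the context, so when a CF object backed by this allocator grows and the block moves, the old copy is released by the system reallocator and, as far as I can tell, never passes through `SecCFAllocatorDeallocate` — the secret survives in freed memory, which defeats the allocator's stated purpose. Supply a reallocate callback that allocates the new block, copies, and then clears and frees the old one through the existing zeroizing path; the sketch below uses `malloc_size` as the copy bound in the same way `SecCFAllocatorDeallocate` already uses it for clearing. Since `malloc_size` reports the usable size rather than the requested size, the copy has to be bounded by the smaller of old and new, and `memcpy` needs `<string.h>` added to the includes. A one-line comment on `SecCFAllocatorZeroize` noting that the allocator is created once and intentionally never released would also help the next reader.
```c
// Reallocation must go through the zeroizing path too: when the block moves,
// the old copy is cleared before it is handed back to the system allocator.
static void *SecCFAllocatorReallocate(void *ptr, CFIndex newsize, CFOptionFlags hint, void *info) {
    if (ptr == NULL) {
        return sDefaultCtx.allocate(newsize, hint, info);
    }
    size_t oldsz = malloc_size(ptr);
    void *newptr = sDefaultCtx.allocate(newsize, hint, info);
    if (newptr == NULL) {
        return NULL;   // caller keeps the old block; it is still valid and uncleared
    }
    size_t copysz = oldsz;
    if (newsize >= 0 && (size_t)newsize < oldsz) {
        copysz = (size_t)newsize;
    }
    memcpy(newptr, ptr, copysz);
    SecCFAllocatorDeallocate(ptr, info);
    return newptr;
}

// … unchanged: SecCFAllocatorZeroize, except the context initializer names
// SecCFAllocatorReallocate in place of sDefaultCtx.reallocate …
```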
@@ -67,13 +67,9 @@ #include <security_smime/secoid.h> #include <security_smime/cmslocal.h> -CFTypeRef kSecCMSBulkEncryptionAlgorithm = CFSTR("kSecCMSBulkEncryptionAlgorithm"); + CFTypeRef kSecCMSSignDigest = CFSTR("kSecCMSSignDigest"); CFTypeRef kSecCMSSignDetached = CFSTR("kSecCMSSignDetached"); -CFTypeRef kSecCMSSignHashAlgorithm = CFSTR("kSecCMSSignHashAlgorithm"); -CFTypeRef kSecCMSEncryptionAlgorithmDESCBC = CFSTR("kSecCMSEncryptionAlgorithmDESCBC"); -CFTypeRef kSecCMSEncryptionAlgorithmAESCBC = CFSTR("kSecCMSEncryptionAlgorithmAESCBC"); -CFTypeRef kSecCMSHashingAlgorithmMD5 = CFSTR("kSecCMSHashingAlgorithmMD5"); CFTypeRef kSecCMSCertChainMode = CFSTR("kSecCMSCertChainMode"); CFTypeRef kSecCMSCertChainModeNone = CFSTR("0"); CFTypeRef kSecCMSAdditionalCerts = CFSTR("kSecCMSAdditionalCerts"); @@ -81,6 +77,17 @@ CFTypeRef kSecCMSSignedAttributes = CFSTR("kSecCMSSignedAttributes"); CFTypeRef kSecCMSSignDate = CFSTR("kSecCMSSignDate"); CFTypeRef kSecCMSAllCerts = CFSTR("kSecCMSAllCerts"); +CFTypeRef kSecCMSBulkEncryptionAlgorithm = CFSTR("kSecCMSBulkEncryptionAlgorithm"); +CFTypeRef kSecCMSEncryptionAlgorithmDESCBC = CFSTR("kSecCMSEncryptionAlgorithmDESCBC"); +CFTypeRef kSecCMSEncryptionAlgorithmAESCBC = CFSTR("kSecCMSEncryptionAlgorithmAESCBC"); + +CFTypeRef kSecCMSSignHashAlgorithm = CFSTR("kSecCMSSignHashAlgorithm"); +CFTypeRef kSecCMSHashingAlgorithmMD5 = CFSTR("kSecCMSHashingAlgorithmMD5"); +CFTypeRef kSecCMSHashingAlgorithmSHA1 = CFSTR("kSecCMSHashingAlgorithmSHA1"); +CFTypeRef kSecCMSHashingAlgorithmSHA256 = CFSTR("kSecCMSHashingAlgorithmSHA256"); +CFTypeRef kSecCMSHashingAlgorithmSHA384 = CFSTR("kSecCMSHashingAlgorithmSHA384"); +CFTypeRef kSecCMSHashingAlgorithmSHA512 = CFSTR("kSecCMSHashingAlgorithmSHA512"); + OSStatus SecCMSCreateEnvelopedData(CFTypeRef recipient_or_cfarray_thereof, CFDictionaryRef params, CFDataRef data, CFMutableDataRef enveloped_data) { 
@@ -344,12 +351,18 @@ OSStatus SecCMSCreateSignedData(SecIdentityRef identity, CFDataRef data, SECOidTag algorithm = SEC_OID_SHA1; if (algorithm_name) { - if (CFEqual(kSecCMSHashingAlgorithmMD5, algorithm_name)) { - algorithm = SEC_OID_MD5; + if (CFEqual(kSecCMSHashingAlgorithmSHA1, algorithm_name)) { + algorithm = SEC_OID_SHA1; + } else if (CFEqual(kSecCMSHashingAlgorithmSHA256, algorithm_name)) { + algorithm = SEC_OID_SHA256; + } else if (CFEqual(kSecCMSHashingAlgorithmSHA384, algorithm_name)) { + algorithm = SEC_OID_SHA384; + } else if (CFEqual(kSecCMSHashingAlgorithmSHA512, algorithm_name)) { + algorithm = SEC_OID_SHA512; } else { + // signing with MD5 is no longer allowed algorithm = SEC_OID_UNKNOWN; } - } return SecCMSSignDataOrDigestAndAttributes(identity, data, diff --git a/OSX/sec/Security/SecCMS.h b/OSX/sec/Security/SecCMS.h index 780fca54..4f4b106d 100644 --- a/OSX/sec/Security/SecCMS.h +++ b/OSX/sec/Security/SecCMS.h @@ -47,9 +47,15 @@ extern const void * kSecCMSAllCerts; extern const void * kSecCMSEncryptionAlgorithmDESCBC; extern const void * kSecCMSEncryptionAlgorithmAESCBC; -extern const void * kSecCMSHashingAlgorithmMD5; +extern const void * kSecCMSHashingAlgorithmMD5 + __IOS_DEPRECATED(__IPHONE_3_1, __IPHONE_10_0, "Disuse this constant in order to upgrade to SHA-1"); extern const void * kSecCMSCertChainModeNone; +extern const void * kSecCMSHashingAlgorithmSHA1; +extern const void * kSecCMSHashingAlgorithmSHA256; +extern const void * kSecCMSHashingAlgorithmSHA384; +extern const void * kSecCMSHashingAlgorithmSHA512; + /*! @function SecCMSVerifyCopyDataAndAttributes @abstract verify a signed data cms blob. diff --git a/OSX/sec/Security/SecCTKKey.c b/OSX/sec/Security/SecCTKKey.c index db281610..93181ca1 100644 --- a/OSX/sec/Security/SecCTKKey.c +++ b/OSX/sec/Security/SecCTKKey.c 
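Review bot: With MD5 now mapped to `SEC_OID_UNKNOWN`, the unchanged `SECOidTag algorithm = SEC_OID_SHA1;` still means a caller that passes no `kSecCMSSignHashAlgorithm` gets a SHA-1 signature, the weakest digest this function will still produce; if moving the default to `SEC_OID_SHA256` is not acceptable for compatibility, state that at the declaration, e.g. `// SHA-1 stays the default only for callers that predate kSecCMSSignHashAlgorithm; new callers should pass SHA-256 or stronger`. The `else` branch also folds every unrecognized name, not just MD5, into `SEC_OID_UNKNOWN`, so `// signing with MD5 is no longer allowed` understates what happens; `// MD5 and any unrecognized digest name are rejected via SEC_OID_UNKNOWN` is accurate. Whether `SecCMSSignDataOrDigestAndAttributes` actually fails on `SEC_OID_UNKNOWN` is outside this hunk and deserves a regression test that signs with `kSecCMSHashingAlgorithmMD5` and asserts an error.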
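Review bot: The deprecation text on `kSecCMSHashingAlgorithmMD5`, `"Disuse this constant in order to upgrade to SHA-1"`, steers callers to SHA-1 even though the same change introduces `kSecCMSHashingAlgorithmSHA256` and stronger; recommend the strong option instead, e.g. `"MD5 signing is no longer supported; use kSecCMSHashingAlgorithmSHA256 or stronger"`. The four new SHA constants are declared without any comment; a single line above them saying they are the accepted values for `kSecCMSSignHashAlgorithm` (presumably in the params dictionary, as the SecCMS.c hunk reads it) would tie them to their use.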
@@ -33,6 +33,10 @@ #include <ctkclient.h> #include <libaks_acl_cf_keys.h> +#if TKTOKEN_CLIENT_INTERFACE_VERSION <= 1 +#define kTKTokenCreateAttributeAuxParams "auxParams" +#endif + #include "SecECKey.h" #include "SecRSAKey.h" #include "SecCTKKeyPriv.h" @@ -46,6 +50,7 @@ typedef struct { CFDataRef objectID; SecCFDictionaryCOW auth_params; SecCFDictionaryCOW attributes; + CFMutableDictionaryRef params; } SecCTKKeyData; static void SecCTKKeyDestroy(SecKeyRef key) { @@ -55,14 +60,22 @@ static void SecCTKKeyDestroy(SecKeyRef key) { CFReleaseSafe(kd->objectID); CFReleaseSafe(kd->auth_params.mutable_dictionary); CFReleaseSafe(kd->attributes.mutable_dictionary); + CFReleaseSafe(kd->params); } static CFIndex SecCTKGetAlgorithmID(SecKeyRef key) { SecCTKKeyData *kd = key->key; - if (CFEqualSafe(CFDictionaryGetValue(kd->attributes.dictionary, kSecAttrKeyType), kSecAttrKeyTypeEC)) - return kSecECDSAAlgorithmID; - else - return kSecRSAAlgorithmID; + CFTypeRef type = CFDictionaryGetValue(kd->attributes.dictionary, kSecAttrKeyType); + if (type != NULL) { + if (CFGetTypeID(type) == CFNumberGetTypeID()) { + CFIndex keyType; + if (CFNumberGetValue(type, kCFNumberCFIndexType, &keyType) && keyType == 73 /* kSecAttrKeyTypeEC */) + return kSecECDSAAlgorithmID; + } else if (CFGetTypeID(type) == CFStringGetTypeID() && CFEqual(type, kSecAttrKeyTypeEC)) { + return kSecECDSAAlgorithmID; + } + } + return kSecRSAAlgorithmID; } static SecItemAuthResult SecCTKProcessError(CFStringRef operation, TKTokenRef token, CFDataRef object_id, CFArrayRef *ac_pairs, CFErrorRef *error) { 
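Review bot: `SecCTKGetAlgorithmID` compares the numeric key type against the literal `73 /* kSecAttrKeyTypeEC */`, duplicating in a magic number a value that the string constant `kSecAttrKeyTypeEC` already stands for; if that numeric value ever changes, the comment is the only thing claiming they match. Give it a name beside the function, e.g. `enum { kSecCTKKeyTypeECNumeric = 73 }; // numeric form of kSecAttrKeyTypeEC, presumably as some token attributes store it`, and compare against that. Any other CFNumber or CFString key type silently falls through to `kSecRSAAlgorithmID`, so a `// default: RSA for any other or missing key type` on the final return would make that fall-through read as intended rather than accidental.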
@@ -82,47 +95,48 @@ static SecItemAuthResult SecCTKProcessError(CFStringRef operation, TKTokenRef to return kSecItemAuthResultError; } -static OSStatus SecCTKKeyRawSign(SecKeyRef key, SecPadding padding, - const uint8_t *dataToSign, size_t dataToSignLen, - uint8_t *sig, size_t *sigLen) { - OSStatus status = errSecSuccess; - CFDataRef digest = CFDataCreateWithBytesNoCopy(NULL, dataToSign, dataToSignLen, kCFAllocatorNull); +static const CFTypeRef *aclOperations[] = { + [kSecKeyOperationTypeSign] = &kAKSKeyOpSign, + [kSecKeyOperationTypeDecrypt] = &kAKSKeyOpDecrypt, + [kSecKeyOperationTypeKeyExchange] = &kAKSKeyOpComputeKey, +}; +static CFTypeRef SecCTKKeyCopyOperationResult(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, + CFArrayRef algorithms, SecKeyOperationMode mode, + CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { SecCTKKeyData *kd = key->key; - __block SecCFDictionaryCOW sign_auth_params = { kd->auth_params.dictionary }; + __block SecCFDictionaryCOW auth_params = { kd->auth_params.dictionary }; __block TKTokenRef token = CFRetainSafe(kd->token); - - status = SecOSStatusWith(^bool(CFErrorRef *error) { - return SecItemAuthDo(&sign_auth_params, error, ^SecItemAuthResult(CFDictionaryRef auth_params, CFArrayRef *ac_pairs, CFErrorRef *error) { - CFDataRef signature = NULL; - SecItemAuthResult auth_result = kSecItemAuthResultOK; - - if (sign_auth_params.mutable_dictionary != NULL) { - // auth_params were modified, so reconnect the token in order to update the attributes. 
- TKTokenRef new_token = NULL; - require_quiet(new_token = SecTokenCreate(kd->token_id, auth_params, error), out); - CFAssignRetained(token, new_token); + __block CFTypeRef result = kCFNull; + + CFErrorRef localError = NULL; + SecItemAuthDo(&auth_params, &localError, ^SecItemAuthResult(CFDictionaryRef ap, CFArrayRef *ac_pairs, CFErrorRef *error) { + if (auth_params.mutable_dictionary != NULL || token == NULL || kd->params != NULL) { + // token was not connected yet or auth_params were modified, so reconnect the token in order to update the attributes. + SecCFDictionaryCOW attributes = { ap }; + if (kd->params && CFDictionaryGetCount(kd->params) > 0) { + CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&attributes), CFSTR(kTKTokenCreateAttributeAuxParams), kd->params); + } + CFAssignRetained(token, SecTokenCreate(kd->token_id, attributes.dictionary, error)); + CFReleaseSafe(attributes.mutable_dictionary); + if (token == NULL) { + return kSecItemAuthResultError; } + } - require_action_quiet(signature = TKTokenCopySignature(token, kd->objectID, padding, digest, error), out, - auth_result = SecCTKProcessError(kAKSKeyOpSign, token, kd->objectID, ac_pairs, error)); - require_action_quiet((CFIndex)*sigLen >= CFDataGetLength(signature), out, - SecError(errSecParam, error, CFSTR("signature buffer too small (%ulb required)"), - (unsigned long)CFDataGetLength(signature))); - *sigLen = CFDataGetLength(signature); - CFDataGetBytes(signature, CFRangeMake(0, *sigLen), sig); - *sigLen = CFDataGetLength(signature); - - out: - CFReleaseSafe(signature); - return auth_result; - }); +#if TKTOKEN_CLIENT_INTERFACE_VERSION >= 1 + result = TKTokenCopyOperationResult(token, kd->objectID, operation, algorithms, mode, in1, in2, error); +#else + result = TKTokenCopyCryptoResult(token, kd->objectID, operation, (CFIndex)algorithm, in1, in2, error); +#endif + return (result != NULL) ? 
kSecItemAuthResultOK : SecCTKProcessError(*aclOperations[operation], token, + kd->objectID, ac_pairs, error); }); - CFReleaseSafe(sign_auth_params.mutable_dictionary); - CFReleaseSafe(digest); + CFErrorPropagate(localError, error); + CFReleaseSafe(auth_params.mutable_dictionary); CFReleaseSafe(token); - return status; + return result; } static size_t SecCTKKeyBlockSize(SecKeyRef key) { @@ -213,27 +227,21 @@ out: return attrs; } -SecKeyDescriptor kSecCTKKeyDescriptor = { - kSecKeyDescriptorVersion, - "CTKKey", - sizeof(SecCTKKeyData), - NULL, // SecKeyInit - SecCTKKeyDestroy, - SecCTKKeyRawSign, - NULL, // SecKeyRawVerifyMethod - NULL, // SecKeyEncryptMethod - NULL, // SecKeyRawDecrypt - NULL, // SecKeyComputeMethod - SecCTKKeyBlockSize, - SecCTKKeyCopyAttributeDictionary, - SecCTKKeyCopyKeyDescription, - SecCTKGetAlgorithmID, - SecCTKKeyCopyPublicOctets, - NULL, // SecKeyCopyWrapKey - NULL, // SecKeyCopyUnwrapKey +static SecKeyDescriptor kSecCTKKeyDescriptor = { + .version = kSecKeyDescriptorVersion, + .name = "CTKKey", + .extraBytes = sizeof(SecCTKKeyData), + + .destroy = SecCTKKeyDestroy, + .blockSize = SecCTKKeyBlockSize, + .copyDictionary = SecCTKKeyCopyAttributeDictionary, + .describe = SecCTKKeyCopyKeyDescription, + .getAlgorithmID = SecCTKGetAlgorithmID, + .copyPublic = SecCTKKeyCopyPublicOctets, + .copyOperationResult = SecCTKKeyCopyOperationResult, }; -SecKeyRef SecKeyCreateCTKKey(CFAllocatorRef allocator, CFDictionaryRef refAttributes) { +SecKeyRef SecKeyCreateCTKKey(CFAllocatorRef allocator, CFDictionaryRef refAttributes, CFErrorRef *error) { SecKeyRef key = SecKeyCreate(allocator, &kSecCTKKeyDescriptor, 0, 0, 0); SecCTKKeyData *kd = key->key; kd->token = CFRetainSafe(CFDictionaryGetValue(refAttributes, kSecUseToken)); 
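Review bot: The failure path in `SecCTKKeyCopyOperationResult` dereferences `*aclOperations[operation]`, but `aclOperations` has initializers only for sign, decrypt and key-exchange; any other `SecKeyOperationType` value that reaches this function (I cannot see the enum here, but verify/encrypt are plausible) indexes a NULL entry, or past the array, and crashes before the error is reported. Guard it at the top of the function, e.g. `if ((size_t)operation >= sizeof(aclOperations) / sizeof(aclOperations[0]) || aclOperations[operation] == NULL) { return kCFNull; }`, if `kCFNull` is indeed the "not handled here" signal that `result` is initialized to; otherwise return NULL with an `errSecParam` error. A comment on the table, `// ACL operation consulted when the token reports an auth error for each SecKeyOperationType`, would also help, since the designated-initializer form hides the gaps.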
@@ -243,6 +251,9 @@ SecKeyRef SecKeyCreateCTKKey(CFAllocatorRef allocator, CFDictionaryRef refAttrib CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(&kd->attributes), kSecUseToken); CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(&kd->attributes), kSecUseTokenObjectID); SecItemAuthCopyParams(&kd->auth_params, &kd->attributes); + if (CFDictionaryGetValue(kd->attributes.dictionary, kSecAttrIsPrivate) == NULL) { + CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&kd->attributes), kSecAttrIsPrivate, kCFBooleanTrue); + } return key; } 
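Review bot: The new default that stamps `kSecAttrIsPrivate = kCFBooleanTrue` onto every token key whose attributes omit it is undocumented, and a reader cannot tell whether it is a compatibility shim for tokens that never set the attribute or a deliberate "treat unknown as private" security default. Add a one-line why-comment above the `if`, along the lines of `// Token keys that omit kSecAttrIsPrivate are treated as private keys (reason: ...)`, filled in with the actual rationale. The rest of `SecKeyCreateCTKKey` lies outside this hunk.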
@@ -295,3 +306,137 @@ out: CFReleaseSafe(publicData); return status; } + +SecKeyRef SecKeyCopyAttestationKey(SecKeyAttestationKeyType keyType, CFErrorRef *error) { + if (keyType != kSecKeyAttestationKeyTypeSIK && keyType != kSecKeyAttestationKeyTypeGID) { + SecError(errSecParam, error, CFSTR("unexpected attestation key type %u"), (unsigned)keyType); + return NULL; + } + + // [NSKeyedArchiver archivedDataWithRootObject:[@"com.apple.setoken.sik" dataUsingEncoding:NSUTF8StringEncoding]]; + static const uint8_t sikObjectIDBytes[] = { + 0x62, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x30, 0x30, 0xd4, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x14, + 0x15, 0x58, 0x24, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x58, 0x24, 0x6f, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x73, 0x59, 0x24, 0x61, 0x72, 0x63, 0x68, 0x69, 0x76, 0x65, 0x72, 0x54, 0x24, 0x74, + 0x6f, 0x70, 0x12, 0x00, 0x01, 0x86, 0xa0, 0xa3, 0x07, 0x08, 0x0d, 0x55, 0x24, 0x6e, 0x75, 0x6c, + 0x6c, 0xd2, 0x09, 0x0a, 0x0b, 0x0c, 0x57, 0x4e, 0x53, 0x2e, 0x64, 0x61, 0x74, 0x61, 0x56, 0x24, + 0x63, 0x6c, 0x61, 0x73, 0x73, 0x4f, 0x10, 0x15, 0x63, 0x6f, 0x6d, 0x2e, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x73, 0x65, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x2e, 0x73, 0x69, 0x6b, 0x80, 0x02, 0xd2, + 0x0e, 0x0f, 0x10, 0x11, 0x5a, 0x24, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x6e, 0x61, 0x6d, 0x65, 0x58, + 0x24, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x65, 0x73, 0x5d, 0x4e, 0x53, 0x4d, 0x75, 0x74, 0x61, 0x62, + 0x6c, 0x65, 0x44, 0x61, 0x74, 0x61, 0xa3, 0x10, 0x12, 0x13, 0x56, 0x4e, 0x53, 0x44, 0x61, 0x74, + 0x61, 0x58, 0x4e, 0x53, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x10, 0x0f, 0x4e, 0x53, 0x4b, + 0x65, 0x79, 0x65, 0x64, 0x41, 0x72, 0x63, 0x68, 0x69, 0x76, 0x65, 0x72, 0xd1, 0x16, 0x17, 0x54, + 0x72, 0x6f, 0x6f, 0x74, 0x80, 0x01, 0x08, 0x11, 0x1a, 0x23, 0x2d, 0x32, 0x37, 0x3b, 0x41, 0x46, + 0x4e, 0x55, 0x6d, 0x6f, 0x74, 0x7f, 0x88, 0x96, 0x9a, 0xa1, 0xaa, 0xbc, 0xbf, 0xc4, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 
0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc6 + }; + + // [NSKeyedArchiver archivedDataWithRootObject:[@"com.apple.setoken.gid" dataUsingEncoding:NSUTF8StringEncoding]]; + static const uint8_t gidObjectIDBytes[] = { + 0x62, 0x70, 0x6c, 0x69, 0x73, 0x74, 0x30, 0x30, 0xd4, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x14, + 0x15, 0x58, 0x24, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x58, 0x24, 0x6f, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x73, 0x59, 0x24, 0x61, 0x72, 0x63, 0x68, 0x69, 0x76, 0x65, 0x72, 0x54, 0x24, 0x74, + 0x6f, 0x70, 0x12, 0x00, 0x01, 0x86, 0xa0, 0xa3, 0x07, 0x08, 0x0d, 0x55, 0x24, 0x6e, 0x75, 0x6c, + 0x6c, 0xd2, 0x09, 0x0a, 0x0b, 0x0c, 0x57, 0x4e, 0x53, 0x2e, 0x64, 0x61, 0x74, 0x61, 0x56, 0x24, + 0x63, 0x6c, 0x61, 0x73, 0x73, 0x4f, 0x10, 0x15, 0x63, 0x6f, 0x6d, 0x2e, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x73, 0x65, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x2e, 0x67, 0x69, 0x64, 0x80, 0x02, 0xd2, + 0x0e, 0x0f, 0x10, 0x11, 0x5a, 0x24, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x6e, 0x61, 0x6d, 0x65, 0x58, + 0x24, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x65, 0x73, 0x5d, 0x4e, 0x53, 0x4d, 0x75, 0x74, 0x61, 0x62, + 0x6c, 0x65, 0x44, 0x61, 0x74, 0x61, 0xa3, 0x10, 0x12, 0x13, 0x56, 0x4e, 0x53, 0x44, 0x61, 0x74, + 0x61, 0x58, 0x4e, 0x53, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x10, 0x0f, 0x4e, 0x53, 0x4b, + 0x65, 0x79, 0x65, 0x64, 0x41, 0x72, 0x63, 0x68, 0x69, 0x76, 0x65, 0x72, 0xd1, 0x16, 0x17, 0x54, + 0x72, 0x6f, 0x6f, 0x74, 0x80, 0x01, 0x08, 0x11, 0x1a, 0x23, 0x2d, 0x32, 0x37, 0x3b, 0x41, 0x46, + 0x4e, 0x55, 0x6d, 0x6f, 0x74, 0x7f, 0x88, 0x96, 0x9a, 0xa1, 0xaa, 0xbc, 0xbf, 0xc4, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc6 + }; + + CFDataRef objectID = (keyType == kSecKeyAttestationKeyTypeSIK) ? 
+ CFDataCreate(kCFAllocatorDefault, sikObjectIDBytes, sizeof(sikObjectIDBytes)) : + CFDataCreate(kCFAllocatorDefault, gidObjectIDBytes, sizeof(gidObjectIDBytes)) ; + + const void *keys[] = { kSecUseToken, kSecUseTokenObjectID, kSecAttrTokenID }; + const void *values[] = { kCFNull, objectID, CFSTR("com.apple.setoken.attest") }; + + CFDictionaryRef attributes = CFDictionaryCreate(kCFAllocatorDefault, + keys, values, sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + return SecKeyCreateCTKKey(kCFAllocatorDefault, attributes, error); +} + +CFDataRef SecKeyCreateAttestation(SecKeyRef key, SecKeyRef keyToAttest, CFErrorRef *error) { + if (!key || !keyToAttest) { + SecError(errSecParam, error, CFSTR("attestation key(s) is NULL")); + return NULL; + } + + SecCTKKeyData *attestingKeyData = key->key; + SecCTKKeyData *keyToAttestData = keyToAttest->key; + + if (key->key_class != &kSecCTKKeyDescriptor) { + SecError(errSecUnsupportedOperation, error, CFSTR("attestation not supported by key %@"), key); + return NULL; + } + if (keyToAttest->key_class != &kSecCTKKeyDescriptor || CFEqual(keyToAttestData->token, kCFNull)) { + SecError(errSecUnsupportedOperation, error, CFSTR("attestation not supported for key %@"), keyToAttest); + return NULL; + } + + const void *keys[] = { + CFSTR(kTKTokenControlAttribAttestingKey), + CFSTR(kTKTokenControlAttribKeyToAttest), + }; + const void *values[] = { + attestingKeyData->objectID, + keyToAttestData->objectID + }; + + CFDictionaryRef attributes = NULL; + __block CFDictionaryRef outputAttributes = NULL; + CFDataRef attestationData = NULL; + __block SecCFDictionaryCOW sign_auth_params = { keyToAttestData->auth_params.dictionary }; + + attributes = CFDictionaryCreate(kCFAllocatorDefault, keys, values, sizeof(keys) / sizeof(*keys), + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + SecItemAuthDo(&sign_auth_params, error, ^SecItemAuthResult(CFDictionaryRef auth_params, 
CFArrayRef *ac_pairs, CFErrorRef *error) { + outputAttributes = TKTokenControl(keyToAttestData->token, attributes, error); + return outputAttributes ? kSecItemAuthResultOK : SecCTKProcessError(kAKSKeyOpAttest, keyToAttestData->token, keyToAttestData->objectID, ac_pairs, error); + }); + require(outputAttributes, out); + + attestationData = CFDictionaryGetValue(outputAttributes, CFSTR(kTKTokenControlAttribAttestationData)); + require_action(attestationData, out, SecError(errSecInternal, error, CFSTR("could not get attestation data"))); + + if (CFGetTypeID(attestationData) != CFDataGetTypeID()) { + SecError(errSecInternal, error, CFSTR("unexpected attestation object type")); + attestationData = NULL; + } + + CFRetainSafe(attestationData); + +out: + CFReleaseSafe(attributes); + CFReleaseSafe(outputAttributes); + return attestationData; +} + +Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) { + require_action_quiet(key->key_class == &kSecCTKKeyDescriptor, out, + SecError(errSecUnimplemented, error, CFSTR("SecKeySetParameter() not supported for key %@"), key)); + SecCTKKeyData *kd = key->key; + if (kd->params == NULL) { + kd->params = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + } + if (value != NULL) { + CFDictionarySetValue(kd->params, name, value); + } else { + CFDictionaryRemoveValue(kd->params, name); + } + +out: + return TRUE; +} diff --git a/OSX/sec/Security/SecCTKKeyPriv.h b/OSX/sec/Security/SecCTKKeyPriv.h index 2bb845b2..a91b857d 100644 --- a/OSX/sec/Security/SecCTKKeyPriv.h +++ b/OSX/sec/Security/SecCTKKeyPriv.h @@ -34,7 +34,7 @@ extern const CFStringRef kSecUseTokenObjectID; OSStatus SecCTKKeyGeneratePair(CFDictionaryRef parameters, SecKeyRef *rsaPublicKey, SecKeyRef *rsaPrivateKey); -SecKeyRef SecKeyCreateCTKKey(CFAllocatorRef allocator, CFDictionaryRef refAttributes); +SecKeyRef SecKeyCreateCTKKey(CFAllocatorRef allocator, CFDictionaryRef refAttributes, CFErrorRef *error); __END_DECLS 
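Review bot: `SecKeySetParameter` returns TRUE on its failure path too — when `require_action_quiet` jumps to `out` for a non-CTK key, `*error` has been set but the caller sees success; make the result follow the path with `Boolean ok = FALSE;` at the top, `ok = TRUE;` just before `out:`, and `return ok;`. `key` is also dereferenced without a NULL check there, whereas `SecKeyCreateAttestation` in the same hunk rejects NULL keys first. Separately, `SecKeyCopyAttestationKey` creates `objectID` and `attributes` at +1 and hands them to `SecKeyCreateCTKKey`, which appears to retain or copy what it keeps (`kd->token = CFRetainSafe(...)` in the preceding hunk), so both objects leak on every call; release them after the create, and guard against `CFDataCreate` returning NULL before placing it in `values[]`.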
diff --git a/OSX/sec/Security/SecCertificate.c b/OSX/sec/Security/SecCertificate.c index acbd1466..674e1607 100644 --- a/OSX/sec/Security/SecCertificate.c +++ b/OSX/sec/Security/SecCertificate.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2006-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -54,6 +54,7 @@ #include "SecFramework.h" #include "SecItem.h" #include "SecItemPriv.h" +#include "SecSignatureVerificationSupport.h" #include <stdbool.h> #include <utilities/debugging.h> #include <utilities/SecCFWrappers.h> 
@@ -85,34 +86,34 @@ typedef struct KnownExtension { bool critical; DERItem extnValue; } KnownExtension; +#endif enum { kSecSelfSignedUnknown = 0, kSecSelfSignedFalse, kSecSelfSignedTrue, }; -#endif struct __SecCertificate { - CFRuntimeBase _base; + CFRuntimeBase _base; - DERItem _der; /* Entire certificate in DER form. */ - DERItem _tbs; /* To Be Signed cert DER bytes. */ - DERAlgorithmId _sigAlg; /* Top level signature algorithm. */ - DERItem _signature; /* The content of the sig bit string. */ + DERItem _der; /* Entire certificate in DER form. */ + DERItem _tbs; /* To Be Signed cert DER bytes. */ + DERAlgorithmId _sigAlg; /* Top level signature algorithm. */ + DERItem _signature; /* The content of the sig bit string. */ UInt8 _version; - DERItem _serialNum; /* Integer. */ - DERAlgorithmId _tbsSigAlg; /* sig alg MUST be same as _sigAlg. */ - DERItem _issuer; /* Sequence of RDN. */ - CFAbsoluteTime _notBefore; - CFAbsoluteTime _notAfter; - DERItem _subject; /* Sequence of RDN. */ + DERItem _serialNum; /* Integer. */ + DERAlgorithmId _tbsSigAlg; /* sig alg MUST be same as _sigAlg. */ + DERItem _issuer; /* Sequence of RDN. */ + CFAbsoluteTime _notBefore; + CFAbsoluteTime _notAfter; + DERItem _subject; /* Sequence of RDN. */ DERItem _subjectPublicKeyInfo; /* SPKI */ - DERAlgorithmId _algId; /* oid and params of _pubKeyDER. */ - DERItem _pubKeyDER; /* contents of bit string */ - DERItem _issuerUniqueID; /* bit string, optional */ - DERItem _subjectUniqueID; /* bit string, optional */ + DERAlgorithmId _algId; /* oid and params of _pubKeyDER. */ + DERItem _pubKeyDER; /* contents of bit string */ + DERItem _issuerUniqueID; /* bit string, optional */ + DERItem _subjectUniqueID; /* bit string, optional */ #if 0 /* Known extensions if the certificate contains them, 
@@ -135,7 +136,7 @@ struct __SecCertificate { #endif bool _foundUnknownCriticalExtension; - /* Well known certificate extensions. */ + /* Well known certificate extensions. */ SecCEBasicConstraints _basicConstraints; SecCEPolicyConstraints _policyConstraints; CFDictionaryRef _policyMappings; @@ -150,22 +151,22 @@ struct __SecCertificate { the value of the extension. */ SecKeyUsage _keyUsage; - /* OCTECTS of SubjectKeyIdentifier extensions KeyIdentifier. - Length = 0 if not present. */ - DERItem _subjectKeyIdentifier; + /* OCTETS of SubjectKeyIdentifier extensions KeyIdentifier. + Length = 0 if not present. */ + DERItem _subjectKeyIdentifier; - /* OCTECTS of AuthorityKeyIdentifier extensions KeyIdentifier. - Length = 0 if not present. */ - DERItem _authorityKeyIdentifier; - /* AuthorityKeyIdentifier extension _authorityKeyIdentifierIssuer and - _authorityKeyIdentifierSerialNumber have non zero length if present. - Both are either present or absent together. */ - DERItem _authorityKeyIdentifierIssuer; - DERItem _authorityKeyIdentifierSerialNumber; + /* OCTETS of AuthorityKeyIdentifier extensions KeyIdentifier. + Length = 0 if not present. */ + DERItem _authorityKeyIdentifier; + /* AuthorityKeyIdentifier extension _authorityKeyIdentifierIssuer and + _authorityKeyIdentifierSerialNumber have non zero length if present. + Both are either present or absent together. */ + DERItem _authorityKeyIdentifierIssuer; + DERItem _authorityKeyIdentifierSerialNumber; - /* Subject alt name extension, if present. Not malloced, it's just a - pointer to an element in the _extensions array. */ - const SecCertificateExtension *_subjectAltName; + /* Subject alt name extension, if present. Not malloced, it's just a + pointer to an element in the _extensions array. */ + const SecCertificateExtension *_subjectAltName; /* Parsed extension values. */ 
@@ -184,11 +185,11 @@ struct __SecCertificate { /* Array of CFDataRefs containing the generalNames for permittedSubtrees Name Constraints.*/ - CFArrayRef _permittedSubtrees; + CFArrayRef _permittedSubtrees; /* Array of CFDataRefs containing the generalNames for excludedSubtrees Name Constraints. */ - CFArrayRef _excludedSubtrees; + CFArrayRef _excludedSubtrees; CFMutableArrayRef _embeddedSCTs; @@ -196,19 +197,19 @@ struct __SecCertificate { CFIndex _extensionCount; SecCertificateExtension *_extensions; - /* Optional cached fields. */ - SecKeyRef _pubKey; /* never set, never used */ - CFDataRef _der_data; - CFArrayRef _properties; - CFDataRef _serialNumber; - CFDataRef _normalizedIssuer; - CFDataRef _normalizedSubject; - CFDataRef _authorityKeyID; - CFDataRef _subjectKeyID; + /* Optional cached fields. */ + SecKeyRef _pubKey; + CFDataRef _der_data; + CFArrayRef _properties; + CFDataRef _serialNumber; + CFDataRef _normalizedIssuer; + CFDataRef _normalizedSubject; + CFDataRef _authorityKeyID; + CFDataRef _subjectKeyID; - CFDataRef _sha1Digest; - CFTypeRef _keychain_item; - uint8_t _isSelfSigned; + CFDataRef _sha1Digest; + CFTypeRef _keychain_item; + uint8_t _isSelfSigned; }; @@ -696,7 +697,7 @@ static void SecCEPBasicConstraints(SecCertificateRef certificate, require_noerr_quiet(DERParseSequence(&extn->extnValue, DERNumBasicConstraintsItemSpecs, DERBasicConstraintsItemSpecs, &basicConstraints, sizeof(basicConstraints)), badDER); - require_noerr_quiet(DERParseBoolean(&basicConstraints.cA, false, + require_noerr_quiet(DERParseBooleanWithDefault(&basicConstraints.cA, false, &certificate->_basicConstraints.isCA), badDER); if (basicConstraints.pathLenConstraint.length != 0) { require_noerr_quiet(DERParseInteger( 
@@ -762,16 +763,19 @@ static DERReturn parseGeneralSubtrees(DERItem *derSubtrees, CFArrayRef *generalS } require_quiet(derGS.maximum.length == 0, badDER); require_quiet(derGS.generalName.length != 0, badDER); - + CFDataRef generalName = NULL; require_quiet(generalName = CFDataCreate(kCFAllocatorDefault, derGS.generalName.data, derGS.generalName.length), - badDER); + badDER); CFArrayAppendValue(gs, generalName); CFReleaseNull(generalName); } + // since generalSubtrees is a pointer to an instance variable, + // make sure we release the existing array before assignment. + CFReleaseSafe(*generalSubtrees); *generalSubtrees = gs; require_quiet(drtn == DR_EndOfSequence, badDER); 
@@ -805,9 +809,80 @@ badDER: secdebug("cert", "failed to parse Name Constraints extension"); } +static OSStatus appendCRLDPFromGeneralNames(void *context, SecCEGeneralNameType type, + const DERItem *value) { + CFMutableArrayRef *crlDPs = (CFMutableArrayRef *)context; + if (type == GNT_URI) { + CFURLRef url = NULL; + url = CFURLCreateWithBytes(NULL, value->data, value->length, kCFStringEncodingASCII, NULL); + if (url) { + if (!*crlDPs) { + *crlDPs = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + } + CFArrayAppendValue(*crlDPs, url); + CFRelease(url); + } + } + return errSecSuccess; +} + +/* + id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } + + CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint + + DistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + reasons [1] ReasonFlags OPTIONAL, + cRLIssuer [2] GeneralNames OPTIONAL } + + DistributionPointName ::= CHOICE { + fullName [0] GeneralNames, + nameRelativeToCRLIssuer [1] RelativeDistinguishedName } + */ static void SecCEPCrlDistributionPoints(SecCertificateRef certificate, const SecCertificateExtension *extn) { secdebug("cert", "critical: %s", extn->critical ? 
"yes" : "no"); + DERSequence crlDPSeq; + DERTag tag; + DERReturn drtn = DERDecodeSeqInit(&extn->extnValue, &tag, &crlDPSeq); + require_noerr_quiet(drtn, badDER); + require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDecodedInfo dpContent; + while ((drtn = DERDecodeSeqNext(&crlDPSeq, &dpContent)) == DR_Success) { + require_quiet(dpContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDistributionPoint dp; + drtn = DERParseSequenceContent(&dpContent.content, DERNumDistributionPointItemSpecs, + DERDistributionPointItemSpecs, &dp, sizeof(dp)); + require_noerr_quiet(drtn, badDER); + require_quiet(dp.distributionPoint.data || dp.cRLIssuer.data, badDER); + if (dp.distributionPoint.data) { + DERDecodedInfo dpName; + drtn = DERDecodeItem(&dp.distributionPoint, &dpName); + require_noerr_quiet(drtn, badDER); + switch (dpName.tag) { + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0: + drtn = parseGeneralNamesContent(&dpName.content, &certificate->_crlDistributionPoints, + appendCRLDPFromGeneralNames); + require_noerr_quiet(drtn, badDER); + break; + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1: + /* RelativeDistinguishName. Nothing we can do with that. */ + break; + default: + goto badDER; + } + } + if (dp.cRLIssuer.data) { + drtn = SecCertificateParseGeneralNames(&dp.cRLIssuer, &certificate->_crlDistributionPoints, + appendCRLDPFromGeneralNames); + require_noerr_quiet(drtn, badDER); + } + } + require_quiet(drtn == DR_EndOfSequence, badDER); + return; +badDER: + secdebug("cert", "failed to parse CRL Distribution Points extension"); } /* @@ -1128,7 +1203,7 @@ static void SecCEPAuthorityInfoAccess(SecCertificateRef certificate, break; } default: - secdebug("cert", "bad general name for id-ad-ocsp AccessDescription t: 0x%02x v: %.*s", + secdebug("cert", "bad general name for id-ad-ocsp AccessDescription t: 0x%02llx v: %.*s", generalNameContent.tag, (int) generalNameContent.content.length, generalNameContent.content.data); goto badDER; break; 
@@ -1576,6 +1651,8 @@ static bool SecCertificateParse(SecCertificateRef certificate) DERNumAlgorithmIdItemSpecs, DERAlgorithmIdItemSpecs, &certificate->_tbsSigAlg, sizeof(certificate->_tbsSigAlg)); require_noerr_quiet(drtn, badCert); + require_quiet(DEROidCompare(&certificate->_sigAlg.oid, + &certificate->_tbsSigAlg.oid), badCert); /* The issuer is in the tbsCert.issuer - it's a sequence without the tag and length fields. */ @@ -1693,7 +1770,7 @@ static bool SecCertificateParse(SecCertificateRef certificate) require_noerr_quiet(drtn, badCert); /* Copy stuff into certificate->extensions[ix]. */ certificate->_extensions[ix].extnID = extn.extnID; - require_noerr_quiet(drtn = DERParseBoolean(&extn.critical, false, + require_noerr_quiet(drtn = DERParseBooleanWithDefault(&extn.critical, false, &certificate->_extensions[ix].critical), badCert); certificate->_extensions[ix].extnValue = extn.extnValue; 
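Review bot: The new `DEROidCompare` check only confirms that the outer `signatureAlgorithm` and the signed `tbsCertificate.signature` share an OID; RFC 5280 §4.1.1.2 requires the whole AlgorithmIdentifier to match, and for parameterised algorithms such as RSASSA-PSS (hash and salt length live in the parameters) a parameter mismatch is exactly what could confuse a verifier that consults the unsigned outer field. Verification later in this file appears to use `_tbsSigAlg.params`, the signed copy, which is the right source, but the check should either also compare the two `params` items (length and bytes) under the same `require_quiet(..., badCert)`, or carry a comment stating that only the OID is compared because the inner, signed identifier is the one used for verification. `SecCertificateParse` starts and ends outside this hunk.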
@@ -1762,21 +1839,23 @@ SecCertificateRef SecCertificateCreate(CFAllocatorRef allocator, */ SecCertificateRef SecCertificateCreateWithData(CFAllocatorRef allocator, CFDataRef der_certificate) { - check(der_certificate); - CFIndex size = sizeof(struct __SecCertificate); - SecCertificateRef result = (SecCertificateRef)_CFRuntimeCreateInstance( + if (!der_certificate) { + return NULL; + } + CFIndex size = sizeof(struct __SecCertificate); + SecCertificateRef result = (SecCertificateRef)_CFRuntimeCreateInstance( allocator, SecCertificateGetTypeID(), size - sizeof(CFRuntimeBase), 0); if (result) { memset((char*)result + sizeof(result->_base), 0, size - sizeof(result->_base)); - result->_der_data = CFDataCreateCopy(allocator, der_certificate); + result->_der_data = CFDataCreateCopy(allocator, der_certificate); result->_der.data = (DERByte *)CFDataGetBytePtr(result->_der_data); result->_der.length = CFDataGetLength(result->_der_data); if (!SecCertificateParse(result)) { CFRelease(result); return NULL; } - } - return result; + } + return result; } SecCertificateRef SecCertificateCreateWithKeychainItem(CFAllocatorRef allocator, @@ -1791,6 +1870,18 @@ SecCertificateRef SecCertificateCreateWithKeychainItem(CFAllocatorRef allocator, return result; } +OSStatus SecCertificateSetKeychainItem(SecCertificateRef certificate, + CFTypeRef keychain_item) +{ + if (!certificate) { + return errSecParam; + } + CFRetainSafe(keychain_item); + CFReleaseSafe(certificate->_keychain_item); + certificate->_keychain_item = keychain_item; + return errSecSuccess; +} + CFDataRef SecCertificateCopyData(SecCertificateRef certificate) { check(certificate); CFDataRef result = NULL; 
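Review bot: `SecCertificateCreateWithData` now rejects a NULL `der_certificate`, but `result->_der_data = CFDataCreateCopy(...)` is still used unchecked on the following line, so an allocation failure dereferences NULL inside `CFDataGetBytePtr`; `if (!result->_der_data) { CFRelease(result); return NULL; }` closes that. `SecCertificateSetKeychainItem` checks for a NULL certificate but not its type, whereas the old `SecCertificateIsSelfSigned` removed further down compared `CFGetTypeID(certificate)` against `SecCertificateGetTypeID()`; since this setter writes into the object, returning `errSecInvalidCertificate` on a type mismatch would match the file's existing convention. A short comment saying the setter takes its own retain on `keychain_item` and releases any previous one would also spare callers a trip into the source.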
@@ -2659,7 +2750,7 @@ static void appendBoolProperty(CFMutableArrayRef properties, static void appendBooleanProperty(CFMutableArrayRef properties, CFStringRef label, const DERItem *boolean, bool defaultValue) { bool result; - DERReturn drtn = DERParseBoolean(boolean, defaultValue, &result); + DERReturn drtn = DERParseBooleanWithDefault(boolean, defaultValue, &result); if (drtn) { /* Couldn't parse boolean; dump the raw unparsed data as hex. */ appendInvalidProperty(properties, label, boolean); @@ -4139,7 +4230,7 @@ CFDataRef SecCertificateGetNormalizedSubjectContent( /* Verify that certificate was signed by issuerKey. */ OSStatus SecCertificateIsSignedBy(SecCertificateRef certificate, - SecKeyRef issuerKey) { + SecKeyRef issuerKey) { /* Setup algId in SecAsn1AlgId format. */ SecAsn1AlgId algId; algId.algorithm.Length = certificate->_tbsSigAlg.oid.length; @@ -4147,13 +4238,17 @@ OSStatus SecCertificateIsSignedBy(SecCertificateRef certificate, algId.parameters.Length = certificate->_tbsSigAlg.params.length; algId.parameters.Data = certificate->_tbsSigAlg.params.data; - OSStatus status = SecKeyDigestAndVerify(issuerKey, &algId, + CFErrorRef error = NULL; + if (!SecVerifySignatureWithPublicKey(issuerKey, &algId, certificate->_tbs.data, certificate->_tbs.length, - certificate->_signature.data, certificate->_signature.length); - if (status) { - secdebug("verify", "signature verify failed: %" PRIdOSStatus, status); - return errSecNotSigner; - } + certificate->_signature.data, certificate->_signature.length, &error)) + { +#if !defined(NDEBUG) + secdebug("verify", "signature verify failed: %" PRIdOSStatus, (error) ? (OSStatus)CFErrorGetCode(error) : errSecNotSigner); +#endif + CFReleaseSafe(error); + return errSecNotSigner; + } return errSecSuccess; } 
@@ -4413,7 +4508,7 @@ static OSStatus appendDNSNamesFromGeneralNames(void *context, SecCEGeneralNameTy <digit> ::= any one of the ten digits 0 through 9 */ static bool isDNSName(CFStringRef string) { - CFStringInlineBuffer buf; + CFStringInlineBuffer buf = {}; CFIndex ix, labelLength = 0, length = CFStringGetLength(string); /* From RFC 1035 2.3.4. Size limits: labels 63 octets or less @@ -4808,7 +4903,7 @@ static OSStatus appendToRFC2253String(void *context, a space character occurring at the end of the string one of the characters ",", "+", """, "\", "<", ">" or ";" */ - CFStringInlineBuffer buffer; + CFStringInlineBuffer buffer = {}; CFIndex ix, length = CFStringGetLength(raw); CFRange range = { 0, length }; CFStringInitInlineBuffer(raw, &buffer, range); @@ -4887,7 +4982,7 @@ static CFDataRef SecDERItemCopySequence(DERItem *content) { sequence_length); CFDataSetLength(sequence, sequence_length); uint8_t *sequence_ptr = CFDataGetMutableBytePtr(sequence); - *sequence_ptr++ = 0x30; /* ASN1_CONSTR_SEQUENCE */ + *sequence_ptr++ = ONE_BYTE_ASN1_CONSTR_SEQUENCE; require_noerr_quiet(DEREncodeLength(content->length, sequence_ptr, &seq_len_length), out); sequence_ptr += seq_len_length; 
@@ -4926,24 +5021,28 @@ SecKeyRef SecCertificateCopyPublicKey_ios(SecCertificateRef certificate) SecKeyRef SecCertificateCopyPublicKey(SecCertificateRef certificate) #endif { - const DERAlgorithmId *algId = - SecCertificateGetPublicKeyAlgorithm(certificate); - const DERItem *keyData = SecCertificateGetPublicKeyData(certificate); - const DERItem *params = NULL; - if (algId->params.length != 0) { - params = &algId->params; + if (certificate->_pubKey == NULL) { + const DERAlgorithmId *algId = + SecCertificateGetPublicKeyAlgorithm(certificate); + const DERItem *keyData = SecCertificateGetPublicKeyData(certificate); + const DERItem *params = NULL; + if (algId->params.length != 0) { + params = &algId->params; + } + SecAsn1Oid oid1 = { .Data = algId->oid.data, .Length = algId->oid.length }; + SecAsn1Item params1 = { + .Data = params ? params->data : NULL, + .Length = params ? params->length : 0 + }; + SecAsn1Item keyData1 = { + .Data = keyData ? keyData->data : NULL, + .Length = keyData ? keyData->length : 0 + }; + certificate->_pubKey = SecKeyCreatePublicFromDER(kCFAllocatorDefault, &oid1, ¶ms1, + &keyData1); } - SecAsn1Oid oid1 = { .Data = algId->oid.data, .Length = algId->oid.length }; - SecAsn1Item params1 = { - .Data = params ? params->data : NULL, - .Length = params ? params->length : 0 - }; - SecAsn1Item keyData1 = { - .Data = keyData ? keyData->data : NULL, - .Length = keyData ? keyData->length : 0 - }; - return SecKeyCreatePublicFromDER(kCFAllocatorDefault, &oid1, ¶ms1, - &keyData1); + + return CFRetainSafe(certificate->_pubKey); } bool SecCertificateIsWeak(SecCertificateRef certificate) { 
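Review bot: The lazy fill of `certificate->_pubKey` is an unsynchronized check-then-store on an object that is otherwise immutable and, presumably, shared across threads; two concurrent callers of `SecCertificateCopyPublicKey` on the same certificate both create a key, the first store is overwritten and leaked, and a reader may retain a pointer the other thread is still publishing. The other cached fields in this file (`_sha1Digest` in the next hunk, for one) follow the same pattern, so this may be an accepted convention, but a compare-and-swap that only publishes when the slot is still NULL and releases the losing key would make it safe at no cost. Unlike the NULL guards this commit adds to the digest and accessor functions, `certificate` is also dereferenced here without a check; `if (!certificate) { return NULL; }` at the top would keep the file consistent.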
@@ -4971,17 +5070,55 @@ out: return weak; } +bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate, + CFDictionaryRef keySizes) { + bool goodSize = false; + SecKeyRef pubKey = NULL; +#if SECTRUST_OSX + require_quiet(pubKey = SecCertificateCopyPublicKey_ios(certificate), out); +#else + require_quiet(pubKey = SecCertificateCopyPublicKey(certificate) ,out); +#endif + size_t size = SecKeyGetBlockSize(pubKey); + CFNumberRef minSize; + size_t minSizeInBits; + switch (SecKeyGetAlgorithmIdentifier(pubKey)) { + case kSecRSAAlgorithmID: + if(CFDictionaryGetValueIfPresent(keySizes, kSecAttrKeyTypeRSA, (const void**)&minSize) + && minSize && CFNumberGetValue(minSize, kCFNumberLongType, &minSizeInBits)) { + if (size >= (size_t)(minSizeInBits+7)/8) goodSize = true; + } + break; + case kSecECDSAAlgorithmID: + if(CFDictionaryGetValueIfPresent(keySizes, kSecAttrKeyTypeEC, (const void**)&minSize) + && minSize && CFNumberGetValue(minSize, kCFNumberLongType, &minSizeInBits)) { + if (size >= (size_t)(minSizeInBits+7)/8) goodSize = true; + } + break; + default: + goodSize = false; + } +out: + CFReleaseSafe(pubKey); + return goodSize; +} + CFDataRef SecCertificateGetSHA1Digest(SecCertificateRef certificate) { + if (!certificate || !certificate->_der.data) { + return NULL; + } if (!certificate->_sha1Digest) { - certificate->_sha1Digest = - SecSHA1DigestCreate(CFGetAllocator(certificate), - certificate->_der.data, certificate->_der.length); - } - - return certificate->_sha1Digest; + certificate->_sha1Digest = + SecSHA1DigestCreate(CFGetAllocator(certificate), + certificate->_der.data, certificate->_der.length); + } + return certificate->_sha1Digest; } CFDataRef SecCertificateCopySHA256Digest(SecCertificateRef certificate) { + if (!certificate || !certificate->_der.data) { + return NULL; + } return SecSHA256DigestCreate(CFGetAllocator(certificate), certificate->_der.data, certificate->_der.length); } 
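Review bot: `SecCertificateIsAtLeastMinKeySize` compares `SecKeyGetBlockSize(pubKey)`, a byte count, against `(minSizeInBits+7)/8`, so the policy is only byte-granular: an RSA modulus up to 7 bits shorter than the configured minimum (for example 2041 bits against a 2048-bit floor) still passes, and for EC keys it is not obvious from this hunk that the block size equals the curve's field size in every SecKey implementation. If the minimum is meant in bits, read the exact size instead — `kSecAttrKeySizeInBits` from `SecKeyCopyAttributes(pubKey)` where available — and compare bit-for-bit; if byte granularity is acceptable, say so in a comment above the `switch`. `minSizeInBits` is also left uninitialized when `CFNumberGetValue` fails, which is harmless as written but `size_t minSizeInBits = 0;` makes that obvious.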
@@ -4994,29 +5131,46 @@ CFDataRef SecCertificateCopyIssuerSHA1Digest(SecCertificateRef certificate) { CFDataGetBytePtr(issuer), CFDataGetLength(issuer)); CFRelease(issuer); } - return digest; + return digest; } CFDataRef SecCertificateCopyPublicKeySHA1Digest(SecCertificateRef certificate) { + if (!certificate || !certificate->_pubKeyDER.data) { + return NULL; + } return SecSHA1DigestCreate(CFGetAllocator(certificate), certificate->_pubKeyDER.data, certificate->_pubKeyDER.length); } +CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA1Digest(SecCertificateRef certificate) { + if (!certificate || !certificate->_subjectPublicKeyInfo.data) { + return NULL; + } + return SecSHA1DigestCreate(CFGetAllocator(certificate), + certificate->_subjectPublicKeyInfo.data, certificate->_subjectPublicKeyInfo.length); +} + CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA256Digest(SecCertificateRef certificate) { + if (!certificate || !certificate->_subjectPublicKeyInfo.data) { + return NULL; + } return SecSHA256DigestCreate(CFGetAllocator(certificate), certificate->_subjectPublicKeyInfo.data, certificate->_subjectPublicKeyInfo.length); } CFTypeRef SecCertificateCopyKeychainItem(SecCertificateRef certificate) { - if (!certificate) + if (!certificate) { return NULL; - + } CFRetainSafe(certificate->_keychain_item); return certificate->_keychain_item; } CFDataRef SecCertificateGetAuthorityKeyID(SecCertificateRef certificate) { + if (!certificate) { + return NULL; + } if (!certificate->_authorityKeyID && certificate->_authorityKeyIdentifier.length) { certificate->_authorityKeyID = CFDataCreate(kCFAllocatorDefault, @@ -5028,6 +5182,9 @@ CFDataRef SecCertificateGetAuthorityKeyID(SecCertificateRef certificate) { } CFDataRef SecCertificateGetSubjectKeyID(SecCertificateRef certificate) { + if (!certificate) { + return NULL; + } if (!certificate->_subjectKeyID && certificate->_subjectKeyIdentifier.length) { certificate->_subjectKeyID = CFDataCreate(kCFAllocatorDefault, 
@@ -5039,30 +5196,48 @@ CFDataRef SecCertificateGetSubjectKeyID(SecCertificateRef certificate) { } CFArrayRef SecCertificateGetCRLDistributionPoints(SecCertificateRef certificate) { + if (!certificate) { + return NULL; + } return certificate->_crlDistributionPoints; } CFArrayRef SecCertificateGetOCSPResponders(SecCertificateRef certificate) { + if (!certificate) { + return NULL; + } return certificate->_ocspResponders; } CFArrayRef SecCertificateGetCAIssuers(SecCertificateRef certificate) { + if (!certificate) { + return NULL; + } return certificate->_caIssuers; } bool SecCertificateHasCriticalSubjectAltName(SecCertificateRef certificate) { - return certificate->_subjectAltName && - certificate->_subjectAltName->critical; + if (!certificate) { + return false; + } + return certificate->_subjectAltName && + certificate->_subjectAltName->critical; } bool SecCertificateHasSubject(SecCertificateRef certificate) { + if (!certificate) { + return false; + } /* Since the _subject field is the content of the subject and not the whole thing, we can simply check for a 0 length subject here. */ return certificate->_subject.length != 0; } bool SecCertificateHasUnknownCriticalExtension(SecCertificateRef certificate) { - return certificate->_foundUnknownCriticalExtension; + if (!certificate) { + return false; + } + return certificate->_foundUnknownCriticalExtension; } /* Private API functions. */ 
@@ -5135,65 +5310,72 @@ SecCertificateRef SecCertificateCreateFromAttributeDictionary( } #endif -OSStatus SecCertificateIsSelfSigned(SecCertificateRef certificate, Boolean *isSelfSigned) { - if (!certificate || (CFGetTypeID(certificate) != SecCertificateGetTypeID())) { - return errSecInvalidCertificate; - } - if (!isSelfSigned) { - return errSecParam; - } -#if 0 - // %%% TBD: IsSelfSigned doesn't require basicConstraints like IsSelfSignedCA, - // which is actually what we want here. Probably need a separate version - // of this function to do the signature comparison, and have the basicConstraints - // check be implemented only in IsSelfSignedCA. - - if (certificate->_isSelfSigned == 0) { - certificate->_isSelfSigned = - (SecCertificateIsIssuedBy(certificate, certificate, 0) ? - 1 : 0); - } - *isSelfSigned = (certificate->_isSelfSigned == 1); -#else - *isSelfSigned = SecCertificateIsSelfSignedCA(certificate); -#endif - return errSecSuccess; -} - -bool SecCertificateIsSelfSignedCA(SecCertificateRef certificate) { - bool result = false; - SecKeyRef publicKey = NULL; +static bool _SecCertificateIsSelfSigned(SecCertificateRef certificate) { + if (certificate->_isSelfSigned == kSecSelfSignedUnknown) { + certificate->_isSelfSigned = kSecSelfSignedFalse; + SecKeyRef publicKey = NULL; + require(certificate && (CFGetTypeID(certificate) == SecCertificateGetTypeID()), out); #if SECTRUST_OSX - require(publicKey = SecCertificateCopyPublicKey_ios(certificate), out); + require(publicKey = SecCertificateCopyPublicKey_ios(certificate), out); #else - require(publicKey = SecCertificateCopyPublicKey(certificate), out); + require(publicKey = SecCertificateCopyPublicKey(certificate), out); #endif - CFDataRef normalizedIssuer = + CFDataRef normalizedIssuer = SecCertificateGetNormalizedIssuerContent(certificate); - CFDataRef normalizedSubject = + CFDataRef normalizedSubject = SecCertificateGetNormalizedSubjectContent(certificate); - require_quiet(normalizedIssuer && normalizedSubject && - 
CFEqual(normalizedIssuer, normalizedSubject), out); + require_quiet(normalizedIssuer && normalizedSubject && + CFEqual(normalizedIssuer, normalizedSubject), out); + + CFDataRef authorityKeyID = SecCertificateGetAuthorityKeyID(certificate); + CFDataRef subjectKeyID = SecCertificateGetSubjectKeyID(certificate); + if (authorityKeyID) { + require_quiet(subjectKeyID && CFEqual(subjectKeyID, authorityKeyID), out); + } - CFDataRef authorityKeyID = SecCertificateGetAuthorityKeyID(certificate); - CFDataRef subjectKeyID = SecCertificateGetSubjectKeyID(certificate); - if (authorityKeyID) { - require_quiet(subjectKeyID && CFEqual(subjectKeyID, authorityKeyID), out); + require_noerr_quiet(SecCertificateIsSignedBy(certificate, publicKey), out); + + certificate->_isSelfSigned = kSecSelfSignedTrue; + out: + CFReleaseSafe(publicKey); } + return (certificate->_isSelfSigned == kSecSelfSignedTrue); +} + +bool SecCertificateIsCA(SecCertificateRef certificate) { + bool result = false; + require(certificate && (CFGetTypeID(certificate) == SecCertificateGetTypeID()), out); if (SecCertificateVersion(certificate) >= 3) { const SecCEBasicConstraints *basicConstraints = SecCertificateGetBasicConstraints(certificate); - require_quiet(basicConstraints && basicConstraints->isCA, out); - require_noerr_quiet(SecCertificateIsSignedBy(certificate, publicKey), out); + result = (basicConstraints && basicConstraints->isCA); + } + else { + result = _SecCertificateIsSelfSigned(certificate); } - - result = true; out: - CFReleaseSafe(publicKey); return result; } +bool SecCertificateIsSelfSignedCA(SecCertificateRef certificate) { + return (_SecCertificateIsSelfSigned(certificate) && SecCertificateIsCA(certificate)); +} + +OSStatus SecCertificateIsSelfSigned(SecCertificateRef certificate, Boolean *isSelfSigned) { + if (!certificate || (CFGetTypeID(certificate) != SecCertificateGetTypeID())) { + return errSecInvalidCertificate; + } + if (!isSelfSigned) { + return errSecParam; + } + *isSelfSigned = 
_SecCertificateIsSelfSigned(certificate); + return errSecSuccess; +} + SecKeyUsage SecCertificateGetKeyUsage(SecCertificateRef certificate) { + if (!certificate) { + return kSecKeyUsageUnspecified; + } return certificate->_keyUsage; } @@ -5201,7 +5383,7 @@ CFArrayRef SecCertificateCopyExtendedKeyUsage(SecCertificateRef certificate) { CFMutableArrayRef extended_key_usage_oids = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); - require_quiet(extended_key_usage_oids, out); + require_quiet(certificate && extended_key_usage_oids, out); int ix; for (ix = 0; ix < certificate->_extensionCount; ++ix) { const SecCertificateExtension *extn = &certificate->_extensions[ix]; @@ -5234,6 +5416,7 @@ out: CFArrayRef SecCertificateCopySignedCertificateTimestamps(SecCertificateRef certificate) { + require_quiet(certificate, out); int ix; for (ix = 0; ix < certificate->_extensionCount; ++ix) { @@ -5264,6 +5447,7 @@ static bool matches_expected(DERItem der, CFTypeRef expected) { } break; + case ASN1_IA5_STRING: case ASN1_UTF8_STRING: { if (isString(expected)) { CFStringRef expectedString = (CFStringRef) expected; 
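Review bot: In `_SecCertificateIsSelfSigned` the `require(certificate && (CFGetTypeID(certificate) == SecCertificateGetTypeID()), out)` check sits inside the `if (certificate->_isSelfSigned == kSecSelfSignedUnknown)` block, so `certificate` has already been read and written before it is validated and the guard can never fire. `SecCertificateIsSelfSignedCA` calls this helper with no check of its own, so the new code looks defended against NULL when it is not. Move the check above the cache test: `if (!certificate || CFGetTypeID(certificate) != SecCertificateGetTypeID()) { return false; }`. Note also that a failed public-key copy caches `kSecSelfSignedFalse` for the lifetime of the object; that is reasonable for an unparsable key but deserves a comment at the `certificate->_isSelfSigned = kSecSelfSignedFalse;` line.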
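Review bot: `require_quiet(certificate && extended_key_usage_oids, out)` in `SecCertificateCopyExtendedKeyUsage` now jumps to `out` holding a live `extended_key_usage_oids` when `certificate` is NULL, whereas before this line could only reach `out` with a NULL array. Whether that leaks depends on what `out:` releases, which is outside the hunk; if `out` merely returns the array, the cheaper and unambiguous form is to test the certificate before allocating: `if (!certificate) return NULL;` placed ahead of `CFArrayCreateMutable`. The function's body continues outside the hunk.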
@@ -5361,7 +5545,35 @@ static bool GetDecimalValueOfString(CFStringRef string, uint32_t* value) return result; } -static CFDataRef CreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string) +bool SecCertificateIsOidString(CFStringRef oid) +{ + if (!oid) return false; + if (2 >= CFStringGetLength(oid)) return false; + bool result = true; + + /* oid string only has the allowed characters */ + CFCharacterSetRef decimalOid = CFCharacterSetCreateWithCharactersInString(NULL, CFSTR("0123456789.")); + CFCharacterSetRef nonDecimalOid = CFCharacterSetCreateInvertedSet(NULL, decimalOid); + if (CFStringFindCharacterFromSet(oid, nonDecimalOid, CFRangeMake(0, CFStringGetLength(oid)), kCFCompareForcedOrdering, NULL)) { + result = false; + } + + /* first arc is allowed */ + UniChar firstArc[2]; + CFRange firstTwo = {0, 2}; + CFStringGetCharacters(oid, firstTwo, firstArc); + if (firstArc[1] != '.' || + (firstArc[0] != '0' && firstArc[0] != '1' && firstArc[0] != '2')) { + result = false; + } + + CFReleaseNull(decimalOid); + CFReleaseNull(nonDecimalOid); + + return result; +} + +CFDataRef SecCertificateCreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string) { CFMutableDataRef currentResult = NULL; CFDataRef encodedResult = NULL; @@ -5369,7 +5581,7 @@ static CFDataRef CreateOidDataFromString(CFAllocatorRef allocator, CFStringRef s CFArrayRef parts = NULL; CFIndex count = 0; - if (!string) + if (!string || !SecCertificateIsOidString(string)) goto exit; parts = CFStringCreateArrayBySeparatingStrings(NULL, string, CFSTR(".")); @@ -5451,7 +5663,7 @@ static void check_for_marker(const void *key, const void *value, void *context) if (CFGetTypeID(key_string) != CFStringGetTypeID()) return; - CFDataRef key_data = CreateOidDataFromString(NULL, key_string); + CFDataRef key_data = SecCertificateCreateOidDataFromString(NULL, key_string); if (NULL == key_data) return; 
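Review bot: `SecCertificateIsOidString` checks only the character set and the first two characters, so strings with empty arcs such as `1.2..3` or a trailing `1.2.` pass and reach `SecCertificateCreateOidDataFromString`, whose treatment of an empty component depends on `GetDecimalValueOfString`, outside the hunk. Since this predicate now gates CFString OIDs for `SecCertificateHasMarkerExtension`, rejecting those shapes here keeps the contract self-contained: `if (CFStringHasSuffix(oid, CFSTR(".")) || CFStringFind(oid, CFSTR(".."), 0).location != kCFNotFound) { result = false; }`. The `kCFCompareForcedOrdering` passed to `CFStringFindCharacterFromSet` is an ordering option for comparisons and has no documented effect on a set search; `0` says what is meant. The `/* first arc is allowed */` comment would read better as `/* first arc must be 0, 1 or 2 and be followed by '.' */`.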
@@ -5466,6 +5678,7 @@ static void check_for_marker(const void *key, const void *value, void *context) // CFType Ref is either: // // CFData - OID to match with no data permitted +// CFString - decimal OID to match // CFDictionary - OID -> Value table for expected values Single Object or Array // CFArray - Array of the above. // 
@@ -5483,10 +5696,126 @@ bool SecCertificateHasMarkerExtension(SecCertificateRef certificate, CFTypeRef o return context.found; } else if (CFGetTypeID(oids) == CFDataGetTypeID()) { return cert_contains_marker_extension(certificate, oids); + } else if (CFGetTypeID(oids) == CFStringGetTypeID()) { + CFDataRef dataOid = SecCertificateCreateOidDataFromString(NULL, oids); + if (dataOid == NULL) return false; + bool result = cert_contains_marker_extension(certificate, dataOid); + CFReleaseNull(dataOid); + return result; } return false; } +static DERItem *cert_extension_value_for_marker(SecCertificateRef certificate, CFDataRef oid) { + CFIndex ix; + const uint8_t *oid_data = CFDataGetBytePtr(oid); + size_t oid_len = CFDataGetLength(oid); + + for (ix = 0; ix < certificate->_extensionCount; ++ix) { + const SecCertificateExtension *extn = &certificate->_extensions[ix]; + if (extn->extnID.length == oid_len + && !memcmp(extn->extnID.data, oid_data, extn->extnID.length)) + { + return (DERItem *)&extn->extnValue; + } + } + return NULL; +} + +// +// CFType Ref is either: +// +// CFData - OID to match with no data permitted +// CFString - decimal OID to match +// +DERItem *SecCertificateGetExtensionValue(SecCertificateRef certificate, CFTypeRef oid) { + if (!certificate || !oid) { + return NULL; + } + + if(CFGetTypeID(oid) == CFDataGetTypeID()) { + return cert_extension_value_for_marker(certificate, oid); + } else if (CFGetTypeID(oid) == CFStringGetTypeID()) { + CFDataRef dataOid = SecCertificateCreateOidDataFromString(NULL, oid); + if (dataOid == NULL) return NULL; + DERItem *result = cert_extension_value_for_marker(certificate, dataOid); + CFReleaseNull(dataOid); + return result; + } + + return NULL; +} + +CFDataRef SecCertificateCopyiAPAuthCapabilities(SecCertificateRef certificate) { + if (!certificate) { + return NULL; + } + CFDataRef extensionData = NULL; + DERItem *extensionValue = NULL; + extensionValue = SecCertificateGetExtensionValue(certificate, + 
CFSTR("1.2.840.113635.100.6.36")); + require_quiet(extensionValue, out); + /* The extension is a octet string containing the DER-encoded 32-byte octet string */ + require_quiet(extensionValue->length == 34, out); + DERDecodedInfo decodedValue; + require_noerr_quiet(DERDecodeItem(extensionValue, &decodedValue), out); + if (decodedValue.tag == ASN1_OCTET_STRING) { + require_quiet(decodedValue.content.length == 32, out); + extensionData = CFDataCreate(NULL, decodedValue.content.data, + decodedValue.content.length); + } else { + require_quiet(extensionValue->data[33] == 0x00 && + extensionValue->data[32] == 0x00, out); + extensionData = CFDataCreate(NULL, extensionValue->data, 32); + } +out: + return extensionData; +} + +#if 0 +/* From iapd IAPAuthenticationTypes.h */ +typedef struct IapCertSerialNumber +{ + uint8_t xservID; // Xserver ID + uint8_t hsmID; // Hardware security module ID (generated cert) + uint8_t delimiter01; // Field delimiter (IAP_CERT_FIELD_DELIMITER) + uint8_t dateYear; // Date year cert was issued + uint8_t dateMonth; // Date month cert was issued + uint8_t dateDay; // Date day cert was issued + uint8_t delimiter02; // Field delimiter (IAP_CERT_FIELD_DELIMITER) + uint8_t devClass; // iAP device class (maps to lingo permissions) + uint8_t delimiter03; // Field delimiter (IAP_CERT_FIELD_DELIMITER) + uint8_t batchNumHi; // Batch number high byte (15:08) + uint8_t batchNumLo; // Batch number low byte (07:00) + uint8_t delimiter04; // Field delimiter (IAP_CERT_FIELD_DELIMITER) + uint8_t serialNumHi; // Serial number high byte (23:16) + uint8_t serialNumMid; // Serial number middle byte (15:08) + uint8_t serialNumLo; // Serial number low byte (07:00) + +} IapCertSerialNumber_t, *pIapCertSerialNumber_t; +#endif + +#define IAP_CERT_FIELD_DELIMITER 0xAA // "Apple_Accessory" delimiter +SeciAuthVersion SecCertificateGetiAuthVersion(SecCertificateRef certificate) { + if (!certificate) { + return kSeciAuthInvalid; + } + if (NULL != 
SecCertificateGetExtensionValue(certificate, + CFSTR("1.2.840.113635.100.6.36"))) { + return kSeciAuthVersion3; + } + DERItem serialNumber = certificate->_serialNum; + require_quiet(serialNumber.data, out); + require_quiet(serialNumber.length == 15, out); + require_quiet(serialNumber.data[2] == IAP_CERT_FIELD_DELIMITER && + serialNumber.data[6] == IAP_CERT_FIELD_DELIMITER && + serialNumber.data[8] == IAP_CERT_FIELD_DELIMITER && + serialNumber.data[11] == IAP_CERT_FIELD_DELIMITER, out); + return kSeciAuthVersion2; +out: + return kSeciAuthInvalid; +} + SecCertificateRef SecCertificateCreateWithPEM(CFAllocatorRef allocator, CFDataRef pem_certificate) { @@ -5609,18 +5938,16 @@ static CFArrayRef CopyEscrowCertificates(SecCertificateEscrowRootType escrowRoot }, ^bool(xpc_object_t response, CFErrorRef *error) { - xpc_object_t xpc_array = xpc_dictionary_get_value(response, kSecXPCKeyResult); + xpc_object_t xpc_array = xpc_dictionary_get_value(response, kSecXPCKeyResult); - if (response && (NULL != xpc_array)) - { - result = (CFArrayRef)_CFXPCCreateCFObjectFromXPCObject(xpc_array); - } - else - { - return SecError(errSecInternal, error, CFSTR("Did not get the Escrow certificates")); + if (response && (NULL != xpc_array)) { + result = (CFArrayRef)_CFXPCCreateCFObjectFromXPCObject(xpc_array); } - return result != NULL; - }); + else { + return SecError(errSecInternal, error, CFSTR("Did not get the Escrow certificates")); + } + return result != NULL; + }); return result; } 
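Review bot: `cert_extension_value_for_marker` casts away `const` with `(DERItem *)&extn->extnValue`, and `SecCertificateGetExtensionValue` hands that mutable pointer into the certificate's parsed extension table to callers although nothing here writes through it; declaring both as returning `const DERItem *` (and the same in the SecCertificateInternal.h declaration) keeps the certificate immutable from the API surface, since `SecCertificateCopyiAPAuthCapabilities` and `SecCertificateGetiAuthVersion` only read through it. In `SecCertificateCopyiAPAuthCapabilities` the non-OCTET-STRING fallback (`extensionValue->data[33] == 0x00 && extensionValue->data[32] == 0x00`) is reached only when `DERDecodeItem` succeeds on the 34 bytes with some other tag, while a raw payload that does not happen to parse as a DER item goes to `out`; a comment naming the legacy layout that branch is meant to accept, or dropping the branch, would make the accepted encodings statable. The `#if 0` `IapCertSerialNumber` struct documents the serial-number layout that `SecCertificateGetiAuthVersion` indexes and would be clearer as a comment than as disabled code.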
@@ -5631,88 +5958,87 @@ CFArrayRef SecCertificateCopyEscrowRoots(SecCertificateEscrowRootType escrowRoot CFDataRef certData = NULL; int numRoots = 0; - // The request is for the base line certificates. - // Use the hard coded data to generate the return array if (kSecCertificateBaselineEscrowRoot == escrowRootType || - kSecCertificateBaselinePCSEscrowRoot == escrowRootType) + kSecCertificateBaselinePCSEscrowRoot == escrowRootType || + kSecCertificateBaselineEscrowBackupRoot == escrowRootType || + kSecCertificateBaselineEscrowEnrollmentRoot == escrowRootType) { + // The request is for the base line certificates. + // Use the hard coded data to generate the return array. + struct RootRecord** pEscrowRoots; + switch (escrowRootType) { + case kSecCertificateBaselineEscrowRoot: + numRoots = kNumberOfBaseLineEscrowRoots; + pEscrowRoots = kBaseLineEscrowRoots; + break; + case kSecCertificateBaselinePCSEscrowRoot: + numRoots = kNumberOfBaseLinePCSEscrowRoots; + pEscrowRoots = kBaseLinePCSEscrowRoots; + break; + case kSecCertificateBaselineEscrowBackupRoot: + numRoots = kNumberOfBaseLineEscrowBackupRoots; + pEscrowRoots = kBaseLineEscrowBackupRoots; + break; + case kSecCertificateBaselineEscrowEnrollmentRoot: + default: + numRoots = kNumberOfBaseLineEscrowEnrollmentRoots; + pEscrowRoots = kBaseLineEscrowEnrollmentRoots; + break; + } + // Get the hard coded set of roots - numRoots = (kSecCertificateBaselineEscrowRoot == escrowRootType) ? 
- kNumberOfBaseLineEscrowRoots : - kNumberOfBaseLinePCSEscrowRoots; SecCertificateRef baseLineCerts[numRoots]; - struct RootRecord** pEscrowRoots = kBaseLineEscrowRoots; struct RootRecord* pRootRecord = NULL; - if (kSecCertificateBaselinePCSEscrowRoot == escrowRootType) { - pEscrowRoots = kBaseLinePCSEscrowRoots; - } - - for (iCnt = 0; iCnt < numRoots; iCnt++) - { - pRootRecord = pEscrowRoots[iCnt]; - if (NULL != pRootRecord && pRootRecord->_length > 0 && NULL != pRootRecord->_bytes) - { + for (iCnt = 0; iCnt < numRoots; iCnt++) { + pRootRecord = pEscrowRoots[iCnt]; + if (NULL != pRootRecord && pRootRecord->_length > 0 && NULL != pRootRecord->_bytes) { certData = CFDataCreate(kCFAllocatorDefault, pRootRecord->_bytes, pRootRecord->_length); - if (NULL != certData) - { + if (NULL != certData) { baseLineCerts[iCnt] = SecCertificateCreateWithData(kCFAllocatorDefault, certData); CFRelease(certData); } - } - } + } + } result = CFArrayCreate(kCFAllocatorDefault, (const void **)baseLineCerts, numRoots, &kCFTypeArrayCallBacks); - for (iCnt = 0; iCnt < numRoots; iCnt++) - { - if (NULL != baseLineCerts[iCnt]) - { + for (iCnt = 0; iCnt < numRoots; iCnt++) { + if (NULL != baseLineCerts[iCnt]) { CFRelease(baseLineCerts[iCnt]); } } } - // The request is for the current certificates. - else - { + else { + // The request is for the current certificates. 
CFErrorRef error = NULL; CFArrayRef cert_datas = CopyEscrowCertificates(escrowRootType, &error); - if (NULL != error || NULL == cert_datas) - { - if (NULL != error) - { + if (NULL != error || NULL == cert_datas) { + if (NULL != error) { CFRelease(error); } - - if (NULL != cert_datas) - { + if (NULL != cert_datas) { CFRelease(cert_datas); } return result; } - numRoots = (int)(CFArrayGetCount(cert_datas)); + numRoots = (int)(CFArrayGetCount(cert_datas)); SecCertificateRef assetCerts[numRoots]; - for (iCnt = 0; iCnt < numRoots; iCnt++) - { + for (iCnt = 0; iCnt < numRoots; iCnt++) { certData = (CFDataRef)CFArrayGetValueAtIndex(cert_datas, iCnt); - if (NULL != certData) - { + if (NULL != certData) { SecCertificateRef aCertRef = SecCertificateCreateWithData(kCFAllocatorDefault, certData); assetCerts[iCnt] = aCertRef; } - else - { + else { assetCerts[iCnt] = NULL; } } - if (numRoots > 0) - { + if (numRoots > 0) { result = CFArrayCreate(kCFAllocatorDefault, (const void **)assetCerts, numRoots, &kCFTypeArrayCallBacks); - for (iCnt = 0; iCnt < numRoots; iCnt++) - { - if (NULL != assetCerts[iCnt]) - { + for (iCnt = 0; iCnt < numRoots; iCnt++) { + if (NULL != assetCerts[iCnt]) { CFRelease(assetCerts[iCnt]); } } 
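Review bot: `baseLineCerts[numRoots]` in the rewritten baseline branch of `SecCertificateCopyEscrowRoots` is a VLA whose slots are assigned only when the root record is present and `CFDataCreate` succeeds, yet every slot is passed to `CFArrayCreate` with `kCFTypeArrayCallBacks`, which retains each value; a skipped slot is an uninitialized pointer and a failed `SecCertificateCreateWithData` stores NULL, and either crashes inside the retain. The `NULL != baseLineCerts[iCnt]` test in the release loop shows NULL was anticipated, but the array creation does not tolerate it, and the `assetCerts` branch below has the same problem with its explicit `assetCerts[iCnt] = NULL`. Populating the VLA densely and passing the populated count fixes the baseline branch; the function starts before and ends after this hunk.
```c
    SecCertificateRef baseLineCerts[numRoots];
    struct RootRecord* pRootRecord = NULL;
    int numCerts = 0;  /* slots of baseLineCerts actually populated */
    for (iCnt = 0; iCnt < numRoots; iCnt++) {
        pRootRecord = pEscrowRoots[iCnt];
        if (NULL != pRootRecord && pRootRecord->_length > 0 && NULL != pRootRecord->_bytes) {
            certData = CFDataCreate(kCFAllocatorDefault, pRootRecord->_bytes, pRootRecord->_length);
            if (NULL != certData) {
                SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, certData);
                CFRelease(certData);
                if (NULL != cert) {
                    baseLineCerts[numCerts++] = cert;
                }
            }
        }
    }
    result = CFArrayCreate(kCFAllocatorDefault, (const void **)baseLineCerts, numCerts, &kCFTypeArrayCallBacks);
    for (iCnt = 0; iCnt < numCerts; iCnt++) {
        CFRelease(baseLineCerts[iCnt]);
    }
    // … unchanged: current-certificates branch …
```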
@@ -5722,6 +6048,16 @@ CFArrayRef SecCertificateCopyEscrowRoots(SecCertificateEscrowRootType escrowRoot return result; } +SEC_CONST_DECL (kSecSignatureDigestAlgorithmUnknown, "SignatureDigestUnknown"); +SEC_CONST_DECL (kSecSignatureDigestAlgorithmMD2, "SignatureDigestMD2"); +SEC_CONST_DECL (kSecSignatureDigestAlgorithmMD4, "SignatureDigestMD4"); +SEC_CONST_DECL (kSecSignatureDigestAlgorithmMD5, "SignatureDigestMD5"); +SEC_CONST_DECL (kSecSignatureDigestAlgorithmSHA1, "SignatureDigestSHA1"); +SEC_CONST_DECL (kSecSignatureDigestAlgorithmSHA224, "SignatureDigestSHA224"); +SEC_CONST_DECL (kSecSignatureDigestAlgorithmSHA256, "SignatureDigestSHA256"); +SEC_CONST_DECL (kSecSignatureDigestAlgorithmSHA384, "SignatureDigestSHA284"); +SEC_CONST_DECL (kSecSignatureDigestAlgorithmSHA512, "SignatureDigestSHA512"); + SecSignatureHashAlgorithm SecCertificateGetSignatureHashAlgorithm(SecCertificateRef certificate) { SecSignatureHashAlgorithm result = kSecSignatureHashAlgorithmUnknown; diff --git a/OSX/sec/Security/SecCertificateInternal.h b/OSX/sec/Security/SecCertificateInternal.h index 750faa96..262c0377 100644 --- a/OSX/sec/Security/SecCertificateInternal.h +++ b/OSX/sec/Security/SecCertificateInternal.h 
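Review bot: `SEC_CONST_DECL (kSecSignatureDigestAlgorithmSHA384, "SignatureDigestSHA284")` gives the SHA-384 constant the string value `SignatureDigestSHA284`; every neighbour follows the `SignatureDigest<name>` pattern, so this is almost certainly a typo. Whether it is observable depends on where the string is consumed (outside this hunk), but anything keyed on the literal will silently miss SHA-384. Change it to `SEC_CONST_DECL (kSecSignatureDigestAlgorithmSHA384, "SignatureDigestSHA384");`.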
@@ -330,6 +330,23 @@ OSStatus SecCertificateParseGeneralNames(const DERItem *generalNames, void *cont parseGeneralNameCallback callback); bool SecCertificateIsWeak(SecCertificateRef certificate); +bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate, + CFDictionaryRef keySizes); + +extern const CFStringRef kSecSignatureDigestAlgorithmUnknown; +extern const CFStringRef kSecSignatureDigestAlgorithmMD2; +extern const CFStringRef kSecSignatureDigestAlgorithmMD4; +extern const CFStringRef kSecSignatureDigestAlgorithmMD5; +extern const CFStringRef kSecSignatureDigestAlgorithmSHA1; +extern const CFStringRef kSecSignatureDigestAlgorithmSHA224; +extern const CFStringRef kSecSignatureDigestAlgorithmSHA256; +extern const CFStringRef kSecSignatureDigestAlgorithmSHA384; +extern const CFStringRef kSecSignatureDigestAlgorithmSHA512; + +CFDataRef SecCertificateCreateOidDataFromString(CFAllocatorRef allocator, CFStringRef string); +bool SecCertificateIsOidString(CFStringRef oid); + +DERItem *SecCertificateGetExtensionValue(SecCertificateRef certificate, CFTypeRef oid); __END_DECLS diff --git a/OSX/sec/Security/SecCertificatePath.c b/OSX/sec/Security/SecCertificatePath.c index f0066425..9b47506b 100644 --- a/OSX/sec/Security/SecCertificatePath.c +++ b/OSX/sec/Security/SecCertificatePath.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2010,2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2007-2010,2012-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -81,6 +81,10 @@ struct SecCertificatePath { FIXME get rid of this since it's a property of the evaluation, not a static feature of a certificate path? */ bool isAnchored; + + /* Usage constraints derived from trust settings. */ + CFMutableArrayRef usageConstraints; + SecCertificateRef certificates[]; }; 
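Review bot: The declarations added to SecCertificateInternal.h carry no comments, and two of them have contracts the names do not convey: `SecCertificateGetExtensionValue` returns a pointer into the certificate's parsed extensions that is valid only while the certificate is, and `SecCertificateIsAtLeastMinKeySize` takes a `keySizes` dictionary whose key and value types are not stated. A short comment on each, e.g. `/* Returns the extnValue of the extension with the given OID (CFData or decimal CFString), or NULL. Owned by the certificate; do not free. */` and `/* keySizes maps kSecAttrKeyType* keys to CFNumber minimum bit sizes. */`, would give callers what they need. The `kSecSignatureDigestAlgorithm*` externs could likewise note that they are CFString tags distinct from the `SecSignatureHashAlgorithm` enum.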
@@ -92,6 +96,7 @@ static void SecCertificatePathDestroy(CFTypeRef cf) { for (ix = 0; ix < certificatePath->count; ++ix) { CFRelease(certificatePath->certificates[ix]); } + CFRelease(certificatePath->usageConstraints); } static Boolean SecCertificatePathCompare(CFTypeRef cf1, CFTypeRef cf2) { @@ -104,6 +109,8 @@ static Boolean SecCertificatePathCompare(CFTypeRef cf1, CFTypeRef cf2) { if (!CFEqual(cp1->certificates[ix], cp2->certificates[ix])) return false; } + if (!CFEqual(cp1->usageConstraints, cp2->usageConstraints)) + return false; return true; } @@ -116,6 +123,7 @@ static CFHashCode SecCertificatePathHash(CFTypeRef cf) { for (ix = 0; ix < certificatePath->count; ++ix) { hashCode += CFHash(certificatePath->certificates[ix]); } + hashCode += CFHash(certificatePath->usageConstraints); return hashCode; } @@ -143,7 +151,7 @@ static CFStringRef SecCertificatePathCopyFormatDescription(CFTypeRef cf, CFDicti /* Create a new certificate path from an old one. */ SecCertificatePathRef SecCertificatePathCreate(SecCertificatePathRef path, - SecCertificateRef certificate) { + SecCertificateRef certificate, CFArrayRef usageConstraints) { CFAllocatorRef allocator = kCFAllocatorDefault; check(certificate); CFIndex count; 
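Review bot: `SecCertificatePathDestroy` now calls `CFRelease(certificatePath->usageConstraints)` unconditionally, but several constructors in this diff release a partly built instance: `SecCertificatePathCreate`, `SecCertificatePathCreateWithXPCArray`, `SecCertificatPathCreateDeserialized` and `SecCertificatePathCopyFromParent` all do `CFReleaseNull(result)` when `CFArrayCreateMutable` fails, before `usageConstraints` (and in the last three, `count`) has been assigned. On that path the finalizer passes NULL — or, unless `_CFRuntimeCreateInstance` zero-fills the extra bytes, garbage — to `CFRelease`. Use the NULL-tolerant wrapper the file already uses, `CFReleaseSafe(certificatePath->usageConstraints);`, and in those constructors assign `result->count = 0;` right after `_CFRuntimeCreateInstance` so the certificate loop in the finalizer is bounded as well.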
@@ -183,6 +191,22 @@ SecCertificatePathRef SecCertificatePathCreate(SecCertificatePathRef path, result->certificates[count - 1] = certificate; CFRetainSafe(certificate); + CFArrayRef emptyArray = NULL; + if (!usageConstraints) { + require_action_quiet(emptyArray = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks), exit, CFReleaseNull(result)); + usageConstraints = emptyArray; + } + CFMutableArrayRef constraints; + if (path) { + require_action_quiet(constraints = CFArrayCreateMutableCopy(kCFAllocatorDefault, count, path->usageConstraints), exit, CFReleaseNull(result)); + } else { + require_action_quiet(constraints = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks), exit, CFReleaseNull(result)); + } + CFArrayAppendValue(constraints, usageConstraints); + result->usageConstraints = constraints; + +exit: + CFReleaseSafe(emptyArray); return result; } @@ -195,6 +219,8 @@ SecCertificatePathRef SecCertificatePathCreateWithXPCArray(xpc_object_t xpc_path require_action_quiet(count = xpc_array_get_count(xpc_path), exit, SecError(errSecDecode, error, CFSTR("xpc_path array count == 0"))); size_t size = sizeof(struct SecCertificatePath) + count * sizeof(SecCertificateRef); require_action_quiet(result = (SecCertificatePathRef)_CFRuntimeCreateInstance(kCFAllocatorDefault, SecCertificatePathGetTypeID(), size - sizeof(CFRuntimeBase), 0), exit, SecError(errSecDecode, error, CFSTR("_CFRuntimeCreateInstance returned NULL"))); + CFMutableArrayRef constraints; + require_action_quiet(constraints = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks), exit, SecError(errSecAllocate, error, CFSTR("failed to create constraints")); CFReleaseNull(result)); result->count = count; result->nextParentSource = 0; 
@@ -202,11 +228,17 @@ SecCertificatePathRef SecCertificatePathCreateWithXPCArray(xpc_object_t xpc_path result->selfIssued = -1; result->isSelfSigned = false; result->isAnchored = false; + result->usageConstraints = constraints; + size_t ix; for (ix = 0; ix < count; ++ix) { SecCertificateRef certificate = SecCertificateCreateWithXPCArrayAtIndex(xpc_path, ix, error); if (certificate) { result->certificates[ix] = certificate; + CFArrayRef emptyArray; + require_action_quiet(emptyArray = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks), exit, SecError(errSecAllocate, error, CFSTR("failed to create emptyArray")); CFReleaseNull(result)); + CFArrayAppendValue(result->usageConstraints, emptyArray); + CFRelease(emptyArray); } else { result->count = ix; // total allocated CFReleaseNull(result); 
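Review bot: In the certificate loop of `SecCertificatePathCreateWithXPCArray`, the new `require_action_quiet(emptyArray = CFArrayCreate(...), exit, ...; CFReleaseNull(result))` fires after `result->count = count` has been set but while `certificates[ix+1 .. count-1]` are still unassigned, so the finalizer walks past the populated slots; the existing `else` branch avoids exactly this by setting `result->count = ix` first. Mirror it in the action: `SecError(errSecAllocate, error, CFSTR("failed to create emptyArray")); result->count = ix + 1; CFReleaseNull(result)`. The copy of this loop in `SecCertificatPathCreateDeserialized` (next hunk) has the same gap. Creating the empty array once before the loop and appending it `count` times would also remove an allocation per certificate.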
@@ -218,6 +250,49 @@ exit: return result; } +SecCertificatePathRef SecCertificatPathCreateDeserialized(CFArrayRef certificates, CFErrorRef *error) { + SecCertificatePathRef result = NULL; + require_action_quiet(isArray(certificates), exit, + SecError(errSecParam, error, CFSTR("certificates is not an array"))); + size_t count = 0; + require_action_quiet(count = CFArrayGetCount(certificates), exit, + SecError(errSecDecode, error, CFSTR("certificates array count == 0"))); + size_t size = sizeof(struct SecCertificatePath) + count * sizeof(SecCertificateRef); + require_action_quiet(result = (SecCertificatePathRef)_CFRuntimeCreateInstance(kCFAllocatorDefault, SecCertificatePathGetTypeID(), size - sizeof(CFRuntimeBase), 0), exit, + SecError(errSecDecode, error, CFSTR("_CFRuntimeCreateInstance returned NULL"))); + CFMutableArrayRef constraints; + require_action_quiet(constraints = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks), exit, + SecError(errSecAllocate, error, CFSTR("failed to create constraints")); CFReleaseNull(result)); + + result->count = count; + result->nextParentSource = 0; + result->lastVerifiedSigner = count; + result->selfIssued = -1; + result->isSelfSigned = false; + result->isAnchored = false; + result->usageConstraints = constraints; + + size_t ix; + for (ix = 0; ix < count; ++ix) { + SecCertificateRef certificate = SecCertificateCreateWithData(NULL, CFArrayGetValueAtIndex(certificates, ix)); + if (certificate) { + result->certificates[ix] = certificate; + CFArrayRef emptyArray; + require_action_quiet(emptyArray = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks), exit, + SecError(errSecAllocate, error, CFSTR("failed to create emptyArray")); CFReleaseNull(result)); + CFArrayAppendValue(result->usageConstraints, emptyArray); + CFRelease(emptyArray); + } else { + result->count = ix; // total allocated + CFReleaseNull(result); + break; + } + } + +exit: + return result; +} + SecCertificatePathRef 
SecCertificatePathCopyFromParent( SecCertificatePathRef path, CFIndex skipCount) { CFAllocatorRef allocator = kCFAllocatorDefault; @@ -244,18 +319,25 @@ SecCertificatePathRef SecCertificatePathCopyFromParent( if (!result) return NULL; + CFMutableArrayRef constraints; + require_action_quiet(constraints = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks), exit, CFReleaseNull(result)); + result->count = count; result->nextParentSource = 0; result->lastVerifiedSigner = lastVerifiedSigner; result->selfIssued = selfIssued; result->isSelfSigned = isSelfSigned; result->isAnchored = path->isAnchored; + result->usageConstraints = constraints; CFIndex ix; for (ix = 0; ix < count; ++ix) { - result->certificates[ix] = path->certificates[ix + skipCount]; + CFIndex pathIX = ix + skipCount; + result->certificates[ix] = path->certificates[pathIX]; CFRetain(result->certificates[ix]); + CFArrayAppendValue(result->usageConstraints, CFArrayGetValueAtIndex(path->usageConstraints, pathIX)); } +exit: return result; } @@ -288,12 +370,16 @@ SecCertificatePathRef SecCertificatePathCopyAddingLeaf(SecCertificatePathRef pat if (!result) return NULL; + CFMutableArrayRef constraints; + require_action_quiet(constraints = CFArrayCreateMutableCopy(kCFAllocatorDefault, count, path->usageConstraints), exit, CFReleaseNull(result)); + result->count = count; result->nextParentSource = 0; result->lastVerifiedSigner = lastVerifiedSigner; result->selfIssued = selfIssued; result->isSelfSigned = isSelfSigned; result->isAnchored = path->isAnchored; + result->usageConstraints = constraints; CFIndex ix; for (ix = 1; ix < count; ++ix) { result->certificates[ix] = path->certificates[ix - 1]; 
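Review bot: `SecCertificatPathCreateDeserialized` is missing the `e` in `Certificate`, unlike every other symbol in the file; as a new exported name it will be costly to correct once callers exist, so rename it now to `SecCertificatePathCreateDeserialized`. The elements of `certificates` go straight to `SecCertificateCreateWithData` after only `isArray(certificates)` is checked; since this constructor exists to rebuild a path from serialized data, an element that is not CFData should fail with `errSecParam` (an `isData`-style predicate from the same family as `isArray`, if the utilities provide one, or a `CFGetTypeID` comparison) rather than being passed through. The constraints-before-count ordering on the failure path is the same as in the XPC constructor.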
@@ -302,6 +388,12 @@ SecCertificatePathRef SecCertificatePathCopyAddingLeaf(SecCertificatePathRef pat result->certificates[0] = leaf; CFRetain(leaf); + CFArrayRef emptyArray; + require_action_quiet(emptyArray = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks), exit, CFReleaseNull(result)); + CFArrayInsertValueAtIndex(result->usageConstraints, 0, emptyArray); + CFRelease(emptyArray); + +exit: return result; } @@ -322,6 +414,40 @@ exit: return xpc_chain; } +/* Create an array of SecCertificateRefs from a certificate path. */ +CFArrayRef SecCertificatePathCopyCertificates(SecCertificatePathRef path, CFErrorRef *error) { + CFMutableArrayRef outCerts = NULL; + size_t ix, count = path->count; + require_action_quiet(outCerts = CFArrayCreateMutable(NULL, count, &kCFTypeArrayCallBacks), exit, + SecError(errSecParam, error, CFSTR("CFArray failed to create"))); + for (ix = 0; ix < count; ++ix) { + SecCertificateRef cert = SecCertificatePathGetCertificateAtIndex(path, ix); + if (cert) { + CFArrayAppendValue(outCerts, cert); + } + } +exit: + return outCerts; +} + +CFArrayRef SecCertificatePathCreateSerialized(SecCertificatePathRef path, CFErrorRef *error) { + CFMutableArrayRef serializedCerts = NULL; + require_quiet(path, exit); + size_t ix, count = path->count; + require_action_quiet(serializedCerts = CFArrayCreateMutable(NULL, count, &kCFTypeArrayCallBacks), exit, + SecError(errSecParam, error, CFSTR("CFArray failed to create"))); + for (ix = 0; ix < count; ++ix) { + SecCertificateRef cert = SecCertificatePathGetCertificateAtIndex(path, ix); + CFDataRef certData = SecCertificateCopyData(cert); + if (certData) { + CFArrayAppendValue(serializedCerts, certData); + CFRelease(certData); + } + } +exit: + return serializedCerts; +} + /* Record the fact that we found our own root cert as our parent certificate. */ void SecCertificatePathSetSelfIssued( 
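Review bot: `SecCertificatePathCopyCertificates` reads `path->count` with no NULL check, while its sibling `SecCertificatePathCreateSerialized` in the same hunk begins with `require_quiet(path, exit)`; the two should agree, and the simple fix is `require_quiet(path, exit);` before `size_t ix, count = path->count;`. Both report a failed `CFArrayCreateMutable` as `errSecParam` with `CFSTR("CFArray failed to create")`, whereas the rest of this diff uses `errSecAllocate` for the same condition, which tells the caller what actually happened. A header comment on `SecCertificatePathCreateSerialized` saying it returns a +1 array of DER `CFData` values, the inverse of the deserializing constructor, would help.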
@@ -333,12 +459,41 @@ void SecCertificatePathSetSelfIssued( } secdebug("trust", "%@ is self issued", certificatePath); certificatePath->selfIssued = certificatePath->count - 1; + + /* now check that the selfIssued cert was actually self-signed */ + if (certificatePath->selfIssued >= 0 && !certificatePath->isSelfSigned) { + SecCertificateRef cert = certificatePath->certificates[certificatePath->selfIssued]; + Boolean isSelfSigned = false; + OSStatus status = SecCertificateIsSelfSigned(cert, &isSelfSigned); + if ((status == errSecSuccess) && isSelfSigned) { + certificatePath->isSelfSigned = true; + } else { + certificatePath->selfIssued = -1; + } + } } void SecCertificatePathSetIsAnchored( SecCertificatePathRef certificatePath) { secdebug("trust", "%@ is anchored", certificatePath); certificatePath->isAnchored = true; + + /* Now check if that anchor (last cert) was actually self-signed. + * In the non-anchor case, this is handled by SecCertificatePathSetSelfIssued. + * Because anchored chains immediately go into the candidate bucket in the trust + * server, we need to ensure that the self-signed/self-issued members are set + * for the purposes of scoring. */ + if (!certificatePath->isSelfSigned && certificatePath->count > 0) { + SecCertificateRef cert = certificatePath->certificates[certificatePath->count - 1]; + Boolean isSelfSigned = false; + OSStatus status = SecCertificateIsSelfSigned(cert, &isSelfSigned); + if ((status == errSecSuccess) && isSelfSigned) { + certificatePath->isSelfSigned = true; + if (certificatePath->selfIssued == -1) { + certificatePath->selfIssued = certificatePath->count - 1; + } + } + } } /* Return the index of the first non anchor certificate in the chain that is 
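Review bot: `SecCertificatePathSetSelfIssued` and `SecCertificatePathSetIsAnchored` now both embed the same `SecCertificateIsSelfSigned` call on one certificate plus the same `isSelfSigned`/`selfIssued` bookkeeping; a small `static bool` helper taking the certificate would keep the two in step as the logic evolves. In `SecCertificatePathSetSelfIssued` the `secdebug("trust", "%@ is self issued", certificatePath);` line fires before the check that may immediately reset `selfIssued` to -1, so the trace can claim self-issuance for a path that is then rejected; move the message after the check or log the rejection as well.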
@@ -408,39 +563,16 @@ SecKeyRef SecCertificatePathCopyPublicKeyAtIndex( SecCertificatePathRef certificatePath, CFIndex ix) { SecCertificateRef certificate = SecCertificatePathGetCertificateAtIndex(certificatePath, ix); - const DERAlgorithmId *algId = - SecCertificateGetPublicKeyAlgorithm(certificate); - const DERItem *params = NULL; - if (algId->params.length != 0) { - params = &algId->params; - } else { - CFIndex count = certificatePath->count; - for (++ix; ix < count; ++ix) { - certificate = certificatePath->certificates[ix]; - const DERAlgorithmId *chain_algId = - SecCertificateGetPublicKeyAlgorithm(certificate); - if (!DEROidCompare(&algId->oid, &chain_algId->oid)) { - /* Algorithm oids differ, params stay NULL. */ - break; - } - if (chain_algId->params.length != 0) { - params = &chain_algId->params; - break; - } - } - } - const DERItem *keyData = SecCertificateGetPublicKeyData(certificate); - SecAsn1Oid oid1 = { .Data = algId->oid.data, .Length = algId->oid.length }; - SecAsn1Item params1 = { - .Data = params ? params->data : NULL, - .Length = params ? params->length : 0 - }; - SecAsn1Item keyData1 = { - .Data = keyData ? keyData->data : NULL, - .Length = keyData ? keyData->length : 0 - }; - return SecKeyCreatePublicFromDER(kCFAllocatorDefault, &oid1, ¶ms1, - &keyData1); +#if SECTRUST_OSX + return SecCertificateCopyPublicKey_ios(certificate); +#else + return SecCertificateCopyPublicKey(certificate); +#endif +} + +CFArrayRef SecCertificatePathGetUsageConstraintsAtIndex( + SecCertificatePathRef certificatePath, CFIndex ix) { + return (CFArrayRef)CFArrayGetValueAtIndex(certificatePath->usageConstraints, ix); } SecPathVerifyStatus SecCertificatePathVerify( 
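Review bot: The replacement body of `SecCertificatePathCopyPublicKeyAtIndex` drops the loop that walked up the chain to inherit algorithm parameters when a certificate's SPKI omitted them, and nothing records that this is intentional; a one-line comment such as `/* Parameters are intentionally no longer inherited from the issuer's SPKI. */` would stop a future reader from re-adding it. `SecCertificatePathGetUsageConstraintsAtIndex` passes the caller's `ix` to `CFArrayGetValueAtIndex` with no range check, which traps on an out-of-range index; either document that `ix < count` is a precondition (as the sibling `SecCertificatePathGetCertificateAtIndex` presumably does) or guard it.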
@@ -465,69 +597,110 @@ SecPathVerifyStatus SecCertificatePathVerify( } } - if (certificatePath->selfIssued >= 0 && !certificatePath->isSelfSigned) { - SecKeyRef issuerKey = - SecCertificatePathCopyPublicKeyAtIndex(certificatePath, - certificatePath->selfIssued); - if (!issuerKey) { - certificatePath->selfIssued = -1; - } else { - OSStatus status = SecCertificateIsSignedBy( - certificatePath->certificates[certificatePath->selfIssued], - issuerKey); - CFRelease(issuerKey); - if (!status) { - certificatePath->isSelfSigned = true; - } else { - certificatePath->selfIssued = -1; - } - } - } - return kSecPathVerifySuccess; } +static bool SecCertificatePathIsValid(SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime) { + CFIndex ix; + for (ix = 0; ix < certificatePath->count; ++ix) { + if (!SecCertificateIsValid(certificatePath->certificates[ix], + verifyTime)) + return false; + } + return true; +} + +bool SecCertificatePathHasWeakHash(SecCertificatePathRef certificatePath) { + CFIndex ix, count = certificatePath->count; + + if (SecCertificatePathIsAnchored(certificatePath)) { + /* For anchored paths, don't check the hash algorithm of the anchored cert, + * since we already decided to trust it. */ + count--; + } + for (ix = 0; ix < count; ++ix) { + SecSignatureHashAlgorithm certAlg = 0; + certAlg = SecCertificateGetSignatureHashAlgorithm(certificatePath->certificates[ix]); + if (certAlg == kSecSignatureHashAlgorithmUnknown || + certAlg == kSecSignatureHashAlgorithmMD2 || + certAlg == kSecSignatureHashAlgorithmMD4 || + certAlg == kSecSignatureHashAlgorithmMD5 || + certAlg == kSecSignatureHashAlgorithmSHA1) { + return true; + } + } + return false; +} + +static bool SecCertificatePathHasWeakKeySize(SecCertificatePathRef certificatePath) { + CFDictionaryRef keySizes = NULL; + CFNumberRef rsaSize = NULL, ecSize = NULL; + bool result = true; + + /* RSA key sizes are 2048-bit or larger. EC key sizes are P-224 or larger. 
*/ + require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut); + require(ecSize = CFNumberCreateWithCFIndex(NULL, 224), errOut); + const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC }; + const void *values[] = { rsaSize, ecSize }; + require(keySizes = CFDictionaryCreate(NULL, keys, values, 2, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); + + CFIndex ix; + for (ix = 0; ix < certificatePath->count; ++ix) { + if (!SecCertificateIsAtLeastMinKeySize(certificatePath->certificates[ix], + keySizes)) { + result = true; + goto errOut; + } + } + result = false; + +errOut: + CFReleaseSafe(keySizes); + CFReleaseSafe(rsaSize); + CFReleaseSafe(ecSize); + return result; +} + /* Return a score for this certificate chain. */ CFIndex SecCertificatePathScore( SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime) { CFIndex score = 0; + + /* Paths that don't verify score terribly.c */ + if (certificatePath->lastVerifiedSigner != certificatePath->count - 1) { + secdebug("trust", "lvs: %" PRIdCFIndex " count: %" PRIdCFIndex, + certificatePath->lastVerifiedSigner, certificatePath->count); + score -= 100000; + } + if (certificatePath->isAnchored) { /* Anchored paths for the win! */ score += 10000; } - /* Score points for each certificate in the chain. */ - score += 10 * certificatePath->count; - - if (certificatePath->isSelfSigned) { - /* If there is a self signed certificate at the end ofthe chain we - count it as an extra certificate. If there is one in the middle - of the chain we count it for half. */ - if (certificatePath->selfIssued == certificatePath->count - 1) - score += 10; - else - score += 5; - } + if (certificatePath->isSelfSigned && (certificatePath->selfIssued == certificatePath->count - 1)) { + /* Chains that terminate in a self-signed certificate are preferred, + even if they don't end in an anchor. */ + score += 1000; + /* Shorter chains ending in a self-signed cert are preferred. 
*/ + score -= 1 * certificatePath->count; + } else { + /* Longer chains are preferred when the chain doesn't end in a self-signed cert. */ + score += 1 * certificatePath->count; + } - /* Paths that don't verify score terribly. */ - if (certificatePath->lastVerifiedSigner != certificatePath->count - 1) { - secdebug("trust", "lvs: %" PRIdCFIndex " count: %" PRIdCFIndex, - certificatePath->lastVerifiedSigner, certificatePath->count); - score -= 100000; - } + if (SecCertificatePathIsValid(certificatePath, verifyTime)) { + score += 100; + } - /* Subtract 1 point for each not valid certificate, make sure we - subtract less than the amount we add per certificate, since - regardless of temporal validity we still prefer longer chains - to shorter ones. This distinction is just to ensure that when - everything else is equal we prefer the chain with the most - certificates that are valid at the given verifyTime. */ - CFIndex ix; - for (ix = 0; ix < certificatePath->count - 1; ++ix) { - if (!SecCertificateIsValid(certificatePath->certificates[ix], - verifyTime)) - score -= 1; - } + if (!SecCertificatePathHasWeakHash(certificatePath)) { + score += 10; + } + + if (!SecCertificatePathHasWeakKeySize(certificatePath)) { + score += 10; + } return score; } diff --git a/OSX/sec/Security/SecCertificatePath.h b/OSX/sec/Security/SecCertificatePath.h index ed157bdd..b87932b5 100644 --- a/OSX/sec/Security/SecCertificatePath.h +++ b/OSX/sec/Security/SecCertificatePath.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2009,2012-2013 Apple Inc. All Rights Reserved. + * Copyright (c) 2007-2009,2012-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
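Review bot: SecCertificatePathHasWeakHash excludes the anchor of an anchored path ("we already decided to trust it") but SecCertificatePathHasWeakKeySize checks every certificate including the anchor, so an anchored chain whose trusted root has a small key loses the 10-point bonus while the same root's weak signature hash is forgiven; the two helpers should agree, e.g. apply the same `if (SecCertificatePathIsAnchored(certificatePath)) count--;` before the key-size loop and iterate to count. In SecCertificatePathScore the comment `/* Paths that don't verify score terribly.c */` has a stray `c`. SecCertificatePathIsValid now includes the last certificate where the removed loop stopped at count - 1, and HasWeakKeySize reports an allocation failure as a weak key; both look deliberate but deserve a one-line comment each. SecCertificatePathVerify begins before the hunk.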
@@ -45,14 +45,23 @@ CFTypeID SecCertificatePathGetTypeID(void); /* Create a new certificate path from an old one. */ SecCertificatePathRef SecCertificatePathCreate(SecCertificatePathRef path, - SecCertificateRef certificate); + SecCertificateRef certificate, CFArrayRef usageConstraints); /* Create a new certificate path from an xpc_array of datas. */ SecCertificatePathRef SecCertificatePathCreateWithXPCArray(xpc_object_t xpc_path, CFErrorRef *error); +/* Create a new certificate path from a CFArray of datas. */ +SecCertificatePathRef SecCertificatPathCreateDeserialized(CFArrayRef certificates, CFErrorRef *error); + /* Create an array of CFDataRefs from a certificate path. */ xpc_object_t SecCertificatePathCopyXPCArray(SecCertificatePathRef path, CFErrorRef *error); +/* Create an array of SecCertificateRefs from a certificate path. */ +CFArrayRef SecCertificatePathCopyCertificates(SecCertificatePathRef path, CFErrorRef *error); + +/* Create a serialized Certificate Array from a certificate path. */ +CFArrayRef SecCertificatePathCreateSerialized(SecCertificatePathRef path, CFErrorRef *error); + SecCertificatePathRef SecCertificatePathCopyAddingLeaf(SecCertificatePathRef path, SecCertificateRef leaf); @@ -98,6 +107,9 @@ CFIndex SecCertificatePathGetIndexOfCertificate(SecCertificatePathRef path, SecCertificateRef SecCertificatePathGetRoot( SecCertificatePathRef certificatePath); +CFArrayRef SecCertificatePathGetUsageConstraintsAtIndex( + SecCertificatePathRef certificatePath, CFIndex ix); + SecKeyRef SecCertificatePathCopyPublicKeyAtIndex( SecCertificatePathRef certificatePath, CFIndex ix); @@ -111,6 +123,8 @@ enum { SecPathVerifyStatus SecCertificatePathVerify( SecCertificatePathRef certificatePath); +bool SecCertificatePathHasWeakHash(SecCertificatePathRef certificatePath); + CFIndex SecCertificatePathScore(SecCertificatePathRef certificatePath, CFAbsoluteTime verifyTime); 
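Review bot: The new declaration `SecCertificatPathCreateDeserialized` is missing the `e` in `Certificate`, unlike every sibling on this page (SecCertificatePathCreateWithXPCArray, SecCertificatePathCreateSerialized); if the definition carries the same typo, renaming both to `SecCertificatePathCreateDeserialized` before the symbol ships in a library is far cheaper than afterwards. The new Copy/Create declarations could also state ownership in their comments — the prefixes imply a retained result the caller must release — and say what `error` holds on a NULL return. The same applies to SecCertificatePathGetUsageConstraintsAtIndex in the `-98,6` hunk, which has no comment at all, and to the exported SecCertificatePathHasWeakHash in `-111,6`, whose anchor-exclusion rule is only documented inside the .c file.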
diff --git a/OSX/sec/Security/SecCertificatePriv.h b/OSX/sec/Security/SecCertificatePriv.h index 98e1ec05..16d4cb85 100644 --- a/OSX/sec/Security/SecCertificatePriv.h +++ b/OSX/sec/Security/SecCertificatePriv.h @@ -46,8 +46,7 @@ __BEGIN_DECLS -typedef uint32_t SecKeyUsage; -enum { +typedef CF_OPTIONS(uint32_t, SecKeyUsage) { kSecKeyUsageUnspecified = 0, kSecKeyUsageDigitalSignature = 1 << 0, kSecKeyUsageNonRepudiation = 1 << 1, @@ -63,12 +62,15 @@ enum { kSecKeyUsageAll = 0x7FFFFFFF }; -typedef uint32_t SecCertificateEscrowRootType; -enum { +typedef CF_ENUM(uint32_t, SecCertificateEscrowRootType) { kSecCertificateBaselineEscrowRoot = 0, kSecCertificateProductionEscrowRoot = 1, kSecCertificateBaselinePCSEscrowRoot = 2, kSecCertificateProductionPCSEscrowRoot = 3, + kSecCertificateBaselineEscrowBackupRoot = 4, // v100 and v101 + kSecCertificateProductionEscrowBackupRoot = 5, + kSecCertificateBaselineEscrowEnrollmentRoot = 6, // v101 only + kSecCertificateProductionEscrowEnrollmentRoot = 7, }; /* The names of the files that contain the escrow certificates */ @@ -98,13 +100,20 @@ CFDataRef SecCertificateCopyIssuerSHA1Digest(SecCertificateRef certificate); CFDataRef SecCertificateCopyPublicKeySHA1Digest(SecCertificateRef certificate); +CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA1Digest(SecCertificateRef certificate); + CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA256Digest(SecCertificateRef certificate); CFDataRef SecCertificateCopySHA256Digest(SecCertificateRef certificate); +SecKeyRef SecCertificateCopyPublicKey(SecCertificateRef certificate); + SecCertificateRef SecCertificateCreateWithKeychainItem(CFAllocatorRef allocator, CFDataRef der_certificate, CFTypeRef keychainItem); +OSStatus SecCertificateSetKeychainItem(SecCertificateRef certificate, + CFTypeRef keychain_item); + CFTypeRef SecCertificateCopyKeychainItem(SecCertificateRef certificate); /*! 
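Review bot: The three new declarations in the `-98,13` hunk — SecCertificateCopySubjectPublicKeyInfoSHA1Digest, SecCertificateCopyPublicKey and SecCertificateSetKeychainItem — have no comment, while the neighbouring declarations do; a one-liner per declaration stating that the Copy functions return a retained object and what SetKeychainItem does with a NULL keychain_item would spare callers a trip into the implementation. In the `-63,12` hunk the new escrow root constants carry notes (`// v100 and v101`, `// v101 only`) that only the escrow team can decode; spell out what v100/v101 refer to, or point at where the mapping is defined.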
@@ -190,6 +199,10 @@ OSStatus SecCertificateIsSelfSigned(SecCertificateRef certRef, Boolean *isSelfSi extension indicating that it's a certificate authority. */ bool SecCertificateIsSelfSignedCA(SecCertificateRef certificate); +/* Return true if certificate has a basic constraints extension + indicating that it's a certificate authority. */ +bool SecCertificateIsCA(SecCertificateRef certificate); + SecKeyUsage SecCertificateGetKeyUsage(SecCertificateRef certificate); /* Returns an array of CFDataRefs for all extended key usage oids or NULL */ @@ -220,11 +233,13 @@ CFArrayRef SecCertificateXPCArrayCopyArray(xpc_object_t xpc_certificates, CFErro /* Return the precert TBSCertificate DER data - used for Certificate Transparency */ CFDataRef SecCertificateCopyPrecertTBS(SecCertificateRef certificate); +/* Return an attribute dictionary used to store this item in a keychain. */ +CFDictionaryRef SecCertificateCopyAttributeDictionary(SecCertificateRef certificate); + /* * Enumerated constants for signature hash algorithms. */ -typedef uint32_t SecSignatureHashAlgorithm; -enum { +typedef CF_ENUM(uint32_t, SecSignatureHashAlgorithm){ kSecSignatureHashAlgorithmUnknown = 0, kSecSignatureHashAlgorithmMD2 = 1, kSecSignatureHashAlgorithmMD4 = 2, 
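Review bot: Style: `typedef CF_ENUM(uint32_t, SecSignatureHashAlgorithm){` in the `-220,11` hunk has no space before the brace, unlike the SecKeyUsage and SecCertificateEscrowRootType typedefs converted in the same commit; `typedef CF_ENUM(uint32_t, SecSignatureHashAlgorithm) {` keeps them consistent. The new SecCertificateIsCA comment could state in one clause how it differs from SecCertificateIsSelfSignedCA directly above it (CA constraint only, no self-signature requirement), since the two names are easy to confuse at a call site.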
@@ -248,6 +263,22 @@ enum { SecSignatureHashAlgorithm SecCertificateGetSignatureHashAlgorithm(SecCertificateRef certificate) __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); +/* Return the auth capabilities bitmask from the iAP marker extension */ +CF_RETURNS_RETAINED CFDataRef SecCertificateCopyiAPAuthCapabilities(SecCertificateRef certificate) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); + +typedef CF_ENUM(uint32_t, SeciAuthVersion) { + kSeciAuthInvalid = 0, + kSeciAuthVersion1 = 1, /* unused */ + kSeciAuthVersion2 = 2, + kSeciAuthVersion3 = 3, +} __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); + +/* Return the iAuth version indicated by the certificate. This function does + * not guarantee that the certificate is valid, so the caller must still call + * SecTrustEvaluate to guarantee that the certificate was properly issued */ +SeciAuthVersion SecCertificateGetiAuthVersion(SecCertificateRef certificate) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); __END_DECLS diff --git a/OSX/sec/Security/SecCertificateRequest.c b/OSX/sec/Security/SecCertificateRequest.c index 33be0f0a..9f598a15 100644 --- a/OSX/sec/Security/SecCertificateRequest.c +++ b/OSX/sec/Security/SecCertificateRequest.c @@ -1196,7 +1196,7 @@ SecGenerateCertificateRequestSubject(SecCertificateRef ca_certificate, CFArrayRe sequence = CFDataCreateMutable(kCFAllocatorDefault, 0); CFDataSetLength(sequence, seq_len_length); uint8_t *sequence_ptr = CFDataGetMutableBytePtr(sequence); - *sequence_ptr++ = 0x30; //ASN1_CONSTR_SEQUENCE; + *sequence_ptr++ = 0x30; //ONE_BYTE_ASN1_CONSTR_SEQUENCE; require_noerr_quiet(DEREncodeLength(subject_item.Length + issuer_item.Length, sequence_ptr, &sequence_length), out); sequence_ptr += sequence_length; memcpy(sequence_ptr, issuer_item.Data, issuer_item.Length); diff --git a/OSX/sec/Security/SecDH.c b/OSX/sec/Security/SecDH.c index 5da3f7af..2ff80628 100644 --- a/OSX/sec/Security/SecDH.c +++ b/OSX/sec/Security/SecDH.c 
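Review bot: The comment on SecCertificateCopyiAPAuthCapabilities says what the data represents but not what is returned when the certificate has no iAP marker extension or the extension cannot be parsed — presumably NULL, but the implementation is not in this hunk and a caller that treats an empty CFData and NULL differently needs it stated. Suggest `/* Return the auth capabilities bitmask from the iAP marker extension, or NULL if the extension is absent or malformed. */` once that is confirmed. The SecCertificateGetiAuthVersion comment is the right model: it already says the result is not a validity judgement.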
@@ -45,15 +45,16 @@ static inline ccdh_gp_t SecDH_gp(SecDHContext dh) { - void *p = dh; - ccdh_gp_t gp = { .gp = p }; + ccdh_gp_t gp; + gp.gp = (ccdh_gp *)dh; return gp; } static inline ccdh_full_ctx_t SecDH_priv(SecDHContext dh) { void *p = dh; - cczp_t zp = { .u = p }; + cczp_t zp; + zp.zp = (struct cczp *) dh; cc_size s = ccn_sizeof_n(cczp_n(zp)); ccdh_full_ctx_t priv = { .hdr = (struct ccdh_ctx_header *)(p+ccdh_gp_size(s)) }; return priv; @@ -114,7 +115,7 @@ OSStatus SecDHCreate(uint32_t g, const uint8_t *p, size_t p_len, if(recip) { if(ccn_read_uint(n+1, CCDH_GP_RECIP(gp), recip_len, recip)) goto errOut; - gp.zp.zp->mod_prime = cczp_mod; + CCZP_MOD_PRIME(gp.zp) = cczp_mod; } else { cczp_init(gp.zp); }; @@ -170,10 +171,17 @@ sizeof(DER_DHParamsItemSpecs) / sizeof(DERItemSpec); OSStatus SecDHCreateFromParameters(const uint8_t *params, size_t params_len, SecDHContext *pdh) { + // We support DomainParameters as specified in PKCS#3 + // (http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-3-diffie-hellman-key-agreement-standar.htm) + // DHParameter ::= SEQUENCE { + // prime INTEGER, -- p + // base INTEGER, -- g + // privateValueLength INTEGER OPTIONAL } + DERReturn drtn; DERItem paramItem = {(DERByte *)params, params_len}; DER_DHParams decodedParams; - uint32_t l; + uint32_t l = 0; drtn = DERParseSequence(¶mItem, DER_NumDHParamsItemSpecs, DER_DHParamsItemSpecs, @@ -181,9 +189,11 @@ OSStatus SecDHCreateFromParameters(const uint8_t *params, if(drtn) return drtn; - drtn = DERParseInteger(&decodedParams.l, &l); - if(drtn) - return drtn; + if (decodedParams.l.length > 0) { + drtn = DERParseInteger(&decodedParams.l, &l); + if(drtn) + return drtn; + } cc_size n = ccn_nof_size(decodedParams.p.length); cc_size p_len = ccn_sizeof_n(n); size_t context_size = ccdh_gp_size(p_len)+ccdh_full_ctx_size(p_len); 
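Review bot: In the `-181,9` hunk `decodedParams.p.length` flows straight from the DER-parsed, caller-supplied parameters into `ccn_nof_size` and then into the context size, with no upper bound on the prime length visible here; if no cap exists past the hunk, an oversized prime in a peer-supplied DHParameter drives an arbitrarily large allocation, so a check such as `if (decodedParams.p.length > kMaxDHPrimeBytes) return errSecParam;` (constant to be defined) before the size computation is the cheapest defence. The now-optional privateValueLength `l` is parsed but not compared with the prime's bit length here; if it is used as a private exponent size downstream it should be bounded by p. The PKCS#3 comment added in `-170,10` omits the `recip` member that the `-204,7` hunk on the next line reads from decodedParams, so it understates what DER_DHParamsItemSpecs decodes. SecDHCreateFromParameters continues past the hunk.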
@@ -204,7 +214,7 @@ OSStatus SecDHCreateFromParameters(const uint8_t *params, if(decodedParams.recip.length) { if(ccn_read_uint(n+1, CCDH_GP_RECIP(gp), decodedParams.recip.length, decodedParams.recip.data)) goto errOut; - gp.zp.zp->mod_prime = cczp_mod; + CCZP_MOD_PRIME(gp.zp) = cczp_mod; } else { cczp_init(gp.zp); }; diff --git a/OSX/sec/Security/SecDigest.c b/OSX/sec/Security/SecDigest.c new file mode 100644 index 00000000..48740f53 --- /dev/null +++ b/OSX/sec/Security/SecDigest.c 
@@ -0,0 +1,100 @@ +/* + * Copyright (c) 2006-2010,2012-2015 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifdef STANDALONE +/* Allows us to build genanchors against the BaseSDK. */ +#undef __ENVIRONMENT_IPHONE_OS_VERSION_MIN_REQUIRED__ +#undef __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ +#endif + +#include "SecFramework.h" +#include <dispatch/dispatch.h> +#include <CommonCrypto/CommonDigest.h> +#include <CommonCrypto/CommonDigestSPI.h> +#include <Security/SecAsn1Coder.h> +#include <Security/oidsalg.h> +#include <utilities/SecCFWrappers.h> +#include <Security/SecBase.h> +#include <inttypes.h> + +/* Return the SHA1 digest of a chunk of data as newly allocated CFDataRef. 
*/ +CFDataRef SecSHA1DigestCreate(CFAllocatorRef allocator, + const UInt8 *data, CFIndex length) { + CFMutableDataRef digest = CFDataCreateMutable(allocator, + CC_SHA1_DIGEST_LENGTH); + CFDataSetLength(digest, CC_SHA1_DIGEST_LENGTH); + CCDigest(kCCDigestSHA1, data, length, CFDataGetMutableBytePtr(digest)); + return digest; +} + +CFDataRef SecSHA256DigestCreate(CFAllocatorRef allocator, + const UInt8 *data, CFIndex length) { + CFMutableDataRef digest = CFDataCreateMutable(allocator, + CC_SHA256_DIGEST_LENGTH); + CFDataSetLength(digest, CC_SHA256_DIGEST_LENGTH); + CCDigest(kCCDigestSHA256, data, length, CFDataGetMutableBytePtr(digest)); + return digest; +} + +CFDataRef SecSHA256DigestCreateFromData(CFAllocatorRef allocator, CFDataRef data) { + CFMutableDataRef digest = CFDataCreateMutable(allocator, + CC_SHA256_DIGEST_LENGTH); + CFDataSetLength(digest, CC_SHA256_DIGEST_LENGTH); + CCDigest(kCCDigestSHA256, CFDataGetBytePtr(data), CFDataGetLength(data), CFDataGetMutableBytePtr(digest)); + return digest; +} + +CFDataRef SecDigestCreate(CFAllocatorRef allocator, + const SecAsn1Oid *algorithm, const SecAsn1Item *params, + const UInt8 *data, CFIndex length) { + unsigned char *(*digestFcn)(const void *data, CC_LONG len, unsigned char *md); + CFIndex digestLen; + + if (length > INT32_MAX) + return NULL; + + if (SecAsn1OidCompare(algorithm, &CSSMOID_SHA1)) { + digestFcn = CC_SHA1; + digestLen = CC_SHA1_DIGEST_LENGTH; + } else if (SecAsn1OidCompare(algorithm, &CSSMOID_SHA224)) { + digestFcn = CC_SHA224; + digestLen = CC_SHA224_DIGEST_LENGTH; + } else if (SecAsn1OidCompare(algorithm, &CSSMOID_SHA256)) { + digestFcn = CC_SHA256; + digestLen = CC_SHA256_DIGEST_LENGTH; + } else if (SecAsn1OidCompare(algorithm, &CSSMOID_SHA384)) { + digestFcn = CC_SHA384; + digestLen = CC_SHA384_DIGEST_LENGTH; + } else if (SecAsn1OidCompare(algorithm, &CSSMOID_SHA512)) { + digestFcn = CC_SHA512; + digestLen = CC_SHA512_DIGEST_LENGTH; + } else { + return NULL; + } + + CFMutableDataRef digest = 
CFDataCreateMutable(allocator, digestLen); + CFDataSetLength(digest, digestLen); + + digestFcn(data, (CC_LONG)length, CFDataGetMutableBytePtr(digest)); + return digest; +} diff --git a/OSX/sec/Security/SecECKey.c b/OSX/sec/Security/SecECKey.c index 5b9de329..118e87af 100644 --- a/OSX/sec/Security/SecECKey.c +++ b/OSX/sec/Security/SecECKey.c @@ -45,6 +45,7 @@ #include <Security/SecInternal.h> #include <utilities/SecCFError.h> #include <utilities/SecCFWrappers.h> +#include <utilities/array_size.h> #include <corecrypto/ccec.h> #include <corecrypto/ccsha1.h> #include <corecrypto/ccsha2.h> @@ -99,9 +100,9 @@ static ccoid_t ccoid_secp224r1 = CC_EC_OID_SECP224R1; static ccoid_t ccoid_secp384r1 = CC_EC_OID_SECP384R1; static ccoid_t ccoid_secp521r1 = CC_EC_OID_SECP521R1; -static ccec_const_cp_t ccec_cp_for_oid(ccoid_t oid) +static ccec_const_cp_t ccec_cp_for_oid(const unsigned char *oid) { - if (oid.oid) { + if (oid!=NULL) { if (ccoid_equal(oid, ccoid_secp192r1)) { return ccec_cp_192(); } else if (ccoid_equal(oid, ccoid_secp256r1)) { @@ -133,7 +134,7 @@ static OSStatus SecECPublicKeyInit(SecKeyRef key, } ccec_const_cp_t cp = getCPForPublicSize(derKey->keyLength); - require_action(cp.zp, errOut, err = errSecDecode); + require_action_quiet(cp.zp, errOut, err = errSecDecode); /* TODO: Parse and use real params from passed in derKey->algId.params */ err = (ccec_import_pub(cp, derKey->keyLength, derKey->key, pubkey) @@ -143,7 +144,7 @@ static OSStatus SecECPublicKeyInit(SecKeyRef key, case kSecKeyEncodingBytes: { ccec_const_cp_t cp = getCPForPublicSize(keyDataLength); - require_action(cp.zp, errOut, err = errSecDecode); + require_action_quiet(cp.zp, errOut, err = errSecDecode); err = (ccec_import_pub(cp, keyDataLength, keyData, pubkey) ? errSecDecode : errSecSuccess); break; 
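Review bot: None of the four functions check the result of CFDataCreateMutable before calling CFDataSetLength and CFDataGetMutableBytePtr on it, so an allocation failure is dereferenced inside CF instead of being returned to the caller; `if (!digest) return NULL;` after each CFDataCreateMutable is cheap, and SecDigestCreate already uses a NULL return for the unknown-algorithm case. SecDigestCreate rejects `length > INT32_MAX` because CC_LONG is 32-bit, but SecSHA1DigestCreate and SecSHA256DigestCreate hand the CFIndex to CCDigest unchecked, where a negative value converts to a huge unsigned length; a `length < 0` guard belongs in all three. The `params` argument of SecDigestCreate is unused, which is fine for these digest OIDs but deserves a comment saying so.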
@@ -154,7 +155,7 @@ static OSStatus SecECPublicKeyInit(SecKeyRef key, fullKey._full = (ccec_full_ctx *) keyData; cc_size fullKeyN = ccec_ctx_n(fullKey); - require(fullKeyN <= ccn_nof(kMaximumECKeySize), errOut); + require_quiet(fullKeyN <= ccn_nof(kMaximumECKeySize), errOut); memcpy(pubkey._pub, fullKey.pub, ccec_pub_ctx_size(ccn_sizeof_n(fullKeyN))); err = errSecSuccess; break; 
@@ -169,45 +170,51 @@ errOut: return err; } -static OSStatus SecECPublicKeyRawVerify(SecKeyRef key, SecPadding padding, - const uint8_t *signedData, size_t signedDataLen, - const uint8_t *sig, size_t sigLen) { - int err = errSecInternalComponent; - ccec_pub_ctx_t pubkey; - pubkey.pub = key->key; - bool valid = 0; +static CFTypeRef SecECPublicKeyCopyOperationResult(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, + CFArrayRef algorithms, SecKeyOperationMode mode, + CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { + if (operation != kSecKeyOperationTypeVerify) { + // EC public key supports only signature verification. + return kCFNull; + } + + if (CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureRFC4754) || CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureDigestX962)) { + if (mode == kSecKeyOperationModePerform) { + bool valid = false; + int err = -1; + size_t sigLen = CFDataGetLength(in2); + uint8_t *sig = (uint8_t *)CFDataGetBytePtr(in2); + ccec_pub_ctx_t pubkey = { .pub = key->key }; + + if (CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureDigestX962)) { + err = ccec_verify(pubkey, CFDataGetLength(in1), CFDataGetBytePtr(in1), sigLen, sig, &valid); + } else { + if (ccec_signature_r_s_size(pubkey.fullt) * 2 != sigLen) { + SecError(errSecParam, error, CFSTR("bad signature size, got %d, expecting %d bytes"), + (int)sigLen, (int)ccec_signature_r_s_size(pubkey.fullt) * 2); + return NULL; + } + err = ccec_verify_composite(pubkey, CFDataGetLength(in1), CFDataGetBytePtr(in1), + sig, sig + (sigLen >> 1), &valid); + } - // Perform verification - if (padding==kSecPaddingSigRaw) { - require_action_quiet(ccec_signature_r_s_size(pubkey.fullt)*2==sigLen, errOut, err = errSecParam); - err=ccec_verify_composite(pubkey, signedDataLen, signedData, (uint8_t*)sig, (uint8_t*)sig+(sigLen>>1),&valid); - } - else { - // kSecPaddingSigDERx962 or default - err=ccec_verify(pubkey, signedDataLen, signedData, sigLen, sig, &valid); + if (err != 0) { + 
SecError(errSecVerifyFailed, error, CFSTR("EC signature verification failed (ccerr %d)"), err); + return NULL; + } else if (!valid) { + SecError(errSecVerifyFailed, error, CFSTR("EC signature verification failed, no match")); + return NULL; + } else { + return kCFBooleanTrue; + } + } else { + // Algorithm is supported. + return kCFBooleanTrue; + } + } else { + // Other algorithms are unsupported. + return kCFNull; } - - // Result - err=(!err && valid?errSecSuccess:errSSLCrypto); // TODO: Should be errSecNotSigner; - -errOut: - return err; -} - -static OSStatus SecECPublicKeyRawEncrypt(SecKeyRef key, SecPadding padding, - const uint8_t *plainText, size_t plainTextLen, - uint8_t *cipherText, size_t *cipherTextLen) { - ccec_pub_ctx_t pubkey; - pubkey.pub = key->key; - int err = errSecUnimplemented; - -#if 0 - require_noerr(err = ccec_wrap_key(pubkey, &ccsha256_di, - plainTextLen, plainText, cipherText), errOut); - -errOut: -#endif - return err; } static size_t SecECPublicKeyBlockSize(SecKeyRef key) { @@ -221,15 +228,17 @@ static size_t SecECPublicKeyBlockSize(SecKeyRef key) { static CFDataRef SecECPublicKeyExport(CFAllocatorRef allocator, ccec_pub_ctx_t pubkey) { size_t pub_size = ccec_export_pub_size(pubkey); - CFMutableDataRef blob = CFDataCreateMutable(allocator, pub_size); - if (blob) { - CFDataSetLength(blob, pub_size); - ccec_export_pub(pubkey, CFDataGetMutableBytePtr(blob)); - } - + CFMutableDataRef blob = CFDataCreateMutableWithScratch(allocator, pub_size); + ccec_export_pub(pubkey, CFDataGetMutableBytePtr(blob)); return blob; } +static CFDataRef SecECPublicKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) { + ccec_pub_ctx_t pubkey; + pubkey.pub = key->key; + return SecECPublicKeyExport(NULL, pubkey); +} + static OSStatus SecECPublicKeyCopyPublicOctets(SecKeyRef key, CFDataRef *serailziation) { ccec_pub_ctx_t pubkey; 
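Review bot: SecECPublicKeyCopyOperationResult reads `in1` and `in2` with CFDataGetLength/CFDataGetBytePtr without confirming they are CFData, and for kSecKeyAlgorithmECDSASignatureDigestX962 the signature length is never sanity-checked before ccec_verify, whereas the RFC4754 branch checks it and reports errSecParam; if the generic SecKey dispatcher does not already validate operand types (not visible here), a `CFGetTypeID(in2) == CFDataGetTypeID()` check ahead of the length reads turns a malformed argument into an error rather than a misread. The `algorithms` parameter is unused; `(void)algorithms;` keeps -Wunused-parameter quiet. The `int err = -1;` initialiser is dead because both branches assign err before it is read.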
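Review bot: SecECPublicKeyExport drops the `if (blob)` guard the old body had; if CFDataCreateMutableWithScratch can return NULL (its contract is not on this page), CFDataGetMutableBytePtr(NULL) is now reachable, so either keep the guard or add a comment stating that the helper aborts rather than returning NULL. The new SecECPublicKeyCopyExternalRepresentation ignores its `error` out-parameter and returns NULL on failure with no reason code; a `SecError(errSecAllocate, error, CFSTR("..."))` (message to be chosen) on the NULL path would match the verification code above.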
@@ -245,7 +254,11 @@ static OSStatus SecECPublicKeyCopyPublicOctets(SecKeyRef key, CFDataRef *serailz
 }
 
 static CFDictionaryRef SecECPublicKeyCopyAttributeDictionary(SecKeyRef key) {
- return SecKeyGeneratePublicAttributeDictionary(key, kSecAttrKeyTypeEC);
+ CFDictionaryRef dict = SecKeyGeneratePublicAttributeDictionary(key, kSecAttrKeyTypeEC);
+ CFMutableDictionaryRef mutableDict = CFDictionaryCreateMutableCopy(NULL, 0, dict);
+ CFDictionarySetValue(mutableDict, kSecAttrCanDerive, kCFBooleanFalse);
+ CFAssignRetained(dict, mutableDict);
+ return dict;
 }
 
 static const char *
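Review bot: `CFDictionaryCreateMutableCopy(NULL, 0, dict)` runs without checking that SecKeyGeneratePublicAttributeDictionary returned non-NULL, and CF traps on a NULL source dictionary, whereas the old one-liner propagated NULL to the caller; `if (!dict) return NULL;` before the copy restores that behaviour. CFAssignRetained releases `dict` and takes over `mutableDict`, so the value returned is the mutable copy typed as CFDictionaryRef — fine, but a short comment such as `/* swap in the mutable copy; its +1 moves to dict */` saves the reader a trip to the macro.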
@@ -270,48 +283,34 @@ getCurveName(SecKeyRef key) static CFStringRef SecECPublicKeyCopyKeyDescription(SecKeyRef key) { - ccec_pub_ctx_t ecPubkey; CFStringRef keyDescription = NULL; - size_t xlen, ylen, ix; - CFMutableStringRef xString = NULL; - CFMutableStringRef yString = NULL; - - ecPubkey.pub = key->key; - + CFMutableStringRef strings[2] = { NULL, }; const char* curve = getCurveName(key); - uint8_t *xunit = (uint8_t*)ccec_ctx_x(ecPubkey); - require_quiet( NULL != xunit, fail); - xlen = (size_t)strlen((char*)xunit); - - - xString = CFStringCreateMutable(kCFAllocatorDefault, xlen * 2); - require_quiet( NULL != xString, fail); - - for (ix = 0; ix < xlen; ++ix) - { - CFStringAppendFormat(xString, NULL, CFSTR("%02X"), xunit[ix]); - } - - uint8_t *yunit = (uint8_t*)ccec_ctx_y(ecPubkey); - require_quiet( NULL != yunit, fail); - ylen = (size_t)strlen((char*)yunit); - - yString = CFStringCreateMutable(kCFAllocatorDefault, ylen*2); - require_quiet( NULL != yString, fail); - - for(ix = 0; ix < ylen; ++ix) - { - CFStringAppendFormat(yString, NULL, CFSTR("%02X"), yunit[ix]); + ccec_pub_ctx_t ecPubkey = { .pub = key->key }; + size_t len = ccec_ctx_size(ecPubkey); + uint8_t buffer[len]; + for (int i = 0; i < 2; ++i) { + ccn_write_uint(ccec_ctx_n(ecPubkey), (i == 0) ? 
ccec_ctx_x(ecPubkey) : ccec_ctx_y(ecPubkey), len, buffer); + require_quiet(strings[i] = CFStringCreateMutable(kCFAllocatorDefault, len * 2), fail); + for (size_t byteIndex = 0; byteIndex < len; ++byteIndex) { + CFStringAppendFormat(strings[i], NULL, CFSTR("%02X"), buffer[byteIndex]); + } } - keyDescription = CFStringCreateWithFormat(kCFAllocatorDefault,NULL,CFSTR( "<SecKeyRef curve type: %s, algorithm id: %lu, key type: %s, version: %d, block size: %zu bits, y: %@, x: %@, addr: %p>"), curve, (long)SecKeyGetAlgorithmId(key), key->key_class->name, key->key_class->version, (8*SecKeyGetBlockSize(key)), yString, xString, key); + keyDescription = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR( "<SecKeyRef curve type: %s, algorithm id: %lu, key type: %s, version: %d, block size: %zu bits, y: %@, x: %@, addr: %p>"), + curve, (long)SecKeyGetAlgorithmId(key), key->key_class->name, key->key_class->version, + 8 * SecKeyGetBlockSize(key), strings[1], strings[0], key); fail: - CFReleaseSafe(xString); - CFReleaseSafe(yString); + CFReleaseSafe(strings[0]); + CFReleaseSafe(strings[1]); if(!keyDescription) - keyDescription = CFStringCreateWithFormat(kCFAllocatorDefault,NULL,CFSTR("<SecKeyRef curve type: %s, algorithm id: %lu, key type: %s, version: %d, block size: %zu bits, addr: %p>"), curve,(long)SecKeyGetAlgorithmId(key), key->key_class->name, key->key_class->version, (8*SecKeyGetBlockSize(key)), key); + keyDescription = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR("<SecKeyRef curve type: %s, algorithm id: %lu, key type: %s, version: %d, block size: %zu bits, addr: %p>"), + curve,(long)SecKeyGetAlgorithmId(key), key->key_class->name, key->key_class->version, + 8 * SecKeyGetBlockSize(key), key); return keyDescription; } 
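Review bot: `uint8_t buffer[len];` is a VLA sized by `ccec_ctx_size(ecPubkey)`, a value that comes from the key object rather than a compile-time constant; it is presumably bounded by the kMaximumECKeySize check in SecECPublicKeyInit (not in this hunk), but a fixed `uint8_t buffer[ccn_sizeof(kMaximumECKeySize)];` plus `require_quiet(len <= sizeof buffer, fail);` states the bound where it is relied on and avoids data-dependent stack growth. A one-line comment that `len` is both the width each coordinate is written at by ccn_write_uint and the number of bytes hex-encoded would make the two loops' agreement explicit.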
@@ -335,7 +334,7 @@ static CFDataRef SecECKeyCopyWrapKey(SecKeyRef key, SecKeyWrapType type, CFDataR const struct ccec_rfc6637_curve *curve; const struct ccec_rfc6637_wrap *wrap = NULL; uint8_t sym_alg = 0; - long flags = 0; + int32_t flags = 0; pubkey.pub = key->key; @@ -376,7 +375,7 @@ static CFDataRef SecECKeyCopyWrapKey(SecKeyRef key, SecKeyWrapType type, CFDataR } num = CFDictionaryGetValue(parameters, _kSecKeyWrapRFC6637Flags); - if (isNull(num)) { + if (isNumber(num)) { if (!CFNumberGetValue(num, kCFNumberLongType, &flags)) { SecError(errSecUnsupportedOperation, error, CFSTR("invalid flags: %@"), num); return NULL; @@ -395,7 +394,7 @@ static CFDataRef SecECKeyCopyWrapKey(SecKeyRef key, SecKeyWrapType type, CFDataR } CFMutableDataRef data = CFDataCreateMutableWithScratch(NULL, output_size); - require(data, errOut); + require_quiet(data, errOut); err = ccec_rfc6637_wrap_key(pubkey, CFDataGetMutableBytePtr(data), flags, sym_alg, CFDataGetLength(unwrappedKey), CFDataGetBytePtr(unwrappedKey), 
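Review bot: The `-335,7` hunk narrows `flags` from `long` to `int32_t`, but the unchanged line in the `-376,7` hunk still calls `CFNumberGetValue(num, kCFNumberLongType, &flags)`, which writes sizeof(long) bytes — 8 on LP64 — into a 4-byte local and overruns the stack. The requested CFNumber type must match the destination: either `CFNumberGetValue(num, kCFNumberSInt32Type, &flags)` or read into a `long` temporary and range-check it into `flags`. The `isNull` → `isNumber` fix in the same hunk makes this path reachable, so the mismatch is no longer latent. SecECKeyCopyWrapKey spans beyond these hunks.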
@@ -410,25 +409,20 @@ errOut: return data; } - SecKeyDescriptor kSecECPublicKeyDescriptor = { - kSecKeyDescriptorVersion, - "ECPublicKey", - ccec_pub_ctx_size(ccn_sizeof(kMaximumECKeySize)), /* extraBytes */ - SecECPublicKeyInit, - SecECPublicKeyDestroy, - NULL, /* SecKeyRawSignMethod */ - SecECPublicKeyRawVerify, - SecECPublicKeyRawEncrypt, - NULL, /* SecKeyDecryptMethod */ - NULL, /* SecKeyComputeMethod */ - SecECPublicKeyBlockSize, - SecECPublicKeyCopyAttributeDictionary, - SecECPublicKeyCopyKeyDescription, - SecECKeyGetAlgorithmID, - SecECPublicKeyCopyPublicOctets, - SecECKeyCopyWrapKey, - NULL, /* SecKeyCopyUnwrapKey */ + .version = kSecKeyDescriptorVersion, + .name = "ECPublicKey", + .extraBytes = ccec_pub_ctx_size(ccn_sizeof(kMaximumECKeySize)), + .init = SecECPublicKeyInit, + .destroy = SecECPublicKeyDestroy, + .blockSize = SecECPublicKeyBlockSize, + .copyDictionary = SecECPublicKeyCopyAttributeDictionary, + .copyExternalRepresentation = SecECPublicKeyCopyExternalRepresentation, + .describe = SecECPublicKeyCopyKeyDescription, + .getAlgorithmID = SecECKeyGetAlgorithmID, + .copyPublic = SecECPublicKeyCopyPublicOctets, + .copyWrapKey = SecECKeyCopyWrapKey, + .copyOperationResult = SecECPublicKeyCopyOperationResult, }; /* Public Key API functions. */ @@ -436,7 +430,7 @@ SecKeyRef SecKeyCreateECPublicKey(CFAllocatorRef allocator, const uint8_t *keyData, CFIndex keyDataLength, SecKeyEncoding encoding) { return SecKeyCreate(allocator, &kSecECPublicKeyDescriptor, keyData, - keyDataLength, encoding); + keyDataLength, encoding); } 
@@ -470,44 +464,44 @@ static OSStatus SecECPrivateKeyInit(SecKeyRef key, //err = ecc_import(keyData, keyDataLength, fullkey); /* DER != PKCS#1, but we'll go along with it */ - ccoid_t oid; + const unsigned char *oid; size_t n; ccec_const_cp_t cp; - require_noerr(ccec_der_import_priv_keytype(keyDataLength, keyData, &oid, &n), abort); + require_noerr_quiet(ccec_der_import_priv_keytype(keyDataLength, keyData, (ccoid_t*)&oid, &n), abort); cp = ccec_cp_for_oid(oid); if (cp.zp == NULL) { cp = ccec_curve_for_length_lookup(n * 8 /* bytes -> bits */, ccec_cp_192(), ccec_cp_224(), ccec_cp_256(), ccec_cp_384(), ccec_cp_521(), NULL); } - require_action(cp.zp != NULL, abort, err = errSecDecode); + require_action_quiet(cp.zp != NULL, abort, err = errSecDecode); ccec_ctx_init(cp, fullkey); - require_noerr(ccec_der_import_priv(cp, keyDataLength, keyData, fullkey), abort); + require_noerr_quiet(ccec_der_import_priv(cp, keyDataLength, keyData, fullkey), abort); err = errSecSuccess; break; } case kSecKeyEncodingBytes: { ccec_const_cp_t cp = getCPForPrivateSize(keyDataLength); - require(cp.zp != NULL, abort); + require_quiet(cp.zp != NULL, abort); ccec_ctx_init(cp, fullkey); size_t pubSize = ccec_export_pub_size(fullkey); - require(pubSize < (size_t) keyDataLength, abort); - require_noerr_action(ccec_import_pub(cp, pubSize, keyData, fullkey), - abort, - err = errSecDecode); + require_quiet(pubSize < (size_t) keyDataLength, abort); + require_noerr_action_quiet(ccec_import_pub(cp, pubSize, keyData, fullkey), + abort, + err = errSecDecode); keyData += pubSize; keyDataLength -= pubSize; cc_unit *k = ccec_ctx_k(fullkey); - require_noerr_action(ccn_read_uint(ccec_ctx_n(fullkey), k, keyDataLength, keyData), - abort, - err = errSecDecode); + require_noerr_action_quiet(ccn_read_uint(ccec_ctx_n(fullkey), k, keyDataLength, keyData), + abort, + err = errSecDecode); err = errSecSuccess; break; 
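Review bot: `(ccoid_t*)&oid` casts the address of a `const unsigned char *` to `ccoid_t *`, which is only sound if ccoid_t is layout-compatible with a single pointer; the `-99,9` hunk on SecECKey.c earlier in this page compares such a raw pointer with a ccoid_t via ccoid_equal, so it is presumably a thin wrapper, but that is an assumption about corecrypto's definition, and the cast is an aliasing violation if ccoid_t is a struct or union. Keeping `ccoid_t oid;` as the old code did, passing `&oid` to ccec_der_import_priv_keytype and handing the appropriate member to ccec_cp_for_oid keeps the type system involved. The `require_*` → `require_*_quiet` changes are fine; a comment that decode failures are expected on untrusted input and should not log would explain the churn. SecECPrivateKeyInit begins before the hunk.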
@@ -539,64 +533,81 @@ abort: return err; } -static OSStatus SecECPrivateKeyRawSign(SecKeyRef key, SecPadding padding, - const uint8_t *dataToSign, size_t dataToSignLen, - uint8_t *sig, size_t *sigLen) { - ccec_full_ctx_t fullkey = {}; - fullkey.hdr = key->key; - int err; - require_action_quiet(sigLen, errOut, err = errSecParam); - - // Perform signature - if (padding==kSecPaddingSigRaw) { - // kSecPaddingSigRaw: {r,s} raw byte in big endian, concatenated. - cc_size r_s_size=ccec_signature_r_s_size(fullkey); - require_action_quiet(*sigLen>=(r_s_size<<1), errOut, err = errSecParam); - require_noerr(err = ccec_sign_composite(fullkey, dataToSignLen, dataToSign, - sig, sig+r_s_size, ccrng_seckey), errOut); - *sigLen=(r_s_size<<1); - } - else { - // kSecPaddingSigDERx962 or default - require_noerr(err = ccec_sign(fullkey, dataToSignLen, dataToSign, - sigLen, sig, ccrng_seckey), errOut); - } -errOut: - return err; -} - -#if 0 -static const struct ccdigest_info * -ccdigest_lookup_by_oid(unsigned long oid_size, const void *oid) { - static const struct ccdigest_info *dis[] = { - &ccsha1_di, - &ccsha224_di, - &ccsha256_di, - &ccsha384_di, - &ccsha512_di - }; - size_t i; - for (i = 0; i < array_size(dis); ++i) { - if (oid_size == dis[i]->oid_size && !memcmp(dis[i]->oid, oid, oid_size)) - return dis[i]; +static CFTypeRef SecECPrivateKeyCopyOperationResult(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, + CFArrayRef allAlgorithms, SecKeyOperationMode mode, + CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { + // Default answer is 'unsupported', unless we find out that we can support it. + CFTypeRef result = kCFNull; + + ccec_full_ctx_t fullkey = { .hdr = key->key }; + switch (operation) { + case kSecKeyOperationTypeSign: { + if (CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureRFC4754)) { + if (mode == kSecKeyOperationModePerform) { + // Perform r/s mode of signature. 
+ cc_size r_s_size = ccec_signature_r_s_size(fullkey); + result = CFDataCreateMutableWithScratch(NULL, r_s_size << 1); + uint8_t *signatureBuffer = CFDataGetMutableBytePtr((CFMutableDataRef)result); + int err = ccec_sign_composite(fullkey, CFDataGetLength(in1), CFDataGetBytePtr(in1), + signatureBuffer, signatureBuffer + r_s_size, ccrng_seckey); + require_action_quiet(err == 0, out, (CFReleaseNull(result), + SecError(errSecParam, error, CFSTR("%@: RFC4754 signing failed (ccerr %d)"), + key, err))); + } else { + // Operation is supported. + result = kCFBooleanTrue; + } + } else if (CFEqual(algorithm, kSecKeyAlgorithmECDSASignatureDigestX962)) { + if (mode == kSecKeyOperationModePerform) { + // Perform x962 mode of signature. + size_t size = ccec_sign_max_size(ccec_ctx_cp(fullkey)); + result = CFDataCreateMutableWithScratch(NULL, size); + int err = ccec_sign(fullkey, CFDataGetLength(in1), CFDataGetBytePtr(in1), + &size, CFDataGetMutableBytePtr((CFMutableDataRef)result), ccrng_seckey); + require_action_quiet(err == 0, out, (CFReleaseNull(result), + SecError(errSecParam, error, CFSTR("%@: X962 signing failed (ccerr %d)"), + key, err))); + CFDataSetLength((CFMutableDataRef)result, size); + } else { + // Operation is supported. 
+ result = kCFBooleanTrue; + } + } + break; + } + case kSecKeyOperationTypeKeyExchange: + if (CFEqual(algorithm, kSecKeyAlgorithmECDHKeyExchangeStandard) || + CFEqual(algorithm, kSecKeyAlgorithmECDHKeyExchangeCofactor)) { + if (mode == kSecKeyOperationModePerform) { + int err; + ccec_const_cp_t cp = getCPForPublicSize(CFDataGetLength(in1)); + require_action_quiet(cp.zp != NULL, out, + SecError(errSecParam, error, CFSTR("ECpriv sharedsecret: bad public key"))); + uint8_t pubkeyBuffer[ccec_pub_ctx_size(ccn_sizeof(kMaximumECKeySize))]; + ccec_pub_ctx_t pubkey = { .pub = (struct ccec_ctx_public *)pubkeyBuffer }; + err = ccec_import_pub(cp, CFDataGetLength(in1), CFDataGetBytePtr(in1), pubkey); + require_noerr_action_quiet(err, out, SecError(errSecParam, error, + CFSTR("ECpriv sharedsecret: bad public key (err %d)"), err)); + size_t size = ccec_ccn_size(cp); + result = CFDataCreateMutableWithScratch(NULL, size); + err = ccecdh_compute_shared_secret(fullkey, pubkey, &size, + CFDataGetMutableBytePtr((CFMutableDataRef)result), ccrng_seckey); + require_noerr_action_quiet(err, out, (CFReleaseNull(result), + SecError(errSecDecode, error, + CFSTR("ECpriv failed to compute shared secret (err %d)"), err))); + CFDataSetLength((CFMutableDataRef)result, size); + } else { + // Operation is supported. + result = kCFBooleanTrue; + } + } + break; + default: + break; } - return NULL; -} -#endif -static OSStatus SecECPrivateKeyRawDecrypt(SecKeyRef key, SecPadding padding, - const uint8_t *cipherText, size_t cipherTextLen, - uint8_t *plainText, size_t *plainTextLen) { - ccec_full_ctx_t fullkey; - fullkey.hdr = key->key; - int err = errSecUnimplemented; - -#if 0 - err = ccec_unwrap_key(fullkey, ccrng_seckey, ccdigest_lookup_by_oid, - cipherTextLen, cipherText, plainTextLen, plainText); -#endif - - return err; +out: + return result; } static size_t SecECPrivateKeyBlockSize(SecKeyRef key) { 
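Review bot: In the `kSecKeyOperationTypeKeyExchange` branch the ECDH shared secret is written into `CFDataCreateMutableWithScratch(NULL, size)`, i.e. the default allocator, so the secret's backing store is not scrubbed when the CFData is released; `SecEMCS.m` in this same commit moves key material to `CFDataCreateMutableWithScratch(SecCFAllocatorZeroize(), …)`, and the shared secret should follow that rule: `result = CFDataCreateMutableWithScratch(SecCFAllocatorZeroize(), size);` (with `<Security/SecCFAllocator.h>` included as that file does). The first two `require_*_quiet(..., out, SecError(...))` exits in that branch fire while `result` is still `kCFNull`, so a malformed peer public key returns the 'unsupported' sentinel with `*error` set, unlike the later exits which `CFReleaseNull(result)` and return NULL; setting `result = NULL;` before those checks keeps the contract uniform. Every `CFDataCreateMutableWithScratch` call here is followed immediately by `CFDataGetMutableBytePtr((CFMutableDataRef)result)` with no NULL check, whereas `SecEMCS.m` guards the same helper with `require(unwrappedKey, out)`, so either the helper never returns NULL and a comment should say so, or the sign and key-exchange paths need the same guard.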
@@ -620,40 +631,27 @@ static OSStatus SecECPrivateKeyCopyPublicOctets(SecKeyRef key, CFDataRef *serail return errSecSuccess; } -static CFDataRef SecECPPrivateKeyExport(CFAllocatorRef allocator, - ccec_full_ctx_t fullkey) { +static CFDataRef SecECPrivateKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) { + ccec_full_ctx_t fullkey; + fullkey.hdr = key->key; size_t prime_size = ccec_cp_prime_size(ccec_ctx_cp(fullkey)); size_t key_size = ccec_export_pub_size(fullkey) + prime_size; - CFMutableDataRef blob = CFDataCreateMutable(allocator, key_size); - if (blob) { - CFDataSetLength(blob, key_size); - ccec_export_pub(fullkey, CFDataGetMutableBytePtr(blob)); - UInt8 *dest = CFDataGetMutableBytePtr(blob) + ccec_export_pub_size(fullkey); - const cc_unit *k = ccec_ctx_k(fullkey); - ccn_write_uint_padded(ccec_ctx_n(fullkey), k, prime_size, dest); - } - - return blob; + CFMutableDataRef blob = CFDataCreateMutableWithScratch(NULL, key_size); + ccec_export_pub(fullkey, CFDataGetMutableBytePtr(blob)); + UInt8 *dest = CFDataGetMutableBytePtr(blob) + ccec_export_pub_size(fullkey); + const cc_unit *k = ccec_ctx_k(fullkey); + ccn_write_uint_padded(ccec_ctx_n(fullkey), k, prime_size, dest); + return blob; } - static CFDictionaryRef SecECPrivateKeyCopyAttributeDictionary(SecKeyRef key) { - CFDictionaryRef dict = NULL; - CFAllocatorRef allocator = CFGetAllocator(key); - + /* Export the full ec key pair. */ ccec_full_ctx_t fullkey; fullkey.hdr = key->key; + CFDataRef fullKeyBlob = SecECPrivateKeyCopyExternalRepresentation(key, NULL); - CFDataRef fullKeyBlob = NULL; - - /* Export the full ec key pair. 
*/ - require(fullKeyBlob = SecECPPrivateKeyExport(allocator, fullkey), errOut); - - dict = SecKeyGeneratePrivateAttributeDictionary(key, kSecAttrKeyTypeEC, fullKeyBlob); - -errOut: + CFDictionaryRef dict = SecKeyGeneratePrivateAttributeDictionary(key, kSecAttrKeyTypeEC, fullKeyBlob); CFReleaseSafe(fullKeyBlob); - return dict; } static CFStringRef SecECPrivateKeyCopyKeyDescription(SecKeyRef key) { @@ -672,7 +670,7 @@ static CFDataRef SecECKeyCopyUnwrapKey(SecKeyRef key, SecKeyWrapType type, CFDat CFMutableDataRef data; int res; uint8_t sym_alg = 0; - unsigned long flags = 0; + int32_t flags = 0; fullkey.hdr = key->key; @@ -702,8 +700,8 @@ static CFDataRef SecECKeyCopyUnwrapKey(SecKeyRef key, SecKeyWrapType type, CFDat } CFNumberRef num = CFDictionaryGetValue(parameters, _kSecKeyWrapRFC6637Flags); - if (isNull(num)) { - if (!CFNumberGetValue(num, kCFNumberSInt32Type, &num)) { + if (isNumber(num)) { + if (!CFNumberGetValue(num, kCFNumberSInt32Type, &flags)) { SecError(errSecUnsupportedOperation, error, CFSTR("invalid flags: %@"), num); return NULL; } 
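Review bot: `SecECPrivateKeyCopyExternalRepresentation` drops the `if (blob)` guard the old `SecECPPrivateKeyExport` had — `CFDataCreateMutableWithScratch(NULL, key_size)` is followed unconditionally by `CFDataGetMutableBytePtr(blob)` — and the new `error` parameter is never written, so an allocation failure dereferences NULL and a caller gets neither a blob nor an error. The blob carries the full private scalar (`ccn_write_uint_padded(ccec_ctx_n(fullkey), k, prime_size, dest)`) yet is allocated from the default allocator rather than `SecCFAllocatorZeroize()` as this commit does for key material in `SecEMCS.m`; consider `CFMutableDataRef blob = CFDataCreateMutableWithScratch(SecCFAllocatorZeroize(), key_size);` followed by a NULL check that reports through `error`. In `SecECPrivateKeyCopyAttributeDictionary` the `fullkey` local is now assigned but never read, and `fullKeyBlob` is handed to `SecKeyGeneratePrivateAttributeDictionary` even when it is NULL, where the old code had `require(fullKeyBlob = ..., errOut)`.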
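Review bot: With `if (isNumber(num))` a `_kSecKeyWrapRFC6637Flags` value that is present but not a CFNumber is now silently ignored and `flags` stays 0, whereas a CFNumber that fails `CFNumberGetValue` is rejected with `errSecUnsupportedOperation`; treating a wrong-typed entry the same way keeps a malformed parameter dictionary from being accepted as the defaults: `} else if (num != NULL) { SecError(errSecUnsupportedOperation, error, CFSTR("invalid flags: %@"), num); return NULL; }`. The enclosing `SecECKeyCopyUnwrapKey` starts and ends outside this hunk.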
@@ -744,25 +742,22 @@ static CFDataRef SecECKeyCopyUnwrapKey(SecKeyRef key, SecKeyWrapType type, CFDat return data; } - SecKeyDescriptor kSecECPrivateKeyDescriptor = { - kSecKeyDescriptorVersion, - "ECPrivateKey", - ccec_full_ctx_size(ccn_sizeof(kMaximumECKeySize)), /* extraBytes */ - SecECPrivateKeyInit, - SecECPrivateKeyDestroy, - SecECPrivateKeyRawSign, - NULL, /* SecKeyRawVerifyMethod */ - NULL, /* SecKeyEncryptMethod */ - SecECPrivateKeyRawDecrypt, - NULL, /* SecKeyComputeMethod */ - SecECPrivateKeyBlockSize, - SecECPrivateKeyCopyAttributeDictionary, - SecECPrivateKeyCopyKeyDescription, - SecECKeyGetAlgorithmID, - SecECPrivateKeyCopyPublicOctets, - SecECKeyCopyWrapKey, - SecECKeyCopyUnwrapKey, + .version = kSecKeyDescriptorVersion, + .name = "ECPrivateKey", + .extraBytes = ccec_full_ctx_size(ccn_sizeof(kMaximumECKeySize)), + + .init = SecECPrivateKeyInit, + .destroy = SecECPrivateKeyDestroy, + .blockSize = SecECPrivateKeyBlockSize, + .copyDictionary = SecECPrivateKeyCopyAttributeDictionary, + .describe = SecECPrivateKeyCopyKeyDescription, + .getAlgorithmID = SecECKeyGetAlgorithmID, + .copyPublic = SecECPrivateKeyCopyPublicOctets, + .copyExternalRepresentation = SecECPrivateKeyCopyExternalRepresentation, + .copyWrapKey = SecECKeyCopyWrapKey, + .copyUnwrapKey = SecECKeyCopyUnwrapKey, + .copyOperationResult = SecECPrivateKeyCopyOperationResult, }; /* Private Key API functions. */ @@ -788,7 +783,7 @@ OSStatus SecECKeyGeneratePair(CFDictionaryRef parameters, /* Create SecKeyRef's from the pkcs1 encoded keys. */ pubKey = SecKeyCreate(allocator, &kSecECPublicKeyDescriptor, - privKey->key, 0, kSecExtractPublicFromPrivate); + privKey->key, 0, kSecExtractPublicFromPrivate); require(pubKey, errOut); 
@@ -814,37 +809,43 @@ errOut: /* It's debatable whether this belongs here or in the ssl code since the curve values come from a tls related rfc4492. */ SecECNamedCurve SecECKeyGetNamedCurve(SecKeyRef key) { - if (key->key_class != &kSecECPublicKeyDescriptor && - key->key_class != &kSecECPrivateKeyDescriptor) - return kSecECCurveNone; - - ccec_pub_ctx_t pubkey; - pubkey.pub = key->key; - switch (ccec_ctx_size(pubkey)) { + SecECNamedCurve result = kSecECCurveNone; + CFDictionaryRef attributes = NULL; + require_quiet(SecKeyGetAlgorithmId(key) == kSecECDSAAlgorithmID, out); + require_quiet(attributes = SecKeyCopyAttributes(key), out); + CFTypeRef bitsRef = CFDictionaryGetValue(attributes, kSecAttrKeySizeInBits); + CFIndex bits; + require_quiet(bitsRef != NULL && CFGetTypeID(bitsRef) == CFNumberGetTypeID() && + CFNumberGetValue(bitsRef, kCFNumberCFIndexType, &bits), out); + switch (bits) { #if 0 - case 24: - return kSecECCurveSecp192r1; - case 28: - return kSecECCurveSecp224r1; + case 192: + result = kSecECCurveSecp192r1; + break; + case 224: + result = kSecECCurveSecp224r1; + break; #endif - case 32: - return kSecECCurveSecp256r1; - case 48: - return kSecECCurveSecp384r1; - case 66: - return kSecECCurveSecp521r1; + case 256: + result = kSecECCurveSecp256r1; + break; + case 384: + result = kSecECCurveSecp384r1; + break; + case 521: + result = kSecECCurveSecp521r1; + break; } - return kSecECCurveNone; + +out: + CFReleaseSafe(attributes); + return result; } CFDataRef SecECKeyCopyPublicBits(SecKeyRef key) { - if (key->key_class != &kSecECPublicKeyDescriptor && - key->key_class != &kSecECPrivateKeyDescriptor) - return NULL; - - ccec_pub_ctx_t pubkey; - pubkey.pub = key->key; - return SecECPublicKeyExport(CFGetAllocator(key), pubkey); + CFDataRef bytes = NULL; + SecKeyCopyPublicBytes(key, &bytes); + return bytes; } /* Vile accessors that get us the pub or priv key to use temporarily */ 
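Review bot: `SecECKeyCopyPublicBits` no longer checks that `key` is an EC key: the old body returned NULL unless `key->key_class` was one of the two EC descriptors, while the new one forwards any key to `SecKeyCopyPublicBytes` and ignores its return status, so an RSA key now yields its RSA public bytes from a function whose name promises EC public bits. Mirroring the guard the rewritten `SecECKeyGetNamedCurve` already uses — `if (SecKeyGetAlgorithmId(key) != kSecECDSAAlgorithmID) return NULL;` before the call — restores the old contract. In `SecECKeyGetNamedCurve` the `switch (bits)` has no `default:`; `result` is pre-set to `kSecECCurveNone` so the behavior is right, but an explicit `default: break;` documents that the fall-through is intended.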
diff --git a/OSX/sec/Security/SecEMCS.m b/OSX/sec/Security/SecEMCS.m index 1aa12152..234dc087 100644 --- a/OSX/sec/Security/SecEMCS.m +++ b/OSX/sec/Security/SecEMCS.m @@ -21,11 +21,12 @@ * @APPLE_LICENSE_HEADER_END@ */ -#define __KEYCHAINCORE__ +#define __KEYCHAINCORE__ 1 #include <Foundation/Foundation.h> #include <Security/SecBase.h> #include <Security/SecBasePriv.h> +#include <Security/SecCFAllocator.h> #include <corecrypto/ccpbkdf2.h> #include <corecrypto/ccsha2.h> #include <corecrypto/ccaes.h> @@ -90,7 +91,7 @@ CopyUnwrappedKey(CFDataRef wrappingKey, CFDataRef wrappedKey) ccecb_init(ecb_mode, key, CFDataGetLength(wrappingKey), CFDataGetBytePtr(wrappingKey)); - unwrappedKey = CFDataCreateMutableWithScratch(CFAllocatorSensitive(), ccwrap_unwrapped_size(CFDataGetLength(wrappedKey))); + unwrappedKey = CFDataCreateMutableWithScratch(SecCFAllocatorZeroize(), ccwrap_unwrapped_size(CFDataGetLength(wrappedKey))); require(unwrappedKey, out); size_t obytes = 0; @@ -130,7 +131,7 @@ CreateDerivedKey(CFDataRef salt, long iterations, NSString *managedCredential) } - CFMutableDataRef key = CFDataCreateMutable(CFAllocatorSensitive(), KEY_LENGTH); + CFMutableDataRef key = CFDataCreateMutable(SecCFAllocatorZeroize(), KEY_LENGTH); if (key == NULL) { memset_s(buffer, strLength, 0, strLength); return NULL; @@ -229,9 +230,9 @@ SecEMCSCreateNewiDMSKey(NSDictionary *options, goto out; if (oldEMCSKey) { - localEmcsKey = CFDataCreateMutableCopy(CFAllocatorSensitive(), 0, (__bridge CFDataRef)oldEMCSKey); + localEmcsKey = CFDataCreateMutableCopy(SecCFAllocatorZeroize(), 0, (__bridge CFDataRef)oldEMCSKey); } else { - localEmcsKey = CFDataCreateMutableWithScratch(CFAllocatorSensitive(), KEY_LENGTH); + localEmcsKey = CFDataCreateMutableWithScratch(SecCFAllocatorZeroize(), KEY_LENGTH); if (localEmcsKey == NULL) goto out; if (SecRandomCopyBytes(NULL, CFDataGetLength(localEmcsKey), CFDataGetMutableBytePtr(localEmcsKey)) != 0) 
diff --git a/OSX/sec/Security/SecExports.exp-in b/OSX/sec/Security/SecExports.exp-in
index 6300a347..f2356874 100644
--- a/OSX/sec/Security/SecExports.exp-in
+++ b/OSX/sec/Security/SecExports.exp-in
@@ -45,45 +45,82 @@ _SecBase64Encode2 // Trust // -_kSecPolicyAppleX509Basic -_kSecPolicyAppleSSL -_kSecPolicyAppleSMIME -_kSecPolicyAppleEAP -_kSecPolicyAppleSWUpdateSigning -_kSecPolicyApplePackageSigning -_kSecPolicyAppleIPsec +// Policies +_kSecPolicyAppleAST2DiagnosticsServerAuth +_kSecPolicyAppleATVVPNProfileSigning _kSecPolicyAppleCodeSigning +_kSecPolicyAppleEAP +_kSecPolicyAppleEscrowProxyCompatibilityServerAuth +_kSecPolicyAppleEscrowProxyServerAuth +_kSecPolicyAppleEscrowService +_kSecPolicyAppleExternalDeveloper +_kSecPolicyAppleFactoryDeviceCertificate +_kSecPolicyAppleFMiPServerAuth +_kSecPolicyAppleGenericApplePinned +_kSecPolicyAppleGenericAppleSSLPinned +_kSecPolicyAppleGSService +_kSecPolicyAppleHomeKitServerAuth +_kSecPolicyAppleiAP +_kSecPolicyAppleIDAuthority +_kSecPolicyAppleIDSService +_kSecPolicyAppleIDSServiceContext _kSecPolicyAppleIDValidation +_kSecPolicyAppleIDValidationRecordSigning _kSecPolicyAppleIDValidationRecordSigningPolicy -_kSecPolicyAppleOSXProvisioningProfileSigning -_kSecPolicyMacAppStoreReceipt -_kSecPolicyAppleTimeStamping -_kSecPolicyAppleRevocation -_kSecPolicyApplePassbookSigning +_kSecPolicyAppleiPhoneActivation +_kSecPolicyAppleiPhoneApplicationSigning +_kSecPolicyAppleiPhoneDeviceCertificate +_kSecPolicyAppleiPhoneProfileApplicationSigning +_kSecPolicyAppleiPhoneProvisioningProfileSigning +_kSecPolicyAppleIPsec +_kSecPolicyAppleiTunesStoreURLBag +_kSecPolicyAppleLegacyPushService +_kSecPolicyAppleLockdownPairing +_kSecPolicyAppleMMCSCompatibilityServerAuth +_kSecPolicyAppleMMCSService +_kSecPolicyAppleMobileAsset _kSecPolicyAppleMobileStore -_kSecPolicyAppleTestMobileStore +_kSecPolicyAppleOCSPSigner +_kSecPolicyAppleOSXProvisioningProfileSigning _kSecPolicyAppleOTAPKISigner -_kSecPolicyAppleTestOTAPKISigner -_kSecPolicyAppleEscrowService +_kSecPolicyAppleOTATasking +_kSecPolicyApplePackageSigning +_kSecPolicyApplePassbookSigning +_kSecPolicyApplePayIssuerEncryption _kSecPolicyApplePCSEscrowService 
+_kSecPolicyApplePKINITClient +_kSecPolicyApplePKINITServer +_kSecPolicyApplePPQService +_kSecPolicyApplePPQSigning _kSecPolicyAppleProfileSigner +_kSecPolicyApplePushService _kSecPolicyAppleQAProfileSigner +_kSecPolicyAppleRevocation +_kSecPolicyAppleServerAuthentication +_kSecPolicyAppleSMIME _kSecPolicyAppleSMPEncryption -_kSecPolicyAppleTestSMPEncryption -_kSecPolicyApplePPQSigning +_kSecPolicyAppleSoftwareSigning +_kSecPolicyAppleSSL +_kSecPolicyAppleSWUpdateSigning +_kSecPolicyAppleTestMobileStore +_kSecPolicyAppleTestOTAPKISigner _kSecPolicyAppleTestPPQSigning -_kSecPolicyAppleATVAppSigning -_kSecPolicyAppleTestATVAppSigning -_kSecPolicyAppleATVVPNProfileSigning -_kSecPolicyApplePayIssuerEncryption -_kSecPolicyAppleAST2DiagnosticsServerAuth -_kSecPolicyAppleAnchorAllowTestRootsOnProduction +_kSecPolicyAppleTestSMPEncryption +_kSecPolicyAppleTimeStamping +_kSecPolicyAppleTVOSApplicationSigning +_kSecPolicyAppleUniqueDeviceIdentifierCertificate +_kSecPolicyAppleURLBag +_kSecPolicyAppleX509Basic +_kSecPolicyMacAppStoreReceipt + +// Policy Checks _kSecPolicyAppleAnchorIncludeTestRoots _kSecPolicyCheckAnchorSHA1 +_kSecPolicyCheckAnchorSHA256 _kSecPolicyCheckAnchorApple _kSecPolicyCheckAnchorTrusted _kSecPolicyCheckBasicCertificateProcessing -_kSecPolicyCheckBasicContraints +_kSecPolicyCheckBasicConstraints _kSecPolicyCheckBlackListedKey _kSecPolicyCheckBlackListedLeaf _kSecPolicyCheckCertificatePolicy 
@@ -97,99 +134,158 @@ _kSecPolicyCheckExtendedValidation _kSecPolicyCheckGrayListedKey _kSecPolicyCheckGrayListedLeaf _kSecPolicyCheckIdLinkage +_kSecPolicyCheckIntermediateEKU _kSecPolicyCheckIntermediateMarkerOid _kSecPolicyCheckIntermediateSPKISHA256 _kSecPolicyCheckIssuerCommonName -_kSecPolicyCheckWeakIntermediates -_kSecPolicyCheckWeakLeaf -_kSecPolicyCheckWeakRoot +_kSecPolicyCheckKeySize _kSecPolicyCheckKeyUsage _kSecPolicyCheckLeafMarkerOid +_kSecPolicyCheckLeafMarkerOidWithoutValueCheck _kSecPolicyCheckNoNetworkAccess _kSecPolicyCheckNonEmptySubject _kSecPolicyCheckNotValidBefore _kSecPolicyCheckQualifiedCertStatements _kSecPolicyCheckRevocation _kSecPolicyCheckRevocationResponseRequired +_kSecPolicyCheckRevocationOCSP +_kSecPolicyCheckRevocationCRL +_kSecPolicyCheckRevocationAny +_kSecPolicyCheckSignatureHashAlgorithms _kSecPolicyCheckSSLHostname _kSecPolicyCheckSubjectCommonName _kSecPolicyCheckSubjectCommonNamePrefix _kSecPolicyCheckSubjectCommonNameTEST _kSecPolicyCheckSubjectOrganization _kSecPolicyCheckSubjectOrganizationalUnit +_kSecPolicyCheckUsageConstraints _kSecPolicyCheckValidIntermediates _kSecPolicyCheckValidLeaf _kSecPolicyCheckValidRoot +_kSecPolicyCheckWeakIntermediates +_kSecPolicyCheckWeakLeaf +_kSecPolicyCheckWeakRoot + +// Policy Properties _kSecPolicyClient +_kSecPolicyContext +_kSecPolicyIntermediateMarkerOid +_kSecPolicyLeafMarkerOid _kSecPolicyName _kSecPolicyOid +_kSecPolicyPolicyName _kSecPolicyRevocationFlags _kSecPolicyTeamIdentifier +#if TARGET_OS_MAC && !TARGET_OS_IPHONE +_kSecPolicyKU_CRLSign +_kSecPolicyKU_DataEncipherment +_kSecPolicyKU_DecipherOnly +_kSecPolicyKU_DigitalSignature +_kSecPolicyKU_EncipherOnly +_kSecPolicyKU_KeyAgreement +_kSecPolicyKU_KeyCertSign +_kSecPolicyKU_KeyEncipherment +_kSecPolicyKU_NonRepudiation +#endif -_SecPolicyCopyEscrowRootCertificate +_SecPolicyCheckCertEAPTrustedServerNames +_SecPolicyCheckCertEmail +_SecPolicyCheckCertExtendedKeyUsage +_SecPolicyCheckCertLeafMarkerOid 
+_SecPolicyCheckCertLeafMarkerOidWithoutValueCheck +_SecPolicyCheckCertKeyUsage +_SecPolicyCheckCertNotValidBefore +_SecPolicyCheckCertSignatureHashAlgorithms +_SecPolicyCheckCertSSLHostname +_SecPolicyCheckCertSubjectCommonName +_SecPolicyCheckCertSubjectCommonNamePrefix +_SecPolicyCheckCertSubjectCommonNameTEST +_SecPolicyCheckCertSubjectOrganization +_SecPolicyCheckCertSubjectOrganizationalUnit _SecPolicyCopyProperties _SecPolicyCreate +_SecPolicyCreateAppleAST2Service +_SecPolicyCreateAppleATVVPNProfileSigning +_SecPolicyCreateAppleCompatibilityEscrowProxyService +_SecPolicyCreateAppleCompatibilityMMCSService +_SecPolicyCreateAppleEscrowProxyService +_SecPolicyCreateAppleExternalDeveloper +_SecPolicyCreateAppleFMiPService +_SecPolicyCreateAppleGSService +_SecPolicyCreateAppleHomeKitServerAuth _SecPolicyCreateAppleIDAuthorityPolicy -#if TARGET_OS_IPHONE +_SecPolicyCreateAppleIDSService +_SecPolicyCreateAppleIDSServiceContext _SecPolicyCreateAppleIDValidationRecordSigningPolicy -_SecPolicyCreateAppleSMPEncryption -_SecPolicyCreateTestAppleSMPEncryption -#endif -_SecPolicyCreateAppleATVAppSigning -_SecPolicyCreateTestAppleATVAppSigning +_SecPolicyCreateAppleMMCSService +_SecPolicyCreateApplePackageSigning _SecPolicyCreateApplePayIssuerEncryption +_SecPolicyCreateApplePinned +_SecPolicyCreateApplePPQService _SecPolicyCreateApplePPQSigning -_SecPolicyCreateTestApplePPQSigning -_SecPolicyCreateAppleGSService -_SecPolicyCreateAppleIDSService -_SecPolicyCreateAppleIDSServiceContext _SecPolicyCreateApplePushService _SecPolicyCreateApplePushServiceLegacy -_SecPolicyCreateAppleMMCSService -_SecPolicyCreateApplePPQService -_SecPolicyCreateAppleAST2Service +_SecPolicyCreateAppleSMPEncryption +_SecPolicyCreateAppleSoftwareSigning +_SecPolicyCreateAppleSSLPinned _SecPolicyCreateAppleSSLService -_SecPolicyCreateApplePackageSigning -_SecPolicyCreateAppleSWUpdateSigning -_SecPolicyCreateAppleHomeKitServerAuth +_SecPolicyCreateAppleTimeStamping 
+_SecPolicyCreateAppleTVOSApplicationSigning _SecPolicyCreateBasicX509 _SecPolicyCreateCodeSigning _SecPolicyCreateConfigurationProfileSigner -_SecPolicyCreateQAConfigurationProfileSigner -#if TARGET_OS_IPHONE -_SecPolicyCreateOTAPKISigner -_SecPolicyCreateTestOTAPKISigner -#endif _SecPolicyCreateEAP _SecPolicyCreateEscrowServiceSigner -_SecPolicyCreatePCSEscrowServiceSigner _SecPolicyCreateFactoryDeviceCertificate -_SecPolicyCreateIPSec -_SecPolicyCreateMacAppStoreReceipt -_SecPolicyCreateMobileStoreSigner -_SecPolicyCreateTestMobileStoreSigner -_SecPolicyCreateOCSPSigner -_SecPolicyCreateOSXProvisioningProfileSigning -_SecPolicyCreateRevocation -_SecPolicyCreatePassbookCardSigner -_SecPolicyCreateSMIME -_SecPolicyCreateSSL _SecPolicyCreateiAP _SecPolicyCreateiPhoneActivation _SecPolicyCreateiPhoneApplicationSigning _SecPolicyCreateiPhoneDeviceCertificate _SecPolicyCreateiPhoneProfileApplicationSigning _SecPolicyCreateiPhoneProvisioningProfileSigning -_SecPolicyCreateAppleTVOSApplicationSigning -_SecPolicyCreateAppleATVVPNProfileSigning +_SecPolicyCreateIPSec _SecPolicyCreateiTunesStoreURLBag _SecPolicyCreateLockdownPairing +_SecPolicyCreateMacAppStoreReceipt _SecPolicyCreateMobileAsset +_SecPolicyCreateMobileStoreSigner +_SecPolicyCreateOCSPSigner +_SecPolicyCreateOSXProvisioningProfileSigning +_SecPolicyCreateOTAPKISigner _SecPolicyCreateOTATasking +_SecPolicyCreatePassbookCardSigner +_SecPolicyCreatePCSEscrowServiceSigner +_SecPolicyCreateQAConfigurationProfileSigner +_SecPolicyCreateRevocation +_SecPolicyCreateSSL +_SecPolicyCreateSMIME +_SecPolicyCreateTestApplePPQSigning +_SecPolicyCreateTestAppleSMPEncryption +_SecPolicyCreateTestMobileStoreSigner +_SecPolicyCreateTestOTAPKISigner +_SecPolicyCreateAppleUniqueDeviceCertificate _SecPolicyCreateURLBag _SecPolicyCreateWithProperties +_SecPolicyGetName +_SecPolicyGetOidString _SecPolicyGetTypeID +#if TARGET_OS_MAC && !TARGET_OS_IPHONE +_SecPolicyCopy +_SecPolicyCopyAll 
+_SecPolicyCreateAppleTimeStampingAndRevocationPolicies +_SecPolicyCreateItemImplInstance +_SecPolicyCreateWithOID +_SecPolicyGetOID +_SecPolicyGetStringForOID +_SecPolicyGetTPHandle +_SecPolicyGetValue +_SecPolicySearchCopyNext +_SecPolicySearchCreate +_SecPolicySearchGetTypeID +_SecPolicySetProperties +_SecPolicySetValue +#endif _kSecPropertyKeyLabel @@ -206,7 +302,18 @@ _kSecPropertyTypeTitle _kSecPropertyTypeURL _kSecPropertyTypeWarning +_kSecSignatureDigestAlgorithmUnknown +_kSecSignatureDigestAlgorithmMD2 +_kSecSignatureDigestAlgorithmMD4 +_kSecSignatureDigestAlgorithmMD5 +_kSecSignatureDigestAlgorithmSHA1 +_kSecSignatureDigestAlgorithmSHA224 +_kSecSignatureDigestAlgorithmSHA256 +_kSecSignatureDigestAlgorithmSHA384 +_kSecSignatureDigestAlgorithmSHA512 + _kSecTrustCertificateTransparency +_kSecTrustCertificateTransparencyWhiteList _kSecTrustEvaluationDate _kSecTrustExtendedValidation _kSecTrustOrganizationName @@ -216,6 +323,7 @@ _kSecTrustRevocationChecked _kSecTrustRevocationReason _kSecTrustRevocationValidUntilDate _kSecTrustInfoCertificateTransparencyKey +_kSecTrustInfoCertificateTransparencyWhiteListKey _kSecTrustInfoCompanyNameKey _kSecTrustInfoExtendedValidationKey _kSecTrustInfoRevocationKey 
@@ -232,31 +340,57 @@ _SecTrustCopyPublicKey _SecTrustCopyResult _SecTrustCopySummaryPropertiesAtIndex _SecTrustCreateWithCertificates +_SecTrustDeserialize _SecTrustEvaluate _SecTrustEvaluateAsync +_SecTrustEvaluateLeafOnly _SecTrustGetCertificateAtIndex _SecTrustGetCertificateCount _SecTrustGetDetails +_SecTrustGetKeychainsAllowed _SecTrustGetNetworkFetchAllowed _SecTrustGetOTAPKIAssetVersionNumber -_SecTrustOTAPKIGetUpdatedAsset _SecTrustGetTrustResult _SecTrustGetTypeID _SecTrustGetVerifyTime +_SecTrustOTAPKIGetUpdatedAsset +_SecTrustSerialize _SecTrustSetAnchorCertificates _SecTrustSetAnchorCertificatesOnly _SecTrustSetExceptions +_SecTrustSetKeychainsAllowed _SecTrustSetNetworkFetchAllowed _SecTrustSetOCSPResponse _SecTrustSetPolicies _SecTrustSetSignedCertificateTimestamps _SecTrustSetTrustedLogs _SecTrustSetVerifyDate +#if TARGET_OS_MAC && !TARGET_OS_IPHONE +_SecTrustCopyAnchorCertificates +_SecTrustCopyExtendedResult +_SecTrustCopyProperties_ios +_SecTrustGetCSSMAnchorCertificates +_SecTrustGetCssmResult +_SecTrustGetCssmResultCode +_SecTrustGetResult +_SecTrustGetTPHandle +_SecTrustGetUserTrust +_SecTrustLegacySourcesEventRunloopCreate +_SecTrustLegacyCRLFetch +_SecTrustLegacyCRLStatus +_SecTrustSetKeychains +_SecTrustSetOptions +_SecTrustSetParameters +_SecTrustSetUserTrust +_SecTrustSetUserTrustLegacy +#endif _SecTrustStoreContains _SecTrustStoreForDomain _SecTrustStoreGetSettingsVersionNumber _SecTrustStoreRemoveCertificate _SecTrustStoreSetTrustSettings +_SecTrustStoreCopyAll +_SecTrustStoreCopyUsageConstraints // // Identity 
@@ -273,14 +407,19 @@ _SecIdentitySignCertificate // _kSecCertificateKeyUsage +_kSecCertificateEscrowFileName _kSecCertificateExtensions _kSecCertificateExtensionsEncoded +_kSecCertificateProductionEscrowKey +_kSecCertificateProductionPCSEscrowKey +_SecCertificateCopyAttributeDictionary _SecCertificateCopyCommonNames _SecCertificateCopyCompanyName _SecCertificateCopyEscrowRoots _SecCertificateCopyDNSNames _SecCertificateCopyData _SecCertificateCopyExtendedKeyUsage +_SecCertificateCopyiAPAuthCapabilities _SecCertificateCopyIPAddresses _SecCertificateCopyIssuerSHA1Digest _SecCertificateCopyIssuerSequence @@ -297,12 +436,14 @@ _SecCertificateCopyRFC822Names _SecCertificateCopySerialNumber _SecCertificateCopySHA256Digest _SecCertificateCopySignedCertificateTimestamps +_SecCertificateCopySubjectPublicKeyInfoSHA1Digest _SecCertificateCopySubjectPublicKeyInfoSHA256Digest _SecCertificateCopySubjectSequence _SecCertificateCopySubjectString _SecCertificateCopySubjectSummary _SecCertificateCopySummaryProperties _SecCertificateCreate +_SecCertificateCreateOidDataFromString _SecCertificateCreateWithBytes _SecCertificateCreateWithData _SecCertificateCreateWithKeychainItem @@ -312,7 +453,10 @@ _SecCertificateGetBasicConstraints _SecCertificateGetBytePtr _SecCertificateGetCAIssuers _SecCertificateGetCertificatePolicies +_SecCertificateGetCRLDistributionPoints _SecCertificateGetExcludedSubtrees +_SecCertificateGetExtensionValue +_SecCertificateGetiAuthVersion _SecCertificateGetInhibitAnyPolicySkipCerts _SecCertificateGetKeyUsage _SecCertificateGetLength @@ -333,8 +477,12 @@ _SecCertificateHasCriticalSubjectAltName _SecCertificateHasMarkerExtension _SecCertificateHasSubject _SecCertificateHasUnknownCriticalExtension +_SecCertificateIsAtLeastMinKeySize +_SecCertificateIsCA +_SecCertificateIsOidString _SecCertificateIsSelfSigned _SecCertificateIsSelfSignedCA +_SecCertificateIsSignedBy _SecCertificateIsValid _SecCertificateIsWeak _SecCertificateNotValidAfter 
@@ -342,14 +490,18 @@ _SecCertificateNotValidBefore _SecCertificateParseGeneralNameContentProperty _SecCertificateParseGeneralNames _SecCertificatePathCopyAddingLeaf +_SecCertificatePathCopyCertificates _SecCertificatePathCopyFromParent _SecCertificatePathCopyPublicKeyAtIndex _SecCertificatePathCreate +_SecCertificatePathCreateSerialized _SecCertificatePathGetCertificateAtIndex _SecCertificatePathGetCount _SecCertificatePathGetIndexOfCertificate _SecCertificatePathGetNextSourceIndex _SecCertificatePathGetRoot +_SecCertificatePathGetUsageConstraintsAtIndex +_SecCertificatePathHasWeakHash _SecCertificatePathIsAnchored _SecCertificatePathScore _SecCertificatePathSelfSignedIndex @@ -357,10 +509,8 @@ _SecCertificatePathSetIsAnchored _SecCertificatePathSetNextSourceIndex _SecCertificatePathSetSelfIssued _SecCertificatePathVerify +_SecCertificateSetKeychainItem _SecCertificateVersion -_kSecCertificateProductionEscrowKey -_kSecCertificateProductionPCSEscrowKey -_kSecCertificateEscrowFileName // // SCEP @@ -408,6 +558,7 @@ _SecOTRSEndSession _SecOTRSGetIsReadyForMessages _SecOTRSGetIsIdle _SecOTRSGetMessageKind +_SecOTRSIsForKeys _SecOTRSSignAndProtectMessage _SecOTRSVerifyAndExposeMessage _SecOTRSPrecalculateKeys @@ -461,7 +612,7 @@ _sSecXPCErrorDomain _kSecXPCKeyOTAFileDirectory _kSecXPCKeyEscrowLabel _kSecXPCKeyTriesLabel -_kSecXPCKeyAvailability + // // Logging @@ -482,6 +633,10 @@ _kSecCMSSignHashAlgorithm _kSecCMSEncryptionAlgorithmDESCBC _kSecCMSEncryptionAlgorithmAESCBC _kSecCMSHashingAlgorithmMD5 +_kSecCMSHashingAlgorithmSHA1 +_kSecCMSHashingAlgorithmSHA256 +_kSecCMSHashingAlgorithmSHA384 +_kSecCMSHashingAlgorithmSHA512 _kSecCMSCertChainMode _kSecCMSAdditionalCerts _kSecCMSSignedAttributes 
@@ -609,14 +764,23 @@ _SecECDoWithFullKey _SecECDoWithPubKey _SecECKeyCopyPublicBits _SecECKeyGetNamedCurve +_SecKeyCopyAttestationKey _SecKeyCopyAttributeDictionary +_SecKeyCopyAttributes _SecKeyCopyExponent +_SecKeyCopyExternalRepresentation _SecKeyCopyMatchingPrivateKey _SecKeyCopyModulus _SecKeyCopyPersistentRef _SecKeyCopyPublicBytes +_SecKeyCopyPublicKey +_SecKeyCopyKeyExchangeResult _SecKeyCreate +_SecKeyCreateAttestation +_SecKeyCreateEncryptedData +_SecKeyCreateDecryptedData _SecKeyCreatePublicFromPrivate +_SecKeyCreateSignature _SecKeyCreateFromAttributeDictionary _SecKeyCreateECPrivateKey _SecKeyCreateECPublicKey @@ -624,8 +788,11 @@ _SecKeyCreateFromPublicBytes _SecKeyCreateFromPublicData _SecKeyCreateFromSubjectPublicKeyInfoData _SecKeyCreatePersistentRefToMatchingPrivateKey +_SecKeyCreateRandomKey _SecKeyCreateRSAPrivateKey _SecKeyCreateRSAPublicKey +_SecKeyCreateRSAPublicKey_ios +_SecKeyCreateWithData _SecKeyDecrypt _SecKeyFindWithPersistentRef _SecKeyDigestAndSign 
@@ -639,10 +806,80 @@ _SecKeyGetBlockSize _SecKeyGetMatchingPrivateKeyStatus _SecKeyGetSize _SecKeyGetTypeID +_SecKeyIsAlgorithmSupported _SecKeyRawSign _SecKeyRawVerify +_SecKeySetParameter _SecKeySignDigest _SecKeyVerifyDigest +_SecKeyVerifySignature +_kSecKeyAlgorithmRSASignatureRaw +_kSecKeyAlgorithmRSASignatureRawCCUnit +_kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw +_kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5 +_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 +_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224 +_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 +_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 +_kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 +_kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5 +_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1 +_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224 +_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256 +_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384 +_kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512 +_kSecKeyAlgorithmECDSASignatureRFC4754 +_kSecKeyAlgorithmECDSASignatureDigestX962 +_kSecKeyAlgorithmECDSASignatureDigestX962SHA1 +_kSecKeyAlgorithmECDSASignatureDigestX962SHA224 +_kSecKeyAlgorithmECDSASignatureDigestX962SHA256 +_kSecKeyAlgorithmECDSASignatureDigestX962SHA384 +_kSecKeyAlgorithmECDSASignatureDigestX962SHA512 +_kSecKeyAlgorithmECDSASignatureMessageX962SHA1 +_kSecKeyAlgorithmECDSASignatureMessageX962SHA224 +_kSecKeyAlgorithmECDSASignatureMessageX962SHA256 +_kSecKeyAlgorithmECDSASignatureMessageX962SHA384 +_kSecKeyAlgorithmECDSASignatureMessageX962SHA512 +_kSecKeyAlgorithmRSAEncryptionRaw +_kSecKeyAlgorithmRSAEncryptionRawCCUnit +_kSecKeyAlgorithmRSAEncryptionPKCS1 +_kSecKeyAlgorithmRSAEncryptionOAEPSHA1 +_kSecKeyAlgorithmRSAEncryptionOAEPSHA224 +_kSecKeyAlgorithmRSAEncryptionOAEPSHA256 +_kSecKeyAlgorithmRSAEncryptionOAEPSHA384 +_kSecKeyAlgorithmRSAEncryptionOAEPSHA512 +_kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM +_kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM 
+_kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM +_kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM +_kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM +_kSecKeyAlgorithmECDHKeyExchangeStandard +_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1 +_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224 +_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256 +_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384 +_kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512 +_kSecKeyAlgorithmECDHKeyExchangeCofactor +_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1 +_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224 +_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256 +_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384 +_kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512 +_kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM +_kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM +_kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM +_kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM +_kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM +_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM +_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM +_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM +_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM +_kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM +_kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw +_kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5 +_kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5 +_kSecKeyKeyExchangeParameterRequestedSize +_kSecKeyKeyExchangeParameterSharedInfo _kSecPrivateKeyAttrs _kSecPublicKeyAttrs __SecKeyCopyWrapKey 
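Review bot: `_kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw`, `_kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5` and `_kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5` appear twice in this hunk: once in the first run of RSA signature algorithms and again at the end, just before `_kSecKeyKeyExchangeParameterRequestedSize`. Duplicate entries in an exported-symbols list are presumably tolerated by the linker, but they make the export surface harder to audit and look like a merge leftover; drop the second copy of those three lines. Since raw and MD5 PKCS#1 v1.5 variants are being added to the public export surface, a short `// legacy: raw/MD5 PKCS1v15 exported for interop only, not for new callers` comment above that group would make the intent explicit for the next reviewer.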
@@ -660,12 +897,15 @@ __kSecKeyWrapRFC6637Flags _kSecAttrAFPServerSignature _kSecAttrAccessGroup +_kSecAttrAccessGroupToken _kSecAttrAccessible _kSecAttrAccessibleAfterFirstUnlock _kSecAttrAccessibleAlways +_kSecAttrAccessibleAlwaysPrivate _kSecAttrAccessibleWhenUnlocked _kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly _kSecAttrAccessibleAlwaysThisDeviceOnly +_kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate _kSecAttrAccessibleWhenUnlockedThisDeviceOnly _kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly _kSecAttrAccount @@ -719,6 +959,7 @@ _kSecAttrKeyCreator _kSecAttrKeySizeInBits _kSecAttrKeyType _kSecAttrKeyTypeEC +_kSecAttrKeyTypeECSECPrimeRandom _kSecAttrKeyTypeRSA _kSecAttrLabel _kSecAttrModificationDate @@ -772,20 +1013,9 @@ _kSecAttrSynchronizableAny _kSecAttrSyncViewHint _kSecAttrTokenID _kSecAttrTokenIDSecureEnclave +_kSecAttrTokenOID _kSecAttrTombstone -_kSecAttrViewHintPCSMasterKey -_kSecAttrViewHintPCSiCloudDrive -_kSecAttrViewHintPCSPhotos -_kSecAttrViewHintPCSCloudKit -_kSecAttrViewHintPCSEscrow -_kSecAttrViewHintPCSFDE -_kSecAttrViewHintPCSMailDrop -_kSecAttrViewHintPCSiCloudBackup -_kSecAttrViewHintPCSNotes -_kSecAttrViewHintPCSiMessage -_kSecAttrViewHintAppleTV -_kSecAttrViewHintHomeKit -_kSecAttrViewHintThumper +#include "Security/SecureObjectSync/SOSViews.exp-in" _kSecAttrType _kSecAttrVolume _kSecAttrWasAlwaysSensitive @@ -841,6 +1071,7 @@ __SecKeychainBackupSyncable __SecKeychainRestoreSyncable __SecKeychainRestoreBackupFromFileDescriptor __SecKeychainWriteBackupToFileDescriptor +__SecKeychainCopyKeybagUUIDFromFileDescriptor _SecItemBackupWithRegisteredBackups _SecItemBackupSetConfirmedManifest _SecItemBackupRestore @@ -855,6 +1086,9 @@ __SecSecuritydCopyWhoAmI __SecSyncBubbleTransfer __SecSystemKeychainTransfer __SecSyncDeleteUserViews +_SecItemUpdateTokenItems +_SecItemDeleteAllWithAccessGroups +__SecTokenItemCopyValueData _kSecXPCKeyAttributesToUpdate _kSecXPCKeyBackup 
@@ -907,3 +1141,8 @@ _DERDecodeItem _SecEMCSCreateDerivedEMCSKey _SecEMCSCreateNewiDMSKey + +// +// Custom CFAllocators +// +_SecCFAllocatorZeroize diff --git a/OSX/sec/Security/SecFramework.c b/OSX/sec/Security/SecFramework.c index 009b4c06..a9ebe114 100644 --- a/OSX/sec/Security/SecFramework.c +++ b/OSX/sec/Security/SecFramework.c @@ -36,17 +36,13 @@ #include <CoreFoundation/CFBundle.h> #include <CoreFoundation/CFURLAccess.h> #include <Security/SecRandom.h> -#include <CommonCrypto/CommonDigest.h> -#include <CommonCrypto/CommonDigestSPI.h> -#include <Security/SecAsn1Coder.h> -#include <Security/oidsalg.h> +#include <CommonCrypto/CommonRandomSPI.h> #include <fcntl.h> #include <sys/types.h> #include <unistd.h> #include <utilities/debugging.h> #include <utilities/SecCFWrappers.h> #include <Security/SecBase.h> -#include <errno.h> #include <inttypes.h> #if !(TARGET_IPHONE_SIMULATOR && defined(IPHONE_SIMULATOR_HOST_MIN_VERSION_REQUIRED) && IPHONE_SIMULATOR_HOST_MIN_VERSION_REQUIRED < 1090) 
@@ -106,67 +102,8 @@ CFDataRef SecFrameworkCopyResourceContents(CFStringRef resourceName, return data; } -/* Return the SHA1 digest of a chunk of data as newly allocated CFDataRef. */ -CFDataRef SecSHA1DigestCreate(CFAllocatorRef allocator, - const UInt8 *data, CFIndex length) { - CFMutableDataRef digest = CFDataCreateMutable(allocator, - CC_SHA1_DIGEST_LENGTH); - CFDataSetLength(digest, CC_SHA1_DIGEST_LENGTH); - CCDigest(kCCDigestSHA1, data, length, CFDataGetMutableBytePtr(digest)); - return digest; -} -CFDataRef SecSHA256DigestCreate(CFAllocatorRef allocator, - const UInt8 *data, CFIndex length) { - CFMutableDataRef digest = CFDataCreateMutable(allocator, - CC_SHA256_DIGEST_LENGTH); - CFDataSetLength(digest, CC_SHA256_DIGEST_LENGTH); - CCDigest(kCCDigestSHA256, data, length, CFDataGetMutableBytePtr(digest)); - return digest; -} - -CFDataRef SecSHA256DigestCreateFromData(CFAllocatorRef allocator, CFDataRef data) { - CFMutableDataRef digest = CFDataCreateMutable(allocator, - CC_SHA256_DIGEST_LENGTH); - CFDataSetLength(digest, CC_SHA256_DIGEST_LENGTH); - CCDigest(kCCDigestSHA256, CFDataGetBytePtr(data), CFDataGetLength(data), CFDataGetMutableBytePtr(digest)); - return digest; -} - -CFDataRef SecDigestCreate(CFAllocatorRef allocator, - const SecAsn1Oid *algorithm, const SecAsn1Item *params, - const UInt8 *data, CFIndex length) { - unsigned char *(*digestFcn)(const void *data, CC_LONG len, unsigned char *md); - CFIndex digestLen; - - if (SecAsn1OidCompare(algorithm, &CSSMOID_SHA1)) { - digestFcn = CC_SHA1; - digestLen = CC_SHA1_DIGEST_LENGTH; - } else if (SecAsn1OidCompare(algorithm, &CSSMOID_SHA224)) { - digestFcn = CC_SHA224; - digestLen = CC_SHA224_DIGEST_LENGTH; - } else if (SecAsn1OidCompare(algorithm, &CSSMOID_SHA256)) { - digestFcn = CC_SHA256; - digestLen = CC_SHA256_DIGEST_LENGTH; - } else if (SecAsn1OidCompare(algorithm, &CSSMOID_SHA384)) { - digestFcn = CC_SHA384; - digestLen = CC_SHA384_DIGEST_LENGTH; - } else if (SecAsn1OidCompare(algorithm, 
&CSSMOID_SHA512)) { - digestFcn = CC_SHA512; - digestLen = CC_SHA512_DIGEST_LENGTH; - } else { - return NULL; - } - - CFMutableDataRef digest = CFDataCreateMutable(allocator, digestLen); - CFDataSetLength(digest, digestLen); - //FIXME: Cast from CFIndex to CC_LONG - digestFcn(data, (CC_LONG)length, CFDataGetMutableBytePtr(digest)); - return digest; -} - -#include <CommonCrypto/CommonRandomSPI.h> const SecRandomRef kSecRandomDefault = NULL; int SecRandomCopyBytes(SecRandomRef rnd, size_t count, uint8_t *bytes) { 
@@ -174,74 +111,3 @@ int SecRandomCopyBytes(SecRandomRef rnd, size_t count, uint8_t *bytes) { return errSecParam; return CCRandomCopyBytes(kCCRandomDefault, bytes, count); } - -#if 0 -#include <CommonCrypto/CommonDigest.h> -#include <stdlib.h> - -/* FIPS rng declarations. */ -typedef struct __SecRandom *SecRandomRef; -SecRandomRef SecRandomCreate(CFIndex randomAlg, CFIndex seedLength, - const UInt8 *seed); -void SecRandomCopyBytes(SecRandomRef randomref, CFIndex numBytes, UInt8 *outBytes); - -/* FIPS Rng implementation. */ -struct __SecRandom { - CC_SHA1_CTX sha1; - CFIndex bytesLeft; - UInt8 block[64]; -}; - -SecRandomRef SecRandomCreate(CFIndex randomAlg, CFIndex seedLength, - const UInt8 *seed) { - SecRandomRef result = (SecRandomRef)malloc(sizeof(struct __SecRandom)); - CC_SHA1_Init(&result->sha1); - memset(result->block + 20, 0, 44); - result->bytesLeft = 0; - - if (seedLength) { - /* Digest the seed and put it into output. */ - CCDigest(kCCDigestSHA1, seed, seedLength, result->block); - } else { - /* Seed 20 bytes from "/dev/srandom". */ - int fd = open("/dev/srandom", O_RDONLY); - if (fd < 0) - goto errOut; - - if (read(fd, result->block, 20) != 20) - goto errOut; - - close(fd); - } - - CC_SHA1_Update(&result->sha1, result->block, 64); - - return result; - -errOut: - free(result); - return NULL; -} - -void SecRandomCopyBytes(SecRandomRef randomref, CFIndex numBytes, - UInt8 *outBytes) { - while (numBytes > 0) { - if (!randomref->bytesLeft) { - CC_SHA1_Update(&randomref->sha1, randomref->block, 64); - OSWriteBigInt32(randomref->block, 0, randomref->sha1.h0); - OSWriteBigInt32(randomref->block, 4, randomref->sha1.h1); - OSWriteBigInt32(randomref->block, 8, randomref->sha1.h2); - OSWriteBigInt32(randomref->block, 12, randomref->sha1.h3); - OSWriteBigInt32(randomref->block, 16, randomref->sha1.h4); - randomref->bytesLeft = 20; - } - CFIndex outLength = (numBytes > randomref->bytesLeft ? 
- randomref->bytesLeft : numBytes); - memcpy(outBytes, randomref->block + 20 - randomref->bytesLeft, - outLength); - randomref->bytesLeft -= outLength; - outBytes += outLength; - numBytes -= outLength; - } -} -#endif diff --git a/OSX/sec/Security/SecFrameworkStrings.h b/OSX/sec/Security/SecFrameworkStrings.h index 6635514a..f628db3f 100644 --- a/OSX/sec/Security/SecFrameworkStrings.h +++ b/OSX/sec/Security/SecFrameworkStrings.h @@ -170,8 +170,6 @@ __BEGIN_DECLS #define SEC_SUBJECT_NAME_KEY SecStringWithDefaultValue("Subject Name", "Certificate", 0, "Subject Name", "") #define SEC_ISSUER_NAME_KEY SecStringWithDefaultValue("Issuer Name", "Certificate", 0, "Issuer Name", "") -//#define SEC_X509_VERSION_KEY SecStringWithDefaultValue("X.509 version %d %scertificate", "Certificate", 0, "X.509 version %d %scertificate", "") -//#define SEC_CERTIFICATE_TYPE_KEY SecStringWithDefaultValue("Certificate Type", "Certificate", 0, "Certificate Type", "") #define SEC_CERT_VERSION_VALUE_KEY SecStringWithDefaultValue("%d", "Certificate", 0, "%d", "format string to turn version number into a string") #define SEC_VERSION_KEY SecStringWithDefaultValue("Version", "Certificate", 0, "Version", "") #define SEC_SERIAL_NUMBER_KEY SecStringWithDefaultValue("Serial Number", "Certificate", 0, "Serial Number", "") 
@@ -194,7 +192,7 @@ __BEGIN_DECLS #define SEC_CK_PASSWORD_INCORRECT SecStringWithDefaultValue("Incorrect Password For â%@â", "CloudKeychain", 0, "Incorrect Password For â%@â", "Title for alert when password has been entered incorrectly") #define SEC_CK_TRY_AGAIN SecStringWithDefaultValue("Try Again", "CloudKeychain", 0, "Try Again", "Button for try again after incorrect password") #define SEC_CK_ALLOW SecStringWithDefaultValue("Allow", "CloudKeychain", 0, "Allow", "Allow button") -#define SEC_CK_DONT_ALLOW SecStringWithDefaultValue("Don't Allow", "CloudKeychain", 0, "Don't Allow", "Don't Allow button") +#define SEC_CK_DONT_ALLOW SecStringWithDefaultValue("Donât Allow", "CloudKeychain", 0, "Donât Allow", "Donât Allow button") #define SEC_CK_ICLOUD_PASSWORD SecStringWithDefaultValue("Password", "CloudKeychain", 0, "password", "Password prompt text") #define SEC_CK_TID_FUTURE SecStringWithDefaultValue("the future", "CloudKeychain", 0, "the future", "the future") 
@@ -211,7 +209,7 @@ __BEGIN_DECLS #define SEC_CK_PWD_REQUIRED_BODY_IOS SecStringWithDefaultValue("Enter your password in iCloud Settings.", "CloudKeychain", 0, "Enter your password in iCloud Settings.", "iOS alert text when iCloud keychain was disabled or reset") #define SEC_CK_CR_REASON_INTERNAL SecStringWithDefaultValue(" (AppleInternal: departure reason %s)", "CloudKeychain", 0, " (AppleInternal: departure reason %s)", "Display departure reason code on internal devices") #define SEC_CK_CONTINUE SecStringWithDefaultValue("Continue", "CloudKeychain", 0, "Continue", "Button text to continue to iCloud settings (iOS)") -#define SEC_CK_NOT_NOW SecStringWithDefaultValue("Not now", "CloudKeychain", 0, "Not now", "Button text to dismiss alert") +#define SEC_CK_NOT_NOW SecStringWithDefaultValue("Not Now", "CloudKeychain", 0, "Not Now", "Button text to dismiss alert") #define SEC_CK_APPROVAL_TITLE_OSX SecStringWithDefaultValue("Apple ID Sign In Alert", "CloudKeychain", 0, "Apple ID Sign In Alert", "Title for alert when approving another device") #define SEC_CK_APPROVAL_BODY_OSX SecStringWithDefaultValue("â%@â wants to use your iCloud account.", "CloudKeychain", 0, "â%@â wants to use your iCloud account.", "Body text when approving another device") diff --git a/OSX/sec/Security/SecItem.c b/OSX/sec/Security/SecItem.c index 68b60013..161f56ce 100644 --- a/OSX/sec/Security/SecItem.c +++ b/OSX/sec/Security/SecItem.c @@ -31,9 +31,9 @@ #include <Security/SecItem.h> #include <Security/SecItemPriv.h> #include <Security/SecItemInternal.h> +#include <Security/SecItemShim.h> #include <Security/SecAccessControl.h> #include <Security/SecAccessControlPriv.h> -#ifndef SECITEM_SHIM_OSX #include <Security/SecKey.h> #include <Security/SecKeyPriv.h> #include <Security/SecCertificateInternal.h> 
@@ -41,9 +41,9 @@ #include <Security/SecIdentityPriv.h> #include <Security/SecRandom.h> #include <Security/SecBasePriv.h> -#endif // *** END SECITEM_SHIM_OSX *** #include <Security/SecCTKKeyPriv.h> #include <Security/SecTask.h> +#include <Security/SecPolicyInternal.h> #include <errno.h> #include <limits.h> #include <sqlite3.h> @@ -75,8 +75,10 @@ #include <libaks_acl_cf_keys.h> #include <os/activity.h> #include <Security/SecureObjectSync/SOSTransportMessageIDS.h> +#include <pthread.h> #include <Security/SecInternal.h> +#include "SOSInternal.h" #include <TargetConditionals.h> #include <ipc/securityd_client.h> #include <Security/SecuritydXPC.h> @@ -90,9 +92,6 @@ #include <libDER/asn1Types.h> #endif // *** END SECITEM_SHIM_OSX *** -/* label when certificate data is joined with key data */ -#define CERTIFICATE_DATA_COLUMN_LABEL "certdata" - #include <utilities/SecDb.h> #include <IOKit/IOReturn.h> @@ -225,14 +224,6 @@ static OSStatus osstatus_for_localauthentication_error(CFIndex laError) { } static OSStatus osstatus_for_ctk_error(CFIndex ctkError) { - // Hack, get rid of it once dep lands: <rdar://problem/21181736> Export error code constants from ctkclient.h header -#ifndef kTKErrorCodeNotImplemented -#define kTKErrorCodeNotImplemented -1 -#endif -#ifndef kTKErrorCodeCanceledByUser -#define kTKErrorCodeCanceledByUser -4 -#endif - switch (ctkError) { case kTKErrorCodeBadParameter: return errSecParam; @@ -245,6 +236,7 @@ static OSStatus osstatus_for_ctk_error(CFIndex ctkError) { } } + // Convert from securityd error codes to OSStatus for legacy API. OSStatus SecErrorGetOSStatus(CFErrorRef error) { OSStatus status; 
@@ -273,6 +265,8 @@ OSStatus SecErrorGetOSStatus(CFErrorRef error) { status = osstatus_for_localauthentication_error(CFErrorGetCode(error)); } else if (CFEqual(CFSTR(kTKErrorDomain), domain)) { status = osstatus_for_ctk_error(CFErrorGetCode(error)); + } else if (CFEqual(kSOSErrorDomain, domain)) { + status = errSecInternal; } else { secnotice("securityd", "unknown error domain: %@ for error: %@", domain, error); status = errSecInternal; 
@@ -281,44 +275,126 @@ OSStatus SecErrorGetOSStatus(CFErrorRef error) { return status; } +static void +lastErrorReleaseError(void *value) +{ + if (value) + CFRelease(value); +} + +static bool +getLastErrorKey(pthread_key_t *kv) +{ + static pthread_key_t key; + static bool haveKey = false; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + if (pthread_key_create(&key, lastErrorReleaseError) == 0) + haveKey = true; + }); + *kv = key; + return haveKey; +} + +static void +SetLastError(CFErrorRef newError) +{ + pthread_key_t key; + if (!getLastErrorKey(&key)) + return; + CFErrorRef oldError = pthread_getspecific(key); + if (oldError) + CFRelease(oldError); + if (newError) + CFRetain(newError); + pthread_setspecific(key, newError); +} + +CFErrorRef +SecCopyLastError(OSStatus status) +{ + pthread_key_t key; + CFErrorRef error; + + if (!getLastErrorKey(&key)) + return NULL; + + error = pthread_getspecific(key); + if (error) { + if (status && status != SecErrorGetOSStatus(error)) { + error = NULL; + } else { + CFRetain(error); + } + } + return error; +} + // Wrapper to provide a CFErrorRef for legacy API. OSStatus SecOSStatusWith(bool (^perform)(CFErrorRef *error)) { CFErrorRef error = NULL; OSStatus status; if (perform(&error)) { assert(error == NULL); + SetLastError(NULL); status = errSecSuccess; } else { assert(error); + SetLastError(error); status = SecErrorGetOSStatus(error); if (status != errSecItemNotFound) // Occurs in normal operation, so exclude - secerror("error:[%" PRIdOSStatus "] %@", status, error); + secinfo("OSStatus", "error:[%" PRIdOSStatus "] %@", status, error); CFReleaseNull(error); } return status; } +/* Drop assorted kSecAttrCanXxxx attributes from the query, because these attributes are generated + by SecKey implementation and may differ between OS versions, see <rdar://problem/27095761>. 
+ */ + +static CFDictionaryRef +AttributeCreateFilteredOutSecAttrs(CFDictionaryRef attributes) +{ + CFMutableDictionaryRef filtered = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, attributes); + if (filtered == NULL) + return NULL; + CFDictionaryRemoveValue(filtered, kSecAttrCanSign); + CFDictionaryRemoveValue(filtered, kSecAttrCanVerify); + CFDictionaryRemoveValue(filtered, kSecAttrCanEncrypt); + CFDictionaryRemoveValue(filtered, kSecAttrCanDecrypt); + CFDictionaryRemoveValue(filtered, kSecAttrCanDerive); + CFDictionaryRemoveValue(filtered, kSecAttrCanWrap); + CFDictionaryRemoveValue(filtered, kSecAttrCanUnwrap); + CFDictionaryRemoveValue(filtered, kSecAttrCanSignRecover); + CFDictionaryRemoveValue(filtered, kSecAttrCanVerifyRecover); + + return filtered; +} + + /* IPC uses CFPropertyList to un/marshall input/output data and can handle: CFData, CFString, CFArray, CFDictionary, CFDate, CFBoolean, and CFNumber Currently in need of conversion below: @@@ kSecValueRef allows SecKeychainItemRef and SecIdentityRef - @@@ kSecMatchPolicy allows a query with a SecPolicyRef @@@ kSecUseItemList allows a query against a list of itemrefs, this isn't currently implemented at all, but when it is needs to short circuit to local evaluation, different from the sql query abilities */ -#ifndef SECITEM_SHIM_OSX static CFDictionaryRef -SecItemCopyAttributeDictionary(CFTypeRef ref) { +SecItemCopyAttributeDictionary(CFTypeRef ref, bool forQuery) { CFDictionaryRef refDictionary = NULL; CFTypeID typeID = CFGetTypeID(ref); if (typeID == SecKeyGetTypeID()) { refDictionary = SecKeyCopyAttributeDictionary((SecKeyRef)ref); + if (refDictionary && forQuery) { + CFDictionaryRef filtered = AttributeCreateFilteredOutSecAttrs(refDictionary); + CFAssignRetained(refDictionary, filtered); + } } else if (typeID == SecCertificateGetTypeID()) { - refDictionary = - SecCertificateCopyAttributeDictionary((SecCertificateRef)ref); + refDictionary = 
SecCertificateCopyAttributeDictionary((SecCertificateRef)ref); } else if (typeID == SecIdentityGetTypeID()) { assert(false); SecIdentityRef identity = (SecIdentityRef)ref; 
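Review bot: `SecCopyLastError` returns whatever CFError the most recent `SecOSStatusWith` on this thread stored, matched only by OSStatus, so a legacy call that fails without going through `SecOSStatusWith`, or a later call failing with the same status for a different reason, can be handed a stale error from an unrelated earlier operation; the `status != SecErrorGetOSStatus(error)` check narrows but does not close that window. At minimum the contract should be documented on `SecCopyLastError`, e.g. `/* Only meaningful immediately after a SecOSStatusWith-wrapped failure on the calling thread; may return an error from an earlier call with the same OSStatus. */`, and callers that do not use the wrapper should clear the slot first. Note also that the retained error (which for errSecAuthNeeded carries the ACL pairs in its user info, per `SecItemCreatePairsFromError`) now lives for the thread's lifetime until the next wrapped call, and that the log line in `SecOSStatusWith` was demoted from `secerror` to `secinfo`, so failures other than item-not-found no longer surface at error level — if intentional, a one-line comment saying why would help operators who grep logs for them.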
@@ -332,53 +408,44 @@ SecItemCopyAttributeDictionary(CFTypeRef ref) { if (key_dict && data) { refDictionary = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, key_dict); - CFDictionarySetValue((CFMutableDictionaryRef)refDictionary, - CFSTR(CERTIFICATE_DATA_COLUMN_LABEL), data); + CFDictionarySetValue((CFMutableDictionaryRef)refDictionary, kSecAttrIdentityCertificateData, data); } CFReleaseNull(key_dict); CFReleaseNull(data); } CFReleaseNull(cert); CFReleaseNull(key); - } else { - refDictionary = NULL; } return refDictionary; } +#ifdef SECITEM_SHIM_OSX +extern CFTypeRef SecItemCreateFromAttributeDictionary_osx(CFDictionaryRef refAttributes); +#endif + static CFTypeRef SecItemCreateFromAttributeDictionary(CFDictionaryRef refAttributes) { CFTypeRef ref = NULL; CFStringRef class = CFDictionaryGetValue(refAttributes, kSecClass); - if (CFEqual(class, kSecClassCertificate)) { + if (CFEqual(class, kSecClassKey)) { + ref = SecKeyCreateFromAttributeDictionary(refAttributes); + } else if (CFEqual(class, kSecClassCertificate)) { ref = SecCertificateCreateFromAttributeDictionary(refAttributes); - } else if (CFEqual(class, kSecClassKey)) { - ref = SecKeyCreateFromAttributeDictionary(refAttributes); } else if (CFEqual(class, kSecClassIdentity)) { - CFAllocatorRef allocator = NULL; - CFDataRef data = CFDictionaryGetValue(refAttributes, CFSTR(CERTIFICATE_DATA_COLUMN_LABEL)); - SecCertificateRef cert = SecCertificateCreateWithData(allocator, data); + CFDataRef data = CFDictionaryGetValue(refAttributes, kSecAttrIdentityCertificateData); + SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, data); SecKeyRef key = SecKeyCreateFromAttributeDictionary(refAttributes); if (key && cert) - ref = SecIdentityCreate(allocator, cert, key); + ref = SecIdentityCreate(kCFAllocatorDefault, cert, key); CFReleaseSafe(cert); CFReleaseSafe(key); -#if 0 - /* We don't support SecKeychainItemRefs yet. 
*/ - } else if (CFEqual(class, kSecClassGenericPassword)) { - } else if (CFEqual(class, kSecClassInternetPassword)) { - } else if (CFEqual(class, kSecClassAppleSharePassword)) { -#endif +#ifdef SECITEM_SHIM_OSX } else { - ref = NULL; + ref = SecItemCreateFromAttributeDictionary_osx(refAttributes); +#endif } return ref; } -#else - -extern CFTypeRef SecItemCreateFromAttributeDictionary(CFDictionaryRef refAttributes); - -#endif OSStatus SecItemCopyDisplayNames(CFArrayRef items, CFArrayRef *displayNames) @@ -387,7 +454,6 @@ SecItemCopyDisplayNames(CFArrayRef items, CFArrayRef *displayNames) return -1 /* errSecUnimplemented */; } -#ifndef SECITEM_SHIM_OSX typedef OSStatus (*secitem_operation)(CFDictionaryRef attributes, CFTypeRef *result); static bool explode_identity(CFDictionaryRef attributes, secitem_operation operation, @@ -449,6 +515,7 @@ static bool explode_identity(CFDictionaryRef attributes, secitem_operation opera /* now perform the operation for the key */ CFDictionarySetValue(partial_query, kSecValueRef, key); CFDictionarySetValue(partial_query, kSecReturnPersistentRef, kCFBooleanFalse); + status = operation(partial_query, NULL); if ((operation == (secitem_operation)SecItemAdd) && (status == errSecDuplicateItem) && 
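Review bot: In the identity branch of `SecItemCreateFromAttributeDictionary` the `kSecAttrIdentityCertificateData` lookup is passed straight to `SecCertificateCreateWithData` without a NULL check, and the new token code in `SecItemResultCopyPrepared` deliberately removes that attribute from the output when the token cannot supply the certificate, so this path now depends on `SecCertificateCreateWithData` tolerating a NULL CFData (its implementation is not visible here). Guard it explicitly: `SecCertificateRef cert = data ? SecCertificateCreateWithData(kCFAllocatorDefault, data) : NULL;`. The `CFEqual(class, ...)` chain at the top also dereferences a NULL `class` when `kSecClass` is absent; that is pre-existing, but since this hunk reorders the comparisons it is a cheap place to add `if (class == NULL) return NULL;` before the first `CFEqual`.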
@@ -497,6 +564,83 @@ static bool explode_identity(CFDictionaryRef attributes, secitem_operation opera return handled; } +static bool +SecErrorPropagateLastError(OSStatus status, CFErrorRef *error) +{ + if (status) { + CFErrorRef lastError = SecCopyLastError(status); + if (lastError) + CFErrorPropagate(lastError, error); + else + SecError(status, error, CFSTR("SecError: error not captured, OSStatus was: %d"), (int)status); + return false; + } + return true; +} + +static bool +handleUpdateIdentity(CFDictionaryRef query, + CFDictionaryRef update, + bool *result, + CFErrorRef *error) +{ + CFMutableDictionaryRef updatedQuery = NULL; + SecCertificateRef cert = NULL; + SecKeyRef key = NULL; + bool handled = false; + + *result = false; + + CFTypeRef value = CFDictionaryGetValue(query, kSecValueRef); + if (value) { + CFTypeID typeID = CFGetTypeID(value); + if (typeID == SecIdentityGetTypeID()) { + SecIdentityRef identity = (SecIdentityRef)value; + OSStatus status; + + handled = true; + + status = SecIdentityCopyCertificate(identity, &cert); + require_noerr_action_quiet(status, errOut, SecErrorPropagateLastError(status, error)); + + status = SecIdentityCopyPrivateKey(identity, &key); + require_noerr_action_quiet(status, errOut, SecErrorPropagateLastError(status, error)); + + updatedQuery = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, query); + require_action_quiet(updatedQuery, errOut, *result = false); + + CFDictionarySetValue(updatedQuery, kSecValueRef, cert); + require_quiet(SecItemUpdateWithError(updatedQuery, update, error), errOut); + + CFDictionarySetValue(updatedQuery, kSecValueRef, key); + require_quiet(SecItemUpdateWithError(updatedQuery, update, error), errOut); + + } + } else { + value = CFDictionaryGetValue(query, kSecClass); + if (value && CFEqual(kSecClassIdentity, value)) { + handled = true; + + updatedQuery = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, query); + require_action_quiet(updatedQuery, errOut, *result = false); + + 
CFDictionarySetValue(updatedQuery, kSecClass, kSecClassCertificate); + require_quiet(SecItemUpdateWithError(updatedQuery, update, error), errOut); + + CFDictionarySetValue(updatedQuery, kSecClass, kSecClassKey); + require_quiet(SecItemUpdateWithError(updatedQuery, update, error), errOut); + + CFReleaseNull(updatedQuery); + } + } + *result = true; +errOut: + CFReleaseNull(updatedQuery); + CFReleaseNull(cert); + CFReleaseNull(key); + return handled; +} + static void infer_cert_label(SecCFDictionaryCOW *attributes) { if (!CFDictionaryContainsKey(attributes->dictionary, kSecAttrLabel)) { @@ -564,8 +708,6 @@ bool _SecItemParsePersistentRef(CFDataRef persistent_ref, CFStringRef *return_cl return valid_ref; } -#endif // *** END SECITEM_SHIM_OSX *** - static bool cf_bool_value(CFTypeRef cf_bool) { return (cf_bool && CFEqual(kCFBooleanTrue, cf_bool)); @@ -620,6 +762,18 @@ out: return plist; } +CFDataRef _SecTokenItemCopyValueData(CFDataRef db_value, CFErrorRef *error) { + CFDataRef valueData = NULL; + CFDictionaryRef itemDict = NULL; + require_quiet(itemDict = SecTokenItemValueCopy(db_value, error), out); + CFRetainAssign(valueData, CFDictionaryGetValue(itemDict, kSecTokenValueDataKey)); + require_action_quiet(valueData, out, SecError(errSecInternal, error, CFSTR("token item does not contain value data"))); + +out: + CFReleaseSafe(itemDict); + return valueData; +} + TKTokenRef SecTokenCreate(CFStringRef token_id, CFDictionaryRef auth_params, CFErrorRef *error) { CFMutableDictionaryRef token_attrs = NULL; TKTokenRef token = NULL; 
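Review bot: The two `require_action_quiet(updatedQuery, errOut, *result = false)` failure paths in `handleUpdateIdentity` return `handled == true` with `*result == false` but leave `*error` untouched, so the caller reports a failure with no CFError to propagate; use `SecError(errSecAllocate, error, CFSTR("unable to copy identity query"))` as the action instead (assuming errSecAllocate is the allocation-failure code this file uses — confirm). The certificate and the key are also updated by two independent `SecItemUpdateWithError` calls, so a failure on the second leaves the certificate half already modified with no rollback; if that is acceptable it should be stated above the function, e.g. `// Not atomic: the certificate is updated before the key, so a failure on the key update leaves the certificate changed.`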
@@ -640,7 +794,7 @@ static bool SecTokenItemCreateFromAttributes(CFDictionaryRef attributes, CFDicti bool ok = false; CFMutableDictionaryRef attrs = CFDictionaryCreateMutableCopy(NULL, 0, attributes); CFTypeRef token_id = CFDictionaryGetValue(attributes, kSecAttrTokenID); - if (token_id != NULL) { + if (token_id != NULL && object_id != NULL) { if (CFRetainSafe(token) == NULL) { require_quiet(token = SecTokenCreate(token_id, auth_params, error), out); } @@ -673,8 +827,12 @@ static bool SecItemResultCopyPrepared(CFTypeRef raw_result, TKTokenRef token, CFDataRef value = NULL; CFTypeRef persistent_ref = NULL; CFStringRef token_id = NULL; + CFStringRef cert_token_id = NULL; CFDataRef object_id = NULL; CFMutableDictionaryRef attrs = NULL; + CFDataRef cert_data = NULL; + CFDataRef cert_object_id = NULL; + TKTokenRef cert_token = NULL; bool wants_ref = cf_bool_value(CFDictionaryGetValue(query, kSecReturnRef)); bool wants_data = cf_bool_value(CFDictionaryGetValue(query, kSecReturnData)); @@ -683,14 +841,20 @@ static bool SecItemResultCopyPrepared(CFTypeRef raw_result, TKTokenRef token, // Get token value if not provided by the caller. bool token_item = false; + bool cert_token_item = false; if (token == NULL) { if (CFGetTypeID(raw_result) == CFDictionaryGetTypeID()) { token_id = CFDictionaryGetValue(raw_result, kSecAttrTokenID); token_item = (token_id != NULL); + + cert_token_id = CFDictionaryGetValue(raw_result, kSecAttrIdentityCertificateTokenID); + cert_token_item = (cert_token_id != NULL); } } else { token_item = true; + cert_token_item = true; CFRetain(token); + CFRetainAssign(cert_token, token); } // Decode and prepare data value, if it is requested at the output, or if we want attributes from token. 
@@ -708,7 +872,7 @@ static bool SecItemResultCopyPrepared(CFTypeRef raw_result, TKTokenRef token, ac_data = CFRetainSafe(CFDictionaryGetValue(parsed_value, kSecTokenValueAccessControlKey)); object_value = CFRetainSafe(CFDictionaryGetValue(parsed_value, kSecTokenValueDataKey)); CFRelease(parsed_value); - if (wants_data && object_value == NULL) { + if ((wants_data || wants_ref) && object_value == NULL) { // Retrieve value directly from the token. if (token == NULL) { require_quiet(token = SecTokenCreate(token_id, auth_params, error), out); @@ -761,6 +925,33 @@ static bool SecItemResultCopyPrepared(CFTypeRef raw_result, TKTokenRef token, else CFDictionaryRemoveValue(output, kSecValuePersistentRef); + if ((wants_ref || wants_attributes) && cert_token_item && + CFEqualSafe(CFDictionaryGetValue(output, kSecClass), kSecClassIdentity)) { + // Decode also certdata field of the identity. + CFDataRef data = CFDictionaryGetValue(output, kSecAttrIdentityCertificateData); + if (data != NULL) { + CFDictionaryRef parsed_value; + require_quiet(parsed_value = SecTokenItemValueCopy(data, error), out); + cert_data = CFRetainSafe(CFDictionaryGetValue(parsed_value, kSecTokenValueDataKey)); + cert_object_id = CFRetainSafe(CFDictionaryGetValue(parsed_value, kSecTokenValueObjectIDKey)); + CFRelease(parsed_value); + if (cert_data == NULL) { + // Retrieve value directly from the token. + if (cert_token == NULL) { + require_quiet(cert_token = SecTokenCreate(cert_token_id, auth_params, error), out); + } + require_quiet(cert_data = TKTokenCopyObjectData(cert_token, cert_object_id, error), out); + if (CFEqual(cert_data, kCFNull)) + CFReleaseNull(cert_data); + } + if (cert_data != NULL) { + CFDictionarySetValue(output, kSecAttrIdentityCertificateData, cert_data); + } else { + CFDictionaryRemoveValue(output, kSecAttrIdentityCertificateData); + } + } + } + if (wants_ref) { CFTypeRef ref; require_quiet(SecTokenItemCreateFromAttributes(output, auth_params, token, object_id, &ref, error), out); 
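Review bot: The new identity-certificate block passes `cert_object_id` to `TKTokenCopyObjectData` unchecked even though it comes from `CFDictionaryGetValue(parsed_value, kSecTokenValueObjectIDKey)` and is NULL when the stored value carries no object id; add `require_action_quiet(cert_object_id, out, SecError(errSecInternal, error, CFSTR("token identity has no certificate object id")));` before the copy unless `TKTokenCopyObjectData` is known to reject NULL ids itself (not visible here). When the token answers kCFNull the code silently drops `kSecAttrIdentityCertificateData` from `output` and still goes on to build a ref from it, which turns a missing certificate into an identity without one; either return an error there or add a comment stating that an identity with no certificate data is an intended result. The enclosing function starts before this hunk.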
@@ -797,12 +988,15 @@ static bool SecItemResultCopyPrepared(CFTypeRef raw_result, TKTokenRef token, ok = true; out: + CFReleaseSafe(cert_object_id); + CFReleaseSafe(cert_data); CFReleaseSafe(ac_data); CFReleaseSafe(value); CFReleaseSafe(persistent_ref); CFReleaseSafe(object_id); CFReleaseSafe(attrs); CFReleaseSafe(token); + CFReleaseSafe(cert_token); return ok; } @@ -834,7 +1028,7 @@ out: return ok; } -static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, CFErrorRef *error) { +static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, bool forQuery, CFErrorRef *error) { bool ok = false; CFDataRef ac_data = NULL, acm_context = NULL; void *la_lib = NULL; @@ -860,12 +1054,11 @@ static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, CFErrorRef *erro CFDictionarySetValue(SecCFDictionaryCOWGetMutable(attrs), kSecUseCredentialReference, acm_context); } -#ifndef SECITEM_SHIM_OSX - // If a ref was specified we get it's attribute dictionary and parse it. + // If a ref was specified we get its attribute dictionary and parse it. CFTypeRef value = CFDictionaryGetValue(attrs->dictionary, kSecValueRef); if (value) { CFDictionaryRef ref_attributes; - require_action_quiet(ref_attributes = SecItemCopyAttributeDictionary(value), out, + require_action_quiet(ref_attributes = SecItemCopyAttributeDictionary(value, forQuery), out, SecError(errSecValueRefUnsupported, error, CFSTR("unsupported kSecValueRef in query"))); /* Replace any attributes we already got from the ref with the ones 
@@ -881,6 +1074,28 @@ static bool SecItemAttributesPrepare(SecCFDictionaryCOW *attrs, CFErrorRef *erro CFAssignRetained(attrs->mutable_dictionary, new_query); attrs->dictionary = attrs->mutable_dictionary; } + + CFTypeRef policy = CFDictionaryGetValue(attrs->dictionary, kSecMatchPolicy); + if (policy) { + require_action_quiet(CFGetTypeID(policy) == SecPolicyGetTypeID(), out, + SecError(errSecParam, error, CFSTR("unsupported kSecMatchPolicy in query"))); + + CFTypeRef values[] = { policy }; + CFArrayRef policiesArray = CFArrayCreate(kCFAllocatorDefault, values, 1, &kCFTypeArrayCallBacks); + xpc_object_t policiesArrayXPC = SecPolicyArrayCopyXPCArray(policiesArray, error); + CFReleaseSafe(policiesArray); + require_action_quiet(policiesArrayXPC, out, + SecError(errSecInternal, error, CFSTR("Failed to copy XPC policy"))); + + CFTypeRef objectReadyForXPC = _CFXPCCreateCFObjectFromXPCObject(policiesArrayXPC); + xpc_release(policiesArrayXPC); + require_action_quiet(objectReadyForXPC, out, + SecError(errSecInternal, error, CFSTR("Failed to create CFObject from XPC policy"))); + + CFDictionarySetValue(SecCFDictionaryCOWGetMutable(attrs), kSecMatchPolicy, objectReadyForXPC); + CFRelease(objectReadyForXPC); + } +#ifndef SECITEM_SHIM_OSX value = CFDictionaryGetValue(attrs->dictionary, kSecAttrIssuer); if (value) { /* convert DN to canonical issuer, if value is DN (top level sequence) */ 
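Review bot: The `kSecMatchPolicy` block replaces the caller's SecPolicyRef in the query with a CF object rebuilt from its XPC encoding, but nothing explains why, and a reader will take the round trip for a no-op. Suggest a comment above `CFTypeRef values[] = { policy };` such as `// A SecPolicyRef cannot be sent as-is; store the XPC-serializable form so the query can be forwarded to securityd with the rest of the dictionary.` The `CFArrayCreate` result is not checked before `SecPolicyArrayCopyXPCArray(policiesArray, error)`; a NULL there is presumably caught by the `policiesArrayXPC` check, but the reported message ("Failed to copy XPC policy") would then be misleading. Moving `#ifndef SECITEM_SHIM_OSX` below the new block means the conversion now also runs in the OSX shim build, which I assume is intended. SecItemAttributesPrepare begins and ends outside this hunk.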
@@ -1054,7 +1269,7 @@ void SecItemAuthCopyParams(SecCFDictionaryCOW *auth_params, SecCFDictionaryCOW * static SecItemAuthResult SecItemCreatePairsFromError(CFErrorRef *error, CFArrayRef *ac_pairs) { - if (error && CFErrorGetCode(*error) == errSecAuthNeeded && CFEqualSafe(CFErrorGetDomain(*error), kSecErrorDomain)) { + if (error && *error && CFErrorGetCode(*error) == errSecAuthNeeded && CFEqualSafe(CFErrorGetDomain(*error), kSecErrorDomain)) { // Extract ACLs to be verified from the error. CFDictionaryRef user_info = CFErrorCopyUserInfo(*error); CFNumberRef key = CFNumberCreateWithCFIndex(NULL, errSecAuthNeeded); @@ -1088,9 +1303,14 @@ static bool SecItemAuthDoQuery(SecCFDictionaryCOW *query, SecCFDictionaryCOW *at // Perform initial surgery on query/attributes (resolve LAContext to serialized ACM handle, resolve // SecAccessControlRef to serialized forms, expand kSecValueRef etc.) - require_quiet(SecItemAttributesPrepare(query, error), out); + bool forQuery = + secItemOperation == SecItemCopyMatching || + secItemOperation == SecItemUpdate || + secItemOperation == SecItemDelete; + + require_quiet(SecItemAttributesPrepare(query, forQuery, error), out); if (attributes != NULL) - require_quiet(SecItemAttributesPrepare(attributes, error), out); + require_quiet(SecItemAttributesPrepare(attributes, false, error), out); // Populate auth_params dictionary according to initial query contents. SecItemAuthCopyParams(&auth_params, query); 
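Review bot: The `forQuery` computation in SecItemAuthDoQuery encodes which operations are lookups by comparing `secItemOperation` against three function pointers, and the follow-on `SecItemAttributesPrepare(attributes, false, error)` assumes the attributes dictionary is never treated as a query; neither is explained at the site. Suggest a comment above `bool forQuery =` such as `// kSecValueRef expansion differs for lookups (CopyMatching/Update/Delete) and for inserts; the attributes-to-update dictionary is never a query.` The first hunk's `error && *error &&` guard in SecItemCreatePairsFromError looks right, since `CFErrorGetCode(*error)` was previously reachable with a NULL error. SecItemAuthDoQuery starts and ends outside this hunk.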
@@ -1144,14 +1364,6 @@ out: return ok; } -#if SECITEM_SHIM_OSX -/* TODO: Should be in some header */ -OSStatus SecItemAdd_ios(CFDictionaryRef attributes, CFTypeRef *result); -OSStatus SecItemCopyMatching_ios(CFDictionaryRef query, CFTypeRef *result); -OSStatus SecItemUpdate_ios(CFDictionaryRef query, CFDictionaryRef attributesToUpdate); -OSStatus SecItemDelete_ios(CFDictionaryRef query); -#endif - static bool cftype_to_bool_cftype_error_request(enum SecXPCOperation op, CFTypeRef attributes, CFTypeRef *result, CFErrorRef *error) { return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { @@ -1186,6 +1398,23 @@ static bool dict_to_error_request(enum SecXPCOperation op, CFDictionaryRef query }, NULL); } +static bool cfstring_array_to_error_request(enum SecXPCOperation op, CFStringRef string, CFArrayRef attributes, __unused SecurityClient *client, CFErrorRef *error) +{ + return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { + if (string) { + if (!SecXPCDictionarySetString(message, kSecXPCKeyString, string, error)) + return false; + } + + if (attributes) { + if (!SecXPCDictionarySetPList(message, kSecXPCKeyQuery, attributes, error)) + return false; + } + + return true; + }, NULL); +} + static bool dict_client_to_error_request(enum SecXPCOperation op, CFDictionaryRef query, __unused SecurityClient *client, CFErrorRef *error) { return dict_to_error_request(op, query, error); 
@@ -1262,12 +1491,11 @@ static bool SecTokenItemAdd(TKTokenRef token, CFDictionaryRef attributes, CFDict CFMutableDictionaryRef attrs = CFDictionaryCreateMutableCopy(NULL, 0, attributes); require_quiet(object_id = SecTokenCopyUpdatedObjectID(token, NULL, attrs, error), out); -#ifndef SECITEM_SHIM_OSX // Augment attributes from default attributes of the related ref (SecKeyRef, SecCertificateRef). This is best done // by creating ref and getting back its attributes. require_quiet(SecTokenItemCreateFromAttributes(attrs, auth_params, token, object_id, &ref, error), out); if (ref != NULL) { - if ((ref_attrs = SecItemCopyAttributeDictionary(ref)) != NULL) { + if ((ref_attrs = SecItemCopyAttributeDictionary(ref, false)) != NULL) { CFDictionaryForEach(ref_attrs, ^(const void *key, const void *value) { if (!CFEqual(key, kSecValueData)) { CFDictionaryAddValue(attrs, key, value); @@ -1275,7 +1503,6 @@ static bool SecTokenItemAdd(TKTokenRef token, CFDictionaryRef attributes, CFDict }); } } -#endif // Make sure that both attributes and data are returned. CFDictionarySetValue(attrs, kSecReturnAttributes, kCFBooleanTrue); 
@@ -1302,22 +1529,14 @@ out: return ok; } -OSStatus -#if SECITEM_SHIM_OSX -SecItemAdd_ios(CFDictionaryRef attributes, CFTypeRef *result) -#else -SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result) -#endif // *** END SECITEM_SHIM_OSX *** -{ +OSStatus SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result) { __block SecCFDictionaryCOW attrs = { attributes }; OSStatus status; os_activity_t trace_activity = os_activity_start("SecItemAdd_ios", OS_ACTIVITY_FLAG_DEFAULT); -#ifndef SECITEM_SHIM_OSX require_quiet(!explode_identity(attrs.dictionary, (secitem_operation)SecItemAdd, &status, result), errOut); infer_cert_label(&attrs); -#endif // *** END SECITEM_SHIM_OSX *** status = SecOSStatusWith(^bool(CFErrorRef *error) { return SecItemAuthDoQuery(&attrs, NULL, SecItemAdd, error, ^bool(TKTokenRef token, CFDictionaryRef attributes, CFDictionaryRef unused, CFDictionaryRef auth_params, CFErrorRef *error) { @@ -1336,9 +1555,7 @@ SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result) }); }); -#ifndef SECITEM_SHIM_OSX errOut: -#endif CFReleaseSafe(attrs.mutable_dictionary); os_activity_end(trace_activity); @@ -1346,21 +1563,13 @@ errOut: } -OSStatus -#if SECITEM_SHIM_OSX -SecItemCopyMatching_ios(CFDictionaryRef inQuery, CFTypeRef *result) -#else -SecItemCopyMatching(CFDictionaryRef inQuery, CFTypeRef *result) -#endif // *** END SECITEM_SHIM_OSX *** -{ +OSStatus SecItemCopyMatching(CFDictionaryRef inQuery, CFTypeRef *result) { OSStatus status; __block SecCFDictionaryCOW query = { inQuery }; os_activity_t trace_activity = os_activity_start("SecItemCopyMatching_ios", OS_ACTIVITY_FLAG_DEFAULT); -#ifndef SECITEM_SHIM_OSX require_quiet(!explode_identity(query.dictionary, (secitem_operation)SecItemCopyMatching, &status, result), errOut); -#endif // *** END SECITEM_SHIM_OSX *** bool wants_data = cf_bool_value(CFDictionaryGetValue(query.dictionary, kSecReturnData)); bool wants_attributes = cf_bool_value(CFDictionaryGetValue(query.dictionary, kSecReturnAttributes)); 
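Review bot: After the `_ios` variants were folded away, `SecItemAdd` and `SecItemCopyMatching` still open their trace with `os_activity_start("SecItemAdd_ios", …)` / `"SecItemCopyMatching_ios"`, so activity logs keep the old shim names; `SecItemDelete` two hunks down does the same with `"SecItemDelete_ios"`. Suggest `os_activity_start("SecItemAdd", OS_ACTIVITY_FLAG_DEFAULT)` and likewise for the other two, unless tooling depends on the old strings. Dropping the `#ifndef SECITEM_SHIM_OSX` around `explode_identity`/`infer_cert_label` means those now run in the OSX shim build as well, which I take to be the point of the change. Both function bodies continue outside the hunks shown here.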
@@ -1386,9 +1595,7 @@ SecItemCopyMatching(CFDictionaryRef inQuery, CFTypeRef *result) }); }); -#ifndef SECITEM_SHIM_OSX errOut: -#endif CFReleaseSafe(query.mutable_dictionary); os_activity_end(trace_activity); 
@@ -1496,33 +1703,38 @@ static bool SecTokenItemUpdate(TKTokenRef token, CFDictionaryRef query, CFDictio }); } -OSStatus -#if SECITEM_SHIM_OSX -SecItemUpdate_ios(CFDictionaryRef inQuery, CFDictionaryRef inAttributesToUpdate) -#else -SecItemUpdate(CFDictionaryRef inQuery, CFDictionaryRef inAttributesToUpdate) -#endif // *** END SECITEM_SHIM_OSX *** +OSStatus SecItemUpdate(CFDictionaryRef inQuery, CFDictionaryRef inAttributesToUpdate) { + return SecOSStatusWith(^bool(CFErrorRef *error) { + return SecItemUpdateWithError(inQuery, inAttributesToUpdate, error); + }); +} + +bool +SecItemUpdateWithError(CFDictionaryRef inQuery, + CFDictionaryRef inAttributesToUpdate, + CFErrorRef *error) { - OSStatus status; __block SecCFDictionaryCOW query = { inQuery }; __block SecCFDictionaryCOW attributesToUpdate = { inAttributesToUpdate }; + bool result = false; - status = SecOSStatusWith(^bool(CFErrorRef *error) { - return SecItemAuthDoQuery(&query, &attributesToUpdate, SecItemUpdate, error, ^bool(TKTokenRef token, CFDictionaryRef query, CFDictionaryRef attributes, CFDictionaryRef auth_params, CFErrorRef *error) { - if (token == NULL) { + if (handleUpdateIdentity(inQuery, inAttributesToUpdate, &result, error)) + goto errOut; + + result = SecItemAuthDoQuery(&query, &attributesToUpdate, SecItemUpdate, error, ^bool(TKTokenRef token, CFDictionaryRef query, CFDictionaryRef attributes, CFDictionaryRef auth_params, CFErrorRef *error) { + if (token == NULL) { return SecItemRawUpdate(query, attributes, error); - } else { - return SecTokenItemUpdate(token, query, attributes, error); - } - }); + } else { + return SecTokenItemUpdate(token, query, attributes, error); + } }); +errOut: CFReleaseSafe(query.mutable_dictionary); CFReleaseSafe(attributesToUpdate.mutable_dictionary); - return status; + return result; } -#ifndef SECITEM_SHIM_OSX static OSStatus explode_persistent_identity_ref(SecCFDictionaryCOW *query) { OSStatus status = errSecSuccess; 
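Review bot: `SecItemUpdateWithError` is a new exported entry point (declared in SecItemPriv.h later in this commit) with no documentation, and the `handleUpdateIdentity(inQuery, inAttributesToUpdate, &result, error)` call that short-circuits it gives no hint of its contract. From this hunk it appears to return true when it has already handled the update, leaving the outcome in `result`/`error`; if so, a comment above the call such as `// handleUpdateIdentity() returns true when the query targets an identity and it has already performed the update; result/error are then final.` would save the next reader a trip to its definition. A header comment on SecItemUpdateWithError stating that it returns false and fills *error on failure, unlike the OSStatus-returning SecItemUpdate wrapper above it, is the other missing piece. `explode_persistent_identity_ref` continues past the end of this hunk.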
@@ -1547,24 +1759,15 @@ static OSStatus explode_persistent_identity_ref(SecCFDictionaryCOW *query) return status; } -#endif -OSStatus -#if SECITEM_SHIM_OSX -SecItemDelete_ios(CFDictionaryRef inQuery) -#else -SecItemDelete(CFDictionaryRef inQuery) -#endif // *** END SECITEM_SHIM_OSX *** -{ +OSStatus SecItemDelete(CFDictionaryRef inQuery) { OSStatus status; __block SecCFDictionaryCOW query = { inQuery }; os_activity_t trace_activity = os_activity_start("SecItemDelete_ios", OS_ACTIVITY_FLAG_DEFAULT); -#ifndef SECITEM_SHIM_OSX require_noerr_quiet(status = explode_persistent_identity_ref(&query), errOut); require_quiet(!explode_identity(query.dictionary, (secitem_operation)SecItemDelete, &status, NULL), errOut); -#endif // *** END SECITEM_SHIM_OSX *** status = SecOSStatusWith(^bool(CFErrorRef *error) { return SecItemAuthDoQuery(&query, NULL, SecItemDelete, error, ^bool(TKTokenRef token, CFDictionaryRef query, CFDictionaryRef attributes, CFDictionaryRef auth_params, CFErrorRef *error) { @@ -1591,10 +1794,7 @@ SecItemDelete(CFDictionaryRef inQuery) }); }); -#ifndef SECITEM_SHIM_OSX errOut: -#endif - CFReleaseSafe(query.mutable_dictionary); os_activity_end(trace_activity); 
@@ -1623,6 +1823,74 @@ SecItemDeleteAll(void) }); } +static bool +agrps_client_to_error_request(enum SecXPCOperation op, CFArrayRef agrps, __unused SecurityClient *client, CFErrorRef *error) +{ + return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { + return SecXPCDictionarySetPList(message, kSecXPCKeyAccessGroups, agrps, error); + }, NULL); +} + +bool SecItemDeleteAllWithAccessGroups(CFArrayRef accessGroups, CFErrorRef *error) { + os_activity_t trace_activity = os_activity_start("SecItemDeleteAllWithAccessGroups", OS_ACTIVITY_FLAG_DEFAULT); + + bool ok = SECURITYD_XPC(sec_delete_items_with_access_groups, agrps_client_to_error_request, accessGroups, + SecSecurityClientGet(), error); + + os_activity_end(trace_activity); + return ok; +} + +OSStatus +#if SECITEM_SHIM_OSX +SecItemUpdateTokenItems_ios(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes) +#else +SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes) +#endif +{ + OSStatus status; + + os_activity_t trace_activity = os_activity_start("SecItemDelete_ios", OS_ACTIVITY_FLAG_DEFAULT); + + status = SecOSStatusWith(^bool(CFErrorRef *error) { + CFArrayRef tmpArrayRef = tokenItemsAttributes; + if (tokenItemsAttributes) { + CFMutableArrayRef tokenItems = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + for (CFIndex i = 0; i < CFArrayGetCount(tokenItemsAttributes); ++i) { + CFDictionaryRef itemAttributes = CFArrayGetValueAtIndex(tokenItemsAttributes, i); + CFTypeRef accessControl = CFDictionaryGetValue(itemAttributes, kSecAttrAccessControl); + CFTypeRef tokenOID = CFDictionaryGetValue(itemAttributes, kSecAttrTokenOID); + CFTypeRef valueData = CFDictionaryGetValue(itemAttributes, kSecValueData); + if (tokenOID != NULL && accessControl != NULL && CFDataGetTypeID() == CFGetTypeID(accessControl)) { + CFDataRef data = SecTokenItemValueCreate(tokenOID, accessControl, valueData, error); + if (!data) { + CFRelease(tokenItems); + return false; 
+ } + + CFMutableDictionaryRef attributes = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, itemAttributes); + CFDictionarySetValue(attributes, kSecValueData, data); + CFDictionarySetValue(attributes, kSecAttrTokenID, tokenID); + CFDictionaryRemoveValue(attributes, kSecAttrAccessControl); + CFDictionaryRemoveValue(attributes, kSecAttrTokenOID); + CFArrayAppendValue(tokenItems, attributes); + CFRelease(attributes); + CFRelease(data); + } + else + CFArrayAppendValue(tokenItems, itemAttributes); + } + + tmpArrayRef = tokenItems; + } + + return SECURITYD_XPC(sec_item_update_token_items, cfstring_array_to_error_request, tokenID, tmpArrayRef, SecSecurityClientGet(), error); + }); + + os_activity_end(trace_activity); + + return status; +} CFArrayRef _SecKeychainSyncUpdateMessage(CFDictionaryRef updates, CFErrorRef *error) { __block CFArrayRef result; diff --git a/OSX/sec/Security/SecItem.h b/OSX/sec/Security/SecItem.h index 17650b57..2547dc49 100644 --- a/OSX/sec/Security/SecItem.h +++ b/OSX/sec/Security/SecItem.h @@ -352,7 +352,8 @@ extern const CFStringRef kSecClassIdentity kSecAttrLabel (which is intended to be human-readable). This attribute is used to look up a key programmatically; in particular, for keys of class kSecAttrKeyClassPublic and kSecAttrKeyClassPrivate, the value of - this attribute is the hash of the public key. + this attribute is the hash of the public key. This item is a type of CFDataRef. + Legacy keys may contain a UUID in this field as a CFStringRef. @constant kSecAttrIsPermanent Specifies a dictionary key whose value is a CFBooleanRef indicating whether the key in question will be stored permanently. 
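Review bot: In `SecItemUpdateTokenItems` the mutable `tokenItems` array is handed to `SECURITYD_XPC` through `tmpArrayRef` and never released on the success path, so every call with a non-NULL `tokenItemsAttributes` leaks it (the early `CFRelease(tokenItems); return false;` covers only the failure case). The trace is also opened with the copy-pasted label `os_activity_start("SecItemDelete_ios", …)`, which should read `"SecItemUpdateTokenItems"`. Each element is used as a dictionary without a type check although `accessControl` is checked with `CFDataGetTypeID()`; for an exported entry point a `CFDictionaryGetTypeID()` guard on `itemAttributes` would be consistent, and hoisting `CFArrayGetCount` out of the loop condition is free. The rewrite below moves ownership of the copy outside the `if` so it can be released after the XPC call; the per-item rewrapping is unchanged.
```c
    status = SecOSStatusWith(^bool(CFErrorRef *error) {
        CFArrayRef tmpArrayRef = tokenItemsAttributes;
        CFMutableArrayRef tokenItems = NULL;   // owned copy with rewrapped items; released after the XPC call
        if (tokenItemsAttributes) {
            tokenItems = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
            CFIndex count = CFArrayGetCount(tokenItemsAttributes);
            for (CFIndex i = 0; i < count; ++i) {
                CFDictionaryRef itemAttributes = CFArrayGetValueAtIndex(tokenItemsAttributes, i);
                if (CFGetTypeID(itemAttributes) != CFDictionaryGetTypeID()) {
                    CFRelease(tokenItems);
                    return SecError(errSecParam, error, CFSTR("token item attributes must be a dictionary"));
                }
                // … unchanged: rewrap kSecAttrTokenOID + kSecAttrAccessControl into kSecValueData and append …
            }
            tmpArrayRef = tokenItems;
        }

        bool ok = SECURITYD_XPC(sec_item_update_token_items, cfstring_array_to_error_request, tokenID, tmpArrayRef, SecSecurityClientGet(), error);
        CFReleaseNull(tokenItems);
        return ok;
    });
```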
@@ -492,7 +493,7 @@ extern const CFStringRef kSecAttrCanUnwrap extern const CFStringRef kSecAttrSyncViewHint __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); extern const CFStringRef kSecAttrTokenID - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); /*! @enum kSecAttrAccessible Value Constants @@ -710,12 +711,15 @@ extern const CFStringRef kSecAttrKeyClassSymmetric in a dictionary. The kSecAttrKeyType constant is the key and its value is one of the constants defined here. @constant kSecAttrKeyTypeRSA. - @constant kSecAttrKeyTypeEC. + @constant kSecAttrKeyTypeECSECPrimeRandom. + @constant kSecAttrKeyTypeEC This is legacy name for kSecAttrKeyTypeECSECPrimeRandom, new applications should not use it. */ extern const CFStringRef kSecAttrKeyTypeRSA __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); extern const CFStringRef kSecAttrKeyTypeEC __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); +extern const CFStringRef kSecAttrKeyTypeECSECPrimeRandom + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /*! @enum kSecAttrSynchronizable Value Constants @@ -896,7 +900,7 @@ extern const CFStringRef kSecUseItemList extern const CFStringRef kSecUseOperationPrompt __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); extern const CFStringRef kSecUseNoAuthenticationUI - __OSX_AVAILABLE_BUT_DEPRECATED_MSG(__MAC_10_10, __MAC_10_11, __IPHONE_8_0, __IPHONE_9_0, "Use a kSecAuthenticationUI instead."); + __OSX_AVAILABLE_BUT_DEPRECATED_MSG(__MAC_10_10, __MAC_10_11, __IPHONE_8_0, __IPHONE_9_0, "Use a kSecUseAuthenticationUI instead."); extern const CFStringRef kSecUseAuthenticationUI __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); extern const CFStringRef kSecUseAuthenticationContext 
@@ -937,8 +941,26 @@ extern const CFStringRef kSecUseAuthenticationUISkip kSecAttrTokenIDSecureEnclave in the parameters dictionary, it is not possible to import pregenerated keys to kSecAttrTokenIDSecureEnclave token. */ +#if !RC_HIDE_J79 && !RC_HIDE_J80 +extern const CFStringRef kSecAttrTokenIDSecureEnclave +__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); +#else extern const CFStringRef kSecAttrTokenIDSecureEnclave - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_9_0); +__OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_9_0); +#endif + +/*! + @enum kSecAttrAccessGroup Value Constants + @constant kSecAttrAccessGroupToken Represents well-known access group + which contains items provided by external token (typically smart card). + This may be used as a value for kSecAttrAccessGroup attribute. Every + application has access to this access group so it is not needed to + explicitly list it in keychain-access-groups entitlement, but application + must explicitly state this access group in keychain queries in order to + be able to access items from external tokens. +*/ +extern const CFStringRef kSecAttrAccessGroupToken + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /*! @function SecItemCopyMatching diff --git a/OSX/sec/Security/SecItemBackup.c b/OSX/sec/Security/SecItemBackup.c index ff08afe6..f7009811 100644 --- a/OSX/sec/Security/SecItemBackup.c +++ b/OSX/sec/Security/SecItemBackup.c 
@@ -189,6 +189,25 @@ _SecKeychainRestoreBackupFromFileDescriptor(int fd, CFDataRef backupKeybag, CFDa return result; } +/* + * Current promise is that this is low memory usage, so in the current format, ask securityd + * to resolve the item for us. + */ + +CFStringRef +_SecKeychainCopyKeybagUUIDFromFileDescriptor(int fd, CFErrorRef *error) +{ + __block CFStringRef result; + os_activity_initiate("_SecKeychainCopyKeybagUUID", OS_ACTIVITY_FLAG_DEFAULT, ^{ + securityd_send_sync_and_do(sec_keychain_backup_keybag_uuid_id, error, ^bool(xpc_object_t message, CFErrorRef *error) { + return SecXPCDictionarySetFileDescriptor(message, kSecXPCKeyFileDescriptor, fd, error); + }, ^bool(xpc_object_t response, CFErrorRef *error) { + return (result = SecXPCDictionaryCopyString(response, kSecXPCKeyResult, error)); + }); + }); + return result; +} + OSStatus _SecKeychainRestoreBackup(CFDataRef backup, CFDataRef backupKeybag, CFDataRef password) { diff --git a/OSX/sec/Security/SecItemConstants.c b/OSX/sec/Security/SecItemConstants.c index ddc1f0c8..978d009b 100644 --- a/OSX/sec/Security/SecItemConstants.c +++ b/OSX/sec/Security/SecItemConstants.c @@ -108,6 +108,10 @@ SEC_CONST_DECL (kSecAttrSynchronizable, "sync"); SEC_CONST_DECL (kSecAttrTombstone, "tomb"); SEC_CONST_DECL (kSecAttrMultiUser, "musr"); SEC_CONST_DECL (kSecAttrNoLegacy, "nleg"); +SEC_CONST_DECL (kSecAttrTokenOID, "toid"); + +/* Predefined access groups constants */ +SEC_CONST_DECL (kSecAttrAccessGroupToken, "com.apple.token"); /* Search Constants */ SEC_CONST_DECL (kSecMatchPolicy, "m_Policy"); 
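Review bot: `__block CFStringRef result;` in `_SecKeychainCopyKeybagUUIDFromFileDescriptor` is never initialised, so if `securityd_send_sync_and_do` fails before the response block runs (for example `SecXPCDictionarySetFileDescriptor` returning false) the function returns an indeterminate pointer that the caller will treat as a retained string. Initialise it: `__block CFStringRef result = NULL;`. The header comment above the function talks about memory usage but not about ownership; adding "returns a retained CFStringRef or NULL with *error set" would match the Copy naming. The SecItemConstants.c hunk on the same line only adds constants and needs no change.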
@@ -154,6 +158,9 @@ SEC_CONST_DECL (kSecAttrAccessibleWhenUnlockedThisDeviceOnly, "aku"); SEC_CONST_DECL (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, "cku"); SEC_CONST_DECL (kSecAttrAccessibleAlwaysThisDeviceOnly, "dku"); SEC_CONST_DECL (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, "akpu"); +/* kSecAttrAccessible Value Constants (Private). */ +SEC_CONST_DECL (kSecAttrAccessibleAlwaysPrivate, "dk"); +SEC_CONST_DECL (kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, "dku"); /* kSecAttrProtocol Value Constants. */ SEC_CONST_DECL (kSecAttrProtocolFTP, "ftp "); @@ -210,6 +217,7 @@ SEC_CONST_DECL (kSecAttrKeyClassSymmetric, "2"); /* kSecAttrKeyType Value Constants. Based on CSSM_ALGORITHMS. */ SEC_CONST_DECL (kSecAttrKeyTypeRSA, "42"); SEC_CONST_DECL (kSecAttrKeyTypeEC, "73"); /* rdar://10755886 */ +SEC_CONST_DECL (kSecAttrKeyTypeECSECPrimeRandom, "73"); /* kSecAttrSynchronizable Value Constants. */ SEC_CONST_DECL (kSecAttrSynchronizableAny, "syna"); 
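Review bot: `kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate` and `kSecAttrKeyTypeECSECPrimeRandom` are aliases that repeat the wire value of an existing constant (`"dku"`, `"73"`) as a second literal with nothing tying the pair together; `kSecAttrAccessibleAlwaysPrivate`'s `"dk"` presumably mirrors `kSecAttrAccessibleAlways`, whose definition is outside the hunk. A comment on each alias, e.g. `/* must stay equal to kSecAttrKeyTypeEC: both name the same stored key type */`, or defining the alias in terms of the other constant if SEC_CONST_DECL permits it, keeps the values from drifting apart in a later edit.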
@@ -238,18 +246,10 @@ SEC_CONST_DECL (kSecAttrTokenIDSecureEnclave, "com.apple.setoken"); /* View Hint Constants */ -SEC_CONST_DECL (kSecAttrViewHintPCSMasterKey, "PCS-MasterKey"); -SEC_CONST_DECL (kSecAttrViewHintPCSiCloudDrive, "PCS-iCloudDrive"); -SEC_CONST_DECL (kSecAttrViewHintPCSPhotos, "PCS-Photos"); -SEC_CONST_DECL (kSecAttrViewHintPCSCloudKit, "PCS-CloudKit"); -SEC_CONST_DECL (kSecAttrViewHintPCSEscrow, "PCS-Escrow"); -SEC_CONST_DECL (kSecAttrViewHintPCSFDE, "PCS-FDE"); -SEC_CONST_DECL (kSecAttrViewHintPCSMailDrop, "PCS-Maildrop"); -SEC_CONST_DECL (kSecAttrViewHintPCSiCloudBackup, "PCS-Backup"); -SEC_CONST_DECL (kSecAttrViewHintPCSNotes, "PCS-Notes"); -SEC_CONST_DECL (kSecAttrViewHintPCSiMessage, "PCS-iMessage"); -SEC_CONST_DECL (kSecAttrViewHintPCSFeldspar, "PCS-Feldspar"); - -SEC_CONST_DECL (kSecAttrViewHintAppleTV, "AppleTV"); -SEC_CONST_DECL (kSecAttrViewHintHomeKit, "HomeKit"); -SEC_CONST_DECL (kSecAttrViewHintThumper, "Thumper"); +#undef DOVIEWMACRO +#define DO_SEC_CONST_DECL_(VIEWNAME, DEFSTRING) const CFTypeRef kSecAttrViewHint##VIEWNAME = CFSTR(DEFSTRING); +#define DO_SEC_CONST_DECL_V(VIEWNAME, DEFSTRING) + +#define DOVIEWMACRO(VIEWNAME, DEFSTRING, CMDSTRING, DEFAULTSETTING, INITIALSYNCSETTING, ALWAYSONSETTING, BACKUPSETTING, V0SETTING) DO_SEC_CONST_DECL_##V0SETTING(VIEWNAME, DEFSTRING) +#include "Security/SecureObjectSync/ViewList.list" +#undef DOVIEWMACRO diff --git a/OSX/sec/Security/SecItemInternal.h b/OSX/sec/Security/SecItemInternal.h index 71bdb50c..6312eb69 100644 --- a/OSX/sec/Security/SecItemInternal.h +++ b/OSX/sec/Security/SecItemInternal.h 
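Review bot: The new `DO_SEC_CONST_DECL_` macro defines each view hint as `const CFTypeRef kSecAttrViewHint##VIEWNAME`, while SecItemPriv.h later in this commit declares them as `extern const CFStringRef kSecAttrViewHint…`; a definition and a declaration of the same identifier with different pointer types is a constraint violation if both are visible in one translation unit and undefined behaviour otherwise, and it drops the CFStringRef type the replaced `SEC_CONST_DECL` lines presumably carried. Change the macro to `const CFStringRef kSecAttrViewHint##VIEWNAME = CFSTR(DEFSTRING);`. The set of generated names is now driven by ViewList.list, which is not in the diff, so the externs SecItemPriv.h adds (`PCSSharing`, `ContinuityUnlock`, `AccessoryPairing`) only link if that list routes them through `DO_SEC_CONST_DECL_` rather than the empty `DO_SEC_CONST_DECL_V` path; worth confirming.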
@@ -38,6 +38,10 @@ __BEGIN_DECLS #define kSecServerKeychainChangedNotification "com.apple.security.keychainchanged" +/* label when certificate data is joined with key data */ +static const CFStringRef kSecAttrIdentityCertificateData = CFSTR("certdata"); +static const CFStringRef kSecAttrIdentityCertificateTokenID = CFSTR("certtkid"); + CF_RETURNS_RETAINED CFDataRef _SecItemMakePersistentRef(CFTypeRef class, sqlite_int64 rowid); bool _SecItemParsePersistentRef(CFDataRef persistent_ref, CFStringRef *return_class, @@ -82,6 +86,8 @@ void SecItemAuthCopyParams(SecCFDictionaryCOW *auth_params, SecCFDictionaryCOW * TKTokenRef SecTokenCreate(CFStringRef token_id, CFDictionaryRef auth_params, CFErrorRef *error); +CFDataRef _SecTokenItemCopyValueData(CFDataRef db_value, CFErrorRef *error); + __END_DECLS #endif /* !_SECURITY_SECITEMINTERNAL_H_ */ diff --git a/OSX/sec/Security/SecItemPriv.h b/OSX/sec/Security/SecItemPriv.h index 664242ab..ee9536d5 100644 --- a/OSX/sec/Security/SecItemPriv.h +++ b/OSX/sec/Security/SecItemPriv.h 
@@ -280,8 +280,20 @@ extern const CFStringRef kSecAttrNoLegacy __OSX_AVAILABLE(10.11) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3); extern const CFStringRef kSecAttrSyncViewHint __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecAttrTokenID - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); +extern const CFStringRef kSecAttrTokenOID + __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @enum kSecAttrAccessible Value Constants (Private) + @constant kSecAttrAccessibleAlwaysPrivate Private alias for kSecAttrAccessibleAlways, + which is going to be deprecated for 3rd party use. + @constant kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate for kSecAttrAccessibleAlwaysThisDeviceOnly, + which is going to be deprecated for 3rd party use. +*/ +extern const CFStringRef kSecAttrAccessibleAlwaysPrivate +;//%%% __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate +;//%%% __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); extern const CFStringRef kSecAttrMultiUser __OSX_AVAILABLE(10.11.5) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3); @@ -299,10 +311,13 @@ extern const CFStringRef kSecAttrViewHintPCSiCloudBackup; extern const CFStringRef kSecAttrViewHintPCSNotes; extern const CFStringRef kSecAttrViewHintPCSiMessage; extern const CFStringRef kSecAttrViewHintFeldspar; +extern const CFStringRef kSecAttrViewHintPCSSharing; extern const CFStringRef kSecAttrViewHintAppleTV; extern const CFStringRef kSecAttrViewHintHomeKit; extern const CFStringRef kSecAttrViewHintThumper; +extern const CFStringRef kSecAttrViewHintContinuityUnlock; +extern const CFStringRef kSecAttrViewHintAccessoryPairing; /* * 
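Review bot: The two new `kSecAttrAccessibleAlways…Private` externs end in `;//%%% __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0);`, i.e. the availability annotation is commented out behind a `%%%` marker, so the symbols are declared as available on every OS version while the neighbouring `kSecAttrTokenOID` carries `__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0)`. Either apply the same attributes or delete the dead text; a `%%%` placeholder in a shipped header reads as unfinished work. The second hunk adds `kSecAttrViewHintPCSSharing`, `ContinuityUnlock` and `AccessoryPairing` whose definitions come from the ViewList.list X-macro in SecItemConstants.c, which the diff does not show.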
@@ -384,6 +399,16 @@ OSStatus SecItemCopyDisplayNames(CFArrayRef items, CFArrayRef *displayNames); */ OSStatus SecItemDeleteAll(void); +/*! + @function SecItemDeleteAllWithAccessGroups + @abstract Deletes all items for each class for the given access groups + @param accessGroups An array of access groups for the items + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion Provided for use by MobileInstallation to allow cleanup after uninstall + Requires entitlement "com.apple.private.uninstall.deletion" + */ +bool SecItemDeleteAllWithAccessGroups(CFArrayRef accessGroups, CFErrorRef *error); + /* Ensure the escrow keybag has been used to unlock the system keybag before calling either of these APIs. @@ -403,7 +428,8 @@ _SecKeychainWriteBackupToFileDescriptor(CFDataRef backupKeybag, CFDataRef passwo bool _SecKeychainRestoreBackupFromFileDescriptor(int fd, CFDataRef backupKeybag, CFDataRef password, CFErrorRef *error); - +CFStringRef +_SecKeychainCopyKeybagUUIDFromFileDescriptor(int fd, CFErrorRef *error); OSStatus _SecKeychainBackupSyncable(CFDataRef keybag, CFDataRef password, CFDictionaryRef backup_in, CFDictionaryRef *backup_out); OSStatus _SecKeychainRestoreSyncable(CFDataRef keybag, CFDataRef password, CFDictionaryRef backup_in); 
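Review bot: The Doxygen block for `SecItemDeleteAllWithAccessGroups` says `@result A result code. See "Security Error Codes" (SecBase.h).`, but the prototype returns `bool` and takes `CFErrorRef *error`; suggest `@param error Optional; receives a retained CFErrorRef on failure.` and `@result true on success, false on failure (see error).` The newly declared `_SecKeychainCopyKeybagUUIDFromFileDescriptor` has no comment at all; since it is a Copy-style function, a one-liner such as `/* Returns the keybag UUID of the backup on fd as a retained CFStringRef, or NULL with *error set. */` documents ownership for callers. The entitlement mentioned in the discussion is the right kind of detail to keep next to the declaration.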
@@ -427,6 +453,71 @@ bool _SecSyncBubbleTransfer(CFArrayRef services, uid_t uid, CFErrorRef *error); bool _SecSystemKeychainTransfer(CFErrorRef *error); bool _SecSyncDeleteUserViews(uid_t uid, CFErrorRef *error); +OSStatus SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes); + +/*! + * @function SecCopyLastError + * @abstract return the last CFErrorRef for this thread + * @param status the error code returned from the API call w/o CFErrorRef or 0 + * @result NULL or a retained CFError of the matching error code + * + * @discussion There are plenty of API calls in Security.framework that + * doesn't return an CFError in case of an error, many of them actually have + * a CFErrorRef internally, but throw it away at the last moment. + * This might be your chance to get hold of it. The status code pass in is there + * to avoid stale copies of CFErrorRef. + + * Note, not all interfaces support returning a CFErrorRef on the thread local + * storage. This is especially true when going though old CDSA style API. + */ + +CFErrorRef +SecCopyLastError(OSStatus status) + __TVOS_AVAILABLE(10.0) + __WATCHOS_AVAILABLE(3.0) + __IOS_AVAILABLE(10.0); + + +bool +SecItemUpdateWithError(CFDictionaryRef inQuery, + CFDictionaryRef inAttributesToUpdate, + CFErrorRef *error) + __TVOS_AVAILABLE(10.0) + __WATCHOS_AVAILABLE(3.0) + __IOS_AVAILABLE(10.0); + + +#if SECTRUST_OSX && !TARGET_OS_IPHONE +/*! + @function SecItemCopyParentCertificates + @abstract Retrieve an array of possible issuing certificates for a given certificate. + @param certificate A reference to a certificate whose issuers are being sought. + @param context Pass NULL in this parameter to indicate that the default certificate + source(s) should be searched. The default is to search all available keychains. + Values of context other than NULL are currently ignored. + @result An array of zero or more certificates whose normalized subject matches the + normalized issuer of the provided certificate. 
Note that no cryptographic validation + of the signature is performed by this function; its purpose is only to provide a list + of candidate certificates. + */ +CFArrayRef SecItemCopyParentCertificates(SecCertificateRef certificate, void *context) +__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA); + +/*! + @function SecItemCopyStoredCertificate + @abstract Retrieve the first stored instance of a given certificate. + @param certificate A reference to a certificate. + @param context Pass NULL in this parameter to indicate that the default certificate + source(s) should be searched. The default is to search all available keychains. + Values of context other than NULL are currently ignored. + @result Returns a certificate reference if the given certificate exists in a keychain, + or NULL if the certificate cannot be found in any keychain. The caller is responsible + for releasing the returned certificate reference when finished with it. + */ +SecCertificateRef SecItemCopyStoredCertificate(SecCertificateRef certificate, void *context) +__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA); +#endif + __END_DECLS #endif /* !_SECURITY_SECITEMPRIV_H_ */ diff --git a/OSX/sec/Security/SecItemShim.h b/OSX/sec/Security/SecItemShim.h new file mode 100644 index 00000000..06032f9f --- /dev/null +++ b/OSX/sec/Security/SecItemShim.h 
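Review bot: `OSStatus SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes);` at the top of the hunk is the only new declaration here with neither a comment nor availability attributes, although the neighbouring `SecCopyLastError` and `SecItemUpdateWithError` carry `__IOS_AVAILABLE(10.0)` and friends. A short block is needed: what `tokenID` is (a kSecAttrTokenID value), that each element of `tokenItemsAttributes` is an attribute dictionary, and that entries carrying `kSecAttrTokenOID` plus a CFData `kSecAttrAccessControl` are rewrapped before being sent to securityd, which is the behaviour visible in the SecItem.c implementation earlier in this commit. `SecItemUpdateWithError` likewise lacks a sentence saying it is the CFError-returning form of SecItemUpdate. The `@discussion` of SecCopyLastError has a few grammar slips ("doesn't return an CFError", "pass in") that could be tidied while touching the block.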
@@ -0,0 +1,64 @@ +/* + * Copyright (c) 2015 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecItemShim.h + SecItemShim defines functions and macros for shimming iOS Security + implementation to be used inside OSX. 
+ */ + +#ifndef _SECURITY_SECITEMSHIM_H_ +#define _SECURITY_SECITEMSHIM_H_ + +#include <CoreFoundation/CFDictionary.h> +#include <CoreFoundation/CFData.h> + +__BEGIN_DECLS + +struct __SecKeyDescriptor; + +OSStatus SecItemAdd_ios(CFDictionaryRef attributes, CFTypeRef *result); +OSStatus SecItemCopyMatching_ios(CFDictionaryRef query, CFTypeRef *result); +OSStatus SecItemUpdate_ios(CFDictionaryRef query, CFDictionaryRef attributesToUpdate); +OSStatus SecItemDelete_ios(CFDictionaryRef query); +OSStatus SecItemUpdateTokenItems_ios(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes); + +OSStatus SecKeyGeneratePair_ios(CFDictionaryRef parameters, SecKeyRef *publicKey, SecKeyRef *privateKey); +SecKeyRef SecKeyCreateRandomKey_ios(CFDictionaryRef parameters, CFErrorRef *error); + +#if SECITEM_SHIM_OSX + +#define SecItemAdd SecItemAdd_ios +#define SecItemCopyMatching SecItemCopyMatching_ios +#define SecItemUpdate SecItemUpdate_ios +#define SecItemDelete SecItemDelete_ios +#define SecItemUpdateTokenItems SecItemUpdateTokenItems_ios + +#define SecKeyGeneratePair SecKeyGeneratePair_ios +#define SecKeyCreateRandomKey SecKeyCreateRandomKey_ios + +#endif + +__END_DECLS + +#endif /* !_SECURITY_SECITEMSHIM_H_ */ diff --git a/OSX/sec/Security/SecKey.c b/OSX/sec/Security/SecKey.c index 2d4e8d1a..7b4bc43b 100644 --- a/OSX/sec/Security/SecKey.c +++ b/OSX/sec/Security/SecKey.c @@ -29,11 +29,13 @@ #include <Security/SecKeyInternal.h> #include <Security/SecItem.h> #include <Security/SecItemPriv.h> +#include <Security/SecItemShim.h> #include <Security/SecFramework.h> #include <utilities/SecIOFormat.h> #include <utilities/SecCFWrappers.h> +#include <utilities/array_size.h> #include "SecRSAKeyPriv.h" #include "SecECKeyPriv.h" 
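Review bot: SecItemShim.h uses `OSStatus`, `SecKeyRef`, `CFErrorRef` and `CFArrayRef` but includes only CFDictionary.h and CFData.h, so the header is not self-contained; whether `OSStatus` arrives transitively via CFBase.h I cannot tell from here, and `SecKeyRef` certainly does not come from CoreFoundation. Add `#include <Security/SecBase.h>` plus `<CoreFoundation/CFArray.h>` and `<CoreFoundation/CFError.h>`. The `#define SecItemAdd SecItemAdd_ios` block rewrites every later occurrence of those names in the including translation unit, including the public prototypes in SecItem.h, so a comment above `#if SECITEM_SHIM_OSX` such as `/* Must be included after SecItem.h/SecKey.h: these macros rename the public entry points to the iOS implementations. */` would prevent ordering surprises. `struct __SecKeyDescriptor;` is a forward declaration nothing in this header uses, and its double-underscore name is reserved for the implementation. The SecKey.c include hunk on the same line needs nothing.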
@@ -53,7 +55,10 @@
 #include <Security/oidsalg.h>
 #include <Security/SecInternal.h>
 #include <Security/SecRandom.h>
+#include <Security/SecureTransport.h> /* For error codes. */
+
 #include <corecrypto/ccrng_system.h>
+
 #include <asl.h>
 #include <stdlib.h>
 #include <syslog.h>
@@ -62,65 +67,17 @@ #include <libDER/DER_Keys.h> #include <libDER/DER_Encode.h> - -/* Static functions. */ -#define MAX_DIGEST_LEN (CC_SHA512_DIGEST_LENGTH) - -/* Currently length of SHA512 oid + 1 */ -#define MAX_OID_LEN (10) - -#define DER_MAX_DIGEST_INFO_LEN (10 + MAX_DIGEST_LEN + MAX_OID_LEN) - -/* Encode the digestInfo header into digestInfo and return the offset from - digestInfo at which to put the actual digest. Returns 0 if digestInfo - won't fit within digestInfoLength bytes. - - 0x30, topLen, - 0x30, algIdLen, - 0x06, oid.Len, oid.Data, - 0x05, 0x00 - 0x04, digestLen - digestData - */ - -static size_t DEREncodeDigestInfoPrefix(const SecAsn1Oid *oid, - size_t digestLength, uint8_t *digestInfo, size_t digestInfoLength) { - size_t algIdLen = oid->Length + 4; - size_t topLen = algIdLen + digestLength + 4; - size_t totalLen = topLen + 2; - - if (totalLen > digestInfoLength) { - return 0; - } - - size_t ix = 0; - digestInfo[ix++] = (SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED); - digestInfo[ix++] = topLen; - digestInfo[ix++] = (SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED); - digestInfo[ix++] = algIdLen; - digestInfo[ix++] = SEC_ASN1_OBJECT_ID; - digestInfo[ix++] = oid->Length; - memcpy(&digestInfo[ix], oid->Data, oid->Length); - ix += oid->Length; - digestInfo[ix++] = SEC_ASN1_NULL; - digestInfo[ix++] = 0; - digestInfo[ix++] = SEC_ASN1_OCTET_STRING; - digestInfo[ix++] = digestLength; - - return ix; -} - CFDataRef SecKeyCopyPublicKeyHash(SecKeyRef key) { CFDataRef pubKeyDigest = NULL, pubKeyBlob = NULL; /* encode the public key. */ - require_noerr(SecKeyCopyPublicBytes(key, &pubKeyBlob), errOut); - require(pubKeyBlob, errOut); + require_noerr_quiet(SecKeyCopyPublicBytes(key, &pubKeyBlob), errOut); + require_quiet(pubKeyBlob, errOut); /* Calculate the digest of the public key. 
*/ - require(pubKeyDigest = SecSHA1DigestCreate(CFGetAllocator(key), - CFDataGetBytePtr(pubKeyBlob), CFDataGetLength(pubKeyBlob)), + require_quiet(pubKeyDigest = SecSHA1DigestCreate(CFGetAllocator(key), + CFDataGetBytePtr(pubKeyBlob), CFDataGetLength(pubKeyBlob)), errOut); errOut: CFReleaseNull(pubKeyBlob); @@ -143,13 +100,13 @@ static CFDictionaryRef SecKeyCopyAttributeDictionaryWithLocalKey(SecKeyRef key, CFNumberRef sizeInBits = CFNumberCreate(allocator, kCFNumberLongType, &sizeValue); /* encode the public key. */ - require_noerr(SecKeyCopyPublicBytes(key, &pubKeyBlob), errOut); - require(pubKeyBlob, errOut); + require_noerr_quiet(SecKeyCopyPublicBytes(key, &pubKeyBlob), errOut); + require_quiet(pubKeyBlob, errOut); /* Calculate the digest of the public key. */ - require(pubKeyDigest = SecSHA1DigestCreate(allocator, - CFDataGetBytePtr(pubKeyBlob), CFDataGetLength(pubKeyBlob)), - errOut); + require_quiet(pubKeyDigest = SecSHA1DigestCreate(allocator, + CFDataGetBytePtr(pubKeyBlob), CFDataGetLength(pubKeyBlob)), + errOut); DICT_ADDPAIR(kSecClass, kSecClassKey); DICT_ADDPAIR(kSecAttrKeyClass, privateBlob ? kSecAttrKeyClassPrivate : kSecAttrKeyClassPublic); 
@@ -164,15 +121,15 @@ static CFDictionaryRef SecKeyCopyAttributeDictionaryWithLocalKey(SecKeyRef key, DICT_ADDPAIR(kSecAttrWasAlwaysSensitive, kCFBooleanFalse); DICT_ADDPAIR(kSecAttrIsExtractable, kCFBooleanTrue); DICT_ADDPAIR(kSecAttrWasNeverExtractable, kCFBooleanFalse); - DICT_ADDPAIR(kSecAttrCanEncrypt, kCFBooleanFalse); - DICT_ADDPAIR(kSecAttrCanDecrypt, kCFBooleanTrue); + DICT_ADDPAIR(kSecAttrCanEncrypt, privateBlob ? kCFBooleanFalse : kCFBooleanTrue); + DICT_ADDPAIR(kSecAttrCanDecrypt, privateBlob ? kCFBooleanTrue : kCFBooleanFalse); DICT_ADDPAIR(kSecAttrCanDerive, kCFBooleanTrue); - DICT_ADDPAIR(kSecAttrCanSign, kCFBooleanTrue); - DICT_ADDPAIR(kSecAttrCanVerify, kCFBooleanFalse); + DICT_ADDPAIR(kSecAttrCanSign, privateBlob ? kCFBooleanTrue : kCFBooleanFalse); + DICT_ADDPAIR(kSecAttrCanVerify, privateBlob ? kCFBooleanFalse : kCFBooleanTrue); DICT_ADDPAIR(kSecAttrCanSignRecover, kCFBooleanFalse); DICT_ADDPAIR(kSecAttrCanVerifyRecover, kCFBooleanFalse); - DICT_ADDPAIR(kSecAttrCanWrap, kCFBooleanFalse); - DICT_ADDPAIR(kSecAttrCanUnwrap, kCFBooleanTrue); + DICT_ADDPAIR(kSecAttrCanWrap, privateBlob ? kCFBooleanFalse : kCFBooleanTrue); + DICT_ADDPAIR(kSecAttrCanUnwrap, privateBlob ? kCFBooleanTrue : kCFBooleanFalse); DICT_ADDPAIR(kSecValueData, privateBlob ? privateBlob : pubKeyBlob); dict = DICT_CREATE(allocator); @@ -208,6 +165,9 @@ static CFStringRef SecKeyCopyDescription(CFTypeRef cf) { static void SecKeyDestroy(CFTypeRef cf) { SecKeyRef key = (SecKeyRef)cf; +#if !TARGET_OS_IPHONE + CFReleaseSafe(key->cdsaKey); +#endif if (key->key_class->destroy) key->key_class->destroy(key); } @@ -220,6 +180,8 @@ static Boolean SecKeyEqual(CFTypeRef cf1, CFTypeRef cf2) return true; if (!key2 || key1->key_class != key2->key_class) return false; + if (key1->key_class->version >= 4 && key1->key_class->isEqual) + return key1->key_class->isEqual(key1, key2); if (key1->key_class->extraBytes) return !memcmp(key1->key, key2->key, key1->key_class->extraBytes); 
@@ -227,6 +189,10 @@ static Boolean SecKeyEqual(CFTypeRef cf1, CFTypeRef cf2) CFDictionaryRef d1, d2; d1 = SecKeyCopyAttributeDictionary(key1); d2 = SecKeyCopyAttributeDictionary(key2); + // Returning NULL is an error; bail out of the equality check + if(!d1 || !d2) { + return false; + } Boolean result = CFEqual(d1, d2); CFReleaseSafe(d1); CFReleaseSafe(d2); @@ -299,7 +265,7 @@ CFIndex SecKeyGetAlgorithmIdentifier(SecKeyRef key) { if (key->key_class->version > 0 && key->key_class->getAlgorithmID) { return key->key_class->getAlgorithmID(key); } - /* All version 0 key were RSA. */ + /* All version 0 keys were RSA. */ return kSecRSAAlgorithmID; } @@ -314,17 +280,17 @@ OSStatus SecKeyGeneratePair(CFDictionaryRef parameters, CFStringRef ktype = CFDictionaryGetValue(parameters, kSecAttrKeyType); CFStringRef tokenID = CFDictionaryGetValue(parameters, kSecAttrTokenID); - require(ktype, errOut); + require_quiet(ktype, errOut); if (tokenID != NULL) { result = SecCTKKeyGeneratePair(parameters, &pubKey, &privKey); - } else if (CFEqual(ktype, kSecAttrKeyTypeEC)) { + } else if (CFEqual(ktype, kSecAttrKeyTypeECSECPrimeRandom)) { result = SecECKeyGeneratePair(parameters, &pubKey, &privKey); } else if (CFEqual(ktype, kSecAttrKeyTypeRSA)) { result = SecRSAKeyGeneratePair(parameters, &pubKey, &privKey); } - require_noerr(result, errOut); + require_noerr_quiet(result, errOut); /* Store the keys in the keychain if they are marked as permanent. */ if (getBoolForKey(pubParams, kSecAttrIsPermanent, false)) { 
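Review bot: The added NULL check in SecKeyEqual leaks whichever attribute dictionary was successfully created when only one of the two `SecKeyCopyAttributeDictionary` calls fails: `if(!d1 || !d2) { return false; }` returns before the `CFReleaseSafe(d1); CFReleaseSafe(d2);` that follows. Release both before bailing out, `if (!d1 || !d2) { CFReleaseSafe(d1); CFReleaseSafe(d2); return false; }`. SecKeyEqual begins in the preceding hunk, so its earlier early-returns are not visible here.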
@@ -354,24 +320,13 @@ errOut: } SecKeyRef SecKeyCreatePublicFromPrivate(SecKeyRef privateKey) { - CFDataRef serializedPublic = NULL; - SecKeyRef result = NULL; - - require_noerr_quiet(SecKeyCopyPublicBytes(privateKey, &serializedPublic), fail); - require_quiet(serializedPublic, fail); - - result = SecKeyCreateFromPublicData(kCFAllocatorDefault, SecKeyGetAlgorithmIdentifier(privateKey), serializedPublic); - -fail: - CFReleaseSafe(serializedPublic); - - return result; + return SecKeyCopyPublicKey(privateKey); } CFDictionaryRef CreatePrivateKeyMatchingQuery(SecKeyRef publicKey, bool returnPersistentRef) { const CFTypeRef refType = (returnPersistentRef) ? kSecReturnPersistentRef: kSecReturnRef; - + CFDataRef public_key_hash = SecKeyCopyPublicKeyHash(publicKey); CFDictionaryRef query = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, @@ -401,14 +356,14 @@ SecKeyRef SecKeyCopyMatchingPrivateKey(SecKeyRef publicKey, CFErrorRef *error) { SecKeyRef privateKey = NULL; CFTypeRef queryResult = NULL; CFDictionaryRef query = NULL; - + require_action_quiet(publicKey != NULL, errOut, SecError(errSecParam, error, CFSTR("Null Public Key"))); query = CreatePrivateKeyMatchingQuery(publicKey, false); require_quiet(SecError(SecItemCopyMatching(query, &queryResult), error, CFSTR("Error finding private key from public: %@"), publicKey), errOut); - + if (CFGetTypeID(queryResult) == SecKeyGetTypeID()) { privateKey = (SecKeyRef) queryResult; queryResult = NULL; 
@@ -424,17 +379,17 @@ OSStatus SecKeyGetMatchingPrivateKeyStatus(SecKeyRef publicKey, CFErrorRef *erro OSStatus retval = errSecParam; CFTypeRef private_key = NULL; CFDictionaryRef query = NULL; - + require_action_quiet(publicKey != NULL, errOut, SecError(errSecParam, error, NULL, CFSTR("Null Public Key"))); query = CreatePrivateKeyMatchingQuery(publicKey, false); - + retval = SecItemCopyMatching(query, &private_key); - + if (!retval && CFGetTypeID(private_key) != SecKeyGetTypeID()) { retval = errSecInternalComponent; } - + errOut: CFReleaseNull(query); CFReleaseNull(private_key); @@ -448,7 +403,11 @@ SecKeyRef SecKeyCreatePublicFromDER(CFAllocatorRef allocator, SecKeyRef publicKey = NULL; if (SecAsn1OidCompare(oid, &CSSMOID_RSA)) { /* pkcs1 1 */ - publicKey = SecKeyCreateRSAPublicKey(kCFAllocatorDefault, + /* Note that we call SecKeyCreateRSAPublicKey_ios directly instead of + SecKeyCreateRSAPublicKey, since on OS X the latter function will return + a CSSM SecKeyRef, and we always want an iOS format SecKeyRef here. + */ + publicKey = SecKeyCreateRSAPublicKey_ios(allocator, keyData->Data, keyData->Length, kSecKeyEncodingPkcs1); } else if (SecAsn1OidCompare(oid, &CSSMOID_ecPublicKey)) { SecDERKey derKey = { @@ -461,7 +420,7 @@ SecKeyRef SecKeyCreatePublicFromDER(CFAllocatorRef allocator, derKey.parameters = params->Data; derKey.parametersLength = params->Length; } - publicKey = SecKeyCreateECPublicKey(kCFAllocatorDefault, + publicKey = SecKeyCreateECPublicKey(allocator, (const uint8_t *)&derKey, sizeof(derKey), kSecDERKeyEncoding); } else { secwarning("Unsupported algorithm oid"); 
@@ -540,84 +499,94 @@ SecKeyRef SecKeyCreate(CFAllocatorRef allocator, return result; } -enum { - kSecKeyDigestInfoSign, - kSecKeyDigestInfoVerify -}; - -static OSStatus SecKeyDigestInfoSignVerify( - SecKeyRef key, /* Private key */ - SecPadding padding, /* kSecPaddingPKCS1@@@ */ - const uint8_t *dataToSign, /* signature over this data */ - size_t dataToSignLen, /* length of dataToSign */ - uint8_t *sig, /* signature, RETURNED */ - size_t *sigLen, /* IN/OUT */ - int mode) { - size_t digestInfoLength = DER_MAX_DIGEST_INFO_LEN; - uint8_t digestInfo[digestInfoLength]; - const SecAsn1Oid *digestOid; - size_t digestLen; - - switch (padding) { -#if 0 - case kSecPaddingPKCS1MD2: - digestLen = CC_MD2_DIGEST_LENGTH; - digestOid = &CSSMOID_MD2; - break; - case kSecPaddingPKCS1MD4: - digestLen = CC_MD4_DIGEST_LENGTH; - digestOid = &CSSMOID_MD4; - break; - case kSecPaddingPKCS1MD5: - digestLen = CC_MD5_DIGEST_LENGTH; - digestOid = &CSSMOID_MD5; - break; +static SecKeyAlgorithm SecKeyGetSignatureAlgorithmForPadding(SecKeyRef key, SecPadding padding) { + switch (SecKeyGetAlgorithmIdentifier(key)) { + case kSecRSAAlgorithmID: + switch (padding) { + case kSecPaddingNone: + return kSecKeyAlgorithmRSASignatureRaw; + case kSecPaddingPKCS1: + return kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw; +#if TARGET_OS_IPHONE + case kSecPaddingPKCS1SHA1: + return kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1; + case kSecPaddingPKCS1SHA224: + return kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224; + case kSecPaddingPKCS1SHA256: + return kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256; + case kSecPaddingPKCS1SHA384: + return kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384; + case kSecPaddingPKCS1SHA512: + return kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512; +#else + // On CSSM-based implementation, these functions actually did hash its input, + // so keep doing that for backward compatibility. 
+ case kSecPaddingPKCS1SHA1: + return kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1; + case kSecPaddingPKCS1SHA224: + return kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224; + case kSecPaddingPKCS1SHA256: + return kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256; + case kSecPaddingPKCS1SHA384: + return kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384; + case kSecPaddingPKCS1SHA512: + return kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512; #endif - case kSecPaddingPKCS1SHA1: - digestLen = CC_SHA1_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA1; - break; - case kSecPaddingPKCS1SHA224: - digestLen = CC_SHA224_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA224; - break; - case kSecPaddingPKCS1SHA256: - digestLen = CC_SHA256_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA256; - break; - case kSecPaddingPKCS1SHA384: - digestLen = CC_SHA384_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA384; - break; - case kSecPaddingPKCS1SHA512: - digestLen = CC_SHA512_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA512; - break; + default: + return NULL; + } + case kSecECDSAAlgorithmID: + switch (padding) { + case kSecPaddingSigRaw: + return kSecKeyAlgorithmECDSASignatureRFC4754; + default: + // Although it is not very logical, previous SecECKey implementation really considered + // anything else than SigRaw (incl. None!) as PKCS1 (i.e. x962), so we keep the behaviour + // for backward compatibility. + return kSecKeyAlgorithmECDSASignatureDigestX962; + } default: - return errSecUnsupportedPadding; + return NULL; } +} - if (dataToSignLen != digestLen) - return errSecParam; - - size_t offset = DEREncodeDigestInfoPrefix(digestOid, digestLen, - digestInfo, digestInfoLength); - if (!offset) - return errSecBufferTooSmall; - - /* Append the digest to the digestInfo prefix and adjust the length. 
*/ - memcpy(&digestInfo[offset], dataToSign, digestLen); - digestInfoLength = offset + digestLen; - - if (mode == kSecKeyDigestInfoSign) { - return key->key_class->rawSign(key, kSecPaddingPKCS1, - digestInfo, digestInfoLength, sig, sigLen); - } else { - return key->key_class->rawVerify(key, kSecPaddingPKCS1, - digestInfo, digestInfoLength, sig, *sigLen); +// Generic wrapper helper for invoking new-style CFDataRef-based operations with ptr/length arguments +// used by legacy RawSign-style functions. +static OSStatus SecKeyPerformLegacyOperation(SecKeyRef key, + const uint8_t *in1Ptr, size_t in1Len, + const uint8_t *in2Ptr, size_t in2Len, + uint8_t *outPtr, size_t *outLen, + CFTypeRef (^operation)(CFDataRef in1, CFDataRef in2, CFRange *resultRange, CFErrorRef *error)) { + CFErrorRef error = NULL; + OSStatus status = errSecSuccess; + CFDataRef in1 = CFDataCreateWithBytesNoCopy(NULL, in1Ptr, in1Len, kCFAllocatorNull); + CFDataRef in2 = in2Ptr ? CFDataCreateWithBytesNoCopy(NULL, in2Ptr, in2Len, kCFAllocatorNull) : NULL; + CFRange range = { 0, -1 }; + CFTypeRef output = operation(in1, in2, &range, &error); + require_quiet(output, out); + if (CFGetTypeID(output) == CFDataGetTypeID() && outLen != NULL) { + if (range.length == -1) { + range.length = CFDataGetLength(output); + } + require_action_quiet((size_t)range.length <= *outLen, out, + SecError(errSecParam, &error, CFSTR("buffer too small"))); + *outLen = range.length; + CFDataGetBytes(output, range, outPtr); } - return errSecSuccess; +out: + CFReleaseSafe(in1); + CFReleaseSafe(in2); + CFReleaseSafe(output); + if (error != NULL) { + status = (OSStatus)CFErrorGetCode(error); + if (status == errSecVerifyFailed) { + // Legacy functions used errSSLCrypto, while new implementation uses errSecVerifyFailed. + status = errSSLCrypto; + } + CFRelease(error); + } + return status; } OSStatus SecKeyRawSign( 
@@ -627,16 +596,14 @@ OSStatus SecKeyRawSign( size_t dataToSignLen, /* length of dataToSign */ uint8_t *sig, /* signature, RETURNED */ size_t *sigLen) { /* IN/OUT */ - if (!key->key_class->rawSign) - return errSecUnsupportedOperation; - - if (padding < kSecPaddingPKCS1MD2) { - return key->key_class->rawSign(key, padding, dataToSign, dataToSignLen, - sig, sigLen); - } else { - return SecKeyDigestInfoSignVerify(key, padding, dataToSign, dataToSignLen, - sig, sigLen, kSecKeyDigestInfoSign); + SecKeyAlgorithm algorithm = SecKeyGetSignatureAlgorithmForPadding(key, padding); + if (algorithm == NULL) { + return errSecParam; } + return SecKeyPerformLegacyOperation(key, dataToSign, dataToSignLen, NULL, 0, sig, sigLen, + ^CFTypeRef(CFDataRef in1, CFDataRef in2, CFRange *range, CFErrorRef *error) { + return SecKeyCreateSignature(key, algorithm, in1, error); + }); } OSStatus SecKeyRawVerify( 
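Review bot: SecKeyPerformLegacyOperation fails open: `status` starts as `errSecSuccess` and is only overwritten in the `out:` path when `error` is non-NULL, so any operation block that returns NULL without populating `error` makes the wrapper report success to its caller — and because the verify wrappers built on it signal a failed verification by returning NULL, such a path turns into a successful verify. Make failure the default and grant success only once an output exists, e.g. replace `require_quiet(output, out);` with `require_action_quiet(output, out, status = errSecInternalComponent);` and let the existing `CFErrorGetCode` assignment refine it. Separately, `CFDataGetBytes(output, range, outPtr)` is reached whenever `outLen != NULL`, so a caller passing a NULL `outPtr` (a size-query style call, if any legacy caller does that) would write through NULL; either guard it, `require_action_quiet(outPtr != NULL, out, SecError(errSecParam, &error, CFSTR("no output buffer")));`, or state in the header comment that output buffers are mandatory.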
@@ -646,19 +613,33 @@ OSStatus SecKeyRawVerify( size_t signedDataLen, /* length of dataToSign */ const uint8_t *sig, /* signature */ size_t sigLen) { /* length of signature */ - if (!key->key_class->rawVerify) - return errSecUnsupportedOperation; + SecKeyAlgorithm algorithm = SecKeyGetSignatureAlgorithmForPadding(key, padding); + if (algorithm == NULL) { + return errSecParam; + } + OSStatus status = SecKeyPerformLegacyOperation(key, signedData, signedDataLen, sig, sigLen, NULL, NULL, + ^CFTypeRef(CFDataRef in1, CFDataRef in2, CFRange *range, CFErrorRef *error) { + return in2 != NULL && SecKeyVerifySignature(key, algorithm, in1, in2, error) + ? kCFBooleanTrue : NULL; + }); + return status; +} - if (padding < kSecPaddingPKCS1MD2) { - return key->key_class->rawVerify(key, padding, signedData, signedDataLen, - sig, sigLen); - } else { - /* Casting away the constness of sig is safe since - SecKeyDigestInfoSignVerify only modifies sig if - mode == kSecKeyDigestInfoSign. */ - return SecKeyDigestInfoSignVerify(key, padding, - signedData, signedDataLen, (uint8_t *)sig, &sigLen, - kSecKeyDigestInfoVerify); +static SecKeyAlgorithm SecKeyGetEncryptionAlgorithmForPadding(SecKeyRef key, SecPadding padding) { + switch (SecKeyGetAlgorithmIdentifier(key)) { + case kSecRSAAlgorithmID: + switch (padding) { + case kSecPaddingNone: + return kSecKeyAlgorithmRSAEncryptionRaw; + case kSecPaddingPKCS1: + return kSecKeyAlgorithmRSAEncryptionPKCS1; + case kSecPaddingOAEP: + return kSecKeyAlgorithmRSAEncryptionOAEPSHA1; + default: + return NULL; + } + default: + return NULL; } } 
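Review bot: In SecKeyRawVerify the block `return in2 != NULL && SecKeyVerifySignature(key, algorithm, in1, in2, error) ? kCFBooleanTrue : NULL;` returns NULL without touching `error` when `sig` is NULL, and SecKeyPerformLegacyOperation then returns its initial `errSecSuccess`, so `SecKeyRawVerify(key, padding, data, len, NULL, 0)` reports a valid signature. Reject the missing signature before calling the helper, `if (sig == NULL) { return errSecParam; }`, or have the block populate the error, `if (in2 == NULL) { SecError(errSecParam, error, CFSTR("missing signature")); return NULL; }`. Either way the success/failure contract of this wrapper should not depend on whether a callee remembered to set `error`.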
@@ -669,10 +650,15 @@ OSStatus SecKeyEncrypt( size_t plainTextLen, /* length of plainText */ uint8_t *cipherText, size_t *cipherTextLen) { /* IN/OUT */ - if (key->key_class->encrypt) - return key->key_class->encrypt(key, padding, plainText, plainTextLen, - cipherText, cipherTextLen); - return errSecUnsupportedOperation; + SecKeyAlgorithm algorithm = SecKeyGetEncryptionAlgorithmForPadding(key, padding); + if (algorithm == NULL) { + return errSecParam; + } + + return SecKeyPerformLegacyOperation(key, plainText, plainTextLen, NULL, 0, cipherText, cipherTextLen, + ^CFTypeRef(CFDataRef in1, CFDataRef in2, CFRange *range, CFErrorRef *error) { + return SecKeyCreateEncryptedData(key, algorithm, in1, error); + }); } OSStatus SecKeyDecrypt( @@ -682,10 +668,27 @@ OSStatus SecKeyDecrypt( size_t cipherTextLen, /* length of cipherText */ uint8_t *plainText, size_t *plainTextLen) { /* IN/OUT */ - if (key->key_class->decrypt) - return key->key_class->decrypt(key, padding, cipherText, cipherTextLen, - plainText, plainTextLen); - return errSecUnsupportedOperation; + SecKeyAlgorithm algorithm = SecKeyGetEncryptionAlgorithmForPadding(key, padding); + if (algorithm == NULL) { + return errSecParam; + } + return SecKeyPerformLegacyOperation(key, cipherText, cipherTextLen, NULL, 0, plainText, plainTextLen, + ^CFTypeRef(CFDataRef in1, CFDataRef in2, CFRange *range, CFErrorRef *error) { + CFDataRef decrypted = SecKeyCreateDecryptedData(key, algorithm, in1, error); + const UInt8 *data; + if (decrypted != NULL && algorithm == kSecKeyAlgorithmRSAEncryptionRaw && + *(data = CFDataGetBytePtr(decrypted)) == 0x00) { + // Strip zero-padding from the beginning of the block, as the contract of this + // function says. + range->length = CFDataGetLength(decrypted); + while (*data == 0x00 && range->length > 0) { + range->location++; + range->length--; + data++; + } + } + return decrypted; + }); } size_t SecKeyGetBlockSize(SecKeyRef key) { 
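Review bot: The zero-stripping loop in the SecKeyDecrypt block reads past the end of `decrypted`: `*(data = CFDataGetBytePtr(decrypted)) == 0x00` dereferences byte 0 without checking that the plaintext is non-empty, and `while (*data == 0x00 && range->length > 0)` tests the byte before the remaining length, so an all-zero block dereferences one byte beyond the buffer on its final iteration. Reorder both checks so the length is tested first: `CFDataGetLength(decrypted) > 0 && *(data = CFDataGetBytePtr(decrypted)) == 0x00` and `while (range->length > 0 && *data == 0x00)`. Since this strips every leading zero rather than a fixed PKCS#1 prefix, a raw-padding plaintext that legitimately begins with 0x00 comes back shorter; the comment says that is the documented contract, but a unit test pinning that behaviour would be worthwhile.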
@@ -703,357 +706,165 @@ CFDictionaryRef SecKeyCopyAttributeDictionary(SecKeyRef key) { } SecKeyRef SecKeyCreateFromAttributeDictionary(CFDictionaryRef refAttributes) { - /* TODO: Support having an allocator in refAttributes. */ - CFAllocatorRef allocator = NULL; - CFDataRef data = CFDictionaryGetValue(refAttributes, kSecValueData); - CFTypeRef ktype = CFDictionaryGetValue(refAttributes, kSecAttrKeyType); - SInt32 algorithm; - SecKeyRef ref; - - /* First figure out the key type (algorithm). */ - if (CFGetTypeID(ktype) == CFNumberGetTypeID()) { - CFNumberGetValue(ktype, kCFNumberSInt32Type, &algorithm); - } else if (isString(ktype)) { - algorithm = CFStringGetIntValue(ktype); - CFStringRef t = CFStringCreateWithFormat(0, 0, CFSTR("%ld"), (long) algorithm); - if (!CFEqual(t, ktype)) { - secwarning("Unsupported key class: %@", ktype); - CFReleaseSafe(t); - return NULL; - } - CFReleaseSafe(t); - } else { - secwarning("Unsupported key type: %@", ktype); - return NULL; - } - - /* TODO: The code below won't scale well, consider moving to something - table driven. 
*/ - SInt32 class; - CFTypeRef kclass = CFDictionaryGetValue(refAttributes, kSecAttrKeyClass); - if (CFGetTypeID(kclass) == CFNumberGetTypeID()) { - CFNumberGetValue(kclass, kCFNumberSInt32Type, &class); - } else if (isString(kclass)) { - class = CFStringGetIntValue(kclass); - CFStringRef t = CFStringCreateWithFormat(0, 0, CFSTR("%ld"), (long) class); - if (!CFEqual(t, kclass)) { - CFReleaseSafe(t); - secwarning("Unsupported key class: %@", kclass); - return NULL; - } - CFReleaseSafe(t); - } else { - secwarning("Unsupported key class: %@", kclass); - return NULL; - } - - switch (class) { - case 0: // kSecAttrKeyClassPublic - switch (algorithm) { - case 42: // kSecAlgorithmRSA - ref = SecKeyCreateRSAPublicKey(allocator, - CFDataGetBytePtr(data), CFDataGetLength(data), - kSecKeyEncodingBytes); - break; - case 43: // kSecAlgorithmECDSA - case 73: // kSecAlgorithmEC - ref = SecKeyCreateECPublicKey(allocator, - CFDataGetBytePtr(data), CFDataGetLength(data), - kSecKeyEncodingBytes); - break; - default: - secwarning("Unsupported public key type: %@", ktype); - ref = NULL; - break; - }; - break; - case 1: // kSecAttrKeyClassPrivate - if (CFDictionaryGetValue(refAttributes, kSecAttrTokenID) != NULL) { - ref = SecKeyCreateCTKKey(allocator, refAttributes); - break; - } - switch (algorithm) { - case 42: // kSecAlgorithmRSA - ref = SecKeyCreateRSAPrivateKey(allocator, - CFDataGetBytePtr(data), CFDataGetLength(data), - kSecKeyEncodingBytes); - break; - case 43: // kSecAlgorithmECDSA - case 73: // kSecAlgorithmEC - ref = SecKeyCreateECPrivateKey(allocator, - CFDataGetBytePtr(data), CFDataGetLength(data), - kSecKeyEncodingBytes); - break; - default: - secwarning("Unsupported private key type: %@", ktype); - ref = NULL; - break; - }; - break; - case 2: // kSecAttrKeyClassSymmetric - secwarning("Unsupported symmetric key type: %@", ktype); - ref = NULL; - break; - default: - secwarning("Unsupported key class: %@", kclass); - ref = NULL; + CFErrorRef error = NULL; + SecKeyRef key = 
SecKeyCreateWithData(CFDictionaryGetValue(refAttributes, kSecValueData), refAttributes, &error); + if (key == NULL) { + CFStringRef description = CFErrorCopyDescription(error); + secwarning("%@", description); + CFRelease(description); + CFRelease(error); } - - return ref; + return key; } -/* TODO: This function should ensure that this keys algorithm matches the - signature algorithm. */ -static OSStatus SecKeyGetDigestInfo(SecKeyRef this, const SecAsn1AlgId *algId, - const uint8_t *data, size_t dataLen, bool digestData, - uint8_t *digestInfo, size_t *digestInfoLen /* IN/OUT */) { - unsigned char *(*digestFcn)(const void *, CC_LONG, unsigned char *); - CFIndex keyAlgID = kSecNullAlgorithmID; - const SecAsn1Oid *digestOid; - size_t digestLen; - size_t offset = 0; - - /* Since these oids all have the same prefix, use switch. */ - if ((algId->algorithm.Length == CSSMOID_RSA.Length) && - !memcmp(algId->algorithm.Data, CSSMOID_RSA.Data, - algId->algorithm.Length - 1)) { - keyAlgID = kSecRSAAlgorithmID; - switch (algId->algorithm.Data[algId->algorithm.Length - 1]) { -#if 0 - case 2: /* oidMD2WithRSA */ - digestFcn = CC_MD2; - digestLen = CC_MD2_DIGEST_LENGTH; - digestOid = &CSSMOID_MD2; - break; - case 3: /* oidMD4WithRSA */ - digestFcn = CC_MD4; - digestLen = CC_MD4_DIGEST_LENGTH; - digestOid = &CSSMOID_MD4; - break; - case 4: /* oidMD5WithRSA */ - digestFcn = CC_MD5; - digestLen = CC_MD5_DIGEST_LENGTH; - digestOid = &CSSMOID_MD5; - break; -#endif /* 0 */ - case 5: /* oidSHA1WithRSA */ - digestFcn = CC_SHA1; - digestLen = CC_SHA1_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA1; - break; - case 11: /* oidSHA256WithRSA */ - digestFcn = CC_SHA256; - digestLen = CC_SHA256_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA256; - break; - case 12: /* oidSHA384WithRSA */ - /* pkcs1 12 */ - digestFcn = CC_SHA384; - digestLen = CC_SHA384_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA384; - break; - case 13: /* oidSHA512WithRSA */ - digestFcn = CC_SHA512; - digestLen = CC_SHA512_DIGEST_LENGTH; - 
digestOid = &CSSMOID_SHA512; - break; - case 14: /* oidSHA224WithRSA */ - digestFcn = CC_SHA224; - digestLen = CC_SHA224_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA224; - break; - default: - secdebug("key", "unsupported rsa signature algorithm"); - return errSecUnsupportedAlgorithm; - } - } else if ((algId->algorithm.Length == CSSMOID_ECDSA_WithSHA224.Length) && - !memcmp(algId->algorithm.Data, CSSMOID_ECDSA_WithSHA224.Data, - algId->algorithm.Length - 1)) { - keyAlgID = kSecECDSAAlgorithmID; - switch (algId->algorithm.Data[algId->algorithm.Length - 1]) { - case 1: /* oidSHA224WithECDSA */ - digestFcn = CC_SHA224; - digestLen = CC_SHA224_DIGEST_LENGTH; - break; - case 2: /* oidSHA256WithECDSA */ - digestFcn = CC_SHA256; - digestLen = CC_SHA256_DIGEST_LENGTH; - break; - case 3: /* oidSHA384WithECDSA */ - /* pkcs1 12 */ - digestFcn = CC_SHA384; - digestLen = CC_SHA384_DIGEST_LENGTH; - break; - case 4: /* oidSHA512WithECDSA */ - digestFcn = CC_SHA512; - digestLen = CC_SHA512_DIGEST_LENGTH; - break; - default: - secdebug("key", "unsupported ecdsa signature algorithm"); - return errSecUnsupportedAlgorithm; - } - } else if (SecAsn1OidCompare(&algId->algorithm, &CSSMOID_ECDSA_WithSHA1)) { - keyAlgID = kSecECDSAAlgorithmID; - digestFcn = CC_SHA1; - digestLen = CC_SHA1_DIGEST_LENGTH; - } else if (SecAsn1OidCompare(&algId->algorithm, &CSSMOID_SHA1)) { - digestFcn = CC_SHA1; - digestLen = CC_SHA1_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA1; - } else if ((algId->algorithm.Length == CSSMOID_SHA224.Length) && - !memcmp(algId->algorithm.Data, CSSMOID_SHA224.Data, algId->algorithm.Length - 1)) - { - switch (algId->algorithm.Data[algId->algorithm.Length - 1]) { - case 4: /* OID_SHA224 */ - digestFcn = CC_SHA224; - digestLen = CC_SHA224_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA224; - break; - case 1: /* OID_SHA256 */ - digestFcn = CC_SHA256; - digestLen = CC_SHA256_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA256; - break; - case 2: /* OID_SHA384 */ - /* pkcs1 12 */ - digestFcn = 
CC_SHA384; - digestLen = CC_SHA384_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA384; - break; - case 3: /* OID_SHA512 */ - digestFcn = CC_SHA512; - digestLen = CC_SHA512_DIGEST_LENGTH; - digestOid = &CSSMOID_SHA512; - break; - default: - secdebug("key", "unsupported sha-2 signature algorithm"); - return errSecUnsupportedAlgorithm; - } - } else if (SecAsn1OidCompare(&algId->algorithm, &CSSMOID_MD5)) { - digestFcn = CC_MD5; - digestLen = CC_MD5_DIGEST_LENGTH; - digestOid = &CSSMOID_MD5; - } else { - secdebug("key", "unsupported digesting algorithm"); - return errSecUnsupportedAlgorithm; - } - - /* check key is appropriate for signature (superfluous for digest only oid) */ - if (keyAlgID == kSecNullAlgorithmID) - keyAlgID = SecKeyGetAlgorithmIdentifier(this); - else if (keyAlgID != SecKeyGetAlgorithmIdentifier(this)) - return errSecUnsupportedAlgorithm; - - switch(keyAlgID) { +static SecKeyAlgorithm SecKeyGetAlgorithmForSecAsn1AlgId(SecKeyRef key, const SecAsn1AlgId *algId, bool digestData) { + static const struct TableItem { + const SecAsn1Oid *oid1, *oid2; + const SecKeyAlgorithm *algorithms[2]; + } translationTableRSA[] = { + { &CSSMOID_SHA1WithRSA, &CSSMOID_SHA1, { + [false] = &kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, + [true] = &kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1, + } }, + { &CSSMOID_SHA224WithRSA, &CSSMOID_SHA224, { + [false] = &kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224, + [true] = &kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224, + } }, + { &CSSMOID_SHA256WithRSA, &CSSMOID_SHA256, { + [false] = &kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256, + [true] = &kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256, + } }, + { &CSSMOID_SHA384WithRSA, &CSSMOID_SHA384, { + [false] = &kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384, + [true] = &kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384, + } }, + { &CSSMOID_SHA512WithRSA, &CSSMOID_SHA512, { + [false] = &kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512, + [true] = 
&kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512, + } }, + { &CSSMOID_MD5, NULL, { + [false] = &kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5, + [true] = &kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5, + } }, + { NULL }, + }, translationTableECDSA[] = { + { &CSSMOID_ECDSA_WithSHA1, &CSSMOID_SHA1, { + [false] = &kSecKeyAlgorithmECDSASignatureDigestX962, + [true] = &kSecKeyAlgorithmECDSASignatureMessageX962SHA1, + } }, + { &CSSMOID_ECDSA_WithSHA224, &CSSMOID_SHA224, { + [false] = &kSecKeyAlgorithmECDSASignatureDigestX962, + [true] = &kSecKeyAlgorithmECDSASignatureMessageX962SHA224, + } }, + { &CSSMOID_ECDSA_WithSHA256, &CSSMOID_SHA256, { + [false] = &kSecKeyAlgorithmECDSASignatureDigestX962, + [true] = &kSecKeyAlgorithmECDSASignatureMessageX962SHA256, + } }, + { &CSSMOID_ECDSA_WithSHA384, &CSSMOID_SHA384, { + [false] = &kSecKeyAlgorithmECDSASignatureDigestX962, + [true] = &kSecKeyAlgorithmECDSASignatureMessageX962SHA384, + } }, + { &CSSMOID_ECDSA_WithSHA512, &CSSMOID_SHA512, { + [false] = &kSecKeyAlgorithmECDSASignatureDigestX962, + [true] = &kSecKeyAlgorithmECDSASignatureMessageX962SHA512, + } }, + { NULL }, + }; + + const struct TableItem *table; + switch (SecKeyGetAlgorithmIdentifier(key)) { case kSecRSAAlgorithmID: - offset = DEREncodeDigestInfoPrefix(digestOid, digestLen, - digestInfo, *digestInfoLen); - if (!offset) - return errSecBufferTooSmall; - break; - case kSecDSAAlgorithmID: - if (digestOid != &CSSMOID_SHA1) - return errSecUnsupportedAlgorithm; + table = translationTableRSA; break; case kSecECDSAAlgorithmID: + table = translationTableECDSA; break; default: - secdebug("key", "unsupported signature algorithm"); - return errSecUnsupportedAlgorithm; + return NULL; } - if (digestData) { - if(dataLen>UINT32_MAX) /* Check for overflow with CC_LONG cast */ - return errSecParam; - digestFcn(data, (CC_LONG)dataLen, &digestInfo[offset]); - *digestInfoLen = offset + digestLen; - } else { - if (dataLen != digestLen) - return errSecParam; - 
memcpy(&digestInfo[offset], data, dataLen); - *digestInfoLen = offset + dataLen; + for (; table->oid1 != NULL; table++) { + if (SecAsn1OidCompare(table->oid1, &algId->algorithm) || + (table->oid2 != NULL && SecAsn1OidCompare(table->oid2, &algId->algorithm))) { + return *table->algorithms[digestData]; + } } - - return errSecSuccess; + return NULL; } OSStatus SecKeyDigestAndVerify( - SecKeyRef this, /* Private key */ + SecKeyRef key, /* Private key */ const SecAsn1AlgId *algId, /* algorithm oid/params */ const uint8_t *dataToDigest, /* signature over this data */ size_t dataToDigestLen,/* length of dataToDigest */ const uint8_t *sig, /* signature to verify */ size_t sigLen) { /* length of sig */ - size_t digestInfoLength = DER_MAX_DIGEST_INFO_LEN; - uint8_t digestInfo[digestInfoLength]; - OSStatus status; - if (this == NULL) - return errSecParam; + SecKeyAlgorithm algorithm = SecKeyGetAlgorithmForSecAsn1AlgId(key, algId, true); + if (algorithm == NULL) { + return errSecUnimplemented; + } - status = SecKeyGetDigestInfo(this, algId, dataToDigest, dataToDigestLen, true, - digestInfo, &digestInfoLength); - if (status) - return status; - return SecKeyRawVerify(this, kSecPaddingPKCS1, - digestInfo, digestInfoLength, sig, sigLen); + return SecKeyPerformLegacyOperation(key, dataToDigest, dataToDigestLen, sig, sigLen, NULL, NULL, + ^CFTypeRef(CFDataRef in1, CFDataRef in2, CFRange *range, CFErrorRef *error) { + return SecKeyVerifySignature(key, algorithm, in1, in2, error) ? 
+ kCFBooleanTrue : NULL; + }); } OSStatus SecKeyDigestAndSign( - SecKeyRef this, /* Private key */ + SecKeyRef key, /* Private key */ const SecAsn1AlgId *algId, /* algorithm oid/params */ const uint8_t *dataToDigest, /* signature over this data */ size_t dataToDigestLen,/* length of dataToDigest */ uint8_t *sig, /* signature, RETURNED */ size_t *sigLen) { /* IN/OUT */ - size_t digestInfoLength = DER_MAX_DIGEST_INFO_LEN; - uint8_t digestInfo[digestInfoLength]; - OSStatus status; - - status = SecKeyGetDigestInfo(this, algId, dataToDigest, dataToDigestLen, true /* digest data */, - digestInfo, &digestInfoLength); - if (status) - return status; - return SecKeyRawSign(this, kSecPaddingPKCS1, - digestInfo, digestInfoLength, sig, sigLen); + SecKeyAlgorithm algorithm = SecKeyGetAlgorithmForSecAsn1AlgId(key, algId, true); + if (algorithm == NULL) { + return errSecUnimplemented; + } + + return SecKeyPerformLegacyOperation(key, dataToDigest, dataToDigestLen, NULL, 0, sig, sigLen, + ^CFTypeRef(CFDataRef in1, CFDataRef in2, CFRange *range, CFErrorRef *error) { + return SecKeyCreateSignature(key, algorithm, in1, error); + }); } OSStatus SecKeyVerifyDigest( - SecKeyRef this, /* Private key */ + SecKeyRef key, /* Private key */ const SecAsn1AlgId *algId, /* algorithm oid/params */ const uint8_t *digestData, /* signature over this digest */ size_t digestDataLen,/* length of dataToDigest */ const uint8_t *sig, /* signature to verify */ size_t sigLen) { /* length of sig */ - size_t digestInfoLength = DER_MAX_DIGEST_INFO_LEN; - uint8_t digestInfo[digestInfoLength]; - OSStatus status; - - status = SecKeyGetDigestInfo(this, algId, digestData, digestDataLen, false /* data is digest */, - digestInfo, &digestInfoLength); - if (status) - return status; - return SecKeyRawVerify(this, kSecPaddingPKCS1, - digestInfo, digestInfoLength, sig, sigLen); + SecKeyAlgorithm algorithm = SecKeyGetAlgorithmForSecAsn1AlgId(key, algId, false); + if (algorithm == NULL) { + return errSecUnimplemented; + } + 
+ return SecKeyPerformLegacyOperation(key, digestData, digestDataLen, sig, sigLen, NULL, NULL, + ^CFTypeRef(CFDataRef in1, CFDataRef in2, CFRange *range, CFErrorRef *error) { + return SecKeyVerifySignature(key, algorithm, in1, in2, error) ? + kCFBooleanTrue : NULL; + }); } OSStatus SecKeySignDigest( - SecKeyRef this, /* Private key */ + SecKeyRef key, /* Private key */ const SecAsn1AlgId *algId, /* algorithm oid/params */ const uint8_t *digestData, /* signature over this digest */ size_t digestDataLen,/* length of digestData */ uint8_t *sig, /* signature, RETURNED */ size_t *sigLen) { /* IN/OUT */ - size_t digestInfoLength = DER_MAX_DIGEST_INFO_LEN; - uint8_t digestInfo[digestInfoLength]; - OSStatus status; - - status = SecKeyGetDigestInfo(this, algId, digestData, digestDataLen, false, - digestInfo, &digestInfoLength); - if (status) - return status; - return SecKeyRawSign(this, kSecPaddingPKCS1, - digestInfo, digestInfoLength, sig, sigLen); + SecKeyAlgorithm algorithm = SecKeyGetAlgorithmForSecAsn1AlgId(key, algId, false); + if (algorithm == NULL) { + return errSecUnimplemented; + } + + return SecKeyPerformLegacyOperation(key, digestData, digestDataLen, NULL, 0, sig, sigLen, + ^CFTypeRef(CFDataRef in1, CFDataRef in2, CFRange *range, CFErrorRef *error) { + return SecKeyCreateSignature(key, algorithm, in1, error); + }); } CFIndex SecKeyGetAlgorithmId(SecKeyRef key) { 
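Review bot: SecKeyCreateFromAttributeDictionary dereferences `error` unconditionally on its NULL-key path — `CFErrorCopyDescription(error)` and `CFRelease(error)` crash if `SecKeyCreateWithData` ever returns NULL without populating the error (the token path calls `SecKeyCreateCTKKey`, whose body is not visible here, so that cannot be ruled out); guard it, `if (error) { CFStringRef description = CFErrorCopyDescription(error); secwarning("%@", description); CFReleaseSafe(description); CFRelease(error); }`. Separately, the OID table drops the `dataLen != digestLen` check the removed SecKeyGetDigestInfo performed, and every ECDSA `*WithSHA*` OID maps to the same `kSecKeyAlgorithmECDSASignatureDigestX962`, so unless SecKeyVerifySignature/SecKeyCreateSignature validate the digest length themselves, SecKeyVerifyDigest and SecKeySignDigest now accept a digest whose length does not match the hash named by `algId`. The not-found return code also changed from `errSecUnsupportedAlgorithm` to `errSecUnimplemented`, which callers switching on the old value will not expect; if that is intentional it should be called out in the commit message.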
@@ -1218,3 +1029,350 @@ _SecKeyCopyUnwrapKey(SecKeyRef key, SecKeyWrapType type, CFDataRef wrappedKey, C
 SecError(errSecUnsupportedOperation, error, CFSTR("No key unwrap for key %@"), key);
 return NULL;
 }
+
+static SInt32 SecKeyParamsGetSInt32(CFTypeRef value, CFStringRef errName, CFErrorRef *error) {
+ SInt32 result = -1;
+ if (CFGetTypeID(value) == CFNumberGetTypeID()) {
+ if (!CFNumberGetValue(value, kCFNumberSInt32Type, &result) || result < 0) {
+ SecError(errSecParam, error, CFSTR("Unsupported %@: %@"), errName, value);
+ }
+ } else if (isString(value)) {
+ result = CFStringGetIntValue(value);
+ CFStringRef t = CFStringCreateWithFormat(0, 0, CFSTR("%ld"), (long) result);
+ if (!CFEqual(t, value) || result < 0) {
+ SecError(errSecParam, error, CFSTR("Unsupported %@: %@"), errName, value);
+ result = -1;
+ }
+ CFReleaseSafe(t);
+ } else {
+ SecError(errSecParam, error, CFSTR("Unsupported %@: %@"), errName, value);
+ }
+ return result;
+}
+
+SecKeyRef SecKeyCreateWithData(CFDataRef keyData, CFDictionaryRef parameters, CFErrorRef *error) {
+
+ SecKeyRef key = NULL;
+ CFAllocatorRef allocator = NULL;
+
+ /* First figure out the key type (algorithm).
*/
+ SInt32 algorithm;
+ CFTypeRef ktype = CFDictionaryGetValue(parameters, kSecAttrKeyType);
+ require_quiet((algorithm = SecKeyParamsGetSInt32(ktype, CFSTR("key type"), error)) >= 0, out);
+ SInt32 class;
+ CFTypeRef kclass = CFDictionaryGetValue(parameters, kSecAttrKeyClass);
+ require_quiet((class = SecKeyParamsGetSInt32(kclass, CFSTR("key class"), error)) >= 0, out);
+
+ switch (class) {
+ case 0: // kSecAttrKeyClassPublic
+ switch (algorithm) {
+ case 42: // kSecAlgorithmRSA
+ key = SecKeyCreateRSAPublicKey(allocator,
+ CFDataGetBytePtr(keyData), CFDataGetLength(keyData),
+ kSecKeyEncodingBytes);
+ if (key == NULL) {
+ SecError(errSecParam, error, CFSTR("RSA public key creation from data failed"));
+ }
+ break;
+ case 43: // kSecAlgorithmECDSA
+ case 73: // kSecAlgorithmEC
+ key = SecKeyCreateECPublicKey(allocator,
+ CFDataGetBytePtr(keyData), CFDataGetLength(keyData),
+ kSecKeyEncodingBytes);
+ if (key == NULL) {
+ SecError(errSecParam, error, CFSTR("EC public key creation from data failed"));
+ }
+ break;
+ default:
+ SecError(errSecParam, error, CFSTR("Unsupported public key type: %@"), ktype);
+ break;
+ };
+ break;
+ case 1: // kSecAttrKeyClassPrivate
+ if (CFDictionaryGetValue(parameters, kSecAttrTokenID) != NULL) {
+ key = SecKeyCreateCTKKey(allocator, parameters, error);
+ break;
+ }
+ switch (algorithm) {
+ case 42: // kSecAlgorithmRSA
+ key = SecKeyCreateRSAPrivateKey(allocator,
+ CFDataGetBytePtr(keyData), CFDataGetLength(keyData),
+ kSecKeyEncodingBytes);
+ if (key == NULL) {
+ SecError(errSecParam, error, CFSTR("RSA private key creation from data failed"));
+ }
+ break;
+ case 43: // kSecAlgorithmECDSA
+ case 73: // kSecAlgorithmEC
+ key = SecKeyCreateECPrivateKey(allocator,
+ CFDataGetBytePtr(keyData), CFDataGetLength(keyData),
+ kSecKeyEncodingBytes);
+ if (key == NULL) {
+ SecError(errSecParam, error, CFSTR("EC public key creation from data failed"));
+ }
+ break;
+ default:
+ SecError(errSecParam, error, CFSTR("Unsupported private key type:
%@"), ktype);
+ break;
+ };
+ break;
+ case 2: // kSecAttrKeyClassSymmetric
+ SecError(errSecUnimplemented, error, CFSTR("Unsupported symmetric key type: %@"), ktype);
+ break;
+ default:
+ SecError(errSecParam, error, CFSTR("Unsupported key class: %@"), kclass);
+ break;
+ }
+
+out:
+ return key;
+}
+
+CFDataRef SecKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) {
+ if (!key->key_class->copyExternalRepresentation) {
+ SecError(errSecUnimplemented, error, CFSTR("export not implemented for key %@"), key);
+ return NULL;
+ }
+
+ return key->key_class->copyExternalRepresentation(key, error);
+}
+
+CFDictionaryRef SecKeyCopyAttributes(SecKeyRef key) {
+ if (key->key_class->copyDictionary)
+ return key->key_class->copyDictionary(key);
+ return NULL;
+}
+
+SecKeyRef SecKeyCopyPublicKey(SecKeyRef key) {
+ SecKeyRef result = NULL;
+ if (key->key_class->version >= 4 && key->key_class->copyPublicKey) {
+ result = key->key_class->copyPublicKey(key);
+ if (result != NULL) {
+ return result;
+ }
+ }
+
+ CFDataRef serializedPublic = NULL;
+
+ require_noerr_quiet(SecKeyCopyPublicBytes(key, &serializedPublic), fail);
+ require_quiet(serializedPublic, fail);
+
+ result = SecKeyCreateFromPublicData(kCFAllocatorDefault, SecKeyGetAlgorithmIdentifier(key), serializedPublic);
+
+fail:
+ CFReleaseSafe(serializedPublic);
+ return result;
+}
+
+SecKeyRef SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error) {
+ SecKeyRef privKey = NULL, pubKey = NULL;
+ OSStatus status = SecKeyGeneratePair(parameters, &pubKey, &privKey);
+ SecError(status, error, CFSTR("Key generation failed, error %d"), (int)status);
+ CFReleaseSafe(pubKey);
+ return privKey;
+}
+
+#pragma mark Generic algorithm adaptor lookup and invocation
+
+static CFTypeRef SecKeyCopyBackendOperationResult(SecKeyOperationContext *context, SecKeyAlgorithm algorithm,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ CFTypeRef result = NULL;
+ assert(CFArrayGetCount(context->algorithm) > 0);
+ if
(context->key->key_class->version >= 4 && context->key->key_class->copyOperationResult != NULL) {
+ return context->key->key_class->copyOperationResult(context->key, context->operation, algorithm,
+ context->algorithm, context->mode, in1, in2, error);
+ }
+
+ // Mapping from algorithms to legacy SecPadding values.
+ static const struct {
+ const SecKeyAlgorithm *algorithm;
+ CFIndex keyAlg;
+ SecPadding padding;
+ } paddingMap[] = {
+ { &kSecKeyAlgorithmRSASignatureRaw, kSecRSAAlgorithmID, kSecPaddingNone },
+ { &kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw, kSecRSAAlgorithmID, kSecPaddingPKCS1 },
+ { &kSecKeyAlgorithmECDSASignatureRFC4754, kSecECDSAAlgorithmID, kSecPaddingSigRaw },
+ { &kSecKeyAlgorithmECDSASignatureDigestX962, kSecECDSAAlgorithmID, kSecPaddingPKCS1 },
+ { &kSecKeyAlgorithmRSAEncryptionRaw, kSecRSAAlgorithmID, kSecPaddingNone },
+ { &kSecKeyAlgorithmRSAEncryptionPKCS1, kSecRSAAlgorithmID, kSecPaddingPKCS1 },
+ { &kSecKeyAlgorithmRSAEncryptionOAEPSHA1, kSecRSAAlgorithmID, kSecPaddingOAEP },
+ };
+ SecPadding padding = (SecPadding)-1;
+ CFIndex keyAlg = SecKeyGetAlgorithmIdentifier(context->key);
+ for (size_t i = 0; i < array_size(paddingMap); ++i) {
+ if (keyAlg == paddingMap[i].keyAlg && CFEqual(algorithm, *paddingMap[i].algorithm)) {
+ padding = paddingMap[i].padding;
+ break;
+ }
+ }
+ require_quiet(padding != (SecPadding)-1, out);
+
+ // Check legacy virtual table entries.
+ size_t size = 0;
+ OSStatus status = errSecSuccess;
+ switch (context->operation) {
+ case kSecKeyOperationTypeSign:
+ if (context->key->key_class->rawSign != NULL) {
+ result = kCFBooleanTrue;
+ if (context->mode == kSecKeyOperationModePerform) {
+ size = SecKeyGetSize(context->key, kSecKeySignatureSize);
+ result = CFDataCreateMutableWithScratch(NULL, size);
+ status = context->key->key_class->rawSign(context->key, padding,
+ CFDataGetBytePtr(in1), CFDataGetLength(in1),
+ CFDataGetMutableBytePtr((CFMutableDataRef)result), &size);
+ }
+ }
+ break;
+ case kSecKeyOperationTypeVerify:
+ if (context->key->key_class->rawVerify != NULL) {
+ result = kCFBooleanTrue;
+ if (context->mode == kSecKeyOperationModePerform) {
+ status = context->key->key_class->rawVerify(context->key, padding,
+ CFDataGetBytePtr(in1), CFDataGetLength(in1),
+ CFDataGetBytePtr(in2), CFDataGetLength(in2));
+ }
+ }
+ break;
+ case kSecKeyOperationTypeEncrypt:
+ if (context->key->key_class->encrypt != NULL) {
+ result = kCFBooleanTrue;
+ if (context->mode == kSecKeyOperationModePerform) {
+ size = SecKeyGetSize(context->key, kSecKeyEncryptedDataSize);
+ result = CFDataCreateMutableWithScratch(NULL, size);
+ status = context->key->key_class->encrypt(context->key, padding,
+ CFDataGetBytePtr(in1), CFDataGetLength(in1),
+ CFDataGetMutableBytePtr((CFMutableDataRef)result), &size);
+ }
+ }
+ break;
+ case kSecKeyOperationTypeDecrypt:
+ if (context->key->key_class->decrypt != NULL) {
+ result = kCFBooleanTrue;
+ if (context->mode == kSecKeyOperationModePerform) {
+ size = SecKeyGetSize(context->key, kSecKeyEncryptedDataSize);
+ result = CFDataCreateMutableWithScratch(NULL, size);
+ status = context->key->key_class->decrypt(context->key, padding,
+ CFDataGetBytePtr(in1), CFDataGetLength(in1),
+ CFDataGetMutableBytePtr((CFMutableDataRef)result), &size);
+ }
+ }
+ break;
+ default:
+ goto out;
+ }
+
+ if (status == errSecSuccess) {
+ if (CFGetTypeID(result) == CFDataGetTypeID()) {
+
CFDataSetLength((CFMutableDataRef)result, size);
+ }
+ } else {
+ SecError(status, error, CFSTR("legacy SecKey backend operation:%d(%d) failed"), (int)context->operation, (int)padding);
+ CFReleaseNull(result);
+ }
+
+out:
+ return result;
+}
+
+CFTypeRef SecKeyRunAlgorithmAndCopyResult(SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+
+ // Check algorithm array for cycles; if any value of it is duplicated inside, report 'algorithm not found' error.
+ CFIndex algorithmCount = CFArrayGetCount(context->algorithm);
+ for (CFIndex index = 0; index < algorithmCount - 1; index++) {
+ SecKeyAlgorithm indexAlgorithm = CFArrayGetValueAtIndex(context->algorithm, index);
+ for (CFIndex tested = index + 1; tested < algorithmCount; tested++) {
+ require_quiet(!CFEqual(indexAlgorithm, CFArrayGetValueAtIndex(context->algorithm, tested)), fail);
+ }
+ }
+
+ SecKeyAlgorithm algorithm = CFArrayGetValueAtIndex(context->algorithm, algorithmCount - 1);
+ CFTypeRef output = SecKeyCopyBackendOperationResult(context, algorithm, in1, in2, error);
+ if (output != kCFNull) {
+ // Backend handled the operation, return result.
+ return output;
+ }
+
+ // To silence static analyzer.
+ CFReleaseSafe(output);
+
+ // Get adaptor which is able to handle requested algorithm.
+ SecKeyAlgorithmAdaptor adaptor = SecKeyGetAlgorithmAdaptor(context->operation, algorithm);
+ require_quiet(adaptor != NULL, fail);
+
+ // Invoke the adaptor and return result.
+ CFTypeRef result = adaptor(context, in1, in2, error);
+ require_quiet(result != kCFNull, fail);
+ return result;
+
+fail:
+ if (context->mode == kSecKeyOperationModePerform) {
+ SecError(errSecParam, error, CFSTR("%@: algorithm not supported by the key %@"),
+ CFArrayGetValueAtIndex(context->algorithm, 0), context->key);
+ return NULL;
+ } else {
+ return kCFNull;
+ }
+}
+
+#pragma mark Algorithm-related SecKey API entry points
+
+static CFMutableArrayRef SecKeyCreateAlgorithmArray(SecKeyAlgorithm algorithm) {
+ CFMutableArrayRef result = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault);
+ CFArrayAppendValue(result, algorithm);
+ return result;
+}
+
+CFDataRef SecKeyCreateSignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef dataToSign, CFErrorRef *error) {
+ SecKeyOperationContext context = { key, kSecKeyOperationTypeSign, SecKeyCreateAlgorithmArray(algorithm) };
+ CFDataRef result = SecKeyRunAlgorithmAndCopyResult(&context, dataToSign, NULL, error);
+ SecKeyOperationContextDestroy(&context);
+ return result;
+}
+
+Boolean SecKeyVerifySignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef signedData, CFDataRef signature,
+ CFErrorRef *error) {
+ SecKeyOperationContext context = { key, kSecKeyOperationTypeVerify, SecKeyCreateAlgorithmArray(algorithm) };
+ CFTypeRef res = SecKeyRunAlgorithmAndCopyResult(&context, signedData, signature, error);
+ Boolean result = CFEqualSafe(res, kCFBooleanTrue);
+ CFReleaseSafe(res);
+ SecKeyOperationContextDestroy(&context);
+ return result;
+}
+
+CFDataRef SecKeyCreateEncryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef plainText, CFErrorRef *error) {
+ SecKeyOperationContext context = { key, kSecKeyOperationTypeEncrypt, SecKeyCreateAlgorithmArray(algorithm) };
+ CFDataRef result = SecKeyRunAlgorithmAndCopyResult(&context, plainText, NULL, error);
+ SecKeyOperationContextDestroy(&context);
+ return result;
+}
+
+CFDataRef SecKeyCreateDecryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef
cipherText, CFErrorRef *error) {
+ SecKeyOperationContext context = { key, kSecKeyOperationTypeDecrypt, SecKeyCreateAlgorithmArray(algorithm) };
+ CFDataRef result = SecKeyRunAlgorithmAndCopyResult(&context, cipherText, NULL, error);
+ SecKeyOperationContextDestroy(&context);
+ return result;
+}
+
+CFDataRef SecKeyCopyKeyExchangeResult(SecKeyRef key, SecKeyAlgorithm algorithm, SecKeyRef publicKey,
+ CFDictionaryRef parameters, CFErrorRef *error) {
+ CFDataRef publicKeyData = NULL, result = NULL;
+ SecKeyOperationContext context = { key, kSecKeyOperationTypeKeyExchange, SecKeyCreateAlgorithmArray(algorithm) };
+ require_quiet(publicKeyData = SecKeyCopyExternalRepresentation(publicKey, error), out);
+ result = SecKeyRunAlgorithmAndCopyResult(&context, publicKeyData, parameters, error);
+
+out:
+ CFReleaseSafe(publicKeyData);
+ SecKeyOperationContextDestroy(&context);
+ return result;
+}
+
+Boolean SecKeyIsAlgorithmSupported(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm) {
+ SecKeyOperationContext context = { key, operation, SecKeyCreateAlgorithmArray(algorithm), kSecKeyOperationModeCheckIfSupported };
+ CFErrorRef error = NULL;
+ CFTypeRef res = SecKeyRunAlgorithmAndCopyResult(&context, NULL, NULL, &error);
+ Boolean result = CFEqualSafe(res, kCFBooleanTrue);
+ CFReleaseSafe(res);
+ CFReleaseSafe(error);
+ SecKeyOperationContextDestroy(&context);
+ return result;
+}
diff --git a/OSX/sec/Security/SecKey.h b/OSX/sec/Security/SecKey.h
index 4087b75d..26c980d0 100644
--- a/OSX/sec/Security/SecKey.h
+++ b/OSX/sec/Security/SecKey.h
@@ -26,8 +26,6 @@ The functions provided in SecKey.h implement and manage a particular type of keychain item that represents a key. A key can be stored in a keychain, but a key can also be a transient object.
-
- You can use a key as a keychain item in most functions.
 */
 #ifndef _SECURITY_SECKEY_H_
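Review bot: SecKeyCopyBackendOperationResult and its caller disagree on the "not handled" sentinel: SecKeyRunAlgorithmAndCopyResult treats anything other than kCFNull as a backend result (`if (output != kCFNull) { return output; }`), but the legacy path starts with `CFTypeRef result = NULL;` and reaches `out:` with that NULL both when the algorithm has no paddingMap entry and from the `default:` case, so a key class that does not provide copyOperationResult and is asked for an algorithm outside the table gets NULL back with no error set, the adaptor fallback is never consulted, and in kSecKeyOperationModeCheckIfSupported the algorithm is reported unsupported. Unless every key class in the tree already has version >= 4 with copyOperationResult, which this hunk does not show, initialising `CFTypeRef result = kCFNull;` restores the intended fallthrough and also keeps the `CFGetTypeID(result)` in the success branch off a NULL pointer when the matching legacy vtable entry (rawSign, rawVerify, encrypt, decrypt) is absent. In SecKeyCreateWithData, SecKeyParamsGetSInt32 calls `CFGetTypeID(value)` before any NULL check, so omitting the mandatory kSecAttrKeyType or kSecAttrKeyClass attribute dereferences NULL instead of returning errSecParam; a guard at the top such as `if (value == NULL) { SecError(errSecParam, error, CFSTR("Missing %@"), errName); return -1; }` would cover it. The EC private-key failure in the kSecAttrKeyClassPrivate branch reports `"EC public key creation from data failed"`, which looks copy-pasted from the public-key branch and will mislead anyone reading the error.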
@@ -35,6 +33,9 @@
 #include <Security/SecBase.h>
 #include <CoreFoundation/CFDictionary.h>
+#include <CoreFoundation/CFData.h>
+#include <CoreFoundation/CFSet.h>
+#include <CoreFoundation/CFError.h>
 #include <sys/types.h>
 __BEGIN_DECLS
@@ -155,8 +156,8 @@ extern const CFStringRef kSecPublicKeyAttrs * kSecAttrCanUnwrap default true for private keys, false for public keys */
-OSStatus SecKeyGeneratePair(CFDictionaryRef parameters, SecKeyRef * __nullable CF_RETURNS_RETAINED publicKey,
- SecKeyRef * __nullable CF_RETURNS_RETAINED privateKey) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
+OSStatus SecKeyGeneratePair(CFDictionaryRef parameters, SecKeyRef * _Nullable CF_RETURNS_RETAINED publicKey,
+ SecKeyRef * _Nullable CF_RETURNS_RETAINED privateKey) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
 /*!
@@ -293,7 +294,7 @@ OSStatus SecKeyDecrypt(
 /*!
 @function SecKeyGetBlockSize
- @abstract Decrypt a block of ciphertext.
+ @abstract Returns size of the block for specified key, in bytes.
 @param key The key for which the block length is requested.
 @result The block length of the key in bytes.
 @discussion If for example key is an RSA key the value returned by
@@ -302,6 +303,654 @@ OSStatus SecKeyDecrypt(
 size_t SecKeyGetBlockSize(SecKeyRef key) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0);
+/*!
+ @function SecKeyCreateRandomKey
+ @abstract Generates a new public/private key pair.
+ @param parameters A dictionary containing one or more key-value pairs.
+ See the discussion sections below for a complete overview of options.
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @return Newly generated private key. To get associated public key, use SecKeyCopyPublicKey().
+ @discussion In order to generate a keypair the parameters dictionary must
+ at least contain the following keys:
+
+ * kSecAttrKeyType with a value being kSecAttrKeyTypeRSA or any other
+ kSecAttrKeyType defined in SecItem.h
+ * kSecAttrKeySizeInBits with a value being a CFNumberRef or CFStringRef
+ containing the requested key size in bits. Example sizes for RSA
+ keys are: 512, 768, 1024, 2048.
+
+ The values below may be set either in the top-level dictionary or in a
+ dictionary that is the value of the kSecPrivateKeyAttrs or
+ kSecPublicKeyAttrs key in the top-level dictionary. Setting these
+ attributes explicitly will override the defaults below. See SecItem.h
+ for detailed information on these attributes including the types of
+ the values.
+
+ * kSecAttrLabel default NULL
+ * kSecAttrIsPermanent if this key is present and has a Boolean value of true,
+ the key or key pair will be added to the default keychain.
+ * kSecAttrTokenID if this key should be generated on specified token. This
+ attribute can contain CFStringRef and can be present only in the top-level
+ parameters dictionary.
+ * kSecAttrApplicationTag default NULL
+ * kSecAttrEffectiveKeySize default NULL same as kSecAttrKeySizeInBits
+ * kSecAttrCanEncrypt default false for private keys, true for public keys
+ * kSecAttrCanDecrypt default true for private keys, false for public keys
+ * kSecAttrCanDerive default true
+ * kSecAttrCanSign default true for private keys, false for public keys
+ * kSecAttrCanVerify default false for private keys, true for public keys
+ * kSecAttrCanWrap default false for private keys, true for public keys
+ * kSecAttrCanUnwrap default true for private keys, false for public keys
+ */
+SecKeyRef _Nullable SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCreateWithData
+ @abstract Create a SecKey from a well-defined external representation.
+ @param keyData CFData representing the key. The format of the data depends on the type of key being created.
+ @param attributes Dictionary containing attributes describing the key to be imported. The keys in this dictionary
+ are kSecAttr* constants from SecItem.h. Mandatory attributes are:
+ * kSecAttrKeyType
+ * kSecAttrKeyClass
+ * kSecAttrKeySizeInBits
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @result A SecKey object representing the key, or NULL on failure.
+ @discussion This function does not add keys to any keychain, but the SecKey object it returns can be added
+ to keychain using the SecItemAdd function.
+ The requested data format depend on the type of key (kSecAttrKeyType) being created:
+ * kSecAttrKeyTypeRSA PKCS#1 format
+ * kSecAttrKeyTypeECSECPrimeRandom SEC1 format (www.secg.org)
+ */
+SecKeyRef _Nullable SecKeyCreateWithData(CFDataRef keyData, CFDictionaryRef attributes, CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCopyExternalRepresentation
+ @abstract Create an external representation for the given key suitable for the key's type.
+ @param key The key to be exported.
+ @param error On error, will be populated with an error object describing the failure.
+ See "Security Error Codes" (SecBase.h).
+ @result A CFData representing the key in a format suitable for that key type.
+ @discussion This function may fail if the key is not exportable (e.g., bound to a smart card or Secure Enclave).
+ The format in which the key will be exported depends on the type of key:
+ * kSecAttrKeyTypeRSA PKCS#1 format
+ * kSecAttrKeyTypeECSECPrimeRandom SEC1 format (www.secg.org)
+ */
+CFDataRef _Nullable SecKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCopyAttributes
+ @abstract Retrieve keychain attributes of a key.
+ @param key The key whose attributes are to be retrieved.
+ @result Dictionary containing attributes of the key. The keys that populate this dictionary are defined
+ and discussed in SecItem.h.
+ @discussion The attributes provided by this function are:
+ * kSecAttrCanEncrypt
+ * kSecAttrCanDecrypt
+ * kSecAttrCanDerive
+ * kSecAttrCanSign
+ * kSecAttrCanVerify
+ * kSecAttrKeyClass
+ * kSecAttrKeyType
+ * kSecAttrKeySizeInBits
+ * kSecAttrTokenID
+ * kSecAttrApplicationLabel
+ Other values returned in that dictionary are RFU.
+ */
+CFDictionaryRef _Nullable SecKeyCopyAttributes(SecKeyRef key)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @function SecKeyCopyPublicKey
+ @abstract Retrieve the public key from a key pair or private key.
+ @param key The key from which to retrieve a public key.
+ @result The public key or NULL if public key is not available for specified key.
+ @discussion Fails if key does not contain a public key or no public key can be computed from it.
+ */
+SecKeyRef _Nullable SecKeyCopyPublicKey(SecKeyRef key)
+__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);
+
+/*!
+ @enum SecKeyAlgorithm
+ @abstract Available algorithms for performing cryptographic operations with SecKey object. String representation
+ of constant can be used for logging or debugging purposes, because they contain human readable names of the algorithm.
+
+ @constant kSecKeyAlgorithmRSASignatureRaw
+ Raw RSA sign/verify operation, size of input data must be the same as value returned by SecKeyGetBlockSize().
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw
+ RSA sign/verify operation, assumes that input data is digest and OID and digest algorithm as specified in PKCS# v1.5.
+ This algorithm is typically not used directly, instead use algorithm with specified digest, like
+ kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1
+ RSA signature with PKCS#1 padding, input data must be SHA-1 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224
+ RSA signature with PKCS#1 padding, input data must be SHA-224 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256
+ RSA signature with PKCS#1 padding, input data must be SHA-256 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384
+ RSA signature with PKCS#1 padding, input data must be SHA-384 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512
+ RSA signature with PKCS#1 padding, input data must be SHA-512 generated digest.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1
+ RSA signature with PKCS#1 padding, SHA-1 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224
+ RSA signature with PKCS#1 padding, SHA-224 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256
+ RSA signature with PKCS#1 padding, SHA-256 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384
+ RSA signature with PKCS#1 padding, SHA-384 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512
+ RSA signature with PKCS#1 padding, SHA-512 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmECDSASignatureRFC4754
+ ECDSA algorithm, signature is concatenated r and s, big endian, data is message digest.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA1 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA224 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA256 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA384 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureDigestX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, input data is message digest created by SHA512 algorithm.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA1
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-1 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA224
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-224 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA256
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-256 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA384
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-384 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmECDSASignatureMessageX962SHA512
+ ECDSA algorithm, signature is in DER x9.62 encoding, SHA-512 digest is generated from input data of any size.
+
+ @constant kSecKeyAlgorithmRSAEncryptionRaw
+ Raw RSA encryption or decryption, size of data must match RSA key modulus size. Note that direct
+ use of this algorithm without padding is cryptographically very weak, it is important to always introduce
+ some kind of padding. Input data size must be less or equal to the key block size and returned block has always
+ the same size as block size, as returned by SecKeyGetBlockSize().
+
+ @constant kSecKeyAlgorithmRSAEncryptionPKCS1
+ RSA encryption or decryption, data is padded using PKCS#1 padding scheme. This algorithm should be used only for
+ backward compatibility with existing protocols and data. New implementations should choose cryptographically
+ stronger algorithm instead (see kSecKeyAlgorithmRSAEncryptionOAEP). Input data must be at most
+ "key block size - 11" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize().
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA1. Input data must be at most
+ "key block size - 42" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA224. Input data must be at most
+ "key block size - 58" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA256. Input data must be at most
+ "key block size - 66" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA384. Input data must be at most
+ "key block size - 98" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize(). Use kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512
+ RSA encryption or decryption, data is padded using OAEP padding scheme internally using SHA512. Input data must be at most
+ "key block size - 130" bytes long and returned block has always the same size as block size, as returned
+ by SecKeyGetBlockSize().
Use kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM to be able to encrypt and decrypt arbitrary long data.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM
+ Randomly generated AES session key is encrypted by RSA with OAEP padding. User data are encrypted using session key in GCM
+ mode with all-zero 16 bytes long IV (initialization vector). Finally 16 byte AES-GCM tag is appended to ciphertext.
+ 256bit AES key is used if RSA key is 4096bit or bigger, otherwise 128bit AES key is used. Raw public key data is used
+ as authentication data for AES-GCM encryption.
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
+ and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
+ all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size
+ is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF,
+ and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and
+ all-zero 16 byte long IV (initialization vector).
+
+ @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM
+ ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted.
+ Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1.
AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. 
Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. 
AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM + ECIES encryption or decryption. This algorithm does not limit the size of the message to be encrypted or decrypted. + Encryption is done using AES-GCM with key negotiated by kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1. AES Key size + is 128bit for EC keys <=256bit and 256bit for bigger EC keys. Ephemeral public key data is used as sharedInfo for KDF, + and static public key data is used as authenticationData for AES-GCM processing. AES-GCM uses 16 bytes long TAG and + all-zero 16 byte long IV (initialization vector). + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactor + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys. + This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA256 as hashing function. 
Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512 + Compute shared secret using ECDH cofactor algorithm, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandard + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys. + This algorithm does not accept any parameters, length of output raw shared secret is given by the length of the key. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA1 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA224 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 
+ + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA256 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA384 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. + + @constant kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512 + Compute shared secret using ECDH algorithm without cofactor, suitable only for kSecAttrKeyTypeECSECPrimeRandom keys + and apply ANSI X9.63 KDF with SHA512 as hashing function. Requires kSecKeyKeyExchangeParameterRequestedSize and allows + kSecKeyKeyExchangeParameterSharedInfo parameters to be used. 
+ */ + +typedef CFStringRef SecKeyAlgorithm CF_STRING_ENUM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRaw +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384 +__OSX_AVAILABLE(10.12) 
__IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureRFC4754 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm 
kSecKeyAlgorithmECDSASignatureMessageX962SHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRaw +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionPKCS1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const 
SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm 
kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandard +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactor +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384 +__OSX_AVAILABLE(10.12) 
__IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512 +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCreateSignature + @abstract Given a private key and data to sign, generate a digital signature. + @param key Private key with which to sign. + @param algorithm One of SecKeyAlgorithm constants suitable to generate signature with this key. + @param dataToSign The data to be signed, typically the digest of the actual data. + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). + @result The signature over dataToSign represented as a CFData, or NULL on failure. + @discussion Computes digital signature using specified key over input data. The operation algorithm + further defines the exact format of input data, operation to be performed and output signature. + */ +CFDataRef _Nullable SecKeyCreateSignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef dataToSign, + CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyVerifySignature + @abstract Given a public key, data which has been signed, and a signature, verify the signature. + @param key Public key with which to verify the signature. + @param algorithm One of SecKeyAlgorithm constants suitable to verify signature with this key. + @param signedData The data over which sig is being verified, typically the digest of the actual data. + @param signature The signature to verify. + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). + @result True if the signature was valid, False otherwise. + @discussion Verifies digital signature operation using specified key and signed data. 
The operation algorithm + further defines the exact format of input data, signature and operation to be performed. + */ +Boolean SecKeyVerifySignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef signedData, CFDataRef signature, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCreateEncryptedData + @abstract Encrypt a block of plaintext. + @param key Public key with which to encrypt the data. + @param algorithm One of SecKeyAlgorithm constants suitable to perform encryption with this key. + @param plaintext The data to encrypt. The length and format of the data must conform to chosen algorithm, + typically be less or equal to the value returned by SecKeyGetBlockSize(). + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). + @result The ciphertext represented as a CFData, or NULL on failure. + @discussion Encrypts plaintext data using specified key. The exact type of the operation including the format + of input and output data is specified by encryption algorithm. + */ +CFDataRef _Nullable SecKeyCreateEncryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef plaintext, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCreateDecryptedData + @abstract Decrypt a block of ciphertext. + @param key Private key with which to decrypt the data. + @param algorithm One of SecKeyAlgorithm constants suitable to perform decryption with this key. + @param ciphertext The data to decrypt. The length and format of the data must conform to chosen algorithm, + typically be less or equal to the value returned by SecKeyGetBlockSize(). + @param error On error, will be populated with an error object describing the failure. + See "Security Error Codes" (SecBase.h). 
+ @result The plaintext represented as a CFData, or NULL on failure. + @discussion Decrypts ciphertext data using specified key. The exact type of the operation including the format + of input and output data is specified by decryption algorithm. + */ +CFDataRef _Nullable SecKeyCreateDecryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef ciphertext, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @enum SecKeyKeyExchangeParameter SecKey Key Exchange parameters + @constant kSecKeyKeyExchangeParameterRequestedSize Contains CFNumberRef with requested result size in bytes. + @constant kSecKeyKeyExchangeParameterSharedInfo Contains CFDataRef with additional shared info + for KDF (key derivation function). + */ +typedef CFStringRef SecKeyKeyExchangeParameter CF_STRING_ENUM +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterRequestedSize +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); +extern const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterSharedInfo +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCopyKeyExchangeResult + @abstract Perform Diffie-Hellman style of key exchange operation, optionally with additional key-derivation steps. + @param algorithm One of SecKeyAlgorithm constants suitable to perform this operation. + @param publicKey Remote party's public key. + @param parameters Dictionary with parameters, see SecKeyKeyExchangeParameter constants. Used algorithm + determines the set of required and optional parameters to be used. + @param error Pointer to an error object on failure. + See "Security Error Codes" (SecBase.h). + @result Result of key exchange operation as a CFDataRef, or NULL on failure. 
+ */ +CFDataRef _Nullable SecKeyCopyKeyExchangeResult(SecKeyRef privateKey, SecKeyAlgorithm algorithm, SecKeyRef publicKey, CFDictionaryRef parameters, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @enum SecKeyOperationType + @abstract Defines types of cryptographic operations available with SecKey instance. + + @constant kSecKeyOperationTypeSign + Represents SecKeyCreateSignature() + + @constant kSecKeyOperationTypeVerify + Represents SecKeyVerifySignature() + + @constant kSecKeyOperationTypeEncrypt + Represents SecKeyCreateEncryptedData() + + @constant kSecKeyOperationTypeDecrypt + Represents SecKeyCreateDecryptedData() + + @constant kSecKeyOperationTypeKeyExchange + Represents SecKeyCopyKeyExchangeResult() + */ +typedef CF_ENUM(CFIndex, SecKeyOperationType) { + kSecKeyOperationTypeSign = 0, + kSecKeyOperationTypeVerify = 1, + kSecKeyOperationTypeEncrypt = 2, + kSecKeyOperationTypeDecrypt = 3, + kSecKeyOperationTypeKeyExchange = 4, +} __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyIsAlgorithmSupported + @abstract Checks whether key supports specified algorithm for specified operation. + @param key Key to query + @param operation Operation type for which the key is queried + @param algorithm Algorithm which is queried + @return True if key supports specified algorithm for specified operation, False otherwise. + */ +Boolean SecKeyIsAlgorithmSupported(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END diff --git a/OSX/sec/Security/SecKeyAdaptors.c b/OSX/sec/Security/SecKeyAdaptors.c new file mode 100644 index 00000000..84179768 --- /dev/null +++ b/OSX/sec/Security/SecKeyAdaptors.c 
@@ -0,0 +1,1217 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* + * SecKeyAdaptors.c - Implementation of assorted algorithm adaptors for SecKey. + * Algorithm adaptor is able to perform some transformation on provided input and calculated results and invoke + * underlying operation with different algorithm. Typical adaptors are message->digest or unpadded->padded. + * To invoke underlying operation, add algorithm to the context algorithm array and invoke SecKeyRunAlgorithmAndCopyResult(). 
+ */ + +#include <Security/SecBase.h> +#include <Security/SecKeyInternal.h> +#include <Security/SecItem.h> +#include <Security/SecCFAllocator.h> + +#include <AssertMacros.h> +#include <utilities/SecCFWrappers.h> +#include <utilities/array_size.h> +#include <utilities/debugging.h> +#include <utilities/SecCFError.h> +#include <utilities/SecBuffer.h> + +#include <corecrypto/ccsha1.h> +#include <corecrypto/ccsha2.h> +#include <corecrypto/ccmd5.h> +#include <corecrypto/ccrsa_priv.h> +#include <corecrypto/ccansikdf.h> +#include <corecrypto/ccmode.h> +#include <corecrypto/ccaes.h> + +#pragma mark Algorithm constants value definitions + +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRaw = CFSTR("algid:sign:RSA:raw"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRawCCUnit = CFSTR("algid:sign:RSA:raw-cc"); + +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw = CFSTR("algid:sign:RSA:digest-PKCS1v15"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5 = CFSTR("algid:sign:RSA:digest-PKCS1v15:MD5"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1 = CFSTR("algid:sign:RSA:digest-PKCS1v15:SHA1"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224 = CFSTR("algid:sign:RSA:digest-PKCS1v15:SHA224"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256 = CFSTR("algid:sign:RSA:digest-PKCS1v15:SHA256"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384 = CFSTR("algid:sign:RSA:digest-PKCS1v15:SHA384"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512 = CFSTR("algid:sign:RSA:digest-PKCS1v15:SHA512"); + +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5 = CFSTR("algid:sign:RSA:message-PKCS1v15:MD5"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1 = CFSTR("algid:sign:RSA:message-PKCS1v15:SHA1"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224 = 
CFSTR("algid:sign:RSA:message-PKCS1v15:SHA224"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256 = CFSTR("algid:sign:RSA:message-PKCS1v15:SHA256"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384 = CFSTR("algid:sign:RSA:message-PKCS1v15:SHA384"); +const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512 = CFSTR("algid:sign:RSA:message-PKCS1v15:SHA512"); + +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureRFC4754 = CFSTR("algid:sign:ECDSA:RFC4754"); + +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962 = CFSTR("algid:sign:ECDSA:digest-X962"); +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA1 = CFSTR("algid:sign:ECDSA:digest-X962:SHA1"); +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA224 = CFSTR("algid:sign:ECDSA:digest-X962:SHA224"); +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA256 = CFSTR("algid:sign:ECDSA:digest-X962:SHA256"); +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA384 = CFSTR("algid:sign:ECDSA:digest-X962:SHA384"); +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureDigestX962SHA512 = CFSTR("algid:sign:ECDSA:digest-X962:SHA512"); + +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA1 = CFSTR("algid:sign:ECDSA:message-X962:SHA1"); +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA224 = CFSTR("algid:sign:ECDSA:message-X962:SHA224"); +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA256 = CFSTR("algid:sign:ECDSA:message-X962:SHA256"); +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA384 = CFSTR("algid:sign:ECDSA:message-X962:SHA384"); +const SecKeyAlgorithm kSecKeyAlgorithmECDSASignatureMessageX962SHA512 = CFSTR("algid:sign:ECDSA:message-X962:SHA512"); + +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRaw = CFSTR("algid:encrypt:RSA:raw"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRawCCUnit = 
CFSTR("algid:encrypt:RSA:raw-cc"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionPKCS1 = CFSTR("algid:encrypt:RSA:PKCS1"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1 = CFSTR("algid:encrypt:RSA:OAEP:SHA1"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224 = CFSTR("algid:encrypt:RSA:OAEP:SHA224"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256 = CFSTR("algid:encrypt:RSA:OAEP:SHA256"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384 = CFSTR("algid:encrypt:RSA:OAEP:SHA384"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512 = CFSTR("algid:encrypt:RSA:OAEP:SHA512"); + +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM = CFSTR("algid:encrypt:RSA:OAEP:SHA1:AESGCM"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM = CFSTR("algid:encrypt:RSA:OAEP:SHA224:AESGCM"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM = CFSTR("algid:encrypt:RSA:OAEP:SHA256:AESGCM"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM = CFSTR("algid:encrypt:RSA:OAEP:SHA384:AESGCM"); +const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM = CFSTR("algid:encrypt:RSA:OAEP:SHA512:AESGCM"); + +const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM = CFSTR("algid:encrypt:ECIES:ECDH:KDFX963:SHA1:AESGCM"); +const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM = CFSTR("algid:encrypt:ECIES:ECDH:KDFX963:SHA224:AESGCM"); +const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM = CFSTR("algid:encrypt:ECIES:ECDH:KDFX963:SHA256:AESGCM"); +const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM = CFSTR("algid:encrypt:ECIES:ECDH:KDFX963:SHA384:AESGCM"); +const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM = CFSTR("algid:encrypt:ECIES:ECDH:KDFX963:SHA512:AESGCM"); + +const SecKeyAlgorithm 
kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM = CFSTR("algid:encrypt:ECIES:ECDHC:KDFX963:SHA1:AESGCM");
+const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM = CFSTR("algid:encrypt:ECIES:ECDHC:KDFX963:SHA224:AESGCM");
+const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM = CFSTR("algid:encrypt:ECIES:ECDHC:KDFX963:SHA256:AESGCM");
+const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM = CFSTR("algid:encrypt:ECIES:ECDHC:KDFX963:SHA384:AESGCM");
+const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM = CFSTR("algid:encrypt:ECIES:ECDHC:KDFX963:SHA512:AESGCM");
+
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandard = CFSTR("algid:keyexchange:ECDH");
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1 = CFSTR("algid:keyexchange:ECDH:KDFX963:SHA1");
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224 = CFSTR("algid:keyexchange:ECDH:KDFX963:SHA224");
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256 = CFSTR("algid:keyexchange:ECDH:KDFX963:SHA256");
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384 = CFSTR("algid:keyexchange:ECDH:KDFX963:SHA384");
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512 = CFSTR("algid:keyexchange:ECDH:KDFX963:SHA512");
+
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactor = CFSTR("algid:keyexchange:ECDHC");
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1 = CFSTR("algid:keyexchange:ECDHC:KDFX963:SHA1");
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224 = CFSTR("algid:keyexchange:ECDHC:KDFX963:SHA224");
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256 = CFSTR("algid:keyexchange:ECDHC:KDFX963:SHA256");
+const SecKeyAlgorithm kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384 = CFSTR("algid:keyexchange:ECDHC:KDFX963:SHA384");
+const SecKeyAlgorithm 
kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512 = CFSTR("algid:keyexchange:ECDHC:KDFX963:SHA512");
+
+const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionAKSSmartCard = CFSTR("algid:encrypt:ECIES:ECDH:SHA256:2PubKeys");
+
+void SecKeyOperationContextDestroy(SecKeyOperationContext *context) {
+ CFReleaseSafe(context->algorithm);
+}
+
+static void PerformWithCFDataBuffer(CFIndex size, void (^operation)(uint8_t *buffer, CFDataRef data)) {
+ PerformWithBuffer(size, ^(size_t size, uint8_t *buffer) {
+ CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8 *)buffer, size, kCFAllocatorNull);
+ operation(buffer, data);
+ CFRelease(data);
+ });
+}
+
+static CFDataRef SecKeyMessageToDigestAdaptor(SecKeyOperationContext *context, CFDataRef message, CFDataRef in2,
+ const struct ccdigest_info *di, CFErrorRef *error) {
+ if (context->mode == kSecKeyOperationModeCheckIfSupported) {
+ return SecKeyRunAlgorithmAndCopyResult(context, NULL, NULL, error);
+ }
+
+ __block CFTypeRef result;
+ PerformWithCFDataBuffer(di->output_size, ^(uint8_t *buffer, CFDataRef data) {
+ ccdigest(di, CFDataGetLength(message), CFDataGetBytePtr(message), buffer);
+ result = SecKeyRunAlgorithmAndCopyResult(context, data, in2, error);
+ });
+ return result;
+}
+
+#define SECKEY_DIGEST_RSA_ADAPTORS(name, di) \
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15 ## name( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15 ## name); \
+ return SecKeyMessageToDigestAdaptor(context, in1, in2, di, error); \
+}
+
+#define SECKEY_DIGEST_ADAPTORS(name, di) SECKEY_DIGEST_RSA_ADAPTORS(name, di) \
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962 ## name( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ CFArrayAppendValue(context->algorithm, 
kSecKeyAlgorithmECDSASignatureDigestX962 ## name); \
+ return SecKeyMessageToDigestAdaptor(context, in1, in2, di, error); \
+} \
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962 ## name( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmECDSASignatureDigestX962); \
+ return SecKeyRunAlgorithmAndCopyResult(context, in1, in2, error); \
+}
+
+SECKEY_DIGEST_ADAPTORS(SHA1, ccsha1_di())
+SECKEY_DIGEST_ADAPTORS(SHA224, ccsha224_di())
+SECKEY_DIGEST_ADAPTORS(SHA256, ccsha256_di())
+SECKEY_DIGEST_ADAPTORS(SHA384, ccsha384_di())
+SECKEY_DIGEST_ADAPTORS(SHA512, ccsha512_di())
+SECKEY_DIGEST_RSA_ADAPTORS(MD5, ccmd5_di())
+
+#undef SECKEY_DIGEST_RSA_ADAPTORS
+#undef SECKEY_DIGEST_ADAPTORS
+
+static CFDataRef SecKeyRSACopyBigEndianToCCUnit(CFDataRef bigEndian, size_t size) {
+ CFMutableDataRef result = NULL;
+ if (bigEndian != NULL) {
+ size_t dataSize = CFDataGetLength(bigEndian);
+ if (dataSize > size) {
+ size = dataSize;
+ }
+ result = CFDataCreateMutableWithScratch(kCFAllocatorDefault, ccrsa_sizeof_n_from_size(size));
+ ccn_read_uint(ccn_nof_size(size), (cc_unit *)CFDataGetMutableBytePtr(result), dataSize, CFDataGetBytePtr(bigEndian));
+ }
+ return result;
+}
+
+static void PerformWithBigEndianToCCUnit(CFDataRef bigEndian, size_t size, void (^operation)(CFDataRef ccunits)) {
+ if (bigEndian == NULL) {
+ return operation(NULL);
+ }
+ size_t dataSize = CFDataGetLength(bigEndian);
+ if (dataSize > size) {
+ size = dataSize;
+ }
+ PerformWithCFDataBuffer(ccrsa_sizeof_n_from_size(size), ^(uint8_t *buffer, CFDataRef data) {
+ ccn_read_uint(ccn_nof_size(size), (cc_unit *)buffer, dataSize, CFDataGetBytePtr(bigEndian));
+ operation(data);
+ });
+}
+
+static CFDataRef SecKeyRSACopyCCUnitToBigEndian(CFDataRef ccunits, size_t size) {
+ CFMutableDataRef result = NULL;
+ if (ccunits != NULL) {
+ cc_size n = ccn_nof_size(CFDataGetLength(ccunits));
+ const 
cc_unit *s = (const cc_unit *)CFDataGetBytePtr(ccunits);
+ result = CFDataCreateMutableWithScratch(kCFAllocatorDefault, size);
+ ccn_write_uint_padded(n, s, CFDataGetLength(result), CFDataGetMutableBytePtr(result));
+ }
+ return result;
+}
+
+static void PerformWithCCUnitToBigEndian(CFDataRef ccunits, size_t size, void (^operation)(CFDataRef bigEndian)) {
+ if (ccunits == NULL) {
+ return operation(NULL);
+ }
+ PerformWithCFDataBuffer(size, ^(uint8_t *buffer, CFDataRef data) {
+ cc_size n = ccn_nof_size(CFDataGetLength(ccunits));
+ const cc_unit *s = (const cc_unit *)CFDataGetBytePtr(ccunits);
+ ccn_write_uint_padded(n, s, size, buffer);
+ operation(data);
+ });
+}
+
+static CFTypeRef SecKeyRSACopyPKCS1EMSASignature(SecKeyOperationContext *context,
+ CFDataRef in1, CFDataRef in2, CFErrorRef *error, const uint8_t *oid) {
+ if (oid != NULL) {
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw);
+ }
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSASignatureRawCCUnit);
+ if (context->mode == kSecKeyOperationModeCheckIfSupported) {
+ return SecKeyRunAlgorithmAndCopyResult(context, NULL, NULL, error);
+ }
+
+ __block CFTypeRef result = NULL;
+ size_t size = SecKeyGetBlockSize(context->key);
+ if (size == 0) {
+ SecError(errSecParam, error, CFSTR("expecting RSA key"));
+ return NULL;
+ }
+ PerformWithCFDataBuffer(size, ^(uint8_t *buffer, CFDataRef data) {
+ uint8_t s[size];
+ int err = ccrsa_emsa_pkcs1v15_encode(size, s, CFDataGetLength(in1), CFDataGetBytePtr(in1), oid);
+ require_noerr_action_quiet(err, out, SecError(errSecParam, error, CFSTR("RSAsign wrong input data length")));
+ ccn_read_uint(ccn_nof_size(size), (cc_unit *)buffer, size, s);
+ require_quiet(result = SecKeyRunAlgorithmAndCopyResult(context, data, NULL, error), out);
+ CFAssignRetained(result, SecKeyRSACopyCCUnitToBigEndian(result, SecKeyGetBlockSize(context->key)));
+ out:;
+ });
+ return result;
+}
+
+#define seckey_ccoid_md5 ((unsigned char 
*)"\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05")
+
+#define PKCS1v15_EMSA_SIGN_ADAPTOR(name, oid) \
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Sign_RSASignatureDigestPKCS1v15 ## name( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ return SecKeyRSACopyPKCS1EMSASignature(context, in1, in2, error, oid); \
+}
+
+PKCS1v15_EMSA_SIGN_ADAPTOR(SHA1, ccoid_sha1)
+PKCS1v15_EMSA_SIGN_ADAPTOR(SHA224, ccoid_sha224)
+PKCS1v15_EMSA_SIGN_ADAPTOR(SHA256, ccoid_sha256)
+PKCS1v15_EMSA_SIGN_ADAPTOR(SHA384, ccoid_sha384)
+PKCS1v15_EMSA_SIGN_ADAPTOR(SHA512, ccoid_sha512)
+PKCS1v15_EMSA_SIGN_ADAPTOR(Raw, NULL)
+PKCS1v15_EMSA_SIGN_ADAPTOR(MD5, seckey_ccoid_md5)
+
+#undef PKCS1v15_EMSA_SIGN_ADAPTOR
+
+static CFTypeRef SecKeyAlgorithmAdaptorBigEndianToCCUnit(SecKeyOperationContext *context,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ if (context->mode == kSecKeyOperationModeCheckIfSupported) {
+ return SecKeyRunAlgorithmAndCopyResult(context, NULL, NULL, error);
+ }
+
+ __block CFTypeRef result = NULL;
+ PerformWithBigEndianToCCUnit(in1, SecKeyGetBlockSize(context->key), ^(CFDataRef ccunits) {
+ result = SecKeyRunAlgorithmAndCopyResult(context, ccunits, in2, error);
+ if (result != NULL) {
+ CFAssignRetained(result, SecKeyRSACopyCCUnitToBigEndian(result, SecKeyGetBlockSize(context->key)));
+ }
+ });
+ return result;
+}
+
+static CFTypeRef SecKeyAlgorithmAdaptorCCUnitToBigEndian(SecKeyOperationContext *context,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ if (context->mode == kSecKeyOperationModeCheckIfSupported) {
+ return SecKeyRunAlgorithmAndCopyResult(context, NULL, NULL, error);
+ }
+
+ __block CFTypeRef result = NULL;
+ PerformWithCCUnitToBigEndian(in1, SecKeyGetBlockSize(context->key), ^(CFDataRef bigEndian) {
+ result = SecKeyRunAlgorithmAndCopyResult(context, bigEndian, in2, error);
+ if (result != NULL) {
+ CFAssignRetained(result, SecKeyRSACopyBigEndianToCCUnit(result, SecKeyGetBlockSize(context->key)));
+ }
+ 
});
+ return result;
+}
+
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureRaw(SecKeyOperationContext *context,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSASignatureRawCCUnit);
+ return SecKeyAlgorithmAdaptorBigEndianToCCUnit(context, in1, in2, error);
+}
+
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureRawCCUnit(SecKeyOperationContext *context,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSASignatureRaw);
+ return SecKeyAlgorithmAdaptorCCUnitToBigEndian(context, in1, in2, error);
+}
+
+static bool SecKeyVerifyBadSignature(CFErrorRef *error) {
+ return SecError(errSecVerifyFailed, error, CFSTR("RSA signature verification failed, no match"));
+}
+
+static CFTypeRef SecKeyRSAVerifyAdaptor(SecKeyOperationContext *context, CFTypeRef signature, CFErrorRef *error,
+ Boolean (^verifyBlock)(CFDataRef decrypted)) {
+ CFTypeRef result = NULL;
+ context->operation = kSecKeyOperationTypeDecrypt;
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSAEncryptionRaw);
+ result = SecKeyRunAlgorithmAndCopyResult(context, signature, NULL, error);
+ if (context->mode == kSecKeyOperationModePerform && result != NULL) {
+ if (verifyBlock(result)) {
+ CFRetainAssign(result, kCFBooleanTrue);
+ } else {
+ CFRetainAssign(result, kCFBooleanFalse);
+ SecKeyVerifyBadSignature(error);
+ }
+ }
+ return result;
+}
+
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureRaw(SecKeyOperationContext *context,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ return SecKeyRSAVerifyAdaptor(context, in2, error, ^Boolean(CFDataRef decrypted) {
+ // Skip zero-padding from the beginning of the decrypted signature. 
+ const UInt8 *data = CFDataGetBytePtr(decrypted);
+ CFIndex length = CFDataGetLength(decrypted);
+ while (*data == 0x00 && length > 0) {
+ data++;
+ length--;
+ }
+ // The rest of the decrypted signature must be the same as input data.
+ return length == CFDataGetLength(in1) && memcmp(CFDataGetBytePtr(in1), data, length) == 0;
+ });
+};
+
+#define PKCS1v15_EMSA_VERIFY_ADAPTOR(name, oid) \
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureDigestPKCS1v15 ## name( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ return SecKeyRSAVerifyAdaptor(context, in2, error, ^Boolean(CFDataRef decrypted) { \
+ return ccrsa_emsa_pkcs1v15_verify(CFDataGetLength(decrypted), \
+ (uint8_t *)CFDataGetBytePtr(decrypted), \
+ CFDataGetLength(in1), CFDataGetBytePtr(in1), oid) == 0; \
+ }); \
+}
+
+PKCS1v15_EMSA_VERIFY_ADAPTOR(SHA1, ccoid_sha1)
+PKCS1v15_EMSA_VERIFY_ADAPTOR(SHA224, ccoid_sha224)
+PKCS1v15_EMSA_VERIFY_ADAPTOR(SHA256, ccoid_sha256)
+PKCS1v15_EMSA_VERIFY_ADAPTOR(SHA384, ccoid_sha384)
+PKCS1v15_EMSA_VERIFY_ADAPTOR(SHA512, ccoid_sha512)
+PKCS1v15_EMSA_VERIFY_ADAPTOR(Raw, NULL)
+PKCS1v15_EMSA_VERIFY_ADAPTOR(MD5, seckey_ccoid_md5)
+
+#undef PKCS1v15_EMSA_VERIFY_ADAPTOR
+
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_EncryptDecrypt_RSAEncryptionRaw(SecKeyOperationContext *context,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSAEncryptionRawCCUnit);
+ return SecKeyAlgorithmAdaptorBigEndianToCCUnit(context, in1, in2, error);
+}
+
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_EncryptDecrypt_RSAEncryptionRawCCUnit(SecKeyOperationContext *context,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSAEncryptionRaw);
+ return SecKeyAlgorithmAdaptorCCUnitToBigEndian(context, in1, in2, error);
+}
+
+static CFTypeRef SecKeyRSACopyEncryptedWithPadding(SecKeyOperationContext *context, const struct 
ccdigest_info *di,
+ CFDataRef in1, CFErrorRef *error) {
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSAEncryptionRawCCUnit);
+ size_t size = SecKeyGetBlockSize(context->key);
+ size_t minSize = (di != NULL) ? di->output_size * 2 + 2 : 11;
+ if (size < minSize) {
+ return kCFNull;
+ }
+ if (context->mode == kSecKeyOperationModeCheckIfSupported) {
+ return SecKeyRunAlgorithmAndCopyResult(context, NULL, NULL, error);
+ }
+
+ __block CFTypeRef result = NULL;
+ PerformWithCFDataBuffer(size, ^(uint8_t *buffer, CFDataRef data) {
+ int err;
+ if (di != NULL) {
+ err = ccrsa_oaep_encode(di, ccrng_seckey, size, (cc_unit *)buffer,
+ CFDataGetLength(in1), CFDataGetBytePtr(in1));
+ } else {
+ err = ccrsa_eme_pkcs1v15_encode(ccrng_seckey, size, (cc_unit *)buffer,
+ CFDataGetLength(in1), CFDataGetBytePtr(in1));
+ }
+ require_noerr_action_quiet(err, out, SecError(errSecParam, error,
+ CFSTR("RSAencrypt wrong input size (err %d)"), err));
+ require_quiet(result = SecKeyRunAlgorithmAndCopyResult(context, data, NULL, error), out);
+ CFAssignRetained(result, SecKeyRSACopyCCUnitToBigEndian(result, SecKeyGetBlockSize(context->key)));
+ out:;
+ });
+ return result;
+}
+
+static CFTypeRef SecKeyRSACopyDecryptedWithPadding(SecKeyOperationContext *context, const struct ccdigest_info *di,
+ CFDataRef in1, CFErrorRef *error) {
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmRSAEncryptionRawCCUnit);
+ size_t minSize = (di != NULL) ? 
di->output_size * 2 + 2 : 11;
+ if (SecKeyGetBlockSize(context->key) < minSize) {
+ return kCFNull;
+ }
+ if (context->mode == kSecKeyOperationModeCheckIfSupported) {
+ return SecKeyRunAlgorithmAndCopyResult(context, NULL, NULL, error);
+ }
+
+ __block CFMutableDataRef result = NULL;
+ PerformWithBigEndianToCCUnit(in1, SecKeyGetBlockSize(context->key), ^(CFDataRef ccunits) {
+ CFDataRef cc_result = NULL;
+ require_quiet(cc_result = SecKeyRunAlgorithmAndCopyResult(context, ccunits, NULL, error), out);
+ size_t size = CFDataGetLength(cc_result);
+ result = CFDataCreateMutableWithScratch(NULL, size);
+ int err;
+ if (di != NULL) {
+ err = ccrsa_oaep_decode(di, &size, CFDataGetMutableBytePtr(result),
+ CFDataGetLength(cc_result), (cc_unit *)CFDataGetBytePtr(cc_result));
+ } else {
+ err = ccrsa_eme_pkcs1v15_decode(&size, CFDataGetMutableBytePtr(result),
+ CFDataGetLength(cc_result), (cc_unit *)CFDataGetBytePtr(cc_result));
+ }
+ require_noerr_action_quiet(err, out, (CFReleaseNull(result),
+ SecError(errSecParam, error, CFSTR("RSAdecrypt wrong input (err %d)"), err)));
+ CFDataSetLength(result, size);
+ out:
+ CFReleaseSafe(cc_result);
+ });
+ return result;
+}
+
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionPKCS1(SecKeyOperationContext *context,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ return SecKeyRSACopyEncryptedWithPadding(context, NULL, in1, error);
+}
+
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionPKCS1(SecKeyOperationContext *context,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ return SecKeyRSACopyDecryptedWithPadding(context, NULL, in1, error);
+}
+
+#define RSA_OAEP_CRYPT_ADAPTOR(name, di) \
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEP ## name( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ return SecKeyRSACopyEncryptedWithPadding(context, di, in1, error); \
+} \
+static CFTypeRef 
SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEP ## name( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ return SecKeyRSACopyDecryptedWithPadding(context, di, in1, error); \
+}
+
+RSA_OAEP_CRYPT_ADAPTOR(SHA1, ccsha1_di());
+RSA_OAEP_CRYPT_ADAPTOR(SHA224, ccsha224_di());
+RSA_OAEP_CRYPT_ADAPTOR(SHA256, ccsha256_di());
+RSA_OAEP_CRYPT_ADAPTOR(SHA384, ccsha384_di());
+RSA_OAEP_CRYPT_ADAPTOR(SHA512, ccsha512_di());
+
+#undef RSA_OAEP_CRYPT_ADAPTOR
+
+const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterRequestedSize = CFSTR("requestedSize");
+const SecKeyKeyExchangeParameter kSecKeyKeyExchangeParameterSharedInfo = CFSTR("sharedInfo");
+
+static CFTypeRef SecKeyECDHCopyX963Result(SecKeyOperationContext *context, const struct ccdigest_info *di,
+ CFTypeRef in1, CFTypeRef params, CFErrorRef *error) {
+ CFTypeRef result = NULL;
+ require_quiet(result = SecKeyRunAlgorithmAndCopyResult(context, in1, NULL, error), out);
+
+ if (context->mode == kSecKeyOperationModePerform) {
+ // Parse params. 
+ CFTypeRef value = NULL;
+ CFIndex requestedSize = 0;
+ require_action_quiet((value = CFDictionaryGetValue(params, kSecKeyKeyExchangeParameterRequestedSize)) != NULL
+ && CFGetTypeID(value) == CFNumberGetTypeID() &&
+ CFNumberGetValue(value, kCFNumberCFIndexType, &requestedSize), out,
+ SecError(errSecParam, error, CFSTR("kSecKeyKeyExchangeParameterRequestedSize is missing")));
+ size_t sharedInfoLength = 0;
+ const void *sharedInfo = NULL;
+ if ((value = CFDictionaryGetValue(params, kSecKeyKeyExchangeParameterSharedInfo)) != NULL &&
+ CFGetTypeID(value) == CFDataGetTypeID()) {
+ sharedInfo = CFDataGetBytePtr(value);
+ sharedInfoLength = CFDataGetLength(value);
+ }
+
+ CFMutableDataRef kdfResult = CFDataCreateMutableWithScratch(kCFAllocatorDefault, requestedSize);
+ int err = ccansikdf_x963(di, CFDataGetLength(result), CFDataGetBytePtr(result), sharedInfoLength, sharedInfo,
+ requestedSize, CFDataGetMutableBytePtr(kdfResult));
+ CFAssignRetained(result, kdfResult);
+ require_noerr_action_quiet(err, out, (CFReleaseNull(result),
+ SecError(errSecParam, error, CFSTR("ECDHKeyExchange wrong input (%d)"), err)));
+ }
+out:
+ return result;
+}
+
+#define ECDH_X963_ADAPTOR(hashname, di, cofactor) \
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDH ## cofactor ## X963 ## hashname( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ CFArrayAppendValue(context->algorithm, kSecKeyAlgorithmECDHKeyExchange ## cofactor); \
+ return SecKeyECDHCopyX963Result(context, di, in1, in2, error); \
+}
+
+ECDH_X963_ADAPTOR(SHA1, ccsha1_di(), Standard)
+ECDH_X963_ADAPTOR(SHA224, ccsha224_di(), Standard)
+ECDH_X963_ADAPTOR(SHA256, ccsha256_di(), Standard)
+ECDH_X963_ADAPTOR(SHA384, ccsha384_di(), Standard)
+ECDH_X963_ADAPTOR(SHA512, ccsha512_di(), Standard)
+ECDH_X963_ADAPTOR(SHA1, ccsha1_di(), Cofactor)
+ECDH_X963_ADAPTOR(SHA224, ccsha224_di(), Cofactor)
+ECDH_X963_ADAPTOR(SHA256, ccsha256_di(), Cofactor)
+ECDH_X963_ADAPTOR(SHA384, 
ccsha384_di(), Cofactor)
+ECDH_X963_ADAPTOR(SHA512, ccsha512_di(), Cofactor)
+
+#undef ECDH_X963_ADAPTOR
+
+// Extract number value of either CFNumber or CFString.
+static CFIndex SecKeyGetCFIndexFromRef(CFTypeRef ref) {
+ CFIndex result = 0;
+ if (CFGetTypeID(ref) == CFNumberGetTypeID()) {
+ if (!CFNumberGetValue(ref, kCFNumberCFIndexType, &result)) {
+ result = 0;
+ }
+ } else if (CFGetTypeID(ref) == CFStringGetTypeID()) {
+ result = CFStringGetIntValue(ref);
+ }
+ return result;
+}
+
+typedef CFDataRef (*SecKeyECIESKeyExchangeCopyResult)(SecKeyOperationContext *context, SecKeyAlgorithm keyExchangeAlgorithm, bool encrypt, CFDataRef ephemeralPubKey, CFDataRef pubKey, CFErrorRef *error);
+typedef Boolean (*SecKeyECIESEncryptCopyResult)(CFDataRef keyExchangeResult, CFDataRef inData, CFMutableDataRef result, CFErrorRef *error);
+typedef CFDataRef SecKeyECIESDecryptCopyResult(CFDataRef keyExchangeResult, CFDataRef inData, CFErrorRef *error);
+
+static CFTypeRef SecKeyECIESCopyEncryptedData(SecKeyOperationContext *context, SecKeyAlgorithm keyExchangeAlgorithm,
+ SecKeyECIESKeyExchangeCopyResult keyExchangeCopyResult,
+ SecKeyECIESEncryptCopyResult encryptCopyResult,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ CFDictionaryRef parameters = NULL;
+ SecKeyRef ephemeralPrivateKey = NULL, ephemeralPublicKey = NULL;
+ CFDataRef pubKeyData = NULL, ephemeralPubKeyData = NULL, keyExchangeResult = NULL;
+ CFTypeRef result = NULL;
+ SecKeyRef originalKey = context->key;
+ CFMutableDataRef ciphertext = NULL;
+
+ require_action_quiet(parameters = SecKeyCopyAttributes(context->key), out,
+ SecError(errSecParam, error, CFSTR("Unable to export key parameters")));
+ require_action_quiet(CFEqual(CFDictionaryGetValue(parameters, kSecAttrKeyType), kSecAttrKeyTypeECSECPrimeRandom), out, result = kCFNull);
+ require_action_quiet(CFEqual(CFDictionaryGetValue(parameters, kSecAttrKeyClass), kSecAttrKeyClassPublic), out, result = kCFNull);
+
+ // Generate ephemeral key. 
+ require_quiet(pubKeyData = SecKeyCopyExternalRepresentation(context->key, error), out);
+ CFAssignRetained(parameters, CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
+ kSecAttrKeyType, CFDictionaryGetValue(parameters, kSecAttrKeyType),
+ kSecAttrKeySizeInBits, CFDictionaryGetValue(parameters, kSecAttrKeySizeInBits),
+ NULL));
+ require_quiet(ephemeralPrivateKey = SecKeyCreateRandomKey(parameters, error), out);
+ require_action_quiet(ephemeralPublicKey = SecKeyCopyPublicKey(ephemeralPrivateKey), out,
+ SecError(errSecParam, error, CFSTR("Unable to get public key from generated ECkey")));
+ require_quiet(ephemeralPubKeyData = SecKeyCopyExternalRepresentation(ephemeralPublicKey, error), out);
+
+ context->key = ephemeralPrivateKey;
+ require_quiet(keyExchangeResult = keyExchangeCopyResult(context, keyExchangeAlgorithm, true,
+ ephemeralPubKeyData, pubKeyData, error), out);
+ if (context->mode == kSecKeyOperationModePerform) {
+ // Encrypt input data using AES-GCM.
+ ciphertext = CFDataCreateMutableCopy(kCFAllocatorDefault, 0, ephemeralPubKeyData);
+ require_quiet(encryptCopyResult(keyExchangeResult, in1, ciphertext, error), out);
+ result = CFRetain(ciphertext);
+ } else {
+ result = CFRetain(keyExchangeResult);
+ }
+
+out:
+ CFReleaseSafe(parameters);
+ CFReleaseSafe(ephemeralPrivateKey);
+ CFReleaseSafe(ephemeralPublicKey);
+ CFReleaseSafe(pubKeyData);
+ CFReleaseSafe(ephemeralPubKeyData);
+ CFReleaseSafe(keyExchangeResult);
+ CFReleaseSafe(ciphertext);
+ context->key = originalKey;
+ return result;
+}
+
+static CFTypeRef SecKeyECIESCopyDecryptedData(SecKeyOperationContext *context, SecKeyAlgorithm keyExchangeAlgorithm,
+ SecKeyECIESKeyExchangeCopyResult keyExchangeCopyResult,
+ SecKeyECIESDecryptCopyResult decryptCopyResult,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ CFTypeRef result = NULL;
+ CFDictionaryRef parameters = NULL;
+ CFDataRef ephemeralPubKeyData = NULL, keyExchangeResult = NULL, pubKeyData = NULL;
+ SecKeyRef pubKey = NULL;
+ 
CFDataRef ciphertext = NULL;
+ const UInt8 *ciphertextBuffer = NULL;
+ CFIndex keySize = 0;
+
+ require_action_quiet(parameters = SecKeyCopyAttributes(context->key), out,
+ SecError(errSecParam, error, CFSTR("Unable to export key parameters")));
+ require_action_quiet(CFEqual(CFDictionaryGetValue(parameters, kSecAttrKeyType), kSecAttrKeyTypeECSECPrimeRandom), out, result = kCFNull);
+ require_action_quiet(CFEqual(CFDictionaryGetValue(parameters, kSecAttrKeyClass), kSecAttrKeyClassPrivate), out, result = kCFNull);
+
+ if (context->mode == kSecKeyOperationModePerform) {
+ // Extract ephemeral public key from the packet.
+ keySize = (SecKeyGetCFIndexFromRef(CFDictionaryGetValue(parameters, kSecAttrKeySizeInBits)) + 7) / 8;
+ require_action_quiet(CFDataGetLength(in1) >= keySize * 2 + 1, out,
+ SecError(errSecParam, error, CFSTR("%@: too small input packet for ECIES decrypt"), context->key));
+ ciphertextBuffer = CFDataGetBytePtr(in1);
+ ephemeralPubKeyData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, ciphertextBuffer, keySize * 2 + 1, kCFAllocatorNull);
+ ciphertextBuffer += keySize * 2 + 1;
+
+ require_action_quiet(pubKey = SecKeyCopyPublicKey(context->key), out,
+ SecError(errSecParam, error, CFSTR("%@: Unable to get public key"), context->key));
+ require_quiet(pubKeyData = SecKeyCopyExternalRepresentation(pubKey, error), out);
+ }
+
+ // Perform keyExchange operation.
+ require_quiet(keyExchangeResult = keyExchangeCopyResult(context, keyExchangeAlgorithm, false,
+ ephemeralPubKeyData, pubKeyData, error), out);
+ if (context->mode == kSecKeyOperationModePerform) {
+ // Decrypt ciphertext using AES-GCM. 
+ ciphertext = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, ciphertextBuffer, CFDataGetLength(in1) - (keySize * 2 + 1),
+ kCFAllocatorNull);
+ require_quiet(result = decryptCopyResult(keyExchangeResult, ciphertext, error), out);
+ } else {
+ result = CFRetain(keyExchangeResult);
+ }
+
+out:
+ CFReleaseSafe(parameters);
+ CFReleaseSafe(ephemeralPubKeyData);
+ CFReleaseSafe(keyExchangeResult);
+ CFReleaseSafe(pubKeyData);
+ CFReleaseSafe(pubKey);
+ CFReleaseSafe(ciphertext);
+ return result;
+}
+
+static const CFIndex kSecKeyIESTagLength = 16;
+static const UInt8 kSecKeyIESIV[16] = { 0 };
+
+static CFDataRef SecKeyECIESKeyExchangeKDFX963CopyResult(SecKeyOperationContext *context, SecKeyAlgorithm keyExchangeAlgorithm,
+ bool encrypt, CFDataRef ephemeralPubKey, CFDataRef pubKey,
+ CFErrorRef *error) {
+ CFDictionaryRef parameters = NULL;
+ CFNumberRef keySizeRef = NULL;
+ CFDataRef result = NULL;
+
+ CFArrayAppendValue(context->algorithm, keyExchangeAlgorithm);
+ context->operation = kSecKeyOperationTypeKeyExchange;
+
+ if (context->mode == kSecKeyOperationModePerform) {
+ // Use 128bit AES for EC keys <= 256bit, 256bit AES for larger keys.
+ CFIndex keySize = ((CFDataGetLength(pubKey) - 1) / 2) * 8;
+ keySize = (keySize > 256) ? (256 / 8) : (128 / 8);
+
+ // Generate shared secret using KDF.
+ keySizeRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &keySize);
+ parameters = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
+ kSecKeyKeyExchangeParameterSharedInfo, ephemeralPubKey,
+ kSecKeyKeyExchangeParameterRequestedSize, keySizeRef,
+ NULL);
+ }
+
+ result = SecKeyRunAlgorithmAndCopyResult(context, encrypt ? 
pubKey : ephemeralPubKey, parameters, error);
+ CFReleaseSafe(parameters);
+ CFReleaseSafe(keySizeRef);
+ return result;
+}
+
+static Boolean SecKeyECIESEncryptAESGCMCopyResult(CFDataRef keyExchangeResult, CFDataRef inData, CFMutableDataRef result,
+ CFErrorRef *error) {
+ Boolean res = FALSE;
+ CFIndex prefix = CFDataGetLength(result);
+ CFDataSetLength(result, prefix + CFDataGetLength(inData) + kSecKeyIESTagLength);
+ UInt8 *resultBuffer = CFDataGetMutableBytePtr(result) + prefix;
+ UInt8 *tagBuffer = resultBuffer + CFDataGetLength(inData);
+ require_action_quiet(ccgcm_one_shot(ccaes_gcm_encrypt_mode(),
+ CFDataGetLength(keyExchangeResult), CFDataGetBytePtr(keyExchangeResult),
+ sizeof(kSecKeyIESIV), kSecKeyIESIV,
+ 0, NULL,
+ CFDataGetLength(inData), CFDataGetBytePtr(inData),
+ resultBuffer, kSecKeyIESTagLength, tagBuffer) == 0, out,
+ SecError(errSecParam, error, CFSTR("ECIES: Failed to aes-gcm encrypt data")));
+ res = TRUE;
+out:
+ return res;
+}
+
+static CFDataRef SecKeyECIESDecryptAESGCMCopyResult(CFDataRef keyExchangeResult, CFDataRef inData, CFErrorRef *error) {
+ CFDataRef result = NULL;
+ CFMutableDataRef plaintext = CFDataCreateMutableWithScratch(kCFAllocatorDefault, CFDataGetLength(inData) - kSecKeyIESTagLength);
+ CFMutableDataRef tag = CFDataCreateMutableWithScratch(SecCFAllocatorZeroize(), kSecKeyIESTagLength);
+ CFDataGetBytes(inData, CFRangeMake(CFDataGetLength(inData) - kSecKeyIESTagLength, kSecKeyIESTagLength),
+ CFDataGetMutableBytePtr(tag));
+ require_action_quiet(ccgcm_one_shot(ccaes_gcm_decrypt_mode(),
+ CFDataGetLength(keyExchangeResult), CFDataGetBytePtr(keyExchangeResult),
+ sizeof(kSecKeyIESIV), kSecKeyIESIV,
+ 0, NULL,
+ CFDataGetLength(plaintext), CFDataGetBytePtr(inData), CFDataGetMutableBytePtr(plaintext),
+ kSecKeyIESTagLength, CFDataGetMutableBytePtr(tag)) == 0, out,
+ SecError(errSecParam, error, CFSTR("ECIES: Failed to aes-gcm decrypt data")));
+ result = CFRetain(plaintext);
+out:
+ CFReleaseSafe(plaintext);
+ 
CFReleaseSafe(tag);
+ return result;
+}
+
+#define ECIES_X963_ADAPTOR(hashname, cofactor) \
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIES ## cofactor ## X963 ## hashname( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ return SecKeyECIESCopyEncryptedData(context, kSecKeyAlgorithmECDHKeyExchange ## cofactor ## X963 ## hashname, \
+ SecKeyECIESKeyExchangeKDFX963CopyResult, SecKeyECIESEncryptAESGCMCopyResult, in1, in2, error); \
+} \
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIES ## cofactor ## X963 ## hashname( \
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \
+ return SecKeyECIESCopyDecryptedData(context, kSecKeyAlgorithmECDHKeyExchange ## cofactor ## X963 ## hashname, \
+ SecKeyECIESKeyExchangeKDFX963CopyResult, SecKeyECIESDecryptAESGCMCopyResult, in1, in2, error); \
+}
+
+ECIES_X963_ADAPTOR(SHA1, Standard)
+ECIES_X963_ADAPTOR(SHA224, Standard)
+ECIES_X963_ADAPTOR(SHA256, Standard)
+ECIES_X963_ADAPTOR(SHA384, Standard)
+ECIES_X963_ADAPTOR(SHA512, Standard)
+ECIES_X963_ADAPTOR(SHA1, Cofactor)
+ECIES_X963_ADAPTOR(SHA224, Cofactor)
+ECIES_X963_ADAPTOR(SHA256, Cofactor)
+ECIES_X963_ADAPTOR(SHA384, Cofactor)
+ECIES_X963_ADAPTOR(SHA512, Cofactor)
+
+#undef ECIES_X963_ADAPTOR
+
+static CFDataRef SecKeyECIESKeyExchangeSHA2562PubKeysCopyResult(SecKeyOperationContext *context, SecKeyAlgorithm keyExchangeAlgorithm,
+ bool encrypt, CFDataRef ephemeralPubKey, CFDataRef pubKey,
+ CFErrorRef *error) {
+ CFArrayAppendValue(context->algorithm, keyExchangeAlgorithm);
+ context->operation = kSecKeyOperationTypeKeyExchange;
+ CFMutableDataRef result = (CFMutableDataRef)SecKeyRunAlgorithmAndCopyResult(context, ephemeralPubKey, NULL, error);
+ if (result != NULL && context->mode == kSecKeyOperationModePerform) {
+ const struct ccdigest_info *di = ccsha256_di();
+ ccdigest_di_decl(di, ctx);
+ ccdigest_init(di, ctx);
+ ccdigest_update(di, ctx, CFDataGetLength(result), 
CFDataGetBytePtr(result));
+ ccdigest_update(di, ctx, CFDataGetLength(ephemeralPubKey), CFDataGetBytePtr(ephemeralPubKey));
+ ccdigest_update(di, ctx, CFDataGetLength(pubKey), CFDataGetBytePtr(pubKey));
+ CFAssignRetained(result, CFDataCreateMutableWithScratch(kCFAllocatorDefault, di->output_size));
+ ccdigest_final(di, ctx, CFDataGetMutableBytePtr(result));
+ }
+ return result;
+}
+
+static CFDataRef SecKeyECIESDecryptAESCBCCopyResult(CFDataRef keyExchangeResult, CFDataRef inData, CFErrorRef *error) {
+ CFMutableDataRef result = CFDataCreateMutableWithScratch(kCFAllocatorDefault, CFDataGetLength(inData));
+ cccbc_one_shot(ccaes_cbc_decrypt_mode(),
+ CFDataGetLength(keyExchangeResult), CFDataGetBytePtr(keyExchangeResult),
+ NULL, CFDataGetLength(keyExchangeResult) / CCAES_BLOCK_SIZE,
+ CFDataGetBytePtr(inData), CFDataGetMutableBytePtr(result));
+ return result;
+}
+
+static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIES_Standard_SHA256_2PubKeys(
+ SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ return SecKeyECIESCopyDecryptedData(context, kSecKeyAlgorithmECDHKeyExchangeStandard,
+ SecKeyECIESKeyExchangeSHA2562PubKeysCopyResult,
+ SecKeyECIESDecryptAESCBCCopyResult,
+ in1, in2, error);
+}
+
+static CFTypeRef SecKeyRSAAESGCMCopyEncryptedData(SecKeyOperationContext *context, SecKeyAlgorithm keyWrapAlgorithm,
+ CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ CFTypeRef result = NULL;
+ CFDictionaryRef parameters = NULL;
+ CFDataRef pubKeyData = NULL, wrappedKey = NULL, sessionKey = NULL;
+ CFMutableDataRef ciphertext = NULL;
+
+ require_action_quiet(parameters = SecKeyCopyAttributes(context->key), out,
+ SecError(errSecParam, error, CFSTR("Unable to export key parameters")));
+ require_action_quiet(CFEqual(CFDictionaryGetValue(parameters, kSecAttrKeyType), kSecAttrKeyTypeRSA), out, result = kCFNull);
+ require_action_quiet(CFEqual(CFDictionaryGetValue(parameters, kSecAttrKeyClass), kSecAttrKeyClassPublic), out, result 
= kCFNull); + + CFArrayAppendValue(context->algorithm, keyWrapAlgorithm); + require_action_quiet(context->mode == kSecKeyOperationModePerform, out, + result = SecKeyRunAlgorithmAndCopyResult(context, NULL, NULL, error)); + + // Generate session key. Use 128bit AES for RSA keys < 4096bit, 256bit AES for larger keys. + require_quiet(pubKeyData = SecKeyCopyExternalRepresentation(context->key, error), out); + CFIndex keySize = SecKeyGetCFIndexFromRef(CFDictionaryGetValue(parameters, kSecAttrKeySizeInBits)); + require_action_quiet(sessionKey = CFDataCreateWithRandomBytes((keySize >= 4096) ? (256 / 8) : (128 / 8)), out, + SecError(errSecParam, error, CFSTR("Failed to generate session key"))); + + // Encrypt session key using wrapping algorithm and store at the beginning of the result packet. + require_action_quiet(wrappedKey = SecKeyRunAlgorithmAndCopyResult(context, sessionKey, NULL, error), out, + CFReleaseNull(result)); + ciphertext = CFDataCreateMutableWithScratch(kCFAllocatorDefault, CFDataGetLength(wrappedKey) + CFDataGetLength(in1) + kSecKeyIESTagLength); + UInt8 *resultBuffer = CFDataGetMutableBytePtr(ciphertext); + CFDataGetBytes(wrappedKey, CFRangeMake(0, CFDataGetLength(wrappedKey)), resultBuffer); + resultBuffer += CFDataGetLength(wrappedKey); + + // Encrypt input data using AES-GCM. 
+ UInt8 *tagBuffer = resultBuffer + CFDataGetLength(in1); + require_action_quiet(ccgcm_one_shot(ccaes_gcm_encrypt_mode(), + CFDataGetLength(sessionKey), CFDataGetBytePtr(sessionKey), + sizeof(kSecKeyIESIV), kSecKeyIESIV, + CFDataGetLength(pubKeyData), CFDataGetBytePtr(pubKeyData), + CFDataGetLength(in1), CFDataGetBytePtr(in1), resultBuffer, + kSecKeyIESTagLength, tagBuffer) == 0, out, + SecError(errSecParam, error, CFSTR("RSAWRAP: Failed to aes-gcm encrypt data"))); + result = CFRetain(ciphertext); + +out: + CFReleaseSafe(parameters); + CFReleaseSafe(pubKeyData); + CFReleaseSafe(wrappedKey); + CFReleaseSafe(sessionKey); + CFReleaseSafe(ciphertext); + return result; +} + +static CFTypeRef SecKeyRSAAESGCMCopyDecryptedData(SecKeyOperationContext *context, SecKeyAlgorithm keyWrapAlgorithm, + CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { + CFTypeRef result = NULL; + CFDictionaryRef parameters = NULL; + CFMutableDataRef plaintext = NULL, tag = NULL; + CFDataRef pubKeyData = NULL, sessionKey = NULL; + SecKeyRef pubKey = NULL; + + require_action_quiet(parameters = SecKeyCopyAttributes(context->key), out, + SecError(errSecParam, error, CFSTR("Unable to export key parameters"))); + require_action_quiet(CFEqual(CFDictionaryGetValue(parameters, kSecAttrKeyType), kSecAttrKeyTypeRSA), out, result = kCFNull); + require_action_quiet(CFEqual(CFDictionaryGetValue(parameters, kSecAttrKeyClass), kSecAttrKeyClassPrivate), out, result = kCFNull); + + CFArrayAppendValue(context->algorithm, keyWrapAlgorithm); + require_action_quiet(context->mode == kSecKeyOperationModePerform, out, + result = SecKeyRunAlgorithmAndCopyResult(context, NULL, NULL, error)); + + // Extract encrypted session key. 
+ require_action_quiet(pubKey = SecKeyCopyPublicKey(context->key), out, + SecError(errSecParam, error, CFSTR("%@: unable to get public key"), context->key)); + require_quiet(pubKeyData = SecKeyCopyExternalRepresentation(pubKey, error), out); + + CFIndex wrappedKeySize = SecKeyGetBlockSize(context->key); + require_action_quiet(CFDataGetLength(in1) >= wrappedKeySize + kSecKeyIESTagLength, out, + SecError(errSecParam, error, CFSTR("RSA-WRAP too short input data"))); + sessionKey = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, CFDataGetBytePtr(in1), wrappedKeySize, kCFAllocatorNull); + + // Decrypt session key. + CFAssignRetained(sessionKey, SecKeyRunAlgorithmAndCopyResult(context, sessionKey, NULL, error)); + require_quiet(sessionKey, out); + CFIndex keySize = SecKeyGetCFIndexFromRef(CFDictionaryGetValue(parameters, kSecAttrKeySizeInBits)); + keySize = (keySize >= 4096) ? (256 / 8) : (128 / 8); + require_action_quiet(CFDataGetLength(sessionKey) == keySize, out, + SecError(errSecParam, error, CFSTR("RSA-WRAP bad ciphertext, unexpected session key size"))); + + // Decrypt ciphertext using AES-GCM. 
+ plaintext = CFDataCreateMutableWithScratch(SecCFAllocatorZeroize(), CFDataGetLength(in1) - wrappedKeySize - kSecKeyIESTagLength); + tag = CFDataCreateMutableWithScratch(kCFAllocatorDefault, kSecKeyIESTagLength); + CFDataGetBytes(in1, CFRangeMake(CFDataGetLength(in1) - kSecKeyIESTagLength, kSecKeyIESTagLength), + CFDataGetMutableBytePtr(tag)); + const UInt8 *ciphertextBuffer = CFDataGetBytePtr(in1); + ciphertextBuffer += wrappedKeySize; + require_action_quiet(ccgcm_one_shot(ccaes_gcm_decrypt_mode(), + CFDataGetLength(sessionKey), CFDataGetBytePtr(sessionKey), + sizeof(kSecKeyIESIV), kSecKeyIESIV, + CFDataGetLength(pubKeyData), CFDataGetBytePtr(pubKeyData), + CFDataGetLength(plaintext), ciphertextBuffer, CFDataGetMutableBytePtr(plaintext), + kSecKeyIESTagLength, CFDataGetMutableBytePtr(tag)) == 0, out, + SecError(errSecParam, error, CFSTR("RSA-WRAP: Failed to aes-gcm decrypt data"))); + result = CFRetain(plaintext); + +out: + CFReleaseSafe(parameters); + CFReleaseSafe(sessionKey); + CFReleaseSafe(tag); + CFReleaseSafe(pubKeyData); + CFReleaseSafe(pubKey); + CFReleaseSafe(plaintext); + return result; +} + +#define RSA_OAEP_AESGCM_ADAPTOR(hashname) \ +static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEP ## hashname ## AESGCM( \ + SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \ + return SecKeyRSAAESGCMCopyEncryptedData(context, kSecKeyAlgorithmRSAEncryptionOAEP ## hashname, in1, in2, error); \ +} \ +static CFTypeRef SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEP ## hashname ## AESGCM( \ + SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { \ + return SecKeyRSAAESGCMCopyDecryptedData(context, kSecKeyAlgorithmRSAEncryptionOAEP ## hashname, in1, in2, error); \ +} + +RSA_OAEP_AESGCM_ADAPTOR(SHA1) +RSA_OAEP_AESGCM_ADAPTOR(SHA224) +RSA_OAEP_AESGCM_ADAPTOR(SHA256) +RSA_OAEP_AESGCM_ADAPTOR(SHA384) +RSA_OAEP_AESGCM_ADAPTOR(SHA512) + +#undef RSA_OAEP_AESGCM_ADAPTOR + 
+SecKeyAlgorithmAdaptor SecKeyGetAlgorithmAdaptor(SecKeyOperationType operation, SecKeyAlgorithm algorithm) { + static CFDictionaryRef adaptors[kSecKeyOperationTypeCount]; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + const void *signKeys[] = { + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5, + + kSecKeyAlgorithmRSASignatureRaw, + kSecKeyAlgorithmRSASignatureRawCCUnit, + + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5, + + kSecKeyAlgorithmECDSASignatureMessageX962SHA1, + kSecKeyAlgorithmECDSASignatureMessageX962SHA224, + kSecKeyAlgorithmECDSASignatureMessageX962SHA256, + kSecKeyAlgorithmECDSASignatureMessageX962SHA384, + kSecKeyAlgorithmECDSASignatureMessageX962SHA512, + + kSecKeyAlgorithmECDSASignatureDigestX962SHA1, + kSecKeyAlgorithmECDSASignatureDigestX962SHA224, + kSecKeyAlgorithmECDSASignatureDigestX962SHA256, + kSecKeyAlgorithmECDSASignatureDigestX962SHA384, + kSecKeyAlgorithmECDSASignatureDigestX962SHA512, + }; + const void *signValues[] = { + SecKeyAlgorithmAdaptorCopyResult_Sign_RSASignatureDigestPKCS1v15SHA1, + SecKeyAlgorithmAdaptorCopyResult_Sign_RSASignatureDigestPKCS1v15SHA224, + SecKeyAlgorithmAdaptorCopyResult_Sign_RSASignatureDigestPKCS1v15SHA256, + SecKeyAlgorithmAdaptorCopyResult_Sign_RSASignatureDigestPKCS1v15SHA384, + SecKeyAlgorithmAdaptorCopyResult_Sign_RSASignatureDigestPKCS1v15SHA512, + SecKeyAlgorithmAdaptorCopyResult_Sign_RSASignatureDigestPKCS1v15Raw, + 
SecKeyAlgorithmAdaptorCopyResult_Sign_RSASignatureDigestPKCS1v15MD5, + + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureRaw, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureRawCCUnit, + + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA1, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA224, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA256, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA384, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA512, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15MD5, + + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA1, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA224, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA256, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA384, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA512, + + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA1, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA224, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA256, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA384, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA512, + }; + check_compile_time(array_size(signKeys) == array_size(signValues)); + adaptors[kSecKeyOperationTypeSign] = CFDictionaryCreate(kCFAllocatorDefault, signKeys, signValues, + array_size(signKeys), &kCFTypeDictionaryKeyCallBacks, NULL); + + const void *verifyKeys[] = { + kSecKeyAlgorithmRSASignatureRaw, + + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384, + 
kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw, + kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5, + + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA224, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512, + kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5, + + kSecKeyAlgorithmECDSASignatureMessageX962SHA1, + kSecKeyAlgorithmECDSASignatureMessageX962SHA224, + kSecKeyAlgorithmECDSASignatureMessageX962SHA256, + kSecKeyAlgorithmECDSASignatureMessageX962SHA384, + kSecKeyAlgorithmECDSASignatureMessageX962SHA512, + + kSecKeyAlgorithmECDSASignatureDigestX962SHA1, + kSecKeyAlgorithmECDSASignatureDigestX962SHA224, + kSecKeyAlgorithmECDSASignatureDigestX962SHA256, + kSecKeyAlgorithmECDSASignatureDigestX962SHA384, + kSecKeyAlgorithmECDSASignatureDigestX962SHA512, + }; + const void *verifyValues[] = { + SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureRaw, + + SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureDigestPKCS1v15SHA1, + SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureDigestPKCS1v15SHA224, + SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureDigestPKCS1v15SHA256, + SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureDigestPKCS1v15SHA384, + SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureDigestPKCS1v15SHA512, + SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureDigestPKCS1v15Raw, + SecKeyAlgorithmAdaptorCopyResult_Verify_RSASignatureDigestPKCS1v15MD5, + + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA1, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA224, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA256, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA384, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15SHA512, + 
SecKeyAlgorithmAdaptorCopyResult_SignVerify_RSASignatureMessagePKCS1v15MD5, + + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA1, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA224, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA256, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA384, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureMessageX962SHA512, + + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA1, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA224, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA256, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA384, + SecKeyAlgorithmAdaptorCopyResult_SignVerify_ECDSASignatureDigestX962SHA512, + }; + check_compile_time(array_size(verifyKeys) == array_size(verifyValues)); + adaptors[kSecKeyOperationTypeVerify] = CFDictionaryCreate(kCFAllocatorDefault, verifyKeys, verifyValues, + array_size(verifyKeys), &kCFTypeDictionaryKeyCallBacks, NULL); + + const void *encryptKeys[] = { + kSecKeyAlgorithmRSAEncryptionRaw, + kSecKeyAlgorithmRSAEncryptionRawCCUnit, + + kSecKeyAlgorithmRSAEncryptionPKCS1, + kSecKeyAlgorithmRSAEncryptionOAEPSHA1, + kSecKeyAlgorithmRSAEncryptionOAEPSHA224, + kSecKeyAlgorithmRSAEncryptionOAEPSHA256, + kSecKeyAlgorithmRSAEncryptionOAEPSHA384, + kSecKeyAlgorithmRSAEncryptionOAEPSHA512, + + kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM, + kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM, + kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM, + kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM, + kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM, + + kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM, + kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM, + kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM, + kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM, + 
kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM, + + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM, + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM, + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM, + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM, + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM, + }; + const void *encryptValues[] = { + SecKeyAlgorithmAdaptorCopyResult_EncryptDecrypt_RSAEncryptionRaw, + SecKeyAlgorithmAdaptorCopyResult_EncryptDecrypt_RSAEncryptionRawCCUnit, + + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionPKCS1, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA1, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA224, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA256, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA384, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA512, + + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA1AESGCM, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA224AESGCM, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA256AESGCM, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA384AESGCM, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_RSAEncryptionOAEPSHA512AESGCM, + + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESStandardX963SHA1, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESStandardX963SHA224, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESStandardX963SHA256, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESStandardX963SHA384, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESStandardX963SHA512, + + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESCofactorX963SHA1, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESCofactorX963SHA224, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESCofactorX963SHA256, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESCofactorX963SHA384, + SecKeyAlgorithmAdaptorCopyResult_Encrypt_ECIESCofactorX963SHA512, + }; + 
check_compile_time(array_size(encryptKeys) == array_size(encryptValues)); + adaptors[kSecKeyOperationTypeEncrypt] = CFDictionaryCreate(kCFAllocatorDefault, encryptKeys, encryptValues, + array_size(encryptKeys), &kCFTypeDictionaryKeyCallBacks, NULL); + + const void *decryptKeys[] = { + kSecKeyAlgorithmRSAEncryptionRaw, + kSecKeyAlgorithmRSAEncryptionRawCCUnit, + + kSecKeyAlgorithmRSAEncryptionPKCS1, + kSecKeyAlgorithmRSAEncryptionOAEPSHA1, + kSecKeyAlgorithmRSAEncryptionOAEPSHA224, + kSecKeyAlgorithmRSAEncryptionOAEPSHA256, + kSecKeyAlgorithmRSAEncryptionOAEPSHA384, + kSecKeyAlgorithmRSAEncryptionOAEPSHA512, + + kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM, + kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM, + kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM, + kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM, + kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM, + + kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM, + kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM, + kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM, + kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM, + kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM, + + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM, + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM, + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM, + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM, + kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM, + + kSecKeyAlgorithmECIESEncryptionAKSSmartCard, + }; + const void *decryptValues[] = { + SecKeyAlgorithmAdaptorCopyResult_EncryptDecrypt_RSAEncryptionRaw, + SecKeyAlgorithmAdaptorCopyResult_EncryptDecrypt_RSAEncryptionRawCCUnit, + + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionPKCS1, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA1, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA224, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA256, + 
SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA384, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA512, + + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA1AESGCM, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA224AESGCM, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA256AESGCM, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA384AESGCM, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_RSAEncryptionOAEPSHA512AESGCM, + + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESStandardX963SHA1, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESStandardX963SHA224, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESStandardX963SHA256, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESStandardX963SHA384, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESStandardX963SHA512, + + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESCofactorX963SHA1, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESCofactorX963SHA224, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESCofactorX963SHA256, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESCofactorX963SHA384, + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIESCofactorX963SHA512, + + SecKeyAlgorithmAdaptorCopyResult_Decrypt_ECIES_Standard_SHA256_2PubKeys, + }; + check_compile_time(array_size(decryptKeys) == array_size(decryptValues)); + adaptors[kSecKeyOperationTypeDecrypt] = CFDictionaryCreate(kCFAllocatorDefault, decryptKeys, decryptValues, + array_size(decryptKeys), &kCFTypeDictionaryKeyCallBacks, NULL); + + const void *keyExchangeKeys[] = { + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA1, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA224, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA256, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA384, + kSecKeyAlgorithmECDHKeyExchangeStandardX963SHA512, + + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA1, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA224, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA256, + 
kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA384, + kSecKeyAlgorithmECDHKeyExchangeCofactorX963SHA512, + }; + const void *keyExchangeValues[] = { + + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHStandardX963SHA1, + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHStandardX963SHA224, + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHStandardX963SHA256, + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHStandardX963SHA384, + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHStandardX963SHA512, + + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHCofactorX963SHA1, + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHCofactorX963SHA224, + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHCofactorX963SHA256, + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHCofactorX963SHA384, + SecKeyAlgorithmAdaptorCopyResult_KeyExchange_ECDHCofactorX963SHA512, + }; + check_compile_time(array_size(keyExchangeKeys) == array_size(keyExchangeKeys)); + adaptors[kSecKeyOperationTypeKeyExchange] = CFDictionaryCreate(kCFAllocatorDefault, keyExchangeKeys, keyExchangeValues, + array_size(keyExchangeKeys), &kCFTypeDictionaryKeyCallBacks, NULL); + }); + + return CFDictionaryGetValue(adaptors[operation], algorithm); +} diff --git a/OSX/sec/Security/SecKeyInternal.h b/OSX/sec/Security/SecKeyInternal.h index 1125051b..73cedd87 100644 --- a/OSX/sec/Security/SecKeyInternal.h +++ b/OSX/sec/Security/SecKeyInternal.h 
@@ -36,6 +36,24 @@ __BEGIN_DECLS extern struct ccrng_state *ccrng_seckey; CFIndex SecKeyGetAlgorithmIdentifier(SecKeyRef key); +enum { + // Keep in sync with SecKeyOperationType enum in SecKey.h + kSecKeyOperationTypeCount = 5 +}; + +typedef struct { + SecKeyRef key; + SecKeyOperationType operation; + CFMutableArrayRef algorithm; + SecKeyOperationMode mode; +} SecKeyOperationContext; + +typedef CFTypeRef (*SecKeyAlgorithmAdaptor)(SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error); + +void SecKeyOperationContextDestroy(SecKeyOperationContext *context); +CFTypeRef SecKeyRunAlgorithmAndCopyResult(SecKeyOperationContext *context, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error); +SecKeyAlgorithmAdaptor SecKeyGetAlgorithmAdaptor(SecKeyOperationType operation, SecKeyAlgorithm algorithm); + __END_DECLS #endif /* !_SECURITY_SECKEYINTERNAL_H_ */ diff --git a/OSX/sec/Security/SecKeyPriv.h b/OSX/sec/Security/SecKeyPriv.h index b6da6d0e..b2d7bfcd 100644 --- a/OSX/sec/Security/SecKeyPriv.h +++ b/OSX/sec/Security/SecKeyPriv.h @@ -37,6 +37,7 @@ #include <Security/SecAsn1Types.h> #include <CoreFoundation/CFRuntime.h> #include <CoreFoundation/CoreFoundation.h> +#include <CoreFoundation/CFDictionary.h> __BEGIN_DECLS @@ -97,6 +98,11 @@ enum { }; +typedef CF_ENUM(CFIndex, SecKeyOperationMode) { + kSecKeyOperationModePerform = 0, + kSecKeyOperationModeCheckIfSupported = 1, +}; + typedef OSStatus (*SecKeyInitMethod)(SecKeyRef, const uint8_t *, CFIndex, SecKeyEncoding); typedef void (*SecKeyDestroyMethod)(SecKeyRef); 
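Review bot: `kSecKeyOperationTypeCount = 5` is tied to the public SecKeyOperationType enum only by a comment, and its consumer `SecKeyGetAlgorithmAdaptor` (visible above) indexes `adaptors[operation]` with no range check, so a future enum member would make that lookup read past the `adaptors[kSecKeyOperationTypeCount]` array. Pin it at compile time where the tables are built, e.g. `check_compile_time(kSecKeyOperationTypeKeyExchange + 1 == kSecKeyOperationTypeCount);` (the macro is already used for the adaptor tables and KeyExchange is the highest index they fill), or have the lookup return NULL for `operation >= kSecKeyOperationTypeCount`. While there, the last table check above compares `array_size(keyExchangeKeys)` with itself instead of with `keyExchangeValues`. The new struct also deserves a comment: `algorithm` is the mutable chain of algorithm identifiers traversed so far (its last entry is the one being performed) and `mode` selects between performing the operation and only probing support.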
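Review bot: `SecKeyOperationMode` is introduced without any comment, although the method typedef that consumes it says `in1`/`in2` are only meaningful in ModePerform, and the dispatch code above passes `NULL, NULL` whenever the mode is not Perform. State the contract on the enum itself so backend authors do not dereference the inputs while probing support: `// Perform: run the operation on in1/in2.  CheckIfSupported: only report whether key+algorithm can do it; in1/in2 are not supplied (NULL) and must not be used.` The "NULL" part is my reading of the adaptor call sites, so confirm it against the dispatcher before committing to it.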
@@ -123,7 +129,25 @@ typedef CFDataRef (*SecKeyCopyWrapKeyMethod)(SecKeyRef key, SecKeyWrapType type, typedef CFDataRef (*SecKeyCopyUnwrapKeyMethod)(SecKeyRef key, SecKeyWrapType type, CFDataRef wrappedKey, CFDictionaryRef parameters, CFDictionaryRef *outParam, CFErrorRef *error); typedef CFStringRef (*SecKeyDescribeMethod)(SecKeyRef key); -#define kSecKeyDescriptorVersion (3) +typedef CFDataRef (*SecKeyCopyExternalRepresentationMethod)(SecKeyRef key, CFErrorRef *error); +typedef SecKeyRef (*SecKeyCopyPublicKeyMethod)(SecKeyRef key); +typedef Boolean (*SecKeyIsEqualMethod)(SecKeyRef key1, SecKeyRef key2); + +/*! + @abstract Performs cryptographic operation with the key. + @param key Key to perform the operation on. + @param operation Type of operation to be performed. + @param algorithm Algorithm identifier for the operation. Determines format of input and output data. + @param allAlgorithms Array of algorithms which were traversed until we got to this operation. The last member of this array is always the same as @c algorithm parameter. + @param mode Mode in which the operation is performed. Two available modes are checking only if the operation can be performed or actually performing the operation. + @param in1 First input parameter for the operation, meaningful only in ModePerform. + @param in2 Second input parameter for the operation, meaningful only in ModePerform. + @param error Error details when NULL is returned. + @return NULL if some failure occured. kCFNull if operation/algorithm/key combination is not supported, otherwise the result of the operation or kCFBooleanTrue in ModeCheckIfSupported. + */ +typedef CFTypeRef(*SecKeyCopyOperationResultMethod)(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, CFArrayRef allAlgorithms, SecKeyOperationMode mode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error); + +#define kSecKeyDescriptorVersion (4) typedef struct __SecKeyDescriptor { /* Version of this SecKeyDescriptor. 
Must be kSecKeyDescriptorVersion. */ @@ -169,6 +193,12 @@ typedef struct __SecKeyDescriptor { SecKeyCopyWrapKeyMethod copyWrapKey; SecKeyCopyUnwrapKeyMethod copyUnwrapKey; #endif +#if kSecKeyDescriptorVersion > 3 + SecKeyCopyExternalRepresentationMethod copyExternalRepresentation; + SecKeyCopyPublicKeyMethod copyPublicKey; + SecKeyCopyOperationResultMethod copyOperationResult; + SecKeyIsEqualMethod isEqual; +#endif } SecKeyDescriptor; struct __SecKey { @@ -176,6 +206,12 @@ struct __SecKey { const SecKeyDescriptor *key_class; +#if !TARGET_OS_IPHONE + // On OSX, keep optional SecKeyRef which holds dynamically, on-demand created CSSM-based key with the same + // key material. It is used to implement SecKeyGetCSSMKey(). + SecKeyRef cdsaKey; +#endif + /* The actual key handled by class. */ void *key; }; @@ -259,6 +295,12 @@ SecKeyRef SecKeyCreateFromPublicBytes(CFAllocatorRef allocator, CFIndex algorith SecKeyRef SecKeyCreateFromPublicData(CFAllocatorRef allocator, CFIndex algorithmID, CFDataRef serialized); CFDataRef SecKeyCopyPublicKeyHash(SecKeyRef key); +/* This function directly creates an iOS-format SecKeyRef from public key bytes. */ +SecKeyRef SecKeyCreateRSAPublicKey_ios(CFAllocatorRef allocator, + const uint8_t *keyData, CFIndex keyDataLength, + SecKeyEncoding encoding); + + CF_RETURNS_RETAINED CFDictionaryRef SecKeyGeneratePrivateAttributeDictionary(SecKeyRef key, CFTypeRef keyType, 
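Review bot: The doc for `SecKeyCopyOperationResultMethod` lists three return states (NULL, kCFNull, a result or kCFBooleanTrue) but does not say whether a non-NULL result is returned retained, nor whether `*error` is left untouched on the kCFNull path, and callers in this commit CFRelease what the dispatcher hands back. Make the `@return` line explicit: `@return NULL with *error set on failure; kCFNull (not retained) when the key/algorithm/operation combination is unsupported; otherwise a +1 retained result, or kCFBooleanTrue in ModeCheckIfSupported.` The retained-ness is what the Copy prefix and the CFReleaseSafe calls imply, so confirm against the implementations. Also "occured" should read "occurred". The `__SecKeyDescriptor` struct this version bump governs continues past the hunk.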
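Review bot: `cdsaKey` is described as created on demand, but nothing says under which lock that happens or that the owning SecKey releases it, and a lazily filled field in a shared object is a classic double-create race when two threads call `SecKeyGetCSSMKey()` at once. The creation and teardown code is outside this hunk, so this may already be handled; if so, record it on the field: `// Lazily created by SecKeyGetCSSMKey(); creation is serialized (TODO: name the lock) and the key is released in the SecKey destructor.` If it is not serialized, an atomic compare-and-swap on first assignment that releases the loser's copy is the minimal fix.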
@@ -367,6 +409,76 @@ CFDataRef _SecKeyCopyUnwrapKey(SecKeyRef key, SecKeyWrapType type, CFDataRef wrappedKey, CFDictionaryRef parameters, CFDictionaryRef *outParam, CFErrorRef *error) __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); +/*! + @enum SecKeyAttestationKeyType + @abstract Defines types of builtin attestation keys. +*/ +typedef CF_ENUM(uint32_t, SecKeyAttestationKeyType) +{ + kSecKeyAttestationKeyTypeSIK = 0, + kSecKeyAttestationKeyTypeGID +} __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCopyAttestationKey + @abstract Returns a copy of a builtin attestation key. + + @param keyType Type of the requested builtin key. + @param error An optional pointer to a CFErrorRef. This value is set if an error occurred. + + @result On success a SecKeyRef containing the requested key is returned, on failure it returns NULL. +*/ +SecKeyRef SecKeyCopyAttestationKey(SecKeyAttestationKeyType keyType, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeyCreateAttestation + @abstract Attests a key with another key. + + @param key The attesting key. + @param keyToAttest The key which is to be attested. + @param error An optional pointer to a CFErrorRef. This value is set if an error occurred. + + @result On success a CFDataRef containing the attestation data is returned, on failure it returns NULL. + + @discussion Key attestation only works for CTK SEP keys, i.e. keys created with kSecAttrTokenID=kSecAttrTokenIDSecureEnclave. +*/ +CFDataRef SecKeyCreateAttestation(SecKeyRef key, SecKeyRef keyToAttest, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecKeySetParameter + @abstract Sets unspecified key parameter for the backend. + + @param key Key to set the parameter to. + @param name Identifies parameter to be set. 
+ @param value New value for the parameter. + @param error Error which gathers more information when something went wrong. + + @discussion Serves as channel between SecKey client and backend for passing additional sideband data send from SecKey caller + to SecKey implementation backend (currently only CTK-based token backend is supported). Parameter names and types are + a contract between SecKey user (application) and backend and are not interpreted by SecKey layer in any way. + */ +Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + Algorithms for converting between bigendian and core-crypto ccunit data representation. + */ +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureRawCCUnit; +extern const SecKeyAlgorithm kSecKeyAlgorithmRSAEncryptionRawCCUnit; + +/*! + Internal algorithm for RSA-MD5. We do not want to export MD5 in new API, but we need it + for implementing legacy interfaces. + */ +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureDigestPKCS1v15MD5; +extern const SecKeyAlgorithm kSecKeyAlgorithmRSASignatureMessagePKCS1v15MD5; + +/*! + Algorithms for interoperability with libaks smartcard support. + */ +extern const SecKeyAlgorithm kSecKeyAlgorithmECIESEncryptionAKSSmartCard; __END_DECLS diff --git a/OSX/sec/Security/SecOTRFullIdentity.c b/OSX/sec/Security/SecOTRFullIdentity.c index 2d5c4dff..877863eb 100644 --- a/OSX/sec/Security/SecOTRFullIdentity.c +++ b/OSX/sec/Security/SecOTRFullIdentity.c @@ -35,6 +35,7 @@ #include <CoreFoundation/CFData.h> #include <Security/SecItem.h> +#include <Security/SecItemPriv.h> #include <Security/SecKeyPriv.h> #include <Security/oidsalg.h> 
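Review bot: `SecKeyCreateAttestation` documents neither the constraints on `key` nor what the returned blob contains or binds, which is exactly what a verifier needs before it can trust an attestation. The @discussion only says keyToAttest must be a Secure Enclave key; add whether `key` must be one of the builtin keys from `SecKeyCopyAttestationKey` (and what SIK versus GID is for), that the output format is backend-defined and must be treated as opaque by callers, and what it is bound to (at least the attested public key, I would assume) — I am inferring these from the surrounding API, so fill them in from the CTK implementation. `SecKeySetParameter` states that names and values go to the backend uninterpreted; add one sentence that the SecKey layer performs no validation, so the token backend must treat `value` as untrusted input. Minor: "sideband data send from" should read "sent from".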
@@ -51,6 +52,8 @@ #define kMessageIdentityRSAKeyBits 1280 #define kMessageIdentityECKeyBits 256 +const SecAsn1AlgId *kOTRSignatureAlgIDPtr; + void EnsureOTRAlgIDInited(void) { static dispatch_once_t kSignatureAlgID_ONCE; @@ -146,12 +149,6 @@ fail: return (pubID != NULL); // This is safe because we're not accessing the value after release, just checking if it ever had a value of some nature. } -#if !TARGET_OS_IPHONE && !TARGET_IPHONE_SIMULATOR -#define SEC_CONST_DECL(k,v) const CFStringRef k = CFSTR(v); -SEC_CONST_DECL (kSecAttrAccessible, "pdmn"); -SEC_CONST_DECL (kSecAttrAccessibleAlwaysThisDeviceOnly, "dku"); -#endif - static SecKeyRef SecOTRCreateSigningKey(CFAllocatorRef allocator) { SecKeyRef publicKey = NULL; SecKeyRef fullKey = NULL; @@ -169,7 +166,7 @@ static SecKeyRef SecOTRCreateSigningKey(CFAllocatorRef allocator) { const void *signing_keygen_vals[] = { kSecAttrKeyTypeEC, signing_bitsize, kCFBooleanTrue, - kSecAttrAccessibleAlwaysThisDeviceOnly, + kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, sSigningKeyName }; keygen_parameters = CFDictionaryCreate(allocator, @@ -469,6 +466,10 @@ size_t SecOTRFISignatureSize(SecOTRFullIdentityRef fullID) return SecKeyGetSize(fullID->publicSigningKey, kSecKeySignatureSize); } +bool SecOTRFICompareToPublicKey(SecOTRFullIdentityRef fullID, SecKeyRef publicKey) { + return CFEqualSafe(fullID->publicSigningKey, publicKey); +} + bool SecOTRFIAppendSignature(SecOTRFullIdentityRef fullID, CFDataRef dataToHash, CFMutableDataRef appendTo, diff --git a/OSX/sec/Security/SecOTRIdentityPriv.h b/OSX/sec/Security/SecOTRIdentityPriv.h index cebbfb48..b747719f 100644 --- a/OSX/sec/Security/SecOTRIdentityPriv.h +++ b/OSX/sec/Security/SecOTRIdentityPriv.h @@ -74,7 +74,7 @@ enum SecOTRError { secOTRErrorOSError, }; -const SecAsn1AlgId *kOTRSignatureAlgIDPtr; +extern const SecAsn1AlgId *kOTRSignatureAlgIDPtr; void EnsureOTRAlgIDInited(void); // Private functions for Public and Full IDs 
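Review bot: The OTR signing key is still generated with the `Always…ThisDeviceOnly` family, the weakest keychain protection class (usable while the device is locked), and switching to the `…Private` variant leaves no explanation of why this private key needs that. A later reader will otherwise "harden" it to an after-first-unlock or when-unlocked class and break locked-device operation, so add a why-comment on the attribute: `// Must stay usable while the device is locked: OTR sessions are driven in the background by keychain syncing — TODO confirm`. The background-use reason is my inference from the rest of this commit (IDS/KVS syncing proxies); `SecOTRCreateSigningKey` continues outside the hunk.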
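Review bot: `SecOTRFICompareToPublicKey` compares two SecKeyRefs with `CFEqualSafe`, which only means "same key material" if the key's class implements the `isEqual` descriptor method this commit adds; for a class without it CFEqual presumably degrades to pointer identity, and a peer key parsed from bytes would then never match the stored one, so the function would silently answer false. Document the dependency and the NULL behaviour at the definition: `// True iff publicKey is the same key as our public signing key (per the SecKey class's isEqual); NULL matches only NULL.` The NULL clause is my reading of CFEqualSafe, so confirm it. A unit test comparing against a fresh SecKeyRef built from the exported bytes of the signing key would pin the intended semantics.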
@@ -90,6 +90,8 @@ bool SecOTRFIComparePublicHash(SecOTRFullIdentityRef fullID, const uint8_t hash[ size_t SecOTRFISignatureSize(SecOTRFullIdentityRef privateID); +bool SecOTRFICompareToPublicKey(SecOTRFullIdentityRef fullID, SecKeyRef publicKey); + bool SecOTRPIVerifySignature(SecOTRPublicIdentityRef publicID, const uint8_t *dataToHash, size_t amountToHash, const uint8_t *signatureStart, size_t signatureSize, CFErrorRef *error); @@ -104,6 +106,9 @@ void SecOTRPIAppendHash(SecOTRPublicIdentityRef publicID, CFMutableDataRef appen bool SecOTRPICompareHash(SecOTRPublicIdentityRef publicID, const uint8_t hash[kMPIDHashSize]); +bool SecOTRPICompareToPublicKey(SecOTRPublicIdentityRef publicID, SecKeyRef publicKey); + + // Utility streaming functions OSStatus insertSize(CFIndex size, uint8_t* here); OSStatus appendSize(CFIndex size, CFMutableDataRef into); diff --git a/OSX/sec/Security/SecOTRPublicIdentity.c b/OSX/sec/Security/SecOTRPublicIdentity.c index aeefde2c..fdec642e 100644 --- a/OSX/sec/Security/SecOTRPublicIdentity.c +++ b/OSX/sec/Security/SecOTRPublicIdentity.c @@ -119,6 +119,10 @@ void SecOTRAdvertiseHashes(bool advertise) { sAdvertiseHashes = advertise; } +bool SecOTRPICompareToPublicKey(SecOTRPublicIdentityRef pubID, SecKeyRef publicKey) { + return CFEqualSafe(pubID->publicSigningKey, publicKey); +} + SecOTRPublicIdentityRef SecOTRPublicIdentityCopyFromPrivate(CFAllocatorRef allocator, SecOTRFullIdentityRef fullID, CFErrorRef *error) { SecOTRPublicIdentityRef result = CFTypeAllocate(SecOTRPublicIdentity, struct _SecOTRPublicIdentity, allocator); 
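Review bot: `SecOTRPICompareToPublicKey` reads `pubID->publicSigningKey` unconditionally, so a NULL identity crashes here even though `CFEqualSafe` itself would simply return false; `return pubID != NULL && CFEqualSafe(pubID->publicSigningKey, publicKey);` keeps the contract total. A short comment on the declaration saying that the comparison is SecKey equality (whatever SecKey's CFEqual compares, which this file does not show) would help callers that pass a key obtained from a different source, such as a freshly parsed peer key.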
@@ -223,7 +227,15 @@ bool SecOTRPIEqualToBytes(SecOTRPublicIdentityRef id, const uint8_t*bytes, CFInd SecOTRPIAppendSerialization(id, idStreamed, NULL); bool equal = CFEqualSafe(dataToMatch, idStreamed); - + + if (!equal) { + CFDataPerformWithHexString(dataToMatch, ^(CFStringRef dataToMatchString) { + CFDataPerformWithHexString(idStreamed, ^(CFStringRef idStreamedString) { + secnotice("otr", "ID Comparison failed: d: %@ id: %@", dataToMatchString, idStreamedString); + }); + }); + } + CFReleaseNull(dataToMatch); CFReleaseNull(idStreamed); diff --git a/OSX/sec/Security/SecOTRSession.c b/OSX/sec/Security/SecOTRSession.c index bb26c714..f3ae8f93 100644 --- a/OSX/sec/Security/SecOTRSession.c +++ b/OSX/sec/Security/SecOTRSession.c @@ -314,6 +314,13 @@ void SecOTRSessionReset(SecOTRSessionRef session) } +static void SecOTRPIPerformWithSerializationString(SecOTRPublicIdentityRef id, void (^action)(CFStringRef string)) { + CFMutableDataRef idData = CFDataCreateMutable(kCFAllocatorDefault, 0); + SecOTRPIAppendSerialization(id, idData, NULL); + CFDataPerformWithHexString(idData, action); + CFReleaseNull(idData); +} + SecOTRSessionRef SecOTRSessionCreateFromID(CFAllocatorRef allocator, SecOTRFullIdentityRef myID, SecOTRPublicIdentityRef theirID) @@ -323,8 +330,8 @@ SecOTRSessionRef SecOTRSessionCreateFromID(CFAllocatorRef allocator, (void)SecOTRGetDefaultsWriteSeconds(); newID->_queue = dispatch_queue_create("OTRSession", DISPATCH_QUEUE_SERIAL); - newID->_me = myID; - newID->_them = theirID; + newID->_me = CFRetainSafe(myID); + newID->_them = CFRetainSafe(theirID); newID->_receivedDHMessage = NULL; newID->_receivedDHKeyMessage = NULL; newID->_myKey = NULL; 
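Review bot: `SecOTRPIPerformWithSerializationString` passes NULL for the error out-parameter of `SecOTRPIAppendSerialization` and ignores its result, so when serialization fails the action receives an empty or partial buffer and the log line reads as if that were the identity. If the function reports failure through its return value, as the `CFErrorRef *` parameter suggests, gate the callback on it: `if (SecOTRPIAppendSerialization(id, idData, NULL)) CFDataPerformWithHexString(idData, action);`, and otherwise log that serialization failed. `CFDataCreateMutable` can also return NULL under allocation failure, which the calls that follow do not tolerate.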
@@ -344,8 +351,15 @@ SecOTRSessionRef SecOTRSessionCreateFromID(CFAllocatorRef allocator, SecOTRSessionResetInternal(newID); - CFRetain(newID->_me); - CFRetain(newID->_them); + { + SecOTRPublicIdentityRef myPublicID = SecOTRPublicIdentityCopyFromPrivate(kCFAllocatorDefault, newID->_me, NULL); + SecOTRPIPerformWithSerializationString(myPublicID, ^(CFStringRef myIDString) { + SecOTRPIPerformWithSerializationString(newID->_them, ^(CFStringRef theirIDString) { + secnotice("otr", "%@ Creating with M: %@, T: %@", newID, myIDString, theirIDString); + }); + }); + CFReleaseNull(myPublicID); + } return newID; } @@ -758,6 +772,18 @@ abort: } +bool SecOTRSIsForKeys(SecOTRSessionRef session, SecKeyRef myPublic, SecKeyRef theirPublic) +{ + __block bool isForKeys = false; + + dispatch_sync(session->_queue, ^{ + isForKeys = SecOTRFICompareToPublicKey(session->_me, myPublic) && + SecOTRPICompareToPublicKey(session->_them, theirPublic); + }); + + return isForKeys; +} + bool SecOTRSGetIsReadyForMessages(SecOTRSessionRef session) { __block bool result; diff --git a/OSX/sec/Security/SecOTRSession.h b/OSX/sec/Security/SecOTRSession.h index 3d2aab63..e6e27835 100644 --- a/OSX/sec/Security/SecOTRSession.h +++ b/OSX/sec/Security/SecOTRSession.h @@ -84,6 +84,7 @@ OSStatus SecOTRSEndSession(SecOTRSessionRef session, CFMutableDataRef messageToSend); +bool SecOTRSIsForKeys(SecOTRSessionRef session, SecKeyRef myPublic, SecKeyRef theirPublic); bool SecOTRSGetIsReadyForMessages(SecOTRSessionRef session); bool SecOTRSGetIsIdle(SecOTRSessionRef session); diff --git a/OSX/sec/Security/SecOTRSessionAKE.c b/OSX/sec/Security/SecOTRSessionAKE.c index c8e18c32..65c4d5c8 100644 --- a/OSX/sec/Security/SecOTRSessionAKE.c +++ b/OSX/sec/Security/SecOTRSessionAKE.c 
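Review bot: `SecOTRPublicIdentityCopyFromPrivate` takes a `CFErrorRef *` and is called here with NULL for it, so its result can presumably be NULL on failure, yet `myPublicID` is handed to `SecOTRPIPerformWithSerializationString` and on into `SecOTRPIAppendSerialization` without a check; a session would then fail to construct because of a log line. Wrap the two nested `PerformWithSerializationString` calls in `if (myPublicID) { ... }` and log `newID->_me` by address in the else case. The retain ordering fix (`CFRetainSafe` at assignment instead of a trailing `CFRetain`) is correct and does not need changing.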
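Review bot: `SecOTRSIsForKeys` is a new public entry point and its declaration in SecOTRSession.h carries no comment, so callers cannot tell what "for keys" means or that it synchronises on the session queue. I would put this above the prototype: `// Returns true if the session was created for exactly this pair of public signing keys (SecKey equality). Runs on the session's serial queue via dispatch_sync, so it must not be called from a block already executing on that queue.` The second sentence is plain GCD behaviour for a serial queue and matches the `dispatch_sync(session->_queue, ...)` the implementation uses.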
@@ -44,10 +44,13 @@ #include <corecrypto/cchmac.h> #include <corecrypto/ccsha2.h> +#include <os/activity.h> + #include <string.h> static void SecOTRInitMyDHKeys(SecOTRSessionRef session) { + CFReleaseNull(session->_myKey); session->_myKey = SecOTRFullDHKCreate(kCFAllocatorDefault); CFReleaseNull(session->_myNextKey); @@ -56,6 +59,8 @@ static void SecOTRInitMyDHKeys(SecOTRSessionRef session) session->_missedAck = true; session->_receivedAck = false; bzero(session->_keyCache, sizeof(session->_keyCache)); + + secnotice("otr", "%@ Reinitializing DH Keys, first: %@", session, session->_myKey); } OSStatus SecOTRSAppendStartPacket(SecOTRSessionRef session, CFMutableDataRef appendPacket) @@ -68,24 +73,27 @@ OSStatus SecOTRSAppendStartPacket(SecOTRSessionRef session, CFMutableDataRef app // Generate r and x and calculate gx: SecOTRInitMyDHKeys(session); - CFMutableDataRef destinationMessage = NULL; - if (session->_textOutput) { - destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0); - } else { - destinationMessage = CFRetainSafe(appendPacket); - } - + CFMutableDataRef dhMessage = CFDataCreateMutable(kCFAllocatorDefault, 0); result = SecRandomCopyBytes(kSecRandomDefault, sizeof(session->_r), session->_r); if (result == errSecSuccess) { - SecOTRAppendDHMessage(session, destinationMessage); - if (session->_textOutput) { - SecOTRPrepareOutgoingBytes(destinationMessage, appendPacket); - } + SecOTRAppendDHMessage(session, dhMessage); } - CFReleaseSafe(destinationMessage); + + CFDataPerformWithHexString(dhMessage, ^(CFStringRef messageString) { + secnotice("otr", "%@ Start packet: %@", session, messageString); + }); + + if (session->_textOutput) { + SecOTRPrepareOutgoingBytes(dhMessage, appendPacket); + } else { + CFDataAppend(appendPacket, dhMessage); + } + + CFReleaseSafe(dhMessage); }); + return result; } 
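Review bot: The new `secnotice` in `SecOTRInitMyDHKeys` prints `session->_myKey` with `%@`, and that object is the full DH key just created by `SecOTRFullDHKCreate`; what reaches the log is whatever its CFDescription callback emits, which this file does not show. If that description includes the private scalar, the freshly generated secret lands in the unified log at notice level on every AKE start and restart. Log something that cannot leak instead, `secnotice("otr", "%@ Reinitializing DH Keys, first: %p", session, session->_myKey);`, or confirm and document in a comment that the description prints only the public half. The `CFReleaseNull(session->_myKey)` added before the reassignment is a correct leak fix and should stay.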
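Review bot: In `SecOTRSAppendStartPacket` the append of `dhMessage` into `appendPacket` is now unconditional, so when `SecRandomCopyBytes` fails and `dhMessage` stays empty, the text-output path still calls `SecOTRPrepareOutgoingBytes` on an empty buffer and the log claims a start packet was produced; before this change nothing was emitted on that path. The caller does receive the error code, but by then whatever `SecOTRPrepareOutgoingBytes` wraps around an empty payload may already be in `appendPacket`. Move the log and the append under the `if (result == errSecSuccess)` branch and add `else { secnotice("otr", "%@ Start packet: random failed %d", session, (int)result); }`. The binary path is unaffected, since `CFDataAppend` of an empty data is a no-op.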
@@ -99,22 +107,24 @@ OSStatus SecOTRSAppendRestartPacket(SecOTRSessionRef session, CFMutableDataRef a result = errSecDecode; return; } - CFMutableDataRef destinationMessage; - if (session->_textOutput) { - destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0); - } else { - destinationMessage = CFRetainSafe(appendPacket); - } + CFMutableDataRef dhMessage = CFDataCreateMutable(kCFAllocatorDefault, 0); session->_state = kAwaitingDHKey; CFReleaseNull(session->_receivedDHMessage); CFReleaseNull(session->_receivedDHKeyMessage); - SecOTRAppendDHMessage(session, destinationMessage); + SecOTRAppendDHMessage(session, dhMessage); + + CFDataPerformWithHexString(dhMessage, ^(CFStringRef messageString) { + secnotice("otr", "%@ Restart packet: %@", session, messageString); + }); + if (session->_textOutput) { - SecOTRPrepareOutgoingBytes(destinationMessage, appendPacket); + SecOTRPrepareOutgoingBytes(dhMessage, appendPacket); + } else { + CFDataAppend(appendPacket, dhMessage); } - CFReleaseSafe(destinationMessage); + CFReleaseSafe(dhMessage); }); return result; @@ -160,9 +170,15 @@ static bool SecOTRMyGXHashIsBigger(SecOTRSessionRef session, CFDataRef dhCommitM require(myHash, fail); require(theirHash, fail); - + mineIsBigger = 0 < memcmp(myHash, theirHash, CCSHA256_OUTPUT_SIZE); + BufferPerformWithHexString(myHash, CCSHA256_OUTPUT_SIZE, ^(CFStringRef myHashString) { + BufferPerformWithHexString(theirHash, CCSHA256_OUTPUT_SIZE, ^(CFStringRef theirHashString) { + secdebug("otr", "%@ %s gx is bigger, M:%@ T:%@", session, mineIsBigger ? "mine" : "their", myHashString, theirHashString); + }); + }); + fail: CFReleaseNull(myDHCommitMessage); return mineIsBigger; 
@@ -174,16 +190,20 @@ static OSStatus SecOTRSProcessDHMessage(SecOTRSessionRef session, { OSStatus result = errSecParam; + CFStringRef messageMessage = CFSTR(""); + switch (session->_state) { case kAwaitingDHKey: // Compare hash values. if (SecOTRMyGXHashIsBigger(session, incomingPacket)) { // If we're bigger we resend to force them to deal. + messageMessage = CFSTR("Our GX is bigger, resending DH"); CFReleaseNull(session->_receivedDHMessage); SecOTRAppendDHMessage(session, negotiationResponse); result = errSecSuccess; break; } // Else intentionally fall through to idle + messageMessage = CFSTR("Our GX is bigger, resending DH"); case kAwaitingSignature: case kIdle: case kDone: @@ -193,6 +213,8 @@ static OSStatus SecOTRSProcessDHMessage(SecOTRSessionRef session, case kAwaitingRevealSignature: SecOTRAppendDHKeyMessage(session, negotiationResponse); + if (messageMessage == 0) + messageMessage = CFSTR("Sending DHKey"); // Keep the packet for use later. CFReleaseNull(session->_receivedDHMessage); session->_receivedDHMessage = CFDataCreateCopy(kCFAllocatorDefault, incomingPacket); @@ -205,6 +227,13 @@ static OSStatus SecOTRSProcessDHMessage(SecOTRSessionRef session, break; } + if (result == errSecSuccess) { + CFDataPerformWithHexString(negotiationResponse, ^(CFStringRef responseString) { + secnotice("otr", "%@ %@: %@", session, messageMessage, responseString); + }); + } else { + secnotice("otr", "%@ Process DH failed %d", session, (int)result); + } return result; } @@ -242,7 +271,8 @@ static OSStatus SecOTRSProcessDHKeyMessage(SecOTRSessionRef session, CFMutableDataRef negotiationResponse) { OSStatus result = errSecUnimplemented; - + CFStringRef messageMessage = CFSTR(""); + result = SecOTRSExtractTheirPublicDHKey(session, incomingPacket); require_noerr(result, exit); 
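Review bot: `messageMessage` is initialised to `CFSTR("")` in `SecOTRSProcessDHMessage`, so the `if (messageMessage == 0)` fallback to "Sending DHKey" in the following hunk can never fire, and the fall-through case additionally assigns `"Our GX is bigger, resending DH"` although that is the branch taken when our hash is smaller; a DHKey reply from `kAwaitingDHKey` is therefore logged as a DH resend and one from any other state with an empty label. Use `CFStringRef messageMessage = NULL;` and `messageMessage = CFSTR("Our GX is smaller, sending DHKey");` on the fall-through line (a `/* fallthrough */` marker there would also help), and the existing NULL check then does its job for the other states. The success branch dumps the full `negotiationResponse` at notice level; that is the DH commit or DHKey message, so public material, but it will be noisy on every restart.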
@@ -253,16 +283,22 @@ static OSStatus SecOTRSProcessDHKeyMessage(SecOTRSessionRef session, session->_state = kAwaitingSignature; session->_receivedDHKeyMessage = CFDataCreateCopy(kCFAllocatorDefault, incomingPacket); result = errSecSuccess; + messageMessage = CFSTR("Sending reveal signature"); break; case kAwaitingSignature: - if (CFEqualSafe(incomingPacket, session->_receivedDHKeyMessage)) + if (CFEqualSafe(incomingPacket, session->_receivedDHKeyMessage)) { SecOTRAppendRevealSignatureMessage(session, negotiationResponse); + messageMessage = CFSTR("Resending reveal signature"); + } else { + messageMessage = CFSTR("Ignoring new DHKey message"); + } result = errSecSuccess; break; case kIdle: case kDone: case kAwaitingRevealSignature: result = errSecSuccess; + messageMessage = CFSTR("Ignoring DHKey message"); break; default: result = errSecInteractionNotAllowed; @@ -270,6 +306,14 @@ static OSStatus SecOTRSProcessDHKeyMessage(SecOTRSessionRef session, } exit: + if (result == errSecSuccess) { + CFDataPerformWithHexString(negotiationResponse, ^(CFStringRef responseString) { + secnotice("otr", "%@ %@: %@", session, messageMessage, responseString); + }); + } else { + secnotice("otr", "%@ Process DH failed %d", session, (int)result); + } + return result; } @@ -412,7 +456,7 @@ static OSStatus SecVerifySignatureAndMac(SecOTRSessionRef session, const uint8_t *macStart = *signatureAndMacBytes + xbSize; // check the outer hmac - require_action(0 == memcmp(macStart, signatureMac, kSHA256HMAC160Bytes), exit, result = errSecDecode); + require_action(0 == cc_cmp_safe(kSHA256HMAC160Bytes, macStart, signatureMac), exit, result = errSecDecode); { 
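Review bot: The failure log at `exit:` in `SecOTRSProcessDHKeyMessage` reads `"%@ Process DH failed %d"`, the same text `SecOTRSProcessDHMessage` emits, so a failed `SecOTRSExtractTheirPublicDHKey` is indistinguishable in the log from a failed DH-commit. `secnotice("otr", "%@ Process DHKey failed %d", session, (int)result);` keeps the two apart. Also, when `require_noerr` jumps to `exit:` the `messageMessage` set above is never used, which is fine, but note that `negotiationResponse` is dumped only on success, so nothing attacker-supplied is logged on this path.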
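Review bot: Switching the outer HMAC comparison in `SecVerifySignatureAndMac` from `memcmp` to `cc_cmp_safe` is the right fix, but nothing marks it as deliberate, and a future tidy-up could revert it to the "simpler" call. A comment on the line, `// constant-time compare: the MAC check must not leak the position of the first mismatching byte`, records the intent. `SecVerifySignatureAndMac` begins and ends outside this hunk, so I cannot see whether any other comparison of peer-supplied MAC or signature bytes in it still uses `memcmp`.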
@@ -491,7 +535,18 @@ static OSStatus SecOTRSProcessRevealSignatureMessage(SecOTRSessionRef session, session->_state = kDone; result = errSecSuccess; + + CFDataPerformWithHexString(negotiationResponse, ^(CFStringRef responseString) { + secnotice("otr", "%@ Sending Signature message: %@", session, responseString); + }); + exit: + + if (result != errSecSuccess) { + CFDataPerformWithHexString(incomingPacket, ^(CFStringRef incomingString) { + secnotice("otr", "%@ Failed to process reveal sig message (%d): %@", session, (int)result, incomingString); + }); + } return result; } 
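Review bot: The new failure path in `SecOTRSProcessRevealSignatureMessage` hex-dumps the entire `incomingPacket` at notice level whenever processing fails, and that packet comes straight from the peer before the handshake has authenticated anyone; an unauthenticated sender can therefore push arbitrary bytes into the unified log at will, and every failed handshake's payload is persisted. Logging the length and the error is enough to debug this: `secnotice("otr", "%@ Failed to process reveal sig message (%d), %ld bytes", session, (int)result, (long)CFDataGetLength(incomingPacket));`, keeping the full dump at `secdebug` if it is needed at all. The function begins outside this hunk, so I cannot see whether `incomingPacket` can be NULL when control reaches `exit:`.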
@@ -530,49 +585,54 @@ OSStatus SecOTRSProcessPacket(SecOTRSessionRef session, require(CFDataGetLength(incomingPacket) > 0, fail); dispatch_sync(session->_queue, ^{ - CFDataRef decodedBytes = SecOTRCopyIncomingBytes(incomingPacket); + os_activity_initiate("OTR Process Packet", OS_ACTIVITY_FLAG_DEFAULT, ^{ + CFDataRef decodedBytes = SecOTRCopyIncomingBytes(incomingPacket); - const uint8_t* bytes = CFDataGetBytePtr(decodedBytes); - size_t size = CFDataGetLength(decodedBytes); + const uint8_t* bytes = CFDataGetBytePtr(decodedBytes); + size_t size = CFDataGetLength(decodedBytes); - OTRMessageType packetType = kInvalidMessage; - if (ReadHeader(&bytes, &size, &packetType)) - packetType = kInvalidMessage; + OTRMessageType packetType = kInvalidMessage; + if (ReadHeader(&bytes, &size, &packetType)) + packetType = kInvalidMessage; - CFMutableDataRef destinationMessage; - if (session->_textOutput) { - destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0); - } else { - destinationMessage = CFRetainSafe(negotiationResponse); - } + CFMutableDataRef destinationMessage; + if (session->_textOutput) { + destinationMessage = CFDataCreateMutable(kCFAllocatorDefault, 0); + } else { + destinationMessage = CFRetainSafe(negotiationResponse); + } - switch (packetType) { - case kDHMessage: - result = SecOTRSProcessDHMessage(session, decodedBytes, destinationMessage); - break; - case kDHKeyMessage: - result = SecOTRSProcessDHKeyMessage(session, decodedBytes, destinationMessage); - break; - case kRevealSignatureMessage: - result = SecOTRSProcessRevealSignatureMessage(session, decodedBytes, destinationMessage); - break; - case kSignatureMessage: - result = SecOTRSProcessSignatureMessage(session, decodedBytes, destinationMessage); - break; - default: - result = errSecDecode; - break; - }; - - if (result != errSecSuccess) { - secnotice("session", "Error %d processing packet type %d, session state %d, keyid %d, myKey %p, myNextKey %p, theirKeyId %d, theirKey %p, theirPreviousKey %p, 
bytes %@", (int)result, packetType, session->_state, session->_keyID, session->_myKey, session->_myNextKey, session->_theirKeyID, session->_theirKey, session->_theirPreviousKey, decodedBytes); - } - - if (session->_textOutput) { - SecOTRPrepareOutgoingBytes(destinationMessage, negotiationResponse); - } - CFReleaseSafe(destinationMessage); - CFReleaseSafe(decodedBytes); + switch (packetType) { + case kDHMessage: + result = SecOTRSProcessDHMessage(session, decodedBytes, destinationMessage); + break; + case kDHKeyMessage: + result = SecOTRSProcessDHKeyMessage(session, decodedBytes, destinationMessage); + break; + case kRevealSignatureMessage: + result = SecOTRSProcessRevealSignatureMessage(session, decodedBytes, destinationMessage); + break; + case kSignatureMessage: + result = SecOTRSProcessSignatureMessage(session, decodedBytes, destinationMessage); + break; + default: + result = errSecDecode; + break; + }; + + if (result != errSecSuccess) { + CFDataPerformWithHexString(decodedBytes, ^(CFStringRef bytesString) { + secnotice("session", "%@ Error %d processing packet type %d, session state %d, keyid %d, myKey %p, myNextKey %p, theirKeyId %d, theirKey %p, theirPreviousKey %p, bytes %@", session, (int)result, packetType, session->_state, session->_keyID, session->_myKey, session->_myNextKey, session->_theirKeyID, session->_theirKey, session->_theirPreviousKey, bytesString); + + }); + } + + if (session->_textOutput) { + SecOTRPrepareOutgoingBytes(destinationMessage, negotiationResponse); + } + CFReleaseSafe(destinationMessage); + CFReleaseSafe(decodedBytes); + }); }); fail: diff --git a/OSX/sec/Security/SecPasswordGenerate.c b/OSX/sec/Security/SecPasswordGenerate.c index e3e01d06..009516f8 100644 --- a/OSX/sec/Security/SecPasswordGenerate.c +++ b/OSX/sec/Security/SecPasswordGenerate.c 
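Review bot: `decodedBytes` from `SecOTRCopyIncomingBytes` goes straight into `CFDataGetBytePtr` and `CFDataGetLength` inside the new `os_activity_initiate` block with no NULL check; if that helper can return NULL for a text-mode packet that fails to decode, this is a crash on peer-controlled input, and the restructuring was the moment to add the guard. Inside the block it is two lines placed before the `CFDataGetBytePtr` call: `if (decodedBytes == NULL) { result = errSecDecode; return; }`. The error log also prints six object pointers with `%p`; they reveal heap layout and rarely help, so `%@` or dropping them is preferable. `result` must already be `__block` for the assignments inside the nested blocks, and its declaration is outside this hunk.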
@@ -249,6 +249,31 @@ bool SecPasswordIsPasswordWeak(CFStringRef passcode) free(pin); return true; //weak password } + //check if PIN is a bunch of incrementing numbers + for(int i = 0; i < CFStringGetLength(passcode); i++){ + if(i == CFStringGetLength(passcode)-1){ + free(pin); + return true; + } + else if ((pin[i] + 1) == pin[i+1]) + continue; + else + break; + } + //check if PIN is a bunch of decrementing numbers + for(int i = 0; i < CFStringGetLength(passcode); i++){ + if(i == CFStringGetLength(passcode)-1){ + free(pin); + return true; + } + else if ((pin[i]) == (pin[i+1] +1)) + continue; + else if ((i == 0) && (pin[i] == '0') && (pin[i+1] == '9')) + continue; + else + break; + } + //not in this list for(CFIndex i = 0; i < blacklistLength; i++) { @@ -292,6 +317,8 @@ bool SecPasswordIsPasswordWeak(CFStringRef passcode) } else if ((pin[i]) == (pin[i+1] +1)) continue; + else if ((i == 0) && (pin[i] == '0') && (pin[i+1] == '9')) + continue; else break; } @@ -375,6 +402,8 @@ static bool SecPasswordIsPasscodeIncrementingOrDecrementingDigits(CFStringRef pa } else if ((pin[i]) == (pin[i+1] +1)) continue; + else if ((i == 0) && (pin[i] == '0') && (pin[i+1] == '9')) + continue; else break; } @@ -851,7 +880,6 @@ static CFDictionaryRef passwordGenerateCreateDefaultParametersDictionary(SecPass static CFDictionaryRef passwordGenerationCreateParametersDictionary(SecPasswordType type, CFDictionaryRef requirements) { CFMutableArrayRef requiredCharacterSets = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - CFArrayRef requiredCharactersArray = NULL; CFNumberRef numReqChars = NULL; CFIndex numberOfRequiredRandomCharacters; CFStringRef allowedCharacters = NULL, useDefaultPasswordFormat = NULL; 
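Review bot: The two new sequence loops in `SecPasswordIsPasswordWeak` treat wrap-around asymmetrically: the decrementing loop accepts `0` followed by `9` only at `i == 0`, so `0987` is flagged weak but `1098` is not, and the incrementing loop has no wrap case at all, so `1234` is weak while `9012` and `8901` pass as strong. Drop the `(i == 0)` condition and add the mirror case to the first loop: `else if ((pin[i] == '9') && (pin[i+1] == '0')) continue;`. The same loops appear to already exist further down in this function (the `-292` hunk edits one of them), so this block may be a duplicate rather than a new check; worth confirming which path each passcode length actually takes, since the header comment in this patch lists "decrementing digits (including 0987)" as a single rule.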
@@ -885,10 +913,11 @@ static CFDictionaryRef passwordGenerationCreateParametersDictionary(SecPasswordT allowedCharacters = CFSTR("0123456789"); CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet); - requiredCharactersArray = CFArrayCreateCopy(NULL, requiredCharacterSets); useDefaultPasswordFormat = CFSTR("false"); } else{ + CFArrayRef requiredCharactersArray = NULL; + if (minPasswordLength && minPasswordLength > defaultNumberOfRandomCharacters) { useDefaultPasswordFormat = CFSTR("false"); numberOfRequiredRandomCharacters = minPasswordLength; 
@@ -901,9 +930,26 @@ static CFDictionaryRef passwordGenerationCreateParametersDictionary(SecPasswordT useDefaultPasswordFormat = CFSTR("false"); numberOfRequiredRandomCharacters = maxPasswordLength; } - allowedCharacters = (CFStringRef)CFDictionaryGetValue(requirements, kSecPasswordAllowedCharactersKey); + allowedCharacters = (CFStringRef)CFRetainSafe(CFDictionaryGetValue(requirements, kSecPasswordAllowedCharactersKey)); requiredCharactersArray = (CFArrayRef)CFDictionaryGetValue(requirements, kSecPasswordRequiredCharactersKey); + + if (requiredCharactersArray) { + for (CFIndex i = 0; i < CFArrayGetCount(requiredCharactersArray); i++){ + CFCharacterSetRef stringWithRequiredCharacters = CFArrayGetValueAtIndex(requiredCharactersArray, i); + if(stringWithRequiredCharacters && CFStringFindCharacterFromSet(allowedCharacters, stringWithRequiredCharacters, CFRangeMake(0, CFStringGetLength(allowedCharacters)), 0, NULL)){ + CFArrayAppendValue(requiredCharacterSets, stringWithRequiredCharacters); + } + } + } else{ + uppercaseLetterCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetUppercaseLetter); + lowercaseLetterCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetLowercaseLetter); + decimalDigitCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetDecimalDigit); + CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet); + CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet); + CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet); + } } + if(!CFDictionaryGetValueIfPresent(requirements, kSecPasswordDisallowedCharacters, &prohibitedCharacters)) prohibitedCharacters = NULL; 
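Review bot: The required-character filter now runs against `allowedCharacters` immediately after it is read from `requirements`, before the `else allowedCharacters = CFRetainSafe(defaultCharacters);` fallback further down, so a requirements dictionary that supplies `kSecPasswordRequiredCharactersKey` without `kSecPasswordAllowedCharactersKey` reaches `CFStringGetLength(NULL)` — unless `isDictionaryFormattedProperly`, which I cannot see, rejects that combination first. The filter also now runs on the raw allowed set rather than the dash-stripped one used in the non-default format, so a required set containing `-` is no longer discarded there and may become unsatisfiable against the final allowed set. Resolving the default before the loop restores the old semantics: `if (allowedCharacters == NULL) allowedCharacters = CFRetainSafe(defaultCharacters);` just before `if (requiredCharactersArray) {`, assuming `defaultCharacters` is already in scope at that point as it is later in the function. The `CFRetainSafe` on the dictionary value, paired with the `CFReleaseNull` at the end, does fix the earlier ownership mismatch.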
@@ -935,32 +981,16 @@ static CFDictionaryRef passwordGenerationCreateParametersDictionary(SecPasswordT if( false == CFStringFindWithOptions(allowedCharacters, CFSTR("-"), CFRangeMake(0, CFStringGetLength(allowedCharacters)), kCFCompareCaseInsensitive, NULL)) useDefaultPasswordFormat = CFSTR("false"); } else - allowedCharacters = defaultCharacters; + allowedCharacters = CFRetainSafe(defaultCharacters); // In default password format, we use dashes only as separators, not as symbols you can encounter at a random position. if (useDefaultPasswordFormat == CFSTR("false")){ CFMutableStringRef mutatedAllowedCharacters = CFStringCreateMutableCopy(kCFAllocatorDefault, CFStringGetLength(allowedCharacters), allowedCharacters); CFStringFindAndReplace (mutatedAllowedCharacters, CFSTR("-"), CFSTR(""), CFRangeMake(0, CFStringGetLength(allowedCharacters)),kCFCompareCaseInsensitive); - allowedCharacters = CFStringCreateCopy(kCFAllocatorDefault, mutatedAllowedCharacters); + CFReleaseSafe(allowedCharacters); + allowedCharacters = mutatedAllowedCharacters; } - if (requiredCharactersArray) { - for (CFIndex i = 0; i < CFArrayGetCount(requiredCharactersArray); i++){ - CFCharacterSetRef stringWithRequiredCharacters = CFArrayGetValueAtIndex(requiredCharactersArray, i); - if(stringWithRequiredCharacters && CFStringFindCharacterFromSet(allowedCharacters, stringWithRequiredCharacters, CFRangeMake(0, CFStringGetLength(allowedCharacters)), 0, NULL)){ - CFArrayAppendValue(requiredCharacterSets, stringWithRequiredCharacters); - } - } - } else{ - uppercaseLetterCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetUppercaseLetter); - lowercaseLetterCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetLowercaseLetter); - decimalDigitCharacterSet = CFCharacterSetGetPredefined(kCFCharacterSetDecimalDigit); - CFArrayAppendValue(requiredCharacterSets, uppercaseLetterCharacterSet); - CFArrayAppendValue(requiredCharacterSets, lowercaseLetterCharacterSet); - 
CFArrayAppendValue(requiredCharacterSets, decimalDigitCharacterSet); - } - - if (CFArrayGetCount(requiredCharacterSets) > numberOfRequiredRandomCharacters) { CFReleaseNull(requiredCharacterSets); requiredCharacterSets = NULL; @@ -1009,7 +1039,7 @@ static CFDictionaryRef passwordGenerationCreateParametersDictionary(SecPasswordT CFReleaseNull(allowedCharacters); CFReleaseNull(requiredCharacterSets); - return CFDictionaryCreateCopy(kCFAllocatorDefault, updatedConstraints); + return updatedConstraints; } static bool isDictionaryFormattedProperly(SecPasswordType type, CFDictionaryRef passwordRequirements, CFErrorRef *error){ 
@@ -1289,16 +1319,22 @@ CF_RETURNS_RETAINED CFStringRef SecPasswordGenerate(SecPasswordType type, CFErro CFIndex i = 0; while( i != requiredCharactersSize){ if((i + (CFIndex)groupSize) < requiredCharactersSize){ - CFStringAppend(finalPassword, CFStringCreateWithSubstring(kCFAllocatorDefault, randomCharacters, CFRangeMake(i, (CFIndex)groupSize))); + CFStringRef subString = CFStringCreateWithSubstring(kCFAllocatorDefault, randomCharacters, CFRangeMake(i, (CFIndex)groupSize)); + CFStringAppend(finalPassword, subString); CFStringAppend(finalPassword, separator); + CFReleaseSafe(subString); i+=groupSize; } else if((i+(CFIndex)groupSize) == requiredCharactersSize){ - CFStringAppend(finalPassword, CFStringCreateWithSubstring(kCFAllocatorDefault, randomCharacters, CFRangeMake(i, (CFIndex)groupSize))); + CFStringRef subString = CFStringCreateWithSubstring(kCFAllocatorDefault, randomCharacters, CFRangeMake(i, (CFIndex)groupSize)); + CFStringAppend(finalPassword, subString); + CFReleaseSafe(subString); i+=groupSize; } else { - CFStringAppend(finalPassword, CFStringCreateWithSubstring(kCFAllocatorDefault, randomCharacters, CFRangeMake(i, requiredCharactersSize - i))); + CFStringRef subString = CFStringCreateWithSubstring(kCFAllocatorDefault, randomCharacters, CFRangeMake(i, requiredCharactersSize - i)); + CFStringAppend(finalPassword, subString); + CFReleaseSafe(subString); i+=(requiredCharactersSize - i); } } diff --git a/OSX/sec/Security/SecPasswordGenerate.h b/OSX/sec/Security/SecPasswordGenerate.h index 9ed90fd9..2310cf56 100644 --- a/OSX/sec/Security/SecPasswordGenerate.h +++ b/OSX/sec/Security/SecPasswordGenerate.h 
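Review bot: The three branches of the grouping loop in `SecPasswordGenerate` are now near-identical copies that differ only in the substring length and whether a separator follows, which is how the original leak came to be replicated three times; the leak fix itself is correct. Computing the chunk length once and appending the separator only when the loop has not reached the end collapses them to a single create/append/release sequence with byte-identical output. The enclosing function starts and ends outside this hunk.
```c
    while( i != requiredCharactersSize){
        // Take a full group unless fewer than groupSize characters remain.
        CFIndex chunk = ((i + (CFIndex)groupSize) < requiredCharactersSize) ? (CFIndex)groupSize : requiredCharactersSize - i;
        CFStringRef subString = CFStringCreateWithSubstring(kCFAllocatorDefault, randomCharacters, CFRangeMake(i, chunk));
        CFStringAppend(finalPassword, subString);
        CFReleaseSafe(subString);
        i += chunk;
        // Separators go between groups only, never after the last one.
        if (i < requiredCharactersSize) {
            CFStringAppend(finalPassword, separator);
        }
    }
```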
@@ -111,6 +111,13 @@ bool SecPasswordIsPasswordWeak(CFStringRef passcode) @function SecPasswordIsPasswordWeak2 @abstract Evalutes the weakness of a passcode. This function can take any type of passcode. Currently the function evaluates passcodes with only ASCII characters + ***conditions in which a passcode will be evaluated as weak*** + * all repeating characters + * repeating 2 digits + * is found in the black list of the top 10 most commonly used passcodes + * incrementing digits + * decrementing digits (including 0987) + * low enough levels of entropy (complex passcodes) @param passcode a string of any length and type (4 or 6 digit PIN, complex passcode) @param isSimple is to indicate whether we're evaluating a 4 or 6 digit PIN or a complex passcode @result True if the password is weak, False if the password is strong. diff --git a/OSX/sec/Security/SecPolicy.c b/OSX/sec/Security/SecPolicy.c index a552287b..339c029d 100644 --- a/OSX/sec/Security/SecPolicy.c +++ b/OSX/sec/Security/SecPolicy.c @@ -38,6 +38,7 @@ #include <CoreFoundation/CFTimeZone.h> #include <Security/SecCertificateInternal.h> #include <Security/SecCertificatePriv.h> +#include <Security/SecItem.h> #include <libDER/oidsPriv.h> #include <utilities/SecCFError.h> #include <utilities/SecCFWrappers.h> 
@@ -107,14 +108,16 @@ SEC_CONST_DECL (kSecPolicyCheckLeafBasicConstraints, "LeafBasicContraints"); ********************************************************/ SEC_CONST_DECL (kSecPolicyCheckKeyUsage, "KeyUsage"); /* (rfc5280 check) */ SEC_CONST_DECL (kSecPolicyCheckExtendedKeyUsage, "ExtendedKeyUsage"); /* (rfc5280 check) */ -SEC_CONST_DECL (kSecPolicyCheckBasicContraints, "BasicContraints"); /* (rfc5280 check) */ +SEC_CONST_DECL (kSecPolicyCheckBasicConstraints, "BasicConstraints"); /* (rfc5280 check) */ SEC_CONST_DECL (kSecPolicyCheckQualifiedCertStatements, "QualifiedCertStatements"); /* (rfc5280 check) */ SEC_CONST_DECL (kSecPolicyCheckIntermediateSPKISHA256, "IntermediateSPKISHA256") +SEC_CONST_DECL (kSecPolicyCheckIntermediateEKU, "IntermediateEKU") /******************************************************** ************** Unverified Anchor Checks **************** ********************************************************/ SEC_CONST_DECL (kSecPolicyCheckAnchorSHA1, "AnchorSHA1"); +SEC_CONST_DECL (kSecPolicyCheckAnchorSHA256, "AnchorSHA256"); /* Fake key for isAnchored check. */ SEC_CONST_DECL (kSecPolicyCheckAnchorTrusted, "AnchorTrusted"); @@ -124,7 +127,6 @@ SEC_CONST_DECL (kSecPolicyCheckAnchorApple, "AnchorApple"); /* options for kSecPolicyCheckAnchorApple */ SEC_CONST_DECL (kSecPolicyAppleAnchorIncludeTestRoots, "AnchorAppleTestRoots"); -SEC_CONST_DECL (kSecPolicyAppleAnchorAllowTestRootsOnProduction, "AnchorAppleTestRootsOnProduction"); /******************************************************** *********** Unverified Certificate Checks ************** @@ -142,6 +144,8 @@ SEC_CONST_DECL (kSecPolicyCheckValidRoot, "ValidRoot"); SEC_CONST_DECL (kSecPolicyCheckWeakIntermediates, "WeakIntermediates"); SEC_CONST_DECL (kSecPolicyCheckWeakLeaf, "WeakLeaf"); SEC_CONST_DECL (kSecPolicyCheckWeakRoot, "WeakRoot"); +SEC_CONST_DECL (kSecPolicyCheckKeySize, "KeySize"); +SEC_CONST_DECL (kSecPolicyCheckSignatureHashAlgorithms, "SignatureHashAlgorithms"); #endif 
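Review bot: Renaming `kSecPolicyCheckBasicContraints` also changes the runtime key it expands to, from `"BasicContraints"` to `"BasicConstraints"`, and these `SEC_CONST_DECL` strings are the keys policy dictionaries are built from, so anything still carrying the misspelled key — a serialized policy, a test fixture, or out-of-tree code using the literal — silently stops selecting this check rather than failing loudly. If such consumers exist (the policy evaluator is not visible from here), keep a compatibility alias or accept both spellings for a release; if none do, a comment beside the declaration noting the key rename is enough. Separately, the new `kSecPolicyCheckIntermediateEKU` line follows the `IntermediateSPKISHA256` line in omitting the trailing `;` while the rest of the file includes it; if this file's macro matches the local definition removed from SecOTRFullIdentity.c earlier in this patch, which emits the `;` itself, the trailing ones are empty declarations, so pick one form.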
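Review bot: Deleting `kSecPolicyAppleAnchorAllowTestRootsOnProduction` removes an exported data symbol from a non-static `SEC_CONST_DECL`, so a binary that still references it fails at load time rather than at compile time, and the hunk does not say whether the option was merely unused or whether accepting test roots on production builds was withdrawn on purpose — the latter is the security-relevant part. A one-line comment in its place, `// kSecPolicyAppleAnchorAllowTestRootsOnProduction removed: test roots are never accepted on production builds`, would record the intent, if that is the intent; I cannot confirm it from this hunk.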
@@ -168,6 +172,9 @@ SEC_CONST_DECL (kSecPolicyCheckBasicCertificateProcessing, "BasicCertificateProc SEC_CONST_DECL (kSecPolicyCheckExtendedValidation, "ExtendedValidation"); SEC_CONST_DECL (kSecPolicyCheckRevocation, "Revocation"); SEC_CONST_DECL (kSecPolicyCheckRevocationResponseRequired, "RevocationResponseRequired"); +SEC_CONST_DECL (kSecPolicyCheckRevocationOCSP, "OCSP"); +SEC_CONST_DECL (kSecPolicyCheckRevocationCRL, "CRL"); +SEC_CONST_DECL (kSecPolicyCheckRevocationAny, "AnyRevocationMethod"); /* Check Certificate Transparency if specified. */ SEC_CONST_DECL (kSecPolicyCheckCertificateTransparency, "CertificateTransparency"); @@ -183,8 +190,11 @@ SEC_CONST_DECL (kSecPolicyCheckGrayListedKey, "GrayListedKey"); SEC_CONST_DECL (kSecPolicyCheckBlackListedKey, "BlackListedKey"); SEC_CONST_DECL (kSecPolicyCheckLeafMarkerOid, "CheckLeafMarkerOid"); +SEC_CONST_DECL (kSecPolicyCheckLeafMarkerOidWithoutValueCheck, "CheckLeafMarkerOidNoValueCheck"); SEC_CONST_DECL (kSecPolicyCheckIntermediateMarkerOid, "CheckIntermediateMarkerOid"); +SEC_CONST_DECL (kSecPolicyCheckUsageConstraints, "UsageConstraints"); + /* Public policy names. */ SEC_CONST_DECL (kSecPolicyAppleX509Basic, "1.2.840.113635.100.1.2"); SEC_CONST_DECL (kSecPolicyAppleSSL, "1.2.840.113635.100.1.3"); 
@@ -208,82 +218,143 @@ SEC_CONST_DECL (kSecPolicyAppleQAProfileSigner, "1.2.840.113635.100.1.26");
SEC_CONST_DECL (kSecPolicyAppleTestMobileStore, "1.2.840.113635.100.1.27");
SEC_CONST_DECL (kSecPolicyAppleOTAPKISigner, "1.2.840.113635.100.1.28");
SEC_CONST_DECL (kSecPolicyAppleTestOTAPKISigner, "1.2.840.113635.100.1.29");
-/* FIXME: this policy name should be deprecated and replaced with "kSecPolicyAppleIDValidationRecordSigning" */
-SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113625.100.1.30");
-SEC_CONST_DECL (kSecPolicyAppleSMPEncryption, "1.2.840.113625.100.1.31");
-SEC_CONST_DECL (kSecPolicyAppleTestSMPEncryption, "1.2.840.113625.100.1.32");
+SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113635.100.1.30");
+SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigning, "1.2.840.113635.100.1.30");
+SEC_CONST_DECL (kSecPolicyAppleSMPEncryption, "1.2.840.113635.100.1.31");
+SEC_CONST_DECL (kSecPolicyAppleTestSMPEncryption, "1.2.840.113635.100.1.32");
SEC_CONST_DECL (kSecPolicyAppleServerAuthentication, "1.2.840.113635.100.1.33");
SEC_CONST_DECL (kSecPolicyApplePCSEscrowService, "1.2.840.113635.100.1.34");
-SEC_CONST_DECL (kSecPolicyApplePPQSigning, "1.2.840.113625.100.1.35");
-SEC_CONST_DECL (kSecPolicyAppleTestPPQSigning, "1.2.840.113625.100.1.36");
-SEC_CONST_DECL (kSecPolicyAppleATVAppSigning, "1.2.840.113625.100.1.37");
-SEC_CONST_DECL (kSecPolicyAppleTestATVAppSigning, "1.2.840.113625.100.1.38");
-SEC_CONST_DECL (kSecPolicyApplePayIssuerEncryption, "1.2.840.113625.100.1.39");
-SEC_CONST_DECL (kSecPolicyAppleOSXProvisioningProfileSigning, "1.2.840.113625.100.1.40");
-SEC_CONST_DECL (kSecPolicyAppleATVVPNProfileSigning, "1.2.840.113625.100.1.41");
-SEC_CONST_DECL (kSecPolicyAppleAST2DiagnosticsServerAuth, "1.2.840.113625.100.1.42");
+SEC_CONST_DECL (kSecPolicyApplePPQSigning, "1.2.840.113635.100.1.35");
+SEC_CONST_DECL (kSecPolicyAppleTestPPQSigning, "1.2.840.113635.100.1.36");
+// Not in use.
Use kSecPolicyAppleTVOSApplicationSigning instead.
+// SEC_CONST_DECL (kSecPolicyAppleATVAppSigning, "1.2.840.113635.100.1.37");
+// SEC_CONST_DECL (kSecPolicyAppleTestATVAppSigning, "1.2.840.113635.100.1.38");
+SEC_CONST_DECL (kSecPolicyApplePayIssuerEncryption, "1.2.840.113635.100.1.39");
+SEC_CONST_DECL (kSecPolicyAppleOSXProvisioningProfileSigning, "1.2.840.113635.100.1.40");
+SEC_CONST_DECL (kSecPolicyAppleATVVPNProfileSigning, "1.2.840.113635.100.1.41");
+SEC_CONST_DECL (kSecPolicyAppleAST2DiagnosticsServerAuth, "1.2.840.113635.100.1.42");
+SEC_CONST_DECL (kSecPolicyAppleEscrowProxyServerAuth, "1.2.840.113635.100.1.43");
+SEC_CONST_DECL (kSecPolicyAppleFMiPServerAuth, "1.2.840.113635.100.1.44");
+SEC_CONST_DECL (kSecPolicyAppleMMCSService, "1.2.840.113635.100.1.45");
+SEC_CONST_DECL (kSecPolicyAppleGSService, "1.2.840.113635.100.1.46");
+SEC_CONST_DECL (kSecPolicyApplePPQService, "1.2.840.113635.100.1.47");
+SEC_CONST_DECL (kSecPolicyAppleHomeKitServerAuth, "1.2.840.113635.100.1.48");
+SEC_CONST_DECL (kSecPolicyAppleiPhoneActivation, "1.2.840.113635.100.1.49");
+SEC_CONST_DECL (kSecPolicyAppleiPhoneDeviceCertificate, "1.2.840.113635.100.1.50");
+SEC_CONST_DECL (kSecPolicyAppleFactoryDeviceCertificate, "1.2.840.113635.100.1.51");
+SEC_CONST_DECL (kSecPolicyAppleiAP, "1.2.840.113635.100.1.52");
+SEC_CONST_DECL (kSecPolicyAppleiTunesStoreURLBag, "1.2.840.113635.100.1.53");
+SEC_CONST_DECL (kSecPolicyAppleiPhoneApplicationSigning, "1.2.840.113635.100.1.54");
+SEC_CONST_DECL (kSecPolicyAppleiPhoneProfileApplicationSigning, "1.2.840.113635.100.1.55");
+SEC_CONST_DECL (kSecPolicyAppleiPhoneProvisioningProfileSigning, "1.2.840.113635.100.1.56");
+SEC_CONST_DECL (kSecPolicyAppleLockdownPairing, "1.2.840.113635.100.1.57");
+SEC_CONST_DECL (kSecPolicyAppleURLBag, "1.2.840.113635.100.1.58");
+SEC_CONST_DECL (kSecPolicyAppleOTATasking, "1.2.840.113635.100.1.59");
+SEC_CONST_DECL (kSecPolicyAppleMobileAsset, "1.2.840.113635.100.1.60");
+SEC_CONST_DECL
(kSecPolicyAppleIDAuthority, "1.2.840.113635.100.1.61");
+SEC_CONST_DECL (kSecPolicyAppleGenericApplePinned, "1.2.840.113635.100.1.62");
+SEC_CONST_DECL (kSecPolicyAppleGenericAppleSSLPinned, "1.2.840.113635.100.1.63");
+SEC_CONST_DECL (kSecPolicyAppleSoftwareSigning, "1.2.840.113635.100.1.64");
+SEC_CONST_DECL (kSecPolicyAppleExternalDeveloper, "1.2.840.113635.100.1.65");
+SEC_CONST_DECL (kSecPolicyAppleOCSPSigner, "1.2.840.113635.100.1.66");
+SEC_CONST_DECL (kSecPolicyAppleIDSService, "1.2.840.113635.100.1.67");
+SEC_CONST_DECL (kSecPolicyAppleIDSServiceContext, "1.2.840.113635.100.1.68");
+SEC_CONST_DECL (kSecPolicyApplePushService, "1.2.840.113635.100.1.69");
+SEC_CONST_DECL (kSecPolicyAppleLegacyPushService, "1.2.840.113635.100.1.70");
+SEC_CONST_DECL (kSecPolicyAppleTVOSApplicationSigning, "1.2.840.113635.100.1.71");
+SEC_CONST_DECL (kSecPolicyAppleUniqueDeviceIdentifierCertificate, "1.2.840.113635.100.1.72");
+SEC_CONST_DECL (kSecPolicyAppleEscrowProxyCompatibilityServerAuth, "1.2.840.113635.100.1.73");
+SEC_CONST_DECL (kSecPolicyAppleMMCSCompatibilityServerAuth, "1.2.840.113635.100.1.74");
SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid");
SEC_CONST_DECL (kSecPolicyName, "SecPolicyName");
SEC_CONST_DECL (kSecPolicyClient, "SecPolicyClient");
SEC_CONST_DECL (kSecPolicyRevocationFlags, "SecPolicyRevocationFlags");
SEC_CONST_DECL (kSecPolicyTeamIdentifier, "SecPolicyTeamIdentifier");
+SEC_CONST_DECL (kSecPolicyContext, "SecPolicyContext");
+SEC_CONST_DECL (kSecPolicyPolicyName, "SecPolicyPolicyName");
+SEC_CONST_DECL (kSecPolicyIntermediateMarkerOid, "SecPolicyIntermediateMarkerOid");
+SEC_CONST_DECL (kSecPolicyLeafMarkerOid, "SecPolicyLeafMarkerOid");
+SEC_CONST_DECL (kSecPolicyRootDigest, "SecPolicyRootDigest");
+
+SEC_CONST_DECL (kSecPolicyKU_DigitalSignature, "CE_KU_DigitalSignature");
+SEC_CONST_DECL (kSecPolicyKU_NonRepudiation, "CE_KU_NonRepudiation");
+SEC_CONST_DECL (kSecPolicyKU_KeyEncipherment, "CE_KU_KeyEncipherment");
+SEC_CONST_DECL
(kSecPolicyKU_DataEncipherment, "CE_KU_DataEncipherment");
+SEC_CONST_DECL (kSecPolicyKU_KeyAgreement, "CE_KU_KeyAgreement");
+SEC_CONST_DECL (kSecPolicyKU_KeyCertSign, "CE_KU_KeyCertSign");
+SEC_CONST_DECL (kSecPolicyKU_CRLSign, "CE_KU_CRLSign");
+SEC_CONST_DECL (kSecPolicyKU_EncipherOnly, "CE_KU_EncipherOnly");
+SEC_CONST_DECL (kSecPolicyKU_DecipherOnly, "CE_KU_DecipherOnly");
/* Private policy names */
-static CFStringRef kSecPolicyOIDBasicX509 = CFSTR("basicX509");
-static CFStringRef kSecPolicyOIDSSLServer = CFSTR("sslServer");
-static CFStringRef kSecPolicyOIDSSLClient = CFSTR("sslClient");
-static CFStringRef kSecPolicyOIDiPhoneActivation = CFSTR("iPhoneActivation");
-static CFStringRef kSecPolicyOIDiPhoneDeviceCertificate =
+static CFStringRef kSecPolicyNameBasicX509 = CFSTR("basicX509");
+static CFStringRef kSecPolicyNameSSLServer = CFSTR("sslServer");
+static CFStringRef kSecPolicyNameSSLClient = CFSTR("sslClient");
+static CFStringRef kSecPolicyNameiPhoneActivation = CFSTR("iPhoneActivation");
+static CFStringRef kSecPolicyNameiPhoneDeviceCertificate =
CFSTR("iPhoneDeviceCertificate");
-static CFStringRef kSecPolicyOIDFactoryDeviceCertificate =
+static CFStringRef kSecPolicyNameFactoryDeviceCertificate =
CFSTR("FactoryDeviceCertificate");
-static CFStringRef kSecPolicyOIDiAP = CFSTR("iAP");
-static CFStringRef kSecPolicyOIDiTunesStoreURLBag = CFSTR("iTunesStoreURLBag");
-static CFStringRef kSecPolicyOIDEAPServer = CFSTR("eapServer");
-static CFStringRef kSecPolicyOIDEAPClient = CFSTR("eapClient");
-static CFStringRef kSecPolicyOIDIPSecServer = CFSTR("ipsecServer");
-static CFStringRef kSecPolicyOIDIPSecClient = CFSTR("ipsecClient");
-static CFStringRef kSecPolicyOIDiPhoneApplicationSigning =
+static CFStringRef kSecPolicyNameiAP = CFSTR("iAP");
+static CFStringRef kSecPolicyNameiTunesStoreURLBag = CFSTR("iTunesStoreURLBag");
+static CFStringRef kSecPolicyNameEAPServer = CFSTR("eapServer");
+static CFStringRef kSecPolicyNameEAPClient = CFSTR("eapClient");
+static CFStringRef kSecPolicyNameIPSecServer = CFSTR("ipsecServer");
+static CFStringRef kSecPolicyNameIPSecClient = CFSTR("ipsecClient");
+static CFStringRef kSecPolicyNameiPhoneApplicationSigning =
CFSTR("iPhoneApplicationSigning");
-static CFStringRef kSecPolicyOIDiPhoneProfileApplicationSigning =
+static CFStringRef kSecPolicyNameiPhoneProfileApplicationSigning =
CFSTR("iPhoneProfileApplicationSigning");
-static CFStringRef kSecPolicyOIDiPhoneProvisioningProfileSigning =
+static CFStringRef kSecPolicyNameiPhoneProvisioningProfileSigning =
CFSTR("iPhoneProvisioningProfileSigning");
-static CFStringRef kSecPolicyOIDAppleSWUpdateSigning = CFSTR("AppleSWUpdateSigning");
-static CFStringRef kSecPolicyOIDAppleTVOSApplicationSigning =
+static CFStringRef kSecPolicyNameAppleSWUpdateSigning = CFSTR("AppleSWUpdateSigning");
+static CFStringRef kSecPolicyNameAppleTVOSApplicationSigning =
CFSTR("AppleTVApplicationSigning");
-static CFStringRef kSecPolicyOIDRevocation = CFSTR("revocation");
-static CFStringRef kSecPolicyOIDOCSPSigner = CFSTR("OCSPSigner");
-static CFStringRef kSecPolicyOIDSMIME = CFSTR("SMIME");
-static CFStringRef kSecPolicyOIDCodeSigning = CFSTR("CodeSigning");
-static CFStringRef kSecPolicyOIDPackageSigning = CFSTR("PackageSigning");
-static CFStringRef kSecPolicyOIDLockdownPairing = CFSTR("LockdownPairing");
-static CFStringRef kSecPolicyOIDURLBag = CFSTR("URLBag");
-static CFStringRef kSecPolicyOIDOTATasking = CFSTR("OTATasking");
-static CFStringRef kSecPolicyOIDMobileAsset = CFSTR("MobileAsset");
-static CFStringRef kSecPolicyOIDAppleIDAuthority = CFSTR("AppleIDAuthority");
-static CFStringRef kSecPolicyOIDMacAppStoreReceipt = CFSTR("MacAppStoreReceipt");
-static CFStringRef kSecPolicyOIDAppleTimeStamping = CFSTR("AppleTimeStamping");
-static CFStringRef kSecPolicyOIDApplePassbook = CFSTR("ApplePassbook");
-static CFStringRef kSecPolicyOIDAppleMobileStore = CFSTR("AppleMobileStore");
-static CFStringRef kSecPolicyOIDAppleTestMobileStore =
CFSTR("AppleTestMobileStore");
-static CFStringRef kSecPolicyOIDAppleEscrowService = CFSTR("AppleEscrowService");
-static CFStringRef kSecPolicyOIDApplePCSEscrowService = CFSTR("ApplePCSEscrowService");
-static CFStringRef kSecPolicyOIDAppleProfileSigner = CFSTR("AppleProfileSigner");
-static CFStringRef kSecPolicyOIDAppleQAProfileSigner = CFSTR("AppleQAProfileSigner");
-static CFStringRef kSecPolicyOIDAppleOTAPKIAssetSigner = CFSTR("AppleOTAPKIAssetSigner");
-static CFStringRef kSecPolicyOIDAppleTestOTAPKIAssetSigner = CFSTR("AppleTestOTAPKIAssetSigner");
-static CFStringRef kSecPolicyOIDAppleIDValidationRecordSigningPolicy = CFSTR("AppleIDValidationRecordSigningPolicy");
-#if TARGET_OS_EMBEDDED
-static CFStringRef kSecPolicyOIDAppleATVAppSigning = CFSTR("AppleATVAppSigning");
-static CFStringRef kSecPolicyOIDAppleTestATVAppSigning = CFSTR("AppleTestATVAppSigning");
-#endif
-static CFStringRef kSecPolicyOIDApplePayIssuerEncryption = CFSTR("ApplePayIssuerEncryption");
-static CFStringRef kSecPolicyOIDAppleOSXProvisioningProfileSigning = CFSTR("AppleOSXProvisioningProfileSigning");
-static CFStringRef kSecPolicyOIDAppleATVVPNProfileSigning = CFSTR("AppleATVVPNProfileSigning");
-static CFStringRef kSecPolicyOIDAppleAST2Service = CFSTR("AST2Service");
-static CFStringRef kSecPolicyOIDAppleHomeKitServerAuth = CFSTR("HomeKitServerAuth");
+static CFStringRef kSecPolicyNameRevocation = CFSTR("revocation");
+static CFStringRef kSecPolicyNameOCSPSigner = CFSTR("OCSPSigner");
+static CFStringRef kSecPolicyNameSMIME = CFSTR("SMIME");
+static CFStringRef kSecPolicyNameCodeSigning = CFSTR("CodeSigning");
+static CFStringRef kSecPolicyNamePackageSigning = CFSTR("PackageSigning");
+static CFStringRef kSecPolicyNameLockdownPairing = CFSTR("LockdownPairing");
+static CFStringRef kSecPolicyNameURLBag = CFSTR("URLBag");
+static CFStringRef kSecPolicyNameOTATasking = CFSTR("OTATasking");
+static CFStringRef kSecPolicyNameMobileAsset = CFSTR("MobileAsset");
+static CFStringRef
kSecPolicyNameAppleIDAuthority = CFSTR("AppleIDAuthority");
+static CFStringRef kSecPolicyNameMacAppStoreReceipt = CFSTR("MacAppStoreReceipt");
+static CFStringRef kSecPolicyNameAppleTimeStamping = CFSTR("AppleTimeStamping");
+static CFStringRef kSecPolicyNameApplePassbook = CFSTR("ApplePassbook");
+static CFStringRef kSecPolicyNameAppleMobileStore = CFSTR("AppleMobileStore");
+static CFStringRef kSecPolicyNameAppleTestMobileStore = CFSTR("AppleTestMobileStore");
+static CFStringRef kSecPolicyNameAppleEscrowService = CFSTR("AppleEscrowService");
+static CFStringRef kSecPolicyNameApplePCSEscrowService = CFSTR("ApplePCSEscrowService");
+static CFStringRef kSecPolicyNameAppleProfileSigner = CFSTR("AppleProfileSigner");
+static CFStringRef kSecPolicyNameAppleQAProfileSigner = CFSTR("AppleQAProfileSigner");
+static CFStringRef kSecPolicyNameAppleOTAPKIAssetSigner = CFSTR("AppleOTAPKIAssetSigner");
+static CFStringRef kSecPolicyNameAppleTestOTAPKIAssetSigner = CFSTR("AppleTestOTAPKIAssetSigner");
+static CFStringRef kSecPolicyNameAppleIDValidationRecordSigningPolicy = CFSTR("AppleIDValidationRecordSigningPolicy");
+static CFStringRef kSecPolicyNameApplePayIssuerEncryption = CFSTR("ApplePayIssuerEncryption");
+static CFStringRef kSecPolicyNameAppleOSXProvisioningProfileSigning = CFSTR("AppleOSXProvisioningProfileSigning");
+static CFStringRef kSecPolicyNameAppleATVVPNProfileSigning = CFSTR("AppleATVVPNProfileSigning");
+static CFStringRef kSecPolicyNameAppleAST2Service = CFSTR("AST2");
+static CFStringRef kSecPolicyNameAppleEscrowProxyService = CFSTR("Escrow");
+static CFStringRef kSecPolicyNameAppleFMiPService = CFSTR("FMiP");
+static CFStringRef kSecPolicyNameAppleHomeKitServerAuth = CFSTR("HomeKit");
+static CFStringRef kSecPolicyNameAppleExternalDeveloper = CFSTR("Developer");
+static CFStringRef kSecPolicyNameAppleSoftwareSigning = CFSTR("SoftwareSigning");
+static CFStringRef kSecPolicyNameAppleSMPEncryption = CFSTR("AppleSMPEncryption");
+static CFStringRef
kSecPolicyNameAppleTestSMPEncryption = CFSTR("AppleTestSMPEncryption");
+static CFStringRef kSecPolicyNameApplePPQSigning = CFSTR("ApplePPQSigning");
+static CFStringRef kSecPolicyNameAppleTestPPQSigning = CFSTR("AppleTestPPQSigning");
+static CFStringRef kSecPolicyNameAppleLegacyPushService = CFSTR("AppleLegacyPushService");
+static CFStringRef kSecPolicyNameAppleSSLService = CFSTR("AppleSSLService");
+static CFStringRef kSecPolicyNameApplePushService = CFSTR("APN");
+static CFStringRef kSecPolicyNameAppleIDSServiceContext = CFSTR("IDS");
+static CFStringRef kSecPolicyNameAppleGSService = CFSTR("GS");
+static CFStringRef kSecPolicyNameAppleMMCSService = CFSTR("MMCS");
+static CFStringRef kSecPolicyNameApplePPQService = CFSTR("PPQ");
+static CFStringRef kSecPolicyNameAppleUniqueDeviceCertificate = CFSTR("UCRT");
+
/* Policies will now change to multiple categories of checks.
@@ -426,7 +497,7 @@ check_policy(builder, chain, policy, check_class, details, depth) {
#define kSecPolicySHA1Size 20
#define kSecPolicySHA256Size 32
-const UInt8 kAppleCASHA1[kSecPolicySHA1Size] = {
+__unused const UInt8 kAppleCASHA1[kSecPolicySHA1Size] = {
0x61, 0x1E, 0x5B, 0x66, 0x2C, 0x59, 0x3A, 0x08, 0xFF, 0x58, 0xD1, 0x4A, 0xE2, 0x24, 0x52, 0xD1, 0x98, 0xDF, 0x6C, 0x60 };
@@ -461,7 +532,7 @@ static const UInt8 kTestAppleRootCA_ECC_SHA1[kSecPolicySHA1Size] = {
0x83, 0xBE, 0xDB, 0xF9, 0xA1, 0xBD, 0x5F, 0xFE, 0x55, 0x7B };
-static const UInt8 kAppleRootCA_ECC_SHA1[kSecPolicySHA1Size] = {
+__unused static const UInt8 kAppleRootCA_ECC_SHA1[kSecPolicySHA1Size] = {
0xB5, 0x2C, 0xB0, 0x2F, 0xD5, 0x67, 0xE0, 0x35, 0x9F, 0xE8, 0xFA, 0x4D, 0x4C, 0x41, 0x03, 0x79, 0x70, 0xFE, 0x01, 0xB0 };
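Review bot: kSecPolicyAppleIDValidationRecordSigningPolicy and kSecPolicyAppleIDValidationRecordSigning are both declared with the identical OID string "1.2.840.113635.100.1.30" near the top of the hunk, and the FIXME that explained the old name was to be retired is removed, so the alias is now undocumented; add a comment on the first, e.g. `/* Deprecated alias of kSecPolicyAppleIDValidationRecordSigning; both resolve to the same OID. */`. The 113625 to 113635 correction changes the string values of public policy constants (.30 through .42), so anything that persisted or compared the old strings stops matching, which should be stated in a comment or the commit message since the code alone does not show it. The two commented-out SEC_CONST_DECL lines for the ATV app-signing OIDs are dead code already covered by the "Not in use" comment and can go. In the two small hunks at the end, `__unused` on the non-static kAppleCASHA1 definition only silences the warning; if nothing references it any more it should presumably become static or be removed rather than stay exported.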
@@ -475,20 +546,30 @@ static const UInt8 kAppleRootCA_ECC_SHA1[kSecPolicySHA1Size] = {
static void SecPolicyDestroy(CFTypeRef cf) {
SecPolicyRef policy = (SecPolicyRef) cf;
CFRelease(policy->_oid);
+ CFReleaseSafe(policy->_name);
CFRelease(policy->_options);
}
static Boolean SecPolicyCompare(CFTypeRef cf1, CFTypeRef cf2) {
SecPolicyRef policy1 = (SecPolicyRef) cf1;
SecPolicyRef policy2 = (SecPolicyRef) cf2;
- return CFEqual(policy1->_oid, policy2->_oid) &&
- CFEqual(policy1->_options, policy2->_options);
+ if (policy1->_name && policy2->_name) {
+ return CFEqual(policy1->_oid, policy2->_oid) &&
+ CFEqual(policy1->_name, policy2->_name) &&
+ CFEqual(policy1->_options, policy2->_options);
+ } else {
+ return CFEqual(policy1->_oid, policy2->_oid) &&
+ CFEqual(policy1->_options, policy2->_options);
+ }
}
static CFHashCode SecPolicyHash(CFTypeRef cf) {
SecPolicyRef policy = (SecPolicyRef) cf;
-
- return CFHash(policy->_oid) + CFHash(policy->_options);
+ if (policy->_name) {
+ return CFHash(policy->_oid) + CFHash(policy->_name) + CFHash(policy->_options);
+ } else {
+ return CFHash(policy->_oid) + CFHash(policy->_options);
+ }
}
static CFStringRef SecPolicyCopyFormatDescription(CFTypeRef cf, CFDictionaryRef formatOptions) {
@@ -496,8 +577,9 @@ static CFStringRef SecPolicyCopyFormatDescription(CFTypeRef cf, CFDictionaryRef
CFMutableStringRef desc = CFStringCreateMutable(kCFAllocatorDefault, 0);
CFStringRef typeStr = CFCopyTypeIDDescription(CFGetTypeID(cf));
CFStringAppendFormat(desc, NULL,
- CFSTR("<%@: oid: %@ options %@"), typeStr,
- policy->_oid, policy->_options);
+ CFSTR("<%@: oid: %@ name: %@ options %@"), typeStr,
+ policy->_oid, (policy->_name) ? policy->_name : CFSTR(""),
+ policy->_options);
CFRelease(typeStr);
CFStringAppend(desc, CFSTR(" >"));
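Review bot: SecPolicyCompare and SecPolicyHash in the first hunk disagree when exactly one of the two policies carries a `_name`: Compare takes the else branch and can return true on matching oid and options, while Hash folds `CFHash(policy->_name)` into only one of the two values, so objects that compare equal no longer hash equally and CF collections keyed by policies can misbehave. Treat a name-presence mismatch as inequality before the existing branches: `if ((policy1->_name == NULL) != (policy2->_name == NULL)) return false;`. With that guard in place the two branches of Compare could collapse into one expression, but the one-line guard is the minimal fix.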
@@ -511,7 +593,7 @@ CFGiblisWithHashFor(SecPolicy);
oid (ok) is a caller provided string, only its cf type has been checked.
options is a caller provided dictionary, only its cf type has been checked. */
-SecPolicyRef SecPolicyCreate(CFStringRef oid, CFDictionaryRef options) {
+SecPolicyRef SecPolicyCreate(CFStringRef oid, CFStringRef name, CFDictionaryRef options) {
SecPolicyRef result = NULL;
require(oid, errOut);
@@ -523,6 +605,8 @@ SecPolicyRef SecPolicyCreate(CFStringRef oid, CFDictionaryRef options) {
CFRetain(oid);
result->_oid = oid;
+ CFRetainSafe(name);
+ result->_name = name;
CFRetain(options);
result->_options = options;
@@ -538,9 +622,12 @@ SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
// Returns NULL if the given identifier is unsupported.
SecPolicyRef policy = NULL;
- CFStringRef name = NULL;
+ CFTypeRef name = NULL;
CFStringRef teamID = NULL;
Boolean client = false;
+ CFDictionaryRef context = NULL;
+ CFStringRef policyName = NULL, intermediateMarkerOid = NULL, leafMarkerOid = NULL;
+ CFDataRef rootDigest = NULL;
require(policyIdentifier && (CFStringGetTypeID() == CFGetTypeID(policyIdentifier)), errOut);
if (properties) {
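Review bot: SecPolicyCreate gains a `name` parameter in the first hunk, but the comment block directly above it (the `oid (ok) is a caller provided string ...` lines) still documents only oid and options; add a matching line, e.g. `name (optional) is a caller provided string or NULL; it is retained, not copied.` The third hunk widens `name` in SecPolicyCreateWithProperties from CFStringRef to CFTypeRef, which is what later lets the EAP branch accept an array; a short comment on that declaration, e.g. `/* string, or an array of strings for the EAP policy; validated per policy below */`, would save the next reader a search. Both functions continue past their hunks.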
@@ -550,96 +637,102 @@ SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
CFBooleanRef dictionaryClientValue;
client = (CFDictionaryGetValueIfPresent(properties, kSecPolicyClient, (const void **)&dictionaryClientValue) && (dictionaryClientValue != NULL) && CFEqual(kCFBooleanTrue, dictionaryClientValue));
+ context = CFDictionaryGetValue(properties, kSecPolicyContext);
+ policyName = CFDictionaryGetValue(properties, kSecPolicyPolicyName);
+ intermediateMarkerOid = CFDictionaryGetValue(properties, kSecPolicyIntermediateMarkerOid);
+ leafMarkerOid = CFDictionaryGetValue(properties, kSecPolicyLeafMarkerOid);
+ rootDigest = CFDictionaryGetValue(properties, kSecPolicyRootDigest);
}
+ /* only the EAP policy allows a non-string name */
+ if (name && !isString(name) && !CFEqual(policyIdentifier, kSecPolicyAppleEAP)) {
+ secerror("policy \"%@\" requires a string value for the %@ key", policyIdentifier, kSecPolicyName);
+ goto errOut;
+ }
+
+ /* These are in the same order as the constant declarations.
*/
if (CFEqual(policyIdentifier, kSecPolicyAppleX509Basic)) {
policy = SecPolicyCreateBasicX509();
}
else if (CFEqual(policyIdentifier, kSecPolicyAppleSSL)) {
policy = SecPolicyCreateSSL(!client, name);
}
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleSMIME)) {
+ policy = SecPolicyCreateSMIME(kSecSignSMIMEUsage | kSecAnyEncryptSMIME, name);
+ }
else if (CFEqual(policyIdentifier, kSecPolicyAppleEAP)) {
CFArrayRef array = NULL;
- if (name) {
+ if (isString(name)) {
array = CFArrayCreate(kCFAllocatorDefault, (const void **)&name, 1, &kCFTypeArrayCallBacks);
+ } else if (isArray(name)) {
+ array = CFArrayCreateCopy(NULL, name);
}
policy = SecPolicyCreateEAP(!client, array);
CFReleaseSafe(array);
}
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleSWUpdateSigning)) {
+ policy = SecPolicyCreateAppleSWUpdateSigning();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleIPsec)) {
+ policy = SecPolicyCreateIPSec(!client, name);
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleCodeSigning)) {
+ policy = SecPolicyCreateCodeSigning();
+ }
else if (CFEqual(policyIdentifier, kSecPolicyApplePackageSigning)) {
policy = SecPolicyCreateApplePackageSigning();
}
- else if (CFEqual(policyIdentifier, kSecPolicyAppleSWUpdateSigning)) {
- policy = SecPolicyCreateAppleSWUpdateSigning();
- }
- else if (CFEqual(policyIdentifier, kSecPolicyAppleIPsec)) {
- policy = SecPolicyCreateIPSec(!client, name);
- }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleIDValidation)) {
+ policy = SecPolicyCreateAppleIDAuthorityPolicy();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyMacAppStoreReceipt)) {
+ policy = SecPolicyCreateMacAppStoreReceipt();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleTimeStamping)) {
+ policy = SecPolicyCreateAppleTimeStamping();
+ }
else if (CFEqual(policyIdentifier, kSecPolicyAppleRevocation)) {
policy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod);
}
- else if (CFEqual(policyIdentifier, kSecPolicyAppleSMIME)) {
- policy =
SecPolicyCreateSMIME(kSecSignSMIMEUsage | kSecAnyEncryptSMIME, name);
- }
- else if (CFEqual(policyIdentifier, kSecPolicyAppleCodeSigning)) {
- policy = SecPolicyCreateCodeSigning();
- }
- else if (CFEqual(policyIdentifier, kSecPolicyAppleTimeStamping)) {
- policy = SecPolicyCreateAppleTimeStamping();
- }
- else if (CFEqual(policyIdentifier, kSecPolicyMacAppStoreReceipt)) {
- policy = SecPolicyCreateMacAppStoreReceipt();
- }
- else if (CFEqual(policyIdentifier, kSecPolicyAppleIDValidation)) {
- policy = SecPolicyCreateAppleIDAuthorityPolicy();
- }
else if (CFEqual(policyIdentifier, kSecPolicyApplePassbookSigning)) {
policy = SecPolicyCreatePassbookCardSigner(name, teamID);
}
else if (CFEqual(policyIdentifier, kSecPolicyAppleMobileStore)) {
policy = SecPolicyCreateMobileStoreSigner();
}
- else if (CFEqual(policyIdentifier, kSecPolicyAppleTestMobileStore)) {
- policy = SecPolicyCreateTestMobileStoreSigner();
- }
else if (CFEqual(policyIdentifier, kSecPolicyAppleEscrowService)) {
policy = SecPolicyCreateEscrowServiceSigner();
}
- else if (CFEqual(policyIdentifier, kSecPolicyApplePCSEscrowService)) {
- policy = SecPolicyCreatePCSEscrowServiceSigner();
- }
else if (CFEqual(policyIdentifier, kSecPolicyAppleProfileSigner)) {
policy = SecPolicyCreateConfigurationProfileSigner();
}
else if (CFEqual(policyIdentifier, kSecPolicyAppleQAProfileSigner)) {
policy = SecPolicyCreateQAConfigurationProfileSigner();
}
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleTestMobileStore)) {
+ policy = SecPolicyCreateTestMobileStoreSigner();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleOTAPKISigner)) {
+ policy = SecPolicyCreateOTAPKISigner();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleTestOTAPKISigner)) {
+ policy = SecPolicyCreateTestOTAPKISigner();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleIDValidationRecordSigning)) {
+ policy = SecPolicyCreateAppleIDValidationRecordSigningPolicy();
+ }
+ else if (CFEqual(policyIdentifier,
kSecPolicyAppleSMPEncryption)) {
+ policy = SecPolicyCreateAppleSMPEncryption();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleTestSMPEncryption)) {
+ policy = SecPolicyCreateTestAppleSMPEncryption();
+ }
else if (CFEqual(policyIdentifier, kSecPolicyAppleServerAuthentication)) {
policy = SecPolicyCreateAppleSSLService(name);
}
-#if TARGET_OS_IPHONE && !TARGET_IPHONE_SIMULATOR
- else if (CFEqual(policyIdentifier, kSecPolicyAppleOTAPKISigner)) {
- policy = SecPolicyCreateOTAPKISigner();
- }
- else if (CFEqual(policyIdentifier, kSecPolicyAppleTestOTAPKISigner)) {
- policy = SecPolicyCreateTestOTAPKISigner();
- }
- else if (CFEqual(policyIdentifier, kSecPolicyAppleIDValidationRecordSigningPolicy)) {
- policy = SecPolicyCreateAppleIDValidationRecordSigningPolicy();
- }
- else if (CFEqual(policyIdentifier, kSecPolicyAppleSMPEncryption)) {
- policy = SecPolicyCreateAppleSMPEncryption();
- }
- else if (CFEqual(policyIdentifier, kSecPolicyAppleTestSMPEncryption)) {
- policy = SecPolicyCreateTestAppleSMPEncryption();
- }
- else if (CFEqual(policyIdentifier, kSecPolicyAppleATVAppSigning)) {
- policy = SecPolicyCreateAppleATVAppSigning();
+ else if (CFEqual(policyIdentifier, kSecPolicyApplePCSEscrowService)) {
+ policy = SecPolicyCreatePCSEscrowServiceSigner();
}
- else if (CFEqual(policyIdentifier, kSecPolicyAppleTestATVAppSigning)) {
- policy = SecPolicyCreateTestAppleATVAppSigning();
- }
-#endif
else if (CFEqual(policyIdentifier, kSecPolicyApplePPQSigning)) {
policy = SecPolicyCreateApplePPQSigning();
}
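Review bot: The values read from the caller-supplied `properties` dictionary in the first added lines of this hunk (`context`, `policyName`, `intermediateMarkerOid`, `leafMarkerOid`, `rootDigest`) are assigned to typed CF pointers and later handed to the policy constructors without any type check, whereas `name` gets an isString/isArray check right below; a properties dictionary carrying, say, a number under kSecPolicyContext passes a mistyped object to SecPolicyCreateAppleAST2Service in the following hunk. Add a guard after the name check that rejects wrong CF types the same way, using the isDictionary/isData helpers alongside isString, as sketched below. `teamID` is read outside the hunk, so I cannot tell whether it is checked. SecPolicyCreateWithProperties starts and ends outside this hunk.
```c
    /* only the EAP policy allows a non-string name */
    // … unchanged: name type check and goto errOut …

    /* the remaining property values are caller-provided too; reject wrong CF
     * types before they reach the policy constructors */
    if ((context && !isDictionary(context)) ||
        (policyName && !isString(policyName)) ||
        (intermediateMarkerOid && !isString(intermediateMarkerOid)) ||
        (leafMarkerOid && !isString(leafMarkerOid)) ||
        (rootDigest && !isData(rootDigest))) {
        secerror("policy \"%@\" has a property value of the wrong type", policyIdentifier);
        goto errOut;
    }
```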
@@ -649,11 +742,154 @@ SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier,
else if (CFEqual(policyIdentifier, kSecPolicyApplePayIssuerEncryption)) {
policy = SecPolicyCreateApplePayIssuerEncryption();
}
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleOSXProvisioningProfileSigning)) {
+ policy = SecPolicyCreateOSXProvisioningProfileSigning();
+ }
else if (CFEqual(policyIdentifier, kSecPolicyAppleATVVPNProfileSigning)) {
policy = SecPolicyCreateAppleATVVPNProfileSigning();
}
else if (CFEqual(policyIdentifier, kSecPolicyAppleAST2DiagnosticsServerAuth)) {
- policy = SecPolicyCreateAppleAST2Service(name, NULL);
+ if (name) {
+ policy = SecPolicyCreateAppleAST2Service(name, context);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleEscrowProxyServerAuth)) {
+ if (name) {
+ policy = SecPolicyCreateAppleEscrowProxyService(name, context);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleFMiPServerAuth)) {
+ if (name) {
+ policy = SecPolicyCreateAppleFMiPService(name, context);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleMMCSService)) {
+ if (name) {
+ policy = SecPolicyCreateAppleMMCSService(name, context);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleGSService)) {
+ if (name) {
+ policy = SecPolicyCreateAppleGSService(name, context);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyApplePPQService)) {
+ if (name) {
+ policy = SecPolicyCreateApplePPQService(name, context);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+
}
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleHomeKitServerAuth)) {
+ policy = SecPolicyCreateAppleHomeKitServerAuth(name);
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneActivation)) {
+ policy = SecPolicyCreateiPhoneActivation();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneDeviceCertificate)) {
+ policy = SecPolicyCreateiPhoneDeviceCertificate();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleFactoryDeviceCertificate)) {
+ policy = SecPolicyCreateFactoryDeviceCertificate();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleiAP)) {
+ policy = SecPolicyCreateiAP();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleiTunesStoreURLBag)) {
+ policy = SecPolicyCreateiTunesStoreURLBag();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneApplicationSigning)) {
+ policy = SecPolicyCreateiPhoneApplicationSigning();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneProfileApplicationSigning)) {
+ policy = SecPolicyCreateiPhoneProfileApplicationSigning();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneProvisioningProfileSigning)) {
+ policy = SecPolicyCreateiPhoneProvisioningProfileSigning();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleLockdownPairing)) {
+ policy = SecPolicyCreateLockdownPairing();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleURLBag)) {
+ policy = SecPolicyCreateURLBag();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleOTATasking)) {
+ policy = SecPolicyCreateOTATasking();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleMobileAsset)) {
+ policy = SecPolicyCreateMobileAsset();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleIDAuthority)) {
+ policy = SecPolicyCreateAppleIDAuthorityPolicy();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleGenericApplePinned)) {
+ policy = SecPolicyCreateApplePinned(policyName, intermediateMarkerOid, leafMarkerOid);
+ }
+ else if (CFEqual(policyIdentifier,
kSecPolicyAppleGenericAppleSSLPinned)) {
+ policy = SecPolicyCreateAppleSSLPinned(policyName, name, intermediateMarkerOid, leafMarkerOid);
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleSoftwareSigning)) {
+ policy = SecPolicyCreateAppleSoftwareSigning();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleExternalDeveloper)) {
+ policy = SecPolicyCreateAppleExternalDeveloper();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleOCSPSigner)) {
+ policy = SecPolicyCreateOCSPSigner();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleIDSService)) {
+ policy = SecPolicyCreateAppleIDSService(name);
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleIDSServiceContext)) {
+ if (name) {
+ policy = SecPolicyCreateAppleIDSServiceContext(name, context);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyApplePushService)) {
+ if (name) {
+ policy = SecPolicyCreateApplePushService(name, context);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
+ }
+ else if (name && CFEqual(policyIdentifier, kSecPolicyAppleLegacyPushService)) {
+ if (name) {
+ policy = SecPolicyCreateApplePushServiceLegacy(name);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleTVOSApplicationSigning)) {
+ policy = SecPolicyCreateAppleTVOSApplicationSigning();
+ }
+ else if (CFEqual(policyIdentifier, kSecPolicyAppleUniqueDeviceIdentifierCertificate)) {
+ policy = SecPolicyCreateAppleUniqueDeviceCertificate(rootDigest);
+ }
+ else if (name && CFEqual(policyIdentifier, kSecPolicyAppleEscrowProxyCompatibilityServerAuth)) {
+ if (name) {
+ policy = SecPolicyCreateAppleCompatibilityEscrowProxyService(name);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
+ }
+ else if (name && CFEqual(policyIdentifier,
kSecPolicyAppleMMCSCompatibilityServerAuth)) {
+ if (name) {
+ policy = SecPolicyCreateAppleCompatibilityMMCSService(name);
+ } else {
+ secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier);
+ }
}
else {
secerror("ERROR: policy \"%@\" is unsupported", policyIdentifier);
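Review bot: The branches for kSecPolicyAppleLegacyPushService, kSecPolicyAppleEscrowProxyCompatibilityServerAuth and kSecPolicyAppleMMCSCompatibilityServerAuth test `name &&` in the outer `else if`, so their inner `else { secerror("... requires kSecPolicyName input" ...) }` can never run; with a NULL name those identifiers fall through to the final `"is unsupported"` error, which reports a missing name as an unknown policy. Drop the outer `name &&` on those three lines so they behave like the other name-requiring branches, e.g. `else if (CFEqual(policyIdentifier, kSecPolicyAppleLegacyPushService)) {`. The `if (name) { ... } else { secerror(...) }` shape is now repeated ten times in this chain; a small local helper taking the constructor call would keep it readable. SecPolicyCreateWithProperties continues past the hunk, where errOut and the return presumably live.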
@@ -681,93 +917,20 @@ CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef) { CFStringRef oid = (CFStringRef) CFRetain(policyRef->_oid); CFTypeRef nameKey = NULL; - // Convert private to public OID if we have one - CFStringRef outOid = oid; - if (CFEqual(oid, kSecPolicyOIDBasicX509)) { - outOid = kSecPolicyAppleX509Basic; - } - else if (CFEqual(oid, kSecPolicyOIDSSLServer) || - CFEqual(oid, kSecPolicyOIDSSLClient)) { - outOid = kSecPolicyAppleSSL; - nameKey = kSecPolicyCheckSSLHostname; - } - else if (CFEqual(oid, kSecPolicyOIDEAPServer) || - CFEqual(oid, kSecPolicyOIDEAPClient)) { - outOid = kSecPolicyAppleEAP; - nameKey = kSecPolicyCheckEAPTrustedServerNames; - } - else if (CFEqual(oid, kSecPolicyOIDIPSecServer) || - CFEqual(oid, kSecPolicyOIDIPSecClient)) { - outOid = kSecPolicyAppleIPsec; - nameKey = kSecPolicyCheckSSLHostname; - } - else if (CFEqual(oid, kSecPolicyOIDRevocation)) { - outOid = kSecPolicyAppleRevocation; - } - else if (CFEqual(oid, kSecPolicyOIDSMIME)) { - outOid = kSecPolicyAppleSMIME; - nameKey = kSecPolicyCheckEmail; - } - else if (CFEqual(oid, kSecPolicyOIDCodeSigning)) { - outOid = kSecPolicyAppleCodeSigning; - } - else if (CFEqual(oid, kSecPolicyOIDAppleIDAuthority)) { - outOid = kSecPolicyAppleIDValidation; - } - else if (CFEqual(oid, kSecPolicyOIDApplePassbook)) { - outOid = kSecPolicyApplePassbookSigning; - } - else if (CFEqual(oid, kSecPolicyOIDAppleMobileStore)) { - outOid = kSecPolicyAppleMobileStore; - } - else if (CFEqual(oid, kSecPolicyOIDAppleTestMobileStore)) { - outOid = kSecPolicyAppleTestMobileStore; - } - else if (CFEqual(oid, kSecPolicyOIDAppleEscrowService)) { - outOid = kSecPolicyAppleEscrowService; - } - else if (CFEqual(oid, kSecPolicyOIDApplePCSEscrowService)) { - outOid = kSecPolicyApplePCSEscrowService; - } - else if (CFEqual(oid, kSecPolicyOIDAppleProfileSigner)) { - outOid = kSecPolicyAppleProfileSigner; - } - else if (CFEqual(oid, kSecPolicyOIDAppleQAProfileSigner)) { - outOid = 
kSecPolicyAppleQAProfileSigner; - } -#if TARGET_OS_EMBEDDED - else if (CFEqual(oid, kSecPolicyOIDAppleOTAPKIAssetSigner)) { - outOid = kSecPolicyAppleOTAPKISigner; - } - else if (CFEqual(oid, kSecPolicyOIDAppleTestOTAPKIAssetSigner)) { - outOid = kSecPolicyAppleTestOTAPKISigner; - } - else if (CFEqual(oid, kSecPolicyOIDAppleIDValidationRecordSigningPolicy)) { - outOid = kSecPolicyAppleIDValidationRecordSigningPolicy; - } - else if (CFEqual(oid, kSecPolicyOIDAppleATVAppSigning)) { - outOid = kSecPolicyAppleATVAppSigning; - } - else if (CFEqual(oid, kSecPolicyOIDAppleTestATVAppSigning)) { - outOid = kSecPolicyAppleTestATVAppSigning; - } -#endif - else if (CFEqual(oid, kSecPolicyOIDApplePayIssuerEncryption)) { - outOid = kSecPolicyApplePayIssuerEncryption; - } - else if (CFEqual(oid, kSecPolicyOIDAppleOSXProvisioningProfileSigning)) { - outOid = kSecPolicyAppleOSXProvisioningProfileSigning; - } - else if (CFEqual(oid, kSecPolicyOIDAppleATVVPNProfileSigning)) { - outOid = kSecPolicyAppleATVVPNProfileSigning; - } - else if (CFEqual(oid, kSecPolicyOIDAppleAST2Service)) { - outOid = kSecPolicyAppleAST2DiagnosticsServerAuth; + // Determine name key + if (policyRef->_options) { + if (CFDictionaryContainsKey(policyRef->_options, kSecPolicyCheckSSLHostname)) { + nameKey = kSecPolicyCheckSSLHostname; + } else if (CFDictionaryContainsKey(policyRef->_options, kSecPolicyCheckEAPTrustedServerNames)) { + nameKey = kSecPolicyCheckEAPTrustedServerNames; + } else if (CFDictionaryContainsKey(policyRef->_options, kSecPolicyCheckEmail)) { + nameKey = kSecPolicyCheckEmail; + } } // Set kSecPolicyOid CFDictionarySetValue(properties, (const void *)kSecPolicyOid, - (const void *)outOid); + (const void *)oid); // Set kSecPolicyName if we have one if (nameKey && policyRef->_options) { 
@@ -780,9 +943,10 @@ CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef) { } // Set kSecPolicyClient - if (CFEqual(oid, kSecPolicyOIDSSLClient) || - CFEqual(oid, kSecPolicyOIDIPSecClient) || - CFEqual(oid, kSecPolicyOIDEAPClient)) { + CFStringRef policyName = (CFStringRef) CFRetainSafe(policyRef->_name); + if (policyName && (CFEqual(policyName, kSecPolicyNameSSLClient) || + CFEqual(policyName, kSecPolicyNameIPSecClient) || + CFEqual(policyName, kSecPolicyNameEAPClient))) { CFDictionarySetValue(properties, (const void *)kSecPolicyClient, (const void *)kCFBooleanTrue); } @@ -799,10 +963,22 @@ static void SecPolicySetOid(SecPolicyRef policy, CFStringRef oid) { CFReleaseSafe(temp); } +static void SecPolicySetName(SecPolicyRef policy, CFStringRef policyName) { + if (!policy || !policyName) return; + CFStringRef temp = policy->_name; + CFRetain(policyName); + policy->_name= policyName; + CFReleaseSafe(temp); +} + CFStringRef SecPolicyGetOidString(SecPolicyRef policy) { return policy->_oid; } +CFStringRef SecPolicyGetName(SecPolicyRef policy) { + return policy->_name; +} + CFDictionaryRef SecPolicyGetOptions(SecPolicyRef policy) { return policy->_options; } @@ -819,6 +995,9 @@ void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef va CFDictionarySetValue(options, key, value); } +/* Local forward declaration */ +static void set_ssl_ekus(CFMutableDictionaryRef options, bool server); + #if !SECTRUST_OSX // this is declared as NA for iPhone in SecPolicy.h, so declare here OSStatus SecPolicySetProperties(SecPolicyRef policyRef, CFDictionaryRef properties); 
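Review bot: `CFRetainSafe(policyRef->_name)` takes a reference that nothing in this hunk releases, and `policyName` is only used for the three CFEqual comparisons that follow, so the retain buys nothing; unless the remainder of SecPolicyCopyProperties (outside the hunk) releases it, each call leaks one reference on `_name`. `CFStringRef policyName = policyRef->_name;` is sufficient, since `policyRef` keeps the string alive for the duration of the call. The function continues past the end of this hunk.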
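Review bot: `policy->_name= policyName;` is missing the space around `=` that every other assignment in the hunk has. SecPolicyGetName returns the stored pointer without retaining it and dereferences `policy` unconditionally, matching SecPolicyGetOidString; a one-line comment `/* Returns the policy name without retaining it; may be NULL. */` would make the Get semantics explicit. SecPolicySetName's early return on a NULL `policyName` also means that a name, once set, cannot be cleared through this setter, which is worth stating if intended.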
@@ -838,24 +1017,21 @@ OSStatus SecPolicySetProperties(SecPolicyRef policyRef, CFDictionaryRef properti if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyName, (const void **)&name) && name) { CFTypeID typeID = CFGetTypeID(name); - if (CFEqual(oid, kSecPolicyOIDSSLServer) || - CFEqual(oid, kSecPolicyOIDSSLClient) || - CFEqual(oid, kSecPolicyOIDIPSecServer) || - CFEqual(oid, kSecPolicyOIDIPSecClient)) { + if (CFEqual(oid, kSecPolicyAppleSSL) || + CFEqual(oid, kSecPolicyAppleIPsec)) { if (CFStringGetTypeID() == typeID) { SecPolicySetOptionsValue(policyRef, kSecPolicyCheckSSLHostname, name); } else result = errSecParam; } - else if (CFEqual(oid, kSecPolicyOIDEAPServer) || - CFEqual(oid, kSecPolicyOIDEAPClient)) { + else if (CFEqual(oid, kSecPolicyAppleEAP)) { if ((CFStringGetTypeID() == typeID) || (CFArrayGetTypeID() == typeID)) { SecPolicySetOptionsValue(policyRef, kSecPolicyCheckEAPTrustedServerNames, name); } else result = errSecParam; } - else if (CFEqual(oid, kSecPolicyOIDSMIME)) { + else if (CFEqual(oid, kSecPolicyAppleSMIME)) { if (CFStringGetTypeID() == typeID) { SecPolicySetOptionsValue(policyRef, kSecPolicyCheckEmail, name); } 
@@ -871,25 +1047,45 @@ OSStatus SecPolicySetProperties(SecPolicyRef policyRef, CFDictionaryRef properti result = errSecParam; } else if (CFEqual(client, kCFBooleanTrue)) { - if (CFEqual(oid, kSecPolicyOIDSSLServer)) { - SecPolicySetOid(policyRef, kSecPolicyOIDSSLClient); + if (CFEqual(oid, kSecPolicyAppleSSL)) { + SecPolicySetName(policyRef, kSecPolicyNameSSLClient); + /* Set EKU checks for clients */ + CFMutableDictionaryRef newOptions = CFDictionaryCreateMutableCopy(NULL, 0, policyRef->_options); + set_ssl_ekus(newOptions, false); + CFReleaseSafe(policyRef->_options); + policyRef->_options = newOptions; } - else if (CFEqual(oid, kSecPolicyOIDIPSecServer)) { - SecPolicySetOid(policyRef, kSecPolicyOIDIPSecClient); + else if (CFEqual(oid, kSecPolicyAppleIPsec)) { + SecPolicySetName(policyRef, kSecPolicyNameIPSecClient); } - else if (CFEqual(oid, kSecPolicyOIDEAPServer)) { - SecPolicySetOid(policyRef, kSecPolicyOIDEAPClient); + else if (CFEqual(oid, kSecPolicyNameEAPServer)) { + SecPolicySetName(policyRef, kSecPolicyNameEAPClient); + /* Set EKU checks for clients */ + CFMutableDictionaryRef newOptions = CFDictionaryCreateMutableCopy(NULL, 0, policyRef->_options); + set_ssl_ekus(newOptions, false); + CFReleaseSafe(policyRef->_options); + policyRef->_options = newOptions; } } else { - if (CFEqual(oid, kSecPolicyOIDSSLClient)) { - SecPolicySetOid(policyRef, kSecPolicyOIDSSLServer); + if (CFEqual(oid, kSecPolicyAppleSSL)) { + SecPolicySetName(policyRef, kSecPolicyNameSSLServer); + /* Set EKU checks for servers */ + CFMutableDictionaryRef newOptions = CFDictionaryCreateMutableCopy(NULL, 0, policyRef->_options); + set_ssl_ekus(newOptions, true); + CFReleaseSafe(policyRef->_options); + policyRef->_options = newOptions; } - else if (CFEqual(oid, kSecPolicyOIDIPSecClient)) { - SecPolicySetOid(policyRef, kSecPolicyOIDIPSecServer); + else if (CFEqual(oid, kSecPolicyAppleIPsec)) { + SecPolicySetName(policyRef, kSecPolicyNameIPSecServer); } - else if (CFEqual(oid, 
kSecPolicyOIDEAPClient)) { - SecPolicySetOid(policyRef, kSecPolicyOIDEAPServer); + else if (CFEqual(oid, kSecPolicyAppleEAP)) { + SecPolicySetName(policyRef, kSecPolicyNameEAPServer); + /* Set EKU checks for servers */ + CFMutableDictionaryRef newOptions = CFDictionaryCreateMutableCopy(NULL, 0, policyRef->_options); + set_ssl_ekus(newOptions, true); + CFReleaseSafe(policyRef->_options); + policyRef->_options = newOptions; } } } @@ -906,8 +1102,24 @@ extern OSStatus validate_array_of_items(CFArrayRef array, CFStringRef arrayItemT static xpc_object_t copy_xpc_policy_object(SecPolicyRef policy) { xpc_object_t xpc_policy = NULL; xpc_object_t data[2] = { NULL, NULL }; - if (policy->_oid && (CFGetTypeID(policy->_oid) == CFStringGetTypeID())) { - data[0] = _CFXPCCreateXPCObjectFromCFObject(policy->_oid); + if (policy->_oid && (CFGetTypeID(policy->_oid) == CFStringGetTypeID()) && + policy->_name && (CFGetTypeID(policy->_name) == CFStringGetTypeID())) { + /* These should really be different elements of the xpc array. But + * SecPolicyCreateWithXPCObject previously checked the size via ==, which prevents + * us from appending new information while maintaining backward compatibility. + * Doing this makes the builders happy. */ + CFMutableStringRef oidAndName = NULL; + oidAndName = CFStringCreateMutableCopy(NULL, 0, policy->_oid); + if (oidAndName) { + CFStringAppend(oidAndName, CFSTR("++")); + CFStringAppend(oidAndName, policy->_name); + data[0] = _CFXPCCreateXPCObjectFromCFObject(oidAndName); + CFReleaseNull(oidAndName); + } else { + data[0] = _CFXPCCreateXPCObjectFromCFObject(policy->_oid); + } + } else if (policy->_oid && (CFGetTypeID(policy->_oid) == CFStringGetTypeID())) { + data[0] = _CFXPCCreateXPCObjectFromCFObject(policy->_oid); } else { secerror("policy 0x%lX has no _oid", (uintptr_t)policy); } 
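Review bot: In the client branch the EAP case compares `oid` against `kSecPolicyNameEAPServer`, a policy-name constant, while the server branch below and every other case in the hunk compare against OID constants; unless the two constants happen to share a value, setting kSecPolicyClient to true on an EAP policy never renames it to kSecPolicyNameEAPClient or resets its EKUs, and the line should read `else if (CFEqual(oid, kSecPolicyAppleEAP)) {`. The copy-options / set_ssl_ekus / swap sequence is repeated four times in this hunk; a small static helper removes the duplication and gives one place to handle a NULL return from CFDictionaryCreateMutableCopy, which set_ssl_ekus (it calls CFDictionaryRemoveValue on its first line) does not guard against. SecPolicySetProperties begins before this hunk.

```c
/* Replace policyRef->_options with a copy whose EKU checks match the role. */
static void SecPolicyResetSSLEKUs(SecPolicyRef policyRef, bool server) {
    CFMutableDictionaryRef newOptions = CFDictionaryCreateMutableCopy(NULL, 0, policyRef->_options);
    if (!newOptions) {
        return; /* leave the existing options untouched */
    }
    set_ssl_ekus(newOptions, server);
    CFReleaseSafe(policyRef->_options);
    policyRef->_options = newOptions;
}

// … unchanged: kSecPolicyClient value validation …
            if (CFEqual(oid, kSecPolicyAppleSSL)) {
                SecPolicySetName(policyRef, kSecPolicyNameSSLClient);
                SecPolicyResetSSLEKUs(policyRef, false);
            }
            // … unchanged: IPsec client case …
            else if (CFEqual(oid, kSecPolicyAppleEAP)) {
                SecPolicySetName(policyRef, kSecPolicyNameEAPClient);
                SecPolicyResetSSLEKUs(policyRef, false);
            }
// … unchanged: server branch, same helper with server == true …
```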
@@ -961,8 +1173,21 @@ xpc_object_t copy_xpc_policies_array(CFArrayRef policies) { static xpc_object_t SecPolicyCopyXPCObject(SecPolicyRef policy, CFErrorRef *error) { xpc_object_t xpc_policy = NULL; xpc_object_t data[2] = {}; - require_action_quiet(data[0] = _CFXPCCreateXPCObjectFromCFObject(policy->_oid), exit, - SecError(errSecParam, error, CFSTR("failed to create xpc_object from policy oid"))); + CFMutableStringRef oidAndName = NULL; + oidAndName = CFStringCreateMutableCopy(NULL, 0, policy->_oid); + if (oidAndName) { + if (policy->_name) { + CFStringAppend(oidAndName, CFSTR("++")); + CFStringAppend(oidAndName, policy->_name); + } + + require_action_quiet(data[0] = _CFXPCCreateXPCObjectFromCFObject(oidAndName), exit, + SecError(errSecParam, error, + CFSTR("failed to create xpc_object from policy oid and name"))); + } else { + require_action_quiet(data[0] = _CFXPCCreateXPCObjectFromCFObject(policy->_oid), exit, + SecError(errSecParam, error, CFSTR("failed to create xpc_object from policy oid"))); + } require_action_quiet(data[1] = _CFXPCCreateXPCObjectFromCFObject(policy->_options), exit, SecError(errSecParam, error, CFSTR("failed to create xpc_object from policy options"))); require_action_quiet(xpc_policy = xpc_array_create(data, array_size(data)), exit, @@ -971,6 +1196,7 @@ static xpc_object_t SecPolicyCopyXPCObject(SecPolicyRef policy, CFErrorRef *erro exit: if (data[0]) xpc_release(data[0]); if (data[1]) xpc_release(data[1]); + CFReleaseNull(oidAndName); return xpc_policy; } 
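Review bot: `policy->_oid` is passed to CFStringCreateMutableCopy before anything checks it, whereas the replaced require_action_quiet reported errSecParam for a NULL oid and copy_xpc_policy_object in the previous hunk explicitly handles a policy with no `_oid`; if that state is reachable here, CF will fault instead of returning an error. A guard such as `require_action_quiet(policy->_oid, exit, SecError(errSecParam, error, CFSTR("policy has no oid")));` ahead of the copy keeps the old behaviour. The second hunk's `CFReleaseNull(oidAndName);` at exit correctly balances the copy on both branches.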
@@ -1002,24 +1228,57 @@ exit: return xpc_policies; } +static OSStatus parseOidAndName(CFStringRef oidAndName, CFStringRef *oid, CFStringRef *name) { + OSStatus result = errSecSuccess; + CFStringRef partial = NULL; + + CFRange delimiter = CFStringFind(oidAndName, CFSTR("++"), 0); + if (delimiter.length != 2) { + return errSecParam; + } + + /* get first half: oid */ + partial = CFStringCreateWithSubstring(NULL, oidAndName, CFRangeMake(0, delimiter.location)); + if (oid) { *oid = CFRetainSafe(partial); } + CFReleaseNull(partial); + + /* get second half: name */ + if (delimiter.location + 2 >= CFStringGetLength(oidAndName)) { + return errSecSuccess; // name is optional + } + CFRange nameRange = CFRangeMake(delimiter.location+2, + CFStringGetLength(oidAndName) - delimiter.location - 2); + partial = CFStringCreateWithSubstring(NULL, oidAndName, nameRange); + if (name) { *name = CFRetainSafe(partial); } + CFReleaseNull(partial); + return result; +} + static SecPolicyRef SecPolicyCreateWithXPCObject(xpc_object_t xpc_policy, CFErrorRef *error) { SecPolicyRef policy = NULL; - CFTypeRef oid = NULL; + CFTypeRef oidAndName = NULL; + CFStringRef oid = NULL; + CFStringRef name = NULL; CFTypeRef options = NULL; require_action_quiet(xpc_policy, exit, SecError(errSecParam, error, CFSTR("policy xpc value is NULL"))); require_action_quiet(xpc_get_type(xpc_policy) == XPC_TYPE_ARRAY, exit, SecError(errSecDecode, error, CFSTR("policy xpc value is not an array"))); - require_action_quiet(xpc_array_get_count(xpc_policy) == 2, exit, SecError(errSecDecode, error, CFSTR("policy xpc array count != 2"))); - oid = _CFXPCCreateCFObjectFromXPCObject(xpc_array_get_value(xpc_policy, 0)); - require_action_quiet(isString(oid), exit, - SecError(errSecParam, error, CFSTR("failed to convert xpc policy[0]=%@ to CFString"), oid)); + require_action_quiet(xpc_array_get_count(xpc_policy) >= 2, exit, SecError(errSecDecode, error, CFSTR("policy xpc array count < 2"))); + oidAndName = 
_CFXPCCreateCFObjectFromXPCObject(xpc_array_get_value(xpc_policy, 0)); + require_action_quiet(isString(oidAndName), exit, + SecError(errSecParam, error, CFSTR("failed to convert xpc policy[0]=%@ to CFString"), oidAndName)); options = _CFXPCCreateCFObjectFromXPCObject(xpc_array_get_value(xpc_policy, 1)); require_action_quiet(isDictionary(options), exit, SecError(errSecParam, error, CFSTR("failed to convert xpc policy[1]=%@ to CFDictionary"), options)); - require_action_quiet(policy = SecPolicyCreate(oid, options), exit, SecError(errSecDecode, error, CFSTR("Failed to create policy"))); + require_noerr_action_quiet(parseOidAndName(oidAndName, &oid, &name), exit, + SecError(errSecParam, error, CFSTR("failed to convert combined %@ to name and oid"), oidAndName)); + require_action_quiet(policy = SecPolicyCreate(oid, name, options), exit, + SecError(errSecDecode, error, CFSTR("Failed to create policy"))); exit: + CFReleaseSafe(oidAndName); CFReleaseSafe(oid); + CFReleaseSafe(name); CFReleaseSafe(options); return policy; } 
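Review bot: parseOidAndName returns errSecParam when the `++` delimiter is absent, so SecPolicyCreateWithXPCObject now rejects a bare oid string; both encoders still emit one when `_name` is NULL or the combined string cannot be built (the `else` branches of copy_xpc_policy_object and SecPolicyCopyXPCObject in the two hunks above), and a peer running the pre-change encoder sends nothing else. The comment in copy_xpc_policy_object only covers the opposite direction (old receivers checking the array count with `==`). A missing delimiter should mean "oid only": `if (delimiter.location == kCFNotFound) { if (oid) { *oid = CFRetainSafe(oidAndName); } return errSecSuccess; /* bare oid, no name */ }`. The relaxed `>= 2` count check suggests that kind of leniency was intended.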
@@ -1048,6 +1307,76 @@ exit: } +static SEC_CONST_DECL (kSecPolicyOptions, "policyOptions"); + +static SecPolicyRef SecPolicyCreateWithDictionary(CFDictionaryRef dict) { + SecPolicyRef policy = NULL; + CFStringRef oid = (CFStringRef)CFDictionaryGetValue(dict, kSecPolicyOid); + require_quiet(isString(oid), errOut); + CFDictionaryRef options = (CFDictionaryRef)CFDictionaryGetValue(dict, kSecPolicyOptions); + require_quiet(isDictionary(options), errOut); + CFStringRef name = (CFStringRef)CFDictionaryGetValue(dict, kSecPolicyPolicyName); + policy = SecPolicyCreate(oid, name, options); +errOut: + return policy; +} + +static void deserializePolicy(const void *value, void *context) { + CFDictionaryRef policyDict = (CFDictionaryRef)value; + if (isDictionary(policyDict)) { + CFTypeRef deserializedPolicy = SecPolicyCreateWithDictionary(policyDict); + if (deserializedPolicy) { + CFArrayAppendValue((CFMutableArrayRef)context, deserializedPolicy); + CFRelease(deserializedPolicy); + } + } +} + +CFArrayRef SecPolicyArrayCreateDeserialized(CFArrayRef serializedPolicies) { + CFMutableArrayRef result = NULL; + require_quiet(isArray(serializedPolicies), errOut); + CFIndex count = CFArrayGetCount(serializedPolicies); + result = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks); + CFRange all_policies = { 0, count }; + CFArrayApplyFunction(serializedPolicies, all_policies, deserializePolicy, result); +errOut: + return result; +} + +static CFDictionaryRef SecPolicyCreateDictionary(SecPolicyRef policy) { + CFMutableDictionaryRef dict = NULL; + dict = CFDictionaryCreateMutable(NULL, 3, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + CFDictionaryAddValue(dict, kSecPolicyOid, policy->_oid); + CFDictionaryAddValue(dict, kSecPolicyOptions, policy->_options); + if (policy->_name) { + CFDictionaryAddValue(dict, kSecPolicyPolicyName, policy->_name); + } + return dict; +} + +static void serializePolicy(const void *value, void *context) { + SecPolicyRef 
policy = (SecPolicyRef)value; + if (policy && SecPolicyGetTypeID() == CFGetTypeID(policy)) { + CFDictionaryRef serializedPolicy = SecPolicyCreateDictionary(policy); + if (serializedPolicy) { + CFArrayAppendValue((CFMutableArrayRef)context, serializedPolicy); + CFRelease(serializedPolicy); + } + } +} + +CFArrayRef SecPolicyArrayCreateSerialized(CFArrayRef policies) { + CFMutableArrayRef result = NULL; + require_quiet(isArray(policies), errOut); + CFIndex count = CFArrayGetCount(policies); + result = CFArrayCreateMutable(NULL, count, &kCFTypeArrayCallBacks); + CFRange all_policies = { 0, count}; + CFArrayApplyFunction(policies, all_policies, serializePolicy, result); +errOut: + return result; +} + static void add_element(CFMutableDictionaryRef options, CFStringRef key, CFTypeRef value) { CFTypeRef old_value = CFDictionaryGetValue(options, key); 
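Review bot: SecPolicyCreateWithDictionary checks `oid` with isString and `options` with isDictionary but hands `name` to SecPolicyCreate as a CFStringRef without a type check, so a serialized dictionary carrying a non-string kSecPolicyPolicyName is accepted as-is; add `require_quiet(!name || isString(name), errOut);` before the create. In SecPolicyCreateDictionary the result of CFDictionaryCreateMutable is not checked, and `policy->_options` is added unconditionally while `_name` is guarded — if `_options` can be NULL there, it needs the same `if` guard, as CF type dictionaries do not accept NULL values. SecPolicyArrayCreateDeserialized and SecPolicyArrayCreateSerialized likewise pass an unchecked CFArrayCreateMutable result as the apply-function context.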
@@ -1078,6 +1407,32 @@ static void add_eku(CFMutableDictionaryRef options, const DERItem *ekuOid) { } } +static void add_eku_string(CFMutableDictionaryRef options, CFStringRef ekuOid) { + if (ekuOid) { + add_element(options, kSecPolicyCheckExtendedKeyUsage, ekuOid); + } +} + +static void set_ssl_ekus(CFMutableDictionaryRef options, bool server) { + CFDictionaryRemoveValue(options, kSecPolicyCheckExtendedKeyUsage); + + /* If server and EKU ext present then EKU ext should contain one of + ServerAuth or ExtendedKeyUsageAny or NetscapeSGC or MicrosoftSGC. + else if !server and EKU ext present then EKU ext should contain one of + ClientAuth or ExtendedKeyUsageAny. */ + + /* We always allow certificates that specify oidAnyExtendedKeyUsage. */ + add_eku(options, NULL); /* eku extension is optional */ + add_eku(options, &oidAnyExtendedKeyUsage); + if (server) { + add_eku(options, &oidExtendedKeyUsageServerAuth); + add_eku(options, &oidExtendedKeyUsageMicrosoftSGC); + add_eku(options, &oidExtendedKeyUsageNetscapeSGC); + } else { + add_eku(options, &oidExtendedKeyUsageClientAuth); + } +} + static void add_ku(CFMutableDictionaryRef options, SecKeyUsage keyUsage) { SInt32 dku = keyUsage; CFNumberRef ku = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, 
@@ -1127,29 +1482,59 @@ static void add_leaf_marker(CFMutableDictionaryRef options, const DERItem *marke add_leaf_marker_value(options, markerOid, NULL); } +static void add_leaf_marker_value_string(CFMutableDictionaryRef options, CFStringRef markerOid, CFStringRef string_value) { + if (NULL == string_value) { + add_element(options, kSecPolicyCheckLeafMarkerOid, markerOid); + } else { + CFDictionaryRef policyData = NULL; + const void *key[1] = { markerOid }; + const void *value[1] = { string_value }; + policyData = CFDictionaryCreate(kCFAllocatorDefault, + key, value, 1, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + add_element(options, kSecPolicyCheckLeafMarkerOid, policyData); -static void add_certificate_policy_oid(CFMutableDictionaryRef options, const DERItem *certificatePolicyOid, CFStringRef string_value) { - CFTypeRef certificatePolicyData = NULL; + CFReleaseNull(policyData); + } +} - if (NULL == string_value) { - certificatePolicyData = CFDataCreate(kCFAllocatorDefault, - certificatePolicyOid ? certificatePolicyOid->data : NULL, - certificatePolicyOid ? 
certificatePolicyOid->length : 0); - } else { - CFStringRef oid_as_string = SecDERItemCopyOIDDecimalRepresentation(kCFAllocatorDefault, certificatePolicyOid); +static void add_leaf_marker_string(CFMutableDictionaryRef options, CFStringRef markerOid) { + add_leaf_marker_value_string(options, markerOid, NULL); +} - const void *key[1] = { oid_as_string }; +static void add_intermediate_marker_value_string(CFMutableDictionaryRef options, CFStringRef markerOid, CFStringRef string_value) { + if (NULL == string_value) { + add_element(options, kSecPolicyCheckIntermediateMarkerOid, markerOid); + } else { + CFDictionaryRef policyData = NULL; + const void *key[1] = { markerOid }; const void *value[1] = { string_value }; - certificatePolicyData = CFDictionaryCreate(kCFAllocatorDefault, + policyData = CFDictionaryCreate(kCFAllocatorDefault, key, value, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - CFReleaseNull(oid_as_string); + add_element(options, kSecPolicyCheckIntermediateMarkerOid, policyData); + + CFReleaseNull(policyData); } +} - add_element(options, kSecPolicyCheckCertificatePolicy, certificatePolicyData); +static void add_certificate_policy_oid(CFMutableDictionaryRef options, const DERItem *certificatePolicyOid) { + CFTypeRef certificatePolicyData = NULL; + certificatePolicyData = CFDataCreate(kCFAllocatorDefault, + certificatePolicyOid ? certificatePolicyOid->data : NULL, + certificatePolicyOid ? certificatePolicyOid->length : 0); + if (certificatePolicyData) { + add_element(options, kSecPolicyCheckCertificatePolicy, certificatePolicyData); + CFRelease(certificatePolicyData); + } +} - CFReleaseNull(certificatePolicyData); +static void add_certificate_policy_oid_string(CFMutableDictionaryRef options, CFStringRef certificatePolicyOid) { + if (certificatePolicyOid) { + add_element(options, kSecPolicyCheckCertificatePolicy, certificatePolicyOid); + } } + // // Routines for adding dictionary entries for policies. // 
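Review bot: add_leaf_marker_value_string and add_intermediate_marker_value_string pass `policyData` to add_element without checking the CFDictionaryCreate result, while the rewritten add_certificate_policy_oid in the same hunk guards its CFData with `if (certificatePolicyData)`; only the first line of add_element is visible on this page, so whether it tolerates a NULL value cannot be confirmed, and `if (policyData) { add_element(options, kSecPolicyCheckLeafMarkerOid, policyData); }` (and the intermediate counterpart) keeps the three helpers consistent. The two `*_value_string` functions differ only in the option key; one static helper taking the key as a parameter would remove the duplicated dictionary construction.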
@@ -1158,9 +1543,10 @@ static void add_certificate_policy_oid(CFMutableDictionaryRef options, const DER static void SecPolicyAddBasicCertOptions(CFMutableDictionaryRef options) { //CFDictionaryAddValue(options, kSecPolicyCheckBasicCertificateProcessing, kCFBooleanTrue); + // Happens automatically in SecPVCPathChecks CFDictionaryAddValue(options, kSecPolicyCheckCriticalExtensions, kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckIdLinkage, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckBasicContraints, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckBasicConstraints, kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckNonEmptySubject, kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckQualifiedCertStatements, kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckWeakIntermediates, kCFBooleanTrue); 
@@ -1212,13 +1598,63 @@ errOut: return success; } -static bool SecPolicyAddAppleAnchorOptions(CFMutableDictionaryRef options) +static bool SecPolicyAddAnchorSHA256Options(CFMutableDictionaryRef options, + const UInt8 anchorSha1[kSecPolicySHA256Size]) { - return SecPolicyAddAnchorSHA1Options(options, kAppleCASHA1); + bool success = false; + CFDataRef anchorData = NULL; + + require(anchorData = CFDataCreate(kCFAllocatorDefault, anchorSha1, kSecPolicySHA256Size), errOut); + add_element(options, kSecPolicyCheckAnchorSHA256, anchorData); + + success = true; + +errOut: + CFReleaseSafe(anchorData); + return success; +} + +static bool isAppleOid(CFStringRef oid) { + if (!SecCertificateIsOidString(oid)) { + return false; + } + if (CFStringHasPrefix(oid, CFSTR("1.2.840.113635"))) { + return true; + } + return false; +} + +static bool allowTestHierarchyForPolicy(CFStringRef policyName) { + bool allow = false; + CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("ApplePinningAllowTestCerts%@"), policyName); + require(setting, fail); + if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.security"), NULL)) { + allow = true; + } + CFRelease(setting); +fail: + return allow; +} + +static bool SecPolicyAddAppleAnchorOptions(CFMutableDictionaryRef options, CFStringRef policyName) +{ + CFMutableDictionaryRef appleAnchorOptions; + appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL); + if (!appleAnchorOptions) { + return false; + } + + if (allowTestHierarchyForPolicy(policyName)) { + CFDictionarySetValue(appleAnchorOptions, + kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue); + } + add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions); + CFReleaseSafe(appleAnchorOptions); + return true; } // -// Policy Creation Functions +// MARK: Policy Creation Functions // SecPolicyRef SecPolicyCreateBasicX509(void) { CFMutableDictionaryRef options = NULL; 
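Review bot: allowTestHierarchyForPolicy turns on kSecPolicyAppleAnchorIncludeTestRoots from a `com.apple.security` preference alone, whereas the analogous `AppleServerAuthenticationNoPinning` preference in requireUATPinning (next hunk) is consulted only when `SecIsInternalRelease()` is true, and that function spells the domain `com.apple.Security`; the differing case looks like a typo in one of the two, and if the missing gate is not deliberate the check should read `if (SecIsInternalRelease() && CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.security"), NULL)) {`. isAppleOid tests the prefix `1.2.840.113635` without a trailing dot, so a sibling arc such as `1.2.840.1136350` (constructed example) would also pass; `CFSTR("1.2.840.113635.")` closes that. The parameter of SecPolicyAddAnchorSHA256Options is named `anchorSha1` although it is sized and used as a SHA-256 digest; `anchorSha256` avoids confusion with SecPolicyAddAnchorSHA1Options.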
@@ -1231,11 +1667,11 @@ SecPolicyRef SecPolicyCreateBasicX509(void) { CFDictionaryAddValue(options, kSecPolicyCheckNoNetworkAccess, kCFBooleanTrue); - require(result = SecPolicyCreate(kSecPolicyOIDBasicX509, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleX509Basic, kSecPolicyNameBasicX509, options), errOut); errOut: CFReleaseSafe(options); - return result; + return (SecPolicyRef _Nonnull)result; } SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef hostname) { 
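Review bot: `return (SecPolicyRef _Nonnull)result;` casts away nullability although `result` is still NULL whenever a `require` jumps to errOut, so the annotation silences the compiler without making the contract true; SecPolicyCreateSSL in the next hunk does the same. Either keep the return type nullable in the header or document the failure mode above the function, e.g. `/* Returns NULL only if option allocation or policy creation fails. */`.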
@@ -1254,29 +1690,128 @@ SecPolicyRef SecPolicyCreateSSL(Boolean server, CFStringRef hostname) { CFDictionaryAddValue(options, kSecPolicyCheckBlackListedLeaf, kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckGrayListedLeaf, kCFBooleanTrue); - /* If server and EKU ext present then EKU ext should contain one of - ServerAuth or ExtendedKeyUsageAny or NetscapeSGC or MicrosoftSGC. - else if !server and EKU ext present then EKU ext should contain one of - ClientAuth or ExtendedKeyUsageAny. */ - - /* We always allow certificates that specify oidAnyExtendedKeyUsage. */ - add_eku(options, NULL); /* eku extension is optional */ - add_eku(options, &oidAnyExtendedKeyUsage); - if (server) { - add_eku(options, &oidExtendedKeyUsageServerAuth); - add_eku(options, &oidExtendedKeyUsageMicrosoftSGC); - add_eku(options, &oidExtendedKeyUsageNetscapeSGC); - } else { - add_eku(options, &oidExtendedKeyUsageClientAuth); - } + set_ssl_ekus(options, server); - require(result = SecPolicyCreate( - server ? kSecPolicyOIDSSLServer : kSecPolicyOIDSSLClient, + require(result = SecPolicyCreate(kSecPolicyAppleSSL, + server ? 
kSecPolicyNameSSLServer : kSecPolicyNameSSLClient, options), errOut); errOut: CFReleaseSafe(options); - return result; + return (SecPolicyRef _Nonnull)result; +} + +SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName, CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID) { + CFMutableDictionaryRef options = NULL; + CFDictionaryRef keySizes = NULL; + CFNumberRef rsaSize = NULL, ecSize = NULL; + SecPolicyRef result = NULL; + + if (!policyName || !intermediateMarkerOID || !leafMarkerOID) { + goto errOut; + } + + require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), errOut); + + SecPolicyAddBasicX509Options(options); + + /* Anchored to the Apple Roots */ + require(SecPolicyAddAppleAnchorOptions(options, policyName), errOut); + + /* Exactly 3 certs in the chain */ + require(SecPolicyAddChainLengthOptions(options, 3), errOut); + + /* Intermediate marker OID matches input OID */ + if (!isAppleOid(intermediateMarkerOID)) { + secwarning("creating an Apple pinning policy with a non-Apple OID: %@", intermediateMarkerOID); + } + add_element(options, kSecPolicyCheckIntermediateMarkerOid, intermediateMarkerOID); + + /* Leaf marker OID matches input OID */ + if (!isAppleOid(leafMarkerOID)) { + secwarning("creating an Apple pinning policy with a non-Apple OID: %@", leafMarkerOID); + } + add_leaf_marker_string(options, leafMarkerOID); + + /* Check revocation using any available method */ + add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); + + /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. 
*/ + require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut); + require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut); + const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC }; + const void *values[] = { rsaSize, ecSize }; + require(keySizes = CFDictionaryCreate(NULL, keys, values, 2, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); + add_element(options, kSecPolicyCheckKeySize, keySizes); + + require(result = SecPolicyCreate(kSecPolicyAppleGenericApplePinned, + policyName, options), errOut); + +errOut: + CFReleaseSafe(options); + CFReleaseSafe(keySizes); + CFReleaseSafe(rsaSize); + CFReleaseSafe(ecSize); + return result; +} + +static bool +requireUATPinning(CFStringRef service) +{ + bool pinningRequired = true; + + if (SecIsInternalRelease()) { + CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationNoPinning%@"), service); + require(setting, fail); + if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) + pinningRequired = false; + CFRelease(setting); + } +fail: + return pinningRequired; +} + +SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname, + CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID) { + CFMutableDictionaryRef options = NULL; + SecPolicyRef result = NULL; + + if (!policyName || !hostname || !leafMarkerOID) { + goto errOut; + } + + if (requireUATPinning(policyName)) { + if (intermediateMarkerOID) { + require(result = SecPolicyCreateApplePinned(policyName, intermediateMarkerOID, leafMarkerOID), errOut); + } else { + require(result = SecPolicyCreateApplePinned(policyName, CFSTR("1.2.840.113635.100.6.2.12"), leafMarkerOID), errOut); + } + + require_action(options = CFDictionaryCreateMutableCopy(NULL, 0, result->_options), errOut, CFReleaseNull(result)); + + /* ServerAuth EKU is in leaf cert */ + add_eku_string(options, CFSTR("1.3.6.1.5.5.7.3.1")); + + /* Hostname is in leaf cert */ + 
add_element(options, kSecPolicyCheckSSLHostname, hostname); + + /* New leaf marker OID format */ + add_leaf_marker_value_string(options, CFSTR("1.2.840.113635.100.6.48.1"), leafMarkerOID); + + CFReleaseSafe(result->_options); + result->_options = CFRetainSafe(options); + } else { + result = SecPolicyCreateSSL(true, hostname); + } + + SecPolicySetOid(result, kSecPolicyAppleGenericAppleSSLPinned); + +errOut: + CFReleaseSafe(options); + return result; } SecPolicyRef SecPolicyCreateiPhoneActivation(void) { @@ -1305,9 +1840,10 @@ SecPolicyRef SecPolicyCreateiPhoneActivation(void) { CFSTR("Apple iPhone Activation")); require(SecPolicyAddChainLengthOptions(options, 3), errOut); - require(SecPolicyAddAppleAnchorOptions(options), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameiPhoneActivation), errOut); - require(result = SecPolicyCreate(kSecPolicyOIDiPhoneActivation, options), + require(result = SecPolicyCreate(kSecPolicyAppleiPhoneActivation, + kSecPolicyNameiPhoneActivation, options), errOut); errOut: @@ -1338,9 +1874,10 @@ SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void) { CFSTR("Apple iPhone Device CA")); require(SecPolicyAddChainLengthOptions(options, 4), errOut); - require(SecPolicyAddAppleAnchorOptions(options), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameiPhoneDeviceCertificate), errOut); - require(result = SecPolicyCreate(kSecPolicyOIDiPhoneDeviceCertificate, options), + require(result = SecPolicyCreate(kSecPolicyAppleiPhoneDeviceCertificate, + kSecPolicyNameiPhoneDeviceCertificate, options), errOut); errOut: 
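Review bot: When requireUATPinning returns false, SecPolicyCreateAppleSSLPinned returns a plain SecPolicyCreateSSL policy but still stamps it with kSecPolicyAppleGenericAppleSSLPinned, so nothing downstream or in the logs distinguishes a pinned evaluation from the preference-disabled one; add `secwarning("pinning disabled for %@ by preference, falling back to plain SSL policy", policyName);` in that `else` branch. `SecPolicySetOid(result, ...)` is also reached with a NULL `result` if SecPolicyCreateSSL fails; SecPolicySetOid's body is outside this hunk (SecPolicySetName checks for NULL, SetOid may not), so a `require(result, errOut);` before it is the safer order. The intermediate-marker default `1.2.840.113635.100.6.2.12`, the ServerAuth EKU `1.3.6.1.5.5.7.3.1` and the new leaf marker `1.2.840.113635.100.6.48.1` are bare literals; named constants would document what each one is.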
@@ -1368,7 +1905,8 @@ SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void) { is anchored at the factory device certificate issuer. */ require(SecPolicyAddAnchorSHA1Options(options, kFactoryDeviceCASHA1), errOut); - require(result = SecPolicyCreate(kSecPolicyOIDFactoryDeviceCertificate, options), + require(result = SecPolicyCreate(kSecPolicyAppleFactoryDeviceCertificate, + kSecPolicyNameFactoryDeviceCertificate, options), errOut); errOut: @@ -1393,7 +1931,8 @@ SecPolicyRef SecPolicyCreateiAP(void) { date = CFDateCreateForGregorianZuluDay(NULL, 2006, 5, 31); CFDictionaryAddValue(options, kSecPolicyCheckNotValidBefore, date); - require(result = SecPolicyCreate(kSecPolicyOIDiAP, options), + require(result = SecPolicyCreate(kSecPolicyAppleiAP, + kSecPolicyNameiAP, options), errOut); errOut: @@ -1421,7 +1960,8 @@ SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void) { require(SecPolicyAddChainLengthOptions(options, 2), errOut); require(SecPolicyAddAnchorSHA1Options(options, kITMSCASHA1), errOut); - require(result = SecPolicyCreate(kSecPolicyOIDiTunesStoreURLBag, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleiTunesStoreURLBag, + kSecPolicyNameiTunesStoreURLBag, options), errOut); errOut: CFReleaseSafe(options); 
@@ -1444,29 +1984,13 @@ SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef trustedServerNames) { if (trustedServerNames) { CFDictionaryAddValue(options, kSecPolicyCheckEAPTrustedServerNames, trustedServerNames); + } - /* Specifying trusted server names implies EAP-TLS, - so we need to check for EKU per rdar://22206018 */ - - /* If server and EKU ext present then EKU ext should contain one of - ServerAuth or ExtendedKeyUsageAny or NetscapeSGC or MicrosoftSGC. - else if !server and EKU ext present then EKU ext should contain one of - ClientAuth or ExtendedKeyUsageAny. */ - - /* We always allow certificates that specify oidAnyExtendedKeyUsage. */ - add_eku(options, NULL); /* eku extension is optional */ - add_eku(options, &oidAnyExtendedKeyUsage); - if (server) { - add_eku(options, &oidExtendedKeyUsageServerAuth); - add_eku(options, &oidExtendedKeyUsageMicrosoftSGC); - add_eku(options, &oidExtendedKeyUsageNetscapeSGC); - } else { - add_eku(options, &oidExtendedKeyUsageClientAuth); - } - } + /* We need to check for EKU per rdar://22206018 */ + set_ssl_ekus(options, server); - require(result = SecPolicyCreate( - server ? kSecPolicyOIDEAPServer : kSecPolicyOIDEAPClient, + require(result = SecPolicyCreate(kSecPolicyAppleEAP, + server ? kSecPolicyNameEAPServer : kSecPolicyNameEAPClient, options), errOut); errOut: @@ -1502,8 +2026,8 @@ SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef hostname) { //add_eku(options, &oidAnyExtendedKeyUsage); //add_eku(options, &oidExtendedKeyUsageIPSec); - require(result = SecPolicyCreate( - server ? kSecPolicyOIDIPSecServer : kSecPolicyOIDIPSecClient, + require(result = SecPolicyCreate(kSecPolicyAppleIPsec, + server ? kSecPolicyNameIPSecServer : kSecPolicyNameIPSecClient, options), errOut); errOut: 
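Review bot: `set_ssl_ekus(options, server)` now runs for every EAP policy, whereas the removed block registered EKU checks only inside `if (trustedServerNames)` and explicitly tolerated a missing EKU extension through `add_eku(options, NULL)`. Whether set_ssl_ekus keeps that "extension optional" entry is not visible in this hunk; if it does not, EAP peers whose certificates carry no EKU extension are now rejected even when no trusted server names were supplied, which is broader than the rdar comment describes. Suggest recording the intent next to the call, e.g. `/* EKU is checked for all EAP variants, not only EAP-TLS; set_ssl_ekus leaves the extension optional */`, adjusted to what the helper actually does. SecPolicyCreateEAP begins before this hunk.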
@@ -1512,7 +2036,7 @@ errOut: } SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void) { - CFMutableDictionaryRef options = NULL; + CFMutableDictionaryRef options = NULL, appleAnchorOptions = NULL; SecPolicyRef result = NULL; require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, 
@@ -1520,35 +2044,55 @@ SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void) { SecPolicyAddBasicCertOptions(options); - /* Basic X.509 policy with the additional requirements that the chain - length is 3, it's anchored at the AppleCA and the leaf certificate - has issuer "Apple iPhone Certification Authority" and - subject "Apple iPhone OS Application Signing" for the common name. */ - CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, - CFSTR("Apple iPhone Certification Authority")); + appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL); + require(appleAnchorOptions, errOut); + + if (allowTestHierarchyForPolicy(kSecPolicyNameiPhoneApplicationSigning)) { + /* Allow a test hierarchy-signed cert with prod name/OIDs */ + CFDictionarySetValue(appleAnchorOptions, + kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue); + } + + /* Leaf checks */ if (SecIsInternalRelease() && !SecIsProductionFused()) { + /* Allow a prod hierarchy-signed test cert */ CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonNameTEST, CFSTR("Apple iPhone OS Application Signing")); + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.3.1")); + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.6.1")); + + /* or a test hierarchy-signed test cert */ + CFDictionarySetValue(appleAnchorOptions, + kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue); } else { CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonName, CFSTR("Apple iPhone OS Application Signing")); } - - require(SecPolicyAddChainLengthOptions(options, 3), errOut); - require(SecPolicyAddAppleAnchorOptions(options), errOut); + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.3")); + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.6")); add_eku(options, NULL); /* eku extension is optional */ add_eku(options, &oidAnyExtendedKeyUsage); add_eku(options, &oidExtendedKeyUsageCodeSigning); - require(result = 
SecPolicyCreate(kSecPolicyOIDiPhoneApplicationSigning, options), - errOut); + /* Intermediate check */ + CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, + CFSTR("Apple iPhone Certification Authority")); + + /* Chain length check */ + require(SecPolicyAddChainLengthOptions(options, 3), errOut); - /* 1.2.840.113635.100.6.1.3, non-critical: DER:05:00 - application signing */ + /* Anchored to the Apple Roots */ + add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions); + + require(result = SecPolicyCreate(kSecPolicyAppleiPhoneApplicationSigning, + kSecPolicyNameiPhoneApplicationSigning, options), + errOut); errOut: CFReleaseSafe(options); + CFReleaseSafe(appleAnchorOptions); return result; } @@ -1558,11 +2102,12 @@ SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void) { require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); CFDictionaryAddValue(options, kSecPolicyCheckValidLeaf, kCFBooleanFalse); - require(result = SecPolicyCreate(kSecPolicyOIDiPhoneProfileApplicationSigning, - options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleiPhoneProfileApplicationSigning, + kSecPolicyNameiPhoneProfileApplicationSigning, + options), errOut); errOut: CFReleaseSafe(options); 
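Review bot: The four `add_leaf_marker_string` calls carry bare OID literals, and the old comment identifying 1.2.840.113635.100.6.1.3 as the application-signing marker was dropped with the removed lines, so a reader can no longer tell which marker is prod and which is test without an external reference. Suggest one comment per pair, e.g. `/* .6.1.3 / .6.1.6: production app-signing leaf markers; the .1 suffixes are their test counterparts */`, limited to what the surrounding branch shows. It is also worth stating there that on internal, non-production-fused devices both the test and the production markers are registered, which presumably means either is accepted — confirm against add_leaf_marker_string, whose definition is outside this hunk. The function's opening lines are in the previous hunk.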
@@ -1594,9 +2139,10 @@ SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void) { } require(SecPolicyAddChainLengthOptions(options, 3), errOut); - require(SecPolicyAddAppleAnchorOptions(options), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameiPhoneProvisioningProfileSigning), errOut); - require(result = SecPolicyCreate(kSecPolicyOIDiPhoneProvisioningProfileSigning, options), + require(result = SecPolicyCreate(kSecPolicyAppleiPhoneProvisioningProfileSigning, + kSecPolicyNameiPhoneProvisioningProfileSigning, options), errOut); /* 1.2.840.113635.100.6.2.2.1, non-critical: DER:05:00 - provisioning profile */ 
@@ -1620,32 +2166,23 @@ SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void) { require(SecPolicyAddChainLengthOptions(options, 3), errOut); - CFMutableDictionaryRef appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL); - require(appleAnchorOptions, errOut); - add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions); + require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleTVOSApplicationSigning), + errOut); /* Check for intermediate: Apple Worldwide Developer Relations */ /* 1.2.840.113635.100.6.2.1 */ add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleWWDR); - add_eku(options, NULL); /* eku extension is optional */ - add_eku(options, &oidAnyExtendedKeyUsage); - add_eku(options, &oidExtendedKeyUsageCodeSigning); + add_ku(options, kSecKeyUsageDigitalSignature); /* Check for prod or test AppleTV Application Signing OIDs */ /* Prod: 1.2.840.113635.100.6.1.24 */ /* Test: 1.2.840.113635.100.6.1.24.1 */ - atvProdOid = CFDataCreate(kCFAllocatorDefault, oidAppleTVOSApplicationSigningProd.data, oidAppleTVOSApplicationSigningProd.length); - require(atvProdOid, errOut); - atvTestOid = CFDataCreate(kCFAllocatorDefault, oidAppleTVOSApplicationSigningTest.data, oidAppleTVOSApplicationSigningTest.length); - require(atvTestOid, errOut); - - oids = CFArrayCreateForCFTypes(kCFAllocatorDefault, atvProdOid, atvTestOid, NULL); - require(oids, errOut); - - add_element(options, kSecPolicyCheckLeafMarkerOid, oids); + add_leaf_marker(options, &oidAppleTVOSApplicationSigningProd); + add_leaf_marker(options, &oidAppleTVOSApplicationSigningTest); - require(result = SecPolicyCreate(kSecPolicyOIDAppleTVOSApplicationSigning, options), + require(result = SecPolicyCreate(kSecPolicyAppleTVOSApplicationSigning, + kSecPolicyNameAppleTVOSApplicationSigning, options), errOut); errOut: 
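Review bot: Replacing the three `add_eku` calls with `add_ku(options, kSecKeyUsageDigitalSignature)` removes the code-signing EKU requirement for tvOS application-signing leaves rather than adding to it, and nothing in the hunk says why. If tvOS signing certificates legitimately carry no EKU extension, say so where the key-usage check is added, e.g. `/* tvOS app-signing leaves have no EKU; rely on KU digitalSignature plus the leaf marker OIDs */`; otherwise keep `add_eku(options, &oidExtendedKeyUsageCodeSigning);` alongside the KU check. Separately, `require_quiet` is used for the anchor-options call here while every sibling policy in this file uses `require` for the same call, so the suppressed logging looks unintentional.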
@@ -1668,7 +2205,8 @@ SecPolicyRef SecPolicyCreateOCSPSigner(void) { /* Require id-kp-OCSPSigning extendedKeyUsage to be present, not optional. */ add_eku(options, &oidExtendedKeyUsageOCSPSigning); - require(result = SecPolicyCreate(kSecPolicyOIDOCSPSigner, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleOCSPSigner, + kSecPolicyNameOCSPSigner, options), errOut); errOut: CFReleaseSafe(options); @@ -1679,18 +2217,19 @@ SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags) { CFMutableDictionaryRef options = NULL; SecPolicyRef result = NULL; - require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + require(revocationFlags != 0, errOut); + + require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); - /* false = ocsp, true = crl, string/url value = crl distribution point, - array = list of multiple values for example false, true, url1, url2 - check ocsp, crl, and url1 and url2 for certs which have no extensions. - */ - if (revocationFlags & kSecRevocationOCSPMethod) { - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + if (revocationFlags & kSecRevocationOCSPMethod && revocationFlags & kSecRevocationCRLMethod) { + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); + } + else if (revocationFlags & kSecRevocationOCSPMethod) { + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); } else if (revocationFlags & kSecRevocationCRLMethod) { - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationCRL); } if (revocationFlags & kSecRevocationRequirePositiveResponse) { 
@@ -1699,12 +2238,20 @@ SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags) { if (revocationFlags & kSecRevocationNetworkAccessDisabled) { CFDictionaryAddValue(options, kSecPolicyCheckNoNetworkAccess, kCFBooleanTrue); - } + } else { + /* If the caller didn't explicitly disable network access, the revocation policy + * should override any other policy's network setting. + * In particular, pairing a revocation policy with BasicX509 should result in + * allowing network access for revocation unless explicitly disabled. + * Note that SecTrustSetNetworkFetchAllowed can override even this. */ + CFDictionaryAddValue(options, kSecPolicyCheckNoNetworkAccess, kCFBooleanFalse); + } /* Only flag bits 0-4 are currently defined */ require(((revocationFlags >> 5) == 0), errOut); - require(result = SecPolicyCreate(kSecPolicyOIDRevocation, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleRevocation, + kSecPolicyNameRevocation, options), errOut); errOut: CFReleaseSafe(options); @@ -1759,7 +2306,12 @@ SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef email) { add_eku(options, &oidAnyExtendedKeyUsage); add_eku(options, &oidExtendedKeyUsageEmailProtection); - require(result = SecPolicyCreate(kSecPolicyOIDSMIME, options), errOut); +#if !TARGET_OS_IPHONE + // Check revocation on OS X + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); +#endif + + require(result = SecPolicyCreate(kSecPolicyAppleSMIME, kSecPolicyNameSMIME, options), errOut); errOut: CFReleaseSafe(options); 
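Review bot: The method dispatch in SecPolicyCreateRevocation still adds no kSecPolicyCheckRevocation value when neither the OCSP nor the CRL bit is set, so flags that pass the new `require(revocationFlags != 0, errOut)` guard but only carry, say, the positive-response or network bit yield a revocation policy that names no method. Either treat that as an error (`require(revocationFlags & (kSecRevocationOCSPMethod | kSecRevocationCRLMethod), errOut);`) or document that such a policy is intentionally inert. The combined condition also reads more clearly with explicit grouping: `if ((revocationFlags & kSecRevocationOCSPMethod) && (revocationFlags & kSecRevocationCRLMethod))`. The function continues into the next hunk.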
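Review bot: The `require(((revocationFlags >> 5) == 0), errOut)` validation sits after the options dictionary has been allocated and populated, while the companion `revocationFlags != 0` check was placed at the top of the function in the previous hunk; keeping both next to each other before any allocation rejects bad flags before any work is done and keeps the flag contract in one place. The new `kSecPolicyCheckNoNetworkAccess = kCFBooleanFalse` branch is a deliberate override of other policies' network setting and the comment explains it well; the same comment could name which policy wins when two revocation policies disagree, if that is defined. SecPolicyCreateRevocation begins in the previous hunk.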
@@ -1773,13 +2325,16 @@ SecPolicyRef SecPolicyCreateApplePackageSigning(void) { require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); - // TBD: review OS X policy to see what options are needed for this policy SecPolicyAddBasicCertOptions(options); require(SecPolicyAddChainLengthOptions(options, 3), errOut); - require(SecPolicyAddAppleAnchorOptions(options), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNamePackageSigning), errOut); + + add_ku(options, kSecKeyUsageDigitalSignature); + add_eku(options, &oidExtendedKeyUsageCodeSigning); - require(result = SecPolicyCreate(kSecPolicyOIDPackageSigning, options), + require(result = SecPolicyCreate(kSecPolicyApplePackageSigning, + kSecPolicyNamePackageSigning, options), errOut); errOut: 
@@ -1802,17 +2357,17 @@ SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void) { require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); - // TBD: review OS X policy to see what options are needed for this policy - SecPolicyAddBasicCertOptions(options); + SecPolicyAddBasicX509Options(options); - require(SecPolicyAddChainLengthOptions(options, 3), errOut); - require(SecPolicyAddAppleAnchorOptions(options), errOut); + require(SecPolicyAddChainLengthOptions(options, 3), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSWUpdateSigning), errOut); - add_eku(options, &oidAppleExtendedKeyUsageCodeSigning); - add_eku(options, &oidAppleExtendedKeyUsageCodeSigningDev); + add_eku(options, &oidAppleExtendedKeyUsageCodeSigning); + add_oid(options, kSecPolicyCheckIntermediateEKU, &oidAppleExtendedKeyUsageCodeSigning); - require(result = SecPolicyCreate(kSecPolicyOIDAppleSWUpdateSigning, options), - errOut); + require(result = SecPolicyCreate(kSecPolicyAppleSWUpdateSigning, + kSecPolicyNameAppleSWUpdateSigning, options), + errOut); errOut: CFReleaseSafe(options); 
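Review bot: The `oidAppleExtendedKeyUsageCodeSigningDev` EKU is dropped from SecPolicyCreateAppleSWUpdateSigning and the base checks change from SecPolicyAddBasicCertOptions to SecPolicyAddBasicX509Options, both of which tighten what validates, but neither change carries a comment. A one-line note above the EKU calls, e.g. `/* Dev code-signing EKU no longer accepted; production EKU required on leaf and intermediate */`, would keep the next maintainer from re-adding it as an apparent omission. Whether the switch to X.509 basic options also enables validity-period checks is not visible here and is worth confirming against the helper.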
@@ -1827,29 +2382,25 @@ SecPolicyRef SecPolicyCreateCodeSigning(void) { require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); -#if SECTRUST_OSX -#warning STU: <rdar://21328880> -//%%% figure out why this policy is not passing for OS X. -// I suspect it has to do with iOS not supporting anchor and keychain options yet. - SecPolicyAddBasicCertOptions(options); -#else - SecPolicyAddBasicX509Options(options); - - /* If the key usage extension is present we accept it having either of - these values. */ - add_ku(options, kSecKeyUsageDigitalSignature); - add_ku(options, kSecKeyUsageNonRepudiation); + SecPolicyAddBasicX509Options(options); - /* We require a extended key usage extension and we accept any or - codesigning ekus. */ - /* TODO: Do we want to accept the apple codesigning oid as well or is - that a separate policy? */ - /* ANSWER: it's a separate policy, SecPolicyCreateAppleSWUpdateSigning */ - add_eku(options, &oidAnyExtendedKeyUsage); - add_eku(options, &oidExtendedKeyUsageCodeSigning); + /* If the key usage extension is present, we accept it having either of + these values. */ + add_ku(options, kSecKeyUsageDigitalSignature); + add_ku(options, kSecKeyUsageNonRepudiation); + + /* We require an extended key usage extension with the codesigning + eku purpose. (The Apple codesigning eku is not accepted here + since it's valid only for SecPolicyCreateAppleSWUpdateSigning.) */ + add_eku(options, &oidExtendedKeyUsageCodeSigning); +#if TARGET_OS_IPHONE + /* Accept the 'any' eku on iOS only to match prior behavior. + This may be further restricted in future releases. */ + add_eku(options, &oidAnyExtendedKeyUsage); #endif - require(result = SecPolicyCreate(kSecPolicyOIDCodeSigning, options), + require(result = SecPolicyCreate(kSecPolicyAppleCodeSigning, + kSecPolicyNameCodeSigning, options), errOut); errOut: 
@@ -1865,17 +2416,21 @@ SecPolicyRef SecPolicyCreateLockdownPairing(void) { require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); //CFDictionaryAddValue(options, kSecPolicyCheckBasicCertificateProcessing, - // kCFBooleanTrue); + // kCFBooleanTrue); // Happens automatically in SecPVCPathChecks CFDictionaryAddValue(options, kSecPolicyCheckCriticalExtensions, kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckIdLinkage, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckBasicContraints, + CFDictionaryAddValue(options, kSecPolicyCheckBasicConstraints, kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckQualifiedCertStatements, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckWeakIntermediates, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckWeakLeaf, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckWeakRoot, kCFBooleanTrue); - require(result = SecPolicyCreate(kSecPolicyOIDLockdownPairing, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleLockdownPairing, + kSecPolicyNameLockdownPairing, options), errOut); errOut: CFReleaseSafe(options); @@ -1893,14 +2448,15 @@ SecPolicyRef SecPolicyCreateURLBag(void) { add_eku(options, &oidExtendedKeyUsageCodeSigning); - require(result = SecPolicyCreate(kSecPolicyOIDURLBag, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleURLBag, + kSecPolicyNameURLBag, options), errOut); errOut: CFReleaseSafe(options); return result; } -static bool SecPolicyAddAppleCertificationAuthorityOptions(CFMutableDictionaryRef options, bool honorValidity) +static bool SecPolicyAddAppleCertificationAuthorityOptions(CFMutableDictionaryRef options, bool honorValidity, CFStringRef policyName) { bool success = false; 
@@ -1923,7 +2479,7 @@ static bool SecPolicyAddAppleCertificationAuthorityOptions(CFMutableDictionaryRe CFSTR("Apple iPhone Certification Authority")); require(SecPolicyAddChainLengthOptions(options, 3), errOut); - require(SecPolicyAddAppleAnchorOptions(options), errOut); + require(SecPolicyAddAppleAnchorOptions(options, policyName), errOut); success = true; @@ -1931,7 +2487,8 @@ errOut: return success; } -static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef policyOID, CFStringRef leafName, bool honorValidity) +static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef policyOID, CFStringRef policyName, + CFStringRef leafName, bool honorValidity) { CFMutableDictionaryRef options = NULL; SecPolicyRef result = NULL; @@ -1939,11 +2496,11 @@ static SecPolicyRef SecPolicyCreateAppleCertificationAuthorityPolicy(CFStringRef require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); - require(SecPolicyAddAppleCertificationAuthorityOptions(options, honorValidity), errOut); + require(SecPolicyAddAppleCertificationAuthorityOptions(options, honorValidity, policyName), errOut); CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonName, leafName); - require(result = SecPolicyCreate(policyOID, options), + require(result = SecPolicyCreate(policyOID, policyName, options), errOut); errOut: 
@@ -1954,12 +2511,16 @@ errOut: SecPolicyRef SecPolicyCreateOTATasking(void) { - return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDOTATasking, CFSTR("OTA Task Signing"), true); + return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyAppleOTATasking, + kSecPolicyNameOTATasking, + CFSTR("OTA Task Signing"), true); } SecPolicyRef SecPolicyCreateMobileAsset(void) { - return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyOIDMobileAsset, CFSTR("Asset Manifest Signing"), false); + return SecPolicyCreateAppleCertificationAuthorityPolicy(kSecPolicyAppleMobileAsset, + kSecPolicyNameMobileAsset, + CFSTR("Asset Manifest Signing"), false); } SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void) @@ -1974,7 +2535,7 @@ SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void) SecPolicyAddBasicX509Options(options); // Apple CA anchored - require(SecPolicyAddAppleAnchorOptions(options), out); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleIDAuthority), out); // with the addition of the existence check of an extension with "Apple ID Sharing Certificate" oid (1.2.840.113635.100.4.7) // NOTE: this obviously intended to have gone into Extended Key Usage, but evidence of existing certs proves the contrary. @@ -1984,7 +2545,8 @@ SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void) add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleID); add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleID2); - require(result = SecPolicyCreate(kSecPolicyOIDAppleIDAuthority, options), out); + require(result = SecPolicyCreate(kSecPolicyAppleIDAuthority, + kSecPolicyNameAppleIDAuthority, options), out); out: CFReleaseSafe(options); 
@@ -2002,12 +2564,25 @@ SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void) SecPolicyAddBasicX509Options(options); // Apple CA anchored - require(SecPolicyAddAppleAnchorOptions(options), out); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameMacAppStoreReceipt), out); + + // Chain length of 3 + require(SecPolicyAddChainLengthOptions(options, 3), out); + + // MacAppStoreReceipt policy OID + add_certificate_policy_oid_string(options, CFSTR("1.2.840.113635.100.5.6.1")); + + // Intermediate marker OID + add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.1")); + + // Leaf marker OID + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.11.1")); - // - leaf needs certificatePolicies with CSSMOID_MACAPPSTORE_RECEIPT_CERT_POLICY - // - chain length must be 3 + // Check revocation + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); - require(result = SecPolicyCreate(kSecPolicyOIDMacAppStoreReceipt, options), out); + require(result = SecPolicyCreate(kSecPolicyMacAppStoreReceipt, + kSecPolicyNameMacAppStoreReceipt, options), out); out: CFReleaseSafe(options); @@ -2024,7 +2599,10 @@ static SecPolicyRef _SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer, C &kCFTypeDictionaryValueCallBacks), out); SecPolicyAddBasicX509Options(options); - SecPolicyAddAppleAnchorOptions(options); + SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameApplePassbook); + + // Chain length of 3 + require(SecPolicyAddChainLengthOptions(options, 3), out); if (teamIdentifier) { // If supplied, teamIdentifier must match subject OU field 
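Review bot: `SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameApplePassbook);` discards its boolean result, while the new `require(SecPolicyAddChainLengthOptions(options, 3), out);` on the very next line checks its sibling, and every other policy in this file wraps the anchor call in `require`. On failure the policy would be created without any Apple-anchor constraint. Change it to `require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameApplePassbook), out);`. _SecPolicyCreatePassbookCardSigner continues beyond this hunk.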
@@ -2041,10 +2619,14 @@ static SecPolicyRef _SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer, C // We should check that it also has push marker, but we don't support requiring both, only either. // add_independent_oid(options, kSecPolicyCheckLeafMarkerOid, &oidApplePushServiceClient); + //WWDR Intermediate marker OID + add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.1")); + // And Passbook signing eku add_eku(options, &oidAppleExtendedKeyUsagePassbook); - require(result = SecPolicyCreate(kSecPolicyOIDApplePassbook, options), out); + require(result = SecPolicyCreate(kSecPolicyApplePassbookSigning, + kSecPolicyNameApplePassbook, options), out); out: CFReleaseSafe(options); @@ -2066,7 +2648,9 @@ static SecPolicyRef CreateMobileStoreSigner(Boolean forTest) &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicX509Options(options); - SecPolicyAddAppleAnchorOptions(options); + SecPolicyAddAppleAnchorOptions(options, + ((forTest) ? kSecPolicyNameAppleTestMobileStore : + kSecPolicyNameAppleMobileStore)); require(SecPolicyAddChainLengthOptions(options, 3), errOut); @@ -2077,9 +2661,11 @@ static SecPolicyRef CreateMobileStoreSigner(Boolean forTest) const DERItem* pOID = (forTest) ? &oidApplePolicyTestMobileStore : &oidApplePolicyMobileStore; - add_certificate_policy_oid(options, pOID, NULL); + add_certificate_policy_oid(options, pOID); - require(result = SecPolicyCreate(kSecPolicyOIDAppleMobileStore, options), errOut); + require(result = SecPolicyCreate((forTest) ? kSecPolicyAppleTestMobileStore : kSecPolicyAppleMobileStore, + (forTest) ? kSecPolicyNameAppleTestMobileStore : kSecPolicyNameAppleMobileStore, + options), errOut); errOut: CFReleaseSafe(options); 
@@ -2088,14 +2674,12 @@ errOut: SecPolicyRef SecPolicyCreateMobileStoreSigner(void) { - return CreateMobileStoreSigner(false); } SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void) { - - return CreateMobileStoreSigner(true); + return CreateMobileStoreSigner(true); } @@ -2153,7 +2737,8 @@ CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateEscrowServiceSigner(void) } - require(result = SecPolicyCreate(kSecPolicyOIDAppleEscrowService, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleEscrowService, + kSecPolicyNameAppleEscrowService, options), errOut); errOut: CFReleaseSafe(anArray); 
@@ -2213,61 +2798,57 @@ CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void) } - require(result = SecPolicyCreate(kSecPolicyOIDApplePCSEscrowService, options), errOut); + require(result = SecPolicyCreate(kSecPolicyApplePCSEscrowService, + kSecPolicyNameApplePCSEscrowService, options), errOut); errOut: CFReleaseSafe(anArray); CFReleaseSafe(options); return result; } -SecCertificateRef SecPolicyCopyEscrowRootCertificate(void) -{ - SecCertificateRef result = NULL; - - return result; -} -SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void) -{ - SecPolicyRef result = NULL; - CFMutableDictionaryRef options = NULL; - require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, +static SecPolicyRef CreateConfigurationProfileSigner(bool forTest) { + SecPolicyRef result = NULL; + CFMutableDictionaryRef options = NULL; + require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut); - SecPolicyAddBasicX509Options(options); - SecPolicyAddAppleAnchorOptions(options); + SecPolicyAddBasicX509Options(options); + SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleProfileSigner); + + //Chain length 3 + require(SecPolicyAddChainLengthOptions(options, 3), errOut); + + // Require the profile signing EKU + const DERItem* pOID = (forTest) ? &oidAppleExtendedKeyUsageQAProfileSigning :&oidAppleExtendedKeyUsageProfileSigning; + add_eku(options, pOID); - // Require the profile signing EKU - add_eku(options, &oidAppleExtendedKeyUsageProfileSigning); + // Require the Apple Application Integration CA marker OID + add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.3")); - require(result = SecPolicyCreate(kSecPolicyOIDAppleProfileSigner, options), errOut); + require(result = SecPolicyCreate((forTest) ? kSecPolicyAppleQAProfileSigner: kSecPolicyAppleProfileSigner, + (forTest) ? 
kSecPolicyNameAppleQAProfileSigner : kSecPolicyNameAppleProfileSigner, + options), errOut); errOut: - CFReleaseSafe(options); - return result; + CFReleaseSafe(options); + return result; } - -SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void) +SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void) { - SecPolicyRef result = NULL; - CFMutableDictionaryRef options = NULL; - require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks), errOut); - - SecPolicyAddBasicX509Options(options); - SecPolicyAddAppleAnchorOptions(options); - - // Require the QA profile signing EKU - add_eku(options, &oidAppleExtendedKeyUsageQAProfileSigning); + return CreateConfigurationProfileSigner(false); +} - require(result = SecPolicyCreate(kSecPolicyOIDAppleQAProfileSigner, options), errOut); -errOut: - CFReleaseSafe(options); - return result; +SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void) +{ + if (SecIsInternalRelease()) { + return CreateConfigurationProfileSigner(true); + } else { + return CreateConfigurationProfileSigner(false); + } } SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void) @@ -2279,7 +2860,7 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void) &kCFTypeDictionaryValueCallBacks), errOut); // Require valid chain from the Apple root SecPolicyAddBasicX509Options(options); - SecPolicyAddAppleAnchorOptions(options); + SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleOSXProvisioningProfileSigning); // Require provisioning profile leaf marker OID (1.2.840.113635.100.4.11) add_leaf_marker(options, &oidAppleCertExtOSXProvisioningProfileSigning); 
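Review bot: In CreateConfigurationProfileSigner the anchor options are always registered under `kSecPolicyNameAppleProfileSigner`, even when `forTest` is true, while the SecPolicyCreate call a few lines later selects `kSecPolicyNameAppleQAProfileSigner` for that case and CreateMobileStoreSigner passes the forTest-dependent name to the same helper. If the policy name drives per-policy anchor behavior (the `policyName` parameter added to SecPolicyAddAppleAnchorOptions elsewhere in this diff suggests it does), the QA variant is being looked up under the production name. The return value is also unchecked; suggest `require(SecPolicyAddAppleAnchorOptions(options, forTest ? kSecPolicyNameAppleQAProfileSigner : kSecPolicyNameAppleProfileSigner), errOut);`. This hunk begins on the previous line.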
@@ -2291,9 +2872,10 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void) add_ku(options, kSecKeyUsageDigitalSignature); // Ensure that revocation is checked (OCSP) - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); - require(result = SecPolicyCreate(kSecPolicyOIDAppleOSXProvisioningProfileSigning, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleOSXProvisioningProfileSigning, + kSecPolicyNameAppleOSXProvisioningProfileSigning, options), errOut); errOut: CFReleaseSafe(options); @@ -2313,7 +2895,8 @@ SecPolicyRef SecPolicyCreateOTAPKISigner(void) SecPolicyAddAnchorSHA1Options(options, kApplePKISettingsAuthority); require(SecPolicyAddChainLengthOptions(options, 2), errOut); - require(result = SecPolicyCreate(kSecPolicyOIDAppleOTAPKIAssetSigner, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleOTAPKISigner, + kSecPolicyNameAppleOTAPKIAssetSigner, options), errOut); errOut: CFReleaseSafe(options); @@ -2324,6 +2907,11 @@ errOut: SecPolicyRef SecPolicyCreateTestOTAPKISigner(void) { + /* Guard against use on production devices */ + if (!SecIsInternalRelease()) { + return SecPolicyCreateOTAPKISigner(); + } + SecPolicyRef result = NULL; CFMutableDictionaryRef options = NULL; require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, @@ -2334,7 +2922,8 @@ SecPolicyRef SecPolicyCreateTestOTAPKISigner(void) SecPolicyAddAnchorSHA1Options(options, kAppleTestPKISettingsAuthority); require(SecPolicyAddChainLengthOptions(options, 2), errOut); - require(result = SecPolicyCreate(kSecPolicyOIDAppleTestOTAPKIAssetSigner, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleTestOTAPKISigner, + kSecPolicyNameAppleTestOTAPKIAssetSigner, options), errOut); errOut: CFReleaseSafe(options); 
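Review bot: The new guard in SecPolicyCreateTestOTAPKISigner returns the production signer policy with no signal to the caller, so code that inspects the returned policy's OID or name against kSecPolicyAppleTestOTAPKISigner on a non-internal device gets a different policy than it asked for. That is a fail-closed choice and likely correct, but it should be documented on the function, e.g. `/* On non-internal builds the test PKI anchor is never honored; callers transparently receive the production signer policy */`. Note also that this gate is `SecIsInternalRelease()` alone, whereas SecPolicyCreateiPhoneApplicationSigning additionally requires `!SecIsProductionFused()` for its test path; if the difference is deliberate, a comment saying why would help.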
@@ -2358,7 +2947,8 @@ SecPolicyRef SecPolicyCreateAppleSMPEncryption(void) &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicCertOptions(options); - SecPolicyAddAnchorSHA1Options(options, kAppleRootCA_ECC_SHA1); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSMPEncryption), + errOut); require(SecPolicyAddChainLengthOptions(options, 3), errOut); CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, @@ -2373,9 +2963,10 @@ SecPolicyRef SecPolicyCreateAppleSMPEncryption(void) add_ku(options, kSecKeyUsageKeyEncipherment); // Ensure that revocation is checked (OCSP) - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); - require(result = SecPolicyCreate(kSecPolicyAppleSMPEncryption, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleSMPEncryption, + kSecPolicyNameAppleSMPEncryption, options), errOut); errOut: CFReleaseSafe(options); @@ -2406,9 +2997,10 @@ SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void) add_ku(options, kSecKeyUsageKeyEncipherment); // Ensure that revocation is checked (OCSP) - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); - require(result = SecPolicyCreate(kSecPolicyAppleTestSMPEncryption, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleTestSMPEncryption, + kSecPolicyNameAppleTestSMPEncryption, options), errOut); errOut: CFReleaseSafe(options); 
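Review bot: SecPolicyCreateAppleSMPEncryption moves from a single pinned anchor (`SecPolicyAddAnchorSHA1Options(options, kAppleRootCA_ECC_SHA1)`, whose name suggests the Apple ECC root) to `SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSMPEncryption)`, which accepts whatever the Apple anchor set resolves to for this policy name. The issuer-CN check that follows still constrains the intermediate, but the root is no longer pinned, and per the comment later in this diff the Apple anchor set can include test roots on internal devices. Record that the pin was intentionally relaxed, e.g. `/* Anchor widened from the ECC root pin to the Apple root set; intermediate CN check remains */`, and confirm the resolved set is what SMP expects.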
@@ -2428,7 +3020,9 @@ SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void) SecPolicyAddBasicX509Options(options); // Apple CA anchored - require(SecPolicyAddAppleAnchorOptions(options), errOut); + require(SecPolicyAddAppleAnchorOptions(options, + kSecPolicyNameAppleIDValidationRecordSigningPolicy), + errOut); // Check for an extension with " Apple ID Validation Record Signing" oid (1.2.840.113635.100.6.25) add_leaf_marker(options, &oidAppleCertExtensionAppleIDRecordValidationSigning); @@ -2441,9 +3035,10 @@ SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void) add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleSystemIntg2); // Ensure that revocation is checked (OCSP) - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); - require(result = SecPolicyCreate(kSecPolicyOIDAppleIDValidationRecordSigningPolicy, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleIDValidationRecordSigning, + kSecPolicyNameAppleIDValidationRecordSigningPolicy, options), errOut); errOut: CFReleaseSafe(options); @@ -2476,22 +3071,6 @@ fail: return UATAllowed; } -static bool -requirePinning(bool allowNonProd, CFStringRef service) -{ - bool pinningRequired = true; - - if (SecIsInternalRelease() || allowNonProd) { - CFStringRef setting = CFStringCreateWithFormat(NULL, NULL, CFSTR("AppleServerAuthenticationNoPinning%@"), service); - require(setting, fail); - if (CFPreferencesGetAppBooleanValue(setting, CFSTR("com.apple.Security"), NULL)) - pinningRequired = false; - CFRelease(setting); - } -fail: - return pinningRequired; -} - /*! @function SecPolicyCreateAppleServerAuthCommon @abstract Generic policy for server authentication Sub CAs 
@@ -2509,7 +3088,7 @@ fail: static SecPolicyRef SecPolicyCreateAppleServerAuthCommon(CFStringRef hostname, CFDictionaryRef __unused context, - CFStringRef service, bool allowNonProd, + CFStringRef policyOID, CFStringRef service, bool allowNonProd, const DERItem *leafMarkerOID, const DERItem *UATLeafMarkerOID) { @@ -2523,6 +3102,7 @@ SecPolicyCreateAppleServerAuthCommon(CFStringRef hostname, SecPolicyAddBasicX509Options(options); + require(hostname, errOut); CFDictionaryAddValue(options, kSecPolicyCheckSSLHostname, hostname); CFDictionaryAddValue(options, kSecPolicyCheckBlackListedLeaf, kCFBooleanTrue); @@ -2530,7 +3110,7 @@ SecPolicyCreateAppleServerAuthCommon(CFStringRef hostname, add_eku(options, &oidExtendedKeyUsageServerAuth); - if (requirePinning(allowNonProd, service)) { + if (requireUATPinning(service)) { bool allowUAT = allowUATRoot(allowNonProd, service, context); /* @@ -2541,13 +3121,10 @@ SecPolicyCreateAppleServerAuthCommon(CFStringRef hostname, appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL); require(appleAnchorOptions, errOut); - if (allowUAT) { + if (allowUAT || allowTestHierarchyForPolicy(service)) { + /* Note: SecPolicyServer won't allow the test roots for non-internal devices */ CFDictionarySetValue(appleAnchorOptions, kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue); - if (allowNonProd) { - CFDictionarySetValue(appleAnchorOptions, - kSecPolicyAppleAnchorAllowTestRootsOnProduction, kCFBooleanTrue); - } } add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions); 
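Review bot: The new condition `if (allowUAT || allowTestHierarchyForPolicy(service))` turns on `kSecPolicyAppleAnchorIncludeTestRoots` on the strength of the comment that "SecPolicyServer won't allow the test roots for non-internal devices", i.e. a check in another component, whereas SecPolicyCreateAppleUniqueDeviceCertificate in this same patch gates its alternate root locally on `SecIsInternalRelease() && !SecIsProductionFused()`. Unless `allowTestHierarchyForPolicy` already performs that build check (its definition is not in this patch), gating here too would keep the policy fail-closed if the server-side check ever regresses: `if (allowUAT || (SecIsInternalRelease() && allowTestHierarchyForPolicy(service)))`. The added `require(hostname, errOut);` is a good hardening, since `CFDictionaryAddValue` on a CFType-callback dictionary would most likely crash on a NULL value; SecPolicyCreateAppleServerAuthCommon continues past this hunk.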
@@ -2557,30 +3134,35 @@ SecPolicyCreateAppleServerAuthCommon(CFStringRef hostname, * as some variants of the UAT environment uses that instead * of the test Apple CA's. */ + add_leaf_marker(options, leafMarkerOID); + if (allowUAT && UATLeafMarkerOID) { + add_leaf_marker(options, UATLeafMarkerOID); + } - if (allowUAT) { - oid = CFDataCreate(kCFAllocatorDefault, leafMarkerOID->data, leafMarkerOID->length); - require(oid, errOut); - - uatoid = CFDataCreate(kCFAllocatorDefault, UATLeafMarkerOID->data, UATLeafMarkerOID->length); - require(oid, errOut); + /* new-style leaf marker OIDs */ + CFStringRef leafMarkerOIDStr = NULL, UATLeafMarkerOIDStr = NULL; + leafMarkerOIDStr = SecDERItemCopyOIDDecimalRepresentation(NULL, leafMarkerOID); + if (UATLeafMarkerOID) { + UATLeafMarkerOIDStr = SecDERItemCopyOIDDecimalRepresentation(NULL, UATLeafMarkerOID); + } - CFArrayRef array = CFArrayCreateForCFTypes(NULL, oid, uatoid, NULL); - require(array, errOut); + if (leafMarkerOIDStr) { + add_leaf_marker_value_string(options, CFSTR("1.2.840.113635.100.6.48.1"), leafMarkerOIDStr); + } + if (allowUAT && UATLeafMarkerOIDStr) { + add_leaf_marker_value_string(options, CFSTR("1.2.840.113635.100.6.48.1"), UATLeafMarkerOIDStr); + } - add_element(options, kSecPolicyCheckLeafMarkerOid, array); - CFReleaseSafe(array); - } else { - add_leaf_marker(options, leafMarkerOID); + CFReleaseNull(leafMarkerOIDStr); + CFReleaseNull(UATLeafMarkerOIDStr); - } add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleServerAuthentication); } - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); - result = SecPolicyCreate(kSecPolicyOIDSSLServer, options); + result = SecPolicyCreate(policyOID, service, options); require(result, errOut); errOut: 
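Review bot: When `SecDERItemCopyOIDDecimalRepresentation` returns NULL, the `if (leafMarkerOIDStr)` guard simply omits the new-style (`1.2.840.113635.100.6.48.1`) marker entry, so an allocation failure produces a policy whose marker checks silently differ from the intended ones. Treating that as a policy-creation failure, consistent with the `require(...)` style used elsewhere in the function, is safer: `require(leafMarkerOIDStr, errOut);` immediately after it is copied (the UAT string would need `require_action` with a `CFReleaseNull(leafMarkerOIDStr)` on failure to avoid a leak). Whether the evaluator ORs or ANDs the old-style and new-style leaf-marker entries is not visible here; a one-line comment above `/* new-style leaf marker OIDs */` stating which would help, since it decides whether a certificate carrying only one format passes. The `1.2.840.113635.100.6.48.1` literal is repeated four times between this function and SecPolicyCreateAppleGeoTrustServerAuthCommon; a single named `#define` would keep them from drifting.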
@@ -2591,21 +3173,18 @@ errOut: return result; } - - /*! @function SecPolicyCreateAppleIDSService @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions) */ SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname) { -#if 1 - return SecPolicyCreateSSL(true, hostname); -#else - return SecPolicyCreateAppleServerAuthCommon(hostname, NULL, CFSTR("IDS"), false, - &oidAppleCertExtAppleServerAuthenticationIDSProd, - &oidAppleCertExtAppleServerAuthenticationIDSTest); -#endif + SecPolicyRef result = SecPolicyCreateSSL(true, hostname); + + SecPolicySetOid(result, kSecPolicyAppleIDSService); + SecPolicySetName(result, kSecPolicyNameAppleIDSServiceContext); + + return result; } /*! @@ -2614,7 +3193,8 @@ SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname) */ SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef context) { - return SecPolicyCreateAppleServerAuthCommon(hostname, context, CFSTR("IDS"), false, + return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyAppleIDSServiceContext, + kSecPolicyNameAppleIDSServiceContext, false, &oidAppleCertExtAppleServerAuthenticationIDSProd, &oidAppleCertExtAppleServerAuthenticationIDSTest); } @@ -2625,7 +3205,8 @@ SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDicti */ SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef context) { - return SecPolicyCreateAppleServerAuthCommon(hostname, context, CFSTR("GS"), false, + return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyAppleGSService, + kSecPolicyNameAppleGSService, false, &oidAppleCertExtAppleServerAuthenticationGS, NULL); } 
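Review bot: `SecPolicySetOid(result, ...)` and `SecPolicySetName(result, ...)` in SecPolicyCreateAppleIDSService are called on the value returned by `SecPolicyCreateSSL` without a NULL check, so a failed creation dereferences NULL unless those setters tolerate it (their bodies are not in this patch); `if (result) { SecPolicySetOid(result, kSecPolicyAppleIDSService); SecPolicySetName(result, kSecPolicyNameAppleIDSServiceContext); }` costs nothing. Separately, the `@abstract` above still promises "appropriately pinned to the IDS service (SSL + Apple restrictions)", but the new body is a plain `SecPolicyCreateSSL(true, hostname)` with no Apple anchor or marker checks, and the `#if 1` that documented this as a temporary choice is gone. The comment should state that this variant is hostname-only and that pinning is provided by SecPolicyCreateAppleIDSServiceContext, so a caller does not assume it pins.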
@@ -2636,7 +3217,8 @@ SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef
 */
 SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef context)
 {
- return SecPolicyCreateAppleServerAuthCommon(hostname, context, CFSTR("APN"), false,
+ return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyApplePushService,
+ kSecPolicyNameApplePushService, false,
 &oidAppleCertExtAppleServerAuthenticationAPNProd,
 &oidAppleCertExtAppleServerAuthenticationAPNTest);
 }
@@ -2647,7 +3229,8 @@ SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryR
 */
 SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef context)
 {
- return SecPolicyCreateAppleServerAuthCommon(hostname, context, CFSTR("PPQ"), false,
+ return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyApplePPQService,
+ kSecPolicyNameApplePPQService, false,
 &oidAppleCertExtAppleServerAuthenticationPPQProd ,
 &oidAppleCertExtAppleServerAuthenticationPPQTest);
 }
@@ -2658,11 +3241,110 @@ SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRe */ SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef context) { - return SecPolicyCreateAppleServerAuthCommon(hostname, context, CFSTR("AST2"), true, + return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyAppleAST2DiagnosticsServerAuth, + kSecPolicyNameAppleAST2Service, true, &oidAppleCertExtAST2DiagnosticsServerAuthProd, &oidAppleCertExtAST2DiagnosticsServerAuthTest); } +/*! + @function SecPolicyCreateAppleEscrowProxyService + @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service (SSL + Apple restrictions) + */ +SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef context) +{ + return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyAppleEscrowProxyServerAuth, + kSecPolicyNameAppleEscrowProxyService, false, + &oidAppleCertExtEscrowProxyServerAuthProd, + &oidAppleCertExtEscrowProxyServerAuthTest); +} + +/* subject:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA */ +/* SKID: C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E */ +/* Not Before: May 21 04:00:00 2002 GMT, Not After : May 21 04:00:00 2022 GMT */ +/* Signature Algorithm: sha1WithRSAEncryption */ +unsigned char GeoTrust_Global_CA_sha256[kSecPolicySHA256Size] = { + 0xff, 0x85, 0x6a, 0x2d, 0x25, 0x1d, 0xcd, 0x88, 0xd3, 0x66, 0x56, 0xf4, 0x50, 0x12, 0x67, 0x98, + 0xcf, 0xab, 0xaa, 0xde, 0x40, 0x79, 0x9c, 0x72, 0x2d, 0xe4, 0xd2, 0xb5, 0xdb, 0x36, 0xa7, 0x3a +}; + +/* SKID: D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29 */ +unsigned char AppleISTCA2G1_spki_sha256[kSecPolicySHA256Size] = { + 0xb5, 0xcf, 0x82, 0xd4, 0x7e, 0xf9, 0x82, 0x3f, 0x9a, 0xa7, 0x8f, 0x12, 0x31, 0x86, 0xc5, 0x2e, + 0x88, 0x79, 0xea, 0x84, 0xb0, 0xf8, 0x22, 0xc9, 0x1d, 0x83, 0xe0, 0x42, 0x79, 0xb7, 0x8f, 0xd5 +}; + +static SecPolicyRef 
SecPolicyCreateAppleGeoTrustServerAuthCommon(CFStringRef hostname, CFStringRef policyOid, + CFStringRef policyName, bool allowNonProd, + CFStringRef leafMarkerOid, + CFStringRef testLeafMarkerOid) { + CFMutableDictionaryRef options = NULL; + CFDataRef spkiDigest = NULL; + SecPolicyRef result = NULL; + + require(options = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), errOut); + + /* basic SSL */ + SecPolicyAddBasicX509Options(options); + + require(hostname, errOut); + CFDictionaryAddValue(options, kSecPolicyCheckSSLHostname, hostname); + + add_eku(options, &oidExtendedKeyUsageServerAuth); + + /* pinning */ + if (requireUATPinning(policyName)) { + /* GeoTrust root */ + SecPolicyAddAnchorSHA256Options(options, GeoTrust_Global_CA_sha256); + + /* Public key for Apple IST CA 2 */ + spkiDigest = CFDataCreateWithBytesNoCopy(NULL, AppleISTCA2G1_spki_sha256, + kSecPolicySHA256Size, kCFAllocatorNull); + require_action(spkiDigest, errOut, CFReleaseNull(result)); + CFDictionaryAddValue(options, kSecPolicyCheckIntermediateSPKISHA256, spkiDigest); + + require_action(SecPolicyAddChainLengthOptions(options, 3), errOut, CFReleaseNull(result)); + + /* Marker OIDs in both formats */ + add_leaf_marker_string(options, leafMarkerOid); + add_leaf_marker_value_string(options, CFSTR("1.2.840.113635.100.6.48.1"), leafMarkerOid); + if (testLeafMarkerOid && allowUATRoot(allowNonProd, policyName, NULL)) { + add_leaf_marker_string(options, testLeafMarkerOid); + add_leaf_marker_value_string(options, CFSTR("1.2.840.113635.100.6.48.1"), testLeafMarkerOid); + } + } + + /* See <rdar://25344801> for more details */ + + result = SecPolicyCreate(policyOid, policyName, options); + +errOut: + CFReleaseSafe(options); + CFReleaseSafe(spkiDigest); + return result; +} + +SecPolicyRef SecPolicyCreateAppleCompatibilityEscrowProxyService(CFStringRef hostname) { + return SecPolicyCreateAppleGeoTrustServerAuthCommon(hostname, 
kSecPolicyAppleEscrowProxyCompatibilityServerAuth, + kSecPolicyNameAppleEscrowProxyService, false, + CFSTR("1.2.840.113635.100.6.27.7.2"), + CFSTR("1.2.840.113635.100.6.27.7.1")); +} + +/*! + @function SecPolicyCreateAppleFMiPService + @abstract Ensure we're appropriately pinned to the Find My iPhone service (SSL + Apple restrictions) + */ +SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryRef context) +{ + return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyAppleFMiPServerAuth, + kSecPolicyNameAppleFMiPService, false, + &oidAppleCertExtFMiPServerAuthProd, + &oidAppleCertExtFMiPServerAuthTest); +} + + /* should use verbatim copy, but since this is the deprecated way, don't care right now */ static const UInt8 entrustSPKIL1C[kSecPolicySHA256Size] = { 0x54, 0x5b, 0xf9, 0x35, 0xe9, 0xad, 0xa1, 0xda, @@ -2698,9 +3380,10 @@ SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname) add_eku(options, &oidExtendedKeyUsageServerAuth); - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); - result = SecPolicyCreate(kSecPolicyOIDSSLServer, options); + result = SecPolicyCreate(kSecPolicyAppleLegacyPushService, + kSecPolicyNameAppleLegacyPushService, options); require(result, errOut); errOut: 
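Review bot: SecPolicyCreateAppleGeoTrustServerAuthCommon never sets `kSecPolicyCheckRevocation`, whereas SecPolicyCreateAppleServerAuthCommon, which the primary Escrow Proxy and MMCS policies go through, sets `kSecPolicyCheckRevocationAny` unconditionally, so the "compatibility" variants of the same services are evaluated with no revocation requirement at all. If that is deliberate (for instance because the chain is pinned to the Apple IST CA 2 SPKI), a comment next to the `<rdar://25344801>` reference should say so; otherwise add `add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny);` before the `SecPolicyCreate` call. The function also has no header comment, and it should state that when `requireUATPinning(policyName)` is false it degrades to hostname plus serverAuth EKU with no anchor at all. The root it pins to expires May 21 2022 according to the comment above `GeoTrust_Global_CA_sha256`, so this pin carries a built-in deadline worth recording where callers will see it.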
@@ -2713,9 +3396,19 @@ errOut: @function SecPolicyCreateAppleMMCSService @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions) */ -SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef __unused context) +SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef context) { - return SecPolicyCreateSSL(true, hostname); + return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyAppleMMCSService, + kSecPolicyNameAppleMMCSService, false, + &oidAppleCertExtAppleServerAuthenticationMMCSProd, + &oidAppleCertExtAppleServerAuthenticationMMCSTest); +} + +SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname) { + return SecPolicyCreateAppleGeoTrustServerAuthCommon(hostname, kSecPolicyAppleMMCSCompatibilityServerAuth, + kSecPolicyNameAppleMMCSService, false, + CFSTR("1.2.840.113635.100.6.27.11.2"), + CFSTR("1.2.840.113635.100.6.27.11.1")); } /*! @@ -2733,7 +3426,7 @@ SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname) require((options=(CFMutableDictionaryRef)policy->_options) != NULL, errOut); // Apple CA anchored - require(SecPolicyAddAppleAnchorOptions(options), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSSLService), errOut); // Check leaf for Apple Server Authentication marker oid (1.2.840.113635.100.6.27.1) add_leaf_marker(options, &oidAppleCertExtAppleServerAuthentication); 
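Review bot: The header comment on SecPolicyCreateAppleMMCSService still reads `@abstract Ensure we're appropriately pinned to the IDS service`, a copy-paste from the IDS policy that is now misleading since the function really pins via SecPolicyCreateAppleServerAuthCommon; change it to ` @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions)`. SecPolicyCreateAppleCompatibilityMMCSService has no header comment at all; it should get one stating what it is for (from the pins, presumably MMCS hosts still served from the GeoTrust-rooted Apple IST CA 2 chain - confirm). Both functions pass `kSecPolicyNameAppleMMCSService` as the policy name, so whatever per-name relaxation `requireUATPinning` and `allowUATRoot` consult applies to the pinned and the compatibility policy alike; if they are meant to be relaxable independently, the compatibility policy needs its own name.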
@@ -2741,8 +3434,10 @@ SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname) // Check intermediate for Apple Server Authentication intermediate marker (1.2.840.113635.100.6.2.12) add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleServerAuthentication); - // Ensure that revocation is checked (OCSP only) - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); + + SecPolicySetOid(policy, kSecPolicyAppleServerAuthentication); + SecPolicySetName(policy, kSecPolicyNameAppleSSLService); return policy; @@ -2769,7 +3464,7 @@ SecPolicyRef SecPolicyCreateApplePPQSigning(void) &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicCertOptions(options); - SecPolicyAddAppleAnchorOptions(options); + SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameApplePPQSigning); require(SecPolicyAddChainLengthOptions(options, 3), errOut); CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, @@ -2783,7 +3478,8 @@ SecPolicyRef SecPolicyCreateApplePPQSigning(void) add_ku(options, kSecKeyUsageDigitalSignature); - require(result = SecPolicyCreate(kSecPolicyApplePPQSigning, options), errOut); + require(result = SecPolicyCreate(kSecPolicyApplePPQSigning, + kSecPolicyNameApplePPQSigning, options), errOut); errOut: CFReleaseSafe(options); @@ -2800,6 +3496,11 @@ errOut: */ SecPolicyRef SecPolicyCreateTestApplePPQSigning(void) { + /* Guard against use of test policy on production devices */ + if (!SecIsInternalRelease()) { + return SecPolicyCreateApplePPQSigning(); + } + SecPolicyRef result = NULL; CFMutableDictionaryRef options = NULL; require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, 
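Review bot: The new guard in SecPolicyCreateTestApplePPQSigning silently hands back the production policy on non-internal builds, so a caller that asked for the test policy gets different CN and marker requirements with no indication; that is the right fail-safe direction, but the function's doc block (outside this hunk) should say so, e.g. ` On non-internal releases this returns SecPolicyCreateApplePPQSigning() instead.` No equivalent guard is visible in this patch for SecPolicyCreateTestAppleSMPEncryption, whose hunk starts below its function head; if that test policy lacks one, it should get the same treatment so test SMP certificates cannot be accepted on production devices.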
@@ -2807,7 +3508,7 @@ SecPolicyRef SecPolicyCreateTestApplePPQSigning(void)
 &kCFTypeDictionaryValueCallBacks), errOut);
 SecPolicyAddBasicCertOptions(options);
- SecPolicyAddAppleAnchorOptions(options);
+ SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleTestPPQSigning);
 require(SecPolicyAddChainLengthOptions(options, 3), errOut);
 CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName,
@@ -2821,7 +3522,8 @@ SecPolicyRef SecPolicyCreateTestApplePPQSigning(void)
 add_ku(options, kSecKeyUsageDigitalSignature);
- require(result = SecPolicyCreate(kSecPolicyAppleTestPPQSigning, options), errOut);
+ require(result = SecPolicyCreate(kSecPolicyAppleTestPPQSigning,
+ kSecPolicyNameAppleTestPPQSigning, options), errOut);
 errOut:
 CFReleaseSafe(options);
@@ -2844,87 +3546,14 @@ SecPolicyRef SecPolicyCreateAppleTimeStamping(void) /* Require id-kp-timeStamping extendedKeyUsage to be present. */ add_eku(options, &oidExtendedKeyUsageTimeStamping); - require(result = SecPolicyCreate(kSecPolicyOIDAppleTimeStamping, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleTimeStamping, + kSecPolicyNameAppleTimeStamping, options), errOut); errOut: CFReleaseSafe(options); return result; } -/*! - @function SecPolicyCreateAppleATVAppSigning - @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name, - and apple anchor. - Leaf cert must have Digital Signature usage. - Leaf cert must have Apple ATV App Signing marker OID (1.2.840.113635.100.6.1.24). - Leaf cert must have 'Apple TVOS Application Signing' common name. - */ -SecPolicyRef SecPolicyCreateAppleATVAppSigning(void) -{ - SecPolicyRef result = NULL; - CFMutableDictionaryRef options = NULL; - require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks), errOut); - SecPolicyAddBasicCertOptions(options); - - require(SecPolicyAddAppleAnchorOptions(options), errOut); - require(SecPolicyAddChainLengthOptions(options, 3), errOut); - - CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, - CFSTR("Apple Worldwide Developer Relations Certification Authority")); - CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonName, - CFSTR("Apple TVOS Application Signing")); - - // Check that leaf has extension with "Apple ATV App Signing" prod oid (1.2.840.113635.100.6.1.24) - add_leaf_marker(options, &oidAppleCertExtATVAppSigningProd); - - add_ku(options, kSecKeyUsageDigitalSignature); - - require(result = SecPolicyCreate(kSecPolicyAppleATVAppSigning, options), errOut); - -errOut: - CFReleaseSafe(options); - return result; -} - -/*! 
- @function SecPolicyCreateTestAppleATVAppSigning - @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name, - and apple anchor. - Leaf cert must have Digital Signature usage. - Leaf cert must have Apple ATV App Signing Test marker OID (1.2.840.113635.100.6.1.24.1). - Leaf cert must have 'TEST Apple TVOS Application Signing TEST' common name. - */ -SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void) -{ - SecPolicyRef result = NULL; - CFMutableDictionaryRef options = NULL; - require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks), errOut); - SecPolicyAddBasicCertOptions(options); - - require(SecPolicyAddAppleAnchorOptions(options), errOut); - require(SecPolicyAddChainLengthOptions(options, 3), errOut); - - CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, - CFSTR("Apple Worldwide Developer Relations Certification Authority")); - CFDictionaryAddValue(options, kSecPolicyCheckSubjectCommonName, - CFSTR("TEST Apple TVOS Application Signing TEST")); - - // Check that leaf has extension with "Apple ATV App Signing" test oid (1.2.840.113635.100.6.1.24.1) - add_leaf_marker(options, &oidAppleCertExtATVAppSigningTest); - - add_ku(options, kSecKeyUsageDigitalSignature); - - require(result = SecPolicyCreate(kSecPolicyAppleTestATVAppSigning, options), errOut); - -errOut: - CFReleaseSafe(options); - return result; -} - /*! @function SecPolicyCreateApplePayIssuerEncryption @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations CA - G2' by name, 
@@ -2941,7 +3570,8 @@ SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void) &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicCertOptions(options); - require(SecPolicyAddAnchorSHA1Options(options, kAppleRootCA_ECC_SHA1), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameApplePayIssuerEncryption), + errOut); require(SecPolicyAddChainLengthOptions(options, 3), errOut); CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, @@ -2952,7 +3582,8 @@ SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void) add_ku(options, kSecKeyUsageKeyEncipherment); - require(result = SecPolicyCreate(kSecPolicyApplePayIssuerEncryption, options), errOut); + require(result = SecPolicyCreate(kSecPolicyApplePayIssuerEncryption, + kSecPolicyNameApplePayIssuerEncryption, options), errOut); errOut: CFReleaseSafe(options); @@ -2997,9 +3628,10 @@ SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void) add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleSystemIntg2); // Ensure that revocation is checked (OCSP only) - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanFalse); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); - require(result = SecPolicyCreate(kSecPolicyAppleATVVPNProfileSigning, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleATVVPNProfileSigning, + kSecPolicyNameAppleATVVPNProfileSigning, options), errOut); errOut: CFReleaseSafe(options); @@ -3022,8 +3654,8 @@ SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) { add_eku(options, &oidExtendedKeyUsageServerAuth); - if (requirePinning(false, CFSTR("HomeKit"))) { - bool allowUAT = allowUATRoot(false, CFSTR("HomeKit"), NULL); + if (requireUATPinning(kSecPolicyNameAppleHomeKitServerAuth)) { + bool allowUAT = allowUATRoot(false, kSecPolicyNameAppleHomeKitServerAuth, NULL); // Cert chain length 3 require(SecPolicyAddChainLengthOptions(options, 3), errOut); 
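Review bot: SecPolicyCreateApplePayIssuerEncryption moves from a SHA-1 pin on `kAppleRootCA_ECC_SHA1` to the generic `SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameApplePayIssuerEncryption)`, so the anchor set is now whatever that helper installs for this name rather than the single ECC root, leaving the issuer CN, chain length 3 and key-encipherment usage as the remaining restrictions. Since the old pin implicitly forced an EC hierarchy, a comment should explain why the broader anchor set is acceptable here, or, if the EC-only property matters to Apple Pay, the leaf key type could be constrained the way SecPolicyCreateAppleUniqueDeviceCertificate does in this patch with `kSecPolicyCheckKeySize`. The same SHA-1-to-Apple-anchor substitution is made for SMP encryption earlier in this patch, so whichever rationale applies should be recorded once and referenced from both.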
@@ -3031,7 +3663,7 @@ SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) { // Apple anchors, allowing test anchors for internal releases properly configured appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL); require(appleAnchorOptions, errOut); - if (allowUAT) { + if (allowUAT || allowTestHierarchyForPolicy(kSecPolicyNameAppleHomeKitServerAuth)) { CFDictionarySetValue(appleAnchorOptions, kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue); } @@ -3043,9 +3675,10 @@ SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) { } - CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); - result = SecPolicyCreate(kSecPolicyOIDAppleHomeKitServerAuth, options); + result = SecPolicyCreate(kSecPolicyAppleHomeKitServerAuth, + kSecPolicyNameAppleHomeKitServerAuth, options); require(result, errOut); errOut: 
@@ -3054,3 +3687,156 @@ errOut: CFReleaseSafe(oid); return result; } + +SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void) { + CFMutableDictionaryRef options = NULL; + SecPolicyRef result = NULL; + + /* Create basic Apple pinned policy */ + require(result = SecPolicyCreateApplePinned(kSecPolicyNameAppleExternalDeveloper, + CFSTR("1.2.840.113635.100.6.2.1"), // WWDR Intermediate OID + CFSTR("1.2.840.113635.100.6.1.2")), // "iPhone Developer" leaf OID + errOut); + + require_action(options = CFDictionaryCreateMutableCopy(NULL, 0, result->_options), errOut, CFReleaseNull(result)); + + /* Additional intermediate OIDs */ + add_element(options, kSecPolicyCheckIntermediateMarkerOid, + CFSTR("1.2.840.113635.100.6.2.6")); // "Developer ID" Intermediate OID + + /* Addtional leaf OIDS */ + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.4")); // "iPhone Distribution" leaf OID + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.5")); // "Safari Developer" leaf OID + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.7")); // "3rd Party Mac Developer Application" leaf OID + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.8")); // "3rd Party Mac Developer Installer" leaf OID + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.12")); // "Mac Developer" leaf OID + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.13")); // "Developer ID Application" leaf OID + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.1.14")); // "Developer ID Installer" leaf OID + + /* Restrict EKUs */ + add_eku_string(options, CFSTR("1.3.6.1.5.5.7.3.3")); // CodeSigning EKU + add_eku_string(options, CFSTR("1.2.840.113635.100.4.8")); // "Safari Developer" EKU + add_eku_string(options, CFSTR("1.2.840.113635.100.4.9")); // "3rd Party Mac Developer Installer" EKU + add_eku_string(options, CFSTR("1.2.840.113635.100.4.13")); // "Developer ID Installer" EKU + + CFReleaseSafe(result->_options); + result->_options = 
CFRetainSafe(options); + + SecPolicySetOid(result, kSecPolicyAppleExternalDeveloper); + +errOut: + CFReleaseSafe(options); + return result; +} + +/* This one is special because the intermediate has no marker OID */ +SecPolicyRef SecPolicyCreateAppleSoftwareSigning(void) { + CFMutableDictionaryRef options = NULL; + CFDictionaryRef keySizes = NULL; + CFNumberRef rsaSize = NULL, ecSize = NULL; + SecPolicyRef result = NULL; + + require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), errOut); + + SecPolicyAddBasicX509Options(options); + + /* Anchored to the Apple Roots */ + require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSoftwareSigning), + errOut); + + /* Exactly 3 certs in the chain */ + require(SecPolicyAddChainLengthOptions(options, 3), errOut); + + /* Intermediate Common Name matches */ + add_element(options, kSecPolicyCheckIssuerCommonName, CFSTR("Apple Code Signing Certification Authority")); + + /* Leaf marker OID matches */ + add_leaf_marker_string(options, CFSTR("1.2.840.113635.100.6.22")); + + /* Leaf has CodeSigning EKU */ + add_eku_string(options, CFSTR("1.3.6.1.5.5.7.3.3")); + + /* Check revocation using any available method */ + add_element(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); + + /* RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. 
*/ + require(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), errOut); + require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut); + const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC }; + const void *values[] = { rsaSize, ecSize }; + require(keySizes = CFDictionaryCreate(NULL, keys, values, 2, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), errOut); + add_element(options, kSecPolicyCheckKeySize, keySizes); + + + require(result = SecPolicyCreate(kSecPolicyAppleSoftwareSigning, + kSecPolicyNameAppleSoftwareSigning, options), errOut); + +errOut: + CFReleaseSafe(options); + CFReleaseSafe(keySizes); + CFReleaseSafe(rsaSize); + CFReleaseSafe(ecSize); + return result; +} + +/* subject:/CN=SEP Root CA/O=Apple Inc./ST=California */ +/* SKID: 58:EF:D6:BE:C5:82:B0:54:CD:18:A6:84:AD:A2:F6:7B:7B:3A:7F:CF */ +/* Not Before: Jun 24 21:43:24 2014 GMT, Not After : Jun 24 21:43:24 2029 GMT */ +/* Signature Algorithm: ecdsa-with-SHA384 */ +const uint8_t SEPRootCA_SHA256[kSecPolicySHA256Size] = { + 0xd1, 0xdf, 0x82, 0x00, 0xf3, 0x89, 0x4e, 0xe9, 0x96, 0xf3, 0x77, 0xdf, 0x76, 0x3b, 0x0a, 0x16, + 0x8f, 0xd9, 0x6c, 0x58, 0xc0, 0x3e, 0xc9, 0xb0, 0x5f, 0xa5, 0x64, 0x79, 0xc0, 0xe8, 0xc9, 0xe7 +}; + +SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef testRootHash) { + CFMutableDictionaryRef options = NULL; + CFDictionaryRef keySizes = NULL; + CFNumberRef ecSize = NULL; + SecPolicyRef result = NULL; + + require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), errOut); + + /* Device certificate should never expire */ + SecPolicyAddBasicCertOptions(options); + + /* Anchored to the SEP Root CA. 
Allow alternative root for developers */ + require(SecPolicyAddAnchorSHA256Options(options, SEPRootCA_SHA256),errOut); + if (testRootHash && SecIsInternalRelease() && !SecIsProductionFused() && + allowTestHierarchyForPolicy(kSecPolicyNameAppleUniqueDeviceCertificate) + && (kSecPolicySHA256Size == CFDataGetLength(testRootHash))) { + add_element(options, kSecPolicyCheckAnchorSHA256, testRootHash); + } + + /* Exactly 3 certs in the chain */ + require(SecPolicyAddChainLengthOptions(options, 3), errOut); + + /* Intermediate has marker OID with value */ + add_intermediate_marker_value_string(options, CFSTR("1.2.840.113635.100.6.44"), CFSTR("ucrt")); + + /* Leaf has marker OID with varying value that can't be pre-determined */ + add_element(options, kSecPolicyCheckLeafMarkerOidWithoutValueCheck, CFSTR("1.2.840.113635.100.10.1")); + + /* RSA key sizes are disallowed. EC key sizes are P-256 or larger. */ + require(ecSize = CFNumberCreateWithCFIndex(NULL, 256), errOut); + require(keySizes = CFDictionaryCreate(NULL, (const void**)&kSecAttrKeyTypeEC, + (const void**)&ecSize, 1, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), errOut); + add_element(options, kSecPolicyCheckKeySize, keySizes); + + + require(result = SecPolicyCreate(kSecPolicyAppleUniqueDeviceIdentifierCertificate, + kSecPolicyNameAppleUniqueDeviceCertificate, options), errOut); + +errOut: + CFReleaseSafe(options); + CFReleaseSafe(keySizes); + CFReleaseSafe(ecSize); + return result; +} diff --git a/OSX/sec/Security/SecPolicy.h b/OSX/sec/Security/SecPolicy.h index 53aba313..60e325e0 100644 --- a/OSX/sec/Security/SecPolicy.h +++ b/OSX/sec/Security/SecPolicy.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002-2010,2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
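Review bot: The three new public constructors SecPolicyCreateAppleExternalDeveloper, SecPolicyCreateAppleSoftwareSigning and SecPolicyCreateAppleUniqueDeviceCertificate have no `/*! @function ... @abstract ... */` header, unlike every neighbouring policy constructor in this file, including SecPolicyCreateAppleFMiPService added by the same patch. SecPolicyCreateAppleUniqueDeviceCertificate needs one most: it should document that `testRootHash` is a 32-byte SHA-256 of an alternate anchor that is honoured only when `SecIsInternalRelease()`, `!SecIsProductionFused()` and `allowTestHierarchyForPolicy(...)` all hold and is otherwise silently ignored, and that the chain is pinned to SEP Root CA (expiring Jun 24 2029 per the comment) with exactly 3 certificates, an intermediate `ucrt` marker, an unvalued leaf marker and EC keys of P-256 or larger throughout (RSA disallowed). In SecPolicyCreateAppleExternalDeveloper the policy's `_options` dictionary is replaced after `SecPolicyCreateApplePinned` has returned; a comment explaining why the extra intermediate and leaf OIDs cannot be passed to that constructor would spare the next reader from wondering whether mutating a created policy is safe.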
@@ -46,6 +46,7 @@ CF_IMPLICIT_BRIDGING_ENABLED @constant kSecPolicyAppleSSL @constant kSecPolicyAppleSMIME @constant kSecPolicyAppleEAP + @constant kSecPolicyAppleiChat @constant kSecPolicyAppleIPsec @constant kSecPolicyApplePKINITClient @constant kSecPolicyApplePKINITServer @@ -54,6 +55,8 @@ CF_IMPLICIT_BRIDGING_ENABLED @constant kSecPolicyAppleIDValidation @constant kSecPolicyAppleTimeStamping @constant kSecPolicyAppleRevocation + @constant kSecPolicyApplePassbookSigning + @constant kSecPolicyApplePayIssuerEncryption */ extern const CFStringRef kSecPolicyAppleX509Basic __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); @@ -65,6 +68,10 @@ extern const CFStringRef kSecPolicyAppleEAP __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleIPsec __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); +#if TARGET_OS_MAC && !TARGET_OS_IPHONE +extern const CFStringRef kSecPolicyAppleiChat + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); +#endif extern const CFStringRef kSecPolicyApplePKINITClient __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern const CFStringRef kSecPolicyApplePKINITServer @@ -79,6 +86,8 @@ extern const CFStringRef kSecPolicyAppleTimeStamping __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleRevocation __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); +extern const CFStringRef kSecPolicyApplePassbookSigning + __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); extern const CFStringRef kSecPolicyApplePayIssuerEncryption __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); 
@@ -93,20 +102,26 @@ extern const CFStringRef kSecPolicyApplePayIssuerEncryption Additional policy values which your code can optionally set: kSecPolicyName (name which must be matched) kSecPolicyClient (evaluate for client, rather than server) - kSecPolicyRevocationFlags (only valid for a revocation policy) + kSecPolicyRevocationFlags (only valid for a revocation policy) + kSecPolicyTeamIdentifier (only valid for a Passbook signing policy) @constant kSecPolicyOid Specifies the policy OID (value is a CFStringRef) @constant kSecPolicyName Specifies a CFStringRef (or CFArrayRef of same) containing a name which must be matched in the certificate to satisfy this policy. For SSL/TLS, EAP, and IPSec policies, this specifies the server name which must match the common name of the certificate. - For S/MIME, this specifies the RFC822 email address. + For S/MIME, this specifies the RFC822 email address. For Passbook + signing, this specifies the pass signer. @constant kSecPolicyClient Specifies a CFBooleanRef value that indicates this evaluation should be for a client certificate. If not set (or false), the policy evaluates the certificate as a server certificate. @constant kSecPolicyRevocationFlags Specifies a CFNumberRef that holds a kCFNumberCFIndexType bitmask value. See "Revocation Policy Constants" for a description of individual bits in this value. + @constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a + team identifier which must be matched in the certificate to satisfy + this policy. For the Passbook signing policy, this string must match + the Organizational Unit field of the certificate subject. */ extern const CFStringRef kSecPolicyOid __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); 
@@ -116,6 +131,8 @@ extern const CFStringRef kSecPolicyClient __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); extern const CFStringRef kSecPolicyRevocationFlags __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); +extern const CFStringRef kSecPolicyTeamIdentifier + __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); /*! @@ -137,6 +154,7 @@ CFTypeID SecPolicyGetTypeID(void) @discussion This function returns the properties for a policy, as set by the policy's construction function or by a prior call to SecPolicySetProperties. */ +__nullable CFDictionaryRef SecPolicyCopyProperties(SecPolicyRef policyRef) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); @@ -206,6 +224,7 @@ CF_ENUM(CFOptionFlags) { system behavior (e.g. to force a particular method, or to disable revocation checking entirely.) */ +__nullable SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); @@ -220,6 +239,7 @@ SecPolicyRef SecPolicyCreateRevocation(CFOptionFlags revocationFlags) @result The returned policy reference, or NULL if the policy could not be created. */ +__nullable SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, CFDictionaryRef __nullable properties) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); diff --git a/OSX/sec/Security/SecPolicyInternal.h b/OSX/sec/Security/SecPolicyInternal.h index b1884743..cd522cc4 100644 --- a/OSX/sec/Security/SecPolicyInternal.h +++ b/OSX/sec/Security/SecPolicyInternal.h @@ -45,6 +45,7 @@ __BEGIN_DECLS struct __SecPolicy { CFRuntimeBase _base; CFStringRef _oid; + CFStringRef _name; CFDictionaryRef _options; }; 
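Review bot: The new `CFStringRef _name;` member of `struct __SecPolicy` in the SecPolicyInternal.h hunk carries no comment, and nothing in this hunk says who owns the string. Given that `SecPolicyCreate` gains a `CFStringRef name` parameter later in the same file, this presumably holds that value; I would write `CFStringRef _name;   /* value of kSecPolicyName given to SecPolicyCreate; owned by the policy */` and confirm that the CF finalizer, which is outside these hunks, releases `_name` together with `_oid` and `_options`.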
@@ -54,13 +55,15 @@ struct __SecPolicy { policy. @constant kSecPolicyCheckCriticalExtensions Ensure that no certificate in the chain has any critical extensions that we do not understand. @constant kSecPolicyCheckIdLinkage Check that all the certificates in the chain that have a SubjectId, match the AuthorityId of the certificate they sign. This check is optional, in that if either certificate is missing the required extension the check succeeds. - @constant kSecPolicyCheckBasicContraints Fails if the basic constraints for the certificate chain are not met, this allows for basic constraints to be non critical and doesn't require every CA certificate to have a basic constraints extension, and allows for leaf certificates to have basic constraints extensions. + @constant kSecPolicyCheckBasicConstraints Fails if the basic constraints for the certificate chain are not met, this allows for basic constraints to be non critical and doesn't require every CA certificate to have a basic constraints extension, and allows for leaf certificates to have basic constraints extensions. @constant kSecPolicyCheckExtendedKeyUsage @@@ @constant kSecPolicyCheckIdLinkage Fails if the AuthorityKeyID -> SubjectKeyID chaining isn't right. @constant kSecPolicyCheckKeyUsage @@@ @constant kSecPolicyCheckWeakIntermediates Fails if any certificates in the chain (other than the leaf and root) have a too small key size. @constant kSecPolicyCheckWeakLeaf Fails if the leaf has a too small key size. - @constant kSecPolicyCheckWeakRoot Fails fi the root has a too small key size. + @constant kSecPolicyCheckWeakRoot Fails if the root has a too small key size. + @constant kSecPolicyCheckKeySize Fails if any certificates in the chain have key size smaller than the policy allows. + @constant kSecPolicyCheckSignatureHashAlgorithms Fails if any certificates in the chain use a hash algorithm disallowed by the policy. 
@constant kSecPolicyCheckNonEmptySubject Perform the following check: RFC 3280, 4.1.2.6, says that an empty subject name can only appear in a leaf cert, and only if subjectAltName is present and marked critical. @constant kSecPolicyCheckQualifiedCertStatements Perform the following check: RFC 3739: if this cert has a Qualified Cert Statements extension, and it's Critical, make sure we understand all of the extension's statementIds. @constant kSecPolicyCheckValidIntermediates Fails if any certificates in the chain are not valid at the verify time other than the leaf and the root. @@ -68,6 +71,7 @@ struct __SecPolicy { @constant kSecPolicyCheckValidRoot Fails if the root certificate is not valid at the verify time. @constant kSecPolicyCheckAnchorTrusted @@@. @constant kSecPolicyCheckAnchorSHA1 @@@. + @constant kSecPolicyCheckAnchorSHA256 @@@. @constant kSecPolicyCheckAnchorApple @@@. @constant kSecPolicyCheckSSLHostname @@@. @constant kSecPolicyCheckEmail @@@. 
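Review bot: The new `@constant kSecPolicyCheckAnchorSHA256 @@@.` line in the `@@ -68,6 +71,7 @@` hunk reproduces the `@@@` placeholder of the older entries instead of describing the constant, and `@constant kSecPolicyCheckUsageConstraints @@@.` in the `@@ -78,17 +82,24 @@` hunk does the same. Adding new constants with placeholder text only grows the documentation debt the surrounding typo fixes are trying to pay down. If, as the name suggests, this is the SHA-256 analogue of kSecPolicyCheckAnchorSHA1, write `@constant kSecPolicyCheckAnchorSHA256 Fails unless the SHA-256 fingerprint of the anchor certificate matches a value in the policy option.`, and give kSecPolicyCheckUsageConstraints a similar one-line description or an explicit TODO naming who owns it.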
@@ -78,17 +82,24 @@ struct __SecPolicy { @constant kSecPolicyCheckEAPTrustedServerNames @@@. @constant kSecPolicyCheckBasicCertificateProcessing @@@. @constant kSecPolicyCheckExtendedValidation @@@. - @constant kSecPolicyCheckRevocation @@@. + @constant kSecPolicyCheckRevocation Perform a revocation check. + @constant kSecPolicyCheckRevocationResponseRequired Require positive response for revocation check. Use of thise constant indicates that the policy should "fail closed" in case of missing revocation information. + @constant kSecPolicyCheckRevocationOCSP Use OCSP to perform revocation check. + @constant kSecPolicyCheckRevocationCRL Use CRL to perform revocation check. + @constant kSecPolicyCheckRevocationAny Use any available method (OCSP or CRL) to perform revocation check. @constant kSecPolicyCheckNoNetworkAccess @@@. @constant kSecPolicyCheckBlackListedLeaf @@@. + @constant kSecPolicyCheckUsageConstraints @@@. */ -extern const CFStringRef kSecPolicyCheckBasicContraints; +extern const CFStringRef kSecPolicyCheckBasicConstraints; extern const CFStringRef kSecPolicyCheckCriticalExtensions; extern const CFStringRef kSecPolicyCheckExtendedKeyUsage; extern const CFStringRef kSecPolicyCheckIdLinkage; extern const CFStringRef kSecPolicyCheckWeakIntermediates; extern const CFStringRef kSecPolicyCheckWeakLeaf; extern const CFStringRef kSecPolicyCheckWeakRoot; +extern const CFStringRef kSecPolicyCheckKeySize; +extern const CFStringRef kSecPolicyCheckSignatureHashAlgorithms; extern const CFStringRef kSecPolicyCheckKeyUsage; extern const CFStringRef kSecPolicyCheckNonEmptySubject; extern const CFStringRef kSecPolicyCheckQualifiedCertStatements; 
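Review bot: The new description of `kSecPolicyCheckRevocationResponseRequired` contains the typo `thise` and, because it documents the one revocation option that makes a policy fail closed, it deserves clean wording. Suggest `@constant kSecPolicyCheckRevocationResponseRequired Require a positive response for the revocation check. Use of this constant indicates that the policy should "fail closed" when revocation information is missing.`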
@@ -97,6 +108,7 @@ extern const CFStringRef kSecPolicyCheckValidLeaf; extern const CFStringRef kSecPolicyCheckValidRoot; extern const CFStringRef kSecPolicyCheckAnchorTrusted; extern const CFStringRef kSecPolicyCheckAnchorSHA1; +extern const CFStringRef kSecPolicyCheckAnchorSHA256; extern const CFStringRef kSecPolicyCheckAnchorApple; extern const CFStringRef kSecPolicyCheckSSLHostname; extern const CFStringRef kSecPolicyCheckEmail; 
@@ -114,29 +126,76 @@ extern const CFStringRef kSecPolicyCheckBasicCertificateProcessing; extern const CFStringRef kSecPolicyCheckExtendedValidation; extern const CFStringRef kSecPolicyCheckRevocation; extern const CFStringRef kSecPolicyCheckRevocationResponseRequired; +extern const CFStringRef kSecPolicyCheckRevocationOCSP; +extern const CFStringRef kSecPolicyCheckRevocationCRL; +extern const CFStringRef kSecPolicyCheckRevocationAny; extern const CFStringRef kSecPolicyCheckNoNetworkAccess; extern const CFStringRef kSecPolicyCheckBlackListedLeaf; extern const CFStringRef kSecPolicyCheckBlackListedKey; extern const CFStringRef kSecPolicyCheckGrayListedLeaf; extern const CFStringRef kSecPolicyCheckLeafMarkerOid; +extern const CFStringRef kSecPolicyCheckLeafMarkerOidWithoutValueCheck; extern const CFStringRef kSecPolicyCheckIntermediateMarkerOid; extern const CFStringRef kSecPolicyCheckIntermediateSPKISHA256; +extern const CFStringRef kSecPolicyCheckIntermediateEKU; extern const CFStringRef kSecPolicyCheckGrayListedKey; extern const CFStringRef kSecPolicyCheckCertificateTransparency; +extern const CFStringRef kSecPolicyCheckUsageConstraints; -/* Special options for checking Apple Anchors */ +/* Special option for checking Apple Anchors */ extern const CFStringRef kSecPolicyAppleAnchorIncludeTestRoots; -extern const CFStringRef kSecPolicyAppleAnchorAllowTestRootsOnProduction; -SecPolicyRef SecPolicyCreate(CFStringRef oid, CFDictionaryRef options); +SecPolicyRef SecPolicyCreate(CFStringRef oid, CFStringRef name, CFDictionaryRef options); -CFStringRef SecPolicyGetOidString(SecPolicyRef policy); CFDictionaryRef SecPolicyGetOptions(SecPolicyRef policy); void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef value); xpc_object_t SecPolicyArrayCopyXPCArray(CFArrayRef policies, CFErrorRef *error); CFArrayRef SecPolicyXPCArrayCopyArray(xpc_object_t xpc_policies, CFErrorRef *error); +CFArrayRef SecPolicyArrayCreateDeserialized(CFArrayRef 
serializedPolicies); +CFArrayRef SecPolicyArrayCreateSerialized(CFArrayRef policies); + +/* + * MARK: SecPolicyCheckCert functions + */ +bool SecPolicyCheckCertKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertExtendedKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSSLHostname(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertEmail(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSubjectCommonNamePrefix(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSubjectCommonName(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSubjectCommonNameTEST(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertNotValidBefore(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSubjectOrganization(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSubjectOrganizationalUnit(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertEAPTrustedServerNames(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertLeafMarkerOid(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertLeafMarkerOidWithoutValueCheck(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSignatureHashAlgorithms(SecCertificateRef cert, CFTypeRef pvcValue); + + +/* + * MARK: SecLeafPVC functions + */ + +typedef struct OpaqueSecLeafPVC *SecLeafPVCRef; + +struct OpaqueSecLeafPVC { + SecCertificateRef leaf; + CFArrayRef policies; + CFAbsoluteTime verifyTime; + CFArrayRef details; + CFMutableDictionaryRef info; + CFDictionaryRef callbacks; + CFIndex policyIX; + bool result; +}; + +void SecLeafPVCInit(SecLeafPVCRef pvc, SecCertificateRef leaf, CFArrayRef policies, CFAbsoluteTime verifyTime); +void SecLeafPVCDelete(SecLeafPVCRef pvc); +bool SecLeafPVCLeafChecks(SecLeafPVCRef pvc); + __END_DECLS #endif /* !_SECURITY_SECPOLICYINTERNAL_H_ */ 
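Review bot: The block of `SecPolicyCheckCert*` prototypes and the `SecLeafPVC*` declarations added at the end of SecPolicyInternal.h have no documentation of their contract, and the changed `SecPolicyCreate(CFStringRef oid, CFStringRef name, CFDictionaryRef options)` does not say what `name` is. SecPolicyLeafCallbacks.c in this same commit states the rule, so the header should carry it: `/* SecPolicyCheckCert*: return true if cert satisfies the check described by pvcValue (the policy's option value for that check key), false otherwise. */`. For the PVC API, a comment such as `/* SecLeafPVCInit retains leaf and policies and allocates details/callbacks; SecLeafPVCDelete releases them. */` matches what the .c file does. Note also that `struct OpaqueSecLeafPVC` is now fully visible in a shared internal header despite its name, so the `Opaque` prefix no longer describes it.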
diff --git a/OSX/sec/Security/SecPolicyLeafCallbacks.c b/OSX/sec/Security/SecPolicyLeafCallbacks.c
new file mode 100644
index 00000000..c3cb359b
--- /dev/null
+++ b/OSX/sec/Security/SecPolicyLeafCallbacks.c
@@ -0,0 +1,822 @@ +/* + * Copyright (c) 2008-2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* + * SecPolicyLeafCallbacks.c - Callbacks for SecPolicy for verifying leafs + */ + +#include <AssertMacros.h> +#include <CoreFoundation/CFDictionary.h> +#include <Security/SecPolicyInternal.h> +#include <Security/SecCertificateInternal.h> +#include <utilities/SecCFWrappers.h> +#include <wctype.h> +#include <dlfcn.h> +#include <libDER/oidsPriv.h> + +/* + * MARK: SecPolicyCheckCert Functions + * All SecPolicyCheckCert* return false if the cert fails the check and true if it succeeds. + */ + +typedef bool (*SecPolicyCheckCertFunction)(SecCertificateRef cert, CFTypeRef pvcValue); + +/* This one is different from SecPolicyCheckCriticalExtensions because + that one is an empty stub. The CriticalExtensions check is done in + SecPolicyCheckBasicCertificateProcessing. 
*/ +static bool SecPolicyCheckCertCriticalExtensions(SecCertificateRef cert, CFTypeRef __unused pvcValue) { + if (SecCertificateHasUnknownCriticalExtension(cert)) { + /* Certificate contains one or more unknown critical extensions. */ + return false; + } + return true; +} + +static bool keyusage_allows(SecKeyUsage keyUsage, CFTypeRef xku) { + if (!xku || CFGetTypeID(xku) != CFNumberGetTypeID()) + return false; + + SInt32 dku; + CFNumberGetValue((CFNumberRef)xku, kCFNumberSInt32Type, &dku); + SecKeyUsage ku = (SecKeyUsage)dku; + return (keyUsage & ku) == ku; +} + +bool SecPolicyCheckCertKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue) { + SecKeyUsage keyUsage = SecCertificateGetKeyUsage(cert); + bool match = false; + CFTypeRef xku = pvcValue; + if (isArray(xku)) { + CFIndex ix, count = CFArrayGetCount(xku); + for (ix = 0; ix < count; ++ix) { + CFTypeRef ku = CFArrayGetValueAtIndex(xku, ix); + if (keyusage_allows(keyUsage, ku)) { + match = true; + break; + } + } + } else { + match = keyusage_allows(keyUsage, xku); + } + return match; +} + +static bool extendedkeyusage_allows(CFArrayRef extendedKeyUsage, + CFDataRef xeku) { + if (!xeku) + return false; + if (extendedKeyUsage) { + CFRange all = { 0, CFArrayGetCount(extendedKeyUsage) }; + return CFArrayContainsValue(extendedKeyUsage, all, xeku); + } else { + /* Certificate has no extended key usage, only a match if the policy + contains a 0 length CFDataRef. 
*/ + return CFDataGetLength((CFDataRef)xeku) == 0; + } +} + +static bool isExtendedKeyUsageAllowed(CFArrayRef extendedKeyUsage, + CFTypeRef xeku) { + if (!xeku) { + return false; + } + if(CFGetTypeID(xeku) == CFDataGetTypeID()) { + return extendedkeyusage_allows(extendedKeyUsage, xeku); + } else if (CFGetTypeID(xeku) == CFStringGetTypeID()) { + CFDataRef eku = SecCertificateCreateOidDataFromString(NULL, xeku); + if (eku) { + bool result = extendedkeyusage_allows(extendedKeyUsage, eku); + CFRelease(eku); + return result; + } + } + return false; +} + +bool SecPolicyCheckCertExtendedKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue) { + CFArrayRef certExtendedKeyUsage = SecCertificateCopyExtendedKeyUsage(cert); + bool match = false; + CFTypeRef xeku = pvcValue; + if (isArray(xeku)) { + CFIndex ix, count = CFArrayGetCount(xeku); + for (ix = 0; ix < count; ix++) { + CFTypeRef eku = CFArrayGetValueAtIndex(xeku, ix); + if (isExtendedKeyUsageAllowed(certExtendedKeyUsage, eku)) { + match = true; + break; + } + } + } else { + match = isExtendedKeyUsageAllowed(certExtendedKeyUsage, xeku); + } + CFReleaseSafe(certExtendedKeyUsage); + return match; +} + +static bool SecPolicyCheckCertNonEmptySubject(SecCertificateRef cert, CFTypeRef pvcValue) { + /* If the certificate has a subject, or + if it doesn't, and it's the leaf and not self signed, + and also has a critical subjectAltName extension it's valid. */ + if (!SecCertificateHasSubject(cert)) { + Boolean isSelfSigned = true; + SecCertificateIsSelfSigned(cert, &isSelfSigned); + if (!isSelfSigned) { + if (!SecCertificateHasCriticalSubjectAltName(cert)) { + /* Leaf certificate with empty subject does not have + a critical subject alt name extension. */ + return false; + } + } else { + /* CA certificate has empty subject. */ + return false; + } + } + return true; +} + + +/* This one is different from SecPolicyCheckQualifiedCertStatements because + both are empty stubs. 
*/ +static bool SecPolicyCheckCertQualifiedCertStatements(SecCertificateRef __unused cert, + CFTypeRef __unused pvcValue) { + return true; +} + +#if 0 +/* We have a wildcard reference identifier that looks like "*." followed by 2 or + more labels. Use CFNetwork's function for determining if those labels comprise + a top-level domain. We need to dlopen since CFNetwork is a client of ours. */ +typedef bool (*CFNIsTLD_f)(CFStringRef domain); +static bool SecDNSIsTLD(CFStringRef reference) { + bool result = false; /* fail open for allocation and symbol lookup failures */ + static CFNIsTLD_f CFNIsDomainTopLevelFunctionPtr = NULL; + static dispatch_once_t onceToken; + CFStringRef presentedDomain = NULL; + + dispatch_once(&onceToken, ^{ + void *framework = dlopen("/System/Library/Frameworks/CFNetwork.framework/CFNetwork", RTLD_LAZY); + if (framework) { + CFNIsDomainTopLevelFunctionPtr = dlsym(framework, "_CFHostIsDomainTopLevel"); + } + }); + + require_quiet(CFNIsDomainTopLevelFunctionPtr, out); + CFIndex referenceLen = CFStringGetLength(reference); + + /* reference identifier is too short, we should fail it */ + require_action_quiet(referenceLen > 2, out, result = true); + + require_quiet(presentedDomain = CFStringCreateWithSubstring(NULL, reference, + CFRangeMake(2, referenceLen - 2)), + out); + result = CFNIsDomainTopLevelFunctionPtr(presentedDomain); + +out: + CFReleaseNull(presentedDomain); + return result; +} +#endif + +/* Compare hostname, to a server name obtained from the server's cert + Obtained from the SubjectAltName or the CommonName entry in the Subject. + Limited wildcard checking is performed here as outlined in RFC 6125 + Section 6.4.3. + + We adhere to the (SHOULD NOT) guidance in rules 1 and 2, and we choose + never to accept partial-label wildcards even though they are allowed by + rule 3. 
+ + We use the language from RFC 6125, particularly the following definitions: + + presented identifier: An identifier that is presented by a server to + a client within a PKIX certificate when the client attempts to + establish secure communication with the server; the certificate + can include one or more presented identifiers of different types, + and if the server hosts more than one domain then the certificate + might present distinct identifiers for each domain. + + reference identifier: An identifier, constructed from a source + domain and optionally an application service type, used by the + client for matching purposes when examining presented identifiers. + + */ +static bool SecDNSMatch(CFStringRef reference, CFStringRef presented) { + CFArrayRef referenceLabels = NULL, presentedLabels = NULL; + bool result = false; + + /* A trailing '.' in the reference identifier is allowed as a mechanism + to force TLS renegotiation. Strip it before parsing labels. */ + CFIndex referenceLen = CFStringGetLength(reference); + require_quiet(referenceLen > 0, noMatch); + if ('.' == CFStringGetCharacterAtIndex(reference, referenceLen - 1)) { + CFStringRef truncatedReference = CFStringCreateWithSubstring(NULL, reference, + CFRangeMake(0, referenceLen - 1)); + referenceLabels = CFStringCreateArrayBySeparatingStrings(NULL, truncatedReference, CFSTR(".")); + CFReleaseNull(truncatedReference); + require_quiet(referenceLabels, noMatch); + } else { + require_quiet(referenceLabels = CFStringCreateArrayBySeparatingStrings(NULL, reference, CFSTR(".")), + noMatch); + } + + require_quiet(presentedLabels = CFStringCreateArrayBySeparatingStrings(NULL, presented, CFSTR(".")), + noMatch); + + /* Reference Identifier and Presented Identifier must have the same number of labels + because a wildcard in the presented identifier can only match a single label in the + reference identifier. 
*/ + require_quiet(CFArrayGetCount(referenceLabels) == CFArrayGetCount(presentedLabels), noMatch); + + CFIndex ix, count = CFArrayGetCount(referenceLabels); + for (ix = count - 1; ix >= 0; ix--) { + CFStringRef rlabel = NULL, plabel = NULL; + require_quiet(rlabel = CFArrayGetValueAtIndex(referenceLabels, ix), noMatch); + require_quiet(plabel = CFArrayGetValueAtIndex(presentedLabels, ix), noMatch); + if (CFEqual(plabel, CFSTR("*"))) { + /* must only occur in left-most label */ + require_quiet(ix == 0, noMatch); + + /* must not occur before single-label TLD */ + require_quiet(count > 2 && ix != count - 2, noMatch); +#if 0 + // <rdar://26563617>, check removed due to <rdar://26552669> + /* must not occur before a multi-label gTLD */ + require_quiet(!SecDNSIsTLD(presented), noMatch); +#endif + } else { + /* partial-label wildcards are disallowed */ + CFRange partialRange = CFStringFind(plabel, CFSTR("*"), 0); + require_quiet(partialRange.location == kCFNotFound && partialRange.length == 0 , + noMatch); + + /* not a wildcard, so labels must match exactly */ + require_quiet(CFStringCompare(rlabel, plabel, kCFCompareCaseInsensitive) == kCFCompareEqualTo, noMatch); + } + } + + result = true; + +noMatch: + CFReleaseNull(referenceLabels); + CFReleaseNull(presentedLabels); + return result; +} + +bool SecPolicyCheckCertSSLHostname(SecCertificateRef cert, CFTypeRef pvcValue) { + /* @@@ Consider what to do if the caller passes in no hostname. Should + we then still fail if the leaf has no dnsNames or IPAddresses at all? */ + CFStringRef hostName = pvcValue; + if (!isString(hostName)) { + /* @@@ We can't return an error here and making the evaluation fail + won't help much either. 
*/ + return false; + } + + bool dnsMatch = false; + CFArrayRef dnsNames = SecCertificateCopyDNSNames(cert); + if (dnsNames) { + CFIndex ix, count = CFArrayGetCount(dnsNames); + for (ix = 0; ix < count; ++ix) { + CFStringRef dns = (CFStringRef)CFArrayGetValueAtIndex(dnsNames, ix); + if (SecDNSMatch(hostName, dns)) { + dnsMatch = true; + break; + } + } + CFRelease(dnsNames); + } + + if (!dnsMatch) { + /* Maybe hostname is an IPv4 or IPv6 address, let's compare against + the values returned by SecCertificateCopyIPAddresses() instead. */ + CFArrayRef ipAddresses = SecCertificateCopyIPAddresses(cert); + if (ipAddresses) { + CFIndex ix, count = CFArrayGetCount(ipAddresses); + for (ix = 0; ix < count; ++ix) { + CFStringRef ipAddress = (CFStringRef)CFArrayGetValueAtIndex(ipAddresses, ix); + if (!CFStringCompare(hostName, ipAddress, kCFCompareCaseInsensitive)) { + dnsMatch = true; + break; + } + } + CFRelease(ipAddresses); + } + } + + return dnsMatch; +} + +bool SecPolicyCheckCertEmail(SecCertificateRef cert, CFTypeRef pvcValue) { + CFStringRef email = pvcValue; + bool match = false; + if (!isString(email)) { + /* We can't return an error here and making the evaluation fail + won't help much either. */ + return false; + } + + CFArrayRef addrs = SecCertificateCopyRFC822Names(cert); + if (addrs) { + CFIndex ix, count = CFArrayGetCount(addrs); + for (ix = 0; ix < count; ++ix) { + CFStringRef addr = (CFStringRef)CFArrayGetValueAtIndex(addrs, ix); + if (!CFStringCompare(email, addr, kCFCompareCaseInsensitive)) { + match = true; + break; + } + } + CFRelease(addrs); + } + + return match; +} + +static bool SecPolicyCheckCertValidLeaf(SecCertificateRef cert, CFTypeRef pvcValue) { + CFAbsoluteTime verifyTime = CFDateGetAbsoluteTime(pvcValue); + if (!SecCertificateIsValid(cert, verifyTime)) { + /* Leaf certificate has expired. 
*/ + return false; + } + return true; +} + +bool SecPolicyCheckCertSubjectCommonNamePrefix(SecCertificateRef cert, CFTypeRef pvcValue) { + CFStringRef prefix = pvcValue; + bool match = true; + if (!isString(prefix)) { + /* @@@ We can't return an error here and making the evaluation fail + won't help much either. */ + return false; + } + CFArrayRef commonNames = SecCertificateCopyCommonNames(cert); + if (!commonNames || CFArrayGetCount(commonNames) != 1 || + !CFStringHasPrefix(CFArrayGetValueAtIndex(commonNames, 0), prefix)) { + /* Common Name prefix mismatch. */ + match = false; + } + CFReleaseSafe(commonNames); + return match; +} + +bool SecPolicyCheckCertSubjectCommonName(SecCertificateRef cert, CFTypeRef pvcValue) { + CFStringRef common_name = pvcValue; + bool match = true; + if (!isString(common_name)) { + /* @@@ We can't return an error here and making the evaluation fail + won't help much either. */ + return false; + } + CFArrayRef commonNames = SecCertificateCopyCommonNames(cert); + if (!commonNames || CFArrayGetCount(commonNames) != 1 || + !CFEqual(common_name, CFArrayGetValueAtIndex(commonNames, 0))) { + /* Common Name mismatch. */ + match = false; + } + CFReleaseSafe(commonNames); + return match; +} + +bool SecPolicyCheckCertSubjectCommonNameTEST(SecCertificateRef cert, CFTypeRef pvcValue) { + CFStringRef common_name = pvcValue; + bool match = true; + if (!isString(common_name)) { + /* @@@ We can't return an error here and making the evaluation fail + won't help much either. */ + return false; + } + CFArrayRef commonNames = SecCertificateCopyCommonNames(cert); + if (!commonNames || CFArrayGetCount(commonNames) != 1) { + CFStringRef cert_common_name = CFArrayGetValueAtIndex(commonNames, 0); + CFStringRef test_common_name = common_name ? 
+ CFStringCreateWithFormat(kCFAllocatorDefault, + NULL, CFSTR("TEST %@ TEST"), common_name) : + NULL; + if (!CFEqual(common_name, cert_common_name) && + (!test_common_name || !CFEqual(test_common_name, cert_common_name))) + /* Common Name mismatch. */ + match = false; + CFReleaseSafe(test_common_name); + } + CFReleaseSafe(commonNames); + return match; +} + +bool SecPolicyCheckCertNotValidBefore(SecCertificateRef cert, CFTypeRef pvcValue) { + CFDateRef date = pvcValue; + if (!isDate(date)) { + /* @@@ We can't return an error here and making the evaluation fail + won't help much either. */ + return false; + } + CFAbsoluteTime at = CFDateGetAbsoluteTime(date); + if (SecCertificateNotValidBefore(cert) <= at) { + /* Leaf certificate has not valid before that is too old. */ + return false; + } + return true; +} + +bool SecPolicyCheckCertSubjectOrganization(SecCertificateRef cert, CFTypeRef pvcValue) { + CFStringRef org = pvcValue; + bool match = true; + if (!isString(org)) { + /* @@@ We can't return an error here and making the evaluation fail + won't help much either. */ + return false; + } + CFArrayRef organization = SecCertificateCopyOrganization(cert); + if (!organization || CFArrayGetCount(organization) != 1 || + !CFEqual(org, CFArrayGetValueAtIndex(organization, 0))) { + /* Leaf Subject Organization mismatch. */ + match = false; + } + CFReleaseSafe(organization); + return match; +} + +bool SecPolicyCheckCertSubjectOrganizationalUnit(SecCertificateRef cert, CFTypeRef pvcValue) { + CFStringRef orgUnit = pvcValue; + bool match = true; + if (!isString(orgUnit)) { + /* @@@ We can't return an error here and making the evaluation fail + won't help much either. */ + return false; + } + CFArrayRef organizationalUnit = SecCertificateCopyOrganizationalUnit(cert); + if (!organizationalUnit || CFArrayGetCount(organizationalUnit) != 1 || + !CFEqual(orgUnit, CFArrayGetValueAtIndex(organizationalUnit, 0))) { + /* Leaf Subject Organizational Unit mismatch. 
*/ + match = false; + } + CFReleaseSafe(organizationalUnit); + return match; +} + +bool SecPolicyCheckCertEAPTrustedServerNames(SecCertificateRef cert, CFTypeRef pvcValue) { + CFArrayRef trustedServerNames = pvcValue; + /* No names specified means we accept any name. */ + if (!trustedServerNames) + return true; + if (!isArray(trustedServerNames)) { + /* @@@ We can't return an error here and making the evaluation fail + won't help much either. */ + return false; + } + + CFIndex tsnCount = CFArrayGetCount(trustedServerNames); + bool dnsMatch = false; + CFArrayRef dnsNames = SecCertificateCopyDNSNames(cert); + if (dnsNames) { + CFIndex ix, count = CFArrayGetCount(dnsNames); + // @@@ This is O(N^2) unfortunately we can't do better easily unless + // we don't do wildcard matching. */ + for (ix = 0; !dnsMatch && ix < count; ++ix) { + CFStringRef dns = (CFStringRef)CFArrayGetValueAtIndex(dnsNames, ix); + CFIndex tix; + for (tix = 0; tix < tsnCount; ++tix) { + CFStringRef serverName = + (CFStringRef)CFArrayGetValueAtIndex(trustedServerNames, tix); + if (!isString(serverName)) { + /* @@@ We can't return an error here and making the + evaluation fail won't help much either. */ + CFReleaseSafe(dnsNames); + return false; + } + /* we purposefully reverse the arguments here such that dns names + from the cert are matched against a server name list, where + the server names list can contain wildcards and the dns name + cannot. References: http://support.microsoft.com/kb/941123 + It's easy to find occurrences where people tried to use + wildcard certificates and were told that those don't work + in this context. 
*/ + if (SecDNSMatch(dns, serverName)) { + dnsMatch = true; + break; + } + } + } + CFRelease(dnsNames); + } + + return dnsMatch; +} + +bool SecPolicyCheckCertLeafMarkerOid(SecCertificateRef cert, CFTypeRef pvcValue) { + if (pvcValue && SecCertificateHasMarkerExtension(cert, pvcValue)) { + return true; + } + + return false; +} + +bool SecPolicyCheckCertLeafMarkerOidWithoutValueCheck(SecCertificateRef cert, + CFTypeRef pvcValue) { + if (CFGetTypeID(pvcValue) == CFArrayGetTypeID()) { + CFIndex ix, length = CFArrayGetCount(pvcValue); + for (ix = 0; ix < length; ix++) + if (SecPolicyCheckCertLeafMarkerOidWithoutValueCheck(cert, + CFArrayGetValueAtIndex((CFArrayRef)pvcValue, ix))) { + return true; + } + } else if (CFGetTypeID(pvcValue) == CFDataGetTypeID() || + CFGetTypeID(pvcValue) == CFStringGetTypeID()) { + return (NULL != SecCertificateGetExtensionValue(cert, pvcValue)); + } + return false; +} + +static CFSetRef copyCertificatePolicies(SecCertificateRef cert) { + CFMutableSetRef policies = NULL; + policies = CFSetCreateMutable(NULL, 0, &kCFTypeSetCallBacks); + if (!policies) return NULL; + + const SecCECertificatePolicies *cp = SecCertificateGetCertificatePolicies(cert); + size_t policy_ix, policy_count = cp ? cp->numPolicies : 0; + for (policy_ix = 0; policy_ix < policy_count; ++policy_ix) { + CFDataRef oidData = NULL; + DERItem *policyOID = &cp->policies[policy_ix].policyIdentifier; + oidData = CFDataCreate(kCFAllocatorDefault, policyOID->data, policyOID->length); + CFSetAddValue(policies, oidData); + CFReleaseSafe(oidData); + } + return policies; +} + +static bool checkPolicyOidData(SecCertificateRef cert , CFDataRef oid) { + CFSetRef policies = copyCertificatePolicies(cert); + bool found = false; + if (policies && CFSetContainsValue(policies, oid)) { + found = true; + } + CFReleaseSafe(policies); + return found; +} + +/* This one is different from SecPolicyCheckCertificatePolicyOid because + that one checks the whole chain. (And uses policy_set_t...) 
*/ +static bool SecPolicyCheckCertCertificatePolicyOid(SecCertificateRef cert, CFTypeRef pvcValue) { + CFTypeRef value = pvcValue; + bool result = false; + + if (CFGetTypeID(value) == CFDataGetTypeID()) + { + result = checkPolicyOidData(cert, value); + } else if (CFGetTypeID(value) == CFStringGetTypeID()) { + CFDataRef dataOid = SecCertificateCreateOidDataFromString(NULL, value); + if (dataOid) { + result = checkPolicyOidData(cert, dataOid); + CFRelease(dataOid); + } + } + return result; +} + +static bool SecPolicyCheckCertWeak(SecCertificateRef cert, CFTypeRef __unused pvcValue) { + if (cert && SecCertificateIsWeak(cert)) { + /* Leaf certificate has a weak key. */ + return false; + } + return true; +} + +static bool SecPolicyCheckCertKeySize(SecCertificateRef cert, CFTypeRef pvcValue) { + CFDictionaryRef keySizes = pvcValue; + if (!SecCertificateIsAtLeastMinKeySize(cert, keySizes)) { + return false; + } + return true; +} + +static CFStringRef convertSignatureHashAlgorithm(SecSignatureHashAlgorithm algorithmEnum) { + const void *digests[] = { kSecSignatureDigestAlgorithmUnknown, + kSecSignatureDigestAlgorithmMD2, + kSecSignatureDigestAlgorithmMD4, + kSecSignatureDigestAlgorithmMD5, + kSecSignatureDigestAlgorithmSHA1, + kSecSignatureDigestAlgorithmSHA224, + kSecSignatureDigestAlgorithmSHA256, + kSecSignatureDigestAlgorithmSHA384, + kSecSignatureDigestAlgorithmSHA512, + }; + return digests[algorithmEnum]; +} + +bool SecPolicyCheckCertSignatureHashAlgorithms(SecCertificateRef cert, CFTypeRef pvcValue) { + CFSetRef disallowedHashAlgorithms = pvcValue; + CFStringRef certAlg = convertSignatureHashAlgorithm(SecCertificateGetSignatureHashAlgorithm(cert)); + if (CFSetContainsValue(disallowedHashAlgorithms, certAlg)) { + return false; + } + return true; +} + +/* + * MARK: SecLeafPVC functions + */ +static CFDictionaryRef SecLeafPVCCopyCallbacks(void) { + CFMutableDictionaryRef leafCallbacks = NULL; + leafCallbacks = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + 
&kCFTypeDictionaryKeyCallBacks, NULL);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckCriticalExtensions,
+ SecPolicyCheckCertCriticalExtensions);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckKeyUsage,
+ SecPolicyCheckCertKeyUsage);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckExtendedKeyUsage,
+ SecPolicyCheckCertExtendedKeyUsage);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckNonEmptySubject,
+ SecPolicyCheckCertNonEmptySubject);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckQualifiedCertStatements,
+ SecPolicyCheckCertQualifiedCertStatements);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckSSLHostname,
+ SecPolicyCheckCertSSLHostname);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckEmail,
+ SecPolicyCheckCertEmail);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckValidLeaf,
+ SecPolicyCheckCertValidLeaf);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckSubjectCommonNamePrefix,
+ SecPolicyCheckCertSubjectCommonNamePrefix);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckSubjectCommonName,
+ SecPolicyCheckCertSubjectCommonName);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckNotValidBefore,
+ SecPolicyCheckCertNotValidBefore);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckSubjectOrganization,
+ SecPolicyCheckCertSubjectOrganization);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckSubjectOrganizationalUnit,
+ SecPolicyCheckCertSubjectOrganizationalUnit);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckEAPTrustedServerNames,
+ SecPolicyCheckCertEAPTrustedServerNames);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckSubjectCommonNameTEST,
+ SecPolicyCheckCertSubjectCommonNameTEST);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckLeafMarkerOid,
+ SecPolicyCheckCertLeafMarkerOid);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckLeafMarkerOidWithoutValueCheck,
+ SecPolicyCheckCertLeafMarkerOidWithoutValueCheck);
+ 
CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckCertificatePolicy,
+ SecPolicyCheckCertCertificatePolicyOid);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckWeakLeaf,
+ SecPolicyCheckCertWeak);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckKeySize,
+ SecPolicyCheckCertKeySize);
+ CFDictionaryAddValue(leafCallbacks,
+ kSecPolicyCheckSignatureHashAlgorithms,
+ SecPolicyCheckCertSignatureHashAlgorithms);
+
+ return leafCallbacks;
+}
+
+void SecLeafPVCInit(SecLeafPVCRef pvc, SecCertificateRef leaf, CFArrayRef policies,
+ CFAbsoluteTime verifyTime) {
+ secdebug("alloc", "%p", pvc);
+ // Weird logging policies crashes.
+ //secdebug("policy", "%@", policies);
+ pvc->leaf = CFRetainSafe(leaf);
+ pvc->policies = CFRetainSafe(policies);
+ pvc->verifyTime = verifyTime;
+ pvc->callbacks = SecLeafPVCCopyCallbacks();
+ pvc->policyIX = 0;
+ pvc->result = true;
+
+ CFMutableDictionaryRef certDetail = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ pvc->details = CFArrayCreate(kCFAllocatorDefault, (const void **)&certDetail, 1,
+ &kCFTypeArrayCallBacks);
+ CFRelease(certDetail);
+}
+
+
+void SecLeafPVCDelete(SecLeafPVCRef pvc) {
+ secdebug("alloc", "%p", pvc);
+ CFReleaseNull(pvc->policies);
+ CFReleaseNull(pvc->details);
+ CFReleaseNull(pvc->callbacks);
+ CFReleaseNull(pvc->leaf);
+}
+
+static bool SecLeafPVCSetResultForced(SecLeafPVCRef pvc,
+ CFStringRef key, CFIndex ix, CFTypeRef result, bool force) {
+
+ secdebug("policy", "cert[%d]: %@ =(%s)[%s]> %@", (int) ix, key, "leaf",
+ (force ? "force" : ""), result);
+
+ /* If this is not something the current policy cares about ignore
+ this error and return true so our caller continues evaluation. */
+ if (!force) {
+ /* @@@ The right long term fix might be to check if none of the passed
+ in policies contain this key, since not all checks are run for all
+ policies. 
*/
+ SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(pvc->policies, pvc->policyIX);
+ if (policy && !CFDictionaryContainsKey(policy->_options, key))
+ return true;
+ }
+
+ /* @@@ Check to see if the SecTrustSettings for the certificate in question
+ tell us to ignore this error. */
+ pvc->result = false;
+ if (!pvc->details)
+ return false;
+
+ CFMutableDictionaryRef detail =
+ (CFMutableDictionaryRef)CFArrayGetValueAtIndex(pvc->details, ix);
+
+ /* Perhaps detail should have an array of results per key? As it stands
+ in the case of multiple policy failures the last failure stands. */
+ CFDictionarySetValue(detail, key, result);
+
+ return true;
+}
+
+static bool SecLeafPVCSetResult(SecLeafPVCRef pvc,
+ CFStringRef key, CFIndex ix, CFTypeRef result) {
+ return SecLeafPVCSetResultForced(pvc, key, ix, result, false);
+}
+
+static void SecLeafPVCValidateKey(const void *key, const void *value,
+ void *context) {
+ SecLeafPVCRef pvc = (SecLeafPVCRef)context;
+
+ /* If our caller doesn't want full details and we failed earlier there is
+ no point in doing additional checks. 
*/
+ if (!pvc->result && !pvc->details)
+ return;
+
+ SecPolicyCheckCertFunction fcn = (SecPolicyCheckCertFunction) CFDictionaryGetValue(pvc->callbacks, key);
+ if (!fcn) {
+ pvc->result = false;
+ return;
+ }
+
+ /* kSecPolicyCheckValidLeaf is special */
+ if (CFEqual(key, kSecPolicyCheckValidLeaf)) {
+ CFDateRef verifyDate = CFDateCreate(NULL, pvc->verifyTime);
+ if(!fcn(pvc->leaf, verifyDate)) {
+ SecLeafPVCSetResult(pvc, key, 0, kCFBooleanFalse);
+ }
+ CFReleaseSafe(verifyDate);
+ } else {
+ /* get pvcValue from current policy */
+ SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(pvc->policies, pvc->policyIX);
+ if (!policy) {
+ pvc->result = false;
+ return;
+ }
+ CFTypeRef pvcValue = (CFTypeRef)CFDictionaryGetValue(policy->_options, key);
+ if(!fcn(pvc->leaf, pvcValue)) {
+ SecLeafPVCSetResult(pvc, key, 0, kCFBooleanFalse);
+ }
+ }
+}
+
+bool SecLeafPVCLeafChecks(SecLeafPVCRef pvc) {
+ pvc->result = true;
+ CFArrayRef policies = pvc->policies;
+ CFIndex ix, count = CFArrayGetCount(policies);
+ for (ix = 0; ix < count; ++ix) {
+ SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(policies, ix);
+ pvc->policyIX = ix;
+ /* Validate all keys for all policies. */
+ CFDictionaryApplyFunction(policy->_options, SecLeafPVCValidateKey, pvc);
+ if (!pvc->result && !pvc->details)
+ return pvc->result;
+ }
+ return pvc->result;
+}
diff --git a/OSX/sec/Security/SecPolicyPriv.h b/OSX/sec/Security/SecPolicyPriv.h
index 9c0f0c76..049b9498 100644
--- a/OSX/sec/Security/SecPolicyPriv.h
+++ b/OSX/sec/Security/SecPolicyPriv.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2015 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2007-2016 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
@@ -38,10 +38,12 @@ __BEGIN_DECLS +CF_ASSUME_NONNULL_BEGIN +CF_IMPLICIT_BRIDGING_ENABLED + /*! @enum Policy Constants (Private) @discussion Predefined constants used to specify a policy. - @constant kSecPolicyApplePassbookSigning @constant kSecPolicyAppleMobileStore @constant kSecPolicyAppleTestMobileStore @constant kSecPolicyAppleEscrowService 
@@ -54,14 +56,46 @@ __BEGIN_DECLS @constant kSecPolicyAppleSMPEncryption @constant kSecPolicyAppleTestSMPEncryption @constant kSecPolicyApplePCSEscrowService + @constant kSecPolicyApplePPQSigning + @constant kSecPolicyAppleTestPPQSigning @constant kSecPolicyAppleSWUpdateSigning @constant kSecPolicyApplePackageSigning - @constant kSecPolicyAppleATVAppSigning - @constant kSecPolicyAppleTestATVAppSigning @constant kSecPolicyAppleOSXProvisioningProfileSigning -*/ -extern const CFStringRef kSecPolicyApplePassbookSigning - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); + @constant kSecPolicyAppleATVVPNProfileSigning + @constant kSecPolicyAppleAST2DiagnosticsServerAuth + @constant kSecPolicyAppleEscrowProxyServerAuth + @constant kSecPolicyAppleFMiPServerAuth + @constant kSecPolicyAppleMMCService + @constant kSecPolicyAppleGSService + @constant kSecPolicyApplePPQService + @constant kSecPolicyAppleHomeKitServerAuth + @constant kSecPolicyAppleiPhoneActivation + @constant kSecPolicyAppleiPhoneDeviceCertificate + @constant kSecPolicyAppleFactoryDeviceCertificate + @constant kSecPolicyAppleiAP + @constant kSecPolicyAppleiTunesStoreURLBag + @constant kSecPolicyAppleiPhoneApplicationSigning + @constant kSecPolicyAppleiPhoneProfileApplicationSigning + @constant kSecPolicyAppleiPhoneProvisioningProfileSigning + @constant kSecPolicyAppleLockdownPairing + @constant kSecPolicyAppleURLBag + @constant kSecPolicyAppleOTATasking + @constant kSecPolicyAppleMobileAsset + @constant kSecPolicyAppleIDAuthority + @constant kSecPolicyAppleGenericApplePinned + @constant kSecPolicyAppleGenericAppleSSLPinned + @constant kSecPolicyAppleSoftwareSigning + @constant kSecPolicyAppleExternalDeveloper + @constant kSecPolicyAppleOCSPSigner + @constant kSecPolicyAppleIDSService + @constant kSecPolicyAppleIDSServiceContext + @constant kSecPolicyApplePushService + @constant kSecPolicyAppleLegacyPushService + @constant kSecPolicyAppleTVOSApplicationSigning + @constant 
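Review bot: `CF_ASSUME_NONNULL_BEGIN` makes every pointer parameter and return value declared after it in this header `_Nonnull` unless it is explicitly marked `__nullable`; that is a compile-time annotation, not a runtime check, so the implementations behind these prototypes must keep their own NULL handling and reviewers should not read the annotation as enforcement. The matching `CF_ASSUME_NONNULL_END` / `CF_IMPLICIT_BRIDGING_DISABLED` pair is outside this hunk and I could not confirm it is present. A one-line comment above the macro would save the next reader a trip to the docs: `/* Pointers below are non-null unless marked __nullable; this is an annotation only — implementations must still validate their arguments. */`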
kSecPolicyAppleUniqueDeviceIdentifierCertificate + @constant kSecPolicyAppleEscrowProxyCompatibilityServerAuth + @constant kSecPolicyAppleMMCSCompatibilityServerAuth + */ extern const CFStringRef kSecPolicyAppleMobileStore __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleTestMobileStore 
@@ -74,111 +108,283 @@ extern const CFStringRef kSecPolicyAppleQAProfileSigner __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleServerAuthentication __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); -#if TARGET_OS_IPHONE extern const CFStringRef kSecPolicyAppleOTAPKISigner - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleTestOTAPKISigner - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0); + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_7_0); + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_NA, __MAC_NA, __IPHONE_7_0, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleIDValidationRecordSigning + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); extern const CFStringRef kSecPolicyAppleSMPEncryption - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0); + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0); extern const CFStringRef kSecPolicyAppleTestSMPEncryption - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0); -#endif + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0); extern const CFStringRef kSecPolicyApplePCSEscrowService __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_7_0); -extern const CFStringRef kSecPolicyAppleSWUpdateSigning +extern const CFStringRef kSecPolicyApplePPQSigning __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyApplePackageSigning +extern const CFStringRef kSecPolicyAppleTestPPQSigning __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyAppleATVAppSigning +extern const CFStringRef kSecPolicyAppleSWUpdateSigning __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); -extern const CFStringRef kSecPolicyAppleTestATVAppSigning +extern const CFStringRef kSecPolicyApplePackageSigning 
__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); extern const CFStringRef kSecPolicyAppleOSXProvisioningProfileSigning __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); +extern const CFStringRef kSecPolicyAppleATVVPNProfileSigning + __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); extern const CFStringRef kSecPolicyAppleAST2DiagnosticsServerAuth __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3); +extern const CFStringRef kSecPolicyAppleEscrowProxyServerAuth + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleFMiPServerAuth + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleMMCService + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleGSService + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyApplePPQService + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleHomeKitServerAuth + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleiPhoneActivation + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleiPhoneDeviceCertificate + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleFactoryDeviceCertificate + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleiAP + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleiTunesStoreURLBag + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleiPhoneApplicationSigning + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleiPhoneProfileApplicationSigning + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleiPhoneProvisioningProfileSigning + 
__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleLockdownPairing + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleURLBag + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleOTATasking + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleMobileAsset + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleIDAuthority + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleGenericApplePinned + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleGenericAppleSSLPinned + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleSoftwareSigning + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleExternalDeveloper + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleOCSPSigner + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleIDSService + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleIDSServiceContext + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyApplePushService + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleLegacyPushService + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleTVOSApplicationSigning + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleUniqueDeviceIdentifierCertificate + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyAppleEscrowProxyCompatibilityServerAuth + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); 
+extern const CFStringRef kSecPolicyAppleMMCSCompatibilityServerAuth + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); + +/*! + @enum Policy Value Constants + @abstract Predefined property key constants used to get or set values in + a dictionary for a policy instance. + @discussion + All policies will have the following read-only value: + kSecPolicyOid (the policy object identifier) + + Additional policy values which your code can optionally set: + kSecPolicyName (name which must be matched) + kSecPolicyClient (evaluate for client, rather than server) + kSecPolicyRevocationFlags (only valid for a revocation policy) + kSecPolicyRevocationFlags (only valid for a revocation policy) + kSecPolicyTeamIdentifier (only valid for a Passbook signing policy) + kSecPolicyContext (valid for policies below that take a context parameter) + kSecPolicyPolicyName (only valid for GenericApplePinned or + GenericAppleSSLPinned policies) + kSecPolicyIntermediateMarkerOid (only valid for GenericApplePinned or + GenericAppleSSLPinned policies) + kSecPolicyLeafMarkerOid (only valid for GenericApplePinned or + GenericAppleSSLPinned policies) + kSecPolicyRootDigest (only valid for the UniqueDeviceCertificate policy) + + @constant kSecPolicyContext Specifies a CFDictionaryRef with keys and values + specified by the particular SecPolicyCreate function. + @constant kSecPolicyPolicyName Specifies a CFStringRef of the name of the + desired policy result. + @constant kSecPolicyIntermediateMarkerOid Specifies a CFStringRef of the + marker OID (in decimal format) required in the intermediate certificate. + @constant kSecPolicyLeafMarkerOid Specifies a CFStringRef of the + marker OID (in decimal format) required in the leaf certificate. + @constant kSecPolicyRootDigest Specifies a CFDataRef of digest required to + match the SHA-256 of the root certificate. 
+ */ +extern const CFStringRef kSecPolicyContext + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyPolicyName + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyIntermediateMarkerOid + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyLeafMarkerOid + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); +extern const CFStringRef kSecPolicyRootDigest + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /*! - @enum Policy Value Constants - @abstract Predefined property key constants used to get or set values in - a dictionary for a policy instance. - @constant kSecPolicyTeamIdentifier Specifies a CFStringRef containing a - team identifier which must be matched in the certificate to satisfy - this policy. For the Passbook signing policy, this string must match - the Organizational Unit field of the certificate subject. -*/ -extern const CFStringRef kSecPolicyTeamIdentifier - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); + @function SecPolicyCreateApplePinned + @abstract Returns a policy object for verifying Apple certificates. + @param policyName A string that identifies the policy name. + @param intermediateMarkerOID A string containing the decimal representation of the + extension OID in the intermediate certificate. + @param leafMarkerOID A string containing the decimal representation of the extension OID + in the leaf certificate. + @discussion The resulting policy uses the Basic X.509 policy with validity check and + pinning options: + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if the value true is set for the key + "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the + com.apple.security preferences for the user of the calling application. + * There are exactly 3 certs in the chain. 
+ * The intermediate has a marker extension with OID matching the intermediateMarkerOID + parameter. + * The leaf has a marker extension with OID matching the leafMarkerOID parameter. + * Revocation is checked via OCSP or CRL. + * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. + @result A policy object. The caller is responsible for calling CFRelease on this when + it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateApplePinned(CFStringRef policyName, + CFStringRef intermediateMarkerOID, CFStringRef leafMarkerOID) + __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecPolicyCreateAppleSSLPinned + @abstract Returns a policy object for verifying Apple SSL certificates. + @param policyName A string that identifies the service/policy name. + @param hostname hostname to verify the certificate name against. + @param intermediateMarkerOID A string containing the decimal representation of the + extension OID in the intermediate certificate. If NULL is passed, the default OID of + 1.2.840.113635.100.6.2.12 is checked. + @param leafMarkerOID A string containing the decimal representation of the extension OID + in the leaf certificate. + @discussion The resulting policy uses the Basic X.509 policy with validity check and + pinning options: + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if the value true is set for the key + "ApplePinningAllowTestCerts%@" (where %@ is the policyName parameter) in the + com.apple.security preferences for the user of the calling application. + * There are exactly 3 certs in the chain. + * The intermediate has a marker extension with OID matching the intermediateMarkerOID + parameter, or 1.2.840.113635.100.6.2.12 if NULL is passed. + * The leaf has a marker extension with OID matching the leafMarkerOID parameter. 
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via OCSP or CRL. + * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. + For developers who need to disable pinning this function is equivalent to SecPolicyCreateSSL + on internal releases if the value true is set for the key "AppleServerAuthenticationNoPinning%@" + (where %@ is the policyName parameter) in the com.apple.Security preferences for the user + of the calling application. + @result A policy object. The caller is responsible for calling CFRelease on this when + it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleSSLPinned(CFStringRef policyName, CFStringRef hostname, + CFStringRef __nullable intermediateMarkerOID, CFStringRef leafMarkerOID) + __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); /*! @function SecPolicyCreateiPhoneActivation @abstract Returns a policy object for verifying iPhone Activation certificate chains. - @discussion This policy is like the Basic X.509 policy with the additional - requirements that the chain must contain exactly three certificates, the - anchor is the Apple Inc. CA, and the subject of the first intermediate - certificate has "Apple iPhone Certification Authority" as its only - Common Name entry. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in chain. + * The intermediate has Common Name "Apple iPhone Certification Authority". + * The leaf has Common Name "iPhone Activation". @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneActivation(void); /*! 
@function SecPolicyCreateiPhoneDeviceCertificate @abstract Returns a policy object for verifying iPhone Device certificate chains. - @discussion This policy is like the Basic X.509 policy with the additional - requirements that the chain must contain exactly four certificates, the - anchor is the Apple Inc. CA, and the subject of the first intermediate - certificate has "Apple iPhone Device CA" as its only Common Name entry. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * There are exactly 4 certs in chain. + * The chain is anchored to "Apple Root CA" certificate. + * The first intermediate has Common Name "Apple iPhone Device CA". @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneDeviceCertificate(void); /*! @function SecPolicyCreateFactoryDeviceCertificate @abstract Returns a policy object for verifying Factory Device certificate chains. - @discussion This policy is like the Basic X.509 policy with the additional - requirements that the chain must be anchored to the factory device certificate - issuer. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to the Factory Device CA. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateFactoryDeviceCertificate(void); /*! @function SecPolicyCreateiAP @abstract Returns a policy object for verifying iAP certificate chains. - @discussion This policy is like the Basic X.509 policy with these - additional requirements: - * The leaf's NotValidBefore should be greater than 5/31/06 midnight GMT. - * The Common Name of the leaf begins with the characters "IPA_". - * No validity checking is performed for any of the certificates. 
+ @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The leaf has notBefore date after 5/31/2006 midnight GMT. + * The leaf has Common Name beginning with "IPA_". The intended use of this policy is that the caller pass in the intermediates for iAP1 and iAP2 to SecTrustSetAnchorCertificates(). @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiAP(void); /*! @function SecPolicyCreateiTunesStoreURLBag @abstract Returns a policy object for verifying iTunes Store URL bag certificates. - @discussion This policy is like the Basic X.509 policy with these - additional requirements: - * The leaf's Organization is Apple Inc. - * The Common Name of the leaf is "iTunes Store URL Bag". + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to the iTMS CA. + * There are exactly 2 certs in the chain. + * The leaf has Organization "Apple Inc.". + * The leaf has Common Name "iTunes Store URL Bag". @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void); /*! 
@@ -190,10 +396,16 @@ SecPolicyRef SecPolicyCreateiTunesStoreURLBag(void); certificate must be in the trustedServerNames list. Note that contrary to all other policies the trustedServerNames list entries can have wildcards whilst the certificate cannot. This matches the existing deployments. + @discussion This policy uses the Basic X.509 policy with validity check but + disallowing network fetching. If trustedServerNames param is non-null, the + ExtendedKeyUsage extension, if present, of the leaf certificate is verified + to contain either the ServerAuth OID, if the server param is true or + ClientAuth OID, otherwise. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef trustedServerNames); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef __nullable trustedServerNames); /*! @function SecPolicyCreateIPSec 
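Review bot: The pinning escape hatches in the new `SecPolicyCreateAppleSSLPinned` discussion are documented under two different preference domains — `com.apple.security preferences` for `ApplePinningAllowTestCerts%@` and `com.apple.Security preferences` for `AppleServerAuthenticationNoPinning%@` — while `SecPolicyCreateApplePinned` uses only the lower-case form; preference domains end up as file names, so the doc should name the single domain the code actually reads. The same block says the hostname is matched against the SAN DNSName "or Common Name" without saying whether the CN is consulted only when no SAN dNSName is present; if that is how the implementation behaves, say so, because an unconditional CN fallback widens what a pinned leaf can assert. The Policy Value Constants list also repeats `kSecPolicyRevocationFlags (only valid for a revocation policy)` twice. I could not check the implementation from this header, so these are documentation points.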
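Review bot: The added `@discussion` for `SecPolicyCreateEAP` is a second `@discussion` tag in the same HeaderDoc block — the context above it, starting "certificate must be in the trustedServerNames list", appears to be the tail of an earlier paragraph — so one of the two is likely to be dropped or mis-rendered; fold the new text into the existing paragraph. While doing that, state the negative case explicitly, since it is the security-relevant one: `When trustedServerNames is NULL, neither the server name nor the leaf's ExtendedKeyUsage is checked by this policy.` The phrase "the ExtendedKeyUsage extension, if present" also deserves a word that a leaf with no EKU at all is accepted. The `@function`/`@abstract` lines of this block are outside the hunk.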
@@ -202,53 +414,90 @@ SecPolicyRef SecPolicyCreateEAP(Boolean server, CFArrayRef trustedServerNames); server certificates. @param hostname Optional; if present, the policy will require the specified hostname or ip address to match the hostname in the leaf certificate. + @discussion This policy uses the Basic X.509 policy with validity check. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef hostname); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateIPSec(Boolean server, CFStringRef __nullable hostname); /*! @function SecPolicyCreateAppleSWUpdateSigning - @abstract Returned a policy object for evaluating SW update signing certs. + @abstract Returns a policy object for evaluating SW update signing certs. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in the chain. + * The leaf ExtendedKeyUsage extension contains 1.2.840.113635.100.4.1. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void); /*! @function SecPolicyCreateApplePackageSigning - @abstract Returned a policy object for evaluating installer package signing certs. + @abstract Returns a policy object for evaluating installer package signing certs. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in the chain. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateApplePackageSigning(void); /*! 
@function SecPolicyCreateiPhoneApplicationSigning @abstract Returns a policy object for evaluating signed application signatures. This is for apps signed directly by the app store. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple iPhone Certification Authority". + * The leaf has Common Name "Apple iPhone OS Application Signing". + * If the device is not a production device and is running an internal + release, the leaf may have the Common Name "TEST Apple iPhone OS + Application Signing TEST". + * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID + or the CodeSigning OID. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneApplicationSigning(void); /*! @function SecPolicyCreateiPhoneProfileApplicationSigning @abstract Returns a policy object for evaluating signed application - signatures. This is meant for certificates inside a UPP or regular - profile. Currently it only checks for experation of the leaf and - revocation status. + signatures. This policy is for certificates inside a UPP or regular + profile. + @discussion This policy only verifies that the leaf is temporally valid + and not revoked. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneProfileApplicationSigning(void); /*! @function SecPolicyCreateiPhoneProvisioningProfileSigning @abstract Returns a policy object for evaluating provisioning profile signatures. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. 
+ * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple iPhone Certification Authority". + * The leaf has Common Name "Apple iPhone OS Provisioning Profile Signing". + * If the device is not a production device and is running an internal + release, the leaf may have the Common Name "TEST Apple iPhone OS + Provisioning Profile Signing TEST". @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void); /*! 
@@ -256,17 +505,31 @@ SecPolicyRef SecPolicyCreateiPhoneProvisioningProfileSigning(void); @abstract Returns a policy object for evaluating signed application signatures. This is for apps signed directly by the Apple TV app store, and allows for both the prod and the dev/test certs. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to any of the production Apple Root CAs. + Test roots are never permitted. + * There are exactly 3 certs in the chain. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1. + * The leaf has ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or + the CodeSigning OID. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.24 or OID + 1.2.840.113635.100.6.1.24.1. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void); /*! @function SecPolicyCreateOCSPSigner @abstract Returns a policy object for evaluating ocsp response signers. + @discussion This policy uses the Basic X.509 policy with validity check and + requires the leaf to have an ExtendedKeyUsage of OCSPSigning. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateOCSPSigner(void); 
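Review bot: The new discussion for `SecPolicyCreateApplePackageSigning` lists only an anchor and a chain length of 3, with no leaf constraint, while its sibling `SecPolicyCreateAppleSWUpdateSigning` directly above pins the leaf EKU `1.2.840.113635.100.4.1`; if the package policy really has no leaf restriction, any leaf issued under an Apple intermediate satisfies it, so either the doc is incomplete or that fact deserves an explicit sentence such as `No leaf-specific constraint is applied; callers must not rely on this policy alone to identify a package-signing certificate.` The `SecPolicyCreateiPhoneProfileApplicationSigning` text "only verifies that the leaf is temporally valid and not revoked" is likewise ambiguous about whether chain building to a trusted anchor still happens and where anchors are expected to come from. I could not check the implementations from this header.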
@@ -285,303 +548,691 @@ enum { @function SecPolicyCreateSMIME @abstract Returns a policy object for evaluating S/MIME certificate chains. @param smimeUsage Pass the bitwise or of one or more kSecXXXSMIMEUsage - flags, to indicated the intended usage of this certificate. A certificate which allows + flags, to indicate the intended usage of this certificate. @param email Optional; if present, the policy will require the specified email to match the email in the leaf certificate. + @discussion This policy uses the Basic X.509 policy with validity check and + requires the leaf to have + * a KeyUsage matching the smimeUsage, + * an ExtendedKeyUsage, if any, with the AnyExtendedKeyUsage OID or the + EmailProtection OID, and + * if the email param is specified, the email address in the RFC822Name in the + SubjectAlternativeName extension or in the Email Address field of the + Subject Name. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef email); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateSMIME(CFIndex smimeUsage, CFStringRef __nullable email); /*! @function SecPolicyCreateCodeSigning @abstract Returns a policy object for evaluating code signing certificate chains. + @discussion This policy uses the Basic X.509 policy with validity check and + requires the leaf to have + * a KeyUsage with both the DigitalSignature and NonRepudiation bits set, and + * an ExtendedKeyUsage with the AnyExtendedKeyUsage OID or the CodeSigning OID. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateCodeSigning(void); /*! @function SecPolicyCreateLockdownPairing @abstract basic x509 policy for checking lockdown pairing certificate chains. 
- It explicitly allows for empty subjects + @disucssion This policy checks some of the Basic X.509 policy options with no + validity check. It explicitly allows for empty subjects. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateLockdownPairing(void); /*! @function SecPolicyCreateURLBag - @abstract check for private CA, eku codesigning and certificate policy that - pertains to signing of URL bags. + @abstract Returns a policy object for evaluating certificate chains for signing URL bags. + @discussion This policy uses the Basic X.509 policy with no validity check and requires + that the leaf has ExtendedKeyUsage extension with the CodeSigning OID. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateURLBag(void); /*! @function SecPolicyCreateOTATasking - @abstract check for 3 long chain through Apple Certification Policy with common name - "OTA Task Signing". + @abstract Returns a policy object for evaluating certificate chains for signing OTA Tasking. + @discussion This policy uses the Basic X.509 policy with validity check and + pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in the chain. + * The leaf has Common Name "OTA Task Signing". + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateOTATasking(void); /*! @function SecPolicyCreateMobileAsset - @abstract check for 3 long chain through Apple Certification Policy with common name - "Asset Manifest Signing". + @abstract Returns a policy object for evaluating certificate chains for signing Mobile Assets. 
+ @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in the chain. + * The leaf has Common Name "Asset Manifest Signing". + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateMobileAsset(void); /*! @function SecPolicyCreateAppleIDAuthorityPolicy - @abstract check for an Apple ID identity per marker in the leaf and marker in the intermediate, rooted in the Apple CA. + @abstract Returns a policy object for evaluating certificate chains for Apple ID Authority. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3 + or OID 1.2.840.113635.100.6.2.7. + * The leaf has a marker extension with OID 1.2.840.113635.100.4.7. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void); /*! @function SecPolicyCreateMacAppStoreReceipt - @abstract check for valid Mac App Store receipt signing certificate chain + @abstract Returns a policy object for evaluating certificate chains for signing + Mac App Store Receipts. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateMacAppStoreReceipt(void); /*! 
@function SecPolicyCreatePassbookCardSigner - @abstract check rooted in the Apple CA, eku passbook, marker passbook and name matching + @abstract Returns a policy object for evaluating certificate chains for signing Passbook cards. @param cardIssuer Required; must match name in marker extension. @param teamIdentifier Optional; if present, the policy will require the specified team ID to match the organizationalUnit field in the leaf certificate's subject. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.1.16 and containing the + cardIssuer. + * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.14. + * The leaf has a Organizational Unit matching the TeamID. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer, - CFStringRef teamIdentifier); + CFStringRef __nullable teamIdentifier); /*! @function SecPolicyCreateMobileStoreSigner - @abstract Check for key usage of digital signature, - check for 3 long chain through Apple System Integration 2 Certification Authority - with a certificate policy OID of 1.2.840.113635.100.5.12 that roots to the - Apple root + @abstract Returns a policy object for evaluating Mobile Store certificate chains. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple System Integration 2 Certification Authority". + * The leaf has KeyUsage with the DigitalSignature bit set. + * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12. + @result A policy object. 
The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateMobileStoreSigner(void); /*! @function SecPolicyCreateTestMobileStoreSigner - @abstract Check for key usage of digital signature, - check for 3 long chain through Apple System Integration 2 Certification Authority - with a certificate policy OID of 1.2.840.113635.100.5.12.1 that roots to the - Apple root + @abstract Returns a policy object for evaluating Test Mobile Store certificate chains. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple System Integration 2 Certification Authority". + * The leaf has KeyUsage with the DigitalSignature bit set. + * The leaf has CertificatePolicy extension with OID 1.2.840.113635.100.5.12.1. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateTestMobileStoreSigner(void); /*! @function SecPolicyCreateEscrowServiceSigner - @abstract Check for key usage of digital signature, has a leaf marker OID of - 1.2.840.113635.100.6.23.1 and roots to the production Escrow Root + @abstract Returns a policy object for evaluating Escrow Service certificate chains. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to the current Escrow Roots in the OTAPKI asset. + * There are exactly 2 certs in the chain. + * The leaf has KeyUsage with the KeyEncipherment bit set. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateEscrowServiceSigner(void); /*! 
@function SecPolicyCreatePCSEscrowServiceSigner - @abstract Check for key usage of digital signature, has a leaf marker OID of - 1.2.840.113635.100.6.23.1 and roots to the production PCS Escrow Root + @abstract Returns a policy object for evaluating PCS Escrow Service certificate chains. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to the current PCS Escrow Roots in the OTAPKI asset. + * There are exactly 2 certs in the chain. + * The leaf has KeyUsage with the KeyEncipherment bit set. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void); -/*! - @function SecPolicyCopyEscrowRootCertificate - @abstract Return back the Root certificate for the Escrow service -*/ -SecCertificateRef SecPolicyCopyEscrowRootCertificate(void); - /*! @function SecPolicyCreateOSXProvisioningProfileSigning - @abstract Check for leaf marker OID 1.2.840.113635.100.4.11, - intermediate marker OID 1.2.840.113635.100.6.2.1, - chains to Apple Root CA + @abstract Returns a policy object for evaluating certificate chains for signing OS X + Provisioning Profiles. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.1. + * The leaf has KeyUsage with the DigitalSignature bit set. + * The leaf has a marker extension with OID 1.2.840.113635.100.4.11. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void); /*! 
@function SecPolicyCreateConfigurationProfileSigner - @abstract Check for key usage of digital signature, has a EKU OID of - 1.2.840.113635.100.4.16 and - roots to Apple Application Integration 2 Certification Authority + @abstract Returns a policy object for evaluating certificate chains for signing + Configuration Profiles. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.16. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateConfigurationProfileSigner(void); /*! @function SecPolicyCreateQAConfigurationProfileSigner - @abstract Check for key usage of digital signature, has a EKU OID of - 1.2.840.113635.100.4.17 and - roots to Apple Application Integration 2 Certification Authority + @abstract Returns a policy object for evaluating certificate chains for signing + QA Configuration Profiles. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * The leaf has ExtendedKeyUsage with OID 1.2.840.113635.100.4.17. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void); /*! @function SecPolicyCreateOTAPKISigner - @abstract Check for key usage of digital signature, and - roots to Apple PKI Settings Root Certification Authority + @abstract Returns a policy object for evaluating OTA PKI certificate chains. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to Apple PKI Settings CA. + * There are exactly 2 certs in the chain. + @result A policy object. 
The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateOTAPKISigner(void); /*! @function SecPolicyCreateTestOTAPKISigner - @abstract Check for key usage of digital signature, and - roots to Apple PKI Settings Root - TESTING + @abstract Returns a policy object for evaluating OTA PKI certificate chains. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to Apple Test PKI Settings CA. + * There are exactly 2 certs in the chain. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateTestOTAPKISigner(void); /*! @function SecPolicyCreateAppleIDValidationRecordSigningPolicy - @abstract Check for leaf certificate contains the - appleIDValidationRecordSigning (1 2 840 113635 100 6 25), and - intermediate certificate contains - appleCertificateExtensionApplicationIntegrationIntermediate - (1 2 840 113635 100 6 2 3) and - appleCertificateExtensionSystemIntegration2Intermediate - (1 2 840 113635 100 6 2 10) and roots to the Apple root + @abstract Returns a policy object for evaluating certificate chains for signing + Apple ID Validation Records. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * The intermediate(s) has(have) a marker extension with OID 1.2.840.113635.100.6.2.3 + or OID 1.2.840.113635.100.6.2.10. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.25. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void); /*! 
@function SecPolicyCreateAppleSMPEncryption - @abstract Check for intermediate certificate 'Apple System Integration CA - ECC' by name, - and root certificate 'Apple Root CA - ECC' by hash. - Leaf cert must have Key Encipherment usage. Other checks TBD. + @abstract Returns a policy object for evaluating SMP certificate chains. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA - ECC" certificate. + * There are exactly 3 certs in the chain. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.13. + * The leaf has KeyUsage with the KeyEncipherment bit set. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.30. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleSMPEncryption(void); /*! @function SecPolicyCreateTestAppleSMPEncryption - @abstract Check for intermediate certificate 'Test Apple System Integration CA - ECC' by name, - and root certificate 'Test Apple Root CA - ECC' by hash. - Leaf cert must have Key Encipherment usage. Other checks TBD. + @abstract Returns a policy object for evaluating Test SMP certificate chains. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to a Test Apple Root with ECC public key certificate. + * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Test Apple System Integration CA - ECC". + * The leaf has KeyUsage with the KeyEncipherment bit set. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void); /*! 
@function SecPolicyCreateApplePPQSigning - @abstract Check for intermediate certificate 'Apple System Integration 2 Certification Authority' by name, - and apple anchor. - Leaf cert must have Digital Signature usage. - Leaf cert must have Apple PPQ Signing marker OID (1.2.840.113635.100.6.38.2). - Intermediate must have marker OID (1.2.840.113635.100.6.2.10). + @abstract Returns a policy object for verifying production PPQ Signing certificates. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple System Integration 2 Certification + Authority". + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10. + * The leaf has KeyUsage with the DigitalSignature bit set. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.2. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateApplePPQSigning(void); /*! @function SecPolicyCreateTestApplePPQSigning - @abstract Check for intermediate certificate 'Apple System Integration 2 Certification Authority' by name, - and apple anchor. - Leaf cert must have Digital Signature usage. - Leaf cert must have Apple PPQ Signing Test marker OID (1.2.840.113635.100.6.38.1). - Intermediate must have marker OID (1.2.840.113635.100.6.2.10). + @abstract Returns a policy object for verifying test PPQ Signing certificates. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple System Integration 2 Certification + Authority". + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10. 
+ * The leaf has KeyUsage with the DigitalSignature bit set. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.38.1. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateTestApplePPQSigning(void); /*! @function SecPolicyCreateAppleIDSService @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions) + @discussion This policy uses the SSL server policy. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef __nullable hostname); /*! @function SecPolicyCreateAppleIDSServiceContext @abstract Ensure we're appropriately pinned to the IDS service (SSL + Apple restrictions) + @param hostname Required; hostname to verify the certificate name against. + @param context Optional; if present, "AppleServerAuthenticationAllowUATIDS" with value + Boolean true will allow Test Apple roots on internal releases. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs + are permitted only on internal releases either using the context dictionary or with + defaults write. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.4.2 or, + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.4.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via OCSP. + @result A policy object. 
The caller is responsible for calling CFRelease + on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef context); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef __nullable context); /*! @function SecPolicyCreateApplePushService - @abstract Ensure we're appropriately pinned to the Push service (SSL + Apple restrictions) + @abstract Ensure we're appropriately pinned to the Apple Push service (SSL + Apple restrictions) + @param hostname Required; hostname to verify the certificate name against. + @param context Optional; if present, "AppleServerAuthenticationAllowUATAPN" with value + Boolean true will allow Test Apple roots on internal releases. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs + are permitted only on internal releases either using the context dictionary or with + defaults write. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.5.2 or, + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.5.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef context); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef __nullable context); /*! 
@function SecPolicyCreateApplePushServiceLegacy @abstract Ensure we're appropriately pinned to the Push service (via Entrust) + @param hostname Required; hostname to verify the certificate name against. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to an Entrust Intermediate. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname); /*! @function SecPolicyCreateAppleMMCSService @abstract Ensure we're appropriately pinned to the MMCS service (SSL + Apple restrictions) + @param hostname Required; hostname to verify the certificate name against. + @param context Optional; if present, "AppleServerAuthenticationAllowUATMMCS" with value + Boolean true will allow Test Apple roots and test OIDs on internal releases. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to any of the production Apple Root CAs. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or, if + enabled, OID 1.2.840.113635.100.6.27.11.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via any available method. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. 
*/ -SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef context); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef __nullable context); + +/*! + @function SecPolicyCreateAppleCompatibilityMMCSService + @abstract Ensure we're appropriately pinned to the MMCS service using compatibility certs + @param hostname Required; hostname to verify the certificate name against. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to the GeoTrust Global CA + * The intermediate has a subject public key info hash matching the public key of + the Apple IST CA G1 intermediate. + * The chain length is 3. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.11.2 or + OID 1.2.840.113635.100.6.27.11.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleCompatibilityMMCSService(CFStringRef hostname) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /*! @function SecPolicyCreateAppleGSService @abstract Ensure we're appropriately pinned to the GS service (SSL + Apple restrictions) + @param hostname Required; hostname to verify the certificate name against. + @param context Optional; if present, "AppleServerAuthenticationAllowUATGS" with value + Boolean true will allow Test Apple roots on internal releases. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to any of the production Apple Root CAs. 
Test Apple Root CAs + are permitted only on internal releases either using the context dictionary or with + defaults write. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.2. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef context) +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef __nullable context) __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); /*! @function SecPolicyCreateApplePPQService @abstract Ensure we're appropriately pinned to the PPQ service (SSL + Apple restrictions) + @param hostname Required; hostname to verify the certificate name against. + @param context Optional; if present, "AppleServerAuthenticationAllowUATPPQ" with value + Boolean true will allow Test Apple roots on internal releases. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs + are permitted only on internal releases either using the context dictionary or with + defaults write. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.3.2 or, + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.3.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. 
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef context) +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef __nullable context) __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); /*! @function SecPolicyCreateAppleAST2Service @abstract Ensure we're appropriately pinned to the AST2 Diagnostic service (SSL + Apple restrictions) + @param hostname Required; hostname to verify the certificate name against. + @param context Optional; if present, "AppleServerAuthenticationAllowUATAST2" with value + Boolean true will allow Test Apple roots on internal releases. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs + are permitted either using the context dictionary or with defaults write. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.8.2 or, + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.8.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. 
*/ -SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef context) +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef __nullable context) __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3); /*! - @function SecPolicyCreateAppleSSLService - @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions) + @function SecPolicyCreateAppleEscrowProxyService + @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service (SSL + Apple restrictions) + @param hostname Required; hostname to verify the certificate name against. + @param context Optional; if present, "AppleServerAuthenticationAllowUATEscrow" with value +Boolean true will allow Test Apple roots on internal releases. + @discussion This policy uses the Basic X.509 policy with validity check +and pinning options: + * The chain is anchored to any of the production Apple Root CAs via full certificate + comparison. Test Apple Root CAs are permitted only on internal releases either + using the context dictionary or with defaults write. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or, + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.7.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via CRL. + @result A policy object. The caller is responsible for calling CFRelease +on this when it is no longer needed. 
*/ -SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef __nullable context) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /*! - @function SecPolicyCreateAppleTimeStamping - @abstract Check for RFC3161 timestamping EKU. + @function SecPolicyCreateAppleCompatibilityEscrowProxyService + @abstract Ensure we're appropriately pinned to the iCloud Escrow Proxy service using compatibility certs + @param hostname Required; hostname to verify the certificate name against. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to the GeoTrust Global CA + * The intermediate has a subject public key info hash matching the public key of + the Apple IST CA G1 intermediate. + * The chain length is 3. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.7.2 or, + if UAT is enabled with a defaults write (internal devices only), + OID 1.2.840.113635.100.6.27.7.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateAppleTimeStamping(void); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleCompatibilityEscrowProxyService(CFStringRef hostname) +__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /*! - @function SecPolicyCreateAppleATVAppSigning - @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name, - and apple anchor. - Leaf cert must have Digital Signature usage. - Leaf cert must have Apple ATV App Signing marker OID (1.2.840.113635.100.6.1.24). 
- Leaf cert must have 'Apple TVOS Application Signing' common name. + @function SecPolicyCreateAppleFMiPService + @abstract Ensure we're appropriately pinned to the Find My iPhone service (SSL + Apple restrictions) + @param hostname Required; hostname to verify the certificate name against. + @param context Optional; if present, "AppleServerAuthenticationAllowUATFMiP" with value + Boolean true will allow Test Apple roots on internal releases. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to any of the production Apple Root CAs via full certificate + comparison. Test Apple Root CAs are permitted only on internal releases either + using the context dictionary or with defaults write. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.6.2 or, + if Test Roots are allowed, OID 1.2.840.113635.100.6.27.6.1. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via CRL. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateAppleATVAppSigning(void) - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryRef __nullable context) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /*! - @function SecPolicyCreateTestAppleATVAppSigning - @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations Certification Authority' by name, - and apple anchor. - Leaf cert must have Digital Signature usage. - Leaf cert must have Apple ATV App Signing Test marker OID (1.2.840.113635.100.6.1.24.1). 
- Leaf cert must have 'TEST Apple TVOS Application Signing TEST' common name. + @function SecPolicyCreateAppleSSLService + @abstract Ensure we're appropriately pinned to an Apple server (SSL + Apple restrictions) + @param hostname Optional; hostname to verify the certificate name against. + @discussion This policy uses the Basic X.509 policy with validity check + and pinning options: + * The chain is anchored to "Apple Root CA" certificate. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.12. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.1 + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage, if any, with the ServerAuth OID. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ -SecPolicyRef SecPolicyCreateTestAppleATVAppSigning(void) - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef __nullable hostname); +/*! + @function SecPolicyCreateAppleTimeStamping + @abstract Returns a policy object for evaluating time stamping certificate chains. + @discussion This policy uses the Basic X.509 policy with validity check + and requires the leaf has ExtendedKeyUsage with the TimeStamping OID. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleTimeStamping(void); /*! @function SecPolicyCreateApplePayIssuerEncryption - @abstract Check for intermediate certificate 'Apple Worldwide Developer Relations CA - G2' by name, - and apple anchor. - Leaf cert must have Key Encipherment and Key Agreement usage. 
- Leaf cert must have Apple Pay Issuer Encryption marker OID (1.2.840.113635.100.6.39). + @abstract Returns a policy object for evaluating Apple Pay Issuer Encryption certificate chains. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to "Apple Root CA - ECC" certificate. + * There are exactly 3 certs in the chain. + * The intermediate has Common Name "Apple Worldwide Developer Relations CA - G2". + * The leaf has KeyUsage with the KeyEncipherment bit set. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.39. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void) __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); - /*! @function SecPolicyCreateAppleATVVPNProfileSigning - @abstract Check for leaf marker OID 1.2.840.113635.100.6.43, - intermediate marker OID 1.2.840.113635.100.6.2.10, - chains to Apple Root CA, path length 3 + @abstract Returns a policy object for evaluating Apple TV VPN Profile certificate chains. + @discussion This policy uses the Basic X.509 policy with no validity check + and pinning options: + * The chain is anchored to any of the production Apple Root CAs. Test Apple Root CAs + are permitted only on internal releases. + * There are exactly 3 certs in the chain. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.10. + * The leaf has a marker extension with OID 1.2.840.113635.100.6.43. + * Revocation is checked via OCSP. + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void) -__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); /*! 
@function SecPolicyCreateAppleHomeKitServerAuth 
@@ -589,20 +1240,181 @@ __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); @param hostname Required; hostname to verify the certificate name against. @discussion This policy uses the Basic X.509 policy with validity check and pinning options: - * The chain is anchored to any of the production Apple Root CAs via full certificate - comparison. Test Apple Root CAs are permitted only on internal releases with defaults write. - * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16 - * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9. - * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName - extension or Common Name. - * The leaf is checked against the Black and Gray lists. - * The leaf has ExtendedKeyUsage with the ServerAuth OID. - * Revocation is checked via CRL. + * The chain is anchored to any of the production Apple Root CAs via full certificate + comparison. Test Apple Root CAs are permitted only on internal releases with defaults write. + * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16 + * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9. + * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName + extension or Common Name. + * The leaf is checked against the Black and Gray lists. + * The leaf has ExtendedKeyUsage with the ServerAuth OID. + * Revocation is checked via CRL. @result A policy object. The caller is responsible for calling CFRelease on this when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) -__OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3); + __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3); + +/*! + @function SecPolicyCreateAppleExternalDeveloper + @abstract Returns a policy object for verifying Apple-issued external developer + certificates. 
+ @discussion The resulting policy uses the Basic X.509 policy with validity check and + pinning options: + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate has a marker extension with OID matching 1.2.840.113635.100.6.2.1 + (WWDR CA) or 1.2.840.113635.100.6.2.6 (Developer ID CA). + * The leaf has a marker extension with OID matching one of the following: + * 1.2.840.113635.100.6.1.2 ("iPhone Developer" leaf) + * 1.2.840.113635.100.6.1.4 ("iPhone Distribution" leaf) + * 1.2.840.113635.100.6.1.5 ("Safari Developer" leaf) + * 1.2.840.113635.100.6.1.7 ("3rd Party Mac Developer Application" leaf) + * 1.2.840.113635.100.6.1.8 ("3rd Party Mac Developer Installer" leaf) + * 1.2.840.113635.100.6.1.12 ("Mac Developer" leaf) + * 1.2.840.113635.100.6.1.13 ("Developer ID Application" leaf) + * 1.2.840.113635.100.6.1.14 ("Developer ID Installer" leaf) + * The leaf has an ExtendedKeyUsage OID matching one of the following: + * 1.3.6.1.5.5.7.3.3 (CodeSigning EKU) + * 1.2.840.113635.100.4.8 ("Safari Developer" EKU) + * 1.2.840.113635.100.4.9 ("3rd Party Mac Developer Installer" EKU) + * 1.2.840.113635.100.4.13 ("Developer ID Installer" EKU) + * Revocation is checked via OCSP or CRL. + * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. + @result A policy object. The caller is responsible for calling CFRelease on this when + it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void) + __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecPolicyCreateAppleSoftwareSigning + @abstract Returns a policy object for verifying the Apple Software Signing certificate. 
+ @discussion The resulting policy uses the Basic X.509 policy with validity check and + pinning options: + * The chain is anchored to any of the production Apple Root CAs. Internal releases allow + the chain to be anchored to Test Apple Root CAs if a defaults write for the policy is set. + * There are exactly 3 certs in the chain. + * The intermediate has the Common Name "Apple Code Signing Certification Authority". + * The leaf has a marker extension with OID matching 1.2.840.113635.100.6.22. + * The leaf has an ExtendedKeyUsage OID matching 1.3.6.1.5.5.7.3.3 (Code Signing). + * Revocation is checked via OCSP or CRL. + * RSA key sizes are 2048-bit or larger. EC key sizes are P-256 or larger. + @result A policy object. The caller is responsible for calling CFRelease on this when + it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleSoftwareSigning(void) + __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecPolicyGetName + @abstract Returns a policy's name. + @param policy A policy reference. + @result A policy name. + */ +__nullable CFStringRef SecPolicyGetName(SecPolicyRef policy) + __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecPolicyGetOidString + @abstract Returns a policy's oid in string decimal format. + @param policy A policy reference. + @result A policy oid. + */ +CFStringRef SecPolicyGetOidString(SecPolicyRef policy) + __OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +/*! + @function SecPolicyCreateAppleUniqueDeviceCertificate + @abstract Returns a policy object for verifying Unique Device Identifier Certificates. + @param testRootHash Optional; The SHA-256 fingerprint of a test root for pinning. 
+ @discussion The resulting policy uses the Basic X.509 policy with no validity check and + pinning options: + * The chain is anchored to the SEP Root CA. Internal releases allow the chain to be + anchored to the testRootHash input if the value true is set for the key + "ApplePinningAllowTestCertsUCRT" in the com.apple.security preferences for the user + of the calling application. + * There are exactly 3 certs in the chain. + * The intermediate has an extension with OID matching 1.2.840.113635.100.6.44 and value + of "ucrt". + * The leaf has a marker extension with OID matching 1.2.840.113635.100.10.1. + * RSA key sizes are are disallowed. EC key sizes are P-256 or larger. +@result A policy object. The caller is responsible for calling CFRelease on this when + it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef __nullable testRootHash) +__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0); + +CF_IMPLICIT_BRIDGING_DISABLED +CF_ASSUME_NONNULL_END + +/* + * Legacy functions (OS X only) + */ +#if TARGET_OS_MAC && !TARGET_OS_IPHONE + +CF_ASSUME_NONNULL_BEGIN +CF_IMPLICIT_BRIDGING_ENABLED + +/*! + @function SecPolicyCopy + @abstract Returns a copy of a policy reference based on certificate type and OID. + @param certificateType A certificate type. + @param policyOID The OID of the policy you want to find. This is a required parameter. See oidsalg.h to see a list of policy OIDs. + @param policy The returned policy reference. This is a required parameter. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function is deprecated in Mac OS X 10.7 and later; + to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. 
+ */ +OSStatus SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef * __nonnull CF_RETURNS_RETAINED policy) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); + +/*! + @function SecPolicyCopyAll + @abstract Returns an array of all known policies based on certificate type. + @param certificateType A certificate type. This is a optional parameter. Pass CSSM_CERT_UNKNOWN if the certificate type is unknown. + @param policies The returned array of policies. This is a required parameter. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function is deprecated in Mac OS X 10.7 and later; + to obtain a policy reference, use one of the SecPolicyCreate* functions in SecPolicy.h. (Note: there is normally + no reason to iterate over multiple disjointed policies, except to provide a way to edit trust settings for each + policy, as is done in certain certificate UI views. In that specific case, your code should call SecPolicyCreateWithOID + for each desired policy from the list of supported OID constants in SecPolicy.h.) + */ +OSStatus SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef * __nonnull CF_RETURNS_RETAINED policies) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); + +/* Given a unified SecPolicyRef, return a copy with a legacy + C++ ItemImpl-based Policy instance. Only for internal use; + legacy references cannot be used by SecPolicy API functions. */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateItemImplInstance(SecPolicyRef policy); + +/* Given a CSSM_OID pointer, return a string which can be passed + to SecPolicyCreateWithProperties. The return value can be NULL + if no supported policy was found for the OID argument. */ +__nullable +CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid); + +/*! 
+ @function SecPolicyCreateAppleTimeStampingAndRevocationPolicies + @abstract Create timeStamping policy array from a given set of policies by applying identical revocation behavior + @param policyOrArray can be a SecPolicyRef or a CFArray of SecPolicyRef + @discussion This function is soon to be deprecated. Callers should create an array of the non-deprecated timestamping + and revocation policies. + */ +__nullable CF_RETURNS_RETAINED +CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray); + +CF_IMPLICIT_BRIDGING_DISABLED +CF_ASSUME_NONNULL_END + +#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ __END_DECLS diff --git a/OSX/sec/Security/SecRSAKey.c b/OSX/sec/Security/SecRSAKey.c index 246fdf54..9ecc96cb 100644 --- a/OSX/sec/Security/SecRSAKey.c +++ b/OSX/sec/Security/SecRSAKey.c @@ -42,12 +42,15 @@ #include <Security/SecRandom.h> #include <utilities/debugging.h> #include <utilities/SecCFWrappers.h> +#include <utilities/SecCFError.h> +#include <utilities/array_size.h> #include "SecItemPriv.h" #include <Security/SecInternal.h> #include <corecrypto/ccn.h> #include <corecrypto/ccrsa.h> #include <corecrypto/ccsha1.h> +#include <corecrypto/ccsha2.h> #include <libDER/asn1Types.h> #include <libDER/DER_Keys.h> 
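Review bot: `SecPolicyGetOidString` is declared without the `__nullable` that the neighbouring `SecPolicyGetName` carries, and since both sit inside the assume-nonnull region (its `CF_ASSUME_NONNULL_END` is visible a few lines below) the header promises callers a non-NULL string for every policy; if that is not guaranteed for policies created without an OID, annotate it `__nullable CFStringRef SecPolicyGetOidString(SecPolicyRef policy)`, otherwise state the guarantee in its `@result`. The legacy `SecPolicyGetStringForOID(CSSM_OID* oid)` presumably only reads the OID, so `const CSSM_OID *oid` would match `SecPolicyCopy`'s `const CSSM_OID *policyOID` and the pointer-declarator style used elsewhere in this hunk. Two documentation nits in the `SecPolicyCreateAppleUniqueDeviceCertificate` discussion: "RSA key sizes are are disallowed" doubles a word, and its `@result` line is not indented like the other tags. The `SecPolicyCreateAppleExternalDeveloper` and later declarations use `__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) …` while the escrow and FMiP declarations in the preceding hunk use `__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0)` for the same releases; picking one form would keep the header uniform.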
@@ -65,62 +68,6 @@ #define RSA_PKCS1_PAD_SIGN 0x01 #define RSA_PKCS1_PAD_ENCRYPT 0x02 -static void ccn_c_dump(cc_size count, const cc_unit *s) -{ - printf("{ "); - cc_size ix; - for (ix = count; ix--;) { - printf("0x%.02x, 0x%.02x, 0x%.02x, 0x%.02x, ", - (int) ((s[ix] >> 24) & 0xFF), - (int) ((s[ix] >> 16) & 0xFF), - (int) ((s[ix] >> 8 ) & 0xFF), - (int) ((s[ix] >> 0 ) & 0xFF)); - } - printf("};"); -} - -static void ccn_cprint(cc_size count, char* prefix, const cc_unit *s) -{ - printf("%s", prefix); - ccn_c_dump(count, s); - printf("\n"); -} - -void ccrsa_dump_full_key(ccrsa_full_ctx_t key); // Suppress warnings -void ccrsa_dump_full_key(ccrsa_full_ctx_t key) { - ccn_cprint(ccrsa_ctx_n(key), "uint8_t m[] = ", ccrsa_ctx_m(key)); - ccn_cprint(ccrsa_ctx_n(key) + 1, "uint8_t rm[] = ", cczp_recip(ccrsa_ctx_zm(key))); - ccn_cprint(ccrsa_ctx_n(key), "uint8_t e[] = ", ccrsa_ctx_e(key)); - ccn_cprint(ccrsa_ctx_n(key), "uint8_t d[] = ", ccrsa_ctx_d(key)); - - printf("cc_size np = %lu;\n", cczp_n(ccrsa_ctx_private_zp(ccrsa_ctx_private(key)))); - ccn_cprint(cczp_n(ccrsa_ctx_private_zp(ccrsa_ctx_private(key))), "uint8_t p[] = ", - cczp_prime(ccrsa_ctx_private_zp(ccrsa_ctx_private(key)))); - ccn_cprint(cczp_n(ccrsa_ctx_private_zp(ccrsa_ctx_private(key))) + 1, "uint8_t rp[] = ", - cczp_recip(ccrsa_ctx_private_zp(ccrsa_ctx_private(key)))); - printf("cc_size nq = %lu;\n", cczp_n(ccrsa_ctx_private_zq(ccrsa_ctx_private(key)))); - ccn_cprint(cczp_n(ccrsa_ctx_private_zq(ccrsa_ctx_private(key))), "uint8_t q[] = ", - cczp_prime(ccrsa_ctx_private_zq(ccrsa_ctx_private(key)))); - ccn_cprint(cczp_n(ccrsa_ctx_private_zq(ccrsa_ctx_private(key))) + 1, "uint8_t rq[] = ", - cczp_recip(ccrsa_ctx_private_zq(ccrsa_ctx_private(key)))); - ccn_cprint(cczp_n(ccrsa_ctx_private_zp(ccrsa_ctx_private(key))), "uint8_t dp[] = ", - ccrsa_ctx_private_dp(ccrsa_ctx_private(key))); - ccn_cprint(cczp_n(ccrsa_ctx_private_zq(ccrsa_ctx_private(key))), "uint8_t dq[] = ", - ccrsa_ctx_private_dq(ccrsa_ctx_private(key))); 
- ccn_cprint(cczp_n(ccrsa_ctx_private_zp(ccrsa_ctx_private(key))), "uint8_t qinv[] = ", - ccrsa_ctx_private_qinv(ccrsa_ctx_private(key))); - printf("--\n"); -} - -void ccrsa_dump_public_key(ccrsa_pub_ctx_t key); // Suppress warning. -void ccrsa_dump_public_key(ccrsa_pub_ctx_t key) { - ccn_cprint(ccrsa_ctx_n(key), "uint8_t m[] = ", ccrsa_ctx_m(key)); - ccn_cprint(ccrsa_ctx_n(key) + 1, "uint8_t rm[] = ", cczp_recip(ccrsa_ctx_zm(key))); - ccn_cprint(ccrsa_ctx_n(key), "uint8_t e[] = ", ccrsa_ctx_e(key)); - - printf("--\n"); -} - /* * * Public Key @@ -171,18 +118,18 @@ static OSStatus ccrsa_pub_decode_apple(ccrsa_pub_ctx_t pubkey, size_t pkcs1_size DERItem keyItem = {(DERByte *)pkcs1, pkcs1_size}; DERRSAPubKeyApple decodedKey; - require_noerr_action(DERParseSequence(&keyItem, - DERNumRSAPubKeyAppleItemSpecs, DERRSAPubKeyAppleItemSpecs, - &decodedKey, sizeof(decodedKey)), - errOut, result = errSecDecode); + require_noerr_action_quiet(DERParseSequence(&keyItem, + DERNumRSAPubKeyAppleItemSpecs, DERRSAPubKeyAppleItemSpecs, + &decodedKey, sizeof(decodedKey)), + errOut, result = errSecDecode); - // We could honor the recipricol, but we don't think this is used enough to care. + // We could honor the reciprocal, but we don't think this is used enough to care. // Don't bother exploding the below function to try to handle this case, it computes. - require_noerr(ccrsa_pub_init(pubkey, - decodedKey.modulus.length, decodedKey.modulus.data, - decodedKey.pubExponent.length, decodedKey.pubExponent.data), - errOut); + require_noerr_quiet(ccrsa_pub_init(pubkey, + decodedKey.modulus.length, decodedKey.modulus.data, + decodedKey.pubExponent.length, decodedKey.pubExponent.data), + errOut); result = errSecSuccess; 
@@ -216,18 +163,17 @@ static OSStatus SecRSAPublicKeyInit(SecKeyRef key, switch (encoding) { case kSecKeyEncodingBytes: // Octets is PKCS1 case kSecKeyEncodingPkcs1: { - const uint8_t *der_end = keyData + keyDataLength; - size_n = ccder_decode_rsa_pub_n(keyData, der_end); - require(size_n != 0, errOut); - require(size_n <= ccn_nof(kMaximumRSAKeyBits), errOut); + size_n = ccrsa_import_pub_n(keyDataLength, keyData); + require_quiet(size_n != 0, errOut); + require_quiet(size_n <= ccn_nof(kMaximumRSAKeyBits), errOut); key->key = calloc(1, ccrsa_pub_ctx_size(ccn_sizeof_n(size_n))); - require_action(key->key, errOut, result = errSecAllocate); + require_action_quiet(key->key, errOut, result = errSecAllocate); pubkey.pub = key->key; ccrsa_ctx_n(pubkey) = size_n; - require_noerr(ccrsa_import_pub(pubkey, keyDataLength, keyData), errOut); + require_noerr_quiet(ccrsa_import_pub(pubkey, keyDataLength, keyData), errOut); result = errSecSuccess; @@ -238,7 +184,7 @@ static OSStatus SecRSAPublicKeyInit(SecKeyRef key, size_n = ccn_nof(kMaximumRSAKeyBits); key->key = calloc(1, ccrsa_pub_ctx_size(ccn_sizeof_n(size_n))); - require_action(key->key, errOut, result = errSecAllocate); + require_action_quiet(key->key, errOut, result = errSecAllocate); pubkey.pub = key->key; ccrsa_ctx_n(pubkey) = size_n; @@ -252,14 +198,14 @@ static OSStatus SecRSAPublicKeyInit(SecKeyRef key, size_n = ccn_nof_size(params->modulusLength); key->key = calloc(1, ccrsa_pub_ctx_size(ccn_sizeof_n(size_n))); - require_action(key->key, errOut, result = errSecAllocate); + require_action_quiet(key->key, errOut, result = errSecAllocate); pubkey.pub = key->key; ccrsa_ctx_n(pubkey) = size_n; - require_noerr(ccrsa_pub_init(pubkey, - params->modulusLength, params->modulus, - params->exponentLength, params->exponent), errOut); + require_noerr_quiet(ccrsa_pub_init(pubkey, + params->modulusLength, params->modulus, + params->exponentLength, params->exponent), errOut); result = errSecSuccess; break; 
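Review bot: In the `kSecKeyEncodingPkcs1` case, the two new `require_quiet` checks on `size_n` jump to errOut without assigning `result`, so a malformed or oversize key returns whatever `result` held at entry (set outside this hunk), whereas the calloc failure right below sets `errSecAllocate` and `ccrsa_pub_decode_apple` in the previous hunk sets `errSecDecode` for the same kind of parse failure. `require_action_quiet(size_n != 0, errOut, result = errSecDecode);` and `require_action_quiet(size_n <= ccn_nof(kMaximumRSAKeyBits), errOut, result = errSecParam);` would make the rejection explicit. The `kMaximumRSAKeyBits` bound is applied only on this path; the path in the third hunk that sets `size_n = ccn_nof_size(params->modulusLength)` is untouched by this commit and has no visible upper bound before its calloc, so it may deserve the same guard. SecRSAPublicKeyInit's body begins and ends outside the hunk.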
@@ -272,7 +218,7 @@ static OSStatus SecRSAPublicKeyInit(SecKeyRef key, size_n = ccrsa_ctx_n(fullKey); key->key = calloc(1, ccrsa_pub_ctx_size(ccn_sizeof_n(size_n))); - require_action(key->key, errOut, result = errSecAllocate); + require_action_quiet(key->key, errOut, result = errSecAllocate); pubkey.pub = key->key; ccrsa_ctx_n(pubkey) = size_n; 
@@ -289,250 +235,51 @@ errOut: return result; } -static OSStatus SecRSAPublicKeyRawVerify(SecKeyRef key, SecPadding padding, - const uint8_t *signedData, size_t signedDataLen, - const uint8_t *sig, size_t sigLen) { - OSStatus result = errSSLCrypto; +static CFTypeRef SecRSAPublicKeyCopyOperationResult(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, + CFArrayRef allAlgorithms, SecKeyOperationMode mode, + CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { + CFTypeRef result; + require_action_quiet(CFEqual(algorithm, kSecKeyAlgorithmRSAEncryptionRawCCUnit), out, result = kCFNull); ccrsa_pub_ctx_t pubkey; pubkey.pub = key->key; - - cc_unit s[ccrsa_ctx_n(pubkey)]; - - ccn_read_uint(ccrsa_ctx_n(pubkey), s, sigLen, sig); - ccrsa_pub_crypt(pubkey, s, s); - ccn_swap(ccrsa_ctx_n(pubkey), s); - - const uint8_t* sBytes = (uint8_t*) s; - const uint8_t* sEnd = (uint8_t*) (s + ccrsa_ctx_n(pubkey)); - - switch (padding) { - case kSecPaddingNone: - // Skip leading zeros as long as s is bigger than signedData. - while (((ptrdiff_t)signedDataLen < (sEnd - sBytes)) && (*sBytes == 0)) - ++sBytes; - break; - - case kSecPaddingPKCS1: - { - // Verify and skip PKCS1 padding: - // - // 0x00, 0x01 (RSA_PKCS1_PAD_SIGN), 0xFF .. 0x00, signedData - // - size_t m_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey)); - size_t prefix_zeros = ccn_sizeof_n(ccrsa_ctx_n(pubkey)) - m_size; - - while (prefix_zeros--) - require_quiet(*sBytes++ == 0x00, errOut); - - require_quiet(*sBytes++ == 0x00, errOut); - require_quiet(*sBytes++ == RSA_PKCS1_PAD_SIGN, errOut); - - while (*sBytes == 0xFF) { - require_quiet(++sBytes < sEnd, errOut); + result = kCFBooleanTrue; + switch (operation) { + case kSecKeyOperationTypeEncrypt: + if (mode == kSecKeyOperationModePerform) { + // Verify that plaintext is smaller than modulus. 
+ require_action_quiet(ccn_cmpn(ccn_nof_size(CFDataGetLength(in1)), (const cc_unit *)CFDataGetBytePtr(in1), + ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey)) < 0, out, + (result = NULL, + SecError(errSecParam, error, CFSTR("RSApubkey wrong size of buffer to encrypt")))); + + // Encrypt into output buffer. + result = CFDataCreateMutableWithScratch(NULL, ccrsa_block_size(pubkey)); + ccrsa_pub_crypt(pubkey, (cc_unit *)CFDataGetMutableBytePtr((CFMutableDataRef)result), + (const cc_unit *)CFDataGetBytePtr(in1)); } - // Required to have at least 8 0xFFs - require_quiet((sBytes - (uint8_t*)s) - 2 >= 8, errOut); - - require_quiet(*sBytes == 0x00, errOut); - require_quiet(++sBytes < sEnd, errOut); break; - } - case kSecPaddingOAEP: - result = errSecParam; - goto errOut; - - default: - result = errSecUnimplemented; - goto errOut; - } - - // Compare the rest. - require_quiet((sEnd - sBytes) == (ptrdiff_t)signedDataLen, errOut); - require_quiet(memcmp(sBytes, signedData, signedDataLen) == 0, errOut); - - result = errSecSuccess; - -errOut: - cc_clear(ccrsa_ctx_n(pubkey), s); - - return result; -} - -static OSStatus SecRSAPublicKeyRawEncrypt(SecKeyRef key, SecPadding padding, - const uint8_t *plainText, size_t plainTextLen, - uint8_t *cipherText, size_t *cipherTextLen) { - OSStatus result = errSecParam; - ccrsa_pub_ctx_t pubkey; - pubkey.pub = key->key; - - cc_unit s[ccrsa_ctx_n(pubkey)]; - const size_t m_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey)); - - require(cipherTextLen, errOut); - require(*cipherTextLen >= m_size, errOut); - - uint8_t* sBytes = (uint8_t*) s; - - switch (padding) { - case kSecPaddingNone: - // We'll allow modulus size assuming input is smaller than modulus - require_quiet(plainTextLen <= m_size, errOut); - require_noerr_quiet(ccn_read_uint(ccrsa_ctx_n(pubkey), s, plainTextLen, plainText), errOut); - require_quiet(ccn_cmp(ccrsa_ctx_n(pubkey), s, ccrsa_ctx_m(pubkey)) < 0, errOut); - break; - - case kSecPaddingPKCS1: - { - // Create PKCS1 
padding: - // - // 0x00, 0x01 (RSA_PKCS1_PAD_ENCRYPT), 0xFF .. 0x00, signedData - // - const int kMinimumPadding = 1 + 1 + 8 + 1; - - require_quiet(plainTextLen <= m_size - kMinimumPadding, errOut); - - size_t prefix_zeros = ccn_sizeof_n(ccrsa_ctx_n(pubkey)) - m_size; - - while (prefix_zeros--) - *sBytes++ = 0x00; - - size_t pad_size = m_size - plainTextLen; - - *sBytes++ = 0x00; - *sBytes++ = RSA_PKCS1_PAD_ENCRYPT; - - ccrng_generate(ccrng_seckey, pad_size - 3, sBytes); - // Remove zeroes from the random pad - - const uint8_t* sEndOfPad = sBytes + (pad_size - 3); - while (sBytes < sEndOfPad) - { - if (*sBytes == 0x00) - *sBytes = 0xFF; // Michael said 0xFF was good enough. - - ++sBytes; + case kSecKeyOperationTypeDecrypt: + if (mode == kSecKeyOperationModePerform) { + // Decrypt into output buffer. + result = CFDataCreateMutableWithScratch(NULL, ccrsa_block_size(pubkey)); + ccrsa_pub_crypt(pubkey, (cc_unit *)CFDataGetMutableBytePtr((CFMutableDataRef)result), + (const cc_unit *)CFDataGetBytePtr(in1)); } - - *sBytes++ = 0x00; - - memcpy(sBytes, plainText, plainTextLen); - - ccn_swap(ccrsa_ctx_n(pubkey), s); - break; - } - case kSecPaddingOAEP: - { - const struct ccdigest_info* di = ccsha1_di(); - - const size_t encodingOverhead = 2 + 2 * di->output_size; - - require_action(m_size > encodingOverhead, errOut, result = errSecParam); - require_action_quiet(plainTextLen <= m_size - encodingOverhead, errOut, result = errSecParam); - - require_noerr_action(ccrsa_oaep_encode(di, - ccrng_seckey, - m_size, s, - plainTextLen, plainText), errOut, result = errSecInternal); break; - } default: - goto errOut; - } - - - ccrsa_pub_crypt(pubkey, s, s); - - ccn_write_uint_padded(ccrsa_ctx_n(pubkey), s, m_size, cipherText); - *cipherTextLen = m_size; - - result = errSecSuccess; - -errOut: - ccn_zero(ccrsa_ctx_n(pubkey), s); - return result; -} - -static OSStatus SecRSAPublicKeyRawDecrypt(SecKeyRef key, SecPadding padding, - const uint8_t *cipherText, size_t cipherTextLen, uint8_t 
*plainText, size_t *plainTextLen) { - OSStatus result = errSSLCrypto; - - ccrsa_pub_ctx_t pubkey; - pubkey.pub = key->key; - - cc_unit s[ccrsa_ctx_n(pubkey)]; - - require_action_quiet(cipherText != NULL, errOut, result = errSecParam); - require_action_quiet(plainText != NULL, errOut, result = errSecParam); - require_action_quiet(plainTextLen != NULL, errOut, result = errSecParam); - - ccn_read_uint(ccrsa_ctx_n(pubkey), s, cipherTextLen, cipherText); - ccrsa_pub_crypt(pubkey, s, s); - ccn_swap(ccrsa_ctx_n(pubkey), s); - - const uint8_t* sBytes = (uint8_t*) s; - const uint8_t* sEnd = (uint8_t*) (s + ccrsa_ctx_n(pubkey)); - - switch (padding) { - case kSecPaddingNone: - // Skip leading zeros - // We return the bytes for a number and - // trim leading zeroes - while (sBytes < sEnd && *sBytes == 0x00) - ++sBytes; + result = kCFNull; break; - - case kSecPaddingPKCS1: - { - // Verify and skip PKCS1 padding: - // - // 0x00, 0x01 (RSA_PKCS1_PAD_ENCRYPT), 0xFF .. 0x00, signedData - // - size_t m_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey)); - size_t prefix_zeros = ccn_sizeof_n(ccrsa_ctx_n(pubkey)) - m_size; - - while (prefix_zeros--) - require_quiet(*sBytes++ == 0x00, errOut); - - require_quiet(*sBytes++ == 0x00, errOut); - require_quiet(*sBytes++ == RSA_PKCS1_PAD_ENCRYPT, errOut); - - while (*sBytes != 0x00) { - require_quiet(++sBytes < sEnd, errOut); - } - // Required to have at least 8 0xFFs - require_quiet((sBytes - (uint8_t*)s) - 2 >= 8, errOut); - - require_quiet(*sBytes == 0x00, errOut); - require_quiet(++sBytes < sEnd, errOut); - - break; - } - case kSecPaddingOAEP: - result = errSecParam; - default: - goto errOut; } - // Return the rest. 
- require_action((sEnd - sBytes) <= (ptrdiff_t)*plainTextLen, errOut, result = errSecParam); - - *plainTextLen = sEnd - sBytes; - memcpy(plainText, sBytes, *plainTextLen); - - result = errSecSuccess; - -errOut: - ccn_zero(ccrsa_ctx_n(pubkey), s); - +out: return result; } static size_t SecRSAPublicKeyBlockSize(SecKeyRef key) { ccrsa_pub_ctx_t pubkey; pubkey.pub = key->key; - - return ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey)); + return ccrsa_block_size(pubkey); } @@ -546,16 +293,10 @@ static CFDataRef SecRSAPublicKeyCreatePKCS1(CFAllocatorRef allocator, ccrsa_pub_ const size_t result_size = DERLengthOfItem(ASN1_SEQUENCE, seq_size); - CFMutableDataRef pkcs1 = CFDataCreateMutable(allocator, result_size); - - if (pkcs1 == NULL) - return NULL; - - CFDataSetLength(pkcs1, result_size); - + CFMutableDataRef pkcs1 = CFDataCreateMutableWithScratch(allocator, result_size); uint8_t *bytes = CFDataGetMutableBytePtr(pkcs1); - *bytes++ = ASN1_CONSTR_SEQUENCE; + *bytes++ = ONE_BYTE_ASN1_CONSTR_SEQUENCE; DERSize itemLength = 4; DEREncodeLength(seq_size, bytes, &itemLength); 
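Review bot: The decrypt case of `SecRSAPublicKeyCopyOperationResult` never checks the length of `in1` before `ccrsa_pub_crypt` reads `ccrsa_ctx_n(pubkey)` units from `CFDataGetBytePtr(in1)`, and the encrypt case's `ccn_nof_size(CFDataGetLength(in1))` rounds a non-unit-multiple length up, so both paths can read past the end of a short input. The output scratch buffer is sized by `ccrsa_block_size(pubkey)`, which the `SecRSAPublicKeyBlockSize` change in this same hunk equates with the old `ccn_write_uint_size(...)` modulus byte length, while `ccrsa_pub_crypt` writes `ccn_sizeof_n(ccrsa_ctx_n(pubkey))` bytes — more than that whenever the modulus length is not a multiple of `sizeof(cc_unit)`; such keys are uncommon, but the importer accepts any size up to `kMaximumRSAKeyBits`. Neither `CFDataCreateMutableWithScratch` result is checked before `CFDataGetMutableBytePtr`, and the same unchecked call appears in the `SecRSAPublicKeyCreatePKCS1` hunk below, where the commit drops the explicit `if (pkcs1 == NULL) return NULL;` the old code had. A single exact-length guard on `in1` of `ccn_sizeof_n(ccrsa_ctx_n(pubkey))` bytes, the same size for the output, and a NULL check close all three; the consumer of `kSecKeyAlgorithmRSAEncryptionRawCCUnit` lives outside this file, so confirm which output length it expects.
```c
static CFTypeRef SecRSAPublicKeyCopyOperationResult(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm,
                                                    CFArrayRef allAlgorithms, SecKeyOperationMode mode,
                                                    CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
    CFTypeRef result;
    require_action_quiet(CFEqual(algorithm, kSecKeyAlgorithmRSAEncryptionRawCCUnit), out, result = kCFNull);

    ccrsa_pub_ctx_t pubkey;
    pubkey.pub = key->key;
    // Raw CCUnit operands are whole cc_unit arrays of the key's width, which can be
    // longer than the modulus byte length reported by ccrsa_block_size().
    const size_t unit_bytes = ccn_sizeof_n(ccrsa_ctx_n(pubkey));

    result = kCFBooleanTrue;
    switch (operation) {
        case kSecKeyOperationTypeEncrypt:
        case kSecKeyOperationTypeDecrypt:
            if (mode == kSecKeyOperationModePerform) {
                // ccrsa_pub_crypt reads ccrsa_ctx_n units from in1 unconditionally, so the
                // input length must be checked before the cast.
                require_action_quiet(CFDataGetLength(in1) == (CFIndex)unit_bytes, out,
                                     (result = NULL,
                                      SecError(errSecParam, error, CFSTR("RSApubkey wrong size of buffer for raw operation"))));
                if (operation == kSecKeyOperationTypeEncrypt) {
                    // Verify that plaintext is smaller than modulus.
                    require_action_quiet(ccn_cmp(ccrsa_ctx_n(pubkey), (const cc_unit *)CFDataGetBytePtr(in1),
                                                 ccrsa_ctx_m(pubkey)) < 0, out,
                                         (result = NULL,
                                          SecError(errSecParam, error, CFSTR("RSApubkey wrong size of buffer to encrypt"))));
                }
                // Output is a full cc_unit array as well, not ccrsa_block_size bytes.
                result = CFDataCreateMutableWithScratch(NULL, unit_bytes);
                require_action_quiet(result, out,
                                     SecError(errSecAllocate, error, CFSTR("RSApubkey failed to allocate output buffer")));
                ccrsa_pub_crypt(pubkey, (cc_unit *)CFDataGetMutableBytePtr((CFMutableDataRef)result),
                                (const cc_unit *)CFDataGetBytePtr(in1));
            }
            break;
        default:
            result = kCFNull;
            break;
    }
    // … unchanged: out: label and return …
```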
@@ -582,7 +323,18 @@ static OSStatus SecRSAPublicKeyCopyPublicSerialization(SecKeyRef key, CFDataRef* } static CFDictionaryRef SecRSAPublicKeyCopyAttributeDictionary(SecKeyRef key) { - return SecKeyGeneratePublicAttributeDictionary(key, kSecAttrKeyTypeRSA); + CFDictionaryRef dict = SecKeyGeneratePublicAttributeDictionary(key, kSecAttrKeyTypeRSA); + CFMutableDictionaryRef mutableDict = CFDictionaryCreateMutableCopy(NULL, 0, dict); + CFDictionarySetValue(mutableDict, kSecAttrCanDecrypt, kCFBooleanTrue); + CFDictionarySetValue(mutableDict, kSecAttrCanDerive, kCFBooleanFalse); + CFAssignRetained(dict, mutableDict); + return dict; +} + +static CFDataRef SecRSAPublicKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) { + ccrsa_pub_ctx_t pubkey; + pubkey.pub = key->key; + return SecRSAPublicKeyCreatePKCS1(CFGetAllocator(key), pubkey); } static CFStringRef SecRSAPublicKeyCopyDescription(SecKeyRef key) { @@ -594,7 +346,7 @@ static CFStringRef SecRSAPublicKeyCopyDescription(SecKeyRef key) { pubkey.pub = key->key; CFStringRef modulusString = CFDataCopyHexString(modRef); - require( modulusString, fail); + require_quiet(modulusString, fail); keyDescription = CFStringCreateWithFormat(kCFAllocatorDefault,NULL,CFSTR( "<SecKeyRef algorithm id: %lu, key type: %s, version: %d, block size: %zu bits, exponent: {hex: %llx, decimal: %lld}, modulus: %@, addr: %p>"), SecKeyGetAlgorithmId(key), key->key_class->name, key->key_class->version, (8*SecKeyGetBlockSize(key)), (long long)*ccrsa_ctx_e(pubkey), (long long)*ccrsa_ctx_e(pubkey), modulusString, key); 
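Review bot: SecRSAPublicKeyCopyAttributeDictionary passes the result of `SecKeyGeneratePublicAttributeDictionary` straight into `CFDictionaryCreateMutableCopy(NULL, 0, dict)` with no NULL check, and CoreFoundation does not accept a NULL source dictionary; add `if (dict == NULL) return NULL;` before the copy. Advertising `kSecAttrCanDecrypt` as true on a public key is surprising enough that the line should carry a comment naming the decrypt operation it refers to — presumably the raw cc_unit operation routed through the new `copyOperationResult`, but that cannot be confirmed from this hunk. The new SecRSAPublicKeyCopyExternalRepresentation accepts `error` and never populates it when SecRSAPublicKeyCreatePKCS1 returns NULL.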
@@ -608,69 +360,90 @@ fail: } SecKeyDescriptor kSecRSAPublicKeyDescriptor = { - kSecKeyDescriptorVersion, - "RSAPublicKey", - 0, /* extraBytes */ - SecRSAPublicKeyInit, - SecRSAPublicKeyDestroy, - NULL, /* SecKeyRawSignMethod */ - SecRSAPublicKeyRawVerify, - SecRSAPublicKeyRawEncrypt, - SecRSAPublicKeyRawDecrypt, - NULL, /* SecKeyComputeMethod */ - SecRSAPublicKeyBlockSize, - SecRSAPublicKeyCopyAttributeDictionary, - SecRSAPublicKeyCopyDescription, - NULL, - SecRSAPublicKeyCopyPublicSerialization, - NULL, - NULL + .version = kSecKeyDescriptorVersion, + .name = "RSAPublicKey", + + .init = SecRSAPublicKeyInit, + .destroy = SecRSAPublicKeyDestroy, + .blockSize = SecRSAPublicKeyBlockSize, + .copyDictionary = SecRSAPublicKeyCopyAttributeDictionary, + .copyExternalRepresentation = SecRSAPublicKeyCopyExternalRepresentation, + .describe = SecRSAPublicKeyCopyDescription, + .copyPublic = SecRSAPublicKeyCopyPublicSerialization, + .copyOperationResult = SecRSAPublicKeyCopyOperationResult, }; /* Public Key API functions. 
*/ -SecKeyRef SecKeyCreateRSAPublicKey(CFAllocatorRef allocator, +SecKeyRef SecKeyCreateRSAPublicKey_ios(CFAllocatorRef allocator, const uint8_t *keyData, CFIndex keyDataLength, SecKeyEncoding encoding) { return SecKeyCreate(allocator, &kSecRSAPublicKeyDescriptor, keyData, keyDataLength, encoding); } +SecKeyRef SecKeyCreateRSAPublicKey(CFAllocatorRef allocator, + const uint8_t *keyData, CFIndex keyDataLength, + SecKeyEncoding encoding) { + return SecKeyCreateRSAPublicKey_ios(allocator, keyData, + keyDataLength, encoding); +} + CFDataRef SecKeyCopyModulus(SecKeyRef key) { - ccrsa_pub_ctx_t pubkey; - pubkey.pub = key->key; + CFDataRef modulus = NULL; + if (key->key_class == &kSecRSAPublicKeyDescriptor) { + ccrsa_pub_ctx_t pubkey; + pubkey.pub = key->key; - size_t m_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey)); + size_t m_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey)); - CFAllocatorRef allocator = CFGetAllocator(key); - CFMutableDataRef modulusData = CFDataCreateMutable(allocator, m_size); + CFAllocatorRef allocator = CFGetAllocator(key); + CFMutableDataRef modulusData = CFDataCreateMutable(allocator, m_size); - if (modulusData == NULL) - return NULL; + if (modulusData == NULL) + return NULL; - CFDataSetLength(modulusData, m_size); + CFDataSetLength(modulusData, m_size); - ccn_write_uint(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey), m_size, CFDataGetMutableBytePtr(modulusData)); + ccn_write_uint(ccrsa_ctx_n(pubkey), ccrsa_ctx_m(pubkey), m_size, CFDataGetMutableBytePtr(modulusData)); + modulus = modulusData; + } else if (key->key_class->copyDictionary != NULL) { + CFDictionaryRef dict = key->key_class->copyDictionary(key); + if (dict != NULL) { + modulus = CFRetainSafe(CFDictionaryGetValue(dict, CFSTR("_rsam"))); + CFRelease(dict); + } + } - return modulusData; + return modulus; } CFDataRef SecKeyCopyExponent(SecKeyRef key) { - ccrsa_pub_ctx_t pubkey; - pubkey.pub = key->key; + CFDataRef exponent = NULL; + if (key->key_class == 
&kSecRSAPublicKeyDescriptor) { + ccrsa_pub_ctx_t pubkey; + pubkey.pub = key->key; - size_t e_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_e(pubkey)); + size_t e_size = ccn_write_uint_size(ccrsa_ctx_n(pubkey), ccrsa_ctx_e(pubkey)); - CFAllocatorRef allocator = CFGetAllocator(key); - CFMutableDataRef exponentData = CFDataCreateMutable(allocator, e_size); + CFAllocatorRef allocator = CFGetAllocator(key); + CFMutableDataRef exponentData = CFDataCreateMutable(allocator, e_size); - if (exponentData == NULL) - return NULL; + if (exponentData == NULL) + return NULL; - CFDataSetLength(exponentData, e_size); + CFDataSetLength(exponentData, e_size); - ccn_write_uint(ccrsa_ctx_n(pubkey), ccrsa_ctx_e(pubkey), e_size, CFDataGetMutableBytePtr(exponentData)); + ccn_write_uint(ccrsa_ctx_n(pubkey), ccrsa_ctx_e(pubkey), e_size, CFDataGetMutableBytePtr(exponentData)); + exponent = exponentData; + } else if (key->key_class->copyDictionary != NULL) { + CFDictionaryRef dict = key->key_class->copyDictionary(key); + if (dict != NULL) { + exponent = CFRetainSafe(CFDictionaryGetValue(dict, CFSTR("_rsae"))); + CFRelease(dict); + } + } - return exponentData; + return exponent; } 
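Review bot: The dictionary fallback in SecKeyCopyModulus and SecKeyCopyExponent returns whatever is stored under `_rsam`/`_rsae` as a CFDataRef without checking its type, so a key class that stores a different object there would hand callers a mistyped reference. Check before retaining, e.g. `CFTypeRef v = CFDictionaryGetValue(dict, CFSTR("_rsam")); if (v && CFGetTypeID(v) == CFDataGetTypeID()) modulus = CFRetainSafe(v);`, and the same for `_rsae`. The fast path is an address comparison against `&kSecRSAPublicKeyDescriptor`, so RSA private keys (whose descriptor is `kSecRSAPrivateKeyDescriptor`) always take the dictionary route; if that is intended, a one-line comment would stop a later "optimisation" from breaking it.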
@@ -701,18 +474,17 @@ static OSStatus SecRSAPrivateKeyInit(SecKeyRef key, const uint8_t *keyData, CFIn case kSecKeyEncodingBytes: // Octets is PKCS1 case kSecKeyEncodingPkcs1: { - const uint8_t *der_end = keyData + keyDataLength; - size_n = ccder_decode_rsa_priv_n(keyData, der_end); - require(size_n != 0, errOut); - require(size_n <= ccn_nof(kMaximumRSAKeyBits), errOut); + size_n = ccrsa_import_priv_n(keyDataLength,keyData); + require_quiet(size_n != 0, errOut); + require_quiet(size_n <= ccn_nof(kMaximumRSAKeyBits), errOut); key->key = calloc(1, ccrsa_full_ctx_size(ccn_sizeof_n(size_n))); - require_action(key->key, errOut, result = errSecAllocate); + require_action_quiet(key->key, errOut, result = errSecAllocate); fullkey.full = key->key; ccrsa_ctx_n(fullkey) = size_n; - require(ccder_decode_rsa_priv(fullkey, keyData, der_end), errOut); + require_quiet(ccrsa_import_priv(fullkey, keyDataLength, keyData)==0, errOut); result = errSecSuccess; break; @@ -733,14 +505,14 @@ static OSStatus SecRSAPrivateKeyInit(SecKeyRef key, const uint8_t *keyData, CFIn size_n = ccn_nof(keyLengthInBits); key->key = calloc(1, ccrsa_full_ctx_size(ccn_sizeof_n(size_n))); - require_action(key->key, errOut, result = errSecAllocate); + require_action_quiet(key->key, errOut, result = errSecAllocate); fullkey.full = key->key; ccrsa_ctx_n(fullkey) = size_n; /* TODO: Add support for kSecPublicExponent parameter. */ static uint8_t e[] = { 0x01, 0x00, 0x01 }; // Default is 65537 - if (!ccrsa_generate_key(keyLengthInBits, fullkey.full, sizeof(e), e, ccrng_seckey)) + if (!ccrsa_generate_fips186_key(keyLengthInBits, fullkey.full, sizeof(e), e, ccrng_seckey,ccrng_seckey)) result = errSecSuccess; break; } 
@@ -751,164 +523,51 @@ errOut: return result; } -static OSStatus SecRSAPrivateKeyRawSign(SecKeyRef key, SecPadding padding, - const uint8_t *dataToSign, size_t dataToSignLen, - uint8_t *sig, size_t *sigLen) { - - OSStatus result = errSecParam; - - ccrsa_full_ctx_t fullkey; - fullkey.full = key->key; - - size_t m_size = ccn_write_uint_size(ccrsa_ctx_n(fullkey), ccrsa_ctx_m(fullkey)); - cc_unit s[ccrsa_ctx_n(fullkey)]; - - uint8_t* sBytes = (uint8_t*) s; - - require(sigLen, errOut); - require(*sigLen >= m_size, errOut); - - switch (padding) { - case kSecPaddingNone: - // We'll allow modulus size assuming input is smaller than modulus - require_quiet(dataToSignLen <= m_size, errOut); - require_noerr_quiet(ccn_read_uint(ccrsa_ctx_n(fullkey), s, dataToSignLen, dataToSign), errOut); - require_quiet(ccn_cmp(ccrsa_ctx_n(fullkey), s, ccrsa_ctx_m(fullkey)) < 0, errOut); - break; - - case kSecPaddingPKCS1: - { - // Create PKCS1 padding: - // - // 0x00, 0x01 (RSA_PKCS1_PAD_SIGN), 0xFF .. 0x00, signedData - // - const int kMinimumPadding = 1 + 1 + 8 + 1; - - require_quiet(dataToSignLen <= m_size - kMinimumPadding, errOut); - - size_t prefix_zeros = ccn_sizeof_n(ccrsa_ctx_n(fullkey)) - m_size; - - while (prefix_zeros--) - *sBytes++ = 0x00; - - size_t pad_size = m_size - dataToSignLen; - - *sBytes++ = 0x00; - *sBytes++ = RSA_PKCS1_PAD_SIGN; - - size_t ff_size; - for(ff_size = pad_size - 3; ff_size > 0; --ff_size) - *sBytes++ = 0xFF; - - *sBytes++ = 0x00; - - // Get the user data into s looking like a ccn. 
- memcpy(sBytes, dataToSign, dataToSignLen); - ccn_swap(ccrsa_ctx_n(fullkey), s); - - break; - } - case kSecPaddingOAEP: - result = errSecParam; - default: - goto errOut; - } - - ccrsa_priv_crypt(ccrsa_ctx_private(fullkey), s, s); - - // Pad with leading zeros to fit in modulus size - ccn_write_uint_padded(ccrsa_ctx_n(fullkey), s, m_size, sig); - *sigLen = m_size; - - result = errSecSuccess; - -errOut: - ccn_zero(ccrsa_ctx_n(fullkey), s); - return result; -} - -static OSStatus SecRSAPrivateKeyRawDecrypt(SecKeyRef key, SecPadding padding, - const uint8_t *cipherText, size_t cipherTextLen, - uint8_t *plainText, size_t *plainTextLen) { - OSStatus result = errSSLCrypto; - - ccrsa_full_ctx_t fullkey; - fullkey.full = key->key; - - size_t m_size = ccn_write_uint_size(ccrsa_ctx_n(fullkey), ccrsa_ctx_m(fullkey)); - - cc_unit s[ccrsa_ctx_n(fullkey)]; - uint8_t recoveredData[ccn_sizeof_n(ccrsa_ctx_n(fullkey))]; - - ccn_read_uint(ccrsa_ctx_n(fullkey), s, cipherTextLen, cipherText); - ccrsa_priv_crypt(ccrsa_ctx_private(fullkey), s, s); - - const uint8_t* sBytes = (uint8_t*) s; - const uint8_t* sEnd = (uint8_t*) (s + ccrsa_ctx_n(fullkey)); - - require(plainTextLen, errOut); - - switch (padding) { - case kSecPaddingNone: - ccn_swap(ccrsa_ctx_n(fullkey), s); - // Skip Zeros since our contract is to do so. - while (sBytes < sEnd && *sBytes == 0x00) - ++sBytes; - break; - - case kSecPaddingPKCS1: - { - ccn_swap(ccrsa_ctx_n(fullkey), s); - // Verify and skip PKCS1 padding: - // - // 0x00, 0x01 (RSA_PKCS1_PAD_ENCRYPT), 0xFF .. 
0x00, signedData - // - - size_t prefix_zeros = ccn_sizeof_n(ccrsa_ctx_n(fullkey)) - m_size; - - while (prefix_zeros--) - require_quiet(*sBytes++ == 0x00, errOut); - - require_quiet(*sBytes++ == 0x00, errOut); - require_quiet(*sBytes++ == RSA_PKCS1_PAD_ENCRYPT, errOut); - - while (*sBytes != 0x00) { - require_quiet(++sBytes < sEnd, errOut); +static CFTypeRef SecRSAPrivateKeyCopyOperationResult(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, + CFArrayRef allAlgorithms, SecKeyOperationMode mode, + CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { + CFTypeRef result = kCFNull; + + ccrsa_full_ctx_t fullkey = { .full = key->key }; + switch (operation) { + case kSecKeyOperationTypeSign: + if (CFEqual(algorithm, kSecKeyAlgorithmRSASignatureRawCCUnit)) { + if (mode == kSecKeyOperationModePerform) { + // Verify that data is smaller than modulus. + require_action_quiet(ccn_cmpn(ccn_nof_size(CFDataGetLength(in1)), (const cc_unit *)CFDataGetBytePtr(in1), + ccrsa_ctx_n(fullkey), ccrsa_ctx_m(fullkey)) < 0, out, + (result = NULL, + SecError(errSecParam, error, CFSTR("%@: sign - digest too big (%d bytes)"), + (int)CFDataGetLength(in1)))); + + // Encrypt buffer and write it to output data. + result = CFDataCreateMutableWithScratch(kCFAllocatorDefault, ccrsa_block_size(ccrsa_ctx_public(fullkey))); + ccrsa_priv_crypt(fullkey, (cc_unit *)CFDataGetMutableBytePtr((CFMutableDataRef)result), + (const cc_unit *)CFDataGetBytePtr(in1)); + } else { + // Operation is supported. 
+ result = kCFBooleanTrue; + } } - // Required to have at least 8 non-zeros - require_quiet((sBytes - (uint8_t*)s) - 2 >= 8, errOut); - - require_quiet(*sBytes == 0x00, errOut); - require_quiet(++sBytes < sEnd, errOut); break; - } - case kSecPaddingOAEP: - { - size_t length = sizeof(recoveredData); - - require_noerr_quiet(ccrsa_oaep_decode(ccsha1_di(), - &length, recoveredData, - ccn_write_uint_size(ccrsa_ctx_n(fullkey),ccrsa_ctx_m(fullkey)), s - ), errOut); - - sBytes = recoveredData; - sEnd = recoveredData + length; + case kSecKeyOperationTypeDecrypt: + if (CFEqual(algorithm, kSecKeyAlgorithmRSAEncryptionRawCCUnit)) { + if (mode == kSecKeyOperationModePerform) { + // Decrypt buffer and write it to output data. + result = CFDataCreateMutableWithScratch(NULL, ccrsa_block_size(fullkey)); + ccrsa_priv_crypt(fullkey, (cc_unit *)CFDataGetMutableBytePtr((CFMutableDataRef)result), + (const cc_unit *)CFDataGetBytePtr(in1)); + } else { + // Operation is supported. + result = kCFBooleanTrue; + } + } break; - } default: - goto errOut; + break; } - require((sEnd - sBytes) <= (ptrdiff_t)*plainTextLen, errOut); - *plainTextLen = sEnd - sBytes; - memcpy(plainText, sBytes, *plainTextLen); - - result = errSecSuccess; - -errOut: - bzero(recoveredData, sizeof(recoveredData)); - ccn_zero(ccrsa_ctx_n(fullkey), s); - +out: return result; } 
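Review bot: The sign-branch error in SecRSAPrivateKeyCopyOperationResult uses a format with two conversions, `CFSTR("%@: sign - digest too big (%d bytes)")`, but supplies only one argument, `(int)CFDataGetLength(in1)`, so `%@` consumes the int as an object reference; either drop the `%@: ` prefix or pass the missing first argument (`algorithm`, most likely). Both perform paths also hand `CFDataGetBytePtr(in1)` to `ccrsa_priv_crypt`, which reads `ccrsa_ctx_n(fullkey)` units, without checking that `in1` is `ccrsa_block_size(fullkey)` bytes long — the sign branch bounds only the numeric value, and `ccn_nof_size` rounds a non-multiple length up — so a short input over-reads the caller's buffer unless the layer that dispatches the `RawCCUnit` algorithms already guarantees the size, which is not visible here. A `require_action_quiet(CFDataGetLength(in1) == ccrsa_block_size(fullkey), out, ...)` at the top of each perform path would close that.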
@@ -921,34 +580,7 @@ static size_t SecRSAPrivateKeyBlockSize(SecKeyRef key) { static CFDataRef SecRSAPrivateKeyCreatePKCS1(CFAllocatorRef allocator, ccrsa_full_ctx_t fullkey) { - ccrsa_priv_ctx_t privkey = ccrsa_ctx_private(fullkey); - - const cc_size np = cczp_n(ccrsa_ctx_private_zp(privkey)); - const cc_size nq = cczp_n(ccrsa_ctx_private_zq(privkey)); - - size_t m_size = ccn_write_int_size(ccrsa_ctx_n(fullkey), ccrsa_ctx_m(fullkey)); - size_t e_size = ccn_write_int_size(ccrsa_ctx_n(fullkey), ccrsa_ctx_e(fullkey)); - size_t d_size = ccn_write_int_size(ccrsa_ctx_n(fullkey), ccrsa_ctx_d(fullkey)); - - size_t p_size = ccn_write_int_size(np, cczp_prime(ccrsa_ctx_private_zp(privkey))); - size_t q_size = ccn_write_int_size(nq, cczp_prime(ccrsa_ctx_private_zq(privkey))); - - size_t dp_size = ccn_write_int_size(np, ccrsa_ctx_private_dp(privkey)); - size_t dq_size = ccn_write_int_size(nq, ccrsa_ctx_private_dq(privkey)); - - size_t qinv_size = ccn_write_int_size(np, ccrsa_ctx_private_qinv(privkey)); - - const size_t seq_size = 3 + - DERLengthOfItem(ASN1_INTEGER, m_size) + - DERLengthOfItem(ASN1_INTEGER, e_size) + - DERLengthOfItem(ASN1_INTEGER, d_size) + - DERLengthOfItem(ASN1_INTEGER, p_size) + - DERLengthOfItem(ASN1_INTEGER, q_size) + - DERLengthOfItem(ASN1_INTEGER, dp_size) + - DERLengthOfItem(ASN1_INTEGER, dq_size) + - DERLengthOfItem(ASN1_INTEGER, qinv_size); - - const size_t result_size = DERLengthOfItem(ASN1_SEQUENCE, seq_size); + const size_t result_size = ccrsa_export_priv_size(fullkey); CFMutableDataRef pkcs1 = CFDataCreateMutable(allocator, result_size); 
@@ -959,25 +591,11 @@ static CFDataRef SecRSAPrivateKeyCreatePKCS1(CFAllocatorRef allocator, ccrsa_ful uint8_t *bytes = CFDataGetMutableBytePtr(pkcs1); - *bytes++ = ASN1_CONSTR_SEQUENCE; - - DERSize itemLength = 4; - DEREncodeLength(seq_size, bytes, &itemLength); - bytes += itemLength; - - *bytes++ = ASN1_INTEGER; - *bytes++ = 0x01; - *bytes++ = 0x00; - - ccasn_encode_int(ccrsa_ctx_n(fullkey), ccrsa_ctx_m(fullkey), m_size, &bytes); - ccasn_encode_int(ccrsa_ctx_n(fullkey), ccrsa_ctx_e(fullkey), e_size, &bytes); - ccasn_encode_int(ccrsa_ctx_n(fullkey), ccrsa_ctx_d(fullkey), d_size, &bytes); - - ccasn_encode_int(np, cczp_prime(ccrsa_ctx_private_zp(privkey)), p_size, &bytes); - ccasn_encode_int(nq, cczp_prime(ccrsa_ctx_private_zq(privkey)), q_size, &bytes); - ccasn_encode_int(np, ccrsa_ctx_private_dp(privkey), dp_size, &bytes); - ccasn_encode_int(nq, ccrsa_ctx_private_dq(privkey), dq_size, &bytes); - ccasn_encode_int(np, ccrsa_ctx_private_qinv(privkey), qinv_size, &bytes); + if (ccrsa_export_priv(fullkey,result_size,bytes)!=0) { + /* Decoding failed */ + CFReleaseNull(pkcs1); + return NULL; + } return pkcs1; } @@ -1012,9 +630,12 @@ static CFDictionaryRef SecRSAPrivateKeyCopyAttributeDictionary(SecKeyRef key) { /* PKCS1 encode the key pair. */ fullKeyBlob = SecRSAPrivateKeyCopyPKCS1(key); - require(fullKeyBlob, errOut); + require_quiet(fullKeyBlob, errOut); dict = SecKeyGeneratePrivateAttributeDictionary(key, kSecAttrKeyTypeRSA, fullKeyBlob); + CFMutableDictionaryRef mutableDict = CFDictionaryCreateMutableCopy(NULL, 0, dict); + CFDictionarySetValue(mutableDict, kSecAttrCanDerive, kCFBooleanFalse); + CFAssignRetained(dict, mutableDict); errOut: CFReleaseSafe(fullKeyBlob); 
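Review bot: When `ccrsa_export_priv(fullkey,result_size,bytes)!=0` in SecRSAPrivateKeyCreatePKCS1, `pkcs1` is released with whatever the exporter wrote before failing — potentially part of the private key — and CFRelease does not scrub the backing store; clear it first with `bzero(bytes, result_size);` before `CFReleaseNull(pkcs1);`, matching the zeroisation this file applies to other key material. Whether corecrypto can fail after partial output is not visible here, so treat this as defence in depth. The comment `/* Decoding failed */` describes an export call and should read `/* Encoding failed */`. SecRSAPrivateKeyCreatePKCS1 begins outside this hunk.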
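Review bot: SecRSAPrivateKeyCopyAttributeDictionary now calls `CFDictionaryCreateMutableCopy(NULL, 0, dict)` on the result of `SecKeyGeneratePrivateAttributeDictionary` without checking it for NULL, which CoreFoundation does not accept as a source dictionary; insert `require_quiet(dict, errOut);` before the copy. The `errOut` label and the `CFReleaseSafe(fullKeyBlob)` it leads to are visible in the hunk, so the jump is safe and `dict` is returned as NULL. The function's declaration is outside the hunk.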
@@ -1022,29 +643,28 @@ errOut: return dict; } +static CFDataRef SecRSAPrivateKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) { + return SecRSAPrivateKeyCopyPKCS1(key); +} + static CFStringRef SecRSAPrivateKeyCopyDescription(SecKeyRef key){ return CFStringCreateWithFormat(kCFAllocatorDefault,NULL,CFSTR( "<SecKeyRef algorithm id: %lu, key type: %s, version: %d, block size: %zu bits, addr: %p>"), SecKeyGetAlgorithmId(key), key->key_class->name, key->key_class->version, (8*SecKeyGetBlockSize(key)), key); } + SecKeyDescriptor kSecRSAPrivateKeyDescriptor = { - kSecKeyDescriptorVersion, - "RSAPrivateKey", - 0, /* extraBytes */ - SecRSAPrivateKeyInit, - SecRSAPrivateKeyDestroy, - SecRSAPrivateKeyRawSign, - NULL, /* SecKeyRawVerifyMethod */ - NULL, /* SecKeyEncryptMethod */ - SecRSAPrivateKeyRawDecrypt, - NULL, /* SecKeyComputeMethod */ - SecRSAPrivateKeyBlockSize, - SecRSAPrivateKeyCopyAttributeDictionary, - SecRSAPrivateKeyCopyDescription, - NULL, - SecRSAPrivateKeyCopyPublicSerialization, - NULL, - NULL + .version = kSecKeyDescriptorVersion, + .name = "RSAPrivateKey", + + .init = SecRSAPrivateKeyInit, + .destroy = SecRSAPrivateKeyDestroy, + .blockSize = SecRSAPrivateKeyBlockSize, + .copyExternalRepresentation = SecRSAPrivateKeyCopyExternalRepresentation, + .copyDictionary = SecRSAPrivateKeyCopyAttributeDictionary, + .describe = SecRSAPrivateKeyCopyDescription, + .copyPublic = SecRSAPrivateKeyCopyPublicSerialization, + .copyOperationResult = SecRSAPrivateKeyCopyOperationResult, }; /* Private Key API functions. */ 
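Review bot: SecRSAPrivateKeyCopyExternalRepresentation takes a `CFErrorRef *error` but returns the NULL from SecRSAPrivateKeyCopyPKCS1 without populating it, so callers of the new `copyExternalRepresentation` entry get NULL with no diagnosis. Report the failure the way SecRSAPrivateKeyCopyOperationResult does: `CFDataRef data = SecRSAPrivateKeyCopyPKCS1(key); if (data == NULL) SecError(errSecInternal, error, CFSTR("%@: failed to encode RSA private key"), key); return data;`. The public-key counterpart added earlier in this patch has the same gap.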
@@ -1066,13 +686,13 @@ OSStatus SecRSAKeyGeneratePair(CFDictionaryRef parameters, SecKeyRef privKey = SecKeyCreate(allocator, &kSecRSAPrivateKeyDescriptor, (const void*) parameters, 0, kSecGenerateKey); - require(privKey, errOut); + require_quiet(privKey, errOut); /* Create SecKeyRef's from the pkcs1 encoded keys. */ pubKey = SecKeyCreate(allocator, &kSecRSAPublicKeyDescriptor, privKey->key, 0, kSecExtractPublicFromPrivate); - require(pubKey, errOut); + require_quiet(pubKey, errOut); if (rsaPublicKey) { *rsaPublicKey = pubKey; diff --git a/OSX/sec/Security/SecRandom.h b/OSX/sec/Security/SecRandom.h index 322404a5..0ee81c63 100644 --- a/OSX/sec/Security/SecRandom.h +++ b/OSX/sec/Security/SecRandom.h @@ -53,10 +53,12 @@ extern const SecRandomRef kSecRandomDefault /*! @function SecRandomCopyBytes @abstract Return count random bytes in *bytes, allocated by the caller. + It is critical to check the return value for error @result Return 0 on success or -1 if something went wrong, check errno to find out the real error. */ int SecRandomCopyBytes(SecRandomRef __nullable rnd, size_t count, uint8_t *bytes) + __attribute__ ((warn_unused_result)) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); CF_IMPLICIT_BRIDGING_DISABLED diff --git a/OSX/sec/Security/SecServerEncryptionSupport.c b/OSX/sec/Security/SecServerEncryptionSupport.c index 1168987b..f8152b51 100644 --- a/OSX/sec/Security/SecServerEncryptionSupport.c +++ b/OSX/sec/Security/SecServerEncryptionSupport.c @@ -22,8 +22,6 @@ #include <corecrypto/ccaes.h> #include <corecrypto/ccder.h> -#if !(TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) - // // We assume that SecKey is set up for this to work. // Specifically ccrng_seckey needs to be initialized 
@@ -320,10 +318,18 @@ CFDataRef SecCopyDecryptedForServer(SecKeyRef serverFullKey, CFDataRef blob, CFE return result; } +#if TARGET_OS_MAC && !(TARGET_OS_IPHONE || TARGET_OS_EMBEDDED) +#include <Security/SecTrustInternal.h> +#endif + CFDataRef SecCopyEncryptedToServer(SecTrustRef trustedEvaluation, CFDataRef dataToEncrypt, CFErrorRef *error) { CFDataRef result = NULL; +#if TARGET_OS_MAC && !(TARGET_OS_IPHONE || TARGET_OS_EMBEDDED) + SecKeyRef trustKey = SecTrustCopyPublicKey_ios(trustedEvaluation); +#else SecKeyRef trustKey = SecTrustCopyPublicKey(trustedEvaluation); +#endif require_action_quiet(trustKey, fail, SecError(errSecInteractionNotAllowed, error, CFSTR("Failed to get key out of trust ref, was it evaluated?"))); @@ -332,24 +338,6 @@ CFDataRef SecCopyEncryptedToServer(SecTrustRef trustedEvaluation, CFDataRef data result = SecCopyEncryptedToServerKey(trustKey, dataToEncrypt, error); fail: - + CFReleaseNull(trustKey); return result; } - -#else - -CFDataRef SecCopyDecryptedForServer(SecKeyRef serverFullKey, CFDataRef encryptedData, CFErrorRef* error) -{ - SecError(errSecUnimplemented, error, CFSTR("SecCopyDecryptedForServer not implemented on this platform")); - - return NULL; -} - -CFDataRef SecCopyEncryptedToServer(SecTrustRef trustedEvaluation, CFDataRef dataToEncrypt, CFErrorRef *error) -{ - SecError(errSecUnimplemented, error, CFSTR("SecCopyEncryptedToServer not implemented on this platform")); - - return NULL; -} - -#endif diff --git a/OSX/sec/Security/SecServerEncryptionSupport.h b/OSX/sec/Security/SecServerEncryptionSupport.h index e96b474c..54dedc5a 100644 --- a/OSX/sec/Security/SecServerEncryptionSupport.h +++ b/OSX/sec/Security/SecServerEncryptionSupport.h 
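Review bot: The new `#include <Security/SecTrustInternal.h>` is placed mid-file, immediately above SecCopyEncryptedToServer, instead of in the include block at the top of the file (part of which is visible in the previous hunk); move it there, keeping its `#if TARGET_OS_MAC && !(TARGET_OS_IPHONE || TARGET_OS_EMBEDDED)` guard. The OS X branch that calls `SecTrustCopyPublicKey_ios` deserves a one-line comment saying why the iOS variant is required there — presumably so the key is the iOS-style SecKeyRef that SecCopyEncryptedToServerKey expects, consistent with the caution added to the header, but the code does not say so.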
@@ -12,15 +12,16 @@ #include <Security/SecTrust.h> CFDataRef SecCopyEncryptedToServer(SecTrustRef trustedEvaluation, CFDataRef dataToEncrypt, CFErrorRef *error) - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0); + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0); // // For testing // +/* Caution: These functions take an iOS SecKeyRef. Careful use is required on OS X. */ CFDataRef SecCopyDecryptedForServer(SecKeyRef serverFullKey, CFDataRef encryptedData, CFErrorRef* error) __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0); CFDataRef SecCopyEncryptedToServerKey(SecKeyRef publicKey, CFDataRef dataToEncrypt, CFErrorRef *error) - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0); + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0); #endif diff --git a/OSX/sec/Security/SecSharedCredential.c b/OSX/sec/Security/SecSharedCredential.c index effad87d..bf7a275a 100644 --- a/OSX/sec/Security/SecSharedCredential.c +++ b/OSX/sec/Security/SecSharedCredential.c @@ -1,15 +1,15 @@ /* - * Copyright (c) 2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2014-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
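Review bot: SecCopyDecryptedForServer keeps `__OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0)` while its two neighbours move to `__MAC_10_12`, yet the accompanying .c change removes the OS X stubs, so the declaration and the implementation now disagree about OS X availability; either align it to `__OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0)` or comment why it stays unavailable. The new caution comment would be more useful if it said what careful use means — for instance that the SecKeyRef must come from the `_ios` key entry points used elsewhere in this patch rather than the legacy OS X SecKey implementation, if that is indeed the constraint.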
@@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ * * SecSharedCredential.c - CoreFoundation-based functions to store and retrieve shared credentials. @@ -54,7 +54,7 @@ OSStatus SecAddSharedWebCredentialSync(CFStringRef fqdn, CFDictionaryAddValue(args, kSecAttrAccount, account); } if (password) { -#if TARGET_OS_IPHONE && !TARGET_IPHONE_SIMULATOR && !TARGET_OS_WATCH +#if TARGET_OS_IPHONE && !TARGET_IPHONE_SIMULATOR && !TARGET_OS_WATCH && !TARGET_OS_TV CFDictionaryAddValue(args, kSecSharedPassword, password); #else CFDictionaryAddValue(args, CFSTR("spwd"), password); @@ -244,16 +244,16 @@ void SecRequestSharedWebCredential(CFStringRef fqdn, CFStringRef SecCreateSharedWebCredentialPassword(void) { - + CFStringRef password = NULL; CFErrorRef error = NULL; CFMutableDictionaryRef passwordRequirements = NULL; - + CFStringRef allowedCharacters = CFSTR("abcdefghkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"); CFCharacterSetRef requiredCharactersLower = CFCharacterSetCreateWithCharactersInString(NULL, CFSTR("abcdefghkmnopqrstuvwxyz")); CFCharacterSetRef requiredCharactersUppder = CFCharacterSetCreateWithCharactersInString(NULL, CFSTR("ABCDEFGHJKLMNPQRSTUVWXYZ")); CFCharacterSetRef requiredCharactersNumbers = CFCharacterSetCreateWithCharactersInString(NULL, CFSTR("3456789")); - + int groupSize = 3; int groupCount = 4; int totalLength = (groupSize * groupCount); 
@@ -261,12 +261,12 @@ CFStringRef SecCreateSharedWebCredentialPassword(void) CFNumberRef groupCountRef = CFNumberCreate(NULL, kCFNumberIntType, &groupCount); CFNumberRef totalLengthRef = CFNumberCreate(NULL, kCFNumberIntType, &totalLength); CFStringRef separator = CFSTR("-"); - + CFMutableArrayRef requiredCharacterSets = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); CFArrayAppendValue(requiredCharacterSets, requiredCharactersLower); CFArrayAppendValue(requiredCharacterSets, requiredCharactersUppder); CFArrayAppendValue(requiredCharacterSets, requiredCharactersNumbers); - + passwordRequirements = CFDictionaryCreateMutable(NULL, 0, NULL, NULL); CFDictionaryAddValue(passwordRequirements, kSecPasswordAllowedCharactersKey, allowedCharacters); CFDictionaryAddValue(passwordRequirements, kSecPasswordRequiredCharactersKey, requiredCharacterSets); @@ -282,11 +282,11 @@ CFStringRef SecCreateSharedWebCredentialPassword(void) CFRelease(groupSizeRef); CFRelease(groupCountRef); CFRelease(totalLengthRef); - + password = SecPasswordGenerate(kSecPasswordTypeSafari, &error, passwordRequirements); - + CFRelease(requiredCharacterSets); - CFRelease(passwordRequirements); + CFRelease(passwordRequirements); if ((error && error != errSecSuccess) || !password) { if (password) CFRelease(password); @@ -295,6 +295,6 @@ CFStringRef SecCreateSharedWebCredentialPassword(void) } else { return password; } - + } diff --git a/OSX/sec/Security/SecSharedCredential.h b/OSX/sec/Security/SecSharedCredential.h index 82f0ced9..822a3f3c 100644 --- a/OSX/sec/Security/SecSharedCredential.h +++ b/OSX/sec/Security/SecSharedCredential.h 
@@ -1,15 +1,15 @@ /* - * Copyright (c) 2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2014-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -53,7 +53,7 @@ CF_IMPLICIT_BRIDGING_ENABLED that contains a password. */ extern const CFStringRef kSecSharedPassword - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0) __WATCHOS_UNAVAILABLE; + __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0) __WATCHOS_UNAVAILABLE __TVOS_UNAVAILABLE; /*! @function SecAddSharedWebCredential @@ -68,7 +68,7 @@ extern const CFStringRef kSecSharedPassword */ void SecAddSharedWebCredential(CFStringRef fqdn, CFStringRef account, CFStringRef __nullable password, void (^completionHandler)(CFErrorRef __nullable error)) - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0) __WATCHOS_UNAVAILABLE; + __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0) __WATCHOS_UNAVAILABLE __TVOS_UNAVAILABLE; /*! @function SecRequestSharedWebCredential 
@@ -90,7 +90,7 @@ void SecAddSharedWebCredential(CFStringRef fqdn, CFStringRef account, CFStringRe */ void SecRequestSharedWebCredential(CFStringRef __nullable fqdn, CFStringRef __nullable account, void (^completionHandler)(CFArrayRef __nullable credentials, CFErrorRef __nullable error)) - __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0) __WATCHOS_UNAVAILABLE; + __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0) __WATCHOS_UNAVAILABLE __TVOS_UNAVAILABLE; /*! @function SecCreateSharedWebCredentialPassword @@ -99,7 +99,7 @@ void SecRequestSharedWebCredential(CFStringRef __nullable fqdn, CFStringRef __nu */ __nullable CFStringRef SecCreateSharedWebCredentialPassword(void) -__OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0) __WATCHOS_UNAVAILABLE; + __OSX_AVAILABLE_STARTING(__MAC_NA, __IPHONE_8_0) __WATCHOS_UNAVAILABLE __TVOS_UNAVAILABLE; #endif /* __BLOCKS__ */ diff --git a/OSX/sec/Security/SecSignatureVerificationSupport.c b/OSX/sec/Security/SecSignatureVerificationSupport.c new file mode 100644 index 00000000..2e29fa3c --- /dev/null +++ b/OSX/sec/Security/SecSignatureVerificationSupport.c 
@@ -0,0 +1,119 @@
+//
+// SecSignatureVerificationSupport.c
+// sec
+//
+
+#include <TargetConditionals.h>
+#include <AssertMacros.h>
+#include <Security/SecSignatureVerificationSupport.h>
+
+#include <CoreFoundation/CFString.h>
+#include <utilities/SecCFError.h>
+#include <utilities/SecCFWrappers.h>
+
+#include <Security/SecBasePriv.h>
+#include <Security/SecKey.h>
+#include <Security/SecKeyPriv.h>
+#include <Security/SecECKeyPriv.h>
+
+#include <corecrypto/ccn.h>
+#include <corecrypto/ccec.h>
+#include <corecrypto/ccder.h>
+
+static const uint8_t *sec_decode_forced_uint(cc_size n,
+ cc_unit *r, const uint8_t *der, const uint8_t *der_end)
+{
+ size_t len;
+ der = ccder_decode_tl(CCDER_INTEGER, &len, der, der_end);
+ if (der && ccn_read_uint(n, r, len, der) >= 0) {
+ return der + len;
+ }
+ return NULL;
+}
+
+static CFErrorRef
+SecCreateSignatureVerificationError(OSStatus errorCode, CFStringRef descriptionString)
+{
+ const CFStringRef defaultDescription = CFSTR("Error verifying signature.");
+ const void* keys[1] = { kCFErrorDescriptionKey };
+ const void* values[2] = { (descriptionString) ? descriptionString : defaultDescription };
+ return CFErrorCreateWithUserInfoKeysAndValues(kCFAllocatorDefault,
+ kCFErrorDomainOSStatus, errorCode, keys, values, 1);
+}
+
+static void
+SecRecreateSignatureWithAlgId(SecKeyRef publicKey, const SecAsn1AlgId *publicKeyAlgId,
+ const uint8_t *oldSignature, size_t oldSignatureSize,
+ uint8_t **newSignature, size_t *newSignatureSize)
+{
+ if (!publicKey || !publicKeyAlgId ||
+ kSecECDSAAlgorithmID != SecKeyGetAlgorithmId(publicKey)) {
+ // ECDSA SHA-256 is the only type of signature currently supported by this function
+ return;
+ }
+
+ cc_size n = ccec_cp_n(ccec_cp_256());
+ cc_unit r[n], s[n];
+
+ const uint8_t *oldSignatureEnd = oldSignature + oldSignatureSize;
+
+ oldSignature = ccder_decode_sequence_tl(&oldSignatureEnd, oldSignature, oldSignatureEnd);
+ oldSignature = sec_decode_forced_uint(n, r, oldSignature, oldSignatureEnd);
+ oldSignature = sec_decode_forced_uint(n, s, oldSignature, oldSignatureEnd);
+ if (!oldSignature || !(oldSignatureEnd == oldSignature)) {
+ // failed to decode the old signature successfully
+ *newSignature = NULL;
+ return;
+ }
+
+ const uint8_t *outputPointer = *newSignature;
+ uint8_t *outputEndPointer = *newSignature + *newSignatureSize;
+
+ *newSignature = ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE,
+ outputEndPointer, outputPointer,
+ ccder_encode_integer(n, r, outputPointer, ccder_encode_integer(n, s, outputPointer, outputEndPointer)));
+ long newSigSize = outputEndPointer - *newSignature;
+ *newSignatureSize = (newSigSize >= 0) ? (size_t)newSigSize : 0;
+}
+
+bool SecVerifySignatureWithPublicKey(SecKeyRef publicKey, const SecAsn1AlgId *publicKeyAlgId,
+ const uint8_t *dataToHash, size_t amountToHash,
+ const uint8_t *signatureStart, size_t signatureSize,
+ CFErrorRef *error)
+{
+ OSStatus errorCode = errSecParam;
+ require(signatureSize > 0, fail);
+
+ errorCode = SecKeyDigestAndVerify(publicKey, publicKeyAlgId,
+ dataToHash, amountToHash,
+ (uint8_t*)signatureStart, signatureSize);
+ require_noerr(errorCode, fail);
+ return true;
+
+fail:
+ ; // Semicolon works around compiler issue that won't recognize a declaration directly after a label
+
+ // fallback to potentially fix signatures with missing zero-byte padding.
+ // worst-case is that both integers get zero-padded, plus size of each integer and sequence size increases by 1
+ size_t replacementSignatureLen = signatureSize + 5;
+ uint8_t *replacementSignature = malloc(replacementSignatureLen);
+ require_quiet(replacementSignature, fail2);
+
+ uint8_t *replacementSignaturePtr = replacementSignature;
+ SecRecreateSignatureWithAlgId(publicKey, publicKeyAlgId, signatureStart, signatureSize, &replacementSignaturePtr, &replacementSignatureLen);
+ require_quiet(replacementSignaturePtr, fail2);
+
+ require_noerr_quiet(SecKeyDigestAndVerify(publicKey, publicKeyAlgId, dataToHash, amountToHash, replacementSignaturePtr, replacementSignatureLen), fail2);
+
+ free(replacementSignature);
+ return true;
+
+fail2:
+ if (replacementSignature) {
+ free(replacementSignature);
+ }
+ if (error) {
+ *error = SecCreateSignatureVerificationError(errorCode, CFSTR("Unable to verify signature"));
+ }
+ return false;
+}
diff --git a/OSX/sec/Security/SecSignatureVerificationSupport.h b/OSX/sec/Security/SecSignatureVerificationSupport.h
new file mode 100644
index 00000000..aebc12bf
--- /dev/null
+++ b/OSX/sec/Security/SecSignatureVerificationSupport.h
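Review bot: SecRecreateSignatureWithAlgId returns early for a non-ECDSA key or NULL arguments without touching `*newSignature`, so the caller's `require_quiet(replacementSignaturePtr, fail2)` passes and `SecKeyDigestAndVerify` is run against the uninitialized `malloc` buffer; the verification will fail, but it is a read of indeterminate memory and a wasted public-key operation. Set `*newSignature = NULL;` in that branch, as the decode-failure branch already does. Two smaller points: `outputEndPointer - *newSignature` is computed even when the encoder returned NULL (the caller catches the NULL, but the pointer subtraction itself is undefined), so test for NULL before computing the size; and the fallback deliberately accepts ECDSA signatures whose INTEGERs lack the leading zero byte (the "forced uint" decode), which is a leniency that should be stated in a comment on SecVerifySignatureWithPublicKey so callers relying on strict DER know non-canonical encodings of a valid (r, s) are accepted.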
@@ -0,0 +1,22 @@ +// +// SecSignatureVerificationSupport.h +// +// + +#ifndef _SECURITY_SECSIGNATUREVERIFICATION_H_ +#define _SECURITY_SECSIGNATUREVERIFICATION_H_ + +#include <Availability.h> +#include <CoreFoundation/CoreFoundation.h> +#include <Security/SecKey.h> +#include <Security/SecAsn1Types.h> + + +bool SecVerifySignatureWithPublicKey(SecKeyRef publicKey, const SecAsn1AlgId *publicKeyAlgId, + const uint8_t *dataToHash, size_t amountToHash, + const uint8_t *signatureStart, size_t signatureSize, + CFErrorRef *error) + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_8_0); + + +#endif /* _SECURITY_SECSIGNATUREVERIFICATION_H_ */ diff --git a/OSX/sec/Security/SecTrust.c b/OSX/sec/Security/SecTrust.c index 806f8b76..73ee03c6 100644 --- a/OSX/sec/Security/SecTrust.c +++ b/OSX/sec/Security/SecTrust.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2006-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -55,6 +55,7 @@ #include <utilities/SecCFWrappers.h> #include <utilities/SecCertificateTrace.h> #include <utilities/debugging.h> +#include <utilities/der_plist.h> #include "SecRSAKey.h" #include <libDER/oids.h> @@ -70,6 +71,7 @@ SEC_CONST_DECL (kSecTrustInfoCompanyNameKey, "CompanyName"); SEC_CONST_DECL (kSecTrustInfoRevocationKey, "Revocation"); SEC_CONST_DECL (kSecTrustInfoRevocationValidUntilKey, "RevocationValidUntil"); SEC_CONST_DECL (kSecTrustInfoCertificateTransparencyKey, "CertificateTransparency"); +SEC_CONST_DECL (kSecTrustInfoCertificateTransparencyWhiteListKey, "CertificateTransparencyWhiteList"); /* Public trust result constants */ SEC_CONST_DECL (kSecTrustEvaluationDate, "TrustEvaluationDate"); 
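Review bot: The new public prototype of SecVerifySignatureWithPublicKey carries no documentation, so a caller cannot tell that it returns true only on a successful verification, that on failure it retries once with a re-encoded copy of the signature (ECDSA only, per the early return in SecRecreateSignatureWithAlgId) before reporting an error, or that `error` is written only on the failing path. A Doxygen-style block above the declaration covering the parameters, the return value, the ECDSA-only fallback and the ownership of `*error` (presumably released by the caller) would close that gap. The header also relies on `<CoreFoundation/CoreFoundation.h>` to provide `bool`, `uint8_t` and `size_t`; including `<stdbool.h>`, `<stdint.h>` and `<stddef.h>` directly would keep it self-contained.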
@@ -81,6 +83,7 @@ SEC_CONST_DECL (kSecTrustRevocationReason, "TrustRevocationReason"); SEC_CONST_DECL (kSecTrustRevocationValidUntilDate, "TrustExpirationDate"); SEC_CONST_DECL (kSecTrustResultDetails, "TrustResultDetails"); SEC_CONST_DECL (kSecTrustCertificateTransparency, "TrustCertificateTransparency"); +SEC_CONST_DECL (kSecTrustCertificateTransparencyWhiteList, "TrustCertificateTransparencyWhiteList"); #pragma mark - #pragma mark SecTrust @@ -89,19 +92,19 @@ SEC_CONST_DECL (kSecTrustCertificateTransparency, "TrustCertificateTransparency" ****************** SecTrust object ********************* ********************************************************/ struct __SecTrust { - CFRuntimeBase _base; - CFArrayRef _certificates; - CFArrayRef _anchors; - CFTypeRef _policies; - CFArrayRef _responses; - CFArrayRef _SCTs; + CFRuntimeBase _base; + CFArrayRef _certificates; + CFArrayRef _anchors; + CFTypeRef _policies; + CFArrayRef _responses; + CFArrayRef _SCTs; CFArrayRef _trustedLogs; - CFDateRef _verifyDate; - SecCertificatePathRef _chain; - SecKeyRef _publicKey; - CFArrayRef _details; - CFDictionaryRef _info; - CFArrayRef _exceptions; + CFDateRef _verifyDate; + SecCertificatePathRef _chain; + SecKeyRef _publicKey; + CFArrayRef _details; + CFDictionaryRef _info; + CFArrayRef _exceptions; /* Note that a value of kSecTrustResultInvalid (0) * indicates the trust must be (re)evaluated; any 
@@ -113,9 +116,29 @@ struct __SecTrust { /* If true we don't trust any anchors other than the ones in _anchors. */ bool _anchorsOnly; - - /* Master switch to permit or disable network use in policy evaluation */ - SecNetworkPolicy _networkPolicy; + /* If false we shouldn't search keychains for parents or anchors. */ + bool _keychainsAllowed; + + /* Data blobs for legacy CSSM_TP_APPLE_EVIDENCE_INFO structure, + * to support callers of SecTrustGetResult on OS X. Since fields of + * one structure contain pointers into the other, these cannot be + * serialized; if a SecTrust is being serialized or copied, these values + * should just be initialized to NULL in the copy and built when needed. */ + void* _legacy_info_array; + void* _legacy_status_array; + + /* The trust result as determined by the trust server, + * before the caller's exceptions are applied. + */ + SecTrustResultType _trustResultBeforeExceptions; + + /* === IMPORTANT! === + * Any change to this structure definition + * must also be made in the TSecTrust structure, + * located in SecTrust.cpp. To avoid problems, + * new fields should always be appended at the + * end of the structure. + */ }; /* Forward declarations of static functions. */ 
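Review bot: `_legacy_info_array` and `_legacy_status_array` are declared as `void*`, which drops the type of the CSSM evidence structures the comment describes and forces a cast at every use; a forward-declared struct pointer would stay opaque to this file while remaining type-checked. The closing comment asks that new fields be appended at the end of the structure, yet `_keychainsAllowed` was inserted mid-structure where `_networkPolicy` was removed — if TSecTrust in SecTrust.cpp mirrors this layout, the two definitions should be compared field by field. The `_keychainsAllowed` comment would also benefit from stating the default, which appears to be set to true at creation time in the `@@ -237,6 +238,7 @@` hunk.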
@@ -130,18 +153,26 @@ static CFStringRef SecTrustCopyFormatDescription(CFTypeRef cf, CFDictionaryRef f static void SecTrustDestroy(CFTypeRef cf) { SecTrustRef trust = (SecTrustRef)cf; - CFReleaseSafe(trust->_certificates); - CFReleaseSafe(trust->_policies); - CFReleaseSafe(trust->_responses); + + CFReleaseSafe(trust->_certificates); + CFReleaseSafe(trust->_policies); + CFReleaseSafe(trust->_responses); CFReleaseSafe(trust->_SCTs); CFReleaseSafe(trust->_trustedLogs); - CFReleaseSafe(trust->_verifyDate); - CFReleaseSafe(trust->_anchors); - CFReleaseSafe(trust->_chain); - CFReleaseSafe(trust->_publicKey); - CFReleaseSafe(trust->_details); - CFReleaseSafe(trust->_info); + CFReleaseSafe(trust->_verifyDate); + CFReleaseSafe(trust->_anchors); + CFReleaseSafe(trust->_chain); + CFReleaseSafe(trust->_publicKey); + CFReleaseSafe(trust->_details); + CFReleaseSafe(trust->_info); CFReleaseSafe(trust->_exceptions); + + if (trust->_legacy_info_array) { + free(trust->_legacy_info_array); + } + if (trust->_legacy_status_array) { + free(trust->_legacy_status_array); + } } /* Public API functions. */ 
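Review bot: The two `if (trust->_legacy_info_array) { free(...); }` guards added at the end of SecTrustDestroy are redundant, since `free(NULL)` is a no-op; `free(trust->_legacy_info_array); free(trust->_legacy_status_array);` is equivalent. The same free-and-guard sequence is repeated in SecTrustEvaluateIfNecessary (the `@@ -936,16 +1014,24 @@` hunk), where it additionally resets both pointers to NULL; a small static helper such as `SecTrustFreeLegacyArrays(SecTrustRef trust)` that frees and clears both, called from both places, would keep the two copies from drifting.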
@@ -179,37 +210,7 @@ OSStatus SecTrustCreateWithCertificates(CFTypeRef certificates, CFRelease(policy); } else if (CFGetTypeID(policies) == CFArrayGetTypeID()) { -#if (SECTRUST_OSX && TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR)) -#warning STU: <rdar://21330613> - // On OS X, passing an array consisting of the ssl and - // revocation policies is causing us not to return all the - // expected EV keys from SecTrustCopyResult, whereas if the - // revocation policy is omitted, they are present. - // Must debug this. - CFMutableArrayRef t_policies = CFArrayCreateMutable(allocator, 0, - &kCFTypeArrayCallBacks); - CFIndex ix, count = CFArrayGetCount(policies); - SecPolicyRef revocationPolicy = NULL, sslServerPolicy = NULL; - for (ix=0; ix<count; ix++) { - SecPolicyRef t_policy = (SecPolicyRef) CFArrayGetValueAtIndex(policies, ix); - CFStringRef oidstr = SecPolicyGetOidString(t_policy); - if (oidstr && CFEqual(oidstr, CFSTR("sslServer"))) { - sslServerPolicy = t_policy; - } - if (oidstr && CFEqual(oidstr, CFSTR("revocation"))) { - revocationPolicy = t_policy; - } else if (t_policy) { - CFArrayAppendValue(t_policies, t_policy); - } - } - if (revocationPolicy && !(sslServerPolicy && count==2)) { - CFArrayAppendValue(t_policies, revocationPolicy); - } - l_policies = CFArrayCreateCopy(allocator, t_policies); - CFReleaseSafe(t_policies); -#else l_policies = CFArrayCreateCopy(allocator, policies); -#endif } else if (CFGetTypeID(policies) == SecPolicyGetTypeID()) { l_policies = CFArrayCreate(allocator, &policies, 1, @@ -237,6 +238,7 @@ errOut: } else { result->_certificates = l_certs; result->_policies = l_policies; + result->_keychainsAllowed = true; if (trust) *trust = result; else 
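Review bot: `result->_keychainsAllowed = true;` in the `@@ -237,6 +238,7 @@` hunk establishes the default for the new flag without saying why, and this is the only place a reader can learn that keychain lookup of parents and anchors is on unless SecTrustSetKeychainsAllowed(trust, false) is called. A one-line comment on that assignment, e.g. `/* Default: parents and anchors may be looked up in keychains; see SecTrustSetKeychainsAllowed. */`, would make the default discoverable. The enclosing function starts outside the hunk.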
@@ -245,10 +247,11 @@ errOut: return status; } -static void SetTrustSetNeedsEvaluation(SecTrustRef trust) { +static void SecTrustSetNeedsEvaluation(SecTrustRef trust) { check(trust); if (trust) { trust->_trustResult = kSecTrustResultInvalid; + trust->_trustResultBeforeExceptions = kSecTrustResultInvalid; } } @@ -257,7 +260,7 @@ OSStatus SecTrustSetAnchorCertificatesOnly(SecTrustRef trust, if (!trust) { return errSecParam; } - SetTrustSetNeedsEvaluation(trust); + SecTrustSetNeedsEvaluation(trust); trust->_anchorsOnly = anchorCertificatesOnly; return errSecSuccess; @@ -268,7 +271,7 @@ OSStatus SecTrustSetAnchorCertificates(SecTrustRef trust, if (!trust) { return errSecParam; } - SetTrustSetNeedsEvaluation(trust); + SecTrustSetNeedsEvaluation(trust); if (anchorCertificates) CFRetain(anchorCertificates); if (trust->_anchors) @@ -299,7 +302,7 @@ OSStatus SecTrustSetOCSPResponse(SecTrustRef trust, CFTypeRef responseData) { if (!trust) { return errSecParam; } - SetTrustSetNeedsEvaluation(trust); + SecTrustSetNeedsEvaluation(trust); CFArrayRef responseArray = NULL; if (responseData) { if (CFGetTypeID(responseData) == CFArrayGetTypeID()) { @@ -322,7 +325,7 @@ OSStatus SecTrustSetSignedCertificateTimestamps(SecTrustRef trust, CFArrayRef sc if (!trust) { return errSecParam; } - SetTrustSetNeedsEvaluation(trust); + SecTrustSetNeedsEvaluation(trust); CFRetainAssign(trust->_SCTs, sctArray); return errSecSuccess; @@ -332,7 +335,7 @@ OSStatus SecTrustSetTrustedLogs(SecTrustRef trust, CFArrayRef trustedLogs) { if (!trust) { return errSecParam; } - SetTrustSetNeedsEvaluation(trust); + SecTrustSetNeedsEvaluation(trust); CFRetainAssign(trust->_trustedLogs, trustedLogs); return errSecSuccess; @@ -342,7 +345,7 @@ OSStatus SecTrustSetVerifyDate(SecTrustRef trust, CFDateRef verifyDate) { if (!trust) { return errSecParam; } - SetTrustSetNeedsEvaluation(trust); + SecTrustSetNeedsEvaluation(trust); check(verifyDate); CFRetainAssign(trust->_verifyDate, verifyDate); 
@@ -353,7 +356,7 @@ OSStatus SecTrustSetPolicies(SecTrustRef trust, CFTypeRef newPolicies) { if (!trust || !newPolicies) { return errSecParam; } - SetTrustSetNeedsEvaluation(trust); + SecTrustSetNeedsEvaluation(trust); check(newPolicies); CFArrayRef policyArray = NULL; @@ -373,6 +376,25 @@ OSStatus SecTrustSetPolicies(SecTrustRef trust, CFTypeRef newPolicies) { return errSecSuccess; } +OSStatus SecTrustSetKeychainsAllowed(SecTrustRef trust, Boolean allowed) { + if (!trust) { + return errSecParam; + } + SecTrustSetNeedsEvaluation(trust); + trust->_keychainsAllowed = allowed; + + return errSecSuccess; +} + +OSStatus SecTrustGetKeychainsAllowed(SecTrustRef trust, Boolean *allowed) { + if (!trust || !allowed) { + return errSecParam; + } + *allowed = trust->_keychainsAllowed; + + return errSecSuccess; +} + OSStatus SecTrustCopyPolicies(SecTrustRef trust, CFArrayRef *policies) { if (!trust|| !policies) { return errSecParam; 
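Review bot: SecTrustSetKeychainsAllowed and SecTrustGetKeychainsAllowed in the `@@ -373,6 +376,25 @@` hunk are new externally visible functions with no header comment, so nothing states what the flag controls (per the struct comment, whether parents and anchors may be searched in keychains), that the setter invalidates a previous evaluation through SecTrustSetNeedsEvaluation, or that the getter leaves `*allowed` untouched when it returns errSecParam. A short Doxygen block above each, consistent with the wording used for the other setters in the public header, would cover that. Since the default appears to be true, callers that need a self-contained evaluation of a chain they did not assemble themselves will want to know that they must turn it off explicitly, which is another reason to document the default.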
@@ -388,11 +410,78 @@ OSStatus SecTrustCopyPolicies(SecTrustRef trust, CFArrayRef *policies) { return errSecSuccess; } +static OSStatus SecTrustSetOptionInPolicies(CFArrayRef policies, CFStringRef key, CFTypeRef value) { + OSStatus status = errSecSuccess; + require_action(policies && CFGetTypeID(policies) == CFArrayGetTypeID(), out, status = errSecInternal); + for (int i=0; i < CFArrayGetCount(policies); i++) { + SecPolicyRef policy = NULL; + require_action_quiet(policy = (SecPolicyRef)CFArrayGetValueAtIndex(policies, i), out, status = errSecInternal); + CFMutableDictionaryRef options = NULL; + require_action_quiet(options = CFDictionaryCreateMutableCopy(NULL, 0, policy->_options), out, status = errSecAllocate); + CFDictionaryAddValue(options, key, value); + CFReleaseNull(policy->_options); + policy->_options = options; + } +out: + return status; +} + +static OSStatus SecTrustRemoveOptionInPolicies(CFArrayRef policies, CFStringRef key) { + OSStatus status = errSecSuccess; + require_action(policies && CFGetTypeID(policies) == CFArrayGetTypeID(), out, status = errSecInternal); + for (int i=0; i < CFArrayGetCount(policies); i++) { + SecPolicyRef policy = NULL; + require_action_quiet(policy = (SecPolicyRef)CFArrayGetValueAtIndex(policies, i), out, status = errSecInternal); + if (CFDictionaryGetValue(policy->_options, key)) { + CFMutableDictionaryRef options = NULL; + require_action_quiet(options = CFDictionaryCreateMutableCopy(NULL, 0, policy->_options), out, status = errSecAllocate); + CFDictionaryRemoveValue(options, key); + CFReleaseNull(policy->_options); + policy->_options = options; + } + } +out: + return status; +} + +static CF_RETURNS_RETAINED CFArrayRef SecTrustCopyOptionsFromPolicies(CFArrayRef policies, CFStringRef key) { + CFMutableArrayRef foundValues = NULL; + foundValues = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + for (int i=0; i < CFArrayGetCount(policies); i++) { + SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(policies, i); 
+ CFTypeRef value = CFDictionaryGetValue(policy->_options, key); + if (value) { + CFArrayAppendValue(foundValues, value); + } + } + if (!CFArrayGetCount(foundValues)) { + CFReleaseNull(foundValues); + return NULL; + } + else { + return foundValues; + } +} + +/* The only effective way to disable network fetch is within the policy options: + * presence of the kSecPolicyCheckNoNetworkAccess key in any of the policies + * will prevent network access for fetching. + * The current SecTrustServer implementation doesn't distinguish between network + * access for revocation and network access for fetching. + */ OSStatus SecTrustSetNetworkFetchAllowed(SecTrustRef trust, Boolean allowFetch) { if (!trust) { return errSecParam; } - trust->_networkPolicy = (allowFetch) ? useNetworkEnabled : useNetworkDisabled; + if (!trust->_policies) { + return errSecInternal; + } + if (!allowFetch) { + return SecTrustSetOptionInPolicies(trust->_policies, kSecPolicyCheckNoNetworkAccess, kCFBooleanTrue); + } + else { + return SecTrustRemoveOptionInPolicies(trust->_policies, kSecPolicyCheckNoNetworkAccess); + } return errSecSuccess; } 
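Review bot: SecTrustSetOptionInPolicies and SecTrustRemoveOptionInPolicies replace `policy->_options` on the SecPolicyRef objects themselves, and SecTrustCreateWithCertificates keeps only a shallow `CFArrayCreateCopy` of the caller's policy array, so disabling network fetch on one SecTrust silently changes every other SecTrust (and the caller's own SecPolicyRef) that shares those policy objects, with nothing synchronizing the pointer swap; if that sharing is intended it needs a comment, otherwise the trust should mutate a private copy of its policies. Separately, SecTrustSetNetworkFetchAllowed does not call SecTrustSetNeedsEvaluation the way the other setters in this file do, so a cached `_trustResult` survives a change of network policy; adding `SecTrustSetNeedsEvaluation(trust);` before `if (!allowFetch)` would fix that. The trailing `return errSecSuccess;` is unreachable because both branches return, and the `for (int i=0; ...)` loops compare an `int` against a `CFIndex`. SecTrustCopyOptionsFromPolicies also omits the array-type and NULL-policy checks its two siblings perform before dereferencing `policy->_options`.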
@@ -400,31 +489,17 @@ OSStatus SecTrustGetNetworkFetchAllowed(SecTrustRef trust, Boolean *allowFetch) if (!trust || !allowFetch) { return errSecParam; } - Boolean allowed = false; - SecNetworkPolicy netPolicy = trust->_networkPolicy; - if (netPolicy == useNetworkDefault) { - // network fetch is enabled by default for SSL only - CFIndex idx, count = (trust->_policies) ? CFArrayGetCount(trust->_policies) : 0; - for (idx=0; idx<count; idx++) { - SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(trust->_policies, idx); - if (policy) { - CFDictionaryRef props = SecPolicyCopyProperties(policy); - if (props) { - CFTypeRef value = (CFTypeRef)CFDictionaryGetValue(props, kSecPolicyOid); - if (value) { - if (CFEqual(value, kSecPolicyAppleSSL)) { - allowed = true; - } - } - CFRelease(props); - } - } - } - } else { - // caller has explicitly set the network policy - allowed = (netPolicy == useNetworkEnabled); - } - *allowFetch = allowed; + if (!trust->_policies) { + return errSecInternal; + } + CFArrayRef foundValues = NULL; + if ((foundValues = SecTrustCopyOptionsFromPolicies(trust->_policies, kSecPolicyCheckNoNetworkAccess))) { + *allowFetch = false; + } + else { + *allowFetch = true; + } + CFReleaseNull(foundValues); return errSecSuccess; } 
@@ -634,40 +709,24 @@ OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result) { trustResult = kSecTrustResultProceed; } else if (trustResult == kSecTrustResultRecoverableTrustFailure) { /* If we have exceptions get details and match to exceptions. */ - CFIndex pathLength = CFArrayGetCount(trust->_details); + CFIndex pathLength = (trust->_details) ? CFArrayGetCount(trust->_details) : 0; struct SecTrustCheckExceptionContext context = {}; CFIndex ix; for (ix = 0; ix < pathLength; ++ix) { CFDictionaryRef detail = (CFDictionaryRef)CFArrayGetValueAtIndex(trust->_details, ix); - - if ((ix == 0) && CFDictionaryContainsKey(detail, kSecPolicyCheckBlackListedLeaf)) - { - trustResult = kSecTrustResultFatalTrustFailure; - goto DoneCheckingTrust; - } - - if (CFDictionaryContainsKey(detail, kSecPolicyCheckBlackListedKey)) - { - trustResult = kSecTrustResultFatalTrustFailure; - goto DoneCheckingTrust; - } - context.exception = SecTrustGetExceptionForCertificateAtIndex(trust, ix); CFDictionaryApplyFunction(detail, SecTrustCheckException, &context); if (context.exceptionNotFound) { break; } } + if (!trust->_exceptions || !CFArrayGetCount(trust->_exceptions)) { + goto DoneCheckingTrust; + } if (!context.exceptionNotFound) trustResult = kSecTrustResultProceed; } DoneCheckingTrust: -#if SECTRUST_OSX -#warning STU: <rdar://21014749> - // may be fixed with rdar://21014749 - if (trustResult == kSecTrustResultProceed) - trustResult = kSecTrustResultUnspecified; -#endif trust->_trustResult = trustResult; /* log to syslog when there is a trust failure */ @@ -675,7 +734,7 @@ DoneCheckingTrust: trustResult != kSecTrustResultConfirm && trustResult != kSecTrustResultUnspecified) { CFStringRef failureDesc = SecTrustCopyFailureDescription(trust); - secerror("%@", failureDesc); + secerror("%{public}@", failureDesc); CFRelease(failureDesc); } 
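Review bot: The new `if (!trust->_exceptions || !CFArrayGetCount(trust->_exceptions)) goto DoneCheckingTrust;` sits after the loop that has already consulted the exceptions for every path element, so with no exceptions set the loop still calls SecTrustGetExceptionForCertificateAtIndex and CFDictionaryApplyFunction for each detail before the guard discards the outcome. Moving the guard ahead of `struct SecTrustCheckExceptionContext context = {};` gives the same `trustResult` (assuming those helpers have no side effects) and makes the intent — exceptions are only consulted when some exist — readable at the top of the branch. The enclosing SecTrustEvaluate starts and ends outside the hunk.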
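Review bot: Changing the log line to `secerror("%{public}@", failureDesc)` in the `@@ -675,7 +734,7 @@` hunk marks the entire failure description as public in the unified log, so whatever SecTrustCopyFailureDescription includes — plausibly hostnames or certificate subject names from the evaluated chain — is no longer redacted for readers of the log. If the goal is to make the class of failure visible, logging only the numeric `trustResult` publicly and keeping the description under the default private treatment would limit what is exposed; at minimum a comment should state why the description is considered safe to expose. SecTrustEvaluateLeafOnly in the `@@ -1538,6 +1649,282 @@` hunk still logs the same description with a plain `%@`, so the two paths are now inconsistent.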
@@ -820,7 +879,7 @@ static int SecXPCDictionaryGetNonZeroInteger(xpc_object_t message, const char *k return (int)value; } -static SecTrustResultType certs_anchors_bool_policies_responses_scts_logs_date_ag_to_details_info_chain_int_error_request(enum SecXPCOperation op, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error) +static SecTrustResultType certs_anchors_bool_bool_policies_responses_scts_logs_date_ag_to_details_info_chain_int_error_request(enum SecXPCOperation op, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error) { __block SecTrustResultType tr = kSecTrustResultInvalid; securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { @@ -830,6 +889,7 @@ static SecTrustResultType certs_anchors_bool_policies_responses_scts_logs_date_a return false; if (anchorsOnly) xpc_dictionary_set_bool(message, kSecTrustAnchorsOnlyKey, anchorsOnly); + xpc_dictionary_set_bool(message, kSecTrustKeychainsAllowedKey, keychainsAllowed); if (!SecXPCDictionarySetPolicies(message, kSecTrustPoliciesKey, policies, error)) return false; if (responses && !SecXPCDictionarySetDataArray(message, kSecTrustResponsesKey, responses, error)) 
@@ -922,6 +982,24 @@ static OSStatus SecTrustValidateInput(SecTrustRef trust) { } +static void SecTrustPostEvaluate(SecTrustRef trust) { + if (!trust) { return; } + + CFIndex pathLength = (trust->_details) ? CFArrayGetCount(trust->_details) : 0; + CFIndex ix; + for (ix = 0; ix < pathLength; ++ix) { + CFDictionaryRef detail = (CFDictionaryRef)CFArrayGetValueAtIndex(trust->_details, ix); + if ((ix == 0) && CFDictionaryContainsKey(detail, kSecPolicyCheckBlackListedLeaf)) { + trust->_trustResult = kSecTrustResultFatalTrustFailure; + return; + } + if (CFDictionaryContainsKey(detail, kSecPolicyCheckBlackListedKey)) { + trust->_trustResult = kSecTrustResultFatalTrustFailure; + return; + } + } +} + static OSStatus SecTrustEvaluateIfNecessary(SecTrustRef trust) { __block OSStatus result; check(trust); 
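Review bot: SecTrustPostEvaluate overwrites `trust->_trustResult` with kSecTrustResultFatalTrustFailure whenever the details report a blacklisted leaf or key, without a comment explaining why this check moved out of SecTrustEvaluate's recoverable-failure branch or whether demoting a result that was already Proceed/Unspecified is intended. Because it runs before `_trustResultBeforeExceptions` is recorded and SecTrustEvaluate applies exceptions only to recoverable failures, the visible effect is that an exception can no longer override a blacklisted certificate, which deserves a header comment such as `/* Demote blacklisted leaf/key results to a fatal failure before exceptions are considered, so they cannot be overridden. */`. The two `if` statements set the same result and return, so they could be folded into one condition with `||`.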
@@ -936,16 +1014,24 @@ static OSStatus SecTrustEvaluateIfNecessary(SecTrustRef trust) { CFReleaseNull(trust->_chain); CFReleaseNull(trust->_details); CFReleaseNull(trust->_info); + if (trust->_legacy_info_array) { + free(trust->_legacy_info_array); + trust->_legacy_info_array = NULL; + } + if (trust->_legacy_status_array) { + free(trust->_legacy_status_array); + trust->_legacy_status_array = NULL; + } os_activity_initiate("SecTrustEvaluateIfNecessary", OS_ACTIVITY_FLAG_DEFAULT, ^{ SecTrustAddPolicyAnchors(trust); - SecTrustValidateInput(trust); + SecTrustValidateInput(trust); /* @@@ Consider an optimization where we keep a side dictionary with the SHA1 hash of ever SecCertificateRef we send, so we only send potential duplicates once, and have the server respond with either just the SHA1 hash of a certificate, or the complete certificate in the response depending on whether the client already sent it, so we don't send back certificates to the client it already has. */ result = SecOSStatusWith(^bool (CFErrorRef *error) { trust->_trustResult = SECURITYD_XPC(sec_trust_evaluate, - certs_anchors_bool_policies_responses_scts_logs_date_ag_to_details_info_chain_int_error_request, - trust->_certificates, trust->_anchors, trust->_anchorsOnly, + certs_anchors_bool_bool_policies_responses_scts_logs_date_ag_to_details_info_chain_int_error_request, + trust->_certificates, trust->_anchors, trust->_anchorsOnly, trust->_keychainsAllowed, trust->_policies, trust->_responses, trust->_SCTs, trust->_trustedLogs, SecTrustGetVerifyTime(trust), SecAccessGroupsGetCurrent(), &trust->_details, &trust->_info, &trust->_chain, error); 
@@ -959,11 +1045,13 @@ static OSStatus SecTrustEvaluateIfNecessary(SecTrustRef trust) { _chain and return success with a failure as the trustResult, to make it seem like we did a cert evaluation, so ASR can extract the public key from the leaf. */ - trust->_chain = SecCertificatePathCreate(NULL, (SecCertificateRef)CFArrayGetValueAtIndex(trust->_certificates, 0)); + trust->_chain = SecCertificatePathCreate(NULL, (SecCertificateRef)CFArrayGetValueAtIndex(trust->_certificates, 0), NULL); if (error) CFReleaseNull(*error); return true; } + SecTrustPostEvaluate(trust); + trust->_trustResultBeforeExceptions = trust->_trustResult; return trust->_trustResult != kSecTrustResultInvalid; }); }); @@ -1089,6 +1177,10 @@ CFDictionaryRef SecTrustCopyInfo(SecTrustRef trust) { return info; } +CFArrayRef SecTrustGetTrustExceptionsArray(SecTrustRef trust) { + return trust->_exceptions; +} + CFDataRef SecTrustCopyExceptions(SecTrustRef trust) { CFArrayRef details = SecTrustGetDetails(trust); CFIndex pathLength = details ? CFArrayGetCount(details) : 0; 
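Review bot: SecTrustGetTrustExceptionsArray in the `@@ -1089,6 +1177,10 @@` hunk dereferences `trust` without the `if (!trust)` guard every other accessor in this file performs before touching its fields, so a NULL argument crashes instead of returning NULL; `return trust ? trust->_exceptions : NULL;` matches the sibling style. It also hands out the internal array without a retain, so wherever it is declared the comment should state that the `Get` result is non-owning and only valid while the trust object lives and its exceptions are not replaced.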
@@ -1137,24 +1229,30 @@ bool SecTrustSetExceptions(SecTrustRef trust, CFDataRef encodedExceptions) { CFArrayRef exceptions = NULL; if (NULL != encodedExceptions) { - exceptions = CFPropertyListCreateWithData(kCFAllocatorDefault, + exceptions = (CFArrayRef)CFPropertyListCreateWithData(kCFAllocatorDefault, encodedExceptions, kCFPropertyListImmutable, NULL, NULL); } - if (exceptions && CFGetTypeID(exceptions) != CFArrayGetTypeID()) { - CFRelease(exceptions); - exceptions = NULL; - } - CFReleaseSafe(trust->_exceptions); - trust->_exceptions = exceptions; + if (exceptions && CFGetTypeID(exceptions) != CFArrayGetTypeID()) { + CFRelease(exceptions); + exceptions = NULL; + } - /* If there is a valid exception entry for our current leaf we're golden. */ - if (SecTrustGetExceptionForCertificateAtIndex(trust, 0)) - return true; + if (trust->_exceptions && !exceptions) { + /* Exceptions are currently set and now we are clearing them. */ + trust->_trustResult = trust->_trustResultBeforeExceptions; + } - /* The passed in exceptions didn't match our current leaf, so we discard it. */ - CFReleaseNull(trust->_exceptions); - return false; + CFReleaseSafe(trust->_exceptions); + trust->_exceptions = exceptions; + + /* If there is a valid exception entry for our current leaf we're golden. */ + if (SecTrustGetExceptionForCertificateAtIndex(trust, 0)) + return true; + + /* The passed in exceptions didn't match our current leaf, so we discard it. */ + CFReleaseNull(trust->_exceptions); + return false; } CFArrayRef SecTrustCopySummaryPropertiesAtIndex(SecTrustRef trust, CFIndex ix) { @@ -1218,7 +1316,6 @@ CFStringRef kSecPolicyCheckAnchorSHA1 = CFSTR("AnchorSHA1"); CFStringRef kSecPolicyCheckAnchorApple = CFSTR("AnchorApple"); CFStringRef kSecPolicyAppleAnchorIncludeTestRoots = CFSTR("AnchorAppleTestRoots"); -CFStringRef kSecPolicyAppleAnchorAllowTestRootsOnProduction = CFSTR("AnchorAppleTestRootsOnProduction"); /* Binding. Only applies to leaf 
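Review bot: The restore of `_trustResult` from `_trustResultBeforeExceptions` fires only when the incoming `exceptions` is NULL, yet replacing existing exceptions with a different non-NULL array also drops the previously applied ones, and if the new array does not match the leaf the tail `CFReleaseNull(trust->_exceptions)` leaves the trust with no exceptions at all while a `_trustResult` of kSecTrustResultProceed computed under the old exceptions survives. Restoring whenever existing exceptions are about to be replaced — `if (trust->_exceptions) { trust->_trustResult = trust->_trustResultBeforeExceptions; }` regardless of whether `exceptions` is NULL — covers both cases, assuming SecTrustEvaluate re-applies exceptions from the restored result as it does for the clearing case; the comment `/* Exceptions are currently set and now we are clearing them. */` would then need rewording to "being cleared or replaced".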
@@ -1244,7 +1341,7 @@ CFStringRef kSecPolicyCheckNonEmptySubject = CFSTR("NonEmptySubject"); Cert UI: Basic constraints extension not critical (non fatal). Cert UI: Leaf certificate has basic constraints extension (non fatal). */ -CFStringRef kSecPolicyCheckBasicContraints = CFSTR("BasicContraints"); +CFStringRef kSecPolicyCheckBasicConstraints = CFSTR("BasicConstraints"); CFStringRef kSecPolicyCheckKeyUsage = CFSTR("KeyUsage"); CFStringRef kSecPolicyCheckExtendedKeyUsage = CFSTR("ExtendedKeyUsage"); /* Checks that the issuer of the leaf has exactly one Common Name and that it @@ -1281,6 +1378,7 @@ struct TrustFailures { bool policyFail; bool invalidCert; bool weakKey; + bool revocation; }; static void applyDetailProperty(const void *_key, const void *_value, @@ -1307,6 +1405,7 @@ static void applyDetailProperty(const void *_key, const void *_value, tf->unknownCritExtn = true; } else if (CFEqual(key, kSecPolicyCheckAnchorTrusted) || CFEqual(key, kSecPolicyCheckAnchorSHA1) + || CFEqual(key, kSecPolicyCheckAnchorSHA256) || CFEqual(key, kSecPolicyCheckAnchorApple)) { tf->untrustedAnchor = true; } else if (CFEqual(key, kSecPolicyCheckSSLHostname)) { @@ -1319,11 +1418,13 @@ static void applyDetailProperty(const void *_key, const void *_value, || CFEqual(key, kSecPolicyCheckWeakLeaf) || CFEqual(key, kSecPolicyCheckWeakRoot)) { tf->weakKey = true; + } else if (CFEqual(key, kSecPolicyCheckRevocation)) { + tf->revocation = true; } else /* Anything else is a policy failure. */ #if 0 if (CFEqual(key, kSecPolicyCheckNonEmptySubject) - || CFEqual(key, kSecPolicyCheckBasicContraints) + || CFEqual(key, kSecPolicyCheckBasicConstraints) || CFEqual(key, kSecPolicyCheckKeyUsage) || CFEqual(key, kSecPolicyCheckExtendedKeyUsage) || CFEqual(key, kSecPolicyCheckIssuerCommonName) 
@@ -1348,7 +1449,13 @@ static void appendError(CFMutableArrayRef properties, CFStringRef error) { CFReleaseNull(localizedError); } -CFArrayRef SecTrustCopyProperties(SecTrustRef trust) { +#if SECTRUST_OSX || !TARGET_OS_IPHONE +/* OS X properties array has a different structure and is implemented SecTrust.cpp. */ +CFArrayRef SecTrustCopyProperties_ios(SecTrustRef trust) +#else +CFArrayRef SecTrustCopyProperties(SecTrustRef trust) +#endif +{ CFArrayRef details = SecTrustGetDetails(trust); if (!details) return NULL; @@ -1389,16 +1496,14 @@ CFArrayRef SecTrustCopyProperties(SecTrustRef trust) { if (tf.weakKey) { appendError(properties, CFSTR("One or more certificates is using a weak key size.")); } + if (tf.revocation) { + appendError(properties, CFSTR("One or more certificates have been revoked.")); + } } if (CFArrayGetCount(properties) == 0) { /* The certificate chain is trusted, return an empty plist */ -#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) - // return empty (non-null) plist -#else - // return NULL plist CFReleaseNull(properties); -#endif } return properties; @@ -1441,6 +1546,12 @@ CFDictionaryRef SecTrustCopyResult(SecTrustRef trust) { CFDictionarySetValue(results, (const void *)kSecTrustCertificateTransparency, (const void *)ctValue); } + // kSecTrustCertificateTransparencyWhiteList + CFBooleanRef ctWhiteListValue; + if (CFDictionaryGetValueIfPresent(info, kSecTrustInfoCertificateTransparencyWhiteListKey, (const void **)&ctWhiteListValue)) { + CFDictionarySetValue(results, (const void *)kSecTrustCertificateTransparencyWhiteList, (const void *)ctWhiteListValue); + } + // kSecTrustExtendedValidation CFBooleanRef evValue; if (CFDictionaryGetValueIfPresent(info, kSecTrustInfoExtendedValidationKey, (const void **)&evValue)) { 
@@ -1538,6 +1649,282 @@ OSStatus SecTrustOTAPKIGetUpdatedAsset(int* didUpdateAsset) return noErr; } +/* + * This function performs an evaluation of the leaf certificate only, and + * does so in the process that called it. Its primary use is in SecItemCopyMatching + * when kSecMatchPolicy is in the dictionary. + */ +OSStatus SecTrustEvaluateLeafOnly(SecTrustRef trust, SecTrustResultType *result) { + if (!trust) { + return errSecParam; + } + OSStatus status = errSecSuccess; + if((status = SecTrustValidateInput(trust))) { + return status; + } + + struct OpaqueSecLeafPVC pvc; + SecCertificateRef leaf = (SecCertificateRef)CFArrayGetValueAtIndex(trust->_certificates, 0); + + SecLeafPVCInit(&pvc, leaf, trust->_policies, SecTrustGetVerifyTime(trust)); + + if(!SecLeafPVCLeafChecks(&pvc)) { + trust->_trustResult = kSecTrustResultRecoverableTrustFailure; + } else { + trust->_trustResult = kSecTrustResultUnspecified; + } + + /* Set other result context information */ + trust->_details = CFRetainSafe(pvc.details); + trust->_info = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + trust->_chain = SecCertificatePathCreate(NULL, (SecCertificateRef)CFArrayGetValueAtIndex(trust->_certificates, 0), NULL); + + SecLeafPVCDelete(&pvc); + + /* log to syslog when there is a trust failure */ + if (trust->_trustResult != kSecTrustResultUnspecified) { + CFStringRef failureDesc = SecTrustCopyFailureDescription(trust); + secerror("%@", failureDesc); + CFRelease(failureDesc); + } + + if (result) { + *result = trust->_trustResult; + } + + return status; +} + +static void deserializeCert(const void *value, void *context) { + CFDataRef certData = (CFDataRef)value; + if (isData(certData)) { + SecCertificateRef cert = SecCertificateCreateWithData(NULL, certData); + if (cert) { + CFArrayAppendValue((CFMutableArrayRef)context, cert); + CFRelease(cert); + } + } +} + +static CFArrayRef SecCertificateArrayDeserialize(CFArrayRef 
serializedCertificates) { + CFMutableArrayRef result = NULL; + require_quiet(isArray(serializedCertificates), errOut); + CFIndex count = CFArrayGetCount(serializedCertificates); + result = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks); + CFRange all_certs = { 0, count }; + CFArrayApplyFunction(serializedCertificates, all_certs, deserializeCert, result); +errOut: + return result; +} + +static void serializeCertificate(const void *value, void *context) { + SecCertificateRef cert = (SecCertificateRef)value; + if (cert && SecCertificateGetTypeID() == CFGetTypeID(cert)) { + CFDataRef certData = SecCertificateCopyData(cert); + if (certData) { + CFArrayAppendValue((CFMutableArrayRef)context, certData); + CFRelease(certData); + } + } +} + +static CFArrayRef SecCertificateArraySerialize(CFArrayRef certificates) { + CFMutableArrayRef result = NULL; + require_quiet(isArray(certificates), errOut); + CFIndex count = CFArrayGetCount(certificates); + result = CFArrayCreateMutable(NULL, count, &kCFTypeArrayCallBacks); + CFRange all_certificates = { 0, count}; + CFArrayApplyFunction(certificates, all_certificates, serializeCertificate, result); +errOut: + return result; +} + +static CFPropertyListRef SecTrustCopyPlist(SecTrustRef trust) { + CFMutableDictionaryRef output = NULL; + CFNumberRef trustResult = NULL; + + output = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + if (trust->_certificates) { + CFArrayRef serializedCerts = SecCertificateArraySerialize(trust->_certificates); + if (serializedCerts) { + CFDictionaryAddValue(output, CFSTR(kSecTrustCertificatesKey), serializedCerts); + CFRelease(serializedCerts); + } + } + if (trust->_anchors) { + CFArrayRef serializedAnchors = SecCertificateArraySerialize(trust->_anchors); + if (serializedAnchors) { + CFDictionaryAddValue(output, CFSTR(kSecTrustAnchorsKey), serializedAnchors); + CFRelease(serializedAnchors); + } + } + if (trust->_policies) { + 
CFArrayRef serializedPolicies = SecPolicyArrayCreateSerialized(trust->_policies); + if (serializedPolicies) { + CFDictionaryAddValue(output, CFSTR(kSecTrustPoliciesKey), serializedPolicies); + CFRelease(serializedPolicies); + } + } + if (trust->_responses) { + CFDictionaryAddValue(output, CFSTR(kSecTrustResponsesKey), trust->_responses); + } + if (trust->_SCTs) { + CFDictionaryAddValue(output, CFSTR(kSecTrustSCTsKey), trust->_SCTs); + } + if (trust->_trustedLogs) { + CFDictionaryAddValue(output, CFSTR(kSecTrustTrustedLogsKey), trust->_trustedLogs); + } + if (trust->_verifyDate) { + CFDictionaryAddValue(output, CFSTR(kSecTrustVerifyDateKey), trust->_verifyDate); + } + if (trust->_chain) { + CFArrayRef serializedChain = SecCertificatePathCreateSerialized(trust->_chain, NULL); + if (serializedChain) { + CFDictionaryAddValue(output, CFSTR(kSecTrustChainKey), serializedChain); + CFRelease(serializedChain); + } + } + if (trust->_details) { + CFDictionaryAddValue(output, CFSTR(kSecTrustDetailsKey), trust->_details); + } + if (trust->_info) { + CFDictionaryAddValue(output, CFSTR(kSecTrustInfoKey), trust->_info); + } + if (trust->_exceptions) { + CFDictionaryAddValue(output, CFSTR(kSecTrustExceptionsKey), trust->_exceptions); + } + trustResult = CFNumberCreate(NULL, kCFNumberSInt32Type, &trust->_trustResult); + if (trustResult) { + CFDictionaryAddValue(output, CFSTR(kSecTrustResultKey), trustResult); + } + if (trust->_anchorsOnly) { + CFDictionaryAddValue(output, CFSTR(kSecTrustAnchorsOnlyKey), kCFBooleanTrue); + } else { + CFDictionaryAddValue(output, CFSTR(kSecTrustAnchorsOnlyKey), kCFBooleanFalse); + } + if (trust->_keychainsAllowed) { + CFDictionaryAddValue(output, CFSTR(kSecTrustKeychainsAllowedKey), kCFBooleanTrue); + } else { + CFDictionaryAddValue(output, CFSTR(kSecTrustKeychainsAllowedKey), kCFBooleanFalse); + } + + CFReleaseNull(trustResult); + return output; +} + +CFDataRef SecTrustSerialize(SecTrustRef trust, CFErrorRef *error) { + CFPropertyListRef plist = 
NULL; + CFDataRef derTrust = NULL; + require_action_quiet(trust, out, + SecError(errSecParam, error, CFSTR("null trust input"))); + require_action_quiet(plist = SecTrustCopyPlist(trust), out, + SecError(errSecDecode, error, CFSTR("unable to create trust plist"))); + require_quiet(derTrust = CFPropertyListCreateDERData(NULL, plist, error), out); + +out: + CFReleaseNull(plist); + return derTrust; +} + +static OSStatus SecTrustCreateFromPlist(CFPropertyListRef plist, SecTrustRef CF_RETURNS_RETAINED *trust) { + OSStatus status = errSecParam; + SecTrustRef output = NULL; + CFTypeRef serializedCertificates = NULL, serializedPolicies = NULL, serializedAnchors = NULL, + serializedChain = NULL; + CFNumberRef trustResultNum = NULL; + CFArrayRef certificates = NULL, policies = NULL, anchors = NULL, responses = NULL, + SCTs = NULL, trustedLogs = NULL, details = NULL, exceptions = NULL; + CFDateRef verifyDate = NULL; + CFDictionaryRef info = NULL; + SecCertificatePathRef chain = NULL; + + require_quiet(CFDictionaryGetTypeID() == CFGetTypeID(plist), out); + require_quiet(serializedCertificates = CFDictionaryGetValue(plist, CFSTR(kSecTrustCertificatesKey)), out); + require_quiet(certificates = SecCertificateArrayDeserialize(serializedCertificates), out); + require_quiet(serializedPolicies = CFDictionaryGetValue(plist, CFSTR(kSecTrustPoliciesKey)), out); + require_quiet(policies = SecPolicyArrayCreateDeserialized(serializedPolicies), out); + require_noerr_quiet(status = SecTrustCreateWithCertificates(certificates, policies, &output), out); + + serializedAnchors = CFDictionaryGetValue(plist, CFSTR(kSecTrustAnchorsKey)); + if (isArray(serializedAnchors)) { + anchors = SecCertificateArrayDeserialize(serializedAnchors); + output->_anchors = anchors; + } + responses = CFDictionaryGetValue(plist, CFSTR(kSecTrustResponsesKey)); + if (isArray(responses)) { + output->_responses = CFRetainSafe(responses); + } + SCTs = CFDictionaryGetValue(plist, CFSTR(kSecTrustSCTsKey)); + if 
(isArray(responses)) { + output->_SCTs = CFRetainSafe(SCTs); + } + trustedLogs = CFDictionaryGetValue(plist, CFSTR(kSecTrustTrustedLogsKey)); + if (isArray(trustedLogs)) { + output->_trustedLogs = CFRetainSafe(trustedLogs); + } + verifyDate = CFDictionaryGetValue(plist, CFSTR(kSecTrustVerifyDateKey)); + if (isDate(verifyDate)) { + output->_verifyDate = CFRetainSafe(verifyDate); + } + serializedChain = CFDictionaryGetValue(plist, CFSTR(kSecTrustChainKey)); + if (isArray(serializedChain)) { + chain = SecCertificatPathCreateDeserialized(serializedChain, NULL); + output->_chain = chain; + } + details = CFDictionaryGetValue(plist, CFSTR(kSecTrustDetailsKey)); + if (isArray(details)) { + output->_details = CFRetainSafe(details); + } + info = CFDictionaryGetValue(plist, CFSTR(kSecTrustInfoKey)); + if (isDictionary(info)) { + output->_info = CFRetainSafe(info); + } + exceptions = CFDictionaryGetValue(plist, CFSTR(kSecTrustExceptionsKey)); + if (isArray(exceptions)) { + output->_exceptions = CFRetainSafe(exceptions); + } + int32_t trustResult = -1; + trustResultNum = CFDictionaryGetValue(plist, CFSTR(kSecTrustResultKey)); + if (isNumber(trustResultNum) && CFNumberGetValue(trustResultNum, kCFNumberSInt32Type, &trustResult) && + (trustResult >= 0)) { + output->_trustResult = trustResult; + } else { + status = errSecParam; + } + if (CFDictionaryGetValue(plist, CFSTR(kSecTrustAnchorsOnlyKey)) == kCFBooleanTrue) { + output->_anchorsOnly = true; + } /* false is set by default */ + if (CFDictionaryGetValue(plist, CFSTR(kSecTrustKeychainsAllowedKey)) == kCFBooleanFalse) { + output->_keychainsAllowed = false; + } /* true is set by default */ + +out: + if (errSecSuccess == status && trust) { + *trust = output; + } + CFReleaseNull(policies); + CFReleaseNull(certificates); + return status; +} + +SecTrustRef SecTrustDeserialize(CFDataRef serializedTrust, CFErrorRef *error) { + SecTrustRef trust = NULL; + CFPropertyListRef plist = NULL; + OSStatus status = errSecSuccess; + 
require_action_quiet(serializedTrust, out, + SecError(errSecParam, error, CFSTR("null serialized trust input"))); + require_quiet(plist = CFPropertyListCreateWithDERData(NULL, serializedTrust, + kCFPropertyListImmutable, NULL, error), out); + require_noerr_action_quiet(status = SecTrustCreateFromPlist(plist, &trust), out, + SecError(status, error, CFSTR("unable to create trust ref"))); + +out: + CFReleaseNull(plist); + return trust; +} #if 0 // MARK: - diff --git a/OSX/sec/Security/SecTrust.h b/OSX/sec/Security/SecTrust.h index 4842bbc2..de8a85cd 100644 --- a/OSX/sec/Security/SecTrust.h +++ b/OSX/sec/Security/SecTrust.h @@ -1,15 +1,15 @@ /* - * Copyright (c) 2002-2010,2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2002-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ 
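Review bot: In SecTrustCreateFromPlist the SCT assignment is guarded by the wrong variable: `if (isArray(responses)) { output->_SCTs = CFRetainSafe(SCTs); }` re-tests the previously read responses value, so a serialized trust whose "scts" entry is not an array is stored into `_SCTs` whenever responses happened to be one; it should read `if (isArray(SCTs)) {`. The same function leaks `output` on its late-failure paths: once SecTrustCreateWithCertificates has succeeded, an invalid result number sets status back to errSecParam (and a NULL `trust` out-pointer skips the hand-off), yet the `out:` label releases only policies and certificates — add `else { CFReleaseNull(output); }` after the `*trust = output;` branch. Separately, the failure-logging block in SecTrustEvaluateLeafOnly calls `CFRelease(failureDesc)` unconditionally while SecTrustCopyFailureDescription is annotated `__nullable` in SecTrustPriv.h in this commit; `CFReleaseNull(failureDesc)` avoids releasing NULL. Since the plist is rebuilt from data produced by another process, these per-key type checks are the only validation the fields get before they are handed to the rest of the trust code, which is why the SCTs guard matters.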
@@ -80,16 +80,15 @@ CF_IMPLICIT_BRIDGING_ENABLED of trust evaluation. This value may be returned by the SecTrustEvaluate function but not stored as part of the user trust settings. */ -typedef uint32_t SecTrustResultType; -enum { - kSecTrustResultInvalid = 0, - kSecTrustResultProceed = 1, - kSecTrustResultConfirm SEC_DEPRECATED_ATTRIBUTE = 2, - kSecTrustResultDeny = 3, - kSecTrustResultUnspecified = 4, - kSecTrustResultRecoverableTrustFailure = 5, - kSecTrustResultFatalTrustFailure = 6, - kSecTrustResultOtherError = 7 +typedef CF_ENUM(uint32_t, SecTrustResultType) { + kSecTrustResultInvalid CF_ENUM_AVAILABLE(10_3, 2_0) = 0, + kSecTrustResultProceed CF_ENUM_AVAILABLE(10_3, 2_0) = 1, + kSecTrustResultConfirm CF_ENUM_DEPRECATED(10_3, 10_9, 2_0, 7_0) = 2, + kSecTrustResultDeny CF_ENUM_AVAILABLE(10_3, 2_0) = 3, + kSecTrustResultUnspecified CF_ENUM_AVAILABLE(10_3, 2_0) = 4, + kSecTrustResultRecoverableTrustFailure CF_ENUM_AVAILABLE(10_3, 2_0) = 5, + kSecTrustResultFatalTrustFailure CF_ENUM_AVAILABLE(10_3, 2_0) = 6, + kSecTrustResultOtherError CF_ENUM_AVAILABLE(10_3, 2_0) = 7 }; /*! @@ -150,6 +149,9 @@ extern const CFStringRef kSecPropertyTypeError @constant kSecTrustCertificateTransparency This key will be present and have a value of kCFBooleanTrue if this chain is CT qualified. + @constant kSecTrustCertificateTransparencyWhiteList + This key will be present and have a value of kCFBooleanTrue + if this chain is EV, not CT qualified, but included of the CT WhiteList. */ extern const CFStringRef kSecTrustEvaluationDate 
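Review bot: The added description of kSecTrustCertificateTransparencyWhiteList has a wording slip, "but included of the CT WhiteList"; `but included in the CT WhiteList` reads correctly. The kSecTrustCertificateTransparency entry just above it is phrased the same way, so the two constants read as a matching pair once that is fixed.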
@@ -165,7 +167,9 @@ extern const CFStringRef kSecTrustRevocationChecked extern const CFStringRef kSecTrustRevocationValidUntilDate __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); extern const CFStringRef kSecTrustCertificateTransparency -__OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); +extern const CFStringRef kSecTrustCertificateTransparencyWhiteList + __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); #ifdef __BLOCKS__ /*! @@ -444,8 +448,9 @@ CFDataRef SecTrustCopyExceptions(SecTrustRef trust) @abstract Set a trust cookie to be used for evaluating this certificate chain. @param trust A reference to a trust object. @param exceptions An exceptions cookie as returned by a call to - SecTrustCopyExceptions() in the past. - @result Upon calling SecTrustEvaluate(), any failures that where present at the + SecTrustCopyExceptions() in the past. You may pass NULL to clear any + exceptions which have been previously set on this trust reference. + @result Upon calling SecTrustEvaluate(), any failures that were present at the time the exceptions object was created are ignored, and instead of returning kSecTrustResultRecoverableTrustFailure, kSecTrustResultProceed will be returned (if the certificate for which exceptions was created matches the current leaf @@ -462,7 +467,7 @@ CFDataRef SecTrustCopyExceptions(SecTrustRef trust) of the wireless network for which this cert is needed, the account for which this cert should be considered valid, and so on. */ -bool SecTrustSetExceptions(SecTrustRef trust, CFDataRef exceptions) +bool SecTrustSetExceptions(SecTrustRef trust, CFDataRef __nullable exceptions) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); /*! 
@@ -551,8 +556,7 @@ typedef SecTrustResultType SecTrustUserSetting @constant kSecTrustOptionImplicitAnchors Properly self-signed certs are treated as anchors implicitly. */ -typedef uint32_t SecTrustOptionFlags; -enum { +typedef CF_OPTIONS(uint32_t, SecTrustOptionFlags) { kSecTrustOptionAllowExpired = 0x00000001, kSecTrustOptionLeafIsCA = 0x00000002, kSecTrustOptionFetchIssuerFromNet = 0x00000004, @@ -628,7 +632,7 @@ OSStatus SecTrustSetKeychains(SecTrustRef trust, CFTypeRef __nullable keychainOr for the evaluation, use SecTrustGetTrustResult. */ OSStatus SecTrustGetResult(SecTrustRef trustRef, SecTrustResultType * __nullable result, - CFArrayRef * __nonnull CF_RETURNS_RETAINED certChain, CSSM_TP_APPLE_EVIDENCE_INFO * __nullable * __nonnull statusChain) + CFArrayRef * __nullable CF_RETURNS_RETAINED certChain, CSSM_TP_APPLE_EVIDENCE_INFO * __nullable * __nullable statusChain) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA); /*! diff --git a/OSX/sec/Security/SecTrustInternal.h b/OSX/sec/Security/SecTrustInternal.h index 8abc4361..42515a25 100644 --- a/OSX/sec/Security/SecTrustInternal.h +++ b/OSX/sec/Security/SecTrustInternal.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -33,8 +33,27 @@ __BEGIN_DECLS -#if SECTRUST_OSX +/* args_in keys. */ +#define kSecTrustCertificatesKey "certificates" +#define kSecTrustAnchorsKey "anchors" +#define kSecTrustAnchorsOnlyKey "anchorsOnly" +#define kSecTrustKeychainsAllowedKey "keychainsAllowed" +#define kSecTrustPoliciesKey "policies" +#define kSecTrustResponsesKey "responses" +#define kSecTrustSCTsKey "scts" +#define kSecTrustTrustedLogsKey "trustedLogs" +#define kSecTrustVerifyDateKey "verifyDate" +#define kSecTrustExceptionsKey "exceptions" + +/* args_out keys. */ +#define kSecTrustDetailsKey "details" +#define kSecTrustChainKey "chain" +#define kSecTrustResultKey "result" +#define kSecTrustInfoKey "info" + +#if TARGET_OS_MAC && !TARGET_OS_IPHONE SecKeyRef SecTrustCopyPublicKey_ios(SecTrustRef trust); +CFArrayRef SecTrustCopyProperties_ios(SecTrustRef trust); #endif __END_DECLS diff --git a/OSX/sec/Security/SecTrustPriv.h b/OSX/sec/Security/SecTrustPriv.h index 4ace97aa..314932e3 100644 --- a/OSX/sec/Security/SecTrustPriv.h +++ b/OSX/sec/Security/SecTrustPriv.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2003-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -31,16 +31,14 @@ #define _SECURITY_SECTRUSTPRIV_H_ #include <Security/SecTrust.h> +#include <CoreFoundation/CFString.h> #include <CoreFoundation/CFData.h> #include <CoreFoundation/CFDictionary.h> __BEGIN_DECLS -typedef enum { - useNetworkDefault, // default policy: network fetch enabled only for SSL - useNetworkDisabled, // explicitly disable network use for any policy - useNetworkEnabled // explicitly enable network use for any policy -} SecNetworkPolicy; +CF_ASSUME_NONNULL_BEGIN +CF_IMPLICIT_BRIDGING_ENABLED /* Constants used as keys in property lists. See SecTrustCopySummaryPropertiesAtIndex for more information. */ 
@@ -63,6 +61,7 @@ extern const CFStringRef kSecTrustInfoCompanyNameKey; extern const CFStringRef kSecTrustInfoRevocationKey; extern const CFStringRef kSecTrustInfoRevocationValidUntilKey; extern const CFStringRef kSecTrustInfoCertificateTransparencyKey; +extern const CFStringRef kSecTrustInfoCertificateTransparencyWhiteListKey; /*! @enum Trust Result Constants @@ -160,6 +159,7 @@ extern const CFStringRef kSecTrustRevocationReason; @result A property array. It is the caller's responsability to CFRelease the returned array when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED CFArrayRef SecTrustCopySummaryPropertiesAtIndex(SecTrustRef trust, CFIndex ix); /*! @@ -174,22 +174,9 @@ CFArrayRef SecTrustCopySummaryPropertiesAtIndex(SecTrustRef trust, CFIndex ix); Unlike that function call this function returns a detailed description of the certificate in question. */ +__nullable CF_RETURNS_RETAINED CFArrayRef SecTrustCopyDetailedPropertiesAtIndex(SecTrustRef trust, CFIndex ix); -/*! - @function SecTrustCopyProperties - @abstract Return a property array for this trust evaluation. - @param trust A reference to the trust object to evaluate. - @result A property array. It is the caller's responsibility to CFRelease - the returned array when it is no longer needed. See - SecTrustCopySummaryPropertiesAtIndex for a detailed description of this array. - Unlike that function, this function returns a short text string suitable for - display in a sheet explaining to the user why this certificate chain is - not trusted for this operation. This function may return NULL if the - certificate chain was trusted. -*/ -CFArrayRef SecTrustCopyProperties(SecTrustRef trust); - /*! @function SecTrustCopyInfo @abstract Return a dictionary with additional information about the 
@@ -222,26 +209,17 @@ CFArrayRef SecTrustCopyProperties(SecTrustRef trust); validated. The caller is responsible for calling CFRelease on the value returned when it is no longer needed. */ +__nullable CF_RETURNS_RETAINED CFDictionaryRef SecTrustCopyInfo(SecTrustRef trust); /* For debugging purposes. */ +__nullable CF_RETURNS_RETAINED CFArrayRef SecTrustGetDetails(SecTrustRef trust); /* For debugging purposes. */ +__nullable CF_RETURNS_RETAINED CFStringRef SecTrustCopyFailureDescription(SecTrustRef trust); -/*! - @function SecTrustSetPolicies - @abstract Set the trust policies against which the trust should be verified. - @param trust A reference to a trust object. - @param policies An array of one or more policies. You may pass a - SecPolicyRef to represent a single policy. - @result A result code. See "Security Error Codes" (SecBase.h). - @discussion This function does not invalidate the trust, but should do so in the future. -*/ -OSStatus SecTrustSetPolicies(SecTrustRef trust, CFTypeRef policies) - __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_6_0); - OSStatus SecTrustGetOTAPKIAssetVersionNumber(int* versionNumber); OSStatus SecTrustOTAPKIGetUpdatedAsset(int* didUpdateAsset); 
@@ -269,6 +247,208 @@ OSStatus SecTrustSetSignedCertificateTimestamps(SecTrustRef trust, CFArrayRef sc */ OSStatus SecTrustSetTrustedLogs(SecTrustRef trust, CFArrayRef trustedLogs); +/* Keychain searches are allowed by default. Use this to turn off seaching of + -keychain search list (i.e. login.keychain, system.keychain) + -Local Items/iCloud Keychain + -user- and admin-trusted roots + -network-fetched issuers + User must provide all necessary certificates in the input certificates and/or anchors. */ +OSStatus SecTrustSetKeychainsAllowed(SecTrustRef trust, Boolean allowed) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/* Get the keychain search policy for the trust object. */ +OSStatus SecTrustGetKeychainsAllowed(SecTrustRef trust, Boolean * __nonnull allowed) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/*! + @function SecTrustEvaluateLeafOnly + @abstract Evaluates the leaf of the trust reference synchronously. + @param trust A reference to the trust object to evaluate. + @param result A pointer to a result type. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function will only evaluate the trust of the leaf certificate. + No chain will be built and only those aspects of the SecPolicyRef that address + the expected contents of the leaf will be checked. This function does not honor + any set exceptions. + */ +OSStatus SecTrustEvaluateLeafOnly(SecTrustRef trust, SecTrustResultType * __nonnull result) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/*! + @function SecTrustSerialize + @abstract Creates a serialized version of the trust object + @param trust A reference to the trust object to serialize. + @param error A pointer to an error. + @result The serialized trust object. 
+ @discussion This function is intended to be used to share SecTrustRefs between + processes. Saving the results to disk or sending them over network channels + may cause unexpected behavior. + */ +__nullable CF_RETURNS_RETAINED +CFDataRef SecTrustSerialize(SecTrustRef trust, CFErrorRef *error) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/*! + @function SecTrustDeserialize + @abstract Creates a trust object from the serialized data + @param serialiedTrust A reference to the serialized trust object + @param error A pointer to an error. + @result A trust object + @discussion This function is intended to be used to share SecTrustRefs between + processes. Saving the results to disk or sending them over network channels + may cause unexpected behavior. + */ +__nullable CF_RETURNS_RETAINED +SecTrustRef SecTrustDeserialize(CFDataRef serializedTrust, CFErrorRef *error) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +/*! + @function SecTrustGetTrustExceptionsArray + @abstract Return the exceptions array current set in the trust object + @param trust A reference to the trust object + @result The array of exceptions. + @discussion This function returns an array of exceptions that was previously set + using SecTrustSetExceptions, unlike SecTrustCopyExceptions which returns the + exceptions which could be set using SecTrustSetExceptions. 
+ */ +__nullable CFArrayRef SecTrustGetTrustExceptionsArray(SecTrustRef trust) + __OSX_AVAILABLE(__MAC_10_12) __IOS_AVAILABLE(__IPHONE_10_0) __TVOS_AVAILABLE(__TVOS_10_0) __WATCHOS_AVAILABLE(__WATCHOS_3_0); + +CF_IMPLICIT_BRIDGING_DISABLED +CF_ASSUME_NONNULL_END + +/* + * Legacy functions (OS X only) + */ +#if TARGET_OS_MAC && !TARGET_OS_IPHONE + +CF_ASSUME_NONNULL_BEGIN +CF_IMPLICIT_BRIDGING_ENABLED + +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wfour-char-constants" +/* + unique keychain item attributes for user trust records. + */ +enum { + kSecTrustCertAttr = 'tcrt', + kSecTrustPolicyAttr = 'tpol', + /* Leopard and later */ + kSecTrustPubKeyAttr = 'tpbk', + kSecTrustSignatureAttr = 'tsig' +}; + +#pragma clang diagnostic pop + +/*! + @function SecTrustGetUserTrust + @abstract Gets the user-specified trust settings of a certificate and policy. + @param certificate A reference to a certificate. + @param policy A reference to a policy. + @param trustSetting On return, a pointer to the user specified trust settings. + @result A result code. See "Security Error Codes" (SecBase.h). + @availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5. + */ +OSStatus SecTrustGetUserTrust(SecCertificateRef __nullable certificate, SecPolicyRef __nullable policy, SecTrustUserSetting * __nullable trustSetting) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_4, __MAC_10_5, __IPHONE_NA, __IPHONE_NA); + +/*! + @function SecTrustSetUserTrust + @abstract Sets the user-specified trust settings of a certificate and policy. + @param certificate A reference to a certificate. + @param policy A reference to a policy. + @param trustSetting The user-specified trust settings. + @result A result code. See "Security Error Codes" (SecBase.h). + @availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5. + @discussion as of Mac OS version 10.5, this will result in a call to + SecTrustSettingsSetTrustSettings(). 
+ */ +OSStatus SecTrustSetUserTrust(SecCertificateRef __nullable certificate, SecPolicyRef __nullable policy, SecTrustUserSetting trustSetting) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_4, __MAC_10_5, __IPHONE_NA, __IPHONE_NA); + +/*! + @function SecTrustSetUserTrustLegacy + @abstract Sets the user-specified trust settings of a certificate and policy. + @param certificate A reference to a certificate. + @param policy A reference to a policy. + @param trustSetting The user-specified trust settings. + @result A result code. See "Security Error Codes" (SecBase.h). + + @This is the private version of what used to be SecTrustSetUserTrust(); it operates + on UserTrust entries as that function used to. The current SecTrustSetUserTrust() + function operated on Trust Settings. + */ +OSStatus SecTrustSetUserTrustLegacy(SecCertificateRef __nullable certificate, SecPolicyRef __nullable policy, SecTrustUserSetting trustSetting) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_5, __MAC_10_12, __IPHONE_NA, __IPHONE_NA); + +/*! + @function SecTrustGetCSSMAnchorCertificates + @abstract Retrieves the CSSM anchor certificates. + @param cssmAnchors A pointer to an array of anchor certificates. + @param cssmAnchorCount A pointer to the number of certificates in anchors. + @result A result code. See "Security Error Codes" (SecBase.h). + @availability Mac OS X version 10.4. Deprecated in Mac OS X version 10.5. + */ +OSStatus SecTrustGetCSSMAnchorCertificates(const CSSM_DATA * __nullable * __nullable cssmAnchors, uint32 *cssmAnchorCount) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_4, __MAC_10_5, __IPHONE_NA, __IPHONE_NA); + +/*! + @function SecTrustCopyExtendedResult + @abstract Gets the extended trust result after an evaluation has been performed. + @param trust A trust reference. + @param result On return, result points to a CFDictionaryRef containing extended trust results (if no error occurred). + The caller is responsible for releasing this dictionary with CFRelease when finished with it. 
+ @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function may only be used after SecTrustEvaluate has been called for the trust reference, otherwise + errSecTrustNotAvailable is returned. If the certificate is not an extended validation certificate, there is + no extended result data and errSecDataNotAvailable is returned. Currently, only one dictionary key is defined + (kSecEVOrganizationName). + + Note: this function will be deprecated in a future release of OS X. Your + code should use SecTrustCopyResult to obtain the trust results dictionary. + */ +OSStatus SecTrustCopyExtendedResult(SecTrustRef trust, CFDictionaryRef * __nonnull CF_RETURNS_RETAINED result) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_5, __MAC_10_12, __IPHONE_NA, __IPHONE_NA); + +/* + * Preference-related strings for Revocation policies. + */ + +/* + * Preference domain, i.e., the name of a plist in ~/Library/Preferences or in + * /Library/Preferences + */ +#define kSecRevocationDomain "com.apple.security.revocation" + +/* OCSP and CRL style keys, followed by values used for both of them */ +#define kSecRevocationOcspStyle CFSTR("OCSPStyle") +#define kSecRevocationCrlStyle CFSTR("CRLStyle") +#define kSecRevocationOff CFSTR("None") +#define kSecRevocationBestAttempt CFSTR("BestAttempt") +#define kSecRevocationRequireIfPresent CFSTR("RequireIfPresent") +#define kSecRevocationRequireForAll CFSTR("RequireForAll") + +/* Which first if both enabled? 
*/ +#define kSecRevocationWhichFirst CFSTR("RevocationFirst") +#define kSecRevocationOcspFirst CFSTR("OCSP") +#define kSecRevocationCrlFirst CFSTR("CRL") + +/* boolean: A "this policy is sufficient per cert" for each */ +#define kSecRevocationOCSPSufficientPerCert CFSTR("OCSPSufficientPerCert") +#define kSecRevocationCRLSufficientPerCert CFSTR("CRLSufficientPerCert") + +/* local OCSP responder URI, value arbitrary string value */ +#define kSecOCSPLocalResponder CFSTR("OCSPLocalResponder") + +/* Extended trust result keys (now in public API) */ +#define kSecEVOrganizationName kSecTrustOrganizationName +#define kSecTrustExpirationDate kSecTrustRevocationValidUntilDate + +CF_IMPLICIT_BRIDGING_DISABLED +CF_ASSUME_NONNULL_END + +#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ + __END_DECLS #endif /* !_SECURITY_SECTRUSTPRIV_H_ */ diff --git a/OSX/sec/Security/SecTrustSettings.c b/OSX/sec/Security/SecTrustSettings.c index 4f37568f..78f09e60 100644 --- a/OSX/sec/Security/SecTrustSettings.c +++ b/OSX/sec/Security/SecTrustSettings.c @@ -58,7 +58,7 @@ static CFDataRef SecCopyDataFromHexString(CFStringRef string) { CFDataSetLength(data, length / 2); bytes = CFDataGetMutableBytePtr(data); - CFStringInlineBuffer buf; + CFStringInlineBuffer buf = {}; CFRange range = { 0, length }; CFStringInitInlineBuffer(string, &buf, range); UInt8 lastv = 0; diff --git a/OSX/sec/Security/SecTrustSettings.h b/OSX/sec/Security/SecTrustSettings.h index eb9a3d5c..5a9c94e8 100644 --- a/OSX/sec/Security/SecTrustSettings.h +++ b/OSX/sec/Security/SecTrustSettings.h 
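Review bot: The @param tag on SecTrustDeserialize names `serialiedTrust` while the prototype's parameter is `serializedTrust`, so the doc does not match the declaration; change it to `@param serializedTrust A reference to the serialized trust object`. In the SecTrustSetUserTrustLegacy block, `@This is the private version ...` is not a valid HeaderDoc tag and should become `@discussion This is the private version ...`. SecTrustEvaluateLeafOnly is declared with `SecTrustResultType * __nonnull result`, whereas the implementation added to SecTrust.c in this commit still checks `if (result)` before writing, so callers reading the header and the body see different contracts; either drop the `__nonnull` or document that NULL is accepted. The @discussion for SecTrustSerialize/SecTrustDeserialize says the data is meant only for cross-process sharing; it would help to add that nothing in the serialize/deserialize path authenticates the blob and SecTrustCreateFromPlist only type-checks each top-level key, which is the reason the disk/network warning exists.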
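Review bot: `CFStringInlineBuffer buf = {};` relies on the empty-brace initializer, which is a GNU/clang extension in C11 and only standard in C23; `CFStringInlineBuffer buf = {0};` zero-initializes the same way and is portable. The enclosing function SecCopyDataFromHexString starts and ends outside the hunk.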
@@ -65,7 +65,8 @@ extern "C" { * Usage Constraints. Each Usage Constraints dictionary contains zero or one of * each the following components: * - * key = kSecTrustSettingsPolicy value = SecPolicyRef + * key = kSecTrustSettingsPolicy value = policy OID as CFString + * key = kSecTrustSettingsPolicyName value = policy name as CFString * key = kSecTrustSettingsApplication value = SecTrustedApplicationRef * key = kSecTrustSettingsPolicyString value = CFString, policy-specific * key = kSecTrustSettingsKeyUsage value = CFNumber, an SInt32 key usage @@ -94,7 +95,11 @@ extern "C" { * Notes on the various Usage Constraints components: * * kSecTrustSettingsPolicy Specifies a cert verification policy, e.g., SSL, - * SMIME, etc. + * SMIME, etc, using Policy Constants + * kSecTrustSettingsPolicyName Specifies a cert verification policy, e.g., + * sslServer, eapClient, etc, using policy names. + * This entry can be used to restrict the policy where + * the same Policy Constant is used for multiple policyNames. * kSecTrustSettingsApplication Specifies the application performing the cert * verification. * kSecTrustSettingsPolicyString Policy-specific. For the SMIME policy, this is @@ -167,6 +172,7 @@ extern "C" { * The keys in one Usage Constraints dictionary. */ #define kSecTrustSettingsPolicy CFSTR("kSecTrustSettingsPolicy") +#define kSecTrustSettingsPolicyName CFSTR("kSecTrustSettingsPolicyName") #define kSecTrustSettingsApplication CFSTR("kSecTrustSettingsApplication") #define kSecTrustSettingsPolicyString CFSTR("kSecTrustSettingsPolicyString") #define kSecTrustSettingsKeyUsage CFSTR("kSecTrustSettingsKeyUsage") @@ -176,7 +182,7 @@ extern "C" { /* * Key usage bits, the value for Usage Constraints key kSecTrustSettingsKeyUsage. */ -enum { +typedef CF_OPTIONS(uint32_t, SecTrustSettingsKeyUsage) { /* sign/verify data */ kSecTrustSettingsKeyUseSignature = 0x00000001, /* bulk encryption */ 
@@ -192,13 +198,12 @@ enum { /* any usage (the default if this value is not specified) */ kSecTrustSettingsKeyUseAny = 0xffffffff }; -typedef uint32_t SecTrustSettingsKeyUsage; /*! @enum SecTrustSettingsResult @abstract Result of a trust settings evaluation. */ -enum { +typedef CF_ENUM(uint32_t, SecTrustSettingsResult) { kSecTrustSettingsResultInvalid = 0, /* Never valid in a Trust Settings array or * in an API call. */ kSecTrustSettingsResultTrustRoot, /* Root cert is explicitly trusted */ @@ -207,19 +212,17 @@ enum { kSecTrustSettingsResultUnspecified /* Neither trusted nor distrusted; evaluation * proceeds as usual */ }; -typedef uint32_t SecTrustSettingsResult; /* * Specify user, local administrator, or system domain Trust Properties. * Note that kSecTrustSettingsDomainSystem settings are read-only, even by * root. */ -enum { +typedef CF_ENUM(uint32_t, SecTrustSettingsDomain) { kSecTrustSettingsDomainUser = 0, kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainSystem }; -typedef uint32_t SecTrustSettingsDomain; /* * SecCertificateRef value indicating the default Root Certificate Trust Settings diff --git a/OSX/sec/Security/SecTrustSettingsPriv.h b/OSX/sec/Security/SecTrustSettingsPriv.h index b6c56e58..66ecb9a7 100644 --- a/OSX/sec/Security/SecTrustSettingsPriv.h +++ b/OSX/sec/Security/SecTrustSettingsPriv.h @@ -65,7 +65,8 @@ extern "C" { * A usageConstraints dictionary is like so (all elements are optional). These key * strings are defined in SecUserTrust.h. * - * key = kSecTrustSettingsPolicy value = policy OID as CFData + * key = kSecTrustSettingsPolicy value = policy OID as CFString + * key = kSecTrustSettingsPolicyName value = policy name as CFString * key = kSecTrustSettingsApplication value = application path as CFString * key = kSecTrustSettingsPolicyString value = CFString, policy-specific * key = kSecTrustSettingsAllowedError value = CFNumber, an SInt32 CSSM_RETURN 
@@ -214,6 +215,25 @@ OSStatus SecTrustSettingsSetTrustSettingsExternal( CFTypeRef trustSettingsDictOrArray, /* optional */ CFDataRef *settingsOut); /* RETURNED */ +#if (SECTRUST_OSX && !TARGET_OS_IPHONE) +/* + * A wrapper around SecTrustSettingsCopyCertificates that combines user and admin + * domain outputs. + */ +OSStatus SecTrustSettingsCopyCertificatesForUserAdminDomains( + CFArrayRef CF_RETURNS_RETAINED *certArray); + +/* + * Obtain Trust Settings for specified cert. + * Caller must CFRelease() the returned CFArray. + * Returns errSecItemNotFound if no Trust settings exist for the cert. + */ +OSStatus SecTrustSettingsCopyTrustSettings( + SecCertificateRef certRef, + SecTrustSettingsDomain domain, + CFArrayRef * CF_RETURNS_RETAINED trustSettings); /* RETURNED */ +#endif + #ifdef __cplusplus } #endif diff --git a/OSX/sec/Security/SecTrustStore.c b/OSX/sec/Security/SecTrustStore.c index 2f37dc13..f4ea4a24 100644 --- a/OSX/sec/Security/SecTrustStore.c +++ b/OSX/sec/Security/SecTrustStore.c @@ -29,6 +29,8 @@ #include <Security/SecCertificateInternal.h> #include <Security/SecInternal.h> #include <Security/SecuritydXPC.h> +#include <Security/SecPolicyPriv.h> +#include <Security/SecPolicyInternal.h> #include <CoreFoundation/CFString.h> #include <AssertMacros.h> #include <ipc/securityd_client.h> @@ -38,7 +40,9 @@ #include <os/activity.h> #include <dirent.h> #include "SecTrustPriv.h" +#include "SecTrustSettings.h" #include <utilities/SecCFError.h> +#include <utilities/SecCFWrappers.h> #include "utilities/SecDb.h" static CFStringRef kSecTrustStoreUserName = CFSTR("user"); 
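Review bot: The two prototypes added at `@@ -214,6 +215,25 @@` place the ownership annotation differently, `CFArrayRef CF_RETURNS_RETAINED *certArray` versus `CFArrayRef * CF_RETURNS_RETAINED trustSettings`; pick one placement so the analyzer and readers see the same contract. The comment on SecTrustSettingsCopyCertificatesForUserAdminDomains also omits what its neighbour states, that the caller must CFRelease the array, and does not say whether errSecItemNotFound or an empty array comes back when neither domain holds certificates; the implementation is not visible here, so state whichever it is. Suggested first line: `Caller must CFRelease() the returned CFArray.`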
@@ -119,17 +123,95 @@ static bool string_cert_cftype_to_error(enum SecXPCOperation op, SecTrustStoreRe }, NULL); } +static OSStatus validateConstraint(Boolean isSelfSigned, CFMutableDictionaryRef trustSettingsDict) { + OSStatus result = errSecSuccess; + + /* Check "TrustRoot"/"TrustAsRoot" */ + CFNumberRef resultNumber = NULL; + resultNumber = (CFNumberRef)CFDictionaryGetValue(trustSettingsDict, kSecTrustSettingsResult); + uint32_t resultValue = kSecTrustSettingsResultInvalid; + if (!isNumber(resultNumber) && !isSelfSigned) { + /* only self-signed certs get default of TrustAsRoot */ + return errSecParam; + } + if (isNumber(resultNumber) && CFNumberGetValue(resultNumber, kCFNumberSInt32Type, &resultValue)) { + if (isSelfSigned && resultValue == kSecTrustSettingsResultTrustAsRoot) { + return errSecParam; + } + if (!isSelfSigned && resultValue == kSecTrustSettingsResultTrustRoot) { + return errSecParam; + } + } + + /* If there's a policy specified, change the contents */ + SecPolicyRef policy = NULL; + policy = (SecPolicyRef)CFDictionaryGetValue(trustSettingsDict, kSecTrustSettingsPolicy); + if (policy) { + CFStringRef policyOid = NULL, policyName = NULL; + policyOid = SecPolicyGetOidString(policy); + policyName = SecPolicyGetName(policy); + CFDictionarySetValue(trustSettingsDict, kSecTrustSettingsPolicy, policyOid); + if (policyName) { CFDictionaryAddValue(trustSettingsDict, kSecTrustSettingsPolicyName, policyName); } + } + + return result; +} + +static OSStatus validateTrustSettings(Boolean isSelfSigned, + CFTypeRef trustSettingsDictOrArray, + CFTypeRef * CF_RETURNS_RETAINED modifiedTrustSettings) { + OSStatus status = errSecParam; + CFTypeRef result = NULL; + + /* NULL is a valid input */ + if (!trustSettingsDictOrArray && isSelfSigned) { + return errSecSuccess; + } else if (!trustSettingsDictOrArray && !isSelfSigned) { + return errSecParam; + } + + if (CFDictionaryGetTypeID() == CFGetTypeID(trustSettingsDictOrArray)) { + result = 
CFDictionaryCreateMutableCopy(NULL, 0, trustSettingsDictOrArray); + status = validateConstraint(isSelfSigned, (CFMutableDictionaryRef)result); + } else if (CFArrayGetTypeID() == CFGetTypeID(trustSettingsDictOrArray)) { + require_action_quiet(result = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks), + out, status = errSecAllocate); + CFIndex ix, count = CFArrayGetCount(trustSettingsDictOrArray); + for (ix = 0; ix < count; ix++) { + CFDictionaryRef constraint = CFArrayGetValueAtIndex(trustSettingsDictOrArray, ix); + CFDictionaryRef modifiedConstraint = NULL; + require_noerr_quiet(status = validateTrustSettings(isSelfSigned, constraint, (CFTypeRef *)&modifiedConstraint), out); + CFArrayAppendValue((CFMutableArrayRef)result, modifiedConstraint); + CFReleaseNull(modifiedConstraint); /* constraint now owned by array */ + } + } + +out: + if (errSecSuccess == status && modifiedTrustSettings) { + *modifiedTrustSettings = CFRetainSafe(result); + } + CFReleaseNull(result); + return status; +} + OSStatus SecTrustStoreSetTrustSettings(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray) { __block OSStatus result; + __block CFTypeRef validatedTrustSettings = NULL; + + Boolean isSelfSigned = false; + require_noerr_quiet(result = SecCertificateIsSelfSigned(certificate, &isSelfSigned), out); + require_noerr_quiet(result = validateTrustSettings(isSelfSigned, trustSettingsDictOrArray, &validatedTrustSettings), out); os_activity_initiate("SecTrustStoreSetTrustSettings", OS_ACTIVITY_FLAG_DEFAULT, ^{ result = SecOSStatusWith(^bool (CFErrorRef *error) { - return SECURITYD_XPC(sec_trust_store_set_trust_settings, string_cert_cftype_to_error, ts, certificate, trustSettingsDictOrArray, error); + return SECURITYD_XPC(sec_trust_store_set_trust_settings, string_cert_cftype_to_error, ts, certificate, validatedTrustSettings, error); }); }); - + +out: + CFReleaseNull(validatedTrustSettings); return result; } 
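Review bot: validateConstraint casts the `kSecTrustSettingsPolicy` value to SecPolicyRef and passes it to SecPolicyGetOidString without checking its type, while SecTrustSettings.h in this same commit documents that key as holding the policy OID CFString and the new SecTrustStoreCopyUsageConstraints presumably hands that stored form back to callers; a constraint array read back and resubmitted to SecTrustStoreSetTrustSettings would therefore reach SecPolicyGetOidString with a CFString. Guard the conversion with `if (policy && CFGetTypeID(policy) == SecPolicyGetTypeID()) {`, treat any other non-NULL type as errSecParam, and also return errSecParam when `policyOid` comes back NULL, since CFDictionarySetValue with a NULL value traps. Two smaller things in the same hunk: `CFDictionaryAddValue(trustSettingsDict, kSecTrustSettingsPolicyName, policyName)` keeps a caller-supplied name even when it disagrees with the policy object, so CFDictionarySetValue would be the consistent choice, and the array branch of validateTrustSettings accepts nested arrays through the recursive call, which the dictionary-or-array contract does not describe. The result of `CFDictionaryCreateMutableCopy` is also passed to validateConstraint without a NULL check.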
@@ -182,3 +264,68 @@ OSStatus SecTrustStoreGetSettingsVersionNumber(SecTrustSettingsVersionNumber* p_ return errSecSuccess; } + +static bool string_to_array_error(enum SecXPCOperation op, SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error) +{ + return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { + return SecXPCDictionarySetString(message, kSecXPCKeyDomain, (CFStringRef)ts, error); + }, ^bool(xpc_object_t response, CFErrorRef *error) { + if (trustStoreContents) { + *trustStoreContents = SecXPCDictionaryCopyArray(response, kSecXPCKeyResult, error); + if (!*trustStoreContents) return false; + } + return true; + }); +} + +OSStatus SecTrustStoreCopyAll(SecTrustStoreRef ts, CFArrayRef *trustStoreContents) +{ + __block CFArrayRef results = NULL; + OSStatus status = errSecParam; + + os_activity_t trace_activity = os_activity_start("SecTrustStoreCopyAll", OS_ACTIVITY_FLAG_DEFAULT); + require(ts, errOut); + + status = SecOSStatusWith(^bool (CFErrorRef *error) { + return SECURITYD_XPC(sec_trust_store_copy_all, string_to_array_error, ts, &results, error); + }); + + *trustStoreContents = results; + +errOut: + os_activity_end(trace_activity); + return status; +} + +static bool string_data_to_array_error(enum SecXPCOperation op, SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error) +{ + return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { + return SecXPCDictionarySetString(message, kSecXPCKeyDomain, (CFStringRef)ts, error) && + SecXPCDictionarySetData(message, kSecXPCKeyDigest, digest, error); + }, ^bool(xpc_object_t response, CFErrorRef *error) { + return SecXPCDictionaryCopyArrayOptional(response, kSecXPCKeyResult, usageConstraints, error); + }); +} + +OSStatus SecTrustStoreCopyUsageConstraints(SecTrustStoreRef ts, SecCertificateRef certificate, CFArrayRef *usageConstraints) +{ + CFDataRef digest; + __block CFArrayRef results = NULL; + 
OSStatus status = errSecParam; + + os_activity_t trace_activity = os_activity_start("SecTrustStoreCopyUsageConstraints", OS_ACTIVITY_FLAG_DEFAULT); + require(ts, errOut); + require(certificate, errOut); + require(digest = SecCertificateGetSHA1Digest(certificate), errOut); + require(usageConstraints, errOut); + + status = SecOSStatusWith(^bool (CFErrorRef *error) { + return SECURITYD_XPC(sec_trust_store_copy_usage_constraints, string_data_to_array_error, ts, digest, &results, error); + }); + + *usageConstraints = results; + +errOut: + os_activity_end(trace_activity); + return status; +} diff --git a/OSX/sec/Security/SecTrustStore.h b/OSX/sec/Security/SecTrustStore.h index 6aaad749..c47632fa 100644 --- a/OSX/sec/Security/SecTrustStore.h +++ b/OSX/sec/Security/SecTrustStore.h @@ -30,6 +30,7 @@ #define _SECURITY_SECTRUSTSTORE_H_ #include <Security/SecCertificate.h> +#include <CoreFoundation/CoreFoundation.h> __BEGIN_DECLS @@ -58,6 +59,13 @@ OSStatus SecTrustStoreRemoveCertificate(SecTrustStoreRef ts, OSStatus SecTrustStoreGetSettingsVersionNumber(SecTrustSettingsVersionNumber* p_settings_version_number); +OSStatus SecTrustStoreCopyAll(SecTrustStoreRef ts, CFArrayRef *CF_RETURNS_RETAINED trustStoreContents); + +/* Note that usageConstraints may be NULL on success. */ +OSStatus SecTrustStoreCopyUsageConstraints(SecTrustStoreRef ts, + SecCertificateRef certificate, + CFArrayRef *CF_RETURNS_RETAINED usageConstraints); + __END_DECLS #endif /* !_SECURITY_SECTRUSTSTORE_H_ */ diff --git a/OSX/sec/Security/Security.h b/OSX/sec/Security/Security.h index 9d72fde9..98047399 100644 --- a/OSX/sec/Security/Security.h +++ b/OSX/sec/Security/Security.h @@ -32,4 +32,6 @@ #include <Security/SecRandom.h> #include <Security/SecSharedCredential.h> #include <Security/SecTrust.h> - +#if !TARGET_OS_IPHONE +#include <Security/AuthSession.h> +#endif diff --git a/OSX/sec/Security/SecuritydXPC.c b/OSX/sec/Security/SecuritydXPC.c index 03e76616..cfc717b1 100644 --- a/OSX/sec/Security/SecuritydXPC.c 
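Review bot: SecTrustStoreCopyAll writes `*trustStoreContents = results;` without validating the out-parameter, whereas SecTrustStoreCopyUsageConstraints in the same hunk guards `usageConstraints` with `require(usageConstraints, errOut);` before use; add `require(trustStoreContents, errOut);` after `require(ts, errOut);` so a NULL argument yields errSecParam instead of a write through NULL. On the require path `results` is never set, so nothing leaks, and on XPC failure the caller receives NULL with a non-success status. The reply block in `string_to_array_error` rejects a missing array while `string_data_to_array_error` uses SecXPCDictionaryCopyArrayOptional; that matches the "may be NULL on success" note added to SecTrustStore.h, so it is presumably intentional and worth one comment line, e.g. `/* a trust store listing must be present; per-cert usage constraints may be absent */`.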
+++ b/OSX/sec/Security/SecuritydXPC.c @@ -23,6 +23,7 @@ #include <Security/SecuritydXPC.h> +#include <Security/SecCFAllocator.h> #include <ipc/securityd_client.h> #include <utilities/SecCFError.h> #include <utilities/SecDb.h> @@ -59,6 +60,7 @@ const char *kSecXPCKeyViewName = "viewname"; const char *kSecXPCKeyViewActionCode = "viewactioncode"; const char *kSecXPCKeyHSA2AutoAcceptInfo = "autoacceptinfo"; const char *kSecXPCKeyString = "cfstring"; +const char *kSecXPCKeyArray = "cfarray"; const char *kSecXPCKeyNewPublicBackupKey = "newPublicBackupKey"; const char *kSecXPCKeyIncludeV0 = "includeV0"; const char *kSecXPCKeyReason = "reason"; @@ -66,8 +68,9 @@ const char *kSecXPCKeyEnabledViewsKey = "enabledViews"; const char *kSecXPCKeyDisabledViewsKey = "disabledViews"; const char *kSecXPCKeyEscrowLabel = "escrow"; const char *kSecXPCKeyTriesLabel = "tries"; -const char *kSecXPCKeyAvailability = "availability"; const char *kSecXPCKeyFileDescriptor = "fileDescriptor"; +const char *kSecXPCKeyAccessGroups = "accessGroups"; +const char *kSecXPCKeyClasses = "classes"; // @@ -126,6 +129,10 @@ CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op) return CFSTR("GetLastDepartureReason"); case kSecXPCOpHandleIDSMessage: return CFSTR("HandleIDSMessage"); + case kSecXPCOpSyncWithKVSPeer: + return CFSTR("SyncKVSPeer"); + case kSecXPCOpSyncWithIDSPeer: + return CFSTR("SyncIDSPeer"); case kSecXPCOpIDSDeviceID: return CFSTR("IDSDeviceID"); case kSecXPCOpLoggedOutOfAccount: 
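Review bot: The `@@ -66,8 +68,9 @@` hunk deletes the definition of `kSecXPCKeyAvailability` while adding `kSecXPCKeyAccessGroups` and `kSecXPCKeyClasses`; the header that declares these `const char *` keys is not in view, so confirm its `extern` declaration and every user are removed in the same commit, otherwise the link breaks for anything still referencing the symbol. The new keys themselves follow the existing naming convention of the table.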
@@ -236,6 +243,10 @@ CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op) return CFSTR("trust_store_remove_certificate"); case sec_trust_store_set_trust_settings_id: return CFSTR("trust_store_set_trust_settings"); + case sec_trust_store_copy_all_id: + return CFSTR("trust_store_copy_all"); + case sec_trust_store_copy_usage_constraints_id: + return CFSTR("trust_store_copy_usage_constraints"); case soscc_EnsurePeerRegistration_id: return CFSTR("EnsurePeerRegistration"); case kSecXPCOpSetEscrowRecord: @@ -256,6 +267,12 @@ CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op) return CFSTR("CopyEngineDataFromKeychain"); case kSecXPCOpDeleteEngineData: return CFSTR("DeleteEngineDataFromKeychain"); + case sec_item_update_token_items_id: + return CFSTR("UpdateTokenItems"); + case sec_delete_items_with_access_groups_id: + return CFSTR("sec_delete_items_with_access_groups_id"); + case kSecXPCOpPeersHaveViewsEnabled: + return CFSTR("kSecXPCOpPeersHaveViewsEnabled"); default: return CFSTR("Unknown xpc operation"); } @@ -431,7 +448,7 @@ CFTypeRef SecXPCDictionaryCopyPList(xpc_object_t message, const char *key, CFErr const uint8_t *der_end = der + size; /* use the sensitive allocator so that the dictionary is zeroized upon deallocation */ - const uint8_t *decode_end = der_decode_plist(CFAllocatorSensitive(), kCFPropertyListImmutable, + const uint8_t *decode_end = der_decode_plist(SecCFAllocatorZeroize(), kCFPropertyListImmutable, &cfobject, error, der, der_end); if (decode_end != der_end) { SecError(errSecParam, error, CFSTR("trailing garbage after der decoded object for key %s"), key); diff --git a/OSX/sec/Security/Tool/SecurityCommands.h b/OSX/sec/Security/Tool/SecurityCommands.h index 033e43fd..c016e5a0 100644 --- a/OSX/sec/Security/Tool/SecurityCommands.h +++ b/OSX/sec/Security/Tool/SecurityCommands.h 
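Review bot: In `@@ -256,6 +267,12 @@` the new descriptions `CFSTR("sec_delete_items_with_access_groups_id")` and `CFSTR("kSecXPCOpPeersHaveViewsEnabled")` echo the enumerator identifiers, while every neighbouring case, including the two added at `@@ -236,6 +243,10 @@`, returns a short operation name (`"trust_store_copy_all"`, `"UpdateTokenItems"`). If these strings feed activity or log names, as the function's other cases suggest, keep one convention: `return CFSTR("delete_items_with_access_groups");` and `return CFSTR("PeersHaveViewsEnabled");`. The allocator swap at `@@ -431,7 +448,7 @@` leaves the existing "zeroized upon deallocation" comment accurate only if SecCFAllocatorZeroize preserves that behaviour, which is presumably the point of its name; confirm.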
@@ -17,7 +17,7 @@ SECURITY_COMMAND("add-internet-password", keychain_add_internet_password, SECURITY_COMMAND("item", keychain_item, "[-v][-a|-D|-u attr=value,...|[-q][-g] attr=value,...] [-d password | -f datafile] [attr=value,...]\n" - "-q Query for item matching (default)\n" + "-q Query for item matching (default). Note: as default query skips items with ACL, you have to define 'u_AuthUI=u_AuthUIA' if you want to query items with ACL\n" "-g Get password data\n" "-a Add item to keychain\n" "-u Update item in keychain (require query to match)\n" @@ -159,3 +159,13 @@ SECURITY_COMMAND_IOS("verify-cert", verify_cert, " -q Quiet.\n" " -C Set client to true. Otherwise, verify-cert defaults to server (ssl, IPSec, eap).\n", "Verify certificate(s).") + +SECURITY_COMMAND_IOS("trust-store", trust_store_show_certificates, + "[-p][-f][-s][-v][-t][-k]\n" + " -p Output cert in PEM format.\n" + " -f Show fingerprint (SHA1 digest certificate.)\n" + " -s Show subject.\n" + " -v Show entire certificate in text form.\n" + " -t Show trust settings for certificates.\n" + " -k Show keyid (SHA1 digest of public key)", + "Display user trust store certificates and trust settings.") diff --git a/OSX/sec/Security/Tool/codesign.c b/OSX/sec/Security/Tool/codesign.c index a4423e10..ab01a43b 100644 --- a/OSX/sec/Security/Tool/codesign.c +++ b/OSX/sec/Security/Tool/codesign.c @@ -415,6 +415,7 @@ extern int codesign_util(int argc, char * const *argv) fprintf(stderr, "\n"); } } + CFReleaseNull(policy); } CFReleaseSafe(sigs); diff --git a/OSX/sec/Security/Tool/keychain_find.c b/OSX/sec/Security/Tool/keychain_find.c index 91071d54..cde7206b 100644 --- a/OSX/sec/Security/Tool/keychain_find.c +++ b/OSX/sec/Security/Tool/keychain_find.c 
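Review bot: In the new `trust-store` entry at `@@ -159,3 +159,13 @@`, the `-k` help line `" -k Show keyid (SHA1 digest of public key)"` lacks the trailing `\n` that every other option line and the neighbouring `verify-cert` entry carry, so the usage text would run into whatever is printed next; add the newline. The reworded `-q` help in the `item` command is one long sentence; putting the ACL remark on its own indented line would match how the other options are documented.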
@@ -485,6 +485,8 @@ int keychain_item(int argc, char * const *argv) { result = 1; } } else { + if (!do_delete && CFDictionaryGetValue(query, kSecUseAuthenticationUI) == NULL) + CFDictionarySetValue(query, kSecUseAuthenticationUI, kSecUseAuthenticationUISkip); do_find_or_delete(query, do_delete); } diff --git a/OSX/sec/Security/Tool/keychain_util.c b/OSX/sec/Security/Tool/keychain_util.c index 308d5df9..704a376b 100644 --- a/OSX/sec/Security/Tool/keychain_util.c +++ b/OSX/sec/Security/Tool/keychain_util.c @@ -106,8 +106,14 @@ void display_sac_line(SecAccessControlRef sac, CFMutableStringRef line) { CFTypeRef protection = SecAccessControlGetProtection(sac); - if (CFStringGetTypeID() == CFGetTypeID(protection)) + if (CFDictionaryGetTypeID() == CFGetTypeID(protection)) { + CFStringRef protectionStr = createStringForOps(protection); + CFStringAppend(line, protectionStr); + CFRelease(protectionStr); + } else if (CFStringGetTypeID() == CFGetTypeID(protection)) CFStringAppend(line, protection); + else + CFStringAppend(line, CFSTR("??")); CFDictionaryRef constraints = SecAccessControlGetConstraints(sac); CFStringRef constraintsString = createStringForOps(constraints); diff --git a/OSX/sec/Security/Tool/scep.c b/OSX/sec/Security/Tool/scep.c index f59a1781..738b1af8 100644 --- a/OSX/sec/Security/Tool/scep.c +++ b/OSX/sec/Security/Tool/scep.c @@ -452,6 +452,8 @@ extern int command_scep(int argc, char * const *argv) bool scep_can_use_post = false; bool scep_use_3des = false; bool scep_can_use_sha1 = false; + bool scep_can_use_sha512 = false; + bool scep_can_use_sha256 = false; CFArrayRef caps = NULL; if (!scep_capabilities) { 
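Review bot: In display_sac_line the string returned by `createStringForOps(protection)` is passed straight to CFStringAppend and CFRelease; whether createStringForOps can return NULL is not visible here, but the existing code just below the hunk calls it the same way for `constraints`, so if it can, both sites crash on a NULL. A guard of the form `if (protectionStr) { CFStringAppend(line, protectionStr); CFRelease(protectionStr); }` costs one line. The new branch is braced while the `else if`/`else` branches are not, and the keychain_find.c hunk at `@@ -485,6 +485,8 @@` likewise wraps a two-line condition around an unbraced statement; bracing all of them avoids the classic dangling-statement mistake.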
@@ -481,6 +483,8 @@ extern int command_scep(int argc, char * const *argv) scep_can_use_post = CFArrayContainsValue(caps, caps_length, CFSTR("POSTPKIOperation")); scep_use_3des = CFArrayContainsValue(caps, caps_length, CFSTR("DES3")); scep_can_use_sha1 = CFArrayContainsValue(caps, caps_length, CFSTR("SHA-1")); + scep_can_use_sha256 = CFArrayContainsValue(caps, caps_length, CFSTR("SHA-256")); + scep_can_use_sha512 = CFArrayContainsValue(caps, caps_length, CFSTR("SHA-512")); // We probably inteded these to be the values and not override them below.. // but for now to quiet the analyzer we reference them here. see <rdar://problem/15010402> scep.c, command_scep assumes 3des and sha1 @@ -504,9 +508,15 @@ extern int command_scep(int argc, char * const *argv) CFDictionarySetValue(csr_parameters, kSecCMSBulkEncryptionAlgorithm, kSecCMSEncryptionAlgorithmDESCBC); fprintf(stderr, "SCEP server does not support 3DES, falling back to DES. You should reconfigure your server.\n"); } - if (!scep_can_use_sha1) { - CFDictionarySetValue(csr_parameters, kSecCMSSignHashAlgorithm, kSecCMSHashingAlgorithmMD5); - fprintf(stderr, "SCEP server does not support SHA-1, falling back to MD5. You should reconfigure your server.\n"); + + if (scep_can_use_sha512) { + CFDictionarySetValue(csr_parameters, kSecCMSSignHashAlgorithm, kSecCMSHashingAlgorithmSHA512); + } else if (scep_can_use_sha256) { + CFDictionarySetValue(csr_parameters, kSecCMSSignHashAlgorithm, kSecCMSHashingAlgorithmSHA256); + } else if (scep_can_use_sha1) { + CFDictionarySetValue(csr_parameters, kSecCMSSignHashAlgorithm, kSecCMSHashingAlgorithmSHA1); + } else { + fprintf(stderr, "SCEP server does not support SHA-1. You must reconfigure your server.\n"); } if (scep_subject_alt_name) { 
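Review bot: The final `else` at `@@ -504,9 +508,15 @@` only prints `SCEP server does not support SHA-1. You must reconfigure your server.` and then continues the enrollment with whatever kSecCMSSignHashAlgorithm value `csr_parameters` already holds, even though the message says the server must be reconfigured; before this change that branch at least selected an explicit fallback. Either abort here, e.g. `goto out;` with `result` still non-zero (the `out:` label of command_scep and the preceding `result = 0;` are visible in the `@@ -585,7 +595,8 @@` hunk, so this presumably fits), or state in a comment which default hash the request will be signed with. The SHA-512 over SHA-256 over SHA-1 preference is a good change; the `inteded ... assumes 3des and sha1` comment kept as context in the `@@ -481,6 +483,8 @@` hunk now describes a fallback that no longer exists and should be updated alongside it. command_scep begins and ends outside these hunks.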
@@ -585,7 +595,8 @@ extern int command_scep(int argc, char * const *argv) result = 0; out: - SecItemDelete(identity_add); + if (identity_add) + SecItemDelete(identity_add); CFReleaseSafe(identity_add); //if (uuid_cfstr) CFRelease(uuid_cfstr); CFReleaseSafe(candidate_identity); diff --git a/OSX/sec/Security/Tool/show_certificates.c b/OSX/sec/Security/Tool/show_certificates.c index 87fbeeb1..108885f2 100644 --- a/OSX/sec/Security/Tool/show_certificates.c +++ b/OSX/sec/Security/Tool/show_certificates.c @@ -52,6 +52,7 @@ #include <Security/SecPolicyPriv.h> #include <Security/SecTrustPriv.h> #include <Security/SecInternal.h> +#include <Security/SecTrustStore.h> #include <SecurityTool/readline.h> 
@@ -290,4 +291,132 @@ int keychain_show_certificates(int argc, char * const *argv) return result; } +int trust_store_show_certificates(int argc, char * const *argv) +{ + int ch, result = 0; + bool output_subject = false; + bool verbose = false; + bool trust_settings = false; + bool output_pem = false; + bool output_finger_print = false; + bool output_keyid = false; + CFArrayRef certs = NULL; + + while ((ch = getopt(argc, argv, "fpstvk")) != -1) + { + switch (ch) + { + case 'p': + output_pem = true; + break; + case 's': + output_subject = true; + break; + case 'v': + verbose = true; + break; + case 't': + trust_settings = true; + break; + case 'f': + output_finger_print = true; + break; + case 'k': + output_keyid = true; + break; + case '?': + default: + return 2; /* @@@ Return 2 triggers usage message. */ + } + } + + if(SecTrustStoreCopyAll(SecTrustStoreForDomain(kSecTrustStoreDomainUser), + &certs) || !certs) { + fprintf(stderr, "failed to get trust store contents for user\n"); + return 1; + } + + CFIndex ix, count = CFArrayGetCount(certs); + if (count) printf("*******************************************************\n"); + for (ix = 0; ix < count; ix++) { + CFArrayRef certSettingsPair = NULL; + CFDataRef certData = NULL; + SecCertificateRef cert = NULL; + + certSettingsPair = CFArrayGetValueAtIndex(certs, ix); + certData = (CFDataRef)CFArrayGetValueAtIndex(certSettingsPair, 0); + cert = SecCertificateCreateWithData(kCFAllocatorDefault, certData); + if (!cert) { + fprintf(stderr, "failed to get cert at %ld\n",ix); + return 1; + } + if (verbose) { + print_cert(cert, verbose); + } else if (output_subject) { + CFStringRef subject = SecCertificateCopySubjectString(cert); + if (subject) { + CFStringWriteToFileWithNewline(subject, stdout); + CFRelease(subject); + } + } else if (output_pem) { + print_buffer_pem(stdout, "CERTIFICATE", + SecCertificateGetLength(cert), + SecCertificateGetBytePtr(cert)); + } else { + print_cert(cert, verbose); + } + if (output_keyid) { + 
CFDataRef key_fingerprint = SecCertificateCopyPublicKeySHA1Digest(cert); + if (key_fingerprint) { + int i; + CFIndex j = CFDataGetLength(key_fingerprint); + const uint8_t *byte = CFDataGetBytePtr(key_fingerprint); + + fprintf(stdout, "Keyid:"); + for (i = 0; i < j; i++) { + fprintf(stdout, " %02X", byte[i]); + } + fprintf(stdout, "\n"); + } + CFReleaseSafe(key_fingerprint); + } + if (output_finger_print) { + CFDataRef fingerprint = SecCertificateGetSHA1Digest(cert); + if (fingerprint) { + int i; + CFIndex j = CFDataGetLength(fingerprint); + const uint8_t *byte = CFDataGetBytePtr(fingerprint); + + fprintf(stdout, "Fingerprint:"); + for (i = 0; i < j; i++) { + fprintf(stdout, " %02X", byte[i]); + } + fprintf(stdout, "\n"); + } + } + if (trust_settings) { + CFPropertyListRef trust_settings = NULL; + trust_settings = CFArrayGetValueAtIndex(certSettingsPair, 1); + if (trust_settings && CFGetTypeID(trust_settings) != CFArrayGetTypeID()) { + fprintf(stderr, "failed to get trust settings for cert %ld\n", ix); + CFReleaseNull(cert); + return 1; + } + // place-holder until there are actual trust settings + CFStringRef settings = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), trust_settings); + char *settingsStr = NULL; + settingsStr = CFStringToCString(settings); + fprintf(stdout, "%s\n", settingsStr); + free(settingsStr); + CFRelease(settings); + + } + printf("*******************************************************\n"); + CFReleaseNull(cert); + } + + CFRelease(certs); + return result; +} + #endif // TARGET_OS_EMBEDDED diff --git a/OSX/sec/Security/Tool/verify_cert.c b/OSX/sec/Security/Tool/verify_cert.c index a1b8ebfd..3db25f96 100644 --- a/OSX/sec/Security/Tool/verify_cert.c +++ b/OSX/sec/Security/Tool/verify_cert.c 
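Review bot: trust_store_show_certificates indexes each `certSettingsPair` received from securityd at 0 and 1 and casts element 0 to CFDataRef without checking that the element is an array of at least two entries or that the first is data, and every error `return 1` inside the loop leaves `certs` unreleased. Since the array crosses the XPC boundary, validate the shape before indexing and replace the in-loop returns with `result = 1; break;` so the existing `CFRelease(certs)` at the end runs. Two smaller issues: `CFStringToCString(settings)` is printed with `%s` without a NULL check, and the inner `CFPropertyListRef trust_settings` shadows the `bool trust_settings` that the enclosing `if` just tested, which reads badly; rename it.
```c
    for (ix = 0; ix < count; ix++) {
        CFArrayRef certSettingsPair = CFArrayGetValueAtIndex(certs, ix);
        if (!certSettingsPair || CFGetTypeID(certSettingsPair) != CFArrayGetTypeID() ||
            CFArrayGetCount(certSettingsPair) < 2) {
            fprintf(stderr, "malformed trust store entry at %ld\n", ix);
            result = 1;
            break;  /* falls through to CFRelease(certs) */
        }
        CFDataRef certData = (CFDataRef)CFArrayGetValueAtIndex(certSettingsPair, 0);
        if (!certData || CFGetTypeID(certData) != CFDataGetTypeID()) {
            fprintf(stderr, "malformed certificate data at %ld\n", ix);
            result = 1;
            break;
        }
        SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, certData);
        if (!cert) {
            fprintf(stderr, "failed to get cert at %ld\n",ix);
            result = 1;
            break;
        }
        /* … unchanged: output selection, keyid and fingerprint printing … */
        if (trust_settings) {
            CFPropertyListRef settingsPlist = CFArrayGetValueAtIndex(certSettingsPair, 1);
            if (settingsPlist && CFGetTypeID(settingsPlist) != CFArrayGetTypeID()) {
                fprintf(stderr, "failed to get trust settings for cert %ld\n", ix);
                CFReleaseNull(cert);
                result = 1;
                break;
            }
            CFStringRef settings = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), settingsPlist);
            char *settingsStr = CFStringToCString(settings);
            if (settingsStr) {
                fprintf(stdout, "%s\n", settingsStr);
                free(settingsStr);
            }
            CFRelease(settings);
        }
        /* … unchanged: separator line, CFReleaseNull(cert) … */
    }
```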
@@ -28,77 +28,23 @@ #include <Security/SecCertificate.h> #include <Security/SecTrust.h> #include <Security/SecPolicy.h> +#include <utilities/fileIo.h> #include <sys/stat.h> #include <stdio.h> #include <time.h> -int readFile(const char *fileName, unsigned char **bytes, unsigned *numBytes); CFStringRef policyToConstant(const char *policy); int verify_cert(int argc, char * const *argv); -/* Read an entire file. Copied from cuFileIo.c */ -int readFile( - const char *fileName, - unsigned char **bytes, /* malloc'd and returned */ - unsigned *numBytes) /* returned */ -{ - int rtn; - int fd; - unsigned char *buf; - struct stat sb; - unsigned size; - - *numBytes = 0; - *bytes = NULL; - fd = open(fileName, O_RDONLY, 0); - if (fd < 0) { - return errno; - } - - rtn = fstat(fd, &sb); - if (rtn) { - goto errOut; - } - size = (unsigned)sb.st_size; - buf = malloc(size); - if (buf == NULL) { - rtn = ENOMEM; - goto errOut; - } - - rtn = (int)lseek(fd, 0, SEEK_SET); - if (rtn < 0) { - free(buf); - goto errOut; - } - - rtn = (int)read(fd, buf, (size_t)size); - if (rtn != (int)size) { - if (rtn >= 0) { - printf("readFile: short read\n"); - } - free(buf); - rtn = EIO; - } - else { - rtn = 0; - *bytes = buf; - *numBytes = size; - } -errOut: - close(fd); - return rtn; -} - static int addCertFile(const char *fileName, CFMutableArrayRef *array) { SecCertificateRef certRef = NULL; CFDataRef dataRef = NULL; unsigned char *buf = NULL; - unsigned int numBytes; + size_t numBytes; int rtn = 0; - if (readFile(fileName, &buf, &numBytes)) { + if (readFileSizet(fileName, &buf, &numBytes)) { rtn = -1; goto errOut; } @@ -169,8 +115,8 @@ int verify_cert(int argc, char * const *argv) { CFMutableArrayRef roots = NULL; CFMutableDictionaryRef dict = NULL; - const char *name = NULL; - bool client = false; + CFStringRef name = NULL; + CFBooleanRef client = kCFBooleanFalse; OSStatus ortn; int ourRtn = 0; 
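Review bot: With the local readFile removed at `@@ -28,77 +28,23 @@`, the `#include <sys/stat.h>` that it needed is kept, and whatever other headers the removed body relied on (open/read/close, errno) sit outside the hunk; drop the ones that no longer have a user so the file does not carry dead dependencies. addCertFile now passes `unsigned char *buf` and `size_t numBytes` to readFileSizet from utilities/fileIo.h; that prototype is not visible here, so confirm the pointer type matches exactly rather than relying on an implicit conversion. Whether `buf` is released on addCertFile's errOut path is outside the hunk and unchanged by this commit.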
@@ -224,8 +170,8 @@ int verify_cert(int argc, char * const *argv) { fetch = false; break; case 'n': - if (name != NULL) { - name = optarg; + if (name == NULL) { + name = CFStringCreateWithCString(NULL, optarg, kCFStringEncodingUTF8); } break; case 'q': @@ -233,7 +179,7 @@ int verify_cert(int argc, char * const *argv) { break; case 'C': /* Set to client */ - client = true; + client = kCFBooleanTrue; break; case 'd': memset(&time, 0, sizeof(struct tm)); @@ -294,21 +240,23 @@ int verify_cert(int argc, char * const *argv) { dict = CFDictionaryCreateMutable(NULL, 2, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (name == NULL) { + fprintf(stderr, "Name not specified for IPsec or SSL policy. '-n' is a required option for these policies."); ourRtn = 2; goto errOut; } CFDictionaryAddValue(dict, kSecPolicyName, name); - CFDictionaryAddValue(dict, kSecPolicyClient, &client); + CFDictionaryAddValue(dict, kSecPolicyClient, client); } else if (!CFStringCompare(policy, kSecPolicyAppleEAP, 0)) { dict = CFDictionaryCreateMutable(NULL, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - CFDictionaryAddValue(dict, kSecPolicyClient, &client); + CFDictionaryAddValue(dict, kSecPolicyClient, client); } else if (!CFStringCompare(policy, kSecPolicyAppleSMIME, 0)) { dict = CFDictionaryCreateMutable(NULL, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (name == NULL) { + fprintf(stderr, "Name not specified for SMIME policy. '-n' is a required option for this policy."); ourRtn = 2; goto errOut; } @@ -430,5 +378,6 @@ errOut: CFRELEASE(dict); CFRELEASE(policyRef); CFRELEASE(trustRef); + CFRELEASE(name); return ourRtn; } diff --git a/OSX/sec/Security/cssmapple.h b/OSX/sec/Security/cssmapple.h index 8f7a60ac..fcead425 100644 --- a/OSX/sec/Security/cssmapple.h +++ b/OSX/sec/Security/cssmapple.h 
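Review bot: In the `-n` case at `@@ -224,8 +170,8 @@`, `CFStringCreateWithCString` returns NULL when optarg is not valid UTF-8, and the only later check is the `if (name == NULL)` at `@@ -294,21 +240,23 @@`, which then reports "Name not specified" for a name that was specified; report the conversion failure at the option instead, with the same usage-style exit the other option errors use. A repeated `-n` is now silently ignored where the old code (which never assigned `name` at all) was simply broken; a one-line warning would make the first-wins rule visible. The two new `fprintf(stderr, ...)` messages lack a trailing `\n`, so the next line of output joins them; e.g. `fprintf(stderr, "Name not specified for IPsec or SSL policy. '-n' is a required option for these policies.\n");`. The `CFRELEASE(name)` in the cleanup hunk correctly balances the create.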
@@ -31,6 +31,9 @@ extern "C" { #endif +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + /* First, an array of bits indicating various status of the cert. */ typedef uint32 CSSM_TP_APPLE_CERT_STATUS; enum @@ -72,6 +75,7 @@ typedef struct { } CSSM_TP_APPLE_EVIDENCE_INFO; +#pragma clang diagnostic pop #ifdef __cplusplus } diff --git a/OSX/sec/SecurityTool/security.1 b/OSX/sec/SecurityTool/security.1 index e411c50c..f8578761 100644 --- a/OSX/sec/SecurityTool/security.1 +++ b/OSX/sec/SecurityTool/security.1 @@ -222,6 +222,7 @@ Unset it if no keychain is specified. .Op Ar keychain... .Bl -item -offset -indent Create keychains and add them to the search list. If no keychains are specified the user is prompted for one. +Use of the -p option is insecure. .It Options: .Bl -tag -compact -width -indent-indent @@ -469,6 +470,7 @@ Specifies that private keys are to be wrapped on export. Specifies that PEM armour is to be applied to the output data. .It Fl P Ar passphrase Specify the wrapping passphrase immediately. The default is to obtain a secure passphrase via GUI. +Use of the -P option is unsecure. .It Fl o Ar outfile Write the output data to .Ar outfile Ns @@ -509,6 +511,7 @@ Specify the format of the exported data. Possible formats are openssl, bsafe, ra Specifies that private keys are wrapped and must be unwrapped on import. .It Fl P Ar passphrase Specify the unwrapping passphrase immediately. The default is to obtain a secure passphrase via GUI. +Use of the -P option is unsecure. .El .It .Sy Examples diff --git a/OSX/sec/SecurityTool/whoami.m b/OSX/sec/SecurityTool/whoami.m index d172d73d..9e1f80d3 100644 --- a/OSX/sec/SecurityTool/whoami.m +++ b/OSX/sec/SecurityTool/whoami.m 
@@ -41,8 +41,8 @@ command_whoami(__unused int argc, __unused char * const * argv) @autoreleasepool { CFErrorRef error = NULL; NSDictionary *dict = NULL; - - dict = [(__bridge NSDictionary *)_SecSecuritydCopyWhoAmI(&error) autorelease]; + + dict = CFBridgingRelease(_SecSecuritydCopyWhoAmI(&error)); if (dict) { puts([[NSString stringWithFormat:@"the server thinks we are:\n%@\n", dict] UTF8String]); } else { diff --git a/OSX/sec/SharedWebCredential/com.apple.security.swcagent.plist b/OSX/sec/SharedWebCredential/com.apple.security.swcagent.plist index cfc5197c..5f60a709 100644 --- a/OSX/sec/SharedWebCredential/com.apple.security.swcagent.plist +++ b/OSX/sec/SharedWebCredential/com.apple.security.swcagent.plist @@ -20,14 +20,10 @@ <key>com.apple.security.swcagent</key> <true/> </dict> - <key>OnDemand</key> - <true/> <key>ProgramArguments</key> <array> <string>/System/Library/Frameworks/Security.framework/swcagent</string> </array> - <key>ServiceIPC</key> - <true/> <key>Umask</key> <integer>54</integer> <key>UserName</key> diff --git a/OSX/sec/SharedWebCredential/swcagent.m b/OSX/sec/SharedWebCredential/swcagent.m index 243c9bab..0073745b 100644 --- a/OSX/sec/SharedWebCredential/swcagent.m +++ b/OSX/sec/SharedWebCredential/swcagent.m 
@@ -1,15 +1,15 @@ /* - * Copyright (c) 2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2014-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -45,6 +45,7 @@ #if TARGET_OS_IPHONE #include <SpringBoardServices/SpringBoardServices.h> +#include <MobileCoreServices/LSApplicationProxy.h> #endif #if TARGET_OS_IPHONE && !TARGET_OS_NANO 
@@ -89,23 +90,6 @@ typedef WBSAutoFillDataClasses (*WBUAutoFillGetEnabledDataClasses_f)(void); #include <xpc/connection_private.h> #include <AssertMacros.h> - -// Local function declarations -CFStringRef SWCAGetOperationDescription(enum SWCAXPCOperation op); -bool SWCAIsAutofillEnabled(void); - -bool swca_confirm_add(CFDictionaryRef attributes, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error); -bool swca_confirm_copy(CFDictionaryRef attributes, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error); -bool swca_confirm_update(CFDictionaryRef attributes, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error); -bool swca_confirm_delete(CFDictionaryRef attributes, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error); -bool swca_select_item(CFArrayRef items, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error); - -CFOptionFlags swca_handle_request(enum SWCAXPCOperation operation, CFStringRef client, CFArrayRef domains); -bool swca_process_response(CFOptionFlags response, CFTypeRef *result); - -static CFArrayRef gActiveArray = NULL; -static CFDictionaryRef gActiveItem = NULL; - #if TARGET_IPHONE_SIMULATOR #define CHECK_ENTITLEMENTS 0 #else @@ -163,9 +147,20 @@ enum { @property(retain) NSString *client_name; @property(retain) NSString *path; @property(retain) NSBundle *bundle; +-(void)dealloc; @end @implementation Client + +-(void)dealloc +{ + [_client release]; + [_client_name release]; + [_path release]; + [_bundle release]; + [super dealloc]; +} @end + static Client *identify_client(pid_t pid) { Client *client = [[Client alloc] init]; 
@@ -177,7 +172,7 @@ static Client *identify_client(pid_t pid) #if TARGET_OS_IPHONE if (proc_pidpath(pid, path_buf, sizeof(path_buf)) <= 0) { - asl_log(NULL, NULL, ASL_LEVEL_NOTICE, "Refusing client without path (pid %d)", pid); + secnotice("swcagent", "Refusing client without path (pid %d)", pid); [client release]; return nil; } @@ -193,7 +188,7 @@ static Client *identify_client(pid_t pid) if (!(client.path = [NSString stringWithUTF8String:path_buf]) || !(path_url = [NSURL fileURLWithPath:client.path])) { - asl_log(NULL, NULL, ASL_LEVEL_NOTICE, "Refusing client without path (pid %d)", pid); + secnotice("swcagent", "Refusing client without path (pid %d)", pid); [client release]; return nil; } @@ -205,8 +200,7 @@ static Client *identify_client(pid_t pid) client.client_type = CLIENT_TYPE_BUNDLE_IDENTIFIER; CFStringRef client_name_cf = NULL; #if TARGET_OS_IPHONE - client_name_cf = SBSCopyLocalizedApplicationNameForDisplayIdentifier((__bridge CFStringRef)client.client); - client.client_name = (NSString *)client_name_cf; + client.client_name = [[LSApplicationProxy applicationProxyForIdentifier:client.client] localizedNameForContext:nil]; #else if (!LSCopyDisplayNameForURL((__bridge CFURLRef)bundle_url, &client_name_cf)) client.client_name = (__bridge_transfer NSString *)client_name_cf; @@ -215,7 +209,7 @@ static Client *identify_client(pid_t pid) CFRelease(client_name_cf); } else { #if TARGET_OS_IPHONE - asl_log(NULL, NULL, ASL_LEVEL_NOTICE, "Refusing client without bundle identifier (%s)", path_buf); + secnotice("swcagent", "Refusing client without bundle identifier (%s)", path_buf); [client release]; [bundle_url release]; return nil; 
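Review bot: On the iOS branch `client_name_cf` is now never assigned, yet the context line `CFRelease(client_name_cf);` at old line 215 still executes after the conditional block; unless one of the elided lines 209–214 guards it, the iOS path now always calls CFRelease on NULL, which aborts the agent. Since a CF string is only produced by the macOS `LSCopyDisplayNameForURL` call, move both the `CFStringRef client_name_cf = NULL;` declaration and the `CFRelease(client_name_cf);` into the `#else` branch so the iOS build carries no unused CF temporary at all. identify_client starts and ends outside these hunks.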
@@ -224,7 +218,7 @@ static Client *identify_client(pid_t pid) CFBooleanRef is_app = NULL; CFStringRef client_name_cf; if (bundle_url && - CFURLCopyResourcePropertyForKey((__bridge CFURLRef)bundle_url, _kCFURLIsApplicationKey, &is_app, NULL) && + CFURLCopyResourcePropertyForKey((__bridge CFURLRef)bundle_url, kCFURLIsApplicationKey, &is_app, NULL) && is_app == kCFBooleanTrue) { if ((client.client = [bundle_url path]) && !LSCopyDisplayNameForURL((__bridge CFURLRef)bundle_url, &client_name_cf)) @@ -255,7 +249,7 @@ struct __SecTask { CFDictionaryRef entitlements; }; -static CFStringRef SecTaskCopyLocalizedDescription(SecTaskRef task) +static Client* SecTaskCopyClient(SecTaskRef task) { // SecTaskCopyDebugDescription is not sufficient to get the localized client name pid_t pid; @@ -265,11 +259,8 @@ static CFStringRef SecTaskCopyLocalizedDescription(SecTaskRef task) pid = task->pid_self; } Client *client = identify_client(pid); - CFStringRef clientTaskName = (__bridge CFStringRef)client.client_name; - CFRetainSafe(clientTaskName); - [client release]; - return clientTaskName; + return client; } static CFArrayRef SecTaskCopyAccessGroups(SecTaskRef task) { @@ -282,7 +273,13 @@ static CFArrayRef SecTaskCopyAccessGroups(SecTaskRef task) { return groups; } -CFStringRef SWCAGetOperationDescription(enum SWCAXPCOperation op) +// Local function declarations + +static CFArrayRef gActiveArray = NULL; +static CFDictionaryRef gActiveItem = NULL; + + +static CFStringRef SWCAGetOperationDescription(enum SWCAXPCOperation op) { switch (op) { case swca_add_request_id: @@ -332,7 +329,7 @@ static OSStatus _SecWBUEnsuredInitialized(void) } #endif -bool SWCAIsAutofillEnabled(void) +static bool SWCAIsAutofillEnabled(void) { #if TARGET_IPHONE_SIMULATOR // Assume the setting's on in the simulator: <rdar://problem/17057358> WBUAutoFillGetEnabledDataClasses call failing in the Simulator 
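Review bot: `SecTaskCopyClient` hands back the +1 `Client` that `identify_client` allocated, or nil when the client was refused, but nothing states the ownership; a one-line comment above it, `// Returns a retained Client (caller must release), or nil if the client was refused.`, would make the `[client release]` in the XPC handler self-explanatory. In the hunk at old line 282 the heading `// Local function declarations` now sits above `gActiveArray` and `gActiveItem` with no declarations under it, because the prototypes it described were deleted earlier in this file; drop the heading or reword it to describe the two globals.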
@@ -348,7 +345,7 @@ bool SWCAIsAutofillEnabled(void) #endif } -CFOptionFlags swca_handle_request(enum SWCAXPCOperation operation, CFStringRef client, CFArrayRef domains) +static CFOptionFlags swca_handle_request(enum SWCAXPCOperation operation, Client* client, CFArrayRef domains) { CFUserNotificationRef notification = NULL; NSMutableDictionary *notification_dictionary = NULL; @@ -425,16 +422,17 @@ check_database: other_button_key = @"SWC_DENY"; info_message_key = @"SWC_INFO_MESSAGE"; - notification_dictionary[(__bridge NSString *)kCFUserNotificationAlertHeaderKey] = [NSString stringWithFormat:request_format, client, domain]; + notification_dictionary[(__bridge NSString *)kCFUserNotificationAlertHeaderKey] = [NSString stringWithFormat:request_format, client.client_name, domain]; notification_dictionary[(__bridge NSString *)kCFUserNotificationAlertMessageKey] = NSLocalizedStringFromTableInBundle(info_message_key, swc_table, security_bundle, nil); notification_dictionary[(__bridge NSString *)kCFUserNotificationDefaultButtonTitleKey] = NSLocalizedStringFromTableInBundle(default_button_key, swc_table, security_bundle, nil); notification_dictionary[(__bridge NSString *)kCFUserNotificationAlternateButtonTitleKey] = NSLocalizedStringFromTableInBundle(alternate_button_key, swc_table, security_bundle, nil); - + if (other_button_key) { // notification_dictionary[(__bridge NSString *)kCFUserNotificationOtherButtonTitleKey] = NSLocalizedStringFromTableInBundle(other_button_key, swc_table, security_bundle, nil); } notification_dictionary[(__bridge NSString *)kCFUserNotificationLocalizationURLKey] = [security_bundle bundleURL]; - + notification_dictionary[(__bridge NSString *)SBUserNotificationAllowedApplicationsKey] = client.client; + SInt32 error; if (!(notification = CFUserNotificationCreate(NULL, 0, kCFUserNotificationStopAlertLevel | kCFUserNotificationNoDefaultButtonFlag, &error, (__bridge CFDictionaryRef)notification_dictionary)) || error) 
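Review bot: `notification_dictionary[(__bridge NSString *)SBUserNotificationAllowedApplicationsKey] = client.client;` raises NSInvalidArgumentException when `client.client` is nil, because `-setObject:forKeyedSubscript:` rejects a nil object; `SecTaskCopyClient` returns nil for a client it refuses, and the replaced code only used the name inside a format string, where nil was harmless. Unless the XPC handler rejects a nil client before calling these helpers (the hunk does not show that), a request from a process without a resolvable path or bundle identifier would now take down swcagent. Guard the insertion, `if (client.client) notification_dictionary[(__bridge NSString *)SBUserNotificationAllowedApplicationsKey] = client.client;`, or better, fail the request early when `client` is nil. The same unguarded insertion appears in swca_select_item in the later hunk at old line 545. swca_handle_request starts outside this hunk.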
@@ -450,7 +448,7 @@ out: return response; } -bool swca_process_response(CFOptionFlags response, CFTypeRef *result) +static bool swca_process_response(CFOptionFlags response, CFTypeRef *result) { int32_t value = (int32_t)(response & 0x3); CFNumberRef number = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &value); 
@@ -458,39 +456,39 @@ bool swca_process_response(CFOptionFlags response, CFTypeRef *result) return (NULL != number); } -bool swca_confirm_add(CFDictionaryRef attributes, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) +static bool swca_confirm_add(CFDictionaryRef attributes, Client* client, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) { CFStringRef domain = (CFStringRef) CFDictionaryGetValue(attributes, kSecAttrServer); CFArrayRef domains = CFArrayCreate(kCFAllocatorDefault, (const void **)&domain, 1, &kCFTypeArrayCallBacks); - CFOptionFlags response = swca_handle_request(swca_add_request_id, clientTaskName, domains); + CFOptionFlags response = swca_handle_request(swca_add_request_id, client, domains); return swca_process_response(response, result); } -bool swca_confirm_copy(CFDictionaryRef attributes, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) +static bool swca_confirm_copy(CFDictionaryRef attributes, Client* client, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) { CFStringRef domain = (CFStringRef) CFDictionaryGetValue(attributes, kSecAttrServer); CFArrayRef domains = CFArrayCreate(kCFAllocatorDefault, (const void **)&domain, 1, &kCFTypeArrayCallBacks); - CFOptionFlags response = swca_handle_request(swca_copy_request_id, clientTaskName, domains); + CFOptionFlags response = swca_handle_request(swca_copy_request_id, client, domains); return swca_process_response(response, result); } -bool swca_confirm_update(CFDictionaryRef attributes, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) +static bool swca_confirm_update(CFDictionaryRef attributes, Client* client, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) { CFStringRef domain = (CFStringRef) CFDictionaryGetValue(attributes, kSecAttrServer); CFArrayRef domains = CFArrayCreate(kCFAllocatorDefault, (const void **)&domain, 1, 
&kCFTypeArrayCallBacks); - CFOptionFlags response = swca_handle_request(swca_update_request_id, clientTaskName, domains); + CFOptionFlags response = swca_handle_request(swca_update_request_id, client, domains); return swca_process_response(response, result); } -bool swca_confirm_delete(CFDictionaryRef attributes, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) +static bool swca_confirm_delete(CFDictionaryRef attributes, Client* client, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) { CFStringRef domain = (CFStringRef) CFDictionaryGetValue(attributes, kSecAttrServer); CFArrayRef domains = CFArrayCreate(kCFAllocatorDefault, (const void **)&domain, 1, &kCFTypeArrayCallBacks); - CFOptionFlags response = swca_handle_request(swca_delete_request_id, clientTaskName, domains); + CFOptionFlags response = swca_handle_request(swca_delete_request_id, client, domains); return swca_process_response(response, result); } -bool swca_select_item(CFArrayRef items, CFStringRef clientTaskName, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) +static bool swca_select_item(CFArrayRef items, Client* client, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) { CFUserNotificationRef notification = NULL; NSMutableDictionary *notification_dictionary = NULL; 
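Review bot: Each of `swca_confirm_add`, `swca_confirm_copy`, `swca_confirm_update` and `swca_confirm_delete` creates `domains` with `CFArrayCreate` and never releases it; unless `swca_handle_request` takes ownership, which its signature does not suggest, every confirmation leaks one array. The same four helpers pass `domain` straight from the client-supplied `attributes`; when `kSecAttrServer` is absent `domain` is NULL and `CFArrayCreate` with `kCFTypeArrayCallBacks` would try to retain NULL and abort. Since the commit already rewrites all four signatures, add `if (!domain) return false;` before the array is built and `CFRelease(domains);` after the `swca_handle_request` call, or fold the four identical bodies into one helper that takes the operation id.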
@@ -545,20 +543,21 @@ entry: default_button_key = @"SWC_ALLOW_USE"; alternate_button_key = @"SWC_CANCEL"; info_message_key = @"SWC_INFO_MESSAGE"; - - notification_dictionary[(__bridge NSString *)kCFUserNotificationAlertHeaderKey] = [NSString stringWithFormat: request_title_format, clientTaskName]; + + notification_dictionary[(__bridge NSString *)kCFUserNotificationAlertHeaderKey] = [NSString stringWithFormat: request_title_format, client.client_name]; notification_dictionary[(__bridge NSString *)kCFUserNotificationAlertMessageKey] = NSLocalizedStringFromTableInBundle(info_message_key, swc_table, security_bundle, nil); notification_dictionary[(__bridge NSString *)kCFUserNotificationDefaultButtonTitleKey] = NSLocalizedStringFromTableInBundle(default_button_key, swc_table, security_bundle, nil); notification_dictionary[(__bridge NSString *)kCFUserNotificationAlternateButtonTitleKey] = NSLocalizedStringFromTableInBundle(alternate_button_key, swc_table, security_bundle, nil); notification_dictionary[(__bridge NSString *)kCFUserNotificationLocalizationURLKey] = [security_bundle bundleURL]; notification_dictionary[(__bridge NSString *)kCFUserNotificationAlertTopMostKey] = [NSNumber numberWithBool:YES]; - + // additional keys for remote view controller notification_dictionary[(__bridge NSString *)SBUserNotificationDismissOnLock] = [NSNumber numberWithBool:YES]; notification_dictionary[(__bridge NSString *)SBUserNotificationDontDismissOnUnlock] = [NSNumber numberWithBool:YES]; notification_dictionary[(__bridge NSString *)SBUserNotificationRemoteServiceBundleIdentifierKey] = @"com.apple.SharedWebCredentialViewService"; notification_dictionary[(__bridge NSString *)SBUserNotificationRemoteViewControllerClassNameKey] = @"SWCViewController"; + notification_dictionary[(__bridge NSString *)SBUserNotificationAllowedApplicationsKey] = client.client; SInt32 err; if (!(notification = CFUserNotificationCreate(NULL, 0, 0, &err, (__bridge CFDictionaryRef)notification_dictionary)) || 
@@ -591,7 +590,7 @@ static void swca_xpc_dictionary_handler(const xpc_connection_t connection, xpc_o xpc_object_t xpcError = NULL; xpc_object_t replyMessage = NULL; SecTaskRef clientTask = NULL; - CFStringRef clientTaskName = NULL; + Client* client = NULL; CFArrayRef accessGroups = NULL; secdebug("swcagent_xpc", "entering"); @@ -634,7 +633,7 @@ static void swca_xpc_dictionary_handler(const xpc_connection_t connection, xpc_o // identify original client clientTask = SecTaskCreateWithAuditToken(kCFAllocatorDefault, auditToken); accessGroups = SecTaskCopyAccessGroups(clientTask); - clientTaskName = SecTaskCopyLocalizedDescription(clientTask); + client = SecTaskCopyClient(clientTask); #if CHECK_ENTITLEMENTS // check for presence of original client's shared credential entitlement hasEntitlement = (clientTask && SecTaskGetBooleanValueForEntitlement(clientTask, kSecEntitlementAssociatedDomains)); @@ -657,7 +656,7 @@ static void swca_xpc_dictionary_handler(const xpc_connection_t connection, xpc_o if (query) { CFTypeRef result = NULL; // confirm that we can add this item - if (swca_confirm_add(query, clientTaskName, accessGroups, &result, &error) && result) { + if (swca_confirm_add(query, client, accessGroups, &result, &error) && result) { SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); CFRelease(result); } @@ -672,7 +671,7 @@ static void swca_xpc_dictionary_handler(const xpc_connection_t connection, xpc_o if (query) { CFTypeRef result = NULL; // confirm that we can copy this item - if (swca_confirm_copy(query, clientTaskName, accessGroups, &result, &error) && result) { + if (swca_confirm_copy(query, client, accessGroups, &result, &error) && result) { SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); CFRelease(result); } 
@@ -687,7 +686,7 @@ static void swca_xpc_dictionary_handler(const xpc_connection_t connection, xpc_o if (query) { CFTypeRef result = NULL; // confirm that we can copy this item - if (swca_confirm_update(query, clientTaskName, accessGroups, &result, &error) && result) { + if (swca_confirm_update(query, client, accessGroups, &result, &error) && result) { SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); CFRelease(result); } @@ -702,7 +701,7 @@ static void swca_xpc_dictionary_handler(const xpc_connection_t connection, xpc_o if (query) { CFTypeRef result = NULL; // confirm that we can copy this item - if (swca_confirm_delete(query, clientTaskName, accessGroups, &result, &error) && result) { + if (swca_confirm_delete(query, client, accessGroups, &result, &error) && result) { SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); CFRelease(result); } @@ -717,7 +716,7 @@ static void swca_xpc_dictionary_handler(const xpc_connection_t connection, xpc_o if (items) { CFTypeRef result = NULL; // select a dictionary from an input array of dictionaries - if (swca_select_item(items, clientTaskName, accessGroups, &result, &error) && result) { + if (swca_select_item(items, client, accessGroups, &result, &error) && result) { SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); CFRelease(result); } @@ -784,7 +783,7 @@ static void swca_xpc_dictionary_handler(const xpc_connection_t connection, xpc_o } CFReleaseSafe(error); CFReleaseSafe(accessGroups); - CFReleaseSafe(clientTaskName); + [client release]; } static void swca_xpc_init() @@ -823,8 +822,7 @@ int main(int argc, char *argv[]) if (wait4debugger && !strcasecmp("YES", wait4debugger)) { seccritical("SIGSTOPing self, awaiting debugger"); kill(getpid(), SIGSTOP); - asl_log(NULL, NULL, ASL_LEVEL_CRIT, - "Again, for good luck (or bad debuggers)"); + seccritical("Again, for good luck (or bad debuggers)"); kill(getpid(), SIGSTOP); } swca_xpc_init(); 
diff --git a/OSX/sec/config/base.xcconfig b/OSX/sec/config/base.xcconfig index 012f1740..8786c5f9 100644 --- a/OSX/sec/config/base.xcconfig +++ b/OSX/sec/config/base.xcconfig @@ -5,7 +5,7 @@ CURRENT_PROJECT_VERSION = $(RC_ProjectSourceVersion) VERSIONING_SYSTEM = apple-generic DEAD_CODE_STRIPPING = YES -ARCHS = $(ARCHS_STANDARD_32_64_BIT) +ARCHS[sdk=macosx*] = $(ARCHS_STANDARD_32_64_BIT) GCC_WARN_CHECK_SWITCH_STATEMENTS = YES GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO // should be YES at some point @@ -47,3 +47,4 @@ STRIP_STYLE = debugging STRIP_INSTALLED_PRODUCT = NO WARNING_CFLAGS = -Wglobal-constructors -Wno-deprecated-declarations $(inherited) +GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0 diff --git a/OSX/sec/config/lib-arc-only.xcconfig b/OSX/sec/config/lib-arc-only.xcconfig index 866fad6a..929e881f 100644 --- a/OSX/sec/config/lib-arc-only.xcconfig +++ b/OSX/sec/config/lib-arc-only.xcconfig @@ -4,6 +4,6 @@ ARCHS[sdk=macosx*] = x86_64 VALID_ARCHS[sdk=macosx*] = x86_64 // TODO: This horrible hack makes #import <Foundation/Foundation.h> work on osx -HEADER_SEARCH_PATHS[sdk=macosx*] = $(PROJECT_DIR)/ProjectHeaders $(PROJECT_DIR)/../utilities $(PROJECT_DIR)/ipc $(PROJECT_DIR)/../libsecurity_asn1 $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../libsecurity_keychain/libDER $(BUILT_PRODUCTS_DIR)$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include $(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers +HEADER_SEARCH_PATHS[sdk=macosx*] = $(PROJECT_DIR)/ProjectHeaders $(PROJECT_DIR)/../utilities $(PROJECT_DIR)/ipc $(PROJECT_DIR)/../libsecurity_asn1 $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../libsecurity_keychain/libDER $(BUILT_PRODUCTS_DIR)/usr/local/include $(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers CLANG_ENABLE_OBJC_ARC = YES diff --git a/OSX/sec/config/lib.xcconfig b/OSX/sec/config/lib.xcconfig index c8edefd2..231bce19 100644 
--- a/OSX/sec/config/lib.xcconfig +++ b/OSX/sec/config/lib.xcconfig @@ -3,13 +3,11 @@ EXECUTABLE_PREFIX = CODE_SIGN_IDENTITY = -INDIGO_INSTALL_PATH_PREFIX[sdk=iphonesimulator*] = $(SDKROOT) - -HEADER_SEARCH_PATHS = $(inherited) $(PROJECT_DIR) $(PROJECT_DIR)/ProjectHeaders $(PROJECT_DIR)/../utilities $(PROJECT_DIR)/ipc $(PROJECT_DIR)/../sectask $(PROJECT_DIR)/../libsecurity_asn1 $(PROJECT_DIR)/../libsecurity_ssl $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../libsecurity_keychain/libDER $(BUILT_PRODUCTS_DIR)$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include +HEADER_SEARCH_PATHS = $(inherited) $(PROJECT_DIR) $(PROJECT_DIR)/ProjectHeaders $(PROJECT_DIR)/../utilities $(PROJECT_DIR)/ipc $(PROJECT_DIR)/../sectask $(PROJECT_DIR)/../libsecurity_asn1 $(PROJECT_DIR)/../libsecurity_ssl $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../libsecurity_keychain/libDER $(BUILT_PRODUCTS_DIR)/usr/local/include HEADER_SEARCH_PATHS[sdk=macosx*] = $(inherited) $(PROJECT_DIR)/../libsecurity_smime $(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers -HEADER_SEARCH_PATHS[sdk=iphone*] = $(inherited) $(PROJECT_DIR)/../../libsecurity_smime $(PROJECT_DIR)/sectask +HEADER_SEARCH_PATHS[sdk=embedded*] = $(inherited) $(PROJECT_DIR)/../../libsecurity_smime $(PROJECT_DIR)/sectask OTHER_CFLAGS = -isystem$(SDKROOT)/System/Library/Frameworks/System.framework/PrivateHeaders -iframework$(SDKROOT)/System/Library/PrivateFrameworks $(inherited) @@ -27,6 +25,4 @@ WARNING_CFLAGS = $(inherited) -Wmost -Wno-four-char-constants -Wno-unknown-pragm GCC_SYMBOLS_PRIVATE_EXTERN = NO -SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator - -GCC_PREPROCESSOR_DEFINITIONS[sdk=iphonesimulator*] = $(inherited) INDIGO=1 +SUPPORTED_PLATFORMS = macosx iphoneos iphonesimulator appletvos appletvsimulator watchos watchsimulator diff --git a/OSX/sec/config/release.xcconfig b/OSX/sec/config/release.xcconfig index 00de196e..ba9ecc81 100644 --- a/OSX/sec/config/release.xcconfig 
+++ b/OSX/sec/config/release.xcconfig @@ -1,4 +1,4 @@ #include "base.xcconfig" GCC_PREPROCESSOR_DEFINITIONS = $(inherited) NDEBUG=1 -GCC_PREPROCESSOR_DEFINITIONS[sdk=iphonesimulator*] = $(inherited) NO_SERVER=1 +GCC_PREPROCESSOR_DEFINITIONS[sdk=embeddedsimulator*] = $(inherited) NO_SERVER=1 diff --git a/OSX/sec/ipc/client.c b/OSX/sec/ipc/client.c index 790d59d7..441dbf60 100644 --- a/OSX/sec/ipc/client.c +++ b/OSX/sec/ipc/client.c @@ -55,12 +55,15 @@ static CFArrayRef SecServerCopyAccessGroups(void) { CFSTR("test"), CFSTR("apple"), CFSTR("lockdown-identities"), + CFSTR("123456.test.group"), + CFSTR("123456.test.group2"), #else CFSTR("sync"), #endif CFSTR("com.apple.security.sos"), CFSTR("com.apple.sbd"), CFSTR("com.apple.lakitu"), + kSecAttrAccessGroupToken, NULL); } @@ -174,19 +177,23 @@ static xpc_connection_t trustd_connection(void) { #endif } -static xpc_connection_t securityd_connection_for_operation(enum SecXPCOperation op) { - bool isTrustOp; +static bool is_trust_operation(enum SecXPCOperation op) { switch (op) { case sec_trust_store_contains_id: case sec_trust_store_set_trust_settings_id: case sec_trust_store_remove_certificate_id: case sec_trust_evaluate_id: - isTrustOp = true; - break; + case sec_trust_store_copy_all_id: + case sec_trust_store_copy_usage_constraints_id: + return true; default: - isTrustOp = false; break; } + return false; +} + +static xpc_connection_t securityd_connection_for_operation(enum SecXPCOperation op) { + bool isTrustOp = is_trust_operation(op); #if SECTRUST_VERBOSE_DEBUG { bool sysCtx = securityd_in_system_context(); 
@@ -228,7 +235,14 @@ securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error) CFIndex code = 0; if (reply == XPC_ERROR_CONNECTION_INTERRUPTED || reply == XPC_ERROR_CONNECTION_INVALID) { code = kSecXPCErrorConnectionFailed; - seccritical("Failed to talk to secd after %d attempts.", max_tries); +#if TARGET_OS_IPHONE + seccritical("Failed to talk to %s after %d attempts.", "securityd", + max_tries); +#else + seccritical("Failed to talk to %s after %d attempts.", + (is_trust_operation((enum SecXPCOperation)operation)) ? "trustd" : "secd", + max_tries); +#endif } else if (reply == XPC_ERROR_TERMINATION_IMMINENT) code = kSecXPCErrorUnknown; else diff --git a/OSX/sec/ipc/com.apple.secd.plist b/OSX/sec/ipc/com.apple.secd.plist index 08504433..8a782acd 100644 --- a/OSX/sec/ipc/com.apple.secd.plist +++ b/OSX/sec/ipc/com.apple.secd.plist @@ -28,7 +28,7 @@ <key>EnvironmentVariables</key> <dict> <key>DEBUGSCOPE</key> - <string>-policy-node,policy-set,policy,alloc,trust,bind,profile,trace,dbconn,OTR,serverxpc,sqlite3,error_thee_well</string> + <string>-policy-node,policy-set,policy,alloc,trust,bind,profile,trace,dbconn,OTR,serverxpc,sqlite3,error_thee_well,ringSigning</string> <key>WAIT4DEBUGGER</key> <string>NO</string> </dict> diff --git a/OSX/sec/ipc/com.apple.securityd.plist b/OSX/sec/ipc/com.apple.securityd.plist index 7c776e9c..a894b471 100644 --- a/OSX/sec/ipc/com.apple.securityd.plist +++ b/OSX/sec/ipc/com.apple.securityd.plist @@ -9,7 +9,7 @@ <key>EnvironmentVariables</key> <dict> <key>DEBUGSCOPE</key> - <string>-policy-node,policy-set,policy,alloc,trust,bind,profile,trace,dbconn,OTR,serverxpc,sqlite3,error_thee_well</string> + <string>-policy-node,policy-set,policy,alloc,trust,bind,profile,trace,dbconn,OTR,serverxpc,sqlite3,error_thee_well, ringSigning</string> <key>WAIT4DEBUGGER</key> <string>NO</string> </dict> 
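Review bot: The new DEBUGSCOPE value in com.apple.securityd.plist has a space after the comma, `error_thee_well, ringSigning`, while the same edit to com.apple.secd.plist earlier on this line appends `,ringSigning` without one. If the scope list is split on commas without trimming, the securityd entry registers a scope named ` ringSigning` and the intended scope never matches; make the two strings identical, `…,error_thee_well,ringSigning`.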
@@ -22,14 +22,10 @@ <key>com.apple.securityd</key> <true/> </dict> - <key>OnDemand</key> - <true/> <key>ProgramArguments</key> <array> <string>/usr/libexec/securityd</string> </array> - <key>ServiceIPC</key> - <true/> <key>Umask</key> <integer>54</integer> <key>UserName</key> diff --git a/OSX/sec/ipc/securityd_client.h b/OSX/sec/ipc/securityd_client.h index e7ad3dab..e853f37c 100644 --- a/OSX/sec/ipc/securityd_client.h +++ b/OSX/sec/ipc/securityd_client.h @@ -88,8 +88,11 @@ extern const char *kSecXPCKeyIncludeV0; extern const char *kSecXPCKeyEnabledViewsKey; extern const char *kSecXPCKeyDisabledViewsKey; extern const char *kSecXPCKeyEscrowLabel; -extern const char *kSecXPCKeyAvailability; +extern const char *kSecXPCKeyTriesLabel; extern const char *kSecXPCKeyFileDescriptor; +extern const char *kSecXPCKeyAccessGroups; +extern const char *kSecXPCKeyClasses; + // // MARK: Dispatch macros // @@ -132,6 +135,7 @@ extern const char *kSecXPCKeyHSA2AutoAcceptInfo; extern const char *kSecXPCKeyEscrowLabel; extern const char *kSecXPCKeyTriesLabel; extern const char *kSecXPCKeyString; +extern const char *kSecXPCKeyArray; extern const char *kSecXPCKeyReason; @@ -184,6 +188,8 @@ enum SecXPCOperation { kSecXPCOpRequestDeviceID, kSecXPCOpSetDeviceID, kSecXPCOpHandleIDSMessage, + kSecXPCOpSyncWithKVSPeer, + kSecXPCOpSyncWithIDSPeer, kSecXPCOpSendIDSMessage, kSecXPCOpPingTest, kSecXPCOpIDSDeviceID, 
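Review bot: The first securityd_client.h hunk replaces `kSecXPCKeyAvailability` with `extern const char *kSecXPCKeyTriesLabel;` at line 91, but `kSecXPCKeyTriesLabel` is already declared in the second hunk's context at line 136, so the header now declares the same key twice (it likewise repeats `kSecXPCKeyEscrowLabel` in both blocks, which predates this change). A duplicate extern is legal C but reads like a rename that landed on the wrong name; either delete the line 91 declaration or restore the key it was meant to become.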
@@ -234,12 +240,24 @@ enum SecXPCOperation { kSecXPCOpDeleteAccountData, kSecXPCOpCopyEngineData, kSecXPCOpDeleteEngineData, + kSecXPCOpCopyApplication, + kSecXPCOpCopyCircleJoiningBlob, + kSecXPCOpJoinWithCircleJoiningBlob, + kSecXPCOpAccountHasPublicKey, + kSecXPCOpAccountIsNew, /* after this is free for all */ kSecXPCOpWhoAmI, kSecXPCOpTransmogrifyToSyncBubble, kSecXPCOpTransmogrifyToSystemKeychain, kSecXPCOpWrapToBackupSliceKeyBagForView, + sec_item_update_token_items_id, kSecXPCOpDeleteUserView, + sec_trust_store_copy_all_id, + sec_trust_store_copy_usage_constraints_id, + sec_delete_items_with_access_groups_id, + kSecXPCOpIsThisDeviceLastBackup, + sec_keychain_backup_keybag_uuid_id, + kSecXPCOpPeersHaveViewsEnabled, }; 
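Review bot: Inserting `kSecXPCOpCopyApplication` through `kSecXPCOpAccountIsNew` ahead of `/* after this is free for all */` renumbers every operation from `kSecXPCOpWhoAmI` onward, and `sec_item_update_token_items_id` is wedged between two `kSecXPCOp*` entries. If, as the name suggests, `SecXPCOperation` values are the integers exchanged between the client library and the daemon, a client and daemon built from different revisions would misinterpret each other's requests, which the "free for all" region presumably exists to avoid. Appending new values at the end of the enum and keeping one naming scheme per section (`kSecXPCOp*` here, `sec_*_id` with the older entries) addresses both points.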
@@ -279,7 +297,7 @@ struct securityd { bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error); bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error); // TODO: remove, has no msg id bool (*sec_item_delete_all)(CFErrorRef* error); - SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error); + SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error); CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error); bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error); CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error); 
@@ -360,6 +378,19 @@ struct securityd { bool (*soscc_DeleteAccountState)(CFErrorRef *error); CFDataRef (*soscc_CopyEngineData)(CFErrorRef *error); bool (*soscc_DeleteEngineState)(CFErrorRef *error); + SOSPeerInfoRef (*soscc_CopyApplicant)(CFErrorRef *error); + CFDataRef (*soscc_CopyCircleJoiningBlob)(SOSPeerInfoRef applicant, CFErrorRef *error); + bool (*soscc_JoinWithCircleJoiningBlob)(CFDataRef joiningBlob, CFErrorRef *error); + bool (*soscc_AccountHasPublicKey)(CFErrorRef *error); + bool (*soscc_AccountIsNew)(CFErrorRef *error); + bool (*sec_item_update_token_items)(CFStringRef tokenID, CFArrayRef query, SecurityClient *client, CFErrorRef* error); + bool (*sec_trust_store_copy_all)(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error); + bool (*sec_trust_store_copy_usage_constraints)(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error); + bool (*sec_delete_items_with_access_groups)(CFArrayRef bundleIDs, SecurityClient *client, CFErrorRef *error); + bool (*soscc_IsThisDeviceLastBackup)(CFErrorRef *error); + bool (*soscc_requestSyncWithPeerOverKVS)(CFStringRef peerID, CFErrorRef *error); + bool (*soscc_requestSyncWithPeerOverIDS)(CFStringRef peerID, CFErrorRef *error); + CFBooleanRef (*soscc_SOSCCPeersHaveViewsEnabled)(CFArrayRef views, CFErrorRef *error); }; extern struct securityd *gSecurityd; diff --git a/OSX/sec/ipc/server.c b/OSX/sec/ipc/server.c index 892542d8..e24cb6db 100644 --- a/OSX/sec/ipc/server.c +++ b/OSX/sec/ipc/server.c @@ -33,6 +33,7 @@ #include <Security/SecItemPriv.h> /* For SecItemDeleteAll */ #include <Security/SecPolicyInternal.h> #include <Security/SecTask.h> +#include <Security/SecTrustInternal.h> #include <Security/SecuritydXPC.h> #include <securityd/OTATrustUtilities.h> #include <securityd/SOSCloudCircleServer.h> @@ -61,6 +62,7 @@ #endif #if !TARGET_OS_IPHONE #include <Security/SecTaskPriv.h> +#include <login/SessionAgentStatusCom.h> #endif #include <asl.h> #include <bsm/libbsm.h> 
@@ -138,24 +140,34 @@ static CFArrayRef SecTaskCopyAccessGroups(SecTaskRef task) {
 CFStringRef appID = SecTaskCopyApplicationIdentifier(task);
 CFIndex kagLen = keychainAccessGroups ? CFArrayGetCount(keychainAccessGroups) : 0;
 CFIndex asagLen = appleSecurityApplicationGroups ? CFArrayGetCount(appleSecurityApplicationGroups) : 0;
+ bool entitlementsValidated = true;
+ bool hasEntitlements = (kagLen + asagLen + (appID ? 1 : 0)) > 0;
 #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
- if ((appID || asagLen) && !SecTaskEntitlementsValidated(task)) {
+ entitlementsValidated = SecTaskEntitlementsValidated(task);
+ if ((appID || asagLen) && !entitlementsValidated) {
 CFReleaseNull(appID);
 asagLen = 0;
 }
 #endif
 CFIndex len = kagLen + asagLen + (appID ? 1 : 0);
- if (len) {
- groups = CFArrayCreateMutable(kCFAllocatorDefault, len, &kCFTypeArrayCallBacks);
+ // Always allow access to com.apple.token access group, unless entitlement validation explicitly failed.
+ CFIndex tokenLen = (!hasEntitlements || entitlementsValidated) ? 1 : 0;
+#if TARGET_OS_IPHONE
+ if (len + tokenLen)
+#endif
+ {
+ groups = CFArrayCreateMutable(kCFAllocatorDefault, len + tokenLen, &kCFTypeArrayCallBacks);
 if (kagLen)
 CFArrayAppendArray(groups, keychainAccessGroups, CFRangeMake(0, kagLen));
 if (appID)
 CFArrayAppendValue(groups, appID);
 if (asagLen)
 CFArrayAppendArray(groups, appleSecurityApplicationGroups, CFRangeMake(0, asagLen));
+ if (tokenLen)
+ CFArrayAppendValue(groups, kSecAttrAccessGroupToken);
 #if TARGET_IPHONE_SIMULATOR
 } else {
- secwarning("No keychain access group specified whilst running in simulator, falling back to default set");
+ secwarning("No keychain access group specified while running in simulator, falling back to default set");
 groups = (CFMutableArrayRef)CFRetainSafe(SecAccessGroupsGetCurrent());
 #endif
 }
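Review bot: `tokenLen` is always 1 on iOS, because `entitlementsValidated` only changes inside the macOS-only `#if`, so `if (len + tokenLen)` is always true and the `#if TARGET_IPHONE_SIMULATOR } else {` fallback to `SecAccessGroupsGetCurrent()` becomes unreachable; a simulator process with no keychain entitlement now receives only `com.apple.token` instead of the default set, which looks unintended for the simulator test path. On macOS the brace block after `#endif` is unconditional, so a task with no entitlements that previously got NULL now gets an empty mutable array; any caller that treats a NULL result as "no keychain entitlements" will behave differently, and that needs confirming. If the simulator fallback is still wanted, keep `if (len)` as the branch condition and append `kSecAttrAccessGroupToken` in both branches rather than folding it into the condition. SecTaskCopyAccessGroups continues in the next hunk.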
@@ -166,13 +178,12 @@ static CFArrayRef SecTaskCopyAccessGroups(SecTaskRef task) { return groups; } +#if TARGET_OS_IPHONE static pthread_key_t taskThreadKey; static void secTaskDiagnoseEntitlements(CFArrayRef accessGroups) { SecTaskRef taskRef = pthread_getspecific(taskThreadKey); - if (taskRef == NULL) { - secerror("MISSING keychain entitlements: no stored taskRef found"); + if (taskRef == NULL) return; - } CFErrorRef error = NULL; CFArrayRef entitlementNames = CFArrayCreateForCFTypes(NULL, 
@@ -181,25 +192,54 @@ static void secTaskDiagnoseEntitlements(CFArrayRef accessGroups) { kSecEntitlementAppleSecurityApplicationGroups, NULL); CFDictionaryRef rawEntitlements = SecTaskCopyValuesForEntitlements(taskRef, entitlementNames, &error); - CFRelease(entitlementNames); - - if (rawEntitlements == NULL) { - secerror("MISSING keychain entitlements: retrieve-entitlements error %@", error); - CFReleaseSafe(error); - __security_simulatecrash(CFSTR("failed to read keychain client entitlement(s)"), __sec_exception_code_MissingEntitlements); - return; + CFReleaseNull(entitlementNames); + + // exclude some error types because they're accounted-for and not the reason we're here + if (rawEntitlements == NULL && error) { + CFErrorDomain domain = CFErrorGetDomain(error); + if (domain && CFEqual(domain, kCFErrorDomainPOSIX)) { + CFNumberRef code = CFErrorGetCode(error); + int errno; + if (code && CFNumberGetValue(code, kCFNumberIntType, &errno)) + switch (errno) { + case ESRCH: // no such process (bad pid or process died) + return; + default: + break; + } + } } - - secerror("MISSING keychain entitlements: raw entitlement values: %@", rawEntitlements); - secerror("MISSING keychain entitlements: original ag: %@", accessGroups); - CFArrayRef newAccessGroups = SecTaskCopyAccessGroups(taskRef); - secerror("MISSING keychain entitlements: newly parsed ag: %@", newAccessGroups); - - __security_simulatecrash(CFSTR("keychain entitlement(s) missing"), __sec_exception_code_MissingEntitlements); - - CFReleaseSafe(newAccessGroups); - CFReleaseSafe(rawEntitlements); + + uint32_t cs_flags = SecTaskGetCodeSignStatus(taskRef); + CFStringRef identifier = SecTaskCopySigningIdentifier(taskRef, NULL); + CFStringRef message = NULL; + + if (rawEntitlements == NULL) { // NULL indicates failure-to-fetch (SecTask entitlements not initialized) + message = CFStringCreateWithFormat(NULL, NULL, CFSTR("failed to fetch keychain client entitlements. 
task=%@ procid=%@ cs_flags=0x%08.8x error=%@"), + taskRef, identifier, cs_flags, error); + secerror("MISSING keychain entitlements: retrieve-entitlements error %@", error); + } else { + // non-NULL entitlement return => SecTaskCopyEntitlements succeeeded, no error + // but note that kernel EINVAL => no entitlements, no error to deal with unsigned code + message = CFStringCreateWithFormat(NULL, NULL, CFSTR("found no keychain client entitlements. task=%@ procid=%@ cs_flags=0x%08.8x"), + taskRef, identifier, cs_flags); + secerror("MISSING keychain entitlements: raw entitlement values: %@", rawEntitlements); + secerror("MISSING keychain entitlements: original ag: %@", accessGroups); + CFArrayRef newAccessGroups = SecTaskCopyAccessGroups(taskRef); + secerror("MISSING keychain entitlements: newly parsed ag: %@", newAccessGroups); + CFReleaseNull(newAccessGroups); + } + char buffer[1000] = "?"; + CFStringGetCString(message, buffer, sizeof(buffer), kCFStringEncodingUTF8); + syslog(LOG_NOTICE, "%s", buffer); + __security_simulatecrash(message, __sec_exception_code_MissingEntitlements); + + CFReleaseNull(rawEntitlements); + CFReleaseNull(message); + CFReleaseNull(identifier); + CFReleaseNull(error); } +#endif static bool SecTaskGetBooleanValueForEntitlement(SecTaskRef task, CFStringRef entitlement) { @@ -253,7 +293,6 @@ static void with_label_and_password_and_dsid(xpc_object_t message, void (^action static void with_label_and_number(xpc_object_t message, void (^action)(CFStringRef label, uint64_t number)) { const char *label_utf8 = xpc_dictionary_get_string(message, kSecXPCKeyViewName); const int64_t number = xpc_dictionary_get_int64(message, kSecXPCKeyViewActionCode); - secnotice("views", "Action Code Raw is %d", (int) number); CFStringRef user_label = CFStringCreateWithCString(kCFAllocatorDefault, label_utf8, kCFStringEncodingUTF8); action(user_label, number); 
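Review bot: `CFErrorGetCode` returns a `CFIndex`, not a `CFNumberRef`, so the new `CFNumberRef code = CFErrorGetCode(error);` stores the raw POSIX code where a pointer is expected and `CFNumberGetValue(code, kCFNumberIntType, &errno)` would dereference it for any non-zero code; the ESRCH early return cannot work as written. The local `int errno;` additionally collides with the `errno` macro if `<errno.h>` is in scope, which I cannot confirm from this hunk. Replace the three lines with `CFIndex code = CFErrorGetCode(error);` followed directly by `switch (code) {`, dropping the `CFNumberGetValue` test and the `errno` local. `secTaskDiagnoseEntitlements` begins in the previous hunk; note also that the `CFStringGetCString` result feeding `syslog` is unchecked, so `buffer` may carry a partial message when the conversion fails.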
@@ -373,6 +412,20 @@ exit: return data_array; } + +static CFDataRef SecXPCDictionaryCopyCFDataRef(xpc_object_t message, const char *key, CFErrorRef *error) { + CFDataRef retval = NULL; + const uint8_t *bytes = NULL; + size_t len = 0; + + bytes = xpc_dictionary_get_data(message, key, &len); + require_action_quiet(bytes, errOut, SOSCreateError(kSOSErrorBadKey, CFSTR("missing CFDataRef info"), NULL, error)); + retval = CFDataCreate(NULL, bytes, len); + require_action_quiet(retval, errOut, SOSCreateError(kSOSErrorBadKey, CFSTR("could not allocate CFDataRef info"), NULL, error)); +errOut: + return retval; +} + static bool SecXPCDictionaryCopyCFDataArrayOptional(xpc_object_t message, const char *key, CFArrayRef *data_array, CFErrorRef *error) { xpc_object_t xpc_data_array = xpc_dictionary_get_value(message, key); if (!xpc_data_array) { 
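Review bot: `SecXPCDictionaryCopyCFDataRef` duplicates the `SecXPCDictionaryCopyData` helper that later hunks in this file already use for `kSecXPCKeyDigest` and `kSecXPCKeyKeybag`, but it reports a missing key through `SOSCreateError` with `kSOSErrorBadKey`, so the error domain a client sees for the same malformed message depends on which helper a case happens to call; it also reuses `kSOSErrorBadKey` for a `CFDataCreate` allocation failure, which is not a bad-key condition. No visible hunk calls it, so as a `static` it will draw an unused-function warning until a caller lands. Either drop it in favour of the existing helper or add a header comment stating the intent, e.g. `// SOS-flavoured variant of SecXPCDictionaryCopyData: a missing or unreadable key is reported as kSOSErrorBadKey.`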
@@ -461,15 +514,39 @@ SecDataWriteFileDescriptor(int fd, CFDataRef data) } +// Returns error if entitlement isn't present. +static bool +EntitlementPresentAndTrue(uint64_t op, SecTaskRef clientTask, CFStringRef entitlement, CFErrorRef *error) +{ + if (!SecTaskGetBooleanValueForEntitlement(clientTask, entitlement)) { + SecError(errSecMissingEntitlement, error, CFSTR("%@: %@ lacks entitlement %@"), SOSCCGetOperationDescription((enum SecXPCOperation)op), clientTask, entitlement); + return false; + } + return true; +} +// Per <rdar://problem/13315020> Disable the entitlement check for "keychain-cloud-circle" +// we disable entitlement enforcement. However, we still log so we know who needs the entitlement static bool -EntitlementMissing(enum SecXPCOperation op, SecTaskRef clientTask, CFStringRef entitlement, CFErrorRef *error) +EntitlementPresentOrWhine(uint64_t op, SecTaskRef clientTask, CFStringRef entitlement, CFErrorRef *error) { - SecError(errSecMissingEntitlement, error, CFSTR("%@: %@ lacks entitlement %@"), SOSCCGetOperationDescription(op), clientTask, entitlement); - return false; + if (!SecTaskGetBooleanValueForEntitlement(clientTask, entitlement)) + secnotice("serverxpc", "%@: %@ lacks entitlement %@", SOSCCGetOperationDescription((enum SecXPCOperation)op), clientTask, entitlement); + + return true; } +static bool +EntitlementAbsentOrFalse(uint64_t op, SecTaskRef clientTask, CFStringRef entitlement, CFErrorRef *error) +{ + if (SecTaskGetBooleanValueForEntitlement(clientTask, entitlement)) { + SecError(errSecNotAvailable, error, CFSTR("%@: %@ has entitlement %@"), SOSCCGetOperationDescription((enum SecXPCOperation) op), clientTask, entitlement); + return false; + } + return true; +} + static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_object_t event) { xpc_type_t type = xpc_get_type(event); __block CFErrorRef error = NULL; 
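Review bot: The new helpers drop the `client.task &&` guard that the removed inline check had, so a NULL `clientTask` (the `SecTaskCreateWithAuditToken` result is not checked in the visible hunks) now goes straight into `SecTaskGetBooleanValueForEntitlement`, whose body lies outside this hunk, so I cannot confirm it tolerates NULL. `EntitlementPresentAndTrue` and `EntitlementAbsentOrFalse` are authorization decisions and should fail closed on an unidentified client, e.g. start `EntitlementPresentAndTrue` with `if (!clientTask) { SecError(errSecMissingEntitlement, error, CFSTR("%@: no client task"), SOSCCGetOperationDescription((enum SecXPCOperation)op)); return false; }` and mirror it in `EntitlementAbsentOrFalse`. `EntitlementPresentOrWhine` never returns false and never writes `error`, which matches the rdar://13315020 comment, but its `error` parameter is dead and the name reads like a check; a line such as `// Always returns true: enforcement is deliberately disabled, only the log line is produced.` would stop callers from treating its result as an access decision.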
@@ -526,13 +603,14 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, uint64_t operation = xpc_dictionary_get_uint64(event, kSecXPCKeyOperation); - bool hasEntitlement; audit_token_t auditToken = {}; xpc_connection_get_audit_token(connection, &auditToken); client.task = SecTaskCreateWithAuditToken(kCFAllocatorDefault, auditToken); clientAuditToken = CFDataCreate(kCFAllocatorDefault, (const UInt8*)&auditToken, sizeof(auditToken)); +#if TARGET_OS_IPHONE pthread_setspecific(taskThreadKey, client.task); +#endif client.accessGroups = SecTaskCopyAccessGroups(client.task); if (operation == sec_add_shared_web_credential_id || operation == sec_copy_shared_web_credential_id) { domains = SecTaskCopySharedWebCredentialDomains(client.task); 
@@ -546,84 +624,81 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, client.allowSyncBubbleKeychain = SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementPrivateKeychainSyncBubble); } #endif - - // TODO: change back to secdebug secinfo("serverxpc", "XPC [%@] operation: %@ (%" PRIu64 ")", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), operation); - if (true) { - // Ensure that we remain dirty for a minimum of two seconds to avoid jetsam loops. - // Refer to rdar://problem/18615626&18616300 for more details. - int64_t minimumDirtyInterval = (int64_t) (2 * NSEC_PER_SEC); - xpc_transaction_begin(); - dispatch_after(dispatch_time(DISPATCH_TIME_NOW, minimumDirtyInterval), dispatch_get_main_queue(), ^{ - xpc_transaction_end(); - }); - } - - // operations before kSecXPCOpTryUserCredentials don't need this entitlement. - hasEntitlement = (operation < kSecXPCOpTryUserCredentials) || - (client.task && SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementKeychainCloudCircle)); - - // Per <rdar://problem/13315020> Disable the entitlement check for "keychain-cloud-circle" - // we disable entitlement enforcement. 
However, we still log so we know who needs the entitlement - - if (!hasEntitlement) { - CFErrorRef entitlementError = NULL; - SecError(errSecMissingEntitlement, &entitlementError, CFSTR("%@: %@ lacks entitlement %@"), SOSCCGetOperationDescription((enum SecXPCOperation)operation), client.task, kSecEntitlementKeychainCloudCircle); - secnotice("serverxpc", "MissingEntitlement: %@", entitlementError); - CFReleaseSafe(entitlementError); - } - if (true) { switch (operation) { +#if !TRUSTD_SERVER case sec_item_add_id: { - CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error); - if (query) { - CFTypeRef result = NULL; - if (_SecItemAdd(query, &client, &result, &error) && result) { - SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); - CFRelease(result); + if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) { + CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error); + if (query) { + CFTypeRef result = NULL; + if (_SecItemAdd(query, &client, &result, &error) && result) { + SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); + CFReleaseNull(result); + } + CFReleaseNull(query); } - CFRelease(query); + break; } - break; } case sec_item_copy_matching_id: { - CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error); - if (query) { - CFTypeRef result = NULL; - if (_SecItemCopyMatching(query, &client, &result, &error) && result) { - SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); - CFRelease(result); + if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) { + CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error); + if (query) { + CFTypeRef result = NULL; + if (_SecItemCopyMatching(query, &client, &result, &error) && result) { + SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); 
+ CFReleaseNull(result); + } + CFReleaseNull(query); } - CFRelease(query); + break; } - break; } case sec_item_update_id: { - CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error); - if (query) { - CFDictionaryRef attributesToUpdate = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyAttributesToUpdate, &error); - if (attributesToUpdate) { - bool result = _SecItemUpdate(query, attributesToUpdate, &client, &error); - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); - CFRelease(attributesToUpdate); + if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) { + CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error); + if (query) { + CFDictionaryRef attributesToUpdate = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyAttributesToUpdate, &error); + if (attributesToUpdate) { + bool result = _SecItemUpdate(query, attributesToUpdate, &client, &error); + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); + CFReleaseNull(attributesToUpdate); + } + CFReleaseNull(query); } - CFRelease(query); } break; } case sec_item_delete_id: { - CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error); - if (query) { - bool result = _SecItemDelete(query, &client, &error); - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); - CFRelease(query); + if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) { + CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error); + if (query) { + bool result = _SecItemDelete(query, &client, &error); + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); + CFReleaseNull(query); + } + } + break; + } + case sec_item_update_token_items_id: + { + if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) { + CFStringRef tokenID = SecXPCDictionaryCopyString(event, 
kSecXPCKeyString, &error); + CFArrayRef attributes = SecXPCDictionaryCopyArray(event, kSecXPCKeyQuery, &error); + if (tokenID) { + bool result = _SecItemUpdateTokenItems(tokenID, attributes, &client, &error); + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); + } + CFReleaseNull(tokenID); + CFReleaseNull(attributes); } break; } @@ -636,14 +711,14 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, bool contains; if (SecTrustStoreContainsCertificateWithDigest(ts, digest, &contains, &error)) xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, contains); - CFRelease(digest); + CFReleaseNull(digest); } } break; } case sec_trust_store_set_trust_settings_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementModifyAnchorCertificates)) { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementModifyAnchorCertificates, &error)) { SecTrustStoreRef ts = SecXPCDictionaryGetTrustStore(event, kSecXPCKeyDomain, &error); if (ts) { SecCertificateRef certificate = SecXPCDictionaryCopyCertificate(event, kSecXPCKeyCertificate, &error); 
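Review bot: In the new `sec_item_add_id` and `sec_item_copy_matching_id` cases the `break;` moved inside the `if (EntitlementAbsentOrFalse(...))` block, so a client that carries `kSecEntitlementKeychainDeny` falls through into the next case label, re-runs the deny check there, and only stops at the `break` in `sec_item_update_id`; the item operations are still refused, but `SecError` is invoked on an already-populated `error` up to three times and the control flow is clearly unintended. Every `EntitlementAbsentOrFalse` call in this hunk also passes the literal `sec_item_add_id` instead of `operation`, so the errSecNotAvailable message names the wrong operation for copy, update, delete and update_token_items. Move the two `break;` statements back outside the `if` and pass `operation` in all five calls, e.g. `if (EntitlementAbsentOrFalse(operation, client.task, kSecEntitlementKeychainDeny, &error)) {`. The `securityd_xpc_dictionary_handler` switch continues past the end of this hunk.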
@@ -654,38 +729,68 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); CFReleaseSafe(trustSettingsDictOrArray); } - CFRelease(certificate); + CFReleaseNull(certificate); } } - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementModifyAnchorCertificates, &error); } break; } case sec_trust_store_remove_certificate_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementModifyAnchorCertificates)) { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementModifyAnchorCertificates, &error)) { SecTrustStoreRef ts = SecXPCDictionaryGetTrustStore(event, kSecXPCKeyDomain, &error); if (ts) { CFDataRef digest = SecXPCDictionaryCopyData(event, kSecXPCKeyDigest, &error); if (digest) { bool result = SecTrustStoreRemoveCertificateWithDigest(ts, digest, &error); xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); - CFRelease(digest); + CFReleaseNull(digest); + } + } + } + break; + } + case sec_trust_store_copy_all_id: + { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementModifyAnchorCertificates, &error)) { + SecTrustStoreRef ts = SecXPCDictionaryGetTrustStore(event, kSecXPCKeyDomain, &error); + if (ts) { + CFArrayRef trustStoreContents = NULL; + if(_SecTrustStoreCopyAll(ts, &trustStoreContents, &error) && trustStoreContents) { + SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, trustStoreContents, &error); + CFReleaseNull(trustStoreContents); + } + } + } + break; + } + case sec_trust_store_copy_usage_constraints_id: + { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementModifyAnchorCertificates, &error)) { + SecTrustStoreRef ts = SecXPCDictionaryGetTrustStore(event, kSecXPCKeyDomain, &error); + if (ts) { + CFDataRef digest = SecXPCDictionaryCopyData(event, kSecXPCKeyDigest, &error); + if (digest) { + CFArrayRef usageConstraints = NULL; + 
if(_SecTrustStoreCopyUsageConstraints(ts, digest, &usageConstraints, &error) && usageConstraints) { + SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, usageConstraints, &error); + CFReleaseNull(usageConstraints); + } + CFReleaseNull(digest); } } - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementModifyAnchorCertificates, &error); } break; } case sec_delete_all_id: xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, _SecItemDeleteAll(&error)); break; +#endif /* !TRUSTD_SERVER */ case sec_trust_evaluate_id: { CFArrayRef certificates = NULL, anchors = NULL, policies = NULL, responses = NULL, scts = NULL, trustedLogs = NULL; bool anchorsOnly = xpc_dictionary_get_bool(event, kSecTrustAnchorsOnlyKey); + bool keychainsAllowed = xpc_dictionary_get_bool(event, kSecTrustKeychainsAllowedKey); double verifyTime; if (SecXPCDictionaryCopyCertificates(event, kSecTrustCertificatesKey, &certificates, &error) && SecXPCDictionaryCopyCertificatesOptional(event, kSecTrustAnchorsKey, &anchors, &error) && @@ -704,7 +809,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, replyMessage = NULL; SecTrustServerEvaluateBlock(clientAuditToken, - certificates, anchors, anchorsOnly, policies, responses, scts, trustedLogs, verifyTime, client.accessGroups, + certificates, anchors, anchorsOnly, keychainsAllowed, policies, responses, scts, trustedLogs, verifyTime, client.accessGroups, ^(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef replyError) { // Send back reply now if (replyError) { 
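Review bot: The two new read operations `sec_trust_store_copy_all_id` and `sec_trust_store_copy_usage_constraints_id` are gated on `kSecEntitlementModifyAnchorCertificates`, the same entitlement that guards the write paths, and nothing says whether reusing the modification entitlement for reads is intended; a later maintainer may read it as an oversight and loosen it. If it is deliberate, say so above the first new case: `// Trust-store reads are intentionally gated on the anchor-modification entitlement.` `sec_delete_all_id` directly below still calls `_SecItemDeleteAll` with no entitlement check at all, which predates this commit but sits in the same hunk and deserves at least a comment explaining why it is open. The `keychainsAllowed` flag added at the end of the hunk is client-supplied and is handed to the trust evaluation in the next hunk.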
@@ -722,7 +827,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_dictionary_set_value(asyncReply, kSecXPCKeyError, xpcReplyError); xpc_release(xpcReplyError); } - CFRelease(replyError); + CFReleaseNull(replyError); } else { secdebug("ipc", "%@ %@ responding %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), asyncReply); } @@ -742,9 +847,10 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, CFReleaseSafe(trustedLogs); break; } +#if !TRUSTD_SERVER case sec_keychain_backup_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { CFDataRef keybag = NULL, passcode = NULL; if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyKeybag, &keybag, &error)) { if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) { @@ -767,14 +873,12 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, } CFReleaseSafe(keybag); } - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error); } break; } case sec_keychain_restore_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { CFDataRef backup = NULL; void *mem = NULL; size_t size = 0; 
@@ -794,15 +898,42 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); CFReleaseSafe(passcode); } - CFRelease(keybag); } - CFRelease(backup); + CFReleaseNull(keybag); + } + CFReleaseNull(backup); + if (fd != -1) + close(fd); + if (mem) { + munmap(mem, size); + } + } + break; + } + case sec_keychain_backup_keybag_uuid_id: + { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { + CFDataRef backup = NULL; + CFStringRef uuid = NULL; + void *mem = NULL; + size_t size = 0; + + int fd = SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, NULL); + if (fd != -1) { + backup = SecDataCopyMmapFileDescriptor(fd, &mem, &size, &error); + if (backup) + uuid = _SecServerBackupCopyUUID(backup, &error); } + if (uuid) + SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, uuid, &error); + + CFReleaseNull(backup); + if (fd != -1) + close(fd); if (mem) { munmap(mem, size); } - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error); + CFReleaseNull(uuid); } break; } @@ -819,8 +950,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, } case sec_keychain_backup_syncable_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) { - + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { CFDictionaryRef oldbackup = NULL; if (SecXPCDictionaryCopyDictionaryOptional(event, kSecXPCKeyBackup, &oldbackup, &error)) { CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error); 
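Review bot: In the new `sec_keychain_backup_keybag_uuid_id` case `SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, NULL)` discards the error, so a request without a usable descriptor yields a reply with neither `kSecXPCKeyResult` nor an error, which the client cannot tell apart from a backup whose UUID could not be derived. Pass the error through like the mmap step already does: `int fd = SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, &error);`. The `close`/`munmap` cleanup order added to the `sec_keychain_restore_id` case above it looks right, but that case's `fd` and `mem` setup is outside this hunk.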
@@ -834,19 +964,16 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, } CFReleaseSafe(passcode); } - CFRelease(keybag); + CFReleaseNull(keybag); } CFReleaseSafe(oldbackup); } - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error); } break; } case sec_keychain_restore_syncable_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) { - + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { CFDictionaryRef backup = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyBackup, &error); if (backup) { CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error); 
@@ -857,29 +984,25 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); CFReleaseSafe(passcode); } - CFRelease(keybag); + CFReleaseNull(keybag); } - CFRelease(backup); + CFReleaseNull(backup); } - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error); } break; } case sec_item_backup_copy_names_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { CFArrayRef names = SecServerItemBackupCopyNames(&error); SecXPCDictionarySetPListOptional(replyMessage, kSecXPCKeyResult, names, &error); CFReleaseSafe(names); - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error); } break; } case sec_item_backup_handoff_fd_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { CFStringRef backupName = SecXPCDictionaryCopyString(event, kSecXPCKeyBackup, &error); int fd = -1; if (backupName) { 
@@ -889,14 +1012,12 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, SecXPCDictionarySetFileDescriptor(replyMessage, kSecXPCKeyResult, fd, &error); if (fd != -1) close(fd); - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error); } break; } case sec_item_backup_set_confirmed_manifest_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { CFDataRef keybagDigest = NULL; if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyKeybag, &keybagDigest, &error)) { CFDataRef manifest = NULL; @@ -909,16 +1030,14 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, } CFReleaseSafe(manifest); } - CFReleaseNull(keybagDigest); } - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error); + CFReleaseNull(keybagDigest); } break; } case sec_item_backup_restore_id: { - if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) { + if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { bool result = false; CFStringRef backupName = SecXPCDictionaryCopyString(event, kSecXPCKeyBackup, &error); if (backupName) { @@ -942,8 +1061,6 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, CFRelease(backupName); } xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); - } else { - EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error); } break; } 
@@ -961,10 +1078,10 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL; if (_SecAddSharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) { SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); - CFRelease(result); + CFReleaseNull(result); } CFReleaseSafe(appID); - CFRelease(query); + CFReleaseNull(query); } break; } @@ -976,10 +1093,10 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL; if (_SecCopySharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) { SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); - CFRelease(result); + CFReleaseNull(result); } CFReleaseSafe(appID); - CFRelease(query); + CFReleaseNull(query); } break; } @@ -1019,7 +1136,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, CFDataRef otrSession = _SecOTRSessionCreateRemote(publicPeerId, &error); if (otrSession) { SecXPCDictionarySetData(replyMessage, kSecXPCKeyResult, otrSession, &error); - CFRelease(otrSession); + CFReleaseNull(otrSession); } CFReleaseSafe(publicPeerId); } @@ -1036,8 +1153,8 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, SecXPCDictionarySetData(replyMessage, kSecXPCOTRSession, outputSessionData, &error); SecXPCDictionarySetData(replyMessage, kSecXPCData, outputPacket, &error); xpc_dictionary_set_bool(replyMessage, kSecXPCOTRReady, readyForMessages); - CFRelease(outputSessionData); - CFRelease(outputPacket); + CFReleaseNull(outputSessionData); + CFReleaseNull(outputPacket); } xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); 
@@ -1048,31 +1165,39 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, break; } case kSecXPCOpTryUserCredentials: - with_label_and_password(event, ^(CFStringRef label, CFDataRef password) { - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, - SOSCCTryUserCredentials_Server(label, password, &error)); - }); + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + with_label_and_password(event, ^(CFStringRef label, CFDataRef password) { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, + SOSCCTryUserCredentials_Server(label, password, &error)); + }); + } break; case kSecXPCOpSetUserCredentials: - with_label_and_password(event, ^(CFStringRef label, CFDataRef password) { - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, - SOSCCSetUserCredentials_Server(label, password, &error)); - }); + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + with_label_and_password(event, ^(CFStringRef label, CFDataRef password) { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, + SOSCCSetUserCredentials_Server(label, password, &error)); + }); + } break; case kSecXPCOpSetUserCredentialsAndDSID: + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { with_label_and_password_and_dsid(event, ^(CFStringRef label, CFDataRef password, CFStringRef dsid) { xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCSetUserCredentialsAndDSID_Server(label, password, dsid, &error)); }); - break; + } + break; case kSecXPCOpView: - with_label_and_number(event, ^(CFStringRef view, uint64_t actionCode) { - xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult, - SOSCCView_Server(view, (SOSViewActionCode)actionCode, &error)); - }); + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + with_label_and_number(event, ^(CFStringRef view, uint64_t 
actionCode) { + xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult, + SOSCCView_Server(view, (SOSViewActionCode)actionCode, &error)); + }); + } break; case kSecXPCOpViewSet: - { + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { CFSetRef enabledViews = SecXPCSetCreateFromXPCDictionaryElement(event, kSecXPCKeyEnabledViewsKey); CFSetRef disabledViews = SecXPCSetCreateFromXPCDictionaryElement(event, kSecXPCKeyDisabledViewsKey); xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCViewSet_Server(enabledViews, disabledViews)); 
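Review bot: In the `kSecXPCOpSetUserCredentialsAndDSID` case the new `if (EntitlementPresentOrWhine(...)) {` line is the only one in this hunk whose wrapped body is left as unchanged context instead of being re-indented, so the `with_label_and_password_and_dsid` call sits at the same column as the `if` and reads as unconditional; re-indent it one level like the neighbouring `kSecXPCOpTryUserCredentials` and `kSecXPCOpSetUserCredentials` cases. Since `EntitlementPresentOrWhine` (added earlier in this diff) always returns true, every one of these wrappers only adds a log line, and a comment before the first SOS case, `// EntitlementPresentOrWhine never fails: keychain-cloud-circle is logged, not enforced (rdar://13315020).`, would keep a reader from assuming the SOS entry points are now entitlement-gated. The switch continues past this hunk.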
@@ -1081,37 +1206,63 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, } break; case kSecXPCOpSecurityProperty: - with_label_and_number(event, ^(CFStringRef property, uint64_t actionCode) { - xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult, - SOSCCSecurityProperty_Server(property, (SOSSecurityPropertyActionCode)actionCode, &error)); - }); + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + with_label_and_number(event, ^(CFStringRef property, uint64_t actionCode) { + xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult, + SOSCCSecurityProperty_Server(property, (SOSSecurityPropertyActionCode)actionCode, &error)); + }); + } break; case kSecXPCOpCanAuthenticate: - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, - SOSCCCanAuthenticate_Server(&error)); + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, + SOSCCCanAuthenticate_Server(&error)); + } break; case kSecXPCOpPurgeUserCredentials: - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, - SOSCCPurgeUserCredentials_Server(&error)); + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, + SOSCCPurgeUserCredentials_Server(&error)); + } break; case kSecXPCOpDeviceInCircle: - xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult, - SOSCCThisDeviceIsInCircle_Server(&error)); + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult, + SOSCCThisDeviceIsInCircle_Server(&error)); + } break; case kSecXPCOpRequestToJoin: - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, - SOSCCRequestToJoinCircle_Server(&error)); + if (EntitlementPresentOrWhine(operation, client.task, 
kSecEntitlementKeychainCloudCircle, &error)) { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, + SOSCCRequestToJoinCircle_Server(&error)); + } + break; + case kSecXPCOpAccountHasPublicKey: + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, + SOSCCAccountHasPublicKey_Server(&error)); + } + break; + case kSecXPCOpAccountIsNew: + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, + SOSCCAccountIsNew_Server(&error)); + } break; case kSecXPCOpRequestToJoinAfterRestore: - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, - SOSCCRequestToJoinCircleAfterRestore_Server(&error)); + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, + SOSCCRequestToJoinCircleAfterRestore_Server(&error)); + } break; case kSecXPCOpRequestEnsureFreshParameters: - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, - SOSCCRequestEnsureFreshParameters_Server(&error)); + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, + SOSCCRequestEnsureFreshParameters_Server(&error)); + } break; case kSecXPCOpGetAllTheRings: - { + if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { CFStringRef ringDescriptions = SOSCCGetAllTheRings_Server(&error); xpc_object_t xpc_dictionary = _CFXPCCreateXPCObjectFromCFObject(ringDescriptions); xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_dictionary); 
@@ -1119,35 +1270,35 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 break;
 case kSecXPCOpApplyToARing:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCApplyToARing_Server(ringName, &error));
 CFReleaseNull(ringName);
 }
 break;
 case kSecXPCOpWithdrawlFromARing:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCWithdrawlFromARing_Server(ringName, &error));
 CFReleaseNull(ringName);
 }
 break;
 case kSecXPCOpRingStatus:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRingStatus_Server(ringName, &error));
 CFReleaseNull(ringName);
 }
 break;
 case kSecXPCOpEnableRing:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCEnableRing_Server(ringName, &error));
 CFReleaseNull(ringName);
 }
 break;
 case kSecXPCOpRequestDeviceID:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef deviceID = SOSCCCopyDeviceID_Server(&error);
 if (deviceID) {
 SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, deviceID, &error);
@@ -1156,14 +1307,14 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 break;
 case kSecXPCOpSetDeviceID:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef IDS = SecXPCDictionaryCopyString(event, kSecXPCKeyDeviceID, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCSetDeviceID_Server(IDS, &error));
 CFReleaseNull(IDS);
 }
 break;
 case kSecXPCOpHandleIDSMessage:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFDictionaryRef IDS = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyIDSMessage, &error);
 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult, SOSCCHandleIDSMessage_Server(IDS, &error));
 CFReleaseNull(IDS);
@@ -1171,41 +1322,63 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 break;
 case kSecXPCOpSendIDSMessage:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef message = SecXPCDictionaryCopyString(event, kSecXPCKeySendIDSMessage, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCIDSServiceRegistrationTest_Server(message, &error));
 CFReleaseNull(message);
 }
 break;
+ case kSecXPCOpSyncWithKVSPeer:
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ CFStringRef peerID = SecXPCDictionaryCopyString(event, kSecXPCKeyDeviceID, &error);
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRequestSyncWithPeerOverKVS(peerID, &error));
+ CFReleaseNull(peerID);
+ }
+ break;
+ case kSecXPCOpSyncWithIDSPeer:
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ CFStringRef deviceID = SecXPCDictionaryCopyString(event, kSecXPCKeyDeviceID, &error);
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRequestSyncWithPeerOverIDS(deviceID, &error));
+ CFReleaseNull(deviceID);
+ }
+ break;
 case kSecXPCOpPingTest:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef message = SecXPCDictionaryCopyString(event, kSecXPCKeySendIDSMessage, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCIDSPingTest_Server(message, &error));
 CFReleaseNull(message);
 }
 break;
 case kSecXPCOpIDSDeviceID:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCIDSDeviceIDIsAvailableTest_Server(&error));
 }
 break;
 case kSecXPCOpAccountSetToNew:
- xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCAccountSetToNew_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCAccountSetToNew_Server(&error));
+ }
 break;
 case kSecXPCOpResetToOffering:
- xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
- SOSCCResetToOffering_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
+ SOSCCResetToOffering_Server(&error));
+ }
 break;
 case kSecXPCOpResetToEmpty:
- xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
- SOSCCResetToEmpty_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
+ SOSCCResetToEmpty_Server(&error));
+ }
 break;
 case kSecXPCOpRemoveThisDeviceFromCircle:
- xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
- SOSCCRemoveThisDeviceFromCircle_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
+ SOSCCRemoveThisDeviceFromCircle_Server(&error));
+ }
 break;
 case kSecXPCOpRemovePeersFromCircle:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFArrayRef applicants = SecXPCDictionaryCopyPeerInfoArray(event, kSecXPCKeyPeerInfos, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
 SOSCCRemovePeersFromCircle_Server(applicants, &error));
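Review bot: The new kSecXPCOpSyncWithKVSPeer and kSecXPCOpSyncWithIDSPeer cases hand the result of `SecXPCDictionaryCopyString` straight to `SOSCCRequestSyncWithPeerOverKVS` / `SOSCCRequestSyncWithPeerOverIDS` without checking it, so a request that omits or mistypes kSecXPCKeyDeviceID reaches the sync code with a NULL peer id. Whether those two callees tolerate NULL is not visible here, and unlike every other case in this switch they do not carry the `_Server` suffix, so it is not even clear from the name that they are the server-side wrappers. Mirroring the `backupSlice && ...` pattern used for kSecXPCOpSetBagForAllSlices later in this function, `xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, peerID && SOSCCRequestSyncWithPeerOverKVS(peerID, &error));` (and the same for `deviceID`) keeps a missing key from turning into a NULL dereference deeper in SOS. The enclosing switch continues outside this hunk.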
@@ -1213,18 +1386,20 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 break;
 case kSecXPCOpLoggedOutOfAccount:
- xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
- SOSCCLoggedOutOfAccount_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
+ SOSCCLoggedOutOfAccount_Server(&error));
+ }
 break;
 case kSecXPCOpBailFromCircle:
- {
- uint64_t limit_in_seconds = xpc_dictionary_get_uint64(event, kSecXPCLimitInMinutes);
- xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
- SOSCCBailFromCircle_Server(limit_in_seconds, &error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ uint64_t limit_in_seconds = xpc_dictionary_get_uint64(event, kSecXPCLimitInMinutes);
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
+ SOSCCBailFromCircle_Server(limit_in_seconds, &error));
 }
 break;
 case kSecXPCOpAcceptApplicants:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 xpc_object_t xapplicants = xpc_dictionary_get_value(event, kSecXPCKeyPeerInfos);
 CFArrayRef applicants = CreateArrayOfPeerInfoWithXPCObject(xapplicants, &error); //(CFArrayRef)(_CFXPCCreateCFObjectFromXPCObject(xapplicants));
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
@@ -1233,7 +1408,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 break;
 case kSecXPCOpRejectApplicants:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 xpc_object_t xapplicants = xpc_dictionary_get_value(event, kSecXPCKeyPeerInfos);
 CFArrayRef applicants = CreateArrayOfPeerInfoWithXPCObject(xapplicants, &error); //(CFArrayRef)(_CFXPCCreateCFObjectFromXPCObject(xapplicants));
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
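Review bot: In the rewritten kSecXPCOpBailFromCircle body, `uint64_t limit_in_seconds = xpc_dictionary_get_uint64(event, kSecXPCLimitInMinutes);` names the value in seconds while the key it is read from says minutes, and the value is forwarded unchanged to `SOSCCBailFromCircle_Server`. Since these lines are being re-emitted by this commit anyway, either rename the local to match the key or add a comment stating which unit the server function actually expects; as written a reader cannot tell whether a conversion was forgotten or the key is simply misnamed. The enclosing switch continues outside the hunk.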
@@ -1243,7 +1418,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 break;
 case kSecXPCOpSetNewPublicBackupKey:
 {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) {
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
 CFDataRef publicBackupKey = SecXPCDictionaryCopyData(event, kSecXPCKeyNewPublicBackupKey, &error);
 SOSPeerInfoRef peerInfo = SOSCCSetNewPublicBackupKey_Server(publicBackupKey, &error);
 CFDataRef peerInfoData = peerInfo ? SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, &error) : NULL;
@@ -1256,61 +1431,69 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 CFReleaseNull(peerInfoData);
 CFReleaseSafe(publicBackupKey);
- } else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error);
 }
 }
 break;
 case kSecXPCOpSetBagForAllSlices:
 {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementRestoreKeychain)) {
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
 CFDataRef backupSlice = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
 bool includeV0 = xpc_dictionary_get_bool(event, kSecXPCKeyIncludeV0);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, backupSlice && SOSCCRegisterSingleRecoverySecret_Server(backupSlice, includeV0, &error));
 CFReleaseSafe(backupSlice);
- } else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementRestoreKeychain, &error);
 }
 }
 break;
 case kSecXPCOpCopyApplicantPeerInfo:
- xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
- SOSCCCopyApplicantPeerInfo_Server(&error),
- &error);
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
+ SOSCCCopyApplicantPeerInfo_Server(&error),
+ &error);
+ }
 break;
 case kSecXPCOpCopyValidPeerPeerInfo:
- xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
- SOSCCCopyValidPeerPeerInfo_Server(&error),
- &error);
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
+ SOSCCCopyValidPeerPeerInfo_Server(&error),
+ &error);
+ }
 break;
 case kSecXPCOpValidateUserPublic:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 bool trusted = SOSCCValidateUserPublic_Server(&error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, trusted);
 }
 break;
 case kSecXPCOpCopyNotValidPeerPeerInfo:
- xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
- SOSCCCopyNotValidPeerPeerInfo_Server(&error),
- &error);
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
+ SOSCCCopyNotValidPeerPeerInfo_Server(&error),
+ &error);
+ }
 break;
 case kSecXPCOpCopyGenerationPeerInfo:
- xpc_dictionary_set_and_consume_CFArray(replyMessage, kSecXPCKeyResult,
- SOSCCCopyGenerationPeerInfo_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_and_consume_CFArray(replyMessage, kSecXPCKeyResult,
+ SOSCCCopyGenerationPeerInfo_Server(&error));
+ }
 break;
 case kSecXPCOpCopyRetirementPeerInfo:
- xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
- SOSCCCopyRetirementPeerInfo_Server(&error),
- &error);
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
+ SOSCCCopyRetirementPeerInfo_Server(&error),
+ &error);
+ }
 break;
 case kSecXPCOpCopyViewUnawarePeerInfo:
- xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
- SOSCCCopyViewUnawarePeerInfo_Server(&error),
- &error);
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
+ SOSCCCopyViewUnawarePeerInfo_Server(&error),
+ &error);
+ }
 break;
 case kSecXPCOpCopyAccountData:
 {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementKeychainCloudCircle)) {
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 xpc_object_t xpc_account_object = NULL;
 CFDataRef accountData = SOSCCCopyAccountState_Server(&error);
 if(accountData)
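Review bot: The refused-entitlement path no longer has any visible error reporting: the `else { EntitlementMissing(...) }` branches of kSecXPCOpSetNewPublicBackupKey and kSecXPCOpSetBagForAllSlices are deleted here (and likewise for kSecXPCOpTransmogrifyToSyncBubble, kSecXPCOpTransmogrifyToSystemKeychain and kSecXPCOpDeleteUserView in the later hunks), so the reply now depends entirely on `EntitlementPresentAndTrue` populating `error`, and that helper's definition is not part of this diff. A short comment next to the first converted case, e.g. `// EntitlementPresentAndTrue reports a missing or false entitlement through error; no else branch needed`, would record the assumption. It would also help to state once which of the two gates applies where, since `EntitlementPresentAndTrue` and `EntitlementPresentOrWhine` are now used side by side with no comment on the difference. The enclosing switch continues outside this hunk.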
@@ -1319,57 +1502,42 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_account_object);
 CFReleaseNull(accountData);
 }
- else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementKeychainCloudCircle, &error);
- }
 break;
 }
 case kSecXPCOpDeleteAccountData:
 {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementKeychainCloudCircle)) {
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 bool status = SOSCCDeleteAccountState_Server(&error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, status);
 }
- else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementKeychainCloudCircle, &error);
- }
- break;
 }
 case kSecXPCOpCopyEngineData:
- {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementKeychainCloudCircle)) {
-
- xpc_object_t xpc_engine_object = NULL;
- CFDataRef engineData = SOSCCCopyEngineData_Server(&error);
- if(engineData)
- xpc_engine_object = _CFXPCCreateXPCObjectFromCFObject(engineData);
-
- xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_engine_object);
- CFReleaseNull(engineData);
-
- }
- else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementKeychainCloudCircle, &error);
+ {
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+
+ xpc_object_t xpc_engine_object = NULL;
+ CFDataRef engineData = SOSCCCopyEngineData_Server(&error);
+ if(engineData)
+ xpc_engine_object = _CFXPCCreateXPCObjectFromCFObject(engineData);
+
+ xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_engine_object);
+ CFReleaseNull(engineData);
+
+ }
+ break;
 }
- break;
- }
 case kSecXPCOpDeleteEngineData:
- {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementKeychainCloudCircle)) {
-
- bool status = SOSCCDeleteEngineState_Server(&error);
- xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, status);
- }
- else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementKeychainCloudCircle, &error);
+ {
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ bool status = SOSCCDeleteEngineState_Server(&error);
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, status);
+ }
+ break;
 }
- break;
- }
 case kSecXPCOpCopyEngineState:
 {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementKeychainCloudCircle)) {
-
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFArrayRef array = SOSCCCopyEngineState_Server(&error);
 if (array) {
 xpc_object_t xpc_array = _CFXPCCreateXPCObjectFromCFObject(array);
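Review bot: The `break;` of kSecXPCOpDeleteAccountData is removed together with its else branch (`- break;` just before the case's closing `}`) and nothing replaces it, so after the account state is deleted control falls through into kSecXPCOpCopyEngineData; a client holding kSecEntitlementKeychainCloudCircle passes that gate as well, `SOSCCCopyEngineData_Server` runs, and kSecXPCKeyResult is overwritten with the engine data (or NULL) instead of the delete status. Add `break;` after the closing `}` of the if, as the hunk already does inside the rewritten kSecXPCOpCopyEngineData and kSecXPCOpDeleteEngineData blocks. Separately, in kSecXPCOpCopyEngineData the `xpc_engine_object` returned by `_CFXPCCreateXPCObjectFromCFObject` is handed to `xpc_dictionary_set_value` but never `xpc_release`d, unlike the kSecXPCOpCopyApplication case added later in this file, so it appears to leak on every call. The switch continues outside the hunk.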
@@ -1378,23 +1546,24 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 CFReleaseNull(array);
 }
- else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementKeychainCloudCircle, &error);
- }
 }
 break;
 case kSecXPCOpCopyPeerPeerInfo:
- xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
- SOSCCCopyPeerPeerInfo_Server(&error),
- &error);
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
+ SOSCCCopyPeerPeerInfo_Server(&error),
+ &error);
+ }
 break;
 case kSecXPCOpCopyConcurringPeerPeerInfo:
- xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
- SOSCCCopyConcurringPeerPeerInfo_Server(&error),
- &error);
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
+ SOSCCCopyConcurringPeerPeerInfo_Server(&error),
+ &error);
+ }
 break;
 case kSecXPCOpCopyMyPeerInfo:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 SOSPeerInfoRef peerInfo = SOSCCCopyMyPeerInfo_Server(&error);
 CFDataRef peerInfoData = peerInfo ? SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, &error) : NULL;
 CFReleaseNull(peerInfo);
@@ -1407,26 +1576,32 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 break;
 case kSecXPCOpGetLastDepartureReason:
- xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
- SOSCCGetLastDepartureReason_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
+ SOSCCGetLastDepartureReason_Server(&error));
+ }
 break;
 case kSecXPCOpSetLastDepartureReason:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 int32_t reason = (int32_t) xpc_dictionary_get_int64(event, kSecXPCKeyReason);
 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult, SOSCCSetLastDepartureReason_Server(reason, &error));
 break;
 }
 case kSecXPCOpProcessSyncWithAllPeers:
- xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
- SOSCCProcessSyncWithAllPeers_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
+ SOSCCProcessSyncWithAllPeers_Server(&error));
+ }
 break;
 case soscc_EnsurePeerRegistration_id:
- xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
- SOSCCProcessEnsurePeerRegistration_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
+ SOSCCProcessEnsurePeerRegistration_Server(&error));
+ }
 break;
 case kSecXPCOpCopyIncompatibilityInfo:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef iis = SOSCCCopyIncompatibilityInfo_Server(&error);
 SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, iis, &error);
 CFReleaseSafe(iis);
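Review bot: In kSecXPCOpSetLastDepartureReason the `break;` stays inside the braces that this hunk turns into the body of `if (EntitlementPresentOrWhine(...))`, so a caller without the entitlement skips the block, finds no `break;` after it and falls through into kSecXPCOpProcessSyncWithAllPeers, soscc_EnsurePeerRegistration_id and kSecXPCOpCopyIncompatibilityInfo, each of which re-runs the gate and presumably overwrites `error` with a fresh refusal. That was harmless when the block was an unconditional `{ ... }`; now the statement needs to sit after the closing brace, i.e. `}` followed by `break;` on its own line, matching every other case in this function. The enclosing switch continues outside the hunk.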
@@ -1456,7 +1631,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 break;
 case kSecXPCOpSetHSA2AutoAcceptInfo:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFDataRef cfbytes = NULL;
 const uint8_t *bytes = NULL;
 size_t len = 0;
@@ -1480,16 +1655,18 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCSetHSA2AutoAcceptInfo_Server(cfbytes, &error));
- CFRelease(cfbytes);
+ CFReleaseNull(cfbytes);
 }
 break;
 case kSecXPCOpWaitForInitialSync:
- xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
- SOSCCWaitForInitialSync_Server(&error));
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
+ SOSCCWaitForInitialSync_Server(&error));
+ }
 break;
 case kSecXPCOpCopyYetToSyncViews:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFArrayRef array = SOSCCCopyYetToSyncViewsList_Server(&error);
 if (array) {
 xpc_object_t xpc_array = _CFXPCCreateXPCObjectFromCFObject(array);
@@ -1500,7 +1677,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 break;
 case kSecXPCOpSetEscrowRecord:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFStringRef escrow_label = SecXPCDictionaryCopyString(event, kSecXPCKeyEscrowLabel, &error);
 uint64_t tries = xpc_dictionary_get_int64(event, kSecXPCKeyTriesLabel);
@@ -1512,7 +1689,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 break;
 case kSecXPCOpGetEscrowRecord:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 CFDictionaryRef record = SOSCCCopyEscrowRecord_Server(&error);
 if (record) {
 xpc_object_t xpc_dictionary = _CFXPCCreateXPCObjectFromCFObject(record);
@@ -1523,10 +1700,30 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 break;
 case kSecXPCOpCheckPeerAvailability:
- {
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCCheckPeerAvailability_Server(&error));
 }
 break;
+
+
+ case kSecXPCOpIsThisDeviceLastBackup:
+ if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCkSecXPCOpIsThisDeviceLastBackup_Server(&error));
+ }
+ break;
+ case kSecXPCOpPeersHaveViewsEnabled:
+ {
+ CFArrayRef viewSet = SecXPCDictionaryCopyArray(event, kSecXPCKeyArray, &error);
+ if (viewSet) {
+ CFBooleanRef result = SOSCCPeersHaveViewsEnabled_Server(viewSet, &error);
+ if (result) {
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result != kCFBooleanFalse);
+ }
+ }
+ CFReleaseNull(viewSet);
+ }
+ break;
+
 case kSecXPCOpWhoAmI:
 {
 if (client.musr)
@@ -1539,7 +1736,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 break;
 case kSecXPCOpTransmogrifyToSyncBubble:
 {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementPrivateKeychainSyncBubble)) {
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateKeychainSyncBubble, &error)) {
 #if TARGET_OS_IOS
 uid_t uid = (uid_t)xpc_dictionary_get_int64(event, "uid");
 CFArrayRef services = SecXPCDictionaryCopyArray(event, "services", &error);
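Review bot: The new kSecXPCOpPeersHaveViewsEnabled case is the only circle operation in this handler with no entitlement check: it opens with a bare `{`, reads a caller-supplied array and calls `SOSCCPeersHaveViewsEnabled_Server` for any XPC client, while the neighbouring kSecXPCOpIsThisDeviceLastBackup and every other SOS case are wrapped in `EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)`. Unless the omission is deliberate, replace the `{` with `if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {`; if it is deliberate, a comment naming which unentitled clients need it would stop the next reader from "fixing" it. Two smaller points in the same hunk: when `result` is NULL no kSecXPCKeyResult is written at all, so the caller cannot distinguish "not enabled" from "failed", and `SOSCCkSecXPCOpIsThisDeviceLastBackup_Server` embeds the XPC op name in the server function name unlike its siblings.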
@@ -1552,15 +1749,12 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 #else
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
 #endif
-
- } else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementPrivateKeychainSyncBubble, &error);
 }
 }
 break;
 case kSecXPCOpTransmogrifyToSystemKeychain:
 {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain)) {
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain, &error)) {
 #if TARGET_OS_IOS
 bool res = _SecServerTransmogrifyToSystemKeychain(&client, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, res);
@@ -1568,14 +1762,12 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
 #endif
- } else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain, &error);
 }
 }
 break;
 case kSecXPCOpDeleteUserView:
 {
- if (SecTaskGetBooleanValueForEntitlement(client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain)) {
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain, &error)) {
 bool res = false;
 #if TARGET_OS_IOS
 uid_t uid = (uid_t)xpc_dictionary_get_int64(event, "uid");
@@ -1585,8 +1777,6 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 #endif
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, res);
- } else {
- EntitlementMissing(((enum SecXPCOperation)operation), client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain, &error);
 }
 }
 break;
@@ -1602,13 +1792,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 bool result = SOSWrapToBackupSliceKeyBagForView_Server(viewname, plaintext, &ciphertext, &bskbEncoded, &error);
 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
- if(error) {
- xpc_dictionary_set_data(replyMessage, kSecXPCData, NULL, 0);
- xpc_dictionary_set_data(replyMessage, kSecXPCKeyKeybag, NULL, 0);
- } else if(!result) {
- xpc_dictionary_set_data(replyMessage, kSecXPCData, NULL, 0);
- xpc_dictionary_set_data(replyMessage, kSecXPCKeyKeybag, NULL, 0);
- } else {
+ if(!error && result) {
 if(ciphertext) {
 xpc_dictionary_set_data(replyMessage, kSecXPCData, CFDataGetBytePtr(ciphertext), CFDataGetLength(ciphertext));
 }
@@ -1616,12 +1800,69 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 xpc_dictionary_set_data(replyMessage, kSecXPCKeyKeybag, CFDataGetBytePtr(bskbEncoded), CFDataGetLength(bskbEncoded));
 }
 }
+ CFReleaseSafe(ciphertext);
+ CFReleaseSafe(bskbEncoded);
 }
 CFReleaseSafe(plaintext);
 }
 CFReleaseNull(viewname);
 }
 break;
+ case kSecXPCOpCopyApplication:
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
+ SOSPeerInfoRef peerInfo = SOSCCCopyApplication_Server(&error);
+ CFDataRef peerInfoData = peerInfo ? SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, &error) : NULL;
+ CFReleaseNull(peerInfo);
+ if (peerInfoData) {
+ xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(peerInfoData);
+ xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
+ xpc_release(xpc_object);
+ }
+ CFReleaseNull(peerInfoData);
+ }
+ break;
+ case kSecXPCOpCopyCircleJoiningBlob:
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
+ CFDataRef appBlob = SecXPCDictionaryCopyCFDataRef(event, kSecXPCData, &error);
+ SOSPeerInfoRef applicant = SOSPeerInfoCreateFromData(kCFAllocatorDefault, &error, appBlob);
+ CFDataRef pbblob = SOSCCCopyCircleJoiningBlob_Server(applicant, &error);
+ if (pbblob) {
+ xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(pbblob);
+ xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
+ xpc_release(xpc_object);
+ }
+ CFReleaseNull(pbblob);
+ CFReleaseNull(applicant);
+ CFReleaseNull(appBlob);
+ }
+ break;
+ case kSecXPCOpJoinWithCircleJoiningBlob:
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
+ CFDataRef joiningBlob = SecXPCDictionaryCopyCFDataRef(event, kSecXPCData, &error);
+
+ bool retval = SOSCCJoinWithCircleJoiningBlob_Server(joiningBlob, &error);
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
+ CFReleaseNull(joiningBlob);
+ }
+ break;
+ case sec_delete_items_with_access_groups_id:
+ {
+ bool retval = false;
+#if TARGET_OS_IPHONE
+ if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateUninstallDeletion, &error)) {
+ CFArrayRef accessGroups = SecXPCDictionaryCopyArray(event, kSecXPCKeyAccessGroups, &error);
+
+ if (accessGroups) {
+ retval = _SecItemServerDeleteAllWithAccessGroups(accessGroups, &client, &error);
+ }
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
+ CFReleaseNull(accessGroups);
+ }
+#endif
+ xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
+ }
+ break;
+#endif /* !TRUSTD_SERVER */
 default:
 break;
 }
@@ -1657,7 +1898,9 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 }
 if (xpcError)
 xpc_release(xpcError);
+#if TARGET_OS_IPHONE
 pthread_setspecific(taskThreadKey, NULL);
+#endif
 CFReleaseSafe(error);
 CFReleaseSafe(client.accessGroups);
 CFReleaseSafe(client.musr);
@@ -1668,8 +1911,10 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 static void securityd_xpc_init(const char *service_name)
 {
+#if TARGET_OS_IPHONE
 pthread_key_create(&taskThreadKey, NULL);
 SecTaskDiagnoseEntitlements = secTaskDiagnoseEntitlements;
+#endif
 secdebug("serverxpc", "start");
 xpc_connection_t listener = xpc_connection_create_mach_service(service_name, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
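Review bot: kSecXPCOpCopyCircleJoiningBlob passes `appBlob` to `SOSPeerInfoCreateFromData` and the resulting `applicant` to `SOSCCCopyCircleJoiningBlob_Server` with no NULL check on either, so a kSecEntitlementCircleJoin client that omits kSecXPCData, or sends bytes that fail to decode, drives both callees with NULL; kSecXPCOpJoinWithCircleJoiningBlob does the same with `joiningBlob`. Guarding the way kSecXPCOpCopyApplication guards `peerInfoData`, e.g. `CFDataRef pbblob = applicant ? SOSCCCopyCircleJoiningBlob_Server(applicant, &error) : NULL;`, keeps a malformed peer-info blob from reaching the circle code and makes the reply carry the decode error instead. In sec_delete_items_with_access_groups_id the line `xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);` runs twice on iOS (inside the `#if TARGET_OS_IPHONE` block and again after `#endif`); the inner one can go. The `+#endif /* !TRUSTD_SERVER */` closes a conditional whose `#if` is outside this hunk.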
@@ -1714,40 +1959,46 @@ static void securityd_soscc_lock_hack() {
 free(event_description);
 });
- secnotice("lockassertion", "notify_register_dispatch(kSOSCCHoldLockForInitialSync)");
- notify_register_dispatch(kSOSCCHoldLockForInitialSync, &soscc_tok, soscc_lock_queue, ^(int token __unused) {
- secnotice("lockassertion", "kSOSCCHoldLockForInitialSync: grabbing the lock");
+ secnotice("lockassertion", "notify_register_dispatch(kSOSCCHoldLockForInitialSync)");
+ notify_register_dispatch(kSOSCCHoldLockForInitialSync, &soscc_tok, soscc_lock_queue, ^(int token __unused) {
+ secnotice("lockassertion", "kSOSCCHoldLockForInitialSync: grabbing the lock");
 CFErrorRef error = NULL;
-
+
 uint64_t one_minute = 60ull;
 if(SecAKSLockUserKeybag(one_minute, &error)){
 // <rdar://problem/22500239> Prevent securityd from quitting while holding a keychain assertion
- xpc_transaction_begin();
+ xpc_transaction_begin();
- dispatch_after(dispatch_time(DISPATCH_TIME_NOW, one_minute*NSEC_PER_SEC), soscc_lock_queue, ^{
+ dispatch_after(dispatch_time(DISPATCH_TIME_NOW, one_minute*NSEC_PER_SEC), soscc_lock_queue, ^{
 CFErrorRef localError = NULL;
 if(!SecAKSUnLockUserKeybag(&localError)) secerror("failed to unlock: %@", localError);
 CFReleaseNull(localError);
 xpc_transaction_end();
- });
+ });
 } else {
 secerror("Failed to take device lock assertion: %@", error);
 }
- CFReleaseSafe(error);
+ CFReleaseNull(error);
 secnotice("lockassertion", "kSOSCCHoldLockForInitialSync => done");
 });
 }
 #endif
+#if TRUSTD_SERVER
+#include <trustd/SecTrustOSXEntryPoints.h>
+static void trustd_init_server(void) {
+ SecTrustLegacySourcesEventRunloopCreate();
+}
+#endif
+
 int main(int argc, char *argv[])
 {
 char *wait4debugger = getenv("WAIT4DEBUGGER");
 if (wait4debugger && !strcasecmp("YES", wait4debugger)) {
 seccritical("SIGSTOPing self, awaiting debugger");
 kill(getpid(), SIGSTOP);
- asl_log(NULL, NULL, ASL_LEVEL_CRIT,
- "Again, for good luck (or bad debuggers)");
+ seccritical("Again, for good luck (or bad debuggers)");
 kill(getpid(), SIGSTOP);
 }
@@ -1763,6 +2014,22 @@ int main(int argc, char *argv[])
 }
 #endif
+/* <rdar://problem/15792007> Users with network home folders are unable to use/save password for Mail/Cal/Contacts/websites
+ Secd doesn't realize DB connections get invalidated when network home directory users logout
+ and their home gets unmounted. Exit secd, start fresh when user logs back in.
+*/
+#if !TARGET_OS_IPHONE
+ int sessionstatechanged_tok;
+ notify_register_dispatch(kSA_SessionStateChangedNotification, &sessionstatechanged_tok, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(int token __unused) {
+ // we could be a process running as root.
+ // However, since root never logs out this isn't an issue.
+ if (SASSessionStateForUser(getuid()) == kSA_state_loggingout_pointofnoreturn) {
+ dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 3ull*NSEC_PER_SEC), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+ xpc_transaction_exit_clean();
+ });
+ }
+ });
+#endif
 const char *serviceName = kSecuritydXPCServiceName;
 #if TRUSTD_SERVER
@@ -1771,10 +2038,15 @@ int main(int argc, char *argv[])
 serviceName = kTrustdAgentXPCServiceName;
 }
 #endif
+ /* setup SQDLite before some other component have a chance to create a database connection */
+ _SecServerDatabaseSetup();
+
 securityd_init_server();
+#if TRUSTD_SERVER
+ trustd_init_server();
+#endif
 securityd_xpc_init(serviceName);
-
 // <rdar://problem/22425706> 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp
 #if TARGET_OS_EMBEDDED
 securityd_soscc_lock_hack();
diff --git a/OSX/sec/os_log/README_os_log_prefs.txt b/OSX/sec/os_log/README_os_log_prefs.txt
new file mode 100644
index 00000000..311a263d
--- /dev/null
+++ b/OSX/sec/os_log/README_os_log_prefs.txt
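Review bot: `#include <trustd/SecTrustOSXEntryPoints.h>` is placed in the middle of the file, inside the new `#if TRUSTD_SERVER` block just ahead of `trustd_init_server`, rather than with the other includes at the top; it compiles, but a conditional include buried before `main` is easy to miss, and any macro the header defines now applies only to the code below it. Consider moving the include into the top-of-file include block under the same `#if TRUSTD_SERVER` guard and leaving only the function here. The remainder of this hunk is re-indentation plus `CFReleaseSafe(error)` becoming `CFReleaseNull(error)` and the asl_log call becoming `seccritical`, which look fine; the securityd_soscc_lock_hack function starts outside the hunk.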
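Review bot: The new comment `/* setup SQDLite before some other component have a chance to create a database connection */` misspells SQLite and is ungrammatical; suggest `/* Set up SQLite before any other component has a chance to open a database connection. */`. It would also help to say why `_SecServerDatabaseSetup()` must precede `securityd_init_server()` (and `trustd_init_server()` on TRUSTD_SERVER builds), since nothing in the hunk shows which of those would otherwise create the first connection and the ordering is the whole point of the change.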
@@ -0,0 +1,5 @@ +This is the os_log preference plist for com.apple.securityd subsystem. The plist is installed by + +iOS - the securityd target build phase +OSX - the OSX subproject - secd target build phase + diff --git a/OSX/sec/os_log/com.apple.securityd.plist b/OSX/sec/os_log/com.apple.securityd.plist new file mode 100644 index 00000000..bc357ec6 --- /dev/null +++ b/OSX/sec/os_log/com.apple.securityd.plist @@ -0,0 +1,35 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>DEFAULT-OPTIONS</key> + <dict> + <key>Default-Privacy-Setting</key> + <string>Public</string> + <key>Enabled</key> + <string>True</string> + <key>Persist</key> + <string>Default</string> + <key>TTL</key> + <string>Default</string> + <key>Development</key> + <dict> + <key>Enabled</key> + <string>True</string> + <key>Persist</key> + <string>Default</string> + <key>TTL</key> + <string>Default</string> + </dict> + <key>Debug</key> + <dict> + <key>Enabled</key> + <string>True</string> + <key>Persist</key> + <string>True</string> + <key>TTL</key> + <string>2d</string> + </dict> + </dict> +</dict> +</plist> diff --git a/OSX/sec/sec.xcodeproj/project.pbxproj b/OSX/sec/sec.xcodeproj/project.pbxproj index 44102c59..98166cd8 100644 --- a/OSX/sec/sec.xcodeproj/project.pbxproj +++ b/OSX/sec/sec.xcodeproj/project.pbxproj 
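Review bot: `Default-Privacy-Setting` is `Public` for the whole com.apple.securityd subsystem, which turns off os_log's default redaction of dynamic arguments (`%@`, `%s`) for a daemon that formats CFError objects into its messages (e.g. `secerror("failed to unlock: %@", localError)` in the securityd hunk above); with the Debug level enabled and persisted for `2d`, whatever those arguments contain lands in the unified log unredacted. Unless every log site in the subsystem has been audited for sensitive arguments, `Private` as the default with explicit `%{public}` annotations at the call sites that need it is the safer choice, or at least an XML comment in the plist recording why Public was chosen.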
@@ -7,11 +7,21 @@ objects = { /* Begin PBXBuildFile section */ + 093F67A41CC1171B0033151D /* SecKeyAdaptors.c in Sources */ = {isa = PBXBuildFile; fileRef = 093F67A21CC1171B0033151D /* SecKeyAdaptors.c */; }; + 093F67A51CC1171B0033151D /* SecKeyAdaptors.c in Sources */ = {isa = PBXBuildFile; fileRef = 093F67A21CC1171B0033151D /* SecKeyAdaptors.c */; }; + 093F67A61CC1171B0033151D /* SecKeyAdaptors.c in Sources */ = {isa = PBXBuildFile; fileRef = 093F67A21CC1171B0033151D /* SecKeyAdaptors.c */; }; + 0982E02C1D19695B0060002E /* si-44-seckey-ec.m in Sources */ = {isa = PBXBuildFile; fileRef = 0982E02B1D19695B0060002E /* si-44-seckey-ec.m */; }; + 09AE116F1CEDA1E4004C617D /* si-44-seckey-ies.m in Sources */ = {isa = PBXBuildFile; fileRef = 09AE116D1CEDA17A004C617D /* si-44-seckey-ies.m */; }; + 09D1FC1F1CDCBABF00A82D0D /* si-44-seckey-gen.m in Sources */ = {isa = PBXBuildFile; fileRef = 09D1FC1D1CDCBA8800A82D0D /* si-44-seckey-gen.m */; }; + 09EC947F1CEDEA70003E5101 /* si-44-seckey-rsa.m in Sources */ = {isa = PBXBuildFile; fileRef = 09EC947E1CEDEA70003E5101 /* si-44-seckey-rsa.m */; }; 0C062B1F175E784B00806CFE /* secd-30-keychain-upgrade.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C062B1C175E784B00806CFE /* secd-30-keychain-upgrade.c */; }; 0C062B20175E784B00806CFE /* secd-31-keychain-bad.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C062B1D175E784B00806CFE /* secd-31-keychain-bad.c */; }; 0C062B21175E784B00806CFE /* secd-31-keychain-unreadable.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C062B1E175E784B00806CFE /* secd-31-keychain-unreadable.c */; }; 0C0BDB611756882A00BC1A7E /* secd_regressions.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C0BDB601756882A00BC1A7E /* secd_regressions.h */; }; 0C0BDB63175688DA00BC1A7E /* secd-01-items.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C0BDB62175688DA00BC1A7E /* secd-01-items.c */; }; + 0C0C887A1CCED00E00617D1B /* shared_regressions.h in Headers */ = {isa = PBXBuildFile; fileRef = 
D40771B21C9B4CE50016AA66 /* shared_regressions.h */; }; + 0C3276C31CB329AB005D6DDC /* secd_77_ids_messaging.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C3276C21CB329AB005D6DDC /* secd_77_ids_messaging.c */; }; + 0C60F39C1CAF0E8E00221D24 /* secd-76-idstransport.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C60F39B1CAF0E8E00221D24 /* secd-76-idstransport.c */; }; 0C664AE8175951270092D3D9 /* secd-02-upgrade-while-locked.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C664AE7175951270092D3D9 /* secd-02-upgrade-while-locked.c */; }; 0CBF93F8177B7CFC001E5658 /* secd-03-corrupted-items.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CBF93F5177B7CFC001E5658 /* secd-03-corrupted-items.c */; }; 0CBF93F9177B7CFC001E5658 /* secd-04-corrupted-items.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CBF93F6177B7CFC001E5658 /* secd-04-corrupted-items.c */; }; 
@@ -59,61 +69,69 @@ 32FBBBE71B556F8900AEF9ED /* verify_cert.c in Sources */ = {isa = PBXBuildFile; fileRef = 32FBBBE61B556F8900AEF9ED /* verify_cert.c */; }; 32FBBBE81B55B30E00AEF9ED /* verify_cert.c in Sources */ = {isa = PBXBuildFile; fileRef = 32FBBBE61B556F8900AEF9ED /* verify_cert.c */; }; 3A70988218CDF648009FD2CC /* si_77_SecAccessControl.c in Sources */ = {isa = PBXBuildFile; fileRef = 3A70988118CDF648009FD2CC /* si_77_SecAccessControl.c */; }; - 43C3B1681AFD588800786702 /* IDS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD6C9BF81A813D52002AB913 /* IDS.framework */; }; 43C3B1691AFD58AB00786702 /* IDS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD6C9BF81A813D52002AB913 /* IDS.framework */; }; 43C3B16A1AFD58AC00786702 /* IDS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD6C9BF81A813D52002AB913 /* IDS.framework */; }; 43C3B16B1AFD58BE00786702 /* IDS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD6C9BF81A813D52002AB913 /* IDS.framework */; }; 4406660F19069C67000DA171 /* si-80-empty-data.c in Sources */ = {isa = PBXBuildFile; fileRef = 4406660E19069707000DA171 /* si-80-empty-data.c */; }; + 440BF8F81A7A82AE001760A7 /* si-82-token-ag.c in Sources */ = {isa = PBXBuildFile; fileRef = 440BF8F41A7A7EC9001760A7 /* si-82-token-ag.c */; }; + 442B69201BC3B149000F3A72 /* SecKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD563C14CB6EB9008233F2 /* SecKey.c */; }; + 442B69211BC3B196000F3A72 /* SecECKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD562C14CB6EB9008233F2 /* SecECKey.c */; }; + 442B69221BC3B1B9000F3A72 /* SecRSAKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD564714CB6EB9008233F2 /* SecRSAKey.c */; }; + 442B69251BC3DBA9000F3A72 /* SecCTKKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 449265271AB0D6FF00644D4C /* SecCTKKey.c */; }; 4469FC2C1AA0A6C90021AA26 /* secd-32-restore-bad-backup.c in Sources */ = {isa = PBXBuildFile; fileRef = 446CEEE319B6043900ECAF50 /* 
secd-32-restore-bad-backup.c */; }; - 4469FC2D1AA0A6D00021AA26 /* secd-33-keychain-ctk.c in Sources */ = {isa = PBXBuildFile; fileRef = 4469FC2A1AA0A69E0021AA26 /* secd-33-keychain-ctk.c */; }; + 4469FC2D1AA0A6D00021AA26 /* secd-33-keychain-ctk.m in Sources */ = {isa = PBXBuildFile; fileRef = 4469FC2A1AA0A69E0021AA26 /* secd-33-keychain-ctk.m */; }; 446BB5E518F83172005D1B83 /* SecAccessControl.c in Sources */ = {isa = PBXBuildFile; fileRef = C6766767189884D200E9A12C /* SecAccessControl.c */; }; 4477A8D918F28AB700B5BB9F /* si-78-query-attrs.c in Sources */ = {isa = PBXBuildFile; fileRef = 4477A8D718F28AAE00B5BB9F /* si-78-query-attrs.c */; }; 448305101B46FB8700326450 /* ios8-inet-keychain-2.h in Headers */ = {isa = PBXBuildFile; fileRef = 4483050F1B46FB8700326450 /* ios8-inet-keychain-2.h */; }; 448305111B46FC0D00326450 /* secd-35-keychain-migrate-inet.c in Sources */ = {isa = PBXBuildFile; fileRef = 4483050D1B46FB6C00326450 /* secd-35-keychain-migrate-inet.c */; }; 449265291AB0D6FF00644D4C /* SecCTKKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 449265271AB0D6FF00644D4C /* SecCTKKey.c */; }; 4492652A1AB0D6FF00644D4C /* SecCTKKeyPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 449265281AB0D6FF00644D4C /* SecCTKKeyPriv.h */; }; - 4802A59616D711060059E5B9 /* SOSUserKeygen.c in Sources */ = {isa = PBXBuildFile; fileRef = 4802A59516D711060059E5B9 /* SOSUserKeygen.c */; }; 4802A59816D7156D0059E5B9 /* SOSUserKeygen.h in Headers */ = {isa = PBXBuildFile; fileRef = 4802A59716D711190059E5B9 /* SOSUserKeygen.h */; settings = {ATTRIBUTES = (); }; }; + 48122CCA1CFF88FF009BE3E3 /* SOSAccountLog.h in Headers */ = {isa = PBXBuildFile; fileRef = 48122CC81CFF88DC009BE3E3 /* SOSAccountLog.h */; }; + 481A95511D1A02AA000B98F5 /* SOSCloudKeychainLogging.c in Sources */ = {isa = PBXBuildFile; fileRef = 481A954F1D1A02AA000B98F5 /* SOSCloudKeychainLogging.c */; }; + 481A95521D1A02AA000B98F5 /* SOSCloudKeychainLogging.h in Headers */ = {isa = PBXBuildFile; fileRef = 
481A95501D1A02AA000B98F5 /* SOSCloudKeychainLogging.h */; }; + 4826374D1CC18A410082C9C8 /* secd-57-1-account-last-standing.c in Sources */ = {isa = PBXBuildFile; fileRef = 4826374C1CC18A410082C9C8 /* secd-57-1-account-last-standing.c */; }; 48279BC51C57FEA20043457C /* keychain_log.c in Sources */ = {isa = PBXBuildFile; fileRef = 48279BC31C57FEA20043457C /* keychain_log.c */; }; + 4838F6BE1CB5AA7C009E8598 /* secViewDisplay.c in Sources */ = {isa = PBXBuildFile; fileRef = 4838F6BB1CB5AA5F009E8598 /* secViewDisplay.c */; }; + 4838F6BF1CB5AA7E009E8598 /* secViewDisplay.c in Sources */ = {isa = PBXBuildFile; fileRef = 4838F6BB1CB5AA5F009E8598 /* secViewDisplay.c */; }; + 4838F6C01CB5B055009E8598 /* secViewDisplay.c in Sources */ = {isa = PBXBuildFile; fileRef = 4838F6BB1CB5AA5F009E8598 /* secViewDisplay.c */; }; + 4838F6C11CB5B061009E8598 /* secToolFileIO.c in Sources */ = {isa = PBXBuildFile; fileRef = 4899F2E71C768BBE00762615 /* secToolFileIO.c */; }; 484182611A30F2F200211511 /* SOSCirclePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 484182601A30F2E300211511 /* SOSCirclePriv.h */; }; 484182641A30F8DE00211511 /* SOSPeerInfoPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 484182631A30F8D300211511 /* SOSPeerInfoPriv.h */; }; 485B5E621AE068D800A3C183 /* secd-82-secproperties-basic.c in Sources */ = {isa = PBXBuildFile; fileRef = 485B5E611AE068D800A3C183 /* secd-82-secproperties-basic.c */; }; + 485FE6BE1CDBED9500C916C5 /* syncbackup.c in Sources */ = {isa = PBXBuildFile; fileRef = 485FE6BC1CDBED5800C916C5 /* syncbackup.c */; }; + 4868F41C1C7409EF0011825E /* SOSInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = E777C71B15B73F59004044A8 /* SOSInternal.h */; }; 486C6C691795F9D600387075 /* secd-61-account-leave-not-in-kansas-anymore.c in Sources */ = {isa = PBXBuildFile; fileRef = 486C6C671795F20E00387075 /* secd-61-account-leave-not-in-kansas-anymore.c */; }; - 48764AE817FA2DD00005C4F1 /* SOSAccountDer.c in Sources */ = {isa = PBXBuildFile; fileRef = 
48764AE717FA2DD00005C4F1 /* SOSAccountDer.c */; }; - 48764AEC17FA31E50005C4F1 /* SOSAccountPersistence.c in Sources */ = {isa = PBXBuildFile; fileRef = 48764AEB17FA31E50005C4F1 /* SOSAccountPersistence.c */; }; - 48764AEF17FA36200005C4F1 /* SOSAccountUpdate.c in Sources */ = {isa = PBXBuildFile; fileRef = 48764AEE17FA36200005C4F1 /* SOSAccountUpdate.c */; }; 48764AF217FA3ACF0005C4F1 /* SOSKVSKeys.c in Sources */ = {isa = PBXBuildFile; fileRef = 48764AF117FA3ACF0005C4F1 /* SOSKVSKeys.c */; }; - 48764AF517FA3FE50005C4F1 /* SOSAccountCircles.c in Sources */ = {isa = PBXBuildFile; fileRef = 48764AF417FA3FE50005C4F1 /* SOSAccountCircles.c */; }; 4878267B19C0F518002CB56F /* sc-42-circlegencount.c in Sources */ = {isa = PBXBuildFile; fileRef = 4878267919C0F505002CB56F /* sc-42-circlegencount.c */; }; 4882C517177521AE0095D04B /* secd-58-password-change.c in Sources */ = {isa = PBXBuildFile; fileRef = 4882C516177521AE0095D04B /* secd-58-password-change.c */; }; 4885010F1AF9857F00F10B61 /* SOSTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = 52F8DE4A1AF2E9AE00A2C271 /* SOSTypes.h */; }; 488902EC16C2F88400F119FF /* SOSCoder.c in Sources */ = {isa = PBXBuildFile; fileRef = 488902EB16C2F88400F119FF /* SOSCoder.c */; }; 4898223A17BDB277003BEF32 /* secd-52-account-changed.c in Sources */ = {isa = PBXBuildFile; fileRef = 4898223917BDB277003BEF32 /* secd-52-account-changed.c */; }; + 4899F2E91C768BBE00762615 /* secToolFileIO.c in Sources */ = {isa = PBXBuildFile; fileRef = 4899F2E71C768BBE00762615 /* secToolFileIO.c */; }; + 4899F2EA1C768BBE00762615 /* secToolFileIO.h in Headers */ = {isa = PBXBuildFile; fileRef = 4899F2E81C768BBE00762615 /* secToolFileIO.h */; }; + 4899F2EC1C7690DE00762615 /* secToolFileIO.c in Sources */ = {isa = PBXBuildFile; fileRef = 4899F2E71C768BBE00762615 /* secToolFileIO.c */; }; 489E6E4C1A71A87600D7EB8C /* SOSCircleDer.c in Sources */ = {isa = PBXBuildFile; fileRef = 489E6E4A1A71A87600D7EB8C /* SOSCircleDer.c */; }; 489E6E4D1A71A87600D7EB8C /* 
SOSCircleDer.h in Headers */ = {isa = PBXBuildFile; fileRef = 489E6E4B1A71A87600D7EB8C /* SOSCircleDer.h */; }; 48A071CF1AD6AEA900728AEF /* SOSPeerInfoSecurityProperties.c in Sources */ = {isa = PBXBuildFile; fileRef = 48A071CD1AD6AEA900728AEF /* SOSPeerInfoSecurityProperties.c */; }; 48A071D01AD6AEA900728AEF /* SOSPeerInfoSecurityProperties.h in Headers */ = {isa = PBXBuildFile; fileRef = 48A071CE1AD6AEA900728AEF /* SOSPeerInfoSecurityProperties.h */; }; 48A0FEDE1B6046E2001D6180 /* secd-64-circlereset.c in Sources */ = {isa = PBXBuildFile; fileRef = 48A0FEDD1B6046E2001D6180 /* secd-64-circlereset.c */; }; + 48A9E62F1C837B4100160B5F /* secd-90-hsa2.c in Sources */ = {isa = PBXBuildFile; fileRef = 48FABEE01AD05C7100C061D1 /* secd-90-hsa2.c */; }; 48B0B36F1B27B01F003E1EDB /* sc-25-soskeygen.c in Sources */ = {isa = PBXBuildFile; fileRef = 48487D271B1D5E960078C7C9 /* sc-25-soskeygen.c */; }; + 48B5888C1D00ED9000E0C5A7 /* secd-200-logstate.c in Sources */ = {isa = PBXBuildFile; fileRef = 48B5888B1D00ED9000E0C5A7 /* secd-200-logstate.c */; }; 48C34E921C45EF3000B7F29B /* secd60-account-cloud-exposure.c in Sources */ = {isa = PBXBuildFile; fileRef = 48C34E911C45EF3000B7F29B /* secd60-account-cloud-exposure.c */; }; - 48C7DF9317FF2DB500904F1A /* SOSAccountCredentials.c in Sources */ = {isa = PBXBuildFile; fileRef = 48C7DF9217FF2DB500904F1A /* SOSAccountCredentials.c */; }; - 48C7DF9617FF351A00904F1A /* SOSAccountPeers.c in Sources */ = {isa = PBXBuildFile; fileRef = 48C7DF9517FF351A00904F1A /* SOSAccountPeers.c */; }; - 48C7DF9817FF360F00904F1A /* SOSAccountFullPeerInfo.c in Sources */ = {isa = PBXBuildFile; fileRef = 48C7DF9717FF360F00904F1A /* SOSAccountFullPeerInfo.c */; }; - 48C7DF9A17FF44EF00904F1A /* SOSAccountCloudParameters.c in Sources */ = {isa = PBXBuildFile; fileRef = 48C7DF9917FF44EF00904F1A /* SOSAccountCloudParameters.c */; }; 48CE733E1731C49A004C2946 /* sc-130-resignationticket.c in Sources */ = {isa = PBXBuildFile; fileRef = 48CE733D1731C49A004C2946 /* 
sc-130-resignationticket.c */; }; 48E928C5179DD05500A7F755 /* secd-51-account-inflate.c in Sources */ = {isa = PBXBuildFile; fileRef = 48E928C4179DD05500A7F755 /* secd-51-account-inflate.c */; }; 48E9CDFC1C597FED00574D6B /* SOSSysdiagnose.c in Sources */ = {isa = PBXBuildFile; fileRef = 48E9CDFB1C597FED00574D6B /* SOSSysdiagnose.c */; }; 48F32D7E1777AFA3001B84BA /* secd-59-account-cleanup.c in Sources */ = {isa = PBXBuildFile; fileRef = 48F32D7D1777AFA3001B84BA /* secd-59-account-cleanup.c */; }; 48F7DF261A6DB32900046644 /* SOSViews.c in Sources */ = {isa = PBXBuildFile; fileRef = 48F7DF241A6DB32900046644 /* SOSViews.c */; }; 48F7DF271A6DB32900046644 /* SOSViews.h in Headers */ = {isa = PBXBuildFile; fileRef = 48F7DF251A6DB32900046644 /* SOSViews.h */; }; - 48FABEDD1AD05C1D00C061D1 /* SOSAccountHSAJoin.c in Sources */ = {isa = PBXBuildFile; fileRef = 48FABEDB1AD05C1D00C061D1 /* SOSAccountHSAJoin.c */; }; 48FABEDE1AD05C1D00C061D1 /* SOSAccountHSAJoin.h in Headers */ = {isa = PBXBuildFile; fileRef = 48FABEDC1AD05C1D00C061D1 /* SOSAccountHSAJoin.h */; }; - 48FABEE21AD05C7100C061D1 /* secd-90-hsa2.c in Sources */ = {isa = PBXBuildFile; fileRef = 48FABEE01AD05C7100C061D1 /* secd-90-hsa2.c */; }; 48FABEE31AD06B6B00C061D1 /* secd-62-account-hsa-join.c in Sources */ = {isa = PBXBuildFile; fileRef = 48FABEDF1AD05C7100C061D1 /* secd-62-account-hsa-join.c */; }; 48FB17021A76F56C00B586C7 /* SOSPeerInfoV2.c in Sources */ = {isa = PBXBuildFile; fileRef = 48FB17001A76F56C00B586C7 /* SOSPeerInfoV2.c */; }; 48FB17031A76F56C00B586C7 /* SOSPeerInfoV2.h in Headers */ = {isa = PBXBuildFile; fileRef = 48FB17011A76F56C00B586C7 /* SOSPeerInfoV2.h */; }; 48FB17061A771E5700B586C7 /* secd-80-views-basic.c in Sources */ = {isa = PBXBuildFile; fileRef = 48FB17041A77181A00B586C7 /* secd-80-views-basic.c */; }; - 48FEA77C1C53000A0020C148 /* secToolFileIO.c in Sources */ = {isa = PBXBuildFile; fileRef = 48FEA7771C52FFE70020C148 /* secToolFileIO.c */; }; + 48FD04F41CEFCFB900BEBBFF /* 
SOSAccountTransaction.h in Headers */ = {isa = PBXBuildFile; fileRef = 48FD04F21CEFCFB900BEBBFF /* SOSAccountTransaction.h */; }; 4A5CCA5415ACEFD400702357 /* SecOTRDHKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 4A971683158FDEB800D439B7 /* SecOTRDHKey.c */; }; 4A5CCA5515ACEFD400702357 /* SecOTRFullIdentity.c in Sources */ = {isa = PBXBuildFile; fileRef = 4A971686158FDEB800D439B7 /* SecOTRFullIdentity.c */; }; 4A5CCA5615ACEFD400702357 /* SecOTRMath.c in Sources */ = {isa = PBXBuildFile; fileRef = 4A971688158FDEB800D439B7 /* SecOTRMath.c */; }; @@ -166,7 +184,6 @@ 4C64F59717C6B3B1009C5AC2 /* sc-45-digestvector.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C64F59617C6B3B1009C5AC2 /* sc-45-digestvector.c */; }; 4C65154B17B5A08900691B6A /* SOSDigestVector.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C8BDDA017B4FE8100C20EA5 /* SOSDigestVector.c */; }; 4C6ED19615CB0E72004379B7 /* sc-30-peerinfo.c in Sources */ = {isa = PBXBuildFile; fileRef = E777C72815B9C9F0004044A8 /* sc-30-peerinfo.c */; }; - 4C8940DB166EA8CF00241770 /* osxshim.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C8940DA166EA8CF00241770 /* osxshim.c */; }; 4C8BDD9B17B4FB8F00C20EA5 /* SOSDataSource.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C8BDD9A17B4FB8F00C20EA5 /* SOSDataSource.h */; }; 4C8BDD9D17B4FD2A00C20EA5 /* SOSManifest.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C8BDD9C17B4FD2A00C20EA5 /* SOSManifest.h */; }; 4C8BDD9F17B4FDE100C20EA5 /* SOSManifest.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C8BDD9E17B4FDE100C20EA5 /* SOSManifest.c */; }; 
@@ -195,26 +212,6 @@ 4CC92A6715A3ABD400C6D578 /* si-10-find-internet.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A1915A3ABD400C6D578 /* si-10-find-internet.c */; }; 4CC92A6815A3ABD400C6D578 /* si-11-update-data.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A1A15A3ABD400C6D578 /* si-11-update-data.c */; }; 4CC92A6915A3ABD400C6D578 /* si-14-dateparse.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A1B15A3ABD400C6D578 /* si-14-dateparse.c */; }; - 4CC92A6A15A3ABD400C6D578 /* si-15-certificate.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A1C15A3ABD400C6D578 /* si-15-certificate.c */; }; - 4CC92A6B15A3ABD400C6D578 /* si-16-ec-certificate.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A1D15A3ABD400C6D578 /* si-16-ec-certificate.c */; }; - 4CC92A6C15A3ABD400C6D578 /* si-20-sectrust-activation.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A1E15A3ABD400C6D578 /* si-20-sectrust-activation.c */; }; - 4CC92A6D15A3ABD400C6D578 /* si-20-sectrust.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A1F15A3ABD400C6D578 /* si-20-sectrust.c */; }; - 4CC92A6E15A3ABD400C6D578 /* si-21-sectrust-asr.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2015A3ABD400C6D578 /* si-21-sectrust-asr.c */; }; - 4CC92A6F15A3ABD400C6D578 /* si-22-sectrust-iap.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2115A3ABD400C6D578 /* si-22-sectrust-iap.c */; }; - 4CC92A7015A3ABD400C6D578 /* si-23-sectrust-ocsp.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2215A3ABD400C6D578 /* si-23-sectrust-ocsp.c */; }; - 4CC92A7115A3ABD400C6D578 /* si-24-sectrust-appleid.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2315A3ABD400C6D578 /* si-24-sectrust-appleid.c */; }; - 4CC92A7215A3ABD400C6D578 /* si-24-sectrust-digicert-malaysia.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2415A3ABD400C6D578 /* si-24-sectrust-digicert-malaysia.c */; }; - 4CC92A7315A3ABD400C6D578 /* si-24-sectrust-diginotar.c in Sources */ = {isa = PBXBuildFile; 
fileRef = 4CC92A2515A3ABD400C6D578 /* si-24-sectrust-diginotar.c */; }; - 4CC92A7415A3ABD400C6D578 /* si-24-sectrust-itms.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2615A3ABD400C6D578 /* si-24-sectrust-itms.c */; }; - 4CC92A7515A3ABD400C6D578 /* si-24-sectrust-mobileasset.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2715A3ABD400C6D578 /* si-24-sectrust-mobileasset.c */; }; - 4CC92A7615A3ABD400C6D578 /* si-24-sectrust-nist.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2815A3ABD400C6D578 /* si-24-sectrust-nist.c */; }; - 4CC92A7715A3ABD400C6D578 /* si-24-sectrust-otatasking.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2915A3ABD400C6D578 /* si-24-sectrust-otatasking.c */; }; - 4CC92A7815A3ABD400C6D578 /* si-24-sectrust-shoebox.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2A15A3ABD400C6D578 /* si-24-sectrust-shoebox.c */; }; - 4CC92A7915A3ABD400C6D578 /* si-25-sectrust-ipsec-eap.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2B15A3ABD400C6D578 /* si-25-sectrust-ipsec-eap.c */; }; - 4CC92A7A15A3ABD400C6D578 /* si-26-applicationsigning.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2C15A3ABD400C6D578 /* si-26-applicationsigning.c */; }; - 4CC92A7B15A3ABD400C6D578 /* si-27-sectrust-exceptions.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2D15A3ABD400C6D578 /* si-27-sectrust-exceptions.c */; }; - 4CC92A7C15A3ABD400C6D578 /* si-28-sectrustsettings.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.c */; }; - 4CC92A7D15A3ABD400C6D578 /* si-29-sectrust-codesigning.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2F15A3ABD400C6D578 /* si-29-sectrust-codesigning.c */; }; 4CC92A7E15A3ABD400C6D578 /* si-30-keychain-upgrade.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A3015A3ABD400C6D578 /* si-30-keychain-upgrade.c */; }; 4CC92A7F15A3ABD400C6D578 /* si-31-keychain-bad.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A3115A3ABD400C6D578 /* 
si-31-keychain-bad.c */; }; 4CC92A8015A3ABD400C6D578 /* si-31-keychain-unreadable.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A3215A3ABD400C6D578 /* si-31-keychain-unreadable.c */; }; 
@@ -242,17 +239,6 @@ 4CC92A9715A3ABD400C6D578 /* si-65-cms-cert-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A4B15A3ABD400C6D578 /* si-65-cms-cert-policy.c */; }; 4CC92A9815A3ABD400C6D578 /* signed-receipt.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A4D15A3ABD400C6D578 /* signed-receipt.h */; }; 4CC92A9915A3ABD400C6D578 /* si-66-smime.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A4E15A3ABD400C6D578 /* si-66-smime.c */; }; - 4CC92A9A15A3ABD400C6D578 /* Global Trustee.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A5015A3ABD400C6D578 /* Global Trustee.cer.h */; }; - 4CC92A9B15A3ABD400C6D578 /* UTN-USERFirst-Hardware.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A5115A3ABD400C6D578 /* UTN-USERFirst-Hardware.cer.h */; }; - 4CC92A9C15A3ABD400C6D578 /* addons.mozilla.org.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A5215A3ABD400C6D578 /* addons.mozilla.org.cer.h */; }; - 4CC92A9D15A3ABD400C6D578 /* login.live.com.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A5315A3ABD400C6D578 /* login.live.com.cer.h */; }; - 4CC92A9E15A3ABD400C6D578 /* login.skype.com.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A5415A3ABD400C6D578 /* login.skype.com.cer.h */; }; - 4CC92A9F15A3ABD400C6D578 /* login.yahoo.com.1.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A5515A3ABD400C6D578 /* login.yahoo.com.1.cer.h */; }; - 4CC92AA015A3ABD400C6D578 /* login.yahoo.com.2.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A5615A3ABD400C6D578 /* login.yahoo.com.2.cer.h */; }; - 4CC92AA115A3ABD400C6D578 /* login.yahoo.com.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A5715A3ABD400C6D578 /* login.yahoo.com.cer.h */; }; - 4CC92AA215A3ABD400C6D578 /* mail.google.com.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC92A5815A3ABD400C6D578 /* mail.google.com.cer.h */; }; - 4CC92AA315A3ABD400C6D578 /* www.google.com.cer.h in Headers */ = {isa = PBXBuildFile; fileRef = 
4CC92A5915A3ABD400C6D578 /* www.google.com.cer.h */; }; - 4CC92AA415A3ABD400C6D578 /* si-67-sectrust-blacklist.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A5A15A3ABD400C6D578 /* si-67-sectrust-blacklist.c */; }; 4CC92AA515A3ABD400C6D578 /* vmdh-40.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A5C15A3ABD400C6D578 /* vmdh-40.c */; }; 4CC92AA615A3ABD400C6D578 /* vmdh-41-example.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A5D15A3ABD400C6D578 /* vmdh-41-example.c */; }; 4CC92AA715A3ABD400C6D578 /* vmdh-42-example2.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A5E15A3ABD400C6D578 /* vmdh-42-example2.c */; }; 
@@ -262,17 +248,13 @@ 4CCD1B021B1E404500F6DF8D /* secd-74-engine-beer-servers.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CCD1B001B1E3EA200F6DF8D /* secd-74-engine-beer-servers.c */; }; 4CD1897D169F835400BC96B8 /* print_cert.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CD1897B169F835400BC96B8 /* print_cert.c */; }; 521C0CD615FF9B3300604B61 /* SOSRegressionUtilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 521C0CD515FF9B3300604B61 /* SOSRegressionUtilities.c */; }; - 521C0CDD15FFA05100604B61 /* CKDKeyValueStore.h in Headers */ = {isa = PBXBuildFile; fileRef = 521C0CD915FFA05000604B61 /* CKDKeyValueStore.h */; }; 521C68601614A6E100E31C3E /* SOSCloudKeychainClient.h in Headers */ = {isa = PBXBuildFile; fileRef = 521C685D1614A6E100E31C3E /* SOSCloudKeychainClient.h */; settings = {ATTRIBUTES = (); }; }; + 5221C4981CBEDB7C006047E7 /* secd-71-engine-save.c in Sources */ = {isa = PBXBuildFile; fileRef = 5221C4971CBEDB7C006047E7 /* secd-71-engine-save.c */; }; + 5221C4C21CC5667E006047E7 /* secd-71-engine-save-sample1.h in Headers */ = {isa = PBXBuildFile; fileRef = 5221C4C11CC5667E006047E7 /* secd-71-engine-save-sample1.h */; }; 523CBBF61B321C6A002C0884 /* secd-50-message.c in Sources */ = {isa = PBXBuildFile; fileRef = 523CBBF41B321C5C002C0884 /* secd-50-message.c */; }; 523CBBF91B3227B5002C0884 /* secd-49-manifests.c in Sources */ = {isa = PBXBuildFile; fileRef = 523CBBF71B3227A2002C0884 /* secd-49-manifests.c */; }; 525394AE1660A30000BA9687 /* SecDbItem.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C4B15931655ED9000734590 /* SecDbItem.c */; }; 527258D11981C00F003CFCEC /* secd-70-engine.c in Sources */ = {isa = PBXBuildFile; fileRef = 527258CF1981C00F003CFCEC /* secd-70-engine.c */; }; - 528402AE164446410035F320 /* CKDKVSProxy.m in Sources */ = {isa = PBXBuildFile; fileRef = 521C0BB015FA5E3F00604B61 /* CKDKVSProxy.m */; }; - 528402AF164446410035F320 /* CKDPersistentState.m in Sources */ = {isa = PBXBuildFile; fileRef = 521C0BB215FA5E3F00604B61 /* 
CKDPersistentState.m */; }; - 528402B1164446410035F320 /* CKDUserInteraction.m in Sources */ = {isa = PBXBuildFile; fileRef = 52840292164050C80035F320 /* CKDUserInteraction.m */; }; - 528402B2164447610035F320 /* SOSCloudKeychainConstants.c in Sources */ = {isa = PBXBuildFile; fileRef = E7217B2515F8131A00D26031 /* SOSCloudKeychainConstants.c */; }; - 5284629B1AE6FCF0004C1BA2 /* SOSBackupEvent.c in Sources */ = {isa = PBXBuildFile; fileRef = 528462991AE6FCF0004C1BA2 /* SOSBackupEvent.c */; }; 5284629C1AE6FCF0004C1BA2 /* SOSBackupEvent.h in Headers */ = {isa = PBXBuildFile; fileRef = 5284629A1AE6FCF0004C1BA2 /* SOSBackupEvent.h */; }; 529F46F31AEC7A2E0002392C /* secd-34-backup-der-parse.c in Sources */ = {isa = PBXBuildFile; fileRef = 529F46F11AEC759E0002392C /* secd-34-backup-der-parse.c */; }; 52BF439C1AFC50EC00821B5D /* SecItemConstants.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD563914CB6EB9008233F2 /* SecItemConstants.c */; }; 
@@ -283,21 +265,19 @@ 52FD82A01AEAC8C100634FD3 /* SecItemBackup.c in Sources */ = {isa = PBXBuildFile; fileRef = 52FD82981AEA9CEF00634FD3 /* SecItemBackup.c */; }; 5356520318E3C71000C383C0 /* SecOTRRemote.c in Sources */ = {isa = PBXBuildFile; fileRef = 5356520218E3C71000C383C0 /* SecOTRRemote.c */; }; 5384299418E492A300E91AFE /* secd-70-otr-remote.c in Sources */ = {isa = PBXBuildFile; fileRef = 5384299318E492A300E91AFE /* secd-70-otr-remote.c */; }; - 5DE4A7BD17441CCD0036339E /* si-71-mobile-store-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = 5DE4A7BC17441CCD0036339E /* si-71-mobile-store-policy.c */; }; + 5E0CE1651CB6347300E75776 /* secd-83-item-match-valid-on-date.m in Sources */ = {isa = PBXBuildFile; fileRef = 5E0CE1641CB6347300E75776 /* secd-83-item-match-valid-on-date.m */; }; + 5E0CE1671CB6348D00E75776 /* secd-83-item-match-trusted.m in Sources */ = {isa = PBXBuildFile; fileRef = 5E0CE1661CB6348D00E75776 /* secd-83-item-match-trusted.m */; }; 5E19C6481AA5F361005964F8 /* secd-81-item-acl-stress.c in Sources */ = {isa = PBXBuildFile; fileRef = 5E19C6471AA5F34E005964F8 /* secd-81-item-acl-stress.c */; }; 5EA016381AD41AC70061BCD7 /* secd-81-item-acl.c in Sources */ = {isa = PBXBuildFile; fileRef = 5EA016361AD41AB20061BCD7 /* secd-81-item-acl.c */; }; + 5EF2596F1CB5214B009B4C58 /* secd-83-item-match-policy.m in Sources */ = {isa = PBXBuildFile; fileRef = 5EF2596E1CB5214B009B4C58 /* secd-83-item-match-policy.m */; }; 7249E1CB16C01E5F003D7268 /* OTATrustUtilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 72E2DC0616BC47C800E7B236 /* OTATrustUtilities.c */; }; - 7255A46C1783333D006A8B9A /* si-74-OTAPKISigner.c in Sources */ = {isa = PBXBuildFile; fileRef = 7255A46B1783333D006A8B9A /* si-74-OTAPKISigner.c */; }; - 7255F91417A973D5004A9F38 /* si-75-AppleIDRecordSigning.c in Sources */ = {isa = PBXBuildFile; fileRef = 7255F91317A973D5004A9F38 /* si-75-AppleIDRecordSigning.c */; }; 72B5923B17C6924000AE738B /* iCloudTrace.h in Headers */ = {isa = 
PBXBuildFile; fileRef = 72B5923A17C6924000AE738B /* iCloudTrace.h */; }; 72B5923D17C6939A00AE738B /* iCloudTrace.c in Sources */ = {isa = PBXBuildFile; fileRef = 72B5923C17C6939A00AE738B /* iCloudTrace.c */; }; - 7DE20930192D29D90066419C /* si-79-smp-cert-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = 7DE2092F192D29D90066419C /* si-79-smp-cert-policy.c */; }; - 858A54681BC6FE62008A03FA /* si-88-sectrust-vpnprofile.c in Sources */ = {isa = PBXBuildFile; fileRef = 858A54641BC6FD3E008A03FA /* si-88-sectrust-vpnprofile.c */; }; - 858A54691BC6FE62008A03FA /* si-88-sectrust-vpnprofile.h in Headers */ = {isa = PBXBuildFile; fileRef = 858A54651BC6FD3E008A03FA /* si-88-sectrust-vpnprofile.h */; }; ACFD56BE19007B2D00F5F5D9 /* ios6_1_keychain_2_db.h in Headers */ = {isa = PBXBuildFile; fileRef = ACFD56BD19007B2D00F5F5D9 /* ios6_1_keychain_2_db.h */; }; BE061FCF1899E5BD00C739F6 /* si-76-shared-credentials.c in Sources */ = {isa = PBXBuildFile; fileRef = BE061FCE1899E5BD00C739F6 /* si-76-shared-credentials.c */; }; - BE0CC6081A96B69000662E69 /* si-83-seccertificate-sighashalg.c in Sources */ = {isa = PBXBuildFile; fileRef = BE0CC6061A96B68400662E69 /* si-83-seccertificate-sighashalg.c */; }; - BE3171931BB3559600BBB212 /* si-20-sectrust.h in Headers */ = {isa = PBXBuildFile; fileRef = BE3171921BB3559600BBB212 /* si-20-sectrust.h */; }; + BE4AC7DE1C938698002A28FE /* SecSignatureVerificationSupport.c in Sources */ = {isa = PBXBuildFile; fileRef = BE4AC7DC1C938698002A28FE /* SecSignatureVerificationSupport.c */; }; + BE4AC7DF1C938698002A28FE /* SecSignatureVerificationSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = BE4AC7DD1C938698002A28FE /* SecSignatureVerificationSupport.h */; }; + BE4AC7E01C9386B9002A28FE /* SecSignatureVerificationSupport.c in Sources */ = {isa = PBXBuildFile; fileRef = BE4AC7DC1C938698002A28FE /* SecSignatureVerificationSupport.c */; }; BE4AC9B518B8022D00B84964 /* swcagent_client.h in Headers */ = {isa = PBXBuildFile; fileRef = 
BEF9640918B418A400813FA3 /* swcagent_client.h */; }; BE4AC9B618B8038400B84964 /* SecuritydXPC.c in Sources */ = {isa = PBXBuildFile; fileRef = E7B01B8816572579000485F1 /* SecuritydXPC.c */; }; BE53FA301B0AC5C300719A63 /* SecKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD563C14CB6EB9008233F2 /* SecKey.c */; }; 
@@ -305,30 +285,22 @@ BE53FA321B0AC65B00719A63 /* SecRSAKey.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD564714CB6EB9008233F2 /* SecRSAKey.c */; }; BE5EC1F018C80108005E7682 /* swcagent_client.c in Sources */ = {isa = PBXBuildFile; fileRef = BEF9640A18B418A400813FA3 /* swcagent_client.c */; }; BE62D7601747FF3E001EAA9D /* si-72-syncableitems.c in Sources */ = {isa = PBXBuildFile; fileRef = BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */; }; - BE62D7621747FF51001EAA9D /* si-70-sectrust-unified.c in Sources */ = {isa = PBXBuildFile; fileRef = BE62D7611747FF51001EAA9D /* si-70-sectrust-unified.c */; }; BE642BB2188F32C200C899A2 /* SecSharedCredential.c in Sources */ = {isa = PBXBuildFile; fileRef = BE642BB1188F32C200C899A2 /* SecSharedCredential.c */; }; - BE794826196DBEAD00F4BA63 /* si-81-sectrust-server-auth.c in Sources */ = {isa = PBXBuildFile; fileRef = BE794825196DBEAD00F4BA63 /* si-81-sectrust-server-auth.c */; }; BE8D228F1ABB7253009A4E18 /* SecCertificate.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD562014CB6EB9008233F2 /* SecCertificate.c */; }; BE8D22901ABB725C009A4E18 /* SecPolicy.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD564214CB6EB9008233F2 /* SecPolicy.c */; }; BE8D22911ABB7264009A4E18 /* SecTrust.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD564C14CB6EB9008233F2 /* SecTrust.c */; }; BE8D22921ABB726A009A4E18 /* SecTrustSettings.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD564F14CB6EB9008233F2 /* SecTrustSettings.c */; }; BE8D22931ABB7272009A4E18 /* SecTrustStore.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD565214CB6EB9008233F2 /* SecTrustStore.c */; }; BE8D22C21ABBA4D0009A4E18 /* SecCertificatePath.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD562314CB6EB9008233F2 /* SecCertificatePath.c */; }; - BECC54E51B98FF0000FB91DC /* si-86-sectrust-eap-tls.c in Sources */ = {isa = PBXBuildFile; fileRef = BECC54E31B98FF0000FB91DC /* si-86-sectrust-eap-tls.c */; }; - BECC54E61B98FF0000FB91DC /* 
si-86-sectrust-eap-tls.h in Headers */ = {isa = PBXBuildFile; fileRef = BECC54E41B98FF0000FB91DC /* si-86-sectrust-eap-tls.h */; }; BEF9640D18B418A400813FA3 /* swcagent_client.c in Sources */ = {isa = PBXBuildFile; fileRef = BEF9640A18B418A400813FA3 /* swcagent_client.c */; }; BEFE994E14F2E17200356A97 /* SecDH.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD562A14CB6EB9008233F2 /* SecDH.c */; }; C6766768189884D200E9A12C /* SecAccessControl.c in Sources */ = {isa = PBXBuildFile; fileRef = C6766767189884D200E9A12C /* SecAccessControl.c */; }; - CD0CB4761A81891300C058A4 /* IDSProxy.h in Sources */ = {isa = PBXBuildFile; fileRef = CD5D34011A80391B00EBF353 /* IDSProxy.h */; }; CD0F8AF218998685003E0C52 /* SOSKVSKeys.h in Headers */ = {isa = PBXBuildFile; fileRef = CD0F8AF118998685003E0C52 /* SOSKVSKeys.h */; }; CD16F89A1AE84842004AE09C /* sc-150-ring.c in Sources */ = {isa = PBXBuildFile; fileRef = CD16F8941AE84822004AE09C /* sc-150-ring.c */; }; CD32776B18F8AEFD006B5280 /* SOSPeerCoder.c in Sources */ = {isa = PBXBuildFile; fileRef = CD32776A18F8AEFD006B5280 /* SOSPeerCoder.c */; }; CD32776D18F8B06E006B5280 /* SOSPeerCoder.h in Headers */ = {isa = PBXBuildFile; fileRef = CD32776C18F8B06E006B5280 /* SOSPeerCoder.h */; }; CD35B82A1C2650FE00E0852A /* secd-154-engine-backoff.c in Sources */ = {isa = PBXBuildFile; fileRef = CD35B8291C2650FE00E0852A /* secd-154-engine-backoff.c */; }; CD3FD10716C3064B00A83BB6 /* SecuritydXPC.c in Sources */ = {isa = PBXBuildFile; fileRef = E7B01B8816572579000485F1 /* SecuritydXPC.c */; }; - CD5D340B1A80391B00EBF353 /* IDSProxy.m in Sources */ = {isa = PBXBuildFile; fileRef = CD5D34021A80391B00EBF353 /* IDSProxy.m */; }; - CD5D340D1A80391B00EBF353 /* idskeychainsyncingproxy.m in Sources */ = {isa = PBXBuildFile; fileRef = CD5D34051A80391B00EBF353 /* idskeychainsyncingproxy.m */; }; - CD63ACDB1A805D3E001B5671 /* SOSCloudKeychainConstants.c in Sources */ = {isa = PBXBuildFile; fileRef = E7217B2515F8131A00D26031 /* 
SOSCloudKeychainConstants.c */; }; CD655E951AF02DDC00BD1B6E /* secd-62-account-backup.c in Sources */ = {isa = PBXBuildFile; fileRef = CD655E911AF02B9900BD1B6E /* secd-62-account-backup.c */; }; CD655E961AF02F1800BD1B6E /* sc-150-backupkeyderivation.c in Sources */ = {isa = PBXBuildFile; fileRef = E7C4F5431AD482E1000B5862 /* sc-150-backupkeyderivation.c */; }; CD773AC61ADDFDDB00C808BA /* SOSTransportBackupPeer.c in Sources */ = {isa = PBXBuildFile; fileRef = CD773AC21ADDF8C700C808BA /* SOSTransportBackupPeer.c */; }; @@ -337,8 +309,8 @@ CD95312B19228D8D005A76B2 /* SOSTransportTestTransports.c in Sources */ = {isa = PBXBuildFile; fileRef = CDAD4E9818EC8424007D4BC2 /* SOSTransportTestTransports.c */; }; CD95312C19228D92005A76B2 /* SOSTransportTestTransports.h in Headers */ = {isa = PBXBuildFile; fileRef = CDAD4E9A18EC8447007D4BC2 /* SOSTransportTestTransports.h */; }; CD95312D19228D96005A76B2 /* SOSAccountTesting.h in Headers */ = {isa = PBXBuildFile; fileRef = E7A10FAA1771245D00C4602F /* SOSAccountTesting.h */; }; + CD9B54131CC6EED100CC487A /* secd-100-initialsync.c in Sources */ = {isa = PBXBuildFile; fileRef = CD9B54111CC6EC4D00CC487A /* secd-100-initialsync.c */; }; CDA0CB55194B95C400EF624D /* IDSFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD558FA8193544F800CFB3B1 /* IDSFoundation.framework */; }; - CDA9828A197F0C3C006A0A9F /* cloudkeychainproxy.m in Sources */ = {isa = PBXBuildFile; fileRef = 521C0BB315FA5E3F00604B61 /* cloudkeychainproxy.m */; }; CDAD4E9C18EC9B3D007D4BC2 /* SOSAccountTesting.h in Headers */ = {isa = PBXBuildFile; fileRef = E7A10FAA1771245D00C4602F /* SOSAccountTesting.h */; }; CDAD4E9D18EC9B67007D4BC2 /* SOSTransportTestTransports.c in Sources */ = {isa = PBXBuildFile; fileRef = CDAD4E9818EC8424007D4BC2 /* SOSTransportTestTransports.c */; }; CDAD4E9E18EC9B6D007D4BC2 /* SOSTransportTestTransports.h in Headers */ = {isa = PBXBuildFile; fileRef = CDAD4E9A18EC8447007D4BC2 /* SOSTransportTestTransports.h */; }; 
@@ -346,7 +318,6 @@ CDB6A8B81A409BC600646CD6 /* otr-60-slowroll.c in Sources */ = {isa = PBXBuildFile; fileRef = CDB6A8B71A409BC600646CD6 /* otr-60-slowroll.c */; }; CDC765C21729A72800721712 /* SecPasswordGenerate.c in Sources */ = {isa = PBXBuildFile; fileRef = CDC765C01729A72800721712 /* SecPasswordGenerate.c */; }; CDC765C41729A72800721712 /* SecPasswordGenerate.h in Headers */ = {isa = PBXBuildFile; fileRef = CDC765C11729A72800721712 /* SecPasswordGenerate.h */; }; - CDD450111ACF13BC00A37449 /* IDSPersistentState.m in Sources */ = {isa = PBXBuildFile; fileRef = CDD450101ACF13BC00A37449 /* IDSPersistentState.m */; }; CDD565A2173193AC00B6B074 /* si-73-secpasswordgenerate.c in Sources */ = {isa = PBXBuildFile; fileRef = CDD565A1173193AC00B6B074 /* si-73-secpasswordgenerate.c */; }; CDDEF81A19465E2E0069763C /* IDSFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD558FA8193544F800CFB3B1 /* IDSFoundation.framework */; }; CDE5F87B1AF025A40074958E /* SOSRingDER.c in Sources */ = {isa = PBXBuildFile; fileRef = CDC0DC321AE83E390020BA6C /* SOSRingDER.c */; }; 
@@ -372,13 +343,8 @@ CDE5F88F1AF025B80074958E /* SOSCircleV2.c in Sources */ = {isa = PBXBuildFile; fileRef = CDC0DC961AE842640020BA6C /* SOSCircleV2.c */; }; CDE5F8901AF025B80074958E /* SOSCircleV2.h in Headers */ = {isa = PBXBuildFile; fileRef = CDC0DC971AE842640020BA6C /* SOSCircleV2.h */; }; CDE5F8911AF025B80074958E /* SOSCircleRings.h in Headers */ = {isa = PBXBuildFile; fileRef = 484182621A30F38E00211511 /* SOSCircleRings.h */; }; - CDE5F89A1AF025BE0074958E /* SOSAccount.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC929AD15A3957800C6D578 /* SOSAccount.c */; }; CDE5F89B1AF025BE0074958E /* SOSAccount.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CC929AE15A3957800C6D578 /* SOSAccount.h */; }; - CDE5F89C1AF025BE0074958E /* SOSAccountBackup.c in Sources */ = {isa = PBXBuildFile; fileRef = E7C4F5451AD75EBE000B5862 /* SOSAccountBackup.c */; }; CDE5F89D1AF025BE0074958E /* SOSAccountPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 48764AEA17FA31670005C4F1 /* SOSAccountPriv.h */; }; - CDE5F89E1AF025BE0074958E /* SOSAccountRings.c in Sources */ = {isa = PBXBuildFile; fileRef = CDC0DC941AE842640020BA6C /* SOSAccountRings.c */; }; - CDE5F89F1AF025BE0074958E /* SOSAccountRingUpdate.c in Sources */ = {isa = PBXBuildFile; fileRef = CDC0DC951AE842640020BA6C /* SOSAccountRingUpdate.c */; }; - CDE5F8A01AF025BE0074958E /* SOSBackupSliceKeyBag.c in Sources */ = {isa = PBXBuildFile; fileRef = E71BAE801ACE1C6500DF0C29 /* SOSBackupSliceKeyBag.c */; }; CDE5F8A11AF025BE0074958E /* SOSBackupSliceKeyBag.h in Headers */ = {isa = PBXBuildFile; fileRef = E71BAE811ACE1C6500DF0C29 /* SOSBackupSliceKeyBag.h */; }; CDE5F8A21AF025D60074958E /* SOSPeerInfoDER.c in Sources */ = {isa = PBXBuildFile; fileRef = E7DBB6081AEAAF3700488C1F /* SOSPeerInfoDER.c */; }; CDE5F8A31AF025D60074958E /* SOSPeerInfoDER.h in Headers */ = {isa = PBXBuildFile; fileRef = E7DBB6091AEAAF3700488C1F /* SOSPeerInfoDER.h */; }; 
@@ -403,19 +369,52 @@ CDE5F8B91AF026470074958E /* SOSTransportMessage.h in Headers */ = {isa = PBXBuildFile; fileRef = CD0F8AF71899BF57003E0C52 /* SOSTransportMessage.h */; }; CDE5F8BA1AF026470074958E /* SOSTransportMessageKVS.c in Sources */ = {isa = PBXBuildFile; fileRef = CD32777618F8B39B006B5280 /* SOSTransportMessageKVS.c */; }; CDE5F8BB1AF026470074958E /* SOSTransportMessageKVS.h in Headers */ = {isa = PBXBuildFile; fileRef = CD32777818F8B3B4006B5280 /* SOSTransportMessageKVS.h */; }; - CDF42C071A884BB10080BB05 /* idksmain.m in Sources */ = {isa = PBXBuildFile; fileRef = CDF42C061A884BB10080BB05 /* idksmain.m */; }; CDF9BBE11B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c in Sources */ = {isa = PBXBuildFile; fileRef = CDF9BBE01B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c */; }; - D40294A91C20A806008CE4B6 /* si-91-sectrust-ast2.c in Sources */ = {isa = PBXBuildFile; fileRef = D40294A71C20A806008CE4B6 /* si-91-sectrust-ast2.c */; }; - D40294AA1C20A806008CE4B6 /* si-91-sectrust-ast2.h in Headers */ = {isa = PBXBuildFile; fileRef = D40294A81C20A806008CE4B6 /* si-91-sectrust-ast2.h */; }; - D41380C91C6E529500F1A4B6 /* si-92-sectrust-homekit.c in Sources */ = {isa = PBXBuildFile; fileRef = D41380C71C6E529500F1A4B6 /* si-92-sectrust-homekit.c */; }; - D41380CA1C6E529500F1A4B6 /* si-92-sectrust-homekit.h in Headers */ = {isa = PBXBuildFile; fileRef = D41380C81C6E529500F1A4B6 /* si-92-sectrust-homekit.h */; }; + D40771BE1C9B50590016AA66 /* si-82-seccertificate-ct.c in Sources */ = {isa = PBXBuildFile; fileRef = D40771AB1C9B4C530016AA66 /* si-82-seccertificate-ct.c */; }; + D40771BF1C9B50590016AA66 /* si-82-sectrust-ct.m in Sources */ = {isa = PBXBuildFile; fileRef = D40771AC1C9B4C530016AA66 /* si-82-sectrust-ct.m */; }; D4273AA61B5D54E70007D67B /* nameconstraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D4273AA21B5D54CA0007D67B /* nameconstraints.c */; }; - D445CDE11B44D53C005040AC /* si-84-sectrust-atv-appsigning.c in Sources */ = {isa = 
PBXBuildFile; fileRef = D445CDDF1B44D372005040AC /* si-84-sectrust-atv-appsigning.c */; }; - D4B4A9A81B8BB9B70097B393 /* si-85-sectrust-ssl-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */; }; + D43CDF731C9C77540020217E /* si-28-sectrustsettings.m in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.m */; }; + D442160A1CCAD9C200D2D455 /* si-22-sectrust-iap.h in Headers */ = {isa = PBXBuildFile; fileRef = D44216091CCAD9C200D2D455 /* si-22-sectrust-iap.h */; }; + D44C81E81CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m in Sources */ = {isa = PBXBuildFile; fileRef = D44C81E71CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m */; }; + D44C81EA1CD1947200BE9A0D /* si-97-sectrust-path-scoring.h in Headers */ = {isa = PBXBuildFile; fileRef = D44C81E91CD1947200BE9A0D /* si-97-sectrust-path-scoring.h */; }; + D45FC3E71C9E084B00509CDA /* SecBase64.c in Sources */ = {isa = PBXBuildFile; fileRef = 18AD561D14CB6EB9008233F2 /* SecBase64.c */; }; + D4653DEB1C9E2299002ED6D5 /* si-28-sectrustsettings.h in Headers */ = {isa = PBXBuildFile; fileRef = D4653DEA1C9E2299002ED6D5 /* si-28-sectrustsettings.h */; }; + D4704F341C76AEB600E15025 /* SecPolicyLeafCallbacks.c in Sources */ = {isa = PBXBuildFile; fileRef = D48C567C1C73E5C300E41928 /* SecPolicyLeafCallbacks.c */; }; + D474EF341C8A1CBC00AA4D86 /* personalization.c in Sources */ = {isa = PBXBuildFile; fileRef = D474EF321C8A1CBB00AA4D86 /* personalization.c */; }; + D474EF351C8A1CBC00AA4D86 /* personalization.h in Headers */ = {isa = PBXBuildFile; fileRef = D474EF331C8A1CBB00AA4D86 /* personalization.h */; }; + D47F511D1C3B660500A7CEFE /* SecCFAllocator.c in Sources */ = {isa = PBXBuildFile; fileRef = D47F511B1C3B660500A7CEFE /* SecCFAllocator.c */; }; + D47F511E1C3B660500A7CEFE /* SecCFAllocator.c in Sources */ = {isa = PBXBuildFile; fileRef = D47F511B1C3B660500A7CEFE /* SecCFAllocator.c */; }; + D47F511F1C3B660500A7CEFE /* 
SecCFAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = D47F511C1C3B660500A7CEFE /* SecCFAllocator.h */; }; + D483DF6A1CD2DF9B00334824 /* si-20-sectrust.h in Headers */ = {isa = PBXBuildFile; fileRef = BE3171921BB3559600BBB212 /* si-20-sectrust.h */; }; + D48C567D1C73E5C300E41928 /* SecPolicyLeafCallbacks.c in Sources */ = {isa = PBXBuildFile; fileRef = D48C567C1C73E5C300E41928 /* SecPolicyLeafCallbacks.c */; }; + D4A919771CA9A3DD003D2ADA /* si-95-cms-basic.c in Sources */ = {isa = PBXBuildFile; fileRef = D4A919751CA9A3DD003D2ADA /* si-95-cms-basic.c */; }; + D4A919781CA9A3DD003D2ADA /* si-95-cms-basic.h in Headers */ = {isa = PBXBuildFile; fileRef = D4A919761CA9A3DD003D2ADA /* si-95-cms-basic.h */; }; D4CBC1481BE9A89E00C5795E /* si-89-cms-hash-agility.c in Sources */ = {isa = PBXBuildFile; fileRef = D4CBC1461BE9A89E00C5795E /* si-89-cms-hash-agility.c */; }; D4CBC1491BE9A89E00C5795E /* si-89-cms-hash-agility.h in Headers */ = {isa = PBXBuildFile; fileRef = D4CBC1471BE9A89E00C5795E /* si-89-cms-hash-agility.h */; }; - D4DFC94A1B9958D00040945C /* si-87-sectrust-name-constraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */; }; - D4DFC94B1B9958D00040945C /* si-87-sectrust-name-constraints.h in Headers */ = {isa = PBXBuildFile; fileRef = D4DFC9491B9958D00040945C /* si-87-sectrust-name-constraints.h */; }; + D4D886C11CEB9FAC00DC7583 /* si-87-sectrust-name-constraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */; }; + D4D886C21CEB9FC600DC7583 /* si-85-sectrust-ssl-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */; }; + D4D886EB1CEBF9C300DC7583 /* si-15-certificate.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A1C15A3ABD400C6D578 /* si-15-certificate.c */; }; + D4D886EC1CEBF9C700DC7583 /* si-16-ec-certificate.c in Sources */ = {isa = PBXBuildFile; fileRef = 
4CC92A1D15A3ABD400C6D578 /* si-16-ec-certificate.c */; }; + D4D886ED1CEC006100DC7583 /* si-20-sectrust.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A1F15A3ABD400C6D578 /* si-20-sectrust.c */; }; + D4D886EE1CEC007000DC7583 /* si-21-sectrust-asr.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2015A3ABD400C6D578 /* si-21-sectrust-asr.c */; }; + D4D886EF1CEC007900DC7583 /* si-22-sectrust-iap.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2115A3ABD400C6D578 /* si-22-sectrust-iap.c */; }; + D4D886F01CEC008600DC7583 /* si-23-sectrust-ocsp.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2215A3ABD400C6D578 /* si-23-sectrust-ocsp.c */; }; + D4D886F11CECE75000DC7583 /* SecTrustInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = BE8D22C11ABB9B6E009A4E18 /* SecTrustInternal.h */; }; + D4D886F41CED027800DC7583 /* si-24-sectrust-itms.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2615A3ABD400C6D578 /* si-24-sectrust-itms.c */; }; + D4D886F51CED027D00DC7583 /* si-24-sectrust-nist.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2815A3ABD400C6D578 /* si-24-sectrust-nist.c */; }; + D4D887531CED0A9100DC7583 /* si-24-sectrust-digicert-malaysia.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2415A3ABD400C6D578 /* si-24-sectrust-digicert-malaysia.c */; }; + D4D887541CED0A9700DC7583 /* si-24-sectrust-diginotar.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2515A3ABD400C6D578 /* si-24-sectrust-diginotar.c */; }; + D4D887551CED0B7D00DC7583 /* si-24-sectrust-passbook.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2A15A3ABD400C6D578 /* si-24-sectrust-passbook.c */; }; + D4D887561CED0B8600DC7583 /* si-26-sectrust-copyproperties.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2C15A3ABD400C6D578 /* si-26-sectrust-copyproperties.c */; }; + D4D887571CED0B9400DC7583 /* si-27-sectrust-exceptions.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A2D15A3ABD400C6D578 /* si-27-sectrust-exceptions.c */; }; + 
D4D887581CED40A000DC7583 /* si-71-mobile-store-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = 5DE4A7BC17441CCD0036339E /* si-71-mobile-store-policy.c */; }; + D4D887591CED40A500DC7583 /* si-70-sectrust-unified.c in Sources */ = {isa = PBXBuildFile; fileRef = BE62D7611747FF51001EAA9D /* si-70-sectrust-unified.c */; }; + D4D8875A1CED40AA00DC7583 /* si-67-sectrust-blacklist.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC92A5A15A3ABD400C6D578 /* si-67-sectrust-blacklist.c */; }; + D4D8875E1CED490700DC7583 /* si-74-OTAPKISigner.c in Sources */ = {isa = PBXBuildFile; fileRef = 7255A46B1783333D006A8B9A /* si-74-OTAPKISigner.c */; }; + D4D8875F1CED491A00DC7583 /* si-83-seccertificate-sighashalg.c in Sources */ = {isa = PBXBuildFile; fileRef = BE0CC6061A96B68400662E69 /* si-83-seccertificate-sighashalg.c */; }; + D4D9BA2E1C7E5F19008785EB /* SecTrustInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = BE8D22C11ABB9B6E009A4E18 /* SecTrustInternal.h */; }; + D4D9BA2F1C7E611C008785EB /* SecServerEncryptionSupport.c in Sources */ = {isa = PBXBuildFile; fileRef = E795C9531913F88D00FA068C /* SecServerEncryptionSupport.c */; }; + D4EC94FF1CEA4A870083E753 /* si-20-sectrust-policies.m in Sources */ = {isa = PBXBuildFile; fileRef = D4EC94D31CEA47D70083E753 /* si-20-sectrust-policies.m */; }; E703811514E1FEEF007CB458 /* SOSCloudCircle.h in Headers */ = {isa = PBXBuildFile; fileRef = E703811114E1FEE4007CB458 /* SOSCloudCircle.h */; }; E71049F3169E023B00DB0045 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 521C0B9815FA5C4A00604B61 /* Foundation.framework */; }; E7104A01169E036E00DB0045 /* SecurityTool.c in Sources */ = {isa = PBXBuildFile; fileRef = E71049FF169E036E00DB0045 /* SecurityTool.c */; }; 
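Review bot: The removed PBXBuildFile entries for `si-91-sectrust-ast2.c`, `si-92-sectrust-homekit.c` and `si-84-sectrust-atv-appsigning.c` in this hunk have no replacement on the new side, whereas `si-85-sectrust-ssl-policy.c` and `si-87-sectrust-name-constraints.c` are re-added under new IDs (`D4D886C2…`, `D4D886C1…`). If those three trust-policy regressions are meant to move to another target or to the shared_regressions tree, that is not visible here; if not, this silently drops build coverage for the AST2, HomeKit and Apple TV app-signing trust policies. The matching `si-91-sectrust-ast2.h` and `si-92-sectrust-homekit.h` Headers entries are removed too, so any remaining reference to them will fail to compile. Please confirm the destination target or restore the entries so the `si-` regression suite keeps building them.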
@@ -423,13 +422,31 @@ E71BAE7F1ACE1AB900DF0C29 /* sc-153-backupslicekeybag.c in Sources */ = {isa = PBXBuildFile; fileRef = E71BAE7E1ACE1AB900DF0C29 /* sc-153-backupslicekeybag.c */; }; E7217B2715F8131A00D26031 /* SOSCloudKeychainConstants.c in Sources */ = {isa = PBXBuildFile; fileRef = E7217B2515F8131A00D26031 /* SOSCloudKeychainConstants.c */; }; E7217B2815F8131A00D26031 /* SOSCloudKeychainConstants.h in Headers */ = {isa = PBXBuildFile; fileRef = E7217B2615F8131A00D26031 /* SOSCloudKeychainConstants.h */; settings = {ATTRIBUTES = (); }; }; - E7285C971AE1E47D00AD412D /* SOSEngine.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C9DC91C15B602910036D941 /* SOSEngine.c */; }; E7285C981AE1E4A800AD412D /* SOSEngine.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9DC91915B602760036D941 /* SOSEngine.h */; }; - E7285CAC1AE1E4DF00AD412D /* SOSChangeTracker.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C31C3CB1A9E5CDA009098D8 /* SOSChangeTracker.c */; }; E7285CAD1AE1E4DF00AD412D /* SOSChangeTracker.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C31C3CC1A9E5CDA009098D8 /* SOSChangeTracker.h */; }; + E738B71A1D11D88C0099E5C5 /* SOSAccount.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CC929AD15A3957800C6D578 /* SOSAccount.c */; }; + E738B71B1D11D88C0099E5C5 /* SOSAccountTransaction.c in Sources */ = {isa = PBXBuildFile; fileRef = 48FD04F11CEFCFB900BEBBFF /* SOSAccountTransaction.c */; }; + E738B71C1D11D88C0099E5C5 /* SOSAccountBackup.c in Sources */ = {isa = PBXBuildFile; fileRef = E7C4F5451AD75EBE000B5862 /* SOSAccountBackup.c */; }; + E738B71D1D11D88C0099E5C5 /* SOSAccountCircles.c in Sources */ = {isa = PBXBuildFile; fileRef = 48764AF417FA3FE50005C4F1 /* SOSAccountCircles.c */; }; + E738B71E1D11D88C0099E5C5 /* SOSAccountHSAJoin.c in Sources */ = {isa = PBXBuildFile; fileRef = 48FABEDB1AD05C1D00C061D1 /* SOSAccountHSAJoin.c */; }; + E738B71F1D11D88C0099E5C5 /* SOSAccountCloudParameters.c in Sources */ = {isa = PBXBuildFile; fileRef = 48C7DF9917FF44EF00904F1A 
/* SOSAccountCloudParameters.c */; }; + E738B7201D11D88C0099E5C5 /* SOSAccountCredentials.c in Sources */ = {isa = PBXBuildFile; fileRef = 48C7DF9217FF2DB500904F1A /* SOSAccountCredentials.c */; }; + E738B7211D11D88C0099E5C5 /* SOSAccountDer.c in Sources */ = {isa = PBXBuildFile; fileRef = 48764AE717FA2DD00005C4F1 /* SOSAccountDer.c */; }; + E738B7221D11D88C0099E5C5 /* SOSAccountFullPeerInfo.c in Sources */ = {isa = PBXBuildFile; fileRef = 48C7DF9717FF360F00904F1A /* SOSAccountFullPeerInfo.c */; }; + E738B7231D11D88C0099E5C5 /* SOSAccountPeers.c in Sources */ = {isa = PBXBuildFile; fileRef = 48C7DF9517FF351A00904F1A /* SOSAccountPeers.c */; }; + E738B7241D11D88C0099E5C5 /* SOSAccountPersistence.c in Sources */ = {isa = PBXBuildFile; fileRef = 48764AEB17FA31E50005C4F1 /* SOSAccountPersistence.c */; }; + E738B7251D11D88C0099E5C5 /* SOSAccountLog.c in Sources */ = {isa = PBXBuildFile; fileRef = 48122CC71CFF88DC009BE3E3 /* SOSAccountLog.c */; }; + E738B7261D11D88C0099E5C5 /* SOSAccountUpdate.c in Sources */ = {isa = PBXBuildFile; fileRef = 48764AEE17FA36200005C4F1 /* SOSAccountUpdate.c */; }; + E738B7271D11D88C0099E5C5 /* SOSAccountRings.c in Sources */ = {isa = PBXBuildFile; fileRef = CDC0DC941AE842640020BA6C /* SOSAccountRings.c */; }; + E738B7281D11D88C0099E5C5 /* SOSAccountRingUpdate.c in Sources */ = {isa = PBXBuildFile; fileRef = CDC0DC951AE842640020BA6C /* SOSAccountRingUpdate.c */; }; + E738B72A1D11D88C0099E5C5 /* SOSBackupEvent.c in Sources */ = {isa = PBXBuildFile; fileRef = 528462991AE6FCF0004C1BA2 /* SOSBackupEvent.c */; }; + E738B72B1D11D88C0099E5C5 /* SOSBackupSliceKeyBag.c in Sources */ = {isa = PBXBuildFile; fileRef = E71BAE801ACE1C6500DF0C29 /* SOSBackupSliceKeyBag.c */; }; + E738B72C1D11D88C0099E5C5 /* SOSUserKeygen.c in Sources */ = {isa = PBXBuildFile; fileRef = 4802A59516D711060059E5B9 /* SOSUserKeygen.c */; }; + E738B72F1D11D9760099E5C5 /* SOSChangeTracker.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C31C3CB1A9E5CDA009098D8 /* 
SOSChangeTracker.c */; }; + E738B7301D11D9840099E5C5 /* SOSEngine.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C9DC91C15B602910036D941 /* SOSEngine.c */; }; + E738B7321D11DAB70099E5C5 /* SOSAccountViewSync.c in Sources */ = {isa = PBXBuildFile; fileRef = E75320EB1D0B83FC00DAB140 /* SOSAccountViewSync.c */; }; + E739A9DB1D3078D9003C088A /* NSFileHandle+Formatting.m in Sources */ = {isa = PBXBuildFile; fileRef = E739A9DA1D3078D9003C088A /* NSFileHandle+Formatting.m */; }; E748744515A61AF800624935 /* si-68-secmatchissuer.c in Sources */ = {isa = PBXBuildFile; fileRef = E748744415A61AF800624935 /* si-68-secmatchissuer.c */; }; - E75216AD1AF1F26500DDA573 /* SOSForerunnerSession.c in Sources */ = {isa = PBXBuildFile; fileRef = 4BD2F7FB1ADCDD8C0037CD5D /* SOSForerunnerSession.c */; }; - E75216AE1AF1F26500DDA573 /* SOSForerunnerSession.h in Headers */ = {isa = PBXBuildFile; fileRef = 4BD2F7FC1ADCDD8C0037CD5D /* SOSForerunnerSession.h */; }; E75AB91B1AE9964800C5EF3F /* secd-40-cc-gestalt.c in Sources */ = {isa = PBXBuildFile; fileRef = E75AB9191AE9958300C5EF3F /* secd-40-cc-gestalt.c */; }; E76079C11951FD2800F69731 /* SecLogging.c in Sources */ = {isa = PBXBuildFile; fileRef = E795C94119116EA200FA068C /* SecLogging.c */; }; E763D6231624E2670038477D /* sc-20-keynames.c in Sources */ = {isa = PBXBuildFile; fileRef = E763D6221624E2670038477D /* sc-20-keynames.c */; }; 
@@ -441,6 +458,8 @@ E77DE60B1C2882EC005259C2 /* si-17-item-system-bluetooth.m in Sources */ = {isa = PBXBuildFile; fileRef = E7EF51911C24C6E3002D0C23 /* si-17-item-system-bluetooth.m */; }; E7850ED01BB30E80002A54CA /* secd-63-account-resurrection.c in Sources */ = {isa = PBXBuildFile; fileRef = E731829F1B1FC9CD00FC334C /* secd-63-account-resurrection.c */; }; E7850ED11BB30E87002A54CA /* secd-65-account-retirement-reset.c in Sources */ = {isa = PBXBuildFile; fileRef = E7850ECE1BB30E6E002A54CA /* secd-65-account-retirement-reset.c */; }; + E78A9AB21D34263100006B5B /* secd-130-other-peer-views.c in Sources */ = {isa = PBXBuildFile; fileRef = E739A9DC1D318FA4003C088A /* secd-130-other-peer-views.c */; }; + E78A9AB31D34630300006B5B /* secd-95-escrow-persistence.c in Sources */ = {isa = PBXBuildFile; fileRef = CD8F442C1B83C435004C0047 /* secd-95-escrow-persistence.c */; }; E790C110169E53DF00E0C0C9 /* leaks.c in Sources */ = {isa = PBXBuildFile; fileRef = E790C10E169E53DF00E0C0C9 /* leaks.c */; }; E790C141169E5C6200E0C0C9 /* add_internet_password.c in Sources */ = {isa = PBXBuildFile; fileRef = E790C136169E5C6200E0C0C9 /* add_internet_password.c */; }; E790C142169E5C6200E0C0C9 /* codesign.c in Sources */ = {isa = PBXBuildFile; fileRef = E790C137169E5C6200E0C0C9 /* codesign.c */; }; 
@@ -462,6 +481,7 @@ E7A10FAC1771246A00C4602F /* secd-55-account-circle.c in Sources */ = {isa = PBXBuildFile; fileRef = E7A10FAB1771246A00C4602F /* secd-55-account-circle.c */; }; E7A10FAE1771249C00C4602F /* secd-57-account-leave.c in Sources */ = {isa = PBXBuildFile; fileRef = E7A10FAD1771249C00C4602F /* secd-57-account-leave.c */; }; E7A634E317FA471500920B67 /* SOSPeerInfoCollections.c in Sources */ = {isa = PBXBuildFile; fileRef = E7A634E217FA471500920B67 /* SOSPeerInfoCollections.c */; }; + E7ACD2FB1D30204E0038050D /* keychain_sync_test.m in Sources */ = {isa = PBXBuildFile; fileRef = E7ACD2F91D30204E0038050D /* keychain_sync_test.m */; }; E7B01B5B16532507000485F1 /* SOSCloudCircleInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = E7B01B5A16532507000485F1 /* SOSCloudCircleInternal.h */; settings = {ATTRIBUTES = (); }; }; E7B01B691655DF20000485F1 /* SOSCloudCircleServer.c in Sources */ = {isa = PBXBuildFile; fileRef = E7B01B671655CCA6000485F1 /* SOSCloudCircleServer.c */; }; E7CA197A17179EC20065299C /* si-69-keydesc.c in Sources */ = {isa = PBXBuildFile; fileRef = CDA7729616B899F10069434D /* si-69-keydesc.c */; }; 
@@ -472,41 +492,24 @@ E7FEFB87169E363300E18152 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 521C0B9815FA5C4A00604B61 /* Foundation.framework */; }; E7FEFB91169E36D800E18152 /* keychain_sync.c in Sources */ = {isa = PBXBuildFile; fileRef = E7FEFB90169E36D800E18152 /* keychain_sync.c */; }; EB3409AF1C1D5BBE00D77661 /* secd-20-keychain_upgrade.m in Sources */ = {isa = PBXBuildFile; fileRef = EB3409AE1C1D5BB300D77661 /* secd-20-keychain_upgrade.m */; }; + EB6432BD1C510A6E00B671F2 /* SecDigest.c in Sources */ = {isa = PBXBuildFile; fileRef = EB6432BC1C510A6E00B671F2 /* SecDigest.c */; }; + EB6432BE1C510A6E00B671F2 /* SecDigest.c in Sources */ = {isa = PBXBuildFile; fileRef = EB6432BC1C510A6E00B671F2 /* SecDigest.c */; }; EB69AB041BF3C42F00913AF1 /* SecEMCS.m in Sources */ = {isa = PBXBuildFile; fileRef = EB69AB031BF3C42F00913AF1 /* SecEMCS.m */; }; EB69AB061BF425FD00913AF1 /* si-90-emcs.m in Sources */ = {isa = PBXBuildFile; fileRef = EB69AB051BF425F300913AF1 /* si-90-emcs.m */; }; EB69AB071BF4332700913AF1 /* si-90-emcs.m in Sources */ = {isa = PBXBuildFile; fileRef = EB69AB051BF425F300913AF1 /* si-90-emcs.m */; }; - EB8F48DD1AE4CC7000CE93A7 /* si-25-sectrust-apple-authentication.c in Sources */ = {isa = PBXBuildFile; fileRef = EB8F48DC1AE4C81400CE93A7 /* si-25-sectrust-apple-authentication.c */; }; EB9C1D0A1BDDBDE000F89272 /* si-13-item-system.m in Sources */ = {isa = PBXBuildFile; fileRef = EB9C1D091BDDBDD500F89272 /* si-13-item-system.m */; }; EBC1B8B81BE96B3A00E6ACA6 /* digest_calc.c in Sources */ = {isa = PBXBuildFile; fileRef = E790C109169E4FD200E0C0C9 /* digest_calc.c */; }; EBC1B8B91BE96B3A00E6ACA6 /* whoami.m in Sources */ = {isa = PBXBuildFile; fileRef = EBC1B8B61BE96B3200E6ACA6 /* whoami.m */; }; + EBD344801D234E37008B6DEA /* si-15-delete-access-group.m in Sources */ = {isa = PBXBuildFile; fileRef = EBD3447F1D234E26008B6DEA /* si-15-delete-access-group.m */; }; EBDAECBC184D32BD005A18F1 /* sc-31-peerinfo-simplefuzz.c in Sources */ 
= {isa = PBXBuildFile; fileRef = EBDAECBA184D30C3005A18F1 /* sc-31-peerinfo-simplefuzz.c */; }; EBE32B591BEEC8C900719AA8 /* syncbubble.m in Sources */ = {isa = PBXBuildFile; fileRef = EBE32B581BEEC8C900719AA8 /* syncbubble.m */; }; EBF2D7661C1E482B006AB6FF /* secd-21-transmogrify.m in Sources */ = {isa = PBXBuildFile; fileRef = EBF2D7651C1E4823006AB6FF /* secd-21-transmogrify.m */; }; F697632318F6CFD60090438B /* keychain_util.c in Sources */ = {isa = PBXBuildFile; fileRef = F697632118F6CC3F0090438B /* keychain_util.c */; }; - F953A6A91B43597D006EC5E1 /* si-81-sectrust-appletv.c in Sources */ = {isa = PBXBuildFile; fileRef = F953A6A71B43538A006EC5E1 /* si-81-sectrust-appletv.c */; }; F9E0BD991AEF196E00554D49 /* secd-82-persistent-ref.c in Sources */ = {isa = PBXBuildFile; fileRef = F9E0BD981AEF196A00554D49 /* secd-82-persistent-ref.c */; }; F9EF72F21AC0F98400A4D24A /* secd-70-engine-smash.c in Sources */ = {isa = PBXBuildFile; fileRef = F9EF72F01AC0F97C00A4D24A /* secd-70-engine-smash.c */; }; /* End PBXBuildFile section */ /* Begin PBXCopyFilesBuildPhase section */ - 5284029E164445760035F320 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "include/${PRODUCT_NAME}"; - dstSubfolderSpec = 16; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; - CD3F91491A802EBF00E07119 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "include/$(PRODUCT_NAME)"; - dstSubfolderSpec = 16; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; E71049F0169E023B00DB0045 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 2147483647; 
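Review bot: `si-25-sectrust-apple-authentication.c` and `si-81-sectrust-appletv.c` are removed from Sources in this hunk with no corresponding new-side entry, so the Apple-authentication and Apple TV trust-policy regressions no longer build in this target unless another target picks them up, which is not visible here. The two deleted `PBXCopyFilesBuildPhase` blocks both have empty `files` lists, so dropping them is harmless. Please confirm where these two regressions now run, or keep their build entries.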
@@ -537,12 +540,19 @@ /* End PBXCopyFilesBuildPhase section */ /* Begin PBXFileReference section */ + 093F67A21CC1171B0033151D /* SecKeyAdaptors.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecKeyAdaptors.c; sourceTree = "<group>"; }; + 0982E02B1D19695B0060002E /* si-44-seckey-ec.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "si-44-seckey-ec.m"; path = "../../../../shared_regressions/si-44-seckey-ec.m"; sourceTree = "<group>"; }; + 09AE116D1CEDA17A004C617D /* si-44-seckey-ies.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "si-44-seckey-ies.m"; path = "../../../../shared_regressions/si-44-seckey-ies.m"; sourceTree = "<group>"; }; + 09D1FC1D1CDCBA8800A82D0D /* si-44-seckey-gen.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "si-44-seckey-gen.m"; path = "../../../../shared_regressions/si-44-seckey-gen.m"; sourceTree = "<group>"; }; + 09EC947E1CEDEA70003E5101 /* si-44-seckey-rsa.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "si-44-seckey-rsa.m"; path = "../../../../shared_regressions/si-44-seckey-rsa.m"; sourceTree = "<group>"; }; 0C062B1C175E784B00806CFE /* secd-30-keychain-upgrade.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-30-keychain-upgrade.c"; sourceTree = "<group>"; }; 0C062B1D175E784B00806CFE /* secd-31-keychain-bad.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-31-keychain-bad.c"; sourceTree = "<group>"; }; 0C062B1E175E784B00806CFE /* secd-31-keychain-unreadable.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-31-keychain-unreadable.c"; sourceTree = "<group>"; }; 0C0BDB5F175687EC00BC1A7E /* libsecdRegressions.a */ = {isa = PBXFileReference; explicitFileType = 
archive.ar; includeInIndex = 0; path = libsecdRegressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; 0C0BDB601756882A00BC1A7E /* secd_regressions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = secd_regressions.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 0C0BDB62175688DA00BC1A7E /* secd-01-items.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-01-items.c"; sourceTree = "<group>"; }; + 0C3276C21CB329AB005D6DDC /* secd_77_ids_messaging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = secd_77_ids_messaging.c; sourceTree = "<group>"; }; + 0C60F39B1CAF0E8E00221D24 /* secd-76-idstransport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-76-idstransport.c"; sourceTree = "<group>"; }; 0C664AE7175951270092D3D9 /* secd-02-upgrade-while-locked.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = "secd-02-upgrade-while-locked.c"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; 0CBF93F5177B7CFC001E5658 /* secd-03-corrupted-items.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-03-corrupted-items.c"; sourceTree = "<group>"; }; 0CBF93F6177B7CFC001E5658 /* secd-04-corrupted-items.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-04-corrupted-items.c"; sourceTree = "<group>"; }; 
@@ -633,7 +643,7 @@ 18AD565E14CB6F79008233F2 /* SecOCSPResponse.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecOCSPResponse.h; sourceTree = "<group>"; }; 18AD565F14CB6F79008233F2 /* SecPolicyServer.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SecPolicyServer.c; sourceTree = "<group>"; }; 18AD566014CB6F79008233F2 /* SecPolicyServer.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecPolicyServer.h; sourceTree = "<group>"; }; - 18AD566114CB6F79008233F2 /* SecTrustServer.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SecTrustServer.c; sourceTree = "<group>"; }; + 18AD566114CB6F79008233F2 /* SecTrustServer.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = SecTrustServer.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; 18AD566214CB6F79008233F2 /* SecTrustServer.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecTrustServer.h; sourceTree = "<group>"; }; 18AD566314CB6F79008233F2 /* SecTrustStoreServer.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SecTrustStoreServer.c; sourceTree = "<group>"; }; 18AD566414CB6F79008233F2 /* SecTrustStoreServer.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecTrustStoreServer.h; sourceTree = "<group>"; }; 
@@ -655,7 +665,9 @@ 32FBBBE61B556F8900AEF9ED /* verify_cert.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = verify_cert.c; sourceTree = "<group>"; }; 3A70988118CDF648009FD2CC /* si_77_SecAccessControl.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = si_77_SecAccessControl.c; sourceTree = "<group>"; }; 4406660E19069707000DA171 /* si-80-empty-data.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "si-80-empty-data.c"; sourceTree = "<group>"; }; - 4469FC2A1AA0A69E0021AA26 /* secd-33-keychain-ctk.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "secd-33-keychain-ctk.c"; sourceTree = "<group>"; }; + 440BF8F41A7A7EC9001760A7 /* si-82-token-ag.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-82-token-ag.c"; sourceTree = "<group>"; }; + 442B69241BC3C5B9000F3A72 /* SecItemShim.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecItemShim.h; sourceTree = "<group>"; }; + 4469FC2A1AA0A69E0021AA26 /* secd-33-keychain-ctk.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-33-keychain-ctk.m"; sourceTree = "<group>"; }; 446CEEE319B6043900ECAF50 /* secd-32-restore-bad-backup.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-32-restore-bad-backup.c"; sourceTree = "<group>"; }; 4477A8D718F28AAE00B5BB9F /* si-78-query-attrs.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-78-query-attrs.c"; sourceTree = "<group>"; }; 4483050D1B46FB6C00326450 /* secd-35-keychain-migrate-inet.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-35-keychain-migrate-inet.c"; sourceTree = "<group>"; }; 
@@ -665,14 +677,25 @@ 44B2606C18F82631008DF20F /* SecAccessControlExports.exp-in */ = {isa = PBXFileReference; lastKnownFileType = text; path = "SecAccessControlExports.exp-in"; sourceTree = "<group>"; }; 4802A59516D711060059E5B9 /* SOSUserKeygen.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSUserKeygen.c; sourceTree = "<group>"; }; 4802A59716D711190059E5B9 /* SOSUserKeygen.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSUserKeygen.h; sourceTree = "<group>"; }; + 48122CC71CFF88DC009BE3E3 /* SOSAccountLog.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SOSAccountLog.c; sourceTree = "<group>"; }; + 48122CC81CFF88DC009BE3E3 /* SOSAccountLog.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSAccountLog.h; sourceTree = "<group>"; }; + 4812D5A51CAF07060041FAD8 /* SOSViews.exp-in */ = {isa = PBXFileReference; lastKnownFileType = text; path = "SOSViews.exp-in"; sourceTree = "<group>"; }; + 4812D5A61CAF1FCB0041FAD8 /* ViewList.list */ = {isa = PBXFileReference; lastKnownFileType = text; path = ViewList.list; sourceTree = "<group>"; }; + 481A954F1D1A02AA000B98F5 /* SOSCloudKeychainLogging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSCloudKeychainLogging.c; sourceTree = "<group>"; }; + 481A95501D1A02AA000B98F5 /* SOSCloudKeychainLogging.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSCloudKeychainLogging.h; sourceTree = "<group>"; }; + 4826374C1CC18A410082C9C8 /* secd-57-1-account-last-standing.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-57-1-account-last-standing.c"; sourceTree = "<group>"; }; 48279BC31C57FEA20043457C /* keychain_log.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = keychain_log.c; sourceTree = "<group>"; }; 48279BC41C57FEA20043457C 
/* keychain_log.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = keychain_log.h; sourceTree = "<group>"; }; + 4838F6BB1CB5AA5F009E8598 /* secViewDisplay.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = secViewDisplay.c; sourceTree = "<group>"; }; + 4838F6BC1CB5AA5F009E8598 /* secViewDisplay.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = secViewDisplay.h; sourceTree = "<group>"; }; 484182601A30F2E300211511 /* SOSCirclePriv.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSCirclePriv.h; sourceTree = "<group>"; }; 484182621A30F38E00211511 /* SOSCircleRings.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSCircleRings.h; sourceTree = "<group>"; }; 484182631A30F8D300211511 /* SOSPeerInfoPriv.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSPeerInfoPriv.h; sourceTree = "<group>"; }; 48487D271B1D5E960078C7C9 /* sc-25-soskeygen.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "sc-25-soskeygen.c"; sourceTree = "<group>"; }; 485835871779013E0050F074 /* SOSPeerInfoInternal.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSPeerInfoInternal.h; sourceTree = "<group>"; }; 485B5E611AE068D800A3C183 /* secd-82-secproperties-basic.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-82-secproperties-basic.c"; sourceTree = "<group>"; }; + 485FE6BC1CDBED5800C916C5 /* syncbackup.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = syncbackup.c; sourceTree = "<group>"; }; + 485FE6BD1CDBED5800C916C5 /* syncbackup.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = syncbackup.h; sourceTree = "<group>"; }; 486C6C671795F20E00387075 /* secd-61-account-leave-not-in-kansas-anymore.c */ = {isa = PBXFileReference; 
fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-61-account-leave-not-in-kansas-anymore.c"; sourceTree = "<group>"; }; 48764AE717FA2DD00005C4F1 /* SOSAccountDer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSAccountDer.c; sourceTree = "<group>"; }; 48764AEA17FA31670005C4F1 /* SOSAccountPriv.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSAccountPriv.h; sourceTree = "<group>"; }; @@ -685,6 +708,8 @@ 488902EB16C2F88400F119FF /* SOSCoder.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSCoder.c; sourceTree = "<group>"; }; 488902ED16C2F89700F119FF /* SOSCoder.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSCoder.h; sourceTree = "<group>"; }; 4898223917BDB277003BEF32 /* secd-52-account-changed.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-52-account-changed.c"; sourceTree = "<group>"; }; + 4899F2E71C768BBE00762615 /* secToolFileIO.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = secToolFileIO.c; sourceTree = "<group>"; }; + 4899F2E81C768BBE00762615 /* secToolFileIO.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = secToolFileIO.h; sourceTree = "<group>"; }; 489E6E4A1A71A87600D7EB8C /* SOSCircleDer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSCircleDer.c; sourceTree = "<group>"; }; 489E6E4B1A71A87600D7EB8C /* SOSCircleDer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSCircleDer.h; sourceTree = "<group>"; }; 489EA3C11AEAE659004A6AEB /* SOSRingBackup.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSRingBackup.c; sourceTree = "<group>"; }; 
@@ -692,6 +717,7 @@ 48A071CD1AD6AEA900728AEF /* SOSPeerInfoSecurityProperties.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSPeerInfoSecurityProperties.c; sourceTree = "<group>"; }; 48A071CE1AD6AEA900728AEF /* SOSPeerInfoSecurityProperties.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSPeerInfoSecurityProperties.h; sourceTree = "<group>"; }; 48A0FEDD1B6046E2001D6180 /* secd-64-circlereset.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-64-circlereset.c"; sourceTree = "<group>"; }; + 48B5888B1D00ED9000E0C5A7 /* secd-200-logstate.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-200-logstate.c"; sourceTree = "<group>"; }; 48C34E911C45EF3000B7F29B /* secd60-account-cloud-exposure.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd60-account-cloud-exposure.c"; sourceTree = "<group>"; }; 48C7DF9217FF2DB500904F1A /* SOSAccountCredentials.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSAccountCredentials.c; sourceTree = "<group>"; }; 48C7DF9517FF351A00904F1A /* SOSAccountPeers.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSAccountPeers.c; sourceTree = "<group>"; }; 
@@ -710,8 +736,8 @@ 48FB17001A76F56C00B586C7 /* SOSPeerInfoV2.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSPeerInfoV2.c; sourceTree = "<group>"; }; 48FB17011A76F56C00B586C7 /* SOSPeerInfoV2.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSPeerInfoV2.h; sourceTree = "<group>"; }; 48FB17041A77181A00B586C7 /* secd-80-views-basic.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-80-views-basic.c"; sourceTree = "<group>"; }; - 48FEA7771C52FFE70020C148 /* secToolFileIO.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = secToolFileIO.c; sourceTree = "<group>"; }; - 48FEA7781C52FFE70020C148 /* secToolFileIO.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = secToolFileIO.h; sourceTree = "<group>"; }; + 48FD04F11CEFCFB900BEBBFF /* SOSAccountTransaction.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSAccountTransaction.c; sourceTree = "<group>"; }; + 48FD04F21CEFCFB900BEBBFF /* SOSAccountTransaction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSAccountTransaction.h; sourceTree = "<group>"; }; 4A5CCA4F15ACEFA500702357 /* libSecOtrOSX.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSecOtrOSX.a; sourceTree = BUILT_PRODUCTS_DIR; }; 4A824B03158FF07000F932C0 /* libSecurityRegressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSecurityRegressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; 4A971682158FDEB800D439B7 /* SecOTR.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecOTR.h; sourceTree = "<group>"; }; 
@@ -732,8 +758,6 @@ 4A971692158FDEB800D439B7 /* SecOTRSessionAKE.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecOTRSessionAKE.c; sourceTree = "<group>"; }; 4A971693158FDEB800D439B7 /* SecOTRSessionPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecOTRSessionPriv.h; sourceTree = "<group>"; }; 4A971694158FDEB800D439B7 /* SecOTRUtils.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecOTRUtils.c; sourceTree = "<group>"; }; - 4BD2F7FB1ADCDD8C0037CD5D /* SOSForerunnerSession.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSForerunnerSession.c; sourceTree = "<group>"; }; - 4BD2F7FC1ADCDD8C0037CD5D /* SOSForerunnerSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSForerunnerSession.h; sourceTree = "<group>"; }; 4BD2F7FF1ADCDEAA0037CD5D /* sc-140-hsa2.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "sc-140-hsa2.c"; sourceTree = "<group>"; }; 4BD2F8011ADCDF790037CD5D /* SOSPlatform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSPlatform.h; sourceTree = "<group>"; }; 4C055FED17B60F1E001A879A /* SecDbKeychainItem.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecDbKeychainItem.c; sourceTree = "<group>"; }; 
@@ -758,7 +782,6 @@ 4C4B15951655EDA700734590 /* SecDbItem.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecDbItem.h; sourceTree = "<group>"; }; 4C5EA365164C791400A136B8 /* lib-arc-only.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = "lib-arc-only.xcconfig"; sourceTree = "<group>"; }; 4C64F59617C6B3B1009C5AC2 /* sc-45-digestvector.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "sc-45-digestvector.c"; sourceTree = "<group>"; }; - 4C8940DA166EA8CF00241770 /* osxshim.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = osxshim.c; sourceTree = "<group>"; }; 4C8BDD9A17B4FB8F00C20EA5 /* SOSDataSource.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSDataSource.h; sourceTree = "<group>"; }; 4C8BDD9C17B4FD2A00C20EA5 /* SOSManifest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSManifest.h; sourceTree = "<group>"; }; 4C8BDD9E17B4FDE100C20EA5 /* SOSManifest.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSManifest.c; sourceTree = "<group>"; }; 
@@ -790,24 +813,18 @@ 4CC92A1B15A3ABD400C6D578 /* si-14-dateparse.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-14-dateparse.c"; sourceTree = "<group>"; }; 4CC92A1C15A3ABD400C6D578 /* si-15-certificate.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-15-certificate.c"; sourceTree = "<group>"; }; 4CC92A1D15A3ABD400C6D578 /* si-16-ec-certificate.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-16-ec-certificate.c"; sourceTree = "<group>"; }; - 4CC92A1E15A3ABD400C6D578 /* si-20-sectrust-activation.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-20-sectrust-activation.c"; sourceTree = "<group>"; }; 4CC92A1F15A3ABD400C6D578 /* si-20-sectrust.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-20-sectrust.c"; sourceTree = "<group>"; }; 4CC92A2015A3ABD400C6D578 /* si-21-sectrust-asr.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-21-sectrust-asr.c"; sourceTree = "<group>"; }; 4CC92A2115A3ABD400C6D578 /* si-22-sectrust-iap.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-22-sectrust-iap.c"; sourceTree = "<group>"; }; 4CC92A2215A3ABD400C6D578 /* si-23-sectrust-ocsp.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-23-sectrust-ocsp.c"; sourceTree = "<group>"; }; - 4CC92A2315A3ABD400C6D578 /* si-24-sectrust-appleid.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-24-sectrust-appleid.c"; sourceTree = "<group>"; }; 4CC92A2415A3ABD400C6D578 /* si-24-sectrust-digicert-malaysia.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-24-sectrust-digicert-malaysia.c"; sourceTree = "<group>"; }; 
4CC92A2515A3ABD400C6D578 /* si-24-sectrust-diginotar.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-24-sectrust-diginotar.c"; sourceTree = "<group>"; }; 4CC92A2615A3ABD400C6D578 /* si-24-sectrust-itms.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-24-sectrust-itms.c"; sourceTree = "<group>"; }; - 4CC92A2715A3ABD400C6D578 /* si-24-sectrust-mobileasset.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-24-sectrust-mobileasset.c"; sourceTree = "<group>"; }; 4CC92A2815A3ABD400C6D578 /* si-24-sectrust-nist.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-24-sectrust-nist.c"; sourceTree = "<group>"; }; - 4CC92A2915A3ABD400C6D578 /* si-24-sectrust-otatasking.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-24-sectrust-otatasking.c"; sourceTree = "<group>"; }; - 4CC92A2A15A3ABD400C6D578 /* si-24-sectrust-shoebox.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-24-sectrust-shoebox.c"; sourceTree = "<group>"; }; - 4CC92A2B15A3ABD400C6D578 /* si-25-sectrust-ipsec-eap.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-25-sectrust-ipsec-eap.c"; sourceTree = "<group>"; }; - 4CC92A2C15A3ABD400C6D578 /* si-26-applicationsigning.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-26-applicationsigning.c"; sourceTree = "<group>"; }; + 4CC92A2A15A3ABD400C6D578 /* si-24-sectrust-passbook.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-24-sectrust-passbook.c"; sourceTree = "<group>"; }; + 4CC92A2C15A3ABD400C6D578 /* si-26-sectrust-copyproperties.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = 
"si-26-sectrust-copyproperties.c"; sourceTree = "<group>"; }; 4CC92A2D15A3ABD400C6D578 /* si-27-sectrust-exceptions.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-27-sectrust-exceptions.c"; sourceTree = "<group>"; }; - 4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-28-sectrustsettings.c"; sourceTree = "<group>"; }; - 4CC92A2F15A3ABD400C6D578 /* si-29-sectrust-codesigning.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-29-sectrust-codesigning.c"; sourceTree = "<group>"; }; + 4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-28-sectrustsettings.m"; sourceTree = "<group>"; }; 4CC92A3015A3ABD400C6D578 /* si-30-keychain-upgrade.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-30-keychain-upgrade.c"; sourceTree = "<group>"; }; 4CC92A3115A3ABD400C6D578 /* si-31-keychain-bad.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-31-keychain-bad.c"; sourceTree = "<group>"; }; 4CC92A3215A3ABD400C6D578 /* si-31-keychain-unreadable.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-31-keychain-unreadable.c"; sourceTree = "<group>"; }; 
@@ -858,32 +875,19 @@ 4CD1897B169F835400BC96B8 /* print_cert.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = print_cert.c; sourceTree = "<group>"; }; 4CD1897C169F835400BC96B8 /* print_cert.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = print_cert.h; sourceTree = "<group>"; }; 521C0B9815FA5C4A00604B61 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; }; - 521C0BA615FA5D7400604B61 /* cloudkeychain.entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = cloudkeychain.entitlements.plist; path = SOSCircle/CloudKeychainProxy/cloudkeychain.entitlements.plist; sourceTree = SOURCE_ROOT; }; - 521C0BAD15FA5DA800604B61 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = InfoPlist.strings; sourceTree = "<group>"; }; - 521C0BAF15FA5E3F00604B61 /* CKDKVSProxy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; name = CKDKVSProxy.h; path = SOSCircle/CloudKeychainProxy/CKDKVSProxy.h; sourceTree = SOURCE_ROOT; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; - 521C0BB015FA5E3F00604B61 /* CKDKVSProxy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = CKDKVSProxy.m; path = SOSCircle/CloudKeychainProxy/CKDKVSProxy.m; sourceTree = SOURCE_ROOT; }; - 521C0BB115FA5E3F00604B61 /* CKDPersistentState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CKDPersistentState.h; path = SOSCircle/CloudKeychainProxy/CKDPersistentState.h; sourceTree = SOURCE_ROOT; }; - 521C0BB215FA5E3F00604B61 /* CKDPersistentState.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = 
CKDPersistentState.m; path = SOSCircle/CloudKeychainProxy/CKDPersistentState.m; sourceTree = SOURCE_ROOT; }; - 521C0BB315FA5E3F00604B61 /* cloudkeychainproxy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; name = cloudkeychainproxy.m; path = SOSCircle/CloudKeychainProxy/cloudkeychainproxy.m; sourceTree = SOURCE_ROOT; xcLanguageSpecificationIdentifier = xcode.lang.objc; }; 521C0CD515FF9B3300604B61 /* SOSRegressionUtilities.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSRegressionUtilities.c; sourceTree = "<group>"; }; 521C0CD815FF9B4B00604B61 /* SOSRegressionUtilities.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSRegressionUtilities.h; sourceTree = "<group>"; }; - 521C0CD915FFA05000604B61 /* CKDKeyValueStore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = CKDKeyValueStore.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; - 521C0CDA15FFA05000604B61 /* CKDKeyValueStore.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CKDKeyValueStore.m; sourceTree = "<group>"; }; 521C685C1614A6E100E31C3E /* SOSCloudKeychainClient.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = SOSCloudKeychainClient.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; 521C685D1614A6E100E31C3E /* SOSCloudKeychainClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = SOSCloudKeychainClient.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; - 522B0ED31649A68E00A4675D /* MobileKeyBag.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileKeyBag.framework; path = 
Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.Internal.sdk/System/Library/PrivateFrameworks/MobileKeyBag.framework; sourceTree = DEVELOPER_DIR; }; + 5221C4971CBEDB7C006047E7 /* secd-71-engine-save.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-71-engine-save.c"; sourceTree = "<group>"; }; + 5221C4C11CC5667E006047E7 /* secd-71-engine-save-sample1.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "secd-71-engine-save-sample1.h"; sourceTree = "<group>"; }; 523CBBF41B321C5C002C0884 /* secd-50-message.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-50-message.c"; sourceTree = "<group>"; }; 523CBBF71B3227A2002C0884 /* secd-49-manifests.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-49-manifests.c"; sourceTree = "<group>"; }; 526CBA5116079FB4008DF7C8 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = "../../build/Products/Debug-iphoneos/Security.framework"; sourceTree = "<group>"; }; - 5272501916838BB20029AADD /* CloudKeychainProxy.1 */ = {isa = PBXFileReference; lastKnownFileType = text.man; path = CloudKeychainProxy.1; sourceTree = "<group>"; }; 527258CF1981C00F003CFCEC /* secd-70-engine.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-70-engine.c"; sourceTree = "<group>"; }; - 52840291164050C80035F320 /* CKDUserInteraction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CKDUserInteraction.h; path = SOSCircle/CloudKeychainProxy/CKDUserInteraction.h; sourceTree = SOURCE_ROOT; }; - 52840292164050C80035F320 /* CKDUserInteraction.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = CKDUserInteraction.m; path = SOSCircle/CloudKeychainProxy/CKDUserInteraction.m; 
sourceTree = SOURCE_ROOT; }; - 528402A0164445760035F320 /* libCloudKeychainProxy.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libCloudKeychainProxy.a; sourceTree = BUILT_PRODUCTS_DIR; }; 528462991AE6FCF0004C1BA2 /* SOSBackupEvent.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSBackupEvent.c; sourceTree = "<group>"; }; 5284629A1AE6FCF0004C1BA2 /* SOSBackupEvent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSBackupEvent.h; sourceTree = "<group>"; }; 529F46F11AEC759E0002392C /* secd-34-backup-der-parse.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-34-backup-der-parse.c"; sourceTree = "<group>"; }; - 52C3D18E169A53150091D9D3 /* ckdmain.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = ckdmain.m; path = SOSCircle/CloudKeychainProxy/ckdmain.m; sourceTree = SOURCE_ROOT; }; 52D0F026169CA72800F07D79 /* SecOnOSX.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecOnOSX.h; sourceTree = "<group>"; }; 52DD7069160CD40B0027A346 /* libutilities.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libutilities.a; path = ../../build/Release/libutilities.a; sourceTree = "<group>"; }; 52F8DE4A1AF2E9AE00A2C271 /* SOSTypes.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSTypes.h; sourceTree = "<group>"; }; 
@@ -895,36 +899,35 @@ 5356520418E3C88D00C383C0 /* SecOTRRemote.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecOTRRemote.h; sourceTree = "<group>"; }; 5384299318E492A300E91AFE /* secd-70-otr-remote.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-70-otr-remote.c"; sourceTree = "<group>"; }; 5DE4A7BC17441CCD0036339E /* si-71-mobile-store-policy.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-71-mobile-store-policy.c"; sourceTree = "<group>"; }; + 5E0CE1641CB6347300E75776 /* secd-83-item-match-valid-on-date.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-83-item-match-valid-on-date.m"; sourceTree = "<group>"; }; + 5E0CE1661CB6348D00E75776 /* secd-83-item-match-trusted.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-83-item-match-trusted.m"; sourceTree = "<group>"; }; + 5E0CE1681CB64A1300E75776 /* secd-83-item-match.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "secd-83-item-match.h"; sourceTree = "<group>"; }; 5E19C6471AA5F34E005964F8 /* secd-81-item-acl-stress.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "secd-81-item-acl-stress.c"; sourceTree = "<group>"; }; 5EA016361AD41AB20061BCD7 /* secd-81-item-acl.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-81-item-acl.c"; sourceTree = "<group>"; }; + 5EF2596E1CB5214B009B4C58 /* secd-83-item-match-policy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-83-item-match-policy.m"; sourceTree = "<group>"; }; 724D7363177A13A500FA10A1 /* AppleBaselineEscrowCertificates.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppleBaselineEscrowCertificates.h; sourceTree = "<group>"; }; 7255A46B1783333D006A8B9A /* 
si-74-OTAPKISigner.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-74-OTAPKISigner.c"; sourceTree = "<group>"; }; - 7255F91317A973D5004A9F38 /* si-75-AppleIDRecordSigning.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-75-AppleIDRecordSigning.c"; sourceTree = "<group>"; }; 72B5923A17C6924000AE738B /* iCloudTrace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = iCloudTrace.h; sourceTree = "<group>"; }; 72B5923C17C6939A00AE738B /* iCloudTrace.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = iCloudTrace.c; sourceTree = "<group>"; }; - 72E2DC0616BC47C800E7B236 /* OTATrustUtilities.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = OTATrustUtilities.c; sourceTree = "<group>"; }; + 72E2DC0616BC47C800E7B236 /* OTATrustUtilities.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = OTATrustUtilities.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; 72E2DC0716BC47C800E7B236 /* OTATrustUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OTATrustUtilities.h; sourceTree = "<group>"; }; - 7DE2092F192D29D90066419C /* si-79-smp-cert-policy.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-79-smp-cert-policy.c"; sourceTree = "<group>"; }; - 858A54641BC6FD3E008A03FA /* si-88-sectrust-vpnprofile.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-88-sectrust-vpnprofile.c"; sourceTree = "<group>"; }; - 858A54651BC6FD3E008A03FA /* si-88-sectrust-vpnprofile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-88-sectrust-vpnprofile.h"; sourceTree = "<group>"; }; ACFD56BD19007B2D00F5F5D9 /* 
ios6_1_keychain_2_db.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ios6_1_keychain_2_db.h; sourceTree = "<group>"; }; BE061FCE1899E5BD00C739F6 /* si-76-shared-credentials.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-76-shared-credentials.c"; sourceTree = "<group>"; }; BE0CC6061A96B68400662E69 /* si-83-seccertificate-sighashalg.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-83-seccertificate-sighashalg.c"; sourceTree = "<group>"; }; BE3171921BB3559600BBB212 /* si-20-sectrust.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-20-sectrust.h"; sourceTree = "<group>"; }; + BE4AC7DC1C938698002A28FE /* SecSignatureVerificationSupport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecSignatureVerificationSupport.c; sourceTree = "<group>"; }; + BE4AC7DD1C938698002A28FE /* SecSignatureVerificationSupport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSignatureVerificationSupport.h; sourceTree = "<group>"; }; BE556A5D19550E1600E6EE8C /* SecPolicyCerts.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecPolicyCerts.h; sourceTree = "<group>"; }; BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-72-syncableitems.c"; sourceTree = "<group>"; }; BE62D7611747FF51001EAA9D /* si-70-sectrust-unified.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-70-sectrust-unified.c"; sourceTree = "<group>"; }; BE642BAF188F32AD00C899A2 /* SecSharedCredential.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSharedCredential.h; sourceTree = "<group>"; }; BE642BB1188F32C200C899A2 /* SecSharedCredential.c 
*/ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecSharedCredential.c; sourceTree = "<group>"; }; - BE794825196DBEAD00F4BA63 /* si-81-sectrust-server-auth.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-81-sectrust-server-auth.c"; sourceTree = "<group>"; }; BE8D228E1ABB7199009A4E18 /* libSecTrustOSX.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSecTrustOSX.a; sourceTree = BUILT_PRODUCTS_DIR; }; BE8D22C11ABB9B6E009A4E18 /* SecTrustInternal.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecTrustInternal.h; sourceTree = "<group>"; }; - BECC54E31B98FF0000FB91DC /* si-86-sectrust-eap-tls.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-86-sectrust-eap-tls.c"; sourceTree = "<group>"; }; - BECC54E41B98FF0000FB91DC /* si-86-sectrust-eap-tls.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-86-sectrust-eap-tls.h"; sourceTree = "<group>"; }; BEF9640618B4171200813FA3 /* libSWCAgent.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSWCAgent.a; sourceTree = BUILT_PRODUCTS_DIR; }; BEF9640918B418A400813FA3 /* swcagent_client.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = swcagent_client.h; path = SharedWebCredential/swcagent_client.h; sourceTree = "<group>"; }; BEF9640A18B418A400813FA3 /* swcagent_client.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = swcagent_client.c; path = SharedWebCredential/swcagent_client.c; sourceTree = "<group>"; }; - BEF9640B18B418A400813FA3 /* swcagent.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = swcagent.m; path = SharedWebCredential/swcagent.m; sourceTree = "<group>"; }; + BEF9640B18B418A400813FA3 /* swcagent.m 
*/ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; name = swcagent.m; path = SharedWebCredential/swcagent.m; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objc; }; C62A296818996D90006C3A11 /* SecAccessControlPriv.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecAccessControlPriv.h; sourceTree = "<group>"; }; C6766767189884D200E9A12C /* SecAccessControl.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecAccessControl.c; sourceTree = "<group>"; }; C6EE78BA189821AD009B8FEB /* SecAccessControl.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecAccessControl.h; sourceTree = "<group>"; }; 
@@ -947,12 +950,7 @@ CD32777618F8B39B006B5280 /* SOSTransportMessageKVS.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSTransportMessageKVS.c; sourceTree = "<group>"; }; CD32777818F8B3B4006B5280 /* SOSTransportMessageKVS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSTransportMessageKVS.h; sourceTree = "<group>"; }; CD35B8291C2650FE00E0852A /* secd-154-engine-backoff.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-154-engine-backoff.c"; sourceTree = "<group>"; }; - CD3F914B1A802EBF00E07119 /* libIDSKeychainSyncingProxy.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libIDSKeychainSyncingProxy.a; sourceTree = BUILT_PRODUCTS_DIR; }; CD558FA8193544F800CFB3B1 /* IDSFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IDSFoundation.framework; path = ../../../../../../../System/Library/PrivateFrameworks/IDSFoundation.framework; sourceTree = "<group>"; }; - CD5D34011A80391B00EBF353 /* IDSProxy.h */ = {isa = PBXFileReference; explicitFileType = sourcecode.c.objc; fileEncoding = 4; path = IDSProxy.h; sourceTree = "<group>"; }; - CD5D34021A80391B00EBF353 /* IDSProxy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = IDSProxy.m; sourceTree = "<group>"; }; - CD5D34041A80391B00EBF353 /* idskeychainsyncingproxy.entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = idskeychainsyncingproxy.entitlements.plist; sourceTree = "<group>"; }; - CD5D34051A80391B00EBF353 /* idskeychainsyncingproxy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = idskeychainsyncingproxy.m; sourceTree = "<group>"; }; CD655E911AF02B9900BD1B6E /* secd-62-account-backup.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType 
= sourcecode.c.c; path = "secd-62-account-backup.c"; sourceTree = "<group>"; }; CD6C9BF81A813D52002AB913 /* IDS.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IDS.framework; path = System/Library/PrivateFrameworks/IDS.framework; sourceTree = SDKROOT; }; CD773AC21ADDF8C700C808BA /* SOSTransportBackupPeer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSTransportBackupPeer.c; sourceTree = "<group>"; }; @@ -960,6 +958,7 @@ CD86DE4D18BD554D00C90CDF /* SOSTransport.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSTransport.c; sourceTree = "<group>"; }; CD8E09001A2E918900A2503A /* otr-40-edgecases.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "otr-40-edgecases.c"; sourceTree = "<group>"; }; CD8F442C1B83C435004C0047 /* secd-95-escrow-persistence.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-95-escrow-persistence.c"; sourceTree = "<group>"; }; + CD9B54111CC6EC4D00CC487A /* secd-100-initialsync.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-100-initialsync.c"; sourceTree = "<group>"; }; CDA7729616B899F10069434D /* si-69-keydesc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-69-keydesc.c"; sourceTree = "<group>"; }; CDAD4E9818EC8424007D4BC2 /* SOSTransportTestTransports.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSTransportTestTransports.c; sourceTree = "<group>"; }; CDAD4E9A18EC8447007D4BC2 /* SOSTransportTestTransports.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSTransportTestTransports.h; sourceTree = "<group>"; }; 
@@ -991,24 +990,33 @@ CDC0DC9A1AE842640020BA6C /* SOSGenCount.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSGenCount.h; sourceTree = "<group>"; }; CDC765C01729A72800721712 /* SecPasswordGenerate.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecPasswordGenerate.c; sourceTree = "<group>"; }; CDC765C11729A72800721712 /* SecPasswordGenerate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecPasswordGenerate.h; sourceTree = "<group>"; }; - CDD4500F1ACF134A00A37449 /* IDSPersistentState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IDSPersistentState.h; sourceTree = "<group>"; }; - CDD450101ACF13BC00A37449 /* IDSPersistentState.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = IDSPersistentState.m; sourceTree = "<group>"; }; CDD565A1173193AC00B6B074 /* si-73-secpasswordgenerate.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-73-secpasswordgenerate.c"; sourceTree = "<group>"; }; CDF1B82218BD7DDE006309BC /* SOSTransport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSTransport.h; sourceTree = "<group>"; }; - CDF42C061A884BB10080BB05 /* idksmain.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = idksmain.m; sourceTree = "<group>"; }; CDF9BBE01B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-52-offering-gencount-reset.c"; sourceTree = "<group>"; }; - D40294A71C20A806008CE4B6 /* si-91-sectrust-ast2.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-91-sectrust-ast2.c"; sourceTree = "<group>"; }; - D40294A81C20A806008CE4B6 /* si-91-sectrust-ast2.h */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-91-sectrust-ast2.h"; sourceTree = "<group>"; }; - D41380C71C6E529500F1A4B6 /* si-92-sectrust-homekit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-92-sectrust-homekit.c"; sourceTree = "<group>"; }; - D41380C81C6E529500F1A4B6 /* si-92-sectrust-homekit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-92-sectrust-homekit.h"; sourceTree = "<group>"; }; + D40771AB1C9B4C530016AA66 /* si-82-seccertificate-ct.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "si-82-seccertificate-ct.c"; path = "../../../../shared_regressions/si-82-seccertificate-ct.c"; sourceTree = "<group>"; }; + D40771AC1C9B4C530016AA66 /* si-82-sectrust-ct.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "si-82-sectrust-ct.m"; path = "../../../../shared_regressions/si-82-sectrust-ct.m"; sourceTree = "<group>"; }; + D40771B21C9B4CE50016AA66 /* shared_regressions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = shared_regressions.h; path = ../../shared_regressions/shared_regressions.h; sourceTree = "<group>"; }; + D40771B81C9B4D200016AA66 /* libSharedRegressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSharedRegressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; D4273AA21B5D54CA0007D67B /* nameconstraints.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = nameconstraints.c; sourceTree = "<group>"; }; D4273AA31B5D54CA0007D67B /* nameconstraints.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = nameconstraints.h; sourceTree = "<group>"; }; - D445CDDF1B44D372005040AC /* si-84-sectrust-atv-appsigning.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.c; path = "si-84-sectrust-atv-appsigning.c"; sourceTree = "<group>"; }; + D44216091CCAD9C200D2D455 /* si-22-sectrust-iap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-22-sectrust-iap.h"; sourceTree = "<group>"; }; + D44C81E71CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-97-sectrust-path-scoring.m"; sourceTree = "<group>"; }; + D44C81E91CD1947200BE9A0D /* si-97-sectrust-path-scoring.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-97-sectrust-path-scoring.h"; sourceTree = "<group>"; }; + D4653DEA1C9E2299002ED6D5 /* si-28-sectrustsettings.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-28-sectrustsettings.h"; sourceTree = "<group>"; }; + D474EF321C8A1CBB00AA4D86 /* personalization.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = personalization.c; sourceTree = "<group>"; }; + D474EF331C8A1CBB00AA4D86 /* personalization.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = personalization.h; sourceTree = "<group>"; }; + D47F511B1C3B660500A7CEFE /* SecCFAllocator.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecCFAllocator.c; sourceTree = "<group>"; }; + D47F511C1C3B660500A7CEFE /* SecCFAllocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCFAllocator.h; sourceTree = "<group>"; }; + D48C567C1C73E5C300E41928 /* SecPolicyLeafCallbacks.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecPolicyLeafCallbacks.c; sourceTree = "<group>"; }; + D4A919751CA9A3DD003D2ADA /* si-95-cms-basic.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-95-cms-basic.c"; 
sourceTree = "<group>"; }; + D4A919761CA9A3DD003D2ADA /* si-95-cms-basic.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-95-cms-basic.h"; sourceTree = "<group>"; }; D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-85-sectrust-ssl-policy.c"; sourceTree = "<group>"; }; + D4C6E1681B9A0AE800E42591 /* si-85-sectrust-ssl-policy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-85-sectrust-ssl-policy.h"; sourceTree = "<group>"; }; D4CBC1461BE9A89E00C5795E /* si-89-cms-hash-agility.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-89-cms-hash-agility.c"; sourceTree = "<group>"; }; D4CBC1471BE9A89E00C5795E /* si-89-cms-hash-agility.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-89-cms-hash-agility.h"; sourceTree = "<group>"; }; D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-87-sectrust-name-constraints.c"; sourceTree = "<group>"; }; D4DFC9491B9958D00040945C /* si-87-sectrust-name-constraints.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-87-sectrust-name-constraints.h"; sourceTree = "<group>"; }; + D4EC94D31CEA47D70083E753 /* si-20-sectrust-policies.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "si-20-sectrust-policies.m"; path = "../../../../shared_regressions/si-20-sectrust-policies.m"; sourceTree = "<group>"; }; E702E75614E1F3EA00CDE635 /* libSecureObjectSync.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSecureObjectSync.a; sourceTree = BUILT_PRODUCTS_DIR; }; E702E77814E1F48800CDE635 /* libSOSRegressions.a */ = {isa = 
PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSOSRegressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; E703811114E1FEE4007CB458 /* SOSCloudCircle.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSCloudCircle.h; sourceTree = "<group>"; }; 
@@ -1024,9 +1032,11 @@ E7217B1715F80E0F00D26031 /* SOSCloudCircle.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = SOSCloudCircle.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; E7217B2515F8131A00D26031 /* SOSCloudKeychainConstants.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = SOSCloudKeychainConstants.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; E7217B2615F8131A00D26031 /* SOSCloudKeychainConstants.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSCloudKeychainConstants.h; sourceTree = "<group>"; }; - E7295C6714E3571A007FBB20 /* Empty.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = Empty.c; sourceTree = "<group>"; }; E731829F1B1FC9CD00FC334C /* secd-63-account-resurrection.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-63-account-resurrection.c"; sourceTree = "<group>"; }; + E739A9DA1D3078D9003C088A /* NSFileHandle+Formatting.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "NSFileHandle+Formatting.m"; sourceTree = "<group>"; }; + E739A9DC1D318FA4003C088A /* secd-130-other-peer-views.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-130-other-peer-views.c"; sourceTree = "<group>"; }; E748744415A61AF800624935 /* si-68-secmatchissuer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-68-secmatchissuer.c"; sourceTree = "<group>"; }; + E75320EB1D0B83FC00DAB140 /* SOSAccountViewSync.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSAccountViewSync.c; sourceTree = "<group>"; }; E757D42219254B3200AF22D9 /* SecECKeyPriv.h */ = {isa = PBXFileReference; lastKnownFileType = 
sourcecode.c.h; path = SecECKeyPriv.h; sourceTree = "<group>"; }; E75AB9191AE9958300C5EF3F /* secd-40-cc-gestalt.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-40-cc-gestalt.c"; sourceTree = "<group>"; }; E76079D21951FD2800F69731 /* liblogging.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = liblogging.a; sourceTree = BUILT_PRODUCTS_DIR; }; @@ -1038,6 +1048,7 @@ E777C72515B87544004044A8 /* SOSPeerInfo.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSPeerInfo.c; sourceTree = "<group>"; }; E777C72815B9C9F0004044A8 /* sc-30-peerinfo.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "sc-30-peerinfo.c"; sourceTree = "<group>"; }; E7850ECE1BB30E6E002A54CA /* secd-65-account-retirement-reset.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-65-account-retirement-reset.c"; sourceTree = "<group>"; }; + E78DCD671D306C9000DE7A88 /* NSFileHandle+Formatting.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "NSFileHandle+Formatting.h"; sourceTree = "<group>"; }; E790C0F4169E3D7200E0C0C9 /* keychain_sync.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = keychain_sync.h; sourceTree = "<group>"; }; E790C108169E4E7900E0C0C9 /* builtin_commands.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = builtin_commands.h; sourceTree = "<group>"; }; E790C109169E4FD200E0C0C9 /* digest_calc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = digest_calc.c; sourceTree = "<group>"; }; 
@@ -1069,6 +1080,8 @@ E7A10FAD1771249C00C4602F /* secd-57-account-leave.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-57-account-leave.c"; sourceTree = "<group>"; }; E7A634E217FA471500920B67 /* SOSPeerInfoCollections.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSPeerInfoCollections.c; sourceTree = "<group>"; }; E7A634E417FA472700920B67 /* SOSPeerInfoCollections.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSPeerInfoCollections.h; sourceTree = "<group>"; }; + E7ACD2F91D30204E0038050D /* keychain_sync_test.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = keychain_sync_test.m; sourceTree = "<group>"; }; + E7ACD2FA1D30204E0038050D /* keychain_sync_test.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = keychain_sync_test.h; sourceTree = "<group>"; }; E7B00701170B58BD00B27966 /* SecExports.exp-in */ = {isa = PBXFileReference; lastKnownFileType = text; path = "SecExports.exp-in"; sourceTree = "<group>"; }; E7B00702170B5FE100B27966 /* SOSExports.exp-in */ = {isa = PBXFileReference; lastKnownFileType = text; lineEnding = 0; path = "SOSExports.exp-in"; sourceTree = "<group>"; }; E7B01B5A16532507000485F1 /* SOSCloudCircleInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = SOSCloudCircleInternal.h; sourceTree = "<group>"; }; 
@@ -1090,10 +1103,10 @@ E7FEFB8C169E363300E18152 /* libSOSCommands.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSOSCommands.a; sourceTree = BUILT_PRODUCTS_DIR; }; E7FEFB90169E36D800E18152 /* keychain_sync.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = keychain_sync.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; EB3409AE1C1D5BB300D77661 /* secd-20-keychain_upgrade.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-20-keychain_upgrade.m"; sourceTree = "<group>"; }; + EB6432BC1C510A6E00B671F2 /* SecDigest.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecDigest.c; sourceTree = "<group>"; }; EB69AB031BF3C42F00913AF1 /* SecEMCS.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SecEMCS.m; sourceTree = "<group>"; }; EB69AB051BF425F300913AF1 /* si-90-emcs.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "si-90-emcs.m"; sourceTree = "<group>"; }; EB69AB081BF4335100913AF1 /* SecEMCSPriv.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecEMCSPriv.h; sourceTree = "<group>"; }; - EB8F48DC1AE4C81400CE93A7 /* si-25-sectrust-apple-authentication.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "si-25-sectrust-apple-authentication.c"; sourceTree = "<group>"; }; EB973200189C56310063DFED /* Cocoa.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Cocoa.framework; path = System/Library/Frameworks/Cocoa.framework; sourceTree = SDKROOT; }; EB973204189C56310063DFED /* CoreData.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreData.framework; path = System/Library/Frameworks/CoreData.framework; sourceTree = SDKROOT; }; EB973205189C56310063DFED /* AppKit.framework */ = 
{isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppKit.framework; path = System/Library/Frameworks/AppKit.framework; sourceTree = SDKROOT; }; 
@@ -1101,13 +1114,13 @@ EB97322D189C56DB0063DFED /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = ../../../../../../../System/Library/Frameworks/CoreFoundation.framework; sourceTree = "<group>"; }; EB9C1D091BDDBDD500F89272 /* si-13-item-system.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "si-13-item-system.m"; sourceTree = "<group>"; }; EBC1B8B61BE96B3200E6ACA6 /* whoami.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = whoami.m; sourceTree = "<group>"; }; + EBD3447F1D234E26008B6DEA /* si-15-delete-access-group.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "si-15-delete-access-group.m"; sourceTree = "<group>"; }; EBDAECBA184D30C3005A18F1 /* sc-31-peerinfo-simplefuzz.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "sc-31-peerinfo-simplefuzz.c"; sourceTree = "<group>"; }; EBE32B581BEEC8C900719AA8 /* syncbubble.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = syncbubble.m; sourceTree = "<group>"; }; EBE32B9B1BF00DA500719AA8 /* entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = entitlements.plist; sourceTree = "<group>"; }; EBF2D7651C1E4823006AB6FF /* secd-21-transmogrify.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-21-transmogrify.m"; sourceTree = "<group>"; }; F697632118F6CC3F0090438B /* keychain_util.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = keychain_util.c; sourceTree = "<group>"; }; F697632218F6CC3F0090438B /* keychain_util.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = keychain_util.h; sourceTree = "<group>"; }; - F953A6A71B43538A006EC5E1 /* si-81-sectrust-appletv.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.c; path = "si-81-sectrust-appletv.c"; sourceTree = "<group>"; }; F9E0BD981AEF196A00554D49 /* secd-82-persistent-ref.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "secd-82-persistent-ref.c"; sourceTree = "<group>"; }; F9EF72F01AC0F97C00A4D24A /* secd-70-engine-smash.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-70-engine-smash.c"; sourceTree = "<group>"; }; /* End PBXFileReference section */ @@ -1172,13 +1185,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 5284029D164445760035F320 /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; BE8D22881ABB7199009A4E18 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; @@ -1193,11 +1199,10 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - CD3F91481A802EBF00E07119 /* Frameworks */ = { + D40771B51C9B4D200016AA66 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - 43C3B1681AFD588800786702 /* IDS.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -1291,15 +1296,14 @@ 4A824B03158FF07000F932C0 /* libSecurityRegressions.a */, 4CC92B1415A3BC6B00C6D578 /* libsecuritydRegressions.a */, 4A5CCA4F15ACEFA500702357 /* libSecOtrOSX.a */, - 528402A0164445760035F320 /* libCloudKeychainProxy.a */, E71049F2169E023B00DB0045 /* libSecurityTool.a */, E7104A1D169E216E00DB0045 /* libSecurityCommands.a */, E7FEFB8C169E363300E18152 /* libSOSCommands.a */, 0C0BDB5F175687EC00BC1A7E /* libsecdRegressions.a */, BEF9640618B4171200813FA3 /* libSWCAgent.a */, E76079D21951FD2800F69731 /* liblogging.a */, - CD3F914B1A802EBF00E07119 /* libIDSKeychainSyncingProxy.a */, BE8D228E1ABB7199009A4E18 /* libSecTrustOSX.a */, + D40771B81C9B4D200016AA66 /* libSharedRegressions.a */, ); name = Products; sourceTree = "<group>"; 
@@ -1318,27 +1322,9 @@ 186CDD3014CA159600AF9171 /* Security */ = { isa = PBXGroup; children = ( - E7104A0F169E1F0800DB0045 /* Tool */, 4A824AFA158FF05900F932C0 /* Regressions */, - 52D0F026169CA72800F07D79 /* SecOnOSX.h */, - 4A971682158FDEB800D439B7 /* SecOTR.h */, - 4A971683158FDEB800D439B7 /* SecOTRDHKey.c */, - 4A971684158FDEB800D439B7 /* SecOTRDHKey.h */, - 4A971685158FDEB800D439B7 /* SecOTRErrors.h */, - 4A971686158FDEB800D439B7 /* SecOTRFullIdentity.c */, - 4A971687158FDEB800D439B7 /* SecOTRIdentityPriv.h */, - 4A971688158FDEB800D439B7 /* SecOTRMath.c */, - 4A971689158FDEB800D439B7 /* SecOTRMath.h */, - 4A97168B158FDEB800D439B7 /* SecOTRPacketData.c */, - 4A97168C158FDEB800D439B7 /* SecOTRPacketData.h */, - 4A97168D158FDEB800D439B7 /* SecOTRPackets.c */, - 4A97168E158FDEB800D439B7 /* SecOTRPackets.h */, - 4A97168F158FDEB800D439B7 /* SecOTRPublicIdentity.c */, - 4A971690158FDEB800D439B7 /* SecOTRSession.c */, - 4A971691158FDEB800D439B7 /* SecOTRSession.h */, - 4A971692158FDEB800D439B7 /* SecOTRSessionAKE.c */, - 4A971693158FDEB800D439B7 /* SecOTRSessionPriv.h */, - 4A971694158FDEB800D439B7 /* SecOTRUtils.c */, + E7104A0F169E1F0800DB0045 /* Tool */, + 724D7363177A13A500FA10A1 /* AppleBaselineEscrowCertificates.h */, 18AD561514CB6EB9008233F2 /* certextensions.h */, 18AD561614CB6EB9008233F2 /* p12import.c */, 18AD561714CB6EB9008233F2 /* p12import.h */, 
@@ -1346,13 +1332,15 @@ 18AD561914CB6EB9008233F2 /* p12pbegen.h */, 18AD561A14CB6EB9008233F2 /* pbkdf2.c */, 18AD561B14CB6EB9008233F2 /* pbkdf2.h */, + C6766767189884D200E9A12C /* SecAccessControl.c */, C6EE78BA189821AD009B8FEB /* SecAccessControl.h */, + 44B2606C18F82631008DF20F /* SecAccessControlExports.exp-in */, C62A296818996D90006C3A11 /* SecAccessControlPriv.h */, - C6766767189884D200E9A12C /* SecAccessControl.c */, 18AD561C14CB6EB9008233F2 /* SecBase.h */, 18AD561D14CB6EB9008233F2 /* SecBase64.c */, 18AD561E14CB6EB9008233F2 /* SecBase64.h */, 18AD561F14CB6EB9008233F2 /* SecBasePriv.h */, + 18AD562014CB6EB9008233F2 /* SecCertificate.c */, 18AD562114CB6EB9008233F2 /* SecCertificate.h */, 18AD562214CB6EB9008233F2 /* SecCertificateInternal.h */, 18AD562314CB6EB9008233F2 /* SecCertificatePath.c */, @@ -1360,19 +1348,22 @@ 18AD562514CB6EB9008233F2 /* SecCertificatePriv.h */, 18AD562614CB6EB9008233F2 /* SecCertificateRequest.c */, 18AD562714CB6EB9008233F2 /* SecCertificateRequest.h */, + D47F511B1C3B660500A7CEFE /* SecCFAllocator.c */, + D47F511C1C3B660500A7CEFE /* SecCFAllocator.h */, 18AD562814CB6EB9008233F2 /* SecCMS.c */, 18AD562914CB6EB9008233F2 /* SecCMS.h */, 449265271AB0D6FF00644D4C /* SecCTKKey.c */, 449265281AB0D6FF00644D4C /* SecCTKKeyPriv.h */, 18AD562A14CB6EB9008233F2 /* SecDH.c */, 18AD562B14CB6EB9008233F2 /* SecDH.h */, + EB6432BC1C510A6E00B671F2 /* SecDigest.c */, 18AD562C14CB6EB9008233F2 /* SecECKey.c */, 18AD562D14CB6EB9008233F2 /* SecECKey.h */, E757D42219254B3200AF22D9 /* SecECKeyPriv.h */, EB69AB031BF3C42F00913AF1 /* SecEMCS.m */, EB69AB081BF4335100913AF1 /* SecEMCSPriv.h */, + E7B00701170B58BD00B27966 /* SecExports.exp-in */, 18AD562E14CB6EB9008233F2 /* SecFramework.c */, - 18AD562014CB6EB9008233F2 /* SecCertificate.c */, 18AD562F14CB6EB9008233F2 /* SecFramework.h */, 18AD563014CB6EB9008233F2 /* SecFrameworkStrings.h */, 18AD563114CB6EB9008233F2 /* SecIdentity.c */, 
@@ -1388,15 +1379,39 @@ 18AD563914CB6EB9008233F2 /* SecItemConstants.c */, 18AD563A14CB6EB9008233F2 /* SecItemInternal.h */, 18AD563B14CB6EB9008233F2 /* SecItemPriv.h */, + 442B69241BC3C5B9000F3A72 /* SecItemShim.h */, 18AD563C14CB6EB9008233F2 /* SecKey.c */, 18AD563D14CB6EB9008233F2 /* SecKey.h */, + 093F67A21CC1171B0033151D /* SecKeyAdaptors.c */, 18AD563E14CB6EB9008233F2 /* SecKeyInternal.h */, 18AD563F14CB6EB9008233F2 /* SecKeyPriv.h */, + E795C94119116EA200FA068C /* SecLogging.c */, + E795C94319116ECA00FA068C /* SecLogging.h */, + 52D0F026169CA72800F07D79 /* SecOnOSX.h */, + 4A971682158FDEB800D439B7 /* SecOTR.h */, + 4A971683158FDEB800D439B7 /* SecOTRDHKey.c */, + 4A971684158FDEB800D439B7 /* SecOTRDHKey.h */, + 4A971685158FDEB800D439B7 /* SecOTRErrors.h */, + 4A971686158FDEB800D439B7 /* SecOTRFullIdentity.c */, + 4A971687158FDEB800D439B7 /* SecOTRIdentityPriv.h */, + 4A971688158FDEB800D439B7 /* SecOTRMath.c */, + 4A971689158FDEB800D439B7 /* SecOTRMath.h */, + 4A97168B158FDEB800D439B7 /* SecOTRPacketData.c */, + 4A97168C158FDEB800D439B7 /* SecOTRPacketData.h */, + 4A97168D158FDEB800D439B7 /* SecOTRPackets.c */, + 4A97168E158FDEB800D439B7 /* SecOTRPackets.h */, + 4A97168F158FDEB800D439B7 /* SecOTRPublicIdentity.c */, + 4A971690158FDEB800D439B7 /* SecOTRSession.c */, + 4A971691158FDEB800D439B7 /* SecOTRSession.h */, + 4A971692158FDEB800D439B7 /* SecOTRSessionAKE.c */, + 4A971693158FDEB800D439B7 /* SecOTRSessionPriv.h */, + 4A971694158FDEB800D439B7 /* SecOTRUtils.c */, CDC765C01729A72800721712 /* SecPasswordGenerate.c */, CDC765C11729A72800721712 /* SecPasswordGenerate.h */, 18AD564014CB6EB9008233F2 /* SecPBKDF.c */, 18AD564114CB6EB9008233F2 /* SecPBKDF.h */, 18AD564214CB6EB9008233F2 /* SecPolicy.c */, + D48C567C1C73E5C300E41928 /* SecPolicyLeafCallbacks.c */, 18AD564314CB6EB9008233F2 /* SecPolicy.h */, BE556A5D19550E1600E6EE8C /* SecPolicyCerts.h */, 18AD564414CB6EB9008233F2 /* SecPolicyInternal.h */, 
@@ -1409,27 +1424,24 @@ 18AD564B14CB6EB9008233F2 /* SecSCEP.h */, E795C9531913F88D00FA068C /* SecServerEncryptionSupport.c */, E795C9521913112F00FA068C /* SecServerEncryptionSupport.h */, + BE642BB1188F32C200C899A2 /* SecSharedCredential.c */, + BE642BAF188F32AD00C899A2 /* SecSharedCredential.h */, + BE4AC7DC1C938698002A28FE /* SecSignatureVerificationSupport.c */, + BE4AC7DD1C938698002A28FE /* SecSignatureVerificationSupport.h */, 18AD564C14CB6EB9008233F2 /* SecTrust.c */, 18AD564D14CB6EB9008233F2 /* SecTrust.h */, - 18AD564E14CB6EB9008233F2 /* SecTrustPriv.h */, BE8D22C11ABB9B6E009A4E18 /* SecTrustInternal.h */, + 18AD564E14CB6EB9008233F2 /* SecTrustPriv.h */, 18AD564F14CB6EB9008233F2 /* SecTrustSettings.c */, 18AD565014CB6EB9008233F2 /* SecTrustSettings.h */, 18AD565114CB6EB9008233F2 /* SecTrustSettingsPriv.h */, 18AD565214CB6EB9008233F2 /* SecTrustStore.c */, 18AD565314CB6EB9008233F2 /* SecTrustStore.h */, - BE642BB1188F32C200C899A2 /* SecSharedCredential.c */, - BE642BAF188F32AD00C899A2 /* SecSharedCredential.h */, 18AD565414CB6EB9008233F2 /* Security.h */, - 18AD565514CB6EB9008233F2 /* vmdh.c */, - 18AD565614CB6EB9008233F2 /* vmdh.h */, E7B01B8816572579000485F1 /* SecuritydXPC.c */, E7B01B8A1657259F000485F1 /* SecuritydXPC.h */, - 724D7363177A13A500FA10A1 /* AppleBaselineEscrowCertificates.h */, - E7B00701170B58BD00B27966 /* SecExports.exp-in */, - 44B2606C18F82631008DF20F /* SecAccessControlExports.exp-in */, - E795C94119116EA200FA068C /* SecLogging.c */, - E795C94319116ECA00FA068C /* SecLogging.h */, + 18AD565514CB6EB9008233F2 /* vmdh.c */, + 18AD565614CB6EB9008233F2 /* vmdh.h */, ); path = Security; sourceTree = "<group>"; 
@@ -1445,6 +1457,10 @@ 72E2DC0716BC47C800E7B236 /* OTATrustUtilities.h */, 18AD568214CB865E008233F2 /* policytree.c */, 18AD568314CB865E008233F2 /* policytree.h */, + D4273AA21B5D54CA0007D67B /* nameconstraints.c */, + D4273AA31B5D54CA0007D67B /* nameconstraints.h */, + D474EF321C8A1CBB00AA4D86 /* personalization.c */, + D474EF331C8A1CBB00AA4D86 /* personalization.h */, 18AD568414CB865E008233F2 /* SecCAIssuerCache.c */, 18AD568514CB865E008233F2 /* SecCAIssuerCache.h */, 18AD568614CB865E008233F2 /* SecCAIssuerRequest.c */, @@ -1489,8 +1505,6 @@ 72B5923C17C6939A00AE738B /* iCloudTrace.c */, 5356520218E3C71000C383C0 /* SecOTRRemote.c */, 5356520418E3C88D00C383C0 /* SecOTRRemote.h */, - D4273AA21B5D54CA0007D67B /* nameconstraints.c */, - D4273AA31B5D54CA0007D67B /* nameconstraints.h */, ); path = securityd; sourceTree = "<group>"; @@ -1499,6 +1513,7 @@ isa = PBXGroup; children = ( 4CC92AB015A3AD0000C6D578 /* Security_regressions.h */, + D40771B21C9B4CE50016AA66 /* shared_regressions.h */, 4CC92A0E15A3ABD400C6D578 /* crypto */, 4CC92A1115A3ABD400C6D578 /* otr */, 4CC92A1615A3ABD400C6D578 /* secitem */, 
@@ -1543,29 +1558,26 @@ 4C2C8C3C17AB374700C24C13 /* si-12-item-stress.c */, EB9C1D091BDDBDD500F89272 /* si-13-item-system.m */, 4CC92A1B15A3ABD400C6D578 /* si-14-dateparse.c */, + EBD3447F1D234E26008B6DEA /* si-15-delete-access-group.m */, 4CC92A1C15A3ABD400C6D578 /* si-15-certificate.c */, 4CC92A1D15A3ABD400C6D578 /* si-16-ec-certificate.c */, E7EF51911C24C6E3002D0C23 /* si-17-item-system-bluetooth.m */, - 4CC92A1E15A3ABD400C6D578 /* si-20-sectrust-activation.c */, + D4EC94D31CEA47D70083E753 /* si-20-sectrust-policies.m */, 4CC92A1F15A3ABD400C6D578 /* si-20-sectrust.c */, BE3171921BB3559600BBB212 /* si-20-sectrust.h */, 4CC92A2015A3ABD400C6D578 /* si-21-sectrust-asr.c */, 4CC92A2115A3ABD400C6D578 /* si-22-sectrust-iap.c */, + D44216091CCAD9C200D2D455 /* si-22-sectrust-iap.h */, 4CC92A2215A3ABD400C6D578 /* si-23-sectrust-ocsp.c */, - 4CC92A2315A3ABD400C6D578 /* si-24-sectrust-appleid.c */, 4CC92A2415A3ABD400C6D578 /* si-24-sectrust-digicert-malaysia.c */, 4CC92A2515A3ABD400C6D578 /* si-24-sectrust-diginotar.c */, 4CC92A2615A3ABD400C6D578 /* si-24-sectrust-itms.c */, - 4CC92A2715A3ABD400C6D578 /* si-24-sectrust-mobileasset.c */, 4CC92A2815A3ABD400C6D578 /* si-24-sectrust-nist.c */, - 4CC92A2915A3ABD400C6D578 /* si-24-sectrust-otatasking.c */, - 4CC92A2A15A3ABD400C6D578 /* si-24-sectrust-shoebox.c */, - 4CC92A2B15A3ABD400C6D578 /* si-25-sectrust-ipsec-eap.c */, - EB8F48DC1AE4C81400CE93A7 /* si-25-sectrust-apple-authentication.c */, - 4CC92A2C15A3ABD400C6D578 /* si-26-applicationsigning.c */, + 4CC92A2A15A3ABD400C6D578 /* si-24-sectrust-passbook.c */, + 4CC92A2C15A3ABD400C6D578 /* si-26-sectrust-copyproperties.c */, 4CC92A2D15A3ABD400C6D578 /* si-27-sectrust-exceptions.c */, - 4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.c */, - 4CC92A2F15A3ABD400C6D578 /* si-29-sectrust-codesigning.c */, + 4CC92A2E15A3ABD400C6D578 /* si-28-sectrustsettings.m */, + D4653DEA1C9E2299002ED6D5 /* si-28-sectrustsettings.h */, 4CC92A3015A3ABD400C6D578 /* si-30-keychain-upgrade.c */, 
4CC92A3115A3ABD400C6D578 /* si-31-keychain-bad.c */, 4CC92A3215A3ABD400C6D578 /* si-31-keychain-unreadable.c */, @@ -1575,6 +1587,10 @@ 4CC92A3715A3ABD400C6D578 /* si-41-sececkey.c */, 4CC92A3815A3ABD400C6D578 /* si-42-identity.c */, 4CC92A3915A3ABD400C6D578 /* si-43-persistent.c */, + 09D1FC1D1CDCBA8800A82D0D /* si-44-seckey-gen.m */, + 09EC947E1CEDEA70003E5101 /* si-44-seckey-rsa.m */, + 0982E02B1D19695B0060002E /* si-44-seckey-ec.m */, + 09AE116D1CEDA17A004C617D /* si-44-seckey-ies.m */, 4CC92A3A15A3ABD400C6D578 /* si-50-secrandom.c */, 4CC92A3B15A3ABD400C6D578 /* si-60-cms.c */, 4CC92A3C15A3ABD400C6D578 /* si-61-pkcs12.c */, 
@@ -1596,30 +1612,25 @@ BE62D75F1747FF3E001EAA9D /* si-72-syncableitems.c */, CDD565A1173193AC00B6B074 /* si-73-secpasswordgenerate.c */, 7255A46B1783333D006A8B9A /* si-74-OTAPKISigner.c */, - 7255F91317A973D5004A9F38 /* si-75-AppleIDRecordSigning.c */, BE061FCE1899E5BD00C739F6 /* si-76-shared-credentials.c */, 3A70988118CDF648009FD2CC /* si_77_SecAccessControl.c */, 4477A8D718F28AAE00B5BB9F /* si-78-query-attrs.c */, - 7DE2092F192D29D90066419C /* si-79-smp-cert-policy.c */, 4406660E19069707000DA171 /* si-80-empty-data.c */, - BE794825196DBEAD00F4BA63 /* si-81-sectrust-server-auth.c */, + D40771AB1C9B4C530016AA66 /* si-82-seccertificate-ct.c */, + D40771AC1C9B4C530016AA66 /* si-82-sectrust-ct.m */, + 440BF8F41A7A7EC9001760A7 /* si-82-token-ag.c */, BE0CC6061A96B68400662E69 /* si-83-seccertificate-sighashalg.c */, - F953A6A71B43538A006EC5E1 /* si-81-sectrust-appletv.c */, - D445CDDF1B44D372005040AC /* si-84-sectrust-atv-appsigning.c */, D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */, - BECC54E31B98FF0000FB91DC /* si-86-sectrust-eap-tls.c */, - BECC54E41B98FF0000FB91DC /* si-86-sectrust-eap-tls.h */, + D4C6E1681B9A0AE800E42591 /* si-85-sectrust-ssl-policy.h */, D4DFC9481B9958D00040945C /* si-87-sectrust-name-constraints.c */, D4DFC9491B9958D00040945C /* si-87-sectrust-name-constraints.h */, - 858A54641BC6FD3E008A03FA /* si-88-sectrust-vpnprofile.c */, - 858A54651BC6FD3E008A03FA /* si-88-sectrust-vpnprofile.h */, D4CBC1461BE9A89E00C5795E /* si-89-cms-hash-agility.c */, D4CBC1471BE9A89E00C5795E /* si-89-cms-hash-agility.h */, EB69AB051BF425F300913AF1 /* si-90-emcs.m */, - D40294A71C20A806008CE4B6 /* si-91-sectrust-ast2.c */, - D40294A81C20A806008CE4B6 /* si-91-sectrust-ast2.h */, - D41380C71C6E529500F1A4B6 /* si-92-sectrust-homekit.c */, - D41380C81C6E529500F1A4B6 /* si-92-sectrust-homekit.h */, + D4A919751CA9A3DD003D2ADA /* si-95-cms-basic.c */, + D4A919761CA9A3DD003D2ADA /* si-95-cms-basic.h */, + D44C81E71CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m 
*/, + D44C81E91CD1947200BE9A0D /* si-97-sectrust-path-scoring.h */, ); name = secitem; path = Regressions/secitem; @@ -1702,7 +1713,7 @@ 0C062B1D175E784B00806CFE /* secd-31-keychain-bad.c */, 0C062B1E175E784B00806CFE /* secd-31-keychain-unreadable.c */, 446CEEE319B6043900ECAF50 /* secd-32-restore-bad-backup.c */, - 4469FC2A1AA0A69E0021AA26 /* secd-33-keychain-ctk.c */, + 4469FC2A1AA0A69E0021AA26 /* secd-33-keychain-ctk.m */, 529F46F11AEC759E0002392C /* secd-34-backup-der-parse.c */, 4483050D1B46FB6C00326450 /* secd-35-keychain-migrate-inet.c */, E75AB9191AE9958300C5EF3F /* secd-40-cc-gestalt.c */, @@ -1716,6 +1727,7 @@ E7F0D3E9177BBE35001ACBC1 /* secd-55-account-incompatibility.c */, E7F18556177A502900177B23 /* secd-56-account-apply.c */, E7A10FAD1771249C00C4602F /* secd-57-account-leave.c */, + 4826374C1CC18A410082C9C8 /* secd-57-1-account-last-standing.c */, 4882C516177521AE0095D04B /* secd-58-password-change.c */, 48F32D7D1777AFA3001B84BA /* secd-59-account-cleanup.c */, E7F18554177A44E000177B23 /* secd-60-account-cloud-identity.c */, 
@@ -1730,16 +1742,27 @@ 4C495EE01982171500BC1809 /* secd-70-engine-corrupt.c */, F9EF72F01AC0F97C00A4D24A /* secd-70-engine-smash.c */, 5384299318E492A300E91AFE /* secd-70-otr-remote.c */, + 5221C4971CBEDB7C006047E7 /* secd-71-engine-save.c */, + 5221C4C11CC5667E006047E7 /* secd-71-engine-save-sample1.h */, 4CCD1B001B1E3EA200F6DF8D /* secd-74-engine-beer-servers.c */, 4CC62F201B4C63FE009FEF0E /* secd-75-engine-views.c */, + 0C60F39B1CAF0E8E00221D24 /* secd-76-idstransport.c */, + 0C3276C21CB329AB005D6DDC /* secd_77_ids_messaging.c */, 48FB17041A77181A00B586C7 /* secd-80-views-basic.c */, 485B5E611AE068D800A3C183 /* secd-82-secproperties-basic.c */, 5E19C6471AA5F34E005964F8 /* secd-81-item-acl-stress.c */, 5EA016361AD41AB20061BCD7 /* secd-81-item-acl.c */, F9E0BD981AEF196A00554D49 /* secd-82-persistent-ref.c */, + 5EF2596E1CB5214B009B4C58 /* secd-83-item-match-policy.m */, + 5E0CE1641CB6347300E75776 /* secd-83-item-match-valid-on-date.m */, + 5E0CE1661CB6348D00E75776 /* secd-83-item-match-trusted.m */, + 5E0CE1681CB64A1300E75776 /* secd-83-item-match.h */, 48FABEE01AD05C7100C061D1 /* secd-90-hsa2.c */, CD8F442C1B83C435004C0047 /* secd-95-escrow-persistence.c */, + CD9B54111CC6EC4D00CC487A /* secd-100-initialsync.c */, + E739A9DC1D318FA4003C088A /* secd-130-other-peer-views.c */, CD35B8291C2650FE00E0852A /* secd-154-engine-backoff.c */, + 48B5888B1D00ED9000E0C5A7 /* secd-200-logstate.c */, E7A10FAA1771245D00C4602F /* SOSAccountTesting.h */, E79D62BE1767A547005A9743 /* SecdTestKeychainUtilities.c */, E79D62BF1767A55F005A9743 /* SecdTestKeychainUtilities.h */, 
@@ -1766,51 +1789,6 @@ name = Frameworks; sourceTree = "<group>"; }; - 521C0B9B15FA5C4A00604B61 /* Supporting Files */ = { - isa = PBXGroup; - children = ( - ); - name = "Supporting Files"; - sourceTree = "<group>"; - }; - 521C0BAB15FA5DA800604B61 /* en.lproj */ = { - isa = PBXGroup; - children = ( - 521C0BAC15FA5DA800604B61 /* InfoPlist.strings */, - ); - name = en.lproj; - path = SOSCircle/CloudKeychainProxy/en.lproj; - sourceTree = SOURCE_ROOT; - }; - 5272501416838BB20029AADD /* CloudKeychainProxy */ = { - isa = PBXGroup; - children = ( - 521C0BAF15FA5E3F00604B61 /* CKDKVSProxy.h */, - 521C0BB015FA5E3F00604B61 /* CKDKVSProxy.m */, - 52C3D18E169A53150091D9D3 /* ckdmain.m */, - 521C0BB115FA5E3F00604B61 /* CKDPersistentState.h */, - 521C0BB215FA5E3F00604B61 /* CKDPersistentState.m */, - 52840291164050C80035F320 /* CKDUserInteraction.h */, - 52840292164050C80035F320 /* CKDUserInteraction.m */, - 521C0BA615FA5D7400604B61 /* cloudkeychain.entitlements.plist */, - 5272501916838BB20029AADD /* CloudKeychainProxy.1 */, - 521C0BB315FA5E3F00604B61 /* cloudkeychainproxy.m */, - 521C0BAB15FA5DA800604B61 /* en.lproj */, - 522B0ED31649A68E00A4675D /* MobileKeyBag.framework */, - 521C0B9B15FA5C4A00604B61 /* Supporting Files */, - 5272501716838BB20029AADD /* Supporting Files */, - ); - name = CloudKeychainProxy; - path = ../CloudKeychainProxy; - sourceTree = "<group>"; - }; - 5272501716838BB20029AADD /* Supporting Files */ = { - isa = PBXGroup; - children = ( - ); - name = "Supporting Files"; - sourceTree = "<group>"; - }; BEF9640718B417EB00813FA3 /* SharedWebCredentialAgent */ = { isa = PBXGroup; children = ( 
@@ -1821,20 +1799,6 @@ name = SharedWebCredentialAgent; sourceTree = "<group>"; }; - CD5D34001A80391B00EBF353 /* IDSKeychainSyncingProxy */ = { - isa = PBXGroup; - children = ( - CDF42C061A884BB10080BB05 /* idksmain.m */, - CD5D34011A80391B00EBF353 /* IDSProxy.h */, - CD5D34021A80391B00EBF353 /* IDSProxy.m */, - CD5D34041A80391B00EBF353 /* idskeychainsyncingproxy.entitlements.plist */, - CD5D34051A80391B00EBF353 /* idskeychainsyncingproxy.m */, - CDD4500F1ACF134A00A37449 /* IDSPersistentState.h */, - CDD450101ACF13BC00A37449 /* IDSPersistentState.m */, - ); - path = IDSKeychainSyncingProxy; - sourceTree = "<group>"; - }; E71049F4169E023B00DB0045 /* SecurityTool */ = { isa = PBXGroup; children = ( @@ -1883,26 +1847,16 @@ 521C685D1614A6E100E31C3E /* SOSCloudKeychainClient.h */, E7217B2515F8131A00D26031 /* SOSCloudKeychainConstants.c */, E7217B2615F8131A00D26031 /* SOSCloudKeychainConstants.h */, + 481A954F1D1A02AA000B98F5 /* SOSCloudKeychainLogging.c */, + 481A95501D1A02AA000B98F5 /* SOSCloudKeychainLogging.h */, ); path = CKBridge; sourceTree = "<group>"; }; - E7295C6614E356FE007FBB20 /* Hacks */ = { - isa = PBXGroup; - children = ( - E7295C6714E3571A007FBB20 /* Empty.c */, - 4C8940DA166EA8CF00241770 /* osxshim.c */, - ); - name = Hacks; - sourceTree = "<group>"; - }; E7AC69CE14E1F78400CB09C1 /* SOSCircle */ = { isa = PBXGroup; children = ( E7217B2015F8126700D26031 /* CKBridge */, - 5272501416838BB20029AADD /* CloudKeychainProxy */, - E7295C6614E356FE007FBB20 /* Hacks */, - CD5D34001A80391B00EBF353 /* IDSKeychainSyncingProxy */, E7AC69CF14E1F78400CB09C1 /* Regressions */, E7AC69D114E1F78400CB09C1 /* SecureObjectSync */, E7FEFB81169E362100E18152 /* Tool */, 
@@ -1913,8 +1867,6 @@ E7AC69CF14E1F78400CB09C1 /* Regressions */ = { isa = PBXGroup; children = ( - 521C0CD915FFA05000604B61 /* CKDKeyValueStore.h */, - 521C0CDA15FFA05000604B61 /* CKDKeyValueStore.m */, E763D6221624E2670038477D /* sc-20-keynames.c */, 48487D271B1D5E960078C7C9 /* sc-25-soskeygen.c */, E777C72815B9C9F0004044A8 /* sc-30-peerinfo.c */, @@ -1952,8 +1904,6 @@ E7217B1715F80E0F00D26031 /* SOSCloudCircle.c */, E703811114E1FEE4007CB458 /* SOSCloudCircle.h */, E7B01B5A16532507000485F1 /* SOSCloudCircleInternal.h */, - 4BD2F7FB1ADCDD8C0037CD5D /* SOSForerunnerSession.c */, - 4BD2F7FC1ADCDD8C0037CD5D /* SOSForerunnerSession.h */, 48E9CDFB1C597FED00574D6B /* SOSSysdiagnose.c */, E777C71D15B73F9E004044A8 /* SOSInternal.c */, E777C71B15B73F59004044A8 /* SOSInternal.h */, @@ -1968,6 +1918,8 @@ children = ( 4CC929AD15A3957800C6D578 /* SOSAccount.c */, 4CC929AE15A3957800C6D578 /* SOSAccount.h */, + 48FD04F11CEFCFB900BEBBFF /* SOSAccountTransaction.c */, + 48FD04F21CEFCFB900BEBBFF /* SOSAccountTransaction.h */, E7C4F5451AD75EBE000B5862 /* SOSAccountBackup.c */, 48764AF417FA3FE50005C4F1 /* SOSAccountCircles.c */, 48FABEDB1AD05C1D00C061D1 /* SOSAccountHSAJoin.c */, @@ -1978,10 +1930,13 @@ 48C7DF9717FF360F00904F1A /* SOSAccountFullPeerInfo.c */, 48C7DF9517FF351A00904F1A /* SOSAccountPeers.c */, 48764AEB17FA31E50005C4F1 /* SOSAccountPersistence.c */, + 48122CC71CFF88DC009BE3E3 /* SOSAccountLog.c */, + 48122CC81CFF88DC009BE3E3 /* SOSAccountLog.h */, 48764AEA17FA31670005C4F1 /* SOSAccountPriv.h */, 48764AEE17FA36200005C4F1 /* SOSAccountUpdate.c */, CDC0DC941AE842640020BA6C /* SOSAccountRings.c */, CDC0DC951AE842640020BA6C /* SOSAccountRingUpdate.c */, + E75320EB1D0B83FC00DAB140 /* SOSAccountViewSync.c */, 528462991AE6FCF0004C1BA2 /* SOSBackupEvent.c */, 5284629A1AE6FCF0004C1BA2 /* SOSBackupEvent.h */, E71BAE801ACE1C6500DF0C29 /* SOSBackupSliceKeyBag.c */, 
@@ -2048,6 +2003,8 @@ CDC0DC3B1AE83E390020BA6C /* SOSRingV0.h */, 48F7DF241A6DB32900046644 /* SOSViews.c */, 48F7DF251A6DB32900046644 /* SOSViews.h */, + 4812D5A61CAF1FCB0041FAD8 /* ViewList.list */, + 4812D5A51CAF07060041FAD8 /* SOSViews.exp-in */, ); name = Circle; sourceTree = "<group>"; @@ -2106,12 +2063,20 @@ E7FEFB81169E362100E18152 /* Tool */ = { isa = PBXGroup; children = ( + 4899F2E81C768BBE00762615 /* secToolFileIO.h */, + 4899F2E71C768BBE00762615 /* secToolFileIO.c */, + E78DCD671D306C9000DE7A88 /* NSFileHandle+Formatting.h */, + E739A9DA1D3078D9003C088A /* NSFileHandle+Formatting.m */, E790C0F4169E3D7200E0C0C9 /* keychain_sync.h */, E7FEFB90169E36D800E18152 /* keychain_sync.c */, + E7ACD2FA1D30204E0038050D /* keychain_sync_test.h */, + E7ACD2F91D30204E0038050D /* keychain_sync_test.m */, 48279BC41C57FEA20043457C /* keychain_log.h */, 48279BC31C57FEA20043457C /* keychain_log.c */, - 48FEA7771C52FFE70020C148 /* secToolFileIO.c */, - 48FEA7781C52FFE70020C148 /* secToolFileIO.h */, + 485FE6BD1CDBED5800C916C5 /* syncbackup.h */, + 485FE6BC1CDBED5800C916C5 /* syncbackup.c */, + 4838F6BB1CB5AA5F009E8598 /* secViewDisplay.c */, + 4838F6BC1CB5AA5F009E8598 /* secViewDisplay.h */, ); path = Tool; sourceTree = "<group>"; @@ -2151,6 +2116,7 @@ buildActionMask = 2147483647; files = ( 18AD560F14CB6E7A008233F2 /* securityd_client.h in Headers */, + 4868F41C1C7409EF0011825E /* SOSInternal.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -2158,15 +2124,20 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + D4D9BA2E1C7E5F19008785EB /* SecTrustInternal.h in Headers */, + 4899F2EA1C768BBE00762615 /* secToolFileIO.h in Headers */, CDC765C41729A72800721712 /* SecPasswordGenerate.h in Headers */, 4A971695158FDEB800D439B7 /* SecOTR.h in Headers */, 4A971697158FDEB800D439B7 /* SecOTRDHKey.h in Headers */, 4492652A1AB0D6FF00644D4C /* SecCTKKeyPriv.h in Headers */, 4A971698158FDEB800D439B7 /* SecOTRErrors.h in Headers */, 4A97169A158FDEB800D439B7 /* SecOTRIdentityPriv.h in Headers */, + 5221C4C21CC5667E006047E7 /* secd-71-engine-save-sample1.h in Headers */, + D47F511F1C3B660500A7CEFE /* SecCFAllocator.h in Headers */, 4A97169C158FDEB800D439B7 /* SecOTRMath.h in Headers */, 4A97169F158FDEB800D439B7 /* SecOTRPacketData.h in Headers */, 4A9716A1158FDEB800D439B7 /* SecOTRPackets.h in Headers */, + BE4AC7DF1C938698002A28FE /* SecSignatureVerificationSupport.h in Headers */, 4A9716A4158FDEB800D439B7 /* SecOTRSession.h in Headers */, 4A9716A6158FDEB800D439B7 /* SecOTRSessionPriv.h in Headers */, 52D0F028169CA72800F07D79 /* SecOnOSX.h in Headers */, @@ -2186,6 +2157,7 @@ E7285C981AE1E4A800AD412D /* SOSEngine.h in Headers */, 4C05608A17B60F88001A879A /* SecDbKeychainItem.h in Headers */, 4C05608B17B60F88001A879A /* SecDbQuery.h in Headers */, + D474EF351C8A1CBC00AA4D86 /* personalization.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -2203,31 +2175,18 @@ 4CC92AC015A3BC4300C6D578 /* Security_regressions.h in Headers */, 4CC92A8C15A3ABD400C6D578 /* getcacert-mdes.h in Headers */, 4CC92A8D15A3ABD400C6D578 /* getcacert-mdesqa.h in Headers */, - BE3171931BB3559600BBB212 /* si-20-sectrust.h in Headers */, 4CC92A8F15A3ABD400C6D578 /* si-63-scep.h in Headers */, - D4DFC94B1B9958D00040945C /* si-87-sectrust-name-constraints.h in Headers */, 4CC92A9015A3ABD400C6D578 /* attached_no_data_signed_data.h in Headers */, + D4A919781CA9A3DD003D2ADA /* si-95-cms-basic.h in Headers */, 4CC92A9115A3ABD400C6D578 /* attached_signed_data.h in Headers */, - BECC54E61B98FF0000FB91DC /* si-86-sectrust-eap-tls.h in Headers */, 4CC92A9215A3ABD400C6D578 /* detached_content.h in Headers */, 4CC92A9315A3ABD400C6D578 /* detached_signed_data.h in Headers */, 4CC92A9415A3ABD400C6D578 /* privkey.h in Headers */, 4CC92A9515A3ABD400C6D578 /* signer.h in Headers */, 4CC92A9815A3ABD400C6D578 /* signed-receipt.h in Headers */, - 4CC92A9A15A3ABD400C6D578 /* Global Trustee.cer.h in Headers */, - 4CC92A9B15A3ABD400C6D578 /* UTN-USERFirst-Hardware.cer.h in Headers */, - 4CC92A9C15A3ABD400C6D578 /* addons.mozilla.org.cer.h in Headers */, - 4CC92A9D15A3ABD400C6D578 /* login.live.com.cer.h in Headers */, - D41380CA1C6E529500F1A4B6 /* si-92-sectrust-homekit.h in Headers */, - 4CC92A9E15A3ABD400C6D578 /* login.skype.com.cer.h in Headers */, - 4CC92A9F15A3ABD400C6D578 /* login.yahoo.com.1.cer.h in Headers */, - 4CC92AA015A3ABD400C6D578 /* login.yahoo.com.2.cer.h in Headers */, - D40294AA1C20A806008CE4B6 /* si-91-sectrust-ast2.h in Headers */, + D483DF6A1CD2DF9B00334824 /* si-20-sectrust.h in Headers */, D4CBC1491BE9A89E00C5795E /* si-89-cms-hash-agility.h in Headers */, - 4CC92AA115A3ABD400C6D578 /* login.yahoo.com.cer.h in Headers */, - 4CC92AA215A3ABD400C6D578 /* mail.google.com.cer.h in Headers */, - 858A54691BC6FE62008A03FA /* si-88-sectrust-vpnprofile.h in Headers */, - 4CC92AA315A3ABD400C6D578 /* www.google.com.cer.h in Headers */, + 
D442160A1CCAD9C200D2D455 /* si-22-sectrust-iap.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -2246,6 +2205,7 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + D4D886F11CECE75000DC7583 /* SecTrustInternal.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -2257,11 +2217,20 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + D40771B61C9B4D200016AA66 /* Headers */ = { + isa = PBXHeadersBuildPhase; + buildActionMask = 2147483647; + files = ( + 0C0C887A1CCED00E00617D1B /* shared_regressions.h in Headers */, + D44C81EA1CD1947200BE9A0D /* si-97-sectrust-path-scoring.h in Headers */, + D4653DEB1C9E2299002ED6D5 /* si-28-sectrustsettings.h in Headers */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; E702E75014E1F3EA00CDE635 /* Headers */ = { isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( - E75216AE1AF1F26500DDA573 /* SOSForerunnerSession.h in Headers */, E777C72715B882E5004044A8 /* SOSPeerInfo.h in Headers */, CDE5F87C1AF025AC0074958E /* SOSRingDER.h in Headers */, 4885010F1AF9857F00F10B61 /* SOSTypes.h in Headers */, @@ -2293,6 +2262,7 @@ CDE5F8B71AF026470074958E /* SOSTransportKeyParameterKVS.h in Headers */, CDE5F8B31AF026470074958E /* SOSTransportCircleKVS.h in Headers */, CDE5F88A1AF025B30074958E /* SOSRingBackup.h in Headers */, + 481A95521D1A02AA000B98F5 /* SOSCloudKeychainLogging.h in Headers */, 48A071D01AD6AEA900728AEF /* SOSPeerInfoSecurityProperties.h in Headers */, CDE5F89D1AF025BE0074958E /* SOSAccountPriv.h in Headers */, 489E6E4D1A71A87600D7EB8C /* SOSCircleDer.h in Headers */, 
@@ -2309,11 +2279,13 @@ CDE5F8A11AF025BE0074958E /* SOSBackupSliceKeyBag.h in Headers */, CDE5F8821AF025AC0074958E /* SOSRingUtils.h in Headers */, CDE5F89B1AF025BE0074958E /* SOSAccount.h in Headers */, + 48122CCA1CFF88FF009BE3E3 /* SOSAccountLog.h in Headers */, CDE5F8911AF025B80074958E /* SOSCircleRings.h in Headers */, CDE5F8871AF025B30074958E /* SOSGenCount.h in Headers */, 48FB17031A76F56C00B586C7 /* SOSPeerInfoV2.h in Headers */, 5284629C1AE6FCF0004C1BA2 /* SOSBackupEvent.h in Headers */, 4CBDB30E17B70206002FA799 /* SOSMessage.h in Headers */, + 48FD04F41CEFCFB900BEBBFF /* SOSAccountTransaction.h in Headers */, E79277E4163B110A0096F3E2 /* SOSFullPeerInfo.h in Headers */, E7B01B5B16532507000485F1 /* SOSCloudCircleInternal.h in Headers */, CDE5F8A71AF025DC0074958E /* SOSARCDefines.h in Headers */, @@ -2326,7 +2298,6 @@ buildActionMask = 2147483647; files = ( 4C495EDE1982125E00BC1809 /* SOSTestDevice.h in Headers */, - 521C0CDD15FFA05100604B61 /* CKDKeyValueStore.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -2476,23 +2447,6 @@ productReference = 4CC92B1415A3BC6B00C6D578 /* libsecuritydRegressions.a */; productType = "com.apple.product-type.library.static"; }; - 5284029F164445760035F320 /* libCloudKeychainProxy */ = { - isa = PBXNativeTarget; - buildConfigurationList = 528402A9164445760035F320 /* Build configuration list for PBXNativeTarget "libCloudKeychainProxy" */; - buildPhases = ( - 5284029C164445760035F320 /* Sources */, - 5284029D164445760035F320 /* Frameworks */, - 5284029E164445760035F320 /* CopyFiles */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = libCloudKeychainProxy; - productName = libCloudKeychainProxy; - productReference = 528402A0164445760035F320 /* libCloudKeychainProxy.a */; - productType = "com.apple.product-type.library.static"; - }; BE8D227F1ABB7199009A4E18 /* libSecTrustOSX */ = { isa = PBXNativeTarget; buildConfigurationList = BE8D228B1ABB7199009A4E18 /* Build configuration list for PBXNativeTarget "libSecTrustOSX" */; 
@@ -2527,21 +2481,21 @@ productReference = BEF9640618B4171200813FA3 /* libSWCAgent.a */; productType = "com.apple.product-type.library.static"; }; - CD3F914A1A802EBF00E07119 /* libIDSKeychainSyncingProxy */ = { + D40771B71C9B4D200016AA66 /* libSharedRegressions */ = { isa = PBXNativeTarget; - buildConfigurationList = CD3F915C1A802EC000E07119 /* Build configuration list for PBXNativeTarget "libIDSKeychainSyncingProxy" */; + buildConfigurationList = D40771B91C9B4D200016AA66 /* Build configuration list for PBXNativeTarget "libSharedRegressions" */; buildPhases = ( - CD3F91471A802EBF00E07119 /* Sources */, - CD3F91481A802EBF00E07119 /* Frameworks */, - CD3F91491A802EBF00E07119 /* CopyFiles */, + D40771B41C9B4D200016AA66 /* Sources */, + D40771B51C9B4D200016AA66 /* Frameworks */, + D40771B61C9B4D200016AA66 /* Headers */, ); buildRules = ( ); dependencies = ( ); - name = libIDSKeychainSyncingProxy; - productName = libIDSKeychainSyncingProxy; - productReference = CD3F914B1A802EBF00E07119 /* libIDSKeychainSyncingProxy.a */; + name = libSharedRegressions; + productName = libSharedRegressions; + productReference = D40771B81C9B4D200016AA66 /* libSharedRegressions.a */; productType = "com.apple.product-type.library.static"; }; E702E73514E1F3EA00CDE635 /* libSecureObjectSync */ = { @@ -2652,10 +2606,10 @@ 186CDD0614CA116C00AF9171 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; TargetAttributes = { - CD3F914A1A802EBF00E07119 = { - CreatedOnToolsVersion = 7.0; + D40771B71C9B4D200016AA66 = { + CreatedOnToolsVersion = 7.3; }; }; }; 
@@ -2677,18 +2631,17 @@ BE8D227F1ABB7199009A4E18 /* libSecTrustOSX */, 18270F5414CF651900B05E7F /* libsecipc_client */, E702E73514E1F3EA00CDE635 /* libSecureObjectSync */, - E702E75714E1F48800CDE635 /* libSOSRegressions */, - 4A824AFB158FF07000F932C0 /* libSecurityRegressions */, - 4CC92AC215A3BC6B00C6D578 /* libsecuritydRegressions */, 4A5CCA4E15ACEFA500702357 /* libSecOtrOSX */, - 5284029F164445760035F320 /* libCloudKeychainProxy */, - CD3F914A1A802EBF00E07119 /* libIDSKeychainSyncingProxy */, E71049F1169E023B00DB0045 /* libSecurityTool */, E7104A12169E216E00DB0045 /* libSecurityCommands */, E7FEFB82169E363300E18152 /* libSOSCommands */, - 0C0BDB55175687EC00BC1A7E /* libsecdRegressions */, BEF963FE18B4171200813FA3 /* libSWCAgent */, E76079971951FD2800F69731 /* liblogging */, + E702E75714E1F48800CDE635 /* libSOSRegressions */, + 4A824AFB158FF07000F932C0 /* libSecurityRegressions */, + 4CC92AC215A3BC6B00C6D578 /* libsecuritydRegressions */, + 0C0BDB55175687EC00BC1A7E /* libsecdRegressions */, + D40771B71C9B4D200016AA66 /* libSharedRegressions */, ); }; /* End PBXProject section */ 
@@ -2698,17 +2651,22 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + 4826374D1CC18A410082C9C8 /* secd-57-1-account-last-standing.c in Sources */, CD655E951AF02DDC00BD1B6E /* secd-62-account-backup.c in Sources */, 523CBBF61B321C6A002C0884 /* secd-50-message.c in Sources */, E7F0D3EA177BBE35001ACBC1 /* secd-55-account-incompatibility.c in Sources */, 0C0BDB63175688DA00BC1A7E /* secd-01-items.c in Sources */, 4882C517177521AE0095D04B /* secd-58-password-change.c in Sources */, + 48B5888C1D00ED9000E0C5A7 /* secd-200-logstate.c in Sources */, EB3409AF1C1D5BBE00D77661 /* secd-20-keychain_upgrade.m in Sources */, E7A10FAE1771249C00C4602F /* secd-57-account-leave.c in Sources */, 48FABEE31AD06B6B00C061D1 /* secd-62-account-hsa-join.c in Sources */, + CD9B54131CC6EED100CC487A /* secd-100-initialsync.c in Sources */, 4469FC2C1AA0A6C90021AA26 /* secd-32-restore-bad-backup.c in Sources */, 523CBBF91B3227B5002C0884 /* secd-49-manifests.c in Sources */, E7F18555177A44E000177B23 /* secd-60-account-cloud-identity.c in Sources */, + 5EF2596F1CB5214B009B4C58 /* secd-83-item-match-policy.m in Sources */, + 5E0CE1651CB6347300E75776 /* secd-83-item-match-valid-on-date.m in Sources */, 4CC62F221B4EF136009FEF0E /* secd-75-engine-views.c in Sources */, F9EF72F21AC0F98400A4D24A /* secd-70-engine-smash.c in Sources */, 5384299418E492A300E91AFE /* secd-70-otr-remote.c in Sources */, 
@@ -2720,9 +2678,11 @@ 0CBF93F8177B7CFC001E5658 /* secd-03-corrupted-items.c in Sources */, E75AB91B1AE9964800C5EF3F /* secd-40-cc-gestalt.c in Sources */, 0CBF93FC177BA9D9001E5658 /* secd-05-corrupted-items.m in Sources */, + 5E0CE1671CB6348D00E75776 /* secd-83-item-match-trusted.m in Sources */, 527258D11981C00F003CFCEC /* secd-70-engine.c in Sources */, E7850ED11BB30E87002A54CA /* secd-65-account-retirement-reset.c in Sources */, 4C495EDF1982145200BC1809 /* SOSTestDevice.c in Sources */, + E78A9AB21D34263100006B5B /* secd-130-other-peer-views.c in Sources */, 0CBF93F9177B7CFC001E5658 /* secd-04-corrupted-items.c in Sources */, 4898223A17BDB277003BEF32 /* secd-52-account-changed.c in Sources */, 0C062B1F175E784B00806CFE /* secd-30-keychain-upgrade.c in Sources */, @@ -2738,12 +2698,13 @@ 5EA016381AD41AC70061BCD7 /* secd-81-item-acl.c in Sources */, 4C495EE21982171500BC1809 /* secd-70-engine-corrupt.c in Sources */, CDAD4E9D18EC9B67007D4BC2 /* SOSTransportTestTransports.c in Sources */, + 48A9E62F1C837B4100160B5F /* secd-90-hsa2.c in Sources */, 529F46F31AEC7A2E0002392C /* secd-34-backup-der-parse.c in Sources */, 486C6C691795F9D600387075 /* secd-61-account-leave-not-in-kansas-anymore.c in Sources */, E79D62BD176799EE005A9743 /* SOSTestDataSource.c in Sources */, EBF2D7661C1E482B006AB6FF /* secd-21-transmogrify.m in Sources */, 448305111B46FC0D00326450 /* secd-35-keychain-migrate-inet.c in Sources */, - 4469FC2D1AA0A6D00021AA26 /* secd-33-keychain-ctk.c in Sources */, + 4469FC2D1AA0A6D00021AA26 /* secd-33-keychain-ctk.m in Sources */, E79D62BC176799DB005A9743 /* SOSRegressionUtilities.c in Sources */, E7A10FAC1771246A00C4602F /* secd-55-account-circle.c in Sources */, E79D62C01767A5BC005A9743 /* SecdTestKeychainUtilities.c in Sources */, 
@@ -2765,12 +2726,17 @@ buildActionMask = 2147483647; files = ( 52FD82A01AEAC8C100634FD3 /* SecItemBackup.c in Sources */, + 093F67A51CC1171B0033151D /* SecKeyAdaptors.c in Sources */, + D47F511E1C3B660500A7CEFE /* SecCFAllocator.c in Sources */, 18AD566714CB70A8008233F2 /* SecItem.c in Sources */, + 442B69221BC3B1B9000F3A72 /* SecRSAKey.c in Sources */, BEFE994E14F2E17200356A97 /* SecDH.c in Sources */, + 442B69251BC3DBA9000F3A72 /* SecCTKKey.c in Sources */, 4C8D8627177A71E80019A804 /* SOSCloudCircle.c in Sources */, 446BB5E518F83172005D1B83 /* SecAccessControl.c in Sources */, + 442B69201BC3B149000F3A72 /* SecKey.c in Sources */, 4C3CE9E7176005A700B521C2 /* SecuritydXPC.c in Sources */, - 4C8940DB166EA8CF00241770 /* osxshim.c in Sources */, + 442B69211BC3B196000F3A72 /* SecECKey.c in Sources */, 52BF439C1AFC50EC00821B5D /* SecItemConstants.c in Sources */, 4C8D8628177A71FB0019A804 /* SecPasswordGenerate.c in Sources */, ); 
@@ -2781,20 +2747,27 @@ buildActionMask = 2147483647; files = ( 18D4043914CE1FE400A2BE4E /* p12import.c in Sources */, + 0C3276C31CB329AB005D6DDC /* secd_77_ids_messaging.c in Sources */, 18D4043A14CE1FE400A2BE4E /* p12pbegen.c in Sources */, 18D4043B14CE1FE400A2BE4E /* pbkdf2.c in Sources */, + D47F511D1C3B660500A7CEFE /* SecCFAllocator.c in Sources */, C6766768189884D200E9A12C /* SecAccessControl.c in Sources */, 18D4043C14CE1FE400A2BE4E /* SecBase64.c in Sources */, CDF9BBE11B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c in Sources */, 18D4043D14CE1FE400A2BE4E /* SecCertificate.c in Sources */, 18D4043E14CE1FE400A2BE4E /* SecCertificatePath.c in Sources */, 18D4043F14CE1FE400A2BE4E /* SecCertificateRequest.c in Sources */, + 0C60F39C1CAF0E8E00221D24 /* secd-76-idstransport.c in Sources */, 18D4044014CE1FE400A2BE4E /* SecCMS.c in Sources */, + 4899F2E91C768BBE00762615 /* secToolFileIO.c in Sources */, 18D4044114CE1FE400A2BE4E /* SecDH.c in Sources */, + 5221C4981CBEDB7C006047E7 /* secd-71-engine-save.c in Sources */, 449265291AB0D6FF00644D4C /* SecCTKKey.c in Sources */, CD8F442D1B83C435004C0047 /* secd-95-escrow-persistence.c in Sources */, 18D4044214CE1FE400A2BE4E /* SecECKey.c in Sources */, CD35B82A1C2650FE00E0852A /* secd-154-engine-backoff.c in Sources */, + 093F67A41CC1171B0033151D /* SecKeyAdaptors.c in Sources */, + D48C567D1C73E5C300E41928 /* SecPolicyLeafCallbacks.c in Sources */, 18D4044314CE1FE400A2BE4E /* SecFramework.c in Sources */, 18D4044414CE1FE400A2BE4E /* SecIdentity.c in Sources */, 18D4044514CE1FE400A2BE4E /* SecImportExport.c in Sources */, 
@@ -2817,7 +2790,10 @@ 18D4045014CE1FE400A2BE4E /* vmdh.c in Sources */, 4A971696158FDEB800D439B7 /* SecOTRDHKey.c in Sources */, E795C9541913F88D00FA068C /* SecServerEncryptionSupport.c in Sources */, + BE4AC7DE1C938698002A28FE /* SecSignatureVerificationSupport.c in Sources */, + 4838F6BF1CB5AA7E009E8598 /* secViewDisplay.c in Sources */, 4A971699158FDEB800D439B7 /* SecOTRFullIdentity.c in Sources */, + EB6432BD1C510A6E00B671F2 /* SecDigest.c in Sources */, 4A97169B158FDEB800D439B7 /* SecOTRMath.c in Sources */, 4A97169E158FDEB800D439B7 /* SecOTRPacketData.c in Sources */, 4A9716A0158FDEB800D439B7 /* SecOTRPackets.c in Sources */, @@ -2835,6 +2811,7 @@ files = ( E795C9481911A41300FA068C /* SecLogSettingsServer.c in Sources */, 4C055FF717B60F1E001A879A /* SecItemSchema.c in Sources */, + E738B72F1D11D9760099E5C5 /* SOSChangeTracker.c in Sources */, 4C055FF617B60F1E001A879A /* SecItemDb.c in Sources */, 7249E1CB16C01E5F003D7268 /* OTATrustUtilities.c in Sources */, 5356520318E3C71000C383C0 /* SecOTRRemote.c in Sources */, @@ -2846,11 +2823,11 @@ 4C3CE9E8176005B500B521C2 /* SecuritydXPC.c in Sources */, 18D4056C14CE53DD00A2BE4E /* SecOCSPCache.c in Sources */, 72B5923D17C6939A00AE738B /* iCloudTrace.c in Sources */, - E7285C971AE1E47D00AD412D /* SOSEngine.c in Sources */, 4C055FF317B60F1E001A879A /* SecDbKeychainItem.c in Sources */, 18D4056D14CE53DD00A2BE4E /* SecOCSPRequest.c in Sources */, 18D4056E14CE53DD00A2BE4E /* SecOCSPResponse.c in Sources */, 18D4056F14CE53DD00A2BE4E /* SecPolicyServer.c in Sources */, + E738B7301D11D9840099E5C5 /* SOSEngine.c in Sources */, 4C055FF817B60F1E001A879A /* SecKeybagSupport.c in Sources */, 4C055FF517B60F1E001A879A /* SecItemDataSource.c in Sources */, 4C055FF417B60F1E001A879A /* SecDbQuery.c in Sources */, 
@@ -2861,8 +2838,8 @@ 18D4057214CE547400A2BE4E /* spi.c in Sources */, E7B01B691655DF20000485F1 /* SOSCloudCircleServer.c in Sources */, BE5EC1F018C80108005E7682 /* swcagent_client.c in Sources */, - E7285CAC1AE1E4DF00AD412D /* SOSChangeTracker.c in Sources */, 525394AE1660A30000BA9687 /* SecDbItem.c in Sources */, + D474EF341C8A1CBC00AA4D86 /* personalization.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -2886,17 +2863,14 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - D4B4A9A81B8BB9B70097B393 /* si-85-sectrust-ssl-policy.c in Sources */, - D445CDE11B44D53C005040AC /* si-84-sectrust-atv-appsigning.c in Sources */, - BE794826196DBEAD00F4BA63 /* si-81-sectrust-server-auth.c in Sources */, D4CBC1481BE9A89E00C5795E /* si-89-cms-hash-agility.c in Sources */, 4CC92A5F15A3ABD400C6D578 /* pbkdf2-00-hmac-sha1.c in Sources */, 4CC92A6015A3ABD400C6D578 /* spbkdf-00-hmac-sha1.c in Sources */, 4CC92A6115A3ABD400C6D578 /* otr-00-identity.c in Sources */, 4CC92A6215A3ABD400C6D578 /* otr-30-negotiation.c in Sources */, 4CC92A6315A3ABD400C6D578 /* otr-otrdh.c in Sources */, + EBD344801D234E37008B6DEA /* si-15-delete-access-group.m in Sources */, 4CC92A6415A3ABD400C6D578 /* otr-packetdata.c in Sources */, - 7DE20930192D29D90066419C /* si-79-smp-cert-policy.c in Sources */, 4CC92A6515A3ABD400C6D578 /* si-00-find-nothing.c in Sources */, 4CC92A6615A3ABD400C6D578 /* si-05-add.c in Sources */, 4CC92A6715A3ABD400C6D578 /* si-10-find-internet.c in Sources */, 
@@ -2904,47 +2878,22 @@ CD8E09011A2E918900A2503A /* otr-40-edgecases.c in Sources */, 4CC92A6815A3ABD400C6D578 /* si-11-update-data.c in Sources */, 4CC92A6915A3ABD400C6D578 /* si-14-dateparse.c in Sources */, - 4CC92A6A15A3ABD400C6D578 /* si-15-certificate.c in Sources */, + D4A919771CA9A3DD003D2ADA /* si-95-cms-basic.c in Sources */, 4406660F19069C67000DA171 /* si-80-empty-data.c in Sources */, BE061FCF1899E5BD00C739F6 /* si-76-shared-credentials.c in Sources */, - 4CC92A6B15A3ABD400C6D578 /* si-16-ec-certificate.c in Sources */, - 4CC92A6C15A3ABD400C6D578 /* si-20-sectrust-activation.c in Sources */, - 4CC92A6D15A3ABD400C6D578 /* si-20-sectrust.c in Sources */, BE62D7601747FF3E001EAA9D /* si-72-syncableitems.c in Sources */, - 858A54681BC6FE62008A03FA /* si-88-sectrust-vpnprofile.c in Sources */, - 4CC92A6E15A3ABD400C6D578 /* si-21-sectrust-asr.c in Sources */, - 4CC92A6F15A3ABD400C6D578 /* si-22-sectrust-iap.c in Sources */, - 4CC92A7015A3ABD400C6D578 /* si-23-sectrust-ocsp.c in Sources */, - 4CC92A7115A3ABD400C6D578 /* si-24-sectrust-appleid.c in Sources */, - 4CC92A7215A3ABD400C6D578 /* si-24-sectrust-digicert-malaysia.c in Sources */, - 4CC92A7315A3ABD400C6D578 /* si-24-sectrust-diginotar.c in Sources */, EB9C1D0A1BDDBDE000F89272 /* si-13-item-system.m in Sources */, - D4DFC94A1B9958D00040945C /* si-87-sectrust-name-constraints.c in Sources */, CDB6A8B81A409BC600646CD6 /* otr-60-slowroll.c in Sources */, - 4CC92A7415A3ABD400C6D578 /* si-24-sectrust-itms.c in Sources */, EB69AB061BF425FD00913AF1 /* si-90-emcs.m in Sources */, - 4CC92A7515A3ABD400C6D578 /* si-24-sectrust-mobileasset.c in Sources */, 4477A8D918F28AB700B5BB9F /* si-78-query-attrs.c in Sources */, - 4CC92A7615A3ABD400C6D578 /* si-24-sectrust-nist.c in Sources */, - D41380C91C6E529500F1A4B6 /* si-92-sectrust-homekit.c in Sources */, - 4CC92A7715A3ABD400C6D578 /* si-24-sectrust-otatasking.c in Sources */, - 4CC92A7815A3ABD400C6D578 /* si-24-sectrust-shoebox.c in Sources */, - 
EB8F48DD1AE4CC7000CE93A7 /* si-25-sectrust-apple-authentication.c in Sources */, - 4CC92A7915A3ABD400C6D578 /* si-25-sectrust-ipsec-eap.c in Sources */, - 4CC92A7A15A3ABD400C6D578 /* si-26-applicationsigning.c in Sources */, - 4CC92A7B15A3ABD400C6D578 /* si-27-sectrust-exceptions.c in Sources */, - 4CC92A7C15A3ABD400C6D578 /* si-28-sectrustsettings.c in Sources */, - 4CC92A7D15A3ABD400C6D578 /* si-29-sectrust-codesigning.c in Sources */, + 440BF8F81A7A82AE001760A7 /* si-82-token-ag.c in Sources */, 4CC92A7E15A3ABD400C6D578 /* si-30-keychain-upgrade.c in Sources */, 4C2C8C3D17AB374700C24C13 /* si-12-item-stress.c in Sources */, - D40294A91C20A806008CE4B6 /* si-91-sectrust-ast2.c in Sources */, 4CC92A7F15A3ABD400C6D578 /* si-31-keychain-bad.c in Sources */, 4CC92A8015A3ABD400C6D578 /* si-31-keychain-unreadable.c in Sources */, 4CC92A8215A3ABD400C6D578 /* si-33-keychain-backup.c in Sources */, - BE0CC6081A96B69000662E69 /* si-83-seccertificate-sighashalg.c in Sources */, 4CC92A8315A3ABD400C6D578 /* si-40-seckey-custom.c in Sources */, E7CA197A17179EC20065299C /* si-69-keydesc.c in Sources */, - BE62D7621747FF51001EAA9D /* si-70-sectrust-unified.c in Sources */, 4CC92A8415A3ABD400C6D578 /* si-40-seckey.c in Sources */, 4CC92A8515A3ABD400C6D578 /* si-41-sececkey.c in Sources */, E7EBD75819145DF000D0F062 /* so_01_serverencryption.c in Sources */, 
@@ -2952,20 +2901,14 @@ 4CC92A8715A3ABD400C6D578 /* si-43-persistent.c in Sources */, 4CC92A8815A3ABD400C6D578 /* si-50-secrandom.c in Sources */, 4CC92A8915A3ABD400C6D578 /* si-60-cms.c in Sources */, - 5DE4A7BD17441CCD0036339E /* si-71-mobile-store-policy.c in Sources */, - BECC54E51B98FF0000FB91DC /* si-86-sectrust-eap-tls.c in Sources */, CDB6A8B61A409BBF00646CD6 /* otr-50-roll.c in Sources */, - F953A6A91B43597D006EC5E1 /* si-81-sectrust-appletv.c in Sources */, CDD565A2173193AC00B6B074 /* si-73-secpasswordgenerate.c in Sources */, 4CC92A8A15A3ABD400C6D578 /* si-61-pkcs12.c in Sources */, 4CC92A8B15A3ABD400C6D578 /* si-62-csr.c in Sources */, 4CC92A8E15A3ABD400C6D578 /* si-63-scep.c in Sources */, 4CC92A9615A3ABD400C6D578 /* si-64-ossl-cms.c in Sources */, - 7255A46C1783333D006A8B9A /* si-74-OTAPKISigner.c in Sources */, - 7255F91417A973D5004A9F38 /* si-75-AppleIDRecordSigning.c in Sources */, 4CC92A9715A3ABD400C6D578 /* si-65-cms-cert-policy.c in Sources */, 4CC92A9915A3ABD400C6D578 /* si-66-smime.c in Sources */, - 4CC92AA415A3ABD400C6D578 /* si-67-sectrust-blacklist.c in Sources */, 4CC92AA515A3ABD400C6D578 /* vmdh-40.c in Sources */, 4CC92AA615A3ABD400C6D578 /* vmdh-41-example.c in Sources */, 4CC92AA715A3ABD400C6D578 /* vmdh-42-example2.c in Sources */, 
@@ -2980,19 +2923,7 @@ files = ( 4CC92AF915A3BC6B00C6D578 /* sd-10-policytree.c in Sources */, CD95312B19228D8D005A76B2 /* SOSTransportTestTransports.c in Sources */, - 48FABEE21AD05C7100C061D1 /* secd-90-hsa2.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 5284029C164445760035F320 /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - CDA9828A197F0C3C006A0A9F /* cloudkeychainproxy.m in Sources */, - 528402AE164446410035F320 /* CKDKVSProxy.m in Sources */, - 528402AF164446410035F320 /* CKDPersistentState.m in Sources */, - 528402B1164446410035F320 /* CKDUserInteraction.m in Sources */, - 528402B2164447610035F320 /* SOSCloudKeychainConstants.c in Sources */, + E78A9AB31D34630300006B5B /* secd-95-escrow-persistence.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -3001,14 +2932,20 @@ buildActionMask = 2147483647; files = ( BE8D228F1ABB7253009A4E18 /* SecCertificate.c in Sources */, + EB6432BE1C510A6E00B671F2 /* SecDigest.c in Sources */, + D45FC3E71C9E084B00509CDA /* SecBase64.c in Sources */, BE8D22C21ABBA4D0009A4E18 /* SecCertificatePath.c in Sources */, + 093F67A61CC1171B0033151D /* SecKeyAdaptors.c in Sources */, BE8D22901ABB725C009A4E18 /* SecPolicy.c in Sources */, + D4704F341C76AEB600E15025 /* SecPolicyLeafCallbacks.c in Sources */, BE8D22911ABB7264009A4E18 /* SecTrust.c in Sources */, BE8D22921ABB726A009A4E18 /* SecTrustSettings.c in Sources */, BE8D22931ABB7272009A4E18 /* SecTrustStore.c in Sources */, BE53FA301B0AC5C300719A63 /* SecKey.c in Sources */, BE53FA311B0AC65500719A63 /* SecECKey.c in Sources */, BE53FA321B0AC65B00719A63 /* SecRSAKey.c in Sources */, + D4D9BA2F1C7E611C008785EB /* SecServerEncryptionSupport.c in Sources */, + BE4AC7E01C9386B9002A28FE /* SecSignatureVerificationSupport.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -3021,16 +2958,39 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - CD3F91471A802EBF00E07119 /* Sources */ = { + D40771B41C9B4D200016AA66 /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - CD5D340D1A80391B00EBF353 /* idskeychainsyncingproxy.m in Sources */, - CDD450111ACF13BC00A37449 /* IDSPersistentState.m in Sources */, - CD5D340B1A80391B00EBF353 /* IDSProxy.m in Sources */, - CD0CB4761A81891300C058A4 /* IDSProxy.h in Sources */, - CDF42C071A884BB10080BB05 /* idksmain.m in Sources */, - CD63ACDB1A805D3E001B5671 /* SOSCloudKeychainConstants.c in Sources */, + 09AE116F1CEDA1E4004C617D /* si-44-seckey-ies.m in Sources */, + 09EC947F1CEDEA70003E5101 /* si-44-seckey-rsa.m in Sources */, + D4D887531CED0A9100DC7583 /* si-24-sectrust-digicert-malaysia.c in Sources */, + D4D886C21CEB9FC600DC7583 /* si-85-sectrust-ssl-policy.c in Sources */, + D4D887541CED0A9700DC7583 /* si-24-sectrust-diginotar.c in Sources */, + D4D887571CED0B9400DC7583 /* si-27-sectrust-exceptions.c in Sources */, + 0982E02C1D19695B0060002E /* si-44-seckey-ec.m in Sources */, + D44C81E81CD1944C00BE9A0D /* si-97-sectrust-path-scoring.m in Sources */, + D4D886F01CEC008600DC7583 /* si-23-sectrust-ocsp.c in Sources */, + D4D8875E1CED490700DC7583 /* si-74-OTAPKISigner.c in Sources */, + D4D886C11CEB9FAC00DC7583 /* si-87-sectrust-name-constraints.c in Sources */, + D4EC94FF1CEA4A870083E753 /* si-20-sectrust-policies.m in Sources */, + D4D887551CED0B7D00DC7583 /* si-24-sectrust-passbook.c in Sources */, + D4D887561CED0B8600DC7583 /* si-26-sectrust-copyproperties.c in Sources */, + D4D886EC1CEBF9C700DC7583 /* si-16-ec-certificate.c in Sources */, + D4D886EB1CEBF9C300DC7583 /* si-15-certificate.c in Sources */, + D4D886F41CED027800DC7583 /* si-24-sectrust-itms.c in Sources */, + D4D886EE1CEC007000DC7583 /* si-21-sectrust-asr.c in Sources */, + D4D887591CED40A500DC7583 /* si-70-sectrust-unified.c in Sources */, + D4D886ED1CEC006100DC7583 /* si-20-sectrust.c in Sources */, 
+ D4D8875F1CED491A00DC7583 /* si-83-seccertificate-sighashalg.c in Sources */, + D4D886F51CED027D00DC7583 /* si-24-sectrust-nist.c in Sources */, + D4D8875A1CED40AA00DC7583 /* si-67-sectrust-blacklist.c in Sources */, + D43CDF731C9C77540020217E /* si-28-sectrustsettings.m in Sources */, + D4D887581CED40A000DC7583 /* si-71-mobile-store-policy.c in Sources */, + D40771BE1C9B50590016AA66 /* si-82-seccertificate-ct.c in Sources */, + D4D886EF1CEC007900DC7583 /* si-22-sectrust-iap.c in Sources */, + D40771BF1C9B50590016AA66 /* si-82-sectrust-ct.m in Sources */, + 09D1FC1F1CDCBABF00A82D0D /* si-44-seckey-gen.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -3038,50 +2998,54 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - CDE5F89F1AF025BE0074958E /* SOSAccountRingUpdate.c in Sources */, CDE5F87F1AF025AC0074958E /* SOSRingTypes.c in Sources */, CDE5F8A51AF025D60074958E /* SOSPeerInfoRingState.c in Sources */, + 4838F6C11CB5B061009E8598 /* secToolFileIO.c in Sources */, 48A071CF1AD6AEA900728AEF /* SOSPeerInfoSecurityProperties.c in Sources */, CDE5F8B01AF026470074958E /* SOSTransportCircle.c in Sources */, CDE5F8861AF025B30074958E /* SOSGenCount.c in Sources */, - 4802A59616D711060059E5B9 /* SOSUserKeygen.c in Sources */, - CDE5F89A1AF025BE0074958E /* SOSAccount.c in Sources */, 489E6E4C1A71A87600D7EB8C /* SOSCircleDer.c in Sources */, 4CC929B515A3957800C6D578 /* SOSCircle.c in Sources */, 4CC929B715A3957800C6D578 /* SOSPeer.c in Sources */, CDE5F88B1AF025B30074958E /* SOSRingBasic.c in Sources */, - 48C7DF9A17FF44EF00904F1A /* SOSAccountCloudParameters.c in Sources */, - E75216AD1AF1F26500DDA573 /* SOSForerunnerSession.c in Sources */, CDE5F8891AF025B30074958E /* SOSRingBackup.c in Sources */, CDE5F8A21AF025D60074958E /* SOSPeerInfoDER.c in Sources */, - 48764AEF17FA36200005C4F1 /* SOSAccountUpdate.c in Sources */, CDE5F8AC1AF026470074958E /* SOSTransport.c in Sources */, - CDE5F89E1AF025BE0074958E /* SOSAccountRings.c in Sources */, + E738B7251D11D88C0099E5C5 /* SOSAccountLog.c in Sources */, + E738B7211D11D88C0099E5C5 /* SOSAccountDer.c in Sources */, 48E9CDFC1C597FED00574D6B /* SOSSysdiagnose.c in Sources */, - CDE5F89C1AF025BE0074958E /* SOSAccountBackup.c in Sources */, - 48C7DF9617FF351A00904F1A /* SOSAccountPeers.c in Sources */, CDE5F88F1AF025B80074958E /* SOSCircleV2.c in Sources */, - 48FABEDD1AD05C1D00C061D1 /* SOSAccountHSAJoin.c in Sources */, CD773AC61ADDFDDB00C808BA /* SOSTransportBackupPeer.c in Sources */, - CDE5F8A01AF025BE0074958E /* SOSBackupSliceKeyBag.c in Sources */, + E738B71B1D11D88C0099E5C5 /* SOSAccountTransaction.c in Sources */, + E738B7321D11DAB70099E5C5 /* 
SOSAccountViewSync.c in Sources */, CDE5F8A81AF025DC0074958E /* SOSECWrapUnwrap.c in Sources */, 48FB17021A76F56C00B586C7 /* SOSPeerInfoV2.c in Sources */, E777C71E15B73F9E004044A8 /* SOSInternal.c in Sources */, CDE5F8BA1AF026470074958E /* SOSTransportMessageKVS.c in Sources */, E777C72615B87545004044A8 /* SOSPeerInfo.c in Sources */, + E738B7201D11D88C0099E5C5 /* SOSAccountCredentials.c in Sources */, CDE5F8B61AF026470074958E /* SOSTransportKeyParameterKVS.c in Sources */, - 48764AE817FA2DD00005C4F1 /* SOSAccountDer.c in Sources */, + E738B72B1D11D88C0099E5C5 /* SOSBackupSliceKeyBag.c in Sources */, + E738B7241D11D88C0099E5C5 /* SOSAccountPersistence.c in Sources */, + E738B71D1D11D88C0099E5C5 /* SOSAccountCircles.c in Sources */, + E738B7221D11D88C0099E5C5 /* SOSAccountFullPeerInfo.c in Sources */, E7217B2715F8131A00D26031 /* SOSCloudKeychainConstants.c in Sources */, 4C65154B17B5A08900691B6A /* SOSDigestVector.c in Sources */, + E738B7231D11D88C0099E5C5 /* SOSAccountPeers.c in Sources */, E7A634E317FA471500920B67 /* SOSPeerInfoCollections.c in Sources */, 48F7DF261A6DB32900046644 /* SOSViews.c in Sources */, + 481A95511D1A02AA000B98F5 /* SOSCloudKeychainLogging.c in Sources */, + E738B72A1D11D88C0099E5C5 /* SOSBackupEvent.c in Sources */, E79277E3163B110A0096F3E2 /* SOSFullPeerInfo.c in Sources */, - 5284629B1AE6FCF0004C1BA2 /* SOSBackupEvent.c in Sources */, CDE5F87B1AF025A40074958E /* SOSRingDER.c in Sources */, + E738B71C1D11D88C0099E5C5 /* SOSAccountBackup.c in Sources */, CDE5F8831AF025AC0074958E /* SOSRingV0.c in Sources */, CDE5F87D1AF025AC0074958E /* SOSRingPeerInfoUtils.c in Sources */, CDE5F8AA1AF026130074958E /* SOSTransportMessageIDS.c in Sources */, - 48C7DF9317FF2DB500904F1A /* SOSAccountCredentials.c in Sources */, + E738B7281D11D88C0099E5C5 /* SOSAccountRingUpdate.c in Sources */, + E738B7261D11D88C0099E5C5 /* SOSAccountUpdate.c in Sources */, + E738B71E1D11D88C0099E5C5 /* SOSAccountHSAJoin.c in Sources */, + E738B71A1D11D88C0099E5C5 /* 
SOSAccount.c in Sources */, 52EAF4BE163C52EB00803D0F /* SOSCloudKeychainClient.c in Sources */, CDE5F8B21AF026470074958E /* SOSTransportCircleKVS.c in Sources */, 4C8BDD9F17B4FDE100C20EA5 /* SOSManifest.c in Sources */, @@ -3091,11 +3055,12 @@ 4CBDB30D17B70206002FA799 /* SOSMessage.c in Sources */, CD32776B18F8AEFD006B5280 /* SOSPeerCoder.c in Sources */, CDE5F8B41AF026470074958E /* SOSTransportKeyParameter.c in Sources */, + E738B71F1D11D88C0099E5C5 /* SOSAccountCloudParameters.c in Sources */, CDE5F8811AF025AC0074958E /* SOSRingUtils.c in Sources */, - 48C7DF9817FF360F00904F1A /* SOSAccountFullPeerInfo.c in Sources */, - 48764AF517FA3FE50005C4F1 /* SOSAccountCircles.c in Sources */, 48764AF217FA3ACF0005C4F1 /* SOSKVSKeys.c in Sources */, - 48764AEC17FA31E50005C4F1 /* SOSAccountPersistence.c in Sources */, + E738B72C1D11D88C0099E5C5 /* SOSUserKeygen.c in Sources */, + 4838F6C01CB5B055009E8598 /* secViewDisplay.c in Sources */, + E738B7271D11D88C0099E5C5 /* SOSAccountRings.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -3165,30 +3130,24 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + 485FE6BE1CDBED9500C916C5 /* syncbackup.c in Sources */, 48279BC51C57FEA20043457C /* keychain_log.c in Sources */, + 4838F6BE1CB5AA7C009E8598 /* secViewDisplay.c in Sources */, + 4899F2EC1C7690DE00762615 /* secToolFileIO.c in Sources */, + E7ACD2FB1D30204E0038050D /* keychain_sync_test.m in Sources */, E7FEFB91169E36D800E18152 /* keychain_sync.c in Sources */, - 48FEA77C1C53000A0020C148 /* secToolFileIO.c in Sources */, + E739A9DB1D3078D9003C088A /* NSFileHandle+Formatting.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; /* End PBXSourcesBuildPhase section */ -/* Begin PBXVariantGroup section */ - 521C0BAC15FA5DA800604B61 /* InfoPlist.strings */ = { - isa = PBXVariantGroup; - children = ( - 521C0BAD15FA5DA800604B61 /* en */, - ); - name = InfoPlist.strings; - sourceTree = "<group>"; - }; -/* End PBXVariantGroup section */ - /* Begin XCBuildConfiguration section */ 0C0BDB5D175687EC00BC1A7E /* Debug */ = { isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", @@ -3202,6 +3161,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", @@ -3245,7 +3205,16 @@ CLANG_WARN_UNREACHABLE_CODE = NO; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; ENABLE_STRICT_OBJC_MSGSEND = YES; + ENABLE_TESTABILITY = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_PREPROCESSOR_DEFINITIONS = ( + "$(inherited)", + "DEBUG=1", + "NO_SERVER=1", + "__KEYCHAINCORE__=1", + ); GCC_WARN_UNDECLARED_SELECTOR = YES; + ONLY_ACTIVE_ARCH = YES; RUN_CLANG_STATIC_ANALYZER = YES; SDKROOT = macosx.internal; }; 
@@ -3261,6 +3230,17 @@ CLANG_WARN_UNREACHABLE_CODE = NO; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_NO_COMMON_BLOCKS = YES; + GCC_PREPROCESSOR_DEFINITIONS = ( + "$(inherited)", + "NDEBUG=1", + "__KEYCHAINCORE__=1", + ); + "GCC_PREPROCESSOR_DEFINITIONS[sdk=embeddedsimulator*]" = ( + "$(inherited)", + "NO_SERVER=1", + "__KEYCHAINCORE__=1", + ); GCC_WARN_UNDECLARED_SELECTOR = YES; RUN_CLANG_STATIC_ANALYZER = YES; SDKROOT = macosx.internal; @@ -3322,10 +3302,11 @@ baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { COMBINE_HIDPI_IMAGES = YES; - "FRAMEWORK_SEARCH_PATHS[sdk=iphonesimulator*]" = "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; + "FRAMEWORK_SEARCH_PATHS[sdk=embeddedsimulator*]" = "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; "GCC_PREPROCESSOR_DEFINITIONS[sdk=macosx*]" = ( "$(inherited)", "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=1", ); }; name = Debug; @@ -3335,10 +3316,11 @@ baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { COMBINE_HIDPI_IMAGES = YES; - "FRAMEWORK_SEARCH_PATHS[sdk=iphonesimulator*]" = "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; + "FRAMEWORK_SEARCH_PATHS[sdk=embeddedsimulator*]" = "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks"; "GCC_PREPROCESSOR_DEFINITIONS[sdk=macosx*]" = ( "$(inherited)", "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=1", ); }; name = Release; @@ -3377,11 +3359,13 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", ); + RUN_CLANG_STATIC_ANALYZER = YES; }; name = Debug; }; 
@@ -3389,11 +3373,13 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", ); + RUN_CLANG_STATIC_ANALYZER = YES; }; name = Release; }; @@ -3401,6 +3387,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", @@ -3414,6 +3401,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", @@ -3423,22 +3411,6 @@ }; name = Release; }; - 528402AA164445760035F320 /* Debug */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = 4C5EA365164C791400A136B8 /* lib-arc-only.xcconfig */; - buildSettings = { - COMBINE_HIDPI_IMAGES = YES; - }; - name = Debug; - }; - 528402AB164445760035F320 /* Release */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = 4C5EA365164C791400A136B8 /* lib-arc-only.xcconfig */; - buildSettings = { - COMBINE_HIDPI_IMAGES = YES; - }; - name = Release; - }; BE8D228C1ABB7199009A4E18 /* Debug */ = { isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; @@ -3446,7 +3418,8 @@ COMBINE_HIDPI_IMAGES = YES; GCC_PREPROCESSOR_DEFINITIONS = ( "$(inherited)", - "SECTRUST_OSX=0", + "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=1", ); PRODUCT_NAME = libSecTrustOSX; }; @@ -3459,7 +3432,8 @@ COMBINE_HIDPI_IMAGES = YES; GCC_PREPROCESSOR_DEFINITIONS = ( "$(inherited)", - "SECTRUST_OSX=0", + "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=1", ); PRODUCT_NAME = libSecTrustOSX; }; 
@@ -3491,29 +3465,43 @@ }; name = Release; }; - CD3F915D1A802EC000E07119 /* Debug */ = { + D40771BA1C9B4D200016AA66 /* Debug */ = { isa = XCBuildConfiguration; - baseConfigurationReference = 4C5EA365164C791400A136B8 /* lib-arc-only.xcconfig */; + baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = NO; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", ); + "HEADER_SEARCH_PATHS[sdk=macosx*]" = ( + "$(BUILT_PRODUCTS_DIR)", + "$(PROJECT_DIR)/../utilities", + "$(PROJECT_DIR)/../regressions", + ); }; name = Debug; }; - CD3F915E1A802EC000E07119 /* Release */ = { + D40771BB1C9B4D200016AA66 /* Release */ = { isa = XCBuildConfiguration; - baseConfigurationReference = 4C5EA365164C791400A136B8 /* lib-arc-only.xcconfig */; + baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = NO; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", ); + "HEADER_SEARCH_PATHS[sdk=macosx*]" = ( + "$(BUILT_PRODUCTS_DIR)", + "$(PROJECT_DIR)/../regressions", + "$(PROJECT_DIR)/../utilities", + ); }; name = Release; }; @@ -3545,6 +3533,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", @@ -3558,6 +3547,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", 
@@ -3571,6 +3561,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", @@ -3643,6 +3634,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", @@ -3655,6 +3647,7 @@ isa = XCBuildConfiguration; baseConfigurationReference = 18270C9914CF1AAD00B05E7F /* lib.xcconfig */; buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; COMBINE_HIDPI_IMAGES = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", @@ -3747,15 +3740,6 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - 528402A9164445760035F320 /* Build configuration list for PBXNativeTarget "libCloudKeychainProxy" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 528402AA164445760035F320 /* Debug */, - 528402AB164445760035F320 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; BE8D228B1ABB7199009A4E18 /* Build configuration list for PBXNativeTarget "libSecTrustOSX" */ = { isa = XCConfigurationList; buildConfigurations = ( @@ -3774,11 +3758,11 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - CD3F915C1A802EC000E07119 /* Build configuration list for PBXNativeTarget "libIDSKeychainSyncingProxy" */ = { + D40771B91C9B4D200016AA66 /* Build configuration list for PBXNativeTarget "libSharedRegressions" */ = { isa = XCConfigurationList; buildConfigurations = ( - CD3F915D1A802EC000E07119 /* Debug */, - CD3F915E1A802EC000E07119 /* Release */, + D40771BA1C9B4D200016AA66 /* Debug */, + D40771BB1C9B4D200016AA66 /* Release */, ); defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; 
diff --git a/OSX/sec/securityd/OTATrustUtilities.c b/OSX/sec/securityd/OTATrustUtilities.c
index 2fa71a90..dbe5ba77 100644
--- a/OSX/sec/securityd/OTATrustUtilities.c
+++ b/OSX/sec/securityd/OTATrustUtilities.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003-2004,2006-2010,2013-2015 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2003-2004,2006-2010,2013-2016 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
@@ -130,6 +130,7 @@ struct _OpaqueSecOTAPKI
 CFSetRef _grayListSet;
 CFDictionaryRef _allowList;
 CFArrayRef _trustedCTLogs;
+ CFDataRef _CTWhiteListData;
 CFArrayRef _escrowCertificates;
 CFArrayRef _escrowPCSCertificates;
 CFDictionaryRef _evPolicyToAnchorMapping;
@@ -161,6 +162,7 @@ static void SecOTAPKIDestroy(CFTypeRef cf)
 free((void *)otapkiref->_anchorTable);
 CFReleaseNull(otapkiref->_trustedCTLogs);
+ CFReleaseNull(otapkiref->_CTWhiteListData);
 }
 static CFDataRef SecOTACopyFileContents(const char *path)
@@ -398,6 +400,61 @@ static CFDataRef SecSystemTrustStoreCopyResourceContents(CFStringRef resourceNam return data; } +static CFPropertyListRef CFPropertyListCopyFromAsset(const char *ota_assets_path, CFStringRef asset) +{ + CFPropertyListRef plist = NULL; + // Check to see if the <asset>.plist file is in the asset location + CFDataRef xmlData = NULL; + if (ota_assets_path) { + CFStringRef filePath = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%s/%@.%@"), ota_assets_path, asset, CFSTR("plist")); + CFURLRef url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, filePath, kCFURLPOSIXPathStyle, false); + + plist = CFPropertyListReadFromFile(url); + CFReleaseSafe(url); + CFReleaseSafe(filePath); + } + + if (!plist) { + // no OTA asset file, so use the file in the system trust store bundle + xmlData = SecSystemTrustStoreCopyResourceContents(asset, CFSTR("plist"), NULL); + + if (xmlData) { + plist = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL); + CFRelease(xmlData); + } + } + + return plist; +} + +static CFSetRef CFSetCreateFromPropertyList(CFPropertyListRef plist) +{ + CFSetRef result = NULL; + + if (plist) { + CFMutableSetRef tempSet = NULL; + if (CFGetTypeID(plist) == CFArrayGetTypeID()) { + tempSet = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks); + if (NULL == tempSet) { + return result; + } + CFArrayRef array = (CFArrayRef)plist; + CFIndex num_keys = CFArrayGetCount(array); + for (CFIndex idx = 0; idx < num_keys; idx++) { + CFDataRef data = (CFDataRef)CFArrayGetValueAtIndex(array, idx); + CFSetAddValue(tempSet, data); + } + } + else { + return result; + } + + if (NULL != tempSet) { + result = tempSet; + } + } + return result; +} static const char* InitOTADirectory(int* pAssetVersion) { 
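Review bot: `CFSetCreateFromPropertyList` casts every array element to `CFDataRef` and adds it to the set without checking its type, so a malformed Blocked or GrayListedKeys plist that contains a string or number lands in a set whose consumers presumably treat members as key digests; guard the add with `if (CFGetTypeID(data) == CFDataGetTypeID()) CFSetAddValue(tempSet, data);` (or reject the whole plist when an element is not data). The trailing `if (NULL != tempSet) { result = tempSet; }` can never see a NULL `tempSet`, because that case already returned above, so `result = tempSet;` alone reads clearer. In `CFPropertyListCopyFromAsset`, `filePath` and `url` are handed on without a NULL check; whether `CFPropertyListReadFromFile(NULL)` tolerates that is not visible here, so an `if (url)` guard before the read is cheap insurance.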
@@ -526,138 +583,38 @@ static const char* InitOTADirectory(int* pAssetVersion) static CFSetRef InitializeBlackList(const char* path_ptr) { - CFSetRef result = NULL; - - // Check to see if the EVRoots.plist file is in the asset location - CFDataRef xmlData = NULL; - const char* asset_path = path_ptr; - if (asset_path) { - char file_path_buffer[PATH_MAX]; - memset(file_path_buffer, 0, PATH_MAX); - snprintf(file_path_buffer, PATH_MAX, "%s/Blocked.plist", asset_path); + CFPropertyListRef plist = CFPropertyListCopyFromAsset(path_ptr, CFSTR("Blocked")); + CFSetRef result = CFSetCreateFromPropertyList(plist); + CFReleaseSafe(plist); - xmlData = SecOTACopyFileContents(file_path_buffer); - } - - if (!xmlData) { - // no OTA asset file, so use the file in the system trust store bundle - xmlData = SecSystemTrustStoreCopyResourceContents(CFSTR("Blocked"), CFSTR("plist"), NULL); - } - - CFPropertyListRef blackKeys = NULL; - if (xmlData) { - blackKeys = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL); - CFRelease(xmlData); - } - - if (blackKeys) { - CFMutableSetRef tempSet = NULL; - if (CFGetTypeID(blackKeys) == CFArrayGetTypeID()) { - tempSet = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks); - if (NULL == tempSet) { - CFRelease(blackKeys); - return result; - } - CFArrayRef blackKeyArray = (CFArrayRef)blackKeys; - CFIndex num_keys = CFArrayGetCount(blackKeyArray); - for (CFIndex idx = 0; idx < num_keys; idx++) { - CFDataRef key_data = (CFDataRef)CFArrayGetValueAtIndex(blackKeyArray, idx); - CFSetAddValue(tempSet, key_data); - } - } - else { - CFRelease(blackKeys); - return result; - } - - if (NULL != tempSet) { - result = tempSet; - } - CFRelease(blackKeys); - } - - return result; + return result; } static CFSetRef InitializeGrayList(const char* path_ptr) { - CFSetRef result = NULL; - - // Check to see if the EVRoots.plist file is in the asset location - CFDataRef xmlData = NULL; - const char* asset_path = 
path_ptr; - if (asset_path) { - char file_path_buffer[PATH_MAX]; - memset(file_path_buffer, 0, PATH_MAX); - snprintf(file_path_buffer, PATH_MAX, "%s/GrayListedKeys.plist", asset_path); - - xmlData = SecOTACopyFileContents(file_path_buffer); - } - - if (!xmlData) { - // no OTA asset file, so use the file in the system trust store bundle - xmlData = SecSystemTrustStoreCopyResourceContents(CFSTR("GrayListedKeys"), CFSTR("plist"), NULL); - } - - CFPropertyListRef grayKeys = NULL; - if (xmlData) { - grayKeys = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL); - CFRelease(xmlData); - } + CFPropertyListRef plist = CFPropertyListCopyFromAsset(path_ptr, CFSTR("GrayListedKeys")); + CFSetRef result = CFSetCreateFromPropertyList(plist); + CFReleaseSafe(plist); - if (grayKeys) { - CFMutableSetRef tempSet = NULL; - if (CFGetTypeID(grayKeys) == CFArrayGetTypeID()) { - tempSet = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks); - if (NULL == tempSet) { - CFRelease(grayKeys); - return result; - } - CFArrayRef grayKeyArray = (CFArrayRef)grayKeys; - CFIndex num_keys = CFArrayGetCount(grayKeyArray); - for (CFIndex idx = 0; idx < num_keys; idx++) { - CFDataRef key_data = (CFDataRef)CFArrayGetValueAtIndex(grayKeyArray, idx); - CFSetAddValue(tempSet, key_data); - } - } - else { - CFRelease(grayKeys); - return result; - } + return result; +} - if (NULL != tempSet) { - result = tempSet; - } +static CFDataRef InitializeCTWhiteListData(const char* path_ptr) +{ + CFPropertyListRef data = CFPropertyListCopyFromAsset(path_ptr, CFSTR("CTWhiteListData")); - CFRelease(grayKeys); + if (data && (CFGetTypeID(data) == CFDataGetTypeID())) { + return data; + } else { + CFReleaseNull(data); + return NULL; } - return result; } static CFDictionaryRef InitializeAllowList(const char* path_ptr) { - // Check to see if the Allowed.plist file is in the asset location - CFDataRef xmlData = NULL; - const char* asset_path = path_ptr; - if (asset_path) 
{ - char file_path_buffer[PATH_MAX]; - memset(file_path_buffer, 0, PATH_MAX); - snprintf(file_path_buffer, PATH_MAX, "%s/Allowed.plist", asset_path); - - xmlData = SecOTACopyFileContents(file_path_buffer); - } - - if (!xmlData) { - // no OTA asset file, so use the file in the system trust store bundle - xmlData = SecSystemTrustStoreCopyResourceContents(CFSTR("Allowed"), CFSTR("plist"), NULL); - } - - CFPropertyListRef allowList = NULL; - if (xmlData) { - allowList = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL); - CFRelease(xmlData); - } - + CFPropertyListRef allowList = CFPropertyListCopyFromAsset(path_ptr, CFSTR("Allowed")); + if (allowList && (CFGetTypeID(allowList) == CFDictionaryGetTypeID())) { return allowList; } else { @@ -668,27 +625,7 @@ static CFDictionaryRef InitializeAllowList(const char* path_ptr) static CFArrayRef InitializeTrustedCTLogs(const char* path_ptr) { - // Check to see if the TrustedCTLogs.plist file is in the asset location - CFDataRef xmlData = NULL; - const char* asset_path = path_ptr; - if (asset_path) { - char file_path_buffer[PATH_MAX]; - memset(file_path_buffer, 0, PATH_MAX); - snprintf(file_path_buffer, PATH_MAX, "%s/TrustedCTLogs.plist", asset_path); - - xmlData = SecOTACopyFileContents(file_path_buffer); - } - - if (!xmlData) { - // no OTA asset file, so use the file in the system trust store bundle - xmlData = SecSystemTrustStoreCopyResourceContents(CFSTR("TrustedCTLogs"), CFSTR("plist"), NULL); - } - - CFPropertyListRef trustedCTLogs = NULL; - if (xmlData) { - trustedCTLogs = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL); - CFRelease(xmlData); - } + CFPropertyListRef trustedCTLogs = CFPropertyListCopyFromAsset(path_ptr, CFSTR("TrustedCTLogs")); if (trustedCTLogs && (CFGetTypeID(trustedCTLogs) == CFArrayGetTypeID())) { return trustedCTLogs; 
@@ -698,34 +635,10 @@ static CFArrayRef InitializeTrustedCTLogs(const char* path_ptr) } } - static CFDictionaryRef InitializeEVPolicyToAnchorDigestsTable(const char* path_ptr) { - CFDictionaryRef result = NULL; - - // Check to see if the EVRoots.plist file is in the asset location - CFDataRef xmlData = NULL; - const char* asset_path = path_ptr; - if (asset_path) - { - char file_path_buffer[PATH_MAX]; - memset(file_path_buffer, 0, PATH_MAX); - snprintf(file_path_buffer, PATH_MAX, "%s/EVRoots.plist", asset_path); - - xmlData = SecOTACopyFileContents(file_path_buffer); - } - - if (!xmlData) { - // no OTA asset file, so use the file in the system trust store bundle - xmlData = SecSystemTrustStoreCopyResourceContents(CFSTR("EVRoots"), CFSTR("plist"), NULL); - } - - CFPropertyListRef evroots = NULL; - if (xmlData) { - evroots = CFPropertyListCreateWithData( - kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL); - CFRelease(xmlData); - } + CFDictionaryRef result = NULL; + CFPropertyListRef evroots = CFPropertyListCopyFromAsset(path_ptr, CFSTR("EVRoots")); if (evroots) { if (CFGetTypeID(evroots) == CFDictionaryGetTypeID()) { @@ -1039,7 +952,7 @@ static void InitializeEscrowCertificates(const char* path_ptr, CFArrayRef *escro *escrowPCSRoots = CFArrayCreateCopy(kCFAllocatorDefault, pcs_certs); } } - CFReleaseSafe(certsDictionary); + CFReleaseSafe(certsDictionary); CFRelease(file_data); } @@ -1065,6 +978,7 @@ static SecOTAPKIRef SecOTACreate() otapkiref->_grayListSet = NULL; otapkiref->_allowList = NULL; otapkiref->_trustedCTLogs = NULL; + otapkiref->_CTWhiteListData = NULL; otapkiref->_escrowCertificates = NULL; otapkiref->_escrowPCSCertificates = NULL; otapkiref->_evPolicyToAnchorMapping = NULL; 
@@ -1103,13 +1017,16 @@ static SecOTAPKIRef SecOTACreate() return otapkiref; } otapkiref->_grayListSet = grayKeysSet; - + // Get the allow list dictionary otapkiref->_allowList = InitializeAllowList(path_ptr); // Get the trusted Certificate Transparency Logs otapkiref->_trustedCTLogs = InitializeTrustedCTLogs(path_ptr); + // Get the EV whitelist + otapkiref->_CTWhiteListData = InitializeCTWhiteListData(path_ptr); + CFArrayRef escrowCerts = NULL; CFArrayRef escrowPCSCerts = NULL; InitializeEscrowCertificates(path_ptr, &escrowCerts, &escrowPCSCerts); @@ -1215,7 +1132,7 @@ CFDictionaryRef SecOTAPKICopyAllowList(SecOTAPKIRef otapkiRef) { return result; } - + result = otapkiRef->_allowList; CFRetainSafe(result); return result; @@ -1234,12 +1151,25 @@ CFArrayRef SecOTAPKICopyTrustedCTLogs(SecOTAPKIRef otapkiRef) return result; } +CFDataRef SecOTAPKICopyCTWhiteList(SecOTAPKIRef otapkiRef) +{ + CFDataRef result = NULL; + if (NULL == otapkiRef) + { + return result; + } + + result = otapkiRef->_CTWhiteListData; + CFRetainSafe(result); + return result; +} + +/* Returns an array of certificate data (CFDataRef) */ CFArrayRef SecOTAPKICopyEscrowCertificates(uint32_t escrowRootType, SecOTAPKIRef otapkiRef) { - CFArrayRef result = NULL; - if (NULL == otapkiRef) - { + CFMutableArrayRef result = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + if (NULL == otapkiRef) { return result; } 
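Review bot: `SecOTAPKICopyEscrowCertificates` now allocates `result` with `CFArrayCreateMutable` before the `otapkiRef` check and never tests it for NULL, yet the switch in the following hunk appends into it with `CFArrayAppendArray`/`CFArrayAppendValue`; add `if (NULL == result) return NULL;` right after the allocation. The rewrite also means a NULL `otapkiRef`, or an unknown `escrowRootType`, now yields an empty array where the previous code returned NULL, so callers that tested for NULL to detect "no OTA data" will now see success; if that is intended, the new `/* Returns an array of certificate data (CFDataRef) */` comment should state that the array may be empty and that NULL only means allocation failure. The function's body continues past this hunk.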
@@ -1248,17 +1178,46 @@ CFArrayRef SecOTAPKICopyEscrowCertificates(uint32_t escrowRootType, SecOTAPKIRef // since this function vends production roots by definition. case kSecCertificateBaselineEscrowRoot: case kSecCertificateProductionEscrowRoot: - result = otapkiRef->_escrowCertificates; + case kSecCertificateBaselineEscrowBackupRoot: + case kSecCertificateProductionEscrowBackupRoot: + if (otapkiRef->_escrowCertificates) { + CFArrayRef escrowCerts = otapkiRef->_escrowCertificates; + CFArrayAppendArray(result, escrowCerts, CFRangeMake(0, CFArrayGetCount(escrowCerts))); + } + break; + case kSecCertificateBaselineEscrowEnrollmentRoot: + case kSecCertificateProductionEscrowEnrollmentRoot: + if (otapkiRef->_escrowCertificates) { + // for enrollment purposes, exclude the v100 root + static const unsigned char V100EscrowRoot[] = { + 0x65,0x5C,0xB0,0x3C,0x39,0x3A,0x32,0xA6,0x0B,0x96, + 0x40,0xC0,0xCA,0x73,0x41,0xFD,0xC3,0x9E,0x96,0xB3 + }; + CFArrayRef escrowCerts = otapkiRef->_escrowCertificates; + CFIndex idx, count = CFArrayGetCount(escrowCerts); + for (idx=0; idx < count; idx++) { + CFDataRef tmpData = (CFDataRef) CFArrayGetValueAtIndex(escrowCerts, idx); + SecCertificateRef tmpCert = (tmpData) ? SecCertificateCreateWithData(NULL, tmpData) : NULL; + CFDataRef sha1Hash = (tmpCert) ? SecCertificateGetSHA1Digest(tmpCert) : NULL; + const uint8_t *dp = (sha1Hash) ? CFDataGetBytePtr(sha1Hash) : NULL; + if (!(dp && !memcmp(V100EscrowRoot, dp, sizeof(V100EscrowRoot))) && tmpData) { + CFArrayAppendValue(result, tmpData); + } + CFReleaseSafe(tmpCert); + } + } break; case kSecCertificateBaselinePCSEscrowRoot: case kSecCertificateProductionPCSEscrowRoot: - result = otapkiRef->_escrowPCSCertificates; + if (otapkiRef->_escrowPCSCertificates) { + CFArrayRef escrowPCSCerts = otapkiRef->_escrowPCSCertificates; + CFArrayAppendArray(result, escrowPCSCerts, CFRangeMake(0, CFArrayGetCount(escrowPCSCerts))); + } break; default: break; } - CFRetainSafe(result); return result; } 
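Review bot: The enrollment case inlines certificate parsing, digest lookup and a raw `memcmp` against a 20-byte literal inside a `switch` arm, which makes the filter hard to read and impossible to reuse; a small `static bool` helper that answers "is this the v100 root" reduces the loop to one test per certificate. The comparison trusts that `SecCertificateGetSHA1Digest` returns exactly `sizeof(V100EscrowRoot)` bytes, which holds for SHA-1, but checking `CFDataGetLength(sha1Hash)` first costs nothing and documents the assumption. A comment naming which certificate `V100EscrowRoot` identifies (it is only described as "the v100 root") would help whoever has to update the literal. `result` is dereferenced here by `CFArrayAppendArray` without a NULL check; its allocation is in the previous hunk.
```c
/* True when certData is the v100 escrow root (identified by SHA-1 digest); excluded for enrollment. */
static bool isV100EscrowRootData(CFDataRef certData)
{
    static const unsigned char V100EscrowRoot[] = {
        0x65,0x5C,0xB0,0x3C,0x39,0x3A,0x32,0xA6,0x0B,0x96,
        0x40,0xC0,0xCA,0x73,0x41,0xFD,0xC3,0x9E,0x96,0xB3
    };
    bool match = false;
    SecCertificateRef cert = certData ? SecCertificateCreateWithData(NULL, certData) : NULL;
    CFDataRef sha1Hash = cert ? SecCertificateGetSHA1Digest(cert) : NULL;
    if (sha1Hash && CFDataGetLength(sha1Hash) == (CFIndex)sizeof(V100EscrowRoot)) {
        match = (memcmp(V100EscrowRoot, CFDataGetBytePtr(sha1Hash), sizeof(V100EscrowRoot)) == 0);
    }
    CFReleaseSafe(cert);
    return match;
}

// … unchanged: SecOTAPKICopyEscrowCertificates up to the enrollment cases …
        case kSecCertificateBaselineEscrowEnrollmentRoot:
        case kSecCertificateProductionEscrowEnrollmentRoot:
            if (otapkiRef->_escrowCertificates) {
                CFArrayRef escrowCerts = otapkiRef->_escrowCertificates;
                CFIndex count = CFArrayGetCount(escrowCerts);
                for (CFIndex idx = 0; idx < count; idx++) {
                    CFDataRef tmpData = (CFDataRef) CFArrayGetValueAtIndex(escrowCerts, idx);
                    // unparseable entries are kept, as before; only a confirmed v100 match is dropped
                    if (tmpData && !isV100EscrowRootData(tmpData)) {
                        CFArrayAppendValue(result, tmpData);
                    }
                }
            }
            break;
// … unchanged: PCS cases, default, return …
```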
@@ -1325,6 +1284,7 @@ void SecOTAPKIRefreshData() }); } +/* Returns an array of certificate data (CFDataRef) */ CFArrayRef SecOTAPKICopyCurrentEscrowCertificates(uint32_t escrowRootType, CFErrorRef* error) { CFArrayRef result = NULL; diff --git a/OSX/sec/securityd/OTATrustUtilities.h b/OSX/sec/securityd/OTATrustUtilities.h index 595a5b65..763a5114 100644 --- a/OSX/sec/securityd/OTATrustUtilities.h +++ b/OSX/sec/securityd/OTATrustUtilities.h @@ -60,6 +60,11 @@ CFDictionaryRef SecOTAPKICopyAllowList(SecOTAPKIRef otapkiRef); CF_EXPORT CFArrayRef SecOTAPKICopyTrustedCTLogs(SecOTAPKIRef otapkiRef); +// Accessor to retrieve a copy of the current CT whitelist. +// Caller is responsible for releasing the returned CFSetRef +CF_EXPORT +CFDataRef SecOTAPKICopyCTWhiteList(SecOTAPKIRef otapkiRef); + // Accessor to retrieve the array of Escrow certificates // Caller is responsible for releasing the returned CFArrayRef CF_EXPORT diff --git a/OSX/sec/securityd/Regressions/SOSAccountTesting.h b/OSX/sec/securityd/Regressions/SOSAccountTesting.h index 008c3b5d..46ddd3cc 100644 --- a/OSX/sec/securityd/Regressions/SOSAccountTesting.h +++ b/OSX/sec/securityd/Regressions/SOSAccountTesting.h 
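Review bot: The new header comment says "Caller is responsible for releasing the returned CFSetRef", but `SecOTAPKICopyCTWhiteList` returns a `CFDataRef`; change the line to `// Caller is responsible for releasing the returned CFDataRef`. The implementation returns NULL both when `otapkiRef` is NULL and when no whitelist was loaded, and the comment could say so: `// Returns NULL if otapkiRef is NULL or no CT whitelist is available.`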
@@ -30,7 +30,85 @@ #include <Security/SecureObjectSync/SOSAccountPriv.h> #include <Security/SecureObjectSync/SOSTransport.h> #include <Security/SecureObjectSync/SOSPeerInfoCollections.h> + +#include "SOSTestDataSource.h" +#include "SOSRegressionUtilities.h" + #include "SOSTransportTestTransports.h" + +#include <utilities/SecCFWrappers.h> + +// +// Implicit transaction helpers +// + +static inline bool SOSAccountResetToOffering_wTxn(SOSAccountRef account, CFErrorRef* error) +{ + __block bool result = false; + SOSAccountWithTransactionSync(account, ^(SOSAccountRef account, SOSAccountTransactionRef txn) { + result = SOSAccountResetToOffering(txn, error); + }); + return result; +} + +static inline bool SOSAccountJoinCirclesAfterRestore_wTxn(SOSAccountRef account, CFErrorRef* error) +{ + __block bool result = false; + SOSAccountWithTransactionSync(account, ^(SOSAccountRef account, SOSAccountTransactionRef txn) { + result = SOSAccountJoinCirclesAfterRestore(txn, error); + }); + return result; +} + +static inline bool SOSAccountJoinCircles_wTxn(SOSAccountRef account, CFErrorRef* error) +{ + __block bool result = false; + SOSAccountWithTransactionSync(account, ^(SOSAccountRef account, SOSAccountTransactionRef txn) { + result = SOSAccountJoinCircles(txn, error); + }); + return result; +} + +static inline bool SOSAccountCheckHasBeenInSync_wTxn(SOSAccountRef account) +{ + return SOSAccountHasCompletedInitialSync(account); +} + +static inline void SOSAccountPeerGotInSync_wTxn(SOSAccountRef account, SOSPeerInfoRef peer) +{ + SOSAccountWithTransactionSync(account, ^(SOSAccountRef account, SOSAccountTransactionRef txn) { + CFMutableSetRef views = SOSPeerInfoCopyEnabledViews(peer); + SOSAccountPeerGotInSync(txn, SOSPeerInfoGetPeerID(peer), views); + CFReleaseNull(views); + }); +} + +static inline bool SOSAccountSetBackupPublicKey_wTxn(SOSAccountRef account, CFDataRef backupKey, CFErrorRef* error) +{ + __block bool result = false; + SOSAccountWithTransactionSync(account, 
^(SOSAccountRef account, SOSAccountTransactionRef txn) { + result = SOSAccountSetBackupPublicKey(txn, backupKey, error); + }); + return result; +} + +static inline bool SOSAccountRemoveBackupPublickey_wTxn(SOSAccountRef account, CFErrorRef* error) +{ + __block bool result = false; + SOSAccountWithTransactionSync(account, ^(SOSAccountRef account, SOSAccountTransactionRef txn) { + result = SOSAccountRemoveBackupPublickey(txn, error); + }); + return result; +} + +static inline SOSViewResultCode SOSAccountUpdateView_wTxn(SOSAccountRef account, CFStringRef viewname, SOSViewActionCode actionCode, CFErrorRef *error) { + __block SOSViewResultCode result = false; + SOSAccountWithTransactionSync(account, ^(SOSAccountRef account, SOSAccountTransactionRef txn) { + result = SOSAccountUpdateView(account, viewname, actionCode, error); + }); + return result; +} + // // Account comparison // 
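Review bot: `SOSAccountUpdateView_wTxn` is the one `_wTxn` wrapper whose block passes `account` rather than `txn` to the wrapped call (`SOSAccountUpdateView(account, viewname, actionCode, error)`), and it initialises a `SOSViewResultCode` with `false`; if `SOSAccountUpdateView` really takes the account, a one-line comment saying why the call is still wrapped in a transaction would help, and `result` should start from the enum's error value rather than a bool. `SOSAccountCheckHasBeenInSync_wTxn` carries the `_wTxn` suffix but opens no transaction; either drop the suffix or add a comment that `SOSAccountHasCompletedInitialSync` needs none. Every block parameter named `account` shadows the wrapper's own `account` parameter, which `-Wshadow` will flag; giving the inner one a distinct name such as `txnAccount` avoids that.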
@@ -320,13 +398,24 @@ static bool FillAllChanges(CFMutableDictionaryRef changes) { SOSTransportCircleTestClearChanges(tpt); }); CFArrayForEach(message_transports, ^(const void *value) { - SOSTransportMessageTestRef tpt = (SOSTransportMessageTestRef) value; - CFDictionaryRemoveValue(SOSTransportMessageTestGetChanges(tpt), kCFNull); - if (AddNewChanges(changes, SOSTransportMessageTestGetChanges(tpt), SOSTransportMessageTestGetAccount(tpt))) { - changed |= true; - CFSetAddValue(changedAccounts, SOSTransportMessageTestGetAccount(tpt)); + if(SOSTransportMessageGetTransportType((SOSTransportMessageRef)value, NULL) == kKVSTest){ + SOSTransportMessageTestRef tpt = (SOSTransportMessageTestRef) value; + CFDictionaryRemoveValue(SOSTransportMessageTestGetChanges(tpt), kCFNull); + if (AddNewChanges(changes, SOSTransportMessageTestGetChanges(tpt), SOSTransportMessageTestGetAccount((SOSTransportMessageRef)tpt))) { + changed |= true; + CFSetAddValue(changedAccounts, SOSTransportMessageTestGetAccount((SOSTransportMessageRef)tpt)); + } + SOSTransportMessageTestClearChanges(tpt); + } + else if(SOSTransportMessageGetTransportType((SOSTransportMessageRef)value, NULL) == kIDSTest){ + SOSTransportMessageRef ids = (SOSTransportMessageRef) value; + CFDictionaryRemoveValue(SOSTransportMessageIDSTestGetChanges(ids), kCFNull); + if (AddNewChanges(changes, SOSTransportMessageIDSTestGetChanges(ids), SOSTransportMessageTestGetAccount(ids))) { + changed |= true; + CFSetAddValue(changedAccounts, SOSTransportMessageTestGetAccount(ids)); + } + SOSTransportMessageIDSTestClearChanges(ids); } - SOSTransportMessageTestClearChanges(tpt); }); secnotice("process-changes", "Accounts with change (%@): %@", changed ? CFSTR("YES") : CFSTR("NO"), changedAccounts); 
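Review bot: `FillAllChanges` only handles transports whose type is `kKVSTest` or `kIDSTest` and silently skips anything else, while the parallel loop in `FillChanges` (next hunk, `@@ -353,11 +442,21 @@`) treats every non-KVS transport as IDS and reads it through `SOSTransportMessageIDSTestGetChanges`, which casts to `SOSTransportMessageIDSTestRef`; a third transport type would be ignored here and misinterpreted there. Make the second loop mirror this one with `else if (SOSTransportMessageGetTransportType((SOSTransportMessageRef)value, NULL) == kIDSTest)`, or move the per-transport dispatch into a shared helper both functions call. In both loops the type query runs twice per element; hoist it into `CFIndex type = SOSTransportMessageGetTransportType((SOSTransportMessageRef)value, NULL);` at the top of the block and branch on `type`.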
@@ -353,11 +442,21 @@ static void FillChanges(CFMutableDictionaryRef changes, SOSAccountRef forAccount } }); CFArrayForEach(message_transports, ^(const void *value) { - SOSTransportMessageTestRef tpt = (SOSTransportMessageTestRef) value; - if(CFEqualSafe(forAccount, SOSTransportMessageTestGetAccount(tpt))){ - CFDictionaryRemoveValue(SOSTransportMessageTestGetChanges(tpt), kCFNull); - AddNewChanges(changes, SOSTransportMessageTestGetChanges(tpt), SOSTransportMessageTestGetAccount(tpt)); - SOSTransportMessageTestClearChanges(tpt); + if(SOSTransportMessageGetTransportType((SOSTransportMessageRef)value, NULL) == kKVSTest){ + SOSTransportMessageTestRef tpt = (SOSTransportMessageTestRef) value; + if(CFEqualSafe(forAccount, SOSTransportMessageTestGetAccount((SOSTransportMessageRef)tpt))){ + CFDictionaryRemoveValue(SOSTransportMessageTestGetChanges(tpt), kCFNull); + AddNewChanges(changes, SOSTransportMessageTestGetChanges(tpt), SOSTransportMessageTestGetAccount((SOSTransportMessageRef)tpt)); + SOSTransportMessageTestClearChanges(tpt); + } + } + else{ + SOSTransportMessageRef tpt = (SOSTransportMessageRef) value; + if(CFEqualSafe(forAccount, SOSTransportMessageTestGetAccount((SOSTransportMessageRef)tpt))){ + CFDictionaryRemoveValue(SOSTransportMessageIDSTestGetChanges(tpt), kCFNull); + AddNewChanges(changes, SOSTransportMessageIDSTestGetChanges(tpt), SOSTransportMessageTestGetAccount((SOSTransportMessageRef)tpt)); + SOSTransportMessageIDSTestClearChanges(tpt); + } } }); 
@@ -394,16 +493,11 @@ static inline void FeedChangesTo(CFMutableDictionaryRef changes, SOSAccountRef a CFMutableArrayRef account_pending_keys = (CFMutableArrayRef)CFDictionaryGetValue(changes, account); if (!isArray(account_pending_keys)) { - CFReleaseNull(account_pending_keys); - account_pending_keys = CFDictionaryCopyKeys(full_list); CFDictionaryAddValue(changes, account, account_pending_keys); CFReleaseSafe(account_pending_keys); // The dictionary keeps it, we don't retain it here. } - CFMutableArrayRef handled = NULL; - - CFErrorRef error = NULL; CFMutableDictionaryRef account_pending_messages = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); CFArrayForEach(account_pending_keys, ^(const void *value) { CFDictionaryAddValue(account_pending_messages, value, CFDictionaryGetValue(full_list, value)); @@ -415,8 +509,13 @@ static inline void FeedChangesTo(CFMutableDictionaryRef changes, SOSAccountRef a secnotice("changes", " %@", key); }); - ok(handled = SOSTransportDispatchMessages(account, account_pending_messages, &error), "SOSTransportHandleMessages failed (%@)", error); - + __block CFMutableArrayRef handled = NULL; + SOSAccountWithTransactionSync(account, ^(SOSAccountRef account, SOSAccountTransactionRef txn) { + __block CFErrorRef error = NULL; + ok(handled = SOSTransportDispatchMessages(account, account_pending_messages, &error), "SOSTransportHandleMessages failed (%@)", error); + CFReleaseNull(error); + }); + if (isArray(handled)) { CFArrayForEach(handled, ^(const void *value) { CFArrayRemoveAllValue(account_pending_keys, value); @@ -424,7 +523,6 @@ static inline void FeedChangesTo(CFMutableDictionaryRef changes, SOSAccountRef a } CFReleaseNull(account_pending_messages); CFReleaseNull(handled); - CFReleaseNull(error); } #define kFeedChangesToMultieTestCountPer 1 
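Review bot: Inside the new transaction block, `__block CFErrorRef error = NULL;` does not need the `__block` qualifier: the variable lives in the block's own scope and is only passed by address to `SOSTransportDispatchMessages`, so `CFErrorRef error = NULL;` is enough (`handled`, which is assigned inside the block and read after it, correctly keeps `__block`). The block parameter `account` shadows `FeedChangesTo`'s own `account` parameter; a distinct name avoids `-Wshadow` noise. `FeedChangesTo` begins before this hunk and its body continues past it.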
@@ -601,4 +699,54 @@ static inline void showActiveValidPeers(SOSAccountRef account) { CFReleaseNull(peers); } +#define ok_or_quit(COND,MESSAGE,LABEL) ok(COND, MESSAGE); if(!(COND)) goto LABEL + +static inline bool testAccountPersistence(SOSAccountRef account) { + SOSDataSourceFactoryRef test_factory = SOSTestDataSourceFactoryCreate(); + SOSDataSourceRef test_source = SOSTestDataSourceCreate(); + SOSTestDataSourceFactorySetDataSource(test_factory, CFSTR("TestType"), test_source); + CFErrorRef error = NULL; + bool retval = false; + SOSAccountRef reinflatedAccount = NULL; + CFDataRef accountDER = NULL; + + SOSAccountCheckHasBeenInSync_wTxn(account); + + // DER encode account to accountData - this allows checking discreet DER functions + size_t size = SOSAccountGetDEREncodedSize(account, &error); + CFReleaseNull(error); + uint8_t buffer[size]; + uint8_t* start = SOSAccountEncodeToDER(account, &error, buffer, buffer + sizeof(buffer)); + CFReleaseNull(error); + + ok_or_quit(start, "successful encoding", errOut); + ok_or_quit(start == buffer, "Used whole buffer", errOut); + + accountDER = CFDataCreate(kCFAllocatorDefault, buffer, size); + ok_or_quit(accountDER, "Made CFData for Account", errOut); + + + // Re-inflate to "inflated" + reinflatedAccount = SOSAccountCreateFromData(kCFAllocatorDefault, accountDER, test_factory, &error); + CFReleaseNull(error); + CFReleaseNull(accountDER); + + ok(reinflatedAccount, "inflated"); + ok(CFEqualSafe(reinflatedAccount, account), "Compares"); + + // Repeat through SOSAccountCopyEncodedData() interface - this is the normally called combined interface + accountDER = SOSAccountCopyEncodedData(reinflatedAccount, kCFAllocatorDefault, &error); + CFReleaseNull(error); + CFReleaseNull(reinflatedAccount); + reinflatedAccount = SOSAccountCreateFromData(kCFAllocatorDefault, accountDER, test_factory, &error); + ok(reinflatedAccount, "inflated2"); + ok(CFEqual(account, reinflatedAccount), "Compares"); + + retval = true; +errOut: + 
CFReleaseNull(reinflatedAccount); + CFReleaseNull(accountDER); + return retval; +} + #endif diff --git a/OSX/sec/securityd/Regressions/SOSTransportTestTransports.c b/OSX/sec/securityd/Regressions/SOSTransportTestTransports.c index cd5c5504..594724ec 100644 --- a/OSX/sec/securityd/Regressions/SOSTransportTestTransports.c +++ b/OSX/sec/securityd/Regressions/SOSTransportTestTransports.c @@ -48,6 +48,10 @@ static bool flushRingChanges(SOSTransportCircleRef transport, CFErrorRef* error) static bool postRing(SOSTransportCircleRef transport, CFStringRef ringName, CFDataRef ring, CFErrorRef *error); static bool sendDebugInfo(SOSTransportCircleRef transport, CFStringRef type, CFTypeRef debugInfo, CFErrorRef *error); +CFMutableArrayRef key_transports = NULL; +CFMutableArrayRef circle_transports = NULL; +CFMutableArrayRef message_transports = NULL; + void SOSAccountUpdateTestTransports(SOSAccountRef account, CFDictionaryRef gestalt){ CFStringRef new_name = (CFStringRef)CFDictionaryGetValue(gestalt, kPIUserDefinedDeviceNameKey); @@ -476,6 +480,9 @@ SOSAccountRef SOSTransportCircleTestGetAccount(SOSTransportCircleTestRef transpo //MARK Message Test Transport /// +static CFIndex getKVSTestTransportType(SOSTransportMessageRef transport, CFErrorRef *error); + + struct SOSTransportMessageTest{ struct __OpaqueSOSTransportMessage m; CFMutableDictionaryRef changes; @@ -501,6 +508,9 @@ SOSTransportMessageTestRef SOSTransportTestCreateMessage(SOSAccountRef account, tpt->m.account = CFRetainSafe(account); tpt->name = CFRetainSafe(name); tpt->circleName = CFRetainSafe(circleName); + tpt->m.getTransportType = getKVSTestTransportType; + + if(!message_transports) message_transports = CFArrayCreateMutable(kCFAllocatorDefault, 0, NULL); CFArrayAppendValue(message_transports, (SOSTransportMessageRef)tpt); 
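Review bot: `ok_or_quit` expands to two statements and evaluates `COND` twice, so each use runs the test once for reporting and again for the branch, and a use like `if (x) ok_or_quit(...)` would leave the `goto` outside the condition; define it as `#define ok_or_quit(COND,MESSAGE,LABEL) do { bool _c = !!(COND); ok(_c, MESSAGE); if (!_c) goto LABEL; } while (0)`. `uint8_t buffer[size];` is a VLA sized by `SOSAccountGetDEREncodedSize` whose result is never checked, so a 0 return on the error path (`error` is released right after) yields a zero-length array; since a `goto errOut` placed before the declaration cannot jump past a VLA, either return early on `size == 0` or switch to `malloc(size)` freed at `errOut`. The second round trip compares with `CFEqual(account, reinflatedAccount)` right after an `ok(reinflatedAccount, "inflated2")` that does not stop on failure, so a NULL `reinflatedAccount` crashes instead of failing the test; use `CFEqualSafe` as the first comparison does. `test_factory` and `test_source` come from `Create` functions and are never released here; if they are retained objects, they leak on every call.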
@@ -509,6 +519,10 @@ SOSTransportMessageTestRef SOSTransportTestCreateMessage(SOSAccountRef account, return tpt; } + +static CFIndex getKVSTestTransportType(SOSTransportMessageRef transport, CFErrorRef *error){ + return kKVSTest; +} CFStringRef SOSTransportMessageTestGetName(SOSTransportMessageTestRef transport){ return transport->name; } @@ -608,7 +622,7 @@ fail: static bool sendToPeer(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef peerID, CFDataRef message, CFErrorRef *error) { SOSTransportMessageTestRef testTransport = (SOSTransportMessageTestRef) transport; bool result = true; - CFStringRef message_to_peer_key = SOSMessageKeyCreateFromTransportToPeer((SOSTransportMessageKVSRef)transport, peerID); + CFStringRef message_to_peer_key = SOSMessageKeyCreateFromTransportToPeer(transport, peerID); CFDictionaryRef a_message_to_a_peer = CFDictionaryCreateForCFTypes(NULL, message_to_peer_key, message, NULL); SOSTransportMessageTestAddBulkToChanges((SOSTransportMessageTestRef)testTransport, a_message_to_a_peer); 
@@ -630,10 +644,10 @@ static bool syncWithPeers(SOSTransportMessageRef transport, CFDictionaryRef circ if (isString(value)) { CFStringRef peerID = (CFStringRef) value; SOSEngineRef engine = SOSTransportMessageGetEngine(transport); - SOSEngineWithPeerID(engine, peerID, error, ^(SOSPeerRef peer, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState) { + SOSEngineWithPeerID(engine, peerID, error, ^(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState) { SOSEnginePeerMessageSentBlock sent = NULL; CFDataRef message_to_send = NULL; - bool ok = SOSPeerCoderSendMessageIfNeeded(engine, peer, &message_to_send, circleName, peerID, &sent, error); + bool ok = SOSPeerCoderSendMessageIfNeeded(engine, txn, peer, coder, &message_to_send, circleName, peerID, &sent, error); if (message_to_send) { CFDictionaryRef peer_dict = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, peerID, message_to_send, NULL); CFDictionarySetValue(SOSTransportMessageTestGetChanges((SOSTransportMessageTestRef)transport), circleName, peer_dict); @@ -708,7 +722,7 @@ static bool cleanupAfterPeer(SOSTransportMessageRef transport, CFDictionaryRef c return SOSTransportMessageTestCleanupAfterPeerMessages((SOSTransportMessageTestRef) transport, circle_to_peer_ids, error); } -SOSAccountRef SOSTransportMessageTestGetAccount(SOSTransportMessageTestRef transport) { +SOSAccountRef SOSTransportMessageTestGetAccount(SOSTransportMessageRef transport) { return ((SOSTransportMessageRef)transport)->account; } 
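Review bot: With the parameter now typed `SOSTransportMessageRef`, the `(SOSTransportMessageRef)transport` cast in `SOSTransportMessageTestGetAccount`'s return statement is a no-op and can go: `return transport->account;`. A one-line comment noting that the returned account is borrowed (not retained) would help the callers in SOSAccountTesting.h that now pass both KVS and IDS transports through this accessor.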
@@ -719,26 +733,34 @@ SOSAccountRef SOSTransportMessageTestGetAccount(SOSTransportMessageTestRef trans struct SOSTransportMessageIDSTest { struct __OpaqueSOSTransportMessage m; + CFBooleanRef useFragmentation; CFMutableDictionaryRef changes; CFStringRef name; CFStringRef circleName; }; - // // V-table implementation forward declarations // -static bool sendToPeerIDSTest(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID, CFDataRef message, CFErrorRef *error); +static bool sendDataToPeerIDSTest(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID, CFDataRef message, CFErrorRef *error); +static bool sendDictionaryToPeerIDSTest(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID, CFDictionaryRef message, CFErrorRef *error); + static bool syncWithPeersIDSTest(SOSTransportMessageRef transport, CFDictionaryRef circleToPeerIDs, CFErrorRef *error); static bool sendMessagesIDSTest(SOSTransportMessageRef transport, CFDictionaryRef circleToPeersToMessage, CFErrorRef *error); static void destroyIDSTest(SOSTransportMessageRef transport); static bool cleanupAfterPeerIDSTest(SOSTransportMessageRef transport, CFDictionaryRef circle_to_peer_ids, CFErrorRef *error); static bool flushChangesIDSTest(SOSTransportMessageRef transport, CFErrorRef *error); static CF_RETURNS_RETAINED CFDictionaryRef handleMessagesIDSTest(SOSTransportMessageRef transport, CFMutableDictionaryRef circle_peer_messages_table, CFErrorRef *error); +static CFStringRef copyIDSTestDescription(SOSTransportMessageRef object); +static CFIndex getIDSTestTransportType(SOSTransportMessageRef transport, CFErrorRef *error); + + -SOSTransportMessageIDSTestRef SOSTransportMessageIDSTestCreate(SOSAccountRef account, CFStringRef circleName, CFErrorRef *error) +SOSTransportMessageIDSTestRef SOSTransportMessageIDSTestCreate(SOSAccountRef account, CFStringRef accountName, CFStringRef 
circleName, CFErrorRef *error) { - SOSTransportMessageIDSTestRef ids = calloc(1, sizeof(struct SOSTransportMessageIDSTest)); + + SOSTransportMessageIDSTestRef ids = (SOSTransportMessageIDSTestRef) SOSTransportMessageCreateForSubclass(sizeof(struct SOSTransportMessageIDSTest) - sizeof(CFRuntimeBase), account, circleName, NULL); + if (ids) { // Fill in vtable: 
@@ -748,42 +770,68 @@ SOSTransportMessageIDSTestRef SOSTransportMessageIDSTestCreate(SOSAccountRef acc ids->m.cleanupAfterPeerMessages = cleanupAfterPeerIDSTest; ids->m.destroy = destroyIDSTest; ids->m.handleMessages = handleMessagesIDSTest; + ids->m.copyDescription = copyIDSTestDescription; + ids->m.getName = SOSTransportMessageIDSTestGetName; + ids->m.getTransportType = getIDSTestTransportType; + ids->useFragmentation = kCFBooleanTrue; + // Initialize ourselves - + ids->changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + ids->circleName = CFRetainSafe(circleName); + ids->name = CFRetainSafe(accountName); + + if(!message_transports) + message_transports = CFArrayCreateMutable(kCFAllocatorDefault, 0, NULL); + CFArrayAppendValue(message_transports, (SOSTransportMessageRef)ids); SOSRegisterTransportMessage((SOSTransportMessageRef)ids); } + return ids; } +CFMutableDictionaryRef SOSTransportMessageIDSTestGetChanges(SOSTransportMessageRef transport){ + return ((SOSTransportMessageIDSTestRef)transport)->changes; +} + +static CFStringRef copyIDSTestDescription(SOSTransportMessageRef transport){ + return CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@,%@,%@,%ld"),transport->circleName, transport->account, transport->getName(transport), transport->getTransportType(transport, NULL)); +} + +CFStringRef SOSTransportMessageIDSTestGetName(SOSTransportMessageRef transport){ + return ((SOSTransportMessageIDSTestRef)transport)->name; +} + +static CFIndex getIDSTestTransportType(SOSTransportMessageRef transport, CFErrorRef *error){ + return kIDSTest; +} + static void destroyIDSTest(SOSTransportMessageRef transport){ SOSUnregisterTransportMessage(transport); } +void SOSTransportMessageIDSTestSetName(SOSTransportMessageRef transport, CFStringRef accountName){ + SOSTransportMessageIDSTestRef t = (SOSTransportMessageIDSTestRef)transport; + t->name = accountName; +} + static CF_RETURNS_RETAINED CFDictionaryRef handleMessagesIDSTest(SOSTransportMessageRef 
transport, CFMutableDictionaryRef message, CFErrorRef *error) { + CFMutableDictionaryRef handled = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFDictionaryRef peerToMessage = CFDictionaryGetValue(message, transport->circleName); CFMutableArrayRef handled_peers = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - - if(message){ - CFDictionaryForEach(message, ^(const void *key, const void *value) { - CFStringRef peer_id = (CFStringRef) key; - CFDataRef peer_message = (CFDataRef) value; - __block CFErrorRef localError = NULL; - - //find the Peer ID if we are given a Device ID - SOSCircleRef circle = SOSAccountGetCircle(transport->account, error); - SOSCircleForEachPeer(circle, ^(SOSPeerInfoRef peer) { - CFStringRef deviceID = SOSPeerInfoCopyDeviceID(peer); - if(CFEqualSafe(deviceID, peer_id) || CFEqualSafe(SOSPeerInfoGetPeerID(peer), peer_id)){ - CFStringRef peerID = SOSPeerInfoGetPeerID(peer); - - if (SOSTransportMessageHandlePeerMessage(transport, peerID, peer_message, &localError)) { - CFArrayAppendValue(handled_peers, key); - } else { - secdebug("transport", "%@ IDSTransport handle message failed: %@", peer_id, localError); - } - } - CFReleaseNull(deviceID); - }); + + secerror("Received IDS message!"); + if(peerToMessage){ + CFDictionaryForEach(peerToMessage, ^(const void *key, const void *value) { + CFStringRef peer_id = asString(key, NULL); + CFDataRef peer_message = asData(value, NULL); + CFErrorRef localError = NULL; + + if (peer_id && peer_message && SOSTransportMessageHandlePeerMessage(transport, peer_id, peer_message, &localError)) { + CFArrayAppendValue(handled_peers, key); + } else { + secnotice("transport", "%@ KVSTransport handle message failed: %@", peer_id, localError); + } CFReleaseNull(localError); }); } 
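Review bot: `SOSTransportMessageIDSTestSetName` stores `accountName` by plain assignment while `SOSTransportMessageIDSTestCreate` retains it with `CFRetainSafe(accountName)`, so the previous name leaks and the new one is unretained; if the caller later releases its string, `copyIDSTestDescription` formats a dangling pointer. Use `CFRetainSafe(accountName); CFReleaseNull(t->name); t->name = accountName;`. `destroyIDSTest` likewise only calls `SOSUnregisterTransportMessage` and never releases the `changes`, `circleName` and `name` references that Create now allocates or retains. In `handleMessagesIDSTest` the old `if(message)` guard is gone, so `CFDictionaryGetValue(message, transport->circleName)` now runs on a possibly NULL table, and the failure log names `KVSTransport` inside the IDS test transport; that function's body continues past the end of the hunk.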
@@ -801,30 +849,40 @@ static void SOSTransportMessageIDSTestAddBulkToChanges(SOSTransportMessageIDSTes } else{ CFDictionaryForEach(updates, ^(const void *key, const void *value) { - CFDictionarySetValue(transport->changes, key, value); + CFDictionaryAddValue(transport->changes, key, value); }); } } -static bool sendToPeerIDSTest(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID, CFDataRef message, CFErrorRef *error) +static bool sendDataToPeerIDSTest(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID, CFDataRef message, CFErrorRef *error) { SOSTransportMessageIDSTestRef testTransport = (SOSTransportMessageIDSTestRef)transport; - SOSEngineRef engine = SOSTransportMessageGetEngine(transport); - CFStringRef my_id = SOSEngineGetMyID(engine); - - CFStringRef circle_to_transport_key = SOSMessageKeyCreateWithCircleNameAndTransportType(circleName, SOSTransportMessageTypeIDS); - CFDictionaryRef a_message_to_a_peer = CFDictionaryCreateForCFTypes(NULL, my_id, message, NULL); - - CFDictionaryRef transport_to_messages = CFDictionaryCreateForCFTypes(NULL, circle_to_transport_key, a_message_to_a_peer, NULL); + + secerror("sending message through test transport: %@", message); + CFStringRef message_to_peer_key = SOSMessageKeyCreateFromTransportToPeer(transport, peerID); + CFDictionaryRef a_message_to_a_peer = CFDictionaryCreateForCFTypes(NULL, message_to_peer_key, message, NULL); - SOSTransportMessageIDSTestAddBulkToChanges(testTransport, transport_to_messages); + SOSTransportMessageIDSTestAddBulkToChanges(testTransport, a_message_to_a_peer); + CFReleaseNull(message_to_peer_key); CFReleaseNull(a_message_to_a_peer); - CFReleaseNull(transport_to_messages); - CFReleaseNull(circle_to_transport_key); return true; } - +static bool sendDictionaryToPeerIDSTest(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID, CFDictionaryRef message, CFErrorRef 
*error) +{ + SOSTransportMessageIDSTestRef testTransport = (SOSTransportMessageIDSTestRef)transport; + + secerror("sending message through test transport: %@", message); + CFStringRef message_to_peer_key = SOSMessageKeyCreateFromTransportToPeer(transport, peerID); + CFDictionaryRef a_message_to_a_peer = CFDictionaryCreateForCFTypes(NULL, message_to_peer_key, message, NULL); + + SOSTransportMessageIDSTestAddBulkToChanges(testTransport, a_message_to_a_peer); + + CFReleaseNull(message_to_peer_key); + CFReleaseNull(a_message_to_a_peer); + return true; + +} static bool syncWithPeersIDSTest(SOSTransportMessageRef transport, CFDictionaryRef circleToPeerIDs, CFErrorRef *error){ // Each entry is keyed by circle name and contains a list of peerIDs 
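Review bot: `sendDataToPeerIDSTest` and `sendDictionaryToPeerIDSTest` have identical bodies apart from the static type of `message`, and both ignore their `circleName`, `deviceID` and `error` parameters; a shared helper taking `CFTypeRef` removes the duplication (sketch below). Both also log the full payload with `secerror("sending message through test transport: %@", message)` on every send, which is not an error condition — `secnotice`/`secdebug` fits the surrounding code better. The switch from `CFDictionarySetValue` to `CFDictionaryAddValue` in `SOSTransportMessageIDSTestAddBulkToChanges` means a second message queued under the same peer key before a flush is silently kept out rather than replacing the first; if that is the intent, a comment such as `// AddValue: keep the first queued message per peer until flushed` on that line should say so. `SOSTransportMessageIDSTestAddBulkToChanges` starts before this hunk.
```c
// Shared body for the two send entry points: queue one payload for peerID in the test change set.
static bool queueForPeerIDSTest(SOSTransportMessageRef transport, CFStringRef peerID, CFTypeRef message)
{
    SOSTransportMessageIDSTestRef testTransport = (SOSTransportMessageIDSTestRef)transport;

    secnotice("transport", "sending message through test transport: %@", message);
    CFStringRef message_to_peer_key = SOSMessageKeyCreateFromTransportToPeer(transport, peerID);
    CFDictionaryRef a_message_to_a_peer = CFDictionaryCreateForCFTypes(NULL, message_to_peer_key, message, NULL);

    SOSTransportMessageIDSTestAddBulkToChanges(testTransport, a_message_to_a_peer);

    CFReleaseNull(message_to_peer_key);
    CFReleaseNull(a_message_to_a_peer);
    return true;
}

static bool sendDataToPeerIDSTest(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID, CFDataRef message, CFErrorRef *error)
{
    return queueForPeerIDSTest(transport, peerID, message);
}

static bool sendDictionaryToPeerIDSTest(SOSTransportMessageRef transport, CFStringRef circleName, CFStringRef deviceID, CFStringRef peerID, CFDictionaryRef message, CFErrorRef *error)
{
    return queueForPeerIDSTest(transport, peerID, message);
}
```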
@@ -847,31 +905,55 @@ static bool syncWithPeersIDSTest(SOSTransportMessageRef transport, CFDictionaryR } static bool sendMessagesIDSTest(SOSTransportMessageRef transport, CFDictionaryRef circleToPeersToMessage, CFErrorRef *error) { + __block bool result = true; SOSCircleRef circle = SOSAccountGetCircle(transport->account, error); - + SOSPeerInfoRef myPeer = SOSAccountGetMyPeerInfo(transport->account); + __block CFStringRef peerID = NULL; + require_quiet(myPeer, fail); + CFDictionaryForEach(circleToPeersToMessage, ^(const void *key, const void *value) { if (isString(key) && isDictionary(value)) { CFStringRef circleName = (CFStringRef) key; - CFDictionaryForEach(value, ^(const void *key, const void *value) { - if (isString(key) && isData(value)) { - CFStringRef peerID = (CFStringRef) key; - CFDataRef message = (CFDataRef) value; + + CFDictionaryForEach(value, ^(const void *key1, const void *value1) { + if (isString(key1) && isDictionary(value1)) { + peerID = (CFStringRef) key1; + CFMutableDictionaryRef message = CFRetainSafe((CFMutableDictionaryRef) value1); SOSCircleForEachPeer(circle, ^(SOSPeerInfoRef peer) { - CFStringRef deviceID = SOSPeerInfoCopyDeviceID(peer); - if(CFEqualSafe(SOSPeerInfoGetPeerID(peer), peerID) || CFEqualSafe(deviceID, peerID)){ - bool rx = sendToPeerIDSTest(transport, circleName, deviceID, peerID, message, error); - result &= rx; + if(!CFEqualSafe(myPeer, peer)){ + CFStringRef deviceID = SOSPeerInfoCopyDeviceID(peer); + if(CFStringCompare(SOSPeerInfoGetPeerID(peer), peerID, 0) == 0){ + bool rx = false; + rx = sendDictionaryToPeerIDSTest(transport, circleName, deviceID, peerID, message, error); + result &= rx; + } + CFReleaseNull(deviceID); + } + }); + } + else{ + peerID = (CFStringRef) key1; + CFDataRef message = CFRetainSafe((CFDataRef) value1); + + SOSCircleForEachPeer(circle, ^(SOSPeerInfoRef peer) { + if(!CFEqualSafe(myPeer, peer)){ + + CFStringRef deviceID = SOSPeerInfoCopyDeviceID(peer); + if(CFStringCompare(SOSPeerInfoGetPeerID(peer), 
peerID, 0) == 0){ + bool rx = false; + rx = sendDataToPeerIDSTest(transport, circleName, deviceID, peerID, message, error); + result &= rx; + } CFReleaseNull(deviceID); } - CFReleaseNull(deviceID); }); } }); } }); - - return true; +fail: + return result; } static bool flushChangesIDSTest(SOSTransportMessageRef transport, CFErrorRef *error) @@ -884,3 +966,12 @@ static bool cleanupAfterPeerIDSTest(SOSTransportMessageRef transport, CFDictiona return true; } +void SOSTransportMessageIDSTestClearChanges(SOSTransportMessageRef transport){ + SOSTransportMessageIDSTestRef ids = (SOSTransportMessageIDSTestRef)transport; + CFReleaseNull(ids->changes); + + ids->changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + +} + + diff --git a/OSX/sec/securityd/Regressions/SOSTransportTestTransports.h b/OSX/sec/securityd/Regressions/SOSTransportTestTransports.h index f0a42443..9bb2016a 100644 --- a/OSX/sec/securityd/Regressions/SOSTransportTestTransports.h +++ b/OSX/sec/securityd/Regressions/SOSTransportTestTransports.h @@ -16,9 +16,9 @@ SOSTransportCircleTestRef SOSTransportTestCreateCircle(SOSAccountRef account, CF SOSTransportMessageTestRef SOSTransportTestCreateMessage(SOSAccountRef account, CFStringRef name, CFStringRef circleName); bool SOSTransportCircleTestRemovePendingChange(SOSTransportCircleRef transport, CFStringRef circleName, CFErrorRef *error); -CFMutableArrayRef key_transports; -CFMutableArrayRef circle_transports; -CFMutableArrayRef message_transports; +extern CFMutableArrayRef key_transports; +extern CFMutableArrayRef circle_transports; +extern CFMutableArrayRef message_transports; CFStringRef SOSTransportMessageTestGetName(SOSTransportMessageTestRef transport); CFStringRef SOSTransportCircleTestGetName(SOSTransportCircleTestRef transport); 
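Review bot: In `sendMessagesIDSTest` both branches take `CFRetainSafe` on `value1` to form `message` and never release it, so every message sent leaks one reference; either drop the retain (the dictionary being iterated already owns the value) or add `CFReleaseNull(message);` after each `SOSCircleForEachPeer` call. The `else` branch no longer checks `isData(value1)` before casting to `CFDataRef`, so a value of any other type is passed to `sendDataToPeerIDSTest` as data. `require_quiet(myPeer, fail)` jumps to `fail:` while `result` is still `true`, so a missing own peer info reports success — set `result = false` on that path. `CFStringCompare(SOSPeerInfoGetPeerID(peer), peerID, 0)` replaces the NULL-tolerant `CFEqualSafe` and will crash if either peer ID is NULL.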
@@ -33,7 +33,7 @@ CFMutableDictionaryRef SOSTransportMessageTestGetChanges(SOSTransportMessageTest CFMutableDictionaryRef SOSTransportCircleTestGetChanges(SOSTransportCircleTestRef transport); CFMutableDictionaryRef SOSTransportKeyParameterTestGetChanges(SOSTransportKeyParameterTestRef transport); -SOSAccountRef SOSTransportMessageTestGetAccount(SOSTransportMessageTestRef transport); +SOSAccountRef SOSTransportMessageTestGetAccount(SOSTransportMessageRef transport); SOSAccountRef SOSTransportCircleTestGetAccount(SOSTransportCircleTestRef transport); SOSAccountRef SOSTransportKeyParameterTestGetAccount(SOSTransportKeyParameterTestRef transport); @@ -47,10 +47,11 @@ void SOSTransportMessageTestClearChanges(SOSTransportMessageTestRef transport); //Test IDS transport -SOSTransportMessageIDSTestRef SOSTransportMessageIDSTestCreate(SOSAccountRef account, CFStringRef circleName, CFErrorRef *error); -CFMutableDictionaryRef SOSTransportMessageIDSTestGetChanges(SOSTransportMessageTestRef transport); -void SOSTransportMessageIDSTestSetName(SOSTransportMessageTestRef transport, CFStringRef accountName); -CFStringRef SOSTransportMessageIDSTestGetName(SOSTransportMessageTestRef transport); +SOSTransportMessageIDSTestRef SOSTransportMessageIDSTestCreate(SOSAccountRef account, CFStringRef accountName, CFStringRef circleName, CFErrorRef *error); +CFMutableDictionaryRef SOSTransportMessageIDSTestGetChanges(SOSTransportMessageRef transport); +void SOSTransportMessageIDSTestSetName(SOSTransportMessageRef transport, CFStringRef accountName); +CFStringRef SOSTransportMessageIDSTestGetName(SOSTransportMessageRef transport); +void SOSTransportMessageIDSTestClearChanges(SOSTransportMessageRef transport); #endif diff --git a/OSX/sec/securityd/Regressions/SecdTestKeychainUtilities.c b/OSX/sec/securityd/Regressions/SecdTestKeychainUtilities.c index 0591aac1..32891533 100644 --- a/OSX/sec/securityd/Regressions/SecdTestKeychainUtilities.c 
+++ b/OSX/sec/securityd/Regressions/SecdTestKeychainUtilities.c @@ -28,6 +28,7 @@ #include <utilities/SecFileLocations.h> #include <utilities/SecCFWrappers.h> #include <securityd/SecItemServer.h> +#include <Security/SecureObjectSync/SOSViews.h> #include <CoreFoundation/CoreFoundation.h> @@ -57,3 +58,22 @@ void secd_test_setup_temp_keychain(const char* test_prefix, dispatch_block_t do_ CFReleaseNull(tmp_dir); CFReleaseNull(keychain_dir); } + +CFStringRef kTestView1 = CFSTR("TestView1"); +CFStringRef kTestView2 = CFSTR("TestView2"); + +void secd_test_setup_testviews(void) { + static dispatch_once_t onceToken = 0; + + dispatch_once(&onceToken, ^{ + CFMutableSetRef testViews = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); + CFSetAddValue(testViews, kTestView1); + CFSetAddValue(testViews, kTestView2); + + SOSViewsSetTestViewsSet(testViews); + CFReleaseNull(testViews); + }); +} + + + diff --git a/OSX/sec/securityd/Regressions/SecdTestKeychainUtilities.h b/OSX/sec/securityd/Regressions/SecdTestKeychainUtilities.h index e7a1696c..cb179bca 100644 --- a/OSX/sec/securityd/Regressions/SecdTestKeychainUtilities.h +++ b/OSX/sec/securityd/Regressions/SecdTestKeychainUtilities.h @@ -26,8 +26,14 @@ #define _SECDTESTKEYCHAINUTILITIES_ #include <dispatch/dispatch.h> +#include <CoreFoundation/CoreFoundation.h> #define kSecdTestSetupTestCount 1 void secd_test_setup_temp_keychain(const char* test_prefix, dispatch_block_t do_before_reset); +extern CFStringRef kTestView1; +extern CFStringRef kTestView2; + +void secd_test_setup_testviews(void); + #endif diff --git a/OSX/sec/securityd/Regressions/secd-01-items.c b/OSX/sec/securityd/Regressions/secd-01-items.c index cb25fe2f..9b167286 100644 --- a/OSX/sec/securityd/Regressions/secd-01-items.c +++ b/OSX/sec/securityd/Regressions/secd-01-items.c 
@@ -42,6 +42,7 @@ int secd_01_items(int argc, char *const *argv) { plan_tests(24 + kSecdTestSetupTestCount); + secd_test_setup_testviews(); // if running all tests get the test views setup first /* custom keychain dir */ secd_test_setup_temp_keychain("secd_01_items", NULL); diff --git a/OSX/sec/securityd/Regressions/secd-05-corrupted-items.m b/OSX/sec/securityd/Regressions/secd-05-corrupted-items.m index b9427afa..bb4ba556 100644 --- a/OSX/sec/securityd/Regressions/secd-05-corrupted-items.m +++ b/OSX/sec/securityd/Regressions/secd-05-corrupted-items.m @@ -128,7 +128,7 @@ int secd_05_corrupted_items(int argc, char *const *argv) SecKeychainDbReset(^{ /* corrupt all the password */ - NSString *keychain_path = [(NSString *)__SecKeychainCopyPath() autorelease]; + NSString *keychain_path = CFBridgingRelease(__SecKeychainCopyPath()); char corrupt_item_sql[80]; sqlite3 *db; diff --git a/OSX/sec/securityd/Regressions/secd-100-initialsync.c b/OSX/sec/securityd/Regressions/secd-100-initialsync.c new file mode 100644 index 00000000..04dcfe2a --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-100-initialsync.c 
@@ -0,0 +1,126 @@ +// +// secd-100-initialsync.c +// sec +// + + +/* + * Copyright (c) 2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. 
+ * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#include <Security/SecBase.h> +#include <Security/SecItem.h> + +#include <CoreFoundation/CFDictionary.h> + +#include <Security/SecureObjectSync/SOSAccount.h> +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSInternal.h> +#include <Security/SecureObjectSync/SOSUserKeygen.h> +#include <Security/SecureObjectSync/SOSTransport.h> + +#include <stdlib.h> +#include <unistd.h> + +#include "secd_regressions.h" +#include <utilities/SecCFWrappers.h> +#include <Security/SecKeyPriv.h> + +#include <securityd/SOSCloudCircleServer.h> + +#include "SOSAccountTesting.h" + +#include "SecdTestKeychainUtilities.h" + +static int kTestTestCount = 43; + +static void tests(void) +{ + + CFErrorRef error = NULL; + CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); + CFStringRef cfaccount = CFSTR("test@test.org"); + + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + + SOSDataSourceFactoryRef test_factory = SOSTestDataSourceFactoryCreate(); + SOSDataSourceRef test_source = SOSTestDataSourceCreate(); + SOSTestDataSourceFactorySetDataSource(test_factory, CFSTR("TestType"), test_source); + + SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("AliceAccount"),CFSTR("TestType") ); + SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("BobAccount"),CFSTR("TestType") ); + + ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + + ok(SOSAccountJoinCircles_wTxn(alice_account, &error), "Join circle: %@", error); + ok(SOSAccountCheckHasBeenInSync_wTxn(alice_account), "Alice account initial sync done"); + + ok(SOSAccountAssertUserCredentialsAndUpdate(bob_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(error); + CFReleaseNull(cfpassword); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 
1, "updates"); + + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 4, "updates"); + + { + CFArrayRef applicants = SOSAccountCopyApplicants(alice_account, &error); + + ok(applicants && CFArrayGetCount(applicants) == 1, "See one applicant %@ (%@)", applicants, error); + ok(SOSAccountAcceptApplicants(alice_account, applicants, &error), "Alice accepts (%@)", error); + CFReleaseNull(error); + CFReleaseNull(applicants); + } + + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates"); + + accounts_agree("bob&alice pair", bob_account, alice_account); + + ok(!SOSAccountCheckHasBeenInSync_wTxn(bob_account), "Bob should not be initially synced"); + CFSetRef bob_viewSet = SOSPeerInfoCopyEnabledViews(SOSAccountGetMyPeerInfo(bob_account)); + is(CFSetGetCount(bob_viewSet), 5, "bob's initial view set should be just the 14 views"); + CFReleaseNull(bob_viewSet); + + ok(!SOSAccountCheckHasBeenInSync_wTxn(bob_account), "Bob should not be initially synced"); + SOSAccountPeerGotInSync_wTxn(bob_account, SOSAccountGetMyPeerInfo(alice_account)); + + bob_viewSet = SOSPeerInfoCopyEnabledViews(SOSAccountGetMyPeerInfo(bob_account)); + is(CFSetGetCount(bob_viewSet), 18, "bob's initial view set should be just the back up"); + CFReleaseNull(bob_viewSet); + +} + +int secd_100_initialsync(int argc, char *const *argv) +{ + plan_tests(kTestTestCount); + + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + + tests(); + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-130-other-peer-views.c b/OSX/sec/securityd/Regressions/secd-130-other-peer-views.c new file mode 100644 index 00000000..548e5802 --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-130-other-peer-views.c 
@@ -0,0 +1,186 @@ +// +// secd-130-other-peer-views.m +// sec +// +// Created by Mitch Adler on 7/9/16. +// +// + +#include <stdlib.h> +#include <unistd.h> + +#include "secd_regressions.h" + +#include "SOSRegressionUtilities.h" +#include <utilities/SecCFWrappers.h> +#include <Security/SecKeyPriv.h> + +#include "SecdTestKeychainUtilities.h" + +#include "SOSAccountTesting.h" + +#include <Security/SecureObjectSync/SOSAccount.h> + +#define kTestTestCount 109 + +#define kAccountPasswordString ((uint8_t*) "FooFooFoo") +#define kAccountPasswordStringLen 10 + +static void tests(void) { + CFErrorRef error = NULL; + + // Unretained aliases. + CFDataRef cfpassword = CFDataCreate(NULL, kAccountPasswordString, kAccountPasswordStringLen); + CFStringRef cfaccount = CFSTR("test@test.org"); + CFMutableDictionaryRef cfchanges = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + + SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("Alice"), CFSTR("TestSource")); + SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("Bob"), CFSTR("TestSource")); + SOSAccountRef carole_account = CreateAccountForLocalChanges(CFSTR("Carole"), CFSTR("TestSource")); + SOSAccountRef david_account = CreateAccountForLocalChanges(CFSTR("David"), CFSTR("TestSource")); + + CFArrayRef aView = CFArrayCreateForCFTypes(kCFAllocatorDefault, + kSOSViewPCSMasterKey, + NULL); + + CFArrayRef wifiView = CFArrayCreateForCFTypes(kCFAllocatorDefault, + kSOSViewWiFi, + NULL); + + CFArrayRef otherView = CFArrayCreateForCFTypes(kCFAllocatorDefault, + kSOSViewOtherSyncable, + NULL); + + CFArrayRef otherAndWifiViews = CFArrayCreateForCFTypes(kCFAllocatorDefault, + kSOSViewWiFi, + kSOSViewOtherSyncable, + NULL); + + is(SOSAccountPeersHaveViewsEnabled(carole_account, aView, &error), NULL, "Peer views empty (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountAssertUserCredentialsAndUpdate(bob_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + + // Bob wins writing at 
this point, feed the changes back to alice. + is(ProcessChangesUntilNoChange(cfchanges, alice_account, bob_account, carole_account, david_account, NULL), 1, "updates"); + + ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountAssertUserCredentialsAndUpdate(carole_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountAssertUserCredentialsAndUpdate(david_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(cfpassword); + CFReleaseNull(error); + + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(cfchanges, alice_account, bob_account, carole_account, david_account, NULL), 2, "updates"); + + is(SOSAccountPeersHaveViewsEnabled(alice_account, aView, &error), kCFBooleanFalse, "Peer views empty (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountJoinCircles_wTxn(carole_account, &error), "Carole Applies too (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountJoinCircles_wTxn(david_account, &error), "David Applies too (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(cfchanges, alice_account, bob_account, carole_account, david_account, NULL), 4, "updates"); + + is(SOSAccountPeersHaveViewsEnabled(carole_account, aView, &error), NULL, "Peer views empty (%@)", error); + CFReleaseNull(error); + + { + CFArrayRef applicants = SOSAccountCopyApplicants(alice_account, &error); + + ok(applicants && CFArrayGetCount(applicants) == 3, "See three applicants %@ (%@)", applicants, error); + CFReleaseNull(error); + ok(SOSAccountAcceptApplicants(alice_account, applicants, &error), "Accept bob into the fold"); + CFReleaseNull(error); + 
CFReleaseSafe(applicants); + } + + is(ProcessChangesUntilNoChange(cfchanges, alice_account, bob_account, carole_account, david_account, NULL), 5, "updates"); + + // Make all views work buy finishing initial sync. + SOSAccountPeerGotInSync_wTxn(bob_account, SOSAccountGetMyPeerInfo(alice_account)); + SOSAccountPeerGotInSync_wTxn(carole_account, SOSAccountGetMyPeerInfo(alice_account)); + SOSAccountPeerGotInSync_wTxn(david_account, SOSAccountGetMyPeerInfo(alice_account)); + + is(ProcessChangesUntilNoChange(cfchanges, alice_account, bob_account, carole_account, david_account, NULL), 4, "updates"); + + is(SOSAccountPeersHaveViewsEnabled(alice_account, aView, &error), kCFBooleanTrue, "Peer views empty (%@)", error); + CFReleaseNull(error); + + is(SOSAccountPeersHaveViewsEnabled(alice_account, wifiView, &error), kCFBooleanFalse, "Peer views empty (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountUpdateView_wTxn(alice_account, kSOSViewWiFi, kSOSCCViewEnable, &error), "Enable view (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountUpdateView_wTxn(bob_account, kSOSViewOtherSyncable, kSOSCCViewEnable, &error), "Enable view (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(cfchanges, alice_account, bob_account, carole_account, david_account, NULL), 3, "updates"); + + is(SOSAccountPeersHaveViewsEnabled(alice_account, wifiView, &error), kCFBooleanFalse, "Wifi view for Alice (%@)", error); + CFReleaseNull(error); + + is(SOSAccountPeersHaveViewsEnabled(alice_account, otherView, &error), kCFBooleanTrue, "other view for Alice (%@)", error); + CFReleaseNull(error); + + is(SOSAccountPeersHaveViewsEnabled(alice_account, otherAndWifiViews, &error), kCFBooleanFalse, "both for Alice (%@)", error); + CFReleaseNull(error); + + is(SOSAccountPeersHaveViewsEnabled(bob_account, wifiView, &error), kCFBooleanTrue, "Wifi view for Bob (%@)", error); + CFReleaseNull(error); + + is(SOSAccountPeersHaveViewsEnabled(bob_account, otherView, &error), kCFBooleanFalse, 
"other view for Bob (%@)", error); + CFReleaseNull(error); + + is(SOSAccountPeersHaveViewsEnabled(bob_account, otherAndWifiViews, &error), kCFBooleanFalse, "both for Bob (%@)", error); + CFReleaseNull(error); + + is(SOSAccountPeersHaveViewsEnabled(carole_account, wifiView, &error), kCFBooleanTrue, "Wifi view for Carole (%@)", error); + CFReleaseNull(error); + + is(SOSAccountPeersHaveViewsEnabled(carole_account, otherView, &error), kCFBooleanTrue, "other view for Carole (%@)", error); + CFReleaseNull(error); + + is(SOSAccountPeersHaveViewsEnabled(carole_account, otherAndWifiViews, &error), kCFBooleanTrue, "both for Carole (%@)", error); + CFReleaseNull(error); + + CFReleaseNull(aView); + CFReleaseNull(wifiView); + CFReleaseNull(otherView); + CFReleaseNull(otherAndWifiViews); + + CFReleaseNull(bob_account); + CFReleaseNull(alice_account); + CFReleaseNull(carole_account); + CFReleaseNull(david_account); + + SOSUnregisterAllTransportMessages(); + SOSUnregisterAllTransportCircles(); + SOSUnregisterAllTransportKeyParameters(); + CFArrayRemoveAllValues(key_transports); + CFArrayRemoveAllValues(circle_transports); + CFArrayRemoveAllValues(message_transports); +} + +int secd_130_other_peer_views(int argc, char *const *argv) +{ + plan_tests(kTestTestCount); + + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + + tests(); + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-20-keychain_upgrade.m b/OSX/sec/securityd/Regressions/secd-20-keychain_upgrade.m index c33d9904..d4ecd92f 100644 --- a/OSX/sec/securityd/Regressions/secd-20-keychain_upgrade.m +++ b/OSX/sec/securityd/Regressions/secd-20-keychain_upgrade.m @@ -35,7 +35,7 @@ #import <Security/SecItem.h> #import <Security/SecItemPriv.h> #import <Security/SecInternal.h> -#import <utilities/SecCFWrappers.h> +#import <utilities/SecCFRelease.h> #import <utilities/SecFileLocations.h> #import <securityd/SecItemServer.h> 
@@ -82,8 +82,7 @@ keychain_upgrade(bool musr, const char *dbname) is(res, 0, "SecItemAdd(user)"); SecKeychainDbReset(^{ - NSString *keychain_path = (NSString *)__SecKeychainCopyPath(); - [keychain_path autorelease]; + NSString *keychain_path = CFBridgingRelease(__SecKeychainCopyPath()); /* Create a new keychain sqlite db */ sqlite3 *db; diff --git a/OSX/sec/securityd/Regressions/secd-200-logstate.c b/OSX/sec/securityd/Regressions/secd-200-logstate.c new file mode 100644 index 00000000..42d71509 --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-200-logstate.c 
@@ -0,0 +1,209 @@
+/*
+ * Copyright (c) 2013-2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+//
+// secd-200-logstate.c
+// sec
+//
+
+#include <stdio.h>
+
+
+
+
+#include <Security/SecBase.h>
+#include <Security/SecItem.h>
+
+#include <CoreFoundation/CFDictionary.h>
+
+#include <Security/SecureObjectSync/SOSAccount.h>
+#include <Security/SecureObjectSync/SOSCloudCircle.h>
+#include <Security/SecureObjectSync/SOSInternal.h>
+#include <Security/SecureObjectSync/SOSUserKeygen.h>
+#include <Security/SecureObjectSync/SOSTransport.h>
+#include "SOSCloudKeychainLogging.h"
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "secd_regressions.h"
+#include "SOSTestDataSource.h"
+
+#include "SOSRegressionUtilities.h"
+#include <utilities/SecCFWrappers.h>
+#include <Security/SecKeyPriv.h>
+
+#include <securityd/SOSCloudCircleServer.h>
+
+#include "SOSAccountTesting.h"
+
+#include "SecdTestKeychainUtilities.h"
+
+#define HOW_MANY_MINIONS 4
+
+static int kTestTestCount = (5+(HOW_MANY_MINIONS+1)*20);
+
+
+static bool SOSArrayForEachAccount(CFArrayRef accounts, bool
(^operation)(SOSAccountRef account)) {
+ __block bool retval = true;
+ CFArrayForEach(accounts, ^(const void *value) {
+ SOSAccountRef account = (SOSAccountRef) value;
+ retval &= operation(account);
+ });
+ return retval;
+}
+
+
+static inline void FeedChangesToMasterMinions(CFMutableDictionaryRef changes, SOSAccountRef master_account, CFArrayRef minion_accounts) {
+ FeedChangesTo(changes, master_account);
+ SOSArrayForEachAccount(minion_accounts, ^bool(SOSAccountRef account) {
+ FeedChangesTo(changes, account);
+ return true;
+ });
+ FeedChangesTo(changes, master_account);
+
+}
+
+
+static inline bool ProcessChangesOnceMasterMinions(CFMutableDictionaryRef changes, SOSAccountRef master_account, CFArrayRef minion_accounts) {
+ bool result = FillAllChanges(changes);
+ FeedChangesToMasterMinions(changes, master_account, minion_accounts);
+ return result;
+}
+
+static inline int ProcessChangesForMasterAndMinions(CFMutableDictionaryRef changes, SOSAccountRef master_account, CFArrayRef minion_accounts) {
+ int result = 0;
+ bool new_data = false;
+ do {
+ new_data = ProcessChangesOnceMasterMinions(changes, master_account, minion_accounts);
+ ++result;
+ } while (new_data);
+ return result;
+}
+
+static bool MakeTheBigCircle(CFMutableDictionaryRef changes, SOSAccountRef master_account, CFArrayRef minion_accounts, CFErrorRef *error) {
+ bool retval = SOSAccountResetToOffering_wTxn(master_account, error);
+ require_quiet(retval, errOut);
+ ProcessChangesForMasterAndMinions(changes, master_account, minion_accounts);
+ retval = SOSArrayForEachAccount(minion_accounts, ^bool(SOSAccountRef account) {
+ bool localret = SOSAccountJoinCircles_wTxn(account, error);
+ ProcessChangesForMasterAndMinions(changes, master_account, minion_accounts);
+ return localret;
+ });
+ require_quiet(retval, errOut);
+ CFArrayRef applicants = SOSAccountCopyApplicants(master_account, error);
+ retval = SOSAccountAcceptApplicants(master_account , applicants, error);
+
ProcessChangesForMasterAndMinions(changes, master_account, minion_accounts);
+errOut:
+ return retval;
+}
+
+
+static CFArrayRef CreateManyAccountsForLocalChanges(CFStringRef namefmt, CFStringRef data_source_name, size_t howmany) {
+ CFMutableArrayRef accounts = CFArrayCreateMutable(kCFAllocatorDefault, howmany, &kCFTypeArrayCallBacks);
+
+ for(size_t i = 0; i < howmany; i++) {
+ CFStringRef tmpname = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, namefmt, i);
+ SOSAccountRef tmp = CreateAccountForLocalChanges(tmpname, CFSTR("TestSource"));
+ CFArraySetValueAtIndex(accounts, i, tmp);
+ CFReleaseNull(tmpname);
+ CFReleaseNull(tmp);
+ }
+ return accounts;
+}
+
+static bool AssertAllCredentialsAndUpdate(CFMutableDictionaryRef changes, SOSAccountRef master_account, CFArrayRef minion_accounts, CFStringRef user_account, CFDataRef user_password, CFErrorRef *error) {
+ __block bool retval = SOSAccountAssertUserCredentialsAndUpdate(master_account, user_account, user_password, error);
+ ProcessChangesForMasterAndMinions(changes, master_account, minion_accounts);
+ retval &= SOSArrayForEachAccount(minion_accounts, ^bool(SOSAccountRef account) {
+ CFReleaseNull(*error);
+ return SOSAccountAssertUserCredentialsAndUpdate(account, user_account, user_password, error);
+ });
+ CFReleaseNull(*error);
+
+ return retval;
+}
+
+static void tests(void)
+{
+ CFErrorRef error = NULL;
+ CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10);
+ CFStringRef cfaccount = CFSTR("test@test.org");
+
+ CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
+
+ SOSAccountRef master_account = CreateAccountForLocalChanges(CFSTR("master"), CFSTR("TestSource"));
+ CFArrayRef minion_accounts = CreateManyAccountsForLocalChanges(CFSTR("minion%d"), CFSTR("TestSource"), HOW_MANY_MINIONS);
+
+ ok(AssertAllCredentialsAndUpdate(changes, master_account, minion_accounts, cfaccount, cfpassword, &error), "Credential setting (%@)", error);
+
+ secLogEnable();
+ SOSAccountLogState(master_account);
+ secLogDisable();
+
+ ok(MakeTheBigCircle(changes, master_account, minion_accounts, &error), "Get Everyone into the circle %@", error);
+
+ diag("WHAT?");
+ secLogEnable();
+ SOSAccountLogState(master_account);
+ SOSAccountLogViewState(master_account);
+ SOSCloudKVSLogState();
+ secLogDisable();
+
+ CFDataRef acctData = SOSAccountCopyEncodedData(master_account, kCFAllocatorDefault, &error);
+ diag("Account DER Size is %d for %d peers", CFDataGetLength(acctData), HOW_MANY_MINIONS+1);
+ CFReleaseNull(acctData);
+ CFReleaseNull(error);
+
+ CFDataRef circleData = SOSCircleCopyEncodedData(master_account->trusted_circle, kCFAllocatorDefault, &error);
+ diag("Circle DER Size is %d for %d peers", CFDataGetLength(circleData), HOW_MANY_MINIONS+1);
+ CFReleaseNull(circleData);
+ CFReleaseNull(error);
+
+ CFDataRef peerData = SOSPeerInfoCopyEncodedData(SOSAccountGetMyPeerInfo(master_account), kCFAllocatorDefault, &error);
+ diag("Peer DER Size is %d", CFDataGetLength(peerData));
+ CFReleaseNull(peerData);
+ CFReleaseNull(error);
+
+ CFReleaseNull(error);
+ CFReleaseNull(master_account);
+ CFReleaseNull(minion_accounts);
+
+ SOSUnregisterAllTransportMessages();
+ SOSUnregisterAllTransportCircles();
+ SOSUnregisterAllTransportKeyParameters();
+ CFArrayRemoveAllValues(key_transports);
+ CFArrayRemoveAllValues(circle_transports);
+ CFArrayRemoveAllValues(message_transports);
+
+}
+
+int secd_200_logstate(int argc, char *const *argv)
+{
+ plan_tests(kTestTestCount);
+
+ secd_test_setup_temp_keychain(__FUNCTION__, NULL);
+
+ tests();
+
+ return 0;
+}
diff --git a/OSX/sec/securityd/Regressions/secd-21-transmogrify.m b/OSX/sec/securityd/Regressions/secd-21-transmogrify.m
index 97bc756d..00eeca6a 100644
--- a/OSX/sec/securityd/Regressions/secd-21-transmogrify.m
+++ b/OSX/sec/securityd/Regressions/secd-21-transmogrify.m
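Review bot: MakeTheBigCircle never releases `applicants`, the array SOSAccountCopyApplicants hands back under the Copy rule, so it leaks on both the success path and the `errOut` path; add `CFReleaseNull(applicants);` directly after the SOSAccountAcceptApplicants call. The three `diag("... DER Size is %d ...")` lines in tests() pass the CFIndex returned by CFDataGetLength to `%d` — use `%ld` with a `(long)` cast — and they call CFDataGetLength unconditionally although each preceding Copy call can return NULL with `error` set. CreateManyAccountsForLocalChanges ignores its `data_source_name` parameter and hard-codes `CFSTR("TestSource")`, and feeds a `size_t` through the caller's `"minion%d"` format; pass the parameter through and match the format, e.g. `CFStringCreateWithFormat(kCFAllocatorDefault, NULL, namefmt, (int)i)`. tests() also never releases `cfpassword` or `changes`, unlike the accounts and error it cleans up at the end.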
@@ -113,8 +113,8 @@ secd_21_transmogrify(int argc, char *const *argv)
 ok(isDictionary(result), "found item");
 if (isDictionary(result)) {
- NSData *data = ((NSDictionary *)result)[@"musr"];
- ok([data isEqual:(id)SecMUSRGetSystemKeychainUUID()], "item is system keychain");
+ NSData *data = ((__bridge NSDictionary *)result)[@"musr"];
+ ok([data isEqual:(__bridge id)SecMUSRGetSystemKeychainUUID()], "item is system keychain");
 } else {
 ok(0, "returned item is: %@", result);
 }
@@ -124,7 +124,7 @@ secd_21_transmogrify(int argc, char *const *argv)
 * Check sync bubble
 */
- res = _SecItemAdd((CFDictionaryRef)@{
+ res = _SecItemAdd((__bridge CFDictionaryRef)@{
 (id)kSecClass : (id)kSecClassGenericPassword,
 (id)kSecAttrAccessGroup : @"com.apple.ProtectedCloudStorage",
 (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock,
@@ -132,7 +132,7 @@ secd_21_transmogrify(int argc, char *const *argv)
 }, &client, NULL, NULL);
 is(res, true, "SecItemAdd(user)");
- res = _SecItemCopyMatching((CFDictionaryRef)@{
+ res = _SecItemCopyMatching((__bridge CFDictionaryRef)@{
 (id)kSecClass : (id)kSecClassGenericPassword,
 (id)kSecAttrAccount : @"pcs-label-me",
 (id)kSecReturnAttributes : (id)kCFBooleanTrue,
@@ -142,7 +142,7 @@ secd_21_transmogrify(int argc, char *const *argv)
 ok(isDictionary(result), "result is dictionary");
 /* Check that data are in 502 active user keychain */
- ok (CFEqualSafe(((__bridge NSDictionary *)result)[@"musr"], musr), "not in msr 502");
+ ok (CFEqualSafe(((__bridge CFDataRef)((__bridge NSDictionary *)result)[@"musr"]), musr), "not in msr 502");
 CFReleaseNull(result);
@@ -156,7 +156,7 @@ secd_21_transmogrify(int argc, char *const *argv)
 * first check normal keychain
 */
- res = _SecItemCopyMatching((CFDictionaryRef)@{
+ res = _SecItemCopyMatching((__bridge CFDictionaryRef)@{
 (id)kSecClass : (id)kSecClassGenericPassword,
 (id)kSecAttrAccount : @"pcs-label-me",
 (id)kSecReturnAttributes : (id)kCFBooleanTrue,
@@ -172,7 +172,7 @@ secd_21_transmogrify(int argc, char *const *argv)
 * then syncbubble keychain
 */
- res = _SecItemCopyMatching((CFDictionaryRef)@{
+ res = _SecItemCopyMatching((__bridge CFDictionaryRef)@{
 (id)kSecClass : (id)kSecClassGenericPassword,
 (id)kSecAttrAccount : @"pcs-label-me",
 (id)kSecReturnAttributes : (id)kCFBooleanTrue,
@@ -185,7 +185,7 @@ secd_21_transmogrify(int argc, char *const *argv)
 SecSecuritySetMusrMode(false, 501, -1);
- SecAccessGroupsSetCurrent((__bridge CFArrayRef)currentACL);
+ SecAccessGroupsSetCurrent(currentACL);
 CFRelease(musr);
 #else
diff --git a/OSX/sec/securityd/Regressions/secd-31-keychain-bad.c b/OSX/sec/securityd/Regressions/secd-31-keychain-bad.c
index b4c8c026..c5b2d582 100644
--- a/OSX/sec/securityd/Regressions/secd-31-keychain-bad.c
+++ b/OSX/sec/securityd/Regressions/secd-31-keychain-bad.c
@@ -99,7 +99,7 @@ static void tests(void)
 ok_status(SecItemDelete(query),"Deleted the item we added");
- is(__security_simulatecrash_enable(true), 3, "expecting 3 simcrashes from opening DB connection");
+ is(__security_simulatecrash_enable(true), 1, "expecting 1 simcrashes from opening DB connection");
 CFRelease(query);
 CFRelease(eighty);
diff --git a/OSX/sec/securityd/Regressions/secd-31-keychain-unreadable.c b/OSX/sec/securityd/Regressions/secd-31-keychain-unreadable.c
index 6d3e96ae..2001431a 100644
--- a/OSX/sec/securityd/Regressions/secd-31-keychain-unreadable.c
+++ b/OSX/sec/securityd/Regressions/secd-31-keychain-unreadable.c
@@ -90,7 +90,7 @@ static void tests(void)
 int crash_count = __security_simulatecrash_enable(true);
 ok(crash_count == 0 || crash_count == 1, "Expecting no or one simcrash from recovery of corrupted DB");
 #else
- is(__security_simulatecrash_enable(true), 1, "Expecting simcrash from recovery of corrupted DB");
+ is(__security_simulatecrash_enable(true), 0, "Not Expecting simcrash from recovery of corrupted DB");
 #endif
 CFReleaseSafe(eighty);
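Review bot: The expected simulated-crash count in secd-31-keychain-bad.c drops from 3 to 1 with nothing in the hunk saying which crash sites disappeared from the DB-open path, so the next person to see this assertion fail cannot tell whether 1 is the contract or a snapshot; the same applies to the `#else` branch in secd-31-keychain-unreadable.c, which now demands exactly 0 while the `#if` branch directly above it still tolerates 0 or 1. A one-line comment above each assertion naming the code path that no longer simulates a crash would fix that, and the keychain-bad message should read `"expecting 1 simcrash from opening DB connection"` rather than "1 simcrashes". Both assertions sit inside tests() bodies that begin and end outside the hunks.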
diff --git a/OSX/sec/securityd/Regressions/secd-33-keychain-ctk.c b/OSX/sec/securityd/Regressions/secd-33-keychain-ctk.c
deleted file mode 100644
index c153b4cd..00000000
--- a/OSX/sec/securityd/Regressions/secd-33-keychain-ctk.c
+++ /dev/null
@@ -1,662 +0,0 @@ -/* - * Copyright (c) 2015 Apple Inc. All rights reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecFramework.h> -#include <Security/SecBase.h> -#include <Security/SecItem.h> -#include <Security/SecItemPriv.h> -#include <Security/SecKey.h> -#include <Security/SecKeyPriv.h> -#include <Security/SecECKey.h> -#include <Security/SecAccessControl.h> -#include <Security/SecAccessControlPriv.h> -#include <Security/SecInternal.h> -#include <utilities/SecFileLocations.h> -#include <utilities/SecCFWrappers.h> -#include <utilities/SecCFError.h> - -#include <libaks_acl_cf_keys.h> - -#include <ctkclient_test.h> -#include <coreauthd_spi.h> - -#include "secd_regressions.h" - -#include "SecdTestKeychainUtilities.h" -#include "SecKeybagSupport.h" - -extern void LASetErrorCodeBlock(CFErrorRef (^newCreateErrorBlock)(void)); - -static void test_item_add(void) { - - static const UInt8 data[] = { 0x01, 0x02, 0x03, 0x04 }; - CFDataRef valueData = CFDataCreate(NULL, data, sizeof(data)); - static const UInt8 oid[] = { 0x05, 0x06, 
0x07, 0x08 }; - CFDataRef oidData = CFDataCreate(NULL, oid, sizeof(oid)); - - CFMutableDictionaryRef attrs = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecClass, kSecClassGenericPassword, - kSecAttrTokenID, CFSTR("tokenid"), - kSecAttrService, CFSTR("ctktest-service"), - kSecValueData, valueData, - kSecReturnAttributes, kCFBooleanTrue, - NULL); - // Setup token hook. - __block int phase = 0; - TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) { - phase++; - eq_cf(CFDictionaryGetValue(attributes, kSecAttrTokenID), CFSTR("tokenid")); - - blocks->createOrUpdateObject = Block_copy(^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) { - phase++; - is(objectID, NULL); - eq_cf(CFDictionaryGetValue(at, kSecClass), kSecClassGenericPassword); - eq_cf(CFDictionaryGetValue(at, kSecAttrService), CFDictionaryGetValue(attrs, kSecAttrService)); - eq_cf(CFDictionaryGetValue(at, kSecAttrTokenID), CFSTR("tokenid")); - eq_cf(CFDictionaryGetValue(at, kSecValueData), valueData); - CFDictionaryRemoveValue(at, kSecValueData); - return CFRetainSafe(oidData); - }); - - blocks->copyObjectAccessControl = Block_copy(^CFDataRef(CFDataRef oid, CFErrorRef *error) { - phase++; - SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL); - SecAccessControlSetProtection(ac, kSecAttrAccessibleAlways, NULL); - SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL); - CFDataRef acData = SecAccessControlCopyData(ac); - CFRelease(ac); - return acData; - }); - - blocks->copyObjectData = Block_copy(^CFTypeRef(CFDataRef oid, CFErrorRef *error) { - phase++; - return CFRetain(valueData); - }); - }); - - CFTypeRef result = NULL; - ok_status(SecItemAdd(attrs, &result)); - eq_cf(CFDictionaryGetValue(result, kSecAttrService), CFSTR("ctktest-service")); - eq_cf(CFDictionaryGetValue(result, kSecAttrTokenID), CFSTR("tokenid")); - is(CFDictionaryGetValue(result, kSecValueData), NULL); - CFReleaseNull(result); - - is(phase, 
3); - - phase = 0; - CFDictionarySetValue(attrs, kSecReturnData, kCFBooleanTrue); - CFDictionarySetValue(attrs, kSecAttrService, CFSTR("ctktest-service1")); - ok_status(SecItemAdd(attrs, &result)); - eq_cf(CFDictionaryGetValue(result, kSecAttrService), CFSTR("ctktest-service1")); - eq_cf(CFDictionaryGetValue(result, kSecAttrTokenID), CFSTR("tokenid")); - eq_cf(CFDictionaryGetValue(result, kSecValueData), valueData); - CFReleaseNull(result); - - is(phase, 4); - - phase = 0; - CFDictionaryRemoveValue(attrs, kSecReturnAttributes); - CFDictionarySetValue(attrs, kSecAttrAccount, CFSTR("2nd")); - ok_status(SecItemAdd(attrs, &result)); - eq_cf(result, valueData); - CFReleaseNull(result); - is(phase, 4); - - CFRelease(attrs); - CFRelease(valueData); - CFRelease(oidData); -} -static const int kItemAddTestCount = 31; - -static void test_item_query() { - static const UInt8 oid[] = { 0x05, 0x06, 0x07, 0x08 }; - CFDataRef oidData = CFDataCreate(NULL, oid, sizeof(oid)); - static const UInt8 data[] = { 0x01, 0x02, 0x03, 0x04 }; - CFDataRef valueData = CFDataCreate(NULL, data, sizeof(data)); - CFDataRef valueData2 = CFDataCreate(NULL, data, sizeof(data) - 1); - - __block int phase = 0; - TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) { - phase++; - eq_cf(CFDictionaryGetValue(attributes, kSecAttrTokenID), CFSTR("tokenid")); - - blocks->copyObjectData = _Block_copy(^CFTypeRef(CFDataRef oid, CFErrorRef *error) { - phase++; - return CFRetain(valueData); - }); - }); - - // Add non-token item with the same service, to test queries returning mixed results. - CFMutableDictionaryRef attrs = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecClass, kSecClassGenericPassword, - kSecAttrService, CFSTR("ctktest-service"), - kSecValueData, valueData2, - NULL); - ok_status(SecItemAdd(attrs, NULL)); - CFRelease(attrs); - - // Query with service. 
- CFMutableDictionaryRef query; - query = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecClass, kSecClassGenericPassword, - kSecAttrService, CFSTR("ctktest-service"), - kSecReturnAttributes, kCFBooleanTrue, - kSecReturnData, kCFBooleanTrue, - NULL); - - phase = 0; - CFTypeRef result = NULL; - ok_status(SecItemCopyMatching(query, &result)); - is(phase, 2); - is(CFGetTypeID(result), CFDictionaryGetTypeID()); - eq_cf(CFDictionaryGetValue(result, kSecValueData), valueData); - is(CFGetTypeID(CFDictionaryGetValue(result, kSecAttrAccessControl)), SecAccessControlGetTypeID()); - eq_cf(CFDictionaryGetValue(result, kSecAttrService), CFSTR("ctktest-service")); - CFReleaseSafe(result); - - phase = 0; - CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll); - ok_status(SecItemCopyMatching(query, &result)); - is(phase, 2); - is(CFGetTypeID(result), CFArrayGetTypeID()); - is(CFArrayGetCount(result), 2); - CFReleaseSafe(result); - - phase = 0; - CFDictionaryRemoveValue(query, kSecMatchLimit); - CFDictionaryRemoveValue(query, kSecReturnData); - ok_status(SecItemCopyMatching(query, &result)); - is(phase, 0); - is(CFGetTypeID(result), CFDictionaryGetTypeID()); - is(CFDictionaryGetValue(result, kSecValueData), NULL); - CFReleaseSafe(result); - - phase = 0; - CFDictionaryRemoveValue(query, kSecReturnAttributes); - CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue); - CFDictionarySetValue(query, kSecAttrTokenID, CFSTR("tokenid")); - ok_status(SecItemCopyMatching(query, &result)); - is(phase, 2); - eq_cf(result, valueData); - CFReleaseSafe(result); - - CFRelease(query); - CFRelease(valueData); - CFRelease(valueData2); - CFRelease(oidData); -} -static const int kItemQueryTestCount = 21; - -static void test_item_update() { - static const UInt8 data[] = { 0x01, 0x02, 0x03, 0x04 }; - CFDataRef valueData2 = CFDataCreate(NULL, data, sizeof(data) - 1); - CFTypeRef result = NULL; - - CFMutableDictionaryRef query, attrs; - - // Setup token hook. 
- __block int phase = 0; - __block bool store_value = false; - TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) { - phase++; - eq_cf(CFDictionaryGetValue(attributes, kSecAttrTokenID), CFSTR("tokenid")); - - blocks->createOrUpdateObject = Block_copy(^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) { - phase++; - eq_cf(CFDictionaryGetValue(at, kSecValueData), valueData2); - if (!store_value) { - CFDictionaryRemoveValue(at, kSecValueData); - } - return CFRetainSafe(objectID); - }); - - blocks->copyObjectAccessControl = Block_copy(^CFDataRef(CFDataRef oid, CFErrorRef *error) { - phase++; - SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL); - SecAccessControlSetProtection(ac, kSecAttrAccessibleAlways, NULL); - SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL); - CFDataRef acData = SecAccessControlCopyData(ac); - CFRelease(ac); - return acData; - }); - - blocks->copyObjectData = Block_copy(^CFTypeRef(CFDataRef oid, CFErrorRef *error) { - phase++; - return CFRetain(valueData2); - }); - }); - - query = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecClass, kSecClassGenericPassword, - kSecAttrTokenID, CFSTR("tokenid"), - kSecAttrService, CFSTR("ctktest-service"), - NULL); - - attrs = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecValueData, valueData2, - NULL); - - ok_status(SecItemUpdate(query, attrs)); - is(phase, 3); - - phase = 0; - CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue); - ok_status(SecItemCopyMatching(query, &result)); - eq_cf(valueData2, result); - CFRelease(result); - is(phase, 2); - - phase = 0; - store_value = true; - CFDictionaryRemoveValue(query, kSecReturnData); - ok_status(SecItemUpdate(query, attrs)); - is(phase, 3); - - phase = 0; - CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue); - ok_status(SecItemCopyMatching(query, &result)); - eq_cf(valueData2, result); - CFRelease(result); - is(phase, 0); - - phase = 0; - 
CFDictionarySetValue(query, kSecAttrService, CFSTR("ctktest-service1")); - CFDictionaryRemoveValue(query, kSecReturnData); - ok_status(SecItemUpdate(query, attrs)); - is(phase, 5); - - phase = 0; - CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll); - CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue); - ok_status(SecItemCopyMatching(query, &result)); - is(phase, 0); - is(CFGetTypeID(result), CFArrayGetTypeID()); - is(CFArrayGetCount(result), 2); - eq_cf(CFArrayGetValueAtIndex(result, 0), valueData2); - eq_cf(CFArrayGetValueAtIndex(result, 1), valueData2); - - CFRelease(query); - CFRelease(attrs); - CFRelease(valueData2); -} -static const int kItemUpdateTestCount = 26; - -static void test_item_delete(void) { - - CFMutableDictionaryRef query; - CFTypeRef result; - - __block int phase = 0; - __block CFErrorRef deleteError = NULL; - TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) { - phase++; - eq_cf(CFDictionaryGetValue(attributes, kSecAttrTokenID), CFSTR("tokenid")); - - blocks->copyObjectAccessControl = _Block_copy(^CFDataRef(CFDataRef oid, CFErrorRef *error) { - phase++; - SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL); - SecAccessControlSetProtection(ac, kSecAttrAccessibleAlways, NULL); - SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL); - CFDataRef acData = SecAccessControlCopyData(ac); - CFRelease(ac); - return acData; - }); - - blocks->deleteObject = _Block_copy(^bool(CFDataRef objectID, CFErrorRef *error) { - phase++; - if (deleteError != NULL) { - CFAssignRetained(*error, deleteError); - deleteError = NULL; - return false; - } - return true; - }); - }); - - query = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecClass, kSecClassGenericPassword, - kSecAttrTokenID, CFSTR("tokenid"), - kSecAttrService, CFSTR("ctktest-service"), - NULL); - - phase = 0; - ok_status(SecItemDelete(query)); - is(phase, 2); - - phase = 0; - is_status(SecItemCopyMatching(query, 
&result), errSecItemNotFound); - is(phase, 0); - - phase = 0; - CFDictionarySetValue(query, kSecAttrService, CFSTR("ctktest-service1")); - ok_status(SecItemCopyMatching(query, &result)); - is(phase, 0); - - phase = 0; -#if LA_CONTEXT_IMPLEMENTED - LASetErrorCodeBlock(^{ return (CFErrorRef)NULL; }); - deleteError = CFErrorCreate(NULL, CFSTR(kTKErrorDomain), kTKErrorCodeAuthenticationFailed, NULL); - ok_status(SecItemDelete(query), "delete multiple token items"); - is(phase, 6, "connect + delete-auth-fail + copyAccess + connect + delete + delete-2nd"); -#else - ok_status(SecItemDelete(query), "delete multiple token items"); - is(phase, 3, "connect + delete + delete"); -#endif - - phase = 0; - is_status(SecItemCopyMatching(query, &result), errSecItemNotFound); - is(phase, 0); - - is_status(SecItemDelete(query), errSecItemNotFound); - - CFRelease(query); - CFReleaseSafe(deleteError); -} -#if LA_CONTEXT_IMPLEMENTED -static const int kItemDeleteTestCount = 15; -#else -static const int kItemDeleteTestCount = 14; -#endif - -static void test_key_generate(void) { - - __block int phase = 0; - TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) { - phase++; - - blocks->createOrUpdateObject = _Block_copy(^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) { - phase++; - is(objectID, NULL); - CFDictionarySetValue(at, kSecClass, kSecClassKey); - SecKeyRef publicKey = NULL, privateKey = NULL; - CFMutableDictionaryRef params = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecAttrKeyType, kSecAttrKeyTypeEC, - kSecAttrKeySizeInBits, CFSTR("256"), - NULL); - ok_status(SecKeyGeneratePair(params, &publicKey, &privateKey)); - CFDictionaryRef privKeyAttrs = SecKeyCopyAttributeDictionary(privateKey); - CFRelease(privateKey); - CFRelease(publicKey); - CFRelease(params); - CFDataRef oid = CFRetainSafe(CFDictionaryGetValue(privKeyAttrs, kSecValueData)); - CFRelease(privKeyAttrs); - return oid; - }); - - blocks->copyObjectAccessControl = 
_Block_copy(^CFDataRef(CFDataRef oid, CFErrorRef *error) { - phase++; - SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL); - SecAccessControlSetProtection(ac, kSecAttrAccessibleAlways, NULL); - SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL); - CFDataRef acData = SecAccessControlCopyData(ac); - CFRelease(ac); - return acData; - }); - - blocks->copyPublicKeyData = _Block_copy(^CFDataRef(CFDataRef objectID, CFErrorRef *error) { - phase++; - SecKeyRef privKey = SecKeyCreateECPrivateKey(NULL, CFDataGetBytePtr(objectID), CFDataGetLength(objectID), kSecKeyEncodingBytes); - CFDataRef publicData; - ok_status(SecKeyCopyPublicBytes(privKey, &publicData)); - CFRelease(privKey); - return publicData; - }); - - blocks->copyObjectData = _Block_copy(^CFTypeRef(CFDataRef oid, CFErrorRef *error) { - phase++; - return kCFNull; - }); - }); - - CFDictionaryRef prk_params = CFDictionaryCreateForCFTypes(NULL, - kSecAttrIsPermanent, kCFBooleanTrue, - NULL); - - CFMutableDictionaryRef params = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecAttrKeyType, kSecAttrKeyTypeEC, - kSecAttrKeySizeInBits, CFSTR("256"), - kSecAttrTokenID, CFSTR("tokenid"), - kSecPrivateKeyAttrs, prk_params, - NULL); - CFRelease(prk_params); - - SecKeyRef publicKey = NULL, privateKey = NULL; - phase = 0; - ok_status(SecKeyGeneratePair(params, &publicKey, &privateKey)); - is(phase, 5); - - CFDictionaryRef query = CFDictionaryCreateForCFTypes(NULL, - kSecValueRef, privateKey, - kSecReturnAttributes, kCFBooleanTrue, - kSecReturnRef, kCFBooleanTrue, - kSecReturnData, kCFBooleanTrue, - NULL); - phase = 0; - CFDictionaryRef result = NULL, keyAttrs = NULL; - ok_status(SecItemCopyMatching(query, (CFTypeRef *)&result)); - is(phase, 3); - is(CFDictionaryGetValue(result, kSecValueData), NULL); - eq_cf(CFDictionaryGetValue(result, kSecAttrTokenID), CFSTR("tokenid")); - keyAttrs = SecKeyCopyAttributeDictionary((SecKeyRef)CFDictionaryGetValue(result, kSecValueRef)); - 
eq_cf(CFDictionaryGetValue(keyAttrs, kSecAttrApplicationLabel), CFDictionaryGetValue(result, kSecAttrApplicationLabel)); - CFAssignRetained(keyAttrs, SecKeyCopyAttributeDictionary(publicKey)); - eq_cf(CFDictionaryGetValue(keyAttrs, kSecAttrApplicationLabel), CFDictionaryGetValue(result, kSecAttrApplicationLabel)); - - CFRelease(result); - CFRelease(keyAttrs); - CFRelease(publicKey); - CFRelease(privateKey); - - CFRelease(query); - CFRelease(params); -} -static const int kKeyGenerateTestCount = 14; - -static void test_key_sign(void) { - - static const UInt8 data[] = { 0x01, 0x02, 0x03, 0x04 }; - CFDataRef valueData = CFDataCreate(NULL, data, sizeof(data)); - - __block int phase = 0; - __block CFErrorRef signError = NULL; - TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) { - phase++; - - blocks->copyPublicKeyData = _Block_copy(^CFDataRef(CFDataRef objectID, CFErrorRef *error) { - phase++; - SecKeyRef privKey = SecKeyCreateECPrivateKey(NULL, CFDataGetBytePtr(objectID), CFDataGetLength(objectID), kSecKeyEncodingBytes); - CFDataRef publicData; - ok_status(SecKeyCopyPublicBytes(privKey, &publicData)); - CFRelease(privKey); - return publicData; - }); - - blocks->copyObjectAccessControl = _Block_copy(^CFDataRef(CFDataRef oid, CFErrorRef *error) { - phase++; - SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL); - SecAccessControlSetProtection(ac, kSecAttrAccessibleAlways, NULL); - SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL); - CFDataRef acData = SecAccessControlCopyData(ac); - CFRelease(ac); - return acData; - }); - - blocks->copySignature = _Block_copy(^CFDataRef(CFDataRef objectID, CFIndex padding, CFDataRef plainText, CFErrorRef *error) { - phase++; - if (signError != NULL) { - CFAssignRetained(*error, signError); - signError = NULL; - return NULL; - } - return CFRetainSafe(valueData); - }); - }); - - CFDictionaryRef query = CFDictionaryCreateForCFTypes(NULL, - kSecClass, kSecClassKey, - 
kSecReturnRef, kCFBooleanTrue, - NULL); - phase = 0; - SecKeyRef privateKey = NULL; - ok_status(SecItemCopyMatching(query, (CFTypeRef *)&privateKey)); - is(phase, 1); - - phase = 0; - CFMutableDataRef sig = CFDataCreateMutable(NULL, 0); - CFDataSetLength(sig, 256); - size_t sigLen = CFDataGetLength(sig); - ok_status(SecKeyRawSign(privateKey, kSecPaddingNone, data, sizeof(data), CFDataGetMutableBytePtr(sig), &sigLen)); - is(phase, 1); - CFDataSetLength(sig, sigLen); - is(CFDataGetLength(sig), CFDataGetLength(valueData)); - eq_cf(valueData, sig); - -#if LA_CONTEXT_IMPLEMENTED - phase = 0; - CFDataSetLength(sig, 256); - sigLen = CFDataGetLength(sig); - LASetErrorCodeBlock(^ { return (CFErrorRef)NULL; }); - signError = CFErrorCreate(NULL, CFSTR(kTKErrorDomain), kTKErrorCodeAuthenticationFailed, NULL); - ok_status(SecKeyRawSign(privateKey, kSecPaddingNone, data, sizeof(data), CFDataGetMutableBytePtr(sig), &sigLen)); - is(phase, 4); - is(signError, NULL); - CFDataSetLength(sig, sigLen); - is(CFDataGetLength(sig), CFDataGetLength(valueData)); - eq_cf(valueData, sig); -#endif - - CFReleaseSafe(signError); - CFRelease(sig); - CFRelease(privateKey); - CFRelease(query); -} -#if LA_CONTEXT_IMPLEMENTED -static const int kKeySignTestCount = 11; -#else -static const int kKeySignTestCount = 6; -#endif - -static void test_key_generate_with_params(void) { - - const UInt8 data[] = "foo"; - CFDataRef cred_ref = CFDataCreate(NULL, data, 4); - __block int phase = 0; - TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) { - phase++; - eq_cf(CFDictionaryGetValue(attributes, kSecUseOperationPrompt), CFSTR("prompt")); - is(CFDictionaryGetValue(attributes, kSecUseAuthenticationUI), NULL); - eq_cf(CFDictionaryGetValue(attributes, kSecUseCredentialReference), cred_ref); - - blocks->createOrUpdateObject = _Block_copy(^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) { - phase++; - SecCFCreateError(-4 /* kTKErrorCodeCanceledByUser */, 
CFSTR(kTKErrorDomain), CFSTR(""), NULL, error); - return NULL; - }); - }); - - CFDictionaryRef prk_params = CFDictionaryCreateForCFTypes(NULL, - kSecAttrIsPermanent, kCFBooleanTrue, - NULL); - - CFMutableDictionaryRef params = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecAttrKeyType, kSecAttrKeyTypeEC, - kSecAttrKeySizeInBits, CFSTR("256"), - kSecAttrTokenID, CFSTR("tokenid"), - kSecPrivateKeyAttrs, prk_params, - kSecUseOperationPrompt, CFSTR("prompt"), - kSecUseAuthenticationUI, kSecUseAuthenticationUIAllow, - kSecUseCredentialReference, cred_ref, - NULL); - CFRelease(prk_params); - - SecKeyRef publicKey = NULL, privateKey = NULL; - phase = 0; - diag("This will produce an internal assert - on purpose"); - is_status(SecKeyGeneratePair(params, &publicKey, &privateKey), errSecUserCanceled); - is(phase, 2); - - CFReleaseSafe(publicKey); - CFReleaseSafe(privateKey); - CFRelease(params); - CFRelease(cred_ref); -} -static const int kKeyGenerateWithParamsTestCount = 5; - -static void test_error_codes(void) { - - CFMutableDictionaryRef attrs = CFDictionaryCreateMutableForCFTypesWith(NULL, - kSecClass, kSecClassGenericPassword, - kSecAttrTokenID, CFSTR("tokenid"), - NULL); - // Setup token hook. 
- __block OSStatus ctk_error = 0; - TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) { - blocks->createOrUpdateObject = _Block_copy(^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) { - SecCFCreateError(ctk_error, CFSTR(kTKErrorDomain), CFSTR(""), NULL, error); - return NULL; - }); - }); - - ctk_error = kTKErrorCodeBadParameter; - is_status(SecItemAdd(attrs, NULL), errSecParam); - - ctk_error = -1 /* kTKErrorCodeNotImplemented */; - is_status(SecItemAdd(attrs, NULL), errSecUnimplemented); - - ctk_error = -4 /* kTKErrorCodeCanceledByUser */; - is_status(SecItemAdd(attrs, NULL), errSecUserCanceled); - - CFRelease(attrs); -} -static const int kErrorCodesCount = 3; - -static void tests(void) { - /* custom keychain dir */ - secd_test_setup_temp_keychain("secd_33_keychain_ctk", NULL); - - test_item_add(); - test_item_query(); - test_item_update(); - test_item_delete(); - test_key_generate(); - test_key_sign(); - test_key_generate_with_params(); - test_error_codes(); -} - -int secd_33_keychain_ctk(int argc, char *const *argv) { - plan_tests(kItemAddTestCount + - kItemQueryTestCount + - kItemUpdateTestCount + - kItemDeleteTestCount + - kKeyGenerateTestCount + - kKeySignTestCount + - kKeyGenerateWithParamsTestCount + - kErrorCodesCount + - kSecdTestSetupTestCount); - tests(); - - return 0; -} diff --git a/OSX/sec/securityd/Regressions/secd-33-keychain-ctk.m b/OSX/sec/securityd/Regressions/secd-33-keychain-ctk.m new file mode 100644 index 00000000..31540cad --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-33-keychain-ctk.m 
@@ -0,0 +1,1045 @@
+/*
+ * Copyright (c) 2015 Apple Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * This is to fool os services to not provide the Keychain manager
+ * interface tht doens't work since we don't have unified headers
+ * between iOS and OS X. 
rdar://23405418/ + */ +#define __KEYCHAINCORE__ 1 +#import <Foundation/Foundation.h> + +#include <CoreFoundation/CoreFoundation.h> +#include <Security/SecFramework.h> +#include <Security/SecBase.h> +#include <Security/SecItem.h> +#include <Security/SecItemPriv.h> +#include <Security/SecKey.h> +#include <Security/SecKeyPriv.h> +#include <Security/SecECKey.h> +#include <Security/SecAccessControl.h> +#include <Security/SecAccessControlPriv.h> +#include <Security/SecInternal.h> +#include <Security/SecCertificatePriv.h> +#include <utilities/SecFileLocations.h> +#include <utilities/SecCFWrappers.h> +#include <utilities/SecCFError.h> +#include <SecBase64.h> + +#include <libaks_acl_cf_keys.h> + +#include <ctkclient_test.h> +#include <coreauthd_spi.h> + +#include "secd_regressions.h" + +#include "SecdTestKeychainUtilities.h" +#include "SecKeybagSupport.h" + +const char *cert1 = "MIIFQzCCBCugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJVUzENMAsGA1UEChMETklTVDEUMBIGA1UEAxMLUElWIFRlc3QgQ0EwHhcNMTUwOTE2MDAwMDAwWhcNMTYwOTE2MjM1OTU5WjBlMQswCQYDVQQGEwJVUzEbMBkGA1UEChMST2JlcnR1clRlY2hub2xvZ2llMRowGAYDVQQLExFJZGVudGl0eSBEaXZpc2lvbjEdMBsGA1UEAxMUSUQtT25lIFBJViBUZXN0IENhcmQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN8DrET5AAQ4dVIP+RD3XATFaBYpG9b2H0tV82gVGOv/t5cxOszAMxzsw7xlY/tMRrx5yz7IUUvueylHl98e7yMefP69vwqwSc4DWSELSqHOLMHd/uPLYLINIFqEW8Nq4Q02V2IxqBbiwtZeeSOqY3gQ2kiCd4cF8Itlr3UePJrlAgMBAAGjggKzMIICrzAfBgNVHSMEGDAWgBTr2hnSCEKN9N4lh2nJu6sM05YwATApBgNVHQ4EIgQg5YNVxRTOC13qs9cVUuvDIp6AH+jitdjhWJfai2bfP3QwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCGCGSAFlAwYIMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEDETCBtAYDVR0fBIGsMIGpMIGmoIGjoIGghkRodHRwOi8vZmljdGl0aW91cy5uaXN0Lmdvdi9maWN0aXRpb3VzQ1JMZGlyZWN0b3J5L2ZpY3RpdGlvdXNDUkwxLmNybIZYbGRhcDovL3NtaW1lMi5uaXN0Lmdvdi9jbj1Hb29kJTIwQ0Esbz1UZXN0JTIwQ2VydGlmaWNhdGVzLGM9VVM/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDCCASEGCCsGAQUFBwEBBIIBEzCCAQ8wPgYIKwYBBQUHMAGGMmh0dHA6Ly9maWN0aXRpb3VzLm5pc3QuZ292L2ZpY3RpdGlvdXNPQ1NQTG9jYXRpb24vMF4GCCsGAQUFBzAChlJodHRwOi8vZmljdGl0aW91cy5uaXN0Lmdvd
i9maWN0aXRpb3VzQ2VydHNPbmx5Q01TZGlyZWN0b3J5L2NlcnRzSXNzdWVkVG9Hb29kQ0EucDdjMG0GCCsGAQUFBzAChmFsZGFwOi8vc21pbWUyLm5pc3QuZ292L2NuPUdvb2QlMjBDQSxvPVRlc3QlMjBDZXJ0aWZpY2F0ZXMsYz1VUz9jQUNlcnRpZmljYXRlLGNyb3NzQ2VydGlmaWNhdGVQYWlyMDIGA1UdEQQrMCmgJwYIYIZIAWUDBgagGwQZ1Oc52nOc7TnOc52haFoIySreCmGE5znD4jAQBglghkgBZQMGCQEEAwEBADANBgkqhkiG9w0BAQsFAAOCAQEAVVGMeep+1wpVFdXFIXUTkxy9RjdOO3SmMGVomfVXofVOBfVzooaI+RV5UCURnoqoHYziBidxc9YKW6n9mX6p27KfrC1roHg6wu5xVEHJ93hju35g3WAXTnqNFiQpB+GU7UvJJEhkcTU2rChuYNS5SeFZ0pv1Gyzw7WjLfh9rdAPBfRg4gxpho9SMCUnI+p5KbEiptmimtPfsVq6htT3P+m2V4UXIT6sr7T6IpnPteMppsH43NKXNM6iPCkRCUPQ0d+lpfXAYGSFIzx2WesjSmrs/CHXfwmhnbrJNPCx9zlcCMmmfGcZGyufF+10wF9gv9qx+PUwi2xMKhwuKR1LoCg=="; +const char *cert2 = +"MIIFCTCCA/GgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJVUzENMAsGA1UEChMETklTVDEUMBIGA1UEAxMLUElWIFRlc3QgQ0EwHhcNMTUwOTE2MDAwMDAwWhcNMTYwOTE2MjM1OTU5WjBlMQswCQYDVQQGEwJVUzEbMBkGA1UEChMST2JlcnR1clRlY2hub2xvZ2llMRowGAYDVQQLExFJZGVudGl0eSBEaXZpc2lvbjEdMBsGA1UEAxMUSUQtT25lIFBJViBUZXN0IENhcmQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKij0LIQlW0VKahBGF4tu/xdwGWN+KTLLGyMQmuuG+NNG+vQMSsdXD1pd00YMBiGn3sC5b+G7lQLZ85mDQfO+eI8GDjG+Sh8W8Cghku20sxZnQ+kZOLOr//R2/ZXonVaxoBR/9tBPh0MIEIVzRS8JmltZVfhkbIR6Wiox3jVEAsPAgMBAAGjggJ5MIICdTAfBgNVHSMEGDAWgBTr2hnSCEKN9N4lh2nJu6sM05YwATApBgNVHQ4EIgQga85kaqoMEaV+E04P1gZ2OUlbCbvr623fC30WhBZn3bMwDgYDVR0PAQH/BAQDAgbAMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEDDTCBtAYDVR0fBIGsMIGpMIGmoIGjoIGghkRodHRwOi8vZmljdGl0aW91cy5uaXN0Lmdvdi9maWN0aXRpb3VzQ1JMZGlyZWN0b3J5L2ZpY3RpdGlvdXNDUkwxLmNybIZYbGRhcDovL3NtaW1lMi5uaXN0Lmdvdi9jbj1Hb29kJTIwQ0Esbz1UZXN0JTIwQ2VydGlmaWNhdGVzLGM9VVM/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDCCASEGCCsGAQUFBwEBBIIBEzCCAQ8wPgYIKwYBBQUHMAGGMmh0dHA6Ly9maWN0aXRpb3VzLm5pc3QuZ292L2ZpY3RpdGlvdXNPQ1NQTG9jYXRpb24vMF4GCCsGAQUFBzAChlJodHRwOi8vZmljdGl0aW91cy5uaXN0Lmdvdi9maWN0aXRpb3VzQ2VydHNPbmx5Q01TZGlyZWN0b3J5L2NlcnRzSXNzdWVkVG9Hb29kQ0EucDdjMG0GCCsGAQUFBzAChmFsZGFwOi8vc21pbWUyLm5pc3QuZ292L2NuPUdvb2QlMjBDQSxvPVRlc3QlMjBDZXJ0aWZpY2F0ZXMsYz1VUz9jQUNlcnRpZmljYXRlLGNyb3N
zQ2VydGlmaWNhdGVQYWlyMCIGA1UdEQQbMBmBF2NvbW1vbl9uYW1lQHBpdmRlbW8ub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQANg1tGsgO32fVXDyRPHFeqDa0QmQ4itHrh6BAK6n94QL8383wuPDFkPy1TfVYVdYm0Gne6hyH/Z13ycw1XXNddooT7+OiYK5F1TEhfQNiRhzTqblB/yc2lv6Ho0EsOrwPhaBRaO3EFUyjeNMxsvG8Dr9Y5u2B38ESB4OsLKHq0eD/WZjEAlyGx16Qi7YlLiHGfLMorgkg9Mbp73guNO1PItDTAnqHUUOlQ01ThNug0sR5ua1zlNFx6AIPoX4yAPrtlEMZtbsevsXlgDpO1zc26p5icBmQHYT7uzdTEEN4tmcxXg6Z/dGB63GCluf+Pc+ovRt/MMt2EbcIuwJ9C516H"; +const char *cert3 = +"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"; + +extern void LASetErrorCodeBlock(CFErrorRef (^newCreateErrorBlock)(void)); + +static void test_item_add(void) { + + static const UInt8 data[] = { 0x01, 0x02, 0x03, 0x04 }; + CFDataRef valueData = CFDataCreate(NULL, data, sizeof(data)); + static const UInt8 oid[] = { 0x05, 0x06, 0x07, 0x08 }; + CFDataRef oidData = CFDataCreate(NULL, oid, sizeof(oid)); + + CFMutableDictionaryRef attrs = CFDictionaryCreateMutableForCFTypesWith(NULL, + kSecClass, kSecClassGenericPassword, + kSecAttrTokenID, CFSTR("tokenid"), + kSecAttrService, CFSTR("ctktest-service"), + kSecValueData, valueData, + kSecReturnAttributes, kCFBooleanTrue, + NULL); + // Setup token hook. 
+ __block int phase = 0;
+ TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) {
+ phase++;
+ eq_cf(CFDictionaryGetValue(attributes, kSecAttrTokenID), CFSTR("tokenid"));
+
+ blocks->createOrUpdateObject = ^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) {
+ phase++;
+ is(objectID, NULL);
+ eq_cf(CFDictionaryGetValue(at, kSecClass), kSecClassGenericPassword);
+ eq_cf(CFDictionaryGetValue(at, kSecAttrService), CFDictionaryGetValue(attrs, kSecAttrService));
+ eq_cf(CFDictionaryGetValue(at, kSecAttrTokenID), CFSTR("tokenid"));
+ eq_cf(CFDictionaryGetValue(at, kSecValueData), valueData);
+ CFDictionaryRemoveValue(at, kSecValueData);
+ return CFRetainSafe(oidData);
+ };
+
+ blocks->copyObjectAccessControl = ^CFDataRef(CFDataRef oid, CFErrorRef *error) {
+ phase++;
+ SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL);
+ SecAccessControlSetProtection(ac, kSecAttrAccessibleAlwaysPrivate, NULL);
+ SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL);
+ CFDataRef acData = SecAccessControlCopyData(ac);
+ CFRelease(ac);
+ return acData;
+ };
+
+ blocks->copyObjectData = ^CFTypeRef(CFDataRef oid, CFErrorRef *error) {
+ phase++;
+ return CFRetain(valueData);
+ };
+ });
+
+ CFTypeRef result = NULL;
+ ok_status(SecItemAdd(attrs, &result));
+ eq_cf(CFDictionaryGetValue(result, kSecAttrService), CFSTR("ctktest-service"));
+ eq_cf(CFDictionaryGetValue(result, kSecAttrTokenID), CFSTR("tokenid"));
+ is(CFDictionaryGetValue(result, kSecValueData), NULL);
+ CFReleaseNull(result);
+
+ is(phase, 3);
+
+ phase = 0;
+ CFDictionarySetValue(attrs, kSecReturnData, kCFBooleanTrue);
+ CFDictionarySetValue(attrs, kSecAttrService, CFSTR("ctktest-service1"));
+ ok_status(SecItemAdd(attrs, &result));
+ eq_cf(CFDictionaryGetValue(result, kSecAttrService), CFSTR("ctktest-service1"));
+ eq_cf(CFDictionaryGetValue(result, kSecAttrTokenID), CFSTR("tokenid"));
+ eq_cf(CFDictionaryGetValue(result, kSecValueData), valueData);
+ CFReleaseNull(result);
+
+ is(phase, 4);
+
+ phase = 0;
+ CFDictionaryRemoveValue(attrs, kSecReturnAttributes);
+ CFDictionarySetValue(attrs, kSecAttrAccount, CFSTR("2nd"));
+ ok_status(SecItemAdd(attrs, &result));
+ eq_cf(result, valueData);
+ CFReleaseNull(result);
+ is(phase, 4);
+
+ CFRelease(attrs);
+ CFRelease(valueData);
+ CFRelease(oidData);
+}
+static const int kItemAddTestCount = 31;
+
+static void test_item_query() {
+ static const UInt8 oid[] = { 0x05, 0x06, 0x07, 0x08 };
+ CFDataRef oidData = CFDataCreate(NULL, oid, sizeof(oid));
+ static const UInt8 data[] = { 0x01, 0x02, 0x03, 0x04 };
+ CFDataRef valueData = CFDataCreate(NULL, data, sizeof(data));
+ CFDataRef valueData2 = CFDataCreate(NULL, data, sizeof(data) - 1);
+
+ __block int phase = 0;
+ TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) {
+ phase++;
+ eq_cf(CFDictionaryGetValue(attributes, kSecAttrTokenID), CFSTR("tokenid"));
+
+ blocks->copyObjectData = ^CFTypeRef(CFDataRef oid, CFErrorRef *error) {
+ phase++;
+ return CFRetain(valueData);
+ };
+ });
+
+ // Add non-token item with the same service, to test queries returning mixed results.
+ CFMutableDictionaryRef attrs = CFDictionaryCreateMutableForCFTypesWith(NULL,
+ kSecClass, kSecClassGenericPassword,
+ kSecAttrService, CFSTR("ctktest-service"),
+ kSecValueData, valueData2,
+ NULL);
+ ok_status(SecItemAdd(attrs, NULL));
+ CFRelease(attrs);
+
+ // Query with service.
+ CFMutableDictionaryRef query;
+ query = CFDictionaryCreateMutableForCFTypesWith(NULL,
+ kSecClass, kSecClassGenericPassword,
+ kSecAttrService, CFSTR("ctktest-service"),
+ kSecReturnAttributes, kCFBooleanTrue,
+ kSecReturnData, kCFBooleanTrue,
+ NULL);
+
+ phase = 0;
+ CFTypeRef result = NULL;
+ ok_status(SecItemCopyMatching(query, &result));
+ is(phase, 2);
+ is(CFGetTypeID(result), CFDictionaryGetTypeID());
+ eq_cf(CFDictionaryGetValue(result, kSecValueData), valueData);
+ is(CFGetTypeID(CFDictionaryGetValue(result, kSecAttrAccessControl)), SecAccessControlGetTypeID());
+ eq_cf(CFDictionaryGetValue(result, kSecAttrService), CFSTR("ctktest-service"));
+ CFReleaseSafe(result);
+
+ phase = 0;
+ CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll);
+ ok_status(SecItemCopyMatching(query, &result));
+ is(phase, 2);
+ is(CFGetTypeID(result), CFArrayGetTypeID());
+ is(CFArrayGetCount(result), 2);
+ CFReleaseSafe(result);
+
+ phase = 0;
+ CFDictionaryRemoveValue(query, kSecMatchLimit);
+ CFDictionaryRemoveValue(query, kSecReturnData);
+ ok_status(SecItemCopyMatching(query, &result));
+ is(phase, 0);
+ is(CFGetTypeID(result), CFDictionaryGetTypeID());
+ is(CFDictionaryGetValue(result, kSecValueData), NULL);
+ CFReleaseSafe(result);
+
+ phase = 0;
+ CFDictionaryRemoveValue(query, kSecReturnAttributes);
+ CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue);
+ CFDictionarySetValue(query, kSecAttrTokenID, CFSTR("tokenid"));
+ ok_status(SecItemCopyMatching(query, &result));
+ is(phase, 2);
+ eq_cf(result, valueData);
+ CFReleaseSafe(result);
+
+ CFRelease(query);
+ CFRelease(valueData);
+ CFRelease(valueData2);
+ CFRelease(oidData);
+}
+static const int kItemQueryTestCount = 21;
+
+static void test_item_update() {
+ static const UInt8 data[] = { 0x01, 0x02, 0x03, 0x04 };
+ CFDataRef valueData2 = CFDataCreate(NULL, data, sizeof(data) - 1);
+ CFTypeRef result = NULL;
+
+ CFMutableDictionaryRef query, attrs;
+
+ // Setup token hook.
+ __block int phase = 0;
+ __block bool store_value = false;
+ TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) {
+ phase++;
+ eq_cf(CFDictionaryGetValue(attributes, kSecAttrTokenID), CFSTR("tokenid"));
+
+ blocks->createOrUpdateObject = ^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) {
+ phase++;
+ eq_cf(CFDictionaryGetValue(at, kSecValueData), valueData2);
+ if (!store_value) {
+ CFDictionaryRemoveValue(at, kSecValueData);
+ }
+ return CFRetainSafe(objectID);
+ };
+
+ blocks->copyObjectAccessControl = ^CFDataRef(CFDataRef oid, CFErrorRef *error) {
+ phase++;
+ SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL);
+ SecAccessControlSetProtection(ac, kSecAttrAccessibleAlwaysPrivate, NULL);
+ SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL);
+ CFDataRef acData = SecAccessControlCopyData(ac);
+ CFRelease(ac);
+ return acData;
+ };
+
+ blocks->copyObjectData = ^CFTypeRef(CFDataRef oid, CFErrorRef *error) {
+ phase++;
+ return CFRetain(valueData2);
+ };
+ });
+
+ query = CFDictionaryCreateMutableForCFTypesWith(NULL,
+ kSecClass, kSecClassGenericPassword,
+ kSecAttrTokenID, CFSTR("tokenid"),
+ kSecAttrService, CFSTR("ctktest-service"),
+ NULL);
+
+ attrs = CFDictionaryCreateMutableForCFTypesWith(NULL,
+ kSecValueData, valueData2,
+ NULL);
+
+ ok_status(SecItemUpdate(query, attrs));
+ is(phase, 3);
+
+ phase = 0;
+ CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue);
+ ok_status(SecItemCopyMatching(query, &result));
+ eq_cf(valueData2, result);
+ CFRelease(result);
+ is(phase, 2);
+
+ phase = 0;
+ store_value = true;
+ CFDictionaryRemoveValue(query, kSecReturnData);
+ ok_status(SecItemUpdate(query, attrs));
+ is(phase, 3);
+
+ phase = 0;
+ CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue);
+ ok_status(SecItemCopyMatching(query, &result));
+ eq_cf(valueData2, result);
+ CFRelease(result);
+ is(phase, 0);
+
+ phase = 0;
+ CFDictionarySetValue(query, kSecAttrService, CFSTR("ctktest-service1"));
+ CFDictionaryRemoveValue(query, kSecReturnData);
+ ok_status(SecItemUpdate(query, attrs));
+ is(phase, 5);
+
+ phase = 0;
+ CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll);
+ CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue);
+ ok_status(SecItemCopyMatching(query, &result));
+ is(phase, 0);
+ is(CFGetTypeID(result), CFArrayGetTypeID());
+ is(CFArrayGetCount(result), 2);
+ eq_cf(CFArrayGetValueAtIndex(result, 0), valueData2);
+ eq_cf(CFArrayGetValueAtIndex(result, 1), valueData2);
+
+ CFRelease(query);
+ CFRelease(attrs);
+ CFRelease(valueData2);
+}
+static const int kItemUpdateTestCount = 26;
+
+static void test_item_delete(void) {
+
+ CFMutableDictionaryRef query;
+ CFTypeRef result;
+
+ __block int phase = 0;
+ __block CFErrorRef deleteError = NULL;
+ TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) {
+ phase++;
+ eq_cf(CFDictionaryGetValue(attributes, kSecAttrTokenID), CFSTR("tokenid"));
+
+ blocks->copyObjectAccessControl = ^CFDataRef(CFDataRef oid, CFErrorRef *error) {
+ phase++;
+ SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL);
+ SecAccessControlSetProtection(ac, kSecAttrAccessibleAlwaysPrivate, NULL);
+ SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL);
+ CFDataRef acData = SecAccessControlCopyData(ac);
+ CFRelease(ac);
+ return acData;
+ };
+
+ blocks->deleteObject = ^bool(CFDataRef objectID, CFErrorRef *error) {
+ phase++;
+ if (deleteError != NULL) {
+ CFAssignRetained(*error, deleteError);
+ deleteError = NULL;
+ return false;
+ }
+ return true;
+ };
+ });
+
+ query = CFDictionaryCreateMutableForCFTypesWith(NULL,
+ kSecClass, kSecClassGenericPassword,
+ kSecAttrTokenID, CFSTR("tokenid"),
+ kSecAttrService, CFSTR("ctktest-service"),
+ NULL);
+
+ phase = 0;
+ ok_status(SecItemDelete(query));
+ is(phase, 2);
+
+ phase = 0;
+ is_status(SecItemCopyMatching(query, &result), errSecItemNotFound);
+ is(phase, 0);
+
+ phase = 0;
+ CFDictionarySetValue(query, kSecAttrService, CFSTR("ctktest-service1"));
+ ok_status(SecItemCopyMatching(query, &result));
+ is(phase, 0);
+
+ phase = 0;
+#if LA_CONTEXT_IMPLEMENTED
+ LASetErrorCodeBlock(^{ return (CFErrorRef)NULL; });
+ deleteError = CFErrorCreate(NULL, CFSTR(kTKErrorDomain), kTKErrorCodeAuthenticationFailed, NULL);
+ ok_status(SecItemDelete(query), "delete multiple token items");
+ is(phase, 6, "connect + delete-auth-fail + copyAccess + connect + delete + delete-2nd");
+#else
+ ok_status(SecItemDelete(query), "delete multiple token items");
+ is(phase, 3, "connect + delete + delete");
+#endif
+
+ phase = 0;
+ is_status(SecItemCopyMatching(query, &result), errSecItemNotFound);
+ is(phase, 0);
+
+ is_status(SecItemDelete(query), errSecItemNotFound);
+
+ CFRelease(query);
+ CFReleaseSafe(deleteError);
+}
+#if LA_CONTEXT_IMPLEMENTED
+static const int kItemDeleteTestCount = 15;
+#else
+static const int kItemDeleteTestCount = 14;
+#endif
+
+static void test_key_generate(void) {
+
+ __block int phase = 0;
+ TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) {
+ phase++;
+
+ blocks->createOrUpdateObject = ^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) {
+ phase++;
+ is(objectID, NULL);
+ CFDictionarySetValue(at, kSecClass, kSecClassKey);
+ SecKeyRef publicKey = NULL, privateKey = NULL;
+ CFMutableDictionaryRef params = CFDictionaryCreateMutableForCFTypesWith(NULL,
+ kSecAttrKeyType, kSecAttrKeyTypeEC,
+ kSecAttrKeySizeInBits, CFSTR("256"),
+ NULL);
+ ok_status(SecKeyGeneratePair(params, &publicKey, &privateKey));
+ CFDictionaryRef privKeyAttrs = SecKeyCopyAttributeDictionary(privateKey);
+ CFRelease(privateKey);
+ CFRelease(publicKey);
+ CFRelease(params);
+ CFDataRef oid = CFRetainSafe(CFDictionaryGetValue(privKeyAttrs, kSecValueData));
+ CFRelease(privKeyAttrs);
+ return oid;
+ };
+
+ blocks->copyObjectAccessControl = ^CFDataRef(CFDataRef oid, CFErrorRef *error) {
+ phase++;
+ SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL);
+ SecAccessControlSetProtection(ac, kSecAttrAccessibleAlwaysPrivate, NULL);
+ SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL);
+ CFDataRef acData = SecAccessControlCopyData(ac);
+ CFRelease(ac);
+ return acData;
+ };
+
+ blocks->copyPublicKeyData = ^CFDataRef(CFDataRef objectID, CFErrorRef *error) {
+ phase++;
+ SecKeyRef privKey = SecKeyCreateECPrivateKey(NULL, CFDataGetBytePtr(objectID), CFDataGetLength(objectID), kSecKeyEncodingBytes);
+ CFDataRef publicData;
+ ok_status(SecKeyCopyPublicBytes(privKey, &publicData));
+ CFRelease(privKey);
+ return publicData;
+ };
+
+ blocks->copyObjectData = ^CFTypeRef(CFDataRef oid, CFErrorRef *error) {
+ phase++;
+ return kCFNull;
+ };
+ });
+
+ CFDictionaryRef prk_params = CFDictionaryCreateForCFTypes(NULL,
+ kSecAttrIsPermanent, kCFBooleanTrue,
+ NULL);
+
+ CFMutableDictionaryRef params = CFDictionaryCreateMutableForCFTypesWith(NULL,
+ kSecAttrKeyType, kSecAttrKeyTypeEC,
+ kSecAttrKeySizeInBits, CFSTR("256"),
+ kSecAttrTokenID, CFSTR("tokenid"),
+ kSecPrivateKeyAttrs, prk_params,
+ NULL);
+ CFRelease(prk_params);
+
+ SecKeyRef publicKey = NULL, privateKey = NULL;
+ phase = 0;
+ ok_status(SecKeyGeneratePair(params, &publicKey, &privateKey));
+ is(phase, 6);
+
+ CFDictionaryRef query = CFDictionaryCreateForCFTypes(NULL,
+ kSecValueRef, privateKey,
+ kSecReturnAttributes, kCFBooleanTrue,
+ kSecReturnRef, kCFBooleanTrue,
+ kSecReturnData, kCFBooleanTrue,
+ NULL);
+ phase = 0;
+ CFDictionaryRef result = NULL, keyAttrs = NULL;
+ ok_status(SecItemCopyMatching(query, (CFTypeRef *)&result));
+ is(phase, 3);
+ is(CFDictionaryGetValue(result, kSecValueData), NULL);
+ eq_cf(CFDictionaryGetValue(result, kSecAttrTokenID), CFSTR("tokenid"));
+ keyAttrs = SecKeyCopyAttributeDictionary((SecKeyRef)CFDictionaryGetValue(result, kSecValueRef));
+ eq_cf(CFDictionaryGetValue(keyAttrs, kSecAttrApplicationLabel), CFDictionaryGetValue(result, kSecAttrApplicationLabel));
+ CFAssignRetained(keyAttrs, SecKeyCopyAttributeDictionary(publicKey));
+ eq_cf(CFDictionaryGetValue(keyAttrs, kSecAttrApplicationLabel), CFDictionaryGetValue(result, kSecAttrApplicationLabel));
+
+ CFRelease(result);
+ CFRelease(keyAttrs);
+ CFRelease(publicKey);
+ CFRelease(privateKey);
+
+ CFRelease(query);
+ CFRelease(params);
+}
+static const int kKeyGenerateTestCount = 14;
+
+static void test_key_sign(void) {
+
+#if TKTOKEN_CLIENT_INTERFACE_VERSION >= 1
+
+ static const UInt8 data[] = { 0x01, 0x02, 0x03, 0x04 };
+ CFDataRef valueData = CFDataCreate(NULL, data, sizeof(data));
+
+ __block int phase = 0;
+ __block CFErrorRef cryptoError = NULL;
+ __block SecKeyOperationType cryptoOperation = -1;
+ __block SecKeyAlgorithm cryptoAlgorithm = NULL;
+ TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) {
+ phase++;
+
+ blocks->copyPublicKeyData = ^CFDataRef(CFDataRef objectID, CFErrorRef *error) {
+ phase++;
+ SecKeyRef privKey = SecKeyCreateECPrivateKey(NULL, CFDataGetBytePtr(objectID), CFDataGetLength(objectID), kSecKeyEncodingBytes);
+ CFDataRef publicData;
+ ok_status(SecKeyCopyPublicBytes(privKey, &publicData));
+ CFRelease(privKey);
+ return publicData;
+ };
+
+ blocks->copyObjectAccessControl = ^CFDataRef(CFDataRef oid, CFErrorRef *error) {
+ phase++;
+ SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL);
+ SecAccessControlSetProtection(ac, kSecAttrAccessibleAlwaysPrivate, NULL);
+ SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL);
+ CFDataRef acData = SecAccessControlCopyData(ac);
+ CFRelease(ac);
+ return acData;
+ };
+
+ blocks->copyObjectOperationAlgorithms = ^CFSetRef(CFDataRef oid, CFIndex operation, CFErrorRef *error) {
+ static NSSet *ops[] = {
+ [kSecKeyOperationTypeSign] = NULL,
+ [kSecKeyOperationTypeDecrypt] = NULL,
+ [kSecKeyOperationTypeKeyExchange] = NULL,
+ };
+
+ static dispatch_once_t onceToken;
+ dispatch_once(&onceToken, ^{
+ ops[kSecKeyOperationTypeSign] = [NSSet setWithArray:@[(id)kSecKeyAlgorithmECDSASignatureDigestX962]];
+ ops[kSecKeyOperationTypeDecrypt] = [NSSet setWithArray:@[(id)kSecKeyAlgorithmRSAEncryptionRaw]];
+ ops[kSecKeyOperationTypeKeyExchange] = [NSSet setWithArray:@[(id)kSecKeyAlgorithmECDHKeyExchangeCofactor]];
+ });
+
+ return CFBridgingRetain(ops[operation]);
+ };
+
+ blocks->copyOperationResult = ^CFTypeRef(CFDataRef objectID, CFIndex operation, CFArrayRef algorithms, CFIndex secKeyOperationMode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
+ SecKeyAlgorithm algorithm = CFArrayGetValueAtIndex(algorithms, CFArrayGetCount(algorithms) - 1);
+ phase++;
+ cryptoOperation = operation;
+ cryptoAlgorithm = algorithm;
+ if (cryptoError != NULL) {
+ CFAssignRetained(*error, cryptoError);
+ cryptoError = NULL;
+ return NULL;
+ }
+ return CFRetainSafe(valueData);
+ };
+
+ blocks->copyObjectData = ^CFTypeRef(CFDataRef objectID, CFErrorRef *error) {
+ phase++;
+ return kCFNull;
+ };
+ });
+
+ NSDictionary *query = @{ (id)kSecClass: (id)kSecClassKey, (id)kSecReturnRef: @YES };
+
+ phase = 0;
+ SecKeyRef privateKey = NULL;
+ ok_status(SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&privateKey));
+ is(phase, 2);
+
+ phase = 0;
+ CFMutableDataRef sig = CFDataCreateMutable(NULL, 0);
+ CFDataSetLength(sig, 256);
+ size_t sigLen = CFDataGetLength(sig);
+ ok_status(SecKeyRawSign(privateKey, kSecPaddingPKCS1, data, sizeof(data), CFDataGetMutableBytePtr(sig), &sigLen));
+ is(phase, 1);
+ is(cryptoAlgorithm, kSecKeyAlgorithmECDSASignatureDigestX962);
+ is(cryptoOperation, kSecKeyOperationTypeSign);
+ CFDataSetLength(sig, sigLen);
+ is(CFDataGetLength(sig), CFDataGetLength(valueData));
+ eq_cf(valueData, sig);
+
+#if LA_CONTEXT_IMPLEMENTED
+ phase = 0;
+ CFDataSetLength(sig, 256);
+ sigLen = CFDataGetLength(sig);
+ LASetErrorCodeBlock(^{ return (CFErrorRef)NULL; });
+ cryptoError = CFErrorCreate(NULL, CFSTR(kTKErrorDomain), kTKErrorCodeAuthenticationFailed, NULL);
+ ok_status(SecKeyRawSign(privateKey, kSecPaddingPKCS1, data, sizeof(data), CFDataGetMutableBytePtr(sig), &sigLen));
+ is(phase, 4);
+ is(cryptoError, NULL);
+ CFDataSetLength(sig, sigLen);
+ is(CFDataGetLength(sig), CFDataGetLength(valueData));
+ eq_cf(valueData, sig);
+#endif
+
+ NSError *error;
+ NSData *result;
+ result = CFBridgingRelease(SecKeyCreateDecryptedData(privateKey, kSecKeyAlgorithmRSAEncryptionRaw,
+ valueData, (void *)&error));
+ eq_cf((__bridge CFDataRef)result, valueData);
+ is(cryptoAlgorithm, kSecKeyAlgorithmRSAEncryptionRaw);
+ is(cryptoOperation, kSecKeyOperationTypeDecrypt);
+
+ NSDictionary *params = @{ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom, (id)kSecAttrKeySizeInBits: @256 };
+ SecKeyRef otherPrivKey = NULL, otherPubKey = NULL;
+ ok_status(SecKeyGeneratePair((CFDictionaryRef)params, &otherPubKey, &otherPrivKey));
+
+ error = nil;
+ result = CFBridgingRelease(SecKeyCopyKeyExchangeResult(privateKey, kSecKeyAlgorithmECDHKeyExchangeCofactor,
+ otherPubKey, (CFDictionaryRef)@{}, (void *)&error));
+ eq_cf((__bridge CFDataRef)result, valueData);
+ is(cryptoAlgorithm, kSecKeyAlgorithmECDHKeyExchangeCofactor);
+ is(cryptoOperation, kSecKeyOperationTypeKeyExchange);
+
+ CFReleaseSafe(otherPrivKey);
+ CFReleaseSafe(otherPubKey);
+ CFReleaseSafe(cryptoError);
+ CFRelease(sig);
+ CFRelease(privateKey);
+#endif
+}
+#if TKTOKEN_CLIENT_INTERFACE_VERSION >= 1
+ #if LA_CONTEXT_IMPLEMENTED
+static const int kKeySignTestCount = 20;
+ #else
+static const int kKeySignTestCount = 15;
+ #endif
+#else
+static const int kKeySignTestCount = 0;
+#endif
+
+static void test_key_generate_with_params(void) {
+
+ const UInt8 data[] = "foo";
+ CFDataRef cred_ref = CFDataCreate(NULL, data, 4);
+ __block int phase = 0;
+ TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) {
+ phase++;
+ eq_cf(CFDictionaryGetValue(attributes, kSecUseOperationPrompt), CFSTR("prompt"));
+ is(CFDictionaryGetValue(attributes, kSecUseAuthenticationUI), NULL);
+ eq_cf(CFDictionaryGetValue(attributes, kSecUseCredentialReference), cred_ref);
+
+ blocks->createOrUpdateObject = ^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) {
+ phase++;
+ SecCFCreateError(-4 /* kTKErrorCodeCanceledByUser */, CFSTR(kTKErrorDomain), CFSTR(""), NULL, error);
+ return NULL;
+ };
+ });
+
+ CFDictionaryRef prk_params = CFDictionaryCreateForCFTypes(NULL,
+ kSecAttrIsPermanent, kCFBooleanTrue,
+ NULL);
+
+ CFMutableDictionaryRef params = CFDictionaryCreateMutableForCFTypesWith(NULL,
+ kSecAttrKeyType, kSecAttrKeyTypeEC,
+ kSecAttrKeySizeInBits, CFSTR("256"),
+ kSecAttrTokenID, CFSTR("tokenid"),
+ kSecPrivateKeyAttrs, prk_params,
+ kSecUseOperationPrompt, CFSTR("prompt"),
+ kSecUseAuthenticationUI, kSecUseAuthenticationUIAllow,
+ kSecUseCredentialReference, cred_ref,
+ NULL);
+ CFRelease(prk_params);
+
+ SecKeyRef publicKey = NULL, privateKey = NULL;
+ phase = 0;
+ diag("This will produce an internal assert - on purpose");
+ is_status(SecKeyGeneratePair(params, &publicKey, &privateKey), errSecUserCanceled);
+ is(phase, 2);
+
+ CFReleaseSafe(publicKey);
+ CFReleaseSafe(privateKey);
+ CFRelease(params);
+ CFRelease(cred_ref);
+}
+static const int kKeyGenerateWithParamsTestCount = 5;
+
+static void test_error_codes(void) {
+
+ CFMutableDictionaryRef attrs = CFDictionaryCreateMutableForCFTypesWith(NULL,
+ kSecClass, kSecClassGenericPassword,
+ kSecAttrTokenID, CFSTR("tokenid"),
+ NULL);
+ // Setup token hook.
+ __block OSStatus ctk_error = 0;
+ TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) {
+ blocks->createOrUpdateObject = ^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) {
+ SecCFCreateError(ctk_error, CFSTR(kTKErrorDomain), CFSTR(""), NULL, error);
+ return NULL;
+ };
+ });
+
+ ctk_error = kTKErrorCodeBadParameter;
+ is_status(SecItemAdd(attrs, NULL), errSecParam);
+
+ ctk_error = -1 /* kTKErrorCodeNotImplemented */;
+ is_status(SecItemAdd(attrs, NULL), errSecUnimplemented);
+
+ ctk_error = -4 /* kTKErrorCodeCanceledByUser */;
+ is_status(SecItemAdd(attrs, NULL), errSecUserCanceled);
+
+ CFRelease(attrs);
+}
+static const int kErrorCodesCount = 3;
+
+static CFDataRef copy_certificate_data(const char *base64Cert)
+{
+ size_t size = SecBase64Decode(base64Cert, strnlen(base64Cert, 2048), NULL, 0);
+ ok(size);
+ CFMutableDataRef data = CFDataCreateMutable(kCFAllocatorDefault, size);
+ CFDataSetLength(data, size);
+ size = SecBase64Decode(base64Cert, strnlen(base64Cert, 2048), (char*)CFDataGetMutableBytePtr(data), CFDataGetLength(data));
+ ok(size);
+ CFDataSetLength(data, size);
+
+ return data;
+}
+
+static CFMutableDictionaryRef copy_certificate_attributes(const char *base64Cert)
+{
+ CFDataRef data = copy_certificate_data(base64Cert);
+
+ SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, data);
+ ok(cert);
+ CFDictionaryRef certAttributes = SecCertificateCopyAttributeDictionary(cert);
+ ok(certAttributes);
+ CFMutableDictionaryRef result = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, certAttributes);
+ ok(result);
+
+ if (certAttributes)
+ CFRelease(certAttributes);
+ if (data)
+ CFRelease(data);
+ if (cert)
+ CFRelease(cert);
+
+ return result;
+}
+
+static CFDictionaryRef copy_certificate_query(const char *base64cert, CFStringRef label, CFStringRef oid, CFStringRef tokenID)
+{
+ CFMutableDictionaryRef certAttributes = copy_certificate_attributes(base64cert);
+
+ CFDictionarySetValue(certAttributes, kSecAttrLabel, label);
+ CFDictionarySetValue(certAttributes, kSecAttrAccessible, kSecAttrAccessibleAlwaysPrivate);
+ CFDictionarySetValue(certAttributes, kSecAttrTokenOID, oid);
+ CFDictionaryRemoveValue(certAttributes, kSecValueData);
+
+ SecAccessControlRef acl = SecAccessControlCreate(kCFAllocatorDefault, NULL);
+ ok(acl);
+ CFTypeRef key[] = { kSecAttrTokenID };
+ CFTypeRef value[] = { tokenID };
+ CFDictionaryRef protection = CFDictionaryCreate(kCFAllocatorDefault, key, value, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ ok(SecAccessControlSetProtection(acl, protection, NULL));
+ CFRelease(protection);
+ ok(SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL));
+ CFDataRef aclData = SecAccessControlCopyData(acl);
+ ok(aclData);
+ if (aclData) {
+ CFDictionarySetValue(certAttributes, kSecAttrAccessControl, aclData);
+ CFRelease(aclData);
+ }
+
+ if (acl)
+ CFRelease(acl);
+
+ return certAttributes;
+}
+
+static CFDictionaryRef copy_key_query(CFDictionaryRef certAttributes, CFStringRef label, CFStringRef oid, CFStringRef tokenID)
+{
+ CFMutableDictionaryRef keyAttributes = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks) ;
+
+ CFDictionarySetValue(keyAttributes, kSecClass, kSecClassKey);
+ CFDictionarySetValue(keyAttributes, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
+ CFDictionarySetValue(keyAttributes, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFNumberRef keySize = CFNumberCreateWithCFIndex(kCFAllocatorDefault, 2048);
+ CFDictionarySetValue(keyAttributes, kSecAttrKeySizeInBits, keySize);
+ CFRelease(keySize);
+
+ CFDictionarySetValue(keyAttributes, kSecAttrCanDecrypt, kCFBooleanTrue);
+ CFDictionarySetValue(keyAttributes, kSecAttrCanSign, kCFBooleanTrue);
+ CFDictionarySetValue(keyAttributes, kSecAttrCanUnwrap, kCFBooleanTrue);
+ CFDictionarySetValue(keyAttributes, kSecAttrCanDerive, kCFBooleanFalse);
+ CFDictionarySetValue(keyAttributes, kSecAttrIsPrivate, kCFBooleanTrue);
+
+ CFDictionarySetValue(keyAttributes, kSecAttrLabel, label);
+ CFDictionarySetValue(keyAttributes, kSecAttrAccessible, kSecAttrAccessibleAlwaysPrivate);
+ CFDictionarySetValue(keyAttributes, kSecAttrTokenOID, oid);
+ CFDictionarySetValue(keyAttributes, kSecAttrApplicationLabel, CFDictionaryGetValue(certAttributes, kSecAttrPublicKeyHash));
+
+ SecAccessControlRef acl = SecAccessControlCreate(kCFAllocatorDefault, NULL);
+ ok(acl);
+ CFTypeRef key[] = { kSecAttrTokenID };
+ CFTypeRef value[] = { tokenID };
+ CFDictionaryRef protection = CFDictionaryCreate(kCFAllocatorDefault, key, value, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ ok(SecAccessControlSetProtection(acl, protection, NULL));
+ CFRelease(protection);
+ ok(SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL));
+ CFDataRef aclData = SecAccessControlCopyData(acl);
+ ok(aclData);
+ if (aclData) {
+ CFDictionarySetValue(keyAttributes, kSecAttrAccessControl, aclData);
+ CFRelease(aclData);
+ }
+
+ if (acl)
+ CFRelease(acl);
+
+ return keyAttributes;
+}
+
+static void check_array_for_type_id(CFArrayRef array, CFTypeID typeID)
+{
+ if (array && CFGetTypeID(array) == CFArrayGetTypeID()) {
+ for (CFIndex i = 0; i < CFArrayGetCount(array); ++i) {
+ ok(CFGetTypeID(CFArrayGetValueAtIndex(array, i)) == typeID);
+ }
+ }
+}
+
+static void test_propagate_token_items()
+{
+ CFStringRef cert1OID = CFSTR("oid1");
+ CFStringRef cert2OID = CFSTR("oid2");
+ CFStringRef key1OID = CFSTR("oid3");
+ CFStringRef key2OID = CFSTR("oid4");
+
+ TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) {
+ blocks->copyObjectData = ^CFTypeRef(CFDataRef oid, CFErrorRef *error) {
+ if (CFEqual(oid, cert1OID)) {
+ return copy_certificate_data(cert1);
+ }
+ else if (CFEqual(oid, cert2OID)) {
+ return copy_certificate_data(cert2);
+ }
+ else if (CFEqual(oid, key1OID) || CFEqual(oid, key2OID)) {
+ return kCFNull;
+ }
+ else {
+ return NULL;
+ }
+ };
+ });
+
+ CFStringRef tokenID = CFSTR("com.apple.secdtest:propagate_test_token");
+
+ CFMutableArrayRef items = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+
+ CFDictionaryRef certQuery = copy_certificate_query(cert1, CFSTR("test_cert1"), cert1OID, tokenID);
+ ok(certQuery);
+ CFDictionaryRef keyQuery = copy_key_query(certQuery, CFSTR("test_key1"), key1OID, tokenID);
+ ok(keyQuery);
+
+ CFArrayAppendValue(items, certQuery);
+ CFArrayAppendValue(items, keyQuery);
+ CFReleaseSafe(certQuery);
+ CFReleaseSafe(keyQuery);
+
+ certQuery = copy_certificate_query(cert2, CFSTR("test_cert2"), cert2OID, tokenID);
+ ok(certQuery);
+ keyQuery = copy_key_query(certQuery, CFSTR("test_key2"), key2OID, tokenID);
+ ok(keyQuery);
+
+ CFArrayAppendValue(items, certQuery);
+ CFArrayAppendValue(items, keyQuery);
+ CFReleaseSafe(certQuery);
+ CFReleaseSafe(keyQuery);
+
+ OSStatus result;
+ ok_status(result = SecItemUpdateTokenItems(tokenID, NULL), "Failed to delete items.");
+
+ ok_status(result = SecItemUpdateTokenItems(tokenID, items), "Failed to propagate items.");
+ CFRelease(items);
+
+ CFMutableDictionaryRef query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
+ CFDictionarySetValue(query, kSecAttrAccessGroup, CFSTR("com.apple.token"));
+ CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
+ CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll);
+ CFTypeRef queryResult;
+ ok_status(SecItemCopyMatching(query, &queryResult));
+ ok(queryResult && CFGetTypeID(queryResult) == CFArrayGetTypeID() && CFArrayGetCount(queryResult) == 2, "Expect array with two certs");
+ check_array_for_type_id(queryResult, SecCertificateGetTypeID());
+ CFReleaseNull(queryResult);
+
+ CFDictionarySetValue(query, kSecReturnRef, kCFBooleanFalse);
+ CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue);
+ ok_status(SecItemCopyMatching(query, &queryResult));
+ ok(queryResult && CFGetTypeID(queryResult) == CFArrayGetTypeID() && CFArrayGetCount(queryResult) == 2, "Expect array with two certs");
+ check_array_for_type_id(queryResult, CFDataGetTypeID());
+ CFReleaseNull(queryResult);
+
+ CFDictionarySetValue(query, kSecClass, kSecClassKey);
+ CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
+ CFDictionarySetValue(query, kSecReturnData, kCFBooleanFalse);
+ ok_status(SecItemCopyMatching(query, &queryResult));
+ ok(queryResult && CFGetTypeID(queryResult) == CFArrayGetTypeID() && CFArrayGetCount(queryResult) == 2, "Expect array with two keys");
+ check_array_for_type_id(queryResult, SecKeyGetTypeID());
+ CFReleaseNull(queryResult);
+
+ CFDictionarySetValue(query, kSecReturnRef, kCFBooleanFalse);
+ CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue);
+ ok_status(SecItemCopyMatching(query, &queryResult));
+ ok(queryResult && CFGetTypeID(queryResult) == CFArrayGetTypeID() && CFArrayGetCount(queryResult) == 0, "Expect empty array");
+ CFReleaseNull(queryResult);
+
+ CFDictionarySetValue(query, kSecClass, kSecClassIdentity);
+ CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
+ CFDictionarySetValue(query, kSecReturnData, kCFBooleanFalse);
+ ok_status(SecItemCopyMatching(query, &queryResult));
+ ok(queryResult && CFGetTypeID(queryResult) == CFArrayGetTypeID() && CFArrayGetCount(queryResult) == 2, "Expect array with two identities");
+ check_array_for_type_id(queryResult, SecIdentityGetTypeID());
+ CFReleaseNull(queryResult);
+
+ CFDictionarySetValue(query, kSecReturnRef, kCFBooleanFalse);
+ CFDictionarySetValue(query, kSecReturnData, kCFBooleanTrue);
+ ok_status(SecItemCopyMatching(query, &queryResult));
+ ok(queryResult && CFGetTypeID(queryResult) == CFArrayGetTypeID() && CFArrayGetCount(queryResult) == 0, "Expect empty array");
+ CFReleaseNull(queryResult);
+
+ ok_status(result = 
SecItemUpdateTokenItems(tokenID, NULL), "Failed to delete items."); + + CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue); + CFDictionarySetValue(query, kSecReturnData, kCFBooleanFalse); + is_status(SecItemCopyMatching(query, &queryResult), errSecItemNotFound); + CFReleaseNull(queryResult); + CFRelease(query); +} +static const int kPropagateCount = 66; + +static void test_identity_on_two_tokens() { + CFStringRef cert3OID = CFSTR("oid1"); + TKTokenTestSetHook(^(CFDictionaryRef attributes, TKTokenTestBlocks *blocks) { + + blocks->createOrUpdateObject = ^CFDataRef(CFDataRef objectID, CFMutableDictionaryRef at, CFErrorRef *error) { + is(objectID, NULL); + return (__bridge_retained CFDataRef)[[NSData alloc] initWithBase64EncodedString:@"BAcrF9iBupEeZOE+c73JBfkqsv8Q9rp1lTnZbKzmALf8yTR02310uGlZuUBVp4HOSiziO43dzFuegH0ywLhu+gtJj81RD8Rt+nLR6oTARkL+0l2/fzrIouleaEYpYmEp0A==" options:NSDataBase64DecodingIgnoreUnknownCharacters]; + }; + + blocks->copyPublicKeyData = ^CFDataRef(CFDataRef objectID, CFErrorRef *error) { + SecKeyRef privKey = SecKeyCreateECPrivateKey(NULL, CFDataGetBytePtr(objectID), CFDataGetLength(objectID), kSecKeyEncodingBytes); + ok(privKey); + CFDataRef publicData; + ok_status(SecKeyCopyPublicBytes(privKey, &publicData)); + CFReleaseSafe(privKey); + return publicData; + }; + + blocks->copyObjectData = ^CFTypeRef(CFDataRef oid, CFErrorRef *error) { + if (CFEqual(oid, cert3OID)) + return copy_certificate_data(cert3); + else + return kCFNull; + }; + + blocks->copyObjectAccessControl = ^CFDataRef(CFDataRef oid, CFErrorRef *error) { + SecAccessControlRef ac = SecAccessControlCreate(NULL, NULL); + SecAccessControlSetProtection(ac, kSecAttrAccessibleAlwaysPrivate, NULL); + SecAccessControlAddConstraintForOperation(ac, kAKSKeyOpDefaultAcl, kCFBooleanTrue, NULL); + CFDataRef acData = SecAccessControlCopyData(ac); + CFRelease(ac); + return acData; + }; + + blocks->copyOperationResult = ^CFTypeRef(CFDataRef objectID, CFIndex operation, CFArrayRef algorithms, 
CFIndex secKeyOperationMode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) { + ok(operation == 0); + SecKeyRef privKey = SecKeyCreateECPrivateKey(NULL, CFDataGetBytePtr(objectID), CFDataGetLength(objectID), kSecKeyEncodingBytes); + ok(privKey); + CFDataRef signature = SecKeyCreateSignature(privKey, kSecKeyAlgorithmECDSASignatureDigestX962, in1, error); + ok(signature); + CFReleaseSafe(privKey); + return signature; + }; + + }); + + @autoreleasepool { + NSString *tokenID1 = @"com.apple.secdtest:identity_test_token1"; + NSString *tokenID2 = @"com.apple.secdtest:identity_test_token2"; + + NSDictionary *params = @{ (id)kSecAttrKeyType : (id)kSecAttrKeyTypeEC, + (id)kSecAttrKeySizeInBits : @"256", + (id)kSecAttrTokenID : tokenID1, + (id)kSecPrivateKeyAttrs : @{ (id)kSecAttrIsPermanent : @YES/*, (id)kSecAttrIsPrivate : @YES*/ } + }; + + SecKeyRef publicKey = NULL, privateKey = NULL; + ok_status(SecKeyGeneratePair((CFDictionaryRef)params, &publicKey, &privateKey)); + + NSDictionary *certQuery = CFBridgingRelease(copy_certificate_query(cert3, CFSTR("test_cert3"), cert3OID, (__bridge CFStringRef)tokenID2)); + ok(certQuery); + + OSStatus result; + ok_status(result = SecItemUpdateTokenItems((__bridge CFStringRef)tokenID2, (__bridge CFArrayRef)@[certQuery]), "Failed to propagate items."); + + NSData *pubKeyHash = CFBridgingRelease(SecKeyCopyPublicKeyHash(publicKey)); + + CFTypeRef resultRef; + NSDictionary *query = @{ (id)kSecClass : (id)kSecClassKey, (id)kSecAttrApplicationLabel : pubKeyHash, (id)kSecReturnRef : @YES, (id)kSecReturnAttributes : @YES }; + ok_status(result = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef*)&resultRef)); + CFReleaseSafe(resultRef); + + query = @{ (id)kSecClass : (id)kSecClassCertificate, (id)kSecAttrPublicKeyHash : pubKeyHash, (id)kSecReturnRef : @YES, (id)kSecReturnAttributes : @YES }; + ok_status(result = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef*)&resultRef)); + CFReleaseSafe(resultRef); + + query = @{ (id)kSecClass : 
(id)kSecClassIdentity, (id)kSecAttrApplicationLabel : pubKeyHash, (id)kSecReturnRef : @YES, (id)kSecReturnAttributes : @YES }; + ok_status(result = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef*)&resultRef)); + CFReleaseSafe(resultRef); + } +} +static const int kIdentityonTwoTokensCount = 20; + + +static void tests(void) { + /* custom keychain dir */ + secd_test_setup_temp_keychain("secd_33_keychain_ctk", NULL); + + test_item_add(); + test_item_query(); + test_item_update(); + test_item_delete(); + test_key_generate(); + test_key_sign(); + test_key_generate_with_params(); + test_error_codes(); + test_propagate_token_items(); + test_identity_on_two_tokens(); +} + +int secd_33_keychain_ctk(int argc, char *const *argv) { + plan_tests(kItemAddTestCount + + kItemQueryTestCount + + kItemUpdateTestCount + + kItemDeleteTestCount + + kKeyGenerateTestCount + + kKeySignTestCount + + kKeyGenerateWithParamsTestCount + + kErrorCodesCount + + kPropagateCount + + kIdentityonTwoTokensCount + + kSecdTestSetupTestCount); + tests(); + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-49-manifests.c b/OSX/sec/securityd/Regressions/secd-49-manifests.c index 58c79e9f..93685b4a 100644 --- a/OSX/sec/securityd/Regressions/secd-49-manifests.c +++ b/OSX/sec/securityd/Regressions/secd-49-manifests.c @@ -181,7 +181,7 @@ static void test_okmfunion(SOSManifestRef a, SOSManifestRef b, SOSManifestRef n, static SOSManifestRef createManifestWithString(CFStringRef string) { struct SOSDigestVector dv = SOSDigestVectorInit; CFIndex length = string ? CFStringGetLength(string) : 0; - CFStringInlineBuffer buf; + CFStringInlineBuffer buf = {}; CFRange range = { 0, length }; CFStringInitInlineBuffer(string, &buf, range); for (CFIndex ix = 0; ix < length; ++ix) { diff --git a/OSX/sec/securityd/Regressions/secd-50-account.c b/OSX/sec/securityd/Regressions/secd-50-account.c index bad71bd8..be6c76c9 100644 --- a/OSX/sec/securityd/Regressions/secd-50-account.c 
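Review bot: `CFStringInlineBuffer buf = {};` relies on the empty-brace initializer, which is a GNU/Clang extension under C11 (standard only from C23) and warns under -pedantic; the portable spelling with the same effect is `CFStringInlineBuffer buf = {0};`. Zeroing the buffer is the right change, since the unchanged call below hands `&buf` to `CFStringInitInlineBuffer` even when `string` is NULL (only `length` is guarded), so if that call returns early the buffer would otherwise be read uninitialized. The body of createManifestWithString continues past the hunk.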
+++ b/OSX/sec/securityd/Regressions/secd-50-account.c @@ -81,7 +81,7 @@ static void tests(void) CFReleaseNull(inflated); CFDictionaryRef new_gestalt = SOSCreatePeerGestaltFromName(CFSTR("New Device")); - ok(SOSAccountResetToOffering(account, &error), "Reset to Offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(account, &error), "Reset to Offering (%@)", error); CFReleaseNull(error); is(SOSAccountGetCircleStatus(account, &error), kSOSCCInCircle, "Was in Circle (%@)", error); CFReleaseNull(error); diff --git a/OSX/sec/securityd/Regressions/secd-51-account-inflate.c b/OSX/sec/securityd/Regressions/secd-51-account-inflate.c index e112fd99..25c2febf 100644 --- a/OSX/sec/securityd/Regressions/secd-51-account-inflate.c +++ b/OSX/sec/securityd/Regressions/secd-51-account-inflate.c @@ -221,7 +221,7 @@ static void test_v6(void) { } #endif -static int kTestTestCount = 10 + kSecdTestSetupTestCount; +static int kTestTestCount = 11 + kSecdTestSetupTestCount; static void tests(void) { 
@@ -240,41 +240,11 @@ static void tests(void) ok(NULL != account, "Created"); - ok(SOSAccountResetToOffering(account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); - - // Use this part with suitable changes to test when we allow account upgrades. - size_t size = SOSAccountGetDEREncodedSize(account, &error); - CFReleaseNull(error); - uint8_t buffer[size]; - uint8_t* start = SOSAccountEncodeToDER(account, &error, buffer, buffer + sizeof(buffer)); - CFReleaseNull(error); - - ok(start, "successful encoding"); - ok(start == buffer, "Used whole buffer"); - - CFDataRef accountData = CFDataCreate(kCFAllocatorDefault, buffer, size); - ok(accountData, "Made CFData for Account"); - - SOSAccountRef inflated = SOSAccountCreateFromData(kCFAllocatorDefault, accountData, test_factory, &error); - CFReleaseNull(error); - - ok(inflated, "inflated"); - ok(CFEqualSafe(inflated, account), "Compares"); - - CFDataRef secondData = SOSAccountCopyEncodedData(inflated, kCFAllocatorDefault, &error); - CFReleaseNull(error); - SOSAccountRef inflated2 = SOSAccountCreateFromData(kCFAllocatorDefault, secondData, test_factory, &error); - ok(inflated2, "inflated2"); - ok(CFEqual(account, inflated2), "Compares"); - - + ok(testAccountPersistence(account), "Test Account->DER->Account Equivalence"); CFReleaseNull(account); - CFReleaseNull(inflated); - CFReleaseNull(inflated2); - CFReleaseNull(accountData); - CFReleaseNull(secondData); SOSUnregisterAllTransportMessages(); SOSUnregisterAllTransportCircles(); diff --git a/OSX/sec/securityd/Regressions/secd-52-account-changed.c b/OSX/sec/securityd/Regressions/secd-52-account-changed.c index acaf8fb9..ea8db431 100644 --- a/OSX/sec/securityd/Regressions/secd-52-account-changed.c +++ b/OSX/sec/securityd/Regressions/secd-52-account-changed.c 
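Review bot: `kTestTestCount` in the preceding @@ -221 hunk goes from 10 to 11, yet this hunk deletes seven `ok(...)` assertions and adds a single `ok(testAccountPersistence(account), ...)`, so the new count only balances if testAccountPersistence itself reports seven or more results; that is not visible here and the number is now hard to audit. A comment beside the constant such as `// includes the assertions emitted inside testAccountPersistence()` would save the next reader from recounting. The tests() body extends beyond the hunk on both sides.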
@@ -79,18 +79,18 @@ static void tests(void) /* ==================== Three Accounts setup =============================================*/ - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "update"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "update"); - ok(SOSAccountJoinCircles(carol_account, &error), "Carol Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(carol_account, &error), "Carol Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "update"); @@ -146,7 +146,7 @@ static void tests(void) /* ==================== Three Accounts setup =============================================*/ - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(countActivePeers(alice_account), 2, "2 peers - alice and icloud"); 
@@ -156,12 +156,12 @@ static void tests(void) is(SOSAccountGetCircleStatus(bob_account, &error), kSOSCCNotInCircle, "Bob is not in circle"); is(SOSAccountGetCircleStatus(carol_account, &error), kSOSCCNotInCircle, "Carol is not in circle"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(carol_account, &error), "Carol Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(carol_account, &error), "Carol Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "updates"); diff --git a/OSX/sec/securityd/Regressions/secd-52-offering-gencount-reset.c b/OSX/sec/securityd/Regressions/secd-52-offering-gencount-reset.c index d32b1aed..2a28b991 100644 --- a/OSX/sec/securityd/Regressions/secd-52-offering-gencount-reset.c +++ b/OSX/sec/securityd/Regressions/secd-52-offering-gencount-reset.c @@ -79,12 +79,12 @@ static void tests(void) is(error ? CFErrorGetCode(error) : 0, kSOSErrorWrongPassword, "Expected SOSErrorWrongPassword"); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); 
@@ -109,7 +109,7 @@ static void tests(void) //bob now goes def while Alice does some stuff. ok(SOSAccountLeaveCircle(alice_account, &error), "ALICE LEAVES THE CIRCLE (%@)", error); - ok(SOSAccountResetToOffering(alice_account, &error), "Alice resets to offering again (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Alice resets to offering again (%@)", error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); @@ -120,7 +120,7 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(carol_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); SOSAccountSetUserPublicTrustedForTesting(carol_account); - ok(SOSAccountResetToOffering(carol_account, &error), "Carol is going to push a reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(carol_account, &error), "Carol is going to push a reset to offering (%@)", error); int64_t valuePtr = 0; CFNumberRef gencount = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &valuePtr); @@ -128,7 +128,7 @@ static void tests(void) SecKeyRef user_privkey = SOSUserKeygen(cfpassword, carol_account->user_key_parameters, &error); CFNumberRef genCountTest = SOSCircleGetGeneration(carol_account->trusted_circle); - int testPtr; + CFIndex testPtr; CFNumberGetValue(genCountTest, kCFNumberCFIndexType, &testPtr); ok(testPtr== 0); diff --git a/OSX/sec/securityd/Regressions/secd-55-account-circle.c b/OSX/sec/securityd/Regressions/secd-55-account-circle.c index 3bc41dbe..9a4258f9 100644 --- a/OSX/sec/securityd/Regressions/secd-55-account-circle.c +++ b/OSX/sec/securityd/Regressions/secd-55-account-circle.c @@ -51,7 +51,7 @@ #include "SecdTestKeychainUtilities.h" -static int kTestTestCount = 324; +static int kTestTestCount = 326; static void tests(void) { 
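Review bot: The widened `CFIndex testPtr;` in the @@ -128 hunk is still declared uninitialized and then read by `ok(testPtr== 0)` without checking that `CFNumberGetValue` succeeded, so should the conversion fail the assertion compares an indeterminate value; prefer `CFIndex testPtr = -1;` and `ok(CFNumberGetValue(genCountTest, kCFNumberCFIndexType, &testPtr));` so the conversion is part of the test. The type change is the right fix, since the previous `int` was too small for a `kCFNumberCFIndexType` write on 64-bit. The name `testPtr` is also misleading for a plain integer; `genCount` would read better. The enclosing tests() body runs past the hunk.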
@@ -79,12 +79,14 @@ static void tests(void) is(error ? CFErrorGetCode(error) : 0, kSOSErrorWrongPassword, "Expected SOSErrorWrongPassword"); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountHasCompletedInitialSync(alice_account), "Alice thinks she's completed initial sync"); + + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "updates"); @@ -105,7 +107,9 @@ static void tests(void) CFArrayRef peers = SOSAccountCopyPeers(alice_account, &error); ok(peers && CFArrayGetCount(peers) == 2, "See two peers %@ (%@)", peers, error); CFReleaseNull(peers); - + + ok(!SOSAccountHasCompletedInitialSync(bob_account), "Bob thinks he hasn't completed initial sync"); + CFDictionaryRef alice_new_gestalt = SOSCreatePeerGestaltFromName(CFSTR("Alice, but different")); ok(SOSAccountUpdateGestalt(alice_account, alice_new_gestalt), "Update gestalt %@ (%@)", alice_account, error); @@ -127,7 +131,7 @@ static void tests(void) ok(peers && CFArrayGetCount(peers) == 1, "See one peer %@ (%@)", peers, error); CFReleaseNull(peers); - ok(SOSAccountJoinCircles(alice_account, &error), "Alice re-applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(alice_account, &error), "Alice re-applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "updates"); 
@@ -148,7 +152,7 @@ static void tests(void) ok(SOSAccountLeaveCircle(alice_account, &error), "Alice Leaves (%@)", error); CFReleaseNull(error); - ok(SOSAccountJoinCircles(alice_account, &error), "Alice re-applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(alice_account, &error), "Alice re-applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "updates"); @@ -226,7 +230,7 @@ static void tests(void) is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "updates"); accounts_agree("Alice and Bob see Alice out of circle", bob_account, alice_account); - ok(SOSAccountJoinCircles(alice_account, &error), "Alice re-applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(alice_account, &error), "Alice re-applies (%@)", error); CFReleaseNull(error); ok(SOSAccountLeaveCircle(alice_account, &error), "Alice leaves while applying (%@)", error); @@ -237,7 +241,7 @@ static void tests(void) is(SOSAccountGetCircleStatus(alice_account, &error), kSOSCCNotInCircle, "Alice isn't applying any more"); accounts_agree("Alice leaves & some fancy concordance stuff happens", bob_account, alice_account); - ok(SOSAccountJoinCircles(alice_account, &error), "Alice re-applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(alice_account, &error), "Alice re-applies (%@)", error); CFReleaseNull(error); FeedChangesTo(changes, bob_account); // Bob sees Alice reapply. 
@@ -259,21 +263,21 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(carol_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(cfpassword); - ok(SOSAccountJoinCircles(carol_account, &error), "Carol Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(carol_account, &error), "Carol Applies (%@)", error); CFReleaseNull(error); CFMutableDictionaryRef dropped_changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); FillChanges(dropped_changes, carol_account); CFReleaseNull(dropped_changes); - ok(SOSAccountResetToOffering(carol_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(carol_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, bob_account, carol_account, NULL), 2, "updates"); accounts_agree("13889901", carol_account, bob_account); is(SOSAccountGetLastDepartureReason(bob_account, &error), kSOSMembershipRevoked, "Bob affirms he hasn't left."); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob ReApplies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob ReApplies (%@)", error); is(ProcessChangesUntilNoChange(changes, bob_account, carol_account, NULL), 2, "updates"); { CFArrayRef applicants = SOSAccountCopyApplicants(carol_account, &error); 
@@ -290,11 +294,11 @@ static void tests(void) is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 1, "Reset propogation"); // Test multiple removal, including our own departure via that API - ok(SOSAccountResetToOffering(alice_account, NULL), "Reset to offering"); + ok(SOSAccountResetToOffering_wTxn(alice_account, NULL), "Reset to offering"); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "Reset propogation"); - ok(SOSAccountJoinCircles(bob_account, NULL), "bob joins again"); + ok(SOSAccountJoinCircles_wTxn(bob_account, NULL), "bob joins again"); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "Bob request"); @@ -309,7 +313,7 @@ static void tests(void) is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 3, "carol request"); - ok(SOSAccountJoinCircles(carol_account, NULL), "carol joins again"); + ok(SOSAccountJoinCircles_wTxn(carol_account, NULL), "carol joins again"); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carol_account, NULL), 2, "carol request"); diff --git a/OSX/sec/securityd/Regressions/secd-56-account-apply.c b/OSX/sec/securityd/Regressions/secd-56-account-apply.c index 5a39cef4..81d0d34e 100644 --- a/OSX/sec/securityd/Regressions/secd-56-account-apply.c +++ b/OSX/sec/securityd/Regressions/secd-56-account-apply.c 
@@ -51,26 +51,15 @@ #include "SecdTestKeychainUtilities.h" -static int kTestTestCount = 118; +static int kTestTestCount = 230; -#if 0 -static int countPeers(SOSAccountRef account, bool active) { - CFErrorRef error = NULL; - CFArrayRef peers; - - if(active) peers = SOSAccountCopyActivePeers(account, &error); - else peers = SOSAccountCopyPeers(account, &error); - int retval = (int) CFArrayGetCount(peers); - CFReleaseNull(error); - CFReleaseNull(peers); - return retval; -} -#endif +#define kAccountPasswordString ((uint8_t*) "FooFooFoo") +#define kAccountPasswordStringLen 10 static void tests(void) { CFErrorRef error = NULL; - CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); + CFDataRef cfpassword = CFDataCreate(NULL, kAccountPasswordString, kAccountPasswordStringLen); CFStringRef cfaccount = CFSTR("test@test.org"); CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); @@ -95,16 +84,16 @@ static void tests(void) CFReleaseNull(cfpassword); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); // Lost Application Scenario is(ProcessChangesOnce(changes, alice_account, bob_account, carole_account, david_account, NULL), 1, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); - ok(SOSAccountJoinCircles(carole_account, &error), "Carole Applies too (%@)", error); + ok(SOSAccountJoinCircles_wTxn(carole_account, &error), "Carole Applies too (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 3, "updates"); 
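Review bot: `kAccountPasswordStringLen 10` is a separate literal from `kAccountPasswordString`, so the two macros drift apart if the password is ever edited, and the `(uint8_t*)` cast strips const from a string literal although `CFDataCreate` only reads through the pointer. Deriving the length from the literal keeps them in step while preserving the current 10 bytes (nine characters plus the NUL): `#define kAccountPasswordString ((const uint8_t *) "FooFooFoo")` and `#define kAccountPasswordStringLen (sizeof("FooFooFoo"))`. The same pair is consumed again by the second `CFDataCreate` in the @@ -161 hunk of this file.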
@@ -145,9 +134,18 @@ static void tests(void) CFReleaseSafe(applicants); } - ok(SOSAccountJoinCircles(bob_account, &error), "Bob asks again"); + ok(SOSAccountLeaveCircle(carole_account, &error), "Carole bails (%@)", error); + CFReleaseNull(error); + + // Everyone but bob sees that carole bails. + is(ProcessChangesUntilNoChange(changes, alice_account, carole_account, david_account, NULL), 1, "updates"); + + + // Bob reapplies, but it's to an old circle. + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob asks again"); CFReleaseNull(error); + // Bob returns and we mix our split worlds up. is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 2, "updates"); { 
@@ -161,122 +159,54 @@ static void tests(void) is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 3, "updates"); -#if 0 - - { - CFArrayRef applicants = SOSAccountCopyApplicants(alice_account, &error); - - ok(applicants && CFArrayGetCount(applicants) == 1, "Bob automatically re-applied %@ (%@)", applicants, error); - ok(SOSAccountAcceptApplicants(alice_account, applicants, &error), "Alice accepts (%@)", error); - CFReleaseNull(error); - CFReleaseNull(applicants); - } - - is(countPeers(alice_account, 0), 3, "Bob is accepted after auto-reapply"); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); - accounts_agree("alice and carole agree after bob gets in", alice_account, carole_account); - + is(countPeers(bob_account), 2, "Bob sees 2 valid peers after admission from re-apply"); + + accounts_agree("alice and bob agree", alice_account, bob_account); + 
accounts_agree_internal("alice and carole agree", alice_account, carole_account, false); + + // Rejected Application Scenario - ok(SOSAccountJoinCircles(david_account, &error), "Dave Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(david_account, &error), "Dave Applies (%@)", error); CFReleaseNull(error); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); - + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 2, "updates"); + + accounts_agree_internal("alice and david agree", alice_account, david_account, false); + SOSAccountPurgePrivateCredential(alice_account); - + { CFArrayRef applicants = SOSAccountCopyApplicants(alice_account, &error); - + ok(applicants && CFArrayGetCount(applicants) == 1, "See one applicant %@ (%@)", applicants, error); ok(SOSAccountRejectApplicants(alice_account, applicants, &error), "Alice rejects (%@)", error); CFReleaseNull(error); CFReleaseNull(applicants); } - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, 
alice_account, carole_account, NULL); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); - - accounts_agree("alice and carole still agree after david is rejected", alice_account, carole_account); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 2, "updates"); + + accounts_agree_internal("alice and carole still agree after david is rejected", alice_account, carole_account, false); + + cfpassword = CFDataCreate(NULL, kAccountPasswordString, kAccountPasswordStringLen); + ok(SOSAccountTryUserCredentials(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(error); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); - - FillAllChanges(changes); - - ok(CFDictionaryGetCount(CarolChanges) == 0, "We converged. (%@)", CarolChanges); - ok(CFDictionaryGetCount(BobChanges) == 0, "We converged. (%@)", BobChanges); - ok(CFDictionaryGetCount(AliceChanges) == 0, "We converged. (%@)", AliceChanges); - ok(CFDictionaryGetCount(DavidChanges) == 0, "We converged. 
(%@)", DavidChanges); - + CFReleaseNull(cfpassword); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 1, "updates"); + accounts_agree("bob&alice pair", bob_account, alice_account); - - ok(SOSAccountJoinCirclesAfterRestore(carole_account, &error), "Carole cloud identiy joins (%@)", error); + + ok(SOSAccountJoinCirclesAfterRestore_wTxn(carole_account, &error), "Carole cloud identiy joins (%@)", error); CFReleaseNull(error); - - is(countPeers(carole_account, false), 3, "Carole sees 3 valid peers after sliding in"); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); - - FillAllChanges(changes); - FeedChangesToMulti(AliceChanges, bob_account, carole_account, david_account, NULL); - FeedChangesToMulti(BobChanges, alice_account, carole_account, david_account, NULL); - FeedChangesToMulti(CarolChanges, bob_account, alice_account, david_account, NULL); - FeedChangesToMulti(DavidChanges, bob_account, alice_account, carole_account, NULL); // Bob and carole see the final result. 
- - accounts_agree_internal("Carole's in", bob_account, alice_account, false); - accounts_agree_internal("Carole's in - 2", bob_account, carole_account, false); -#endif + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 4, "updates"); + + accounts_agree_internal("carole&alice pair", carole_account, alice_account, false); + + is(countPeers(carole_account), 3, "Carole sees 3 valid peers after sliding in"); + CFReleaseNull(bob_account); CFReleaseNull(alice_account); CFReleaseNull(carole_account); diff --git a/OSX/sec/securityd/Regressions/secd-57-1-account-last-standing.c b/OSX/sec/securityd/Regressions/secd-57-1-account-last-standing.c new file mode 100644 index 00000000..96ade6fa --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-57-1-account-last-standing.c 
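Review bot: The description in the new `ok(SOSAccountJoinCirclesAfterRestore_wTxn(carole_account, &error), "Carole cloud identiy joins (%@)", error);` line carries the typo "identiy", which is the string that appears in test output and is easy to fix while the line is being touched; `"Carole cloud identity joins (%@)"`. The rest of the hunk replaces the hand-rolled FeedChangesToMulti rounds with ProcessChangesUntilNoChange, which reads well. The tests() body begins before the hunk.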
@@ -0,0 +1,169 @@ +// +// secd-57-1-account-last-standing.c +// sec +// +/* + * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. 
+ * + * @APPLE_LICENSE_HEADER_END@ + */ + + + + +#include <Security/SecBase.h> +#include <Security/SecItem.h> + +#include <CoreFoundation/CFDictionary.h> + +#include <Security/SecureObjectSync/SOSAccount.h> +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSInternal.h> +#include <Security/SecureObjectSync/SOSUserKeygen.h> +#include <Security/SecureObjectSync/SOSTransport.h> + +#include <stdlib.h> +#include <unistd.h> + +#include "secd_regressions.h" +#include "SOSTestDataSource.h" + +#include "SOSRegressionUtilities.h" +#include <utilities/SecCFWrappers.h> +#include <Security/SecKeyPriv.h> + +#include <securityd/SOSCloudCircleServer.h> + +#include "SOSAccountTesting.h" + +#include "SecdTestKeychainUtilities.h" + + +static int kTestTestCount = 66; + + +static bool acceptApplicants(SOSAccountRef account, CFIndex count) { + bool retval = false; + CFErrorRef error = NULL; + CFArrayRef applicants = SOSAccountCopyApplicants(account, &error); + ok(applicants && CFArrayGetCount(applicants) == count, "See %ld applicants %@ (%@)", count, applicants, error); + CFReleaseNull(error); + require_quiet(CFArrayGetCount(applicants) == count, xit); + ok((retval=SOSAccountAcceptApplicants(account, applicants, &error)), "Accept applicants into the fold"); + CFReleaseNull(error); + CFReleaseSafe(applicants); +xit: + return retval; +} + + +static void tests(void) +{ + CFErrorRef error = NULL; + CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); + CFStringRef cfaccount = CFSTR("test@test.org"); + + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + + SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("Alice"), CFSTR("TestSource")); + + ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account , cfaccount, cfpassword, &error), "Credential setting (%@)", error); + + is(ProcessChangesUntilNoChange(changes, alice_account, NULL), 1, "updates"); + + 
ok(SOSAccountResetToOffering_wTxn(alice_account , &error), "Reset to offering (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, NULL), 1, "updates"); + + ok(SOSAccountLeaveCircle(alice_account , &error), "Alice Leaves (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, NULL), 1, "updates"); + + ok(SOSAccountTryUserCredentials(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountJoinCircles_wTxn(alice_account , &error), "Alice re-applies (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, NULL), 1, "updates"); + + ok(SOSAccountIsInCircle(alice_account, &error), "Alice is back in the circle (%@)", error); + CFReleaseNull(error); + + is(countActivePeers(alice_account), 2, "Alice sees 2 active peers"); + is(countPeers(alice_account), 1, "Alice sees 1 valid peer"); + + // Have Alice leave the circle just as Bob tries to join. 
+ SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("Bob"), CFSTR("TestSource")); + SOSAccountRef carole_account = CreateAccountForLocalChanges(CFSTR("Carole"), CFSTR("TestSource")); + + is(ProcessChangesUntilNoChange(changes, bob_account, alice_account, carole_account, NULL), 1, "updates"); + ok(SOSAccountTryUserCredentials(bob_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(error); + ok(SOSAccountTryUserCredentials(carole_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(error); + is(ProcessChangesUntilNoChange(changes, bob_account, alice_account, carole_account, NULL), 1, "updates"); + + ok(SOSAccountJoinCircles_wTxn(carole_account , &error), "Carole applies (%@)", error); + CFReleaseNull(error); + is(ProcessChangesUntilNoChange(changes, bob_account, alice_account, carole_account, NULL), 2, "updates"); + ok(acceptApplicants(alice_account, 1), "Alice accepts Carole"); + is(ProcessChangesUntilNoChange(changes, bob_account, alice_account, carole_account, NULL), 3, "updates"); + + ok(SOSAccountLeaveCircle(alice_account , &error), "Alice Leaves (%@)", error); + CFReleaseNull(error); + is(ProcessChangesUntilNoChange(changes, alice_account, carole_account, NULL), 2, "updates"); + + ok(SOSAccountLeaveCircle(carole_account , &error), "Carole Leaves (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, carole_account, NULL), 2, "updates"); + ok(SOSAccountJoinCircles_wTxn(bob_account , &error), "Bob applies (%@)", error); + is(ProcessChangesUntilNoChange(changes, bob_account, NULL), 2, "updates"); + CFReleaseNull(error); + + is(countActivePeers(bob_account), 2, "Bob sees 2 active peers"); + is(countPeers(bob_account), 1, "Bob sees 1 valid peer"); + + + CFReleaseNull(cfpassword); + CFReleaseNull(alice_account); + CFReleaseNull(bob_account); + + SOSUnregisterAllTransportMessages(); + SOSUnregisterAllTransportCircles(); + 
SOSUnregisterAllTransportKeyParameters(); + CFArrayRemoveAllValues(key_transports); + CFArrayRemoveAllValues(circle_transports); + CFArrayRemoveAllValues(message_transports); +} + +int secd_57_1_account_last_standing(int argc, char *const *argv) +{ + plan_tests(kTestTestCount); + + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + + tests(); + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-57-account-leave.c b/OSX/sec/securityd/Regressions/secd-57-account-leave.c index 7bdceeac..bbec4104 100644 --- a/OSX/sec/securityd/Regressions/secd-57-account-leave.c +++ b/OSX/sec/securityd/Regressions/secd-57-account-leave.c @@ -91,12 +91,12 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(david_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account , &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account , &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(bob_account , &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account , &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 2, "updates"); @@ -140,7 +140,7 @@ static void tests(void) ok(SOSAccountTryUserCredentials(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(error); - ok(SOSAccountJoinCircles(alice_account , &error), "Alice re-applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(alice_account , &error), "Alice re-applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 2, "updates"); 
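Review bot: In acceptApplicants, `require_quiet(CFArrayGetCount(applicants) == count, xit);` runs even when SOSAccountCopyApplicants returned NULL — the preceding ok() only reports that case — so a NULL array is dereferenced, and when the count does not match the jump to xit skips `CFReleaseSafe(applicants)` and leaks it. `require_quiet(applicants && CFArrayGetCount(applicants) == count, xit);` with the release moved below the xit label covers both. In tests(), carole_account is created alongside bob_account but only alice_account and bob_account are released before the transport teardown, so `CFReleaseNull(carole_account);` is missing; the `changes` dictionary also appears not to be released anywhere in the visible body.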
@@ -169,7 +169,7 @@ static void tests(void) accounts_agree("Alice rejoined", bob_account, alice_account); accounts_agree_internal("Alice rejoined, carole noticed", bob_account, carole_account, false); - ok(SOSAccountJoinCircles(carole_account , &error), "Carole applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(carole_account , &error), "Carole applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 2, "updates"); @@ -215,7 +215,7 @@ static void tests(void) is(countPeers(david_account), 1, "david sees 1 peers"); is(countActivePeers(david_account), 4, "david sees 4 active peers"); - ok(SOSAccountJoinCircles(david_account , &error), "David applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(david_account , &error), "David applies (%@)", error); CFReleaseNull(error); is(countPeers(david_account), 1, "david sees 1 peers"); is(countActivePeers(david_account), 4, "david sees 4 active peers"); @@ -243,7 +243,7 @@ static void tests(void) ok(SOSAccountLeaveCircle(bob_account, &error), "bob Leaves w/o credentials (%@)", error); CFReleaseNull(error); - ok(!SOSAccountIsInCircle(bob_account, &error), "bob know's he's out (%@)", error); + ok(!SOSAccountIsInCircle(bob_account, &error), "bob knows he's out (%@)", error); CFReleaseNull(error); CFReleaseNull(bob_account); diff --git a/OSX/sec/securityd/Regressions/secd-58-password-change.c b/OSX/sec/securityd/Regressions/secd-58-password-change.c index a62f4259..145d2253 100644 --- a/OSX/sec/securityd/Regressions/secd-58-password-change.c +++ b/OSX/sec/securityd/Regressions/secd-58-password-change.c 
@@ -63,7 +63,7 @@ static bool AssertCreds(SOSAccountRef account,CFStringRef acct_name, CFDataRef p static bool ResetToOffering(SOSAccountRef account) { CFErrorRef error = NULL; bool retval; - ok((retval = SOSAccountResetToOffering(account, &error)), "Reset to offering (%@)", error); + ok((retval = SOSAccountResetToOffering_wTxn(account, &error)), "Reset to offering (%@)", error); CFReleaseNull(error); return retval; } @@ -71,7 +71,7 @@ static bool ResetToOffering(SOSAccountRef account) { static bool JoinCircle(SOSAccountRef account) { CFErrorRef error = NULL; bool retval; - ok((retval = SOSAccountJoinCircles(account, &error)), "Join Circle (%@)", error); + ok((retval = SOSAccountJoinCircles_wTxn(account, &error)), "Join Circle (%@)", error); CFReleaseNull(error); return retval; } diff --git a/OSX/sec/securityd/Regressions/secd-59-account-cleanup.c b/OSX/sec/securityd/Regressions/secd-59-account-cleanup.c index 60845634..3affffcf 100644 --- a/OSX/sec/securityd/Regressions/secd-59-account-cleanup.c +++ b/OSX/sec/securityd/Regressions/secd-59-account-cleanup.c @@ -77,12 +77,12 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(carole_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); 
@@ -122,7 +122,7 @@ static void tests(void) //is(CFDictionaryGetCountOfValue(BobChanges, kCFNull),0, "0 Keys Nulled Out"); - ok(SOSAccountJoinCircles(carole_account, &error), "Carole Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(carole_account, &error), "Carole Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); diff --git a/OSX/sec/securityd/Regressions/secd-60-account-cloud-identity.c b/OSX/sec/securityd/Regressions/secd-60-account-cloud-identity.c index 72af65ec..620ce259 100644 --- a/OSX/sec/securityd/Regressions/secd-60-account-cloud-identity.c +++ b/OSX/sec/securityd/Regressions/secd-60-account-cloud-identity.c @@ -51,7 +51,15 @@ #include "SecdTestKeychainUtilities.h" -static int kTestTestCount = 141; +static int kTestTestCount = 215; + +static bool purgeICloudIdentity(SOSAccountRef account) { + bool retval = false; + SOSFullPeerInfoRef icfpi = SOSCircleCopyiCloudFullPeerInfoRef(SOSAccountGetCircle(account, NULL), NULL); + if(!icfpi) return false; + retval = SOSFullPeerInfoPurgePersistentKey(icfpi, NULL); + return retval; +} static void tests(void) { 
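Review bot: purgeICloudIdentity never releases `icfpi`: SOSCircleCopyiCloudFullPeerInfoRef follows the Copy naming rule, so the caller owns the returned full peer info and it leaks on every call (the later hunk in this file calls the helper from tests()). `CFReleaseNull(icfpi);` before `return retval;` fixes it. Both SOSAccountGetCircle and SOSFullPeerInfoPurgePersistentKey are passed NULL for their error parameter, so a failure surfaces only as a bare "remove iCloud private key" failure with no cause; threading a CFErrorRef out of the helper would make that ok() diagnosable.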
@@ -75,13 +83,12 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(carole_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(error); - CFReleaseNull(cfpassword); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); @@ -100,7 +107,7 @@ static void tests(void) /*----- normal join after restore -----*/ - ok(SOSAccountJoinCirclesAfterRestore(carole_account, &error), "Carole cloud identity joins (%@)", error); + ok(SOSAccountJoinCirclesAfterRestore_wTxn(carole_account, &error), "Carole cloud identity joins (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 4, "updates"); 
@@ -120,14 +127,14 @@ static void tests(void) /*----- join - join after restore -----*/ - ok(SOSAccountJoinCircles(carole_account, &error), "Carole normally joins (%@)", error); + ok(SOSAccountJoinCircles_wTxn(carole_account, &error), "Carole normally joins (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); is(countApplicants(alice_account), 1, "See one applicant"); - ok(SOSAccountJoinCirclesAfterRestore(carole_account, &error), "Carole cloud identity joins (%@)", error); + ok(SOSAccountJoinCirclesAfterRestore_wTxn(carole_account, &error), "Carole cloud identity joins (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 4, "updates"); 
@@ -142,10 +149,52 @@ static void tests(void) accounts_agree_internal("Carole's in", bob_account, alice_account, false); accounts_agree_internal("Carole's in - 2", bob_account, carole_account, false); + /* Break iCloud identity FPI in all peers */ + + ok(purgeICloudIdentity(alice_account), "remove iCloud private key"); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 1, "updates"); + + + ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 4, "updates"); + + ok(SOSAccountLeaveCircle(carole_account, &error), "Carol Leaves again"); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); + + /*----- join - join after restore -----*/ + + ok(SOSAccountJoinCircles_wTxn(carole_account, &error), "Carole normally joins (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); + + is(countApplicants(alice_account), 1, "See one applicant"); + + ok(SOSAccountJoinCirclesAfterRestore_wTxn(carole_account, &error), "Carole cloud identity joins (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 4, "updates"); + + + is(countApplicants(alice_account), 0, "See no applicants"); + + is(countPeers(carole_account), 3, "Carole sees 3 valid peers after sliding in"); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 1, "updates"); + + accounts_agree_internal("Carole's in", bob_account, alice_account, false); + accounts_agree_internal("Carole's in - 2", bob_account, carole_account, false); + CFReleaseNull(bob_account); CFReleaseNull(alice_account); 
CFReleaseNull(carole_account); - + CFReleaseNull(cfpassword); + SOSUnregisterAllTransportMessages(); SOSUnregisterAllTransportCircles(); SOSUnregisterAllTransportKeyParameters(); diff --git a/OSX/sec/securityd/Regressions/secd-61-account-leave-not-in-kansas-anymore.c b/OSX/sec/securityd/Regressions/secd-61-account-leave-not-in-kansas-anymore.c index 052f0b83..7269614a 100644 --- a/OSX/sec/securityd/Regressions/secd-61-account-leave-not-in-kansas-anymore.c +++ b/OSX/sec/securityd/Regressions/secd-61-account-leave-not-in-kansas-anymore.c @@ -102,13 +102,13 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(david_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, david_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); @@ -124,7 +124,7 @@ static void tests(void) // ============================== Alice and Bob are in the Account. ============================================ - ok(SOSAccountJoinCircles(carole_account, &error), "Carole Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(carole_account, &error), "Carole Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, carole_account, david_account, NULL), 2, "updates"); 
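Review bot: `ok(SOSAccountLeaveCircle(carole_account, &error), "Carol Leaves again");` is the only ok() in the hunk that does not print the error it collects, so a failed leave gives no cause, and the name is spelled differently from every other message; `ok(SOSAccountLeaveCircle(carole_account, &error), "Carole Leaves again (%@)", error);` matches the file's pattern. The comment `/* Break iCloud identity FPI in all peers */` reads as if every peer's identity is purged, but only alice_account is passed to purgeICloudIdentity, so either the comment or the purge is incomplete. The second join / join-after-restore sequence repeats the first one line for line; a static helper taking the three accounts would make the two runs and their expected update counts easier to compare.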
@@ -146,7 +146,7 @@ static void tests(void) is(ProcessChangesUntilNoChange(changes, alice_account, carole_account, david_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(david_account, &error), "David Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(david_account, &error), "David Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, carole_account, david_account, NULL), 2, "updates"); diff --git a/OSX/sec/securityd/Regressions/secd-62-account-backup.c b/OSX/sec/securityd/Regressions/secd-62-account-backup.c index 50cae95e..dd88584d 100644 --- a/OSX/sec/securityd/Regressions/secd-62-account-backup.c +++ b/OSX/sec/securityd/Regressions/secd-62-account-backup.c @@ -64,7 +64,7 @@ static CFDataRef CopyBackupKeyForString(CFStringRef string, CFErrorRef *error) return result; } -static int kTestTestCount = 112; +static int kTestTestCount = 133; #else static int kTestTestCount = 1; #endif @@ -77,15 +77,8 @@ static void tests(void) CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); CFStringRef cfaccount = CFSTR("test@test.org"); - CFStringRef kTestView1 = CFSTR("TestView1"); - CFStringRef kTestView2 = CFSTR("TestView2"); - - CFMutableSetRef testViews = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); - CFSetAddValue(testViews, kTestView1); - //CFSetAddValue(testViews, kTestView2); - - SOSViewsSetTestViewsSet(testViews); - + secd_test_setup_testviews(); // for running this test solo + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("Alice"), CFSTR("TestSource")); SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("Bob"), CFSTR("TestSource")); 
@@ -99,7 +92,7 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); @@ -109,7 +102,7 @@ static void tests(void) is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 1, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); 
@@ -129,33 +122,53 @@ static void tests(void) ok(peers && CFArrayGetCount(peers) == 2, "See two peers %@ (%@)", peers, error); CFReleaseNull(peers); - - is(SOSAccountUpdateView(alice_account, kTestView1, kSOSCCViewEnable, &error), kSOSCCViewMember, "Enable view (%@)", error); CFReleaseNull(error); + ok(SOSAccountCheckForRings(alice_account, &error), "Alice_account is good"); + CFReleaseNull(error); + is(SOSAccountUpdateView(bob_account, kTestView1, kSOSCCViewEnable, &error), kSOSCCViewMember, "Enable view (%@)", error); CFReleaseNull(error); - ok(SOSAccountSetBackupPublicKey(alice_account, alice_backup_key, &error), "Set backup public key, alice (%@)", error); + ok(SOSAccountCheckForRings(bob_account, &error), "Alice_account is good"); CFReleaseNull(error); - ok(SOSAccountSetBackupPublicKey(bob_account, bob_backup_key, &error), "Set backup public key, alice (%@)", error); + ok(SOSAccountSetBackupPublicKey_wTxn(alice_account, alice_backup_key, &error), "Set backup public key, alice (%@)", error); CFReleaseNull(error); - - SOSAccountEnsureBackupStarts(alice_account); - SOSAccountEnsureBackupStarts(bob_account); - + + ok(SOSAccountCheckForRings(alice_account, &error), "Alice_account is good"); + CFReleaseNull(error); + + ok(SOSAccountSetBackupPublicKey_wTxn(bob_account, bob_backup_key, &error), "Set backup public key, alice (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountCheckForRings(bob_account, &error), "Alice_account is good"); + CFReleaseNull(error); + ok(SOSAccountIsMyPeerInBackupAndCurrentInView(alice_account, kTestView1), "Is alice is in backup before sync?"); + + ok(SOSAccountCheckForRings(alice_account, &error), "Alice_account is good"); + CFReleaseNull(error); ok(SOSAccountIsMyPeerInBackupAndCurrentInView(bob_account, kTestView1), "Is bob in the backup after sync? 
- 1"); + ok(SOSAccountCheckForRings(bob_account, &error), "Alice_account is good"); + CFReleaseNull(error); + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 4, "updates"); - + + + ok(SOSAccountCheckForRings(alice_account, &error), "Alice_account is good"); + CFReleaseNull(error); + ok(SOSAccountIsMyPeerInBackupAndCurrentInView(alice_account, kTestView1), "Is alice is in backup after sync?"); ok(SOSAccountIsMyPeerInBackupAndCurrentInView(bob_account, kTestView1), "IS bob in the backup after sync"); + ok(!SOSAccountIsLastBackupPeer(alice_account, &error), "Alice is not last backup peer"); + CFReleaseNull(error); + // //Bob leaves the circle // @@ -166,11 +179,18 @@ static void tests(void) is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); ok(SOSAccountIsMyPeerInBackupAndCurrentInView(alice_account, kTestView1), "Bob left the circle, Alice is not in the backup"); + + ok(SOSAccountIsLastBackupPeer(alice_account, &error), "Alice is last backup peer"); + CFReleaseNull(error); + ok(!SOSAccountIsLastBackupPeer(bob_account, &error), "Bob is not last backup peer"); + CFReleaseNull(error); + + ok(testAccountPersistence(alice_account), "Test Account->DER->Account Equivalence"); ok(!SOSAccountIsPeerInBackupAndCurrentInView(alice_account, SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), kTestView1), "Bob is still in the backup!"); //Bob gets back into the circle - ok(SOSAccountJoinCircles(bob_account, &error)); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error)); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); { CFArrayRef applicants = SOSAccountCopyApplicants(alice_account, &error); 
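Review bot: The three new SOSAccountCheckForRings calls on bob_account carry the message "Alice_account is good", so a failing ring check is attributed to the wrong account in the test output; `ok(SOSAccountCheckForRings(bob_account, &error), "Bob_account is good");` for those lines. The `"Set backup public key, alice (%@)"` label on the bob_account SetBackupPublicKey_wTxn call has the same mismatch and this hunk rewrites that line anyway. Seven CheckForRings/CFReleaseNull pairs interleaved with the real steps hide what the test is exercising; a small static helper taking the account and a name would keep the body readable.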
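Review bot: `ok(SOSAccountJoinCircles_wTxn(bob_account, &error));` is the only ok() in the hunk with no description, and the error it may set is never released before `error` is reused by SOSAccountCopyApplicants on the next visible lines, so a failing rejoin prints nothing useful and leaks the CFErrorRef. `ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob rejoins (%@)", error); CFReleaseNull(error);` matches the rest of the file. tests() continues outside this hunk.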
@@ -188,18 +208,23 @@ static void tests(void) is(SOSAccountUpdateView(bob_account, kTestView1, kSOSCCViewEnable, &error), kSOSCCViewMember, "Enable view (%@)", error); CFReleaseNull(error); - ok(SOSAccountSetBackupPublicKey(bob_account, bob_backup_key, &error), "Set backup public key, alice (%@)", error); - SOSAccountEnsureBackupStarts(bob_account); - + ok(!SOSAccountIsMyPeerInBackupAndCurrentInView(bob_account, kTestView1), "Bob isn't in the backup yet"); + + ok(!SOSAccountIsLastBackupPeer(alice_account, &error), "Alice is not last backup peer - Bob still registers as one"); + CFReleaseNull(error); + + ok(SOSAccountSetBackupPublicKey_wTxn(bob_account, bob_backup_key, &error), "Set backup public key, alice (%@)", error); + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 1, "updates"); - + ok(!SOSAccountIsLastBackupPeer(alice_account, &error), "Alice is not last backup peer"); + CFReleaseNull(error); + // //removing backup key for bob account // - - ok(SOSAccountRemoveBackupPublickey(bob_account, &error), "Removing Bob's backup key (%@)", error); + ok(SOSAccountRemoveBackupPublickey_wTxn(bob_account, &error), "Removing Bob's backup key (%@)", error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates"); ok(!SOSAccountIsMyPeerInBackupAndCurrentInView(bob_account, kTestView1), "Bob's backup key is in the backup - should not be so!"); 
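Review bot: `ok(SOSAccountSetBackupPublicKey_wTxn(bob_account, bob_backup_key, &error), ...)` is followed by the ProcessChangesUntilNoChange check and then `ok(!SOSAccountIsLastBackupPeer(alice_account, &error), ...)` with no `CFReleaseNull(error)` in between, so an error from the set call leaks and is handed back in as a non-NULL *error. `CFReleaseNull(error);` directly after the set call matches the pattern used by the surrounding lines. The message on that call still reads "Set backup public key, alice (%@)" for a bob_account operation.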
@@ -209,12 +234,11 @@ static void tests(void) // Setting new backup public key for Bob // - ok(SOSAccountSetBackupPublicKey(bob_account, bob_backup_key, &error), "Set backup public key, alice (%@)", error); + ok(SOSAccountSetBackupPublicKey_wTxn(bob_account, bob_backup_key, &error), "Set backup public key, alice (%@)", error); CFReleaseNull(error); - SOSAccountEnsureBackupStarts(bob_account); is(SOSAccountUpdateView(bob_account, kTestView1, kSOSCCViewEnable, &error), kSOSCCViewMember, "Enable view (%@)", error); - ok(SOSAccountStartNewBackup(bob_account, kTestView1, &error), "Setting new backup public key for bob account failed: (%@)", error); + ok(SOSAccountNewBKSBForView(bob_account, kTestView1, &error), "Setting new backup public key for bob account failed: (%@)", error); //bob is in his own backup ok(SOSAccountIsMyPeerInBackupAndCurrentInView(bob_account, kTestView1), "Bob's backup key is not in the backup"); @@ -236,8 +260,6 @@ static void tests(void) CFReleaseNull(alice_account); CFReleaseNull(cfpassword); - SOSViewsSetTestViewsSet(NULL); - SOSUnregisterAllTransportMessages(); SOSUnregisterAllTransportCircles(); SOSUnregisterAllTransportKeyParameters(); @@ -245,7 +267,6 @@ static void tests(void) CFArrayRemoveAllValues(circle_transports); CFArrayRemoveAllValues(message_transports); - CFReleaseNull(testViews); CFReleaseNull(kTestView1); CFReleaseNull(kTestView2); #endif diff --git a/OSX/sec/securityd/Regressions/secd-62-account-hsa-join.c b/OSX/sec/securityd/Regressions/secd-62-account-hsa-join.c index 1c026b13..896d3515 100644 --- a/OSX/sec/securityd/Regressions/secd-62-account-hsa-join.c +++ b/OSX/sec/securityd/Regressions/secd-62-account-hsa-join.c 
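Review bot: The teardown keeps `CFReleaseNull(kTestView1); CFReleaseNull(kTestView2);` although the @@ -77 hunk of this file removed the local CFSTR definitions in favour of secd_test_setup_testviews(), so these names now presumably resolve to declarations shared with that helper; releasing and NULL-ing a shared view name from one test would affect any later test that runs in the same process. If the helper owns the view strings, these two lines should go or be replaced by a matching teardown call from the same utility header. Dropping `SOSViewsSetTestViewsSet(NULL)` in the @@ -236 hunk raises the same question, since the test views set no longer appears to be cleared on exit.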
@@ -79,12 +79,12 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(carole_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(error); CFReleaseNull(cfpassword); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); @@ -101,7 +101,7 @@ static void tests(void) accounts_agree("bob&alice pair", bob_account, alice_account); - ok(SOSAccountJoinCircles(carole_account, &error), "Carole Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(carole_account, &error), "Carole Applies (%@)", error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); @@ -109,9 +109,10 @@ static void tests(void) ok(carolePeerInfo, "got carole's peerinfo"); - SecKeyRef carolePubKey = SOSPeerInfoCopyPubKey(carolePeerInfo); + SecKeyRef carolePubKey = SOSPeerInfoCopyPubKey(carolePeerInfo, &error); - ok(carolePubKey, "got carole's pubkey"); + ok(carolePubKey, "got carole's pubkey (%@)", error); + CFReleaseNull(error); CFDataRef pubKeyData = NULL; OSStatus stat = SecKeyCopyPublicBytes(carolePubKey, &pubKeyData); diff --git a/OSX/sec/securityd/Regressions/secd-63-account-resurrection.c b/OSX/sec/securityd/Regressions/secd-63-account-resurrection.c index 0547796f..9956f1fb 100644 --- a/OSX/sec/securityd/Regressions/secd-63-account-resurrection.c +++ b/OSX/sec/securityd/Regressions/secd-63-account-resurrection.c 
@@ -118,12 +118,12 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(carole_account, cfaccount, cfpassword, &error), "carole credential setting (%@)", error); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account , &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account , &error), "Reset to offering (%@)", error); CFReleaseNull(error); return 2; }, ^{ - ok(SOSAccountJoinCircles(bob_account , &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account , &error), "Bob Applies (%@)", error); CFReleaseNull(error); return 2; @@ -184,7 +184,7 @@ static void tests(void) ok(!SOSAccountIsInCircle(alice_resurrected, &error), "Ressurrected not in circle: %@", error); CFReleaseNull(error); - ok(SOSAccountJoinCircles(alice_resurrected, &error), "Risen-alice Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(alice_resurrected, &error), "Risen-alice Applies (%@)", error); CFReleaseNull(error); return 2; }, ^{ diff --git a/OSX/sec/securityd/Regressions/secd-64-circlereset.c b/OSX/sec/securityd/Regressions/secd-64-circlereset.c index 9baed315..d377f41a 100644 --- a/OSX/sec/securityd/Regressions/secd-64-circlereset.c +++ b/OSX/sec/securityd/Regressions/secd-64-circlereset.c 
@@ -35,7 +35,44 @@ #include "SecdTestKeychainUtilities.h" -static int kTestTestCount = 46; +static int64_t getCurrentGenCount(SOSAccountRef account) { + return SOSCircleGetGenerationSint(account->trusted_circle); +} + +static bool SOSAccountResetWithGenCountValue(SOSAccountRef account, int64_t gcount, CFErrorRef* error) { + if (!SOSAccountHasPublicKey(account, error)) + return false; + __block bool result = true; + + result &= SOSAccountResetAllRings(account, error); + + CFReleaseNull(account->my_identity); + + account->departure_code = kSOSWithdrewMembership; + result &= SOSAccountModifyCircle(account, error, ^(SOSCircleRef circle) { + SOSGenCountRef gencount = SOSGenerationCreateWithValue(gcount); + result = SOSCircleResetToEmpty(circle, error); + SOSCircleSetGeneration(circle, gencount); + CFReleaseNull(gencount); + return result; + }); + + if (!result) { + secerror("error: %@", error ? *error : NULL); + } + + return result; +} + +static SOSCircleRef SOSCircleCreateWithGenCount(int64_t gcount) { + SOSCircleRef c = SOSCircleCreate(kCFAllocatorDefault, CFSTR("a"), NULL); + SOSGenCountRef gencount = SOSGenerationCreateWithValue(gcount); + SOSCircleSetGeneration(c, gencount); + CFReleaseNull(gencount); + return c; +} + +static int kTestTestCount = 47; static void tests(void) { @@ -43,6 +80,13 @@ static void tests(void) CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); CFStringRef cfaccount = CFSTR("test@test.org"); + SOSCircleRef c1 = SOSCircleCreateWithGenCount(1); + SOSCircleRef c99 = SOSCircleCreateWithGenCount(99); + ok(SOSCircleIsOlderGeneration(c1, c99), "Is Comparison working correctly?", NULL); + CFReleaseNull(c1); + CFReleaseNull(c99); + + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("Alice"), CFSTR("TestSource")); SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("Bob"), CFSTR("TestSource")); 
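Review bot: In SOSAccountResetWithGenCountValue the block passed to SOSAccountModifyCircle does `result = SOSCircleResetToEmpty(circle, error);` — an assignment, not `&=` — while the caller does `result &= SOSAccountModifyCircle(...)` on the same __block variable, so the read of `result` for the compound assignment and the write inside the block are indeterminately sequenced and a false from SOSAccountResetAllRings may or may not survive. Using a block-local `bool reset = SOSCircleResetToEmpty(circle, error);` and returning `reset`, leaving `result` to the outer `&=`, makes the outcome deterministic. SOSCircleCreateWithGenCount passes NULL for the error and calls SOSCircleSetGeneration on `c` without a NULL check, and getCurrentGenCount reads `account->trusted_circle` unconditionally; both are fine for the single caller in this file but would dereference NULL rather than fail if reused on an account without a circle.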
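Review bot: `ok(SOSCircleIsOlderGeneration(c1, c99), "Is Comparison working correctly?", NULL);` passes a trailing NULL that the format string has no conversion for, so it is a stray argument that -Wformat-extra-args will flag; `ok(SOSCircleIsOlderGeneration(c1, c99), "Is Comparison working correctly?");` is enough. The generation-ordering check is the only new assertion here, which matches kTestTestCount going from 46 to 47 in the previous hunk.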
@@ -52,10 +96,10 @@ static void tests(void)
 is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 1, "updates");
 ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error);
 CFReleaseNull(error);
- ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error);
+ ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error);
 CFReleaseNull(error);
 is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates");
- ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error);
+ ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error);
 CFReleaseNull(error);
 is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates");
 {
@@ -72,9 +116,14 @@ static void tests(void)
 ok(peers && CFArrayGetCount(peers) == 2, "See two peers %@ (%@)", peers, error);
 CFReleaseNull(peers);
- ok(SOSAccountResetToEmpty(alice_account, &error), "Alice resets the circle to empty");
+ uint64_t cnt = getCurrentGenCount(alice_account);
+
+ ok(SOSAccountResetWithGenCountValue(alice_account, cnt-1, &error), "Alice resets the circle to empty with old value");
 CFReleaseNull(error);
- is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates");
+
+ is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 1, "updates");
+ is(SOSAccountGetCircleStatus(bob_account, NULL), 0, "Bob Survives bad circle post");
+ is(SOSAccountGetCircleStatus(alice_account, NULL), 1, "Alice does not survive bad circle post");
 CFReleaseNull(bob_account);
 CFReleaseNull(alice_account);
 CFReleaseNull(cfpassword);
diff --git a/OSX/sec/securityd/Regressions/secd-65-account-retirement-reset.c b/OSX/sec/securityd/Regressions/secd-65-account-retirement-reset.c
index 92e8bf56..278e7a73 100644
--- a/OSX/sec/securityd/Regressions/secd-65-account-retirement-reset.c
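Review bot: `uint64_t cnt = getCurrentGenCount(alice_account);` in the second hunk stores an `int64_t` in an unsigned variable and then passes `cnt-1` back to an `int64_t` parameter, so the subtraction is done unsigned and wraps to `UINT64_MAX` when the current generation is 0 before being converted back; `int64_t cnt = getCurrentGenCount(alice_account);` matches both the getter and `SOSAccountResetWithGenCountValue`. The two `SOSAccountGetCircleStatus` assertions compare against bare `0` and `1`; if the status enum has names for those values, using them would make what "survives" means readable without the header. A short comment above the reset, e.g. `// Post a circle whose generation is one behind; Bob must refuse it and keep his current circle.`, would tie the changed "updates" count and the status checks to the regression being covered.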
+++ b/OSX/sec/securityd/Regressions/secd-65-account-retirement-reset.c
@@ -118,7 +118,7 @@ static void tests(void)
 ok(SOSAccountAssertUserCredentialsAndUpdate(carole_account, cfaccount, cfpassword, &error), "carole credential setting (%@)", error);
 CFReleaseNull(error);
- ok(SOSAccountResetToOffering(alice_account , &error), "Reset to offering (%@)", error);
+ ok(SOSAccountResetToOffering_wTxn(alice_account , &error), "Reset to offering (%@)", error);
 CFReleaseNull(error);
 return 2;
@@ -135,7 +135,7 @@ static void tests(void)
 return 2;
 }, ^{
- ok(SOSAccountResetToOffering(bob_account , &error), "Reset to offering (%@)", error);
+ ok(SOSAccountResetToOffering_wTxn(bob_account , &error), "Reset to offering (%@)", error);
 CFReleaseNull(error);
 return 2;
diff --git a/OSX/sec/securityd/Regressions/secd-70-engine-corrupt.c b/OSX/sec/securityd/Regressions/secd-70-engine-corrupt.c
index 427bba4c..9e57d6c2 100644
--- a/OSX/sec/securityd/Regressions/secd-70-engine-corrupt.c
+++ b/OSX/sec/securityd/Regressions/secd-70-engine-corrupt.c
@@ -247,6 +247,8 @@ int secd_70_engine_corrupt(int argc, char *const *argv)
 {
 plan_tests(kTestTestCount);
+ __security_simulatecrash_enable(false);
+
 /* custom keychain dir */
 secd_test_setup_temp_keychain(__FUNCTION__, NULL);
@@ -256,5 +258,7 @@ int secd_70_engine_corrupt(int argc, char *const *argv)
 add_sha1();
 change_sha1();
+ __security_simulatecrash_enable(true);
+
 return 0;
 }
diff --git a/OSX/sec/securityd/Regressions/secd-70-otr-remote.c b/OSX/sec/securityd/Regressions/secd-70-otr-remote.c
index c19e32b8..64d52847 100644
--- a/OSX/sec/securityd/Regressions/secd-70-otr-remote.c
+++ b/OSX/sec/securityd/Regressions/secd-70-otr-remote.c
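Review bot: `__security_simulatecrash_enable(false);` is issued right after `plan_tests` in `secd_70_engine_corrupt` and only undone by the `__security_simulatecrash_enable(true);` before `return 0;`, so every test between them runs with simulated-crash reporting silenced, not just the one that is expected to trip it, and any early exit from the function leaves it disabled for whatever runs next in the same process. Narrowing the disabled window to the specific corruption step, or re-enabling on every exit path, would keep the other assertions from masking a real crash report. The reason for the call is not visible in the hunk; a comment on the first call such as `// The deliberate engine-state corruption below is expected to trigger a simulated crash; suppress it for this test only.` would record it (the stated reason is my inference and should be confirmed).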
@@ -101,8 +101,8 @@ static void tests(void)
 CFReleaseNull(cfpassword);
- SOSAccountJoinCircles(alice_account, &testError);
- SOSAccountJoinCircles(bob_account, &testError);
+ SOSAccountJoinCircles_wTxn(alice_account, &testError);
+ SOSAccountJoinCircles_wTxn(bob_account, &testError);
 CFDataRef alice_account_data = SOSAccountCopyEncodedData(alice_account, kCFAllocatorDefault, &testError);
 CFDataRef bob_account_data = SOSAccountCopyEncodedData(bob_account, kCFAllocatorDefault, &testError);
diff --git a/OSX/sec/securityd/Regressions/secd-71-engine-save-sample1.h b/OSX/sec/securityd/Regressions/secd-71-engine-save-sample1.h
new file mode 100644
index 00000000..b2916f85
--- /dev/null
+++ b/OSX/sec/securityd/Regressions/secd-71-engine-save-sample1.h
@@ -0,0 +1,125 @@ + +/* + MANGO-iPhone:~ mobile$ security item class=genp,acct=engine-state + acct : engine-state + agrp : com.apple.security.sos + cdat : 2016-04-18 20:40:33 +0000 + mdat : 2016-04-18 20:40:33 +0000 + musr : // + pdmn : dk + svce : SOSDataSource-ak + sync : 0 + tomb : 0 +*/ + +static unsigned char es_mango_bin[] = { + 0x31, 0x82, 0x0a, 0x1b, 0x30, 0x20, 0x0c, 0x02, 0x69, 0x64, 0x0c, 0x1a, 0x68, 0x42, 0x79, 0x73, 0x6d, 0x66, 0x31, 0x73, 0x44, 0x4f, 0x63, 0x2f, + 0x6f, 0x4d, 0x56, 0x49, 0x51, 0x66, 0x45, 0x74, 0x4b, 0x69, 0x71, 0x65, 0x64, 0x6e, 0x30, 0x27, 0x0c, 0x07, 0x70, 0x65, 0x65, 0x72, 0x49, 0x44, + 0x73, 0x30, 0x1c, 0x0c, 0x1a, 0x79, 0x48, 0x6d, 0x77, 0x76, 0x76, 0x6f, 0x75, 0x44, 0x38, 0x65, 0x44, 0x4d, 0x74, 0x49, 0x48, 0x5a, 0x66, 0x39, + 0x75, 0x65, 0x75, 0x53, 0x58, 0x2f, 0x47, 0x30, 0x82, 0x03, 0xa3, 0x0c, 0x0d, 0x6d, 0x61, 0x6e, 0x69, 0x66, 0x65, 0x73, 0x74, 0x43, 0x61, 0x63, + 0x68, 0x65, 0x31, 0x82, 0x03, 0x90, 0x30, 0x18, 0x04, 0x14, 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, + 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09, 0x04, 0x00, 0x30, 0x7c, 0x04, 0x14, 0xf9, 0xb5, 0x93, 0x70, 0xa4, 0x73, 0x3f, 0x0d, 0x17, 0x4e, 0x8d, 0x22, + 0x0c, 0x5b, 0xe3, 0xaf, 0x06, 0x2c, 0x77, 0x5b, 0x04, 0x64, 0x5a, 0x57, 0x4b, 0xb4, 0xec, 0x90, 0xc3, 0xbb, 0xcc, 0x69, 0xee, 0x73, 0xcb, 0xfe, + 0x03, 0x91, 0x33, 0xae, 0x80, 0x72, 0x65, 0xd6, 0xa5, 0x80, 0x03, 0xb8, 0xd2, 0x05, 0x99, 0x7e, 0xab, 0x96, 0x39, 0x0a, 0xab, 0x20, 0x7e, 0x63, + 0xa2, 0xe2, 0x70, 0xa4, 0x76, 0xca, 0xb5, 0xb2, 0xd9, 0xd2, 0xf7, 0xb0, 0xe5, 0x55, 0x12, 0xaa, 0x95, 0x7b, 0x58, 0xd5, 0x65, 0x8e, 0x7e, 0xf9, + 0x07, 0xb0, 0x69, 0xb8, 0x3a, 0xa6, 0xba, 0x94, 0x17, 0x90, 0xa3, 0xc3, 0xc4, 0xa6, 0x82, 0x92, 0xd5, 0x9d, 0xab, 0xa3, 0xca, 0x34, 0x29, 0x66, + 0xef, 0xf8, 0x2e, 0x1a, 0xca, 0xeb, 0x69, 0x1f, 0xd6, 0xe2, 0x07, 0x72, 0xe1, 0x7e, 0x30, 0x82, 0x01, 0x6e, 0x04, 0x14, 0x2e, 0x69, 0xc2, 0xf7, + 0xf3, 0xe0, 0x14, 0x07, 0x5b, 0x30, 0x00, 0x4c, 0xe0, 
0xec, 0x6c, 0x1a, 0xd4, 0x19, 0xeb, 0xf5, 0x04, 0x82, 0x01, 0x54, 0x07, 0x57, 0x1e, 0x96, + 0x78, 0xfd, 0x7d, 0x68, 0x81, 0x2e, 0x40, 0x9c, 0xc9, 0x6c, 0x1f, 0x54, 0x83, 0x4a, 0x09, 0x9a, 0x0c, 0x3a, 0x2d, 0x12, 0xcc, 0xe2, 0xea, 0x95, + 0xf4, 0x50, 0x5e, 0xa5, 0x2f, 0x2c, 0x98, 0x2b, 0x2a, 0xde, 0xe3, 0xda, 0x14, 0xd4, 0x71, 0x2c, 0x00, 0x03, 0x09, 0xbf, 0x63, 0xd5, 0x4a, 0x98, + 0xb6, 0x1a, 0xa1, 0xd9, 0x63, 0xc4, 0x0e, 0x0e, 0x25, 0x31, 0xc8, 0x3b, 0x28, 0xca, 0x5b, 0xe6, 0xda, 0x0d, 0x26, 0x40, 0x0c, 0x3c, 0x77, 0xa6, + 0x18, 0xf7, 0x11, 0xdd, 0x3c, 0xc0, 0xbf, 0x86, 0xcc, 0xba, 0xf8, 0xaa, 0x33, 0x32, 0x97, 0x32, 0x68, 0xb3, 0x0e, 0xeb, 0xf2, 0x1c, 0xd8, 0x18, + 0x4d, 0x9c, 0x84, 0x27, 0xca, 0x13, 0xde, 0xcc, 0xc7, 0xbb, 0x83, 0xc8, 0x00, 0x09, 0xa2, 0xef, 0x45, 0xcc, 0xc0, 0x7f, 0x58, 0x63, 0x15, 0xc8, + 0x0c, 0xee, 0xee, 0xf5, 0xd5, 0x35, 0x2f, 0xd0, 0x00, 0xaa, 0xe6, 0xd9, 0xcb, 0xb4, 0x29, 0x4d, 0x59, 0x59, 0xfd, 0x00, 0x19, 0x82, 0x25, 0xaf, + 0x9a, 0xbd, 0x09, 0xb3, 0x41, 0xa2, 0xfd, 0xc2, 0x78, 0xe9, 0xfd, 0x14, 0x65, 0xd6, 0xa5, 0x80, 0x03, 0xb8, 0xd2, 0x05, 0x99, 0x7e, 0xab, 0x96, + 0x39, 0x0a, 0xab, 0x20, 0x7e, 0x63, 0xa2, 0xe2, 0x70, 0xa4, 0x76, 0xca, 0xb5, 0xb2, 0xd9, 0xd2, 0xf7, 0xb0, 0xe5, 0x55, 0x12, 0xaa, 0x95, 0x7b, + 0x58, 0xd5, 0x65, 0x8e, 0x7e, 0xf9, 0x07, 0xb0, 0x69, 0xb8, 0x3a, 0xa6, 0xba, 0x94, 0x17, 0x90, 0xa3, 0xc3, 0xc4, 0xa6, 0x82, 0x92, 0xd5, 0x9d, + 0x95, 0xc9, 0xd4, 0xd8, 0xa8, 0xbc, 0xa2, 0xe8, 0x24, 0x2a, 0xb0, 0xd4, 0x09, 0xf6, 0x71, 0xf2, 0x98, 0xb6, 0xdc, 0xae, 0x9b, 0xc4, 0x23, 0x8c, + 0x09, 0xe0, 0x75, 0x48, 0xce, 0xfb, 0x30, 0x00, 0x98, 0x60, 0x6f, 0x9e, 0x4f, 0x23, 0x0c, 0x99, 0xab, 0xa3, 0xca, 0x34, 0x29, 0x66, 0xef, 0xf8, + 0x2e, 0x1a, 0xca, 0xeb, 0x69, 0x1f, 0xd6, 0xe2, 0x07, 0x72, 0xe1, 0x7e, 0xb4, 0xfe, 0xfb, 0x84, 0xf8, 0xcf, 0x75, 0xc0, 0xc6, 0x9c, 0x59, 0x53, + 0x2c, 0x35, 0x4d, 0x17, 0x5a, 0x59, 0xf9, 0x61, 0xba, 0x4d, 0x4d, 0xfa, 0x01, 0x7f, 0xd8, 0x19, 0x22, 0x88, 0xf1, 0x42, 0x78, 0xae, 0x76, 0x71, + 0x2e, 
0x12, 0x7d, 0x65, 0xfe, 0x61, 0x6c, 0x7e, 0x4f, 0xd0, 0x71, 0x36, 0x44, 0xf7, 0xc9, 0xa7, 0xab, 0xa1, 0xce, 0x06, 0x56, 0x94, 0xa9, 0x68, + 0x30, 0x82, 0x01, 0x82, 0x04, 0x14, 0xcc, 0xf1, 0x79, 0xff, 0x71, 0x8c, 0x10, 0xf1, 0x51, 0xe7, 0x40, 0x9e, 0xdf, 0x1a, 0x06, 0xf0, 0xdf, 0x10, + 0xdc, 0xad, 0x04, 0x82, 0x01, 0x68, 0x07, 0x57, 0x1e, 0x96, 0x78, 0xfd, 0x7d, 0x68, 0x81, 0x2e, 0x40, 0x9c, 0xc9, 0x6c, 0x1f, 0x54, 0x83, 0x4a, + 0x09, 0x9a, 0x0c, 0x3a, 0x2d, 0x12, 0xcc, 0xe2, 0xea, 0x95, 0xf4, 0x50, 0x5e, 0xa5, 0x2f, 0x2c, 0x98, 0x2b, 0x2a, 0xde, 0xe3, 0xda, 0x14, 0xd4, + 0x71, 0x2c, 0x00, 0x03, 0x09, 0xbf, 0x63, 0xd5, 0x4a, 0x98, 0xb6, 0x1a, 0xa1, 0xd9, 0x63, 0xc4, 0x0e, 0x0e, 0x25, 0x31, 0xc8, 0x3b, 0x28, 0xca, + 0x5b, 0xe6, 0xda, 0x0d, 0x26, 0x40, 0x0c, 0x3c, 0x77, 0xa6, 0x18, 0xf7, 0x11, 0xdd, 0x3c, 0xc0, 0xbf, 0x86, 0xcc, 0xba, 0xf8, 0xaa, 0x33, 0x32, + 0x97, 0x32, 0x68, 0xb3, 0x0e, 0xeb, 0xf2, 0x1c, 0xd8, 0x18, 0x4d, 0x9c, 0x84, 0x27, 0xca, 0x13, 0xde, 0xcc, 0xc7, 0xbb, 0x83, 0xc8, 0x00, 0x09, + 0xa2, 0xef, 0x45, 0xcc, 0xc0, 0x7f, 0x58, 0x63, 0x15, 0xc8, 0x0c, 0xee, 0xee, 0xf5, 0xd5, 0x35, 0x2f, 0xd0, 0x00, 0xaa, 0xe6, 0xd9, 0xcb, 0xb4, + 0x29, 0x4d, 0x59, 0x59, 0xfd, 0x00, 0x19, 0x82, 0x25, 0xaf, 0x9a, 0xbd, 0x09, 0xb3, 0x41, 0xa2, 0xfd, 0xc2, 0x78, 0xe9, 0xfd, 0x14, 0x5a, 0x57, + 0x4b, 0xb4, 0xec, 0x90, 0xc3, 0xbb, 0xcc, 0x69, 0xee, 0x73, 0xcb, 0xfe, 0x03, 0x91, 0x33, 0xae, 0x80, 0x72, 0x65, 0xd6, 0xa5, 0x80, 0x03, 0xb8, + 0xd2, 0x05, 0x99, 0x7e, 0xab, 0x96, 0x39, 0x0a, 0xab, 0x20, 0x7e, 0x63, 0xa2, 0xe2, 0x70, 0xa4, 0x76, 0xca, 0xb5, 0xb2, 0xd9, 0xd2, 0xf7, 0xb0, + 0xe5, 0x55, 0x12, 0xaa, 0x95, 0x7b, 0x58, 0xd5, 0x65, 0x8e, 0x7e, 0xf9, 0x07, 0xb0, 0x69, 0xb8, 0x3a, 0xa6, 0xba, 0x94, 0x17, 0x90, 0xa3, 0xc3, + 0xc4, 0xa6, 0x82, 0x92, 0xd5, 0x9d, 0x95, 0xc9, 0xd4, 0xd8, 0xa8, 0xbc, 0xa2, 0xe8, 0x24, 0x2a, 0xb0, 0xd4, 0x09, 0xf6, 0x71, 0xf2, 0x98, 0xb6, + 0xdc, 0xae, 0x9b, 0xc4, 0x23, 0x8c, 0x09, 0xe0, 0x75, 0x48, 0xce, 0xfb, 0x30, 0x00, 0x98, 0x60, 0x6f, 0x9e, 
0x4f, 0x23, 0x0c, 0x99, 0xab, 0xa3, + 0xca, 0x34, 0x29, 0x66, 0xef, 0xf8, 0x2e, 0x1a, 0xca, 0xeb, 0x69, 0x1f, 0xd6, 0xe2, 0x07, 0x72, 0xe1, 0x7e, 0xb4, 0xfe, 0xfb, 0x84, 0xf8, 0xcf, + 0x75, 0xc0, 0xc6, 0x9c, 0x59, 0x53, 0x2c, 0x35, 0x4d, 0x17, 0x5a, 0x59, 0xf9, 0x61, 0xba, 0x4d, 0x4d, 0xfa, 0x01, 0x7f, 0xd8, 0x19, 0x22, 0x88, + 0xf1, 0x42, 0x78, 0xae, 0x76, 0x71, 0x2e, 0x12, 0x7d, 0x65, 0xfe, 0x61, 0x6c, 0x7e, 0x4f, 0xd0, 0x71, 0x36, 0x44, 0xf7, 0xc9, 0xa7, 0xab, 0xa1, + 0xce, 0x06, 0x56, 0x94, 0xa9, 0x68, 0x30, 0x82, 0x06, 0x25, 0x0c, 0x09, 0x70, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x82, 0x06, + 0x16, 0x30, 0x81, 0xd5, 0x0c, 0x0f, 0x4b, 0x65, 0x79, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x56, 0x30, 0x2d, 0x74, 0x6f, 0x6d, 0x62, 0x31, 0x81, 0xc1, + 0x30, 0x0e, 0x0c, 0x09, 0x6d, 0x75, 0x73, 0x74, 0x2d, 0x73, 0x65, 0x6e, 0x64, 0x01, 0x01, 0x00, 0x30, 0x11, 0x0c, 0x0c, 0x73, 0x65, 0x6e, 0x64, + 0x2d, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x01, 0x01, 0x01, 0x30, 0x12, 0x0c, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x2d, 0x6d, 0x61, 0x6e, + 0x69, 0x66, 0x65, 0x73, 0x74, 0x30, 0x00, 0x30, 0x14, 0x0c, 0x0f, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x2d, 0x6e, 0x75, 0x6d, 0x62, + 0x65, 0x72, 0x02, 0x01, 0x00, 0x30, 0x1a, 0x0c, 0x05, 0x76, 0x69, 0x65, 0x77, 0x73, 0xd1, 0x11, 0x0c, 0x0f, 0x4b, 0x65, 0x79, 0x63, 0x68, 0x61, + 0x69, 0x6e, 0x56, 0x30, 0x2d, 0x74, 0x6f, 0x6d, 0x62, 0x30, 0x2a, 0x0c, 0x10, 0x70, 0x65, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x2d, 0x6d, 0x61, 0x6e, + 0x69, 0x66, 0x65, 0x73, 0x74, 0x30, 0x16, 0x04, 0x14, 0xf9, 0xb5, 0x93, 0x70, 0xa4, 0x73, 0x3f, 0x0d, 0x17, 0x4e, 0x8d, 0x22, 0x0c, 0x5b, 0xe3, + 0xaf, 0x06, 0x2c, 0x77, 0x5b, 0x30, 0x2a, 0x0c, 0x12, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x72, 0x6d, 0x65, 0x64, 0x2d, 0x6d, 0x61, 0x6e, 0x69, 0x66, + 0x65, 0x73, 0x74, 0x04, 0x14, 0xf9, 0xb5, 0x93, 0x70, 0xa4, 0x73, 0x3f, 0x0d, 0x17, 0x4e, 0x8d, 0x22, 0x0c, 0x5b, 0xe3, 0xaf, 0x06, 0x2c, 0x77, + 0x5b, 0x30, 0x82, 0x05, 0x3a, 0x0c, 0x1a, 0x79, 0x48, 0x6d, 
0x77, 0x76, 0x76, 0x6f, 0x75, 0x44, 0x38, 0x65, 0x44, 0x4d, 0x74, 0x49, 0x48, 0x5a, + 0x66, 0x39, 0x75, 0x65, 0x75, 0x53, 0x58, 0x2f, 0x47, 0x31, 0x82, 0x05, 0x1a, 0x30, 0x0e, 0x0c, 0x09, 0x6d, 0x75, 0x73, 0x74, 0x2d, 0x73, 0x65, + 0x6e, 0x64, 0x01, 0x01, 0x00, 0x30, 0x11, 0x0c, 0x0c, 0x73, 0x65, 0x6e, 0x64, 0x2d, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x01, 0x01, 0x00, + 0x30, 0x14, 0x0c, 0x0f, 0x73, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x2d, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x02, 0x01, 0x03, 0x30, 0x27, + 0x0c, 0x0f, 0x70, 0x65, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x2d, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x04, 0x14, 0xda, 0x39, 0xa3, 0xee, 0x5e, + 0x6b, 0x4b, 0x0d, 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09, 0x30, 0x29, 0x0c, 0x11, 0x75, 0x6e, 0x77, 0x61, 0x6e, + 0x74, 0x65, 0x64, 0x2d, 0x6d, 0x61, 0x6e, 0x69, 0x66, 0x65, 0x73, 0x74, 0x04, 0x14, 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, + 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09, 0x30, 0x2a, 0x0c, 0x12, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x72, 0x6d, 0x65, 0x64, 0x2d, + 0x6d, 0x61, 0x6e, 0x69, 0x66, 0x65, 0x73, 0x74, 0x04, 0x14, 0xcc, 0xf1, 0x79, 0xff, 0x71, 0x8c, 0x10, 0xf1, 0x51, 0xe7, 0x40, 0x9e, 0xdf, 0x1a, + 0x06, 0xf0, 0xdf, 0x10, 0xdc, 0xad, 0x30, 0x3e, 0x0c, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x2d, 0x6d, 0x61, 0x6e, 0x69, 0x66, 0x65, 0x73, 0x74, + 0x30, 0x2c, 0x04, 0x14, 0xcc, 0xf1, 0x79, 0xff, 0x71, 0x8c, 0x10, 0xf1, 0x51, 0xe7, 0x40, 0x9e, 0xdf, 0x1a, 0x06, 0xf0, 0xdf, 0x10, 0xdc, 0xad, + 0x04, 0x14, 0x2e, 0x69, 0xc2, 0xf7, 0xf3, 0xe0, 0x14, 0x07, 0x5b, 0x30, 0x00, 0x4c, 0xe0, 0xec, 0x6c, 0x1a, 0xd4, 0x19, 0xeb, 0xf5, 0x30, 0x40, + 0x0c, 0x10, 0x70, 0x65, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x2d, 0x6d, 0x61, 0x6e, 0x69, 0x66, 0x65, 0x73, 0x74, 0x30, 0x2c, 0x04, 0x14, 0xcc, 0xf1, + 0x79, 0xff, 0x71, 0x8c, 0x10, 0xf1, 0x51, 0xe7, 0x40, 0x9e, 0xdf, 0x1a, 0x06, 0xf0, 0xdf, 0x10, 0xdc, 0xad, 0x04, 0x14, 0x2e, 0x69, 0xc2, 0xf7, + 0xf3, 0xe0, 
0x14, 0x07, 0x5b, 0x30, 0x00, 0x4c, 0xe0, 0xec, 0x6c, 0x1a, 0xd4, 0x19, 0xeb, 0xf5, 0x30, 0x82, 0x01, 0x16, 0x0c, 0x05, 0x76, 0x69, + 0x65, 0x77, 0x73, 0xd1, 0x82, 0x01, 0x0b, 0x0c, 0x04, 0x57, 0x69, 0x46, 0x69, 0x0c, 0x07, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x54, 0x56, 0x0c, 0x07, + 0x48, 0x6f, 0x6d, 0x65, 0x4b, 0x69, 0x74, 0x0c, 0x07, 0x50, 0x43, 0x53, 0x2d, 0x46, 0x44, 0x45, 0x0c, 0x09, 0x50, 0x43, 0x53, 0x2d, 0x4e, 0x6f, + 0x74, 0x65, 0x73, 0x0c, 0x09, 0x50, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x73, 0x0c, 0x0a, 0x50, 0x43, 0x53, 0x2d, 0x42, 0x61, 0x63, 0x6b, + 0x75, 0x70, 0x0c, 0x0a, 0x50, 0x43, 0x53, 0x2d, 0x45, 0x73, 0x63, 0x72, 0x6f, 0x77, 0x0c, 0x0a, 0x50, 0x43, 0x53, 0x2d, 0x50, 0x68, 0x6f, 0x74, + 0x6f, 0x73, 0x0c, 0x0b, 0x42, 0x61, 0x63, 0x6b, 0x75, 0x70, 0x42, 0x61, 0x67, 0x56, 0x30, 0x0c, 0x0b, 0x43, 0x72, 0x65, 0x64, 0x69, 0x74, 0x43, + 0x61, 0x72, 0x64, 0x73, 0x0c, 0x0b, 0x50, 0x43, 0x53, 0x2d, 0x53, 0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x0c, 0x0c, 0x50, 0x43, 0x53, 0x2d, 0x43, + 0x6c, 0x6f, 0x75, 0x64, 0x4b, 0x69, 0x74, 0x0c, 0x0c, 0x50, 0x43, 0x53, 0x2d, 0x46, 0x65, 0x6c, 0x64, 0x73, 0x70, 0x61, 0x72, 0x0c, 0x0c, 0x50, + 0x43, 0x53, 0x2d, 0x4d, 0x61, 0x69, 0x6c, 0x64, 0x72, 0x6f, 0x70, 0x0c, 0x0c, 0x50, 0x43, 0x53, 0x2d, 0x69, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, + 0x65, 0x0c, 0x0d, 0x4f, 0x74, 0x68, 0x65, 0x72, 0x53, 0x79, 0x6e, 0x63, 0x61, 0x62, 0x6c, 0x65, 0x0c, 0x0d, 0x50, 0x43, 0x53, 0x2d, 0x4d, 0x61, + 0x73, 0x74, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x0c, 0x0e, 0x69, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x0c, + 0x0f, 0x50, 0x43, 0x53, 0x2d, 0x69, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x44, 0x72, 0x69, 0x76, 0x65, 0x0c, 0x10, 0x43, 0x6f, 0x6e, 0x74, 0x69, 0x6e, + 0x75, 0x69, 0x74, 0x79, 0x55, 0x6e, 0x6c, 0x6f, 0x63, 0x6b, 0x30, 0x82, 0x02, 0xc1, 0x0c, 0x05, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x04, 0x82, 0x02, + 0xb6, 0x30, 0x82, 0x02, 0xb2, 0x04, 0x82, 0x02, 0xab, 0x06, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x0c, 0x6b, 0x65, 
0x79, 0x73, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x41, 0x04, 0x46, 0x62, 0x20, 0xcd, 0xee, 0x34, 0x9b, 0xb8, 0x68, 0x98, 0x21, 0xa6, 0xfc, 0x3a, 0x7c, 0xc3, + 0x77, 0x5d, 0x58, 0x39, 0xaf, 0xd6, 0x3c, 0xc6, 0x1c, 0xf9, 0x1e, 0xa8, 0xdb, 0x93, 0xba, 0xdd, 0xc6, 0x29, 0x6e, 0x86, 0xd9, 0x54, 0xc2, 0xe3, + 0x3d, 0x5f, 0x3b, 0x13, 0x87, 0xe1, 0xad, 0x4e, 0x06, 0x12, 0xab, 0xc0, 0x5e, 0x60, 0x4e, 0xf8, 0x2c, 0x37, 0x97, 0xa9, 0x5d, 0xc8, 0x25, 0x12, + 0x30, 0x45, 0x81, 0x43, 0x00, 0x41, 0x04, 0x70, 0xbc, 0xaa, 0x24, 0x80, 0xbf, 0x11, 0x7e, 0xeb, 0x2c, 0x4f, 0xe2, 0x86, 0xf3, 0x38, 0xab, 0x48, + 0x3c, 0xe5, 0xd7, 0xdc, 0x69, 0xb7, 0x81, 0x71, 0x83, 0x9b, 0xf3, 0xf7, 0xa0, 0x96, 0x0b, 0xe8, 0xcd, 0xef, 0xf7, 0x26, 0x0a, 0x7a, 0xc1, 0x22, + 0x7d, 0xa0, 0x00, 0x13, 0x2a, 0x95, 0xee, 0x89, 0x83, 0x9b, 0x7a, 0xf0, 0x56, 0x24, 0x28, 0x89, 0x86, 0x2e, 0x3a, 0x06, 0xca, 0xea, 0x7d, 0x67, + 0x0c, 0x42, 0x15, 0x56, 0x55, 0xc2, 0x39, 0x13, 0x89, 0x31, 0x73, 0xf1, 0x26, 0xce, 0x4f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x41, 0x04, 0x3a, 0x81, 0x2c, 0x93, 0xa5, 0xe2, 0x51, 0x73, 0xe3, 0xe8, 0xe4, 0xa1, 0x4b, 0xaf, 0xf9, 0xfe, 0x5c, 0x34, 0x2b, 0xde, 0xc1, 0x0a, + 0xe7, 0x14, 0x41, 0x4c, 0xbd, 0x93, 0xc5, 0x8e, 0x2e, 0x57, 0x0d, 0xcf, 0x68, 0x85, 0x89, 0xe8, 0x47, 0xfc, 0xf1, 0x57, 0xcb, 0xcf, 0x55, 0x6b, + 0x30, 0xf9, 0x95, 0x30, 0x73, 0x05, 0x90, 0x26, 0xad, 0x67, 0x6b, 0x52, 0x0a, 0x14, 0x35, 0x66, 0x6c, 0x68, 0x00, 0x00, 0x00, 0x20, 0xb7, 0x75, + 0x89, 0x6c, 0xa0, 0xf3, 0xb8, 0x5c, 0xcb, 0x42, 0x76, 0x5c, 0xfa, 0x23, 0xbc, 0x31, 0x25, 0x2c, 0xff, 0xbf, 0xab, 0x42, 0x93, 0xe3, 0xfe, 0xa5, + 0xab, 0xa1, 0x8b, 0xb9, 0xfb, 0x5d, 0x00, 0x00, 0x00, 0x41, 0x04, 0x32, 0xa0, 0x73, 0xc6, 0x84, 0x50, 0x7c, 0xd6, 0xad, 0x0f, 0x4e, 0x8e, 0x89, + 0xbb, 0x87, 0xe1, 0x41, 0xad, 0xc3, 0xfc, 0x10, 0x6a, 0x03, 0x2e, 0x80, 0x87, 0x57, 0xf0, 0x28, 0xbc, 0xd3, 0x2b, 0x70, 0xf5, 0x71, 0x33, 0x03, + 0x92, 0xa7, 0x6f, 0x85, 0xa3, 0x51, 0xc5, 0xa5, 0xea, 0xd3, 0xd1, 
0x5d, 0xbf, 0xf1, 0x94, 0x1e, 0xb9, 0x14, 0x76, 0x6a, 0xa5, 0x6e, 0xbb, 0x3a, + 0x84, 0xa9, 0xd4, 0x00, 0x00, 0x00, 0x20, 0x69, 0x79, 0x82, 0x88, 0xd1, 0x99, 0x93, 0x6e, 0x8d, 0x67, 0x02, 0x00, 0xb1, 0xe5, 0x09, 0x90, 0x1c, + 0xa0, 0x9d, 0x4c, 0xb5, 0x4c, 0x8c, 0x21, 0x4b, 0x51, 0x16, 0x4a, 0x85, 0x43, 0x11, 0x51, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x41, + 0x04, 0x51, 0xbc, 0xc5, 0xb7, 0xa1, 0xa1, 0xf0, 0x8c, 0x32, 0xb0, 0xe0, 0x37, 0x71, 0x60, 0x7a, 0x52, 0x67, 0x92, 0x24, 0x13, 0xa1, 0x57, 0x24, + 0x7d, 0x04, 0x86, 0x97, 0x70, 0xb0, 0xfd, 0xbd, 0xda, 0x73, 0xea, 0x21, 0x59, 0xaa, 0x5e, 0x93, 0xcd, 0x92, 0xbb, 0x23, 0x9d, 0x28, 0x67, 0x78, + 0xa4, 0x6f, 0xa5, 0x98, 0xcd, 0x43, 0x7b, 0xf1, 0xf2, 0xf3, 0x65, 0xa0, 0xa3, 0x7d, 0xd9, 0xb1, 0x91, 0x00, 0x00, 0x00, 0x41, 0x04, 0xd5, 0x55, + 0x5f, 0xa3, 0x0d, 0xfa, 0x00, 0xea, 0x45, 0xf2, 0x3d, 0x27, 0xc8, 0xa5, 0x44, 0x7c, 0xa7, 0xc0, 0x01, 0x62, 0x26, 0xab, 0x44, 0x4b, 0xe1, 0xf6, + 0x89, 0x2a, 0x2b, 0x8c, 0x52, 0xaa, 0x0c, 0x1b, 0xfa, 0xf8, 0x3d, 0x1b, 0xbe, 0xc1, 0x29, 0x08, 0xdf, 0xa7, 0x30, 0x89, 0x0b, 0x5a, 0xdd, 0xcf, + 0xd6, 0x2e, 0x1a, 0x63, 0x81, 0x39, 0x0c, 0x61, 0x1a, 0x64, 0x0c, 0x0d, 0xb3, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0xad, 0xc2, 0xb3, 0xe0, 0x47, 0xbe, 0xbd, 0x4f, 0xe1, 0x4b, 0xd9, 0x2c, 0x5d, 0x08, + 0x88, 0xb2, 0x0f, 0x2a, 0xf5, 0x9a, 0x15, 0xa3, 0xb7, 0x3b, 0xd8, 0xe6, 0x48, 0x33, 0x30, 0x51, 0x26, 0x6a, 0x31, 0x99, 0x24, 0x63, 0xa8, 0xaa, + 0xa7, 0x46, 0xdd, 0xcf, 0x62, 0xec, 0x98, 0x97, 0xbe, 0xe0, 0xd3, 0x41, 0x15, 0x58, 0x42, 0x62, 0xd8, 0x55, 0x02, 0xc4, 0x46, 0x5c, 0x00, 0x00, + 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00 +}; +unsigned int es_mango_bin_len = 2591; diff --git a/OSX/sec/securityd/Regressions/secd-71-engine-save.c b/OSX/sec/securityd/Regressions/secd-71-engine-save.c new file mode 100644 index 00000000..bd367670 --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-71-engine-save.c 
@@ -0,0 +1,148 @@ +/* + * Copyright (c) 2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +// Test save and restore of SOSEngine states + +#include <SOSCircle/Regressions/SOSTestDevice.h> +#include <SOSCircle/Regressions/SOSTestDataSource.h> +#include "secd_regressions.h" +#include "SecdTestKeychainUtilities.h" + +#include <Security/SecureObjectSync/SOSEngine.h> +#include <Security/SecureObjectSync/SOSPeer.h> +#include <Security/SecBase64.h> +#include <Security/SecItem.h> +#include <Security/SecItemPriv.h> +#include <corecrypto/ccsha2.h> +#include <securityd/SecItemServer.h> +#include <securityd/SecItemDataSource.h> +#include <utilities/SecCFWrappers.h> +#include <utilities/SecIOFormat.h> +#include <utilities/SecFileLocations.h> + +#include <AssertMacros.h> +#include <stdint.h> + +static int kTestTestCount = 28 + 1; // +1 for secd_test_setup_temp_keychain + +#include "secd-71-engine-save-sample1.h" + +static bool addEngineStateWithData(CFDataRef engineStateData) { + /* + MANGO-iPhone:~ mobile$ security item class=genp,acct=engine-state + acct : engine-state + 
agrp : com.apple.security.sos + cdat : 2016-04-18 20:40:33 +0000 + mdat : 2016-04-18 20:40:33 +0000 + musr : // + pdmn : dk + svce : SOSDataSource-ak + sync : 0 + tomb : 0 + */ + + CFMutableDictionaryRef item = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + CFDictionarySetValue(item, kSecClass, kSecClassGenericPassword); + CFDictionarySetValue(item, kSecAttrAccount, CFSTR("engine-state")); + CFDictionarySetValue(item, kSecAttrAccessGroup, CFSTR("com.apple.security.sos")); + CFDictionarySetValue(item, kSecAttrAccessible, kSecAttrAccessibleAlwaysPrivate); + CFDictionarySetValue(item, kSecAttrService, CFSTR("SOSDataSource-ak")); + CFDictionarySetValue(item, kSecAttrSynchronizable, kCFBooleanFalse); + CFDictionarySetValue(item, kSecValueData, engineStateData); + + CFErrorRef localError = NULL; + OSStatus status = noErr; + is_status(status = SecItemAdd(item, (CFTypeRef *)&localError), errSecSuccess, "add v0 engine-state"); + CFReleaseSafe(item); + CFReleaseSafe(localError); + return status == noErr; +} + +#if 0 +static void testsync2(const char *name, const char *test_directive, const char *test_reason, void (^aliceInit)(SOSDataSourceRef ds), void (^bobInit)(SOSDataSourceRef ds), CFStringRef msg, ...) 
{ + __block int iteration=0; + SOSTestDeviceListTestSync(name, test_directive, test_reason, kSOSPeerVersion, false, ^bool(SOSTestDeviceRef source, SOSTestDeviceRef dest) { + if (iteration == 96) { + pass("%@ before message", source); + } + return false; + }, ^bool(SOSTestDeviceRef source, SOSTestDeviceRef dest, SOSMessageRef message) { + iteration++; + if (iteration == 60) { + pass("%@ before addition", source); + //SOSTestDeviceAddGenericItem(source, CFSTR("test_account"), CFSTR("test service")); + SOSTestDeviceAddRemoteGenericItem(source, CFSTR("test_account"), CFSTR("test service")); + pass("%@ after addition", source); + return true; + } + return false; + }, CFSTR("alice"), CFSTR("bob"), CFSTR("claire"), CFSTR("dave"),CFSTR("edward"), CFSTR("frank"), CFSTR("gary"), NULL); +} +#endif + +static void testsync2p(void) { + __block int iteration = 0; + SOSTestDeviceListTestSync("testsync2p", test_directive, test_reason, 0, false, ^bool(SOSTestDeviceRef source, SOSTestDeviceRef dest) { + iteration++; + // Add 10 items in first 10 sync messages + if (iteration <= 10) { + CFStringRef account = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("item%d"), iteration); + SOSTestDeviceAddGenericItem(source, account, CFSTR("testsync2p")); + CFReleaseSafe(account); + return true; + } + return false; + }, ^bool(SOSTestDeviceRef source, SOSTestDeviceRef dest, SOSMessageRef message) { + return false; + }, CFSTR("Atestsync2p"), CFSTR("Btestsync2p"), NULL); +} + +static void savetests(void) { + ok(true,"message"); +// SOSEngineSave(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) + testsync2p(); +} + +int secd_71_engine_save(int argc, char *const *argv) +{ + plan_tests(kTestTestCount); + + /* custom keychain dir */ + // secd_test_setup_temp_keychain(__FUNCTION__, NULL); + secd_test_setup_temp_keychain(__FUNCTION__, ^{ + CFStringRef keychain_path_cf = __SecKeychainCopyPath(); + + CFDataRef engineStateData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, 
es_mango_bin, es_mango_bin_len, kCFAllocatorNull); + ok(addEngineStateWithData(engineStateData),"failed to add v0 engine state"); + CFReleaseSafe(engineStateData); + CFReleaseSafe(keychain_path_cf); + }); + + // TODO: use call that prepopulates keychain (block for above) + ok(sizeof(es_mango_bin)== es_mango_bin_len,"bad mango"); + savetests(); + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-76-idstransport.c b/OSX/sec/securityd/Regressions/secd-76-idstransport.c new file mode 100644 index 00000000..10ced6b0 --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-76-idstransport.c 
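Review bot: In `addEngineStateWithData`, `SecItemAdd(item, (CFTypeRef *)&localError)` hands the error variable to SecItemAdd's second parameter, which is the `result` out-parameter for the added item (populated only when a kSecReturn* key is present), not an error; `localError` can therefore never hold an error and the cast only hides the mismatch. Passing NULL and dropping the variable states the intent: `is_status(status = SecItemAdd(item, NULL), errSecSuccess, "add v0 engine-state");`. `es_mango_bin_len` in the included sample header (previous hunk) is defined without `static`, so including that header from a second translation unit would produce a duplicate symbol; `static const unsigned int` would match `es_mango_bin`, and the `ok(sizeof(es_mango_bin)== es_mango_bin_len, ...)` check would be stronger if it ran before the data is used in the setup block rather than after. The `#if 0` `testsync2` block is dead code in a brand-new file and is better removed than kept.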
@@ -0,0 +1,313 @@ +// +// secd-76-idstransport.c +// sec +// +// + +/* + * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. 
+ * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#include <stdio.h> +#include <Security/SecBase.h> +#include <Security/SecItem.h> + +#include <Security/SecureObjectSync/SOSAccount.h> +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSInternal.h> +#include <Security/SecureObjectSync/SOSFullPeerInfo.h> +#include <Security/SecureObjectSync/SOSUserKeygen.h> +#include <stdlib.h> +#include <unistd.h> + +#include "secd_regressions.h" +#include "SOSTestDataSource.h" + +#include "SOSRegressionUtilities.h" +#include <utilities/SecCFWrappers.h> + +#include <securityd/SOSCloudCircleServer.h> +#include "SecdTestKeychainUtilities.h" +#include "SOSAccountTesting.h" +#include "SOSTransportTestTransports.h" +#include <Security/SecureObjectSync/SOSTransportMessageIDS.h> +#include <SOSCircle/CKBridge/SOSCloudKeychainConstants.h> +#include "SOSTestDevice.h" + +static int kTestTestCount = 92; + +static void tests() +{ + CFErrorRef error = NULL; + + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); + CFStringRef cfaccount = CFSTR("test@test.org"); + + SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("Alice"), CFSTR("ak")); + SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("Bob"), CFSTR("ak")); + + ok(SOSAccountAssertUserCredentialsAndUpdate(bob_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + + // Bob wins writing at this point, feed the changes back to alice. 
+ is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 1, "updates"); + + ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(cfpassword); + CFReleaseNull(error); + + ok(NULL != alice_account, "Alice Created"); + ok(NULL != bob_account, "Bob Created"); + + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + { + CFArrayRef applicants = SOSAccountCopyApplicants(alice_account, &error); + + ok(applicants && CFArrayGetCount(applicants) == 1, "See one applicant %@ (%@)", applicants, error); + ok(SOSAccountAcceptApplicants(alice_account, applicants, &error), "Alice accepts (%@)", error); + CFReleaseNull(error); + CFReleaseNull(applicants); + } + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates"); + + accounts_agree("bob&alice pair", bob_account, alice_account); + + CFArrayRef peers = SOSAccountCopyPeers(alice_account, &error); + ok(peers && CFArrayGetCount(peers) == 2, "See two peers %@ (%@)", peers, error); + CFReleaseNull(peers); + + //creating test devices + CFIndex version = 0; + + // Optionally prefix each peer with name to make them more unique. 
+ CFArrayRef deviceIDs = CFArrayCreateForCFTypes(kCFAllocatorDefault,SOSAccountGetMyPeerID(alice_account), SOSAccountGetMyPeerID(bob_account), NULL); + CFSetRef views = SOSViewsCopyTestV2Default(); + CFMutableArrayRef peerMetas = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFStringRef deviceID; + CFArrayForEachC(deviceIDs, deviceID) { + SOSPeerMetaRef peerMeta = SOSPeerMetaCreateWithComponents(deviceID, views, NULL); + CFArrayAppendValue(peerMetas, peerMeta); + CFReleaseNull(peerMeta); + } + + CFReleaseNull(views); + CFArrayForEachC(deviceIDs, deviceID) { + SOSTestDeviceRef device = SOSTestDeviceCreateWithDbNamed(kCFAllocatorDefault, deviceID, deviceID); + SOSTestDeviceSetPeerIDs(device, peerMetas, version, NULL); + + if(CFEqualSafe(deviceID, SOSAccountGetMyPeerID(alice_account))){ + alice_account->factory = device->dsf; + SOSTestDeviceAddGenericItem(device, CFSTR("Alice"), CFSTR("Alice-add")); + } + else{ + bob_account->factory = device->dsf; + SOSTestDeviceAddGenericItem(device, CFSTR("Bob"), CFSTR("Bob-add")); + } + CFReleaseNull(device); + } + CFReleaseNull(deviceIDs); + CFReleaseNull(peerMetas); + + SOSUnregisterAllTransportMessages(); + CFArrayRemoveAllValues(message_transports); + + alice_account->ids_message_transport = (SOSTransportMessageRef)SOSTransportMessageIDSTestCreate(alice_account, CFSTR("Alice"), SOSCircleGetName(alice_account->trusted_circle), &error); + bob_account->ids_message_transport = (SOSTransportMessageRef)SOSTransportMessageIDSTestCreate(bob_account, CFSTR("Bob"), SOSCircleGetName(bob_account->trusted_circle), &error); + + ok(alice_account->ids_message_transport != NULL, "Alice Account, Created IDS Test Transport"); + ok(bob_account->ids_message_transport != NULL, "Bob Account, Created IDS Test Transport"); + + bool result = SOSAccountModifyCircle(alice_account, &error, ^bool(SOSCircleRef circle) { + CFErrorRef localError = NULL; + + SOSFullPeerInfoUpdateTransportType(alice_account->my_identity, SOSTransportMessageTypeIDSV2, 
&localError); + SOSFullPeerInfoUpdateTransportPreference(alice_account->my_identity, kCFBooleanFalse, &localError); + SOSFullPeerInfoUpdateTransportFragmentationPreference(alice_account->my_identity, kCFBooleanTrue, &localError); + + return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), NULL); + }); + + ok(result, "Alice account update circle with transport type"); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + result = SOSAccountModifyCircle(bob_account, &error, ^bool(SOSCircleRef circle) { + CFErrorRef localError = NULL; + + SOSFullPeerInfoUpdateTransportType(bob_account->my_identity, SOSTransportMessageTypeIDSV2, &localError); + SOSFullPeerInfoUpdateTransportPreference(bob_account->my_identity, kCFBooleanFalse, &localError); + SOSFullPeerInfoUpdateTransportFragmentationPreference(bob_account->my_identity, kCFBooleanTrue, &localError); + + return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), NULL); + }); + + ok(result, "Bob account update circle with transport type"); + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + CFStringRef alice_transportType =SOSPeerInfoCopyTransportType(SOSAccountGetMyPeerInfo(alice_account)); + CFStringRef bob_accountTransportType = SOSPeerInfoCopyTransportType(SOSAccountGetMyPeerInfo(bob_account)); + ok(CFEqualSafe(alice_transportType, CFSTR("IDS2.0")), "Alice transport type not IDS"); + ok(CFEqualSafe(bob_accountTransportType, CFSTR("IDS2.0")), "Bob transport type not IDS"); + + CFReleaseNull(alice_transportType); + CFReleaseNull(bob_accountTransportType); + + SOSTransportMessageIDSTestSetName(alice_account->ids_message_transport, CFSTR("Alice Account")); + ok(SOSTransportMessageIDSTestGetName(alice_account->ids_message_transport) != NULL, "retrieved getting account name"); + ok(SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(alice_account, &error) != false, "device ID 
from IDSKeychainSyncingProxy"); + + SOSTransportMessageIDSTestSetName(bob_account->ids_message_transport, CFSTR("Bob Account")); + ok(SOSTransportMessageIDSTestGetName(bob_account->ids_message_transport) != NULL, "retrieved getting account name"); + ok(SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(bob_account, &error) != false, "device ID from IDSKeychainSyncingProxy"); + + ok(SOSAccountSetMyDSID(alice_account, CFSTR("Alice"),&error), "Setting IDS device ID"); + CFStringRef alice_dsid = SOSAccountCopyDeviceID(alice_account, &error); + ok(CFEqualSafe(alice_dsid, CFSTR("Alice")), "Getting IDS device ID"); + + ok(SOSAccountSetMyDSID(bob_account, CFSTR("Bob"),&error), "Setting IDS device ID"); + CFStringRef bob_dsid = SOSAccountCopyDeviceID(bob_account, &error); + ok(CFEqualSafe(bob_dsid, CFSTR("Bob")), "Getting IDS device ID"); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates"); + + SOSTransportMessageIDSTestSetName(alice_account->ids_message_transport, CFSTR("Alice Account")); + ok(SOSTransportMessageIDSTestGetName(alice_account->ids_message_transport) != NULL, "retrieved getting account name"); + ok(SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(alice_account, &error) != false, "device ID from IDSKeychainSyncingProxy"); + + ok(SOSAccountSetMyDSID(alice_account, CFSTR("DSID"),&error), "Setting IDS device ID"); + CFStringRef dsid = SOSAccountCopyDeviceID(alice_account, &error); + ok(CFEqualSafe(dsid, CFSTR("DSID")), "Getting IDS device ID"); + CFReleaseNull(dsid); + + ok(SOSAccountStartPingTest(alice_account, CFSTR("hai there!"), &error), "Ping test"); + ok(CFDictionaryGetCount(SOSTransportMessageIDSTestGetChanges(alice_account->ids_message_transport)) != 0, "ping message made it to transport"); + SOSTransportMessageIDSTestClearChanges(alice_account->ids_message_transport); + + ok(SOSAccountSendIDSTestMessage(alice_account, CFSTR("hai again!"), &error), "Send Test Message"); + 
ok(CFDictionaryGetCount(SOSTransportMessageIDSTestGetChanges(alice_account->ids_message_transport)) != 0, "ping message made it to transport"); + + CFStringRef dataKey = CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeyIDSDataMessage, kCFStringEncodingASCII); + CFStringRef deviceIDKey = CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeyDeviceID, kCFStringEncodingASCII); + CFStringRef sendersPeerIDKey = CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeySendersPeerID, kCFStringEncodingASCII); + + //test IDS message handling + CFMutableDictionaryRef messageDict = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + ok(SOSTransportMessageIDSHandleMessage(alice_account, messageDict, &error) == kHandleIDSMessageDontHandle, "sending empty message dictionary"); + + CFDictionaryAddValue(messageDict, deviceIDKey, CFSTR("Alice Account")); + ok(SOSTransportMessageIDSHandleMessage(alice_account, messageDict, &error) == kHandleIDSMessageDontHandle, "sending device ID only"); + + CFReleaseNull(messageDict); + messageDict = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFDictionaryAddValue(messageDict, sendersPeerIDKey, CFSTR("Alice Account")); + ok(SOSTransportMessageIDSHandleMessage(alice_account, messageDict, &error) == kHandleIDSMessageDontHandle, "sending peer ID only"); + + CFReleaseNull(messageDict); + messageDict = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFDataRef data = CFDataCreate(kCFAllocatorDefault, 0, 0); + CFDictionaryAddValue(messageDict, dataKey, data); + ok(SOSTransportMessageIDSHandleMessage(alice_account, messageDict, &error) == kHandleIDSMessageDontHandle, "sending data only"); + + CFReleaseNull(messageDict); + CFReleaseNull(data); + messageDict = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + data = CFDataCreate(kCFAllocatorDefault, 0, 0); + CFDictionaryAddValue(messageDict, dataKey, data); + CFDictionaryAddValue(messageDict, sendersPeerIDKey, CFSTR("Alice Account")); + 
ok(SOSTransportMessageIDSHandleMessage(alice_account, messageDict, &error) == kHandleIDSMessageDontHandle, "sending data and peerid only"); + + CFReleaseNull(messageDict); + CFReleaseNull(data); + messageDict = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + data = CFDataCreate(kCFAllocatorDefault, 0, 0); + CFDictionaryAddValue(messageDict, dataKey, data); + CFDictionaryAddValue(messageDict, deviceIDKey, CFSTR("Alice Account")); + ok(SOSTransportMessageIDSHandleMessage(alice_account, messageDict, &error) == kHandleIDSMessageDontHandle, "sending data and deviceid only"); + + CFReleaseNull(messageDict); + CFReleaseNull(data); + messageDict = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFDictionaryAddValue(messageDict, deviceIDKey, CFSTR("Alice Account")); + CFDictionaryAddValue(messageDict, sendersPeerIDKey, CFSTR("Alice Account")); + ok(SOSTransportMessageIDSHandleMessage(alice_account, messageDict, &error) == kHandleIDSMessageDontHandle, "sending peerid and deviceid only"); + + CFReleaseNull(messageDict); + CFReleaseNull(data); + messageDict = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + data = CFDataCreate(kCFAllocatorDefault, 0, 0); + CFDictionaryAddValue(messageDict, dataKey, data); + CFDictionaryAddValue(messageDict, deviceIDKey, CFSTR("Alice Account")); + CFDictionaryAddValue(messageDict, sendersPeerIDKey, SOSPeerInfoGetPeerID(SOSAccountGetMyPeerInfo(bob_account))); + ok(SOSTransportMessageIDSHandleMessage(alice_account, messageDict, &error) == kHandleIDSMessageDontHandle, "sending peerid and deviceid and data"); + + CFReleaseNull(messageDict); + CFReleaseNull(data); + + messageDict = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + data = CFDataCreate(kCFAllocatorDefault, 0, 0); + CFDictionaryAddValue(messageDict, dataKey, data); + CFStringRef BobDeviceID = SOSPeerInfoCopyDeviceID(SOSAccountGetMyPeerInfo(bob_account)); + CFDictionaryAddValue(messageDict, deviceIDKey, BobDeviceID); + 
CFReleaseNull(BobDeviceID); + CFDictionaryAddValue(messageDict, sendersPeerIDKey, CFSTR("Alice Account")); + ok(SOSTransportMessageIDSHandleMessage(alice_account, messageDict, &error) == kHandleIDSMessageDontHandle, "sending peerid and deviceid and data"); + + CFReleaseNull(data); + CFReleaseNull(dataKey); + CFReleaseNull(deviceIDKey); + CFReleaseNull(sendersPeerIDKey); + + CFReleaseNull(alice_account); + CFReleaseNull(bob_account); + CFReleaseNull(alice_dsid); + CFReleaseNull(bob_dsid); + CFReleaseNull(changes); + + SOSUnregisterAllTransportMessages(); + SOSUnregisterAllTransportCircles(); + SOSUnregisterAllTransportKeyParameters(); + CFArrayRemoveAllValues(key_transports); + CFArrayRemoveAllValues(circle_transports); + CFArrayRemoveAllValues(message_transports); + +} +int secd_76_idstransport(int argc, char *const *argv) +{ + plan_tests(kTestTestCount); + + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + + tests(); + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-80-views-basic.c b/OSX/sec/securityd/Regressions/secd-80-views-basic.c index 2d3bfcf9..ad0a0327 100644 --- a/OSX/sec/securityd/Regressions/secd-80-views-basic.c +++ b/OSX/sec/securityd/Regressions/secd-80-views-basic.c @@ -40,6 +40,8 @@ #include <Security/SecureObjectSync/SOSInternal.h> #include <Security/SecureObjectSync/SOSFullPeerInfo.h> #include <Security/SecureObjectSync/SOSUserKeygen.h> +#include <Security/SecureObjectSync/SOSViews.h> + #include <stdlib.h> #include <unistd.h> 
@@ -72,12 +74,36 @@ static void testView(SOSAccountRef account, SOSViewResultCode expected, CFString CFReleaseNull(error); } -static int kTestTestCount = 21; +static void testViewLists(void) { + CFSetRef allViews = SOSViewCopyViewSet(kViewSetAll); + CFSetRef defaultViews = SOSViewCopyViewSet(kViewSetDefault); + CFSetRef initialViews = SOSViewCopyViewSet(kViewSetInitial); + CFSetRef alwaysOnViews = SOSViewCopyViewSet(kViewSetAlwaysOn); + CFSetRef backupRequiredViews = SOSViewCopyViewSet(kViewSetRequiredForBackup); + CFSetRef V0Views = SOSViewCopyViewSet(kViewSetV0); + + is(CFSetGetCount(allViews), 22, "make sure count of allViews is correct"); + is(CFSetGetCount(defaultViews), 18, "make sure count of defaultViews is correct"); + is(CFSetGetCount(initialViews), 5, "make sure count of initialViews is correct"); + is(CFSetGetCount(alwaysOnViews), 18, "make sure count of alwaysOnViews is correct"); + is(CFSetGetCount(backupRequiredViews), 3, "make sure count of backupRequiredViews is correct"); + is(CFSetGetCount(V0Views), 6, "make sure count of V0Views is correct"); + + CFReleaseNull(allViews); + CFReleaseNull(defaultViews); + CFReleaseNull(initialViews); + CFReleaseNull(alwaysOnViews); + CFReleaseNull(backupRequiredViews); + CFReleaseNull(V0Views); +} + +static int kTestTestCount = 38; static void tests(void) { CFErrorRef error = NULL; CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); CFStringRef cfaccount = CFSTR("test@test.org"); + CFSetRef nullSet = CFSetCreateMutableForCFTypes(kCFAllocatorDefault); SOSDataSourceFactoryRef test_factory = SOSTestDataSourceFactoryCreate(); SOSDataSourceRef test_source = SOSTestDataSourceCreate(); 
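Review bot: `nullSet`, created with `CFSetCreateMutableForCFTypes` at the top of `tests()`, is never released; the teardown in the later hunk at @@ -114,7 +142,27 releases `account` and `test_source` but not the set, so every run leaks it. Add `CFReleaseNull(nullSet);` next to `CFReleaseNull(account);` in that hunk. In `testViewLists`, each `SOSViewCopyViewSet` result goes straight into `CFSetGetCount`, which crashes on NULL instead of failing the test; a preceding `ok(allViews != NULL, "allViews")` (and the same for the other five sets) would turn a missing view set into a reported failure, with `kTestTestCount` bumped to match. `tests()` continues beyond this hunk.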
@@ -89,10 +115,12 @@ static void tests(void) CFReleaseNull(error); CFReleaseNull(cfpassword); - ok(SOSAccountJoinCircles(account, &error), "Join circle: %@", error); + ok(SOSAccountJoinCircles_wTxn(account, &error), "Join circle: %@", error); ok(NULL != account, "Created"); + ok(SOSAccountCheckHasBeenInSync_wTxn(account), "In sync already"); + testView(account, kSOSCCViewNotMember, kSOSViewKeychainV0, kSOSCCViewQuery, "Expected view capability for kSOSViewKeychain"); // Default views no longer includes kSOSViewAppleTV testView(account, kSOSCCViewMember, kSOSViewAppleTV, kSOSCCViewQuery, "Expected view capability for kSOSViewAppleTV"); 
@@ -114,7 +142,27 @@ static void tests(void) testView(account, kSOSCCViewMember, kSOSViewPCSiCloudDrive, kSOSCCViewQuery, "Expected view capability for kSOSViewPCSiCloudDrive"); testView(account, kSOSCCViewNotMember, kSOSViewKeychainV0, kSOSCCViewQuery, "Expected view capability for kSOSViewKeychainV0"); testView(account, kSOSCCViewMember, kSOSViewAppleTV, kSOSCCViewQuery, "Expected view capability for kSOSViewAppleTV"); + + ok(SOSAccountUpdateViewSets(account, SOSViewsGetV0ViewSet(), nullSet), "Expect not accepting kSOSKeychainV0"); + testView(account, kSOSCCViewNotMember, kSOSViewKeychainV0, kSOSCCViewQuery, "Expected no addition of kSOSKeychainV0"); + ok(SOSAccountUpdateViewSets(account, SOSViewsGetV0ViewSet(), nullSet), "Expect not accepting kSOSKeychainV0"); + testView(account, kSOSCCViewNotMember, kSOSViewKeychainV0, kSOSCCViewQuery, "Expected no addition of kSOSKeychainV0"); + + SOSPeerInfoRef pi = SOSAccountGetMyPeerInfo(account); + ok(pi, "should have the peerInfo"); + SOSViewResultCode vr = SOSViewsEnable(pi, kSOSViewKeychainV0, NULL); + + ok(vr == kSOSCCViewMember, "Set Virtual View manually"); + + ok(!SOSAccountUpdateViewSets(account, nullSet, SOSViewsGetV0ViewSet()), "Expect not removing kSOSKeychainV0"); + testView(account, kSOSCCViewMember, kSOSViewKeychainV0, kSOSCCViewQuery, "Expected kSOSKeychainV0 is still there"); + + ok(!SOSAccountUpdateViewSets(account, nullSet, SOSViewsGetV0ViewSet()), "Expect not removing kSOSKeychainV0"); + testView(account, kSOSCCViewMember, kSOSViewKeychainV0, kSOSCCViewQuery, "Expected kSOSKeychainV0 is still there"); + + + CFReleaseNull(account); SOSDataSourceRelease(test_source, NULL); @@ -136,6 +184,7 @@ int secd_80_views_basic(int argc, char *const *argv) secd_test_setup_temp_keychain(__FUNCTION__, NULL); + testViewLists(); tests(); return 0; diff --git a/OSX/sec/securityd/Regressions/secd-81-item-acl-stress.c b/OSX/sec/securityd/Regressions/secd-81-item-acl-stress.c index 2e0ad638..99d49c19 100644 
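Review bot: The two `SOSAccountUpdateViewSets`/`testView` pairs in the new block are exact duplicates, as are the two `!SOSAccountUpdateViewSets` pairs, and nothing says whether the repetition is deliberate; if the second call is meant to show that a repeated update is rejected the same way, a one-line comment such as `// Repeat: a second identical update must be rejected and leave the view state unchanged` above each repeat keeps a later cleanup from deleting it as copy-paste. `ok(pi, "should have the peerInfo")` reports a NULL peer info but the next line passes `pi` to `SOSViewsEnable` anyway, so that failure ends in a crash rather than a failed test; returning early after the check keeps the report readable. The three blank lines before `CFReleaseNull(account)` can collapse to one. `tests()` continues outside this hunk.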
--- a/OSX/sec/securityd/Regressions/secd-81-item-acl-stress.c +++ b/OSX/sec/securityd/Regressions/secd-81-item-acl-stress.c @@ -217,9 +217,9 @@ static void tests(bool isPasscodeSet) #endif CFArrayRef classArray = CFArrayCreateForCFTypes(kCFAllocatorDefault, kSecClassInternetPassword, kSecClassGenericPassword, kSecClassKey, kSecClassCertificate, NULL); - CFArrayRef protectionClassArray = CFArrayCreateForCFTypes(kCFAllocatorDefault, kSecAttrAccessibleWhenUnlocked, kSecAttrAccessibleAfterFirstUnlock, kSecAttrAccessibleAlways, + CFArrayRef protectionClassArray = CFArrayCreateForCFTypes(kCFAllocatorDefault, kSecAttrAccessibleWhenUnlocked, kSecAttrAccessibleAfterFirstUnlock, kSecAttrAccessibleAlwaysPrivate, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, - kSecAttrAccessibleAlwaysThisDeviceOnly, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, NULL); + kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, NULL); __block uint32_t pass = 0; CFArrayForEach(classArray, ^(CFTypeRef itemClass) { diff --git a/OSX/sec/securityd/Regressions/secd-81-item-acl.c b/OSX/sec/securityd/Regressions/secd-81-item-acl.c index b5c256b3..614b3543 100644 --- a/OSX/sec/securityd/Regressions/secd-81-item-acl.c +++ b/OSX/sec/securityd/Regressions/secd-81-item-acl.c 
@@ -305,7 +305,7 @@ static void item_with_application_password(uint32_t *item_num) // Update test item by adding ACL with application password flag. CFMutableDictionaryRef update = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleAlways, kSecAccessControlApplicationPassword, NULL); + aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleAlwaysPrivate, kSecAccessControlApplicationPassword, NULL); CFDictionarySetValue(update, kSecAttrAccessControl, aclRef); set_app_password(acmContext); CFDictionarySetValue(item, kSecUseCredentialReference, credRefData); @@ -332,7 +332,7 @@ static void item_with_application_password(uint32_t *item_num) CFReleaseSafe(aclRef); // Update item with ACL without application password. - aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleAlways, 0, NULL); + aclRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleAlwaysPrivate, 0, NULL); CFDictionarySetValue(update, kSecAttrAccessControl, aclRef); LASetErrorCodeBlock(okBlock); diff --git a/OSX/sec/securityd/Regressions/secd-82-persistent-ref.c b/OSX/sec/securityd/Regressions/secd-82-persistent-ref.c index 87ec19aa..6099f335 100644 --- a/OSX/sec/securityd/Regressions/secd-82-persistent-ref.c +++ b/OSX/sec/securityd/Regressions/secd-82-persistent-ref.c @@ -7,13 +7,14 @@ // #include <Security/Security.h> +#include <Security/SecItemPriv.h> #include "secd_regressions.h" #include "SecdTestKeychainUtilities.h" int secd_82_persistent_ref(int argc, char *const *argv) { - plan_tests(4); + plan_tests(5); /* custom keychain dir */ secd_test_setup_temp_keychain("secd_82_persistent_ref", NULL); 
@@ -28,7 +29,7 @@ int secd_82_persistent_ref(int argc, char *const *argv) attrs = CFDictionaryCreateMutable( NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks ); CFDictionarySetValue( attrs, kSecClass, kSecClassGenericPassword ); - CFDictionarySetValue( attrs, kSecAttrAccessible, kSecAttrAccessibleAlways ); + CFDictionarySetValue( attrs, kSecAttrAccessible, kSecAttrAccessibleAlwaysPrivate ); CFDictionarySetValue( attrs, kSecAttrLabel, CFSTR( "TestLabel" ) ); CFDictionarySetValue( attrs, kSecAttrDescription, CFSTR( "TestDescription" ) ); CFDictionarySetValue( attrs, kSecAttrAccount, CFSTR( "TestAccount" ) ); @@ -43,6 +44,7 @@ int secd_82_persistent_ref(int argc, char *const *argv) query = CFDictionaryCreateMutable( NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks ); CFDictionarySetValue( query, kSecClass, kSecClassGenericPassword ); CFDictionarySetValue( query, kSecAttrSynchronizable, kSecAttrSynchronizableAny );; + CFDictionarySetValue( query, kSecAttrAccount, CFSTR( "TestAccount" ) ); CFDictionarySetValue( query, kSecReturnAttributes, kCFBooleanTrue ); CFDictionarySetValue( query, kSecReturnPersistentRef, kCFBooleanTrue ); CFDictionarySetValue( query, kSecMatchLimit, kSecMatchLimitAll ); @@ -52,6 +54,7 @@ int secd_82_persistent_ref(int argc, char *const *argv) array = (CFArrayRef) result; n = CFArrayGetCount( array ); + is(n, 1); for( i = 0; i < n; ++i ) { item = (CFDictionaryRef) CFArrayGetValueAtIndex(array, i); diff --git a/OSX/sec/securityd/Regressions/secd-82-secproperties-basic.c b/OSX/sec/securityd/Regressions/secd-82-secproperties-basic.c index f76fc36d..a7ecb6e3 100644 --- a/OSX/sec/securityd/Regressions/secd-82-secproperties-basic.c +++ b/OSX/sec/securityd/Regressions/secd-82-secproperties-basic.c 
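Review bot: `is(n, 1);` in the hunk at @@ -52,6 +54,7 carries no description, unlike the other `is`/`ok` calls in this diff, so a failure prints only the two numbers; `is(n, 1, "exactly one generic password matches TestAccount");` names what went wrong. The `kSecAttrAccount` filter added to the query at @@ -43,6 +44,7 is what makes a count of 1 meaningful, so the description is worth tying to it. The enclosing function continues outside these hunks.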
@@ -98,7 +98,7 @@ static void tests(void) CFReleaseNull(error); CFReleaseNull(cfpassword); - ok(SOSAccountJoinCircles(account, &error), "Join Cirlce"); + ok(SOSAccountJoinCircles_wTxn(account, &error), "Join Cirlce"); ok(NULL != account, "Created"); diff --git a/OSX/sec/securityd/Regressions/secd-83-item-match-policy.m b/OSX/sec/securityd/Regressions/secd-83-item-match-policy.m new file mode 100644 index 00000000..00448438 --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-83-item-match-policy.m 
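Review bot: The rewritten `ok(...)` line keeps the misspelt description `"Join Cirlce"`; since the line is being changed anyway, make it `ok(SOSAccountJoinCircles_wTxn(account, &error), "Join Circle");`. `tests()` continues on both sides of the hunk.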
@@ -0,0 +1,229 @@ +// +// secd-81-item-match-policy.m +// sec + +/* + * This is to fool os services to not provide the Keychain manager + * interface tht doens't work since we don't have unified headers + * between iOS and OS X. rdar://23405418/ + */ +#define __KEYCHAINCORE__ 1 + +#import <Foundation/Foundation.h> +#import <Security/SecCertificate.h> +#import <Security/SecItem.h> +#import <Security/SecBase.h> +#import <utilities/SecCFWrappers.h> + + +#import "secd_regressions.h" +#import "SecdTestKeychainUtilities.h" +#import "secd-83-item-match.h" + +//Test SSL SMIME2 +NSString *secdTestSMIME1BASE64String = @"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"; +//Test SSL SMIME2 +NSString *secdTestSMIME2BASE64String = @"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"; +//Test SSL client1 +NSString *secdTestSSLClient1BASE64String = @"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"; +//Test SSL client2 +NSString *secdTestSSLClient2BASE64String = @"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"; +//secdtest1.apple.com +NSString *secdTestSSLServer1BASE64String = @"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"; +//secdtest2.apple.com +NSString *secdTestSSLServer2BASE64String = @"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"; + +void addTestCertificates(void) { + NSData *certDerData = [[NSData alloc] initWithBase64EncodedString:secdTestSMIME1BASE64String options:NSDataBase64DecodingIgnoreUnknownCharacters]; + SecCertificateRef certRef = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certDerData); + ok_status(SecItemAdd((__bridge CFDictionaryRef) @{ (id)kSecValueRef : (__bridge id) certRef }, NULL), "Add tet certificate"); + CFRelease(certRef); + + certDerData = [[NSData alloc] initWithBase64EncodedString:secdTestSMIME2BASE64String options:NSDataBase64DecodingIgnoreUnknownCharacters]; + certRef = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certDerData); + 
ok_status(SecItemAdd((__bridge CFDictionaryRef) @{ (id)kSecValueRef : (__bridge id) certRef }, NULL), "Add tet certificate"); + CFRelease(certRef); + + certDerData = [[NSData alloc] initWithBase64EncodedString:secdTestSSLClient1BASE64String options:NSDataBase64DecodingIgnoreUnknownCharacters]; + certRef = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certDerData); + ok_status(SecItemAdd((__bridge CFDictionaryRef) @{ (id)kSecValueRef : (__bridge id) certRef }, NULL), "Add tet certificate"); + CFRelease(certRef); + + certDerData = [[NSData alloc] initWithBase64EncodedString:secdTestSSLClient2BASE64String options:NSDataBase64DecodingIgnoreUnknownCharacters]; + certRef = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certDerData); + ok_status(SecItemAdd((__bridge CFDictionaryRef) @{ (id)kSecValueRef : (__bridge id) certRef }, NULL), "Add tet certificate"); + CFRelease(certRef); + + certDerData = [[NSData alloc] initWithBase64EncodedString:secdTestSSLServer1BASE64String options:NSDataBase64DecodingIgnoreUnknownCharacters]; + certRef = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certDerData); + ok_status(SecItemAdd((__bridge CFDictionaryRef) @{ (id)kSecValueRef : (__bridge id) certRef }, NULL), "Add tet certificate"); + CFRelease(certRef); + + certDerData = [[NSData alloc] initWithBase64EncodedString:secdTestSSLServer2BASE64String options:NSDataBase64DecodingIgnoreUnknownCharacters]; + certRef = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certDerData); + ok_status(SecItemAdd((__bridge CFDictionaryRef) @{ (id)kSecValueRef : (__bridge id) certRef }, NULL), "Add tet certificate"); + CFRelease(certRef); +} + +static void test(id returnKeyName) { + NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init]; + [dateFormatter setDateFormat:@"yyyy-MM-dd HH:mm:ss zzz"]; + [dateFormatter setLocale:[[NSLocale alloc] initWithLocaleIdentifier:@"us_EN"]]; + NSDate *validDate = 
[dateFormatter dateFromString: @"2016-04-07 16:00:00 GMT"]; + NSDate *dateBefore = [dateFormatter dateFromString: @"2016-04-06 16:00:00 GMT"]; + NSDate *dateAfter = [dateFormatter dateFromString: @"2017-04-08 16:00:00 GMT"]; + + CFTypeRef result = NULL; + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 6); + CFReleaseNull(result); +#if TARGET_OS_IPHONE + SecPolicyRef policy = SecPolicyCreateWithProperties(kSecPolicyAppleSMIME, NULL); +#else + SecPolicyRef policy = SecPolicyCreateWithProperties(kSecPolicyAppleSMIME, (__bridge CFDictionaryRef)@{ (id)kSecPolicyKU_DigitalSignature : @YES }); +#endif + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 2); + CFReleaseNull(policy); + CFReleaseNull(result); + +#if TARGET_OS_IPHONE + policy = SecPolicyCreateWithProperties(kSecPolicyAppleSMIME, (__bridge CFDictionaryRef)@{ +#else + policy = SecPolicyCreateWithProperties(kSecPolicyAppleSMIME, (__bridge CFDictionaryRef)@{ (id)kSecPolicyKU_DigitalSignature : @YES, +#endif + (id)kSecPolicyName : @"testcert1@apple.com" }); + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 1); + CFReleaseNull(result); + + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + (id)kSecMatchValidOnDate : validDate, + returnKeyName : @YES }, 
&result)); + ok(result && CFArrayGetCount(result) == 1); + CFReleaseNull(result); + + is_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + (id)kSecMatchValidOnDate : dateBefore, + returnKeyName : @YES }, &result), errSecItemNotFound); + CFReleaseNull(result); + + is_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + (id)kSecMatchValidOnDate : dateAfter, + returnKeyName : @YES }, &result), errSecItemNotFound); + CFReleaseNull(policy); + CFReleaseNull(result); +#if TARGET_OS_IPHONE + policy = SecPolicyCreateWithProperties(kSecPolicyAppleSSL, NULL); +#else + policy = SecPolicyCreateWithProperties(kSecPolicyAppleSSL, (__bridge CFDictionaryRef)@{ (id)kSecPolicyKU_DigitalSignature : @YES }); +#endif + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 2); + CFReleaseNull(policy); + CFReleaseNull(result); + +#if TARGET_OS_IPHONE + policy = SecPolicyCreateWithProperties(kSecPolicyAppleSSL, (__bridge CFDictionaryRef)@{ +#else + policy = SecPolicyCreateWithProperties(kSecPolicyAppleSSL, (__bridge CFDictionaryRef)@{ (id)kSecPolicyKU_DigitalSignature : @YES, +#endif + (id)kSecPolicyName : @"secdtest1.apple.com" }); + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 1); + CFReleaseNull(result); + + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ 
(id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + (id)kSecMatchValidOnDate : validDate, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 1); + CFReleaseNull(result); + + is_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + (id)kSecMatchValidOnDate : dateBefore, + returnKeyName : @YES }, &result), errSecItemNotFound); + CFReleaseNull(result); + + is_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + (id)kSecMatchValidOnDate : dateAfter, + returnKeyName : @YES }, &result), errSecItemNotFound); + CFReleaseNull(policy); + CFReleaseNull(result); + +#if TARGET_OS_IPHONE + policy = SecPolicyCreateWithProperties(kSecPolicyAppleSSL, (__bridge CFDictionaryRef)@{ +#else + policy = SecPolicyCreateWithProperties(kSecPolicyAppleSSL, (__bridge CFDictionaryRef)@{ (id)kSecPolicyKU_DigitalSignature : @YES, +#endif + (id)kSecPolicyClient : @YES }); + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 2); + CFReleaseNull(result); + + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + (id)kSecMatchValidOnDate : validDate, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 2); + CFReleaseNull(result); + + is_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + 
(id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + (id)kSecMatchValidOnDate : dateBefore, + returnKeyName : @YES }, &result), errSecItemNotFound); + CFReleaseNull(result); + + is_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchPolicy : (__bridge id)policy, + (id)kSecMatchValidOnDate : dateAfter, + returnKeyName : @YES }, &result), errSecItemNotFound); + CFReleaseNull(policy); + CFReleaseNull(result); +} + +int secd_83_item_match_policy(int argc, char *const *argv) +{ + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + plan_tests(103); + + @autoreleasepool { + addTestCertificates(); + NSArray *returnKeyNames = @[(id)kSecReturnAttributes, (id)kSecReturnData, (id)kSecReturnRef, (id)kSecReturnPersistentRef]; + for (id returnKeyName in returnKeyNames) + test(returnKeyName); + } + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-83-item-match-trusted.m b/OSX/sec/securityd/Regressions/secd-83-item-match-trusted.m new file mode 100644 index 00000000..0231610b --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-83-item-match-trusted.m 
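Review bot: In `addTestCertificates`, each `SecCertificateCreateWithData` result is handed to `SecItemAdd` and then `CFRelease` without a NULL check, so a base64 string that fails to decode crashes the test binary instead of producing a failed assertion; the six copy-pasted stanzas also all carry the misspelt description `"Add tet certificate"`. A loop over the six strings with an `ok(certRef != NULL, ...)` guard fixes both, but it adds six assertions per caller, so `plan_tests(103)` here and the counts in the two sibling files that call this helper need raising by the same amount. The header comment names the file `secd-81-item-match-policy.m` while the path is `secd-83-item-match-policy.m`. The locale identifier `@"us_EN"` passed to `initWithLocaleIdentifier:` is not in language_REGION form (`en_US`); the fixed-format GMT date strings appear to parse regardless, but `en_US_POSIX` is what the intent reads as.
```objectivec
void addTestCertificates(void) {
    NSArray *base64Certs = @[ secdTestSMIME1BASE64String, secdTestSMIME2BASE64String,
                              secdTestSSLClient1BASE64String, secdTestSSLClient2BASE64String,
                              secdTestSSLServer1BASE64String, secdTestSSLServer2BASE64String ];
    for (NSString *base64 in base64Certs) {
        NSData *certDerData = [[NSData alloc] initWithBase64EncodedString:base64 options:NSDataBase64DecodingIgnoreUnknownCharacters];
        SecCertificateRef certRef = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certDerData);
        ok(certRef != NULL, "Decode test certificate");
        if (certRef == NULL) {
            continue;   // SecItemAdd/CFRelease on NULL would abort the whole test run
        }
        ok_status(SecItemAdd((__bridge CFDictionaryRef) @{ (id)kSecValueRef : (__bridge id) certRef }, NULL), "Add test certificate");
        CFRelease(certRef);
    }
}
```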
@@ -0,0 +1,51 @@ +// +// secd-83-item-match-trusted.m +// sec + + +/* + * This is to fool os services to not provide the Keychain manager + * interface tht doens't work since we don't have unified headers + * between iOS and OS X. rdar://23405418/ + */ +#define __KEYCHAINCORE__ 1 + +#import <Foundation/Foundation.h> +#import <Security/SecItem.h> +#import <Security/SecBase.h> +#import <utilities/SecCFWrappers.h> + + +#import "secd_regressions.h" +#import "SecdTestKeychainUtilities.h" +#import "secd-83-item-match.h" + +static void test(id returnKeyName) { + CFTypeRef result = NULL; + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 6); + CFReleaseNull(result); + + is_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchTrustedOnly : @YES, + returnKeyName : @YES }, &result), errSecItemNotFound); + CFReleaseNull(result); +} + +int secd_83_item_match_trusted(int argc, char *const *argv) +{ + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + plan_tests(19); + + @autoreleasepool { + addTestCertificates(); + NSArray *returnKeyNames = @[(id)kSecReturnAttributes, (id)kSecReturnData, (id)kSecReturnRef, (id)kSecReturnPersistentRef]; + for (id returnKeyName in returnKeyNames) + test(returnKeyName); + } + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-83-item-match-valid-on-date.m b/OSX/sec/securityd/Regressions/secd-83-item-match-valid-on-date.m new file mode 100644 index 00000000..7922de7a --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-83-item-match-valid-on-date.m 
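Review bot: The `is_status(..., errSecItemNotFound)` for the `kSecMatchTrustedOnly` query in `test()` has no comment saying why an empty result is the expected outcome, and the `ok(result && CFArrayGetCount(result) == 6)` above it has no description, so a failure of either prints nothing a reader can act on. A comment such as `// None of the six test certificates is presumably trusted in the temp keychain, so a trusted-only match must find nothing` above the second query, and `ok(result && CFArrayGetCount(result) == 6, "all six test certificates returned")`, would make both self-explanatory. The boilerplate block at the top repeats the typos `tht doens't` from the other new files; `that doesn't` reads better wherever it is copied.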
@@ -0,0 +1,68 @@ +// +// secd-83-item-match-valid-on-date.m +// sec + +/* + * This is to fool os services to not provide the Keychain manager + * interface tht doens't work since we don't have unified headers + * between iOS and OS X. rdar://23405418/ + */ +#define __KEYCHAINCORE__ 1 + +#import <Foundation/Foundation.h> +#import <Security/SecItem.h> +#import <Security/SecBase.h> +#import <utilities/SecCFWrappers.h> + + +#import "secd_regressions.h" +#import "SecdTestKeychainUtilities.h" +#import "secd-83-item-match.h" + +static void test(id returnKeyName) { + NSDateFormatter *dateFormatter = [[NSDateFormatter alloc] init]; + [dateFormatter setDateFormat:@"yyyy-MM-dd HH:mm:ss zzz"]; + [dateFormatter setLocale:[[NSLocale alloc] initWithLocaleIdentifier:@"us_EN"]]; + NSDate *validDate = [dateFormatter dateFromString: @"2016-04-07 16:00:00 GMT"]; + NSDate *dateBefore = [dateFormatter dateFromString: @"2016-04-06 16:00:00 GMT"]; + NSDate *dateAfter = [dateFormatter dateFromString: @"2017-04-08 16:00:00 GMT"]; + + CFTypeRef result = NULL; + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 6); + CFReleaseNull(result); + + ok_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchValidOnDate : validDate, + returnKeyName : @YES }, &result)); + ok(result && CFArrayGetCount(result) == 6); + + is_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecMatchValidOnDate : dateBefore, + returnKeyName : @YES }, &result), errSecItemNotFound); + ok(result && CFArrayGetCount(result) == 6); + is_status(SecItemCopyMatching( (__bridge CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassCertificate, + 
(id)kSecMatchLimit : (id)kSecMatchLimitAll,
+ (id)kSecMatchValidOnDate : dateAfter,
+ returnKeyName : @YES }, &result), errSecItemNotFound);
+ ok(result && CFArrayGetCount(result) == 6);
+}
+
+int secd_83_item_match_valid_on_date(int argc, char *const *argv)
+{
+ secd_test_setup_temp_keychain(__FUNCTION__, NULL);
+ plan_tests(39);
+
+ @autoreleasepool {
+ addTestCertificates();
+ NSArray *returnKeyNames = @[(id)kSecReturnAttributes, (id)kSecReturnData, (id)kSecReturnRef, (id)kSecReturnPersistentRef];
+ for (id returnKeyName in returnKeyNames)
+ test(returnKeyName);
+ }
+
+ return 0;
+}
diff --git a/OSX/sec/securityd/Regressions/secd-83-item-match.h b/OSX/sec/securityd/Regressions/secd-83-item-match.h
new file mode 100644
index 00000000..cae87a88
--- /dev/null
+++ b/OSX/sec/securityd/Regressions/secd-83-item-match.h
@@ -0,0 +1,10 @@
+//
+// secd-83-item-match.h
+// sec
+
+#ifndef secd_83_item_match_h
+#define secd_83_item_match_h
+
+void addTestCertificates(void);
+
+#endif /* secd_83_item_match_h */
diff --git a/OSX/sec/securityd/Regressions/secd-90-hsa2.c b/OSX/sec/securityd/Regressions/secd-90-hsa2.c
index 69224e7e..42278bd5 100644
--- a/OSX/sec/securityd/Regressions/secd-90-hsa2.c
+++ b/OSX/sec/securityd/Regressions/secd-90-hsa2.c
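Review bot: The `result` array returned by the kSecMatchValidOnDate:validDate query in test() is never released, and the two `ok(result && CFArrayGetCount(result) == 6)` checks that follow the dateBefore and dateAfter queries therefore assert on that stale array rather than on anything the errSecItemNotFound calls produced; whether SecItemCopyMatching leaves `result` untouched on that error is not visible here, and if it writes NULL both checks fail. Release after the validDate assertion with `CFReleaseNull(result);`, turn the two post-failure checks into `ok(result == NULL, "no result for out-of-range date");`, and add a final `CFReleaseNull(result);` so the test count stays at the planned 39. The locale identifier `@"us_EN"` is not a valid language_REGION code (`en_US` is); the parse only tolerates it because the date strings contain no localized tokens, which is worth a comment or a fix.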
@@ -22,43 +22,144 @@ */ -#include <stdio.h> +#include <Security/SecBase.h> +#include <Security/SecItem.h> -#include "secd_regressions.h" - -#include <CoreFoundation/CFData.h> -#include <Security/SecOTRSession.h> -#include <Security/SecOTRIdentityPriv.h> -#include <Security/SecInternal.h> -#include <Security/SecBasePriv.h> -#include <Security/SecKeyPriv.h> +#include <CoreFoundation/CFDictionary.h> -#include <Security/SecureObjectSync/SOSPeerInfo.h> -#include <Security/SecureObjectSync/SOSCircle.h> +#include <Security/SecureObjectSync/SOSAccount.h> #include <Security/SecureObjectSync/SOSCloudCircle.h> #include <Security/SecureObjectSync/SOSInternal.h> #include <Security/SecureObjectSync/SOSUserKeygen.h> #include <Security/SecureObjectSync/SOSTransport.h> -#include "SOSCircle_regressions.h" -#include "SOSRegressionUtilities.h" +#include <stdlib.h> +#include <unistd.h> + +#include "secd_regressions.h" #include "SOSTestDataSource.h" -#include "SecOTRRemote.h" -#include "SOSAccount.h" + +#include "SOSRegressionUtilities.h" +#include <utilities/SecCFWrappers.h> +#include <Security/SecKeyPriv.h> + +#include <securityd/SOSCloudCircleServer.h> + +#include "SOSAccountTesting.h" #include "SecdTestKeychainUtilities.h" -static int kTestTestCount = 0; +static int kTestTestCount = 75; + + +static bool SOSTestAcceptApplicant(SOSAccountRef acceptor, CFIndex appsExpected, CFErrorRef *error) { + bool retval = true; + CFArrayRef applicants = SOSAccountCopyApplicants(acceptor, error); + CFStringRef acceptorName = SOSAccountCopyName(acceptor); + + ok(applicants && CFArrayGetCount(applicants) == appsExpected, "See %ld applicant %@ (%@)", appsExpected, applicants, *error); + if(CFArrayGetCount(applicants) != appsExpected) retval = false; + ok(retval && (retval = SOSAccountAcceptApplicants(acceptor, applicants, error)), "%@ accepts (%@)", acceptorName, *error); + CFReleaseNull(*error); + CFReleaseNull(applicants); + CFReleaseNull(acceptorName); + + return retval; +} + static void 
tests(void) { + CFErrorRef error = NULL; + CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); + CFStringRef cfaccount = CFSTR("test@test.org"); + + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("Alice"), CFSTR("TestSource")); + SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("Bob"), CFSTR("TestSource")); + SOSAccountRef carole_account = CreateAccountForLocalChanges(CFSTR("Carol"), CFSTR("TestSource")); + + ok(SOSAccountAssertUserCredentialsAndUpdate(bob_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + + // Bob wins writing at this point, feed the changes back to alice. + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 1, "updates"); + + ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(error); + + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); + + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); + + ok(SOSTestAcceptApplicant(alice_account, 1, &error), "Alice Accepts"); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 3, "updates"); + + accounts_agree("bob&alice pair", bob_account, alice_account); + + ok(SOSAccountLeaveCircle(alice_account, &error)); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); + + ok(SOSAccountAssertUserCredentialsAndUpdate(carole_account, cfaccount, cfpassword, &error), 
"Credential setting (%@)", error); + CFReleaseNull(cfpassword); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 1, "updates"); + + SOSAccountTransactionRef txn = SOSAccountTransactionCreate(carole_account); + + SOSPeerInfoRef carole_pi = SOSAccountCopyApplication(carole_account, &error); + ok(carole_pi != NULL, "Got Carole's Application PeerInfo"); + CFReleaseNull(error); + SOSAccountTransactionFinish(txn); + CFReleaseNull(txn); + + SOSAccountPurgePrivateCredential(bob_account); + + CFDataRef bobBlob = SOSAccountCopyCircleJoiningBlob(bob_account, carole_pi, &error); + ok(bobBlob != NULL, "Got Piggy Back Blob from Bob"); + CFReleaseNull(error); + + ok(SOSAccountJoinWithCircleJoiningBlob(carole_account, bobBlob, &error), "Carole joins circle through piggy backing: %@", error); + CFReleaseNull(error); + CFReleaseNull(bobBlob); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "Settle Circle"); + + ok(!SOSAccountIsInCircle(alice_account, NULL), "Alice still retired"); + ok(SOSAccountIsInCircle(bob_account, NULL), "Bob still here"); + ok(SOSAccountIsInCircle(carole_account, NULL), "carol still here"); + + ok(!SOSAccountCheckHasBeenInSync_wTxn(carole_account), "Carol not in sync"); + + CFReleaseNull(bob_account); + CFReleaseNull(alice_account); + CFReleaseNull(carole_account); + + SOSUnregisterAllTransportMessages(); + SOSUnregisterAllTransportCircles(); + SOSUnregisterAllTransportKeyParameters(); + CFArrayRemoveAllValues(key_transports); + CFArrayRemoveAllValues(circle_transports); + CFArrayRemoveAllValues(message_transports); + } + int secd_90_hsa2(int argc, char *const *argv) { - plan_tests(kTestTestCount); - - tests(); - - return 0; + plan_tests(kTestTestCount); + + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + + tests(); + + return 0; } 
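Review bot: SOSTestAcceptApplicant dereferences `applicants` and `*error` unconditionally: when SOSAccountCopyApplicants returns NULL the `ok()` reports it but the next line's `CFArrayGetCount(applicants)` then crashes, and the `%@` of `*error` plus `CFReleaseNull(*error)` assume the caller passed a non-NULL `error` pointer although the signature allows one. Guard both, e.g. `if (!applicants || CFArrayGetCount(applicants) != appsExpected) retval = false;` and `if (error) CFReleaseNull(*error);`. In tests(), `carole_pi` comes from a Copy function and `changes` from CFDictionaryCreateMutableForCFTypes, but neither is released before the function returns, unlike the three accounts; add `CFReleaseNull(carole_pi);` after the piggy-back join and `CFReleaseNull(changes);` with the transport teardown. The `ok(SOSAccountLeaveCircle(alice_account, &error));` line has no description, so its failure would be unlabelled in the TAP output.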
diff --git a/OSX/sec/securityd/Regressions/secd-95-escrow-persistence.c b/OSX/sec/securityd/Regressions/secd-95-escrow-persistence.c index b74238e5..96409733 100644 --- a/OSX/sec/securityd/Regressions/secd-95-escrow-persistence.c +++ b/OSX/sec/securityd/Regressions/secd-95-escrow-persistence.c @@ -74,12 +74,12 @@ static void tests(void) CFReleaseNull(cfpassword); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); @@ -100,9 +100,9 @@ static void tests(void) }); CFStringAppend(timeDescription, CFSTR("]")); - uint64_t tries = 5; + int tries = 5; - CFNumberRef attempts = CFNumberCreate(kCFAllocatorDefault, kCFNumberLongLongType, (const void*)&tries); + CFNumberRef attempts = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &tries); CFMutableArrayRef escrowTimeAndTries = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); CFArrayAppendValue(escrowTimeAndTries, timeDescription); 
@@ -131,14 +131,14 @@ static void tests(void) ok(SOSAccountAddEscrowRecords(bob_account, CFSTR("12345"), escrowRecord, &error), "Adding escrow to Bob's account (%@)", error); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); CFDictionaryRef bob_fpi_escrow = SOSPeerInfoCopyEscrowRecord(SOSFullPeerInfoGetPeerInfo(bob_account->my_identity)); ok(bob_fpi_escrow == NULL, "Bob's FPI escrow should be null"); CFReleaseNull(bob_fpi_escrow); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); bob_fpi_escrow = SOSPeerInfoCopyEscrowRecord(SOSFullPeerInfoGetPeerInfo(bob_account->my_identity)); ok(CFEqualSafe(CFDictionaryGetValue(bob_fpi_escrow, CFSTR("12345")), escrowRecord), "Bob has escrow records in account (%@)", error); CFReleaseNull(bob_fpi_escrow); diff --git a/OSX/sec/securityd/Regressions/secd60-account-cloud-exposure.c b/OSX/sec/securityd/Regressions/secd60-account-cloud-exposure.c index a23cae5e..efa5e095 100644 --- a/OSX/sec/securityd/Regressions/secd60-account-cloud-exposure.c +++ b/OSX/sec/securityd/Regressions/secd60-account-cloud-exposure.c 
@@ -58,21 +58,6 @@ static int kTestTestCount = 58; -static bool SOSAccountAddiCloudIdentity(SOSAccountRef account, SOSCircleRef circle, SecKeyRef user_key, CFErrorRef *error) { - bool result = false; - SOSFullPeerInfoRef cloud_identity = NULL; - SOSPeerInfoRef cloud_peer = GenerateNewCloudIdentityPeerInfo(error); - require_quiet(cloud_peer, err_out); - cloud_identity = CopyCloudKeychainIdentity(cloud_peer, error); - CFReleaseNull(cloud_peer); - require_quiet(cloud_identity, err_out); - require_quiet(SOSCircleRequestAdmission(circle, user_key, cloud_identity, error), err_out); - require_quiet(SOSCircleAcceptRequest(circle, user_key, account->my_identity, SOSFullPeerInfoGetPeerInfo(cloud_identity), error), err_out); - result = true; -err_out: - return result; -} - static bool SOSAccountResetCircleToNastyOffering(SOSAccountRef account, SecKeyRef userPriv, SOSPeerInfoRef pi, CFErrorRef *error) { bool result = false; SecKeyRef userPub = SecKeyCreatePublicFromPrivate(userPriv); @@ -146,12 +131,12 @@ static bool performiCloudIdentityAttack(SOSAccountRef attacker, SOSAccountRef de ProcessChangesUntilNoChange(changes, defender, accomplice, attacker, NULL); /*----- Now use our fake iCloud identity to get in to the circle for real -----*/ - require_action_quiet(SOSAccountJoinCirclesAfterRestore(attacker, &error), testDone, retval = true); + require_action_quiet(SOSAccountJoinCirclesAfterRestore_wTxn(attacker, &error), testDone, retval = true); CFReleaseNull(error); require_action_quiet(countPeers(attacker) == 2, testDone, retval = true); /*----- Let's see if carole can get bob into the circle and have alice believe it -----*/ - require_action_quiet(SOSAccountJoinCircles(accomplice, &error), testDone, retval = true); + require_action_quiet(SOSAccountJoinCircles_wTxn(accomplice, &error), testDone, retval = true); CFReleaseNull(error); ProcessChangesUntilNoChange(changes, defender, accomplice, attacker, NULL); 
@@ -197,12 +182,12 @@ static void tests(void) ok(SOSAccountAssertUserCredentialsAndUpdate(carole_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); CFReleaseNull(error); - ok(SOSAccountResetToOffering(alice_account, &error), "Reset to offering (%@)", error); + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); - ok(SOSAccountJoinCircles(bob_account, &error), "Bob Applies (%@)", error); + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); CFReleaseNull(error); is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, carole_account, NULL), 2, "updates"); diff --git a/OSX/sec/securityd/Regressions/secd_77_ids_messaging.c b/OSX/sec/securityd/Regressions/secd_77_ids_messaging.c new file mode 100644 index 00000000..82c0be16 --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd_77_ids_messaging.c 
@@ -0,0 +1,299 @@ +// +// secd_77_ids_messaging.c +// sec +// + +/* + * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. 
+ * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#include <stdio.h> +#include <Security/SecBase.h> +#include <Security/SecItem.h> + +#include <Security/SecureObjectSync/SOSAccount.h> +#include <Security/SecureObjectSync/SOSCloudCircle.h> +#include <Security/SecureObjectSync/SOSInternal.h> +#include <Security/SecureObjectSync/SOSFullPeerInfo.h> +#include <Security/SecureObjectSync/SOSUserKeygen.h> +#include <stdlib.h> +#include <unistd.h> + +#include "secd_regressions.h" +#include "SOSTestDataSource.h" + +#include "SOSRegressionUtilities.h" +#include <utilities/SecCFWrappers.h> + +#include <securityd/SOSCloudCircleServer.h> +#include "SecdTestKeychainUtilities.h" +#include "SOSAccountTesting.h" +#include "SOSTransportTestTransports.h" +#include "SOSTestDevice.h" +#include "SOSTestDataSource.h" +#include <Security/SecureObjectSync/SOSTransportMessageIDS.h> + +static int kTestTestCount = 101; + +static bool SOSAccountIsThisPeerIDMe(SOSAccountRef account, CFStringRef peerID) { + SOSPeerInfoRef mypi = SOSFullPeerInfoGetPeerInfo(account->my_identity); + CFStringRef myPeerID = SOSPeerInfoGetPeerID(mypi); + + return myPeerID && CFEqualSafe(myPeerID, peerID); +} + +static void ids_test_sync(SOSAccountRef alice_account, SOSAccountRef bob_account){ + + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + __block bool SyncingCompletedOverIDS = false; + __block CFErrorRef localError = NULL; + __block bool done = false; + do{ + SOSCircleForEachValidPeer(alice_account->trusted_circle, alice_account->user_public, ^(SOSPeerInfoRef peer) { + if (!SOSAccountIsThisPeerIDMe(alice_account, SOSPeerInfoGetPeerID(peer))) { + if(SOSPeerInfoShouldUseIDSTransport(SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), peer) && + SOSPeerInfoShouldUseIDSMessageFragmentation(SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), peer)){ + secnotice("IDS Transport","Syncing with IDS capable peers using IDS!"); + + CFMutableDictionaryRef circleToIdsId = 
CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFMutableArrayRef ids = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFArrayAppendValue(ids, SOSPeerInfoGetPeerID(peer)); + CFDictionaryAddValue(circleToIdsId, SOSCircleGetName(alice_account->trusted_circle), ids); + SyncingCompletedOverIDS = SOSTransportMessageSyncWithPeers(alice_account->ids_message_transport, circleToIdsId, &localError); + CFReleaseNull(circleToIdsId); + CFReleaseNull(ids); + } + } + }); + + ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL); + + SOSCircleForEachValidPeer(bob_account->trusted_circle, bob_account->user_public, ^(SOSPeerInfoRef peer) { + if (!SOSAccountIsThisPeerIDMe(bob_account, SOSPeerInfoGetPeerID(peer))) { + if(SOSPeerInfoShouldUseIDSTransport(SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), peer) && + SOSPeerInfoShouldUseIDSMessageFragmentation(SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), peer)){ + secnotice("IDS Transport","Syncing with IDS capable peers using IDS!"); + + CFMutableDictionaryRef circleToIdsId = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFMutableArrayRef ids = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFArrayAppendValue(ids, SOSPeerInfoGetPeerID(peer)); + CFDictionaryAddValue(circleToIdsId, SOSCircleGetName(bob_account->trusted_circle), ids); + SyncingCompletedOverIDS &= SOSTransportMessageSyncWithPeers(bob_account->ids_message_transport, circleToIdsId, &localError); + CFReleaseNull(circleToIdsId); + CFReleaseNull(ids); + } + } + }); + + ok(SyncingCompletedOverIDS, "synced items over IDS"); + if(CFDictionaryGetCount(SOSTransportMessageIDSTestGetChanges(alice_account->ids_message_transport)) == 0 && CFDictionaryGetCount(SOSTransportMessageIDSTestGetChanges(bob_account->ids_message_transport)) == 0){ + done = true; + break; + } + + ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL); + + }while(done == false); + CFReleaseNull(changes); +} + +static void tests() 
+{ + CFErrorRef error = NULL; + + CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); + CFDataRef cfpassword = CFDataCreate(NULL, (uint8_t *) "FooFooFoo", 10); + CFStringRef cfaccount = CFSTR("test@test.org"); + CFStringRef dsName = CFSTR("Test"); + + SOSAccountRef alice_account = CreateAccountForLocalChanges(CFSTR("Alice"), dsName); + SOSAccountRef bob_account = CreateAccountForLocalChanges(CFSTR("Bob"), dsName); + + ok(SOSAccountAssertUserCredentialsAndUpdate(bob_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + + // Bob wins writing at this point, feed the changes back to alice. + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 1, "updates"); + + ok(SOSAccountAssertUserCredentialsAndUpdate(alice_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); + CFReleaseNull(cfpassword); + CFReleaseNull(error); + + ok(NULL != alice_account, "Alice Created"); + ok(NULL != bob_account, "Bob Created"); + + ok(SOSAccountResetToOffering_wTxn(alice_account, &error), "Reset to offering (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + ok(SOSAccountJoinCircles_wTxn(bob_account, &error), "Bob Applies (%@)", error); + CFReleaseNull(error); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + { + CFArrayRef applicants = SOSAccountCopyApplicants(alice_account, &error); + + ok(applicants && CFArrayGetCount(applicants) == 1, "See one applicant %@ (%@)", applicants, error); + ok(SOSAccountAcceptApplicants(alice_account, applicants, &error), "Alice accepts (%@)", error); + CFReleaseNull(error); + CFReleaseNull(applicants); + } + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates"); + + accounts_agree("bob&alice pair", bob_account, alice_account); + + CFArrayRef peers = SOSAccountCopyPeers(alice_account, 
&error); + ok(peers && CFArrayGetCount(peers) == 2, "See two peers %@ (%@)", peers, error); + CFReleaseNull(peers); + + //creating test devices + CFIndex version = 0; + + // Optionally prefix each peer with name to make them more unique. + CFArrayRef deviceIDs = CFArrayCreateForCFTypes(kCFAllocatorDefault,SOSAccountGetMyPeerID(alice_account), SOSAccountGetMyPeerID(bob_account), NULL); + CFSetRef views = SOSViewsCopyTestV2Default(); + CFMutableArrayRef peerMetas = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); + CFStringRef deviceID; + CFArrayForEachC(deviceIDs, deviceID) { + SOSPeerMetaRef peerMeta = SOSPeerMetaCreateWithComponents(deviceID, views, NULL); + CFArrayAppendValue(peerMetas, peerMeta); + CFReleaseNull(peerMeta); + } + + CFReleaseNull(views); + CFArrayForEachC(deviceIDs, deviceID) { + SOSTestDeviceRef device = SOSTestDeviceCreateWithDbNamed(kCFAllocatorDefault, deviceID, deviceID); + SOSTestDeviceSetPeerIDs(device, peerMetas, version, NULL); + + if(CFEqualSafe(deviceID, SOSAccountGetMyPeerID(alice_account))){ + alice_account->factory = device->dsf; + SOSTestDeviceAddGenericItem(device, CFSTR("Alice"), CFSTR("Alice-add")); + } + else{ + bob_account->factory = device->dsf; + SOSTestDeviceAddGenericItem(device, CFSTR("Bob"), CFSTR("Bob-add")); + } + + CFReleaseNull(device); + } + CFReleaseNull(deviceIDs); + CFReleaseNull(peerMetas); + + SOSUnregisterAllTransportMessages(); + CFArrayRemoveAllValues(message_transports); + + alice_account->ids_message_transport = (SOSTransportMessageRef)SOSTransportMessageIDSTestCreate(alice_account, CFSTR("Alice"), SOSCircleGetName(alice_account->trusted_circle), &error); + bob_account->ids_message_transport = (SOSTransportMessageRef)SOSTransportMessageIDSTestCreate(bob_account, CFSTR("Bob"), SOSCircleGetName(bob_account->trusted_circle), &error); + + ok(alice_account->ids_message_transport != NULL, "Alice Account, Created IDS Test Transport"); + ok(bob_account->ids_message_transport != NULL, "Bob Account, Created IDS 
Test Transport"); + + bool result = SOSAccountModifyCircle(alice_account, &error, ^bool(SOSCircleRef circle) { + CFErrorRef localError = NULL; + + SOSFullPeerInfoUpdateTransportType(alice_account->my_identity, SOSTransportMessageTypeIDSV2, &localError); + SOSFullPeerInfoUpdateTransportPreference(alice_account->my_identity, kCFBooleanFalse, &localError); + SOSFullPeerInfoUpdateTransportFragmentationPreference(alice_account->my_identity, kCFBooleanTrue, &localError); + + return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(alice_account->my_identity), NULL); + }); + + ok(result, "Alice account update circle with transport type"); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + result = SOSAccountModifyCircle(bob_account, &error, ^bool(SOSCircleRef circle) { + CFErrorRef localError = NULL; + + SOSFullPeerInfoUpdateTransportType(bob_account->my_identity, SOSTransportMessageTypeIDSV2, &localError); + SOSFullPeerInfoUpdateTransportPreference(bob_account->my_identity, kCFBooleanFalse, &localError); + SOSFullPeerInfoUpdateTransportFragmentationPreference(bob_account->my_identity, kCFBooleanTrue, &localError); + + return SOSCircleHasPeer(circle, SOSFullPeerInfoGetPeerInfo(bob_account->my_identity), NULL); + }); + + ok(result, "Bob account update circle with transport type"); + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 2, "updates"); + + CFStringRef alice_transportType =SOSPeerInfoCopyTransportType(SOSAccountGetMyPeerInfo(alice_account)); + CFStringRef bob_accountTransportType = SOSPeerInfoCopyTransportType(SOSAccountGetMyPeerInfo(bob_account)); + ok(CFEqualSafe(alice_transportType, CFSTR("IDS2.0")), "Alice transport type not IDS"); + ok(CFEqualSafe(bob_accountTransportType, CFSTR("IDS2.0")), "Bob transport type not IDS"); + + CFReleaseNull(alice_transportType); + CFReleaseNull(bob_accountTransportType); + + SOSTransportMessageIDSTestSetName(alice_account->ids_message_transport, 
CFSTR("Alice Account")); + ok(SOSTransportMessageIDSTestGetName(alice_account->ids_message_transport) != NULL, "retrieved getting account name"); + ok(SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(alice_account, &error) != false, "device ID from IDSKeychainSyncingProxy"); + + SOSTransportMessageIDSTestSetName(bob_account->ids_message_transport, CFSTR("Bob Account")); + ok(SOSTransportMessageIDSTestGetName(bob_account->ids_message_transport) != NULL, "retrieved getting account name"); + ok(SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(bob_account, &error) != false, "device ID from IDSKeychainSyncingProxy"); + + + ok(SOSAccountSetMyDSID(alice_account, CFSTR("Alice"),&error), "Setting IDS device ID"); + CFStringRef alice_dsid = SOSAccountCopyDeviceID(alice_account, &error); + ok(CFEqualSafe(alice_dsid, CFSTR("Alice")), "Getting IDS device ID"); + + ok(SOSAccountSetMyDSID(bob_account, CFSTR("Bob"),&error), "Setting IDS device ID"); + CFStringRef bob_dsid = SOSAccountCopyDeviceID(bob_account, &error); + ok(CFEqualSafe(bob_dsid, CFSTR("Bob")), "Getting IDS device ID"); + + is(ProcessChangesUntilNoChange(changes, alice_account, bob_account, NULL), 3, "updates"); + + + ok(SOSAccountEnsurePeerRegistration(alice_account, NULL), "ensure peer registration - alice"); + + ok(SOSAccountEnsurePeerRegistration(bob_account, NULL), "ensure peer registration - bob"); + + + ids_test_sync(alice_account, bob_account); + + CFReleaseNull(alice_account); + CFReleaseNull(bob_account); + CFReleaseNull(bob_dsid); + CFReleaseNull(alice_dsid); + CFReleaseNull(changes); + + SOSUnregisterAllTransportMessages(); + SOSUnregisterAllTransportCircles(); + SOSUnregisterAllTransportKeyParameters(); + CFArrayRemoveAllValues(key_transports); + CFArrayRemoveAllValues(circle_transports); + CFArrayRemoveAllValues(message_transports); + +} + +int secd_77_ids_messaging(int argc, char *const *argv) +{ + plan_tests(kTestTestCount); + + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + + 
tests(); + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd_regressions.h b/OSX/sec/securityd/Regressions/secd_regressions.h index 9f6d66cb..f2e91b0e 100644 --- a/OSX/sec/securityd/Regressions/secd_regressions.h +++ b/OSX/sec/securityd/Regressions/secd_regressions.h @@ -48,6 +48,7 @@ ONE_TEST(secd_55_account_circle) ONE_TEST(secd_55_account_incompatibility) ONE_TEST(secd_56_account_apply) ONE_TEST(secd_57_account_leave) +ONE_TEST(secd_57_1_account_last_standing) ONE_TEST(secd_58_password_change) ONE_TEST(secd_59_account_cleanup) ONE_TEST(secd_60_account_cloud_identity) @@ -61,6 +62,10 @@ ONE_TEST(secd_65_account_retirement_reset) ONE_TEST(secd_70_engine) ONE_TEST(secd_70_engine_corrupt) ONE_TEST(secd_70_engine_smash) +DISABLED_ONE_TEST(secd_71_engine_save) +ONE_TEST(secd_76_idstransport) +ONE_TEST(secd_77_ids_messaging) + DISABLED_ONE_TEST(secd_70_otr_remote) ONE_TEST(secd_74_engine_beer_servers) OFF_ONE_TEST(secd_75_engine_views) @@ -74,7 +79,12 @@ ONE_TEST(secd_81_item_acl_stress) ONE_TEST(secd_81_item_acl) #endif ONE_TEST(secd_82_persistent_ref) -DISABLED_ONE_TEST(secd_90_hsa2) +ONE_TEST(secd_83_item_match_policy) +ONE_TEST(secd_83_item_match_valid_on_date) +ONE_TEST(secd_83_item_match_trusted) +ONE_TEST(secd_90_hsa2) ONE_TEST(secd_95_escrow_persistence) ONE_TEST(secd_154_engine_backoff) - +ONE_TEST(secd_100_initialsync) +ONE_TEST(secd_130_other_peer_views) +ONE_TEST(secd_200_logstate) diff --git a/OSX/sec/securityd/SOSCloudCircleServer.c b/OSX/sec/securityd/SOSCloudCircleServer.c index 2647456d..33503349 100644 --- a/OSX/sec/securityd/SOSCloudCircleServer.c +++ b/OSX/sec/securityd/SOSCloudCircleServer.c @@ -25,6 +25,8 @@ #include <AssertMacros.h> #include <CoreFoundation/CFURL.h> +#include <Security/SecureObjectSync/SOSAccountTransaction.h> + #include <securityd/SOSCloudCircleServer.h> #include <Security/SecureObjectSync/SOSCloudCircle.h> #include <Security/SecureObjectSync/SOSCloudCircleInternal.h> 
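Review bot: In tests() the `error` out-parameter is reused by every call after the applicant block but is never released again, so a failure recorded by, say, SOSTransportMessageIDSTestCreate leaks and is then printed by later `"(%@)"` descriptions as if it belonged to them; add `CFReleaseNull(error);` after each call that takes `&error`, and do the same for `localError`, which both SOSAccountModifyCircle blocks and ids_test_sync set but never check or release. `static void tests()` is an old-style declaration with an unspecified parameter list; the sibling secd-90-hsa2.c in this same patch writes `static void tests(void)`. The descriptions `"Alice transport type not IDS"` and `"Bob transport type not IDS"` name the failure rather than the asserted condition, so a passing run prints `ok ... Alice transport type not IDS`; `"Alice transport type is IDS2.0"` reads correctly either way. In ids_test_sync the `done` flag is dead, since its only assignment is immediately followed by `break` and `while(done == false)` never sees it true, and because `ok(SyncingCompletedOverIDS, ...)` sits inside that loop the number of reported tests, and hence whether plan_tests(101) is right, depends on how many rounds the IDS test transports take to drain; `for (;;)` with the `ok()` moved after the loop would make both explicit.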
@@ -46,6 +48,7 @@ #include <utilities/SecCFWrappers.h> #include <utilities/SecCFRelease.h> +#include <utilities/SecCFError.h> #include <utilities/debugging.h> #include <utilities/SecCoreCrypto.h> #include <SOSCircle/CKBridge/SOSCloudKeychainClient.h> @@ -71,16 +74,13 @@ #include <Security/SecAccessControlPriv.h> #include <securityd/SecDbKeychainItem.h> +#include <os/activity.h> +#include <os/state_private.h> + #if TARGET_OS_EMBEDDED || TARGET_IPHONE_SIMULATOR #include <MobileGestalt.h> #else #include <AppleSystemInfo/AppleSystemInfo.h> - -// We need authorization, but that doesn't exist -// on sec built for desktop (iOS in a process) -// Define AuthorizationRef here to make SystemConfiguration work -// as if it's on iOS. -typedef const struct AuthorizationOpaqueRef * AuthorizationRef; #endif #define SOSCKCSCOPE "sync" @@ -104,8 +104,8 @@ bool SOSKeychainAccountSetFactoryForAccount(SOSCCAccountDataSourceFactoryBlock b // Forward declared // -static void do_with_account(void (^action)(SOSAccountRef account)); -static void do_with_account_async(void (^action)(SOSAccountRef account)); +static void do_with_account(void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)); +static void do_with_account_async(void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)); // // Constants 
@@ -191,30 +191,22 @@ bool SOSItemUpdateOrAdd(CFStringRef service, CFStringRef accessibility, CFDataRe return SecError(saveStatus, error, CFSTR("Error saving %@ to service '%@'"), data, service); } -static void SOSKeychainAccountEnsureSaved(SOSAccountRef account) +static void SOSKeychainAccountEnsureSaved(CFDataRef accountAsData) { static CFDataRef sLastSavedAccountData = NULL; CFErrorRef saveError = NULL; - CFDataRef accountAsData = NULL; - - accountAsData = SOSAccountCopyEncodedData(account, kCFAllocatorDefault, &saveError); - - require_action_quiet(accountAsData, exit, secerror("Failed to transform account into data, error: %@", saveError)); require_quiet(!CFEqualSafe(sLastSavedAccountData, accountAsData), exit); - if (!SOSItemUpdateOrAdd(kSOSAccountLabel, kSecAttrAccessibleAlwaysThisDeviceOnly, accountAsData, &saveError)) { + if (!SOSItemUpdateOrAdd(kSOSAccountLabel, kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, accountAsData, &saveError)) { secerror("Can't save account: %@", saveError); goto exit; } - CFReleaseNull(sLastSavedAccountData); - sLastSavedAccountData = accountAsData; - accountAsData = NULL; + CFAssignRetained(sLastSavedAccountData, CFRetainSafe(accountAsData)); exit: CFReleaseNull(saveError); - CFReleaseNull(accountAsData); } @@ -384,7 +376,7 @@ static CFDictionaryRef CreateDeviceGestaltDictionary(SCDynamicStoreRef store, CF static void SOSCCProcessGestaltUpdate(SCDynamicStoreRef store, CFArrayRef keys, void *context) { - do_with_account(^(SOSAccountRef account) { + do_with_account(^(SOSAccountRef account, SOSAccountTransactionRef txn) { if(account){ CFDictionaryRef gestalt = CreateDeviceGestaltDictionary(store, keys, context); if (SOSAccountUpdateGestalt(account, gestalt)) { 
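Review bot: Moving the DER encoding to the caller also dropped the `require_action_quiet(accountAsData, exit, ...)` guard, so SOSKeychainAccountEnsureSaved now forwards a NULL `accountAsData` to SOSItemUpdateOrAdd whenever the cache already holds a value (CFEqualSafe of a non-NULL and a NULL is false); either restore `require_quiet(accountAsData, exit);` at the top or document that callers must never pass NULL. The `CFAssignRetained(sLastSavedAccountData, CFRetainSafe(accountAsData));` transfer is correct, but the purpose of the function-static cache deserves a comment above the CFEqualSafe check, e.g. `// Skip the keychain write when the encoded account is unchanged since the last save.`. The switch to kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate changes the protection class of the stored account blob, and a one-line comment on why the private variant is required would help the next reader. The cache is unsynchronised, which is presumably fine if every caller is serialised through do_with_account, but that assumption is not visible in this hunk.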
@@ -422,8 +414,31 @@ done: return gestalt; } -static void do_with_account(void (^action)(SOSAccountRef account)); -static void do_with_account_async(void (^action)(SOSAccountRef account)); +os_state_block_t accountStateBlock = ^os_state_data_t(os_state_hints_t hints) { + os_state_data_t retval = NULL; + CFDataRef savedAccount = NULL; + if(hints->osh_api != OS_STATE_API_REQUEST) return NULL; + + /* Get account DER */ + savedAccount = SOSKeychainCopySavedAccountData(); + require_quiet(savedAccount, errOut); + + /* make a os_state_data_t object to return. */ + size_t statelen = CFDataGetLength(savedAccount); + retval = (os_state_data_t)calloc(1, OS_STATE_DATA_SIZE_NEEDED(statelen)); + require_quiet(retval, errOut); + + retval->osd_type = OS_STATE_DATA_PROTOCOL_BUFFER; + memcpy(retval->osd_data, CFDataGetBytePtr(savedAccount), statelen); + retval->osd_size = statelen; + strlcpy(retval->osd_title, "CloudCircle Account Object", sizeof(retval->osd_title)); + +errOut: + CFReleaseNull(savedAccount); + return retval; +}; + + static SOSAccountRef GetSharedAccount(void) { static SOSAccountRef sSharedAccount = NULL; @@ -469,7 +484,7 @@ static SOSAccountRef GetSharedAccount(void) { if (CFSetContainsValue(peer_additions, me)) { // TODO: Potentially remove from here and move this to the engine - // TODO: We also need to do this when our views change. + // TODO: We also need to do this when our views change. SOSCCSyncWithAllPeers(); } } 
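Review bot: `accountStateBlock` hands the complete saved account DER to any os_state request (sysdiagnose), and nothing in the hunk establishes that this blob is free of secret material — the same blob is stored under a ThisDeviceOnly accessibility class elsewhere in this patch and the account object carries a private credential (see SOSAccountGetPrivateCredential / SOSAccountPurgePrivateCredential in this file), so the exported bytes should be audited or redacted before sysdiagnose archives start carrying them. Suggest a comment at the top of the block stating the contract, e.g. `/* Exported to sysdiagnose: the encoded account must not contain the user's private credential or other key material — TODO confirm what SOSAccountCopyEncodedData serializes */`. Minor: the payload is DER but is tagged `OS_STATE_DATA_PROTOCOL_BUFFER`, and `CFDataGetLength` (a signed CFIndex) is assigned to `size_t statelen`; presumably the type is the closest available and the length is non-negative, but a short comment would save the next reader the same questions.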
@@ -505,11 +520,11 @@ static SOSAccountRef GetSharedAccount(void) { SOSCloudKeychainSetItemsChangedBlock(^CFArrayRef(CFDictionaryRef changes) { CFRetainSafe(changes); __block CFMutableArrayRef handledKeys = NULL; - do_with_account(^(SOSAccountRef account) { + do_with_account(^(SOSAccountRef account, SOSAccountTransactionRef txn) { CFStringRef changeDescription = SOSItemsChangedCopyDescription(changes, false); secdebug(SOSCKCSCOPE, "Received: %@", changeDescription); CFReleaseSafe(changeDescription); - + CFErrorRef error = NULL; handledKeys = SOSTransportDispatchMessages(account, changes, &error); if (!handledKeys) { 
@@ -517,64 +532,58 @@ static SOSAccountRef GetSharedAccount(void) { CFReleaseNull(error); } }); - CFReleaseSafe(changes); + CFReleaseSafe(changes); return handledKeys; }); CFReleaseSafe(gestalt); + SOSAccountSetSaveBlock(sSharedAccount, ^(CFDataRef flattenedAccount, CFErrorRef flattenFailError) { + if (flattenedAccount) { + SOSKeychainAccountEnsureSaved(flattenedAccount); + } else { + secerror("Failed to transform account into data, error: %@", flattenFailError); + } + }); + // TODO: We should not be doing extra work whenever securityd is launched, let's see if we can eliminate this call SOSCloudKeychainRequestEnsurePeerRegistration(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL); + + // provide state handler to sysdiagnose and logging + os_state_add_handler(dispatch_get_global_queue(0, 0), accountStateBlock); + }); - + return sSharedAccount; } -static void do_with_account_dynamic(void (^action)(SOSAccountRef account), bool sync) { - Boolean keyExistsAndHasValue = false; - whichTransportType = CFPreferencesGetAppIntegerValue(CFSTR("Transport"), CFSTR("com.apple.security"), &keyExistsAndHasValue); +static void do_with_account_dynamic(bool sync, void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)) { + SOSAccountRef account = GetSharedAccount(); if(account){ - dispatch_block_t do_action_and_save = ^{ - SOSPeerInfoRef mpi = SOSAccountGetMyPeerInfo(account); - bool wasInCircle = SOSAccountIsInCircle(account, NULL); - CFSetRef beforeViews = mpi ? SOSPeerInfoCopyEnabledViews(mpi) : NULL; - - action(account); - - // Fake transaction around using the account object - SOSAccountFinishTransaction(account); - - mpi = SOSAccountGetMyPeerInfo(account); // Update the peer - bool isInCircle = SOSAccountIsInCircle(account, NULL); - - CFSetRef afterViews = mpi ? 
SOSPeerInfoCopyEnabledViews(mpi) : NULL; - - if(!CFEqualSafe(beforeViews, afterViews) || wasInCircle != isInCircle) { - notify_post(kSOSCCViewMembershipChangedNotification); - } - - CFReleaseNull(beforeViews); - CFReleaseNull(afterViews); - - SOSKeychainAccountEnsureSaved(account); - }; - - if (sync) { - dispatch_sync(SOSAccountGetQueue(account), do_action_and_save); - } else { - dispatch_async(SOSAccountGetQueue(account), do_action_and_save); - } + SOSAccountWithTransaction(account, sync, action); } } -__unused static void do_with_account_async(void (^action)(SOSAccountRef account)) { - do_with_account_dynamic(action, false); +__unused static void do_with_account_async(void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)) { + do_with_account_dynamic(false, action); +} + +static void do_with_account(void (^action)(SOSAccountRef account, SOSAccountTransactionRef txn)) { + do_with_account_dynamic(true, action); } -static void do_with_account(void (^action)(SOSAccountRef account)) { - do_with_account_dynamic(action, true); +static bool isValidUser(CFErrorRef* error) { +#if !(TARGET_OS_EMBEDDED) + if(geteuid() == 0){ + secerror("Cannot inflate account object as root"); + SOSErrorCreate(kSOSErrorUnsupported, error, NULL, CFSTR("Cannot inflate account object as root")); + return false; + } +#endif + + return true; } static bool do_if_after_first_unlock(CFErrorRef *error, dispatch_block_t action) 
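Review bot: The rewritten `do_with_account_dynamic` drops the before/after view comparison, the `notify_post(kSOSCCViewMembershipChangedNotification)` and the `SOSKeychainAccountEnsureSaved` call, and nothing in this hunk shows where those now happen; presumably `SOSAccountWithTransaction` posts the notification and invokes the save block installed by `SOSAccountSetSaveBlock`, but that is inferred, not visible. If so, a comment on `do_with_account_dynamic` would prevent someone reintroducing the old post-action work: `// Saving and kSOSCCViewMembershipChangedNotification are owned by SOSAccountWithTransaction — do not add them here`. Also note `isValidUser` only refuses euid 0 on non-embedded builds; a one-line comment on the `#if !(TARGET_OS_EMBEDDED)` explaining that securityd is per-user on macOS and root has no account would make the asymmetry deliberate rather than accidental. `do_if_after_first_unlock` at the end of the hunk continues outside it.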
@@ -598,52 +607,80 @@ fail: #endif } -static bool do_with_account_if_after_first_unlock(CFErrorRef *error, bool (^action)(SOSAccountRef account, CFErrorRef* error)) +static bool do_with_account_if_after_first_unlock(CFErrorRef *error, bool (^action)(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* error)) { __block bool action_result = false; -#if !(TARGET_OS_EMBEDDED) - if(geteuid() == 0){ - secerror("Cannot inflate account object as root"); - if(error) - *error = CFErrorCreate(kCFAllocatorDefault, CFSTR("com.apple.security"), RUN_AS_ROOT_ERROR, NULL); - return false; - } -#endif - return do_if_after_first_unlock(error, ^{ - do_with_account(^(SOSAccountRef account) { - action_result = action(account, error); + return isValidUser(error) && do_if_after_first_unlock(error, ^{ + do_with_account(^(SOSAccountRef account, SOSAccountTransactionRef txn) { + action_result = action(account, txn, error); }); }) && action_result; } -static bool do_with_account_while_unlocked(CFErrorRef *error, bool (^action)(SOSAccountRef account, CFErrorRef* error)) +static bool isAssertionLockAcquireError(CFErrorRef error) { + return (CFErrorGetCode(error) == kIOReturnNotPermitted) && (CFEqualSafe(CFErrorGetDomain(error), kSecKernDomain)); +} + +static bool do_with_account_while_unlocked(CFErrorRef *error, bool (^action)(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* error)) { + bool result = false; + + CFErrorRef statusError = NULL; + __block bool action_result = false; + __block bool attempted_action = false; + __block CFErrorRef localError = NULL; -#if !(TARGET_OS_EMBEDDED) - if(geteuid() == 0){ - secerror("Cannot inflate account object as root"); - if(error) - *error = CFErrorCreate(kCFAllocatorDefault, CFSTR("com.apple.security"), RUN_AS_ROOT_ERROR, NULL); - return false; - } -#endif - return SecAKSDoWhileUserBagLocked(error, ^{ - do_with_account(^(SOSAccountRef account) { - action_result = action(account, error); + require_quiet(isValidUser(error), 
done); + + result = SecAKSDoWhileUserBagLocked(&localError, ^{ + do_with_account(^(SOSAccountRef account, SOSAccountTransactionRef txn) { + attempted_action = true; + action_result = action(account, txn, error); }); + }); - }) && action_result; + // For <rdar://problem/24355048> 13E196: Circle join fails after successful recovery with a mach error if performed while device is locked + // If we fail with an error attempting to get an assertion while someone else has one and the system is unlocked, it must be trying to lock. + // we assume our caller will hold the lock assertion for us to finsh our job. + // to be extra paranoid we track if we tried the caller's block. If we did we don't do it again. + + require_quiet(result == false && isAssertionLockAcquireError(localError), done); + require_quiet(!attempted_action, done); + + bool isUnlocked = false; + (void) SecAKSGetIsUnlocked(&isUnlocked, &statusError); + require_action_quiet(isUnlocked, done, secnotice("while-unlocked-hack", "Not trying action, aks bag locked (%@)", statusError)); + + CFReleaseNull(localError); + + secnotice("while-unlocked-hack", "Trying action while unlocked without assertion"); + + result = true; + do_with_account(^(SOSAccountRef account, SOSAccountTransactionRef txn) { + action_result = action(account, txn, &localError); + }); + + secnotice("while-unlocked-hack", "Action %s (%@)", action_result ? "succeeded" : "failed", localError); + +done: + if (error && !*error && localError) { + CFTransferRetained(*error, localError); + } + CFReleaseNull(localError); + CFReleaseNull(statusError); + + return result && action_result; } SOSAccountRef SOSKeychainAccountGetSharedAccount() { __block SOSAccountRef result = NULL; - do_with_account(^(SOSAccountRef account) { + do_with_account(^(SOSAccountRef account, SOSAccountTransactionRef txn) { result = account; }); 
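Review bot: `isAssertionLockAcquireError` dereferences its argument unconditionally, yet `do_with_account_while_unlocked` calls it as `isAssertionLockAcquireError(localError)` right after a failed `SecAKSDoWhileUserBagLocked`, so if that call fails without populating `localError` the `CFErrorGetCode(NULL)` is a NULL dereference in securityd. The helper should guard its input: `return error != NULL && (CFErrorGetCode(error) == kIOReturnNotPermitted) && CFEqualSafe(CFErrorGetDomain(error), kSecKernDomain);`. The retry path is also a check-then-act: between `SecAKSGetIsUnlocked` and the second `do_with_account` no assertion is held, so the keybag can lock mid-action; the comment already states the caller is assumed to hold one, but it would be worth adding `// NOTE: no assertion of our own here; if the caller's lapses the action runs against a locked bag and must fail safely` so the assumption is visible at the call site.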
@@ -657,31 +694,37 @@ SOSAccountRef SOSKeychainAccountGetSharedAccount() bool SOSCCTryUserCredentials_Server(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error) { - return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { return SOSAccountTryUserCredentials(account, user_label, user_password, block_error); }); } - SOSViewResultCode SOSCCView_Server(CFStringRef viewname, SOSViewActionCode action, CFErrorRef *error) { __block SOSViewResultCode status = kSOSCCGeneralViewError; - do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + bool retval = false; + switch(action) { case kSOSCCViewQuery: - status = SOSAccountViewStatus(account, viewname, error); - break; + status = SOSAccountViewStatus(account, viewname, error); + retval = true; + break; case kSOSCCViewEnable: - case kSOSCCViewDisable: // fallthrough - status = SOSAccountUpdateView(account, viewname, action, error); - secnotice("views", "HEY!!!!!! I'm Changing VIEWS- %d", (int) status); - break; + status = SOSAccountUpdateView(account, viewname, action, error); + retval = true; + break; + + case kSOSCCViewDisable: + status = SOSAccountUpdateView(account, viewname, action, error); + retval = true; + break; default: secnotice("views", "Bad SOSViewActionCode - %d", (int) action); - return false; + retval = false; break; } - return true; + return retval; }); return status; } 
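Review bot: The new `SOSCCView_Server` lines pass the outer `error` to `SOSAccountViewStatus` and `SOSAccountUpdateView` instead of the block's own `block_error` parameter; it is harmless today because `do_with_account_if_after_first_unlock` forwards the same pointer, but the block should use the parameter it is given so the wrapper can change how it routes errors later — `status = SOSAccountUpdateView(account, viewname, action, block_error);`. The former `kSOSCCViewEnable` / `kSOSCCViewDisable` fallthrough is also split into two byte-identical cases, which only adds a place for the two to drift; keep the fallthrough with a `// fallthrough` marker, or merge them back.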
@@ -690,19 +733,17 @@ SOSViewResultCode SOSCCView_Server(CFStringRef viewname, SOSViewActionCode actio bool SOSCCViewSet_Server(CFSetRef enabledViews, CFSetRef disabledViews) { __block bool status = false; - do_with_account_if_after_first_unlock(NULL, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + do_with_account_if_after_first_unlock(NULL, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { status = SOSAccountUpdateViewSets(account, enabledViews, disabledViews); return true; }); return status; } - - SOSSecurityPropertyResultCode SOSCCSecurityProperty_Server(CFStringRef property, SOSSecurityPropertyActionCode action, CFErrorRef *error) { __block SOSViewResultCode status = kSOSCCGeneralSecurityPropertyError; - do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { switch(action) { case kSOSCCSecurityPropertyQuery: status = SOSAccountSecurityPropertyStatus(account, property, error); @@ -710,7 +751,6 @@ SOSSecurityPropertyResultCode SOSCCSecurityProperty_Server(CFStringRef property, case kSOSCCSecurityPropertyEnable: case kSOSCCSecurityPropertyDisable: // fallthrough status = SOSAccountUpdateSecurityProperty(account, property, action, error); - secnotice("secprop", "HEY!!!!!! I'm Changing SecurityProperties- %d", (int) status); break; default: secnotice("secprop", "Bad SOSSecurityPropertyActionCode - %d", (int) action); 
@@ -726,29 +766,20 @@ void sync_the_last_data_to_kvs(SOSAccountRef account, bool waitForeverForSynchro dispatch_semaphore_t wait_for = dispatch_semaphore_create(0); dispatch_retain(wait_for); // Both this scope and the block own it. - - __block bool success = false; - + secnoticeq("force-push", "calling SOSCloudKeychainSynchronizeAndWait"); - - CFMutableArrayRef keysToGet = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - - SOSCloudKeychainSynchronizeAndWait(keysToGet, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) { - + + SOSCloudKeychainSynchronizeAndWait(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) { if (sync_error) { secerrorq("SOSCloudKeychainSynchronizeAndWait: %@", sync_error); } else { secnoticeq("force-push", "returned from call; in callback to SOSCloudKeychainSynchronizeAndWait: results: %@", returnedValues); - - success = true; } dispatch_semaphore_signal(wait_for); dispatch_release(wait_for); }); - - CFReleaseNull(keysToGet); - + if(waitForeverForSynchronization) dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER); else 
@@ -759,52 +790,33 @@ void sync_the_last_data_to_kvs(SOSAccountRef account, bool waitForeverForSynchro #define kWAIT2MINID "EFRESH" -static bool EnsureFreshParameters(SOSAccountRef account, CFErrorRef *error) { +static bool SyncKVSAndWait(CFErrorRef *error) { dispatch_semaphore_t wait_for = dispatch_semaphore_create(0); dispatch_retain(wait_for); // Both this scope and the block own it. - CFMutableArrayRef keysToGet = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - CFArrayAppendValue(keysToGet, kSOSKVSKeyParametersKey); - // Only get key parameters due to: <rdar://problem/22794892> Upgrading from Donner with an iCDP enabled account resets iCloud keychain on devices in circle - - __block CFDictionaryRef valuesToUpdate = NULL; __block bool success = false; - secnoticeq("fresh", "%s calling SOSCloudKeychainSynchronizeAndWait", kWAIT2MINID); + secnoticeq("fresh", "EFP calling SOSCloudKeychainSynchronizeAndWait"); - SOSCloudKeychainSynchronizeAndWait(keysToGet, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) { + os_activity_initiate("CloudCircle EFRESH", OS_ACTIVITY_FLAG_DEFAULT, ^(void) { + SOSCloudKeychainSynchronizeAndWait(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(__unused CFDictionaryRef returnedValues, CFErrorRef sync_error) { + secnotice("fresh", "EFP returned, callback error: %@", sync_error); - if (sync_error) { - secerrorq("%s SOSCloudKeychainSynchronizeAndWait: %@", kWAIT2MINID, sync_error); + success = (sync_error == NULL); if (error) { - *error = sync_error; - CFRetainSafe(*error); + CFRetainAssign(*error, sync_error); } - } else { - secnoticeq("fresh", "%s returned from call; in callback to SOSCloudKeychainSynchronizeAndWait: results: %@", kWAIT2MINID, returnedValues); - valuesToUpdate = returnedValues; - CFRetainSafe(valuesToUpdate); - success = true; - } - dispatch_semaphore_signal(wait_for); + dispatch_semaphore_signal(wait_for); + 
dispatch_release(wait_for); + }); + + + dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER); dispatch_release(wait_for); - }); - dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER); - // TODO: Maybe we timeout here... used to dispatch_time(DISPATCH_TIME_NOW, 30ull * NSEC_PER_SEC)); - dispatch_release(wait_for); - CFMutableArrayRef handledKeys = NULL; - if ((valuesToUpdate) && (account)) { - handledKeys = SOSTransportDispatchMessages(account, valuesToUpdate, error); - if (!handledKeys) { - secerrorq("%s Freshness update failed: %@", kWAIT2MINID, error ? *error : NULL); - success = false; - } - } - CFReleaseNull(handledKeys); - CFReleaseNull(valuesToUpdate); - CFReleaseNull(keysToGet); + secnotice("fresh", "EFP complete: %s %@", success ? "success" : "failure", error ? *error : NULL); + }); return success; } 
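Review bot: `SyncKVSAndWait` no longer references `kWAIT2MINID`, but the `#define kWAIT2MINID "EFRESH"` context line just above stays behind as a dead macro; either drop it or use it in the new `"EFP"` log strings. The removed `// TODO: Maybe we timeout here...` was the only acknowledgement that `dispatch_semaphore_wait(wait_for, DISPATCH_TIME_FOREVER)` blocks the calling securityd thread indefinitely if cloudkeychainproxy never calls back, and this patch also starts calling `SyncKVSAndWait` from inside an account transaction (SOSCCRequestEnsureFreshParameters_Server), so the note is more relevant now, not less. Suggest restoring it as `// TODO: unbounded wait on the KVS proxy; a stalled proxy hangs this caller (and any account transaction it holds)`. Minor: `CFRetainAssign(*error, sync_error)` writes into the caller's `*error` even when it already holds an earlier error; presumably the macro releases the old value, but if not this leaks.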
@@ -837,49 +849,31 @@ static bool Flush(CFErrorRef *error) { static bool SOSCCAssertUserCredentialsAndOptionalDSID(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error) { secnotice("updates", "Setting credentials and dsid (%@) for %@", dsid, user_label); - bool result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + + bool result = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { if (dsid != NULL && CFStringCompare(dsid, CFSTR(""), 0) != 0) { - CFStringRef accountDSID = SOSAccountGetValue(account, kSOSDSIDKey, NULL); - if( accountDSID == NULL){ - SOSAccountUpdateDSID(account, dsid); - secdebug("updates", "Setting dsid, current dsid is empty for this account: %@", dsid); - } - else if(CFStringCompare(dsid, accountDSID, 0) != kCFCompareEqualTo){ - secnotice("updates", "Changing DSID from: %@ to %@", accountDSID, dsid); + SOSAccountAssertDSID(account, dsid); + } + return true; + }); - //DSID has changed, blast the account! - SOSAccountSetToNew(account); + require_quiet(result, done); - //update DSID to the new DSID - SOSAccountUpdateDSID(account, dsid); - } - else { - secnotice("updates", "Not Changing DSID: %@ to %@", accountDSID, dsid); - } - - } - - // Short Circuit if this passes, return immediately. 
- if(SOSAccountTryUserCredentials(account, user_label, user_password, NULL)) { - return true; - } + require_quiet(SyncKVSAndWait(error), done); // Make sure we've seen what the server has + require_quiet(Flush(error), done); // And processed it already...before asserting - if (!EnsureFreshParameters(account, block_error)) { - return false; - } - if (!SOSAccountAssertUserCredentials(account, user_label, user_password, block_error)) { - secnotice("updates", "EnsureFreshParameters/SOSAccountAssertUserCredentials error: %@", *block_error); - return false; - } - return true; + result = do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *block_error) { + return SOSAccountAssertUserCredentials(account, user_label, user_password, block_error); }); - - if (result && Flush(error)) { - result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { - return SOSAccountGenerationSignatureUpdate(account, error); - }); - } + require_quiet(result, done); + require_quiet(Flush(error), done); // Process any incoming information..circles et.al. before fixing our signature + + result = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + return SOSAccountGenerationSignatureUpdate(account, error); + }); + +done: return result; } @@ -896,7 +890,7 @@ bool SOSCCSetUserCredentials_Server(CFStringRef user_label, CFDataRef user_passw bool SOSCCCanAuthenticate_Server(CFErrorRef *error) { - bool result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + bool result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { return SOSAccountGetPrivateCredential(account, block_error) != NULL; }); 
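Review bot: `SOSCCAssertUserCredentialsAndOptionalDSID` returns success when the KVS sync or either `Flush` fails: after the first transaction sets `result = true`, `require_quiet(SyncKVSAndWait(error), done)` and both `require_quiet(Flush(error), done)` jump to `done:` without clearing it, so the caller sees `true` together with a populated `*error`, and believes the credential (and its generation-signature update) were asserted when the last step never ran. Make each guard reset the result: `require_action_quiet(SyncKVSAndWait(error), done, result = false);` and `require_action_quiet(Flush(error), done, result = false);` for the two Flush calls. Also note the DSID assertion, credential assertion and signature update are now three separate `do_with_account_while_unlocked` transactions with KVS processing between them, so the account can be mutated by incoming changes in between — presumably intended ("processed it already...before asserting"), but the last block passes the outer `error` rather than `block_error` to `SOSAccountGenerationSignatureUpdate`, which should be fixed while here.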
@@ -912,7 +906,7 @@ bool SOSCCCanAuthenticate_Server(CFErrorRef *error) bool SOSCCPurgeUserCredentials_Server(CFErrorRef *error) { - return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { SOSAccountPurgePrivateCredential(account); return true; }); @@ -922,7 +916,7 @@ SOSCCStatus SOSCCThisDeviceIsInCircle_Server(CFErrorRef *error) { __block SOSCCStatus status; - return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { status = SOSAccountGetCircleStatus(account, block_error); return true; }) ? status : kSOSCCError; 
@@ -932,19 +926,50 @@ bool SOSCCRequestToJoinCircle_Server(CFErrorRef* error) { __block bool result = true; - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { - result = SOSAccountJoinCircles(account, block_error); + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + result = SOSAccountJoinCircles(txn, block_error); return result; }); } +bool SOSCCAccountHasPublicKey_Server(CFErrorRef *error) +{ + __block bool result = true; + __block CFErrorRef localError = NULL; + + bool hasPublicKey = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + result = SOSAccountHasPublicKey(account, &localError); + return result; + }); + + if(error != NULL && localError != NULL) + *error = localError; + + return hasPublicKey; +} + +bool SOSCCAccountIsNew_Server(CFErrorRef *error) +{ + __block bool result = true; + __block CFErrorRef localError = NULL; + + (void) do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + result = SOSAccountIsNew(account, &localError); + return result; + }); + + if(error != NULL && localError != NULL) + *error = localError; + + return result; +} bool SOSCCRequestToJoinCircleAfterRestore_Server(CFErrorRef* error) { __block bool result = true; bool returned = false; - returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { SOSAccountEnsurePeerRegistration(account, block_error); - result = SOSAccountJoinCirclesAfterRestore(account, block_error); + result = SOSAccountJoinCirclesAfterRestore(txn, block_error); return result; }); return returned; 
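Review bot: `SOSCCAccountIsNew_Server` answers "yes, the account is new" whenever it cannot look: `result` is initialised to `true` and returned directly, so if `do_with_account_while_unlocked` refuses to run the block (root on macOS, keybag locked) the caller is told the account is new without `SOSAccountIsNew` ever executing — a state-dependent decision (reset, join) made on a default. Initialise `__block bool result = false;` or AND the wrapper's return into the result as `SOSCCAccountHasPublicKey_Server` does. Both new functions also do `*error = localError` unconditionally, which overwrites (and leaks) any error the wrapper already stored and leaks `localError` when `error` is NULL; `if (error && *error == NULL) { *error = localError; } else { CFReleaseNull(localError); }` handles both, or simply pass `block_error` through and drop `localError`.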
@@ -953,23 +978,26 @@ bool SOSCCRequestToJoinCircleAfterRestore_Server(CFErrorRef* error) bool SOSCCRequestEnsureFreshParameters_Server(CFErrorRef* error) { - __block bool result = true; bool returned = false; - returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { - result = EnsureFreshParameters(account, NULL); - return result; + returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + return SyncKVSAndWait(block_error); }); + if (returned) { + returned = Flush(error); + } return returned; } bool SOSCCApplyToARing_Server(CFStringRef ringName, CFErrorRef *error){ __block bool result = true; bool returned = false; - returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { SOSFullPeerInfoRef fpi = SOSAccountGetMyFullPeerInfo(account); - SOSRingRef ring = SOSAccountGetRing(account, ringName, error); - if(fpi && ring) + SOSRingRef ring = SOSAccountCopyRing(account, ringName, error); + if(fpi && ring) { result = SOSRingApply(ring, account->user_public, fpi , error); + } + CFReleaseNull(ring); return result; }); return returned; 
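Review bot: `SOSCCRequestEnsureFreshParameters_Server` now runs `SyncKVSAndWait` inside `do_with_account_while_unlocked`, so an unbounded wait on the KVS proxy is performed while holding the AKS lock assertion and, presumably, the account's serial queue (the sync path goes through `SOSAccountWithTransaction(account, true, ...)`); every other SOS request is blocked for the duration, and if the proxy delivers item changes through the items-changed block (which itself enters `do_with_account`) before invoking the sync callback, the two would wait on each other. `SOSCCAssertUserCredentialsAndOptionalDSID` in this same patch avoids this by calling `SyncKVSAndWait` between transactions rather than inside one; this function should follow the same shape, e.g. `returned = isValidUser(error) && SyncKVSAndWait(error) && Flush(error);`, or at minimum carry a comment explaining why blocking inside the transaction is safe here. In the ring functions, `SOSAccountCopyRing(account, ringName, error)` should take `block_error`.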
@@ -978,11 +1006,13 @@ bool SOSCCApplyToARing_Server(CFStringRef ringName, CFErrorRef *error){ bool SOSCCWithdrawlFromARing_Server(CFStringRef ringName, CFErrorRef *error){ __block bool result = true; bool returned = false; - returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { SOSFullPeerInfoRef fpi = SOSAccountGetMyFullPeerInfo(account); - SOSRingRef ring = SOSAccountGetRing(account, ringName, error); - if(fpi && ring) + SOSRingRef ring = SOSAccountCopyRing(account, ringName, error); + if(fpi && ring) { result = SOSRingWithdraw(ring, account->user_public, fpi , error); + } + CFReleaseNull(ring); return result; }); return returned; @@ -991,11 +1021,13 @@ bool SOSCCWithdrawlFromARing_Server(CFStringRef ringName, CFErrorRef *error){ bool SOSCCEnableRing_Server(CFStringRef ringName, CFErrorRef *error){ __block bool result = true; bool returned = false; - returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { SOSFullPeerInfoRef fpi = SOSAccountGetMyFullPeerInfo(account); - SOSRingRef ring = SOSAccountGetRing(account, ringName, error); - if(fpi && ring) - result = SOSRingResetToOffering(ring, NULL, fpi, error); ; + SOSRingRef ring = SOSAccountCopyRing(account, ringName, error); + if(fpi && ring) { + result = SOSRingResetToOffering(ring, NULL, fpi, error); + } + CFReleaseNull(ring); return result; }); return returned; 
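Review bot: `SOSCCWithdrawlFromARing_Server` and `SOSCCEnableRing_Server` report success when the ring cannot be found: `result` starts as `true`, and the new `if(fpi && ring) { ... }` leaves it untouched when `SOSAccountCopyRing` returns NULL (with `*error` set) or there is no full peer info, so the caller is told the withdraw/offer happened. Set the failure explicitly, e.g. `result = (fpi && ring) ? SOSRingWithdraw(ring, account->user_public, fpi, block_error) : false;`, and likewise for `SOSRingResetToOffering`. The switch from `SOSAccountGetRing` to `SOSAccountCopyRing` plus `CFReleaseNull(ring)` is correct ownership-wise; just pass `block_error` rather than the outer `error` to the copy call.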
@@ -1005,14 +1037,11 @@ CFStringRef SOSCCGetAllTheRings_Server(CFErrorRef *error){ __block CFMutableDictionaryRef result = NULL; __block CFMutableStringRef description = CFStringCreateMutable(kCFAllocatorDefault, 0); - (void) do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, CFErrorRef *error) { - result = SOSAccountGetRings(account, error); - - if(isDictionary(result)){ - CFDictionaryForEach(result, ^(const void *key, const void *value) { - CFStringAppendFormat(description, NULL, CFSTR("%@"), value); - }); - } + (void) do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { + SOSAccountForEachRing(account, ^SOSRingRef(CFStringRef name, SOSRingRef ring) { + CFStringAppendFormat(description, NULL, CFSTR("%@\n"), ring); + return NULL; + }); if(result) return true; return false; @@ -1024,13 +1053,16 @@ CFStringRef SOSCCGetAllTheRings_Server(CFErrorRef *error){ SOSRingStatus SOSCCRingStatus_Server(CFStringRef ringName, CFErrorRef *error){ __block bool result = true; SOSRingStatus returned; - returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + returned = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { SOSFullPeerInfoRef fpi = SOSAccountGetMyFullPeerInfo(account); SOSPeerInfoRef myPeer = SOSFullPeerInfoGetPeerInfo(fpi); - SOSRingRef ring = SOSAccountGetRing(account, ringName, error); - if(myPeer && ring) + SOSRingRef ring = SOSAccountCopyRing(account, ringName, error); + if(myPeer && ring) { result = SOSRingDeviceIsInRing(ring, SOSPeerInfoGetPeerID(myPeer)); + } + CFReleaseNull(ring); + return result; }); return returned; 
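Review bot: In `SOSCCGetAllTheRings_Server` the `__block CFMutableDictionaryRef result` is now never assigned — the `SOSAccountGetRings` call that populated it is gone — so the trailing `if(result) return true; return false;` always reports failure even though `description` has been filled in by `SOSAccountForEachRing`. Drop `result` and return `true` from the block (or `return CFStringGetLength(description) > 0;` if an empty ring set should count as failure); the return value is discarded by the `(void)` caller today, but leaving a dead always-false path invites a wrong fix later. The function starts before this hunk and its body continues after it. In `SOSCCRingStatus_Server`, `SOSAccountCopyRing(..., error)` should use `block_error`, and `result` again stays `true` when `myPeer` or `ring` is NULL.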
@@ -1040,7 +1072,7 @@ CFStringRef SOSCCCopyDeviceID_Server(CFErrorRef *error) { __block CFStringRef result = NULL; - (void) do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, CFErrorRef *error) { + (void) do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { result = SOSAccountCopyDeviceID(account, error); return (!isNull(result)); }); 
@@ -1051,70 +1083,66 @@ bool SOSCCSetDeviceID_Server(CFStringRef IDS, CFErrorRef *error){ bool didSetID = false; __block bool result = false; - __block CFErrorRef blockError = NULL; + + didSetID = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + result = SOSAccountSetMyDSID(account, IDS, error); + + if(block_error && error != NULL ){ + *error = *block_error; + } + return result; + }); - didSetID = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { - result = SOSAccountSetMyDSID(account, IDS, block_error); - if(block_error) - blockError = CFRetainSafe(*block_error); + return didSetID; +} + +bool SOSCCRequestSyncWithPeerOverKVS_Server(CFStringRef deviceID, CFErrorRef *error) +{ + __block bool result = NULL; + + result = do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { + result = SOSAccountSyncWithKVSUsingIDSID(account, deviceID, error); return result; }); + return result; +} + +bool SOSCCRequestSyncWithPeerOverIDS_Server(CFStringRef deviceID, CFErrorRef *error) +{ + __block bool result = NULL; - if(error){ - *error = blockError; - } - return didSetID; + result = do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { + result = SOSAccountSyncWithIDSPeer(account, deviceID, error); + return result; + }); + return result; } HandleIDSMessageReason SOSCCHandleIDSMessage_Server(CFDictionaryRef messageDict, CFErrorRef* error) { - // TODO: Locking flow: - /* - COMMON: - - Get PeerCoder instance from SOSPeerCoderManager(Currently Engine) - - Get Account lock and Initialize PeerCoder instance if it isn't valid yet. - INCOMING: - - Decode incoming msg on coder. - - Pass msg along to SOSPeerRef if decoding is done. - - Force reply from coder while in handshake mode. (or ask ckd to ask us later?) - - save coder state. 
- - - Lookup SOSPeerRef in SOSEngineRef (getting engine lock temporarily to get peer. - - Ask peer to handle decoded message - - be notified of changed objects in all peers and update peer/engine states - - save peer/engine state - - OUTGOING: - - Ask coder to send an outgoing message if it is negotiating - - Ask peer to create a message if needed - - Encode peer msg with coder - - save coder state - - send reply to ckd for transporting - */ - __block HandleIDSMessageReason result = kHandleIDSMessageSuccess; CFErrorRef action_error = NULL; - if (!do_with_account_while_unlocked(&action_error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + if (!do_with_account_while_unlocked(&action_error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSTransportMessageIDSHandleMessage(account, messageDict, error); - return result; + return true; })) { if (action_error) { - if (SecErrorGetOSStatus(action_error) == errSecInteractionNotAllowed) { - secnotice("updates", "SOSCCHandleIDSMessage_Server failed because device is locked; letting IDSKeychainSyncingProxy know"); - result = kHandleIDSMessageLocked; // tell IDSKeychainSyncingProxy to call us back when device unlocks + CFStringRef errorMessage = CFErrorCopyDescription(action_error); + if (CFEqualSafe(errorMessage, CFSTR("The operation couldnât be completed. 
(Mach error -536870174 - Kern return error)")) ) { + secnotice("updates", "SOSCCHandleIDSMessage_Server failed because device is locked; letting IDSKeychainSyncingProxy know"); + result = kHandleIDSMessageLocked; // tell IDSKeychainSyncingProxy to call us back when device unlocks + } else { + secerror("Unexpected error: %@", action_error); + } + + if (error && *error == NULL) { + *error = action_error; + action_error = NULL; + } + CFReleaseNull(errorMessage); CFReleaseNull(action_error); - } else { - secerror("Unexpected error: %@", action_error); - } - - if (error && *error == NULL) { - *error = action_error; - action_error = NULL; } - - CFReleaseNull(action_error); - } } return result; } @@ -1124,10 +1152,8 @@ bool SOSCCIDSPingTest_Server(CFStringRef message, CFErrorRef *error){ __block bool result = true; __block CFErrorRef blockError = NULL; - didSendTestMessages = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { - result = SOSAccountStartPingTest(account, message, block_error); - if(block_error) - blockError = CFRetainSafe(*block_error); + didSendTestMessages = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + result = SOSAccountStartPingTest(account, message, &blockError); return result; }); if(blockError && error != NULL) @@ -1141,7 +1167,7 @@ bool SOSCCIDSServiceRegistrationTest_Server(CFStringRef message, CFErrorRef *err __block bool result = true; __block CFErrorRef blockError = NULL; - didSendTestMessages = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + didSendTestMessages = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountSendIDSTestMessage(account, message, &blockError); return result; }); 
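Review bot: `SOSCCHandleIDSMessage_Server` detects the locked-device case by comparing `CFErrorCopyDescription(action_error)` against a hard-coded English description containing a curly apostrophe (rendered here as `couldnât`), so the check breaks under any other locale, any change to the description format, or any source-encoding slip — and the current `result` would then be left as `kHandleIDSMessageSuccess` while the message was never handled. -536870174 is 0xE00002E2, i.e. `kIOReturnNotPermitted`, which is exactly the condition `isAssertionLockAcquireError` introduced earlier in this patch tests on domain and code; use it: `if (isAssertionLockAcquireError(action_error)) {`. The block's `return true;` also means `result` from `SOSTransportMessageIDSHandleMessage` never influences the wrapper's failure path, so the `action_error` branch is only reachable when the wrapper itself fails — presumably intended, but worth a comment. Separately, in `SOSCCSetDeviceID_Server` the block passes `error` to `SOSAccountSetMyDSID` and then does `*error = *block_error`, which is a self-assignment since the wrapper forwards the same pointer; pass `block_error` and delete the copy, and replace `__block bool result = NULL;` with `false` in the two new sync functions.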
@@ -1156,11 +1182,11 @@ bool SOSCCIDSDeviceIDIsAvailableTest_Server(CFErrorRef *error){ __block bool result = true; __block CFErrorRef blockError = NULL; - didSendTestMessages = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + didSendTestMessages = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountRetrieveDeviceIDFromIDSKeychainSyncingProxy(account, &blockError); return result; }); - if(blockError && error != NULL) + if(blockError != NULL && error != NULL) *error = blockError; return didSendTestMessages; @@ -1170,7 +1196,7 @@ bool SOSCCAccountSetToNew_Server(CFErrorRef *error) { __block bool result = true; - return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { clearAllKVS(NULL); SOSAccountSetToNew(account); return result; @@ -1181,9 +1207,9 @@ bool SOSCCResetToOffering_Server(CFErrorRef* error) { __block bool result = true; - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { clearAllKVS(NULL); - result = SOSAccountResetToOffering(account, block_error); + result = SOSAccountResetToOffering(txn, block_error); return result; }); @@ -1193,7 +1219,7 @@ bool SOSCCResetToEmpty_Server(CFErrorRef* error) { __block bool result = true; - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountResetToEmpty(account, block_error); return result; }); 
@@ -1204,7 +1230,7 @@ bool SOSCCRemoveThisDeviceFromCircle_Server(CFErrorRef* error) { __block bool result = true; - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountLeaveCircle(account, block_error); return result; }); @@ -1214,7 +1240,7 @@ bool SOSCCRemovePeersFromCircle_Server(CFArrayRef peers, CFErrorRef* error) { __block bool result = true; - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountRemovePeersFromCircle(account, peers, block_error); return result; }); @@ -1225,19 +1251,19 @@ bool SOSCCLoggedOutOfAccount_Server(CFErrorRef *error) { __block bool result = true; - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { secnotice("sosops", "Signed out of account!"); bool waitForeverForSynchronization = true; result = SOSAccountLeaveCircle(account, block_error); - SOSAccountFinishTransaction(account); // Make sure this gets finished before we set to new. + SOSAccountTransactionFinishAndRestart(txn); // Make sure this gets finished before we set to new. - SOSAccountSetToNew(account); - sync_the_last_data_to_kvs(account, waitForeverForSynchronization); + SOSAccountSetToNew(account); + return result; }); } 
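Review bot: In the SOSCCLoggedOutOfAccount_Server hunk `bool waitForeverForSynchronization = true;` is now dead: the `sync_the_last_data_to_kvs(account, waitForeverForSynchronization);` call that consumed it was removed, so the local is only written, while the SOSCCBailFromCircle_Server hunk on the next line still performs that push before continuing. If dropping the KVS push on sign-out is intentional it deserves a one-line comment next to the reset, e.g. `// No final KVS push on sign-out: the account is reset immediately after leaving the circle.`; otherwise restore the call after `SOSAccountTransactionFinishAndRestart(txn);`. Either way delete the unused local. The result of SOSAccountLeaveCircle is still not consulted before SOSAccountSetToNew, which predates this change.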
@@ -1246,12 +1272,12 @@ bool SOSCCBailFromCircle_Server(uint64_t limit_in_seconds, CFErrorRef* error) { __block bool result = true; - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { bool waitForeverForSynchronization = false; result = SOSAccountBail(account, limit_in_seconds, block_error); - SOSAccountFinishTransaction(account); // Make sure this gets finished before we set to new. + SOSAccountTransactionFinishAndRestart(txn); // Make sure this gets finished before we push our data. sync_the_last_data_to_kvs(account, waitForeverForSynchronization); @@ -1264,7 +1290,7 @@ CFArrayRef SOSCCCopyApplicantPeerInfo_Server(CFErrorRef* error) { __block CFArrayRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountCopyApplicants(account, block_error); return result != NULL; }); @@ -1276,7 +1302,7 @@ CFArrayRef SOSCCCopyGenerationPeerInfo_Server(CFErrorRef* error) { __block CFArrayRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountCopyGeneration(account, block_error); return result != NULL; }); 
@@ -1288,7 +1314,7 @@ CFArrayRef SOSCCCopyValidPeerPeerInfo_Server(CFErrorRef* error) { __block CFArrayRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountCopyValidPeers(account, block_error); return result != NULL; }); @@ -1300,7 +1326,7 @@ bool SOSCCValidateUserPublic_Server(CFErrorRef* error) { __block bool result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSValidateUserPublic(account, block_error); return result; }); @@ -1312,7 +1338,7 @@ CFArrayRef SOSCCCopyNotValidPeerPeerInfo_Server(CFErrorRef* error) { __block CFArrayRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountCopyNotValidPeers(account, block_error); return result != NULL; }); @@ -1324,7 +1350,7 @@ CFArrayRef SOSCCCopyRetirementPeerInfo_Server(CFErrorRef* error) { __block CFArrayRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountCopyRetired(account, block_error); return result != NULL; }); 
@@ -1336,7 +1362,7 @@ CFArrayRef SOSCCCopyViewUnawarePeerInfo_Server(CFErrorRef* error) { __block CFArrayRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountCopyViewUnaware(account, block_error); return result != NULL; }); 
@@ -1358,115 +1384,71 @@ CFArrayRef SOSCCCopyEngineState_Server(CFErrorRef* error) return result; } -static CFStringRef CreateUUIDString() { - CFUUIDRef uuid = CFUUIDCreate(kCFAllocatorDefault); - CFStringRef result = CFUUIDCreateString(kCFAllocatorDefault, uuid); - CFReleaseNull(uuid); - return result; -} - -static CFStringRef SOSAccountCallWhenInSync(SOSAccountRef account, SOSAccountWaitForInitialSyncBlock syncBlock) { - //if we are not initially synced - CFStringRef id = NULL; - CFTypeRef unSyncedViews = SOSAccountGetValue(account, kSOSUnsyncedViewsKey, NULL); - if (unSyncedViews != NULL) { - id = CreateUUIDString(); - secnotice("initial-sync", "adding sync block [%@] to array!", id); - SOSAccountWaitForInitialSyncBlock copy = Block_copy(syncBlock); - CFDictionarySetValue(account->waitForInitialSync_blocks, id, copy); - Block_release(copy); - } else { - syncBlock(account); - } - - return id; -} - -static bool SOSAccountUnregisterCallWhenInSync(SOSAccountRef account, CFStringRef id) { - bool removed = CFDictionaryGetValueIfPresent(account->waitForInitialSync_blocks, id, NULL); - CFDictionaryRemoveValue(account->waitForInitialSync_blocks, id); - return removed; -} - bool SOSCCWaitForInitialSync_Server(CFErrorRef* error) { __block dispatch_semaphore_t inSyncSema = NULL; __block bool result = false; __block bool synced = false; bool timed_out = false; - __block CFStringRef inSyncCallID = NULL; secnotice("initial sync", "Wait for initial sync start!"); - result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { - bool alreadyInSync = SOSAccountCheckHasBeenInSync(account); + result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + bool alreadyInSync = SOSAccountHasCompletedInitialSync(account); if (!alreadyInSync) { inSyncSema = dispatch_semaphore_create(0); dispatch_retain(inSyncSema); // For the block inSyncCallID = 
SOSAccountCallWhenInSync(account, ^bool(SOSAccountRef mightBeSynced) { - secerror("might be synced!"); - synced = SOSAccountCheckHasBeenInSync(mightBeSynced); - - dispatch_semaphore_signal(inSyncSema); - dispatch_release(inSyncSema); - SOSAccountEnsureBackupStarts(account); + synced = true; + + if(inSyncSema){ + dispatch_semaphore_signal(inSyncSema); + if(inSyncSema) + dispatch_release(inSyncSema); + } return true; }); } else{ - SOSAccountEnsureBackupStarts(account); synced = true; } return true; }); - + require_quiet(result, fail); if(inSyncSema){ timed_out = dispatch_semaphore_wait(inSyncSema, dispatch_time(DISPATCH_TIME_NOW, 300ull * NSEC_PER_SEC)); } if (timed_out) { - do_with_account(^(SOSAccountRef account) { + do_with_account(^(SOSAccountRef account, SOSAccountTransactionRef txn) { if (SOSAccountUnregisterCallWhenInSync(account, inSyncCallID)) { - dispatch_release(inSyncSema); // if we unregistered we release the sema + if(inSyncSema){ + dispatch_release(inSyncSema); // if we unregistered we release the sema + inSyncSema = NULL; // We've canceled the timeout so we must be the last. + } } }); if (!synced) { - secerror("waiting for initial sync timed out, resetting account"); + secerror("waiting for initial sync timed out"); result = false; - - SOSCCLoggedOutOfAccount_Server(error); SOSErrorCreate(kSOSInitialSyncFailed, error, NULL, CFSTR("InitialSyncTimedOut")); } } - if(inSyncSema) - dispatch_release(inSyncSema); - inSyncSema = NULL; // We've canceled the timeout so we must be the last. 
require_quiet(result, fail); - - - xpc_transaction_begin(); - - dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ - result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { - result = SOSAccountIsInCircle(account, NULL); - xpc_transaction_end(); - return result; - }); - }); - + if (!synced) { - secerror("waiting for initial sync: left circle"); + secerror("waiting for initial sync failed"); result = false; - - SOSErrorCreate(kSOSInitialSyncFailed, error, NULL, CFSTR("Left circle before initial sync.")); - } + SOSErrorCreate(kSOSInitialSyncFailed, error, NULL, CFSTR("Initial sync timed out.")); + } secnotice("initial sync", "Finished!: %d", result); + fail: CFReleaseNull(inSyncCallID); return result; @@ -1499,7 +1481,7 @@ CFArrayRef SOSCCCopyYetToSyncViewsList_Server(CFErrorRef* error) { __block CFArrayRef views = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { views = SOSAccountCopyYetToSyncViews(account, error); return true; @@ -1528,7 +1510,7 @@ bool SOSWrapToBackupSliceKeyBagForView_Server(CFStringRef viewName, CFDataRef in SOSBackupSliceKeyBagRef SOSBackupSliceKeyBagForView(CFStringRef viewName, CFErrorRef* error){ __block SOSBackupSliceKeyBagRef bskb = NULL; - (void) do_with_account(^ (SOSAccountRef account) { + (void) do_with_account(^ (SOSAccountRef account, SOSAccountTransactionRef txn) { bskb = SOSAccountBackupSliceKeyBagForView(account, viewName, error); }); return bskb; 
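Review bot: The semaphore created in SOSCCWaitForInitialSync_Server is no longer released on the success path: the old trailing `if(inSyncSema) dispatch_release(inSyncSema); inSyncSema = NULL;` was removed, and the only release left outside the block sits in the timed-out-and-unregistered branch, which also discards the function's own reference by setting `inSyncSema = NULL`; unless dispatch objects are ARC-managed in this translation unit, one reference leaks on every call that creates the semaphore. Keep the release in the unregister branch (it balances the `dispatch_retain` made for the block) but drop the `inSyncSema = NULL` there, and after the `if (timed_out)` block always release the function's own reference with `if (inSyncSema) { dispatch_release(inSyncSema); inSyncSema = NULL; }` before `require_quiet(result, fail);`. Inside the sync block the inner `if(inSyncSema)` before `dispatch_release` is redundant with the enclosing check. The `__block CFStringRef inSyncCallID = NULL;` declaration was removed while `inSyncCallID` is still assigned, passed to SOSAccountUnregisterCallWhenInSync and released at `fail:`, so presumably it is declared elsewhere now — worth confirming, as is the new home of the deleted static helpers CreateUUIDString, SOSAccountCallWhenInSync and SOSAccountUnregisterCallWhenInSync. The second `if (!synced)` after `require_quiet(result, fail);` is only reached with result true and reports `Initial sync timed out.`, duplicating the timeout branch's message for a case that is not a timeout.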
@@ -1551,7 +1533,7 @@ CFDataRef SOSWrapToBackupSliceKeyBag(SOSBackupSliceKeyBagRef bskb, CFDataRef inp CFMutableDictionaryRef plaintext = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); CFDictionarySetValue(plaintext, CFSTR("data"), input); - require_quiet(ks_encrypt_data(bskb_handle, access, NULL, plaintext, NULL, &encrypted, error), exit); + require_quiet(ks_encrypt_data(bskb_handle, access, NULL, plaintext, NULL, &encrypted, false, error), exit); exit: CFReleaseNull(bskb); @@ -1570,7 +1552,7 @@ CFDictionaryRef SOSCCCopyEscrowRecord_Server(CFErrorRef *error){ __block CFDictionaryRef result = NULL; __block CFErrorRef block_error = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool(SOSAccountRef account, CFErrorRef *error) { + (void) do_with_account_if_after_first_unlock(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { SOSCCStatus status = SOSAccountGetCircleStatus(account, &block_error); CFStringRef dsid = SOSAccountGetValue(account, kSOSDSIDKey, error); CFDictionaryRef escrowRecords = NULL; @@ -1614,7 +1596,7 @@ bool SOSCCSetEscrowRecord_Server(CFStringRef escrow_label, uint64_t tries, CFErr __block bool result = true; __block CFErrorRef block_error = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool(SOSAccountRef account, CFErrorRef *error) { + (void) do_with_account_if_after_first_unlock(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { SOSCCStatus status = SOSAccountGetCircleStatus(account, &block_error); CFStringRef dsid = SOSAccountGetValue(account, kSOSDSIDKey, error); 
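Review bot: The new trailing `false` argument to ks_encrypt_data in SOSWrapToBackupSliceKeyBag is an unnamed boolean literal, so a reader cannot tell which behaviour is being switched off; the SecDbItemCopyEncryptedDataToBackup hunk in SecDbItem.c at the end of this chunk does the same. Label it at the call site, `/* <name of the new ks_encrypt_data flag> */ false`, or add a short comment above the call saying what the flag disables and why this caller wants it off. SOSWrapToBackupSliceKeyBag's body begins outside the hunk.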
@@ -1673,7 +1655,7 @@ bool SOSCCSetEscrowRecord_Server(CFStringRef escrow_label, uint64_t tries, CFErr bool SOSCCAcceptApplicants_Server(CFArrayRef applicants, CFErrorRef* error) { __block bool result = true; - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountAcceptApplicants(account, applicants, block_error); return result; }); @@ -1683,7 +1665,7 @@ bool SOSCCAcceptApplicants_Server(CFArrayRef applicants, CFErrorRef* error) bool SOSCCRejectApplicants_Server(CFArrayRef applicants, CFErrorRef* error) { __block bool result = true; - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountRejectApplicants(account, applicants, block_error); return result; }); @@ -1693,7 +1675,7 @@ CFArrayRef SOSCCCopyPeerPeerInfo_Server(CFErrorRef* error) { __block CFArrayRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountCopyPeers(account, block_error); return result != NULL; }); @@ -1705,7 +1687,7 @@ CFArrayRef SOSCCCopyConcurringPeerPeerInfo_Server(CFErrorRef* error) { __block CFArrayRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountCopyConcurringPeers(account, block_error); return result != NULL; }); 
@@ -1717,7 +1699,7 @@ SOSPeerInfoRef SOSCCCopyMyPeerInfo_Server(CFErrorRef* error) { __block SOSPeerInfoRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { // Create a copy to be DERed/sent back to client result = SOSPeerInfoCreateCopy(kCFAllocatorDefault, SOSAccountGetMyPeerInfo(account), block_error); return result != NULL; @@ -1730,7 +1712,7 @@ CFDataRef SOSCCCopyAccountState_Server(CFErrorRef* error) { __block CFDataRef accountState = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { // Copy account state from the keychain accountState = SOSAccountCopyAccountStateFromKeychain(block_error); return accountState != NULL; @@ -1743,7 +1725,7 @@ bool SOSCCDeleteAccountState_Server(CFErrorRef* error) { __block bool result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { // Delete account state from the keychain result = SOSAccountDeleteAccountStateFromKeychain(block_error); return result; 
@@ -1756,7 +1738,7 @@ CFDataRef SOSCCCopyEngineData_Server(CFErrorRef* error) { __block CFDataRef engineState = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { // Copy engine state from the keychain engineState = SOSAccountCopyEngineStateFromKeychain(block_error); return engineState != NULL; @@ -1769,7 +1751,7 @@ bool SOSCCDeleteEngineState_Server(CFErrorRef* error) { __block bool result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { // Delete engine state from the keychain result = SOSAccountDeleteEngineStateFromKeychain(block_error); return result; @@ -1783,8 +1765,10 @@ bool SOSCCDeleteEngineState_Server(CFErrorRef* error) SOSPeerInfoRef SOSCCSetNewPublicBackupKey_Server(CFDataRef newPublicBackup, CFErrorRef *error){ __block SOSPeerInfoRef result = NULL; - (void) do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { - if(SOSAccountSetBackupPublicKey(account,newPublicBackup, error)){ + (void) do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + if(SOSAccountSetBackupPublicKey(txn,newPublicBackup, error)){ + SOSAccountTransactionFinishAndRestart(txn); // Finish the transaction to update any changes to the peer info. + // Create a copy to be DERed/sent back to client result = SOSPeerInfoCreateCopy(kCFAllocatorDefault, SOSAccountGetMyPeerInfo(account), block_error); secdebug("backup", "SOSCCSetNewPublicBackupKey_Server, new public backup is set"); 
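Review bot: In the SOSCCSetNewPublicBackupKey_Server hunk the new `SOSAccountSetBackupPublicKey(txn,newPublicBackup, error)` line writes to the outer `error` while the `SOSPeerInfoCreateCopy` call two lines below uses `block_error`; both pointers are handed to the same do_with_account_while_unlocked call, so depending on how the wrapper merges `block_error` into `error` the first failure may be masked or the same CFErrorRef set twice. Use `block_error` consistently: `if(SOSAccountSetBackupPublicKey(txn, newPublicBackup, block_error)){`. The comment on the added SOSAccountTransactionFinishAndRestart line would be more useful if it named what must be visible afterwards, e.g. `// Commit the transaction so SOSAccountGetMyPeerInfo() below reflects the new backup key.` — that assumes the peer info is only refreshed on commit, which should be confirmed. The function's tail lies outside the hunk.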
@@ -1800,7 +1784,7 @@ SOSPeerInfoRef SOSCCSetNewPublicBackupKey_Server(CFDataRef newPublicBackup, CFEr } bool SOSCCRegisterSingleRecoverySecret_Server(CFDataRef aks_bag, bool setupV0Only, CFErrorRef *error){ - return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { return SOSAccountSetBSKBagForAllSlices(account, aks_bag, setupV0Only, error); }); } @@ -1809,7 +1793,7 @@ CFStringRef SOSCCCopyIncompatibilityInfo_Server(CFErrorRef* error) { __block CFStringRef result = NULL; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountCopyIncompatibilityInfo(account, block_error); return result != NULL; }); @@ -1830,7 +1814,7 @@ bool SOSCCCheckPeerAvailability_Server(CFErrorRef *error) }); __block int token = -1; - bool result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + bool result = do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { peerSemaphore = dispatch_semaphore_create(0); dispatch_retain(peerSemaphore); 
@@ -1879,12 +1863,20 @@ bool SOSCCCheckPeerAvailability_Server(CFErrorRef *error) } +bool SOSCCkSecXPCOpIsThisDeviceLastBackup_Server(CFErrorRef *error) { + bool result = do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { + return SOSAccountIsLastBackupPeer(account, block_error); + }); + return result; +} + + enum DepartureReason SOSCCGetLastDepartureReason_Server(CFErrorRef* error) { __block enum DepartureReason result = kSOSDepartureReasonError; - (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + (void) do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { result = SOSAccountGetLastDepartureReason(account, block_error); return result != kSOSDepartureReasonError; }); @@ -1895,7 +1887,7 @@ enum DepartureReason SOSCCGetLastDepartureReason_Server(CFErrorRef* error) bool SOSCCSetLastDepartureReason_Server(enum DepartureReason reason, CFErrorRef *error){ __block bool result = true; - return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { SOSAccountSetLastDepartureReason(account, reason); return result; }); @@ -1905,7 +1897,7 @@ bool SOSCCSetHSA2AutoAcceptInfo_Server(CFDataRef pubKey, CFErrorRef *error) { __block bool result = true; return do_with_account_if_after_first_unlock(error, ^(SOSAccountRef account, - CFErrorRef *block_error) { + SOSAccountTransactionRef txn, CFErrorRef *block_error) { result = SOSAccountSetHSAPubKeyExpected(account, pubKey, error); return (bool)result; }); 
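Review bot: The new `SOSCCkSecXPCOpIsThisDeviceLastBackup_Server` embeds the XPC operation name in the function name, unlike every sibling here (`SOSCCCheckPeerAvailability_Server`, `SOSCCGetLastDepartureReason_Server`); `SOSCCIsThisDeviceLastBackup_Server` would match the convention, and the header hunk later in this diff declares the current name twice. The temporary is also unnecessary: `return do_with_account_while_unlocked(error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) {`. The function is complete within the hunk, so a rename touches only the header and whatever dispatch code calls it.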
@@ -1914,7 +1906,7 @@ bool SOSCCSetHSA2AutoAcceptInfo_Server(CFDataRef pubKey, CFErrorRef *error) { bool SOSCCProcessEnsurePeerRegistration_Server(CFErrorRef* error) { secnotice("updates", "Request for registering peers"); - return do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, CFErrorRef *error) { + return do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { return SOSAccountEnsurePeerRegistration(account, error); }); } @@ -1928,10 +1920,12 @@ SyncWithAllPeersReason SOSCCProcessSyncWithAllPeers_Server(CFErrorRef* error) __block SyncWithAllPeersReason result = kSyncWithAllPeersSuccess; CFErrorRef action_error = NULL; - if (!do_with_account_while_unlocked(&action_error, ^bool (SOSAccountRef account, CFErrorRef* block_error) { + if (!do_with_account_while_unlocked(&action_error, ^bool (SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef* block_error) { CFErrorRef localError = NULL; + + SOSAccountSendIKSPSyncList(account, &localError); - if (!SOSAccountSyncWithAllPeers(account, &localError)) { + if (!SOSAccountSyncWithAllKVSPeers(account, &localError)) { secerror("sync with all peers failed: %@", localError); CFReleaseSafe(localError); // This isn't a device-locked error, but returning false will @@ -1943,7 +1937,7 @@ SyncWithAllPeersReason SOSCCProcessSyncWithAllPeers_Server(CFErrorRef* error) })) { if (action_error) { if (SecErrorGetOSStatus(action_error) == errSecInteractionNotAllowed) { - secnotice("updates", "SOSAccountSyncWithAllPeers failed because device is locked; letting CloudKeychainProxy know"); + secnotice("updates", "SOSAccountSyncWithAllKVSPeers failed because device is locked; letting CloudKeychainProxy know"); result = kSyncWithAllPeersLocked; // tell CloudKeychainProxy to call us back when device unlocks CFReleaseNull(action_error); } else { 
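Review bot: The added `SOSAccountSendIKSPSyncList(account, &localError);` in SOSCCProcessSyncWithAllPeers_Server discards its return value and leaves `localError` set on failure, and the very next call `SOSAccountSyncWithAllKVSPeers(account, &localError)` reuses the same out-parameter; if that helper follows the usual `error && *error == NULL` convention the KVS failure is never recorded, and if it does not the first CFErrorRef leaks. Log and clear the result before continuing, `if (!SOSAccountSendIKSPSyncList(account, &localError)) { secnotice("updates", "IKSP sync list failed: %@", localError); CFReleaseNull(localError); }`. Whether a failed IKSP sync list should also abort the KVS sync is a design decision the hunk should state in a comment. The block's remainder, including the return after the device-locked comment, lies outside this hunk.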
@@ -1964,7 +1958,20 @@ SyncWithAllPeersReason SOSCCProcessSyncWithAllPeers_Server(CFErrorRef* error) void SOSCCSyncWithAllPeers(void) { - SOSCloudKeychainRequestSyncWithAllPeers(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL); + os_activity_initiate("CloudCircle SyncWithAllPeers", OS_ACTIVITY_FLAG_DEFAULT, ^(void) { + + SOSCloudKeychainRequestSyncWithAllPeers(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL); + + }); +} + +void SOSCCEnsurePeerRegistration(void) +{ + os_activity_initiate("CloudCircle EnsurePeerRegistration", OS_ACTIVITY_FLAG_DEFAULT, ^(void) { + + SOSCloudKeychainRequestEnsurePeerRegistration(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL); + + }); } CF_RETURNS_RETAINED CFArrayRef SOSCCHandleUpdateMessage(CFDictionaryRef updates) 
@@ -1975,3 +1982,39 @@ CF_RETURNS_RETAINED CFArrayRef SOSCCHandleUpdateMessage(CFDictionaryRef updates) (account) ? (result = SOSCloudKeychainHandleUpdateMessage(updates)) : (result = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault)); return result; } + +SOSPeerInfoRef SOSCCCopyApplication_Server(CFErrorRef *error) { + __block SOSPeerInfoRef application = NULL; + do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { + application = SOSAccountCopyApplication(account, error); + return application != NULL; + }); + return application; + +} +CFDataRef SOSCCCopyCircleJoiningBlob_Server(SOSPeerInfoRef applicant, CFErrorRef *error) { + __block CFDataRef pbblob = NULL; + do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { + pbblob = SOSAccountCopyCircleJoiningBlob(account, applicant, error); + return pbblob != NULL; + }); + return pbblob; +} + +bool SOSCCJoinWithCircleJoiningBlob_Server(CFDataRef joiningBlob, CFErrorRef *error) { + return do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { + return SOSAccountJoinWithCircleJoiningBlob(account, joiningBlob, error); + }); + +} + +CFBooleanRef SOSCCPeersHaveViewsEnabled_Server(CFArrayRef viewNames, CFErrorRef *error) { + __block CFBooleanRef result = NULL; + do_with_account_if_after_first_unlock(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *error) { + result = SOSAccountPeersHaveViewsEnabled(account, viewNames, error); + return result != NULL; + }); + + return result; +} + diff --git a/OSX/sec/securityd/SOSCloudCircleServer.h b/OSX/sec/securityd/SOSCloudCircleServer.h index b0355242..8da304e9 100644 --- a/OSX/sec/securityd/SOSCloudCircleServer.h +++ b/OSX/sec/securityd/SOSCloudCircleServer.h 
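Review bot: The four new *_Server functions at the end of SOSCloudCircleServer.c ignore the result of do_with_account_while_unlocked/do_with_account_if_after_first_unlock without the `(void)` cast the rest of the file uses, and their block parameter `CFErrorRef *error` shadows the function's `error`, which the existing wrappers avoid by naming it `block_error`. Rename the block parameter in each, e.g. `do_with_account_while_unlocked(error, ^bool(SOSAccountRef account, SOSAccountTransactionRef txn, CFErrorRef *block_error) {` with the inner calls updated, and either prefix the calls with `(void)` or return the wrapper's result directly as SOSCCJoinWithCircleJoiningBlob_Server already does. SOSCCCopyCircleJoiningBlob_Server and SOSCCJoinWithCircleJoiningBlob_Server act on caller-supplied peer info and joining blobs, so the entitlement check and input validation performed before these entry points are reached are not visible here and should be named in a comment above each. The stray blank lines before the closing braces of SOSCCCopyApplication_Server and SOSCCJoinWithCircleJoiningBlob_Server, and the missing blank between the first two functions, break the file's spacing.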
@@ -47,6 +47,8 @@ bool SOSCCRequestToJoinCircleAfterRestore_Server(CFErrorRef* error); CFStringRef SOSCCCopyDeviceID_Server(CFErrorRef *error); bool SOSCCSetDeviceID_Server(CFStringRef IDS, CFErrorRef *error); HandleIDSMessageReason SOSCCHandleIDSMessage_Server(CFDictionaryRef messageDict, CFErrorRef* error); +bool SOSCCRequestSyncWithPeerOverKVS_Server(CFStringRef peerID, CFErrorRef *error); +bool SOSCCRequestSyncWithPeerOverIDS_Server(CFStringRef deviceID, CFErrorRef *error); bool SOSCCIDSServiceRegistrationTest_Server(CFStringRef message, CFErrorRef *error); bool SOSCCIDSPingTest_Server(CFStringRef message, CFErrorRef *error); @@ -83,10 +85,14 @@ CFArrayRef SOSCCCopyEngineState_Server(CFErrorRef* error); CFArrayRef SOSCCCopyPeerPeerInfo_Server(CFErrorRef* error); CFArrayRef SOSCCCopyConcurringPeerPeerInfo_Server(CFErrorRef* error); bool SOSCCCheckPeerAvailability_Server(CFErrorRef *error); +bool SOSCCkSecXPCOpIsThisDeviceLastBackup_Server(CFErrorRef *error); +bool SOSCCkSecXPCOpIsThisDeviceLastBackup_Server(CFErrorRef *error); bool SOSCCAccountSetToNew_Server(CFErrorRef *error); bool SOSCCResetToOffering_Server(CFErrorRef* error); bool SOSCCResetToEmpty_Server(CFErrorRef* error); +CFBooleanRef SOSCCPeersHaveViewsEnabled_Server(CFArrayRef viewNames, CFErrorRef *error); + SOSViewResultCode SOSCCView_Server(CFStringRef view, SOSViewActionCode action, CFErrorRef *error); bool SOSCCViewSet_Server(CFSetRef enabledView, CFSetRef disabledViews); @@ -120,6 +126,7 @@ void sync_the_last_data_to_kvs(SOSAccountRef account, bool waitForeverForSynchro // Expected to be called when the data source changes. void SOSCCSyncWithAllPeers(void); +void SOSCCEnsurePeerRegistration(void); void SOSCCAddSyncablePeerBlock(CFStringRef ds_name, SOSAccountSyncablePeersBlock changeBlock); dispatch_queue_t SOSCCGetAccountQueue(void); 
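Review bot: The header hunk at `@@ -83,10 +85,14 @@` declares `bool SOSCCkSecXPCOpIsThisDeviceLastBackup_Server(CFErrorRef *error);` twice on consecutive lines; C accepts a repeated compatible prototype, but it reads as a merge slip and one copy should go. In the next hunk the added `void SOSCCEnsurePeerRegistration(void);` sits directly under `// Expected to be called when the data source changes.`, which describes SOSCCSyncWithAllPeers; give it its own line, e.g. `// Requests a peer-registration pass via SOSCloudKeychainRequestEnsurePeerRegistration on the default global queue.`, so the two are not read as one contract.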
@@ -161,6 +168,13 @@ bool SOSItemUpdateOrAdd(CFStringRef label, CFStringRef accessibility, CFDataRef bool SOSCCSetEscrowRecord_Server(CFStringRef escrow_label, uint64_t tries, CFErrorRef *error); CFDictionaryRef SOSCCCopyEscrowRecord_Server(CFErrorRef *error); +SOSPeerInfoRef SOSCCCopyApplication_Server(CFErrorRef *error); +CFDataRef SOSCCCopyCircleJoiningBlob_Server(SOSPeerInfoRef applicant, CFErrorRef *error); +bool SOSCCJoinWithCircleJoiningBlob_Server(CFDataRef joiningBlob, CFErrorRef *error); + +bool SOSCCAccountHasPublicKey_Server(CFErrorRef *error); +bool SOSCCAccountIsNew_Server(CFErrorRef *error); + __END_DECLS diff --git a/OSX/sec/securityd/SecCAIssuerCache.c b/OSX/sec/securityd/SecCAIssuerCache.c index 4bc1ce11..7f0ca428 100644 --- a/OSX/sec/securityd/SecCAIssuerCache.c +++ b/OSX/sec/securityd/SecCAIssuerCache.c @@ -47,8 +47,6 @@ #include <CoreFoundation/CFUtilities.h> #include <utilities/SecFileLocations.h> -#define caissuerErrorLog(args...) asl_log(NULL, NULL, ASL_LEVEL_ERR, ## args) - static const char expireSQL[] = "DELETE FROM issuers WHERE expires<?"; static const char beginTxnSQL[] = "BEGIN EXCLUSIVE TRANSACTION"; static const char endTxnSQL[] = "COMMIT TRANSACTION"; @@ -221,7 +219,7 @@ static SecCAIssuerCacheRef SecCAIssuerCacheCreate(const char *db_name) { "CREATE INDEX iexpires ON issuers(expires);" , NULL, NULL, &errmsg); if (errmsg) { - caissuerErrorLog("caissuer db CREATE TABLES: %s", errmsg); + secerror("caissuer db CREATE TABLES: %s", errmsg); sqlite3_free(errmsg); } require_noerr(s3e, errOut); @@ -291,7 +289,7 @@ static void _SecCAIssuerCacheAddCertificate(SecCAIssuerCacheRef this, errOut: if (s3e) { - caissuerErrorLog("caissuer cache add failed: %s", sqlite3_errmsg(this->s3h)); + secerror("caissuer cache add failed: %s", sqlite3_errmsg(this->s3h)); /* TODO: Blow away the cache and create a new db. */ } } 
@@ -323,7 +321,7 @@ static SecCertificateRef _SecCAIssuerCacheCopyMatching(SecCAIssuerCacheRef this, errOut: if (s3e) { if (s3e != SQLITE_DONE) { - caissuerErrorLog("caissuer cache lookup failed: %s", sqlite3_errmsg(this->s3h)); + secerror("caissuer cache lookup failed: %s", sqlite3_errmsg(this->s3h)); /* TODO: Blow away the cache and create a new db. */ } @@ -351,7 +349,7 @@ static void _SecCAIssuerCacheGC(void *context) { errOut: if (s3e) { - caissuerErrorLog("caissuer cache expire failed: %s", sqlite3_errmsg(this->s3h)); + secerror("caissuer cache expire failed: %s", sqlite3_errmsg(this->s3h)); /* TODO: Blow away the cache and create a new db. */ } } @@ -364,7 +362,7 @@ static void _SecCAIssuerCacheFlush(void *context) { s3e = SecCAIssuerCacheCommitTxn(this); if (s3e) { - caissuerErrorLog("caissuer cache flush failed: %s", sqlite3_errmsg(this->s3h)); + secerror("caissuer cache flush failed: %s", sqlite3_errmsg(this->s3h)); /* TODO: Blow away the cache and create a new db. */ } } diff --git a/OSX/sec/securityd/SecCAIssuerRequest.c b/OSX/sec/securityd/SecCAIssuerRequest.c index 265aefda..4fe1591c 100644 --- a/OSX/sec/securityd/SecCAIssuerRequest.c +++ b/OSX/sec/securityd/SecCAIssuerRequest.c @@ -30,6 +30,7 @@ #include "SecCAIssuerCache.h" #include <Security/SecInternal.h> +#include <Security/SecCMS.h> #include <CoreFoundation/CFURL.h> #include <CFNetwork/CFHTTPMessage.h> #include <utilities/debugging.h> @@ -65,8 +66,8 @@ static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) { CFHTTPMessageRef msg = CFHTTPMessageCreateRequest(kCFAllocatorDefault, CFSTR("GET"), issuer, kCFHTTPVersion1_1); if (msg) { - secdebug("caissuer", "%@", msg); - bool done = asynchttp_request(msg, &request->http); + secinfo("caissuer", "%@", msg); + bool done = asynchttp_request(msg, 0, &request->http); CFRelease(msg); if (done == false) { CFRelease(scheme); 
@@ -75,7 +76,7 @@ static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) { } secdebug("caissuer", "failed to get %@", issuer); } else { - secdebug("caissuer", "skipping unsupported uri %@", issuer); + secnotice("caissuer", "skipping unsupported uri %@", issuer); } CFRelease(scheme); } @@ -114,7 +115,30 @@ static void SecCAIssuerRequestCompleted(asynchttp_t *http, CFDataRef data = (request->http.response ? CFHTTPMessageCopyBody(request->http.response) : NULL); if (data) { + /* RFC5280 4.2.2.1: + "accessLocation MUST be a uniformResourceIdentifier and the URI + MUST point to either a single DER encoded certificate as speci- + fied in [RFC2585] or a collection of certificates in a BER or + DER encoded "certs-only" CMS message as specified in [RFC2797]." */ + + /* DER-encoded certificate */ SecCertificateRef parent = SecCertificateCreateWithData(NULL, data); + + /* "certs-only" CMS Message */ + if (!parent) { + CFArrayRef certificates = NULL; + certificates = SecCMSCertificatesOnlyMessageCopyCertificates(data); + if (certificates && CFArrayGetCount(certificates) == 1) { + parent = (SecCertificateRef)CFRetainSafe(CFArrayGetValueAtIndex(certificates, 0)); + } + CFReleaseNull(certificates); + } + + /* Retry in case the certificate is in PEM format. Some CAs + incorrectly return a PEM encoded cert, despite RFC 5280 4.2.2.1 */ + if (!parent) { + parent = SecCertificateCreateWithPEM(NULL, data); + } CFRelease(data); if (parent) { /* We keep responses in the cache for at least 7 days, or longer @@ -126,7 +150,7 @@ static void SecCAIssuerRequestCompleted(asynchttp_t *http, request->issuerIX - 1); SecCAIssuerCacheAddCertificate(parent, issuer, expires); CFArrayRef parents = SecCAIssuerConvertToParents( - request->certificate, parent); + request->certificate, parent); /* note: this releases parent */ if (parents) { secdebug("caissuer", "response: %@ good", http->response); request->callback(request->context, parents); 
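Review bot: The new CMS branch accepts a certs-only message only when it holds exactly one certificate, `CFArrayGetCount(certificates) == 1`, whereas the RFC 5280 text quoted directly above it allows a collection; a response that carries the issuer together with further chain certificates is therefore dropped and the fetch falls through to the PEM retry and then fails. If the single-certificate restriction is deliberate, say so in a comment, e.g. `/* multi-certificate certs-only messages are intentionally not used */`; otherwise the candidate parents could be taken from the whole array instead of only element 0. Since `data` comes from a URL read out of the certificate being validated, a one-line note that all three parsers run on untrusted network input would also help the next reader of this block. SecCAIssuerRequestCompleted starts outside the hunk.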
diff --git a/OSX/sec/securityd/SecDbItem.c b/OSX/sec/securityd/SecDbItem.c index 6f4565f5..06e9fb07 100644 --- a/OSX/sec/securityd/SecDbItem.c +++ b/OSX/sec/securityd/SecDbItem.c @@ -357,7 +357,7 @@ CFDataRef SecDbItemCopyEncryptedDataToBackup(SecDbItemRef item, uint64_t handle, if (attributes || auth_attributes) { SecAccessControlRef access_control = SecDbItemCopyAccessControl(item, error); if (access_control) { - if (ks_encrypt_data(keybag, access_control, item->credHandle, attributes, auth_attributes, &edata, error)) { + if (ks_encrypt_data(keybag, access_control, item->credHandle, attributes, auth_attributes, &edata, false, error)) { item->_edataState = kSecDbItemEncrypting; } else { seccritical("ks_encrypt_data (db): failed: %@", error ? *error : (CFErrorRef)CFSTR("")); @@ -934,18 +934,19 @@ SecDbItemRef SecDbItemCreateWithStatement(CFAllocatorRef allocator, const SecDbC SecDbForEachAttr(class, attr) { if (return_attr(attr)) { CFTypeRef value = SecDbColumnCopyValueWithAttr(allocator, stmt, attr, col++, error); - if (value) { - CFDictionarySetValue(item->attributes, SecDbAttrGetHashName(attr), value); - CFRelease(value); - } + require_action_quiet(value, errOut, CFReleaseNull(item)); + + CFDictionarySetValue(item->attributes, SecDbAttrGetHashName(attr), value); + CFRelease(value); } - const SecDbAttr *data_attr = SecDbClassAttrWithKind(class, kSecDbEncryptedDataAttr, error); + const SecDbAttr *data_attr = SecDbClassAttrWithKind(class, kSecDbEncryptedDataAttr, NULL); if (data_attr != NULL && CFDictionaryGetValue(item->attributes, data_attr->name) != NULL) { item->_edataState = kSecDbItemEncrypted; } } +errOut: return item; } @@ -1355,6 +1356,8 @@ static bool SecDbItemDoInsert(SecDbItemRef item, SecDbConnectionRef dbconn, CFEr if (ok) { secnotice("item", "inserted %@", item); SecDbItemRecordUpdate(dbconn, NULL, item); + } else { + secnotice("item", "insert failed for item %@ with %@", item, error ? *error : NULL); } return ok; 
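Review bot: In SecDbItemCreateWithStatement, `SecDbClassAttrWithKind(class, kSecDbEncryptedDataAttr, NULL)` now discards the error, so a lookup failure is indistinguishable from a class that simply has no encrypted-data attribute; if that is the intent, a comment such as `/* a class without kSecDbEncryptedDataAttr is not an error here */` would record it. The new `require_action_quiet(value, errOut, CFReleaseNull(item));` turns one undecodable column into a NULL return for the whole row, and because it is the quiet variant callers see only whatever `error` the column read set; a `secnotice` naming `attr->name` before the bail-out would make such rows findable in logs. SecDbItemCreateWithStatement starts outside the hunk.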
diff --git a/OSX/sec/securityd/SecDbItem.h b/OSX/sec/securityd/SecDbItem.h index f0df92ac..440f25e4 100644 --- a/OSX/sec/securityd/SecDbItem.h +++ b/OSX/sec/securityd/SecDbItem.h @@ -108,7 +108,8 @@ typedef struct SecDbClass { } SecDbClass; typedef struct SecDbSchema { - int version; + int majorVersion; + int minorVersion; const SecDbClass *classes[]; } SecDbSchema; diff --git a/OSX/sec/securityd/SecDbKeychainItem.c b/OSX/sec/securityd/SecDbKeychainItem.c index 5d623fa9..962fbe08 100644 --- a/OSX/sec/securityd/SecDbKeychainItem.c +++ b/OSX/sec/securityd/SecDbKeychainItem.c @@ -34,6 +34,7 @@ #include <CommonCrypto/CommonCryptorSPI.h> #include <Security/SecBasePriv.h> #include <Security/SecItem.h> +#include <Security/SecItemPriv.h> #include <Security/SecItemInternal.h> #include <Security/SecRandom.h> #include <Security/SecAccessControl.h> 
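Review bot: The split of `version` into `majorVersion` and `minorVersion` in SecDbSchema carries no comment on what distinguishes the two, which is exactly what a reader of the migration code needs. If the rule is the usual one, two comments along the lines of `/* majorVersion: incompatible layout change, requires migration */` and `/* minorVersion: additive change, readable by older schema code */` would document it; if it is something else, that is all the more reason to write it down here.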
@@ -89,13 +90,25 @@ static const uint8_t* der_decode_set_with_repair(CFAllocatorRef allocator, CFOpt const uint8_t* (^repairBlock)(CFAllocatorRef allocator, CFOptionFlags mutability, CFPropertyListRef* pl, CFErrorRef *error, const uint8_t* der, const uint8_t *der_end)); +const uint32_t kUseDefaultIVMask = 1<<31; +const int16_t kIVSizeAESGCM = 12; + +// echo "keychainblobstaticiv" | openssl dgst -sha256 | cut -c1-24 | xargs -I {} echo "0x{}" | xxd -r | xxd -p -i +// 0x1e, 0xa0, 0x5c, 0xa9, 0x98, 0x2e, 0x87, 0xdc, 0xf1, 0x45, 0xe8, 0x24 + + +static const uint8_t gcmIV[kIVSizeAESGCM] = { + 0x1e, 0xa0, 0x5c, 0xa9, 0x98, 0x2e, 0x87, 0xdc, 0xf1, 0x45, 0xe8, 0x24 +}; + + /* Given plainText create and return a CFDataRef containing: BULK_KEY = RandomKey() version || keyclass|ACL || KeyStore_WRAP(keyclass, BULK_KEY) || AES(BULK_KEY, NULL_IV, plainText || padding) */ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFDataRef acm_context, - CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, CFErrorRef *error) { + CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, bool useDefaultIV, CFErrorRef *error) { CFMutableDataRef blob = NULL; CFDataRef ac_data = NULL; bool ok = true; 
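Review bot: `gcmIV` is a fixed AES-GCM nonce, which is sound only because the header comment above ks_encrypt_data says `BULK_KEY = RandomKey()` for every blob; that per-blob fresh key is the sole thing preventing nonce reuse, so the invariant belongs at the definition, e.g. `/* A fixed IV is safe only because every blob is encrypted under a freshly generated bulk key; never reuse a bulk key with this IV. */`, and the `AES(BULK_KEY, NULL_IV, ...)` line of that header comment no longer describes the default-IV path. `const uint32_t kUseDefaultIVMask = 1<<31;` left-shifts a signed int into its sign bit, which is undefined behaviour in C11, and unless a header declares it `extern` it also has needless external linkage; `static const uint32_t kUseDefaultIVMask = UINT32_C(1) << 31;` fixes both. `static const uint8_t gcmIV[kIVSizeAESGCM]` uses a `const int16_t` variable as an array bound, which standard C treats as a variable-length array at file scope and only compiles as a compiler extension; `enum { kIVSizeAESGCM = 12 };` makes it a genuine constant. ks_encrypt_data continues outside the hunk.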
@@ -108,14 +121,19 @@ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFMutableDataRef bulkKeyWrapped = CFDataCreateMutable(NULL, 0); CFDataSetLength(bulkKeyWrapped, bulkKeySize + maxKeyWrapOverHead); uint32_t key_wrapped_size; - + size_t ivLen = 0; + const uint8_t *iv = NULL; + const uint8_t *aad = NULL; // Additional Authenticated Data + ptrdiff_t aadLen = 0; + #if USE_KEYSTORE CFDataRef auth_data = NULL; #endif /* If access_control specifies only protection and no ACL, use legacy blob format version 3, - which has better support for sync/backup. Otherwise, force new format v6. */ - const uint32_t version = SecAccessControlGetConstraints(access_control) ? 6 : 3; + which has better support for sync/backup. Otherwise, force new format v6 unless useDefaultIV is set. */ + bool hasACLConstraints = SecAccessControlGetConstraints(access_control); + const uint32_t version = (hasACLConstraints ? 6 : 3); CFDataRef plainText = NULL; if (version < 4) { CFMutableDictionaryRef attributes_dict = CFDictionaryCreateMutableCopy(NULL, 0, attributes); @@ -124,7 +142,7 @@ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFDictionaryAddValue(attributes_dict, key, value); }); } - + if (attributes_dict) { // Drop the accc attribute for non v6 items during encode. CFDictionaryRemoveValue(attributes_dict, kSecAttrAccessControl); @@ -143,7 +161,7 @@ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFDictionaryAddValue(attributes_dict, key, value); }); } - + if (attributes_dict) { plainText = CFPropertyListCreateDERData(kCFAllocatorDefault, attributes_dict, error); CFRelease(attributes_dict); 
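Review bot: The rewritten comment says the format is forced to v6 "unless useDefaultIV is set", but the line it describes, `const uint32_t version = (hasACLConstraints ? 6 : 3);`, does not consult useDefaultIV at all; only the stored version word is later OR'ed with kUseDefaultIVMask. Either the comment should read `/* ... Otherwise, force new format v6. useDefaultIV only adds a flag bit to the stored version word. */` or the version selection is missing a case. `aadLen` is declared `ptrdiff_t` but is later handed to CCCryptorGCM, whose length parameters are `size_t`; declaring it `size_t` and casting the pointer difference once avoids a signed/unsigned conversion at the call. ks_encrypt_data continues outside the hunk.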
@@ -191,7 +209,7 @@ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, size_t blobLen = sizeof(version); uint32_t prot_length; - if (version == 3) { + if (!hasACLConstraints) { blobLen += sizeof(actual_class); } else { require_quiet(ac_data = kc_copy_protection_data(access_control), out); @@ -204,11 +222,11 @@ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFDataSetLength(blob, blobLen); cursor = CFDataGetMutableBytePtr(blob); - *((uint32_t *)cursor) = version; + *((uint32_t *)cursor) = useDefaultIV ? (version | kUseDefaultIVMask) : version; cursor += sizeof(version); //secerror("class: %d actual class: %d", keyclass, actual_class); - if (version == 3) { + if (!hasACLConstraints) { *((keyclass_t *)cursor) = actual_class; cursor += sizeof(keyclass); } else { @@ -222,14 +240,22 @@ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, *((uint32_t *)cursor) = key_wrapped_size; cursor += sizeof(key_wrapped_size); + if (useDefaultIV) { + iv = gcmIV; + ivLen = kIVSizeAESGCM; + // AAD is (version || ac_data || key_wrapped_size) + aad = CFDataGetMutableBytePtr(blob); + aadLen = cursor - aad; + } + memcpy(cursor, CFDataGetBytePtr(bulkKeyWrapped), key_wrapped_size); cursor += key_wrapped_size; /* Encrypt the plainText with the bulkKey. */ CCCryptorStatus ccerr = CCCryptorGCM(kCCEncrypt, kCCAlgorithmAES128, bulkKey, bulkKeySize, - NULL, 0, /* iv */ - NULL, 0, /* auth data */ + iv, ivLen, /* iv */ + aad, aadLen, /* auth data */ CFDataGetBytePtr(plainText), ptLen, cursor, cursor + ctLen, &tagLen); 
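Review bot: The comment `// AAD is (version || ac_data || key_wrapped_size)` is accurate only for the ACL-bearing layout; on the `!hasACLConstraints` path written a few lines earlier the middle field is `actual_class`, so `// AAD is everything written so far: version || (actual_class or ac_data) || key_wrapped_size` matches both layouts. The AAD length is taken from `cursor` before the wrapped key is copied in, and the decrypt side (the `if (iv)` hunk of ks_decrypt_data on this page) must compute the identical span, so each site should carry a note that this boundary has to stay in sync or every default-IV blob becomes undecryptable. `aad` is also taken from `CFDataGetMutableBytePtr(blob)` although it is only read; `CFDataGetBytePtr` states the intent. ks_encrypt_data continues outside the hunk.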
@@ -271,10 +297,19 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro CFDataSetLength(bulkKey, 32); /* Use 256 bit AES key for bulkKey. */ bool ok = true; SecAccessControlRef access_control = NULL; + + if (attributes_p) + *attributes_p = NULL; + if (version_p) + *version_p = 0; CFMutableDataRef plainText = NULL; CFMutableDictionaryRef attributes = NULL; uint32_t version = 0; + size_t ivLen = 0; + const uint8_t *iv = NULL; + const uint8_t *aad = NULL; // Additional Authenticated Data + ptrdiff_t aadLen = 0; #if USE_KEYSTORE CFMutableDictionaryRef authenticated_attributes = NULL; @@ -306,12 +341,20 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro } version = *((uint32_t *)cursor); + if (version & kUseDefaultIVMask) { + version &= ~kUseDefaultIVMask; + iv = gcmIV; + ivLen = kIVSizeAESGCM; + } + cursor += sizeof(version); size_t minimum_blob_len = sizeof(version) + 16; size_t ctLen = blobLen - sizeof(version); - if (version >= 4) { + bool hasProtectionData = (version >= 4); + + if (hasProtectionData) { /* Deserialize SecAccessControl object from the blob. */ uint32_t prot_length = *((uint32_t *)cursor); cursor += sizeof(prot_length); @@ -400,7 +443,7 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro } #if USE_KEYSTORE - if (version >= 4) { + if (hasProtectionData) { if (caller_access_groups) { caller_access_groups_data = kc_copy_access_groups_data(caller_access_groups, error); require_quiet(ok = (caller_access_groups_data != NULL), out); @@ -423,6 +466,12 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro keyclass, wrapped_key_size, cursor, NULL, bulkKey, error), out); } + if (iv) { + // AAD is (version || ac_data || key_wrapped_size) + aad = CFDataGetBytePtr(blob); + aadLen = cursor - aad; + } + cursor += wrapped_key_size; plainText = CFDataCreateMutable(NULL, ctLen); 
@@ -438,8 +487,8 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro uint8_t tag[tagLen]; ccerr = CCCryptorGCM(kCCDecrypt, kCCAlgorithmAES128, CFDataGetBytePtr(bulkKey), CFDataGetLength(bulkKey), - NULL, 0, /* iv */ - NULL, 0, /* auth data */ + iv, ivLen, /* iv */ + aad, aadLen, /* auth data */ cursor, ctLen, CFDataGetMutableBytePtr(plainText), tag, &tagLen); @@ -527,13 +576,13 @@ static keyclass_t kc_parse_keyclass(CFTypeRef value, CFErrorRef *error) { return key_class_ak; } else if (CFEqual(value, kSecAttrAccessibleAfterFirstUnlock)) { return key_class_ck; - } else if (CFEqual(value, kSecAttrAccessibleAlways)) { + } else if (CFEqual(value, kSecAttrAccessibleAlwaysPrivate)) { return key_class_dk; } else if (CFEqual(value, kSecAttrAccessibleWhenUnlockedThisDeviceOnly)) { return key_class_aku; } else if (CFEqual(value, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)) { return key_class_cku; - } else if (CFEqual(value, kSecAttrAccessibleAlwaysThisDeviceOnly)) { + } else if (CFEqual(value, kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate)) { return key_class_dku; } else if (CFEqual(value, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly)) { return key_class_akpu; @@ -550,13 +599,13 @@ static CFTypeRef kc_encode_keyclass(keyclass_t keyclass) { case key_class_ck: return kSecAttrAccessibleAfterFirstUnlock; case key_class_dk: - return kSecAttrAccessibleAlways; + return kSecAttrAccessibleAlwaysPrivate; case key_class_aku: return kSecAttrAccessibleWhenUnlockedThisDeviceOnly; case key_class_cku: return kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly; case key_class_dku: - return kSecAttrAccessibleAlwaysThisDeviceOnly; + return kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate; case key_class_akpu: return kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly; default: 
@@ -791,7 +840,7 @@ static bool SecDbItemImportMigrate(SecDbItemRef item, CFErrorRef *error) { if (!isString(agrp) || !isString(accessible)) return ok; - if (SecDbItemGetClass(item) == &genp_class && CFEqual(accessible, kSecAttrAccessibleAlways)) { + if (SecDbItemGetClass(item) == &genp_class && CFEqual(accessible, kSecAttrAccessibleAlwaysPrivate)) { CFStringRef svce = SecDbItemGetCachedValueWithName(item, kSecAttrService); if (!isString(svce)) return ok; if (CFEqual(agrp, CFSTR("apple"))) { @@ -810,7 +859,7 @@ static bool SecDbItemImportMigrate(SecDbItemRef item, CFErrorRef *error) { } } } - } else if (SecDbItemGetClass(item) == &inet_class && CFEqual(accessible, kSecAttrAccessibleAlways)) { + } else if (SecDbItemGetClass(item) == &inet_class && CFEqual(accessible, kSecAttrAccessibleAlwaysPrivate)) { if (CFEqual(agrp, CFSTR("PrintKitAccessGroup"))) { ok = SecDbItemSetValueWithName(item, kSecAttrAccessible, kSecAttrAccessibleWhenUnlocked, error); } else if (CFEqual(agrp, CFSTR("apple"))) { @@ -981,7 +1030,7 @@ CFTypeRef SecDbKeychainItemCopyEncryptedData(SecDbItemRef item, const SecDbAttr if (attributes || auth_attributes) { SecAccessControlRef access_control = SecDbItemCopyAccessControl(item, error); if (access_control) { - if (ks_encrypt_data(item->keybag, access_control, item->credHandle, attributes, auth_attributes, &edata, error)) { + if (ks_encrypt_data(item->keybag, access_control, item->credHandle, attributes, auth_attributes, &edata, true, error)) { item->_edataState = kSecDbItemEncrypting; } else if (!error || !*error || CFErrorGetCode(*error) != errSecAuthNeeded || !CFEqualSafe(CFErrorGetDomain(*error), kSecErrorDomain) ) { seccritical("ks_encrypt_data (db): failed: %@", error ? *error : (CFErrorRef)CFSTR("")); diff --git a/OSX/sec/securityd/SecDbKeychainItem.h b/OSX/sec/securityd/SecDbKeychainItem.h index 0a218f33..b5a7ea6c 100644 --- a/OSX/sec/securityd/SecDbKeychainItem.h +++ b/OSX/sec/securityd/SecDbKeychainItem.h 
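Review bot: SecDbKeychainItemCopyEncryptedData now passes `true` for useDefaultIV while the backup path in SecDbItemCopyEncryptedDataToBackup (SecDbItem.c on this page) passes `false`, and neither call site explains the split; a comment at each, e.g. `/* fixed GCM IV + AAD for on-disk keychain blobs; backups keep the legacy format */`, would record the policy, assuming that is the reason. A bare bool positioned between two pointer arguments is easy to transpose at future call sites; since the prototype in SecDbKeychainItem.h changes in this same commit, a two-value enum (names constructed, e.g. `ks_iv_random` / `ks_iv_default`) would be self-describing.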
@@ -35,7 +35,7 @@ __BEGIN_DECLS bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFDataRef acm_context, - CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, CFErrorRef *error); + CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, bool useDefaultIV, CFErrorRef *error); bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef operation, SecAccessControlRef *paccess_control, CFDataRef acm_context, CFDataRef blob, const SecDbClass *db_class, CFArrayRef caller_access_groups, CFMutableDictionaryRef *attributes_p, uint32_t *version_p, CFErrorRef *error); diff --git a/OSX/sec/securityd/SecDbQuery.c b/OSX/sec/securityd/SecDbQuery.c index d3304a6e..99c01e5d 100644 --- a/OSX/sec/securityd/SecDbQuery.c +++ b/OSX/sec/securityd/SecDbQuery.c @@ -41,6 +41,8 @@ #include <Security/SecItemInternal.h> #include <Security/SecAccessControl.h> #include <Security/SecAccessControlPriv.h> +#include <Security/SecPolicyInternal.h> +#include <Security/SecuritydXPC.h> #include <CommonCrypto/CommonDigest.h> #include <CommonCrypto/CommonDigestSPI.h> 
@@ -457,6 +459,48 @@ static void query_add_match(const void *key, const void *value, Query *q) } else CFRelease(canonical_issuers); } + } else if (CFEqual(kSecMatchPolicy, key)) { + if (CFGetTypeID(value) != CFArrayGetTypeID()) { + SecError(errSecParam, &q->q_error, CFSTR("unsupported value for kSecMatchPolicy attribute")); + return; + } + xpc_object_t policiesArrayXPC = _CFXPCCreateXPCObjectFromCFObject(value); + if (!policiesArrayXPC) { + SecError(errSecParam, &q->q_error, CFSTR("unsupported kSecMatchPolicy object in query")); + return; + } + + CFArrayRef policiesArray = SecPolicyXPCArrayCopyArray(policiesArrayXPC, &q->q_error); + xpc_release(policiesArrayXPC); + if (!policiesArray) + return; + + if (CFArrayGetCount(policiesArray) != 1 || CFGetTypeID(CFArrayGetValueAtIndex(policiesArray, 0)) != SecPolicyGetTypeID()) { + CFRelease(policiesArray); + SecError(errSecParam, &q->q_error, CFSTR("unsupported array of policies")); + return; + } + + query_set_policy(q, (SecPolicyRef)CFArrayGetValueAtIndex(policiesArray, 0)); + CFRelease(policiesArray); + } else if (CFEqual(kSecMatchValidOnDate, key)) { + if (CFGetTypeID(value) == CFNullGetTypeID()) { + CFDateRef date = CFDateCreate(kCFAllocatorDefault, CFAbsoluteTimeGetCurrent()); + query_set_valid_on_date(q, date); + CFRelease(date); + } else if (CFGetTypeID(value) == CFDateGetTypeID()) { + query_set_valid_on_date(q, value); + } else { + SecError(errSecParam, &q->q_error, CFSTR("unsupported value for kSecMatchValidOnDate attribute")); + return; + } + } else if (CFEqual(kSecMatchTrustedOnly, key)) { + if ((CFGetTypeID(value) == CFBooleanGetTypeID())) { + query_set_trusted_only(q, value); + } else { + SecError(errSecParam, &q->q_error, CFSTR("unsupported value for kSecMatchTrustedOnly attribute")); + return; + } } } 
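Review bot: kSecMatchPolicy is validated by converting the caller's array to XPC with `_CFXPCCreateXPCObjectFromCFObject` and straight back with `SecPolicyXPCArrayCopyArray`, which reads as a round trip done only to check that the elements are policies; if the purpose is to canonicalize client-supplied policy objects through the same path the XPC server uses, a comment saying so would stop a later reader from simplifying it to a type check. The early `if (!policiesArray) return;` assumes SecPolicyXPCArrayCopyArray always sets `q->q_error` on failure; if it can return NULL without an error, the query silently loses its policy filter, so a fallback `SecError(errSecParam, &q->q_error, CFSTR("unsupported kSecMatchPolicy object in query"));` when q_error is still NULL would be safer. query_add_match starts outside the hunk.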
@@ -752,15 +796,14 @@ static void query_applier(const void *key, const void *value, void *context) } static CFStringRef query_infer_keyclass(Query *q, CFStringRef agrp) { - /* apsd and lockdown are always dku. */ - if (CFEqual(agrp, CFSTR("com.apple.apsd")) - || CFEqual(agrp, CFSTR("lockdown-identities"))) { - return kSecAttrAccessibleAlwaysThisDeviceOnly; + /* apsd are always dku. */ + if (CFEqual(agrp, CFSTR("com.apple.apsd"))) { + return kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate; } /* All other certs or in the apple agrp is dk. */ if (q->q_class == &cert_class) { /* third party certs are always dk. */ - return kSecAttrAccessibleAlways; + return kSecAttrAccessibleAlwaysPrivate; } /* The rest defaults to ak. */ return kSecAttrAccessibleWhenUnlocked; @@ -792,6 +835,9 @@ bool query_destroy(Query *q, CFErrorRef *error) { CFReleaseSafe(q->q_access_control); CFReleaseSafe(q->q_use_cred_handle); CFReleaseSafe(q->q_caller_access_groups); + CFReleaseSafe(q->q_match_policy); + CFReleaseSafe(q->q_match_valid_on_date); + CFReleaseSafe(q->q_match_trusted_only); free(q); return ok; @@ -904,3 +950,16 @@ void query_set_caller_access_groups(Query *q, CFArrayRef caller_access_groups) { CFRetainAssign(q->q_caller_access_groups, caller_access_groups); } + +void +query_set_policy(Query *q, SecPolicyRef policy) { + CFRetainAssign(q->q_match_policy, policy); +} + +void query_set_valid_on_date(Query *q, CFDateRef date) { + CFRetainAssign(q->q_match_valid_on_date, date); +} + +void query_set_trusted_only(Query *q, CFBooleanRef trusted_only) { + CFRetainAssign(q->q_match_trusted_only, trusted_only); +} diff --git a/OSX/sec/securityd/SecDbQuery.h b/OSX/sec/securityd/SecDbQuery.h index 2a7f8474..7d1e1fab 100644 --- a/OSX/sec/securityd/SecDbQuery.h +++ b/OSX/sec/securityd/SecDbQuery.h 
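Review bot: The three new setters are formatted inconsistently: `query_set_policy` puts `void` on its own line while `query_set_valid_on_date` and `query_set_trusted_only` follow the single-line style of `query_set_caller_access_groups` directly above them. In query_infer_keyclass the removal of `lockdown-identities` from the dku rule means that access group now falls through to the default `kSecAttrAccessibleWhenUnlocked`, and the deleted comment was the only documentation of the old rule; a one-line comment noting where lockdown items now obtain their accessibility would keep the inference rules traceable.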
@@ -125,7 +125,14 @@ typedef struct Query CFArrayRef q_caller_access_groups; bool q_system_keychain; int32_t q_sync_bubble; + bool q_spindump_on_failure; + //policy for filtering certs and identities + SecPolicyRef q_match_policy; + //date for filtering certs and identities + CFDateRef q_match_valid_on_date; + //trusted only certs and identities + CFBooleanRef q_match_trusted_only; Pair q_pairs[]; } Query; @@ -147,6 +154,9 @@ Pair query_attr_at(const Query *q, CFIndex ix); bool query_update_parse(Query *q, CFDictionaryRef update, CFErrorRef *error); const SecDbClass *kc_class_with_name(CFStringRef name); void query_set_caller_access_groups(Query *q, CFArrayRef caller_access_groups); +void query_set_policy(Query *q, SecPolicyRef policy); +void query_set_valid_on_date(Query *q, CFDateRef policy); +void query_set_trusted_only(Query *q, CFBooleanRef trusted_only); CFDataRef SecMUSRCopySystemKeychainUUID(void); diff --git a/OSX/sec/securityd/SecItemBackupServer.c b/OSX/sec/securityd/SecItemBackupServer.c index 4c4844d7..b6a45cf5 100644 --- a/OSX/sec/securityd/SecItemBackupServer.c +++ b/OSX/sec/securityd/SecItemBackupServer.c @@ -50,7 +50,7 @@ static bool withDataSourceAndEngine(CFErrorRef *error, void (^action)(SOSDataSou int SecServerItemBackupHandoffFD(CFStringRef backupName, CFErrorRef *error) { __block int fd = -1; if (!withDataSourceAndEngine(error, ^(SOSDataSourceRef ds, SOSEngineRef engine) { - SOSEngineForPeerID(engine, backupName, error, ^(SOSPeerRef peer) { + SOSEngineForPeerIDNoCoder(engine, backupName, error, ^(SOSTransactionRef txn, SOSPeerRef peer) { fd = SOSPeerHandoffFD(peer, error); }); }) && fd >= 0) { diff --git a/OSX/sec/securityd/SecItemDataSource.c b/OSX/sec/securityd/SecItemDataSource.c index 0bdc8d8a..8c5e064f 100644 --- a/OSX/sec/securityd/SecItemDataSource.c +++ b/OSX/sec/securityd/SecItemDataSource.c 
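Review bot: The prototype `void query_set_valid_on_date(Query *q, CFDateRef policy);` names its parameter `policy` while the definition in SecDbQuery.c on this page names it `date`; the header should read `void query_set_valid_on_date(Query *q, CFDateRef date);` so the declaration documents the argument correctly. `q_spindump_on_failure` is added without a comment, unlike the three match fields right below it; a one-liner such as `// take a spindump when this query fails (diagnostics)` would keep the struct self-describing, if that is indeed its purpose.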
@@ -68,6 +68,10 @@ static const SecDbClass *dsSyncedClasses[] = { &cert_class, }; +static bool SecErrorIsSqliteDuplicateItemError(CFErrorRef error) { + return error && CFErrorGetCode(error) == SQLITE_CONSTRAINT && CFEqual(kSecDbErrorDomain, CFErrorGetDomain(error)); +} + static bool SecDbItemSelectSHA1(SecDbQueryRef query, SecDbConnectionRef dbconn, CFErrorRef *error, bool (^use_attr_in_where)(const SecDbAttr *attr), bool (^add_where_sql)(CFMutableStringRef sql, bool *needWhere), @@ -135,10 +139,10 @@ static Query *SecItemDataSourceAppendQuery(CFMutableArrayRef queries, const SecD query_add_attribute(kSecAttrSynchronizable, kCFBooleanTrue, q); query_add_or_attribute(kSecAttrAccessible, kSecAttrAccessibleWhenUnlocked, q); query_add_or_attribute(kSecAttrAccessible, kSecAttrAccessibleAfterFirstUnlock, q); - query_add_or_attribute(kSecAttrAccessible, kSecAttrAccessibleAlways, q); + query_add_or_attribute(kSecAttrAccessible, kSecAttrAccessibleAlwaysPrivate, q); query_add_or_attribute(kSecAttrAccessible, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, q); query_add_or_attribute(kSecAttrAccessible, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, q); - query_add_or_attribute(kSecAttrAccessible, kSecAttrAccessibleAlwaysThisDeviceOnly, q); + query_add_or_attribute(kSecAttrAccessible, kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, q); if (noTombstones) { query_add_attribute(kSecAttrTombstone, kCFBooleanFalse, q); 
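Review bot: `SecErrorIsSqliteDuplicateItemError` treats every `SQLITE_CONSTRAINT` in kSecDbErrorDomain as a duplicate item, but SQLite reports NOT NULL, CHECK and foreign-key violations under that same primary result code; if the code stored in the CFError is the primary code rather than an extended one, the helper is broader than its name and the merge logging in dsMergeObject that uses it will also suppress those failures. Either rename it to say "constraint" or narrow the check if extended result codes are available in the error. A short comment above the function stating which sqlite result the keychain stores in the error code would settle it.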
@@ -325,13 +329,12 @@ static CFStringRef dsGetName(SOSDataSourceRef data_source) { return ds->name; } -static void dsSetNotifyPhaseBlock(SOSDataSourceRef data_source, dispatch_queue_t queue, SOSDataSourceNotifyBlock notifyBlock) { +static void dsAddNotifyPhaseBlock(SOSDataSourceRef data_source, SOSDataSourceNotifyBlock notifyBlock) { SecItemDataSourceRef ds = (SecItemDataSourceRef)data_source; - SecDbSetNotifyPhaseBlock(ds->db, queue, notifyBlock - ? ^(SecDbConnectionRef dbconn, SecDbTransactionPhase phase, SecDbTransactionSource source, CFArrayRef changes) { - notifyBlock(&ds->ds, (SOSTransactionRef)dbconn, phase, source, changes); - } - : NULL); + SecDbAddNotifyPhaseBlock(ds->db, ^(SecDbConnectionRef dbconn, SecDbTransactionPhase phase, SecDbTransactionSource source, CFArrayRef changes) + { + notifyBlock(&ds->ds, (SOSTransactionRef)dbconn, phase, source, changes); + }); } static SOSManifestRef dsCopyManifestWithViewNameSet(SOSDataSourceRef data_source, CFSetRef viewNameSet, CFErrorRef *error) { @@ -339,7 +342,7 @@ static SOSManifestRef dsCopyManifestWithViewNameSet(SOSDataSourceRef data_source return SecItemDataSourceCopyManifestWithViewNameSet(ds, viewNameSet, error); } -static bool dsForEachObject(SOSDataSourceRef data_source, SOSManifestRef manifest, CFErrorRef *error, void (^handle_object)(CFDataRef key, SOSObjectRef object, bool *stop)) { +static bool dsForEachObject(SOSDataSourceRef data_source, SOSTransactionRef txn, SOSManifestRef manifest, CFErrorRef *error, void (^handle_object)(CFDataRef key, SOSObjectRef object, bool *stop)) { struct SecItemDataSource *ds = (struct SecItemDataSource *)data_source; __block bool result = true; const SecDbAttr *sha1Attr = SecDbClassAttrWithKind(&genp_class, kSecDbSHA1Attr, error); 
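Review bot: dsAddNotifyPhaseBlock drops the `notifyBlock ? ... : NULL` guard that the replaced dsSetNotifyPhaseBlock had, so a NULL notifyBlock now registers a wrapper that invokes a NULL block on the first transaction phase; either restore the guard with `if (!notifyBlock) return;` before the SecDbAddNotifyPhaseBlock call, or document that the argument must be non-NULL. The wrapper also captures `ds` by plain pointer without retaining it, so the data source must outlive every block registered this way, and since the new API only adds blocks there appears to be no way to remove one; a comment stating that lifetime requirement would help.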
@@ -358,7 +361,8 @@ static bool dsForEachObject(SOSDataSourceRef data_source, SOSManifestRef manifes __block CFStringRef *sqls = select_sql; __block sqlite3_stmt **stmts = select_stmts; - result &= SecDbPerformRead(ds->db, error, ^(SecDbConnectionRef dbconn) { + void (^readBlock)(SecDbConnectionRef dbconn) = ^(SecDbConnectionRef dbconn) + { // Setup for (size_t class_ix = 0; class_ix < array_size(dsSyncedClasses); ++class_ix) { result = (result @@ -371,9 +375,14 @@ static bool dsForEachObject(SOSDataSourceRef data_source, SOSManifestRef manifes __block SecDbItemRef item = NULL; for (size_t class_ix = 0; result && !item && class_ix < array_size(dsSyncedClasses); ++class_ix) { CFDictionarySetValue(queries[class_ix]->q_item, sha1Attr->name, key); - result = (SecDbItemSelectBind(queries[class_ix], stmts[class_ix], error, use_attr_in_where, NULL) && SecDbStep(dbconn, stmts[class_ix], error, ^(bool *unused_stop) { - item = SecDbItemCreateWithStatement(kCFAllocatorDefault, queries[class_ix]->q_class, stmts[class_ix], KEYBAG_DEVICE, error, return_attr); - })) && SecDbReset(stmts[class_ix], error); + result = SecDbItemSelectBind(queries[class_ix], stmts[class_ix], error, use_attr_in_where, NULL); + if (result) { + result &= SecDbStep(dbconn, stmts[class_ix], error, ^(bool *unused_stop) { + item = SecDbItemCreateWithStatement(kCFAllocatorDefault, queries[class_ix]->q_class, stmts[class_ix], KEYBAG_DEVICE, error, return_attr); + }); + } + if (result) + result &= SecDbReset(stmts[class_ix], error); } handle_object(key, (SOSObjectRef)item, stop); CFReleaseSafe(item); @@ -385,7 +394,14 @@ static bool dsForEachObject(SOSDataSourceRef data_source, SOSManifestRef manifes CFReleaseSafe(sqls[class_ix]); result &= query_destroy(queries[class_ix], error); } - }); + }; + + if (txn) { + readBlock((SecDbConnectionRef)txn); + } else { + result &= SecDbPerformRead(ds->db, error, readBlock); + } + return result; } 
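Review bot: `(SecDbConnectionRef)txn` is now cast in three places in this file, here in dsForEachObject and again in dsCopyStateWithKey and dsDeleteStateWithKey in later hunks, with nothing stating why a SOSTransactionRef is a SecDbConnectionRef; dsWith is where the relationship is created (it hands `dbconn` out as the transaction), so a small `static inline` accessor (name constructed, e.g. `dsConnectionFromTxn`) with a comment pointing at dsWith would give the cast one documented home. When `txn` is non-NULL the read block runs directly and bypasses whatever SecDbPerformRead would report through `error`, which is only correct if the caller already holds the transaction; a comment at the `if (txn)` such as `// caller is already inside a dsWith/dsReadWith transaction` would record that contract. dsForEachObject starts outside the hunk.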
@@ -437,14 +453,31 @@ static CFDictionaryRef objectCopyPropertyList(SOSObjectRef object, CFErrorRef *e return cryptoDataDict; } -static bool dsWith(SOSDataSourceRef data_source, CFErrorRef *error, SOSDataSourceTransactionSource source, void(^transaction)(SOSTransactionRef txn, bool *commit)) { +static bool dsWith(SOSDataSourceRef data_source, CFErrorRef *error, SOSDataSourceTransactionSource source, bool onCommitQueue, void(^transaction)(SOSTransactionRef txn, bool *commit)) { SecItemDataSourceRef ds = (SecItemDataSourceRef)data_source; __block bool ok = true; ok &= SecDbPerformWrite(ds->db, error, ^(SecDbConnectionRef dbconn) { ok &= SecDbTransaction(dbconn, - source == kSOSDataSourceAPITransaction ? kSecDbExclusiveTransactionType : kSecDbExclusiveRemoteTransactionType, - error, ^(bool *commit) { - transaction((SOSTransactionRef)dbconn, commit); + source == kSOSDataSourceAPITransaction ? kSecDbExclusiveTransactionType : kSecDbExclusiveRemoteTransactionType, + error, ^(bool *commit) { + if (onCommitQueue) { + SecDbPerformOnCommitQueue(dbconn, false, ^{ + transaction((SOSTransactionRef)dbconn, commit); + }); + } else { + transaction((SOSTransactionRef)dbconn, commit); + } + }); + }); + return ok; +} + +static bool dsReadWith(SOSDataSourceRef data_source, CFErrorRef *error, SOSDataSourceTransactionSource source, void(^perform)(SOSTransactionRef txn)) { + SecItemDataSourceRef ds = (SecItemDataSourceRef)data_source; + __block bool ok = true; + ok &= SecDbPerformRead(ds->db, error, ^(SecDbConnectionRef dbconn) { + SecDbPerformOnCommitQueue(dbconn, false, ^{ + perform((SOSTransactionRef)dbconn); }); }); return ok; 
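Review bot: `SecDbPerformOnCommitQueue(dbconn, false, ...)` is called with an unexplained `false` in both dsWith and dsReadWith; a trailing `false /* <meaning of the flag> */` or a named constant would make the choice reviewable. dsReadWith always hops to the commit queue even though it only reads, while dsWith makes that optional via onCommitQueue; if read-side callbacks must observe committed state, a comment on dsReadWith saying so would explain the asymmetry. In both functions the callback has no failure channel, so `ok` reflects only SecDbPerformWrite/SecDbPerformRead and SecDbTransaction, and in dsWith the `commit` flag is the block's only way to veto; that is worth one sentence above each function.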
@@ -456,13 +489,24 @@ static SOSMergeResult dsMergeObject(SOSTransactionRef txn, SOSObjectRef peersObj __block SOSMergeResult mr = kSOSMergeFailure; __block SecDbItemRef mergedItem = NULL; __block SecDbItemRef replacedItem = NULL; - if (!peersItem || !dbconn || !SecDbItemSetKeybag(peersItem, KEYBAG_DEVICE, error)) return mr; - if (SecDbItemInsertOrReplace(peersItem, dbconn, error, ^(SecDbItemRef myItem, SecDbItemRef *replace) { + __block CFErrorRef localError = NULL; + + if (!peersItem || !dbconn) + return kSOSMergeFailure; + if (!SecDbItemSetKeybag(peersItem, KEYBAG_DEVICE, &localError)) { + secnotice("ds", "kSOSMergeFailure => SecDbItemSetKeybag: %@", localError); + CFErrorPropagate(localError, error); + return kSOSMergeFailure; + } + + if (SecDbItemInsertOrReplace(peersItem, dbconn, &localError, ^(SecDbItemRef myItem, SecDbItemRef *replace) { // An item with the same primary key as dbItem already exists in the the database. That item is old_item. // Let the conflict resolver choose which item to keep. - mergedItem = SecItemDataSourceCopyMergedItem(peersItem, myItem, error); - if (mergedObject) *mergedObject = (SOSObjectRef)CFRetain(mergedItem); - if (!mergedItem) return; + mergedItem = SecItemDataSourceCopyMergedItem(peersItem, myItem, &localError); + if (!mergedItem) + return; // from block + if (mergedObject) + *mergedObject = (SOSObjectRef)CFRetain(mergedItem); if (CFEqual(mergedItem, myItem)) { // Conflict resolver choose my (local) item secnotice("ds", "Conflict resolver chose my (local) item: %@", myItem); 
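Review bot: Inside the SecDbItemInsertOrReplace block, the new `if (!mergedItem) return; // from block` leaves `*replace` untouched when SecItemDataSourceCopyMergedItem fails, so the outcome depends on how SecDbItemInsertOrReplace treats an unset `*replace`; if it proceeds with the insert, a failed merge is masked as a successful insert while `localError` is set, and the code after the block keys off `localError`. A comment at that return stating the expected behaviour (e.g. `// leaving *replace NULL makes InsertOrReplace fail`, if that is the contract) would make the intent checkable. SecItemDataSourceCopyMergedItem and SecDbItemInsertOrReplace now both write into the same `localError`; if the latter also sets it on failure, the first error is either overwritten or leaked depending on the SecError convention. dsMergeObject continues outside the hunk.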
@@ -481,18 +525,28 @@ static SOSMergeResult dsMergeObject(SOSTransactionRef txn, SOSObjectRef peersObj } } })) { + // either SecDbItemInsertOrReplace or SecItemDataSourceCopyMergedItem failed if (mr == kSOSMergeFailure) { - secnotice("ds", "kSOSMergeFailure => kSOSMergePeersObject"); + secnotice("ds", "kSOSMergeFailure => kSOSMergePeersObject, %@", localError); + CFReleaseSafe(localError); mr = kSOSMergePeersObject; } } - if (error && *error && mr != kSOSMergeFailure) - CFReleaseNull(*error); + if (localError && !SecErrorIsSqliteDuplicateItemError(localError)) { + secnotice("ds", "dsMergeObject failed: mr=%ld, %@", mr, localError); + // We should probably always propogate this, but for now we are only logging + // See rdar://problem/26451072 for case where we might need to propogate + if (mr == kSOSMergeFailure) { + CFErrorPropagate(localError, error); + localError = NULL; + } + } CFReleaseSafe(mergedItem); CFReleaseSafe(replacedItem); + CFReleaseSafe(localError); return mr; } @@ -530,7 +584,7 @@ static CFDictionaryRef objectCopyBackup(SOSObjectRef object, uint64_t handle, CF return backup_item; } -static CFDataRef dsCopyStateWithKey(SOSDataSourceRef data_source, CFStringRef key, CFStringRef pdmn, CFErrorRef *error) { +static CFDataRef dsCopyStateWithKey(SOSDataSourceRef data_source, CFStringRef key, CFStringRef pdmn, SOSTransactionRef txn, CFErrorRef *error) { SecItemDataSourceRef ds = (SecItemDataSourceRef)data_source; CFStringRef dataSourceID = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SOSDataSource-%@"), ds->name); CFMutableDictionaryRef dict = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault, 
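Review bot: In the `mr == kSOSMergeFailure` branch, `CFReleaseSafe(localError);` releases the error but leaves the pointer set (unlike CFReleaseNull, which this commit uses elsewhere), so the following `if (localError && !SecErrorIsSqliteDuplicateItemError(localError))` reads a released object and the `CFReleaseSafe(localError);` added before `return mr` releases it a second time; the line should be `CFReleaseNull(localError);`. `secnotice("ds", "dsMergeObject failed: mr=%ld, %@", mr, localError);` formats `mr` with `%ld`; if SOSMergeResult is an enum backed by int, pass `(long)mr` to keep the format and argument types matched. The comment also misspells "propagate" twice. dsMergeObject starts outside the hunk.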
@@ -546,14 +600,19 @@ static CFDataRef dsCopyStateWithKey(SOSDataSourceRef data_source, CFStringRef ke if (query) { if (query->q_item) CFReleaseSafe(query->q_item); query->q_item = dict; - SecDbPerformRead(ds->db, error, ^(SecDbConnectionRef dbconn) { + void (^read_it)(SecDbConnectionRef dbconn) = ^(SecDbConnectionRef dbconn) { SecDbItemSelect(query, dbconn, error, NULL, ^bool(const SecDbAttr *attr) { return CFDictionaryContainsKey(dict, attr->name); }, NULL, NULL, ^(SecDbItemRef item, bool *stop) { secnotice("ds", "found item for key %@@%@", key, pdmn); data = CFRetainSafe(SecDbItemGetValue(item, &v6v_Data, error)); }); - }); + }; + if (txn) { + read_it((SecDbConnectionRef) txn); + } else { + SecDbPerformRead(ds->db, error, read_it); + } query_destroy(query, error); } else { CFReleaseSafe(dict); 
@@ -622,6 +681,24 @@ static bool dsSetStateWithKey(SOSDataSourceRef data_source, SOSTransactionRef tx
 return mr != kSOSMergeFailure;
 }
 
+static bool dsDeleteStateWithKey(SOSDataSourceRef data_source, CFStringRef key, CFStringRef pdmn, SOSTransactionRef txn, CFErrorRef *error) {
+ SecItemDataSourceRef ds = (SecItemDataSourceRef)data_source;
+ CFStringRef dataSourceID = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SOSDataSource-%@"), ds->name);
+ CFMutableDictionaryRef dict = CFDictionaryCreateMutableForCFTypesWith(kCFAllocatorDefault,
+ kSecAttrAccessGroup, kSOSInternalAccessGroup,
+ kSecAttrAccount, key,
+ kSecAttrService, dataSourceID,
+ kSecAttrAccessible, pdmn,
+ kSecAttrSynchronizable, kCFBooleanFalse,
+ NULL);
+ CFReleaseSafe(dataSourceID);
+ SecDbItemRef item = SecDbItemCreateWithAttributes(kCFAllocatorDefault, &genp_class, dict, KEYBAG_DEVICE, error);
+ bool ok = SecDbItemDoDeleteSilently(item, (SecDbConnectionRef)txn, error);
+ CFReleaseNull(dict);
+ CFReleaseSafe(item);
+ return ok;
+}
+
 static bool dsRestoreObject(SOSTransactionRef txn, uint64_t handle, CFDictionaryRef item, CFErrorRef *error) {
 CFStringRef item_class = CFDictionaryGetValue(item, kSecItemBackupClassKey);
 CFDataRef data = CFDictionaryGetValue(item, kSecItemBackupDataKey);
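Review bot: `SecDbItemCreateWithAttributes` takes `error` and can return NULL, yet `item` is passed straight to `SecDbItemDoDeleteSilently`; add `if (!item) { CFReleaseNull(dict); return false; }` before the delete so a failed item construction is reported through `error` rather than handed on as a NULL item. Unlike `dsCopyStateWithKey` in the hunk above, which falls back to `SecDbPerformRead` when `txn` is NULL, this function casts `txn` to a connection unconditionally; if callers may pass a NULL transaction the same fallback is needed, otherwise a one-line comment stating that `txn` must be non-NULL would record the precondition. Minor: `dict` is released with CFReleaseNull and `item` with CFReleaseSafe on adjacent lines; one form is enough.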
@@ -643,17 +720,19 @@ static bool dsRestoreObject(SOSTransactionRef txn, uint64_t handle, CFDictionary SOSDataSourceRef SecItemDataSourceCreate(SecDbRef db, CFStringRef name, CFErrorRef *error) { SecItemDataSourceRef ds = calloc(1, sizeof(struct SecItemDataSource)); ds->ds.dsGetName = dsGetName; - ds->ds.dsSetNotifyPhaseBlock = dsSetNotifyPhaseBlock; + ds->ds.dsAddNotifyPhaseBlock = dsAddNotifyPhaseBlock; ds->ds.dsCopyManifestWithViewNameSet = dsCopyManifestWithViewNameSet; ds->ds.dsCopyStateWithKey = dsCopyStateWithKey; ds->ds.dsCopyItemDataWithKeys = dsCopyItemDataWithKeys; ds->ds.dsForEachObject = dsForEachObject; ds->ds.dsWith = dsWith; + ds->ds.dsReadWith = dsReadWith; ds->ds.dsRelease = dsRelease; ds->ds.dsMergeObject = dsMergeObject; ds->ds.dsSetStateWithKey = dsSetStateWithKey; + ds->ds.dsDeleteStateWithKey = dsDeleteStateWithKey; ds->ds.dsRestoreObject = dsRestoreObject; // Object field accessors diff --git a/OSX/sec/securityd/SecItemDb.c b/OSX/sec/securityd/SecItemDb.c index 312fb076..b8a6cc4a 100644 --- a/OSX/sec/securityd/SecItemDb.c +++ b/OSX/sec/securityd/SecItemDb.c @@ -28,6 +28,7 @@ */ #include <securityd/SecItemDb.h> +#include <utilities/SecAKSWrappers.h> #include <securityd/SecDbKeychainItem.h> #include <securityd/SecItemSchema.h> @@ -41,9 +42,9 @@ #include <utilities/array_size.h> #include <utilities/SecIOFormat.h> #include <SecAccessControlPriv.h> +#include <uuid/uuid.h> -/* label when certificate data is joined with key data */ -#define CERTIFICATE_DATA_COLUMN_LABEL "certdata" +#define kSecBackupKeybagUUIDKey CFSTR("keybag-uuid") const SecDbAttr *SecDbAttrWithKey(const SecDbClass *c, CFTypeRef key, 
@@ -155,15 +156,17 @@ static CFDataRef SecPersistentRefCreateWithItem(SecDbItemRef item, CFErrorRef *e return NULL; } -bool SecItemDbCreateSchema(SecDbConnectionRef dbt, const SecDbSchema *schema, CFErrorRef *error) +bool SecItemDbCreateSchema(SecDbConnectionRef dbt, const SecDbSchema *schema, bool includeVersion, CFErrorRef *error) { __block bool ok = true; CFMutableStringRef sql = CFStringCreateMutable(kCFAllocatorDefault, 0); for (const SecDbClass * const *pclass = schema->classes; *pclass; ++pclass) { SecDbAppendCreateTableWithClass(sql, *pclass); } - // TODO: Use tversion_class to do this. - CFStringAppendFormat(sql, NULL, CFSTR("INSERT INTO tversion(version) VALUES(%d);"), schema->version); + if (includeVersion) { + CFStringAppendFormat(sql, NULL, CFSTR("INSERT INTO tversion(version,minor) VALUES(%d, %d);"), + schema->majorVersion, schema->minorVersion); + } CFStringPerformWithCString(sql, ^(const char *sql_string) { ok = SecDbErrorWithDb(sqlite3_exec(SecDbHandle(dbt), sql_string, NULL, NULL, NULL), SecDbHandle(dbt), error, CFSTR("sqlite3_exec: %s"), sql_string); @@ -427,10 +430,15 @@ static void s3dl_query_row(sqlite3_stmt *stmt, void *context) { CFDataRef certData = CFDictionaryGetValue(item, kSecValueData); if (certData) { - CFDictionarySetValue(key, CFSTR(CERTIFICATE_DATA_COLUMN_LABEL), - certData); + CFDictionarySetValue(key, kSecAttrIdentityCertificateData, certData); CFDictionaryRemoveValue(item, kSecValueData); } + + CFDataRef certTokenID = CFDictionaryGetValue(item, kSecAttrTokenID); + if (certTokenID) { + CFDictionarySetValue(key, kSecAttrIdentityCertificateTokenID, certTokenID); + CFDictionaryRemoveValue(item, kSecAttrTokenID); + } CFDictionaryApplyFunction(item, s3dl_merge_into_dict, key); CFRelease(item); item = key; 
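Review bot: The new `includeVersion` parameter of `SecItemDbCreateSchema` is undocumented both here and at its prototype in SecItemDb.h, and nothing at the definition says which callers are expected to pass false. From the callers elsewhere in this patch it appears UpgradeSchemaPhase1 passes false because SecKeychainDbUpgradeFromVersion writes tversion itself once migration finishes, while the empty-database path passes true; a comment on the definition such as `/* includeVersion: also INSERT the schema's major/minor into tversion; the migration path passes false and records the version itself after phase 1/2 */` would capture that. The `%d` substitutions into the CREATE/INSERT text are integers taken from the schema struct, not external input, so there is no quoting concern in this hunk.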
@@ -553,13 +561,14 @@ static void SecDbAppendLimit(CFMutableStringRef sql, CFIndex limit) { static CFStringRef s3dl_select_sql(Query *q, CFArrayRef accessGroups) { CFMutableStringRef sql = CFStringCreateMutable(NULL, 0); if (q->q_class == &identity_class) { - CFStringAppendFormat(sql, NULL, CFSTR("SELECT crowid, " - CERTIFICATE_DATA_COLUMN_LABEL ", rowid,data FROM " + CFStringAppendFormat(sql, NULL, CFSTR("SELECT crowid, %@" + ", rowid,data FROM " "(SELECT cert.rowid AS crowid, cert.labl AS labl," " cert.issr AS issr, cert.slnr AS slnr, cert.skid AS skid," - " keys.*,cert.data AS " CERTIFICATE_DATA_COLUMN_LABEL + " keys.*,cert.data AS %@" " FROM keys, cert" - " WHERE keys.priv == 1 AND cert.pkhh == keys.klbl")); + " WHERE keys.priv == 1 AND cert.pkhh == keys.klbl"), + kSecAttrIdentityCertificateData, kSecAttrIdentityCertificateData); SecDbAppendWhereAccessGroups(sql, CFSTR("cert.agrp"), accessGroups, 0); /* The next 3 SecDbAppendWhere calls are in the same order as in SecDbAppendWhereClause(). This makes sqlBindWhereClause() work, @@ -754,8 +763,12 @@ s3dl_query(s3dl_handle_row handle_row, // update query should superceed the errSecItemNotFound below. if (!query_error(q, error)) ok = false; - if (ok && c->found == 0) + if (ok && c->found == 0) { ok = SecError(errSecItemNotFound, error, CFSTR("no matching items found")); + if (q->q_spindump_on_failure) { + __security_stackshotreport(CFSTR("ItemNotFound"), __sec_exception_code_LostInMist); + } + } return ok; } 
@@ -1050,8 +1063,24 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo } } + if (multiUser && CFEqual(agrp, CFSTR("appleaccount")) && cls == &genp_class) { + static CFStringRef accountServices[] = { + CFSTR("com.apple.appleaccount.fmf.token"), /* temporary tokens while accout is being setup */ + CFSTR("com.apple.appleaccount.fmf.apptoken"), + CFSTR("com.apple.appleaccount.fmip.siritoken"), + CFSTR("com.apple.appleaccount.cloudkit.token"), + NULL + }; + CFStringRef service = CFDictionaryGetValue(item, kSecAttrService); + + if (isString(service) && matchAnyString(service, accountServices)) { + secdebug("backup", "found exact sys_bound item: %@", item); + return true; + } + } + if (multiUser && CFEqual(agrp, CFSTR("apple")) && cls == &genp_class) { - static CFStringRef acountServices[] = { + static CFStringRef accountServices[] = { CFSTR("com.apple.account.AppleAccount.token"), CFSTR("com.apple.account.AppleAccount.password"), CFSTR("com.apple.account.AppleAccount.rpassword"), @@ -1070,7 +1099,7 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo }; CFStringRef service = CFDictionaryGetValue(item, kSecAttrService); - if (isString(service) && matchAnyString(service, acountServices)) { + if (isString(service) && matchAnyString(service, accountServices)) { secdebug("backup", "found exact sys_bound item: %@", item); return true; } @@ -1084,13 +1113,13 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo } if (multiUser && CFEqual(agrp, CFSTR("ichat")) && cls == &genp_class) { - static CFStringRef acountServices[] = { + static CFStringRef accountServices[] = { CFSTR("ids"), NULL }; CFStringRef service = CFDictionaryGetValue(item, kSecAttrService); - if (isString(service) && matchAnyString(service, acountServices)) { + if (isString(service) && matchAnyString(service, accountServices)) { secdebug("backup", "found exact sys_bound item: %@", item); return true; } 
@@ -1234,7 +1263,7 @@ static void s3dl_export_row(sqlite3_stmt *stmt, void *context) { /* Encode and encrypt the item to the specified keybag. */ CFDataRef edata = NULL; - bool encrypted = ks_encrypt_data(c->dest_keybag, access_control, q->q_use_cred_handle, item, auth_attribs, &edata, &q->q_error); + bool encrypted = ks_encrypt_data(c->dest_keybag, access_control, q->q_use_cred_handle, item, auth_attribs, &edata, false, &q->q_error); CFDictionaryRemoveAllValues(item); CFRelease(auth_attribs); if (encrypted) { @@ -1276,6 +1305,22 @@ static void s3dl_export_row(sqlite3_stmt *stmt, void *context) { CFReleaseSafe(access_control); } +static CFStringRef +SecCreateKeybagUUID(keybag_handle_t keybag) +{ +#if !TARGET_HAS_KEYSTORE + return NULL; +#else + char uuidstr[37]; + uuid_t uuid; + if (aks_get_bag_uuid(keybag, uuid) != KERN_SUCCESS) + return NULL; + uuid_unparse_lower(uuid, uuidstr); + return CFStringCreateWithCString(NULL, uuidstr, kCFStringEncodingUTF8); +#endif +} + + CFDictionaryRef SecServerCopyKeychainPlist(SecDbConnectionRef dbt, SecurityClient *client, @@ -1286,14 +1331,19 @@ SecServerCopyKeychainPlist(SecDbConnectionRef dbt, CFMutableDictionaryRef keychain; keychain = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + unsigned class_ix; + bool inMultiUser = false; + CFStringRef keybaguuid = NULL; + Query q = { .q_keybag = src_keybag, + .q_musrView = NULL + }; + if (!keychain) { if (error && !*error) SecError(errSecAllocate, error, CFSTR("Can't create keychain dictionary")); goto errOut; } - unsigned class_ix; - bool inMultiUser = false; - Query q = { .q_keybag = src_keybag }; + q.q_return_type = kSecReturnDataMask | kSecReturnAttributesMask | @@ -1301,6 +1351,7 @@ SecServerCopyKeychainPlist(SecDbConnectionRef dbt, q.q_limit = kSecMatchUnlimited; q.q_skip_acl_items = true; + #if TARGET_OS_IPHONE if (client && client->inMultiUser) { q.q_musrView = SecMUSRCreateActiveUserUUID(client->uid); 
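Review bot: `SecCreateKeybagUUID` returns NULL both when `TARGET_HAS_KEYSTORE` is off and when `aks_get_bag_uuid` fails, and by the Create rule its name implies a +1 result, but it carries no comment saying either; the callers later in this patch treat NULL as "no UUID available" and skip the keybag check, so the two NULL cases deserve to be spelled out: `/* Returns a +1 lowercase UUID string for keybag, or NULL when there is no keystore or the UUID cannot be read; the caller releases it. */`. The literal `char uuidstr[37]` matches what uuid_unparse_lower writes, but `uuid_string_t` from uuid/uuid.h (where the platform provides it) ties the size to the API rather than to a magic number.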
@@ -1310,6 +1361,10 @@ SecServerCopyKeychainPlist(SecDbConnectionRef dbt, { q.q_musrView = SecMUSRGetSingleUserKeychainUUID(); CFRetain(q.q_musrView); + + keybaguuid = SecCreateKeybagUUID(dest_keybag); + if (keybaguuid) + CFDictionarySetValue(keychain, kSecBackupKeybagUUIDKey, keybaguuid); } /* Get rid of this duplicate. */ @@ -1358,6 +1413,7 @@ SecServerCopyKeychainPlist(SecDbConnectionRef dbt, errOut: CFReleaseNull(q.q_musrView); + CFReleaseNull(keybaguuid); return keychain; } @@ -1398,7 +1454,7 @@ SecServerImportItem(const void *value, void *context) secdebug("item", "Import Item : %@", dict); - /* We use the kSecSysBoundItemFilte to indicate that we don't + /* We use the kSecSysBoundItemFilter to indicate that we don't * preserve rowid's during import. */ if (state->s->filter == kSecBackupableItemFilter) { @@ -1525,6 +1581,9 @@ static void SecServerImportClass(const void *key, const void *value, SecError(errSecParam, &state->error, CFSTR("class name %@ is not a string"), key); return; } + /* ignore the Keybag UUID */ + if (CFEqual(key, kSecBackupKeybagUUIDKey)) + return; const SecDbClass *class = kc_class_with_name(key); if (!class) { secwarning("Ignoring unknown key class '%@'", key); @@ -1554,6 +1613,7 @@ static void SecServerImportClass(const void *key, const void *value, bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, SecurityClient *client, keybag_handle_t src_keybag, keybag_handle_t dest_keybag, CFDictionaryRef keychain, enum SecItemFilter filter, CFErrorRef *error) { + CFStringRef keybaguuid = NULL; bool ok = true; CFDictionaryRef sys_bound = NULL; 
@@ -1565,6 +1625,19 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, SecurityClient *clie error), errOut); } + /* + * Validate the uuid of the source keybag matches what we have in the backup + */ + keybaguuid = SecCreateKeybagUUID(src_keybag); + if (keybaguuid) { + CFStringRef uuid = CFDictionaryGetValue(keychain, kSecBackupKeybagUUIDKey); + if (isString(uuid)) { + require_action(CFEqual(keybaguuid, uuid), errOut, + SecError(errSecDecode, error, CFSTR("Keybag UUID (%@) mismatch with backup (%@)"), + keybaguuid, uuid)); + } + } + /* Delete everything in the keychain. */ #if TARGET_OS_IPHONE if (client->inMultiUser) { @@ -1608,10 +1681,20 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, SecurityClient *clie errOut: CFReleaseSafe(sys_bound); + CFReleaseSafe(keybaguuid); return ok; } +CFStringRef +SecServerBackupGetKeybagUUID(CFDictionaryRef keychain) +{ + CFStringRef uuid = CFDictionaryGetValue(keychain, kSecBackupKeybagUUIDKey); + if (!isString(uuid)) + return NULL; + return uuid; +} + #pragma mark - key rolling support #if USE_KEYSTORE diff --git a/OSX/sec/securityd/SecItemDb.h b/OSX/sec/securityd/SecItemDb.h index 139f8a58..78dee293 100644 --- a/OSX/sec/securityd/SecItemDb.h +++ b/OSX/sec/securityd/SecItemDb.h @@ -75,7 +75,7 @@ bool SecItemDbSelect(SecItemDbConnectionRef dbconn, SecDbQueryRef query, CFError #endif -bool SecItemDbCreateSchema(SecDbConnectionRef dbt, const SecDbSchema *schema, CFErrorRef *error); +bool SecItemDbCreateSchema(SecDbConnectionRef dbt, const SecDbSchema *schema, bool includeVersion, CFErrorRef *error); bool SecItemDbDeleteSchema(SecDbConnectionRef dbt, const SecDbSchema *schema, CFErrorRef *error); 
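Review bot: The keybag-UUID validation added ahead of the delete-everything step only runs when the backup dictionary carries `kSecBackupKeybagUUIDKey` as a string; a backup with the key absent, or present with another type, is accepted with no check at all, so the mismatch error is only reachable for backups that chose to include the key. If that is deliberate (backups written before this key existed, or by the multi-user path that does not record it), say so and leave a trace, e.g. an `else` branch with `secnotice("backup", "backup carries no keybag uuid, skipping keybag check");`, so an unexpected skip is visible in logs. When `SecCreateKeybagUUID(src_keybag)` returns NULL the check is likewise skipped silently, which hides the no-keystore and aks-failure cases equally; a second secnotice there would separate the two.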
@@ -126,6 +126,10 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, enum SecItemFilter filter, CFErrorRef *error); +CFStringRef +SecServerBackupGetKeybagUUID(CFDictionaryRef keychain); + + #if TARGET_OS_IPHONE bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, bool keepU, CFErrorRef *error); #endif diff --git a/OSX/sec/securityd/SecItemSchema.c b/OSX/sec/securityd/SecItemSchema.c index 644091b4..7668a5d7 100644 --- a/OSX/sec/securityd/SecItemSchema.c +++ b/OSX/sec/securityd/SecItemSchema.c @@ -153,6 +153,7 @@ SECDB_ATTR(v6keytype, "type", Number, SecDbFlags(P,L, , ,A, , ,C,H, ,Z, ,N, SECDB_ATTR(v6keycrtr, "crtr", Number, SecDbFlags(P,L, , ,A, , ,C,H, ,Z, ,N, ,V0), NULL, NULL); // | | | | | | | | | | | | | | | SECDB_ATTR(v6version, "version", Number, SecDbFlags(P,L, , , , , , , , , , ,N, , ), NULL, NULL); +SECDB_ATTR(v91minor, "minor", Number, SecDbFlags( ,L, , , , , , , , ,Z, ,N, , ), NULL, NULL); const SecDbClass genp_class = { .name = CFSTR("genp"), @@ -317,7 +318,9 @@ const SecDbClass keys_class = { const SecDbClass tversion_class = { .name = CFSTR("tversion"), .attrs = { + &v6rowid, &v6version, + &v91minor, 0 } }; @@ -331,11 +334,12 @@ const SecDbClass identity_class = { }, }; -/* Version 9 (iOS 9.3 and OSX 10.11.5) database schema - * Same contents as v8 tables; table names changed to force upgrade - * and correct default values in table. */ -const SecDbSchema v9_schema = { - 9, +/* + * Version 9.1 (iOS 10.0 and OSX 10.11.8/10.12 addded minor version. + */ +const SecDbSchema v9_1_schema = { + .majorVersion = 9, + .minorVersion = 1, .classes = { &genp_class, &inet_class, 
@@ -346,6 +350,190 @@ const SecDbSchema v9_schema = { } }; +const SecDbClass v9genp_class = { + .name = CFSTR("genp9"), + .attrs = { + &v6rowid, + &v6cdat, + &v6mdat, + &v6desc, + &v6icmt, + &v6crtr, + &v6type, + &v6scrp, + &v6labl, + &v6alis, + &v6invi, + &v6nega, + &v6cusi, + &v6prot, + &v6acct, + &v6svce, + &v6gena, + &v6data, + &v6agrp, + &v6pdmn, + &v6sync, + &v6tomb, + &v6sha1, + &v7vwht, + &v7tkid, + &v6v_Data, + &v6v_pk, + &v6accc, + &v7utomb, + &v8musr, + 0 + }, +}; + +const SecDbClass v9inet_class = { + .name = CFSTR("inet9"), + .attrs = { + &v6rowid, + &v6cdat, + &v6mdat, + &v6desc, + &v6icmt, + &v6crtr, + &v6type, + &v6scrp, + &v6labl, + &v6alis, + &v6invi, + &v6nega, + &v6cusi, + &v6prot, + &v6acct, + &v6sdmn, + &v6srvr, + &v6ptcl, + &v6atyp, + &v6port, + &v6path, + &v6data, + &v6agrp, + &v6pdmn, + &v6sync, + &v6tomb, + &v6sha1, + &v7vwht, + &v7tkid, + &v6v_Data, + &v6v_pk, + &v6accc, + &v7utomb, + &v8musr, + 0 + }, +}; + +const SecDbClass v9cert_class = { + .name = CFSTR("cert9"), + .attrs = { + &v6rowid, + &v6cdat, + &v6mdat, + &v6ctyp, + &v6cenc, + &v6labl, + &v6certalis, + &v6subj, + &v6issr, + &v6slnr, + &v6skid, + &v6pkhh, + &v6data, + &v6agrp, + &v6pdmn, + &v6sync, + &v6tomb, + &v6sha1, + &v7vwht, + &v7tkid, + &v6v_Data, + &v6v_pk, + &v6accc, + &v7utomb, + &v8musr, + 0 + }, +}; + +const SecDbClass v9keys_class = { + .name = CFSTR("keys9"), + .attrs = { + &v6rowid, + &v6cdat, + &v6mdat, + &v6kcls, + &v6labl, + &v6alis, + &v6perm, + &v6priv, + &v6modi, + &v6klbl, + &v6atag, + &v6keycrtr, + &v6keytype, + &v6bsiz, + &v6esiz, + &v6sdat, + &v6edat, + &v6sens, + &v6asen, + &v6extr, + &v6next, + &v6encr, + &v6decr, + &v6drve, + &v6sign, + &v6vrfy, + &v6snrc, + &v6vyrc, + &v6wrap, + &v6unwp, + &v6data, + &v6agrp, + &v6pdmn, + &v6sync, + &v6tomb, + &v6sha1, + &v7vwht, + &v7tkid, + &v6v_Data, + &v6v_pk, + &v6accc, + &v7utomb, + &v8musr, + 0 + } +}; + +const SecDbClass v5tversion_class = { + .name = CFSTR("tversion5"), + .attrs = { + &v6version, + 0 + } +}; 
+ +/* Version 9 (iOS 9.3 and OSX 10.11.5) database schema + * Same contents as v8 tables; table names changed to force upgrade + * and correct default values in table. + */ +const SecDbSchema v9_schema = { + .majorVersion = 9, + .classes = { + &v9genp_class, + &v9inet_class, + &v9cert_class, + &v9keys_class, + &v5tversion_class, + 0 + } +}; + // Version 8 (Internal release iOS 9.3 and OSX 10.11.5) database schema const SecDbClass v8genp_class = { .name = CFSTR("genp8"), @@ -508,13 +696,13 @@ const SecDbClass v8keys_class = { }; const SecDbSchema v8_schema = { - 8, + .majorVersion = 8, .classes = { &v8genp_class, &v8inet_class, &v8cert_class, &v8keys_class, - &tversion_class, + &v5tversion_class, 0 } }; @@ -678,13 +866,13 @@ const SecDbClass v7keys_class = { const SecDbSchema v7_schema = { - 7, + .majorVersion = 7, .classes = { &v7genp_class, &v7inet_class, &v7cert_class, &v7keys_class, - &tversion_class, + &v5tversion_class, 0 } }; @@ -836,13 +1024,13 @@ static const SecDbClass v6keys_class = { }; static const SecDbSchema v6_schema = { - 6, + .majorVersion = 6, .classes = { &v6genp_class, &v6inet_class, &v6cert_class, &v6keys_class, - &tversion_class, + &v5tversion_class, 0 } }; @@ -974,18 +1162,19 @@ static const SecDbClass v5keys_class = { }; static const SecDbSchema v5_schema = { - 5, + .majorVersion = 5, .classes = { &v5genp_class, &v5inet_class, &v5cert_class, &v5keys_class, - &tversion_class, + &v5tversion_class, 0 } }; const SecDbSchema *kc_schemas[] = { + &v9_1_schema, &v9_schema, &v8_schema, &v7_schema, diff --git a/OSX/sec/securityd/SecItemServer.c b/OSX/sec/securityd/SecItemServer.c index 7527b7c9..6e2a3b44 100644 --- a/OSX/sec/securityd/SecItemServer.c +++ b/OSX/sec/securityd/SecItemServer.c 
@@ -40,6 +40,9 @@ #include <Security/SecureObjectSync/SOSChangeTracker.h> #include <Security/SecureObjectSync/SOSDigestVector.h> #include <Security/SecureObjectSync/SOSViews.h> +#include <Security/SecTrustPriv.h> +#include <Security/SecTrustInternal.h> +#include <Security/SecCertificatePriv.h> // TODO: Make this include work on both platforms. rdar://problem/16526848 #if TARGET_OS_EMBEDDED @@ -60,6 +63,7 @@ #include <utilities/array_size.h> #include <utilities/SecFileLocations.h> #include <utilities/SecTrace.h> +#include <utilities/SecXPCError.h> #include <Security/SecuritydXPC.h> #include "swcagent_client.h" 
@@ -101,43 +105,55 @@ void SecKeychainChanged(bool syncWithPeers) { /* Return the current database version in *version. */ static bool SecKeychainDbGetVersion(SecDbConnectionRef dbt, int *version, CFErrorRef *error) { - __block bool ok = false; - SecDbQueryRef query = NULL; - __block CFNumberRef versionNumber = NULL; + __block bool ok = true; __block CFErrorRef localError = NULL; + __block bool found = false; - require_quiet(query = query_create(&tversion_class, NULL, NULL, &localError), out); - require_quiet(SecDbItemSelect(query, dbt, &localError, ^bool(const SecDbAttr *attr) { - // Bind all attributes. - return true; - }, ^bool(const SecDbAttr *attr) { - // No filtering. - return false; - }, NULL, NULL, ^(SecDbItemRef item, bool *stop) { - versionNumber = copyNumber(SecDbItemGetValue(item, tversion_class.attrs[0], &localError)); - *stop = true; - }), out); - - require_action_quiet(versionNumber != NULL && CFNumberGetValue(versionNumber, kCFNumberIntType, version), out, - // We have a tversion table but we didn't find a single version - // value, now what? I suppose we pretend the db is corrupted - // since this isn't supposed to ever happen. - SecDbError(SQLITE_CORRUPT, error, CFSTR("Failed to read version table")); - secwarning("tversion read error: %@", error ? *error : NULL)); - ok = true; + /* + * First check for the version table itself + */ -out: - if (!ok && CFErrorGetCode(localError) == SQLITE_ERROR) { - // Most probably means that the version table does not exist at all. - // TODO: Use "SELECT name FROM sqlite_master WHERE type='table' AND name='tversion'" to detect tversion presence. 
- CFReleaseSafe(localError); - version = 0; + ok &= SecDbPrepare(dbt, CFSTR("SELECT name FROM sqlite_master WHERE type='table' AND name='tversion'"), &localError, ^(sqlite3_stmt *stmt) { + ok = SecDbStep(dbt, stmt, NULL, ^(bool *stop) { + found = true; + *stop = 1; + }); + }); + require_action(ok, out, SecDbError(SQLITE_CORRUPT, error, CFSTR("Failed to read sqlite_master table: %@"), localError)); + if (!found) { + secnotice("upgr", "no tversion table, will setup a new database: %@", localError); + *version = 0; + goto out; + } + + /* + * Now build up major.minor + */ + + ok &= SecDbPrepare(dbt, CFSTR("SELECT version FROM tversion"), &localError, ^(sqlite3_stmt *stmt) { + ok = SecDbStep(dbt, stmt, NULL, ^(bool *stop) { + *version = sqlite3_column_int(stmt, 0); + if (*version) + *stop = true; + }); + }); + if (ok && (*version & 0xffff) >= 9) { + ok &= SecDbPrepare(dbt, CFSTR("SELECT minor FROM tversion WHERE version = ?"), &localError, ^(sqlite3_stmt *stmt) { + ok = SecDbBindInt(stmt, 1, *version, &localError) && + SecDbStep(dbt, stmt, NULL, ^(bool *stop) { + int64_t minor = sqlite3_column_int64(stmt, 0); + *version |= ((minor & 0xff) << 8) | ((minor & 0xff0000) << 8); + *stop = true; + }); + }); ok = true; } - if (query) - query_destroy(query, NULL); - CFReleaseSafe(versionNumber); - return ok || CFErrorPropagate(localError, error); +out: + secnotice("upgr", "database version is: 0x%08x : %d : %@", *version, ok, localError); + CFReleaseSafe(localError); + + + return ok; } static bool 
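Review bot: Each of the three `ok &= SecDbPrepare(...)` statements in this hunk reads `ok` as the left operand while the block run inside the call assigns `ok`; C leaves that operand read and the call indeterminately sequenced, so whether the block's result survives the `&=` depends on the compiler's evaluation order. `ok = SecDbPrepare(...) && ok;` is fully sequenced and keeps the block's result. Separately, the pre-existing context line `ok = true;` now sits directly after the `SELECT minor FROM tversion` query, so a failed minor lookup is silently reported as minor 0 with `localError` still set; presumably that is how a 9.0 database whose tversion has no `minor` column is meant to read, but it deserves a comment such as `/* a pre-9.1 tversion has no minor column; treat a failed lookup as minor 0 */`. Minor: the first step callback writes `*stop = 1;` where the others write `*stop = true;`.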
@@ -223,7 +239,7 @@ static bool UpgradeSchemaPhase1(SecDbConnectionRef dbt, const SecDbSchema *oldSc // Drop indices that that new schemas will use sql = CFStringCreateMutable(NULL, 0); for (newClass = newSchema->classes; *newClass != NULL; newClass++) { - SecDbForEachAttrWithMask((*newClass), desc, kSecDbIndexFlag | kSecDbInFlag) { + SecDbForEachAttrWithMask((*newClass),desc, kSecDbIndexFlag | kSecDbInFlag) { CFStringAppendFormat(sql, 0, CFSTR("DROP INDEX IF EXISTS %@%@;"), (*newClass)->name, desc->name); } } @@ -231,7 +247,7 @@ static bool UpgradeSchemaPhase1(SecDbConnectionRef dbt, const SecDbSchema *oldSc CFReleaseNull(sql); // Create tables for new schema. - require_quiet(ok &= SecItemDbCreateSchema(dbt, newSchema, error), out); + require_quiet(ok &= SecItemDbCreateSchema(dbt, newSchema, false, error), out); // Go through all classes of current schema to transfer all items to new tables. for (oldClass = oldSchema->classes, newClass = newSchema->classes; *oldClass != NULL && *newClass != NULL; oldClass++, newClass++) { @@ -273,7 +289,6 @@ static bool UpgradeSchemaPhase1(SecDbConnectionRef dbt, const SecDbSchema *oldSc // Leave item encrypted, do not ever try to decrypt it since it will fail. item->_edataState = kSecDbItemAlwaysEncrypted; } - // Insert new item into the new table. if (!SecDbItemInsert(item, dbt, &localError)) { secerror("item: %@ insert during upgrade: %@", item, localError); @@ -308,7 +323,7 @@ static bool UpgradeSchemaPhase1(SecDbConnectionRef dbt, const SecDbSchema *oldSc } // Remove old tables from the DB. - CFAssignRetained(sql, CFStringCreateMutable(NULL, 0)); + sql = CFStringCreateMutable(NULL, 0); for (oldClass = oldSchema->classes, newClass = newSchema->classes; *oldClass != NULL && *newClass != NULL; oldClass++, newClass++) { if (!CFEqual((*oldClass)->name, (*newClass)->name)) { 
@@ -367,8 +382,8 @@ static bool UpgradeItemPhase2(SecDbConnectionRef dbt, bool *inProgress, CFErrorR CFStringAppendFormat(sql, NULL, CFSTR("NOT %@ IN (?,?)"), pdmn->name); return true; }, ^bool(sqlite3_stmt *stmt, int col) { - return SecDbBindObject(stmt, col++, kSecAttrAccessibleAlways, error) && - SecDbBindObject(stmt, col++, kSecAttrAccessibleAlwaysThisDeviceOnly, error); + return SecDbBindObject(stmt, col++, kSecAttrAccessibleAlwaysPrivate, error) && + SecDbBindObject(stmt, col++, kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, error); }, ^(SecDbItemRef item, bool *stop) { CFErrorRef localError = NULL; 
@@ -437,54 +452,76 @@ out: return ok; } +#define SCHEMA_VERSION(schema) ((((schema)->minorVersion) << 8) | ((schema)->majorVersion)) +#define VERSION_MAJOR(version) ((version) & 0xff) +#define VERSION_MINOR(version) (((version) >> 8) & 0xff) +#define VERSION_NEW(version) ((version) & 0xffff) +#define VERSION_OLD(version) (((version) >> 16) & 0xffff) + static bool SecKeychainDbUpgradeFromVersion(SecDbConnectionRef dbt, int version, bool *inProgress, CFErrorRef *error) { __block bool didPhase2 = false; __block bool ok = true; + __block CFErrorRef localError = NULL; + + if (error) + *error = NULL; // The schema we want to have is the first in the list of schemas. const SecDbSchema *newSchema = kc_schemas[0]; // If DB schema is the one we want, we are done. - require_quiet(newSchema->version != version, out); + require_quiet(SCHEMA_VERSION(newSchema) != version, out); - if (version < 6) { + // Check if the schema of the database on disk is the same major, but newer version then what we have + // in code, lets just skip this since a newer version of the OS have upgrade it. Since its the same + // major, its a promise that it will be compatible. + if (newSchema->majorVersion == VERSION_MAJOR(version) && newSchema->minorVersion < VERSION_MINOR(version)) { + secnotice("upgr", "skipping upgrade since minor is newer"); + goto out; + } + + if (VERSION_MAJOR(version) < 6) { // Pre v6 keychains need to have WAL enabled, since SecDb only does this at db creation time. // NOTE: This has to be run outside of a transaction. - require_action_quiet(ok = (SecDbExec(dbt, CFSTR("PRAGMA auto_vacuum = FULL"), error) && - SecDbExec(dbt, CFSTR("PRAGMA journal_mode = WAL"), error)), + require_action_quiet(ok = (SecDbExec(dbt, CFSTR("PRAGMA auto_vacuum = FULL"), &localError) && + SecDbExec(dbt, CFSTR("PRAGMA journal_mode = WAL"), &localError)), out, secerror("unable to enable WAL or auto vacuum, marking DB as corrupt: %@", - error ? 
*error : NULL)); + localError)); } - ok &= SecDbTransaction(dbt, kSecDbExclusiveTransactionType, error, ^(bool *commit) { + ok &= SecDbTransaction(dbt, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { CFStringRef sql = NULL; bool didPhase1 = false; // Get version again once we start a transaction, someone else might change the migration state. - int version = 0; - require_quiet(ok = SecKeychainDbGetVersion(dbt, &version, error), out); - require_quiet(newSchema->version != version, out); + int version2 = 0; + require_quiet(ok = SecKeychainDbGetVersion(dbt, &version2, &localError), out); + // Check if someone has raced us to the migration of the database + require_action(version == version2, out, CFReleaseNull(localError); ok = true); + + require_quiet(SCHEMA_VERSION(newSchema) != version2, out); // If this is empty database, just create table according to schema and be done with it. - require_action_quiet(version != 0, out, ok = SecItemDbCreateSchema(dbt, newSchema, error)); + require_action_quiet(version2 != 0, out, ok = SecItemDbCreateSchema(dbt, newSchema, true, &localError)); - int oldVersion = (version >> 16) & 0xffff; - version &= 0xffff; - require_action_quiet(version == newSchema->version || oldVersion == 0, out, - ok = SecDbError(SQLITE_CORRUPT, error, - CFSTR("Half migrated but obsolete DB found: found %d(%d) but %d is needed"), - version, oldVersion, newSchema->version)); + int oldVersion = VERSION_OLD(version2); + version2 = VERSION_NEW(version2); + + require_action_quiet(version2 == SCHEMA_VERSION(newSchema) || oldVersion == 0, out, + ok = SecDbError(SQLITE_CORRUPT, &localError, + CFSTR("Half migrated but obsolete DB found: found 0x%x(0x%x) but 0x%x is needed"), + version2, oldVersion, SCHEMA_VERSION(newSchema))); // Check whether we have both old and new tables in the DB. if (oldVersion == 0) { // Pure old-schema migration attempt, with full blown table renames etc (a.k.a. 
phase1) - oldVersion = version; - version = newSchema->version; + oldVersion = version2; + version2 = SCHEMA_VERSION(newSchema); // Find schema for old database. const SecDbSchema *oldSchema = NULL; for (const SecDbSchema * const *pschema = kc_schemas; *pschema; ++pschema) { - if ((*pschema)->version == oldVersion) { + if (SCHEMA_VERSION((*pschema)) == oldVersion) { oldSchema = *pschema; break; } @@ -492,11 +529,11 @@ static bool SecKeychainDbUpgradeFromVersion(SecDbConnectionRef dbt, int version, // If we are attempting to upgrade from a version for which we have no schema, fail. require_action_quiet(oldSchema != NULL, out, - ok = SecDbError(SQLITE_CORRUPT, error, CFSTR("no schema for version: %d"), oldVersion); - secerror("no schema for version %d", oldVersion)); + ok = SecDbError(SQLITE_CORRUPT, &localError, CFSTR("no schema for version: 0x%x"), oldVersion); + secerror("no schema for version 0x%x", oldVersion)); - secnotice("upgr", "Upgrading from version %d to %d", oldVersion, newSchema->version); - require(ok = UpgradeSchemaPhase1(dbt, oldSchema, error), out); + secnotice("upgr", "Upgrading from version 0x%x to 0x%x", oldVersion, SCHEMA_VERSION(newSchema)); + require(ok = UpgradeSchemaPhase1(dbt, oldSchema, &localError), out); didPhase1 = true; } @@ -513,7 +550,7 @@ static bool SecKeychainDbUpgradeFromVersion(SecDbConnectionRef dbt, int version, *inProgress = true; ok = true; } else { - SecErrorPropagate(phase2Error, error); + SecErrorPropagate(phase2Error, &localError); } } CFReleaseNull(phase2Error); 
@@ -522,19 +559,20 @@ static bool SecKeychainDbUpgradeFromVersion(SecDbConnectionRef dbt, int version, if (!*inProgress) { // If either migration path we did reported that the migration was complete, signalize that // in the version database by cleaning oldVersion (which is stored in upper halfword of the version) - secnotice("upgr", "Done upgrading from version %d to %d", oldVersion, newSchema->version); + secnotice("upgr", "Done upgrading from version 0x%x to 0x%x", oldVersion, SCHEMA_VERSION(newSchema)); oldVersion = 0; didPhase2 = true; } } - // Update database version table. - version |= oldVersion << 16; - sql = CFStringCreateWithFormat(NULL, NULL, CFSTR("UPDATE %@ SET %@ = %d"), - tversion_class.name, tversion_class.attrs[0]->name, version); - require_quiet(ok = SecDbExec(dbt, sql, error), out); + uint32_t major = (VERSION_MAJOR(version2)) | (VERSION_MAJOR(oldVersion) << 16); + uint32_t minor = (VERSION_MINOR(version2)) | (VERSION_MINOR(oldVersion) << 16); + secnotice("upgr", "Upgrading saving version major 0x%x minor 0x%x", major, minor); + sql = CFStringCreateWithFormat(NULL, NULL, CFSTR("UPDATE tversion SET version='%d', minor='%d'"), + major, minor); + require_quiet(ok = SecDbExec(dbt, sql, &localError), out); out: CFReleaseSafe(sql); 
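Review bot: The new `UPDATE tversion SET version='%d', minor='%d'` writes the two packed integers as quoted string literals and relies on the Number affinity of those columns to convert them back; `SET version=%d, minor=%d` (or binding both through SecDbBindInt) stores exactly what SecKeychainDbGetVersion later reads with sqlite3_column_int, without an affinity round trip. The missing WHERE clause is unchanged from the previous code and is fine only while tversion holds a single row, which GetVersion's stop-at-first-nonzero read already assumes; a one-line comment on that assumption would help.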
@@ -548,16 +586,47 @@ static bool SecKeychainDbUpgradeFromVersion(SecDbConnectionRef dbt, int version, } out: - if (!ok || (error && *error)) { + if (!ok || localError) { + /* + * We assume that database is corrupt at this point, but we need to + * check if the error we got isn't severe enough to mark the database as corrupt. + * In those cases we opt out of corrupting the database. + */ + bool markedCorrupt = true; + if (ok) { secwarning("upgrade: error has been set but status is true"); ok = false; } - secerror("unable to complete upgrade, marking DB as corrupt: %@", error ? *error : NULL); - SecDbCorrupt(dbt, error ? *error : NULL); + if (localError) { + CFStringRef domain = CFErrorGetDomain(localError); + CFIndex code = CFErrorGetCode(localError); + + if (CFEqualSafe(domain, kSecDbErrorDomain) && + ((code & 0xff) == SQLITE_LOCKED || (code & 0xff) == SQLITE_BUSY)) + { + /* sqlite just busy doing something else, lets try upgrading some other time */ + ok = true; + markedCorrupt = false; + CFReleaseNull(localError); + } else { + secerror("unable to complete upgrade, marking DB as corrupt: %@", localError); + } + } else { + secerror("unable to complete upgrade and no error object returned, marking DB as corrupt"); + } + if (markedCorrupt) { + SecDbCorrupt(dbt, localError); #if TARGET_OS_EMBEDDED - ADClientAddValueForScalarKey(CFSTR("com.apple.keychain.migration-failure"), 1); + ADClientAddValueForScalarKey(CFSTR("com.apple.keychain.migration-failure"), 1); #endif + } + } + if (localError) { + if (error) { + *error = (CFErrorRef)CFRetain(localError); + } + CFReleaseNull(localError); } return ok; 
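Review bot: The transient set that avoids `SecDbCorrupt` covers only SQLITE_LOCKED and SQLITE_BUSY; an upgrade that fails with SQLITE_IOERR, SQLITE_FULL or SQLITE_NOMEM is still treated as corruption although those are equally retryable, and if SecDbCorrupt discards the database (not visible in this hunk) that turns a transient condition into keychain loss. A small list of retryable primary codes tested the same way as the two present would make the policy explicit and match the intent stated in the new comment. The `else` branch also reaches `SecDbCorrupt(dbt, localError)` with `localError` NULL right after logging that no error object was returned; the old code passed NULL there too, but a comment that SecDbCorrupt tolerates NULL would spare the next reader the check.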
@@ -735,21 +804,26 @@ static void kc_dbhandle_init(void) {
 // A callback for the sqlite3_log() interface.
 static void sqlite3Log(void *pArg, int iErrCode, const char *zMsg){
- secinfo("sqlite3", "(%d) %s", iErrCode, zMsg);
+ secdebug("sqlite3", "(%d) %s", iErrCode, zMsg);
 }
-static void setup_sqlite3_defaults_settings() {
- int rx = sqlite3_config(SQLITE_CONFIG_LOG, sqlite3Log, NULL);
- if (SQLITE_OK != rx) {
- secwarning("Could not set up sqlite global error logging to syslog: %d", rx);
- }
+void
+_SecServerDatabaseSetup(void)
+{
+ static dispatch_once_t onceToken;
+ dispatch_once(&onceToken, ^{
+ int rx = sqlite3_config(SQLITE_CONFIG_LOG, sqlite3Log, NULL);
+ if (SQLITE_OK != rx) {
+ secwarning("Could not set up sqlite global error logging to syslog: %d", rx);
+ }
+ });
 }
-static dispatch_once_t _kc_dbhandle_once;
-
-static SecDbRef kc_dbhandle(void) {
- dispatch_once(&_kc_dbhandle_once, ^{
- setup_sqlite3_defaults_settings();
+static SecDbRef kc_dbhandle(void)
+{
+ static dispatch_once_t onceToken;
+ dispatch_once(&onceToken, ^{
+ _SecServerDatabaseSetup();
 kc_dbhandle_init();
 });
 return _kc_dbhandle;
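Review bot: Lowering the sqlite3_log callback from secinfo to secdebug drops sqlite's own diagnostics (I/O errors, corruption reports, misuse) from production logs, which is exactly the evidence wanted when the keychain database is later marked corrupt by the upgrade path. Keep informational codes quiet but leave real errors visible, e.g. `if ((iErrCode & 0xff) == SQLITE_NOTICE || (iErrCode & 0xff) == SQLITE_WARNING) secdebug("sqlite3", "(%d) %s", iErrCode, zMsg); else secnotice("sqlite3", "(%d) %s", iErrCode, zMsg);`. `_SecServerDatabaseSetup` is now an exported entry point; a one-line comment stating that it is idempotent via dispatch_once and safe to call before `kc_dbhandle()` would make the new public surface self-explanatory.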
@@ -845,17 +919,196 @@ items_matching_issuer_parent(SecDbConnectionRef dbt, CFArrayRef accessGroups, CF return found; } +static bool +_FilterWithPolicy(SecPolicyRef policy, CFDateRef date, SecCertificateRef cert) +{ + CFDictionaryRef props = NULL; + CFArrayRef keychains = NULL; + CFArrayRef anchors = NULL; + CFArrayRef certs = NULL; + CFArrayRef chain = NULL; + SecTrustRef trust = NULL; + + SecTrustResultType trustResult; + Boolean needChain = false; + __block bool ok = false; + + if (!policy || !cert) return false; + + certs = CFArrayCreate(NULL, (const void **)&cert, (CFIndex)1, &kCFTypeArrayCallBacks); + require_noerr_quiet(SecTrustCreateWithCertificates(certs, policy, &trust), cleanup); + + /* Set evaluation date, if specified (otherwise current date is implied) */ + if (date && (CFGetTypeID(date) == CFDateGetTypeID())) { + require_noerr_quiet(SecTrustSetVerifyDate(trust, date), cleanup); + } + + /* Check whether this is the X509 Basic policy, which means chain building */ + props = SecPolicyCopyProperties(policy); + if (props) { + CFTypeRef oid = (CFTypeRef) CFDictionaryGetValue(props, kSecPolicyOid); + if (oid && (CFEqual(oid, kSecPolicyAppleX509Basic) || + CFEqual(oid, kSecPolicyAppleRevocation))) { + needChain = true; + } + } + + if (!needChain) { + require_noerr_quiet(SecTrustEvaluateLeafOnly(trust, &trustResult), cleanup); + } else { + require_noerr_quiet(SecTrustEvaluate(trust, &trustResult), cleanup); + } + + require_quiet((trustResult == kSecTrustResultProceed || + trustResult == kSecTrustResultUnspecified || + trustResult == kSecTrustResultRecoverableTrustFailure), cleanup); + + ok = true; +#if TARGET_OS_IPHONE + CFArrayRef properties = SecTrustCopyProperties(trust); +#else + CFArrayRef properties = SecTrustCopyProperties_ios(trust); +#endif + if (properties) { + CFArrayForEach(properties, ^(const void *property) { + CFDictionaryForEach((CFDictionaryRef)property, ^(const void *key, const void *value) { + if (CFEqual((CFTypeRef)key, 
kSecPropertyKeyType) && CFEqual((CFTypeRef)value, kSecPropertyTypeError)) + ok = false; + }); + }); + CFRelease(properties); + } + +cleanup: + if(props) CFRelease(props); + if(chain) CFRelease(chain); + if(anchors) CFRelease(anchors); + if(keychains) CFRelease(keychains); + if(certs) CFRelease(certs); + if(trust) CFRelease(trust); + + return ok; +} + +static bool +_FilterWithDate(CFDateRef validOnDate, SecCertificateRef cert) +{ + if (!validOnDate || !cert) return false; + + CFAbsoluteTime at, nb, na; + at = CFDateGetAbsoluteTime((CFDateRef)validOnDate); + + bool ok = true; + nb = SecCertificateNotValidBefore(cert); + na = SecCertificateNotValidAfter(cert); + + if (nb == 0 || na == 0 || nb == na) { + ok = false; + secnotice("FilterWithDate", "certificate cannot operate"); + } + else if (at < nb) { + ok = false; + secnotice("FilterWithDate", "certificate is not valid yet"); + } + else if (at > na) { + ok = false; + secnotice("FilterWithDate", "certificate expired"); + } + + return ok; +} + +static bool +_FilterWithTrust(Boolean trustedOnly, SecCertificateRef cert) +{ + if (!cert) return false; + if (!trustedOnly) return true; + + bool ok = false; + CFArrayRef certArray = CFArrayCreate(NULL, (const void**)&cert, 1, &kCFTypeArrayCallBacks); + SecTrustRef trust = NULL; + SecPolicyRef policy = SecPolicyCreateBasicX509(); + require_quiet(policy, out); + + require_noerr_quiet(SecTrustCreateWithCertificates(certArray, policy, &trust), out); + SecTrustResultType trustResult; + require_noerr_quiet(SecTrustEvaluate(trust, &trustResult), out); + + require_quiet((trustResult == kSecTrustResultProceed || + trustResult == kSecTrustResultUnspecified), out); + ok = true; +out: + CFReleaseSafe(trust); + CFReleaseSafe(policy); + CFReleaseSafe(certArray); + return ok; +} + +static SecCertificateRef +CopyCertificateFromItem(Query *q, CFDictionaryRef item) { + SecCertificateRef certRef = NULL; + + CFTypeRef tokenID = NULL; + CFDataRef certData = NULL; + if (q->q_class == 
&identity_class) { + certData = CFDictionaryGetValue(item, kSecAttrIdentityCertificateData); + tokenID = CFDictionaryGetValue(item, kSecAttrIdentityCertificateTokenID); + } else if (q->q_class == &cert_class) { + certData = CFDictionaryGetValue(item, kSecValueData); + tokenID = CFDictionaryGetValue(item, kSecAttrTokenID); + } + + require_quiet(certData, out); + if (tokenID != NULL) { + CFErrorRef error = NULL; + CFDataRef tokenCertData = _SecTokenItemCopyValueData(certData, &error); + require_action_quiet(tokenCertData, out, { secerror("function _SecTokenItemCopyValueData failed with: %@", error); CFReleaseSafe(error); }); + certRef = SecCertificateCreateWithData(kCFAllocatorDefault, tokenCertData); + CFRelease(tokenCertData); + } + else + certRef = SecCertificateCreateWithData(kCFAllocatorDefault, certData); + +out: + return certRef; +} + bool match_item(SecDbConnectionRef dbt, Query *q, CFArrayRef accessGroups, CFDictionaryRef item) { + bool ok = false; + SecCertificateRef certRef = NULL; if (q->q_match_issuer) { CFDataRef issuer = CFDictionaryGetValue(item, kSecAttrIssuer); if (!items_matching_issuer_parent(dbt, accessGroups, q->q_musrView, issuer, q->q_match_issuer, 10 /*max depth*/)) - return false; + return ok; } - /* Add future match checks here. 
*/ + if (q->q_match_policy && (q->q_class == &identity_class || q->q_class == &cert_class)) { + if (!certRef) + certRef = CopyCertificateFromItem(q, item); + require_quiet(certRef, out); + require_quiet(_FilterWithPolicy(q->q_match_policy, q->q_match_valid_on_date, certRef), out); + } - return true; + if (q->q_match_valid_on_date && (q->q_class == &identity_class || q->q_class == &cert_class)) { + if (!certRef) + certRef = CopyCertificateFromItem(q, item); + require_quiet(certRef, out); + require_quiet(_FilterWithDate(q->q_match_valid_on_date, certRef), out); + } + + if (q->q_match_trusted_only && (q->q_class == &identity_class || q->q_class == &cert_class)) { + if (!certRef) + certRef = CopyCertificateFromItem(q, item); + require_quiet(certRef, out); + require_quiet(_FilterWithTrust(CFBooleanGetValue(q->q_match_trusted_only), certRef), out); + } + + /* Add future match checks here. */ + ok = true; +out: + CFReleaseSafe(certRef); + return ok; } /**************************************************************************** @@ -927,6 +1180,9 @@ SecItemServerCopyMatching(CFDictionaryRef query, CFTypeRef *result, } else if (q->q_match_issuer && ((q->q_class != &cert_class) && (q->q_class != &identity_class))) { ok = SecError(errSecUnsupportedOperation, error, CFSTR("unsupported match attribute")); + } else if (q->q_match_policy && ((q->q_class != &cert_class) && + (q->q_class != &identity_class))) { + ok = SecError(errSecUnsupportedOperation, error, CFSTR("unsupported kSecMatchPolicy attribute")); } else if (q->q_return_type != 0 && result == NULL) { ok = SecError(errSecReturnMissingPointer, error, CFSTR("missing pointer")); } else if (!q->q_error) { 
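Review bot: `_FilterWithPolicy` declares `keychains`, `anchors` and `chain` but never assigns them, so the three `if(...) CFRelease(...)` lines under `cleanup:` are dead code; remove the locals and their releases. Accepting kSecTrustResultRecoverableTrustFailure in the `require_quiet` relies entirely on the later scan of SecTrustCopyProperties for kSecPropertyTypeError to reject failed evaluations, and that dependency deserves a comment such as `/* Recoverable failures pass this gate and are rejected below if the trust properties report an error. */` so nobody later "simplifies" the scan away. In `match_item` the pair `if (!certRef) certRef = CopyCertificateFromItem(q, item); require_quiet(certRef, out);` is repeated in all three filter branches; hoisting it into one block gated on any of the three match attributes plus the class test would shorten the function and keep the certificate lookup in one place. The end of items_matching_issuer_parent at the top of the hunk is unchanged context.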
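Review bot: The new rejection covers only `q_match_policy` on non-certificate classes, while `q_match_valid_on_date` and `q_match_trusted_only` are gated in match_item by the same `q_class == &identity_class || q_class == &cert_class` test and are therefore silently ignored for other classes instead of failing. Widening the condition keeps the three match attributes consistent: `} else if ((q->q_match_policy || q->q_match_valid_on_date || q->q_match_trusted_only) && ((q->q_class != &cert_class) && (q->q_class != &identity_class))) {` with a message such as `CFSTR("unsupported match attribute for class")`. The enclosing if/else chain begins and ends outside the hunk.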
@@ -978,7 +1234,8 @@ _SecItemAdd(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *resul bool ok = true; CFIndex ag_count; - if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups))) { + if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups)) || + (ag_count == 1 && CFArrayContainsValue(accessGroups, CFRangeMake(0, ag_count), kSecAttrAccessGroupToken))) { if (SecTaskDiagnoseEntitlements) SecTaskDiagnoseEntitlements(accessGroups); return SecError(errSecMissingEntitlement, error, @@ -998,7 +1255,8 @@ _SecItemAdd(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *resul if (agrp) { /* The user specified an explicit access group, validate it. */ if (!accessGroupsAllows(accessGroups, agrp)) - ok = SecError(errSecNoAccessForItem, error, CFSTR("NoAccessForItem")); + ok = SecError(errSecMissingEntitlement, error, + CFSTR("explicit accessGroup %@ not in client access %@"), agrp, accessGroups); } else { agrp = (CFStringRef)CFArrayGetValueAtIndex(client->accessGroups, 0); @@ -1056,7 +1314,8 @@ _SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, CFArrayRef accessGroups = client->accessGroups; CFIndex ag_count; - if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups))) { + if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups)) || + (ag_count == 1 && CFArrayContainsValue(accessGroups, CFRangeMake(0, ag_count), kSecAttrAccessGroupToken))) { if (SecTaskDiagnoseEntitlements) SecTaskDiagnoseEntitlements(accessGroups); return SecError(errSecMissingEntitlement, error, 
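Review bot: The clause `ag_count == 1 && CFArrayContainsValue(accessGroups, CFRangeMake(0, ag_count), kSecAttrAccessGroupToken)` is pasted verbatim into _SecItemAdd, _SecItemUpdate and, in the next hunk (L4468), _SecItemDelete, and in each case a token-only client falls through to the generic missing-entitlement error, which does not describe its situation. A small helper, `static bool accessGroupsIsTokenOnly(CFArrayRef ag, CFIndex n) { return n == 1 && CFArrayContainsValue(ag, CFRangeMake(0, n), kSecAttrAccessGroupToken); }`, keeps the three checks in step, and a dedicated message for that branch would make the rejection diagnosable from the log. In the second hunk the error returned for a disallowed explicit access group changes from errSecNoAccessForItem to errSecMissingEntitlement; callers that test for the old code will see different behaviour, so this deserves a line in the change description.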
@@ -1140,7 +1399,8 @@ _SecItemDelete(CFDictionaryRef query, SecurityClient *client, CFErrorRef *error) CFArrayRef accessGroups = client->accessGroups; CFIndex ag_count; - if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups))) { + if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups)) || + (ag_count == 1 && CFArrayContainsValue(accessGroups, CFRangeMake(0, ag_count), kSecAttrAccessGroupToken))) { if (SecTaskDiagnoseEntitlements) SecTaskDiagnoseEntitlements(accessGroups); return SecError(errSecMissingEntitlement, error, 
@@ -1192,6 +1452,96 @@ _SecItemDelete(CFDictionaryRef query, SecurityClient *client, CFErrorRef *error) return ok; } +static bool SecItemDeleteTokenItems(SecDbConnectionRef dbt, CFTypeRef classToDelete, CFTypeRef tokenID, CFArrayRef accessGroups, SecurityClient *client, CFErrorRef *error) { + CFTypeRef keys[] = { kSecClass, kSecAttrTokenID }; + CFTypeRef values[] = { classToDelete, tokenID }; + + CFDictionaryRef query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, 2, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + Query *q = query_create_with_limit(query, client->musr, kSecMatchUnlimited, error); + CFRelease(query); + bool ok; + if (q) { + query_set_caller_access_groups(q, accessGroups); + ok = s3dl_query_delete(dbt, q, accessGroups, error); + ok = query_notify_and_destroy(q, ok, error); + } else { + ok = false; + } + + return ok; +} + +static bool SecItemAddTokenItem(SecDbConnectionRef dbt, CFDictionaryRef attributes, CFArrayRef accessGroups, SecurityClient *client, CFErrorRef *error) { + bool ok = true; + Query *q = query_create_with_limit(attributes, client->musr, 0, error); + if (q) { + CFStringRef agrp = kSecAttrAccessGroupToken; + query_add_attribute(kSecAttrAccessGroup, agrp, q); + + if (ok) { + query_ensure_access_control(q, agrp); + if (q->q_system_keychain && !client->allowSystemKeychain) { + ok = SecError(errSecMissingEntitlement, error, CFSTR("client doesn't have entitlement for system keychain")); + } else if (q->q_sync_bubble && !client->allowSyncBubbleKeychain) { + ok = SecError(errSecMissingEntitlement, error, CFSTR("client doesn't have entitlement for syncbubble keychain")); + } else if (q->q_row_id) { + ok = SecError(errSecValuePersistentRefUnsupported, error, CFSTR("q_row_id")); // TODO: better error string + } else if (!q->q_error) { + query_pre_add(q, true); + ok = s3dl_query_add(dbt, q, NULL, error); + } + } + ok = query_notify_and_destroy(q, ok, error); + } else { + return false; + } + return ok; +} + +bool 
_SecItemUpdateTokenItems(CFStringRef tokenID, CFArrayRef items, SecurityClient *client, CFErrorRef *error) { + bool ok = true; + CFArrayRef accessGroups = client->accessGroups; + CFIndex ag_count; + if (!accessGroups || 0 == (ag_count = CFArrayGetCount(accessGroups))) { + if (SecTaskDiagnoseEntitlements) + SecTaskDiagnoseEntitlements(accessGroups); + return SecError(errSecMissingEntitlement, error, + CFSTR("client has neither application-identifier nor keychain-access-groups entitlements")); + } + + ok = kc_with_dbt(true, error, ^bool (SecDbConnectionRef dbt) { + return kc_transaction(dbt, error, ^bool { + if (items) { + const CFTypeRef classToDelete[] = { kSecClassGenericPassword, kSecClassInternetPassword, kSecClassCertificate, kSecClassKey }; + for (size_t i = 0; i < sizeof(classToDelete) / sizeof(classToDelete[0]); ++i) { + SecItemDeleteTokenItems(dbt, classToDelete[i], tokenID, accessGroups, client, NULL); + } + + for (CFIndex i = 0; i < CFArrayGetCount(items); ++i) { + if (!SecItemAddTokenItem(dbt, CFArrayGetValueAtIndex(items, i), accessGroups, client, error)) + return false; + } + return true; + } + else { + const CFTypeRef classToDelete[] = { kSecClassGenericPassword, kSecClassInternetPassword, kSecClassCertificate, kSecClassKey }; + bool deleted = true; + for (size_t i = 0; i < sizeof(classToDelete) / sizeof(classToDelete[0]); ++i) { + if (!SecItemDeleteTokenItems(dbt, classToDelete[i], tokenID, accessGroups, client, error) && error && CFErrorGetCode(*error) != errSecItemNotFound) { + deleted = false; + break; + } + else if (error && *error) { + CFReleaseNull(*error); + } + } + return deleted; + } + }); + }); + + return ok; +} /* AUDIT[securityd](done): No caller provided inputs. 
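Review bot: In the `items` branch of `_SecItemUpdateTokenItems` the deletes run with a `NULL` error and their results are discarded, so a failed delete is followed by the adds and can leave stale token items next to the new ones; at minimum log the failure with the class and tokenID. In the `else` branch, `!SecItemDeleteTokenItems(...) && error && CFErrorGetCode(*error) != errSecItemNotFound` dereferences `*error` whenever the delete returns false; if the callee can return false without populating it (the `!q` path only returns whatever query_create_with_limit set), this is a NULL dereference, so test `*error` before reading the code. `SecItemAddTokenItem` sets `ok = true` and immediately tests `if (ok)`, which is always taken, and the `classToDelete` table is duplicated in both branches of the transaction block; a single `static const CFTypeRef` array at file scope removes both.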
@@ -1213,6 +1563,82 @@ _SecItemDeleteAll(CFErrorRef *error) { return SecItemServerDeleteAll(error); } +bool +_SecItemServerDeleteAllWithAccessGroups(CFArrayRef accessGroups, SecurityClient *client, CFErrorRef *error) +{ + __block bool ok = true; + static dispatch_once_t onceToken; + static CFSetRef illegalAccessGroups = NULL; + + dispatch_once(&onceToken, ^{ + const CFStringRef values[] = { + CFSTR("*"), + CFSTR("apple"), + CFSTR("com.apple.security.sos"), + CFSTR("lockdown-identities"), + }; + illegalAccessGroups = CFSetCreate(NULL, (const void **)values, sizeof(values)/sizeof(values[0]), &kCFTypeSetCallBacks); + }); + + static const CFTypeRef qclasses[] = { + &inet_class, + &genp_class, + &keys_class, + &cert_class + }; + + require_action_quiet(isArray(accessGroups), fail, + ok = false; + SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, error, NULL, CFSTR("accessGroups not CFArray, got %@"), accessGroups)); + + // TODO: whitelist instead? look for dev IDs like 7123498YQX.com.somedev.app + + require_action(CFArrayGetCount(accessGroups) != 0, fail, + ok = false; + SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, error, NULL, CFSTR("accessGroups e empty"))); + + + // Pre-check accessGroups for prohibited values + CFArrayForEach(accessGroups, ^(const void *value) { + CFStringRef agrp = (CFStringRef)value; + + if (!isString(agrp)) { + SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, error, NULL, + CFSTR("access not a string: %@"), agrp); + ok &= false; + } else if (CFSetContainsValue(illegalAccessGroups, agrp)) { + SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, error, NULL, + CFSTR("illegal access group: %@"), accessGroups); + ok &= false; + } + }); + require(ok,fail); + + ok = kc_with_dbt(true, error, ^bool(SecDbConnectionRef dbt) { + return kc_transaction(dbt, error, ^bool { + CFErrorRef localError = NULL; + bool ok1 = true; + size_t n; + 
+ for (n = 0; n < sizeof(qclasses)/sizeof(qclasses[0]) && ok1; n++) { + Query *q; + + q = query_create(qclasses[n], client->musr, NULL, error); + require(q, fail2); + + (void)s3dl_query_delete(dbt, q, accessGroups, &localError); + fail2: + query_destroy(q, error); + CFReleaseNull(localError); + } + return ok1; + }) && SecDbExec(dbt, CFSTR("VACUUM"), error); + }); + +fail: + return ok; +} + // MARK: - // MARK: Shared web credentials @@ -1443,7 +1869,11 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, CFStringRef fqdn = CFRetainSafe(CFDictionaryGetValue(attributes, kSecAttrServer)); CFStringRef account = CFDictionaryGetValue(attributes, kSecAttrAccount); - CFStringRef password = CFDictionaryGetValue(attributes, CFSTR("spwd") /* kSecSharedPassword */); +#if TARGET_OS_IPHONE && !TARGET_OS_WATCH && !TARGET_OS_TV + CFStringRef password = CFDictionaryGetValue(attributes, kSecSharedPassword); +#else + CFStringRef password = CFDictionaryGetValue(attributes, CFSTR("spwd")); +#endif CFStringRef accessGroup = CFSTR("*"); CFMutableDictionaryRef query = NULL, attrs = NULL; SInt32 port = -1; @@ -1542,7 +1972,7 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, CFDictionarySetValue(query, kSecAttrAccount, kSecSafariPasswordsNotSaved); ok = _SecItemCopyMatching(query, &swcclient, result, error); if(result) CFReleaseNull(*result); - CFReleaseNull(*error); + if (error) CFReleaseNull(*error); if (ok) { SecError(errSecDuplicateItem, error, CFSTR("Item already exists for this server")); goto cleanup; 
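Review bot: The per-class loop in `_SecItemServerDeleteAllWithAccessGroups` can never report failure: `ok1` is never cleared, the `s3dl_query_delete` result is cast to void and `localError` is released unread, so the function returns true and proceeds to `VACUUM` even when a class was not deleted; assign `ok1 = s3dl_query_delete(dbt, q, accessGroups, &localError);` and hand `localError` to `*error` instead of dropping it. `require(q, fail2)` jumps to `query_destroy(q, error)` with `q == NULL`; replacing it with `if (!q) { ok1 = false; break; }` avoids relying on query_destroy tolerating NULL. The message `"illegal access group: %@"` formats the whole `accessGroups` array rather than the offending `agrp`, and `"accessGroups e empty"` has a typo. The function has no documentation although it is a new exported bulk-delete entry point; a header comment stating that accessGroups must be a non-empty array of strings and that the listed reserved groups are refused would be worth adding.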
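Review bot: The platform condition choosing `kSecSharedPassword` over `CFSTR("spwd")` is now spelled out in three places, here in _SecAddSharedWebCredential and twice more in the _SecCopySharedWebCredential hunks on the next line, and the watch/tv exclusions have to be kept identical by hand. Defining one file-level key under that condition and using it at all three sites would remove the repetition and the risk of the conditions drifting apart. The function body begins outside the hunk.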
@@ -1561,7 +1991,7 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, if (_SecItemCopyMatching(query, &swcclient, result, error)) { // found it, so this becomes either an "update password" or "delete password" operation if(result) CFReleaseNull(*result); - CFReleaseNull(*error); + if(error) CFReleaseNull(*error); bool update = (password != NULL); if (update) { attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); @@ -1588,12 +2018,12 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, } } if (ok) { - CFReleaseNull(*error); + if (error) CFReleaseNull(*error); } goto cleanup; } - if(result) CFReleaseNull(*result); - CFReleaseNull(*error); + if (result) CFReleaseNull(*result); + if (error) CFReleaseNull(*error); // password does not exist, so prepare to add it if (!password) { @@ -1855,7 +2285,7 @@ _SecCopySharedWebCredential(CFDictionaryRef query, if (data) { CFStringRef password = CFStringCreateFromExternalRepresentation(kCFAllocatorDefault, data, kCFStringEncodingUTF8); if (password) { - #if TARGET_OS_IPHONE && !TARGET_OS_WATCH + #if TARGET_OS_IPHONE && !TARGET_OS_WATCH && !TARGET_OS_TV CFDictionaryAddValue(newdict, kSecSharedPassword, password); #else CFDictionaryAddValue(newdict, CFSTR("spwd"), password); @@ -1882,7 +2312,7 @@ _SecCopySharedWebCredential(CFDictionaryRef query, for (idx = 0; idx < count; idx++) { CFDictionaryRef dict = (CFDictionaryRef) CFArrayGetValueAtIndex(credentials, idx); CFMutableDictionaryRef newdict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, dict); - #if TARGET_OS_IPHONE && !TARGET_OS_WATCH + #if TARGET_OS_IPHONE && !TARGET_OS_WATCH && !TARGET_OS_TV CFDictionaryRemoveValue(newdict, kSecSharedPassword); #else CFDictionaryRemoveValue(newdict, CFSTR("spwd")); 
@@ -1961,6 +2391,7 @@ _SecCopySharedWebCredential(CFDictionaryRef query, cleanup: if (!ok) { CFArrayRemoveAllValues(credentials); + CFReleaseNull(credentials); } CFReleaseSafe(foundItems); *result = credentials; @@ -2015,6 +2446,26 @@ _SecServerKeychainRestore(CFDataRef backup, SecurityClient *client, CFDataRef ke return ok; } +CFStringRef +_SecServerBackupCopyUUID(CFDataRef data, CFErrorRef *error) +{ + CFStringRef uuid = NULL; + CFDictionaryRef backup; + + backup = CFPropertyListCreateWithData(kCFAllocatorDefault, data, + kCFPropertyListImmutable, NULL, + error); + if (isDictionary(backup)) { + uuid = SecServerBackupGetKeybagUUID(backup); + if (uuid) + CFRetain(uuid); + } + CFReleaseNull(backup); + + return uuid; +} + + // MARK: - // MARK: SecItemDataSource @@ -2077,7 +2528,7 @@ _SecServerCopyTruthInTheCloud(CFDataRef keybag, CFDataRef password, }); CFMutableArrayRef changes = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - SOSDataSourceForEachObject(ds, madd, error, ^void(CFDataRef digest, SOSObjectRef object, bool *stop) { + SOSDataSourceForEachObject(ds, NULL, madd, error, ^void(CFDataRef digest, SOSObjectRef object, bool *stop) { CFErrorRef localError = NULL; CFDataRef digest_data = NULL; CFTypeRef value = NULL; diff --git a/OSX/sec/securityd/SecItemServer.h b/OSX/sec/securityd/SecItemServer.h index 5ec10c7a..5c394d8d 100644 --- a/OSX/sec/securityd/SecItemServer.h +++ b/OSX/sec/securityd/SecItemServer.h 
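Review bot: With `CFReleaseNull(credentials)` added, the preceding `CFArrayRemoveAllValues(credentials)` is redundant, and `*result = credentials;` now hands callers NULL instead of an empty array on failure; if that is the intended contract for _SecCopySharedWebCredential it should be stated in the change description, since callers that previously received an empty array will now dereference NULL. The function body begins outside the hunk.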
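Review bot: `_SecServerBackupCopyUUID` returns NULL without touching `*error` when the property list parses but is not a dictionary or carries no keybag UUID, so a caller cannot tell a malformed backup blob from a parse failure, which is the case where an error object is most useful. Set one on that path, e.g. `if (!isDictionary(backup)) SecError(errSecDecode, error, CFSTR("backup is not a dictionary"));`. A short header comment noting that the returned string is retained (Copy rule) and that `data` is parsed as an immutable plist would complete the new function.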
@@ -45,10 +45,15 @@ bool _SecItemCopyMatching(CFDictionaryRef query, SecurityClient *client, CFTypeR bool _SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef *error); bool _SecItemDelete(CFDictionaryRef query, SecurityClient *client, CFErrorRef *error); bool _SecItemDeleteAll(CFErrorRef *error); +bool _SecItemServerDeleteAllWithAccessGroups(CFArrayRef accessGroups, SecurityClient *client, CFErrorRef *error); + bool _SecServerRestoreKeychain(CFErrorRef *error); bool _SecServerMigrateKeychain(int32_t handle_in, CFDataRef data_in, int32_t *handle_out, CFDataRef *data_out, CFErrorRef *error); CFDataRef _SecServerKeychainCreateBackup(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error); bool _SecServerKeychainRestore(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error); +CFStringRef _SecServerBackupCopyUUID(CFDataRef backup, CFErrorRef *error); + +bool _SecItemUpdateTokenItems(CFStringRef tokenID, CFArrayRef items, SecurityClient *client, CFErrorRef *error); CF_RETURNS_RETAINED CFArrayRef _SecServerKeychainSyncUpdateMessage(CFDictionaryRef updates, CFErrorRef *error); bool _SecServerKeychainSyncUpdateIDSMessage(CFDictionaryRef updates, CFErrorRef *error); @@ -72,6 +77,9 @@ void SecItemServerAppendItemDescription(CFMutableStringRef desc, CFDictionaryRef SecDbRef SecKeychainDbCreate(CFStringRef path); +void +_SecServerDatabaseSetup(void); + /* For whitebox testing only */ void SecKeychainDbReset(dispatch_block_t inbetween); diff --git a/OSX/sec/securityd/SecOCSPCache.c b/OSX/sec/securityd/SecOCSPCache.c index b70dcd1a..cf367047 100644 --- a/OSX/sec/securityd/SecOCSPCache.c +++ b/OSX/sec/securityd/SecOCSPCache.c 
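Review bot: `_SecServerBackupCopyUUID` follows the Copy naming rule and its definition retains the string before returning, but unlike the neighbouring `_SecServerKeychainSyncUpdateMessage` the prototype carries no `CF_RETURNS_RETAINED`; declare it as `CF_RETURNS_RETAINED CFStringRef _SecServerBackupCopyUUID(CFDataRef backup, CFErrorRef *error);` so the analyzer tracks ownership. The two other new prototypes are undocumented: a one-line comment on `_SecItemServerDeleteAllWithAccessGroups` saying accessGroups must be a non-empty array of strings and that reserved groups are refused, and one on `_SecItemUpdateTokenItems` saying that a NULL items array deletes every item for tokenID, would spare readers a trip to the implementation.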
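Review bot: `_SecServerDatabaseSetup` is declared with its return type on a separate line, unlike every other prototype in this header; write it as `void _SecServerDatabaseSetup(void);` and give it a comment, e.g. `/* Idempotent: installs the sqlite3 log hook once; kc_dbhandle() calls it, exported so tests can set up sqlite without opening the keychain DB. */`, with the last clause confirmed against the actual callers since the header does not show them.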
@@ -134,6 +134,9 @@ errOut: static CFStringRef SecOCSPCacheCopyPath(void) { CFStringRef ocspRelPath = kSecOCSPCacheFileName; CFURLRef ocspURL = SecCopyURLForFileInKeychainDirectory(ocspRelPath); + if (!ocspURL) { + ocspURL = SecCopyURLForFileInUserCacheDirectory(ocspRelPath); + } CFStringRef ocspPath = NULL; if (ocspURL) { ocspPath = CFURLCopyFileSystemPath(ocspURL, kCFURLPOSIXPathStyle); diff --git a/OSX/sec/securityd/SecOCSPResponse.c b/OSX/sec/securityd/SecOCSPResponse.c index 138f4836..3fcc3698 100644 --- a/OSX/sec/securityd/SecOCSPResponse.c +++ b/OSX/sec/securityd/SecOCSPResponse.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008-2009,2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2008-2009,2012-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -122,6 +122,7 @@ static CFAbsoluteTime genTimeToCFAbsTime(const SecAsn1Item *datetime) } void SecOCSPSingleResponseDestroy(SecOCSPSingleResponseRef this) { + CFReleaseSafe(this->scts); free(this); } @@ -458,7 +459,22 @@ CFAbsoluteTime SecOCSPResponseProducedAt(SecOCSPResponseRef this) { } CFArrayRef SecOCSPResponseCopySigners(SecOCSPResponseRef this) { - return NULL; + CFMutableArrayRef result = NULL; + result = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + if (!result) { + return NULL; + } + SecAsn1Item **certs; + for (certs = this->basicResponse.certs; certs && *certs; ++certs) { + SecCertificateRef cert = NULL; + cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, (*certs)->Data, (*certs)->Length); + if (cert) { + CFArrayAppendValue(result, cert); + CFReleaseNull(cert); + } + } + + return result; } void SecOCSPResponseFinalize(SecOCSPResponseRef this) { 
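Review bot: The new fallback to `SecCopyURLForFileInUserCacheDirectory` silently moves the OCSP cache to a different location when the keychain directory URL cannot be obtained; since this cache feeds revocation decisions, the switch should at least be logged, e.g. `secnotice("ocsp", "keychain directory unavailable, using user cache directory for OCSP cache");`, and a comment should say under which conditions the keychain directory is expected to be missing. Whether the user cache location has the same protection as the keychain directory cannot be told from the hunk, so that is worth confirming in the description.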
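Review bot: `SecOCSPResponseCopySigners` silently skips any embedded certificate that fails to parse, whereas `SecOCSPResponseCopySigner` logs `ocspdErrorLog("ocsp response cert failed to parse")` for the same condition; add the same log in the `if (cert)` else path so a malformed responder cert is visible in both code paths. The function also lacks a comment stating that it returns every embedded cert, parsed but unverified, and that the caller owns the array.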
@@ -542,7 +558,7 @@ SecOCSPSingleResponseRef SecOCSPResponseCopySingleResponse( } if (!issuerNameHash || !issuerPubKeyHash) { - /* This can happen when the hash algorithm is not supported, shoudl be really rare */ + /* This can happen when the hash algorithm is not supported, should be really rare */ /* See also: <rdar://problem/21908655> CrashTracer: securityd at securityd: SecOCSPResponseCopySingleResponse */ ocspdErrorLog("Unknown hash algorithm in singleResponse"); algorithm = NULL; @@ -590,12 +606,11 @@ static bool SecOCSPResponseVerifySignature(SecOCSPResponseRef this, } static bool SecOCSPResponseIsIssuer(SecOCSPResponseRef this, - SecCertificatePathRef issuer) { + SecCertificateRef issuer) { bool shouldBeSigner = false; - SecCertificateRef signer = SecCertificatePathGetCertificateAtIndex(issuer, 0); if (this->responderIdTag == RIT_Name) { /* Name inside response must == signer's SubjectName. */ - CFDataRef subject = SecCertificateCopySubjectSequence(signer); + CFDataRef subject = SecCertificateCopySubjectSequence(issuer); if (!subject) { ocspdDebug("error on SecCertificateCopySubjectSequence"); return false; @@ -611,7 +626,7 @@ static bool SecOCSPResponseIsIssuer(SecOCSPResponseRef this, CFRelease(subject); } else /* if (this->responderIdTag == RIT_Key) */ { /* ResponderID.byKey must == SHA1(signer's public key) */ - CFDataRef pubKeyDigest = SecCertificateCopyPublicKeySHA1Digest(signer); + CFDataRef pubKeyDigest = SecCertificateCopyPublicKeySHA1Digest(issuer); if ((size_t)CFDataGetLength(pubKeyDigest) == this->responderID.byKey.Length && !memcmp(this->responderID.byKey.Data, CFDataGetBytePtr(pubKeyDigest), this->responderID.byKey.Length)) { 
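Review bot: In the `RIT_Key` branch the changed line `CFDataRef pubKeyDigest = SecCertificateCopyPublicKeySHA1Digest(issuer);` is followed directly by `CFDataGetLength(pubKeyDigest)` with no NULL check; if that call can fail for an unsupported key type, this dereferences NULL, so guard it with `if (!pubKeyDigest) return false;`. The defect predates this commit, but since the line is being rewritten for the new `SecCertificateRef` parameter it is a cheap fix to include here. The enclosing function continues outside the hunk.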
@@ -624,7 +639,11 @@ static bool SecOCSPResponseIsIssuer(SecOCSPResponseRef this, } if (shouldBeSigner) { - SecKeyRef key = SecCertificatePathCopyPublicKeyAtIndex(issuer, 0); +#if TARGET_OS_IPHONE + SecKeyRef key = SecCertificateCopyPublicKey(issuer); +#else + SecKeyRef key = SecCertificateCopyPublicKey_ios(issuer); +#endif if (key) { shouldBeSigner = SecOCSPResponseVerifySignature(this, key); ocspdDebug("ocsp response signature %sok", shouldBeSigner ? "" : "not "); 
@@ -638,42 +657,30 @@ static bool SecOCSPResponseIsIssuer(SecOCSPResponseRef this, return shouldBeSigner; } -/* Returns the SecCertificatePathRef whose leaf signed this ocspResponse if - we can find one and NULL if we can't find a valid signer. */ -SecCertificatePathRef SecOCSPResponseCopySigner(SecOCSPResponseRef this, - SecCertificatePathRef issuer) { - SecCertificateRef issuerCert = SecCertificatePathGetCertificateAtIndex(issuer, 0); - CFDataRef issuerSubject = SecCertificateGetNormalizedSubjectContent(issuerCert); - /* Look though any certs that came with the response and see if they were - both issued by the issuerPath and signed the response. */ +/* Returns the SecCertificateRef of the cert that signed this ocspResponse if + we can find one and NULL if we can't find a valid signer. */ +SecCertificateRef SecOCSPResponseCopySigner(SecOCSPResponseRef this, SecCertificateRef issuer) { + /* Look though any certs that came with the response to find + * which one signed the response. */ SecAsn1Item **certs; for (certs = this->basicResponse.certs; certs && *certs; ++certs) { SecCertificateRef cert = SecCertificateCreateWithBytes( - kCFAllocatorDefault, (*certs)->Data, (*certs)->Length); + kCFAllocatorDefault, (*certs)->Data, (*certs)->Length); if (cert) { - CFDataRef certIssuer = SecCertificateGetNormalizedIssuerContent(cert); - if (certIssuer && CFEqual(issuerSubject, certIssuer)) { - SecCertificatePathRef signer = SecCertificatePathCopyAddingLeaf(issuer, cert); - CFRelease(cert); - if (signer) { - if (SecOCSPResponseIsIssuer(this, signer)) { - return signer; - } else { - ocspdErrorLog("ocsp response cert not signed by issuer."); - CFRelease(signer); - } - } + if (SecOCSPResponseIsIssuer(this, cert)) { + return cert; } else { - ocspdErrorLog("ocsp response cert issuer doesn't match issuer subject."); + CFRelease(cert); } } else { - ocspdErrorLog("ocsp response cert failed to parse"); + ocspdErrorLog("ocsp response cert failed to parse"); } - } + } + ocspdDebug("ocsp 
response did not contain a signer cert."); /* If none of the returned certs work, try the issuer of the certificate being checked directly. */ - if (SecOCSPResponseIsIssuer(this, issuer)) { + if (issuer && SecOCSPResponseIsIssuer(this, issuer)) { CFRetain(issuer); return issuer; } diff --git a/OSX/sec/securityd/SecOCSPResponse.h b/OSX/sec/securityd/SecOCSPResponse.h index 2af57168..73444a49 100644 --- a/OSX/sec/securityd/SecOCSPResponse.h +++ b/OSX/sec/securityd/SecOCSPResponse.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009,2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2009,2012-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -159,8 +159,8 @@ void SecOCSPSingleResponseDestroy(SecOCSPSingleResponseRef this); we can find one and NULL if we can't find a valid signer. The issuerPath contains the cert chain from the anchor to the certificate that issued the leaf certificate for which this ocspResponse is supposed to be valid. */ -SecCertificatePathRef SecOCSPResponseCopySigner(SecOCSPResponseRef this, - SecCertificatePathRef issuerPath); +SecCertificateRef SecOCSPResponseCopySigner(SecOCSPResponseRef this, + SecCertificateRef issuerPath); __END_DECLS diff --git a/OSX/sec/securityd/SecPolicyServer.c b/OSX/sec/securityd/SecPolicyServer.c index 9bad034c..2835e685 100644 --- a/OSX/sec/securityd/SecPolicyServer.c +++ b/OSX/sec/securityd/SecPolicyServer.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2008-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -28,6 +28,7 @@ #include <securityd/SecPolicyServer.h> #include <Security/SecPolicyInternal.h> #include <Security/SecPolicyPriv.h> +#include <Security/SecTask.h> #include <utilities/SecIOFormat.h> #include <securityd/asynchttp.h> #include <securityd/policytree.h> 
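Review bot: `SecOCSPResponseCopySigner` no longer checks that an embedded responder certificate was issued by `issuer` (the removed issuerSubject/certIssuer comparison and the `SecCertificatePathCopyAddingLeaf` chain); it now returns the first embedded cert whose key verifies the response signature, which on its own says nothing about that cert's authority to answer for the issuer. If that authorization check (responder issued by the CA and marked for OCSP signing, RFC 6960 §4.2.2.2) has moved to the caller, the function comment should say so, e.g. `/* The returned cert is only verified to have signed this response; the caller must verify it is the issuer or a delegated responder issued by the issuer. */`; if it has not, this is a regression in revocation checking. The old `ocspdErrorLog("ocsp response cert not signed by issuer.")` is gone as well, so a signature mismatch on an embedded cert is now silent until the final ocspdDebug.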
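Review bot: The header comment above the prototype still describes `issuerPath` as the chain from the anchor to the issuing CA, while the parameter is now a single `SecCertificateRef`; rename it to `issuer` to match the .c definition and reword the sentence, e.g. `The issuer is the certificate that issued the leaf for which this ocspResponse is supposed to be valid.` The comment's first lines are outside the hunk.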
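Review bot: `#include <Security/SecTask.h>` is added here and again in the `@@ -47,8 +49,10 @@` hunk on the next line, so the header is included twice in SecPolicyServer.c; keep one. Include guards make it harmless, but duplicate includes are usually a merge leftover and are worth removing before they accumulate.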
@@ -39,6 +40,7 @@ #include <Security/SecCertificateInternal.h> #include <AssertMacros.h> #include <utilities/debugging.h> +#include <utilities/SecInternalReleasePriv.h> #include <security_asn1/SecAsn1Coder.h> #include <security_asn1/ocspTemplates.h> #include <security_asn1/oidsalg.h> @@ -47,8 +49,10 @@ #include <Security/SecFramework.h> #include <Security/SecPolicyInternal.h> #include <Security/SecTrustPriv.h> +#include <Security/SecTrustSettings.h> #include <Security/SecInternal.h> #include <Security/SecKeyPriv.h> +#include <Security/SecTask.h> #include <CFNetwork/CFHTTPMessage.h> #include <CFNetwork/CFHTTPStream.h> #include <SystemConfiguration/SCDynamicStoreCopySpecific.h> @@ -62,8 +66,12 @@ #include <utilities/SecCFWrappers.h> #include <utilities/SecAppleAnchorPriv.h> #include "OTATrustUtilities.h" +#include "personalization.h" +#include <sys/codesign.h> -#define ocspdErrorLog(args...) asl_log(NULL, NULL, ASL_LEVEL_ERR, ## args) +#if !TARGET_OS_IPHONE +#include <Security/SecTaskPriv.h> +#endif /* Set this to 1 to dump the ocsp responses received in DER form in /tmp. */ #ifndef DUMP_OCSPRESPONSES @@ -115,7 +123,7 @@ static CFArrayRef SecPolicyAnchorDigestsForEVPolicy(const DERItem *policyOID) result = (CFArrayRef)CFDictionaryGetValue(evToPolicyAnchorDigest, oid); if (roots && CFGetTypeID(result) != CFArrayGetTypeID()) { - ocspdErrorLog("EVRoot.plist has non array value"); + secerror("EVRoot.plist has non array value"); result = NULL; } CFRelease(oid); @@ -131,6 +139,9 @@ static bool SecPolicyIsEVPolicy(const DERItem *policyOID) { static bool SecPolicyRootCACertificateIsEV(SecCertificateRef certificate, policy_set_t valid_policies) { + CFDictionaryRef keySizes = NULL; + CFNumberRef rsaSize = NULL, ecSize = NULL; + bool isEV = false; /* Ensure that this certificate is a valid anchor for one of the certificate policy oids specified in the leaf. */ CFDataRef digest = SecCertificateGetSHA1Digest(certificate); 
@@ -145,59 +156,108 @@ static bool SecPolicyRootCACertificateIsEV(SecCertificateRef certificate, break; } } - require_quiet(good_ev_anchor, notEV); + require_action_quiet(good_ev_anchor, notEV, secnotice("ev", "anchor not in plist")); CFAbsoluteTime october2006 = 178761600; + if (SecCertificateNotValidBefore(certificate) >= october2006) { + require_action_quiet(SecCertificateVersion(certificate) >= 3, notEV, + secnotice("ev", "Anchor issued after October 2006 and is not v3")); + } if (SecCertificateVersion(certificate) >= 3 && SecCertificateNotValidBefore(certificate) >= october2006) { const SecCEBasicConstraints *bc = SecCertificateGetBasicConstraints(certificate); - require_quiet(bc && bc->isCA == true, notEV); + require_action_quiet(bc && bc->isCA == true, notEV, + secnotice("ev", "Anchor has invalid basic constraints")); SecKeyUsage ku = SecCertificateGetKeyUsage(certificate); - require_quiet((ku & (kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign)) - == (kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign), notEV); + require_action_quiet((ku & (kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign)) + == (kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign), notEV, + secnotice("ev", "Anchor has invalid key usage %u", ku)); } - CFAbsoluteTime jan2011 = 315532800; - if (SecCertificateNotValidBefore(certificate) < jan2011) { - /* At least MD5, SHA-1 with RSA 2048 or ECC NIST P-256. */ - } else { - /* At least SHA-1, SHA-256, SHA-384 or SHA-512 with RSA 2048 or - ECC NIST P-256. */ - } + /* At least RSA 2048 or ECC NIST P-256. 
*/ + require_quiet(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), notEV); + require_quiet(ecSize = CFNumberCreateWithCFIndex(NULL, 256), notEV); + const void *keys[] = { kSecAttrKeyTypeRSA, kSecAttrKeyTypeEC }; + const void *values[] = { rsaSize, ecSize }; + require_quiet(keySizes = CFDictionaryCreate(NULL, keys, values, 2, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), notEV); + require_action_quiet(SecCertificateIsAtLeastMinKeySize(certificate, keySizes), notEV, + secnotice("ev", "Anchor's public key is too weak for EV")); + + isEV = true; - return true; notEV: - return false; + CFReleaseNull(rsaSize); + CFReleaseNull(ecSize); + CFReleaseNull(keySizes); + return isEV; } static bool SecPolicySubordinateCACertificateCouldBeEV(SecCertificateRef certificate) { + CFMutableDictionaryRef keySizes = NULL; + CFNumberRef rsaSize = NULL, ecSize = NULL; + bool isEV = false; + const SecCECertificatePolicies *cp; cp = SecCertificateGetCertificatePolicies(certificate); - require_quiet(cp && cp->numPolicies > 0, notEV); - /* SecCertificateGetCRLDistributionPoints() is a noop right now */ -#if 0 + require_action_quiet(cp && cp->numPolicies > 0, notEV, + secnotice("ev", "SubCA missing certificate policies")); CFArrayRef cdp = SecCertificateGetCRLDistributionPoints(certificate); - require_quiet(cdp && CFArrayGetCount(cdp) > 0, notEV); -#endif + require_action_quiet(cdp && CFArrayGetCount(cdp) > 0, notEV, + secnotice("ev", "SubCA missing CRLDP")); const SecCEBasicConstraints *bc = SecCertificateGetBasicConstraints(certificate); - require_quiet(bc && bc->isCA == true, notEV); + require_action_quiet(bc && bc->isCA == true, notEV, + secnotice("ev", "SubCA has invalid basic constraints")); SecKeyUsage ku = SecCertificateGetKeyUsage(certificate); - require_quiet((ku & (kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign)) - == (kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign), notEV); + require_action_quiet((ku & (kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign)) + == 
(kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign), notEV, + secnotice("ev", "SubCA has invalid key usage %u", ku)); + + /* 6.1.5 Key Sizes */ CFAbsoluteTime jan2011 = 315532800; - if (SecCertificateNotValidBefore(certificate) < jan2011) { - /* At least SHA-1 with RSA 1024 or ECC NIST P-256. */ + CFAbsoluteTime jan2014 = 410227200; + require_quiet(ecSize = CFNumberCreateWithCFIndex(NULL, 256), notEV); + require_quiet(keySizes = CFDictionaryCreateMutable(NULL, 2, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), notEV); + CFDictionaryAddValue(keySizes, kSecAttrKeyTypeEC, ecSize); + if (SecCertificateNotValidBefore(certificate) < jan2011 || + SecCertificateNotValidAfter(certificate) < jan2014) { + /* At least RSA 1024 or ECC NIST P-256. */ + require_quiet(rsaSize = CFNumberCreateWithCFIndex(NULL, 1024), notEV); + CFDictionaryAddValue(keySizes, kSecAttrKeyTypeRSA, rsaSize); + require_action_quiet(SecCertificateIsAtLeastMinKeySize(certificate, keySizes), notEV, + secnotice("ev", "SubCA's public key is too small for issuance before 2011 or expiration before 2014")); } else { - /* At least SHA-1, SHA-256, SHA-284 or SHA-512 with RSA 2028 or - ECC NIST P-256. */ + /* At least RSA 2028 or ECC NIST P-256. 
*/ + require_quiet(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), notEV); + CFDictionaryAddValue(keySizes, kSecAttrKeyTypeRSA, rsaSize); + require_action_quiet(SecCertificateIsAtLeastMinKeySize(certificate, keySizes), notEV, + secnotice("ev", "SubCA's public key is too small for issuance after 2010 or expiration after 2013")); } - return true; + /* 7.1.3 Algorithm Object Identifiers */ + CFAbsoluteTime jan2016 = 473299200; + if (SecCertificateNotValidBefore(certificate) > jan2016) { + /* SHA-2 only */ + require_action_quiet(SecCertificateGetSignatureHashAlgorithm(certificate) > kSecSignatureHashAlgorithmSHA1, + notEV, secnotice("ev", "SubCA was issued with SHA-1 after 2015")); + } + + isEV = true; + notEV: - return false; + CFReleaseNull(rsaSize); + CFReleaseNull(ecSize); + CFReleaseNull(keySizes); + return isEV; } bool SecPolicySubscriberCertificateCouldBeEV(SecCertificateRef certificate) { + CFMutableDictionaryRef keySizes = NULL; + CFNumberRef rsaSize = NULL, ecSize = NULL; + bool isEV = false; + /* 3. Subscriber Certificate. */ /* (a) certificate Policies */ 
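Review bot: The new comment `/* At least RSA 2028 or ECC NIST P-256. */` in SecPolicySubordinateCACertificateCouldBeEV contradicts the `CFNumberCreateWithCFIndex(NULL, 2048)` on the next line; it should read `RSA 2048`, and the same typo is repeated in the leaf check added by the @@ -252 hunk. In SecPolicyRootCACertificateIsEV, the newly added `require_action_quiet(SecCertificateVersion(certificate) >= 3, notEV, ...)` inside the `>= october2006` branch makes the version test in the following `if (SecCertificateVersion(certificate) >= 3 && SecCertificateNotValidBefore(certificate) >= october2006)` always true when the date test holds, so the two blocks can be merged under a single date condition. This hunk ends inside SecPolicySubscriberCertificateCouldBeEV, whose body continues in the following hunks.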
@@ -215,31 +275,24 @@ bool SecPolicySubscriberCertificateCouldBeEV(SecCertificateRef certificate) { } require_quiet(found_ev_anchor_for_leaf_policy, notEV); - /* SecCertificateGetCRLDistributionPoints() is a noop right now */ -#if 0 /* (b) cRLDistributionPoint - (c) authorityInformationAccess */ - CFArrayRef cdp = SecCertificateGetCRLDistributionPoints(certificate); - if (cdp) { - require_quiet(CFArrayGetCount(cdp) > 0, notEV); - } else { - CFArrayRef or = SecCertificateGetOCSPResponders(certificate); - require_quiet(or && CFArrayGetCount(or) > 0, notEV); - //CFArrayRef ci = SecCertificateGetCAIssuers(certificate); - } -#endif + (c) authorityInformationAccess + BRv1.3.4: MUST be present with OCSP Responder unless stapled response. + */ /* (d) basicConstraints If present, the cA field MUST be set false. */ const SecCEBasicConstraints *bc = SecCertificateGetBasicConstraints(certificate); if (bc) { - require_quiet(bc->isCA == false, notEV); + require_action_quiet(bc->isCA == false, notEV, + secnotice("ev", "Leaf has invalid basic constraints")); } /* (e) keyUsage. */ SecKeyUsage ku = SecCertificateGetKeyUsage(certificate); if (ku) { - require_quiet((ku & (kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign)) == 0, notEV); + require_action_quiet((ku & (kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign)) == 0, notEV, + secnotice("ev", "Leaf has invalid key usage %u", ku)); } #if 0 
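Review bot: The rewritten comment `(c) authorityInformationAccess BRv1.3.4: MUST be present with OCSP Responder unless stapled response.` reads as an enforced requirement, but nothing in SecPolicySubscriberCertificateCouldBeEV checks the leaf's cRLDistributionPoint or AIA — the only implementation was the `#if 0` block this hunk removes. State that explicitly so the next reader does not assume the check exists, e.g. `(b) cRLDistributionPoint / (c) authorityInformationAccess: BRv1.3.4 requires an OCSP responder unless a response is stapled; not enforced here.` The function starts and ends outside this hunk.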
@@ -252,17 +305,60 @@ Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or bot SecCertificateCopyExtendedKeyUsage(certificate); #endif - CFAbsoluteTime jan2011 = 315532800; - if (SecCertificateNotValidAfter(certificate) < jan2011) { - /* At least SHA-1 with RSA 1024 or ECC NIST P-256. */ + /* 6.1.5 Key Sizes */ + CFAbsoluteTime jan2014 = 410227200; + require_quiet(ecSize = CFNumberCreateWithCFIndex(NULL, 256), notEV); + require_quiet(keySizes = CFDictionaryCreateMutable(NULL, 2, &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), notEV); + CFDictionaryAddValue(keySizes, kSecAttrKeyTypeEC, ecSize); + if (SecCertificateNotValidBefore(certificate) < jan2014) { + /* At least RSA 1024 or ECC NIST P-256. */ + require_quiet(rsaSize = CFNumberCreateWithCFIndex(NULL, 1024), notEV); + CFDictionaryAddValue(keySizes, kSecAttrKeyTypeRSA, rsaSize); + require_action_quiet(SecCertificateIsAtLeastMinKeySize(certificate, keySizes), notEV, + secnotice("ev", "Leaf's public key is too small for issuance before 2014")); } else { - /* At least SHA-1, SHA-256, SHA-284 or SHA-512 with RSA 2028 or - ECC NIST P-256. */ + /* At least RSA 2028 or ECC NIST P-256. */ + require_quiet(rsaSize = CFNumberCreateWithCFIndex(NULL, 2048), notEV); + CFDictionaryAddValue(keySizes, kSecAttrKeyTypeRSA, rsaSize); + require_action_quiet(SecCertificateIsAtLeastMinKeySize(certificate, keySizes), notEV, + secnotice("ev", "Leaf's public key is too small for issuance after 2013")); } - return true; + /* 6.3.2 Validity Periods */ + CFAbsoluteTime jul2016 = 489024000; + CFAbsoluteTime notAfter = SecCertificateNotValidAfter(certificate); + CFAbsoluteTime notBefore = SecCertificateNotValidBefore(certificate); + if (SecCertificateNotValidBefore(certificate) < jul2016) { + /* Validity Period no greater than 60 months. + 60 months is no more than 5 years and 2 leap days. 
*/ + CFAbsoluteTime maxPeriod = 60*60*24*(365*5+2); + require_action_quiet(notAfter - notBefore <= maxPeriod, notEV, + secnotice("ev", "Leaf's validity period is more than 60 months")); + } else { + /* Validity Period no greater than 39 months. + 39 months is no more than 3 years, 2 31-day months, + 1 30-day month, and 1 leap day */ + CFAbsoluteTime maxPeriod = 60*60*24*(365*3+2*31+30+1); + require_action_quiet(notAfter - notBefore <= maxPeriod, notEV, + secnotice("ev", "Leaf has validity period longer than 39 months and issued after 30 June 2016")); + } + + /* 7.1.3 Algorithm Object Identifiers */ + CFAbsoluteTime jan2016 = 473299200; + if (SecCertificateNotValidBefore(certificate) > jan2016) { + /* SHA-2 only */ + require_action_quiet(SecCertificateGetSignatureHashAlgorithm(certificate) > kSecSignatureHashAlgorithmSHA1, + notEV, secnotice("ev", "Leaf was issued with SHA-1 after 2015")); + } + + isEV = true; + notEV: - return false; + CFReleaseNull(rsaSize); + CFReleaseNull(ecSize); + CFReleaseNull(keySizes); + return isEV; } /******************************************************** 
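Review bot: `if (SecCertificateNotValidBefore(certificate) < jul2016)` re-reads a value that the line above already stored in `notBefore`; `if (notBefore < jul2016)` is clearer and keeps the branch and the period arithmetic on the same number. The SHA-1 ban, `SecCertificateGetSignatureHashAlgorithm(certificate) > kSecSignatureHashAlgorithmSHA1`, presumably relies on every enumerator above SHA1 being a SHA-2 family digest; if the enum also has an unknown/unsupported value ordered above SHA1, an unrecognised signature algorithm would pass as EV, so either compare against the explicit SHA-2 values or add a comment stating the ordering assumption. The same comparison is used for subordinate CAs in the previous hunk.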
@@ -298,78 +394,25 @@ static void SecPolicyCheckIdLinkage(SecPVCRef pvc, } } -static bool keyusage_allows(SecKeyUsage keyUsage, CFTypeRef xku) { - if (!xku || CFGetTypeID(xku) != CFNumberGetTypeID()) - return false; - - SInt32 dku; - CFNumberGetValue((CFNumberRef)xku, kCFNumberSInt32Type, &dku); - SecKeyUsage ku = (SecKeyUsage)dku; - return (keyUsage & ku) == ku; -} - static void SecPolicyCheckKeyUsage(SecPVCRef pvc, CFStringRef key) { SecCertificateRef leaf = SecPVCGetCertificateAtIndex(pvc, 0); - SecKeyUsage keyUsage = SecCertificateGetKeyUsage(leaf); - bool match = false; SecPolicyRef policy = SecPVCGetPolicy(pvc); CFTypeRef xku = CFDictionaryGetValue(policy->_options, key); - if (isArray(xku)) { - CFIndex ix, count = CFArrayGetCount(xku); - for (ix = 0; ix < count; ++ix) { - CFTypeRef ku = CFArrayGetValueAtIndex(xku, ix); - if (keyusage_allows(keyUsage, ku)) { - match = true; - break; - } - } - } else { - match = keyusage_allows(keyUsage, xku); - } - if (!match) { + if (!SecPolicyCheckCertKeyUsage(leaf, xku)) { SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); } } -static bool extendedkeyusage_allows(CFArrayRef extendedKeyUsage, - CFTypeRef xeku) { - if (!xeku || CFGetTypeID(xeku) != CFDataGetTypeID()) - return false; - if (extendedKeyUsage) { - CFRange all = { 0, CFArrayGetCount(extendedKeyUsage) }; - return CFArrayContainsValue(extendedKeyUsage, all, xeku); - } else { - /* Certificate has no extended key usage, only a match if the policy - contains a 0 length CFDataRef. */ - return CFDataGetLength((CFDataRef)xeku) == 0; - } -} - /* AUDIT[securityd](done): policy->_options is a caller provided dictionary, only its cf type has been checked. 
*/ static void SecPolicyCheckExtendedKeyUsage(SecPVCRef pvc, CFStringRef key) { SecCertificateRef leaf = SecPVCGetCertificateAtIndex(pvc, 0); - CFArrayRef leafExtendedKeyUsage = SecCertificateCopyExtendedKeyUsage(leaf); - bool match = false; SecPolicyRef policy = SecPVCGetPolicy(pvc); CFTypeRef xeku = CFDictionaryGetValue(policy->_options, key); - if (isArray(xeku)) { - CFIndex ix, count = CFArrayGetCount(xeku); - for (ix = 0; ix < count; ix++) { - CFTypeRef eku = CFArrayGetValueAtIndex(xeku, ix); - if (extendedkeyusage_allows(leafExtendedKeyUsage, eku)) { - match = true; - break; - } - } - } else { - match = extendedkeyusage_allows(leafExtendedKeyUsage, xeku); - } - CFReleaseSafe(leafExtendedKeyUsage); - if (!match) { + if (!SecPolicyCheckCertExtendedKeyUsage(leaf, xeku)){ SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); } } @@ -437,7 +480,7 @@ static void SecPolicyCheckBasicContraintsCommon(SecPVCRef pvc, } #endif -static void SecPolicyCheckBasicContraints(SecPVCRef pvc, +static void SecPolicyCheckBasicConstraints(SecPVCRef pvc, CFStringRef key) { //SecPolicyCheckBasicContraintsCommon(pvc, key, false); } @@ -486,7 +529,7 @@ static void SecPolicyCheckQualifiedCertStatements(SecPVCRef pvc, Returns true on match, else false. */ static bool SecDomainSuffixMatch(CFStringRef hostname, CFStringRef domain) { - CFStringInlineBuffer hbuf, dbuf; + CFStringInlineBuffer hbuf = {}, dbuf = {}; UniChar hch, dch; CFIndex hix, dix, hlength = CFStringGetLength(hostname), 
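Review bot: The removed `keyusage_allows` / `extendedkeyusage_allows` were where the policy-supplied `xku` / `xeku` values were type-checked (CFNumber and CFData, or arrays of them), which the retained AUDIT comment says is the only validation `policy->_options` gets; the replacements `SecPolicyCheckCertKeyUsage` and `SecPolicyCheckCertExtendedKeyUsage` are not in this diff, so it is worth confirming they still reject a value of the wrong type rather than dereferencing it. The old EKU path also copied and released the leaf's EKU array (`SecCertificateCopyExtendedKeyUsage` / `CFReleaseSafe`); that ownership now presumably lives inside the helper. Minor: `if (!SecPolicyCheckCertExtendedKeyUsage(leaf, xeku)){` is missing the space before the brace that the sibling check has.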
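Review bot: `CFStringInlineBuffer hbuf = {}, dbuf = {};` uses an empty brace initializer, which is a GNU/C23 extension rather than C11; `= {0}` zero-initialises the same struct portably and reads the same. The body of SecDomainSuffixMatch continues outside this hunk.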
@@ -542,121 +585,6 @@ static bool SecDomainSuffixMatch(CFStringRef hostname, CFStringRef domain) { return true; } -/* Compare hostname, to a server name obtained from the server's cert - Obtained from the SubjectAltName or the CommonName entry in the Subject. - Limited wildcard checking is performed here as outlined in - - RFC 2818 Section 3.1. Server Identity - - [...] Names may contain the wildcard - character * which is considered to match any single domain name - component or component fragment. E.g., *.a.com matches foo.a.com but - not bar.foo.a.com. f*.com matches foo.com but not bar.com. - [...] - - Trailing '.' characters in the hostname will be ignored. - - Returns true on match, else false. - - RFC6125: - */ -bool SecDNSMatch(CFStringRef hostname, CFStringRef servername) { - CFStringInlineBuffer hbuf, sbuf; - CFIndex hix, six, tix, - hlength = CFStringGetLength(hostname), - slength = CFStringGetLength(servername); - CFRange hrange = { 0, hlength }, srange = { 0, slength }; - CFStringInitInlineBuffer(hostname, &hbuf, hrange); - CFStringInitInlineBuffer(servername, &sbuf, srange); - bool prevLabel=false; - - for (hix = six = 0; six < slength; ++six) { - UniChar tch, hch, sch = CFStringGetCharacterFromInlineBuffer(&sbuf, six); - if (sch == '*') { - if (prevLabel) { - /* RFC6125: No wildcard after a Previous Label */ - /* INVALID: Means we have something like foo.*.<public_suffix> */ - return false; - } - - if (six + 1 >= slength) { - /* Trailing '*' in servername, match until end of hostname or - trailing '.'. */ - do { - if (hix >= hlength) { - /* If we reach the end of the hostname we have a - match. */ - return true; - } - hch = CFStringGetCharacterFromInlineBuffer(&hbuf, hix++); - } while (hch != '.'); - /* We reached the end of servername and found a '.' in - hostname. Return true if hostname has a single - trailing '.' return false if there is anything after it. */ - return hix == hlength; - } - - /* Grab the character after the '*'. 
*/ - sch = CFStringGetCharacterFromInlineBuffer(&sbuf, ++six); - if (sch != '.') { - /* We have something of the form '*foo.com'. Or '**.com' - We don't deal with that yet, since it might require - backtracking. Also RFC 2818 doesn't seem to require it. */ - return false; - } - - /* We're looking at the '.' after the '*' in something of the - form 'foo*.com' or '*.com'. Match until next '.' in hostname. */ - if (prevLabel==false) { /* RFC6125: Check if *.<tld> */ - tix=six+1; - do { /* Loop to end of servername */ - if (tix > slength) - return false; /* Means we have something like *.com */ - tch = CFStringGetCharacterFromInlineBuffer(&sbuf, tix++); - } while (tch != '.'); - if (tix > slength) - return false; /* In case we have *.com. */ - } - - do { - /* Since we're not at the end of servername yet (that case - was handled above), running out of chars in hostname - means we don't have a match. */ - if (hix >= hlength) - return false; - hch = CFStringGetCharacterFromInlineBuffer(&hbuf, hix++); - } while (hch != '.'); - } else { - /* We're looking at a non wildcard character in the servername. - If we reached the end of hostname, it's not a match. */ - if (hix >= hlength) - return false; - - /* Otherwise make sure the hostname matches the character in the - servername, case insensitively. */ - hch = CFStringGetCharacterFromInlineBuffer(&hbuf, hix++); - if (towlower(hch) != towlower(sch)) - return false; - if (sch == '.') - prevLabel=true; /* Set if a confirmed previous component */ - } - } - - if (hix < hlength) { - /* We reached the end of servername but we have one or more characters - left to compare against in the hostname. */ - if (hix + 1 == hlength && - CFStringGetCharacterFromInlineBuffer(&hbuf, hix) == '.') { - /* Hostname has a single trailing '.', we're ok with that. */ - return true; - } - /* Anything else is not a match. 
*/ - return false; - } - - return true; -} - #define kSecPolicySHA1Size 20 static const UInt8 kAppleCorpCASHA1[kSecPolicySHA1Size] = { 0xA1, 0x71, 0xDC, 0xDE, 0xE0, 0x8B, 0x1B, 0xAE, 0x30, 0xA1, @@ -696,6 +624,7 @@ static bool SecPolicyCheckDomain(SecPVCRef pvc, CFStringRef hostname) return true; } + /* AUDIT[securityd](done): policy->_options is a caller provided dictionary, only its cf type has been checked. @@ -714,36 +643,7 @@ static void SecPolicyCheckSSLHostname(SecPVCRef pvc, } SecCertificateRef leaf = SecPVCGetCertificateAtIndex(pvc, 0); - bool dnsMatch = false; - CFArrayRef dnsNames = SecCertificateCopyDNSNames(leaf); - if (dnsNames) { - CFIndex ix, count = CFArrayGetCount(dnsNames); - for (ix = 0; ix < count; ++ix) { - CFStringRef dns = (CFStringRef)CFArrayGetValueAtIndex(dnsNames, ix); - if (SecDNSMatch(hostName, dns)) { - dnsMatch = true; - break; - } - } - CFRelease(dnsNames); - } - - if (!dnsMatch) { - /* Maybe hostname is an IPv4 or IPv6 address, let's compare against - the values returned by SecCertificateCopyIPAddresses() instead. */ - CFArrayRef ipAddresses = SecCertificateCopyIPAddresses(leaf); - if (ipAddresses) { - CFIndex ix, count = CFArrayGetCount(ipAddresses); - for (ix = 0; ix < count; ++ix) { - CFStringRef ipAddress = (CFStringRef)CFArrayGetValueAtIndex(ipAddresses, ix); - if (!CFStringCompare(hostName, ipAddress, kCFCompareCaseInsensitive)) { - dnsMatch = true; - break; - } - } - CFRelease(ipAddresses); - } - } + bool dnsMatch = SecPolicyCheckCertSSLHostname(leaf, hostName); if (!dnsMatch) { /* Hostname mismatch or no hostnames found in certificate. */ 
@@ -758,17 +658,8 @@ static void SecPolicyCheckSSLHostname(SecPVCRef pvc, && SecPolicySubscriberCertificateCouldBeEV(leaf)) { secdebug("policy", "enabling optionally_ev"); pvc->optionally_ev = true; - /* optionally_ev => check_revocation, so we don't enable revocation - checking here, since we don't want it on for non EV ssl certs. */ -#if 0 - /* Check revocation status if the certificate asks for it (and we - support it) currently we only support ocsp. */ - CFArrayRef ocspResponders = SecCertificateGetOCSPResponders(leaf); - if (ocspResponders) { - SecPVCSetCheckRevocation(pvc); - } -#endif } + } /* AUDIT[securityd](done): @@ -778,7 +669,6 @@ static void SecPolicyCheckSSLHostname(SecPVCRef pvc, static void SecPolicyCheckEmail(SecPVCRef pvc, CFStringRef key) { SecPolicyRef policy = SecPVCGetPolicy(pvc); CFStringRef email = (CFStringRef)CFDictionaryGetValue(policy->_options, key); - bool match = false; if (!isString(email)) { /* We can't return an error here and making the evaluation fail won't help much either. */ @@ -786,20 +676,8 @@ static void SecPolicyCheckEmail(SecPVCRef pvc, CFStringRef key) { } SecCertificateRef leaf = SecPVCGetCertificateAtIndex(pvc, 0); - CFArrayRef addrs = SecCertificateCopyRFC822Names(leaf); - if (addrs) { - CFIndex ix, count = CFArrayGetCount(addrs); - for (ix = 0; ix < count; ++ix) { - CFStringRef addr = (CFStringRef)CFArrayGetValueAtIndex(addrs, ix); - if (!CFStringCompare(email, addr, kCFCompareCaseInsensitive)) { - match = true; - break; - } - } - CFRelease(addrs); - } - if (!match) { + if (!SecPolicyCheckCertEmail(leaf, email)) { /* Hostname mismatch or no hostnames found in certificate. */ SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); } 
@@ -865,13 +743,9 @@ static void SecPolicyCheckIssuerCommonName(SecPVCRef pvc, won't help much either. */ return; } - CFArrayRef commonNames = SecCertificateCopyCommonNames(cert); - if (!commonNames || CFArrayGetCount(commonNames) != 1 || - !CFEqual(commonName, CFArrayGetValueAtIndex(commonNames, 0))) { - /* Common Name mismatch. */ - SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); - } - CFReleaseSafe(commonNames); + if (!SecPolicyCheckCertSubjectCommonName(cert, commonName)) { + SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); + } } /* AUDIT[securityd](done): @@ -889,13 +763,9 @@ static void SecPolicyCheckSubjectCommonName(SecPVCRef pvc, won't help much either. */ return; } - CFArrayRef commonNames = SecCertificateCopyCommonNames(cert); - if (!commonNames || CFArrayGetCount(commonNames) != 1 || - !CFEqual(common_name, CFArrayGetValueAtIndex(commonNames, 0))) { - /* Common Name mismatch. */ + if (!SecPolicyCheckCertSubjectCommonName(cert, common_name)) { SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); - } - CFReleaseSafe(commonNames); + } } /* AUDIT[securityd](done): @@ -913,13 +783,9 @@ static void SecPolicyCheckSubjectCommonNamePrefix(SecPVCRef pvc, won't help much either. */ return; } - CFArrayRef commonNames = SecCertificateCopyCommonNames(cert); - if (!commonNames || CFArrayGetCount(commonNames) != 1 || - !CFStringHasPrefix(CFArrayGetValueAtIndex(commonNames, 0), prefix)) { - /* Common Name prefix mismatch. */ - SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); - } - CFReleaseSafe(commonNames); + if (!SecPolicyCheckCertSubjectCommonNamePrefix(cert, prefix)) { + SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); + } } /* AUDIT[securityd](done): 
@@ -937,20 +803,9 @@ static void SecPolicyCheckSubjectCommonNameTEST(SecPVCRef pvc, won't help much either. */ return; } - CFArrayRef commonNames = SecCertificateCopyCommonNames(cert); - if (!commonNames || CFArrayGetCount(commonNames) != 1) { - CFStringRef cert_common_name = CFArrayGetValueAtIndex(commonNames, 0); - CFStringRef test_common_name = common_name ? - CFStringCreateWithFormat(kCFAllocatorDefault, - NULL, CFSTR("TEST %@ TEST"), common_name) : - NULL; - if (!CFEqual(common_name, cert_common_name) && - (!test_common_name || !CFEqual(test_common_name, cert_common_name))) - /* Common Name mismatch. */ - SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); - CFReleaseSafe(test_common_name); - } - CFReleaseSafe(commonNames); + if (!SecPolicyCheckCertSubjectCommonNameTEST(cert, common_name)) { + SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); + } } /* AUDIT[securityd](done): @@ -967,9 +822,7 @@ static void SecPolicyCheckNotValidBefore(SecPVCRef pvc, won't help much either. */ return; } - CFAbsoluteTime at = CFDateGetAbsoluteTime(date); - if (SecCertificateNotValidBefore(cert) <= at) { - /* Leaf certificate has not valid before that is too old. */ + if (!SecPolicyCheckCertNotValidBefore(cert, date)) { if (!SecPVCSetResult(pvc, key, 0, kCFBooleanFalse)) return; } 
@@ -999,32 +852,51 @@ static void SecPolicyCheckChainLength(SecPVCRef pvc, } } -/* AUDIT[securityd](done): - policy->_options is a caller provided dictionary, only its cf type has - been checked. - */ -static void SecPolicyCheckAnchorSHA1(SecPVCRef pvc, - CFStringRef key) { - CFIndex count = SecPVCGetCertificateCount(pvc); - SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, count - 1); - SecPolicyRef policy = SecPVCGetPolicy(pvc); +static bool isDigestInPolicy(SecPVCRef pvc, CFStringRef key, CFDataRef digest) { + SecPolicyRef policy = SecPVCGetPolicy(pvc); CFTypeRef value = CFDictionaryGetValue(policy->_options, key); - CFDataRef anchorSHA1 = SecCertificateGetSHA1Digest(cert); bool foundMatch = false; - if (isData(value)) - foundMatch = CFEqual(anchorSHA1, value); + foundMatch = CFEqual(digest, value); else if (isArray(value)) - foundMatch = CFArrayContainsValue((CFArrayRef) value, CFRangeMake(0, CFArrayGetCount((CFArrayRef) value)), anchorSHA1); + foundMatch = CFArrayContainsValue((CFArrayRef) value, CFRangeMake(0, CFArrayGetCount((CFArrayRef) value)), digest); else { /* @@@ We only support Data and Array but we can't return an error here so. - we let the evaluation fail (not much help) and assert in debug. */ + we let the evaluation fail (not much help) and assert in debug. 
*/ assert(false); } - if (!foundMatch) - if (!SecPVCSetResult(pvc, kSecPolicyCheckAnchorSHA1, 0, kCFBooleanFalse)) + return foundMatch; +} + +static void SecPolicyCheckAnchorSHA256(SecPVCRef pvc, CFStringRef key) { + CFIndex count = SecPVCGetCertificateCount(pvc); + SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, count - 1); + CFDataRef anchorSHA256 = NULL; + anchorSHA256 = SecCertificateCopySHA256Digest(cert); + + if (!isDigestInPolicy(pvc, key, anchorSHA256)) { + SecPVCSetResult(pvc, kSecPolicyCheckAnchorSHA256, count-1, kCFBooleanFalse); + } + + CFReleaseNull(anchorSHA256); + return; +} + + +/* AUDIT[securityd](done): + policy->_options is a caller provided dictionary, only its cf type has + been checked. + */ +static void SecPolicyCheckAnchorSHA1(SecPVCRef pvc, + CFStringRef key) { + CFIndex count = SecPVCGetCertificateCount(pvc); + SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, count - 1); + CFDataRef anchorSHA1 = SecCertificateGetSHA1Digest(cert); + + if (!isDigestInPolicy(pvc, key, anchorSHA1)) + if (!SecPVCSetResult(pvc, kSecPolicyCheckAnchorSHA1, count-1, kCFBooleanFalse)) return; return; @@ -1037,11 +909,8 @@ static void SecPolicyCheckAnchorSHA1(SecPVCRef pvc, */ static void SecPolicyCheckIntermediateSPKISHA256(SecPVCRef pvc, CFStringRef key) { - SecPolicyRef policy = SecPVCGetPolicy(pvc); - CFTypeRef value = CFDictionaryGetValue(policy->_options, key); SecCertificateRef cert = NULL; CFDataRef digest = NULL; - bool foundMatch = false; if (SecPVCGetCertificateCount(pvc) < 2) { SecPVCSetResult(pvc, kSecPolicyCheckIntermediateSPKISHA256, 0, kCFBooleanFalse); 
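Review bot: `isDigestInPolicy` passes `digest` straight into `CFEqual(digest, value)` and `CFArrayContainsValue(..., digest)` with no NULL check, and the new `SecPolicyCheckAnchorSHA256` hands it the unchecked result of `SecCertificateCopySHA256Digest(cert)`, so a failed digest allocation would crash the evaluation instead of failing the check. Add `if (!digest) return false;` at the top of `isDigestInPolicy`, which fails closed the same way the `assert(false)` branch does in release builds. SecPolicyCheckIntermediateSPKISHA256 passes a Copy result to the same helper, so the guard covers both callers.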
@@ -1051,21 +920,10 @@ static void SecPolicyCheckIntermediateSPKISHA256(SecPVCRef pvc, cert = SecPVCGetCertificateAtIndex(pvc, 1); digest = SecCertificateCopySubjectPublicKeyInfoSHA256Digest(cert); - if (isData(value)) - foundMatch = CFEqual(digest, value); - else if (isArray(value)) - foundMatch = CFArrayContainsValue((CFArrayRef) value, CFRangeMake(0, CFArrayGetCount((CFArrayRef) value)), digest); - else { - /* @@@ We only support Data and Array but we can't return an error here so. - we let the evaluation fail (not much help) and assert in debug. */ - assert(false); + if (!isDigestInPolicy(pvc, key, digest)) { + SecPVCSetResult(pvc, kSecPolicyCheckIntermediateSPKISHA256, 1, kCFBooleanFalse); } - CFReleaseNull(digest); - - if (!foundMatch) { - SecPVCSetResult(pvc, kSecPolicyCheckIntermediateSPKISHA256, 0, kCFBooleanFalse); - } } /* @@ -1081,10 +939,9 @@ static void SecPolicyCheckAnchorApple(SecPVCRef pvc, SecAppleTrustAnchorFlags flags = 0; if (isDictionary(value)) { - if (CFDictionaryGetValue(value, kSecPolicyAppleAnchorIncludeTestRoots)) + if (CFDictionaryGetValue(value, kSecPolicyAppleAnchorIncludeTestRoots)) { flags |= kSecAppleTrustAnchorFlagsIncludeTestAnchors; - if (CFDictionaryGetValue(value, kSecPolicyAppleAnchorAllowTestRootsOnProduction)) - flags |= kSecAppleTrustAnchorFlagsAllowNonProduction; + } } bool foundMatch = SecIsAppleTrustAnchor(cert, flags); @@ -1112,13 +969,10 @@ static void SecPolicyCheckSubjectOrganization(SecPVCRef pvc, won't help much either. */ return; } - CFArrayRef organization = SecCertificateCopyOrganization(cert); - if (!organization || CFArrayGetCount(organization) != 1 || - !CFEqual(org, CFArrayGetValueAtIndex(organization, 0))) { + if (!SecPolicyCheckCertSubjectOrganization(cert, org)) { /* Leaf Subject Organization mismatch. */ SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); } - CFReleaseSafe(organization); } static void SecPolicyCheckSubjectOrganizationalUnit(SecPVCRef pvc, 
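Review bot: `CFReleaseNull(digest)` was removed from SecPolicyCheckIntermediateSPKISHA256 together with the inlined comparison and not re-added, but `digest` is still obtained from `SecCertificateCopySubjectPublicKeyInfoSHA256Digest(cert)`, a Copy the caller owns, so every evaluation of a policy carrying this check now leaks a CFData. Re-add `CFReleaseNull(digest);` after the `if (!isDigestInPolicy(pvc, key, digest)) { ... }` block. The function's early-return branch for short chains is in the previous hunk.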
@@ -1132,13 +986,10 @@ static void SecPolicyCheckSubjectOrganizationalUnit(SecPVCRef pvc, won't help much either. */ return; } - CFArrayRef organizationalUnit = SecCertificateCopyOrganizationalUnit(cert); - if (!organizationalUnit || CFArrayGetCount(organizationalUnit) != 1 || - !CFEqual(orgUnit, CFArrayGetValueAtIndex(organizationalUnit, 0))) { - /* Leaf Subject Organizational Unit mismatch. */ - SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); - } - CFReleaseSafe(organizationalUnit); + if (!SecPolicyCheckCertSubjectOrganizationalUnit(cert, orgUnit)) { + /* Leaf Subject Organization mismatch. */ + SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); + } } /* AUDIT[securityd](done): 
@@ -1159,43 +1010,8 @@ static void SecPolicyCheckEAPTrustedServerNames(SecPVCRef pvc, return; } - CFIndex tsnCount = CFArrayGetCount(trustedServerNames); SecCertificateRef leaf = SecPVCGetCertificateAtIndex(pvc, 0); - bool dnsMatch = false; - CFArrayRef dnsNames = SecCertificateCopyDNSNames(leaf); - if (dnsNames) { - CFIndex ix, count = CFArrayGetCount(dnsNames); - // @@@ This is O(N^2) unfortunately we can't do better easily unless - // we don't do wildcard matching. */ - for (ix = 0; !dnsMatch && ix < count; ++ix) { - CFStringRef dns = (CFStringRef)CFArrayGetValueAtIndex(dnsNames, ix); - CFIndex tix; - for (tix = 0; tix < tsnCount; ++tix) { - CFStringRef serverName = - (CFStringRef)CFArrayGetValueAtIndex(trustedServerNames, tix); - if (!isString(serverName)) { - /* @@@ We can't return an error here and making the - evaluation fail won't help much either. */ - CFReleaseSafe(dnsNames); - return; - } - /* we purposefully reverse the arguments here such that dns names - from the cert are matched against a server name list, where - the server names list can contain wildcards and the dns name - cannot. References: http://support.microsoft.com/kb/941123 - It's easy to find occurrences where people tried to use - wildcard certificates and were told that those don't work - in this context. */ - if (SecDNSMatch(dns, serverName)) { - dnsMatch = true; - break; - } - } - } - CFRelease(dnsNames); - } - - if (!dnsMatch) { + if (!SecPolicyCheckCertEAPTrustedServerNames(leaf, trustedServerNames)) { /* Hostname mismatch or no hostnames found in certificate. */ SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); } @@ -1318,7 +1134,7 @@ static void SecPolicyCheckGrayListedLeaf(SecPVCRef pvc, CFStringRef key) CFRelease(grayListedKeys); } } - } +} static void SecPolicyCheckLeafMarkerOid(SecPVCRef pvc, CFStringRef key) { 
@@ -1326,10 +1142,20 @@ static void SecPolicyCheckLeafMarkerOid(SecPVCRef pvc, CFStringRef key) SecPolicyRef policy = SecPVCGetPolicy(pvc); CFTypeRef value = CFDictionaryGetValue(policy->_options, key); - if (value && SecCertificateHasMarkerExtension(cert, value)) - return; + if (!SecPolicyCheckCertLeafMarkerOid(cert, value)) { + SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); + } +} - SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); +static void SecPolicyCheckLeafMarkerOidWithoutValueCheck(SecPVCRef pvc, CFStringRef key) +{ + SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, 0); + SecPolicyRef policy = SecPVCGetPolicy(pvc); + CFTypeRef value = CFDictionaryGetValue(policy->_options, key); + + if (!SecPolicyCheckCertLeafMarkerOidWithoutValueCheck(cert, value)) { + SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); + } } static void SecPolicyCheckIntermediateMarkerOid(SecPVCRef pvc, CFStringRef key) @@ -1346,6 +1172,20 @@ static void SecPolicyCheckIntermediateMarkerOid(SecPVCRef pvc, CFStringRef key) SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); } +static void SecPolicyCheckIntermediateEKU(SecPVCRef pvc, CFStringRef key) +{ + CFIndex ix, count = SecPVCGetCertificateCount(pvc); + SecPolicyRef policy = SecPVCGetPolicy(pvc); + CFTypeRef peku = CFDictionaryGetValue(policy->_options, key); + + for (ix = 1; ix < count - 1; ix++) { + SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); + if (!SecPolicyCheckCertExtendedKeyUsage(cert, peku)) { + SecPVCSetResult(pvc, key, ix, kCFBooleanFalse); + } + } +} + /* Returns true if path is on the allow list, false otherwise */ static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc) { @@ -1353,6 +1193,7 @@ static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc) CFIndex ix = 0, count = SecPVCGetCertificateCount(pvc); CFStringRef authKey = NULL; SecOTAPKIRef otapkiRef = NULL; + CFDictionaryRef allowList = NULL; //get authKeyID from the last chain in the cert if (count < 1) { 
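Review bot: `for (ix = 1; ix < count - 1; ix++)` in SecPolicyCheckIntermediateEKU always leaves the last certificate unchecked, but the `is_anchored` test in SecPolicyCheckBasicCertificateProcessing at the end of this chunk only treats the last cert as a root when the path is anchored; on an unanchored path the last cert is an ordinary CA and would escape the EKU requirement here. If that is not intended, bound the loop the same way, `CFIndex last = SecPVCIsAnchored(pvc) ? count - 1 : count;` and `for (ix = 1; ix < last; ix++)`. The loop also keeps iterating after `SecPVCSetResult` returns false, whereas the sibling checks return at that point; whether that matters depends on SecPVCSetResult's contract, which is not in this diff.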
@@ -1364,13 +1205,16 @@ static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc) return result; } authKey = CFDataCopyHexString(authKeyID); + if (NULL == authKey) { + goto errout; + } //if allowList && key is in allowList, this would have chained up to a now-removed anchor otapkiRef = SecOTAPKICopyCurrentOTAPKIRef(); if (NULL == otapkiRef) { goto errout; } - CFDictionaryRef allowList = SecOTAPKICopyAllowList(otapkiRef); + allowList = SecOTAPKICopyAllowList(otapkiRef); if (NULL == allowList) { goto errout; } 
@@ -1407,12 +1251,63 @@ static bool SecPVCCheckCertificateAllowList(SecPVCRef pvc) } errout: - CFRelease(authKey); + CFReleaseNull(authKey); CFReleaseNull(otapkiRef); CFReleaseNull(allowList); return result; } +#define DCMP(_idx_) memcmp(data+(8*_idx_), digest, 8) + +/* Returns true if leaf is on the CT whitelist */ +static bool SecPVCCheckCTWhiteListedLeaf(SecPVCRef pvc) +{ + SecOTAPKIRef otapkiRef = NULL; + CFDataRef whiteList = NULL; + SecCertificateRef cert = NULL; + CFDataRef dgst = NULL; + bool result = false; + const uint8_t *digest = NULL; + const uint8_t *data = NULL; + require(otapkiRef = SecOTAPKICopyCurrentOTAPKIRef(), out); + require(whiteList = SecOTAPKICopyCTWhiteList(otapkiRef), out); + require(cert = SecPVCGetCertificateAtIndex(pvc, 0), out); + require(dgst = SecCertificateCopySHA256Digest(cert), out); + + digest = CFDataGetBytePtr(dgst); + data = CFDataGetBytePtr(whiteList); + CFIndex l = 0; + CFIndex h = CFDataGetLength(whiteList)/8-1; + + if(DCMP(l)==0 || DCMP(h)==0) { + result = true; + goto out; + } + + if(DCMP(l)>0 || DCMP(h)<0) { + goto out; + } + + while((h-l)>1) { + CFIndex i = (h+l)/ + 2; + int s = DCMP(i); + if(s == 0) { + result = true; + goto out; + } else if(s < 0) { + l = i; + } else { + h = i; + } + } + +out: + CFReleaseSafe(dgst); + CFReleaseSafe(whiteList); + CFReleaseSafe(otapkiRef); + return result; +} /**************************************************************************** *********************** New rfc5280 Chain Validation *********************** @@ -1560,7 +1455,7 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, uint32_t n = (uint32_t)count; bool is_anchored = SecPVCIsAnchored(pvc); if (is_anchored) { - /* If the anchor is trusted we don't procces the last cert in the + /* If the anchor is trusted we don't process the last cert in the chain (root). */ n--; } else { 
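Review bot: SecPVCCheckCTWhiteListedLeaf sets `h = CFDataGetLength(whiteList)/8-1`, so a whitelist shorter than 8 bytes gives h == -1 and DCMP(h) reads before the start of the buffer (an empty data object makes DCMP(l) read past it as well). Add `require(CFDataGetLength(whiteList) >= 8, out);` before the first comparison. DCMP's argument is not parenthesized; `#define DCMP(_idx_) memcmp(data+(8*(_idx_)), digest, 8)` avoids surprises if an expression is ever passed. A comment stating the expected format — an array of 8-byte SHA-256 prefixes that the binary search assumes is sorted in memcmp order — would also document why only 8 of the digest's 32 bytes are compared.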
@@ -1587,8 +1482,10 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, CFMutableArrayRef excluded_subtrees = NULL; permitted_subtrees = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); excluded_subtrees = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); - assert(permitted_subtrees != NULL); - assert(excluded_subtrees != NULL); + require_action_quiet(permitted_subtrees != NULL, errOut, + SecPVCSetResultForced(pvc, key, 0, kCFBooleanFalse, true)); + require_action_quiet(excluded_subtrees != NULL, errOut, + SecPVCSetResultForced(pvc, key, 0, kCFBooleanFalse, true)); #endif uint32_t explicit_policy = initial_explicit_policy ? 0 : n + 1; uint32_t inhibit_any_policy = initial_any_policy_inhibit ? 0 : n + 1; @@ -1615,20 +1512,15 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, /* Already done by chain builder. */ if (!SecCertificateIsValid(cert, verify_time)) { CFStringRef fail_key = i == n ? kSecPolicyCheckValidLeaf : kSecPolicyCheckValidIntermediates; - if (!SecPVCSetResult(pvc, fail_key, n - i, kCFBooleanFalse)) - return; + if (!SecPVCSetResult(pvc, fail_key, n - i, kCFBooleanFalse)) { + goto errOut; + } } if (SecCertificateIsWeak(cert)) { CFStringRef fail_key = i == n ? kSecPolicyCheckWeakLeaf : kSecPolicyCheckWeakIntermediates; - if (!SecPVCSetResult(pvc, fail_key, n - i, kCFBooleanFalse)) - return; - } -#endif -#if 0 - /* Check revocation status if the certificate asks for it. */ - CFArrayRef ocspResponders = SecCertificateGetOCSPResponders(cert); - if (ocspResponders) { - SecPVCSetCheckRevocation(pvc); + if (!SecPVCSetResult(pvc, fail_key, n - i, kCFBooleanFalse)) { + goto errOut; + } } #endif /* @@@ cert.issuer == working_issuer_name. */ 
@@ -1640,13 +1532,15 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, /* Verify certificate Subject Name and SubjectAltNames are not within any of the excluded_subtrees */ if(excluded_subtrees && CFArrayGetCount(excluded_subtrees)) { if ((errSecSuccess != SecNameContraintsMatchSubtrees(cert, excluded_subtrees, &found, false)) || found) { - if(!SecPVCSetResultForced(pvc, key, n - i, kCFBooleanFalse, true)) return; + secnotice("policy", "name in excluded subtrees"); + if(!SecPVCSetResultForced(pvc, key, n - i, kCFBooleanFalse, true)) { goto errOut; } } } /* Verify certificate Subject Name and SubjectAltNames are within the permitted_subtrees */ if(permitted_subtrees && CFArrayGetCount(permitted_subtrees)) { if ((errSecSuccess != SecNameContraintsMatchSubtrees(cert, permitted_subtrees, &found, true)) || !found) { - if(!SecPVCSetResultForced(pvc, key, n - i, kCFBooleanFalse, true)) return; + secnotice("policy", "name not in permitted subtrees"); + if(!SecPVCSetResultForced(pvc, key, n - i, kCFBooleanFalse, true)) { goto errOut; } } } } @@ -1695,8 +1589,10 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, valid_policy_tree is not equal to NULL. */ if (!pvc->valid_policy_tree && explicit_policy == 0) { /* valid_policy_tree is empty and explicit policy is 0, illegal. */ - if (!SecPVCSetResultForced(pvc, key /* @@@ Need custom key */, n - i, kCFBooleanFalse, true)) - return; + secnotice("policy", "policy tree failure"); + if (!SecPVCSetResultForced(pvc, key /* @@@ Need custom key */, n - i, kCFBooleanFalse, true)) { + goto errOut; + } } /* If Last Cert in Path */ if (i == n) 
@@ -1714,8 +1610,9 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, if (oid_equal(mapping->issuerDomainPolicy, oidAnyPolicy) || oid_equal(mapping->subjectDomainPolicy, oidAnyPolicy)) { /* Policy mapping uses anyPolicy, illegal. */ - if (!SecPVCSetResultForced(pvc, key /* @@@ Need custom key */, n - i, kCFBooleanFalse)) - return; + if (!SecPVCSetResultForced(pvc, key /* @@@ Need custom key */, n - i, kCFBooleanFalse)) { + goto errOut; + } } } /* (b) */ @@ -1802,9 +1699,10 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, #if 0 /* Checked in chain builder pre signature verify already. */ if (!bc || !bc->isCA) { /* Basic constraints not present or not marked as isCA, illegal. */ - if (!SecPVCSetResult(pvc, kSecPolicyCheckBasicContraints, - n - i, kCFBooleanFalse)) - return; + if (!SecPVCSetResult(pvc, kSecPolicyCheckBasicConstraints, + n - i, kCFBooleanFalse)) { + goto errOut; + } } #endif /* (l) */ @@ -1813,9 +1711,10 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, max_path_length--; } else { /* max_path_len exceeded, illegal. */ - if (!SecPVCSetResult(pvc, kSecPolicyCheckBasicContraints, - n - i, kCFBooleanFalse)) - return; + if (!SecPVCSetResult(pvc, kSecPolicyCheckBasicConstraints, + n - i, kCFBooleanFalse)) { + goto errOut; + } } } /* (m) */ 
@@ -1828,16 +1727,18 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, SecKeyUsage keyUsage = SecCertificateGetKeyUsage(cert); if (keyUsage && !(keyUsage & kSecKeyUsageKeyCertSign)) { if (!SecPVCSetResultForced(pvc, kSecPolicyCheckKeyUsage, - n - i, kCFBooleanFalse, true)) - return; + n - i, kCFBooleanFalse, true)) { + goto errOut; + } } #endif /* (o) Recognize and process any other critical extension present in the certificate. Process any other recognized non-critical extension present in the certificate that is relevant to path processing. */ if (SecCertificateHasUnknownCriticalExtension(cert)) { /* Certificate contains one or more unknown critical extensions. */ if (!SecPVCSetResult(pvc, kSecPolicyCheckCriticalExtensions, - n - i, kCFBooleanFalse)) - return; + n - i, kCFBooleanFalse)) { + goto errOut; + } } } /* end loop over certs in path */ /* Wrap up */ @@ -1865,8 +1766,9 @@ working_public_key_algorithm are different, set the working_public_key_parameter if (SecCertificateHasUnknownCriticalExtension(cert)) { /* Certificate contains one or more unknown critical extensions. */ if (!SecPVCSetResult(pvc, kSecPolicyCheckCriticalExtensions, - 0, kCFBooleanFalse)) - return; + 0, kCFBooleanFalse)) { + goto errOut; + } } /* (g) Calculate the intersection of the valid_policy_tree and the user-initial-policy-set, as follows */ @@ -1883,10 +1785,13 @@ working_public_key_algorithm are different, set the working_public_key_parameter has succeeded. */ if (!pvc->valid_policy_tree && explicit_policy == 0) { /* valid_policy_tree is empty and explicit policy is 0, illegal. */ - if (!SecPVCSetResultForced(pvc, key /* @@@ Need custom key */, 0, kCFBooleanFalse, true)) - return; + secnotice("policy", "policy tree failure"); + if (!SecPVCSetResultForced(pvc, key /* @@@ Need custom key */, 0, kCFBooleanFalse, true)) { + goto errOut; + } } +errOut: CFReleaseNull(permitted_subtrees); CFReleaseNull(excluded_subtrees); } 
@@ -1907,11 +1812,24 @@ static void SecPolicyCheckEV(SecPVCRef pvc, CFIndex ix, count = SecPVCGetCertificateCount(pvc); policy_set_t valid_policies = NULL; - for (ix = 0; ix < count; ++ix) { - SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); - policy_set_t policies = policies_for_cert(cert); - if (ix == 0) { - /* Subscriber */ + /* 6.1.7. Key Usage Purposes */ + if (count) { + CFAbsoluteTime jul2016 = 489024000; + SecCertificateRef leaf = SecPVCGetCertificateAtIndex(pvc, 0); + if (SecCertificateNotValidBefore(leaf) > jul2016 && count < 3) { + /* Root CAs may not sign subscriber certificates after 30 June 2016. */ + if (SecPVCSetResultForced(pvc, key, + 0, kCFBooleanFalse, true)) { + return; + } + } + } + + for (ix = 0; ix < count; ++ix) { + SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); + policy_set_t policies = policies_for_cert(cert); + if (ix == 0) { + /* Subscriber */ /* anyPolicy in the leaf isn't allowed for EV, so only init valid_policies if we have real policies. */ if (!policy_set_contains(policies, &oidAnyPolicy)) { @@ -1921,7 +1839,7 @@ static void SecPolicyCheckEV(SecPVCRef pvc, } else if (ix < count - 1) { /* Subordinate CA */ if (!SecPolicySubordinateCACertificateCouldBeEV(cert)) { - secdebug("ev", "subordinate certificate is not ev"); + secnotice("ev", "subordinate certificate is not ev"); if (SecPVCSetResultForced(pvc, key, ix, kCFBooleanFalse, true)) { policy_set_free(valid_policies); @@ -1933,7 +1851,7 @@ static void SecPolicyCheckEV(SecPVCRef pvc, } else { /* Root CA */ if (!SecPolicyRootCACertificateIsEV(cert, valid_policies)) { - secdebug("ev", "anchor certificate is not ev"); + secnotice("ev", "anchor certificate is not ev"); if (SecPVCSetResultForced(pvc, key, ix, kCFBooleanFalse, true)) { policy_set_free(valid_policies); 
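Review bot: The cutoff `CFAbsoluteTime jul2016 = 489024000;` is a magic number; by my arithmetic it is 2016-07-01T00:00:00Z, which fits the variable name but reads differently from the comment's "after 30 June 2016", so a named constant with its derivation would avoid future confusion: `static const CFAbsoluteTime kEVRootSigningCutoff = 489024000; /* 2016-07-01T00:00:00Z as CFAbsoluteTime — confirm */`. The `count < 3` test treats every two-certificate chain as root-signed; if that assumption holds for all anchor sets used with this policy, a comment saying so would help. The enclosing function continues past this hunk.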
@@ -1944,7 +1862,7 @@ static void SecPolicyCheckEV(SecPVCRef pvc, } policy_set_free(policies); if (!valid_policies) { - secdebug("ev", "valid_policies set is empty: chain not ev"); + secnotice("ev", "valid_policies set is empty: chain not ev"); /* If we ever get into a state where no policies are valid anymore this can't be an ev chain. */ if (SecPVCSetResultForced(pvc, key, 
@@ -2123,20 +2041,46 @@ out: return data; } -/* If the 'sct' is valid, return the operator ID of the log that signed this sct. +static +CFAbsoluteTime TimestampToCFAbsoluteTime(uint64_t ts) +{ + return (ts / 1000) - kCFAbsoluteTimeIntervalSince1970; +} + +static +uint64_t TimestampFromCFAbsoluteTime(CFAbsoluteTime at) +{ + return (uint64_t)(at + kCFAbsoluteTimeIntervalSince1970) * 1000; +} + + + + +/* + If the 'sct' is valid, add it to the validatingLogs dictionary. + + Inputs: + - validatingLogs: mutable dictionary to which to add the log that validate this SCT. + - sct: the SCT date + - entry_type: 0 for x509 cert, 1 for precert. + - entry: the cert or precert data. + - vt: verification time timestamp (as used in SCTs: ms since 1970 Epoch) + - trustedLog: Dictionary contain the Trusted Logs. The SCT is valid if: - It decodes properly. - Its timestamp is less than 'verifyTime'. - It is signed by a log in 'trustedLogs'. - - The signing log expiryTime (if any) is less than 'verifyTime' (entry_type==0) or 'issuanceTime' (entry_type==1). + - If entry_type = 0, the log must be currently qualified. + - If entry_type = 1, the log may be expired. - If the SCT is valid, the returned CFStringRef is the identifier for the log operator. That value is not retained. - If the SCT is valid, '*validLogAtVerifyTime' is set to true if the log is not expired at 'verifyTime' + If the SCT is valid, it's added to the validatinLogs dictionary using the log dictionary as the key, and the timestamp as value. + If an entry for the same log already existing in the dictionary, the entry is replaced only if the timestamp of this SCT is earlier. - If the SCT is not valid this function return NULL. 
*/ -static CFStringRef get_valid_sct_operator(CFDataRef sct, int entry_type, CFDataRef entry, CFAbsoluteTime verifyTime, CFAbsoluteTime issuanceTime, CFArrayRef trustedLogs, bool *validLogAtVerifyTime) + + +static CFDictionaryRef getSCTValidatingLog(CFDataRef sct, int entry_type, CFDataRef entry, uint64_t vt, CFArrayRef trustedLogs, CFAbsoluteTime *sct_at) { uint8_t version; const uint8_t *logID; @@ -2148,15 +2092,15 @@ static CFStringRef get_valid_sct_operator(CFDataRef sct, int entry_type, CFDataR uint8_t sigAlg; size_t signatureLen; const uint8_t *signatureData; - CFStringRef result = NULL; SecKeyRef pubKey = NULL; uint8_t *signed_data = NULL; const SecAsn1Oid *oid = NULL; SecAsn1AlgId algId; + CFDataRef logIDData = NULL; + CFDictionaryRef result = 0; const uint8_t *p = CFDataGetBytePtr(sct); size_t len = CFDataGetLength(sct); - uint64_t vt =(uint64_t)( verifyTime + kCFAbsoluteTimeIntervalSince1970) * 1000; require(len>=43, out); @@ -2203,7 +2147,7 @@ static CFStringRef get_valid_sct_operator(CFDataRef sct, int entry_type, CFDataR q = SSLEncodeUint16(q, extensionsLen); memcpy(q, extensionsData, extensionsLen); - CFDataRef logIDData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, logID, 32, kCFAllocatorNull); + logIDData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, logID, 32, kCFAllocatorNull); CFDictionaryRef logData = CFArrayGetValueMatching(trustedLogs, ^bool(const void *dict) { const void *key_data; 
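Review bot: The rewritten header comment no longer matches getSCTValidatingLog's signature: it documents a validatingLogs input and says the SCT is "added to the validatinLogs dictionary", but the function takes (sct, entry_type, entry, vt, trustedLogs, sct_at), returns the matching trusted-log dictionary, and leaves the insertion to the caller. Suggest rewording the lead sentence to describe the return value (the log dictionary from trustedLogs, apparently not retained, or NULL when invalid) and the sct_at out-parameter (written only when a log is returned), and moving the replace-only-if-earlier rule to addValidatingLog where it is implemented. The comment also has typos ('validatinLogs', 'the SCT date', 'Dictionary contain'). The function body continues past this hunk.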
@@ -2215,21 +2159,11 @@ static CFStringRef get_valid_sct_operator(CFDataRef sct, int entry_type, CFDataR CFReleaseSafe(valueID); return result; }); - CFReleaseSafe(logIDData); require(logData, out); - /* If an expiry date is specified, and is a valid CFDate, then we check it against issuanceTime or verifyTime */ - const void *expiry_date; - if(CFDictionaryGetValueIfPresent(logData, CFSTR("expiry"), &expiry_date) && isDate(expiry_date)) { - CFAbsoluteTime expiryTime = CFDateGetAbsoluteTime(expiry_date); - if(entry_type == 1) {/* pre-cert: check the validity of the log at issuanceTime */ - require(issuanceTime<=expiryTime, out); - } else { - require(verifyTime<=expiryTime, out); - } - *validLogAtVerifyTime = (verifyTime<=expiryTime); - } else { - *validLogAtVerifyTime = true; + if(entry_type==0) { + // For external SCTs, only keep SCTs from currently valid logs. + require(!CFDictionaryContainsKey(logData, CFSTR("expiry")), out); } CFDataRef logKeyData = CFDictionaryGetValue(logData, CFSTR("key")); 
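Review bot: For entry_type == 0 the new check `require(!CFDictionaryContainsKey(logData, CFSTR("expiry")), out);` rejects an SCT as soon as the log carries any expiry entry, even one in the future, whereas the removed code compared the expiry date against verifyTime. If the trusted-log list only gains an "expiry" key once a log is actually retired the two are equivalent; otherwise SCTs from still-qualified logs with an announced shutdown date are dropped early. Either way the comment should state the assumption, e.g. `// For external SCTs, only keep SCTs from currently qualified logs; a log with any "expiry" key is treated as no longer qualified.` The enclosing function starts before this hunk.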
@@ -2245,17 +2179,31 @@ static CFStringRef get_valid_sct_operator(CFDataRef sct, int entry_type, CFDataR algId.parameters.Length = 0; if(SecKeyDigestAndVerify(pubKey, &algId, signed_data, signed_data_len, signatureData, signatureLen)==0) { - result = CFDictionaryGetValue(logData, CFSTR("operator")); + *sct_at = TimestampToCFAbsoluteTime(timestamp); + result = logData; } else { secerror("SCT signature failed (log=%@)\n", logData); } out: + CFReleaseSafe(logIDData); CFReleaseSafe(pubKey); free(signed_data); return result; } + +static void addValidatingLog(CFMutableDictionaryRef validatingLogs, CFDictionaryRef log, CFAbsoluteTime sct_at) +{ + CFDateRef validated_time = CFDictionaryGetValue(validatingLogs, log); + + if(validated_time==NULL || (sct_at < CFDateGetAbsoluteTime(validated_time))) { + CFDateRef sct_time = CFDateCreate(kCFAllocatorDefault, sct_at); + CFDictionarySetValue(validatingLogs, log, sct_time); + CFReleaseSafe(sct_time); + } +} + static CFArrayRef copy_ocsp_scts(SecPVCRef pvc) { CFMutableArrayRef SCTs = NULL; 
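Review bot: addValidatingLog has no header comment and its keep-the-earliest rule is easy to misread; suggest `/* Record that 'log' validated an SCT timestamped 'sct_at'; if the log is already present, keep only the earliest timestamp. */`. CFDateCreate's result is not checked before CFDictionarySetValue, and a NULL value with the CFType value callbacks would most likely crash, so `if (sct_time) { CFDictionarySetValue(validatingLogs, log, sct_time); }` is safer under allocation failure. In getSCTValidatingLog, `*sct_at` is only written on the success path, which is worth stating in its header comment since callers must not read it when NULL is returned.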
@@ -2317,91 +2265,131 @@ static void SecPolicyCheckCT(SecPVCRef pvc, CFStringRef key) CFDataRef precertEntry = copy_precert_entry_from_chain(pvc); CFDataRef x509Entry = copy_x509_entry_from_chain(pvc); - // This eventually contain the list of operators who validated the SCT. - CFMutableSetRef operatorsValidatingEmbeddedScts = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks); - CFMutableSetRef operatorsValidatingExternalScts = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks); + // This eventually contain list of logs who validated the SCT. + CFMutableDictionaryRef currentLogsValidatingScts = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFMutableDictionaryRef logsValidatingEmbeddedScts = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + uint64_t vt = TimestampFromCFAbsoluteTime(pvc->verifyTime); - __block bool atLeastOneValidAtVerifyTime = false; - __block int lifetime; // in Months + __block bool at_least_one_currently_valid_external = 0; + __block bool at_least_one_currently_valid_embedded = 0; - require(operatorsValidatingEmbeddedScts, out); - require(operatorsValidatingExternalScts, out); + require(logsValidatingEmbeddedScts, out); + require(currentLogsValidatingScts, out); if(trustedLogs) { // Don't bother trying to validate SCTs if we don't have any trusted logs. if(embeddedScts && precertEntry) { // Don't bother if we could not get the precert. 
CFArrayForEach(embeddedScts, ^(const void *value){ - bool validLogAtVerifyTime = false; - CFStringRef operator = get_valid_sct_operator(value, 1, precertEntry, pvc->verifyTime, SecCertificateNotValidBefore(leafCert), trustedLogs, &validLogAtVerifyTime); - if(operator) CFSetAddValue(operatorsValidatingEmbeddedScts, operator); - if(validLogAtVerifyTime) atLeastOneValidAtVerifyTime = true; + CFAbsoluteTime sct_at; + CFDictionaryRef log = getSCTValidatingLog(value, 1, precertEntry, vt, trustedLogs, &sct_at); + if(log) { + addValidatingLog(logsValidatingEmbeddedScts, log, sct_at); + if(!CFDictionaryContainsKey(log, CFSTR("expiry"))) { + addValidatingLog(currentLogsValidatingScts, log, sct_at); + at_least_one_currently_valid_embedded = true; + } + } }); } if(builderScts && x509Entry) { // Don't bother if we could not get the cert. CFArrayForEach(builderScts, ^(const void *value){ - bool validLogAtVerifyTime = false; - CFStringRef operator = get_valid_sct_operator(value, 0, x509Entry, pvc->verifyTime, SecCertificateNotValidBefore(leafCert), trustedLogs, &validLogAtVerifyTime); - if(operator) CFSetAddValue(operatorsValidatingExternalScts, operator); - if(validLogAtVerifyTime) atLeastOneValidAtVerifyTime = true; + CFAbsoluteTime sct_at; + CFDictionaryRef log = getSCTValidatingLog(value, 0, x509Entry, vt, trustedLogs, &sct_at); + if(log) { + addValidatingLog(currentLogsValidatingScts, log, sct_at); + at_least_one_currently_valid_external = true; + } }); } if(ocspScts && x509Entry) { CFArrayForEach(ocspScts, ^(const void *value){ - bool validLogAtVerifyTime = false; - CFStringRef operator = get_valid_sct_operator(value, 0, x509Entry, pvc->verifyTime, SecCertificateNotValidBefore(leafCert), trustedLogs, &validLogAtVerifyTime); - if(operator) CFSetAddValue(operatorsValidatingExternalScts, operator); - if(validLogAtVerifyTime) atLeastOneValidAtVerifyTime = true; + CFAbsoluteTime sct_at; + CFDictionaryRef log = getSCTValidatingLog(value, 0, x509Entry, vt, trustedLogs, &sct_at); + 
if(log) { + addValidatingLog(currentLogsValidatingScts, log, sct_at); + at_least_one_currently_valid_external = true; + } }); } } - /* We now have 2 sets of operators that validated those SCTS, count them and make a final decision. - Current Policy: - is_ct = (A1 OR A2) AND B. - A1: 2+ to 5+ SCTs from the cert from independent logs valid at issuance time - (operatorsValidatingEmbeddedScts) - A2: 2+ SCTs from external sources (OCSP stapled response and TLS extension) - from independent logs valid at verify time. (operatorsValidatingExternalScts) - B: All least one SCTs from a log valid at verify time. + /* We now have 2 sets of logs that validated those SCTS, count them and make a final decision. - Policy is based on: https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxjZXJ0aWZpY2F0ZXRyYW5zcGFyZW5jeXxneDo0ODhjNGRlOTIyMzYwNTcz - with one difference: we consider SCTs from OCSP and TLS extensions as a whole. - It sounds like this is what Google will eventually do, per: - https://groups.google.com/forum/?fromgroups#!topic/certificate-transparency/VdXuzA3TLWY + Current Policy: + is_ct = (A1 AND A2) OR (B1 AND B2). - */ + A1: embedded SCTs from 2+ to 5+ logs valid at issuance time + A2: At least one embedded SCT from a currently valid log. - SecCFCalendarDoWithZuluCalendar(^(CFCalendarRef zuluCalendar) { - int _lifetime; - CFCalendarGetComponentDifference(zuluCalendar, - SecCertificateNotValidBefore(leafCert), - SecCertificateNotValidAfter(leafCert), - 0, "M", &_lifetime); - lifetime = _lifetime; - }); + B1: SCTs from 2 currently valid logs (from any source) + B2: At least 1 external SCT from a currently valid log. 
- CFIndex requiredEmbeddedSctsCount; + */ - if (lifetime < 15) { - requiredEmbeddedSctsCount = 2; - } else if (lifetime <= 27) { - requiredEmbeddedSctsCount = 3; - } else if (lifetime <= 39) { - requiredEmbeddedSctsCount = 4; - } else { - requiredEmbeddedSctsCount = 5; - } + pvc->is_ct = false; + + if(at_least_one_currently_valid_external && CFDictionaryGetCount(currentLogsValidatingScts)>=2) { + pvc->is_ct = true; + } else if(at_least_one_currently_valid_embedded) { + __block CFAbsoluteTime issuanceTime = pvc->verifyTime; + __block int lifetime; // in Months + __block unsigned once_or_current_qualified_embedded = 0; + + /* Calculate issuance time base on timestamp of SCTs from current logs */ + CFDictionaryForEach(currentLogsValidatingScts, ^(const void *key, const void *value) { + CFDictionaryRef log = key; + if(!CFDictionaryContainsKey(log, CFSTR("expiry"))) { + // Log is still qualified + CFDateRef ts = (CFDateRef) value; + CFAbsoluteTime timestamp = CFDateGetAbsoluteTime(ts); + if(timestamp < issuanceTime) { + issuanceTime = timestamp; + } + } + }); + + /* Count Logs */ + CFDictionaryForEach(logsValidatingEmbeddedScts, ^(const void *key, const void *value) { + CFDictionaryRef log = key; + CFDateRef ts = value; + CFDateRef expiry = CFDictionaryGetValue(log, CFSTR("expiry")); + if(expiry == NULL || CFDateCompare(ts, expiry, NULL) == kCFCompareLessThan) { + once_or_current_qualified_embedded++; + } + }); + + SecCFCalendarDoWithZuluCalendar(^(CFCalendarRef zuluCalendar) { + int _lifetime; + CFCalendarGetComponentDifference(zuluCalendar, + SecCertificateNotValidBefore(leafCert), + SecCertificateNotValidAfter(leafCert), + 0, "M", &_lifetime); + lifetime = _lifetime; + }); + + unsigned requiredEmbeddedSctsCount; + + if (lifetime < 15) { + requiredEmbeddedSctsCount = 2; + } else if (lifetime <= 27) { + requiredEmbeddedSctsCount = 3; + } else if (lifetime <= 39) { + requiredEmbeddedSctsCount = 4; + } else { + requiredEmbeddedSctsCount = 5; + } - pvc->is_ct = 
((CFSetGetCount(operatorsValidatingEmbeddedScts) >= requiredEmbeddedSctsCount) || - (CFSetGetCount(operatorsValidatingExternalScts) >= 2) - ) && atLeastOneValidAtVerifyTime; + if(once_or_current_qualified_embedded >= requiredEmbeddedSctsCount){ + pvc->is_ct = true; + } + } out: - - CFReleaseSafe(operatorsValidatingEmbeddedScts); - CFReleaseSafe(operatorsValidatingExternalScts); + CFReleaseSafe(logsValidatingEmbeddedScts); + CFReleaseSafe(currentLogsValidatingScts); CFReleaseSafe(builderScts); CFReleaseSafe(embeddedScts); CFReleaseSafe(ocspScts); 
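Review bot: `issuanceTime` is computed in the first CFDictionaryForEach but never read afterwards in this hunk; the lifetime is derived from SecCertificateNotValidBefore(leafCert) instead, so either the loop is dead code or the intended use of the earliest SCT timestamp was lost. If it is meant to feed the once-qualified test or the lifetime calculation, wire it in; otherwise drop the loop and the __block variable. The rule `CFDateCompare(ts, expiry, NULL) == kCFCompareLessThan` counts an embedded SCT timestamped before the log's expiry, which is what the policy comment calls "valid at issuance time" — a one-line comment at that compare would tie the two together.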
@@ -2410,37 +2398,52 @@ out: CFReleaseSafe(x509Entry); } +static bool checkPolicyOidData(SecPVCRef pvc, CFDataRef oid) { + CFIndex ix, count = SecPVCGetCertificateCount(pvc); + DERItem key_value; + key_value.data = (DERByte *)CFDataGetBytePtr(oid); + key_value.length = (DERSize)CFDataGetLength(oid); + + for (ix = 0; ix < count; ix++) { + SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); + policy_set_t policies = policies_for_cert(cert); + + if (policy_set_contains(policies, &key_value)) { + return true; + } + } + return false; +} + static void SecPolicyCheckCertificatePolicyOid(SecPVCRef pvc, CFStringRef key) { - CFIndex ix, count = SecPVCGetCertificateCount(pvc); SecPolicyRef policy = SecPVCGetPolicy(pvc); CFTypeRef value = CFDictionaryGetValue(policy->_options, key); - DERItem key_value; - key_value.data = NULL; - key_value.length = 0; + bool result = false; if (CFGetTypeID(value) == CFDataGetTypeID()) { - CFDataRef key_data = (CFDataRef)value; - key_value.data = (DERByte *)CFDataGetBytePtr(key_data); - key_value.length = (DERSize)CFDataGetLength(key_data); - - for (ix = 0; ix < count; ix++) { - SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); - policy_set_t policies = policies_for_cert(cert); - - if (policy_set_contains(policies, &key_value)) { - return; - } - } + result = checkPolicyOidData(pvc, value); + } else if (CFGetTypeID(value) == CFStringGetTypeID()) { + CFDataRef dataOid = SecCertificateCreateOidDataFromString(NULL, value); + if (dataOid) { + result = checkPolicyOidData(pvc, dataOid); + CFRelease(dataOid); + } + } + if(!result) { SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); - } + } } static void SecPolicyCheckRevocation(SecPVCRef pvc, CFStringRef key) { - SecPVCSetCheckRevocation(pvc); + SecPolicyRef policy = SecPVCGetPolicy(pvc); + CFTypeRef value = CFDictionaryGetValue(policy->_options, key); + if (isString(value)) { + SecPVCSetCheckRevocation(pvc, value); + } } static void 
SecPolicyCheckRevocationResponseRequired(SecPVCRef pvc, @@ -2449,8 +2452,14 @@ static void SecPolicyCheckRevocationResponseRequired(SecPVCRef pvc, } static void SecPolicyCheckNoNetworkAccess(SecPVCRef pvc, - CFStringRef key) { - SecPathBuilderSetCanAccessNetwork(pvc->builder, false); + CFStringRef key) { + SecPolicyRef policy = SecPVCGetPolicy(pvc); + CFTypeRef value = CFDictionaryGetValue(policy->_options, key); + if (value == kCFBooleanTrue) { + SecPathBuilderSetCanAccessNetwork(pvc->builder, false); + } else { + SecPathBuilderSetCanAccessNetwork(pvc->builder, true); + } } static void SecPolicyCheckWeakIntermediates(SecPVCRef pvc, 
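Review bot: checkPolicyOidData never releases the set returned by policies_for_cert, whereas SecPolicyCheckEV earlier in this diff pairs every policies_for_cert call with policy_set_free; each iteration, and the early `return true`, therefore leaks a policy set. Rewrite the loop body as `bool found = policy_set_contains(policies, &key_value); policy_set_free(policies); if (found) { return true; }`. The removed code had the same omission, but the extraction is the right moment to fix it. Separately, SecPolicyCheckCertificatePolicyOid still calls CFGetTypeID(value) without a NULL check, so a policy whose option dictionary lacks the key would crash rather than fail the check.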
@@ -2488,22 +2497,82 @@ static void SecPolicyCheckWeakRoot(SecPVCRef pvc, } } +static void SecPolicyCheckKeySize(SecPVCRef pvc, CFStringRef key) { + CFIndex ix, count = SecPVCGetCertificateCount(pvc); + SecPolicyRef policy = SecPVCGetPolicy(pvc); + CFDictionaryRef keySizes = CFDictionaryGetValue(policy->_options, key); + for (ix = 0; ix < count; ++ix) { + SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); + if (!SecCertificateIsAtLeastMinKeySize(cert, keySizes)) { + if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) + return; + } + } +} + +static void SecPolicyCheckSignatureHashAlgorithms(SecPVCRef pvc, + CFStringRef key) { + CFIndex ix, count = SecPVCGetCertificateCount(pvc); + SecPolicyRef policy = SecPVCGetPolicy(pvc); + CFSetRef disallowedHashAlgorithms = CFDictionaryGetValue(policy->_options, key); + for (ix = 0; ix < count; ++ix) { + SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); + if (!SecPolicyCheckCertSignatureHashAlgorithms(cert, disallowedHashAlgorithms)) { + if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) + return; + } + } +} + +#define ENABLE_CRLS (TARGET_OS_MAC && !TARGET_OS_IPHONE) + // MARK: - // MARK: SecRVCRef /******************************************************** ****************** SecRVCRef Functions ***************** ********************************************************/ - -const CFAbsoluteTime kSecDefaultOCSPResponseTTL = 24.0 * 60.0 * 60.0; +typedef struct OpaqueSecORVC *SecORVCRef; +#if ENABLE_CRLS +typedef struct OpaqueSecCRVC *SecCRVCRef; +#endif /* Revocation verification context. */ struct OpaqueSecRVC { + /* Pointer to the pvc for this revocation check */ + SecPVCRef pvc; + + /* Index of cert in pvc that this RVC is for 0 = leaf, etc. 
*/ + CFIndex certIX; + + /* The OCSP Revocation verification context */ + SecORVCRef orvc; + +#if ENABLE_CRLS + SecCRVCRef crvc; +#endif + + bool done; +}; +typedef struct OpaqueSecRVC *SecRVCRef; + +// MARK: SecORVCRef +/******************************************************** + ****************** OCSP RVC Functions ****************** + ********************************************************/ +const CFAbsoluteTime kSecDefaultOCSPResponseTTL = 24.0 * 60.0 * 60.0; +#define OCSP_RESPONSE_TIMEOUT (3 * NSEC_PER_SEC) + +/* OCSP Revocation verification context. */ +struct OpaqueSecORVC { /* Will contain the response data. */ asynchttp_t http; /* Pointer to the pvc for this revocation check. */ SecPVCRef pvc; + /* Pointer to the generic rvc for this revocation check */ + SecRVCRef rvc; + /* The ocsp request we send to each responder. */ SecOCSPRequestRef ocspRequest; 
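Review bot: SecPolicyCheckKeySize and SecPolicyCheckSignatureHashAlgorithms pull keySizes and disallowedHashAlgorithms straight out of policy->_options without a type check, while SecPolicyCheckRevocation in the same diff guards its option with isString(value); unless SecCertificateIsAtLeastMinKeySize and SecPolicyCheckCertSignatureHashAlgorithms are known to tolerate NULL or a wrong-typed value, add `if (keySizes == NULL || CFGetTypeID(keySizes) != CFDictionaryGetTypeID()) { return; }` (and the set equivalent), or set a failed result if a malformed option should fail closed. Both functions also use unbraced `if (...) return;` whereas the rest of the new code in this diff braces every control body. The new OpaqueSecRVC struct would benefit from a comment on `done` saying which of orvc/crvc it covers.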
@@ -2528,25 +2597,27 @@ struct OpaqueSecRVC { bool done; }; -typedef struct OpaqueSecRVC *SecRVCRef; -static void SecRVCDelete(SecRVCRef rvc) { - secdebug("alloc", "%p", rvc); - asynchttp_free(&rvc->http); - SecOCSPRequestFinalize(rvc->ocspRequest); - if (rvc->ocspResponse) { - SecOCSPResponseFinalize(rvc->ocspResponse); - rvc->ocspResponse = NULL; - if (rvc->ocspSingleResponse) { - SecOCSPSingleResponseDestroy(rvc->ocspSingleResponse); - rvc->ocspSingleResponse = NULL; +static void SecORVCFinish(SecORVCRef orvc) { + secdebug("alloc", "%p", orvc); + asynchttp_free(&orvc->http); + if (orvc->ocspRequest) { + SecOCSPRequestFinalize(orvc->ocspRequest); + orvc->ocspRequest = NULL; + } + if (orvc->ocspResponse) { + SecOCSPResponseFinalize(orvc->ocspResponse); + orvc->ocspResponse = NULL; + if (orvc->ocspSingleResponse) { + SecOCSPSingleResponseDestroy(orvc->ocspSingleResponse); + orvc->ocspSingleResponse = NULL; } } } /* Return the next responder we should contact for this rvc or NULL if we - exhausted them all. */ -static CFURLRef SecRVCGetNextResponder(SecRVCRef rvc) { + exhausted them all. */ +static CFURLRef SecORVCGetNextResponder(SecORVCRef rvc) { SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX); CFArrayRef ocspResponders = SecCertificateGetOCSPResponders(cert); if (ocspResponders) { 
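Review bot: SecORVCFinish only destroys ocspSingleResponse inside the `if (orvc->ocspResponse)` branch, so if a single response could ever be set while ocspResponse is NULL it would leak; hoisting `if (orvc->ocspSingleResponse) { SecOCSPSingleResponseDestroy(orvc->ocspSingleResponse); orvc->ocspSingleResponse = NULL; }` out of the nested block is harmless if the invariant holds and safer if it does not. The rename from Delete to Finish also deserves a comment saying the orvc memory itself is not freed here, e.g. `/* Release everything owned by orvc; does not free orvc itself. */`.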
@@ -2569,15 +2640,15 @@ static CFURLRef SecRVCGetNextResponder(SecRVCRef rvc) { } /* Fire off an async http request for this certs revocation status, return - false if request was queued, true if we're done. */ -static bool SecRVCFetchNext(SecRVCRef rvc) { - while ((rvc->responder = SecRVCGetNextResponder(rvc))) { + false if request was queued, true if we're done. */ +static bool SecORVCFetchNext(SecORVCRef rvc) { + while ((rvc->responder = SecORVCGetNextResponder(rvc))) { CFDataRef request = SecOCSPRequestGetDER(rvc->ocspRequest); if (!request) goto errOut; - secdebug("ocsp", "Sending http ocsp request for cert %ld", rvc->certIX); - if (!asyncHttpPost(rvc->responder, request, &rvc->http)) { + secinfo("rvc", "Sending http ocsp request for cert %ld", rvc->certIX); + if (!asyncHttpPost(rvc->responder, request, OCSP_RESPONSE_TIMEOUT, &rvc->http)) { /* Async request was posted, wait for reply. */ return false; } 
@@ -2589,52 +2660,52 @@ errOut: } /* Process a verified ocsp response for a given cert. Return true if the - certificate status was obtained. */ + certificate status was obtained. */ static bool SecOCSPSingleResponseProcess(SecOCSPSingleResponseRef this, - SecRVCRef rvc) { + SecORVCRef rvc) { bool processed; switch (this->certStatus) { - case CS_Good: - secdebug("ocsp", "CS_Good for cert %" PRIdCFIndex, rvc->certIX); - /* @@@ Mark cert as valid until a given date (nextUpdate if we have one) - in the info dictionary. */ - //cert.revokeCheckGood(true); - rvc->nextUpdate = this->nextUpdate == NULL_TIME ? this->thisUpdate + kSecDefaultOCSPResponseTTL : this->nextUpdate; - processed = true; - break; - case CS_Revoked: - secdebug("ocsp", "CS_Revoked for cert %" PRIdCFIndex, rvc->certIX); - /* @@@ Mark cert as revoked (with reason) at revocation date in - the info dictionary, or perhaps we should use a different key per - reason? That way a client using exceptions can ignore some but - not all reasons. */ - SInt32 reason = this->crlReason; - CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason); - SecPVCSetResultForced(rvc->pvc, kSecPolicyCheckRevocation, rvc->certIX, - cfreason, true); - if (rvc->pvc && rvc->pvc->info) { - /* make the revocation reason available in the trust result */ - CFDictionarySetValue(rvc->pvc->info, kSecTrustRevocationReason, cfreason); - } - CFRelease(cfreason); - processed = true; - break; - case CS_Unknown: - /* not an error, no per-cert status, nothing here */ - secdebug("ocsp", "CS_Unknown for cert %" PRIdCFIndex, rvc->certIX); - processed = false; - break; - default: - secdebug("ocsp", "BAD certStatus (%d) for cert %" PRIdCFIndex, - (int)this->certStatus, rvc->certIX); - processed = false; - break; + case CS_Good: + secdebug("ocsp", "CS_Good for cert %" PRIdCFIndex, rvc->certIX); + /* @@@ Mark cert as valid until a given date (nextUpdate if we have one) + in the info dictionary. 
*/ + //cert.revokeCheckGood(true); + rvc->nextUpdate = this->nextUpdate == NULL_TIME ? this->thisUpdate + kSecDefaultOCSPResponseTTL : this->nextUpdate; + processed = true; + break; + case CS_Revoked: + secdebug("ocsp", "CS_Revoked for cert %" PRIdCFIndex, rvc->certIX); + /* @@@ Mark cert as revoked (with reason) at revocation date in + the info dictionary, or perhaps we should use a different key per + reason? That way a client using exceptions can ignore some but + not all reasons. */ + SInt32 reason = this->crlReason; + CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason); + SecPVCSetResultForced(rvc->pvc, kSecPolicyCheckRevocation, rvc->certIX, + cfreason, true); + if (rvc->pvc && rvc->pvc->info) { + /* make the revocation reason available in the trust result */ + CFDictionarySetValue(rvc->pvc->info, kSecTrustRevocationReason, cfreason); + } + CFRelease(cfreason); + processed = true; + break; + case CS_Unknown: + /* not an error, no per-cert status, nothing here */ + secdebug("ocsp", "CS_Unknown for cert %" PRIdCFIndex, rvc->certIX); + processed = false; + break; + default: + secnotice("ocsp", "BAD certStatus (%d) for cert %" PRIdCFIndex, + (int)this->certStatus, rvc->certIX); + processed = false; + break; } return processed; } -static void SecRVCUpdatePVC(SecRVCRef rvc) { +static void SecORVCUpdatePVC(SecORVCRef rvc) { if (rvc->ocspSingleResponse) { SecOCSPSingleResponseProcess(rvc->ocspSingleResponse, rvc); } 
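Review bot: In the CS_Revoked case, `rvc->pvc` is dereferenced unconditionally by the SecPVCSetResultForced call two lines before `if (rvc->pvc && rvc->pvc->info)` tests it for NULL, so that half of the guard is either dead or too late; drop the `rvc->pvc &&` part or move the test ahead of SecPVCSetResultForced. `CFNumberCreate` is likewise used and released without a NULL check, although with a stack SInt32 source a failure is unlikely. The rest of the hunk is a re-indent of the switch plus the secdebug→secnotice change in the default case, so nothing else changes behaviour here.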
@@ -2643,90 +2714,151 @@ static void SecRVCUpdatePVC(SecRVCRef rvc) { } } -static bool SecOCSPResponseVerify(SecOCSPResponseRef ocspResponse, SecRVCRef rvc, CFAbsoluteTime verifyTime) { +typedef void (^SecOCSPEvaluationCompleted)(SecTrustResultType tr); + +static void +SecOCSPEvaluateCompleted(const void *userData, + SecCertificatePathRef chain, CFArrayRef details, CFDictionaryRef info, + SecTrustResultType result) { + SecOCSPEvaluationCompleted evaluated = (SecOCSPEvaluationCompleted)userData; + evaluated(result); + Block_release(evaluated); + +} + +static bool SecOCSPResponseEvaluateSigner(SecORVCRef rvc, CFArrayRef signers, CFArrayRef issuers, CFAbsoluteTime verifyTime) { + __block bool evaluated = false; + bool trusted = false; + if (!signers || !issuers) { + return trusted; + } + + /* Verify the signer chain against the OCSPSigner policy, using the issuer chain as anchors. */ + const void *ocspSigner = SecPolicyCreateOCSPSigner(); + CFArrayRef policies = CFArrayCreate(kCFAllocatorDefault, + &ocspSigner, 1, &kCFTypeArrayCallBacks); + CFRelease(ocspSigner); + + SecOCSPEvaluationCompleted completed = Block_copy(^(SecTrustResultType result) { + if (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified) { + evaluated = true; + } + }); + + CFDataRef clientAuditToken = SecPathBuilderCopyClientAuditToken(rvc->pvc->builder); + SecPathBuilderRef oBuilder = SecPathBuilderCreate(clientAuditToken, + signers, issuers, true, false, + policies, NULL, NULL, NULL, + verifyTime, NULL, + SecOCSPEvaluateCompleted, completed); + /* Build the chain(s), evaluate them, call the completed block, free the block and builder */ + SecPathBuilderStep(oBuilder); + CFReleaseNull(clientAuditToken); + CFReleaseNull(policies); + + /* verify the public key of the issuer signed the OCSP signer */ + if (evaluated) { + SecCertificateRef issuer = NULL, signer = NULL; + SecKeyRef issuerPubKey = NULL; + + issuer = (SecCertificateRef)CFArrayGetValueAtIndex(issuers, 0); + signer = 
(SecCertificateRef)CFArrayGetValueAtIndex(signers, 0); + + if (issuer) { +#if TARGET_OS_IPHONE + issuerPubKey = SecCertificateCopyPublicKey(issuer); +#else + issuerPubKey = SecCertificateCopyPublicKey_ios(issuer); +#endif + } + if (signer && issuerPubKey && (errSecSuccess == SecCertificateIsSignedBy(signer, issuerPubKey))) { + trusted = true; + } else { + secnotice("ocsp", "ocsp signer cert not signed by issuer"); + } + CFReleaseNull(issuerPubKey); + } + + return trusted; +} + +static bool SecOCSPResponseVerify(SecOCSPResponseRef ocspResponse, SecORVCRef rvc, CFAbsoluteTime verifyTime) { bool trusted; - SecCertificatePathRef issuer = SecCertificatePathCopyFromParent(rvc->pvc->path, rvc->certIX + 1); - SecCertificatePathRef signer = SecOCSPResponseCopySigner(ocspResponse, issuer); - CFRelease(issuer); - - if (signer) { - if (signer == issuer) { - /* We already know we trust issuer since it's the path we are - trying to verify minus the leaf. */ - secdebug("ocsp", "ocsp responder: %@ response signed by issuer", - rvc->responder); + SecCertificatePathRef issuers = SecCertificatePathCopyFromParent(rvc->pvc->path, rvc->certIX + 1); + SecCertificateRef issuer = issuers ? CFRetainSafe(SecCertificatePathGetCertificateAtIndex(issuers, 0)) : NULL; + CFArrayRef signers = SecOCSPResponseCopySigners(ocspResponse); + SecCertificateRef signer = SecOCSPResponseCopySigner(ocspResponse, issuer); + + if (signer && signers) { + if (issuer && CFEqual(signer, issuer)) { + /* We already know we trust issuer since it's the issuer of the + * cert we are verifying. */ + secinfo("ocsp", "ocsp responder: %@ response signed by issuer", + rvc->responder); trusted = true; } else { - secdebug("ocsp", - "ocsp responder: %@ response signed by cert issued by issuer", - rvc->responder); - /* @@@ Now check that we trust signer. 
*/ - const void *ocspSigner = SecPolicyCreateOCSPSigner(); - CFArrayRef policies = CFArrayCreate(kCFAllocatorDefault, - &ocspSigner, 1, &kCFTypeArrayCallBacks); - CFRelease(ocspSigner); - struct OpaqueSecPVC ospvc; - SecPVCInit(&ospvc, rvc->pvc->builder, policies, verifyTime); - CFRelease(policies); - SecPVCSetPath(&ospvc, signer, NULL); - SecPVCLeafChecks(&ospvc); - if (ospvc.result) { - bool completed = SecPVCPathChecks(&ospvc); - /* If completed is false we are waiting for a callback, this - shouldn't happen since we aren't asking for details, no - revocation checking is done. */ - if (!completed) { - ocspdErrorLog("SecPVCPathChecks unexpectedly started " - "background job!"); - /* @@@ assert() or abort here perhaps? */ - } + secinfo("ocsp", "ocsp responder: %@ response signed by cert issued by issuer", + rvc->responder); + CFMutableArrayRef signerCerts = NULL; + CFArrayRef issuerCerts = NULL; + + /* Ensure the signer cert is the 0th cert for trust evaluation */ + signerCerts = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + CFArrayAppendValue(signerCerts, signer); + CFArrayAppendArray(signerCerts, signers, CFRangeMake(0, CFArrayGetCount(signers))); + + if (issuers) { + issuerCerts = SecCertificatePathCopyCertificates(issuers, NULL); } - if (ospvc.result) { + + if (SecOCSPResponseEvaluateSigner(rvc, signerCerts, issuerCerts, verifyTime)) { secdebug("ocsp", "response satisfies ocspSigner policy (%@)", - rvc->responder); + rvc->responder); trusted = true; } else { /* @@@ We don't trust the cert so don't use this response. */ - ocspdErrorLog("ocsp response signed by certificate which " - "does not satisfy ocspSigner policy"); + secnotice("ocsp", "ocsp response signed by certificate which " + "does not satisfy ocspSigner policy"); trusted = false; } - SecPVCDelete(&ospvc); + CFReleaseNull(signerCerts); + CFReleaseNull(issuerCerts); } - - CFRelease(signer); } else { /* @@@ No signer found for this ocsp response, discard it. 
*/ - secdebug("ocsp", "ocsp responder: %@ no signer found for response", - rvc->responder); + secnotice("ocsp", "ocsp responder: %@ no signer found for response", + rvc->responder); trusted = false; } #if DUMP_OCSPRESPONSES char buf[40]; snprintf(buf, 40, "/tmp/ocspresponse%ld%s.der", - rvc->certIX, (trusted ? "t" : "u")); + rvc->certIX, (trusted ? "t" : "u")); secdumpdata(ocspResponse->data, buf); #endif - + CFReleaseNull(issuers); + CFReleaseNull(issuer); + CFReleaseNull(signers); + CFReleaseNull(signer); return trusted; } -static void SecRVCConsumeOCSPResponse(SecRVCRef rvc, SecOCSPResponseRef ocspResponse /*CF_CONSUMED*/, CFTimeInterval maxAge, bool updateCache) { +static void SecORVCConsumeOCSPResponse(SecORVCRef rvc, SecOCSPResponseRef ocspResponse /*CF_CONSUMED*/, CFTimeInterval maxAge, bool updateCache) { SecOCSPSingleResponseRef sr = NULL; require_quiet(ocspResponse, errOut); SecOCSPResponseStatus orStatus = SecOCSPGetResponseStatus(ocspResponse); require_action_quiet(orStatus == kSecOCSPSuccess, errOut, - secdebug("ocsp", "responder: %@ returned status: %d", rvc->responder, orStatus)); + secnotice("ocsp", "responder: %@ returned status: %d", rvc->responder, orStatus)); require_action_quiet(sr = SecOCSPResponseCopySingleResponse(ocspResponse, rvc->ocspRequest), errOut, - secdebug("ocsp", "ocsp responder: %@ did not include status of requested cert", rvc->responder)); + secnotice("ocsp", "ocsp responder: %@ did not include status of requested cert", rvc->responder)); // Check if this response is fresher than any (cached) response we might still have in the rvc. require_quiet(!rvc->ocspSingleResponse || rvc->ocspSingleResponse->thisUpdate < sr->thisUpdate, errOut); CFAbsoluteTime verifyTime = CFAbsoluteTimeGetCurrent(); /* TODO: If the responder doesn't have the ocsp-nocheck extension we should - check whether the leaf was revoked (we are already checking the rest of - the chain). 
*/ + check whether the leaf was revoked (we are already checking the rest of + the chain). */ /* Check the OCSP response signature and verify the response. */ require_quiet(SecOCSPResponseVerify(ocspResponse, rvc, sr->certStatus == CS_Revoked ? SecOCSPResponseProducedAt(ocspResponse) : verifyTime), errOut); @@ -2764,7 +2896,7 @@ errOut: /* Callback from async http code after an ocsp response has been received. */ static void SecOCSPFetchCompleted(asynchttp_t *http, CFTimeInterval maxAge) { - SecRVCRef rvc = (SecRVCRef)http->info; + SecORVCRef rvc = (SecORVCRef)http->info; SecPVCRef pvc = rvc->pvc; SecOCSPResponseRef ocspResponse = NULL; if (http->response) { 
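Review bot: In SecOCSPResponseEvaluateSigner the result of SecPathBuilderCreate is handed straight to SecPathBuilderStep without a NULL check, and on that failure the Block_copy'd `completed` block is never released because SecOCSPEvaluateCompleted is the only place that calls Block_release on it; guard it as `if (oBuilder) { SecPathBuilderStep(oBuilder); } else { Block_release(completed); }`. The function also reads `evaluated` immediately after SecPathBuilderStep, so the result is only meaningful if the builder invokes the completion synchronously — the comment above the call asserts that, but nothing visible enforces it, and an asynchronous completion would silently report the signer as untrusted. The issuer-key check that follows deserves a why-comment, since it is what binds a delegated responder to the CA beyond the policy evaluation, e.g. `/* RFC 6960 4.2.2.2: a delegated OCSP responder must be directly issued by the CA that issued the certificate in question. */`.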
@@ -2776,189 +2908,498 @@ static void SecOCSPFetchCompleted(asynchttp_t *http, CFTimeInterval maxAge) { } } - SecRVCConsumeOCSPResponse(rvc, ocspResponse, maxAge, true); + SecORVCConsumeOCSPResponse(rvc, ocspResponse, maxAge, true); // TODO: maybe we should set the cache-control: false in the http header and try again if the response is stale if (!rvc->done) { /* Clear the data for the next response. */ asynchttp_free(http); - SecRVCFetchNext(rvc); + SecORVCFetchNext(rvc); } if (rvc->done) { - SecRVCUpdatePVC(rvc); - SecRVCDelete(rvc); + secdebug("rvc", "got OCSP response for cert: %ld", rvc->certIX); + SecORVCUpdatePVC(rvc); + SecORVCFinish(rvc); if (!--pvc->asyncJobCount) { + secdebug("rvc", "done with all async jobs"); SecPathBuilderStep(pvc->builder); } } } -static void SecRVCInit(SecRVCRef rvc, SecPVCRef pvc, CFIndex certIX) { - secdebug("alloc", "%p", rvc); - rvc->pvc = pvc; - rvc->certIX = certIX; - rvc->http.queue = SecPathBuilderGetQueue(pvc->builder); - rvc->http.token = SecPathBuilderCopyClientAuditToken(pvc->builder); - rvc->http.completed = SecOCSPFetchCompleted; - rvc->http.info = rvc; - rvc->ocspRequest = NULL; - rvc->responderIX = 0; - rvc->responder = NULL; - rvc->nextUpdate = NULL_TIME; - rvc->ocspResponse = NULL; - rvc->ocspSingleResponse = NULL; - rvc->done = false; +static SecORVCRef SecORVCCreate(SecRVCRef rvc, SecPVCRef pvc, CFIndex certIX) { + SecORVCRef orvc = NULL; + orvc = malloc(sizeof(struct OpaqueSecORVC)); + if (orvc) { + memset(orvc, 0, sizeof(struct OpaqueSecORVC)); + orvc->pvc = pvc; + orvc->rvc = rvc; + orvc->certIX = certIX; + orvc->http.queue = SecPathBuilderGetQueue(pvc->builder); + orvc->http.token = SecPathBuilderCopyClientAuditToken(pvc->builder); + orvc->http.completed = SecOCSPFetchCompleted; + orvc->http.info = orvc; + orvc->ocspRequest = NULL; + orvc->responderIX = 0; + orvc->responder = NULL; + orvc->nextUpdate = NULL_TIME; + orvc->ocspResponse = NULL; + orvc->ocspSingleResponse = NULL; + orvc->done = false; + + 
SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, certIX); + /* The certIX + 1 is ok here since certCount is always at least 1 + less than the actual number of certs in SecPVCCheckRevocation. */ + SecCertificateRef issuer = SecPVCGetCertificateAtIndex(pvc, certIX + 1); + orvc->ocspRequest = SecOCSPRequestCreate(cert, issuer); + } + return orvc; } - -static bool SecPVCCheckRevocation(SecPVCRef pvc) { - secdebug("ocsp", "checking revocation"); - CFIndex certIX, certCount = SecPVCGetCertificateCount(pvc); - bool completed = true; - if (certCount <= 1) { - /* Can't verify without an issuer; we're done */ - return completed; - } - if (!SecPVCIsAnchored(pvc)) { - /* We can't check revocation for chains without a trusted anchor. */ - return completed; +static void SecORVCProcessStapledResponses(SecORVCRef rvc) { + /* Get stapled OCSP responses */ + CFArrayRef ocspResponsesData = SecPathBuilderCopyOCSPResponses(rvc->pvc->builder); + + if(ocspResponsesData) { + secdebug("rvc", "Checking stapled responses for cert %ld", rvc->certIX); + CFArrayForEach(ocspResponsesData, ^(const void *value) { + SecOCSPResponseRef ocspResponse = SecOCSPResponseCreate(value); + SecORVCConsumeOCSPResponse(rvc, ocspResponse, NULL_TIME, false); + }); + CFRelease(ocspResponsesData); } - certCount--; +} -#if 0 - /* TODO: Implement getting this value from the client. - Optional responder passed in though policy. */ - CFURLRef localResponder = NULL; - /* Generate a nonce in outgoing request if true. */ - bool genNonce = false; - /* Require a nonce in response if true. 
*/ - bool requireRespNonce = false; - bool cacheReadDisable = false; - bool cacheWriteDisable = false; -#endif +// MARK: SecCRVCRef +/******************************************************** + ******************* CRL RVC Functions ****************** + ********************************************************/ +#if ENABLE_CRLS +#include <../trustd/SecTrustOSXEntryPoints.h> +OSStatus errSecCertificateRevoked = -67820; +#define kSecDefaultCRLTTL kSecDefaultOCSPResponseTTL - if (pvc->rvcs) { - /* We have done revocation checking already, we're done. */ - secdebug("ocsp", "Not rechecking revocation"); - return completed; - } +/* CRL Revocation verification context. */ +struct OpaqueSecCRVC { + /* Response data from ocspd. Yes, ocspd does CRLs, but not OCSP... */ + async_ocspd_t async_ocspd; - /* Setup things so we check revocation status of all certs except the - anchor. */ - pvc->rvcs = calloc(sizeof(struct OpaqueSecRVC), certCount); + /* Pointer to the pvc for this revocation check. */ + SecPVCRef pvc; -#if 0 - /* Lookup cached revocation data for each certificate. */ - for (certIX = 0; certIX < certCount; ++certIX) { - SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX); - CFArrayRef ocspResponders = SecCertificateGetOCSPResponders(cert); - if (ocspResponders) { - /* First look though passed in ocsp responses. */ - //SecPVCGetOCSPResponseForCertificateAtIndex(pvc, ix, singleResponse); - - /* Then look though shared cache (we don't care which responder - something came from here). */ - CFDataRef ocspResponse = SecOCSPCacheCopyMatching(SecCertIDRef certID, NULL); - - /* Now let's parse the response. */ - if (decodeOCSPResponse(ocspResp)) { - secdebug("ocsp", "response ok: %@", ocspResp); - } else { - secdebug("ocsp", "response bad: %@", ocspResp); - /* ocsp response not ok. 
*/ - if (!SecPVCSetResultForced(pvc, key, ix, kCFBooleanFalse, true)) - return completed; - } - CFReleaseSafe(ocspResp); - } else { - /* Check if certificate has any crl distributionPoints. */ - CFArrayRef distributionPoints = SecCertificateGetCRLDistributionPoints(cert); - if (distributionPoints) { - /* Look for a cached CRL and potentially delta CRL for this certificate. */ - } - } - } -#endif + /* Pointer to the generic rvc for this revocation check */ + SecRVCRef rvc; - /* Note that if we are multi threaded and a job completes after it - is started but before we return from this function, we don't want - a callback to decrement asyncJobCount to zero before we finish issuing - all the jobs. To avoid this we pretend we issued certCount async jobs, - and decrement pvc->asyncJobCount for each cert that we don't start a - background fetch for. */ - pvc->asyncJobCount = (unsigned int) certCount; + /* The current CRL status from ocspd. */ + OSStatus status; - /* Loop though certificates again and issue an ocsp fetch if the - revocation status checking isn't done yet. */ - for (certIX = 0; certIX < certCount; ++certIX) { - secdebug("ocsp", "checking revocation for cert: %ld", certIX); - SecRVCRef rvc = &((SecRVCRef)pvc->rvcs)[certIX]; - SecRVCInit(rvc, pvc, certIX); - if (rvc->done) - continue; + /* Index of cert in pvc that this RVC is for 0 = leaf, etc. */ + CFIndex certIX; - SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, - rvc->certIX); - /* The certIX + 1 is ok here since certCount is always at least 1 - less than the actual number of certs. 
*/ - SecCertificateRef issuer = SecPVCGetCertificateAtIndex(rvc->pvc, - rvc->certIX + 1); - - rvc->ocspRequest = SecOCSPRequestCreate(cert, issuer); - - /* Get stapled OCSP responses */ - CFArrayRef ocspResponsesData = SecPathBuilderCopyOCSPResponses(pvc->builder); - - /* If we have any OCSP stapled responses, check those first */ - if(ocspResponsesData) { - secdebug("ocsp", "Checking stapled responses for cert %ld", certIX); - CFArrayForEach(ocspResponsesData, ^(const void *value) { - /* TODO: Should the builder already have the appropriate SecOCSPResponseRef ? */ - SecOCSPResponseRef ocspResponse = SecOCSPResponseCreate(value); - SecRVCConsumeOCSPResponse(rvc, ocspResponse, NULL_TIME, false); - }); - CFRelease(ocspResponsesData); - } + /* Index in array returned by SecCertificateGetCRLDistributionPoints() for + current distribution point. */ + CFIndex distributionPointIX; - /* Then check the cached response */ - secdebug("ocsp", "Checking cached responses for cert %ld", certIX); - SecRVCConsumeOCSPResponse(rvc, SecOCSPCacheCopyMatching(rvc->ocspRequest, NULL), NULL_TIME, false); + /* URL of current distribution point. */ + CFURLRef distributionPoint; - /* If the cert is EV or if revocation checking was explicitly enabled, attempt to fire off an - async http request for this cert's revocation status, unless we already successfully checked - the revocation status of this cert based on the cache or stapled responses, */ - bool allow_fetch = SecPathBuilderCanAccessNetwork(pvc->builder) && (pvc->is_ev || pvc->check_revocation); - bool fetch_done = true; - if (rvc->done || !allow_fetch || - (fetch_done = SecRVCFetchNext(rvc))) { - /* We got a cache hit or we aren't allowed to access the network, - or the async http post failed. */ - SecRVCUpdatePVC(rvc); - SecRVCDelete(rvc); - /* We didn't really start a background job for this cert. */ - pvc->asyncJobCount--; - } else if (!fetch_done) { - /* We started at least one background fetch. 
*/ - completed = false; + /* Date until which this revocation status is valid. */ + CFAbsoluteTime nextUpdate; + + bool done; +}; + +static void SecCRVCFinish(SecCRVCRef crvc) { + // nothing yet +} + +static CFURLRef SecCRVCGetNextDistributionPoint(SecCRVCRef rvc) { + SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX); + CFArrayRef crlDPs = SecCertificateGetCRLDistributionPoints(cert); + if (crlDPs) { + CFIndex crlDPCount = CFArrayGetCount(crlDPs); + while (rvc->distributionPointIX < crlDPCount) { + CFURLRef distributionPoint = CFArrayGetValueAtIndex(crlDPs, rvc->distributionPointIX); + rvc->distributionPointIX++; + CFStringRef scheme = CFURLCopyScheme(distributionPoint); + if (scheme) { + /* We only support http and https responders currently. */ + bool valid_DP = (CFEqual(CFSTR("http"), scheme) || + CFEqual(CFSTR("https"), scheme) || + CFEqual(CFSTR("ldap"), scheme)); + CFRelease(scheme); + if (valid_DP) + return distributionPoint; + } } } - - /* Return false if we started any background jobs. */ - /* We can't just return !pvc->asyncJobCount here, since if we started any - jobs the completion callback will be called eventually and it will call - SecPathBuilderStep(). If for some reason everything completed before we - get here we still want the outer SecPathBuilderStep() to terminate so we - keep track of whether we started any jobs and return false if so. 
*/ - return completed; + return NULL; } +static void SecCRVCGetCRLStatus(SecCRVCRef rvc) { + SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX); + SecCertificatePathRef path = rvc->pvc->path; + CFArrayRef serializedCertPath = SecCertificatePathCreateSerialized(path, NULL); + secdebug("rvc", "searching CRL cache for cert: %ld", rvc->certIX); + rvc->status = SecTrustLegacyCRLStatus(cert, serializedCertPath, rvc->distributionPoint); + CFReleaseNull(serializedCertPath); + /* we got a response indicating that the CRL was checked */ + if (rvc->status == errSecSuccess || rvc->status == errSecCertificateRevoked) { + rvc->done = true; + /* ocspd doesn't give us the nextUpdate time, so set to default */ + rvc->nextUpdate = SecPVCGetVerifyTime(rvc->pvc) + kSecDefaultCRLTTL; + } +} -void SecPolicyServerInitalize(void) { - gSecPolicyLeafCallbacks = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, - &kCFTypeDictionaryKeyCallBacks, NULL); - gSecPolicyPathCallbacks = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, - &kCFTypeDictionaryKeyCallBacks, NULL); +static void SecCRVCCheckRevocationCache(SecCRVCRef rvc) { + while ((rvc->distributionPoint = SecCRVCGetNextDistributionPoint(rvc))) { + SecCRVCGetCRLStatus(rvc); + if (rvc->status == errSecCertificateRevoked) { + return; + } + } +} + +/* Fire off an async http request for this certs revocation status, return + false if request was queued, true if we're done. 
*/ +static bool SecCRVCFetchNext(SecCRVCRef rvc) { + while ((rvc->distributionPoint = SecCRVCGetNextDistributionPoint(rvc))) { + SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX); + SecCertificatePathRef path = rvc->pvc->path; + CFArrayRef serializedCertPath = SecCertificatePathCreateSerialized(path, NULL); + secinfo("rvc", "fetching CRL for cert: %ld", rvc->certIX); + if (!SecTrustLegacyCRLFetch(&rvc->async_ocspd, rvc->distributionPoint, + CFAbsoluteTimeGetCurrent(), cert, serializedCertPath)) { + CFDataRef clientAuditToken = NULL; + SecTaskRef task = NULL; + audit_token_t auditToken = {}; + clientAuditToken = SecPathBuilderCopyClientAuditToken(rvc->pvc->builder); + require(clientAuditToken, out); + require(sizeof(auditToken) == CFDataGetLength(clientAuditToken), out); + CFDataGetBytes(clientAuditToken, CFRangeMake(0, sizeof(auditToken)), (uint8_t *)&auditToken); + require(task = SecTaskCreateWithAuditToken(NULL, auditToken), out); + secnotice("rvc", "asynchronously fetching CRL (%@) for client (%@)", + rvc->distributionPoint, task); + + out: + CFReleaseNull(clientAuditToken); + CFReleaseNull(task); + /* Async request was posted, wait for reply. 
*/ + return false; + } + } + rvc->done = true; + return true; +} + +static void SecCRVCUpdatePVC(SecCRVCRef rvc) { + if (rvc->status == errSecCertificateRevoked) { + secdebug("rvc", "CRL revoked cert %" PRIdCFIndex, rvc->certIX); + SInt32 reason = 0; // unspecified, since ocspd didn't tell us + CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason); + SecPVCSetResultForced(rvc->pvc, kSecPolicyCheckRevocation, rvc->certIX, + cfreason, true); + if (rvc->pvc && rvc->pvc->info) { + /* make the revocation reason available in the trust result */ + CFDictionarySetValue(rvc->pvc->info, kSecTrustRevocationReason, cfreason); + } + CFReleaseNull(cfreason); + } +} + +static void SecCRVCFetchCompleted(async_ocspd_t *ocspd) { + SecCRVCRef rvc = ocspd->info; + SecPVCRef pvc = rvc->pvc; + /* we got a response indicating that the CRL was checked */ + if (ocspd->response == errSecSuccess || ocspd->response == errSecCertificateRevoked) { + rvc->status = ocspd->response; + rvc->done = true; + /* ocspd doesn't give us the nextUpdate time, so set to default */ + rvc->nextUpdate = SecPVCGetVerifyTime(rvc->pvc) + kSecDefaultCRLTTL; + secdebug("rvc", "got CRL response for cert: %ld", rvc->certIX); + SecCRVCUpdatePVC(rvc); + SecCRVCFinish(rvc); + if (!--pvc->asyncJobCount) { + secdebug("rvc", "done with all async jobs"); + SecPathBuilderStep(pvc->builder); + } + } else { + if(SecCRVCFetchNext(rvc)) { + if (!--pvc->asyncJobCount) { + secdebug("rvc", "done with all async jobs"); + SecPathBuilderStep(pvc->builder); + } + } + } +} + +static SecCRVCRef SecCRVCCreate(SecRVCRef rvc, SecPVCRef pvc, CFIndex certIX) { + SecCRVCRef crvc = NULL; + crvc = malloc(sizeof(struct OpaqueSecCRVC)); + if (crvc) { + memset(crvc, 0, sizeof(struct OpaqueSecCRVC)); + crvc->pvc = pvc; + crvc->rvc = rvc; + crvc->certIX = certIX; + crvc->status = errSecInternal; + crvc->distributionPointIX = 0; + crvc->distributionPoint = NULL; + crvc->nextUpdate = NULL_TIME; + 
crvc->async_ocspd.queue = SecPathBuilderGetQueue(pvc->builder); + crvc->async_ocspd.completed = SecCRVCFetchCompleted; + crvc->async_ocspd.response = errSecInternal; + crvc->async_ocspd.info = crvc; + crvc->done = false; + } + return crvc; +} + +static bool SecRVCShouldCheckCRL(SecRVCRef rvc) { + if (rvc->pvc->check_revocation && + CFEqual(kSecPolicyCheckRevocationCRL, rvc->pvc->check_revocation)) { + /* Our client insists on CRLs */ + secinfo("rvc", "client told us to check CRL"); + return true; + } + SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX); + CFArrayRef ocspResponders = SecCertificateGetOCSPResponders(cert); + if ((!ocspResponders || CFArrayGetCount(ocspResponders) == 0) && + (rvc->pvc->check_revocation && !CFEqual(kSecPolicyCheckRevocationOCSP, rvc->pvc->check_revocation))) { + /* The cert doesn't have OCSP responders and the client didn't specifically ask for OCSP. + * This logic will skip the CRL cache check if the client didn't ask for revocation checking */ + secinfo("rvc", "client told us to check revocation and CRL is only option for cert: %ld", rvc->certIX); + return true; + } + return false; +} +#endif /* ENABLE_CRLS */ + +static void SecRVCFinish(SecRVCRef rvc) { + if (rvc->orvc) { + SecORVCFinish(rvc->orvc); + } +#if ENABLE_CRLS + if (rvc->crvc) { + SecCRVCFinish(rvc->crvc); + } +#endif +} + +static void SecRVCDelete(SecRVCRef rvc) { + if (rvc->orvc) { + SecORVCFinish(rvc->orvc); + free(rvc->orvc); + } +#if ENABLE_CRLS + if (rvc->crvc) { + SecCRVCFinish(rvc->crvc); + free(rvc->crvc); + } +#endif +} + +static void SecRVCInit(SecRVCRef rvc, SecPVCRef pvc, CFIndex certIX) { + secdebug("alloc", "%p", rvc); + rvc->pvc = pvc; + rvc->certIX = certIX; + rvc->orvc = SecORVCCreate(rvc, pvc, certIX); +#if ENABLE_CRLS + rvc->crvc = SecCRVCCreate(rvc, pvc, certIX); +#endif + rvc->done = false; +} + +static void SecRVCUpdatePVC(SecRVCRef rvc) { + SecORVCUpdatePVC(rvc->orvc); +#if ENABLE_CRLS + SecCRVCUpdatePVC(rvc->crvc); +#endif 
+} + +#if ENABLE_CRLS +static bool SecRVCShouldCheckOCSP(SecRVCRef rvc) { + if (!rvc->pvc->check_revocation + || !CFEqual(rvc->pvc->check_revocation, kSecPolicyCheckRevocationCRL)) { + return true; + } + return false; +} +#else +static bool SecRVCShouldCheckOCSP(SecRVCRef rvc) { + return true; +} +#endif + +static void SecRVCCheckRevocationCaches(SecRVCRef rvc) { + /* Don't check OCSP cache if CRLs enabled and policy requested CRL only */ + if (SecRVCShouldCheckOCSP(rvc)) { + secdebug("ocsp", "Checking cached responses for cert %ld", rvc->certIX); + SecORVCConsumeOCSPResponse(rvc->orvc, + SecOCSPCacheCopyMatching(rvc->orvc->ocspRequest, NULL), + NULL_TIME, false); + } +#if ENABLE_CRLS + /* Don't check CRL cache if policy requested OCSP only */ + if (SecRVCShouldCheckCRL(rvc)) { + SecCRVCCheckRevocationCache(rvc->crvc); + } +#endif +} + +static bool SecRVCFetchNext(SecRVCRef rvc) { + bool OCSP_fetch_finished = true; + /* Don't send OCSP request only if CRLs enabled and policy requested CRL only */ + if (SecRVCShouldCheckOCSP(rvc)) { + OCSP_fetch_finished &= SecORVCFetchNext(rvc->orvc); + } + if (OCSP_fetch_finished) { + /* we didn't start an OCSP background job for this cert */ + rvc->pvc->asyncJobCount--; + } + +#if ENABLE_CRLS + bool CRL_fetch_finished = true; + /* Don't check CRL cache if policy requested OCSP only */ + if (SecRVCShouldCheckCRL(rvc)) { + /* reset the distributionPointIX because we already iterated through the CRLDPs + * in SecCRVCCheckRevocationCache */ + rvc->crvc->distributionPointIX = 0; + CRL_fetch_finished &= SecCRVCFetchNext(rvc->crvc); + } + if (CRL_fetch_finished) { + /* we didn't start a CRL background job for this cert */ + rvc->pvc->asyncJobCount--; + } + OCSP_fetch_finished &= CRL_fetch_finished; +#endif + + return OCSP_fetch_finished; +} + +static bool SecPVCCheckRevocation(SecPVCRef pvc) { + secdebug("rvc", "checking revocation"); + CFIndex certIX, certCount = SecPVCGetCertificateCount(pvc); + bool completed = true; + if (certCount 
<= 1) { + /* Can't verify without an issuer; we're done */ + return completed; + } + + /* + * Don't need to call SecPVCIsAnchored; having an issuer is sufficient here. + * We can't check revocation for the final cert in the chain. + */ + certCount--; + + if (pvc->rvcs) { + /* We have done revocation checking already, we're done. */ + secdebug("rvc", "Not rechecking revocation"); + return completed; + } + + /* Setup things so we check revocation status of all certs except the + anchor. */ + pvc->rvcs = calloc(sizeof(struct OpaqueSecRVC), certCount); + + /* Note that if we are multi threaded and a job completes after it + is started but before we return from this function, we don't want + a callback to decrement asyncJobCount to zero before we finish issuing + all the jobs. To avoid this we pretend we issued certCount async jobs, + and decrement pvc->asyncJobCount for each cert that we don't start a + background fetch for. */ +#if !ENABLE_CRLS + pvc->asyncJobCount = (unsigned int) certCount; +#else + /* If we enable CRLS, we may end up with two async jobs per cert: one + * for OCSP and one for fetching the CRL */ + pvc->asyncJobCount = 2 * (unsigned int)certCount; +#endif + secdebug("rvc", "set asyncJobCount to %d", pvc->asyncJobCount); + + /* Loop though certificates again and issue an ocsp fetch if the + revocation status checking isn't done yet. */ + for (certIX = 0; certIX < certCount; ++certIX) { + secdebug("rvc", "checking revocation for cert: %ld", certIX); + SecRVCRef rvc = &((SecRVCRef)pvc->rvcs)[certIX]; + SecRVCInit(rvc, pvc, certIX); + if (rvc->done){ + continue; + } + /* Ignore stapled OCSP responses only if CRLs are enabled and the + * policy specifically requested CRLs only. */ + if (SecRVCShouldCheckOCSP(rvc)) { + /* If we have any OCSP stapled responses, check those first */ + SecORVCProcessStapledResponses(rvc->orvc); + } + + /* Then check the caches for revocation results. 
*/ + SecRVCCheckRevocationCaches(rvc); + + /* The check is done if we found cached responses from either method. */ + if (rvc->orvc->done +#if ENABLE_CRLS + || rvc->orvc->done +#endif + ) { + secdebug("rvc", "found cached response for cert: %ld", certIX); + rvc->done = true; + } + + /* If the cert is EV or if revocation checking was explicitly enabled, attempt to fire off an + async http request for this cert's revocation status, unless we already successfully checked + the revocation status of this cert based on the cache or stapled responses, */ + bool allow_fetch = SecPathBuilderCanAccessNetwork(pvc->builder) && (pvc->is_ev || pvc->check_revocation); + bool fetch_done = true; + if (rvc->done || !allow_fetch) { + /* We got a cache hit or we aren't allowed to access the network */ + SecRVCUpdatePVC(rvc); + SecRVCFinish(rvc); + /* We didn't really start any background jobs for this cert. */ + pvc->asyncJobCount--; +#if ENABLE_CRLS + pvc->asyncJobCount--; +#endif + secdebug("rvc", "not fetching and job count is %d for cert %ld", pvc->asyncJobCount, certIX); + } else { + fetch_done = SecRVCFetchNext(rvc); + } + if (!fetch_done) { + /* We started at least one background fetch. */ + secdebug("rvc", "waiting on background fetch for cert %ld", certIX); + completed = false; + } + } + + /* Return false if we started any background jobs. */ + /* We can't just return !pvc->asyncJobCount here, since if we started any + jobs the completion callback will be called eventually and it will call + SecPathBuilderStep(). If for some reason everything completed before we + get here we still want the outer SecPathBuilderStep() to terminate so we + keep track of whether we started any jobs and return false if so. 
*/ + return completed; +} + +static CFAbsoluteTime SecRVCGetEarliestNextUpdate(SecRVCRef rvc) { + CFAbsoluteTime enu = NULL_TIME; + enu = rvc->orvc->nextUpdate; +#if ENABLE_CRLS + CFAbsoluteTime crlNextUpdate = rvc->crvc->nextUpdate; + if (enu == NULL_TIME || + ((crlNextUpdate > NULL_TIME) && (enu > crlNextUpdate))) { + /* We didn't check OCSP or CRL next update time was sooner */ + enu = crlNextUpdate; + } +#endif + return enu; +} + + +void SecPolicyServerInitalize(void) { + gSecPolicyLeafCallbacks = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, NULL); + gSecPolicyPathCallbacks = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, NULL); CFDictionaryAddValue(gSecPolicyPathCallbacks, kSecPolicyCheckBasicCertificateProcessing, @@ -2976,8 +3417,8 @@ void SecPolicyServerInitalize(void) { kSecPolicyCheckExtendedKeyUsage, SecPolicyCheckExtendedKeyUsage); CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckBasicContraints, - SecPolicyCheckBasicContraints); + kSecPolicyCheckBasicConstraints, + SecPolicyCheckBasicConstraints); CFDictionaryAddValue(gSecPolicyLeafCallbacks, kSecPolicyCheckNonEmptySubject, SecPolicyCheckNonEmptySubject); @@ -3017,9 +3458,9 @@ void SecPolicyServerInitalize(void) { CFDictionaryAddValue(gSecPolicyPathCallbacks, kSecPolicyCheckAnchorSHA1, SecPolicyCheckAnchorSHA1); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckIntermediateSPKISHA256, - SecPolicyCheckIntermediateSPKISHA256); + CFDictionaryAddValue(gSecPolicyPathCallbacks, + kSecPolicyCheckAnchorSHA256, + SecPolicyCheckAnchorSHA256); CFDictionaryAddValue(gSecPolicyPathCallbacks, kSecPolicyCheckAnchorApple, SecPolicyCheckAnchorApple); 
@@ -3053,6 +3494,15 @@ void SecPolicyServerInitalize(void) { CFDictionaryAddValue(gSecPolicyLeafCallbacks, kSecPolicyCheckLeafMarkerOid, SecPolicyCheckLeafMarkerOid); + CFDictionaryAddValue(gSecPolicyLeafCallbacks, + kSecPolicyCheckLeafMarkerOidWithoutValueCheck, + SecPolicyCheckLeafMarkerOidWithoutValueCheck); + CFDictionaryAddValue(gSecPolicyPathCallbacks, + kSecPolicyCheckIntermediateSPKISHA256, + SecPolicyCheckIntermediateSPKISHA256); + CFDictionaryAddValue(gSecPolicyPathCallbacks, + kSecPolicyCheckIntermediateEKU, + SecPolicyCheckIntermediateEKU); CFDictionaryAddValue(gSecPolicyPathCallbacks, kSecPolicyCheckIntermediateMarkerOid, SecPolicyCheckIntermediateMarkerOid); 
@@ -3068,53 +3518,12 @@ void SecPolicyServerInitalize(void) { CFDictionaryAddValue(gSecPolicyPathCallbacks, kSecPolicyCheckWeakRoot, SecPolicyCheckWeakRoot); -} - -/* AUDIT[securityd](done): - array (ok) is a caller provided array, only its cf type has - been checked. - The options (ok) field ends up in policy->_options unchecked, so every access - of policy->_options needs to be validated. - */ -static SecPolicyRef SecPolicyCreateWithArray(CFArrayRef array) { - SecPolicyRef policy = NULL; - require_quiet(array && CFArrayGetCount(array) == 2, errOut); - CFStringRef oid = (CFStringRef)CFArrayGetValueAtIndex(array, 0); - require_quiet(isString(oid), errOut); - CFDictionaryRef options = (CFDictionaryRef)CFArrayGetValueAtIndex(array, 1); - require_quiet(isDictionary(options), errOut); - policy = SecPolicyCreate(oid, options); -errOut: - return policy; -} - -/* AUDIT[securityd](done): - value (ok) is an element in a caller provided array. - */ -static void deserializePolicy(const void *value, void *context) { - CFArrayRef policyArray = (CFArrayRef)value; - if (isArray(policyArray)) { - CFTypeRef deserializedPolicy = SecPolicyCreateWithArray(policyArray); - if (deserializedPolicy) { - CFArrayAppendValue((CFMutableArrayRef)context, deserializedPolicy); - CFRelease(deserializedPolicy); - } - } -} - -/* AUDIT[securityd](done): - serializedPolicies (ok) is a caller provided array, only its cf type has - been checked. 
- */ -CFArrayRef SecPolicyArrayDeserialize(CFArrayRef serializedPolicies) { - CFMutableArrayRef result = NULL; - require_quiet(isArray(serializedPolicies), errOut); - CFIndex count = CFArrayGetCount(serializedPolicies); - result = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks); - CFRange all_policies = { 0, count }; - CFArrayApplyFunction(serializedPolicies, all_policies, deserializePolicy, result); -errOut: - return result; + CFDictionaryAddValue(gSecPolicyPathCallbacks, + kSecPolicyCheckKeySize, + SecPolicyCheckKeySize); + CFDictionaryAddValue(gSecPolicyPathCallbacks, + kSecPolicyCheckSignatureHashAlgorithms, + SecPolicyCheckSignatureHashAlgorithms); } // MARK: - @@ -3141,7 +3550,7 @@ void SecPVCInit(SecPVCRef pvc, SecPathBuilderRef builder, CFArrayRef policies, pvc->policyIX = 0; pvc->rvcs = NULL; pvc->asyncJobCount = 0; - pvc->check_revocation = false; + pvc->check_revocation = NULL; pvc->response_required = false; pvc->optionally_ev = false; pvc->is_ev = false; @@ -3151,6 +3560,11 @@ void SecPVCInit(SecPVCRef pvc, SecPathBuilderRef builder, CFArrayRef policies, static void SecPVCDeleteRVCs(SecPVCRef pvc) { secdebug("alloc", "%p", pvc); if (pvc->rvcs) { + CFIndex certIX, certCount = SecPVCGetCertificateCount(pvc) - 1; + for (certIX = 0; certIX < certCount; ++certIX) { + SecRVCRef rvc = &((SecRVCRef)pvc->rvcs)[certIX]; + SecRVCDelete(rvc); + } free(pvc->rvcs); pvc->rvcs = NULL; } 
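Review bot: SecPVCDeleteRVCs derives how many contexts to tear down from the current path (`SecPVCGetCertificateCount(pvc) - 1`) rather than from the size the array was allocated with, so it is only correct as long as `pvc->rvcs` and `pvc->path` are always updated together; SecPVCSetPath in the next hunk preserves that by deleting before replacing the path, but any other path change would make this loop run past the allocation or stop short and leak contexts. Recording the count beside the allocation (a new field set where rvcs is calloc'd, e.g. `pvc->rvcCount = certCount;`) and iterating over that would make the destructor independent of path state and avoid the case where a certificate count of 0 turns the bound negative. A one-line comment on the loop stating the invariant it relies on would help either way.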
@@ -3165,15 +3579,18 @@ void SecPVCDelete(SecPVCRef pvc) { policy_tree_prune(&pvc->valid_policy_tree); } SecPVCDeleteRVCs(pvc); + CFReleaseNull(pvc->path); } void SecPVCSetPath(SecPVCRef pvc, SecCertificatePathRef path, CF_CONSUMED CFArrayRef details) { secdebug("policy", "%@", path); - if (pvc->path != path) { + bool samePath = ((!path && !pvc->path) || (path && pvc->path && CFEqual(path, pvc->path))); + if (!samePath) { /* Changing path makes us clear the Revocation Verification Contexts */ SecPVCDeleteRVCs(pvc); - pvc->path = path; + CFReleaseSafe(pvc->path); + pvc->path = CFRetainSafe(path); } pvc->details = details; CFReleaseNull(pvc->info); @@ -3181,7 +3598,7 @@ void SecPVCSetPath(SecPVCRef pvc, SecCertificatePathRef path, policy_tree_prune(&pvc->valid_policy_tree); } pvc->policyIX = 0; - pvc->result = true; + pvc->result = true; } SecPolicyRef SecPVCGetPolicy(SecPVCRef pvc) { @@ -3200,14 +3617,14 @@ bool SecPVCIsCertificateAtIndexSelfSigned(SecPVCRef pvc, CFIndex ix) { return SecCertificatePathSelfSignedIndex(pvc->path) == ix; } -void SecPVCSetCheckRevocation(SecPVCRef pvc) { - pvc->check_revocation = true; - secdebug("ocsp", "deferred revocation checking enabled"); +void SecPVCSetCheckRevocation(SecPVCRef pvc, CFStringRef method) { + pvc->check_revocation = method; + secdebug("rvc", "deferred revocation checking enabled using %@ method", method); } void SecPVCSetCheckRevocationResponseRequired(SecPVCRef pvc) { pvc->response_required = true; - secdebug("ocsp", "revocation response required"); + secdebug("rvc", "revocation response required"); } bool SecPVCIsAnchored(SecPVCRef pvc) { 
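Review bot: The new `samePath` test in SecPVCSetPath spells out the NULL cases by hand; if the project's `CFEqualSafe` helper is available in this file, `bool samePath = CFEqualSafe(path, pvc->path);` expresses the same three cases in one call and is easier to audit. Moving from pointer identity to CFEqual also changes when the revocation contexts survive: an equal but distinct path object now keeps the old `pvc->path` and its RVCs, which is presumably the intent, but a short comment saying that equal paths deliberately share cached revocation state would save the next reader from re-deriving it. The retain added here is balanced by the `CFReleaseNull(pvc->path)` added to SecPVCDelete in this hunk, which requires SecPVCInit to start `pvc->path` as NULL; that initialiser is outside the hunk.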
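Review bot: SecPVCSetCheckRevocation stores `method` into the new CFStringRef field without retaining it, and neither SecPVCInit (which sets it to NULL in the hunk above) nor SecPVCDelete releases it, so the field is a borrowed reference whose lifetime depends on whoever owns the string. If `method` is always a constant such as kSecPolicyCheckRevocationCRL this is fine but should be stated next to `CFStringRef check_revocation;` in the SecPolicyServer.h hunk later in this diff, e.g. `/* borrowed, not retained: expected to be a kSecPolicyCheckRevocation... constant */`; if it can come from a caller-provided options dictionary, pair `CFRetainSafe` here with a `CFReleaseNull` in SecPVCDelete instead. SecPVCCheckRevocation compares the field with CFEqual against kSecPolicyCheckRevocationCRL, so the code already treats it as a value rather than an identity, which is consistent with either choice.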
@@ -3218,6 +3635,54 @@ CFAbsoluteTime SecPVCGetVerifyTime(SecPVCRef pvc) { return pvc->verifyTime; } +static int32_t detailKeyToCssmErr(CFStringRef key) { + int32_t result = 0; + + if (CFEqual(key, kSecPolicyCheckSSLHostname)) { + result = -2147408896; // CSSMERR_APPLETP_HOSTNAME_MISMATCH + } + else if (CFEqual(key, kSecPolicyCheckEmail)) { + result = -2147408872; // CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND + } + else if (CFEqual(key, kSecPolicyCheckValidLeaf) || + CFEqual(key, kSecPolicyCheckValidIntermediates) || + CFEqual(key, kSecPolicyCheckValidRoot)) { + result = -2147409654; // CSSMERR_TP_CERT_EXPIRED + } + + return result; +} + +static bool SecPVCMeetsConstraint(SecPVCRef pvc, SecCertificateRef certificate, CFDictionaryRef constraint); + +static bool SecPVCIsAllowedError(SecPVCRef pvc, CFIndex ix, CFStringRef key) { + bool result = false; + CFArrayRef constraints = SecCertificatePathGetUsageConstraintsAtIndex(pvc->path, ix); + SecCertificateRef cert = SecCertificatePathGetCertificateAtIndex(pvc->path, ix); + CFIndex constraintIX, constraintCount = CFArrayGetCount(constraints); + + for (constraintIX = 0; constraintIX < constraintCount; constraintIX++) { + CFDictionaryRef constraint = (CFDictionaryRef)CFArrayGetValueAtIndex(constraints, constraintIX); + CFNumberRef allowedErrorNumber = NULL; + if (!isDictionary(constraint)) { + continue; + } + allowedErrorNumber = (CFNumberRef)CFDictionaryGetValue(constraint, kSecTrustSettingsAllowedError); + int32_t allowedErrorValue = 0; + if (!isNumber(allowedErrorNumber) || !CFNumberGetValue(allowedErrorNumber, kCFNumberSInt32Type, &allowedErrorValue)) { + continue; + } + + if (SecPVCMeetsConstraint(pvc, cert, constraint)) { + if (allowedErrorValue == detailKeyToCssmErr(key)) { + result = true; + break; + } + } + } + return result; +} + /* AUDIT[securityd](done): policy->_options is a caller provided dictionary, only its cf type has been checked. 
@@ -3225,7 +3690,7 @@ CFAbsoluteTime SecPVCGetVerifyTime(SecPVCRef pvc) { bool SecPVCSetResultForced(SecPVCRef pvc, CFStringRef key, CFIndex ix, CFTypeRef result, bool force) { - secdebug("policy", "cert[%d]: %@ =(%s)[%s]> %@", (int) ix, key, + secnotice("policy", "cert[%d]: %@ =(%s)[%s]> %@", (int) ix, key, (pvc->callbacks == gSecPolicyLeafCallbacks ? "leaf" : (pvc->callbacks == gSecPolicyPathCallbacks ? "path" : "custom")), @@ -3242,8 +3707,13 @@ bool SecPVCSetResultForced(SecPVCRef pvc, return true; } - /* @@@ Check to see if the SecTrustSettings for the certificate in question + /* Check to see if the SecTrustSettings for the certificate in question tell us to ignore this error. */ + if (SecPVCIsAllowedError(pvc, ix, key)) { + secinfo("policy", "cert[%d]: skipped allowed error %@", (int) ix, key); + return true; + } + pvc->result = false; if (!pvc->details) return false; @@ -3353,16 +3823,18 @@ bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix) { } else { /* Perform intermediate specific checks. */ - /* (k) */ - const SecCEBasicConstraints *bc = - SecCertificateGetBasicConstraints(cert); - if (!bc || !bc->isCA) { - /* Basic constraints not present or not marked as isCA, illegal. */ - if (!SecPVCSetResultForced(pvc, kSecPolicyCheckBasicContraints, - ix, kCFBooleanFalse, true)) - goto errOut; - } - /* Consider adding (l) max_path_length checking here. */ + /* (k) Basic constraints only relevant for v3 and later. */ + if (SecCertificateVersion(cert) >= 3) { + const SecCEBasicConstraints *bc = + SecCertificateGetBasicConstraints(cert); + if (!bc || !bc->isCA) { + /* Basic constraints not present or not marked as isCA, illegal. */ + if (!SecPVCSetResultForced(pvc, kSecPolicyCheckBasicConstraints, + ix, kCFBooleanFalse, true)) + goto errOut; + } + } + /* (l) max_path_length is checked elsewhere. */ /* (n) If a key usage extension is present, verify that the keyCertSign bit is set. */ SecKeyUsage keyUsage = SecCertificateGetKeyUsage(cert); 
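Review bot: detailKeyToCssmErr returns 0 for every check key it does not map, and SecPVCIsAllowedError compares that value against the constraint's kSecTrustSettingsAllowedError without excluding 0, so a constraint carrying an allowed-error value of 0 would make SecPVCSetResultForced skip every unmapped policy failure for that certificate rather than only the hostname, email and validity errors the mapping intends. Rejecting the unmapped case explicitly closes that path: `int32_t mapped = detailKeyToCssmErr(key);` followed by `if (mapped != 0 && allowedErrorValue == mapped) { result = true; break; }`. The function also calls CFArrayGetCount on `constraints` with no NULL check, as does SecPVCGetTrustSettingsResult in the hunk at -3443; whether SecCertificatePathGetUsageConstraintsAtIndex can return NULL is not visible here, but SecCertificateSourceCopyUsageConstraints in SecTrustServer.c does return NULL for sources without a provider, so `if (!constraints) { return false; }` at the top is cheap insurance. The three literal CSSM codes would read better as named constants, even if only a local enum using the existing comment text as names.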
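Review bot: When SecPVCIsAllowedError fires, SecPVCSetResultForced returns true before `pvc->result = false` and before anything is appended to `pvc->details`, so a failure suppressed by trust settings leaves no trace in the evaluation details and is visible only through the secinfo line. Anyone later diagnosing why an expired or mis-named certificate was accepted would want that recorded; if the details format allows it, add the key with a marker value, or at minimum document the behaviour on the function: `/* A failure matched by a kSecTrustSettingsAllowedError constraint is logged and dropped; it is not recorded in pvc->details. */`. SecPVCSetResultForced starts and ends outside this hunk.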
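Review bot: Restricting check (k) to `SecCertificateVersion(cert) >= 3` means a version 1 or 2 certificate in an intermediate position now passes with no CA check at all, since the whole `bc->isCA` test sits inside the new condition and there is no else branch. RFC 5280 section 6.1.4 (k) permits skipping basicConstraints for v1/v2 certificates only if the application verifies CA status out of band or rejects them, and nothing in this hunk does either, so a v1 end-entity certificate issued by a trusted CA could be accepted as an issuer of further certificates. If that relaxation is intended, say so on the condition: `/* v1/v2 intermediates carry no basicConstraints; accepted here per RFC 5280 6.1.4(k) without an out-of-band CA check -- confirm intended. */`; otherwise add an `else` that calls SecPVCSetResultForced with kSecPolicyCheckBasicConstraints for versions below 3. SecPVCParentCertificateChecks starts and ends outside this hunk.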
@@ -3443,6 +3915,299 @@ bool SecPVCGrayListedKeyChecks(SecPVCRef pvc, CFIndex ix) return true; } +static bool SecPVCContainsPolicy(SecPVCRef pvc, CFStringRef searchOid, CFStringRef searchName, CFIndex *policyIX) { + if (!isString(searchName) && !isString(searchOid)) { + return false; + } + CFArrayRef policies = pvc->policies; + CFIndex ix, count = CFArrayGetCount(policies); + for (ix = 0; ix < count; ++ix) { + SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(policies, ix); + CFStringRef policyName = SecPolicyGetName(policy); + CFStringRef policyOid = SecPolicyGetOidString(policy); + /* Prefer a match of both name and OID */ + if (searchOid && searchName && policyOid && policyName) { + if (CFEqual(searchOid, policyOid) && + CFEqual(searchName, policyName)) { + if (policyIX) { *policyIX = ix; } + return true; + } + } + /* Next best is just OID. */ + if (!searchName && searchOid && policyOid) { + if (CFEqual(searchOid, policyOid)) { + if (policyIX) { *policyIX = ix; } + return true; + } + } + if (!searchOid && searchName && policyName) { + if (CFEqual(searchName, policyName)) { + if (policyIX) { *policyIX = ix; } + return true; + } + } + } + return false; +} + +static bool SecPVCContainsString(SecPVCRef pvc, CFIndex policyIX, CFStringRef stringValue) { + if (!isString(stringValue)) { + return false; + } + bool result = false; + + CFStringRef tmpStringValue = NULL; + if (CFStringGetCharacterAtIndex(stringValue, CFStringGetLength(stringValue) -1) == (UniChar)0x0000) { + tmpStringValue = CFStringCreateTruncatedCopy(stringValue, CFStringGetLength(stringValue) - 1); + } else { + tmpStringValue = CFStringCreateCopy(NULL, stringValue); + } + if (policyIX >= 0 && policyIX < CFArrayGetCount(pvc->policies)) { + SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(pvc->policies, policyIX); + /* Have to look for all the possible locations of name string */ + CFStringRef policyString = NULL; + policyString = CFDictionaryGetValue(policy->_options, 
kSecPolicyCheckSSLHostname); + if (!policyString) { + policyString = CFDictionaryGetValue(policy->_options, kSecPolicyCheckEmail); + } + if (policyString && (CFStringCompare(tmpStringValue, policyString, kCFCompareCaseInsensitive) == kCFCompareEqualTo)) { + result = true; + goto out; + } + + CFArrayRef policyStrings = NULL; + policyStrings = CFDictionaryGetValue(policy->_options, kSecPolicyCheckEAPTrustedServerNames); + if (policyStrings && CFArrayContainsValue(policyStrings, + CFRangeMake(0, CFArrayGetCount(policyStrings)), + tmpStringValue)) { + result = true; + goto out; + } + } + +out: + CFReleaseNull(tmpStringValue); + return result; +} + + +static uint32_t ts_key_usage_for_kuNumber(CFNumberRef keyUsageNumber) { + uint32_t ourTSKeyUsage = 0; + uint32_t keyUsage = 0; + if (keyUsageNumber && + CFNumberGetValue(keyUsageNumber, kCFNumberSInt32Type, &keyUsage)) { + if (keyUsage & kSecKeyUsageDigitalSignature) { + ourTSKeyUsage |= kSecTrustSettingsKeyUseSignature; + } + if (keyUsage & kSecKeyUsageDataEncipherment) { + ourTSKeyUsage |= kSecTrustSettingsKeyUseEnDecryptData; + } + if (keyUsage & kSecKeyUsageKeyEncipherment) { + ourTSKeyUsage |= kSecTrustSettingsKeyUseEnDecryptKey; + } + if (keyUsage & kSecKeyUsageKeyAgreement) { + ourTSKeyUsage |= kSecTrustSettingsKeyUseKeyExchange; + } + if (keyUsage == kSecKeyUsageAll) { + ourTSKeyUsage = kSecTrustSettingsKeyUseAny; + } + } + return ourTSKeyUsage; +} + +static uint32_t ts_key_usage_for_policy(SecPolicyRef policy) { + uint32_t ourTSKeyUsage = 0; + CFTypeRef policyKeyUsageType = NULL; + + policyKeyUsageType = (CFTypeRef)CFDictionaryGetValue(policy->_options, kSecPolicyCheckKeyUsage); + if (isArray(policyKeyUsageType)) { + CFIndex ix, count = CFArrayGetCount(policyKeyUsageType); + for (ix = 0; ix < count; ix++) { + CFNumberRef policyKeyUsageNumber = NULL; + policyKeyUsageNumber = (CFNumberRef)CFArrayGetValueAtIndex(policyKeyUsageType, ix); + ourTSKeyUsage |= ts_key_usage_for_kuNumber(policyKeyUsageNumber); + } + } else 
if (isNumber(policyKeyUsageType)) { + ourTSKeyUsage |= ts_key_usage_for_kuNumber(policyKeyUsageType); + } + + return ourTSKeyUsage; +} + +static bool SecPVCContainsTrustSettingsKeyUsage(SecPVCRef pvc, + SecCertificateRef certificate, CFIndex policyIX, CFNumberRef keyUsageNumber) { + int64_t keyUsageValue = 0; + uint32_t ourKeyUsage = 0; + + if (!isNumber(keyUsageNumber) || !CFNumberGetValue(keyUsageNumber, kCFNumberSInt64Type, &keyUsageValue)) { + return false; + } + + if (keyUsageValue == kSecTrustSettingsKeyUseAny) { + return true; + } + + /* We're using the key for revocation if we have the OCSPSigner policy. + * @@@ If we support CRLs, we'd need to check for that policy here too. + */ + if (SecPVCContainsPolicy(pvc, kSecPolicyAppleOCSPSigner, NULL, NULL)) { + ourKeyUsage |= kSecTrustSettingsKeyUseSignRevocation; + } + + /* We're using the key for verifying a cert if it's a root/intermediate + * in the chain. If the cert isn't in the path yet, we're about to add it, + * so it's a root/intermediate. If there is no path, this is the leaf. + */ + CFIndex pathIndex = -1; + if (pvc->path) { + pathIndex = SecCertificatePathGetIndexOfCertificate(pvc->path, certificate); + } else { + pathIndex = 0; + } + if (pathIndex != 0) { + ourKeyUsage |= kSecTrustSettingsKeyUseSignCert; + } + + /* The rest of the key usages may be specified by the policy(ies). 
*/ + if (policyIX >= 0 && policyIX < CFArrayGetCount(pvc->policies)) { + SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(pvc->policies, policyIX); + ourKeyUsage |= ts_key_usage_for_policy(policy); + } else { + /* Get key usage from ALL policies */ + CFIndex ix, count = CFArrayGetCount(pvc->policies); + for (ix = 0; ix < count; ix++) { + SecPolicyRef policy = (SecPolicyRef)CFArrayGetValueAtIndex(pvc->policies, ix); + ourKeyUsage |= ts_key_usage_for_policy(policy); + } + } + + if (ourKeyUsage == (uint32_t)(keyUsageValue & 0x00ffffffff)) { + return true; + } + + return false; +} + +#if TARGET_OS_MAC && !TARGET_OS_IPHONE +/* We need to declare the SecTrustedApplicationRef type for those binaries + * that don't include the OS X Security Framework headers. */ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecTrustedApplicationRef *SecTrustedApplicationRef; + +#include <Security/SecTrustedApplicationPriv.h> +#include <bsm/libbsm.h> +#include <libproc.h> + +static bool SecPVCCallerIsApplication(CFDataRef clientAuditToken, CFTypeRef appRef) { + bool result = false; + audit_token_t auditToken = {}; + char path[MAXPATHLEN]; + + require(appRef && clientAuditToken, out); + require(CFGetTypeID(appRef) == SecTrustedApplicationGetTypeID(), out); + + require(sizeof(auditToken) == CFDataGetLength(clientAuditToken), out); + CFDataGetBytes(clientAuditToken, CFRangeMake(0, sizeof(auditToken)), (uint8_t *)&auditToken); + require(proc_pidpath(audit_token_to_pid(auditToken), path, sizeof(path)) > 0, out); + + if(errSecSuccess == SecTrustedApplicationValidateWithPath((SecTrustedApplicationRef)appRef, path)) { + result = true; + } + +out: + return result; +} +#endif + +static bool SecPVCMeetsConstraint(SecPVCRef pvc, SecCertificateRef certificate, CFDictionaryRef constraint) { + CFStringRef policyOid = NULL, policyString = NULL, policyName = NULL; + CFNumberRef keyUsageNumber = NULL; + CFTypeRef trustedApplicationData = NULL; + + bool policyMatch = false, policyStringMatch = false, 
applicationMatch = false , keyUsageMatch = false; + bool result = false; + +#if TARGET_OS_MAC && !TARGET_OS_IPHONE + /* OS X returns a SecPolicyRef in the constraints. Convert to the oid string. */ + SecPolicyRef policy = NULL; + policy = (SecPolicyRef)CFDictionaryGetValue(constraint, kSecTrustSettingsPolicy); + policyOid = (policy) ? policy->_oid : NULL; +#else + policyOid = (CFStringRef)CFDictionaryGetValue(constraint, kSecTrustSettingsPolicy); +#endif + policyName = (CFStringRef)CFDictionaryGetValue(constraint, kSecTrustSettingsPolicyName); + policyString = (CFStringRef)CFDictionaryGetValue(constraint, kSecTrustSettingsPolicyString); + keyUsageNumber = (CFNumberRef)CFDictionaryGetValue(constraint, kSecTrustSettingsKeyUsage); + + CFIndex policyIX = -1; + policyMatch = SecPVCContainsPolicy(pvc, policyOid, policyName, &policyIX); + policyStringMatch = SecPVCContainsString(pvc, policyIX, policyString); + keyUsageMatch = SecPVCContainsTrustSettingsKeyUsage(pvc, certificate, policyIX, keyUsageNumber); + +#if TARGET_OS_MAC && !TARGET_OS_IPHONE + trustedApplicationData = CFDictionaryGetValue(constraint, kSecTrustSettingsApplication); + CFDataRef clientAuditToken = SecPathBuilderCopyClientAuditToken(pvc->builder); + applicationMatch = SecPVCCallerIsApplication(clientAuditToken, trustedApplicationData); + CFReleaseNull(clientAuditToken); +#else + if(CFDictionaryContainsKey(constraint, kSecTrustSettingsApplication)) { + secerror("kSecTrustSettingsApplication is not yet supported on this platform"); + } +#endif + + /* If we either didn't find the parameter in the dictionary or we got a match + * against that parameter, for all possible parameters in the dictionary, then + * this trust setting result applies to the output. 
*/ + if (((!policyOid && !policyName) || policyMatch) && + (!policyString || policyStringMatch) && + (!trustedApplicationData || applicationMatch) && + (!keyUsageNumber || keyUsageMatch)) { + result = true; + } + + return result; +} + +SecTrustSettingsResult SecPVCGetTrustSettingsResult(SecPVCRef pvc, SecCertificateRef certificate, CFArrayRef constraints) { + SecTrustSettingsResult result = kSecTrustSettingsResultInvalid; + CFIndex constraintIX, constraintCount = CFArrayGetCount(constraints); + for (constraintIX = 0; constraintIX < constraintCount; constraintIX++) { + CFDictionaryRef constraint = (CFDictionaryRef)CFArrayGetValueAtIndex(constraints, constraintIX); + if (!isDictionary(constraint)) { + continue; + } + + CFNumberRef resultNumber = NULL; + resultNumber = (CFNumberRef)CFDictionaryGetValue(constraint, kSecTrustSettingsResult); + uint32_t resultValue = kSecTrustSettingsResultInvalid; + if (!isNumber(resultNumber) || !CFNumberGetValue(resultNumber, kCFNumberSInt32Type, &resultValue)) { + /* no SecTrustSettingsResult entry defaults to TrustRoot*/ + resultValue = kSecTrustSettingsResultTrustRoot; + } + + if (SecPVCMeetsConstraint(pvc, certificate, constraint)) { + result = resultValue; + break; + } + } + return result; +} + +bool SecPVCCheckUsageConstraints(SecPVCRef pvc) { + bool shouldDeny = false; + CFIndex certIX, certCount = SecCertificatePathGetCount(pvc->path); + for (certIX = 0; certIX < certCount; certIX++) { + CFArrayRef constraints = SecCertificatePathGetUsageConstraintsAtIndex(pvc->path, certIX); + SecCertificateRef cert = SecCertificatePathGetCertificateAtIndex(pvc->path, certIX); + SecTrustSettingsResult result = SecPVCGetTrustSettingsResult(pvc, cert, constraints); + + if (result == kSecTrustSettingsResultDeny) { + SecPVCSetResultForced(pvc, kSecPolicyCheckUsageConstraints, certIX, kCFBooleanFalse, true); + shouldDeny = true; + } + } + return shouldDeny; +} + /* AUDIT[securityd](done): policy->_options is a caller provided dictionary, only its 
cf type has been checked. @@ -3470,6 +4235,9 @@ bool SecPVCPathChecks(SecPVCRef pvc) { return completed; } + /* Check whether the TrustSettings say to deny a cert in the path. */ + (void)SecPVCCheckUsageConstraints(pvc); + /* Check the things we can't check statically for the certificate path. */ /* Critical Extensions, chainLength. */ @@ -3483,12 +4251,10 @@ bool SecPVCPathChecks(SecPVCRef pvc) { as a non EV one, if it was valid as such. */ pvc->result = pre_ev_check_result; } - /* Check revocation only if the chain is valid so far. The revocation will - only fetch OCSP response over the network if the client asked for revocation - check explicitly or is_ev is true. */ - if (pvc->result) { - completed = SecPVCCheckRevocation(pvc); - } + + /* Check revocation always, since we don't want a lesser recoverable result + * to prevent the check from occurring. */ + completed = SecPVCCheckRevocation(pvc); /* Check for CT */ if (pvc->result || pvc->details) { @@ -3496,6 +4262,11 @@ bool SecPVCPathChecks(SecPVCRef pvc) { SecPolicyCheckCT(pvc, kSecPolicyCheckCertificateTransparency); } + if (pvc->is_ev && !pvc->is_ct) { + pvc->is_ct_whitelisted = SecPVCCheckCTWhiteListedLeaf(pvc); + } else { + pvc->is_ct_whitelisted = false; + } //errOut: secdebug("policy", "end %strusted completed: %d path: %@", @@ -3508,7 +4279,7 @@ bool SecPVCPathChecks(SecPVCRef pvc) { piece of revocation checking info we used expires. */ CFAbsoluteTime SecPVCGetEarliestNextUpdate(SecPVCRef pvc) { CFIndex certIX, certCount = SecPVCGetCertificateCount(pvc); - CFAbsoluteTime enu = 0; + CFAbsoluteTime enu = NULL_TIME; if (certCount <= 1 || !pvc->rvcs) { return enu; } 
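Review bot: SecPVCContainsString reads `CFStringGetCharacterAtIndex(stringValue, CFStringGetLength(stringValue) - 1)` without first checking that the length is non-zero, so an empty kSecTrustSettingsPolicyString in a constraint dictionary produces index -1; the strings come from the trust store rather than from the peer, so this is a malformed-settings crash rather than a remote one, but `if (CFStringGetLength(stringValue) == 0) { return false; }` ahead of the trailing-NUL test avoids it, and an empty policy string should arguably never match anything. In SecPVCMeetsConstraint the OS X branch dereferences `policy->_oid` on whatever object sits under kSecTrustSettingsPolicy without confirming its type, whereas every other constraint value in this hunk goes through isString/isNumber/isDictionary; a `CFGetTypeID(policy) == SecPolicyGetTypeID()` check, treating a mismatch as "no policy", keeps a malformed entry from being read as a policy struct. SecPVCGetTrustSettingsResult also maps a present-but-unparseable kSecTrustSettingsResult to kSecTrustSettingsResultTrustRoot, the most permissive outcome, while the comment only gives that meaning to an absent key; a wrong-typed value is safer skipped with `continue` or left as kSecTrustSettingsResultInvalid.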
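Review bot: Taking SecPVCCheckRevocation out of the `if (pvc->result)` guard means revocation fetches are now attempted for paths that have already failed a static check, so when revocation was requested or the leaf is EV and network access is permitted (the allow_fetch gate inside SecPVCCheckRevocation still applies) an untrusted chain can steer the verifier to the OCSP responder or, with ENABLE_CRLS, CRL URLs it names regardless of whether it chains to a trusted anchor. That may be acceptable for the stated goal of not letting a recoverable failure suppress the check, but the comment should acknowledge the trade-off and the remaining gate, e.g. `/* Check revocation even if earlier checks failed (a recoverable result must not suppress it); network fetches remain gated by allow_fetch inside SecPVCCheckRevocation. */`. SecPVCPathChecks starts and ends outside this hunk.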
@@ -3516,16 +4287,26 @@ CFAbsoluteTime SecPVCGetEarliestNextUpdate(SecPVCRef pvc) { for (certIX = 0; certIX < certCount; ++certIX) { SecRVCRef rvc = &((SecRVCRef)pvc->rvcs)[certIX]; - if (rvc->nextUpdate == 0) { + CFAbsoluteTime thisCertNextUpdate = SecRVCGetEarliestNextUpdate(rvc); + if (thisCertNextUpdate == 0) { if (certIX > 0) { /* We allow for CA certs to not be revocation checked if they - have no ocspResponders to check against, but the leaf + have no ocspResponders nor CRLDPs to check against, but the leaf must be checked in order for us to claim we did revocation checking. */ SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX); - CFArrayRef ocspResponders = SecCertificateGetOCSPResponders(cert); - if (!ocspResponders || CFArrayGetCount(ocspResponders) == 0) { + CFArrayRef ocspResponders = NULL; + ocspResponders = SecCertificateGetOCSPResponders(cert); +#if ENABLE_CRLS + CFArrayRef crlDPs = NULL; + crlDPs = SecCertificateGetCRLDistributionPoints(cert); +#endif + if ((!ocspResponders || CFArrayGetCount(ocspResponders) == 0) +#if ENABLE_CRLS + && (!crlDPs || CFArrayGetCount(crlDPs) == 0) +#endif + ) { /* We can't check this cert so we don't consider it a soft failure that we didn't. Ideally we should support crl checking and remove this workaround, since that more 
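Review bot: SecPVCGetEarliestNextUpdate now initialises `enu` to NULL_TIME (hunk at -3508), but the new `thisCertNextUpdate == 0` test here and `enu == 0` in the hunk at -3533 still compare against the literal 0, so the reader has to know whether NULL_TIME is 0 to see that the three sites agree. Writing `if (thisCertNextUpdate == NULL_TIME) {` and `if (enu == NULL_TIME || thisCertNextUpdate < enu) {` makes the sentinel explicit at every comparison, matching SecRVCGetEarliestNextUpdate which already uses NULL_TIME on both sides. SecPVCGetEarliestNextUpdate starts outside this hunk.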
@@ -3533,27 +4314,16 @@ CFAbsoluteTime SecPVCGetEarliestNextUpdate(SecPVCRef pvc) { continue; } } - secdebug("ocsp", "revocation checking soft failure for cert: %ld", + secdebug("rvc", "revocation checking soft failure for cert: %ld", certIX); - enu = rvc->nextUpdate; + enu = thisCertNextUpdate; break; } - if (enu == 0 || rvc->nextUpdate < enu) { - enu = rvc->nextUpdate; + if (enu == 0 || thisCertNextUpdate < enu) { + enu = thisCertNextUpdate; } -#if 0 - /* Perhaps we don't want to do this since some policies might - ignore the certificate expiration but still use revocation - checking. */ - - /* Earliest certificate expiration date. */ - SecCertificateRef cert = SecPVCGetCertificateAtIndex(rvc->pvc, rvc->certIX); - CFAbsoluteTime nva = SecCertificateNotValidAfter(cert); - if (nva && (enu == 0 || nva < enu) - enu = nva; -#endif } - secdebug("ocsp", "revocation valid until: %lg", enu); + secdebug("rvc", "revocation valid until: %lg", enu); return enu; } diff --git a/OSX/sec/securityd/SecPolicyServer.h b/OSX/sec/securityd/SecPolicyServer.h index 0a6f8e21..f1393c03 100644 --- a/OSX/sec/securityd/SecPolicyServer.h +++ b/OSX/sec/securityd/SecPolicyServer.h @@ -31,6 +31,7 @@ #define _SECURITY_SECPOLICYSERVER_H_ #include <Security/SecPolicyInternal.h> +#include <Security/SecTrustSettings.h> #include <securityd/policytree.h> #include <securityd/SecTrustServer.h> @@ -56,11 +57,12 @@ struct OpaqueSecPVC { void *rvcs; unsigned int asyncJobCount; - bool check_revocation; + CFStringRef check_revocation; bool response_required; bool optionally_ev; bool is_ev; bool is_ct; + bool is_ct_whitelisted; bool result; }; 
@@ -85,7 +87,7 @@ bool SecPVCSetResultForced(SecPVCRef pvc, CFStringRef key, CFIndex ix, CFTypeRef result, bool force); /* Enable revocation checking if the rest of the policy checks succeed. */ -void SecPVCSetCheckRevocation(SecPVCRef pvc); +void SecPVCSetCheckRevocation(SecPVCRef pvc, CFStringRef method); /* Require a revocation response for the leaf certificate. */ void SecPVCSetCheckRevocationResponseRequired(SecPVCRef pvc); @@ -121,8 +123,6 @@ typedef void (*SecPolicyCheckFunction)(SecPVCRef pv, CFStringRef key); */ bool SecPolicyValidate(SecPolicyRef policy, SecPVCRef pvc, CFStringRef key); -CFArrayRef SecPolicyArrayDeserialize(CFArrayRef serializedPolicies); - void SecPolicyServerInitalize(void); /* True iff certificate could be an extended validation (EV) certificate. */ @@ -130,7 +130,9 @@ bool SecPolicySubscriberCertificateCouldBeEV(SecCertificateRef certificate); void SecEVPolicyToAnchorDigestsInit(void); -bool SecDNSMatch(CFStringRef hostname, CFStringRef servername); +SecTrustSettingsResult SecPVCGetTrustSettingsResult(SecPVCRef pvc, SecCertificateRef certificate, CFArrayRef constraints); + +bool SecPVCCheckUsageConstraints(SecPVCRef pvc); __END_DECLS diff --git a/OSX/sec/securityd/SecTrustServer.c b/OSX/sec/securityd/SecTrustServer.c index a499b047..2d6edacb 100644 --- a/OSX/sec/securityd/SecTrustServer.c +++ b/OSX/sec/securityd/SecTrustServer.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006-2010,2012-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2006-2010,2012-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -40,6 +40,7 @@ #include <Security/SecCertificatePath.h> #include <Security/SecFramework.h> #include <Security/SecPolicyInternal.h> +#include <Security/SecTrustSettingsPriv.h> #include <CoreFoundation/CFRuntime.h> #include <CoreFoundation/CFSet.h> #include <CoreFoundation/CFString.h> 
@@ -192,6 +193,7 @@ static CFArrayRef CopyCertsFromIndices(CFArrayRef offsets) ********************************************************/ #define MAX_CHAIN_LENGTH 15 +#define ACCEPT_PATH_SCORE 10000000 /* Forward declaration for use in SecCertificateSource. */ static void SecPathBuilderExtendPaths(void *context, CFArrayRef parents); @@ -207,11 +209,14 @@ typedef struct SecCertificateSource *SecCertificateSourceRef; typedef void(*SecCertificateSourceParents)(void *, CFArrayRef); typedef bool(*CopyParents)(SecCertificateSourceRef source, SecCertificateRef certificate, void *context, SecCertificateSourceParents); +typedef CFArrayRef(*CopyConstraints)(SecCertificateSourceRef source, + SecCertificateRef certificate); typedef bool(*Contains)(SecCertificateSourceRef source, SecCertificateRef certificate); struct SecCertificateSource { CopyParents copyParents; + CopyConstraints copyUsageConstraints; Contains contains; }; @@ -221,6 +226,15 @@ static bool SecCertificateSourceCopyParents(SecCertificateSourceRef source, return source->copyParents(source, certificate, context, callback); } +static CFArrayRef SecCertificateSourceCopyUsageConstraints( + SecCertificateSourceRef source, SecCertificateRef certificate) { + if (source->copyUsageConstraints) { + return source->copyUsageConstraints(source, certificate); + } else { + return NULL; + } +} + static bool SecCertificateSourceContains(SecCertificateSourceRef source, SecCertificateRef certificate) { return source->contains(source, certificate); 
@@ -288,10 +302,10 @@ static bool SecItemCertificateSourceCopyParents( /* We can make this async or run this on a queue now easily. */ CFErrorRef localError = NULL; if (!_SecItemCopyMatching(query, &client, &results, &localError)) { - if (CFErrorGetCode(localError) != errSecItemNotFound) { + if (localError && (CFErrorGetCode(localError) != errSecItemNotFound)) { secdebug("trust", "_SecItemCopyMatching: %@", localError); } - CFRelease(localError); + CFReleaseSafe(localError); } CFRelease(query); CFTypeRef certs = SecItemCertificateSourceResultsPost(results); @@ -304,9 +318,9 @@ static bool SecItemCertificateSourceCopyParents( static bool SecItemCertificateSourceContains(SecCertificateSourceRef source, SecCertificateRef certificate) { SecItemCertificateSourceRef msource = (SecItemCertificateSourceRef)source; - /* Lookup a certificate by issuer and serial number. */ - CFDataRef normalizedSubject = - SecCertificateGetNormalizedSubjectContent(certificate); + /* Look up a certificate by issuer and serial number. */ + CFDataRef normalizedIssuer = SecCertificateGetNormalizedIssuerContent(certificate); + CFRetainSafe(normalizedIssuer); CFDataRef serialNumber = #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) SecCertificateCopySerialNumber(certificate, NULL); @@ -322,7 +336,7 @@ static bool SecItemCertificateSourceContains(SecCertificateSourceRef source, *values[] = { kSecClassCertificate, kSecMatchLimitOne, - normalizedSubject, + normalizedIssuer, serialNumber }; SecurityClient client = { 
@@ -332,19 +346,19 @@ static bool SecItemCertificateSourceContains(SecCertificateSourceRef source, .allowSyncBubbleKeychain = false, .isNetworkExtension = false, }; - CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, 5, - NULL, NULL); + CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, 4, NULL, NULL); CFErrorRef localError = NULL; CFTypeRef results = NULL; bool ok = _SecItemCopyMatching(query, &client, &results, &localError); - CFRelease(query); - CFRelease(serialNumber); + CFReleaseSafe(query); + CFReleaseSafe(serialNumber); + CFReleaseSafe(normalizedIssuer); CFReleaseSafe(results); if (!ok) { if (CFErrorGetCode(localError) != errSecItemNotFound) { secdebug("trust", "_SecItemCopyMatching: %@", localError); } - CFRelease(localError); + CFReleaseSafe(localError); return false; } return true; @@ -353,6 +367,7 @@ static bool SecItemCertificateSourceContains(SecCertificateSourceRef source, static SecCertificateSourceRef SecItemCertificateSourceCreate(CFArrayRef accessGroups) { SecItemCertificateSourceRef result = (SecItemCertificateSourceRef)malloc(sizeof(*result)); result->base.copyParents = SecItemCertificateSourceCopyParents; + result->base.copyUsageConstraints = NULL; result->base.contains = SecItemCertificateSourceContains; result->accessGroups = accessGroups; CFRetainSafe(accessGroups); @@ -403,7 +418,6 @@ errOut: static bool SecSystemAnchorSourceContains(SecCertificateSourceRef source, SecCertificateRef certificate) { bool result = false; -//#ifndef SECITEM_SHIM_OSX CFArrayRef anchors = NULL; SecOTAPKIRef otapkiref = NULL; CFArrayRef cert_datas = NULL; @@ -450,7 +464,6 @@ static bool SecSystemAnchorSourceContains(SecCertificateSourceRef source, errOut: CFReleaseSafe(cert_datas); CFReleaseSafe(otapkiref); -//#endif // SECITEM_SHIM_OSX return result; } 
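Review bot: In SecItemCertificateSourceContains the `if (!ok)` branch still calls `CFErrorGetCode(localError)` without checking that localError is non-NULL, while the equivalent branch in SecItemCertificateSourceCopyParents in the preceding hunk was changed to guard it with `localError &&`. The CFRelease on the same path was changed to CFReleaseSafe here, so a NULL error is evidently considered possible, and CFErrorGetCode on NULL would crash the daemon. Change the test to `if (localError && (CFErrorGetCode(localError) != errSecItemNotFound)) {` to match CopyParents.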
@@ -458,13 +471,15 @@ errOut: struct SecCertificateSource kSecSystemAnchorSource = { SecSystemAnchorSourceCopyParents, + NULL, SecSystemAnchorSourceContains }; +#if TARGET_OS_IPHONE // MARK: - // MARK: SecUserAnchorSource /******************************************************** - *********** SecUserAnchorSource object ************ + ************* SecUserAnchorSource object *************** ********************************************************/ static bool SecUserAnchorSourceCopyParents( SecCertificateSourceRef source, SecCertificateRef certificate, @@ -476,6 +491,17 @@ static bool SecUserAnchorSourceCopyParents( return true; } +static CFArrayRef SecUserAnchorSourceCopyUsageConstraints( + SecCertificateSourceRef source, SecCertificateRef certificate) { + CFDataRef digest = SecCertificateGetSHA1Digest(certificate); + if (!digest) + return NULL; + CFArrayRef usageConstraints = NULL; + bool ok = _SecTrustStoreCopyUsageConstraints( + SecTrustStoreForDomain(kSecTrustStoreDomainUser), digest, &usageConstraints, NULL); + return (ok) ? usageConstraints : NULL; +} + static bool SecUserAnchorSourceContains(SecCertificateSourceRef source, SecCertificateRef certificate) { return SecTrustStoreContains( @@ -484,13 +510,15 @@ static bool SecUserAnchorSourceContains(SecCertificateSourceRef source, struct SecCertificateSource kSecUserAnchorSource = { SecUserAnchorSourceCopyParents, + SecUserAnchorSourceCopyUsageConstraints, SecUserAnchorSourceContains }; +#endif // MARK: - // MARK: SecMemoryCertificateSource /******************************************************** - *********** SecMemoryCertificateSource object ************ + ********** SecMemoryCertificateSource object *********** ********************************************************/ struct SecMemoryCertificateSource { struct SecCertificateSource base; 
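Review bot: SecUserAnchorSourceCopyUsageConstraints discards `usageConstraints` when `_SecTrustStoreCopyUsageConstraints` returns false, so if that call can populate the out-parameter and still report failure, the array leaks; the callee is not visible here, so this is a non-issue only if it guarantees the out-parameter is untouched on failure. A form that is correct either way is `if (!ok) { CFReleaseNull(usageConstraints); } return usageConstraints;`. The single-statement `if (!digest) return NULL;` should also be braced like the surrounding code.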
@@ -560,6 +588,7 @@ static SecCertificateSourceRef SecMemoryCertificateSourceCreate( SecMemoryCertificateSourceRef result = (SecMemoryCertificateSourceRef) malloc(sizeof(*result)); result->base.copyParents = SecMemoryCertificateSourceCopyParents; + result->base.copyUsageConstraints = NULL; result->base.contains = SecMemoryCertificateSourceContains; CFIndex count = CFArrayGetCount(certificates); result->certificates = CFSetCreateMutable(kCFAllocatorDefault, count, 
@@ -601,9 +630,135 @@ static bool SecCAIssuerCertificateSourceContains( struct SecCertificateSource kSecCAIssuerSource = { SecCAIssuerCertificateSourceCopyParents, + NULL, SecCAIssuerCertificateSourceContains }; +#if (SECTRUST_OSX && TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR)) +#include <Security/SecItemPriv.h> +// MARK: - +// MARK: SecLegacyCertificateSource +/******************************************************** + ********** SecLegacyCertificateSource object *********** + ********************************************************/ + +static bool SecLegacyCertificateSourceCopyParents( + SecCertificateSourceRef source, SecCertificateRef certificate, + void *context, SecCertificateSourceParents callback) { + CFArrayRef parents = SecItemCopyParentCertificates(certificate, NULL); + callback(context, parents); + CFReleaseSafe(parents); + return true; +} + +static bool SecLegacyCertificateSourceContains( + SecCertificateSourceRef source, SecCertificateRef certificate) { + SecCertificateRef cert = SecItemCopyStoredCertificate(certificate, NULL); + bool result = (cert) ? 
true : false; + CFReleaseSafe(cert); + return result; +} + +struct SecCertificateSource kSecLegacyCertificateSource = { + SecLegacyCertificateSourceCopyParents, + NULL, + SecLegacyCertificateSourceContains +}; +#endif /* SecLegacyCertificateSource */ + +#if (SECTRUST_OSX && TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR)) +// MARK: - +// MARK: SecLegacyAnchorSource +/******************************************************** + ************ SecLegacyAnchorSource object ************** + ********************************************************/ + +static bool SecLegacyAnchorSourceCopyParents( + SecCertificateSourceRef source, SecCertificateRef certificate, + void *context, SecCertificateSourceParents callback) { + CFMutableArrayRef anchors = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + CFArrayRef parents = SecItemCopyParentCertificates(certificate, NULL); + CFArrayRef trusted = NULL; + if (parents == NULL) { + goto finish; + } + /* Get the custom anchors which have been trusted in the user and admin domains. + * We don't need system domain roots here, since SecSystemAnchorSource provides those. 
+ */ + OSStatus status = SecTrustSettingsCopyCertificatesForUserAdminDomains(&trusted); + if (status == errSecSuccess && trusted) { + CFIndex index, count = CFArrayGetCount(parents); + for (index = 0; index < count; index++) { + SecCertificateRef parent = (SecCertificateRef)CFArrayGetValueAtIndex(parents, index); + if (parent && CFArrayContainsValue(trusted, CFRangeMake(0, CFArrayGetCount(trusted)), parent)) { + CFArrayAppendValue(anchors, parent); + } + } + } + +finish: + callback(context, anchors); + CFReleaseSafe(anchors); + CFReleaseSafe(parents); + CFReleaseSafe(trusted); + return true; +} + +static CFArrayRef SecLegacyAnchorSourceCopyUsageConstraints( + SecCertificateSourceRef source, SecCertificateRef certificate) { + + CFArrayRef result = NULL; + CFArrayRef userTrustSettings = NULL, adminTrustSettings = NULL; + + OSStatus status = SecTrustSettingsCopyTrustSettings(certificate, + kSecTrustSettingsDomainUser, + &userTrustSettings); + if ((status == errSecSuccess) && (userTrustSettings != NULL)) { + result = CFRetain(userTrustSettings); + } + + status = SecTrustSettingsCopyTrustSettings(certificate, + kSecTrustSettingsDomainAdmin, + &adminTrustSettings); + /* user trust settings overrule admin trust settings */ + if ((status == errSecSuccess) && (adminTrustSettings != NULL) && (result == NULL)) { + result = CFRetain(adminTrustSettings); + } + + CFReleaseNull(userTrustSettings); + CFReleaseNull(adminTrustSettings); + return result; +} + +static bool SecLegacyAnchorSourceContains( + SecCertificateSourceRef source, SecCertificateRef certificate) { + if (certificate == NULL) { + return false; + } + CFArrayRef trusted = NULL; + bool result = false; + OSStatus status = SecTrustSettingsCopyCertificatesForUserAdminDomains(&trusted); + if ((status == errSecSuccess) && (trusted != NULL)) { + CFIndex index, count = CFArrayGetCount(trusted); + for (index = 0; index < count; index++) { + SecCertificateRef anchor = (SecCertificateRef)CFArrayGetValueAtIndex(trusted, index); 
+ if (anchor && CFEqual(anchor, certificate)) { + result = true; + break; + } + } + } + CFReleaseSafe(trusted); + return result; +} + +struct SecCertificateSource kSecLegacyAnchorSource = { + SecLegacyAnchorSourceCopyParents, + SecLegacyAnchorSourceCopyUsageConstraints, + SecLegacyAnchorSourceContains +}; +#endif /* SecLegacyAnchorSource */ + // MARK: - // MARK: SecPathBuilder /******************************************************** @@ -644,7 +799,7 @@ struct SecPathBuilder { CFArrayRef leafDetails; - CFIndex rejectScore; + CFIndex bestPathScore; bool considerRejected; bool considerPartials; @@ -653,6 +808,8 @@ struct SecPathBuilder { struct OpaqueSecPVC path; SecCertificatePathRef bestPath; bool bestPathIsEV; + bool bestPathIsSHA2; + bool denyBestPath; CFIndex activations; bool (*state)(SecPathBuilderRef); @@ -670,10 +827,10 @@ static bool SecPathBuilderReportResult(SecPathBuilderRef builder); /* Forward declarations. */ static bool SecPathBuilderIsAnchor(SecPathBuilderRef builder, - SecCertificateRef certificate); + SecCertificateRef certificate, SecCertificateSourceRef *foundInSource); -/* IDEA: policies could be made cabable of replacing incoming anchors and - anchorsOnly argument values. For example some policies require the +/* IDEA: policies could be made capable of replacing incoming anchors and + anchorsOnly argument values. For example, some policies require the Apple Inc. CA and not any other anchor. This can be done in SecPathBuilderLeafCertificateChecks since this only runs once. */ static void SecPathBuilderLeafCertificateChecks(SecPathBuilderRef builder, 
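Review bot: The new SecLegacyCertificateSource block puts `#include <Security/SecItemPriv.h>` in the middle of the translation unit under a conditional, and the identical `#if (SECTRUST_OSX && TARGET_OS_MAC && ...)` guard is then repeated for SecLegacyAnchorSource; hoisting the include into the file's include block and merging the two sections under one guard keeps the condition in a single place. In SecLegacyCertificateSourceContains, `bool result = (cert) ? true : false;` reads more directly as `bool result = (cert != NULL);`. In SecLegacyAnchorSourceCopyUsageConstraints the comment should say that a non-NULL but empty user-domain array also wins over admin settings, because the `result == NULL` test only checks presence; if an empty array is how the trust-settings API expresses unrestricted trust, that is exactly the case SecPathBuilderIsAnchorPerConstraints later treats as an unrestricted self-signed anchor.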
@@ -691,7 +848,7 @@ static void SecPathBuilderLeafCertificateChecks(SecPathBuilderRef builder, static void SecPathBuilderInit(SecPathBuilderRef builder, CFDataRef clientAuditToken, CFArrayRef certificates, - CFArrayRef anchors, bool anchorsOnly, + CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef ocspResponses, CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, CFArrayRef accessGroups, @@ -725,7 +882,9 @@ static void SecPathBuilderInit(SecPathBuilderRef builder, SecPVCInit(&builder->path, builder, policies, verifyTime); builder->bestPath = NULL; builder->bestPathIsEV = false; - builder->rejectScore = 0; + builder->bestPathIsSHA2 = false; + builder->denyBestPath = false; + builder->bestPathScore = 0; /* Let's create all the certificate sources we might want to use. */ builder->certificateSource = 
@@ -735,36 +894,70 @@ static void SecPathBuilderInit(SecPathBuilderRef builder, else builder->anchorSource = NULL; - /* We always search certificateSource for parents since it includes the - leaf itself and it might be self signed. */ - CFArrayAppendValue(builder->parentSources, builder->certificateSource); - if (builder->anchorSource) { - CFArrayAppendValue(builder->anchorSources, builder->anchorSource); - } + /** Parent Sources + ** The order here avoids the most expensive methods if the cheaper methods + ** produce an acceptable chain: client-provided, keychains, network-fetched. + **/ + CFArrayAppendValue(builder->parentSources, builder->certificateSource); builder->itemCertificateSource = SecItemCertificateSourceCreate(accessGroups); - CFArrayAppendValue(builder->parentSources, builder->itemCertificateSource); + if (keychainsAllowed) { + CFArrayAppendValue(builder->parentSources, builder->itemCertificateSource); +#if !TARGET_OS_IPHONE + /* On OS X, need additional parent source to search legacy keychain files. */ + if (kSecLegacyCertificateSource.contains && kSecLegacyCertificateSource.copyParents) { + CFArrayAppendValue(builder->parentSources, &kSecLegacyCertificateSource); + } +#endif + } if (anchorsOnly) { /* Add the system and user anchor certificate db to the search list - if we don't explicitly trust them. */ + if we don't explicitly trust them. */ CFArrayAppendValue(builder->parentSources, &kSecSystemAnchorSource); +#if TARGET_OS_IPHONE CFArrayAppendValue(builder->parentSources, &kSecUserAnchorSource); - } else { - /* Only add the system and user anchor certificate db to the - anchorSources if we are supposed to trust them. 
*/ - CFArrayAppendValue(builder->anchorSources, &kSecSystemAnchorSource); - CFArrayAppendValue(builder->anchorSources, &kSecUserAnchorSource); +#endif } - if (builder->canAccessNetwork) { + if (keychainsAllowed && builder->canAccessNetwork) { CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource); } + /** Anchor Sources + ** The order here allows a client-provided anchor to overrule + ** a user or admin trust setting which can overrule the system anchors. + **/ + if (builder->anchorSource) { + CFArrayAppendValue(builder->anchorSources, builder->anchorSource); + } + if (!anchorsOnly) { + /* Only add the system and user anchor certificate db to the + anchorSources if we are supposed to trust them. */ +#if TARGET_OS_IPHONE + CFArrayAppendValue(builder->anchorSources, &kSecUserAnchorSource); +#else + if (keychainsAllowed && kSecLegacyAnchorSource.contains && kSecLegacyAnchorSource.copyParents) { + CFArrayAppendValue(builder->anchorSources, &kSecLegacyAnchorSource); + } +#endif + CFArrayAppendValue(builder->anchorSources, &kSecSystemAnchorSource); + } + /* Now let's get the leaf cert and turn it into a path. */ SecCertificateRef leaf = (SecCertificateRef)CFArrayGetValueAtIndex(certificates, 0); - SecCertificatePathRef path = SecCertificatePathCreate(NULL, leaf); - CFSetAddValue(builder->allPaths, path); + SecCertificateSourceRef source = NULL; + bool isAnchor = false; + CFArrayRef constraints = NULL; + if (SecPathBuilderIsAnchor(builder, leaf, &source)) { + isAnchor = true; + } + if (source) { + constraints = SecCertificateSourceCopyUsageConstraints(source, leaf); + } + SecCertificatePathRef path = SecCertificatePathCreate(NULL, leaf, constraints); + CFReleaseSafe(constraints); + CFSetAddValue(builder->allPaths, path); CFArrayAppendValue(builder->partialPaths, path); - if (SecPathBuilderIsAnchor(builder, leaf)) { + if (isAnchor) { SecCertificatePathSetIsAnchored(path); CFArrayAppendValue(builder->candidatePaths, path); } 
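Review bot: The runtime tests `kSecLegacyCertificateSource.contains && kSecLegacyCertificateSource.copyParents` (and the matching test on kSecLegacyAnchorSource) guard statically initialized structs whose function pointers are never NULL, so unless those symbols are declared weak_import somewhere outside this diff the checks are always true and the only effective gate is the preprocessor condition. That condition is `#if !TARGET_OS_IPHONE` here but `SECTRUST_OSX && TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR)` at the definitions, so an OS X build with SECTRUST_OSX unset would reference undefined symbols; one shared macro for both sites would keep them aligned. It would also help to note above the leaf handling that `source` may be set even when SecPathBuilderIsAnchor returns false, e.g. `/* source is set whenever an anchor source contains the leaf, even if its constraints did not grant anchor status; those constraints are still attached to the path. */`. SecPathBuilderInit starts and ends outside this hunk.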
@@ -790,13 +983,13 @@ static void SecPathBuilderInit(SecPathBuilderRef builder, SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, - CFArrayRef policies, CFArrayRef ocspResponses, + bool keychainsAllowed, CFArrayRef policies, CFArrayRef ocspResponses, CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, CFArrayRef accessGroups, SecPathBuilderCompleted completed, const void *context) { SecPathBuilderRef builder = malloc(sizeof(*builder)); SecPathBuilderInit(builder, clientAuditToken, certificates, - anchors, anchorsOnly, policies, ocspResponses, + anchors, anchorsOnly, keychainsAllowed, policies, ocspResponses, signedCertificateTimestamps, trustedLogs, verifyTime, accessGroups, completed, context); return builder; @@ -835,16 +1028,16 @@ void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow) { builder->canAccessNetwork = allow; if (allow) { #if !TARGET_OS_WATCH - secdebug("http", "network access re-enabled by policy"); + secinfo("http", "network access re-enabled by policy"); /* re-enabling network_access re-adds kSecCAIssuerSource as a parent source. */ CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource); #else - secdebug("http", "network access not allowed on WatchOS"); + secnotice("http", "network access not allowed on WatchOS"); builder->canAccessNetwork = false; #endif } else { - secdebug("http", "network access disabled by policy"); + secinfo("http", "network access disabled by policy"); /* disabling network_access removes kSecCAIssuerSource from the list of parent sources. */ CFIndex ix = CFArrayGetFirstIndexOfValue(builder->parentSources, 
@@ -871,19 +1064,73 @@ CFArrayRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder) return CFRetainSafe(builder->trustedLogs); } +/* This function assumes that the input source is an anchor source */ +static bool SecPathBuilderIsAnchorPerConstraints(SecPathBuilderRef builder, SecCertificateSourceRef source, + SecCertificateRef certificate) { + bool result = false; + CFArrayRef constraints = NULL; + constraints = SecCertificateSourceCopyUsageConstraints(source, certificate); + + /* Unrestricted certificates: + * -those that come from anchor sources with no constraints + * -self-signed certificates with empty contraints arrays + */ + Boolean selfSigned = false; + require(errSecSuccess == SecCertificateIsSelfSigned(certificate, &selfSigned), out); + if ((NULL == source->copyUsageConstraints) || + (constraints && (CFArrayGetCount(constraints) == 0) && selfSigned)) { + secinfo("trust", "unrestricted anchor%s", + (NULL == source->copyUsageConstraints) ? " source" : ""); + result = true; + goto out; + } + + /* Get the trust settings result for the PVC */ + require(constraints, out); + SecTrustSettingsResult settingsResult = kSecTrustSettingsResultInvalid; + settingsResult = SecPVCGetTrustSettingsResult(&builder->path, + certificate, + constraints); + if ((selfSigned && settingsResult == kSecTrustSettingsResultTrustRoot) || + (!selfSigned && settingsResult == kSecTrustSettingsResultTrustAsRoot)) { + // For our purposes, this is an anchor. + secinfo("trust", "complex trust settings anchor"); + result = true; + } + + if (settingsResult == kSecTrustSettingsResultDeny) { + /* We consider denied certs "anchors" because the trust decision + is set regardless of building the chain further. The policy + validation will handle rejecting this chain. */ + secinfo("trust", "complex trust settings denied anchor"); + result = true; + } + +out: + CFReleaseNull(constraints); + return result; +} + +/* Source returned in foundInSource has the same lifetime as the builder. 
*/ static bool SecPathBuilderIsAnchor(SecPathBuilderRef builder, - SecCertificateRef certificate) { - /* We always look through all anchor sources. */ - CFIndex count = CFArrayGetCount(builder->anchorSources); - CFIndex ix; - for (ix = 0; ix < count; ++ix) { - SecCertificateSourceRef source = (SecCertificateSourceRef) - CFArrayGetValueAtIndex(builder->anchorSources, ix); - if (SecCertificateSourceContains(source, certificate)) { - return true; - } - } - return false; + SecCertificateRef certificate, SecCertificateSourceRef *foundInSource) { + /* We look through the anchor sources in order. They are ordered in + SecPathBuilderInit so that process anchors override user anchors which + override system anchors. */ + CFIndex count = CFArrayGetCount(builder->anchorSources); + CFIndex ix; + for (ix = 0; ix < count; ++ix) { + SecCertificateSourceRef source = (SecCertificateSourceRef) + CFArrayGetValueAtIndex(builder->anchorSources, ix); + if (SecCertificateSourceContains(source, certificate)) { + if (foundInSource) + *foundInSource = source; + if (SecPathBuilderIsAnchorPerConstraints(builder, source, certificate)) { + return true; + } + } + } + return false; } /* Return false if path is not a partial, if path was a valid candidate it @@ -932,10 +1179,6 @@ static void SecPathBuilderProcessParents(SecPathBuilderRef builder, CFIndex rootIX = SecCertificatePathGetCount(partial) - 1; CFIndex num_parents = parents ? CFArrayGetCount(parents) : 0; CFIndex parentIX; - bool is_anchor = SecCertificatePathGetNextSourceIndex(partial) <= - CFArrayGetCount(builder->anchorSources); - secdebug("trust", "found %" PRIdCFIndex " candidate %s", num_parents, - (is_anchor ? "anchors" : "parents")); for (parentIX = 0; parentIX < num_parents; ++parentIX) { SecCertificateRef parent = (SecCertificateRef) CFArrayGetValueAtIndex(parents, parentIX); 
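Review bot: SecPathBuilderIsAnchor assigns `*foundInSource` for every anchor source that contains the certificate and keeps iterating when SecPathBuilderIsAnchorPerConstraints rejects it, so on a false return the out-parameter names the last containing source rather than none, and both callers then copy that source's constraints onto the path; this looks intentional but the header comment only covers lifetime. Suggest extending it to `/* foundInSource (if non-NULL) receives the last anchor source containing certificate, even when this returns false because no source's constraints granted anchor status; the source lives as long as the builder. */`. In SecPathBuilderIsAnchorPerConstraints, a source that implements copyUsageConstraints but returns NULL for a certificate it contains falls through `require(constraints, out)` and is treated as not an anchor; if that is the intended meaning of NULL it deserves a one-line comment, since the unrestricted case just above keys off the callback pointer rather than the value. Minor: "contraints" in the comment, and `if (foundInSource)` lacks braces.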
@@ -955,7 +1198,11 @@ static void SecPathBuilderProcessParents(SecPathBuilderRef builder, /* FIXME Add more sanity checks to see that parent really can be a parent of partial_root. subjectKeyID == authorityKeyID, signature algorithm matches public key algorithm, etc. */ - SecCertificatePathRef path = SecCertificatePathCreate(partial, parent); + SecCertificateSourceRef source = NULL; + bool is_anchor = SecPathBuilderIsAnchor(builder, parent, &source); + CFArrayRef constraints = (source) ? SecCertificateSourceCopyUsageConstraints(source, parent) : NULL; + SecCertificatePathRef path = SecCertificatePathCreate(partial, parent, constraints); + CFReleaseSafe(constraints); if (!path) continue; if (!CFSetContainsValue(builder->allPaths, path)) { @@ -1120,7 +1367,7 @@ static void SecPathBuilderReject(SecPathBuilderRef builder) { return; } - CFIndex rejectScore = builder->rejectScore; + CFIndex bestPathScore = builder->bestPathScore; CFIndex score = SecCertificatePathScore(builder->path.path, SecPVCGetVerifyTime(&builder->path)); @@ -1128,7 +1375,7 @@ static void SecPathBuilderReject(SecPathBuilderRef builder) { replace any previously accepted or rejected non EV chains with the current one. */ if (pvc->is_ev && !builder->bestPathIsEV) { - rejectScore = 0; + bestPathScore = 0; } #if 0 
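Review bot: SecPathBuilderProcessParents now runs SecPathBuilderIsAnchor for every candidate parent, which per parent walks the anchor sources and, for a hit, calls SecCertificateIsSelfSigned and possibly a trust-settings evaluation, and that work is discarded when `SecCertificatePathCreate` returns NULL or the path is already in allPaths. The computation cannot simply move below `if (!path) continue;` because the constraints feed path creation, so if this shows up in profiling a per-builder cache keyed by certificate would be the place to look; I cannot tell from here how expensive the lookups are. A comment on the `constraints` line saying they are copied from `source` even when `is_anchor` is false would save the next reader a trip into SecPathBuilderIsAnchor. The function continues outside the hunk.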
@@ -1143,26 +1390,27 @@ static void SecPathBuilderReject(SecPathBuilderRef builder) { } #endif - /* Do this last so that changes to rejectScore above will take affect. */ - if (!builder->bestPath || score > rejectScore) { + /* Do this last so that changes to bestPathScore above will take effect. */ + if (!builder->bestPath || score > bestPathScore) { if (builder->bestPath) { - secdebug("reject", - "replacing %sev %s score: %ld with %sev reject score: %" PRIdCFIndex " %@", + secinfo("reject", + "replacing %sev %s score: %ld with %sev score: %" PRIdCFIndex " %@", (builder->bestPathIsEV ? "" : "non "), - (builder->rejectScore == INTPTR_MAX ? "accept" : "reject"), - builder->rejectScore, + (builder->bestPathScore > ACCEPT_PATH_SCORE ? "accept" : "reject"), + builder->bestPathScore, (pvc->is_ev ? "" : "non "), (long)score, builder->path.path); } else { - secdebug("reject", "%sev reject score: %" PRIdCFIndex " %@", + secinfo("reject", "%sev score: %" PRIdCFIndex " %@", (pvc->is_ev ? "" : "non "), score, builder->path.path); } - builder->rejectScore = score; + builder->bestPathScore = score; builder->bestPath = pvc->path; builder->bestPathIsEV = pvc->is_ev; + builder->denyBestPath = SecPVCCheckUsageConstraints(pvc); } else { - secdebug("reject", "%sev reject score: %" PRIdCFIndex " lower than %" PRIdCFIndex " %@", - (pvc->is_ev ? "" : "non "), score, rejectScore, builder->path.path); + secinfo("reject", "%sev score: %" PRIdCFIndex " lower than %" PRIdCFIndex " %@", + (pvc->is_ev ? "" : "non "), score, bestPathScore, builder->path.path); } } 
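Review bot: The comparison `if (!builder->bestPath || score > bestPathScore)` still lets a rejected EV path displace an accepted non-EV best path, because the preceding hunk resets the local `bestPathScore` to 0 whenever the current path is EV and the best path is not; accepted paths carry at least ACCEPT_PATH_SCORE and rejected ones score below it, so the new scoring separates the two ranges but this reset ignores the separation. If the intent is only to prefer EV among rejected chains, `if (pvc->is_ev && !builder->bestPathIsEV && bestPathScore < ACCEPT_PATH_SCORE) { bestPathScore = 0; }` would preserve an accepted chain; if replacing an accepted non-EV chain by a rejected EV chain is deliberate, the comment above the reset should say so, since SecPathBuilderStep then reports a failure for that evaluation. SecPathBuilderReject starts outside this hunk.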
@@ -1170,18 +1418,31 @@ static void SecPathBuilderReject(SecPathBuilderRef builder) { static void SecPathBuilderAccept(SecPathBuilderRef builder) { check(builder); SecPVCRef pvc = &builder->path; - if (pvc->is_ev || !builder->bestPathIsEV) { - secdebug("accept", "replacing %sev accept with %sev %@", - (builder->bestPathIsEV ? "" : "non "), - (pvc->is_ev ? "" : "non "), builder->path.path); - builder->rejectScore = INTPTR_MAX; /* CFIndex is signed long which is INTPTR_T */ - builder->bestPathIsEV = pvc->is_ev; + bool isSHA2 = !SecCertificatePathHasWeakHash(pvc->path); + CFIndex bestScore = builder->bestPathScore; + /* Score this path. Note that all points awarded or deducted in + * SecCertificatePathScore are < 100,000 */ + CFIndex currScore = (SecCertificatePathScore(pvc->path, pvc->verifyTime) + + ACCEPT_PATH_SCORE + // 10,000,000 points for accepting + ((pvc->is_ev) ? 1000000 : 0)); //1,000,000 points for EV + if (currScore > bestScore) { + // current path is better than existing best path + secinfo("accept", "replacing %sev %s score: %ld with %sev score: %" PRIdCFIndex " %@", + (builder->bestPathIsEV ? "" : "non "), + (builder->bestPathScore > ACCEPT_PATH_SCORE ? "accept" : "reject"), + builder->bestPathScore, + (pvc->is_ev ? "" : "non "), (long)currScore, builder->path.path); + + builder->bestPathScore = currScore; + builder->bestPathIsEV = pvc->is_ev; + builder->bestPathIsSHA2 = isSHA2; builder->bestPath = pvc->path; + builder->denyBestPath = SecPVCCheckUsageConstraints(pvc); /* should always be false */ } - /* If we found the best accept we can we want to switch directly to the + /* If we found the best accept we can, we want to switch directly to the SecPathBuilderComputeDetails state here, since we're done. */ - if (pvc->is_ev || !pvc->optionally_ev) + if ((pvc->is_ev || !pvc->optionally_ev) && isSHA2) builder->state = SecPathBuilderComputeDetails; else builder->state = SecPathBuilderGetNext; 
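Review bot: In SecPathBuilderAccept the weak-hash status is recorded in `bestPathIsSHA2` and used to keep searching, but it does not enter `currScore`, so a later SHA-2 chain only replaces an already accepted weak-hash chain if SecCertificatePathScore rates it higher; unless that function already penalizes weak hashes (not visible here), the extra search cannot actually prefer the SHA-2 chain. If a preference is intended, give it a weight like the EV term, e.g. `((pvc->is_ev) ? EV_PATH_SCORE : 0) + (isSHA2 ? SHA2_PATH_SCORE : 0)` with both constants defined next to ACCEPT_PATH_SCORE (constructed names; the accept/reject split still relies on SecCertificatePathScore staying below ACCEPT_PATH_SCORE). The bare `1000000` should become a named constant in any case. The `/* should always be false */` on `denyBestPath` would be stronger as a sentence saying why, if the guarantee is that a path cannot be accepted while its constraints deny it.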
@@ -1218,7 +1479,7 @@ static bool SecPathBuilderComputeDetails(SecPathBuilderRef builder) { #if 0 if (!builder->caller_wants_details) { SecPVCSetPath(pvc, builder->bestPath, NULL); - pvc->result = builder->rejectScore == INTPTR_MAX; + pvc->result = builder->bestPathScore > ACCEPT_PATH_SCORE; builder->state = SecPathBuilderReportResult; return true; } @@ -1246,8 +1507,8 @@ static bool SecPathBuilderComputeDetails(SecPathBuilderRef builder) { bool completed = SecPVCPathChecks(pvc); /* Reject the certificate if it was accepted before but we failed it now. */ - if (builder->rejectScore == INTPTR_MAX && !pvc->result) { - builder->rejectScore = 0; + if (builder->bestPathScore > ACCEPT_PATH_SCORE && !pvc->result) { + builder->bestPathScore = 0; } CFReleaseSafe(details); 
@@ -1275,28 +1536,35 @@ static bool SecPathBuilderReportResult(SecPathBuilderRef builder) { if (pvc->rvcs) { CFAbsoluteTime nextUpdate = SecPVCGetEarliestNextUpdate(pvc); if (nextUpdate == 0) { + /* populate revocation info for failed revocation check */ CFDictionarySetValue(pvc->info, kSecTrustInfoRevocationKey, kCFBooleanFalse); /* iOS key */ CFDictionarySetValue(pvc->info, kSecTrustRevocationChecked, kCFBooleanFalse); /* unified API key */ - } else { - haveRevocationResponse = true; - CFDateRef validUntil = CFDateCreate(kCFAllocatorDefault, nextUpdate); - CFDictionarySetValue(pvc->info, kSecTrustInfoRevocationValidUntilKey, - validUntil); /* iOS key */ - CFDictionarySetValue(pvc->info, kSecTrustRevocationValidUntilDate, - validUntil); /* unified API key */ - CFRelease(validUntil); - CFDictionarySetValue(pvc->info, kSecTrustInfoRevocationKey, - kCFBooleanTrue); /* iOS key */ - CFDictionarySetValue(pvc->info, kSecTrustRevocationChecked, - kCFBooleanTrue); /* unified API key */ } } } + if (pvc->info && pvc->result && pvc->rvcs) { + CFAbsoluteTime nextUpdate = SecPVCGetEarliestNextUpdate(pvc); + if (nextUpdate != 0) { + /* always populate revocation info for successful revocation check */ + haveRevocationResponse = true; + CFDateRef validUntil = CFDateCreate(kCFAllocatorDefault, nextUpdate); + CFDictionarySetValue(pvc->info, kSecTrustInfoRevocationValidUntilKey, + validUntil); /* iOS key */ + CFDictionarySetValue(pvc->info, kSecTrustRevocationValidUntilDate, + validUntil); /* unified API key */ + CFRelease(validUntil); + CFDictionarySetValue(pvc->info, kSecTrustInfoRevocationKey, + kCFBooleanTrue); /* iOS key */ + CFDictionarySetValue(pvc->info, kSecTrustRevocationChecked, + kCFBooleanTrue); /* unified API key */ + } + } + if (pvc->info && pvc->result && pvc->response_required && !haveRevocationResponse) { - builder->rejectScore = 0; + builder->bestPathScore = 0; SecPVCSetResultForced(pvc, kSecPolicyCheckRevocationResponseRequired, 0, kCFBooleanFalse, true); } 
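Review bot: SecPathBuilderReportResult now calls SecPVCGetEarliestNextUpdate twice on the same pvc, once in the retained failure branch and again in the new `pvc->info && pvc->result && pvc->rvcs` block, and the two blocks test overlapping conditions (the enclosing condition of the first block is outside the hunk). Computing `nextUpdate` once and branching on `pvc->result` inside a single block would avoid the duplicate call and make the asymmetry explicit: the revocation-checked-false keys are written regardless of the result, the true keys and the valid-until date only on success. If the call is cheap this is only a readability point. The function starts outside the hunk.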
@@ -1306,6 +1574,11 @@ static bool SecPathBuilderReportResult(SecPathBuilderRef builder) { kCFBooleanTrue); } + if (pvc->info && pvc->is_ct_whitelisted && pvc->result) { + CFDictionarySetValue(pvc->info, kSecTrustInfoCertificateTransparencyWhiteListKey, + kCFBooleanTrue); + } + /* This will trigger the outer step function to call the completion function. */ @@ -1331,7 +1604,7 @@ static bool SecPathBuilderReportResult(SecPathBuilderRef builder) { bool SecPathBuilderStep(SecPathBuilderRef builder) { if (builder->activations) { secdebug("async", "activations: %lu returning true", - builder->activations); + builder->activations); return true; } @@ -1343,21 +1616,27 @@ bool SecPathBuilderStep(SecPathBuilderRef builder) { if (builder->state) { secdebug("async", "waiting for async reply, exiting"); /* A state returned false, it's waiting for network traffic. Let's - return. */ + return. */ return true; } if (builder->activations) { /* There is still at least one other running instance of this builder - somewhere on the stack, we let that instance take care of sending - the client a response. */ + somewhere on the stack, we let that instance take care of sending + the client a response. */ return false; } - SecTrustResultType result = (builder->rejectScore == INTPTR_MAX - ? kSecTrustResultUnspecified : kSecTrustResultRecoverableTrustFailure); + SecTrustResultType result = kSecTrustResultInvalid; + if (builder->bestPathScore > ACCEPT_PATH_SCORE) { + result = kSecTrustResultUnspecified; + } else if (builder->denyBestPath) { + result = kSecTrustResultDeny; + } else { + result = kSecTrustResultRecoverableTrustFailure; + } - secdebug("trust", "completed: %@ details: %@ result: %d", + secinfo("trust", "completed: %@ details: %@ result: %d", builder->bestPath, builder->path.details, result); if (builder->completed) { 
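Review bot: In SecPathBuilderStep the initializer `SecTrustResultType result = kSecTrustResultInvalid;` is dead, since every branch of the following if/else chain assigns `result`; either drop it or, if Invalid is meant as a fallback, say so in a comment rather than leaving a value that is always overwritten. The ordering — an accepted score is tested before `denyBestPath` — rests on the "should always be false" assumption in SecPathBuilderAccept, so a one-line comment here, `/* an accepted best path is never a denied one, so the accept test comes first */`, would tie the two sites together. The function starts outside the hunk.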
@@ -1398,12 +1677,12 @@ SecTrustServerEvaluateCompleted(const void *userData, } void -SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error)) { +SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error)) { SecTrustServerEvaluationCompleted userData = Block_copy(evaluated); /* Call the actual evaluator function. */ SecPathBuilderRef builder = SecPathBuilderCreate(clientAuditToken, certificates, anchors, - anchorsOnly, policies, + anchorsOnly, keychainsAllowed, policies, responses, SCTs, trustedLogs, verifyTime, accessGroups, SecTrustServerEvaluateCompleted, userData); 
@@ -1412,10 +1691,10 @@ SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, // NO_SERVER Shim code only, xpc interface should call SecTrustServerEvaluateBlock() directly -SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *pdetails, CFDictionaryRef *pinfo, SecCertificatePathRef *pchain, CFErrorRef *perror) { +SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *pdetails, CFDictionaryRef *pinfo, SecCertificatePathRef *pchain, CFErrorRef *perror) { dispatch_semaphore_t done = dispatch_semaphore_create(0); __block SecTrustResultType result = kSecTrustResultInvalid; - SecTrustServerEvaluateBlock(NULL, certificates, anchors, anchorsOnly, policies, responses, SCTs, trustedLogs, verifyTime, accessGroups, ^(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error) { + SecTrustServerEvaluateBlock(NULL, certificates, anchors, anchorsOnly, keychainsAllowed, policies, responses, SCTs, trustedLogs, verifyTime, accessGroups, ^(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error) { result = tr; if (tr == kSecTrustResultInvalid) { if (perror) { diff --git a/OSX/sec/securityd/SecTrustServer.h b/OSX/sec/securityd/SecTrustServer.h index 73008fc7..f65c2ad2 100644 --- a/OSX/sec/securityd/SecTrustServer.h +++ b/OSX/sec/securityd/SecTrustServer.h 
@@ -38,23 +38,6 @@ __BEGIN_DECLS
-
-/* args_in keys. */
-#define kSecTrustCertificatesKey "certificates"
-#define kSecTrustAnchorsKey "anchors"
-#define kSecTrustAnchorsOnlyKey "anchorsOnly"
-#define kSecTrustPoliciesKey "policies"
-#define kSecTrustResponsesKey "responses"
-#define kSecTrustSCTsKey "scts"
-#define kSecTrustTrustedLogsKey "trustedLogs"
-#define kSecTrustVerifyDateKey "verifyDate"
-
-/* args_out keys. */
-#define kSecTrustDetailsKey "details"
-#define kSecTrustChainKey "chain"
-#define kSecTrustResultKey "result"
-#define kSecTrustInfoKey "info"
-
 typedef struct SecPathBuilder *SecPathBuilderRef;
 /* Completion callback. You should call SecTrustSessionDestroy from this. */
@@ -65,7 +48,7 @@ typedef void(*SecPathBuilderCompleted)(const void *userData,
 /* Returns a new trust path builder and policy evaluation engine instance. */
 SecPathBuilderRef SecPathBuilderCreate(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly,
- CFArrayRef policies, CFArrayRef ocspResponse,
+ bool keychainsAllowed, CFArrayRef policies, CFArrayRef ocspResponse,
 CFArrayRef signedCertificateTimestamps, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, CFArrayRef accessGroups, SecPathBuilderCompleted completed, const void *userData);
@@ -96,13 +79,14 @@ dispatch_queue_t SecPathBuilderGetQueue(SecPathBuilderRef builder);
 CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder);
 /* Evaluate trust and call evaluated when done. */
-void SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error));
+void SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error));
 /* Synchronously invoke SecTrustServerEvaluateBlock. */
-SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error);
+SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error);
 void InitializeAnchorTable(void);
+
 __END_DECLS
 #endif /* !_SECURITY_SECTRUSTSERVER_H_ */
diff --git a/OSX/sec/securityd/SecTrustStoreServer.c b/OSX/sec/securityd/SecTrustStoreServer.c
index 88f5b30d..28fd42c9 100644
--- a/OSX/sec/securityd/SecTrustStoreServer.c
+++ b/OSX/sec/securityd/SecTrustStoreServer.c
@@ -65,6 +65,8 @@ static const char insertSQL[] = "INSERT INTO tsettings(sha1,subj,tset,data)VALUE
 static const char updateSQL[] = "UPDATE tsettings SET tset=? WHERE sha1=?";
 static const char deleteSQL[] = "DELETE FROM tsettings WHERE sha1=?";
 static const char deleteAllSQL[] = "BEGIN EXCLUSIVE TRANSACTION; DELETE from tsettings; COMMIT TRANSACTION; VACUUM;";
+static const char copyAllSQL[] = "SELECT data,tset FROM tsettings ORDER BY sha1";
+static const char countAllSQL[] = "SELECT COUNT(*) FROM tsettings";
 #define kSecTrustStoreName CFSTR("TrustStore")
 #define kSecTrustStoreDbExtension CFSTR("sqlite3")
@@ -78,6 +80,7 @@ struct __SecTrustStore {
 sqlite3_stmt *copyParents;
 sqlite3_stmt *contains;
 bool readOnly;
+ bool containsSettings; // For optimization of high-use calls.
 };
 static int sec_create_path(const char *path)
@@ -136,6 +139,29 @@ static int sec_sqlite3_open(const char *db_name, sqlite3 **s3h,
 return s3e;
 }
+static int64_t SecTrustStoreCountAll(SecTrustStoreRef ts) {
+ __block int64_t result = -1;
+ require_quiet(ts, errOutNotLocked);
+ dispatch_sync(ts->queue, ^{
+ sqlite3_stmt *countAllStmt = NULL;
+ int s3e = sqlite3_prepare(ts->s3h, countAllSQL, sizeof(countAllSQL),
+ &countAllStmt, NULL);
+ if (s3e == SQLITE_OK) {
+ s3e = sqlite3_step(countAllStmt);
+ if (s3e == SQLITE_ROW) {
+ result = sqlite3_column_int64(countAllStmt, 0);
+ }
+ }
+
+ if (countAllStmt) {
+ verify_noerr(sqlite3_finalize(countAllStmt));
+ }
+ });
+
+errOutNotLocked:
+ return result;
+}
+
 static SecTrustStoreRef SecTrustStoreCreate(const char *db_name, bool create) {
 SecTrustStoreRef ts;
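Review bot: `containsSettings` is a per-handle cache of "tsettings has rows", computed once in SecTrustStoreCreate and afterwards refreshed only by this process's own _SecTrustStoreSetTrustSettings and _SecTrustStoreRemoveAll (hunks on the next line); a write by any other process, or through a second handle on the same file, leaves it stale, and a stale false makes SecTrustStoreCopyParents and the digest query skip the database entirely, so a freshly installed user trust setting would be silently ignored until the handle is recreated. The spi.c hunks further down this page move the trust-store setters under `#if !TRUSTD_SERVER` while `sec_trust_evaluate` stays, which reads as if evaluation and writing may live in different processes — if so, this shortcut needs an invalidation path (re-run SecTrustStoreCountAll on a cheap trigger, or limit it to read-only stores). At minimum record the assumption on the field: `bool containsSettings; // Cached "tsettings is non-empty"; valid only while this handle is the sole writer of the DB.`. SecTrustStoreCountAll mapping any non-ROW step result to -1, which SecTrustStoreCreate then treats as "has contents", is the right fail-safe direction.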
@@ -173,6 +199,15 @@ static SecTrustStoreRef SecTrustStoreCreate(const char *db_name,
 require_noerr(s3e = sqlite3_prepare(ts->s3h, containsSQL, sizeof(containsSQL), &ts->contains, NULL), errOut);
+ if (SecTrustStoreCountAll(ts) == 0) {
+ ts->containsSettings = false;
+ } else {
+ /* In the error case where SecTrustStoreCountAll returns a negative result,
+ * we'll pretend there are contents in the trust store so that we still do
+ * DB operations */
+ ts->containsSettings = true;
+ }
+
 return ts;
 errOut:
@@ -286,6 +321,7 @@ bool _SecTrustStoreSetTrustSettings(SecTrustStoreRef ts,
 if (s3e == SQLITE_DONE) {
 /* Great the insert worked. */
 ok = true;
+ ts->containsSettings = true;
 } else if (s3e == SQLITE_ERROR) {
 /* Try update. */
 require_noerr_action_quiet(s3e = sqlite3_prepare(ts->s3h, updateSQL, sizeof(updateSQL),
@@ -361,8 +397,10 @@ bool _SecTrustStoreRemoveAll(SecTrustStoreRef ts, CFErrorRef *error)
 require(ts, errOutNotLocked);
 require(!ts->readOnly, errOutNotLocked);
 dispatch_sync(ts->queue, ^{
- if (SQLITE_OK == sqlite3_exec(ts->s3h, deleteAllSQL, NULL, NULL, NULL)) removed_all = true;
+ if (SQLITE_OK == sqlite3_exec(ts->s3h, deleteAllSQL, NULL, NULL, NULL)) { removed_all = true;
+ ts->containsSettings = false;
+ }
 /* prepared statements become unusable after deleteAllSQL, reset them */
 if (ts->copyParents)
@@ -383,6 +421,7 @@ CFArrayRef SecTrustStoreCopyParents(SecTrustStoreRef ts,
 __block CFMutableArrayRef parents = NULL;
 require(ts, errOutNotLocked);
 dispatch_sync(ts->queue, ^{
+ require_quiet(ts->containsSettings, errOut);
 CFDataRef issuer;
 require(issuer = SecCertificateGetNormalizedIssuerContent(certificate), errOut);
@@ -422,18 +461,16 @@ errOutNotLocked:
 return parents;
 }
-/* AUDIT[securityd](done):
- ts (ok) might be NULL.
- digest (ok) is a data of any length (might be 0), only its cf type has
- been checked.
-*/
-bool SecTrustStoreContainsCertificateWithDigest(SecTrustStoreRef ts,
- CFDataRef digest, bool *contains, CFErrorRef *error) {
+static bool SecTrustStoreQueryCertificateWithDigest(SecTrustStoreRef ts,
+ CFDataRef digest, bool *contains, CFArrayRef *usageConstraints, CFErrorRef *error) {
 if (contains) *contains = false;
 __block bool ok = true;
 require_action_quiet(ts, errOutNotLocked, ok = SecError(errSecParam, error, CFSTR("ts is NULL")));
 dispatch_sync(ts->queue, ^{
+ CFDataRef xmlData = NULL;
+ CFPropertyListRef trustSettings = NULL;
+ require_action_quiet(ts->containsSettings, errOut, ok = true);
 int s3e;
 require_noerr_action(s3e = sqlite3_bind_blob_wrapper(ts->contains, 1, CFDataGetBytePtr(digest), CFDataGetLength(digest), SQLITE_STATIC),
@@ -442,6 +479,17 @@ bool SecTrustStoreContainsCertificateWithDigest(SecTrustStoreRef ts,
 if (s3e == SQLITE_ROW) {
 if (contains) *contains = true;
+ if (usageConstraints) {
+ require_action(xmlData = CFDataCreate(NULL,
+ sqlite3_column_blob(ts->contains, 0),
+ sqlite3_column_bytes(ts->contains, 0)), errOut, ok = false);
+ require_action(trustSettings = CFPropertyListCreateWithData(NULL,
+ xmlData,
+ kCFPropertyListImmutable,
+ NULL, error), errOut, ok = false);
+ require_action(CFGetTypeID(trustSettings) == CFArrayGetTypeID(), errOut, ok = false);
+ *usageConstraints = CFRetain(trustSettings);
+ }
 } else {
 require_action(s3e == SQLITE_DONE, errOut, ok = SecDbErrorWithStmt(s3e, ts->contains, error, CFSTR("sqlite3_step failed")));
 }
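Review bot: The `AUDIT[securityd](done)` block that recorded `digest` as unvalidated beyond its CF type is deleted with the rename instead of being moved, although the helper still hands `CFDataGetBytePtr(digest)`/`CFDataGetLength(digest)` to the bind unchecked and is now reached through two wrappers, one of which, `_SecTrustStoreCopyUsageConstraints`, is exported in the spi.c table later on this page; reinstate the audit comment on the static helper or on the wrappers in the next hunk. In the second hunk the three `require_action(..., errOut, ok = false)` guards fail without populating `error`, so a caller that inspects `error` on a false return sees NULL — prefer `ok = SecError(errSecDecode, error, CFSTR("usage constraints are not an array"))` for the type check and a similar `SecError` for the two allocation failures (CFPropertyListCreateWithData already fills `error` on its own). When no row matches, `*usageConstraints` is never written, so document that callers must pre-initialise it to NULL. The function continues into the following hunk.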
@@ -449,7 +497,79 @@ bool SecTrustStoreContainsCertificateWithDigest(SecTrustStoreRef ts,
 errOut:
 verify_noerr(sqlite3_reset(ts->contains));
 verify_noerr(sqlite3_clear_bindings(ts->contains));
+ CFReleaseNull(xmlData);
+ CFReleaseNull(trustSettings);
 });
 errOutNotLocked:
 return ok;
 }
+
+bool SecTrustStoreContainsCertificateWithDigest(SecTrustStoreRef ts,
+ CFDataRef digest, bool *contains, CFErrorRef *error) {
+ return SecTrustStoreQueryCertificateWithDigest(ts, digest, contains, NULL, error);
+}
+
+bool _SecTrustStoreCopyUsageConstraints(SecTrustStoreRef ts,
+ CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error) {
+ return SecTrustStoreQueryCertificateWithDigest(ts, digest, NULL, usageConstraints, error);
+}
+
+bool _SecTrustStoreCopyAll(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error) {
+ __block bool ok = true;
+ __block CFMutableArrayRef CertsAndSettings = NULL;
+ require_action_quiet(ts, errOutNotLocked, ok = SecError(errSecParam, error, CFSTR("ts is NULL")));
+ require_action_quiet(trustStoreContents, errOutNotLocked, ok = SecError(errSecParam, error, CFSTR("trustStoreContents is NULL")));
+ dispatch_sync(ts->queue, ^{
+ sqlite3_stmt *copyAllStmt = NULL;
+ CFDataRef cert = NULL;
+ CFDataRef xmlData = NULL;
+ CFPropertyListRef trustSettings = NULL;
+ CFArrayRef certSettingsPair = NULL;
+ require_noerr(sqlite3_prepare(ts->s3h, copyAllSQL, sizeof(copyAllSQL),
+ ©AllStmt, NULL), errOut);
+ require(CertsAndSettings = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks), errOut);
+
+ for(;;) {
+ int s3e = sqlite3_step(copyAllStmt);
+ if (s3e == SQLITE_ROW) {
+ require(cert = CFDataCreate(kCFAllocatorDefault,
+ sqlite3_column_blob(copyAllStmt, 0),
+ sqlite3_column_bytes(copyAllStmt, 0)), errOut);
+ require(xmlData = CFDataCreate(NULL,
+ sqlite3_column_blob(copyAllStmt, 1),
+ sqlite3_column_bytes(copyAllStmt, 1)), errOut);
+ require(trustSettings = CFPropertyListCreateWithData(NULL,
+ xmlData,
+ kCFPropertyListImmutable,
+ NULL,
error), errOut);
+ const void *pair[] = { cert , trustSettings };
+ require(certSettingsPair = CFArrayCreate(NULL, pair, 2, &kCFTypeArrayCallBacks), errOut);
+ CFArrayAppendValue(CertsAndSettings, certSettingsPair);
+
+ CFReleaseNull(cert);
+ CFReleaseNull(xmlData);
+ CFReleaseNull(trustSettings);
+ CFReleaseNull(certSettingsPair);
+ } else {
+ require_action(s3e == SQLITE_DONE, errOut, ok = SecDbErrorWithStmt(s3e, copyAllStmt, error, CFSTR("sqlite3_step failed")));
+ break;
+ }
+ }
+ goto ok;
+
+ errOut:
+ CFReleaseNull(cert);
+ CFReleaseNull(xmlData);
+ CFReleaseNull(trustSettings);
+ CFReleaseNull(certSettingsPair);
+ ok:
+ if (copyAllStmt) {
+ verify_noerr(sqlite3_finalize(copyAllStmt));
+ }
+ if (CertsAndSettings) {
+ *trustStoreContents = CertsAndSettings;
+ }
+ });
+errOutNotLocked:
+ return ok;
+}
diff --git a/OSX/sec/securityd/SecTrustStoreServer.h b/OSX/sec/securityd/SecTrustStoreServer.h
index 9d2f37af..1b16a337 100644
--- a/OSX/sec/securityd/SecTrustStoreServer.h
+++ b/OSX/sec/securityd/SecTrustStoreServer.h
@@ -50,6 +50,9 @@ CFArrayRef SecTrustStoreCopyParents(SecTrustStoreRef ts,
 bool SecTrustStoreContainsCertificateWithDigest(SecTrustStoreRef source, CFDataRef digest, bool *contains, CFErrorRef *error);
+bool _SecTrustStoreCopyUsageConstraints(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error);
+
+bool _SecTrustStoreCopyAll(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error);
 __END_DECLS
diff --git a/OSX/sec/securityd/asynchttp.c b/OSX/sec/securityd/asynchttp.c
index 1c9ededa..48c2c476 100644
--- a/OSX/sec/securityd/asynchttp.c
+++ b/OSX/sec/securityd/asynchttp.c
@@ -47,8 +47,6 @@
 #define PRIstatus "ld"
 #endif
-#define ocspdErrorLog(args...) asl_log(NULL, NULL, ASL_LEVEL_ERR, ## args)
-
 /* POST method has Content-Type header line equal to "application/ocsp-request" */
 static CFStringRef kContentType = CFSTR("Content-Type");
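Review bot: Inside `_SecTrustStoreCopyAll` every `require`/`require_noerr` jumps to `errOut` without clearing `ok`, and `errOut:` falls through into the `ok:` publish step, so a failed allocation or a `CFPropertyListCreateWithData` failure part-way through the table returns true and hands back a truncated `CertsAndSettings` as if it were the whole store. Make the failure explicit and drop the partial result, e.g. right after `errOut:` add `ok = false;` and `CFReleaseNull(CertsAndSettings);` — or better, turn each guard into `require_action(..., errOut, ok = SecError(errSecDecode, error, ...))` so `error` is populated the way the `SQLITE_DONE` check already does. Two style points: `CertsAndSettings` is the only capitalised local in this file (siblings use `parents`, `xmlData`), and a label named `ok:` beside a variable named `ok` is legal but needlessly confusing. The SecTrustStoreServer.h hunk on this line would be the place for one-line contracts on `_SecTrustStoreCopyAll` and `_SecTrustStoreCopyUsageConstraints` (caller releases the returned array; the out-parameter is untouched when nothing matches).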
@@ -69,7 +67,7 @@ static CFStringRef copyParseMaxAge(CFStringRef cacheControlHeader) {
 /* The format of the cache control header is a comma-separated list, but each list element could be a key-value pair, with the value quoted and possibly containing a comma. */
- CFStringInlineBuffer inlineBuf;
+ CFStringInlineBuffer inlineBuf = {};
 CFRange componentRange;
 CFIndex length = CFStringGetLength(cacheControlHeader);
 bool done = false;
@@ -236,11 +234,11 @@ static void handle_server_response(CFReadStreamRef stream,
 stream, error.domain, (long) error.error);
 if (error.domain == kCFStreamErrorDomainPOSIX) {
- ocspdErrorLog("CFReadStream posix: %s", strerror(error.error));
+ secerror("CFReadStream posix: %s", strerror(error.error));
 } else if (error.domain == kCFStreamErrorDomainMacOSStatus) {
- ocspdErrorLog("CFReadStream osstatus: %"PRIstatus, error.error);
+ secerror("CFReadStream osstatus: %"PRIstatus, error.error);
 } else {
- ocspdErrorLog("CFReadStream domain: %ld error: %"PRIstatus,
+ secerror("CFReadStream domain: %ld error: %"PRIstatus,
 error.domain, error.error);
 }
 asynchttp_complete(http);
@@ -257,7 +255,7 @@ static void handle_server_response(CFReadStreamRef stream,
 break;
 }
 default:
- ocspdErrorLog("handle_server_response unexpected event type: %lu",
+ secerror("handle_server_response unexpected event type: %lu",
 type);
 break;
 }
@@ -315,7 +313,7 @@ errOut:
 }
 bool asyncHttpPost(CFURLRef responder, CFDataRef requestData /* , bool force_nocache */ ,
- asynchttp_t *http) {
+ uint64_t timeout, asynchttp_t *http) {
 bool result = true; /* True, we didn't schedule any work. */
 /* resources to release on exit */
 CFURLRef getURL = NULL;
@@ -376,7 +374,7 @@ bool asyncHttpPost(CFURLRef responder, CFDataRef requestData /* , bool force_noc
 }
 #endif
- result = asynchttp_request(NULL, http);
+ result = asynchttp_request(NULL, timeout, http);
 errOut:
 CFReleaseSafe(getURL);
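Review bot: `CFStringInlineBuffer inlineBuf = {};` relies on the empty-initializer GNU extension (standard only from C23); clang accepts it quietly, but `-Wgnu-empty-initializer` flags it and the conforming spelling `= {0}` gives the same zero-fill, so prefer that unless the project already uses `{}` elsewhere. The `asyncHttpPost` signature gains `timeout` in the fourth hunk with no statement of its unit or of what zero means; whatever wording is settled on in asynchttp.h should be echoed here. asyncHttpPost's body continues outside the hunk.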
@@ -407,7 +405,7 @@ void asynchttp_free(asynchttp_t *http) {
 }
 /* Return true, iff we didn't schedule any work, return false if we did. */
-bool asynchttp_request(CFHTTPMessageRef request, asynchttp_t *http) {
+bool asynchttp_request(CFHTTPMessageRef request, uint64_t timeout, asynchttp_t *http) {
 secdebug("http", "request %@", request);
 if (request) {
 http->request = request;
@@ -424,7 +422,11 @@ bool asynchttp_request(CFHTTPMessageRef request, asynchttp_t *http) {
 asynchttp_timer_proc(http);
 });
 // Set the timer's fire time to now + STREAM_TIMEOUT seconds with a .5 second fuzz factor.
- dispatch_source_set_timer(http->timer, dispatch_time(DISPATCH_TIME_NOW, STREAM_TIMEOUT),
+ uint64_t stream_timeout = timeout;
+ if (timeout == 0) {
+ stream_timeout = STREAM_TIMEOUT;
+ }
+ dispatch_source_set_timer(http->timer, dispatch_time(DISPATCH_TIME_NOW, stream_timeout),
 DISPATCH_TIME_FOREVER, (int64_t)(500 * NSEC_PER_MSEC));
 dispatch_resume(http->timer);
diff --git a/OSX/sec/securityd/asynchttp.h b/OSX/sec/securityd/asynchttp.h
index 4800f2ef..ea9c42fd 100644
--- a/OSX/sec/securityd/asynchttp.h
+++ b/OSX/sec/securityd/asynchttp.h
@@ -55,11 +55,11 @@ typedef struct asynchttp_s {
 /* Return false if work was scheduled and the callback will be invoked, true if it wasn't or the callback was already called. */
-bool asyncHttpPost(CFURLRef cfUrl, CFDataRef postData, asynchttp_t *http);
+bool asyncHttpPost(CFURLRef cfUrl, CFDataRef postData, uint64_t timeout, asynchttp_t *http);
 /* Caller owns struct pointed to by http, but is responsible for calling asynchttp_free() when it's done with it. */
-bool asynchttp_request(CFHTTPMessageRef request, asynchttp_t *http);
+bool asynchttp_request(CFHTTPMessageRef request, uint64_t timeout, asynchttp_t *http);
 void asynchttp_free(asynchttp_t *http);
 /* */
diff --git a/OSX/sec/securityd/entitlements.plist b/OSX/sec/securityd/entitlements.plist
index a88a3458..de0f7780 100644
--- a/OSX/sec/securityd/entitlements.plist
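Review bot: `timeout` flows unchanged into `dispatch_time(DISPATCH_TIME_NOW, stream_timeout)`, whose delta parameter is `int64_t`, so a `uint64_t` value above INT64_MAX becomes a negative delta and the watchdog fires immediately; only zero is remapped to STREAM_TIMEOUT. Neither this hunk nor the asynchttp.h prototypes on the same line state the unit (nanoseconds, by analogy with the `NSEC_PER_MSEC` leeway) or the zero-means-default rule, and the comment above the timer still says "now + STREAM_TIMEOUT seconds". Suggest `if (timeout == 0 || timeout > INT64_MAX) { stream_timeout = STREAM_TIMEOUT; }` plus, in the header, `/* timeout: nanoseconds to wait for the response before giving up; 0 selects STREAM_TIMEOUT. */`. If the value can originate from a client (not visible here), also cap it, so a single request cannot keep an OCSP fetch and its stream pending for arbitrarily long.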
+++ b/OSX/sec/securityd/entitlements.plist
@@ -10,15 +10,13 @@
 <true/>
 <key>com.apple.private.associated-domains</key>
 <true/>
- <key>com.apple.private.CoreAuthentication.SPI</key>
- <true/>
- <key>com.apple.private.CoreAuthentication.CallerPID</key>
- <true/>
 <key>com.apple.private.necp.match</key>
 <true/>
 <key>com.apple.private.network.socket-delegate</key>
 <true/>
 <key>com.apple.mkb.usersession.info</key>
 <true/>
+ <key>com.apple.private.applecredentialmanager.allow</key>
+ <true/>
 </dict>
 </plist>
diff --git a/OSX/sec/securityd/nameconstraints.c b/OSX/sec/securityd/nameconstraints.c
index fb520f6a..11755234 100644
--- a/OSX/sec/securityd/nameconstraints.c
+++ b/OSX/sec/securityd/nameconstraints.c
@@ -340,7 +340,7 @@ static void nc_decode_and_compare_subtree(const void *value, void *context) {
 match_context, nc_compare_subtree);
 if (status == errSecInvalidCertificate) {
- secdebug("policy","can't parse general name or not a type we support");
+ secnotice("policy","can't parse general name or not a type we support");
 }
 }
 out:
diff --git a/OSX/sec/securityd/personalization.c b/OSX/sec/securityd/personalization.c
new file mode 100644
index 00000000..d2b98545
--- /dev/null
+++ b/OSX/sec/securityd/personalization.c
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include "personalization.h"
+#include <AssertMacros.h>
+#include <utilities/SecCFWrappers.h>
+#include <CoreFoundation/CoreFoundation.h>
+
diff --git a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idksmain.m b/OSX/sec/securityd/personalization.h
similarity index 77%
rename from OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idksmain.m
rename to OSX/sec/securityd/personalization.h
index 0f747664..6e1cdf19 100644
--- a/OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idksmain.m
+++ b/OSX/sec/securityd/personalization.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
@@ -21,13 +21,11 @@
 * @APPLE_LICENSE_HEADER_END@
 */
-#include <stdlib.h>
-#include <asl.h>
+#ifndef _SECURITY_PERSONALIZATION_H_
+#define _SECURITY_PERSONALIZATION_H_
-extern int idsproxymain(int argc, const char *argv[]);
+#include <Security/Security.h>
+#include <sys/cdefs.h>
-int main(int argc, const char *argv[])
-{
- // TODO: Remove log before ship
- return idsproxymain(argc, argv);
-}
+
+#endif /* _SECURITY_PERSONALIZATION_H_ */
diff --git a/OSX/sec/securityd/spi.c b/OSX/sec/securityd/spi.c
index 4acf2b6e..d57c7968 100644
--- a/OSX/sec/securityd/spi.c
+++ b/OSX/sec/securityd/spi.c
@@ -41,6 +41,7 @@
 #include "OTATrustUtilities.h"
 static struct securityd spi = {
+#if !TRUSTD_SERVER
 .sec_item_add = _SecItemAdd,
 .sec_item_copy_matching = _SecItemCopyMatching,
 .sec_item_update = _SecItemUpdate,
@@ -53,7 +54,9 @@ static struct securityd spi = {
 .sec_trust_store_remove_certificate = SecTrustStoreRemoveCertificateWithDigest,
 .sec_truststore_remove_all = _SecTrustStoreRemoveAll,
 .sec_item_delete_all = _SecItemDeleteAll,
+#endif /* !TRUSTD_SERVER */
 .sec_trust_evaluate = SecTrustServerEvaluate,
+#if !TRUSTD_SERVER
 .sec_keychain_backup = _SecServerKeychainCreateBackup,
 .sec_keychain_restore = _SecServerKeychainRestore,
 .sec_keychain_backup_syncable = _SecServerBackupSyncable,
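Review bot: The new header declares nothing — after the include guard it only pulls in `<Security/Security.h>` and `<sys/cdefs.h>` — so either add the declarations it is meant to hold (wrapped in `__BEGIN_DECLS`/`__END_DECLS` as SecTrustServer.h does, which is what the `<sys/cdefs.h>` include is for) or add a one-line comment saying what will live here; an empty header beside a personalization.c that is likewise only includes (previous line) reads as an unfinished checkpoint. Note also that git presents this as a 77% rename of `idksmain.m`, i.e. the IDS keychain syncing proxy's `main()` is removed by this commit; confirm its entry point was re-homed elsewhere in the change.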
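Review bot: Under `TRUSTD_SERVER` the designated initialiser leaves every member of `spi` except `.sec_trust_evaluate` NULL (this hunk and the continuation on the next line), so whatever dispatches XPC operations through this table — not on this page — must treat a NULL member as an unsupported op rather than call through it. Make that contract visible where the table is defined, above `static struct securityd spi`: `/* TRUSTD_SERVER builds implement only sec_trust_evaluate; every other member is NULL and the dispatcher must reject those ops. */`.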
@@ -131,6 +134,18 @@ static struct securityd spi = {
 .soscc_DeleteAccountState = SOSCCDeleteAccountState_Server,
 .soscc_CopyEngineData = SOSCCCopyEngineData_Server,
 .soscc_DeleteEngineState = SOSCCDeleteEngineState_Server,
+ .soscc_AccountHasPublicKey = SOSCCAccountHasPublicKey_Server,
+ .soscc_AccountIsNew = SOSCCAccountIsNew_Server,
+ .sec_item_update_token_items = _SecItemUpdateTokenItems,
+ .sec_trust_store_copy_all = _SecTrustStoreCopyAll,
+ .sec_trust_store_copy_usage_constraints = _SecTrustStoreCopyUsageConstraints,
+ .sec_delete_items_with_access_groups = _SecItemServerDeleteAllWithAccessGroups,
+ .soscc_IsThisDeviceLastBackup = SOSCCkSecXPCOpIsThisDeviceLastBackup_Server,
+ .soscc_requestSyncWithPeerOverKVS = SOSCCRequestSyncWithPeerOverKVS_Server,
+ .soscc_requestSyncWithPeerOverIDS = SOSCCRequestSyncWithPeerOverIDS_Server,
+ .soscc_SOSCCPeersHaveViewsEnabled = SOSCCPeersHaveViewsEnabled_Server,
+
+#endif /* !TRUSTD_SERVER */
 };
 void securityd_init_server(void) {
diff --git a/OSX/sectests/SecurityTests-Entitlements.plist b/OSX/sectests/SecurityTests-Entitlements.plist
index dd8eb5fb..f1509978 100644
--- a/OSX/sectests/SecurityTests-Entitlements.plist
+++ b/OSX/sectests/SecurityTests-Entitlements.plist
@@ -20,12 +20,16 @@
 <true/>
 <key>application-identifier</key>
 <string>com.apple.security.regressions</string>
+ <key>com.apple.private.uninstall.deletion</key>
+ <true/>
 <key>keychain-access-groups</key>
 <array>
 <string>com.apple.security.regressions</string>
 <string>lockdown-identities</string>
 <string>apple</string>
 <string>com.apple.security.sos</string>
+ <string>123456.test.group</string>
+ <string>123456.test.group2</string>
 </array>
 <key>com.apple.private.ubiquity-kvstore-access</key>
 <array>
diff --git a/OSX/sectests/testlist.h b/OSX/sectests/testlist.h
index 2561235f..f8c6e61d 100644
--- a/OSX/sectests/testlist.h
+++ b/OSX/sectests/testlist.h
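Review bot: `.sec_delete_items_with_access_groups = _SecItemServerDeleteAllWithAccessGroups` exposes bulk keychain deletion over the securityd XPC boundary, and nothing in this hunk shows what the operation is gated on; the SecurityTests-Entitlements.plist hunk that follows adds `com.apple.private.uninstall.deletion` to the test bundle, which suggests that is the intended gate, so confirm the handler checks it before calling the server function and record it next to the entry: `.sec_delete_items_with_access_groups = _SecItemServerDeleteAllWithAccessGroups, /* caller must hold com.apple.private.uninstall.deletion */`. `.sec_trust_store_copy_all` likewise returns the whole tsettings table, certificates included; if that is meant for privileged clients only, annotate it the same way. The blank `+` line before `#endif /* !TRUSTD_SERVER */` is inconsistent with the `#endif` in the previous hunk, which has none.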
@@ -1,3 +1,7 @@
+/* sectests is deprecated. Please place new OS X Security Framework tests
+ * in SecurityTestsOSX
+ */
+
 /* Don't prevent multiple inclusion of this file. */
 #include <libsecurity_ssl/regressions/ssl_regressions.h>
 #include <libsecurity_keychain/regressions/keychain_regressions.h>
@@ -5,4 +9,3 @@
 #include <libsecurity_smime/regressions/smime_regressions.h>
 #include <libsecurity_cms/regressions/cms_regressions.h>
-
diff --git a/OSX/security2/sub_commands.h b/OSX/security2/sub_commands.h
index 36fbe7b5..7487ecc4 100644
--- a/OSX/security2/sub_commands.h
+++ b/OSX/security2/sub_commands.h
@@ -26,4 +26,6 @@
 #include "Security/Tool/SecurityCommands.h"
 #include "SOSCircle/Tool/keychain_sync.h"
+#include "SOSCircle/Tool/keychain_sync_test.h"
 #include "SOSCircle/Tool/keychain_log.h"
+#include "SOSCircle/Tool/syncbackup.h"
diff --git a/OSX/shared_regressions/shared_regressions.h b/OSX/shared_regressions/shared_regressions.h
index 2abff41a..64686bad 100644
--- a/OSX/shared_regressions/shared_regressions.h
+++ b/OSX/shared_regressions/shared_regressions.h
@@ -1,8 +1,47 @@
 /* To add a test:
 1) add it here
- 2) Add it as command line argument for SecurityTest.app in the Release and Debug schemes
+ 2) Add it as command line argument for SecurityTest.app/SecurityTestOSX.app in the Release, Debug schemes, and World schemes
+ 3) Add any resource your test needs in to the SecurityTest.app and SecurityTestOSX.app targets.
+
+ This file contains iOS/OSX shared tests that are built in libSharedRegression.a
+ For iOS only tests see Security_regressions.h
 */
 #include <test/testmore.h>
+ONE_TEST(si_15_certificate)
+ONE_TEST(si_16_ec_certificate)
+ONE_TEST(si_20_sectrust)
+ONE_TEST(si_20_sectrust_policies)
+ONE_TEST(si_21_sectrust_asr)
+ONE_TEST(si_22_sectrust_iap)
+#if !TARGET_OS_WATCH
+ONE_TEST(si_23_sectrust_ocsp)
+#else
+DISABLED_ONE_TEST(si_23_sectrust_ocsp)
+#endif
+ONE_TEST(si_24_sectrust_itms)
+ONE_TEST(si_24_sectrust_nist)
+ONE_TEST(si_24_sectrust_diginotar)
+ONE_TEST(si_24_sectrust_digicert_malaysia)
+ONE_TEST(si_24_sectrust_passbook)
+ONE_TEST(si_26_sectrust_copyproperties)
+ONE_TEST(si_27_sectrust_exceptions)
+ONE_TEST(si_28_sectrustsettings)
+ONE_TEST(si_44_seckey_gen)
+ONE_TEST(si_44_seckey_rsa)
+ONE_TEST(si_44_seckey_ec)
+ONE_TEST(si_44_seckey_ies)
+#if !TARGET_OS_WATCH
+ONE_TEST(si_67_sectrust_blacklist)
+#else
+DISABLED_ONE_TEST(si_67_sectrust_blacklist)
+#endif
+ONE_TEST(si_70_sectrust_unified)
+ONE_TEST(si_71_mobile_store_policy)
+ONE_TEST(si_74_OTA_PKI_Signer)
 ONE_TEST(si_82_seccertificate_ct)
 ONE_TEST(si_82_sectrust_ct)
+ONE_TEST(si_83_seccertificate_sighashalg)
+ONE_TEST(si_85_sectrust_ssl_policy)
+ONE_TEST(si_87_sectrust_name_constraints)
+ONE_TEST(si_97_sectrust_path_scoring)
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleApplicationIntegration2CA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleApplicationIntegration2CA.cer new file mode 100644 index 0000000000000000000000000000000000000000..0038b604398a87ba272f592d32cce914b57ccb8b GIT binary patch literal 1052 zcmXqLVv#UtVrE#t%*4pV#KE%jcj`p18JPyWY@Awc9&O)w85y}*84QvPxeYkkm_u3E zgqcEv4TTK^K^!h&F2{m`oKywRyktE?H3JopAh)nAM9?|4s3bEjGdZy&Ge1wkv9u&3 zzbLb$(ooDm1f-5xm=~fhC_leM!P(J3PMp`!*ud1t#L(Qt*w{QuoY%+#iEGf<W9VRD z2iD4C4$%rCVHSAim87N@K`b*;z-2kikvs$(3G*QjvJa8Nz@Ujy2|1J)Ss9p{82K51 z;#^EkjEoFBJQk+sgmKJ$T5#0u%lg*Gd#&y*e13C<nT=%9(i+hP?whk4r3KdfyHWCt z&vZkCf60x-|K94pTT-kVd1cxiwexe;yF=#OnY8hNv5-X4%o97;n@KFmYMi)SH23aZ ze%&*yjk2`@XEZw(pX8ajYSEjUjOm%|Og7^CT{KiS9?>zqwvmZ}L-l>Ya`xM*#}51F zN4M|O`Z#&{m7KUumU=8JALhzfud^()XZgJIOZZ%62LGAOaq~a$Fh=a#dhyNmO?8J- zAANjdv+Pga?Xb=7xY#yvd!JnN;iKWVb@xnj4mZRFBv073D>vrA<N0dMUb6RQuiOxo z|9f_J<D0wpjqd%?b6Rw&BI-I5Gb01z;>KkLjf)Lrfw3mb$0Eie@_k>8V#37Rw$jx% ztc)5n@6XGrpKZVok``uU{LjK_zzn1e<Us<;z?3Q0AfkOC(|t-A=f5x6y?PGIzPtO@ zbHo|wffUHIs2ivnC@)Z4Am1jNQBqQ1rLUh{l%tmjN|SoY`MLT<z@()I6f)ogspkjT zzyeI@Yz6{sT;SxLoWjP$%)$gr;iw577?q3+Q_uGPT@w5C<AHY1_Pd*nC$DW0x}Z4u z@y%<u)^jQ~CGgrrI(^h-oV?Bc{}-(<??kgI4(k23_7PZ@>U{eA3clC2<`Z1?IlOvT zbYx443qG24`+fQj_K#0)v~d@fU;f<rVEvL;8mvp~O)68(nnQ#f3$M!xDc%VPbv@U& z=lh+|3!6`A1g<F#WM5NR-<>yUfjMWQq5i^)yIwzxF+XtQqBPI*2LeG(OQzI!e@jqG zs9A8p{@~QstB2H+HzbA4e5?B9OvlWbcS2;uSsAxizG!T<a5%J+<E?Mf742`DY#-AX qK9ptcE#fKX`?g?;c3_84OYo=9lQ=nAKEK$%P+0B!AMr`%yBz@728~$& literal 0 HcmV?d00001 diff --git a/SecurityTests/AppleID-certs/Apple Application Integration Certification Authority Cert.crt b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleApplicationIntegrationCA.cer similarity index 100% rename from SecurityTests/AppleID-certs/Apple Application Integration Certification Authority Cert.crt rename to OSX/shared_regressions/si-20-sectrust-policies-data/AppleApplicationIntegrationCA.cer 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleCodeSigningCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleCodeSigningCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..1fc69f3d30345690bc08f80e7b6835f05b98fb8d GIT binary patch literal 1042 zcmXqLV&OArV*0j#nTe5!iBZvjmyJ`a&7<u*FC!x>D}zCjA-4f18*?ZNn=n&ou%WPl zAc(^y%;i{6kdvz5nU}0*sAix7666+^g$O#Q7L{bCWhN(<Waj57IF^=V<QHX@R2qsI zh=9~F3-dzM1?A_LC^$PB$cghB8X6iHnHZWITbdX~iSrtnA#n}rvAcl>n;UotxWU-K z5bOpXEvQ@bQ&JUzGt=`j^U@V?INYF#Q3*L*7+D#Zn;7{SfZ|+CO^l2Ti&h90{^$G2 zo&7_VcSd7ucI4hD>CVm1pT0Y1IYZgh(qq2jYW17%<|uqfvEaz&S$_Ubz&2U7BhepY zrDlhuwiW9qJ+;`&D3DT=Ta)RYI7fh0?eXi@LpmyVvJTmI{5i8m(`TV)rQod6vZr!8 zE?nZ=;uBo)`@Tfk!u};IjZRHmzU|lay_T!aN(Tsbtj>D-I_;E#_Zn;6_p6>?JK3R| zd1#4NqW<l6rq2r%clyld`|<Op?x`Y{df9b(zwA3UpIPkiPP|<raN3^pPjuHFdKu{# zE0b!h&b%sp@nn_u<L#A9J7Z^T=6iQGlf$mZW0K0I-0KGW&fj=)V)^vO3v$YLEM~?h z{%d7oW@KPo+_=%8ah(AlFnDG885#exumF=(n}INhugbz>z{SR)%?3<U?99vt{2)PL zkRnzCW*}uC3liXC5n~bQ%UpJ(+{uq+X_(WTK>4;?mlXOr4dg-6$}AEFVhtkN7c$+a zlyUz1lHIH4u<X0LZ#_qxff-1FJd3`8u7UOf%?0Xhsu?9E1y=g{<>lpiiJ+vamz<xg z4`wAN>K6f1o?dcM4sxslQ#&wL85s(S*M18U&Dt(1ac`y8#kpm(<u+wbJAUZ!L+uOi z*<%ZS+_H)CaKCMt({QTzUXt{7t5b`k<Q})*QuUfV`+c#%<l@-JU*^``<8S=7a^}H^ zyg6Sw8TOs`|Ic)p@6XrIUy7uRHl9-FySL)<%>JxrGk+(Z^#3HjQ6l|=!GU93?@qWh zF6rF;vC{GIyLBhB(`(M;c((a4UA~-^Co$(ojKv9q_E`qE(lvHGnpJsg{!(lCz$9y> zk9EN{Qrw3>_}=k!`P9*I&MJE6+?SiSM+YrGb~U22X#0&bn^#E4228h?y_L1jVt;j| m;lAXZ-&<S7U*>ilc_cAK|9XDV(wQ6Yy3A%TnAD+Gej5NGkcz+n literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleCorporateRootCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleCorporateRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..c23d1c46342fd79445a6e3176915432980f34dab GIT binary patch literal 949 zcmXqLV%})b#58jOGZP~d6NkvmY_F^*4hsx;**LY@JlekVGBR?rG8m*8Dj3MIF^94+ z^N2eZ6y&5TIOi7?<QFBDq$&jE=a(orJHk|O^N2gA7L{bCWhN(<Waj57IF^=V<QHX@ zR2m8!2!hPu;^Bgr;hC4LXUJ{92@+%zW(o~9kQ3)MG&V3dG&8g`GB7cX66ZCt1ai%x zT)MfViBSnT2pCxzn41{+84Q{jxtN+585y=(Kc1f@%jXs-cVVk|Hk<dP^%erE3*X84 zy_bAYyw%*eNKx^0l9%nuj2rA*UiWg{HZWGy&%gXV_M8G2%kBUBOF5kE?QWcSzvM?) zwQx%I=S3C*zuwJlo-F(Oy>O0&=iS$Z%O*vz++%dqo*B1S#XfU|%coV06+1211j@~R zd|GUGGyc`r?yP0;&jK&Z4p<=fwRN6nfLCJ0EzRY|McvKss+U*#^)cnoRh_QZ#?y4P zN36~>@$Y}B1-u#$Grq2CE&9CrK}qSE@Dv-JP}Y;Zt2Vzmk<=lobtE#u{NUT{b1zS= z->}qm*MBjiRg>Co?p!EbI(7E+7~QQxr?Rsxug&&0abIo9#LURRxH#D$(Lfd$d9r*g zVk{!23To$C_j#%*Fy1}!?!Rrui3|6?8t{Xpg&7(Dv#=U411SS}kbp9agn?KCb{%{m z1^gf#EWk9$h8zvRln9IlMuuW0uVv*-%O9Q&nm)Hva6$i`&;25dnxB`tinIM-`ILM0 zaQO~~LtIjvMrLN22em%9nD42J7yZsLM^at3!2gc;6r0^DTb}(XoOR{Aj?k_T+xjbJ zuIdr5o5GW29&I`?=vT^OW0RTY3^rT*@{->kmNk!d-EzO_?7vl$Qcmb!)79JfHjCxs zA&*|~EiIOd4Sl~QZ#kT|aH;+!xedp7F0xn|?rHb@p~iigheLDsd|!?aa|ACh)#;tF zQF>$e<;->Sbg!mZM4a5z!m?UG_Efg!($#1F?JoIZ%G{r-#l8Euc$TM0v%#d^>+7ao hxURhXu_oujjV6budLCZ#(Tsuf@)FLqpJJwO0sv50Vdnq< literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleCorporateVPNClientCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleCorporateVPNClientCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..a41e7307bcdce1574782677cee4191a3fac159a5 GIT binary patch literal 1096 zcmXqLVsSBOV%Ax}%*4pV#KBj>ekzZ9v4R0F8>d#AN85K^Mn-N{27@$11p_%Y=1>-9 z9&yKlf}B(Z=lr6A{G!B?RE41Y{1OFcN0<t39&zW?qLR$C%;dz9%=|nB$I_CF{G!Z~ zN<(1-L68|-JX{bnJoA$E47m+BL4s_;OrgOBa^k#(CI-famIgpzY7iyPYh;PUHOMp6 zFi?ZILmu57VF7*$&N-Q>c_7y)7*fSOO^iy&LBYt%z}&>h&tTBR$i>ve$jGo{|37_S zw+Wpxo%j6;n2P6X3H&NbcsEn*1?%?O;%UrTZuNTWPC9*LU6u0I`^WS3x?-CS`3D)k zn|DUJ&S6pYxy~E>Pj;vW7;jc#Ox$?2v8q)5zs=0bxmDsWQU@-5Ny*fiQ>t_#koWqw z-r3)T=dU=(f50oMc?P2o%l)$@M}2IISRGHLh`&vi={h%=RpR>%)6xsI%;C>P6%I-< zt(`KFtz-RZN0pDe#Sa&IC38GjFLH{x=j75mF^}uN8P8<Dv{dwU!FIdYs{xI39@kha z&e;6uGehsbjJvb{wD14G7!kZioAG7i7Edpx8Hb}M{pFr>Cu~}@HB+NJ!y%myGCM64 zo(E2t$i&RZz__^atwG}}14lLvZ8k<$R(3{47E=Rb149_!fU!+Aqokz3N?$)exwt?t z5tM-RlJj%HTmuu`WMEn<0;VDZSzy%4^0A1qh^%aV9DV!$AKm%}mQ^2atu?P`TKvF( zA0#cz$oQXy)qojD8OVbKlvyMU#2Q3Q71YkP?(<YrV7z<c-GAGR6Bq7(H827xkY~|0 z&@@nApt?Z0O%dvl<f0rTcfcH=2NX8o1L@%h*}?+M6l?|pY+T^1ketFM!OFq}%nhiS z1DGNh87u-WIy$VKA+&94)iI~*4yszWYhJaiP&~JCpBk^g-+yy@yOu7qak=&JBJ2Cj z;{A#p);~O=AAdV2o%7_v_e%?ZcK#|9@}DrZxbx+Wt$V${S<apQTPDWMqgj|~|I&>m zH@h5{G{{|9c2wuG(|hsm4Zl5w5;RShtygCGsMgie7$TNbz4siarA-Ozm(mwq<-+Wf zcTDZOs%a;lE4|>f*KT7Cwo_#a`Rqn4k8fV;Tz6eu%*(Ig+I;!ayqfdk=dQ=aRfitp zJ@x2yd%_wcL%I1M$`@;7nOyk!&OP^;TvvOOXVETB>z&p=m%N!BpZ)G&-kPJXUtGFp TtM6X2ueao3tk)t_-xE#%_T7;c literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleHomeKitServerCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleHomeKitServerCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..ddd97fb69f421540654cfdd5c1fdf43ed0f58c38 GIT binary patch literal 668 zcmXqLVwz#l#3a9fnTe5!iNpNckJ{gduS_!FV&l+i^EhYA!pvllZYXUa$;KSY!ptM& zSWu9Yst}Z)U!vgbsGzIhZfvM#paPQQ=8=U+I;R$uWTs^%CzfR9=P5XrmSp4?WtLPL z3L6N5)N%1}LDYHXCF>b-8*qXI*@T%wgAL@wc@51Bj0`M|3=GVS4Wh((jSZ2w204Zb z267OGh(pZq$j?pn&MZ*~PAw`+Edn};imr(?5N2Zs2Lcl#G&GnQ*_oXfSguO_uV2}s zXspC_fwioF^IT-=H~-*kyk!#(=6&yVF#5P{BHQ}FCm)u(&be?SM_Db3H7keRe@^4O zhz$~s5p!DqEN)zH(747x7U&gOJ{B<+kvUnvj!t7sSd*E4H?HyL-BYvmtmF*%LDIsE zjQ?3!4VZzHfjme+nMJ}ttU+Y=hI<Pmj5}s6>6&?O-`>~jZ=F_IZD0;kAkSi8pl6`7 zKx=_Un_5OmNr9EVesWQcULq*w^pf*)^}(znU=$`NrW@-4<qY^h8u>w10ppvI%|L*S z3+VB-@5w1_Oad%StPIHMfjOPQAce`mRPOJVCs}`amcNZ#DLyZ^QQwrGbAF8%(?eDF zx$CPhNBTQQ-T75{NbOI!;(O}}30s*A{IdBzoj;$!H-|T3%M9DjwHFJ^WKLBH=^r}( bp;r3#l)rmzbCVT&4|Q2&*KOfFUUU!uoG8_# literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleMacOSApplicationSigning.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleMacOSApplicationSigning.cer new file mode 100644 index 0000000000000000000000000000000000000000..708e643ec458936a52779fa73c18e906a67c482e GIT binary patch literal 1370 zcmXqLVhuBBVzFDm%*4pV#F6Nv)X}3-U~9n3#;Mij(e|B}k&%^^!Ju)PA-4f18*?ZN zn=n&ou%WPlAc(`o!{t~|kdvz5nU}0*sAHf766EGlh6sk|7v-dsXQreoxTKb)=HwTo z7AXX!<|LM6=I0d~x)?ZtR5SBf6QNqcIkl)HGc7Y2tXaXav?L?HD6^!}Ku(<3(7@2Z z$imRv)ZEx23dl7xFfueTv@kU@HjOgyHPkdvhuEV4vBx(tS;0RT%z+sfoSB}NnU{{; zSIGW0Xkt`C4jM*Q2IeM4eg>d87gG}>Bf|kZ=PMzB&d-nByvBYy`HWwGIeV(odfUo% zcJsK3V%uhhDKGuG_WOo;Kcs^>?34`B#Iz=S%+)o`dnK{VEXYQX%VgH$;Oe${D^E%| z8S-v>&b+yt^Vt95$R+pp*>zU3DY?x3q_$eq<<X88x=xA*a)RH5PkwV(XUCSJyYXLV z*on*w?DtyfGl@Y=;(J;AvXDa_=g#i^|MQX5p%;Qb_RrJ0IOScf^yZGG3$lOT^y2*0 zBGI~rd(WNE``4}ieP~Ad^}QdCJy^0}Q~JE%SIMTb-~EK&-4sl`AiC&VL3C5`h7adE zu1|PzE2JpnTwuD?3FebIJc7MPKJl;mrlEdx^`?au2EP_-3o|h@GB7S~VtfY-kyi#h zz<`$(W@P-&!eqc;AO_;8f_OXzTx=ZLY`~Po&dh8e4-!{qkuVTz5b01C=Ull>BBA@u z>s{a6Baa4!EZ%P53sNA@;${F$G7B6Q*tOYYl#~=$>FcM!l9gT}C>81@=jZAtBPWzZ zSUS-!FHb2-PSi^-$}!*r8OIND2MaS3dxL>2h|k9&#v-!d+tbss`w9(3l@$7wO5L<2 zmz>}NdW0XOK!K%+kqyXUGHCn{%^S%ntc(VY9}OB0!+gU8l-<VDxEYwrGZXWYQx)>_ z6iPBOixm*AN>xazR7lLLR47O+Dgm;Ji%WA;ixm=+lT!;yAbQe(dQw3+PXXjFU@A=l zX0c+RY)WELib6?hQ7%wJUW!6;eqKr@I5#Qerzw;cr|O_sRFDtU3$hHT5;;^93W^ew zOEQ7Z1DaWqnwy$eQmkj73HJn}m@G7a%gf7=f)*Ue$%*;~0&HC1!XY_@jggau30OX$ z78k%g!N_3W_poyLQ%|l>f8q{>ym88$lU|u`a;eAWrQGu{^Rm~gMK+z{na=w9v-;!) z)<TJA$8NPOGY)uK#vv2d8^y+6F_k?p=gHig2EIJ6cHRB-V?kcrKIZ`2rIX_R&+brl z-G0+m<IU>39Dm>Q|H=~Baq6gH{={9^q|=02GManO_<WXo7`)@Sl6uL$E}{QlPguz} zg(a+g`@Z<LqoA{c@@zr2tBe;dZKqH4to`8^WpgQh!Rt@wmFIs=jPF~u@r1YtqxFR) zchAKMGj}_E*Nv+FK82g1XoIg%zgUcV#=Yj{Z?BmjdEoc5sp5}Z{??bbL;Kfr`cL@I Vc1r7~{G0dcWpkPqg`SR1001>d`4j*E literal 0 HcmV?d00001 
diff --git a/SecurityTests/AppleID-certs/AppleRootCertificate.crt b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleRootCA.cer similarity index 100% rename from SecurityTests/AppleID-certs/AppleRootCertificate.crt rename to OSX/shared_regressions/si-20-sectrust-policies-data/AppleRootCA.cer 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleRootG2.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleRootG2.cer new file mode 100644 index 0000000000000000000000000000000000000000..739b8141312801fc4e88396bf4366075e2711173 GIT binary patch literal 1430 zcmXqLVx45r#9Xz2nTe5!iG%UM)2+?viys*9vT<s)d9;1!Wn|=GWiUuLls1rLV-96u z<`Hr%D9A}w2+GedQE+xt&{c3ZGE_5A0ZDT6$U-EYQ;SM6(=wA2OEUBG6dX%SGV+Tu zODYY84Fo~zxOliA>OAw3^$fWUI6;DJ!c3vT26E!Oh9(9k#s-EKh6V<fQR2MDmPlOs zIi!h62{{lLSs9p{nD`kCnwYqlnwS_FZU_o_c-+$L@;oYY{7s&5?myq(4`lAGiF;(W zT;*qdK(^1hodzN5Pd8tCtNP4f8>@Moh?3yZ7ptT%{oZtmbE?IX_gbDkv37-N%oe}J zzP5HeiJHX2V)W^R!|$N@`QHwFe7wtbLBLg^?oW5`O>9&C@O4{}9^)<UZ+ey-@sbOZ z9l2$ePdV6jBv`-f8`pK7i_P{@!IGcDud3Jo5#I4*QtzM38qPLbGZ<83)srsY4ZZ84 zFrnFW^3nY}B!6c=zQf`4Y<=#pc@C%iT3ahTH(oz{(7@7YbzS_b%ia0&b)^(D3eq<( z{y4)icVf+t>$g`tk5`oHG2U-jvVF(JFAtQy>@PC8|Gm+-ur_evqs<>KYls!+pFOkI zyw>maT8D@Bjeoz}a@j5VxYux+X5^hik_|o4CC79w3k0jliufP7(wJt`o^Grz!truT zd5cL<f9H>k8RGj7?_MQ5Sw1#If5q{d-@GFGL~T_}KFzvQ>X@dqh4C8q`U&%RUM2mQ z9cjbyXqw5B<a>L}ue|2zV0PvXSiivJZh)`o?<kcUJimC7=gBi~eE9C+D(5e0sT$@? 
zhVL1V%UwJ(KlfCKmBa0G=l$Kfy;5go9m~kMerBe$`-Y;!<^4y#C(bF6Kle9#;h{NG znpRI)^n9=MuAK#zQ^k*JezuG-`Fdo@vFe1KY0d%md5M4cezvVj;Boez%EZjbz_{4S zz`;Nkn0jUTSj1RFj?5I!kzhVlePHnd-uj}3Dw%S%UITuRv@j#%e->5)W*}w22NK{1 z39tY&9UF2g17<Z~Dq~~_T=x0VmmRi~_v@bH-yQuhRK(Bk;?r}Lv5ocrwtZ+f{_%dw z)4DrZmCI%JeVDR+*+qjnCwRF^=haS{S|>5L?oeT7jmWF>&3sQpoaUAA37lOmwM#Iu zvEs(Zt*#Cgt5+O2_q#UPJmcH*-|LSZ_I@L8rY0QHHl=9OE2g*IxleeOO*jx<dcMc0 zHs+aO?dOx5CS|(ub^Lg&>$J&Y#WKm>kMqyI%SzoNwLx|7a?QVA>=u=J?w@!2<oD%r z$ul3uxc#5R+Ve|J;b+^FFx979!Y$^$?nn_)^i;ImpOm(8<Dygf_KFEdJFmE!otROx z_uIdjo(<MImzFK>U}iCt+`i2!(e>BKPs%5fi}#0h8g95*leD~AbVWzkY72)$XN3NX zKK@{S-@NGbnHkUaFWU1<t*bEX`g0X&4;Q<6f99V&BlX7FhH;Nc#fi+X$DW0~VdFHL z@LI%6I__kL@-1eAiQGHP?0!Dqs*%6X{*6t4s_fGPa_vi2?V9m-(&HSp^1EzXQrOzR z_+8uOwMuNo7uNK&X}cbURvy-g_3Ur()b0{GUe*wJf7jmBSUYp~WW$$FzZ|vqUdz%| zRj9L`)7hMV#bYD?FRt5ir<=WL`O3xkN_=-~uhZm$!vRl4y7${3cI3aS#G=g6wJW#K pWpy#9)ybbh4V?FPy?iEiN>9&c)8#u)Swc2lF=;T`x`$u<Apjc>V~zj- literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleRootG3.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleRootG3.cer new file mode 100644 index 0000000000000000000000000000000000000000..228bfa39cbd5acfe53fb9d196e3c1bbbd28649f8 GIT binary patch literal 583 zcmXqLVsbWUVm!HknTe5!i9`43pN>mMy{8&*v2kd%d7QIlVP-Z+H<UJzWMd9xVdfEX zEGWoHRS3$@FHvxIRM1s$H#Sr=PytDD^T<LZol}cSGSf1X6H7Al^AsFQOEU6{GD|8A zg$)Ej>bQ8gAnH8xlJyL^4LCu9Y{E>T!3J{TyoM$QCdLMa7KWAvW>Mn2#+FE2`Z=V` zK!A-M?0+UkHdgIM76v8eBnFllFZFF5ik7^ctW?w}EOS?2>c^vt{R;1hh~4CSx{Ot; zJf%9`&*JiK8JDf~U*)$MCB>e6*%Iw<;4c`(@HZlYXX#gd9ba~L;nG{vr%%r}jCrd) zw_3sa#?FwNaWj`#1#%fKb~11<kOhW^EFX&)i^%Q`_ZCJNcg$MSHS^xSy|35bI<2zW zfFC3+%*gnkh1Gx=NEz^f1o%M$EWkKqLykG-3<iT#CPRkimj{oC#Yx4QNZfq;{!0!Y zgPZq``<vVZkMjS0R@Jj`S@yX@%va`ooqVihN7nsS%A!mLxoKSjr>^i`@ju(^Y`3K= md8u*U<J?=~+f(FE1grh*NGh@97LPt1xPs?}1oQJnn=}AQ?70g7 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleServerAuthentication.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleServerAuthentication.cer new file mode 100644 index 0000000000000000000000000000000000000000..2cd4bebd152beaa70d254295b8d0b2ddd86f62bc GIT binary patch literal 1020 zcmXqLV*X*!#PnbRGZP~d6NhqU3Cr5k%_0W8Y@Awc9&O)w85y}*84QvPxeYkkm_u3E zgqcEv4TTK^K^!h&F2{m`oKywRyktE?H3JopAh)nAM9?|4s3bEjGdZy&Ge1wkv9u&3 zzbLb$(ooDm1f-5xm=~fhC_leM!P(J3PMp`!#K73V!obkf*uW%8oY%+_iEEH+sBWMN z*2yCW(HWdtRF+x<Haa!01ZI=7qoIO<9M~y5;<y|E^8pXC50L$6(8Q>O914uA49rc8 z{0u;GE~X|%MuwegVjE7kuPzjw)OUZC-NT0K!Mm0uoT+Io`fgCe=^xJP_5WeqN$&t* zrj(6)Eln?8X9+wg@k{B~y8AOEuI=~pbr$%g+A;sKLu=VnrN(U`uEn#uAJ6fSYO6XN z_~_QuA4_U)8{Es`J96}E&Wz{FeuXQ@N)}h~olWN7uHK>da8^ds4u_m%F_kp!=bIjd z)IRU9TqNCS$8_29#`JP8Bc5wqT$@>De=N#RULh)%WB!8wcJPF2nlXE_!e_fxaM`K6 znq|N6hW*#uc`I_7w%(m-@n%xklx0VY)h@2%*mNxDd0&}#=Z+BmyazX(Zfm8syNT?c zwj+FZ;IkIt@4O4Qb*`zos93U^iJ6gsadG1^gT}=MvcS-m<zo?J5z#rC8+6z3ea{<? z#<%zHoN{JxWxQa(50VyUWc<&<YQPMn4CFxq$}AEFVhtkN7c$+alyUz1lHIH4u<X0L zZ#_qxfgVVKJPR<w4U`usE|71N%_u1;u+rC0F3QnM1f@B><osOyB4E<d0}2`Nfz<PZ zY+wN<WHti<HZE}TO-^BB;$dL|reM?r4U9@g2IY@zbpeizi{dU9Eb*MU{>GW~o`tHl zM`lg7)W4DWTiP+&<@(L+)7Gk-QlGv&K0fEghUgFX?<%PZica3?8Fz~(tt#$%{)gl% zsXa%kLTbbOQ)m6Xb!5|t4LcT|u6^LX!a;P0nB?2&L}2Q;aQ2ebfjX=CN`Ck6fANz# zJNf^G53Zpp#&%bp-pW`Y+*M|ver5j;xw3CR4>P>q*!(IuH^%fhFFWI|ABj8v9i5f! zoY=_xdRKhG+!y&%RJ`w;o3ui2k*UpN&j(`Vi|%Ca?3HlZX*SK-=-BD9nWknp!j8>| sJ)FO^Zt9_{Ra{I8X%&+`r7uzDeZjf+jH02yg1!5;-u1cb#yoQ-0KSccPyhe` literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleSoftwareUpdateCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleSoftwareUpdateCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..4a2dc6dbb64febfadc647dd875544b6e9d65f081 GIT binary patch literal 1047 zcmXqLVi7iIV*0&+nTe5!iBZ9TmyJ`a&7<u*FC!x>D}zCjA-4f18*?ZNn=n&ou%WPl zAc(^y%;i{6kdvz5nU}0*sAix7666+^g$O#Q7L{bCWhN(<Waj57IF^=V<QHX@R2qsI zh=9~F3-dzM1?A_LC^$PB$cghB8X6iHnHZWISsI#00lAh)T!Y3YDmuc<zy#t5U5F!s z^V3So6N^$6LJLw7OHvhZINqR%Q3*M07+D#Zn;7{SfZ|+CO^l2To0vY?zcEv-vRcQV z%NKuC#J9?-kI7%)#7(o#mfNK+T?gm&PqEse%jC%Y)`s`J46h#N{qGvnb|3DpmDn*M zTlmw#duB!dtF8OptHeL86E=Blu<6c^Nz)k3`qF2o-(Y-m^56Z!nV0*n&+YmCy1~M; zI!$TM>5Fl@{uHgLZ)}?QDq+XQ39H}57u?>tz`G={Xx6%b`17~Qzx=qw^h5RRg}m9H zGjb0f$+_X%u}bCF{`Xz?kBd){d;Ujrz3AO{s}|QKaf?j6xg-B#PTSOp*Ul%aKisyn z;P7;Nm6g_QH>E|>OqpZv+*^2hk=werxxXGPTJ=w(Yxm}zySt_cb1m`@IPJCE^5j8& zCT2zk#>I`B3>w!P@Bu?umY<RFKMM;mS+#+qT~?Ka*MJ+ExRO&?7!CMAs)RwRSPhtg zlz}WrfR9CtMWp+vrq}27rxq4X`OcQ>p6s~6eTJfeJV;uZMZ!R=K}7pPru&pK&VOIB zd-WWaeRub*=ZG^f11XSa(KpaF&|aXqK)p>hqokz3N?*Ucyj(94lwS3c^K<pVtmH)f zB4F~<OD@Vmj#glj2SzI+!=1A%2X?9Kk5<`os`7H_n``CC!8;2d?MwI~5s;)%xNq43 z>1(P>H5_&vC=T1%cF{+!vtY?9k^hb-1>bYbkiY4dW~s!(mwT&^S$|^we<hRVEz39i z*v@nKXn*&t%9_2am;e1auh~VyzL_`jW7gwhwkh1Tb1x_SSUIyO?AxOkPsN>5G^1*N zDD})b^GW_h$8vjv-PPTU507bm_;a{-)#QznCY=+kH=BF3)Hm$S-UuI7%{{-_KG|xp zsfb=zyDlhvCvb*T{r~?JQmm^D^ZaDh>sd<kmosKs%ZC+4y3hZ8%A1v8>5_%!eBZ4_ fj=3EF&Q@KyuXp1lUOuNKzn!9v>uyMj?F<C~2hxp3 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleSystemIntegrationCAG3.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleSystemIntegrationCAG3.cer new file mode 100644 index 0000000000000000000000000000000000000000..6af2b247653d54429df1a8eb7d2f6d7d3bac8af3 GIT binary patch literal 751 zcmXqLVtQ@R#8j|=nTe5!i6b#;;mTs0*Np~TY#dr`9_MUXn3)XH4W$hv*_cCFn0bU8 z3kq^l6@v2fOB9?P6?7HcjSbZdR6vs4JhBi;=hUK-%(Tqp#FEVXJO#(nl8pSK%#un& zVFN*sIxZeAh&s=_WIaP}15S`2n=n&ouz{R7uc3*7sezf1v5BdnL6kVJktGt>pwv*) zKpo-`1&A5JmBl5gxeA_nC8_B}5DTgAtVjc4Hg<4mFfl@dg_)6^*@=PWVz^JA#nta- z8X>h}Qcphk%WYb5KwtimT4vdOv(<Oru3t9kQ<UF&&6YJE+eBHMe>F2RM|_LxKcu9o z@rg}>)1Y#3<9CC`F9vRG9NKJ*tgP&ej4W0L76xW8z5!#KRz^ulft9{~esXbvULq*; z^^)^*!CV6qU9dnAFgB7C(~S*efng)d$0Eieq87V;l8wR)3DbQu0+unxEq|$~TWP=# zk``uU{LjK_zzn1e<Us<;ED{D{4I;ZY+*=r7+%aoO*UWqS_P$<!>$J*h19Ol9c@_f$ zJp-KuS_?GV)S#|OF3Lf242moCfN}<WAdUPWtAGiJk<CDWjSConZQqkq*qC@(m{=K* z6Bu(QgFzaTA;Yyzhd0|kHh5B{l4N@8!_GU_X;U0_^*SHX`ucdGSIyOSl{2qA`QEL1 zQpB6=&&-~a4Ak=fzDnH+4W`ijuX~GRPpUU9<lTOif7Pe|p1<suymfgOT-GVUm2zwv NgZo?umiJMs*a4`p=r;fW literal 0 HcmV?d00001 diff --git a/SecurityTests/shoebox-certs/Apple Worldwide Developer Relations Certification Authority Cert.crt b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleWWDR-expired.cer similarity index 100% rename from SecurityTests/shoebox-certs/Apple Worldwide Developer Relations Certification Authority Cert.crt rename to OSX/shared_regressions/si-20-sectrust-policies-data/AppleWWDR-expired.cer diff --git a/SecurityTests/shoebox-certs/Apple Worldwide Developer Relations Certification Authority TEST Cert.crt b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleWWDR-test.cer similarity index 100% rename from SecurityTests/shoebox-certs/Apple Worldwide Developer Relations Certification Authority TEST Cert.crt rename to OSX/shared_regressions/si-20-sectrust-policies-data/AppleWWDR-test.cer 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleWWDR.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleWWDR.cer new file mode 100644 index 0000000000000000000000000000000000000000..d2bb1da64122c864c872d9b711b176d042462748 GIT binary patch literal 1062 zcmXqLVo@?^V&+=F%*4pV#KCxP&k@Vq1p)@VY@Awc9&O)w85vnw84QvPxeYkkm_u3E zgqcEv4TTK^K^!h&F2{m`oKywRyktE?H3JopAh)nAM9?|4s3bEjGdZy&Ge1wkv9u&3 zzbLb$(ooDm1f-5xm=~fhC_leM!P(J3PMp`!*ucoZ+{n<x!o)mEoYx4MYtT3iyCZmz z9id~O1$G3FGQ{xk{Gyzc^30S}1((#a)SUc+)FOqT)EuyziVa;1oWM@uu_i*b0uB!u zG%+e6hZiF&19KB2KLb#li>Zl`k>Qj@$g<O6t4^p`dc5p;_a=Tvz1qY*Cc#zbYLXig z%TwZ(vMX=1{1>1r8WvHYTX!VypjWG%{)c-lQVYXRuCJE(pY=;r$WxR<a?PsST1IcD zC1(VQ+V*t4*`F;j^#Su5#@gwu>F4-br<!NI<=nO|{cK>${9`c}_k`!An>Li0EopDe zv*^E}E$UaTdLwGTU-QA<OOvlk6>d$KGuPNJ^ruh+PumVL-h)reU3&vOc4_NAnbP|3 z#gVzkGL~*w{3pGxU>8%Qce&F<%bj1(KJ<Biz}ll{*;B>Xzgbzkmy4MuTza<lvzzA0 z7l*rFRvySoOc&ks;qTLoJxTF-=V#u1FP;2vQtE0ZW=00a#f{4h8W$VL0>fLDk420{ zq(fbtbLBRPgzh)5cYSk@JQ@_Tc)I~VNLrYY@jnZz0W**?kOv7Uvq%_-HHc_m$aJ4l z#`*6{cCVhpvhVJ`^&D{qdLRYzEb0cT2FeQ*7s$8CW|Wi^Sn2C07v<<Bf>Nhma(=FU z5ipVI0fh|sK<fEHHn0Gbe4Bv)8y7gCC#SG6F|sfL(>iL>2Sz0$ga7&Wk^6MMZpzW` ze<$2-^n%rNMP7I9$xNP|H^ujq>s(2H^mkUSRb<TlX2!jn)@dacZCro$u&Y7;;%44+ zvhG_xPVQP<GJDD48Aa{ZcI#caCxz@Z+C4!cIGf8)VB1aEfE>jJu1>%3p6qBF+hu?6 zedkq{<@Qo*x8F5!lFt%JA<5kEuT>H4)frt++IqZRKk^h=we)T%!^(BLy$#kqT(EJE zX2Ubi@~8Vu7BQZxzw?Oene~p{Z+0b3{mh!|*mRcPTGnUklH03)o}Bv9|B3H&wV91C z_x#+Vd5N(q?V(=JH^r`_KPnzJuG@ck!rYZ>Kd=95AvG=CKqhc$%$vflrY$-AJfiXd D2`7-6 literal 0 HcmV?d00001 diff --git a/SecurityTests/AppleID-certs/iPhoneCACert.crt b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleiPhoneCA.cer similarity index 100% rename from SecurityTests/AppleID-certs/iPhoneCACert.crt rename to OSX/shared_regressions/si-20-sectrust-policies-data/AppleiPhoneCA.cer 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/AppleiPhoneDeviceCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/AppleiPhoneDeviceCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..fac79ff89daf7520aec9adafa728f34524663bac GIT binary patch literal 877 zcmXqLV$L*ZVhUWq%*4pV#K>sC%f_kI=F#?@mywZ`mBFCWklTQhjX9KsO_(V(*ihI& z5X9jU=5j13$VpZ3%uCiYR5MTk333a|LIj;ti%K%nGLsWaGV}8k97{_w@{2M{Dh+iF zv_a~ag;gNxG6OR5^HLRXC^wK3=QS`lFflYUGBPzWF^dxCH8eru8blG{G*JU#h|_qG ztu&N3kcGHJ3|UygCABOw8R#HKgU0#D0l~=1z}(o&V9?mf)Y!=Iaf;W;SG%Gl64stx z<m>AfBAF>3$)0w4`irz#?(uHx(yO+56^Cp*&GK!p*$$pii>{Vt!=Tik#t)~L&(Zc# z+n{Ry(r8sRN6C~o2fZz1)BQMtrbKl|E{?fA`OAWTp{=`p+@{CnZ7O%wPmkHdEwMjx zXHMI9t<thfl7(M1lXt3euV-RrWMEv}IM1MQwgDf|8?yY2jQ?3!fDzbczz^aJgZQil z%s>k4Pgy<|F&2?c{}h#7+NNezUTswCD;Bu1+^4U^Kpv!CnMJ}ttU=_tiI$$yJ<Ejb zEmO{wHz(>FE~qgzumCBLXE8L;H_%<6y+E@~J)@+gz)D}gyu4g55tIh>lJj%*!K~y& z{mcSTl<FlH<sgS2Fd;EFF)}ig$DU8G@(I&k5>mc5(!)mX<-QC3UnUf-?~@TN|HN}3 zGyJ6A;Z`@XGP7;*e_r)(-S&WM=i7^1v&&zt7TOu37%JK4uIw(j@gna@<KNRo7Im6L z^k*)$eV$mM`ET-)pQl|d;`W({)`;b2UR$A9%EY8sCZQj?Cw1R)!=QZ0^Lv^r=5mU4 zUw4w}d-~~$tk5BcXdTAwf7m<rtZma_^@#906{>nBbV-xyHaE?ZmLLTdhsPJs?pd^> z-Qu&M{<)SVnjvfKEEFY=&2|cXT(->Y?)KZ8yW@T?jI!Uopp0o#Lv-A`mxb(#7tUC| gyOUr0vNFiZ$F?%MnPa&Mf8KnJb)oluU9eFB0FE3n_5c6? literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/DeveloperIDCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/DeveloperIDCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..d3337393b5ba6a1cf74377a707350da14c3d5215 GIT binary patch literal 1032 zcmXqLVqr08VtTWHnTe5!i9@1l<%&bo6nPAI**LY@JlekVGBR?rG8iNoavN~6F^96S z2{VNT8wwi;f;e2lT#f|=IjIVsdC7W)Y6dDGL2hALh@f+7QAuW6W^!UlW`3T6V`)i7 zeo<ygrJ<OC2uK~XFfT-1P=0=ig0rK6oH(zck%5tcp^=fHk)dgnIIod864#*8P}e{k ztdmE@CABOyC%+)INWs%Z0hdKE2k{Va5X?6`$i6}LuR#-|5^{(zvNA9?G4eA2#krW8 z7#SHl%lz4*XF0xGs;telIR1LE{Q=Vr-7Q@9Y%2B3r`o^v=bOBK3*Utkc29F9Hp{>0 zbl-oSljF(%uo;@7&!^1YX}Xx}?3M!$A0>P_^+vP8H8V3IJHBhupLxp9tPUw{HuRU- z^=X?)q|>_%E18%jCbDeXT%l(y-{8vYn!lSbD!Sh4`3;Wi+<Zp4zuU~7<g7j-*j3P? zwral1#g99VRZkJ0?eU#ELTs1v(fOj5b*Ewv8^!ZK2@wQmha%GBtSQgfa*oRZIS zk;$<;vO!H=_D%KrxCL3Z?kgjN4DA)lG;(ESHXQO3%v9?>eeHr^(@8)6k6|SjZgP01 zRV-S)X8EH_KJAewnV1<F7#BA#GiY3FAPbBlSw0pq7LjoAw~Nl-shP1*;K84L?YcUj z9*c(<@Pnj<85#exuo^G}DFb<sfHI4Ofmnlx_JvIMDP^4hzGV06IV}6`?px0hXP^gC zAkU(1plYDJKyiV5n`}l&Nr9EVesWQcULq*{=_Tjq>K6f%kseUUfDfdeA7ldyFj2P| z2(WR1lX7wj8xtD~6EHQSCT?I<GBP+>mSiuyb8Jb!xmM3+SuU47Q+4Y1MDAFV_?vyg zB%_^I_FEqeu*`BPS@b4azToMqyWTl6%7wb|7mrTf_ilDqL2A=nvBy#Z;+?uH&i>`8 zi16gms5gGcP$j*kY|XZ<yZ!I4ke+)&a=I6HSi1fpyKS3~G+TWr&n-EkryTfh)>7vD zgfB}yma`q&9rZ|F-p#e{$@H)40^1doit>wY9SbNuYOC5GyO`nSe6t=8%l^&QuO>9; zO`VnSrQ+NdKCWQ9MZf%S$gOLc+H15Y%(wGpg~Wq3vz&HSxk<My>O3d%qT^yj_qTOn kM|4=VT-S5o^j^utZ?dN2cw%U$%SrWO_IFKB{k|3e0G_UPUH||9 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/EntrustCAL1C.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/EntrustCAL1C.cer new file mode 100644 index 0000000000000000000000000000000000000000..5d16f8d329d31f0969cadc909b4f868a42c5135e GIT binary patch literal 1270 zcmXqLV)<my#C&T3GZP~d6N^Ri%RdIZY@Awc9&O)w85vnw84Mb?7>XDOu`!3Ta0zp} z=9Ltc7MJMdrIr{v7}$YCxkb#&%ggmr5i<JD0m1P`1|}8?nR&_iMFn~aNtFskscCu& z8abJ{nI**vIhlz`dYXo+2FhR)gk?06H5CjkEiDz0EKu+PDNao>G&V2<DPtDaLY8$- zEh@=O%S=uz$;{7Fa4ap!$S=w)sZ`Ja*{o?GC(dhNX=r3<0OT5*nna278bY{+h9Is% z<3>Yn15S{+Y{E>T!G>Z6A|MWzFfY^+9R<(4WIaPm19ONQ4bXjARFJ5USq$}Keo-RO zsZfum7NzDTry9x|$U?M=fxKsAU;y_X)NDNi9gqTMVO6M|3b;I_tKehkY|zB0gd97J ztPIRejQk8haW1ANMn;C|i*;@0-DABad`Pf&Zr|hj<KA^q^EdxbT3viXBYT%XN>jV= z*>H*f8s`o?<71l`pxJ!!(_yXKH*Wi}oMCv~y=~f^J*$2Nm9reYE%{{KoWC~R%<p~o zNHM4WJh;)msO^)*D#>*M9Tgh4N)OvIH8IWEc`&uSOvPu$_gq7Z-?#tWHfJhZC^3E6 znR^PHo@OeUPT!uGCw+{}U1{^yWX|Hg+jp$4f9J}7uXp3><fy8*9G)4E93MwbIM^2Y zC(wEBgH1=$x12UIRQ(V#-}_?z?JIZxtdGm7m@xI;DJzeil{T{_ua&Yc_}Ov&;ESc4 zPozZev@5ULRN9lQ+J57Q?Xp8>(*7?^%Lrv+W@KPo+{DNY3=wt%K493&@-s62XJG-R zZZ-pc5MLO?XEk63QU=Cs9NKKaG|tY*$f9llN{mpx0b`qZMoCG5mA-y{a&ZB2+BPr( znIg}kZJ=qOzCd+>a+@MlWpYstvO;}OGE7d?0}2~hgY+n{m;lqF0UHaD$zY&ipa!#z ziBU`nY6g}h22Mk=d@N!tB61&Bce4HP<YzQ4e<xD)PO@gQhOdD<$ZTa62?MbPk<cfN z7X=&k-RRuOvDonELKRN2odw7V2AG|J35Jn@{abufOMQdG@d+kwPAbgj^jGg{o~K&O z`*sa$=CSs-i(@{8AKd6!Hp};u{oN;g|G4dT&bVnbRo3VW<GVR0PCT`L5L}k@=kDrU z+bI)19oTF$L)|P+W4h8GX@|?&ylc0H=icXk?ESu&Ng(x?^o2EsS0D4g*kxqU{Lbsb z{`*Q3s`kCHl0M?eBKvV&L%EF;$L;0T8p|3OnV(rMeto|oQu?#bzB@%Ol?!s%m*)Dq z^f_gmno^@@wySmC*;Pm4Y(n<^(|?sYS4K{A_Ou%({sm6>sIqJV+vX3Ni~d*WmB+X$ r-gIFw{JhV||0|af@1H-r#LB`pUGtdqse75-_BAn?uej~gTz3Kh(9g@> literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/EntrustRootCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/EntrustRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..ce27297ade38c499c2db43ee85c55863b024de67 GIT binary patch literal 1070 zcmXqLV$m{aVisD!%*4pV#A1<r?}q^|8>d#AN85K^Mn+av27|^eh9U++Y|No7T*BP0 zc_l@q#U*-qsU?OE26iA(ZV~hH@^ZaYgp9s(KybW~fr*7eW?piBQGuR9Ql&ysYMP#c zMowmKW=XL^PG(|~o~EIyfil<xVHu5NO$9?sOG^bL3lw}nic?bzjSUPz%9w?<kY$}y zi%K%nGLsWaGV}8k97{_w@{2M{Dit(9HftKliSt@o8X6gy7@C_Jm>Ncj^BP$im;<>c zhNgx_QA5>RO^iy&5yZ&Kz}&>h&tTBR$i>ve$jGqP*L$T<+oo5G71%|^Qna+aFYf2| z^6h)uP_{IEdxgV+Vy6=s2W|&z-;LW*Hp6ssx76GkVJklQ=<RanpQ?z+ZERfGTf5^- zwm0)fCZ0R1mpZ60)R#<IIG00na|id=_VT%*XP+FdyPlP@x>clYYV>rYfPC8%yV7_b z|Jl34^I%!0r{v!QEB1CSPS-y+e@~%g!VcY+IwvQTrBzRPw7%k6YH+O0wK<#4Ycl`T zUlOqCipM!tqtLFun^JuEp3Gn`y<LBQCr4;PtAXavYL6wEZI4au<=SGaszmp`XXq1E z3K3_Rpf-6ApJ&Fz{Xg6<&z<UYkk9vizS{Z25{gM_&IQ-59$<gS#LURRxY)_S!GI5# zW@Pyp8UM4e024Qx0Y8W@4C1pIFas$AS&#r9ix`VY=#$2af(`p_bnfI>Z1{7b3a8l4 z0_0EzW&>a-Gcs7u?hl)7@H}{CO;zP`-|5#Sr%w3ICV$Gf#x1#jTAIo)2Wdt1Q_qTu zKl%SNocZ?zk55MMv4$q$8Narzy%lTw@m$_FQNbxqJn!tMt`}U*e_j8cJad1zj@-%J zv!q<6zLxM`CV#dzTtI&|3ujcz*1Q|CRu8YuyO>iMS1BWM^zj9s$=0bhZ|~dgTlRFS z)Zwj?hxf)s@BXj+K11@f&}8)(X5D;)3v%0}*4&HwesR?b^=1Dm8;?}ZG!EY-v|;4~ zr<}>B!tVXcZQ<tVuIqhueTL$(&(Cct_2cGT^bzfS_(sY6%q(Z_>313?^lna{o$tXR Z8g_pFN9~%pS!FLHCmgM5HWf?_1ORo~ir)YL literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/FakeAppleRootCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/FakeAppleRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..f122eca07c24f0bc6dc746da65e7ee9d5749dd13 GIT binary patch literal 828 zcmXqLVzw}7Vp3pYWH8`m<J4;NX#38~$jHjdV31_UZNSOK9LmBb%oG}IC~P1I;&2Ib zITjS;q$+skCF>cg8K{5+xrJpRg3hT$C7EfN$%!SI`FRSCr6n2pMVTd)hGGUHAa%^b zybyIk`S~RZ&W;9h;=BfyhK7d5Mn(qaMy63<t`VF|7dJF9Dj|EFk(GhDiIJbdpox)- zsfm%1;c{YF*XJOg^_zdFmjoN>@37by;cV5Uv?!!v%id{IZaOn8j&J_@+o#{**%7nr zU%cilWIi`vgOOd+A#>&N4_x|X$6X#Tl{x9j^{ev)g9mHINd?h^y0>j~uD&>Qz)++p z;^98`E$>#88*e)hTAmgpbH7k|rp76Ij$;Z;tB-^SWN$p*`o8Sj^sjc@Zw{&*`gvvE z(>{Z1Q;zecWEY!#`M&My@ysuK&L<abxVzIW=D~Geh2t;&>Q*(H{8000W@<3rs514b zz>I@aKR6%i?cy`eSR=kHqxR&RH{$Y_7zLR)g-RXHXgrcWb4dHs9pA!ejeG+!rCaTj zs+~FIJA3Z--@LT5<KAK>W<~}^<PZWT4qyl|GNfr5>39n?{hA<glt=!kle@=zF0p@Z zKN@|covqW-?(Y6S>*d->2g5eov%KS}@jqvIM8(o3pM%NeovIR}NGR*Jm`Nr*=Ekcp z@74I!G3~zpL)YTDQenAlJQizCHLpKy|LIFbte$L;T7vJB+Ix;qX9z^rnN2BiePPEZ z^}Ofl4b$mzD^!)(m*rV1nYQk|)9pEX&eA9QZ_JfYSE;XMuhQBzC3z0>0!KL^{*^1U z#8%pP3GEi$bxCGXiRRUPG1Bc#(W;E!CiYjK(V3L`GXEE+?jwf<jRyBFPqWgA<9R2r qymt1TQZ`4gUPBh0d28QZ{lT$oug^aDV>!%6E7fjQDxQk5dIJE<MmH@0 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/InvalidEKUTest16.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/InvalidEKUTest16.cer new file mode 100644 index 0000000000000000000000000000000000000000..9c799a085ab41f145fe86dc62322bf68f3c7c2d1 GIT binary patch literal 992 zcmXqLV!mV0#B^i<GZP~d6C<wyFB_*;n@8JsUPeZ4RtAH{K0`$Vc{b)y7G@ra;9wtx zkfPG!5`}>LoXq4(g^*Mr+u6}j#6Sq7go}sUv7jI)RY$=yFImq})<7C0%FQDZoSIx( zlvz@#;F_17nU|Vcl$n=qC~P1IlIGyya!$<2Ov^9I%S<%nHsAyavI#SV1{(?)2!J^3 zJe<y@1*t_PnR)pJa^k#(rUn*9hK6RQ7RJU=K&}~(YXIdM)EM#u{Q%U(%)<t9o}n2% zUDw2@gdBp5tPIRejQk7+O^jSjO^l2T8-p+EKM|bhBK!Qn*T@C$>z0b2k?WM-t0e7y zCS8U#<kN-X>OBm6PoI5d-?~oY*}T^;GIXBz|Gkx!bT6aLv-gpSee>F9*`0f~8hbpw zxJB!z!8?z6t6Drvt@B$fSX6deMeDZoMuoC==6&{<+Um&i{Zi(?FfEU{8&`WS-KBe# z{mR){^FDt1+fXfZZRzVdjCa->t?1WxvUTV?vGCi+l~VSH6e^8QPxvMNQ1<J-+?=)m zr9zn&**E`R-fldhA#k_O!0v>e^W7NlM+=i(-*NQL3R@eO^zG-rYz5^t9)I5-*p}Dj zzG9zm*^6wGm2S;TPKxpS7u5Q(tz(Ue(_=ouGPOPausjnpBLm~&FoO^SeqbEQ3NteP zXJIv928N6QA4q^7B*4PV#NJ>a2I8xN_&f$&Y#iEbjI6Be%q#|yAaOw!VA^QnD*;BZ zULq*T=_TjqB8NOM?E*udk%5ElR>|U=lOc?;6^kxsHH$32^YhojvM-(s{8yYhBXJ_m z%4yN9{-v4hTkcKnTFzC-_)M#TC1vHOj=%$&*QD6J&Z_;rz^OHNS9PoSmBl<sY<1el zLwNP_wjI;SV@z3o;DqhQ6UMSjcE8y$VfIW(X5kIlFSr~8=FGlO=w<Z0WBTTe&t@F@ z!EoBSIg>-7GUGwLAWP#p`IPPPFH{Zv=RUFiy6@xSMR)Y=#22cX{rCTO@`tvgqWe*) z(&B9|R2k-Nz3=6m+GcV`)`NRp_lC;oU1uAguWB!^yxg&)s=Onju<YEiCz3DTzxZ=` gYDW6+oPy4RFYjusqCXkzGfk+9`QUD(w&?VF0Kj)=C;$Ke literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/PairingRootCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/PairingRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..59546cba8eefe235322dc606b311ea86439d87a5 GIT binary patch literal 689 zcmXqLVp?m^#5i>UGZP~d6C;BGFB_*;n@8JsUPeY%Rt5tG137VCLjwZ~BNHPdQ&U6p zC~;mR5Z4gO1*&LbR6^Fq$jZRn#K;d4=VEGNWMsIWZvV04N8{Y=uDIjJ<^QmBHgZYT z7bNGW^+{E2__?#t_SWgEEi2Of?$z0y5M_MixV_0MFG*<O^X`h60O5;VdvdbZZnI9k z*2!EJsQqqXcZlO|=B&_LY->JTSYY{-PwAzL#&71mibuCy7POvFarn7o@9dAO`4=1d z2SxIyrL{S$+52fW*C*IUhOTwzES(nc=C|lxQ7xll<rj7j#E!Xz<o<7o3Vrx$^BLn$ z3w5L9JdTzwY&p_cd;VuH=bc?^*9Ms!xb?<dMCI1~Yj!jK^f7$za(VjfIXhoh(EtBy z=GYk?pZu)wv#`_SnZ@GKmA|eWI-3#cJaI$&h4>gHnf-@^d=7atF*7nSE(V600Y4ja zsH`v}<9`-b17;v)APW-UV-aH!S$9~@-r(7juNl1IZ$pD$O}t&GavnKUfsp|WRYnF4 z+eZuQguAbQ{<<nkhiz)St&rB2y$zeJbc<TIeUrZvr~doM4v*KXUEXxB<SyT;xWGp6 z&76$x7pC#+-*NR?x-2Q3UhL`k{_*$Yy!Fbw|C&EnD>6ju?k;;(c}}NIl;gXQ2VWe| z^mBVp@-8ZV(-@*1uzK68<qNy^zZ3hY%{=|L#oQJ5iZ}LOvUX@Qy8XJJ>%07#Jw~kE z3y<Bkob#(-;;n{+U#s2+rs{Ai&Nh8JlYMV;OVNTOf^~W74{u#r^YPSyzvU^K)}ATx zkA1o)&zLo9`*xN;wN10n$X@E1VLj_q@NAY`TSto??N_Tb-m70e&KJ4R;O4tYQ6`Fl OAxrKaXk))=yb%C#sV5!) literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist b/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist new file mode 100644 index 00000000..18ffe221 --- /dev/null +++ b/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist 
@@ -0,0 +1,2020 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+ <dict>
+ <key>MajorTestName</key>
+ <string>AST2</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.42</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>idiagnostics-uat.apple.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>ast2</string>
+ <key>Intermediates</key>
+ <string>TestAppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>TestAppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2015-12-16T00:19:45Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ <key>EnableTestCertificates</key>
+ <string>AppleServerAuthenticationAllowUATAST2</string>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>AST2</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.42</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>idiagnostics-uat.apple.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>ast2</string>
+ <key>Intermediates</key>
+ <string>TestAppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>TestAppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2015-12-16T00:19:45Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>EscrowProxy</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.43</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>p04-escrowproxy.icloud.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>escrow</string>
+ <key>Intermediates</key>
+ <string>AppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-01-14T00:16:53Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ <key>EnableTestCertificates</key>
+ <string>AppleServerAuthenticationAllowUATEscrow</string>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>EscrowProxy</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.43</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>p04-escrowproxy.icloud.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>escrow</string>
+ <key>Intermediates</key>
+ <string>AppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-01-14T00:16:53Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>FMiP</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.44</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>p04-fmip.icloud.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>fmip</string>
+ <key>Intermediates</key>
+ <string>AppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-01-14T00:16:53Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ <key>EnableTestCertificates</key>
+ <string>AppleServerAuthenticationAllowUATFMiP</string>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>FMiP</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.44</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>p04-fmip.icloud.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>fmip</string>
+ <key>Intermediates</key>
+ <string>AppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-01-14T00:16:53Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>HomeKit</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.48</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>homekit.accessories-qa.apple.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>homekit</string>
+ <key>Intermediates</key>
+ <string>AppleHomeKitServerCA</string>
+ <key>Anchors</key>
+ <string>AppleRootG3</string>
+ <key>VerifyDate</key>
+ <date>2016-02-12T17:56:50Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>HomeKit</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.48</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>homekit.accessories-qa.apple.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>ast2</string>
+ <key>Intermediates</key>
+ <string>TestAppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>TestAppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-02-12T17:56:50Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>SWUpdate</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-3rdParty</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.10</string>
+ </dict>
+ <key>Leaf</key>
+ <string>AppleMacOSApplicationSigning</string>
+ <key>Intermediates</key>
+ <string>AppleWWDR-expired</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-02-01T09:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>SWUpdate</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-1stParty</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.10</string>
+ </dict>
+ <key>Leaf</key>
+ <string>softwaresigning</string>
+ <key>Intermediates</key>
+ <string>AppleCodeSigningCA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-02-01T09:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>SWUpdate</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-Development</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.10</string>
+ </dict>
+ <key>Leaf</key>
+ <string>developmentupdate</string>
+ <key>Intermediates</key>
+ <string>AppleSoftwareUpdateCA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-02-01T09:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>SWUpdate</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest-Prod</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.10</string>
+ </dict>
+ <key>Leaf</key>
+ <string>softwareupdate</string>
+ <key>Intermediates</key>
+ <string>AppleSoftwareUpdateCA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-02-01T09:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>ApplePinned</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest-TVOSAppSigning</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.62</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyPolicyName</key>
+ <string>ATVAppSigning</string>
+ <key>SecPolicyIntermediateMarkerOid</key>
+ <string>1.2.840.113635.100.6.2.1</string>
+ <key>SecPolicyLeafMarkerOid</key>
+ <string>1.2.840.113635.100.6.1.24</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>tvos_app_signing</string>
+ <key>Intermediates</key>
+ <string>AppleWWDR-expired</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-02-01T09:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>ApplePinned</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-TVOSAppSigning</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.62</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyPolicyName</key>
+ <string>WrongATVAppSigning</string>
+ <key>SecPolicyIntermediateMarkerOid</key>
+ <string>1.2.840.113635.100.6.2.1</string>
+ <key>SecPolicyLeafMarkerOid</key>
+ <string>1.2.840.113635.100.6.1.23</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>tvos_app_signing</string>
+ <key>Intermediates</key>
+ <string>AppleWWDR-expired</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-02-12T17:56:50Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>AppleSSLPinned</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest-Prod-CustomIntOid</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.63</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyPolicyName</key>
+ <string>HomeKitServerAuth</string>
+ <key>SecPolicyIntermediateMarkerOid</key>
+ <string>1.2.840.113635.100.6.2.16</string>
+ <key>SecPolicyLeafMarkerOid</key>
+ <string>1.2.840.113635.100.6.27.9</string>
+ <key>SecPolicyName</key>
+ <string>homekit.accessories-qa.apple.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>homekit</string>
+ <key>Intermediates</key>
+ <string>AppleHomeKitServerCA</string>
+ <key>Anchors</key>
+ <string>AppleRootG3</string>
+ <key>VerifyDate</key>
+ <date>2016-02-12T17:56:50Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>AppleSSLPinned</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-Prod-DefaultIntOid</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.63</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyPolicyName</key>
+ <string>HomeKitServerAuth</string>
+ <key>SecPolicyLeafMarkerOid</key>
+ <string>1.2.840.113635.100.6.27.9</string>
+ <key>SecPolicyName</key>
+ <string>homekit.accessories-qa.apple.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>homekit</string>
+ <key>Intermediates</key>
+ <string>AppleHomeKitServerCA</string>
+ <key>Anchors</key>
+ <string>AppleRootG3</string>
+ <key>VerifyDate</key>
+ <date>2016-02-12T17:56:50Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>AppleSSLPinned</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-TestHierarchy</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.63</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyPolicyName</key>
+ <string>TestAST2ServerAuth</string>
+ <key>SecPolicyLeafMarkerOid</key>
+ <string>1.2.840.113635.100.6.27.8.2</string>
+ <key>SecPolicyName</key>
+ <string>idiagnostics-uat.apple.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>ast2</string>
+ <key>Intermediates</key>
+ <string>TestAppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>TestAppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-02-12T17:56:50Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>AppleSSLPinned</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-TestHierarchy</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.63</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyPolicyName</key>
+ <string>TestAST2ServerAuth</string>
+ <key>SecPolicyLeafMarkerOid</key>
+ <string>1.2.840.113635.100.6.27.8.2</string>
+ <key>SecPolicyName</key>
+ <string>idiagnostics-uat.apple.com</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>ast2</string>
+ <key>Intermediates</key>
+ <string>TestAppleServerAuthentication</string>
+ <key>Anchors</key>
+ <string>TestAppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2016-02-12T17:56:50Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ <key>EnableTestCertificates</key>
+ <string>ApplePinningAllowTestCertsTestAST2ServerAuth</string>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>VPNProfile</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.41</string>
+ </dict>
+ <key>Leaf</key>
+ <string>tvos_vpn_profile</string>
+ <key>Intermediates</key>
+ <string>TestAppleSystemIntegration2CA</string>
+ <key>Anchors</key>
+ <string>TestAppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2015-12-16T00:19:45Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ 
<key>EnableTestCertificates</key> + <string>ApplePinningAllowTestCertsATVVPNProfile</string> + </dict> + <dict> + <key>MinorTestName</key> + <string>NegativeTest</string> + <key>MajorTestName</key> + <string>VPNProfile</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.41</string> + </dict> + <key>Leaf</key> + <string>osx_provisioning_profile</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>TestAppleRootCA</string> + <key>VerifyDate</key> + <date>2015-12-16T00:19:45Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>AppleTVOSAppSigning</string> + <key>MinorTestName</key> + <string>PositiveTest-Test</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.71</string> + </dict> + <key>Leaf</key> + <string>test_tvos_app_signing</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-07-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>AppleTVOSAppSigning</string> + <key>MinorTestName</key> + <string>PositiveTest-Prod</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.71</string> + </dict> + <key>Leaf</key> + <string>tvos_app_signing</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-07-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>AppleTVOSAppSigning</string> + <key>MinorTestName</key> + <string>NegativeTest</string> + <key>Policies</key> + <dict> 
+ <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.71</string> + </dict> + <key>Leaf</key> + <string>iphone_developer</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-07-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>EAPTLS</string> + <key>MinorTestName</key> + <string>InvalidEKU</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.9</string> + </dict> + <key>Leaf</key> + <string>InvalidEKUTest16</string> + <key>Intermediates</key> + <string>SSLTrustPolicyTestRootCertificate</string> + <key>Anchors</key> + <string>SSLTrustPolicyTestRootCertificate</string> + <key>VerifyDate</key> + <date>2015-09-01T18:11:11Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>AppleServerAuth</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.33</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>test.nosuchdomain</string> + </dict> + </dict> + <key>Leaf</key> + <string>generic_apple_server</string> + <key>Intermediates</key> + <string>AppleServerAuthentication</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2014-07-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>AppleCorporate</string> + <key>MinorTestName</key> + <string>NegativeTest-SSLServer</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.3</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + 
<string>com.apple.ist.ds.appleconnect2.production.vpn.8F2B3ADCD72ED2EA08DDC26AD0255A983B1DEBEB</string> + </dict> + </dict> + <key>Leaf</key> + <string>apple_corp_vpn_client</string> + <key>Intermediates</key> + <string>AppleCorporateVPNClientCA</string> + <key>Anchors</key> + <string>AppleCorporateRootCA</string> + <key>VerifyDate</key> + <date>2014-07-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>AppleCorporate</string> + <key>MinorTestName</key> + <string>PositiveTest-SSLClient</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.3</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>com.apple.ist.ds.appleconnect2.production.vpn.8F2B3ADCD72ED2EA08DDC26AD0255A983B1DEBEB</string> + <key>SecPolicyClient</key> + <true/> + </dict> + </dict> + <key>Leaf</key> + <string>apple_corp_vpn_client</string> + <key>Intermediates</key> + <string>AppleCorporateVPNClientCA</string> + <key>Anchors</key> + <string>AppleCorporateRootCA</string> + <key>VerifyDate</key> + <date>2014-07-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>AppleCorporate</string> + <key>MinorTestName</key> + <string>NegativeTest-EAPServer</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.9</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>com.apple.ist.ds.appleconnect2.production.vpn.8F2B3ADCD72ED2EA08DDC26AD0255A983B1DEBEB</string> + </dict> + </dict> + <key>Leaf</key> + <string>apple_corp_vpn_client</string> + <key>Intermediates</key> + <string>AppleCorporateVPNClientCA</string> + <key>Anchors</key> + <string>AppleCorporateRootCA</string> + <key>VerifyDate</key> + <date>2014-07-20T19:00:00Z</date> + 
<key>ExpectedResult</key> + <integer>5</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>AppleCorporate</string> + <key>MinorTestName</key> + <string>PositiveTest-EAPClient</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.9</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>com.apple.ist.ds.appleconnect2.production.vpn.8F2B3ADCD72ED2EA08DDC26AD0255A983B1DEBEB</string> + <key>SecPolicyClient</key> + <true/> + </dict> + </dict> + <key>Leaf</key> + <string>apple_corp_vpn_client</string> + <key>Intermediates</key> + <string>AppleCorporateVPNClientCA</string> + <key>Anchors</key> + <string>AppleCorporateRootCA</string> + <key>VerifyDate</key> + <date>2014-07-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>AppleCorporate</string> + <key>MinorTestName</key> + <string>PositiveTest-IPSec</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.11</string> + <key>Properties</key> + <dict> + <key>SecPolicyClient</key> + <true/> + </dict> + </dict> + <key>Leaf</key> + <string>apple_corp_vpn_client</string> + <key>Intermediates</key> + <string>AppleCorporateVPNClientCA</string> + <key>Anchors</key> + <string>AppleCorporateRootCA</string> + <key>VerifyDate</key> + <date>2014-07-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>TestSMP</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.32</string> + </dict> + <key>Leaf</key> + <string>test_smp</string> + <key>Intermediates</key> + <string>TestAppleSystemIntegrationCA-ECC</string> + 
<key>Anchors</key> + <string>TestAppleRootCA-ECC</string> + <key>VerifyDate</key> + <date>2014-04-11T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + <key>EnableTestCertificates</key> + <string>ApplePinningAllowTestCertsAppleSMPEncryption</string> + </dict> + <dict> + <key>MajorTestName</key> + <string>TestSMP</string> + <key>MinorTestName</key> + <string>NegativeTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.32</string> + </dict> + <key>Leaf</key> + <string>smp</string> + <key>Intermediates</key> + <string>AppleSystemIntegrationCAG3</string> + <key>Anchors</key> + <string>AppleRootG3</string> + <key>VerifyDate</key> + <date>2014-04-11T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>SMP</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.31</string> + </dict> + <key>Leaf</key> + <string>smp</string> + <key>Intermediates</key> + <string>AppleSystemIntegrationCAG3</string> + <key>Anchors</key> + <string>AppleRootG3</string> + <key>VerifyDate</key> + <date>2014-04-11T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>SMP</string> + <key>MinorTestName</key> + <string>NegativeTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.31</string> + </dict> + <key>Leaf</key> + <string>test_smp</string> + <key>Intermediates</key> + <string>TestAppleSystemIntegrationCA-ECC</string> + <key>Anchors</key> + <string>TestAppleRootCA-ECC</string> + <key>VerifyDate</key> + <date>2014-04-11T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + </dict> + <dict> + <key>MajorTestName</key> + 
<string>AppleIDRecordSigning</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.30</string> + </dict> + <key>Leaf</key> + <string>appleid_record_signing</string> + <key>Intermediates</key> + <string>AppleApplicationIntegrationCA</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2014-07-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>iPhoneApplicationSigning</string> + <key>MinorTestName</key> + <string>NegativeTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.54</string> + </dict> + <key>Leaf</key> + <string>iphone_developer</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2008-03-26T17:07:46Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>iPhoneApplicationSigning</string> + <key>MinorTestName</key> + <string>PositiveTest-TestCert</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.54</string> + </dict> + <key>Leaf</key> + <string>test_ios_app_signing</string> + <key>Intermediates</key> + <string>AppleiPhoneCA</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2008-03-26T17:07:46Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + <key>EnableTestCerts</key> + <string>ApplePinningAllowTestCertsiPhoneApplicationSigning</string> + </dict> + <dict> + <key>MajorTestName</key> + <string>iPhoneApplicationSigning</string> + <key>MinorTestName</key> + <string>PositiveTest-app</string> + <key>Policies</key> + <dict> + 
<key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.54</string> + </dict> + <key>Leaf</key> + <string>ios_app_signing</string> + <key>Intermediates</key> + <string>AppleiPhoneCA</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2008-03-26T17:07:46Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>iPhoneApplicationSigning</string> + <key>MinorTestName</key> + <string>PositiveTest-vpn</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.54</string> + </dict> + <key>Leaf</key> + <string>ios_vpn_app_signing</string> + <key>Intermediates</key> + <string>AppleiPhoneCA</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2008-03-26T17:07:46Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>iPhoneProfileSigning</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.55</string> + </dict> + <key>Leaf</key> + <string>iphone_developer</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-06-16T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>iPhoneProvisioningProfile</string> + <key>MinorTestName</key> + <string>PositiveTest-ProdCert</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.56</string> + </dict> + <key>Leaf</key> + <string>ios_provisioning_profile</string> + <key>Intermediates</key> + <string>AppleiPhoneCA</string> + 
<key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2008-03-26T17:07:46Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>iPhoneProvisioningProfile</string> + <key>MinorTestName</key> + <string>PositiveTest-TestCert</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.56</string> + </dict> + <key>Leaf</key> + <string>test_ios_provisioning_profile</string> + <key>Intermediates</key> + <string>AppleiPhoneCA</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2008-03-26T17:07:46Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + <key>EnableTestCerts</key> + <string>ApplePinningAllowTestCertsiPhoneProvisioningProfileSigning</string> + </dict> + <dict> + <key>MajorTestName</key> + <string>ExternalDeveloper</string> + <key>MinorTestName</key> + <string>PositiveTest-iPhoneDeveloper</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.65</string> + </dict> + <key>Leaf</key> + <string>iphone_developer</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-06-16T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>ExternalDeveloper</string> + <key>MinorTestName</key> + <string>PositiveTest-MacDeveloper</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.65</string> + </dict> + <key>Leaf</key> + <string>mac_developer</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + 
<date>2013-03-12T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>ExternalDeveloper</string> + <key>MinorTestName</key> + <string>PositiveTest-DeveloperID</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.65</string> + </dict> + <key>Leaf</key> + <string>developer_id</string> + <key>Intermediates</key> + <string>DeveloperIDCA</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2014-05-11T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>ExternalDeveloper</string> + <key>MinorTestName</key> + <string>NegativeTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.65</string> + </dict> + <key>Leaf</key> + <string>tvos_app_signing</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-07-30T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>SoftwareSigning</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.64</string> + </dict> + <key>Leaf</key> + <string>softwaresigning</string> + <key>Intermediates</key> + <string>AppleCodeSigningCA</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-07-30T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>SoftwareSigning</string> + <key>MinorTestName</key> + <string>NegativeTest</string> + 
<key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.64</string> + </dict> + <key>Leaf</key> + <string>ios_app_signing</string> + <key>Intermediates</key> + <string>AppleiPhoneCA</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-07-30T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>GrandSlam</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.46</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>gsa.apple.com</string> + </dict> + </dict> + <key>Leaf</key> + <string>gsa</string> + <key>Intermediates</key> + <string>AppleServerAuthentication</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-04-20T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>IDS</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.68</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>sc5mv.apple.com</string> + </dict> + </dict> + <key>Leaf</key> + <string>ids</string> + <key>Intermediates</key> + <string>AppleServerAuthentication</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>VerifyDate</key> + <date>2015-05-11T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + <key>EnableTestCertificates</key> + <string>AppleServerAuthenticationAllowUATIDS</string> + </dict> + <dict> + <key>MajorTestName</key> + <string>LegacyAPN</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + 
<key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.70</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>courier.push.apple.com</string> + </dict> + </dict> + <key>Leaf</key> + <string>apn_legacy</string> + <key>Intermediates</key> + <array> + <string>EntrustCAL1C</string> + <string>EntrustRootCA</string> + </array> + <key>VerifyDate</key> + <date>2015-05-11T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>IPSec</string> + <key>MinorTestName</key> + <string>PositiveTest-host1</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.11</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>ipsec.apple.com</string> + </dict> + </dict> + <key>Leaf</key> + <string>test_ipsec_gateway</string> + <key>Intermediates</key> + <string>FakeAppleRootCA</string> + <key>Anchors</key> + <string>FakeAppleRootCA</string> + <key>VerifyDate</key> + <date>2009-12-01T20:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>2</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>IPSec</string> + <key>MinorTestName</key> + <string>PositiveTest-host2</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.11</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>17.255.42.1</string> + </dict> + </dict> + <key>Leaf</key> + <string>test_ipsec_gateway</string> + <key>Intermediates</key> + <string>FakeAppleRootCA</string> + <key>Anchors</key> + <string>FakeAppleRootCA</string> + <key>VerifyDate</key> + <date>2009-12-01T20:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>2</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>IPSec</string> + <key>MinorTestName</key> + 
<string>PositiveTest-host3</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.11</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>ipsec2.apple.com</string> + </dict> + </dict> + <key>Leaf</key> + <string>test_ipsec_gateway</string> + <key>Intermediates</key> + <string>FakeAppleRootCA</string> + <key>Anchors</key> + <string>FakeAppleRootCA</string> + <key>VerifyDate</key> + <date>2009-12-01T20:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>2</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>IPSec</string> + <key>MinorTestName</key> + <string>PositiveTest-host4</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.11</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>17.255.42.2</string> + </dict> + </dict> + <key>Leaf</key> + <string>test_ipsec_gateway</string> + <key>Intermediates</key> + <string>FakeAppleRootCA</string> + <key>Anchors</key> + <string>FakeAppleRootCA</string> + <key>VerifyDate</key> + <date>2009-12-01T20:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>2</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>EAP</string> + <key>MinorTestName</key> + <string>PositiveTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.9</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <array> + <string>test.apple.com</string> + <string>fake.apple.com</string> + <string>ipsec.apple.com</string> + </array> + </dict> + </dict> + <key>Leaf</key> + <string>test_ipsec_gateway</string> + <key>Intermediates</key> + <string>FakeAppleRootCA</string> + <key>Anchors</key> + <string>FakeAppleRootCA</string> + <key>VerifyDate</key> + <date>2009-12-01T20:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + 
<key>ChainLength</key> + <integer>2</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>IPSec</string> + <key>MinorTestName</key> + <string>PositiveTest-host5</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.11</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>vpn3000.ivpntest.com</string> + </dict> + </dict> + <key>Leaf</key> + <string>ivpntest</string> + <key>Intermediates</key> + <string>ivpntestCA</string> + <key>Anchors</key> + <string>ivpntestCA</string> + <key>VerifyDate</key> + <date>2009-03-11T19:00:00Z</date> + <key>ExpectedResult</key> + <integer>4</integer> + <key>ChainLength</key> + <integer>2</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>EAP</string> + <key>MinorTestName</key> + <string>NegativeTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.9</string> + <key>Properties</key> + <dict> + <key>SecPolicyClient</key> + <true/> + </dict> + </dict> + <key>Leaf</key> + <string>wifi_user</string> + <key>Intermediates</key> + <array> + <string>WiFiIntermediateCA</string> + <string>WiFiRootCA</string> + </array> + <key>VerifyDate</key> + <date>2009-12-01T20:00:00Z</date> + <key>ExpectedResult</key> + <integer>5</integer> + <key>ChainLength</key> + <integer>3</integer> + </dict> + <dict> + <key>MajorTestName</key> + <string>Passbook</string> + <key>MinorTestName</key> + <string>NegativeTest-WWDRTest</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.22</string> + <key>Properties</key> + <dict> + <key>SecPolicyName</key> + <string>com.apple.testcard</string> + <key>SecPolicyTeamIdentifier</key> + <string>A1B2C3D4E5</string> + </dict> + </dict> + <key>Leaf</key> + <string>passbook_testcard</string> + <key>Intermediates</key> + <array> + <string>AppleWWDR-expired</string> + <string>AppleWWDR-test</string> + </array> + <key>VerifyDate</key> + 
<date>2012-05-10T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>Passbook</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.22</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>pass.com.apple.cardman</string>
+ <key>SecPolicyTeamIdentifier</key>
+ <string>A1B2C3D4E5</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>passbook_cardman</string>
+ <key>Intermediates</key>
+ <string>AppleWWDR-expired</string>
+ <key>VerifyDate</key>
+ <date>2012-08-10T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>Passbook</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-CardID</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.22</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>pass.com.scuzzo.cardman</string>
+ <key>SecPolicyTeamIdentifier</key>
+ <string>A1B2C3D4E5</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>passbook_cardman</string>
+ <key>Intermediates</key>
+ <string>AppleWWDR-expired</string>
+ <key>VerifyDate</key>
+ <date>2012-08-10T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>Passbook</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-TeamID</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.22</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyName</key>
+ <string>pass.com.apple.cardman</string>
+ <key>SecPolicyTeamIdentifier</key>
+ <string>01B2C3D4E5</string>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>passbook_cardman</string>
+ <key>Intermediates</key>
+ <string>AppleWWDR-expired</string>
+ <key>VerifyDate</key>
+ <date>2012-08-10T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>OTATasking</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.59</string>
+ </dict>
+ <key>Leaf</key>
+ <string>task_signing</string>
+ <key>Intermediates</key>
+ <string>AppleiPhoneCA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2011-09-01T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>OTATasking</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.59</string>
+ </dict>
+ <key>Leaf</key>
+ <string>asset_signing</string>
+ <key>Intermediates</key>
+ <string>AppleiPhoneCA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2011-09-01T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>MobileAsset</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.60</string>
+ </dict>
+ <key>Leaf</key>
+ <string>asset_signing</string>
+ <key>Intermediates</key>
+ <string>AppleiPhoneCA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2011-09-01T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>MobileAsset</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.60</string>
+ </dict>
+ <key>Leaf</key>
+ <string>task_signing</string>
+ <key>Intermediates</key>
+ <string>AppleiPhoneCA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2011-09-01T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>AppleIDAuthority</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.18</string>
+ </dict>
+ <key>Leaf</key>
+ <string>appleid_authority</string>
+ <key>Intermediates</key>
+ <string>AppleApplicationIntegrationCA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2011-09-01T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>AppleIDAuthority</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.18</string>
+ </dict>
+ <key>Leaf</key>
+ <string>appleid_record_signing</string>
+ <key>Intermediates</key>
+ <string>AppleApplicationIntegrationCA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>VerifyDate</key>
+ <date>2011-09-01T19:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>UniqueDeviceCert</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.72</string>
+ </dict>
+ <key>Leaf</key>
+ <string>ucrt</string>
+ <key>Intermediates</key>
+ <string>ucrtTestIntermediate</string>
+ <key>Anchors</key>
+ <string>ucrtTestRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>UniqueDeviceCert</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.72</string>
+ <key>Properties</key>
+ <dict>
+ <key>SecPolicyRootDigest</key>
+ <data>OWPVwBZPQ6apuGDbzYyOs3E6l+fzbjq+pLKBZHjtR0k=</data>
+ </dict>
+ </dict>
+ <key>Leaf</key>
+ <string>ucrt</string>
+ <key>Intermediates</key>
+ <string>ucrtTestIntermediate</string>
+ <key>Anchors</key>
+ <string>ucrtTestRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>EnableTestCertificates</key>
+ <string>ApplePinningAllowTestCertsUCRT</string>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>iPhoneActivation</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.49</string>
+ </dict>
+ <key>Leaf</key>
+ <string>device_activation</string>
+ <key>Intermediates</key>
+ <string>AppleiPhoneCA</string>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>iPhoneActivation</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.49</string>
+ </dict>
+ <key>Leaf</key>
+ <string>device_activation</string>
+ <key>Intermediates</key>
+ <string>AppleiPhoneCA</string>
+ <key>Anchors</key>
+ <string>AppleiPhoneCA</string>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ <key>ChainLength</key>
+ <integer>2</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>iPhoneDeviceCert</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.50</string>
+ </dict>
+ <key>Leaf</key>
+ <string>device_cert</string>
+ <key>Intermediates</key>
+ <array>
+ <string>AppleiPhoneDeviceCA</string>
+ <string>AppleiPhoneCA</string>
+ </array>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>VerifyDate</key>
+ <date>2008-01-01T20:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>FactoryDeviceCert</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.51</string>
+ </dict>
+ <key>Leaf</key>
+ <string>factory_device_cert</string>
+ <key>Intermediates</key>
+ <string>TestAppleiPhoneDeviceCA</string>
+ <key>Anchors</key>
+ <string>TestAppleiPhoneDeviceCA</string>
+ <key>VerifyDate</key>
+ <date>2008-01-01T20:00:00Z</date>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>2</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>LockdownPairing</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.57</string>
+ </dict>
+ <key>Leaf</key>
+ <string>pairing_host_cert</string>
+ <key>Intermediates</key>
+ <string>PairingRootCA</string>
+ <key>Anchors</key>
+ <string>PairingRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>2</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>LockdownPairing</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-noAnchor</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.57</string>
+ </dict>
+ <key>Leaf</key>
+ <string>pairing_host_cert</string>
+ <key>Intermediates</key>
+ <string>PairingRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ <key>ChainLength</key>
+ <integer>2</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>LockdownPairing</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-wrongRoot</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.57</string>
+ </dict>
+ <key>Leaf</key>
+ <string>WrongPairingRootCA</string>
+ <key>Intermediates</key>
+ <string>PairingRootCA</string>
+ <key>Anchors</key>
+ <string>PairingRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>ConfigurationProfile</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.25</string>
+ </dict>
+ <key>Leaf</key>
+ <string>configuration_profile</string>
+ <key>Intermediates</key>
+ <string>AppleApplicationIntegration2CA</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ <key>VerifyDate</key>
+ <date>2016-01-01T20:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>MacAppStoreReceipt</string>
+ <key>MinorTestName</key>
+ <string>PositiveTest</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.19</string>
+ </dict>
+ <key>Leaf</key>
+ <string>mac_app_store_receipt</string>
+ <key>Intermediates</key>
+ <string>AppleWWDR</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>4</integer>
+ <key>ChainLength</key>
+ <integer>3</integer>
+ <key>VerifyDate</key>
+ <date>2016-01-01T20:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>MacAppStoreReceipt</string>
+ <key>MinorTestName</key>
+ <string>NegativeTest-badOID</string>
+ <key>Policies</key>
+ <dict>
+ <key>PolicyIdentifier</key>
+ <string>1.2.840.113635.100.1.19</string>
+ </dict>
+ <key>Leaf</key>
+ <string>mac_app_store_receipt_badoid</string>
+ <key>Intermediates</key>
+ <string>AppleWWDR</string>
+ <key>Anchors</key>
+ <string>AppleRootCA</string>
+ <key>ExpectedResult</key>
+ <integer>5</integer>
+ <key>VerifyDate</key>
+ <date>2016-03-01T20:00:00Z</date>
+ </dict>
+ <dict>
+ <key>MajorTestName</key>
+ <string>MacAppStoreReceipt</string>
+ <key>MinorTestName</key> + 
<string>NegativeTest-expired</string> + <key>Policies</key> + <dict> + <key>PolicyIdentifier</key> + <string>1.2.840.113635.100.1.19</string> + </dict> + <key>Leaf</key> + <string>mac_app_store_receipt</string> + <key>Intermediates</key> + <string>AppleWWDR-expired</string> + <key>Anchors</key> + <string>AppleRootCA</string> + <key>ExpectedResult</key> + <integer>5</integer> + <key>VerifyDate</key> + <date>2016-03-01T20:00:00Z</date> + </dict> +</array> +</plist> diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/SSLTrustPolicyTestRootCertificate.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/SSLTrustPolicyTestRootCertificate.cer new file mode 100644 index 0000000000000000000000000000000000000000..de5db461fdbd8d716415d9b925668026f37427be GIT binary patch literal 987 zcmXqLV!m$B#I%0_GZP~d6C<MmFB_*;n@8JsUPeZ4RtAH{K0`$Vc{b)y7G@ra;9wtx zkfPG!5`}>LoXq4(g^*Mr+u6}j#6Sq7go}sUv7jI)RY$=yFImq})<7C0%FQDZoSIx( zlvz@#;F_17nU|Vcl$n=qC~P1IlIGyya!$<2Ov^9I%S<%nHsAyavI#SV1{(?)2!J^3 zJe<y@1*t_PnR)pJa^k#(rUn*91_nk3hK80=;=D#cuAw=UJNO*j#HfTEsEn)(%uS5^ z3<gb%Tue=jj12d!?f1Ofr}ELIvfGl;_VS!3pD$`VH~(|_{Nu*w>x*C1UXYfM<*keD z+<g3@-M+lXcjxyyUE6pmIn$T(C8wgGlU&7jg`UvQMz62D{kwO$>I80;thR&pdnAwA zG6f0z`+RxLbltCuzD{yKqgSDr6Mmw19!q4i_>JVa`%hJ@O}Isi-vlI1dcRucwbT8w z?D&+67I$8nHDzr+lka7{{_-c;&tGovFNpnmS8<a3#~HjrMNM|EPJZ#>akiJ0=z8kA zcYd^>`9+(xw~N+HxKQLIwC!QOK)GCkwUgnUId^}Xt&U6mvRa0>Ui$xrUrt<2dd@zY zMNOv@zwF;_GS7L<`+%cIBI;8unV1<F7#G_a*nrcJtS}?ve-;h{HXy~s$Y8(+OaQX{ zATbtZCZ-kxF%VxB#OE>KV&l+eV`ODzXGTx9zz}9+;PqRRe&E5cG`+)i6HNT>r~G2m z^P9O~;<srJ9b>;KhwVxES$VeL^o7OZ?I}67MW?*u*6n}a!g9sn^Zz{yHS{k2bzUrS zu9G3sE~}vUl#R`rtUo(rDn+iJkW9`s*Z5g+ZKvL*(u=Hf&RuDLFzLJ7{o?pAng3H+ zR%~ABQ^J0XYv)-Xae0U0+HJ+hHRNmE+q4!fZ0=s-*7{nqC(dR`@m!Xs=X_c=%?kz2 zs5i>mN!7}D|8=$8Ep>FArc#)WR@n))`5*i}PRvy}IXC&p!?gt~OE+)&Z~D43t3fcK ucJ<XuOD@ZpDBj=4<$tE~R7ayWo1na*lJn#;oe9zLPIl81z0WA+eE<M7o?|Bf literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleGlobalRootCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleGlobalRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..6bf7899fb749df376a9c1eea9fbabcd480a6c037 GIT binary patch literal 630 zcmXqLVk$CdV*IgynTe5!i9=?qf4Sr5l_3UPY#dr`9_MUXn3)ao43!KN*qB3En0X{a zQj1Fz9199^QWe~D@{<yC6oT^eOB9?P4b==(Kx(*oWFgYdsYNB3X_?81C7Jno3XY{E z8Tmz-C6$K427(}UTs&M5b)I?2dWPHvoFG9qVW!Yv137VCLsJ72BO?PN6Jt~JC~;mB z14APtGXrBoV`K9uy1S>$K!A-M92!iFY^>UiEDTD_NenFSns=;-dN=tmdrZE@Iq8ai zVJmm_X;U|PzpGb&lF2;Z`oH@m4cB>l9`^=kmLBMcoH;3VXYh4rpFda4AGJD*?%s1c zm}CF1%r;d<?|j3}Eo*f={_j_cQc&F<Epn<a%3r!{ak4?8fh;gsWcgUcSVX2>4vYWc zdC=j$b(2{<XX(4C5k}4i{2*yzM#ldvtOm?L%0M0@pv)p+Al86g2OmfQKS&1)Fv{7G zBbqsb!620h81P+p;uo-ot=#-|I_rGBWsL$p&+eRClh*C@YP)+b_q39^zAuhxe!RA- zbWeo9r>C!(3>kj1rp}wV@_vWj1b&upbz9%><@@=HF>h{bnoM%_?1Hl_QwnU^*qZiQ N9jQH9%d+O=Cjg3A%(wsm literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleRootCA-ECC.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleRootCA-ECC.cer new file mode 100644 index 0000000000000000000000000000000000000000..72b24a954591839ea089c275916801951b2dfc3c GIT binary patch literal 555 zcmXqLVp2C~Vm!NmnTe5!i6ipj8-YoV$B!6rv2kd%d7QIlVP-N&H&ir`XJZa!Vdjwt zNi8l>a4aauNmU5S&o5DMc2v++aCLSzR4|YODdFZ3cTO!T$xO>kPAtjH&r@(LEy>6) z$}Fig6gCh9so>(_g6Q|mOV%^wHsAyavI#SV1{=tU^BS5M7#bTI8Jd`xm_>>68UwjT zW>7Bu91>|D%*GD(KNBM~Aeb51nVlF|sx1UAa4nXukyZI^c`aLpYr2QQf1d(RTg5d0 zubm9*C%-S5^}<KpcHh*1Alu*xpN&>GZ;LBF@m#!Hf^+ix=~u-TCmSRh$O64A%f}+d zB67+7(NUAaV*<UC-?2E$Ka}QwcvjGWA0#cz$oQXy)qojDfdgMwnMJ}ttO2_YK9CN6 zkPcvcF|r}Y9<v97fh&_D!yPv5qIQKh-|w9G^rMq2JbBh6ua>;K;sNjS8GRNmD7na_ mAa7c=mAkUx%AEOzcg$pt{Y@=$NZ<7*KQiw9tGM<x2D|_ix}<>s literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleRootCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..7b905a910de1c3a329271234d221baea6591f2f5 GIT binary patch literal 1232 zcmXqLVmV{b#JptzGZP~d6NfE>_XN9p4=xz+vT<s)d9;1!Wn^S!WiUuL<Tl`BV-96u z6J`nxHWW4x1aY`{xEu=#a#9sM^OE%p)eKZXg4{f^5JBhEqLR$C%;dz9%=|nB$I_CF z{G!Z~N<(P_Nsu~b9-)xb;t~aj;-LKe5(Q^R137VCLsJ72BO?PNLsJurC~;n6Qv)Ld zOCv)Q17ou&`Z=VDQ3*K^7+D#Zn;7{S44N3Zn3@<F8IE6c4zB0z$bPmleeS#TZO_Yv z8jsvp$*w9@`Oe6B&ScV83l68cH*-J5T1?zBd4{Q=%?yU}o7X>k{rIrw_4HWpM7`ff z&tz=R%@jDZG_hhuBh$R+$w&WdDm7)STE+K!<qff7)%|lhlJqNBzI}6HH_w|XJ^4oc zyP|t9jK1Youq;@isMcllcw=ho!fL6NOq+JUyL-3a(es4;9l868i>J=q{YP_`gY!<A zvnLf@i`V}DyC^5dTE={$Nngz6tIQD^$3K<j3m(|Ix9+|2X4@TmEz){ERZKnDZIo&? z+fypW(dJldz?;?&k>ZUnroG5Iv-!B&{zi|BoYH%W<*vU_U*YMoNXAi?iJ6gsad8u4 z6);4~3}k^ZD$B<r#v&5ALwkyq^sbK#>)r(fDI1@RJRCB^fFC3+%*gnkh1Gx=NEyh3 z1e94M48$6+>u6#Gr7&3qmL^6HpbacQ%m7W2$tkRi292K#wAeVb*?_5&orzIQE~BKR zpx8=Zzr4I$FA<a`^^)^*^}(#<M16zC!*In+294Wz8aD@}=42-3C8sI?(`HFVX0bvt zJh`SSBvmRT=2a>bBo>tbS;fVrxv9kpiOI>S1tkzYX+S-xAe^TFvICgNlYrTv7$}>P zSd^krl3J7t)R32=ker{Fk_pNH#R~ap3Z=!VIw%$u<OB7BECZ^9+Yibv1x1O;C7D3y z0nIE)%}vcKDb_RK0|f~`C>U9Q*_91BeF8HnFnuyI2*l-N{#nNVi1X@{3Cn7f?!4R3 zucG9?IsLZLhHEPA&pyAJcVTMjs^uL2H<(_RU%bCFlt*UCg&z#!E>p~st(*V(J>C4K zy7t_^l_76;3oR?s-t56}yzgst#z_^W`h~uKLT+A&Z3-^bOgqn?YqZRMU5NUj9wDC( z*A6z69yXS|*d6hVA+zlHQ(O0+2j)DNl$*LINc7y49|j`amVDjoH4VbnM`^5i$RAi% zHtYG$+QkMh9v6zf*w5=PG&^<m`z0@(K3wuu2-WO}h-pesRtPwDisi)~+sSN-n-1&` umV4Okv2y42XYqbf`p#=i_o^l6GhS`WPWhG2>Jr)<J$X*eay36DZ4Urlvc;DG literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleRootCAG3.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleRootCAG3.cer new file mode 100644 index 0000000000000000000000000000000000000000..782883ad18080a70ac39c15bafca77261d97d3af GIT binary patch literal 592 zcmXqLV)8L)V!XV7nTe5!iKD`d`^)wd+cp?*v2kd%d7QIlVP-bSF;p;+V`C0wVdfDJ zNi8l>a4aauNmU5S&o5DMc2v++a5pwoGf)Ak;O3EqNIIt$m1L%6CMT9;=I1FmmX>7X z7iE@I8VVZ-g4A*Ga6#00<|XSHavN}h1lfd{LW2$D#CZ)(4NQ!T42%uUO-!Q1c})xq zjf~8ITw`PNC_1~Q%s_yR9UKx&jBKphjVugG%t;I^E2WZ6-tSq~bxkYFLg}UI+FKe6 zJddXQi=B8l=ljejyPjypCtlibowFiQaO;D#?@EGg(_;_slFkjSzwoo+!T+1AYons~ zTU9OR43aXe=UMbZ;H%l?6R#FTb7{01Xv9zXHf6DsfrEi8Fi>RqSj1RF{<z&}&XIri z>CXM-GsV|&yQGUtyBY9<q=gw7|Ff_fFas$AK9B%ENPq<xn{3E&$ehk#kiujjC1RoS ze+$RyS0}A+ooV`fllP)_-hTNbq9QK$XUx8ScbD`&|M}ueE-{r(s4Y7)SxleFfa&@z z?tOP{-~L?8HeqGN-t3y1r$_zxToz5y-@-EM?Ci{5tz)tg{~sG|yKQIkKfT~10C91` AVE_OC literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleServerAuthentication.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleServerAuthentication.cer new file mode 100644 index 0000000000000000000000000000000000000000..51e3ddca7fe6dbb15784546d294711ef08465e36 GIT binary patch literal 1043 zcmXqLV&OMvV*0*-nTe5!iNjlCrFD4sH#GxZHcqWJkGAi;jEvl@3<l|j+y<O%%%Lo7 z!c3vThQbDdAPyG~mt#RePO5@uUb3E{nt=*Pkef#qBIul2RFavNnVeXXnV+ZNSXz>i zUzAx=X((+V2~x+*BNUQaT%rI`9F(75qTuXkAScdiXlh_)U}0cxYGGm;CC+PPX<!WG z8k!m#m_!*A8R{5lL9{C)X%9{<DoZT_Taubr0<+WE(NMua4&o?rT+YGj7i8ZWG%+e6 zhX*4o19KB2KLb#li>Zl`k>O~yy~pLG$&+h%%rkFmusR4`m*?7Xc$bQ$(j7}D`M;B0 zZIrp~woF?V8oBGp%;#P4{p-?}Ydo5laq~@3`oFvTBDbuao}99Q!)ABhMa>%#3uor& z>u>%V6M1Ukvve05;VtWU8IA{U|C$(a^@P)(M}MzcN;Etw+VkV^{L?q|n;mA^g~lbW zJkltlT`eiPwk57%MS3Nxm`BVyDecJltCG0&!_U505o@uwW<q7a8eich%Rd*ty*AnP z?uujom^FMO4t5`8=6im>;;!PcT)71n*Oy;s>8U>@`l{pQx?Z;j?NjXfg9SU3XI9U> zktwCLZmY!7`L7BMxz#7P%6?yPxQWaD-K8t<nV1<F7#BBgHfY>nAPWp_Sw0pq7LgUF zs%Eb+FPvxlCTew>-ks|rw$+~u_(9UbjEw(TSPhtglz}`*K$%6tK&(L|a)<U5E9qSy z8P>fE2vRma8F@HlhJiImfjo<efsuj10=)$~ZCV*6B?VUc`pHE(x}}LFddc}k1$v2~ zWC&#D>X!i1R1q*S=>g>p_&}QZLDsPV(>I%e02>!LRVSygG4Zf40TVWAItRupBZHty zqIOMOy5<xSNwKR}s@?@lr7X(QW_hNwkYm@W#;+P$=dNZ4t$Dt8v+~Y#o#XQo7v9XV z_Yb{Ny542&k8=^r^?qc1C<`<!^*QzJaOCl4>%0{F;&-l=*=DAiz+~iJyWo-8W@`t9 zc@_>bb<L)8=5}BF`RdB2<_89^4!^T4n=y}zee1SA7DnG3-}kBNJU+gBZAZDUfNXj| z$_6GDomW1M#``{>bxxk{a)0-+N9IN!pGeAoU3ZK12=_08Q{@$@*Zg(=C13WjUCDQZ z|JoTXUAEcxrhHS<>pY#|cdznk^SzYhm*pKF!#~ArDYrTypWEQmow4-STKSls0QI-u Moio;&#C<CP07`v_)c^nh literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleSystemIntegration2CA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleSystemIntegration2CA.cer new file mode 100644 index 0000000000000000000000000000000000000000..025b0d3c8d4a42e2ecb41b0e0388406a89fe8441 GIT binary patch literal 1070 zcmXqLV$m{aVisD!%*4pV#NizvbMe6?t?LH7Y@Awc9&O)w85y}*84S`5xeYkkm_u3E zgqcEv4TTK^K^!g~F2{m`oKywRyktE?H3JopAUBUJM9?|4s3bEjGdZy&Ge1wkv9u&3 zzbLb$(oot!5~PlqM<^t<xI_V>I4D2AM8Vn7Ku(<3(A2=pz|z3b(9p;vN}Sio+`!V% z*vQD()Yv@Aps~l$!N3lp-yBJQaAk2xYA(<rC8_B}5F3pYaJhh3mtyrMazGd~F)ASk z6(cJHa}y&!15licsfm%1VYT<1SoO76XEyWZ6wlqJDdz6C@Vtr@N5%<>_yqy|J1SjN zbE@2quXEn;RQ_`)N5QryYZtDSTC<}s>(ViP{rm^#k4^XCO1dV{p~$kT|F(Ej^O<`~ zuLzV*OAMNR%Z5SQvFh2iTZ`(;T@0rklD_QY#OKVlB=f<mmTx&FM_-#ic(*lj?}}Bo zd*oayy(N<hX1?t#>iJ`7e&2>8oclNHGLt(Fv$Z-Z7T(bCmHz3}f8)2m(eB^Je=#=v z-&3>7!=Br%(&5W8F~PYT%{11>asEq;Ym(0Sy7roscG{coPl{7(UP!P7S)3GO5Dthk zILmBqXLX5D^g-CpyqOGEnsQT>WB%xGeaOVj$iTR`akD|=1_N1OtjY4Rh_Q(Lm72Q4 zKDo<sq0zi`#!D+N$1U7^#eg3qEzHRHpM}+c8Aut(g9MaWBn-qFL?U-+PqC8T^^sxS zyMQ2N<CBqxLuMFQgA~ZKm>3ut7%b3Rpwp(6QBqQ1rLUh{l%rdkSfZDlUsRx%2uh(q zX0Cn-Fu4^0)0rMn-hdCJnIB{w3oz-k83?d(ffIak3L6s_3llKSqh<kMyfQNMSz2#a zVUM;tr)!tnklr!V;&B{*6#J_u0lFq1YBMj-ZMK~M<L|mDUXeGiN_~E|OZU!RQR4+^ z!mPeq+#F>mEN)?r<;gpqn(qH*+Nb;Caw``s*qK_{TI)2a_Sf-0TnnD8R(;&6H|c2q zRrM`}M(lQs!AwO)jzx0*mhWF5aC3h5e09dB6c?SDT&jnHBW`=8h}2232ub{Sp;u*b zIBDISSz&22dX2YCaCvi)S$74WZ-CbJ1>#FCshnS}rBNMRQs=mq@55p(F}Kd5Z`Gg5 zuTKv;bVf)^`m1|B+cL4ppr6O){3?rI?r-pNVVR?gt(}m>N1wmHr)_Oqcj9YJwa+DA I9+%sn08Rjf!T<mO literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleSystemIntegrationCA-ECC.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleSystemIntegrationCA-ECC.cer new file mode 100644 index 0000000000000000000000000000000000000000..967f52257bf452f4ec127e4b467d12111ee10efc GIT binary patch literal 732 zcmXqLV!C0_#8kh4nTe5!i6glnV#m{CQE~=cY#dr`9_MUXn3)XH4HXUK*_cCFn0X{Z zQj1Fz9199^QWb*o^Gg(*9TjvHT%DZ_6%6D+O1OE%ol}cSGSf1X6H7Al^AsFQOEU6{ zGD|8Ag$)EjD!6#KAo@M?lJyL^4LCu9Y{E>T!3J{TyoM$QMh0evW=3Wv=27CjMj);U zlxt9GsBfSPaflj{LxL-dOHy+cJo8FY(~BUsQq@_J2EuIY;Lu=Vga!*UBRjJb154l* zkKF8ympmS@7{x7`_`gl@kpkyAx4J_Ds}#E2zeE-u%G~?!%Z@jv@4K?iPO+Miz#+Dy z{mZ<(qx(fxZg9xH$i29Uk=3Ayk<lQ8jYFG_k(HI5k&(s2z|Ft~#y4PWv&bkZDX`Ml z&rdEc&@D|Y(M!%RD$q*=#Q~6+3l=vp(JcYS3|O!T7%$0*smaL(vcRyC<zo?J5n1de z{BKJAgGK#fAAZQq?iOh&i2P|F1d<kJWc<&<VZa8Ym>3zr@hq#%B4HrbAacq5(NUAa zV*<UC-?2E$Ka}QwcvjHB6{Ja?#m>OSz-ocT0<$&~sPmGGa<I7$(^+~zl?HquWB5UK z15+3y8*+MMc4shfVN%G-u%CL$^wKuBuO^GWNcD*39;@q^Ixn=Zzan*RbV0H!lY+GC kMB|Tn)dzX?J{WKQe^`D^{^~#J+oZ$ScPu-<++TqW072Z}ssI20 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleiPhoneDeviceCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/TestAppleiPhoneDeviceCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..962c37bf30d42e354f43243ae9f1e2c2454bb6d1 GIT binary patch literal 892 zcmXqLVy-Y~VoF%R%*4pV#K>sC%f_kI=F#?@mywZ`mBFB~!I0a4lZ`o)g-w_#G}uts zKoG>?66SI&D9A}w@XSlrGgLEB0SR&o%R&U5Q;SM6(=wA2OEUBG6dX%SGV+TuODYXb z42(ePm_@XsLtKMHVih3DGXpa6^HLRX=rWKK=QS`lFg7wYFf%eRHHZ@DH8L_VHZ+2A z4HAiPp{Ri{#DzS_R>B<4EFz1|K`yCfnaMzRIT|$1M-CT8RtDzAUSQaCGBq|bTu%tn z`ZYP|&h2%RvahX)6qlc+@YZDAA<-9)KUgQX+{o=^N-cSoB%yxsPsL$<vu4YQ^KFeD zOs$__z1n@>NB7pA*wr#Iy9F}c!*+=7H}U%5nb&3N<?p`R?$w$5dS7--6Pt3^;@gL& z^J;(77Zx)*-%#Dlq|?+{Q^1&UsH-)hrM#JmnUR5UapOFL#@PmZKu^l@Gcx{XVFAWx zn*l$FFAU<d8ZZMX16hy&ABz}^hy|;{O8aA#U*62huXksP%Ue<@_|-rjB(2OMVIbBZ z;=0IZWmmM9dR*%=Usf4)m!<7x;szEV1@bJ02KolN3$zz#wy9^7loVL$>z9|8>m`Cx zgkExfu0EKRoT#5!0E$_?<f0tp@B^kR<|al)hTeVIC;S@bRkZPNUdVfU@Q%TEO>YH1 zot(`oMSst!m?TU!xNeka`1H!v<W=^ajo(~W7hc#SetY$vH@lZOWIcZpeoP}@u;>p@ zAiLphhmdz$pUFMGGyA7a)~*|e6+YheJZ-g1^K8)1&z~jY?lv{=c;Poiph`|~L9%aO zf|smok?(>v@*8G!Z!wN)O*miQX_}OJQQBk4n^Or=bC+G*Y5O^4N&3a5(%Wu6Pc1#Y zUcc)0jfG!6bMButQ_5u7TluCI?rkeFV&8aP*=*9X{`8WY3?KHe=ZHU_y8E#0&D~kT svL<`=56=4Nn;su#JYm!O|LV6S6GAss9O^NNPPBUXCUH`?KFh3Q0OEB<EdT%j literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/WiFiIntermediateCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/WiFiIntermediateCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..f95a6cccecd30b4201c95dc2844a46ab243e92b3 GIT binary patch literal 1115 zcmXqLVhJ~BVzytv%*4pV#K>&G%f_kI=F#?@mywZ`mBB#VP}D$}jX9KsS(qn0(=Ags zC_leM*V)lPPMp`k)W8r3!5~VU*9e(wplqmUAP><f0oLf5SCU$ko0^iDSdt1fK)1Lg z(V&S@3E4tMRtDxKMt%mMI2ThBBO}A2fAbhNq}G<XJmWIH@afZmci$ZpT^aVA@(<)) zvP$lw`Pn&-{~7MPn&M&j#@9m9FgfNokK1;qe@`nop1wYLd|420(jvBtf_~3EqYo|L zsqg&l!S8*(FAXI^R}}N8UVWS9d-!d3VafX~ffJ0Pns?@T%;&qJc%m~QVCNbQw#Tc? zR*FsXyR5~w&bC`>62nYSyQ!LC^P^oSPgr})&XJ$_X`@nbkaxY)jNM6cFTce;IiDFD zBQRgRc*nb2-_AIPT~^YRs(aeC-SPa1DGY`tom$!IrnANN{SOg(C2?rF)r*Jedzm;* zd?I#K-jlj5921Z@adN7fue@Ngv_`h;tlex6eH1;-nV1<F7#BA&E&zte90Pk`aLOvP zSQwZ!h+LN~IdLs(N{_&KR{zJ-mR&o)De3b<=_QglBMcav299i;32h#XZ9kkCSy)WO zj510}3as??i&KlrQj7G;Gt)A25|fJca`KZCbM%uF^^=Qo^g*IUz&KA%)B|!2oI!4o zXR$G`GO$=+w!ox~97BBBIJDV-$%~zlk;T!#-oO^dH(+WrB<QF_R5z6vD1h7~!~*nt zlPFfdKvW3gQ^5~1Lzt2AKMSh?GmtXi0}1eh1XzGsqs>4T#OGrXV-eZV^Jvq-wm)Hs z75nAcu6`Drw9$eAITZu54KNimGEDh!t%vKLz=hhS8}9w>l{?+_CLygv$#7%ET0W-W zna4^6QWGM>6Uv^pM>K88-zK;-cP?jrsDj3lOjkj#dASx>vekC6-trN8?9g_%-uw8+ z?O)bCJi61`yDMd4xYWmap<!a@>@VKX^g7fy>)oUiHqNc9bffj>WH4M0`|__f{*&vh zo$8Vm5tTN#gR@<yd{W|k@b&QjJ+^Nhjgy~R`#cJ~B>U^n#YNNJh5K{dF?=mQckg_k z(gSDxE9GmVvl3&ThkV|@<@w7ejPLxU_-7qZD%xN^C-9kmV9J~O4f!`Yq9fMaHTtql j-&aC*Qk<UH`m%4n`p<=bl`U5a_j$?~oXP#uWY<;z?dF{> literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/WiFiRootCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/WiFiRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..b942726923d140b4e4aa31ef838e4c99b03197a1 GIT binary patch literal 1038 zcmXqLV&O7qV*0dznTe5!iILHOmyJ`a&7<u*FC!x>D}#Z!p{Ri{8*?ZNvoKG1rdy_N zP=0=iuCt?ooH(z6sevI7f<crxuMsjAx5g$$C1gt&Ss9p{82K3tni#p5niv@wc0QlY z5)wR<ds}Y6^b<~IO%En73EW;cFYAtyt>vwl3yU-Z`yZMuc4a>^N9E+@=shOQum3)( zyjCD6Ht$yRfqw-v^l$UcWms7=bJy-8x4j;{b6d02RQk}~4-c}+HBItz;{)%d|5g7O zz_kCR^i;i>+?#!C_QZK>#s)nWxpz7D*B17i?aj}lHU}OnUN-IZbp2f{A3nW)cVNd< z%^9cGcb`;Wt29}BPDfzn1jEzwXSi>RVZO*eWB)6o>8Y1Pt`>3!)rT(c*vQRtwWV-* zl1A`u<9&jEXVh9T&k!%(e(fGpxVz<C9yRe*#!fC#8+iMrzVDaVuWO`b#N)H;<g1l> z?E8E!9f|zT#LURRxVVWi9vC9g2K>OVmlbAY{LjK_zzn1e_&@^uAORL&l(iYig7|za zVk{!pWlK(6%bL<7aGurw@w8>v&TmTkY~aYonb79J*!IJTk%h%X%qXLzq`*pFzc{t1 zEVW3lJTombCo!p5FDE}aF-Jc+Q9rpTM;|0w1dQh7L_Hwaz!_wNJd2Him4U?qvjrw? z<QU@1#-YsyOi}ENj4X}@_6D{vz5!F4AwfqaqPnTXKmp_?Ar?sk@g`BMeu1bE#HRu^ zr2`WoBg4c}Q^lVtcYkawzMmo)@a^PXwtqiW-o2eI>wl|^{m<=o1>tSSIaFtH6dPUJ zcJ0Y=hK@@KwXJ^5&*oh$%~?@4O?r~}OwrbS^_+Dc3k@%s+?w!e#|DGe(~Axr=-cgT zXnLzc<f50E@AUn~Qb(WN>Y68dsQqG#;p@FSSiVjFWw9*CWV75^>EDO!eDqIoB}^~5 zFp+1$j2Gg`>efXI*f;3sTQRJ^?sMCG&Q`hft&MRfcOI;MaBM46&$Zku4BX*$-)9C~ zY2MTS<@H*HFG>~bLv=3Q3BC31)AMSTGRYl!vbW47cDI(lf33I0?%)H@^esz%{-1xR WY|W%C)86bdb89%W<Y%Yd&sqR3ev~Ev literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/WrongPairingRootCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/WrongPairingRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..21df5d7246df15044a984abbdec0def296fbb7a6 GIT binary patch literal 689 zcmXqLVp?m^#5i>UGZP~d6C;BGFB_*;n@8JsUPeY%Rt5tG137VCLjwZ~BXc8T19KD8 zC~;mR5Z46C1*&LbR6^Fq$jZRn#K;d4=VEGNWMo)Z@_xR2Y-@A)xzwv6x`n>4a>9H3 z?f;%uVqBoL*YV=lO<$i^Kfd_T<NUGPg+cdj%5BlSa^lm^yxspZ&5BlZhwy%nu}u=V z)9ZCuaN>NGhjHf>n^yk(zwA-vA@0eG43pk7`juZ==D8)WZ*OuqW8k&T9|W&{{Bh=n z-&~gOix-L{W+{q2UYt8={jtA7$szkyP6(d4y<X&Q%gwv7N1jdES7tpi=(LYv&ugJ` z_a1B!s$ZCJW!_P4&ujZ<3D4w9ZT|mt^`o-I5mm2v`OAF%e?Fe)!L`f0-Drx-FSdfe zv&8F)C*?gmS-ShO*rW|_|1{X{3TwLm{OiLL*E4<|?fxoid#n85i5<V0m>C%u7Xw4h zfS-*yR92Xg@jnZz0W**?kOc|wv52vV<gvuwlZ!YtcZq7i>!1H^47Y10uRsn}U}OM8 z6=+cI?v-C7*&luFX=<?-exT1h`&_R_L&B{;eH^#`H+x<YXm}JpRejRdL}edkt67Ox zZznL+N=!R6eR;m4#pmrTuiMT&R@eTNtNQa0OIJjmQ4h;gtpw(niXSHbRMN|@S514v zYhI#sWSLX5RrFgyx4*Jidn~P03befLhwNRd*|zlA>3cJKY8%dM)Q?*m_^U)z{4m3x z74_*Z@qC(nB|@upj=sCJc-xAK4J>`-#uH`x0;VU%$n!nW`V}S{ZI=96xL}imT!mv{ zZDaDwH&32bC;MxbR(+r5UK=fVDM&n1GT6TV(5m%Lrq-LL<e&es@zitoGjDUI|Gn#I OrIh){=Dx6z%@P2skT0SD literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/apn_legacy.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/apn_legacy.cer new file mode 100644 index 0000000000000000000000000000000000000000..b223c4b11c1af078015aefaa8ccd34467074eeab GIT binary patch literal 1319 zcmXqLVpTS1V&PuE%*4pV#NwlP-^75IjZ>@5qwPB{BO@y-gF)j)Lv903Hs(+kHesgF zU_&tj5fFz<nAbJ0q^PvGL`T6hFImsf(!d-f&Mj<EUS6)33X#*xOD)kaDo9kwELO<O zOU^GU$S+DPNlj5ms#GXSO-n6G%}Y)-lsAxtXcf~))>JSuFtAiWHCxX>2c&>mSQRR+ z;G9}il9`s7oLG{XpQqqhT9T1plvz@#psV0x=xiV-&TD95U}$7$U}$P$Y#s&Vnt{1M z($F%>AP3b;!UlpM<2i)6oD*|0)AEb*G7}Aj3<N-e?82PRr3E0{^70L#3b};29199^ zQXw9Px}I5BEIGflC^NN4ub{LzLoX4eLN7T#*Pw|}2{}+1Ss9p{82K51;#^EkjEoF> zmbM3qTr$6T{6W(3;sm{Ti~1u{5ihv6UZ~vq{Fai)$Avo{XlSgAa5l{4igz{Q-!@md za^j*5ORDm}e37VD`sX(7xz+y7tGzWh@-4VhV<H)wDD@;NW$DMaUJ?uZD}D*+C<?#r z>s^+}!n^apoFgHx%@<j$JyjdO#{Fc%hsI?-86OtbyDpJ9nbPyOdB@5-dzIHsD0tuR z^hLu|>eo9HdsS0~IYEDYzs0;r3*PB)(cCh#@W_Pt<u<A7>^>W{x!UiWb+aW~_ySW` z%FG{y0&EXYI<Hr2-8&=wsi7J(^W9dqxWjoj3{^#|y;zlR|2w!trs2O{kI1?30#1)b z*KTf@_DtQ-oQau{fpKvYV=FL38V$ICp)SkM!otkNx&WLmWK~%}X^umi4VWI;nHk|M zCIe%TT6q>711$rM1!@aa+LSU%N(!v>^^=QoP?BIyYFTQIVX_`j+#m&J03#zygh7~r zGK_D)*d`9upPyV@fNX$)K3ow~n=({UVrC+;8hs-J6AN9iEvZEYULdC_us9ny8kj;d z)VEr8Zzcl`12vdYOpIbuP@}M983PVBw)93GV74?+1eqnsB4r@age#57gOn(<NEnDU zh{%0h-O2XDlb_MJ{GCYEJIR{K8orQ_<YN(I5!r58;}>V}RqFg7qgO|gW?BlmO+N_E z;IhIjOa=_dNfns?fk~B-fhlNT+0ORdfKOcZuX8Rvi23&a#e+G;9II7#+!0XJ`!d(# z$=~A~P4)_F8bm5m9$!*BV&Cr{dq@11d5FWK=-DMMf7sNYefG7!E@)y_dh+MZikOTO zvmdQ8j-Hs`Y`!<vNcH}%nA#OymcrBh>?R2mdqfljIEpMW?2=Ypp1G<(NV?<1kLCJn zzyDsQ!~Fa}ZkiYSi71CnC8uAsu&ysFWR0EI;>k84_4W6f*BY{txg4zfI2F74(@&Sw z&GM4633!=OZ`?X#ZXWYTrGW2C4xL*qyu<01dsgS)YuXP}w)@T0UA5ZsaNU&oamjP$ eoDAHp%9D0w2A|H-v-i1Hg-U-}9aJlES`Yx~`n>o6 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/apple_corp_vpn_client.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/apple_corp_vpn_client.cer new file mode 100644 index 0000000000000000000000000000000000000000..fd20ba0790698531000dcf9941cd4dbbee636bf5 GIT binary patch literal 1113 zcmXqLVhJ^9Vzynt%*4pV#3BEscE4nS{u2XUHcqWJkGAi;jEvl@3<i0I8U|`?%%LpI zJo1hO1v#k-&iO?J`9+B(sS05MehSVxnW=dt3eJuShK33Tav+u5JmSu&MJ1VOnaPPI znfZANj-@3T`9+x}m4?Cwf*=)KJX{d7JoA$E47m+BL4s_;OrgOBa^k#(CI;pP=0*m_ z7N*8gAg-Z-fhm-0kZ2fh5DRfnSaN=@ULwd%dYQ!~dMU*aPI7);UTSiQkzPSjeoARF z$OU?31$lZFZbnYVjxNqF=0>hAMy`$q7A`K%MrMvK21cf)j+Pe2PKGY7POeS{O^iy& zp}@$>z}&>h&j1wXVrpV!WO%snbS6Uwn^nzYO?eq3rAvjs*xnuxb8PTwS~_C})49#H zCp&v5-b*w&y;Ehy690O3&W5bjJT`l--dcSz)4fK1vfl@nfRKr;+tPzgT@xnVxTUbC z&Ti>~>)J^bQ<h9GVP91>@z0lE0evdDdMS*`xnhf=Bz`xou9JLOFZa%e>($jK&o!Se z3|jm4=F6~!e{Rg}JZWe@<JsQz(RpW_xo?IZ?~*c;dM@pD^~Z#p8G4%g-aZi3itpd$ zV>I(?b8AVTSLQK3dsCSk{o6FAWPD9E7JAk@w|{2gpH<pFD*tw-@!b*sQv6p?tLx~5 zp2Nl-Op>~7*Wcdo{i3)*c8B$us$BwejHcEyF*7nSE^cCEGHCp7;LXON&Bn;e%Ff8h zVsBt;U=8CNFt+Jul#~=$>Fehw7Z*Sy3K(Tzu7RO$GB6zh<0ToKfRYmp4Gaxrfe|aq z$0EieGM6Q2^{xz0);i7?B@71b>%~4?oom1Yk``uU{LjK<z+fN`;wiI87>G59tZaQ8 zef$3(-TDTWRUdAxHLqw|{J_8pq(Gj<7-+Em0^J4LZJJQ`Bp2l%IS1VxdO&FdK9F91 zkX0<qOzaH?Vj#XMh|god1@j^^6LLBM<`!T&VPp_2i?}6x$-d8j!8(hlC9P8u?5`W_ z4NE<(aWndS-D^+gti0di$6wjAoIkkePfh;;$;yvc*}pa~G0xh<uhO?5`7*<T8yu4q zw?&6Ns*Lz#&p+c}<~D)FJxiXv3-}fk+v1TKnX6d;TY9nLu61X)E^XPrsy6vu$($s` z)00K&`z&tCekk8qKIz53f9rDBN9DiR<F{u0{f`fQwA5xTyl(pUx%OU%-4C^1ZFv9w zg@fkyJByBHFuvX=X|MEO*I9ShX5;gBukZ1G<KkXYVHx@Oc+{-av;UtqB)>o1wd7mo u|5UZ5w}SUEe`^fV(kYCr*7ABdODpJIl}AI{g}G^4FF#+yEW+Y{EENDgj--|V literal 0 HcmV?d00001 
diff --git a/SecurityTests/AppleID-certs/Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt b/OSX/shared_regressions/si-20-sectrust-policies-data/appleid_authority.cer
similarity index 100%
rename from SecurityTests/AppleID-certs/Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt
rename to OSX/shared_regressions/si-20-sectrust-policies-data/appleid_authority.cer
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/appleid_record_signing.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/appleid_record_signing.cer new file mode 100644 index 0000000000000000000000000000000000000000..f4561bd47d2395c5b6c3e462eb2040a20d0bba5e GIT binary patch literal 1301 zcmXqLVih!KV*a^+nTe5!iNm(|pnm8spI`%CHcqWJkGAi;jEvl@3<ix|hTI06Y|No7 zY{E>T!G^*Hf*=kT50_&>K~AcIXI`?Np_+jTNRXRH79!}JT2zvmmYJMbl9`{U;8<Fc zkzbTqQfX*sU;|Re%wq~s2O?prJo8FY(~BTFaOgLX6X!KFHZV7`G_*7}Gqi{Ta!rxA z1_p+D209QMRH4puQ3y-S$xMNm8<d)yUzDN{oSB}NnU}6$U}(_9sD$ieMpg#qCPsb+ zpg0#(6C)$TM&To2PsCj2?KREPJLk@9qoI1XbHa&#Tbbk!E3kYsDUsK@oc?se4(GKp z9~SgoP5xh#z#J{X#2A)&>p#ccFeMAl8!zPaZ-q}bTj;A&<ZIJ;FD=pMk&`}Wt+VHY zZdH@cZtLEwdsP~L9Gz)p_UDsA?eWuJHEoW()m?OIk)l7h_qVOtt_!?g$GgjK^>q<A zc4SG^^a8ac^<8J~I=Nl1uzm43-;Mj(q8E(KzaRJPDr*Z{-uhGGblX8g-gjX$e3Dsh z_ne*9Y+ll~q}au0u3yxPx%ch<F(kU)_!?u-G&TCpBwbO>p2RnMvbjENEBTc2?Bf;2 zZvBQA(Xr2$FU&ZYEgL7hor#%|fpKvY<0W8-oHKA><IrYfWMyS%WMnZhFfuTJ@eLT; zR5D6R3as??^OK7U^b$d7LoYc$7tA#<(M?PQ#<PKmfh;g~WcgUcSVXK}Irek@H2v{7 z@ocxl@%g=8ay;tbgeEJ@!eqc;AP-Wh%pzeR)*xc|s%)il$<q5*{=QpqaM`?Lf_#E+ zfDV!YDN$f)ViX2)_<@)kns$>@SQ!l({~9zNhB=Ul$)Ir?PvhpG)SS%3yyR2`V7e^H z$ShV!h9}ijg``S_#Joy{g2bW{Agj2zG&i+aAu%~QwV(u|Ck?146@>E?Kt2R|DG8Vb zih;5ziNJJKl3J7t)R32=ker{Fk_k%u#R~ap3Z=!VIw%$u<OB7BECZ^9+Yibr1x1O; zC7D3y0nIE)%}vcKDb_PEg?oZgOcNT)<>lo_fs8ODH4&EC4ER8y!_Ub0pM`~)iM_#q zA09Ytk}OQXtc{w}f$5%+VfwB9)!~bNw=PZD{qk*&aEP4^!`3C2x^6zZHBZ~~NCW3e zzFVI+iY?zQ;&*@QDZ7LE=Xn?NM4RP%Ja);Owo&F!p?${&c7>!Q+i77fo8p#9ho1^A zy(Ktji%7U9yU5~OSD(mj6S<OJ#r65jLFJg>q{OT#=D)Ms&mUSQyvNf?@!pJP*Dv#q zq>CK!R(tzn>vg47A(IontyjL#_hP}6U*Dz)iKskq+x_KJ^~1830~STirkp1>J&$47 zw~0@|n8BCx-hDaF3rl|_uokHmX&+_%e&P9w<00i*El+>?H&08~wKe;?%W0Wnd3)cI fWuI3}@K#stsc^k9RfkXV{mF)^>D$cZ3?pp-qjKK= literal 0 HcmV?d00001 
diff --git a/SecurityTests/AppleID-certs/Invalid-asset_signing.crt b/OSX/shared_regressions/si-20-sectrust-policies-data/asset_signing.cer similarity index 100% rename from SecurityTests/AppleID-certs/Invalid-asset_signing.crt rename to OSX/shared_regressions/si-20-sectrust-policies-data/asset_signing.cer diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ast2.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ast2.cer new file mode 100644 index 0000000000000000000000000000000000000000..9d1c52ad20810c29779f4aeb84377eb7d585b508 GIT binary patch literal 1185 zcmXqLVwr2u#N4`onTe5!iG$l>a?kOE3jzkbY@Awc9&O)w85y}*84QXHbquuFm_u2Z zd6Yv^i%S$73kq^l6@pWX%2JCI97{_wQu9hOlM_oa^Yav(9Ss!><Up#qdBmMli%K%n zU{WBJ`9+x}m4?Cwf*=)KJX{c?JoA$E47m+BL4s_;OrgOBa^k#(riMm_CWht)CI&`P zK(4ugAy5FqH3&0QHc*7PNh&iXGci3czZmF-V%^fj61_x_`}C6Ya}9Y7xFJqq@eEcA zA;R7!MkQqLGqN%;H!<=v7&I|*F*PwVGF*w9uqEQ>>3>sX%lGW~#bQ~t-tleNo!)C! zeg~g~ee`MAtN%|W_wJetfBxLale)An{fc77nZCKE;RW_L84IpP-q04g5q&s1{oxtC zJ;(P&*uA-Xl40SchiiV-*_&x`+;*P!u6)ZWiD&CRt?-=s#p>z&*3=6>mOQ%W`R32& zfcx4ummhqJ=KXTZ<kf@e@+)__+*orZKXOxx$6v|C%QiVb-5560*GOUS#fU}qTW4MR z+LuvXA~Nf!_nel)4{y1Os+!$jYqm%@DfWFG&t;up4z3wt2Yj<;87SHFpIQC8>at{q zn`_73Z_>M1wC~0~DKkC4$7th`6y}#@S$vtdLa*0oXoyZSEo5S5WMEv}#25$+5nqE~ zHV$nzMpjmKMn)EQ16KoQ7~g=g%{-%|q`*pFKR>y+030jH`9%eYr~!)`80&)Lsu-M< z5`pQ%z|cSz7-O=0EMhDohZT4}>V9c%-P(RJ@Yef%KHL9W=@{^Uq=gw7|FbX|Fc`># zc*-mi24W2&D^69-USVE1&-P8!>NLGO*F|irKN)y}6v(qU88{f&EwEW&)n);8S8`Df zHfNOp6F8cik`oQ}fT|7nKt}O{Y-V9*VqIV$4C1S@@ECBxyv@vLpb8QcWRWwFX~L5* zf$5(coW+t;*rYj_SeSs>3^msQlN}?2{zFEcGfoHD6<#|FyyusdJE@?VS~e%qsiJMi z<5lb5^)$22`@GH9w`<D6cPsqj`*)r@_bgF%-%@E6LAIy>7O|`6^2%bu4xM}!VAXD} zx?TO`m1rjAR~q`qmMLGIC2(}AukNFcu=DCK?_80cbSL&gg1xP;y`Eb^@~5+2r<Q!! zeDQkDw3wKp`p^?4=T4XD&X(V>^_D^D(hI52oo6~P{O0`Lt3B=(i|e83hbG;&))Ec5 z{(QO5RFAy6PD8iD$`w;;9J~1sEb2LxpkJ`I_s)sKdc|J+LWLqXz5Ya|uW3xX*m`-I me1HDu%G;M_c0b#+@J{(>m;Y}s?G6^7{YHT?yk@H5udM(b__<gB literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/configuration_profile.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/configuration_profile.cer new file mode 100644 index 0000000000000000000000000000000000000000..d47bca49c22c6e80cba0c563ecabf2af2f9265c1 GIT binary patch literal 1367 zcmXqLVhuKEVzFMp%*4pV#8JQ`=6SGh%MJrxHcqWJkGAi;jEvl@3<ixoh7JaHY|No7 z%sl3f1qC^&3Lr8wIk6-&KTp9kuOv0S2*Nf}a84~M$xMUEIhK}W<QHX@R2r%osDMo1 z=8=V%fJ>dQfgng77Y`Rioo8OMo*}mZCrFS@m?<>aKu(<3(AdD-z{tqZ#Msa<3dl7B zat)zegJMHH109HKRl#OBCl;kD1Qg|`WddCuoSB}NnU{{_&QwEr16hdM#GLc<(lXOa zp}v9YDK;eRs3t}w<X~fDWngY%<YzEwV&r0KVq|1^+wkfzOHO)VCF{C%Uz{sLzD#&k zZoX!XjEgp_YI(@^==r>HvaR(8W*m<(-pRUhafy+Q^(GN5t;dRL@#h)WS(;efd}t|l zZi^s~;nat!%N$>*T%I7TEwN@d=OeF|Yp*SlP@B8Ao*~)ln83;Tzb?6_>D5M=l^o^@ zoX_d^Up{ONf0AFO_{Wg1D_3tnR6AEqNZn42$K!a_ZlP}edZ5bELf-iBKFb%Ur|dc= zE_LYXlY2k?)Z=%Qy_mm=>&u7b^IbJ;?2TUsoKJeT|J$F$HF>hLui2h+YL{oSib*a$ zx0#P=s)&qO>pR&$|2}#qaYw0ax@fF4e}&6IULHjjzVnNx8fZ;rVrFDuT-?NX9vC90 z4IJ1wwAmP0S=kvGSxgL!3=Cj=1I9L$jFOT9D}DX^<l+LoL{MteOU};)a}7*%6BB_+ z3#bDWVX}NIVk{!2zjoTH20Y%wHuFPr&xGwlv0XWC20S2XVMfOPEKCLr2J#@DGK++P zScAy-eKm>+6K~r}SKqKQYRtSpFQ<Ms&`o?GB?>G}jI2Noqe0_8XckCLVFmI&7-+y; z$iyfn19f3}c{!2;!A=Fbt?@8iDU(6tHlD`KL8&>JiFwJX3c$=#l95@gkPOcwsR~Jz z3W<4@3I&NpB|uhjacOR9u|i^Ua%w>dL{Az}PbvuKDS)g1dOr!6jEjM?DTzfX3MHvU zxj+qhDGJH?c`2Eo99gW8pQcb+oT`IjQ9(XXFUT^WO1S-?{990zm|T(xbRN*mlGNPP zypm!)18{iog94C+nTfr@KpYf4svthE0XIBsSOkz0J+Q0*CVEDOJeElZpZDgrG3P84 zHw`N(i~n*<IruT}deJ54DwfUk78BGy@?!e|*NSaL>x3q`Xc{?(f3#kGOVzS+)lG&+ ze!DFArfAM{ba{D#Z`%!pB;j1Y#n=2r<@0O%S)D$pNG|?XaLrHaN7;-T^N2$|oc}8H zmwNK-6<fjhFr{1O*Lnq!fIntSD;Kv+T`03PQ{Wz#aZP%Tra>sn`&UQv--$YWjdcl{ zK6_#AxkPdASGi_OT^IlEsZuE4sg^c1gl*~R8mDDjR#aVDx3fF*%|*RWe%I`{0-3HX zJMFsXkAde4uVph^yPXQA)+R4p&%pG>Lb1^H;^LHOqr_joceZfk^KG^W(@xB_0{}F7 B+-U#+ literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/developer_id.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/developer_id.cer new file mode 100644 index 0000000000000000000000000000000000000000..5fead6f6d0ab591ea5180de335d6826994e597e1 GIT binary patch literal 1385 zcmZ`(drVVT9PVjvYbh;kDHI0+R}nVlby|=|H6X90jE7r`5LnnKw-;Jc+R}T0HOiwE z*@M^6uz`@sOUOvrMsNlu3P_xRv5-uhk^q4Ki6e@L^4K!Q?&THvV}IP_e&>9@^ZV|1 z&-a5CHV!RFTqBDKm`v{Jvf)dkNeMMjz_B`6Dl1(V0AS5#K$F-TdU9Cj5f=Y=B%X(B z^#<ICMn|F%xRKOkXfP$I(d*E#TvDw!YDkmV10JX8)_mtMgF%b`FHZ>Hrg=O*Z-*DH z!+gZn(28E<2$|;<(8WO@mOy`rSRCvZ><3dQ7)U|ME`;V%u_HXp;aOer`10zCmkIzr z&o5A-2=EJ&$b-bb(0fO>#{u1Rw_Vjz^aH(GhlU%KCQ`2x?<%rBaEd(??#SdH;2sca z0mt674X_z33$SHC3*a#=05GPRkNQlk$jHV~MQ_~Ndh%Fn&R3|hIc+h@Lmu3IXNwnQ z(>xzuE{IwEhUiYT>F^A_t-1PW5M4PNbW7XS80*yba>0N6$&bta<({qmE>)^!_v@*+ zi}GhoEy|p>&U4@Vp}XIC(Q<jA_(8gpL-!|%i{rr!?ZNe~osVY=a%2ndC~C8S-BHE7 zMicsKK<jP!42$oW=f4=LQ;axrU)RXos)mIl?fl6e|IGK*Mx@YTkO(^3BR>^tAD3pq zmI6oDTsQh!)?8<=NBy0$Hpmfeuu2Mj=LF9}*sBBlq>|WQ-OaJdUXxgRW1DtpvdE>w z<%zg}Tkd<g*J^8m$pQ?}Vga+1BU3Ph!}a6<Hv13&hy+6DvxgxlJ*Fl}gVfhoj}ZnR zC4GN<Fn#tm^j6_{8Wj{nXX<}A+aMyuuB&F@Z0gK~yfx49k45^g<q-{)i;z!m3jx?d zn2-ToY2=0+hN5D-B!}nCW0Mzao8FrF=kDj;UMq7B36vrmnt~!0z@`9z=6`nsfT`FN zT88iK>0<)XkzIZH`T1|i+ZKu`p?PSZ%7o@yd~>%P*J_kH3`ePmkZKKqV*9DV(R354 z)R|C&(nwNo1d*GK6Q~lya09thlR?$s^rJ)R7SydxrvgP#yDFtog_5{2n<~($P)x5= zY3Ljhs6GSDC2+3;jSPCKmTpEd_xsbSH5io`siEXiXOeg}t|JK_xb256Z6Ly89x8?+ z+8=is^C55V16eF87rgC3fvGrv8Wxn_)VMe}J*XG}hQjJj%TF^{G&ARn^wltT`LB_9 z!+1sLLPO^B=$jW?QX{9AWxZ1g=MoDxxprsld$tnXuF39eWyX2f_RG`o^b<FP#v_Qf z`pS@0!IMvVd@&u~lyr|JeLPox(p83U7MWjE2CI4kJkv(AKIEG^bAOMFXcDKq`>bpA zo<wkJ!w{9xl6As0t#HYI-S)1V^S7be`L?xW;v*+v5K^05)nCzL^B{>)VJE#Yac&}h zEBBIpn~mc`L7#PDowS$uz9f37%%k$*p8>yh4t~cNs4fdByx?9`B#3F9@63$Ldb$33 i;M16EH@)ktPp4$o-&fTkjbKbZbGvDH>W^HXr^tU2^XIex literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/developmentupdate.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/developmentupdate.cer new file mode 100644 index 0000000000000000000000000000000000000000..18d3696535f6345e21d196f1525255a397c21823 GIT binary patch literal 1332 zcmXqLVl^;mVv$(D%*4pV#KG5Xv?$W^Zl3`!8>d#AN85K^Mn+av27|^XLv903Hs(+k zHesgFU_)U8K@f*an9H%CASYG9GcQ@sP|ZLEB*-l+3lVfqEh@=O%S=uz$;{7Fa4ap! z$S=w)sWdb*FafD!7S@HR3(ij~DNig)RR}FeNi0cKz@g7TPMp`!$iT?R#K6G7%-AFf z$h9;yFfuVTH?lM|k1~kI?nWMDH_92vfZfO=iq&pIX#+{H+jxXrQp-|v@(XfP^Gcu& zGiYK|LJk;4RtDxKMt%mMI2ThBBO}9)?N^OgzRW)$v;XjZr7OBwnJ>0`sLnRJdNclw z^|6MeS9enHC`<lr-M;(RZ;4;(tv%oDCm$E%zWcZFv~Nu3f&9GH8w{0l5A{zl+p7PM zU*_nqS2s?jN?OVbJ0<%6@-`F<Xw$v>^}5qaV;#SPx2r>s&j}RVq<N;mY0<gu7P60n z{=Uw47u=D?w2ZO$i13NB)8-4iSnn-b^6Ou~>G_4%V)n4jz9+=Q>y!WfT{U-8bLp`f z&6~5#{=M~nA?(;^VqU)}{@?xwT&w-+`7a9gCqJ60EIIA@bcyXZlG<!z4V;TiS27>- zz90R7Z^osEpFZ9E*OzvOUAaCd$VpXjPskprpxq2R_cAdvGB7S~Vmt*5kz)q3z<`wH zV-aH!v7A?N<+S~KrI~ZZ{w-wuuav*!=wbsNkhCx(<9`+=0|o<m5Koy!!a%G+r2D9* z*XQ-878XtU&X((*?6|>wh9b~JK9CXxmL^74AcxVQ@gFpaCa16hc^?ck*f_M=fT@+8 ziBU`@qokz3N?*Ucyj(94ltT5A^K<pVtmH(4#=~%>Oa_hHcp5hcrRHQN<|U^p0269S zMrN@>GCb|3DkN1ZB<58r6eJdv09nPwrMaoa3W>?dsRbnvJ!wEasUV!E0I~v@;*)@R zq8KQfl30|YP?B1d3)GO8qL7@Qmy!v}4aExiX$qyqsX8bY732f;f-D27gxe3wI|W6F z$t9UU=K;+uNd+azVm$*ZP<Y6*7#kQG=r7P+pxvg4&(r$F<)z^4rI%ckV*n0Ieo)}E zFf*|?7)XH3QU&q(fDyw5&ictIEWlt!EeL?=osnV1p2<o}v~RCjbWnQc@2hcv&l3Jx zaZHp={wsXnrd6O#V?pbS(w6zVWa1yVZ`zS<`goz@iyfO+pJIBMYMr6om0;|Yx%Kr_ zt24K``4n6#La&shzg9XBbiHY5skQFCSyNx?er7&%n{)Q}3CY=N4>^|vq)%Aa`&hb8 z>k_Lazw6iKr)6#kMhDzJ@@($v`IFMQtS>M8!EsvE)mD2kvvAv=`j?tEmy-=+B&NiP ze~f<a!r4FT$(_)X2~ja`T({H+80Nj^(Ra=(EhwBR-ev7}?)IxPzQ=P{>|SLoe0!~R sUZ07>`f8OrcUHZ9-#nLc1{-NNddo7;_B+6IU%b3YT1Ru@mIwTg0DeX0zW@LL literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/device_activation.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/device_activation.cer new file mode 100644 index 0000000000000000000000000000000000000000..20063818e044fa6ec2e751e92deecfbee3816f50 GIT binary patch literal 875 zcmXqLVoo<`V)9?W%*4n9L<YQUoLX%jZQpqr8Ch8w3@Qz|4LI4DLs{5_nL>jNg$)Ej z94=ul$AW^KR0YqxWIaPQ0~L@Ux3DZk&^fiJBr`2DIk6-&KTpB2v?L?HD6^!}P}e{k zq>fow1)?r9AR|97RRM=`137VC19JltLo*{IQ&R(@C~;mx6C|!dG!ae{H4uh4jR)CE zLj?mlh)cwgg%uo=OESyAt~O|#j~o(=tPISJy$lA8olK353`ZGjE-EEx&+2He-Lh@L zcP++mNA|my_W2#lEB*buO=P-~{IWd<LvN;?PjXNCTX(t1Snbm9g8kJ2efKAOY_T|I zk`*uYWAcUUR)yEG!FdaHe^nfq!KqMPcs;@(ma*WkktEYw`@f6#eYWJyn5HKac<1Td z*7@gBx7gn9JNEh><1>lJOw5c7jEfs*8#K-^-~;+YmY<RFKMM;p6MKUJ4~Q=e;xidA z7|4Qnd@N!tA`2H>`nP>c@xR$3S?kZ*7W>P;zc$4{9we>IB4HrbAoAQqOHb*ZWkU9r zDd)<Y6ZH)j)R-DrfE38H7#ips=q}J+pxLILQBqQ1rLSLJUapr2N&$Mw`MLUFR&t_# zW&tQd^^%KnkOL2xjF_7k85!cUW^Lsy;cs<$#%8}Otgz*P_ABob&;Ooz*7A1wROR!Q z;m7P*7CxNLpz+&KrQ@l&=th1{{m`wtH7Vi-{Qu`Zog!=ysor{&^Wf!It1O>=*)_SQ z{^O%LHWn8z^4qwV&97>BTF%_RCv&F;qxzks)hFDw!sqT@eRoS>tIdJUtsc61i~SWN zPNl_pzR_iS_H34h#x;itofGH0Uv63Z;J}HpZ~2B=+y0bC&3f8*WyedFpPX_tsv?%B zRjjz5ap0_&@Ubhq))(dMo$yHA@1H=qT1|T9aSp!U+ulY;xn}K^?1``MZR(oyjQ7-s h)rZbJ%=~sKndgA?M9zhUjt}pz>`c7Ed-&tl;{fNcMdAPe literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/device_cert.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/device_cert.cer new file mode 100644 index 0000000000000000000000000000000000000000..c3680ff712041e7aefd63e1e494dda5f3e3f4661 GIT binary patch literal 835 zcmXqLVzxJEVp_3)nTe5!iHp%k(NV21x$(wL170>xtu~Lg@4SqR+^h@+QHI<GoNUaY zENsF|p}~g227(|CmoS%OK|xNcf@fZ`o}s9LFi4PFm<J-58IX~mmue_)APW*^78XMm zR&Yrz%S=vHaCS716X!LsFfcbVGPE!@GBJ%3=QT7$;u<uz1Nr(8Gc=40jgwPTO_Ng$ z4b9Chl2TKRfXw97L^C6kq~v6S#3Tzt;}j!fQ&jgt9nT@m<m_lDWFP=Cj9r-1xwIg) zs3bElAG?S6fuR8Q5F5lR295KP!-bKRfw{4l!Jx5|sj-ovsqa?$<lGSE8E0<4VS9Vs z?|8|HtrJsz1}O)u^A%O<W@WA{bNyp{TI*xXG|y>lf^2zZ`)1x*_cPs=nTI{z;^~Z( z)Qn51k+ZH9L^ga1nYi<&YeSZ%|MK5Or3G4>UYgb>_kVBR<<+-C)BIk6-68(tp=Rd} zUeOiY&g52Qkh!ZdA(n}mk%4h><6VQsTLz6yKzGY3vs4>YHi&Hcr>N}GHZ`mAYNJ|T zvA~VxK7Az%<CetGGESQq8NsnG%f}+dA`;TGvgll?!q1rtme1QMUt5q~@|Dqm2joOy zM#ldvOa=@Fd>|e_h{wXr#Ja#h48&Ij@p%lm*f_M=7+G1_nHiCTADAqef#Gg+;@g5! z_tNz-Yj}l@6esgVzMCoa>P3&x&6KZ?UFDKow;uWP#eCAgoqcTWr@x79KP6?TQg`3& z=0mln|7R}>?D{L`e#EAX*OEK@=EtkD5|>Ta$=-kSQEP7E!~|zieQ!yXlY74{N%Qas eP2az&aM2`No8xzi^DLgN%kJB=dr|4ns&W8RMhCh8 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/escrow.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/escrow.cer new file mode 100644 index 0000000000000000000000000000000000000000..d8a6ed086a192875958c960e39c9a8fc7fd1fce6 GIT binary patch literal 2962 zcma*pYfKbZ6bJB`eX+0$l!73yg#sJfD$AWGERqN=v_M;0c}A@ASQc0dEG~;;Ekaki zR6}Tiq=*PXUV@6)kN}M>vGP(d6}5<38xn+oMWi(ZVk^=eY?C&rC;c|({?E*v`OW=s zkWo^Oj8^*__&l7)6H6PJD}GPoE0DFw@=a5?X~i1HB|;2k6Pu7+#E%p3rLvIR+$@b} zj7Gm-qxTHSH)LvZ3|e)HL95I0RD}?pNX9ivq)sZ0-k?qYJK{QZdadCgVUO&%4lAkE zi$_J|s1<|+S#paadtO`&k~vuuEFuVkq(~Z(iRRKDkx2PhiDC&4<o@Dy95s1rz3xD+ zURQ8Xp;c$;^3xP*T{dBB{)F|{5NTE1;{Vvyh<p9>yKy1LH{!M!GU8S|BaUMinzO>H zJD62L*2v<fGhX(+&EB_8x}2?D5)T}&ncH*Xn%8RcboE#19b&)Pk>GQZefMJ$PK9sq z2)7w)$6XWTM=xa`b>uHJR?do>e|65N?CzDEoXaxpxp{8w(n@JtxGb{0YED`G+Xtg6 zdB)O-qAez0UR-u?Z*NP+PRU_)UEUwNX962f9q#ne+F-}Nbc^b#Xu_9eF17w&EBDsi zsUD?=cKKedf9_NCeqjCfn~@vk?+wgEhmOlF`&`?Pj}29Y7Io<-s<sIS_$4m46oRR+ z7I($n5q@{yc)wk|?k%S${>7Hz=>=$o#765b_CH7@E42l6!}H(Y`>EvG=lghk9K)N8 z;s|6Ehpqd&+Xx&54o~>vnRsb?V&OYgrwvEaJa2rbDnwGVzPmk+uL*bvLmph^E!c=0 ziygKMW=H=_ES5bIf4VSve?*0a;bSO>Yw!>-h(bhzUxTk{bEd(N8|de!)@LbFxD&_y zRloJCy!E4(Vm?pm6hdKcKsManw%ld{K2O+y?73PlkRmIQc(Vu>3N83JGFlXJ%XR{z zg~43p8eMV`;rrjmhs#JHqkxPCG6u+4AoB;Z03cJoJR=a00WJjKLI5rV;6eZ{1mHpd zE(G9004^lpLIN%%;6ef}B;Y~<E+pVW0xl%rLIN%n;6ec|6yQPuE)?KG0WK8aLIExm z;6ec|G~hx5E;Qgm11>b+LIW-|;6ei~G~hx5E)3wp04@yR!T>G|;KBed4B)~5E)3wp z04^-x!U8TV;KBkfEa1WdE-c`p1YDFab1_eSlJ%KVohEX%zy&<>T>0-Y(>!kBSpDxB zx9fLOdxJHLw+Edo&i_!R$*X<+;aouMf%4E#h7+bu4)NIZNBpML$#Top*@cLnq=B$) z$xpGB9XYC|mSnfn)?-L{Bl>#X!=+<gL#biky!!lNcd1>!eDXqcB*`ufpZ#onaQCyV zZL%L9yleAHaz<S1=+&5s%LT%T6j}ax?_aFgXD;_HkE@&pirA87w&o3|zSaV*{PA+Y zQ2S8rp+iP2skLu0PGwlInUa4vF}Up9wOw91AGz$?*Mo(3BxOXs_ISgtGkK9IPC=%i z5Lw7<lf}0~neKNV-Tq>pD#toiWl?WO?JS*Yqt^7DJA$r!T<o*AL?h(Il3NvVe*&c8 BPlW&g literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/factory_device_cert.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/factory_device_cert.cer new file mode 100644 index 0000000000000000000000000000000000000000..7c97c6a7adca931ebcf7f552c92a2a6482a5933b GIT binary patch literal 896 zcmXqLVy-c0VtTrOnTe5!iILHOmyJ`a&7<u*FC!x>D}zCzA-4f18*?ZNn=n&ou%WPl zAc(^y%;i{6kdvz5nU}0*C~6=K666-<fe2;>WaQ_i8mbwnfP|SvWTQh|gF|8!kYyEI zQp+-vQx%*Y4dldm4J-`|jSLLTjLb}oqr`a)fm}liDA%B|-O$iLA8eGcMsi}3kwuEB znYp1wilwQMNt%UWN^-KHfvKrQs;Nn;v5~2vnPqZXDyp-ge&7&ha&|NnG7tb6#xBh1 zTw0J?RFavOkKJGVz`y|eiw)u<gU0#D!NbVPz}(o&V9?mf)Y!<d{)x?Hr>#x-!oq>+ z7tP-s+qwGxy;*0n#SS}Glq;~ioeWs*`{gEI5LcUmhUEGO(^mPZtXcarJ8|YMPP;0v zhp|hy3myMH`^Rl74P$nl58oXx@^6^V_;GXTL4OaYAV;T}otBZ)-sl#6Fe*LCaCYqn z{e4;NYxb~&h(5?WE!bAR{u4VBGb01z;wDCEgC<6CaFodkvoIMj80fKaCbW4lw*7Eo z<YiG5lUMRDNX-il_EB(8%}XsxEJ;mKa0Z1!T4pkkqhufp^s_7<ix`WD$phEqC0@1c zpX3gPel}KIy0UN*n?d7Rki0TW<5GjhMGYbrtO_gbk5ztoGb_K|ohdGFNu}V|g^g`X z8k-Fo8&D$wYubS(5^iBxNa{d1B{M%y!LhU?BfluKq|(sDzz7r<%p%&@5)%$xO~CZb z4RS6&3kx$7>jLE1114@}V6-tE$n)`eUCnfulQmHDV3B>DrTt&|2b^>NZ~K4i@1B!; zH}yvT?9Aev7I62Q*f-@C?)SW3#UlHwZ|;+wvYOqdM@~9)@#^Oa)6=E5trdLPbG2cY z_1YhPqUYRwwbD!cAKOfIdpp5cl`*))QFCeFyQ&^NPJVq=)5b2n!`|mAAO0|W4FIbL B8;k$| literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/fmip.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/fmip.cer new file mode 100644 index 0000000000000000000000000000000000000000..bbe35e783cfacc066e5b2f17c3a31b8954aa1108 GIT binary patch literal 2479 zcma*pdr(wW90%~dyLT_kKG>l(VM13P`2b}1ocmZ_KEj2>c*LL(snD#;3Rhm+x>Ai9 zb`30IoC3xXXlg-Ghe{1}LJg$`ZDpd+l2Ca_2BQtBWceV)_F~QS`2Ep;_xC-&d(ZjY zduHxIg7=3=P}I0&QbH<KJms8dy0oF_0n$+3VHJrLcQgc{l1oq#o{#2IvJ6tD*2mfH zg|@(zHb<$=5g510nQtq0@>YwJFDVW*$KgPv7aLV-KeNr@<k$Z-BzBfKc;_ovhkV5j zrCRyuQ7ekA2CPEfVo2$v87q<APlHVeV@xx2Bw|;4%1A_`=s!!8g8k9VN6XQ!FXHV6 z-db3)Dc4{vDZ*OM+NbBIc(WM(kLd&=`0rpsE|Cd@R)PdVDHRApvWK!PFFA2^tn%!{ zN`JOKZB|uf4yyC};<M7lncEM#+uz*X!=+qoowsXyEWhOBmZW;GXD@6^cqXSNruxW! z%jmkgh~CdbQx@o#*HT~kXPzmh9>%7*x@B3C{;v4Q@}c)N!-J*l8%=B4d(OGf2z4pR zjiX&=-K@5dNjEx>;c|ON`BkjwFZ@=;EL%cqmuh#+%nu4sg{m6vCLg+9{hA`Hd8B9f z?b>%+YZ~L3u6*y*`yY>9$QvqOy~W%-qL}pCYK?j)wOmpE!F!i$)||ZQ${FrU`SI27 zzk8xN=aZKb5|bknHkdzZtv~t8oy1))XT<CG6dbwQ_TYE`v*m7C<To=Wq%uN6>=vjZ zBv3q>?RmYkeaM;QjKe-x!*4HYeQ-J2N0F}U(w<+hbRe}jtRskrq!dZe9I*-^J)djq zjD@F)(g*R4s&U2ZKMxOdn<WWEFIprv%pp0%AnY=_A}Yf3olbj<(P(uP8Z6>g6Thl) z`fB6!p0jv1lGTC@o(AM2-mMiUBV|+cpqE~!RJN)b*Ga=Dj`K!UtcjD1N#zROe8 z3OYN&5&zmZVn{<F1BEOUa!_c3!bm8Lg2HGZ#0Ux@5r#w<5@AS$ArXc|7!qMfgdq_P ziD*bfLn0ay(U6FSL^LF#ArTFUXh_6BA_fvMkcfdq3?yP85d(=BNW?%Q1`@H5h=oKf zBw`^E3yD}r#6lt#60wkog+v@A;vf+Ri8x5aK_U(kagd0EL>wgIAdv|YnIMq~5}6>8 z2@;tgkqHt-L!#*ah&)FE)%1bGno9*x1S$0#I{tYE@%)krNsGVB*!N_zSLZ7G*NTHj zBjT?QG%O1`cPP8ACr8#LlxHk4wq=eF+zvhFJ+HSh?_xnx!^SHHW0LD|?`dPxq0Z1$ zVnzDdweou<<Y=d|J?Sm|PV@brs=3U97i?2W&&6*JUC=+*l97MQablfiZR2>hkr_Y5 zDEF^D)=_Y2ieGTAyQYIO@O<&LzQW+sVW~IuH#(~JwwDDxU*9+A+j2kXQ}dVpny{D` zTY_VQ0{8VVTs$?h@3HI~mF|?|olD1l#gAvj?6hqg2pO8HB@g_tZ^vN6)3?f&oe#@1 rsJk<R=a0L6H&2vhFaG^E%4_VJGHunZ?gMxBhNMbzbFcVJYDWJ6Aj)*~ literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/generic_apple_server.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/generic_apple_server.cer new file mode 100644 index 0000000000000000000000000000000000000000..d38700210e7a9d85632f24e1654b1a489b6b518c GIT binary patch literal 1037 zcmXqLV&ODsV*0p%nTe5!i9<|c!Ii*8^Q;Yc**LY@JlekVGBR?rG8p6<svD@XF^94+ z^T;_C6y&5T1g932r4}hTmX>6s=9Oe7CzfR9=P5Wl8Y&pbffRD{h&!him1L&Dq(Cb3 zi!w_p4TTK^K`OX-xFAM(<|XSHavN}h1lfd{LW2$D#CZ)(42%sejf_pqj4YynTvG!R zLklR^Aiz+{Kmy_%!IISC61}|q;?m@dl>FSp%sfK@13rig*q!r>QWgAziLkMWQ3=`4 zjI0dIO^o~u22G4yOihf83_E1rZwYR9EG_oCwRv@ufu#9dO}(j?w4CQiTVC09c5Ty> zJ^2f#$dv9rt2kArT6mJMzvMls8M%wE9Lhhl&Htm_DbB-XOLm%kbxg0YJ33qG;mO&$ zlhqZiLiz4nv2O`FVKPOSzgurzlK0X-muwt^le)gEU4Nqdq4m`+M!61&Hz!?BE@VD$ zC3mMu>gdeL$3j=I-P)~rN4aTPEVIk9Pd9xI7&ST0Infqz?{jeW_c-t0`i-^{3-&C| zl2E*S^w;E5&zO2-AKmGfJhtWM#1DM0LqGNxSIqro(Biu`OvZA7dvkn!c6!|6GcT6D z>~{~VT4dzDdy4z@sb>{*_1Qn15@~<F@`3GJCT2zk#>I^%4H}Ob$O1!GmXAe@MMRe6 zZ_4bHsRj8yeC~nI_dL=#^3vIW2P7@b$oQXy$$-H?9>h~-kuVTz5YaiB8+6z3ea{<? z#<%zHoN{JxWxQZu15zN*VrpP)V7Nekfo_|2MoCG5mA-y*QI1|BD6Q!w=jZB!S;gQ) zmk3Nr$%%$~Kn38KmgNUo#=^|R-e4dGGEEi4=P}@7<IrYfWMyS%W;76B;{vDW<P<h( zMiwSul15G8z}RMF;7hx1Q@wHW>So>f2L<dZWK|l)>!vg>b}RmJVb${aHa{fJ_XG&0 zPYJzgDrLIN@NS^QmDKH3?z@jJJ+d^4SE20NYF)F&Th33`#2;O%F<(y8G4^60|J7)X zb_JgKdQ%tvb=td5)joLA)XQ5u_pR8ZSwGYCU89!oR)&<*uXYQr*(1a9xw*1;Z${&O z)m<U056G4F`90jPDZO0(@5GdM3#MIJ{Wibcs{NVExAm85d3Tp9e38{#SyJ8i&18vr zlWKXBOUcjG$C704o9ve1G`P;c=GMG?gZ0-AHnn=3-nB2Q&c(<%)gwCCb?xC;rA`O4 amq*(EmvEY>i<l+0m`gmGe>L-w#eD#>w|(FM literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/gsa.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/gsa.cer new file mode 100644 index 0000000000000000000000000000000000000000..18664a3a4df92b6121e48765d10144f2e98ea862 GIT binary patch literal 1030 zcmXqLVqr39VtTcJnTe5!i6iJj{;T!(w=){>vT<s)d9;1!Wn|=LWiZG!R5ws%V-96u z=8<zOD9A}w2u>|3OD$4xEG@}M%`3@FPAtjH&r@)AG*mE<11aR@5qC~4D#=WPNr6=6 z7iE@I8VVZ-f>dzva6ydn%uCiY<Tl_039<<@g$5hQiSrto7?>KG8W<Q^m>5O@xuynY zKp_a%z|&C7Km_6(-t^)`y+n|c^pf*)4S5Z?A-1!42CIb-VO0~O60&C*Ss9p{82K3t zni#p5niv@wR(v+h62H7qI>X=Cv?HlxyOPsnTiN{^d<<)jPWf5>tI5Sxw#cnAA;o}k zk4JK~r5}R`_hj!mQ4uP8Hy(cL_OZU+ZPlNva#s#0`mnXk%%0_|_j(EQtDNo9zeQH> zY6#}tdR+b3LOtu~SxcTC>GUtXQFI~MrRCDPvajdY_Sr2uGVO)ro|hBXzWv4`S^ps7 zLpdAU`|pBc&z-DiwwrM0Zf~#j@#fm~w^zG-C&#<Qz@WB+|K<9QHlE!vmCNBr@JyGK z)9uwCKF#iQ6WuE%!NthCuH#Tsmg~bW^E&eN-{>zE<(>G<GyBw%shV@xPggd4wwQg# zz4u=0^%}k9U*#q~*uF2z&5((ik%4h><4J?YV+OLopq1rg5n~aF%v}|iQEmKd?&=G{ zhn9UcR{!GSYQO`M7G`Ap4@^=F2J#@DGK++PSc8bp(cGZBhVOgca5TQXf9I4lgDc|& z0~?S6c@|RxV*|ql`U`a1v@=Rd3as??lZ$c?F{%%a+hTBPO9UpN<U~U~paKIvkZyjE zWh~50><tEDAigSy&tt&F#-Yu|$jZvj%xECM#syBu$ti5oOe{>mw2Ydxfw9fVP}uUr zE^^+h-F>+?`u#S(pS;wo!n;jw`qL*YMnb)(ckl9e_^u?O?a*ztgH=v4tSbvxloq#t zD>>CBV6@0dFE%OmwoFdP>3vd(Pa2ZDdmjtj@-AN+qGlS!e%FRo^o-c0kIyc5ALH^V z?1<7if3vN1Zr`qFvu<uU%ltidQR~#l?heJ?-;Ev~HIF+i|AB>Jsm$Z+rKtxOWQJW> zxA4~Gr9LX+$roM}1-@nud~3|E;OTgM#mXj0_9n?6r;?pwmQ5FS%lUQnbg|ndldmUa z{39pdvdK8`WcNP(qUwfepG}S^Y5bZgHFaAT2hZzCOG>h@{cByibWi^tu{MRCrx!k~ LT5OUeTE7keATfY^ literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/homekit.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/homekit.cer new file mode 100644 index 0000000000000000000000000000000000000000..9b92afc59808b7f8a14f171ae53ce9731283c232 GIT binary patch literal 792 zcmXqLViqxIV%oicnTe5!i6im(Va;`-t4|nkv2kd%d7QIlVP-POF;p;+V`C0wVdfEc zEGWoHRq)8qP4&(!Q3y^gDoZU=aCS6QGf)Ak;O3EqsBlg#D#=XCOinDx%+FJBEG@~% zFUl;bG!!-v1gYcV;ex31%uCiY<Tl_039<<@g$5hQiSrto85kKF8W@-u85l(Yx#kAO zhDK1XL9wBxfjY!B3K>9mWM`J>B_=1Q78e6;NG;YaOw>yRIZ`h<Ki5#jKndb3Y1iDO z)RdIe6b0w}qEv;D)Z~o3{G9ysN`*j2A{-TIAk4-N4iF|rXvi=#vNJm|upIekDi$4( zX07q7Tstzo{%*6(ae>0z6-^uu8Wr2JCB$D^Y;!trFQ-viOy{vpPGPd^evziFdm>HT z+nNs?@%0c~+{9>S(8OqEAPaP;EFX&)i-^iuEzXN;izRz_v=&sqQ#6~_<k4rq1CkbI zWc<&<WWZn`58^4aNEnDUh|J0Qb#xkA!kWzVyK#*_@1B~iXC-G~22vo;qHmyUpuIqI zfqI*2MoCG5mA-y*Q4S(}^fR)H!BLn9j37OrlmQ<|A3w+%V9Yaj0KE<5tFrKb5`;Dz zBP%OAGowK@NKlZa#Gt5&U=%c|79<uI>k*2nCiSA!g8ZTqf(i`;*tmcZ(e^z#g-x21 zg^85`Iju6gGZ?rqDHKZVx@~LE6SDkBW!BVM{yl#pB#&sF5nudRV#TF756%TJDOfU9 jw@5z8j`*`<qsPW*wVMS3XXf~@^%S2zzDi@cs#ZP#mgw+5 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ids.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ids.cer new file mode 100644 index 0000000000000000000000000000000000000000..f3570c10c6f3337154127d8c8be0d834a0a75758 GIT binary patch literal 1165 zcmXqLV(Bz!VlG_3%*4pV#9=QKn%A7>x!!=6jZ>@5qwPB{BO^B}gF&vLx`8Sib0`Zl zkDOycK~AbdaB5LmYLS9tX-P(EUP)$hVo7Fxo`SQZp@M-NNFg_mxN~YzNoE>M3Zyc> zD6^!}P}o2aq=Jiw3u2UKUb3Dcw*e<ekWH8=G}u5+oY&CQz{JSNz{J4P#4rlTH8U_Z zGK6vs!VM)1#30V$FHSbiEz?T`IZ7`%Ki5#wKpbMffM>9~f=g;nCeWRg3jPJfL|EL! zsD$iwMpg#qCPsb+gC<5UrY1&4hGVCf7P&s^I5JN>yppv=)@*U&k8P%o(f_|cc4O22 zmNqLy$7}J7w;RsPK72(#DNTZ<-6<_JWy<5b*JKp-y@>c@BP_8bVCmE3?<{|XMYzAk zH{@JDxOM&Ulh;43x$^Nrh-pE+c;kB+?U~7kwXX>?-Qu>s^>>n()RT%8GFz5ho@H0o z_S9t2E>#25Wh^U}?f)?&{^Z0}hb4p=54azi{w2;XDSYiyt5`St!_(qAA0?=(HE&?N z@0aPrp}2>4gUdRF^Y524-tdX}<+*h_$7gT(U2*o_Opi3!nkS{XcioXR*%<NW^Z&?- zK2||qE&sKb^uM*p-QT@7X_ltXndIx2#4av8#di256Eh<N<KiYpM_`E98pr|zT9%JR zj78*0+QQIS3CI2O-_E=G=GzOmo-cfx4R}D(!i<dnS(pqM4CFyPWfow>HHhdO%?-M1 z_`c^2N8{W3cTPDoxH4WaumLHMXE8M}HZWYEzd*N5JENqez)D{~xhMw_zxv>qE(WK* zL|~FiPBhd5Dlp&!>E;Jn#=^|Ry1+mf#8+kEG2mk3&}L&~Wo2h(G$;oN3bGU!<TatE zn<oB(Vxyd5ghfpvWvO|Y$*H=9KpWu63rW-nNt6$$7FiXDk0cLF@Z8|+l$^pQ&BDmS z1k6&XISiQ07#X^vwjAAFb6^FB#6mY_nKmDDF2NUlnL*tf1-|#LJ1dg);ljL0LCtZp zLW{)aRr>r3@n=Z0h+1v(dW*)!(u?nHE7yjx`-b0VH99h}s@A{m(XvyQ3x0Rix2#fJ z5U-hE!69;M=ZYP#?8`sI^B+IJmGQ;Vck`M{UvB5Un)puXPVb2skyGE~cTKc=8p?0K zPx@wNUhnjXm}2h+VTU_>y+*GRB5bV+|6jMccjZjt&6;JuEYr?TeE;grgLzjksOUc4 zXld`aSL$e%%1x7Pd!GA<Jv#Wi`M76!n9cm!pE^hS`b3ZFU;dY+xSLD*QotoqeZ{ux Yf%Ru!{>xhK%dYGZyxfSbJlKCO0PRVvzyJUM literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ios_app_signing.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ios_app_signing.cer new file mode 100644 index 0000000000000000000000000000000000000000..64e2507d9813b2275fdd07cf26a1a72b078a5e15 GIT binary patch literal 903 zcmXqLVs18QV#;2?%*4pV#3*OL%f_kI=F#?@mywZ`mBFCWklTQhjX9KsO_(V(*ihI& z5X9jU=5j13$VpZ3%uCiYR5MTk333a|LIj;ti%K%nGLsWaGV}8k97{_w@{2M{Dh+iF zv_a~ag;gNxG6OR5^HLRXC^wK3=QXe}Ff}qXFfuSPG>sDHH8Mcr8UzsGG#vvih?UAH zR{94kfcP*c24|+{W#*+DG|or%J|imwb7L=qL1QOVV<W>x*-(ph@4p!=ot?U_(u~p9 zgDJ0YNBX57!C!CeRNuSS`@75M*lW#6hJ^~U`<NyQI=#JlM)QW@iv)IQ_UR?{zhpb_ zwR&HbU-C~w_p)Z*75mo$GmQm%u3Rw^eRqFzgpOuTrHA7>p8L<bbhMYgl)JI5aM5Z( z4UeLuk4=~I+<(5trJaeHk%4h>;~|5_{RZ4XKgsg5urM>RHyH4MIKqsK|5=y}7!1Tf zJXH{n$AF8CLz@j4i|owI1_Eqc;Al-wVPj-wVFJdiEJ!6Eix`WDX34}giZ{<L*<10U z%k3xEmOQpKoCfkBX=N4(1F;5?=O$WuO7|=ivbRh*SKgecZ@8ew)W8CyK%T|WK;J-j zf%XE;Hua2>k^(Dz{qpj1y+lyz&`ZwG)d#bZ6ZJC-K#{GNT$F<x#=s=T+{DPp(DP=i zT|mPb-mkJ+Di*Q{Z;kpkRqQUF{&hm4kLjnWx3*8eT<XKR@7?2zX`jqqd|aDwf09Se z#lus>mE`Y~Sesot>FIo-WOm8tzbE?GE30E3c$aM2$NJAXW03*NnP~5d%^Ygh8t&)5 zMXo+0@NjpiO?qhYj8A$00vnzehOF;+ar<TQ$~5uH0%@7mDkU5WZbxSt*a^={n9mV? zhEeU;<m{s3+uqb!mp^{p8r<alUGRH+z3i>!|5Uy@)(U*wzidL=iO3o29e+(!snM}; zn7-(Rf7My3wfP5xWS2)i{i^<nA?Cxje!k!5GFQnfX5BbmDeW({>DbXZ?*;9uH*T+c L(evQqzg!~#6Z=Jw literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ios_provisioning_profile.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ios_provisioning_profile.cer new file mode 100644 index 0000000000000000000000000000000000000000..60c7c622d607e12b9b8deb7e442b9df70e6b47fd GIT binary patch literal 1021 zcmXqLV*Y8+#Po0hGZP~d6QjHVFB_*;n@8JsUPeY%RtAGgLv903Hs(+kHesgFU_)U8 zK@f*an9H%CASYG9GcQ@sP|ZLEB*-l+3lVfqEh@=O%S=uz$;{7Fa4ap!$S=w)sWj9z z&<3ev7FL0%%M8fK&r4Onq1-@DoY%m@z|_dlz{tSF&@@V%*T?{gYY<6<(@YJFAy(?3 zSm__E5Kxp~mRSsRU}j!Ah?ABH^iFVQI*4!3#HfTE5R9x0%uS5^3_x)%rY1&4hNDW; zwq5+Qx2EOL-)ze(31`mvS>1AUn%6sJr9^sLm)J+QjWU_4$M=8U+;R8B(v>Hdb~{-{ zSZ?XM?eME)$(qt|#opUDS1sb&_hgn<Gs7);bHM|rP6?F#eim?0RGK?|PXEHsF(>9$ zEL+Rku<kn7mX=vJ`mSur`{FrMU$(DC;IZJLNhKPaYP4sF9_I~ZSe3r;olnTJdBRT` z^dBBJa~E3pKWxd|DespCJW7#f;8^l#)808{pVz%=DZbFZ>%Z~!3D2aq%I|Atcvb&R zWx2z{wnxI#)wyG9k8=0tFFO*OY@paXb<!KDi=k8Mll#-`The)C3&i)#Tp=Von_Z5- z%!<b$f4zn^6Eh<N<Ko8E28}BWxPbvI%g@5X%*5Vczysn4Gcx{XVKQI<rWI~*T1rk~ z1Ewt&CSZD!1u5WT5n~a#_E^n}H)AuOz}_GCRTUrC9}2C{F^~sIE3-%#h&6~jH__5l zx@Vb?y=BU|^5#T+!v!^_1{NR%@+^i1`UbiSv=?Z$sb`dw6j<r&mzS68C4$nVUUGh} zKA4r9sGnH?N@9A+MLEdv2~60)_+(^IzQ6Nu?{B-5<1(>M7bK=PTr@c=eBwav*S5nl zanFy0hVVpe=Z_6`{CQ_<`SdO2lUpp~?^h>jmhOG?V^j5n@2{jh_UEu_89q23t>UnF z#$T~nlMAx$ymjA}YW=6PJI&Rt=brbrg4|upH;VW#&bjUH?=++4D{I5qZGsy<ytxvY zwO`uz*U~3@@9A&a+0Sk0@_CXBlSj$?|EpDd{ePFd(YDs%x|gasNml&T6tDaWN5|=g zD^+KG%#^<JQ1^?}w$20luTACK-n#vm(+AC$zrH*v+#Y#5(a<=kB+$HVqP%CpzRyf* m+<UGHMQnH<)%qsv^p=I|zINnvim3~$-hci`^huRs+AIL{euhH; literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ios_vpn_app_signing.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ios_vpn_app_signing.cer new file mode 100644 index 0000000000000000000000000000000000000000..6947ea2f4f43545a21f178dd70cb3fc6320c1ba7 GIT binary patch literal 925 zcmXqLVxDQx#MHQenTe5!iBZFVmyJ`a&7<u*FC!x>D}zC$A-4f18*?ZNn=n&ou%WPl zAc(^y%;i{6kdvz5nU}0*sAix7666+^g$O#Q7L{bCWhN(<Waj57IF^=V<QHX@R2u3U zXoJ)-3#&lXWd>yA=cOv(P;MY6&TD9BU}yxy#zqE~QR2KHrlAFtYmi2S(?kq}AWq{B z3-D72&P>nC%u6@aG0=iIL>a{){=o_$KFr}z)dr38kpqR1m4Ugjm%*U1lc}+h;nHop zjb`4i4-9s^I>-FH-Qwb_R8PPDB}Qi3qE4+~cKjS}t<nFq#5YI%+*L=PWp1zaF6>k{ z7gHBfD&O(1?zefx<Wi#rnta+d?bE&lT$qskYm-RCy5rVI{w{cXN+fS@Hakz<?&g9F z-I(w_MT>v$tc%*S$z|HoT9>vRl_%!A=|6qS#LURRxVZ6<LF0Y{ZlIrJ`B_+)nb;c) zct9LsM#ldvOa=@FVj!L>h{t2V#m1q{28>&FW@ZBcHZE{vC#SG6vav7$<69P_l8;4< zMI_>xxX`R1E{Wc`xhlukoz9#nELm?L50X}9kuVTz5P5E*rKfbyG9i1*lyl|HiTZ{M zYD^6*Knmnp3=Q-RbQfqZ&}>uBC@Cqh($_C9FV{;1r5U~C{9Ju7D>+d=vjCI?^pcBm zki!_5@R*wz85wwOAFWvNx<P7}q?OAf??clize-L{6AsWZ-?+tJa6yvDq5PyT;<NH@ zluB<)xICwNSEa)`S?z-En?BBw>kt08$gasWZP`58sMI&j4Vh}i^_K2@{8w3HxieCZ zOF!cl_pTCH^~U0=S7p>HZpl+~Po3K~CumOE2g^&k%kP|7bbL{X#W&k?#}B=?@GC8l zP;i|d_f>pCEN@4rK-i0uPA!M7|N5k!6B?ZI;l#}CHy6%bA9Sr{UvIkVJGJGLCMVbx z+U~#DaE_tCF7?@q+WOw@VY3q7KVO}0Ui|cm#(&;!n=6~{IqcDCHk{|3<`?{|<CUJ8 Y`$9gYzmwVOyS=ie-DOfT44fJd0GSX%hyVZp literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/iphone_developer.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/iphone_developer.cer new file mode 100644 index 0000000000000000000000000000000000000000..d31481df2fce81be4ef93f78407807f743b7374f GIT binary patch literal 1448 zcmXqLVqId;#L}~XnTe5!iNnImBE53!k`o5JY@Awc9&O)w85vnw84Mby8FCwNvN4CU zun9AT1{(?+2!c3VJY0?i1v#k-o_Wc7hB^jXAVF>(Wr$#Seo;<Jd1gwgf=g;yYEFJZ zYLP-vYEEKFW`16=p^JeNNHsH$H4&;6oKuTRGSf1X!I~8uOG`5Hi!w_p4dldm4NVM< z49$!T4J`}|qJUgeB(6c@bVDfv2{tayNot*wKk1|}G6J0(U~X>gZ4nmXV`ySv1aX9R zW<W-M9+FF~6ue4vGE?&u{EJI~?$!u4Gw}^K_VP9H(S-S)n}^HS$jsE-J<7<}(ooSr z9ug!Hh#*nWRqzj12u@8d1vwTa2o0JTm5@W3k(GhDiIJZHD9**y#K_37KH0}^ugZ>p z7q{0vOP%=b{I&Q;U!RmJEm?k+&uj8tHOU2`VG;YAHXqOYIGg*$viD0`Pm7B#%$>iY z?oGXGyBb%kQDL-a(xhq2)St*1bG;Td+-%q}vsnGBoVM}bmck8JT0U~ScxE|XJiO3X zV)<^H_YKE1L@M=iW?mP#De(2l$4TwNilNJ8CM?`tzW3b`5z~LO@BLPPIQ6PX^tpb) zgG~~0Chie?3vHif-g~X{EXJ++Vt~S<wz9QFev7PwpS{@~e)VVwcLe9LLywNfY5Hv{ zncL1)V>M6CDIp_iacrmkf=ze20&Y}j?R>sr;`L_1Eo%xz6Kv1?(Am-;E4h@nf8lzS zne&;L85tNCH!*$$hR9n3Szy@8^0A1qh)j?VUoXD(&G~oyw`I)cEPgDyt7@wO4@g>= zk?}tZlK}%bB4m|WBn-qFL^{;PIah9zNa%j^de=Ai$fH3ai?;(!<OgX`U}<7x19F%Q z8vjGndvXdZqe0_GgT}*b9NKKaw9n22l-<VDxEYvoGZXWYQx)>_6iPBOixraLNitO- zsZt>^uTr5Pv8V*dDlRU~O)XYPOioTMD1qon1L{cy;XH*zV2%MM<RoCWDF(`>Bo?J8 z0FziQP(xmdLUMjyN+vjmDCDOploqGzpjcFp57Y~?45$)rKQKQj6ci;Umt+E+2Q;%J zH8(Y{q*%{D6YdE{G1-igk^(Dz{qpj1J&+Sp^^)^*^}(#<M12EaP=Ls@xETQR<pPHV zc5OCL^(nBti=+$1>O@#(1R9-El$@xST$E$L2QrQy6d^3kOzaH?Vj#XMh|god1#=ZM zvw<)h7r2~BPGMtY0>>Y)v_UO=fZ2kPVV=&eeu-x+E0|5chpFuRqp8&9^s(_=(=16J z-VJ`wYA&*^et$Vy{QlaOMU%y<0<TT++Fku?dRh>3rm#p?OiqU@f98cG%{d1@7EQhG zp^^7=u|meKdoMaB|59L;eaH9JzUkA6X9uPQ?6R9TSH$;1an0SZZ=Q2bZJZ$&|L*bW z-QVYW7(B_%|MOz6#x_+>$NFm<tEaC%ygqH!Byj`bf=$X&HzM;M3B_iG$%lQIJEgo- zah86q4dbLRnJ-1kQ<kv%T+J^Okgl6?Xm|1clU`22;t`w%yI6iqw-feD*L_o*E}#*A n<<`>XeQeF_=OX9InaZZMud7P^T{ipt^^e<o^<(;$pXmhvE_(_* literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ivpntest.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ivpntest.cer new file mode 100644 index 0000000000000000000000000000000000000000..51deacf4cd7ebc6ffc283b3a33eb7a1eb50c3ed4 GIT binary patch literal 1672 zcmXqLVrwyIV$E5=%*4pV#3iz0fg%G4Xc_RbacZ@Bw0-AgWMpM!Fz_=JHV|av;+&+` zIr)=L3ZtYLb8>#Jp@e}LiXca3SwUV&YH^97tbsHeb0`b5ut;HIaZ#C}fgVgs52(>V zPMp`k(!kizz`)4F($pwQoY&A0iEEH+$Zfz0GJs8(sk9iz;Sgp@PBauU5CF-r3v(uy z7Ni!HWai}?3L5Z(#JGeJE`S=qEzDGyh~ylg1C0#~(45ma7umy%tPISJ-3$he?M#i0 z3|*^4B0cj8%x!~})TbU0wA)e}W3G9_C$=%?PQc}r9jj($Op#5V_3=u0^5P23xOHC7 zx(j}?G|8=yO`LJ-@tU^nNfGPJ-$|SQ_$zcQvpwQ#+9vk5x;DF0)=XlbAzpOH@k6zg zU9%>unIebsx2_h$=73kh4?0v@?r!q3n&ADKgFTyxk$G_w^GSmy=A#DkKu^jFvH*j< zNd&7$WI+n}Sj1RFY&U)@@bPu};yCfj`xWP14aGDkNkQ~0gY-9uIBX3O=-_;9r<d8Z zY{88u8)h8Lv^8jAi~*S-&(g#g4CMF&vG;-|Mt2}~Zfo3=lag3qrLV8=>}QKDT6GZO zAf~fR0Eh}GP0GnkRy8v4POSuz!Kp=MnaQceASq<FbADc0W_oE+Vo7Fxo{o#NEiA!+ z*uXSnpA3rYw9MqhlGLEovV0&7ROpjgTw<S;Se$B~pOlrFT;iOQSX^wI9OUBylqkwf zDg`MD$j{6xX|vBLDFL}2o6Gf`frh*073JsTV3pTPF3M?hOv}tk1sV_&gUyH-gb`Tf zK}G<Bv!9Jan+=$!*clmtf!qibsWoWa0uwY~Y-?OjL?}CYI#M-g9YKzV1}>K1gi8Vg z)3LN9BfluKq|zV($<-kg1a3UG-~<L&i9r&Q4Pg|8K5jeg**Jj_!ot{OF2clOBxk_j z$q>L0%;3u43}odolrW?+6fxui$rOf6hD0#mpCJthbAbFjhExL{P>vC1Wc<&<WWZp+ z4dU^$urM>RE-(-Vaa37&47i{k;b3AyE@^;8D{~VgBSS!>shYHOf~Ms|+oN}$pY7RQ z-L|&r(B@aSZ$9XDsIGhXa-Z)kr(2tSggIIS_!&0{cV7E&Y)4-C9uLn?ss}rhUflG% zzS2ART9#{7$-zleON?H<`_0!baISJ%i(_5CeZv1I%3F_2oEbeqsN--J-%QhM8cFl# zeAsNt)w7YYEM<j(EvFLO>b_l}Dc2^}Fz#G+G^};;^_pu^v99kNn%I~ZsWPRjT=02( z)N||d7h8P!Uig&le0rqjk7>-~q(@F>FSo|O3AmS-S2p)~l>buKK*!6wdy4{(|DLH6 xB)Z_<$_snasv2j;TnQ@WYOq<!GcmCE<Mg{vcCU)&{rCI-+Z~0rd#Vf80|3}$J`Ml? literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ivpntestCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ivpntestCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..377ae181bdea7457888b45ac0de9612c08aa1cbe GIT binary patch literal 1180 zcmXqLVwqvk#N4oenTe5!NucVsUzpU63G3YQ*-BhEGujP!**LY@JlekVGBUEVG8p(7 z3L6NradA#k>zw>aCxuZ`j5#?!*HFSh3`LM5v#cPmB(=E2P}V@2jX9KsSy-envAC$r z&_E9+r3ch#AScdiU}<1zWMN=rVr*;>CC+PT0^ynh1)`{KUlXGevX>ZH8JL?G`56qF z7`d357#SJ%{rI1FYVLV<U$!qn-u5j=xeMRd*P5=$IM?#5hHDp7;rT{~)2g=}m0LP| z#TGd()ta$*JJbJ=ZC67}#rIrgQ87*ab$W)y42jFa2j5Hm+kRH>&<<X^B#Q&AKckOc z{dQz--{A>Hi#B$w_<5O^sdrz$<MT<a&wT`EdH-fuIsfZ#<y#;BPVKy^eRThv!;>!@ z`XRJWO~tVxMgKsxVJn->lVf#z5|=Ofvi$n>)30A`ICfq58s{(9W2*TkcPa`NEPZwT z`K?D$Rfiu}^?r`3_!a)}<GSou%@?k(bk>dSUbA~rwAOX?ea{zMIy(FMl7m@4-uziM z?GLBm)KjIayP_{`+9LR|!{qUHMJ8rO2FArrj0M0D$uZytMx87_3kxu9v>EV&IKqsK z|5;cKn1PgmEJ%QlMT|wnVQYv$2j^=$z09U%3vN8wFymmREzkf-kOFy@CPo1uhX;r` z7Bn%k05L;b<DQ(9!~!dQeSK#?TWl#q2O$n(I=cjbsDRR>oXliZBLnZ$N+21WT2z*q zoLUT$LS{SX=cQ$)mlh?KWaj7TxH#Lw(j15lOm_CksYNB3X_?81C8<HFW%)oFsL&^~ zxWqmwu{hN}KPf9Uxx_gqvAEbaImpKaC{dJ|R0>iQke``X(q^AgQUY>4Hka!=0}Xf0 zE6UHw!78tpT$E!Vz{aV~#>m3hWG>1G3SI`}R0+&zz*Nb|z+R%>bGLLM@AQjvdDmHg z7U5qg6L=%z`QHocpQk1LC@$^D*|}NnYm=31Q}tqrn^F#+&TejACltNK_2#}nJHeFo zQ`xrdy}0o2?%PXt@3OmkP1d|Y`~^p8e5_}D!QJ$GvrMMyg+w^5?+X94MgF(L9M%O{ zvnKMXubOvzf56El`X>q*1b^t?n(;+;hSp2X<F86mKjyN{k6av3Cmj^EGw$31=HM5* z%)Aawy={_s;>*&SYjaa3{#O3mZFMPqL(1}orjl0I<rU%EK5+e9w6(sjL-Bh0r6Y4@ z1kNt}ZTV^QUwiJv$OWPf!G&wSet*ZDEg!4N_1$0U)sh`d$u;KYcio&GKWv%;0PqOX AT>t<8 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/mac_app_store_receipt.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/mac_app_store_receipt.cer new file mode 100644 index 0000000000000000000000000000000000000000..1981fa82f3d84c68858b17605b7bf880ad86e810 GIT binary patch literal 1408 zcmXqLVy!V~Vo6!R%*4pV#KHGEy#4t+&RzpvHcqWJkGAi;jEt<T3<izU47m+B*_cCF z*o2uvgAIiZ1VJ1w9xlg%f}B(Z&%9(kLmdMxkRUgYGDI*uzbGfAJToO#!6mgUH7CCy zwMZc-H7BtoGe57`(8a(Bq?(z>nh4bj&Z$KunQ58HV9g4Sr6n2pMVTd)26E!OhNgyw zhQ<a)hNcFVQR2KtK&FAYk)er&iFuSkW2d3HfhoiyJ>SG+1)yaL!6o@csS1gCDGHe( zrFp5vP=TP-<kZZ95{2N*^t{ZxbQ1l8HAs*H&7g@<2{~LDSs9p{82K51;#^EkjEoFR z&o};6UDOzTt^KX?En}I!N6H759#K1Odu;w2FW%6$|4W#zPd{ZDl3QE9DMVuK5uKpI zzLe^wbDg_9uW>xx(ouNcKH5$1*b&(s%qt@nvDhhAT)n;hLZ47?vrn{EhWX?}pZ3Zf zxwMeSD<WvM(Brpv<!6XaFx5SDM(9+pN8|U1ijeFVJ%(oTUTi$>A)n1B?ASD^vo?N7 ztJlK=a~|wkvb$+|@)zyN2mjjTpE~%}W@Uen)B#nlGQNBNX8!wsDEn)4+?wJ*PmZw8 zGtLvv^ffYFSTKEC%*KV8ne7t<GSt*8cgPA9Z{UhOT72Ptne`3bn;mkG->{#5)OX?X zFSXFd_m7x8m6@0s85kEgF<u9T$Yle2HV$nzVB%wEWMnZmFf`DI@eLT;lru_73as?? z^OK7U^b$cSP%k+@7tA#<)-5kjDKaoIkOjuNEFX&)i^#+!bN(DD+dh9m*B9Tf{bsRm zwOLvXctFy^jEw(Tm<$*U<Uu@T76}8f29XYRan6<7Boeycyx#TAJ@RN!$l~olC&_`7 zD6lj!iUK);K+Ma=1<oVMDXeUa295s=8V|$V$i!sOxQ(ZAGcdVlCgvrlD&*%Wlw@QU zD<s3yajHU6B`^(EDikCZl>k}A#ihBxq?nkToLW!<(US($lM2Fl3LsAcQ-2aLuN4Dj zQxc0(6iQNya)BCv$v8PbFC`P4trYUp6iSOzbx<rS$Oq~LSq4-Iw;z}Z6$*+HlS?vz z&I6iRlA4>ES5mBJU<UUDqnH*npv%k4k-`~aNNOT1C+ZvUfx?F$6re23OzaH?0`TBr z<7Q-G0+u4Eg$gk7GcxcllfJBH`#4&gJ<n-c&gB<9&IV2K4`MF%?%T`1SL%=Iq}x5M zhZ`dAKYnywk5yz1@9k|n{{1o4t2w<^JiD)6{z>`Hjp<Xj2*)jxY%BW_r7-n*au0v; zpBHbB$*-IFBh@2j!2=De0|Mr{I~TB6$`|iE!TR^py?QAvtvqeUKMNFMZoaNnUuOK{ z>x>8cTyAglN&l0_<$v-K+loumKQHgg4qOz~Qkr^Ej3w#u!T7HnE6-=#oWyYQV9(|s zy$mV4A`%YNtnV*9mANxo>zZsv-VCR&KFiG|XP>c_sgiX5yf}BiM*<s<*(B{Z_awFo d-qKaR(D!FS<{WY9c@5Q;?yd%j`p1P=007ti1WW(` literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/mac_app_store_receipt_badoid.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/mac_app_store_receipt_badoid.cer new file mode 100644 index 0000000000000000000000000000000000000000..c1c393ec4c8fbf9eecf7e4c695a369885638c12f GIT binary patch literal 1406 zcmXqLVy!Z0Vo6%S%*4pV#KGDczh#A#L#+WX8>d#AN85K^Mn-N{27|_FhTI06Y|No7 zY{E>T!G^*Hf*=kT50_&>K~AcIXI`?Np^kwTNRXRH86p^-UzC$lo|%%W;F4OFnv-9U zTBHz^nv+<PnV(l|=wjdmQq9a`O@wL%=hUK-%(Tp8ux16v(vpn)qRf&?137VCLsJ8D zLlZ-DQ%fVuC?MC|z{1c7$~9>01oBNG7U}sWCMy6fQwT1}FG^KN%u7+o3@Ob^ErtpN zr6#9l7L+IiXQt<6=B1P9AFM%w9B2kjj7rGi%E-#V+{DPw02Jq9YGPz$SbDzkuj-=4 z=xgn7m2Vl#^gU8Ou=I%9Y1?D--+1wcw*6nibbb0M%aGjK`b{AcbC2i*751f6H=XO; z<#~<c>6VVd^Y+nhddH5)?qFUSv53V^vEu6O?HBrldYgTswKB{nANsUc?#QKuJYEq& ztA!rFy(>RMbb_hwp)*3KdOaGyM^uDlzvwYEllNldaS!=yK4HhENu9OvOIp1i9+>lB z*OJ{$)04kwPd@n9F8|cQuQn_DgQO0qa+UGj`#1C7|3ledqvO^T2YPaZb)IpaaHg-3 z>B55P+hR5@%*<?`AdsP^X1POFpm+mU?9t*2_sgtr=-%v*d;Es|{G+}Lmw%~+Hokwv z?5WJe%*epFxQX#9FhnjI*t2nHvoW%=vNJNW7#kQG=)?F1jBUypB_#z``uh3F#RYna zpcJT=oSzHk8W`)Am!}jNm>9?cV_lYyMT|vc;*vRkj+AYmzo6@j@7I2_*tgm&tp+?G zX<<gj|13-f3<mNbo-&Jsfmnk`hq^fD%54$}-EUs+`sN;aG$>^8cA%4FKuQ!?niz$F z9DX3?X5-Lm`<|S_%EoBW_|Ks6FwBKaOa_hHcp5hY6MJT2UUI5Jex5=}MrN@>GCUQh zDkN0`Q(&b+L1Iw}kX2k<nhQ*biOI>S1tkzYX+S-xAe^TF@**(pCjoO>F;F%ou_#5M zB(*3Pr~#OWlk@XZGQpWjAwNx_v^Z4<#iD|Ipk9z=K$UR&fmu+YpeQl9BopX7pqVA9 zxv6<2#d-#2a8EFbX+eXzyu2JKlo5ucCc^Tez5yR7bofER$->OU-e4fW#sw}wl2h2Y z8CjTsWe94K0!;dh3`c7;G_CatA9CBQG3L3jrAAaMo&S7&T1uwRI*UU`<+6^Qj<H<h zefaYfja?m6I&I8e)$cpJXWEO(=QHp8*}7fZWBV7!ncJgJs_qH(-)rVjb~Z>RhVjiK z=KG&b1zf`mEkd8ai|plDxoN>8kJ_N~se%WBf7?uDy1&N7QS6fQlm0&k?&T{TeE-$| zT-@@^&!tmuZvV`wSj4=8ZQ?1fD{-v(x?Ybr99|e6?)kcW%hg?ys|Efak>6FkHuQ5T zn~nUr8DCfpl%v@8y6)?q+_1@3+{Vf3#f*JYFAPH>k6zCza(P$${I44`qwcZT0^g{E bsqYLvGRG|Rdg@|kD8El=Tf(M&nhPrcm?Hu0 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/mac_developer.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/mac_developer.cer new file mode 100644 index 0000000000000000000000000000000000000000..3330fea5eb30d89c76ecbef323c85a2b668fca33 GIT binary patch literal 1423 zcmXqLV(m6)Vkut0%*4pV#KGCjyHr2t@ks+-HcqWJkGAi;jEt<T3<izU47m+B*_cCF z*o2uvgAIiZ1VJ1w9xlg%f}B(Z&%9(kLmdMxkRUgYGDI*uzbGfAJToO#!6mgUH7CCy zwMZc-H7BtoGe57`(8a(Bq?(z>nh4bj&Z$KunQ58HV9g4Sr6n2pMVTd)26E!OhDHXK zhDJsPriKOvQ9!OS64#)y&rr%hf{lxFl3M5FPdX`#j67VXVP3(O0Y;H7fk3r}5JzbF zCMF}CX{F$vSX7ds;9Q!Uo0*qhtf1j+VeV$>;$a#Zp$YRmHxE~od4QQwM3`T=v!SGc zI3z>_5Fw(VtKbq6j1qDNO^iy&fy>Csz}&>h&j1wXVrpV!WOz7R`T)mIwhPXR%2n@m zxh<+TyyVh*<$2T2?#2fxkJUAOZ2M*YoYnX@bzRa2hR0_*{ra_cwaxLLr*moR%_$S6 z#aOuR<iCCJ-lwX9uKJ_bq;A%>-niO+HacQ2SI7Rds<9K-#O0+ZoohYQUE62rr~9YV zQ2)?;_H%AA0*)p#7@NLM+-Uo0Vy@GNLu)-7BKrHojwn^^O}x58LU*UsvTe&x&fUJc z&m>LZXHVnwqcv5UFGGI4s`F|~alRy(mSHGT9~63k%d9kVe!lcp)qQ*SR=Ea66mjUt zrLR5|eYmmL_Ici^w_m@`U|)XsOy|r5r%TF<Efybh>?@dR9XaR9y6w-~6<lUAF*7nS zE^cCc2n><C2DWS*+HAlS$j->fVrZampbO(0Ft#aXl#~=$>Fehw7Z>Oyf|8+La(*tD zt6N^4Qe<FgAPbBVSw0pq7LoqChXogvO3rW}D(2#^kN+XmvG=_J4@g>=k?}tZlL3Q) zJcy^vB4HrbAkv{O&be}%L_+tQ*So&CM;;9dS-c(SAbyY%1(qg8HXw(|pz%L6mn5gK zG8!~~G-x~wa~~5>b{kLQW?*{HOw3D8Rmjg%D9OkyR!D{?<Wz;EN`=I{N`(SoS_86* zi%WA;ixm=+lT!;yAbQe(dQw3+PXXjXVDe7_X0~FWY)WELib6?hQ7%wJUW!6;eqKr@ zIA1B`rzw;cr|O_sRFDtU3$hHT5^g^*7b+AKB_@|-0-Xmmvm`Y)HLs*t&p;FI2}Utl zXdsuDmm`HSIJA=!^$qwy0m2UoK^A5v_67qn5MLF<=P}@d8N<wMAk4-EE>4nD*cf@h z0S+uwP|Fx#Heh7X|MN^Lb6RFm!NnIPf&#gZd^_J;iBEN3`eoP6RuM<zLiIh5R=jWv zs}o>86qK)0^l4G<inWWb)~`MJYERXhdm-F!7^G`@R9a83bN-(4(@t;OmCo|@Q%`&B z{@2S>-gGzlUBUV8t=5d5tFs*R))@%Cf9tg3-mgnW229=Q99n6DFZ>@ZJryiy(CHR7 z<=uvEu8rPni#j^|jry;w{&2B+>+4e`(cI@NO=fP3l6rAD`UX>-b?4{KExpebHWv2( zO-(e2>YdcRcN&|-)(3x{tX;l_i+O?HeffI_)y#OW1(XCGz0{HXU2$rF=p5cEgL5*W a57&PF|87b_<b#L<g1cU9Z+_>#Xc_=7IRL=` literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/osx_provisioning_profile.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/osx_provisioning_profile.cer new file mode 100644 index 0000000000000000000000000000000000000000..4396f1b4dba40f9109f8b39440287e2102db2d19 GIT binary patch literal 1334 zcmXqLVl^^oVv$<F%*4pV#38k;{GY=13_Sy0HcqWJkGAi;jEt<T3<izU47m+B*_cCF z*o2uvgAIiZ1VJ1w9xlg%f}B(Z&%9(kLmdMxkRUgYGDI*uzbGfAJToO#!6mgUH7CCy zwMZc-H7BtoGe57`(8a(Bq?(z>nh4bj&Z$KunQ58HV9g4Sr6n2pMVTd)26E!OhK2?v z1{Ov}hDJuFQ9!Plfsuh3lxq-VsAr%9u}9T6F<HSsSRq0opeVmAvl!@#%)E3ECoL1` zh2YF|5FfkOkUekE#HfTEK8&mk%uS5^3_x)%rY1&4hGjl;ZyfoNQn)*K-L<mG1xgDp z?v!Yq;1#elDkJjLoI;1oil_KyUUiYV@mRZDF`IXi<g1#etUKkV-dMXu{@J?SpSd+% z9DD_qntP~)ncoOF7~k&q$oJZ{dS1)ryEm{+uw1=qnvNH{zW6H}hW-7oFF%iqXN`0^ zq!Ovw_}*`$eACwOwBzP`SH4x;dHRU@p$PNdt}otu?f*D(q&s<Aohtfev7-F*<s7%~ z#j(x1F1Ka9_Djs|Iyd1B-*d~%yPgZ`Hs7q%_6dxVy%i$%blJxZEDdYg%LR3Eqbn@t z6#9MRJ6oZ{?6k(m+V0W5OM42U8M0O_PFuap#duoT8}r4+Cv@KCnQvucW@KPo+{Abk z7$OG^Y}q)p*?@_Nosp5n&_Lfn7sfYWY*WlADJihh*UwKbF3?K^r6j%N{9G_sx4b;1 z$iUb@78rT5d@N!tB4Q39Kg7*-+@8dj_WTSj;CnCk{G$O6NLrYY@jnZb0fT`&h^NdV zVIbBZ(xEQSxpJFCLid~3yS}+c9t{dvydCHuevlFcmL^6vAcx7I@jo=7C#SG78Z>@1 zXgmya9}`e^8&BhAV3N&D%u7yH$j?(K$;d2LNQS4yRE4BUg~Yr{g@VMQ5+JL%xHLDl zSRpYvIklh!q9+ZgCl!SA6hIyXrr;!CVk-v9rX&`nD3qiY<pMS2r6?rl=cQzVvxY)` znnG!Dst$@p1^Ga|Aj^O%;r0WQutGsmVsc3)(0M>JOHy-F^Gb^K3^d`MU=)*u26B0M zIZ_ydLpwQ9-+&JkApD>ZWMO7vZ!qA82M7x{3llK!qZS3gq|V6TST@Jo$;_ejOGaRs zefhqsG!~A<D{kFPFj!(0r~5;IZQAVX0wO(A3)N0CHg8g2S+eYQ{MMD0=^^<X&hvcS z7Oqg*AK|%K=Gcc-pVK?zmQ~uRZhy(3ee>Ph{2w0H)4f8}EkX`??Kd^cpTv}Es+DXj zyn-z@ur5*H``0j~-x`bi*FDqlepRDX;F(w!_-9Vatd8y+Zz-h@FE(HLrek>hh{67* zyGoNq6pB~vxF{}XZ{|N`&gY-jvu<ZfP0S5T&}!SOnxS$=kW;+loch9t*#?_>cCJ{k z{lhA^B~ulJPx!xFxzSW8{29vy+y6p$Uf();v-R4ZY3C;}9Zx&{y`ucqvg@7F>j6~T B;6wlb literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/pairing_host_cert.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/pairing_host_cert.cer new file mode 100644 index 0000000000000000000000000000000000000000..8ee41920b9448b8d36b0441080546793bd08f2f2 GIT binary patch literal 702 zcmXqLV%lZU#JFeyGZP~d6C;BGFB_*;n@8JsUPeY%Rt5tG137VCLjwZ~BNHPdQ&U6p zC~;mR5Z4gO1*&LbR6^Fq$jZRn#K;d4=VEGNWMtU4#IiWz)EQ@)jpyV(d!KFCIw6hi zdlScxYm@WXI^Pzg{eC;`?CGrP$t9wF=G_jtn%~WRT+)i4Y^t9vTx=C9B(uPB#%;BQ zVcK7gS}wlPth+M1c#YG69s7T8*ZVYK*|a4+U+-U0`_ExuDIa-dzka{U>W2S0QQ3cI zuMwEm#?GQ3zxfB(T}}@cIp?&-X-j6<2Kc?#G_zWpP;j~I-P^3IKXcaDPx^26Vw&Xd z{H}}(MtUb7xqpwnysM?2ZT-TPRXdqJb4`8x-gTyL?e7g!VnkjCi_Sh-Ei8OFc!$&7 z<o&B&{#R^Me80uU(c(r%_Ki{x(Qr$R509l{nD}L{O}KosBKOKJT_$Em2FAtq2DSz~ zY|Npu!i<dnS(t#~CJW;6v52vVESb%uet+ZP7H1bTyXYEc>&$tk+y;CgX?~Dm7G@^a z1;{}Rj2U1MGcver;GcbPauL_v3@(m}5AUX081@uSi`{(a+Tz=XSFtVmv1P;M9cS&8 zK75S%`onF}r%RU?=^NabFkfo>?2{jh?rr^-w5|BX&L>vo+pf-6Vk<Okj=9WMR-4Y( zw={F3-;?<Ck|$v|icR%+{qIU0bl)nruqU~icj}9lb9Gmat?Q}%cjU!(&YRk+_Dz`6 zcKXDbVyjixC2Q;dw8R_wZNKn3W;?eP8{g{&-)XHW`#+q>isiekR<>`enQDfk09R!M zf4$3>kF#Ghtl7V8m2HPZ0dq~1t9Z}H$6pf5!{Yx`oiL4>`k3c;Zf?$*Hut%kA3jn$ ay<^G5ZGk>t%`-F)zTfqsyGcB?@g)FTv@Y-f literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/passbook_cardman.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/passbook_cardman.cer new file mode 100644 index 0000000000000000000000000000000000000000..5bc14879b04c3d2ef55d055d318a75b5c5714968 GIT binary patch literal 1525 zcma)6eNYr-7{A@yJAvav1nzFk(-%)5KJIw;E+i>S6cbQW5kxc5Wp9y#yS;UH;lyc_ zyBes>FQ6`mR1#CeEJjCA$nPvH4yV!@92GQY%#Sc_5Gjz}J3hicoav99+2`5cv(NMX zp5O0<PT2$KB-(4FIELds(Z7satOB|M7$EnJDN8Nu3BWL!OadJrkqYQ5mu3<25Ik!! z83KbnfuFx$GRIjMkjBz_G7iRgk_vzAU^3grTTFJdi2*50F=MfD3=c9G3niLutU#u~ znI5#%|E2$d2D2DmH0POVZ!t(N67y}mSuBAQRRN>{CK#c?Xn-Vq1BJ#>A#_xek#LIK z&$lA-y~>AiCJggea+DzGX`59~d1lws6mPOpEUAOBg9A-jhyWn7ghS^_NdnJ+4^f~% z6p%9wvy3S(%uXNyoH)pfYM2+1;aSQ8vIGV!U@aw2(FmQ`<k3uHGKtiQ1xZle4|igi zq}gJ*=vK7PNxNSAMCc6Lt50ZYbRWq1x%~aAE%U1~_^9lo-TQAmtbgs`F<4#jtKUFi z&f0k{m2#i-ddMvoKc!_u>9(I{*FFw!)BSxjDTjc!Q@=N~Wz4$}+Dj~j>5tQzr>WnZ z`~1#OrB+}A-0u4y-`Yw9rne|37w3Q5u>$N%(`W5mNG@3z-Mhs1MMK1MNfTVJ5MAb% z^HVYxMHO+ojb-b0tU0CDCmxxz=|pxz-DS=1YqfbTmfzO*Un}I|i#2;=U0ny4Z`>>? zkLpln`nc3uGOl|^@}=fg+KTC|J9Pt}ZS3r2u2e0p-yz6k;h!E(+_PoH<+e{A(ba{! z?6?$@V6{#>2|DqqaJt+lR*vL22Ezyv#zWn346(BCd{N|*;^S?!zzy%!X7z?TyWPY? zBh;YHXaWf(5n6qQTE=S|R&EO-$}4*J{8f1S!~w6mH6a8JC2*1lsU_4<SsMCol*;$> z2KB0q_wF`5nzQU&MrLgz+E0)N0thE2M*$8U14DkHO)?BR9>D0~*>Fs$8Jf**w~rdl zD?XZvhmNx&SoEU?f5%~D5;Mip46w04%r^^w9#KC7a!UZkmLOH~B6<^qA}b>Ril!M( z9IVMhHH_zBfu{%ZOfGV$fWDfL(g6~r6&0{1K-*Z8*=t5%%L7FM6Zcdj&W36|%@A^= zKe8_1c#0OyXgu^!k+CwYDCi;d5Hg8~hEXu0Mq3kJHfiY8G;bMoYR@icN{^CI;i(8B z2q`|M)N30}1fhaq!(>SD5lV?bI9BfGy^m;<T#6Gox{@OQ%V1*(^|Nd}+F$4<L;k`f z)%Pb3bY1FSGrn8(MAiiRj$5&M#oFY##cO{2;7|7-?REDKYSMMBlHlc<_WM4&r{B4K zJV7yG*R8wf&)?bJYL7aG`SLTGE=Fc<f$yxBGM9Z0Rdi9Wuarzn)op+K$T!AAJ-HVO zPBtH%!JP~q*l_yvCe3O~Iew#3r968t$941SxYk2gw=LRlh_Lo#HKuPa-1<Y%yvp*J zcJk<W<+x_Hul~z_DvRmF#;GB}=N8ZI3>f%IwsQ5N>zUEJ$G=5&o^gM1qHAyZm5L8j zlj9RlnPhbfWL=%F*6f;PX}#n!S;Lk$xMRLnU;D1AR2S<A?Mv<HXsbHh-@Sh3eB;vj I>vHwfzgd+Q`2YX_ literal 0 HcmV?d00001 
diff --git a/SecurityTests/shoebox-certs/Invalid.com.apple.testcard.crt b/OSX/shared_regressions/si-20-sectrust-policies-data/passbook_testcard.cer similarity index 100% rename from SecurityTests/shoebox-certs/Invalid.com.apple.testcard.crt rename to OSX/shared_regressions/si-20-sectrust-policies-data/passbook_testcard.cer diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/smp.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/smp.cer new file mode 100644 index 0000000000000000000000000000000000000000..1065a7dbe0276c39b20bcb198149234a04fd3698 GIT binary patch literal 714 zcmXqLVmfBf#FV>$nTe5!i6baK>3tQyC5HhQ8;4e#$2nUTW+sDDLrnv9Hs(+kW*!B{ zf`Xh>h2YBKlGI!U&%Bb<^rFO)%=|nBXGaBH1$SdZH3JopQf?kuh*Ia&qLR$C%w&iv z$I_CF{G!Z~N<(1-L6ABw9xjMF&%9(kLv903kRY2dQ)sY(oH(zciGitsg@K`wp`l3> zkZWcDf)K7jj-io(0mNCFsmaN@$wid~CHcC=sYPX($*IM<sd>qn1sSPDxv6<2@uAM9 zx&cA{E`}loLJ;?HXZi<2JyJ}BYa$JV+1SBB!o&y-8)im!W+w)gJ)AptG2LpgPdM}7 z^)a!sd-V=gK_)wtQg>8wC|%6|62+hS$gsXSfrV>-!}s3T4x%mlQVSfF-X(Lh#BKJ! zUd*?+@x4Lg8v|E14sA9@R#tXKMixs0a|2Tt-+-}AGoz%Wz)D{~Ke@O-FA)?4ddc~@ zV6K6QE?A%#7{tZ~h6b`g-^uc^h_Q%V`YV4oam5q9ioLfJcAlxSckBMT#DE7REzHRH zpM}YQ!9X6wQ)ZDc5Ni-oi(Nm-Mq!48>Ao2O%NXO9zf{z%G%x`vkY~{~&^FLqpuRx0 zO&RKv<f0rThag;_2b3`21L@)iSprNx%o+y#Y@EQ5Yx|y@!Y0SU#L9r2x|rP=3|yEL zjODi<n5;CX@J7<d>Y_W-lkZ=&-haJk!}A9Rv(>VWd=Oz$P`G~mV)fby&C0J#<aqig Xte(D6m+i4Zn5M#%60^V3bFKma{v6gb literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/softwaresigning.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/softwaresigning.cer new file mode 100644 index 0000000000000000000000000000000000000000..d039cfd81111eeeefb501a6e6b588a1f4fcca324 GIT binary patch literal 1343 zcmXqLVzoACVo_ee%*4pV#G!SoaM$v^;`0r7**LY@JlekVGBUEVG8ohwavN~6F^96S z2{VNT8wwi;f;e0}T#f|=IjIVsdC7W)Y6dDGL2e#dh@f+7QAuW6W^!UlW`3T6V`)i7 zeo<ygrJ=EbAxIrFj}}y2eoCrBaAta5W?s4i4owDf;=DkOCWb~vM#d(_rcvU&MutdS zgD@f-C~hDMaUdVW;^6$WlJdl&R6|JvafpiqU_vnW7&I{|A%_JcD+6;ABR>OBoQtW6 zk&$7)!H$v{{_EJdmrThs49VrZXtQ{OrNGJy&sHTU#a@2WvdF=4LdvlO+lh&{f>yYy z&(ldc{X}ks3RjTT=F4xy94ijayU6yeLN%G=^Ziqf&t(6Zz6^{J7VUm{ac*Jt#gnVN z=gqv;e?W7G{)GG`yHoocvaZ`^<UXl5v{Xp{htbQrld&;9c47+B*W>0&x9M_x-y^xi zm(OvD*X?Yn2G;<Vl|H?q?60!a_wMePXJfx9$a4DQ?I&J`1kLEuR}M>k`cms=;1=ay zEO)=ZUU2{FtWR+qALH9UY;?~l-MF#mqVVIYgKv@?OO`d8eEb<zl45BenRj02Kti*o z&GUQy@w}fWTgDsoGBGnUFfMLld;|=Udj_(=V3g%!5n~ZK_SVkpx84hT;j0ToH^<(5 zzWIBGsR0j2T9}dXKMRuqgMmDVr_3T@Al4w#m$~dnxsxBu(lDnvf%0v)E-CbL0!@?w zDN$f)ViX2)_<@)knk<u3SQ!l({~DOGacHvvQz$zVqnKt!NlAf~zJ7Umxn3eDS?VR{ z=jtcJQ(<Z%ED0Jk9){~<GHBe!)3`Y(H77GMFF92Km{dzLGK&?E^eH4&DkSDrDikCZ zl>k}A#ihBa#R`eZ$*Bb;5It!?J*gm^rvS1UnC6p!xuO^-o03?RqEM1rlnd05m!goI zpO=ye$`8c~`DqHJ#i=?d78T?J^@1z|s)V~6lzR$_5|c|ZfzAV(S(2KYnpaY+2lPBJ zbmUp|40H^%7HBL`Yg2)SKypzIatHwPS1}}e=>cU7_(0nDL9xKX%*5VcAO_;Ag7`cJ zT(EFqW;Wo5hc%lR3lp#qKrIu1`GAoj{K`?qaA}cSLPk1*tUN6IQ&(Mi^y|}++>Coc zLA*-ECt8bT-v|1A=<?i<F(oxn>Hc4be$y=(4nezB`_BA2S0fa5<G_Vb)~#L}w<i9X zS~D@O=%U6JS?%0g-s$sM|2%sh>E#?JU)^H9@87O2ZDZCc0nI!9&AQFJyEo~RWN!K7 z$ED}ZA`Rm>a$^}~QiFpgmsQLW=N6Egvd3&fn751GjGN007k-dQn=&(`Sa@ro#U7PK z3k<BQQrp)Y*dzKS&fxgm#ab-)kDPaJ$({fAzw6-zl51>sukD}mbLa6Bg=T_pUoh_4 lQtHvPL@QW|m38*qWA4&lUnmqUkoJDMFXfK~@2vmMjsVDL;NbuO literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/softwareupdate.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/softwareupdate.cer new file mode 100644 index 0000000000000000000000000000000000000000..fd375b33fd1cb073d0788f6d1fbfd2dfdffbff60 GIT binary patch literal 1328 zcmXqLV%0HdVi8%u%*4pV#9`UybkfhMcYy&f8>d#AN85K^Mn+av27|^XLv903Hs(+k zHesgFU_)U8K@f*an9H%CASYG9GcQ@sP|ZLEB*-l+3lVfqEh@=O%S=uz$;{7Fa4ap! z$S=w)sWdb*FafD!7S@HR3(ij~DNig)RR}FeNi0cKz@g7TPMp`!$iT?R#K6G7+|V=% z$h9;yFfuVTH?lM|k1~kC?nWMDH_92vfZfO=iq&pI2?H^(+j#iVTxHP2sDvCUjI0dI zO^o~uKyfanCPqev{nK4UwF9dEE#5R?%TyO@VQ&2;?kxfzUcapmoNc`2-ooouGAub( z>ss!reLg*_#a#5kwGR(xNa=4Xo?a2gyCBqlj!utf#x2#Kwukl`9FUu|siIhTf%xpd z{3a{R8SiF^{!>UlHS1im{%uyyPj1y>M)#f-1bm;bD%D_QvtsR+)!P%aQ+GcwDQuRQ zBqL(*aZ-WzrAn(RmDpn&d2P<Db??q*x4Y53@-DlsM50I5f#ChR44z;79^d=aVgFO; zy~ctgA>mgZ=AM1~T<#73P0ovtFRXcFb(Yn4-og74(=G@8-tM5Ix<NYkxWm%WPg9;H zmR0$%tF5^5E6h^jhE;Rvi#W#+jo(bnj0}v6n;1_5L*%G|EHD&h`B=nQM9f96PVRZ| zC3l|RF{j+eYgFrMUPKu1fTV>P8UM2|888^ggLuj;z_4!+={~CI^?CiNg+)`ov*o%c zJ8p2Fp$IgQ52QqarHPRh$YC^S{0B{+$tkQr-UkB>HV$nzU{YmgVic3fC@Cqh($_C9 zFV{;1B~QKN{9Ju7D>>1i@i1H|lR@J)p2p2VsX3X6dC92?z*Jh2ky)&e3{SYJ3Q3g; ziFuU@1&Ku^Kvr>aX>Mw<LSk}qYC#D^Pa059DhTH(fUE!}_atD3C<e-=Bo?J8l%y8r z0yX5NC?x0SrDTG#La{=AnnG!Dst$@p1^Ga|Aj^O%;r4?vPC-#(a!Dr8c|bEuQgc)D zN{aOitU%!*&thy~XrRA9cY$`BCO%K=7nhfU^Ojz6QH}vPEcro!&%(^a-e4dOGD{W2 z=QZGlhbs#sa&iY20>I?X$iT+CS1~z=<#>T-mxgh@YQV18cZa)|DjRxjV?7*}U+?0k z=kj#A?Xm8Zs_HvdJ}Cz`zuEAhvG}>tE_0t(={8f0Rn>}B-S(Umsxn;9vox;yvU0e4 z$v;NsvY#^3-t|gscsMKmmGr$T{p=NrY-YO-Y3z`eJ*^`2gypy6o7Z7amL&glOAXe3 zV*g;3+36!4lgi?@C}*sV%reWnalT~6n$4eNx0mv5om4)9y}z?*Qm_cy9m#o2fAuz9 zQxSYnR+K))HRk%$xi8&jDMo&u^IIVK@UC55bvaeXCw@M7U9<9A^P{J455^kb+#zb| f*#Du=e)XCOHmr-wAFQ9<VwBs`cdbZDp!*X5dSK(k literal 0 HcmV?d00001 
diff --git a/SecurityTests/OTATasking-certs/task_signing.crt b/OSX/shared_regressions/si-20-sectrust-policies-data/task_signing.cer similarity index 100% rename from SecurityTests/OTATasking-certs/task_signing.crt rename to OSX/shared_regressions/si-20-sectrust-policies-data/task_signing.cer diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/test_ios_app_signing.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/test_ios_app_signing.cer new file mode 100644 index 0000000000000000000000000000000000000000..7e3f3047094f0993ad201302c9c2d6bff656f236 GIT binary patch literal 1046 zcmXqLVi7WEV*0g!nTe5!iBZykmyJ`a&7<u*FC!x>D}zC$A-4f18*?ZNn=n&ou%WPl zAc(^y%;i{6kdvz5nU}0*sAix7666+^g$O#Q7L{bCWhN(<Waj57IF^=V<QHX@R2u3U zXoJ)-3#&lXWd>yA=cOv(P;MY6&TC*{U}|7wWMF7uU=ao6S|V``qKI&snSlw!O5G6G z;1C5Ad;NpKe3(0fGt=`j^U@VS3JsbVm5@V%k(GhDiIJZHD9**y#K_2S>trO?g~Jp6 zNu26>=b9cU_pN-!1<fO$egE2>5Z7}$yS`QUXi0u=V+!X)zr!g%6dSi2i|^5WBf0wr zuUEyXO;4&Sze@btl3aiHX?wNc-($ZD;-=q;xDwlVDuK6OJ#c1kBU7y2LZ?j^PX2Mb zdU|EXp~-9IX4Y0JnHe3PHE9<M!|h*PYqpmdN33}}clA-_Rdws$O;4YuAGF9sxp}%o z_{wEcA31HV#aJ%f6j`?-)!H@TZPt`atd+l31^Px#E_yvzMfsJ{<*4SZy4yu=sU)x; zP^inl64vUj`SgIy#1l_gw%GZv4nC7xXxT3=Db}d+>x%CMYwvch|C8D}W&ijsh~Qs3 zN0Nz|k%4h><6(ow0|wl{5SHa<VPR%sZ!q8iafBHe|FbX|Fc^q|c&Z>Cj{z4Ohc+89 zO|dgG0}~N9IFTi%urV?-vM>P?nk+~uABz}^$PS?;E)qeN2F?%q{w%9{9?Q+LxyL{r zB(2OMVIbBZ^4vsAPwAdzLiUy^=gONC^$i!)m>O7s6v(p}8t5D7F3?_}*`}URQc_^0 zuU}qXu9pZ(ta{1$x%yyMa-x1_0VwV1B^Tu&$1^a+1LK*IVRB{9O&=Am1d;6Z3tzqu zy3;w)SNQYo32~ujG6DORg|`_M=LP0C>^d#`!{xL{&K^#^rLWX9SAXnI3!do^yLBJ? zWgCgWH)6-0Xs}&2cH5#gZJ&I?_p0RM+ZBTYW;ci2s{Rp_`S*O~SN|nXOt??%RD2$u zIqUIh_a`Nuvu-F=NAP}65irOsKGx@LCcS%!$E>)<>AW#s^3P6`9=aLZ^JMd`n4Ndd zOs<g^J1%VTszLNeLc<T2rG3f*Ue{)c>%0s8!RY#S)`Up*XChmcDLq*qa3k-4<az4@ yIUzm%zxua?lrDYyO)2E5ly7^2zMa($CiYEyN8}1(w;$DbqxPLoaL<e6o+tn+Du5mU literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/test_ios_provisioning_profile.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/test_ios_provisioning_profile.cer new file mode 100644 index 0000000000000000000000000000000000000000..868ce47854e44dd48372b2bd1884833f58774492 GIT binary patch literal 1031 zcmXqLVqrFDVtT!RnTe5!iILBMmyJ`a&7<u*FC!x>D}zC$A-4f18*?ZNn=n&ou%WPl zAc(^y%;i{6kdvz5nU}0*sAix7666+^g$O#Q7L{bCWhN(<Waj57IF^=V<QHX@R2u3U zXoJ)-3#&lXWd>yA=cOv(P;MY6&TC*{U}|7wXl`m|Y8VCNS|V``l8JDdy@4&nO0y8x z;1C5Ad;NnI0*dm>GK+z(%*;y%andq@ehSV^2lGKX44N2~kb{Jgm4Ug5k)Hu5&c)Qk z$jGoZi0|j@kf~ycy8AD;SRc){;qkeyZW+1W+`ZKL*2mY6b}T!^{`Ju8Or!g*ddJru zJDifE7PHIaL>_0$oi#^1nKW}9%4_SzIK)1)AF{gLputeWxAvk(Q)uSYZb{39PZwG| zayqCxt8nYH)!!74?X|7m-^<tDYHkxSS?Kt}+3)2gt{;;TsxEoEDM#|pO6j{BtmF3z zFg=a9ExCgA$tL|TW;{3bziQ7C&){!6zbE;>x2c<|)r=aY35#{VSHyCg&X{Jo@}W-2 zv}BGgRyJjhlApwFPs;B4bvL-%pm?|Kw9|##cWV8#%)My*MgHa54Xb2MFPGnyFD!oY zVSm@z`@XyX<{V>t&BV;ez__?^wL#+w18!hY%ks0ZFf*|?81R5N!i<dnS(pqMfT@NX zoT`#j*np{wg$bClWI+n}Sj1RFzVn_k$i2F;+W58Wfma-2yT$Z%3=HH!(#k9n24W2& z&rP)Sl<rw3WN(>ruDm%>-*7>VseuJZfjo<$fxdz60__EwZR!~%B?VUc`sL;2dWoRa zsh6Ces}E)+C+cSwfD)Tta#0R)d;*g=Fg_U>7EY<%c_wl1<n5`vZ@qsj&&c_E<Bfmf zcaAMVM}0kHL?81$3y^wftC1YFT|+-`oob4<gn6jR;iHDRjc=P~y;hpYB`vx7-nT#c zyie}6=vqu$nDI9B^xX5I?4Kq-a0pflt1IvmwGX!T^-1n?KIpjNu)w8zK_50cZZxtN zX)@rQ_e(c%+EUJ?e{vbm+|@rasV=!`ZJ_^go$vCDt?&51=SldzUeG^L{FzOy%CXJz zYwp}TIY~n;SgNIVb;-e=io~Q4<_#OQ*18B!ew`I__2(O=u>Owv^jMYq1<rpoBRb!T qPt@<Zxp-^#x?B~<rn-O3OP^dek$tZC{CYvu>VL9<M<P8M{r~_E$a~QM literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/test_ipsec_gateway.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/test_ipsec_gateway.cer new file mode 100644 index 0000000000000000000000000000000000000000..2ce556bb29b14dcceccdf4e1f99406ac23009f08 GIT binary patch literal 807 zcmXqLVpcY2V&Y!F%*4pV#K>sC%f_kI=F#?@mywZ`mBAp%klTQhjX9KsO_(V(*ihI& z5X9jU=5j13$VpZ3%uCiYR5MTk333a|LIj;ti%K%nGLsWaGV}8k97{_w@{2M{Dh<U9 zL_q48g?S<Bg7WiA6r3Fm<ivRmEDa3}jg5>9%#F>Xz+59Z*PsZywY&!0U~5HKJcHFj zkWBXs2u@8_a8E2rEl;e(>V6JkF6YFY%(VQXyv#&HAp-%BLF~eu&ZPw)x98;>G|op3 z2}V{1=EhzIgT_v##zuzSD?}12!lRTA+&cL|%q{VjNBnZWw`nW(M)?&id7Zk!=X=q& zz_T0ITfUz?@BT`TgCEX^%niBde{br`uNOCo&tuSZvcHtY^Skg!m!D$w>KVIY`fByQ z$Qb9@Op;izSDAJH>L*`ymW5_IFaH&^Aw2Ntk0TEn4Z=Kk<bGK9W6cNWHN2adm>C%u z7e^R`fdfF6pM`~)iFJX2JJ1udf-DXOc8$EH#i>OOX@x0yddc~@P5hY!#i_}9iJ&M0 z3AD2a{?}q^5&#Pup^2j>0p=z~MuyF$S{Jv5w1-DtvY6@jkB^BrVCoAIp)!dXB3JI6 zl2vWHW#^ufew$l7?&GJforkub3ii%ZSp4W+;DhTI-4q>~j8yXr#Fsz(cA;=d#QhL` z&wrD3+}%Qc@E!dh{xov^`ERe~omb29eNu{<7UXbm>9bAG{`httj#D?<`?nxqS@@K$ zTeC|}JKyN5=nmrH6YMit)Ey)tx`}P2x=U=X&BL@#-^bdL(|BEuR(=pDv)Hq6W=pI= z6iZ^M^udnnajTcDn4@#+`R!s!hYxN?MPFqrWqLlm(zATysu{M`^)mhIH5s0~)A;sn kibH3@%rE!e-E(G%m7E*)cu&{0<vi!#%5}FrH(3@20N+C;wg3PC literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/test_smp.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/test_smp.cer new file mode 100644 index 0000000000000000000000000000000000000000..ece80e980e84d5beebcc94106cfb51440fdcf46e GIT binary patch literal 712 zcmXqLVme~b#FV{&nTe5!iNiao=;PUQyLt_{*f_M>JkHs&Ff$pH8tNP9vN4CUF!QK| zq!yPbI2IJ-q$&hg7MG;vDtP9Vq^1`omSpDVDL6YS=qk86I~yt($bmF)^N2gA7L{bC zWhO%uIF^=V<QHX@R2m8!2!d2_@o+&*^UO=uGvqel1PQVUGld2l$cghBniv=vm>HUx zn3|eK0l8*KT!R8bBLf47voyiZ0$Qx#TvS<5lCKb)T2z*qoLa2lnwOkekda!Ho0?am z5bA7dC}AK5aT!0FQX*UwX&}tT4h|M3MrimjGqN)~F|e%JVI}P++J5)^Sw#b7jZbX? z8a1C&EzkZn*qT`QAW~ubfk>5~^`*P78XQm!dL;aj+c)5dTX>dm=E<h6m5M4?CoOJ# zY0&u0z>keXn~jl`m7S51#mT_Izz)VYU~DtWC@Cqh($~*VE-uh5O)Sw%&Mzv^O9Vv) zkeLe>H!#sH0Y*?_F)+MSlamc(fnJs6V-aH!Ddz6_@@vt_{55)W&b<7$ciE#42mTxI zfTV>P8UM2|888^ggLuj;zyN9xS?nhKZ%X}xMg3wQe#p)47HKJn{ApkYQXtO)ObiCv z3p5v~x2Zy%1aysVa#0SFV_+`O0}31Pf%Nf%tO2GbW)0-D#q7>t;KHPk5O&ObXLkha zht9;rB|Dnq=bg_}%zMAEGiIw^-a`R5e<lU?-lZ2#v>JZ!*4ZjO?MQ4}>kla_^XxYl N>RmfbFO=R{1OR~E-hBW7 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/test_tvos_app_signing.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/test_tvos_app_signing.cer new file mode 100644 index 0000000000000000000000000000000000000000..54615649aeebe837315e50b96ef61dae0749fef4 GIT binary patch literal 1366 zcmXqLVhu8AVzFAl%*4pV#GzRoXy(2oU)g|{jZ>@5qwPB{BO^B}gF)joLv903Hs(+k zHesgFU_)U8K@f+Fhs&{`ASYG9GcQ@sP{%+EB*@L93=s^^FUm<N&rC^Ga7iso&B-rF zEm8<d%}FfD%+D(}bTM!Osb=P}CPKA>b81mZW?E)4ShIp-X-P(YQD#Y{ft)z6p{aq9 zftiu9sj;D1lsK=EF_3F+WN2bxVjg7>YG`Pn53xrh#5FiX0b*H5n13*s2{SP`Gd(Xe zFI@qo2D|T&{cq63sDvCujI0dIO^o~uKyfanCPqevlO=^-5vlhj)j6im{wyTYx9Gwm zIa#-L_m8{}KhPAv^J#K$_}W!QE&2QIr^**|wT4=4KJUyV@nkK_g62-!{9pGsH!a$f z>z3@>!S#GvhIRh5A1fzGi1L1U>GCz{V}Ng4LUd=5O>oyOD}UJtsYC1Ccyfbt7yFtm z_!n~Q?i5DngZGmz>6J|r&@}K5G>wfHFyeo+_5#<zd-b(vmV2kiP2cZ2pF3kRw^Oy} z&s(;O<CL;Jblaw>9;^^tTVLSp$=VzFs3EX2BIb8#&Vu@+ueArC|6psKzj@V!8Nt2P z4lIRVmYiFlU|VkVb&5jBqDM1&ERv@@Enax$%o9PA-~Szxbu8CgGBGnUFfMLld;|=U zdj{@o9NKJ*tgP&ej4aj$mImf9z5!#Kc1B4_ft9{~esXbvULq(l=_Tjqg1H7Jx?q9w z@|2?FL?Z(e16g29%JQ*@v50Vq{GOlhS9xIfiKV8m*|MIyW+kpQ-~mYsGcx{XVKQJa zkO%RUStJa^8bmtO#W`1QlSt@(^Lp1e_sF9`A&a*Iodz~ffu)I21jrEpVjgI+PflTF zG-&*1(0CZ;R3;{a#%(-}n}G>9GchkYRUto5p(G=-SRomnGE)_jDisp*DisP6i%Nj3 z;^NZW)MACi<mA+X5{RBOpq^9^&Qkz+4Ve0pfVrm_D4UX4l%i0QT9gaake8y6oS&DH z3C<`A`DqHJ#i=?d78T?J^@1z|s)XAQ%vK5oMTyBJnLy_O%`8dHP0cGQ)-y1JdxB9+ z3mV?#<>g4hjW8rN5tg^~4fsGI$PWrn7G@^)1_Kc`Zg8QHoWjN^!3Yj#VA+6LQ~>h< zBSXY{qZ|*-UvY6p%l19FWLI>4XGv1agoW|DFWaU|evw{iXz}3o6Or6`GfgfBPv5dC zIWcUFTtUbT3Eh(`3>BxQs2;TYwfltdY@Ve{5B2%2Reis2$}_%+W-e<d3n|!G9r%~) zzHg!Cz2J8_@50`!d(EL@=lp(BwpLoqeARNlX|BH4*Bm(U?~-}YiPMkO)^55v!9HX1 zR(pZViQ73%ovwVjXYFLy^YF#;(<(X^7Z=P_y1ClQ@>YeC7UQE^2HZ`jY9E}sFjY9f zzqPH|)^?H3Yqy$!15pXp1zY2{uLx;;zTwlvW7iHIxpw>2uP+~R820lQ{@<Jv$)T@t SdHvx__Z~`xl>O70@eu&{4e_`D literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/tvos_app_signing.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/tvos_app_signing.cer new file mode 100644 index 0000000000000000000000000000000000000000..aad43385073e3ab19c4699c0aa37aab0bfcadc09 GIT binary patch literal 1379 zcmXqLVvRRwVsT%<%*4pV#9?yeVaea7w~7Y5Y@Awc9&O)w85y}*84Mby8FCwNvN4CU zun9AT1{(?+2!c3VJY0?i1v#k-o_Wc7hB^jXAVF>(Wr$#Seo;<Jd1gwgf=g;yYEFJZ zYLP-vYEEKFW`16=p^JeNNHsH$H4&;6oKuTRGSf1X!I~8uOG`5Hi!w_p4dldm4NVQq zjLeLTObiUoqr`cQj17zo%#939EKJO!47?514OAia$U*E03G)wD05M^P1!tz`W#*-0 z_Y<<O4VoC0kOPL1m4Ug5k)Hu5&c)Qk$jGp(|AO{!7RS2x#UI<E&%NN?`X>ISif3-j z^w*n~{jQmR{({7>h4<%sIUPQH*==G^iFIDcj^}R#x)12TnAWzcdwc&oEyK_2S<1yY z=lz^(P!c<DqhQ*5-b9&0|FTOP_?$%i?pXYlP-1=%xc9>6AhZ9?6YlLxc+-@&)-$Bg z@~+2W;hBfdl!wN7ynbh5$nw7Kp;L&!dCob!M?!54W>oyPSabVEvV97BeX#F|JqdQ5 zo*nF48bq%i67K%bGhtgg&-yR#W9IJqJT>~#th$EYllf;$pKkk|*gePk+##P`+rN1% ztMoGY_|ScqW-N<Z%DcEep1I3eA4gn&vemEpj@IgfubOI4PiA6fWMEv}#P|~!B3}*M z**LV>7+G1_85vou4J-}JVSEF|Htmd(k^(Dz{ru$O0=+~~64Fb~&joW0Omx8l<>e_w z$%#e=#s;#$_><*h5n~bYT(zzxTqLZY`*m`5QfbDY=$`V020S2XVMfOPEKCLr2J#@D zGK++PSc6E1x;W>`Z4wFHZ(i^E<{o)8C}i<=pwqzSDX=s#iU2tRK+FS8?8zytj0TPW z3>pu^oXW&x(727KaWgR4W+vt(rz+&<DU@Vn7Aqvf(_^YaQl&y-UZp}oVo?c@Ra{(} zn_8@pn4FwiPy*4D2Go-Z!g&fHuK^QY5-`sc17%YZi&7LyQj2nd8uC&UlJoOYGQrtH zAwNx_v^Z4<#iD|Ipk9z=K$UR&ftg96peQl9BopX7pqVA9xv6<2#d-#2a8EFbX+gug zyu2JKxDke=Cc<)*z5yR71o=VX$->OU-e4dG;;VxAJO*4aGnttUgxR>jMMQE68>0j` z_<;olYPkW-9*hig*zest^e1P^MyV`|(g!64FXy^nyLa}&?YH^?zjz<-v^6{F{m$=5 z^Uhia#!2=PU6L=>#BMxz$zVpS#zdY;g_Uo-1JB%_S=i2!z-jj@Z2ru}?|GOm-9In! z$s}*`1-`~7e&*G(&wG{?=1xtkJ<w26`0)C4)7fe-TfC+j{Q0P+Ec>QV-_k*3y$N5d z&4qcrem_{a4%xfZO6op8@bTPA{hZ3ZshM`)$|7GE@T_NXX<`ypu{-==UhIO$X+@EF zfsWUT?)sjZwn6Hkd(``rM+60{-pr8^k}TSBc!r(zb1(ZH9uC(sR-R*j&KDPE{9}X9 Zp>3*X;`iQuTCpvDrrn+O3bs-F!T?b0`EURL literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/tvos_vpn_profile.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/tvos_vpn_profile.cer new file mode 100644 index 0000000000000000000000000000000000000000..a926366b2afd36b8653e4b1bb4055088b861eb1d GIT binary patch literal 1060 zcmXqLVo@+?V&+)D%*4pV#9_R(DD;XLOPK*L8>d#AN85K^Mn-N{27|^PLk9ypHs(+k zW*+m9)Z!8a$AW^KRE6Nm;*!){1<$;a)bygnlFa-(1tSIL)S{Biw9I4(-?6kLBfluK zq|#8$Km}w1H;*htGcI+)27(}UTs&M5b)I?2dWPHvoFG9qVW!Yv137VCLsLTo0}BHS zV{>EEC?MC|(9pmP$~A~K)G$zkxK<uwMo5@~f3QMWfS*D@QGQw`$myBsd6{|XhP(#c z5LdBy2CIb_61KdFQ3*MC7+D#Zn;7{S44N3Zn3@<F8E&`!U^%ir($Vkg)fcKp`4K_E z^`{=FuMXHCelyT*VeGdZyA`&t&fqCM;FUgK?q-nHQuCs1u3FC4FLSS-njLxc?$gHi zUj!c>En|Ip_)~(l?f-f4GmGXIPsn$Ue#X9TQ-XwPrp{KKDbIFxI-i@7yV#F$PpL=i z`TrFyuAifpneee5l-Y4|TFw`D_N@mV>c%v<^v}!so-25x$GwT^jkRd8M&E7!RcYqR z^S>obyi{VawB}-#W@gdp6CrY`t{s2YZ7iSc_~ic=oppc9Rn+QCr!HtN>b0tKmD@8r z!O&N&U*q3RchM&k6#Wl#E=ei!{uTY@hhuJOxBZ)=eP6Ac(l);fpSF{UnUR5UapP8l z#!Uu}Y#iEbjI6BejEpR%2F3=4Funm}n`%Z$Nr9EVetvRsfnFjgIq4<m=YqKgCc25m znMTQp28IT*z}S)HV-aH!Dco`KVd_EGWfwC7G88I$Cj1YMk2l}}NeeSF{%2t_U@(ve z@swF448$5l{z^^VVV~S(xzK3dI^(64m*W<0zGA=!Qos*V&ce*Z-eABFP3OreY}zbL zz?6=f@PRSQ$WXB9<`?BZfp+@eRCa4|FH2mpwK$xA&I08pxm@oT=4dZZ;yJ}vrE&K0 zlcTJO>XAS0ef^j<{X|VL{~Xp^k>{Le$Mx)ewBo$k<G;PWg}EHt-t(4EP`T71@>e+0 zv*!AWJ*CXIYL{)Am)IM&i_@YebJ7=Ou8MQlo=(`loPC4lC1$h5798K_KC?-%uy6F8 zy`%QYqv-`nZy6TVy}i<S=1A;J<&Emn+rO1?o$}3c4}Vm9d)tl8$Bu8=GwCF!{!RwF zI$g%=m6^8{KQX&}S+Jv`DO&UTRGHIS0-wKDG!+XR5vi`WJ+)w)X=itK$n@$nDVB@g YxZQTok(l9qi=is}<9SZ$!e_pT02+;pdH?_b literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ucrt.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ucrt.cer new file mode 100644 index 0000000000000000000000000000000000000000..ffb49125047f2e6c0803cf8609f4774911700f4c GIT binary patch literal 839 zcmb7?T}TvB6vuaFuB-c@Vym-BSer;+TAZ1kon1G4$lY3nKBTb7zL>c)3lr`(&5ra~ zEV7G4V!KF^6h_fQQh_B1m6=hImXx7HMA%DV3iecw)2t~Z_!8WQ^Z%d!<^Im)K#~eU zlKjy}kpxK+Zm?Smwxt>->JUYO$he@yN;RVbmpvr3D$z4qToIU3Sd%mDF2^oaZIx?0 zjd8q#@qstzQm&ddtmz(IPUxP5j8)dhYm6DuWi2L4ilED$kgVxSRKaEq>)nM64=k{( z*F3%!cOlCI<Ao&&E&s!?9jgB_RISFaR~Dix-aZO0YyRT2B(XF$MdVZU7KHEK);oBv zKhl9Kvw4RGDl>K2`LfyOxrq<jLfSU`kx@F;(XOqw(^FqIJ{_2TtT>V<W@|m~hQ;I0 zy)(9(N#Y75i7Yrxo(dO17>EQ56y;QLPMP0}ewvB1R+|Zs`i&(!fs%yCB#Dzod*;cl zumfx~sy}crY_b{cS8rsRoM5L>sG+fmBvp&ie&<pqTm()U?G81DNmSJ{vdKtgJ6@`V z;GmHxVwI%MH+{`{-{OlwQB1@UA{!FDra3r@*Fm`%j0qT(02h?RppOsAOpxP)f@q}r zmlN`;32das2gj6haMMVM$qFj=`dHutz(as%YdOwH&2>*oYk{Vb*_Kez%D$2Aef>E` zLn)0CT0DlFA#d$|9wJ;Mz#TEt{g)>t7Jx==l6iLvj>@bU@C%Gz76Tk7`ZzB(H_PwG zVn7ra$*d(Vz+xl)Xc_z5s@TH68%{+m5GFm9LoWSh#iy=&&ik|D^B0Cf%EOCO8@i`o uU6(fRta|o>^dwHT*k*q1>Dw27U;Q9BvTzu^dHelZSzl)lpEq`lYW@QyJp{A> literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ucrtTestIntermediate.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ucrtTestIntermediate.cer new file mode 100644 index 0000000000000000000000000000000000000000..3e9f28a9d0923f0bf1c0092b30077ceb113fe9ba GIT binary patch literal 499 zcmXqLVtjAV#5ipMGZP~d6QiI37aNCGo5wj@7G@@c6hmPHK{n=477k%9=fs@MwEUvH z%tS*G10j$gmoT?uK|xNcj)G@ivYw&2fhkCoSy-<$xu`^;B(=Cip*S_Uz{u3B$WS3D zKfgr5Ikl)HGc7YYu_RT&v9u&3zbLb$(m+m}*U-$s(8$ur(7?>dG)kP;2*fpmat)G5 zafPXYF~k)**j(Y6SCU$ko0^gdasiTS3?dDL+1SDUW@3Z}05c;yvl9c$<ed|_e)74! zczE>Dc3!3>#pxera#j2honw4!*(#B@hYtDgSl*&j+;=Ra+f_#Rc!}^jFOwN8^X*sM zFMIHJ--=p=#nuLv2K+!b$qF+v{%2t|U<OhKd>{dSkN_~88QBcP*f@c<w|!4eVbcML zvWc;P+>aa^%<c>ZE=&r_JC4inFU<3l?$5JZnD(ZlVZ+&|_eLKl@>yrR^qYA=mPx^L lnbh2S@9hg3<+e>W{k^{J((fC^fd|e^=Xqqbt7w({O#p=do67(I literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/ucrtTestRootCA.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/ucrtTestRootCA.cer new file mode 100644 index 0000000000000000000000000000000000000000..e4eb11809ae298779986eaec0fb3addd4f4fef8f GIT binary patch literal 551 zcmXqLVp29}Vmz^cnTe5!iId^(^E5H9M|V05xY#(f+C0wLvM@6lq!<bt2(mGUvTz7< zIVa|1rsWsqWhNSm7zlv`xrDhL3kq^lbrd}FlJyMD4NO6z%))x5$weg!C8@<F3dO0( z1xBW3MTQDN`S~RZ&Z$KunQ58Hi6yBDj-@3T`9+x}l?HO+yoRQRMuw&ahNk95#!=$D zMj);cluIX9L>dUQv4efi#0U)nW=3{qCkB>n&kTO9-?^uuP~+T+?pHr5C2Tl<eN3(6 z>k9ej{?hEC#${cV-a8S}+KVz4Y}fhKIE&e4Nu}qK|E3;iHh%Zze%iA**&xwC78o|N zd@N!tBK}s}9nu2%=P@a~(VDf>=$L-$mPZEsAZcMn#{Vp=2FyUpKprHZ%pzeR)_`3H zA4mZ|NCz;c7~7EJjoFjIz>P_fVRhN<>kUC?@?S^tbe}bqT(!&4mvwp8!oG{GEJe2h qMfL%eY&_2XBSTE$c}BEA?V}{^FJjxnY+Z^Dy*uTgnLkras}cawC#<dj literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/wifi_user.cer b/OSX/shared_regressions/si-20-sectrust-policies-data/wifi_user.cer new file mode 100644 index 0000000000000000000000000000000000000000..77a3c623d3a0872958d9c4c40db0317aa9e4cb5a GIT binary patch literal 1305 zcmXqLVih%LV*a~;nTe5!iILTSmyJ`a&7<u*FC!x>D}#Zup`w928*?ZNv#>;Xrdy`2 zXI@EaQEqBVW@1UIuCt?VaY>?qoH(z6sevI7f<crxuMslWAk<LQK$wk-bCO!;<WD*& zjFMukIr+(nIffDjVkp8K<(X-jIf+TdhI|G*5L;P8i&Kk=4TTH@Abd`c65Udupg|L( z60&m{Ss9p{82K51;#^EkjEoFtzJ0u@_wQK1mVP;x{gd18PudiB-|)S+!(4?U9o4?m z5-ikCxh~N=Ka;7`TyJ%3agO+jF0Drg=Wd?2uj}?-785%T7is=~+ZOOY47`z{p7m#6 z_tdX9S?%2KGG1;GXMfGR%=Xx)>rZM=&wugJnz`stfyL~4hRy45_^TDH@jX^Fan^lV z=c`H&>k8aUJ_X7tOx+r{=B_|#(QPqlfhP_h9=DzOV7k++ElU5wW}#dC0f}3VJM4ec z*u1JL^K#GJ^}JWP3bvYV*>~;zD^>m5GfkGTa0Yz!e)U%(R7`iC@}uv&t_w{vIC%Rh zUvR{69-h!IDNgHVRr&KP9d`M?{(ENG`9BYKzcglIW@KPo+{C0{(8MHTU=IvGS!EUr z1G5H^4Ly%G9c=p(mRPZ0p6%*q!ATn}7#2z|ku(qo#}qiadBD*fl%HP$jOHdrW&<ZS z&V)7(#<m|$j4UjsV#XOIB?VUc`oNedOD)oa#he~EX7!U3^^=Qo^g*JTxygyZRH6su z8@PZRA<trKU~OQzz<hye8(F6Kv2kd#0h1>?BO{BGfrEh^jBmiyW<=0giD<4WF;D=x zN{9vM{U%YY-Z3x+sSsq*G0<9|!Nvu&oQ1K;T!e{vffSDfJV833hJgV$NE1H`3o{ez z0s~nPhmS>!MTGlc>ukY2FS8E#acpkiqq*KRFG3k2t;!;1AOiCXGZUP}0t`1;uH@ur zF$ZQgJ~j?WHf3gFVq$1O;<JGH>};&se9TPj23&B3>;~d&oN%YJaLI8ngfbK}q%ssC z=OSRH2j(J127U?Urx|4ol^>oRT<EU$p!#Q2R@bjf6M}4Kv_(04KhI$=cAnRhvwZ0! zjThcKU$)KKd27y>5DVcG3)e@TJv}Muz3b8Nh-ZiT{v2vK{$uBd39d_6G!u_h-Z*{v z#Rth*MHZ*l7ykG@E$*yuis|(9N7EQTn8jU-JyXqWb1!|ZOKICX8AZW=A6)iy9^p|? zHw$5&d@y{a%&P2$`_8A1+t;qX7Sw-;<qn7I)%kDs7Dz1nwd`$lTEU+UhA(YzC!M+X zZQ?b7Gq$xlZX7@4!%WpyO$v#-vw)v%$Dd~wA66wy`@Z(T!nWp~vpEJkcOKlW+5d#U Z^w{6V`*rVBtIB3KI9>T-eNxf34ggt})O`Q| literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-20-sectrust-policies.m b/OSX/shared_regressions/si-20-sectrust-policies.m new file mode 100644 index 00000000..ee1658bf --- /dev/null +++ b/OSX/shared_regressions/si-20-sectrust-policies.m 
@@ -0,0 +1,425 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+/* INSTRUCTIONS FOR ADDING NEW SUBTESTS:
+ * 1. Add the certificates, as DER-encoded files with the 'cer' extension, to OSX/shared_regressions/si-20-sectrust-policies-data/
+ * 2. Add a new dictionary to the test plist (OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist).
+ * This dictionary must include: (see constants below)
+ * MajorTestName
+ * MinorTestName
+ * Policies
+ * Leaf
+ * Intermediates
+ * ExpectedResult
+ * It is strongly recommended that all test dictionaries include the Anchors and VerifyDate keys.
+ * Addtional optional keys are defined below.
+ */
+
+/* INSTRUCTIONS FOR DEBUGGING SUBTESTS:
+ * Add a debugging.plist to OSX/shared_regressions/si-20-sectrust-policies-data/ containing only those subtest dictionaries
+ * you want to debug. Git will ignore this file, so you don't accidentally commit it. 
+ */
+
+#include "shared_regressions.h"
+
+#include <AssertMacros.h>
+#import <Foundation/Foundation.h>
+
+#include <utilities/SecInternalReleasePriv.h>
+#include <utilities/SecCFRelease.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecPolicyPriv.h>
+#include <Security/SecTrust.h>
+
+/* Key Constants for Test Dictionaries */
+const NSString *kSecTrustTestMajorTestName = @"MajorTestName"; /* Required; value: string */
+const NSString *kSecTrustTestMinorTestName = @"MinorTestName"; /* Required; value: string */
+const NSString *kSecTrustTestPolicies = @"Policies"; /* Required; value: dictionary or array of dictionaries */
+const NSString *kSecTrustTestLeaf = @"Leaf"; /* Required; value: string */
+const NSString *kSecTrustTestIntermediates = @"Intermediates"; /* Required; value: string or array of strings */
+const NSString *kSecTrustTestAnchors = @"Anchors"; /* Recommended; value: string or array of strings */
+const NSString *kSecTrustTestVerifyDate = @"VerifyDate"; /* Recommended; value: date */
+const NSString *kSecTrustTestExpectedResult = @"ExpectedResult"; /* Required; value: number */
+const NSString *kSecTrustTestChainLength = @"ChainLength"; /* Optional; value: number */
+const NSString *kSecTrustTestEnableTestCerts= @"EnableTestCertificates"; /* Optiona; value: string */
+
+/* Key Constants for Policies Dictionaries */
+const NSString *kSecTrustTestPolicyOID = @"PolicyIdentifier"; /* Required; value: string */
+const NSString *kSecTrustTestPolicyProperties = @"Properties"; /* Optional; value: dictionary, see Policy Value Constants, SecPolicy.h */
+
+const NSString *kSecTrustTestPinningPolicyResources = @"si-20-sectrust-policies-data";
+
+@interface TestObject : NSObject
+@property (readonly) NSMutableArray *certificates;
+@property (readonly) NSMutableArray *policies;
+@property (readonly) NSMutableArray *anchors;
+@property (readonly) NSString *fullTestName;
+
+- (id)initWithMajorTestName:(NSString 
*)majorTestName minorTestName:(NSString *)minorTestName;
+- (bool)addLeafToCertificates:(NSString *)leafName;
+- (bool)addCertsToArray:(id)pathsObj outputArray:(NSMutableArray *)outArray;
+- (bool)addIntermediatesToCertificates:(id)intermediatesObj;
+- (bool)addPolicies:(id)policiesObj;
+- (bool)addAnchors:(id)anchorsObj;
+@end
+
+@implementation TestObject
+
+- (id)init {
+ self = [super init];
+ return self;
+}
+
+- (id)initWithMajorTestName:(NSString *)majorTestName minorTestName:(NSString *)minorTestName {
+ if ((self = [super init])) {
+ _fullTestName = [[majorTestName stringByAppendingString:@"-"] stringByAppendingString:minorTestName];
+ }
+ return self;
+}
+
+- (bool)addLeafToCertificates:(NSString *)leafName {
+ SecCertificateRef cert;
+ NSString *path = nil;
+ require_action_quiet(leafName, errOut,
+ fail("%@: failed to get leaf for test", _fullTestName));
+
+ path = [[NSBundle mainBundle]
+ pathForResource:leafName
+ ofType:@"cer"
+ inDirectory:(NSString *)kSecTrustTestPinningPolicyResources];
+ require_action_quiet(path, errOut, fail("%@: failed to get path for leaf", _fullTestName));
+ cert = SecCertificateCreateWithData(NULL, (CFDataRef)[NSData dataWithContentsOfFile:path]);
+ require_action_quiet(cert, errOut,
+ fail("%@: failed to create leaf certificate from path %@",
+ _fullTestName, path));
+ _certificates = [[NSMutableArray alloc] initWithObjects:(__bridge id)cert, nil];
+ CFReleaseNull(cert);
+ require_action_quiet(_certificates, errOut,
+ fail("%@: failed to initialize certificates array",
+ _fullTestName));
+ return true;
+
+errOut:
+ return false;
+}
+
+- (bool)addCertsToArray:(id)pathsObj outputArray:(NSMutableArray *)outArray {
+ __block SecCertificateRef cert = NULL;
+ __block NSString* path = nil;
+ require_action_quiet(pathsObj, errOut,
+ fail("%@: failed to get certificate paths for test", _fullTestName));
+
+ if ([pathsObj isKindOfClass:[NSString class]]) {
+ /* Only one cert path */
+ path = [[NSBundle mainBundle]
+ 
pathForResource:pathsObj
+ ofType:@"cer"
+ inDirectory:(NSString *)kSecTrustTestPinningPolicyResources];
+ require_action_quiet(path, errOut, fail("%@: failed to get path for cert",
+ _fullTestName));
+ cert = SecCertificateCreateWithData(NULL, (CFDataRef)[NSData dataWithContentsOfFile:path]);
+ require_action_quiet(cert, errOut,
+ fail("%@: failed to create certificate from path %@",
+ _fullTestName, path));
+ [outArray addObject:(__bridge id)cert];
+ CFReleaseNull(cert);
+ }
+
+ else if ([pathsObj isKindOfClass:[NSArray class]]) {
+ /* Test has more than one intermediate */
+ [(NSArray *)pathsObj enumerateObjectsUsingBlock:^(NSString *resource, NSUInteger idx, BOOL *stop) {
+ path = [[NSBundle mainBundle]
+ pathForResource:resource
+ ofType:@"cer"
+ inDirectory:(NSString *)kSecTrustTestPinningPolicyResources];
+ require_action_quiet(path, blockOut,
+ fail("%@: failed to get path for cert %ld",
+ _fullTestName, (unsigned long)idx));
+ cert = SecCertificateCreateWithData(NULL, (CFDataRef)[NSData dataWithContentsOfFile:path]);
+ require_action_quiet(cert, blockOut,
+ fail("%@: failed to create certificate %ld from path %@",
+ _fullTestName, (unsigned long) idx, path));
+ [outArray addObject:(__bridge id)cert];
+
+ CFReleaseNull(cert);
+ return;
+
+ blockOut:
+ CFReleaseNull(cert);
+ *stop = YES;
+ }];
+ }
+
+ else {
+ fail("%@: unexpected type for intermediates or anchors value", _fullTestName);
+ goto errOut;
+ }
+
+ return true;
+
+errOut:
+ CFReleaseNull(cert);
+ return false;
+
+}
+
+- (bool)addIntermediatesToCertificates:(id)intermediatesObj {
+ require_action_quiet(intermediatesObj, errOut,
+ fail("%@: failed to get intermediates for test", _fullTestName));
+
+ require_action_quiet([self addCertsToArray:intermediatesObj outputArray:_certificates], errOut,
+ fail("%@: failed to add intermediates to certificates array", _fullTestName));
+
+ if ([intermediatesObj isKindOfClass:[NSString class]]) {
+ require_action_quiet([_certificates count] == 2, errOut,
+ 
fail("%@: failed to add all intermediates", _fullTestName));
+ } else if ([intermediatesObj isKindOfClass:[NSArray class]]) {
+ require_action_quiet([_certificates count] == [(NSArray *)intermediatesObj count] + 1, errOut,
+ fail("%@: failed to add all intermediates", _fullTestName));
+ }
+
+ return true;
+
+errOut:
+ return false;
+}
+
+- (bool)addPolicies:(id)policiesObj {
+ __block SecPolicyRef policy = NULL;
+ require_action_quiet(policiesObj, errOut,
+ fail("%@: failed to get policies for test", _fullTestName));
+
+ _policies = [[NSMutableArray alloc] init];
+ require_action_quiet(_policies, errOut,
+ fail("%@: failed to initialize policies array", _fullTestName));
+ if ([policiesObj isKindOfClass:[NSDictionary class]]) {
+ /* Test has only one policy */
+ NSString *policyIdentifier = [(NSDictionary *)policiesObj objectForKey:kSecTrustTestPolicyOID];
+ NSDictionary *policyProperties = [(NSDictionary *)policiesObj objectForKey:kSecTrustTestPolicyProperties];
+ require_action_quiet(policyIdentifier, errOut, fail("%@: failed to get policy OID", _fullTestName));
+
+ policy = SecPolicyCreateWithProperties((__bridge CFStringRef)policyIdentifier,
+ (__bridge CFDictionaryRef)policyProperties);
+ require_action_quiet(policy, errOut,
+ fail("%@: failed to create properties for policy OID %@",
+ _fullTestName, policyIdentifier));
+ [_policies addObject:(__bridge id)policy];
+ CFReleaseNull(policy);
+ }
+
+ else if ([policiesObj isKindOfClass:[NSArray class]]) {
+ /* Test more than one intermediate */
+ [(NSArray *)policiesObj enumerateObjectsUsingBlock:^(NSDictionary *policyDict, NSUInteger idx, BOOL *stop) {
+ NSString *policyIdentifier = [(NSDictionary *)policyDict objectForKey:kSecTrustTestPolicyOID];
+ NSDictionary *policyProperties = [(NSDictionary *)policyDict objectForKey:kSecTrustTestPolicyProperties];
+ require_action_quiet(policyIdentifier, blockOut, fail("%@: failed to get policy OID", _fullTestName));
+
+ policy = SecPolicyCreateWithProperties((__bridge 
CFStringRef)policyIdentifier, + (__bridge CFDictionaryRef)policyProperties); + require_action_quiet(policy, blockOut, + fail("%@: failed to create properties for policy OID %@", + _fullTestName, policyIdentifier)); + [_policies addObject:(__bridge id)policy]; + + CFReleaseNull(policy); + return; + + blockOut: + CFReleaseNull(policy); + *stop = YES; + }]; + + require_action_quiet([(NSArray *)policiesObj count] == [_policies count], errOut, + fail("%@: failed to add all policies", _fullTestName)); + } + + else { + fail("%@: unexpected type for %@ value", _fullTestName, kSecTrustTestPolicies); + goto errOut; + } + + return true; + +errOut: + CFReleaseNull(policy); + return false; +} + +- (bool)addAnchors:(id)anchorsObj { + require_action_quiet(anchorsObj, errOut, + fail("%@: failed to get anchors for test", _fullTestName)); + + _anchors = [[NSMutableArray alloc] init]; + require_action_quiet(_anchors, errOut, + fail("%@: failed to initialize anchors array", _fullTestName)); + require_action_quiet([self addCertsToArray:anchorsObj outputArray:_anchors], errOut, + fail("%@: failed to add anchors to anchors array", _fullTestName)); + + if ([anchorsObj isKindOfClass:[NSString class]]) { + require_action_quiet([_anchors count] == 1, errOut, + fail("%@: failed to add all anchors", _fullTestName)); + } else if ([anchorsObj isKindOfClass:[NSArray class]]) { + require_action_quiet([_anchors count] == [(NSArray *)anchorsObj count], errOut, + fail("%@: failed to add all anchors", _fullTestName)); + } + + return true; + +errOut: + return false; +} + +@end + +void (^runTestForObject)(id, NSUInteger, BOOL *) = +^(NSDictionary *testDict, NSUInteger idx, BOOL *stop) { + NSString *majorTestName = nil, *minorTestName = nil; + TestObject *test = nil; + SecTrustRef trust = NULL; + SecTrustResultType trustResult = kSecTrustResultInvalid; + NSDate *verifyDate = nil; + NSNumber *expectedResult = nil, *chainLen = nil; + + bool enableTestCertificates = (bool)[testDict 
objectForKey:kSecTrustTestEnableTestCerts]; + + /* Test name, for documentation purposes */ + majorTestName = [testDict objectForKey:kSecTrustTestMajorTestName]; + minorTestName = [testDict objectForKey:kSecTrustTestMinorTestName]; + require_action_quiet(majorTestName && minorTestName, testOut, + fail("Failed to create test names for test %lu",(unsigned long)idx)); + test = [[TestObject alloc] initWithMajorTestName:majorTestName minorTestName:minorTestName]; + require_action_quiet((test), testOut, fail("%@-%@: failed to create test object", majorTestName, minorTestName)); + + /* Populate the certificates array */ + require_quiet([test addLeafToCertificates:[testDict objectForKey:kSecTrustTestLeaf]], testOut); + require_quiet([test addIntermediatesToCertificates:[testDict objectForKey:kSecTrustTestIntermediates]], testOut); + + /* Optionally: enable test certificates for the policy */ + if (enableTestCertificates) { + /* Note: Some of the policies use defaults writes with the "com.apple.Security" domain; + * others use "com.apple.security". Set both since we don't know which one this is. 
*/ + CFPreferencesSetAppValue((__bridge CFStringRef)[testDict objectForKey:kSecTrustTestEnableTestCerts], + kCFBooleanTrue, CFSTR("com.apple.Security")); + CFPreferencesSetAppValue((__bridge CFStringRef)[testDict objectForKey:kSecTrustTestEnableTestCerts], + kCFBooleanTrue, CFSTR("com.apple.security")); + } + + /* Create the policies */ + require_quiet([test addPolicies:[testDict objectForKey:kSecTrustTestPolicies]], testOut); + + /* Create the trust object */ + require_noerr_action_quiet(SecTrustCreateWithCertificates((__bridge CFArrayRef)test.certificates, + (__bridge CFArrayRef)test.policies, + &trust), + testOut, + fail("%@: failed to create trust ref", test.fullTestName)); + + /* Optionally set anchors in trust object */ + if ([testDict objectForKey:kSecTrustTestAnchors]) { + require_quiet([test addAnchors:[testDict objectForKey:kSecTrustTestAnchors]], testOut); + require_noerr_action_quiet(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)test.anchors), + testOut, + fail("%@: failed to add anchors to trust ref", test.fullTestName)); + } + + /* Set optional date in trust object */ + verifyDate = [testDict objectForKey:kSecTrustTestVerifyDate]; + if (verifyDate) { + require_noerr_action_quiet(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)verifyDate), testOut, + fail("%@: failed to set verify date, %@, in trust ref", test.fullTestName, + verifyDate)); + } + + /* Evaluate */ + require_noerr_action_quiet(SecTrustEvaluate(trust, &trustResult), testOut, + fail("%@: failed to evaluate trust", test.fullTestName)); + + /* Check results */ + require_action_quiet(expectedResult = [testDict objectForKey:kSecTrustTestExpectedResult], + testOut, fail("%@: failed to get expected result for test", test.fullTestName)); + + /* If we enabled test certificates on a non-internal device, expect a failure instead of succees. 
*/ + if (enableTestCertificates && !SecIsInternalRelease() && ([expectedResult unsignedIntValue] == 4)) { + ok(trustResult == 5, + "%@: actual trust result %u did not match expected trust result %u", + test.fullTestName, trustResult, 5); + } else { + ok(trustResult == [expectedResult unsignedIntValue], + "%@: actual trust result %u did not match expected trust result %u", + test.fullTestName, trustResult, [expectedResult unsignedIntValue]); + } + require_quiet(trustResult == [expectedResult unsignedIntValue], testOut); + + require_quiet(chainLen = [testDict objectForKey:kSecTrustTestChainLength], testOut); + require_action_quiet(SecTrustGetCertificateCount(trust) == [chainLen longValue], testOut, + fail("%@: actual chain length %ld did not match expected chain length %ld", + test.fullTestName, SecTrustGetCertificateCount(trust), [chainLen longValue])); + +testOut: + // Unset preferences to prevent contamination + if (enableTestCertificates) { + CFPreferencesSetAppValue((__bridge CFStringRef)[testDict objectForKey:kSecTrustTestEnableTestCerts], + kCFBooleanFalse, CFSTR("com.apple.security")); + CFPreferencesSetAppValue((__bridge CFStringRef)[testDict objectForKey:kSecTrustTestEnableTestCerts], + kCFBooleanFalse, CFSTR("com.apple.Security")); + } + CFReleaseNull(trust); +}; + +static void tests(void) +{ + NSURL *testPlist = nil; + NSArray *testsArray = nil; + + testPlist = [[NSBundle mainBundle] URLForResource:@"debugging" withExtension:@"plist" + subdirectory:(NSString *)kSecTrustTestPinningPolicyResources ]; + if (!testPlist) { + testPlist = [[NSBundle mainBundle] URLForResource:nil withExtension:@"plist" + subdirectory:(NSString *)kSecTrustTestPinningPolicyResources ]; + } + require_action_quiet(testPlist, exit, + fail("Failed to get tests plist from %@", kSecTrustTestPinningPolicyResources)); + + testsArray = [NSArray arrayWithContentsOfURL: testPlist]; + require_action_quiet(testsArray, exit, + fail("Failed to create array from plist")); + + 
plan_tests((int)[testsArray count]);
+
+ [testsArray enumerateObjectsUsingBlock:runTestForObject];
+
+exit:
+ return;
+}
+
+int si_20_sectrust_policies(int argc, char *const *argv)
+{
+
+ @autoreleasepool {
+ tests();
+ }
+
+ return 0;
+}
diff --git a/OSX/shared_regressions/si-44-seckey-ec.m b/OSX/shared_regressions/si-44-seckey-ec.m
new file mode 100644
index 00000000..ef160784
--- /dev/null
+++ b/OSX/shared_regressions/si-44-seckey-ec.m
@@ -0,0 +1,81 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import <Foundation/Foundation.h> + +#include "shared_regressions.h" + +static void test_export_import_run(int size) { + NSError *error; + id privKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)@{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom, (id)kSecAttrKeySizeInBits: @(size)}, (void *)&error)); + ok(privKey, "generate private key (size %d, error %@)", size, error); + + NSData *message = [NSData dataWithBytes:"hello" length:5]; + error = nil; + NSData *signature = CFBridgingRelease(SecKeyCreateSignature((SecKeyRef)privKey, kSecKeyAlgorithmECDSASignatureMessageX962SHA1, (CFDataRef)message, (void *)&error)); + ok(signature, "create signature, %@", error); + + id pubKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privKey)); + error = nil; + NSData *pubKeyData = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)pubKey, (void *)&error)); + ok(pubKeyData, "export public key, %@", error); + size = (size + 7) / 8; + is(pubKeyData.length, 
(unsigned)size * 2 + 1, "pubkey data has expected length");
+
+ id importedPubKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)pubKeyData, (CFDictionaryRef)@{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom, (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPublic}, (void *)&error));
+ ok(importedPubKey, "import public key, %@", error);
+ ok(SecKeyVerifySignature((SecKeyRef)importedPubKey, kSecKeyAlgorithmECDSASignatureMessageX962SHA1, (CFDataRef)message, (CFDataRef)signature, (void *)&error), "verify signature, %@", error);
+
+ error = nil;
+ NSData *privKeyData = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)privKey, (void *)&error));
+ ok(privKeyData, "export privKey, %@", error);
+ is(privKeyData.length, (unsigned)size * 3 + 1, "privkey data has expected length");
+
+ error = nil;
+ id importedPrivKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)privKeyData, (CFDictionaryRef)@{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom, (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate}, (void *)&error));
+ ok(importedPrivKey, "import privKey, %@", error);
+
+ id importedPrivKeyPubKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)importedPrivKey));
+ error = nil;
+ ok(SecKeyVerifySignature((SecKeyRef)importedPrivKeyPubKey, kSecKeyAlgorithmECDSASignatureMessageX962SHA1, (CFDataRef)message, (CFDataRef)signature, (void *)&error), "verify signature, %@", error);
+}
+static const int TestExportImportRun = 10;
+
+static void test_export_import() {
+ test_export_import_run(192);
+ test_export_import_run(256);
+ test_export_import_run(521);
+}
+static const int TestExportImport = TestExportImportRun * 3;
+
+static const int TestCount = TestExportImport;
+int si_44_seckey_ec(int argc, char *const *argv) {
+ plan_tests(TestCount);
+
+ @autoreleasepool {
+ test_export_import();
+ }
+
+ return 0;
+}
diff --git a/OSX/shared_regressions/si-44-seckey-gen.m b/OSX/shared_regressions/si-44-seckey-gen.m
new file mode 100644
index 00000000..fa9f9664
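Review bot: Both `SecKeyVerifySignature` checks in `test_export_import_run` are positive-only, so a verifier that accepted any signature would still pass this test; a negative check after the first verify, e.g. `NSMutableData *badMessage = [message mutableCopy]; ((UInt8 *)badMessage.mutableBytes)[0] ^= 0xff;` followed by `ok(!SecKeyVerifySignature((SecKeyRef)importedPubKey, kSecKeyAlgorithmECDSASignatureMessageX962SHA1, (CFDataRef)badMessage, (CFDataRef)signature, (void *)&error), "tampered message rejected");` with `TestExportImportRun` bumped to 11, would pin that the round-tripped key actually rejects bad input. Separately, `error` is not reset to nil before the `importedPubKey` `SecKeyCreateWithData` call, unlike every other call in the function, so a stale error from the preceding export can be reported against the import. If `privKey` comes back nil the remaining calls pass a NULL `SecKeyRef` through rather than reporting the remaining checks as failures; returning after the first `ok` would keep the output readable in that case.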
--- /dev/null
+++ b/OSX/shared_regressions/si-44-seckey-gen.m
@@ -0,0 +1,94 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import <Foundation/Foundation.h> + +#include "shared_regressions.h" + +static void create_random_key_worker(id keyType, int keySize, bool permPub, bool permPriv) { + NSDictionary *params = nil; + NSError *error = nil; + + params = @{ + (id)kSecAttrKeyType: keyType, + (id)kSecAttrKeySizeInBits: @(keySize), + (id)kSecAttrLabel: @"si-44-seckey-gen:0", + (id)kSecPublicKeyAttrs: @{ + (id)kSecAttrIsPermanent: @(permPub), + }, + (id)kSecPrivateKeyAttrs: @{ + (id)kSecAttrIsPermanent: @(permPriv), + }, + }; + + id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error)); + ok(privateKey != nil, "successfully generated keys"); + + params = @{ + (id)kSecClass: (id)kSecClassKey, + (id)kSecAttrKeyType: keyType, + (id)kSecAttrKeySizeInBits: @(keySize), + (id)kSecAttrLabel: @"si-44-seckey-gen:0", + (id)kSecMatchLimit: (id)kSecMatchLimitAll, + (id)kSecReturnAttributes: @YES, + }; + NSArray *items = nil; + OSStatus expected = (permPub || permPriv) ? 
errSecSuccess : errSecItemNotFound;
+ is_status(SecItemCopyMatching((CFDictionaryRef)params, (void *)&items), expected, "keychain query for generated keys");
+ is((int)items.count, (permPub ? 1 : 0) + (permPriv ? 1 : 0), "found keys in the keychain");
+
+ if (items.count > 0) {
+ params = @{
+ (id)kSecClass: (id)kSecClassKey,
+ (id)kSecAttrKeyType: keyType,
+ (id)kSecAttrKeySizeInBits: @(keySize),
+ (id)kSecAttrLabel: @"si-44-seckey-gen:0",
+ };
+ ok_status(SecItemDelete((CFDictionaryRef)params), "clear generated pair from keychain");
+ }
+}
+
+static void test_create_random_key() {
+ create_random_key_worker((id)kSecAttrKeyTypeRSA, 1024, false, false);
+ create_random_key_worker((id)kSecAttrKeyTypeRSA, 1024, true, false);
+ create_random_key_worker((id)kSecAttrKeyTypeRSA, 1024, false, true);
+ create_random_key_worker((id)kSecAttrKeyTypeRSA, 1024, true, true);
+ create_random_key_worker((id)kSecAttrKeyTypeECSECPrimeRandom, 256, false, false);
+ create_random_key_worker((id)kSecAttrKeyTypeECSECPrimeRandom, 256, true, false);
+ create_random_key_worker((id)kSecAttrKeyTypeECSECPrimeRandom, 256, false, true);
+ create_random_key_worker((id)kSecAttrKeyTypeECSECPrimeRandom, 256, true, true);
+}
+static const int TestCountCreateRandomKey = (3 * 4 + 1 * 3) * 2;
+
+static const int TestCount = TestCountCreateRandomKey;
+
+int si_44_seckey_gen(int argc, char *const *argv) {
+ plan_tests(TestCount);
+
+ @autoreleasepool {
+ test_create_random_key();
+ }
+
+ return 0;
+}
diff --git a/OSX/shared_regressions/si-44-seckey-ies.m b/OSX/shared_regressions/si-44-seckey-ies.m
new file mode 100644
index 00000000..b76be120
--- /dev/null
+++ b/OSX/shared_regressions/si-44-seckey-ies.m
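Review bot: `create_random_key_worker` assumes the keychain holds no items labelled `si-44-seckey-gen:0` when it starts, so a permanent key left behind by an earlier aborted run makes the `errSecItemNotFound` expectation and the `items.count` check fail for every later worker call; issuing the same label-scoped `SecItemDelete` that the cleanup branch uses before `SecKeyCreateRandomKey` (ignoring `errSecItemNotFound`) would make the test hermetic. The cleanup is also skipped whenever `SecItemCopyMatching` fails, which leaves permanent keys behind for the next run. Passing `(void *)&items` to `SecItemCopyMatching` stores a +1 CF result into an ARC-managed `NSArray *` without `CFBridgingRelease`, which appears to leak the array on each call; `CFTypeRef result = NULL;` as the out-parameter followed by `items = CFBridgingRelease(result);` would match how the rest of the file handles Copy/Create results.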
@@ -0,0 +1,289 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import <Foundation/Foundation.h> +#import <Security/SecItemPriv.h> + +#import <corecrypto/ccrng_system.h> +#import <corecrypto/ccsha1.h> +#import <corecrypto/ccsha2.h> +#import <corecrypto/ccec.h> +#import <corecrypto/ccecies.h> + +#include "shared_regressions.h" + +static struct ccrng_system_state ccrng_system_state_seckey_ies_test; + +static void test_ies_run(CFStringRef keyType, id keySize, SecKeyAlgorithm algorithm) { + NSError *error = nil; + id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)@{(id)kSecAttrKeyType: (__bridge id)keyType, (id)kSecAttrKeySizeInBits: keySize}, (void *)&error)); + ok(privateKey, "key properly generated"); + id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey)); + ok(publicKey, "public key retrieved"); + + ok(SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeDecrypt, algorithm), + "%@ supported for decryption", algorithm); + ok(SecKeyIsAlgorithmSupported((SecKeyRef)publicKey, 
kSecKeyOperationTypeEncrypt, algorithm), + "%@ supported for encryption", algorithm); + ok(!SecKeyIsAlgorithmSupported((SecKeyRef)publicKey, kSecKeyOperationTypeDecrypt, algorithm), + "%@ not supported for decryption - pubkey", algorithm); + ok(!SecKeyIsAlgorithmSupported((SecKeyRef)privateKey, kSecKeyOperationTypeEncrypt, algorithm), + "%@ not supported for encryption - privKey", algorithm); + + NSData *message = [NSData dataWithBytes:"hello" length:5]; + error = nil; + NSData *encrypted = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)message, (void *)&error)); + ok(encrypted, "message encrypted"); + + error = nil; + NSData *decrypted = CFBridgingRelease(SecKeyCreateDecryptedData((SecKeyRef)privateKey, algorithm, (CFDataRef)encrypted, (void *)&error)); + ok(decrypted, "encrypted message decrypted"); + ok([decrypted isEqual:message], "decrypted message is equal as original one (original:%@ decrypted:%@)", message, decrypted); + + // Modify encrypted message and verify that it cannot be decrypted. 
+ NSMutableData *badEncrypted = [NSMutableData dataWithData:encrypted]; + UInt8 *badEncryptedBuffer = badEncrypted.mutableBytes; + badEncryptedBuffer[badEncrypted.length - 8] ^= 0xff; + + error = nil; + decrypted = CFBridgingRelease(SecKeyCreateDecryptedData((SecKeyRef)privateKey, algorithm, (CFDataRef)badEncrypted, (void *)&error)); + ok(decrypted == nil, "broken encrypted message failed to decrypt (tag breakage)"); + + badEncrypted = [NSMutableData dataWithData:encrypted]; + badEncryptedBuffer = badEncrypted.mutableBytes; + badEncryptedBuffer[badEncrypted.length - 20] ^= 0xff; + + error = nil; + decrypted = CFBridgingRelease(SecKeyCreateDecryptedData((SecKeyRef)privateKey, algorithm, (CFDataRef)badEncrypted, (void *)&error)); + ok(decrypted == nil, "broken encrypted message failed to decrypt (ciphertext breakage)"); + + badEncrypted = [NSMutableData dataWithData:encrypted]; + badEncryptedBuffer = badEncrypted.mutableBytes; + badEncryptedBuffer[0] ^= 0xff; + + error = nil; + decrypted = CFBridgingRelease(SecKeyCreateDecryptedData((SecKeyRef)privateKey, algorithm, (CFDataRef)badEncrypted, (void *)&error)); + ok(decrypted == nil, "broken encrypted message failed to decrypt (pubkey intro breakage)"); + + badEncrypted = [NSMutableData dataWithData:encrypted]; + badEncryptedBuffer = badEncrypted.mutableBytes; + badEncryptedBuffer[1] ^= 0xff; + + error = nil; + decrypted = CFBridgingRelease(SecKeyCreateDecryptedData((SecKeyRef)privateKey, algorithm, (CFDataRef)badEncrypted, (void *)&error)); + ok(decrypted == nil, "broken encrypted message failed to decrypt (pubkey data breakage)"); +} +static const int TestCountIESRun = 13; + +static void test_ecies() { + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(192), kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(192), kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(192), 
kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(192), kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(192), kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM); + + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM); + + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM); + test_ies_run(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM); +} +static const int TestCountECIES = TestCountIESRun * 5 * 3; + +static void test_rsawrap() { + test_ies_run(kSecAttrKeyTypeRSA, @(1024), kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM); + test_ies_run(kSecAttrKeyTypeRSA, @(1024), kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM); + test_ies_run(kSecAttrKeyTypeRSA, @(1024), kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM); + test_ies_run(kSecAttrKeyTypeRSA, @(1024), kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM); + test_ies_run(kSecAttrKeyTypeRSA, @(4096), kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM); +} +static const int 
TestCountRSAWRAP = TestCountIESRun * 5; + +static void test_ies_against_corecrypto(id keySize, ccec_const_cp_t cp, const struct ccdigest_info *di, uint32_t ccKeySize, SecKeyAlgorithm algorithm) { + // Generate SecKey and import it as corecrypto fullkey. + NSError *error = nil; + NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom, (id)kSecAttrKeySizeInBits: keySize, + (id)kSecAttrNoLegacy: @YES}; + id privKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error)); + ok(privKey != nil, "create key (error %@)", error); + error = nil; + NSData *privKeyData = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)privKey, (void *)&error)); + ok(privKey != nil, "export key (error %@)", error); + ccec_full_ctx_decl_cp(cp, fullkey); + ok(ccec_x963_import_priv(cp, privKeyData.length, privKeyData.bytes, fullkey) == 0, "error importing cc ec key"); + + // SecKey encrypt -> cc decrypt. + static const UInt8 knownPlaintext[] = "KNOWN PLAINTEXT"; + NSData *plaintext = [NSData dataWithBytes:knownPlaintext length:sizeof(knownPlaintext)]; + error = nil; + id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privKey)); + NSData *ciphertext = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)plaintext, (void *)&error)); + ok(ciphertext != nil, "encrypt data with SecKey (error %@)", error); + struct ccecies_gcm ecies_dec; + ccecies_decrypt_gcm_setup(&ecies_dec, di, ccaes_gcm_decrypt_mode(), ccKeySize, 16, ECIES_EPH_PUBKEY_IN_SHAREDINFO1 | ECIES_EXPORT_PUB_STANDARD); + size_t decryptedLength = plaintext.length; + NSMutableData *decrypted = [NSMutableData dataWithLength:decryptedLength]; + if (ciphertext != nil) { + ok(ccecies_decrypt_gcm(fullkey, &ecies_dec, ciphertext.length, ciphertext.bytes, 0, NULL, 0, NULL, + &decryptedLength, decrypted.mutableBytes) == 0, "decrypt data with cc failed"); + } + ok(decryptedLength = plaintext.length); + ok([plaintext 
isEqualToData:decrypted], "cc decrypted data are the same"); + + // cc encrypt -> SecKey decrypt + struct ccecies_gcm ecies_enc; + ccecies_encrypt_gcm_setup(&ecies_enc, di, (struct ccrng_state *)&ccrng_system_state_seckey_ies_test, + ccaes_gcm_encrypt_mode(), ccKeySize, 16, ECIES_EPH_PUBKEY_IN_SHAREDINFO1 | ECIES_EXPORT_PUB_STANDARD); + size_t encryptedLength = ccecies_encrypt_gcm_ciphertext_size(fullkey, &ecies_enc, sizeof(knownPlaintext)); + NSMutableData *encrypted = [NSMutableData dataWithLength:encryptedLength]; + ok(ccecies_encrypt_gcm(fullkey, &ecies_enc, sizeof(knownPlaintext), knownPlaintext, 0, NULL, 0, NULL, &encryptedLength, encrypted.mutableBytes) == 0, "encrypt data with cc failed"); + error = nil; + NSData *decryptedPlaintext = CFBridgingRelease(SecKeyCreateDecryptedData((SecKeyRef)privKey, algorithm, (CFDataRef)encrypted, (void *)&error)); + ok(decryptedPlaintext != nil, "decrypt data with SecKey (error %@)", error); + ok([plaintext isEqualToData:decryptedPlaintext], "SecKey decrypted data are the same"); +} +static const int TestCountIESAgainstCoreCryptoRun = 10; + +static void test_against_corecrypto() { + + // Tests ifdefed-out by this define fail because of + // <rdar://problem/26855537> ccecies is broken when AES keysize > KDF hash output size +#define CC_HAS_BUG_26855537 1 + + test_ies_against_corecrypto(@(192), ccec_cp_192(), ccsha1_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM); + test_ies_against_corecrypto(@(192), ccec_cp_192(), ccsha224_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM); + test_ies_against_corecrypto(@(192), ccec_cp_192(), ccsha256_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM); + test_ies_against_corecrypto(@(192), ccec_cp_192(), ccsha384_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM); + test_ies_against_corecrypto(@(192), ccec_cp_192(), ccsha512_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM); + 
test_ies_against_corecrypto(@(256), ccec_cp_256(), ccsha1_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM); + test_ies_against_corecrypto(@(256), ccec_cp_256(), ccsha224_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM); + test_ies_against_corecrypto(@(256), ccec_cp_256(), ccsha256_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM); + test_ies_against_corecrypto(@(256), ccec_cp_256(), ccsha384_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM); + test_ies_against_corecrypto(@(256), ccec_cp_256(), ccsha512_di(), 16, kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM); +#if !CC_HAS_BUG_26855537 + test_ies_against_corecrypto(@(384), ccec_cp_384(), ccsha1_di(), 32, kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM); + test_ies_against_corecrypto(@(384), ccec_cp_384(), ccsha224_di(), 32, kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM); +#endif + test_ies_against_corecrypto(@(384), ccec_cp_384(), ccsha256_di(), 32, kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM); + test_ies_against_corecrypto(@(384), ccec_cp_384(), ccsha384_di(), 32, kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM); + test_ies_against_corecrypto(@(384), ccec_cp_384(), ccsha512_di(), 32, kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM); +#if !CC_HAS_BUG_26855537 + test_ies_against_corecrypto(@(521), ccec_cp_521(), ccsha1_di(), 32, kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM); + test_ies_against_corecrypto(@(521), ccec_cp_521(), ccsha224_di(), 32, kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM); +#endif + test_ies_against_corecrypto(@(521), ccec_cp_521(), ccsha256_di(), 32, kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM); + test_ies_against_corecrypto(@(521), ccec_cp_521(), ccsha384_di(), 32, kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM); + test_ies_against_corecrypto(@(521), ccec_cp_521(), ccsha512_di(), 32, 
kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM); +} +#if !CC_HAS_BUG_26855537 +static const int TestCountAgainstCoreCrypto = TestCountIESAgainstCoreCryptoRun * 20; +#else +static const int TestCountAgainstCoreCrypto = TestCountIESAgainstCoreCryptoRun * 16; +#endif + +static void test_ies_known_ciphertext(CFStringRef keyType, id keySize, SecKeyAlgorithm algorithm, NSString *privKeyData, NSString *ciphertext) { +#define GENERATE_VECTORS 0 + + NSError *error = nil; +#if GENERATE_VECTORS + NSDictionary *params = @{(id)kSecAttrKeyType: (__bridge id)keyType, (id)kSecAttrKeySizeInBits: keySize, (id)kSecAttrNoLegacy: @YES}; + id privKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error)); + ok(privKey != nil, "generate key (error %@)", error); +#else + NSDictionary *params = @{(id)kSecAttrKeyType: (__bridge id)keyType, (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate}; + id privKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)[[NSData alloc] initWithBase64EncodedString:privKeyData options:0], (CFDictionaryRef)params, (void *)&error)); + ok(privKey != nil, "import key (error %@)", error); +#endif + + static const UInt8 knownPlaintext[] = "KNOWN PLAINTEXT"; + NSData *plaintext = [NSData dataWithBytes:knownPlaintext length:sizeof(knownPlaintext)]; + error = nil; +#if GENERATE_VECTORS + id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privKey)); + NSData *ciphertextData = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, algorithm, (CFDataRef)plaintext, (void *)&error)); + error = nil; + NSData *keyData = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)privKey, (void *)&error)); + printf("\n@\"%s\", @\"%s\");\n", + [keyData base64EncodedStringWithOptions:0].UTF8String, + [ciphertextData base64EncodedStringWithOptions:0].UTF8String); +#else + NSData *ciphertextData = [[NSData alloc] initWithBase64EncodedString:ciphertext options:0]; + NSData *decrypted = 
CFBridgingRelease(SecKeyCreateDecryptedData((SecKeyRef)privKey, algorithm, (CFDataRef)ciphertextData, (void *)&error)); + ok(decrypted != nil, "decrypt known ciphertext (error %@)", error); + ok([decrypted isEqual:plaintext], "known ciphertext decrypts to known plaintext (%@: %@)", plaintext, decrypted); +#endif +} +static const int TestCountTestIESKnownCipherText = 3; + +static void test_known_ciphertext() { + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(192), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM, @"BJID1fgBoH7L1eHwBcJmZcP4oeuV0xDkeEEO3RdodExpqy5UQWf64FIfRRRbZKSA9cATBLVT0HIl2HXcDMYoX0kE9l8fA/G18w==", @"BMUM+ykbSAfK3zVjoqMpruH00UJWvtC05GITlPuqByGu7loVSl3LdOw8bmkHQB+yx6CdBuq2LGao1BqGP7rNYQRiVDrdA/klICsCm/HADu6a"); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(192), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM, @"BGvXnhpVlguy834KfbQUn/HHJVz1mE2q1TOI/c5VdryxFdTSIHzO1OntV7rHVqoKhMXvgmtE88aKr0E6dDESlTmGUXlXvD7AoQ==", @"BL8xaAaQBe3+4GR8e6BO+wupb4dNAr6NgjdqH7C1p55LKhJyEP2QQJo1YHXadXpqdSvh9wWBWiz4NDgMeQx8F5Vst6FWKDuzgQKY1QS8Zp0z"); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(192), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM, @"BPyRwvWxZr+tJsxRigfSQflyr1sq+CqUsh68E2JqNK33ud5J34OdI0dGSWe7/i4JF7l0a8piYVr4pkH2pTIPtYmwFAOGGtrzyA==", @"BAPIogml3kN6qJ7Lqdmah+C9LtxnGQ+npz1dj1wqf8UmCRScyjvB3Ir87vGLpOJTWNb7fWth+9FieyAyn9AtK9uRE+JH9x2mu2dmfVq+q48z"); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(192), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM, @"BBXZUianpQozaYCBT4DzWfhg/+UqvW1BS4i17RIVvXZuYhXhfuYpCdgwfVc7NqJretuT/Bti6noQ6g1P+yj7BJF+i9pPwSnj5Q==", @"BEPRcNwrzSQ8fGzdQlhKaLmfUcuosUkZGfdta/cwTOpoREIrn/ax4BoNpNibuGVhgUMdWNMIg9Z519o0v/VZFKtRk++9cFQSDjE1SIw3NyOy"); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(192), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM, 
@"BETnUivZ4Qg+x7F8mQZaAyh7rmb15O49EKwBIxodfx1BykjVXWBqC64odYkWcOUc3w2LZ/9/klr0VGvF9UC+5w9fKufyMVQdvg==", @"BEj8oriYbbcfX+y/RW+aHp47LMSChJy3TY5GU2Ld4vMP6M8y4AyB7mIZTLJLYQPOoMam/CGqpEAUhtJlhYxugQMzqJHr9ySEsgp89vsgM/X+"); + + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM, @"BOAqiwAFzjxO7xaYE/6+ywCRap/xxiBCxuUj4A0kzSQtu+0BJ0R71djlM+wtYPwff3+g7e52a8cQSioBciTrMjWCTZuTbhHqsMOdqsmKN/pLEwK9uI3FA6grFbSODA1u0g==", @"BIqvCZdbwbSmS4+hB8vbDdIDJxaUGBmcaOPoRpaTY8MWofTlcqc/OGB0AjbuzpJ7cqODphJ+B6LlsrK0SPogUyj7zT01PA9gwWau/BXb8/1JQa7zTeIJ1vsF7gSrTcMWxA=="); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM, @"BPYROmZkeW3Zc9Qc8TzTZ27YO9+IGHjj78DNmZ3gwNjZtEW+knhI3Z3G/UNwaI3jCgezA3ZyPgIfizUTOqe4fYRIwy867Zn8BHpSxjzEG7Sk3zu/CgA7ObNVJQ6dJWu4PQ==", @"BCiu9fyMXqWXojfd0XWynB9CQwUSNedfdn1AC7OlrZaqH9IyUrgcyajdFaRCksBWt6lmUQx4Ypv48mOqvBcPXpX1TAr4NHkHK4cWXbBzaxesrYn3zOlUhZYvzB5WnWTorg=="); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM, @"BINzTFiGIp6G4fpmFCP/KHot+ek+PUYvYp69iT8lHdJNwRbJir1Zr4i73A0vdKoKMn3jdp/8oQ5WnSE+PsFruYahsHI2tFyhPjGYEhUmFrwaA/2WQynh77dAqSiKhg0l3w==", @"BE7IWFWccaIl7n7Kffg5Q+vkJMJFVsHP8C5C/APzW6gjUQynJGRoG4Vw4UEsFTi/yfUQYTSV7Vv18CXE/3IecGAILuLpcDaSxSwzFqrwmqCcSqSRbYSat+8HuaKq19Cq4A=="); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM, @"BE73i2R6RS7M83M2JGD+JKCR1Z8AST87PFRNLLIfIXoKhH6BFsVgUmuOhz+o450teB4rig57yn9nzDkBRTTn+QAp3g6zGzIE1CBuxSSWVcJNiUD8APCb6kJj7Y/95ekTHg==", @"BKl/2vl0v3BqnLYTMvjszf2hB48GwIrSqqBQU01p/RsAPk3zPb1QG1nq0/bL5mFyIbsQUq8jhAvx8YbXDG47e6qv44Q2nalZqvry55daTUyVvrHvZ+xM6qceFzLFUHYGLw=="); + + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(256), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM, 
@"BMnc5IlDIZJKns6G8ALvQqnaprPuhMkNy04G7rZmOD5w7O2OlViw+aDZr667+xIoQ/zqpMBLIA8ujun6mMQdgx2Wvtj3LPhvfbnHQnuTM60RDfA2BQ+Xj4WCQ4KzcaUElw==", @"BP997mVpTGiPFJp+2CKm2cWgAg/bUToX9UcJlGuasGxFdDqb6a3WZ0HYyujiwxihdSUOEcAdExU3RJdWTfFHDeXDAB7Qdf4WdjiWfyPO29kSWAWbJnHaC9JKC4UdTjTPBA=="); + + + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA1AESGCM, @"BAD3+GLa92qTtnxZjAYCnkX+LqlwrDKD+jMvq8JYYNFk3rYBT7QKs8ddleTb1ScK732C/NtNTS6yBuqh1/GLLIH0+QCE4D+B3tk+gpgx7yc0Yy+RMTxPpdfX8h4holqwo81TlvLaYpriEmD+8fSFNJuOzc30COFJhpEa70aRkBOtXJbd0AFbq3fvwbC1epWVeTq5d73ZEuiFv5CJ6NIxBsdBFy0RvFm0I+hgqUXyk4gILgsNP6WdWQc1SFqHh6PvbmXO5f6Jzw==", @"BABKMqx3GstC3HtOo2FyOJ1TP0/v+CxRcKawwESkC2SQ7bvhkJGClfPpO57ZIUBULNzY04d+ZmrZ6JX9mp/qB2DtSAA9WGEm/dAawdzOrwwPbD55fi/BaUhP7HF/2x/5ST4WyU5oFTGc3c2vvTnHLLEKKUk13d9ybl8inWPWlNZolb5NNna7MrzX45H8IcRljg6xWntSVqzeglzB4BkRrmjqVbeJ"); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA224AESGCM, @"BAAKStHnPj7CcT+M0wIAsCR89AzaD5h5Mvn8fMPgdqyWZjPuHOL1QaInfSytINx/w88AXLmdEVZucY/R1QB8Gj+5KQFvVYcxFH6rfyHiel00khFdiV0hiNKDQIgGOj3EtkMW2SBnawj2E9ku3m6AhR6p9XcnrwiORhqujH5VQsohJkWMCABNScNDTe19wGskuup11oTKnDNIucSrpggRJsldGymnyV4O74vFsl+8Kq3kfxpVKClU39tqAtC9hxduBRolHwfscg==", @"BAEPiWaky7NoDWFoNRot4xVsxxWP64hbwLM9xyIvYDWyQjXRXHaP4weUYV0n8Cw5aUzvDyON4ik9ouRlLId0SX8SYQCGvopjiBWyA9ieu0LKLxYvMYJCrZUshXmmpHdB25gVZ8vv9sZyE5ggA0IXVl7IxMJTLirbIcfO8EvMPAao/3z0rAx09Yht2iITOoNupE/gSbg/UY3ijuhccFd0bBaLlj9u"); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA256AESGCM, @"BAHaS9E1bgFRlYB555Or19pwj9wOdMP1ETONjgS8MQ4NiOmkOaus4HMcqpiTfCruIAIjBJ0jfuM8j2TdTR8GdPEg3QHHXOav+tPlhfj8y+E/6dNAz0jLHO16wjcGjpq0MJcDMlHS7SKPh8j/GD2KwNya9LefD+VAM62yqRuaFFJihpBV5QHbLDN1AIjqhQO0nm2fRgW0Hff7EcFJXNHkl7ULby2sViPZx1+qN+LcAt4BoZVayiQVxIWX+p2l6nesBcChF+2Fvw==", 
@"BAFJqyEg7XOScWdtbgVTvmzsYbunFKhiDMJINwPp5tq0QSOiSkh7Cz91+SkUrlCN7Um6bPJmpRjksd9ThR2GlWiiPACFnhhcLmSlLkS1vG3H6kutOJLISBvru05qzXqhDAoda4lDh6jrqppAGUkOgk6lwSJq9w023fmxCxpPtth41Vfq7U2hxik8N81ZdeqiYALerJdXhGVmv8YVaZis2hdzGHLc"); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA384AESGCM, @"BAHR8zVCUzKJi3yc7QJCpxIdsVUJ+N2tB9P0CnMWZ9gVt6bO+UCrGsS6pon0f+nERY+RlPfTyTlrBBGp24a2wWhs2wFaZf2Ng1eKcRFaXPgJozAdz+vOGy1UVK3PxhDkhusdDGyDu6d72UNAicyESa6OCl+f9uicZA5ANaDb0djGr2o67AHQNb41IMcZ+CQKW7XdoMBHT+tLCSZCw+7ZQ1mnHD9NaJbnaxI0qgI03RxXKFj4mqNKjxxzugl9rUfFF0HYJ1KANA==", @"BAFQj+wieG249oNkP5kzC0xTdgtQkd0tTwNmVxYarD05WIjWeaE9VgyfqPVHNyntNA7fEfpLjWy6d5WQGBdFwXxxiAHAqDXeNyNLL0MSzKPmyQNy4TAGjUmGXt/Nq2LafQgKSiWLagSvyaICgk7BBa2z9NvVr4ZcvpreUDzLTrl/+J1WRfR9/78vM3uLfFyTEJwKg6MH3fQRr8RWxcza9AQXspbD"); + test_ies_known_ciphertext(kSecAttrKeyTypeECSECPrimeRandom, @(521), kSecKeyAlgorithmECIESEncryptionCofactorX963SHA512AESGCM, @"BAD56NOl02CAXGSBYKT9JMmMQNtYkaRjw/DP29GWe8X70zTNzTBRgQQzqtCmT2c10VRNxzR5bCAM47fR8HyK4OsV4wEes8IDR68JQC7+epF7cdx+m+EGhaHlB2N99MCEZx9NQni6/5LBMItVY7LSQUskKjqslG90vlIZZxn87EzbJ9MvHgFFgeZeUj9SXcbCu6/+ysgXAtldaGyFwXwzI6CrN84Pd72TR/6me1GZjm8pamJ0p507ntdISB5SBFcAQpNieDYxbg==", @"BAABJeJ2D+Yy0aA1/FKoUF4eBR5kr3JnM8iXDEjIZ47EWixF1nde4ehg7iZpbihxv/rDl7jdJYOW9LqXdqoF/2JO7gCrNSbqSkveG6UdsgfalnAd/tAYvz26Ct6vQiGSJJLvHcnss8thgQrOVQaf/NAoxgxIM0dxUmJE3B2EJxb5sKedzCje0XttQQWvEW1t3Ni606AVAhZ3Psiud23qf/qgtJxK"); + + test_ies_known_ciphertext(kSecAttrKeyTypeRSA, @(1024), kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM, @"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", @"ItQD/o7D7hFGQaw6ODUWmjH/IhkldnH7/22cIf3vML3iR1T/gDq318oauBKqRUwF0WiVNr/OODlLV+OMiAVFV8oaao9p7ympLFTUv797N84FkftYDckU4qUItyGIqf3YJbe56G9s8Tc+/ztFDguS9B+coGh1jr7lba+XMtkmBJu0GLUxlPxaAEtEclSmTv1mGXn1CEieGTtQyo5ByzI5dA=="); + test_ies_known_ciphertext(kSecAttrKeyTypeRSA, @(1024), kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM, 
@"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", @"QsbG+lUASE1YjhFWgHhx9HkNlnJ9LbWV1fRZBHrxb6nNoJUiAoT4MYjVKrcDdBwmPl2Mg4xyKRePY3pJzc86G1obv76LOpRoaaQkg+hm0e/klGF/qJPBWCqpf3PndfUEHsakGxMQ2bJFL3u9wSQTWFiR1lbdeWADClK4oA5zNZBj1K9Tn1sXhXB/uRvfR3O7n4/1seLbhmyv9nMPIMZ8sQ=="); + test_ies_known_ciphertext(kSecAttrKeyTypeRSA, @(1024), kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM, @"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", @"f6HqrDnncmx5z394bT+HHP4TiTh5249+SkDJYzRD9CrMDfPJuM3i8QmH9kGXFHnGZ2Y5dngEzOrlqqLQyVxTgnYUrHDrkNVz3mckzqlnDh2TifAC/laxGs3h9fQJT1oXmhIfGQqh94PFnFQiQVPVLKU1K9bSvdU6gVwmhkoakWGMHuC5aA1MX/trvUVfP2qE2ffvscPJP5pQdpXl5jLtHw=="); + test_ies_known_ciphertext(kSecAttrKeyTypeRSA, @(1024), kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM, @"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", @"c7YwdZPmJu7zdciEupcViD60m9/zJdadmRcucAMksqXyKJBFUyTht0tDktz8NQe6NBoPRzBNloKRnaVI2yu8Sgq+m83oNrpzWkXb1CV82NnA4A4K/+MUL/+guG8/7lfNv+2YLO9Bs+FjfHCwRK+9lDZBRdzQkH2y3QHb0RCMzZ1UgbXrGkVQ2OxPb6zMn+19L23LYy5434JM7vFJ5AVv1g=="); + test_ies_known_ciphertext(kSecAttrKeyTypeRSA, @(4096), kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM, @"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", @"Kl3UWEzylpSG0R5m4hY/1S/ZlOdgKhQkG/d0O+WfpVcEmhF8LtjqS8VX5BfhK2u2H07qPxy6HB5XoP488JHzvmoimTFMkghhPY9dzAkuUNvCdSOcSMMeh+1KDIJHxV13YkmTzlf3dUsytwDfSZeRbZ/TLIoav9LbROKhNP4POL4jkKoSFoq0wBXoM6RebDZ+RI69igshJ2WJCAF52hvIiBl56e/6HHFRuuD+WyOJh82p/yCSWN5s4nCdS4urOPxYVQNpBRc9qSJsDiLf9nUBXccoaL7sHjZTPO/tCv13SZWYt1S+DaEl4GqdJ3OPRmYh2YPTObmIJ6vhZ2TgOwWxNjx9DBmh4Xxnf6EcuDvDpHlY0gQYWL9uKGNVCBwMi6jQv5BRsMeiUf6WwZCud7M6EsuaqVaj9JOQQgUScXIPx/b2OzmIRjJpGIMDghN7lnlHuIKz9ED5WoK5Gn9Ypp48PfnBgL6y538pn919VPfTCQ0afGEWsSoFfwl8PcMUkBGhNRRA8SY0LnJuF7raC3eOyQHld+C5Yvg/WW+cePKJjeDWot28ltBRobtQ5EgXOUatjjNMj+1lLZoFNm8eKdE1NKoA0nXCghX5g5Pt/J4mGNEp25T8TCM0Aoqou30sMN/a2NQHFCOvIBJeLP/0hD31Zig6FZZyiFQ3BAURlsqgbGP4O6y6Z98dFsf7eqXAOxSACj/GWad8pfQ3p9tPjADU8Q=="); +} +static const int TestCountKnownCipherText = 
TestCountTestIESKnownCipherText * 5 * 4; + +static const int TestCount = TestCountECIES + TestCountRSAWRAP + TestCountAgainstCoreCrypto + TestCountKnownCipherText; + +int si_44_seckey_ies(int argc, char *const *argv) { + plan_tests(TestCount); + + @autoreleasepool { + ccrng_system_init(&ccrng_system_state_seckey_ies_test); + + test_ecies(); + test_rsawrap(); + test_against_corecrypto(); + test_known_ciphertext(); + } + + return 0; +} diff --git a/OSX/shared_regressions/si-44-seckey-rsa.m b/OSX/shared_regressions/si-44-seckey-rsa.m new file mode 100644 index 00000000..06ddc100 --- /dev/null +++ b/OSX/shared_regressions/si-44-seckey-rsa.m 
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+#import <Foundation/Foundation.h>
+
+#include "shared_regressions.h"
+
+static NSData *decryptAndUnpad(SecKeyRef privateKey, SecKeyAlgorithm algorithm, NSData *ciphertext, NSError **error) {
+ NSData *plaintext = CFBridgingRelease(SecKeyCreateDecryptedData(privateKey, algorithm, (CFDataRef)ciphertext, (void *)error));
+ if (plaintext != nil && [(__bridge id)algorithm isEqual:(id)kSecKeyAlgorithmRSAEncryptionRaw]) {
+ NSRange range = NSMakeRange(0, plaintext.length);
+ while (((const UInt8 *)plaintext.bytes)[range.location] == 0x00 && range.location < plaintext.length) {
+ range.length--;
+ range.location++;
+ }
+ plaintext = [plaintext subdataWithRange:range];
+ }
+ return plaintext;
+}
+
+static void test_encrypt_run(SecKeyRef privateKey, SecKeyRef publicKey, SecKeyRef iosPrivateKey, SecKeyRef iosPublicKey, SecKeyAlgorithm algorithm) {
+ NSData *original = [NSData dataWithBytes:"encrypt" length:7], *plaintext;
+ NSError *error;
+
+ error = nil;
+ NSData *ciphertext = CFBridgingRelease(SecKeyCreateEncryptedData(publicKey, algorithm, (CFDataRef)original, (void *)&error));
+ ok(ciphertext != nil, "RSA encrypt (native) succeeded (error: %@, key %@)", error, publicKey);
+
+ error = nil;
+ NSData *iosCiphertext = CFBridgingRelease(SecKeyCreateEncryptedData(iosPublicKey, algorithm, (CFDataRef)original, (void *)&error));
+ ok(iosCiphertext != nil, "RSA encrypt (native) succeeded (error: %@, key %@)", error, iosPublicKey);
+
+ error = nil;
+ plaintext = decryptAndUnpad(privateKey, algorithm, ciphertext, &error);
+ ok(plaintext != nil, "RSA decrypt (native) succeeded (error: %@, key %@)", error, privateKey);
+ ok([plaintext isEqual:original], "(native -> native) plaintext equals original (%@ : %@)", original, plaintext);
+
+ error = nil;
+ plaintext = decryptAndUnpad(privateKey, algorithm, iosCiphertext, &error);
+ ok(plaintext != nil, "RSA decrypt (native) succeeded (error: %@, key %@)", error, privateKey);
+ ok([plaintext isEqual:original], "(ios -> native) plaintext equals original (%@ : %@)", original, plaintext);
+
+ error = nil;
+ plaintext = decryptAndUnpad(iosPrivateKey, algorithm, ciphertext, &error);
+ ok(plaintext != nil, "RSA decrypt (ios) succeeded (error: %@, key %@)", error, privateKey);
+ ok([plaintext isEqual:original], "(native -> ios) plaintext equals original (%@ : %@)", original, plaintext);
+
+ error = nil;
+ plaintext = decryptAndUnpad(iosPrivateKey, algorithm, iosCiphertext, &error);
+ ok(plaintext != nil, "RSA decrypt (ios) succeeded (error: %@, key %@)", error, privateKey);
+ ok([plaintext isEqual:original], "(ios -> ios) plaintext equals original (%@ : %@)", original, plaintext);
+}
+static const int TestCountEncryptRun = 10;
+
+static void test_encrypt_keypair_run(int keySizeInBits, NSArray *algorithms, NSArray *failAlgorithms) {
+ NSError *error;
+ NSDictionary *params = @{(id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits: @(keySizeInBits)};
+
+ error = nil;
+ id privateKey = CFBridgingRelease(SecKeyCreateRandomKey((CFDictionaryRef)params, (void *)&error));
+ ok(privateKey != nil, "generate private key (error %@)", error);
+
+ id publicKey = CFBridgingRelease(SecKeyCopyPublicKey((SecKeyRef)privateKey));
+ ok(publicKey != nil, "get public key");
+
+ NSData *data = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)privateKey, NULL));
+ NSDictionary *attrs = CFBridgingRelease(SecKeyCopyAttributes((SecKeyRef)privateKey));
+ error = nil;
+ id iosPrivateKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)data, (CFDictionaryRef)attrs, (void *)&error));
+ ok(iosPrivateKey != nil, "get private key created from data");
+
+ data = CFBridgingRelease(SecKeyCopyExternalRepresentation((SecKeyRef)publicKey, NULL));
+ attrs = CFBridgingRelease(SecKeyCopyAttributes((SecKeyRef)publicKey));
+ error = nil;
+ id iosPublicKey = CFBridgingRelease(SecKeyCreateWithData((CFDataRef)data, (CFDictionaryRef)attrs, (void *)&error));
+ ok(iosPublicKey != nil, "get public key created from data");
+
+ for (id algorithm in algorithms) {
+ test_encrypt_run((__bridge SecKeyRef)privateKey, (__bridge SecKeyRef)publicKey,
+ (__bridge SecKeyRef)iosPrivateKey, (__bridge SecKeyRef)iosPublicKey,
+ (__bridge SecKeyAlgorithm)algorithm);
+ }
+
+ for (id algorithm in failAlgorithms) {
+ error = nil;
+ NSData *data = CFBridgingRelease(SecKeyCreateEncryptedData((SecKeyRef)publicKey, (SecKeyAlgorithm)algorithm, (CFDataRef)[NSData data], (void *)&error));
+ ok(data == nil && error.code == errSecParam, "incorrect algorithm refused");
+ }
+}
+static const int TestCountEncryptKeypairRun = 4;
+
+static void test_encryption() {
+ test_encrypt_keypair_run(1024,
+ @[
+ (id)kSecKeyAlgorithmRSAEncryptionRaw,
+ (id)kSecKeyAlgorithmRSAEncryptionPKCS1,
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
+ ],
+ @[
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
+ ]);
+
+ test_encrypt_keypair_run(2048,
+ @[
+ (id)kSecKeyAlgorithmRSAEncryptionRaw,
+ (id)kSecKeyAlgorithmRSAEncryptionPKCS1,
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
+ (id)kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
+ ],
+ @[
+ ]);
+}
+static const int TestCountEncryption =
+TestCountEncryptKeypairRun + (TestCountEncryptRun * 6) + (1 * 1) +
+TestCountEncryptKeypairRun + (TestCountEncryptRun * 7) + (1 * 0);
+
+static const int TestCount = TestCountEncryption;
+int si_44_seckey_rsa(int argc, char *const *argv) {
+ plan_tests(TestCount);
+
+ @autoreleasepool {
+ test_encryption();
+ }
+
+ return 0;
+}
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-certs.h b/OSX/shared_regressions/si-82-sectrust-ct-certs.h
deleted file mode 100644
index 0924ee2e..00000000
--- a/OSX/shared_regressions/si-82-sectrust-ct-certs.h
+++ /dev/null
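Review bot: The unpad loop in decryptAndUnpad dereferences `((const UInt8 *)plaintext.bytes)[range.location]` before it compares `range.location < plaintext.length`, so an empty or all-zero decrypted buffer reads one byte past the end before the loop terminates; the operands should be swapped so the bound is checked first: `while (range.location < plaintext.length && ((const UInt8 *)plaintext.bytes)[range.location] == 0x00) {`. The fixed 7-byte "encrypt" input starts with a non-zero byte and never reaches that state, but raw RSA decryption of other ciphertexts can legitimately produce leading zero bytes up to the whole block, and the helper has no comment saying it strips only the leading zeros of a raw-RSA result, on which the later `isEqual:original` comparison silently depends. Separately, the two "RSA decrypt (ios) succeeded" ok() messages in test_encrypt_run print `privateKey` although `iosPrivateKey` was the key passed to decryptAndUnpad, and the second encrypt message reports "(native)" for iosPublicKey, so the diagnostics name the wrong key when a case fails.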
@@ -1,1029 +0,0 @@ -static uint8_t server_1601_cert_der[] = { - 0x30, 0x82, 0x03, 0xec, 0x30, 0x82, 0x03, 0x55, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x3e, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0x9c, 0x02, 0x98, 0x19, 0xf0, 0x35, 0x78, 0x0e, - 0x59, 0xeb, 0x92, 0x15, 0x9b, 0xe7, 0x68, 0xa6, 0xc2, 0x8e, 0x98, 0x62, - 0x87, 0xbd, 
0x53, 0x23, 0xdb, 0x9b, 0xe5, 0x5f, 0x9d, 0x04, 0x04, 0x30, - 0x38, 0x31, 0x76, 0x48, 0x69, 0x91, 0x3a, 0x85, 0x8c, 0x61, 0x6e, 0x1e, - 0xff, 0xd9, 0x40, 0x08, 0xfd, 0x89, 0x17, 0xe9, 0x74, 0x98, 0x86, 0x08, - 0x7a, 0x53, 0x37, 0x1e, 0x84, 0xec, 0x80, 0xaa, 0xdc, 0xa1, 0xc9, 0xba, - 0x1c, 0xf3, 0x42, 0x3d, 0x83, 0x23, 0x02, 0x7b, 0xce, 0xb6, 0x35, 0xc5, - 0xef, 0x0f, 0xf9, 0x41, 0x66, 0x6f, 0x0e, 0xd8, 0xa7, 0x60, 0x54, 0x6c, - 0x04, 0xf7, 0x8b, 0x1e, 0xcb, 0x99, 0x21, 0x8b, 0x97, 0xd0, 0x30, 0x48, - 0x45, 0x7d, 0x83, 0x10, 0xc5, 0x59, 0x48, 0xd6, 0x80, 0x1e, 0x89, 0xb1, - 0xe0, 0x1b, 0x7a, 0x24, 0x00, 0x13, 0xf8, 0xab, 0xf3, 0x68, 0x0c, 0x5b, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xb0, 0x30, 0x82, 0x01, - 0xac, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0xa5, 0x46, 0x69, 0x26, 0x34, 0x3c, 0x9b, 0xdd, 0x4d, 0xad, 0xaf, 0xbb, - 0x39, 0x9c, 0x7a, 0x34, 0xf5, 0x89, 0x19, 0x50, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x01, 0x02, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x81, 0xf3, 0x04, 0x81, 0xf0, 0x00, 0xee, 0x00, - 0x75, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, 0x79, 0x21, - 0xb0, 0x29, 
0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, 0x4e, 0x04, - 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, 0x00, 0x00, - 0x01, 0x4b, 0xf0, 0xe6, 0x11, 0x82, 0x00, 0x00, 0x04, 0x03, 0x00, 0x46, - 0x30, 0x44, 0x02, 0x20, 0x4f, 0xfc, 0x27, 0x2d, 0x18, 0x7f, 0xef, 0x0c, - 0x53, 0x9d, 0x6f, 0x85, 0x8a, 0xdb, 0x51, 0xdc, 0x7a, 0xc4, 0xe4, 0x0a, - 0x46, 0x4b, 0x04, 0xf5, 0x96, 0x94, 0xdd, 0x2b, 0x91, 0x98, 0x08, 0x60, - 0x02, 0x20, 0x22, 0x74, 0x59, 0x9c, 0xea, 0xa3, 0xa7, 0x89, 0x09, 0x16, - 0xeb, 0x5f, 0x9e, 0x51, 0x98, 0x78, 0x9d, 0x95, 0x0b, 0x33, 0xe1, 0x6f, - 0x2d, 0x62, 0xc3, 0x94, 0xeb, 0x07, 0x73, 0x4e, 0xe4, 0x32, 0x00, 0x75, - 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, 0xe7, 0xae, 0x60, 0x36, - 0xb6, 0x34, 0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, 0x62, 0x5f, 0xe6, 0xa3, - 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, 0x96, 0x00, 0x00, 0x01, - 0x4b, 0xf0, 0xe6, 0x1d, 0x6a, 0x00, 0x00, 0x04, 0x03, 0x00, 0x46, 0x30, - 0x44, 0x02, 0x20, 0x63, 0x97, 0x60, 0xde, 0x96, 0xd6, 0x07, 0x8a, 0xe9, - 0x06, 0x3a, 0x9e, 0x80, 0x8d, 0x00, 0xaa, 0x1f, 0xe3, 0xb2, 0x48, 0xd3, - 0x17, 0x41, 0xd2, 0x90, 0x6a, 0x43, 0xf5, 0x4e, 0x2a, 0x55, 0x92, 0x02, - 0x20, 0x72, 0xd2, 0x81, 0x37, 0x32, 0x2c, 0xc1, 0x09, 0x40, 0xfd, 0x63, - 0x18, 0x76, 0x9b, 0xb6, 0x1f, 0x6a, 0x6c, 0x12, 0x6c, 0x40, 0x15, 0xdc, - 0xef, 0xaf, 0x62, 0xeb, 0x5d, 0xe0, 0x0b, 0x8d, 0x45, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, - 0x03, 0x81, 0x81, 0x00, 0xab, 0x17, 0x84, 0x3a, 0x6c, 0xb9, 0x69, 0x3b, - 0x87, 0x9a, 0x75, 0xc0, 0x51, 0x26, 0xc1, 0x1b, 0x9f, 0x43, 0x8f, 0x56, - 0x24, 0x15, 0xe9, 0x56, 0x84, 0xad, 0x81, 0xf0, 0x40, 0x39, 0xc7, 0x1e, - 0xa7, 0x16, 0x8f, 0x47, 0x69, 0x5f, 0xcf, 0x96, 0x00, 0x26, 0x80, 0x3a, - 0xb8, 0x83, 0x50, 0x7a, 0xc8, 0xd5, 0x48, 0x3c, 0x6d, 0x25, 0x7d, 0x1f, - 0x0d, 0x10, 0x17, 0x95, 0xda, 0xb4, 0xe3, 0x2a, 0x8c, 0x3d, 0x7c, 0x5f, - 0x4d, 0x77, 0xfd, 0xed, 0x5d, 0xdd, 0xa8, 0x51, 0x12, 0xb0, 0xd0, 0x25, - 0xe0, 0xbc, 
0x12, 0x53, 0x3e, 0x1c, 0x57, 0x32, 0x14, 0x01, 0x47, 0xd0, - 0xc1, 0x33, 0x13, 0x99, 0xbe, 0x9b, 0x10, 0xa6, 0x16, 0xb9, 0x70, 0xf2, - 0x0c, 0xd8, 0xf5, 0x67, 0x4c, 0xb3, 0x43, 0x72, 0xff, 0x08, 0x01, 0xaf, - 0x4d, 0x89, 0xe7, 0x24, 0x8b, 0x9d, 0x5f, 0x67, 0x22, 0x6d, 0x64, 0xca -}; - -static uint8_t server_1603_cert_der[] = { - 0x30, 0x82, 0x03, 0xef, 0x30, 0x82, 0x03, 0x58, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x3f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0x9c, 0xe9, 0x66, 0x86, 0x8f, 0x51, 0x79, 0x2b, - 0xf4, 0x62, 0xf7, 0xed, 0x2b, 0x62, 0xf2, 0xd4, 0x28, 0x86, 0x98, 0x54, - 0x37, 0x19, 0x78, 0x95, 0x60, 0x40, 0xe6, 0x20, 0x6a, 0x6e, 0xe1, 0x19, - 0x40, 0xa3, 0xeb, 0xda, 0x74, 0x0f, 0xc2, 0x0a, 0x02, 0xf9, 0x7e, 0x7e, - 0x7a, 0xf8, 0x12, 0x2f, 0x9c, 0x02, 0xa1, 0x00, 0x91, 0x36, 0x6f, 0x25, - 0x20, 0xad, 0x06, 0xc1, 0xbc, 0x79, 0xfe, 0xa1, 0x74, 0x4a, 0x8a, 0x2d, - 0x64, 0x5e, 0x07, 0x62, 0x06, 0xb8, 0x07, 0xe7, 0xe6, 0xb5, 0x4f, 0x1d, - 0xe2, 0xa6, 0xaf, 0xba, 0xb9, 0xba, 0xed, 0x79, 0xe1, 0xeb, 0x4a, 0x9f, - 0xc9, 0x52, 0x61, 0x43, 0xe5, 0x4d, 0x94, 0xa7, 0xf9, 0xac, 0x2f, 0xf6, - 0xb9, 0x20, 0xaf, 0xdb, 0x93, 0x01, 0x36, 0x89, 0xbf, 0xed, 0xd0, 0xb0, - 0x4f, 0x08, 0x9f, 0x12, 0x7f, 0x4c, 0x24, 0x20, 0x08, 0xc9, 0xe2, 0x53, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0xb3, 0x30, 0x82, 0x01, - 0xaf, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0xbe, 0xeb, 0xd4, 0xdb, 0x03, 0x4c, 0xa5, 0x3e, 0x83, 0xae, 0xeb, 0x29, - 0xda, 0xf9, 0x45, 0x00, 0x84, 0x1c, 0x84, 0xe9, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 
0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x01, 0x05, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x81, 0xf6, 0x04, 0x81, 0xf3, 0x00, 0xf1, 0x00, - 0x76, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, 0x79, 0x21, - 0xb0, 0x29, 0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, 0x4e, 0x04, - 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, 0x00, 0x00, - 0x01, 0x4b, 0xf0, 0xe6, 0x29, 0xa7, 0x00, 0x00, 0x04, 0x03, 0x00, 0x47, - 0x30, 0x45, 0x02, 0x20, 0x69, 0x89, 0x15, 0x7b, 0x51, 0x69, 0x4d, 0xfb, - 0x3f, 0x16, 0x17, 0xe8, 0xf1, 0x95, 0xf8, 0xc9, 0x66, 0xd0, 0xd9, 0x58, - 0xdf, 0x06, 0x22, 0x50, 0x9c, 0x80, 0x6d, 0xd2, 0x42, 0xff, 0x8f, 0xc9, - 0x02, 0x21, 0x00, 0x82, 0x20, 0x4b, 0x1a, 0xe7, 0xe2, 0x7c, 0x6d, 0x16, - 0x4b, 0xad, 0x03, 0xc4, 0xb7, 0x22, 0x58, 0x65, 0x9d, 0x95, 0x49, 0x00, - 0x42, 0x53, 0x98, 0xfc, 0x33, 0x63, 0xb0, 0xa6, 0x8b, 0xfe, 0x6b, 0x00, - 0x77, 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, 0xe7, 0xae, 0x60, - 0x36, 0xb6, 0x34, 0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, 0x62, 0x5f, 0xe6, - 0xa3, 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, 0x96, 0x00, 0x00, - 0x01, 0x4b, 0xf0, 0xe6, 0x35, 0x86, 0x00, 0x00, 0x04, 0x03, 0x00, 0x48, - 0x30, 0x46, 0x02, 0x21, 0x00, 0x95, 0x3b, 0x8b, 0xf6, 0x20, 0x57, 0x7c, - 0x4f, 0xa2, 0x00, 0xfb, 0x73, 0xf8, 0x76, 0xeb, 0x1d, 0x76, 0xec, 0x3b, - 0xa8, 0x5e, 0x56, 0xba, 0xb8, 0x95, 0x20, 0x19, 0xb6, 0xb1, 0x0a, 0x0d, - 0xe5, 0x02, 0x21, 0x00, 0x86, 0xaf, 0xf5, 0xb0, 0x43, 0xda, 0x1b, 0xa7, - 0x06, 0x04, 0x6c, 0x5e, 0xae, 0xa4, 0x92, 0xc2, 0x8a, 0xf0, 0xd1, 0x98, - 0x44, 0xea, 0xd3, 0xf7, 0xe0, 0x60, 0xb7, 0xa6, 0xa9, 0x42, 0x12, 0xf0, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0xc7, 0xc3, 0xd5, 0x23, 0x59, - 0x00, 0x8d, 0x90, 0xf5, 0x31, 0x61, 0x23, 0x07, 0x79, 0xcb, 0x4d, 0x46, - 0x90, 0x88, 0x39, 0xa2, 0x8d, 0xc3, 0x99, 0xe5, 0xf3, 0xe3, 0xfa, 0x72, - 0xc7, 0x02, 0xbf, 0x0c, 0xd4, 0x42, 
0xb3, 0x12, 0xd7, 0xa9, 0xa5, 0x84, - 0xfc, 0x3c, 0x7b, 0x9e, 0x32, 0x91, 0x50, 0x33, 0xe4, 0x82, 0x84, 0xd6, - 0x5d, 0x86, 0x73, 0xe0, 0x94, 0x77, 0x38, 0x96, 0xd3, 0xb0, 0xc4, 0x46, - 0x22, 0xe4, 0x7b, 0x72, 0xab, 0x7e, 0xd5, 0xfe, 0x04, 0x7e, 0x8e, 0x13, - 0x69, 0x81, 0xa5, 0xce, 0xee, 0x82, 0x84, 0x88, 0x0d, 0xd0, 0x0d, 0x8f, - 0x6c, 0xd0, 0xff, 0xd7, 0x1e, 0x86, 0xc5, 0x5a, 0xc7, 0x90, 0x24, 0x62, - 0xa2, 0x37, 0xc0, 0x50, 0xbc, 0xb3, 0x1c, 0xde, 0x21, 0x4c, 0x30, 0x48, - 0x1f, 0x52, 0xf5, 0x07, 0x5a, 0xa2, 0xbc, 0x97, 0xf8, 0xb6, 0xc3, 0x12, - 0xe6, 0xb4, 0xd2 -}; - -static uint8_t server_1604_cert_der[] = { - 0x30, 0x82, 0x04, 0x68, 0x30, 0x82, 0x03, 0xd1, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x40, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x36, 0x30, 0x34, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 
0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xb2, 0xa5, 0xf9, 0x7b, 0x3b, 0xed, 0x6d, 0x8f, - 0xf2, 0xb1, 0xe6, 0x2f, 0x3d, 0x60, 0xb5, 0x9b, 0x73, 0x2d, 0x07, 0x51, - 0xa5, 0xc1, 0x93, 0x36, 0xaf, 0xff, 0x27, 0x72, 0xde, 0xcd, 0x5e, 0xe9, - 0xe5, 0x54, 0x4d, 0xfa, 0x57, 0x4c, 0xf2, 0x23, 0xa8, 0xb3, 0xf6, 0xd1, - 0x7a, 0x0a, 0xaf, 0xb8, 0x97, 0xda, 0xc3, 0x7f, 0xf9, 0xb4, 0x3d, 0x96, - 0xa1, 0x32, 0x3a, 0x97, 0xf5, 0x56, 0x83, 0x9e, 0xf6, 0xd2, 0xae, 0x2f, - 0x1e, 0xc8, 0x79, 0xc6, 0xbe, 0x3b, 0xc5, 0xb6, 0x2e, 0xcb, 0xd4, 0x42, - 0x8e, 0x51, 0xd4, 0x12, 0xd0, 0x06, 0x7f, 0xbc, 0x8b, 0xe1, 0xa5, 0xe1, - 0xaf, 0x63, 0x88, 0x73, 0x20, 0x0b, 0x6c, 0x52, 0xd4, 0x60, 0xdb, 0xa4, - 0x31, 0xb7, 0xb3, 0x6d, 0x5a, 0x04, 0x7b, 0x7e, 0xae, 0x1b, 0x1e, 0xe6, - 0xbc, 0x05, 0x2c, 0x34, 0xb1, 0x85, 0x2c, 0x5c, 0xbc, 0x7a, 0x01, 0x9b, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0x2c, 0x30, 0x82, 0x02, - 0x28, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0xcc, 0xe6, 0xf0, 0x82, 0xe5, 0x15, 0x92, 0x4d, 0x35, 0x48, 0x31, 0x9d, - 0x19, 0x01, 0x8d, 0x71, 0xe6, 0x4c, 0xad, 0x10, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 
0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x01, 0x7e, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x82, 0x01, 0x6e, 0x04, 0x82, 0x01, 0x6a, 0x01, - 0x68, 0x00, 0x76, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, - 0x79, 0x21, 0xb0, 0x29, 0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, - 0x4e, 0x04, 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0x41, 0xb4, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x20, 0x49, 0x50, 0x3e, 0xcf, 0x4e, 0x94, - 0xc5, 0x7d, 0x0d, 0x96, 0x16, 0x50, 0x4f, 0x67, 0x9a, 0x44, 0x89, 0x24, - 0x90, 0x55, 0xdb, 0x1b, 0x9e, 0x61, 0xef, 0x1b, 0x75, 0x36, 0x9d, 0xb5, - 0xbe, 0xdd, 0x02, 0x21, 0x00, 0xc8, 0x8e, 0x38, 0x6d, 0x15, 0xc1, 0x2a, - 0x1c, 0xdf, 0xbd, 0xbe, 0x8c, 0x9e, 0x84, 0xac, 0x71, 0x00, 0xcd, 0x12, - 0xac, 0x8e, 0x83, 0xaf, 0xf2, 0x6c, 0xc3, 0xfd, 0xa8, 0x30, 0x6c, 0xd7, - 0x2f, 0x00, 0x77, 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, 0xe7, - 0xae, 0x60, 0x36, 0xb6, 0x34, 0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, 0x62, - 0x5f, 0xe6, 0xa3, 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, 0x96, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0x4d, 0x93, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, 0xdb, 0xdf, 0xab, 0x7e, 0x04, - 0xa9, 0xef, 0x8c, 0x47, 0xad, 0x6e, 0xf7, 0xd4, 0xbe, 0x11, 0x21, 0x3b, - 0x85, 0x00, 0xbe, 0xbe, 0xda, 0xe7, 0xcd, 0x04, 0xfa, 0x9d, 0x84, 0x5c, - 0x6c, 0xd5, 0x70, 0x02, 0x21, 0x00, 0xaf, 0x10, 0x08, 0x03, 0xe5, 0x29, - 0x53, 0x13, 0x61, 0x36, 0x2a, 0x4e, 0x81, 0x64, 0xe5, 0x7e, 0xf7, 0xb5, - 0xe3, 0x73, 0x97, 0x87, 0x82, 0x37, 0x88, 0xf0, 0x6f, 0x0b, 0xc9, 0xe1, - 0xf2, 0x4a, 0x00, 0x75, 0x00, 0x22, 0xb0, 
0xa6, 0x33, 0x3f, 0xbd, 0x6d, - 0x05, 0xf6, 0xf0, 0x25, 0xde, 0x66, 0x78, 0x3b, 0x55, 0x5b, 0x59, 0x90, - 0xbf, 0x53, 0xc9, 0xa8, 0x69, 0x4a, 0x5f, 0x03, 0x0a, 0xe1, 0x2b, 0x05, - 0x81, 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0x59, 0xa4, 0x00, 0x00, 0x04, - 0x03, 0x00, 0x46, 0x30, 0x44, 0x02, 0x20, 0x05, 0x5c, 0x12, 0x77, 0x66, - 0x66, 0xdb, 0x56, 0xdf, 0x0f, 0x67, 0xc7, 0x65, 0xd9, 0x21, 0x5b, 0xe6, - 0xf3, 0x3e, 0xd4, 0xd2, 0xf6, 0x56, 0x2b, 0x7e, 0xe2, 0x89, 0xcd, 0x7f, - 0xd5, 0x6b, 0x59, 0x02, 0x20, 0x5f, 0x9b, 0x01, 0x9f, 0x2f, 0xaa, 0xb3, - 0xf8, 0xb9, 0xd0, 0x32, 0x56, 0x90, 0xb5, 0x41, 0x39, 0x55, 0x8d, 0xf0, - 0x3a, 0xa3, 0x09, 0x7f, 0x54, 0xb7, 0x04, 0xac, 0x43, 0x13, 0x22, 0x81, - 0x44, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x76, 0x5d, 0xb2, 0x05, - 0x81, 0x3d, 0x58, 0xa1, 0x7a, 0xad, 0x01, 0x8e, 0x44, 0x2e, 0x0e, 0x0b, - 0xd1, 0xe1, 0x81, 0xcb, 0xf0, 0x70, 0xe1, 0x0f, 0xe9, 0x00, 0x31, 0xd3, - 0x06, 0x99, 0x46, 0xc8, 0x13, 0x2b, 0xcf, 0xd2, 0x2e, 0x50, 0x64, 0x70, - 0x68, 0x8f, 0x5f, 0xd6, 0xe5, 0xb3, 0x56, 0xc1, 0x4a, 0xf1, 0x70, 0xe4, - 0x38, 0x09, 0xfc, 0xa5, 0x6b, 0x5d, 0x0d, 0x4a, 0x2a, 0x4d, 0x6c, 0x7a, - 0x0a, 0x1c, 0xbc, 0xfa, 0x80, 0xd8, 0xcf, 0x7b, 0x98, 0x2b, 0xe6, 0xfd, - 0x83, 0x0d, 0xa8, 0xe7, 0xab, 0xd3, 0xc3, 0xad, 0xb5, 0x53, 0xde, 0x62, - 0x0a, 0x89, 0xd9, 0x5f, 0x6a, 0xed, 0x25, 0xb3, 0xb5, 0x5a, 0x76, 0x15, - 0xb6, 0xa2, 0xc5, 0xf4, 0xbc, 0x89, 0xa0, 0x74, 0x73, 0x82, 0xdf, 0x5e, - 0x4d, 0xd1, 0x33, 0xb3, 0xb4, 0x11, 0x0d, 0xf3, 0x43, 0x6f, 0xb6, 0x8a, - 0x86, 0x9c, 0x1f, 0x59 -}; - -static uint8_t server_1701_cert_der[] = { - 0x30, 0x82, 0x04, 0x69, 0x30, 0x82, 0x03, 0xd2, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 
0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x37, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xd3, 0x9c, 0x92, 0xee, 0x65, 0x6d, 0x3d, 0x67, - 0x37, 0x90, 0x55, 0x45, 0x4c, 0x60, 0x36, 0x0e, 0x25, 0xe1, 0x28, 0x0c, - 0x1e, 0x8a, 0xff, 0xe5, 0xa2, 0xc1, 0xda, 0x5f, 0x6d, 0xe4, 0x9a, 0x54, - 0x3c, 0x47, 0x6c, 0x83, 0x15, 0x1d, 0xf1, 0x04, 0x04, 0x4a, 0x81, 0x32, - 0xb4, 0x3b, 0x12, 0x04, 0x87, 0x13, 0x0d, 0xd0, 0xd4, 0x67, 0x24, 0x4a, - 0x64, 0x9f, 0xe8, 0xfa, 0x48, 0x64, 0x59, 0x88, 0xb6, 0x58, 0xdc, 0xa4, - 0x63, 0x5d, 0x5c, 0xef, 0xda, 0xef, 0xc2, 0x8f, 0xbd, 0x72, 0x58, 0xb4, - 0xab, 0xdc, 0x0c, 0xcf, 0x50, 0x79, 0x42, 
0x80, 0xb3, 0x98, 0x7e, 0x37, - 0x81, 0x58, 0xbf, 0x13, 0x84, 0x59, 0xe8, 0x60, 0xb4, 0x54, 0xe5, 0x93, - 0x62, 0x30, 0x3e, 0xd7, 0x7e, 0xbf, 0x1d, 0x5e, 0xd3, 0x2e, 0x8f, 0x08, - 0x89, 0x3a, 0xa4, 0x2b, 0xc2, 0xc1, 0xa5, 0x9d, 0xea, 0x27, 0xb7, 0x19, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0x2d, 0x30, 0x82, 0x02, - 0x29, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x1a, 0x15, 0x14, 0x59, 0x41, 0xb9, 0x46, 0x3e, 0x18, 0x01, 0xc1, 0x21, - 0xa8, 0x08, 0xc6, 0x60, 0xcd, 0xbc, 0x14, 0x0b, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x01, 0x7f, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x82, 0x01, 0x6f, 0x04, 0x82, 0x01, 0x6b, 0x01, - 0x69, 0x00, 0x76, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, - 0x79, 0x21, 0xb0, 0x29, 0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, - 0x4e, 0x04, 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0x65, 0xec, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x20, 0x7b, 0x2a, 0xa4, 0xde, 0xdb, 0xeb, - 0xa1, 0x9b, 0x47, 0xee, 0xa7, 0xdb, 0x9d, 0x7d, 0x12, 0x07, 0xf6, 0x48, - 0x22, 0xac, 0x90, 0x43, 0x16, 0xe2, 0x07, 
0x40, 0xa5, 0xd2, 0x79, 0xc1, - 0xc7, 0x35, 0x02, 0x21, 0x00, 0x86, 0x6f, 0xd3, 0xc7, 0xff, 0xf2, 0x3b, - 0xb6, 0x62, 0x78, 0xca, 0x18, 0x3c, 0x51, 0xa1, 0x22, 0xbe, 0xd3, 0x21, - 0xdc, 0xac, 0x4b, 0xde, 0xd8, 0x0c, 0xdf, 0x21, 0x02, 0xdc, 0x3a, 0x16, - 0xaf, 0x00, 0x76, 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, 0xe7, - 0xae, 0x60, 0x36, 0xb6, 0x34, 0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, 0x62, - 0x5f, 0xe6, 0xa3, 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, 0x96, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0x71, 0xd0, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xf1, 0x01, 0x14, 0xc6, 0x17, - 0xfa, 0x33, 0x8e, 0xcd, 0x44, 0x37, 0xcb, 0x70, 0xea, 0x27, 0x78, 0x4b, - 0x26, 0x8d, 0xf1, 0xb0, 0x39, 0x04, 0x09, 0x30, 0x2c, 0xe8, 0xce, 0x75, - 0x77, 0xfd, 0xe7, 0x02, 0x20, 0x43, 0x2b, 0x06, 0xc5, 0xc0, 0x86, 0x3c, - 0x39, 0x40, 0x55, 0x57, 0xf4, 0x04, 0xec, 0x82, 0x3c, 0x77, 0x20, 0xe7, - 0x64, 0x9d, 0x71, 0x19, 0xbc, 0x3f, 0x47, 0xbe, 0xa5, 0x10, 0x4f, 0x5c, - 0x4f, 0x00, 0x77, 0x00, 0x22, 0xb0, 0xa6, 0x33, 0x3f, 0xbd, 0x6d, 0x05, - 0xf6, 0xf0, 0x25, 0xde, 0x66, 0x78, 0x3b, 0x55, 0x5b, 0x59, 0x90, 0xbf, - 0x53, 0xc9, 0xa8, 0x69, 0x4a, 0x5f, 0x03, 0x0a, 0xe1, 0x2b, 0x05, 0x81, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0x7d, 0xae, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, 0x9e, 0xfc, 0xb0, 0x80, 0x44, - 0xda, 0xb6, 0x32, 0x4c, 0xcf, 0x54, 0x89, 0x40, 0xaf, 0x94, 0x31, 0xdf, - 0xa1, 0xa4, 0x21, 0x05, 0x29, 0xcb, 0x02, 0x1c, 0xd7, 0x5f, 0x28, 0xf7, - 0x43, 0x95, 0xc4, 0x02, 0x21, 0x00, 0xd6, 0x1e, 0xcd, 0x11, 0xa7, 0x2f, - 0x10, 0x6c, 0xf6, 0x7d, 0x39, 0x70, 0xd0, 0xef, 0x8e, 0x9b, 0x93, 0xb2, - 0xf3, 0x2c, 0x86, 0x77, 0x00, 0xb0, 0x70, 0xc9, 0x78, 0x3e, 0x03, 0x9d, - 0xb4, 0xb7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x52, 0x1a, 0x77, - 0xc1, 0x18, 0xd7, 0xa0, 0x3e, 0x0e, 0xc4, 0x5c, 0xc9, 0x3c, 0xca, 0x17, - 0x8a, 0xad, 0x36, 0xb7, 0x46, 0xa9, 0xf4, 
0xc3, 0xf2, 0x94, 0x7b, 0x38, - 0xd6, 0xcb, 0x08, 0x93, 0x75, 0xcd, 0x71, 0x01, 0x28, 0xdf, 0x06, 0x3c, - 0x6a, 0x02, 0xcc, 0xf7, 0xac, 0xc5, 0x7c, 0xf2, 0x23, 0x77, 0x10, 0x60, - 0x8f, 0xc8, 0x4d, 0x30, 0x84, 0xa5, 0x6f, 0xce, 0x8c, 0x49, 0xe6, 0x1b, - 0x4c, 0x28, 0x8c, 0x5b, 0x95, 0xb5, 0xdc, 0x5b, 0x1f, 0x8f, 0xea, 0x7e, - 0x01, 0xb9, 0xc5, 0xef, 0x61, 0x37, 0x1a, 0x0f, 0xec, 0x80, 0xa8, 0x35, - 0x5e, 0x79, 0x6e, 0x9d, 0x58, 0xdb, 0xbf, 0x36, 0x88, 0xf4, 0x07, 0x7e, - 0x59, 0x03, 0xa2, 0x86, 0x34, 0x40, 0xaa, 0x1b, 0xd8, 0x01, 0x7e, 0x45, - 0x60, 0xb3, 0x1f, 0x44, 0x0d, 0x55, 0x72, 0x1c, 0x81, 0xfb, 0xdc, 0x27, - 0xfe, 0xc9, 0x77, 0x8f, 0xa0 -}; - -static uint8_t server_1704_cert_der[] = { - 0x30, 0x82, 0x04, 0x69, 0x30, 0x82, 0x03, 0xd2, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x42, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 
0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xb7, 0x36, 0x88, 0xcf, 0x75, 0x9e, 0xeb, 0x3d, - 0x40, 0x88, 0x9c, 0xdf, 0x24, 0xbc, 0xae, 0xa1, 0xc8, 0x8a, 0x48, 0xef, - 0x75, 0x98, 0x5c, 0x5e, 0x77, 0xb3, 0x7a, 0xa6, 0xdb, 0xdb, 0x18, 0x85, - 0x4f, 0x22, 0x5e, 0x37, 0xe7, 0x66, 0x29, 0xd2, 0xb7, 0xc8, 0x6c, 0x30, - 0xbd, 0x77, 0xbd, 0xfd, 0x58, 0xcd, 0x5d, 0xac, 0xd7, 0x58, 0xd9, 0x87, - 0xa9, 0x0b, 0xa9, 0x6f, 0x0c, 0x6a, 0x5e, 0x1c, 0xee, 0xec, 0x65, 0xfe, - 0xb9, 0x07, 0x47, 0x5d, 0x8d, 0x79, 0x74, 0x9d, 0x3e, 0x4e, 0x3e, 0x66, - 0xc1, 0xfe, 0x58, 0x55, 0x3e, 0x5c, 0x00, 0xc5, 0x7a, 0x76, 0x91, 0x04, - 0xde, 0x1b, 0x05, 0x86, 0x6e, 0xde, 0x06, 0x29, 0x97, 0xb9, 0x1c, 0xb5, - 0xd1, 0x3f, 0x01, 0xbf, 0x8f, 0x28, 0xf4, 0x87, 0x1b, 0xd8, 0x1c, 0xf0, - 0x80, 0xaf, 0x4d, 0xe2, 0x18, 0x8f, 0xf8, 0x3f, 0x28, 0xf2, 0xba, 0x9d, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0x2d, 0x30, 0x82, 0x02, - 0x29, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x62, 0xff, 0xc0, 0x26, 0x22, 0xb3, 0x12, 0x1b, 0xe5, 0x51, 0x25, 0x9c, - 0x21, 0x6d, 0x1e, 0x1a, 0x40, 0x19, 0x8c, 0x1f, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 
0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x01, 0x7f, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x82, 0x01, 0x6f, 0x04, 0x82, 0x01, 0x6b, 0x01, - 0x69, 0x00, 0x76, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, - 0x79, 0x21, 0xb0, 0x29, 0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, - 0x4e, 0x04, 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0x8a, 0x02, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0x8a, 0x50, 0x2f, 0xa1, 0xcd, - 0xb1, 0xa0, 0xe6, 0x71, 0xd9, 0x34, 0xd4, 0x3d, 0x24, 0xd1, 0xb1, 0x49, - 0x16, 0xd3, 0x0d, 0x7c, 0xdf, 0xbf, 0xe7, 0xfd, 0xcb, 0xb2, 0xc6, 0x87, - 0x6f, 0xaa, 0xda, 0x02, 0x20, 0x69, 0x70, 0x97, 0x94, 0xb6, 0x36, 0x83, - 0xba, 0xf7, 0x90, 0x41, 0x4b, 0x8b, 0xda, 0x38, 0x62, 0x10, 0x3f, 0x68, - 0x9d, 0x71, 0xba, 0x4a, 0xd3, 0xca, 0xc9, 0xe7, 0xc9, 0xbd, 0x28, 0xcd, - 0x28, 0x00, 0x76, 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, 0xe7, - 0xae, 0x60, 0x36, 0xb6, 0x34, 0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, 0x62, - 0x5f, 0xe6, 0xa3, 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, 0x96, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0x95, 0xed, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xd2, 0x88, 0xe6, 0xa9, 0x9a, - 0x29, 0x76, 0x4e, 0xaa, 0xd3, 0xad, 0x00, 0xaf, 0xef, 0xa9, 0x09, 0x86, - 0x84, 0x10, 0x5f, 0xd2, 0x2f, 0xc0, 0xe6, 0x6f, 0x26, 0xa0, 0x4d, 0x68, - 0xb3, 0x5f, 0x92, 0x02, 0x20, 0x0c, 0xce, 0xea, 0x71, 0xd5, 0x06, 0x35, - 0x03, 0x50, 0x66, 0xcc, 0x4f, 0x03, 0x65, 0x50, 0xaa, 0xfe, 0xbc, 0xcd, - 0x3f, 0x9a, 0xb2, 0x53, 0xdc, 0xdd, 
0x12, 0xe8, 0x3b, 0xf8, 0x4c, 0xdf, - 0x4f, 0x00, 0x77, 0x00, 0x22, 0xb0, 0xa6, 0x33, 0x3f, 0xbd, 0x6d, 0x05, - 0xf6, 0xf0, 0x25, 0xde, 0x66, 0x78, 0x3b, 0x55, 0x5b, 0x59, 0x90, 0xbf, - 0x53, 0xc9, 0xa8, 0x69, 0x4a, 0x5f, 0x03, 0x0a, 0xe1, 0x2b, 0x05, 0x81, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0xa1, 0xcb, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, 0xaf, 0xbd, 0xfb, 0x43, 0xfb, - 0x29, 0x9a, 0x76, 0x93, 0xef, 0x0d, 0x1e, 0xe7, 0xd3, 0x01, 0x72, 0x61, - 0xb2, 0x55, 0x4b, 0x89, 0x9f, 0x0b, 0xf5, 0xfa, 0xb8, 0xcb, 0xf1, 0x3d, - 0xfa, 0x50, 0x22, 0x02, 0x21, 0x00, 0x90, 0xbf, 0xae, 0xaa, 0x16, 0x98, - 0x2b, 0x88, 0xc9, 0x1e, 0x5b, 0xb2, 0x46, 0xb1, 0xc3, 0x31, 0xd4, 0xb2, - 0x1f, 0x77, 0x41, 0x3c, 0xd2, 0x9e, 0x40, 0x96, 0x56, 0x8d, 0xb9, 0xaa, - 0x21, 0xe0, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x02, 0xb1, 0x5d, - 0xb7, 0x81, 0x6a, 0xc5, 0xe8, 0x37, 0x2d, 0x89, 0x8a, 0x43, 0x1b, 0xe6, - 0xf2, 0x6e, 0x1b, 0xd7, 0x84, 0xaa, 0xb6, 0x8e, 0xf8, 0xdc, 0x25, 0xa6, - 0x57, 0x36, 0xec, 0x0b, 0x79, 0x15, 0x63, 0x57, 0xb0, 0xb9, 0xe2, 0xf9, - 0xa2, 0xd1, 0x61, 0x6d, 0x56, 0xfa, 0x4b, 0xb5, 0xae, 0x2e, 0x38, 0x73, - 0x9a, 0x1b, 0x03, 0xa2, 0xaa, 0x11, 0xf9, 0xe5, 0x39, 0x73, 0xf8, 0x35, - 0xe6, 0x4e, 0x5d, 0xea, 0x2f, 0xed, 0xe0, 0xc1, 0x31, 0x12, 0x53, 0x7e, - 0x79, 0xff, 0xe8, 0x6b, 0x26, 0x8b, 0xf0, 0xcc, 0xc0, 0x5b, 0x54, 0x0d, - 0x7d, 0x57, 0x05, 0x16, 0x30, 0x3e, 0x68, 0xe9, 0xb4, 0xf0, 0x04, 0x28, - 0xae, 0xd5, 0x66, 0xbe, 0xb5, 0x15, 0x85, 0x58, 0x80, 0xe6, 0x14, 0x79, - 0x63, 0x88, 0x5e, 0xe8, 0x4d, 0x97, 0x57, 0x30, 0xd3, 0xc8, 0x9a, 0x59, - 0xcb, 0x44, 0x9d, 0x1f, 0x43 -}; - -static uint8_t server_1705_cert_der[] = { - 0x30, 0x82, 0x04, 0xe1, 0x30, 0x82, 0x04, 0x4a, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x43, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 
0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x37, 0x30, 0x35, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xbd, 0xd6, 0x6e, 0x36, 0x79, 0xdf, 0xf2, 0xaf, - 0xf2, 0x18, 0x85, 0xd5, 0xed, 0x6a, 0xb0, 0xca, 0x36, 0xd2, 0x36, 0x0e, - 0xb3, 0x94, 0x7c, 0x80, 0x0e, 0x56, 0xa3, 0x2c, 0x91, 0x94, 0x25, 0x98, - 0x03, 0x52, 0x15, 0x63, 0x91, 0x39, 0x24, 0x6b, 0x6e, 0x3b, 0x67, 0xd7, - 0x22, 0x67, 0x3f, 0x42, 0xa3, 0x0e, 0xbe, 0x2d, 0xcb, 0xc3, 0x43, 0xb8, - 0x8a, 0x29, 0x08, 0x33, 0xe5, 0xb7, 0x63, 0xfe, 0x28, 0x5b, 0x78, 0x86, - 0xf0, 0x62, 0x9a, 0x77, 0x82, 
0xf6, 0x6a, 0x27, 0x5e, 0x4b, 0x21, 0x70, - 0xe3, 0x06, 0x7b, 0x50, 0x6a, 0xf0, 0x43, 0xc9, 0xfd, 0xe2, 0x46, 0x6e, - 0x12, 0x49, 0x29, 0x94, 0x7f, 0x7b, 0xff, 0x37, 0x0e, 0x71, 0xd8, 0x28, - 0x81, 0x96, 0x4f, 0x52, 0x0b, 0x1d, 0x98, 0x43, 0xb8, 0x35, 0x28, 0x4f, - 0x58, 0x21, 0x95, 0x13, 0x94, 0x6f, 0xc0, 0xb1, 0xbd, 0x6a, 0x44, 0xeb, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0xa5, 0x30, 0x82, 0x02, - 0xa1, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0xcc, 0x03, 0xf5, 0x59, 0xab, 0x76, 0xec, 0xfb, 0xed, 0x7c, 0xf2, 0x1b, - 0xec, 0x77, 0x6c, 0x8e, 0xf7, 0x8e, 0x2f, 0xb5, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x01, 0xf7, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x82, 0x01, 0xe7, 0x04, 0x82, 0x01, 0xe3, 0x01, - 0xe1, 0x00, 0x77, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, - 0x79, 0x21, 0xb0, 0x29, 0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, - 0x4e, 0x04, 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0xae, 0x34, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, 0xe5, 0xd1, 0x23, 0xc8, 0xa9, - 0x0f, 0x94, 0x63, 0x8c, 0xc2, 
0xfc, 0x42, 0x14, 0xf0, 0x68, 0x01, 0x0e, - 0x57, 0xe8, 0xc0, 0x5b, 0x30, 0x96, 0x08, 0xbc, 0x5f, 0x16, 0x21, 0x41, - 0x2d, 0x83, 0x4d, 0x02, 0x21, 0x00, 0xd2, 0x37, 0x49, 0xa0, 0xc5, 0x36, - 0x0b, 0x6f, 0xf8, 0xcf, 0x72, 0xb8, 0x77, 0xa9, 0xcb, 0x62, 0x8d, 0x5b, - 0x08, 0xdd, 0x49, 0x77, 0x96, 0xd8, 0x3c, 0xf9, 0x1c, 0x91, 0xec, 0x59, - 0x1c, 0x0b, 0x00, 0x76, 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, - 0xe7, 0xae, 0x60, 0x36, 0xb6, 0x34, 0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, - 0x62, 0x5f, 0xe6, 0xa3, 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, - 0x96, 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0xba, 0x17, 0x00, 0x00, 0x04, - 0x03, 0x00, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xc3, 0xcf, 0x0d, 0xcc, - 0x82, 0x8f, 0x3f, 0x96, 0xcc, 0x57, 0x44, 0x64, 0x2b, 0xde, 0x8e, 0xf2, - 0xa9, 0xfd, 0x12, 0x03, 0xfa, 0x08, 0x0b, 0x81, 0xdf, 0x36, 0x68, 0x59, - 0xf4, 0xff, 0x30, 0xf6, 0x02, 0x20, 0x35, 0x62, 0x2e, 0x68, 0x89, 0xa0, - 0x19, 0x91, 0x5d, 0xe6, 0xf8, 0x23, 0x6b, 0x3e, 0xad, 0x41, 0x2b, 0xba, - 0x91, 0x92, 0x78, 0x79, 0x5c, 0xff, 0xf7, 0x84, 0x65, 0x4a, 0x03, 0xed, - 0xdd, 0x70, 0x00, 0x77, 0x00, 0x22, 0xb0, 0xa6, 0x33, 0x3f, 0xbd, 0x6d, - 0x05, 0xf6, 0xf0, 0x25, 0xde, 0x66, 0x78, 0x3b, 0x55, 0x5b, 0x59, 0x90, - 0xbf, 0x53, 0xc9, 0xa8, 0x69, 0x4a, 0x5f, 0x03, 0x0a, 0xe1, 0x2b, 0x05, - 0x81, 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0xc5, 0xf5, 0x00, 0x00, 0x04, - 0x03, 0x00, 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, 0xd9, 0xc9, 0x1e, 0x3a, - 0x8e, 0xc3, 0x8e, 0xbd, 0xbe, 0xe5, 0xba, 0x75, 0x71, 0x73, 0x71, 0x97, - 0xae, 0xa6, 0x70, 0x31, 0x56, 0x7a, 0x16, 0xbb, 0xc6, 0x63, 0x76, 0x73, - 0x55, 0xf6, 0x5b, 0x92, 0x02, 0x21, 0x00, 0xd6, 0xb0, 0x64, 0x2f, 0x52, - 0xb8, 0x28, 0x85, 0xc6, 0xc1, 0x4d, 0xf0, 0x97, 0x64, 0x7a, 0xd3, 0x3a, - 0x5c, 0x5c, 0x6b, 0xaa, 0xbd, 0xa9, 0x8b, 0xcd, 0x1b, 0xe4, 0x53, 0xc2, - 0x18, 0x5f, 0x5b, 0x00, 0x75, 0x00, 0x9a, 0x3c, 0xc4, 0x7b, 0xa4, 0x75, - 0xd0, 0xc1, 0x24, 0xe4, 0x57, 0x1f, 0xac, 0x6c, 0x5a, 0x75, 0x4a, 0xd5, - 0xbd, 0xfd, 0x33, 0x76, 0x5d, 
0x21, 0x27, 0xda, 0x56, 0xaa, 0x21, 0x09, - 0x47, 0x21, 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0xd1, 0xdd, 0x00, 0x00, - 0x04, 0x03, 0x00, 0x46, 0x30, 0x44, 0x02, 0x20, 0x4c, 0x8b, 0xa0, 0xa7, - 0x6c, 0x31, 0xb5, 0x50, 0x95, 0x11, 0x34, 0xdc, 0x76, 0x1e, 0x5b, 0x72, - 0x9b, 0xd5, 0x41, 0x7d, 0xce, 0x77, 0x66, 0x64, 0xf4, 0xfd, 0x4c, 0x65, - 0x2b, 0x80, 0xe8, 0xc1, 0x02, 0x20, 0x4d, 0x7e, 0x86, 0x60, 0xb3, 0x35, - 0xa2, 0x18, 0x4b, 0x7b, 0xa8, 0x08, 0x02, 0xa8, 0xf9, 0xa9, 0x7a, 0x00, - 0xf5, 0xbb, 0x27, 0x2d, 0x7d, 0xc5, 0xc0, 0xd0, 0x39, 0xd9, 0xfe, 0xcc, - 0x89, 0x5a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x46, 0x23, 0x1d, - 0x73, 0xb6, 0xa3, 0xa8, 0x66, 0x01, 0x08, 0xa1, 0x3d, 0xd1, 0x3c, 0x17, - 0x7a, 0x96, 0x6d, 0x9e, 0xa3, 0xc7, 0x8f, 0xc8, 0x45, 0x9e, 0x9d, 0xd8, - 0x8e, 0xa2, 0x12, 0x67, 0xb7, 0xd5, 0xd2, 0x56, 0x72, 0x48, 0xb5, 0x8d, - 0xed, 0x9e, 0xc0, 0xb3, 0xb5, 0xe3, 0x84, 0xf9, 0x7e, 0xdf, 0xb0, 0xd6, - 0x5c, 0x6d, 0x40, 0xd1, 0x28, 0x8d, 0x66, 0xb3, 0x83, 0x39, 0xba, 0x75, - 0x75, 0xf0, 0xa5, 0x5d, 0x85, 0x88, 0x36, 0xf7, 0x54, 0x75, 0xbc, 0x3b, - 0x2d, 0xdc, 0x95, 0xdc, 0xeb, 0x3d, 0xfc, 0x6d, 0x7b, 0xbc, 0x27, 0x35, - 0xeb, 0x2f, 0x9a, 0x66, 0xfa, 0x78, 0x92, 0xb3, 0x1d, 0xaa, 0x75, 0x30, - 0x4e, 0xcd, 0x8b, 0x06, 0xfa, 0x48, 0x5c, 0xc7, 0x40, 0x1c, 0xe5, 0xbb, - 0xbf, 0x83, 0x3b, 0x03, 0x7b, 0x90, 0x81, 0xff, 0x8b, 0x3f, 0x6c, 0x6d, - 0xd1, 0x54, 0xbd, 0xd8, 0x9b -}; - -static uint8_t server_1801_cert_der[] = { - 0x30, 0x82, 0x04, 0xdf, 0x30, 0x82, 0x04, 0x48, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x44, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 
0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x38, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xc9, 0x26, 0x57, 0x44, 0x5e, 0x78, 0x36, 0x38, - 0x9a, 0x11, 0xf7, 0x3e, 0x4a, 0x5e, 0xb2, 0xab, 0x62, 0x24, 0x22, 0x9e, - 0xc7, 0x0c, 0x24, 0x31, 0x46, 0x81, 0x3d, 0x9d, 0x94, 0x48, 0x8e, 0x19, - 0xa0, 0x97, 0x40, 0x0c, 0x52, 0xb1, 0x49, 0x9d, 0x20, 0xe8, 0xee, 0xcb, - 0xf2, 0x8a, 0x76, 0x1b, 0x05, 0x9b, 0x70, 0x0a, 0x84, 0xa4, 0x14, 0x6d, - 0x8d, 0x56, 0x44, 0xc2, 0xad, 0x8f, 0x4d, 0xb8, 0x13, 0x81, 0x41, 0xbf, - 0xc8, 0x41, 0x00, 0x6b, 0x87, 0xf3, 0xe7, 0xeb, 0x27, 0x68, 0xaa, 0x3d, - 0x68, 0xd0, 0xd8, 0xda, 0x7d, 0xd3, 0x4b, 0x08, 0x9d, 0xc4, 0x6b, 0xa7, - 0x6d, 0x81, 0x92, 0x2f, 0x77, 0x03, 0x4d, 0x49, 0x58, 0xfe, 0x02, 0x06, - 0x87, 0x40, 0x37, 0xab, 
0xa4, 0x18, 0xe6, 0x53, 0x81, 0x1d, 0xc4, 0x33, - 0xbc, 0xc2, 0x83, 0xff, 0x86, 0x01, 0xa1, 0xcb, 0x6d, 0x08, 0x9a, 0x63, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0xa3, 0x30, 0x82, 0x02, - 0x9f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x83, 0x55, 0xae, 0xf2, 0xe4, 0x6b, 0x8d, 0xd0, 0x13, 0x27, 0x6a, 0x08, - 0xd6, 0xd4, 0x14, 0xa9, 0xbd, 0xbe, 0x41, 0x90, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x01, 0xf5, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x82, 0x01, 0xe5, 0x04, 0x82, 0x01, 0xe1, 0x01, - 0xdf, 0x00, 0x76, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, - 0x79, 0x21, 0xb0, 0x29, 0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, - 0x4e, 0x04, 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0xde, 0x12, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xba, 0xbe, 0x87, 0x47, 0x25, - 0xe3, 0xcf, 0xbf, 0x5d, 0x41, 0xfa, 0x99, 0xe6, 0x00, 0xea, 0x13, 0x6f, - 0xdd, 0xe7, 0x3b, 0x0f, 0x96, 0xf0, 0xb3, 0x34, 0x7c, 0x67, 0x9b, 0x85, - 0x42, 0x17, 0x5f, 0x02, 0x20, 0x1c, 0x59, 0xdb, 0x74, 0x6a, 0x17, 0x88, - 0x05, 0xce, 0x90, 0xc7, 
0x9c, 0x53, 0xfa, 0x64, 0xb8, 0x08, 0x34, 0x0b, - 0xa5, 0xb2, 0x54, 0xe6, 0xa6, 0xb1, 0x18, 0x96, 0xbd, 0x6a, 0x02, 0x63, - 0xea, 0x00, 0x76, 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, 0xe7, - 0xae, 0x60, 0x36, 0xb6, 0x34, 0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, 0x62, - 0x5f, 0xe6, 0xa3, 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, 0x96, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0xe9, 0xf7, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x20, 0x18, 0x4d, 0x56, 0x44, 0x38, 0x39, - 0x30, 0x5e, 0xf2, 0x26, 0x8c, 0xb5, 0x4e, 0x3c, 0xd4, 0xbe, 0x0e, 0xe6, - 0x9d, 0xf6, 0x6a, 0x5b, 0x40, 0x76, 0x98, 0x2e, 0x48, 0x44, 0xe5, 0xdb, - 0x62, 0x89, 0x02, 0x21, 0x00, 0x9f, 0x0b, 0x94, 0x0f, 0xa0, 0x0a, 0xf7, - 0x7c, 0xa3, 0x89, 0x6a, 0x27, 0x1b, 0x41, 0xc9, 0x5b, 0x1e, 0xf8, 0x8a, - 0x5c, 0x83, 0xed, 0x71, 0xaf, 0xe7, 0x8b, 0x21, 0x23, 0xfc, 0x46, 0x95, - 0x10, 0x00, 0x76, 0x00, 0x22, 0xb0, 0xa6, 0x33, 0x3f, 0xbd, 0x6d, 0x05, - 0xf6, 0xf0, 0x25, 0xde, 0x66, 0x78, 0x3b, 0x55, 0x5b, 0x59, 0x90, 0xbf, - 0x53, 0xc9, 0xa8, 0x69, 0x4a, 0x5f, 0x03, 0x0a, 0xe1, 0x2b, 0x05, 0x81, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe6, 0xf5, 0xdf, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x20, 0x5f, 0xf6, 0x22, 0x77, 0x2e, 0x06, - 0x57, 0xaa, 0x79, 0x03, 0xd2, 0x17, 0x28, 0x72, 0x9e, 0xea, 0x49, 0x17, - 0x71, 0x97, 0x55, 0xf1, 0xa3, 0x8b, 0x37, 0x19, 0xb9, 0x0d, 0x53, 0x6d, - 0x64, 0x62, 0x02, 0x21, 0x00, 0x81, 0x72, 0xea, 0x8e, 0x31, 0xaf, 0x4d, - 0x0c, 0xcc, 0x3b, 0x5c, 0xdc, 0xf8, 0x0b, 0xca, 0xff, 0x64, 0xfd, 0x8d, - 0xb4, 0x03, 0x78, 0xe9, 0x41, 0x61, 0x2c, 0x1e, 0x27, 0x87, 0x08, 0x02, - 0xef, 0x00, 0x75, 0x00, 0x9a, 0x3c, 0xc4, 0x7b, 0xa4, 0x75, 0xd0, 0xc1, - 0x24, 0xe4, 0x57, 0x1f, 0xac, 0x6c, 0x5a, 0x75, 0x4a, 0xd5, 0xbd, 0xfd, - 0x33, 0x76, 0x5d, 0x21, 0x27, 0xda, 0x56, 0xaa, 0x21, 0x09, 0x47, 0x21, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x01, 0xf4, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x46, 0x30, 0x44, 0x02, 0x20, 0x16, 0x8e, 0x6c, 0x97, 0x7d, 0xa6, - 0xa9, 0x8a, 0x6a, 0x66, 
0xe3, 0x2c, 0x45, 0x11, 0x75, 0xe8, 0x4b, 0xdc, - 0x34, 0x42, 0x7e, 0x8f, 0x05, 0xdc, 0xd3, 0xc9, 0x4a, 0xe2, 0x9d, 0x5c, - 0x16, 0xf2, 0x02, 0x20, 0x73, 0x8b, 0x9b, 0x39, 0x4f, 0x56, 0x32, 0xd7, - 0x62, 0x4e, 0x4c, 0x18, 0x8f, 0xac, 0x51, 0xff, 0x28, 0x8e, 0x6e, 0xb3, - 0x2f, 0xc2, 0xc6, 0x00, 0xa5, 0x63, 0x52, 0x9a, 0x52, 0xfd, 0xcb, 0x5d, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x96, 0xbc, 0x24, 0x78, 0xcb, - 0x9c, 0x1a, 0xdf, 0x62, 0x54, 0x56, 0x6b, 0x57, 0x1b, 0x98, 0x4e, 0x7c, - 0x17, 0xf8, 0x2e, 0x72, 0x5b, 0x2f, 0x0f, 0xea, 0x50, 0x0e, 0xbb, 0x5c, - 0xf3, 0x64, 0xee, 0xb5, 0x04, 0x24, 0x48, 0xf6, 0x3b, 0xa7, 0xd7, 0x43, - 0x21, 0x9d, 0x3d, 0x04, 0x87, 0x1f, 0x28, 0xe2, 0x91, 0xdb, 0x5a, 0x40, - 0x62, 0x09, 0x15, 0xb1, 0x68, 0x52, 0xc9, 0x8d, 0xb2, 0x9c, 0x4a, 0x24, - 0xce, 0xb1, 0xab, 0x31, 0x02, 0x07, 0x12, 0x34, 0xf2, 0x56, 0xfc, 0xd5, - 0x01, 0x8d, 0x6c, 0xc7, 0xac, 0x81, 0x0d, 0xf2, 0xd8, 0x13, 0x9b, 0x11, - 0xe1, 0xe7, 0x10, 0x31, 0xf8, 0xe3, 0x25, 0x3d, 0xea, 0x97, 0x22, 0xe6, - 0xe0, 0xa9, 0x6f, 0xdf, 0xf1, 0xf7, 0x0b, 0x4d, 0x4f, 0xd5, 0xe0, 0xc8, - 0xa0, 0xc6, 0xa5, 0x7d, 0x52, 0x89, 0x15, 0x74, 0xee, 0xbc, 0xc8, 0x7d, - 0x05, 0x43, 0xab -}; - -static uint8_t server_1804_cert_der[] = { - 0x30, 0x82, 0x04, 0xe0, 0x30, 0x82, 0x04, 0x49, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x45, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 
0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x38, 0x30, 0x34, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xc7, 0x8a, 0x7b, 0x77, 0xae, 0xe2, 0x52, 0x4a, - 0xc4, 0xf4, 0x1b, 0xe2, 0x9e, 0x00, 0x44, 0x86, 0x1c, 0x9f, 0x15, 0x03, - 0x9c, 0xf6, 0x70, 0x1b, 0x81, 0xde, 0x74, 0x84, 0xfc, 0x10, 0xfd, 0xed, - 0xfc, 0x6a, 0x0f, 0x87, 0x55, 0xdd, 0x21, 0x51, 0x89, 0x07, 0x90, 0x7d, - 0xfe, 0x61, 0x45, 0xab, 0x79, 0x9d, 0x6b, 0x98, 0x20, 0x0b, 0x4e, 0x40, - 0x59, 0x6c, 0xc5, 0x59, 0x29, 0x32, 0x69, 0xde, 0xaa, 0x8a, 0x3a, 0x71, - 0x16, 0x2c, 0xee, 0x51, 0xb9, 0xa3, 0x92, 0xf9, 0xb8, 0x05, 0xc3, 0x5d, - 0x91, 0x1f, 0x72, 0x25, 0x31, 0x6e, 0x07, 0xd5, 0x55, 0xa5, 0x61, 0xc0, - 0xb6, 0xd2, 0xe2, 0x98, 0x55, 0x49, 0xa9, 0x36, 0x97, 0x00, 0xdd, 0x12, - 0xc8, 0xd3, 0x9d, 0x6c, 0x20, 0xb5, 0x89, 0x15, 0x37, 0xe0, 0x15, 0x37, - 0x90, 0x63, 0xe7, 0x2c, 0x80, 0xbe, 0x70, 0xae, 0x3a, 0xfc, 0x97, 0xb9, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0xa4, 0x30, 0x82, 0x02, - 0xa0, 0x30, 0x1d, 0x06, 0x03, 
0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x51, 0x27, 0xca, 0x39, 0xd3, 0x7e, 0x7a, 0xfd, 0x76, 0x71, 0x93, 0x89, - 0xc4, 0xf8, 0xa7, 0x06, 0x18, 0x8a, 0xf9, 0x24, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x01, 0xf6, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x82, 0x01, 0xe6, 0x04, 0x82, 0x01, 0xe2, 0x01, - 0xe0, 0x00, 0x76, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, - 0x79, 0x21, 0xb0, 0x29, 0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, - 0x4e, 0x04, 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x0e, 0x31, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0x8d, 0xff, 0x22, 0x90, 0x22, - 0x78, 0x8c, 0x5a, 0xf8, 0x90, 0xb6, 0x51, 0xf9, 0x57, 0xdd, 0x92, 0x3f, - 0x85, 0x8a, 0x9e, 0x79, 0xbc, 0xd6, 0xad, 0x9a, 0x0b, 0xb5, 0x37, 0xfb, - 0x1c, 0x03, 0x8e, 0x02, 0x20, 0x75, 0x16, 0x9a, 0x93, 0x5e, 0xaf, 0x4e, - 0xa6, 0x7f, 0xc8, 0x9e, 0x41, 0xf7, 0x6f, 0x5f, 0x34, 0x40, 0x8b, 0x51, - 0x51, 0xf7, 0x47, 0x0f, 0xcd, 0xa4, 0xf7, 0x5c, 0x77, 0x3f, 0xf3, 0xe4, - 0x5e, 0x00, 0x75, 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, 0xe7, - 0xae, 0x60, 0x36, 0xb6, 0x34, 
0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, 0x62, - 0x5f, 0xe6, 0xa3, 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, 0x96, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x1a, 0x10, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x46, 0x30, 0x44, 0x02, 0x20, 0x03, 0x2e, 0xa8, 0x86, 0x44, 0x99, - 0x72, 0x36, 0x1d, 0xa1, 0xb8, 0xe3, 0x6d, 0xc7, 0x1a, 0x0c, 0x64, 0xc5, - 0x5d, 0x5d, 0x10, 0x18, 0xd5, 0x45, 0x9d, 0xfa, 0x91, 0x38, 0x6e, 0xf2, - 0x93, 0xc7, 0x02, 0x20, 0x4a, 0x32, 0x4d, 0x57, 0x0f, 0x82, 0x8c, 0x5d, - 0x47, 0x8c, 0x65, 0xbe, 0xde, 0xdb, 0xfa, 0x55, 0x3a, 0x79, 0x95, 0x24, - 0x6d, 0xb1, 0x6a, 0x22, 0x78, 0xbb, 0x03, 0xd2, 0xd7, 0x8c, 0x0c, 0x8f, - 0x00, 0x76, 0x00, 0x22, 0xb0, 0xa6, 0x33, 0x3f, 0xbd, 0x6d, 0x05, 0xf6, - 0xf0, 0x25, 0xde, 0x66, 0x78, 0x3b, 0x55, 0x5b, 0x59, 0x90, 0xbf, 0x53, - 0xc9, 0xa8, 0x69, 0x4a, 0x5f, 0x03, 0x0a, 0xe1, 0x2b, 0x05, 0x81, 0x00, - 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x25, 0xed, 0x00, 0x00, 0x04, 0x03, 0x00, - 0x47, 0x30, 0x45, 0x02, 0x20, 0x24, 0xcd, 0xb3, 0x9b, 0x80, 0x3c, 0xc8, - 0x14, 0x58, 0x4d, 0x02, 0x37, 0xa0, 0xa4, 0x25, 0x0b, 0x01, 0x21, 0x4e, - 0x04, 0xed, 0xea, 0xbb, 0x38, 0x3a, 0xb2, 0xd6, 0x31, 0x16, 0x37, 0xd6, - 0x6b, 0x02, 0x21, 0x00, 0xf6, 0xbc, 0x88, 0x82, 0x96, 0x37, 0x97, 0x5a, - 0x72, 0x52, 0x37, 0x41, 0x51, 0xcb, 0x7f, 0xef, 0xdf, 0xe1, 0xe2, 0xd8, - 0x81, 0x5f, 0xca, 0x39, 0x60, 0x4e, 0x2c, 0x63, 0xbe, 0xb0, 0x67, 0x83, - 0x00, 0x77, 0x00, 0x9a, 0x3c, 0xc4, 0x7b, 0xa4, 0x75, 0xd0, 0xc1, 0x24, - 0xe4, 0x57, 0x1f, 0xac, 0x6c, 0x5a, 0x75, 0x4a, 0xd5, 0xbd, 0xfd, 0x33, - 0x76, 0x5d, 0x21, 0x27, 0xda, 0x56, 0xaa, 0x21, 0x09, 0x47, 0x21, 0x00, - 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x31, 0xe8, 0x00, 0x00, 0x04, 0x03, 0x00, - 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, 0xbd, 0x6f, 0xe2, 0xd0, 0x50, 0x92, - 0x5a, 0xdc, 0xa2, 0x1d, 0xa4, 0xcd, 0xa1, 0x00, 0xb7, 0x9f, 0xde, 0x7e, - 0xcd, 0xdc, 0x52, 0x4e, 0x7b, 0xa7, 0xf5, 0x40, 0x8f, 0xc7, 0x21, 0xd3, - 0xd5, 0x32, 0x02, 0x21, 0x00, 0xa2, 0x0e, 0xdb, 0x6a, 0xa2, 0x6f, 0x6c, - 0x3b, 0x66, 0xad, 0xaf, 0xa8, 
0x99, 0xbf, 0x71, 0x4d, 0x65, 0xa3, 0x0b, - 0xa4, 0x13, 0x4b, 0xb2, 0xad, 0x26, 0xbe, 0x19, 0xe1, 0xf5, 0xb2, 0xac, - 0x7c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x04, 0x3e, 0x25, 0xb8, - 0x23, 0xc8, 0x38, 0xd0, 0x6f, 0xeb, 0xa5, 0xd8, 0xe3, 0x65, 0xcf, 0x39, - 0x91, 0xdc, 0x15, 0x81, 0x13, 0xf0, 0xd6, 0x80, 0xa1, 0x2d, 0x8d, 0x20, - 0x5c, 0xe7, 0xc0, 0xef, 0x74, 0x88, 0xe7, 0x70, 0xe2, 0xdc, 0x12, 0x6c, - 0x35, 0xbb, 0x77, 0x73, 0x78, 0x10, 0xe1, 0x68, 0xa4, 0x4e, 0x2a, 0xed, - 0x3f, 0x23, 0xbf, 0x8f, 0x80, 0x61, 0x4d, 0x3f, 0xd7, 0x75, 0x63, 0x0f, - 0xd3, 0x08, 0x81, 0x02, 0xc9, 0xba, 0xb7, 0x39, 0x27, 0x26, 0x41, 0xcb, - 0x5a, 0xd6, 0x25, 0xa4, 0xdc, 0x0e, 0x28, 0xc1, 0x9d, 0x10, 0x82, 0xd5, - 0xc3, 0x8a, 0x2f, 0x59, 0xb0, 0xc9, 0x1e, 0x9f, 0x43, 0x58, 0xa6, 0x8e, - 0xe2, 0x89, 0x1f, 0xc3, 0xc7, 0x34, 0x33, 0x53, 0x74, 0xd5, 0xf2, 0xde, - 0x22, 0x1f, 0xfb, 0x46, 0x39, 0x87, 0x47, 0x6e, 0x21, 0x20, 0x1d, 0x1f, - 0x74, 0x29, 0xf7, 0x19 -}; - -static uint8_t server_1805_cert_der[] = { - 0x30, 0x82, 0x05, 0x5b, 0x30, 0x82, 0x04, 0xc4, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x46, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x38, 0x30, 0x35, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 
0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xb5, 0x60, 0x30, 0x78, 0xf8, 0x28, 0x84, 0x1f, - 0xd8, 0xe1, 0x25, 0x17, 0xe8, 0xb8, 0x18, 0x77, 0xfa, 0xe7, 0x1d, 0xfc, - 0x03, 0x19, 0x0e, 0xbc, 0x77, 0x8b, 0xbd, 0x70, 0x2a, 0xe7, 0xb4, 0x82, - 0x58, 0x83, 0x4d, 0xb9, 0x87, 0x52, 0x94, 0x34, 0x74, 0xe7, 0x0a, 0x9c, - 0x93, 0x0f, 0xad, 0x13, 0x3c, 0x07, 0x5f, 0x08, 0xb6, 0xf5, 0x87, 0xb9, - 0xf4, 0x4d, 0x3f, 0xf7, 0x05, 0x1a, 0x92, 0xae, 0x46, 0x19, 0xaa, 0xb4, - 0xfb, 0x04, 0x80, 0xf1, 0x4f, 0xec, 0xe2, 0x0c, 0xbe, 0xb3, 0xb1, 0x27, - 0x44, 0x5f, 0x86, 0x41, 0xac, 0xa6, 0x63, 0x70, 0x2d, 0x8e, 0x5f, 0x9c, - 0x1a, 0x8e, 0xda, 0x80, 0x54, 0xa7, 0xea, 0x3c, 0xca, 0xc3, 0x99, 0x7b, - 0x09, 0x89, 0x55, 0x13, 0x04, 0x1b, 0x76, 0xef, 0xc9, 0x84, 0xc6, 0xc0, - 0x93, 0x47, 0xa9, 0x7a, 0x5a, 0xbe, 0xcd, 0xac, 0xa0, 0x66, 0xb6, 0xbf, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x03, 0x1f, 0x30, 0x82, 0x03, - 0x1b, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0xee, 0xab, 0xd4, 0xb6, 0x6c, 0xc5, 0xcf, 0xde, 0x38, 0xd3, 0xb3, 0xe3, - 0x58, 0x94, 0xc0, 0xa4, 0xa8, 0x09, 0x01, 0x24, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 
0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x02, 0x71, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x82, 0x02, 0x61, 0x04, 0x82, 0x02, 0x5d, 0x02, - 0x5b, 0x00, 0x77, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, - 0x79, 0x21, 0xb0, 0x29, 0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, - 0x4e, 0x04, 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x3e, 0x31, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, 0xd8, 0x8f, 0x35, 0x95, 0x01, - 0x7e, 0xc0, 0x18, 0x91, 0x4f, 0x06, 0x47, 0xab, 0xf6, 0xc7, 0xd6, 0x4e, - 0x6b, 0xcd, 0x8b, 0x7e, 0xd7, 0xfa, 0xf4, 0xa5, 0xea, 0xa6, 0xf5, 0xcb, - 0x57, 0x3a, 0x70, 0x02, 0x21, 0x00, 0xfd, 0x26, 0x95, 0x99, 0xef, 0xb4, - 0x24, 0x9e, 0xb0, 0x90, 0xfd, 0x10, 0x20, 0x2e, 0x70, 0x6e, 0x0a, 0x82, - 0x19, 0x57, 0xe0, 0x67, 0x49, 0xa2, 0x24, 0x18, 0x32, 0x99, 0x1a, 0x1e, - 0xcf, 0xe1, 0x00, 0x77, 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, - 0xe7, 0xae, 0x60, 0x36, 0xb6, 0x34, 0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, - 0x62, 0x5f, 0xe6, 0xa3, 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, - 0x96, 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x4a, 0x1a, 0x00, 0x00, 0x04, - 0x03, 0x00, 0x48, 0x30, 0x46, 
0x02, 0x21, 0x00, 0x90, 0x1a, 0xa8, 0x5f, - 0x8a, 0x3d, 0x2d, 0x98, 0x53, 0x7f, 0xba, 0xe0, 0x80, 0xfe, 0x30, 0x87, - 0x5c, 0x9a, 0x0f, 0x57, 0x26, 0x99, 0xa0, 0x2d, 0x66, 0xa7, 0xbe, 0x9e, - 0xf6, 0x39, 0xd6, 0xaf, 0x02, 0x21, 0x00, 0x99, 0x3d, 0xd1, 0xce, 0xe3, - 0x0b, 0x17, 0x59, 0xb4, 0xcf, 0x64, 0xb0, 0xd4, 0x38, 0x17, 0x2e, 0x43, - 0x1a, 0xa1, 0x92, 0x8c, 0xa2, 0x37, 0x8f, 0xb2, 0x86, 0x4b, 0x46, 0x1a, - 0x56, 0x84, 0xf0, 0x00, 0x76, 0x00, 0x22, 0xb0, 0xa6, 0x33, 0x3f, 0xbd, - 0x6d, 0x05, 0xf6, 0xf0, 0x25, 0xde, 0x66, 0x78, 0x3b, 0x55, 0x5b, 0x59, - 0x90, 0xbf, 0x53, 0xc9, 0xa8, 0x69, 0x4a, 0x5f, 0x03, 0x0a, 0xe1, 0x2b, - 0x05, 0x81, 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x55, 0xf9, 0x00, 0x00, - 0x04, 0x03, 0x00, 0x47, 0x30, 0x45, 0x02, 0x20, 0x24, 0xfc, 0x1f, 0xc9, - 0x5f, 0xc8, 0x73, 0xdd, 0x19, 0xad, 0x5b, 0xdc, 0x66, 0x59, 0xd6, 0x0c, - 0x7b, 0xe9, 0xdf, 0xdb, 0xfc, 0xde, 0x95, 0xa7, 0xeb, 0x6e, 0x70, 0x6b, - 0xd5, 0xbf, 0x82, 0x2b, 0x02, 0x21, 0x00, 0xd7, 0xc0, 0x8d, 0x2d, 0x22, - 0x27, 0xa2, 0xc4, 0x66, 0x08, 0x26, 0xbd, 0x22, 0x74, 0x3f, 0xc1, 0xc2, - 0x34, 0x6d, 0xc9, 0xeb, 0x17, 0x1d, 0xa4, 0x37, 0x0f, 0xcd, 0x0f, 0xf4, - 0x06, 0xa6, 0x88, 0x00, 0x76, 0x00, 0x9a, 0x3c, 0xc4, 0x7b, 0xa4, 0x75, - 0xd0, 0xc1, 0x24, 0xe4, 0x57, 0x1f, 0xac, 0x6c, 0x5a, 0x75, 0x4a, 0xd5, - 0xbd, 0xfd, 0x33, 0x76, 0x5d, 0x21, 0x27, 0xda, 0x56, 0xaa, 0x21, 0x09, - 0x47, 0x21, 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x61, 0xd9, 0x00, 0x00, - 0x04, 0x03, 0x00, 0x47, 0x30, 0x45, 0x02, 0x20, 0x7b, 0x2b, 0x29, 0x6f, - 0x7a, 0xe2, 0xe0, 0x44, 0x6e, 0xb8, 0x73, 0x4e, 0x2d, 0xee, 0x4f, 0xc3, - 0x28, 0x5b, 0x00, 0x84, 0x48, 0x0b, 0x44, 0x8b, 0x6a, 0x5d, 0x5f, 0xc2, - 0x86, 0x58, 0x2e, 0x92, 0x02, 0x21, 0x00, 0x98, 0x42, 0xa2, 0x46, 0x80, - 0x6b, 0xf0, 0x18, 0x6d, 0x6d, 0xc8, 0x2d, 0xce, 0x7d, 0xe4, 0xb2, 0xf7, - 0xb3, 0x21, 0x42, 0x9a, 0x11, 0x7c, 0xd7, 0x4f, 0x58, 0x22, 0xba, 0x0c, - 0x64, 0xa7, 0x5b, 0x00, 0x77, 0x00, 0xca, 0x1f, 0x8e, 0x82, 0x3f, 0x99, - 0x64, 0xd4, 0x0b, 0x0f, 0xf0, 
0x04, 0x01, 0x82, 0x53, 0x35, 0xc7, 0xa5, - 0x35, 0x3b, 0xc5, 0x3a, 0x57, 0x56, 0x7d, 0xe4, 0xb5, 0x7b, 0x44, 0x13, - 0xee, 0x7b, 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x6d, 0xe2, 0x00, 0x00, - 0x04, 0x03, 0x00, 0x48, 0x30, 0x46, 0x02, 0x21, 0x00, 0xbf, 0xb8, 0x73, - 0x47, 0xee, 0xd2, 0x16, 0x17, 0x13, 0xb4, 0x94, 0x55, 0x1c, 0x37, 0x3b, - 0x1b, 0x55, 0xa5, 0x0b, 0x55, 0x8a, 0xbb, 0xdf, 0xdd, 0x6e, 0x51, 0x6a, - 0x6e, 0x3d, 0xe6, 0x1b, 0x80, 0x02, 0x21, 0x00, 0x93, 0x71, 0x9b, 0xb5, - 0x52, 0x66, 0xd0, 0xe3, 0xb4, 0x7a, 0x22, 0x80, 0x99, 0x7f, 0x87, 0xe6, - 0x33, 0x4c, 0x89, 0xa8, 0x91, 0x91, 0xf2, 0x20, 0xb8, 0x36, 0x59, 0xe0, - 0x30, 0x13, 0xcf, 0x11, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x18, - 0x63, 0x0e, 0xd6, 0x12, 0x36, 0x2d, 0x75, 0x7a, 0x60, 0x2b, 0x3b, 0xf0, - 0x59, 0x46, 0x8e, 0x3a, 0x49, 0xcb, 0xf2, 0x6d, 0x1d, 0x9e, 0xce, 0xa6, - 0xd2, 0x4b, 0xa9, 0xe0, 0x21, 0x64, 0x33, 0xf7, 0xae, 0x26, 0xaa, 0xe1, - 0xc5, 0xd2, 0x57, 0x01, 0xa5, 0x49, 0x9a, 0x2e, 0x1a, 0xca, 0xbd, 0x3b, - 0x6c, 0x9e, 0x9a, 0x05, 0x50, 0x1c, 0xb3, 0x12, 0x4c, 0x17, 0x5d, 0x82, - 0xad, 0x89, 0x7a, 0x9f, 0x2d, 0x5c, 0xd6, 0x52, 0xd8, 0x82, 0x20, 0x3f, - 0x08, 0xaf, 0xfd, 0xf0, 0x52, 0xc8, 0xcd, 0xe5, 0x73, 0x9c, 0xf2, 0x67, - 0xcd, 0x72, 0xea, 0x61, 0xcb, 0xe9, 0x0c, 0x40, 0xaf, 0xf8, 0x07, 0xae, - 0xba, 0x09, 0x23, 0x62, 0x7a, 0x88, 0x5e, 0x35, 0xa6, 0xb4, 0x2a, 0xcf, - 0x18, 0xaf, 0xf8, 0x3f, 0xcd, 0x50, 0x9c, 0xb7, 0x55, 0x0e, 0xa5, 0xec, - 0xe5, 0xc2, 0xba, 0xe7, 0xbb, 0xf8, 0xfe -}; - -static uint8_t server_2001_cert_der[] = { - 0x30, 0x82, 0x05, 0x58, 0x30, 0x82, 0x04, 0xc1, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x47, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 
0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x32, 0x30, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xe4, 0x83, 0x24, 0x29, 0x0b, 0xdd, 0xbc, 0x4b, - 0x7f, 0xab, 0x98, 0xf2, 0xfc, 0x37, 0xa3, 0x00, 0xd6, 0x52, 0xa1, 0xfb, - 0x35, 0x28, 0xe2, 0x0d, 0x5a, 0x6e, 0x4d, 0x7c, 0x13, 0x9b, 0x1c, 0xc3, - 0x65, 0x75, 0x95, 0xa7, 0xae, 0x91, 0x38, 0x75, 0xf1, 0xcc, 0x9a, 0xf3, - 0xb5, 0xa6, 0x0a, 0xbf, 0xe1, 0x75, 0x37, 0x48, 0x8a, 0x49, 0xbd, 0xe4, - 0x18, 0x93, 0x92, 0xf0, 0xb1, 0xc4, 0x20, 0x89, 0xf6, 0x4a, 0xfb, 0xcf, - 0x89, 0x8e, 0xa4, 0x0f, 0x4d, 0x9f, 0x6f, 0xc3, 0x61, 0xab, 0x1b, 0x26, - 0xaa, 0x0a, 0xa5, 0x8f, 0x55, 0xfc, 0x0c, 0x94, 0xcc, 0x30, 0x21, 0x10, - 0x36, 0xa4, 
0x39, 0x9c, 0xf2, 0x98, 0xf4, 0xef, 0x14, 0xcd, 0xd4, 0xdd, - 0x42, 0xd5, 0xd0, 0x08, 0x43, 0xc7, 0x40, 0x73, 0x41, 0xc3, 0xda, 0x60, - 0xc4, 0x0e, 0xb5, 0x59, 0xd3, 0x7f, 0xcd, 0x8c, 0x22, 0xe6, 0x08, 0x5d, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x03, 0x1c, 0x30, 0x82, 0x03, - 0x18, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x26, 0x2f, 0xb4, 0x4d, 0xb8, 0xe7, 0xda, 0x08, 0x42, 0x52, 0x90, 0xca, - 0xbe, 0xe4, 0xe3, 0x25, 0xd9, 0x88, 0x43, 0xca, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, - 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, - 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x82, 0x02, 0x6e, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, - 0x02, 0x04, 0x02, 0x04, 0x82, 0x02, 0x5e, 0x04, 0x82, 0x02, 0x5a, 0x02, - 0x58, 0x00, 0x76, 0x00, 0xd4, 0xfa, 0xb2, 0x58, 0xf2, 0x2e, 0x21, 0x44, - 0x79, 0x21, 0xb0, 0x29, 0x33, 0x6f, 0xa1, 0x94, 0xfc, 0xb5, 0x68, 0x11, - 0x4e, 0x04, 0xc2, 0xcf, 0xee, 0xf8, 0xdb, 0xc2, 0x43, 0x88, 0x59, 0x54, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x7a, 0x18, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x20, 0x16, 0xa5, 0x22, 0x2f, 0x0c, 0x26, - 0x77, 0xfa, 0x8f, 0x37, 0x5e, 0xb4, 0x08, 0x3e, 0x98, 0x55, 0x31, 0x95, - 0x82, 0xad, 0xfa, 0xed, 0xbc, 0x00, 0xff, 0x22, 0xf3, 0xf9, 0x68, 0x75, - 0xcb, 0x13, 
0x02, 0x21, 0x00, 0xba, 0xef, 0x07, 0xc3, 0x13, 0x23, 0xc2, - 0xe8, 0x94, 0x83, 0x42, 0xc1, 0xef, 0xea, 0x03, 0x6e, 0xb8, 0x90, 0x37, - 0xba, 0x84, 0xff, 0x21, 0xea, 0x26, 0x01, 0x49, 0x89, 0x93, 0x16, 0xd9, - 0x31, 0x00, 0x76, 0x00, 0xd3, 0x57, 0x9c, 0x69, 0xf7, 0x5e, 0x9a, 0xe7, - 0xae, 0x60, 0x36, 0xb6, 0x34, 0x51, 0xb1, 0x09, 0x27, 0xe4, 0xbb, 0x62, - 0x5f, 0xe6, 0xa3, 0x9b, 0xfd, 0xd0, 0x1b, 0xce, 0xc0, 0x4a, 0xed, 0x96, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x85, 0xfd, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0x90, 0xd7, 0x26, 0x28, 0xd5, - 0xa6, 0xb5, 0xc5, 0xd2, 0xd2, 0x70, 0x35, 0x63, 0xd7, 0x40, 0x33, 0x0c, - 0x09, 0x5b, 0x6a, 0xb2, 0xde, 0x51, 0x36, 0x80, 0x68, 0x5f, 0x31, 0xab, - 0xe3, 0xc4, 0x2a, 0x02, 0x20, 0x53, 0x5a, 0xd1, 0xb1, 0xeb, 0x5b, 0x10, - 0x3a, 0x6e, 0x1f, 0x0d, 0x9f, 0x4f, 0xd5, 0xce, 0xc7, 0x0d, 0xc6, 0x9e, - 0x99, 0x67, 0x26, 0x89, 0xd1, 0xf3, 0x54, 0xc2, 0x77, 0xb5, 0x6f, 0x6f, - 0xba, 0x00, 0x76, 0x00, 0x22, 0xb0, 0xa6, 0x33, 0x3f, 0xbd, 0x6d, 0x05, - 0xf6, 0xf0, 0x25, 0xde, 0x66, 0x78, 0x3b, 0x55, 0x5b, 0x59, 0x90, 0xbf, - 0x53, 0xc9, 0xa8, 0x69, 0x4a, 0x5f, 0x03, 0x0a, 0xe1, 0x2b, 0x05, 0x81, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x91, 0xed, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0xe2, 0xc2, 0x6c, 0x4c, 0x40, - 0x0b, 0x51, 0xfa, 0x06, 0x99, 0x5c, 0x2f, 0x42, 0x5c, 0xaf, 0xb4, 0x10, - 0x30, 0x34, 0x8b, 0x1f, 0xbc, 0xea, 0x08, 0xa9, 0xfd, 0xd6, 0x57, 0x94, - 0x88, 0x2f, 0x9e, 0x02, 0x20, 0x1e, 0xc3, 0x05, 0x8d, 0xa1, 0xea, 0xdc, - 0x6f, 0xdb, 0xde, 0x15, 0x30, 0xe7, 0xb8, 0x72, 0x4e, 0x40, 0x5f, 0xd6, - 0x6b, 0x0b, 0x0a, 0xbb, 0x66, 0x22, 0x03, 0xb4, 0xfc, 0x03, 0x81, 0x61, - 0x19, 0x00, 0x76, 0x00, 0x9a, 0x3c, 0xc4, 0x7b, 0xa4, 0x75, 0xd0, 0xc1, - 0x24, 0xe4, 0x57, 0x1f, 0xac, 0x6c, 0x5a, 0x75, 0x4a, 0xd5, 0xbd, 0xfd, - 0x33, 0x76, 0x5d, 0x21, 0x27, 0xda, 0x56, 0xaa, 0x21, 0x09, 0x47, 0x21, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0x9d, 0xdb, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 
0x30, 0x45, 0x02, 0x20, 0x5f, 0xca, 0xe6, 0x05, 0x21, 0x54, - 0x32, 0x77, 0xde, 0x5f, 0x23, 0x71, 0x2f, 0x51, 0x8b, 0x2a, 0xd4, 0xaf, - 0x8f, 0xc5, 0xca, 0xf4, 0xb5, 0xfb, 0xc1, 0x19, 0x1e, 0x0b, 0x5a, 0x90, - 0x2f, 0xb7, 0x02, 0x21, 0x00, 0x86, 0x8b, 0x55, 0x4e, 0x39, 0x06, 0xab, - 0xe1, 0xcb, 0x7e, 0x92, 0xdc, 0x81, 0xe0, 0xa9, 0x24, 0x15, 0x4c, 0x5f, - 0x71, 0x1a, 0xe1, 0xb6, 0x84, 0xcd, 0xb4, 0x7a, 0xb8, 0x03, 0x59, 0xa2, - 0xf8, 0x00, 0x76, 0x00, 0xca, 0x1f, 0x8e, 0x82, 0x3f, 0x99, 0x64, 0xd4, - 0x0b, 0x0f, 0xf0, 0x04, 0x01, 0x82, 0x53, 0x35, 0xc7, 0xa5, 0x35, 0x3b, - 0xc5, 0x3a, 0x57, 0x56, 0x7d, 0xe4, 0xb5, 0x7b, 0x44, 0x13, 0xee, 0x7b, - 0x00, 0x00, 0x01, 0x4b, 0xf0, 0xe7, 0xa9, 0xc1, 0x00, 0x00, 0x04, 0x03, - 0x00, 0x47, 0x30, 0x45, 0x02, 0x21, 0x00, 0x9f, 0xc6, 0xcc, 0x11, 0x2f, - 0xee, 0x3b, 0x84, 0x01, 0x7a, 0xf5, 0xbe, 0x3b, 0x30, 0xce, 0x30, 0xb7, - 0x7e, 0xc4, 0x68, 0xb3, 0x44, 0x90, 0x80, 0x2c, 0x98, 0x13, 0xd7, 0x34, - 0xdb, 0xf5, 0xf8, 0x02, 0x20, 0x27, 0xc1, 0x66, 0x0b, 0x27, 0x22, 0xc5, - 0x20, 0xed, 0x3e, 0x48, 0x8d, 0x0d, 0x36, 0xba, 0xd5, 0x25, 0xa2, 0xc8, - 0xbf, 0x78, 0xfb, 0xb9, 0x4a, 0x86, 0xef, 0x2c, 0x3b, 0x37, 0x29, 0x12, - 0xcc, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x3b, 0x17, 0x05, 0x15, - 0x0c, 0xf6, 0xa8, 0x98, 0x1d, 0x9f, 0xf0, 0x0f, 0xcf, 0x45, 0x40, 0x61, - 0xd0, 0x4e, 0x04, 0xb4, 0xc2, 0xf3, 0x0e, 0x57, 0x55, 0x4f, 0xc2, 0x39, - 0x25, 0x27, 0xe2, 0xf8, 0x73, 0x14, 0xd5, 0x68, 0xa3, 0xc8, 0x93, 0xa7, - 0x71, 0x62, 0xc7, 0x0e, 0x60, 0x06, 0x5b, 0x52, 0x7d, 0x6a, 0x1f, 0xae, - 0x9a, 0x77, 0xf3, 0x6c, 0x03, 0x10, 0xd8, 0x1a, 0x17, 0x31, 0x90, 0x94, - 0x3a, 0xaa, 0x60, 0x67, 0x4b, 0x33, 0x86, 0x00, 0x4a, 0xf9, 0x0e, 0x03, - 0x2c, 0xd6, 0x9e, 0x3b, 0xf4, 0xd3, 0xb9, 0x02, 0x2d, 0x66, 0x59, 0x4b, - 0x23, 0x63, 0xb5, 0xf1, 0x63, 0x21, 0x0c, 0xf4, 0xda, 0x2e, 0x2c, 0x36, - 0x2f, 0xfb, 0xf1, 0x4f, 0x6f, 0x58, 0x87, 0xdd, 0x68, 0x38, 0xdb, 0x47, - 0x3d, 0x89, 
0xb1, 0x1f, 0xc2, 0xc0, 0x65, 0xd5, 0xed, 0xdc, 0x74, 0x6e, - 0x24, 0xec, 0xd4, 0x5f -}; - diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/CA_alpha.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/CA_alpha.crt new file mode 100644 index 0000000000000000000000000000000000000000..8d300ab4a61f06cee0ea96a0a4902cb63eaa063b GIT binary patch literal 715 zcmXqLVmfZn#AL95nTe5!iILHOmyJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghB8X1@w7#e^<lsK;uGM6THHqJ-(86ztLb7L=qL1QOVV<W@6h?pN! z%SD||TRE{CX1-chS1ePLp~ZgZkm%d@Z1z*amY*|;d_8}~M<I#uLr>3T8tlt)?VK%D zvj2(ksqb>zYo|;o4!pvs<nK4PLbgW2YG%ru4+7PfUbe}*o@~qUh+A#@d)a%}IOVji zi;1y0akA&ngsk~_YQ=Khi~DaJzbBN@7R$uU$iTR`ag9OaN&{J7Xvy-ih_Q&=5pxl> z3s%38k>=>oG2w|H*Da2f22~(wWtL)t!Un7g7KSYep+)#L0aFGK$Zla4Rs&{6#{bBn z2}~!<z+jyA`qF8MX}-xzzc@-<3(`8jNjTbNs`%l_KC{j5FYTRgl012num+F#v6r$d zcllRE^d^4YVy602#DXDs`V76xVSi)Yr^md$VX0Ss)5W<*P+)S4BU5~<#`DV+Wr|Hc pU*EOI&aSZPc%6DJwM^M)|EfPPX0Ppiqh#&k+xug7hW6s%bpR?z>2Ux6 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/CA_beta.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/CA_beta.crt new file mode 100644 index 0000000000000000000000000000000000000000..a0e7e205bb4571d787428fd1861724490cf6a460 GIT binary patch literal 715 zcmXqLVmfZn#AL95nTe5!iILHOmyJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1zm>L)un;08M0l8*Ct_hS&6FVE{Bm0bzm4Ugjm%*U1lc}+h z;nZr6b(gEuyK4lu7T;Fh^=EUH=cLQJ`wX*#FIRMbK3Sd?ym8TuU9Fe1^yX$9w9d@Z z{dDl~x$_oblce0|-i>VEqTI8WTQONOu2#27;fUCA&0;?1>Vw;N-|Sc6dJ`1<e$l4# zev6<u{RPK;XQUn65X!tG$0#-Z$ljZ6&HN5Q_s(`RF*7nSE^b_7(74h-78qKxd@N!t zA}R8mGj+3~ec!*`y=&Uf;?%WyEqe{BK+?)A#Ri29SQRV`TM|Nx@M{953?7i(!Yr%? z%#4ixkwX)hPMCqg$o=Y#<m-G}MvbWsQi1=I<o+I?n3(T&>S4omKErQf7qjCk?lUdw zH_ewTym;L^*0+|s^<s^8OM%knz4NB5GBljhXf4R>tM$Ke&HJfSesUGRyil<_bz{tF vng3U!oj(dmZ#cMYOLdb^%EGlBk6v~r9hlt1<CODO$XzUE*Li*M+w4;Tl$P(J literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/CTlogs.plist b/OSX/shared_regressions/si-82-sectrust-ct-data/CTlogs.plist new file mode 100644 index 00000000..31aa5692 --- /dev/null +++ b/OSX/shared_regressions/si-82-sectrust-ct-data/CTlogs.plist 
@@ -0,0 +1,198 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+ <dict>
+ <key>description</key>
+ <string>Alfa-1</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWLpGNv/x8wCLlZthIDbTKjc
+ Q8DmAebMeXf1TzPP/7fUxeWV7KJeD5vBWxB0V9wRFasAmYFfcqRD6AMTIW8q
+ eA==
+ </data>
+ <key>operator</key>
+ <string>Alfa</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Alfa-2</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl3VLq871ikjdTDDvr1LhhHKj
+ 3kOXWrtQoKJ3twK0BRBEj+rV/UZuZRjDNyiLK2mfMJN9TZdjLJphnYYJcstg
+ SQ==
+ </data>
+ <key>operator</key>
+ <string>Alfa</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Bravo-1</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXxLKuBw7sGl0/eRfkX4W7MpH
+ LiK7xB/xkQONXu6cX/IFxMGJ83vbN9NvAbjkiG4D/Pnvrrq9Lb0gWPxovk8u
+ fA==
+ </data>
+ <key>operator</key>
+ <string>Bravo</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Bravo-2</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpPTIhGHP8AjsFnvCog7JOM43
+ uSTkLbeJup8EN+wfhU2X5YJq8mCXXI7+MHyb/ncEYuJp7wg4B7zxhT5KSmIC
+ sQ==
+ </data>
+ <key>operator</key>
+ <string>Bravo</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Charlie-1</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp/wmWR+YBWqWiCJy/EE7FBe5
+ L+CvD3b10ua7BWA95yueo0GVLiw5b3qoNZz23CP+ecw5t4+JFsi/LvL45djj
+ CA==
+ </data>
+ <key>operator</key>
+ <string>Charlie</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Charlie-2</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFQvCj6M6CQKeyxhK2I/u3ZXq
+ YXyf5feihb0Sh4fk78GZisbJyivSHfFRmATdpo7T9IOlXExOZc/ZnGwkPHXS
+ GA==
+ </data>
+ <key>operator</key>
+ <string>Charlie</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Delta-1</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEey422SB0m/YU5R4km1+gQuRS
+ HjY7vcTTbUo7Vnehfe2KCW/yY7lJQD4Yv5OJLci8vCWzDAXCprK5ZpbEiQTA
+ 5g==
+ </data>
+ <key>operator</key>
+ <string>Delta</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Delta-2</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkC23vcfErQghrgdlOPDR7PPK
+ +8/7FPyQZy09igHW2+eLx0+8e6VhaO1OTn2YL50NBxW2WN1wAhAxBfSPOFD0
+ wA==
+ </data>
+ <key>operator</key>
+ <string>Delta</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Echo-1</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEe/QyaSib8V4jhT8vlZTGou9v
+ pCykmsmyQo/3lNI5tGFSiQWaonjQK/reZBXKpG6lwEblDdAazTCQlpmaOee1
+ WA==
+ </data>
+ <key>operator</key>
+ <string>Echo</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Echo-2</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEcxkV7jZBkfaV6BKH8fIYR/es
+ 6DoVZYOW75zIzB5vgvHl0uOKpdwaDVhU5KZo/2KebpqpSdLCeKqX+poxUFxX
+ OA==
+ </data>
+ <key>operator</key>
+ <string>Echo</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>coreos-ct-test log-alpha</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhcZUhfz61YzwzHJrp4RLcCF/
+ V3j+SZYXGXc69qUlq3twpPnAsRpJE1vzZmvqL0Df1t21LqXQK9EgFcIdu2LL
+ FQ==
+ </data>
+ <key>operator</key>
+ <string>coreos-ct-test alpha</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Google's aviator</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/TMabLkDpCjiupacAlP7xNi
+ 0I1JYP8bQFAHDG1xhtolSY1l4QgNRzRrvSe8liE+NPWHdjGxfx3JhTsN9x8/
+ 6Q==
+ </data>
+ <key>operator</key>
+ <string>Google</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Google's pilot</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfahLEimAoz2t01p3uMziiLOl
+ /fHTDM0YDOhBRuiBARsV4UvxG2LdNgoIGLrtCzWE0J5APC2em4JlvR8EEEFM
+ oA==
+ </data>
+ <key>operator</key>
+ <string>Google</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Digicert's CT log</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAkbFvhu7gkAW6MHSrBlpE1n4
+ +HCFRkC5OLAjgqhkTH+/uzSfSl8ois8ZxAD2NgaTZe1M9akhYlrYkes4JECs
+ 6A==
+ </data>
+ <key>operator</key>
+ <string>Digicert</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Bravo-3</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErSVuQLDBj8EWNrGVjb8e1T9d
+ 83xvvxi5NeWb9wnWrjbHVwXEkLQGAZBQvpWzJ5yFLqmVu40KSy1NmV0i78II
+ Pg==
+ </data>
+ <key>operator</key>
+ <string>Bravo</string>
+ </dict>
+ <dict>
+ <key>description</key>
+ <string>Alfa-3</string>
+ <key>key</key>
+ <data>
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfLrfEFaVzHLuCk+kjWnQCfrQ
+ YFW73h7tpMEwhfYmL0AKUGVgrgvg3x+D1YSKs/X86dwdg/wyGA3RXU09Mo/M
+ UQ==
+ </data>
+ <key>operator</key>
+ <string>Alfa</string>
+ </dict>
+</array>
+</plist>
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/bad_hash_ocsp_response.bin b/OSX/shared_regressions/si-82-sectrust-ct-data/bad_hash_ocsp_response.bin
new file mode 100644
index 0000000000000000000000000000000000000000..2a1c31f541d9e45243fad3464b5b457d5bfae630
GIT binary patch literal 374 zcmXqLVl3ifWLVI|m~GI+n9jzj&Bn;e%5K2O$kN0Z0Tc=`Xxz6@$w0wS&OnBZIh2K2 zSTs4mC^f_<Si#v*!8x_4L_s4c*ilo0-^jqw#K6MHz{t?h*uXr>Aju%Xz{-G=ja8eE znMs<Jfki~&%CybDFYaiuvJkm#e35s>scE}}SwuD|OY`eQEs}jb&18B0-06aiB8j`1 z7`+z?B8)TugD8Xm)Q*M928ssq2uCxq2(bwG98Lbj)zZVfgm?PIMZ4uT8St`kYPET^ zedlEadX0g(v5`Sq@jBzZ9TDD@S&O@uKiIqCR)ojy<!8T76y0o5aMM|}i0`oN&*KKV zTjtAnCmDKdna{8{eA}B_9~L<!{&`<~H1y!NqRR83jGRv{z1zEt<CvwDc-f3qiA_5l vAMW-~kK>N}Wg{fIZ$h8uvzXa`);laQyuRdEp%UY-O=t7u)oyQG{KgpoD5Zb5 literal 0 HcmV?d00001
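Review bot: The fixture gives no indication of how the `key` values are consumed, nor that the list mixes synthetic test logs (Alfa through Echo, coreos-ct-test) with entries that appear to mirror production operators (Google's aviator and pilot, Digicert's CT log), so a reader of a failing test cannot tell which entries it is exercising. A one-line XML comment right after `<array>` would fix that: `<!-- key: DER SubjectPublicKeyInfo of the log; SCTs are presumably matched by SHA-256(key) as the log ID (RFC 6962 §3.2). Alfa..Echo and coreos-ct-test are synthetic; the Google and Digicert entries mirror real logs. -->`. Whether the consumer derives the log ID from this field or obtains it elsewhere is not visible in this hunk, so that part of the comment should be checked against the test code before landing.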
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/digicert_sha2_ev_server_ca.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/digicert_sha2_ev_server_ca.crt new file mode 100644 index 0000000000000000000000000000000000000000..dd14c1b21886d9e63559403e819aa2ac2b516b9b GIT binary patch literal 1210 zcmXqLV%cWU#5`{SGZP~dlK@ZUN|y~if>RYHCB{F>mTflRW#iOp^Jx3d%gD&h%3zRV z$Zf#M#vIDRCd?EXY$$3V4B~JJ^SETDXF8`Al_+@TB^yc_h=YW=g$2sX%k@%#QprFm zz2y8{Lu~_1kQB495?qHzW_pH#V{vh5QDR<ls)B2nLQsBwiGs7Eft)z6p|PQXk&&U1 z0T4uq^BP$oaSci-b&ZLE5yUmxaMuKTI2tLqR+OaXrKF}PgeB%=rX-eR=I1E{rxul^ z7J;1A#HfTEE{v=U%uS5^3_x)%rY1&4hU>vgSOR~{Tqfq>ovyxWvgZZMw>%p*FtmS6 z*Jx|)=}W$~XQP9~qsw34EM=A0VQY7Ernu1?iJo5{d6uOpww`7eFxe2)p)H>=`_jgK zp$(faJ@1g0e{WG95**)9X|E@>YK5G)Ht*`~$vaKA*NW_k^u8bHb!p)vo<|d!+OyWZ zx}I`vM(B&b>!kv6LiPxL`s?*+?(TZNFIV^ViFFEv-Z)Tb^6uLm-8V<tRoi-RC_dTX z%hP$sQce8sx9d|{Z?Gs9%+1gLAG1sHq3h|eaE&?{UdQlN+jpq%-uUE~)_X<eQmM7N zv)fF2=9F(OUVCGT?vu|vbKf2GOR5t;P&iNL-p8K;8j{9L%!~|-i<=ldfg$2*AOs9y zSz$)T|12B^Y(R>Mk->luB*qUCV*#eSHUn7@UzJ77K!lA$n~jl`m7SRp&SEk!fw37G zSu_mP3{+rz1I9LqjFOT9D}DX^<l+L9q-Nj^GE|<$#lXqHVS(KOn>H(`(&VBX6BMQT zu-FGBMR-bd4Fjb^XGcAtdIMXKVG1l}2B0Lv0%S56Xc=h0+`+^sCId3O80Zl6B(Lur z5Df7kABz}^i0$QorPmg$efQZbfh+a0;*}piuJIelgG^UukuVTz5ZP#VIFtFues{(z zGt{IwnBFI+XdgySZoq5^Om2(}bGKcX(Dty6>Fv=4A53IQ4)&IvY2#Y)!K=&Zn*E8D zzH4hZ);`-7uw#*wZwLEEO~pIUZymEyeDGM%vtUh?EaQ?>f>z<HYs0l1O8#D!ZIuYP zAMRedur^dd&)qzrsHeV3`chKAE_2ka!zUJ=(+OI{ko>xMSK$dyb>-<Pt@AAS)+T4z z><Vg(s9dbWbN^oMYr{{w7S!Z?)VcC-Z+VM3^EsofCuTKDc}?=OcAM4uuX)kWc|D8I z@WySnJ<n3nFCtQHH0L<OvX~=V7l!smg=H*JDp+OHSa@^p3RmkdProe+ynDPl=|w(I i$?F}re(Z1OtqhnrVYY<z#7OmzrW(Sl)#|Q(uL1xCVyYGZ literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/invalid_ocsp_response.bin b/OSX/shared_regressions/si-82-sectrust-ct-data/invalid_ocsp_response.bin new file mode 100644 index 00000000..63bba785 --- /dev/null +++ b/OSX/shared_regressions/si-82-sectrust-ct-data/invalid_ocsp_response.bin @@ -0,0 +1,2 @@ +0 + \ No newline at end of file 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/pilot_3055998.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/pilot_3055998.crt new file mode 100644 index 0000000000000000000000000000000000000000..18e2d3ee9277853783b621540e2b41fa830f9513 GIT binary patch literal 1534 zcmXqLV*O>%#PVnXGZP~dlOV&Ln1(K1(YME0BX8^z7GPXrz{|#|)#lOmotKf3m6gGu zvCoj(fRl|ml!Z;0$=%6N+CUP-;Sd&bFG@`;Ni9<FP0UNqNG%334FwGNK$7gj?7@jS zY57GdhEfI+AQ3KML1%woe;0oRXGaB}%-qb9)D%M#10#?ev#>T)&b6W>H7_MKMIkIP zCo?6nBr`uxAviU;v?vuw6_o+)a&|P36X!KFHZ(LcHvoeuAlJ;m$jH>l*woV0GRmNd zk;72PKmcSit1zd9fuV(=rMa1bp|F7<8@DzaBMW1bxeXH|voKR=u%VcN2(loPFl$I^ zMPjj`tbsJh0DfVSfTGMYpf?r#i_#PGGONIjLJAR}8GHsjAhm+Rtmc-cX67(S4q>K{ z2&51R&&&e`QL&-8fhb5hr!XJT2MWP@!0^iidb7k(#y|=r!6hsV_H$-QB~TP(wNqkV zHrS;=S#DuoSYU-I1PA-T;)7XOsJy&fuedm=JTosHs7o(7KNlDlO33la$jZRn#K_M8 z6z5`UVq|1EUv{pvEMF-}J|{!QUP&^2#e?Ft8{7C7ga;;umG21rqG2$*>r)Wd)<;Z? z-V-+Ytm*hGviHQS?FxtddksG{+jCueBI7E3Tz|!(#SN=mSGkDfeV=)FQo8(9pN-cK z7pB}ie{ar8LC3?w#h<2jZqF4^da-W#qLq=4WM;qL{Dhr7_o_d8zwf%Zz{%g2FGy6L zpD{ZxreG=CNkQXnC(;w$%2%GTT(8Lcw?A)UfT>GC-?I3ecsrddA>Suy<g63oy7_;m zZcc!qo^y4g#UG7n-pQs~U&IRCmmhsA7_j!=RCm+$XNuL!bboUnkNn%)d~;vkfmt?t zT#d@M+-N)_tr;e}&Un?1rA*9>42+AL7_R_B<br`bF!*JaStJa^8bmr=0{;hSWya}t zd{NwWljqa9)30g_WI+n}Sj1RF5<XiiTE~`uUDv!seA?vydf#o@H-OW=EI%XTe-;*I zCe{VuWFadI;xidAKs2kefKnU>Fd4G4vNJQnSxg3QAhQ)%><w%Utl4<L>2#AJBNHPl zqk*=8CQKm{qnK<)Nl8JmmA-y4IA?(3IX@*IMCm&R1RDf{%#mmDG4L|*Sm3t6rOgSX z9;iIIC<m%GIT4~7oFQR(4w2;`IS!KHoE`Om`V1OdU=CnpWT`MHGw_4)4VaKDC?V5= z5(5>ud5momPzUEH7Z;!yXrK%7n;?stfl3pW)ZWC0mikdkGGNMQWZ1^Ub}C@UkNFbX zx2GMjV)s9#!rGR>_}zPE@ZZjrJM#}L+Um(9Sw3G^H=$tWl+{V>_hbbQBropp?`p1| z%lLMk<!0YK)z@yVNWJ)3=CtH{L)J$7IqUcO`P%G18l5()d*b#&lQIQIb)gJd-qjbT zw2Loav{=cXd*<X)|8;jiuIzt*s%CMtsQbdc9j8Cpan2Ixt?=#tTH4^T@npHp$~--r zjp>u7*zZ59bSJ9si~P*3CgN-U{^+>)cweM=_v%Rh;Gn=JW_SA^zjbxoX9dfvHul)e zjQ$fQm@~`pyIIa^kIgdWt7@!jR?j^;tJn5mK~<~y_Kst742@sy|9k&@@<Q{Q|14zy DKCAW2 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/pilot_3055998_issuer.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/pilot_3055998_issuer.crt new file mode 100644 index 0000000000000000000000000000000000000000..84bc199609cd0f2816a2a06410b62224acee3cb1 GIT binary patch literal 1290 zcmXqLVr4UEVt%)PnTe5!NkDM%mJ4rsx7W{Ia5h#qP~XXbmyJ`a&7<u*FC!x>D}zB} zqan8eCmVAp3!5;LyOW``fh35-AuQxxl$uzQTBP8cn3tT9S`1_w3K;N#B-w@8gA;So z@{3Xor3@rMB3#0P&i=msF8&J6jtV}RxtS%YDTe9>svtRLVL6ywYEemMT4r)$NoIbY zf@5h(Mt)IdNu`0DIIp3BfvJ&+0T@Jy^BMuU#s-E4CKkpPQ3j2DG;^bgff2-w+E6#T zR+OaXrKF}PgeB%=ra)X8oSIx(l&TP%T2uxM4`)Y%CPpRXaAag<U~XdMX8?+GF*PwV zGMw?6W_(t)H~pQ)H1l@158qf8wbTc%n)Xb7Ba=+t+gimd*KOn$-N@8mvHk0!w<!@R z4_#8tJRKDnd#!~ZaeU_a6mB`$e7nqKm*&3xx*r#^mfp&HSDi2Ys;pU~#7jo|^4BBG zMU&UJo#X7WDZO%%OTXyz+P!=RHZ2Q_<(XAQmi8aM_GRmnyKPlpC3j_fY7JRrAb9HH zq|??VY(fjnS7+S_5xk!>OKi%{Ez47nmFOCN_6>R&8aV&7-J;&I83mW}m!-PuOSkTh z&i(o6085&1OV!+S>Nmc)%-g?a-^|<D{<k9(H*~6R={LIO9al6l?mp|>o1Xe#w&e%N zm!58z`|R?Qi=QqtF*7nSE^cDX1cpeefjlsTWtCYZ48$5lxFeo+AM+74U*fRRV5Q<d zceALl{|2%k1$-=GEFv8)f&T-vGUIeRz9{ax$@A&l=~p%2G$+f?$oQXy1(>GU41_?+ zg+Y7{12!PV#K>S^2NF|YF*h(ZFlJ)`G8qiC4K&#}wAp~EoSlhLOg5vWq@dVJU%wa} znR?0jx%nyiAWGjkAlSeYq+g!J$-u$DZh_4Lt2PUedZ6;;q8zB&<V1*Sa5{HJPRj6< ztOrzWPy(}+k&z|CAPwj=s4EPZ+Kk|)mS8j0F(oCWsI<5QlG2<Vf##JMsKE6zwn;$s z=O-5zpcsIh9D&&ym>d}yW;yR)zoaPcY;Au1mp`^Wy9=Jl-DUY}e`oIe{hejAKeZYD zso(roYhtj@qg5LopU^4%F50Cm^D$Ge@%P3(N!+WYLS$|##hLgl{ie(xTV;FO`D|vL zxOvdo;Dv_-uLM`9r(ErH^c4%;J>m3+8&B@uz08^7q4D2HxkbOHI#mC>W{0^+1;6pC z|Jy%JTQb|FVe7t}u#nYD8t17>XoOhR>m;9#ROpe&w$Ryf_w8ecdpu^U;j<20OqdtP zoH2c!l=Umu>wz;p-?>DFamQ`!&v?}}@6@G}3z+K)RKFOV^b2TiUu5E8>u*~A=SIh? dZ?$sgoVQ&)lvQVumhAidozZ)Kl^0s+zW}kj$&Ua4 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/serverA.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/serverA.crt new file mode 100644 index 0000000000000000000000000000000000000000..b160f2ec9d2e42e909a31ee70cba122c68003817 GIT binary patch literal 744 zcmXqLVtQiG#N@kxnTe5!iP77DmyJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfxn@XQgCbNr#SKIucJiUxNwkHAiU#r^6PS4<P)*QF zEGWoH)l1ILHE5iV>~ls|2Ij_I27|^<rp88wL#Y#azjZmd?VUH__75SMUu93KMZVg< z{~m7=`h8yHYmYVC9Ljfcr5t{7cW;o2|8}LfPfo0vH&6Fr+DeD8+gv-XGB2IC`6cdh z-2cFjT?!e;N-Y)~y&@IUwtMP|Lc2eox0Otqq4<V*!t}yLS1ZqJMV=SC!_7SRZ^GL6 z`lVbdvzw15GchwVFfMLfY0$XLKo;l`Sw0pq7Li_aO{<QjF_P9770o}ty{h$fvuC?O z6-Zi{rP!dbK_o?<bEa-qwD0@3yLV0dS)95yuVwGTuq7e1h|?xUMsPBb6=q>FU_cH^ zU?O4$hN1f7nQ^a#mrOeRWXaE-500Lm4uQKwo-K)P*?u_OauN3hg|tf(S6&p+uYVXB z|KEJx@3*gxR?3^45&dw4kxeLyy>Wfc%%Z3q{?2=h9^aM<@nv5Vc9?x}{#Hv*c3l>e phb+xYN_c`oCTAtHvh9~;G+6!Nt(#hD+^i*x&!(mx-O1T90{|eu`4s>F literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/serverA_proof_Alfa_3.bin b/OSX/shared_regressions/si-82-sectrust-ct-data/serverA_proof_Alfa_3.bin new file mode 100644 index 0000000000000000000000000000000000000000..b1702025e83c7b2b4286a73fd6a36f6fa7dfd661 GIT binary patch literal 118 zcmV-+0Ezzq%e|$gPn5-_89vOIq>qz1^8rnXyFoaJNo0{DtOn1I0003?@uL^u000C7 z07o!I0wDm3Kc<Lw8+)5Dn=Mr5;~Lubt#-Ovha?!r-;?JFXUld1AXQo7XX2ZjcaB+1 Y=y7Rnno_;$``0#}&>58`v{(3cY}cVR!vFvP literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/serverA_proof_Bravo_3.bin b/OSX/shared_regressions/si-82-sectrust-ct-data/serverA_proof_Bravo_3.bin new file mode 100644 index 0000000000000000000000000000000000000000..345de9492cfd48e8c9a30526d793cc07e975cb9e GIT binary patch literal 118 zcmV-+0EzzqI~wHU`4y$2cm4p+UGW1@`3(yWZAx#T&*`Ifz|u!b0003?@uMHp000C7 z07o!I0wDmvkI?y>inOAMf53+1!j+-Vs@4DL+(yyb_vfFAo^M+MAY6dcB}lZVmq*Kx Yo>uefW?~F{wMnrO>G^hyaMxA5i3~?OkN^Mx literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/serverD.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/serverD.crt new file mode 100644 index 0000000000000000000000000000000000000000..1004067ad22a4aa86b32ad0e0c7353398795d18b GIT binary patch literal 744 zcmXqLVtQiG#N@kxnTe5!iBZ^qmyJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghB8X1@w7#e^<lsK;uGS{F8)lP8(QHY&<sCE)<p`oIIJjeuQ9tl(v z^b!jSa#Hn@^K%Uv=Og=^k(GhDv6sQ1v6HE>kzp6Zk>B>S+MK1-X3mvNS6}6FWtaB9 zYNHog$2-j&udn|y-Pf`Dc*CyB)pK5-vDn^xKdEkgj#2m_$5+KGU4QI5q{h$q#+pf` z)-q<<ocrGLSA8$V&FA#V5M0c(G1cjPx~jqCwtRD$=A?@%zdC&x`pUEZR<_zjzMXWx zYvHNC|D?amGchwVFfMLfY0$XLKo;l`Sw0pq7LhMb6aM;~RTJR8ZlbhSS#3ei`c*jw zRUm0)mSTg#29Y~rE~0k9>Nhgd9346)Jn`eY#j$c>*pd)h#Ay>FBRHAJ3bQa7Fdzpd zFcC2W!?23&vG}QX57Nc{eq1~M$Ln*<;k6TTS|2#uZ?WP?eqZ_R;o=UX^ZokwE*zM| zE%xw==haOudhNfYqo)Q2@@jTm=n*J=T(Q~D^5ByTO50QR9iIE2>15hr3%`zg%SszI qi|_pRJLQeF*x3)fqWcS+c0GL~tN)Hm|GN3yW87+=e+y^M=L7(~@c8}! literal 0 HcmV?d00001 diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/serverD_proof.bin b/OSX/shared_regressions/si-82-sectrust-ct-data/serverD_proof.bin new file mode 100644 index 0000000000000000000000000000000000000000..afb46d8789d798c97e44066104f69f0c48c1b097 GIT binary patch literal 117 zcmV-*0E+(rtEjcKeE<L(Mp!7s3dair_K|R-U+u_rKs?Y`9XyN{0003;+yrnA000C7 z07fuG0w8f!FLkIo{Q)#Y$Aoc@9>O-_2nUiYpF|FX76{<4#km3?DLxNlT;~evAC^iH XhH?g_CB$C#lGq5C7rOHPP+~SIi6tv{ literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/serverF.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/serverF.crt new file mode 100644 index 0000000000000000000000000000000000000000..6d853c326d1934e3c7afde1ca3e8f2b5f70ffc64 GIT binary patch literal 887 zcmXqLVlFmlV!E?{nTe5!iBZ&mmyJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghB8X1@w7#e^<lsK;uGS{F8)lP8(QHY&<sCE)<p`oIIJjeuQ9tl(v z^b!jSa#Hn@^K%Uv=Og=^k(GhDv6sQ1v6HE>k>Qdj&xNBa4)dGM3}LwbLF=@lg3p>& zr_B_KDp)Tb`g!hT^d5^_ch$dVbA1qdbh4z!J(_*u(wy@@xmY)|X6=i-y+~S7^Wl45 z|Aj~QioNb}%};Tf+_X9Oe{<rU^Su{1b<EqPOTTUY;rjm3>HoRApDfjUcc4Oi%AM@v zZj2>AQ>`NvzcMj1GB7S~Vl+2sVl+081$sr6k420{By;Zkx|=37zpfstW8#<dm0j7l z;<P~(NLrbt*r2dM<c^q&s9mu7jf^x$hmHwP{J3s$tXvqjB!m{R+Qi5RPAIa%EKCN# zkn3XO(q?01VZ2t!#KOc<!&1di!BEDqdd1c)wG0f>ZV?(sxQ=r(f16maIR5R45(k?L z5wbQtVhjw7?sr)BL@_Y1Ff+ItxH2h3TR+NPbjx$o(ok7_UqwCL?~$98WG7g3l&|$X zr6KFJf=Q8KI|s+_EH>d)&wMjo&K(f%w`(wXbm3w50TYex8?9SKrX$BJFikT9qjX(Q zee&G9@BEJ(tyb9jqSH?2pBbN_l*P5pf6ZU3T~PnUA~ffb!o$S<?-E>F7Q8wq|Gn7o z%Juf=SLgrl6){rk{AOtJUdAkxH=cK<Swz<2{~wM&h+|Ti&%(82mz2yV=hj1KE=}!M h5R`p2PvE2LCEuwHZy&Z5z6;>rP%LD0ck0odApjdtEGYm0 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_1601.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_1601.crt new file mode 100644 index 0000000000000000000000000000000000000000..82186677d4182a4faf95966cc93cbbf0b2f28ce7 GIT binary patch literal 1008 zcmXqLVt!-L#2mVSnTe5!iP6r0myJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfxn@XQgCbNr#SKIucJiUxNwkHAiU#r^6PS4<P)*QF zEGWoH)l1ILHE5iV>~ls|2Ij_I27|^<rp88wIZQJoKbThVMZTUSI{SIXvO|3{lG^tM zE8m{|G=44%i-Cn<nMdYCtJa>xJh}fj9XS4WioYzG(Z*2~Y%bUGreW2cg(r8(e0H*J zR%WU`x6SnEd;Xt}Y59CNmM4Vduzc^9J3Ujed-??f57*jefuoTg*BazHH$ITAQehDO zvHEicPc#!VBLm~&CdLg0O^j;{WPx6h<zo?J5n1Y%sb*p``>yZW^}8+SRGED3lngMa z0!b^g6dM#ah@{AK&eY9{_I>|$_pWI_i&NL;wd`FOwj_iWvD(DQ2u>)n!YoV%3_zDM zv2kg$F|sgTt7KwfVrl%$()fYl9YZO@m0z18KItjCR4Q)JG|pc*<<Hg(K|hv5=imLf zeaN{ZGK7JF(fh+Q!6pU<7G?%F0~aO*|3B)w67}zSg6HP9cHIuVQ+4DCmzy`s*J)Gk zYEPWOk-(&&R1!Jo)#BxyoMNxz=LOEFm^+o*_+h?o(%~tu*^B+27y+%l96l%Wd)%z& z>k`binFMa+RDZHNDgN2w*?%ucpF807b{fQ5*(`*$$<q_=O}ob4^^(nMUPCX#D*4Bo zJT8knUYd~Q{MAn@bP|(7(WORnBb|es4u6v+%4Tnq&&m<XaS*-petpvG*azIbuE<FW zn3<S?X=$~1i&f6fOzZYpr3V7l4oc5=?hjKDeHqrWw(*05<#D;?V*T!!@#m*8s5Mya zXbz}4an-{nSG882S3rE~tu2qWdTeXrearv8jlH`fP-w#i)dzcog6(9&jYJsTFB~)$ np1E(fz%sF&1)q3sd`<V+>|FGpgK@oY=W~_rx$)^rxhbar5bj!1 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_1603.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_1603.crt new file mode 100644 index 0000000000000000000000000000000000000000..60963d35ff1d5552cc362f68a47b953a836efd62 GIT binary patch literal 1011 zcmXqLVt#MX#2m4JnTe5!iP7GGmyJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfxn>5&aIQfSs-5Bnq7XazQ0*kzLPJFZd5{UrJQAoT z=p_~u<fQ5)=jR$U&PVn+BP#=QV=se2V<%H%Bg34RX>I+1mD*pDzQ5H@`gBF3ZAOT> zWX043hi3{|c@HHW7Qen#!heX1>1SPC)ej;4IZO)~CYt4|Dy(HYxTo^p!V<48-IO@? zB(@#w&!27emwmKs{jQz6-c~+*?KS^oP@?lw-zm#~uF?OtQ(^t>$&6;5``=#J;LkB% zsNP3Kf#c+(U?yfp2FArrjGGOb7}p!f0=**3$0EievhVek+sr;o?V8uU*1Yx8m7ztZ z<)uLtNLrbt*r2dMBt@QcrfycW@B6pAcTM|QoVqrzW$(hUB_Xtk)h0$pa6*w4W??d5 z0J@ZwjZ2%2k%jSEB@+u1OXD||#?K5N8Oj*0{Mr=pNl($GQgMT(asI+7f3{`_`mr23 z|L(`_L(UzMAq)(R-XET6E@xn1VP<eQaAi`+>=dmI%=G<jFDCxt<J2D~(=ObMxX-2( zFsC8+lGFeGlT3;XO$y#p&mYy~ig~YPKC)dYB6aRmPX?#p8GnqEH!SP^m(5Vla5;QV z=J&W+&(|fGZ8Hhn$f^EhcT)Vb#k2ojkUn?7>+Lj%y{2todp!)?fTm8h?*66_UgN)r z;dk+mve&X@Z>(3uh3(ogRY7vwMlRl`KqYPKzix28CB2-DB`0p(l1YcUK3tsP^6K*U z2MODkt#lIlfSjs;`H2~roQ@y9svODCJK?KgqB48sX<xSq9hQrF56^u1`SGu!<4pT` zt~hNLy1sI0%O9KSc}5chjGr{MT#IchelVrnV%p^mN8FU2R2QwTyZVo%u1`3#ap}2t zO)VX~7kK+~F8seP*LF1O_ym=tMdk+r_H359r|4tgAs_UWJ!;XO=|8p|7J9bj5&$Jl BaZUgL literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_1604.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_1604.crt new file mode 100644 index 0000000000000000000000000000000000000000..a7c9a2ada679e3e375970c2182e8b8369fe0aa12 GIT binary patch literal 1132 zcmXqLV#zRQV!pV5nTe5!iP6D;myJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfxn>3?aIQfSs-5Bnq7XazQ0*kzLPJFZd5{UrJQAoT z=p_~u<fQ5)=jR$U&PVn+BP#=QV=se2V<%H%Bg3YpKdY_Z=JtQu_)On6Ve9N-UG~7G z2Pd1Y|F2$j?`+)5ry;(-!hJp|uh{(UVini=9n)_euK&5kcG^NCtLb0En&*AHv`$~{ zMCGx4)<?JLoxbAK7kEYJ0$cr_?uSbsu21eLR^ZMFx{`2viQ)Fmxlt_Db?c<%p6y}P zG1=Iv6SJp^aW)e(BLm~&CMF$&CMFF7S)f;B`B=nQM9w_>(DYPvlCP<U;ao|^-oj@- zYXuCdK+?)A#Ri29A}R8mGj+3~ec!*`y=&Uf;?%WyEqfP+EeWATtTr(+f)k3YFbk6b zgFzEx9UGT68zT$jwMr%yCYC0~JRr_u%wQ;ExbkaL#3wyPmrBJAn#TDHr~KKPA?U|) z=={4Mw+}gYM20XhFnWJ@=D3A{frXjD-N2Pe!85?_yx)|gwY<~B0{qiwxpb;b2)!*m zFY&!}soC7E`|dI+GMwnM$Q3=PC3Ao8zMgq4YYG|83a#mDUjHfQ@ZS{%IoI_W${8+) z&&m8AH|zPj1hZ`>fg3s1pX^SGf3|q`-wV>`4tTwt2C>(7GT2@Z12>?lx9_j6V_EsW z$9-+y_bdAZ6|Gwt_U*g%{4C3_xh*j{R||kj)(dbjKh+EtPBhc<YfO1s_kHW*;_2;8 z<{cmMxlca)<i$|RptNC`vHjj$)^8tF@1<2(hek(E*dKgyMW$CgGuK0H)<%fMkxRf9 zyBWAJDX_)}m8YfM4!h5vemwQ2V)V1mc2_Qa3)8N9)Ooi4YIY=(Li}vT`TDCi|JZrK zC~U%3N6XOO4_1pg>qEA)tZ^1rYIH$P&cKY!3{1ymv71;MZ6g*|t!3<U(c|O3_^|Qx zhk}RvFBuFkv(0onA*_A=l3qYcK}LW4wWpiI4tjkocw)i%XK8jUua}l@P8FBTo?i_& z&R5USe)hMScg6G7mk+Pq8hkH_tMg`j)?3xhTcgTEw=FvQWl!gVlH#WOalRLgH*XQ- O{p_5-t*dR0d?WyZcAwDz literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_1701.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_1701.crt new file mode 100644 index 0000000000000000000000000000000000000000..75a27553df2910c33c9ff9dd0759450165f061b9 GIT binary patch literal 1133 zcmXqLV#zdUV!pJ1nTe5!iP6!3myJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfx#mb*gCbNr#SKIucJiUxNwkHAiU#r^6PS4<P)*QF zEGWoH)l1ILHE5iV>~ls|2Ij_I27|^<rp88w%X22ZOU<=SH=hvd>XTr`r}|KXN3QGt z(?thw#pgbm6=LI_(=00ck%h&p(P)dc5KFr-?}aPrDqbn`U;Oe&iR{=Gac4<#Y|Q&x z?+^9wEsEH(`VP<efJ&!^%`@uE8zc4$w?w{3*b?$|a*~1F^}7ACahLV_IXbPDXdgPb zbnYwl?UGE)j0}v6o0xPBnwT^VWPx6h<zo?J5s?xViFDlQW+%aTP;mvvv4pdGM7RyA zK+?)A#Ri29A}R8mGj+3~ec!*`y=&Uf;?%WyEqfP+EeWATtTr(+f)k3YFbk6bgFzEx zJsX!c8zT$jwMr%yCYC0~d?3zd%w#BIxbkaL#3wyPmrBJAn#TDHr~KKPA?U|)=={4M zw+}gYM20XhFnWJ@mimT)frXjD-N2Pep;~Lnz1y!B&USyd{Px^hA@*+`N^2%Ki#=j@ zSbC}Q;BiwXMTWNg%g6tJvfh?daZ17_aG}z^%Zhi_c;CChb6=6^j+NMYpuLyF=VX45 zoArEMg4s5cz>S>hPj)B8KU+Ne?*-{|2fW@+gV<Ym0dB7%!$(GuW8%Mz`_8(UpDuW% zUg53Q`*DLM3#Wn3i*u#rf1ficIBT;VJ<w)j=@1(Jh2>3?O}WDJl(~hHd+go!Efw&O z@n<M!P};D}*nV#=>$eZ8_tGk?L!%=n><>P<BGW6Lnd_l8Ya_(o+I3)iJq+A{zM1!D zLxan$ZAL!lLpmMSPcgi|aET(T=4mFG>+u@jou?iFD!C?iR&cq#K+d;X%YqB<`({tx z^jW8^oMA)3$qGB>xm&g)r)OYJW(FqYAgS_$64w{l@g0ddX>&@vYpvOKx0PQGf0|Nl zaqTq6<kGW+j2idZY_gcnd|z|4=96-{KtlfsUxSvV`R95(pGo^@^h8hHdM8@G|5Y91 z&ZF-W&87I?G^{X<tIV4laeKd6#~1dxNajUtCJw8lZ!p%mCTx~>;SDX4Y5aXh{ol#* G{sjPiQ<3EW literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_1704.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_1704.crt new file mode 100644 index 0000000000000000000000000000000000000000..1c7e0123f1920836103aaa130a6f4db24e157477 GIT binary patch literal 1133 zcmXqLV#zdUV!pJ1nTe5!iP6b`myJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfx#k8YaIQfSs-5Bnq7XazQ0*kzLPJFZd5{UrJQAoT z=p_~u<fQ5)=jR$U&PVn+BP#=QV=se2V<%H%Bg1yHj`OASUfVi!%(<_!XWhaRT^{dC zXT-#nZ?0N)`?f@@zfzp}^EAy%+fU>e>@DB>H{xvUn(Gla+gEb0%;(99lX>?h_1{i* z_t@UblDT$%c4-IyMTFYLFdVHao5*rcnzb$O9-HR$oibZ5+B5F&*Z9&deM9C$!+PIG z68%5yH9qZ{%f!scz__@HN!Or>Nz*_U=oMK$7BLo)r2hxhlr{@VKMho!qnIlv<sjK3 zZ%_r2R%R(SC~Oc(k>{MLn-%T*{_XBv(|#7GuFY%NyD)4?2rXi@iIEYUP-KN!m<$*U zni%WZxU|_ASs1TXGO;kRG%@A_aW-QnLm9)BUz;L6=_$HYDsIp;&R;m?&(;h<KbAx1 z-~G6K$hjjjgn@z4`@^#?CI$u;W(IcyS0+V<t^oaoXE!c*R(R9oiml4Ujh<qcd28<P zfByIMrep2-t8OtVWEM=Hvdye{*Y^pI-rct>k_7BC<`(Yqx_s*7^OJiu&T0Vdy&OI# z^LyN^=j#&8wwVNO<WzsMJ1PFz;@N*MNS{04^>!M>-l=bq?7h_SY~?J?GQU-q*D|bs zzml`9MIio?{()!tY72ZbHpfq5Qs6oFs_-hCDRV&D8Gq)~fK~tYoVA~|DfrG^p%>Oa zeD3=*lrt!8SY~X$H<$I>2i1FN71p8AkrVa@pInjY70=A|P@A<8V(-G!V0%3b+<^XF zzxTKEZ_Qa{li%~oJ-^IYl(;F>yK_GG*IzqMf3*D-pafJhVgI^SVl%WmPRd1Za@%;= z@X99naz~p>^Bksy_3m7y_y9RQ19LJnFd;K-jNRUtb@YX~ZfBRX^s`TS($`y7ZR`7S zM|D}a*&FUk(d6(AJ0JaAbTKhE?3ee}b$S-Xv!t09trGnC)Ux=8=`+9BSNd-s95fUP zuB-h2B3rHd!<hroA-uKWtYQXs885edV9{82HErKk(bkBDXCjr!9dR#wr-vI{J~1ou Jw98z1X8=&&p^N|k literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_1705.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_1705.crt new file mode 100644 index 0000000000000000000000000000000000000000..b8d6b324b81a0e523d130d05b064bf4d9877c7c3 GIT binary patch literal 1253 zcmXqLVtHuL#NxGpnTe5!iP71BmyJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfx#k8S0SMQi2-Qw;15t>be5iI3ZK0u}fjr0rW*!Mt z6Z8@b3UX5QlJj#78s{VXoRO7*xv`hQps|ywv5{f#wLG)R`=8c-l4!m9HfzHvvrA@t zo2S$?@P#ebnK(st26K>T@<dCO>^$rA>q_bNPK){W>7G99yrWB#!}#g;<bN8`6>T4q zW|cR6%TkZ?RxEhTRvnP_!TIFhM{apSo|;qYtN)wx72eQjoaP_IEjz<`hpC2tgyK}; zDftIB?#*&}&BV;ez__@HX{kXI(?SDTpjTx1Sj1RF&M<$CTwV6&_uHCJ(r?Oh`o8z+ zZ#Ad_Nh`Ay8x%H(q{ws5)Xj?aegAg%u4zAuQ`hFT>|GePB!m{R+Qi5RPAIa%EKCLr z22G6L*|@aX7+DyvRWh+Ku{1G02ja(!4;jiCuKd~*@kvk7rBZQ&rg8qlDSx(R2>P)c zI{)s+?L*ETks%BWjNTuftutX@U}0wPFmPj1WO#Z}`NT^8Dak#D{y2$z$YA6Pe{mq% zU>e7scriss-DY2)l1t{E3yzv`=l?igw4;3G>7?Fhj=P@a({9-Ol$rP@QihwMjNx+l zoXqcWv!1U@FxzGlxRF!+$?l~1XNzb5y&!$=fY;k;5Q}$-gDrM9a0Qxr_&o2KrhfZr zXTn`lwD0wOTKQLq`4<Ow<9)M?$S?m5zA-77Ch28#E|8oU`|O8uw%uAs?OhWmRaD0O z|K5`7#r*be0no!r8<rW{@6BcX_CfVtT7`9JbmWBn!6#Q_dc`wyJ=A7xgxGuZE0TwA zo|LodJKVQ--_u>Cg~f%_*DWhB4672`eJr`GIP_ceB%sr-ZAj4%+M&^U?4a+5=_ys0 ztzu%bSM6QdeOCHO@F9u#XogaTSvE(imy}*OsPZISeoanPsn^xLe~rsx71eKrty1K4 zSA<x6@h;e6Hv<<Y1)uH(%X193222$+xl<+=T{QcuW9_-}w3IJ@eNwd>UL0gn@U3f0 z*lfB;!n=9}2h)n5E2|j3?pD{WJ$m4R<;{O*I-`*D5wHYd24)~PW!d6wi&vyEaxApH zXd_-VEqC7H<NYUG=gqy*w@4^``_)TfMIKvw-_AR*dF$hrpLO>)T#LzdxTw*awz=7I zS83^orLnCYX5T|f_gL%RnR@57?VsH0J?f^f^=GC1s+hD{c2%i?-`Q@qUmh{X9b}&F X-rsD^Ts@)jf46;3?!}P3H)aC>7-Q8l literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_1801.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_1801.crt new file mode 100644 index 0000000000000000000000000000000000000000..b8be6bcc379a5e23cb832186b51ea9ba401f83fe GIT binary patch literal 1251 zcmXqLV!3b7#Nx4lnTe5!iP6P?myJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfxfV!VgCbNr#SKIucJiUxNwkHAiU#r^6PS4<P)*QF zEGWoH)l1ILHE5iV>~ls|2Ij_I27|^<rp88wlWO5EaTR73vjo4}dBts7our~P?>LW& zp<AQv+$kP?k_)Cg@C0r2oU8ES-RVzVWzwv(3%FXAh~)N$xg1*C@4G{|(Q*F?M~3Y7 z&(B}0XRNZ#xNzfE?PYI{xks{>=Qd8#FK71kjQGdI*6v`wdWpod;6~Xa#(NGm|8HYl zcsiG3Rx%SaBLm~&CZ@#(O-%C*WPx6h<zo?J5or!x_vuM??*(D?ERJheL{{$I=QzQj z3M8$}QfyGzAd(`_Ia4<)+V}n2-Mgm!EKXgU*RpqE*pd)h#A*{GBRHYR3bQa7Fc>s3 zer4m*W@BVwyjID?!o<?V_!NjAGTvt>W4Q8bQ^Y4dMVCs&4VuRJ3#a_qnjz@Na_IcK zAGZ%VcSMFTFfe+5cy>>Sfq{jY!QH@>Ns(dKzIJ!j$LIIQI{upZjNz4V{@v%+{L?;c zHmOOU-RdMB&!iv|dAlS_yo2@JgyVC9f2Hi;FyUUhDdgF*jS|!LW-%qd0@`~yd`{-~ zxLMEFC75k93Ear3{$zJj{IkWg|6Y(jcfjlIG>E+~zr*cSknjz2v9L6V`=r*h)z9Y2 zKE7vjzhy-`l+DodaCv$=sT1h3`P@_Z7jS*AS=^bWF70?STJA?zO!M2q_0PK%mH)U+ z6#&|+v|*XC{oY*GZy!|erBzsmMn_KAAAE8}rdK>O*F$aAMu@#%?<4Gu|E5%~#}>Y- zlKGOjM$x=ip5lemLq9I=HkaJV8=RYx1hluY=vANLdS9M1)-iW}aG(00^0#*jbHz)? zL>)Qxb`GZZ45bXSY>refDZOw|<w>~wnw+Roud93i8kfZ?s^1D*rO4^72)6e*;}@{K zZU!z)3SxaZ(`%Ql?8-`etm7(J`ojB;iBnxa>z&Idy&lbt5&OiXP~1J+(m%}TdXk@y zME{z={~CRHoAnPJV_2FTG%M)u=~(1k1S~(8f!Sx;9+isIbENJkg@k2?OV9AD5&xlA z6s^zyDu8cy%;%JMTUk^*zF9B7?yNZ1mZe=@<I%+1Q4UF*q8l@UPWEn^<E3(L<7z`D zb|I5bVSlbN_U0U4)5!bjhVX2`htCBJe>_&TeKlR_*@Kn&_dkB;_VvH|;KYJsOKXEV OMN8i8IZ?~%ycz(c5ydb7 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_1804.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_1804.crt new file mode 100644 index 0000000000000000000000000000000000000000..5dbacf1bf6aa1a878ae00df6ca1550e07754f300 GIT binary patch literal 1252 zcmXqLVtHWD#NxStnTe5!iP6=7myJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfxfTW{aIQfSs-5Bnq7XazQ0*kzLPJFZd5{UrJQAoT z=p_~u<fQ5)=jR$U&PVn+BP#=QV=se2V<%H%Bg65o>hg7ug1nA=k$yCf!KF=Rz9{pY zZw1ng_exs+2>gBfCyT#5^sZuHC;Noje~GTEE9Yj<P~i4+h|D<}scDpXZ&jC7p_tCQ zz@3XH{oKKNICi3Zk*Z-H`_<5;i3he_dNd={bEVmIhPy&1F3-(T*xD&-{y@}xLh^H+ zhJ6L=to}^j$;8aaz__@HX^BA-(*gropjTx1Sj1RF0@Y7hUaqV9TUI!^^T?0oY!Y2R zRSc>?(#kBw289hGDe{~%b+e*<-@o0xYueA^)U|mndl!Z+386)-HZd}S6N;=b3zGqZ zK@;OQHZE;8Mi$0vl}s#5EKQ8hfcO#P1BNn&E59~He9}{NsZ`vcX`H`s%Ac(nf_^NA z&cFL{`;c=-WC#NTqxXmBe1;4REX)k<2Chts488xACMZ?(ME#hsE%0af-AVSXUGpmU zTw6Pfd#m|x8RkAFg;KFuljGL=Evr8<&+&VHyop11VBmLm{<BNI$CTTDeiFw}%5XV+ zPUiQxS<lxcm~Ar&+{mf^WOq{hv&FOjUXVU_!0YWah`mw*V0+yRT$mJ?^;WdG%q%jK zUAW_M?r|xel%uh+0uonU=l+^#k@soxaV7;XBj0fTrk+^$p45H!ZvP6ks+_8lyD>|t zVmI@p>peXEK<_GTSY~X$H<$I>2i1FN71p8AkrVa@pInjY70=A|P@A<8Vy)_1xOWv) z&TgLFU~@tw!k5W>!4g$&MnylCx36|vSZ%syC}w^w8yFzp_H;B&GoKz+6lCrgc)I@m z{fCckG{&E@Oz_i5-nSvWnW3Cvmd%msC8ZY*syqpoUy~D6>UDMRU*ob^MfF=@s}woi z6(RN-z5v_nVc-Tdb#MNo3jvd&?ktjBa&{rZ_WAef&fW>~t6u)qq5rtz<*P<OC5!lO zXD!Olu})jNe#OlFg}$kaxt9ogZ(6IiPx9f{O>1h9vk|ZWVFu<O7CY4)$|o!?<iB2e z<8kVF%ZYbH8-+hyYgnk;s}S@2!26Pp=LL`M2<4dWE-$VSc$l%oPwTC{^8WsYL|^;s zrOEu4IU1Qx?%HmtuI6|;>YD13JA4`k=L$4kJ=~=qx#6VTeCLQ|eUCcj4<9!%4lcR+ W>7J7OZ#T<!_dG=fS@{yp?~(w>^UO2= literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_1805.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_1805.crt new file mode 100644 index 0000000000000000000000000000000000000000..fcfee306db626bf53ddb6fa49cc6c19941eb06a2 GIT binary patch literal 1375 zcmXqLVvROvVmY#anTe5!iP6n~myJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9pfxfTW>0SMQi2-Qw;15t>be5iI3ZK0u}fjr0rW*!Mt z6Z8@b3UX5QlJj#78s{VXoRO7*xv`hQps|ywv5{eGf<eU(jTZSE4^_oq?2st`^<4H3 zvn1c1^6tF_TF<vMMKt^FY!8}ZQu3T@&Sd_z!Zz&j9NWIO@BHFx|D9E8(mFTERa<_u zG<@`b^N45P=8ftu@okQ4mL(VH_QlVU>buntviz0Jslzj?IXgpzS)|L}pKLjHV6ywl zs;GTu*DOfewx5Zak%4h>6SKTQ6SK5|EYK^md@N!tBJWmT*_Lzk{5^}yn;%C^Ik02} zC!>l%6-Zi{rP!dbK_o?<bEa-qwD0@3yLV0dS)95yuVwGTuq7e1h}9-WMsPxr6=q>F zU@&N6DrDo*W@BVwyjID?!o<?VlnBJJOwkPG3|D?_iuk0b=u)Y;LDM*Y;gmmHGX(uu z4xNAZ<Mtuvj>r%O21f4>&+QBu7+9DYJPh2J6d7*xn@(k{J0LO9pUr*sx8v9Rvd?zc zUH|oE>8oX5PlsC-0G0ezn>zFT7L|D$Cj1pp&@0H}YLX0pknXuiMZ##Nl-&7;K#MPj z&&m8AH|zPj1hZ`>fg3s1pX^SGf3|q`-wV>`4tTwt2C>*n3d!OLQY+%SY;|V@*YA4J z@Xw$<W)^?A+RO#IY0LM``(}A<J<#HrwinMm<`$3Kaz16l6$^1aXQ_pgdKQ`YZ))>) zlL~A3z);4Zv|*XC{oY*GZy!|erBzsmMn_KAAAE8}rdK>O*F$aAMu^3sKfxBe8@Mtl zsQi&X8GoYquH@S2J86;Ec&cCCzy0Ul)a9@93bL>6Z_)<Zd;LJKu9EtqBWWCJdzDJ; z4<0hfJ^5N(c8NLvS^h6<%Q}Ge&aydDy`=QQL6s-r@@sOUO1-Y`{cBtntEhe}Y?UIX zyCTHi#G43vtF<-rs~$aY$=gxvr~A(TutqdPiwCz$cUEltp|%LUNkDsNI4yE($o?Ra zn|ng{T<w!h-#05d%@VA+?jNDFizj6{D27kT_chtiOu53%|AB?EDcJP*Qd8@rR^ef_ zPqtRO2*0a_*qi$ZDWLc7D0Y8$NlaXL%al+Vb8G3)rQD%iyYJu43(U&1eJ0%iw0Lsi z?5#m*7anh^Qfio4-~P<lr*p-`iJug9m_<G?5I!%6oP&X77c(&HN+k1L6Ef2+txC|g z{t)TbXXSbNQ?Bg1bIUGyuY91GV*Gub+Ny^~FNHHM^_-<Ab!xA5&b(Qy0WzC~e8gj$ z)^=9S*NwRrbfZbZo@4#r4?!o+J}sW}DgA8GtHjeUc^uaNU|+Y3Q#q-sBhGZ$7OnFV Y>wnmv4Vbe%lyB*qr-ybu-~Hns0AkAjMF0Q* literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/server_2001.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/server_2001.crt new file mode 100644 index 0000000000000000000000000000000000000000..f1334559b26270ffea7d4898691a11e729df72ac GIT binary patch literal 1372 zcmXqLVvR6pVmY{gnTe5!iP7DFmyJ`a&7<u*FC!x>D}zChA-4f18*?ZNn=n&ou%VQJ z1c<}MBbc0Dl$u|xn_Qw>l3HA%;OuB9Y#<1d<KW?PPRz+n%P-2yOf(cS5C93X^Kd$s z7Ni!HWai}?$cghBni?1aAs9r7^BNf-aSe)4?G!f<h1ki5YA4Ya8Y&vdgG^xNkw7&; zFR`E?Csi*wKi8mfKC;glSs9ocdl?KGJDD0A8J;w&Xma1(<6Xac#-~5#iy5v3E&Oe& z@rXAn&$mW+w#?zw(y7bWO|&TecxKk;t;@LfKP)x(=<?kAL}K!!4;zmtbbj;teZI4A z3BT|B{KJW>rPWq(E$t8e!!zZKfuexf63aQCW_)=sa`wtyr>hq@oR2#cJ08B3aD;Db z<mLLaJxb3wVwsp385kEgG0PY<F-sW80=**3$0EieqNcyacgOQv98N(KPVIa0SoLOy z^C^QWkhC&Ou|Z*jNQyk?Ox>(#-}i5K@0#|rICX7a%ie`yOG0Q7t4)lI;DjP8%)(^A zV9>;r$Ht}2#>m2Wt&)j_iKU4t4v3?eA{fdTuKd~*@kvk7rBZQ&rg8qlDSx(R2>P)c zI{)s+?L*ETks%BWjNTufS4l81urM>Y8@Mtlh%Hsp=TR&F)o&iRg~M(}sNvM6wZGo( zVfe4~`DaGyX<;TshF$O34+|?FdNHNh>EQcU%y~N|nD1)&ulP!h(X(^1*iA#Ay_du1 zWPXpE^?Y4|**25FjhyOFb|=L@TRi*k1?h7KyxvZO*xULSZm%N4gzIV=SC?%)dg)Su zY4UXkV;;`vtWEa<%^EV|4Oc%tqQ#^T9CdNy>u3S1JbB*v{#VZ(=RG!WX1ZGE#m^y! z%D3j{?*iJZv|*XC{oY*GZy!|erBzsmMn_KAAAE8}rdK>O*F$aAMu@!=-y+%j=unQ2 z19#vrwwW>dPBH7Z2pE`j%kO!`vGVV=@F^Yo^OzLm4zu<ye03-P_B~O9=R1o09OAEK zb93!ZQ)1rohq*CP5@_!%n<LdrN-rE#c@i$aCMT-Y>+0UW#$~aJ>bJsHDRR0iLhPM; z8*Z;c{HbTGiXlej_u`cc^#i-LuB`7rdg{y8-v=e-xT7ZMZwH2RTX(3RCEMzUr|Tx& zX?(C!Mbsz0Q0n2fma|)`b}&aS`T?}}lzd;4{mhgr-25L{7@LAkk1sW~K57*nR{LaY zwTtk(YKXln55nzLWSD>KjG+EI>lVhUuluYG&KYd4JCd>4WkQ3_4B_i0x4-^iQcypb z#;vY&RN<|iM=!70uB)nxPVBGvz0<4hy^giHrqCJW><cWon1T7$TAWps=i7=IvhzRi zpLcagyx_;O<<Muo@KFClma6KHeiVyb%~*V5^76u@<9rEh(LuFY^6O@mf6ieRxFIEO zIAMy_s)TfJ<2DAbpM1<Z*XCJ&xxAA}H!adzIeF{HWJR7YxAb((^nZW!&yQ%on_+R= W-L`Y1{GkJ>SKr<#$y0fAB_04tIQxA7 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/valid_ocsp_response.bin b/OSX/shared_regressions/si-82-sectrust-ct-data/valid_ocsp_response.bin new file mode 100644 index 0000000000000000000000000000000000000000..f87008d69b78e23edde22663d3bd0016d8f2def6 GIT binary patch literal 374 zcmXqLVl3ifWLVI|m~GI+n9jzj&Bn;e%5K2O$kN0Z0Tc=`Xxz6@$w0wS&OnBZIh2K2 zSTs4mC^f_<Si#v*!8x_4L_s4c*ilo0-^jqw#K6MHz{t?h*uXr>Aju%Xz{-G=ja8eE znMsP3fki~&%CybDFYaiuvJkm#e35s>scE}}SwuD|OY`eQEs}jb&18B0-06aiB8j`1 z7#SA|B8)TugD8Xm)Q*M928ssq2uCxq2(bwG98Lbj)zZVfgm?PIMZ4uT8St`kYPET^ zedlEadX0g(v5`Sq@jBzZ9TDD@S&O@uKiIqCR)ojy<!8T76y0o5aMM|}i0`oN&*KKV zTjtAnCmDKdna{8{eA}B_9~L<!{&`<~H1y!NqRR83jGRv{z1zEt<CvwDc-f3qiA_5l vAMW-~kK>N}Wg{fIZ$h8uvzXa`);laQyuRdEp%UY-O=t7u)oyQG{Kgpo=ca#b literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_00008013.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_00008013.crt new file mode 100644 index 0000000000000000000000000000000000000000..38a469ebd82bf6b5658aade09d58f40e2600a097 GIT binary patch literal 1464 zcmXqLV%=iU#4=|AGZP~d6T8>1Wh<{WPch(S<J4;NX#38~$jHsgV9>b5klTQhjX9Ks zO_(V(*igWL55(aRW_K*gtjf<zG!!-v1c|T<a|I{omy{HzB<7?VN*PFi1i6F--Sb@% zQ&KARlJj$Q6g=~i^$c|lv_W#*!YUahB?VUc`pKz9CB=H_`6)1k`bDV)`Nf$f`9+ob zhQ<blAmz-$TJHG@V6zm0Q<F=JQWczm`ZCiplM_o)6&y=TGV+TuODYv~72J&s<ivRm zO$-f;EDX&|jSbAAfLt>qu0i8Pu)Ddn*%(<Eo6K#P7@5J|lQxiKLlR^X=JHD|SMW+L zDo(95lr@kBxrAR>B%mm>3}mZ+QF>xtW>sQIW_}(lAXtUD3=9nnER2B;w?qv*Xi#yW zm?~r-05X+bnA0^cJtwt1KR?A#-ar;4#w9Ek?C2NbsNm+R;N$8T;^7*k;Ork1pl1lx z#4OC2oRe6V2nt<;CPpRX*kfd6U~XdMX8?+GF*PwVGMx546V-R|ohoxzv}3HM%$Gfy zQa6$=%RWj!P*<Egb-{Ys8KoM}f5^^n3)DWO^5!RJj+lO;`RRKH=Y;zUZs`!2T&eB3 zi-Xle?unJA&DG=n2hO-IG*y{q5nXz;@79ajJwIlB>+HMNRw5R4#-kvk%Xl)|)f4}g zPCn%3p()G5BP@MV^|X0L!rm``c4zu_y_qv<j#1X`>FEus{`s@^<n8cRd>wu%vEz&G zEn(paS50dQ*l!1kHn$&NF?IXSe>GG4zNUUHRZ9tGXefE<WwXjEHt$5llE{!1Pui08 zel9&TKkr<-zoce9$Dswg)ZWG#T#PLJ(ItIseQ(4Q1MUvp|Fb?jhQu>5GcqtPZem;o z43T99Jiq{!6=r1o&%$KD01j?hRTeP=5jGBBnqXyRXJ&-6n80aXmLH^;g_((Ufq^MV zvpkEQfsTRJ0*wV~ZSbUAl!KCx(^E3jjf#zR4fT?Xatwk&+7wuP47?0H*tiqgJQ&;l z<}$L2GaFbMn8U1NVieOx${5fDjx&E4l)*GIGO}bDWEiNx_y&w^5>SKklZy*b+-2YZ zSH;w3LV|T*4*@+>VjvIlj53Rafmnlx!=b(EeP>LX4Hg++|DCh>!xo)}a|X&F1%fOx z22xFkRNBN_US6(;NVK4IF3ZOv#v=01XF?)tiYDKuKe`{Y%8qiM@jupuoSuQD5imV7 zGEAyk&2#0J`@QPY7bVlVQvB53p2~Ij<@NLSgTp0n&+RLbk-S#>tyNkl(f>u;KAWG? zGq0{a{c4)foEhRm)xRoJjUyXheLZ+YShDnLLuQ`Q(paOJhfZ&hT7JD};f)h_7aq4V zt7>>+;Ip8-C-<DuM$Qdi+CMT}E;Qa+Qz1PkJZFwN!yP`^1&Ig5?L}9A{N%ZDpX>Xz z&noVl{fKy))$zzaTCPpS+ObpUg6bvz`-&BNJH=E^{QD#=>|tEC!k?#9IQW9XMBO*W zYhK^txi!n=zG~tQcKx8!Mk{wSwf~fQRddVEUH-z|i}hu<#LUIRFKvG=e<!$Royw1A QGZQv^+&=k`=zq1h0BCjZ+W-In literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_00008013_issuer.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_00008013_issuer.crt new file mode 100644 index 0000000000000000000000000000000000000000..885c45a4c350ea8fd2c4fa2ee2bf312e3cf7a6f9 GIT binary patch literal 1236 zcmXqLV!2?@#JpnxGZP~d6C=9;FB_*;n@8JsUPeZ4RtAH{W<zcRPB!LH7B*p~&|pIW z13nOkLzvyMD6=X*FVRrgKoBItF3c62oL^E>oRXN6YA9tO0TSdA7Ie>dNlZzp)Jx9K z)lu-wOV%?qG|&ghF$-(B=PQ6E6@v2fOB9?_i%K%nGLsWaQWYFaOEU6{GD|8IbQRo< z4CKUlf!a(Bj19~UfFMeo*BF^=(71)_uGBTq2Dy@3SS6#Rq`*pFKN;w}V!ibI6qtAP zi&6{ni!)2|iz@XEjSUPTp3;JQDmXQ{v?vvyx0)E0ki(mim4Ug5k)Oe!iIIz`iII_E z=Y!J%SJs#9y)rrJwL!{`Mvk1rEH{(H`}F_YrJnCUm-NggNamK9t9R(?itOa(qzUKv zGjnF1kP_+kIpb>ls^iYQ#p|{IH6+fh3_o&S?~A>GO|1K$Sz>z*n@@8L>=X13`Ju7z zLeIVr1{QLkH>mwcb5G8_SE%ORZ{Z$%(M@*C<2wwmT-WT~Q+RV#KEv(XXAP_>{o{Sy zf5^U%K6GSmg7wBt&J%AeG4^}4`I@@_TGg(l$G%*>uxwokYf5;>R+rE#x>{CtKX&YW zX~e}eCFO{iRlrBDb<Zn}*YhZ_*T1;WVtFW&DJMDTSNTEd6D92@c21TE2r>1}^xI>7 z*;7yc&cRDTznPdB85kEgF-ieLM9hF67{Ic^jEw(TSPhtg6gVZy@`D6efT@?wKo+Ec zk420{#Np6h^}aJE%?68%um8^3{9%hu!#M+akhC(3gn?Lth}EoCc7b$_ZSTMBWp&I` zI5_1N|2+c}HV$nzMpjmKMn)D512qE`7~g=gO#+$<@{@}TP!fTGDacrP7Ci$U1FZ!b z3)I@+38p9qMP+(Q5iptSrW@%c7v&hZfwU>G*c;dyShKMJnGC?xZ3wfGiBU`yWMeU* zgom7dfcX`eei#`z>T)IvoUqt2ZRG^-{|n>&S>ET^&FNq}8PLD1_<Oja^u9e$^l$&z zbvgRMmgmnZllXWRUC&A`Hr)Dkg~t+W4&6nu6RvNmQS}!LGdQx%Wp1_3+^2ER-t#1` z+W$mL`d!Ps9nG}|ozJ-}7cStPDF5Yz@Y?2tn>UJ96syQ>U8BTzO1v{E!bN&@rz#@@ z|JftbNw)*HT;>ndn*C)@@t?ADW=qcAyrJ`I-R!Sgn<iZJEtTl9?{b`=TpR8EZwYh6 zY`0B^6B3$#)CM@7JG5}Z;oa|<^e>5qymJw~$+d2Im+{+;x@Bf+cUWG}|DGr>dZ#`A ao!c~xwF}j1xj2{Wu`KT0^J5Q-0V4oR|FP8o literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_5555bc4f.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_5555bc4f.crt new file mode 100644 index 0000000000000000000000000000000000000000..0418beaab5632c1797689f18be683eab3fa23907 GIT binary patch literal 1594 zcma)6eM}Q)81G%L#kPDOA4Q-P1qDgl_f9Axnu#q^lwpx!BJRU$dz5qS6|Yxn3`99X zg`s19%(*dE)Xgm${=tUPZBAnl@dGk86`9LWwy1N8#^@BC#@*rSz-`IyuX~>7_dM_O z`2(C(4>*acT?|7o93JXVFCEp7)Z8Z4s*b$c)&)YOvROWp?|ujbDI_A`!4yCy6_+7W z6fP^pq5&!hax~aT*(n3bu<AnEip7CgL9IZ;y<V@@#+$6XNo#dEu}pvqCNY}v%%jwl zhpY3~vLtOIZR+KOgR&7U<)YQ4BvVZ?YC|4S#fI>nbMPE6{+08h9^?QV!v(n<)ct`a zf_NctSa6h?p{fa%R4--h1Wm0QkA<NiLaNA+LI}iV&x0ZHc={@kFi{DkA;qLuZ6cgi z?n;Uwu}}~!#FU^Cy*@h=U{N4akY%VskLAo(n<&~z&;e8gDgm>zv$7_4C<a6cE>oTl z9S%YTeGnRCB4`(1CN>o)1&thyFcJ*wba~iHwZY|ZkaiMF08<5<7)2cfO;B1}0HGyq z9>77<Ce8_xh{PNeCgSySn1dkEg`V1j`J4O&OE~+KggeK+ipFjXZB;CZY?MulDy};i zUg56{Id^j)ojP5kIyZ83!`xKzIxvN<GhdgMEVXQD*iRfT;vN}NbMB3tPEnq$XFs!# zZOMLs^yD;q4=qkRw<+$(`6s`oZSU&KAG0a@Tiz`AvCxGse4({m^-#9x((d&QLEtBY ziF<K@cV~3-S=@5NQoF;Sc=?n5j6&D?t0c1J`#tISHh4#5TkeBx{%hj-MWZzbvy5L{ zPCl^9Sbz3j$;aR2u3U2QRPbx=lf^3g(Bj-HT^%?2(93K|>RVGI4)qSK!H4g6Um4Lf zuiT5g-92;WsYN<Z@-e1lxFr6|I9LpcpgkO%12{MfB=Mb0oQ^0#%!a7>XUrcBw(q-n zXYndIc_#Vn*w|ngNE85}NDLB{Est+8`u(=w2Udt>yK>dnzEK?qRf0JJp@5zHw`p*3 zR)QrQF1yA-StbvPi+5`O+o*I?B*PFIqN-}L+xVs=hC$F11QElM_NNJ^BEo7-;a6HB z2@*rk{$St{5==s9-~gHJcsuZED_OQ`u1;rV9J41~qt0DP;2N@8;~u{>jUChSn16a@ z{vWS}!n0~5m%qzwsce<c1o<92U<k|tX@TTmC?-M3#my)4JTvGF=2B4C7=S_$QUlh3 zlz<E%pYpFVTvj*Vp$Vh{mOVqkzD0pz34wFmlYqJa=LnP&V4S}R=PBP9^7tmO<CmX^ z3QdQBXySSCG{~P9B$`$)4^3()FI?RyWAeqDf{P1-_Ue}Rta<4dy7kFG(*AwtS4)&- ziW%KMpFl*_eI0WyzVF_wF}Dpm4Nbd@_fJ65!;iK%xy;gU>FD0Fn4XGC^AB|kYg;2e zNO-KAajaj{F^ay@=Ipd;rym%~c!PaibZFztyY<}`PcQxsW9g_E9`F>ck{6srmgNl` z;9@RZI^VK#xJ|7*ef2s=_pRybYx=zD-MjIz$;j8g(F>f|=;r!Q=XIvszOpu@Q?m4^ z9>3dZYwcHl7~a343!Bkc0QOkC4<q~T^lUtnR&m#u&RpHU^;TH2U$;G>cgWt1A8(mi R)bL*HtvR(jI|gr#{0a4~783vf literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_5555bc4f_issuer.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_5555bc4f_issuer.crt new file mode 100644 index 0000000000000000000000000000000000000000..dd14c1b21886d9e63559403e819aa2ac2b516b9b GIT binary patch literal 1210 zcmXqLV%cWU#5`{SGZP~dlK@ZUN|y~if>RYHCB{F>mTflRW#iOp^Jx3d%gD&h%3zRV z$Zf#M#vIDRCd?EXY$$3V4B~JJ^SETDXF8`Al_+@TB^yc_h=YW=g$2sX%k@%#QprFm zz2y8{Lu~_1kQB495?qHzW_pH#V{vh5QDR<ls)B2nLQsBwiGs7Eft)z6p|PQXk&&U1 z0T4uq^BP$oaSci-b&ZLE5yUmxaMuKTI2tLqR+OaXrKF}PgeB%=rX-eR=I1E{rxul^ z7J;1A#HfTEE{v=U%uS5^3_x)%rY1&4hU>vgSOR~{Tqfq>ovyxWvgZZMw>%p*FtmS6 z*Jx|)=}W$~XQP9~qsw34EM=A0VQY7Ernu1?iJo5{d6uOpww`7eFxe2)p)H>=`_jgK zp$(faJ@1g0e{WG95**)9X|E@>YK5G)Ht*`~$vaKA*NW_k^u8bHb!p)vo<|d!+OyWZ zx}I`vM(B&b>!kv6LiPxL`s?*+?(TZNFIV^ViFFEv-Z)Tb^6uLm-8V<tRoi-RC_dTX z%hP$sQce8sx9d|{Z?Gs9%+1gLAG1sHq3h|eaE&?{UdQlN+jpq%-uUE~)_X<eQmM7N zv)fF2=9F(OUVCGT?vu|vbKf2GOR5t;P&iNL-p8K;8j{9L%!~|-i<=ldfg$2*AOs9y zSz$)T|12B^Y(R>Mk->luB*qUCV*#eSHUn7@UzJ77K!lA$n~jl`m7SRp&SEk!fw37G zSu_mP3{+rz1I9LqjFOT9D}DX^<l+L9q-Nj^GE|<$#lXqHVS(KOn>H(`(&VBX6BMQT zu-FGBMR-bd4Fjb^XGcAtdIMXKVG1l}2B0Lv0%S56Xc=h0+`+^sCId3O80Zl6B(Lur z5Df7kABz}^i0$QorPmg$efQZbfh+a0;*}piuJIelgG^UukuVTz5ZP#VIFtFues{(z zGt{IwnBFI+XdgySZoq5^Om2(}bGKcX(Dty6>Fv=4A53IQ4)&IvY2#Y)!K=&Zn*E8D zzH4hZ);`-7uw#*wZwLEEO~pIUZymEyeDGM%vtUh?EaQ?>f>z<HYs0l1O8#D!ZIuYP zAMRedur^dd&)qzrsHeV3`chKAE_2ka!zUJ=(+OI{ko>xMSK$dyb>-<Pt@AAS)+T4z z><Vg(s9dbWbN^oMYr{{w7S!Z?)VcC-Z+VM3^EsofCuTKDc}?=OcAM4uuX)kWc|D8I z@WySnJ<n3nFCtQHH0L<OvX~=V7l!smg=H*JDp+OHSa@^p3RmkdProe+ynDPl=|w(I i$?F}re(Z1OtqhnrVYY<z#7OmzrW(Sl)#|Q(uL1xCVyYGZ literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_aaaae152.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_aaaae152.crt new file mode 100644 index 0000000000000000000000000000000000000000..dfdd58953f95f1e0880dce6d7ae5c20e89eeb040 GIT binary patch literal 1520 zcmXqLVtr%K#ByZ;GZP~dlK|&7vqsK~w>Z35ZhtL$TwZ3t%f_kI=F#?@mywa1mBFCY zklTQhjX9KsO_(V(*ih6!7{uWc=5fhP&vZ^LDpByvOE#1=5C;i!3k#H&m+PefrILYC zddc~@h9(9^ASq^HZMcqL4@V;f*NT$Vyp+@wg|Nh&%#_5E%=|os;MAhB)FK6EM*}%= zUPBW@BLh<dFo*(j%?*qU%z;8c5M|K#%}~}r8e}j(k4QjKW?5oMs)Bz}dSYH?71%68 zVFN)nZf!P37RDxX8zx3(VJ6=QLjeOmkRDcHb|W)O6JsM|m?@mXB93Kx3eNd?#U+^~ zrO6=I7#o`z@)_`eGzbc_T9^SXMhXmsX&l1rA&E(e#mV`w;9(c$3CqmMNz6zs%FQoM zG}JZF2ARSotm2lKQ>oxvTAZ1zpn=2=)^pTTNJ&+2)(g|qG?X%s04Zk{76gT68c<6v zNCzl54VoC0kfVr^m4Ug5k)Hu5&c)Qk$jERs|M!vpZ!WLg9M7&WI)Cq3yM@=B26z7> zacdRlA7btaj{J4zVc6E`y9#dhHb`qTdH?a`y>0aGcc{*OzEyjkvdbP6U6>rU>X(&# zO~{l~UDe~KQ%)?IFzNA;B5}*3OTX4IOufSYt^1?2Y*p;}VCyB#i7w~aSCwc^j<0;w z;5uEty8Hgm#w{(!0@OByRUQ{~d|Hy@dvZzV*7>VhCkkw0KkIN}yT+qslcsu_ozi32 zrR(|d!8sA-GI!TYhC)wfbarGJ9{xV%zFFzUNz0tLnM9pd9y=&8>+wO|9Sw)goNjv7 zmt=>oe-!)ND>EctDRirG_%)^jf%#Ek|H6cvm&tmaUHaU)o{5=}fpKvY;}>9vd@zs) zhNG-9i-dt#gNW_rfTh<KtbO;{D}gKZvf`B=Kd$i`$buB`v52vVaL!|YCGz+zi%9>b zAOBVa-QL_$bQc_LvVtrs21-qsanZz!8a1G#CCksq_@9M^nTd4)#B5a-F#{1c4q!rL zWo2h(gtM3oN<qryS@H~W3``anEih=)%P1)+u+rC0F3K@R$wT_Z8Hq-^sb#vw;QXPR zZm0)TgQ?4e7+p>vYZX|m4J-}J**Fv0JQ&;l<}fiDXc=h09LK~cCIfOyG0-vS`B~pN zAlRU>1E!Rbk)_6<%0LCiH(+d&fO;c8xwrtuK?Xr^RZMMeFwZ7}N{V6>h5E3P0#s1I z$_Yd<0VyS%9f5&R0?wYY!k|EBGGIW?8Nk8|m@^m|JSPc!`r|Mm`mw~%eR_(2S4XeB zbkc0&Ew6w36!VLx+zoYcsHjkP`g!i1QsU%mdQS88<5Z$fzkj!*Rr6Ez_b7(zJ7*N# zYRKDW#bIgqLAyFcufzA_f%2K!4~?0#9vSc2*ZXba6aC`32gOZHbKevOC333Q--~K7 z=-<3;!MAx=W9<q9uB-?YXUvTB;GcLzBAP=h#lc(XIAhuCfQEPJQRjMlWcvLl9o?|U zWLNsX2=8s#OBM@kig?=H7*n0~Y}!8yfrs|N-5eIPrdaLg(BzQ}owDlaHQRF0hQ|gA tnA{x~*-bbtl^3eL@4&{~lkdMIv85dgUGR0LF8k4^O|l(L-ex@~I{*-d1*HH0 literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_fff9b5f6.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_fff9b5f6.crt new file mode 100644 index 0000000000000000000000000000000000000000..d763f845a184819e63e018c01329d7533d16337a GIT binary patch literal 1353 zcmXqLVs$lWV$of|%*4pVB*10lV%IR$)vJ24{p#z7XDAx*vT<s)d9;1!Wn|=LWiTi= z<Tl`BV-96u6J`nxHk37x264EAMS?4H6Z1+^lNFrviwg3K5=%1k^9<z;WI@v0!eVgg zkfPG!5(U51lJfkbY(otLHIM>kVR^U$=bXgiVg+Lb*D!_PU>^l%M+IF4cVh!Nab80c z14|<l12BjJa?K14jf{+pO)X6=qYN6)8wwi;vT<v(F|sf=ncFZiG7B>~hQeIPFDw#J zlv$QolB(cel%ANESp{*Sh=CBu0j$E@1_l-iW=56@CKiTBegv8zXuuCr!Xd&DmYH0V zUzC|>C}bc25@HwO^i9o4$}cU-ONIHBOGL~iH7zwSIaR?UH8H0oL%}CAH?t%)1!gF> z2$N@sp`w92*yAD+<>lpiDG(hQU=4c7`MG+Dr3OumO30zl$jZRn#K_M86z5`UVq|1^ zrpJ&f@OSEO`IV<mEAa8#Xx@EVc8U2{@s^_%Q~utr{X4~aFIz=Y!$XaNH!*sv4%z4_ z9eLM1i-SYF@|MtvgR?)yD9oL>e6uz4^pYK)Eh`(tjCD@DSG{Tc`uPznpGVcbY4;hc z%~{>fU)yD9+_}VPHM9EET^SK;X3Bru9<^!1^e)50`%nC@{nBK!#O3eIrnBcR*@VBi zBmFMezdXKV^{m;`bhzJz&AKZzU#Ftq<}1&4>pOgVUfYDc^|{(;!FN1rbuwdZv80k* za<S{rgP)d*+N<!3MxV7w-VxS5?S_<0fWkMWZ42g~ub)0~hu+KEVUvzJit76}9MzZk zx~cAQ?`57~^QTPAj0}v6n;46LA(CgH3=B?LK^7SUsV3Y(3QD=M!YoV%3<i84CO;$N ze-;*ICe{T8X&}A=OT0m>K{Ok8LYoI;+YeVpc5yZXAE4PBz+}bB%Fe_nCZ17JQc!HA zub-k<T$!7k1d1*F<bq-YRk$K114$mN%8CjS4YWb_$g`*zC>ba$kXs<rCIvDOXkKv< zl7T=@a#0RA_sFWUh#82$3}<G9vzWk1NLHCe!a%G+gfVjU^Sf5uk;_t&ubo$555GF` zd6q#qOfe%Pi?@L%Py^H>28?aOsP?9SJOa#(Fa=C_99DvyE`g;2FkLb-Z01(bWK;XA zEgew1Ffue##q9HCqn8cu`Q>}%f35rUL@3Z_zbU8Gu73vXdTVFqb={T;zx~*9!jUa6 zCWi0(I6-vE8-3;5bCcWdl>EzFk@$U=SwZy5hV-W`Pj~*^-#FVzN9t=7!<i>CFEVeu zF|_?3u&97p@1H9Bim9BuoJwE%c;f}q_N6}1etLUHR9EbLhtAU{dtV3CZJoY@Q)knH z*WWsA<$LSjU-K5L5c<G<emYZ^@x|@OrkOAcT}U{%bX!x_S~ZD|@b5jF|LuI<zB=Po z?Vp>sKMDLSKM}rw*Zgag^PM9q)$7+yDV$McziL<Q{||n1_tm=Ze3(1W*ZPxjyReMe HkEv4th2zMV literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_fff9b5f6_issuer.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/whitelist_fff9b5f6_issuer.crt new file mode 100644 index 0000000000000000000000000000000000000000..a46f79f25838584f138567acebbf52fe8f057ab8 GIT binary patch literal 1327 zcmXqLV%0WiVi8`z%*4pVBvALzD?k7Jr_1&BYg2u#Zf!B(W#iOp^Jx3d%gD&h%3#oV z%8=WDlZ`o)g-w_#G}utwKorE`66Om_Ey@heOwZF%@XSlrGn6-w1xauVi@_umLW)X@ zOBDQ4OUm<$vJI^aEFcODHIg+Ij0_CS6ksYLMkweixaAiqB$k$B<QHXDrKTv97N;uY z=jBuyx*9lx^fC+Ez_chh=Oh*vD;O&TlqTh5CMyIKW#%RpRVp~A7L{bCWhN(<Waj57 zI6}-SsRWwsZfYPW&TD9FXaGcD5GBrQ1mYSP8Jk*~T1FX^qxx0WKpNs#k>JYQ#JrN! zWCiE^qJsP)u;EBPhD)RRSi?XK;%a%g0+_2^!xVypeH5G>K@KxEXkt`C4tPdZ2IeM4 zeg>d87gG}>Bg2h_sU^xUv{N1#T{kwj?fYsX=5g1*zFp>ri?VRvZ^0WbQ4)oH31VuK zX8#rEepp!G^l$$!nFFg9FW*}D;=e@mxBCKI!bvA==PbXcXU}s}_PO3~t#c=4)wl1z z;lm<obn@bvsf7#tH2hm`n*M&=mOmx<Sy5MVy57FbZ{PF!<|MGZ*8FwE-RV-rjK^=d zmrlB~eb(NF6m5$d3(n}YZ@N>f+BTW!wa%Ns7r#ArNnnv%f$;wHPurIJipb^c41T99 z<=5*G>g>3&voy;=<7n;OOL>==B=xIRrg*>pD7A9-W93<|ei^Uk(%Jqcf#dFcnX`9w z8PgipZ`Rk8Ro>C{aA5&Ej|o2$Gb01z;wHveV2DH-=(BNXvoW%=vNJNWC>tmm$iw&s zjBUahB_#z``ufF2dc~Ew$w_+2`MCx{z-W*aW@P-&!ePJ$q?i~P3{pX23M_F3F$Pg= zEI=lMK@c#$pe8dhib+9DDlabw83js~Aj9;N3yKXi;OdwRWTbGZEGkGeFaTL2&!TCd zZlJnAd4Xb^Jj{WH2nXsHBqti{rkm;|7v&i6fpqYL9LoaCqHG45Aif}rl7Ye!IRhC( zDFX?h05B^E!V*=0x2LY5uBovxI0wq|v52vVFh;I^e%FdSa#>39wet$>;a4X<&jN-M z&?IFR2?MbPk^0N2%Maasv-^Vq=VxcjUrg(b4ULhLATaL(lOQ956Ju!g1u?1Eh!?wO zukgM8`TA?&DQ(y46}jE_gwLK7>(4shVu?V_`R09W&ThRNd$O(zEc>;3y?)|~<WH&h z>wP+eI{Y_h-u$nAfNT21{;=PjM^@~fq$^##;n-@kFVk`qINo!~rK!03r!zR5U=JxV zwqCY&xAOe7w~Jf~On&pdV*Go)qU8SawV~VNeZO6^f6#VL<+#&IVG$Qo?``)_CamG9 zzd2da``w%;o=h_?CsfDmxoV)#e$K_|2=~l?&*uNxP|+5cdr@cZv1z|sn|8D4e@|+7 zpLDDK8{e7<JHqx>+J9=uTYPgTf2<X|?8M1!-kLrS?`(bez<BQF(`FOB|1I3|?!!+2 D@sQ1# literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/www_digicert_com_2015.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/www_digicert_com_2015.crt new file mode 100644 index 0000000000000000000000000000000000000000..2a3db77fb0786ad3e54f1bcd3a75d19b5765dba5 GIT binary patch literal 2144 zcma)7d0bO>5`R|$2?PR(0YxAv0&@Nm!zs1}f?O(;a1~rMg_uMj&?Fp@6(!aHg=#6s zQp+Wx6%pI2rBLfpgOwt>RX_pjhea&VMNv_Z6|j8|#g+A+&0lY3zBAvMd71A6YTeC1 zt;4TH5g0+}n3gv+UGe328@??r1%mwV0gX(t*92;w(O_7Q1c7vp9-xrXNQ}%tA_bf! zfI%2khCW{^mime0N_LPefwL5t5N<sNJu@@YIS~&f;34OP)D#X6aETDgaCn^|2=w8y z{j-!JS)wSB9VJYbCJL3(R2f?!l4pqIY(F1hVM62ZH~`O{|Ha~_8*X}VxP%=G)UY1M z9GDT64fUB}a%qN8DPo7p#X^~M$9ypk0~nF@9LO*RtKGd37=7LU8%~6QMJk1og|SEs zeOIohr|TMbC!CtgF$Q#kfx@5&(xrHPR{%KHV8u(H8P^Q}cC<*L#AgvDq${NvB6gTi zo|Gw6aSVVyfihx{Ja~Y&X7LhfK#vIOz9N5R>M*bkB8ik^0+tX_D#Ku5VUEO(ofnpj zzP)6iMpnG};$RYlsu4p7_fruy0z*d&POU92jn0!(;<j9I^tG>kaB+^E?U=CZj?Vd+ zpv@1K*QKe_FY-Faj32$1@74P6)pbVu1%t?79yS%zs%hS}H=Y_3pglX1WTjJe`(bn; z>zc>op}Y5D=`EgTs7)Q0=zF~mriy<t)yAFNa0G7FhMmi4S9N#`;*qQq<y)exPStzA z`y%L)iQ=%VVe7H8EG+7I#EmPfF8onb@XI(o51zPO;-qz{{<YHAx{6{wwYzPU_eHF; zjaFe7ZgZT%+jl8#aB`-kh3CY78fK}XewpZRL+bYLkfV1jb}y?Gkh9y}IB5Tt$Tr&Q z3*nV3%RX(0ENe4D;trXOt4_*-w{HyQzvEe5NW1S*62JLWs9^sl`>b!nBSL1jm%0j3 zvTBrExi2>^$!*}m3%_eUtff=x($U?};KxjJJ4N9iKQu><95E?6k+$R<_OM;owr{{I zM_fdvy<bWybFsbmQ+IuQM>(V52C2|bGRw(pXr9mp3=Q-xWrVhp8a}B&J1%{`dPp%6 zGD__?tGq1<+g9fA+o-1*^SMvgZ2$15m}BmB<A9%St8PV{4ITGomxmwOQ}Y2S$-&fT zN9>sbGk^6bvh32Ve{G_SEkD}dcRH%OcBgL7L}{+`!P8V`l$DLP%{I_Gtmh+t*AVv= z*;1S2+bx?W9@kAL%`7`HJQioMqz6G^2tK4nHvu&o3@q{gm-$M}6tH$P*L8&*zFFHe z{v>!SRn%qGJw1KX5SSAH1B`_+rw@H4Z0ySnS-S1B%QZta!{6|&$RLLZ8)2CsUH#U* ztM%W!el;^8RfgZWa*-yeO$e1pmE$rYTO2S>PJPQq7p6%Up@0FwZwSMGVi<~$YG1ay z3S$8#Sr<Qe5=jSzUq2xroq$_nGLQ^-wcJ{uah52RX<jZa3G(DMiz>S)Btou}D8orH zFGNmajx&yVJB#=KWcd=bY-}y?1ny+YR!tzRnM+1sU=QpTnnPgLa-tUn-pv0Br;A^h z0OaN`Kw%jBJJ<oN7i<7)Oka(WnxIHq)DQ@NjY2f*7lsuQlB`$+bXiasLXj5)`M-Mn zQjYz6@Fghc^~{_>EFA&3u)rvpIxns_RS1S)xlgg&$IwG41FCPOe0JJ2hM9MUQP(L> 
zqk6kmVE-{2Xc@}9YS2#mjSfL@5dHbt0tmuTC;<2)>}|Kis;9@gT7IrU;qzDT?{VvH z5B<r%r*DoG(Uh9L;vixLwUj;fLkH@OFmG!{Z?4q3>IPQ6u}QG5YP&U)yRowvN{1v< z71Nf9>T_O2<E?h)8)iRx|8L@wZvJ(u`1qO7(3!SZysCNL^?;ACjd%w>aI9L}Rd^uA z)ZIGrNtHoIMS0Tx%XRm9&qLSVo5K;-MvWitI+_0{CGEmot?0XEbiE}VJeW+$DaihT z%}sn$bMcQQs)k``hjF)^*48t=5d;UX8*a+FHBuFOrR1L%LGg>L`6Acy%J`JQyD3o4 zT}5NB?LU(4tZ&fuvCuP(+a5PPTc17|KN)`iaAOi{C4XR)X*Y8He5aGV4zyJt_`S%g zd2?ztYj$GK@UztsU&ZXxe6ug^N%yj^p+xr%7n%o;RUW-FGKJz29bl{9g&1tzR{VK@ z(Q&LlK~v1V{#@kveMX|a;i^3*?;7Mk8=IVz07<8cyAsvC56npJOjXIF2OsA5Hk!6o zh_7(Z@sIBR@z0SjbhN*Q(EKNk^nUC&_O#sFTT+x8s<x=QomJ}_Q94nwCCDn;?01br Q#IaKzfx>t88tx4H3jibon*aa+ literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/www_digicert_com_2016.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/www_digicert_com_2016.crt new file mode 100644 index 0000000000000000000000000000000000000000..5f776ff67e32ed594b78527c4d8b7f290dee2a2f GIT binary patch literal 2297 zcma)7dpJ~iAD?sP7`GXhW{{U**e<l;cg8)kZZlYg+?8Z7FH;&C;}TNlZ6}sjrmZKJ z%_UvdzH3Fxx<sa{NE=F9cyf8IwtD6AFeJQZh|SwS?|Gi{Jm-7;e7~P_exCyba??N{ z+h2l*AsAMX{qAjM(Ef(d!@AEU%~p9ZAQ9xZ30;K}5(FvA;6Oa82;>QPKZHPr{d`b0 zK$aQ`WTG=ClH<hY@o8?{a8wg$NZpELmBhqE;|MGij)jcFV-BNcfG!Q;$zQHj__#XI zX^bR3n;XH7p!u_+IT0*ACx%P&Ve=B$JerdO(9s~F7QhTO1<Ti7%(McQC>^Cs?Y%$% zDWX)MCGD(Cq<HZ-2`oOF=E;j>aXHD$%}_E>B`AJLfDlMvX$wR6wfR4B!eqpc&x%@I zONLA|r(0W_n_3zH)Qpa904h=hd9u7uJO}G<4gk6d=&$&+=oSFb0@!hUY!`NTJfD-m zrg^b=hZ0#wQ6)f>W~q{8tjvI!>3R}LKv5c$`w0HglqDm(*ijr*1E@)(3S^~K!nR8} zHeMwe|2fG(0PBDH;vg9uUH~iOFuwvUfFWGHoOK4m%X)BddhGgSac2hQI%lwiup1{4 zh1)kfMwqDoBX1EWv>!e)tM)9=_l4C|X2MC*O~;1JMN|DPe00~hZJwdG{Qqr~IRf^$ z1f5qLI{fet3stkbNKR#+L09AaAJe7n?kVMN?5h_FXo=p$G%;h7HsNf~?rRUWZzhYT zBuA3(0kL}H3A@YYGn%f{`;P(&<2qyQ&&obqvIN5RLzX|x-KjyU62A9fCh5AD<&ufU zvF3%or!w>BM!I$0ox3d5m@}-%#xE7b##fR$=C2o~{O%VU+(65}b2Rr1F`7HA{?Ez3 zovya89#x{WhkP4yxHUOXxl4UMy`6JQ-nKRW_$BT5ONEw8z0;u~u~tv~PjcttN}b** zr*>%Uf1=8-?#oD_Zza*UWV<*%b$zJzs&_$dgLuJP;c6<?%0^w}cr7d?<I0$OTZ3nZ z>*$qXyM;;jh8<NI)Z$<c@zv?d`;J~XnW<L}i@wT1y=e}f!7bwV=`X%FDgAp$ljQkR z?J}WjF|+lDGkX{X-3Ed5-xiXBYp+@5YbKPA`w;XP{&&I*eOpfkX2+)$Ol~HtJ-z*K z_A>hG=0EMcvXAYqWEn8GYl`a+9JBjRur8-4xY&Qkxu%J+WH*MMMxCT9r%iwS?Jp3< zqI-_-HSO{XnOj6lHTB)8y)DP6zY}e0@Gu_2L1hB`C=lR>fiCuaQNKVo0`(J=o!wrS zdrB(CroIkUV0Y_1nVs!X22^Q+5~7Y!YAuGB*v>QBt$n|Sr3-HR_DBY`K)Og8S4Gk@ zLAp@z*^w6zKNSE0B|L_U9d-UXSrBMQg(8NBDFt_ZU_*4wXFe5HEN6X|a$?*%2T+oZ zqzpkz2!e-YN>*0bjHm+&K@JlE85vnTwDtspcxk#W!UfU5tb|?ygvL>Pe(VktlW<<N z>AKD)aZxO~5j(*sZdsg+B2i;3=kqGF|EJ1b3QI$rfg`Xa$cGADA>l$a41sOHV0Abc zQrDKw5{C`*zhY|Q<mCfo2{MuCL<j=u8LKrAgrtIGuxZr>kZ|M2ePY7nV%JRuyw|c| zA#-(WmQ=6TQ);p*KT^3~RqMaRdPS?9956Qc%VI|*OWB73raI7Zg2J-$_8f%~7!g1* 
z*nJ4%;1Y0`>g98P*%(MU)kwbhFfvxb);tfH(|TDqoY<k%O6pU=;UHhtftETP4#DGG z00Y*;wGG%yblaHX^rE4NfuZ4?q@9Dwp$c{4ZC#=W?R!lunC7_a&9npb!ox~@=xb(> zw(PUfQLU<+DW91~Z8K%&;5>#KHIp~18zE@kkv&##K;8A>$e#U?-#u~eREYek(bIGO z&I<0$rZrp|qhWj>%q$*%IZ=b>JvMyvHjDTYO|nUk87Sy~_ft<DHrZ*yUE4QXS}!24 z;b`M&mGXca6~65*$yr5HIV{T|k7!&X&YwakFnM<CZTIwGlXJD*eP%-ajeOPMmUn0K z{CYAU_pjiJjh1m;0Tb(5?qhkTkvjFL=)gCn9T(sKd3Eu(4{nABj!cVeoUguyl(3ZU z=N+vN+Rm#rr{1f`urmA#84Y#e-BgI7C{w0Rd8)nt^k;zm#qk0N!kuAy-`p5-E25?H zc-)2j-Ndjge7|H{&cT0GUm0g4o&%+|2W>pTfq<Hj+g&bud|Y-as=z(s2hB}CCO@|C zyh!q<DVL9oJrByb5*BziHEbZvP@7xYpX5@%^=A>oHR`EE?jWhpp?<4t<~QXzCK@N& zbt>coh>AKA3-nDjkJ}qauia2H!SgVP_kGlGWAQH0ZJ!ZgkTlq*>15=j`nt;caU|7X zh*6l;Pjn!jzY$b8>K7@>)ts!dX2?h!%xs0N&9S+f`r~?$teSH*@*gHrm`qk#A9}KX r<o$?o-n7UgO=sS=+IH*qw3P6lizdF>ch^tU*(%;NCj3ylH=gxhI<i?G literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com.crt new file mode 100644 index 0000000000000000000000000000000000000000..32b46fcebaa22bc99e6d20fd5fef2447ffc7480a GIT binary patch literal 1548 zcmaJ>Yfuwc6wck<gggu+Y$R2Q?1)$!G~CTYjbI%HQ4|H7h(R9el0=B))!jvij}cdi zTHB!xS_j7}_1S8vmQh<NtwJk|TCKI9Gaa>K!BJZo9r4jotKCh7iJeaO*M8@G=bU@L zbIygFL<%|Vej|zi1W`%Ny|%8&<@UtG&%Q8S$Xp4P5}7`f6?&osKr9x)H7%q9$|Pt$ zCc%+>8>xju1t7<x=euaP&0XdjN6hp&3}gb-2@VAwH{c-V(UlBK<ha->KV3nlLhC;S z<2)DbWeEQgqLOhD6ibw|Y=D`Zl2TPwWmv{%W%#THhu@n*2Pk5!<1ILWG()2hjN-|I z*)u#8!w@DSvzm4JoGvFZpYph!6zlf;2%Bv-k&zBZYL$GXnY6(0SI9#P<Wm_<7OTZt z2st1laj2Fkk|h8G+{82lpy68%gW5<Vf=j2lJX94$yGR`zA)F)z*W}UeWfbcoa_KV4 z=UyJJOsZhC;1=UiCP<o%6DGbcpHPi=t2J_~g*1`ljnGJjkH8zHxIBZu!V*92b5o=m z#t6(Pjnqc@h*^HdMaDsmV3KK+Mm~zjAxK_c8%qv_xL}uShU8JfJj(N`BN`Yhm=zjD z#<U#5Rv8HRX?CE2s3uyFJ3s{klt&Po7h_ap^MP1|av(;;+vNxcfau%Lr_X8dc|Dfw z4aP}dU%e>XdU1R2gj>7hM;=_c1WVC`rjCbR)w(Ca5v}a0PkOi)UGjRvl<e5iO-+kR z`r^;T`|%aOwI$_DUzD3_C_L9zc$E9GX^-o6$aJhvSKV-+v-_#a@JyYPSRnau{X3O& znfGEIo?ThDIVp%=J#zoLGzuu3KiHSXhDx<>mz*e_Qm{hrd%Pc}BhT+TX;XLi)C%vm z{x<65q|`&{GrHQ*E2#_YAKmy^f4Tbh+L9^P4wh*D+H(2k@_UG*V^7EUB9nB}qkZVn z7Y}rYPA=T}Rkf8!E~j#P8y*~NpOc++uDo3}_38GO(@Sl2qx!F$>D$|lpg;unaNszv zNHZ+srPZmi#c(0_FCn?uayP^J>0pGo+z|FP<cLJkte1(zLj>$9rGnwM2)n1lF$9Xj zlckFR;3bBkh`2GlaJnQ+7z-&s!D4X~3I_iWxI~B~utl&07D*I~Ls=m7XC{c!O5kjm zIKV?doOWRUoCYT7b(Drz&k<l?(jW<e!-oGSjo(n1Ak<03-hgp6n&<E4wd_2RRJbC) zHg~JYQFo`HA_FE1gam9f90iHSk&W@8;X*}z;TbBTA`cw22igaU0)S=1nSAzFcY`2= zzaHld3p8esfc#HlHgdN4hmD_YAX+9p<b3>4(YxlG1<h~oef|io#1<?)_9E7-$98Ny zf9^(_hp=}2?tjy~x->qMR$EVH9@JZkk4t)_2kNAUYnoLT_KhuypP8@zqe5TPChOzq zth2*5-864W%NtWwG2GGOcl=b)m#q8pfDcP*_-+gO!QGhI^=mDmp1?X~+J(b8HM4%+ zJT>2xl2EojMYcQrlxo(v?>991>&M-jbcyP`+dpyD8RNd<ky+8To*DYp9dKd$W5czc zIiJ0}mo=tyE<3|GU2%T7yrk&#`+eHh>$286^`EY+-LYZ++SbcA6U3@tn{#)c-X_{) c?^NFEwA<IO!gm!HKj}X&+NiAEzB};C-vE*H$^ZZW literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com_issuer.crt b/OSX/shared_regressions/si-82-sectrust-ct-data/www_paypal_com_issuer.crt new file mode 100644 index 0000000000000000000000000000000000000000..459373be94872c6cf99e61b0550d14e82f28497d GIT binary patch literal 1512 zcmXqLVtr!J#Byc<GZP~dlR$KN<T3G<hjGW%4;W3=)W|mAW#iOp^Jx3d%gD&e%3#oV z%8=WDlZ`o)g-w_#G}utwKorE`66Om_Ey@heOwZF%@XSlrGn6-w1xauVi@_umLW)X@ zOBDQ4OUm<$vJI^aEFcODHIg+Ij0_CS6ksYLMkweixaAiqB$k$B<QHXDrKTv97N;uY z=jBuyx*9lx^fC+Ez_chh=Oh*vD;O&TlqTh5CMyIKW#%RpRVp~A7L{bCWhN(<Waj57 zI6}-SsRWwsZfYPW&TC+1XlP(z00vRwyoMmIxskD{rKx3<LE|oJdDhy%65?5-kkq2w zVuk!PuxAoW6f#Om3W}}t^~=l4^~!)jSPTq8z2y8{{i1?I1z^Yk9cW@;1o5plhHqUf zN>cMufI$<Mn3I_T@nmqYkAkzKK@+1Aa^x|xGB7tW@-qO%xtN+585w5WUJ&|v&R_A$ z$FuT8WH(07P;M8?YcHF#)xvt~f~qa-$()kUv^qRiKA*eIAc|u;&zn_G#4?MLlxO{} z3elKxlt*{_b){`5ep-khzkAEjZPpZ#zIpE|7Hn6#;u$jC_i0J=q&;tPbnZVtxJ_Cr zG&_xhx!!gCEaQ&?2Xbb5O;R!B$i2&CmsnO&vF&Z0`MR9Xoe#G^yd!#Md)WMj1shrG z{me!GZ`YUWXS1*m*q*7ecxzg`nN*O6b6U{-MU(t5OC;=j{3=eekahn&nVgIw)%?xX z#V2$33jLq$XcYJ5Mcq;E#Xcz){r0GFr2dwi9#Qeoc>miByN&9u`3D}onV$JQ=JNMI zCT2zk#>GvHmw+L14xCtJ`B=nQME-OI?3%YzHL5za)qg5Oa{tSSY-a-@U<AktGcx{X z;V@tWQcR2t2DTtE1r{>{Q2ej}nG6P61{!P}+HAm_!p_7fCWA9>lM9L=+T|hI7Z@zi zYtsQK2c`tqu;A3>(xOz|<f0tZBvFu@XsnxVst1%X-~-vt4{{L;Fz2!v2(ob|w0SVL z{cvJrgbL-t+``Dil4uaWFm^$-L8L*rL8urfFmt4*>ZfO>87Laa8?dvnYV$EONwJ9Z zKfNr~wx+i)`|$aOtScT8I@OYT2C8DpP^abOr{|+OsjL_*1~N$#<RU>9B?E;eat1Pn zQU(%00bm{#1ZPcSXGbFg6AN8KT@!Pl-=U!dbgQ9(zJV@`Z@}25h#n02$;AaImKw-| zY*J>CFc51HslS}M{LtMuyFVCkes;F}#kAho&=@)00}Cx+x@TmVw&+*=GuyXUw9jo9 zwLehA9N)c5Y=Y|dL(MmimzpGJ2nF*5cUGSa<6M5&%*BuILQ>M^wqGw6&NfN!4OSAj z`@7~{x}Ni+*m~oZPm2l;<TXt{VDeY>m~#EwXB&=&JGX4Qr~C23HxGG{!thON3?EKc zQ9dagTk_QHJ!j3lhcgYiI4Y(43+Iccov=9nu4no-ww=XpPcBb6_%vawYN_tcOv5*4 zryX8g_V-1J%Nn7bzWW1T?7ZUQr+#{!!o@nRnr+GM^U8KjzaaLUJ16(MbG|XRra}3y zxj(=9?I_!PR$|Lfh4;3%pPgDe`-0!4_LaQLT#5tk7DT^YTj#Y$>FNr#Cx==Ucy9s# Da6$|! literal 0 HcmV?d00001 
diff --git a/OSX/shared_regressions/si-82-sectrust-ct.c b/OSX/shared_regressions/si-82-sectrust-ct.c
deleted file mode 100644
index e33e85a3..00000000
--- a/OSX/shared_regressions/si-82-sectrust-ct.c
+++ /dev/null
@@ -1,1300 +0,0 @@ -/* - * si-82-sectrust-ct.c - * Security - * - * Copyright (c) 2014 Apple Inc. All Rights Reserved. - * - */ - -#include <CoreFoundation/CoreFoundation.h> -#include <Security/SecCertificatePriv.h> -#include <Security/SecTrustPriv.h> -#include <Security/SecPolicy.h> -#include <stdlib.h> -#include <unistd.h> -#include <utilities/SecCFRelease.h> -#include <utilities/SecCFWrappers.h> - -#include "shared_regressions.h" - -#include "si-82-sectrust-ct-certs.h" - - -static void test_ct_trust(CFArrayRef certs, CFArrayRef scts, CFTypeRef ocspresponses, CFArrayRef anchors, CFArrayRef trustedLogs, CFStringRef hostname, bool expected, const char *test_name) -{ - CFDateRef date=NULL; - CFArrayRef policies=NULL; - SecPolicyRef policy=NULL; - SecTrustRef trust=NULL; - SecTrustResultType trustResult; - CFCalendarRef cal = NULL; - CFAbsoluteTime at; - CFDictionaryRef results; - CFArrayRef properties; - - - - isnt(policy = SecPolicyCreateSSL(false, hostname), NULL, "create policy"); - isnt(policies = CFArrayCreate(kCFAllocatorDefault, (const void **)&policy, 1, &kCFTypeArrayCallBacks), NULL, "create policies"); - ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust"); - - isnt(cal = CFCalendarCreateWithIdentifier(kCFAllocatorDefault, kCFGregorianCalendar), NULL, "create calendar"); - ok(CFCalendarComposeAbsoluteTime(cal, &at, "yMd", 2015, 3, 7), "create verify absolute time"); - isnt(date = CFDateCreate(kCFAllocatorDefault, at), NULL, "create verify date"); - - ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); - - ok_status(SecTrustSetSignedCertificateTimestamps(trust, scts), "set standalone SCTs");; - - if(trustedLogs) { - ok_status(SecTrustSetTrustedLogs(trust, trustedLogs), "set trusted logs"); - } - - if(ocspresponses) { - ok_status(SecTrustSetOCSPResponse(trust, ocspresponses), "set ocsp responses"); - } - - ok_status(SecTrustSetVerifyDate(trust, date), "set date"); - ok_status(SecTrustEvaluate(trust, 
&trustResult), "evaluate trust"); - ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)", - (int)trustResult); - - results = SecTrustCopyResult(trust); - - CFTypeRef ct = CFDictionaryGetValue(results, kSecTrustCertificateTransparency); - bool rv = false; - if (ct && CFGetTypeID(ct) == CFBooleanGetTypeID()) { - rv = CFBooleanGetValue((CFBooleanRef)ct); - } - ok((rv == expected), "unexpected CT result (%s)", test_name); - -#if 0 - // For test debugging purposes: - if(ct) { - printf("CT result:\n"); - CFShow(ct); - } else { - printf("no CT result\n"); - } -#endif - -#if 0 - // for later: we will want to check that EV result abide by CT rules - - CFTypeRef ev = CFDictionaryGetValue(results, kSecTrustExtendedValidation); - - if(ev) { - printf("EV result:\n"); - CFShow(ev); - } else { - printf("no EV result\n"); - } -#endif - - properties = SecTrustCopyProperties(trust); - - CFReleaseSafe(policy); - CFReleaseSafe(policies); - CFReleaseSafe(trust); - CFReleaseSafe(date); - CFReleaseSafe(cal); - CFReleaseSafe(results); - CFReleaseSafe(properties); -} - -static -unsigned char CA_alpha_cert_der[] = { - 0x30, 0x82, 0x02, 0xc7, 0x30, 0x82, 0x02, 0x30, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x32, 0x30, 0x36, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x32, 0x32, 0x30, 0x36, 0x30, 0x31, 
0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x52, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, - 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, - 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, - 0x69, 0x6e, 0x6f, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, - 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xee, 0x58, 0x5c, 0xf8, - 0x95, 0x77, 0x15, 0x42, 0xcb, 0x3a, 0x42, 0x07, 0x31, 0x69, 0xea, 0xa6, - 0x7e, 0x73, 0x1c, 0x7c, 0x68, 0x2a, 0x07, 0xdc, 0xc2, 0x15, 0xed, 0xef, - 0x06, 0x3f, 0x94, 0x56, 0xa7, 0xce, 0x34, 0x59, 0xeb, 0x9f, 0xa8, 0xf1, - 0x12, 0x18, 0x57, 0xc2, 0xe5, 0xce, 0x69, 0x30, 0xbe, 0x6c, 0x45, 0x89, - 0x9b, 0x1a, 0x74, 0xbf, 0xe4, 0x33, 0xca, 0xf7, 0x1e, 0xb7, 0x7d, 0x94, - 0x90, 0x73, 0x51, 0xd4, 0x01, 0x22, 0x4f, 0x4e, 0x9d, 0x78, 0x1d, 0x7c, - 0x18, 0x3a, 0x99, 0x64, 0x9c, 0xf0, 0x10, 0x7b, 0xd2, 0xe9, 0x86, 0x1f, - 0x45, 0xc9, 0x86, 0x6c, 0x48, 0x5e, 0xab, 0x3d, 0xfb, 0xa6, 0xef, 0x45, - 0x5e, 0x23, 0x66, 0x8a, 0xd1, 0x61, 0x5d, 0x6c, 0x5e, 0x1d, 0xcf, 0xcc, - 0x54, 0xac, 0xf9, 0xca, 0xa8, 0xa7, 0x2d, 0xd1, 0xbf, 0xd8, 0xc7, 0xde, - 0x12, 0x68, 0x86, 0x5d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xac, - 0x30, 0x81, 0xa9, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0xdc, 0x16, 0x44, 0x15, 0x3e, 0x53, 0x27, 0xd8, 0x68, 0x66, - 0x41, 0x40, 0x88, 0x90, 0xe4, 0x4e, 0x0a, 0xda, 0x08, 0xa9, 0x30, 0x7a, - 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0xdc, - 0x16, 0x44, 0x15, 0x3e, 0x53, 0x27, 0xd8, 0x68, 0x66, 0x41, 0x40, 0x88, - 0x90, 0xe4, 0x4e, 0x0a, 0xda, 0x08, 0xa9, 0xa1, 
0x56, 0xa4, 0x54, 0x30, - 0x52, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, - 0x11, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, - 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, - 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, - 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, - 0x01, 0x01, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, - 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x96, - 0xeb, 0xd2, 0xcb, 0x18, 0x96, 0x4d, 0x63, 0xa5, 0xf4, 0x41, 0x18, 0xd6, - 0x52, 0x2a, 0xcf, 0xb2, 0x13, 0x5b, 0x44, 0x95, 0x17, 0xc3, 0x93, 0x4c, - 0x9b, 0x37, 0xdf, 0xa5, 0x8d, 0x9f, 0x34, 0x63, 0x93, 0xb2, 0x13, 0x28, - 0x0c, 0x17, 0xc6, 0xe9, 0x1d, 0xa9, 0xba, 0x4f, 0x7a, 0x58, 0x8d, 0x61, - 0xf5, 0xb4, 0x36, 0x25, 0xf9, 0x14, 0x38, 0x00, 0x53, 0x97, 0x98, 0x2e, - 0xd3, 0x56, 0xfd, 0x5d, 0x47, 0x97, 0x5c, 0xeb, 0xd8, 0x39, 0x2e, 0x77, - 0xd9, 0x44, 0x43, 0x8c, 0x11, 0x10, 0x93, 0x84, 0x41, 0x02, 0x5f, 0x85, - 0x28, 0xe7, 0xd3, 0x78, 0x76, 0x21, 0x82, 0x4c, 0xf5, 0xee, 0x87, 0x5d, - 0x9b, 0x78, 0x3a, 0x88, 0xeb, 0x65, 0xd6, 0x65, 0x76, 0x23, 0x32, 0xbf, - 0xaa, 0xfc, 0xe8, 0x9b, 0xad, 0x8d, 0xec, 0x22, 0x3b, 0x44, 0x4d, 0x8d, - 0xf8, 0x9b, 0x68, 0x2b, 0xa3, 0x53, 0xae -}; - - -static -unsigned char CA_beta_cert_der[] = { - 0x30, 0x82, 0x02, 0xc7, 0x30, 0x82, 0x02, 0x30, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 
0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x33, 0x30, 0x35, 0x30, 0x30, 0x33, 0x34, 0x33, 0x33, 0x5a, - 0x17, 0x0d, 0x31, 0x36, 0x30, 0x33, 0x30, 0x34, 0x30, 0x30, 0x33, 0x34, - 0x33, 0x33, 0x5a, 0x30, 0x52, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, - 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, - 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, - 0x69, 0x6e, 0x6f, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, - 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xca, 0xab, 0x48, 0xae, - 0xd3, 0x7a, 0x27, 0x8b, 0x7c, 0x11, 0xb5, 0x73, 0xdb, 0x23, 0xba, 0xfc, - 0xb3, 0x7a, 0x49, 0x92, 0xd3, 0x2d, 0xbe, 0x31, 0x6b, 0x53, 0xd3, 0x78, - 0x8b, 0xf3, 0xc9, 0x77, 0x66, 0x53, 0xb1, 0xa2, 0xd8, 0xba, 0x85, 0xd3, - 0x6a, 0x2e, 0x9d, 0x68, 0xc1, 0x3b, 0x69, 0x6a, 0x2d, 0xf2, 0xc1, 0xc3, - 0xce, 0xcf, 0x38, 0x56, 0x92, 0x1a, 0x47, 0x9d, 0xdd, 0x59, 0x87, 0xb4, - 0x23, 0x8c, 0xbd, 0x0b, 0x21, 0x63, 0x19, 0x5e, 0x7d, 0x2d, 0x7a, 0x20, - 0xc4, 0x16, 0xc7, 0x29, 0x73, 0x0e, 0x43, 0x7b, 0xc1, 0xb7, 0xbb, 0xd9, - 0x8f, 0x24, 0x0a, 0xec, 0x52, 0x53, 0xef, 0xa2, 0xb2, 0x77, 0x8f, 0x38, - 0x52, 0x5e, 0x2f, 0xa0, 0xc7, 0x4d, 0x98, 0x66, 0xc1, 0xb0, 0x55, 0x03, - 0xb8, 0x6c, 0x32, 0x65, 0x67, 0xc4, 0xbd, 0xd9, 0x86, 0x83, 0x0f, 0x40, - 0x52, 0xde, 0xcd, 0x8b, 
0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xac, - 0x30, 0x81, 0xa9, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0x64, 0x1f, 0x09, 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, - 0xbb, 0xba, 0x96, 0xf9, 0x73, 0x65, 0xad, 0x6e, 0x84, 0xbd, 0x30, 0x7a, - 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, - 0x1f, 0x09, 0x99, 0x2d, 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, - 0xf9, 0x73, 0x65, 0xad, 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, - 0x52, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, - 0x11, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, - 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, - 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, - 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, - 0x01, 0x01, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, - 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x0b, - 0xea, 0xec, 0x19, 0xeb, 0x6f, 0x3d, 0x01, 0x28, 0x95, 0x40, 0x1a, 0x51, - 0xff, 0x62, 0x1e, 0xfd, 0xc7, 0x91, 0x61, 0x6f, 0x46, 0xca, 0xe1, 0x80, - 0xd7, 0x0e, 0x31, 0xf6, 0x16, 0xd1, 0x6b, 0x5e, 0x78, 0xdf, 0x02, 0xa2, - 0x8f, 0x35, 0x6f, 0x1e, 0x71, 0xd1, 0xd7, 0x4b, 0x5d, 0x4d, 0x7d, 0x0b, - 0x85, 0xd1, 0x7c, 0x4b, 0x84, 0x70, 0x22, 0xb3, 0xbd, 0x9e, 0x94, 0xaa, - 0x31, 0x31, 0x94, 0x81, 0x3b, 0x11, 0x03, 0x4d, 0x2a, 0xff, 0x81, 0xac, - 0xef, 0x95, 0x94, 0xf9, 0x0a, 0x73, 0xe9, 0xd0, 0x78, 0xbb, 0x65, 0xb1, - 0x5c, 0xcb, 0x1c, 0xff, 0xd4, 0x5b, 0x43, 0xf1, 0x12, 0x1b, 0xb0, 0xc1, - 0xa6, 0xb4, 0x7b, 0x82, 0x4c, 0x64, 0xa1, 0xad, 0x88, 0xe2, 0xe9, 0x89, - 0x62, 0xc0, 0x93, 0x8c, 0x0c, 0x42, 0x6c, 0xed, 0x12, 0x47, 0x16, 0x5c, - 0xba, 0xcf, 0x2f, 0x17, 
0xdb, 0x07, 0x95 -}; - -static -unsigned char serverD_cert_proof[] = { - 0x00, 0xab, 0xa8, 0xb5, 0xb4, 0x7d, 0x00, 0x00, 0x1b, 0x46, 0x58, 0x28, - 0xc4, 0x0a, 0xc7, 0x0b, 0x03, 0xf6, 0x91, 0x70, 0xa3, 0x5f, 0xed, 0xc8, - 0x74, 0x40, 0x3c, 0xd0, 0x58, 0x1d, 0x3c, 0x8c, 0x16, 0x00, 0x00, 0x01, - 0x47, 0xdc, 0x04, 0x70, 0x0e, 0x00, 0x00, 0x04, 0x03, 0x00, 0x46, 0x30, - 0x44, 0x02, 0x20, 0x71, 0x55, 0x2f, 0x75, 0xa8, 0x3a, 0xfd, 0x01, 0x34, - 0x44, 0xc7, 0x84, 0x71, 0x8f, 0x1e, 0xc2, 0x36, 0xe2, 0x08, 0x07, 0x92, - 0x2b, 0x9f, 0x44, 0x0e, 0x84, 0x16, 0x08, 0xe0, 0xaf, 0xc5, 0xb9, 0x02, - 0x20, 0x29, 0x3e, 0x0f, 0x63, 0x5c, 0xe7, 0x0a, 0xea, 0x1f, 0x96, 0x4a, - 0x11, 0x86, 0x72, 0x06, 0xa5, 0x25, 0xc4, 0x5e, 0xf6, 0x92, 0xd8, 0x08, - 0x98, 0x17, 0xba, 0xf2, 0xfe, 0x50, 0x62, 0x36, 0x29 -}; - -static -unsigned char serverD_cert_der[] = { - 0x30, 0x82, 0x02, 0xe4, 0x30, 0x82, 0x02, 0x4d, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x13, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x32, 0x30, 0x36, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x32, 0x32, 0x30, 0x36, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 
0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xba, 0x00, 0xc4, 0xfb, 0x3f, 0x9a, 0x86, 0x43, - 0x1a, 0x26, 0x99, 0x9d, 0x19, 0x67, 0x27, 0xaa, 0x44, 0xd4, 0xba, 0x2b, - 0xfe, 0x7b, 0x32, 0xe8, 0x2a, 0xc7, 0x89, 0x36, 0x41, 0xd7, 0xaf, 0xf4, - 0x97, 0x4d, 0x41, 0x7b, 0xc7, 0x80, 0xba, 0x79, 0xab, 0x9c, 0xeb, 0xcc, - 0x38, 0xb7, 0x83, 0xdf, 0x62, 0x7e, 0xaf, 0x6c, 0x32, 0x57, 0xc2, 0x41, - 0xea, 0x73, 0xa9, 0x45, 0xf8, 0xbe, 0xc2, 0x26, 0x0f, 0x01, 0xec, 0x3b, - 0x02, 0x24, 0x7d, 0x39, 0x5c, 0xa6, 0x9c, 0xdf, 0x4b, 0x1f, 0xd5, 0x4d, - 0xd2, 0x5e, 0x9f, 0x09, 0x4c, 0x68, 0x11, 0xa3, 0x02, 0xb1, 0x65, 0x42, - 0xef, 0x67, 0x25, 0x30, 0x93, 0x86, 0x6f, 0x37, 0x1c, 0x83, 0x62, 0xd1, - 0x24, 0xfa, 0x89, 0x4d, 0x00, 0x8e, 0x77, 0x6a, 0xfd, 0x79, 0x85, 0x3e, - 0x59, 0xed, 0x92, 0xdf, 0x8a, 0xa1, 0xca, 0xfd, 0xfe, 0x1b, 0xf7, 0x1f, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xa9, 0x30, 0x81, 0xa6, 0x30, - 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xf4, 0x42, - 0x90, 0xfd, 0x4c, 0xcd, 0x26, 0x10, 0x0b, 0xd7, 0x34, 0x22, 0xad, 0x23, - 0x26, 0xa0, 0x6c, 0xaf, 0xaa, 0x6c, 0x30, 0x7a, 0x06, 0x03, 0x55, 0x1d, - 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0xdc, 0x16, 0x44, 0x15, 0x3e, - 0x53, 0x27, 0xd8, 0x68, 0x66, 0x41, 0x40, 0x88, 0x90, 0xe4, 0x4e, 0x0a, - 0xda, 0x08, 0xa9, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 
0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, - 0x03, 0x81, 0x81, 0x00, 0x7a, 0x06, 0xe3, 0x17, 0xca, 0xee, 0xe0, 0x67, - 0x16, 0xfd, 0xf1, 0xad, 0x9f, 0xf8, 0xeb, 0xce, 0x03, 0x57, 0x7d, 0x90, - 0x6c, 0x85, 0xe0, 0x43, 0x3f, 0xb4, 0x3a, 0x08, 0x63, 0xef, 0x79, 0xf6, - 0xe1, 0xa3, 0x88, 0x32, 0xcf, 0x8f, 0x2f, 0xde, 0xd0, 0xc0, 0x92, 0x0b, - 0x16, 0xe1, 0xd4, 0x49, 0xd5, 0xb2, 0x84, 0x2e, 0x87, 0xfa, 0x1b, 0x5b, - 0x95, 0x51, 0x51, 0x0d, 0x29, 0x88, 0xd0, 0x8c, 0x10, 0x75, 0xe3, 0x78, - 0xb3, 0x4e, 0x39, 0xc1, 0xe4, 0xd0, 0x22, 0xb7, 0x64, 0xbe, 0xc3, 0x9d, - 0xff, 0x02, 0xc9, 0x66, 0xc3, 0x38, 0x4e, 0x88, 0xde, 0xa6, 0x75, 0x80, - 0xb3, 0x17, 0xb9, 0xfe, 0xfb, 0x64, 0xec, 0x3b, 0x16, 0xcd, 0xf0, 0x0d, - 0x15, 0xbf, 0x70, 0x42, 0xba, 0xe5, 0xec, 0x1d, 0x2f, 0xee, 0x0a, 0x2f, - 0xd7, 0x37, 0x9d, 0xc6, 0x0b, 0x26, 0xf3, 0xfb, 0x13, 0x69, 0x9f, 0x09 -}; - -static -unsigned char serverF_cert_der[] = { - 0x30, 0x82, 0x03, 0x73, 0x30, 0x82, 0x02, 0xdc, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x15, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 
0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x32, 0x30, 0x36, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x32, 0x32, 0x30, 0x36, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xd2, 0x49, 0x0c, 0xd0, 0xc5, 0xa8, 0xc3, 0x0f, - 0x36, 0x99, 0x54, 0x00, 0xd7, 0xf0, 0x2a, 0xcb, 0x21, 0x20, 0x4c, 0xac, - 0xaa, 0xcb, 0x36, 0x20, 0x72, 0x78, 0x05, 0xd1, 0xc2, 0xf9, 0xce, 0xc9, - 0x5b, 0xbc, 0x38, 0xda, 0xdd, 0x27, 0xf7, 0x6b, 0x0a, 0xf0, 0x16, 0xe2, - 0xc9, 0x74, 0x8c, 0x47, 0x5b, 0x07, 0x91, 0xa5, 0x6c, 0xcf, 0xf9, 0x0a, - 0x05, 0xb3, 0x05, 0x6a, 0xbe, 0x59, 0xdb, 0xa2, 0x1b, 0x21, 0x29, 0xe1, - 0xef, 0x0d, 0x4f, 0xa1, 0xc5, 0xbd, 0x16, 0xeb, 0x8c, 0x45, 0x6f, 0x64, - 0x42, 0x93, 0x82, 0xb3, 0x6d, 0xff, 0x83, 0x61, 0xdc, 0xcf, 0x8d, 0xd0, - 0x09, 0x2c, 0x37, 0x87, 0x1b, 0x75, 0xf6, 0xb3, 0xf8, 0x45, 0xef, 0xe2, - 0xcb, 0xff, 0x6d, 0xbb, 0xe4, 0xa5, 0x29, 0xee, 0xc0, 0x78, 0x17, 
0x94, - 0xdc, 0x6b, 0xc7, 0x46, 0x01, 0x74, 0xf9, 0x65, 0x3b, 0x59, 0x21, 0xf5, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x37, 0x30, 0x82, 0x01, - 0x33, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x69, 0x9d, 0x9f, 0x7e, 0xd9, 0x34, 0x7c, 0xfa, 0xd5, 0xc2, 0x7e, 0x02, - 0x0f, 0x1e, 0x4d, 0x1d, 0xa9, 0x8e, 0xa8, 0xcb, 0x30, 0x7a, 0x06, 0x03, - 0x55, 0x1d, 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0xdc, 0x16, 0x44, - 0x15, 0x3e, 0x53, 0x27, 0xd8, 0x68, 0x66, 0x41, 0x40, 0x88, 0x90, 0xe4, - 0x4e, 0x0a, 0xda, 0x08, 0xa9, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x20, 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, - 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, - 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, - 0x81, 0x8a, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, - 0x04, 0x02, 0x04, 0x7c, 0x04, 0x7a, 0x00, 0x78, 0x00, 0x76, 0x00, 0xab, - 0xa8, 0xb5, 0xb4, 0x7d, 0x00, 0x00, 0x1b, 0x46, 0x58, 0x28, 0xc4, 0x0a, - 0xc7, 0x0b, 0x03, 0xf6, 0x91, 0x70, 0xa3, 0x5f, 0xed, 0xc8, 0x74, 0x40, - 0x3c, 0xd0, 0x58, 0x1d, 0x3c, 0x8c, 0x16, 0x00, 0x00, 0x01, 0x47, 0xdc, - 0x04, 0xbc, 0x5a, 0x00, 0x00, 0x04, 0x03, 0x00, 0x47, 0x30, 0x45, 0x02, - 0x20, 0x5b, 0x3b, 0xe2, 0x6b, 0xa2, 0xda, 0x49, 0xb2, 0xa5, 0x55, 0x1d, - 0x2f, 0x4d, 0x21, 0x2e, 0x2d, 0xf7, 0x59, 0xb3, 0x22, 0x1d, 0x90, 0x38, - 0x88, 0x77, 0xad, 0x49, 0xca, 0x28, 0x1d, 0x4a, 0xa8, 0x02, 0x21, 0x00, - 0xb7, 0x08, 0x08, 0xfb, 0x6a, 0x06, 0x13, 0xaa, 0xe6, 0x4d, 0x69, 0x44, - 0xce, 0xc0, 0x17, 0x8f, 0x3e, 0x80, 0x30, 0xe2, 0xd0, 0xe1, 0x8b, 
0xc0, - 0x34, 0x28, 0x8b, 0xd8, 0x85, 0xb5, 0x14, 0x97, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, - 0x81, 0x81, 0x00, 0xae, 0x8c, 0x7f, 0x63, 0x9d, 0xdd, 0xee, 0x4f, 0xc4, - 0xc5, 0x7b, 0x20, 0xb5, 0xe8, 0x89, 0x3e, 0x2c, 0xfe, 0x36, 0x0e, 0x31, - 0x1a, 0x38, 0xd6, 0xb3, 0xfd, 0x37, 0xeb, 0x26, 0xd0, 0x27, 0xfa, 0x04, - 0x12, 0x9c, 0xe2, 0x20, 0xe1, 0x61, 0xbf, 0xee, 0x60, 0x45, 0x84, 0xa0, - 0xea, 0xce, 0x1f, 0xf7, 0x73, 0x31, 0xd4, 0xd7, 0x87, 0xe7, 0xd5, 0x9f, - 0xff, 0x8d, 0x14, 0x32, 0x22, 0x89, 0xf6, 0x31, 0x38, 0xef, 0x1c, 0x36, - 0x55, 0x0d, 0x5f, 0x0d, 0x99, 0x36, 0x58, 0x6a, 0xa3, 0xff, 0xf0, 0xc7, - 0xe0, 0x5e, 0x02, 0x20, 0x9f, 0x04, 0x0a, 0xa4, 0xba, 0x1a, 0x1c, 0xb2, - 0x43, 0x85, 0xc2, 0xcc, 0xd2, 0x95, 0x8f, 0x20, 0x11, 0x1d, 0xea, 0x9e, - 0x10, 0xf1, 0x45, 0xd2, 0x4d, 0x95, 0x80, 0xed, 0xe1, 0x86, 0x71, 0xee, - 0x50, 0x0f, 0xb0, 0x73, 0x12, 0x32, 0xdd, 0x95, 0xc5, 0xb9, 0x54 -}; - - -static uint8_t server_A_proof_Alfa_3[] = { - 0x00, 0xcb, 0xbd, 0xa5, 0xa5, 0x4f, 0x94, 0xc5, 0xa5, 0x19, 0x3e, 0xcc, - 0x98, 0xa4, 0x8f, 0x93, 0x39, 0xf3, 0x01, 0x4d, 0x89, 0xbb, 0x41, 0x38, - 0x88, 0x49, 0x64, 0x91, 0x23, 0xac, 0x06, 0xcf, 0x8f, 0x00, 0x00, 0x01, - 0x4b, 0xf1, 0xa3, 0x17, 0xe0, 0x00, 0x00, 0x04, 0x03, 0x00, 0x47, 0x30, - 0x45, 0x02, 0x21, 0x00, 0x8a, 0x3f, 0xa6, 0x88, 0x76, 0x1b, 0x7b, 0x9b, - 0x30, 0x9b, 0x2d, 0x54, 0xe7, 0xe3, 0x1a, 0xda, 0xf6, 0xad, 0x76, 0xba, - 0x5a, 0x87, 0x24, 0x18, 0xc6, 0xdf, 0x93, 0xe7, 0x09, 0x67, 0xcb, 0x76, - 0x02, 0x20, 0x55, 0x59, 0xe2, 0x67, 0xe2, 0x9b, 0x9c, 0x77, 0x8e, 0x59, - 0x4c, 0xe8, 0x71, 0x69, 0x6d, 0x9a, 0x52, 0xbd, 0xea, 0xfb, 0xd7, 0x36, - 0x9e, 0xd0, 0x19, 0x95, 0x26, 0xb4, 0x57, 0xf8, 0x76, 0x6c -}; - -static uint8_t server_A_proof_Bravo_3[] = { - 0x00, 0x3b, 0x1a, 0xe4, 0xe3, 0xf9, 0x15, 0xa5, 0xa2, 0x77, 0xfe, 0x00, - 0xcf, 0x5d, 0xf1, 0x03, 0x50, 0xf9, 0x0d, 0x0b, 0x0e, 0x6d, 0x4a, 0x6f, - 0xa0, 0xcf, 0xe9, 0xa3, 0x76, 0xc0, 0xd2, 0x47, 0x4a, 
0x00, 0x00, 0x01, - 0x4b, 0xf1, 0xa3, 0x1f, 0xd3, 0x00, 0x00, 0x04, 0x03, 0x00, 0x47, 0x30, - 0x45, 0x02, 0x21, 0x00, 0xc0, 0x8f, 0xd0, 0xf9, 0x9b, 0x8a, 0xb4, 0xa2, - 0x89, 0x7f, 0xc0, 0x86, 0xe4, 0xc2, 0x95, 0xa1, 0xcf, 0xaa, 0xd5, 0xff, - 0xe9, 0xdc, 0x46, 0xd1, 0xda, 0xf7, 0xe7, 0x9f, 0x8a, 0x9e, 0x6f, 0x5b, - 0x02, 0x20, 0x5c, 0x80, 0xd3, 0x25, 0x48, 0xb4, 0xa7, 0x97, 0x47, 0xcb, - 0x90, 0x9e, 0x56, 0xf3, 0xea, 0x66, 0x62, 0x0c, 0x7c, 0xb5, 0x49, 0xb1, - 0x12, 0xe9, 0xf9, 0x76, 0x8c, 0x70, 0xd7, 0x55, 0xbc, 0x89 -}; - - -static uint8_t server_A_cert_der[] = { - 0x30, 0x82, 0x02, 0xe4, 0x30, 0x82, 0x02, 0x4d, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x4b, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x35, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x5a, 0x30, 0x72, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0e, 0x63, 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, - 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, - 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, - 0x07, 0x0c, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, - 0x31, 0x21, 0x30, 
0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x63, - 0x6f, 0x72, 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, - 0x74, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, - 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, - 0x02, 0x81, 0x81, 0x00, 0xc2, 0x65, 0x91, 0x0d, 0xf6, 0x8a, 0x40, 0x46, - 0xbd, 0x9e, 0x90, 0xdb, 0xf8, 0x12, 0x1c, 0xfa, 0x76, 0xe4, 0x7b, 0x14, - 0xf5, 0x3f, 0xef, 0xf7, 0x5f, 0x34, 0x55, 0xf7, 0x9e, 0x59, 0xeb, 0x48, - 0xac, 0xb6, 0x40, 0x77, 0xb9, 0x0a, 0x64, 0xc3, 0xe8, 0xdd, 0xbd, 0x52, - 0x24, 0x4f, 0xb7, 0x22, 0xed, 0xe4, 0xc8, 0xac, 0x9e, 0x9e, 0x2d, 0xe1, - 0x66, 0xa9, 0x40, 0x56, 0xdb, 0x0a, 0xb9, 0x3a, 0x69, 0xd2, 0xcf, 0x3c, - 0xfa, 0x17, 0x44, 0xc7, 0x4f, 0xc0, 0xf8, 0xba, 0x20, 0x68, 0xc6, 0x75, - 0x38, 0xa0, 0xc5, 0xd4, 0x1a, 0x5c, 0x86, 0xbb, 0x95, 0xa8, 0x71, 0x3e, - 0xfc, 0xf3, 0xb6, 0x74, 0x92, 0x98, 0x21, 0xec, 0x03, 0x90, 0x97, 0x71, - 0xa2, 0xd5, 0x79, 0xcf, 0x2a, 0x59, 0xcf, 0x16, 0xdc, 0x0b, 0x03, 0x9d, - 0xfd, 0x60, 0xad, 0x5f, 0x7f, 0xa5, 0x0a, 0x24, 0x9b, 0x83, 0xc5, 0x63, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xa9, 0x30, 0x81, 0xa6, 0x30, - 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x8d, 0x37, - 0x29, 0x3a, 0x88, 0xa5, 0x5c, 0x19, 0x3b, 0xd1, 0x21, 0x37, 0xf3, 0xed, - 0xd5, 0x2a, 0xf5, 0xb3, 0x49, 0x87, 0x30, 0x7a, 0x06, 0x03, 0x55, 0x1d, - 0x23, 0x04, 0x73, 0x30, 0x71, 0x80, 0x14, 0x64, 0x1f, 0x09, 0x99, 0x2d, - 0x6a, 0x5b, 0x4d, 0xef, 0xed, 0xbb, 0xba, 0x96, 0xf9, 0x73, 0x65, 0xad, - 0x6e, 0x84, 0xbd, 0xa1, 0x56, 0xa4, 0x54, 0x30, 0x52, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1a, - 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x11, 0x63, 0x6f, 0x72, - 0x65, 0x6f, 0x73, 0x2d, 0x63, 0x74, 0x2d, 0x74, 0x65, 0x73, 0x74, 0x20, - 0x43, 0x41, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, - 0x0a, 0x43, 0x61, 
0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x43, 0x75, - 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x82, 0x01, 0x01, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0d, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, - 0x03, 0x81, 0x81, 0x00, 0x27, 0xe3, 0x99, 0x5e, 0xea, 0x13, 0xa4, 0x92, - 0xc3, 0xe4, 0xa4, 0xf9, 0x8c, 0xf0, 0x41, 0x49, 0x49, 0x40, 0x51, 0xba, - 0x14, 0xe6, 0xa4, 0x5b, 0x84, 0xb7, 0xc3, 0x57, 0x39, 0xa2, 0x0b, 0xd0, - 0x20, 0x66, 0xd2, 0x91, 0xa9, 0xd1, 0x14, 0x2f, 0x7f, 0xe1, 0x59, 0x5f, - 0xff, 0x37, 0x9e, 0xfb, 0xed, 0xea, 0xc5, 0x79, 0x1f, 0x34, 0xcc, 0x15, - 0xf0, 0xc4, 0x01, 0x06, 0x12, 0x5a, 0x07, 0x81, 0xaf, 0x6c, 0x99, 0x72, - 0x5a, 0x6c, 0x0f, 0x89, 0xde, 0x01, 0x48, 0xf6, 0xa5, 0x12, 0x0e, 0x6b, - 0xd6, 0x13, 0x40, 0x9b, 0xd1, 0x9f, 0xb5, 0x39, 0x49, 0x07, 0x2d, 0x04, - 0x34, 0xe1, 0x04, 0x83, 0xa4, 0x74, 0x0c, 0x52, 0x54, 0x93, 0x6a, 0x63, - 0x05, 0x06, 0xbf, 0x1d, 0x01, 0x30, 0xab, 0xf0, 0xed, 0x46, 0x26, 0x75, - 0x5e, 0x9a, 0xa4, 0x01, 0xe6, 0x95, 0x65, 0xc5, 0xb9, 0x09, 0x84, 0x98 -}; - -static -unsigned char www_digicert_com_cert_der[] = { - 0x30, 0x82, 0x08, 0x5c, 0x30, 0x82, 0x07, 0x44, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x10, 0x04, 0xc3, 0x34, 0xf6, 0xf8, 0x98, 0x9b, 0xb5, 0x4c, - 0xb1, 0x91, 0x94, 0x30, 0x53, 0x88, 0xb7, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x75, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0c, - 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x49, 0x6e, 0x63, - 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x10, 0x77, - 0x77, 0x77, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, - 0x63, 0x6f, 0x6d, 0x31, 0x34, 0x30, 0x32, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x13, 0x2b, 0x44, 0x69, 0x67, 
0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, - 0x48, 0x41, 0x32, 0x20, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x64, 0x65, 0x64, - 0x20, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, - 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, - 0x0d, 0x31, 0x34, 0x31, 0x30, 0x31, 0x34, 0x30, 0x30, 0x30, 0x30, 0x30, - 0x30, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x31, 0x38, 0x31, 0x32, - 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x82, 0x01, 0x0b, 0x31, 0x1d, 0x30, - 0x1b, 0x06, 0x03, 0x55, 0x04, 0x0f, 0x0c, 0x14, 0x50, 0x72, 0x69, 0x76, - 0x61, 0x74, 0x65, 0x20, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x13, 0x30, 0x11, 0x06, 0x0b, 0x2b, 0x06, - 0x01, 0x04, 0x01, 0x82, 0x37, 0x3c, 0x02, 0x01, 0x03, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x15, 0x30, 0x13, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, - 0x82, 0x37, 0x3c, 0x02, 0x01, 0x02, 0x13, 0x04, 0x55, 0x74, 0x61, 0x68, - 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x05, 0x13, 0x0c, 0x35, - 0x32, 0x39, 0x39, 0x35, 0x33, 0x37, 0x2d, 0x30, 0x31, 0x34, 0x32, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x09, 0x13, 0x09, 0x53, 0x75, - 0x69, 0x74, 0x65, 0x20, 0x35, 0x30, 0x30, 0x31, 0x24, 0x30, 0x22, 0x06, - 0x03, 0x55, 0x04, 0x09, 0x13, 0x1b, 0x32, 0x36, 0x30, 0x30, 0x20, 0x57, - 0x65, 0x73, 0x74, 0x20, 0x45, 0x78, 0x65, 0x63, 0x75, 0x74, 0x69, 0x76, - 0x65, 0x20, 0x50, 0x61, 0x72, 0x6b, 0x77, 0x61, 0x79, 0x31, 0x0e, 0x30, - 0x0c, 0x06, 0x03, 0x55, 0x04, 0x11, 0x13, 0x05, 0x38, 0x34, 0x30, 0x34, - 0x33, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, - 0x04, 0x55, 0x74, 0x61, 0x68, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, - 0x04, 0x07, 0x13, 0x04, 0x4c, 0x65, 0x68, 0x69, 0x31, 0x17, 0x30, 0x15, - 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x44, 0x69, 0x67, 0x69, 0x43, - 0x65, 0x72, 0x74, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x19, 0x30, - 0x17, 0x06, 0x03, 0x55, 0x04, 
0x03, 0x13, 0x10, 0x77, 0x77, 0x77, 0x2e, - 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, - 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, - 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, 0x01, 0x00, 0xa8, 0x89, 0xb3, - 0x3b, 0x91, 0x94, 0x57, 0x87, 0x72, 0x09, 0x5b, 0x5f, 0xcb, 0x2c, 0x42, - 0x2a, 0x9e, 0xed, 0xc2, 0xfd, 0x20, 0x7b, 0x2c, 0x63, 0x7f, 0xdd, 0x07, - 0xbf, 0xfb, 0x49, 0x5c, 0xed, 0x1c, 0xa2, 0x70, 0x79, 0x75, 0xc2, 0x34, - 0xcc, 0xeb, 0x12, 0xf0, 0x40, 0x88, 0x3a, 0xb9, 0xea, 0x29, 0xa2, 0x11, - 0x8f, 0x53, 0xe1, 0x02, 0xe1, 0x87, 0x04, 0xf6, 0x58, 0xb9, 0x86, 0xb6, - 0x7f, 0x85, 0x5e, 0x0a, 0x58, 0x47, 0xc3, 0xbd, 0xe7, 0x6b, 0x21, 0x07, - 0x9d, 0xdb, 0xef, 0x57, 0x8b, 0x16, 0xce, 0x38, 0xf1, 0xe3, 0xe2, 0xe4, - 0x5a, 0x10, 0xb8, 0x39, 0xbb, 0x0a, 0xad, 0xca, 0xc5, 0x10, 0x85, 0x3a, - 0xa1, 0x6f, 0x67, 0xc9, 0x18, 0xc3, 0x5b, 0xb2, 0x4c, 0xa6, 0x01, 0xb6, - 0xc3, 0x50, 0xbe, 0x7e, 0xc8, 0x79, 0xca, 0x3c, 0x53, 0x5e, 0x02, 0x78, - 0xae, 0x96, 0x5f, 0x56, 0x21, 0xb3, 0xa4, 0x3c, 0x3f, 0xfe, 0x49, 0xc5, - 0x17, 0x73, 0xa5, 0x6e, 0xa9, 0x60, 0xaa, 0xbd, 0x16, 0x04, 0x56, 0xfa, - 0x54, 0xd2, 0xcb, 0x25, 0xc0, 0xe9, 0x9f, 0x89, 0xc9, 0xee, 0x10, 0x87, - 0x01, 0xf2, 0xc7, 0x93, 0x2d, 0xc3, 0x2f, 0x9e, 0xd0, 0x9c, 0x42, 0x24, - 0x9d, 0x09, 0x24, 0xf6, 0x80, 0xc4, 0xe8, 0x34, 0x99, 0x5a, 0x2e, 0x26, - 0xc3, 0x73, 0x28, 0x52, 0x26, 0xac, 0x09, 0x34, 0x8e, 0xc5, 0x70, 0xe1, - 0xf5, 0xfb, 0x93, 0xb8, 0x34, 0x2d, 0x44, 0xf4, 0x50, 0x1f, 0x86, 0x0a, - 0x9b, 0x64, 0x45, 0x26, 0x05, 0xd4, 0x45, 0xca, 0x72, 0x03, 0xdd, 0x1e, - 0x80, 0x1a, 0x9c, 0x53, 0x06, 0x7b, 0xc8, 0x36, 0x31, 0x03, 0xda, 0x5f, - 0x55, 0xc4, 0x0d, 0x29, 0xc0, 0x52, 0x9c, 0x23, 0x95, 0x8d, 0xa9, 0x55, - 0x95, 0xc4, 0x11, 0x02, 0x5b, 0xa3, 0x1b, 0xee, 0x79, 0xb2, 0x6e, 0x4a, - 0x6a, 0x4d, 0x4a, 0x44, 0x3e, 0x39, 0x9e, 0x8b, 0x0d, 0xec, 0x38, 0x93, - 0x5e, 0x5c, 0xb3, 0x4f, 0x53, 
0x8f, 0x4e, 0x2a, 0x78, 0xb1, 0x52, 0x54, - 0x4b, 0xfb, 0x6a, 0x94, 0x35, 0x61, 0x03, 0x06, 0x79, 0xe8, 0x06, 0x9c, - 0x8e, 0x81, 0x5b, 0x6b, 0x36, 0xdf, 0xc0, 0xfe, 0x43, 0xce, 0xd5, 0x16, - 0x19, 0xf6, 0x82, 0x94, 0xe8, 0x80, 0x00, 0xe1, 0x84, 0x14, 0x1d, 0x28, - 0x73, 0x8b, 0xe9, 0xba, 0xb6, 0x55, 0xe7, 0xa6, 0x17, 0x8c, 0xae, 0x70, - 0x15, 0xbe, 0x04, 0xef, 0xc8, 0x08, 0x27, 0xd9, 0xdf, 0x3a, 0x7e, 0x67, - 0x8c, 0x06, 0x0d, 0x51, 0x94, 0x05, 0x95, 0x2f, 0x27, 0xe4, 0xc1, 0xd4, - 0xa4, 0x5e, 0xca, 0x96, 0x13, 0x89, 0xd2, 0x05, 0x8b, 0x43, 0x68, 0xfc, - 0x31, 0x87, 0xa9, 0xb6, 0xf2, 0xc3, 0x47, 0xe3, 0xdf, 0xd9, 0x19, 0x13, - 0x4f, 0xb9, 0x05, 0xa9, 0x8a, 0x98, 0x03, 0xca, 0xc5, 0x92, 0x29, 0xe3, - 0x73, 0xe7, 0x4b, 0xe8, 0x0a, 0xda, 0x1b, 0x9c, 0xdb, 0x68, 0x50, 0x66, - 0x95, 0x2b, 0xdc, 0xe8, 0x39, 0x1b, 0x14, 0xfa, 0x41, 0xd3, 0xfc, 0xda, - 0xe6, 0x8d, 0x04, 0x2c, 0x81, 0xd1, 0x12, 0x47, 0xc6, 0x27, 0x9d, 0xd7, - 0x54, 0xbd, 0x4f, 0xee, 0x42, 0x20, 0x96, 0x52, 0xa6, 0x83, 0x9f, 0x59, - 0x05, 0x6b, 0x2b, 0x18, 0x41, 0x7a, 0x5a, 0xbb, 0x89, 0x1b, 0x45, 0x82, - 0x8a, 0x6e, 0x7b, 0x94, 0x78, 0xe0, 0x4e, 0x09, 0xeb, 0x1c, 0xa8, 0xda, - 0xd9, 0xb4, 0x56, 0xd4, 0xa0, 0x7d, 0x08, 0xd5, 0xf2, 0x94, 0x81, 0x2e, - 0xa1, 0xb4, 0x0a, 0x14, 0x56, 0x21, 0x26, 0xc3, 0xc4, 0x27, 0x48, 0x3c, - 0x50, 0xd5, 0x71, 0x45, 0x35, 0x4b, 0x37, 0x22, 0x7b, 0x69, 0x26, 0x6c, - 0xdb, 0xb8, 0x4e, 0xf2, 0xf1, 0xa2, 0xf8, 0x6b, 0xfb, 0x1a, 0xae, 0xe6, - 0xeb, 0x5b, 0x1e, 0x15, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, - 0x03, 0x4e, 0x30, 0x82, 0x03, 0x4a, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, - 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3d, 0xd3, 0x50, 0xa5, 0xd6, - 0xa0, 0xad, 0xee, 0xf3, 0x4a, 0x60, 0x0a, 0x65, 0xd3, 0x21, 0xd4, 0xf8, - 0xf8, 0xd6, 0x0f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0xf8, 0xa3, 0xa7, 0x61, 0xab, 0xd9, 0x77, 0x4b, 0x19, 0x66, - 0x90, 0xc7, 0x9f, 0xe3, 0x9f, 0xe6, 0xb0, 0x44, 0x21, 0x06, 0x30, 0x7e, - 0x06, 0x03, 0x55, 0x1d, 0x11, 
0x04, 0x77, 0x30, 0x75, 0x82, 0x10, 0x77, - 0x77, 0x77, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, - 0x63, 0x6f, 0x6d, 0x82, 0x0c, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, - 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x14, 0x63, 0x6f, 0x6e, 0x74, 0x65, - 0x6e, 0x74, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, - 0x63, 0x6f, 0x6d, 0x82, 0x17, 0x77, 0x77, 0x77, 0x2e, 0x6f, 0x72, 0x69, - 0x67, 0x69, 0x6e, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, - 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x12, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x2e, - 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, - 0x82, 0x10, 0x61, 0x70, 0x69, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, - 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x1d, - 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, - 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x75, 0x06, 0x03, 0x55, 0x1d, 0x1f, - 0x04, 0x6e, 0x30, 0x6c, 0x30, 0x34, 0xa0, 0x32, 0xa0, 0x30, 0x86, 0x2e, - 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x33, 0x2e, - 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x73, 0x68, 0x61, 0x32, 0x2d, 0x65, 0x76, 0x2d, 0x73, 0x65, 0x72, - 0x76, 0x65, 0x72, 0x2d, 0x67, 0x31, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x34, - 0xa0, 0x32, 0xa0, 0x30, 0x86, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, - 0x2f, 0x63, 0x72, 0x6c, 0x34, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, - 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x68, 0x61, 0x32, 0x2d, - 0x65, 0x76, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2d, 0x67, 0x31, - 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x42, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, - 0x3b, 0x30, 0x39, 0x30, 0x37, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, - 0xfd, 0x6c, 0x02, 0x01, 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x02, 
0x01, 0x16, 0x1c, 0x68, 0x74, 0x74, 0x70, - 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x64, 0x69, 0x67, 0x69, - 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43, 0x50, 0x53, - 0x30, 0x81, 0x88, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, - 0x01, 0x04, 0x7c, 0x30, 0x7a, 0x30, 0x24, 0x06, 0x08, 0x2b, 0x06, 0x01, - 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x18, 0x68, 0x74, 0x74, 0x70, 0x3a, - 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, - 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x52, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x46, 0x68, 0x74, 0x74, - 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x61, 0x63, 0x65, 0x72, 0x74, 0x73, 0x2e, - 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x53, 0x48, 0x41, - 0x32, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x64, 0x65, 0x64, 0x56, 0x61, 0x6c, - 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x65, - 0x72, 0x43, 0x41, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0c, 0x06, 0x03, 0x55, - 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x82, 0x01, - 0x03, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, - 0x02, 0x04, 0x81, 0xf4, 0x04, 0x81, 0xf1, 0x00, 0xef, 0x00, 0x76, 0x00, - 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13, 0xa2, - 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b, 0xdf, 0xb8, - 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10, 0x00, 0x00, 0x01, 0x49, - 0x10, 0xfa, 0xbd, 0x89, 0x00, 0x00, 0x04, 0x03, 0x00, 0x47, 0x30, 0x45, - 0x02, 0x20, 0x66, 0xd7, 0x67, 0x79, 0xf4, 0xaa, 0xd3, 0xb8, 0xc6, 0x9f, - 0x03, 0x01, 0xbf, 0xcd, 0xec, 0x83, 0x36, 0xd4, 0xc8, 0x4f, 0xc1, 0x45, - 0xd5, 0xd9, 0xfd, 0x16, 0x54, 0xad, 0x6f, 0x75, 0x22, 0xa1, 0x02, 0x21, - 0x00, 0xb8, 0x95, 0xf1, 0x43, 0x03, 0xdf, 0xa4, 0x11, 0x04, 0x3c, 0x24, - 0x13, 0xd8, 0x81, 0x69, 0x24, 0x9d, 0xd2, 0x04, 0x96, 0x4d, 0xad, 0x53, - 0x3d, 0x9d, 0x6a, 0x24, 0x14, 
0x32, 0x4d, 0xcc, 0x91, 0x00, 0x75, 0x00, - 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee, 0xb9, - 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4, 0x44, 0xd1, - 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4, 0x00, 0x00, 0x01, 0x49, - 0x10, 0xfa, 0xbd, 0x79, 0x00, 0x00, 0x04, 0x03, 0x00, 0x46, 0x30, 0x44, - 0x02, 0x20, 0x11, 0x34, 0x9a, 0x59, 0x2c, 0x9d, 0x3b, 0xd3, 0x8b, 0x9a, - 0x58, 0x18, 0x37, 0x24, 0x55, 0xf3, 0x9d, 0x0e, 0xca, 0x98, 0x96, 0x6b, - 0x8f, 0xc7, 0xa2, 0xe4, 0xd8, 0xbf, 0x00, 0xce, 0x40, 0xfd, 0x02, 0x20, - 0x11, 0x24, 0x11, 0xab, 0x62, 0x7f, 0xb2, 0x88, 0xf0, 0x6d, 0x70, 0xc0, - 0xfd, 0xa0, 0x65, 0xb5, 0xb6, 0x03, 0x46, 0x1f, 0x10, 0x30, 0xed, 0xf5, - 0x6d, 0x7e, 0x89, 0x7b, 0xba, 0x20, 0x32, 0x64, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x01, 0x00, 0x7a, 0x12, 0xd4, 0x28, 0xc3, 0x27, 0x39, 0x5e, - 0xab, 0x30, 0x4a, 0x4a, 0x3d, 0xe6, 0xad, 0x78, 0xd7, 0xe7, 0x9d, 0x5a, - 0xcb, 0x93, 0xcf, 0xc2, 0x30, 0x91, 0xfe, 0xcd, 0x88, 0x65, 0x35, 0x96, - 0x9c, 0x5e, 0x6d, 0xe1, 0xe2, 0x6d, 0x00, 0x7e, 0xe2, 0x73, 0xab, 0xd8, - 0x27, 0x97, 0x6b, 0xdd, 0x46, 0xa9, 0x08, 0x41, 0x1e, 0x0b, 0x18, 0x5b, - 0x6a, 0x5b, 0xf8, 0xfc, 0xa4, 0x75, 0xf5, 0x5e, 0xf5, 0x52, 0xec, 0xa5, - 0xab, 0x6b, 0x16, 0x23, 0x44, 0xdf, 0xe8, 0x14, 0x28, 0xe7, 0xd1, 0xbf, - 0xcc, 0x2d, 0x72, 0xa2, 0x30, 0xc4, 0x9e, 0x9a, 0xe5, 0x8c, 0x21, 0xb6, - 0x5c, 0x6f, 0x9e, 0x16, 0xfc, 0xf2, 0x83, 0xe6, 0xf7, 0x29, 0x54, 0xa7, - 0x58, 0x8e, 0x86, 0xb0, 0x8e, 0x5b, 0xf3, 0xd4, 0x1a, 0xaf, 0x00, 0x64, - 0x37, 0xca, 0x2f, 0x0d, 0x38, 0x34, 0x16, 0x96, 0x57, 0x7d, 0x55, 0x6d, - 0x09, 0x2f, 0x57, 0x47, 0x27, 0x0c, 0xd3, 0x02, 0x0e, 0x60, 0x66, 0x91, - 0x92, 0x47, 0x11, 0xac, 0x04, 0xda, 0x63, 0x86, 0x91, 0x32, 0xd1, 0xfa, - 0x65, 0x2c, 0xb7, 0x76, 0x64, 0x2a, 0x0f, 0x25, 0x83, 0x17, 0x3f, 0x0e, - 0x88, 0xf7, 0xeb, 0xf5, 0xf5, 0x68, 0x30, 0x68, 0xcc, 0x79, 0x32, 0x23, - 0x03, 0x08, 0xec, 0x30, 0x1b, 
0x05, 0x37, 0x14, 0x79, 0x93, 0xf0, 0xed, - 0x62, 0x88, 0xd8, 0xab, 0x18, 0xc4, 0x98, 0x67, 0xcb, 0x32, 0xbe, 0x44, - 0xa8, 0x8f, 0xbc, 0xff, 0xe7, 0x99, 0x07, 0xc3, 0xd0, 0x4b, 0x0d, 0x45, - 0xf2, 0xa6, 0xd8, 0x84, 0x43, 0xeb, 0xf4, 0x96, 0x3c, 0x3c, 0x68, 0x8c, - 0x81, 0x4f, 0x82, 0x1e, 0x9d, 0xdb, 0x78, 0xa0, 0x42, 0x54, 0x94, 0xf2, - 0x93, 0x5f, 0x49, 0x21, 0x57, 0x1b, 0xe5, 0x86, 0x2b, 0x54, 0xaa, 0xb3, - 0x38, 0x48, 0x61, 0x3e, 0x85, 0x0f, 0x7d, 0x50 -}; - - -static -unsigned char digicert_sha2_ev_server_ca_der [] = { - 0x30, 0x82, 0x04, 0xb6, 0x30, 0x82, 0x03, 0x9e, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x10, 0x0c, 0x79, 0xa9, 0x44, 0xb0, 0x8c, 0x11, 0x95, 0x20, - 0x92, 0x61, 0x5f, 0xe2, 0x6b, 0x1d, 0x83, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x6c, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0c, - 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x49, 0x6e, 0x63, - 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x10, 0x77, - 0x77, 0x77, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, - 0x63, 0x6f, 0x6d, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x13, 0x22, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x48, - 0x69, 0x67, 0x68, 0x20, 0x41, 0x73, 0x73, 0x75, 0x72, 0x61, 0x6e, 0x63, - 0x65, 0x20, 0x45, 0x56, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, - 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x33, 0x31, 0x30, 0x32, 0x32, 0x31, 0x32, - 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x38, 0x31, 0x30, 0x32, - 0x32, 0x31, 0x32, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x75, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0c, 0x44, 0x69, - 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x49, 0x6e, 0x63, 0x31, 0x19, - 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x10, 0x77, 
0x77, 0x77, - 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, - 0x6d, 0x31, 0x34, 0x30, 0x32, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2b, - 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x48, 0x41, - 0x32, 0x20, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x64, 0x65, 0x64, 0x20, 0x56, - 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x53, 0x65, - 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, - 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, - 0x82, 0x01, 0x01, 0x00, 0xd7, 0x53, 0xa4, 0x04, 0x51, 0xf8, 0x99, 0xa6, - 0x16, 0x48, 0x4b, 0x67, 0x27, 0xaa, 0x93, 0x49, 0xd0, 0x39, 0xed, 0x0c, - 0xb0, 0xb0, 0x00, 0x87, 0xf1, 0x67, 0x28, 0x86, 0x85, 0x8c, 0x8e, 0x63, - 0xda, 0xbc, 0xb1, 0x40, 0x38, 0xe2, 0xd3, 0xf5, 0xec, 0xa5, 0x05, 0x18, - 0xb8, 0x3d, 0x3e, 0xc5, 0x99, 0x17, 0x32, 0xec, 0x18, 0x8c, 0xfa, 0xf1, - 0x0c, 0xa6, 0x64, 0x21, 0x85, 0xcb, 0x07, 0x10, 0x34, 0xb0, 0x52, 0x88, - 0x2b, 0x1f, 0x68, 0x9b, 0xd2, 0xb1, 0x8f, 0x12, 0xb0, 0xb3, 0xd2, 0xe7, - 0x88, 0x1f, 0x1f, 0xef, 0x38, 0x77, 0x54, 0x53, 0x5f, 0x80, 0x79, 0x3f, - 0x2e, 0x1a, 0xaa, 0xa8, 0x1e, 0x4b, 0x2b, 0x0d, 0xab, 0xb7, 0x63, 0xb9, - 0x35, 0xb7, 0x7d, 0x14, 0xbc, 0x59, 0x4b, 0xdf, 0x51, 0x4a, 0xd2, 0xa1, - 0xe2, 0x0c, 0xe2, 0x90, 0x82, 0x87, 0x6a, 0xae, 0xea, 0xd7, 0x64, 0xd6, - 0x98, 0x55, 0xe8, 0xfd, 0xaf, 0x1a, 0x50, 0x6c, 0x54, 0xbc, 0x11, 0xf2, - 0xfd, 0x4a, 0xf2, 0x9d, 0xbb, 0x7f, 0x0e, 0xf4, 0xd5, 0xbe, 0x8e, 0x16, - 0x89, 0x12, 0x55, 0xd8, 0xc0, 0x71, 0x34, 0xee, 0xf6, 0xdc, 0x2d, 0xec, - 0xc4, 0x87, 0x25, 0x86, 0x8d, 0xd8, 0x21, 0xe4, 0xb0, 0x4d, 0x0c, 0x89, - 0xdc, 0x39, 0x26, 0x17, 0xdd, 0xf6, 0xd7, 0x94, 0x85, 0xd8, 0x04, 0x21, - 0x70, 0x9d, 0x6f, 0x6f, 0xff, 0x5c, 0xba, 0x19, 0xe1, 0x45, 0xcb, 0x56, - 0x57, 0x28, 0x7e, 0x1c, 0x0d, 0x41, 0x57, 0xaa, 0xb7, 0xb8, 0x27, 0xbb, - 0xb1, 0xe4, 0xfa, 0x2a, 0xef, 0x21, 0x23, 0x75, 0x1a, 0xad, 
0x2d, 0x9b, - 0x86, 0x35, 0x8c, 0x9c, 0x77, 0xb5, 0x73, 0xad, 0xd8, 0x94, 0x2d, 0xe4, - 0xf3, 0x0c, 0x9d, 0xee, 0xc1, 0x4e, 0x62, 0x7e, 0x17, 0xc0, 0x71, 0x9e, - 0x2c, 0xde, 0xf1, 0xf9, 0x10, 0x28, 0x19, 0x33, 0x02, 0x03, 0x01, 0x00, - 0x01, 0xa3, 0x82, 0x01, 0x49, 0x30, 0x82, 0x01, 0x45, 0x30, 0x12, 0x06, - 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, - 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, - 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x1d, 0x06, - 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x03, 0x02, 0x30, 0x34, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x01, 0x01, 0x04, 0x28, 0x30, 0x26, 0x30, 0x24, 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x18, 0x68, 0x74, - 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x64, 0x69, - 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x4b, - 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x44, 0x30, 0x42, 0x30, 0x40, 0xa0, - 0x3e, 0xa0, 0x3c, 0x86, 0x3a, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x63, 0x72, 0x6c, 0x34, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, - 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, - 0x72, 0x74, 0x48, 0x69, 0x67, 0x68, 0x41, 0x73, 0x73, 0x75, 0x72, 0x61, - 0x6e, 0x63, 0x65, 0x45, 0x56, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x41, 0x2e, - 0x63, 0x72, 0x6c, 0x30, 0x3d, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x36, - 0x30, 0x34, 0x30, 0x32, 0x06, 0x04, 0x55, 0x1d, 0x20, 0x00, 0x30, 0x2a, - 0x30, 0x28, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, - 0x16, 0x1c, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, - 0x77, 0x2e, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72, 0x74, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x43, 0x50, 0x53, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, - 0x0e, 0x04, 0x16, 0x04, 0x14, 0x3d, 0xd3, 0x50, 0xa5, 0xd6, 
0xa0, 0xad, - 0xee, 0xf3, 0x4a, 0x60, 0x0a, 0x65, 0xd3, 0x21, 0xd4, 0xf8, 0xf8, 0xd6, - 0x0f, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, - 0x80, 0x14, 0xb1, 0x3e, 0xc3, 0x69, 0x03, 0xf8, 0xbf, 0x47, 0x01, 0xd4, - 0x98, 0x26, 0x1a, 0x08, 0x02, 0xef, 0x63, 0x64, 0x2b, 0xc3, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, - 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x9d, 0xb6, 0xd0, 0x90, 0x86, 0xe1, - 0x86, 0x02, 0xed, 0xc5, 0xa0, 0xf0, 0x34, 0x1c, 0x74, 0xc1, 0x8d, 0x76, - 0xcc, 0x86, 0x0a, 0xa8, 0xf0, 0x4a, 0x8a, 0x42, 0xd6, 0x3f, 0xc8, 0xa9, - 0x4d, 0xad, 0x7c, 0x08, 0xad, 0xe6, 0xb6, 0x50, 0xb8, 0xa2, 0x1a, 0x4d, - 0x88, 0x07, 0xb1, 0x29, 0x21, 0xdc, 0xe7, 0xda, 0xc6, 0x3c, 0x21, 0xe0, - 0xe3, 0x11, 0x49, 0x70, 0xac, 0x7a, 0x1d, 0x01, 0xa4, 0xca, 0x11, 0x3a, - 0x57, 0xab, 0x7d, 0x57, 0x2a, 0x40, 0x74, 0xfd, 0xd3, 0x1d, 0x85, 0x18, - 0x50, 0xdf, 0x57, 0x47, 0x75, 0xa1, 0x7d, 0x55, 0x20, 0x2e, 0x47, 0x37, - 0x50, 0x72, 0x8c, 0x7f, 0x82, 0x1b, 0xd2, 0x62, 0x8f, 0x2d, 0x03, 0x5a, - 0xda, 0xc3, 0xc8, 0xa1, 0xce, 0x2c, 0x52, 0xa2, 0x00, 0x63, 0xeb, 0x73, - 0xba, 0x71, 0xc8, 0x49, 0x27, 0x23, 0x97, 0x64, 0x85, 0x9e, 0x38, 0x0e, - 0xad, 0x63, 0x68, 0x3c, 0xba, 0x52, 0x81, 0x58, 0x79, 0xa3, 0x2c, 0x0c, - 0xdf, 0xde, 0x6d, 0xeb, 0x31, 0xf2, 0xba, 0xa0, 0x7c, 0x6c, 0xf1, 0x2c, - 0xd4, 0xe1, 0xbd, 0x77, 0x84, 0x37, 0x03, 0xce, 0x32, 0xb5, 0xc8, 0x9a, - 0x81, 0x1a, 0x4a, 0x92, 0x4e, 0x3b, 0x46, 0x9a, 0x85, 0xfe, 0x83, 0xa2, - 0xf9, 0x9e, 0x8c, 0xa3, 0xcc, 0x0d, 0x5e, 0xb3, 0x3d, 0xcf, 0x04, 0x78, - 0x8f, 0x14, 0x14, 0x7b, 0x32, 0x9c, 0xc7, 0x00, 0xa6, 0x5c, 0xc4, 0xb5, - 0xa1, 0x55, 0x8d, 0x5a, 0x56, 0x68, 0xa4, 0x22, 0x70, 0xaa, 0x3c, 0x81, - 0x71, 0xd9, 0x9d, 0xa8, 0x45, 0x3b, 0xf4, 0xe5, 0xf6, 0xa2, 0x51, 0xdd, - 0xc7, 0x7b, 0x62, 0xe8, 0x6f, 0x0c, 0x74, 0xeb, 0xb8, 0xda, 0xf8, 0xbf, - 0x87, 0x0d, 0x79, 0x50, 0x91, 0x90, 0x9b, 0x18, 0x3b, 0x91, 0x59, 0x27, - 0xf1, 0x35, 0x28, 0x13, 0xab, 0x26, 0x7e, 0xd5, 0xf7, 0x7a 
-}; - - -static -unsigned char www_paypal_com_cert_der[] = { - 0x30, 0x82, 0x06, 0x08, 0x30, 0x82, 0x04, 0xf0, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x10, 0x08, 0x34, 0xe4, 0x53, 0xd4, 0x3a, 0x68, 0x57, 0x23, - 0xaf, 0xfb, 0xb1, 0x33, 0xce, 0x45, 0x7c, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, - 0xba, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x13, 0x16, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x54, - 0x72, 0x75, 0x73, 0x74, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, - 0x31, 0x3b, 0x30, 0x39, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x32, 0x54, - 0x65, 0x72, 0x6d, 0x73, 0x20, 0x6f, 0x66, 0x20, 0x75, 0x73, 0x65, 0x20, - 0x61, 0x74, 0x20, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, - 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x70, 0x61, 0x20, 0x28, 0x63, 0x29, 0x30, - 0x36, 0x31, 0x34, 0x30, 0x32, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2b, - 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x6c, 0x61, - 0x73, 0x73, 0x20, 0x33, 0x20, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x64, 0x65, - 0x64, 0x20, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x20, 0x53, 0x53, 0x4c, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, - 0x34, 0x30, 0x34, 0x31, 0x35, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, - 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x30, 0x32, 0x32, 0x33, 0x35, 0x39, - 0x35, 0x39, 0x5a, 0x30, 0x82, 0x01, 0x09, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x3c, 0x02, 0x01, 0x03, - 0x13, 0x02, 0x55, 0x53, 0x31, 0x19, 0x30, 0x17, 0x06, 0x0b, 0x2b, 0x06, - 0x01, 0x04, 0x01, 0x82, 0x37, 0x3c, 0x02, 0x01, 0x02, 0x13, 0x08, 0x44, - 0x65, 0x6c, 
0x61, 0x77, 0x61, 0x72, 0x65, 0x31, 0x1d, 0x30, 0x1b, 0x06, - 0x03, 0x55, 0x04, 0x0f, 0x13, 0x14, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, - 0x65, 0x20, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x05, 0x13, - 0x07, 0x33, 0x30, 0x31, 0x34, 0x32, 0x36, 0x37, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, - 0x11, 0x06, 0x03, 0x55, 0x04, 0x11, 0x14, 0x0a, 0x39, 0x35, 0x31, 0x33, - 0x31, 0x2d, 0x32, 0x30, 0x32, 0x31, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, - 0x6e, 0x69, 0x61, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x07, - 0x14, 0x08, 0x53, 0x61, 0x6e, 0x20, 0x4a, 0x6f, 0x73, 0x65, 0x31, 0x16, - 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x09, 0x14, 0x0d, 0x32, 0x32, 0x31, - 0x31, 0x20, 0x4e, 0x20, 0x31, 0x73, 0x74, 0x20, 0x53, 0x74, 0x31, 0x15, - 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x14, 0x0c, 0x50, 0x61, 0x79, - 0x50, 0x61, 0x6c, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x14, 0x30, - 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x14, 0x0b, 0x43, 0x44, 0x4e, 0x20, - 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x31, 0x17, 0x30, 0x15, 0x06, - 0x03, 0x55, 0x04, 0x03, 0x14, 0x0e, 0x77, 0x77, 0x77, 0x2e, 0x70, 0x61, - 0x79, 0x70, 0x61, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, - 0x02, 0x82, 0x01, 0x01, 0x00, 0xbe, 0xae, 0x46, 0x4d, 0x99, 0x6e, 0x6d, - 0x6c, 0x35, 0x4b, 0x88, 0x32, 0x38, 0xbb, 0xdc, 0xd0, 0x09, 0x95, 0xd0, - 0x9a, 0xe4, 0x36, 0xe7, 0x9f, 0x0a, 0xb0, 0xf2, 0xd7, 0xd2, 0x30, 0x62, - 0x03, 0x1f, 0xad, 0xc6, 0xf4, 0x6d, 0x10, 0x84, 0xf7, 0x79, 0x1b, 0xbc, - 0x74, 0xc0, 0xa8, 0xe3, 0x82, 0xfe, 0xd4, 0x0a, 0x93, 0x2e, 0x3d, 0x4b, - 0x12, 0x24, 0xad, 0xad, 0x5f, 0x5d, 0xed, 0x1c, 0xc9, 0x1c, 0x6f, 0x13, - 0x7b, 0xe2, 
0xc1, 0x25, 0x4e, 0x46, 0x5f, 0x4f, 0x3b, 0x2e, 0x5a, 0xcb, - 0xc1, 0x5a, 0xb4, 0x82, 0xcf, 0xad, 0xa3, 0x65, 0xe8, 0x86, 0x33, 0xb5, - 0xed, 0x1d, 0x78, 0x99, 0xa7, 0xc7, 0xd5, 0xfa, 0x10, 0x2e, 0xfb, 0x11, - 0x4e, 0x23, 0x58, 0x06, 0x96, 0x87, 0x71, 0x75, 0x51, 0x73, 0x8c, 0x0f, - 0xf4, 0xca, 0x7c, 0x8f, 0x91, 0x25, 0x79, 0x13, 0xdc, 0xb0, 0xf0, 0xde, - 0x08, 0x07, 0x01, 0x0b, 0x64, 0xcc, 0x57, 0x6a, 0x12, 0x86, 0x62, 0x17, - 0x3e, 0x5d, 0xb9, 0x62, 0x3d, 0x58, 0x7b, 0x2a, 0x6e, 0xf6, 0xa6, 0x30, - 0x41, 0x02, 0xfc, 0xec, 0x64, 0x72, 0x33, 0xd5, 0xd5, 0x3f, 0x6b, 0x6d, - 0x97, 0xf3, 0xc1, 0x61, 0xbf, 0x38, 0x3b, 0xab, 0x41, 0x47, 0xd4, 0xc2, - 0x03, 0xd7, 0x3b, 0x59, 0x57, 0x9d, 0xe1, 0xa1, 0x2a, 0xd6, 0x78, 0xe8, - 0x83, 0x5d, 0x3d, 0xdd, 0xaa, 0x5d, 0x17, 0xfd, 0x94, 0xd6, 0xe5, 0x7a, - 0xef, 0x02, 0x63, 0xc6, 0xa3, 0xc6, 0x2d, 0x5b, 0x33, 0x08, 0x8b, 0xf5, - 0xa5, 0x03, 0xb4, 0xfe, 0xf2, 0x1d, 0xab, 0xbf, 0x5e, 0x9e, 0xb8, 0x78, - 0x39, 0x20, 0x2b, 0x68, 0x61, 0x4f, 0xe4, 0x99, 0xf2, 0xaa, 0xc2, 0x4d, - 0x4b, 0x48, 0xcb, 0x68, 0xc2, 0x10, 0x3f, 0xfa, 0x9a, 0xba, 0xc5, 0x6a, - 0x53, 0x8f, 0x22, 0xf3, 0xd7, 0xc9, 0xed, 0xa4, 0xd5, 0x02, 0x03, 0x01, - 0x00, 0x01, 0xa3, 0x82, 0x01, 0xb6, 0x30, 0x82, 0x01, 0xb2, 0x30, 0x67, - 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x60, 0x30, 0x5e, 0x82, 0x0e, 0x77, - 0x77, 0x77, 0x2e, 0x70, 0x61, 0x79, 0x70, 0x61, 0x6c, 0x2e, 0x63, 0x6f, - 0x6d, 0x82, 0x12, 0x68, 0x69, 0x73, 0x74, 0x6f, 0x72, 0x79, 0x2e, 0x70, - 0x61, 0x79, 0x70, 0x61, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x0c, 0x74, - 0x2e, 0x70, 0x61, 0x79, 0x70, 0x61, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, - 0x0c, 0x63, 0x2e, 0x70, 0x61, 0x79, 0x70, 0x61, 0x6c, 0x2e, 0x63, 0x6f, - 0x6d, 0x82, 0x0e, 0x74, 0x6d, 0x73, 0x2e, 0x70, 0x61, 0x79, 0x70, 0x61, - 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x82, 0x0c, 0x74, 0x6d, 0x73, 0x2e, 0x65, - 0x62, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x01, 
0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x1d, - 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, - 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x66, 0x06, 0x03, 0x55, 0x1d, 0x20, - 0x04, 0x5f, 0x30, 0x5d, 0x30, 0x5b, 0x06, 0x0b, 0x60, 0x86, 0x48, 0x01, - 0x86, 0xf8, 0x45, 0x01, 0x07, 0x17, 0x06, 0x30, 0x4c, 0x30, 0x23, 0x06, - 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x17, 0x68, - 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x2e, 0x73, 0x79, 0x6d, - 0x63, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x70, 0x73, 0x30, 0x25, - 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x19, - 0x1a, 0x17, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x2e, - 0x73, 0x79, 0x6d, 0x63, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x70, - 0x61, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, - 0x80, 0x14, 0xfc, 0x8a, 0x50, 0xba, 0x9e, 0xb9, 0x25, 0x5a, 0x7b, 0x55, - 0x85, 0x4f, 0x95, 0x00, 0x63, 0x8f, 0xe9, 0x58, 0x6b, 0x43, 0x30, 0x2b, - 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x24, 0x30, 0x22, 0x30, 0x20, 0xa0, - 0x1e, 0xa0, 0x1c, 0x86, 0x1a, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x73, 0x61, 0x2e, 0x73, 0x79, 0x6d, 0x63, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x73, 0x61, 0x2e, 0x63, 0x72, 0x6c, 0x30, 0x57, 0x06, 0x08, 0x2b, - 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x4b, 0x30, 0x49, 0x30, - 0x1f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, - 0x13, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x73, 0x61, 0x2e, 0x73, - 0x79, 0x6d, 0x63, 0x64, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x26, 0x06, 0x08, - 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x1a, 0x68, 0x74, - 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x73, 0x61, 0x2e, 0x73, 0x79, 0x6d, 0x63, - 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x61, 0x2e, 0x63, 0x72, 0x74, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x05, 0x05, 
0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x76, 0x08, 0xab, 0x64, - 0xf6, 0xf4, 0x0b, 0xe4, 0x81, 0xbd, 0x59, 0xb2, 0x3e, 0xa4, 0xfc, 0xf5, - 0x03, 0x75, 0x04, 0x59, 0x6a, 0xb5, 0xfe, 0x12, 0x34, 0x2a, 0x04, 0x9c, - 0x89, 0xcd, 0xcb, 0xe1, 0x3c, 0x6c, 0x20, 0x39, 0xd4, 0xea, 0x6f, 0x27, - 0x34, 0x7f, 0x62, 0x1c, 0x45, 0x72, 0x11, 0x39, 0xc0, 0x45, 0xaa, 0x2a, - 0x35, 0x5c, 0xb6, 0x06, 0xe3, 0x08, 0xa7, 0x8f, 0x08, 0xaf, 0x80, 0xb2, - 0x10, 0xce, 0xa5, 0x28, 0x5b, 0x1c, 0x49, 0x55, 0x11, 0xeb, 0x6b, 0x2a, - 0x80, 0xc1, 0x09, 0xed, 0x82, 0x72, 0x48, 0xca, 0x19, 0x8b, 0xe5, 0x34, - 0x94, 0x3c, 0x50, 0x26, 0x77, 0x6b, 0x1a, 0x63, 0xba, 0x6f, 0x63, 0xd1, - 0x58, 0xed, 0x2b, 0x1d, 0xb7, 0xa7, 0x6e, 0x04, 0x25, 0x99, 0xc3, 0x94, - 0x03, 0x90, 0xec, 0x0f, 0x4c, 0x93, 0x83, 0x35, 0x86, 0xe3, 0x70, 0x84, - 0x0d, 0x3c, 0xce, 0xaf, 0x4e, 0x80, 0x4a, 0xd3, 0x91, 0x3f, 0x55, 0x33, - 0x2f, 0x1f, 0x67, 0x87, 0x2f, 0x09, 0xa2, 0x41, 0xc0, 0x10, 0x4a, 0x2c, - 0xc4, 0x88, 0xa0, 0x6f, 0x93, 0x2c, 0xef, 0x38, 0xd2, 0x61, 0xc7, 0xec, - 0xf3, 0x37, 0x7d, 0xc9, 0x32, 0xa5, 0x5c, 0x1e, 0x48, 0x0e, 0x85, 0x6c, - 0x47, 0x2a, 0x7f, 0xc6, 0x30, 0x5e, 0xc2, 0xf6, 0x2e, 0xdd, 0xe3, 0x4d, - 0xac, 0xff, 0xef, 0x48, 0x26, 0xc7, 0x51, 0x74, 0x47, 0x32, 0x46, 0x0b, - 0xcd, 0x7a, 0x0a, 0x5d, 0x5b, 0xc5, 0x8d, 0xed, 0x17, 0xbc, 0xde, 0x09, - 0xbc, 0xe9, 0x93, 0xa9, 0x7c, 0x85, 0x9c, 0x88, 0xa6, 0x83, 0xbc, 0xd6, - 0xe5, 0x1f, 0x05, 0x10, 0xdf, 0xb2, 0x4f, 0xa2, 0xc5, 0x97, 0x00, 0x8b, - 0x57, 0xc7, 0x0d, 0xe7, 0xc7, 0x57, 0x57, 0x87, 0x7d, 0x13, 0x9f, 0x5c, - 0x5c, 0xf7, 0xf3, 0xcd, 0x00, 0x89, 0x0d, 0x85, 0x9a, 0xa2, 0x70, 0xda -}; - - -static -unsigned char www_paypal_com_issuer_cert_der[] = { - 0x30, 0x82, 0x05, 0xe4, 0x30, 0x82, 0x04, 0xcc, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x10, 0x5b, 0x77, 0x59, 0xc6, 0x17, 0x84, 0xe1, 0x5e, 0xc7, - 0x27, 0xc0, 0x32, 0x95, 0x29, 0x28, 0x6b, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x81, - 0xca, 0x31, 0x0b, 
0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x13, 0x16, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x54, - 0x72, 0x75, 0x73, 0x74, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, - 0x31, 0x3a, 0x30, 0x38, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x31, 0x28, - 0x63, 0x29, 0x20, 0x32, 0x30, 0x30, 0x36, 0x20, 0x56, 0x65, 0x72, 0x69, - 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x20, 0x2d, - 0x20, 0x46, 0x6f, 0x72, 0x20, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x7a, 0x65, 0x64, 0x20, 0x75, 0x73, 0x65, 0x20, 0x6f, 0x6e, 0x6c, 0x79, - 0x31, 0x45, 0x30, 0x43, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x3c, 0x56, - 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x6c, 0x61, 0x73, - 0x73, 0x20, 0x33, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x50, - 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x2d, 0x20, 0x47, 0x35, 0x30, - 0x1e, 0x17, 0x0d, 0x30, 0x36, 0x31, 0x31, 0x30, 0x38, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x31, 0x30, 0x37, - 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x81, 0xba, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, - 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, - 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x16, 0x56, - 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x54, 0x72, 0x75, 0x73, - 0x74, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, 0x3b, 0x30, - 0x39, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x32, 0x54, 0x65, 0x72, 0x6d, - 0x73, 0x20, 0x6f, 
0x66, 0x20, 0x75, 0x73, 0x65, 0x20, 0x61, 0x74, 0x20, - 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, - 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x72, 0x70, 0x61, 0x20, 0x28, 0x63, 0x29, 0x30, 0x36, 0x31, 0x34, - 0x30, 0x32, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2b, 0x56, 0x65, 0x72, - 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, - 0x33, 0x20, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x64, 0x65, 0x64, 0x20, 0x56, - 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x53, 0x53, - 0x4c, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0x98, 0xdb, 0xa0, 0x55, 0xeb, 0x9c, 0xfd, 0x17, 0x79, 0xe3, 0x9a, - 0x6e, 0x14, 0x1d, 0xb1, 0x5b, 0x98, 0x23, 0x87, 0x16, 0x6e, 0x87, 0x76, - 0x9c, 0xb5, 0x38, 0x3b, 0xb5, 0xa0, 0x7a, 0xb4, 0x07, 0x63, 0x09, 0x19, - 0xe6, 0x2a, 0x88, 0x48, 0xa9, 0xe7, 0x9d, 0xb6, 0x30, 0x5a, 0x08, 0x97, - 0x0c, 0xec, 0xaa, 0xe4, 0x16, 0x69, 0x72, 0x62, 0x23, 0x9a, 0xfb, 0x7a, - 0x54, 0x28, 0x98, 0xc5, 0x0c, 0x2d, 0xb7, 0xd7, 0x22, 0xb6, 0xc8, 0xf9, - 0x38, 0x17, 0xc7, 0xdd, 0xda, 0x31, 0x46, 0x9a, 0x94, 0x14, 0x8e, 0x9e, - 0xee, 0x78, 0xa0, 0xb7, 0x22, 0xd4, 0x49, 0x54, 0x97, 0x4d, 0xe5, 0x74, - 0x5b, 0x92, 0xbc, 0xec, 0x6c, 0x2c, 0xdf, 0xe7, 0xc1, 0xb6, 0x1b, 0x1a, - 0x55, 0x6b, 0x66, 0x08, 0x03, 0x7f, 0x45, 0xaf, 0x9a, 0x33, 0xf1, 0x10, - 0xc0, 0x6c, 0x99, 0x4a, 0x92, 0x24, 0x31, 0x08, 0x6d, 0xdd, 0x02, 0x3e, - 0x61, 0x76, 0x78, 0x78, 0xb6, 0xed, 0x7e, 0x37, 0xae, 0x6c, 0xf3, 0x89, - 0xe1, 0xb7, 0xe1, 0xdc, 0x15, 0xcc, 0xb7, 0x56, 0x9f, 0x80, 0xa0, 0xb1, - 0x05, 0x7f, 0x4e, 0x37, 0x15, 0xff, 0xb7, 0x2f, 0x1e, 0x8f, 0x06, 0x38, - 0x3f, 0x50, 0xb7, 0x69, 0x28, 0xa3, 0xb5, 0x66, 0x5f, 0x36, 0x1a, 0x52, - 0x48, 0x43, 0x66, 0x52, 0xdf, 0xa2, 0x92, 0x4f, 0xd3, 0x18, 0x60, 0xbe, - 0xe3, 0xea, 0x5e, 
0x19, 0x71, 0x05, 0xbf, 0x9e, 0x1c, 0x6c, 0x68, 0x72, - 0x25, 0x6f, 0xb3, 0x7b, 0x73, 0xc9, 0x6d, 0xbd, 0x12, 0xff, 0x9b, 0x41, - 0x32, 0x5e, 0xf4, 0xe8, 0x7e, 0xc5, 0x0b, 0xa3, 0x4c, 0x64, 0xd1, 0x4e, - 0xbc, 0x26, 0x08, 0x65, 0xfb, 0x19, 0x97, 0x58, 0x78, 0xe1, 0x33, 0xbf, - 0xed, 0x68, 0x3e, 0xb1, 0x27, 0x45, 0x6f, 0xc0, 0xe2, 0xec, 0x97, 0x69, - 0xf7, 0x5c, 0xd3, 0xf7, 0x51, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, - 0x01, 0xd2, 0x30, 0x82, 0x01, 0xce, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, - 0x0e, 0x04, 0x16, 0x04, 0x14, 0xfc, 0x8a, 0x50, 0xba, 0x9e, 0xb9, 0x25, - 0x5a, 0x7b, 0x55, 0x85, 0x4f, 0x95, 0x00, 0x63, 0x8f, 0xe9, 0x58, 0x6b, - 0x43, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00, 0x30, 0x3d, 0x06, - 0x03, 0x55, 0x1d, 0x20, 0x04, 0x36, 0x30, 0x34, 0x30, 0x32, 0x06, 0x04, - 0x55, 0x1d, 0x20, 0x00, 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08, 0x2b, 0x06, - 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x1c, 0x68, 0x74, 0x74, 0x70, - 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65, 0x72, 0x69, - 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x70, 0x73, - 0x30, 0x3d, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x36, 0x30, 0x34, 0x30, - 0x32, 0xa0, 0x30, 0xa0, 0x2e, 0x86, 0x2c, 0x68, 0x74, 0x74, 0x70, 0x3a, - 0x2f, 0x2f, 0x45, 0x56, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x2d, 0x63, - 0x72, 0x6c, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x63, 0x61, 0x33, 0x2d, 0x67, 0x35, 0x2e, - 0x63, 0x72, 0x6c, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, - 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x11, 0x06, 0x09, 0x60, - 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x01, 0x04, 0x04, 0x03, 0x02, - 0x01, 0x06, 0x30, 0x6d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x01, 0x0c, 0x04, 0x61, 0x30, 0x5f, 0xa1, 0x5d, 0xa0, 0x5b, 0x30, 0x59, - 0x30, 0x57, 0x30, 0x55, 0x16, 0x09, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x2f, - 0x67, 0x69, 0x66, 
0x30, 0x21, 0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, - 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x8f, 0xe5, 0xd3, 0x1a, 0x86, 0xac, - 0x8d, 0x8e, 0x6b, 0xc3, 0xcf, 0x80, 0x6a, 0xd4, 0x48, 0x18, 0x2c, 0x7b, - 0x19, 0x2e, 0x30, 0x25, 0x16, 0x23, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, - 0x2f, 0x6c, 0x6f, 0x67, 0x6f, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, - 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x76, 0x73, 0x6c, 0x6f, 0x67, - 0x6f, 0x2e, 0x67, 0x69, 0x66, 0x30, 0x29, 0x06, 0x03, 0x55, 0x1d, 0x11, - 0x04, 0x22, 0x30, 0x20, 0xa4, 0x1e, 0x30, 0x1c, 0x31, 0x1a, 0x30, 0x18, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x11, 0x43, 0x6c, 0x61, 0x73, 0x73, - 0x33, 0x43, 0x41, 0x32, 0x30, 0x34, 0x38, 0x2d, 0x31, 0x2d, 0x34, 0x37, - 0x30, 0x3d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, - 0x04, 0x31, 0x30, 0x2f, 0x30, 0x2d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, - 0x05, 0x07, 0x30, 0x01, 0x86, 0x21, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, - 0x2f, 0x45, 0x56, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x2d, 0x6f, 0x63, - 0x73, 0x70, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, - 0x63, 0x6f, 0x6d, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, - 0x30, 0x16, 0x80, 0x14, 0x7f, 0xd3, 0x65, 0xa7, 0xc2, 0xdd, 0xec, 0xbb, - 0xf0, 0x30, 0x09, 0xf3, 0x43, 0x39, 0xfa, 0x02, 0xaf, 0x33, 0x31, 0x33, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x96, 0xa2, 0xfa, 0x7f, - 0xe6, 0x3d, 0xed, 0xd4, 0x2b, 0xce, 0xb7, 0x15, 0x3f, 0xc0, 0x72, 0x03, - 0x5f, 0x8b, 0xba, 0x16, 0x90, 0x25, 0xf7, 0xc2, 0x83, 0xd8, 0xc7, 0x75, - 0x34, 0x63, 0x68, 0x12, 0x53, 0x0c, 0x53, 0x89, 0x7b, 0xc9, 0x56, 0x09, - 0xa7, 0xc3, 0x36, 0x44, 0x4e, 0x0e, 0xd0, 0x62, 0x62, 0xb3, 0x86, 0xfa, - 0xe8, 0xa1, 0x9b, 0x34, 0x67, 0x8d, 0x53, 0x22, 0x17, 0x3e, 0xfd, 0xac, - 0xee, 0x67, 0x2e, 0x43, 0xe2, 0x5d, 0x7f, 0x33, 0x84, 0xf2, 0xa2, 0x70, - 0xc0, 0x6e, 0x82, 0x97, 0xc0, 0x34, 0xfd, 0x25, 0xc6, 0x23, 0x7f, 0xed, - 0xe6, 0xb0, 0xc5, 
0x57, 0x43, 0x84, 0xb2, 0xde, 0x2d, 0xf1, 0xd0, 0xf6, - 0x48, 0x1f, 0x14, 0x71, 0x57, 0xb2, 0xac, 0x31, 0xe1, 0x97, 0x24, 0x23, - 0xc9, 0x13, 0x5d, 0x74, 0xe5, 0x46, 0xef, 0x09, 0x7c, 0x9e, 0xe1, 0x99, - 0x31, 0x0a, 0x08, 0x79, 0x1b, 0x8f, 0x71, 0x9f, 0x17, 0x66, 0xc8, 0x38, - 0xcf, 0xee, 0x8c, 0x97, 0xb6, 0x06, 0xb9, 0x73, 0x46, 0xe4, 0xd3, 0x94, - 0xc1, 0xe5, 0x60, 0xb5, 0x25, 0x75, 0x2d, 0xd9, 0x69, 0x31, 0xec, 0xcd, - 0x96, 0xc3, 0xa3, 0x76, 0xfd, 0xe8, 0x74, 0x44, 0xac, 0x12, 0xb9, 0x4d, - 0xbf, 0x51, 0xe8, 0xb9, 0xd4, 0x44, 0x4e, 0x27, 0xcb, 0xae, 0x20, 0xd1, - 0x7e, 0x2a, 0x7c, 0xb6, 0x63, 0x47, 0x9e, 0x76, 0xba, 0x97, 0xd0, 0x16, - 0xe7, 0x0b, 0x6c, 0x6d, 0xf7, 0x43, 0x6f, 0x33, 0x0b, 0x29, 0x30, 0x77, - 0xfa, 0x9d, 0xf9, 0xf5, 0x4e, 0xb8, 0x76, 0xb3, 0xcd, 0x18, 0xb4, 0xf9, - 0x20, 0xef, 0x3d, 0xdb, 0xe6, 0xca, 0xad, 0x9b, 0xd0, 0x4e, 0xd2, 0x87, - 0xa9, 0x0d, 0xa6, 0x44, 0x73, 0x50, 0xdd, 0x70, 0x5b, 0xed, 0xad, 0x7e, - 0x4a, 0xbc, 0x22, 0xd5, 0xa8, 0x26, 0xe4, 0xc2, 0x85, 0x20, 0x0d, 0xd9 -}; - - - -/* A valid ocsp response */ -static -uint8_t valid_ocsp_response_der[] = { - 0x30, 0x82, 0x01, 0x72, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x01, 0x6b, 0x30, - 0x82, 0x01, 0x67, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, - 0x01, 0x01, 0x04, 0x82, 0x01, 0x58, 0x30, 0x82, 0x01, 0x54, 0x30, 0x81, - 0xbe, 0xa1, 0x22, 0x30, 0x20, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x15, 0x63, 0x6f, 0x72, 0x65, 0x54, 0x4c, 0x53, 0x20, - 0x43, 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x28, 0x52, 0x53, 0x41, - 0x29, 0x18, 0x0f, 0x32, 0x30, 0x31, 0x34, 0x30, 0x38, 0x32, 0x30, 0x32, - 0x31, 0x31, 0x33, 0x30, 0x37, 0x5a, 0x30, 0x62, 0x30, 0x60, 0x30, 0x3a, - 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, - 0x14, 0x20, 0xd4, 0x96, 0xb3, 0xfb, 0xd1, 0xb8, 0x84, 0x3a, 0x38, 0x14, - 0xdb, 0x33, 0xd1, 0x0d, 0xa8, 0xca, 0x96, 0xba, 0x13, 0x04, 0x14, 0xb2, - 0x23, 0x1b, 0x0f, 0x2c, 0x5a, 0xa2, 0x1d, 0xeb, 0x96, 0x34, 0xa7, 0x6f, - 0x9d, 
0x97, 0x11, 0x81, 0x14, 0x61, 0xbb, 0x02, 0x01, 0x01, 0xa1, 0x11, - 0x18, 0x0f, 0x32, 0x30, 0x31, 0x34, 0x30, 0x38, 0x32, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x31, 0x34, 0x30, - 0x38, 0x32, 0x30, 0x32, 0x31, 0x31, 0x33, 0x30, 0x37, 0x5a, 0xa1, 0x23, - 0x30, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x30, 0x01, 0x02, 0x04, 0x12, 0x04, 0x10, 0x4c, 0xc5, 0x63, 0xf2, 0x0a, - 0x84, 0x8c, 0x03, 0xa4, 0x0d, 0x97, 0xd1, 0xa2, 0xbb, 0x1e, 0xb2, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x1b, 0x21, 0xd7, 0x01, 0xde, 0xb8, - 0x58, 0x4b, 0x79, 0x6a, 0xa3, 0x8b, 0xa7, 0xe0, 0xbd, 0xa8, 0xda, 0x58, - 0x48, 0xbb, 0xa7, 0xcd, 0xf7, 0x91, 0x15, 0xb3, 0x38, 0x70, 0xd9, 0x43, - 0x25, 0x72, 0x0e, 0xc3, 0x3d, 0xf9, 0xc7, 0x30, 0x2d, 0xb4, 0x9f, 0x1c, - 0x4b, 0x62, 0x31, 0x48, 0xb4, 0x9f, 0x00, 0xbd, 0x57, 0xb6, 0xec, 0xda, - 0xf0, 0xa2, 0x42, 0x61, 0xfc, 0xef, 0x73, 0xc5, 0x55, 0xc1, 0xf6, 0x72, - 0x79, 0xcf, 0x55, 0x01, 0x09, 0xe4, 0xd2, 0xee, 0xbd, 0xa6, 0x08, 0xc6, - 0x39, 0x3a, 0x17, 0x76, 0x98, 0xaa, 0x61, 0x82, 0xb9, 0x41, 0xe1, 0xbb, - 0x4f, 0x67, 0x5e, 0x0b, 0x5e, 0xfa, 0x3c, 0x12, 0x15, 0xbe, 0x90, 0x8e, - 0x29, 0xe6, 0x5c, 0x9b, 0xfc, 0xaf, 0x40, 0xa4, 0x31, 0xd7, 0xa4, 0xc6, - 0x71, 0x22, 0x01, 0xfa, 0xb2, 0xcd, 0x6e, 0x1f, 0x26, 0xdb, 0xb1, 0xa3, - 0xec, 0x43 -}; - - -/* An ocsp response with a bad hash algorithm */ -static -uint8_t bad_hash_ocsp_response_der[] = { - 0x30, 0x82, 0x01, 0x72, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x01, 0x6b, 0x30, - 0x82, 0x01, 0x67, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, - 0x01, 0x01, 0x04, 0x82, 0x01, 0x58, 0x30, 0x82, 0x01, 0x54, 0x30, 0x81, - 0xbe, 0xa1, 0x22, 0x30, 0x20, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x15, 0x63, 0x6f, 0x72, 0x65, 0x54, 0x4c, 0x53, 0x20, - 0x43, 0x41, 0x20, 0x43, 0x65, 0x72, 0x74, 0x20, 0x28, 0x52, 0x53, 0x41, - 0x29, 0x18, 0x0f, 0x32, 0x30, 
0x31, 0x34, 0x30, 0x38, 0x32, 0x30, 0x32, - 0x31, 0x31, 0x33, 0x30, 0x37, 0x5a, 0x30, 0x62, 0x30, 0x60, 0x30, 0x3a, - 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02,/**/ 0x1B, /**/ 0x05, 0x00, 0x04, // This line changed the OID for SHA1 to something else. (0x1B vs 0x1a) - 0x14, 0x20, 0xd4, 0x96, 0xb3, 0xfb, 0xd1, 0xb8, 0x84, 0x3a, 0x38, 0x14, - 0xdb, 0x33, 0xd1, 0x0d, 0xa8, 0xca, 0x96, 0xba, 0x13, 0x04, 0x14, 0xb2, - 0x23, 0x1b, 0x0f, 0x2c, 0x5a, 0xa2, 0x1d, 0xeb, 0x96, 0x34, 0xa7, 0x6f, - 0x9d, 0x97, 0x11, 0x81, 0x14, 0x61, 0xbb, 0x02, 0x01, /**/ 0x4B, /**/ 0xa1, 0x11, // This line change the serial number to match the cert (0x01 vs 0x4B) - 0x18, 0x0f, 0x32, 0x30, 0x31, 0x34, 0x30, 0x38, 0x32, 0x30, 0x30, 0x30, - 0x30, 0x30, 0x30, 0x30, 0x5a, 0x18, 0x0f, 0x32, 0x30, 0x31, 0x34, 0x30, - 0x38, 0x32, 0x30, 0x32, 0x31, 0x31, 0x33, 0x30, 0x37, 0x5a, 0xa1, 0x23, - 0x30, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x30, 0x01, 0x02, 0x04, 0x12, 0x04, 0x10, 0x4c, 0xc5, 0x63, 0xf2, 0x0a, - 0x84, 0x8c, 0x03, 0xa4, 0x0d, 0x97, 0xd1, 0xa2, 0xbb, 0x1e, 0xb2, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x1b, 0x21, 0xd7, 0x01, 0xde, 0xb8, - 0x58, 0x4b, 0x79, 0x6a, 0xa3, 0x8b, 0xa7, 0xe0, 0xbd, 0xa8, 0xda, 0x58, - 0x48, 0xbb, 0xa7, 0xcd, 0xf7, 0x91, 0x15, 0xb3, 0x38, 0x70, 0xd9, 0x43, - 0x25, 0x72, 0x0e, 0xc3, 0x3d, 0xf9, 0xc7, 0x30, 0x2d, 0xb4, 0x9f, 0x1c, - 0x4b, 0x62, 0x31, 0x48, 0xb4, 0x9f, 0x00, 0xbd, 0x57, 0xb6, 0xec, 0xda, - 0xf0, 0xa2, 0x42, 0x61, 0xfc, 0xef, 0x73, 0xc5, 0x55, 0xc1, 0xf6, 0x72, - 0x79, 0xcf, 0x55, 0x01, 0x09, 0xe4, 0xd2, 0xee, 0xbd, 0xa6, 0x08, 0xc6, - 0x39, 0x3a, 0x17, 0x76, 0x98, 0xaa, 0x61, 0x82, 0xb9, 0x41, 0xe1, 0xbb, - 0x4f, 0x67, 0x5e, 0x0b, 0x5e, 0xfa, 0x3c, 0x12, 0x15, 0xbe, 0x90, 0x8e, - 0x29, 0xe6, 0x5c, 0x9b, 0xfc, 0xaf, 0x40, 0xa4, 0x31, 0xd7, 0xa4, 0xc6, - 0x71, 0x22, 0x01, 0xfa, 0xb2, 0xcd, 0x6e, 0x1f, 0x26, 0xdb, 0xb1, 0xa3, - 0xec, 0x43 -}; - 
-
-
-/* A invalid ocsp response */
-static uint8_t invalid_ocsp_response_der[] = {
- 0x30, 0x81, 0x03,
- 0x0a, 0x01, 0x01,
-};
-
-static void tests()
-{
- SecCertificateRef certA=NULL, certD=NULL, certF=NULL, certCA_alpha=NULL, certCA_beta=NULL;
- CFDataRef proofD=NULL, proofA_1=NULL, proofA_2=NULL;
- SecCertificateRef www_digicert_com_cert=NULL, digicert_sha2_ev_server_ca=NULL;
- SecCertificateRef www_paypal_com_cert=NULL, www_paypal_com_issuer_cert=NULL;
- SecCertificateRef cfCert = NULL;
- CFMutableArrayRef certs=NULL;
- CFMutableArrayRef scts=NULL;
- CFMutableArrayRef anchors=NULL;
- CFDataRef valid_ocsp=NULL;
- CFDataRef invalid_ocsp=NULL;
- CFDataRef bad_hash_ocsp=NULL;
-
- CFArrayRef trustedLogs=NULL;
- CFURLRef trustedLogsURL=NULL;
-
- trustedLogsURL = CFBundleCopyResourceURL(CFBundleGetMainBundle(),
- CFSTR("si-82-sectrust-ct-logs"),
- CFSTR("plist"),
- NULL);
- isnt(trustedLogsURL, NULL, "trustedLogsURL");
- ok(CFURLResourceIsReachable(trustedLogsURL, NULL), "trustedLog plist is accessible");
- trustedLogs = (CFArrayRef) CFPropertyListReadFromFile(trustedLogsURL);
-
-
- isnt(certCA_alpha = SecCertificateCreateWithBytes(NULL, CA_alpha_cert_der, sizeof(CA_alpha_cert_der)), NULL, "create ca-alpha cert");
- isnt(certCA_beta = SecCertificateCreateWithBytes(NULL, CA_beta_cert_der, sizeof(CA_beta_cert_der)), NULL, "create ca-beta cert");
- isnt(anchors = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create anchors array");
- CFArrayAppendValue(anchors, certCA_alpha);
- CFArrayAppendValue(anchors, certCA_beta);
- isnt(certA = SecCertificateCreateWithBytes(NULL, server_A_cert_der, sizeof(server_A_cert_der)), NULL, "create certD");
- isnt(certD = SecCertificateCreateWithBytes(NULL, serverD_cert_der, sizeof(serverD_cert_der)), NULL, "create certD");
- isnt(certF = SecCertificateCreateWithBytes(NULL, serverF_cert_der, sizeof(serverF_cert_der)), NULL, "create certF");
- isnt(proofD = CFDataCreate(kCFAllocatorDefault, serverD_cert_proof,
sizeof(serverD_cert_proof)), NULL, "creat proofD");
- isnt(proofA_1 = CFDataCreate(kCFAllocatorDefault, server_A_proof_Alfa_3, sizeof(server_A_proof_Alfa_3)), NULL, "creat proofA_1");
- isnt(proofA_2 = CFDataCreate(kCFAllocatorDefault, server_A_proof_Bravo_3, sizeof(server_A_proof_Bravo_3)), NULL, "creat proofA_2");
- isnt(www_digicert_com_cert = SecCertificateCreateWithBytes(NULL, www_digicert_com_cert_der, sizeof(www_digicert_com_cert_der)), NULL, "create www.digicert.com cert");
- isnt(digicert_sha2_ev_server_ca = SecCertificateCreateWithBytes(NULL, digicert_sha2_ev_server_ca_der, sizeof(digicert_sha2_ev_server_ca_der)), NULL, "create digicert.com subCA cert");
- isnt(www_paypal_com_cert = SecCertificateCreateWithBytes(NULL, www_paypal_com_cert_der, sizeof(www_paypal_com_cert_der)), NULL, "create www.paypal.com cert");
- isnt(www_paypal_com_issuer_cert = SecCertificateCreateWithBytes(NULL, www_paypal_com_issuer_cert_der, sizeof(www_paypal_com_issuer_cert_der)), NULL, "create www.paypal.com issuer cert");
- isnt(valid_ocsp = CFDataCreate(kCFAllocatorDefault, valid_ocsp_response_der, sizeof(valid_ocsp_response_der)), NULL, "create valid_ocsp");
- isnt(invalid_ocsp = CFDataCreate(kCFAllocatorDefault, invalid_ocsp_response_der, sizeof(invalid_ocsp_response_der)), NULL, "create invalid_ocsp");
- isnt(bad_hash_ocsp = CFDataCreate(kCFAllocatorDefault, bad_hash_ocsp_response_der, sizeof(bad_hash_ocsp_response_der)), NULL, "create bad_hash_ocsp");
-
- /* Case 1: coreos-ct-test embedded SCT - only 1 SCT - so not CT qualified */
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs, certF);
- test_ct_trust(certs, NULL, NULL, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), false, "coreos-ct-test 1");
- CFReleaseNull(certs);
-
- /* Case 2: coreos-ct-test standalone SCT - only 1 SCT - so not CT qualified */
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs, certD);
- isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
- CFArrayAppendValue(scts, proofD);
- test_ct_trust(certs, scts, NULL, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), false, "coreos-ct-test 2");
- CFReleaseNull(certs);
- CFReleaseNull(scts);
-
- /* case 3: digicert : 2 embedded SCTs, but both from Google, so not CT qualified */
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs, www_digicert_com_cert);
- CFArrayAppendValue(certs, digicert_sha2_ev_server_ca);
- test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("www.digicert.com"), false, "digicert");
- CFReleaseNull(certs);
-
- /* case 4: paypal.com cert - not CT, but EV */
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs, www_paypal_com_cert);
- CFArrayAppendValue(certs, www_paypal_com_issuer_cert);
- test_ct_trust(certs, NULL, NULL, NULL, trustedLogs, CFSTR("www.paypal.com"), false, "paypal");
- CFReleaseNull(certs);
-
- /* Case 5: coreos-ct-test standalone SCT - 2 SCTs - CT qualified */
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs, certA);
- isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
- CFArrayAppendValue(scts, proofA_1);
- CFArrayAppendValue(scts, proofA_2);
- test_ct_trust(certs, scts, NULL, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), true, "coreos-ct-test 3");
- CFReleaseNull(certs);
- CFReleaseNull(scts);
-
-
- /* Case 6: Test with an invalid OCSP response */
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs,
certA);
- isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
- CFArrayAppendValue(scts, proofA_1);
- test_ct_trust(certs, scts, invalid_ocsp, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), false, "coreos-ct-test 3");
- CFReleaseNull(certs);
- CFReleaseNull(scts);
-
- /* Case 7: Test with a valid OCSP response */
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs, certA);
- isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
- CFArrayAppendValue(scts, proofA_1);
- test_ct_trust(certs, scts, valid_ocsp, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), false, "coreos-ct-test 3");
- CFReleaseNull(certs);
- CFReleaseNull(scts);
-
- /* Case 8: Test with a bad hash OCSP response */
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
- CFArrayAppendValue(certs, certA);
- isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
- CFArrayAppendValue(scts, proofA_1);
- test_ct_trust(certs, scts, bad_hash_ocsp, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), false, "coreos-ct-test 3");
- CFReleaseNull(certs);
- CFReleaseNull(scts);
-
-
-#define TEST_CASE(x) \
- do { \
- isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array for " #x); \
- isnt(cfCert = SecCertificateCreateWithBytes(NULL, x, sizeof(x)), NULL, "create cfCert from " #x); \
- CFArrayAppendValue(certs, cfCert); \
- test_ct_trust(certs, NULL, NULL, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), true, #x); \
- CFReleaseNull(certs); \
- CFReleaseNull(cfCert); \
- } while (0)
-
-/*
- server_1601_cert_der
- server_1603_cert_der
- server_1604_cert_der
- server_1701_cert_der
- server_1704_cert_der
- server_1705_cert_der
- 
server_1801_cert_der
- server_1804_cert_der
- server_1805_cert_der
- server_2001_cert_der
-*/
-
- TEST_CASE(server_1601_cert_der);
- TEST_CASE(server_1603_cert_der);
- TEST_CASE(server_1604_cert_der);
- TEST_CASE(server_1701_cert_der);
- TEST_CASE(server_1704_cert_der);
- TEST_CASE(server_1705_cert_der);
- TEST_CASE(server_1801_cert_der);
- TEST_CASE(server_1804_cert_der);
- TEST_CASE(server_1805_cert_der);
- TEST_CASE(server_2001_cert_der);
-
- CFReleaseSafe(certCA_alpha);
- CFReleaseSafe(certCA_beta);
- CFReleaseSafe(anchors);
- CFReleaseSafe(certA);
- CFReleaseSafe(certD);
- CFReleaseSafe(certF);
- CFReleaseSafe(proofD);
- CFReleaseSafe(proofA_1);
- CFReleaseSafe(proofA_2);
- CFReleaseSafe(www_digicert_com_cert);
- CFReleaseSafe(digicert_sha2_ev_server_ca);
- CFReleaseSafe(www_paypal_com_cert);
- CFReleaseSafe(www_paypal_com_issuer_cert);
- CFReleaseSafe(trustedLogsURL);
- CFReleaseSafe(trustedLogs);
- CFReleaseSafe(valid_ocsp);
- CFReleaseSafe(invalid_ocsp);
- CFReleaseSafe(bad_hash_ocsp);
-
-}
-
-
-int si_82_sectrust_ct(int argc, char *const *argv)
-{
- plan_tests(287);
-
- tests();
-
- return 0;
-}
diff --git a/OSX/shared_regressions/si-82-sectrust-ct.m b/OSX/shared_regressions/si-82-sectrust-ct.m
new file mode 100644
index 00000000..64872ace
--- /dev/null
+++ b/OSX/shared_regressions/si-82-sectrust-ct.m
@@ -0,0 +1,381 @@
+/*
+ * si-82-sectrust-ct.c
+ * Security
+ *
+ * Copyright (c) 2014 Apple Inc. All Rights Reserved.
+ *
+ */
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecTrustPriv.h>
+#include <Security/SecPolicy.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <utilities/SecCFWrappers.h>
+
+#include "shared_regressions.h"
+
+//define this if you want to print clock time of SecTrustEvaluate call.
+//define PRINT_SECTRUST_EVALUATE_TIME
+
+static bool isCFTrue(CFTypeRef cf)
+{
+ return (cf == kCFBooleanTrue);
+}
+
+static void test_ct_trust(CFArrayRef certs, CFArrayRef scts, CFTypeRef ocspresponses, CFArrayRef anchors,
+ CFArrayRef trustedLogs, CFStringRef hostname, CFDateRef date,
+ bool ct_expected, bool ev_expected, bool ct_whitelist_expected,
+ const char *test_name)
+{
+ CFArrayRef policies=NULL;
+ SecPolicyRef policy=NULL;
+ SecTrustRef trust=NULL;
+ SecTrustResultType trustResult;
+ CFDictionaryRef results=NULL;
+ CFArrayRef properties=NULL;
+
+
+
+ isnt(policy = SecPolicyCreateSSL(false, hostname), NULL, "create policy");
+ isnt(policies = CFArrayCreate(kCFAllocatorDefault, (const void **)&policy, 1, &kCFTypeArrayCallBacks), NULL, "create policies");
+ ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust");
+
+ assert(trust); // silence analyzer
+ if(anchors) {
+ ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
+ }
+
+ if(scts) {
+ ok_status(SecTrustSetSignedCertificateTimestamps(trust, scts), "set standalone SCTs");;
+ }
+
+ if(trustedLogs) {
+ ok_status(SecTrustSetTrustedLogs(trust, trustedLogs), "set trusted logs");
+ }
+
+ if(ocspresponses) {
+ ok_status(SecTrustSetOCSPResponse(trust, ocspresponses), "set ocsp responses");
+ }
+
+ if (!date) { goto errOut; }
+ ok_status(SecTrustSetVerifyDate(trust, date), "set date");
+#ifdef PRINT_SECTRUST_EVALUATE_TIME
+ clock_t t0 = clock();
+#endif
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+#ifdef PRINT_SECTRUST_EVALUATE_TIME
+ clock_t t1 = clock() - t0;
+#endif
+ ok(trustResult == kSecTrustResultUnspecified, "trustResult 4 expected (got %d)",
+ (int)trustResult);
+
+ results = SecTrustCopyResult(trust);
+
+ CFTypeRef ct = CFDictionaryGetValue(results, kSecTrustCertificateTransparency);
+ CFTypeRef ev = CFDictionaryGetValue(results, kSecTrustExtendedValidation);
+ CFTypeRef ct_whitelist = CFDictionaryGetValue(results, kSecTrustCertificateTransparencyWhiteList);
+
+
+ ok((isCFTrue(ct) == ct_expected), "unexpected CT result (%s)", test_name);
+ ok((isCFTrue(ev) == ev_expected), "unexpected EV result (%s)", test_name);
+ ok((isCFTrue(ct_whitelist) == ct_whitelist_expected), "unexpected CT WhiteList result (%s)", test_name);
+
+#ifdef PRINT_SECTRUST_EVALUATE_TIME
+ printf("%s: %lu\n", test_name, t1);
+#endif
+
+ properties = SecTrustCopyProperties(trust);
+
+errOut:
+ CFReleaseSafe(policy);
+ CFReleaseSafe(policies);
+ CFReleaseSafe(trust);
+ CFReleaseSafe(results);
+ CFReleaseSafe(properties);
+}
+
+#import <Foundation/Foundation.h>
+
+static
+SecCertificateRef SecCertificateCreateFromResource(NSString *name)
+{
+ NSURL *url = [[NSBundle mainBundle] URLForResource:name withExtension:@".crt" subdirectory:@"si-82-sectrust-ct-data"];
+
+ NSData *certData = [NSData dataWithContentsOfURL:url];
+
+ SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certData);
+
+ return cert;
+}
+
+static
+CFDataRef CFDataCreateFromResource(NSString *name)
+{
+ NSURL *url = [[NSBundle mainBundle] URLForResource:name withExtension:@".bin" subdirectory:@"si-82-sectrust-ct-data"];
+
+ NSData *binData = [[NSData alloc] initWithContentsOfURL:url];
+
+ return (__bridge_retained CFDataRef) binData;
+}
+
+static void tests()
+{
+ SecCertificateRef certA=NULL, certD=NULL, certF=NULL, certCA_alpha=NULL, certCA_beta=NULL;
+ CFDataRef proofD=NULL, proofA_1=NULL, proofA_2=NULL;
+ SecCertificateRef www_digicert_com_2015_cert=NULL, www_digicert_com_2016_cert=NULL, digicert_sha2_ev_server_ca=NULL;
+ SecCertificateRef www_paypal_com_cert=NULL, www_paypal_com_issuer_cert=NULL;
+ SecCertificateRef pilot_cert_3055998=NULL, pilot_cert_3055998_issuer=NULL;
+ SecCertificateRef whitelist_00008013=NULL, whitelist_5555bc4f=NULL, whitelist_aaaae152=NULL, whitelist_fff9b5f6=NULL;
+ SecCertificateRef whitelist_00008013_issuer=NULL, whitelist_5555bc4f_issuer=NULL, whitelist_fff9b5f6_issuer=NULL;
+ SecCertificateRef cfCert = NULL;
+ CFMutableArrayRef certs=NULL;
+ CFMutableArrayRef scts=NULL;
+ CFMutableArrayRef anchors=NULL;
+ CFDataRef valid_ocsp=NULL;
+ CFDataRef invalid_ocsp=NULL;
+ CFDataRef bad_hash_ocsp=NULL;
+
+ CFArrayRef trustedLogs=NULL;
+ CFURLRef trustedLogsURL=NULL;
+
+ trustedLogsURL = CFBundleCopyResourceURL(CFBundleGetMainBundle(),
+ CFSTR("CTlogs"),
+ CFSTR("plist"),
+ CFSTR("si-82-sectrust-ct-data"));
+ isnt(trustedLogsURL, NULL, "trustedLogsURL");
+ trustedLogs = (CFArrayRef) CFPropertyListReadFromFile(trustedLogsURL);
+ isnt(trustedLogs, NULL, "trustedLogs");
+
+ isnt(certCA_alpha = SecCertificateCreateFromResource(@"CA_alpha"), NULL, "create ca-alpha cert");
+ isnt(certCA_beta = SecCertificateCreateFromResource(@"CA_beta"), NULL, "create ca-beta cert");
+ isnt(anchors = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create anchors array");
+ CFArrayAppendValue(anchors, certCA_alpha);
+ CFArrayAppendValue(anchors, certCA_beta);
+ isnt(certA = SecCertificateCreateFromResource(@"serverA"), NULL, "create certA");
+ isnt(certD = SecCertificateCreateFromResource(@"serverD"), NULL, "create certD");
+ isnt(certF = SecCertificateCreateFromResource(@"serverF"), NULL, "create certF");
+ isnt(proofD = CFDataCreateFromResource(@"serverD_proof"), NULL, "creat proofD");
+ isnt(proofA_1 = CFDataCreateFromResource(@"serverA_proof_Alfa_3"), NULL, "creat proofA_1");
+ isnt(proofA_2 = CFDataCreateFromResource(@"serverA_proof_Bravo_3"), NULL, "creat proofA_2");
+ isnt(www_digicert_com_2015_cert = SecCertificateCreateFromResource(@"www_digicert_com_2015"), NULL, "create www.digicert.com 2015 cert");
+ isnt(www_digicert_com_2016_cert = SecCertificateCreateFromResource(@"www_digicert_com_2016"), NULL, "create www.digicert.com 2016 cert");
+ isnt(digicert_sha2_ev_server_ca = SecCertificateCreateFromResource(@"digicert_sha2_ev_server_ca"), NULL, "create digicert.com subCA cert");
+ isnt(www_paypal_com_cert = SecCertificateCreateFromResource(@"www_paypal_com"), NULL, "create www.paypal.com cert");
+ isnt(www_paypal_com_issuer_cert = SecCertificateCreateFromResource(@"www_paypal_com_issuer"), NULL, "create www.paypal.com issuer cert");
+ isnt(valid_ocsp = CFDataCreateFromResource(@"valid_ocsp_response"), NULL, "create valid_ocsp");
+ isnt(invalid_ocsp = CFDataCreateFromResource(@"invalid_ocsp_response"), NULL, "create invalid_ocsp");
+ isnt(bad_hash_ocsp = CFDataCreateFromResource(@"bad_hash_ocsp_response"), NULL, "create bad_hash_ocsp");
+ isnt(pilot_cert_3055998 = SecCertificateCreateFromResource(@"pilot_3055998"), NULL, "create pilot_cert_3055998 cert");
+ isnt(pilot_cert_3055998_issuer = SecCertificateCreateFromResource(@"pilot_3055998_issuer"), NULL, "create pilot_cert_3055998 issuer cert");
+
+ isnt(whitelist_00008013 = SecCertificateCreateFromResource(@"whitelist_00008013"), NULL, "create whitelist_00008013 cert");
+ isnt(whitelist_5555bc4f = SecCertificateCreateFromResource(@"whitelist_5555bc4f"), NULL, "create whitelist_5555bc4f cert");
+ isnt(whitelist_aaaae152 = SecCertificateCreateFromResource(@"whitelist_aaaae152"), NULL, "create whitelist_aaaae152 cert");
+ isnt(whitelist_fff9b5f6 = SecCertificateCreateFromResource(@"whitelist_fff9b5f6"), NULL, "create whitelist_fff9b5f6 cert");
+ isnt(whitelist_00008013_issuer = SecCertificateCreateFromResource(@"whitelist_00008013_issuer"), NULL, "create whitelist_00008013_issuer cert");
+ isnt(whitelist_5555bc4f_issuer = SecCertificateCreateFromResource(@"whitelist_5555bc4f_issuer"), NULL, "create whitelist_5555bc4f_issuer cert");
+ isnt(whitelist_fff9b5f6_issuer = SecCertificateCreateFromResource(@"whitelist_fff9b5f6_issuer"), NULL, "create whitelist_fff9b5f6_issuer cert");
+
+ CFCalendarRef cal = NULL;
+ CFAbsoluteTime at;
+ CFDateRef date_20150307 = NULL; // Date for older set of tests.
+ CFDateRef date_20160422 = NULL; // Date for newer set of tests.
+
+ isnt(cal = CFCalendarCreateWithIdentifier(kCFAllocatorDefault, kCFGregorianCalendar), NULL, "create calendar");
+ ok(CFCalendarComposeAbsoluteTime(cal, &at, "yMd", 2015, 3, 7), "create verify absolute time 20150307");
+ isnt(date_20150307 = CFDateCreate(kCFAllocatorDefault, at), NULL, "create verify date 20150307");
+ ok(CFCalendarComposeAbsoluteTime(cal, &at, "yMd", 2016, 4, 22), "create verify absolute time 20160422");
+ isnt(date_20160422 = CFDateCreate(kCFAllocatorDefault, at), NULL, "create verify date 20160422");
+
+
+ /* Case 1: coreos-ct-test embedded SCT - only 1 SCT - so not CT qualified */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, certF);
+ test_ct_trust(certs, NULL, NULL, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), date_20150307,
+ false, false, false, "coreos-ct-test 1");
+ CFReleaseNull(certs);
+
+ /* Case 2: coreos-ct-test standalone SCT - only 1 SCT - so not CT qualified */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, certD);
+ isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
+ CFArrayAppendValue(scts, proofD);
+ test_ct_trust(certs, scts, NULL, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), date_20150307,
+ false, false, false, "coreos-ct-test 2");
+ CFReleaseNull(certs);
+ CFReleaseNull(scts);
+
+ /* case 3: digicert : 2 embedded SCTs, but lifetime of cert is 24 month, so not CT qualified, but is whitelisted */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, www_digicert_com_2015_cert);
+ CFArrayAppendValue(certs, digicert_sha2_ev_server_ca);
+ test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("www.digicert.com"), date_20150307,
+ false, true, true, "digicert 2015");
+ CFReleaseNull(certs);
+
+ /* case 4: paypal.com cert - not CT, but EV */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, www_paypal_com_cert);
+ CFArrayAppendValue(certs, www_paypal_com_issuer_cert);
+ test_ct_trust(certs, NULL, NULL, NULL, trustedLogs, CFSTR("www.paypal.com"), date_20150307,
+ false, true, false, "paypal");
+ CFReleaseNull(certs);
+
+ /* Case 5: coreos-ct-test standalone SCT - 2 SCTs - CT qualified */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, certA);
+ isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
+ CFArrayAppendValue(scts, proofA_1);
+ CFArrayAppendValue(scts, proofA_2);
+ test_ct_trust(certs, scts, NULL, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), date_20150307,
+ true, false, false, "coreos-ct-test 3");
+ CFReleaseNull(certs);
+ CFReleaseNull(scts);
+
+
+ /* Case 6: Test with an invalid OCSP response */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, certA);
+ isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
+ CFArrayAppendValue(scts, proofA_1);
+ test_ct_trust(certs, scts, invalid_ocsp, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), date_20150307,
+ false, false, false, "coreos-ct-test 4");
+ CFReleaseNull(certs);
+ CFReleaseNull(scts);
+
+ /* Case 7: Test with a valid OCSP response */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, certA);
+ isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
+ CFArrayAppendValue(scts, proofA_1);
+ test_ct_trust(certs, scts, valid_ocsp, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), date_20150307,
+ false, false, false, "coreos-ct-test 5");
+ CFReleaseNull(certs);
+ CFReleaseNull(scts);
+
+ /* Case 8: Test with a bad hash OCSP response */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, certA);
+ isnt(scts = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create SCT array");
+ CFArrayAppendValue(scts, proofA_1);
+ test_ct_trust(certs, scts, bad_hash_ocsp, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), date_20150307,
+ false, false, false, "coreos-ct-test 6");
+ CFReleaseNull(certs);
+ CFReleaseNull(scts);
+
+ /* Case 9: Previously WhiteListed EV cert (expired in Feb 2016, so not on final whitelist)*/
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, pilot_cert_3055998);
+ CFArrayAppendValue(certs, pilot_cert_3055998_issuer);
+ test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("www.ssbwingate.com"), date_20150307,
+ false, true, false, "previously whitelisted cert");
+ CFReleaseNull(certs);
+
+ /* Case 10-13: WhiteListed EV cert */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, whitelist_00008013);
+ CFArrayAppendValue(certs, whitelist_00008013_issuer);
+ test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("clava.com"), date_20150307,
+ false, true, true, "whitelisted cert 00008013");
+ CFReleaseNull(certs);
+
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, whitelist_5555bc4f);
+ CFArrayAppendValue(certs, whitelist_5555bc4f_issuer);
+ test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("lanai.dartmouth.edu"),
+ date_20150307, false, true, true, "whitelisted cert 5555bc4f");
+ CFReleaseNull(certs);
+
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, whitelist_aaaae152);
+ CFArrayAppendValue(certs, whitelist_5555bc4f_issuer); // Same issuer (Go Daddy) as above
+ test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("www.falymusic.com"),
+ date_20150307, false, true, true, "whitelisted cert aaaae152");
+ CFReleaseNull(certs);
+
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, whitelist_fff9b5f6);
+ CFArrayAppendValue(certs, whitelist_fff9b5f6_issuer);
+ test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("www.defencehealth.com.au"),
+ date_20150307, false, true, true, "whitelisted cert fff9b5f6");
+ CFReleaseNull(certs);
+
+
+ /* case 14: Current (April 2016) www.digicert.com cert: 3 embedded SCTs, CT qualified */
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array");
+ CFArrayAppendValue(certs, www_digicert_com_2016_cert);
+ CFArrayAppendValue(certs, digicert_sha2_ev_server_ca);
+ test_ct_trust(certs, NULL, NULL, NULL, NULL, CFSTR("www.digicert.com"), date_20160422,
+ true, true, false, "digicert 2016");
+ CFReleaseNull(certs);
+
+
+
+#define TEST_CASE(x) \
+ do { \
+ isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array for " #x); \
+ isnt(cfCert = SecCertificateCreateFromResource(@#x), NULL, "create cfCert from " #x); \
+ CFArrayAppendValue(certs, cfCert); \
+ test_ct_trust(certs, NULL, NULL, anchors, trustedLogs, CFSTR("coreos-ct-test.apple.com"), date_20150307, true, false, false, #x); \
+ CFReleaseNull(certs); \
+ CFReleaseNull(cfCert); \
+ } while (0)
+
+
+ TEST_CASE(server_1601);
+ TEST_CASE(server_1603);
+ TEST_CASE(server_1604);
+ TEST_CASE(server_1701);
+ TEST_CASE(server_1704);
+ TEST_CASE(server_1705);
+ TEST_CASE(server_1801);
+ TEST_CASE(server_1804);
+ TEST_CASE(server_1805);
+ TEST_CASE(server_2001);
+
+
+ CFReleaseSafe(certCA_alpha);
+ CFReleaseSafe(certCA_beta);
+ CFReleaseSafe(anchors);
+ CFReleaseSafe(certA);
+ CFReleaseSafe(certD);
+ CFReleaseSafe(certF);
+ CFReleaseSafe(proofD);
+ CFReleaseSafe(proofA_1);
+ CFReleaseSafe(proofA_2);
+ CFReleaseSafe(www_digicert_com_2015_cert);
+ CFReleaseSafe(www_digicert_com_2016_cert);
+ CFReleaseSafe(digicert_sha2_ev_server_ca);
+ CFReleaseSafe(www_paypal_com_cert);
+ CFReleaseSafe(www_paypal_com_issuer_cert);
+ CFReleaseSafe(pilot_cert_3055998);
+ CFReleaseSafe(pilot_cert_3055998_issuer);
+ CFReleaseSafe(whitelist_00008013);
+ CFReleaseSafe(whitelist_5555bc4f);
+ CFReleaseSafe(whitelist_aaaae152);
+ CFReleaseSafe(whitelist_fff9b5f6);
+ CFReleaseSafe(whitelist_00008013_issuer);
+ CFReleaseSafe(whitelist_5555bc4f_issuer);
+ CFReleaseSafe(whitelist_fff9b5f6_issuer);
+ CFReleaseSafe(trustedLogsURL);
+ CFReleaseSafe(trustedLogs);
+ CFReleaseSafe(valid_ocsp);
+ CFReleaseSafe(invalid_ocsp);
+ CFReleaseSafe(bad_hash_ocsp);
+ CFReleaseSafe(cal);
+ CFReleaseSafe(date_20150307);
+ CFReleaseSafe(date_20160422);
+
+}
+
+
+int si_82_sectrust_ct(int argc, char *const *argv)
+{
+ plan_tests(329);
+
+ tests();
+
+ return 0;
+}
diff --git a/OSX/tlsnke/README.tlsnke b/OSX/tlsnke/README.tlsnke
deleted file mode 100644
index 3a867e81..00000000
--- a/OSX/tlsnke/README.tlsnke
+++ /dev/null
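Review bot: `results = SecTrustCopyResult(trust)` in test_ct_trust is handed straight to the three CFDictionaryGetValue calls with no NULL check, so a failed copy crashes the whole regression binary instead of recording one failed case; guard it with `isnt(results = SecTrustCopyResult(trust), NULL, "copy trust result");` followed by `if (!results) { goto errOut; }` and raise the plan_tests count to match. In the same function `trustResult` is declared uninitialized and is still read by the `ok(trustResult == kSecTrustResultUnspecified, ...)` line when SecTrustEvaluate has failed, so it should start as `SecTrustResultType trustResult = kSecTrustResultInvalid;`. The `if (!date) { goto errOut; }` early exit silently skips every assertion of that case, which shows up only as a plan_tests(329) mismatch rather than as a named failure. Separately, the file header still names `si-82-sectrust-ct.c` although the file now lives as the .m variant.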
@@ -1,3 +0,0 @@
-The tlsnke kext is build as part of the coreTLS project.
-Only an helper library and test app are left here.
-THe tlsnke.h header is also copied here, as it is not exported by coreTLS.
diff --git a/OSX/tlsnke/tlsnke.xcodeproj/project.pbxproj b/OSX/tlsnke/tlsnke.xcodeproj/project.pbxproj
deleted file mode 100644
index a57a7850..00000000
--- a/OSX/tlsnke/tlsnke.xcodeproj/project.pbxproj
+++ /dev/null
@@ -1,611 +0,0 @@ -// !$*UTF8*$! -{ - archiveVersion = 1; - classes = { - }; - objectVersion = 46; - objects = { - -/* Begin PBXAggregateTarget section */ - 0CE08A7E148FF61C000473EB /* host-loadkext */ = { - isa = PBXAggregateTarget; - buildConfigurationList = 0CE08A7F148FF61C000473EB /* Build configuration list for PBXAggregateTarget "host-loadkext" */; - buildPhases = ( - 0CE08A89148FF86C000473EB /* ShellScript */, - ); - dependencies = ( - 0CE08A83148FF628000473EB /* PBXTargetDependency */, - ); - name = "host-loadkext"; - productName = all; - }; -/* End PBXAggregateTarget section */ - -/* Begin PBXBuildFile section */ - 0C271D7515C8C80300560531 /* libsecurity_ssl_kext.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CBE354615C8C3A5006241C7 /* libsecurity_ssl_kext.a */; }; - 0C38E43D14BF707500DD862C /* tlsnke.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C38E43C14BF707500DD862C /* tlsnke.h */; }; - 0C6C642715D5A9C200BC68CD /* ssl-utils.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C6C642515D5A9C200BC68CD /* ssl-utils.c */; }; - 0C7CF8D714E18A9F00DF9D95 /* dtls_client.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C7CF8D614E18A9F00DF9D95 /* dtls_client.c */; }; - 0CBE354515C8C340006241C7 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CBE354415C8C340006241C7 /* Security.framework */; }; - 0CC9A7FA146DF66000C18F89 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 0CC9A7F8146DF66000C18F89 /* InfoPlist.strings */; }; - 0CC9A7FC146DF66000C18F89 /* tlsnke.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CC9A7FB146DF66000C18F89 /* tlsnke.c */; }; - 0CDF46A414DC794F00FFE2FD /* tlssocket.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CA31A4214B7DFAB00BD348C /* tlssocket.c */; }; - 0CDF46A514DC795400FFE2FD /* tlssocket.h in Headers */ = {isa = PBXBuildFile; fileRef = 0CA31A4514B7DFBA00BD348C /* tlssocket.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 0CDF46A614DC79FA00FFE2FD /* libtlssocket.a in 
Frameworks */ = {isa = PBXBuildFile; fileRef = 0CDF46A014DC794300FFE2FD /* libtlssocket.a */; }; - 0CE08A77148FF2C7000473EB /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CE08A76148FF2C7000473EB /* main.c */; }; - 0CEF580014C0E227000A93B0 /* st_test.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CEF57FF14C0E227000A93B0 /* st_test.c */; }; - 0CEF580614C0E566000A93B0 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CEF580514C0E566000A93B0 /* CoreFoundation.framework */; }; -/* End PBXBuildFile section */ - -/* Begin PBXContainerItemProxy section */ - 0CDF46A714DC79FF00FFE2FD /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 0CC9A7E5146DF66000C18F89 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 0CDF469F14DC794300FFE2FD; - remoteInfo = tlssocket; - }; - 0CE08A82148FF628000473EB /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 0CC9A7E5146DF66000C18F89 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 0CC9A7EF146DF66000C18F89; - remoteInfo = tlsnke; - }; -/* End PBXContainerItemProxy section */ - -/* Begin PBXCopyFilesBuildPhase section */ - 0CE08A71148FF2C6000473EB /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = /usr/share/man/man1/; - dstSubfolderSpec = 0; - files = ( - ); - runOnlyForDeploymentPostprocessing = 1; - }; -/* End PBXCopyFilesBuildPhase section */ - -/* Begin PBXFileReference section */ - 0C31453A1492D4B600427C0B /* tlsnke-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "tlsnke-Info.plist"; sourceTree = "<group>"; }; - 0C38E43C14BF707500DD862C /* tlsnke.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = tlsnke.h; sourceTree = "<group>"; }; - 0C6C642515D5A9C200BC68CD /* ssl-utils.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = 
"ssl-utils.c"; sourceTree = "<group>"; }; - 0C6C642615D5A9C200BC68CD /* ssl-utils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "ssl-utils.h"; sourceTree = "<group>"; }; - 0C7CF8D614E18A9F00DF9D95 /* dtls_client.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = dtls_client.c; sourceTree = "<group>"; }; - 0CA31A4214B7DFAB00BD348C /* tlssocket.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = tlssocket.c; path = tlsnketest/tlssocket.c; sourceTree = "<group>"; }; - 0CA31A4514B7DFBA00BD348C /* tlssocket.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = tlssocket.h; path = tlsnketest/tlssocket.h; sourceTree = "<group>"; }; - 0CBE354415C8C340006241C7 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; path = Security.framework; sourceTree = BUILT_PRODUCTS_DIR; }; - 0CBE354615C8C3A5006241C7 /* libsecurity_ssl_kext.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libsecurity_ssl_kext.a; sourceTree = BUILT_PRODUCTS_DIR; }; - 0CC9A7F0146DF66000C18F89 /* tlsnke.kext */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = tlsnke.kext; sourceTree = BUILT_PRODUCTS_DIR; }; - 0CC9A7F4146DF66000C18F89 /* Kernel.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Kernel.framework; path = System/Library/Frameworks/Kernel.framework; sourceTree = SDKROOT; }; - 0CC9A7F9146DF66000C18F89 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; }; - 0CC9A7FB146DF66000C18F89 /* tlsnke.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = tlsnke.c; sourceTree = "<group>"; }; - 0CC9A7FD146DF66000C18F89 /* tlsnke-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = 
sourcecode.c.h; path = "tlsnke-Prefix.pch"; sourceTree = "<group>"; }; - 0CDF468F14DC788000FFE2FD /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; }; - 0CDF46A014DC794300FFE2FD /* libtlssocket.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libtlssocket.a; sourceTree = BUILT_PRODUCTS_DIR; }; - 0CE08A73148FF2C6000473EB /* tlsnketest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = tlsnketest; sourceTree = BUILT_PRODUCTS_DIR; }; - 0CE08A76148FF2C7000473EB /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = "<group>"; }; - 0CEF57FF14C0E227000A93B0 /* st_test.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = st_test.c; sourceTree = "<group>"; }; - 0CEF580514C0E566000A93B0 /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = System/Library/Frameworks/CoreFoundation.framework; sourceTree = SDKROOT; }; -/* End PBXFileReference section */ - -/* Begin PBXFrameworksBuildPhase section */ - 0CC9A7EB146DF66000C18F89 /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 0C271D7515C8C80300560531 /* libsecurity_ssl_kext.a in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 0CDF469D14DC794300FFE2FD /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 0CE08A70148FF2C6000473EB /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 0CDF46A614DC79FA00FFE2FD /* libtlssocket.a in Frameworks */, - 0CBE354515C8C340006241C7 /* Security.framework in Frameworks */, - 
0CEF580614C0E566000A93B0 /* CoreFoundation.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXFrameworksBuildPhase section */ - -/* Begin PBXGroup section */ - 0C953FB814E4621800077526 /* Libraries */ = { - isa = PBXGroup; - children = ( - 0CBE354615C8C3A5006241C7 /* libsecurity_ssl_kext.a */, - ); - name = Libraries; - sourceTree = "<group>"; - }; - 0CC9A7E3146DF66000C18F89 = { - isa = PBXGroup; - children = ( - 0CDF468814DC784200FFE2FD /* tlssocket */, - 0CC9A7F5146DF66000C18F89 /* tlsnke */, - 0CE08A75148FF2C6000473EB /* tlsnketest */, - 0CC9A7F2146DF66000C18F89 /* Frameworks */, - 0C953FB814E4621800077526 /* Libraries */, - 0CC9A7F1146DF66000C18F89 /* Products */, - ); - sourceTree = "<group>"; - }; - 0CC9A7F1146DF66000C18F89 /* Products */ = { - isa = PBXGroup; - children = ( - 0CC9A7F0146DF66000C18F89 /* tlsnke.kext */, - 0CE08A73148FF2C6000473EB /* tlsnketest */, - 0CDF46A014DC794300FFE2FD /* libtlssocket.a */, - ); - name = Products; - sourceTree = "<group>"; - }; - 0CC9A7F2146DF66000C18F89 /* Frameworks */ = { - isa = PBXGroup; - children = ( - 0CBE354415C8C340006241C7 /* Security.framework */, - 0CEF580514C0E566000A93B0 /* CoreFoundation.framework */, - 0CDF468F14DC788000FFE2FD /* Foundation.framework */, - 0CC9A7F3146DF66000C18F89 /* Other Frameworks */, - ); - name = Frameworks; - sourceTree = "<group>"; - }; - 0CC9A7F3146DF66000C18F89 /* Other Frameworks */ = { - isa = PBXGroup; - children = ( - 0CC9A7F4146DF66000C18F89 /* Kernel.framework */, - ); - name = "Other Frameworks"; - sourceTree = "<group>"; - }; - 0CC9A7F5146DF66000C18F89 /* tlsnke */ = { - isa = PBXGroup; - children = ( - 0CC9A7FB146DF66000C18F89 /* tlsnke.c */, - 0C38E43C14BF707500DD862C /* tlsnke.h */, - 0CC9A7F6146DF66000C18F89 /* Supporting Files */, - ); - path = tlsnke; - sourceTree = "<group>"; - }; - 0CC9A7F6146DF66000C18F89 /* Supporting Files */ = { - isa = PBXGroup; - children = ( - 0C31453A1492D4B600427C0B /* tlsnke-Info.plist */, - 
0CC9A7F8146DF66000C18F89 /* InfoPlist.strings */, - 0CC9A7FD146DF66000C18F89 /* tlsnke-Prefix.pch */, - ); - name = "Supporting Files"; - sourceTree = "<group>"; - }; - 0CDF468814DC784200FFE2FD /* tlssocket */ = { - isa = PBXGroup; - children = ( - 0CA31A4214B7DFAB00BD348C /* tlssocket.c */, - 0CA31A4514B7DFBA00BD348C /* tlssocket.h */, - ); - name = tlssocket; - sourceTree = "<group>"; - }; - 0CE08A75148FF2C6000473EB /* tlsnketest */ = { - isa = PBXGroup; - children = ( - 0C6C642515D5A9C200BC68CD /* ssl-utils.c */, - 0C6C642615D5A9C200BC68CD /* ssl-utils.h */, - 0CE08A76148FF2C7000473EB /* main.c */, - 0CEF57FF14C0E227000A93B0 /* st_test.c */, - 0C7CF8D614E18A9F00DF9D95 /* dtls_client.c */, - ); - path = tlsnketest; - sourceTree = "<group>"; - }; -/* End PBXGroup section */ - -/* Begin PBXHeadersBuildPhase section */ - 0CC9A7EC146DF66000C18F89 /* Headers */ = { - isa = PBXHeadersBuildPhase; - buildActionMask = 2147483647; - files = ( - 0C38E43D14BF707500DD862C /* tlsnke.h in Headers */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 0CDF469E14DC794300FFE2FD /* Headers */ = { - isa = PBXHeadersBuildPhase; - buildActionMask = 2147483647; - files = ( - 0CDF46A514DC795400FFE2FD /* tlssocket.h in Headers */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXHeadersBuildPhase section */ - -/* Begin PBXNativeTarget section */ - 0CC9A7EF146DF66000C18F89 /* tlsnke */ = { - isa = PBXNativeTarget; - buildConfigurationList = 0CC9A800146DF66000C18F89 /* Build configuration list for PBXNativeTarget "tlsnke" */; - buildPhases = ( - 0CC9A7EA146DF66000C18F89 /* Sources */, - 0CC9A7EB146DF66000C18F89 /* Frameworks */, - 0CC9A7EC146DF66000C18F89 /* Headers */, - 0CC9A7ED146DF66000C18F89 /* Resources */, - 0CC9A7EE146DF66000C18F89 /* Rez */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = tlsnke; - productName = tlsnke; - productReference = 0CC9A7F0146DF66000C18F89 /* tlsnke.kext */; - productType = "com.apple.product-type.kernel-extension"; - }; - 
0CDF469F14DC794300FFE2FD /* tlssocket */ = { - isa = PBXNativeTarget; - buildConfigurationList = 0CDF46A114DC794300FFE2FD /* Build configuration list for PBXNativeTarget "tlssocket" */; - buildPhases = ( - 0CDF469C14DC794300FFE2FD /* Sources */, - 0CDF469D14DC794300FFE2FD /* Frameworks */, - 0CDF469E14DC794300FFE2FD /* Headers */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = tlssocket; - productName = tlssocket; - productReference = 0CDF46A014DC794300FFE2FD /* libtlssocket.a */; - productType = "com.apple.product-type.library.static"; - }; - 0CE08A72148FF2C6000473EB /* tlsnketest */ = { - isa = PBXNativeTarget; - buildConfigurationList = 0CE08A7C148FF2C7000473EB /* Build configuration list for PBXNativeTarget "tlsnketest" */; - buildPhases = ( - 0CE08A6F148FF2C6000473EB /* Sources */, - 0CE08A70148FF2C6000473EB /* Frameworks */, - 0CE08A71148FF2C6000473EB /* CopyFiles */, - ); - buildRules = ( - ); - dependencies = ( - 0CDF46A814DC79FF00FFE2FD /* PBXTargetDependency */, - ); - name = tlsnketest; - productName = tlsnketest; - productReference = 0CE08A73148FF2C6000473EB /* tlsnketest */; - productType = "com.apple.product-type.tool"; - }; -/* End PBXNativeTarget section */ - -/* Begin PBXProject section */ - 0CC9A7E5146DF66000C18F89 /* Project object */ = { - isa = PBXProject; - attributes = { - LastUpgradeCheck = 0430; - ORGANIZATIONNAME = "Apple, Inc."; - }; - buildConfigurationList = 0CC9A7E8146DF66000C18F89 /* Build configuration list for PBXProject "tlsnke" */; - compatibilityVersion = "Xcode 3.2"; - developmentRegion = English; - hasScannedForEncodings = 0; - knownRegions = ( - en, - ); - mainGroup = 0CC9A7E3146DF66000C18F89; - productRefGroup = 0CC9A7F1146DF66000C18F89 /* Products */; - projectDirPath = ""; - projectRoot = ""; - targets = ( - 0CE08A7E148FF61C000473EB /* host-loadkext */, - 0CC9A7EF146DF66000C18F89 /* tlsnke */, - 0CE08A72148FF2C6000473EB /* tlsnketest */, - 0CDF469F14DC794300FFE2FD /* tlssocket */, - ); - }; -/* End PBXProject 
section */ - -/* Begin PBXResourcesBuildPhase section */ - 0CC9A7ED146DF66000C18F89 /* Resources */ = { - isa = PBXResourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 0CC9A7FA146DF66000C18F89 /* InfoPlist.strings in Resources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXResourcesBuildPhase section */ - -/* Begin PBXRezBuildPhase section */ - 0CC9A7EE146DF66000C18F89 /* Rez */ = { - isa = PBXRezBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXRezBuildPhase section */ - -/* Begin PBXShellScriptBuildPhase section */ - 0CE08A89148FF86C000473EB /* ShellScript */ = { - isa = PBXShellScriptBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - inputPaths = ( - ); - outputPaths = ( - ); - runOnlyForDeploymentPostprocessing = 0; - shellPath = /bin/sh; - shellScript = "sudo /var/root/loadkext.sh ${BUILT_PRODUCTS_DIR}/tlsnke.kext\n"; - }; -/* End PBXShellScriptBuildPhase section */ - -/* Begin PBXSourcesBuildPhase section */ - 0CC9A7EA146DF66000C18F89 /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 0CC9A7FC146DF66000C18F89 /* tlsnke.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 0CDF469C14DC794300FFE2FD /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 0CDF46A414DC794F00FFE2FD /* tlssocket.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - 0CE08A6F148FF2C6000473EB /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 0CE08A77148FF2C7000473EB /* main.c in Sources */, - 0CEF580014C0E227000A93B0 /* st_test.c in Sources */, - 0C7CF8D714E18A9F00DF9D95 /* dtls_client.c in Sources */, - 0C6C642715D5A9C200BC68CD /* ssl-utils.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; -/* End PBXSourcesBuildPhase section */ - -/* Begin PBXTargetDependency section */ - 0CDF46A814DC79FF00FFE2FD 
/* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 0CDF469F14DC794300FFE2FD /* tlssocket */; - targetProxy = 0CDF46A714DC79FF00FFE2FD /* PBXContainerItemProxy */; - }; - 0CE08A83148FF628000473EB /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 0CC9A7EF146DF66000C18F89 /* tlsnke */; - targetProxy = 0CE08A82148FF628000473EB /* PBXContainerItemProxy */; - }; -/* End PBXTargetDependency section */ - -/* Begin PBXVariantGroup section */ - 0CC9A7F8146DF66000C18F89 /* InfoPlist.strings */ = { - isa = PBXVariantGroup; - children = ( - 0CC9A7F9146DF66000C18F89 /* en */, - ); - name = InfoPlist.strings; - sourceTree = "<group>"; - }; -/* End PBXVariantGroup section */ - -/* Begin XCBuildConfiguration section */ - 0CC9A7FE146DF66000C18F89 /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; - CLANG_STATIC_ANALYZER_MODE = deep; - COPY_PHASE_STRIP = NO; - GCC_C_LANGUAGE_STANDARD = gnu99; - GCC_DYNAMIC_NO_PIC = NO; - GCC_ENABLE_OBJC_EXCEPTIONS = YES; - GCC_OPTIMIZATION_LEVEL = 0; - GCC_PREPROCESSOR_DEFINITIONS = ( - "DEBUG=1", - "$(inherited)", - ); - GCC_SYMBOLS_PRIVATE_EXTERN = NO; - GCC_TREAT_WARNINGS_AS_ERRORS = YES; - GCC_VERSION = com.apple.compilers.llvm.clang.1_0; - GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES; - GCC_WARN_UNUSED_VARIABLE = YES; - RUN_CLANG_STATIC_ANALYZER = YES; - SUPPORTED_PLATFORMS = "iphoneos macosx"; - }; - name = Debug; - }; - 0CC9A7FF146DF66000C18F89 /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; - CLANG_STATIC_ANALYZER_MODE = deep; - COPY_PHASE_STRIP = YES; - DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; - GCC_C_LANGUAGE_STANDARD = gnu99; - GCC_ENABLE_OBJC_EXCEPTIONS = YES; - GCC_TREAT_WARNINGS_AS_ERRORS = YES; - GCC_VERSION = 
com.apple.compilers.llvm.clang.1_0; - GCC_WARN_64_TO_32_BIT_CONVERSION = YES; - GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES; - GCC_WARN_UNUSED_VARIABLE = YES; - RUN_CLANG_STATIC_ANALYZER = YES; - SUPPORTED_PLATFORMS = "iphoneos macosx"; - }; - name = Release; - }; - 0CC9A801146DF66000C18F89 /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - GCC_PRECOMPILE_PREFIX_HEADER = YES; - GCC_PREFIX_HEADER = "tlsnke/tlsnke-Prefix.pch"; - HEADER_SEARCH_PATHS = ( - "$(PROJECT_DIR)/../libsecurity_ssl/lib", - /usr/local/include, - ); - INFOPLIST_FILE = "tlsnke/tlsnke-Info.plist"; - INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Extensions"; - MODULE_NAME = com.apple.nke.tls; - MODULE_START = tlsnke_start; - MODULE_STOP = tlsnke_stop; - MODULE_VERSION = 1.0; - PRODUCT_NAME = "$(TARGET_NAME)"; - WRAPPER_EXTENSION = kext; - }; - name = Debug; - }; - 0CC9A802146DF66000C18F89 /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - GCC_PRECOMPILE_PREFIX_HEADER = YES; - GCC_PREFIX_HEADER = "tlsnke/tlsnke-Prefix.pch"; - HEADER_SEARCH_PATHS = ( - "$(PROJECT_DIR)/../libsecurity_ssl/lib", - /usr/local/include, - ); - INFOPLIST_FILE = "tlsnke/tlsnke-Info.plist"; - INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Extensions"; - MODULE_NAME = com.apple.nke.tls; - MODULE_START = tlsnke_start; - MODULE_STOP = tlsnke_stop; - MODULE_VERSION = 1.0; - PRODUCT_NAME = "$(TARGET_NAME)"; - WRAPPER_EXTENSION = kext; - }; - name = Release; - }; - 0CDF46A214DC794300FFE2FD /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - EXECUTABLE_PREFIX = lib; - HEADER_SEARCH_PATHS = ( - "$(inherited)", - ../libsecurity_ssl, - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Debug; - }; - 0CDF46A314DC794300FFE2FD /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - EXECUTABLE_PREFIX = lib; - HEADER_SEARCH_PATHS = ( - "$(inherited)", - ../libsecurity_ssl, - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Release; - }; - 
0CE08A7A148FF2C7000473EB /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - FRAMEWORK_SEARCH_PATHS = "$(inherited)"; - HEADER_SEARCH_PATHS = "$(BUILT_PRODUCTS_DIR)/usr/local/include"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "$(BUILT_PRODUCTS_DIR)", - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Debug; - }; - 0CE08A7B148FF2C7000473EB /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - FRAMEWORK_SEARCH_PATHS = "$(inherited)"; - HEADER_SEARCH_PATHS = "$(BUILT_PRODUCTS_DIR)/usr/local/include"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "$(BUILT_PRODUCTS_DIR)", - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Release; - }; - 0CE08A80148FF61C000473EB /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Debug; - }; - 0CE08A81148FF61C000473EB /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - PRODUCT_NAME = "$(TARGET_NAME)"; - }; - name = Release; - }; -/* End XCBuildConfiguration section */ - -/* Begin XCConfigurationList section */ - 0CC9A7E8146DF66000C18F89 /* Build configuration list for PBXProject "tlsnke" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 0CC9A7FE146DF66000C18F89 /* Debug */, - 0CC9A7FF146DF66000C18F89 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; - 0CC9A800146DF66000C18F89 /* Build configuration list for PBXNativeTarget "tlsnke" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 0CC9A801146DF66000C18F89 /* Debug */, - 0CC9A802146DF66000C18F89 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; - 0CDF46A114DC794300FFE2FD /* Build configuration list for PBXNativeTarget "tlssocket" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 0CDF46A214DC794300FFE2FD /* Debug */, - 0CDF46A314DC794300FFE2FD /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName 
= Release; - }; - 0CE08A7C148FF2C7000473EB /* Build configuration list for PBXNativeTarget "tlsnketest" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 0CE08A7A148FF2C7000473EB /* Debug */, - 0CE08A7B148FF2C7000473EB /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; - 0CE08A7F148FF61C000473EB /* Build configuration list for PBXAggregateTarget "host-loadkext" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 0CE08A80148FF61C000473EB /* Debug */, - 0CE08A81148FF61C000473EB /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; -/* End XCConfigurationList section */ - }; - rootObject = 0CC9A7E5146DF66000C18F89 /* Project object */; -} diff --git a/OSX/tlsnke/tlsnke.xcodeproj/project.xcworkspace/contents.xcworkspacedata b/OSX/tlsnke/tlsnke.xcodeproj/project.xcworkspace/contents.xcworkspacedata deleted file mode 100644 index 4efa47d6..00000000 --- a/OSX/tlsnke/tlsnke.xcodeproj/project.xcworkspace/contents.xcworkspacedata +++ /dev/null @@ -1,7 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<Workspace - version = "1.0"> - <FileRef - location = "self:tlsnke.xcodeproj"> - </FileRef> -</Workspace> diff --git a/OSX/tlsnke/tlsnke/tlsnke.h b/OSX/tlsnke/tlsnke/tlsnke.h deleted file mode 100644 index 3256dc43..00000000 --- a/OSX/tlsnke/tlsnke/tlsnke.h +++ /dev/null 
@@ -1,104 +0,0 @@
-/*
- * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-#ifndef __TLSNKE_H__
-#define __TLSNKE_H__
-
-/* Those should be defined in kernel headers eg <sys/scoket.h> */
-
-
-#define TLS_HANDLE_IP4 0xBABABABA /* Temp hack to identify this filter */
-#define TLS_HANDLE_IP6 0xABABABAB /* Temp hack to identify this filter */
-
-
-/*
-SO_TLS_HANDLE:
-Get the DTLS handle used to enable utun to dtls bypass. (getsockopt only)
-option_value type: int
-*/
-#define SO_TLS_HANDLE 0x20000
-
-/*
-SO_TLS_INIT_CIPHER:
-Initialize the new cipher key material. (setsockopt only)
-option_value type:
-struct {
- uint16_t cipherspec;
- bool server;
- int keylen;
- char key[keylen];
-}
-*/
-#define SO_TLS_INIT_CIPHER 0x20001
-
-/*
-SO_TLS_PROTOCOL_VERSION:
-Set the protocol version. (setsockopt only)
-option_value type: int
-*/
-#define SO_TLS_PROTOCOL_VERSION 0x20002
-
-/*
-SO_TLS_ADVANCE_READ_CIPHER:
-Update the read cipher to use the new key. (setsockopt only)
-No option value.
-*/
-#define SO_TLS_ADVANCE_READ_CIPHER 0x20003
-
-/*
-SO_TLS_ADVANCE_WRITE_CIPHER:
-Update the write cipher to use the new key. (setsockopt only)
-No option value.
-*/
-#define SO_TLS_ADVANCE_WRITE_CIPHER 0x20004
-
-/*
-SO_TLS_ROLLBACK_WRITE_CIPHER:
-Rollback the write cipher to the previous key. (setsockopt only)
-No option value.
-*/
-#define SO_TLS_ROLLBACK_WRITE_CIPHER 0x20005
-
-/*
- SO_TLS_SERVICE_WRITE_QUEUE:
- Service the record write queue
- No option value.
- */
-#define SO_TLS_SERVICE_WRITE_QUEUE 0x20006
-
-
-/*
-SCM_TLS_HEADER:
- Type of anciallary data for DTLS record header
-*/
-
-#define SCM_TLS_HEADER 0x12345
-
-typedef struct tls_record_hdr{
- uint8_t content_type;
- uint16_t protocol_version;
-} *tls_record_hdr_t;
-
-
-#endif /* __TLSNKE_H__ */
diff --git a/OSX/tlsnke/tlsnketest/cert-1.h b/OSX/tlsnke/tlsnketest/cert-1.h
deleted file mode 100644
index 54bf58fe..00000000
--- a/OSX/tlsnke/tlsnketest/cert-1.h
+++ /dev/null
@@ -1,66 +0,0 @@ -unsigned char cert_1_der[] = { - 0x30, 0x82, 0x02, 0xef, 0x30, 0x82, 0x02, 0x58, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x09, 0x00, 0x9f, 0xeb, 0x16, 0x7c, 0xc1, 0x64, 0xe6, 0x84, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, - 0x05, 0x05, 0x00, 0x30, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, - 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x13, 0x18, 0x43, 0x6f, 0x72, 0x65, 0x4f, 0x53, 0x20, 0x50, 0x6c, 0x61, - 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, - 0x74, 0x79, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, - 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x1e, - 0x17, 0x0d, 0x31, 0x32, 0x30, 0x38, 0x31, 0x30, 0x31, 0x38, 0x30, 0x30, - 0x31, 0x36, 0x5a, 0x17, 0x0d, 0x32, 0x32, 0x30, 0x38, 0x30, 0x38, 0x31, - 0x38, 0x30, 0x30, 0x31, 0x36, 0x5a, 0x30, 0x59, 0x31, 0x0b, 0x30, 0x09, - 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, - 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, - 0x55, 0x04, 0x0b, 0x13, 0x18, 0x43, 0x6f, 0x72, 0x65, 0x4f, 0x53, 0x20, - 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x20, 0x53, 0x65, 0x63, - 0x75, 0x72, 0x69, 0x74, 0x79, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, - 0x74, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, - 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xbb, 0x2c, 0xef, 0x95, 0x09, 0x80, - 0xff, 0xca, 0xb1, 0xd3, 0xd1, 0x15, 0xb6, 0x01, 0x15, 0xc1, 0x7c, 0x39, - 0x81, 0xf6, 0x31, 0x13, 0xf2, 0x46, 0x75, 0xe6, 0xc6, 0xae, 0x2e, 0x68, - 0x3a, 0xb8, 0x48, 0x70, 
0x47, 0xf9, 0x44, 0x5d, 0x6a, 0x0e, 0x37, 0x2f, - 0x71, 0x1e, 0x54, 0x6c, 0x33, 0x21, 0xe2, 0x2f, 0x0c, 0xd4, 0xfa, 0x88, - 0x72, 0xad, 0x2b, 0x27, 0x02, 0x7c, 0x48, 0x10, 0x28, 0x18, 0x24, 0x4b, - 0xf0, 0x87, 0x15, 0xf8, 0xac, 0xb6, 0x69, 0x1c, 0x1c, 0x25, 0xd6, 0xaf, - 0xb3, 0xc8, 0x60, 0x1a, 0xa4, 0x8a, 0x20, 0xa9, 0x9b, 0x7d, 0x5a, 0xcd, - 0xea, 0x97, 0x20, 0x45, 0x1a, 0x3b, 0xda, 0xbc, 0x15, 0x30, 0x84, 0x17, - 0x08, 0xda, 0x50, 0xc0, 0x93, 0xa6, 0xd3, 0x28, 0x06, 0xc5, 0x6a, 0xc3, - 0x9c, 0x48, 0x53, 0x38, 0x96, 0x8e, 0x33, 0x2f, 0xf9, 0x42, 0xac, 0xf0, - 0xb1, 0x7f, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xbe, 0x30, 0x81, - 0xbb, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, - 0x73, 0x7a, 0xcc, 0xf7, 0x1c, 0xf4, 0xc2, 0xa3, 0x95, 0xac, 0x64, 0x48, - 0xbd, 0x5f, 0x1d, 0x09, 0xa6, 0x8c, 0x91, 0x08, 0x30, 0x81, 0x8b, 0x06, - 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0x83, 0x30, 0x81, 0x80, 0x80, 0x14, - 0x73, 0x7a, 0xcc, 0xf7, 0x1c, 0xf4, 0xc2, 0xa3, 0x95, 0xac, 0x64, 0x48, - 0xbd, 0x5f, 0x1d, 0x09, 0xa6, 0x8c, 0x91, 0x08, 0xa1, 0x5d, 0xa4, 0x5b, - 0x30, 0x59, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, - 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x18, 0x43, - 0x6f, 0x72, 0x65, 0x4f, 0x53, 0x20, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, - 0x72, 0x6d, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x09, 0x6c, 0x6f, - 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x82, 0x09, 0x00, 0x9f, 0xeb, - 0x16, 0x7c, 0xc1, 0x64, 0xe6, 0x84, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, - 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, - 0x81, 0x81, 0x00, 0x4e, 0x9f, 0x0c, 0x99, 0x1b, 0x39, 0xf9, 0xf6, 0xd0, - 0x3a, 0x16, 0x9b, 0xd9, 
0xd1, 0x62, 0xb9, 0x71, 0xb2, 0xf7, 0x9a, 0x61, - 0x60, 0x5a, 0x0f, 0x16, 0x07, 0xd9, 0x0e, 0x4d, 0xa3, 0x86, 0x7b, 0x18, - 0xe2, 0xce, 0xa2, 0xbb, 0x44, 0x59, 0x57, 0xe0, 0x32, 0xeb, 0x75, 0x09, - 0x15, 0xe1, 0xc5, 0x8c, 0x25, 0xfc, 0x04, 0x95, 0xa0, 0x2e, 0x75, 0xab, - 0x54, 0x8b, 0x86, 0xf2, 0x43, 0x17, 0x79, 0x2f, 0xe8, 0x7f, 0x7c, 0x17, - 0xaf, 0xf6, 0x91, 0xf7, 0xb0, 0x27, 0x53, 0x61, 0xf9, 0xd9, 0xb7, 0x22, - 0x71, 0x78, 0x00, 0xfc, 0x8e, 0xc9, 0xd3, 0xb9, 0x5b, 0x09, 0x23, 0xa7, - 0x92, 0xc5, 0xdc, 0x44, 0xcf, 0x4a, 0x6c, 0x0a, 0xf8, 0xda, 0x5c, 0x7d, - 0x14, 0x36, 0x48, 0xc1, 0x76, 0xde, 0x6e, 0xde, 0xb6, 0xa0, 0xc6, 0x3a, - 0x58, 0xd0, 0xc6, 0xfd, 0xe2, 0x32, 0xce, 0x49, 0x15, 0xcb, 0x71 -}; -unsigned int cert_1_der_len = 755; diff --git a/OSX/tlsnke/tlsnketest/dtls_client.c b/OSX/tlsnke/tlsnketest/dtls_client.c deleted file mode 100644 index a889243a..00000000 --- a/OSX/tlsnke/tlsnketest/dtls_client.c +++ /dev/null 
@@ -1,276 +0,0 @@
-/*
- * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-/*
- * dtlsEchoClient.c
- * Security
- *
- * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
- *
- */
-
-#include <Security/Security.h>
-
-#include "ssl-utils.h"
-
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <stdio.h>
-#include <errno.h>
-#include <unistd.h> /* close() */
-#include <string.h> /* memset() */
-#include <fcntl.h>
-#include <time.h>
-
-#include "tlssocket.h"
-
-#define SERVER "10.0.2.1"
-#define PORT 23232
-#define BUFLEN 128
-#define COUNT 10
-
-#if 0
-static void dumppacket(const unsigned char *data, unsigned long len)
-{
- unsigned long i;
- for(i=0;i<len;i++)
- {
- if((i&0xf)==0) printf("%04lx :",i);
- printf(" %02x", data[i]);
- if((i&0xf)==0xf) printf("\n");
- }
- printf("\n");
-}
-#endif
-
-
-/* print a '.' every few seconds to keep UI alive while connecting */
-static time_t lastTime = (time_t)0;
-#define TIME_INTERVAL 3
-
-static void sslOutputDot()
-{
- time_t thisTime = time(0);
-
- if((thisTime - lastTime) >= TIME_INTERVAL) {
- printf("."); fflush(stdout);
- lastTime = thisTime;
- }
-}
-
-static void printSslErrStr(
- const char *op,
- OSStatus err)
-{
- printf("*** %s: %ld\n", op, (long)err);
-}
-
-/* 2K should be enough for everybody */
-#define MTU 2048
-
-
-int dtls_client(const char *hostname, int bypass);
-
-int dtls_client(const char *hostname, int bypass)
-{
- int fd;
- int tlsfd;
- struct sockaddr_in sa;
-
- printf("Running dtls_client test with hostname=%s, bypass=%d\n", hostname, bypass);
-
- if ((fd=socket(AF_INET, SOCK_DGRAM, 0))==-1) {
- perror("socket");
- exit(-1);
- }
-
- memset((char *) &sa, 0, sizeof(sa));
- sa.sin_family = AF_INET;
- sa.sin_port = htons(PORT);
- if (inet_aton(hostname, &sa.sin_addr)==0) {
- fprintf(stderr, "inet_aton() failed\n");
- exit(1);
- }
-
- if(connect(fd, (struct sockaddr *)&sa, sizeof(sa))==-1)
- {
- perror("connect");
- return errno;
- }
-
- /* Change to non blocking io */
- fcntl(fd, F_SETFL, O_NONBLOCK);
-
- SSLRecordContextRef c=(intptr_t)fd;
-
-
- OSStatus ortn;
- SSLContextRef ctx = NULL;
-
- SSLClientCertificateState certState;
- SSLCipherSuite negCipher;
- SSLProtocol negVersion;
-
- /*
- * Set up a SecureTransport session.
- */
-
- ctx = SSLCreateContextWithRecordFuncs(kCFAllocatorDefault, kSSLClientSide, kSSLDatagramType, &TLSSocket_Funcs);
- if(!ctx) {
- printSslErrStr("SSLCreateContextWithRecordFuncs", -1);
- return -1;
- }
-
- printf("Attaching filter\n");
- ortn = TLSSocket_Attach(fd);
- if(ortn) {
- printSslErrStr("TLSSocket_Attach", ortn);
- return ortn;
- }
-
- if(bypass) {
- tlsfd = open("/dev/tlsnke", O_RDWR);
- if(tlsfd<0) {
- perror("opening tlsnke dev");
- exit(-1);
- }
- }
-
- ortn = SSLSetRecordContext(ctx, c);
- if(ortn) {
- printSslErrStr("SSLSetRecordContext", ortn);
- return ortn;
- }
-
- ortn = SSLSetMaxDatagramRecordSize(ctx, 600);
- if(ortn) {
- printSslErrStr("SSLSetMaxDatagramRecordSize", ortn);
- return ortn;
- }
-
- /* Lets not verify the cert, which is a random test cert */
- ortn = SSLSetEnableCertVerify(ctx, false);
- if(ortn) {
- printSslErrStr("SSLSetEnableCertVerify", ortn);
- return ortn;
- }
-
- ortn = SSLSetCertificate(ctx, server_chain());
- if(ortn) {
- printSslErrStr("SSLSetCertificate", ortn);
- return ortn;
- }
-
- printf("Handshake...\n");
-
- do {
- ortn = SSLHandshake(ctx);
- if(ortn == errSSLWouldBlock) {
- /* keep UI responsive */
- sslOutputDot();
- }
- } while (ortn == errSSLWouldBlock);
-
-
- SSLGetClientCertificateState(ctx, &certState);
- SSLGetNegotiatedCipher(ctx, &negCipher);
- SSLGetNegotiatedProtocolVersion(ctx, &negVersion);
-
- int count;
- size_t len;
- ssize_t sreadLen, swriteLen;
- size_t readLen, writeLen;
-
- char buffer[BUFLEN];
-
- count = 0;
- while(count<COUNT) {
- int timeout = 10000;
-
- snprintf(buffer, BUFLEN, "Message %d", count);
- len = strlen(buffer);
-
- if(bypass) {
- /* Send data through the side channel, kind of like utun would */
- swriteLen=write(tlsfd, buffer, len);
- if(swriteLen<0) {
- perror("write to tlsfd");
- break;
- }
- writeLen=swriteLen;
- } else {
- ortn=SSLWrite(ctx, buffer, len, &writeLen);
- if(ortn) {
- printSslErrStr("SSLWrite", ortn);
- break;
- }
- }
-
- printf("Wrote %lu bytes\n", writeLen);
-
- count++;
-
- if(bypass) {
- do {
- sreadLen=read(tlsfd, buffer, BUFLEN);
- } while((sreadLen==-1) && (errno==EAGAIN) && (timeout--));
- if((sreadLen==-1) && (errno==EAGAIN)) {
- printf("Read timeout...\n");
- continue;
- }
- if(sreadLen<0) {
- perror("read from tlsfd");
- break;
- }
- readLen=sreadLen;
- }
- else {
- do {
- ortn=SSLRead(ctx, buffer, BUFLEN, &readLen);
- } while((ortn==errSSLWouldBlock) && (timeout--));
- if(ortn==errSSLWouldBlock) {
- printf("SSLRead timeout...\n");
- continue;
- }
- if(ortn) {
- printSslErrStr("SSLRead", ortn);
- break;
- }
- }
-
- buffer[readLen]=0;
- printf("Received %lu bytes: %s\n", readLen, buffer);
-
- }
-
- SSLClose(ctx);
-
- SSLDisposeContext(ctx);
-
- return ortn;
-}
-
diff --git a/OSX/tlsnke/tlsnketest/identity-1.h b/OSX/tlsnke/tlsnketest/identity-1.h
deleted file mode 100644
index 21d55d6d..00000000
--- a/OSX/tlsnke/tlsnketest/identity-1.h
+++ /dev/null
@@ -1,151 +0,0 @@ -unsigned char identity_1_p12[] = { - 0x30, 0x82, 0x06, 0xe9, 0x02, 0x01, 0x03, 0x30, 0x82, 0x06, 0xaf, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, - 0x06, 0xa0, 0x04, 0x82, 0x06, 0x9c, 0x30, 0x82, 0x06, 0x98, 0x30, 0x82, - 0x03, 0x97, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, - 0x06, 0xa0, 0x82, 0x03, 0x88, 0x30, 0x82, 0x03, 0x84, 0x02, 0x01, 0x00, - 0x30, 0x82, 0x03, 0x7d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x0c, 0x01, 0x06, 0x30, 0x0e, 0x04, 0x08, 0xa1, 0x57, 0x35, - 0x2d, 0xf3, 0x28, 0xdb, 0xf8, 0x02, 0x02, 0x08, 0x00, 0x80, 0x82, 0x03, - 0x50, 0xf7, 0xae, 0x62, 0x01, 0x60, 0x8f, 0xa2, 0xda, 0x59, 0xf6, 0x8a, - 0xc3, 0x46, 0xe7, 0x61, 0x69, 0x10, 0x7a, 0x4f, 0xab, 0x70, 0xf0, 0x73, - 0xa9, 0x87, 0xba, 0x55, 0xdf, 0x47, 0x0c, 0xc4, 0xdd, 0x2e, 0x4c, 0x86, - 0xb1, 0x06, 0x65, 0xad, 0xee, 0x2f, 0x7e, 0x8c, 0x5f, 0xbe, 0x7e, 0x46, - 0x81, 0xa7, 0xe7, 0xa6, 0xca, 0x62, 0x65, 0xcb, 0x05, 0xe3, 0x67, 0x80, - 0x3f, 0x3d, 0x7d, 0xf5, 0xbd, 0xb6, 0x6e, 0x3a, 0xb5, 0xc1, 0xa2, 0x99, - 0x16, 0x0b, 0x21, 0x05, 0xf5, 0xc9, 0xde, 0x58, 0x77, 0xe4, 0x96, 0x75, - 0x37, 0x85, 0x32, 0x2b, 0xed, 0x71, 0x99, 0xf3, 0xbe, 0xa4, 0x6c, 0x53, - 0xe5, 0xe2, 0xea, 0x70, 0xaa, 0x63, 0x38, 0xa7, 0x5d, 0x4d, 0x8a, 0x39, - 0xe7, 0xf4, 0xf5, 0xac, 0x43, 0xb1, 0x1f, 0x2b, 0xf6, 0x46, 0xee, 0xb1, - 0x16, 0x27, 0x0d, 0x59, 0x6b, 0xc5, 0xff, 0xae, 0xb6, 0xfa, 0x76, 0x2b, - 0x5c, 0x62, 0x9d, 0x19, 0x1c, 0xef, 0x6b, 0x1a, 0x69, 0x98, 0x43, 0x60, - 0x03, 0x1f, 0x2a, 0x56, 0xe9, 0x26, 0x19, 0x4a, 0xe4, 0x3e, 0xd0, 0x85, - 0xe4, 0x0d, 0x46, 0x2d, 0xaa, 0x2d, 0x61, 0x68, 0x8d, 0x00, 0xb8, 0xcd, - 0x8b, 0x9d, 0xdc, 0xa9, 0xa8, 0xe9, 0xf7, 0x93, 0xdf, 0xb3, 0x84, 0x47, - 0xe5, 0x12, 0xa4, 0xcd, 0x76, 0xd5, 0x28, 0xf4, 0xa9, 0xd5, 0x5e, 0x31, - 0x94, 0x30, 0x44, 0x58, 0xbb, 0xcc, 0x5a, 0xe8, 0xf6, 0xc0, 0x67, 0x8b, - 0xf5, 0x66, 0xe1, 
0xdb, 0x28, 0x79, 0xf1, 0xa8, 0x78, 0x5a, 0x34, 0x1f, - 0x3e, 0x2f, 0x57, 0x9d, 0xda, 0xa6, 0xbf, 0x38, 0xb6, 0x7e, 0xd4, 0x07, - 0x30, 0x03, 0x65, 0xf9, 0xa2, 0xc9, 0xa5, 0x93, 0x2f, 0xc2, 0xf1, 0xbb, - 0x1a, 0x2d, 0x39, 0xba, 0xa7, 0x47, 0xd3, 0x39, 0x70, 0xe1, 0x36, 0xf8, - 0xba, 0x62, 0x57, 0x99, 0xf3, 0x38, 0xec, 0x82, 0xe2, 0x46, 0xe2, 0x39, - 0x7e, 0x71, 0x08, 0x91, 0xbf, 0x8e, 0x5d, 0xf3, 0x31, 0x00, 0xf1, 0xff, - 0xbf, 0x9e, 0xd6, 0x3b, 0xe6, 0xaa, 0xa0, 0x2c, 0xec, 0x1d, 0x50, 0x2b, - 0xf3, 0xe0, 0xcd, 0xbd, 0x43, 0x94, 0xa9, 0x91, 0xff, 0x3c, 0x9f, 0xde, - 0x70, 0x30, 0xc9, 0xee, 0x3f, 0xde, 0x8d, 0x4f, 0x75, 0x89, 0x5b, 0x58, - 0x43, 0x33, 0x0c, 0x19, 0x85, 0x55, 0xc7, 0x22, 0x9f, 0xa7, 0xf3, 0x83, - 0x6a, 0x34, 0xca, 0x8e, 0xfc, 0xcb, 0xa0, 0x71, 0x78, 0x59, 0xf4, 0x0b, - 0x7f, 0xda, 0x2e, 0x21, 0x43, 0x0b, 0x11, 0xbb, 0xd5, 0x85, 0x09, 0xed, - 0x08, 0x6e, 0x1b, 0x02, 0xb0, 0x1e, 0xf8, 0x45, 0xa0, 0xc4, 0xbb, 0xd4, - 0xc4, 0x51, 0xb9, 0x16, 0x37, 0xd1, 0xfe, 0xf1, 0xa6, 0x41, 0x94, 0xbc, - 0xb0, 0xaa, 0xf3, 0x7b, 0x90, 0xa7, 0xa2, 0xac, 0xc1, 0x82, 0xe5, 0x7c, - 0x18, 0xcd, 0xd1, 0x83, 0x2b, 0xcd, 0x2d, 0x60, 0x5a, 0x48, 0x59, 0x2a, - 0x27, 0x32, 0x1e, 0x14, 0xe6, 0x5b, 0x44, 0x98, 0xe7, 0xa0, 0x14, 0x22, - 0x84, 0x52, 0xfa, 0x28, 0x1f, 0x54, 0xc5, 0xfc, 0x75, 0x12, 0x15, 0x9e, - 0x22, 0xae, 0x12, 0xae, 0x7a, 0x98, 0xc4, 0x99, 0xa7, 0x26, 0x4f, 0xd3, - 0x96, 0xd6, 0xbf, 0x98, 0x5f, 0x36, 0xf5, 0xd6, 0xee, 0xe8, 0x9a, 0x91, - 0x8f, 0x23, 0x95, 0xe0, 0xa3, 0x30, 0x38, 0xc9, 0x7c, 0x03, 0xb7, 0x51, - 0x96, 0x8d, 0x34, 0xbd, 0x4f, 0x10, 0x33, 0xdf, 0x48, 0xb3, 0x4e, 0x74, - 0x43, 0x01, 0x55, 0x40, 0x85, 0x1a, 0xde, 0xa7, 0x34, 0xf0, 0x5e, 0x02, - 0xa7, 0x1f, 0x24, 0x6c, 0x89, 0xf5, 0x3b, 0xe6, 0xdf, 0xae, 0xec, 0x06, - 0x60, 0xe2, 0xfd, 0x1a, 0xa8, 0x03, 0x6c, 0xd8, 0x12, 0xbf, 0x11, 0x50, - 0xd2, 0x6d, 0x64, 0xa0, 0xdc, 0x46, 0x4a, 0x26, 0x40, 0x80, 0x75, 0xec, - 0x60, 0xa7, 0xbc, 0x6e, 0x0b, 0xdb, 0x76, 0x71, 0x20, 0xc5, 0x82, 0xfd, - 0xe6, 0xd0, 0xc8, 
0x14, 0x75, 0xf8, 0x3d, 0xd6, 0xd7, 0xe8, 0x46, 0x7f, - 0x9d, 0x0a, 0xac, 0xa2, 0xfd, 0x32, 0xd9, 0xdc, 0x37, 0x00, 0x1d, 0xb0, - 0x8e, 0x0b, 0x31, 0xba, 0x97, 0x1e, 0x0b, 0x42, 0x92, 0xe0, 0xaf, 0xe9, - 0xe5, 0x06, 0xa4, 0xec, 0x3e, 0x97, 0x67, 0x7f, 0x0d, 0xef, 0xea, 0x53, - 0xc1, 0xd3, 0x79, 0x33, 0xb8, 0xbd, 0x1d, 0x39, 0x33, 0xa2, 0x3d, 0xb0, - 0x9d, 0xa2, 0x50, 0x85, 0xc9, 0x6e, 0x7e, 0x14, 0x88, 0x66, 0x5b, 0x10, - 0x85, 0x95, 0xb9, 0xd0, 0x8b, 0xcb, 0xc5, 0x81, 0x0b, 0x16, 0xef, 0x05, - 0x92, 0x99, 0x23, 0xc6, 0x78, 0xf0, 0x76, 0x30, 0x36, 0xda, 0x8e, 0x7d, - 0x22, 0xbf, 0x73, 0x25, 0xd4, 0xfc, 0xa4, 0x20, 0xd9, 0x2f, 0x69, 0xa1, - 0x1f, 0xca, 0xce, 0x28, 0xe8, 0xfd, 0xe0, 0x91, 0xfb, 0xe8, 0x76, 0x7f, - 0xe2, 0xda, 0xfc, 0x7f, 0xa1, 0xd2, 0xc5, 0xd4, 0xac, 0x38, 0x7a, 0x28, - 0x6b, 0xd7, 0x78, 0xed, 0xdf, 0xbf, 0xb5, 0xab, 0xa2, 0x2f, 0xa6, 0xdc, - 0xfb, 0x12, 0x9c, 0xab, 0x89, 0x14, 0x88, 0x7c, 0x75, 0x15, 0x2a, 0x75, - 0x83, 0x15, 0x89, 0x15, 0x28, 0x40, 0x48, 0xbf, 0x63, 0x81, 0xe2, 0x95, - 0x65, 0x4d, 0x90, 0xf9, 0xd6, 0xc0, 0x67, 0x5f, 0x0d, 0xb4, 0x0f, 0x5c, - 0xdb, 0xa9, 0x4f, 0x31, 0xe3, 0x71, 0x2d, 0x16, 0xfa, 0x81, 0x20, 0x45, - 0xbf, 0xbb, 0xe7, 0x60, 0x0e, 0x59, 0xce, 0x33, 0x22, 0x98, 0x09, 0x3f, - 0x7b, 0x7c, 0x80, 0x2f, 0xde, 0x5f, 0x6b, 0x51, 0x08, 0xae, 0xe4, 0x07, - 0xef, 0x42, 0x90, 0x6d, 0xa9, 0x31, 0x7d, 0xe3, 0xaa, 0x55, 0x51, 0x79, - 0x55, 0x83, 0xb0, 0x8d, 0x8e, 0xab, 0x5a, 0xe2, 0x18, 0xc5, 0x4e, 0x38, - 0x2c, 0x2c, 0x68, 0x85, 0x7e, 0x55, 0xba, 0x50, 0x17, 0x6a, 0xa0, 0xb8, - 0x7b, 0x84, 0xd1, 0xad, 0x37, 0xd0, 0x44, 0x92, 0x11, 0xfc, 0x69, 0x5c, - 0x42, 0x8b, 0xe3, 0x43, 0xba, 0x35, 0x5b, 0x8f, 0xf0, 0xfa, 0xd1, 0xbd, - 0x70, 0xf5, 0x4d, 0x75, 0x2f, 0x94, 0xc0, 0x77, 0xb3, 0xba, 0x95, 0x64, - 0x27, 0x03, 0x10, 0x83, 0xc8, 0x2b, 0x01, 0xdf, 0xb7, 0xd3, 0xad, 0x41, - 0x53, 0x14, 0x9f, 0xe8, 0x5d, 0x84, 0xb0, 0x27, 0x29, 0xb1, 0x99, 0xfe, - 0x8b, 0xeb, 0x9f, 0xb7, 0x1e, 0x0c, 0xd5, 0x55, 0xa8, 0x30, 0x82, 0x02, - 0xf9, 0x06, 0x09, 
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, - 0xa0, 0x82, 0x02, 0xea, 0x04, 0x82, 0x02, 0xe6, 0x30, 0x82, 0x02, 0xe2, - 0x30, 0x82, 0x02, 0xde, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x0c, 0x0a, 0x01, 0x02, 0xa0, 0x82, 0x02, 0xa6, 0x30, 0x82, 0x02, - 0xa2, 0x30, 0x1c, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x0c, 0x01, 0x03, 0x30, 0x0e, 0x04, 0x08, 0xd4, 0xf3, 0x35, 0x1a, 0xbd, - 0x5e, 0xcd, 0x9f, 0x02, 0x02, 0x08, 0x00, 0x04, 0x82, 0x02, 0x80, 0xe4, - 0x9c, 0x93, 0xc2, 0x8b, 0x15, 0xb0, 0xfd, 0x41, 0x40, 0x8f, 0xe2, 0x32, - 0xd6, 0x46, 0x3b, 0x89, 0x3d, 0xed, 0xfa, 0x3f, 0x31, 0xa6, 0xf0, 0x5f, - 0x42, 0x63, 0x57, 0xaf, 0x3c, 0xf0, 0x1f, 0x28, 0x2e, 0x8e, 0x0f, 0x6e, - 0x98, 0x9a, 0xf2, 0x2c, 0x9f, 0x05, 0x87, 0xf9, 0xd1, 0x32, 0xf3, 0x1d, - 0xc1, 0x6d, 0x24, 0xd2, 0x33, 0x67, 0x38, 0x1b, 0x5a, 0x9e, 0x92, 0x01, - 0xcb, 0x2b, 0x4b, 0x0e, 0x94, 0x63, 0xf7, 0xd9, 0x42, 0xc7, 0x08, 0xcc, - 0x2e, 0xe0, 0xee, 0x89, 0xe2, 0xaf, 0x56, 0xe3, 0x64, 0x22, 0xb0, 0xdf, - 0x7d, 0x5a, 0x71, 0xd5, 0x8e, 0xc2, 0xac, 0xc5, 0x70, 0x7f, 0x24, 0x2c, - 0x2f, 0x61, 0x1a, 0xa1, 0x55, 0xec, 0x53, 0x16, 0xd6, 0xb7, 0xfb, 0xfd, - 0x61, 0x89, 0xdc, 0x4c, 0xe3, 0x62, 0xe9, 0xc4, 0x41, 0x80, 0xe6, 0xf1, - 0x25, 0xd6, 0x16, 0xd9, 0xe9, 0x6a, 0x7c, 0x9c, 0xf4, 0xae, 0xa5, 0x26, - 0xbd, 0x4f, 0x8d, 0x2b, 0x14, 0x7e, 0xe0, 0xc0, 0x21, 0xe4, 0x94, 0x45, - 0x66, 0xd4, 0x4e, 0xcc, 0x7e, 0x92, 0xe3, 0xb6, 0xdd, 0x25, 0x0b, 0x61, - 0x27, 0x1f, 0x06, 0x51, 0x8d, 0x23, 0xf1, 0x13, 0xe7, 0xb6, 0x42, 0x96, - 0xc8, 0x6b, 0xb5, 0x5d, 0x8c, 0x7e, 0x5c, 0xbc, 0x6a, 0x6e, 0xc8, 0x7f, - 0xa0, 0x0f, 0x1b, 0xed, 0x4f, 0x14, 0xd5, 0xa1, 0xf6, 0xe8, 0xb9, 0x51, - 0xd4, 0x02, 0x3c, 0xdd, 0xff, 0xca, 0x72, 0x1c, 0x0b, 0xd3, 0x53, 0xa0, - 0x42, 0x55, 0x00, 0xfa, 0x2d, 0x17, 0x16, 0xd9, 0xe8, 0x2d, 0x2c, 0xad, - 0xf4, 0x54, 0x14, 0xda, 0x13, 0x1f, 0xb9, 0x16, 0x5e, 0x29, 0x8a, 0xa8, - 0xee, 0xfd, 0x87, 0xee, 0xa2, 0xe5, 0x6a, 0x86, 0x53, 0x35, 0xb5, 0xa2, - 0xa0, 0x2e, 0x27, 
0x9a, 0x16, 0xb8, 0xa8, 0x8c, 0x92, 0x28, 0xe6, 0x54, - 0xea, 0xf2, 0x82, 0x7b, 0x4b, 0x8a, 0xa7, 0x5c, 0x25, 0xb8, 0xa7, 0x6d, - 0x61, 0x02, 0x51, 0xd7, 0xe0, 0xb8, 0x28, 0x88, 0x21, 0xeb, 0x3c, 0x54, - 0x7a, 0x01, 0x13, 0x76, 0x26, 0x1b, 0x03, 0x2d, 0xec, 0x3d, 0xc3, 0xa9, - 0x78, 0xf4, 0xd3, 0x27, 0x81, 0x08, 0x5c, 0x70, 0x14, 0x8a, 0x1e, 0xe8, - 0x0d, 0x89, 0x78, 0x87, 0x97, 0xfe, 0xc1, 0x28, 0x8b, 0xa0, 0xcc, 0xed, - 0x63, 0xd5, 0x10, 0x01, 0x36, 0xdc, 0xb6, 0xf7, 0x2e, 0x34, 0x9b, 0x45, - 0x0a, 0x5c, 0x91, 0xb5, 0x3e, 0xb9, 0x47, 0xfe, 0x8f, 0xd6, 0xdb, 0x9c, - 0xb1, 0x4b, 0xd8, 0xeb, 0xf4, 0x21, 0x96, 0xf1, 0x6b, 0xe3, 0xad, 0xfd, - 0xa5, 0xce, 0x36, 0xef, 0xc5, 0xe2, 0x33, 0xa1, 0x58, 0x00, 0x4d, 0x9f, - 0xf7, 0x9e, 0x51, 0x9d, 0x5a, 0xe4, 0x62, 0x15, 0x5e, 0xf9, 0x0e, 0x29, - 0x9a, 0xf4, 0xdb, 0x10, 0x9a, 0x14, 0x91, 0x74, 0x3c, 0xa1, 0xa7, 0x0e, - 0x71, 0x2c, 0x36, 0x5c, 0x2f, 0x08, 0x09, 0x66, 0xb5, 0xb3, 0xec, 0x6b, - 0xe2, 0x58, 0xed, 0x39, 0x90, 0xc2, 0x54, 0xd2, 0xf3, 0x80, 0xe9, 0x4f, - 0xf2, 0xa0, 0xac, 0x2c, 0xb5, 0x6f, 0x9c, 0x1e, 0x36, 0x80, 0xe8, 0xe2, - 0x27, 0x29, 0x97, 0x9a, 0x4b, 0xa2, 0xac, 0xac, 0x55, 0x13, 0x6c, 0x86, - 0x1c, 0x94, 0xb7, 0x20, 0x0d, 0x9c, 0x82, 0x95, 0xcc, 0xb3, 0xbd, 0x84, - 0x5f, 0x92, 0xcd, 0xe2, 0x98, 0x5b, 0x8e, 0x3a, 0x63, 0x63, 0xe8, 0x40, - 0xcc, 0xfc, 0x91, 0x71, 0xfd, 0xf1, 0xce, 0x3d, 0xba, 0x62, 0x21, 0x57, - 0x46, 0x18, 0x8c, 0x7e, 0x60, 0xfb, 0xc4, 0xb8, 0x9e, 0xb0, 0xdd, 0x30, - 0x90, 0x0f, 0xdd, 0x41, 0x75, 0x68, 0xa4, 0x82, 0xa7, 0xdd, 0xc1, 0x16, - 0x2e, 0x17, 0x8f, 0x7a, 0xd9, 0xa9, 0xb3, 0xae, 0x1b, 0x0f, 0x99, 0xdc, - 0xe1, 0x86, 0x76, 0x0c, 0x19, 0xbf, 0x00, 0xc8, 0xda, 0x8c, 0xa0, 0x16, - 0x29, 0xaf, 0x62, 0x76, 0x7f, 0xe4, 0x8e, 0xd4, 0x10, 0xf2, 0x85, 0x37, - 0x72, 0x9e, 0xba, 0xd6, 0x45, 0xd9, 0x61, 0x9b, 0xa5, 0xf1, 0x78, 0xab, - 0x39, 0x67, 0x4d, 0xed, 0xfb, 0x25, 0x25, 0x2f, 0x57, 0xfe, 0xb0, 0xe8, - 0xd6, 0x88, 0x26, 0xff, 0xe3, 0xbd, 0x55, 0xc8, 0x0f, 0xe8, 0x16, 0x0a, - 0x7c, 0x25, 0xbd, 
0x7f, 0xe0, 0x67, 0xe2, 0x22, 0x06, 0xd8, 0xb2, 0xbb, - 0xd0, 0x83, 0x05, 0x4d, 0x00, 0x6e, 0xe8, 0x69, 0xd9, 0xc7, 0xec, 0x53, - 0xfe, 0xc8, 0x73, 0xe1, 0x8e, 0x56, 0xae, 0xe5, 0x75, 0x38, 0xa7, 0x4a, - 0x90, 0x5a, 0x2b, 0x93, 0xf3, 0x19, 0xf5, 0x90, 0x8a, 0x9a, 0xe3, 0x71, - 0x93, 0x42, 0xb8, 0xbe, 0x05, 0xb6, 0xbe, 0x25, 0x39, 0xd1, 0x57, 0x37, - 0x3f, 0x17, 0x9c, 0xa7, 0xf2, 0xf5, 0x9d, 0xed, 0x69, 0x4d, 0x87, 0x1e, - 0x3e, 0x09, 0xad, 0x31, 0x25, 0x30, 0x23, 0x06, 0x09, 0x2a, 0x86, 0x48, - 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x15, 0x31, 0x16, 0x04, 0x14, 0xe9, 0xac, - 0x89, 0x1c, 0xee, 0x1d, 0xf8, 0xdd, 0xcb, 0xbc, 0x16, 0x15, 0xbf, 0xa5, - 0x91, 0xdb, 0x2e, 0x6f, 0x42, 0x5b, 0x30, 0x31, 0x30, 0x21, 0x30, 0x09, - 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0x24, - 0xb2, 0x2c, 0x67, 0x3b, 0xe2, 0xee, 0xd9, 0x33, 0xeb, 0x6a, 0x79, 0xb3, - 0x5c, 0x80, 0x10, 0x8f, 0xff, 0x53, 0x83, 0x04, 0x08, 0x12, 0x28, 0x41, - 0x03, 0x3a, 0x0f, 0x13, 0xb9, 0x02, 0x02, 0x08, 0x00 -}; -unsigned int identity_1_p12_len = 1773; diff --git a/OSX/tlsnke/tlsnketest/main.c b/OSX/tlsnke/tlsnketest/main.c deleted file mode 100644 index 583de681..00000000 --- a/OSX/tlsnke/tlsnketest/main.c +++ /dev/null 
@@ -1,295 +0,0 @@
-/*
- * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <unistd.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <net/kext_net.h>
-#include <pthread.h>
-#include <netdb.h>
-#include <fcntl.h>
-
-#include <stdbool.h>
-
-#include <AssertMacros.h>
-#include "tlssocket.h"
-#include "tlsnke.h"
-
-
-static void print_data(const char *s, size_t l, const unsigned char *p)
-{
- printf("%s, %zu:",s, l);
- for(int i=0; i<l; i++)
- printf(" %02x", p[i]);
- printf("\n");
-}
-
-static void *server_thread_func(void *arg)
-{
- int sock;
- struct sockaddr_in server_addr;
- int err;
-
- if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
- perror("server socket");
- exit(1);
- }
-
- // Dont use TLSSocket_Attach for the server:
- // TLSSocket_Attach can only open one TLS socket at a time.
- {
- struct so_nke so_tlsnke;
-
- memset(&so_tlsnke, 0, sizeof(so_tlsnke));
- so_tlsnke.nke_handle = TLS_HANDLE_IP4;
- err=setsockopt(sock, SOL_SOCKET, SO_NKE, &so_tlsnke, sizeof(so_tlsnke));
- if(err<0) {
- perror("attach (server)");
- exit(err);
- }
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(23232);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
- if (bind(sock, (struct sockaddr *)&server_addr, sizeof(struct sockaddr))
- == -1) {
- perror("Unable to bind");
- exit(1);
- }
-
- printf("\nBound - Server Waiting for client on port 23232\n");
- fflush(stdout);
-
- while (1)
- {
- int rc;
- SSLRecord rec;
- rc=TLSSocket_Funcs.read((intptr_t)sock, &rec);
- if(!rc) {
- print_data("recvd", rec.contents.length, rec.contents.data);
- rec.contents.data[rec.contents.length-1]=0;
- printf("recvd: %ld, %s\n", rec.contents.length, rec.contents.data);
- free(rec.contents.data);
- } else {
- printf("read failed: %d\n", rc);
- }
- }
-
- close(sock);
- return NULL;
-}
-
-static int create_client_socket(const char *hostname)
-{
- int sock;
- int err;
-
-
- printf("Create client socket\n");
- sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
- if(sock<0) {
- perror("client socket");
- return sock;
- }
-
-
-#if 1
- err=TLSSocket_Attach(sock);
- if(err<0) {
- perror("TLSSocket_Attach (server)");
- exit(err);
- }
-#endif
-
-
- struct hostent *host;
- struct sockaddr_in server_addr;
-
- //host = gethostbyname("kruk.apple.com");
- //host = gethostbyname("localhost");
- host= gethostbyname(hostname);
- if(!host) {
- herror("host");
- return -1;
- }
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(23232);
- server_addr.sin_addr = *((struct in_addr *)host->h_addr);
- bzero(&(server_addr.sin_zero),8);
-
- err = connect(sock, (struct sockaddr *)&server_addr,
- sizeof(struct sockaddr));
- if(err)
- {
- perror("connect");
- return err;
- }
-
- return sock;
-}
-
-/* simple test */
-static int kext_test(const char 
*hostname, int bypass)
-{
- int sock, i;
- char send_data[1024];
- int tlsfd;
- pthread_t server_thread;
-
- if(strcmp(hostname, "localhost")==0) {
- pthread_create(&server_thread, NULL, server_thread_func, NULL);
- // Just wait for the server to be setup
- sleep(1);
- }
-
-
- sock = create_client_socket(hostname);
-
- if(bypass) {
- /* Have to open this after we attached the filter to the client socket */
- tlsfd=open("/dev/tlsnke", O_RDWR);
- if(tlsfd<0) {
- perror("open tlsnke");
- exit(1);
- }
- }
-
-
- for(i=0; i<20;i++) {
- int n;
- ssize_t err;
- n=sprintf(send_data, "Message #%d\n", i);
- if(n<0) {
- perror("sprintf");
- exit(1);
- }
-
- printf("Client(1) sending %d bytes (\"%s\")\n", n, send_data);
-
- if(bypass) {
- err = write(tlsfd, send_data, n);
- if(err<0) {
- perror("write to tlsnke");
- exit(1);
- }
- } else {
- SSLRecord rec;
-
- rec.contentType = SSL_RecordTypeAppData;
- rec.protocolVersion = DTLS_Version_1_0;
- rec.contents.data = (uint8_t *)send_data;
- rec.contents.length = n;
-
- err = TLSSocket_Funcs.write((intptr_t)sock, rec);
- if(err<0) {
- perror("write to socket");
- exit(1);
- }
-
- /* serviceWriteQueue every 2 writes, this will trigger rdar://11348395 */
- if(i&1) {
- int err;
- err = TLSSocket_Funcs.serviceWriteQueue((intptr_t)sock);
- if(err<0) {
- perror("service write queue");
- exit(1);
- }
- }
- }
-
- sleep(1);
- }
-
- return 0;
-}
-
-
-/* handshake test */
-int st_test();
-
-/* echo test */
-int dtls_client(const char *hostname, int bypass);
-
-static
-int usage(const char *argv0)
-{
- printf("Usage: %s <test> <hostname> <bypass>\n", argv0);
- printf(" <test>: type of test: 's'imple, 'h'andshake or 'e'cho] (see below)\n");
- printf(" <hostname>: hostname of server\n");
- printf(" <bypass>: use /dev/tlsnke bypass test\n");
-
- printf("\n 'S'imple test:\n"
- "\tVery basic test with no handshake. 
DTLS packets are sent through the socket filter, non encrypted.\n"
- "\tIf hostname is 'localhost', a local simple server will be created that will also use the tls filter,\n"
- "\tsuch that the input path is tested.\n"
- "\tOtherwise, a server on the other side is not required only the output path is tested. If there is no server replying\n"
- "\tonly the ouput path will be tested. If a server is replying, input packet will be processed but are never read to userspace\n"
- "\tif bypass=1, also send the same packet through the /dev/tlsnke interface, as if they were coming from utun\n");
-
- printf("\n 'H'andshake:\n");
- printf("\tTest SSL Handshake with various ciphers, between a local client going through the tlsnke\n"
- "\tfilter, and a local server using only the userland SecureTransport.\n"
- "\thostname and bypass are ignored.\n");
-
- printf("\n 'E'cho:\n");
- printf("\tTest to connect to an udp echo server indicated by hostname, on port 23232.\n"
- "\tSet bypass=1 to use the /dev/tlsnke bsd device to send/recv the app data (emulate utun behaviour)\n");
-
- printf("\n\tbypass=1 require the tlsnke kext to be compiled with TLS_TEST=1 (not the default in the build)\n");
-
- return -1;
-}
-
-int main (int argc, const char * argv[])
-{
-
- printf("argv0=%s argc=%d\n", argv[0], argc);
- if(argc<2)
- return usage(argv[0]);
-
- switch (argv[1][0]) {
- case 's':
- case 'S':
- if(argc<3) return usage(argv[0]);
- return kext_test(argv[2], atoi(argv[3])?1:0);
- case 'h':
- case 'H':
- return st_test();
- case 'e':
- case 'E':
- if(argc<3) return usage(argv[0]);
- return dtls_client(argv[2], atoi(argv[3])?1:0);
- default:
- return usage(argv[0]);
- }
-}
-
diff --git a/OSX/tlsnke/tlsnketest/privkey-1.h b/OSX/tlsnke/tlsnketest/privkey-1.h
deleted file mode 100644
index f39a5a50..00000000
--- a/OSX/tlsnke/tlsnketest/privkey-1.h
+++ /dev/null
@@ -1,54 +0,0 @@
-unsigned char privkey_1_der[] = {
- 0x30, 0x82, 0x02, 0x5e, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xbb,
- 0x2c, 0xef, 0x95, 0x09, 0x80, 0xff, 0xca, 0xb1, 0xd3, 0xd1, 0x15, 0xb6,
- 0x01, 0x15, 0xc1, 0x7c, 0x39, 0x81, 0xf6, 0x31, 0x13, 0xf2, 0x46, 0x75,
- 0xe6, 0xc6, 0xae, 0x2e, 0x68, 0x3a, 0xb8, 0x48, 0x70, 0x47, 0xf9, 0x44,
- 0x5d, 0x6a, 0x0e, 0x37, 0x2f, 0x71, 0x1e, 0x54, 0x6c, 0x33, 0x21, 0xe2,
- 0x2f, 0x0c, 0xd4, 0xfa, 0x88, 0x72, 0xad, 0x2b, 0x27, 0x02, 0x7c, 0x48,
- 0x10, 0x28, 0x18, 0x24, 0x4b, 0xf0, 0x87, 0x15, 0xf8, 0xac, 0xb6, 0x69,
- 0x1c, 0x1c, 0x25, 0xd6, 0xaf, 0xb3, 0xc8, 0x60, 0x1a, 0xa4, 0x8a, 0x20,
- 0xa9, 0x9b, 0x7d, 0x5a, 0xcd, 0xea, 0x97, 0x20, 0x45, 0x1a, 0x3b, 0xda,
- 0xbc, 0x15, 0x30, 0x84, 0x17, 0x08, 0xda, 0x50, 0xc0, 0x93, 0xa6, 0xd3,
- 0x28, 0x06, 0xc5, 0x6a, 0xc3, 0x9c, 0x48, 0x53, 0x38, 0x96, 0x8e, 0x33,
- 0x2f, 0xf9, 0x42, 0xac, 0xf0, 0xb1, 0x7f, 0x02, 0x03, 0x01, 0x00, 0x01,
- 0x02, 0x81, 0x81, 0x00, 0xb0, 0x57, 0xb5, 0xa0, 0x84, 0x43, 0xb4, 0xba,
- 0x12, 0xaf, 0xac, 0xdc, 0xf7, 0x8c, 0x2e, 0x23, 0x0c, 0x16, 0x62, 0x0a,
- 0xc0, 0x52, 0x3a, 0x7f, 0x87, 0xb4, 0xd4, 0x9a, 0x65, 0xbe, 0x6d, 0x14,
- 0x11, 0xab, 0x37, 0x23, 0xf0, 0xf4, 0xd1, 0x66, 0x73, 0x37, 0x8f, 0x2b,
- 0x33, 0xfe, 0x7c, 0x6d, 0xff, 0xda, 0xb4, 0x0c, 0x33, 0xbd, 0x39, 0xcd,
- 0x4c, 0x4a, 0x84, 0x5c, 0xf2, 0xc7, 0xc5, 0xfc, 0xdc, 0x03, 0x86, 0x8f,
- 0x2f, 0xac, 0x68, 0x11, 0x86, 0x55, 0x1c, 0x86, 0x51, 0x5d, 0xae, 0x18,
- 0x20, 0x33, 0x9d, 0x12, 0x59, 0x4c, 0x1a, 0xb9, 0x5a, 0x48, 0x89, 0xc4,
- 0x1a, 0x7c, 0x24, 0xf7, 0xff, 0xd6, 0x21, 0xa7, 0x7a, 0x14, 0xe8, 0x8c,
- 0x14, 0x3b, 0x80, 0xee, 0x4b, 0xc1, 0x33, 0x7d, 0x4e, 0x22, 0x23, 0xf7,
- 0xe8, 0x18, 0x0e, 0x24, 0x39, 0x62, 0x48, 0x66, 0x5e, 0x47, 0xa5, 0x81,
- 0x02, 0x41, 0x00, 0xe2, 0x4c, 0x05, 0x28, 0xdf, 0xa7, 0x4a, 0xb7, 0x41,
- 0x1c, 0xff, 0xc2, 0x65, 0x91, 0xa2, 0xd0, 0x0b, 0xe2, 0xf5, 0x32, 0x27,
- 0x3d, 0x14, 0xd5, 0xb2, 0xc2, 0x01, 0x18, 0x05, 0x54, 0x55, 0xb9, 0xd8,
- 0xed, 0xb2, 0x86, 
0x69, 0xd6, 0x90, 0x0f, 0x40, 0xe7, 0x8a, 0x70, 0x5e,
- 0x60, 0x7a, 0xf5, 0x81, 0x5a, 0x22, 0x0e, 0x8b, 0x92, 0x5a, 0x43, 0xe7,
- 0xeb, 0xb2, 0x6b, 0x97, 0x6d, 0xee, 0xc5, 0x02, 0x41, 0x00, 0xd3, 0xbe,
- 0x5d, 0xca, 0x62, 0x62, 0x88, 0x48, 0x55, 0x8b, 0x23, 0xb4, 0x62, 0x2c,
- 0xba, 0xb4, 0xbc, 0xb7, 0xdc, 0xb1, 0xc5, 0x27, 0xd9, 0x5b, 0x36, 0xbb,
- 0x8f, 0x39, 0x4c, 0xb1, 0x7b, 0xa6, 0xac, 0x1a, 0xcd, 0x14, 0xca, 0xdc,
- 0x17, 0x45, 0x89, 0x37, 0x37, 0x14, 0x0a, 0x4e, 0xf2, 0x2d, 0xb5, 0x23,
- 0xbf, 0x3e, 0x0a, 0xb7, 0xb9, 0x16, 0x95, 0xcd, 0xda, 0xf0, 0x21, 0xdb,
- 0xa3, 0x73, 0x02, 0x40, 0x0b, 0xf9, 0x91, 0xdc, 0x53, 0xd9, 0x7a, 0x6e,
- 0xb0, 0x17, 0x64, 0xc1, 0x58, 0xb6, 0x98, 0x33, 0x02, 0x2e, 0x04, 0x63,
- 0x9f, 0x07, 0xf0, 0x6e, 0x4e, 0x83, 0x4d, 0xa3, 0x83, 0xc4, 0xae, 0xb4,
- 0xa2, 0xf2, 0x11, 0x1c, 0x63, 0xc5, 0x62, 0xe2, 0x2b, 0xc1, 0x14, 0xe6,
- 0x55, 0x58, 0x2d, 0xa9, 0x88, 0x2a, 0xc8, 0xda, 0x94, 0x30, 0x2e, 0x6e,
- 0xa1, 0x7b, 0x2b, 0x79, 0xde, 0x0d, 0x87, 0x31, 0x02, 0x41, 0x00, 0xbe,
- 0xed, 0x4a, 0x78, 0xf1, 0x19, 0xd3, 0xb5, 0x15, 0x9d, 0x6e, 0xc6, 0x7a,
- 0x37, 0xc6, 0xea, 0xad, 0xb8, 0x44, 0x41, 0xef, 0x7a, 0xad, 0x1c, 0xf8,
- 0x4f, 0x4b, 0x27, 0xe9, 0xa5, 0xa7, 0xcf, 0x74, 0x24, 0x7e, 0x83, 0x9f,
- 0x1f, 0xb1, 0xc4, 0x3b, 0xa4, 0x13, 0xff, 0xf8, 0x03, 0x93, 0x8f, 0xef,
- 0x63, 0x9a, 0x50, 0x01, 0x2e, 0x04, 0xb0, 0xfe, 0xc7, 0x2e, 0x01, 0x95,
- 0x26, 0x0d, 0x4d, 0x02, 0x41, 0x00, 0x84, 0x5d, 0xd1, 0xc6, 0xe9, 0xa2,
- 0x43, 0x94, 0xb4, 0xb9, 0x8b, 0x97, 0xe3, 0x52, 0xf4, 0xf0, 0x05, 0xd2,
- 0x24, 0x6c, 0x92, 0x90, 0xa1, 0x5e, 0xf8, 0xa7, 0xe8, 0x1b, 0xf3, 0x10,
- 0x09, 0xe7, 0xb0, 0xf0, 0xd4, 0xf5, 0x3b, 0x22, 0xd0, 0x2b, 0xa4, 0xdd,
- 0xd3, 0xd0, 0xdb, 0xc2, 0x11, 0xc1, 0x98, 0xff, 0xc6, 0x00, 0xae, 0x44,
- 0x1a, 0x29, 0x0e, 0xcd, 0x92, 0x65, 0x78, 0x6e, 0x6e, 0xb2
-};
-unsigned int privkey_1_der_len = 610;
diff --git a/OSX/tlsnke/tlsnketest/ssl-utils.c b/OSX/tlsnke/tlsnketest/ssl-utils.c
deleted file mode 100644
index d9c87427..00000000
--- a/OSX/tlsnke/tlsnketest/ssl-utils.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-#include <Security/Security.h>
-#include <AssertMacros.h>
-
-#include "ssl-utils.h"
-
-#if TARGET_OS_IPHONE
-
-
-#include <Security/Security.h>
-#include <Security/SecRSAKey.h>
-#include <Security/SecECKey.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecIdentityPriv.h>
-
-
-#include "privkey-1.h"
-#include "cert-1.h"
-
-static
-CFArrayRef chain_from_der(const unsigned char *cert_der, size_t cert_der_len, const unsigned char *pkey_der, size_t pkey_der_len)
-{
- SecKeyRef pkey = NULL;
- SecCertificateRef cert = NULL;
- SecIdentityRef ident = NULL;
- CFArrayRef items = NULL;
-
- require(pkey = SecKeyCreateRSAPrivateKey(kCFAllocatorDefault, pkey_der, pkey_der_len, kSecKeyEncodingPkcs1), errOut);
- require(cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, cert_der, cert_der_len), errOut);
- require(ident = SecIdentityCreate(kCFAllocatorDefault, cert, pkey), errOut);
- require(items = CFArrayCreate(kCFAllocatorDefault, (const void **)&ident, 1, 
&kCFTypeArrayCallBacks), errOut);
-
-errOut:
- CFReleaseSafe(pkey);
- CFReleaseSafe(cert);
- CFReleaseSafe(ident);
- return items;
-}
-
-#else
-
-#include "identity-1.h"
-#define P12_PASSWORD "password"
-
-static
-CFArrayRef chain_from_p12(const unsigned char *p12_data, size_t p12_len)
-{
- char keychain_path[] = "/tmp/keychain.XXXXXX";
-
- SecKeychainRef keychain;
- CFArrayRef list;
- CFDataRef data;
-
- require_noerr(SecKeychainCopyDomainSearchList(kSecPreferencesDomainUser, &list), errOut);
- require(mktemp(keychain_path), errOut);
- require_noerr(SecKeychainCreate (keychain_path, strlen(P12_PASSWORD), P12_PASSWORD,
- FALSE, NULL, &keychain), errOut);
- require_noerr(SecKeychainSetDomainSearchList(kSecPreferencesDomainUser, list), errOut); // restores the previous search list
- require(data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, p12_data, p12_len, kCFAllocatorNull), errOut);
-
- SecExternalFormat format=kSecFormatPKCS12;
- SecExternalItemType type=kSecItemTypeAggregate;
- SecItemImportExportFlags flags=0;
- SecKeyImportExportParameters params = {0,};
- CFArrayRef out = NULL;
-
- params.passphrase=CFSTR("password");
- params.keyAttributes = CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_SENSITIVE;
-
- require_noerr(SecKeychainItemImport(data, CFSTR(".p12"), &format, &type, flags,
- ¶ms, keychain, &out), errOut);
-
-errOut:
- CFReleaseSafe(keychain);
- CFReleaseSafe(list);
-
- return out;
-}
-
-#endif
-
-CFArrayRef server_chain(void)
-{
-#if TARGET_OS_IPHONE
- return chain_from_der(privkey_1_der, privkey_1_der_len, cert_1_der, cert_1_der_len);
-#else
- return chain_from_p12(identity_1_p12, identity_1_p12_len);
-#endif
-}
-
-CFArrayRef client_chain(void)
-{
-#if TARGET_OS_IPHONE
- return chain_from_der(privkey_1_der, privkey_1_der_len, cert_1_der, cert_1_der_len);
-#else
- return chain_from_p12(identity_1_p12, identity_1_p12_len);
-#endif
-}
-
-
diff --git a/OSX/tlsnke/tlsnketest/st_test.c b/OSX/tlsnke/tlsnketest/st_test.c
deleted file mode 100644
index e8e39131..00000000
--- a/OSX/tlsnke/tlsnketest/st_test.c
+++ /dev/null
@@ -1,759 +0,0 @@
-/*
- * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-#include <Security/SecureTransportPriv.h> /* SSLSetOption */
-#include <Security/SecRandom.h>
-
-#include <AssertMacros.h>
-
-#include "ssl-utils.h"
-
-#if 0
-#include <Security/SecPolicy.h>
-#include <Security/SecTrust.h>
-#include <Security/SecIdentity.h>
-#include <Security/SecIdentityPriv.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecKeyPriv.h>
-#if TARGET_OS_IPHONE
-#include <Security/SecRSAKey.h>
-#endif
-#include <Security/SecItem.h>
-#include <Security/SecRandom.h>
-#endif
-
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdbool.h>
-#include <pthread.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/mman.h>
-#include <mach/mach_time.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-
-#include "tlssocket.h"
-
-/*
- SSL CipherSuite tests
- 
- Below are all the ciphers that are individually tested. The first element
- is the SecureTransport/RFC name; the second is what openssl calls it, which
- can be looked up in ciphers(1).
-
- All SSL_DH_* and TLS_DH_* are disabled because neither openssl nor
- securetransport support them:
- SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_DSS_WITH_DES_CBC_SHA,
- SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DH_RSA_WITH_DES_CBC_SHA, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS_DH_DSS_WITH_AES_128_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA,
- TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA,
-
- DSS is unimplemented by securetransport on the phone:
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-
- SSLv2 ciphersuites disabled by securetransport on phone:
- SSL_RSA_WITH_RC2_CBC_MD5, SSL_RSA_WITH_IDEA_CBC_MD5,
- SSL_RSA_WITH_DES_CBC_MD5, SSL_RSA_WITH_3DES_EDE_CBC_MD5,
-
- SSLv3 ciphersuites disabled by securetransport on phone:
- SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
-
- Export ciphersuites disabled on iOS 5.0:
- SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
- SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA
-
- */
-
-typedef struct _CipherSuiteName {
- SSLCipherSuite cipher;
- const char *name;
- bool dh_anonymous;
-} CipherSuiteName;
-
-#define CIPHER(cipher, dh_anonymous) { cipher, #cipher, dh_anonymous },
-
-static const CipherSuiteName ciphers[] = {
- //SSL_NULL_WITH_NULL_NULL, unsupported
- CIPHER(SSL_RSA_WITH_NULL_SHA, false)
- CIPHER(SSL_RSA_WITH_NULL_MD5, false)
- CIPHER(TLS_RSA_WITH_NULL_SHA256, false)
-
- // CIPHER(SSL_RSA_WITH_RC4_128_MD5, false)
- //CIPHER(SSL_RSA_WITH_RC4_128_SHA, false)
- 
CIPHER(SSL_RSA_WITH_3DES_EDE_CBC_SHA, false)
-
- CIPHER(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, false)
- //CIPHER(SSL_DH_anon_WITH_RC4_128_MD5, true)
- CIPHER(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, true)
- CIPHER(TLS_DHE_RSA_WITH_AES_128_CBC_SHA, false)
- CIPHER(TLS_DH_anon_WITH_AES_128_CBC_SHA, true)
- CIPHER(TLS_DHE_RSA_WITH_AES_256_CBC_SHA, false)
- CIPHER(TLS_DH_anon_WITH_AES_256_CBC_SHA, true)
-
- CIPHER(TLS_RSA_WITH_AES_128_CBC_SHA, false)
- CIPHER(TLS_RSA_WITH_AES_256_CBC_SHA, false)
-
-
-#if 0
- CIPHER(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, false)
- CIPHER(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, false)
-
- CIPHER(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, false)
- CIPHER(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, false)
-
- CIPHER(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, false)
- CIPHER(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, false)
-
- CIPHER(TLS_ECDH_anon_WITH_AES_128_CBC_SHA, true)
- CIPHER(TLS_ECDH_anon_WITH_AES_256_CBC_SHA, true)
-
- CIPHER(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, false)
- CIPHER(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, false)
- CIPHER(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, false)
- CIPHER(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, false)
-#endif
-
-#if 0
- CIPHER(TLS_RSA_WITH_AES_256_GCM_SHA384, false)
- CIPHER(TLS_RSA_WITH_AES_128_GCM_SHA256, false)
-#endif
-
- /* Export ciphers are disabled */
-#if 0
- CIPHER(SSL_RSA_EXPORT_WITH_RC4_40_MD5, false)
- CIPHER(SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, false)
- CIPHER(SSL_RSA_WITH_DES_CBC_SHA, false)
- CIPHER(SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, false)
- CIPHER(SSL_DHE_RSA_WITH_DES_CBC_SHA, false)
- CIPHER(SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, true)
- CIPHER(SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, true)
- CIPHER(SSL_DH_anon_WITH_DES_CBC_SHA, true)
-#endif
-
- { -1 }
-};
-
-static int protos[]={kTLSProtocol1, kTLSProtocol11, kTLSProtocol12 };
-
-#if 0 // currently unused
-static SSLCipherSuite sslcipher_atoi(const char *name)
-{
- const CipherSuiteName *a = ciphers;
- while(a->name) {
- if (0 == strcmp(a->name, name)) break;
- a++;
- }
- return a->cipher;
-}
-
-static const char * sslcipher_itoa(SSLCipherSuite num)
-{
- const CipherSuiteName *a = ciphers;
- while(a->cipher >= 0) {
- if (num == a->cipher) break;
- a++;
- }
- return a->name;
-}
-#endif // currently unused
-
-static unsigned char dh_param_512_bytes[] = {
- 0x30, 0x46, 0x02, 0x41, 0x00, 0xdb, 0x3c, 0xfa, 0x13, 0xa6, 0xd2, 0x64,
- 0xdf, 0xcc, 0x40, 0xb1, 0x21, 0xd4, 0xf2, 0xad, 0x22, 0x7f, 0xce, 0xa0,
- 0xb9, 0x5b, 0x95, 0x1c, 0x2e, 0x99, 0xb0, 0x27, 0xd0, 0xed, 0xf4, 0xbd,
- 0xbb, 0x36, 0x93, 0xd0, 0x9d, 0x2b, 0x32, 0xa3, 0x56, 0x53, 0xe3, 0x7b,
- 0xed, 0xa1, 0x71, 0x82, 0x2e, 0x83, 0x14, 0xf9, 0xc0, 0x2f, 0x15, 0xcb,
- 0xcf, 0x97, 0xab, 0x88, 0x49, 0x20, 0x28, 0x2e, 0x63, 0x02, 0x01, 0x02
-};
-static unsigned char *dh_param_512_der = dh_param_512_bytes;
-static unsigned int dh_param_512_der_len = 72;
-
-
-typedef struct {
- uint32_t session_id;
- bool is_session_resume;
- SSLContextRef st;
- bool is_server;
- bool is_dtls;
- bool client_side_auth;
- bool dh_anonymous;
- int comm;
- CFArrayRef certs;
- SSLProtocol proto;
-} ssl_test_handle;
-
-
-// MARK: -
-// MARK: SecureTransport support
-
-#if 0
-static void hexdump(const uint8_t *bytes, size_t len) {
- size_t ix;
- printf("socket write(%p, %lu)\n", bytes, len);
- for (ix = 0; ix < len; ++ix) {
- if (!(ix % 16))
- printf("\n");
- printf("%02X ", bytes[ix]);
- }
- printf("\n");
-}
-#else
-#define hexdump(bytes, len)
-#endif
-
-
-/* 2K should be enough for everybody */
-#define MTU 8000
-static unsigned char readBuffer[MTU];
-static unsigned int readOff=0;
-static size_t readLeft=0;
-
-static
-OSStatus SocketRead(
- SSLConnectionRef connection,
- void *data,
- size_t *dataLength)
-{
- int fd = (int)connection;
- ssize_t len;
-
- if(readLeft==0)
- {
- // printf("SocketRead(%d): waiting for data %ld\n", fd, *dataLength);
-
- len = read(fd, readBuffer, MTU);
-
- if(len>0) {
- readOff=0;
- readLeft=(size_t) len;
- //printf("SocketRead(%d): %ld bytes... 
epoch: %02x seq=%02x%02x\n",
- // fd, len, d[4], d[9], d[10]);
-
- } else {
- int theErr = errno;
- switch(theErr) {
- case EAGAIN:
- printf("SocketRead(%d): WouldBlock\n", fd);
- *dataLength=0;
- /* nonblocking, no data */
- return errSSLWouldBlock;
- default:
- perror("SocketRead");
- return -36;
- }
- }
- }
-
- if(readLeft<*dataLength) {
- *dataLength=readLeft;
- }
-
-
- memcpy(data, readBuffer+readOff, *dataLength);
- readLeft-=*dataLength;
- readOff+=*dataLength;
-
- // printf("%s: returning %ld bytes, left %ld\n", __FUNCTION__, *dataLength, readLeft);
-
- return errSecSuccess;
-
-}
-
-static
-OSStatus SocketWrite(
- SSLConnectionRef connection,
- const void *data,
- size_t *dataLength) /* IN/OUT */
-{
- int fd = (int)connection;
- ssize_t len;
- OSStatus err = errSecSuccess;
-
-#if 0
- const uint8_t *d=data;
-
- if((rand()&3)==1) {
-
- /* drop 1/8th packets */
- printf("SocketWrite: Drop %ld bytes... epoch: %02x seq=%02x%02x\n",
- *dataLength, d[4], d[9], d[10]);
- return errSecSuccess;
-
- }
-#endif
-
- // printf("SocketWrite(%d): Sending %ld bytes... 
epoch: %02x seq=%02x%02x\n",
- // fd, *dataLength, d[4], d[9], d[10]);
-
- len = send(fd, data, *dataLength, 0);
- if(len>0) {
- *dataLength=(size_t)len;
- return err;
- }
-
- int theErr = errno;
- switch(theErr) {
- case EAGAIN:
- /* nonblocking, no data */
- printf("SocketWrite(%d): WouldBlock\n", fd);
- err = errSSLWouldBlock;
- break;
- default:
- perror("SocketWrite");
- err = -36;
- break;
- }
-
- return err;
-
-}
-
-
-static unsigned char dn[] = {
- 0x30, 0x5e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
- 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a,
- 0x13, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e,
- 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41,
- 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
- 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f,
- 0x72, 0x69, 0x74, 0x79, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04,
- 0x03, 0x13, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74
-};
-static unsigned int dn_len = 96;
-
-
-static SSLContextRef make_ssl_ref(bool server, bool client_side_auth, bool dh_anonymous,
- bool dtls, int sock, CFArrayRef certs, SSLProtocol proto, bool kernel)
-{
- SSLContextRef ctx;
-
- if(kernel) {
- require(dtls, out);
- ctx = SSLCreateContextWithRecordFuncs(kCFAllocatorDefault, server?kSSLServerSide:kSSLClientSide, dtls?kSSLDatagramType:kSSLStreamType, &TLSSocket_Funcs);
- require(ctx, out);
- printf("Attaching filter\n");
- require_noerr(TLSSocket_Attach(sock), out);
- require_noerr(SSLSetRecordContext(ctx, (intptr_t) sock), out);
- } else {
- ctx = SSLCreateContext(kCFAllocatorDefault, server?kSSLServerSide:kSSLClientSide, dtls?kSSLDatagramType:kSSLStreamType);
- require(ctx, out);
- require_noerr(SSLSetIOFuncs(ctx,
- (SSLReadFunc)SocketRead, (SSLWriteFunc)SocketWrite), out);
- require_noerr(SSLSetConnection(ctx, (intptr_t)sock), out);
- }
- require(ctx, out);
-
- if(dtls) {
- size_t 
mtu;
- require_noerr(SSLSetMaxDatagramRecordSize(ctx, 400), out);
- require_noerr(SSLGetMaxDatagramRecordSize(ctx, &mtu), out);
- } else {
- require_noerr(SSLSetProtocolVersionMax(ctx, proto), out);
- kernel = false; // not available for tls, only dtls currently.
- }
-
- static const char *peer_domain_name = "localhost";
- require_noerr(SSLSetPeerDomainName(ctx, peer_domain_name,
- strlen(peer_domain_name)), out);
-
- if (!dh_anonymous) {
- if (server)
- require_noerr(SSLSetCertificate(ctx, certs), out);
- if (client_side_auth && server) {
- SSLAuthenticate auth;
- require_noerr(SSLSetClientSideAuthenticate(ctx, kAlwaysAuthenticate), out);
- require_noerr(SSLGetClientSideAuthenticate(ctx, &auth), out);
- require(auth==kAlwaysAuthenticate, out);
- require_noerr(SSLAddDistinguishedName(ctx, dn, dn_len), out);
- }
-#if 0 /* Setting client certificate in advance */
- if (client_side_auth && !server)
- require_noerr(SSLSetCertificate(ctx, certs), out);
-#endif
- if (client_side_auth && !server) /* enable break from SSLHandshake */
- require_noerr(SSLSetSessionOption(ctx,
- kSSLSessionOptionBreakOnCertRequested, true), out);
- require_noerr(SSLSetSessionOption(ctx,
- kSSLSessionOptionBreakOnServerAuth, true), out);
- }
-
- /* Tell SecureTransport to not check certs itself: it will break out of the
- handshake to let us take care of it instead. 
*/
- require_noerr(SSLSetEnableCertVerify(ctx, false), out);
-
- if (server) {
- require_noerr(SSLSetDiffieHellmanParams(ctx,
- dh_param_512_der, dh_param_512_der_len), out);
- }
- else /* if client */ {
- }
-
- return ctx;
-out:
- if (ctx)
- CFRelease(ctx);
- return NULL;
-}
-
-static void *securetransport_ssl_thread(void *arg)
-{
- OSStatus ortn;
- ssl_test_handle * ssl = (ssl_test_handle *)arg;
- SSLContextRef ctx = ssl->st;
- SecTrustRef trust = NULL;
- bool got_server_auth = false, got_client_cert_req = false;
-
-
- if(ssl->is_server) {
- struct sockaddr_in ca; /* client address for connect */
- ssize_t l;
- int fd = ssl->comm;
-
- printf("Server waiting for first packet...\n");
- /* PEEK only... */
- socklen_t slen=sizeof(ca);
- char b;
- if((l=recvfrom(fd, &b, 1, MSG_PEEK, (struct sockaddr *)&ca, &slen))==-1)
- {
- perror("recvfrom");
- return NULL;
- }
-
- printf("Received packet from %s:%d (%ld), connecting...\n", inet_ntoa(ca.sin_addr), ca.sin_port, l);
-
- if(connect(fd, (struct sockaddr *)&ca, sizeof(ca))==-1)
- {
- perror("connect");
- return NULL;
- }
- }
-
- //uint64_t start = mach_absolute_time();
- do {
- ortn = SSLHandshake(ctx);
-
- if (ortn == errSSLServerAuthCompleted)
- {
- require_string(!got_server_auth, out, "second server auth");
- require_string(!got_client_cert_req, out, "got client cert req before server auth");
- got_server_auth = true;
- require_string(!trust, out, "Got errSSLServerAuthCompleted twice?");
- /* verify peer cert chain */
- require_noerr(SSLCopyPeerTrust(ctx, &trust), out);
- SecTrustResultType trust_result = 0;
- /* this won't verify without setting up a trusted anchor */
- require_noerr(SecTrustEvaluate(trust, &trust_result), out);
-
- CFIndex n_certs = SecTrustGetCertificateCount(trust);
- /*fprintf(stderr, "%ld certs; trust_eval: %d\n", n_certs, trust_result); */
-
- CFMutableArrayRef peer_cert_array =
- CFArrayCreateMutable(NULL, n_certs, &kCFTypeArrayCallBacks);
- CFMutableArrayRef orig_peer_cert_array =
- 
CFArrayCreateMutableCopy(NULL, n_certs, ssl->certs);
- while (n_certs--)
- CFArrayInsertValueAtIndex(peer_cert_array, 0,
- SecTrustGetCertificateAtIndex(trust, n_certs));
-
- SecIdentityRef ident =
- (SecIdentityRef)CFArrayGetValueAtIndex(orig_peer_cert_array, 0);
- SecCertificateRef peer_cert = NULL;
- require_noerr(SecIdentityCopyCertificate(ident, &peer_cert), out);
- CFArraySetValueAtIndex(orig_peer_cert_array, 0, peer_cert);
- CFRelease(peer_cert);
-
- require(CFEqual(orig_peer_cert_array, peer_cert_array), out);
- CFRelease(orig_peer_cert_array);
- CFRelease(peer_cert_array);
-
- /*
- CFStringRef cert_name = SecCertificateCopySubjectSummary(cert);
- char cert_name_buffer[1024];
- require(CFStringGetFileSystemRepresentation(cert_name,
- cert_name_buffer, sizeof(cert_name_buffer)), out);
- fprintf(stderr, "cert name: %s\n", cert_name_buffer);
- CFRelease(trust);
- */
- } else if (ortn == errSSLClientCertRequested) {
- require_string(!got_client_cert_req, out, "second client cert req");
- require_string(got_server_auth, out, "didn't get server auth first");
- got_client_cert_req = true;
-
- /* set client cert */
- require_string(!ssl->is_server, out, "errSSLClientCertRequested while running server");
- require_string(!ssl->dh_anonymous, out, "errSSLClientCertRequested while running anon DH");
-
- CFArrayRef DNs = NULL;
- require_noerr(SSLCopyDistinguishedNames (ctx, &DNs), out);
- require(DNs, out);
- CFRelease(DNs);
-
- require_string(ssl->client_side_auth, out, "errSSLClientCertRequested in run not testing that");
- require_noerr(SSLSetCertificate(ctx, ssl->certs), out);
- }
- } while (ortn == errSSLWouldBlock
- || ortn == errSSLServerAuthCompleted
- || ortn == errSSLClientCertRequested);
- require_noerr_action_quiet(ortn, out,
- fprintf(stderr, "Fell out of SSLHandshake with error: %ld\n", (long)ortn));
-
- if (!ssl->is_server && !ssl->dh_anonymous && !ssl->is_session_resume) {
- require_string(got_server_auth, out, "never got server auth");
- if 
(ssl->client_side_auth) - require_string(got_client_cert_req, out, "never got client cert req"); - } - //uint64_t elapsed = mach_absolute_time() - start; - //fprintf(stderr, "setr elapsed: %lld\n", elapsed); - - /* - SSLProtocol proto = kSSLProtocolUnknown; - require_noerr_quiet(SSLGetNegotiatedProtocolVersion(ctx, &proto), out); */ - - SSLCipherSuite cipherSuite; - require_noerr_quiet(ortn = SSLGetNegotiatedCipher(ctx, &cipherSuite), out); - //fprintf(stderr, "st negotiated %s\n", sslcipher_itoa(cipherSuite)); - - if(ssl->is_dtls) { - size_t sz; - SSLGetDatagramWriteSize(ctx, &sz); - // fprintf(stderr, "Max Write Size = %ld\n", sz); - } - - Boolean sessionWasResumed = false; - uint8_t session_id_data[MAX_SESSION_ID_LENGTH]; - size_t session_id_length = sizeof(session_id_data); - require_noerr_quiet(ortn = SSLGetResumableSessionInfo(ctx, &sessionWasResumed, session_id_data, &session_id_length), out); - require_action(ssl->dh_anonymous || (ssl->is_session_resume == sessionWasResumed), out, ortn = -1); - // if (sessionWasResumed) fprintf(stderr, "st resumed session\n"); - //hexdump(session_id_data, session_id_length); - - unsigned char ibuf[300], obuf[300]; - size_t len; - if (ssl->is_server) { - SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf); - require_noerr_quiet(ortn = SSLWrite(ctx, obuf, sizeof(obuf), &len), out); - require_action_quiet(len == sizeof(obuf), out, ortn = -1); - } - require_noerr_quiet(ortn = SSLRead(ctx, ibuf, sizeof(ibuf), &len), out); - require_action_quiet(len == sizeof(ibuf), out, ortn = -1); - - if (ssl->is_server) { - require_noerr(memcmp(ibuf, obuf, sizeof(ibuf)), out); - } else { - require_noerr_quiet(ortn = SSLWrite(ctx, ibuf, sizeof(ibuf), &len), out); - require_action_quiet(len == sizeof(ibuf), out, ortn = -1); - } - -out: - SSLClose(ctx); - CFRelease(ctx); - if (trust) CFRelease(trust); - close(ssl->comm); - pthread_exit((void *)(intptr_t)ortn); - return NULL; -} - - - -static ssl_test_handle * 
-ssl_test_handle_create(uint32_t session_id, bool resume, bool server, bool client_side_auth, bool dh_anonymous, bool dtls, - int comm, CFArrayRef certs, SSLProtocol proto, bool kernel) -{ - ssl_test_handle *handle = calloc(1, sizeof(ssl_test_handle)); - if (handle) { - handle->session_id = session_id; - handle->is_session_resume = resume; - handle->is_server = server; - handle->is_dtls = dtls; - handle->client_side_auth = client_side_auth; - handle->dh_anonymous = dh_anonymous; - handle->comm = comm; - handle->certs = certs; - handle->proto = proto; - handle->st = make_ssl_ref(server, client_side_auth, dh_anonymous, dtls, comm, certs, proto, kernel); - } - return handle; -} - - - -static void createsockets(int sp[2]) -{ - - - int sock; - struct sockaddr_in server_addr; - struct hostent *host; - int err; - - host = gethostbyname("localhost"); - - server_addr.sin_family = AF_INET; - server_addr.sin_port = htons(5000); - server_addr.sin_addr = *((struct in_addr *)host->h_addr); - bzero(&(server_addr.sin_zero),8); - if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1) { - perror("server socket"); - exit(1); - } - - if (bind(sock, (struct sockaddr *)&server_addr, sizeof(struct sockaddr)) - == -1) { - perror("Unable to bind"); - exit(1); - } - - printf("Server Waiting for client on port 5000\n"); - - sp[0]=sock; - - printf("Create client socket\n"); - sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); - if(sock<0) { - perror("client socket"); - exit(1); - } - - err = connect(sock, (struct sockaddr *)&server_addr, - sizeof(struct sockaddr)); - if(err) - { - perror("connect"); - exit(1); - } - - sp[1]=sock; - - printf("Connected\n"); - - -} - -int st_test(void); -int st_test(void) -{ - pthread_t client_thread, server_thread; - CFArrayRef server_certs = server_chain(); - check(server_certs); - - char msg[128]; - - /* Enable this if you want to test a specific d/i/k/l/p/ combination */ -#if 0 - int d=0, i=0, l=0, c=0, k=0; { { -#else - int d,i,c,k,l,p; - - p=0; - //for (p=0; 
p<nprotos; p++) - d=1; - //for (d=0;d<2; d++) /* dtls or not dtls */ - //for (c=0; c<2; k++) /* csa or not */ - for (k=1; k<2; k++) /* kernel or not */ - { - for (i=0; ciphers[i].cipher != (SSLCipherSuite)(-1); i++) { - l=0; - //for (l = 0; l<2; l++) { -#endif - SKIP:{ - //skip("Session resumption tests do not work at this point", 1, l != 1); - int sp[2]; - -#if 0 - if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) exit(errno); - fcntl(sp[0], F_SETNOSIGPIPE, 1); - fcntl(sp[1], F_SETNOSIGPIPE, 1); -#else - createsockets(sp); -#endif - ssl_test_handle *server, *client; - - bool client_side_auth = (c); - bool kernel = (k); - uint32_t session_id = (c+1) << 16 | (i+1); - //fprintf(stderr, "session_id: %d\n", session_id); - server = ssl_test_handle_create(session_id, (l == 1), true /*server*/, - client_side_auth, ciphers[i].dh_anonymous, d, - sp[0], server_certs, protos[p], false); - client = ssl_test_handle_create(session_id, (l == 1), false/*client*/, - client_side_auth, ciphers[i].dh_anonymous, d, - sp[1], server_certs, protos[p], kernel); - - require_noerr(SSLSetPeerID(server->st, &session_id, sizeof(session_id)), out); - require_noerr(SSLSetPeerID(client->st, &session_id, sizeof(session_id)), out); - - /* set fixed cipher on client and server */ - require_noerr(SSLSetEnabledCiphers(client->st, &ciphers[i].cipher, 1), out); - require_noerr(SSLSetEnabledCiphers(server->st, &ciphers[i].cipher, 1), out); - - - snprintf(msg, sizeof(msg), - "%40s ADH:%d CSA:%d DTLS:%d RESUME:%d PROTO:%d KERNEL:%d", - ciphers[i].name, - server->dh_anonymous, - server->client_side_auth, - d, l, p, k); - - printf("%s\n", msg); - - pthread_create(&client_thread, NULL, securetransport_ssl_thread, client); - pthread_create(&server_thread, NULL, securetransport_ssl_thread, server); - - int server_err, client_err; - pthread_join(client_thread, (void*)&client_err); - pthread_join(server_thread, (void*)&server_err); - - - __Check_String(!server_err && !client_err, msg); - - out: - free(client); - 
free(server); - - printf("\n\n"); - sleep(2); - } - } /* all ciphers */ - } /* all configs */ - - CFRelease(server_certs); - - return 0; -} - - diff --git a/OSX/tlsnke/tlsnketest/tlssocket.c b/OSX/tlsnke/tlsnketest/tlssocket.c deleted file mode 100644 index 6f0e6622..00000000 --- a/OSX/tlsnke/tlsnketest/tlssocket.c +++ /dev/null 
@@ -1,344 +0,0 @@ -/* - * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -#include <Security/SecureTransportPriv.h> -#include <string.h> -#include <netinet/in.h> -#include <arpa/inet.h> - -#include <stdlib.h> -#include <stdio.h> -#include <assert.h> - -#include <net/kext_net.h> - -#include "tlssocket.h" -#include "tlsnke.h" - -#include <AssertMacros.h> -#include <errno.h> - -/* TLSSocket functions */ - -static -int TLSSocket_Read(SSLRecordContextRef ref, - SSLRecord *rec) -{ - int socket = (int)ref; - int rc; - ssize_t sz; - struct sockaddr_in client_addr; - int avail; - socklen_t avail_size; - struct cmsghdr *cmsg; - tls_record_hdr_t hdr; - struct msghdr msg; - struct iovec iov; - int cbuf_len=CMSG_SPACE(sizeof(*hdr))+1024; - uint8_t cbuf[cbuf_len]; - - - // printf("%s: Waiting for some data...\n", __FUNCTION__); - /* PEEK only... 
*/ - char b; - rc = (int)recv(socket, &b, 1, MSG_PEEK); - - if(rc==-1) - { - if(errno==EAGAIN) - return errSSLRecordWouldBlock; - else { - perror("recv"); - return errno; - } - } - - /* get the next packet size */ - avail_size = sizeof(avail); - rc = getsockopt(socket, SOL_SOCKET, SO_NREAD, &avail, &avail_size); - - check_noerr(rc); - check(avail_size==sizeof(avail)); - - if(rc || (avail_size !=sizeof(avail))) - return errSSLRecordInternal; - - // printf("%s: Available = %d\n", __FUNCTION__, avail); - - if(avail==0) - return errSSLRecordWouldBlock; - - - /* Allocate a buffer */ - rec->contents.data = malloc(avail); - rec->contents.length = avail; - - /* read the message */ - iov.iov_base = rec->contents.data; - iov.iov_len = rec->contents.length; - msg.msg_name = &client_addr; - msg.msg_namelen = sizeof(client_addr); - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_control = cbuf; - msg.msg_controllen = cbuf_len; - - sz = recvmsg(socket, &msg, 0); - check(sz==avail); - - // printf("%s: received = %ld, ctrl: l=%d f=%x\n", __FUNCTION__, sz, msg.msg_controllen, msg.msg_flags); - rec->contents.length = sz; - - cmsg = CMSG_FIRSTHDR(&msg); - check(cmsg); - if(!cmsg) - return 0; - - check(cmsg->cmsg_type == SCM_TLS_HEADER); - check(cmsg->cmsg_level == SOL_SOCKET); - check(cmsg->cmsg_len == CMSG_LEN(sizeof(*hdr))); - hdr = (tls_record_hdr_t)CMSG_DATA(cmsg); - check(hdr); - - /* print msg info */ - /* - printf("%s: rc=%d, msg: %ld , cmsg = %d, %x, %x, hdr = %d, %x - from %s:%d\n", __FUNCTION__, rc, - iov.iov_len, - cmsg->cmsg_len, cmsg->cmsg_level, cmsg->cmsg_type, - hdr->content_type, hdr->protocol_version, - inet_ntoa(client_addr.sin_addr),ntohs(client_addr.sin_port)); - */ - rec->contentType = hdr->content_type; - rec->protocolVersion = hdr->protocol_version; - - if(rec->contentType==SSL_RecordTypeChangeCipher) { - printf("%s: Received ChangeCipherSpec message\n", __FUNCTION__); - } - return 0; -} - -static -int TLSSocket_Free(SSLRecordContextRef ref, - SSLRecord 
rec) -{ - free(rec.contents.data); - return 0; -} - -static -int TLSSocket_Write(SSLRecordContextRef ref, - SSLRecord rec) -{ - int socket = (int)ref; - ssize_t sz; - - struct msghdr msg; - struct iovec iov; - tls_record_hdr_t hdr; - struct cmsghdr *cmsg; - int cbuf_len=CMSG_SPACE(sizeof(*hdr)); - uint8_t cbuf[cbuf_len]; - - if(rec.contentType==SSL_RecordTypeChangeCipher) { - printf("%s: Sending ChangeCipherSpec message\n", __FUNCTION__); - } - // printf("%s: fd=%d, rec.len=%ld\n", __FUNCTION__, socket, rec.contents.length); - - /* write the message */ - iov.iov_base = rec.contents.data; - iov.iov_len = rec.contents.length; - msg.msg_name = NULL; - msg.msg_namelen = 0; - msg.msg_iov = &iov; - msg.msg_iovlen = 1; - msg.msg_control = cbuf; - msg.msg_controllen = cbuf_len; - - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_level = SOL_SOCKET; - cmsg->cmsg_type = SCM_TLS_HEADER; - cmsg->cmsg_len = CMSG_LEN(sizeof(*hdr)); - hdr = (tls_record_hdr_t)CMSG_DATA(cmsg); - hdr->content_type = rec.contentType; - hdr->protocol_version = rec.protocolVersion; - - /* print msg info */ - sz = sendmsg(socket, &msg, 0); - - if(sz<0) - perror("sendmsg"); - - /* - printf("%s: sz=%ld, msg: %ld , cmsg = %d, %d, %04x\n", __FUNCTION__, sz, - iov.iov_len, - cmsg->cmsg_len, cmsg->cmsg_level, cmsg->cmsg_type); - */ - - check(sz==rec.contents.length); - - if(sz<0) - return (int)sz; - else - return 0; -} - - -static -int TLSSocket_InitPendingCiphers(SSLRecordContextRef ref, - uint16_t selectedCipher, - bool server, - SSLBuffer key) -{ - int socket = (int)ref; - int rc; - char *buf; - - buf = malloc(key.length+3); - buf[0] = selectedCipher >> 8; - buf[1] = selectedCipher & 0xff; - buf[2] = server; - memcpy(buf+3, key.data, key.length); - - printf("%s: cipher=%04x, keylen=%ld\n", __FUNCTION__, selectedCipher, key.length); - - rc = setsockopt(socket, SOL_SOCKET, SO_TLS_INIT_CIPHER, buf, (socklen_t)(key.length+3)); - - printf("%s: rc=%d\n", __FUNCTION__, rc); - - free(buf); - - return rc; -} - -static 
-int TLSSocket_AdvanceWriteCipher(SSLRecordContextRef ref) -{ - int socket = (int)ref; - int rc; - rc = setsockopt(socket, SOL_SOCKET, SO_TLS_ADVANCE_WRITE_CIPHER, NULL, 0); - - printf("%s: rc=%d\n", __FUNCTION__, rc); - - return rc; -} - -static -int TLSSocket_RollbackWriteCipher(SSLRecordContextRef ref) -{ - int socket = (int)ref; - int rc; - rc = setsockopt(socket, SOL_SOCKET, SO_TLS_ROLLBACK_WRITE_CIPHER, NULL, 0); - - printf("%s: rc=%d\n", __FUNCTION__, rc); - - return rc; -} - -static -int TLSSocket_AdvanceReadCipher(SSLRecordContextRef ref) -{ - int socket = (int)ref; - int rc; - rc = setsockopt(socket, SOL_SOCKET, SO_TLS_ADVANCE_READ_CIPHER, NULL, 0); - - printf("%s: rc=%d\n", __FUNCTION__, rc); - - return rc; -} - -static -int TLSSocket_SetProtocolVersion(SSLRecordContextRef ref, - SSLProtocolVersion protocolVersion) -{ - int socket = (int)ref; - int rc; - rc = setsockopt(socket, SOL_SOCKET, SO_TLS_PROTOCOL_VERSION, &protocolVersion, sizeof(protocolVersion)); - - printf("%s: rc=%d\n", __FUNCTION__, rc); - - return rc; -} - - -static -int TLSSocket_ServiceWriteQueue(SSLRecordContextRef ref) -{ - int socket = (int)ref; - int rc; - rc = setsockopt(socket, SOL_SOCKET, SO_TLS_SERVICE_WRITE_QUEUE, NULL, 0); - - return rc; -} - - -static -int TLSSocket_SetOption(SSLRecordContextRef ref, - SSLRecordOption option, - bool value) -{ - /* This is not implemented, and is not needed for DTLS */ - return EINVAL; -} - -const struct SSLRecordFuncs TLSSocket_Funcs = { - .read = TLSSocket_Read, - .write = TLSSocket_Write, - .initPendingCiphers = TLSSocket_InitPendingCiphers, - .advanceWriteCipher = TLSSocket_AdvanceWriteCipher, - .rollbackWriteCipher = TLSSocket_RollbackWriteCipher, - .advanceReadCipher = TLSSocket_AdvanceReadCipher, - .setProtocolVersion = TLSSocket_SetProtocolVersion, - .free = TLSSocket_Free, - .serviceWriteQueue = TLSSocket_ServiceWriteQueue, - .setOption = TLSSocket_SetOption, -}; - - -/* TLSSocket SPIs */ - -int TLSSocket_Attach(int socket) -{ - - /* 
Attach the TLS socket filter and return handle */ - struct so_nke so_tlsnke; - int rc; - int handle; - socklen_t len; - - memset(&so_tlsnke, 0, sizeof(so_tlsnke)); - so_tlsnke.nke_handle = TLS_HANDLE_IP4; - rc=setsockopt(socket, SOL_SOCKET, SO_NKE, &so_tlsnke, sizeof(so_tlsnke)); - if(rc) - return rc; - - len = sizeof(handle); - rc = getsockopt(socket, SOL_SOCKET, SO_TLS_HANDLE, &handle, &len); - if(rc) - return rc; - - assert(len==sizeof(handle)); - - return handle; -} - diff --git a/OSX/tlsnke/tlsnketest/tlssocket.h b/OSX/tlsnke/tlsnketest/tlssocket.h deleted file mode 100644 index b68bfe90..00000000 --- a/OSX/tlsnke/tlsnketest/tlssocket.h +++ /dev/null 
@@ -1,59 +0,0 @@ -/* - * Copyright (c) 2012,2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -#ifndef __TLSSOCKET_H__ -#define __TLSSOCKET_H__ - -#include <Security/SecureTransportPriv.h> - -/* - Attach the TLS socket filter. - - This makes a socket a TLS socket by attaching the TLS socket filter to that socket. - Return a positive TLS handle or a negative error. - The return TLS handle can be used to route VPN data directly through this TLS - socket - */ -int TLSSocket_Attach(int socket); - -/* - Detach the TLS socket filter. - - Return 0 or negative error. - If the TLS Socket is used with SecureTransport, one should make sure - to tear down the SecureTransport session before calling this. - It is not required to use this, as closing the socket would have the same effect. -*/ -int TLSSocket_Detach(int socket); - -/* - Secure Transport Record Layer functions for TLS Sockets. 
-
- To use SecureTransport with a TLS kernel socket, pass this to SSLSetRecordFuncs and
- the socket descriptor to SSLSetRecordContext
- */
-const struct SSLRecordFuncs TLSSocket_Funcs;
-
-
-#endif
diff --git a/OSX/libsecurity_ssl/sslViewer/printCert.h b/OSX/trustd/SecTrustOSXEntryPoints.h
similarity index 50%
rename from OSX/libsecurity_ssl/sslViewer/printCert.h
rename to OSX/trustd/SecTrustOSXEntryPoints.h
index 38a8ab65..13c073ee 100644
--- a/OSX/libsecurity_ssl/sslViewer/printCert.h
+++ b/OSX/trustd/SecTrustOSXEntryPoints.h
@@ -1,15 +1,15 @@
 /*
- * Copyright (c) 2003-2008,2011-2012,2014 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
- *
+ *
  * This file contains Original Code and/or Modifications of Original Code
  * as defined in and that are subject to the Apple Public Source License
  * Version 2.0 (the 'License'). You may not use this file except in
  * compliance with the License. Please obtain a copy of the License at
  * http://www.opensource.apple.com/apsl/ and read it before using this
  * file.
- *
+ *
  * The Original Code and all software distributed under the License are
  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
@@ -17,32 +17,37 @@
  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  * Please see the License for the specific language governing rights and
  * limitations under the License.
- *
+ *
  * @APPLE_LICENSE_HEADER_END@
  */
 /*
- * printCert.h - utility functions for printing certificate info
+ * SecTrustOSXEntryPoints - Interface for unified SecTrust into OS X Security
+ * Framework.
  */
-#ifndef _PRINT_CERT_H_
-#define _PRINT_CERT_H_ 1
+#ifndef _SECURITY_SECTRUST_OSX_ENTRY_POINTS_H_
+#define _SECURITY_SECTRUST_OSX_ENTRY_POINTS_H_
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+
+__BEGIN_DECLS
-#include <stdio.h>
-#include <Security/SecCertificate.h>
-#include <CoreFoundation/CFArray.h>
+void SecTrustLegacySourcesEventRunloopCreate(void);
-#ifdef __cplusplus
-extern "C" {
-#endif
+OSStatus SecTrustLegacyCRLStatus(SecCertificateRef cert, CFArrayRef chain, CFURLRef currCRLDP);
-void fprint_string(CFStringRef string, FILE *file);
-void print_line(CFStringRef line);
-void print_plist(CFArrayRef plist);
-void print_cert(SecCertificateRef cert, bool verbose);
+typedef struct async_ocspd_s {
+ void (*completed)(struct async_ocspd_s *ocspd);
+ void *info;
+ OSStatus response;
+ dispatch_queue_t queue;
+} async_ocspd_t;
-#ifdef __cplusplus
-}
-#endif
+bool SecTrustLegacyCRLFetch(async_ocspd_t *ocspd,
+ CFURLRef currCRLDP, CFAbsoluteTime verifyTime,
+ SecCertificateRef cert, CFArrayRef chain);
+__END_DECLS
-#endif /* _PRINT_CERT_H_ */
+#endif /* _SECURITY_SECTRUST_OSX_ENTRY_POINTS_H_ */
diff --git a/OSX/trustd/com.apple.trustd.agent.plist b/OSX/trustd/com.apple.trustd.agent.plist
index e9dd4a17..dd8116b8 100644
--- a/OSX/trustd/com.apple.trustd.agent.plist
+++ b/OSX/trustd/com.apple.trustd.agent.plist
@@ -26,8 +26,6 @@
 <key>com.apple.trustd.agent</key>
 <true/>
 </dict>
- <key>OnDemand</key>
- <true/>
 <key>POSIXSpawnType</key>
 <string>Interactive</string>
 <key>ProgramArguments</key>
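Review bot: The four declarations added at the end of this hunk (`SecTrustLegacySourcesEventRunloopCreate`, `SecTrustLegacyCRLStatus`, `async_ocspd_t`, `SecTrustLegacyCRLFetch`) have no comments, and the only prose in the new header is the one-line file description. `async_ocspd_t` in particular exposes a `completed` callback, an opaque `info` pointer, a `response` status and a `queue` without saying who owns `info`, on which queue `completed` is invoked, or whether `response` is valid before `completed` runs; a block comment above the typedef stating those three points is needed, and each function should get a one-line comment on what its `OSStatus`/`bool` result and the `chain` argument mean. I cannot see the trustd implementation, so the queue and ownership semantics have to be taken from there rather than guessed in the header.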
@@ -35,8 +33,6 @@
 <string>/usr/libexec/trustd</string>
 <string>--agent</string>
 </array>
- <key>ServiceIPC</key>
- <true/>
 <key>Umask</key>
 <integer>54</integer>
 </dict>
diff --git a/OSX/trustd/entitlements.plist b/OSX/trustd/entitlements.plist
new file mode 100644
index 00000000..72ccc7b8
--- /dev/null
+++ b/OSX/trustd/entitlements.plist
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>application-identifier</key>
+ <string>com.apple.trustd</string>
+ <key>com.apple.private.necp.match</key>
+ <true/>
+ <key>com.apple.private.network.socket-delegate</key>
+ <true/>
+</dict>
+</plist>
diff --git a/OSX/trustd/trustd-Info.plist b/OSX/trustd/trustd-Info.plist
index 95655341..78df5db9 100644
--- a/OSX/trustd/trustd-Info.plist
+++ b/OSX/trustd/trustd-Info.plist
@@ -7,7 +7,7 @@
 <key>CFBundleExecutable</key>
 <string>${EXECUTABLE_NAME}</string>
 <key>CFBundleIdentifier</key>
- <string>com.apple.$(PRODUCT_NAME:rfc1034identifier)</string>
+ <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 <key>CFBundleInfoDictionaryVersion</key>
 <string>6.0</string>
 <key>CFBundleName</key>
diff --git a/OSX/utilities/Regressions/su-07-debugging.c b/OSX/utilities/Regressions/su-07-debugging.c
index 93543908..4a364f3b 100644
--- a/OSX/utilities/Regressions/su-07-debugging.c
+++ b/OSX/utilities/Regressions/su-07-debugging.c
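Review bot: The two private entitlements `com.apple.private.necp.match` and `com.apple.private.network.socket-delegate` granted to trustd in the new entitlements.plist carry no rationale, so a later least-privilege review cannot tell which code path depends on them or when they can be dropped. From the rest of the patch they look related to the legacy CRL fetch interface declared in SecTrustOSXEntryPoints.h, but that is inferred, not shown in this file. Plists accept XML comments, so a line such as `<!-- required by: [PLACEHOLDER: consuming code path] -->` above each key would record the justification at the point of grant.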
@@ -32,55 +32,56 @@ #include "utilities/debugging.h" #include "utilities/debugging_test.h" +#if USINGOLDLOGGING #define kTestCount (39) static void tests(void) { - ok(IsScopeActive(ASL_LEVEL_ERR, NULL), "Errors are active by default"); + ok(IsScopeActive(SECLOG_LEVEL_ERR, NULL), "Errors are active by default"); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("testscope")), "scope is off"); + ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("testscope")), "scope is off"); ApplyScopeListForIDC("-first", kScopeIDXPC); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("testscope")), "scope is on"); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("first")), "scope is off"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("testscope")), "scope is on"); + ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("first")), "scope is off"); ApplyScopeListForIDC("first", kScopeIDXPC); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("first")), "scope is on"); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("testscope")), "scope is off"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("first")), "scope is on"); + ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("testscope")), "scope is off"); ApplyScopeListForIDC("testscope, bar, baz,frog", kScopeIDXPC); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("testscope")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("bar")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("baz")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("frog")), "scope is on"); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("bonzo")), "scope is off"); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("nothing")), "scope is off"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("testscope")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("bar")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("baz")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("frog")), "scope is on"); + ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("bonzo")), "scope is off"); + 
ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("nothing")), "scope is off"); ApplyScopeListForID(CFSTR("-bonzo, boy"), kScopeIDDefaults); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("testscope")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("bar")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("baz")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("frog")), "scope is on"); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("bonzo")), "scope is off"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("nothing")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("testscope")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("bar")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("baz")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("frog")), "scope is on"); + ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("bonzo")), "scope is off"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("nothing")), "scope is on"); ApplyScopeListForID(CFSTR(""), kScopeIDDefaults); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("testscope")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("bar")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("baz")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("frog")), "scope is on"); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("bonzo")), "scope is off"); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("nothing")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("testscope")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("bar")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("baz")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("frog")), "scope is on"); + ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("bonzo")), "scope is off"); + ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("nothing")), "scope is on"); - int value = ASL_LEVEL_NOTICE; + int value = SECLOG_LEVEL_NOTICE; CFNumberRef noticeNumber = CFNumberCreate(kCFAllocatorDefault, 
kCFNumberIntType, &value); - value = ASL_LEVEL_INFO; + value = SECLOG_LEVEL_INFO; CFNumberRef infoNumber = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &value); CFDictionaryRef settings_dictionary = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, 
@@ -92,25 +93,25 @@ tests(void) { ApplyScopeDictionaryForID(settings_dictionary, kScopeIDXPC); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("testscope")), "scope is off"); - ok(!IsScopeActive(ASL_LEVEL_INFO, CFSTR("bar")), "scope is off"); - ok(IsScopeActive(ASL_LEVEL_INFO, CFSTR("baz")), "scope is on"); + ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("testscope")), "scope is off"); + ok(!IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("bar")), "scope is off"); + ok(IsScopeActive(SECLOG_LEVEL_INFO, CFSTR("baz")), "scope is on"); - ok(!IsScopeActive(ASL_LEVEL_NOTICE, CFSTR("testscope")), "scope is off"); - ok(IsScopeActive(ASL_LEVEL_NOTICE, CFSTR("bar")), "scope is on"); - ok(!IsScopeActive(ASL_LEVEL_NOTICE, CFSTR("baz")), "scope is off"); + ok(!IsScopeActive(SECLOG_LEVEL_NOTICE, CFSTR("testscope")), "scope is off"); + ok(IsScopeActive(SECLOG_LEVEL_NOTICE, CFSTR("bar")), "scope is on"); + ok(!IsScopeActive(SECLOG_LEVEL_NOTICE, CFSTR("baz")), "scope is off"); - ok(!IsScopeActive(ASL_LEVEL_WARNING, CFSTR("testscope")), "scope is off"); - ok(IsScopeActive(ASL_LEVEL_WARNING, CFSTR("bar")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_WARNING, CFSTR("baz")), "scope is on"); + ok(!IsScopeActive(SECLOG_LEVEL_WARNING, CFSTR("testscope")), "scope is off"); + ok(IsScopeActive(SECLOG_LEVEL_WARNING, CFSTR("bar")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_WARNING, CFSTR("baz")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_DEBUG, CFSTR("testscope")), "scope is on"); - ok(IsScopeActive(ASL_LEVEL_DEBUG, CFSTR("bar")), "scope is on"); - ok(!IsScopeActive(ASL_LEVEL_DEBUG, CFSTR("baz")), "scope is off"); + ok(IsScopeActive(SECLOG_LEVEL_DEBUG, CFSTR("testscope")), "scope is on"); + ok(IsScopeActive(SECLOG_LEVEL_DEBUG, CFSTR("bar")), "scope is on"); + ok(!IsScopeActive(SECLOG_LEVEL_DEBUG, CFSTR("baz")), "scope is off"); - ok(!IsScopeActive(ASL_LEVEL_ALERT, CFSTR("testscope")), "scope is off"); - ok(!IsScopeActive(ASL_LEVEL_ALERT, CFSTR("bar")), "scope is off"); - 
ok(!IsScopeActive(ASL_LEVEL_ALERT, CFSTR("baz")), "scope is off"); + ok(!IsScopeActive(SECLOG_LEVEL_ALERT, CFSTR("testscope")), "scope is off"); + ok(!IsScopeActive(SECLOG_LEVEL_ALERT, CFSTR("bar")), "scope is off"); + ok(!IsScopeActive(SECLOG_LEVEL_ALERT, CFSTR("baz")), "scope is off"); CFReleaseSafe(noticeNumber); CFReleaseSafe(infoNumber); @@ -130,10 +131,10 @@ tests(void) { static void testLog() { - int value = ASL_LEVEL_NOTICE; + int value = SECLOG_LEVEL_NOTICE; CFNumberRef noticeNumber = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &value); - value = ASL_LEVEL_INFO; + value = SECLOG_LEVEL_INFO; CFNumberRef infoNumber = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &value); CFDictionaryRef settings_dictionary = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, @@ -171,11 +172,11 @@ testLog() called = false; CFReleaseNull(scope); CFReleaseNull(message); CFReleaseNull(file); CFReleaseNull(function); level = -1; line = 0; - secdebug("bar", "Get this!"); + secinfo("bar", "Get this!"); #if !defined(NDEBUG) is(called, true, "Handler called"); - is(level, ASL_LEVEL_DEBUG, "level"); + is(level, SECLOG_LEVEL_DEBUG, "level"); eq_cf(scope, CFSTR("bar"), "Scope"); eq_cf(message, CFSTR("Get this!"), "message"); eq_cf(function, CFSTR("testLog"), "function"); @@ -186,18 +187,20 @@ testLog() called = false; CFReleaseNull(scope); CFReleaseNull(message); + CFReleaseNull(file); CFReleaseNull(function); secnotice("bunz", "Get this, too!"); is(called, true, "Handler called"); - is(level, ASL_LEVEL_NOTICE, "level"); + is(level, SECLOG_LEVEL_NOTICE, "level"); eq_cf(scope, CFSTR("bunz"), "Scope"); eq_cf(message, CFSTR("Get this, too!"), "message"); eq_cf(function, CFSTR("testLog"), "function"); CFReleaseNull(scope); CFReleaseNull(message); + CFReleaseNull(file); CFReleaseNull(function); remove_security_log_handler(verify); 
@@ -212,12 +215,19 @@ testLog()
 CFReleaseSafe(result);
 }
+#endif
+
 int su_07_debugging(int argc, char *const *argv)
 {
+#if USINGOLDLOGGING
 plan_tests(kTestCount + kTestLogCount);
 tests();
 testLog();
+#else
+ plan_tests(1);
+ ok(1, "Using os_log");
+#endif
 return 0;
 }
diff --git a/OSX/utilities/Regressions/su-16-cfdate-der.c b/OSX/utilities/Regressions/su-16-cfdate-der.c
index 19d1227e..df3d05fc 100644
--- a/OSX/utilities/Regressions/su-16-cfdate-der.c
+++ b/OSX/utilities/Regressions/su-16-cfdate-der.c
@@ -278,13 +278,13 @@ static void tests(void)
 for (int testnumber = 0; testnumber < array_size(test_cases); ++testnumber)
 one_test(test_cases + testnumber, testnumber);
- testWithUnguardedZuluCalendar();
- testDoWithZulu();
+ // testWithUnguardedZuluCalendar();
+ // testDoWithZulu();
 }
 int su_16_cfdate_der(int argc, char *const *argv)
 {
- plan_tests(kTestCount+2);
+ plan_tests(kTestCount);
 tests();
 return 0;
diff --git a/OSX/utilities/Regressions/su-41-secdb-stress.c b/OSX/utilities/Regressions/su-41-secdb-stress.c
index a31995e0..32c8f15a 100644
--- a/OSX/utilities/Regressions/su-41-secdb-stress.c
+++ b/OSX/utilities/Regressions/su-41-secdb-stress.c
@@ -232,6 +232,7 @@ static void tests(void)
 }
 dispatch_group_wait(group, DISPATCH_TIME_FOREVER);
 dispatch_release(group);
+ dispatch_release(sema);
 CFErrorRef writeError = NULL;
 ts_ok(SecDbPerformWrite(db, &writeError, ^(SecDbConnectionRef dbconn){
@@ -251,6 +252,7 @@ static void tests(void)
 is(max_readers, kSecDbMaxReaders, "max readers is %d", kSecDbMaxReaders);
 }
+ CFReleaseSafe(dbName);
 CFReleaseNull(db);
 }
diff --git a/OSX/utilities/config/lib.xcconfig b/OSX/utilities/config/lib.xcconfig
index 682ab9d4..5ca24735 100644
--- a/OSX/utilities/config/lib.xcconfig
+++ b/OSX/utilities/config/lib.xcconfig
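Review bot: When `USINGOLDLOGGING` is unset, `su_07_debugging` now executes `plan_tests(1); ok(1, "Using os_log");`, which reports a pass without exercising any of the scope-list or log-handler behaviour this file covered, so the loss of coverage is invisible in the test output. If the test harness offers a skip mechanism (a `skip(...)` call appears in the deleted tlsnketest code elsewhere in this patch, though I cannot confirm it is the same harness), skipping with a reason is the honest form; otherwise a comment above the `#else` branch, e.g. `/* The scope/handler assertions only apply to the ASL logger; no os_log equivalent is covered yet. */`, should mark this as a placeholder rather than a test. The same `#if USINGOLDLOGGING` fencing applies to the earlier hunks of this file.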
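Review bot: In su-16-cfdate-der.c, `testWithUnguardedZuluCalendar()` and `testDoWithZulu()` are turned into commented-out calls and the plan count lowered without any recorded reason, so a reader cannot tell whether these tests are broken, flaky or obsolete, and the functions themselves (outside this hunk) become dead code. Either remove the calls together with their definitions, or replace the two commented lines with a comment such as `// Disabled: [PLACEHOLDER: reason and tracking reference]` so the gap in date-encoding coverage stays traceable. If they are expected to pass again later, the harness's skip mechanism would keep the plan count honest instead of silently shrinking it.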
@@ -2,3 +2,7 @@
 COPY_PHASE_STRIP = NO
 SKIP_INSTALL = YES
 WARNING_CFLAGS = -Wno-deprecated-declarations $(inherited)
+GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0
+
+
+HEADER_SEARCH_PATHS = $(SDKROOT)/System/Library/Frameworks/System.framework/PrivateHeaders $(inherited)
diff --git a/OSX/utilities/src/SecAKSWrappers.c b/OSX/utilities/src/SecAKSWrappers.c
index 77d2ea91..032bc1c8 100644
--- a/OSX/utilities/src/SecAKSWrappers.c
+++ b/OSX/utilities/src/SecAKSWrappers.c
@@ -43,7 +43,7 @@
 #endif
 #if TARGET_OS_MAC && !TARGET_OS_EMBEDDED && TARGET_HAS_KEYSTORE
- // OS X
+// OS X
 const keybag_handle_t keybagHandle = session_keybag_handle;
 #elif TARGET_HAS_KEYSTORE // iOS, but not simulator
 const keybag_handle_t keybagHandle = device_keybag_handle;
@@ -73,7 +73,7 @@ bool SecAKSLockUserKeybag(uint64_t timeout, CFErrorRef *error){
 secnotice("lockassertions", "Requesting lock assertion for %lld seconds", timeout);
 status = aks_assert_hold(keybagHandle, lockAssertType, timeout);
 }
-
+
 if (status == kIOReturnSuccess) ++count;
 });
@@ -93,7 +93,7 @@ bool SecAKSUnLockUserKeybag(CFErrorRef *error){
 status = aks_assert_drop(keybagHandle, lockAssertType);
 }
 });
-
+
 return SecKernError(status, error, CFSTR("Kern return error"));
 #endif /* !TARGET_HAS_KEYSTORE */
 }
@@ -106,7 +106,7 @@ bool SecAKSDoWhileUserBagLocked(CFErrorRef *error, dispatch_block_t action)
 return true;
 #else
 // Acquire lock assertion, ref count?
-
+
 bool status = false;
 uint64_t timeout = 60ull;
 if (SecAKSLockUserKeybag(timeout, error)) {
@@ -116,7 +116,6 @@ bool SecAKSDoWhileUserBagLocked(CFErrorRef *error, dispatch_block_t action)
 return status;
 #endif /* !TARGET_HAS_KEYSTORE */
 }
-
 CFDataRef SecAKSCopyBackupBagWithSecret(size_t size, uint8_t *secret, CFErrorRef *error) {
 #if !TARGET_HAS_KEYSTORE
 return NULL;
diff --git a/OSX/utilities/src/SecAKSWrappers.h b/OSX/utilities/src/SecAKSWrappers.h
index b4a7ad23..9b485c04 100644
--- a/OSX/utilities/src/SecAKSWrappers.h
+++ b/OSX/utilities/src/SecAKSWrappers.h
@@ -127,7 +127,6 @@ static inline bool SecAKSGetHasBeenUnlocked(bool* hasBeenUnlocked, CFErrorRef* e
 }
 bool SecAKSDoWhileUserBagLocked(CFErrorRef *error, dispatch_block_t action);
-
 //
 // if you can't use the block version above, use these.
 // !!!!!Remember to balance them!!!!!!
diff --git a/OSX/utilities/src/SecAppleAnchor.c b/OSX/utilities/src/SecAppleAnchor.c
index 6384e9fd..b453b927 100644
--- a/OSX/utilities/src/SecAppleAnchor.c
+++ b/OSX/utilities/src/SecAppleAnchor.c
@@ -1,17 +1,48 @@
-//
-// utilities
-//
-// Copyright © 2015 Apple Inc. All rights reserved.
-//
+/*
+ * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
 #include <AssertMacros.h>
 #include "SecAppleAnchorPriv.h"
 #include "SecInternalReleasePriv.h"
 #include "SecCFWrappers.h"
+#include <Security/SecCertificatePriv.h>
 static CFDictionaryRef getAnchors(void);
+static bool testAppleAnchorsAllowed(SecAppleTrustAnchorFlags flags) {
+ if (!(flags & kSecAppleTrustAnchorFlagsIncludeTestAnchors)) {
+ /* user does not want test anchors */
+ return false;
+ }
+ if (SecIsInternalRelease() ||
+ flags & kSecAppleTrustAnchorFlagsAllowNonProduction) {
+ /* device allows test anchors */
+ return true;
+ }
+ return false;
+}
+
 bool
 SecIsAppleTrustAnchorData(CFDataRef cert,
 SecAppleTrustAnchorFlags flags)
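Review bot: `testAppleAnchorsAllowed` is the one decision in this file that can widen trust to a non-production root, yet it has no header comment stating its contract; a suggested comment above the definition: `/* Test anchors are accepted only when the caller asks for them (kSecAppleTrustAnchorFlagsIncludeTestAnchors) AND either this is an internal build or the caller explicitly opts into non-production anchors (kSecAppleTrustAnchorFlagsAllowNonProduction). */`. The second condition would also read more safely with the bitwise test parenthesized, `(flags & kSecAppleTrustAnchorFlagsAllowNonProduction)`, matching the form used in the first check and keeping `-Wparentheses`-style reviews quiet. The new `#include <Security/SecCertificatePriv.h>` is presumably for `SecCertificateCopySHA256Digest` used further down in this file; a trailing `/* SecCertificateCopySHA256Digest */` would save the next reader a grep.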
@@ -28,8 +59,7 @@ SecIsAppleTrustAnchorData(CFDataRef cert,
 require(isBoolean(value), fail);
- if ((SecIsInternalRelease() || flags & kSecAppleTrustAnchorFlagsAllowNonProduction)
- && flags & kSecAppleTrustAnchorFlagsIncludeTestAnchors) {
+ if (testAppleAnchorsAllowed(flags)) {
 res = true;
 } else {
 res = CFBooleanGetValue(value);
@@ -47,7 +77,7 @@ SecIsAppleTrustAnchor(SecCertificateRef cert,
 CFDataRef data;
 bool res = false;
- data = SecCertificateCopyData(cert);
+ data = SecCertificateCopySHA256Digest(cert);
 require(data, fail);
 res = SecIsAppleTrustAnchorData(data, flags);
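Review bot: Passing `SecCertificateCopySHA256Digest(cert)` instead of `SecCertificateCopyData(cert)` changes the contract of the exported `SecIsAppleTrustAnchorData(CFDataRef cert, ...)` from "DER-encoded certificate" to "32-byte SHA-256 digest" while the function and parameter are still named as if they took certificate bytes; any other caller that keeps passing the DER encoding will now silently get `false` rather than an error. Document the new input where the prototype is declared, e.g. `/* cert: SHA-256 digest of the certificate's DER encoding (32 bytes), as returned by SecCertificateCopySHA256Digest; not the certificate itself. */`, and consider rejecting a `CFDataGetLength` other than 32 up front so a stale caller fails loudly. The body of SecIsAppleTrustAnchorData, including the lookup that produces `value` and the `fail:` cleanup that releases `data`, lies outside these hunks.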
@@ -57,499 +87,58 @@ fail: return res; } -static const unsigned char AppleRoot[1215] = { - 0x30, 0x82, 0x04, 0xbb, 0x30, 0x82, 0x03, 0xa3, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x62, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x30, - 0x1e, 0x17, 0x0d, 0x30, 0x36, 0x30, 0x34, 0x32, 0x35, 0x32, 0x31, 0x34, - 0x30, 0x33, 0x36, 0x5a, 0x17, 0x0d, 0x33, 0x35, 0x30, 0x32, 0x30, 0x39, - 0x32, 0x31, 0x34, 0x30, 0x33, 0x36, 0x5a, 0x30, 0x62, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x30, - 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, - 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xe4, 0x91, 0xa9, 0x09, - 0x1f, 0x91, 0xdb, 0x1e, 0x47, 0x50, 0xeb, 0x05, 0xed, 
0x5e, 0x79, 0x84, - 0x2d, 0xeb, 0x36, 0xa2, 0x57, 0x4c, 0x55, 0xec, 0x8b, 0x19, 0x89, 0xde, - 0xf9, 0x4b, 0x6c, 0xf5, 0x07, 0xab, 0x22, 0x30, 0x02, 0xe8, 0x18, 0x3e, - 0xf8, 0x50, 0x09, 0xd3, 0x7f, 0x41, 0xa8, 0x98, 0xf9, 0xd1, 0xca, 0x66, - 0x9c, 0x24, 0x6b, 0x11, 0xd0, 0xa3, 0xbb, 0xe4, 0x1b, 0x2a, 0xc3, 0x1f, - 0x95, 0x9e, 0x7a, 0x0c, 0xa4, 0x47, 0x8b, 0x5b, 0xd4, 0x16, 0x37, 0x33, - 0xcb, 0xc4, 0x0f, 0x4d, 0xce, 0x14, 0x69, 0xd1, 0xc9, 0x19, 0x72, 0xf5, - 0x5d, 0x0e, 0xd5, 0x7f, 0x5f, 0x9b, 0xf2, 0x25, 0x03, 0xba, 0x55, 0x8f, - 0x4d, 0x5d, 0x0d, 0xf1, 0x64, 0x35, 0x23, 0x15, 0x4b, 0x15, 0x59, 0x1d, - 0xb3, 0x94, 0xf7, 0xf6, 0x9c, 0x9e, 0xcf, 0x50, 0xba, 0xc1, 0x58, 0x50, - 0x67, 0x8f, 0x08, 0xb4, 0x20, 0xf7, 0xcb, 0xac, 0x2c, 0x20, 0x6f, 0x70, - 0xb6, 0x3f, 0x01, 0x30, 0x8c, 0xb7, 0x43, 0xcf, 0x0f, 0x9d, 0x3d, 0xf3, - 0x2b, 0x49, 0x28, 0x1a, 0xc8, 0xfe, 0xce, 0xb5, 0xb9, 0x0e, 0xd9, 0x5e, - 0x1c, 0xd6, 0xcb, 0x3d, 0xb5, 0x3a, 0xad, 0xf4, 0x0f, 0x0e, 0x00, 0x92, - 0x0b, 0xb1, 0x21, 0x16, 0x2e, 0x74, 0xd5, 0x3c, 0x0d, 0xdb, 0x62, 0x16, - 0xab, 0xa3, 0x71, 0x92, 0x47, 0x53, 0x55, 0xc1, 0xaf, 0x2f, 0x41, 0xb3, - 0xf8, 0xfb, 0xe3, 0x70, 0xcd, 0xe6, 0xa3, 0x4c, 0x45, 0x7e, 0x1f, 0x4c, - 0x6b, 0x50, 0x96, 0x41, 0x89, 0xc4, 0x74, 0x62, 0x0b, 0x10, 0x83, 0x41, - 0x87, 0x33, 0x8a, 0x81, 0xb1, 0x30, 0x58, 0xec, 0x5a, 0x04, 0x32, 0x8c, - 0x68, 0xb3, 0x8f, 0x1d, 0xde, 0x65, 0x73, 0xff, 0x67, 0x5e, 0x65, 0xbc, - 0x49, 0xd8, 0x76, 0x9f, 0x33, 0x14, 0x65, 0xa1, 0x77, 0x94, 0xc9, 0x2d, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x7a, 0x30, 0x82, 0x01, - 0x76, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, - 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, - 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, - 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x2b, 0xd0, 0x69, - 0x47, 0x94, 0x76, 0x09, 0xfe, 0xf4, 0x6b, 0x8d, 0x2e, 0x40, 0xa6, 0xf7, - 0x47, 0x4d, 0x7f, 0x08, 0x5e, 0x30, 0x1f, 0x06, 0x03, 
0x55, 0x1d, 0x23, - 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x2b, 0xd0, 0x69, 0x47, 0x94, 0x76, - 0x09, 0xfe, 0xf4, 0x6b, 0x8d, 0x2e, 0x40, 0xa6, 0xf7, 0x47, 0x4d, 0x7f, - 0x08, 0x5e, 0x30, 0x82, 0x01, 0x11, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, - 0x82, 0x01, 0x08, 0x30, 0x82, 0x01, 0x04, 0x30, 0x82, 0x01, 0x00, 0x06, - 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x05, 0x01, 0x30, 0x81, - 0xf2, 0x30, 0x2a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, - 0x01, 0x16, 0x1e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, - 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x30, 0x81, 0xc3, - 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x81, - 0xb6, 0x1a, 0x81, 0xb3, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, - 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x62, 0x79, 0x20, - 0x61, 0x6e, 0x79, 0x20, 0x70, 0x61, 0x72, 0x74, 0x79, 0x20, 0x61, 0x73, - 0x73, 0x75, 0x6d, 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, - 0x61, 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, 0x20, - 0x74, 0x68, 0x65, 0x6e, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, - 0x62, 0x6c, 0x65, 0x20, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, 0x64, - 0x20, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, - 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6f, 0x66, - 0x20, 0x75, 0x73, 0x65, 0x2c, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, - 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, 0x74, - 0x69, 0x63, 0x65, 0x20, 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, - 0x74, 0x73, 0x2e, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 
0x01, 0x00, 0x5c, - 0x36, 0x99, 0x4c, 0x2d, 0x78, 0xb7, 0xed, 0x8c, 0x9b, 0xdc, 0xf3, 0x77, - 0x9b, 0xf2, 0x76, 0xd2, 0x77, 0x30, 0x4f, 0xc1, 0x1f, 0x85, 0x83, 0x85, - 0x1b, 0x99, 0x3d, 0x47, 0x37, 0xf2, 0xa9, 0x9b, 0x40, 0x8e, 0x2c, 0xd4, - 0xb1, 0x90, 0x12, 0xd8, 0xbe, 0xf4, 0x73, 0x9b, 0xee, 0xd2, 0x64, 0x0f, - 0xcb, 0x79, 0x4f, 0x34, 0xd8, 0xa2, 0x3e, 0xf9, 0x78, 0xff, 0x6b, 0xc8, - 0x07, 0xec, 0x7d, 0x39, 0x83, 0x8b, 0x53, 0x20, 0xd3, 0x38, 0xc4, 0xb1, - 0xbf, 0x9a, 0x4f, 0x0a, 0x6b, 0xff, 0x2b, 0xfc, 0x59, 0xa7, 0x05, 0x09, - 0x7c, 0x17, 0x40, 0x56, 0x11, 0x1e, 0x74, 0xd3, 0xb7, 0x8b, 0x23, 0x3b, - 0x47, 0xa3, 0xd5, 0x6f, 0x24, 0xe2, 0xeb, 0xd1, 0xb7, 0x70, 0xdf, 0x0f, - 0x45, 0xe1, 0x27, 0xca, 0xf1, 0x6d, 0x78, 0xed, 0xe7, 0xb5, 0x17, 0x17, - 0xa8, 0xdc, 0x7e, 0x22, 0x35, 0xca, 0x25, 0xd5, 0xd9, 0x0f, 0xd6, 0x6b, - 0xd4, 0xa2, 0x24, 0x23, 0x11, 0xf7, 0xa1, 0xac, 0x8f, 0x73, 0x81, 0x60, - 0xc6, 0x1b, 0x5b, 0x09, 0x2f, 0x92, 0xb2, 0xf8, 0x44, 0x48, 0xf0, 0x60, - 0x38, 0x9e, 0x15, 0xf5, 0x3d, 0x26, 0x67, 0x20, 0x8a, 0x33, 0x6a, 0xf7, - 0x0d, 0x82, 0xcf, 0xde, 0xeb, 0xa3, 0x2f, 0xf9, 0x53, 0x6a, 0x5b, 0x64, - 0xc0, 0x63, 0x33, 0x77, 0xf7, 0x3a, 0x07, 0x2c, 0x56, 0xeb, 0xda, 0x0f, - 0x21, 0x0e, 0xda, 0xba, 0x73, 0x19, 0x4f, 0xb5, 0xd9, 0x36, 0x7f, 0xc1, - 0x87, 0x55, 0xd9, 0xa7, 0x99, 0xb9, 0x32, 0x42, 0xfb, 0xd8, 0xd5, 0x71, - 0x9e, 0x7e, 0xa1, 0x52, 0xb7, 0x1b, 0xbd, 0x93, 0x42, 0x24, 0x12, 0x2a, - 0xc7, 0x0f, 0x1d, 0xb6, 0x4d, 0x9c, 0x5e, 0x63, 0xc8, 0x4b, 0x80, 0x17, - 0x50, 0xaa, 0x8a, 0xd5, 0xda, 0xe4, 0xfc, 0xd0, 0x09, 0x07, 0x37, 0xb0, - 0x75, 0x75, 0x21 +/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA */ +/* SKID: 2B:D0:69:47:94:76:09:FE:F4:6B:8D:2E:40:A6:F7:47:4D:7F:08:5E */ +/* Not Before: Apr 25 21:40:36 2006 GMT, Not After : Feb 9 21:40:36 2035 GMT */ +/* Signature Algorithm: sha1WithRSAEncryption */ +static const unsigned char AppleRootCAHash[32] = { + 0xb0, 0xb1, 0x73, 0x0e, 0xcb, 0xc7, 0xff, 0x45, 0x05, 0x14, 0x2c, 
0x49, 0xf1, 0x29, 0x5e, 0x6e, + 0xda, 0x6b, 0xca, 0xed, 0x7e, 0x2c, 0x68, 0xc5, 0xbe, 0x91, 0xb5, 0xa1, 0x10, 0x01, 0xf0, 0x24 }; -static const unsigned char AppleRootG2[1430] = { - 0x30, 0x82, 0x05, 0x92, 0x30, 0x82, 0x03, 0x7a, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x01, 0xe0, 0xe5, 0xb5, 0x83, 0x67, 0xa3, 0xe0, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c, - 0x05, 0x00, 0x30, 0x67, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x0c, 0x12, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, - 0x74, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x47, 0x32, 0x31, 0x26, 0x30, - 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, - 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, - 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x30, 0x34, 0x33, 0x30, 0x31, 0x38, 0x31, - 0x30, 0x30, 0x39, 0x5a, 0x17, 0x0d, 0x33, 0x39, 0x30, 0x34, 0x33, 0x30, - 0x31, 0x38, 0x31, 0x30, 0x30, 0x39, 0x5a, 0x30, 0x67, 0x31, 0x1b, 0x30, - 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, - 0x47, 0x32, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, - 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, - 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, - 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 
0x01, 0x01, 0x05, 0x00, 0x03, - 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, 0x01, - 0x00, 0xd8, 0x11, 0x12, 0x48, 0x48, 0xda, 0x29, 0x8a, 0x49, 0xc5, 0x1c, - 0xc7, 0xec, 0x6e, 0x33, 0x6d, 0xfe, 0x4d, 0xfb, 0xe0, 0x1c, 0xde, 0xac, - 0x5e, 0xe2, 0x36, 0xa7, 0x24, 0xf9, 0x7f, 0x50, 0x6b, 0x4c, 0xce, 0xb9, - 0x30, 0x54, 0x27, 0xe5, 0xb3, 0xd6, 0xed, 0x25, 0xe6, 0x30, 0xb6, 0x05, - 0x37, 0x5e, 0x14, 0x22, 0x11, 0xc5, 0xe8, 0xaa, 0x1b, 0xd2, 0xfb, 0xb2, - 0xd2, 0x09, 0x95, 0x38, 0xa4, 0xef, 0x2a, 0x49, 0x8c, 0x5d, 0x3e, 0x71, - 0x66, 0x03, 0x38, 0xfb, 0x16, 0xf5, 0x85, 0x88, 0xe4, 0x5a, 0x92, 0x0c, - 0x04, 0x32, 0xf2, 0xc8, 0x40, 0xfb, 0x52, 0x5f, 0x9f, 0xf6, 0xc0, 0xf1, - 0xe3, 0xba, 0x45, 0xa0, 0x50, 0xd5, 0x12, 0x8b, 0xf2, 0xdd, 0xde, 0x91, - 0x86, 0x23, 0xf0, 0xf5, 0xb6, 0x72, 0x2e, 0x01, 0xda, 0x0b, 0xf6, 0x2e, - 0x39, 0x08, 0x5f, 0x19, 0xa1, 0x63, 0x41, 0x0b, 0x1c, 0xa7, 0x94, 0xc1, - 0x86, 0xc4, 0x53, 0x2f, 0x76, 0xf6, 0x0a, 0xd7, 0x0c, 0xd1, 0x83, 0x3f, - 0x1a, 0x53, 0x19, 0xf3, 0x57, 0xd5, 0x27, 0x7f, 0xfc, 0x13, 0xb8, 0xf8, - 0x92, 0x8d, 0xfc, 0xd3, 0x28, 0x43, 0x3c, 0xb5, 0x68, 0x00, 0x25, 0x5d, - 0x27, 0x62, 0xd3, 0xdd, 0x55, 0xdd, 0x44, 0x20, 0x90, 0x83, 0x35, 0x93, - 0xc5, 0xbf, 0xb8, 0x19, 0xfb, 0x6b, 0xe3, 0xdc, 0x08, 0x42, 0xe6, 0xaf, - 0x6d, 0xfa, 0x9e, 0x40, 0xca, 0x4e, 0x85, 0x85, 0x78, 0x49, 0xb1, 0xd7, - 0xc3, 0xc1, 0x30, 0x39, 0x32, 0xab, 0x7e, 0x5f, 0xaa, 0xd3, 0x8b, 0x6f, - 0x9f, 0x2d, 0x1a, 0x21, 0x68, 0x70, 0x67, 0xb3, 0xa3, 0xf1, 0x98, 0x41, - 0x6d, 0x91, 0x7c, 0xf8, 0xd7, 0xdb, 0xa8, 0xe7, 0x5f, 0x21, 0x1a, 0x8c, - 0x33, 0xbf, 0x31, 0x74, 0xb7, 0xb8, 0xd1, 0xf4, 0xe0, 0x22, 0xf4, 0xbf, - 0x72, 0x34, 0xdf, 0xf7, 0x81, 0x4d, 0x71, 0x7d, 0x51, 0xa1, 0xe2, 0xb3, - 0xf0, 0xd3, 0x28, 0x16, 0x73, 0x6f, 0xcd, 0xcc, 0xad, 0x37, 0x7d, 0x4e, - 0xeb, 0xad, 0x40, 0xe1, 0x3f, 0x81, 0xfd, 0xf7, 0x3d, 0x0a, 0x3e, 0xa2, - 0xf1, 0xbd, 0x31, 0x96, 0x29, 0x59, 0xdc, 0xc2, 0x19, 0x80, 0x8c, 0x5b, - 0x74, 0xc6, 0x2c, 0xd3, 0x10, 0x53, 0x26, 
0x1d, 0x14, 0x4f, 0xc4, 0xd4, - 0x81, 0x66, 0x3c, 0x87, 0x67, 0x33, 0x27, 0x14, 0x08, 0xe9, 0xb4, 0x77, - 0x84, 0x34, 0x52, 0x8f, 0x89, 0xf8, 0x68, 0x98, 0x17, 0xbf, 0xc3, 0xbb, - 0xaa, 0x13, 0x93, 0x1f, 0x5d, 0x54, 0x2f, 0xa8, 0xc7, 0x7c, 0xfb, 0x0d, - 0x14, 0xbe, 0x15, 0x3d, 0x24, 0x34, 0xf2, 0x9a, 0xdc, 0x75, 0x41, 0x66, - 0x22, 0xb4, 0x01, 0xd6, 0x0b, 0xaf, 0x90, 0x9e, 0x0c, 0xea, 0x62, 0xf8, - 0x9b, 0x59, 0x3c, 0x08, 0xe2, 0x96, 0x34, 0xe4, 0x63, 0xde, 0xbc, 0x37, - 0xd4, 0xeb, 0x0c, 0x88, 0x03, 0x43, 0x0b, 0x50, 0xaf, 0xa0, 0x34, 0xdd, - 0x50, 0x4d, 0x15, 0xfb, 0x5a, 0x24, 0xd8, 0x0c, 0xfa, 0x0c, 0x63, 0x9e, - 0x1f, 0x03, 0xb1, 0xe1, 0xee, 0xe1, 0xaa, 0x43, 0xf4, 0x66, 0x65, 0x28, - 0x37, 0x02, 0x31, 0xef, 0x01, 0xc7, 0x1e, 0xd1, 0xcc, 0x9f, 0x6d, 0xca, - 0x54, 0x3a, 0x40, 0xdb, 0xce, 0xcf, 0x4f, 0x46, 0x8b, 0x4a, 0x65, 0x9a, - 0x6a, 0xc6, 0x68, 0x6c, 0xd7, 0xcc, 0x99, 0x1b, 0x47, 0xb0, 0x72, 0xc3, - 0x77, 0x8f, 0xc4, 0xf7, 0x61, 0x9c, 0x74, 0x1f, 0xce, 0xfd, 0x6b, 0xa1, - 0xc2, 0x9c, 0x94, 0x82, 0xab, 0x94, 0xa2, 0xe7, 0xbd, 0x1b, 0xba, 0xb9, - 0x70, 0x39, 0x95, 0x17, 0xc5, 0x29, 0xf3, 0x39, 0x58, 0x34, 0xf5, 0xc4, - 0xa4, 0xc6, 0x7b, 0x60, 0xb9, 0x66, 0x43, 0x50, 0x3f, 0x6e, 0x61, 0xfc, - 0x0e, 0xf9, 0x86, 0xaa, 0x60, 0x0c, 0x43, 0x4b, 0x95, 0x02, 0x03, 0x01, - 0x00, 0x01, 0xa3, 0x42, 0x30, 0x40, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, - 0x0e, 0x04, 0x16, 0x04, 0x14, 0xc4, 0x99, 0x13, 0x6c, 0x18, 0x03, 0xc2, - 0x7b, 0xc0, 0xa3, 0xa0, 0x0d, 0x7f, 0x72, 0x80, 0x7a, 0x1c, 0x77, 0x26, - 0x8d, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0d, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c, 0x05, - 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x51, 0xa6, 0xf3, 0xe2, 0xf4, 0xb8, - 0x3d, 0x93, 0xbf, 0x2d, 0xce, 0x0f, 0xbb, 0x5b, 0xe1, 0x55, 0x14, 0x4e, - 0x4e, 0xd1, 0xe5, 0xce, 0x79, 0x5d, 0x81, 
0x7f, 0xfe, 0xb6, 0xf0, 0x87, - 0x33, 0xf8, 0xef, 0x94, 0xe5, 0x7e, 0xdc, 0x6a, 0x79, 0xa7, 0x1c, 0xbe, - 0xf0, 0x94, 0xb7, 0xa6, 0xd1, 0x30, 0x9c, 0xc8, 0x0d, 0x0a, 0x75, 0x9e, - 0x7d, 0x92, 0x95, 0x7e, 0x18, 0x9d, 0x7e, 0xc2, 0x71, 0x69, 0x7c, 0x14, - 0xea, 0xcf, 0x83, 0x0e, 0xe4, 0x14, 0x42, 0x9e, 0x74, 0x0e, 0x10, 0xcd, - 0xab, 0x1a, 0xba, 0x11, 0x61, 0x81, 0x78, 0xd8, 0xf1, 0xb5, 0x45, 0x40, - 0x78, 0xab, 0xa8, 0xc0, 0xce, 0xfb, 0x7d, 0x63, 0x37, 0x68, 0xf6, 0xe7, - 0xfb, 0xaf, 0xc6, 0xc3, 0x4b, 0xec, 0x1f, 0x36, 0x26, 0x13, 0x54, 0x86, - 0x94, 0x72, 0xb2, 0xea, 0x02, 0xed, 0x8b, 0x6d, 0xe4, 0x0c, 0xa6, 0x90, - 0xc0, 0x57, 0x75, 0xcf, 0x8c, 0x42, 0x7d, 0x5c, 0xe6, 0x31, 0x7d, 0xf3, - 0xc9, 0xb2, 0x92, 0x69, 0x46, 0x0e, 0x88, 0xf8, 0xe3, 0x2d, 0x42, 0xb2, - 0x38, 0xa8, 0xa6, 0x19, 0x8d, 0xf1, 0x9f, 0xcd, 0xee, 0x6a, 0x65, 0xbc, - 0x1a, 0xb0, 0x25, 0xbd, 0xa7, 0x29, 0xfd, 0xf4, 0x3e, 0xa2, 0x75, 0x49, - 0xbf, 0x9e, 0xdb, 0xc9, 0xf7, 0xa7, 0x1e, 0x63, 0x99, 0xe1, 0x5c, 0x46, - 0xff, 0x92, 0x05, 0x8c, 0xfa, 0x1e, 0x20, 0xf9, 0x86, 0x94, 0x56, 0x25, - 0xe5, 0xb4, 0x57, 0x38, 0x9d, 0xeb, 0x88, 0x64, 0x14, 0x21, 0x49, 0x21, - 0x39, 0xbf, 0x62, 0x66, 0xa9, 0xb1, 0xa2, 0xca, 0x6f, 0x3f, 0x21, 0x60, - 0xc5, 0x89, 0xd4, 0x45, 0x36, 0xc8, 0x98, 0x7c, 0xbd, 0xf6, 0xfe, 0x99, - 0x49, 0x80, 0x3b, 0x2c, 0xd2, 0xa6, 0xa7, 0x88, 0x03, 0x04, 0x31, 0x19, - 0xb7, 0xb6, 0x3a, 0x61, 0x45, 0xfa, 0xc9, 0xf2, 0x23, 0xc8, 0x63, 0x73, - 0xbf, 0x56, 0x89, 0x31, 0xb0, 0xd9, 0x7c, 0x62, 0xa7, 0x7b, 0x15, 0xa8, - 0x88, 0x8a, 0xab, 0x38, 0x40, 0xc2, 0xcc, 0x12, 0xff, 0x15, 0xe3, 0xf0, - 0x37, 0xdf, 0x37, 0x72, 0xcb, 0xcc, 0x98, 0xe6, 0xbf, 0xa2, 0xbc, 0xfa, - 0x26, 0x8a, 0x71, 0x56, 0xd7, 0xe7, 0x24, 0x1b, 0x48, 0x44, 0x3e, 0x9e, - 0xfc, 0x9f, 0xc9, 0xcc, 0x1a, 0xec, 0x43, 0x3c, 0x01, 0xbc, 0x34, 0x78, - 0xc8, 0x69, 0xf5, 0xc6, 0xe6, 0x56, 0xec, 0x06, 0x09, 0x36, 0x90, 0xeb, - 0x14, 0x4a, 0x1b, 0x5e, 0xc9, 0x88, 0x23, 0xda, 0x03, 0x30, 0x91, 0x0b, - 0xb8, 0x36, 0x3e, 0xf9, 0xe7, 0xb5, 0x28, 
0x6f, 0xbe, 0x3f, 0xec, 0x3c, - 0x8f, 0x65, 0x1d, 0xe5, 0xc0, 0x1e, 0x87, 0xa4, 0xaa, 0xba, 0x98, 0xfd, - 0x92, 0xe3, 0x6c, 0x26, 0x77, 0xdd, 0x06, 0xb4, 0x64, 0x06, 0x87, 0xf4, - 0x4e, 0xd6, 0xba, 0x4a, 0xaa, 0x16, 0xa8, 0xf4, 0x05, 0x67, 0x66, 0x96, - 0xba, 0xe2, 0x55, 0x79, 0xc3, 0x2c, 0x5d, 0x49, 0x8f, 0x80, 0x49, 0x2b, - 0x8a, 0x12, 0xc7, 0x76, 0x80, 0x51, 0xdf, 0xba, 0xbd, 0x65, 0x5d, 0x3e, - 0x37, 0x47, 0x63, 0x31, 0xe9, 0xe5, 0xf4, 0xc5, 0x3f, 0x4b, 0xad, 0x04, - 0x8a, 0x7a, 0x71, 0x2c, 0xaf, 0x09, 0x43, 0x37, 0x0f, 0xa8, 0xe3, 0x32, - 0x4f, 0xf4, 0x45, 0xb6, 0x6d, 0x97, 0x36, 0xec, 0x84, 0xf5, 0x0a, 0x01, - 0xea, 0x17, 0xbb, 0x85, 0x8d, 0x42, 0x93, 0x70, 0xc3, 0x50, 0xe5, 0x14, - 0x8b, 0xbf, 0x3f, 0xc3, 0x41, 0x0f, 0xdd, 0x22, 0x04, 0x23, 0x08, 0x8a, - 0xba, 0x6d, 0x71, 0x44, 0xab, 0x73, 0x09, 0x3a, 0xc9, 0xf9, 0x52, 0x80, - 0x09, 0xdf, 0xba, 0xe9, 0xe6, 0x16, 0xca, 0x2e, 0x2e, 0x4c, 0xb2, 0xd3, - 0xdc, 0xe5, 0x04, 0x54, 0xb2, 0xd4, 0x34, 0x80, 0x32, 0xb5, 0xbc, 0x0f, - 0x17, 0xe1 +/* subject:/CN=Apple Root CA - G2/OU=Apple Certification Authority/O=Apple Inc./C=US */ +/* SKID: C4:99:13:6C:18:03:C2:7B:C0:A3:A0:0D:7F:72:80:7A:1C:77:26:8D */ +/* Not Before: Apr 30 18:10:09 2014 GMT, Not After : Apr 30 18:10:09 2039 GMT */ +/* Signature Algorithm: sha384WithRSAEncryption */ +static const unsigned char AppleRootG2Hash[32] = { + 0xc2, 0xb9, 0xb0, 0x42, 0xdd, 0x57, 0x83, 0x0e, 0x7d, 0x11, 0x7d, 0xac, 0x55, 0xac, 0x8a, 0xe1, + 0x94, 0x07, 0xd3, 0x8e, 0x41, 0xd8, 0x8f, 0x32, 0x15, 0xbc, 0x3a, 0x89, 0x04, 0x44, 0xa0, 0x50 }; -static const unsigned char AppleRootG3[583] = { - 0x30, 0x82, 0x02, 0x43, 0x30, 0x82, 0x01, 0xc9, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x2d, 0xc5, 0xfc, 0x88, 0xd2, 0xc5, 0x4b, 0x95, 0x30, - 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03, 0x30, - 0x67, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, - 0x41, 0x20, 0x2d, 0x20, 
0x47, 0x33, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, - 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, - 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x1e, 0x17, 0x0d, - 0x31, 0x34, 0x30, 0x34, 0x33, 0x30, 0x31, 0x38, 0x31, 0x39, 0x30, 0x36, - 0x5a, 0x17, 0x0d, 0x33, 0x39, 0x30, 0x34, 0x33, 0x30, 0x31, 0x38, 0x31, - 0x39, 0x30, 0x36, 0x5a, 0x30, 0x67, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x0c, 0x12, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, - 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x47, 0x33, 0x31, - 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, - 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, - 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, - 0x04, 0x98, 0xe9, 0x2f, 0x3d, 0x40, 0x72, 0xa4, 0xed, 0x93, 0x22, 0x72, - 0x81, 0x13, 0x1c, 0xdd, 0x10, 0x95, 0xf1, 0xc5, 0xa3, 0x4e, 0x71, 0xdc, - 0x14, 0x16, 0xd9, 0x0e, 0xe5, 0xa6, 0x05, 0x2a, 0x77, 0x64, 0x7b, 0x5f, - 0x4e, 0x38, 0xd3, 0xbb, 0x1c, 0x44, 0xb5, 0x7f, 0xf5, 0x1f, 0xb6, 0x32, - 0x62, 0x5d, 0xc9, 0xe9, 0x84, 0x5b, 0x4f, 0x30, 0x4f, 0x11, 0x5a, 0x00, - 0xfd, 0x58, 0x58, 0x0c, 0xa5, 0xf5, 0x0f, 0x2c, 0x4d, 0x07, 0x47, 0x13, - 0x75, 0xda, 0x97, 0x97, 0x97, 0x6f, 0x31, 0x5c, 0xed, 0x2b, 0x9d, 0x7b, - 0x20, 0x3b, 0xd8, 0xb9, 
0x54, 0xd9, 0x5e, 0x99, 0xa4, 0x3a, 0x51, 0x0a, - 0x31, 0xa3, 0x42, 0x30, 0x40, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, - 0x04, 0x16, 0x04, 0x14, 0xbb, 0xb0, 0xde, 0xa1, 0x58, 0x33, 0x88, 0x9a, - 0xa4, 0x8a, 0x99, 0xde, 0xbe, 0xbd, 0xeb, 0xaf, 0xda, 0xcb, 0x24, 0xab, - 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, - 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, - 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, - 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03, 0x03, 0x68, 0x00, - 0x30, 0x65, 0x02, 0x31, 0x00, 0x83, 0xe9, 0xc1, 0xc4, 0x16, 0x5e, 0x1a, - 0x5d, 0x34, 0x18, 0xd9, 0xed, 0xef, 0xf4, 0x6c, 0x0e, 0x00, 0x46, 0x4b, - 0xb8, 0xdf, 0xb2, 0x46, 0x11, 0xc5, 0x0f, 0xfd, 0xe6, 0x7a, 0x8c, 0xa1, - 0xa6, 0x6b, 0xce, 0xc2, 0x03, 0xd4, 0x9c, 0xf5, 0x93, 0xc6, 0x74, 0xb8, - 0x6a, 0xdf, 0xaa, 0x23, 0x15, 0x02, 0x30, 0x6d, 0x66, 0x8a, 0x10, 0xca, - 0xd4, 0x0d, 0xd4, 0x4f, 0xcd, 0x8d, 0x43, 0x3e, 0xb4, 0x8a, 0x63, 0xa5, - 0x33, 0x6e, 0xe3, 0x6d, 0xda, 0x17, 0xb7, 0x64, 0x1f, 0xc8, 0x53, 0x26, - 0xf9, 0x88, 0x62, 0x74, 0x39, 0x0b, 0x17, 0x5b, 0xcb, 0x51, 0xa8, 0x0c, - 0xe8, 0x18, 0x03, 0xe7, 0xa2, 0xb2, 0x28 +/* subject:/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */ +/* SKID: BB:B0:DE:A1:58:33:88:9A:A4:8A:99:DE:BE:BD:EB:AF:DA:CB:24:AB */ +/* Not Before: Apr 30 18:19:06 2014 GMT, Not After : Apr 30 18:19:06 2039 GMT */ +/* Signature Algorithm: ecdsa-with-SHA38 */ +static const unsigned char AppleRootG3Hash[32] = { + 0x63, 0x34, 0x3a, 0xbf, 0xb8, 0x9a, 0x6a, 0x03, 0xeb, 0xb5, 0x7e, 0x9b, 0x3f, 0x5f, 0xa7, 0xbe, + 0x7c, 0x4f, 0x5c, 0x75, 0x6f, 0x30, 0x17, 0xb3, 0xa8, 0xc4, 0x88, 0xc3, 0x65, 0x3e, 0x91, 0x79 }; -static const unsigned char TestAppleGlobalRootCA[630] = { - 0x30, 0x82, 0x02, 0x72, 0x30, 0x82, 0x01, 0xf8, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x1c, 0xb5, 0x4f, 0x77, 0x41, 0xf3, 0xa9, 0x54, 0x30, - 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 
0x04, 0x03, 0x03, 0x30, - 0x6e, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x19, - 0x54, 0x65, 0x73, 0x74, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x47, - 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, - 0x41, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x55, 0x53, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x32, - 0x32, 0x30, 0x32, 0x34, 0x33, 0x35, 0x37, 0x5a, 0x17, 0x0d, 0x34, 0x30, - 0x31, 0x32, 0x32, 0x36, 0x30, 0x33, 0x31, 0x33, 0x33, 0x37, 0x5a, 0x30, - 0x6e, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x19, - 0x54, 0x65, 0x73, 0x74, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x47, - 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, - 0x41, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x55, 0x53, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, - 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, - 0x62, 0x00, 0x04, 0xee, 0x83, 0xb8, 0xa8, 0x5a, 0xee, 0x93, 0xfd, 0x07, - 0x5c, 0x6f, 0x28, 0xce, 0x1b, 0x78, 0x8f, 0x13, 0x3a, 0x47, 0x27, 0x96, - 0x95, 0xb1, 0x4b, 0xee, 0x7f, 0x27, 0xe4, 0x69, 0x03, 0x9f, 0x3b, 0xff, - 0x47, 0x92, 0x28, 0x45, 0x9e, 0xbc, 0xe3, 0x8d, 
0x53, 0x69, 0x75, 0xc0, - 0x88, 0x59, 0x99, 0x92, 0x65, 0xb9, 0x53, 0xd7, 0x43, 0x4c, 0xfc, 0xd5, - 0x37, 0xe2, 0x85, 0x43, 0x15, 0xbb, 0xbc, 0xcb, 0x53, 0x08, 0xbf, 0xfa, - 0x69, 0x86, 0x25, 0x01, 0x4b, 0x6f, 0x31, 0xb3, 0x84, 0xad, 0x2c, 0x48, - 0xff, 0xbf, 0x22, 0x5a, 0x20, 0x25, 0xb7, 0x5b, 0x14, 0xca, 0x8e, 0x5a, - 0x4f, 0x1b, 0x76, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x1d, 0x06, 0x03, 0x55, - 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x96, 0xd3, 0x56, 0x5f, 0xf8, 0x49, - 0xc1, 0x40, 0xdf, 0x3b, 0x82, 0x36, 0x5f, 0x09, 0x75, 0xee, 0x95, 0x58, - 0x32, 0x43, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, - 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, - 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x96, 0xd3, 0x56, 0x5f, - 0xf8, 0x49, 0xc1, 0x40, 0xdf, 0x3b, 0x82, 0x36, 0x5f, 0x09, 0x75, 0xee, - 0x95, 0x58, 0x32, 0x43, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, - 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, - 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03, 0x03, 0x68, 0x00, 0x30, - 0x65, 0x02, 0x30, 0x34, 0x32, 0x8a, 0xdc, 0x5f, 0xa0, 0x07, 0x56, 0xa9, - 0xb3, 0xf5, 0x97, 0x05, 0x9f, 0x2e, 0xa6, 0x81, 0x10, 0x4c, 0xe6, 0xdc, - 0xce, 0xac, 0x66, 0x8b, 0x42, 0xea, 0xb7, 0x47, 0x6d, 0x0b, 0x96, 0x74, - 0x9d, 0x4d, 0xe8, 0xc6, 0x29, 0xf1, 0xd6, 0xaa, 0x75, 0xbc, 0x58, 0x10, - 0xf2, 0xe5, 0xeb, 0x02, 0x31, 0x00, 0xf9, 0x05, 0x65, 0x9e, 0x91, 0xa9, - 0xdf, 0x88, 0x2e, 0x90, 0x0f, 0x04, 0xf6, 0x7e, 0xb5, 0xef, 0xbd, 0x0e, - 0xf9, 0xea, 0x01, 0x6e, 0x9d, 0x85, 0x66, 0x1c, 0x63, 0x7b, 0x9b, 0x70, - 0xcd, 0x04, 0x94, 0x70, 0x3d, 0x06, 0x06, 0x82, 0xbd, 0x3a, 0xc4, 0x7d, - 0xc5, 0x7d, 0x04, 0xac, 0xc9, 0xf2 +/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ +/* SKID: 59:B8:2B:94:3A:1B:BA:F1:00:AE:EE:50:52:23:33:C9:59:C3:54:98 */ +/* Not Before: Apr 22 02:15:48 2015 GMT, Not After : Feb 9 21:40:36 2035 GMT */ +/* Signature Algorithm: sha1WithRSAEncryption */ +static const 
unsigned char TestAppleRootCAHash[32] = { + 0x08, 0x47, 0x99, 0xfb, 0xa9, 0x9c, 0x06, 0x46, 0xe5, 0xcf, 0x0b, 0xf2, 0x73, 0x7f, 0x23, 0xa4, + 0x77, 0xe4, 0x98, 0x05, 0x5b, 0x9e, 0xf9, 0x0c, 0xdf, 0x40, 0xc2, 0x92, 0xfd, 0x46, 0x6c, 0xd7 }; -static const unsigned char TestAppleRootCA[1232] = { - 0x30, 0x82, 0x04, 0xcc, 0x30, 0x82, 0x03, 0xb4, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x3d, 0x00, 0x4b, 0x90, 0x3e, 0xde, 0xe0, 0xd0, 0x30, - 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, - 0x05, 0x00, 0x30, 0x67, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, - 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, - 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, - 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, - 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x1b, 0x30, 0x19, 0x06, 0x03, - 0x55, 0x04, 0x03, 0x0c, 0x12, 0x54, 0x65, 0x73, 0x74, 0x20, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x30, - 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x32, 0x32, 0x30, 0x32, 0x31, - 0x35, 0x34, 0x38, 0x5a, 0x17, 0x0d, 0x33, 0x35, 0x30, 0x32, 0x30, 0x39, - 0x32, 0x31, 0x34, 0x30, 0x33, 0x36, 0x5a, 0x30, 0x67, 0x31, 0x0b, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, - 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x26, 0x30, 0x24, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x1b, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x12, 0x54, 0x65, - 0x73, 0x74, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, - 
0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, - 0x00, 0xc7, 0xd1, 0x43, 0x53, 0x7f, 0x0d, 0x88, 0x6b, 0xe6, 0xb1, 0x67, - 0x9d, 0xee, 0x67, 0xb6, 0xe7, 0x77, 0x12, 0x81, 0xc4, 0xdf, 0x24, 0x6b, - 0x7a, 0x75, 0x24, 0xf7, 0x01, 0x09, 0xce, 0x34, 0x92, 0xf5, 0x38, 0x08, - 0x42, 0x7e, 0xec, 0x9d, 0xf2, 0x5d, 0x38, 0x91, 0xb4, 0x93, 0x98, 0x35, - 0x11, 0x3c, 0x98, 0x00, 0x77, 0xd9, 0xd7, 0xf3, 0x4a, 0xf8, 0xf0, 0xbc, - 0xeb, 0x97, 0x5d, 0x4b, 0x61, 0x2e, 0xfb, 0xc5, 0xcc, 0x68, 0xb7, 0x6d, - 0x69, 0x10, 0xcc, 0xa5, 0x61, 0x78, 0xa8, 0x81, 0x02, 0x9e, 0xe7, 0x63, - 0xc5, 0xff, 0x29, 0x22, 0x82, 0x68, 0xaa, 0xaa, 0x0e, 0xfb, 0xa9, 0xd8, - 0x16, 0x73, 0x25, 0xbf, 0x9d, 0x08, 0x62, 0x2f, 0x78, 0x04, 0xf6, 0xf6, - 0x44, 0x07, 0x37, 0x6e, 0x99, 0x1b, 0x93, 0xd8, 0x7f, 0xee, 0x72, 0xde, - 0xe8, 0x32, 0xf6, 0x6d, 0x78, 0x04, 0xa0, 0xa8, 0x21, 0x26, 0x8a, 0x32, - 0xe3, 0xb1, 0x65, 0x85, 0xa1, 0x7b, 0x1a, 0xa9, 0x02, 0xb2, 0xbb, 0xee, - 0xdd, 0xdd, 0x8f, 0x41, 0x49, 0xc8, 0x3f, 0xdc, 0x1e, 0xdf, 0x21, 0xa3, - 0x95, 0x99, 0xbb, 0xfc, 0x29, 0xba, 0x40, 0x43, 0xb9, 0x1c, 0xcd, 0xc9, - 0x21, 0x45, 0x73, 0xad, 0xff, 0xfd, 0xa2, 0x6c, 0x5c, 0x3b, 0x1c, 0x37, - 0x91, 0x34, 0x8e, 0x5c, 0xd3, 0xd5, 0x03, 0x58, 0x28, 0xc7, 0xf2, 0x76, - 0x6f, 0x11, 0xc0, 0xb5, 0xbd, 0x7e, 0xef, 0x23, 0xb3, 0x3d, 0xb8, 0xbd, - 0x38, 0x66, 0x8c, 0xf2, 0x78, 0x95, 0xc1, 0x8b, 0x32, 0x65, 0x3a, 0x9b, - 0x49, 0x1a, 0x5c, 0x41, 0x3c, 0xc6, 0x85, 0x50, 0xec, 0x85, 0xf0, 0x59, - 0x17, 0x81, 0xe8, 0x96, 0xe8, 0x6a, 0xcc, 0xb3, 0xc7, 0x46, 0xbf, 0x81, - 0x48, 0xd1, 0x09, 0x1b, 0xbc, 0x73, 0x1e, 0xd7, 0xe8, 0x27, 0xa8, 0x49, - 0x48, 0xa2, 0x1c, 0x41, 0x1d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, - 0x01, 0x7a, 0x30, 0x82, 0x01, 0x76, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, - 0x0e, 0x04, 0x16, 0x04, 0x14, 0x59, 0xb8, 0x2b, 0x94, 0x3a, 0x1b, 0xba, - 
0xf1, 0x00, 0xae, 0xee, 0x50, 0x52, 0x23, 0x33, 0xc9, 0x59, 0xc3, 0x54, - 0x98, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, - 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x59, 0xb8, 0x2b, 0x94, 0x3a, - 0x1b, 0xba, 0xf1, 0x00, 0xae, 0xee, 0x50, 0x52, 0x23, 0x33, 0xc9, 0x59, - 0xc3, 0x54, 0x98, 0x30, 0x82, 0x01, 0x11, 0x06, 0x03, 0x55, 0x1d, 0x20, - 0x04, 0x82, 0x01, 0x08, 0x30, 0x82, 0x01, 0x04, 0x30, 0x82, 0x01, 0x00, - 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x05, 0x01, 0x30, - 0x81, 0xf2, 0x30, 0x2a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, - 0x02, 0x01, 0x16, 0x1e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, - 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x61, 0x70, 0x70, 0x6c, 0x65, 0x63, 0x61, 0x2f, 0x30, 0x81, - 0xc3, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, - 0x81, 0xb6, 0x0c, 0x81, 0xb3, 0x52, 0x65, 0x6c, 0x69, 0x61, 0x6e, 0x63, - 0x65, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x62, 0x79, - 0x20, 0x61, 0x6e, 0x79, 0x20, 0x70, 0x61, 0x72, 0x74, 0x79, 0x20, 0x61, - 0x73, 0x73, 0x75, 0x6d, 0x65, 0x73, 0x20, 0x61, 0x63, 0x63, 0x65, 0x70, - 0x74, 0x61, 0x6e, 0x63, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x74, 0x68, 0x65, - 0x20, 0x74, 0x68, 0x65, 0x6e, 0x20, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, - 0x61, 0x62, 0x6c, 0x65, 0x20, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x61, 0x72, - 0x64, 0x20, 0x74, 0x65, 0x72, 0x6d, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, - 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6f, - 0x66, 0x20, 0x75, 0x73, 0x65, 0x2c, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x70, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x70, 0x72, 0x61, 0x63, - 
0x74, 0x69, 0x63, 0x65, 0x20, 0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x73, 0x2e, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, - 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0d, 0x06, 0x09, - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x01, 0x00, 0x10, 0x5e, 0x6c, 0x69, 0xfc, 0xa6, 0x0f, 0xe2, - 0x09, 0xd5, 0x94, 0x90, 0xa6, 0x7c, 0x22, 0xdc, 0xee, 0xb0, 0x8f, 0x24, - 0x22, 0x4f, 0xb3, 0x67, 0xdb, 0x32, 0xb0, 0xd6, 0x24, 0x87, 0xe6, 0xf3, - 0xea, 0x9e, 0xd0, 0x95, 0x75, 0xaa, 0xa7, 0x08, 0xff, 0xb0, 0x35, 0xd7, - 0x1f, 0xa3, 0xbf, 0x89, 0x55, 0x0c, 0x1c, 0xa4, 0xd0, 0xf8, 0x00, 0x17, - 0x44, 0x94, 0x36, 0x63, 0x3b, 0x83, 0xfe, 0x4e, 0xe5, 0xb3, 0xec, 0x7b, - 0x7d, 0xce, 0xfe, 0xa9, 0x54, 0xed, 0xbb, 0x12, 0xa6, 0x72, 0x2b, 0xb3, - 0x48, 0x00, 0xc7, 0x8e, 0xf5, 0x5b, 0x68, 0xc9, 0x24, 0x22, 0x7f, 0xa1, - 0x4d, 0xfc, 0x54, 0xd9, 0xd0, 0x5d, 0x82, 0x53, 0x71, 0x29, 0x66, 0xcf, - 0x0f, 0x6d, 0x32, 0xa6, 0x3f, 0xae, 0x54, 0x27, 0xc2, 0x8c, 0x12, 0x4c, - 0xf0, 0xd6, 0xc1, 0x80, 0x75, 0xc3, 0x33, 0x19, 0xd1, 0x8b, 0x58, 0xe6, - 0x00, 0x69, 0x76, 0xe7, 0xe5, 0x3d, 0x47, 0xf9, 0xc0, 0x9c, 0xe7, 0x19, - 0x1e, 0x95, 0xbc, 0x52, 0x15, 0xce, 0x94, 0xf8, 0x30, 0x14, 0x0b, 0x39, - 0x0e, 0x8b, 0xaf, 0x29, 0x30, 0x56, 0xaf, 0x5a, 0x28, 0xac, 0xe1, 0x0f, - 0x51, 0x76, 0x76, 0x9a, 0xe7, 0xb9, 0x7d, 0xa3, 0x30, 0xe8, 0xe3, 0x71, - 0x15, 0xe8, 0xbf, 0x0d, 0x4f, 0x12, 0x9b, 0x65, 0xab, 0xef, 0xa4, 0xe9, - 0x42, 0xf0, 0xd2, 0x4d, 0x20, 0x55, 0x29, 0x88, 0x58, 0x5c, 0x82, 0x67, - 0x63, 0x20, 0x50, 0xc6, 0xca, 0x04, 0xe8, 0xbc, 0x3d, 0x93, 0x06, 0x21, - 0xb2, 0xc0, 0xbf, 0x53, 0x1e, 0xe1, 0x8b, 0x48, 0xa9, 0xb9, 0xd7, 0xe6, - 0x5f, 0x4e, 0x5a, 0x2f, 0x43, 0xac, 0x35, 0xbd, 0x26, 0x60, 0x2f, 0x01, - 0xd5, 0x86, 0x6b, 0x64, 0xfa, 0x67, 0x05, 0x44, 0x55, 0x83, 0x5b, 0x93, - 0x9c, 0x7c, 0xa7, 0x26, 0x4e, 0x02, 0x2b, 0x48 +/* subject:/CN=Test Apple Global Root CA/OU=Apple Certification Authority/O=Apple Inc./C=US */ +/* 
SKID: 96:D3:56:5F:F8:49:C1:40:DF:3B:82:36:5F:09:75:EE:95:58:32:43 */ +/* Not Before: Apr 22 02:43:57 2015 GMT, Not After : Dec 26 03:13:37 2040 GMT */ +/* Signature Algorithm: ecdsa-with-SHA384 */ +static const unsigned char TestAppleRootG2Hash[32] = { + 0x0c, 0x14, 0x3e, 0xab, 0x0e, 0xb9, 0x23, 0xbe, 0xa5, 0xc5, 0x3e, 0xe4, 0x24, 0xcf, 0xdb, 0x63, + 0xc6, 0xa9, 0xc2, 0x38, 0x0f, 0x6b, 0xf6, 0xbf, 0xb2, 0x62, 0xdd, 0x36, 0x92, 0x25, 0xfb, 0xea }; -static const unsigned char TestAppleRootCAG3[592] = { - 0x30, 0x82, 0x02, 0x4c, 0x30, 0x82, 0x01, 0xd3, 0xa0, 0x03, 0x02, 0x01, - 0x02, 0x02, 0x08, 0x78, 0x36, 0x0b, 0xf4, 0xb7, 0xc8, 0xb6, 0xb0, 0x30, - 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03, 0x30, - 0x6c, 0x31, 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x17, - 0x54, 0x65, 0x73, 0x74, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, - 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x47, 0x33, 0x31, - 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, - 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x32, 0x32, 0x30, - 0x33, 0x31, 0x37, 0x34, 0x34, 0x5a, 0x17, 0x0d, 0x34, 0x30, 0x31, 0x32, - 0x32, 0x36, 0x30, 0x33, 0x31, 0x33, 0x33, 0x37, 0x5a, 0x30, 0x6c, 0x31, - 0x20, 0x30, 0x1e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x17, 0x54, 0x65, - 0x73, 0x74, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x52, 0x6f, 0x6f, - 0x74, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x47, 0x33, 0x31, 0x26, 0x30, - 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, 0x70, 0x6c, - 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x69, 0x6f, 
0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, - 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, - 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, - 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, - 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, - 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 0xa9, - 0x1a, 0x63, 0x34, 0xef, 0xbc, 0xa6, 0x8a, 0xd6, 0x2a, 0x6a, 0x38, 0x22, - 0xe9, 0x25, 0xad, 0xda, 0x28, 0xa0, 0x49, 0xc5, 0x64, 0xfe, 0x5d, 0x91, - 0xc3, 0x6c, 0xf7, 0x99, 0xe4, 0xba, 0xe4, 0x2a, 0x5f, 0x61, 0xd2, 0xbf, - 0x3b, 0x6c, 0xa8, 0x61, 0x11, 0xb5, 0xe0, 0x66, 0xf7, 0x22, 0x11, 0x86, - 0x97, 0x5d, 0xc3, 0xba, 0x1b, 0x6d, 0x55, 0x7f, 0xd0, 0xf9, 0x80, 0xe0, - 0xff, 0xd9, 0x05, 0xad, 0x5a, 0x5b, 0xbf, 0x3a, 0x7a, 0xa7, 0x09, 0x52, - 0x1a, 0x31, 0x7f, 0x0c, 0xa2, 0xe8, 0x10, 0xf5, 0x36, 0xd3, 0xc8, 0xea, - 0xa0, 0x5b, 0x0a, 0x28, 0x85, 0x30, 0x28, 0x5f, 0x94, 0xf6, 0x94, 0xa3, - 0x42, 0x30, 0x40, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, - 0x04, 0x14, 0xfc, 0x46, 0xd8, 0x83, 0x6c, 0x1f, 0xe6, 0xf2, 0xdc, 0xdf, - 0xa7, 0x99, 0x17, 0xae, 0x0b, 0x44, 0x67, 0x17, 0x1b, 0x46, 0x30, 0x0f, - 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, - 0x01, 0x01, 0xff, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, - 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0a, 0x06, 0x08, 0x2a, - 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03, 0x03, 0x67, 0x00, 0x30, 0x64, - 0x02, 0x30, 0x1a, 0x14, 0x38, 0x24, 0xff, 0xb4, 0x08, 0xcb, 0xea, 0xc9, - 0x3b, 0xda, 0xcc, 0x82, 0xf3, 0xd9, 0x0d, 0xd1, 0x2b, 0x6e, 0xbf, 0x1f, - 0xc4, 0x15, 0x14, 0x44, 0xdf, 0x98, 0x9b, 0xd7, 0xdd, 0xba, 0x1b, 0xbe, - 0x4f, 0x9f, 0x17, 0xa4, 0xd2, 0x02, 0x75, 0x90, 0x7d, 0x76, 0xcc, 0x93, - 0x16, 0x2f, 0x02, 0x30, 0x02, 0xd7, 0xda, 0x0b, 0xbe, 0xdd, 0x3d, 0xed, - 0xf9, 0xa3, 0x06, 0x90, 0xa9, 0x58, 0xbd, 0x6b, 0x7c, 0x7c, 0xe5, 0xc5, - 0x4e, 0x0e, 
0x44, 0xa2, 0x94, 0x2f, 0xb4, 0x04, 0x9a, 0xcd, 0x9b, 0x69, - 0x8d, 0x2a, 0xc6, 0x1d, 0x58, 0xff, 0xe3, 0x32, 0xb6, 0xdb, 0x3e, 0x34, - 0xff, 0x67, 0x70, 0xf1 +/* subject:/CN=Test Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */ +/* SKID: FC:46:D8:83:6C:1F:E6:F2:DC:DF:A7:99:17:AE:0B:44:67:17:1B:46 */ +/* Not Before: Apr 22 03:17:44 2015 GMT, Not After : Dec 26 03:13:37 2040 GMT */ +/* Signature Algorithm: ecdsa-with-SHA384 */ +static const unsigned char TestAppleRootG3Hash[32] = { + 0xbe, 0x9f, 0x7d, 0x2b, 0x62, 0x81, 0x8b, 0xb0, 0xce, 0x6d, 0x7d, 0x73, 0x65, 0xcc, 0x9f, 0xbc, + 0xbe, 0xa4, 0x1b, 0x5a, 0xe1, 0xd4, 0xe9, 0xdd, 0xd5, 0x4c, 0x1b, 0x34, 0x9e, 0x7a, 0x2d, 0xa6 }; static void @@ -574,12 +163,12 @@ getAnchors(void) CFMutableDictionaryRef temp; temp = CFDictionaryCreateMutableForCFTypes(NULL); - addAnchor(temp, AppleRoot, sizeof(AppleRoot), true); - addAnchor(temp, AppleRootG2, sizeof(AppleRootG2), true); - addAnchor(temp, AppleRootG3, sizeof(AppleRootG3), true); - addAnchor(temp, TestAppleGlobalRootCA, sizeof(TestAppleGlobalRootCA), false); - addAnchor(temp, TestAppleRootCA, sizeof(TestAppleRootCA), false); - addAnchor(temp, TestAppleRootCAG3, sizeof(TestAppleRootCAG3), false); + addAnchor(temp, AppleRootCAHash, sizeof(AppleRootCAHash), true); + addAnchor(temp, AppleRootG2Hash, sizeof(AppleRootG2Hash), true); + addAnchor(temp, AppleRootG3Hash, sizeof(AppleRootG3Hash), true); + addAnchor(temp, TestAppleRootCAHash, sizeof(TestAppleRootCAHash), false); + addAnchor(temp, TestAppleRootG2Hash, sizeof(TestAppleRootG2Hash), false); + addAnchor(temp, TestAppleRootG3Hash, sizeof(TestAppleRootG3Hash), false); anchors = temp; diff --git a/OSX/utilities/src/SecAppleAnchorPriv.h b/OSX/utilities/src/SecAppleAnchorPriv.h index f8c5a4ad..c24e3a0f 100644 --- a/OSX/utilities/src/SecAppleAnchorPriv.h +++ b/OSX/utilities/src/SecAppleAnchorPriv.h 
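Review bot: The six addAnchor calls now pass 32-byte digests instead of DER certificates, but nothing at the call site or on the arrays records which digest function produced them or what input it was computed over, so whoever regenerates an anchor later has to guess. A comment above the first call would fix that: `/* each anchor is a 32-byte digest of the DER-encoded certificate (length suggests SHA-256 — confirm against addAnchor) */`. The trailing bool is equally opaque here; writing it as `true /* production */` and `false /* test */` makes the block self-explanatory without changing code.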
@@ -1,8 +1,26 @@ -// -// utilities -// -// Copyright © 2015 Apple Inc. All rights reserved. -// +/* + * Copyright (c) 2015-2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + #ifndef SecAppleAnchor_c #define SecAppleAnchor_c diff --git a/OSX/utilities/src/SecCFError.c b/OSX/utilities/src/SecCFError.c index 3fd4c39c..bb5e1e9f 100644 --- a/OSX/utilities/src/SecCFError.c +++ b/OSX/utilities/src/SecCFError.c @@ -186,7 +186,7 @@ bool SecCFCreateErrorWithFormat(CFIndex errorCode, CFStringRef domain, CFErrorRe } bool SecCFCreateErrorWithFormatAndArguments(CFIndex errorCode, CFStringRef domain, - CFErrorRef previousError, CFErrorRef *newError, + CF_CONSUMED CFErrorRef previousError, CFErrorRef *newError, CFDictionaryRef formatoptions, CFStringRef format, va_list args) { if (newError && !(*newError)) { 
@@ -202,6 +202,7 @@ bool SecCFCreateErrorWithFormatAndArguments(CFIndex errorCode, CFStringRef domai CFReleaseNull(formattedString); if (previousError) secdebug("error_thee_well", "encapsulated %@ with new error: %@", previousError, *newError); + CFReleaseNull(previousError); } else { if (previousError && newError && (previousError != *newError)) { secdebug("error_thee_well", "dropping %@", previousError); diff --git a/OSX/utilities/src/SecCFWrappers.c b/OSX/utilities/src/SecCFWrappers.c index ed6d47c1..5510ccd3 100644 --- a/OSX/utilities/src/SecCFWrappers.c +++ b/OSX/utilities/src/SecCFWrappers.c 
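Review bot: `CFReleaseNull(previousError)` is added only on the path that creates a new error, yet the preceding hunk marks the parameter `CF_CONSUMED`, which promises that the callee releases it on every path. The else branch visible here only logs "dropping %@" and does nothing when `previousError == *newError`; unless a release exists below the hunk (the function continues outside it), callers that now trust the annotation — SecDbError in this same commit drops its own `CFReleaseNull(previousError)` — leak on that path. A `CFReleaseNull(previousError);` after the if/else, or at a single exit, would honour the contract; the `previousError == *newError` case needs a deliberate decision, since it is not clear from here whether that reference was retained separately, and the decision should be written down in a comment.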
@@ -38,6 +38,57 @@ CFGiblisGetSingleton(CFDictionaryRef, SecGetDebugDescriptionFormatOptions, forma *formatOption = CFDictionaryCreate(kCFAllocatorDefault, k, v, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); }) +// +// Smart comparitor for strings that matchies sorting functions +// + +CFComparisonResult CFStringCompareSafe(const void *val1, const void *val2, void *context) { + if (!isString(val1)) + return kCFCompareLessThan; + if (!isString(val2)) + return kCFCompareGreaterThan; + + return CFStringCompare(val1, val2, 0); +} + +void CFStringArrayPerfromWithDelimeterWithDescription(CFArrayRef strings, CFStringRef start, CFStringRef end, void (^action)(CFStringRef description)) { + if(!strings) { + action(CFSTR("null")); + } else { + __block CFMutableStringRef description = CFStringCreateMutableCopy(kCFAllocatorDefault, 0, start); + __block CFStringRef separator = CFSTR(""); + + CFArrayForEach(strings, ^(const void *value) { + CFStringAppendFormat(description, NULL, CFSTR("%@%@"), separator, value); + separator = CFSTR(", "); + }); + + CFStringAppend(description, end); + + action(description); + + CFReleaseNull(description); + } +} + + +void CFStringArrayPerfromWithDescription(CFArrayRef strings, void (^action)(CFStringRef description)) { + CFStringArrayPerfromWithDelimeterWithDescription(strings, CFSTR("["), CFSTR("]"), action); +} + +void CFStringSetPerformWithDescription(CFSetRef set, void (^action)(CFStringRef description)) { + if(!set) { + action(CFSTR("null")); + } else { + CFMutableArrayRef keys = CFSetCopyValues(set); + + CFArraySortValues(keys, CFRangeMake(0, CFArrayGetCount(keys)), (CFComparatorFunction)&CFStringCompare, NULL); + + CFStringArrayPerfromWithDelimeterWithDescription(keys, CFSTR("{("), CFSTR(")}"), action); + + CFReleaseNull(keys); + } +} // // Global sigleton Zulu time. Must be serialized since it is really a CFMutableCalendarRef 
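Review bot: CFStringSetPerformWithDescription sorts with `(CFComparatorFunction)&CFStringCompare`, which casts a function taking `CFStringCompareFlags` to one taking `void *` and will hand any non-string set member straight to CFStringCompare, while this same hunk introduces CFStringCompareSafe with exactly the CFComparatorFunction signature for that purpose. Use it: `CFArraySortValues(keys, CFRangeMake(0, CFArrayGetCount(keys)), CFStringCompareSafe, NULL);`. The new public names misspell their own words (`Perfrom`, `Delimeter`) and the same spellings are declared in the SecCFWrappers.h hunk under the "CFStringXxx Helpers" mark; renaming now, before callers accumulate, is cheap. The comment above CFStringCompareSafe also has two typos and could read `// Comparator for CFArraySortValues that orders non-strings first instead of passing them to CFStringCompare`.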
@@ -205,6 +256,16 @@ CFDataRef CFDataCreateWithRandomBytes(size_t len) { return retval; } +CFDataRef CFDataCreateWithInitializer(CFAllocatorRef allocator, CFIndex size, bool (^operation)(size_t size, uint8_t *buffer)) { + __block CFMutableDataRef result = NULL; + if(!size) return NULL; + if((result = CFDataCreateMutableWithScratch(allocator, size)) == NULL) return NULL; + if (!operation(size, CFDataGetMutableBytePtr(result))) CFReleaseNull(result); +errOut: + return result; +} + + CFGiblisGetSingleton(CFDateFormatterRef, GetShortDateFormatter, sDateFormatter, ^{ CFLocaleRef locale = CFLocaleCopyCurrent(); @@ -238,44 +299,3 @@ void withStringOfAbsoluteTime(CFAbsoluteTime at, void (^action)(CFStringRef decr CFReleaseNull(formattedString); } - - -// -// MARK: Custom Sensitive Data Allocator -// -#include <malloc/malloc.h> -static CFStringRef SecCFAllocatorCopyDescription(const void *info) { - return CFSTR("Custom CFAllocator for sensitive data"); -} - -// primary goal of this allocator is to clear memory when it is deallocated -static void SecCFAllocatorDeallocate(void *ptr, void *info) { - if (!ptr) return; - size_t sz = malloc_size(ptr); - if(sz) cc_clear(sz, ptr); - - CFAllocatorDeallocate(NULL, ptr); -} - -CFAllocatorRef CFAllocatorSensitive(void) { - static dispatch_once_t sOnce = 0; - static CFAllocatorRef sAllocator = NULL; - dispatch_once(&sOnce, ^{ - CFAllocatorContext defaultCtx; - CFAllocatorGetContext(NULL, &defaultCtx); - - CFAllocatorContext ctx = {0, - defaultCtx.info, - defaultCtx.retain, - defaultCtx.release, - SecCFAllocatorCopyDescription, - defaultCtx.allocate, - defaultCtx.reallocate, - SecCFAllocatorDeallocate, - defaultCtx.preferredSize}; - - sAllocator = CFAllocatorCreate(NULL, &ctx); - }); - - return sAllocator; -} \ No newline at end of file diff --git a/OSX/utilities/src/SecCFWrappers.h b/OSX/utilities/src/SecCFWrappers.h index 8e49fdb0..e6c4378f 100644 --- a/OSX/utilities/src/SecCFWrappers.h +++ b/OSX/utilities/src/SecCFWrappers.h 
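Review bot: CFDataCreateWithInitializer carries an `errOut:` label that no goto targets (a -Wunused-label warning) and a `__block` qualifier on `result` that nothing captures; both read as leftovers from an earlier shape of the function. The `if(!size)` guard also lets a negative CFIndex through, which is then converted to a very large `size_t` for the `operation` callback; `if (size <= 0) return NULL;` closes that. The function is undocumented — a one-line comment stating that the data is released and NULL returned when `operation` reports failure would save callers from reading the body.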
@@ -39,6 +39,12 @@ #include <corecrypto/ccdigest.h> +#if __has_feature(objc_arc) +#define __SECBRIDGE __bridge +#else +#define __SECBRIDGE +#endif + // // Convenience routines. // @@ -145,7 +151,7 @@ CFGiblisGetSingleton(CFTypeID, gibliClassName##GetTypeID, typeID, (^{ \ #define CFTypeAllocate(classType, internalType, allocator) \ CFTypeAllocateWithSpace(classType, sizeof(internalType) - sizeof(CFRuntimeBase), allocator) - +#define SECWRAPPER_SENTINEL __attribute__((__sentinel__)) __BEGIN_DECLS 
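Review bot: `#if __has_feature(objc_arc)` is a hard preprocessor error on any compiler that does not define `__has_feature`, and this header is plain C that such compilers may include. Guard it first with `#ifndef __has_feature`, `#define __has_feature(x) 0`, `#endif` immediately above the new block. SECWRAPPER_SENTINEL is a welcome addition; a comment next to it saying that the variadic constructors must end with a NULL argument would explain the new warnings to callers who hit them.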
@@ -159,12 +165,56 @@ void withStringOfAbsoluteTime(CFAbsoluteTime at, void (^action)(CFStringRef decr static void apply_block_1(const void *value, void *context) { - return ((void (^)(const void *value))context)(value); + ((__SECBRIDGE void (^)(const void *value))context)(value); } static void apply_block_2(const void *key, const void *value, void *context) { - return ((void (^)(const void *key, const void *value))context)(key, value); + ((__SECBRIDGE void (^)(const void *key, const void *value))context)(key, value); +} + +// +// MARK: Type checking +// + +static inline bool isArray(CFTypeRef cfType) { + return cfType && CFGetTypeID(cfType) == CFArrayGetTypeID(); +} + +static inline bool isSet(CFTypeRef cfType) { + return cfType && CFGetTypeID(cfType) == CFSetGetTypeID(); +} + +static inline bool isData(CFTypeRef cfType) { + return cfType && CFGetTypeID(cfType) == CFDataGetTypeID(); +} + +static inline bool isDate(CFTypeRef cfType) { + return cfType && CFGetTypeID(cfType) == CFDateGetTypeID(); +} + +static inline bool isDictionary(CFTypeRef cfType) { + return cfType && CFGetTypeID(cfType) == CFDictionaryGetTypeID(); +} + +static inline bool isNumber(CFTypeRef cfType) { + return cfType && CFGetTypeID(cfType) == CFNumberGetTypeID(); +} + +static inline bool isNumberOfType(CFTypeRef cfType, CFNumberType number) { + return isNumber(cfType) && CFNumberGetType((CFNumberRef)cfType) == number; +} + +static inline bool isString(CFTypeRef cfType) { + return cfType && CFGetTypeID(cfType) == CFStringGetTypeID(); +} + +static inline bool isBoolean(CFTypeRef cfType) { + return cfType && CFGetTypeID(cfType) == CFBooleanGetTypeID(); +} + +static inline bool isNull(CFTypeRef cfType) { + return cfType && CFGetTypeID(cfType) == CFNullGetTypeID(); } // 
@@ -275,6 +325,8 @@ static inline CFDataRef CFDataCreateCopyFromRange(CFAllocatorRef allocator, CFDa CFDataRef CFDataCreateWithRandomBytes(size_t len); +CFDataRef CFDataCreateWithInitializer(CFAllocatorRef allocator, CFIndex size, bool (^operation)(size_t size, uint8_t *buffer)); + static inline uint8_t* CFDataIncreaseLengthAndGetMutableBytes(CFMutableDataRef data, CFIndex extraLength) { CFIndex startOffset = CFDataGetLength(data); @@ -323,11 +375,31 @@ static inline CFDataRef CFDataCreateCopyFromPositions(CFAllocatorRef allocator, return CFDataCreateCopyFromRange(allocator, source, CFRangeMake(start, end - start)); } +static inline int nibletToByte(char niblet) { + if(niblet >= '0' && niblet <= '9') return niblet - '0'; + if(niblet >= 'a' && niblet <= 'f') return niblet - 'a' + 10; + if(niblet >= 'A' && niblet <= 'F') return niblet - 'A' + 10; + return 0; +} + +static inline CFDataRef CFDataCreateFromHexString(CFAllocatorRef allocator, CFStringRef sourceHex) { + CFIndex sourceLen = CFStringGetLength(sourceHex); + if((sourceLen % 2) != 0) return NULL; + const char *src = CFStringGetCStringPtr(sourceHex, kCFStringEncodingUTF8); + UInt8 bytes[sourceLen/2]; + for(int i = 0; i < sourceLen; i+=2) { + bytes[i/2] = (UInt8) (nibletToByte(src[i]) * 16 + nibletToByte(src[i+1])); + } + return CFDataCreate(allocator, bytes, sourceLen/2); +} + // // MARK: CFString Helpers // +CFComparisonResult CFStringCompareSafe(const void *val1, const void *val2, void *context); + // // Turn a CFString into an allocated UTF8-encoded C string. // @@ -395,7 +467,7 @@ static inline CF_RETURNS_RETAINED CFStringRef CFDataCopyHexString(CFDataRef data } static inline void CFDataPerformWithHexString(CFDataRef data, void (^operation)(CFStringRef dataString)) { - CFStringRef hexString = CFDataCopyHexString(data); + CFStringRef hexString = data ? CFDataCopyHexString(data) : CFSTR("(null)"); operation(hexString); CFRelease(hexString); } 
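Review bot: CFDataCreateFromHexString dereferences the result of CFStringGetCStringPtr without a NULL check, and that call is documented to return NULL whenever CoreFoundation cannot hand out its internal buffer in the requested encoding, so the loop reads from address 0 on some inputs. It also sizes `bytes` as a VLA from the string length (stack exhaustion on a long input, and a zero-length array when sourceLen is 0), and because nibletToByte maps every non-hex character to 0 it silently accepts garbage such as "zz" as 0x00 — a decoder that is presumably fed persisted or remote text should reject that. The rewrite below reads characters through CFStringGetCharacterAtIndex, builds the output in a CFMutableData, and fails on non-hex input; nibletToByte's fallback becomes -1 so that rejection is possible.
```c
static inline int nibletToByte(char niblet) {
    // … unchanged: '0'-'9', 'a'-'f', 'A'-'F' ranges …
    return -1;   // was 0: a non-hex character must be distinguishable from '0'
}

static inline CFDataRef CFDataCreateFromHexString(CFAllocatorRef allocator, CFStringRef sourceHex) {
    if (!sourceHex) return NULL;
    CFIndex sourceLen = CFStringGetLength(sourceHex);
    if (sourceLen <= 0 || (sourceLen % 2) != 0) return NULL;
    CFMutableDataRef result = CFDataCreateMutable(allocator, sourceLen / 2);
    if (!result) return NULL;
    CFDataSetLength(result, sourceLen / 2);
    UInt8 *bytes = CFDataGetMutableBytePtr(result);
    for (CFIndex i = 0; i < sourceLen; i += 2) {
        // Character access avoids CFStringGetCStringPtr, which may return NULL.
        UniChar hi = CFStringGetCharacterAtIndex(sourceHex, i);
        UniChar lo = CFStringGetCharacterAtIndex(sourceHex, i + 1);
        int h = hi < 0x80 ? nibletToByte((char)hi) : -1;
        int l = lo < 0x80 ? nibletToByte((char)lo) : -1;
        if (h < 0 || l < 0) {
            CFRelease(result);   // reject non-hex input instead of decoding it as zero
            return NULL;
        }
        bytes[i / 2] = (UInt8)(h * 16 + l);
    }
    return result;
}
```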
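Review bot: CFDataPerformWithHexString now hands a `CFSTR("(null)")` constant to the `CFRelease` that was written for the +1 string from CFDataCopyHexString. Constant strings tolerate the extra release in practice, but the ownership of the two branches is asymmetric and a later change of the placeholder to a created string would not be caught; `CFStringRef hexString = data ? CFDataCopyHexString(data) : CFStringCreateCopy(kCFAllocatorDefault, CFSTR("(null)"));` keeps every path at +1.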
@@ -423,6 +495,12 @@ static inline void CFStringWriteToFileWithNewline(CFStringRef inStr, FILE* file) fputc('\n', file); } +static inline CFStringRef CFStringCreateTruncatedCopy(CFStringRef s, CFIndex len) { + if(!s) return NULL; + if(len >= CFStringGetLength(s)) return CFStringCreateCopy(kCFAllocatorDefault, s); + return CFStringCreateWithSubstring(kCFAllocatorDefault, s, CFRangeMake(0, len)); +} + // // MARK: CFCollectionHelpers // @@ -458,10 +536,14 @@ static inline CFIndex CFArrayRemoveAllValue(CFMutableArrayRef array, const void* return numberRemoved; } +static inline void CFArrayAppendAll(CFMutableArrayRef array, CFArrayRef arrayToAppend) { + CFArrayAppendArray(array, arrayToAppend, CFRangeMake(0, CFArrayGetCount(arrayToAppend))); +} + #define CFArrayForEachC(array, value) for (CFIndex _aCount = CFArrayGetCount(array), _aIX = 0;value = (__typeof__(value))(_aIX < _aCount ? CFArrayGetValueAtIndex(array, _aIX) : 0), _aIX < _aCount; ++_aIX) static inline void CFArrayForEach(CFArrayRef array, void (^operation)(const void *value)) { - CFArrayApplyFunction(array, CFRangeMake(0, CFArrayGetCount(array)), apply_block_1, operation); + CFArrayApplyFunction(array, CFRangeMake(0, CFArrayGetCount(array)), apply_block_1, (__SECBRIDGE void *)operation); } static inline void CFArrayForEachReverse(CFArrayRef array, void (^operation)(const void *value)) { @@ -562,7 +644,7 @@ static inline CFMutableArrayRef CFArrayCreateMutableForCFTypes(CFAllocatorRef al return CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); } -static inline CFArrayRef CFArrayCreateForCFTypes(CFAllocatorRef allocator, ...) +static inline CFArrayRef SECWRAPPER_SENTINEL CFArrayCreateForCFTypes(CFAllocatorRef allocator, ...) { va_list args; va_start(args, allocator); 
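Review bot: CFStringCreateTruncatedCopy guards against a NULL string but not a negative `len`; `CFRangeMake(0, len)` with a negative length reaches CFStringCreateWithSubstring, which does not accept it. `if (len < 0) return NULL;` after the NULL check keeps the helper total, and a comment `// returns a full copy when len covers the whole string` would document the first branch. CFArrayAppendAll in the following hunk likewise calls CFArrayGetCount on `arrayToAppend` unguarded, which is inconsistent with the NULL-tolerant helpers elsewhere in this header; `if (!arrayToAppend) return;` would match them.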
@@ -606,7 +688,7 @@ static inline CFDictionaryRef CFDictionaryCreateCountedForCFTypesV(CFAllocatorRe &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); } -static inline CFDictionaryRef CFDictionaryCreateForCFTypes(CFAllocatorRef allocator, ...) +static inline CFDictionaryRef SECWRAPPER_SENTINEL CFDictionaryCreateForCFTypes(CFAllocatorRef allocator, ...) { va_list args; va_start(args, allocator); @@ -638,7 +720,7 @@ static inline CFMutableDictionaryRef CFDictionaryCreateMutableForCFTypes(CFAlloc return CFDictionaryCreateMutable(allocator, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); } -static inline CFMutableDictionaryRef CFDictionaryCreateMutableForCFTypesWith(CFAllocatorRef allocator, ...) +static inline CFMutableDictionaryRef SECWRAPPER_SENTINEL CFDictionaryCreateMutableForCFTypesWith(CFAllocatorRef allocator, ...) { CFMutableDictionaryRef result = CFDictionaryCreateMutableForCFTypes(allocator); @@ -664,8 +746,12 @@ static inline CFMutableSetRef CFSetCreateMutableForCFTypes(CFAllocatorRef alloca return CFSetCreateMutable(allocator, 0, &kCFTypeSetCallBacks); } +static inline bool CFSetIsEmpty(CFSetRef set) { + return CFSetGetCount(set) == 0; +} + static inline void CFSetForEach(CFSetRef set, void (^operation)(const void *value)) { - CFSetApplyFunction(set, apply_block_1, operation); + CFSetApplyFunction(set, apply_block_1, (__SECBRIDGE void *)operation); } static inline void CFSetUnion(CFMutableSetRef set, CFSetRef unionWith) { 
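Review bot: CFSetIsEmpty crashes on a NULL set because CFSetGetCount does not accept NULL, while neighbouring helpers such as isSet treat NULL as ordinary input. Since an absent set is naturally empty, `return !set || CFSetGetCount(set) == 0;` is both safer and the more useful contract; mark it with `// NULL counts as empty`.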
@@ -707,6 +793,18 @@ static inline CFMutableArrayRef CFSetCopyValues(CFSetRef set) { return values; } +static inline bool CFSetIntersectionIsEmpty(CFSetRef set1, CFSetRef set2) { + __block bool intersectionIsEmpty = true; + CFSetForEach(set1, ^(const void *value) { + intersectionIsEmpty &= !CFSetContainsValue(set2, value); + }); + return intersectionIsEmpty; +} + +static inline bool CFSetIntersects(CFSetRef set1, CFSetRef set2) { + return !CFSetIntersectionIsEmpty(set1, set2); +} + static inline CFMutableSetRef CFSetCreateIntersection(CFAllocatorRef allocator, CFSetRef a, CFSetRef b) { CFMutableSetRef result = CFSetCreateMutableCopy(allocator, 0, a); @@ -734,13 +832,20 @@ static inline void CFSetTransferObject(CFTypeRef object, CFMutableSetRef from, C CFSetRemoveValue(from, object); } +// +// MARK: CFStringXxx Helpers +// + +void CFStringArrayPerfromWithDelimeterWithDescription(CFArrayRef strings, CFStringRef start, CFStringRef end, void (^action)(CFStringRef description)); +void CFStringArrayPerfromWithDescription(CFArrayRef strings, void (^action)(CFStringRef description)); +void CFStringSetPerformWithDescription(CFSetRef set, void (^action)(CFStringRef description)); // // MARK: CFDictionary Helpers // static inline void CFDictionaryForEach(CFDictionaryRef dictionary, void (^operation)(const void *key, const void *value)) { - CFDictionaryApplyFunction(dictionary, apply_block_2, operation); + CFDictionaryApplyFunction(dictionary, apply_block_2, (__SECBRIDGE void *)operation); } CFStringRef CFDictionaryCopyCompactDescription(CFDictionaryRef dictionary); 
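Review bot: CFSetIntersectionIsEmpty walks every element of set1 even after the first common value is found, because CFSetForEach offers no early exit, and it always iterates set1 regardless of which set is smaller. Without changing the shape, the cost can be bounded by the smaller set: `if (CFSetGetCount(set2) < CFSetGetCount(set1)) { CFSetRef t = set1; set1 = set2; set2 = t; }` before the loop. CFSetContainsValue with a NULL set2 (or CFSetForEach with a NULL set1) is also unguarded, so either add `if (!set1 || !set2) return true;` or document in a comment that both arguments must be non-NULL.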
@@ -831,51 +936,6 @@ static inline CFDateRef CFDateCreateForGregorianZuluDay(CFAllocatorRef allocator return CFDateCreate(allocator, CFAbsoluteTimeForGregorianZuluDay(year, month, day)); } - -// -// MARK: Type checking -// - -static inline bool isArray(CFTypeRef cfType) { - return cfType && CFGetTypeID(cfType) == CFArrayGetTypeID(); -} - -static inline bool isSet(CFTypeRef cfType) { - return cfType && CFGetTypeID(cfType) == CFSetGetTypeID(); -} - -static inline bool isData(CFTypeRef cfType) { - return cfType && CFGetTypeID(cfType) == CFDataGetTypeID(); -} - -static inline bool isDate(CFTypeRef cfType) { - return cfType && CFGetTypeID(cfType) == CFDateGetTypeID(); -} - -static inline bool isDictionary(CFTypeRef cfType) { - return cfType && CFGetTypeID(cfType) == CFDictionaryGetTypeID(); -} - -static inline bool isNumber(CFTypeRef cfType) { - return cfType && CFGetTypeID(cfType) == CFNumberGetTypeID(); -} - -static inline bool isNumberOfType(CFTypeRef cfType, CFNumberType number) { - return isNumber(cfType) && CFNumberGetType((CFNumberRef)cfType) == number; -} - -static inline bool isString(CFTypeRef cfType) { - return cfType && CFGetTypeID(cfType) == CFStringGetTypeID(); -} - -static inline bool isBoolean(CFTypeRef cfType) { - return cfType && CFGetTypeID(cfType) == CFBooleanGetTypeID(); -} - -static inline bool isNull(CFTypeRef cfType) { - return cfType && CFGetTypeID(cfType) == CFNullGetTypeID(); -} - // // MARK: PropertyList Helpers // @@ -904,7 +964,7 @@ static inline CF_RETURNS_RETAINED CFPropertyListRef CFPropertyListReadFromFile(C CFErrorRef error = NULL; CFBooleanRef isRegularFile; if (!CFURLCopyResourcePropertyForKey(file, kCFURLIsRegularFileKey, &isRegularFile, &error)) { - secdebug("plist", "file %@: %@", file, error); + secinfo("plist", "file %@: %@", file, error); } else if (CFBooleanGetValue(isRegularFile)) { CFReadStreamRef readStream = CFReadStreamCreateWithFile(kCFAllocatorDefault, file); if (readStream) { 
@@ -923,11 +983,6 @@ static inline CF_RETURNS_RETAINED CFPropertyListRef CFPropertyListReadFromFile(C return result; } -// -// MARK: Custom Allocator for Sensitive Data -// -CFAllocatorRef CFAllocatorSensitive(void); - __END_DECLS #endif /* _SECCFWRAPPERS_H_ */ diff --git a/OSX/utilities/src/SecDb.c b/OSX/utilities/src/SecDb.c index 335add40..a75b5243 100644 --- a/OSX/utilities/src/SecDb.c +++ b/OSX/utilities/src/SecDb.c @@ -29,6 +29,7 @@ #include <sqlite3_private.h> #include <CoreFoundation/CoreFoundation.h> #include <libgen.h> +#include <sys/csr.h> #include <sys/stat.h> #include <AssertMacros.h> #include "SecCFWrappers.h" @@ -46,10 +47,6 @@ #include <Security/SecureObjectSync/SOSDigestVector.h> #include <Security/SecureObjectSync/SOSManifest.h> -#define LOGE(ARG,...) secerror(ARG, ## __VA_ARGS__) -#define LOGV(ARG,...) secdebug("secdb", ARG, ## __VA_ARGS__) -#define LOGD(ARG,...) secdebug("secdb", ARG, ## __VA_ARGS__) - #define HAVE_UNLOCK_NOTIFY 0 struct __OpaqueSecDbStatement { @@ -69,6 +66,7 @@ struct __OpaqueSecDbConnection { bool inTransaction; SecDbTransactionSource source; bool isCorrupted; + int maybeCorruptedCode; CFErrorRef corruptionError; sqlite3 *handle; // Pending deletions and additions for the current transaction @@ -84,14 +82,14 @@ struct __OpaqueSecDb { CFStringRef db_path; dispatch_queue_t queue; + dispatch_queue_t commitQueue; CFMutableArrayRef connections; dispatch_semaphore_t write_semaphore; dispatch_semaphore_t read_semaphore; bool didFirstOpen; bool (^opened)(SecDbConnectionRef dbconn, bool didCreate, bool *callMeAgainForNextConnection, CFErrorRef *error); bool callOpenedHandlerForNextConnection; - dispatch_queue_t notifyQueue; - SecDBNotifyBlock notifyPhase; + CFMutableArrayRef notifyPhase; /* array of SecDBNotifyBlock */ }; // MARK: Error domains and error helper functions 
@@ -100,6 +98,7 @@ CFStringRef kSecDbErrorDomain = CFSTR("com.apple.utilities.sqlite3"); bool SecDbError(int sql_code, CFErrorRef *error, CFStringRef format, ...) { if (sql_code == SQLITE_OK) return true; + if (error) { va_list args; CFIndex code = sql_code; @@ -108,7 +107,6 @@ bool SecDbError(int sql_code, CFErrorRef *error, CFStringRef format, ...) { *error = NULL; va_start(args, format); SecCFCreateErrorWithFormatAndArguments(code, kSecDbErrorDomain, previousError, error, NULL, format, args); - CFReleaseNull(previousError); va_end(args); } return false; @@ -177,10 +175,12 @@ SecDbDestroy(CFTypeRef value) CFReleaseSafe(db->connections); CFReleaseSafe(db->db_path); dispatch_release(db->queue); + dispatch_release(db->commitQueue); dispatch_release(db->read_semaphore); dispatch_release(db->write_semaphore); if (db->opened) Block_release(db->opened); + CFReleaseNull(db->notifyPhase); } CFGiblisFor(SecDb) @@ -197,17 +197,24 @@ SecDbCreate(CFStringRef dbName, CFStringPerformWithCString(dbName, ^(const char *dbNameStr) { db->queue = dispatch_queue_create(dbNameStr, DISPATCH_QUEUE_SERIAL); }); + CFStringRef commitQueueStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@-commit"), dbName); + CFStringPerformWithCString(commitQueueStr, ^(const char *cqNameStr) { + db->commitQueue = dispatch_queue_create(cqNameStr, DISPATCH_QUEUE_CONCURRENT); + }); + CFReleaseNull(commitQueueStr); db->read_semaphore = dispatch_semaphore_create(kSecDbMaxReaders); db->write_semaphore = dispatch_semaphore_create(kSecDbMaxWriters); db->connections = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); db->opened = opened ? Block_copy(opened) : NULL; if (getenv("__OSINSTALL_ENVIRONMENT") != NULL) { // TODO: Move this code out of this layer - LOGV("sqlDb: running from installer"); + secinfo("#SecDB", "SecDB: running from installer"); + db->db_path = CFSTR("file::memory:?cache=shared"); } else { db->db_path = CFStringCreateCopy(kCFAllocatorDefault, dbName); } + done: return db; } 
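Review bot: Dropping `CFReleaseNull(previousError)` in `SecDbError` is only correct if `SecCFCreateErrorWithFormatAndArguments` now takes ownership of the `previousError` it is handed; nothing in this hunk shows that, and if it merely retains the underlying error, every chained error now leaks the previous one. Whichever is the case, the ownership transfer deserves a comment at the call, e.g. `/* previousError is consumed by SecCFCreateErrorWithFormatAndArguments */`. SecDbError's body starts before this hunk.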
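Review bot: The `done:` label added at the end of `SecDbCreate` has no `goto` targeting it within the hunk, so it is either dead (a `-Wunused-label` warning) or relies on a jump in lines not shown here. The installer path also switches `db_path` to the URI `file::memory:?cache=shared`, which SQLite only interprets as a URI when the handle is opened with `SQLITE_OPEN_URI` (or the library is built with `SQLITE_USE_URI`); the open flags are not in this hunk, so please confirm, otherwise SQLite will create an on-disk file literally named `file::memory:?cache=shared`. A comment on the new line, `// in-memory DB shared by this process's connections; requires SQLITE_OPEN_URI at open`, would record both facts for the next reader.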
@@ -221,42 +228,32 @@ SecDbIdleConnectionCount(SecDbRef db) { return count; } -void SecDbSetNotifyPhaseBlock(SecDbRef db, dispatch_queue_t queue, SecDBNotifyBlock notifyPhase) { - if (db->notifyQueue) - dispatch_release(db->notifyQueue); - if (db->notifyPhase) - Block_release(db->notifyPhase); - - if (queue) { - db->notifyQueue = queue; - dispatch_retain(db->notifyQueue); - } else { - db->notifyQueue = NULL; +void SecDbAddNotifyPhaseBlock(SecDbRef db, SecDBNotifyBlock notifyPhase) +{ + SecDBNotifyBlock block = Block_copy(notifyPhase); /* Force the block off the stack */ + if (db->notifyPhase == NULL) { + db->notifyPhase = CFArrayCreateMutableForCFTypes(NULL); } - if (notifyPhase) - db->notifyPhase = Block_copy(notifyPhase); - else - db->notifyPhase = NULL; + CFArrayAppendValue(db->notifyPhase, block); + Block_release(block); } static void SecDbNotifyPhase(SecDbConnectionRef dbconn, SecDbTransactionPhase phase) { if (CFArrayGetCount(dbconn->changes)) { CFArrayRef changes = dbconn->changes; dbconn->changes = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - if (dbconn->db->notifyPhase) - dbconn->db->notifyPhase(dbconn, phase, dbconn->source, changes); + if (dbconn->db->notifyPhase) { + CFArrayForEach(dbconn->db->notifyPhase, ^(const void *value) { + SecDBNotifyBlock notifyBlock = (SecDBNotifyBlock)value; + notifyBlock(dbconn, phase, dbconn->source, changes); + }); + } CFReleaseSafe(changes); } } -static void SecDbOnNotifyQueue(SecDbConnectionRef dbconn, void (^perform)()) { - if (dbconn->db->notifyQueue) { - dispatch_sync(dbconn->db->notifyQueue, ^{ - perform(); - }); - } else { - perform(); - } +static void SecDbOnNotify(SecDbConnectionRef dbconn, void (^perform)()) { + perform(); } CFStringRef SecDbGetPath(SecDbRef db) { 
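Review bot: `SecDbAddNotifyPhaseBlock` no longer tolerates a NULL block: `Block_copy(NULL)` yields NULL and `CFArrayAppendValue` on an array created with CF-type callbacks then calls `CFRetain(NULL)`, whereas the replaced `SecDbSetNotifyPhaseBlock` accepted NULL to clear the handler. An early `if (notifyPhase == NULL) return;` keeps the old tolerance. Separately, the array is appended here and walked by `CFArrayForEach` in `SecDbNotifyPhase` with no lock in sight; if registration can happen after connections are live, that is a race on a mutable CFArray, so either document that blocks must be added before the first transaction or serialize registration on `db->queue`.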
@@ -280,7 +277,7 @@ static bool SecDbCheckCorrupted(SecDbConnectionRef dbconn) }); }); if (error) { - LOGV("sqlDb: warning error %@ when running integrity check", error); + secinfo("#SecDB", "#SecDB warning error %{public}@ when running integrity check", error); CFRelease(error); } return isCorrupted; @@ -288,15 +285,16 @@ static bool SecDbCheckCorrupted(SecDbConnectionRef dbconn) static bool SecDbDidCreateFirstConnection(SecDbConnectionRef dbconn, bool didCreate, CFErrorRef *error) { - LOGD("sqlDb: starting maintenance"); + secinfo("#SecDB", "#SecDB starting maintenance"); bool ok = true; if (!didCreate && !dbconn->isCorrupted) { dbconn->isCorrupted = SecDbCheckCorrupted(dbconn); - if (dbconn->isCorrupted) - secerror("integrity check=fail"); - else - LOGD("sqlDb: integrity check=pass"); + if (dbconn->isCorrupted) { + secinfo("#SecDB", "#SecDB integrity check=fail"); + } else { + secinfo("#SecDB", "#SecDB starting maintenance"); + } } if (!dbconn->isCorrupted && dbconn->db->opened) { @@ -312,7 +310,8 @@ static bool SecDbDidCreateFirstConnection(SecDbConnectionRef dbconn, bool didCre *error = localError; localError = NULL; } else { - secerror("opened block failed: error is released and lost"); + if (localError) + secerror("opened block failed: error is released and lost"); CFReleaseNull(localError); } } 
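Review bot: In `SecDbDidCreateFirstConnection` the integrity-check outcome is now logged wrongly on both branches: a failed check drops from `secerror` to `secinfo`, which (assuming secinfo maps to os_log's info level) is not persisted on a release device, and the passing branch logs `#SecDB starting maintenance` instead of the removed `integrity check=pass`. A corrupt keychain database is exactly the event an incident responder wants at error level, so keep `secerror("integrity check=fail");` and make the else branch `secinfo("#SecDB", "#SecDB integrity check=pass");`. The function body continues past this hunk.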
@@ -321,14 +320,25 @@ static bool SecDbDidCreateFirstConnection(SecDbConnectionRef dbconn, bool didCre ok = SecDbHandleCorrupt(dbconn, 0, error); } - LOGD("sqlDb: finished maintenance"); + secinfo("#SecDB", "#SecDB starting maintenance"); return ok; } void SecDbCorrupt(SecDbConnectionRef dbconn, CFErrorRef error) { + CFStringRef str = CFStringCreateWithFormat(NULL, NULL, CFSTR("SecDBCorrupt: %@"), error); + if (str) { + char buffer[1000] = "?"; + uint32_t errorCode = 0; + CFStringGetCString(str, buffer, sizeof(buffer), kCFStringEncodingUTF8); + os_log_fault(logObjForScope("SecEmergency"), "%s", buffer); + if (error) + errorCode = (uint32_t)CFErrorGetCode(error); + __security_simulatecrash(str, __sec_exception_code_CorruptDb(errorCode)); + CFRelease(str); + } dbconn->isCorrupted = true; - CFAssignRetained(dbconn->corruptionError, error); + CFRetainAssign(dbconn->corruptionError, error); } @@ -365,7 +375,9 @@ static bool SecDbConnectionCheckCode(SecDbConnectionRef dbconn, int code, CFErro /* If it's already corrupted, don't try to recover */ if (dbconn->isCorrupted) { - CFStringRef reason = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SQL DB %@ is corrupted already. Not trying to recover"), dbconn->db->db_path); + CFStringRef reason = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR("SQL DB %@ is corrupted already. Not trying to recover, corrution error was: %d (previously %d)"), + dbconn->db->db_path, code, dbconn->maybeCorruptedCode); secerror("%@",reason); __security_simulatecrash(reason, __sec_exception_code_TwiceCorruptDb(knownDbPathIndex(dbconn))); CFReleaseSafe(reason); 
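Review bot: `SecDbCorrupt` ignores the result of `CFStringGetCString`; when the formatted description does not fit in the 1000-byte buffer the fault line and the simulated crash carry either the initial `?` or a partial string, and the only reason the partial case stays NUL-terminated is the array initializer zero-filling the tail. `os_log_fault` can format the CFString directly, so `os_log_fault(logObjForScope("SecEmergency"), "%{public}@", str);` removes both the buffer and the failure mode. Also, `secinfo("#SecDB", "#SecDB starting maintenance");` at the top of this hunk replaces the old `finished maintenance` message, which looks like a copy-paste slip.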
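Review bot: The new reason string in `SecDbConnectionCheckCode` spells `corrution`; since this text goes to `secerror` and into the simulated-crash report it should read `corruption error was: %d (previously %d)`. `maybeCorruptedCode` is only assigned on the integrity-check path in the next hunk and is initialised to 0 in `SecDbConnectionCreate`, so on a connection marked corrupt through `SecDbCorrupt` the message will say `previously 0`, which is misleading; consider noting that in the message. The function starts before this hunk.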
@@ -376,6 +388,7 @@ static bool SecDbConnectionCheckCode(SecDbConnectionRef dbconn, int code, CFErro if (dbconn->isCorrupted) { /* Run integrity check and only make dbconn->isCorrupted true and run the corruption handler if the integrity check conclusively fails. */ + dbconn->maybeCorruptedCode = code; dbconn->isCorrupted = SecDbCheckCorrupted(dbconn); if (dbconn->isCorrupted) { secerror("operation returned code: %d integrity check=fail", code); @@ -424,7 +437,7 @@ static bool SecDbBusyHandler(SecDbConnectionRef dbconn, CFErrorRef *error) { static int sleepBackoff[] = { 10, 20, 50, 100, 250 }; static int sumBackoff[] = { 10, 30, 80, 180, 430 }; -static int numEntries = sizeof(sleepBackoff)/sizeof(sleepBackoff[0]); +static int NumberOfSleepBackoff = sizeof(sleepBackoff)/sizeof(sleepBackoff[0]); // Return true causes the operation to be tried again. static bool SecDbWaitIfNeeded(SecDbConnectionRef dbconn, int s3e, sqlite3_stmt *stmt, CFStringRef desc, int nTries, CFErrorRef *error) { 
@@ -439,19 +452,19 @@ static bool SecDbWaitIfNeeded(SecDbConnectionRef dbconn, int s3e, sqlite3_stmt * _Static_assert(sizeof(sumBackoff) == sizeof(sleepBackoff), "matching arrays not matching"); _Static_assert(sizeof(sumBackoff[0]) == sizeof(sleepBackoff[0]), "matching arrays not matching"); - if (nTries < numEntries) { + if (nTries < NumberOfSleepBackoff) { timeout = sleepBackoff[nTries]; totaltimeout = sumBackoff[nTries]; } else { - timeout = sleepBackoff[numEntries - 1]; - totaltimeout = sumBackoff[numEntries - 1] + (timeout * (nTries - numEntries)); + timeout = sleepBackoff[NumberOfSleepBackoff - 1]; + totaltimeout = sumBackoff[NumberOfSleepBackoff - 1] + (timeout * (nTries - NumberOfSleepBackoff)); } if (totaltimeout < BUSY_TIMEOUT_MS) { - LOGE("sqlite busy/locked: %d ntries: %d totaltimeout: %d", s3e, nTries, totaltimeout); + secinfo("#SecDB", "sqlite busy/locked: %d ntries: %d totaltimeout: %d", s3e, nTries, totaltimeout); sqlite3_sleep(timeout); return true; } else { - LOGE("sqlite busy/locked: too long: %d ms, giving up", totaltimeout); + secinfo("#SecDB", "sqlite busy/locked: too long: %d ms, giving up", totaltimeout); } } @@ -472,11 +485,17 @@ static SecDbStepResult _SecDbStep(SecDbConnectionRef dbconn, sqlite3_stmt *stmt, for (;;) { s3e = sqlite3_step(stmt); if (s3e == SQLITE_ROW) { - ntries = 0; return kSecDbRowStep; - } else if (s3e == SQLITE_DONE) + } else if (s3e == SQLITE_DONE) { + /* + ** ^[SQLITE_DONE] means that the statement has finished executing + ** successfully. sqlite3_step() should not be called again on this virtual + ** machine without first calling [] to reset the virtual + ** machine back to its initial state. + */ + sqlite3_reset(stmt); return kSecDbDoneStep; - else if (!SecDbWaitIfNeeded(dbconn, s3e, stmt, CFSTR("step"), ntries, error)) { + } else if (!SecDbWaitIfNeeded(dbconn, s3e, stmt, CFSTR("step"), ntries, error)) { return kSecDbErrorStep; } ntries++; 
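Review bot: The new comment in `_SecDbStep` is a partially pasted sqlite3_step() doc — `without first calling [] to reset` lost its `sqlite3_reset()` reference — and the `sqlite3_reset` call below it silently discards its return, which is acceptable only because a statement that just returned SQLITE_DONE resets with SQLITE_OK. Rewrite it as `/* SQLITE_DONE: the statement finished; reset it so callers may re-bind and step it again (sqlite3_reset() returns SQLITE_OK after a successful step). */`. The enclosing function starts before this hunk.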
@@ -516,17 +535,24 @@ static bool SecDbBeginTransaction(SecDbConnectionRef dbconn, SecDbTransactionTyp CFStringRef query; switch (type) { case kSecDbImmediateTransactionType: + secnoticeq("db", "SecDbBeginTransaction SecDbBeginTransaction %p", dbconn); query = CFSTR("BEGIN IMMEDATE"); break; case kSecDbExclusiveRemoteTransactionType: + secnoticeq("db", "SecDbBeginTransaction kSecDbExclusiveRemoteTransactionType %p", dbconn); dbconn->source = kSecDbSOSTransaction; + // FALL THROUGH case kSecDbExclusiveTransactionType: + if (type==kSecDbExclusiveTransactionType) + secnoticeq("db", "SecDbBeginTransaction kSecDbExclusiveTransactionType %p", dbconn); query = CFSTR("BEGIN EXCLUSIVE"); break; case kSecDbNormalTransactionType: + secnoticeq("db", "SecDbBeginTransaction kSecDbNormalTransactionType %p", dbconn); query = CFSTR("BEGIN"); break; default: + secnoticeq("db", "SecDbBeginTransaction invalid transaction type %lu", type); ok = SecDbError(SQLITE_ERROR, error, CFSTR("invalid transaction type %" PRIu32), type); query = NULL; break; 
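Review bot: The `default:` branch of `SecDbBeginTransaction` logs `type` with `%lu` while the very next line formats the same value with `PRIu32`; the adjacent line treats it as 32-bit, so `%lu` is a mismatched format on LP64 and will trip `-Wformat`. Use `secnoticeq("db", "SecDbBeginTransaction invalid transaction type %" PRIu32, type);`. Not introduced by this commit but on the new side: the context line `query = CFSTR("BEGIN IMMEDATE");` is not valid SQL (`IMMEDIATE`), so `kSecDbImmediateTransactionType` cannot begin a transaction at all — SQLite rejects it with a syntax error — and is worth fixing while touching this switch. These notice-level logs also fire on every transaction begin, which is noisy for a hot path.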
@@ -544,19 +570,26 @@ static bool SecDbBeginTransaction(SecDbConnectionRef dbconn, SecDbTransactionTyp static bool SecDbEndTransaction(SecDbConnectionRef dbconn, bool commit, CFErrorRef *error) { __block bool ok = true; - SecDbOnNotifyQueue(dbconn, ^{ - bool commited = false; + __block bool commited = false; + + dispatch_block_t notifyAndExec = ^{ if (commit) { + secnoticeq("db", "SecDbEndTransaction kSecDbTransactionWillCommit %p", dbconn); SecDbNotifyPhase(dbconn, kSecDbTransactionWillCommit); commited = ok = SecDbExec(dbconn, CFSTR("END"), error); + secnoticeq("db", "SecDbEndTransaction kSecDbTransactionWillCommit %p (after notify)", dbconn); } else { ok = SecDbExec(dbconn, CFSTR("ROLLBACK"), error); commited = false; } dbconn->inTransaction = false; SecDbNotifyPhase(dbconn, commited ? kSecDbTransactionDidCommit : kSecDbTransactionDidRollback); + secnoticeq("db", "SecDbEndTransaction %s %p", commited ? "kSecDbTransactionDidCommit" : "kSecDbTransactionDidRollback", dbconn); dbconn->source = kSecDbAPITransaction; - }); + }; + + SecDbPerformOnCommitQueue(dbconn, true, notifyAndExec); + return ok; } @@ -569,7 +602,7 @@ bool SecDbTransaction(SecDbConnectionRef dbconn, SecDbTransactionType type, if (dbconn->inTransaction) { transaction(&commit); if (!commit) { - LOGV("sqlDb: nested transaction asked to not be committed"); + secinfo("#SecDB", "#SecDB nested transaction asked to not be committed"); } } else { ok = SecDbBeginTransaction(dbconn, type, error); @@ -591,8 +624,10 @@ bool SecDbStep(SecDbConnectionRef dbconn, sqlite3_stmt *stmt, CFErrorRef *error, for (;;) { switch (_SecDbStep(dbconn, stmt, error)) { case kSecDbErrorStep: + secdebug("db", "kSecDbErrorStep %@", error?*error:NULL); return false; case kSecDbRowStep: + secdebug("db", "kSecDbRowStep %@", error?*error:NULL); if (row) { bool stop = false; row(&stop); 
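Review bot: When `SecDbExec(dbconn, CFSTR("END"), error)` fails, SQLite leaves the transaction open (COMMIT returning SQLITE_BUSY is the documented case), yet `notifyAndExec` still clears `dbconn->inTransaction`, fires `kSecDbTransactionDidRollback` and resets `source`, so the connection's bookkeeping no longer matches the handle. The added notice line after the exec does not even record the outcome; at minimum log it, `secnoticeq("db", "SecDbEndTransaction END %s %p", ok ? "ok" : "failed", dbconn);`, and consider issuing `ROLLBACK` before announcing a rollback. Running the notify blocks inside `dispatch_barrier_sync` on `commitQueue` also means any block that itself calls `SecDbPerformOnCommitQueue` on the same db deadlocks; that constraint belongs in the notify API's documentation.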
@@ -603,6 +638,7 @@ bool SecDbStep(SecDbConnectionRef dbconn, sqlite3_stmt *stmt, CFErrorRef *error, SecDbError(SQLITE_ERROR, error, CFSTR("SecDbStep SQLITE_ROW returned without a row handler")); return false; case kSecDbDoneStep: + secdebug("db", "kSecDbDoneStep %@", error?*error:NULL); return true; } } @@ -654,7 +690,7 @@ static bool SecDbTruncate(SecDbConnectionRef dbconn, CFErrorRef *error) } }); if (!ok) { - secerror("Failed to delete db handle: %@", error ? *error : NULL); + secinfo("#SecDB", "#SecDB Failed to delete db handle: %{public}@", error ? *error : NULL); abort(); } } @@ -664,10 +700,6 @@ static bool SecDbTruncate(SecDbConnectionRef dbconn, CFErrorRef *error) static bool SecDbHandleCorrupt(SecDbConnectionRef dbconn, int rc, CFErrorRef *error) { - CFStringRef reason = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SQL DB %@ is corrupted, trying to recover (rc=%d) %@"), dbconn->db->db_path, rc, dbconn->corruptionError); - __security_simulatecrash(reason, __sec_exception_code_CorruptDb(knownDbPathIndex(dbconn), rc)); - CFReleaseSafe(reason); - // Backup current db. __block bool didRename = false; CFStringPerformWithCString(dbconn->db->db_path, ^(const char *db_path) { @@ -686,8 +718,8 @@ static bool SecDbHandleCorrupt(SecDbConnectionRef dbconn, int rc, CFErrorRef *er if (error) CFReleaseNull(*error); - didRename = SecCheckErrno(rename(db_path, buf), error, CFSTR("rename %s %s"), db_path, buf) && - (!dbconn->handle || SecDbError(sqlite3_close(dbconn->handle), error, CFSTR("close"))) && + didRename = (!dbconn->handle || SecDbError(sqlite3_close(dbconn->handle), error, CFSTR("close"))) && + SecCheckErrno(rename(db_path, buf), error, CFSTR("rename %s %s"), db_path, buf) && SecDbOpenHandle(dbconn, NULL, error); } if (didRename) { 
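Review bot: `SecDbTruncate` now logs the reason it is about to `abort()` at `secinfo`, which (assuming secinfo maps to os_log's info level) is kept only in memory by default; on a release device the crash report will show the abort but not the error that caused it. Keep this one at error level: `secerror("Failed to delete db handle: %{public}@", error ? *error : NULL);`. The close-before-rename reorder in `SecDbHandleCorrupt` is correct; both enclosing functions extend beyond the visible lines.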
@@ -716,57 +748,81 @@ static bool SecDbHandleCorrupt(SecDbConnectionRef dbconn, int rc, CFErrorRef *er static bool SecDbProfileEnabled(void) { -#if 0 static dispatch_once_t onceToken; static bool profile_enabled = false; - -#if DEBUG - //sudo defaults write /Library/Preferences/com.apple.security.auth profile -bool true + + // sudo defaults write /Library/Preferences/com.apple.security SQLProfile -bool true dispatch_once(&onceToken, ^{ - CFTypeRef profile = (CFNumberRef)CFPreferencesCopyValue(CFSTR("profile"), CFSTR(SECURITY_AUTH_NAME), kCFPreferencesAnyUser, kCFPreferencesCurrentHost); - - if (profile && CFGetTypeID(profile) == CFBooleanGetTypeID()) { + CFTypeRef profile = NULL; + + if (csr_check(CSR_ALLOW_APPLE_INTERNAL) != 0) + return; + + profile = (CFNumberRef)CFPreferencesCopyValue(CFSTR("SQLProfile"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesAnyHost); + + if (profile == NULL) + return; + + if (CFGetTypeID(profile) == CFBooleanGetTypeID()) { profile_enabled = CFBooleanGetValue((CFBooleanRef)profile); + } else if (CFGetTypeID(profile) == CFNumberGetTypeID()) { + int32_t num = 0; + CFNumberGetValue(profile, kCFNumberSInt32Type, &num); + profile_enabled = !!num; } - LOGV("sqlDb: sql profile: %s", profile_enabled ? "enabled" : "disabled"); + secinfo("#SecDB", "sqlDb: sql profile: %{public}s", profile_enabled ? 
"enabled" : "disabled"); CFReleaseSafe(profile); }); -#endif - + return profile_enabled; -#else -#if DEBUG - return true; -#else - return false; -#endif -#endif } -#if 0 -static void SecDbProfile(void *context __unused, const char *sql, sqlite3_uint64 ns) { - LOGV("==\nsqlDb: %s\nTime: %llu ms\n", sql, ns >> 20); -} -#else static void SecDbProfile(void *context, const char *sql, sqlite3_uint64 ns) { sqlite3 *s3h = context; int code = sqlite3_extended_errcode(s3h); if (code == SQLITE_OK || code == SQLITE_DONE) { - secdebug("profile", "==\nsqlDb: %s\nTime: %llu ms\n", sql, ns >> 20); + secinfo("#SecDB", "#SecDB sql: %{public}s\nTime: %llu ms", sql, ns >> 20); } else { - secdebug("profile", "==error[%d]: %s==\nsqlDb: %s\nTime: %llu ms \n", code, sqlite3_errmsg(s3h), sql, ns >> 20); + secinfo("#SecDB", "#SecDB error[%d]: %{public}s lDb: %{public}s time: %llu ms", code, sqlite3_errmsg(s3h), sql, ns >> 20); } } -#endif static bool SecDbTraceEnabled(void) { #if DEBUG return true; #else - return false; + static dispatch_once_t onceToken; + static bool trace_enabled = false; + + // sudo defaults write /Library/Preferences/com.apple.security SQLTrace -bool true + dispatch_once(&onceToken, ^{ + CFTypeRef trace = NULL; + + if (csr_check(CSR_ALLOW_APPLE_INTERNAL) != 0) + return; + + trace = (CFNumberRef)CFPreferencesCopyValue(CFSTR("SQLTrace"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost); + + if (trace == NULL) + return; + + if (CFGetTypeID(trace) == CFBooleanGetTypeID()) { + trace_enabled = CFBooleanGetValue((CFBooleanRef)trace); + } else if (CFGetTypeID(trace) == CFNumberGetTypeID()) { + int32_t num = 0; + CFNumberGetValue(trace, kCFNumberSInt32Type, &num); + trace_enabled = !!num; + } + + secinfo("#SecDB", "#SecDB sql trace: %{public}s", trace_enabled ? "enabled" : "disabled"); + + CFReleaseSafe(trace); + }); + + return trace_enabled; #endif } 
@@ -778,7 +834,7 @@ static void SecDbTrace(void *ctx, const char *trace) { queue = dispatch_queue_create("trace_queue", DISPATCH_QUEUE_SERIAL); }); dispatch_sync(queue, ^{ - __security_debug(CFSTR("trace"), "", "", 0, CFSTR("%s"), trace); + secinfo("#SecDB", "#SecDB %{public}s", trace); }); } @@ -834,6 +890,7 @@ SecDbConnectionCreate(SecDbRef db, bool readOnly, CFErrorRef *error) dbconn->inTransaction = false; dbconn->source = NULL; dbconn->isCorrupted = false; + dbconn->maybeCorruptedCode = 0; dbconn->corruptionError = NULL; dbconn->handle = NULL; dbconn->changes = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); @@ -854,7 +911,7 @@ static void SecDbConectionSetReadOnly(SecDbConnectionRef dbconn, bool readOnly) go to the start of the queue. */ SecDbConnectionRef SecDbConnectionAquire(SecDbRef db, bool readOnly, CFErrorRef *error) { CFRetain(db); - secdebug("dbconn", "acquire %s connection", readOnly ? "ro" : "rw"); + secinfo("dbconn", "acquire %s connection", readOnly ? "ro" : "rw"); dispatch_semaphore_wait(readOnly ? db->read_semaphore : db->write_semaphore, DISPATCH_TIME_FOREVER); __block SecDbConnectionRef dbconn = NULL; __block bool ok = true; @@ -942,7 +999,7 @@ void SecDbConnectionRelease(SecDbConnectionRef dbconn) { return; } SecDbRef db = dbconn->db; - secdebug("dbconn", "release %@", dbconn); + secinfo("dbconn", "release %@", dbconn); dispatch_sync(db->queue, ^{ CFIndex count = CFArrayGetCount(db->connections); // Add back possible writable dbconn to the pool. @@ -1002,6 +1059,17 @@ SecDbConnectionDestroy(CFTypeRef value) } +void SecDbPerformOnCommitQueue(SecDbConnectionRef dbconn, bool barrier, dispatch_block_t perform) { + if (barrier) { + dispatch_barrier_sync(dbconn->db->commitQueue, ^{ + perform(); + }); + } else { + dispatch_sync(dbconn->db->commitQueue, ^{ + perform(); + }); + } +} // MARK: - // MARK: Bind helpers 
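Review bot: `SecDbTrace` writes the trace text with `%{public}s`, which exempts it from os_log's default redaction; if this callback is installed through the legacy `sqlite3_trace()` (the registration is not in this hunk), SQLite hands it the statement with bound parameters expanded, so keychain attribute values bound into queries would land in the log unredacted. Unless the text is known to be parameter-free, prefer the private default, `secinfo("#SecDB", "#SecDB %s", trace);`, and reserve `{public}` for the profile callback, which SQLite gives the unexpanded SQL. The function starts before this hunk.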
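Review bot: `SecDbPerformOnCommitQueue` is a new exported entry point with no comment, and its contract matters: it is synchronous, a `barrier` call excludes every other block on the concurrent `commitQueue`, and calling it from a block already running on that queue (for instance from a notify-phase block invoked by `SecDbEndTransaction`) deadlocks because `dispatch_sync` onto the current queue never returns. Add a header comment stating those three points, and pass `perform` directly instead of wrapping it, `dispatch_barrier_sync(dbconn->db->commitQueue, perform);`, since the extra block only adds a copy.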
@@ -1010,7 +1078,7 @@ SecDbConnectionDestroy(CFTypeRef value) bool SecDbBindNull(sqlite3_stmt *stmt, int param, CFErrorRef *error) { bool ok = SecDbErrorWithStmt(sqlite3_bind_null(stmt, param), stmt, error, CFSTR("bind_null[%d]"), param); - secdebug("bind", "bind_null[%d]: %@", param, error ? *error : NULL); + secinfo("bind", "bind_null[%d]: %@", param, error ? *error : NULL); return ok; } #endif @@ -1022,7 +1090,7 @@ bool SecDbBindBlob(sqlite3_stmt *stmt, int param, const void *zData, size_t n, v } bool ok = SecDbErrorWithStmt(sqlite3_bind_blob(stmt, param, zData, (int)n, xDel), stmt, error, CFSTR("bind_blob[%d]"), param); - secdebug("bind", "bind_blob[%d]: %.*s: %@", param, (int)n, zData, error ? *error : NULL); + secinfo("bind", "bind_blob[%d]: %.*s: %@", param, (int)n, zData, error ? *error : NULL); return ok; } 
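Review bot: `SecDbBindBlob` now logs the bound bytes at `secinfo` instead of `secdebug`, and prints them with `%.*s` as if they were text; for a keychain database the blob is presumably an encrypted item payload or a digest, so the line is binary noise at best and, if private-data logging is enabled on the device, item ciphertext in the unified log at worst. Logging only the size is both readable and safe: `secinfo("bind", "bind_blob[%d]: %zu bytes: %@", param, n, error ? *error : NULL);`. The same consideration applies to `SecDbBindText` in the next hunk, which logs the full bound string.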
@@ -1033,28 +1101,28 @@ bool SecDbBindText(sqlite3_stmt *stmt, int param, const char *zData, size_t n, v } bool ok = SecDbErrorWithStmt(sqlite3_bind_text(stmt, param, zData, (int)n, xDel), stmt, error, CFSTR("bind_text[%d]"), param); - secdebug("bind", "bind_text[%d]: \"%s\": %@", param, zData, error ? *error : NULL); + secinfo("bind", "bind_text[%d]: \"%s\": %@", param, zData, error ? *error : NULL); return ok; } bool SecDbBindDouble(sqlite3_stmt *stmt, int param, double value, CFErrorRef *error) { bool ok = SecDbErrorWithStmt(sqlite3_bind_double(stmt, param, value), stmt, error, CFSTR("bind_double[%d]"), param); - secdebug("bind", "bind_double[%d]: %f: %@", param, value, error ? *error : NULL); + secinfo("bind", "bind_double[%d]: %f: %@", param, value, error ? *error : NULL); return ok; } bool SecDbBindInt(sqlite3_stmt *stmt, int param, int value, CFErrorRef *error) { bool ok = SecDbErrorWithStmt(sqlite3_bind_int(stmt, param, value), stmt, error, CFSTR("bind_int[%d]"), param); - secdebug("bind", "bind_int[%d]: %d: %@", param, value, error ? *error : NULL); + secinfo("bind", "bind_int[%d]: %d: %@", param, value, error ? *error : NULL); return ok; } bool SecDbBindInt64(sqlite3_stmt *stmt, int param, sqlite3_int64 value, CFErrorRef *error) { bool ok = SecDbErrorWithStmt(sqlite3_bind_int64(stmt, param, value), stmt, error, CFSTR("bind_int64[%d]"), param); - secdebug("bind", "bind_int64[%d]: %lld: %@", param, value, error ? *error : NULL); + secinfo("bind", "bind_int64[%d]: %lld: %@", param, value, error ? *error : NULL); return ok; } @@ -1102,7 +1170,7 @@ bool SecDbBindObject(sqlite3_stmt *stmt, int param, CFTypeRef value, CFErrorRef convertOk = CFNumberGetValue(value, kCFNumberDoubleType, &nval); result = SecDbBindDouble(stmt, param, nval, error); } else { - int nval; + SInt32 nval; convertOk = CFNumberGetValue(value, kCFNumberSInt32Type, &nval); if (convertOk) { result = SecDbBindInt(stmt, param, nval, error); 
@@ -1306,7 +1374,7 @@ void SecDbRecordChange(SecDbConnectionRef dbconn, CFTypeRef deleted, CFTypeRef i secerror("db %@ changed outside txn", dbconn); // Only notify of DidCommit, since WillCommit code assumes // we are in a txn. - SecDbOnNotifyQueue(dbconn, ^{ + SecDbOnNotify(dbconn, ^{ SecDbNotifyPhase(dbconn, kSecDbTransactionDidCommit); }); } diff --git a/OSX/utilities/src/SecDb.h b/OSX/utilities/src/SecDb.h index cefa055d..0cfb1f93 100644 --- a/OSX/utilities/src/SecDb.h +++ b/OSX/utilities/src/SecDb.h @@ -96,7 +96,7 @@ CFTypeID SecDbGetTypeID(void); SecDbRef SecDbCreate(CFStringRef dbName, bool (^opened)(SecDbConnectionRef dbconn, bool didCreate, bool *callMeAgainForNextConnection, CFErrorRef *error)); -void SecDbSetNotifyPhaseBlock(SecDbRef db, dispatch_queue_t queue, SecDBNotifyBlock notifyPhase); +void SecDbAddNotifyPhaseBlock(SecDbRef db, SecDBNotifyBlock notifyPhase); // Read only connections go to the end of the queue, writeable // connections go to the start of the queue. Use SecDbPerformRead() and SecDbPerformWrite() if you @@ -134,6 +134,8 @@ sqlite3 *SecDbHandle(SecDbConnectionRef dbconn); // Do not call this unless you are SecDbItem! void SecDbRecordChange(SecDbConnectionRef dbconn, CFTypeRef deleted, CFTypeRef inserted); +void SecDbPerformOnCommitQueue(SecDbConnectionRef dbconn, bool barrier, dispatch_block_t perform); + // MARK: - // MARK: Bind helpers diff --git a/OSX/utilities/src/SecFileLocations.c b/OSX/utilities/src/SecFileLocations.c index 5be622fe..e1d6cba2 100644 --- a/OSX/utilities/src/SecFileLocations.c +++ b/OSX/utilities/src/SecFileLocations.c 
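Review bot: The out-of-transaction path in `SecDbRecordChange` now invokes the notify blocks through `SecDbOnNotify`, which after this commit is a bare `perform()`, while `SecDbEndTransaction` runs the same blocks under a `dispatch_barrier_sync` on `commitQueue`; a change recorded outside a transaction can therefore run a notify block concurrently with one running under the barrier, which the old shared `notifyQueue` prevented. If that serialization is still wanted, route this call through the same mechanism, `SecDbPerformOnCommitQueue(dbconn, true, ^{ SecDbNotifyPhase(dbconn, kSecDbTransactionDidCommit); });`, and delete the now-trivial `SecDbOnNotify`. The function body starts before this hunk.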
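Review bot: `SecDbPerformOnCommitQueue` enters the public header with no comment, and `SecDbAddNotifyPhaseBlock` in the previous hunk replaces a set-with-NULL-to-clear API with an append-only one, so callers lose the ability to unregister and each block now lives for the db's lifetime. Document both at the declaration, e.g. `// Runs perform synchronously on the db's commit queue; barrier excludes other commit-queue work. Must not be called from a block already on that queue.` and, for the add call, `// Appends a copy of notifyPhase; blocks cannot be removed and are released with the db.`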
@@ -1,15 +1,15 @@ /* - * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -41,6 +41,7 @@ #include <sys/stat.h> #include <uuid/uuid.h> #include <copyfile.h> +#include <syslog.h> #include "SecFileLocations.h" 
@@ -201,6 +202,29 @@ done: #endif } +CFURLRef SecCopyURLForFileInUserCacheDirectory(CFStringRef fileName) +{ +#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) + Boolean isDirectory = (fileName == NULL); + CFURLRef resultURL = NULL; + CFStringRef cacheDirStr = NULL; + char strBuffer[PATH_MAX + 1]; + size_t result = confstr(_CS_DARWIN_USER_CACHE_DIR, strBuffer, sizeof(strBuffer)); + if (result == 0) { + syslog(LOG_CRIT, "SecOCSPCacheCopyPath: confstr on _CS_DARWIN_USER_CACHE_DIR failed"); + return resultURL; + } + cacheDirStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%s/%@"), strBuffer, fileName); + if (cacheDirStr) { + resultURL = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, cacheDirStr, kCFURLPOSIXPathStyle, isDirectory); + } + CFReleaseSafe(cacheDirStr); + return resultURL; +#else + return SecCopyURLForFileInBaseDirectory(CFSTR("Library/Caches"), fileName); +#endif +} + CFURLRef SecCopyURLForFileInPreferencesDirectory(CFStringRef fileName) { return SecCopyURLForFileInBaseDirectory(CFSTR("Library/Preferences"), fileName); @@ -209,14 +233,14 @@ CFURLRef SecCopyURLForFileInPreferencesDirectory(CFStringRef fileName) CFURLRef SecCopyURLForFileInManagedPreferencesDirectory(CFStringRef fileName) { CFURLRef resultURL = NULL; - + CFStringRef userName; #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) userName = CFCopyUserName(); #else userName = CFStringCreateWithCString(kCFAllocatorDefault, "mobile", kCFStringEncodingASCII); #endif - + if (userName) { CFStringRef path = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("/Library/Managed Preferences/%@/%@"), userName, fileName); if (path) { @@ -225,7 +249,7 @@ CFURLRef SecCopyURLForFileInManagedPreferencesDirectory(CFStringRef fileName) } CFReleaseSafe(userName); } - + return resultURL; } diff --git a/OSX/utilities/src/SecFileLocations.h b/OSX/utilities/src/SecFileLocations.h index cea9dae0..7066877c 100644 --- a/OSX/utilities/src/SecFileLocations.h 
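Review bot: `SecCopyURLForFileInUserCacheDirectory` treats a NULL `fileName` as a request for the directory itself (`isDirectory`) but still formats it into the path, so `%@` renders `(null)` and the URL points at `<cache>/(null)`; the `confstr` check also only catches 0, while a return larger than `sizeof(strBuffer)` means the path was truncated and a wrong directory would silently be used. The syslog message names `SecOCSPCacheCopyPath`, apparently copied from the caller this was extracted from. The rewrite below handles all three; the `#else` branch is unchanged.
```c
    size_t result = confstr(_CS_DARWIN_USER_CACHE_DIR, strBuffer, sizeof(strBuffer));
    if (result == 0 || result > sizeof(strBuffer)) {
        syslog(LOG_CRIT, "SecCopyURLForFileInUserCacheDirectory: confstr on _CS_DARWIN_USER_CACHE_DIR failed or truncated");
        return resultURL;
    }
    if (fileName) {
        cacheDirStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%s/%@"), strBuffer, fileName);
    } else {
        cacheDirStr = CFStringCreateWithCString(kCFAllocatorDefault, strBuffer, kCFStringEncodingUTF8);
    }
    /* … unchanged: CFURLCreateWithFileSystemPath, release, return … */
```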
+++ b/OSX/utilities/src/SecFileLocations.h @@ -1,15 +1,15 @@ /* - * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2012-2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ @@ -35,6 +35,7 @@ __BEGIN_DECLS CFURLRef SecCopyURLForFileInKeychainDirectory(CFStringRef fileName); +CFURLRef SecCopyURLForFileInUserCacheDirectory(CFStringRef fileName); CFURLRef SecCopyURLForFileInPreferencesDirectory(CFStringRef fileName); CFURLRef SecCopyURLForFileInManagedPreferencesDirectory(CFStringRef fileName); diff --git a/OSX/utilities/src/SecInternalRelease.c b/OSX/utilities/src/SecInternalRelease.c index b151fc41..6acb8b17 100644 --- a/OSX/utilities/src/SecInternalRelease.c +++ b/OSX/utilities/src/SecInternalRelease.c 
@@ -1,8 +1,25 @@ -// -// utilities -// -// Copyright © 2015 Apple Inc. All rights reserved. -// +/* + * Copyright (c) 2015 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ #include "SecInternalReleasePriv.h" @@ -40,6 +57,9 @@ bool SecIsProductionFused(void) { CFRelease(productionFused); } }); +#else + /* Consider all Macs dev-fused. */ + return false; #endif return isProduction; } diff --git a/OSX/utilities/src/SecInternalReleasePriv.h b/OSX/utilities/src/SecInternalReleasePriv.h index d0dc1031..09f26617 100644 --- a/OSX/utilities/src/SecInternalReleasePriv.h +++ b/OSX/utilities/src/SecInternalReleasePriv.h 
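Review bot: The new `#else` arm makes `SecIsProductionFused` return false on every Mac, so any caller that loosens a check when the device is not production-fused now loosens it on all macOS systems; it also leaves the trailing `return isProduction;` unreachable there. That may be intended, but it is a policy decision that belongs in the header comment, and macOS callers should pair it with a stronger gate (SecDb.c in this same commit uses `csr_check(CSR_ALLOW_APPLE_INTERNAL)`). Suggest `/* macOS has no fuse to read; callers must not treat !SecIsProductionFused() as an internal-build signal there — use csr_check() instead. */` above the `return false;`. The function starts before this hunk.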
@@ -1,8 +1,25 @@ -// -// utilities -// -// Copyright © 2015 Apple Inc. All rights reserved. -// +/* + * Copyright (c) 2015 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ #ifndef SecInternalRelease_c #define SecInternalRelease_c diff --git a/OSX/utilities/src/SecMeta.h b/OSX/utilities/src/SecMeta.h index f6212dcf..b7c05d49 100644 --- a/OSX/utilities/src/SecMeta.h +++ b/OSX/utilities/src/SecMeta.h @@ -106,7 +106,7 @@ enum SecFlagEnum { kSecLogLevelMask = (15 << 0), // Bits 0-3 contain the log levels 1-15 (since 0 is no flags). kSecFirstLogLevel = _SecLogLevel(1), // Lowest log level - kSecDebugLogLevel = _SecLogLevel(1), // log secdebug + kSecDebugLogLevel = _SecLogLevel(1), // log secinfo kSecInfoLogLevel = _SecLogLevel(2), // log info kSecNoticeLogLevel = _SecLogLevel(3), // log notice kSecWarningLogLevel = _SecLogLevel(4), // log warning diff --git a/OSX/utilities/src/SecdUsage.c b/OSX/utilities/src/SecdUsage.c deleted file mode 100644 index e69de29b..00000000 
diff --git a/OSX/utilities/src/cloud_keychain_diagnose.c b/OSX/utilities/src/cloud_keychain_diagnose.c deleted file mode 100644 index 4310cac6..00000000 --- a/OSX/utilities/src/cloud_keychain_diagnose.c +++ /dev/null 
@@ -1,1252 +0,0 @@ -/* - * clang cloud_keychain_diagnose.c -laks -framework CoreFoundation -framework IOKit -framework Security -o /tmp/cloud_keychain_diagnose - */ - -#include <CoreFoundation/CoreFoundation.h> -#include <CoreFoundation/CFPriv.h> - -#if !TARGET_IPHONE_SIMULATOR - -/* Header Declarations */ -#include <stdlib.h> -#include <stdio.h> -#include <unistd.h> -#include <asl.h> -#include <asl_msg.h> - -#if TARGET_OS_EMBEDDED -#include <asl_core.h> -#endif - -#include <string.h> -#include <errno.h> -#include <libaks.h> - -#include "SOSCloudCircle.h" -#include "SOSPeerInfo.h" - - -/* Constant Declarations */ -#define SUCCESS 0 -#define FAILURE -1 - -#define MAX_PATH_LEN 1024 -#define SUFFIX_LENGTH 4 -#define BUFFER_SIZE 1024 -#define MAX_DATA_RATE 32 - -/* External CloudKeychain Bridge Types */ -typedef void (^CloudKeychainReplyBlock)(CFDictionaryRef returnedValues, CFErrorRef error); -extern void SOSCloudKeychainGetAllObjectsFromCloud(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); - -/* External AppleKeyStore Types */ -enum { - my_keybag_state_bio_unlock = 1 << 3 -}; - - -/* Dictionary Dump State */ -struct dict_dump_state -{ - FILE *log_file; - CFDictionaryRef dict; - unsigned int indent_level; -}; - -/* Static Function Declarations */ -static -void -usage(); - -static -int -gather_diagnostics(); - -static -int -enable_cloud_keychain_diagnostics( - const unsigned int enable_flag); - -static -int -build_log_path( - char *log_path); - -static -int -dump_system_information( - FILE *log_file); - -static -int -dump_circle_state( - FILE *log_file); - -static -int -dump_keychain_sync_kvs( - FILE *log_file); - -static -void -dump_dict( - FILE *log_file, - CFDictionaryRef dict, - const unsigned int indent_level); - -static -void -dump_dict_applier( - const void *key, - const void *value, - void *context); - -static -int -dump_asl_sender( - FILE *log_file, - const char *asl_sender); - -static -void -dump_cferror( - FILE *log_file, - const char 
*description, - CFErrorRef error); - -/* Function Definitions */ -int -main( - int argc, - char **argv) -{ - int result = EXIT_FAILURE; - - /* Parse the arguments. */ - if (argc > 2) { - - usage(); - } - - /* Should we just gather logs and status? */ - if (argc == 1) { - - if (gather_diagnostics()) { - - fprintf(stderr, "Could not gather diagnostics\n"); - goto BAIL; - } - } else { - - /* Should we enable or disable logging? */ - if (strncmp(argv[1], "enable", 6) == 0) { - - /* Enable. */ - if (enable_cloud_keychain_diagnostics(1)) { - - fprintf(stderr, "Could not enable additional cloud keychain diagnostics\n"); - goto BAIL; - } - } else if (strncmp(argv[1], "disable", 7) == 0) { - - /* Enable. */ - if (enable_cloud_keychain_diagnostics(1)) { - - fprintf(stderr, "Could not disable additional cloud keychain diagnostics\n"); - goto BAIL; - } - } else { - - /* Get a job, hippy. */ - usage(); - } - } - - /* Set the exit status to success. */ - result = EXIT_FAILURE; - -BAIL: - - return result; -} - -/* Static Function Definitions */ -static -void -usage() -{ - fprintf(stderr, "usage: cloud_keychain_diagnose [enable|disable]\n"); - exit(EXIT_FAILURE); -} - -static -int -gather_diagnostics() -{ - int result = FAILURE; - char log_path[MAX_PATH_LEN] = ""; - int log_fd = -1; - FILE *log_file = NULL; - - /* - * Create the diagnostics file. - * - * Dump the system information. - * on OS X, defaults read if the shim is active - * Dump the circle state. - * Dump the raw KVS data. - * Dump known ASL logs - * - * Remaining work to do from rdar://12479351 - * grab the syslog - * query for all items with sync=1 - * enable KVS logging - * enable push notification logging - */ - - /* Build the log path. */ - if (build_log_path(log_path)) { - - fprintf(stderr, "Could not build the log path\n"); - goto BAIL; - } - - /* Create it with a randomized suffix. 
*/ - log_fd = mkstemps(log_path, SUFFIX_LENGTH); - if (log_fd == -1) { - - fprintf(stderr, "Could not create the log file: %s\n", strerror(errno)); - goto BAIL; - } - - /* Create a file object from the descriptor. */ - log_file = fdopen(log_fd, "w"); - if (log_file == NULL) { - - fprintf(stderr, "Could not recreate the log file: %s\n", strerror(errno)); - goto BAIL; - } - - log_fd = -1; - - printf("Writing cloud keychain diagnostics to %s\n", log_path); - - /* Dump the system information. */ - if (dump_system_information(log_file)) { - - fprintf(stderr, "Could not dump the system information\n"); - goto BAIL; - } - - /* Dump the SOS circle state. */ - if (dump_circle_state(log_file)) { - - fprintf(stderr, "Could not dump the SOS circle state\n"); - goto BAIL; - } - - /* Dump the raw keychain syncing KVS. */ - if (dump_keychain_sync_kvs(log_file)) { - - fprintf(stderr, "Could not the raw keychain syncing KVS\n"); - goto BAIL; - } - - /* - * Dump the various and sundry ASL logs. - */ - - if (dump_asl_sender(log_file, "com.apple.kb-service")) { - - fprintf(stderr, "Could not dump the ASL log for com.apple.kb-service\n"); - goto BAIL; - } - - if (dump_asl_sender(log_file, "com.apple.securityd")) { - - fprintf(stderr, "Could not dump the ASL log for com.apple.securityd\n"); - goto BAIL; - } - - if (dump_asl_sender(log_file, "com.apple.secd")) { - - fprintf(stderr, "Could not dump the ASL log for com.apple.secd\n"); - goto BAIL; - } - - if (dump_asl_sender(log_file, "CloudKeychainProxy")) { - - fprintf(stderr, "Could not dump the ASL log for CloudKeychainProxy\n"); - goto BAIL; - } - - if (dump_asl_sender(log_file, "IDSKeychainSyncingProxy")) { - - fprintf(stderr, "Could not dump the ASL log for IDSKeychainSyncingProxy\n"); - goto BAIL; - - } - - if (dump_asl_sender(log_file, "securityd")) { - - fprintf(stderr, "Could not dump the ASL log for securityd\n"); - goto BAIL; - } - - if (dump_asl_sender(log_file, "secd")) { - - fprintf(stderr, "Could not dump the ASL log for 
secd\n"); - goto BAIL; - } - - /* Set the result to success. */ - result = SUCCESS; - -BAIL: - - /* Close the diagnostics file? */ - if (log_file != NULL) { - - fclose(log_file); - log_file = NULL; - } - - /* Close the diagnostics file descriptor? */ - if (log_fd != -1) { - - close(log_fd); - log_fd = -1; - (void) log_fd; - } - - return result; -} - -static -int -enable_cloud_keychain_diagnostics( - const unsigned int enable_flag) -{ - int result = FAILURE; - - /* Set the result to success. */ - result = SUCCESS; - - return result; -} - -static -int -build_log_path( - char *log_path) -{ - int result = FAILURE; - time_t now; - struct tm *time_cube; - CFDictionaryRef system_version_dict = NULL; - CFStringRef product_name = NULL; - - /* Get the current time. */ - now = time(NULL); - - /* Convert the time into something usable. */ - time_cube = localtime(&now); - if (time_cube == NULL) { - - fprintf(stderr, "I don't know what time it is.\n"); - goto BAIL; - } - - /* Copy the system version dictionary. */ - system_version_dict = _CFCopySystemVersionDictionary(); - if (system_version_dict == NULL) { - - fprintf(stderr, "Could not copy the system version dictionary\n"); - goto BAIL; - } - - /* Extract the product name. */ - product_name = CFDictionaryGetValue(system_version_dict, _kCFSystemVersionProductNameKey); - if (product_name == NULL) { - - fprintf(stderr, "Could not extract the product name from the system version dictionary\n"); - goto BAIL; - } - - /* Is this a Mac? */ - if (CFEqual(product_name, CFSTR("Mac OS X"))) { - - /* Prepare the file template to go into /tmp. */ - snprintf( - log_path, - MAX_PATH_LEN, - "/tmp/cloud_keychain_diagnostics.%d_%d_%d.%d%d%d.XXXX.txt", - 1900 + time_cube->tm_year, - time_cube->tm_mon, - time_cube->tm_mday, - time_cube->tm_hour, - time_cube->tm_min, - time_cube->tm_sec); - } else { - - /* Prepare the file template to go into CrashReporter. 
*/ - snprintf( - log_path, - MAX_PATH_LEN, - "/Library/Logs/CrashReporter/cloud_keychain_diagnostics.%d_%d_%d.%d%d%d.XXXX.txt", - 1900 + time_cube->tm_year, - time_cube->tm_mon, - time_cube->tm_mday, - time_cube->tm_hour, - time_cube->tm_min, - time_cube->tm_sec); - } - - /* Set the result to success. */ - result = SUCCESS; - -BAIL: - - /* Release the system version dictionary? */ - if (system_version_dict != NULL) { - - CFRelease(system_version_dict); - system_version_dict = NULL; - } - - return result; -} - -static -int -dump_system_information( - FILE *log_file) -{ - int result = FAILURE; - CFDictionaryRef dict = NULL; - char buffer[BUFFER_SIZE]; - CFStringRef product_name; - CFStringRef product_version; - CFStringRef product_build_version; - time_t now; - CFTypeRef shim_flag = NULL; - int keybag_handle = bad_keybag_handle; - kern_return_t kr = 0; - keybag_state_t keybag_state = 0; - - /* - * Dump the system information. - * ProductName - * ProductVersion - * ProductBuildVersion - * Host name - */ - - /* Dump a header. */ - fprintf(log_file, "Host Information:\n"); - fprintf(log_file, "=================\n"); - - /* Copy the system version dictionary. */ - dict = _CFCopySystemVersionDictionary(); - if (dict == NULL) { - - fprintf(stderr, "Could not copy the system version dictionary\n"); - goto BAIL; - } - - /* Extract the product name. */ - product_name = CFDictionaryGetValue(dict, _kCFSystemVersionProductNameKey); - if (product_name == NULL) { - - fprintf(stderr, "Could not extract the product name from the system version dictionary\n"); - goto BAIL; - } - - /* Convert the product name to a C string. */ - if (!CFStringGetCString(product_name, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the product name to a C string\n"); - goto BAIL; - } - - /* Dump the product name. */ - fprintf(log_file, "Product Name: %s\n", buffer); - - /* Extract the product version. 
*/ - product_version = CFDictionaryGetValue(dict, _kCFSystemVersionProductVersionKey); - if (product_version == NULL) { - - fprintf(stderr, "Could not extract the product version from the system version dictionary\n"); - goto BAIL; - } - - /* Convert the product version to a C string. */ - if (!CFStringGetCString(product_version, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the product version to a C string\n"); - goto BAIL; - } - - /* Dump the product version */ - fprintf(log_file, "Product Version: %s\n", buffer); - - /* Extract the product build version. */ - product_build_version = CFDictionaryGetValue(dict, _kCFSystemVersionBuildVersionKey); - if (product_build_version == NULL) { - - fprintf(stderr, "Could not extract the product build version from the system version dictionary\n"); - goto BAIL; - } - - /* Convert the product build version to a C string. */ - if (!CFStringGetCString(product_build_version, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the product build version to a C string\n"); - goto BAIL; - } - - /* Dump the product build version. */ - fprintf(log_file, "Product Build Version: %s\n", buffer); - - /* Lookup the host name. */ - if (gethostname(buffer, BUFFER_SIZE) == -1) { - - fprintf(stderr, "Could not lookup the host name\n"); - goto BAIL; - } - - /* Dump the host name. */ - fprintf(log_file, "Host Name: %s\n", buffer); - - /* Lookup the current time. */ - if (gethostname(buffer, BUFFER_SIZE) == -1) { - - fprintf(stderr, "Could not lookup the host name\n"); - goto BAIL; - } - - /* Get the current time. */ - now = time(NULL); - - /* Dump the current time. */ - fprintf(log_file, "Time: %s", ctime(&now)); - - /* Is this a Mac? */ - if (CFEqual(product_name, CFSTR("Mac OS X"))) { - - /* Set the keybag handle. */ - keybag_handle = session_keybag_handle; - - /* Lookup the state of the shim. 
*/ - shim_flag = (CFNumberRef)CFPreferencesCopyValue(CFSTR("SecItemSynchronizable"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost); - if (shim_flag && CFGetTypeID(shim_flag) == CFBooleanGetTypeID()) { - - /* Is the shim enabled? */ - if (CFBooleanGetValue((CFBooleanRef)shim_flag)) { - - fprintf(log_file, "The SecItem shim is enabled\n"); - } else { - - fprintf(log_file, "The SecItem shim is disabled\n"); - } - } else { - - fprintf(log_file, "The SecItem shim is disabled\n"); - } - } else { - - /* Set the keybag handle. */ - keybag_handle = device_keybag_handle; - } - - /* Get the keybag state. */ - kr = aks_get_lock_state(keybag_handle, &keybag_state); - if (kr) { - - fprintf(stderr, "Could not call aks_get_lock_state\n"); - } else { - - switch (keybag_state) { - - case keybag_state_unlocked: { - - fprintf(log_file, "Keybag State: Unlocked\n"); - }break; - - case keybag_state_locked: { - - fprintf(log_file, "Keybag State: Locked\n"); - }break; - - case keybag_state_no_pin: { - - fprintf(log_file, "Keybag State: No Passcode\n"); - }break; - - case keybag_state_been_unlocked: { - - fprintf(log_file, "Keybag State: Been Unlocked\n"); - }break; - - case my_keybag_state_bio_unlock: { - - fprintf(log_file, "Keybag State: Bio Unlock\n"); - }break; - - default: { - - fprintf(log_file, "Keybag State: UNKNOWN\n"); - }break; - } - } - - /* Dump a footer. */ - fprintf(log_file, "=================\n\n"); - - /* Set the result to success. */ - result = SUCCESS; - -BAIL: - - /* Release the shim flag? */ - if (shim_flag) { - - CFRelease(shim_flag); - shim_flag = NULL; - } - - /* Release the system version dictionary? 
*/ - if (dict != NULL) { - - CFRelease(dict); - dict = NULL; - } - - return result; -} - -static -int -dump_circle_state( - FILE *log_file) -{ - int result = FAILURE; - CFErrorRef error = NULL; - SOSCCStatus circle_status; - CFArrayRef peer_list = NULL; - CFIndex num_peers; - CFIndex i; - SOSPeerInfoRef peer_info; - CFDictionaryRef peer_gestalt = NULL; - CFStringRef peer_name; - CFStringRef peer_device_type; - CFStringRef peerID; - char buffer[BUFFER_SIZE] = {}; - - /* - * Dump the SOS circle state. - */ - - /* Dump a header. */ - fprintf(log_file, "SOS Circle State:\n"); - fprintf(log_file, "=================\n"); - - /* Are we in a circle? */ - circle_status = SOSCCThisDeviceIsInCircle(&error); - if (error != NULL) { - - /* Dump and consume the error. */ - dump_cferror(log_file, "Could not call SOSCCThisDeviceIsInCircle", error); - } else { - char *circle_state_string = NULL; - - switch (circle_status) { - - case kSOSCCInCircle: { - circle_state_string = "kSOSCCInCircle"; - }break; - - case kSOSCCNotInCircle: { - circle_state_string = "kSOSCCNotInCircle"; - }break; - - case kSOSCCRequestPending: { - circle_state_string = "kSOSCCRequestPending"; - }break; - - case kSOSCCCircleAbsent: { - circle_state_string = "kSOSCCCircleAbsent"; - }break; - - case kSOSCCError: { - circle_state_string = "kSOSCCError"; - }break; - - default: { - sprintf(buffer, "Unknown circle status (%d)?", circle_status); - circle_state_string = buffer; - } - } - - fprintf(log_file, "Circle Status: %s\n", circle_state_string); - } - - /* Can we authenticate? */ - if (!SOSCCCanAuthenticate(&error)) { - - if (error) { - - /* Dump and consume the error. */ - dump_cferror(log_file, "Could not call SOSCCCanAuthenticate", error); - } else { - - fprintf(log_file, "Can Authenticate: NO\n"); - } - } else { - - fprintf(log_file, "Can Authenticate: YES\n"); - } - - /* Copy the peers. */ - peer_list = SOSCCCopyPeerPeerInfo(&error); - if (!peer_list) { - - /* Dump the error. 
*/ - dump_cferror(log_file, "Could not call SOSCCCopyPeerPeerInfo", error); - } else { - - /* Get the number of peers. */ - num_peers = CFArrayGetCount(peer_list); - - fprintf(log_file, "Number of syncing peers: %ld\n", num_peers); - - if (num_peers > 0) { - - fprintf(log_file, "\n"); - } - - /* Enumerate the peers. */ - for (i = 0; i < num_peers; i++) { - - peer_info = (SOSPeerInfoRef) CFArrayGetValueAtIndex(peer_list, i); - if (peer_info == NULL) { - - fprintf(stderr, "Could not extract peer %ld of %ld\n", i, num_peers); - goto BAIL; - } - - /* - peer_gestalt = SOSPeerInfoCopyPeerGestalt(peer_info); - if (peer_gestalt == NULL) { - - fprintf(stderr, "Could not copy peer gestalt %ld of %ld\n", i, num_peers); - goto BAIL; - } - */ - - /* Get the peer name. */ - peer_name = SOSPeerInfoGetPeerName(peer_info); - if (peer_name == NULL) { - - fprintf(stderr, "Could not extract peer name %ld of %ld\n", i, num_peers); - goto BAIL; - } - - /* Convert the peer name to a C string. */ - if (!CFStringGetCString(peer_name, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the peer name to a C string\n"); - goto BAIL; - } - - /* Dump the peer name. */ - fprintf(log_file, " Peer Name: %s\n", buffer); - - /* Get the peer device type. */ - peer_device_type = SOSPeerInfoGetPeerDeviceType(peer_info); - if (peer_device_type == NULL) { - - fprintf(stderr, "Could not extract peer device type %ld of %ld\n", i, num_peers); - goto BAIL; - } - - /* Convert the peer device type to a C string. */ - if (!CFStringGetCString(peer_device_type, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the peer device type to a C string\n"); - goto BAIL; - } - - /* Dump the peer name. */ - fprintf(log_file, " Peer Device Type: %s\n", buffer); - - /* Get the peer ID. 
*/ - peerID = SOSPeerInfoGetPeerID(peer_info); - if (peerID == NULL) { - - fprintf(stderr, "Could not extract peer ID %ld of %ld\n", i, num_peers); - goto BAIL; - } - - /* Dump the peer name. */ - fprintf(log_file, " Peer ID: %s\n", buffer); - - /* Convert the peer ID to a C string. */ - if (!CFStringGetCString(peerID, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the peer ID to a C string\n"); - goto BAIL; - } - - /* Make it pretty. */ - fprintf(log_file, "\n"); - } - - /* Release the peer list. */ - CFRelease(peer_list); - peer_list = NULL; - } - - /* Copy the applicant peers. */ - peer_list = SOSCCCopyApplicantPeerInfo(&error); - if (!peer_list) { - - /* Dump the error. */ - dump_cferror(log_file, "Could not call SOSCCCopyApplicantPeerInfo", error); - } else { - - /* Get the number of peers. */ - num_peers = CFArrayGetCount(peer_list); - - fprintf(log_file, "Number of applicant peers: %ld\n", num_peers); - - if (num_peers > 0) { - - fprintf(log_file, "\n"); - } - - /* Enumerate the peers. */ - for (i = 0; i < num_peers; i++) { - - peer_info = (SOSPeerInfoRef) CFArrayGetValueAtIndex(peer_list, i); - if (peer_info == NULL) { - - fprintf(stderr, "Could not extract peer %ld of %ld\n", i, num_peers); - goto BAIL; - } - - /* - peer_gestalt = SOSPeerInfoCopyPeerGestalt(peer_info); - if (peer_gestalt == NULL) { - - fprintf(stderr, "Could not copy peer gestalt %ld of %ld\n", i, num_peers); - goto BAIL; - } - */ - - /* Get the peer name. */ - peer_name = SOSPeerInfoGetPeerName(peer_info); - if (peer_name == NULL) { - - fprintf(stderr, "Could not extract peer name %ld of %ld\n", i, num_peers); - goto BAIL; - } - - /* Convert the peer name to a C string. */ - if (!CFStringGetCString(peer_name, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the peer name to a C string\n"); - goto BAIL; - } - - /* Dump the peer name. 
*/ - fprintf(log_file, " Applicant Name: %s\n", buffer); - - /* Get the peer device type. */ - peer_device_type = SOSPeerInfoGetPeerDeviceType(peer_info); - if (peer_device_type == NULL) { - - fprintf(stderr, "Could not extract peer device type %ld of %ld\n", i, num_peers); - goto BAIL; - } - - /* Convert the peer device type to a C string. */ - if (!CFStringGetCString(peer_device_type, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the peer device type to a C string\n"); - goto BAIL; - } - - /* Dump the peer name. */ - fprintf(log_file, " Applicant Device Type: %s\n", buffer); - - /* Get the peer ID. */ - peerID = SOSPeerInfoGetPeerID(peer_info); - if (peerID == NULL) { - - fprintf(stderr, "Could not extract peer ID %ld of %ld\n", i, num_peers); - goto BAIL; - } - - /* Dump the peer name. */ - fprintf(log_file, " Applicant ID: %s\n", buffer); - - /* Convert the peer ID to a C string. */ - if (!CFStringGetCString(peerID, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the peer ID to a C string\n"); - goto BAIL; - } - - /* Make it pretty. */ - if (i < num_peers - 1) { - - fprintf(log_file, "\n"); - } - } - - /* Release the peer list. */ - CFRelease(peer_list); - peer_list = NULL; - } - - /* Dump a footer. */ - fprintf(log_file, "=================\n\n"); - - /* Set the result to success. */ - result = SUCCESS; - -BAIL: - - /* Release the peer gestalt? */ - if (peer_gestalt != NULL) { - - CFRelease(peer_gestalt); - peer_gestalt = NULL; - } - - /* Release the peer list? */ - if (peer_list != NULL) { - - CFRelease(peer_list); - peer_list = NULL; - } - - /* Release the error string? 
*/ - if (error != NULL) { - - CFRelease(error); - error = NULL; - } - - return result; -} - -static -int -dump_keychain_sync_kvs( - FILE *log_file) -{ - int result = FAILURE; - dispatch_group_t cloud_group; - dispatch_queue_t cloud_queue; - dispatch_semaphore_t waitSemaphore; - dispatch_time_t finishTime; - __block CFDictionaryRef kvs_dict = NULL; - - /* - * Dump the keychain syncing KVS. - */ - - /* Dump a header. */ - fprintf(log_file, "Keychain Syncing KVS:\n"); - fprintf(log_file, "=================\n"); - - /* Create the serial dispatch queue to talk to CloudKeychainProxy. */ - cloud_queue = dispatch_queue_create("cloud_queue", DISPATCH_QUEUE_SERIAL); - - /* Create a semaphore. */ - waitSemaphore = dispatch_semaphore_create(0); - - /* Create the finish time. */ - finishTime = dispatch_time(DISPATCH_TIME_NOW, 30ull * NSEC_PER_SEC); - - /* Create the dispatch group. */ - cloud_group = dispatch_group_create(); - - /* Enter the dispatch group. */ - dispatch_group_enter(cloud_group); - - /* Establish the CloudKeychainProxy reply hander. */ - CloudKeychainReplyBlock replyBlock = ^(CFDictionaryRef returnedValues, CFErrorRef error) - { - /* Did we get back some values? */ - if (returnedValues) { - - kvs_dict = (returnedValues); - CFRetain(kvs_dict); - } - - /* Leave the cloud group. */ - dispatch_group_leave(cloud_group); - - /* Signal the other queue we're done. */ - dispatch_semaphore_signal(waitSemaphore); - }; - - /* Ask CloudKeychainProxy for all of the raw KVS data. */ - SOSCloudKeychainGetAllObjectsFromCloud(cloud_queue, replyBlock); - - /* Wait for CloudKeychainProxy to respond, up to 30 seconds. */ - dispatch_semaphore_wait(waitSemaphore, finishTime); - - /* Release the semaphore. */ - dispatch_release(waitSemaphore); - - /* Did we get any raw KVS data from CloudKeychainProxy? */ - if (kvs_dict) { - - dump_dict(log_file, kvs_dict, 0); - } - - /* Dump a footer. */ - fprintf(log_file, "=================\n\n"); - - /* Set the result to success. 
*/ - result = SUCCESS; - - /* Release the KVS dictionary? */ - if (kvs_dict != NULL) { - - CFRelease(kvs_dict); - kvs_dict = NULL; - } - - return result; -} - -static -void -dump_dict( - FILE *log_file, - CFDictionaryRef dict, - const unsigned int indent_level) -{ - struct dict_dump_state dump_state; - - /* Setup the context. */ - dump_state.log_file = log_file; - dump_state.dict = dict; - dump_state.indent_level = indent_level; - - /* Apply the dumper to each element in the dictionary. */ - CFDictionaryApplyFunction(dict, dump_dict_applier, (void *)&dump_state); -} - -static -void -dump_dict_applier( - const void *key, - const void *value, - void *context) -{ - CFTypeRef key_object; - CFTypeRef value_object; - struct dict_dump_state *dump_state; - unsigned int i; - char buffer[BUFFER_SIZE]; - CFIndex length; - const UInt8* bytes; - - /* Assign the CF types. */ - key_object = (CFTypeRef) key; - value_object = (CFTypeRef) value; - - /* Get the context. */ - dump_state = (struct dict_dump_state *)context; - - /* Indent appropriately. */ - for (i = 0; i < dump_state->indent_level; i++) { - - fprintf(dump_state->log_file, " "); - } - - /* Determine the key type. */ - if (CFGetTypeID(key_object) == CFStringGetTypeID()) { - - /* Convert the key to a C string. */ - if (!CFStringGetCString((CFStringRef) key_object, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the key to a C string\n"); - fprintf(dump_state->log_file, "[Failed Key Type]: "); - } else { - - fprintf(dump_state->log_file, "%s: ", buffer); - } - } - - /* Determine the value type. */ - if (CFGetTypeID(value_object) == CFStringGetTypeID()) { - - /* Convert the value to a C string. 
*/ - if (!CFStringGetCString((CFStringRef) value_object, buffer, BUFFER_SIZE, kCFStringEncodingUTF8)) { - - fprintf(stderr, "Could not convert the value to a C string\n"); - fprintf(dump_state->log_file, "[Failed Value Type]: "); - } else { - - fprintf(dump_state->log_file, "%s\n", buffer); - } - } else if (CFGetTypeID(value_object) == CFDataGetTypeID()) { - - length = CFDataGetLength((CFDataRef)value_object); - bytes = CFDataGetBytePtr((CFDataRef) value_object); - - fprintf(dump_state->log_file, "0x"); - - for (i = 0; i < (unsigned int)length && i < MAX_DATA_RATE; i++) { - - fprintf(dump_state->log_file, "%02x", (unsigned char)bytes[i]); - } - - fprintf(dump_state->log_file, " (%ld bytes)\n", length); - - - } else if (CFGetTypeID(value_object) == CFDictionaryGetTypeID()) { - - /* Recurse */ - fprintf(dump_state->log_file, "\n"); - dump_dict(dump_state->log_file, (CFDictionaryRef) value_object, dump_state->indent_level + 1); - } else { - - fprintf(dump_state->log_file, "[Unknown Value Type]\n"); - } -} - -static -int -dump_asl_sender( - FILE *log_file, - const char *asl_sender) -{ - int result = FAILURE; - aslmsg log_query = NULL; - aslresponse log_response = NULL; - aslmsg log_message; - char *message_string; - uint32_t message_length; - - /* - * Dump the ASL logs for the given sender. - */ - - /* Dump a header. */ - fprintf(log_file, "ASL: %s\n", asl_sender); - fprintf(log_file, "=================\n"); - - /* Create the ASL query. */ - log_query = asl_new(ASL_TYPE_QUERY); - if (log_query == NULL) { - - fprintf(stderr, "Could not create ASL query\n"); - goto BAIL; - } - - /* Setup the ASL query. */ - asl_set_query(log_query, ASL_KEY_SENDER, asl_sender, ASL_QUERY_OP_EQUAL); - - /* Perform the ASL search. */ - log_response = asl_search(NULL, log_query); - if (log_response == NULL) { - - fprintf(log_file, "Could not perform ASL search for %s\n", asl_sender); - } else { - - /* Enumerate the ASL messages in the response. 
*/ - while ((log_message = asl_next(log_response)) != NULL) { - - /* Format the message entry. */ - message_string = asl_format_message((asl_msg_t *)log_message, ASL_MSG_FMT_STD, ASL_TIME_FMT_LCL, ASL_ENCODE_SAFE, &message_length); - if (message_string == NULL) { - - fprintf(stderr, "Could not create ASL message string\n"); - goto BAIL; - } - - fprintf(log_file, "%s", message_string); - - /* Release the message string. */ - free(message_string); - message_string = NULL; - } - } - - /* Dump a footer. */ - fprintf(log_file, "=================\n\n"); - - /* Set the result to success. */ - result = SUCCESS; - -BAIL: - - /* Release the ASL response? */ - if (log_response != NULL) { - - asl_free(log_response); - log_response = NULL; - } - - /* Release the ASL query? */ - if (log_query != NULL) { - - asl_free(log_query); - log_query = NULL; - } - - return result; -} - -static -void -dump_cferror( - FILE *log_file, - const char *description, - CFErrorRef error) -{ - CFStringRef error_string = NULL; - char buffer[BUFFER_SIZE]; - - error_string = CFErrorCopyDescription(error); - if (error_string == NULL) { - - fprintf(stderr, "Could not copy error description?\n"); - goto BAIL; - } - - (void) CFStringGetCString(error_string, buffer, BUFFER_SIZE, kCFStringEncodingUTF8); - - fprintf(stderr, "%s: %s\n", description, buffer); - fprintf(log_file, "%s: %s\n", description, buffer); - -BAIL: - - /* Release the error string? */ - if (error_string != NULL) { - - CFRelease(error_string); - error_string = NULL; - } -} - -#else // TARGET_IPHONE_SIMULATOR - -int -main( - int argc, - char **argv) -{ -#pragma unused (argc, argv) - return 0; -} - -#endif diff --git a/OSX/utilities/src/debugging.c b/OSX/utilities/src/debugging.c index e7302d03..bc66de2d 100644 --- a/OSX/utilities/src/debugging.c +++ b/OSX/utilities/src/debugging.c 
@@ -45,27 +45,8 @@
 #include <os/log_private.h>
 #include <sqlite3.h>
-const uint8_t _os_trace_type_map[8] = {
- OS_TRACE_TYPE_FAULT, // ASL_LEVEL_EMERG
- OS_TRACE_TYPE_FAULT, // ASL_LEVEL_ALERT
- OS_TRACE_TYPE_FAULT, // ASL_LEVEL_CRIT
- OS_TRACE_TYPE_ERROR, // ASL_LEVEL_ERR
- OS_TRACE_TYPE_RELEASE, // ASL_LEVEL_WARNING
- OS_TRACE_TYPE_RELEASE, // ASL_LEVEL_NOTICE
- OS_TRACE_TYPE_RELEASE, // ASL_LEVEL_INFO
- OS_TRACE_TYPE_DEBUG // ASL_LEVEL_DEBUG
-};
-
-const char *_asl_string_map[8] = {
- ASL_STRING_EMERG, // ASL_LEVEL_EMERG
- ASL_STRING_ALERT, // ASL_LEVEL_ALERT
- ASL_STRING_CRIT, // ASL_LEVEL_CRIT
- ASL_STRING_ERR, // ASL_LEVEL_ERR
- ASL_STRING_WARNING, // ASL_LEVEL_WARNING
- ASL_STRING_NOTICE, // ASL_LEVEL_NOTICE
- ASL_STRING_INFO, // ASL_LEVEL_INFO
- ASL_STRING_DEBUG // ASL_LEVEL_DEBUG
-};
+const char *api_trace = "api_trace";
+
 const CFStringRef kStringNegate = CFSTR("-");
 const CFStringRef kStringAll = CFSTR("all");
@@ -140,12 +121,6 @@ bool IsScopeActiveC(int level, const char *scope)
 }
-
-static CFStringRef copyScopeName(const char *scope, CFIndex scopeLen) {
- return CFStringCreateWithBytes(kCFAllocatorDefault, (const UInt8 *)scope,
- scopeLen, kCFStringEncodingUTF8, false);
-}
-
 static CFMutableSetRef CopyScopesFromScopeList(CFStringRef scopes) {
 CFMutableSetRef resultSet = CFSetCreateMutableForCFTypes(kCFAllocatorDefault);
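Review bot: The new global `api_trace` in the first hunk is a mutable pointer with external linkage, so any code in the process can repoint it and the unprefixed name can collide with other objects; unless another translation unit declares it `extern`, make it `static const char *const api_trace = "api_trace";`, and if it must be shared at least `const char *const api_trace`. Its use is not visible in this hunk — presumably it is the scope name for the API-trace logging path — so a one-line comment such as `/* Logging scope name used for API enter/return trace records */` would save the next reader a search. The two removed tables were also non-static; if anything outside debugging.c referenced `_os_trace_type_map` or `_asl_string_map` those sites break, which I cannot confirm from here.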
@@ -220,21 +195,21 @@ static void SetNthScopeSet(int nth, CFTypeRef collection)
 static int string_to_log_level(CFStringRef string) {
 if (CFEqual(string, CFSTR(ASL_STRING_EMERG)))
- return ASL_LEVEL_EMERG;
+ return SECLOG_LEVEL_EMERG;
 else if (CFEqual(string, CFSTR(ASL_STRING_ALERT)))
- return ASL_LEVEL_ALERT;
+ return SECLOG_LEVEL_ALERT;
 else if (CFEqual(string, CFSTR(ASL_STRING_CRIT)))
- return ASL_LEVEL_CRIT;
+ return SECLOG_LEVEL_CRIT;
 else if (CFEqual(string, CFSTR(ASL_STRING_ERR)))
- return ASL_LEVEL_ERR;
+ return SECLOG_LEVEL_ERR;
 else if (CFEqual(string, CFSTR(ASL_STRING_WARNING)))
- return ASL_LEVEL_WARNING;
+ return SECLOG_LEVEL_WARNING;
 else if (CFEqual(string, CFSTR(ASL_STRING_NOTICE)))
- return ASL_LEVEL_NOTICE;
+ return SECLOG_LEVEL_NOTICE;
 else if (CFEqual(string, CFSTR(ASL_STRING_INFO)))
- return ASL_LEVEL_INFO;
+ return SECLOG_LEVEL_INFO;
 else if (CFEqual(string, CFSTR(ASL_STRING_DEBUG)))
- return ASL_LEVEL_DEBUG;
+ return SECLOG_LEVEL_DEBUG;
 else
 return -1;
 }
@@ -339,8 +314,6 @@ void ApplyScopeListForIDC(const char *scopeList, SecDebugScopeID whichID) {
 #pragma mark - Log Handlers to catch log information
-static CFMutableArrayRef sSecurityLogHandlers;
-
 /*
 * Instead of using CFPropertyListReadFromFile we use a
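Review bot: `string_to_log_level` now returns `SECLOG_LEVEL_*` values but still recognises only the `ASL_STRING_*` spellings from asl.h, so debugging.c keeps an ASL header dependency purely for these names even though the rest of the patch appears to be moving logging off ASL; if that is the intent, define matching `SECLOG_STRING_*` constants (or a small name-to-level table) alongside `SECLOG_LEVEL_*` and key on those instead. The function has no header comment and its `-1` sentinel is easy to miss, so I would add `/* Map a log-level name as written in scope configuration (the ASL_STRING_* spellings) to a SECLOG_LEVEL_* value; returns -1 for an unrecognised name, which callers must check before using it as a level. */`. These names presumably arrive from environment or defaults configuration via the setup_* functions seen later in the file, so a misspelt level silently becomes -1 with no diagnostic; consider logging the rejected string at the caller.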
@@ -414,17 +387,6 @@ static void setup_environment_scopes() {
 ApplyScopeListForIDC(cur_scope, kScopeIDEnvironment);
 }
-#define XPCSCOPESTRWANT "api,account,accountChange,circle,circleChange,circleCreat,flush,fresh,keygen,signing,talkwithkvs,syncbubble"
-#define XPCSCOPESTRDONTWANT "-event,http,item,keytrace,lockassertions,otr_keysetup,securityd,server,serverxpc,session,sync,titc,transport,trust,updates,xpc"
-static void setup_xpcdefault_scopes() {
-
- CFDictionaryRef noticeLogging = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
- CFSTR(ASL_STRING_NOTICE), CFSTR(XPCSCOPESTRDONTWANT), NULL);
-
- ApplyScopeDictionaryForID(noticeLogging, kScopeIDXPC);
-
- CFReleaseNull(noticeLogging);
-}
 void __security_debug_init(void) {
 static dispatch_once_t sdOnceToken;
@@ -433,186 +395,146 @@ void __security_debug_init(void) { setup_environment_scopes(); setup_config_settings(); setup_defaults_settings(); - //setup_xpcdefault_scopes(); setup_circle_defaults_settings(); }); } -// MARK: Log handler recording (e.g. grabbing security logging and sending it to test results). -static void clean_aslclient(void *client) -{ - asl_close(client); -} -static aslclient get_aslclient() -{ - static dispatch_once_t once; - static pthread_key_t asl_client_key; - dispatch_once(&once, ^{ - pthread_key_create(&asl_client_key, clean_aslclient); - }); - aslclient client = pthread_getspecific(asl_client_key); - if (!client) { - client = asl_open(NULL, "SecLogging", 0); - asl_set_filter(client, ASL_FILTER_MASK_UPTO(ASL_LEVEL_DEBUG)); - pthread_setspecific(asl_client_key, client); - } - return client; + +static char *copyScopeStr(CFStringRef scope, char *alternative) { + char *scopeStr = NULL; + if(scope) { + scopeStr = CFStringToCString(scope); + } else { + scopeStr = strdup("noScope"); + } + return scopeStr; } -static CFMutableArrayRef get_log_handlers() -{ - static dispatch_once_t handlers_once; +static os_log_t logObjForCFScope(CFStringRef scope) { + static dispatch_once_t onceToken = 0; + __block os_log_t retval = OS_LOG_DISABLED; + static dispatch_queue_t logObjectQueue = NULL; + static CFMutableDictionaryRef scopeMap = NULL; - dispatch_once(&handlers_once, ^{ - sSecurityLogHandlers = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); - - CFArrayAppendValue(sSecurityLogHandlers, ^(int level, CFStringRef scope, const char *function, - const char *file, int line, CFStringRef message){ - CFStringRef logStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@ %s %@\n"), scope ? 
scope : CFSTR(""), function, message); - CFStringPerformWithCString(logStr, ^(const char *logMsg) { - aslmsg msg = asl_new(ASL_TYPE_MSG); - if (scope) { - CFStringPerformWithCString(scope, ^(const char *scopeStr) { - asl_set(msg, ASL_KEY_FACILITY, scopeStr); - }); - } - asl_log(get_aslclient(), msg, level, "%s", logMsg); - asl_free(msg); - }); - CFReleaseSafe(logStr); - }); - }); + if(scope == NULL) scope = CFSTR("logging"); - return sSecurityLogHandlers; -} - -static void log_api_trace_v(const char *api, const char *caller_info, CFStringRef format, va_list args) -{ - aslmsg msg = asl_new(ASL_TYPE_MSG); - asl_set(msg, ASL_KEY_LEVEL, ASL_STRING_DEBUG); - CFStringPerformWithCString(kAPIScope, ^(const char *scopeStr) { - asl_set(msg, ASL_KEY_FACILITY, scopeStr); + dispatch_once(&onceToken, ^{ + logObjectQueue = dispatch_queue_create("logObjectQueue", DISPATCH_QUEUE_SERIAL); + scopeMap = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFCopyStringDictionaryKeyCallBacks, NULL); }); - asl_set(msg, "SecAPITrace", api); - asl_set(msg, caller_info ? "ENTER" : "RETURN", ""); - - if (format) { - CFStringRef message = CFStringCreateWithFormatAndArguments(kCFAllocatorDefault, NULL, format, args); - CFStringPerformWithCString(message, ^(const char *utf8Str) { - asl_set(msg, ASL_KEY_MSG, utf8Str); - }); - CFReleaseSafe(message); - } - - if (caller_info) { - asl_set(msg, "CALLER", caller_info); - } - - asl_send(get_aslclient(), msg); - asl_free(msg); -} - -void __security_trace_enter_api(const char *api, CFStringRef format, ...) 
-{ - if (!IsScopeActive(ASL_LEVEL_DEBUG, kAPIScope)) - return; - va_list args; - va_start(args, format); - - { - char stack_info[80]; + dispatch_sync(logObjectQueue, ^{ + retval = (os_log_t) CFDictionaryGetValue(scopeMap, scope); + if (retval) return; - snprintf(stack_info, sizeof(stack_info), "C%p F%p", __builtin_return_address(1), __builtin_frame_address(2)); - - log_api_trace_v(api, stack_info, format, args); - } - - va_end(args); -} - -void __security_trace_return_api(const char *api, CFStringRef format, ...) -{ - if (!IsScopeActive(ASL_LEVEL_DEBUG, kAPIScope)) - return; - - va_list args; - va_start(args, format); - - log_api_trace_v(api, NULL, format, args); - - va_end(args); + CFStringPerformWithCString(scope, ^(const char *scopeStr) { + CFDictionaryAddValue(scopeMap, scope, os_log_create("com.apple.securityd", scopeStr)); + }); + retval = (os_log_t) CFDictionaryGetValue(scopeMap, scope); + }); + + return retval; } +static bool loggingEnabled = true; -void add_security_log_handler(security_log_handler handler) -{ - CFArrayAppendValue(get_log_handlers(), handler); +bool secLogEnabled(void) { + return loggingEnabled; } - -void remove_security_log_handler(security_log_handler handler) -{ - CFArrayRemoveAllValue(get_log_handlers(), handler); +void secLogDisable(void) { + loggingEnabled = false; } -static void __security_post_msg(int level, CFStringRef scope, const char *function, - const char *file, int line, CFStringRef message) -{ - CFArrayForEach(get_log_handlers(), ^(const void *value) { - security_log_handler handler = (security_log_handler) value; - if (handler) { - handler(level, scope, function, file, line, message); - } - }); +void secLogEnable(void) { + loggingEnabled = true; } -static void __security_log_msg_v(int level, CFStringRef scope, const char *function, - const char *file, int line, CFStringRef format, va_list args) -{ - __security_debug_init(); - - if (!IsScopeActive(level, scope)) - return; - - CFStringRef message = 
CFStringCreateWithFormatAndArguments(kCFAllocatorDefault, NULL, format, args); - __security_post_msg(level, scope, function, file, line, message); - CFRelease(message); +os_log_t logObjForScope(const char *scope) { + if (!loggingEnabled) + return OS_LOG_DISABLED; + CFStringRef cfscope = NULL; + if(scope) cfscope = CFStringCreateWithCString(kCFAllocatorDefault, scope, kCFStringEncodingASCII); + os_log_t retval = logObjForCFScope(cfscope); + CFReleaseNull(cfscope); + return retval; } -void __security_debug(CFStringRef scope, const char *function, - const char *file, int line, CFStringRef format, ...) -{ - va_list args; - va_start(args, format); - - __security_log_msg_v(ASL_LEVEL_DEBUG, scope, function, file, line, format, args); - va_end(args); -} -static void __os_log_shim(void *addr, int32_t level, CFStringRef format, va_list in_args) { - if ((level & 0x7) == level) { - va_list args; - va_copy(args, in_args); - os_log_shim_with_CFString(addr, OS_LOG_DEFAULT, _os_trace_type_map[level], format, args, NULL); - va_end(args); - } -} +CFStringRef SecLogAPICreate(bool apiIn, const char *api, CFStringRef format, ... ) { + CFMutableStringRef outStr = CFStringCreateMutable(kCFAllocatorDefault, 0); -void __security_log(int level, CFStringRef scope, const char *function, - const char *file, int line, CFStringRef format, ...) -{ + char *direction = apiIn ? 
"ENTER" : "RETURN"; va_list args; va_start(args, format); - __os_log_shim(__builtin_return_address(0), level, format, args); + CFStringAppend(outStr, CFSTR("SecAPITrace ")); + CFStringAppendCString(outStr, api, kCFStringEncodingASCII); + CFStringAppendCString(outStr, direction, kCFStringEncodingASCII); - if (os_log_shim_legacy_logging_enabled()) { - __security_log_msg_v(level, scope, function, file, line, format, args); + if (format) { + CFStringRef message = CFStringCreateWithFormatAndArguments(kCFAllocatorDefault, NULL, format, args); + CFStringAppend(outStr, message); + CFReleaseSafe(message); + } + + if (apiIn) { + char caller_info[80]; + snprintf(caller_info, sizeof(caller_info), "C%p F%p", __builtin_return_address(1), __builtin_frame_address(2)); + CFStringAppend(outStr, CFSTR("CALLER ")); + CFStringAppendCString(outStr, caller_info, kCFStringEncodingASCII); } - va_end(args); -} + + return outStr; +} + +#if TARGET_OS_OSX +#ifdef NO_OS_LOG +// Functions for weak-linking os_log functions +#include <dlfcn.h> + +#define weak_log_f(fname, newname, rettype, fallthrough) \ + rettype newname(log_args) { \ + static dispatch_once_t onceToken = 0; \ + static rettype (*newname)(log_args) = NULL; \ + \ + dispatch_once(&onceToken, ^{ \ + void* libtrace = dlopen("/usr/lib/system/libsystem_trace.dylib", RTLD_LAZY | RTLD_LOCAL); \ + if (libtrace) { \ + newname = (rettype(*)(log_args)) dlsym(libtrace, #fname); \ + } \ + }); \ + \ + if(newname) { \ + return newname(log_argnames); \ + } \ + fallthrough;\ +} + +#define log_args void *dso, os_log_t log, os_log_type_t type, const char *format, uint8_t *buf, unsigned int size +#define log_argnames dso, log, type, format, buf, size +weak_log_f(_os_log_impl, weak_os_log_impl, void, return); +#undef log_args +#undef log_argnames + +#define log_args const char *subsystem, const char *category +#define log_argnames subsystem, category +weak_log_f(os_log_create, weak_os_log_create, os_log_t, return NULL); +#undef log_args +#undef 
log_argnames + +#define log_args os_log_t oslog, os_log_type_t type +#define log_argnames oslog, type +weak_log_f(os_log_type_enabled, weak_os_log_type_enabled, bool, return false); +#undef log_args +#undef log_argnames + +#undef weak_log_f + +#endif // NO_OS_LOG +#endif // TARGET_OS_OSX + diff --git a/OSX/utilities/src/debugging.h b/OSX/utilities/src/debugging.h index 7ec012fa..33f741a4 100644 --- a/OSX/utilities/src/debugging.h +++ b/OSX/utilities/src/debugging.h @@ -24,9 +24,24 @@ /* * debugging.h - non-trivial debug support */ + +/* + * CONFIGURING DEFAULT DEBUG SCOPES + * + * Default debug "scope" inclusion / exclusion is configured in com.apple.securityd.plist (iOS) and + * com.apple.secd.plist (OSX) in the Environmental Variable "DEBUGSCOPE". The current value for that + * variable begins with a dash ("-") indicating an "exclusion list". If you add a scope for a + * secnotice, etc that you don't want to always be "on" add the new string to the DEBUGSCOPE variable + * in both plists. + */ + #ifndef _SECURITY_UTILITIES_DEBUGGING_H_ #define _SECURITY_UTILITIES_DEBUGGING_H_ +#if TARGET_OS_OSX +#include <security_utilities/debugging_internal.h> +#endif + #ifdef KERNEL #include <libkern/libkern.h> #define secalert(format, ...) printf((format), ## __VA_ARGS__) @@ -37,6 +52,7 @@ #define secnotice(scope, format, ...) printf((format), ## __VA_ARGS__) #define secnoticeq(scope, format, ...) printf((format), ## __VA_ARGS__) #define secinfo(scope, format, ...) printf((format), ## __VA_ARGS__) + #undef secdebug #if !defined(NDEBUG) #define secdebug(scope, format, ...) printf((format), ## __VA_ARGS__) #else // NDEBUG 
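Review bot: `SecLogAPICreate` opens its variadic list with `va_start(args, format)` but the new body never calls `va_end(args)` (the removed `__security_log` did), so add `va_end(args);` immediately before `return outStr;`. The assembled trace also runs its fields together: after `CFStringAppend(outStr, CFSTR("SecAPITrace "))` the `api` name, the `direction` string and then the formatted message are appended with no separator, producing text like `SecAPITrace SecItemAddENTER…`; replacing the two `CFStringAppendCString` calls with `CFStringAppendFormat(outStr, NULL, CFSTR("%s %s "), api, direction);` keeps the record parseable. `loggingEnabled` is a plain `static bool` toggled by `secLogEnable`/`secLogDisable` and read by `logObjForScope` from whatever thread logs, so either make it `_Atomic(bool)` or add a comment stating the toggles are test-only and not meant to race with logging. `copyScopeStr` never reads its `alternative` parameter and always falls back to the literal `"noScope"`, and no caller of it is visible in this hunk — either use the parameter or drop the function.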
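Review bot: `#if TARGET_OS_OSX` guards the new `#include <security_utilities/debugging_internal.h>` before any include of `<TargetConditionals.h>` is visible in this hunk; if nothing above line 24 pulls it in, the macro is undefined, the `#if` evaluates to 0 and the include silently disappears on macOS. Adding `#include <TargetConditionals.h>` ahead of the guard (or confirming the opening block already does) makes the condition robust. The hunk starts after the file's header comment, so an earlier include may exist outside this view.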
@@ -50,87 +66,102 @@ __BEGIN_DECLS -extern void __security_trace_enter_api(const char *api, CFStringRef format, ...) CF_FORMAT_FUNCTION(2, 3); -extern void __security_trace_return_api(const char *api, CFStringRef format, ...) CF_FORMAT_FUNCTION(2, 3); - -extern void __security_debug(CFStringRef scope, - const char *function, const char *file, int line, - CFStringRef format, ...) CF_FORMAT_FUNCTION(5,6); - -extern void __security_log(int level, CFStringRef scope, - const char *function, const char *file, int line, - CFStringRef format, ...) CF_FORMAT_FUNCTION(6,7); - -#define sec_trace_enter_api(format...) __security_trace_enter_api(__FUNCTION__, format) -#define sec_trace_return_api(rtype, body, format...) { rtype _r = body(); __security_trace_return_api(__FUNCTION__, format, _r); return _r; } -#define sec_trace_return_bool_api(body, format...) { bool _r = body(); typeof(format) _fmt = format; __security_trace_return_api(__FUNCTION__, _fmt ? _fmt : CFSTR("return=%d"), (int)_r); return _r; } - -#define secemergency(format, ...) __security_log(ASL_LEVEL_EMERG, NULL, \ - __FUNCTION__, __FILE__, __LINE__, \ - CFSTR(format), ## __VA_ARGS__) - -#define secalert(format, ...) __security_log(ASL_LEVEL_ALERT, NULL, \ - __FUNCTION__, __FILE__, __LINE__, \ - CFSTR(format), ## __VA_ARGS__) - -#define seccritical(format, ...) __security_log(ASL_LEVEL_CRIT, NULL, \ - __FUNCTION__, __FILE__, __LINE__, \ - CFSTR(format), ## __VA_ARGS__) - -#define secerror(format, ...) __security_log(ASL_LEVEL_ERR, NULL, \ - __FUNCTION__, __FILE__, __LINE__, \ - CFSTR(format), ## __VA_ARGS__) - -#define secerrorq(format, ...) __security_log(ASL_LEVEL_ERR, NULL, \ - "", "", 0, \ - CFSTR(format), ## __VA_ARGS__) - -#define secwarning(format, ...) __security_log(ASL_LEVEL_WARNING, NULL, \ - __FUNCTION__, __FILE__, __LINE__, \ - CFSTR(format), ## __VA_ARGS__) - -#define secnotice(scope, format, ...) 
__security_log(ASL_LEVEL_NOTICE, CFSTR(scope), \ - __FUNCTION__, __FILE__, __LINE__, \ - CFSTR(format), ## __VA_ARGS__) - -#define secnoticeq(scope, format, ...) __security_log(ASL_LEVEL_NOTICE, CFSTR(scope), \ - "", "", 0, \ - CFSTR(format), ## __VA_ARGS__) - - +#define SECLOG_LEVEL_EMERG 0 +#define SECLOG_LEVEL_ALERT 1 +#define SECLOG_LEVEL_CRIT 2 +#define SECLOG_LEVEL_ERR 3 +#define SECLOG_LEVEL_WARNING 4 +#define SECLOG_LEVEL_NOTICE 5 +#define SECLOG_LEVEL_INFO 6 +#define SECLOG_LEVEL_DEBUG 7 + +#include <os/log_private.h> +extern os_log_t logObjForScope(const char *scope); +extern bool secLogEnabled(void); +extern void secLogDisable(void); +extern void secLogEnable(void); + +#if TARGET_OS_OSX +#define NO_OS_LOG 1 +#ifdef NO_OS_LOG + +// There might be no os_log available. Weak link their internal functions. +void weak_os_log_impl(void *dso, os_log_t log, os_log_type_t type, const char *format, uint8_t *buf, unsigned int size); +#define _os_log_impl weak_os_log_impl + +#undef os_log_create +os_log_t weak_os_log_create(const char *subsystem, const char *category); +#define os_log_create weak_os_log_create + +bool weak_os_log_type_enabled(os_log_t oslog, os_log_type_t type); +#define os_log_type_enabled weak_os_log_type_enabled + +#endif // NO_OS_LOG +#endif // TARGET_OS_OSX + +CFStringRef SecLogAPICreate(bool apiIn, const char *api, CFStringRef format, ...); + +extern const char *api_trace; + +#define sec_trace_enter_api(format...) { \ + CFStringRef info = SecLogAPICreate(true, __FUNCTION__, format, NULL); \ + secinfo(api_trace, "%@", info); CFReleaseNull(info); \ +} + +#define sec_trace_return_api(rtype, body, format...) { \ + rtype _r = body(); \ + CFStringRef info = SecLogAPICreate(true, __FUNCTION__, format, _r); \ + secinfo(api_trace, "%@", info); \ + CFReleaseNull(info); return _r; \ +} + +#define sec_trace_return_bool_api(body, format...) { \ + bool _r = body(); \ + CFStringRef info = SecLogAPICreate(true, __FUNCTION__, format ? 
format : CFSTR("return=%d"), _r); \ + secinfo(api_trace, "%@", info); \ + CFReleaseNull(info); return _r; \ +} + +#define secemergency(format, ...) os_log_error(logObjForScope("SecEmergency"), format, ## __VA_ARGS__) +#define secalert(format, ...) os_log_error(logObjForScope("SecAlert"), format, ## __VA_ARGS__) +#define seccritical(format, ...) os_log(logObjForScope("SecCritical"), format, ## __VA_ARGS__) +#define secerror(format, ...) os_log(logObjForScope("SecError"), format, ## __VA_ARGS__) +#define secerrorq(format, ...) os_log(logObjForScope("SecError"), format, ## __VA_ARGS__) +#define secwarning(format, ...) os_log(logObjForScope("SecWarning"), format, ## __VA_ARGS__) +#define secnotice(scope, format, ...) os_log(logObjForScope(scope), format, ## __VA_ARGS__) +#define secnoticeq(scope, format, ...) os_log(logObjForScope(scope), format, ## __VA_ARGS__) +#define secinfo(scope, format, ...) os_log_debug(logObjForScope(scope), format, ## __VA_ARGS__) + +#define secinfoenabled(scope) os_log_debug_enabled(logObjForScope(scope)) + +// secdebug is used for things that might not be privacy safe at all, so only debug builds can have these traces +#undef secdebug #if !defined(NDEBUG) - -#define secinfo(scope, format, ...) __security_log(ASL_LEVEL_INFO, CFSTR(scope), \ -__FUNCTION__, __FILE__, __LINE__, \ -CFSTR(format), ## __VA_ARGS__) - -# define secdebug(scope,format, ...) __security_debug(CFSTR(scope), \ - __FUNCTION__, __FILE__, __LINE__, \ - CFSTR(format), ## __VA_ARGS__) - +#define secdebug(scope, format, ...) os_log_debug(logObjForScope(scope), format, ## __VA_ARGS__) #else -# define secinfo(scope,...) /* nothing */ # define secdebug(scope,...) 
/* nothing */ #endif typedef void (^security_log_handler)(int level, CFStringRef scope, const char *function, const char *file, int line, CFStringRef message); -void add_security_log_handler(security_log_handler handler); -void remove_security_log_handler(security_log_handler handler); - /* To simulate a process crash in some conditions */ void __security_simulatecrash(CFStringRef reason, uint32_t code); +void __security_stackshotreport(CFStringRef reason, uint32_t code); /* predefined simulate crash exception codes */ #define __sec_exception_code(x) (0x53c00000+x) -#define __sec_exception_code_CorruptDb(db,rc) __sec_exception_code(1|((db)<<8)|((rc)<<16)) +/* 1 was __sec_exception_code_CorruptDb */ #define __sec_exception_code_CorruptItem __sec_exception_code(2) #define __sec_exception_code_OTRError __sec_exception_code(3) #define __sec_exception_code_DbItemDescribe __sec_exception_code(4) #define __sec_exception_code_TwiceCorruptDb(db) __sec_exception_code(5|((db)<<8)) #define __sec_exception_code_AuthLoop __sec_exception_code(6) #define __sec_exception_code_MissingEntitlements __sec_exception_code(7) +#define __sec_exception_code_LostInMist __sec_exception_code(8) +#define __sec_exception_code_CKD_nil_pending_keys __sec_exception_code(9) +#define __sec_exception_code_SQLiteBusy __sec_exception_code(10) +#define __sec_exception_code_CorruptDb(rc) __sec_exception_code(11|((rc)<<8)) /* For testing only, turns off/on simulated crashes, when turning on, returns number of simulated crashes which were not reported since last turned off. */ diff --git a/OSX/utilities/src/der_date.c b/OSX/utilities/src/der_date.c index 2df138c5..5594ea20 100644 --- a/OSX/utilities/src/der_date.c +++ b/OSX/utilities/src/der_date.c 
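Review bot: `sec_trace_return_api` and `sec_trace_return_bool_api` both call `SecLogAPICreate(true, __FUNCTION__, …)`, and in `SecLogAPICreate` a true `apiIn` selects the `"ENTER"` label and appends the `CALLER` block, so every return is logged as an entry with a spurious caller and no trace ever says `RETURN`; both macros should pass `false`, e.g. `CFStringRef info = SecLogAPICreate(false, __FUNCTION__, format, _r);`. The severity mapping also flattens the old ASL ordering: `seccritical`, `secerror` and `secwarning` now go out via plain `os_log` (default type) while only `secemergency`/`secalert` use `os_log_error`, so an `secerror` is indistinguishable from a notice when triaging unified-log output — `os_log_fault` for emergency/alert and `os_log_error` for critical/error would preserve the distinction. `SecLogAPICreate` drops the `CF_FORMAT_FUNCTION` attribute the removed `__security_trace_*` prototypes carried, so a mismatched format argument is no longer caught at compile time; declare it as `CFStringRef SecLogAPICreate(bool apiIn, const char *api, CFStringRef format, ...) CF_FORMAT_FUNCTION(3, 4);`. `#define NO_OS_LOG 1` directly followed by `#ifdef NO_OS_LOG` makes the inner conditional unconditionally true, so either the define or the `#ifdef` is redundant, and the surviving `typedef void (^security_log_handler)(…)` has no remaining user now that `add_security_log_handler`/`remove_security_log_handler` are gone.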
@@ -206,7 +206,7 @@ static const uint8_t* der_decode_commontime_body(CFAbsoluteTime *at, CFErrorRef CFTimeInterval timeZoneOffset = der_decode_timezone_offset(&der, der_end, error); #if 0 - secdebug("dateparse", + secinfo("dateparse", "date %.*s year: %04d%02d%02d%02d%02d%02d%+05g", length, bytes, g.year, g.month, g.day, g.hour, g.minute, g.second, diff --git a/OSX/utilities/src/fileIo.c b/OSX/utilities/src/fileIo.c index bb8523ab..c9b7024b 100644 --- a/OSX/utilities/src/fileIo.c +++ b/OSX/utilities/src/fileIo.c @@ -13,6 +13,15 @@ #include "fileIo.h" int writeFile( + const char *fileName, + const unsigned char *bytes, + unsigned numBytes) +{ + size_t n = numBytes; + return writeFileSizet(fileName, bytes, n); +} + +int writeFileSizet( const char *fileName, const unsigned char *bytes, size_t numBytes) @@ -28,7 +37,7 @@ int writeFile( } fd = open(fileName, O_RDWR | O_CREAT | O_TRUNC, 0600); - if(fd <= 0) { + if(fd < 0) { return errno; } wrc = write(fd, bytes, (size_t)numBytes); @@ -48,7 +57,7 @@ int writeFile( /* * Read entire file. */ -int readFile( +int readFileSizet( const char *fileName, unsigned char **bytes, // mallocd and returned size_t *numBytes) // returned @@ -63,7 +72,7 @@ int readFile( *numBytes = 0; *bytes = NULL; fd = open(fileName, O_RDONLY); - if(fd <= 0) { + if(fd < 0) { return errno; } rtn = fstat(fd, &sb); diff --git a/OSX/utilities/src/fileIo.h b/OSX/utilities/src/fileIo.h index d12413fe..2e3bb293 100644 --- a/OSX/utilities/src/fileIo.h +++ b/OSX/utilities/src/fileIo.h @@ -11,12 +11,17 @@ extern "C" { #endif -int readFile( +int readFileSizet( const char *fileName, unsigned char **bytes, // mallocd and returned size_t *numBytes); // returned int writeFile( + const char *fileName, + const unsigned char *bytes, + unsigned numBytes); + +int writeFileSizet( const char *fileName, const unsigned char *bytes, size_t numBytes); diff --git a/OSX/utilities/src/iCloudKeychainTrace.h b/OSX/utilities/src/iCloudKeychainTrace.h index cd75ef67..c9c834f9 100644 
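Review bot: `readFile` is renamed to `readFileSizet` with no compatibility entry point, while `writeFile` keeps its old name as a thin wrapper around `writeFileSizet`; the `fileIo.h` hunk below removes the old `readFile` prototype as well, so any caller outside this patch now fails to compile, which is presumably the case the write-side shim was added to avoid. If the asymmetry is intentional (for example `readFile` is to be reintroduced with an `unsigned *` length), a comment in the header would explain it; otherwise `int readFile(const char *fileName, unsigned char **bytes, size_t *numBytes) { return readFileSizet(fileName, bytes, numBytes); }` restores the previous interface. The bodies of `writeFileSizet`/`readFileSizet`, including the `write` and `read` result handling, continue outside these hunks.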
--- a/OSX/utilities/src/iCloudKeychainTrace.h +++ b/OSX/utilities/src/iCloudKeychainTrace.h @@ -27,13 +27,13 @@ #include <CoreFoundation/CoreFoundation.h> -const CFStringRef kCloudKeychainNumberOfSyncingConflicts +extern const CFStringRef kCloudKeychainNumberOfSyncingConflicts __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); -const CFStringRef kCloudKeychainNumberOfTimesSyncFailed +extern const CFStringRef kCloudKeychainNumberOfTimesSyncFailed __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); -const CFStringRef kCloudKeychainNumberOfConflictsResolved +extern const CFStringRef kCloudKeychainNumberOfConflictsResolved __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); -const CFStringRef kCloudKeychainNumberOfTimesSyncedWithPeers +extern const CFStringRef kCloudKeychainNumberOfTimesSyncedWithPeers __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); bool SetCloudKeychainTraceValueForKey(CFStringRef key, int64_t value) diff --git a/OSX/utilities/src/iOSforOSX-SecAttr.c b/OSX/utilities/src/iOSforOSX-SecAttr.c index 1b7dfe2d..f6d1cced 100644 --- a/OSX/utilities/src/iOSforOSX-SecAttr.c +++ b/OSX/utilities/src/iOSforOSX-SecAttr.c @@ -39,8 +39,10 @@ // We may not have all of these we need SEC_CONST_DECL (kSecAttrAccessible, "pdmn"); SEC_CONST_DECL (kSecAttrAccessibleAlwaysThisDeviceOnly, "dku"); +SEC_CONST_DECL (kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate, "dku"); SEC_CONST_DECL (kSecAttrAccessControl, "accc"); SEC_CONST_DECL (kSecAttrTokenID, "tkid"); +SEC_CONST_DECL (kSecAttrAccessGroupToken, "com.apple.token"); SEC_CONST_DECL (kSecUseCredentialReference, "u_CredRef"); SEC_CONST_DECL (kSecUseOperationPrompt, "u_OpPrompt"); SEC_CONST_DECL (kSecUseNoAuthenticationUI, "u_NoAuthUI"); diff --git a/OSX/utilities/src/simulate_crash.c b/OSX/utilities/src/simulate_crash.c index 65677ecc..74ebb05a 100644 --- a/OSX/utilities/src/simulate_crash.c +++ b/OSX/utilities/src/simulate_crash.c 
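Review bot: `kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate` is declared with the same backing string `"dku"` as `kSecAttrAccessibleAlwaysThisDeviceOnly` directly above it, so the two accessibility constants compare equal under `CFEqual` and are indistinguishable once written into an item's `pdmn` attribute. If the `Private` name is a deliberate alias for this OS X shim, a comment such as `// intentionally shares "dku": same protection class as kSecAttrAccessibleAlwaysThisDeviceOnly` would stop a later reader from treating it as a bug; if it is meant to be a distinct protection class it needs its own value matching the iOS definition. The file's own context line (`// We may not have all of these we need`) suggests these values are provisional, so this is flagged rather than fixed.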
@@ -56,6 +56,31 @@ void __security_simulatecrash(CFStringRef reason, uint32_t code) __simulate_crash_counter++; } +void __security_stackshotreport(CFStringRef reason, uint32_t code) +{ + secerror("stackshot report, reason: %@, code=%08x", reason, code); +#if !TARGET_IPHONE_SIMULATOR + // Prototype defined in <CrashReporterSupport/CrashReporterSupport.h>, but objC only. + // Soft linking here so we don't link unless we hit this. + static BOOL (*__WriteStackshotReport)(void *, mach_exception_data_type_t) = NULL; + + static dispatch_once_t once = 0; + dispatch_once(&once, ^{ + void *image = dlopen("/System/Library/PrivateFrameworks/CrashReporterSupport.framework/CrashReporterSupport", RTLD_NOW); + if (image) + __WriteStackshotReport = dlsym(image, "WriteStackshotReport"); + }); + + if (__WriteStackshotReport) + __WriteStackshotReport((void *)reason, code); + else + secerror("WriteStackshotReport not available"); +#else + secerror("WriteStackshotReport not available in iOS simulator"); +#endif +} + + int __security_simulatecrash_enable(bool enable) { int count = __simulate_crash_counter; diff --git a/OSX/utilities/utilities.xcodeproj/project.pbxproj b/OSX/utilities/utilities.xcodeproj/project.pbxproj index a069e601..2d1572c5 100644 --- a/OSX/utilities/utilities.xcodeproj/project.pbxproj +++ b/OSX/utilities/utilities.xcodeproj/project.pbxproj 
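Review bot: the `BOOL` returned by `__WriteStackshotReport` is discarded, so a failed stackshot is silent even though the unavailable case immediately below logs with `secerror`; `if (!__WriteStackshotReport((void *)reason, code)) secerror("WriteStackshotReport failed, code=%08x", code);` keeps the two failure paths symmetric. `BOOL` and `mach_exception_data_type_t` are used in a `.c` file and no include for `<objc/objc.h>` or `<mach/exception_types.h>` is visible in this hunk, so it is worth confirming the file's include list (outside the hunk) provides them rather than relying on transitive includes. The `dlopen` handle is never closed, which looks intentional because the resolved pointer is cached under `dispatch_once`; a one-line comment saying so would prevent a well-meant `dlclose` later.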
@@ -56,7 +56,6 @@ 72B918A2179723C100940533 /* iCloudKeychainTrace.h in Headers */ = {isa = PBXBuildFile; fileRef = 72B918A0179723AE00940533 /* iCloudKeychainTrace.h */; }; BEA22A361811E4C800BE7682 /* SecCertificateTrace.c in Sources */ = {isa = PBXBuildFile; fileRef = BEA22A341811E4A600BE7682 /* SecCertificateTrace.c */; }; BEA22A371811E4CF00BE7682 /* SecCertificateTrace.h in Headers */ = {isa = PBXBuildFile; fileRef = BEA22A351811E4A600BE7682 /* SecCertificateTrace.h */; }; - D4DFE88E1BE5678B00E8A196 /* SecdUsage.c in Sources */ = {isa = PBXBuildFile; fileRef = D4DFE88D1BE5678B00E8A196 /* SecdUsage.c */; }; E706B78A18FC822B00797907 /* simulate_crash.c in Sources */ = {isa = PBXBuildFile; fileRef = E706B78918FC822B00797907 /* simulate_crash.c */; }; E7188DF81AAA819400B46156 /* SecBuffer.c in Sources */ = {isa = PBXBuildFile; fileRef = E7188DF61AAA819400B46156 /* SecBuffer.c */; }; E7188DF91AAA819400B46156 /* SecBuffer.h in Headers */ = {isa = PBXBuildFile; fileRef = E7188DF71AAA819400B46156 /* SecBuffer.h */; }; 
@@ -92,23 +91,23 @@ 48FB16FC1A76C9AD00B586C7 /* su-17-cfset-der.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "su-17-cfset-der.c"; sourceTree = "<group>"; }; 4C068F801653146500E8A1BB /* iOSforOSX.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = iOSforOSX.h; sourceTree = "<group>"; }; 4C068F821653147D00E8A1BB /* iOSforOSX.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = iOSforOSX.c; sourceTree = "<group>"; }; - 4C143CF7165172AD003035A3 /* SecDb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecDb.c; sourceTree = "<group>"; }; + 4C143CF7165172AD003035A3 /* SecDb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = SecDb.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; 4C143CF9165172C0003035A3 /* SecDb.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecDb.h; sourceTree = "<group>"; }; 4C3600431680DEB90049891B /* iOSforOSX-SecAttr.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "iOSforOSX-SecAttr.c"; sourceTree = "<group>"; }; 4C3600441680DEB90049891B /* iOSforOSX-SecRandom.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "iOSforOSX-SecRandom.c"; sourceTree = "<group>"; }; 4C3963D815ACF2E700762091 /* su-16-cfdate-der.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "su-16-cfdate-der.c"; sourceTree = "<group>"; }; 4C5BCD8917304B8100DCEFB4 /* der_null.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = der_null.c; sourceTree = "<group>"; }; 4C6882BF15ABADBC00028C8F /* SecCFRelease.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCFRelease.h; sourceTree = "<group>"; }; - 
4C6882C015ABADBC00028C8F /* SecCFWrappers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCFWrappers.h; sourceTree = "<group>"; }; + 4C6882C015ABADBC00028C8F /* SecCFWrappers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = SecCFWrappers.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 4C6882C115ABADBC00028C8F /* array_size.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = array_size.h; sourceTree = "<group>"; }; 4C6882C215ABADBC00028C8F /* comparison.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = comparison.c; sourceTree = "<group>"; }; 4C6882C315ABADBC00028C8F /* comparison.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = comparison.h; sourceTree = "<group>"; }; 4C6882C415ABADBC00028C8F /* debugging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = debugging.c; sourceTree = "<group>"; }; - 4C6882C515ABADBC00028C8F /* debugging.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = debugging.h; sourceTree = "<group>"; }; + 4C6882C515ABADBC00028C8F /* debugging.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = debugging.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 4C6882C615ABADBC00028C8F /* der_array.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = der_array.c; sourceTree = "<group>"; }; 4C6882C715ABADBC00028C8F /* der_boolean.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = der_boolean.c; sourceTree = "<group>"; }; 4C6882C815ABADBC00028C8F /* der_data.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.c; path = der_data.c; sourceTree = "<group>"; }; - 4C6882C915ABADBC00028C8F /* der_date.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = der_date.c; sourceTree = "<group>"; }; + 4C6882C915ABADBC00028C8F /* der_date.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = der_date.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; 4C6882CA15ABADBC00028C8F /* der_dictionary.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = der_dictionary.c; sourceTree = "<group>"; }; 4C6882CB15ABADBC00028C8F /* der_number.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = der_number.c; sourceTree = "<group>"; }; 4C6882CC15ABADBC00028C8F /* der_plist.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = der_plist.c; sourceTree = "<group>"; }; 
@@ -120,7 +119,7 @@ 4C6882D215ABADBC00028C8F /* fileIo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = fileIo.h; sourceTree = "<group>"; }; 4C6882D315ABADBC00028C8F /* sqlutils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = sqlutils.h; sourceTree = "<group>"; }; 4C6882EB15ABC4B400028C8F /* der_date.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = der_date.h; sourceTree = "<group>"; }; - 4C8BDD6F17B3920F00C20EA5 /* SecMeta.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecMeta.h; sourceTree = "<group>"; }; + 4C8BDD6F17B3920F00C20EA5 /* SecMeta.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; path = SecMeta.h; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objcpp; }; 4C8BDD7117B4ABCC00C20EA5 /* su-05-cfwrappers.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "su-05-cfwrappers.c"; sourceTree = "<group>"; }; 4CB23B9616A09318003A0131 /* security_tool_commands_table.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = security_tool_commands_table.h; sourceTree = "<group>"; }; 4CB23B9716A09503003A0131 /* not_on_this_platorm.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = not_on_this_platorm.c; sourceTree = "<group>"; }; 
@@ -138,7 +137,6 @@ 72B918A0179723AE00940533 /* iCloudKeychainTrace.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = iCloudKeychainTrace.h; sourceTree = "<group>"; }; BEA22A341811E4A600BE7682 /* SecCertificateTrace.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SecCertificateTrace.c; sourceTree = "<group>"; }; BEA22A351811E4A600BE7682 /* SecCertificateTrace.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecCertificateTrace.h; sourceTree = "<group>"; }; - D4DFE88D1BE5678B00E8A196 /* SecdUsage.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecdUsage.c; sourceTree = "<group>"; }; E706B78918FC822B00797907 /* simulate_crash.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = simulate_crash.c; sourceTree = "<group>"; }; E7188DF61AAA819400B46156 /* SecBuffer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecBuffer.c; sourceTree = "<group>"; }; E7188DF71AAA819400B46156 /* SecBuffer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecBuffer.h; sourceTree = "<group>"; }; 
@@ -161,7 +159,7 @@ E7B01B961664031B000485F1 /* SecDispatchRelease.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecDispatchRelease.h; sourceTree = "<group>"; }; E7B183651AAE3FA3006C3392 /* su-08-secbuffer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "su-08-secbuffer.c"; sourceTree = "<group>"; }; E7CC89D31909DF3F005FFA08 /* debugging_test.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = debugging_test.h; sourceTree = "<group>"; }; - E7CC89D41909E0A2005FFA08 /* su-07-debugging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "su-07-debugging.c"; sourceTree = "<group>"; }; + E7CC89D41909E0A2005FFA08 /* su-07-debugging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; lineEnding = 0; path = "su-07-debugging.c"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; E7E0D8F9158FA9A3002CA176 /* libutilitiesRegressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libutilitiesRegressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; E7E0D908158FD9CD002CA176 /* su-10-cfstring-der.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "su-10-cfstring-der.c"; sourceTree = "<group>"; }; E7FC081B161A3038008E0760 /* SecIOFormat.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecIOFormat.h; sourceTree = "<group>"; }; @@ -247,7 +245,6 @@ 4C3600441680DEB90049891B /* iOSforOSX-SecRandom.c */, 4C143CF7165172AD003035A3 /* SecDb.c */, 4C143CF9165172C0003035A3 /* SecDb.h */, - D4DFE88D1BE5678B00E8A196 /* SecdUsage.c */, 52743BD516BB278C001A299D /* SecFileLocations.c */, 52743BD716BB27A1001A299D /* SecFileLocations.h */, 52E2E4941738371400E78313 /* SecXPCError.h */, 
@@ -420,7 +417,7 @@ E742A09314E343E70052A486 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0700; + LastUpgradeCheck = 0800; ORGANIZATIONNAME = "Apple Inc."; }; buildConfigurationList = E742A09614E343E70052A486 /* Build configuration list for PBXProject "utilities" */; @@ -467,7 +464,6 @@ E777C72315B74038004044A8 /* SecCFError.c in Sources */, 489E6E501A71B07600D7EB8C /* der_set.c in Sources */, 4C143CF8165172AD003035A3 /* SecDb.c in Sources */, - D4DFE88E1BE5678B00E8A196 /* SecdUsage.c in Sources */, 4CF1FAC21654EAD100261CF4 /* SecCFWrappers.c in Sources */, 521C60C61A9D31580034F742 /* SecCFCCWrappers.c in Sources */, 52E2E4971738394C00E78313 /* SecXPCError.c in Sources */, @@ -511,10 +507,11 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; + "ARCHS[sdk=macosx*]" = "$(ARCHS_STANDARD_32_64_BIT)"; CLANG_ENABLE_OBJC_ARC = YES; CLANG_STATIC_ANALYZER_MODE = deep; COPY_PHASE_STRIP = NO; + ENABLE_TESTABILITY = YES; GCC_C_LANGUAGE_STANDARD = gnu99; GCC_DYNAMIC_NO_PIC = NO; GCC_OPTIMIZATION_LEVEL = 0; @@ -528,9 +525,10 @@ GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES; GCC_WARN_ABOUT_RETURN_TYPE = YES; GCC_WARN_UNUSED_VARIABLE = YES; + ONLY_ACTIVE_ARCH = YES; RUN_CLANG_STATIC_ANALYZER = YES; SDKROOT = macosx.internal; - SUPPORTED_PLATFORMS = "iphonesimulator iphoneos macosx"; + SUPPORTED_PLATFORMS = "iphonesimulator iphoneos macosx appletvos appletvsimulator watchos watchsimulator"; }; name = Debug; }; @@ -538,7 +536,7 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = "$(ARCHS_STANDARD_32_64_BIT)"; + "ARCHS[sdk=macosx*]" = "$(ARCHS_STANDARD_32_64_BIT)"; CLANG_ENABLE_OBJC_ARC = YES; CLANG_STATIC_ANALYZER_MODE = deep; COPY_PHASE_STRIP = NO; 
@@ -551,7 +549,7 @@ GCC_WARN_UNUSED_VARIABLE = YES; RUN_CLANG_STATIC_ANALYZER = YES; SDKROOT = macosx.internal; - SUPPORTED_PLATFORMS = "iphonesimulator iphoneos macosx"; + SUPPORTED_PLATFORMS = "iphonesimulator iphoneos macosx appletvos appletvsimulator watchos watchsimulator"; VALIDATE_PRODUCT = YES; }; name = Release; @@ -565,7 +563,7 @@ "$(inherited)", "$(PROJECT_DIR)", "$(PROJECT_DIR)/../sec/ProjectHeaders/", - "$(BUILT_PRODUCTS_DIR)$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include", + "$(BUILT_PRODUCTS_DIR)/usr/local/include", ); PRODUCT_NAME = "$(TARGET_NAME)"; SKIP_INSTALL = YES; @@ -581,7 +579,7 @@ "$(inherited)", "$(PROJECT_DIR)", "$(PROJECT_DIR)/../sec/ProjectHeaders", - "$(BUILT_PRODUCTS_DIR)$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include", + "$(BUILT_PRODUCTS_DIR)/usr/local/include", ); PRODUCT_NAME = "$(TARGET_NAME)"; SKIP_INSTALL = YES; @@ -596,7 +594,6 @@ "$(inherited)", "$(PROJECT_DIR)", "$(PROJECT_DIR)/../regressions", - "$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include", ); PRODUCT_NAME = "$(TARGET_NAME)"; SKIP_INSTALL = YES; @@ -611,7 +608,6 @@ "$(inherited)", "$(PROJECT_DIR)", "$(PROJECT_DIR)/../regressions", - "$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/include", ); PRODUCT_NAME = "$(TARGET_NAME)"; SKIP_INSTALL = YES; diff --git a/OTAPKIAssetTool/OTAPKIAssetTool.xcconfig b/OTAPKIAssetTool/OTAPKIAssetTool.xcconfig index dcd45504..8d9ab8b2 100644 --- a/OTAPKIAssetTool/OTAPKIAssetTool.xcconfig +++ b/OTAPKIAssetTool/OTAPKIAssetTool.xcconfig @@ -11,4 +11,6 @@ LAUNCHD_PLIST_INSTALL_DIR = $(DSTROOT)$(SYSTEM_LIBRARY_DIR)/LaunchDaemons // We do not want to install OTAPKIAssetTool into the simulator, so only // define this for non-sim platforms. -OTAPKIASSETTOOL_LAUNCHD_PLIST[sdk=iphoneos*] = OTAPKIAssetTool/com.apple.OTAPKIAssetTool.plist +OTAPKIASSETTOOL_LAUNCHD_PLIST[sdk=embedded*] = OTAPKIAssetTool/com.apple.OTAPKIAssetTool.plist + +GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0 
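Review bot: The comment above the `OTAPKIASSETTOOL_LAUNCHD_PLIST` line still says the plist is only defined for non-simulator platforms, but the condition is now `[sdk=embedded*]` rather than `[sdk=iphoneos*]`; if `embedded*` also matches the simulator SDKs this silently contradicts the comment, so it is worth confirming and updating the comment to name the platforms actually intended. The new `GCC_PREPROCESSOR_DEFINITIONS = $(inherited) OSSPINLOCK_USE_INLINED=0` line carries no comment saying why this target needs it; a one-line `// <reason placeholder>` above it would spare the next reader a search.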
diff --git a/README b/README index 6338ba12..3732b416 100644 --- a/README +++ b/README @@ -34,5 +34,6 @@ libScripts/ ==== To regenerate strings file run: -genstrings -o resources/English.lproj -s SecString sec/Security/SecFrameworkStrings.h +genstrings -u -o resources/English.lproj -s SecString OSX/sec/Security/SecFrameworkStrings.h + in the top level dir. diff --git a/RegressionTests/Security.plist b/RegressionTests/Security.plist index b2eb369f..c21bfa12 100644 --- a/RegressionTests/Security.plist +++ b/RegressionTests/Security.plist @@ -4,12 +4,6 @@ <dict> <key>Project</key> <string>Security</string> - <key>TestSpecificLogs</key> - <array> - <string>/var/log/system.log</string> - <string>/var/log/module/com.apple.securityd/.*</string> - <string>/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/.*security.log.*</string> - </array> <key>Tests</key> <array> <dict> @@ -20,9 +14,20 @@ <string>/AppleInternal/CoreOS/tests/Security/secbackupntest</string> </array> </dict> + <dict> + <key>TestName</key> + <string>keystorectl-get-lock-state</string> + <key>Command</key> + <array> + <string>/usr/local/bin/keystorectl</string> + <string>get-lock-state</string> + </array> + </dict> <dict> <key>TestName</key> <string>BackupTest</string> + <key>Disabled</key> + <true/> <key>Command</key> <array> <string>/AppleInternal/CoreOS/tests/Security/secbackuptest</string> 
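Review bot: `BackupTest` is marked `<key>Disabled</key><true/>` with no record of why, so nobody reading the plist later can tell whether it is safe to re-enable it; plist files accept XML comments, so a line such as `<!-- Disabled: <reason placeholder> -->` next to the key would carry that. The `TestSpecificLogs` removal in the first hunk of this file (and the identical removal in Security_edumode.plist) is equally silent about its motivation, if it was deliberate.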
@@ -36,6 +41,30 @@ <string>/AppleInternal/CoreOS/tests/Security/secedumodetest</string> </array> </dict> + <dict> + <key>TestName</key> + <string>secitemstresstest</string> + <key>Command</key> + <array> + <string>/AppleInternal/CoreOS/tests/Security/secitemstresstest</string> + </array> + </dict> + <dict> + <key>TestName</key> + <string>secitemnotifications</string> + <key>Command</key> + <array> + <string>/AppleInternal/CoreOS/tests/Security/secitemnotifications</string> + </array> + </dict> + <dict> + <key>TestName</key> + <string>secitemfunctionality</string> + <key>Command</key> + <array> + <string>/AppleInternal/CoreOS/tests/Security/secitemfunctionality</string> + </array> + </dict> <dict> <key>TestName</key> <string>secd_02_upgrade_while_locked</string> diff --git a/RegressionTests/Security_edumode.plist b/RegressionTests/Security_edumode.plist index 32e19d80..ec3e2a5b 100644 --- a/RegressionTests/Security_edumode.plist +++ b/RegressionTests/Security_edumode.plist @@ -4,12 +4,6 @@ <dict> <key>Project</key> <string>Security</string> - <key>TestSpecificLogs</key> - <array> - <string>/var/log/system.log</string> - <string>/var/log/module/com.apple.securityd/.*</string> - <string>/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/.*security.log.*</string> - </array> <key>Tests</key> <array> <dict> diff --git a/RegressionTests/secbackuptest/secbackuptest.m b/RegressionTests/secbackuptest/secbackuptest.m index 962cb283..fbb18248 100644 --- a/RegressionTests/secbackuptest/secbackuptest.m +++ b/RegressionTests/secbackuptest/secbackuptest.m @@ -28,11 +28,16 @@ main(void) #include <libaks.h> -static NSData * +static NSData *keybag = NULL; +static NSString *keybaguuid = NULL; + +static void BagMe(void) { keybag_handle_t handle; kern_return_t result; + char uuidstr[37]; + uuid_t uuid; void *data = NULL; int length; 
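Review bot: `char uuidstr[37];` in `BagMe` is a magic size; it only makes sense as the 36-character textual UUID plus NUL terminator that `uuid_unparse_lower` writes, so say so: `char uuidstr[37]; /* 36 chars + NUL, as written by uuid_unparse_lower() */`, or use the `uuid_string_t` typedef from `<uuid/uuid.h>` which encodes exactly that. `BagMe` continues in the next hunk.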
@@ -44,19 +49,27 @@ BagMe(void) if (result) errx(1, "aks_save_bag"); - return [NSData dataWithBytes:data length:length]; + result = aks_get_bag_uuid(handle, uuid); + if (result) + errx(1, "aks_get_bag_uuid"); + + uuid_unparse_lower(uuid, uuidstr); + + keybaguuid = [NSString stringWithUTF8String:uuidstr]; + keybag = [NSData dataWithBytes:data length:length]; } int main (int argc, const char * argv[]) { @autoreleasepool { - NSData *bag = NULL, *password = NULL; + NSData *password = NULL; CFErrorRef error = NULL; + NSString *uuid = NULL; - bag = BagMe(); + BagMe(); password = [NSData dataWithBytes:"foo" length:3]; - NSData *backup = CFBridgingRelease(_SecKeychainCopyBackup((__bridge CFDataRef)bag, (__bridge CFDataRef)password)); + NSData *backup = CFBridgingRelease(_SecKeychainCopyBackup((__bridge CFDataRef)keybag, (__bridge CFDataRef)password)); if (backup == NULL) { errx(1, "backup failed"); } @@ -64,12 +77,23 @@ int main (int argc, const char * argv[]) char path[] = "/tmp/secbackuptestXXXXXXX"; int fd = mkstemp(path); - bool status = _SecKeychainWriteBackupToFileDescriptor((__bridge CFDataRef)bag, (__bridge CFDataRef)password, fd, &error); + bool status = _SecKeychainWriteBackupToFileDescriptor((__bridge CFDataRef)keybag, (__bridge CFDataRef)password, fd, &error); if (!status) { NSLog(@"backup failed: %@", error); errx(1, "failed backup 2"); } + uuid = CFBridgingRelease(_SecKeychainCopyKeybagUUIDFromFileDescriptor(fd, &error)); + if (uuid == NULL) { + NSLog(@"getting uuid failed failed: %@", error); + errx(1, "failed getting uuid"); + } + + if (![uuid isEqual:keybaguuid]) { + NSLog(@"getting uuid failed failed: %@ vs %@", uuid, keybaguuid); + errx(1, "failed compare uuid"); + } + struct stat sb; fstat(fd, &sb); 
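Review bot: Both new `NSLog` calls say `getting uuid failed failed`, and the second one fires on a comparison mismatch rather than a failed lookup, so its text is doubly misleading; suggest `NSLog(@"getting uuid failed: %@", error);` for the first and `NSLog(@"keybag uuid mismatch: file %@ vs bag %@", uuid, keybaguuid);` for the second, with the matching `errx` text adjusted. `main` starts in the previous hunk and continues past this one.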
@@ -79,8 +103,7 @@ int main (int argc, const char * argv[]) if (abs((int)(sb.st_size - (off_t)[backup length])) > 1000) errx(1, "backup different enough to fail"); - - status = _SecKeychainRestoreBackupFromFileDescriptor(fd, (__bridge CFDataRef)bag, (__bridge CFDataRef)password, &error); + status = _SecKeychainRestoreBackupFromFileDescriptor(fd, (__bridge CFDataRef)keybag, (__bridge CFDataRef)password, &error); if (!status) { NSLog(@"restore failed: %@", error); errx(1, "restore failed"); @@ -89,7 +112,7 @@ int main (int argc, const char * argv[]) close(fd); unlink(path); - NSData *backup2 = CFBridgingRelease(_SecKeychainCopyBackup((__bridge CFDataRef)bag, (__bridge CFDataRef)password)); + NSData *backup2 = CFBridgingRelease(_SecKeychainCopyBackup((__bridge CFDataRef)keybag, (__bridge CFDataRef)password)); if (backup2 == NULL) { errx(1, "backup 3 failed"); } diff --git a/RegressionTests/secitemfunctionality/secitemfunctionality.entitlements b/RegressionTests/secitemfunctionality/secitemfunctionality.entitlements new file mode 100644 index 00000000..aca42f14 --- /dev/null +++ b/RegressionTests/secitemfunctionality/secitemfunctionality.entitlements @@ -0,0 +1,11 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>keychain-access-groups</key> + <array> + <string>keychain-test1</string> + <string>keychain-test2</string> + </array> +</dict> +</plist> diff --git a/RegressionTests/secitemfunctionality/secitemfunctionality.m b/RegressionTests/secitemfunctionality/secitemfunctionality.m new file mode 100644 index 00000000..b6baabc1 --- /dev/null +++ b/RegressionTests/secitemfunctionality/secitemfunctionality.m 
@@ -0,0 +1,554 @@ +// +// Copyright 2016 Apple. All rights reserved. +// + +/* + * This is to fool os services to not provide the Keychain manager + * interface tht doens't work since we don't have unified headers + * between iOS and OS X. rdar://23405418/ + */ +#define __KEYCHAINCORE__ 1 + +#include <Foundation/Foundation.h> +#include <Security/Security.h> +#include <Security/SecItemPriv.h> +#include <Security/SecBasePriv.h> +#include <Security/SecIdentityPriv.h> +#include <err.h> +#include <strings.h> + +#if !TARGET_OS_IPHONE +/* + * Becuase this file uses the iOS headers and we have no unified the headers + * yet, its not possible to include <Security/SecKeychain.h> here because + * of missing type. Pull in prototype needed. + */ +extern OSStatus SecKeychainUnlock(CFTypeRef keychain, UInt32 passwordLength, const void *password, Boolean usePassword); +#endif + +static void +fail(const char *fmt, ...) __printflike(1, 2) __attribute__((noreturn)); + + +static void +fail(const char *fmt, ...) 
+{ + va_list ap; + va_start(ap, fmt); + printf("[FAIL] "); + verrx(1, fmt, ap); + va_end(ap); +} + +/* + * Create item w/o data, try to make sure we end up in the OS X keychain + */ + +static void +CheckItemAddDeleteMaybeLegacyKeychainNoData(void) +{ + OSStatus status; + + printf("[TEST] %s\n", __FUNCTION__); + + NSDictionary *query = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccount : @"item-delete-me", + (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock, + }; + status = SecItemDelete((__bridge CFDictionaryRef)query); + if (status != errSecSuccess && status != errSecItemNotFound) + fail("cleanup item: %d", (int)status); + + /* + * now check add notification + */ + + status = SecItemAdd((__bridge CFDictionaryRef)query, NULL); + if (status != errSecSuccess) + fail("add item: %d: %s", (int)status, [[query description] UTF8String]); + + /* + * clean up + */ + + status = SecItemDelete((__bridge CFDictionaryRef)query); + if (status != errSecSuccess) + fail("cleanup2 item: %d", (int)status); + + + printf("[PASS] %s\n", __FUNCTION__); + +} + +static void +CheckItemAddDeleteNoData(void) +{ + OSStatus status; + + printf("[TEST] %s\n", __FUNCTION__); + + NSDictionary *query = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccessGroup : @"keychain-test1", + (id)kSecAttrAccount : @"item-delete-me", + (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock, + }; + status = SecItemDelete((__bridge CFDictionaryRef)query); + if (status != errSecSuccess && status != errSecItemNotFound) + fail("cleanup item: %d", (int)status); + + /* + * Add item + */ + + status = SecItemAdd((__bridge CFDictionaryRef)query, NULL); + if (status != errSecSuccess) + fail("add item: %d: %s", (int)status, [[query description] UTF8String]); + + /* + * clean up + */ + + status = SecItemDelete((__bridge CFDictionaryRef)query); + if (status != errSecSuccess) + fail("cleanup2 item: %d", (int)status); + + printf("[PASS] %s\n", __FUNCTION__); +} + 
+static void +CheckItemUpdateAccessGroupGENP(void) +{ + OSStatus status; + + printf("[TEST] %s\n", __FUNCTION__); + + NSDictionary *clean1 = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccessGroup : @"keychain-test1", + }; + NSDictionary *clean2 = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccessGroup : @"keychain-test2", + }; + + (void)SecItemDelete((__bridge CFDictionaryRef)clean1); + (void)SecItemDelete((__bridge CFDictionaryRef)clean2); + + /* + * Add item + */ + + NSDictionary *add = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccessGroup : @"keychain-test1", + (id)kSecAttrAccount : @"item-delete-me", + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock, + }; + status = SecItemAdd((__bridge CFDictionaryRef)add, NULL); + if (status != errSecSuccess) + fail("add item: %d: %s", (int)status, [[add description] UTF8String]); + + /* + * Update access group + */ + NSDictionary *query = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccessGroup : @"keychain-test1", + (id)kSecAttrAccount : @"item-delete-me", + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + }; + NSDictionary *modified = @{ + (id)kSecAttrAccessGroup : @"keychain-test2", + }; + + status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)modified); + if (status != errSecSuccess) + fail("cleanup2 item: %d", (int)status); + + /* + * + */ + NSDictionary *check1 = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccessGroup : @"keychain-test1", + (id)kSecAttrAccount : @"item-delete-me", + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + }; + status = SecItemCopyMatching((__bridge CFDictionaryRef)check1, NULL); + if (status != errSecItemNotFound) + fail("check1 item: %d", (int)status); + + + NSDictionary *check2 = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccessGroup : @"keychain-test2", + (id)kSecAttrAccount : 
@"item-delete-me", + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + }; + status = SecItemCopyMatching((__bridge CFDictionaryRef)check2, NULL); + if (status != errSecSuccess) + fail("check2 item: %d", (int)status); + + /* + * Clean + */ + (void)SecItemDelete((__bridge CFDictionaryRef)clean1); + (void)SecItemDelete((__bridge CFDictionaryRef)clean2); + + printf("[PASS] %s\n", __FUNCTION__); +} + +static NSString *certDataBase64 = @"\ +MIIEQjCCAyqgAwIBAgIJAJdFadWqNIfiMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNVBAYTAkNaMQ8wDQYD\ +VQQHEwZQcmFndWUxFTATBgNVBAoTDENvc21vcywgSW5jLjEXMBUGA1UEAxMOc3VuLmNvc21vcy5nb2Qx\ +IzAhBgkqhkiG9w0BCQEWFHRoaW5nQHN1bi5jb3Ntb3MuZ29kMB4XDTE2MDIyNjE0NTQ0OVoXDTE4MTEy\ +MjE0NTQ0OVowczELMAkGA1UEBhMCQ1oxDzANBgNVBAcTBlByYWd1ZTEVMBMGA1UEChMMQ29zbW9zLCBJ\ +bmMuMRcwFQYDVQQDEw5zdW4uY29zbW9zLmdvZDEjMCEGCSqGSIb3DQEJARYUdGhpbmdAc3VuLmNvc21v\ +cy5nb2QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5u9gnYEDzQIVu7yC40VcXTZ01D9CJ\ +oD/mH62tebEHEdfVPLWKeq+uAHnJ6fTIJQvksaISOxwiOosFjtI30mbe6LZ/oK22wYX+OUwKhAYjZQPy\ +RYfuaJe/52F0zmfUSJ+KTbUZrXbVVFma4xPfpg4bptvtGkFJWnufvEEHimOGmO5O69lXA0Hit1yLU0/A\ +MQrIMmZT8gb8LMZGPZearT90KhCbTHAxjcBfswZYeL8q3xuEVHXC7EMs6mq8IgZL7mzSBmrCfmBAIO0V\ +jW2kvmy0NFxkjIeHUShtYb11oYYyfHuz+1vr1y6FIoLmDejKVnwfcuNb545m26o+z/m9Lv9bAgMBAAGj\ +gdgwgdUwHQYDVR0OBBYEFGDdpPELS92xT+Hkh/7lcc+4G56VMIGlBgNVHSMEgZ0wgZqAFGDdpPELS92x\ +T+Hkh/7lcc+4G56VoXekdTBzMQswCQYDVQQGEwJDWjEPMA0GA1UEBxMGUHJhZ3VlMRUwEwYDVQQKEwxD\ +b3Ntb3MsIEluYy4xFzAVBgNVBAMTDnN1bi5jb3Ntb3MuZ29kMSMwIQYJKoZIhvcNAQkBFhR0aGluZ0Bz\ +dW4uY29zbW9zLmdvZIIJAJdFadWqNIfiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFYi\ +Zu/dfAMOrD51bYxP88Wu6iDGBe9nMG/0lkKgnX5JQKCxfxFMk875rfa+pljdUMOaPxegOXq1DrYmQB9O\ +/pHI+t7ozuWHRj2zKkVgMWAygNWDPcoqBEus53BdAgA644aPN2JvnE4NEPCllOMKftPoIWbd/5ZjCx3a\ +bCuxBdXq5YSmiEnOdGfKeXjeeEiIDgARb4tLgH5rkOpB1uH/ZCWn1hkiajBhrGhhPhpA0zbkZg2Ug+8g\ +XPlx1yQB1VOJkj2Z8dUEXCaRRijInCJ2eU+pgJvwLV7mxmSED7DEJ+b+opxJKYrsdKBU6RmYpPrDa+KC\ +/Yfu88P9hKKj0LmBiREA\ +"; + +static NSString *keyDataBase64 = @"\ 
+MIIEogIBAAKCAQEAubvYJ2BA80CFbu8guNFXF02dNQ/QiaA/5h+trXmxBxHX1Ty1inqvrgB5yen0yCUL\ +5LGiEjscIjqLBY7SN9Jm3ui2f6CttsGF/jlMCoQGI2UD8kWH7miXv+dhdM5n1Eifik21Ga121VRZmuMT\ +36YOG6bb7RpBSVp7n7xBB4pjhpjuTuvZVwNB4rdci1NPwDEKyDJmU/IG/CzGRj2Xmq0/dCoQm0xwMY3A\ +X7MGWHi/Kt8bhFR1wuxDLOpqvCIGS+5s0gZqwn5gQCDtFY1tpL5stDRcZIyHh1EobWG9daGGMnx7s/tb\ +69cuhSKC5g3oylZ8H3LjW+eOZtuqPs/5vS7/WwIDAQABAoIBAGcwmQAPdyZus3OVwa1NCUD2KyB+39KG\ +yNmWwgx+br9Jx4s+RnJghVh8BS4MIKZOBtSRaEUOuCvAMNrupZbD+8leq34vDDRcQpCizr+M6Egj6FRj\ +Ewl+7Mh+yeN2hbMoghL552MTv9D4Iyxteu4nuPDd/JQ3oQwbDFIL6mlBFtiBDUr9ndemmcJ0WKuzor6a\ +3rgsygLs8SPyMefwIKjh5rJZls+iv3AyVEoBdCbHBz0HKgLVE9ZNmY/gWqda2dzAcJxxMdafeNVwHovv\ +BtyyRGnA7Yikx2XT4WLgKfuUsYLnDWs4GdAa738uxPBfiddQNeRjN7jRT1GZIWCk0P29rMECgYEA8jWi\ +g1Dph+4VlESPOffTEt1aCYQQWtHs13Qex95HrXX/L49fs6cOE7pvBh7nVzaKwBnPRh5+3bCPsPmRVb7h\ +k/GreOriCjTZtyt2XGp8eIfstfirofB7c1lNBjT61BhgjJ8Moii5c2ksNIOOZnKtD53n47mf7hiarYkw\ +xFEgU6ECgYEAxE8Js3gIPOBjsSw47XHuvsjP880nZZx/oiQ4IeJb/0rkoDMVJjU69WQu1HTNNAnMg4/u\ +RXo31h+gDZOlE9t9vSXHdrn3at67KAVmoTbRknGxZ+8tYpRJpPj1hyufynBGcKwevv3eHJHnE5eDqbHx\ +ynZFkXemzT9aMy3R4CCFMXsCgYAYyZpnG/m6WohE0zthMFaeoJ6dSLGvyboWVqDrzXjCbMf/4wllRlxv\ +cm34T2NXjpJmlH2c7HQJVg9uiivwfYdyb5If3tHhP4VkdIM5dABnCWoVOWy/NvA7XtE+KF/fItuGqKRP\ +WCGaiRHoEeqZ23SQm5VmvdF7OXNi/R5LiQ3o4QKBgAGX8qg2TTrRR33ksgGbbyi1UJrWC3/TqWWTjbEY\ +uU51OS3jvEQ3ImdjjM3EtPW7LqHSxUhjGZjvYMk7bZefrIGgkOHx2IRRkotcn9ynKURbD+mcE249beuc\ +6cFTJVTrXGcFvqomPWtV895A2JzECQZvt1ja88uuu/i2YoHDQdGJAoGAL2TEgiMXiunb6PzYMMKKa+mx\ +mFnagF0Ek3UJ9ByXKoLz3HFEl7cADIkqyenXFsAER/ifMyCoZp/PDBd6ZkpqLTdH0jQ2Yo4SllLykoiZ\ +fBWMfjRu4iw9E0MbPB3blmtzfv53BtWKy0LUOlN4juvpqryA7TgaUlZkfMT+T1TC7xU=\ +"; + + +static SecIdentityRef +CreateTestIdentity(void) +{ + NSData *certData = [[NSData alloc] initWithBase64EncodedString:certDataBase64 options:0]; + SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certData); + if (cert == NULL) + fail("create certificate from data"); + + NSData *keyData = [[NSData alloc] 
initWithBase64EncodedString:keyDataBase64 options:0]; + NSDictionary *keyAttrs = @{ + (id)kSecAttrKeyType: (id)kSecAttrKeyTypeRSA, + (id)kSecAttrKeySizeInBits: @2048, + (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate + }; + SecKeyRef privateKey = SecKeyCreateWithData((CFDataRef)keyData, (CFDictionaryRef)keyAttrs, NULL); + if (privateKey == NULL) + fail("create private key from data"); + + // Create identity from certificate and private key. + SecIdentityRef identity = SecIdentityCreate(kCFAllocatorDefault, cert, privateKey); + CFRelease(privateKey); + CFRelease(cert); + + return identity; +} + +static void +CheckIdentityItem(NSString *accessGroup, OSStatus expectedStatus) +{ + OSStatus status; + + NSDictionary *check = @{ + (id)kSecClass : (id)kSecClassIdentity, + (id)kSecAttrAccessGroup : accessGroup, + (id)kSecAttrLabel : @"item-delete-me", + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + }; + status = SecItemCopyMatching((__bridge CFDictionaryRef)check, NULL); + if (status != expectedStatus) + fail("check %s for %d item: %d", [accessGroup UTF8String], (int)expectedStatus, (int)status); +} + +static void +CheckItemUpdateAccessGroupIdentity(void) +{ + OSStatus status; + CFTypeRef ref = NULL; + + printf("[TEST] %s\n", __FUNCTION__); + + NSDictionary *clean1 = @{ + (id)kSecClass : (id)kSecClassIdentity, + (id)kSecAttrAccessGroup : @"keychain-test1", + }; + NSDictionary *clean2 = @{ + (id)kSecClass : (id)kSecClassIdentity, + (id)kSecAttrAccessGroup : @"keychain-test2", + }; + + (void)SecItemDelete((__bridge CFDictionaryRef)clean1); + (void)SecItemDelete((__bridge CFDictionaryRef)clean2); + + CheckIdentityItem(@"keychain-test1", errSecItemNotFound); + CheckIdentityItem(@"keychain-test2", errSecItemNotFound); + + SecIdentityRef identity = CreateTestIdentity(); + if (identity == NULL) + fail("create private key from data"); + + + /* + * Add item + */ + + NSDictionary *add = @{ + (id)kSecValueRef : (__bridge id)identity, + (id)kSecAttrAccessGroup : @"keychain-test1", + 
(id)kSecAttrLabel : @"item-delete-me", + (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock, + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + (id)kSecReturnPersistentRef: (id)kCFBooleanTrue, + }; + status = SecItemAdd((__bridge CFDictionaryRef)add, &ref); + if (status != errSecSuccess) + fail("add item: %d: %s", (int)status, [[add description] UTF8String]); + + /* + * + */ + CheckIdentityItem(@"keychain-test1", errSecSuccess); + CheckIdentityItem(@"keychain-test2", errSecItemNotFound); + + + /* + * Update access group + */ + NSDictionary *query = @{ + (id)kSecClass : (id)kSecClassIdentity, + (id)kSecAttrAccessGroup : @"keychain-test1", + (id)kSecAttrLabel : @"item-delete-me", + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + }; + NSDictionary *modified = @{ + (id)kSecAttrAccessGroup : @"keychain-test2", + }; + + status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)modified); + if (status != errSecSuccess) + fail("cleanup2 item: %d", (int)status); + + /* + * + */ + + CheckIdentityItem(@"keychain-test1", errSecItemNotFound); + CheckIdentityItem(@"keychain-test2", errSecSuccess); + + /* + * Check pref + */ + CFDataRef data = NULL; + + NSDictionary *prefQuery = @{ + (id)kSecClass : (id)kSecClassIdentity, + (id)kSecAttrAccessGroup : @"keychain-test2", + (id)kSecAttrLabel : @"item-delete-me", + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + (id)kSecReturnPersistentRef : (id)kCFBooleanTrue, + }; + status = SecItemCopyMatching((__bridge CFDictionaryRef)prefQuery, (CFTypeRef *)&data); + if (status != errSecSuccess) + fail("prefQuery item: %d", (int)status); + + /* + * Update access group for identity + */ + NSDictionary *query2 = @{ + (id)kSecValuePersistentRef : (__bridge id)data, + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + }; + NSDictionary *modified2 = @{ + (id)kSecAttrAccessGroup : @"keychain-test1", + }; + + status = SecItemUpdate((__bridge CFDictionaryRef)query2, (__bridge CFDictionaryRef)modified2); + if (status != 
errSecInternal) + fail("update identity with pref fails differntly: %d", (int)status); + +/* + CheckIdentityItem(@"keychain-test1", errSecSuccess); + CheckIdentityItem(@"keychain-test2", errSecItemNotFound); + */ + + + /* + * Clean + */ + (void)SecItemDelete((__bridge CFDictionaryRef)clean1); + (void)SecItemDelete((__bridge CFDictionaryRef)clean2); + + CFRelease(identity); + + CheckIdentityItem(@"keychain-test1", errSecItemNotFound); + CheckIdentityItem(@"keychain-test2", errSecItemNotFound); + + + printf("[PASS] %s\n", __FUNCTION__); +} + +static void +CheckFindIdentityByReference(void) +{ + OSStatus status; + CFDataRef pref = NULL, pref2 = NULL; + + printf("[TEST] %s\n", __FUNCTION__); + + /* + * Clean identities + */ + NSDictionary *clean1 = @{ + (id)kSecClass : (id)kSecClassIdentity, + (id)kSecAttrAccessGroup : @"keychain-test1", + }; + (void)SecItemDelete((__bridge CFDictionaryRef)clean1); + + /* + * Add + */ + SecIdentityRef identity = CreateTestIdentity(); + if (identity == NULL) + fail("create private key from data"); + + + NSDictionary *add = @{ + (id)kSecValueRef : (__bridge id)identity, + (id)kSecAttrAccessGroup : @"keychain-test1", + (id)kSecAttrLabel : @"CheckItemReference", + (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock, + (id)kSecAttrNoLegacy : (id)kCFBooleanTrue, + (id)kSecReturnPersistentRef: (id)kCFBooleanTrue, + }; + status = SecItemAdd((__bridge CFDictionaryRef)add, (CFTypeRef *)&pref); + if (status != errSecSuccess) + fail("add item: %d: %s", (int)status, [[add description] UTF8String]); + + if (pref == NULL || CFGetTypeID(pref) != CFDataGetTypeID()) + fail("no pref returned"); + + /* + * Find by identity + */ + + NSDictionary *query = @{ + (id)kSecValueRef : (__bridge id)identity, + (id)kSecReturnPersistentRef: (id)kCFBooleanTrue, + }; + status = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&pref2); + if (status) + fail("SecItemCopyMatching: %d", (int)status); + + if (pref2 == NULL || CFGetTypeID(pref2) != 
CFDataGetTypeID()) + fail("no pref2 returned"); + + + if (!CFEqual(pref, pref2)) + fail("prefs not same"); + + CFRelease(pref2); + + /* + * Find by label + */ + + NSDictionary *query2 = @{ + (id)kSecClass : (id)kSecClassIdentity, + (id)kSecAttrAccessGroup : @"keychain-test1", + (id)kSecAttrLabel : @"CheckItemReference", + (id)kSecReturnPersistentRef: (id)kCFBooleanTrue, + }; + status = SecItemCopyMatching((CFDictionaryRef)query2, (CFTypeRef *)&pref2); + if (status) + fail("SecItemCopyMatching: %d", (int)status); + + if (pref2 == NULL || CFGetTypeID(pref2) != CFDataGetTypeID()) + fail("no pref2 returned"); + + + if (!CFEqual(pref, pref2)) + fail("prefs not same"); + + CFRelease(pref2); + + /* + * Find by label + reference + */ + + NSDictionary *query3 = @{ + (id)kSecAttrAccessGroup : @"keychain-test1", + (id)kSecAttrLabel : @"CheckItemReference", + (id)kSecValueRef : (__bridge id)identity, + (id)kSecReturnPersistentRef: (id)kCFBooleanTrue, + }; + status = SecItemCopyMatching((CFDictionaryRef)query3, (CFTypeRef *)&pref2); + if (status) + fail("SecItemCopyMatching: %d", (int)status); + + if (pref2 == NULL || CFGetTypeID(pref2) != CFDataGetTypeID()) + fail("no pref2 returned"); + + + if (!CFEqual(pref, pref2)) + fail("prefs not same"); + + CFRelease(pref2); + + /* + * Free stuff + */ + + CFRelease(pref); + + printf("[PASS] %s\n", __FUNCTION__); +} + +int +main(int argc, const char ** argv) +{ +#if !TARGET_OS_IPHONE + char *user = getenv("USER"); + if (user && strcmp("bats", user) == 0) { + (void)SecKeychainUnlock(NULL, 4, "bats", true); + } +#endif + CheckFindIdentityByReference(); + + if (random() == 17) { + CheckItemAddDeleteMaybeLegacyKeychainNoData(); + CheckItemAddDeleteNoData(); + CheckItemUpdateAccessGroupGENP(); + CheckItemUpdateAccessGroupIdentity(); + } + + return 0; +} 
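Review bot: In `main`, four of the five test functions are only called when `random() == 17`, and with no prior `srandom()` call the branch is deterministic — it either always or never runs on a given platform — which reads as tests silently switched off. If the intent is to keep them compiling while disabled, record it: `/* XXX disabled pending <reason placeholder>; gated on random() so the functions stay compiled and warning-free */`, or gate them on an explicit environment variable instead. Separately, `CreateTestIdentity` and `CheckFindIdentityByReference` use plain `(CFDataRef)`/`(CFDictionaryRef)` casts while the rest of the file uses `__bridge` casts; under ARC the plain casts do not compile, and without ARC the two `[[NSData alloc] initWithBase64EncodedString:…]` objects in `CreateTestIdentity` are never released, so one of the two styles is wrong whichever mode the target uses. The `status != errSecInternal` check in `CheckItemUpdateAccessGroupIdentity` pins an internal-error result as the expected outcome without a comment, which will puzzle whoever later fixes the underlying behaviour and sees this test start failing.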
diff --git a/RegressionTests/secitemnotifications/secitemnotifications.entitlements b/RegressionTests/secitemnotifications/secitemnotifications.entitlements new file mode 100644 index 00000000..cd67534b --- /dev/null +++ b/RegressionTests/secitemnotifications/secitemnotifications.entitlements @@ -0,0 +1,10 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>keychain-access-groups</key> + <array> + <string>keychain-test1</string> + </array> +</dict> +</plist> diff --git a/RegressionTests/secitemnotifications/secitemnotifications.m b/RegressionTests/secitemnotifications/secitemnotifications.m new file mode 100644 index 00000000..14986bd6 --- /dev/null +++ b/RegressionTests/secitemnotifications/secitemnotifications.m 
@@ -0,0 +1,71 @@ +// +// Copyright 2016 Apple. All rights reserved. +// + +/* + * This is to fool os services to not provide the Keychain manager + * interface tht doens't work since we don't have unified headers + * between iOS and OS X. rdar://23405418/ + */ +#define __KEYCHAINCORE__ 1 + +#include <Foundation/Foundation.h> +#include <Security/Security.h> +#include <Security/SecItemPriv.h> +#include <notify.h> +#include <err.h> + +int +main(int argc, const char ** argv) +{ + dispatch_queue_t queue = dispatch_queue_create("notifications-queue", NULL); + __block int got_notification = false; + OSStatus status; + int token; + + NSDictionary *query = @{ + (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccessGroup : @"keychain-test1", + (id)kSecAttrSyncViewHint : @"PCS-Master", + (id)kSecAttrAccount : @"account-delete-me", + (id)kSecAttrSynchronizable : (id)kCFBooleanTrue, + (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock, + }; + status = SecItemDelete((__bridge CFDictionaryRef)query); + if (status != errSecSuccess && status != errSecItemNotFound) + errx(1, "cleanup item: %d", (int)status); + + notify_register_dispatch("com.apple.security.view-change.PCS", &token, queue, ^(int __unused token2) { + printf("got notification\n"); + got_notification = true; + }); + + /* + * now check add notification + */ + + status = SecItemAdd((__bridge CFDictionaryRef)query, NULL); + if (status != errSecSuccess) + errx(1, "add item: %d", (int)status); + + sleep(3); + + if (!got_notification) + errx(1, "failed to get notification on add"); + got_notification = false; + + /* + * clean up and check delete notification too + */ + + status = SecItemDelete((__bridge CFDictionaryRef)query); + if (status != errSecSuccess) + errx(1, "cleanup2 item: %d", (int)status); + + sleep(3); + + if (!got_notification) + errx(1, "failed to get notification on delete"); + + return 0; +} 
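Review bot: `got_notification` is written on `queue` inside the notify block and read on the main thread after a fixed `sleep(3)` with no synchronisation — a plain `__block int` is not atomic, so this is a data race, and the fixed sleeps make the test both slow and timing-dependent. The `notify_register_dispatch` return value is also unchecked, and `token` is never passed to `notify_cancel`. A `dispatch_semaphore_t` signalled from the block and waited on with a timeout replaces both the flag and the sleeps; the rewritten lines follow (the `query` construction and the `SecItemAdd`/`SecItemDelete` calls are unchanged).
```objective-c
    dispatch_semaphore_t gotNotification = dispatch_semaphore_create(0);
    // … unchanged: query construction and cleanup SecItemDelete …
    uint32_t nstatus = notify_register_dispatch("com.apple.security.view-change.PCS", &token, queue, ^(int __unused token2) {
        printf("got notification\n");
        dispatch_semaphore_signal(gotNotification);
    });
    if (nstatus != NOTIFY_STATUS_OK)
        errx(1, "notify_register_dispatch: %u", nstatus);
    // … unchanged: SecItemAdd …
    if (dispatch_semaphore_wait(gotNotification, dispatch_time(DISPATCH_TIME_NOW, 3 * NSEC_PER_SEC)) != 0)
        errx(1, "failed to get notification on add");
    // … unchanged: SecItemDelete …
    if (dispatch_semaphore_wait(gotNotification, dispatch_time(DISPATCH_TIME_NOW, 3 * NSEC_PER_SEC)) != 0)
        errx(1, "failed to get notification on delete");
    notify_cancel(token);
```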
diff --git a/RegressionTests/secitemstresstest/secitemstresstest.entitlements b/RegressionTests/secitemstresstest/secitemstresstest.entitlements new file mode 100644 index 00000000..aca42f14 --- /dev/null +++ b/RegressionTests/secitemstresstest/secitemstresstest.entitlements @@ -0,0 +1,11 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>keychain-access-groups</key> + <array> + <string>keychain-test1</string> + <string>keychain-test2</string> + </array> +</dict> +</plist> diff --git a/RegressionTests/secitemstresstest/secitemstresstest.m b/RegressionTests/secitemstresstest/secitemstresstest.m new file mode 100644 index 00000000..fdbf00fe --- /dev/null +++ b/RegressionTests/secitemstresstest/secitemstresstest.m 
@@ -0,0 +1,246 @@
+//
+// Copyright 2016 Apple. All rights reserved.
+//
+
+/*
+ * This is to fool os services to not provide the Keychain manager
+ * interface tht doens't work since we don't have unified headers
+ * between iOS and OS X. rdar://23405418/
+ */
+#define __KEYCHAINCORE__ 1
+
+#include <Foundation/Foundation.h>
+#include <Security/Security.h>
+#include <Security/SecItemPriv.h>
+#include <err.h>
+
+static void
+fail(const char *fmt, ...) __printflike(1, 2) __attribute__((noreturn));
+
+
+static void
+fail(const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ printf("[FAIL] ");
+ verrx(1, fmt, ap);
+ va_end(ap);
+}
+
+static NSString *kAccessGroup1 = @"keychain-test1";
+static NSString *kAccessGroup2 = @"keychain-test2";
+
+static void
+Cleanup(void)
+{
+ NSDictionary *query;
+ OSStatus status;
+
+ query = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrAccessGroup : kAccessGroup1,
+ (id)kSecAttrNoLegacy : (id)kCFBooleanTrue,
+ };
+ status = SecItemDelete((__bridge CFDictionaryRef)query);
+ if (status != errSecSuccess || status == errSecItemNotFound)
+ printf("cleanup ag1: %d\n", (int)status);
+
+ query = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrAccessGroup : kAccessGroup2,
+ (id)kSecAttrNoLegacy : (id)kCFBooleanTrue,
+ };
+ status = SecItemDelete((__bridge CFDictionaryRef)query);
+ if (status != errSecSuccess || status != errSecItemNotFound)
+ printf("cleanup ag2: %d\n", (int)status);
+}
+
+static void
+isPedestrian(const char *name, OSStatus status, bool ignorePedestrianFailures)
+{
+ if (!ignorePedestrianFailures) {
+ if (status == errSecSuccess)
+ return;
+ } else {
+ switch(status) {
+ case errSecSuccess:
+ case errSecItemNotFound:
+ case errSecDuplicateItem:
+ return;
+ default:
+ break;
+ }
+ }
+ fail("[FAIL] %s non pedestrian error: %d", name, (int)status);
+}
+
+static void
+CreateDeleteItem(NSString *account, NSString *accessGroup, bool ignorePedestrianFailures)
+{
+ NSDictionary *query = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrLabel : @"secitemstresstest-oneItem",
+ (id)kSecAttrAccount : account,
+ (id)kSecAttrAccessGroup : accessGroup,
+ (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock,
+ (id)kSecAttrNoLegacy : (id)kCFBooleanTrue,
+ (id)kSecValueData : [NSData dataWithBytes:"password" length: 8],
+ };
+ OSStatus status;
+
+ status = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
+ isPedestrian("SecItemAdd", status, ignorePedestrianFailures);
+
+ query = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrAccount : account,
+ (id)kSecAttrAccessGroup : accessGroup,
+ };
+ NSDictionary *values = @{
+ (id)kSecAttrLabel : @"kaka",
+ };
+
+ status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)values);
+ isPedestrian("SecItemUpdate", status, ignorePedestrianFailures);
+
+ status = SecItemDelete((__bridge CFDictionaryRef)query);
+ isPedestrian("SecItemDelete", status, ignorePedestrianFailures);
+}
+
+#define CONCURRENT_RUNTIME 20
+
+static void
+CreateDeleteConcurrentItems(int width)
+{
+ dispatch_semaphore_t sema;
+ dispatch_group_t group;
+ dispatch_queue_t q, labelQueue;
+ int iter = 0;
+ time_t old;
+ __block unsigned long label = 0;
+
+ q = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
+ labelQueue = dispatch_queue_create("label-queue", NULL);
+ sema = dispatch_semaphore_create(width);
+ group = dispatch_group_create();
+
+
+ old = time(NULL);
+
+ while (time(NULL) - old < CONCURRENT_RUNTIME) {
+ size_t number = 10;
+
+ dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER);
+
+ printf("iteration: %d\n", ++iter);
+
+ dispatch_group_async(group, q, ^{
+ dispatch_group_t inner = dispatch_group_create();
+ if (inner == NULL) abort();
+ __block unsigned long me;
+
+ dispatch_sync(labelQueue, ^{
+ me = label++;
+ if (label == 0) abort();
+ });
+
+ dispatch_group_async(inner, q, ^{
+ dispatch_apply(number, q, ^(size_t num) {
+ NSString *account = [NSString stringWithFormat:@"account1-%lu-%lu", me, (unsigned long)num];
+ CreateDeleteItem(account, kAccessGroup1, false);
+ });
+ });
+ dispatch_group_async(inner, q, ^{
+ dispatch_apply(number, q, ^(size_t num) {
+ NSString *account = [NSString stringWithFormat:@"account2-%lu-%lu", me, (unsigned long)num];
+ CreateDeleteItem(account, kAccessGroup1, false);
+ });
+ });
+ dispatch_group_async(inner, q, ^{
+ dispatch_apply(number, q, ^(size_t num) {
+ NSString *account = [NSString stringWithFormat:@"account1-%lu-%lu", me, (unsigned long)num];
+ CreateDeleteItem(account, kAccessGroup2, false);
+ });
+ });
+ dispatch_group_async(inner, q, ^{
+ dispatch_apply(number, q, ^(size_t num) {
+ NSString *account = [NSString stringWithFormat:@"account2-%lu-%lu", me, (unsigned long)num];
+ CreateDeleteItem(account, kAccessGroup2, false);
+ });
+ });
+
+ dispatch_group_wait(inner, DISPATCH_TIME_FOREVER);
+ dispatch_semaphore_signal(sema);
+ });
+ }
+
+ dispatch_group_wait(group, DISPATCH_TIME_FOREVER);
+}
+
+static void
+CreateDeleteConcurrentSameItem(int width)
+{
+ dispatch_semaphore_t sema;
+ dispatch_group_t group;
+ dispatch_queue_t q;
+ time_t old;
+
+ q = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
+ sema = dispatch_semaphore_create(width);
+ group = dispatch_group_create();
+
+ old = time(NULL);
+
+ while (time(NULL) - old < CONCURRENT_RUNTIME) {
+ size_t number = 10;
+
+ dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER);
+
+ dispatch_group_async(group, q, ^{
+ dispatch_apply(number, q, ^(size_t num) {
+ CreateDeleteItem(@"account1", kAccessGroup1, true);
+ });
+
+ dispatch_semaphore_signal(sema);
+ });
+ }
+
+ dispatch_group_wait(group, DISPATCH_TIME_FOREVER);
+}
+
+
+
+int main (int argc, const char * argv[])
+{
+ @autoreleasepool {
+
+ Cleanup();
+ printf("[TEST] testing serial items\n");
+
+ CreateDeleteItem(@"account1", kAccessGroup1, false);
+ CreateDeleteItem(@"account2", kAccessGroup1, false);
+ CreateDeleteItem(@"account1", kAccessGroup2, false);
+ CreateDeleteItem(@"account2", kAccessGroup2, false);
+ printf("[PASS]\n");
+
+ Cleanup();
+ printf("[TEST] testing concurrent items\n");
+
+ CreateDeleteConcurrentItems(2);
+ CreateDeleteConcurrentItems(10);
+ printf("[PASS]\n");
+
+ Cleanup();
+ printf("[TEST] testing concurrent same item\n");
+
+ CreateDeleteConcurrentSameItem(2);
+ CreateDeleteConcurrentSameItem(10);
+ printf("[PASS]\n");
+
+
+ return 0;
+ }
+}
+
+
diff --git a/Security-Info.plist b/Security-Info.plist
index 4bc200ce..05674e42 100644
--- a/Security-Info.plist
+++ b/Security-Info.plist
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 <key>CFBundleDevelopmentRegion</key>
@@ -7,7 +7,7 @@
 <key>CFBundleExecutable</key>
 <string>${EXECUTABLE_NAME}</string>
 <key>CFBundleIdentifier</key>
- <string>com.apple.${EXECUTABLE_NAME}</string>
+ <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
 <key>CFBundleInfoDictionaryVersion</key>
 <string>6.0</string>
 <key>CFBundleName</key>
diff --git a/Security.exp-in b/Security.exp-in
index 73587fdd..2c076611 100644
--- a/Security.exp-in
+++ b/Security.exp-in
@@ -66,6 +66,7 @@ _SSLInternalSetMasterSecretFunction
 _SSLInternalSetSessionTicket
 _SSLInternal_PRF
 _SSLRead
+_SSLReHandshake
 _SSLSetNPNData
 _SSLSetNPNFunc
 _SSLGetNPNData
@@ -96,11 +97,9 @@ _SSLSetPeerDomainName _SSLSetPeerID _SSLSetSessionCacheTimeout _SSLWrite -_SSLSetSessionStrengthPolicy _SSLSetDHEEnabled _SSLGetDHEEnabled _SSLSetSessionConfig -_SSLGetSessionConfig _kSSLSessionConfig_default _kSSLSessionConfig_ATSv1
@@ -111,7 +110,7 @@ _kSSLSessionConfig_RC4_fallback _kSSLSessionConfig_TLSv1_fallback _kSSLSessionConfig_TLSv1_RC4_fallback _kSSLSessionConfig_legacy_DHE - +_kSSLSessionConfig_anonymous /* Those are deprecated */ __SSLCopyPeerCertificates
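Review bot: In Cleanup() the second guard `if (status != errSecSuccess || status != errSecItemNotFound)` is always true, so "cleanup ag2" is printed even when the delete succeeded, and the first guard `status != errSecSuccess || status == errSecItemNotFound` collapses to `status != errSecSuccess` and still reports the benign not-found case; both should read `if (status != errSecSuccess && status != errSecItemNotFound)`, the form the sibling notification test in this commit already uses. Separately, `fail()` prints "[FAIL] " itself before `verrx`, so the call in isPedestrian `fail("[FAIL] %s non pedestrian error: %d", name, (int)status)` emits the tag twice, and the `va_end(ap)` after the noreturn `verrx` is unreachable. In CreateDeleteItem the add query sets `kSecAttrNoLegacy` but the query reused for SecItemUpdate and SecItemDelete does not; if that attribute influences which store is consulted, the later calls may not match the item just added, which is worth confirming and recording in a one-line comment on the second query either way.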
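Review bot: The `@@ -96,11 +97,9 @@` hunk removes `_SSLSetSessionStrengthPolicy` and `_SSLGetSessionConfig` from the export list, which is a binary-compatibility break for any client that still binds those symbols, and nothing in this diff shows a compatibility stub or a deprecation step. A comment in the export file next to the existing `/* Those are deprecated */` section, or a line in the commit message naming the replacement API, would make the intent explicit. The added `_kSSLSessionConfig_anonymous` export would likewise benefit from a one-line comment stating which session configuration it selects, since the name alone does not say what it permits.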
@@ -167,6 +166,7 @@ _SecTaskCopyValueForEntitlement _SecTaskCopyValuesForEntitlements _SecTaskCreateFromSelf _SecTaskCreateWithAuditToken +_SecTaskGetCodeSignStatus _SecTaskGetTypeID __NtlmCreateClientResponse _kSecAsn1OCSPBasicResponseTemplate @@ -199,3 +199,9 @@ _SecSMIMEFindBulkAlgForRecipients //Localization _SecFrameworkCopyLocalizedString +// +// utilities +// +_readFileSizet +_writeFileSizet + diff --git a/Security.xcodeproj/project.pbxproj b/Security.xcodeproj/project.pbxproj index c1edcc99..926bc1da 100644 --- a/Security.xcodeproj/project.pbxproj +++ b/Security.xcodeproj/project.pbxproj 
@@ -24,24 +24,27 @@ buildPhases = ( ); dependencies = ( - 05EF68BA19491577007958C3 /* PBXTargetDependency */, + E79EEDDF1CD3FFEA00C2FBFC /* PBXTargetDependency */, ); name = Security_frameworks; productName = Security_framework; }; - 05EF68BB194915A5007958C3 /* Security_executables */ = { + 05EF68BB194915A5007958C3 /* Security_executables_osx */ = { isa = PBXAggregateTarget; - buildConfigurationList = 05EF68BC194915A5007958C3 /* Build configuration list for PBXAggregateTarget "Security_executables" */; + buildConfigurationList = 05EF68BC194915A5007958C3 /* Build configuration list for PBXAggregateTarget "Security_executables_osx" */; buildPhases = ( ); dependencies = ( EBD849361B242C8900C5FD1E /* PBXTargetDependency */, 05EF68CA1949167B007958C3 /* PBXTargetDependency */, - 05EF68C81949166E007958C3 /* PBXTargetDependency */, - 05EF68C0194915B6007958C3 /* PBXTargetDependency */, - EB93052B1BE1B43700978606 /* PBXTargetDependency */, - ); - name = Security_executables; + E7E7B2201BFA865300B1E66B /* PBXTargetDependency */, + E745841F1BF66525001B54A4 /* PBXTargetDependency */, + E74583BE1BF66489001B54A4 /* PBXTargetDependency */, + E7E7B24B1BFC0CD900B1E66B /* PBXTargetDependency */, + EB31EA831D3EF2FB008F952A /* PBXTargetDependency */, + EBC15EA91BE29AC3001C0C5B /* PBXTargetDependency */, + ); + name = Security_executables_osx; productName = Security_executables; }; 05EF68C1194915FB007958C3 /* Security_kexts */ = { @@ -50,7 +53,6 @@ buildPhases = ( ); dependencies = ( - 05EF68C61949160C007958C3 /* PBXTargetDependency */, ); name = Security_kexts; productName = Security_kexts; 
@@ -61,34 +63,33 @@ buildPhases = ( ); dependencies = ( - 0CCA42F715C8A820002AEC4C /* PBXTargetDependency */, - 0CCA42F515C8A815002AEC4C /* PBXTargetDependency */, + 0C2BCBD11D0648FA00ED7A2F /* PBXTargetDependency */, + 0C2BCBBC1D0640B200ED7A2F /* PBXTargetDependency */, ); name = dtlsTests; productName = dtlsTests; }; - 0C7CFA2E14E1BA4800DF9D95 /* phase1_ios */ = { + 0C7CFA2E14E1BA4800DF9D95 /* Security_frameworks_ios */ = { isa = PBXAggregateTarget; - buildConfigurationList = 0C7CFA2F14E1BA4800DF9D95 /* Build configuration list for PBXAggregateTarget "phase1_ios" */; + buildConfigurationList = 0C7CFA2F14E1BA4800DF9D95 /* Build configuration list for PBXAggregateTarget "Security_frameworks_ios" */; buildPhases = ( ); dependencies = ( - 0C7CFA3714E1BAEC00DF9D95 /* PBXTargetDependency */, - 0C7CFA3514E1BA7000DF9D95 /* PBXTargetDependency */, + EB6A6FBD1B90F9170045DC68 /* PBXTargetDependency */, ); - name = phase1_ios; + name = Security_frameworks_ios; productName = kernel; }; - 4C541F840F250BF500E508AE /* phase2 */ = { + 4C541F840F250BF500E508AE /* Security_executables_ios */ = { isa = PBXAggregateTarget; - buildConfigurationList = 4C541FA30F250C8C00E508AE /* Build configuration list for PBXAggregateTarget "phase2" */; + buildConfigurationList = 4C541FA30F250C8C00E508AE /* Build configuration list for PBXAggregateTarget "Security_executables_ios" */; buildPhases = ( ); dependencies = ( + EBB696D41BE2085700715F16 /* PBXTargetDependency */, 438169E71B4EE4B300C54D58 /* PBXTargetDependency */, 5EF7C2561B00EEF900E5E99C /* PBXTargetDependency */, 5E10995419A5E80B00A60E2B /* PBXTargetDependency */, - 72D41316175D13E40052A8ED /* PBXTargetDependency */, 4C541F8C0F250C0400E508AE /* PBXTargetDependency */, 4C541F8E0F250C0900E508AE /* PBXTargetDependency */, 4C541F920F250C1300E508AE /* PBXTargetDependency */, 
@@ -108,7 +109,7 @@ F94E7AE21ACC8E7700F23132 /* PBXTargetDependency */, EB9C1DB71BDFD51800F89272 /* PBXTargetDependency */, ); - name = phase2; + name = Security_executables_ios; productName = phase2; }; 4C541F950F250C3000E508AE /* phase1 */ = { 
@@ -117,34 +118,186 @@ buildPhases = ( ); dependencies = ( - 4C541F9D0F250C3500E508AE /* PBXTargetDependency */, + E79EEDD71CD3F9F800C2FBFC /* PBXTargetDependency */, ); name = phase1; productName = phase1; }; - 4C91273D0ADBF46200AF202E /* world */ = { + 4C91273D0ADBF46200AF202E /* ios */ = { isa = PBXAggregateTarget; - buildConfigurationList = 4C91274A0ADBF4A100AF202E /* Build configuration list for PBXAggregateTarget "world" */; + buildConfigurationList = 4C91274A0ADBF4A100AF202E /* Build configuration list for PBXAggregateTarget "ios" */; buildPhases = ( ); dependencies = ( - 4C541F9F0F250C4F00E508AE /* PBXTargetDependency */, + EB6A6FBB1B90F8EC0045DC68 /* PBXTargetDependency */, 4C541FA10F250C5200E508AE /* PBXTargetDependency */, + E7CFF6771C84F66A00E3484E /* PBXTargetDependency */, ); - name = world; + name = ios; productName = world; }; + D41AD42D1B967169008C7270 /* Security_executables_watchos */ = { + isa = PBXAggregateTarget; + buildConfigurationList = D41AD42E1B967169008C7270 /* Build configuration list for PBXAggregateTarget "Security_executables_watchos" */; + buildPhases = ( + ); + dependencies = ( + D41AD45C1B978A7A008C7270 /* PBXTargetDependency */, + D41AD4721B978F76008C7270 /* PBXTargetDependency */, + D41AD45E1B978A7C008C7270 /* PBXTargetDependency */, + D41AD4601B978E18008C7270 /* PBXTargetDependency */, + D41AD4621B978E24008C7270 /* PBXTargetDependency */, + D41AD4661B978F19008C7270 /* PBXTargetDependency */, + D41AD4681B978F20008C7270 /* PBXTargetDependency */, + D41AD46A1B978F24008C7270 /* PBXTargetDependency */, + D41AD46C1B978F28008C7270 /* PBXTargetDependency */, + D41AD46E1B978F4C008C7270 /* PBXTargetDependency */, + EB9FE0B61BFBC499004FEAAF /* PBXTargetDependency */, + ); + name = Security_executables_watchos; + productName = Security_executables_watchos; + }; + D41AD4311B967179008C7270 /* Security_executables_tvos */ = { + isa = PBXAggregateTarget; + buildConfigurationList = D41AD4321B96717A008C7270 /* Build configuration list for 
PBXAggregateTarget "Security_executables_tvos" */; + buildPhases = ( + ); + dependencies = ( + D41AD43A1B96721E008C7270 /* PBXTargetDependency */, + D41AD4521B9788B2008C7270 /* PBXTargetDependency */, + D41AD45A1B978944008C7270 /* PBXTargetDependency */, + D41AD4461B9786A3008C7270 /* PBXTargetDependency */, + D41AD43E1B967242008C7270 /* PBXTargetDependency */, + D41AD43C1B96723B008C7270 /* PBXTargetDependency */, + D41AD44C1B9786E2008C7270 /* PBXTargetDependency */, + D41AD4401B96724C008C7270 /* PBXTargetDependency */, + D41AD4441B978681008C7270 /* PBXTargetDependency */, + D41AD4421B97866C008C7270 /* PBXTargetDependency */, + D41AD44E1B978791008C7270 /* PBXTargetDependency */, + D41AD44A1B9786D8008C7270 /* PBXTargetDependency */, + EB9FE08D1BFBC48F004FEAAF /* PBXTargetDependency */, + ); + name = Security_executables_tvos; + productName = Security_executables_tvos; + }; + E74584661BF68EBA001B54A4 /* osx */ = { + isa = PBXAggregateTarget; + buildConfigurationList = E74584671BF68EBA001B54A4 /* Build configuration list for PBXAggregateTarget "osx" */; + buildPhases = ( + ); + dependencies = ( + E79EEDE71CD4003900C2FBFC /* PBXTargetDependency */, + E7CFF6751C84F65D00E3484E /* PBXTargetDependency */, + E745846D1BF68ECB001B54A4 /* PBXTargetDependency */, + E74584711BF68ECB001B54A4 /* PBXTargetDependency */, + E745846F1BF68ECB001B54A4 /* PBXTargetDependency */, + ); + name = osx; + productName = macosx; + }; + E79EEDA71CD3F87B00C2FBFC /* Security_tests_osx */ = { + isa = PBXAggregateTarget; + buildConfigurationList = E79EEDD11CD3F87B00C2FBFC /* Build configuration list for PBXAggregateTarget "Security_tests_osx" */; + buildPhases = ( + EB0BF1711D25B47A000DEF32 /* CopyFiles */, + ); + dependencies = ( + ); + name = Security_tests_osx; + productName = Security_test_macos; + }; + E79EEDD21CD3F8AB00C2FBFC /* Security_tests_ios */ = { + isa = PBXAggregateTarget; + buildConfigurationList = E79EEDD31CD3F8AB00C2FBFC /* Build configuration list for PBXAggregateTarget 
"Security_tests_ios" */; + buildPhases = ( + EB0BF1991D25B54B000DEF32 /* CopyFiles */, + ); + dependencies = ( + ); + name = Security_tests_ios; + productName = Security_test_ios; + }; + E79EEDD81CD3FFC800C2FBFC /* Security_frameworks_osx */ = { + isa = PBXAggregateTarget; + buildConfigurationList = E79EEDD91CD3FFC800C2FBFC /* Build configuration list for PBXAggregateTarget "Security_frameworks_osx" */; + buildPhases = ( + ); + dependencies = ( + E79EEDDD1CD3FFE300C2FBFC /* PBXTargetDependency */, + ); + name = Security_frameworks_osx; + productName = Security_frameworks_macos; + }; + E79EEDE01CD4000C00C2FBFC /* Security_executables */ = { + isa = PBXAggregateTarget; + buildConfigurationList = E79EEDE11CD4000C00C2FBFC /* Build configuration list for PBXAggregateTarget "Security_executables" */; + buildPhases = ( + ); + dependencies = ( + E79EEDE51CD4001300C2FBFC /* PBXTargetDependency */, + ); + name = Security_executables; + productName = Security_executables; + }; + E7CFF6471C84F61200E3484E /* Security_KeychainCircle */ = { + isa = PBXAggregateTarget; + buildConfigurationList = E7CFF66F1C84F61200E3484E /* Build configuration list for PBXAggregateTarget "Security_KeychainCircle" */; + buildPhases = ( + ); + dependencies = ( + E7CFF6711C84F62900E3484E /* PBXTargetDependency */, + E7CFF6731C84F62900E3484E /* PBXTargetDependency */, + ); + name = Security_KeychainCircle; + productName = Security_KeychainCircle; + }; + EB6A6FA81B90F83A0045DC68 /* phase1_ios */ = { + isa = PBXAggregateTarget; + buildConfigurationList = EB6A6FA91B90F83A0045DC68 /* Build configuration list for PBXAggregateTarget "phase1_ios" */; + buildPhases = ( + ); + dependencies = ( + EB6A6FAD1B90F84D0045DC68 /* PBXTargetDependency */, + ); + name = phase1_ios; + productName = phase1_ios; + }; + EB6A6FAE1B90F8810045DC68 /* Security_executables_bridge */ = { + isa = PBXAggregateTarget; + buildConfigurationList = EB6A6FAF1B90F8810045DC68 /* Build configuration list for PBXAggregateTarget 
"Security_executables_bridge" */; + buildPhases = ( + ); + dependencies = ( + EB6A6FB31B90F89F0045DC68 /* PBXTargetDependency */, + ); + name = Security_executables_bridge; + productName = Security_executables_Bridge; + }; + EB6A6FB41B90F8C90045DC68 /* phase2 */ = { + isa = PBXAggregateTarget; + buildConfigurationList = EB6A6FB51B90F8C90045DC68 /* Build configuration list for PBXAggregateTarget "phase2" */; + buildPhases = ( + ); + dependencies = ( + EB6A6FB91B90F8D70045DC68 /* PBXTargetDependency */, + ); + name = phase2; + productName = phase2; + }; EB9C1DAE1BDFD4DE00F89272 /* SecurityBatsTests */ = { isa = PBXAggregateTarget; buildConfigurationList = EB9C1DAF1BDFD4DF00F89272 /* Build configuration list for PBXAggregateTarget "SecurityBatsTests" */; buildPhases = ( - EB9C1DB41BDFD4F200F89272 /* install BATS plist */, - EB9305021BE1B35D00978606 /* Chown BATS plist */, + EB9C1DB41BDFD4F200F89272 /* Install BATS plist */, + EBC15E801BE29A8C001C0C5B /* Chown BATS plist */, ); dependencies = ( - EB9B37AF1C6470B20027E2F9 /* PBXTargetDependency */, - EB0BC8411C3C079100785842 /* PBXTargetDependency */, + EBCF743F1CE593A700BED7CA /* PBXTargetDependency */, + EB433A2C1CC3252A00A7EACE /* PBXTargetDependency */, + EBA9AA891CE3E76C004E2B68 /* PBXTargetDependency */, EB3A8E011BEEC6F3001A89AA /* PBXTargetDependency */, + EB63ADE11C3E74F900C45A69 /* PBXTargetDependency */, + EB425CD11C6585F1000ECE53 /* PBXTargetDependency */, ); name = SecurityBatsTests; productName = SecurityBatsTests; 
@@ -168,7 +321,6 @@ 0C0BDB861756A4C100BC1A7E /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F7F66514D77DF700F88A12 /* libsecurityd.a */; }; 0C0BDB871756A4FA00BC1A7E /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C2FEC5115755D710008BE39 /* libutilities.a */; }; 0C0BDB881756A51000BC1A7E /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB740680A4749C800D641BB /* libsqlite3.dylib */; }; - 0C0BDB891756A56A00BC1A7E /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F7F66314D77DF700F88A12 /* libsecurity.a */; }; 0C0BDB8A1756A5D500BC1A7E /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786AD0B03E05E00BB77D4 /* libDER.a */; }; 0C0BDB8B1756A5D900BC1A7E /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 795CA9860D38269B00BAE6A2 /* libASN1.a */; }; 0C0BDB8C1756A5F500BC1A7E /* libregressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E710C708133192EA00F85568 /* libregressions.a */; }; 
@@ -178,33 +330,43 @@ 0C0BDB901756A80100BC1A7E /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F7F66914D77DF700F88A12 /* libsecipc_client.a */; }; 0C0BDB911756A8A400BC1A7E /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; 0C0BDB931756A8C900BC1A7E /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */; }; + 0C0C88781CCEC5C400617D1B /* si-82-sectrust-ct-data in Resources */ = {isa = PBXBuildFile; fileRef = 0C0C88771CCEC5BD00617D1B /* si-82-sectrust-ct-data */; }; + 0C0C88791CCEC5C500617D1B /* si-82-sectrust-ct-data in Resources */ = {isa = PBXBuildFile; fileRef = 0C0C88771CCEC5BD00617D1B /* si-82-sectrust-ct-data */; }; 0C150099161D01D700181E9D /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786AD0B03E05E00BB77D4 /* libDER.a */; }; 0C15009A161D01F400181E9D /* libCMS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 79BDD39F0D60D5F9000D84D3 /* libCMS.a */; }; 0C15009B161D020000181E9D /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 795CA9860D38269B00BAE6A2 /* libASN1.a */; }; + 0C2BCBAF1D06401F00ED7A2F /* ioSock.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CE5A65809C79E0600D27A3F /* ioSock.c */; }; + 0C2BCBB01D06401F00ED7A2F /* sslAppUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CE5A65A09C79E0600D27A3F /* sslAppUtils.cpp */; }; + 0C2BCBB11D06401F00ED7A2F /* print_cert.c in Sources */ = {isa = PBXBuildFile; fileRef = EBD8495A1B24BEA000C5FD1E /* print_cert.c */; }; + 0C2BCBB31D06401F00ED7A2F /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C2FEC5115755D710008BE39 /* libutilities.a */; }; + 0C2BCBB41D06401F00ED7A2F /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; + 0C2BCBB51D06401F00ED7A2F /* CoreFoundation.framework in Frameworks */ = {isa = 
PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; }; + 0C2BCBBA1D06403B00ED7A2F /* dtlsEchoClient.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C2BCBA51D063F7D00ED7A2F /* dtlsEchoClient.c */; }; + 0C2BCBC41D0648D100ED7A2F /* ioSock.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CE5A65809C79E0600D27A3F /* ioSock.c */; }; + 0C2BCBC51D0648D100ED7A2F /* sslAppUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CE5A65A09C79E0600D27A3F /* sslAppUtils.cpp */; }; + 0C2BCBC61D0648D100ED7A2F /* print_cert.c in Sources */ = {isa = PBXBuildFile; fileRef = EBD8495A1B24BEA000C5FD1E /* print_cert.c */; }; + 0C2BCBC81D0648D100ED7A2F /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C2FEC5115755D710008BE39 /* libutilities.a */; }; + 0C2BCBC91D0648D100ED7A2F /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; + 0C2BCBCA1D0648D100ED7A2F /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; }; + 0C2BCBCF1D0648EF00ED7A2F /* dtlsEchoServer.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C2BCBA61D063F7D00ED7A2F /* dtlsEchoServer.c */; }; 0C3145571496B8FB00427C0B /* SecureTransport.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C3145551496B8FB00427C0B /* SecureTransport.h */; settings = {ATTRIBUTES = (Public, ); }; }; 0C3145581496B8FB00427C0B /* SecureTransportPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C3145561496B8FB00427C0B /* SecureTransportPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 0C38B9341AA8331B00F0F2EA /* si-82-sectrust-ct-logs.plist in Resources */ = {isa = PBXBuildFile; fileRef = 0C38B9331AA8331B00F0F2EA /* si-82-sectrust-ct-logs.plist */; }; - 0C38B9351AA8331B00F0F2EA /* si-82-sectrust-ct-logs.plist in Resources */ = {isa = PBXBuildFile; fileRef = 0C38B9331AA8331B00F0F2EA /* si-82-sectrust-ct-logs.plist */; }; - 
0C59B55417677C3E00617746 /* com.apple.securityd in CopyFiles */ = {isa = PBXBuildFile; fileRef = 0C59B54517677A9900617746 /* com.apple.securityd */; }; 0C5D2EEB167FEAAC0077501D /* SecAsn1Coder.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C5D2EEA167FEAAC0077501D /* SecAsn1Coder.h */; settings = {ATTRIBUTES = (Private, ); }; }; 0C5D2EED167FEEC90077501D /* secasn1t.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C5D2EEC167FEEC90077501D /* secasn1t.h */; settings = {ATTRIBUTES = (Private, ); }; }; 0C5D2EEF167FF0560077501D /* SecAsn1Templates.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C5D2EEE167FF0560077501D /* SecAsn1Templates.h */; settings = {ATTRIBUTES = (Private, ); }; }; 0C5D2EF1167FF1FC0077501D /* oidsalg.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C5D2EF0167FF1FC0077501D /* oidsalg.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 0C73C4C51A377FF400EE3A07 /* si-82-seccertificate-ct.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CBD090E1A1D31D400795EE5 /* si-82-seccertificate-ct.c */; }; - 0C73C4C61A377FF600EE3A07 /* si-82-seccertificate-ct.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CBD090E1A1D31D400795EE5 /* si-82-seccertificate-ct.c */; }; - 0C73C4C71A377FFA00EE3A07 /* si-82-sectrust-ct.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CC122B819C8AA4500D23178 /* si-82-sectrust-ct.c */; }; - 0C73C4C81A377FFB00EE3A07 /* si-82-sectrust-ct.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CC122B819C8AA4500D23178 /* si-82-sectrust-ct.c */; }; + 0C6E38FA1C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyReceiveMessage.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C6E38F51C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyReceiveMessage.m */; }; + 0C6E38FB1C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxySendMessage.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C6E38F71C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxySendMessage.m */; }; + 0C6E38FC1C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyThrottle.m in Sources */ 
= {isa = PBXBuildFile; fileRef = 0C6E38F91C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyThrottle.m */; }; 0C78F1CC16A5E1BF00654E08 /* sectask-10-sectask.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C78F1CA16A5E1BF00654E08 /* sectask-10-sectask.c */; }; 0C78F1CD16A5E1BF00654E08 /* sectask-10-sectask.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C78F1CA16A5E1BF00654E08 /* sectask-10-sectask.c */; }; 0C78F1CE16A5E1BF00654E08 /* sectask_ipc.defs in Sources */ = {isa = PBXBuildFile; fileRef = 0C78F1CB16A5E1BF00654E08 /* sectask_ipc.defs */; settings = {ATTRIBUTES = (Client, Server, ); }; }; 0C78F1CF16A5E1BF00654E08 /* sectask_ipc.defs in Sources */ = {isa = PBXBuildFile; fileRef = 0C78F1CB16A5E1BF00654E08 /* sectask_ipc.defs */; settings = {ATTRIBUTES = (Client, Server, ); }; }; 0C78F1D016A5E3EB00654E08 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 107227350D91FE89003CF14F /* libbsm.dylib */; }; + 0C869B431C865E4D006A2873 /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 0C869B421C865E4D006A2873 /* CoreCDP.framework */; }; 0CA31A4814BB5CDB00BD348C /* CipherSuite.h in Headers */ = {isa = PBXBuildFile; fileRef = 0CA31A4614BB5C9100BD348C /* CipherSuite.h */; settings = {ATTRIBUTES = (Public, ); }; }; 0CA31A7514BB6C2500BD348C /* sslTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = 0CA31A7314BB6C2500BD348C /* sslTypes.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 0CAE462D1AC5F75D00EDDEAB /* Invalid.com.apple.testcard.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 5D83979C160259EE0075998F /* Invalid.com.apple.testcard.crt */; }; - 0CC827F51387137900BD99B7 /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 798B7FD40D3D7B5400AC1D04 /* libASN1.a */; }; 0CC82948138716F400BD99B7 /* libregressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CC82947138716F400BD99B7 /* libregressions.a */; }; - 0CC8F26B1A9E930600447EB7 /* TrustedLogs.plist in Resources */ = {isa = PBXBuildFile; fileRef = 
0CC8F2491A9E92E000447EB7 /* TrustedLogs.plist */; };
 0CCA408015C745B9002AEC4C /* libsecurity_ssl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CCA406A15C73CA1002AEC4C /* libsecurity_ssl.a */; };
 0CCA418715C89FBB002AEC4C /* libsecurity_ssl_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CCA418415C89ECD002AEC4C /* libsecurity_ssl_regressions.a */; };
 0CCA418815C89FC4002AEC4C /* libsecurity_ssl_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CCA418415C89ECD002AEC4C /* libsecurity_ssl_regressions.a */; };
@@ -231,7 +393,6 @@
 438168BE1B4ED42700C54D58 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; };
 438168BF1B4ED42C00C54D58 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; };
 438168C01B4ED42C00C54D58 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; };
- 438168C11B4ED42F00C54D58 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; };
 438168C21B4ED43100C54D58 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; };
 438168C31B4ED43200C54D58 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; };
 438168C41B4ED43800C54D58 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; };
@@ -260,6 +421,8 @@
 44A655831AA4B4BB0059D185 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FBDD1AA0A45C0021AA26 /* libctkclient.a */; };
 44A655A51AA4B4C70059D185 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FBDD1AA0A45C0021AA26 /* libctkclient.a */; };
 44A655A61AA4B4C80059D185 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FBDD1AA0A45C0021AA26 /* libctkclient.a */; };
+ 486326301CAA0BF400A466D9 /* com.apple.securityd.plist in Resources */ = {isa = PBXBuildFile; fileRef = 4863262F1CAA0BE900A466D9 /* com.apple.securityd.plist */; };
+ 486326311CAA0C0F00A466D9 /* com.apple.securityd.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4863262F1CAA0BE900A466D9 /* com.apple.securityd.plist */; };
 4ACED92D15A10A320060775A /* libSecurityRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E79D9CD5159BEA78000834EC /* libSecurityRegressions.a */; };
 4AF7000015AFB73800B9D400 /* SecOTRIdentityPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF615AFB73800B9D400 /* SecOTRIdentityPriv.h */; settings = {ATTRIBUTES = (Private, ); }; };
 4AF7000115AFB73800B9D400 /* SecOTRMath.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF715AFB73800B9D400 /* SecOTRMath.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -297,93 +460,91 @@
 4C32C1260A4976BF002891BD /* SecTrust.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C8FD03E099D5C91006867B6 /* SecTrust.h */; settings = {ATTRIBUTES = (Public, ); }; };
 4C32C1990A497A0C002891BD /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; };
 4C32C1A60A497A21002891BD /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; };
- 4C3CECF31416E25C00947741 /* DigiNotar_Root_CA_G2-RootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF21416E20400947741 /* DigiNotar_Root_CA_G2-RootCertificate.crt */; };
- 4C3CECF41416E2EC00947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; };
- 4C3CECF51416E2FA00947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEB1416DB2200947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; };
- 4C3CECF61416E31A00947741 /* Invalid-diginotarpkioverheidcaoverheid.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEC1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheid.crt */; };
- 4C3CECF81416E33500947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECED1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; };
- 4C3CECF91416E34F00947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEE1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; };
- 4C3CECFA1416E34F00947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEF1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt */; };
- 4C3CECFB1416E34F00947741 /* staatdernederlandenorganisatieca-g2-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF01416DB2200947741 /* staatdernederlandenorganisatieca-g2-Cert.crt */; };
- 4C3CECFC1416E34F00947741 /* staatdernederlandenoverheidca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF11416DB2200947741 /* staatdernederlandenoverheidca-Cert.crt */; };
- 4C3CECFD1416E35400947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; };
- 4C3CECFE1416E35400947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEB1416DB2200947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; };
- 4C3CECFF1416E35400947741 /* Invalid-diginotarpkioverheidcaoverheid.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEC1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheid.crt */; };
- 4C3CED001416E35400947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECED1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; };
- 4C3CED011416E35400947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEE1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; };
- 4C3CED021416E35400947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEF1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt */; };
- 4C3CED031416E35400947741 /* staatdernederlandenorganisatieca-g2-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF01416DB2200947741 /* staatdernederlandenorganisatieca-g2-Cert.crt */; };
- 4C3CED041416E35400947741 /* staatdernederlandenoverheidca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF11416DB2200947741 /* staatdernederlandenoverheidca-Cert.crt */; };
- 4C3CED051416E35A00947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; };
+ 4C3CECF31416E25C00947741 /* DigiNotar_Root_CA_G2-RootCertificate.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF21416E20400947741 /* DigiNotar_Root_CA_G2-RootCertificate.crt */; };
+ 4C3CECF41416E2EC00947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; };
+ 4C3CECF51416E2FA00947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEB1416DB2200947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; };
+ 4C3CECF61416E31A00947741 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEC1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheid.crt */; };
+ 4C3CECF81416E33500947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECED1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; };
+ 4C3CECF91416E34F00947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEE1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; };
+ 4C3CECFB1416E34F00947741 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF01416DB2200947741 /* staatdernederlandenorganisatieca-g2-Cert.crt */; };
+ 4C3CECFC1416E34F00947741 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF11416DB2200947741 /* staatdernederlandenoverheidca-Cert.crt */; };
+ 4C3CECFD1416E35400947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; };
+ 4C3CECFE1416E35400947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEB1416DB2200947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; };
+ 4C3CECFF1416E35400947741 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEC1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheid.crt */; };
+ 4C3CED001416E35400947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECED1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; };
+ 4C3CED011416E35400947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEE1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; };
+ 4C3CED031416E35400947741 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF01416DB2200947741 /* staatdernederlandenorganisatieca-g2-Cert.crt */; };
+ 4C3CED041416E35400947741 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF11416DB2200947741 /* staatdernederlandenoverheidca-Cert.crt */; };
+ 4C3CED051416E35A00947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; };
 4C3DD6B0179755560093F9D8 /* NSDate+TimeIntervalDescription.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C3DD6AF179755560093F9D8 /* NSDate+TimeIntervalDescription.m */; };
 4C3DD6BD179760280093F9D8 /* libMobileGestalt.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = E7D690911652E06A0079537A /* libMobileGestalt.dylib */; };
 4C4296320BB0A68200491999 /* SecTrustSettings.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C4296300BB0A68200491999 /* SecTrustSettings.h */; settings = {ATTRIBUTES = (Private, ); }; };
- 4C50AD0C1410679000EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
- 4C50AD0D1410679000EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
- 4C50AD0E1410679000EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
- 4C50AD0F1410679000EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
- 4C50AD101410679000EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
- 4C50AD111410679000EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
- 4C50AD121410679000EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
- 4C50AD131410679000EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
- 4C50AD141410679000EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
- 4C50AD151410679000EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
- 4C50AD181410679900EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
- 4C50AD191410679900EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
- 4C50AD1A1410679900EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
- 4C50AD1B1410679900EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
- 4C50AD1C1410679900EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
- 4C50AD1D1410679900EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
- 4C50AD1E1410679900EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
- 4C50AD1F1410679900EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
- 4C50AD201410679900EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
- 4C50AD211410679900EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
- 4C50AD221410679900EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD071410671D00EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt */; };
- 4C50AD23141067A100EE92DE /* DigiNotarCA2007RootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFC1410671D00EE92DE /* DigiNotarCA2007RootCertificate.crt */; };
- 4C50AD24141067A100EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
- 4C50AD25141067A100EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
- 4C50AD26141067A100EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
- 4C50AD27141067A100EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
- 4C50AD28141067A100EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
- 4C50AD29141067A100EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
- 4C50AD2A141067A100EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
- 4C50AD2B141067A100EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
- 4C50AD2C141067A100EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
- 4C50AD2D141067A100EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
- 4C50AD30141068C100EE92DE /* Expectations.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD2F1410689300EE92DE /* Expectations.plist */; };
- 4C50AD3914106A4E00EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
- 4C50AD3A14106A4E00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
- 4C50AD3B14106A4E00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
- 4C50AD3C14106A4E00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
- 4C50AD3D14106A4E00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
- 4C50AD3E14106A4E00EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
- 4C50AD3F14106A4E00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
- 4C50AD4014106A4E00EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
- 4C50AD4114106A4E00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
- 4C50AD4214106A4E00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
- 4C50AD4614106A5000EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
- 4C50AD4714106A5000EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
- 4C50AD4814106A5000EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
- 4C50AD4914106A5000EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
- 4C50AD4A14106A5000EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
- 4C50AD4B14106A5000EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
- 4C50AD4C14106A5000EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
- 4C50AD4D14106A5000EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
- 4C50AD4E14106A5000EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
- 4C50AD4F14106A5000EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
- 4C50AD5014106A5000EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD071410671D00EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt */; };
- 4C50AD5114106A5400EE92DE /* Expectations.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD2F1410689300EE92DE /* Expectations.plist */; };
- 4C50AD5214106A5400EE92DE /* DigiNotarCA2007RootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFC1410671D00EE92DE /* DigiNotarCA2007RootCertificate.crt */; };
- 4C50AD5314106A5400EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
- 4C50AD5414106A5400EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
- 4C50AD5514106A5400EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
- 4C50AD5614106A5400EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
- 4C50AD5714106A5400EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
- 4C50AD5814106A5400EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
- 4C50AD5914106A5400EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
- 4C50AD5A14106A5400EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
- 4C50AD5B14106A5400EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
- 4C50AD5C14106A5400EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
+ 4C50AD0C1410679000EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
+ 4C50AD0D1410679000EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
+ 4C50AD0E1410679000EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
+ 4C50AD0F1410679000EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
+ 4C50AD101410679000EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
+ 4C50AD111410679000EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
+ 4C50AD121410679000EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
+ 4C50AD131410679000EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
+ 4C50AD141410679000EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
+ 4C50AD151410679000EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
+ 4C50AD181410679900EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
+ 4C50AD191410679900EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
+ 4C50AD1A1410679900EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
+ 4C50AD1B1410679900EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
+ 4C50AD1C1410679900EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
+ 4C50AD1D1410679900EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
+ 4C50AD1E1410679900EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
+ 4C50AD1F1410679900EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
+ 4C50AD201410679900EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
+ 4C50AD211410679900EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
+ 4C50AD221410679900EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD071410671D00EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt */; };
+ 4C50AD23141067A100EE92DE /* DigiNotarCA2007RootCertificate.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFC1410671D00EE92DE /* DigiNotarCA2007RootCertificate.crt */; };
+ 4C50AD24141067A100EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
+ 4C50AD25141067A100EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
+ 4C50AD26141067A100EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
+ 4C50AD27141067A100EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
+ 4C50AD28141067A100EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
+ 4C50AD29141067A100EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
+ 4C50AD2A141067A100EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
+ 4C50AD2B141067A100EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
+ 4C50AD2C141067A100EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
+ 4C50AD2D141067A100EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
+ 4C50AD30141068C100EE92DE /* Expectations.plist in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD2F1410689300EE92DE /* Expectations.plist */; };
+ 4C50AD3914106A4E00EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
+ 4C50AD3A14106A4E00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
+ 4C50AD3B14106A4E00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
+ 4C50AD3C14106A4E00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
+ 4C50AD3D14106A4E00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
+ 4C50AD3E14106A4E00EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
+ 4C50AD3F14106A4E00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
+ 4C50AD4014106A4E00EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
+ 4C50AD4114106A4E00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
+ 4C50AD4214106A4E00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
+ 4C50AD4614106A5000EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
+ 4C50AD4714106A5000EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
+ 4C50AD4814106A5000EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
+ 4C50AD4914106A5000EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
+ 4C50AD4A14106A5000EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
+ 4C50AD4B14106A5000EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
+ 4C50AD4C14106A5000EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
+ 4C50AD4D14106A5000EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
+ 4C50AD4E14106A5000EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
+ 4C50AD4F14106A5000EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; };
+ 4C50AD5014106A5000EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD071410671D00EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt */; };
+ 4C50AD5114106A5400EE92DE /* Expectations.plist in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD2F1410689300EE92DE /* Expectations.plist */; };
+ 4C50AD5214106A5400EE92DE /* DigiNotarCA2007RootCertificate.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFC1410671D00EE92DE /* DigiNotarCA2007RootCertificate.crt */; };
+ 4C50AD5314106A5400EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */; };
+ 4C50AD5414106A5400EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFE1410671D00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt */; };
+ 4C50AD5514106A5400EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50ACFF1410671D00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt */; };
+ 4C50AD5614106A5400EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD001410671D00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt */; };
+ 4C50AD5714106A5400EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD011410671D00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt */; };
+ 4C50AD5814106A5400EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD021410671D00EE92DE /* diginotar-public-ca-2025-Cert.crt */; };
+ 4C50AD5914106A5400EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD031410671D00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt */; };
+ 4C50AD5A14106A5400EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD041410671D00EE92DE /* diginotar-services-diginotar-root-Cert.crt */; };
+ 4C50AD5B14106A5400EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C50AD051410671D00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt */; };
+ 4C50AD5C14106A5400EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile;
fileRef = 4C50AD061410671D00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt */; }; 4C52D0B516EFC61E0079966E /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; 4C52D0BA16EFC61E0079966E /* CircleJoinRequested.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C52D0B916EFC61E0079966E /* CircleJoinRequested.m */; }; 4C52D0E716EFCCA20079966E /* Applicant.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C52D0E316EFCCA20079966E /* Applicant.m */; }; @@ -398,8 +559,6 @@ 4C7072860AC9EA4F007CC205 /* SecKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C7072840AC9EA4E007CC205 /* SecKey.h */; settings = {ATTRIBUTES = (Public, ); }; }; 4C7072D40AC9ED5A007CC205 /* SecKeyPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C7072D30AC9ED5A007CC205 /* SecKeyPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4C7073CA0ACB2BAD007CC205 /* SecRSAKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C7073C80ACB2BAD007CC205 /* SecRSAKey.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 4C711D6713AFCD0900FE865D /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786D90B03E1BC00BB77D4 /* libDER.a */; }; - 4C711D6913AFCD0900FE865D /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 798B7FD40D3D7B5400AC1D04 /* libASN1.a */; }; 4C711D6C13AFCD0900FE865D /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB740680A4749C800D641BB /* libsqlite3.dylib */; }; 4C711D6D13AFCD0900FE865D /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; 4C711D6F13AFCD0900FE865D /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF730310EF9CDE300E17471 /* CFNetwork.framework */; }; 
@@ -413,30 +572,28 @@ 4C84DA551720698900AEE225 /* AppleAccount.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C84DA541720698900AEE225 /* AppleAccount.framework */; }; 4C87F3A80D611C26000E7104 /* SecTrustPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C87F3A70D611C26000E7104 /* SecTrustPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4C8A38C917B93DF10001B4C0 /* CloudServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8A38C817B93DF10001B4C0 /* CloudServices.framework */; }; - 4C8B91C61416EB8B00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; - 4C8B91C71416EBA400A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; - 4C8B91C81416EBB500A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; - 4C8B91C91416ED7E00A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; }; - 4C8B91CA1416ED7E00A254E2 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEB1416DB2200947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; }; - 4C8B91CB1416ED7E00A254E2 /* Invalid-diginotarpkioverheidcaoverheid.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEC1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheid.crt */; }; - 4C8B91CC1416ED7E00A254E2 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECED1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; }; - 
4C8B91CD1416ED7E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEE1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; }; - 4C8B91CE1416ED7E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEF1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt */; }; - 4C8B91CF1416ED7E00A254E2 /* staatdernederlandenorganisatieca-g2-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF01416DB2200947741 /* staatdernederlandenorganisatieca-g2-Cert.crt */; }; - 4C8B91D01416ED7E00A254E2 /* staatdernederlandenoverheidca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF11416DB2200947741 /* staatdernederlandenoverheidca-Cert.crt */; }; - 4C8B91D11416ED7E00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; - 4C8B91D21416ED8E00A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; }; - 4C8B91D31416ED8E00A254E2 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEB1416DB2200947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; }; - 4C8B91D41416ED8E00A254E2 /* Invalid-diginotarpkioverheidcaoverheid.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEC1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheid.crt */; }; - 4C8B91D51416ED8E00A254E2 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECED1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; }; - 4C8B91D61416ED8E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in 
CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEE1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; }; - 4C8B91D71416ED8E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEF1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt */; }; - 4C8B91D81416ED8E00A254E2 /* staatdernederlandenorganisatieca-g2-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF01416DB2200947741 /* staatdernederlandenorganisatieca-g2-Cert.crt */; }; - 4C8B91D91416ED8E00A254E2 /* staatdernederlandenoverheidca-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF11416DB2200947741 /* staatdernederlandenoverheidca-Cert.crt */; }; - 4C8B91DA1416ED8E00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; - 4C8B91DB1416ED9400A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; }; - 4C8B91E31416ED9400A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; - 4C8B91E41416ED9A00A254E2 /* DigiNotar_Root_CA_G2-RootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C3CECF21416E20400947741 /* DigiNotar_Root_CA_G2-RootCertificate.crt */; }; + 4C8B91C61416EB8B00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; + 4C8B91C71416EBA400A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; + 
4C8B91C81416EBB500A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; + 4C8B91C91416ED7E00A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; }; + 4C8B91CA1416ED7E00A254E2 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEB1416DB2200947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; }; + 4C8B91CB1416ED7E00A254E2 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEC1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheid.crt */; }; + 4C8B91CC1416ED7E00A254E2 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECED1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; }; + 4C8B91CD1416ED7E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEE1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; }; + 4C8B91CF1416ED7E00A254E2 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF01416DB2200947741 /* staatdernederlandenorganisatieca-g2-Cert.crt */; }; + 4C8B91D01416ED7E00A254E2 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF11416DB2200947741 /* staatdernederlandenoverheidca-Cert.crt */; }; + 4C8B91D11416ED7E00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar Resources */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* 
Invalid-webmail.portofamsterdam.nl.crt */; }; + 4C8B91D21416ED8E00A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; }; + 4C8B91D31416ED8E00A254E2 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEB1416DB2200947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt */; }; + 4C8B91D41416ED8E00A254E2 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEC1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheid.crt */; }; + 4C8B91D51416ED8E00A254E2 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECED1416DB2200947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt */; }; + 4C8B91D61416ED8E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEE1416DB2200947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt */; }; + 4C8B91D81416ED8E00A254E2 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF01416DB2200947741 /* staatdernederlandenorganisatieca-g2-Cert.crt */; }; + 4C8B91D91416ED8E00A254E2 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF11416DB2200947741 /* staatdernederlandenoverheidca-Cert.crt */; }; + 4C8B91DA1416ED8E00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-Entrust Resources */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; + 4C8B91DB1416ED9400A254E2 /* 
Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECEA1416DB2200947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt */; }; + 4C8B91E31416ED9400A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C8B91C51416EB6A00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt */; }; + 4C8B91E41416ED9A00A254E2 /* DigiNotar_Root_CA_G2-RootCertificate.crt in Copy DigiNotar-ok Resources */ = {isa = PBXBuildFile; fileRef = 4C3CECF21416E20400947741 /* DigiNotar_Root_CA_G2-RootCertificate.crt */; }; 4C999BA60AB5F0BB0010451D /* NtlmGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C999BA20AB5F0BB0010451D /* NtlmGenerator.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4C999BA80AB5F0BB0010451D /* ntlmBlobPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C999BA40AB5F0BB0010451D /* ntlmBlobPriv.h */; }; 4C9DE9E31181AC8300CF5C27 /* sslEcdsa.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9DE9E21181AC8300CF5C27 /* sslEcdsa.cpp */; }; 
@@ -507,12 +664,8 @@ 52BF42C21AFAD10C00821B5D /* SOSCloudCircleInternal.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 9468B9691AF2B8FC00042383 /* SOSCloudCircleInternal.h */; }; 52CD69FB16384C2000961848 /* KCAItemDetailViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 52CD69FA16384C2000961848 /* KCAItemDetailViewController.m */; }; 52D82BDF16A621F70078DFE5 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; - 52D82BE516A621F70078DFE5 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 52D82BE316A621F70078DFE5 /* InfoPlist.strings */; }; 52D82BEE16A622370078DFE5 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; - 52D82BEF16A622470078DFE5 /* libCloudKeychainProxy.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 52849FAE164462E7005CDF23 /* libCloudKeychainProxy.a */; }; 52D82BF016A622570078DFE5 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C2FEC5115755D710008BE39 /* libutilities.a */; }; - 52D82BF416A622E60078DFE5 /* com.apple.security.cloudkeychainproxy.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 52222D2C16A5CBCC00EDD09C /* com.apple.security.cloudkeychainproxy.plist */; }; - 52D82BF816A6283F0078DFE5 /* ckdmain.m in Sources */ = {isa = PBXBuildFile; fileRef = 52D82BF716A6283F0078DFE5 /* ckdmain.m */; }; 52DE816B1636347500F49F0C /* UIKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE411314471B000DE34E /* UIKit.framework */; }; 52DE816C1636347500F49F0C /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; 52DE816D1636347500F49F0C /* CoreGraphics.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE451314471B000DE34E /* CoreGraphics.framework */; }; 
@@ -538,7 +691,6 @@ 5346481E173322BD00FE9172 /* KeychainSyncAccountNotification.m in Sources */ = {isa = PBXBuildFile; fileRef = 5346481D173322BD00FE9172 /* KeychainSyncAccountNotification.m */; }; 5346481F17332F9C00FE9172 /* Accounts.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF4C19C171E0EA600877419 /* Accounts.framework */; }; 53C0E1FF177FB48A00F8A018 /* CloudKeychain.strings in Resources */ = {isa = PBXBuildFile; fileRef = 53C0E1F1177FAC2C00F8A018 /* CloudKeychain.strings */; }; - 5D83979E16025A720075998F /* Invalid.com.apple.testcard.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 5D83979C160259EE0075998F /* Invalid.com.apple.testcard.crt */; }; 5E10992619A5E55800A60E2B /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; 5E10995119A5E5CE00A60E2B /* ISProtectedItems.plist in Resources */ = {isa = PBXBuildFile; fileRef = 5E10994E19A5E5CE00A60E2B /* ISProtectedItems.plist */; }; 5E10995219A5E5CE00A60E2B /* ISProtectedItemsController.m in Sources */ = {isa = PBXBuildFile; fileRef = 5E10995019A5E5CE00A60E2B /* ISProtectedItemsController.m */; }; 
@@ -560,10 +712,6 @@ 5EBE247D1B00CCAE0007DB0E /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 5EBE247C1B00CCAE0007DB0E /* main.c */; }; 7200D76F177B9999009BB396 /* ManagedConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 72C3EC2D1705F24E0040C87C /* ManagedConfiguration.framework */; }; 728B56A216D59979008FA3AB /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; - 72979BE3175D095900BE8FD6 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; - 72979BF0175D0B2D00BE8FD6 /* cloud_keychain_diagnose.c in Sources */ = {isa = PBXBuildFile; fileRef = 72979BEF175D0B2D00BE8FD6 /* cloud_keychain_diagnose.c */; }; - 72979BF1175D0B5900BE8FD6 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; - 72979BF2175D0D4F00BE8FD6 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; 72C3EC2E1705F24E0040C87C /* ManagedConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 72C3EC2D1705F24E0040C87C /* ManagedConfiguration.framework */; }; 72CD2BBE16D59AE30064EEE1 /* OTAServiceApp.m in Sources */ = {isa = PBXBuildFile; fileRef = 72CD2BBB16D59AE30064EEE1 /* OTAServiceApp.m */; }; 72CD2BBF16D59AE30064EEE1 /* OTAServicemain.m in Sources */ = {isa = PBXBuildFile; fileRef = 72CD2BBD16D59AE30064EEE1 /* OTAServicemain.m */; }; 
@@ -591,45 +739,26 @@ 7913B2050D172B3900601FE9 /* sslServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 7913B1DF0D17280500601FE9 /* sslServer.cpp */; }; 7913B2080D172B3900601FE9 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; 791766DE0DD0162C00F3B974 /* SecCertificateRequest.h in Headers */ = {isa = PBXBuildFile; fileRef = 791766DD0DD0162C00F3B974 /* SecCertificateRequest.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 7930B058134A2D97007062F8 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB740680A4749C800D641BB /* libsqlite3.dylib */; }; 7930B06A134A4864007062F8 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; 7940D4130C3ACF9000FDB5D8 /* SecDH.h in Headers */ = {isa = PBXBuildFile; fileRef = 7940D4110C3ACF9000FDB5D8 /* SecDH.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 7947431A146213DC00D638A3 /* Invalid-www.cybersecurity.my.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 794743191462137C00D638A3 /* Invalid-www.cybersecurity.my.crt */; }; - 7947431B146213EF00D638A3 /* Invalid-www.cybersecurity.my.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 794743191462137C00D638A3 /* Invalid-www.cybersecurity.my.crt */; }; - 7947431D1462151400D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 7947431C146214E500D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt */; }; - 7947431E1462151E00D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 7947431C146214E500D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt */; }; + 7947431A146213DC00D638A3 /* Invalid-www.cybersecurity.my.crt in Copy DigiCertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = 794743191462137C00D638A3 /* Invalid-www.cybersecurity.my.crt */; }; + 7947431B146213EF00D638A3 /* 
Invalid-www.cybersecurity.my.crt in Copy DigicertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = 794743191462137C00D638A3 /* Invalid-www.cybersecurity.my.crt */; }; + 7947431D1462151400D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in Copy DigicertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = 7947431C146214E500D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt */; }; + 7947431E1462151E00D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in Copy DigiCertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = 7947431C146214E500D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt */; }; 795CA9CE0D38435E00BAE6A2 /* p12pbegen.h in Headers */ = {isa = PBXBuildFile; fileRef = 795CA9CC0D38435E00BAE6A2 /* p12pbegen.h */; }; - 79679E29146202A800CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79679E251462028800CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt */; }; - 79679E2A146202A800CF997F /* Invalid-webmail.jaring.my.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79679E261462028800CF997F /* Invalid-webmail.jaring.my.crt */; }; - 79679E2C146202CB00CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79679E251462028800CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt */; }; - 79679E2D146202CB00CF997F /* Invalid-webmail.jaring.my.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79679E261462028800CF997F /* Invalid-webmail.jaring.my.crt */; }; + 79679E29146202A800CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in Copy DigiCertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = 79679E251462028800CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt */; }; + 79679E2A146202A800CF997F /* Invalid-webmail.jaring.my.crt in Copy DigiCertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = 79679E261462028800CF997F /* Invalid-webmail.jaring.my.crt */; }; + 79679E2C146202CB00CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in 
Copy DigicertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = 79679E251462028800CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt */; }; + 79679E2D146202CB00CF997F /* Invalid-webmail.jaring.my.crt in Copy DigicertMalaysia Resources */ = {isa = PBXBuildFile; fileRef = 79679E261462028800CF997F /* Invalid-webmail.jaring.my.crt */; }; 79863B710CADCEAB00818B0D /* com.apple.securityd.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79863B700CADCEAB00818B0D /* com.apple.securityd.plist */; }; 79863B960CADD21700818B0D /* securityd_server.h in Headers */ = {isa = PBXBuildFile; fileRef = 79863B940CADD21700818B0D /* securityd_server.h */; }; 79BDD3C20D60DB84000D84D3 /* SecCMS.h in Headers */ = {isa = PBXBuildFile; fileRef = 79BDD3C00D60DB84000D84D3 /* SecCMS.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 79C0C675134A6E2D00A51BCB /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; - 79C0C6BC134A96C100A51BCB /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF730310EF9CDE300E17471 /* CFNetwork.framework */; }; - 79DCEA61134A280F007F57DC /* codesign_wrapper.c in Sources */ = {isa = PBXBuildFile; fileRef = 79DCEA5E134A280F007F57DC /* codesign_wrapper.c */; }; - 79DCEA62134A280F007F57DC /* codesign.c in Sources */ = {isa = PBXBuildFile; fileRef = 79DCEA5F134A280F007F57DC /* codesign.c */; }; - 79DCEA63134A280F007F57DC /* MISEntitlement.c in Sources */ = {isa = PBXBuildFile; fileRef = 79DCEA60134A280F007F57DC /* MISEntitlement.c */; }; - 79DCEA87134A2A1B007F57DC /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786AD0B03E05E00BB77D4 /* libDER.a */; }; - 79E0D705143E55DB0010CE0E /* Apple Application Integration Certification Authority Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D702143E558B0010CE0E /* Apple Application Integration Certification Authority Cert.crt */; }; - 79E0D706143E55DB0010CE0E /* Apple Production 
ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D703143E558B0010CE0E /* Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt */; }; - 79E0D707143E55DB0010CE0E /* AppleRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D704143E558B0010CE0E /* AppleRootCertificate.crt */; }; - 79E0D709143E56010010CE0E /* Apple Application Integration Certification Authority Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D702143E558B0010CE0E /* Apple Application Integration Certification Authority Cert.crt */; }; - 79E0D70A143E56010010CE0E /* Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D703143E558B0010CE0E /* Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt */; }; - 79E0D70B143E56010010CE0E /* AppleRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D704143E558B0010CE0E /* AppleRootCertificate.crt */; }; - 79E0D7A8143E672A0010CE0E /* Invalid-asset_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D7A6143E671C0010CE0E /* Invalid-asset_signing.crt */; }; - 79E0D7A9143E673B0010CE0E /* Invalid-asset_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D7A6143E671C0010CE0E /* Invalid-asset_signing.crt */; }; - 79E0D7AC143E68CF0010CE0E /* iPhoneCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D7AA143E68BF0010CE0E /* iPhoneCACert.crt */; }; - 79E0D7AD143E68D70010CE0E /* iPhoneCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 79E0D7AA143E68BF0010CE0E /* iPhoneCACert.crt */; }; 79EF5B6E0D3D6A31009F5270 /* SecImportExport.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EF5B6C0D3D6A31009F5270 /* SecImportExport.h */; settings = {ATTRIBUTES = (Public, ); }; }; 79EF5B730D3D6AFE009F5270 /* p12import.h in Headers */ = {isa = PBXBuildFile; fileRef = 
79EF5B720D3D6AFE009F5270 /* p12import.h */; }; 8E02FA6B1107BE460043545E /* pbkdf2.h in Headers */ = {isa = PBXBuildFile; fileRef = 8E02FA691107BE460043545E /* pbkdf2.h */; settings = {ATTRIBUTES = (Private, ); }; }; 8ED6F6CA110904E300D2B368 /* SecPBKDF.h in Headers */ = {isa = PBXBuildFile; fileRef = 8ED6F6C8110904E300D2B368 /* SecPBKDF.h */; settings = {ATTRIBUTES = (Private, ); }; }; 9468B9481AF2B60900042383 /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 9468B9471AF2B60800042383 /* SOSBackupSliceKeyBag.h */; }; - 9468B96C1AF2B91B00042383 /* SOSForerunnerSession.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 9468B96B1AF2B91B00042383 /* SOSForerunnerSession.h */; }; 9468B96E1AF2B93300042383 /* SOSViews.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 9468B96D1AF2B93300042383 /* SOSViews.h */; }; - B9499C24139DC391004F4EDE /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786D90B03E1BC00BB77D4 /* libDER.a */; }; BE061FE11899ECEE00C739F6 /* SecSharedCredential.h in Headers */ = {isa = PBXBuildFile; fileRef = BE061FE01899ECEE00C739F6 /* SecSharedCredential.h */; settings = {ATTRIBUTES = (Public, ); }; }; BE197F2C19116FD100BA91D1 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = BE197F2A19116FD100BA91D1 /* InfoPlist.strings */; }; BE197F2E19116FD100BA91D1 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = BE197F2D19116FD100BA91D1 /* main.m */; }; 
@@ -656,7 +785,6 @@ BE759DCB1917E38D00801E02 /* CoreGraphics.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE451314471B000DE34E /* CoreGraphics.framework */; }; BEF8AFF719176B0C00F80109 /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F7F66514D77DF700F88A12 /* libsecurityd.a */; }; BEF8AFF819176B1400F80109 /* libSWCAgent.a in Frameworks */ = {isa = PBXBuildFile; fileRef = BE442B9B18B7FD6700F24DAE /* libSWCAgent.a */; }; - CD045E461A83F8C0005FA0AC /* libIDSKeychainSyncingProxy.a in Frameworks */ = {isa = PBXBuildFile; fileRef = CDCDA31B1A803648005CF7C9 /* libIDSKeychainSyncingProxy.a */; }; CD045E471A83F8C7005FA0AC /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C2FEC5115755D710008BE39 /* libutilities.a */; }; CD0637551A84060600C81E74 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; CD0637561A84065F00C81E74 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; 
@@ -664,819 +792,73 @@
 CD276C281A83F60C003226BC /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; };
 CD4F44211B546A7E00FE3569 /* SOSPeerInfoV2.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = CD4F44201B546A7E00FE3569 /* SOSPeerInfoV2.h */; };
 CD8B5AC61B618F1B004D4AEF /* SOSPeerInfoPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = CD8B5AC51B618F1B004D4AEF /* SOSPeerInfoPriv.h */; };
- CDB6DE131AAE6122005B00E1 /* idskeychainsyncingproxy.entitlements.plist in Resources */ = {isa = PBXBuildFile; fileRef = CDB22D0B1A9D37440043E348 /* idskeychainsyncingproxy.entitlements.plist */; };
 CDB9FCAB179CD098000AAD66 /* Info.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = CDB9FCA9179CC757000AAD66 /* Info.plist */; };
 CDDE9BD11729ABFA0013B0E8 /* SecPasswordGenerate.h in Headers */ = {isa = PBXBuildFile; fileRef = CDDE9BC31729AB910013B0E8 /* SecPasswordGenerate.h */; settings = {ATTRIBUTES = (Private, ); }; };
- CDF42C2D1A884C3E0080BB05 /* idksmain.m in Sources */ = {isa = PBXBuildFile; fileRef = CDF42C2C1A884C3E0080BB05 /* idksmain.m */; };
- CDF91EF21AAE023800E88CF7 /* com.apple.private.alloy.keychainsync.plist in Resources */ = {isa = PBXBuildFile; fileRef = CDF91EF11AAE023800E88CF7 /* com.apple.private.alloy.keychainsync.plist */; };
 CDF91EF31AAE024A00E88CF7 /* com.apple.private.alloy.keychainsync.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = CDF91EF11AAE023800E88CF7 /* com.apple.private.alloy.keychainsync.plist */; };
- CDFD1D841A840F64004C2BEA /* com.apple.security.idskeychainsyncingproxy.plist in Copy Files */ = {isa = PBXBuildFile; fileRef = CD3F91151A802B4900E07119 /* com.apple.security.idskeychainsyncingproxy.plist */; };
+ D40771E91C9B518F0016AA66 /* libSharedRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D40771E21C9B51830016AA66 /* libSharedRegressions.a */; };
+ D40771EE1C9B51ED0016AA66 /* libSharedRegressions.a in Frameworks */ = {isa
= PBXBuildFile; fileRef = D40771E21C9B51830016AA66 /* libSharedRegressions.a */; };
+ D447C4101D3094740082FC1D /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; };
+ D447C4DA1D31C8280082FC1D /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F7F66314D77DF700F88A12 /* libsecurity.a */; };
+ D447C4E81D31CA720082FC1D /* libCMS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 79BDD39F0D60D5F9000D84D3 /* libCMS.a */; };
+ D453BA341C8E797A00E4D91F /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786AD0B03E05E00BB77D4 /* libDER.a */; };
+ D453BA551C8E799100E4D91F /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786AD0B03E05E00BB77D4 /* libDER.a */; };
 D45D1A471B3A293E00C63E16 /* oids.h in Headers */ = {isa = PBXBuildFile; fileRef = D45D1A461B3A293E00C63E16 /* oids.h */; settings = {ATTRIBUTES = (Private, ); }; };
- D4B4A9FD1B8BBC5D0097B393 /* InvalidEKUTest16.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D31B8BBC1B0097B393 /* InvalidEKUTest16.cer */; };
- D4B4A9FE1B8BBC5D0097B393 /* InvalidHostnameTest1.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D41B8BBC1B0097B393 /* InvalidHostnameTest1.cer */; };
- D4B4A9FF1B8BBC5D0097B393 /* InvalidHostnameTest2.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D51B8BBC1B0097B393 /* InvalidHostnameTest2.cer */; };
- D4B4AA001B8BBC5D0097B393 /* InvalidHostnameTest22.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D61B8BBC1B0097B393 /* InvalidHostnameTest22.cer */; };
- D4B4AA011B8BBC5D0097B393 /* InvalidHostnameTest23.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D71B8BBC1B0097B393 /* InvalidHostnameTest23.cer */; };
- D4B4AA021B8BBC5D0097B393 /* InvalidHostnameTest24.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D81B8BBC1B0097B393 /* InvalidHostnameTest24.cer */; };
- D4B4AA031B8BBC5D0097B393 /* InvalidWildcardTest5Test6.cer in CopyFiles
*/ = {isa = PBXBuildFile; fileRef = D4B4A9D91B8BBC1B0097B393 /* InvalidWildcardTest5Test6.cer */; };
- D4B4AA041B8BBC5D0097B393 /* InvalidWildcardTest10.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DA1B8BBC1B0097B393 /* InvalidWildcardTest10.cer */; };
- D4B4AA051B8BBC5D0097B393 /* InvalidWildcardTest11.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DB1B8BBC1B0097B393 /* InvalidWildcardTest11.cer */; };
- D4B4AA061B8BBC5D0097B393 /* InvalidWildcardTest12.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DC1B8BBC1B0097B393 /* InvalidWildcardTest12.cer */; };
- D4B4AA071B8BBC5D0097B393 /* InvalidWildcardTest13Test14.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DD1B8BBC1B0097B393 /* InvalidWildcardTest13Test14.cer */; };
- D4B4AA081B8BBC5D0097B393 /* InvalidWildcardTest15.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DE1B8BBC1B0097B393 /* InvalidWildcardTest15.cer */; };
- D4B4AA091B8BBC5D0097B393 /* InvalidWildcardTest25Test26.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DF1B8BBC1B0097B393 /* InvalidWildcardTest25Test26.cer */; };
- D4B4AA0A1B8BBC5D0097B393 /* SSLTrustPolicyTest.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E01B8BBC1B0097B393 /* SSLTrustPolicyTest.plist */; };
- D4B4AA0B1B8BBC5D0097B393 /* SSLTrustPolicyTestRootCertificate.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E11B8BBC1B0097B393 /* SSLTrustPolicyTestRootCertificate.cer */; };
- D4B4AA0C1B8BBC5D0097B393 /* ValidEKUTest17.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E21B8BBC1B0097B393 /* ValidEKUTest17.cer */; };
- D4B4AA0D1B8BBC5D0097B393 /* ValidHostnameTest3.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E31B8BBC1B0097B393 /* ValidHostnameTest3.cer */; };
- D4B4AA0E1B8BBC5D0097B393 /* ValidHostnameTest4.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E41B8BBC1B0097B393 /* ValidHostnameTest4.cer */; };
- D4B4AA0F1B8BBC5D0097B393 /*
ValidHostnameTest18Test19Test20.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E51B8BBC1B0097B393 /* ValidHostnameTest18Test19Test20.cer */; };
- D4B4AA101B8BBC5D0097B393 /* ValidHostnameTest21.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E61B8BBC1B0097B393 /* ValidHostnameTest21.cer */; };
- D4B4AA111B8BBC5D0097B393 /* ValidWildcardTest7Test8Test9.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E71B8BBC1B0097B393 /* ValidWildcardTest7Test8Test9.cer */; };
- D4B4AA131B8BC64E0097B393 /* InvalidEKUTest16.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D31B8BBC1B0097B393 /* InvalidEKUTest16.cer */; };
- D4B4AA141B8BC64E0097B393 /* InvalidHostnameTest1.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D41B8BBC1B0097B393 /* InvalidHostnameTest1.cer */; };
- D4B4AA151B8BC64E0097B393 /* InvalidHostnameTest2.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D51B8BBC1B0097B393 /* InvalidHostnameTest2.cer */; };
- D4B4AA161B8BC64E0097B393 /* InvalidHostnameTest22.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D61B8BBC1B0097B393 /* InvalidHostnameTest22.cer */; };
- D4B4AA171B8BC64E0097B393 /* InvalidHostnameTest23.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D71B8BBC1B0097B393 /* InvalidHostnameTest23.cer */; };
- D4B4AA181B8BC64E0097B393 /* InvalidHostnameTest24.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D81B8BBC1B0097B393 /* InvalidHostnameTest24.cer */; };
- D4B4AA191B8BC64E0097B393 /* InvalidWildcardTest5Test6.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9D91B8BBC1B0097B393 /* InvalidWildcardTest5Test6.cer */; };
- D4B4AA1A1B8BC64E0097B393 /* InvalidWildcardTest10.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DA1B8BBC1B0097B393 /* InvalidWildcardTest10.cer */; };
- D4B4AA1B1B8BC64E0097B393 /* InvalidWildcardTest11.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DB1B8BBC1B0097B393 /* InvalidWildcardTest11.cer */; };
-
D4B4AA1C1B8BC64E0097B393 /* InvalidWildcardTest12.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DC1B8BBC1B0097B393 /* InvalidWildcardTest12.cer */; };
- D4B4AA1D1B8BC64E0097B393 /* InvalidWildcardTest13Test14.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DD1B8BBC1B0097B393 /* InvalidWildcardTest13Test14.cer */; };
- D4B4AA1E1B8BC64E0097B393 /* InvalidWildcardTest15.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DE1B8BBC1B0097B393 /* InvalidWildcardTest15.cer */; };
- D4B4AA1F1B8BC64E0097B393 /* InvalidWildcardTest25Test26.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9DF1B8BBC1B0097B393 /* InvalidWildcardTest25Test26.cer */; };
- D4B4AA201B8BC64E0097B393 /* SSLTrustPolicyTest.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E01B8BBC1B0097B393 /* SSLTrustPolicyTest.plist */; };
- D4B4AA211B8BC64E0097B393 /* SSLTrustPolicyTestRootCertificate.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E11B8BBC1B0097B393 /* SSLTrustPolicyTestRootCertificate.cer */; };
- D4B4AA221B8BC64E0097B393 /* ValidEKUTest17.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E21B8BBC1B0097B393 /* ValidEKUTest17.cer */; };
- D4B4AA231B8BC64E0097B393 /* ValidHostnameTest3.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E31B8BBC1B0097B393 /* ValidHostnameTest3.cer */; };
- D4B4AA241B8BC64E0097B393 /* ValidHostnameTest4.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E41B8BBC1B0097B393 /* ValidHostnameTest4.cer */; };
- D4B4AA251B8BC64E0097B393 /* ValidHostnameTest18Test19Test20.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E51B8BBC1B0097B393 /* ValidHostnameTest18Test19Test20.cer */; };
- D4B4AA261B8BC64E0097B393 /* ValidHostnameTest21.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E61B8BBC1B0097B393 /* ValidHostnameTest21.cer */; };
- D4B4AA271B8BC64E0097B393 /* ValidWildcardTest7Test8Test9.cer in CopyFiles */ = {isa = PBXBuildFile; fileRef = D4B4A9E71B8BBC1B0097B393 /*
ValidWildcardTest7Test8Test9.cer */; };
+ D47F514C1C3B812500A7CEFE /* SecCFAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = D47F514B1C3B812500A7CEFE /* SecCFAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ D4AA9D121C3B1B1900A5640C /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; };
+ D4B858671D370D9A003B2D95 /* MobileCoreServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D4B858661D370D9A003B2D95 /* MobileCoreServices.framework */; };
+ D4D886BF1CEB9F3B00DC7583 /* ssl-policy-certs in Resources */ = {isa = PBXBuildFile; fileRef = D4D886BE1CEB9F3B00DC7583 /* ssl-policy-certs */; };
+ D4D886C01CEB9F7200DC7583 /* ssl-policy-certs in Resources */ = {isa = PBXBuildFile; fileRef = D4D886BE1CEB9F3B00DC7583 /* ssl-policy-certs */; };
+ D4D886E91CEBDD2A00DC7583 /* nist-certs in Resources */ = {isa = PBXBuildFile; fileRef = D4D886E81CEBDD2A00DC7583 /* nist-certs */; };
+ D4D886EA1CEBDE0800DC7583 /* nist-certs in Resources */ = {isa = PBXBuildFile; fileRef = D4D886E81CEBDD2A00DC7583 /* nist-certs */; };
+ D4EC94FB1CEA482D0083E753 /* si-20-sectrust-policies-data in Resources */ = {isa = PBXBuildFile; fileRef = D4EC94FA1CEA482D0083E753 /* si-20-sectrust-policies-data */; };
+ D4EC94FE1CEA48760083E753 /* si-20-sectrust-policies-data in Resources */ = {isa = PBXBuildFile; fileRef = D4EC94FA1CEA482D0083E753 /* si-20-sectrust-policies-data */; };
 E7104A07169E03CE00DB0045 /* libSecurityTool.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E7104A06169E038F00DB0045 /* libSecurityTool.a */; };
 E7104A0C169E171900DB0045 /* security_tool_commands.c in Sources */ = {isa = PBXBuildFile; fileRef = E7104A0B169E171900DB0045 /* security_tool_commands.c */; };
 E7104A24169E222F00DB0045 /* libSecurityCommands.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E7104A23169E21C000DB0045 /* libSecurityCommands.a */; };
+ E71454EF1C741E0800B5B20B /* KCError.h in Headers */ = {isa =
PBXBuildFile; fileRef = E71454ED1C741E0800B5B20B /* KCError.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ E71454F01C741E0800B5B20B /* KCError.m in Sources */ = {isa = PBXBuildFile; fileRef = E71454EE1C741E0800B5B20B /* KCError.m */; };
+ E71454F11C741E1500B5B20B /* KCDer.h in Headers */ = {isa = PBXBuildFile; fileRef = E71454C71C741DCD00B5B20B /* KCDer.h */; settings = {ATTRIBUTES = (Private, ); }; };
 E71F3E3116EA69A900FAF9B4 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */; };
 E71F3E3E16EA69CF00FAF9B4 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */; };
 E71F3E4016EA6A1800FAF9B4 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */; };
 E71F3E4116EA6A5100FAF9B4 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */; };
 E71F3E4216EA6A6300FAF9B4 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */; };
- E72783FB159BDFE900028D6C /* Apple TEST RootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E72783F6159BDFBB00028D6C /* Apple TEST RootCertificate.crt */; };
- E72783FC159BDFE900028D6C /* Apple Worldwide Developer Relations Certification Authority Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E72783F7159BDFBC00028D6C /* Apple Worldwide Developer Relations Certification Authority Cert.crt */; };
- E72783FD159BDFE900028D6C /* Apple Worldwide Developer Relations Certification Authority TEST Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E72783F8159BDFBC00028D6C /* Apple Worldwide Developer Relations Certification Authority TEST Cert.crt */; };
- E72783FE159BDFE900028D6C /*
AppleRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E72783F9159BDFBC00028D6C /* AppleRootCertificate.crt */; };
- E7278401159BE01A00028D6C /* Apple TEST RootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E72783F6159BDFBB00028D6C /* Apple TEST RootCertificate.crt */; };
- E7278402159BE02300028D6C /* Apple Worldwide Developer Relations Certification Authority Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E72783F7159BDFBC00028D6C /* Apple Worldwide Developer Relations Certification Authority Cert.crt */; };
- E7278403159BE03300028D6C /* AppleRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E72783F9159BDFBC00028D6C /* AppleRootCertificate.crt */; };
- E7278404159BE03600028D6C /* Apple Worldwide Developer Relations Certification Authority TEST Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E72783F8159BDFBC00028D6C /* Apple Worldwide Developer Relations Certification Authority TEST Cert.crt */; };
+ E722E9121CE92DFC005AD94B /* CKDKVSStore.m in Sources */ = {isa = PBXBuildFile; fileRef = E722E9111CE92DFC005AD94B /* CKDKVSStore.m */; };
 E72D462B175FBF3E00F70B9B /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; };
- E73000EA13D90A5A00B0DA1B /* Invalid-asset_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000DD13D90A1F00B0DA1B /* Invalid-asset_signing.crt */; };
- E73000EC13D90A5A00B0DA1B /* task_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000DF13D90A1F00B0DA1B /* task_signing.crt */; };
- E73000EF13D90A7E00B0DA1B /* Invalid-asset_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000DD13D90A1F00B0DA1B /* Invalid-asset_signing.crt */; };
- E73000F113D90A7E00B0DA1B /* task_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000DF13D90A1F00B0DA1B /* task_signing.crt */; };
- E730010213D90CF200B0DA1B /* AppleRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile;
fileRef = E73000F513D90CD900B0DA1B /* AppleRootCertificate.crt */; };
- E730010313D90CF200B0DA1B /* asset_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F613D90CD900B0DA1B /* asset_signing.crt */; };
- E730010413D90CF200B0DA1B /* Invalid-task_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F713D90CD900B0DA1B /* Invalid-task_signing.crt */; };
- E730010513D90CF200B0DA1B /* iPhoneCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F813D90CD900B0DA1B /* iPhoneCACert.crt */; };
- E730010713D90D0700B0DA1B /* AppleRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F513D90CD900B0DA1B /* AppleRootCertificate.crt */; };
- E730010813D90D0700B0DA1B /* asset_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F613D90CD900B0DA1B /* asset_signing.crt */; };
- E730010913D90D0700B0DA1B /* Invalid-task_signing.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F713D90CD900B0DA1B /* Invalid-task_signing.crt */; };
- E730010A13D90D0700B0DA1B /* iPhoneCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F813D90CD900B0DA1B /* iPhoneCACert.crt */; };
- E730010B13D90DB900B0DA1B /* AppleRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F513D90CD900B0DA1B /* AppleRootCertificate.crt */; };
- E730010C13D90DB900B0DA1B /* iPhoneCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F813D90CD900B0DA1B /* iPhoneCACert.crt */; };
- E730010D13D90DBF00B0DA1B /* AppleRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F513D90CD900B0DA1B /* AppleRootCertificate.crt */; };
- E730010E13D90DBF00B0DA1B /* iPhoneCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = E73000F813D90CD900B0DA1B /* iPhoneCACert.crt */; };
 E73289281AED735A008CE839 /* SOSCloudCircle.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = E7450BAC16D42B17009C07B8 /* SOSCloudCircle.h */; };
 E73289291AED7360008CE839 /* SOSPeerInfo.h in Copy
SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = E7450BAD16D42B17009C07B8 /* SOSPeerInfo.h */; };
 E732892B1AED7551008CE839 /* SOSCloudCircle.h in Headers */ = {isa = PBXBuildFile; fileRef = E732892A1AED7551008CE839 /* SOSCloudCircle.h */; settings = {ATTRIBUTES = (Private, ); }; };
 E732892D1AED764A008CE839 /* SOSPeerInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = E732892C1AED7631008CE839 /* SOSPeerInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ E745836E1BF3CA13001B54A4 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; };
 E75112EB166EFBF0008C578B /* PeerListCell.m in Sources */ = {isa = PBXBuildFile; fileRef = E75112EA166EFBF0008C578B /* PeerListCell.m */; };
 E75112FA166F020E008C578B /* PeerListCell.m in Sources */ = {isa = PBXBuildFile; fileRef = E75112EA166EFBF0008C578B /* PeerListCell.m */; };
+ E7531F7B1D0887E300DAB140 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C2FEC5115755D710008BE39 /* libutilities.a */; };
+ E75C0E821C6FC31D00E6953B /* KCSRPContext.h in Headers */ = {isa = PBXBuildFile; fileRef = E75C0E801C6FC31D00E6953B /* KCSRPContext.h */; settings = {ATTRIBUTES = (Public, ); }; };
+ E75C0E831C6FC31D00E6953B /* KCSRPContext.m in Sources */ = {isa = PBXBuildFile; fileRef = E75C0E811C6FC31D00E6953B /* KCSRPContext.m */; };
+ E75C0E851C71329900E6953B /* KeychainCircle.h in Headers */ = {isa = PBXBuildFile; fileRef = E75C0E841C71325000E6953B /* KeychainCircle.h */; settings = {ATTRIBUTES = (Public, ); }; };
+ E75C27721C98D41400F7E12A /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786AD0B03E05E00BB77D4 /* libDER.a */; };
+ E75C27731C98D41C00F7E12A /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 795CA9860D38269B00BAE6A2 /* libASN1.a */; };
+ E75C27741C98D42A00F7E12A /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786AD0B03E05E00BB77D4 /* libDER.a */; };
+ E75C27751C98D43700F7E12A /*
libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 795CA9860D38269B00BAE6A2 /* libASN1.a */; };
 E76079DC1951FDBF00F69731 /* liblogging.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E76079DB1951FDBF00F69731 /* liblogging.a */; };
+ E7650E6F1C7699DA00378669 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; };
 E7676DB619411DF300498DD4 /* SecServerEncryptionSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = E7676DB519411DF300498DD4 /* SecServerEncryptionSupport.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ E772FD471CC15EFA00D63E41 /* NSData+SecRandom.m in Sources */ = {isa = PBXBuildFile; fileRef = E772FD461CC15EFA00D63E41 /* NSData+SecRandom.m */; };
+ E772FD701CC15F1F00D63E41 /* NSData+SecRandom.h in Headers */ = {isa = PBXBuildFile; fileRef = E772FD6F1CC15F1F00D63E41 /* NSData+SecRandom.h */; };
+ E78A9ADA1D34959200006B5B /* NSFileHandle+Formatting.m in Sources */ = {isa = PBXBuildFile; fileRef = E78A9AD91D34959200006B5B /* NSFileHandle+Formatting.m */; };
+ E794BA6F1C7424D800339A0F /* KCDer.m in Sources */ = {isa = PBXBuildFile; fileRef = E794BA6E1C7424D800339A0F /* KCDer.m */; };
+ E794BB001C7598F900339A0F /* KCJoiningMessages.m in Sources */ = {isa = PBXBuildFile; fileRef = E794BAFF1C7598F900339A0F /* KCJoiningMessages.m */; };
+ E794BB011C759B1200339A0F /* KCJoiningMessages.h in Headers */ = {isa = PBXBuildFile; fileRef = E794BAD91C7598E400339A0F /* KCJoiningMessages.h */; settings = {ATTRIBUTES = (Private, ); }; };
 E7A011AE14E1B78800765C29 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; };
 E7A011AF14E1B78C00765C29 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; };
- E7A94B2F13D89F25001C5FEE /* AllCertificatesNoPoliciesTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BB13D51D63008048AC /*
AllCertificatesNoPoliciesTest2EE.crt */; };
- E7A94B3013D89F25001C5FEE /* AllCertificatesSamePoliciesTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BC13D51D63008048AC /* AllCertificatesSamePoliciesTest10EE.crt */; };
- E7A94B3113D89F25001C5FEE /* AllCertificatesSamePoliciesTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BD13D51D63008048AC /* AllCertificatesSamePoliciesTest13EE.crt */; };
- E7A94B3213D89F25001C5FEE /* AllCertificatesanyPolicyTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BE13D51D63008048AC /* AllCertificatesanyPolicyTest11EE.crt */; };
- E7A94B3313D89F25001C5FEE /* AnyPolicyTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BF13D51D63008048AC /* AnyPolicyTest14EE.crt */; };
- E7A94B3413D89F25001C5FEE /* BadCRLIssuerNameCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C013D51D63008048AC /* BadCRLIssuerNameCACert.crt */; };
- E7A94B3513D89F25001C5FEE /* BadCRLSignatureCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C113D51D63008048AC /* BadCRLSignatureCACert.crt */; };
- E7A94B3613D89F25001C5FEE /* BadSignedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C213D51D63008048AC /* BadSignedCACert.crt */; };
- E7A94B3713D89F25001C5FEE /* BadnotAfterDateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C313D51D63008048AC /* BadnotAfterDateCACert.crt */; };
- E7A94B3813D89F25001C5FEE /* BadnotBeforeDateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C413D51D63008048AC /* BadnotBeforeDateCACert.crt */; };
- E7A94B3913D89F25001C5FEE /* BasicSelfIssuedCRLSigningKeyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C513D51D63008048AC /* BasicSelfIssuedCRLSigningKeyCACert.crt */; };
- E7A94B3A13D89F25001C5FEE /* BasicSelfIssuedNewKeyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C613D51D63008048AC /* BasicSelfIssuedNewKeyCACert.crt */; };
- E7A94B3B13D89F25001C5FEE /*
BasicSelfIssuedNewKeyOldWithNewCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C713D51D63008048AC /* BasicSelfIssuedNewKeyOldWithNewCACert.crt */; };
- E7A94B3C13D89F25001C5FEE /* BasicSelfIssuedOldKeyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C813D51D63008048AC /* BasicSelfIssuedOldKeyCACert.crt */; };
- E7A94B3D13D89F25001C5FEE /* BasicSelfIssuedOldKeyNewWithOldCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C913D51D63008048AC /* BasicSelfIssuedOldKeyNewWithOldCACert.crt */; };
- E7A94B3E13D89F25001C5FEE /* CPSPointerQualifierTest20EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CA13D51D63008048AC /* CPSPointerQualifierTest20EE.crt */; };
- E7A94B3F13D89F25001C5FEE /* DSACACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CB13D51D63008048AC /* DSACACert.crt */; };
- E7A94B4013D89F25001C5FEE /* DSAParametersInheritedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CC13D51D63008048AC /* DSAParametersInheritedCACert.crt */; };
- E7A94B4113D89F25001C5FEE /* DifferentPoliciesTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CD13D51D63008048AC /* DifferentPoliciesTest12EE.crt */; };
- E7A94B4213D89F25001C5FEE /* DifferentPoliciesTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CE13D51D63008048AC /* DifferentPoliciesTest3EE.crt */; };
- E7A94B4313D89F25001C5FEE /* DifferentPoliciesTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CF13D51D63008048AC /* DifferentPoliciesTest4EE.crt */; };
- E7A94B4413D89F25001C5FEE /* DifferentPoliciesTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D013D51D63008048AC /* DifferentPoliciesTest5EE.crt */; };
- E7A94B4513D89F25001C5FEE /* DifferentPoliciesTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D113D51D63008048AC /* DifferentPoliciesTest7EE.crt */; };
- E7A94B4613D89F25001C5FEE /* DifferentPoliciesTest8EE.crt in CopyFiles */ = {isa =
PBXBuildFile; fileRef = 4C7540D213D51D63008048AC /* DifferentPoliciesTest8EE.crt */; };
- E7A94B4713D89F25001C5FEE /* DifferentPoliciesTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D313D51D63008048AC /* DifferentPoliciesTest9EE.crt */; };
- E7A94B4813D89F25001C5FEE /* GeneralizedTimeCRLnextUpdateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D413D51D63008048AC /* GeneralizedTimeCRLnextUpdateCACert.crt */; };
- E7A94B4913D89F25001C5FEE /* GoodCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D513D51D63008048AC /* GoodCACert.crt */; };
- E7A94B4A13D89F25001C5FEE /* GoodsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D613D51D63008048AC /* GoodsubCACert.crt */; };
- E7A94B4B13D89F26001C5FEE /* GoodsubCAPanyPolicyMapping1to2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D713D51D63008048AC /* GoodsubCAPanyPolicyMapping1to2CACert.crt */; };
- E7A94B4C13D89F26001C5FEE /* InvalidBasicSelfIssuedNewWithOldTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D813D51D63008048AC /* InvalidBasicSelfIssuedNewWithOldTest5EE.crt */; };
- E7A94B4D13D89F26001C5FEE /* InvalidBasicSelfIssuedOldWithNewTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D913D51D63008048AC /* InvalidBasicSelfIssuedOldWithNewTest2EE.crt */; };
- E7A94B4E13D89F26001C5FEE /* InvalidCASignatureTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DA13D51D63008048AC /* InvalidCASignatureTest2EE.crt */; };
- E7A94B4F13D89F26001C5FEE /* InvalidCAnotAfterDateTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DB13D51D63008048AC /* InvalidCAnotAfterDateTest5EE.crt */; };
- E7A94B5013D89F26001C5FEE /* InvalidCAnotBeforeDateTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DC13D51D63008048AC /* InvalidCAnotBeforeDateTest1EE.crt */; };
- E7A94B5113D89F26001C5FEE /* InvalidDNSnameConstraintsTest31EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef =
4C7540DD13D51D63008048AC /* InvalidDNSnameConstraintsTest31EE.crt */; };
- E7A94B5213D89F26001C5FEE /* InvalidDNSnameConstraintsTest33EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DE13D51D63008048AC /* InvalidDNSnameConstraintsTest33EE.crt */; };
- E7A94B5313D89F26001C5FEE /* InvalidDNSnameConstraintsTest38EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DF13D51D63008048AC /* InvalidDNSnameConstraintsTest38EE.crt */; };
- E7A94B5413D89F26001C5FEE /* InvalidDNandRFC822nameConstraintsTest28EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E013D51D63008048AC /* InvalidDNandRFC822nameConstraintsTest28EE.crt */; };
- E7A94B5513D89F26001C5FEE /* InvalidDNandRFC822nameConstraintsTest29EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E113D51D63008048AC /* InvalidDNandRFC822nameConstraintsTest29EE.crt */; };
- E7A94B5613D89F26001C5FEE /* InvalidDNnameConstraintsTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E213D51D63008048AC /* InvalidDNnameConstraintsTest10EE.crt */; };
- E7A94B5713D89F26001C5FEE /* InvalidDNnameConstraintsTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E313D51D63008048AC /* InvalidDNnameConstraintsTest12EE.crt */; };
- E7A94B5813D89F26001C5FEE /* InvalidDNnameConstraintsTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E413D51D63008048AC /* InvalidDNnameConstraintsTest13EE.crt */; };
- E7A94B5913D89F26001C5FEE /* InvalidDNnameConstraintsTest15EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E513D51D63008048AC /* InvalidDNnameConstraintsTest15EE.crt */; };
- E7A94B5A13D89F26001C5FEE /* InvalidDNnameConstraintsTest16EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E613D51D63008048AC /* InvalidDNnameConstraintsTest16EE.crt */; };
- E7A94B5B13D89F26001C5FEE /* InvalidDNnameConstraintsTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E713D51D63008048AC /* InvalidDNnameConstraintsTest17EE.crt */; };
-
E7A94B5C13D89F26001C5FEE /* InvalidDNnameConstraintsTest20EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E813D51D63008048AC /* InvalidDNnameConstraintsTest20EE.crt */; };
- E7A94B5D13D89F26001C5FEE /* InvalidDNnameConstraintsTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E913D51D63008048AC /* InvalidDNnameConstraintsTest2EE.crt */; };
- E7A94B5E13D89F26001C5FEE /* InvalidDNnameConstraintsTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540EA13D51D63008048AC /* InvalidDNnameConstraintsTest3EE.crt */; };
- E7A94B5F13D89F26001C5FEE /* InvalidDNnameConstraintsTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540EB13D51D63008048AC /* InvalidDNnameConstraintsTest7EE.crt */; };
- E7A94B6013D89F26001C5FEE /* InvalidDNnameConstraintsTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540EC13D51D63008048AC /* InvalidDNnameConstraintsTest8EE.crt */; };
- E7A94B6113D89F26001C5FEE /* InvalidDNnameConstraintsTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540ED13D51D63008048AC /* InvalidDNnameConstraintsTest9EE.crt */; };
- E7A94B6213D89F26001C5FEE /* InvalidDSASignatureTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540EE13D51D63008048AC /* InvalidDSASignatureTest6EE.crt */; };
- E7A94B6313D89F26001C5FEE /* InvalidEESignatureTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540EF13D51D63008048AC /* InvalidEESignatureTest3EE.crt */; };
- E7A94B6413D89F26001C5FEE /* InvalidEEnotAfterDateTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F013D51D63008048AC /* InvalidEEnotAfterDateTest6EE.crt */; };
- E7A94B6513D89F26001C5FEE /* InvalidEEnotBeforeDateTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F113D51D63008048AC /* InvalidEEnotBeforeDateTest2EE.crt */; };
- E7A94B6613D89F26001C5FEE /* InvalidLongSerialNumberTest18EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F213D51D63008048AC /*
InvalidLongSerialNumberTest18EE.crt */; };
- E7A94B6713D89F26001C5FEE /* InvalidMappingFromanyPolicyTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F313D51D63008048AC /* InvalidMappingFromanyPolicyTest7EE.crt */; };
- E7A94B6813D89F26001C5FEE /* InvalidMappingToanyPolicyTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F413D51D63008048AC /* InvalidMappingToanyPolicyTest8EE.crt */; };
- E7A94B6913D89F26001C5FEE /* InvalidMissingbasicConstraintsTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F513D51D63008048AC /* InvalidMissingbasicConstraintsTest1EE.crt */; };
- E7A94B6A13D89F26001C5FEE /* InvalidNameChainingOrderTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F613D51D63008048AC /* InvalidNameChainingOrderTest2EE.crt */; };
- E7A94B6B13D89F26001C5FEE /* InvalidNameChainingTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F713D51D63008048AC /* InvalidNameChainingTest1EE.crt */; };
- E7A94B6C13D89F26001C5FEE /* InvalidNegativeSerialNumberTest15EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F813D51D63008048AC /* InvalidNegativeSerialNumberTest15EE.crt */; };
- E7A94B6D13D89F26001C5FEE /* InvalidPolicyMappingTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F913D51D63008048AC /* InvalidPolicyMappingTest10EE.crt */; };
- E7A94B6E13D89F26001C5FEE /* InvalidPolicyMappingTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FA13D51D63008048AC /* InvalidPolicyMappingTest2EE.crt */; };
- E7A94B6F13D89F26001C5FEE /* InvalidPolicyMappingTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FB13D51D63008048AC /* InvalidPolicyMappingTest4EE.crt */; };
- E7A94B7013D89F26001C5FEE /* InvalidRFC822nameConstraintsTest22EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FC13D51D63008048AC /* InvalidRFC822nameConstraintsTest22EE.crt */; };
- E7A94B7113D89F26001C5FEE /* InvalidRFC822nameConstraintsTest24EE.crt in CopyFiles */ =
{isa = PBXBuildFile; fileRef = 4C7540FD13D51D63008048AC /* InvalidRFC822nameConstraintsTest24EE.crt */; }; - E7A94B7213D89F26001C5FEE /* InvalidRFC822nameConstraintsTest26EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FE13D51D63008048AC /* InvalidRFC822nameConstraintsTest26EE.crt */; }; - E7A94B7313D89F26001C5FEE /* InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FF13D51D63008048AC /* InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt */; }; - E7A94B7413D89F26001C5FEE /* InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410013D51D63008048AC /* InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt */; }; - E7A94B7513D89F26001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410113D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt */; }; - E7A94B7613D89F26001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410213D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt */; }; - E7A94B7713D89F26001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410313D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt */; }; - E7A94B7813D89F26001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410413D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt */; }; - E7A94B7913D89F26001C5FEE /* InvalidSelfIssuedpathLenConstraintTest16EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410513D51D63008048AC /* InvalidSelfIssuedpathLenConstraintTest16EE.crt */; }; - E7A94B7A13D89F26001C5FEE /* InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410613D51D63008048AC /* InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt */; }; - 
E7A94B7B13D89F26001C5FEE /* InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410713D51D63008048AC /* InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt */; }; - E7A94B7C13D89F26001C5FEE /* InvalidURInameConstraintsTest35EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410813D51D63008048AC /* InvalidURInameConstraintsTest35EE.crt */; }; - E7A94B7D13D89F26001C5FEE /* InvalidURInameConstraintsTest37EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410913D51D63008048AC /* InvalidURInameConstraintsTest37EE.crt */; }; - E7A94B7E13D89F26001C5FEE /* InvalidUnknownCriticalCertificateExtensionTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410A13D51D63008048AC /* InvalidUnknownCriticalCertificateExtensionTest2EE.crt */; }; - E7A94B7F13D89F26001C5FEE /* InvalidcAFalseTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410B13D51D63008048AC /* InvalidcAFalseTest2EE.crt */; }; - E7A94B8013D89F26001C5FEE /* InvalidcAFalseTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410C13D51D63008048AC /* InvalidcAFalseTest3EE.crt */; }; - E7A94B8113D89F26001C5FEE /* InvalidcRLIssuerTest27EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410D13D51D63008048AC /* InvalidcRLIssuerTest27EE.crt */; }; - E7A94B8213D89F26001C5FEE /* InvalidcRLIssuerTest31EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410E13D51D63008048AC /* InvalidcRLIssuerTest31EE.crt */; }; - E7A94B8313D89F26001C5FEE /* InvalidcRLIssuerTest32EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410F13D51D63008048AC /* InvalidcRLIssuerTest32EE.crt */; }; - E7A94B8413D89F26001C5FEE /* InvalidcRLIssuerTest34EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411013D51D63008048AC /* InvalidcRLIssuerTest34EE.crt */; }; - E7A94B8513D89F26001C5FEE /* InvalidcRLIssuerTest35EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411113D51D63008048AC /* InvalidcRLIssuerTest35EE.crt 
*/; }; - E7A94B8613D89F26001C5FEE /* InvalidinhibitAnyPolicyTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411213D51D63008048AC /* InvalidinhibitAnyPolicyTest1EE.crt */; }; - E7A94B8713D89F26001C5FEE /* InvalidinhibitAnyPolicyTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411313D51D63008048AC /* InvalidinhibitAnyPolicyTest4EE.crt */; }; - E7A94B8813D89F26001C5FEE /* InvalidinhibitAnyPolicyTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411413D51D63008048AC /* InvalidinhibitAnyPolicyTest5EE.crt */; }; - E7A94B8913D89F26001C5FEE /* InvalidinhibitAnyPolicyTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411513D51D63008048AC /* InvalidinhibitAnyPolicyTest6EE.crt */; }; - E7A94B8A13D89F26001C5FEE /* InvalidinhibitPolicyMappingTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411613D51D63008048AC /* InvalidinhibitPolicyMappingTest1EE.crt */; }; - E7A94B8B13D89F26001C5FEE /* InvalidinhibitPolicyMappingTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411713D51D63008048AC /* InvalidinhibitPolicyMappingTest3EE.crt */; }; - E7A94B8C13D89F26001C5FEE /* InvalidinhibitPolicyMappingTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411813D51D63008048AC /* InvalidinhibitPolicyMappingTest5EE.crt */; }; - E7A94B8D13D89F26001C5FEE /* InvalidinhibitPolicyMappingTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411913D51D63008048AC /* InvalidinhibitPolicyMappingTest6EE.crt */; }; - E7A94B8E13D89F26001C5FEE /* InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411A13D51D63008048AC /* InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt */; }; - E7A94B8F13D89F26001C5FEE /* InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411B13D51D63008048AC /* InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt */; }; - E7A94B9013D89F26001C5FEE /* 
InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411C13D51D63008048AC /* InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt */; }; - E7A94B9113D89F26001C5FEE /* InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411D13D51D63008048AC /* InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt */; }; - E7A94B9213D89F26001C5FEE /* InvalidonlyContainsAttributeCertsTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411E13D51D63008048AC /* InvalidonlyContainsAttributeCertsTest14EE.crt */; }; - E7A94B9313D89F26001C5FEE /* InvalidonlyContainsCACertsTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411F13D51D63008048AC /* InvalidonlyContainsCACertsTest12EE.crt */; }; - E7A94B9413D89F26001C5FEE /* InvalidonlyContainsUserCertsTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412013D51D63008048AC /* InvalidonlyContainsUserCertsTest11EE.crt */; }; - E7A94B9513D89F26001C5FEE /* InvalidonlySomeReasonsTest15EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412113D51D63008048AC /* InvalidonlySomeReasonsTest15EE.crt */; }; - E7A94B9613D89F26001C5FEE /* InvalidonlySomeReasonsTest16EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412213D51D63008048AC /* InvalidonlySomeReasonsTest16EE.crt */; }; - E7A94B9713D89F26001C5FEE /* InvalidonlySomeReasonsTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412313D51D63008048AC /* InvalidonlySomeReasonsTest17EE.crt */; }; - E7A94B9813D89F26001C5FEE /* InvalidonlySomeReasonsTest20EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412413D51D63008048AC /* InvalidonlySomeReasonsTest20EE.crt */; }; - E7A94B9913D89F26001C5FEE /* InvalidonlySomeReasonsTest21EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412513D51D63008048AC /* InvalidonlySomeReasonsTest21EE.crt */; }; - E7A94B9A13D89F26001C5FEE /* InvalidpathLenConstraintTest10EE.crt in CopyFiles 
*/ = {isa = PBXBuildFile; fileRef = 4C75412613D51D63008048AC /* InvalidpathLenConstraintTest10EE.crt */; }; - E7A94B9B13D89F26001C5FEE /* InvalidpathLenConstraintTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412713D51D63008048AC /* InvalidpathLenConstraintTest11EE.crt */; }; - E7A94B9C13D89F26001C5FEE /* InvalidpathLenConstraintTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412813D51D63008048AC /* InvalidpathLenConstraintTest12EE.crt */; }; - E7A94B9D13D89F26001C5FEE /* InvalidpathLenConstraintTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412913D51D63008048AC /* InvalidpathLenConstraintTest5EE.crt */; }; - E7A94B9E13D89F26001C5FEE /* InvalidpathLenConstraintTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412A13D51D63008048AC /* InvalidpathLenConstraintTest6EE.crt */; }; - E7A94B9F13D89F26001C5FEE /* InvalidpathLenConstraintTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412B13D51D63008048AC /* InvalidpathLenConstraintTest9EE.crt */; }; - E7A94BA013D89F26001C5FEE /* Invalidpre2000UTCEEnotAfterDateTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412C13D51D63008048AC /* Invalidpre2000UTCEEnotAfterDateTest7EE.crt */; }; - E7A94BA113D89F26001C5FEE /* InvalidrequireExplicitPolicyTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412D13D51D63008048AC /* InvalidrequireExplicitPolicyTest3EE.crt */; }; - E7A94BA213D89F26001C5FEE /* InvalidrequireExplicitPolicyTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412E13D51D63008048AC /* InvalidrequireExplicitPolicyTest5EE.crt */; }; - E7A94BA313D89F26001C5FEE /* LongSerialNumberCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412F13D51D63008048AC /* LongSerialNumberCACert.crt */; }; - E7A94BA413D89F26001C5FEE /* Mapping1to2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413013D51D63008048AC /* Mapping1to2CACert.crt */; }; - E7A94BA513D89F26001C5FEE /* 
MappingFromanyPolicyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413113D51D63008048AC /* MappingFromanyPolicyCACert.crt */; }; - E7A94BA613D89F26001C5FEE /* MappingToanyPolicyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413213D51D63008048AC /* MappingToanyPolicyCACert.crt */; }; - E7A94BA713D89F26001C5FEE /* MissingbasicConstraintsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413313D51D63008048AC /* MissingbasicConstraintsCACert.crt */; }; - E7A94BA813D89F26001C5FEE /* NameOrderingCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413413D51D63008048AC /* NameOrderingCACert.crt */; }; - E7A94BA913D89F26001C5FEE /* NegativeSerialNumberCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413513D51D63008048AC /* NegativeSerialNumberCACert.crt */; }; - E7A94BAA13D89F26001C5FEE /* NoCRLCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413613D51D63008048AC /* NoCRLCACert.crt */; }; - E7A94BAB13D89F26001C5FEE /* NoPoliciesCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413713D51D63008048AC /* NoPoliciesCACert.crt */; }; - E7A94BAC13D89F26001C5FEE /* NoissuingDistributionPointCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413813D51D63008048AC /* NoissuingDistributionPointCACert.crt */; }; - E7A94BAD13D89F26001C5FEE /* OldCRLnextUpdateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413913D51D63008048AC /* OldCRLnextUpdateCACert.crt */; }; - E7A94BAE13D89F26001C5FEE /* OverlappingPoliciesTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413A13D51D63008048AC /* OverlappingPoliciesTest6EE.crt */; }; - E7A94BAF13D89F26001C5FEE /* P12Mapping1to3CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413B13D51D63008048AC /* P12Mapping1to3CACert.crt */; }; - E7A94BB013D89F26001C5FEE /* P12Mapping1to3subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413C13D51D63008048AC /* P12Mapping1to3subCACert.crt 
*/; }; - E7A94BB113D89F26001C5FEE /* P12Mapping1to3subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413D13D51D63008048AC /* P12Mapping1to3subsubCACert.crt */; }; - E7A94BB213D89F26001C5FEE /* P1Mapping1to234CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413E13D51D63008048AC /* P1Mapping1to234CACert.crt */; }; - E7A94BB313D89F26001C5FEE /* P1Mapping1to234subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413F13D51D63008048AC /* P1Mapping1to234subCACert.crt */; }; - E7A94BB413D89F26001C5FEE /* P1anyPolicyMapping1to2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414013D51D63008048AC /* P1anyPolicyMapping1to2CACert.crt */; }; - E7A94BB513D89F26001C5FEE /* PanyPolicyMapping1to2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414113D51D63008048AC /* PanyPolicyMapping1to2CACert.crt */; }; - E7A94BB613D89F26001C5FEE /* PoliciesP1234CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414213D51D63008048AC /* PoliciesP1234CACert.crt */; }; - E7A94BB713D89F26001C5FEE /* PoliciesP1234subCAP123Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414313D51D63008048AC /* PoliciesP1234subCAP123Cert.crt */; }; - E7A94BB813D89F26001C5FEE /* PoliciesP1234subsubCAP123P12Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414413D51D63008048AC /* PoliciesP1234subsubCAP123P12Cert.crt */; }; - E7A94BB913D89F26001C5FEE /* PoliciesP123CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414513D51D63008048AC /* PoliciesP123CACert.crt */; }; - E7A94BBA13D89F26001C5FEE /* PoliciesP123subCAP12Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414613D51D63008048AC /* PoliciesP123subCAP12Cert.crt */; }; - E7A94BBB13D89F26001C5FEE /* PoliciesP123subsubCAP12P1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414713D51D63008048AC /* PoliciesP123subsubCAP12P1Cert.crt */; }; - E7A94BBC13D89F26001C5FEE /* PoliciesP123subsubCAP12P2Cert.crt in CopyFiles */ 
= {isa = PBXBuildFile; fileRef = 4C75414813D51D63008048AC /* PoliciesP123subsubCAP12P2Cert.crt */; }; - E7A94BBD13D89F26001C5FEE /* PoliciesP123subsubsubCAP12P2P1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414913D51D63008048AC /* PoliciesP123subsubsubCAP12P2P1Cert.crt */; }; - E7A94BBE13D89F26001C5FEE /* PoliciesP12CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414A13D51D63008048AC /* PoliciesP12CACert.crt */; }; - E7A94BBF13D89F26001C5FEE /* PoliciesP12subCAP1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414B13D51D63008048AC /* PoliciesP12subCAP1Cert.crt */; }; - E7A94BC013D89F26001C5FEE /* PoliciesP12subsubCAP1P2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414C13D51D63008048AC /* PoliciesP12subsubCAP1P2Cert.crt */; }; - E7A94BC113D89F26001C5FEE /* PoliciesP2subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414D13D51D63008048AC /* PoliciesP2subCA2Cert.crt */; }; - E7A94BC213D89F26001C5FEE /* PoliciesP2subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414E13D51D63008048AC /* PoliciesP2subCACert.crt */; }; - E7A94BC313D89F26001C5FEE /* PoliciesP3CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414F13D51D63008048AC /* PoliciesP3CACert.crt */; }; - E7A94BC413D89F26001C5FEE /* RFC3280MandatoryAttributeTypesCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415013D51D63008048AC /* RFC3280MandatoryAttributeTypesCACert.crt */; }; - E7A94BC513D89F26001C5FEE /* RFC3280OptionalAttributeTypesCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415113D51D63008048AC /* RFC3280OptionalAttributeTypesCACert.crt */; }; - E7A94BC613D89F26001C5FEE /* RevokedsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415213D51D63008048AC /* RevokedsubCACert.crt */; }; - E7A94BC713D89F26001C5FEE /* RolloverfromPrintableStringtoUTF8StringCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415313D51D63008048AC /* 
RolloverfromPrintableStringtoUTF8StringCACert.crt */; }; - E7A94BC813D89F26001C5FEE /* SeparateCertificateandCRLKeysCA2CRLSigningCert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415413D51D63008048AC /* SeparateCertificateandCRLKeysCA2CRLSigningCert.crt */; }; - E7A94BC913D89F26001C5FEE /* SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415513D51D63008048AC /* SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt */; }; - E7A94BCA13D89F26001C5FEE /* SeparateCertificateandCRLKeysCertificateSigningCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415613D51D63008048AC /* SeparateCertificateandCRLKeysCertificateSigningCACert.crt */; }; - E7A94BCB13D89F26001C5FEE /* TrustAnchorRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415713D51D63008048AC /* TrustAnchorRootCertificate.crt */; }; - E7A94BCC13D89F26001C5FEE /* TwoCRLsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415813D51D63008048AC /* TwoCRLsCACert.crt */; }; - E7A94BCD13D89F26001C5FEE /* UIDCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415913D51D63008048AC /* UIDCACert.crt */; }; - E7A94BCE13D89F26001C5FEE /* UTF8StringCaseInsensitiveMatchCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415A13D51D63008048AC /* UTF8StringCaseInsensitiveMatchCACert.crt */; }; - E7A94BCF13D89F26001C5FEE /* UTF8StringEncodedNamesCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415B13D51D63008048AC /* UTF8StringEncodedNamesCACert.crt */; }; - E7A94BD013D89F26001C5FEE /* UnknownCRLEntryExtensionCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415C13D51D63008048AC /* UnknownCRLEntryExtensionCACert.crt */; }; - E7A94BD113D89F26001C5FEE /* UnknownCRLExtensionCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415D13D51D63008048AC /* UnknownCRLExtensionCACert.crt */; }; - E7A94BD213D89F26001C5FEE /* 
UserNoticeQualifierTest15EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415E13D51D63008048AC /* UserNoticeQualifierTest15EE.crt */; }; - E7A94BD313D89F26001C5FEE /* UserNoticeQualifierTest16EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415F13D51D63008048AC /* UserNoticeQualifierTest16EE.crt */; }; - E7A94BD413D89F26001C5FEE /* UserNoticeQualifierTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416013D51D63008048AC /* UserNoticeQualifierTest17EE.crt */; }; - E7A94BD513D89F26001C5FEE /* UserNoticeQualifierTest18EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416113D51D63008048AC /* UserNoticeQualifierTest18EE.crt */; }; - E7A94BD613D89F26001C5FEE /* UserNoticeQualifierTest19EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416213D51D63008048AC /* UserNoticeQualifierTest19EE.crt */; }; - E7A94BD713D89F26001C5FEE /* ValidBasicSelfIssuedNewWithOldTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416313D51D63008048AC /* ValidBasicSelfIssuedNewWithOldTest3EE.crt */; }; - E7A94BD813D89F26001C5FEE /* ValidBasicSelfIssuedNewWithOldTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416413D51D63008048AC /* ValidBasicSelfIssuedNewWithOldTest4EE.crt */; }; - E7A94BD913D89F26001C5FEE /* ValidBasicSelfIssuedOldWithNewTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416513D51D63008048AC /* ValidBasicSelfIssuedOldWithNewTest1EE.crt */; }; - E7A94BDA13D89F26001C5FEE /* ValidCertificatePathTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416613D51D63008048AC /* ValidCertificatePathTest1EE.crt */; }; - E7A94BDB13D89F26001C5FEE /* ValidDNSnameConstraintsTest30EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416713D51D63008048AC /* ValidDNSnameConstraintsTest30EE.crt */; }; - E7A94BDC13D89F26001C5FEE /* ValidDNSnameConstraintsTest32EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416813D51D63008048AC /* ValidDNSnameConstraintsTest32EE.crt 
*/; }; - E7A94BDD13D89F26001C5FEE /* ValidDNandRFC822nameConstraintsTest27EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416913D51D63008048AC /* ValidDNandRFC822nameConstraintsTest27EE.crt */; }; - E7A94BDE13D89F26001C5FEE /* ValidDNnameConstraintsTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416A13D51D63008048AC /* ValidDNnameConstraintsTest11EE.crt */; }; - E7A94BDF13D89F26001C5FEE /* ValidDNnameConstraintsTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416B13D51D63008048AC /* ValidDNnameConstraintsTest14EE.crt */; }; - E7A94BE013D89F26001C5FEE /* ValidDNnameConstraintsTest18EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416C13D51D63008048AC /* ValidDNnameConstraintsTest18EE.crt */; }; - E7A94BE113D89F26001C5FEE /* ValidDNnameConstraintsTest19EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416D13D51D63008048AC /* ValidDNnameConstraintsTest19EE.crt */; }; - E7A94BE213D89F26001C5FEE /* ValidDNnameConstraintsTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416E13D51D63008048AC /* ValidDNnameConstraintsTest1EE.crt */; }; - E7A94BE313D89F26001C5FEE /* ValidDNnameConstraintsTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416F13D51D63008048AC /* ValidDNnameConstraintsTest4EE.crt */; }; - E7A94BE413D89F26001C5FEE /* ValidDNnameConstraintsTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417013D51D63008048AC /* ValidDNnameConstraintsTest5EE.crt */; }; - E7A94BE513D89F26001C5FEE /* ValidDNnameConstraintsTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417113D51D63008048AC /* ValidDNnameConstraintsTest6EE.crt */; }; - E7A94BE613D89F26001C5FEE /* ValidDSAParameterInheritanceTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417213D51D63008048AC /* ValidDSAParameterInheritanceTest5EE.crt */; }; - E7A94BE713D89F26001C5FEE /* ValidDSASignaturesTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 
4C75417313D51D63008048AC /* ValidDSASignaturesTest4EE.crt */; }; - E7A94BE813D89F26001C5FEE /* ValidGeneralizedTimenotAfterDateTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417413D51D63008048AC /* ValidGeneralizedTimenotAfterDateTest8EE.crt */; }; - E7A94BE913D89F26001C5FEE /* ValidGeneralizedTimenotBeforeDateTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417513D51D63008048AC /* ValidGeneralizedTimenotBeforeDateTest4EE.crt */; }; - E7A94BEA13D89F26001C5FEE /* ValidLongSerialNumberTest16EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417613D51D63008048AC /* ValidLongSerialNumberTest16EE.crt */; }; - E7A94BEB13D89F26001C5FEE /* ValidLongSerialNumberTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417713D51D63008048AC /* ValidLongSerialNumberTest17EE.crt */; }; - E7A94BEC13D89F26001C5FEE /* ValidNameChainingCapitalizationTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417813D51D63008048AC /* ValidNameChainingCapitalizationTest5EE.crt */; }; - E7A94BED13D89F26001C5FEE /* ValidNameChainingWhitespaceTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417913D51D63008048AC /* ValidNameChainingWhitespaceTest3EE.crt */; }; - E7A94BEE13D89F26001C5FEE /* ValidNameChainingWhitespaceTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417A13D51D63008048AC /* ValidNameChainingWhitespaceTest4EE.crt */; }; - E7A94BEF13D89F26001C5FEE /* ValidNameUIDsTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417B13D51D63008048AC /* ValidNameUIDsTest6EE.crt */; }; - E7A94BF013D89F26001C5FEE /* ValidNegativeSerialNumberTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417C13D51D63008048AC /* ValidNegativeSerialNumberTest14EE.crt */; }; - E7A94BF113D89F26001C5FEE /* ValidPolicyMappingTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417D13D51D63008048AC /* ValidPolicyMappingTest11EE.crt */; }; - E7A94BF213D89F26001C5FEE /* 
ValidPolicyMappingTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417E13D51D63008048AC /* ValidPolicyMappingTest12EE.crt */; }; - E7A94BF313D89F26001C5FEE /* ValidPolicyMappingTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417F13D51D63008048AC /* ValidPolicyMappingTest13EE.crt */; }; - E7A94BF413D89F26001C5FEE /* ValidPolicyMappingTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418013D51D63008048AC /* ValidPolicyMappingTest14EE.crt */; }; - E7A94BF513D89F26001C5FEE /* ValidPolicyMappingTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418113D51D63008048AC /* ValidPolicyMappingTest1EE.crt */; }; - E7A94BF613D89F26001C5FEE /* ValidPolicyMappingTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418213D51D63008048AC /* ValidPolicyMappingTest3EE.crt */; }; - E7A94BF713D89F26001C5FEE /* ValidPolicyMappingTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418313D51D63008048AC /* ValidPolicyMappingTest5EE.crt */; }; - E7A94BF813D89F26001C5FEE /* ValidPolicyMappingTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418413D51D63008048AC /* ValidPolicyMappingTest6EE.crt */; }; - E7A94BF913D89F26001C5FEE /* ValidPolicyMappingTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418513D51D63008048AC /* ValidPolicyMappingTest9EE.crt */; }; - E7A94BFA13D89F26001C5FEE /* ValidRFC3280MandatoryAttributeTypesTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418613D51D63008048AC /* ValidRFC3280MandatoryAttributeTypesTest7EE.crt */; }; - E7A94BFB13D89F26001C5FEE /* ValidRFC3280OptionalAttributeTypesTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418713D51D63008048AC /* ValidRFC3280OptionalAttributeTypesTest8EE.crt */; }; - E7A94BFC13D89F26001C5FEE /* ValidRFC822nameConstraintsTest21EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418813D51D63008048AC /* ValidRFC822nameConstraintsTest21EE.crt */; }; - 
E7A94BFD13D89F26001C5FEE /* ValidRFC822nameConstraintsTest23EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418913D51D63008048AC /* ValidRFC822nameConstraintsTest23EE.crt */; }; - E7A94BFE13D89F26001C5FEE /* ValidRFC822nameConstraintsTest25EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418A13D51D63008048AC /* ValidRFC822nameConstraintsTest25EE.crt */; }; - E7A94BFF13D89F26001C5FEE /* ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418B13D51D63008048AC /* ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt */; }; - E7A94C0013D89F26001C5FEE /* ValidSelfIssuedinhibitAnyPolicyTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418C13D51D63008048AC /* ValidSelfIssuedinhibitAnyPolicyTest7EE.crt */; }; - E7A94C0113D89F26001C5FEE /* ValidSelfIssuedinhibitAnyPolicyTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418D13D51D63008048AC /* ValidSelfIssuedinhibitAnyPolicyTest9EE.crt */; }; - E7A94C0213D89F26001C5FEE /* ValidSelfIssuedinhibitPolicyMappingTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418E13D51D63008048AC /* ValidSelfIssuedinhibitPolicyMappingTest7EE.crt */; }; - E7A94C0313D89F26001C5FEE /* ValidSelfIssuedpathLenConstraintTest15EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418F13D51D63008048AC /* ValidSelfIssuedpathLenConstraintTest15EE.crt */; }; - E7A94C0413D89F26001C5FEE /* ValidSelfIssuedpathLenConstraintTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419013D51D63008048AC /* ValidSelfIssuedpathLenConstraintTest17EE.crt */; }; - E7A94C0513D89F26001C5FEE /* ValidSelfIssuedrequireExplicitPolicyTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419113D51D63008048AC /* ValidSelfIssuedrequireExplicitPolicyTest6EE.crt */; }; - E7A94C0613D89F26001C5FEE /* ValidURInameConstraintsTest34EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419213D51D63008048AC /* 
ValidURInameConstraintsTest34EE.crt */; }; - E7A94C0713D89F26001C5FEE /* ValidURInameConstraintsTest36EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419313D51D63008048AC /* ValidURInameConstraintsTest36EE.crt */; }; - E7A94C0813D89F26001C5FEE /* ValidUTF8StringCaseInsensitiveMatchTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419413D51D63008048AC /* ValidUTF8StringCaseInsensitiveMatchTest11EE.crt */; }; - E7A94C0913D89F26001C5FEE /* ValidUTF8StringEncodedNamesTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419513D51D63008048AC /* ValidUTF8StringEncodedNamesTest9EE.crt */; }; - E7A94C0A13D89F26001C5FEE /* ValidUnknownNotCriticalCertificateExtensionTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419613D51D63008048AC /* ValidUnknownNotCriticalCertificateExtensionTest1EE.crt */; }; - E7A94C0B13D89F26001C5FEE /* ValidbasicConstraintsNotCriticalTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419713D51D63008048AC /* ValidbasicConstraintsNotCriticalTest4EE.crt */; }; - E7A94C0C13D89F26001C5FEE /* ValidcRLIssuerTest28EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419813D51D63008048AC /* ValidcRLIssuerTest28EE.crt */; }; - E7A94C0D13D89F26001C5FEE /* ValidcRLIssuerTest29EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419913D51D63008048AC /* ValidcRLIssuerTest29EE.crt */; }; - E7A94C0E13D89F26001C5FEE /* ValidcRLIssuerTest30EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419A13D51D63008048AC /* ValidcRLIssuerTest30EE.crt */; }; - E7A94C0F13D89F26001C5FEE /* ValidcRLIssuerTest33EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419B13D51D63008048AC /* ValidcRLIssuerTest33EE.crt */; }; - E7A94C1013D89F26001C5FEE /* ValidinhibitAnyPolicyTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419C13D51D63008048AC /* ValidinhibitAnyPolicyTest2EE.crt */; }; - E7A94C1113D89F26001C5FEE /* ValidinhibitPolicyMappingTest2EE.crt in CopyFiles */ = {isa 
= PBXBuildFile; fileRef = 4C75419D13D51D63008048AC /* ValidinhibitPolicyMappingTest2EE.crt */; }; - E7A94C1213D89F27001C5FEE /* ValidinhibitPolicyMappingTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419E13D51D63008048AC /* ValidinhibitPolicyMappingTest4EE.crt */; }; - E7A94C1313D89F27001C5FEE /* ValidkeyUsageNotCriticalTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419F13D51D63008048AC /* ValidkeyUsageNotCriticalTest3EE.crt */; }; - E7A94C1413D89F27001C5FEE /* ValidonlyContainsCACertsTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A013D51D63008048AC /* ValidonlyContainsCACertsTest13EE.crt */; }; - E7A94C1513D89F27001C5FEE /* ValidonlySomeReasonsTest18EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A113D51D63008048AC /* ValidonlySomeReasonsTest18EE.crt */; }; - E7A94C1613D89F27001C5FEE /* ValidonlySomeReasonsTest19EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A213D51D63008048AC /* ValidonlySomeReasonsTest19EE.crt */; }; - E7A94C1713D89F27001C5FEE /* ValidpathLenConstraintTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A313D51D63008048AC /* ValidpathLenConstraintTest13EE.crt */; }; - E7A94C1813D89F27001C5FEE /* ValidpathLenConstraintTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A413D51D63008048AC /* ValidpathLenConstraintTest14EE.crt */; }; - E7A94C1913D89F27001C5FEE /* ValidpathLenConstraintTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A513D51D63008048AC /* ValidpathLenConstraintTest7EE.crt */; }; - E7A94C1A13D89F27001C5FEE /* ValidpathLenConstraintTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A613D51D63008048AC /* ValidpathLenConstraintTest8EE.crt */; }; - E7A94C1B13D89F27001C5FEE /* Validpre2000UTCnotBeforeDateTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A713D51D63008048AC /* Validpre2000UTCnotBeforeDateTest3EE.crt */; }; - E7A94C1C13D89F27001C5FEE /* 
ValidrequireExplicitPolicyTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A813D51D63008048AC /* ValidrequireExplicitPolicyTest1EE.crt */; }; - E7A94C1D13D89F27001C5FEE /* ValidrequireExplicitPolicyTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A913D51D63008048AC /* ValidrequireExplicitPolicyTest2EE.crt */; }; - E7A94C1E13D89F27001C5FEE /* ValidrequireExplicitPolicyTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AA13D51D63008048AC /* ValidrequireExplicitPolicyTest4EE.crt */; }; - E7A94C1F13D89F27001C5FEE /* WrongCRLCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AB13D51D63008048AC /* WrongCRLCACert.crt */; }; - E7A94C2013D89F27001C5FEE /* anyPolicyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AC13D51D63008048AC /* anyPolicyCACert.crt */; }; - E7A94C2113D89F27001C5FEE /* basicConstraintsCriticalcAFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AD13D51D63008048AC /* basicConstraintsCriticalcAFalseCACert.crt */; }; - E7A94C2213D89F27001C5FEE /* basicConstraintsNotCriticalCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AE13D51D63008048AC /* basicConstraintsNotCriticalCACert.crt */; }; - E7A94C2313D89F27001C5FEE /* basicConstraintsNotCriticalcAFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AF13D51D63008048AC /* basicConstraintsNotCriticalcAFalseCACert.crt */; }; - E7A94C2413D89F27001C5FEE /* deltaCRLCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B013D51D63008048AC /* deltaCRLCA1Cert.crt */; }; - E7A94C2513D89F27001C5FEE /* deltaCRLCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B113D51D63008048AC /* deltaCRLCA2Cert.crt */; }; - E7A94C2613D89F27001C5FEE /* deltaCRLCA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B213D51D63008048AC /* deltaCRLCA3Cert.crt */; }; - E7A94C2713D89F27001C5FEE /* deltaCRLIndicatorNoBaseCACert.crt in CopyFiles */ = {isa = 
PBXBuildFile; fileRef = 4C7541B313D51D63008048AC /* deltaCRLIndicatorNoBaseCACert.crt */; }; - E7A94C2813D89F27001C5FEE /* distributionPoint1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B413D51D63008048AC /* distributionPoint1CACert.crt */; }; - E7A94C2913D89F27001C5FEE /* distributionPoint2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B513D51D63008048AC /* distributionPoint2CACert.crt */; }; - E7A94C2A13D89F27001C5FEE /* indirectCRLCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B613D51D63008048AC /* indirectCRLCA1Cert.crt */; }; - E7A94C2B13D89F27001C5FEE /* indirectCRLCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B713D51D63008048AC /* indirectCRLCA2Cert.crt */; }; - E7A94C2C13D89F27001C5FEE /* indirectCRLCA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B813D51D63008048AC /* indirectCRLCA3Cert.crt */; }; - E7A94C2D13D89F27001C5FEE /* indirectCRLCA3cRLIssuerCert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B913D51D63008048AC /* indirectCRLCA3cRLIssuerCert.crt */; }; - E7A94C2E13D89F27001C5FEE /* indirectCRLCA4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BA13D51D63008048AC /* indirectCRLCA4Cert.crt */; }; - E7A94C2F13D89F27001C5FEE /* indirectCRLCA4cRLIssuerCert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BB13D51D63008048AC /* indirectCRLCA4cRLIssuerCert.crt */; }; - E7A94C3013D89F27001C5FEE /* indirectCRLCA5Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BC13D51D63008048AC /* indirectCRLCA5Cert.crt */; }; - E7A94C3113D89F27001C5FEE /* indirectCRLCA6Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BD13D51D63008048AC /* indirectCRLCA6Cert.crt */; }; - E7A94C3213D89F27001C5FEE /* inhibitAnyPolicy0CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BE13D51D63008048AC /* inhibitAnyPolicy0CACert.crt */; }; - E7A94C3313D89F27001C5FEE /* inhibitAnyPolicy1CACert.crt in CopyFiles */ = 
{isa = PBXBuildFile; fileRef = 4C7541BF13D51D63008048AC /* inhibitAnyPolicy1CACert.crt */; }; - E7A94C3413D89F27001C5FEE /* inhibitAnyPolicy1SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C013D51D63008048AC /* inhibitAnyPolicy1SelfIssuedCACert.crt */; }; - E7A94C3513D89F27001C5FEE /* inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C113D51D63008048AC /* inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt */; }; - E7A94C3613D89F27001C5FEE /* inhibitAnyPolicy1subCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C213D51D63008048AC /* inhibitAnyPolicy1subCA1Cert.crt */; }; - E7A94C3713D89F27001C5FEE /* inhibitAnyPolicy1subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C313D51D63008048AC /* inhibitAnyPolicy1subCA2Cert.crt */; }; - E7A94C3813D89F27001C5FEE /* inhibitAnyPolicy1subCAIAP5Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C413D51D63008048AC /* inhibitAnyPolicy1subCAIAP5Cert.crt */; }; - E7A94C3913D89F27001C5FEE /* inhibitAnyPolicy1subsubCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C513D51D63008048AC /* inhibitAnyPolicy1subsubCA2Cert.crt */; }; - E7A94C3A13D89F27001C5FEE /* inhibitAnyPolicy5CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C613D51D63008048AC /* inhibitAnyPolicy5CACert.crt */; }; - E7A94C3B13D89F27001C5FEE /* inhibitAnyPolicy5subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C713D51D63008048AC /* inhibitAnyPolicy5subCACert.crt */; }; - E7A94C3C13D89F27001C5FEE /* inhibitAnyPolicy5subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C813D51D63008048AC /* inhibitAnyPolicy5subsubCACert.crt */; }; - E7A94C3D13D89F27001C5FEE /* inhibitAnyPolicyTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C913D51D63008048AC /* inhibitAnyPolicyTest3EE.crt */; }; - E7A94C3E13D89F27001C5FEE /* inhibitPolicyMapping0CACert.crt in CopyFiles */ = {isa = 
PBXBuildFile; fileRef = 4C7541CA13D51D63008048AC /* inhibitPolicyMapping0CACert.crt */; }; - E7A94C3F13D89F27001C5FEE /* inhibitPolicyMapping0subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CB13D51D63008048AC /* inhibitPolicyMapping0subCACert.crt */; }; - E7A94C4013D89F27001C5FEE /* inhibitPolicyMapping1P12CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CC13D51D63008048AC /* inhibitPolicyMapping1P12CACert.crt */; }; - E7A94C4113D89F27001C5FEE /* inhibitPolicyMapping1P12subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CD13D51D63008048AC /* inhibitPolicyMapping1P12subCACert.crt */; }; - E7A94C4213D89F27001C5FEE /* inhibitPolicyMapping1P12subCAIPM5Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CE13D51D63008048AC /* inhibitPolicyMapping1P12subCAIPM5Cert.crt */; }; - E7A94C4313D89F27001C5FEE /* inhibitPolicyMapping1P12subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CF13D51D63008048AC /* inhibitPolicyMapping1P12subsubCACert.crt */; }; - E7A94C4413D89F27001C5FEE /* inhibitPolicyMapping1P12subsubCAIPM5Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D013D51D63008048AC /* inhibitPolicyMapping1P12subsubCAIPM5Cert.crt */; }; - E7A94C4513D89F27001C5FEE /* inhibitPolicyMapping1P1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D113D51D63008048AC /* inhibitPolicyMapping1P1CACert.crt */; }; - E7A94C4613D89F27001C5FEE /* inhibitPolicyMapping1P1SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D213D51D63008048AC /* inhibitPolicyMapping1P1SelfIssuedCACert.crt */; }; - E7A94C4713D89F27001C5FEE /* inhibitPolicyMapping1P1SelfIssuedsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D313D51D63008048AC /* inhibitPolicyMapping1P1SelfIssuedsubCACert.crt */; }; - E7A94C4813D89F27001C5FEE /* inhibitPolicyMapping1P1subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D413D51D63008048AC /* 
inhibitPolicyMapping1P1subCACert.crt */; }; - E7A94C4913D89F27001C5FEE /* inhibitPolicyMapping1P1subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D513D51D63008048AC /* inhibitPolicyMapping1P1subsubCACert.crt */; }; - E7A94C4A13D89F27001C5FEE /* inhibitPolicyMapping5CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D613D51D63008048AC /* inhibitPolicyMapping5CACert.crt */; }; - E7A94C4B13D89F27001C5FEE /* inhibitPolicyMapping5subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D713D51D63008048AC /* inhibitPolicyMapping5subCACert.crt */; }; - E7A94C4C13D89F27001C5FEE /* inhibitPolicyMapping5subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D813D51D63008048AC /* inhibitPolicyMapping5subsubCACert.crt */; }; - E7A94C4D13D89F27001C5FEE /* inhibitPolicyMapping5subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D913D51D63008048AC /* inhibitPolicyMapping5subsubsubCACert.crt */; }; - E7A94C4E13D89F27001C5FEE /* keyUsageCriticalcRLSignFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DA13D51D63008048AC /* keyUsageCriticalcRLSignFalseCACert.crt */; }; - E7A94C4F13D89F27001C5FEE /* keyUsageCriticalkeyCertSignFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DB13D51D63008048AC /* keyUsageCriticalkeyCertSignFalseCACert.crt */; }; - E7A94C5013D89F27001C5FEE /* keyUsageNotCriticalCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DC13D51D63008048AC /* keyUsageNotCriticalCACert.crt */; }; - E7A94C5113D89F27001C5FEE /* keyUsageNotCriticalcRLSignFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DD13D51D63008048AC /* keyUsageNotCriticalcRLSignFalseCACert.crt */; }; - E7A94C5213D89F27001C5FEE /* keyUsageNotCriticalkeyCertSignFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DE13D51D63008048AC /* keyUsageNotCriticalkeyCertSignFalseCACert.crt */; }; - E7A94C5313D89F27001C5FEE /* 
nameConstraintsDN1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DF13D51D63008048AC /* nameConstraintsDN1CACert.crt */; }; - E7A94C5413D89F27001C5FEE /* nameConstraintsDN1SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E013D51D63008048AC /* nameConstraintsDN1SelfIssuedCACert.crt */; }; - E7A94C5513D89F27001C5FEE /* nameConstraintsDN1subCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E113D51D63008048AC /* nameConstraintsDN1subCA1Cert.crt */; }; - E7A94C5613D89F27001C5FEE /* nameConstraintsDN1subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E213D51D63008048AC /* nameConstraintsDN1subCA2Cert.crt */; }; - E7A94C5713D89F27001C5FEE /* nameConstraintsDN1subCA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E313D51D63008048AC /* nameConstraintsDN1subCA3Cert.crt */; }; - E7A94C5813D89F27001C5FEE /* nameConstraintsDN2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E413D51D63008048AC /* nameConstraintsDN2CACert.crt */; }; - E7A94C5913D89F27001C5FEE /* nameConstraintsDN3CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E513D51D63008048AC /* nameConstraintsDN3CACert.crt */; }; - E7A94C5A13D89F27001C5FEE /* nameConstraintsDN3subCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E613D51D63008048AC /* nameConstraintsDN3subCA1Cert.crt */; }; - E7A94C5B13D89F27001C5FEE /* nameConstraintsDN3subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E713D51D63008048AC /* nameConstraintsDN3subCA2Cert.crt */; }; - E7A94C5C13D89F27001C5FEE /* nameConstraintsDN4CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E813D51D63008048AC /* nameConstraintsDN4CACert.crt */; }; - E7A94C5D13D89F27001C5FEE /* nameConstraintsDN5CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E913D51D63008048AC /* nameConstraintsDN5CACert.crt */; }; - E7A94C5E13D89F27001C5FEE /* nameConstraintsDNS1CACert.crt in CopyFiles */ = 
{isa = PBXBuildFile; fileRef = 4C7541EA13D51D63008048AC /* nameConstraintsDNS1CACert.crt */; }; - E7A94C5F13D89F27001C5FEE /* nameConstraintsDNS2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541EB13D51D63008048AC /* nameConstraintsDNS2CACert.crt */; }; - E7A94C6013D89F27001C5FEE /* nameConstraintsRFC822CA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541EC13D51D63008048AC /* nameConstraintsRFC822CA1Cert.crt */; }; - E7A94C6113D89F27001C5FEE /* nameConstraintsRFC822CA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541ED13D51D63008048AC /* nameConstraintsRFC822CA2Cert.crt */; }; - E7A94C6213D89F27001C5FEE /* nameConstraintsRFC822CA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541EE13D51D63008048AC /* nameConstraintsRFC822CA3Cert.crt */; }; - E7A94C6313D89F27001C5FEE /* nameConstraintsURI1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541EF13D51D63008048AC /* nameConstraintsURI1CACert.crt */; }; - E7A94C6413D89F27001C5FEE /* nameConstraintsURI2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F013D51D63008048AC /* nameConstraintsURI2CACert.crt */; }; - E7A94C6513D89F27001C5FEE /* onlyContainsAttributeCertsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F113D51D63008048AC /* onlyContainsAttributeCertsCACert.crt */; }; - E7A94C6613D89F27001C5FEE /* onlyContainsCACertsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F213D51D63008048AC /* onlyContainsCACertsCACert.crt */; }; - E7A94C6713D89F27001C5FEE /* onlyContainsUserCertsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F313D51D63008048AC /* onlyContainsUserCertsCACert.crt */; }; - E7A94C6813D89F27001C5FEE /* onlySomeReasonsCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F413D51D63008048AC /* onlySomeReasonsCA1Cert.crt */; }; - E7A94C6913D89F27001C5FEE /* onlySomeReasonsCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F513D51D63008048AC /* 
onlySomeReasonsCA2Cert.crt */; }; - E7A94C6A13D89F27001C5FEE /* onlySomeReasonsCA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F613D51D63008048AC /* onlySomeReasonsCA3Cert.crt */; }; - E7A94C6B13D89F27001C5FEE /* onlySomeReasonsCA4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F713D51D63008048AC /* onlySomeReasonsCA4Cert.crt */; }; - E7A94C6C13D89F27001C5FEE /* pathLenConstraint0CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F813D51D63008048AC /* pathLenConstraint0CACert.crt */; }; - E7A94C6D13D89F27001C5FEE /* pathLenConstraint0SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F913D51D63008048AC /* pathLenConstraint0SelfIssuedCACert.crt */; }; - E7A94C6E13D89F27001C5FEE /* pathLenConstraint0subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FA13D51D63008048AC /* pathLenConstraint0subCA2Cert.crt */; }; - E7A94C6F13D89F27001C5FEE /* pathLenConstraint0subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FB13D51D63008048AC /* pathLenConstraint0subCACert.crt */; }; - E7A94C7013D89F27001C5FEE /* pathLenConstraint1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FC13D51D63008048AC /* pathLenConstraint1CACert.crt */; }; - E7A94C7113D89F27001C5FEE /* pathLenConstraint1SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FD13D51D63008048AC /* pathLenConstraint1SelfIssuedCACert.crt */; }; - E7A94C7213D89F27001C5FEE /* pathLenConstraint1SelfIssuedsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FE13D51D63008048AC /* pathLenConstraint1SelfIssuedsubCACert.crt */; }; - E7A94C7313D89F27001C5FEE /* pathLenConstraint1subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FF13D51D63008048AC /* pathLenConstraint1subCACert.crt */; }; - E7A94C7413D89F27001C5FEE /* pathLenConstraint6CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420013D51D64008048AC /* pathLenConstraint6CACert.crt 
*/; }; - E7A94C7513D89F27001C5FEE /* pathLenConstraint6subCA0Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420113D51D64008048AC /* pathLenConstraint6subCA0Cert.crt */; }; - E7A94C7613D89F27001C5FEE /* pathLenConstraint6subCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420213D51D64008048AC /* pathLenConstraint6subCA1Cert.crt */; }; - E7A94C7713D89F27001C5FEE /* pathLenConstraint6subCA4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420313D51D64008048AC /* pathLenConstraint6subCA4Cert.crt */; }; - E7A94C7813D89F27001C5FEE /* pathLenConstraint6subsubCA00Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420413D51D64008048AC /* pathLenConstraint6subsubCA00Cert.crt */; }; - E7A94C7913D89F27001C5FEE /* pathLenConstraint6subsubCA11Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420513D51D64008048AC /* pathLenConstraint6subsubCA11Cert.crt */; }; - E7A94C7A13D89F27001C5FEE /* pathLenConstraint6subsubCA41Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420613D51D64008048AC /* pathLenConstraint6subsubCA41Cert.crt */; }; - E7A94C7B13D89F27001C5FEE /* pathLenConstraint6subsubsubCA11XCert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420713D51D64008048AC /* pathLenConstraint6subsubsubCA11XCert.crt */; }; - E7A94C7C13D89F27001C5FEE /* pathLenConstraint6subsubsubCA41XCert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420813D51D64008048AC /* pathLenConstraint6subsubsubCA41XCert.crt */; }; - E7A94C7D13D89F27001C5FEE /* pre2000CRLnextUpdateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420913D51D64008048AC /* pre2000CRLnextUpdateCACert.crt */; }; - E7A94C7E13D89F27001C5FEE /* requireExplicitPolicy0CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420A13D51D64008048AC /* requireExplicitPolicy0CACert.crt */; }; - E7A94C7F13D89F27001C5FEE /* requireExplicitPolicy0subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420B13D51D64008048AC 
/* requireExplicitPolicy0subCACert.crt */; }; - E7A94C8013D89F27001C5FEE /* requireExplicitPolicy0subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420C13D51D64008048AC /* requireExplicitPolicy0subsubCACert.crt */; }; - E7A94C8113D89F27001C5FEE /* requireExplicitPolicy0subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420D13D51D64008048AC /* requireExplicitPolicy0subsubsubCACert.crt */; }; - E7A94C8213D89F27001C5FEE /* requireExplicitPolicy10CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420E13D51D64008048AC /* requireExplicitPolicy10CACert.crt */; }; - E7A94C8313D89F27001C5FEE /* requireExplicitPolicy10subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420F13D51D64008048AC /* requireExplicitPolicy10subCACert.crt */; }; - E7A94C8413D89F27001C5FEE /* requireExplicitPolicy10subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421013D51D64008048AC /* requireExplicitPolicy10subsubCACert.crt */; }; - E7A94C8513D89F27001C5FEE /* requireExplicitPolicy10subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421113D51D64008048AC /* requireExplicitPolicy10subsubsubCACert.crt */; }; - E7A94C8613D89F27001C5FEE /* requireExplicitPolicy2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421213D51D64008048AC /* requireExplicitPolicy2CACert.crt */; }; - E7A94C8713D89F27001C5FEE /* requireExplicitPolicy2SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421313D51D64008048AC /* requireExplicitPolicy2SelfIssuedCACert.crt */; }; - E7A94C8813D89F27001C5FEE /* requireExplicitPolicy2SelfIssuedsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421413D51D64008048AC /* requireExplicitPolicy2SelfIssuedsubCACert.crt */; }; - E7A94C8913D89F27001C5FEE /* requireExplicitPolicy2subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421513D51D64008048AC /* requireExplicitPolicy2subCACert.crt */; }; - E7A94C8A13D89F27001C5FEE 
/* requireExplicitPolicy4CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421613D51D64008048AC /* requireExplicitPolicy4CACert.crt */; }; - E7A94C8B13D89F27001C5FEE /* requireExplicitPolicy4subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421713D51D64008048AC /* requireExplicitPolicy4subCACert.crt */; }; - E7A94C8C13D89F27001C5FEE /* requireExplicitPolicy4subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421813D51D64008048AC /* requireExplicitPolicy4subsubCACert.crt */; }; - E7A94C8D13D89F27001C5FEE /* requireExplicitPolicy4subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421913D51D64008048AC /* requireExplicitPolicy4subsubsubCACert.crt */; }; - E7A94C8E13D89F27001C5FEE /* requireExplicitPolicy5CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421A13D51D64008048AC /* requireExplicitPolicy5CACert.crt */; }; - E7A94C8F13D89F27001C5FEE /* requireExplicitPolicy5subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421B13D51D64008048AC /* requireExplicitPolicy5subCACert.crt */; }; - E7A94C9013D89F27001C5FEE /* requireExplicitPolicy5subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421C13D51D64008048AC /* requireExplicitPolicy5subsubCACert.crt */; }; - E7A94C9113D89F27001C5FEE /* requireExplicitPolicy5subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421D13D51D64008048AC /* requireExplicitPolicy5subsubsubCACert.crt */; }; - E7A94C9213D89F27001C5FEE /* requireExplicitPolicy7CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421E13D51D64008048AC /* requireExplicitPolicy7CACert.crt */; }; - E7A94C9313D89F27001C5FEE /* requireExplicitPolicy7subCARE2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421F13D51D64008048AC /* requireExplicitPolicy7subCARE2Cert.crt */; }; - E7A94C9413D89F27001C5FEE /* requireExplicitPolicy7subsubCARE2RE4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 
4C75422013D51D64008048AC /* requireExplicitPolicy7subsubCARE2RE4Cert.crt */; }; - E7A94C9513D89F27001C5FEE /* requireExplicitPolicy7subsubsubCARE2RE4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75422113D51D64008048AC /* requireExplicitPolicy7subsubsubCARE2RE4Cert.crt */; }; - E7A94C9A13D8A128001C5FEE /* Expectations.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = E7A94C9713D8A0DF001C5FEE /* Expectations.plist */; }; - E7A94C9C13D8A1AC001C5FEE /* Expectations.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = E7A94C9713D8A0DF001C5FEE /* Expectations.plist */; }; - E7A94C9D13D8A1AC001C5FEE /* AllCertificatesNoPoliciesTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BB13D51D63008048AC /* AllCertificatesNoPoliciesTest2EE.crt */; }; - E7A94C9E13D8A1AC001C5FEE /* AllCertificatesSamePoliciesTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BC13D51D63008048AC /* AllCertificatesSamePoliciesTest10EE.crt */; }; - E7A94C9F13D8A1AC001C5FEE /* AllCertificatesSamePoliciesTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BD13D51D63008048AC /* AllCertificatesSamePoliciesTest13EE.crt */; }; - E7A94CA013D8A1AC001C5FEE /* AllCertificatesanyPolicyTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BE13D51D63008048AC /* AllCertificatesanyPolicyTest11EE.crt */; }; - E7A94CA113D8A1AC001C5FEE /* AnyPolicyTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540BF13D51D63008048AC /* AnyPolicyTest14EE.crt */; }; - E7A94CA213D8A1AC001C5FEE /* BadCRLIssuerNameCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C013D51D63008048AC /* BadCRLIssuerNameCACert.crt */; }; - E7A94CA313D8A1AC001C5FEE /* BadCRLSignatureCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C113D51D63008048AC /* BadCRLSignatureCACert.crt */; }; - E7A94CA413D8A1AC001C5FEE /* BadSignedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C213D51D63008048AC /* BadSignedCACert.crt 
*/; }; - E7A94CA513D8A1AC001C5FEE /* BadnotAfterDateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C313D51D63008048AC /* BadnotAfterDateCACert.crt */; }; - E7A94CA613D8A1AC001C5FEE /* BadnotBeforeDateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C413D51D63008048AC /* BadnotBeforeDateCACert.crt */; }; - E7A94CA713D8A1AC001C5FEE /* BasicSelfIssuedCRLSigningKeyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C513D51D63008048AC /* BasicSelfIssuedCRLSigningKeyCACert.crt */; }; - E7A94CA813D8A1AC001C5FEE /* BasicSelfIssuedNewKeyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C613D51D63008048AC /* BasicSelfIssuedNewKeyCACert.crt */; }; - E7A94CA913D8A1AC001C5FEE /* BasicSelfIssuedNewKeyOldWithNewCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C713D51D63008048AC /* BasicSelfIssuedNewKeyOldWithNewCACert.crt */; }; - E7A94CAA13D8A1AC001C5FEE /* BasicSelfIssuedOldKeyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C813D51D63008048AC /* BasicSelfIssuedOldKeyCACert.crt */; }; - E7A94CAB13D8A1AC001C5FEE /* BasicSelfIssuedOldKeyNewWithOldCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540C913D51D63008048AC /* BasicSelfIssuedOldKeyNewWithOldCACert.crt */; }; - E7A94CAC13D8A1AC001C5FEE /* CPSPointerQualifierTest20EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CA13D51D63008048AC /* CPSPointerQualifierTest20EE.crt */; }; - E7A94CAD13D8A1AC001C5FEE /* DSACACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CB13D51D63008048AC /* DSACACert.crt */; }; - E7A94CAE13D8A1AC001C5FEE /* DSAParametersInheritedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CC13D51D63008048AC /* DSAParametersInheritedCACert.crt */; }; - E7A94CAF13D8A1AC001C5FEE /* DifferentPoliciesTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CD13D51D63008048AC /* DifferentPoliciesTest12EE.crt */; }; - E7A94CB013D8A1AC001C5FEE /* 
DifferentPoliciesTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CE13D51D63008048AC /* DifferentPoliciesTest3EE.crt */; }; - E7A94CB113D8A1AC001C5FEE /* DifferentPoliciesTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540CF13D51D63008048AC /* DifferentPoliciesTest4EE.crt */; }; - E7A94CB213D8A1AC001C5FEE /* DifferentPoliciesTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D013D51D63008048AC /* DifferentPoliciesTest5EE.crt */; }; - E7A94CB313D8A1AC001C5FEE /* DifferentPoliciesTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D113D51D63008048AC /* DifferentPoliciesTest7EE.crt */; }; - E7A94CB413D8A1AC001C5FEE /* DifferentPoliciesTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D213D51D63008048AC /* DifferentPoliciesTest8EE.crt */; }; - E7A94CB513D8A1AC001C5FEE /* DifferentPoliciesTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D313D51D63008048AC /* DifferentPoliciesTest9EE.crt */; }; - E7A94CB613D8A1AC001C5FEE /* GeneralizedTimeCRLnextUpdateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D413D51D63008048AC /* GeneralizedTimeCRLnextUpdateCACert.crt */; }; - E7A94CB713D8A1AC001C5FEE /* GoodCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D513D51D63008048AC /* GoodCACert.crt */; }; - E7A94CB813D8A1AC001C5FEE /* GoodsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D613D51D63008048AC /* GoodsubCACert.crt */; }; - E7A94CB913D8A1AC001C5FEE /* GoodsubCAPanyPolicyMapping1to2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D713D51D63008048AC /* GoodsubCAPanyPolicyMapping1to2CACert.crt */; }; - E7A94CBA13D8A1AC001C5FEE /* InvalidBasicSelfIssuedNewWithOldTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540D813D51D63008048AC /* InvalidBasicSelfIssuedNewWithOldTest5EE.crt */; }; - E7A94CBB13D8A1AC001C5FEE /* InvalidBasicSelfIssuedOldWithNewTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; 
fileRef = 4C7540D913D51D63008048AC /* InvalidBasicSelfIssuedOldWithNewTest2EE.crt */; }; - E7A94CBC13D8A1AC001C5FEE /* InvalidCASignatureTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DA13D51D63008048AC /* InvalidCASignatureTest2EE.crt */; }; - E7A94CBD13D8A1AC001C5FEE /* InvalidCAnotAfterDateTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DB13D51D63008048AC /* InvalidCAnotAfterDateTest5EE.crt */; }; - E7A94CBE13D8A1AC001C5FEE /* InvalidCAnotBeforeDateTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DC13D51D63008048AC /* InvalidCAnotBeforeDateTest1EE.crt */; }; - E7A94CBF13D8A1AC001C5FEE /* InvalidDNSnameConstraintsTest31EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DD13D51D63008048AC /* InvalidDNSnameConstraintsTest31EE.crt */; }; - E7A94CC013D8A1AC001C5FEE /* InvalidDNSnameConstraintsTest33EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DE13D51D63008048AC /* InvalidDNSnameConstraintsTest33EE.crt */; }; - E7A94CC113D8A1AC001C5FEE /* InvalidDNSnameConstraintsTest38EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540DF13D51D63008048AC /* InvalidDNSnameConstraintsTest38EE.crt */; }; - E7A94CC213D8A1AC001C5FEE /* InvalidDNandRFC822nameConstraintsTest28EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E013D51D63008048AC /* InvalidDNandRFC822nameConstraintsTest28EE.crt */; }; - E7A94CC313D8A1AC001C5FEE /* InvalidDNandRFC822nameConstraintsTest29EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E113D51D63008048AC /* InvalidDNandRFC822nameConstraintsTest29EE.crt */; }; - E7A94CC413D8A1AC001C5FEE /* InvalidDNnameConstraintsTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E213D51D63008048AC /* InvalidDNnameConstraintsTest10EE.crt */; }; - E7A94CC513D8A1AC001C5FEE /* InvalidDNnameConstraintsTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E313D51D63008048AC /* InvalidDNnameConstraintsTest12EE.crt */; }; - 
E7A94CC613D8A1AC001C5FEE /* InvalidDNnameConstraintsTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E413D51D63008048AC /* InvalidDNnameConstraintsTest13EE.crt */; }; - E7A94CC713D8A1AC001C5FEE /* InvalidDNnameConstraintsTest15EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E513D51D63008048AC /* InvalidDNnameConstraintsTest15EE.crt */; }; - E7A94CC813D8A1AC001C5FEE /* InvalidDNnameConstraintsTest16EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E613D51D63008048AC /* InvalidDNnameConstraintsTest16EE.crt */; }; - E7A94CC913D8A1AC001C5FEE /* InvalidDNnameConstraintsTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E713D51D63008048AC /* InvalidDNnameConstraintsTest17EE.crt */; }; - E7A94CCA13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest20EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E813D51D63008048AC /* InvalidDNnameConstraintsTest20EE.crt */; }; - E7A94CCB13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540E913D51D63008048AC /* InvalidDNnameConstraintsTest2EE.crt */; }; - E7A94CCC13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540EA13D51D63008048AC /* InvalidDNnameConstraintsTest3EE.crt */; }; - E7A94CCD13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540EB13D51D63008048AC /* InvalidDNnameConstraintsTest7EE.crt */; }; - E7A94CCE13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540EC13D51D63008048AC /* InvalidDNnameConstraintsTest8EE.crt */; }; - E7A94CCF13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540ED13D51D63008048AC /* InvalidDNnameConstraintsTest9EE.crt */; }; - E7A94CD013D8A1AC001C5FEE /* InvalidDSASignatureTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 
4C7540EE13D51D63008048AC /* InvalidDSASignatureTest6EE.crt */; }; - E7A94CD113D8A1AC001C5FEE /* InvalidEESignatureTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540EF13D51D63008048AC /* InvalidEESignatureTest3EE.crt */; }; - E7A94CD213D8A1AC001C5FEE /* InvalidEEnotAfterDateTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F013D51D63008048AC /* InvalidEEnotAfterDateTest6EE.crt */; }; - E7A94CD313D8A1AC001C5FEE /* InvalidEEnotBeforeDateTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F113D51D63008048AC /* InvalidEEnotBeforeDateTest2EE.crt */; }; - E7A94CD413D8A1AC001C5FEE /* InvalidLongSerialNumberTest18EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F213D51D63008048AC /* InvalidLongSerialNumberTest18EE.crt */; }; - E7A94CD513D8A1AC001C5FEE /* InvalidMappingFromanyPolicyTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F313D51D63008048AC /* InvalidMappingFromanyPolicyTest7EE.crt */; }; - E7A94CD613D8A1AC001C5FEE /* InvalidMappingToanyPolicyTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F413D51D63008048AC /* InvalidMappingToanyPolicyTest8EE.crt */; }; - E7A94CD713D8A1AC001C5FEE /* InvalidMissingbasicConstraintsTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F513D51D63008048AC /* InvalidMissingbasicConstraintsTest1EE.crt */; }; - E7A94CD813D8A1AC001C5FEE /* InvalidNameChainingOrderTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F613D51D63008048AC /* InvalidNameChainingOrderTest2EE.crt */; }; - E7A94CD913D8A1AC001C5FEE /* InvalidNameChainingTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F713D51D63008048AC /* InvalidNameChainingTest1EE.crt */; }; - E7A94CDA13D8A1AC001C5FEE /* InvalidNegativeSerialNumberTest15EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540F813D51D63008048AC /* InvalidNegativeSerialNumberTest15EE.crt */; }; - E7A94CDB13D8A1AC001C5FEE /* InvalidPolicyMappingTest10EE.crt in CopyFiles 
*/ = {isa = PBXBuildFile; fileRef = 4C7540F913D51D63008048AC /* InvalidPolicyMappingTest10EE.crt */; }; - E7A94CDC13D8A1AC001C5FEE /* InvalidPolicyMappingTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FA13D51D63008048AC /* InvalidPolicyMappingTest2EE.crt */; }; - E7A94CDD13D8A1AC001C5FEE /* InvalidPolicyMappingTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FB13D51D63008048AC /* InvalidPolicyMappingTest4EE.crt */; }; - E7A94CDE13D8A1AC001C5FEE /* InvalidRFC822nameConstraintsTest22EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FC13D51D63008048AC /* InvalidRFC822nameConstraintsTest22EE.crt */; }; - E7A94CDF13D8A1AC001C5FEE /* InvalidRFC822nameConstraintsTest24EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FD13D51D63008048AC /* InvalidRFC822nameConstraintsTest24EE.crt */; }; - E7A94CE013D8A1AC001C5FEE /* InvalidRFC822nameConstraintsTest26EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FE13D51D63008048AC /* InvalidRFC822nameConstraintsTest26EE.crt */; }; - E7A94CE113D8A1AC001C5FEE /* InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7540FF13D51D63008048AC /* InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt */; }; - E7A94CE213D8A1AC001C5FEE /* InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410013D51D63008048AC /* InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt */; }; - E7A94CE313D8A1AC001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410113D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt */; }; - E7A94CE413D8A1AC001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410213D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt */; }; - E7A94CE513D8A1AC001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt in CopyFiles */ = {isa = 
PBXBuildFile; fileRef = 4C75410313D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt */; }; - E7A94CE613D8A1AC001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410413D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt */; }; - E7A94CE713D8A1AC001C5FEE /* InvalidSelfIssuedpathLenConstraintTest16EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410513D51D63008048AC /* InvalidSelfIssuedpathLenConstraintTest16EE.crt */; }; - E7A94CE813D8A1AC001C5FEE /* InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410613D51D63008048AC /* InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt */; }; - E7A94CE913D8A1AC001C5FEE /* InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410713D51D63008048AC /* InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt */; }; - E7A94CEA13D8A1AC001C5FEE /* InvalidURInameConstraintsTest35EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410813D51D63008048AC /* InvalidURInameConstraintsTest35EE.crt */; }; - E7A94CEB13D8A1AC001C5FEE /* InvalidURInameConstraintsTest37EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410913D51D63008048AC /* InvalidURInameConstraintsTest37EE.crt */; }; - E7A94CEC13D8A1AC001C5FEE /* InvalidUnknownCriticalCertificateExtensionTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410A13D51D63008048AC /* InvalidUnknownCriticalCertificateExtensionTest2EE.crt */; }; - E7A94CED13D8A1AC001C5FEE /* InvalidcAFalseTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410B13D51D63008048AC /* InvalidcAFalseTest2EE.crt */; }; - E7A94CEE13D8A1AC001C5FEE /* InvalidcAFalseTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410C13D51D63008048AC /* InvalidcAFalseTest3EE.crt */; }; - E7A94CEF13D8A1AC001C5FEE /* InvalidcRLIssuerTest27EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 
4C75410D13D51D63008048AC /* InvalidcRLIssuerTest27EE.crt */; }; - E7A94CF013D8A1AC001C5FEE /* InvalidcRLIssuerTest31EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410E13D51D63008048AC /* InvalidcRLIssuerTest31EE.crt */; }; - E7A94CF113D8A1AC001C5FEE /* InvalidcRLIssuerTest32EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75410F13D51D63008048AC /* InvalidcRLIssuerTest32EE.crt */; }; - E7A94CF213D8A1AC001C5FEE /* InvalidcRLIssuerTest34EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411013D51D63008048AC /* InvalidcRLIssuerTest34EE.crt */; }; - E7A94CF313D8A1AC001C5FEE /* InvalidcRLIssuerTest35EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411113D51D63008048AC /* InvalidcRLIssuerTest35EE.crt */; }; - E7A94CF413D8A1AC001C5FEE /* InvalidinhibitAnyPolicyTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411213D51D63008048AC /* InvalidinhibitAnyPolicyTest1EE.crt */; }; - E7A94CF513D8A1AC001C5FEE /* InvalidinhibitAnyPolicyTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411313D51D63008048AC /* InvalidinhibitAnyPolicyTest4EE.crt */; }; - E7A94CF613D8A1AC001C5FEE /* InvalidinhibitAnyPolicyTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411413D51D63008048AC /* InvalidinhibitAnyPolicyTest5EE.crt */; }; - E7A94CF713D8A1AC001C5FEE /* InvalidinhibitAnyPolicyTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411513D51D63008048AC /* InvalidinhibitAnyPolicyTest6EE.crt */; }; - E7A94CF813D8A1AC001C5FEE /* InvalidinhibitPolicyMappingTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411613D51D63008048AC /* InvalidinhibitPolicyMappingTest1EE.crt */; }; - E7A94CF913D8A1AC001C5FEE /* InvalidinhibitPolicyMappingTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411713D51D63008048AC /* InvalidinhibitPolicyMappingTest3EE.crt */; }; - E7A94CFA13D8A1AC001C5FEE /* InvalidinhibitPolicyMappingTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 
4C75411813D51D63008048AC /* InvalidinhibitPolicyMappingTest5EE.crt */; }; - E7A94CFB13D8A1AC001C5FEE /* InvalidinhibitPolicyMappingTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411913D51D63008048AC /* InvalidinhibitPolicyMappingTest6EE.crt */; }; - E7A94CFC13D8A1AC001C5FEE /* InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411A13D51D63008048AC /* InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt */; }; - E7A94CFD13D8A1AC001C5FEE /* InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411B13D51D63008048AC /* InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt */; }; - E7A94CFE13D8A1AC001C5FEE /* InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411C13D51D63008048AC /* InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt */; }; - E7A94CFF13D8A1AC001C5FEE /* InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411D13D51D63008048AC /* InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt */; }; - E7A94D0013D8A1AC001C5FEE /* InvalidonlyContainsAttributeCertsTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411E13D51D63008048AC /* InvalidonlyContainsAttributeCertsTest14EE.crt */; }; - E7A94D0113D8A1AC001C5FEE /* InvalidonlyContainsCACertsTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75411F13D51D63008048AC /* InvalidonlyContainsCACertsTest12EE.crt */; }; - E7A94D0213D8A1AC001C5FEE /* InvalidonlyContainsUserCertsTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412013D51D63008048AC /* InvalidonlyContainsUserCertsTest11EE.crt */; }; - E7A94D0313D8A1AC001C5FEE /* InvalidonlySomeReasonsTest15EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412113D51D63008048AC /* InvalidonlySomeReasonsTest15EE.crt */; }; - E7A94D0413D8A1AC001C5FEE /* InvalidonlySomeReasonsTest16EE.crt in CopyFiles */ = {isa = 
PBXBuildFile; fileRef = 4C75412213D51D63008048AC /* InvalidonlySomeReasonsTest16EE.crt */; }; - E7A94D0513D8A1AC001C5FEE /* InvalidonlySomeReasonsTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412313D51D63008048AC /* InvalidonlySomeReasonsTest17EE.crt */; }; - E7A94D0613D8A1AC001C5FEE /* InvalidonlySomeReasonsTest20EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412413D51D63008048AC /* InvalidonlySomeReasonsTest20EE.crt */; }; - E7A94D0713D8A1AC001C5FEE /* InvalidonlySomeReasonsTest21EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412513D51D63008048AC /* InvalidonlySomeReasonsTest21EE.crt */; }; - E7A94D0813D8A1AC001C5FEE /* InvalidpathLenConstraintTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412613D51D63008048AC /* InvalidpathLenConstraintTest10EE.crt */; }; - E7A94D0913D8A1AC001C5FEE /* InvalidpathLenConstraintTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412713D51D63008048AC /* InvalidpathLenConstraintTest11EE.crt */; }; - E7A94D0A13D8A1AC001C5FEE /* InvalidpathLenConstraintTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412813D51D63008048AC /* InvalidpathLenConstraintTest12EE.crt */; }; - E7A94D0B13D8A1AC001C5FEE /* InvalidpathLenConstraintTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412913D51D63008048AC /* InvalidpathLenConstraintTest5EE.crt */; }; - E7A94D0C13D8A1AC001C5FEE /* InvalidpathLenConstraintTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412A13D51D63008048AC /* InvalidpathLenConstraintTest6EE.crt */; }; - E7A94D0D13D8A1AC001C5FEE /* InvalidpathLenConstraintTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412B13D51D63008048AC /* InvalidpathLenConstraintTest9EE.crt */; }; - E7A94D0E13D8A1AC001C5FEE /* Invalidpre2000UTCEEnotAfterDateTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412C13D51D63008048AC /* Invalidpre2000UTCEEnotAfterDateTest7EE.crt */; }; - E7A94D0F13D8A1AC001C5FEE /* 
InvalidrequireExplicitPolicyTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412D13D51D63008048AC /* InvalidrequireExplicitPolicyTest3EE.crt */; }; - E7A94D1013D8A1AC001C5FEE /* InvalidrequireExplicitPolicyTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412E13D51D63008048AC /* InvalidrequireExplicitPolicyTest5EE.crt */; }; - E7A94D1113D8A1AC001C5FEE /* LongSerialNumberCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75412F13D51D63008048AC /* LongSerialNumberCACert.crt */; }; - E7A94D1213D8A1AC001C5FEE /* Mapping1to2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413013D51D63008048AC /* Mapping1to2CACert.crt */; }; - E7A94D1313D8A1AC001C5FEE /* MappingFromanyPolicyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413113D51D63008048AC /* MappingFromanyPolicyCACert.crt */; }; - E7A94D1413D8A1AC001C5FEE /* MappingToanyPolicyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413213D51D63008048AC /* MappingToanyPolicyCACert.crt */; }; - E7A94D1513D8A1AC001C5FEE /* MissingbasicConstraintsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413313D51D63008048AC /* MissingbasicConstraintsCACert.crt */; }; - E7A94D1613D8A1AC001C5FEE /* NameOrderingCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413413D51D63008048AC /* NameOrderingCACert.crt */; }; - E7A94D1713D8A1AC001C5FEE /* NegativeSerialNumberCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413513D51D63008048AC /* NegativeSerialNumberCACert.crt */; }; - E7A94D1813D8A1AC001C5FEE /* NoCRLCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413613D51D63008048AC /* NoCRLCACert.crt */; }; - E7A94D1913D8A1AC001C5FEE /* NoPoliciesCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413713D51D63008048AC /* NoPoliciesCACert.crt */; }; - E7A94D1A13D8A1AC001C5FEE /* NoissuingDistributionPointCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413813D51D63008048AC /* 
NoissuingDistributionPointCACert.crt */; }; - E7A94D1B13D8A1AC001C5FEE /* OldCRLnextUpdateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413913D51D63008048AC /* OldCRLnextUpdateCACert.crt */; }; - E7A94D1C13D8A1AC001C5FEE /* OverlappingPoliciesTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413A13D51D63008048AC /* OverlappingPoliciesTest6EE.crt */; }; - E7A94D1D13D8A1AC001C5FEE /* P12Mapping1to3CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413B13D51D63008048AC /* P12Mapping1to3CACert.crt */; }; - E7A94D1E13D8A1AC001C5FEE /* P12Mapping1to3subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413C13D51D63008048AC /* P12Mapping1to3subCACert.crt */; }; - E7A94D1F13D8A1AC001C5FEE /* P12Mapping1to3subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413D13D51D63008048AC /* P12Mapping1to3subsubCACert.crt */; }; - E7A94D2013D8A1AC001C5FEE /* P1Mapping1to234CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413E13D51D63008048AC /* P1Mapping1to234CACert.crt */; }; - E7A94D2113D8A1AC001C5FEE /* P1Mapping1to234subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75413F13D51D63008048AC /* P1Mapping1to234subCACert.crt */; }; - E7A94D2213D8A1AC001C5FEE /* P1anyPolicyMapping1to2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414013D51D63008048AC /* P1anyPolicyMapping1to2CACert.crt */; }; - E7A94D2313D8A1AC001C5FEE /* PanyPolicyMapping1to2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414113D51D63008048AC /* PanyPolicyMapping1to2CACert.crt */; }; - E7A94D2413D8A1AC001C5FEE /* PoliciesP1234CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414213D51D63008048AC /* PoliciesP1234CACert.crt */; }; - E7A94D2513D8A1AC001C5FEE /* PoliciesP1234subCAP123Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414313D51D63008048AC /* PoliciesP1234subCAP123Cert.crt */; }; - E7A94D2613D8A1AC001C5FEE /* PoliciesP1234subsubCAP123P12Cert.crt 
in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414413D51D63008048AC /* PoliciesP1234subsubCAP123P12Cert.crt */; }; - E7A94D2713D8A1AC001C5FEE /* PoliciesP123CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414513D51D63008048AC /* PoliciesP123CACert.crt */; }; - E7A94D2813D8A1AC001C5FEE /* PoliciesP123subCAP12Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414613D51D63008048AC /* PoliciesP123subCAP12Cert.crt */; }; - E7A94D2913D8A1AC001C5FEE /* PoliciesP123subsubCAP12P1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414713D51D63008048AC /* PoliciesP123subsubCAP12P1Cert.crt */; }; - E7A94D2A13D8A1AC001C5FEE /* PoliciesP123subsubCAP12P2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414813D51D63008048AC /* PoliciesP123subsubCAP12P2Cert.crt */; }; - E7A94D2B13D8A1AC001C5FEE /* PoliciesP123subsubsubCAP12P2P1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414913D51D63008048AC /* PoliciesP123subsubsubCAP12P2P1Cert.crt */; }; - E7A94D2C13D8A1AC001C5FEE /* PoliciesP12CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414A13D51D63008048AC /* PoliciesP12CACert.crt */; }; - E7A94D2D13D8A1AC001C5FEE /* PoliciesP12subCAP1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414B13D51D63008048AC /* PoliciesP12subCAP1Cert.crt */; }; - E7A94D2E13D8A1AC001C5FEE /* PoliciesP12subsubCAP1P2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414C13D51D63008048AC /* PoliciesP12subsubCAP1P2Cert.crt */; }; - E7A94D2F13D8A1AC001C5FEE /* PoliciesP2subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414D13D51D63008048AC /* PoliciesP2subCA2Cert.crt */; }; - E7A94D3013D8A1AD001C5FEE /* PoliciesP2subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414E13D51D63008048AC /* PoliciesP2subCACert.crt */; }; - E7A94D3113D8A1AD001C5FEE /* PoliciesP3CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75414F13D51D63008048AC /* PoliciesP3CACert.crt */; }; - 
E7A94D3213D8A1AD001C5FEE /* RFC3280MandatoryAttributeTypesCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415013D51D63008048AC /* RFC3280MandatoryAttributeTypesCACert.crt */; }; - E7A94D3313D8A1AD001C5FEE /* RFC3280OptionalAttributeTypesCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415113D51D63008048AC /* RFC3280OptionalAttributeTypesCACert.crt */; }; - E7A94D3413D8A1AD001C5FEE /* RevokedsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415213D51D63008048AC /* RevokedsubCACert.crt */; }; - E7A94D3513D8A1AD001C5FEE /* RolloverfromPrintableStringtoUTF8StringCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415313D51D63008048AC /* RolloverfromPrintableStringtoUTF8StringCACert.crt */; }; - E7A94D3613D8A1AD001C5FEE /* SeparateCertificateandCRLKeysCA2CRLSigningCert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415413D51D63008048AC /* SeparateCertificateandCRLKeysCA2CRLSigningCert.crt */; }; - E7A94D3713D8A1AD001C5FEE /* SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415513D51D63008048AC /* SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt */; }; - E7A94D3813D8A1AD001C5FEE /* SeparateCertificateandCRLKeysCertificateSigningCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415613D51D63008048AC /* SeparateCertificateandCRLKeysCertificateSigningCACert.crt */; }; - E7A94D3913D8A1AD001C5FEE /* TrustAnchorRootCertificate.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415713D51D63008048AC /* TrustAnchorRootCertificate.crt */; }; - E7A94D3A13D8A1AD001C5FEE /* TwoCRLsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415813D51D63008048AC /* TwoCRLsCACert.crt */; }; - E7A94D3B13D8A1AD001C5FEE /* UIDCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415913D51D63008048AC /* UIDCACert.crt */; }; - E7A94D3C13D8A1AD001C5FEE /* UTF8StringCaseInsensitiveMatchCACert.crt in CopyFiles */ = 
{isa = PBXBuildFile; fileRef = 4C75415A13D51D63008048AC /* UTF8StringCaseInsensitiveMatchCACert.crt */; }; - E7A94D3D13D8A1AD001C5FEE /* UTF8StringEncodedNamesCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415B13D51D63008048AC /* UTF8StringEncodedNamesCACert.crt */; }; - E7A94D3E13D8A1AD001C5FEE /* UnknownCRLEntryExtensionCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415C13D51D63008048AC /* UnknownCRLEntryExtensionCACert.crt */; }; - E7A94D3F13D8A1AD001C5FEE /* UnknownCRLExtensionCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415D13D51D63008048AC /* UnknownCRLExtensionCACert.crt */; }; - E7A94D4013D8A1AD001C5FEE /* UserNoticeQualifierTest15EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415E13D51D63008048AC /* UserNoticeQualifierTest15EE.crt */; }; - E7A94D4113D8A1AD001C5FEE /* UserNoticeQualifierTest16EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75415F13D51D63008048AC /* UserNoticeQualifierTest16EE.crt */; }; - E7A94D4213D8A1AD001C5FEE /* UserNoticeQualifierTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416013D51D63008048AC /* UserNoticeQualifierTest17EE.crt */; }; - E7A94D4313D8A1AD001C5FEE /* UserNoticeQualifierTest18EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416113D51D63008048AC /* UserNoticeQualifierTest18EE.crt */; }; - E7A94D4413D8A1AD001C5FEE /* UserNoticeQualifierTest19EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416213D51D63008048AC /* UserNoticeQualifierTest19EE.crt */; }; - E7A94D4513D8A1AD001C5FEE /* ValidBasicSelfIssuedNewWithOldTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416313D51D63008048AC /* ValidBasicSelfIssuedNewWithOldTest3EE.crt */; }; - E7A94D4613D8A1AD001C5FEE /* ValidBasicSelfIssuedNewWithOldTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416413D51D63008048AC /* ValidBasicSelfIssuedNewWithOldTest4EE.crt */; }; - E7A94D4713D8A1AD001C5FEE /* 
ValidBasicSelfIssuedOldWithNewTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416513D51D63008048AC /* ValidBasicSelfIssuedOldWithNewTest1EE.crt */; }; - E7A94D4813D8A1AD001C5FEE /* ValidCertificatePathTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416613D51D63008048AC /* ValidCertificatePathTest1EE.crt */; }; - E7A94D4913D8A1AD001C5FEE /* ValidDNSnameConstraintsTest30EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416713D51D63008048AC /* ValidDNSnameConstraintsTest30EE.crt */; }; - E7A94D4A13D8A1AD001C5FEE /* ValidDNSnameConstraintsTest32EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416813D51D63008048AC /* ValidDNSnameConstraintsTest32EE.crt */; }; - E7A94D4B13D8A1AD001C5FEE /* ValidDNandRFC822nameConstraintsTest27EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416913D51D63008048AC /* ValidDNandRFC822nameConstraintsTest27EE.crt */; }; - E7A94D4C13D8A1AD001C5FEE /* ValidDNnameConstraintsTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416A13D51D63008048AC /* ValidDNnameConstraintsTest11EE.crt */; }; - E7A94D4D13D8A1AD001C5FEE /* ValidDNnameConstraintsTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416B13D51D63008048AC /* ValidDNnameConstraintsTest14EE.crt */; }; - E7A94D4E13D8A1AD001C5FEE /* ValidDNnameConstraintsTest18EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416C13D51D63008048AC /* ValidDNnameConstraintsTest18EE.crt */; }; - E7A94D4F13D8A1AD001C5FEE /* ValidDNnameConstraintsTest19EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416D13D51D63008048AC /* ValidDNnameConstraintsTest19EE.crt */; }; - E7A94D5013D8A1AD001C5FEE /* ValidDNnameConstraintsTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416E13D51D63008048AC /* ValidDNnameConstraintsTest1EE.crt */; }; - E7A94D5113D8A1AD001C5FEE /* ValidDNnameConstraintsTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75416F13D51D63008048AC /* 
ValidDNnameConstraintsTest4EE.crt */; }; - E7A94D5213D8A1AD001C5FEE /* ValidDNnameConstraintsTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417013D51D63008048AC /* ValidDNnameConstraintsTest5EE.crt */; }; - E7A94D5313D8A1AD001C5FEE /* ValidDNnameConstraintsTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417113D51D63008048AC /* ValidDNnameConstraintsTest6EE.crt */; }; - E7A94D5413D8A1AD001C5FEE /* ValidDSAParameterInheritanceTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417213D51D63008048AC /* ValidDSAParameterInheritanceTest5EE.crt */; }; - E7A94D5513D8A1AD001C5FEE /* ValidDSASignaturesTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417313D51D63008048AC /* ValidDSASignaturesTest4EE.crt */; }; - E7A94D5613D8A1AD001C5FEE /* ValidGeneralizedTimenotAfterDateTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417413D51D63008048AC /* ValidGeneralizedTimenotAfterDateTest8EE.crt */; }; - E7A94D5713D8A1AD001C5FEE /* ValidGeneralizedTimenotBeforeDateTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417513D51D63008048AC /* ValidGeneralizedTimenotBeforeDateTest4EE.crt */; }; - E7A94D5813D8A1AD001C5FEE /* ValidLongSerialNumberTest16EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417613D51D63008048AC /* ValidLongSerialNumberTest16EE.crt */; }; - E7A94D5913D8A1AD001C5FEE /* ValidLongSerialNumberTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417713D51D63008048AC /* ValidLongSerialNumberTest17EE.crt */; }; - E7A94D5A13D8A1AD001C5FEE /* ValidNameChainingCapitalizationTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417813D51D63008048AC /* ValidNameChainingCapitalizationTest5EE.crt */; }; - E7A94D5B13D8A1AD001C5FEE /* ValidNameChainingWhitespaceTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417913D51D63008048AC /* ValidNameChainingWhitespaceTest3EE.crt */; }; - E7A94D5C13D8A1AD001C5FEE /* 
ValidNameChainingWhitespaceTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417A13D51D63008048AC /* ValidNameChainingWhitespaceTest4EE.crt */; }; - E7A94D5D13D8A1AD001C5FEE /* ValidNameUIDsTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417B13D51D63008048AC /* ValidNameUIDsTest6EE.crt */; }; - E7A94D5E13D8A1AD001C5FEE /* ValidNegativeSerialNumberTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417C13D51D63008048AC /* ValidNegativeSerialNumberTest14EE.crt */; }; - E7A94D5F13D8A1AD001C5FEE /* ValidPolicyMappingTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417D13D51D63008048AC /* ValidPolicyMappingTest11EE.crt */; }; - E7A94D6013D8A1AD001C5FEE /* ValidPolicyMappingTest12EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417E13D51D63008048AC /* ValidPolicyMappingTest12EE.crt */; }; - E7A94D6113D8A1AD001C5FEE /* ValidPolicyMappingTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75417F13D51D63008048AC /* ValidPolicyMappingTest13EE.crt */; }; - E7A94D6213D8A1AD001C5FEE /* ValidPolicyMappingTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418013D51D63008048AC /* ValidPolicyMappingTest14EE.crt */; }; - E7A94D6313D8A1AD001C5FEE /* ValidPolicyMappingTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418113D51D63008048AC /* ValidPolicyMappingTest1EE.crt */; }; - E7A94D6413D8A1AD001C5FEE /* ValidPolicyMappingTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418213D51D63008048AC /* ValidPolicyMappingTest3EE.crt */; }; - E7A94D6513D8A1AD001C5FEE /* ValidPolicyMappingTest5EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418313D51D63008048AC /* ValidPolicyMappingTest5EE.crt */; }; - E7A94D6613D8A1AD001C5FEE /* ValidPolicyMappingTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418413D51D63008048AC /* ValidPolicyMappingTest6EE.crt */; }; - E7A94D6713D8A1AD001C5FEE /* ValidPolicyMappingTest9EE.crt in CopyFiles */ = {isa 
= PBXBuildFile; fileRef = 4C75418513D51D63008048AC /* ValidPolicyMappingTest9EE.crt */; }; - E7A94D6813D8A1AD001C5FEE /* ValidRFC3280MandatoryAttributeTypesTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418613D51D63008048AC /* ValidRFC3280MandatoryAttributeTypesTest7EE.crt */; }; - E7A94D6913D8A1AD001C5FEE /* ValidRFC3280OptionalAttributeTypesTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418713D51D63008048AC /* ValidRFC3280OptionalAttributeTypesTest8EE.crt */; }; - E7A94D6A13D8A1AD001C5FEE /* ValidRFC822nameConstraintsTest21EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418813D51D63008048AC /* ValidRFC822nameConstraintsTest21EE.crt */; }; - E7A94D6B13D8A1AD001C5FEE /* ValidRFC822nameConstraintsTest23EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418913D51D63008048AC /* ValidRFC822nameConstraintsTest23EE.crt */; }; - E7A94D6C13D8A1AD001C5FEE /* ValidRFC822nameConstraintsTest25EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418A13D51D63008048AC /* ValidRFC822nameConstraintsTest25EE.crt */; }; - E7A94D6D13D8A1AD001C5FEE /* ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418B13D51D63008048AC /* ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt */; }; - E7A94D6E13D8A1AD001C5FEE /* ValidSelfIssuedinhibitAnyPolicyTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418C13D51D63008048AC /* ValidSelfIssuedinhibitAnyPolicyTest7EE.crt */; }; - E7A94D6F13D8A1AD001C5FEE /* ValidSelfIssuedinhibitAnyPolicyTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418D13D51D63008048AC /* ValidSelfIssuedinhibitAnyPolicyTest9EE.crt */; }; - E7A94D7013D8A1AD001C5FEE /* ValidSelfIssuedinhibitPolicyMappingTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418E13D51D63008048AC /* ValidSelfIssuedinhibitPolicyMappingTest7EE.crt */; }; - E7A94D7113D8A1AD001C5FEE /* ValidSelfIssuedpathLenConstraintTest15EE.crt in 
CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75418F13D51D63008048AC /* ValidSelfIssuedpathLenConstraintTest15EE.crt */; }; - E7A94D7213D8A1AD001C5FEE /* ValidSelfIssuedpathLenConstraintTest17EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419013D51D63008048AC /* ValidSelfIssuedpathLenConstraintTest17EE.crt */; }; - E7A94D7313D8A1AD001C5FEE /* ValidSelfIssuedrequireExplicitPolicyTest6EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419113D51D63008048AC /* ValidSelfIssuedrequireExplicitPolicyTest6EE.crt */; }; - E7A94D7413D8A1AD001C5FEE /* ValidURInameConstraintsTest34EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419213D51D63008048AC /* ValidURInameConstraintsTest34EE.crt */; }; - E7A94D7513D8A1AD001C5FEE /* ValidURInameConstraintsTest36EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419313D51D63008048AC /* ValidURInameConstraintsTest36EE.crt */; }; - E7A94D7613D8A1AD001C5FEE /* ValidUTF8StringCaseInsensitiveMatchTest11EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419413D51D63008048AC /* ValidUTF8StringCaseInsensitiveMatchTest11EE.crt */; }; - E7A94D7713D8A1AD001C5FEE /* ValidUTF8StringEncodedNamesTest9EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419513D51D63008048AC /* ValidUTF8StringEncodedNamesTest9EE.crt */; }; - E7A94D7813D8A1AD001C5FEE /* ValidUnknownNotCriticalCertificateExtensionTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419613D51D63008048AC /* ValidUnknownNotCriticalCertificateExtensionTest1EE.crt */; }; - E7A94D7913D8A1AD001C5FEE /* ValidbasicConstraintsNotCriticalTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419713D51D63008048AC /* ValidbasicConstraintsNotCriticalTest4EE.crt */; }; - E7A94D7A13D8A1AD001C5FEE /* ValidcRLIssuerTest28EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419813D51D63008048AC /* ValidcRLIssuerTest28EE.crt */; }; - E7A94D7B13D8A1AD001C5FEE /* ValidcRLIssuerTest29EE.crt in CopyFiles */ = {isa = 
PBXBuildFile; fileRef = 4C75419913D51D63008048AC /* ValidcRLIssuerTest29EE.crt */; }; - E7A94D7C13D8A1AD001C5FEE /* ValidcRLIssuerTest30EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419A13D51D63008048AC /* ValidcRLIssuerTest30EE.crt */; }; - E7A94D7D13D8A1AD001C5FEE /* ValidcRLIssuerTest33EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419B13D51D63008048AC /* ValidcRLIssuerTest33EE.crt */; }; - E7A94D7E13D8A1AD001C5FEE /* ValidinhibitAnyPolicyTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419C13D51D63008048AC /* ValidinhibitAnyPolicyTest2EE.crt */; }; - E7A94D7F13D8A1AD001C5FEE /* ValidinhibitPolicyMappingTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419D13D51D63008048AC /* ValidinhibitPolicyMappingTest2EE.crt */; }; - E7A94D8013D8A1AD001C5FEE /* ValidinhibitPolicyMappingTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419E13D51D63008048AC /* ValidinhibitPolicyMappingTest4EE.crt */; }; - E7A94D8113D8A1AD001C5FEE /* ValidkeyUsageNotCriticalTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75419F13D51D63008048AC /* ValidkeyUsageNotCriticalTest3EE.crt */; }; - E7A94D8213D8A1AD001C5FEE /* ValidonlyContainsCACertsTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A013D51D63008048AC /* ValidonlyContainsCACertsTest13EE.crt */; }; - E7A94D8313D8A1AD001C5FEE /* ValidonlySomeReasonsTest18EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A113D51D63008048AC /* ValidonlySomeReasonsTest18EE.crt */; }; - E7A94D8413D8A1AD001C5FEE /* ValidonlySomeReasonsTest19EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A213D51D63008048AC /* ValidonlySomeReasonsTest19EE.crt */; }; - E7A94D8513D8A1AD001C5FEE /* ValidpathLenConstraintTest13EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A313D51D63008048AC /* ValidpathLenConstraintTest13EE.crt */; }; - E7A94D8613D8A1AD001C5FEE /* ValidpathLenConstraintTest14EE.crt in CopyFiles */ = {isa = PBXBuildFile; 
fileRef = 4C7541A413D51D63008048AC /* ValidpathLenConstraintTest14EE.crt */; }; - E7A94D8713D8A1AD001C5FEE /* ValidpathLenConstraintTest7EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A513D51D63008048AC /* ValidpathLenConstraintTest7EE.crt */; }; - E7A94D8813D8A1AD001C5FEE /* ValidpathLenConstraintTest8EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A613D51D63008048AC /* ValidpathLenConstraintTest8EE.crt */; }; - E7A94D8913D8A1AD001C5FEE /* Validpre2000UTCnotBeforeDateTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A713D51D63008048AC /* Validpre2000UTCnotBeforeDateTest3EE.crt */; }; - E7A94D8A13D8A1AD001C5FEE /* ValidrequireExplicitPolicyTest1EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A813D51D63008048AC /* ValidrequireExplicitPolicyTest1EE.crt */; }; - E7A94D8B13D8A1AD001C5FEE /* ValidrequireExplicitPolicyTest2EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541A913D51D63008048AC /* ValidrequireExplicitPolicyTest2EE.crt */; }; - E7A94D8C13D8A1AD001C5FEE /* ValidrequireExplicitPolicyTest4EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AA13D51D63008048AC /* ValidrequireExplicitPolicyTest4EE.crt */; }; - E7A94D8D13D8A1AD001C5FEE /* WrongCRLCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AB13D51D63008048AC /* WrongCRLCACert.crt */; }; - E7A94D8E13D8A1AD001C5FEE /* anyPolicyCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AC13D51D63008048AC /* anyPolicyCACert.crt */; }; - E7A94D8F13D8A1AD001C5FEE /* basicConstraintsCriticalcAFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AD13D51D63008048AC /* basicConstraintsCriticalcAFalseCACert.crt */; }; - E7A94D9013D8A1AD001C5FEE /* basicConstraintsNotCriticalCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541AE13D51D63008048AC /* basicConstraintsNotCriticalCACert.crt */; }; - E7A94D9113D8A1AD001C5FEE /* basicConstraintsNotCriticalcAFalseCACert.crt in CopyFiles */ = {isa 
= PBXBuildFile; fileRef = 4C7541AF13D51D63008048AC /* basicConstraintsNotCriticalcAFalseCACert.crt */; }; - E7A94D9213D8A1AD001C5FEE /* deltaCRLCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B013D51D63008048AC /* deltaCRLCA1Cert.crt */; }; - E7A94D9313D8A1AD001C5FEE /* deltaCRLCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B113D51D63008048AC /* deltaCRLCA2Cert.crt */; }; - E7A94D9413D8A1AD001C5FEE /* deltaCRLCA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B213D51D63008048AC /* deltaCRLCA3Cert.crt */; }; - E7A94D9513D8A1AD001C5FEE /* deltaCRLIndicatorNoBaseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B313D51D63008048AC /* deltaCRLIndicatorNoBaseCACert.crt */; }; - E7A94D9613D8A1AD001C5FEE /* distributionPoint1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B413D51D63008048AC /* distributionPoint1CACert.crt */; }; - E7A94D9713D8A1AD001C5FEE /* distributionPoint2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B513D51D63008048AC /* distributionPoint2CACert.crt */; }; - E7A94D9813D8A1AD001C5FEE /* indirectCRLCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B613D51D63008048AC /* indirectCRLCA1Cert.crt */; }; - E7A94D9913D8A1AD001C5FEE /* indirectCRLCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B713D51D63008048AC /* indirectCRLCA2Cert.crt */; }; - E7A94D9A13D8A1AD001C5FEE /* indirectCRLCA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B813D51D63008048AC /* indirectCRLCA3Cert.crt */; }; - E7A94D9B13D8A1AD001C5FEE /* indirectCRLCA3cRLIssuerCert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541B913D51D63008048AC /* indirectCRLCA3cRLIssuerCert.crt */; }; - E7A94D9C13D8A1AD001C5FEE /* indirectCRLCA4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BA13D51D63008048AC /* indirectCRLCA4Cert.crt */; }; - E7A94D9D13D8A1AD001C5FEE /* indirectCRLCA4cRLIssuerCert.crt in CopyFiles */ = {isa = 
PBXBuildFile; fileRef = 4C7541BB13D51D63008048AC /* indirectCRLCA4cRLIssuerCert.crt */; }; - E7A94D9E13D8A1AD001C5FEE /* indirectCRLCA5Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BC13D51D63008048AC /* indirectCRLCA5Cert.crt */; }; - E7A94D9F13D8A1AD001C5FEE /* indirectCRLCA6Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BD13D51D63008048AC /* indirectCRLCA6Cert.crt */; }; - E7A94DA013D8A1AD001C5FEE /* inhibitAnyPolicy0CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BE13D51D63008048AC /* inhibitAnyPolicy0CACert.crt */; }; - E7A94DA113D8A1AD001C5FEE /* inhibitAnyPolicy1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541BF13D51D63008048AC /* inhibitAnyPolicy1CACert.crt */; }; - E7A94DA213D8A1AD001C5FEE /* inhibitAnyPolicy1SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C013D51D63008048AC /* inhibitAnyPolicy1SelfIssuedCACert.crt */; }; - E7A94DA313D8A1AD001C5FEE /* inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C113D51D63008048AC /* inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt */; }; - E7A94DA413D8A1AD001C5FEE /* inhibitAnyPolicy1subCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C213D51D63008048AC /* inhibitAnyPolicy1subCA1Cert.crt */; }; - E7A94DA513D8A1AD001C5FEE /* inhibitAnyPolicy1subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C313D51D63008048AC /* inhibitAnyPolicy1subCA2Cert.crt */; }; - E7A94DA613D8A1AD001C5FEE /* inhibitAnyPolicy1subCAIAP5Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C413D51D63008048AC /* inhibitAnyPolicy1subCAIAP5Cert.crt */; }; - E7A94DA713D8A1AD001C5FEE /* inhibitAnyPolicy1subsubCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C513D51D63008048AC /* inhibitAnyPolicy1subsubCA2Cert.crt */; }; - E7A94DA813D8A1AD001C5FEE /* inhibitAnyPolicy5CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C613D51D63008048AC /* 
inhibitAnyPolicy5CACert.crt */; }; - E7A94DA913D8A1AD001C5FEE /* inhibitAnyPolicy5subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C713D51D63008048AC /* inhibitAnyPolicy5subCACert.crt */; }; - E7A94DAA13D8A1AD001C5FEE /* inhibitAnyPolicy5subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C813D51D63008048AC /* inhibitAnyPolicy5subsubCACert.crt */; }; - E7A94DAB13D8A1AD001C5FEE /* inhibitAnyPolicyTest3EE.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541C913D51D63008048AC /* inhibitAnyPolicyTest3EE.crt */; }; - E7A94DAC13D8A1AD001C5FEE /* inhibitPolicyMapping0CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CA13D51D63008048AC /* inhibitPolicyMapping0CACert.crt */; }; - E7A94DAD13D8A1AD001C5FEE /* inhibitPolicyMapping0subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CB13D51D63008048AC /* inhibitPolicyMapping0subCACert.crt */; }; - E7A94DAE13D8A1AD001C5FEE /* inhibitPolicyMapping1P12CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CC13D51D63008048AC /* inhibitPolicyMapping1P12CACert.crt */; }; - E7A94DAF13D8A1AD001C5FEE /* inhibitPolicyMapping1P12subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CD13D51D63008048AC /* inhibitPolicyMapping1P12subCACert.crt */; }; - E7A94DB013D8A1AD001C5FEE /* inhibitPolicyMapping1P12subCAIPM5Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CE13D51D63008048AC /* inhibitPolicyMapping1P12subCAIPM5Cert.crt */; }; - E7A94DB113D8A1AD001C5FEE /* inhibitPolicyMapping1P12subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541CF13D51D63008048AC /* inhibitPolicyMapping1P12subsubCACert.crt */; }; - E7A94DB213D8A1AD001C5FEE /* inhibitPolicyMapping1P12subsubCAIPM5Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D013D51D63008048AC /* inhibitPolicyMapping1P12subsubCAIPM5Cert.crt */; }; - E7A94DB313D8A1AD001C5FEE /* inhibitPolicyMapping1P1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; 
fileRef = 4C7541D113D51D63008048AC /* inhibitPolicyMapping1P1CACert.crt */; }; - E7A94DB413D8A1AD001C5FEE /* inhibitPolicyMapping1P1SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D213D51D63008048AC /* inhibitPolicyMapping1P1SelfIssuedCACert.crt */; }; - E7A94DB513D8A1AD001C5FEE /* inhibitPolicyMapping1P1SelfIssuedsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D313D51D63008048AC /* inhibitPolicyMapping1P1SelfIssuedsubCACert.crt */; }; - E7A94DB613D8A1AD001C5FEE /* inhibitPolicyMapping1P1subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D413D51D63008048AC /* inhibitPolicyMapping1P1subCACert.crt */; }; - E7A94DB713D8A1AD001C5FEE /* inhibitPolicyMapping1P1subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D513D51D63008048AC /* inhibitPolicyMapping1P1subsubCACert.crt */; }; - E7A94DB813D8A1AD001C5FEE /* inhibitPolicyMapping5CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D613D51D63008048AC /* inhibitPolicyMapping5CACert.crt */; }; - E7A94DB913D8A1AD001C5FEE /* inhibitPolicyMapping5subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D713D51D63008048AC /* inhibitPolicyMapping5subCACert.crt */; }; - E7A94DBA13D8A1AD001C5FEE /* inhibitPolicyMapping5subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D813D51D63008048AC /* inhibitPolicyMapping5subsubCACert.crt */; }; - E7A94DBB13D8A1AD001C5FEE /* inhibitPolicyMapping5subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541D913D51D63008048AC /* inhibitPolicyMapping5subsubsubCACert.crt */; }; - E7A94DBC13D8A1AD001C5FEE /* keyUsageCriticalcRLSignFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DA13D51D63008048AC /* keyUsageCriticalcRLSignFalseCACert.crt */; }; - E7A94DBD13D8A1AD001C5FEE /* keyUsageCriticalkeyCertSignFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DB13D51D63008048AC /* 
keyUsageCriticalkeyCertSignFalseCACert.crt */; }; - E7A94DBE13D8A1AD001C5FEE /* keyUsageNotCriticalCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DC13D51D63008048AC /* keyUsageNotCriticalCACert.crt */; }; - E7A94DBF13D8A1AD001C5FEE /* keyUsageNotCriticalcRLSignFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DD13D51D63008048AC /* keyUsageNotCriticalcRLSignFalseCACert.crt */; }; - E7A94DC013D8A1AD001C5FEE /* keyUsageNotCriticalkeyCertSignFalseCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DE13D51D63008048AC /* keyUsageNotCriticalkeyCertSignFalseCACert.crt */; }; - E7A94DC113D8A1AD001C5FEE /* nameConstraintsDN1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541DF13D51D63008048AC /* nameConstraintsDN1CACert.crt */; }; - E7A94DC213D8A1AD001C5FEE /* nameConstraintsDN1SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E013D51D63008048AC /* nameConstraintsDN1SelfIssuedCACert.crt */; }; - E7A94DC313D8A1AD001C5FEE /* nameConstraintsDN1subCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E113D51D63008048AC /* nameConstraintsDN1subCA1Cert.crt */; }; - E7A94DC413D8A1AD001C5FEE /* nameConstraintsDN1subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E213D51D63008048AC /* nameConstraintsDN1subCA2Cert.crt */; }; - E7A94DC513D8A1AD001C5FEE /* nameConstraintsDN1subCA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E313D51D63008048AC /* nameConstraintsDN1subCA3Cert.crt */; }; - E7A94DC613D8A1AD001C5FEE /* nameConstraintsDN2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E413D51D63008048AC /* nameConstraintsDN2CACert.crt */; }; - E7A94DC713D8A1AD001C5FEE /* nameConstraintsDN3CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E513D51D63008048AC /* nameConstraintsDN3CACert.crt */; }; - E7A94DC813D8A1AD001C5FEE /* nameConstraintsDN3subCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 
4C7541E613D51D63008048AC /* nameConstraintsDN3subCA1Cert.crt */; }; - E7A94DC913D8A1AD001C5FEE /* nameConstraintsDN3subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E713D51D63008048AC /* nameConstraintsDN3subCA2Cert.crt */; }; - E7A94DCA13D8A1AD001C5FEE /* nameConstraintsDN4CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E813D51D63008048AC /* nameConstraintsDN4CACert.crt */; }; - E7A94DCB13D8A1AD001C5FEE /* nameConstraintsDN5CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541E913D51D63008048AC /* nameConstraintsDN5CACert.crt */; }; - E7A94DCC13D8A1AD001C5FEE /* nameConstraintsDNS1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541EA13D51D63008048AC /* nameConstraintsDNS1CACert.crt */; }; - E7A94DCD13D8A1AD001C5FEE /* nameConstraintsDNS2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541EB13D51D63008048AC /* nameConstraintsDNS2CACert.crt */; }; - E7A94DCE13D8A1AD001C5FEE /* nameConstraintsRFC822CA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541EC13D51D63008048AC /* nameConstraintsRFC822CA1Cert.crt */; }; - E7A94DCF13D8A1AD001C5FEE /* nameConstraintsRFC822CA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541ED13D51D63008048AC /* nameConstraintsRFC822CA2Cert.crt */; }; - E7A94DD013D8A1AD001C5FEE /* nameConstraintsRFC822CA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541EE13D51D63008048AC /* nameConstraintsRFC822CA3Cert.crt */; }; - E7A94DD113D8A1AD001C5FEE /* nameConstraintsURI1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541EF13D51D63008048AC /* nameConstraintsURI1CACert.crt */; }; - E7A94DD213D8A1AD001C5FEE /* nameConstraintsURI2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F013D51D63008048AC /* nameConstraintsURI2CACert.crt */; }; - E7A94DD313D8A1AD001C5FEE /* onlyContainsAttributeCertsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F113D51D63008048AC /* 
onlyContainsAttributeCertsCACert.crt */; }; - E7A94DD413D8A1AD001C5FEE /* onlyContainsCACertsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F213D51D63008048AC /* onlyContainsCACertsCACert.crt */; }; - E7A94DD513D8A1AD001C5FEE /* onlyContainsUserCertsCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F313D51D63008048AC /* onlyContainsUserCertsCACert.crt */; }; - E7A94DD613D8A1AD001C5FEE /* onlySomeReasonsCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F413D51D63008048AC /* onlySomeReasonsCA1Cert.crt */; }; - E7A94DD713D8A1AD001C5FEE /* onlySomeReasonsCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F513D51D63008048AC /* onlySomeReasonsCA2Cert.crt */; }; - E7A94DD813D8A1AD001C5FEE /* onlySomeReasonsCA3Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F613D51D63008048AC /* onlySomeReasonsCA3Cert.crt */; }; - E7A94DD913D8A1AD001C5FEE /* onlySomeReasonsCA4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F713D51D63008048AC /* onlySomeReasonsCA4Cert.crt */; }; - E7A94DDA13D8A1AD001C5FEE /* pathLenConstraint0CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F813D51D63008048AC /* pathLenConstraint0CACert.crt */; }; - E7A94DDB13D8A1AD001C5FEE /* pathLenConstraint0SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541F913D51D63008048AC /* pathLenConstraint0SelfIssuedCACert.crt */; }; - E7A94DDC13D8A1AD001C5FEE /* pathLenConstraint0subCA2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FA13D51D63008048AC /* pathLenConstraint0subCA2Cert.crt */; }; - E7A94DDD13D8A1AD001C5FEE /* pathLenConstraint0subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FB13D51D63008048AC /* pathLenConstraint0subCACert.crt */; }; - E7A94DDE13D8A1AD001C5FEE /* pathLenConstraint1CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FC13D51D63008048AC /* pathLenConstraint1CACert.crt */; }; - E7A94DDF13D8A1AE001C5FEE /* 
pathLenConstraint1SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FD13D51D63008048AC /* pathLenConstraint1SelfIssuedCACert.crt */; }; - E7A94DE013D8A1AE001C5FEE /* pathLenConstraint1SelfIssuedsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FE13D51D63008048AC /* pathLenConstraint1SelfIssuedsubCACert.crt */; }; - E7A94DE113D8A1AE001C5FEE /* pathLenConstraint1subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C7541FF13D51D63008048AC /* pathLenConstraint1subCACert.crt */; }; - E7A94DE213D8A1AE001C5FEE /* pathLenConstraint6CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420013D51D64008048AC /* pathLenConstraint6CACert.crt */; }; - E7A94DE313D8A1AE001C5FEE /* pathLenConstraint6subCA0Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420113D51D64008048AC /* pathLenConstraint6subCA0Cert.crt */; }; - E7A94DE413D8A1AE001C5FEE /* pathLenConstraint6subCA1Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420213D51D64008048AC /* pathLenConstraint6subCA1Cert.crt */; }; - E7A94DE513D8A1AE001C5FEE /* pathLenConstraint6subCA4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420313D51D64008048AC /* pathLenConstraint6subCA4Cert.crt */; }; - E7A94DE613D8A1AE001C5FEE /* pathLenConstraint6subsubCA00Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420413D51D64008048AC /* pathLenConstraint6subsubCA00Cert.crt */; }; - E7A94DE713D8A1AE001C5FEE /* pathLenConstraint6subsubCA11Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420513D51D64008048AC /* pathLenConstraint6subsubCA11Cert.crt */; }; - E7A94DE813D8A1AE001C5FEE /* pathLenConstraint6subsubCA41Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420613D51D64008048AC /* pathLenConstraint6subsubCA41Cert.crt */; }; - E7A94DE913D8A1AE001C5FEE /* pathLenConstraint6subsubsubCA11XCert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420713D51D64008048AC /* 
pathLenConstraint6subsubsubCA11XCert.crt */; }; - E7A94DEA13D8A1AE001C5FEE /* pathLenConstraint6subsubsubCA41XCert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420813D51D64008048AC /* pathLenConstraint6subsubsubCA41XCert.crt */; }; - E7A94DEB13D8A1AE001C5FEE /* pre2000CRLnextUpdateCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420913D51D64008048AC /* pre2000CRLnextUpdateCACert.crt */; }; - E7A94DEC13D8A1AE001C5FEE /* requireExplicitPolicy0CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420A13D51D64008048AC /* requireExplicitPolicy0CACert.crt */; }; - E7A94DED13D8A1AE001C5FEE /* requireExplicitPolicy0subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420B13D51D64008048AC /* requireExplicitPolicy0subCACert.crt */; }; - E7A94DEE13D8A1AE001C5FEE /* requireExplicitPolicy0subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420C13D51D64008048AC /* requireExplicitPolicy0subsubCACert.crt */; }; - E7A94DEF13D8A1AE001C5FEE /* requireExplicitPolicy0subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420D13D51D64008048AC /* requireExplicitPolicy0subsubsubCACert.crt */; }; - E7A94DF013D8A1AE001C5FEE /* requireExplicitPolicy10CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420E13D51D64008048AC /* requireExplicitPolicy10CACert.crt */; }; - E7A94DF113D8A1AE001C5FEE /* requireExplicitPolicy10subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75420F13D51D64008048AC /* requireExplicitPolicy10subCACert.crt */; }; - E7A94DF213D8A1AE001C5FEE /* requireExplicitPolicy10subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421013D51D64008048AC /* requireExplicitPolicy10subsubCACert.crt */; }; - E7A94DF313D8A1AE001C5FEE /* requireExplicitPolicy10subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421113D51D64008048AC /* requireExplicitPolicy10subsubsubCACert.crt */; }; - E7A94DF413D8A1AE001C5FEE /* 
requireExplicitPolicy2CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421213D51D64008048AC /* requireExplicitPolicy2CACert.crt */; }; - E7A94DF513D8A1AE001C5FEE /* requireExplicitPolicy2SelfIssuedCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421313D51D64008048AC /* requireExplicitPolicy2SelfIssuedCACert.crt */; }; - E7A94DF613D8A1AE001C5FEE /* requireExplicitPolicy2SelfIssuedsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421413D51D64008048AC /* requireExplicitPolicy2SelfIssuedsubCACert.crt */; }; - E7A94DF713D8A1AE001C5FEE /* requireExplicitPolicy2subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421513D51D64008048AC /* requireExplicitPolicy2subCACert.crt */; }; - E7A94DF813D8A1AE001C5FEE /* requireExplicitPolicy4CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421613D51D64008048AC /* requireExplicitPolicy4CACert.crt */; }; - E7A94DF913D8A1AE001C5FEE /* requireExplicitPolicy4subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421713D51D64008048AC /* requireExplicitPolicy4subCACert.crt */; }; - E7A94DFA13D8A1AE001C5FEE /* requireExplicitPolicy4subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421813D51D64008048AC /* requireExplicitPolicy4subsubCACert.crt */; }; - E7A94DFB13D8A1AE001C5FEE /* requireExplicitPolicy4subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421913D51D64008048AC /* requireExplicitPolicy4subsubsubCACert.crt */; }; - E7A94DFC13D8A1AE001C5FEE /* requireExplicitPolicy5CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421A13D51D64008048AC /* requireExplicitPolicy5CACert.crt */; }; - E7A94DFD13D8A1AE001C5FEE /* requireExplicitPolicy5subCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421B13D51D64008048AC /* requireExplicitPolicy5subCACert.crt */; }; - E7A94DFE13D8A1AE001C5FEE /* requireExplicitPolicy5subsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 
4C75421C13D51D64008048AC /* requireExplicitPolicy5subsubCACert.crt */; }; - E7A94DFF13D8A1AE001C5FEE /* requireExplicitPolicy5subsubsubCACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421D13D51D64008048AC /* requireExplicitPolicy5subsubsubCACert.crt */; }; - E7A94E0013D8A1AE001C5FEE /* requireExplicitPolicy7CACert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421E13D51D64008048AC /* requireExplicitPolicy7CACert.crt */; }; - E7A94E0113D8A1AE001C5FEE /* requireExplicitPolicy7subCARE2Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75421F13D51D64008048AC /* requireExplicitPolicy7subCARE2Cert.crt */; }; - E7A94E0213D8A1AE001C5FEE /* requireExplicitPolicy7subsubCARE2RE4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75422013D51D64008048AC /* requireExplicitPolicy7subsubCARE2RE4Cert.crt */; }; - E7A94E0313D8A1AE001C5FEE /* requireExplicitPolicy7subsubsubCARE2RE4Cert.crt in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C75422113D51D64008048AC /* requireExplicitPolicy7subsubsubCARE2RE4Cert.crt */; }; + E7A5F4D21C0CFF7900F3BEBB /* CKDKVSProxy.m in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F4C71C0CFF3200F3BEBB /* CKDKVSProxy.m */; }; + E7A5F4D41C0CFF7900F3BEBB /* CKDPersistentState.m in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F4CA1C0CFF3200F3BEBB /* CKDPersistentState.m */; }; + E7A5F4D51C0CFF7900F3BEBB /* cloudkeychainproxy.m in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F4CE1C0CFF3300F3BEBB /* cloudkeychainproxy.m */; }; + E7A5F4D81C0D01B000F3BEBB /* SOSCloudKeychainConstants.c in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F4D71C0D01B000F3BEBB /* SOSCloudKeychainConstants.c */; }; + E7A5F5531C0D03B400F3BEBB /* IDSPersistentState.m in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F5511C0D03B400F3BEBB /* IDSPersistentState.m */; }; + E7A5F5541C0D03B400F3BEBB /* IDSProxy.m in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F5521C0D03B400F3BEBB /* IDSProxy.m */; }; + E7A5F5581C0D03DB00F3BEBB /* 
idskeychainsyncingproxy.m in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F5551C0D03DB00F3BEBB /* idskeychainsyncingproxy.m */; }; + E7A5F5591C0D052600F3BEBB /* SOSCloudKeychainConstants.c in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F4D71C0D01B000F3BEBB /* SOSCloudKeychainConstants.c */; }; E7B00700170B581D00B27966 /* Security.exp-in in Sources */ = {isa = PBXBuildFile; fileRef = 4CB7405F0A47498100D641BB /* Security.exp-in */; }; E7B01B7716572123000485F1 /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C60888B155C943D00A0904F /* libSecureObjectSync.a */; }; E7B01BC3166594AB000485F1 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 52DE81741636347500F49F0C /* main.m */; }; 
@@ -1516,28 +898,72 @@ E7B01BEC166594AB000485F1 /* second@2x.png in Resources */ = {isa = PBXBuildFile; fileRef = 52DE81921636347600F49F0C /* second@2x.png */; }; E7B01BED166594AB000485F1 /* KeychainKeys.png in Resources */ = {isa = PBXBuildFile; fileRef = 52704B7D1638F4EB007FEBB0 /* KeychainKeys.png */; }; E7B01BEE166594AB000485F1 /* Keychain-Entitlements.plist in Resources */ = {isa = PBXBuildFile; fileRef = 52704B871639193F007FEBB0 /* Keychain-Entitlements.plist */; }; + E7B945B31CFE5EBD0027F31D /* CKDSecuritydAccount.m in Sources */ = {isa = PBXBuildFile; fileRef = E7B945B21CFE5EBD0027F31D /* CKDSecuritydAccount.m */; }; E7D690921652E06A0079537A /* libMobileGestalt.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = E7D690911652E06A0079537A /* libMobileGestalt.dylib */; }; E7D690A11652E07B0079537A /* libMobileGestalt.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = E7D690911652E06A0079537A /* libMobileGestalt.dylib */; }; E7D690A21652E0870079537A /* libMobileGestalt.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = E7D690911652E06A0079537A /* libMobileGestalt.dylib */; }; + E7D848051C6BEFCD0025BB44 /* KCSRPTests.m in Sources */ = {isa = PBXBuildFile; fileRef = E7D848041C6BEFC10025BB44 /* KCSRPTests.m */; }; + E7D848561C6C1E830025BB44 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7D848541C6C1D9C0025BB44 /* Foundation.framework */; }; + E7D8489F1C6C244B0025BB44 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7D848541C6C1D9C0025BB44 /* Foundation.framework */; }; + E7DC73B71C890F0E0008BF73 /* KeychainCircle.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7D847C51C6BE9710025BB44 /* KeychainCircle.framework */; }; + E7E0C73A1C90EDED00E69A21 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C8786AD0B03E05E00BB77D4 /* libDER.a */; }; + E7E0C73B1C90EDF500E69A21 /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 795CA9860D38269B00BAE6A2 /* libASN1.a */; }; 
E7E0D902158FAFED002CA176 /* libutilitiesRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E7E0D8FE158FAB3B002CA176 /* libutilitiesRegressions.a */; }; E7E0D903158FAFF7002CA176 /* libutilitiesRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E7E0D8FE158FAB3B002CA176 /* libutilitiesRegressions.a */; }; + E7E3EFBA1CBC192A00E79A5D /* KCAccountKCCircleDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = E7E3EFB91CBC192A00E79A5D /* KCAccountKCCircleDelegate.m */; }; + E7E3EFE31CBC195700E79A5D /* KCAccountKCCircleDelegate.h in Headers */ = {isa = PBXBuildFile; fileRef = E7E3EFE21CBC195700E79A5D /* KCAccountKCCircleDelegate.h */; settings = {ATTRIBUTES = (Public, ); }; }; + E7EBDEBC1C87C0DB001BAA62 /* KeychainCircle.plist in Install BATS Tests */ = {isa = PBXBuildFile; fileRef = E7CFF7221C8660A000E3484E /* KeychainCircle.plist */; }; + E7F480121C729C7B00390FDB /* NSError+KCCreationHelpers.h in Headers */ = {isa = PBXBuildFile; fileRef = E7F480111C729C7B00390FDB /* NSError+KCCreationHelpers.h */; settings = {ATTRIBUTES = (Private, ); }; }; + E7F480151C73980D00390FDB /* KCJoiningRequestSession.m in Sources */ = {isa = PBXBuildFile; fileRef = E7F480141C73980D00390FDB /* KCJoiningRequestSession.m */; }; + E7F480321C73FC4C00390FDB /* KCAESGCMDuplexSession.h in Headers */ = {isa = PBXBuildFile; fileRef = E7F480301C73FC4C00390FDB /* KCAESGCMDuplexSession.h */; settings = {ATTRIBUTES = (Public, ); }; }; + E7F480331C73FC4C00390FDB /* KCAESGCMDuplexSession.m in Sources */ = {isa = PBXBuildFile; fileRef = E7F480311C73FC4C00390FDB /* KCAESGCMDuplexSession.m */; }; + E7F4809C1C74E85200390FDB /* KCDerTest.m in Sources */ = {isa = PBXBuildFile; fileRef = E7F4809B1C74E85200390FDB /* KCDerTest.m */; }; + E7F4809E1C74E86D00390FDB /* KCAESGCMTest.m in Sources */ = {isa = PBXBuildFile; fileRef = E7F4809D1C74E86D00390FDB /* KCAESGCMTest.m */; }; + E7F482701C74FDD100390FDB /* KCJoiningSessionTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 
E7F4826F1C74FDD100390FDB /* KCJoiningSessionTest.m */; }; + E7F482961C74FDF800390FDB /* KCJoiningSession.h in Headers */ = {isa = PBXBuildFile; fileRef = E7F480131C7397CE00390FDB /* KCJoiningSession.h */; settings = {ATTRIBUTES = (Public, ); }; }; + E7F4829A1C75406900390FDB /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C60888B155C943D00A0904F /* libSecureObjectSync.a */; }; + E7F4829C1C7540B200390FDB /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C2FEC5115755D710008BE39 /* libutilities.a */; }; + E7F4829D1C75413C00390FDB /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F7F66314D77DF700F88A12 /* libsecurity.a */; }; + E7F482A11C7543E500390FDB /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB740680A4749C800D641BB /* libsqlite3.dylib */; }; + E7F482A31C7544E600390FDB /* libctkclient_test.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E7F482A21C7544E600390FDB /* libctkclient_test.a */; }; + E7F482A41C75450600390FDB /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F7F66914D77DF700F88A12 /* libsecipc_client.a */; }; + E7F482A61C75453900390FDB /* libcoreauthd_test_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E7F482A51C75453900390FDB /* libcoreauthd_test_client.a */; }; + E7F482AA1C7554FB00390FDB /* NSError+KCCreationHelpers.m in Sources */ = {isa = PBXBuildFile; fileRef = E7F482A91C7554F500390FDB /* NSError+KCCreationHelpers.m */; }; + E7F482AC1C7558F700390FDB /* KCJoiningAcceptSession.m in Sources */ = {isa = PBXBuildFile; fileRef = E7F482AB1C7558F700390FDB /* KCJoiningAcceptSession.m */; }; + E7F482E61C7640D300390FDB /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; + E7F482E71C7641AA00390FDB /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F7F66514D77DF700F88A12 /* libsecurityd.a */; }; E7FEEEF81332B7F70025EB06 /* libsqlite3.dylib in 
Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB740680A4749C800D641BB /* libsqlite3.dylib */; }; E7FEEEFA1332B8210025EB06 /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF730310EF9CDE300E17471 /* CFNetwork.framework */; }; E7FEEEFB1332B8300025EB06 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; E7FEFB94169E378500E18152 /* libSOSCommands.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FEFB8F169E36B000E18152 /* libSOSCommands.a */; }; - EB0BC8111C3C064400785842 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; - EB0BC83F1C3C076400785842 /* secedumodetest.m in Sources */ = {isa = PBXBuildFile; fileRef = EB0BC83D1C3C06CA00785842 /* secedumodetest.m */; }; + EB0BC93A1C3C791500785842 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + EB0BC9671C3C798600785842 /* secedumodetest.m in Sources */ = {isa = PBXBuildFile; fileRef = EB0BC9661C3C794700785842 /* secedumodetest.m */; }; + EB0BF1981D25B4BE000DEF32 /* README in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C4CE9120AF81F0E0056B01D /* README */; }; + EB0BF19A1D25B551000DEF32 /* README in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C4CE9120AF81F0E0056B01D /* README */; }; + EB2CA4DA1D2C28F100AB770F /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4432AF8C1A01472C000958DC /* libaks_acl.a */; }; + EB2CA5571D2C36D400AB770F /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; EB3409B01C1D627400D77661 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; - EB3A8DFF1BEEC66F001A89AA /* Security_edumode.plist in install BATS plist */ = {isa = PBXBuildFile; fileRef = EB3A8DD71BEEC4D6001A89AA /* 
Security_edumode.plist */; }; + EB3A8DFF1BEEC66F001A89AA /* Security_edumode.plist in Install BATS plist */ = {isa = PBXBuildFile; fileRef = EB3A8DD71BEEC4D6001A89AA /* Security_edumode.plist */; }; + EB425CA21C65846D000ECE53 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + EB425CCF1C658554000ECE53 /* secbackuptest.m in Sources */ = {isa = PBXBuildFile; fileRef = EB425CCE1C65854F000ECE53 /* secbackuptest.m */; }; + EB425CDE1C658668000ECE53 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; + EB433A241CC3243600A7EACE /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + EB433A291CC3244C00A7EACE /* secitemstresstest.m in Sources */ = {isa = PBXBuildFile; fileRef = EB433A1E1CC3242C00A7EACE /* secitemstresstest.m */; }; + EB433A2A1CC3246800A7EACE /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; + EB433A2E1CC325E900A7EACE /* secitemstresstest.entitlements in Resources */ = {isa = PBXBuildFile; fileRef = EB433A2D1CC325E900A7EACE /* secitemstresstest.entitlements */; }; EB5D73101B0CB09E009CAA47 /* SOSTypes.h in Old SOS header location */ = {isa = PBXBuildFile; fileRef = 52F8DE4D1AF2EB8F00A2C271 /* SOSTypes.h */; }; EB5D73111B0CB0BE009CAA47 /* SOSPeerInfo.h in Old SOS header location */ = {isa = PBXBuildFile; fileRef = E7450BAD16D42B17009C07B8 /* SOSPeerInfo.h */; }; EB69AB301BF4348000913AF1 /* SecEMCSPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = EB69AB091BF4347700913AF1 /* SecEMCSPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; - EB9B37A91C64705F0027E2F9 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; - EB9B37B01C6476F10027E2F9 /* secbackuptest.m in Sources */ = {isa = 
PBXBuildFile; fileRef = EB9B37A31C646F070027E2F9 /* secbackuptest.m */; }; + EB73F0111C210C11008191E3 /* SecurityFeatures.h in Headers */ = {isa = PBXBuildFile; fileRef = EBDED8B51C2107DF00E5ECDB /* SecurityFeatures.h */; settings = {ATTRIBUTES = (Public, ); }; }; EB9C1D7B1BDFD0E000F89272 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; EB9C1D7E1BDFD0E100F89272 /* secbackupntest.m in Sources */ = {isa = PBXBuildFile; fileRef = EB9C1D7D1BDFD0E100F89272 /* secbackupntest.m */; }; - EB9C1DB51BDFD50100F89272 /* Security.plist in install BATS plist */ = {isa = PBXBuildFile; fileRef = EB9C1DAD1BDFD49400F89272 /* Security.plist */; }; - EBC1B8E11BE96FE600E6ACA6 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + EB9C1DB51BDFD50100F89272 /* Security.plist in Install BATS plist */ = {isa = PBXBuildFile; fileRef = EB9C1DAD1BDFD49400F89272 /* Security.plist */; }; + EBA9AA811CE30E58004E2B68 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; + EBA9AA821CE30E58004E2B68 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + EBA9AA871CE30E6F004E2B68 /* secitemnotifications.m in Sources */ = {isa = PBXBuildFile; fileRef = EBA9AA7C1CE30CE7004E2B68 /* secitemnotifications.m */; }; + EBCF73F71CE45F9C00BED7CA /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; + EBCF73F81CE45F9C00BED7CA /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + EBCF73FD1CE45FAC00BED7CA /* secitemfunctionality.m in Sources */ = {isa = PBXBuildFile; fileRef = EBCF73F21CE45F8600BED7CA /* secitemfunctionality.m */; }; EBD8495B1B24BEA000C5FD1E /* 
print_cert.c in Sources */ = {isa = PBXBuildFile; fileRef = EBD8495A1B24BEA000C5FD1E /* print_cert.c */; }; EBE54D761BE32F6F000C4856 /* AggregateDictionary.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 72B368BD179891FC004C37CE /* AggregateDictionary.framework */; }; EBE901721C2283F7007308C6 /* AggregateDictionary.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 72B368BD179891FC004C37CE /* AggregateDictionary.framework */; }; @@ -1615,13 +1041,6 @@ remoteGlobalIDString = 18F234EB15C9F9A600060520; remoteInfo = authd; }; - 051D8FE4194913E700AEF66A /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 5214700616977CB800DF0DB3; - remoteInfo = CloudKeychainProxy; - }; 051D8FE6194913E700AEF66A /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; @@ -1643,13 +1062,6 @@ remoteGlobalIDString = 4C96F7C116D6DF8300D3B39D; remoteInfo = "Keychain Circle Notification"; }; - 051D8FEC194913E700AEF66A /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 72756BFE175D485D00F52070; - remoteInfo = cloud_keychain_diagnose; - }; 05EF68A41949143A007958C3 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 05EF687F1949143A007958C3 /* securityd.xcodeproj */; 
@@ -1671,54 +1083,61 @@ remoteGlobalIDString = 4CE4729E16D833FD009070D1; remoteInfo = Security_temporary_UI; }; - 05EF68B919491577007958C3 /* PBXContainerItemProxy */ = { + 05EF68C91949167B007958C3 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; + containerPortal = 05EF68A919491453007958C3 /* SecurityTool.xcodeproj */; proxyType = 1; - remoteGlobalIDString = 186F778814E59FB200434E1F; - remoteInfo = Security_frameworks; + remoteGlobalIDString = AACD2C7B0E12D81D00D485EA; + remoteInfo = security; }; - 05EF68BF194915B6007958C3 /* PBXContainerItemProxy */ = { + 0C0BDB811756A1D700BC1A7E /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 186F778C14E59FDA00434E1F; - remoteInfo = Security_executables; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0C0BDB5F175687EC00BC1A7E; + remoteInfo = libsecdRegressions; }; - 05EF68C51949160C007958C3 /* PBXContainerItemProxy */ = { + 0C2BCBAA1D06401F00ED7A2F /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; proxyType = 1; - remoteGlobalIDString = 0C6C642915D5ADB500BC68CD; - remoteInfo = Security_kexts; + remoteGlobalIDString = E71049F1169E023B00DB0045; + remoteInfo = libSecurityTool; }; - 05EF68C71949166E007958C3 /* PBXContainerItemProxy */ = { + 0C2BCBAC1D06401F00ED7A2F /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 05EF687F1949143A007958C3 /* securityd.xcodeproj */; + containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; proxyType = 1; - remoteGlobalIDString = AA6D4B890E6F3BB80050206D; - remoteInfo = securityd; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = libutilities; }; 
- 05EF68C91949167B007958C3 /* PBXContainerItemProxy */ = { + 0C2BCBBB1D0640B200ED7A2F /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 05EF68A919491453007958C3 /* SecurityTool.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = AACD2C7B0E12D81D00D485EA; - remoteInfo = security; + remoteGlobalIDString = 0C2BCBA81D06401F00ED7A2F; + remoteInfo = dtlsEchoClient; }; - 0C0BDB811756A1D700BC1A7E /* PBXContainerItemProxy */ = { + 0C2BCBBF1D0648D100ED7A2F /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 0C0BDB5F175687EC00BC1A7E; - remoteInfo = libsecdRegressions; + proxyType = 1; + remoteGlobalIDString = E71049F1169E023B00DB0045; + remoteInfo = libSecurityTool; }; - 0C62D60714E0588700A97963 /* PBXContainerItemProxy */ = { + 0C2BCBC11D0648D100ED7A2F /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 0CF55E5514DB47DE003AD8F2 /* tlsnke.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 0CDF46A014DC794300FFE2FD; - remoteInfo = tlssocket; + containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = libutilities; + }; + 0C2BCBD01D0648FA00ED7A2F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C2BCBBD1D0648D100ED7A2F; + remoteInfo = dtlsEchoServer; }; 0C664AB31759270C0092D3D9 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; 
@@ -1790,20 +1209,6 @@ remoteGlobalIDString = 18270F5414CF651900B05E7F; remoteInfo = libsecipc_client; }; - 0C7CFA3414E1BA7000DF9D95 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 0CF55E5514DB47DE003AD8F2 /* tlsnke.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 0CE08A72148FF2C6000473EB; - remoteInfo = tlsnketest; - }; - 0C7CFA3614E1BAEC00DF9D95 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 4C541F950F250C3000E508AE; - remoteInfo = phase1; - }; 0C99B73F131C984900584CF4 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -1867,20 +1272,6 @@ remoteGlobalIDString = 0CCA42D715C8A395002AEC4C; remoteInfo = dtlsEchoServer; }; - 0CCA42F415C8A815002AEC4C /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 0C95403F14E473AA00077526 /* libsecurity_ssl.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 0CCA42C815C8A387002AEC4C; - remoteInfo = dtlsEchoClient; - }; - 0CCA42F615C8A820002AEC4C /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 0C95403F14E473AA00077526 /* libsecurity_ssl.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 0CCA42D615C8A395002AEC4C; - remoteInfo = dtlsEchoServer; - }; 0CD72A4B16D54BD300A4B8A3 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; 
@@ -1895,20 +1286,6 @@ remoteGlobalIDString = 52DE81681636347500F49F0C; remoteInfo = Keychain; }; - 0CF55E5F14DB47DF003AD8F2 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 0CF55E5514DB47DE003AD8F2 /* tlsnke.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 0CC9A7F0146DF66000C18F89; - remoteInfo = tlsnke; - }; - 0CF55E6114DB47DF003AD8F2 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 0CF55E5514DB47DE003AD8F2 /* tlsnke.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 0CE08A73148FF2C6000473EB; - remoteInfo = tlsnketest; - }; 18F7F66214D77DF700F88A12 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; @@ -2084,20 +1461,6 @@ remoteGlobalIDString = 7913B1FF0D172B3900601FE9; remoteInfo = sslServer; }; - 4C541F9C0F250C3500E508AE /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 4C32C0AE0A4975F6002891BD; - remoteInfo = Security; - }; - 4C541F9E0F250C4F00E508AE /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 4C541F950F250C3000E508AE; - remoteInfo = phase1; - }; 4C541FA00F250C5200E508AE /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -2161,13 +1524,6 @@ remoteGlobalIDString = 058F16540925135E009FA1C5; remoteInfo = parseCrl; }; - 4C8786B40B03E0A400BB77D4 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 053BA313091C00BF00A7007A; - remoteInfo = libDER; - }; 4C9DE9EE1181ACA000CF5C27 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -2252,19 +1608,33 @@ remoteGlobalIDString = E742A09B14E343E70052A486; remoteInfo = libutilities; }; - 52849FAD164462E7005CDF23 /* PBXContainerItemProxy */ = { + 5250AC2F1C866F9D00169095 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 528402A0164445760035F320; - remoteInfo = libCloudKeychainProxy; + proxyType = 1; + remoteGlobalIDString = 18D4043414CE0CF300A2BE4E; + remoteInfo = libsecurity; + }; + 5250AC311C866F9D00169095 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18D4056114CE53C200A2BE4E; + remoteInfo = libsecurityd; }; - 52D82BEB16A622100078DFE5 /* PBXContainerItemProxy */ = { + 5250AC331C866F9D00169095 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; proxyType = 1; - remoteGlobalIDString = 5284029F164445760035F320; - remoteInfo = libCloudKeychainProxy; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; + }; + 5250AC351C866FA500169095 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; }; 52D82BF116A622600078DFE5 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; 
@@ -2350,13 +1720,6 @@ remoteGlobalIDString = 5EF7C20A1B00E25400E5E99C; remoteInfo = secacltests; }; - 72D41315175D13E40052A8ED /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 72979BE1175D095900BE8FD6; - remoteInfo = cloud_keychain_diagnose; - }; 795CA9850D38269B00BAE6A2 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 795CA97A0D38269B00BAE6A2 /* libsecurity_asn1.xcodeproj */; @@ -2364,13 +1727,6 @@ remoteGlobalIDString = 795CA7FF0D38013D00BAE6A2; remoteInfo = libASN1; }; - 795CA9BC0D3829FC00BAE6A2 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 795CA97A0D38269B00BAE6A2 /* libsecurity_asn1.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 795CA7FE0D38013D00BAE6A2; - remoteInfo = libASN1; - }; 79BDD39A0D60D5F9000D84D3 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 79BDD3940D60D5F9000D84D3 /* libsecurity_smime.xcodeproj */; @@ -2392,20 +1748,6 @@ remoteGlobalIDString = 79DC33620D4E6EEA0039E4BC; remoteInfo = cms; }; - 79BDD3A40D60D637000D84D3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 79BDD3940D60D5F9000D84D3 /* libsecurity_smime.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 79DC33610D4E6EEA0039E4BC; - remoteInfo = cms; - }; - 79DCEA7C134A293D007F57DC /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = 053BA313091C00BF00A7007A; - remoteInfo = libDER; - }; BE197F621911742900BA91D1 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -2448,13 +1790,6 @@ remoteGlobalIDString = E742A09B14E343E70052A486; remoteInfo = utilities; }; - CD045E3F1A83F85E005FA0AC /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; - proxyType = 1; - remoteGlobalIDString = CD3F914A1A802EBF00E07119; - remoteInfo = libIDSKeychainSyncingProxy; - }; CD0637801A840C6400C81E74 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -2462,20 +1797,6 @@ remoteGlobalIDString = CD276C261A83F60C003226BC; remoteInfo = IDSKeychainSyncingProxy; }; - CD19A67D1A806B1D00F9C276 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = CD63ACE01A8061FA001B5671; - remoteInfo = IDSKeychainSyncingProxy; - }; - CD8B5AE41B618F1B004D4AEF /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = BE94B7A41AD83AF700A7216D; - remoteInfo = trustd.xpc; - }; CD8B5AE61B618F1B004D4AEF /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; 
@@ -2490,1464 +1811,1029 @@ remoteGlobalIDString = BE8D228E1ABB7199009A4E18; remoteInfo = libSecTrustOSX; }; - CDCDA31A1A803648005CF7C9 /* PBXContainerItemProxy */ = { + D40771E11C9B51830016AA66 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; proxyType = 2; - remoteGlobalIDString = CD3F914B1A802EBF00E07119; - remoteInfo = libIDSKeychainSyncingProxy; - }; - E7098DB21A3A53E000CBD4B3 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 37A7CEAB197DB8FA00926CE8; - remoteInfo = codesign_tests; + remoteGlobalIDString = D40771B81C9B4D200016AA66; + remoteInfo = libSharedRegressions; }; - E7104A02169E038F00DB0045 /* PBXContainerItemProxy */ = { + D40771EA1C9B51D80016AA66 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; proxyType = 1; - remoteGlobalIDString = E71049F1169E023B00DB0045; - remoteInfo = libSecurityTool; + remoteGlobalIDString = D40771B71C9B4D200016AA66; + remoteInfo = libSharedRegressions; }; - E7104A05169E038F00DB0045 /* PBXContainerItemProxy */ = { + D40771EC1C9B51E30016AA66 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = E71049F2169E023B00DB0045; - remoteInfo = libSecurityTool; + proxyType = 1; + remoteGlobalIDString = D40771B71C9B4D200016AA66; + remoteInfo = libSharedRegressions; }; - E7104A1F169E21C000DB0045 /* PBXContainerItemProxy */ = { + D41AD4391B96721E008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = E7104A12169E216E00DB0045; - remoteInfo = libSecurityCommands; + 
remoteGlobalIDString = 790851B50CA9859F0083CC4D; + remoteInfo = securityd; }; - E7104A22169E21C000DB0045 /* PBXContainerItemProxy */ = { + D41AD43B1B96723B008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = E7104A1D169E216E00DB0045; - remoteInfo = libSecurityCommands; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = E710C7411331946400F85568; + remoteInfo = SecurityTests; }; - E710C707133192EA00F85568 /* PBXContainerItemProxy */ = { + D41AD43D1B967242008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 0C25A871122726540050C2BD /* regressions.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = E710C6FE133192E900F85568; - remoteInfo = regressions; - }; - E717A1471A7880440021E134 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 37AB390F1A44A88000B56E04; - remoteInfo = gk_reset_check; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C0BDB2E175685B000BC1A7E; + remoteInfo = secdtests; }; - E76079DA1951FDBF00F69731 /* PBXContainerItemProxy */ = { + D41AD43F1B96724C008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = E76079D21951FD2800F69731; - remoteInfo = liblogging; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C6799F912F7C37C00712919; + remoteInfo = dtlsTests; }; - E76079FB1951FE1F00F69731 /* PBXContainerItemProxy */ = { + D41AD4411B97866C008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + 
containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = E76079971951FD2800F69731; - remoteInfo = liblogging; + remoteGlobalIDString = 7913B1FF0D172B3900601FE9; + remoteInfo = sslServer; }; - E777C71415B63C0B004044A8 /* PBXContainerItemProxy */ = { + D41AD4431B978681008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 4A5CCA4F15ACEFA500702357; - remoteInfo = libSecOtrOSX; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 4C9DE9D11181AC4800CF5C27; + remoteInfo = sslEcdsa; }; - E79D3388135CBEB1005777CF /* PBXContainerItemProxy */ = { + D41AD4451B9786A3008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 0C25A871122726540050C2BD /* regressions.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = E710C6FD133192E900F85568; - remoteInfo = regressions; + remoteGlobalIDString = 4CB740A20A47567C00D641BB; + remoteInfo = securitytool; }; - E79D9CD4159BEA78000834EC /* PBXContainerItemProxy */ = { + D41AD4491B9786D8008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = 4A824B03158FF07000F932C0; - remoteInfo = libSecOTRRegressions; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = F93C49021AB8FCE00047E01A; + remoteInfo = ckcdiagnose.sh; }; - E7B01B8316572132000485F1 /* PBXContainerItemProxy */ = { + D41AD44B1B9786E2008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = 
E702E73514E1F3EA00CDE635; - remoteInfo = libSecureObjectSync; + remoteGlobalIDString = 5EBE24791B00CCAE0007DB0E; + remoteInfo = secacltests; }; - E7B01BBF166594AB000485F1 /* PBXContainerItemProxy */ = { + D41AD44D1B978791008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = E702E73514E1F3EA00CDE635; - remoteInfo = libSecureObjectSync; + remoteGlobalIDString = 5E10992419A5E55800A60E2B; + remoteInfo = ISACLProtectedItems; }; - E7B01BC1166594AB000485F1 /* PBXContainerItemProxy */ = { + D41AD4511B9788B2008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = E702E75714E1F48800CDE635; - remoteInfo = libSOSRegressions; + remoteGlobalIDString = 52D82BDD16A621F70078DFE5; + remoteInfo = CloudKeychainProxy; }; - E7E0D8FA158FAB3B002CA176 /* PBXContainerItemProxy */ = { + D41AD4591B978944008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = E7E0D8E8158FA9A3002CA176; - remoteInfo = libutilitiesRegressions; + remoteGlobalIDString = 728B56A016D59979008FA3AB; + remoteInfo = OTAPKIAssetTool; }; - E7E0D8FD158FAB3B002CA176 /* PBXContainerItemProxy */ = { + D41AD45B1B978A7A008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = E7E0D8F9158FA9A3002CA176; - remoteInfo = libutilitiesRegressions; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 
790851B50CA9859F0083CC4D; + remoteInfo = securityd; }; - E7E0D8FF158FAB52002CA176 /* PBXContainerItemProxy */ = { + D41AD45D1B978A7C008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = E7E0D8E8158FA9A3002CA176; - remoteInfo = libutilitiesRegressions; + remoteGlobalIDString = 4CB740A20A47567C00D641BB; + remoteInfo = securitytool; }; - E7EE5A33139DC042005C78BE /* PBXContainerItemProxy */ = { + D41AD45F1B978E18008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = 053BA313091C00BF00A7007A; - remoteInfo = libDER; + remoteGlobalIDString = E710C7411331946400F85568; + remoteInfo = SecurityTests; }; - E7FEFB8E169E36B000E18152 /* PBXContainerItemProxy */ = { + D41AD4611B978E24008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; - proxyType = 2; - remoteGlobalIDString = E7FEFB8C169E363300E18152; - remoteInfo = libSOSCommands; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C0BDB2E175685B000BC1A7E; + remoteInfo = secdtests; }; - E7FEFB92169E377900E18152 /* PBXContainerItemProxy */ = { + D41AD4651B978F19008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = E7FEFB82169E363300E18152; - remoteInfo = libSOSCommands; + remoteGlobalIDString = 0C6799F912F7C37C00712919; + remoteInfo = dtlsTests; }; - EB0BC8401C3C079100785842 /* PBXContainerItemProxy */ = { + 
D41AD4671B978F20008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = EB0BC80D1C3C064400785842; - remoteInfo = secedumodetest; + remoteGlobalIDString = 7913B1FF0D172B3900601FE9; + remoteInfo = sslServer; }; - EB3A8E001BEEC6F3001A89AA /* PBXContainerItemProxy */ = { + D41AD4691B978F24008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = EB9C1D791BDFD0E000F89272; - remoteInfo = secbackupntest; + remoteGlobalIDString = 4CE5A54C09C796E100D27A3F; + remoteInfo = sslViewer; }; - EB93052A1BE1B43700978606 /* PBXContainerItemProxy */ = { + D41AD46B1B978F28008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = EB9C1DAE1BDFD4DE00F89272; - remoteInfo = SecurityBatsTests; + remoteGlobalIDString = 4C9DE9D11181AC4800CF5C27; + remoteInfo = sslEcdsa; }; - EB9B37AE1C6470B20027E2F9 /* PBXContainerItemProxy */ = { + D41AD46D1B978F4C008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = EB9B37A51C64705F0027E2F9; - remoteInfo = secbackuptest; + remoteGlobalIDString = 5EBE24791B00CCAE0007DB0E; + remoteInfo = secacltests; }; - EB9C1DB61BDFD51800F89272 /* PBXContainerItemProxy */ = { + D41AD4711B978F76008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = EB9C1DAE1BDFD4DE00F89272; - remoteInfo = SecurityBatsTests; + remoteGlobalIDString = 728B56A016D59979008FA3AB; + remoteInfo = OTAPKIAssetTool; }; - EBD849351B242C8900C5FD1E /* PBXContainerItemProxy */ = { + D42FA86F1C9B9081003E46A7 /* 
PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = D42FA8241C9B8D3C003E46A7; + remoteInfo = SecurityTestsOSX; + }; + D447C4E41D31CA540082FC1D /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 79BDD3940D60D5F9000D84D3 /* libsecurity_smime.xcodeproj */; proxyType = 1; - remoteGlobalIDString = 4CE5A54C09C796E100D27A3F; - remoteInfo = sslViewer; + remoteGlobalIDString = D447C4DB1D31C9DD0082FC1D; + remoteInfo = libCMSInstall; }; - F94E7AE11ACC8E7700F23132 /* PBXContainerItemProxy */ = { + D447C4E61D31CA650082FC1D /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + containerPortal = 79BDD3940D60D5F9000D84D3 /* libsecurity_smime.xcodeproj */; proxyType = 1; - remoteGlobalIDString = F93C49021AB8FCE00047E01A; - remoteInfo = ckcdiagnose.sh; + remoteGlobalIDString = 79DC33610D4E6EEA0039E4BC; + remoteInfo = libCMS; }; -/* End PBXContainerItemProxy section */ - -/* Begin PBXCopyFilesBuildPhase section */ - 0C0BDB2D175685B000BC1A7E /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = /usr/share/man/man1/; - dstSubfolderSpec = 0; - files = ( - ); - runOnlyForDeploymentPostprocessing = 1; + D46B07721C8FAFA900B5939A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 053BA313091C00BF00A7007A; + remoteInfo = libDER; }; - 0C59B55317677BF200617746 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/private/etc/asl"; - dstSubfolderSpec = 0; - files = ( - 0C59B55417677C3E00617746 /* com.apple.securityd in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; + 
D46B07FF1C8FBE3300B5939A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = D46B07EB1C8FBDC600B5939A; + remoteInfo = libDERHeaders; }; - 4C50AD081410673800EE92DE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = DigiNotar; - dstSubfolderSpec = 7; - files = ( - 4C50AD0C1410679000EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */, - 4C50AD0D1410679000EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */, - 4C50AD0E1410679000EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */, - 4C50AD0F1410679000EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */, - 4C50AD101410679000EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */, - 4C50AD111410679000EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */, - 4C50AD121410679000EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */, - 4C50AD131410679000EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */, - 4C50AD141410679000EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */, - 4C50AD151410679000EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */, - 4C8B91C91416ED7E00A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */, - 4C8B91CA1416ED7E00A254E2 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in CopyFiles */, - 4C8B91CB1416ED7E00A254E2 /* Invalid-diginotarpkioverheidcaoverheid.crt in CopyFiles */, - 4C8B91CC1416ED7E00A254E2 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in CopyFiles */, - 4C8B91CD1416ED7E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in CopyFiles */, - 4C8B91CE1416ED7E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt in CopyFiles 
*/, - 4C8B91CF1416ED7E00A254E2 /* staatdernederlandenorganisatieca-g2-Cert.crt in CopyFiles */, - 4C8B91D01416ED7E00A254E2 /* staatdernederlandenoverheidca-Cert.crt in CopyFiles */, - 4C8B91D11416ED7E00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + D46B08A51C8FD8CF00B5939A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 795CA97A0D38269B00BAE6A2 /* libsecurity_asn1.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = D46B08791C8FCA5000B5939A; + remoteInfo = libASN1Install; }; - 4C50AD091410675400EE92DE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "DigiNotar-Entrust"; - dstSubfolderSpec = 7; - files = ( - 4C50AD181410679900EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */, - 4C50AD191410679900EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */, - 4C50AD1A1410679900EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */, - 4C50AD1B1410679900EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */, - 4C50AD1C1410679900EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */, - 4C50AD1D1410679900EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */, - 4C50AD1E1410679900EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */, - 4C50AD1F1410679900EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */, - 4C50AD201410679900EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */, - 4C50AD211410679900EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */, - 4C50AD221410679900EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt in CopyFiles */, - 4C8B91D21416ED8E00A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */, - 4C8B91D31416ED8E00A254E2 /* 
Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in CopyFiles */, - 4C8B91D41416ED8E00A254E2 /* Invalid-diginotarpkioverheidcaoverheid.crt in CopyFiles */, - 4C8B91D51416ED8E00A254E2 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in CopyFiles */, - 4C8B91D61416ED8E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in CopyFiles */, - 4C8B91D71416ED8E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt in CopyFiles */, - 4C8B91D81416ED8E00A254E2 /* staatdernederlandenorganisatieca-g2-Cert.crt in CopyFiles */, - 4C8B91D91416ED8E00A254E2 /* staatdernederlandenoverheidca-Cert.crt in CopyFiles */, - 4C8B91DA1416ED8E00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + D4DC13891C8F738A00175415 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 053BA313091C00BF00A7007A; + remoteInfo = libDER; }; - 4C50AD0A1410676300EE92DE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "DigiNotar-ok"; - dstSubfolderSpec = 7; - files = ( - 4C50AD23141067A100EE92DE /* DigiNotarCA2007RootCertificate.crt in CopyFiles */, - 4C8B91E41416ED9A00A254E2 /* DigiNotar_Root_CA_G2-RootCertificate.crt in CopyFiles */, - 4C50AD24141067A100EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */, - 4C50AD25141067A100EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */, - 4C50AD26141067A100EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */, - 4C50AD27141067A100EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */, - 4C50AD28141067A100EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */, - 4C50AD29141067A100EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */, - 4C50AD2A141067A100EE92DE /* 
diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */, - 4C50AD2B141067A100EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */, - 4C50AD2C141067A100EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */, - 4C50AD2D141067A100EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */, - 4C8B91DB1416ED9400A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */, - 4C8B91E31416ED9400A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */, - 4C50AD30141068C100EE92DE /* Expectations.plist in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E7098DB21A3A53E000CBD4B3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 37A7CEAB197DB8FA00926CE8; + remoteInfo = codesign_tests; }; - 4C50AD3414106A2900EE92DE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = DigiNotar; - dstSubfolderSpec = 7; - files = ( - 4C50AD3914106A4E00EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */, - 4C50AD3A14106A4E00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */, - 4C50AD3B14106A4E00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */, - 4C50AD3C14106A4E00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */, - 4C50AD3D14106A4E00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */, - 4C50AD3E14106A4E00EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */, - 4C50AD3F14106A4E00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */, - 4C50AD4014106A4E00EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */, - 4C50AD4114106A4E00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */, - 4C50AD4214106A4E00EE92DE /* 
diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */, - 4C3CECF41416E2EC00947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */, - 4C3CECF51416E2FA00947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in CopyFiles */, - 4C3CECF61416E31A00947741 /* Invalid-diginotarpkioverheidcaoverheid.crt in CopyFiles */, - 4C3CECF81416E33500947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in CopyFiles */, - 4C3CECF91416E34F00947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in CopyFiles */, - 4C3CECFA1416E34F00947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt in CopyFiles */, - 4C3CECFB1416E34F00947741 /* staatdernederlandenorganisatieca-g2-Cert.crt in CopyFiles */, - 4C3CECFC1416E34F00947741 /* staatdernederlandenoverheidca-Cert.crt in CopyFiles */, - 4C8B91C81416EBB500A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E7104A02169E038F00DB0045 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E71049F1169E023B00DB0045; + remoteInfo = libSecurityTool; }; - 4C50AD3514106A2B00EE92DE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "DigiNotar-Entrust"; - dstSubfolderSpec = 7; - files = ( - 4C8B91C61416EB8B00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */, - 4C50AD4614106A5000EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */, - 4C50AD4714106A5000EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */, - 4C50AD4814106A5000EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */, - 4C50AD4914106A5000EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */, - 4C50AD4A14106A5000EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt 
in CopyFiles */, - 4C50AD4B14106A5000EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */, - 4C50AD4C14106A5000EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */, - 4C50AD4D14106A5000EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */, - 4C50AD4E14106A5000EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */, - 4C50AD4F14106A5000EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */, - 4C50AD5014106A5000EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt in CopyFiles */, - 4C3CECFD1416E35400947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */, - 4C3CECFE1416E35400947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in CopyFiles */, - 4C3CECFF1416E35400947741 /* Invalid-diginotarpkioverheidcaoverheid.crt in CopyFiles */, - 4C3CED001416E35400947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in CopyFiles */, - 4C3CED011416E35400947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in CopyFiles */, - 4C3CED021416E35400947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit.crt in CopyFiles */, - 4C3CED031416E35400947741 /* staatdernederlandenorganisatieca-g2-Cert.crt in CopyFiles */, - 4C3CED041416E35400947741 /* staatdernederlandenoverheidca-Cert.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E7104A05169E038F00DB0045 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E71049F2169E023B00DB0045; + remoteInfo = libSecurityTool; }; - 4C50AD3614106A2C00EE92DE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "DigiNotar-ok"; - dstSubfolderSpec = 7; - files = ( - 4C50AD5114106A5400EE92DE /* Expectations.plist in CopyFiles */, - 4C50AD5214106A5400EE92DE /* DigiNotarCA2007RootCertificate.crt in CopyFiles */, - 
4C3CECF31416E25C00947741 /* DigiNotar_Root_CA_G2-RootCertificate.crt in CopyFiles */, - 4C50AD5314106A5400EE92DE /* Invalid-asterisk.google.com.crt in CopyFiles */, - 4C50AD5414106A5400EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in CopyFiles */, - 4C50AD5514106A5400EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in CopyFiles */, - 4C50AD5614106A5400EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in CopyFiles */, - 4C50AD5714106A5400EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in CopyFiles */, - 4C50AD5814106A5400EE92DE /* diginotar-public-ca-2025-Cert.crt in CopyFiles */, - 4C50AD5914106A5400EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in CopyFiles */, - 4C50AD5A14106A5400EE92DE /* diginotar-services-diginotar-root-Cert.crt in CopyFiles */, - 4C50AD5B14106A5400EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in CopyFiles */, - 4C50AD5C14106A5400EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in CopyFiles */, - 4C3CED051416E35A00947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in CopyFiles */, - 4C8B91C71416EBA400A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E7104A1F169E21C000DB0045 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E7104A12169E216E00DB0045; + remoteInfo = libSecurityCommands; }; - 4C52D0B216EFC61E0079966E /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/LaunchDaemons"; - dstSubfolderSpec = 0; - files = ( - 4C52D0E916EFCCF80079966E /* com.apple.security.CircleJoinRequested.plist in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; + E7104A22169E21C000DB0045 /* PBXContainerItemProxy */ = { + isa = 
PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E7104A1D169E216E00DB0045; + remoteInfo = libSecurityCommands; }; - 52D82BF316A622770078DFE5 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/LaunchDaemons"; - dstSubfolderSpec = 0; - files = ( - 52D82BF416A622E60078DFE5 /* com.apple.security.cloudkeychainproxy.plist in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; + E710C707133192EA00F85568 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 0C25A871122726540050C2BD /* regressions.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E710C6FE133192E900F85568; + remoteInfo = regressions; }; - 5E11CAD919A759E2008A3664 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/usr/local/bin"; - dstSubfolderSpec = 0; - files = ( - 5E11CADA19A75A1F008A3664 /* KeychainItemsAclTest.sh in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; + E717A1471A7880440021E134 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 37AB390F1A44A88000B56E04; + remoteInfo = gk_reset_check; }; - 72979BE0175D095900BE8FD6 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = /usr/share/man/man1/; - dstSubfolderSpec = 0; - files = ( - ); - runOnlyForDeploymentPostprocessing = 1; + E74583BD1BF66489001B54A4 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 52D82BDD16A621F70078DFE5; + remoteInfo = CloudKeychainProxy; }; - 79679E231462023800CF997F /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = 
DigicertMalaysia; - dstSubfolderSpec = 7; - files = ( - 79679E29146202A800CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in CopyFiles */, - 7947431E1462151E00D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in CopyFiles */, - 79679E2A146202A800CF997F /* Invalid-webmail.jaring.my.crt in CopyFiles */, - 7947431A146213DC00D638A3 /* Invalid-www.cybersecurity.my.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E745841E1BF66525001B54A4 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 186F778C14E59FDA00434E1F; + remoteInfo = Security_executables; }; - 79679E2B146202BC00CF997F /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = DigicertMalaysia; - dstSubfolderSpec = 7; - files = ( - 79679E2C146202CB00CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in CopyFiles */, - 7947431D1462151400D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in CopyFiles */, - 79679E2D146202CB00CF997F /* Invalid-webmail.jaring.my.crt in CopyFiles */, - 7947431B146213EF00D638A3 /* Invalid-www.cybersecurity.my.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E745846C1BF68ECB001B54A4 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 05EF68BB194915A5007958C3; + remoteInfo = Security_executables; }; - 79863B6C0CADCE4300818B0D /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/LaunchDaemons"; - dstSubfolderSpec = 0; - files = ( - 79863B710CADCEAB00818B0D /* com.apple.securityd.plist in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; + E745846E1BF68ECB001B54A4 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* 
Project object */; + proxyType = 1; + remoteGlobalIDString = 05EF68C1194915FB007958C3; + remoteInfo = Security_kexts; }; - 79DCEA52134A27D2007F57DC /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = /usr/share/man/man1/; - dstSubfolderSpec = 0; - files = ( - ); - runOnlyForDeploymentPostprocessing = 1; + E74584701BF68ECB001B54A4 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 05EF68AF1949149C007958C3; + remoteInfo = Security_temporary_UI; }; - 79E0D700143E551F0010CE0E /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "AppleID-certs"; - dstSubfolderSpec = 7; - files = ( - 79E0D7AD143E68D70010CE0E /* iPhoneCACert.crt in CopyFiles */, - 79E0D7A8143E672A0010CE0E /* Invalid-asset_signing.crt in CopyFiles */, - 79E0D705143E55DB0010CE0E /* Apple Application Integration Certification Authority Cert.crt in CopyFiles */, - 79E0D706143E55DB0010CE0E /* Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt in CopyFiles */, - 79E0D707143E55DB0010CE0E /* AppleRootCertificate.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E749F26F1D18C284006C2B27 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; }; - 79E0D708143E55F70010CE0E /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "AppleID-certs"; - dstSubfolderSpec = 7; - files = ( - 79E0D7AC143E68CF0010CE0E /* iPhoneCACert.crt in CopyFiles */, - 79E0D7A9143E673B0010CE0E /* Invalid-asset_signing.crt in CopyFiles */, - 79E0D709143E56010010CE0E /* Apple Application Integration Certification Authority Cert.crt in CopyFiles */, - 79E0D70A143E56010010CE0E /* 
Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt in CopyFiles */, - 79E0D70B143E56010010CE0E /* AppleRootCertificate.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E75C27701C98D40500F7E12A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 795CA97A0D38269B00BAE6A2 /* libsecurity_asn1.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 795CA7FE0D38013D00BAE6A2; + remoteInfo = libASN1; }; - BE442BBA18B7FDB800F24DAE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/LaunchDaemons"; - dstSubfolderSpec = 0; - files = ( - BE4AC9AE18B7FFC800B84964 /* com.apple.security.swcagent.plist in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; + E75C27761C98D44300F7E12A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 795CA97A0D38269B00BAE6A2 /* libsecurity_asn1.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 795CA7FE0D38013D00BAE6A2; + remoteInfo = libASN1; }; - CD045E191A83F7D6005FA0AC /* Copy Files */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/LaunchDaemons"; - dstSubfolderSpec = 0; - files = ( - CDFD1D841A840F64004C2BEA /* com.apple.security.idskeychainsyncingproxy.plist in Copy Files */, - ); - name = "Copy Files"; - runOnlyForDeploymentPostprocessing = 1; + E75E498E1C8F79BB0001A34F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18270F5414CF651900B05E7F; + remoteInfo = libsecipc_client; }; - CDB9FCAA179CD054000AAD66 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/Frameworks/Security.framework/CircleJoinRequested"; - dstSubfolderSpec = 0; - files = ( - 
CDB9FCAB179CD098000AAD66 /* Info.plist in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; + E76079DA1951FDBF00F69731 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E76079D21951FD2800F69731; + remoteInfo = liblogging; }; - CDF91EA61AAE019800E88CF7 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = /System/Library/IdentityServices/ServiceDefinitions; - dstSubfolderSpec = 0; - files = ( - CDF91EF31AAE024A00E88CF7 /* com.apple.private.alloy.keychainsync.plist in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; + E76079FB1951FE1F00F69731 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E76079971951FD2800F69731; + remoteInfo = liblogging; }; - D4B4A9A91B8BBB2F0097B393 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "ssl-policy-certs"; - dstSubfolderSpec = 7; - files = ( - D4B4A9FD1B8BBC5D0097B393 /* InvalidEKUTest16.cer in CopyFiles */, - D4B4A9FE1B8BBC5D0097B393 /* InvalidHostnameTest1.cer in CopyFiles */, - D4B4A9FF1B8BBC5D0097B393 /* InvalidHostnameTest2.cer in CopyFiles */, - D4B4AA001B8BBC5D0097B393 /* InvalidHostnameTest22.cer in CopyFiles */, - D4B4AA011B8BBC5D0097B393 /* InvalidHostnameTest23.cer in CopyFiles */, - D4B4AA021B8BBC5D0097B393 /* InvalidHostnameTest24.cer in CopyFiles */, - D4B4AA031B8BBC5D0097B393 /* InvalidWildcardTest5Test6.cer in CopyFiles */, - D4B4AA041B8BBC5D0097B393 /* InvalidWildcardTest10.cer in CopyFiles */, - D4B4AA051B8BBC5D0097B393 /* InvalidWildcardTest11.cer in CopyFiles */, - D4B4AA061B8BBC5D0097B393 /* InvalidWildcardTest12.cer in CopyFiles */, - D4B4AA071B8BBC5D0097B393 /* InvalidWildcardTest13Test14.cer in CopyFiles */, - D4B4AA081B8BBC5D0097B393 /* InvalidWildcardTest15.cer in 
CopyFiles */, - D4B4AA091B8BBC5D0097B393 /* InvalidWildcardTest25Test26.cer in CopyFiles */, - D4B4AA0A1B8BBC5D0097B393 /* SSLTrustPolicyTest.plist in CopyFiles */, - D4B4AA0B1B8BBC5D0097B393 /* SSLTrustPolicyTestRootCertificate.cer in CopyFiles */, - D4B4AA0C1B8BBC5D0097B393 /* ValidEKUTest17.cer in CopyFiles */, - D4B4AA0D1B8BBC5D0097B393 /* ValidHostnameTest3.cer in CopyFiles */, - D4B4AA0E1B8BBC5D0097B393 /* ValidHostnameTest4.cer in CopyFiles */, - D4B4AA0F1B8BBC5D0097B393 /* ValidHostnameTest18Test19Test20.cer in CopyFiles */, - D4B4AA101B8BBC5D0097B393 /* ValidHostnameTest21.cer in CopyFiles */, - D4B4AA111B8BBC5D0097B393 /* ValidWildcardTest7Test8Test9.cer in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E777C71415B63C0B004044A8 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4A5CCA4F15ACEFA500702357; + remoteInfo = libSecOtrOSX; }; - D4B4AA121B8BC6240097B393 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "ssl-policy-certs"; - dstSubfolderSpec = 7; - files = ( - D4B4AA131B8BC64E0097B393 /* InvalidEKUTest16.cer in CopyFiles */, - D4B4AA141B8BC64E0097B393 /* InvalidHostnameTest1.cer in CopyFiles */, - D4B4AA151B8BC64E0097B393 /* InvalidHostnameTest2.cer in CopyFiles */, - D4B4AA161B8BC64E0097B393 /* InvalidHostnameTest22.cer in CopyFiles */, - D4B4AA171B8BC64E0097B393 /* InvalidHostnameTest23.cer in CopyFiles */, - D4B4AA181B8BC64E0097B393 /* InvalidHostnameTest24.cer in CopyFiles */, - D4B4AA191B8BC64E0097B393 /* InvalidWildcardTest5Test6.cer in CopyFiles */, - D4B4AA1A1B8BC64E0097B393 /* InvalidWildcardTest10.cer in CopyFiles */, - D4B4AA1B1B8BC64E0097B393 /* InvalidWildcardTest11.cer in CopyFiles */, - D4B4AA1C1B8BC64E0097B393 /* InvalidWildcardTest12.cer in CopyFiles */, - D4B4AA1D1B8BC64E0097B393 /* InvalidWildcardTest13Test14.cer in CopyFiles */, - 
D4B4AA1E1B8BC64E0097B393 /* InvalidWildcardTest15.cer in CopyFiles */, - D4B4AA1F1B8BC64E0097B393 /* InvalidWildcardTest25Test26.cer in CopyFiles */, - D4B4AA201B8BC64E0097B393 /* SSLTrustPolicyTest.plist in CopyFiles */, - D4B4AA211B8BC64E0097B393 /* SSLTrustPolicyTestRootCertificate.cer in CopyFiles */, - D4B4AA221B8BC64E0097B393 /* ValidEKUTest17.cer in CopyFiles */, - D4B4AA231B8BC64E0097B393 /* ValidHostnameTest3.cer in CopyFiles */, - D4B4AA241B8BC64E0097B393 /* ValidHostnameTest4.cer in CopyFiles */, - D4B4AA251B8BC64E0097B393 /* ValidHostnameTest18Test19Test20.cer in CopyFiles */, - D4B4AA261B8BC64E0097B393 /* ValidHostnameTest21.cer in CopyFiles */, - D4B4AA271B8BC64E0097B393 /* ValidWildcardTest7Test8Test9.cer in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E79D3388135CBEB1005777CF /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 0C25A871122726540050C2BD /* regressions.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E710C6FD133192E900F85568; + remoteInfo = regressions; }; - E72783F3159BDF4C00028D6C /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = Shoebox; - dstSubfolderSpec = 7; - files = ( - E72783FB159BDFE900028D6C /* Apple TEST RootCertificate.crt in CopyFiles */, - E72783FC159BDFE900028D6C /* Apple Worldwide Developer Relations Certification Authority Cert.crt in CopyFiles */, - 5D83979E16025A720075998F /* Invalid.com.apple.testcard.crt in CopyFiles */, - E72783FD159BDFE900028D6C /* Apple Worldwide Developer Relations Certification Authority TEST Cert.crt in CopyFiles */, - E72783FE159BDFE900028D6C /* AppleRootCertificate.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E79D9CD4159BEA78000834EC /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4A824B03158FF07000F932C0; + remoteInfo = libSecOTRRegressions; 
}; - E7278400159BDFFF00028D6C /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = Shoebox; - dstSubfolderSpec = 7; - files = ( - 0CAE462D1AC5F75D00EDDEAB /* Invalid.com.apple.testcard.crt in CopyFiles */, - E7278401159BE01A00028D6C /* Apple TEST RootCertificate.crt in CopyFiles */, - E7278402159BE02300028D6C /* Apple Worldwide Developer Relations Certification Authority Cert.crt in CopyFiles */, - E7278404159BE03600028D6C /* Apple Worldwide Developer Relations Certification Authority TEST Cert.crt in CopyFiles */, - E7278403159BE03300028D6C /* AppleRootCertificate.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E79EEDD61CD3F9F800C2FBFC /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C7CFA2E14E1BA4800DF9D95; + remoteInfo = Security_frameworks_ios; }; - E73000E813D90A4400B0DA1B /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "OTATasking-certs"; - dstSubfolderSpec = 7; - files = ( - E73000EA13D90A5A00B0DA1B /* Invalid-asset_signing.crt in CopyFiles */, - E730010B13D90DB900B0DA1B /* AppleRootCertificate.crt in CopyFiles */, - E730010C13D90DB900B0DA1B /* iPhoneCACert.crt in CopyFiles */, - E73000EC13D90A5A00B0DA1B /* task_signing.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E79EEDDC1CD3FFE300C2FBFC /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 186F778814E59FB200434E1F; + remoteInfo = Security_frameworks; }; - E73000ED13D90A7500B0DA1B /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "OTATasking-certs"; - dstSubfolderSpec = 7; - files = ( - E73000EF13D90A7E00B0DA1B /* Invalid-asset_signing.crt in CopyFiles */, - E73000F113D90A7E00B0DA1B /* 
task_signing.crt in CopyFiles */, - E730010D13D90DBF00B0DA1B /* AppleRootCertificate.crt in CopyFiles */, - E730010E13D90DBF00B0DA1B /* iPhoneCACert.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E79EEDDE1CD3FFEA00C2FBFC /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = E79EEDD81CD3FFC800C2FBFC; + remoteInfo = Security_frameworks_macos; }; - E730010113D90CE200B0DA1B /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "mobileasset-certs"; - dstSubfolderSpec = 7; - files = ( - E730010213D90CF200B0DA1B /* AppleRootCertificate.crt in CopyFiles */, - E730010313D90CF200B0DA1B /* asset_signing.crt in CopyFiles */, - E730010413D90CF200B0DA1B /* Invalid-task_signing.crt in CopyFiles */, - E730010513D90CF200B0DA1B /* iPhoneCACert.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E79EEDE41CD4001300C2FBFC /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 05EF68BB194915A5007958C3; + remoteInfo = Security_executables_macos; }; - E730010613D90CFF00B0DA1B /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "mobileasset-certs"; - dstSubfolderSpec = 7; - files = ( - E730010713D90D0700B0DA1B /* AppleRootCertificate.crt in CopyFiles */, - E730010813D90D0700B0DA1B /* asset_signing.crt in CopyFiles */, - E730010913D90D0700B0DA1B /* Invalid-task_signing.crt in CopyFiles */, - E730010A13D90D0700B0DA1B /* iPhoneCACert.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E79EEDE61CD4003900C2FBFC /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = E79EEDD81CD3FFC800C2FBFC; + remoteInfo = 
Security_frameworks_macos; }; - E73288DD1AED7215008CE839 /* Copy SecureObjectSync Headers */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = PrivateHeaders/SecureObjectSync; - dstSubfolderSpec = 1; - files = ( - 52BF42C21AFAD10C00821B5D /* SOSCloudCircleInternal.h in Copy SecureObjectSync Headers */, - 52F8DE4E1AF2EB8F00A2C271 /* SOSTypes.h in Copy SecureObjectSync Headers */, - 9468B96E1AF2B93300042383 /* SOSViews.h in Copy SecureObjectSync Headers */, - E73289291AED7360008CE839 /* SOSPeerInfo.h in Copy SecureObjectSync Headers */, - E73289281AED735A008CE839 /* SOSCloudCircle.h in Copy SecureObjectSync Headers */, - CD4F44211B546A7E00FE3569 /* SOSPeerInfoV2.h in Copy SecureObjectSync Headers */, - 9468B9481AF2B60900042383 /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */, - 9468B96C1AF2B91B00042383 /* SOSForerunnerSession.h in Copy SecureObjectSync Headers */, - ); - name = "Copy SecureObjectSync Headers"; - runOnlyForDeploymentPostprocessing = 0; + E7B01B8316572132000485F1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; }; - E7A94B2E13D89EBF001C5FEE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "nist-certs"; - dstSubfolderSpec = 7; - files = ( - E7A94C9A13D8A128001C5FEE /* Expectations.plist in CopyFiles */, - E7A94B2F13D89F25001C5FEE /* AllCertificatesNoPoliciesTest2EE.crt in CopyFiles */, - E7A94B3013D89F25001C5FEE /* AllCertificatesSamePoliciesTest10EE.crt in CopyFiles */, - E7A94B3113D89F25001C5FEE /* AllCertificatesSamePoliciesTest13EE.crt in CopyFiles */, - E7A94B3213D89F25001C5FEE /* AllCertificatesanyPolicyTest11EE.crt in CopyFiles */, - E7A94B3313D89F25001C5FEE /* AnyPolicyTest14EE.crt in CopyFiles */, - E7A94B3413D89F25001C5FEE /* BadCRLIssuerNameCACert.crt in CopyFiles */, - 
E7A94B3513D89F25001C5FEE /* BadCRLSignatureCACert.crt in CopyFiles */, - E7A94B3613D89F25001C5FEE /* BadSignedCACert.crt in CopyFiles */, - E7A94B3713D89F25001C5FEE /* BadnotAfterDateCACert.crt in CopyFiles */, - E7A94B3813D89F25001C5FEE /* BadnotBeforeDateCACert.crt in CopyFiles */, - E7A94B3913D89F25001C5FEE /* BasicSelfIssuedCRLSigningKeyCACert.crt in CopyFiles */, - E7A94B3A13D89F25001C5FEE /* BasicSelfIssuedNewKeyCACert.crt in CopyFiles */, - E7A94B3B13D89F25001C5FEE /* BasicSelfIssuedNewKeyOldWithNewCACert.crt in CopyFiles */, - E7A94B3C13D89F25001C5FEE /* BasicSelfIssuedOldKeyCACert.crt in CopyFiles */, - E7A94B3D13D89F25001C5FEE /* BasicSelfIssuedOldKeyNewWithOldCACert.crt in CopyFiles */, - E7A94B3E13D89F25001C5FEE /* CPSPointerQualifierTest20EE.crt in CopyFiles */, - E7A94B3F13D89F25001C5FEE /* DSACACert.crt in CopyFiles */, - E7A94B4013D89F25001C5FEE /* DSAParametersInheritedCACert.crt in CopyFiles */, - E7A94B4113D89F25001C5FEE /* DifferentPoliciesTest12EE.crt in CopyFiles */, - E7A94B4213D89F25001C5FEE /* DifferentPoliciesTest3EE.crt in CopyFiles */, - E7A94B4313D89F25001C5FEE /* DifferentPoliciesTest4EE.crt in CopyFiles */, - E7A94B4413D89F25001C5FEE /* DifferentPoliciesTest5EE.crt in CopyFiles */, - E7A94B4513D89F25001C5FEE /* DifferentPoliciesTest7EE.crt in CopyFiles */, - E7A94B4613D89F25001C5FEE /* DifferentPoliciesTest8EE.crt in CopyFiles */, - E7A94B4713D89F25001C5FEE /* DifferentPoliciesTest9EE.crt in CopyFiles */, - E7A94B4813D89F25001C5FEE /* GeneralizedTimeCRLnextUpdateCACert.crt in CopyFiles */, - E7A94B4913D89F25001C5FEE /* GoodCACert.crt in CopyFiles */, - E7A94B4A13D89F25001C5FEE /* GoodsubCACert.crt in CopyFiles */, - E7A94B4B13D89F26001C5FEE /* GoodsubCAPanyPolicyMapping1to2CACert.crt in CopyFiles */, - E7A94B4C13D89F26001C5FEE /* InvalidBasicSelfIssuedNewWithOldTest5EE.crt in CopyFiles */, - E7A94B4D13D89F26001C5FEE /* InvalidBasicSelfIssuedOldWithNewTest2EE.crt in CopyFiles */, - E7A94B4E13D89F26001C5FEE /* 
InvalidCASignatureTest2EE.crt in CopyFiles */, - E7A94B4F13D89F26001C5FEE /* InvalidCAnotAfterDateTest5EE.crt in CopyFiles */, - E7A94B5013D89F26001C5FEE /* InvalidCAnotBeforeDateTest1EE.crt in CopyFiles */, - E7A94B5113D89F26001C5FEE /* InvalidDNSnameConstraintsTest31EE.crt in CopyFiles */, - E7A94B5213D89F26001C5FEE /* InvalidDNSnameConstraintsTest33EE.crt in CopyFiles */, - E7A94B5313D89F26001C5FEE /* InvalidDNSnameConstraintsTest38EE.crt in CopyFiles */, - E7A94B5413D89F26001C5FEE /* InvalidDNandRFC822nameConstraintsTest28EE.crt in CopyFiles */, - E7A94B5513D89F26001C5FEE /* InvalidDNandRFC822nameConstraintsTest29EE.crt in CopyFiles */, - E7A94B5613D89F26001C5FEE /* InvalidDNnameConstraintsTest10EE.crt in CopyFiles */, - E7A94B5713D89F26001C5FEE /* InvalidDNnameConstraintsTest12EE.crt in CopyFiles */, - E7A94B5813D89F26001C5FEE /* InvalidDNnameConstraintsTest13EE.crt in CopyFiles */, - E7A94B5913D89F26001C5FEE /* InvalidDNnameConstraintsTest15EE.crt in CopyFiles */, - E7A94B5A13D89F26001C5FEE /* InvalidDNnameConstraintsTest16EE.crt in CopyFiles */, - E7A94B5B13D89F26001C5FEE /* InvalidDNnameConstraintsTest17EE.crt in CopyFiles */, - E7A94B5C13D89F26001C5FEE /* InvalidDNnameConstraintsTest20EE.crt in CopyFiles */, - E7A94B5D13D89F26001C5FEE /* InvalidDNnameConstraintsTest2EE.crt in CopyFiles */, - E7A94B5E13D89F26001C5FEE /* InvalidDNnameConstraintsTest3EE.crt in CopyFiles */, - E7A94B5F13D89F26001C5FEE /* InvalidDNnameConstraintsTest7EE.crt in CopyFiles */, - E7A94B6013D89F26001C5FEE /* InvalidDNnameConstraintsTest8EE.crt in CopyFiles */, - E7A94B6113D89F26001C5FEE /* InvalidDNnameConstraintsTest9EE.crt in CopyFiles */, - E7A94B6213D89F26001C5FEE /* InvalidDSASignatureTest6EE.crt in CopyFiles */, - E7A94B6313D89F26001C5FEE /* InvalidEESignatureTest3EE.crt in CopyFiles */, - E7A94B6413D89F26001C5FEE /* InvalidEEnotAfterDateTest6EE.crt in CopyFiles */, - E7A94B6513D89F26001C5FEE /* InvalidEEnotBeforeDateTest2EE.crt in CopyFiles */, - E7A94B6613D89F26001C5FEE /* 
InvalidLongSerialNumberTest18EE.crt in CopyFiles */, - E7A94B6713D89F26001C5FEE /* InvalidMappingFromanyPolicyTest7EE.crt in CopyFiles */, - E7A94B6813D89F26001C5FEE /* InvalidMappingToanyPolicyTest8EE.crt in CopyFiles */, - E7A94B6913D89F26001C5FEE /* InvalidMissingbasicConstraintsTest1EE.crt in CopyFiles */, - E7A94B6A13D89F26001C5FEE /* InvalidNameChainingOrderTest2EE.crt in CopyFiles */, - E7A94B6B13D89F26001C5FEE /* InvalidNameChainingTest1EE.crt in CopyFiles */, - E7A94B6C13D89F26001C5FEE /* InvalidNegativeSerialNumberTest15EE.crt in CopyFiles */, - E7A94B6D13D89F26001C5FEE /* InvalidPolicyMappingTest10EE.crt in CopyFiles */, - E7A94B6E13D89F26001C5FEE /* InvalidPolicyMappingTest2EE.crt in CopyFiles */, - E7A94B6F13D89F26001C5FEE /* InvalidPolicyMappingTest4EE.crt in CopyFiles */, - E7A94B7013D89F26001C5FEE /* InvalidRFC822nameConstraintsTest22EE.crt in CopyFiles */, - E7A94B7113D89F26001C5FEE /* InvalidRFC822nameConstraintsTest24EE.crt in CopyFiles */, - E7A94B7213D89F26001C5FEE /* InvalidRFC822nameConstraintsTest26EE.crt in CopyFiles */, - E7A94B7313D89F26001C5FEE /* InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt in CopyFiles */, - E7A94B7413D89F26001C5FEE /* InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt in CopyFiles */, - E7A94B7513D89F26001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt in CopyFiles */, - E7A94B7613D89F26001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt in CopyFiles */, - E7A94B7713D89F26001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt in CopyFiles */, - E7A94B7813D89F26001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt in CopyFiles */, - E7A94B7913D89F26001C5FEE /* InvalidSelfIssuedpathLenConstraintTest16EE.crt in CopyFiles */, - E7A94B7A13D89F26001C5FEE /* InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt in CopyFiles */, - E7A94B7B13D89F26001C5FEE /* InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt in CopyFiles */, - E7A94B7C13D89F26001C5FEE /* InvalidURInameConstraintsTest35EE.crt in 
CopyFiles */, - E7A94B7D13D89F26001C5FEE /* InvalidURInameConstraintsTest37EE.crt in CopyFiles */, - E7A94B7E13D89F26001C5FEE /* InvalidUnknownCriticalCertificateExtensionTest2EE.crt in CopyFiles */, - E7A94B7F13D89F26001C5FEE /* InvalidcAFalseTest2EE.crt in CopyFiles */, - E7A94B8013D89F26001C5FEE /* InvalidcAFalseTest3EE.crt in CopyFiles */, - E7A94B8113D89F26001C5FEE /* InvalidcRLIssuerTest27EE.crt in CopyFiles */, - E7A94B8213D89F26001C5FEE /* InvalidcRLIssuerTest31EE.crt in CopyFiles */, - E7A94B8313D89F26001C5FEE /* InvalidcRLIssuerTest32EE.crt in CopyFiles */, - E7A94B8413D89F26001C5FEE /* InvalidcRLIssuerTest34EE.crt in CopyFiles */, - E7A94B8513D89F26001C5FEE /* InvalidcRLIssuerTest35EE.crt in CopyFiles */, - E7A94B8613D89F26001C5FEE /* InvalidinhibitAnyPolicyTest1EE.crt in CopyFiles */, - E7A94B8713D89F26001C5FEE /* InvalidinhibitAnyPolicyTest4EE.crt in CopyFiles */, - E7A94B8813D89F26001C5FEE /* InvalidinhibitAnyPolicyTest5EE.crt in CopyFiles */, - E7A94B8913D89F26001C5FEE /* InvalidinhibitAnyPolicyTest6EE.crt in CopyFiles */, - E7A94B8A13D89F26001C5FEE /* InvalidinhibitPolicyMappingTest1EE.crt in CopyFiles */, - E7A94B8B13D89F26001C5FEE /* InvalidinhibitPolicyMappingTest3EE.crt in CopyFiles */, - E7A94B8C13D89F26001C5FEE /* InvalidinhibitPolicyMappingTest5EE.crt in CopyFiles */, - E7A94B8D13D89F26001C5FEE /* InvalidinhibitPolicyMappingTest6EE.crt in CopyFiles */, - E7A94B8E13D89F26001C5FEE /* InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt in CopyFiles */, - E7A94B8F13D89F26001C5FEE /* InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt in CopyFiles */, - E7A94B9013D89F26001C5FEE /* InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt in CopyFiles */, - E7A94B9113D89F26001C5FEE /* InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt in CopyFiles */, - E7A94B9213D89F26001C5FEE /* InvalidonlyContainsAttributeCertsTest14EE.crt in CopyFiles */, - E7A94B9313D89F26001C5FEE /* InvalidonlyContainsCACertsTest12EE.crt in CopyFiles */, - E7A94B9413D89F26001C5FEE /* 
InvalidonlyContainsUserCertsTest11EE.crt in CopyFiles */, - E7A94B9513D89F26001C5FEE /* InvalidonlySomeReasonsTest15EE.crt in CopyFiles */, - E7A94B9613D89F26001C5FEE /* InvalidonlySomeReasonsTest16EE.crt in CopyFiles */, - E7A94B9713D89F26001C5FEE /* InvalidonlySomeReasonsTest17EE.crt in CopyFiles */, - E7A94B9813D89F26001C5FEE /* InvalidonlySomeReasonsTest20EE.crt in CopyFiles */, - E7A94B9913D89F26001C5FEE /* InvalidonlySomeReasonsTest21EE.crt in CopyFiles */, - E7A94B9A13D89F26001C5FEE /* InvalidpathLenConstraintTest10EE.crt in CopyFiles */, - E7A94B9B13D89F26001C5FEE /* InvalidpathLenConstraintTest11EE.crt in CopyFiles */, - E7A94B9C13D89F26001C5FEE /* InvalidpathLenConstraintTest12EE.crt in CopyFiles */, - E7A94B9D13D89F26001C5FEE /* InvalidpathLenConstraintTest5EE.crt in CopyFiles */, - E7A94B9E13D89F26001C5FEE /* InvalidpathLenConstraintTest6EE.crt in CopyFiles */, - E7A94B9F13D89F26001C5FEE /* InvalidpathLenConstraintTest9EE.crt in CopyFiles */, - E7A94BA013D89F26001C5FEE /* Invalidpre2000UTCEEnotAfterDateTest7EE.crt in CopyFiles */, - E7A94BA113D89F26001C5FEE /* InvalidrequireExplicitPolicyTest3EE.crt in CopyFiles */, - E7A94BA213D89F26001C5FEE /* InvalidrequireExplicitPolicyTest5EE.crt in CopyFiles */, - E7A94BA313D89F26001C5FEE /* LongSerialNumberCACert.crt in CopyFiles */, - E7A94BA413D89F26001C5FEE /* Mapping1to2CACert.crt in CopyFiles */, - E7A94BA513D89F26001C5FEE /* MappingFromanyPolicyCACert.crt in CopyFiles */, - E7A94BA613D89F26001C5FEE /* MappingToanyPolicyCACert.crt in CopyFiles */, - E7A94BA713D89F26001C5FEE /* MissingbasicConstraintsCACert.crt in CopyFiles */, - E7A94BA813D89F26001C5FEE /* NameOrderingCACert.crt in CopyFiles */, - E7A94BA913D89F26001C5FEE /* NegativeSerialNumberCACert.crt in CopyFiles */, - E7A94BAA13D89F26001C5FEE /* NoCRLCACert.crt in CopyFiles */, - E7A94BAB13D89F26001C5FEE /* NoPoliciesCACert.crt in CopyFiles */, - E7A94BAC13D89F26001C5FEE /* NoissuingDistributionPointCACert.crt in CopyFiles */, - 
E7A94BAD13D89F26001C5FEE /* OldCRLnextUpdateCACert.crt in CopyFiles */, - E7A94BAE13D89F26001C5FEE /* OverlappingPoliciesTest6EE.crt in CopyFiles */, - E7A94BAF13D89F26001C5FEE /* P12Mapping1to3CACert.crt in CopyFiles */, - E7A94BB013D89F26001C5FEE /* P12Mapping1to3subCACert.crt in CopyFiles */, - E7A94BB113D89F26001C5FEE /* P12Mapping1to3subsubCACert.crt in CopyFiles */, - E7A94BB213D89F26001C5FEE /* P1Mapping1to234CACert.crt in CopyFiles */, - E7A94BB313D89F26001C5FEE /* P1Mapping1to234subCACert.crt in CopyFiles */, - E7A94BB413D89F26001C5FEE /* P1anyPolicyMapping1to2CACert.crt in CopyFiles */, - E7A94BB513D89F26001C5FEE /* PanyPolicyMapping1to2CACert.crt in CopyFiles */, - E7A94BB613D89F26001C5FEE /* PoliciesP1234CACert.crt in CopyFiles */, - E7A94BB713D89F26001C5FEE /* PoliciesP1234subCAP123Cert.crt in CopyFiles */, - E7A94BB813D89F26001C5FEE /* PoliciesP1234subsubCAP123P12Cert.crt in CopyFiles */, - E7A94BB913D89F26001C5FEE /* PoliciesP123CACert.crt in CopyFiles */, - E7A94BBA13D89F26001C5FEE /* PoliciesP123subCAP12Cert.crt in CopyFiles */, - E7A94BBB13D89F26001C5FEE /* PoliciesP123subsubCAP12P1Cert.crt in CopyFiles */, - E7A94BBC13D89F26001C5FEE /* PoliciesP123subsubCAP12P2Cert.crt in CopyFiles */, - E7A94BBD13D89F26001C5FEE /* PoliciesP123subsubsubCAP12P2P1Cert.crt in CopyFiles */, - E7A94BBE13D89F26001C5FEE /* PoliciesP12CACert.crt in CopyFiles */, - E7A94BBF13D89F26001C5FEE /* PoliciesP12subCAP1Cert.crt in CopyFiles */, - E7A94BC013D89F26001C5FEE /* PoliciesP12subsubCAP1P2Cert.crt in CopyFiles */, - E7A94BC113D89F26001C5FEE /* PoliciesP2subCA2Cert.crt in CopyFiles */, - E7A94BC213D89F26001C5FEE /* PoliciesP2subCACert.crt in CopyFiles */, - E7A94BC313D89F26001C5FEE /* PoliciesP3CACert.crt in CopyFiles */, - E7A94BC413D89F26001C5FEE /* RFC3280MandatoryAttributeTypesCACert.crt in CopyFiles */, - E7A94BC513D89F26001C5FEE /* RFC3280OptionalAttributeTypesCACert.crt in CopyFiles */, - E7A94BC613D89F26001C5FEE /* RevokedsubCACert.crt in CopyFiles */, - 
E7A94BC713D89F26001C5FEE /* RolloverfromPrintableStringtoUTF8StringCACert.crt in CopyFiles */, - E7A94BC813D89F26001C5FEE /* SeparateCertificateandCRLKeysCA2CRLSigningCert.crt in CopyFiles */, - E7A94BC913D89F26001C5FEE /* SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt in CopyFiles */, - E7A94BCA13D89F26001C5FEE /* SeparateCertificateandCRLKeysCertificateSigningCACert.crt in CopyFiles */, - E7A94BCB13D89F26001C5FEE /* TrustAnchorRootCertificate.crt in CopyFiles */, - E7A94BCC13D89F26001C5FEE /* TwoCRLsCACert.crt in CopyFiles */, - E7A94BCD13D89F26001C5FEE /* UIDCACert.crt in CopyFiles */, - E7A94BCE13D89F26001C5FEE /* UTF8StringCaseInsensitiveMatchCACert.crt in CopyFiles */, - E7A94BCF13D89F26001C5FEE /* UTF8StringEncodedNamesCACert.crt in CopyFiles */, - E7A94BD013D89F26001C5FEE /* UnknownCRLEntryExtensionCACert.crt in CopyFiles */, - E7A94BD113D89F26001C5FEE /* UnknownCRLExtensionCACert.crt in CopyFiles */, - E7A94BD213D89F26001C5FEE /* UserNoticeQualifierTest15EE.crt in CopyFiles */, - E7A94BD313D89F26001C5FEE /* UserNoticeQualifierTest16EE.crt in CopyFiles */, - E7A94BD413D89F26001C5FEE /* UserNoticeQualifierTest17EE.crt in CopyFiles */, - E7A94BD513D89F26001C5FEE /* UserNoticeQualifierTest18EE.crt in CopyFiles */, - E7A94BD613D89F26001C5FEE /* UserNoticeQualifierTest19EE.crt in CopyFiles */, - E7A94BD713D89F26001C5FEE /* ValidBasicSelfIssuedNewWithOldTest3EE.crt in CopyFiles */, - E7A94BD813D89F26001C5FEE /* ValidBasicSelfIssuedNewWithOldTest4EE.crt in CopyFiles */, - E7A94BD913D89F26001C5FEE /* ValidBasicSelfIssuedOldWithNewTest1EE.crt in CopyFiles */, - E7A94BDA13D89F26001C5FEE /* ValidCertificatePathTest1EE.crt in CopyFiles */, - E7A94BDB13D89F26001C5FEE /* ValidDNSnameConstraintsTest30EE.crt in CopyFiles */, - E7A94BDC13D89F26001C5FEE /* ValidDNSnameConstraintsTest32EE.crt in CopyFiles */, - E7A94BDD13D89F26001C5FEE /* ValidDNandRFC822nameConstraintsTest27EE.crt in CopyFiles */, - E7A94BDE13D89F26001C5FEE /* ValidDNnameConstraintsTest11EE.crt 
in CopyFiles */, - E7A94BDF13D89F26001C5FEE /* ValidDNnameConstraintsTest14EE.crt in CopyFiles */, - E7A94BE013D89F26001C5FEE /* ValidDNnameConstraintsTest18EE.crt in CopyFiles */, - E7A94BE113D89F26001C5FEE /* ValidDNnameConstraintsTest19EE.crt in CopyFiles */, - E7A94BE213D89F26001C5FEE /* ValidDNnameConstraintsTest1EE.crt in CopyFiles */, - E7A94BE313D89F26001C5FEE /* ValidDNnameConstraintsTest4EE.crt in CopyFiles */, - E7A94BE413D89F26001C5FEE /* ValidDNnameConstraintsTest5EE.crt in CopyFiles */, - E7A94BE513D89F26001C5FEE /* ValidDNnameConstraintsTest6EE.crt in CopyFiles */, - E7A94BE613D89F26001C5FEE /* ValidDSAParameterInheritanceTest5EE.crt in CopyFiles */, - E7A94BE713D89F26001C5FEE /* ValidDSASignaturesTest4EE.crt in CopyFiles */, - E7A94BE813D89F26001C5FEE /* ValidGeneralizedTimenotAfterDateTest8EE.crt in CopyFiles */, - E7A94BE913D89F26001C5FEE /* ValidGeneralizedTimenotBeforeDateTest4EE.crt in CopyFiles */, - E7A94BEA13D89F26001C5FEE /* ValidLongSerialNumberTest16EE.crt in CopyFiles */, - E7A94BEB13D89F26001C5FEE /* ValidLongSerialNumberTest17EE.crt in CopyFiles */, - E7A94BEC13D89F26001C5FEE /* ValidNameChainingCapitalizationTest5EE.crt in CopyFiles */, - E7A94BED13D89F26001C5FEE /* ValidNameChainingWhitespaceTest3EE.crt in CopyFiles */, - E7A94BEE13D89F26001C5FEE /* ValidNameChainingWhitespaceTest4EE.crt in CopyFiles */, - E7A94BEF13D89F26001C5FEE /* ValidNameUIDsTest6EE.crt in CopyFiles */, - E7A94BF013D89F26001C5FEE /* ValidNegativeSerialNumberTest14EE.crt in CopyFiles */, - E7A94BF113D89F26001C5FEE /* ValidPolicyMappingTest11EE.crt in CopyFiles */, - E7A94BF213D89F26001C5FEE /* ValidPolicyMappingTest12EE.crt in CopyFiles */, - E7A94BF313D89F26001C5FEE /* ValidPolicyMappingTest13EE.crt in CopyFiles */, - E7A94BF413D89F26001C5FEE /* ValidPolicyMappingTest14EE.crt in CopyFiles */, - E7A94BF513D89F26001C5FEE /* ValidPolicyMappingTest1EE.crt in CopyFiles */, - E7A94BF613D89F26001C5FEE /* ValidPolicyMappingTest3EE.crt in CopyFiles */, - 
E7A94BF713D89F26001C5FEE /* ValidPolicyMappingTest5EE.crt in CopyFiles */, - E7A94BF813D89F26001C5FEE /* ValidPolicyMappingTest6EE.crt in CopyFiles */, - E7A94BF913D89F26001C5FEE /* ValidPolicyMappingTest9EE.crt in CopyFiles */, - E7A94BFA13D89F26001C5FEE /* ValidRFC3280MandatoryAttributeTypesTest7EE.crt in CopyFiles */, - E7A94BFB13D89F26001C5FEE /* ValidRFC3280OptionalAttributeTypesTest8EE.crt in CopyFiles */, - E7A94BFC13D89F26001C5FEE /* ValidRFC822nameConstraintsTest21EE.crt in CopyFiles */, - E7A94BFD13D89F26001C5FEE /* ValidRFC822nameConstraintsTest23EE.crt in CopyFiles */, - E7A94BFE13D89F26001C5FEE /* ValidRFC822nameConstraintsTest25EE.crt in CopyFiles */, - E7A94BFF13D89F26001C5FEE /* ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt in CopyFiles */, - E7A94C0013D89F26001C5FEE /* ValidSelfIssuedinhibitAnyPolicyTest7EE.crt in CopyFiles */, - E7A94C0113D89F26001C5FEE /* ValidSelfIssuedinhibitAnyPolicyTest9EE.crt in CopyFiles */, - E7A94C0213D89F26001C5FEE /* ValidSelfIssuedinhibitPolicyMappingTest7EE.crt in CopyFiles */, - E7A94C0313D89F26001C5FEE /* ValidSelfIssuedpathLenConstraintTest15EE.crt in CopyFiles */, - E7A94C0413D89F26001C5FEE /* ValidSelfIssuedpathLenConstraintTest17EE.crt in CopyFiles */, - E7A94C0513D89F26001C5FEE /* ValidSelfIssuedrequireExplicitPolicyTest6EE.crt in CopyFiles */, - E7A94C0613D89F26001C5FEE /* ValidURInameConstraintsTest34EE.crt in CopyFiles */, - E7A94C0713D89F26001C5FEE /* ValidURInameConstraintsTest36EE.crt in CopyFiles */, - E7A94C0813D89F26001C5FEE /* ValidUTF8StringCaseInsensitiveMatchTest11EE.crt in CopyFiles */, - E7A94C0913D89F26001C5FEE /* ValidUTF8StringEncodedNamesTest9EE.crt in CopyFiles */, - E7A94C0A13D89F26001C5FEE /* ValidUnknownNotCriticalCertificateExtensionTest1EE.crt in CopyFiles */, - E7A94C0B13D89F26001C5FEE /* ValidbasicConstraintsNotCriticalTest4EE.crt in CopyFiles */, - E7A94C0C13D89F26001C5FEE /* ValidcRLIssuerTest28EE.crt in CopyFiles */, - E7A94C0D13D89F26001C5FEE /* 
ValidcRLIssuerTest29EE.crt in CopyFiles */, - E7A94C0E13D89F26001C5FEE /* ValidcRLIssuerTest30EE.crt in CopyFiles */, - E7A94C0F13D89F26001C5FEE /* ValidcRLIssuerTest33EE.crt in CopyFiles */, - E7A94C1013D89F26001C5FEE /* ValidinhibitAnyPolicyTest2EE.crt in CopyFiles */, - E7A94C1113D89F26001C5FEE /* ValidinhibitPolicyMappingTest2EE.crt in CopyFiles */, - E7A94C1213D89F27001C5FEE /* ValidinhibitPolicyMappingTest4EE.crt in CopyFiles */, - E7A94C1313D89F27001C5FEE /* ValidkeyUsageNotCriticalTest3EE.crt in CopyFiles */, - E7A94C1413D89F27001C5FEE /* ValidonlyContainsCACertsTest13EE.crt in CopyFiles */, - E7A94C1513D89F27001C5FEE /* ValidonlySomeReasonsTest18EE.crt in CopyFiles */, - E7A94C1613D89F27001C5FEE /* ValidonlySomeReasonsTest19EE.crt in CopyFiles */, - E7A94C1713D89F27001C5FEE /* ValidpathLenConstraintTest13EE.crt in CopyFiles */, - E7A94C1813D89F27001C5FEE /* ValidpathLenConstraintTest14EE.crt in CopyFiles */, - E7A94C1913D89F27001C5FEE /* ValidpathLenConstraintTest7EE.crt in CopyFiles */, - E7A94C1A13D89F27001C5FEE /* ValidpathLenConstraintTest8EE.crt in CopyFiles */, - E7A94C1B13D89F27001C5FEE /* Validpre2000UTCnotBeforeDateTest3EE.crt in CopyFiles */, - E7A94C1C13D89F27001C5FEE /* ValidrequireExplicitPolicyTest1EE.crt in CopyFiles */, - E7A94C1D13D89F27001C5FEE /* ValidrequireExplicitPolicyTest2EE.crt in CopyFiles */, - E7A94C1E13D89F27001C5FEE /* ValidrequireExplicitPolicyTest4EE.crt in CopyFiles */, - E7A94C1F13D89F27001C5FEE /* WrongCRLCACert.crt in CopyFiles */, - E7A94C2013D89F27001C5FEE /* anyPolicyCACert.crt in CopyFiles */, - E7A94C2113D89F27001C5FEE /* basicConstraintsCriticalcAFalseCACert.crt in CopyFiles */, - E7A94C2213D89F27001C5FEE /* basicConstraintsNotCriticalCACert.crt in CopyFiles */, - E7A94C2313D89F27001C5FEE /* basicConstraintsNotCriticalcAFalseCACert.crt in CopyFiles */, - E7A94C2413D89F27001C5FEE /* deltaCRLCA1Cert.crt in CopyFiles */, - E7A94C2513D89F27001C5FEE /* deltaCRLCA2Cert.crt in CopyFiles */, - E7A94C2613D89F27001C5FEE /* 
deltaCRLCA3Cert.crt in CopyFiles */, - E7A94C2713D89F27001C5FEE /* deltaCRLIndicatorNoBaseCACert.crt in CopyFiles */, - E7A94C2813D89F27001C5FEE /* distributionPoint1CACert.crt in CopyFiles */, - E7A94C2913D89F27001C5FEE /* distributionPoint2CACert.crt in CopyFiles */, - E7A94C2A13D89F27001C5FEE /* indirectCRLCA1Cert.crt in CopyFiles */, - E7A94C2B13D89F27001C5FEE /* indirectCRLCA2Cert.crt in CopyFiles */, - E7A94C2C13D89F27001C5FEE /* indirectCRLCA3Cert.crt in CopyFiles */, - E7A94C2D13D89F27001C5FEE /* indirectCRLCA3cRLIssuerCert.crt in CopyFiles */, - E7A94C2E13D89F27001C5FEE /* indirectCRLCA4Cert.crt in CopyFiles */, - E7A94C2F13D89F27001C5FEE /* indirectCRLCA4cRLIssuerCert.crt in CopyFiles */, - E7A94C3013D89F27001C5FEE /* indirectCRLCA5Cert.crt in CopyFiles */, - E7A94C3113D89F27001C5FEE /* indirectCRLCA6Cert.crt in CopyFiles */, - E7A94C3213D89F27001C5FEE /* inhibitAnyPolicy0CACert.crt in CopyFiles */, - E7A94C3313D89F27001C5FEE /* inhibitAnyPolicy1CACert.crt in CopyFiles */, - E7A94C3413D89F27001C5FEE /* inhibitAnyPolicy1SelfIssuedCACert.crt in CopyFiles */, - E7A94C3513D89F27001C5FEE /* inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt in CopyFiles */, - E7A94C3613D89F27001C5FEE /* inhibitAnyPolicy1subCA1Cert.crt in CopyFiles */, - E7A94C3713D89F27001C5FEE /* inhibitAnyPolicy1subCA2Cert.crt in CopyFiles */, - E7A94C3813D89F27001C5FEE /* inhibitAnyPolicy1subCAIAP5Cert.crt in CopyFiles */, - E7A94C3913D89F27001C5FEE /* inhibitAnyPolicy1subsubCA2Cert.crt in CopyFiles */, - E7A94C3A13D89F27001C5FEE /* inhibitAnyPolicy5CACert.crt in CopyFiles */, - E7A94C3B13D89F27001C5FEE /* inhibitAnyPolicy5subCACert.crt in CopyFiles */, - E7A94C3C13D89F27001C5FEE /* inhibitAnyPolicy5subsubCACert.crt in CopyFiles */, - E7A94C3D13D89F27001C5FEE /* inhibitAnyPolicyTest3EE.crt in CopyFiles */, - E7A94C3E13D89F27001C5FEE /* inhibitPolicyMapping0CACert.crt in CopyFiles */, - E7A94C3F13D89F27001C5FEE /* inhibitPolicyMapping0subCACert.crt in CopyFiles */, - E7A94C4013D89F27001C5FEE /* 
inhibitPolicyMapping1P12CACert.crt in CopyFiles */, - E7A94C4113D89F27001C5FEE /* inhibitPolicyMapping1P12subCACert.crt in CopyFiles */, - E7A94C4213D89F27001C5FEE /* inhibitPolicyMapping1P12subCAIPM5Cert.crt in CopyFiles */, - E7A94C4313D89F27001C5FEE /* inhibitPolicyMapping1P12subsubCACert.crt in CopyFiles */, - E7A94C4413D89F27001C5FEE /* inhibitPolicyMapping1P12subsubCAIPM5Cert.crt in CopyFiles */, - E7A94C4513D89F27001C5FEE /* inhibitPolicyMapping1P1CACert.crt in CopyFiles */, - E7A94C4613D89F27001C5FEE /* inhibitPolicyMapping1P1SelfIssuedCACert.crt in CopyFiles */, - E7A94C4713D89F27001C5FEE /* inhibitPolicyMapping1P1SelfIssuedsubCACert.crt in CopyFiles */, - E7A94C4813D89F27001C5FEE /* inhibitPolicyMapping1P1subCACert.crt in CopyFiles */, - E7A94C4913D89F27001C5FEE /* inhibitPolicyMapping1P1subsubCACert.crt in CopyFiles */, - E7A94C4A13D89F27001C5FEE /* inhibitPolicyMapping5CACert.crt in CopyFiles */, - E7A94C4B13D89F27001C5FEE /* inhibitPolicyMapping5subCACert.crt in CopyFiles */, - E7A94C4C13D89F27001C5FEE /* inhibitPolicyMapping5subsubCACert.crt in CopyFiles */, - E7A94C4D13D89F27001C5FEE /* inhibitPolicyMapping5subsubsubCACert.crt in CopyFiles */, - E7A94C4E13D89F27001C5FEE /* keyUsageCriticalcRLSignFalseCACert.crt in CopyFiles */, - E7A94C4F13D89F27001C5FEE /* keyUsageCriticalkeyCertSignFalseCACert.crt in CopyFiles */, - E7A94C5013D89F27001C5FEE /* keyUsageNotCriticalCACert.crt in CopyFiles */, - E7A94C5113D89F27001C5FEE /* keyUsageNotCriticalcRLSignFalseCACert.crt in CopyFiles */, - E7A94C5213D89F27001C5FEE /* keyUsageNotCriticalkeyCertSignFalseCACert.crt in CopyFiles */, - E7A94C5313D89F27001C5FEE /* nameConstraintsDN1CACert.crt in CopyFiles */, - E7A94C5413D89F27001C5FEE /* nameConstraintsDN1SelfIssuedCACert.crt in CopyFiles */, - E7A94C5513D89F27001C5FEE /* nameConstraintsDN1subCA1Cert.crt in CopyFiles */, - E7A94C5613D89F27001C5FEE /* nameConstraintsDN1subCA2Cert.crt in CopyFiles */, - E7A94C5713D89F27001C5FEE /* nameConstraintsDN1subCA3Cert.crt in 
CopyFiles */, - E7A94C5813D89F27001C5FEE /* nameConstraintsDN2CACert.crt in CopyFiles */, - E7A94C5913D89F27001C5FEE /* nameConstraintsDN3CACert.crt in CopyFiles */, - E7A94C5A13D89F27001C5FEE /* nameConstraintsDN3subCA1Cert.crt in CopyFiles */, - E7A94C5B13D89F27001C5FEE /* nameConstraintsDN3subCA2Cert.crt in CopyFiles */, - E7A94C5C13D89F27001C5FEE /* nameConstraintsDN4CACert.crt in CopyFiles */, - E7A94C5D13D89F27001C5FEE /* nameConstraintsDN5CACert.crt in CopyFiles */, - E7A94C5E13D89F27001C5FEE /* nameConstraintsDNS1CACert.crt in CopyFiles */, - E7A94C5F13D89F27001C5FEE /* nameConstraintsDNS2CACert.crt in CopyFiles */, - E7A94C6013D89F27001C5FEE /* nameConstraintsRFC822CA1Cert.crt in CopyFiles */, - E7A94C6113D89F27001C5FEE /* nameConstraintsRFC822CA2Cert.crt in CopyFiles */, - E7A94C6213D89F27001C5FEE /* nameConstraintsRFC822CA3Cert.crt in CopyFiles */, - E7A94C6313D89F27001C5FEE /* nameConstraintsURI1CACert.crt in CopyFiles */, - E7A94C6413D89F27001C5FEE /* nameConstraintsURI2CACert.crt in CopyFiles */, - E7A94C6513D89F27001C5FEE /* onlyContainsAttributeCertsCACert.crt in CopyFiles */, - E7A94C6613D89F27001C5FEE /* onlyContainsCACertsCACert.crt in CopyFiles */, - E7A94C6713D89F27001C5FEE /* onlyContainsUserCertsCACert.crt in CopyFiles */, - E7A94C6813D89F27001C5FEE /* onlySomeReasonsCA1Cert.crt in CopyFiles */, - E7A94C6913D89F27001C5FEE /* onlySomeReasonsCA2Cert.crt in CopyFiles */, - E7A94C6A13D89F27001C5FEE /* onlySomeReasonsCA3Cert.crt in CopyFiles */, - E7A94C6B13D89F27001C5FEE /* onlySomeReasonsCA4Cert.crt in CopyFiles */, - E7A94C6C13D89F27001C5FEE /* pathLenConstraint0CACert.crt in CopyFiles */, - E7A94C6D13D89F27001C5FEE /* pathLenConstraint0SelfIssuedCACert.crt in CopyFiles */, - E7A94C6E13D89F27001C5FEE /* pathLenConstraint0subCA2Cert.crt in CopyFiles */, - E7A94C6F13D89F27001C5FEE /* pathLenConstraint0subCACert.crt in CopyFiles */, - E7A94C7013D89F27001C5FEE /* pathLenConstraint1CACert.crt in CopyFiles */, - E7A94C7113D89F27001C5FEE /* 
pathLenConstraint1SelfIssuedCACert.crt in CopyFiles */, - E7A94C7213D89F27001C5FEE /* pathLenConstraint1SelfIssuedsubCACert.crt in CopyFiles */, - E7A94C7313D89F27001C5FEE /* pathLenConstraint1subCACert.crt in CopyFiles */, - E7A94C7413D89F27001C5FEE /* pathLenConstraint6CACert.crt in CopyFiles */, - E7A94C7513D89F27001C5FEE /* pathLenConstraint6subCA0Cert.crt in CopyFiles */, - E7A94C7613D89F27001C5FEE /* pathLenConstraint6subCA1Cert.crt in CopyFiles */, - E7A94C7713D89F27001C5FEE /* pathLenConstraint6subCA4Cert.crt in CopyFiles */, - E7A94C7813D89F27001C5FEE /* pathLenConstraint6subsubCA00Cert.crt in CopyFiles */, - E7A94C7913D89F27001C5FEE /* pathLenConstraint6subsubCA11Cert.crt in CopyFiles */, - E7A94C7A13D89F27001C5FEE /* pathLenConstraint6subsubCA41Cert.crt in CopyFiles */, - E7A94C7B13D89F27001C5FEE /* pathLenConstraint6subsubsubCA11XCert.crt in CopyFiles */, - E7A94C7C13D89F27001C5FEE /* pathLenConstraint6subsubsubCA41XCert.crt in CopyFiles */, - E7A94C7D13D89F27001C5FEE /* pre2000CRLnextUpdateCACert.crt in CopyFiles */, - E7A94C7E13D89F27001C5FEE /* requireExplicitPolicy0CACert.crt in CopyFiles */, - E7A94C7F13D89F27001C5FEE /* requireExplicitPolicy0subCACert.crt in CopyFiles */, - E7A94C8013D89F27001C5FEE /* requireExplicitPolicy0subsubCACert.crt in CopyFiles */, - E7A94C8113D89F27001C5FEE /* requireExplicitPolicy0subsubsubCACert.crt in CopyFiles */, - E7A94C8213D89F27001C5FEE /* requireExplicitPolicy10CACert.crt in CopyFiles */, - E7A94C8313D89F27001C5FEE /* requireExplicitPolicy10subCACert.crt in CopyFiles */, - E7A94C8413D89F27001C5FEE /* requireExplicitPolicy10subsubCACert.crt in CopyFiles */, - E7A94C8513D89F27001C5FEE /* requireExplicitPolicy10subsubsubCACert.crt in CopyFiles */, - E7A94C8613D89F27001C5FEE /* requireExplicitPolicy2CACert.crt in CopyFiles */, - E7A94C8713D89F27001C5FEE /* requireExplicitPolicy2SelfIssuedCACert.crt in CopyFiles */, - E7A94C8813D89F27001C5FEE /* requireExplicitPolicy2SelfIssuedsubCACert.crt in CopyFiles */, - 
E7A94C8913D89F27001C5FEE /* requireExplicitPolicy2subCACert.crt in CopyFiles */, - E7A94C8A13D89F27001C5FEE /* requireExplicitPolicy4CACert.crt in CopyFiles */, - E7A94C8B13D89F27001C5FEE /* requireExplicitPolicy4subCACert.crt in CopyFiles */, - E7A94C8C13D89F27001C5FEE /* requireExplicitPolicy4subsubCACert.crt in CopyFiles */, - E7A94C8D13D89F27001C5FEE /* requireExplicitPolicy4subsubsubCACert.crt in CopyFiles */, - E7A94C8E13D89F27001C5FEE /* requireExplicitPolicy5CACert.crt in CopyFiles */, - E7A94C8F13D89F27001C5FEE /* requireExplicitPolicy5subCACert.crt in CopyFiles */, - E7A94C9013D89F27001C5FEE /* requireExplicitPolicy5subsubCACert.crt in CopyFiles */, - E7A94C9113D89F27001C5FEE /* requireExplicitPolicy5subsubsubCACert.crt in CopyFiles */, - E7A94C9213D89F27001C5FEE /* requireExplicitPolicy7CACert.crt in CopyFiles */, - E7A94C9313D89F27001C5FEE /* requireExplicitPolicy7subCARE2Cert.crt in CopyFiles */, - E7A94C9413D89F27001C5FEE /* requireExplicitPolicy7subsubCARE2RE4Cert.crt in CopyFiles */, - E7A94C9513D89F27001C5FEE /* requireExplicitPolicy7subsubsubCARE2RE4Cert.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E7B01BBF166594AB000485F1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; }; - E7A94C9B13D8A14A001C5FEE /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 2147483647; - dstPath = "nist-certs"; - dstSubfolderSpec = 7; - files = ( - E7A94C9C13D8A1AC001C5FEE /* Expectations.plist in CopyFiles */, - E7A94C9D13D8A1AC001C5FEE /* AllCertificatesNoPoliciesTest2EE.crt in CopyFiles */, - E7A94C9E13D8A1AC001C5FEE /* AllCertificatesSamePoliciesTest10EE.crt in CopyFiles */, - E7A94C9F13D8A1AC001C5FEE /* AllCertificatesSamePoliciesTest13EE.crt in CopyFiles */, - E7A94CA013D8A1AC001C5FEE /* AllCertificatesanyPolicyTest11EE.crt in CopyFiles 
*/, - E7A94CA113D8A1AC001C5FEE /* AnyPolicyTest14EE.crt in CopyFiles */, - E7A94CA213D8A1AC001C5FEE /* BadCRLIssuerNameCACert.crt in CopyFiles */, - E7A94CA313D8A1AC001C5FEE /* BadCRLSignatureCACert.crt in CopyFiles */, - E7A94CA413D8A1AC001C5FEE /* BadSignedCACert.crt in CopyFiles */, - E7A94CA513D8A1AC001C5FEE /* BadnotAfterDateCACert.crt in CopyFiles */, - E7A94CA613D8A1AC001C5FEE /* BadnotBeforeDateCACert.crt in CopyFiles */, - E7A94CA713D8A1AC001C5FEE /* BasicSelfIssuedCRLSigningKeyCACert.crt in CopyFiles */, - E7A94CA813D8A1AC001C5FEE /* BasicSelfIssuedNewKeyCACert.crt in CopyFiles */, - E7A94CA913D8A1AC001C5FEE /* BasicSelfIssuedNewKeyOldWithNewCACert.crt in CopyFiles */, - E7A94CAA13D8A1AC001C5FEE /* BasicSelfIssuedOldKeyCACert.crt in CopyFiles */, - E7A94CAB13D8A1AC001C5FEE /* BasicSelfIssuedOldKeyNewWithOldCACert.crt in CopyFiles */, - E7A94CAC13D8A1AC001C5FEE /* CPSPointerQualifierTest20EE.crt in CopyFiles */, - E7A94CAD13D8A1AC001C5FEE /* DSACACert.crt in CopyFiles */, - E7A94CAE13D8A1AC001C5FEE /* DSAParametersInheritedCACert.crt in CopyFiles */, - E7A94CAF13D8A1AC001C5FEE /* DifferentPoliciesTest12EE.crt in CopyFiles */, - E7A94CB013D8A1AC001C5FEE /* DifferentPoliciesTest3EE.crt in CopyFiles */, - E7A94CB113D8A1AC001C5FEE /* DifferentPoliciesTest4EE.crt in CopyFiles */, - E7A94CB213D8A1AC001C5FEE /* DifferentPoliciesTest5EE.crt in CopyFiles */, - E7A94CB313D8A1AC001C5FEE /* DifferentPoliciesTest7EE.crt in CopyFiles */, - E7A94CB413D8A1AC001C5FEE /* DifferentPoliciesTest8EE.crt in CopyFiles */, - E7A94CB513D8A1AC001C5FEE /* DifferentPoliciesTest9EE.crt in CopyFiles */, - E7A94CB613D8A1AC001C5FEE /* GeneralizedTimeCRLnextUpdateCACert.crt in CopyFiles */, - E7A94CB713D8A1AC001C5FEE /* GoodCACert.crt in CopyFiles */, - E7A94CB813D8A1AC001C5FEE /* GoodsubCACert.crt in CopyFiles */, - E7A94CB913D8A1AC001C5FEE /* GoodsubCAPanyPolicyMapping1to2CACert.crt in CopyFiles */, - E7A94CBA13D8A1AC001C5FEE /* InvalidBasicSelfIssuedNewWithOldTest5EE.crt in CopyFiles 
*/, - E7A94CBB13D8A1AC001C5FEE /* InvalidBasicSelfIssuedOldWithNewTest2EE.crt in CopyFiles */, - E7A94CBC13D8A1AC001C5FEE /* InvalidCASignatureTest2EE.crt in CopyFiles */, - E7A94CBD13D8A1AC001C5FEE /* InvalidCAnotAfterDateTest5EE.crt in CopyFiles */, - E7A94CBE13D8A1AC001C5FEE /* InvalidCAnotBeforeDateTest1EE.crt in CopyFiles */, - E7A94CBF13D8A1AC001C5FEE /* InvalidDNSnameConstraintsTest31EE.crt in CopyFiles */, - E7A94CC013D8A1AC001C5FEE /* InvalidDNSnameConstraintsTest33EE.crt in CopyFiles */, - E7A94CC113D8A1AC001C5FEE /* InvalidDNSnameConstraintsTest38EE.crt in CopyFiles */, - E7A94CC213D8A1AC001C5FEE /* InvalidDNandRFC822nameConstraintsTest28EE.crt in CopyFiles */, - E7A94CC313D8A1AC001C5FEE /* InvalidDNandRFC822nameConstraintsTest29EE.crt in CopyFiles */, - E7A94CC413D8A1AC001C5FEE /* InvalidDNnameConstraintsTest10EE.crt in CopyFiles */, - E7A94CC513D8A1AC001C5FEE /* InvalidDNnameConstraintsTest12EE.crt in CopyFiles */, - E7A94CC613D8A1AC001C5FEE /* InvalidDNnameConstraintsTest13EE.crt in CopyFiles */, - E7A94CC713D8A1AC001C5FEE /* InvalidDNnameConstraintsTest15EE.crt in CopyFiles */, - E7A94CC813D8A1AC001C5FEE /* InvalidDNnameConstraintsTest16EE.crt in CopyFiles */, - E7A94CC913D8A1AC001C5FEE /* InvalidDNnameConstraintsTest17EE.crt in CopyFiles */, - E7A94CCA13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest20EE.crt in CopyFiles */, - E7A94CCB13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest2EE.crt in CopyFiles */, - E7A94CCC13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest3EE.crt in CopyFiles */, - E7A94CCD13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest7EE.crt in CopyFiles */, - E7A94CCE13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest8EE.crt in CopyFiles */, - E7A94CCF13D8A1AC001C5FEE /* InvalidDNnameConstraintsTest9EE.crt in CopyFiles */, - E7A94CD013D8A1AC001C5FEE /* InvalidDSASignatureTest6EE.crt in CopyFiles */, - E7A94CD113D8A1AC001C5FEE /* InvalidEESignatureTest3EE.crt in CopyFiles */, - E7A94CD213D8A1AC001C5FEE /* InvalidEEnotAfterDateTest6EE.crt in 
CopyFiles */, - E7A94CD313D8A1AC001C5FEE /* InvalidEEnotBeforeDateTest2EE.crt in CopyFiles */, - E7A94CD413D8A1AC001C5FEE /* InvalidLongSerialNumberTest18EE.crt in CopyFiles */, - E7A94CD513D8A1AC001C5FEE /* InvalidMappingFromanyPolicyTest7EE.crt in CopyFiles */, - E7A94CD613D8A1AC001C5FEE /* InvalidMappingToanyPolicyTest8EE.crt in CopyFiles */, - E7A94CD713D8A1AC001C5FEE /* InvalidMissingbasicConstraintsTest1EE.crt in CopyFiles */, - E7A94CD813D8A1AC001C5FEE /* InvalidNameChainingOrderTest2EE.crt in CopyFiles */, - E7A94CD913D8A1AC001C5FEE /* InvalidNameChainingTest1EE.crt in CopyFiles */, - E7A94CDA13D8A1AC001C5FEE /* InvalidNegativeSerialNumberTest15EE.crt in CopyFiles */, - E7A94CDB13D8A1AC001C5FEE /* InvalidPolicyMappingTest10EE.crt in CopyFiles */, - E7A94CDC13D8A1AC001C5FEE /* InvalidPolicyMappingTest2EE.crt in CopyFiles */, - E7A94CDD13D8A1AC001C5FEE /* InvalidPolicyMappingTest4EE.crt in CopyFiles */, - E7A94CDE13D8A1AC001C5FEE /* InvalidRFC822nameConstraintsTest22EE.crt in CopyFiles */, - E7A94CDF13D8A1AC001C5FEE /* InvalidRFC822nameConstraintsTest24EE.crt in CopyFiles */, - E7A94CE013D8A1AC001C5FEE /* InvalidRFC822nameConstraintsTest26EE.crt in CopyFiles */, - E7A94CE113D8A1AC001C5FEE /* InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt in CopyFiles */, - E7A94CE213D8A1AC001C5FEE /* InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt in CopyFiles */, - E7A94CE313D8A1AC001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt in CopyFiles */, - E7A94CE413D8A1AC001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt in CopyFiles */, - E7A94CE513D8A1AC001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt in CopyFiles */, - E7A94CE613D8A1AC001C5FEE /* InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt in CopyFiles */, - E7A94CE713D8A1AC001C5FEE /* InvalidSelfIssuedpathLenConstraintTest16EE.crt in CopyFiles */, - E7A94CE813D8A1AC001C5FEE /* InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt in CopyFiles */, - E7A94CE913D8A1AC001C5FEE /* 
InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt in CopyFiles */, - E7A94CEA13D8A1AC001C5FEE /* InvalidURInameConstraintsTest35EE.crt in CopyFiles */, - E7A94CEB13D8A1AC001C5FEE /* InvalidURInameConstraintsTest37EE.crt in CopyFiles */, - E7A94CEC13D8A1AC001C5FEE /* InvalidUnknownCriticalCertificateExtensionTest2EE.crt in CopyFiles */, - E7A94CED13D8A1AC001C5FEE /* InvalidcAFalseTest2EE.crt in CopyFiles */, - E7A94CEE13D8A1AC001C5FEE /* InvalidcAFalseTest3EE.crt in CopyFiles */, - E7A94CEF13D8A1AC001C5FEE /* InvalidcRLIssuerTest27EE.crt in CopyFiles */, - E7A94CF013D8A1AC001C5FEE /* InvalidcRLIssuerTest31EE.crt in CopyFiles */, - E7A94CF113D8A1AC001C5FEE /* InvalidcRLIssuerTest32EE.crt in CopyFiles */, - E7A94CF213D8A1AC001C5FEE /* InvalidcRLIssuerTest34EE.crt in CopyFiles */, - E7A94CF313D8A1AC001C5FEE /* InvalidcRLIssuerTest35EE.crt in CopyFiles */, - E7A94CF413D8A1AC001C5FEE /* InvalidinhibitAnyPolicyTest1EE.crt in CopyFiles */, - E7A94CF513D8A1AC001C5FEE /* InvalidinhibitAnyPolicyTest4EE.crt in CopyFiles */, - E7A94CF613D8A1AC001C5FEE /* InvalidinhibitAnyPolicyTest5EE.crt in CopyFiles */, - E7A94CF713D8A1AC001C5FEE /* InvalidinhibitAnyPolicyTest6EE.crt in CopyFiles */, - E7A94CF813D8A1AC001C5FEE /* InvalidinhibitPolicyMappingTest1EE.crt in CopyFiles */, - E7A94CF913D8A1AC001C5FEE /* InvalidinhibitPolicyMappingTest3EE.crt in CopyFiles */, - E7A94CFA13D8A1AC001C5FEE /* InvalidinhibitPolicyMappingTest5EE.crt in CopyFiles */, - E7A94CFB13D8A1AC001C5FEE /* InvalidinhibitPolicyMappingTest6EE.crt in CopyFiles */, - E7A94CFC13D8A1AC001C5FEE /* InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt in CopyFiles */, - E7A94CFD13D8A1AC001C5FEE /* InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt in CopyFiles */, - E7A94CFE13D8A1AC001C5FEE /* InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt in CopyFiles */, - E7A94CFF13D8A1AC001C5FEE /* InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt in CopyFiles */, - E7A94D0013D8A1AC001C5FEE /* 
InvalidonlyContainsAttributeCertsTest14EE.crt in CopyFiles */, - E7A94D0113D8A1AC001C5FEE /* InvalidonlyContainsCACertsTest12EE.crt in CopyFiles */, - E7A94D0213D8A1AC001C5FEE /* InvalidonlyContainsUserCertsTest11EE.crt in CopyFiles */, - E7A94D0313D8A1AC001C5FEE /* InvalidonlySomeReasonsTest15EE.crt in CopyFiles */, - E7A94D0413D8A1AC001C5FEE /* InvalidonlySomeReasonsTest16EE.crt in CopyFiles */, - E7A94D0513D8A1AC001C5FEE /* InvalidonlySomeReasonsTest17EE.crt in CopyFiles */, - E7A94D0613D8A1AC001C5FEE /* InvalidonlySomeReasonsTest20EE.crt in CopyFiles */, - E7A94D0713D8A1AC001C5FEE /* InvalidonlySomeReasonsTest21EE.crt in CopyFiles */, - E7A94D0813D8A1AC001C5FEE /* InvalidpathLenConstraintTest10EE.crt in CopyFiles */, - E7A94D0913D8A1AC001C5FEE /* InvalidpathLenConstraintTest11EE.crt in CopyFiles */, - E7A94D0A13D8A1AC001C5FEE /* InvalidpathLenConstraintTest12EE.crt in CopyFiles */, - E7A94D0B13D8A1AC001C5FEE /* InvalidpathLenConstraintTest5EE.crt in CopyFiles */, - E7A94D0C13D8A1AC001C5FEE /* InvalidpathLenConstraintTest6EE.crt in CopyFiles */, - E7A94D0D13D8A1AC001C5FEE /* InvalidpathLenConstraintTest9EE.crt in CopyFiles */, - E7A94D0E13D8A1AC001C5FEE /* Invalidpre2000UTCEEnotAfterDateTest7EE.crt in CopyFiles */, - E7A94D0F13D8A1AC001C5FEE /* InvalidrequireExplicitPolicyTest3EE.crt in CopyFiles */, - E7A94D1013D8A1AC001C5FEE /* InvalidrequireExplicitPolicyTest5EE.crt in CopyFiles */, - E7A94D1113D8A1AC001C5FEE /* LongSerialNumberCACert.crt in CopyFiles */, - E7A94D1213D8A1AC001C5FEE /* Mapping1to2CACert.crt in CopyFiles */, - E7A94D1313D8A1AC001C5FEE /* MappingFromanyPolicyCACert.crt in CopyFiles */, - E7A94D1413D8A1AC001C5FEE /* MappingToanyPolicyCACert.crt in CopyFiles */, - E7A94D1513D8A1AC001C5FEE /* MissingbasicConstraintsCACert.crt in CopyFiles */, - E7A94D1613D8A1AC001C5FEE /* NameOrderingCACert.crt in CopyFiles */, - E7A94D1713D8A1AC001C5FEE /* NegativeSerialNumberCACert.crt in CopyFiles */, - E7A94D1813D8A1AC001C5FEE /* NoCRLCACert.crt in CopyFiles 
*/, - E7A94D1913D8A1AC001C5FEE /* NoPoliciesCACert.crt in CopyFiles */, - E7A94D1A13D8A1AC001C5FEE /* NoissuingDistributionPointCACert.crt in CopyFiles */, - E7A94D1B13D8A1AC001C5FEE /* OldCRLnextUpdateCACert.crt in CopyFiles */, - E7A94D1C13D8A1AC001C5FEE /* OverlappingPoliciesTest6EE.crt in CopyFiles */, - E7A94D1D13D8A1AC001C5FEE /* P12Mapping1to3CACert.crt in CopyFiles */, - E7A94D1E13D8A1AC001C5FEE /* P12Mapping1to3subCACert.crt in CopyFiles */, - E7A94D1F13D8A1AC001C5FEE /* P12Mapping1to3subsubCACert.crt in CopyFiles */, - E7A94D2013D8A1AC001C5FEE /* P1Mapping1to234CACert.crt in CopyFiles */, - E7A94D2113D8A1AC001C5FEE /* P1Mapping1to234subCACert.crt in CopyFiles */, - E7A94D2213D8A1AC001C5FEE /* P1anyPolicyMapping1to2CACert.crt in CopyFiles */, - E7A94D2313D8A1AC001C5FEE /* PanyPolicyMapping1to2CACert.crt in CopyFiles */, - E7A94D2413D8A1AC001C5FEE /* PoliciesP1234CACert.crt in CopyFiles */, - E7A94D2513D8A1AC001C5FEE /* PoliciesP1234subCAP123Cert.crt in CopyFiles */, - E7A94D2613D8A1AC001C5FEE /* PoliciesP1234subsubCAP123P12Cert.crt in CopyFiles */, - E7A94D2713D8A1AC001C5FEE /* PoliciesP123CACert.crt in CopyFiles */, - E7A94D2813D8A1AC001C5FEE /* PoliciesP123subCAP12Cert.crt in CopyFiles */, - E7A94D2913D8A1AC001C5FEE /* PoliciesP123subsubCAP12P1Cert.crt in CopyFiles */, - E7A94D2A13D8A1AC001C5FEE /* PoliciesP123subsubCAP12P2Cert.crt in CopyFiles */, - E7A94D2B13D8A1AC001C5FEE /* PoliciesP123subsubsubCAP12P2P1Cert.crt in CopyFiles */, - E7A94D2C13D8A1AC001C5FEE /* PoliciesP12CACert.crt in CopyFiles */, - E7A94D2D13D8A1AC001C5FEE /* PoliciesP12subCAP1Cert.crt in CopyFiles */, - E7A94D2E13D8A1AC001C5FEE /* PoliciesP12subsubCAP1P2Cert.crt in CopyFiles */, - E7A94D2F13D8A1AC001C5FEE /* PoliciesP2subCA2Cert.crt in CopyFiles */, - E7A94D3013D8A1AD001C5FEE /* PoliciesP2subCACert.crt in CopyFiles */, - E7A94D3113D8A1AD001C5FEE /* PoliciesP3CACert.crt in CopyFiles */, - E7A94D3213D8A1AD001C5FEE /* RFC3280MandatoryAttributeTypesCACert.crt in CopyFiles */, - 
E7A94D3313D8A1AD001C5FEE /* RFC3280OptionalAttributeTypesCACert.crt in CopyFiles */, - E7A94D3413D8A1AD001C5FEE /* RevokedsubCACert.crt in CopyFiles */, - E7A94D3513D8A1AD001C5FEE /* RolloverfromPrintableStringtoUTF8StringCACert.crt in CopyFiles */, - E7A94D3613D8A1AD001C5FEE /* SeparateCertificateandCRLKeysCA2CRLSigningCert.crt in CopyFiles */, - E7A94D3713D8A1AD001C5FEE /* SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt in CopyFiles */, - E7A94D3813D8A1AD001C5FEE /* SeparateCertificateandCRLKeysCertificateSigningCACert.crt in CopyFiles */, - E7A94D3913D8A1AD001C5FEE /* TrustAnchorRootCertificate.crt in CopyFiles */, - E7A94D3A13D8A1AD001C5FEE /* TwoCRLsCACert.crt in CopyFiles */, - E7A94D3B13D8A1AD001C5FEE /* UIDCACert.crt in CopyFiles */, - E7A94D3C13D8A1AD001C5FEE /* UTF8StringCaseInsensitiveMatchCACert.crt in CopyFiles */, - E7A94D3D13D8A1AD001C5FEE /* UTF8StringEncodedNamesCACert.crt in CopyFiles */, - E7A94D3E13D8A1AD001C5FEE /* UnknownCRLEntryExtensionCACert.crt in CopyFiles */, - E7A94D3F13D8A1AD001C5FEE /* UnknownCRLExtensionCACert.crt in CopyFiles */, - E7A94D4013D8A1AD001C5FEE /* UserNoticeQualifierTest15EE.crt in CopyFiles */, - E7A94D4113D8A1AD001C5FEE /* UserNoticeQualifierTest16EE.crt in CopyFiles */, - E7A94D4213D8A1AD001C5FEE /* UserNoticeQualifierTest17EE.crt in CopyFiles */, - E7A94D4313D8A1AD001C5FEE /* UserNoticeQualifierTest18EE.crt in CopyFiles */, - E7A94D4413D8A1AD001C5FEE /* UserNoticeQualifierTest19EE.crt in CopyFiles */, - E7A94D4513D8A1AD001C5FEE /* ValidBasicSelfIssuedNewWithOldTest3EE.crt in CopyFiles */, - E7A94D4613D8A1AD001C5FEE /* ValidBasicSelfIssuedNewWithOldTest4EE.crt in CopyFiles */, - E7A94D4713D8A1AD001C5FEE /* ValidBasicSelfIssuedOldWithNewTest1EE.crt in CopyFiles */, - E7A94D4813D8A1AD001C5FEE /* ValidCertificatePathTest1EE.crt in CopyFiles */, - E7A94D4913D8A1AD001C5FEE /* ValidDNSnameConstraintsTest30EE.crt in CopyFiles */, - E7A94D4A13D8A1AD001C5FEE /* ValidDNSnameConstraintsTest32EE.crt in CopyFiles */, 
- E7A94D4B13D8A1AD001C5FEE /* ValidDNandRFC822nameConstraintsTest27EE.crt in CopyFiles */, - E7A94D4C13D8A1AD001C5FEE /* ValidDNnameConstraintsTest11EE.crt in CopyFiles */, - E7A94D4D13D8A1AD001C5FEE /* ValidDNnameConstraintsTest14EE.crt in CopyFiles */, - E7A94D4E13D8A1AD001C5FEE /* ValidDNnameConstraintsTest18EE.crt in CopyFiles */, - E7A94D4F13D8A1AD001C5FEE /* ValidDNnameConstraintsTest19EE.crt in CopyFiles */, - E7A94D5013D8A1AD001C5FEE /* ValidDNnameConstraintsTest1EE.crt in CopyFiles */, - E7A94D5113D8A1AD001C5FEE /* ValidDNnameConstraintsTest4EE.crt in CopyFiles */, - E7A94D5213D8A1AD001C5FEE /* ValidDNnameConstraintsTest5EE.crt in CopyFiles */, - E7A94D5313D8A1AD001C5FEE /* ValidDNnameConstraintsTest6EE.crt in CopyFiles */, - E7A94D5413D8A1AD001C5FEE /* ValidDSAParameterInheritanceTest5EE.crt in CopyFiles */, - E7A94D5513D8A1AD001C5FEE /* ValidDSASignaturesTest4EE.crt in CopyFiles */, - E7A94D5613D8A1AD001C5FEE /* ValidGeneralizedTimenotAfterDateTest8EE.crt in CopyFiles */, - E7A94D5713D8A1AD001C5FEE /* ValidGeneralizedTimenotBeforeDateTest4EE.crt in CopyFiles */, - E7A94D5813D8A1AD001C5FEE /* ValidLongSerialNumberTest16EE.crt in CopyFiles */, - E7A94D5913D8A1AD001C5FEE /* ValidLongSerialNumberTest17EE.crt in CopyFiles */, - E7A94D5A13D8A1AD001C5FEE /* ValidNameChainingCapitalizationTest5EE.crt in CopyFiles */, - E7A94D5B13D8A1AD001C5FEE /* ValidNameChainingWhitespaceTest3EE.crt in CopyFiles */, - E7A94D5C13D8A1AD001C5FEE /* ValidNameChainingWhitespaceTest4EE.crt in CopyFiles */, - E7A94D5D13D8A1AD001C5FEE /* ValidNameUIDsTest6EE.crt in CopyFiles */, - E7A94D5E13D8A1AD001C5FEE /* ValidNegativeSerialNumberTest14EE.crt in CopyFiles */, - E7A94D5F13D8A1AD001C5FEE /* ValidPolicyMappingTest11EE.crt in CopyFiles */, - E7A94D6013D8A1AD001C5FEE /* ValidPolicyMappingTest12EE.crt in CopyFiles */, - E7A94D6113D8A1AD001C5FEE /* ValidPolicyMappingTest13EE.crt in CopyFiles */, - E7A94D6213D8A1AD001C5FEE /* ValidPolicyMappingTest14EE.crt in CopyFiles */, - 
E7A94D6313D8A1AD001C5FEE /* ValidPolicyMappingTest1EE.crt in CopyFiles */, - E7A94D6413D8A1AD001C5FEE /* ValidPolicyMappingTest3EE.crt in CopyFiles */, - E7A94D6513D8A1AD001C5FEE /* ValidPolicyMappingTest5EE.crt in CopyFiles */, - E7A94D6613D8A1AD001C5FEE /* ValidPolicyMappingTest6EE.crt in CopyFiles */, - E7A94D6713D8A1AD001C5FEE /* ValidPolicyMappingTest9EE.crt in CopyFiles */, - E7A94D6813D8A1AD001C5FEE /* ValidRFC3280MandatoryAttributeTypesTest7EE.crt in CopyFiles */, - E7A94D6913D8A1AD001C5FEE /* ValidRFC3280OptionalAttributeTypesTest8EE.crt in CopyFiles */, - E7A94D6A13D8A1AD001C5FEE /* ValidRFC822nameConstraintsTest21EE.crt in CopyFiles */, - E7A94D6B13D8A1AD001C5FEE /* ValidRFC822nameConstraintsTest23EE.crt in CopyFiles */, - E7A94D6C13D8A1AD001C5FEE /* ValidRFC822nameConstraintsTest25EE.crt in CopyFiles */, - E7A94D6D13D8A1AD001C5FEE /* ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt in CopyFiles */, - E7A94D6E13D8A1AD001C5FEE /* ValidSelfIssuedinhibitAnyPolicyTest7EE.crt in CopyFiles */, - E7A94D6F13D8A1AD001C5FEE /* ValidSelfIssuedinhibitAnyPolicyTest9EE.crt in CopyFiles */, - E7A94D7013D8A1AD001C5FEE /* ValidSelfIssuedinhibitPolicyMappingTest7EE.crt in CopyFiles */, - E7A94D7113D8A1AD001C5FEE /* ValidSelfIssuedpathLenConstraintTest15EE.crt in CopyFiles */, - E7A94D7213D8A1AD001C5FEE /* ValidSelfIssuedpathLenConstraintTest17EE.crt in CopyFiles */, - E7A94D7313D8A1AD001C5FEE /* ValidSelfIssuedrequireExplicitPolicyTest6EE.crt in CopyFiles */, - E7A94D7413D8A1AD001C5FEE /* ValidURInameConstraintsTest34EE.crt in CopyFiles */, - E7A94D7513D8A1AD001C5FEE /* ValidURInameConstraintsTest36EE.crt in CopyFiles */, - E7A94D7613D8A1AD001C5FEE /* ValidUTF8StringCaseInsensitiveMatchTest11EE.crt in CopyFiles */, - E7A94D7713D8A1AD001C5FEE /* ValidUTF8StringEncodedNamesTest9EE.crt in CopyFiles */, - E7A94D7813D8A1AD001C5FEE /* ValidUnknownNotCriticalCertificateExtensionTest1EE.crt in CopyFiles */, - E7A94D7913D8A1AD001C5FEE /* 
ValidbasicConstraintsNotCriticalTest4EE.crt in CopyFiles */, - E7A94D7A13D8A1AD001C5FEE /* ValidcRLIssuerTest28EE.crt in CopyFiles */, - E7A94D7B13D8A1AD001C5FEE /* ValidcRLIssuerTest29EE.crt in CopyFiles */, - E7A94D7C13D8A1AD001C5FEE /* ValidcRLIssuerTest30EE.crt in CopyFiles */, - E7A94D7D13D8A1AD001C5FEE /* ValidcRLIssuerTest33EE.crt in CopyFiles */, - E7A94D7E13D8A1AD001C5FEE /* ValidinhibitAnyPolicyTest2EE.crt in CopyFiles */, - E7A94D7F13D8A1AD001C5FEE /* ValidinhibitPolicyMappingTest2EE.crt in CopyFiles */, - E7A94D8013D8A1AD001C5FEE /* ValidinhibitPolicyMappingTest4EE.crt in CopyFiles */, - E7A94D8113D8A1AD001C5FEE /* ValidkeyUsageNotCriticalTest3EE.crt in CopyFiles */, - E7A94D8213D8A1AD001C5FEE /* ValidonlyContainsCACertsTest13EE.crt in CopyFiles */, - E7A94D8313D8A1AD001C5FEE /* ValidonlySomeReasonsTest18EE.crt in CopyFiles */, - E7A94D8413D8A1AD001C5FEE /* ValidonlySomeReasonsTest19EE.crt in CopyFiles */, - E7A94D8513D8A1AD001C5FEE /* ValidpathLenConstraintTest13EE.crt in CopyFiles */, - E7A94D8613D8A1AD001C5FEE /* ValidpathLenConstraintTest14EE.crt in CopyFiles */, - E7A94D8713D8A1AD001C5FEE /* ValidpathLenConstraintTest7EE.crt in CopyFiles */, - E7A94D8813D8A1AD001C5FEE /* ValidpathLenConstraintTest8EE.crt in CopyFiles */, - E7A94D8913D8A1AD001C5FEE /* Validpre2000UTCnotBeforeDateTest3EE.crt in CopyFiles */, - E7A94D8A13D8A1AD001C5FEE /* ValidrequireExplicitPolicyTest1EE.crt in CopyFiles */, - E7A94D8B13D8A1AD001C5FEE /* ValidrequireExplicitPolicyTest2EE.crt in CopyFiles */, - E7A94D8C13D8A1AD001C5FEE /* ValidrequireExplicitPolicyTest4EE.crt in CopyFiles */, - E7A94D8D13D8A1AD001C5FEE /* WrongCRLCACert.crt in CopyFiles */, - E7A94D8E13D8A1AD001C5FEE /* anyPolicyCACert.crt in CopyFiles */, - E7A94D8F13D8A1AD001C5FEE /* basicConstraintsCriticalcAFalseCACert.crt in CopyFiles */, - E7A94D9013D8A1AD001C5FEE /* basicConstraintsNotCriticalCACert.crt in CopyFiles */, - E7A94D9113D8A1AD001C5FEE /* basicConstraintsNotCriticalcAFalseCACert.crt in CopyFiles */, 
- E7A94D9213D8A1AD001C5FEE /* deltaCRLCA1Cert.crt in CopyFiles */, - E7A94D9313D8A1AD001C5FEE /* deltaCRLCA2Cert.crt in CopyFiles */, - E7A94D9413D8A1AD001C5FEE /* deltaCRLCA3Cert.crt in CopyFiles */, - E7A94D9513D8A1AD001C5FEE /* deltaCRLIndicatorNoBaseCACert.crt in CopyFiles */, - E7A94D9613D8A1AD001C5FEE /* distributionPoint1CACert.crt in CopyFiles */, - E7A94D9713D8A1AD001C5FEE /* distributionPoint2CACert.crt in CopyFiles */, - E7A94D9813D8A1AD001C5FEE /* indirectCRLCA1Cert.crt in CopyFiles */, - E7A94D9913D8A1AD001C5FEE /* indirectCRLCA2Cert.crt in CopyFiles */, - E7A94D9A13D8A1AD001C5FEE /* indirectCRLCA3Cert.crt in CopyFiles */, - E7A94D9B13D8A1AD001C5FEE /* indirectCRLCA3cRLIssuerCert.crt in CopyFiles */, - E7A94D9C13D8A1AD001C5FEE /* indirectCRLCA4Cert.crt in CopyFiles */, - E7A94D9D13D8A1AD001C5FEE /* indirectCRLCA4cRLIssuerCert.crt in CopyFiles */, - E7A94D9E13D8A1AD001C5FEE /* indirectCRLCA5Cert.crt in CopyFiles */, - E7A94D9F13D8A1AD001C5FEE /* indirectCRLCA6Cert.crt in CopyFiles */, - E7A94DA013D8A1AD001C5FEE /* inhibitAnyPolicy0CACert.crt in CopyFiles */, - E7A94DA113D8A1AD001C5FEE /* inhibitAnyPolicy1CACert.crt in CopyFiles */, - E7A94DA213D8A1AD001C5FEE /* inhibitAnyPolicy1SelfIssuedCACert.crt in CopyFiles */, - E7A94DA313D8A1AD001C5FEE /* inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt in CopyFiles */, - E7A94DA413D8A1AD001C5FEE /* inhibitAnyPolicy1subCA1Cert.crt in CopyFiles */, - E7A94DA513D8A1AD001C5FEE /* inhibitAnyPolicy1subCA2Cert.crt in CopyFiles */, - E7A94DA613D8A1AD001C5FEE /* inhibitAnyPolicy1subCAIAP5Cert.crt in CopyFiles */, - E7A94DA713D8A1AD001C5FEE /* inhibitAnyPolicy1subsubCA2Cert.crt in CopyFiles */, - E7A94DA813D8A1AD001C5FEE /* inhibitAnyPolicy5CACert.crt in CopyFiles */, - E7A94DA913D8A1AD001C5FEE /* inhibitAnyPolicy5subCACert.crt in CopyFiles */, - E7A94DAA13D8A1AD001C5FEE /* inhibitAnyPolicy5subsubCACert.crt in CopyFiles */, - E7A94DAB13D8A1AD001C5FEE /* inhibitAnyPolicyTest3EE.crt in CopyFiles */, - E7A94DAC13D8A1AD001C5FEE /* 
inhibitPolicyMapping0CACert.crt in CopyFiles */, - E7A94DAD13D8A1AD001C5FEE /* inhibitPolicyMapping0subCACert.crt in CopyFiles */, - E7A94DAE13D8A1AD001C5FEE /* inhibitPolicyMapping1P12CACert.crt in CopyFiles */, - E7A94DAF13D8A1AD001C5FEE /* inhibitPolicyMapping1P12subCACert.crt in CopyFiles */, - E7A94DB013D8A1AD001C5FEE /* inhibitPolicyMapping1P12subCAIPM5Cert.crt in CopyFiles */, - E7A94DB113D8A1AD001C5FEE /* inhibitPolicyMapping1P12subsubCACert.crt in CopyFiles */, - E7A94DB213D8A1AD001C5FEE /* inhibitPolicyMapping1P12subsubCAIPM5Cert.crt in CopyFiles */, - E7A94DB313D8A1AD001C5FEE /* inhibitPolicyMapping1P1CACert.crt in CopyFiles */, - E7A94DB413D8A1AD001C5FEE /* inhibitPolicyMapping1P1SelfIssuedCACert.crt in CopyFiles */, - E7A94DB513D8A1AD001C5FEE /* inhibitPolicyMapping1P1SelfIssuedsubCACert.crt in CopyFiles */, - E7A94DB613D8A1AD001C5FEE /* inhibitPolicyMapping1P1subCACert.crt in CopyFiles */, - E7A94DB713D8A1AD001C5FEE /* inhibitPolicyMapping1P1subsubCACert.crt in CopyFiles */, - E7A94DB813D8A1AD001C5FEE /* inhibitPolicyMapping5CACert.crt in CopyFiles */, - E7A94DB913D8A1AD001C5FEE /* inhibitPolicyMapping5subCACert.crt in CopyFiles */, - E7A94DBA13D8A1AD001C5FEE /* inhibitPolicyMapping5subsubCACert.crt in CopyFiles */, - E7A94DBB13D8A1AD001C5FEE /* inhibitPolicyMapping5subsubsubCACert.crt in CopyFiles */, - E7A94DBC13D8A1AD001C5FEE /* keyUsageCriticalcRLSignFalseCACert.crt in CopyFiles */, - E7A94DBD13D8A1AD001C5FEE /* keyUsageCriticalkeyCertSignFalseCACert.crt in CopyFiles */, - E7A94DBE13D8A1AD001C5FEE /* keyUsageNotCriticalCACert.crt in CopyFiles */, - E7A94DBF13D8A1AD001C5FEE /* keyUsageNotCriticalcRLSignFalseCACert.crt in CopyFiles */, - E7A94DC013D8A1AD001C5FEE /* keyUsageNotCriticalkeyCertSignFalseCACert.crt in CopyFiles */, - E7A94DC113D8A1AD001C5FEE /* nameConstraintsDN1CACert.crt in CopyFiles */, - E7A94DC213D8A1AD001C5FEE /* nameConstraintsDN1SelfIssuedCACert.crt in CopyFiles */, - E7A94DC313D8A1AD001C5FEE /* nameConstraintsDN1subCA1Cert.crt 
in CopyFiles */, - E7A94DC413D8A1AD001C5FEE /* nameConstraintsDN1subCA2Cert.crt in CopyFiles */, - E7A94DC513D8A1AD001C5FEE /* nameConstraintsDN1subCA3Cert.crt in CopyFiles */, - E7A94DC613D8A1AD001C5FEE /* nameConstraintsDN2CACert.crt in CopyFiles */, - E7A94DC713D8A1AD001C5FEE /* nameConstraintsDN3CACert.crt in CopyFiles */, - E7A94DC813D8A1AD001C5FEE /* nameConstraintsDN3subCA1Cert.crt in CopyFiles */, - E7A94DC913D8A1AD001C5FEE /* nameConstraintsDN3subCA2Cert.crt in CopyFiles */, - E7A94DCA13D8A1AD001C5FEE /* nameConstraintsDN4CACert.crt in CopyFiles */, - E7A94DCB13D8A1AD001C5FEE /* nameConstraintsDN5CACert.crt in CopyFiles */, - E7A94DCC13D8A1AD001C5FEE /* nameConstraintsDNS1CACert.crt in CopyFiles */, - E7A94DCD13D8A1AD001C5FEE /* nameConstraintsDNS2CACert.crt in CopyFiles */, - E7A94DCE13D8A1AD001C5FEE /* nameConstraintsRFC822CA1Cert.crt in CopyFiles */, - E7A94DCF13D8A1AD001C5FEE /* nameConstraintsRFC822CA2Cert.crt in CopyFiles */, - E7A94DD013D8A1AD001C5FEE /* nameConstraintsRFC822CA3Cert.crt in CopyFiles */, - E7A94DD113D8A1AD001C5FEE /* nameConstraintsURI1CACert.crt in CopyFiles */, - E7A94DD213D8A1AD001C5FEE /* nameConstraintsURI2CACert.crt in CopyFiles */, - E7A94DD313D8A1AD001C5FEE /* onlyContainsAttributeCertsCACert.crt in CopyFiles */, - E7A94DD413D8A1AD001C5FEE /* onlyContainsCACertsCACert.crt in CopyFiles */, - E7A94DD513D8A1AD001C5FEE /* onlyContainsUserCertsCACert.crt in CopyFiles */, - E7A94DD613D8A1AD001C5FEE /* onlySomeReasonsCA1Cert.crt in CopyFiles */, - E7A94DD713D8A1AD001C5FEE /* onlySomeReasonsCA2Cert.crt in CopyFiles */, - E7A94DD813D8A1AD001C5FEE /* onlySomeReasonsCA3Cert.crt in CopyFiles */, - E7A94DD913D8A1AD001C5FEE /* onlySomeReasonsCA4Cert.crt in CopyFiles */, - E7A94DDA13D8A1AD001C5FEE /* pathLenConstraint0CACert.crt in CopyFiles */, - E7A94DDB13D8A1AD001C5FEE /* pathLenConstraint0SelfIssuedCACert.crt in CopyFiles */, - E7A94DDC13D8A1AD001C5FEE /* pathLenConstraint0subCA2Cert.crt in CopyFiles */, - E7A94DDD13D8A1AD001C5FEE /* 
pathLenConstraint0subCACert.crt in CopyFiles */, - E7A94DDE13D8A1AD001C5FEE /* pathLenConstraint1CACert.crt in CopyFiles */, - E7A94DDF13D8A1AE001C5FEE /* pathLenConstraint1SelfIssuedCACert.crt in CopyFiles */, - E7A94DE013D8A1AE001C5FEE /* pathLenConstraint1SelfIssuedsubCACert.crt in CopyFiles */, - E7A94DE113D8A1AE001C5FEE /* pathLenConstraint1subCACert.crt in CopyFiles */, - E7A94DE213D8A1AE001C5FEE /* pathLenConstraint6CACert.crt in CopyFiles */, - E7A94DE313D8A1AE001C5FEE /* pathLenConstraint6subCA0Cert.crt in CopyFiles */, - E7A94DE413D8A1AE001C5FEE /* pathLenConstraint6subCA1Cert.crt in CopyFiles */, - E7A94DE513D8A1AE001C5FEE /* pathLenConstraint6subCA4Cert.crt in CopyFiles */, - E7A94DE613D8A1AE001C5FEE /* pathLenConstraint6subsubCA00Cert.crt in CopyFiles */, - E7A94DE713D8A1AE001C5FEE /* pathLenConstraint6subsubCA11Cert.crt in CopyFiles */, - E7A94DE813D8A1AE001C5FEE /* pathLenConstraint6subsubCA41Cert.crt in CopyFiles */, - E7A94DE913D8A1AE001C5FEE /* pathLenConstraint6subsubsubCA11XCert.crt in CopyFiles */, - E7A94DEA13D8A1AE001C5FEE /* pathLenConstraint6subsubsubCA41XCert.crt in CopyFiles */, - E7A94DEB13D8A1AE001C5FEE /* pre2000CRLnextUpdateCACert.crt in CopyFiles */, - E7A94DEC13D8A1AE001C5FEE /* requireExplicitPolicy0CACert.crt in CopyFiles */, - E7A94DED13D8A1AE001C5FEE /* requireExplicitPolicy0subCACert.crt in CopyFiles */, - E7A94DEE13D8A1AE001C5FEE /* requireExplicitPolicy0subsubCACert.crt in CopyFiles */, - E7A94DEF13D8A1AE001C5FEE /* requireExplicitPolicy0subsubsubCACert.crt in CopyFiles */, - E7A94DF013D8A1AE001C5FEE /* requireExplicitPolicy10CACert.crt in CopyFiles */, - E7A94DF113D8A1AE001C5FEE /* requireExplicitPolicy10subCACert.crt in CopyFiles */, - E7A94DF213D8A1AE001C5FEE /* requireExplicitPolicy10subsubCACert.crt in CopyFiles */, - E7A94DF313D8A1AE001C5FEE /* requireExplicitPolicy10subsubsubCACert.crt in CopyFiles */, - E7A94DF413D8A1AE001C5FEE /* requireExplicitPolicy2CACert.crt in CopyFiles */, - E7A94DF513D8A1AE001C5FEE /* 
requireExplicitPolicy2SelfIssuedCACert.crt in CopyFiles */, - E7A94DF613D8A1AE001C5FEE /* requireExplicitPolicy2SelfIssuedsubCACert.crt in CopyFiles */, - E7A94DF713D8A1AE001C5FEE /* requireExplicitPolicy2subCACert.crt in CopyFiles */, - E7A94DF813D8A1AE001C5FEE /* requireExplicitPolicy4CACert.crt in CopyFiles */, - E7A94DF913D8A1AE001C5FEE /* requireExplicitPolicy4subCACert.crt in CopyFiles */, - E7A94DFA13D8A1AE001C5FEE /* requireExplicitPolicy4subsubCACert.crt in CopyFiles */, - E7A94DFB13D8A1AE001C5FEE /* requireExplicitPolicy4subsubsubCACert.crt in CopyFiles */, - E7A94DFC13D8A1AE001C5FEE /* requireExplicitPolicy5CACert.crt in CopyFiles */, - E7A94DFD13D8A1AE001C5FEE /* requireExplicitPolicy5subCACert.crt in CopyFiles */, - E7A94DFE13D8A1AE001C5FEE /* requireExplicitPolicy5subsubCACert.crt in CopyFiles */, - E7A94DFF13D8A1AE001C5FEE /* requireExplicitPolicy5subsubsubCACert.crt in CopyFiles */, - E7A94E0013D8A1AE001C5FEE /* requireExplicitPolicy7CACert.crt in CopyFiles */, - E7A94E0113D8A1AE001C5FEE /* requireExplicitPolicy7subCARE2Cert.crt in CopyFiles */, - E7A94E0213D8A1AE001C5FEE /* requireExplicitPolicy7subsubCARE2RE4Cert.crt in CopyFiles */, - E7A94E0313D8A1AE001C5FEE /* requireExplicitPolicy7subsubsubCARE2RE4Cert.crt in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 0; + E7B01BC1166594AB000485F1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E75714E1F48800CDE635; + remoteInfo = libSOSRegressions; }; - EB5D72ED1B0CB082009CAA47 /* Old SOS header location */ = { + E7CFF6701C84F62900E3484E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = E7D847C41C6BE9710025BB44; + remoteInfo = KeychainCircle; + }; + E7CFF6721C84F62900E3484E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + 
containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = E7D847CD1C6BE9720025BB44; + remoteInfo = KeychainCircleTests; + }; + E7CFF6741C84F65D00E3484E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = E7CFF6471C84F61200E3484E; + remoteInfo = Security_KeychainCircle; + }; + E7CFF6761C84F66A00E3484E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = E7CFF6471C84F61200E3484E; + remoteInfo = Security_KeychainCircle; + }; + E7D847D01C6BE9720025BB44 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = E7D847C41C6BE9710025BB44; + remoteInfo = KeychainCircle; + }; + E7E0C73C1C90EE0000E69A21 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 053BA313091C00BF00A7007A; + remoteInfo = libDER; + }; + E7E0C73E1C90EE0500E69A21 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 795CA97A0D38269B00BAE6A2 /* libsecurity_asn1.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 795CA7FE0D38013D00BAE6A2; + remoteInfo = libASN1; + }; + E7E0D8FA158FAB3B002CA176 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E7E0D8E8158FA9A3002CA176; + remoteInfo = libutilitiesRegressions; + }; + E7E0D8FD158FAB3B002CA176 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 
E7E0D8F9158FA9A3002CA176; + remoteInfo = libutilitiesRegressions; + }; + E7E0D8FF158FAB52002CA176 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E7E0D8E8158FA9A3002CA176; + remoteInfo = libutilitiesRegressions; + }; + E7E7B21F1BFA865300B1E66B /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 05EF687F1949143A007958C3 /* securityd.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = AA6D4B890E6F3BB80050206D; + remoteInfo = securityd; + }; + E7E7B24A1BFC0CD900B1E66B /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = CD276C261A83F60C003226BC; + remoteInfo = IDSKeychainSyncingProxy; + }; + E7EE5A33139DC042005C78BE /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 053BA313091C00BF00A7007A; + remoteInfo = libDER; + }; + E7FEFB8E169E36B000E18152 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E7FEFB8C169E363300E18152; + remoteInfo = libSOSCommands; + }; + E7FEFB92169E377900E18152 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18F7F65814D77DF700F88A12 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E7FEFB82169E363300E18152; + remoteInfo = libSOSCommands; + }; + EB31EA821D3EF2FB008F952A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 5346480017331E1100FE9172; + remoteInfo = KeychainSyncAccountNotification; + }; + EB3A8E001BEEC6F3001A89AA /* PBXContainerItemProxy */ = { + isa = 
PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EB9C1D791BDFD0E000F89272; + remoteInfo = secbackupntest; + }; + EB425CD01C6585F1000ECE53 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EB425C9E1C65846D000ECE53; + remoteInfo = secbackuptest; + }; + EB433A2B1CC3252A00A7EACE /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EB433A201CC3243600A7EACE; + remoteInfo = secitemstresstest; + }; + EB63ADE01C3E74F900C45A69 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EB0BC9361C3C791500785842; + remoteInfo = secedumodetest; + }; + EB6A6FAC1B90F84D0045DC68 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C7CFA2E14E1BA4800DF9D95; + remoteInfo = Security_frameworks_ios; + }; + EB6A6FB21B90F89F0045DC68 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 790851B50CA9859F0083CC4D; + remoteInfo = securityd; + }; + EB6A6FB81B90F8D70045DC68 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 4C541F840F250BF500E508AE; + remoteInfo = Security_executables_ios; + }; + EB6A6FBA1B90F8EC0045DC68 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 
0C7CFA2E14E1BA4800DF9D95; + remoteInfo = Security_frameworks_ios; + }; + EB6A6FBC1B90F9170045DC68 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 4C32C0AE0A4975F6002891BD; + remoteInfo = Security; + }; + EB9C1DB61BDFD51800F89272 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EB9C1DAE1BDFD4DE00F89272; + remoteInfo = SecurityBatsTests; + }; + EB9FE08C1BFBC48F004FEAAF /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EB9C1DAE1BDFD4DE00F89272; + remoteInfo = SecurityBatsTests; + }; + EB9FE0B51BFBC499004FEAAF /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EB9C1DAE1BDFD4DE00F89272; + remoteInfo = SecurityBatsTests; + }; + EBA9AA881CE3E76C004E2B68 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EBA9AA7D1CE30E58004E2B68; + remoteInfo = secitemnotifications; + }; + EBB696D31BE2085700715F16 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EB9C1D791BDFD0E000F89272; + remoteInfo = secbackupntest; + }; + EBB697121BE20C7600715F16 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 051D8F82194913E500AEF66A /* OSX.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = EBB697041BE208FC00715F16; + remoteInfo = secbackupntest; + }; + EBBE205B1C21382F00B7A639 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + 
containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EBBE20571C21380100B7A639; + remoteInfo = SecurityFeatures; + }; + EBC15EA81BE29AC3001C0C5B /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EB9C1DAE1BDFD4DE00F89272; + remoteInfo = SecurityBatsTests; + }; + EBCF743E1CE593A700BED7CA /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = EBCF73F31CE45F9C00BED7CA; + remoteInfo = secitemfunctionality; + }; + EBD849351B242C8900C5FD1E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 4CE5A54C09C796E100D27A3F; + remoteInfo = sslViewer; + }; + F94E7AE11ACC8E7700F23132 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = F93C49021AB8FCE00047E01A; + remoteInfo = ckcdiagnose.sh; + }; +/* End PBXContainerItemProxy section */ + +/* Begin PBXCopyFilesBuildPhase section */ + 0C0BDB2D175685B000BC1A7E /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = /usr/local/include; + buildActionMask = 2147483647; + dstPath = /usr/share/man/man1/; dstSubfolderSpec = 0; files = ( - EB5D73111B0CB0BE009CAA47 /* SOSPeerInfo.h in Old SOS header location */, - EB5D73101B0CB09E009CAA47 /* SOSTypes.h in Old SOS header location */, ); - name = "Old SOS header location"; runOnlyForDeploymentPostprocessing = 1; }; - EB9C1DB41BDFD4F200F89272 /* install BATS plist */ = { + 4814D8691CAA059E002FFC36 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; - dstPath = /AppleInternal/CoreOS/BATS/unit_tests; + dstPath = 
/System/Library/Preferences/Logging/Subsystems; dstSubfolderSpec = 0; files = ( - EB9C1DB51BDFD50100F89272 /* Security.plist in install BATS plist */, - EB3A8DFF1BEEC66F001A89AA /* Security_edumode.plist in install BATS plist */, + 486326311CAA0C0F00A466D9 /* com.apple.securityd.plist in CopyFiles */, ); - name = "install BATS plist"; + runOnlyForDeploymentPostprocessing = 1; + }; + 4C50AD081410673800EE92DE /* Copy DigiNotar Resources */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = DigiNotar; + dstSubfolderSpec = 7; + files = ( + 4C50AD0C1410679000EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar Resources */, + 4C50AD0D1410679000EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar Resources */, + 4C50AD0E1410679000EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar Resources */, + 4C50AD0F1410679000EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar Resources */, + 4C50AD101410679000EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar Resources */, + 4C50AD111410679000EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar Resources */, + 4C50AD121410679000EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar Resources */, + 4C50AD131410679000EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar Resources */, + 4C50AD141410679000EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar Resources */, + 4C50AD151410679000EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar Resources */, + 4C8B91C91416ED7E00A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar Resources */, + 4C8B91CA1416ED7E00A254E2 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar Resources */, + 4C8B91CB1416ED7E00A254E2 /* Invalid-diginotarpkioverheidcaoverheid.crt 
in Copy DigiNotar Resources */, + 4C8B91CC1416ED7E00A254E2 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar Resources */, + 4C8B91CD1416ED7E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar Resources */, + 4C8B91CF1416ED7E00A254E2 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar Resources */, + 4C8B91D01416ED7E00A254E2 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar Resources */, + 4C8B91D11416ED7E00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar Resources */, + ); + name = "Copy DigiNotar Resources"; + runOnlyForDeploymentPostprocessing = 0; + }; + 4C50AD091410675400EE92DE /* Copy DigiNotar-Entrust Resources */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = "DigiNotar-Entrust"; + dstSubfolderSpec = 7; + files = ( + 4C50AD181410679900EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD191410679900EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD1A1410679900EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD1B1410679900EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD1C1410679900EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD1D1410679900EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD1E1410679900EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD1F1410679900EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD201410679900EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD211410679900EE92DE /* 
diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD221410679900EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C8B91D21416ED8E00A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-Entrust Resources */, + 4C8B91D31416ED8E00A254E2 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C8B91D41416ED8E00A254E2 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar-Entrust Resources */, + 4C8B91D51416ED8E00A254E2 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C8B91D61416ED8E00A254E2 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar-Entrust Resources */, + 4C8B91D81416ED8E00A254E2 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C8B91D91416ED8E00A254E2 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C8B91DA1416ED8E00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-Entrust Resources */, + ); + name = "Copy DigiNotar-Entrust Resources"; + runOnlyForDeploymentPostprocessing = 0; + }; + 4C50AD0A1410676300EE92DE /* Copy DigiNotar-ok Resources */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = "DigiNotar-ok"; + dstSubfolderSpec = 7; + files = ( + 4C50AD23141067A100EE92DE /* DigiNotarCA2007RootCertificate.crt in Copy DigiNotar-ok Resources */, + 4C8B91E41416ED9A00A254E2 /* DigiNotar_Root_CA_G2-RootCertificate.crt in Copy DigiNotar-ok Resources */, + 4C50AD24141067A100EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar-ok Resources */, + 4C50AD25141067A100EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-ok Resources */, + 4C50AD26141067A100EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-ok 
Resources */, + 4C50AD27141067A100EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-ok Resources */, + 4C50AD28141067A100EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-ok Resources */, + 4C50AD29141067A100EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-ok Resources */, + 4C50AD2A141067A100EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-ok Resources */, + 4C50AD2B141067A100EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-ok Resources */, + 4C50AD2C141067A100EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-ok Resources */, + 4C50AD2D141067A100EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-ok Resources */, + 4C8B91DB1416ED9400A254E2 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-ok Resources */, + 4C8B91E31416ED9400A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-ok Resources */, + 4C50AD30141068C100EE92DE /* Expectations.plist in Copy DigiNotar-ok Resources */, + ); + name = "Copy DigiNotar-ok Resources"; + runOnlyForDeploymentPostprocessing = 0; + }; + 4C50AD3414106A2900EE92DE /* Copy DigiNotar Resources */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = DigiNotar; + dstSubfolderSpec = 7; + files = ( + 4C50AD3914106A4E00EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar Resources */, + 4C50AD3A14106A4E00EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar Resources */, + 4C50AD3B14106A4E00EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar Resources */, + 4C50AD3C14106A4E00EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar Resources */, + 4C50AD3D14106A4E00EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar Resources */, + 
4C50AD3E14106A4E00EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar Resources */, + 4C50AD3F14106A4E00EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar Resources */, + 4C50AD4014106A4E00EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar Resources */, + 4C50AD4114106A4E00EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar Resources */, + 4C50AD4214106A4E00EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar Resources */, + 4C3CECF41416E2EC00947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar Resources */, + 4C3CECF51416E2FA00947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar Resources */, + 4C3CECF61416E31A00947741 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar Resources */, + 4C3CECF81416E33500947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar Resources */, + 4C3CECF91416E34F00947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar Resources */, + 4C3CECFB1416E34F00947741 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar Resources */, + 4C3CECFC1416E34F00947741 /* staatdernederlandenoverheidca-Cert.crt in Copy DigiNotar Resources */, + 4C8B91C81416EBB500A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar Resources */, + ); + name = "Copy DigiNotar Resources"; + runOnlyForDeploymentPostprocessing = 0; + }; + 4C50AD3514106A2B00EE92DE /* Copy DigiNotar-Entrust Resources */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = "DigiNotar-Entrust"; + dstSubfolderSpec = 7; + files = ( + 4C8B91C61416EB8B00A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4614106A5000EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4714106A5000EE92DE /* 
Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4814106A5000EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4914106A5000EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4A14106A5000EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4B14106A5000EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4C14106A5000EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4D14106A5000EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4E14106A5000EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD4F14106A5000EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C50AD5014106A5000EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C3CECFD1416E35400947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-Entrust Resources */, + 4C3CECFE1416E35400947741 /* Invalid-DigiNotar_PKIoverheid_CA_Organisatie_-_G2-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C3CECFF1416E35400947741 /* Invalid-diginotarpkioverheidcaoverheid.crt in Copy DigiNotar-Entrust Resources */, + 4C3CED001416E35400947741 /* Invalid-diginotarpkioverheidcaoverheidenbedrijven-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C3CED011416E35400947741 /* Ministerie_van_Defensie_Certificatie_Autoriteit_G2.crt in Copy DigiNotar-Entrust Resources */, + 4C3CED031416E35400947741 /* staatdernederlandenorganisatieca-g2-Cert.crt in Copy DigiNotar-Entrust Resources */, + 4C3CED041416E35400947741 /* staatdernederlandenoverheidca-Cert.crt in Copy 
DigiNotar-Entrust Resources */, + ); + name = "Copy DigiNotar-Entrust Resources"; + runOnlyForDeploymentPostprocessing = 0; + }; + 4C50AD3614106A2C00EE92DE /* Copy DigiNotar-ok Resources */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = "DigiNotar-ok"; + dstSubfolderSpec = 7; + files = ( + 4C50AD5114106A5400EE92DE /* Expectations.plist in Copy DigiNotar-ok Resources */, + 4C50AD5214106A5400EE92DE /* DigiNotarCA2007RootCertificate.crt in Copy DigiNotar-ok Resources */, + 4C3CECF31416E25C00947741 /* DigiNotar_Root_CA_G2-RootCertificate.crt in Copy DigiNotar-ok Resources */, + 4C50AD5314106A5400EE92DE /* Invalid-asterisk.google.com.crt in Copy DigiNotar-ok Resources */, + 4C50AD5414106A5400EE92DE /* Invalid-muisonline.omnyacc-denhelder.nl-diginotar.cyberca.crt in Copy DigiNotar-ok Resources */, + 4C50AD5514106A5400EE92DE /* Invalid-webmail.terneuzen.nl-diginotar-services.crt in Copy DigiNotar-ok Resources */, + 4C50AD5614106A5400EE92DE /* Invalid-www.maestre.com-diginotal.extended.validation.crt in Copy DigiNotar-ok Resources */, + 4C50AD5714106A5400EE92DE /* Invalid-www.mobilehostingservices.nl-diginotar-services-1024.crt in Copy DigiNotar-ok Resources */, + 4C50AD5814106A5400EE92DE /* diginotar-public-ca-2025-Cert.crt in Copy DigiNotar-ok Resources */, + 4C50AD5914106A5400EE92DE /* diginotar-services-1024-entrust-secure-server-Cert.crt in Copy DigiNotar-ok Resources */, + 4C50AD5A14106A5400EE92DE /* diginotar-services-diginotar-root-Cert.crt in Copy DigiNotar-ok Resources */, + 4C50AD5B14106A5400EE92DE /* diginotar.cyberca-gte.global.root-Cert.crt in Copy DigiNotar-ok Resources */, + 4C50AD5C14106A5400EE92DE /* diginotar.extended.validation-diginotar.root.ca-Cert.crt in Copy DigiNotar-ok Resources */, + 4C3CED051416E35A00947741 /* Invalid-CertiID_Enterprise_Certificate_Authority.crt in Copy DigiNotar-ok Resources */, + 4C8B91C71416EBA400A254E2 /* Invalid-webmail.portofamsterdam.nl.crt in Copy DigiNotar-ok Resources */, + ); + name = 
"Copy DigiNotar-ok Resources"; + runOnlyForDeploymentPostprocessing = 0; + }; + 4C52D0B216EFC61E0079966E /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = /System/Library/LaunchDaemons; + dstSubfolderSpec = 0; + files = ( + 4C52D0E916EFCCF80079966E /* com.apple.security.CircleJoinRequested.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 5E11CAD919A759E2008A3664 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/bin; + dstSubfolderSpec = 0; + files = ( + 5E11CADA19A75A1F008A3664 /* KeychainItemsAclTest.sh in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 79679E231462023800CF997F /* Copy DigiCertMalaysia Resources */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = DigicertMalaysia; + dstSubfolderSpec = 7; + files = ( + 79679E29146202A800CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in Copy DigiCertMalaysia Resources */, + 7947431E1462151E00D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in Copy DigiCertMalaysia Resources */, + 79679E2A146202A800CF997F /* Invalid-webmail.jaring.my.crt in Copy DigiCertMalaysia Resources */, + 7947431A146213DC00D638A3 /* Invalid-www.cybersecurity.my.crt in Copy DigiCertMalaysia Resources */, + ); + name = "Copy DigiCertMalaysia Resources"; + runOnlyForDeploymentPostprocessing = 0; + }; + 79679E2B146202BC00CF997F /* Copy DigicertMalaysia Resources */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = DigicertMalaysia; + dstSubfolderSpec = 7; + files = ( + 79679E2C146202CB00CF997F /* Digisign-Server-ID-Enrich-Entrust-Cert.crt in Copy DigicertMalaysia Resources */, + 7947431D1462151400D638A3 /* Digisign-Server-ID-Enrich-GTETrust-Cert.crt in Copy DigicertMalaysia Resources */, + 79679E2D146202CB00CF997F /* Invalid-webmail.jaring.my.crt in Copy DigicertMalaysia Resources */, + 7947431B146213EF00D638A3 /* 
Invalid-www.cybersecurity.my.crt in Copy DigicertMalaysia Resources */, + ); + name = "Copy DigicertMalaysia Resources"; + runOnlyForDeploymentPostprocessing = 0; + }; + 79863B6C0CADCE4300818B0D /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/LaunchDaemons; + dstSubfolderSpec = 0; + files = ( + 79863B710CADCEAB00818B0D /* com.apple.securityd.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + BE442BBA18B7FDB800F24DAE /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/LaunchDaemons; + dstSubfolderSpec = 0; + files = ( + BE4AC9AE18B7FFC800B84964 /* com.apple.security.swcagent.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + CDB9FCAA179CD054000AAD66 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/Frameworks/Security.framework/CircleJoinRequested; + dstSubfolderSpec = 0; + files = ( + CDB9FCAB179CD098000AAD66 /* Info.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + CDF91EA61AAE019800E88CF7 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/IdentityServices/ServiceDefinitions; + dstSubfolderSpec = 0; + files = ( + CDF91EF31AAE024A00E88CF7 /* com.apple.private.alloy.keychainsync.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + E73288DD1AED7215008CE839 /* Copy SecureObjectSync Headers */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = PrivateHeaders/SecureObjectSync; + dstSubfolderSpec = 1; + files = ( + 52BF42C21AFAD10C00821B5D /* SOSCloudCircleInternal.h in Copy SecureObjectSync Headers */, + 52F8DE4E1AF2EB8F00A2C271 /* SOSTypes.h in Copy SecureObjectSync Headers */, + 9468B96E1AF2B93300042383 /* SOSViews.h in Copy SecureObjectSync Headers */, + E73289291AED7360008CE839 /* SOSPeerInfo.h in Copy SecureObjectSync Headers 
*/, + E73289281AED735A008CE839 /* SOSCloudCircle.h in Copy SecureObjectSync Headers */, + CD4F44211B546A7E00FE3569 /* SOSPeerInfoV2.h in Copy SecureObjectSync Headers */, + 9468B9481AF2B60900042383 /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */, + ); + name = "Copy SecureObjectSync Headers"; + runOnlyForDeploymentPostprocessing = 0; + }; + E7CFF7211C86602B00E3484E /* Install BATS Tests */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /AppleInternal/CoreOS/BATS/unit_tests; + dstSubfolderSpec = 0; + files = ( + E7EBDEBC1C87C0DB001BAA62 /* KeychainCircle.plist in Install BATS Tests */, + ); + name = "Install BATS Tests"; + runOnlyForDeploymentPostprocessing = 1; + }; + EB0BF1711D25B47A000DEF32 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /AppleInternal/CoreOS/tests/Security; + dstSubfolderSpec = 0; + files = ( + EB0BF1981D25B4BE000DEF32 /* README in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + EB0BF1991D25B54B000DEF32 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /AppleInternal/CoreOS/tests/Security; + dstSubfolderSpec = 0; + files = ( + EB0BF19A1D25B551000DEF32 /* README in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + EB5D72ED1B0CB082009CAA47 /* Old SOS header location */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/include; + dstSubfolderSpec = 0; + files = ( + EB5D73111B0CB0BE009CAA47 /* SOSPeerInfo.h in Old SOS header location */, + EB5D73101B0CB09E009CAA47 /* SOSTypes.h in Old SOS header location */, + ); + name = "Old SOS header location"; + runOnlyForDeploymentPostprocessing = 1; + }; + EB9C1DB41BDFD4F200F89272 /* Install BATS plist */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /AppleInternal/CoreOS/BATS/unit_tests; + dstSubfolderSpec = 0; + files = ( + EB9C1DB51BDFD50100F89272 /* Security.plist in Install BATS plist */, + 
EB3A8DFF1BEEC66F001A89AA /* Security_edumode.plist in Install BATS plist */, + ); + name = "Install BATS plist"; runOnlyForDeploymentPostprocessing = 1; }; F93C49061AB8FCE50047E01A /* CopyFiles */ = { 
@@ -3969,39 +2855,45 @@ 0C0BDB2F175685B000BC1A7E /* secdtests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secdtests; sourceTree = BUILT_PRODUCTS_DIR; }; 0C0BDB31175685B000BC1A7E /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = "<group>"; }; 0C0BDB441756868B00BC1A7E /* testlist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = testlist.h; sourceTree = "<group>"; }; + 0C0C88771CCEC5BD00617D1B /* si-82-sectrust-ct-data */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "si-82-sectrust-ct-data"; path = "../OSX/shared_regressions/si-82-sectrust-ct-data"; sourceTree = "<group>"; }; 0C1EF18813A1946C000A4CE5 /* PostSecurityTests.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = PostSecurityTests.sh; sourceTree = "<group>"; }; 0C25A871122726540050C2BD /* regressions.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = regressions.xcodeproj; path = OSX/regressions/regressions.xcodeproj; sourceTree = "<group>"; }; + 0C2BCBA51D063F7D00ED7A2F /* dtlsEchoClient.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = dtlsEchoClient.c; sourceTree = "<group>"; }; + 0C2BCBA61D063F7D00ED7A2F /* dtlsEchoServer.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = dtlsEchoServer.c; sourceTree = "<group>"; }; + 0C2BCBA71D063F7D00ED7A2F /* README */ = {isa = PBXFileReference; lastKnownFileType = text; path = README; sourceTree = "<group>"; }; + 0C2BCBB91D06401F00ED7A2F /* dtlsEchoClient */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = dtlsEchoClient; sourceTree = BUILT_PRODUCTS_DIR; }; + 0C2BCBCE1D0648D100ED7A2F /* dtlsEchoServer */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = 
dtlsEchoServer; sourceTree = BUILT_PRODUCTS_DIR; }; 0C3145551496B8FB00427C0B /* SecureTransport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecureTransport.h; path = OSX/libsecurity_ssl/lib/SecureTransport.h; sourceTree = "<group>"; }; 0C3145561496B8FB00427C0B /* SecureTransportPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecureTransportPriv.h; path = OSX/libsecurity_ssl/lib/SecureTransportPriv.h; sourceTree = "<group>"; }; - 0C38B9331AA8331B00F0F2EA /* si-82-sectrust-ct-logs.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "si-82-sectrust-ct-logs.plist"; sourceTree = "<group>"; }; 0C550308139F0B970019E5EB /* PreSecurityTests.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = PreSecurityTests.sh; sourceTree = "<group>"; }; - 0C59B54517677A9900617746 /* com.apple.securityd */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.securityd; sourceTree = "<group>"; }; 0C5D2EEA167FEAAC0077501D /* SecAsn1Coder.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = SecAsn1Coder.h; path = OSX/libsecurity_asn1/lib/SecAsn1Coder.h; sourceTree = "<group>"; }; 0C5D2EEC167FEEC90077501D /* secasn1t.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = secasn1t.h; path = OSX/libsecurity_asn1/lib/secasn1t.h; sourceTree = "<group>"; }; 0C5D2EEE167FF0560077501D /* SecAsn1Templates.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = SecAsn1Templates.h; path = OSX/libsecurity_asn1/lib/SecAsn1Templates.h; sourceTree = "<group>"; }; 0C5D2EF0167FF1FC0077501D /* oidsalg.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidsalg.h; path = OSX/libsecurity_asn1/lib/oidsalg.h; sourceTree = "<group>"; }; 0C664AB2175926B20092D3D9 
/* secdtests-entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "secdtests-entitlements.plist"; sourceTree = "<group>"; }; + 0C6E38F41C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyReceiveMessage.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "IDSKeychainSyncingProxy+IDSProxyReceiveMessage.h"; sourceTree = "<group>"; }; + 0C6E38F51C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyReceiveMessage.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "IDSKeychainSyncingProxy+IDSProxyReceiveMessage.m"; sourceTree = "<group>"; }; + 0C6E38F61C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxySendMessage.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "IDSKeychainSyncingProxy+IDSProxySendMessage.h"; sourceTree = "<group>"; }; + 0C6E38F71C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxySendMessage.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "IDSKeychainSyncingProxy+IDSProxySendMessage.m"; sourceTree = "<group>"; }; + 0C6E38F81C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyThrottle.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "IDSKeychainSyncingProxy+IDSProxyThrottle.h"; sourceTree = "<group>"; }; + 0C6E38F91C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyThrottle.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "IDSKeychainSyncingProxy+IDSProxyThrottle.m"; sourceTree = "<group>"; }; 0C78F1C916A5E13400654E08 /* sectask_regressions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = sectask_regressions.h; sourceTree = "<group>"; }; 0C78F1CA16A5E1BF00654E08 /* sectask-10-sectask.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "sectask-10-sectask.c"; sourceTree = 
"<group>"; }; 0C78F1CB16A5E1BF00654E08 /* sectask_ipc.defs */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.mig; path = sectask_ipc.defs; sourceTree = "<group>"; }; + 0C869B421C865E4D006A2873 /* CoreCDP.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreCDP.framework; path = System/Library/PrivateFrameworks/CoreCDP.framework; sourceTree = SDKROOT; }; 0C95403F14E473AA00077526 /* libsecurity_ssl.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_ssl.xcodeproj; path = OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj; sourceTree = "<group>"; }; 0CA31A4614BB5C9100BD348C /* CipherSuite.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CipherSuite.h; path = OSX/libsecurity_ssl/lib/CipherSuite.h; sourceTree = "<group>"; }; 0CA31A7314BB6C2500BD348C /* sslTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sslTypes.h; path = OSX/libsecurity_ssl/lib/sslTypes.h; sourceTree = "<group>"; }; 0CB321F01464A95F00587CD3 /* CreateCerts.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = CreateCerts.sh; sourceTree = "<group>"; }; - 0CBD090E1A1D31D400795EE5 /* si-82-seccertificate-ct.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = "si-82-seccertificate-ct.c"; sourceTree = "<group>"; }; - 0CC122B719C8AA4500D23178 /* shared_regressions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = shared_regressions.h; sourceTree = "<group>"; }; - 0CC122B819C8AA4500D23178 /* si-82-sectrust-ct.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-82-sectrust-ct.c"; sourceTree = "<group>"; }; 0CC82947138716F400BD99B7 /* libregressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libregressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; - 
0CC8F2491A9E92E000447EB7 /* TrustedLogs.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = TrustedLogs.plist; sourceTree = "<group>"; }; 0CD72A5B16D5769A00A4B8A3 /* utilities.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = utilities.c; sourceTree = "<group>"; }; 0CD72A5C16D5769A00A4B8A3 /* utilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = utilities.h; sourceTree = "<group>"; }; - 0CF372C11AA7E55300C58DDB /* si-82-sectrust-ct-certs.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "si-82-sectrust-ct-certs.h"; sourceTree = "<group>"; }; - 0CF55E5514DB47DE003AD8F2 /* tlsnke.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = tlsnke.xcodeproj; path = OSX/tlsnke/tlsnke.xcodeproj; sourceTree = "<group>"; }; 107226D00D91DB32003CF14F /* SecTask.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecTask.c; sourceTree = "<group>"; }; 107226D10D91DB32003CF14F /* SecTask.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecTask.h; sourceTree = "<group>"; }; 107227350D91FE89003CF14F /* libbsm.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libbsm.dylib; path = usr/lib/libbsm.dylib; sourceTree = SDKROOT; }; 18351B8F14CB65870097860E /* SecBase64.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecBase64.h; sourceTree = "<group>"; }; 18F7F65814D77DF700F88A12 /* sec.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = sec.xcodeproj; path = OSX/sec/sec.xcodeproj; sourceTree = "<group>"; }; + 1FDA9AB91C44844D0083929D /* SecTranslocate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecTranslocate.h; path = 
../../libsecurity_translocate/lib/SecTranslocate.h; sourceTree = "<group>"; }; 2281820D17B4686C0067C9C9 /* BackgroundTaskAgent.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = BackgroundTaskAgent.framework; path = System/Library/PrivateFrameworks/BackgroundTaskAgent.framework; sourceTree = SDKROOT; }; 22C002A31AC9D33100B3469E /* OTAPKIAssetTool.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = OTAPKIAssetTool.xcconfig; sourceTree = "<group>"; }; 433E519D1B66D5F600482618 /* AppSupport.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppSupport.framework; path = System/Library/PrivateFrameworks/AppSupport.framework; sourceTree = SDKROOT; }; 
@@ -4016,6 +2908,8 @@ 443381DA18A3D81400215606 /* SecAccessControlPriv.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecAccessControlPriv.h; sourceTree = "<group>"; }; 4469FBDC1AA0A45C0021AA26 /* libctkclient_test.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libctkclient_test.a; path = usr/local/lib/libctkclient_test.a; sourceTree = SDKROOT; }; 4469FBDD1AA0A45C0021AA26 /* libctkclient.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libctkclient.a; path = usr/local/lib/libctkclient.a; sourceTree = SDKROOT; }; + 48284A041D1DB06E00C76CB7 /* README_os_log_prefs.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README_os_log_prefs.txt; path = OSX/sec/os_log/README_os_log_prefs.txt; sourceTree = "<group>"; }; + 4863262F1CAA0BE900A466D9 /* com.apple.securityd.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = com.apple.securityd.plist; path = OSX/sec/os_log/com.apple.securityd.plist; sourceTree = "<group>"; }; 4AF7FFF315AFB73800B9D400 /* SecOTR.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecOTR.h; sourceTree = "<group>"; }; 4AF7FFF415AFB73800B9D400 /* SecOTRDHKey.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecOTRDHKey.h; sourceTree = "<group>"; }; 4AF7FFF515AFB73800B9D400 /* SecOTRErrors.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecOTRErrors.h; sourceTree = "<group>"; }; 
@@ -4031,7 +2925,7 @@ 4C0B906C0ACCBD240077CD03 /* SecFramework.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecFramework.h; sourceTree = "<group>"; }; 4C12828C0BB4957D00985BB0 /* SecTrustSettingsPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecTrustSettingsPriv.h; sourceTree = "<group>"; }; 4C198F1E0ACDB4BF00AAB142 /* English */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = English; path = English.lproj/Certificate.strings; sourceTree = "<group>"; }; - 4C198F200ACDB4BF00AAB142 /* English */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = English; path = English.lproj/OID.strings; sourceTree = "<group>"; }; + 4C198F200ACDB4BF00AAB142 /* English */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = English; path = English.lproj/OID.strings; sourceTree = "<group>"; usesTabs = 1; }; 4C1B442C0BB9CAF900461B82 /* SecTrustStore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecTrustStore.h; sourceTree = "<group>"; }; 4C28BCD60986EBCB0020C665 /* certextensions.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = certextensions.h; sourceTree = "<group>"; }; 4C2F81D40BF121D2003C4F77 /* SecRandom.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecRandom.h; sourceTree = "<group>"; }; 
@@ -4053,7 +2947,6 @@ 4C465C7D13AFD82300E841AC /* SecurityDevTests-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "SecurityDevTests-Info.plist"; sourceTree = "<group>"; }; 4C4CB7100DDA44900026B660 /* entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = entitlements.plist; sourceTree = "<group>"; }; 4C4CE9070AF81ED80056B01D /* TODO */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = TODO; sourceTree = "<group>"; }; - 4C4CE90D0AF81EF80056B01D /* WHITEPAPER */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = WHITEPAPER; sourceTree = "<group>"; }; 4C4CE9120AF81F0E0056B01D /* README */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = README; sourceTree = "<group>"; }; 4C50ACFC1410671D00EE92DE /* DigiNotarCA2007RootCertificate.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = DigiNotarCA2007RootCertificate.crt; sourceTree = "<group>"; }; 4C50ACFD1410671D00EE92DE /* Invalid-asterisk.google.com.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = "Invalid-asterisk.google.com.crt"; sourceTree = "<group>"; }; 
@@ -4069,7 +2962,6 @@ 4C50AD071410671D00EE92DE /* diginotar.root.ca-entrust-secure-server-Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = "diginotar.root.ca-entrust-secure-server-Cert.crt"; sourceTree = "<group>"; }; 4C50AD2F1410689300EE92DE /* Expectations.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Expectations.plist; sourceTree = "<group>"; }; 4C52D0B416EFC61E0079966E /* CircleJoinRequested */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = CircleJoinRequested; sourceTree = BUILT_PRODUCTS_DIR; }; - 4C52D0B816EFC61E0079966E /* AspenFamily.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = AspenFamily.xcconfig; path = AppleInternal/XcodeConfig/AspenFamily.xcconfig; sourceTree = DEVELOPER_DIR; }; 4C52D0B916EFC61E0079966E /* CircleJoinRequested.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CircleJoinRequested.m; sourceTree = "<group>"; }; 4C52D0BD16EFC61E0079966E /* Readme.txt */ = {isa = PBXFileReference; lastKnownFileType = text; path = Readme.txt; sourceTree = "<group>"; }; 4C52D0E216EFCCA20079966E /* Applicant.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Applicant.h; sourceTree = "<group>"; }; 
@@ -4087,371 +2979,11 @@ 4C711D7613AFCD0900FE865D /* SecurityDevTests.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = SecurityDevTests.app; sourceTree = BUILT_PRODUCTS_DIR; }; 4C7391770B01745000C4CBFA /* vmdh.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = vmdh.h; sourceTree = "<group>"; }; 4C7416020F1D71A2008E0E4D /* SecSCEP.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSCEP.h; sourceTree = "<group>"; }; - 4C7540BB13D51D63008048AC /* AllCertificatesNoPoliciesTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = AllCertificatesNoPoliciesTest2EE.crt; sourceTree = "<group>"; }; - 4C7540BC13D51D63008048AC /* AllCertificatesSamePoliciesTest10EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = AllCertificatesSamePoliciesTest10EE.crt; sourceTree = "<group>"; }; - 4C7540BD13D51D63008048AC /* AllCertificatesSamePoliciesTest13EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = AllCertificatesSamePoliciesTest13EE.crt; sourceTree = "<group>"; }; - 4C7540BE13D51D63008048AC /* AllCertificatesanyPolicyTest11EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = AllCertificatesanyPolicyTest11EE.crt; sourceTree = "<group>"; }; - 4C7540BF13D51D63008048AC /* AnyPolicyTest14EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = AnyPolicyTest14EE.crt; sourceTree = "<group>"; }; - 4C7540C013D51D63008048AC /* BadCRLIssuerNameCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BadCRLIssuerNameCACert.crt; sourceTree = "<group>"; }; - 4C7540C113D51D63008048AC /* BadCRLSignatureCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BadCRLSignatureCACert.crt; sourceTree = "<group>"; }; - 4C7540C213D51D63008048AC /* BadSignedCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BadSignedCACert.crt; 
sourceTree = "<group>"; }; - 4C7540C313D51D63008048AC /* BadnotAfterDateCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BadnotAfterDateCACert.crt; sourceTree = "<group>"; }; - 4C7540C413D51D63008048AC /* BadnotBeforeDateCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BadnotBeforeDateCACert.crt; sourceTree = "<group>"; }; - 4C7540C513D51D63008048AC /* BasicSelfIssuedCRLSigningKeyCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BasicSelfIssuedCRLSigningKeyCACert.crt; sourceTree = "<group>"; }; - 4C7540C613D51D63008048AC /* BasicSelfIssuedNewKeyCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BasicSelfIssuedNewKeyCACert.crt; sourceTree = "<group>"; }; - 4C7540C713D51D63008048AC /* BasicSelfIssuedNewKeyOldWithNewCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BasicSelfIssuedNewKeyOldWithNewCACert.crt; sourceTree = "<group>"; }; - 4C7540C813D51D63008048AC /* BasicSelfIssuedOldKeyCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BasicSelfIssuedOldKeyCACert.crt; sourceTree = "<group>"; }; - 4C7540C913D51D63008048AC /* BasicSelfIssuedOldKeyNewWithOldCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = BasicSelfIssuedOldKeyNewWithOldCACert.crt; sourceTree = "<group>"; }; - 4C7540CA13D51D63008048AC /* CPSPointerQualifierTest20EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = CPSPointerQualifierTest20EE.crt; sourceTree = "<group>"; }; - 4C7540CB13D51D63008048AC /* DSACACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = DSACACert.crt; sourceTree = "<group>"; }; - 4C7540CC13D51D63008048AC /* DSAParametersInheritedCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = DSAParametersInheritedCACert.crt; sourceTree = "<group>"; }; - 4C7540CD13D51D63008048AC /* DifferentPoliciesTest12EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
DifferentPoliciesTest12EE.crt; sourceTree = "<group>"; }; - 4C7540CE13D51D63008048AC /* DifferentPoliciesTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = DifferentPoliciesTest3EE.crt; sourceTree = "<group>"; }; - 4C7540CF13D51D63008048AC /* DifferentPoliciesTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = DifferentPoliciesTest4EE.crt; sourceTree = "<group>"; }; - 4C7540D013D51D63008048AC /* DifferentPoliciesTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = DifferentPoliciesTest5EE.crt; sourceTree = "<group>"; }; - 4C7540D113D51D63008048AC /* DifferentPoliciesTest7EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = DifferentPoliciesTest7EE.crt; sourceTree = "<group>"; }; - 4C7540D213D51D63008048AC /* DifferentPoliciesTest8EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = DifferentPoliciesTest8EE.crt; sourceTree = "<group>"; }; - 4C7540D313D51D63008048AC /* DifferentPoliciesTest9EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = DifferentPoliciesTest9EE.crt; sourceTree = "<group>"; }; - 4C7540D413D51D63008048AC /* GeneralizedTimeCRLnextUpdateCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = GeneralizedTimeCRLnextUpdateCACert.crt; sourceTree = "<group>"; }; - 4C7540D513D51D63008048AC /* GoodCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = GoodCACert.crt; sourceTree = "<group>"; }; - 4C7540D613D51D63008048AC /* GoodsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = GoodsubCACert.crt; sourceTree = "<group>"; }; - 4C7540D713D51D63008048AC /* GoodsubCAPanyPolicyMapping1to2CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = GoodsubCAPanyPolicyMapping1to2CACert.crt; sourceTree = "<group>"; }; - 4C7540D813D51D63008048AC /* InvalidBasicSelfIssuedNewWithOldTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
InvalidBasicSelfIssuedNewWithOldTest5EE.crt; sourceTree = "<group>"; }; - 4C7540D913D51D63008048AC /* InvalidBasicSelfIssuedOldWithNewTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidBasicSelfIssuedOldWithNewTest2EE.crt; sourceTree = "<group>"; }; - 4C7540DA13D51D63008048AC /* InvalidCASignatureTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidCASignatureTest2EE.crt; sourceTree = "<group>"; }; - 4C7540DB13D51D63008048AC /* InvalidCAnotAfterDateTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidCAnotAfterDateTest5EE.crt; sourceTree = "<group>"; }; - 4C7540DC13D51D63008048AC /* InvalidCAnotBeforeDateTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidCAnotBeforeDateTest1EE.crt; sourceTree = "<group>"; }; - 4C7540DD13D51D63008048AC /* InvalidDNSnameConstraintsTest31EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNSnameConstraintsTest31EE.crt; sourceTree = "<group>"; }; - 4C7540DE13D51D63008048AC /* InvalidDNSnameConstraintsTest33EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNSnameConstraintsTest33EE.crt; sourceTree = "<group>"; }; - 4C7540DF13D51D63008048AC /* InvalidDNSnameConstraintsTest38EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNSnameConstraintsTest38EE.crt; sourceTree = "<group>"; }; - 4C7540E013D51D63008048AC /* InvalidDNandRFC822nameConstraintsTest28EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNandRFC822nameConstraintsTest28EE.crt; sourceTree = "<group>"; }; - 4C7540E113D51D63008048AC /* InvalidDNandRFC822nameConstraintsTest29EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNandRFC822nameConstraintsTest29EE.crt; sourceTree = "<group>"; }; - 4C7540E213D51D63008048AC /* InvalidDNnameConstraintsTest10EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
InvalidDNnameConstraintsTest10EE.crt; sourceTree = "<group>"; }; - 4C7540E313D51D63008048AC /* InvalidDNnameConstraintsTest12EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest12EE.crt; sourceTree = "<group>"; }; - 4C7540E413D51D63008048AC /* InvalidDNnameConstraintsTest13EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest13EE.crt; sourceTree = "<group>"; }; - 4C7540E513D51D63008048AC /* InvalidDNnameConstraintsTest15EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest15EE.crt; sourceTree = "<group>"; }; - 4C7540E613D51D63008048AC /* InvalidDNnameConstraintsTest16EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest16EE.crt; sourceTree = "<group>"; }; - 4C7540E713D51D63008048AC /* InvalidDNnameConstraintsTest17EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest17EE.crt; sourceTree = "<group>"; }; - 4C7540E813D51D63008048AC /* InvalidDNnameConstraintsTest20EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest20EE.crt; sourceTree = "<group>"; }; - 4C7540E913D51D63008048AC /* InvalidDNnameConstraintsTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest2EE.crt; sourceTree = "<group>"; }; - 4C7540EA13D51D63008048AC /* InvalidDNnameConstraintsTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest3EE.crt; sourceTree = "<group>"; }; - 4C7540EB13D51D63008048AC /* InvalidDNnameConstraintsTest7EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest7EE.crt; sourceTree = "<group>"; }; - 4C7540EC13D51D63008048AC /* InvalidDNnameConstraintsTest8EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest8EE.crt; sourceTree = 
"<group>"; }; - 4C7540ED13D51D63008048AC /* InvalidDNnameConstraintsTest9EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDNnameConstraintsTest9EE.crt; sourceTree = "<group>"; }; - 4C7540EE13D51D63008048AC /* InvalidDSASignatureTest6EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidDSASignatureTest6EE.crt; sourceTree = "<group>"; }; - 4C7540EF13D51D63008048AC /* InvalidEESignatureTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidEESignatureTest3EE.crt; sourceTree = "<group>"; }; - 4C7540F013D51D63008048AC /* InvalidEEnotAfterDateTest6EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidEEnotAfterDateTest6EE.crt; sourceTree = "<group>"; }; - 4C7540F113D51D63008048AC /* InvalidEEnotBeforeDateTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidEEnotBeforeDateTest2EE.crt; sourceTree = "<group>"; }; - 4C7540F213D51D63008048AC /* InvalidLongSerialNumberTest18EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidLongSerialNumberTest18EE.crt; sourceTree = "<group>"; }; - 4C7540F313D51D63008048AC /* InvalidMappingFromanyPolicyTest7EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidMappingFromanyPolicyTest7EE.crt; sourceTree = "<group>"; }; - 4C7540F413D51D63008048AC /* InvalidMappingToanyPolicyTest8EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidMappingToanyPolicyTest8EE.crt; sourceTree = "<group>"; }; - 4C7540F513D51D63008048AC /* InvalidMissingbasicConstraintsTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidMissingbasicConstraintsTest1EE.crt; sourceTree = "<group>"; }; - 4C7540F613D51D63008048AC /* InvalidNameChainingOrderTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidNameChainingOrderTest2EE.crt; sourceTree = "<group>"; }; - 4C7540F713D51D63008048AC /* InvalidNameChainingTest1EE.crt */ = 
{isa = PBXFileReference; lastKnownFileType = file; path = InvalidNameChainingTest1EE.crt; sourceTree = "<group>"; }; - 4C7540F813D51D63008048AC /* InvalidNegativeSerialNumberTest15EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidNegativeSerialNumberTest15EE.crt; sourceTree = "<group>"; }; - 4C7540F913D51D63008048AC /* InvalidPolicyMappingTest10EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidPolicyMappingTest10EE.crt; sourceTree = "<group>"; }; - 4C7540FA13D51D63008048AC /* InvalidPolicyMappingTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidPolicyMappingTest2EE.crt; sourceTree = "<group>"; }; - 4C7540FB13D51D63008048AC /* InvalidPolicyMappingTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidPolicyMappingTest4EE.crt; sourceTree = "<group>"; }; - 4C7540FC13D51D63008048AC /* InvalidRFC822nameConstraintsTest22EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidRFC822nameConstraintsTest22EE.crt; sourceTree = "<group>"; }; - 4C7540FD13D51D63008048AC /* InvalidRFC822nameConstraintsTest24EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidRFC822nameConstraintsTest24EE.crt; sourceTree = "<group>"; }; - 4C7540FE13D51D63008048AC /* InvalidRFC822nameConstraintsTest26EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidRFC822nameConstraintsTest26EE.crt; sourceTree = "<group>"; }; - 4C7540FF13D51D63008048AC /* InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt; sourceTree = "<group>"; }; - 4C75410013D51D63008048AC /* InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt; sourceTree = "<group>"; }; - 4C75410113D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt */ = {isa = 
PBXFileReference; lastKnownFileType = file; path = InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt; sourceTree = "<group>"; }; - 4C75410213D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt; sourceTree = "<group>"; }; - 4C75410313D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt; sourceTree = "<group>"; }; - 4C75410413D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt; sourceTree = "<group>"; }; - 4C75410513D51D63008048AC /* InvalidSelfIssuedpathLenConstraintTest16EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidSelfIssuedpathLenConstraintTest16EE.crt; sourceTree = "<group>"; }; - 4C75410613D51D63008048AC /* InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt; sourceTree = "<group>"; }; - 4C75410713D51D63008048AC /* InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt; sourceTree = "<group>"; }; - 4C75410813D51D63008048AC /* InvalidURInameConstraintsTest35EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidURInameConstraintsTest35EE.crt; sourceTree = "<group>"; }; - 4C75410913D51D63008048AC /* InvalidURInameConstraintsTest37EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidURInameConstraintsTest37EE.crt; sourceTree = "<group>"; }; - 4C75410A13D51D63008048AC /* InvalidUnknownCriticalCertificateExtensionTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
InvalidUnknownCriticalCertificateExtensionTest2EE.crt; sourceTree = "<group>"; }; - 4C75410B13D51D63008048AC /* InvalidcAFalseTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidcAFalseTest2EE.crt; sourceTree = "<group>"; }; - 4C75410C13D51D63008048AC /* InvalidcAFalseTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidcAFalseTest3EE.crt; sourceTree = "<group>"; }; - 4C75410D13D51D63008048AC /* InvalidcRLIssuerTest27EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidcRLIssuerTest27EE.crt; sourceTree = "<group>"; }; - 4C75410E13D51D63008048AC /* InvalidcRLIssuerTest31EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidcRLIssuerTest31EE.crt; sourceTree = "<group>"; }; - 4C75410F13D51D63008048AC /* InvalidcRLIssuerTest32EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidcRLIssuerTest32EE.crt; sourceTree = "<group>"; }; - 4C75411013D51D63008048AC /* InvalidcRLIssuerTest34EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidcRLIssuerTest34EE.crt; sourceTree = "<group>"; }; - 4C75411113D51D63008048AC /* InvalidcRLIssuerTest35EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidcRLIssuerTest35EE.crt; sourceTree = "<group>"; }; - 4C75411213D51D63008048AC /* InvalidinhibitAnyPolicyTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidinhibitAnyPolicyTest1EE.crt; sourceTree = "<group>"; }; - 4C75411313D51D63008048AC /* InvalidinhibitAnyPolicyTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidinhibitAnyPolicyTest4EE.crt; sourceTree = "<group>"; }; - 4C75411413D51D63008048AC /* InvalidinhibitAnyPolicyTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidinhibitAnyPolicyTest5EE.crt; sourceTree = "<group>"; }; - 4C75411513D51D63008048AC /* InvalidinhibitAnyPolicyTest6EE.crt */ = {isa = PBXFileReference; 
lastKnownFileType = file; path = InvalidinhibitAnyPolicyTest6EE.crt; sourceTree = "<group>"; }; - 4C75411613D51D63008048AC /* InvalidinhibitPolicyMappingTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidinhibitPolicyMappingTest1EE.crt; sourceTree = "<group>"; }; - 4C75411713D51D63008048AC /* InvalidinhibitPolicyMappingTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidinhibitPolicyMappingTest3EE.crt; sourceTree = "<group>"; }; - 4C75411813D51D63008048AC /* InvalidinhibitPolicyMappingTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidinhibitPolicyMappingTest5EE.crt; sourceTree = "<group>"; }; - 4C75411913D51D63008048AC /* InvalidinhibitPolicyMappingTest6EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidinhibitPolicyMappingTest6EE.crt; sourceTree = "<group>"; }; - 4C75411A13D51D63008048AC /* InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt; sourceTree = "<group>"; }; - 4C75411B13D51D63008048AC /* InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt; sourceTree = "<group>"; }; - 4C75411C13D51D63008048AC /* InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt; sourceTree = "<group>"; }; - 4C75411D13D51D63008048AC /* InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt; sourceTree = "<group>"; }; - 4C75411E13D51D63008048AC /* InvalidonlyContainsAttributeCertsTest14EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidonlyContainsAttributeCertsTest14EE.crt; sourceTree = "<group>"; }; - 
4C75411F13D51D63008048AC /* InvalidonlyContainsCACertsTest12EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidonlyContainsCACertsTest12EE.crt; sourceTree = "<group>"; }; - 4C75412013D51D63008048AC /* InvalidonlyContainsUserCertsTest11EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidonlyContainsUserCertsTest11EE.crt; sourceTree = "<group>"; }; - 4C75412113D51D63008048AC /* InvalidonlySomeReasonsTest15EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidonlySomeReasonsTest15EE.crt; sourceTree = "<group>"; }; - 4C75412213D51D63008048AC /* InvalidonlySomeReasonsTest16EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidonlySomeReasonsTest16EE.crt; sourceTree = "<group>"; }; - 4C75412313D51D63008048AC /* InvalidonlySomeReasonsTest17EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidonlySomeReasonsTest17EE.crt; sourceTree = "<group>"; }; - 4C75412413D51D63008048AC /* InvalidonlySomeReasonsTest20EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidonlySomeReasonsTest20EE.crt; sourceTree = "<group>"; }; - 4C75412513D51D63008048AC /* InvalidonlySomeReasonsTest21EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidonlySomeReasonsTest21EE.crt; sourceTree = "<group>"; }; - 4C75412613D51D63008048AC /* InvalidpathLenConstraintTest10EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidpathLenConstraintTest10EE.crt; sourceTree = "<group>"; }; - 4C75412713D51D63008048AC /* InvalidpathLenConstraintTest11EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidpathLenConstraintTest11EE.crt; sourceTree = "<group>"; }; - 4C75412813D51D63008048AC /* InvalidpathLenConstraintTest12EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidpathLenConstraintTest12EE.crt; sourceTree = "<group>"; }; - 4C75412913D51D63008048AC /* 
InvalidpathLenConstraintTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidpathLenConstraintTest5EE.crt; sourceTree = "<group>"; }; - 4C75412A13D51D63008048AC /* InvalidpathLenConstraintTest6EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidpathLenConstraintTest6EE.crt; sourceTree = "<group>"; }; - 4C75412B13D51D63008048AC /* InvalidpathLenConstraintTest9EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidpathLenConstraintTest9EE.crt; sourceTree = "<group>"; }; - 4C75412C13D51D63008048AC /* Invalidpre2000UTCEEnotAfterDateTest7EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = Invalidpre2000UTCEEnotAfterDateTest7EE.crt; sourceTree = "<group>"; }; - 4C75412D13D51D63008048AC /* InvalidrequireExplicitPolicyTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidrequireExplicitPolicyTest3EE.crt; sourceTree = "<group>"; }; - 4C75412E13D51D63008048AC /* InvalidrequireExplicitPolicyTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = InvalidrequireExplicitPolicyTest5EE.crt; sourceTree = "<group>"; }; - 4C75412F13D51D63008048AC /* LongSerialNumberCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = LongSerialNumberCACert.crt; sourceTree = "<group>"; }; - 4C75413013D51D63008048AC /* Mapping1to2CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = Mapping1to2CACert.crt; sourceTree = "<group>"; }; - 4C75413113D51D63008048AC /* MappingFromanyPolicyCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = MappingFromanyPolicyCACert.crt; sourceTree = "<group>"; }; - 4C75413213D51D63008048AC /* MappingToanyPolicyCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = MappingToanyPolicyCACert.crt; sourceTree = "<group>"; }; - 4C75413313D51D63008048AC /* MissingbasicConstraintsCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
MissingbasicConstraintsCACert.crt; sourceTree = "<group>"; }; - 4C75413413D51D63008048AC /* NameOrderingCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = NameOrderingCACert.crt; sourceTree = "<group>"; }; - 4C75413513D51D63008048AC /* NegativeSerialNumberCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = NegativeSerialNumberCACert.crt; sourceTree = "<group>"; }; - 4C75413613D51D63008048AC /* NoCRLCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = NoCRLCACert.crt; sourceTree = "<group>"; }; - 4C75413713D51D63008048AC /* NoPoliciesCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = NoPoliciesCACert.crt; sourceTree = "<group>"; }; - 4C75413813D51D63008048AC /* NoissuingDistributionPointCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = NoissuingDistributionPointCACert.crt; sourceTree = "<group>"; }; - 4C75413913D51D63008048AC /* OldCRLnextUpdateCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = OldCRLnextUpdateCACert.crt; sourceTree = "<group>"; }; - 4C75413A13D51D63008048AC /* OverlappingPoliciesTest6EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = OverlappingPoliciesTest6EE.crt; sourceTree = "<group>"; }; - 4C75413B13D51D63008048AC /* P12Mapping1to3CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = P12Mapping1to3CACert.crt; sourceTree = "<group>"; }; - 4C75413C13D51D63008048AC /* P12Mapping1to3subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = P12Mapping1to3subCACert.crt; sourceTree = "<group>"; }; - 4C75413D13D51D63008048AC /* P12Mapping1to3subsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = P12Mapping1to3subsubCACert.crt; sourceTree = "<group>"; }; - 4C75413E13D51D63008048AC /* P1Mapping1to234CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = P1Mapping1to234CACert.crt; sourceTree = "<group>"; }; - 
4C75413F13D51D63008048AC /* P1Mapping1to234subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = P1Mapping1to234subCACert.crt; sourceTree = "<group>"; }; - 4C75414013D51D63008048AC /* P1anyPolicyMapping1to2CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = P1anyPolicyMapping1to2CACert.crt; sourceTree = "<group>"; }; - 4C75414113D51D63008048AC /* PanyPolicyMapping1to2CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PanyPolicyMapping1to2CACert.crt; sourceTree = "<group>"; }; - 4C75414213D51D63008048AC /* PoliciesP1234CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP1234CACert.crt; sourceTree = "<group>"; }; - 4C75414313D51D63008048AC /* PoliciesP1234subCAP123Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP1234subCAP123Cert.crt; sourceTree = "<group>"; }; - 4C75414413D51D63008048AC /* PoliciesP1234subsubCAP123P12Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP1234subsubCAP123P12Cert.crt; sourceTree = "<group>"; }; - 4C75414513D51D63008048AC /* PoliciesP123CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP123CACert.crt; sourceTree = "<group>"; }; - 4C75414613D51D63008048AC /* PoliciesP123subCAP12Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP123subCAP12Cert.crt; sourceTree = "<group>"; }; - 4C75414713D51D63008048AC /* PoliciesP123subsubCAP12P1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP123subsubCAP12P1Cert.crt; sourceTree = "<group>"; }; - 4C75414813D51D63008048AC /* PoliciesP123subsubCAP12P2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP123subsubCAP12P2Cert.crt; sourceTree = "<group>"; }; - 4C75414913D51D63008048AC /* PoliciesP123subsubsubCAP12P2P1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP123subsubsubCAP12P2P1Cert.crt; 
sourceTree = "<group>"; }; - 4C75414A13D51D63008048AC /* PoliciesP12CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP12CACert.crt; sourceTree = "<group>"; }; - 4C75414B13D51D63008048AC /* PoliciesP12subCAP1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP12subCAP1Cert.crt; sourceTree = "<group>"; }; - 4C75414C13D51D63008048AC /* PoliciesP12subsubCAP1P2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP12subsubCAP1P2Cert.crt; sourceTree = "<group>"; }; - 4C75414D13D51D63008048AC /* PoliciesP2subCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP2subCA2Cert.crt; sourceTree = "<group>"; }; - 4C75414E13D51D63008048AC /* PoliciesP2subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP2subCACert.crt; sourceTree = "<group>"; }; - 4C75414F13D51D63008048AC /* PoliciesP3CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = PoliciesP3CACert.crt; sourceTree = "<group>"; }; - 4C75415013D51D63008048AC /* RFC3280MandatoryAttributeTypesCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = RFC3280MandatoryAttributeTypesCACert.crt; sourceTree = "<group>"; }; - 4C75415113D51D63008048AC /* RFC3280OptionalAttributeTypesCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = RFC3280OptionalAttributeTypesCACert.crt; sourceTree = "<group>"; }; - 4C75415213D51D63008048AC /* RevokedsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = RevokedsubCACert.crt; sourceTree = "<group>"; }; - 4C75415313D51D63008048AC /* RolloverfromPrintableStringtoUTF8StringCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = RolloverfromPrintableStringtoUTF8StringCACert.crt; sourceTree = "<group>"; }; - 4C75415413D51D63008048AC /* SeparateCertificateandCRLKeysCA2CRLSigningCert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
SeparateCertificateandCRLKeysCA2CRLSigningCert.crt; sourceTree = "<group>"; }; - 4C75415513D51D63008048AC /* SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt; sourceTree = "<group>"; }; - 4C75415613D51D63008048AC /* SeparateCertificateandCRLKeysCertificateSigningCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = SeparateCertificateandCRLKeysCertificateSigningCACert.crt; sourceTree = "<group>"; }; - 4C75415713D51D63008048AC /* TrustAnchorRootCertificate.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = TrustAnchorRootCertificate.crt; sourceTree = "<group>"; }; - 4C75415813D51D63008048AC /* TwoCRLsCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = TwoCRLsCACert.crt; sourceTree = "<group>"; }; - 4C75415913D51D63008048AC /* UIDCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UIDCACert.crt; sourceTree = "<group>"; }; - 4C75415A13D51D63008048AC /* UTF8StringCaseInsensitiveMatchCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UTF8StringCaseInsensitiveMatchCACert.crt; sourceTree = "<group>"; }; - 4C75415B13D51D63008048AC /* UTF8StringEncodedNamesCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UTF8StringEncodedNamesCACert.crt; sourceTree = "<group>"; }; - 4C75415C13D51D63008048AC /* UnknownCRLEntryExtensionCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UnknownCRLEntryExtensionCACert.crt; sourceTree = "<group>"; }; - 4C75415D13D51D63008048AC /* UnknownCRLExtensionCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UnknownCRLExtensionCACert.crt; sourceTree = "<group>"; }; - 4C75415E13D51D63008048AC /* UserNoticeQualifierTest15EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UserNoticeQualifierTest15EE.crt; sourceTree = "<group>"; }; - 
4C75415F13D51D63008048AC /* UserNoticeQualifierTest16EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UserNoticeQualifierTest16EE.crt; sourceTree = "<group>"; }; - 4C75416013D51D63008048AC /* UserNoticeQualifierTest17EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UserNoticeQualifierTest17EE.crt; sourceTree = "<group>"; }; - 4C75416113D51D63008048AC /* UserNoticeQualifierTest18EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UserNoticeQualifierTest18EE.crt; sourceTree = "<group>"; }; - 4C75416213D51D63008048AC /* UserNoticeQualifierTest19EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = UserNoticeQualifierTest19EE.crt; sourceTree = "<group>"; }; - 4C75416313D51D63008048AC /* ValidBasicSelfIssuedNewWithOldTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidBasicSelfIssuedNewWithOldTest3EE.crt; sourceTree = "<group>"; }; - 4C75416413D51D63008048AC /* ValidBasicSelfIssuedNewWithOldTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidBasicSelfIssuedNewWithOldTest4EE.crt; sourceTree = "<group>"; }; - 4C75416513D51D63008048AC /* ValidBasicSelfIssuedOldWithNewTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidBasicSelfIssuedOldWithNewTest1EE.crt; sourceTree = "<group>"; }; - 4C75416613D51D63008048AC /* ValidCertificatePathTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidCertificatePathTest1EE.crt; sourceTree = "<group>"; }; - 4C75416713D51D63008048AC /* ValidDNSnameConstraintsTest30EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNSnameConstraintsTest30EE.crt; sourceTree = "<group>"; }; - 4C75416813D51D63008048AC /* ValidDNSnameConstraintsTest32EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNSnameConstraintsTest32EE.crt; sourceTree = "<group>"; }; - 4C75416913D51D63008048AC /* ValidDNandRFC822nameConstraintsTest27EE.crt 
*/ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNandRFC822nameConstraintsTest27EE.crt; sourceTree = "<group>"; }; - 4C75416A13D51D63008048AC /* ValidDNnameConstraintsTest11EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNnameConstraintsTest11EE.crt; sourceTree = "<group>"; }; - 4C75416B13D51D63008048AC /* ValidDNnameConstraintsTest14EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNnameConstraintsTest14EE.crt; sourceTree = "<group>"; }; - 4C75416C13D51D63008048AC /* ValidDNnameConstraintsTest18EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNnameConstraintsTest18EE.crt; sourceTree = "<group>"; }; - 4C75416D13D51D63008048AC /* ValidDNnameConstraintsTest19EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNnameConstraintsTest19EE.crt; sourceTree = "<group>"; }; - 4C75416E13D51D63008048AC /* ValidDNnameConstraintsTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNnameConstraintsTest1EE.crt; sourceTree = "<group>"; }; - 4C75416F13D51D63008048AC /* ValidDNnameConstraintsTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNnameConstraintsTest4EE.crt; sourceTree = "<group>"; }; - 4C75417013D51D63008048AC /* ValidDNnameConstraintsTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNnameConstraintsTest5EE.crt; sourceTree = "<group>"; }; - 4C75417113D51D63008048AC /* ValidDNnameConstraintsTest6EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDNnameConstraintsTest6EE.crt; sourceTree = "<group>"; }; - 4C75417213D51D63008048AC /* ValidDSAParameterInheritanceTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidDSAParameterInheritanceTest5EE.crt; sourceTree = "<group>"; }; - 4C75417313D51D63008048AC /* ValidDSASignaturesTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
ValidDSASignaturesTest4EE.crt; sourceTree = "<group>"; }; - 4C75417413D51D63008048AC /* ValidGeneralizedTimenotAfterDateTest8EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidGeneralizedTimenotAfterDateTest8EE.crt; sourceTree = "<group>"; }; - 4C75417513D51D63008048AC /* ValidGeneralizedTimenotBeforeDateTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidGeneralizedTimenotBeforeDateTest4EE.crt; sourceTree = "<group>"; }; - 4C75417613D51D63008048AC /* ValidLongSerialNumberTest16EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidLongSerialNumberTest16EE.crt; sourceTree = "<group>"; }; - 4C75417713D51D63008048AC /* ValidLongSerialNumberTest17EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidLongSerialNumberTest17EE.crt; sourceTree = "<group>"; }; - 4C75417813D51D63008048AC /* ValidNameChainingCapitalizationTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidNameChainingCapitalizationTest5EE.crt; sourceTree = "<group>"; }; - 4C75417913D51D63008048AC /* ValidNameChainingWhitespaceTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidNameChainingWhitespaceTest3EE.crt; sourceTree = "<group>"; }; - 4C75417A13D51D63008048AC /* ValidNameChainingWhitespaceTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidNameChainingWhitespaceTest4EE.crt; sourceTree = "<group>"; }; - 4C75417B13D51D63008048AC /* ValidNameUIDsTest6EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidNameUIDsTest6EE.crt; sourceTree = "<group>"; }; - 4C75417C13D51D63008048AC /* ValidNegativeSerialNumberTest14EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidNegativeSerialNumberTest14EE.crt; sourceTree = "<group>"; }; - 4C75417D13D51D63008048AC /* ValidPolicyMappingTest11EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidPolicyMappingTest11EE.crt; sourceTree = 
"<group>"; }; - 4C75417E13D51D63008048AC /* ValidPolicyMappingTest12EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidPolicyMappingTest12EE.crt; sourceTree = "<group>"; }; - 4C75417F13D51D63008048AC /* ValidPolicyMappingTest13EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidPolicyMappingTest13EE.crt; sourceTree = "<group>"; }; - 4C75418013D51D63008048AC /* ValidPolicyMappingTest14EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidPolicyMappingTest14EE.crt; sourceTree = "<group>"; }; - 4C75418113D51D63008048AC /* ValidPolicyMappingTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidPolicyMappingTest1EE.crt; sourceTree = "<group>"; }; - 4C75418213D51D63008048AC /* ValidPolicyMappingTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidPolicyMappingTest3EE.crt; sourceTree = "<group>"; }; - 4C75418313D51D63008048AC /* ValidPolicyMappingTest5EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidPolicyMappingTest5EE.crt; sourceTree = "<group>"; }; - 4C75418413D51D63008048AC /* ValidPolicyMappingTest6EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidPolicyMappingTest6EE.crt; sourceTree = "<group>"; }; - 4C75418513D51D63008048AC /* ValidPolicyMappingTest9EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidPolicyMappingTest9EE.crt; sourceTree = "<group>"; }; - 4C75418613D51D63008048AC /* ValidRFC3280MandatoryAttributeTypesTest7EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidRFC3280MandatoryAttributeTypesTest7EE.crt; sourceTree = "<group>"; }; - 4C75418713D51D63008048AC /* ValidRFC3280OptionalAttributeTypesTest8EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidRFC3280OptionalAttributeTypesTest8EE.crt; sourceTree = "<group>"; }; - 4C75418813D51D63008048AC /* ValidRFC822nameConstraintsTest21EE.crt */ = {isa = PBXFileReference; 
lastKnownFileType = file; path = ValidRFC822nameConstraintsTest21EE.crt; sourceTree = "<group>"; }; - 4C75418913D51D63008048AC /* ValidRFC822nameConstraintsTest23EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidRFC822nameConstraintsTest23EE.crt; sourceTree = "<group>"; }; - 4C75418A13D51D63008048AC /* ValidRFC822nameConstraintsTest25EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidRFC822nameConstraintsTest25EE.crt; sourceTree = "<group>"; }; - 4C75418B13D51D63008048AC /* ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt; sourceTree = "<group>"; }; - 4C75418C13D51D63008048AC /* ValidSelfIssuedinhibitAnyPolicyTest7EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidSelfIssuedinhibitAnyPolicyTest7EE.crt; sourceTree = "<group>"; }; - 4C75418D13D51D63008048AC /* ValidSelfIssuedinhibitAnyPolicyTest9EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidSelfIssuedinhibitAnyPolicyTest9EE.crt; sourceTree = "<group>"; }; - 4C75418E13D51D63008048AC /* ValidSelfIssuedinhibitPolicyMappingTest7EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidSelfIssuedinhibitPolicyMappingTest7EE.crt; sourceTree = "<group>"; }; - 4C75418F13D51D63008048AC /* ValidSelfIssuedpathLenConstraintTest15EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidSelfIssuedpathLenConstraintTest15EE.crt; sourceTree = "<group>"; }; - 4C75419013D51D63008048AC /* ValidSelfIssuedpathLenConstraintTest17EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidSelfIssuedpathLenConstraintTest17EE.crt; sourceTree = "<group>"; }; - 4C75419113D51D63008048AC /* ValidSelfIssuedrequireExplicitPolicyTest6EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidSelfIssuedrequireExplicitPolicyTest6EE.crt; sourceTree = "<group>"; 
}; - 4C75419213D51D63008048AC /* ValidURInameConstraintsTest34EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidURInameConstraintsTest34EE.crt; sourceTree = "<group>"; }; - 4C75419313D51D63008048AC /* ValidURInameConstraintsTest36EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidURInameConstraintsTest36EE.crt; sourceTree = "<group>"; }; - 4C75419413D51D63008048AC /* ValidUTF8StringCaseInsensitiveMatchTest11EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidUTF8StringCaseInsensitiveMatchTest11EE.crt; sourceTree = "<group>"; }; - 4C75419513D51D63008048AC /* ValidUTF8StringEncodedNamesTest9EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidUTF8StringEncodedNamesTest9EE.crt; sourceTree = "<group>"; }; - 4C75419613D51D63008048AC /* ValidUnknownNotCriticalCertificateExtensionTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidUnknownNotCriticalCertificateExtensionTest1EE.crt; sourceTree = "<group>"; }; - 4C75419713D51D63008048AC /* ValidbasicConstraintsNotCriticalTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidbasicConstraintsNotCriticalTest4EE.crt; sourceTree = "<group>"; }; - 4C75419813D51D63008048AC /* ValidcRLIssuerTest28EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidcRLIssuerTest28EE.crt; sourceTree = "<group>"; }; - 4C75419913D51D63008048AC /* ValidcRLIssuerTest29EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidcRLIssuerTest29EE.crt; sourceTree = "<group>"; }; - 4C75419A13D51D63008048AC /* ValidcRLIssuerTest30EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidcRLIssuerTest30EE.crt; sourceTree = "<group>"; }; - 4C75419B13D51D63008048AC /* ValidcRLIssuerTest33EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidcRLIssuerTest33EE.crt; sourceTree = "<group>"; }; - 4C75419C13D51D63008048AC /* 
ValidinhibitAnyPolicyTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidinhibitAnyPolicyTest2EE.crt; sourceTree = "<group>"; }; - 4C75419D13D51D63008048AC /* ValidinhibitPolicyMappingTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidinhibitPolicyMappingTest2EE.crt; sourceTree = "<group>"; }; - 4C75419E13D51D63008048AC /* ValidinhibitPolicyMappingTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidinhibitPolicyMappingTest4EE.crt; sourceTree = "<group>"; }; - 4C75419F13D51D63008048AC /* ValidkeyUsageNotCriticalTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidkeyUsageNotCriticalTest3EE.crt; sourceTree = "<group>"; }; - 4C7541A013D51D63008048AC /* ValidonlyContainsCACertsTest13EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidonlyContainsCACertsTest13EE.crt; sourceTree = "<group>"; }; - 4C7541A113D51D63008048AC /* ValidonlySomeReasonsTest18EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidonlySomeReasonsTest18EE.crt; sourceTree = "<group>"; }; - 4C7541A213D51D63008048AC /* ValidonlySomeReasonsTest19EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidonlySomeReasonsTest19EE.crt; sourceTree = "<group>"; }; - 4C7541A313D51D63008048AC /* ValidpathLenConstraintTest13EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidpathLenConstraintTest13EE.crt; sourceTree = "<group>"; }; - 4C7541A413D51D63008048AC /* ValidpathLenConstraintTest14EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidpathLenConstraintTest14EE.crt; sourceTree = "<group>"; }; - 4C7541A513D51D63008048AC /* ValidpathLenConstraintTest7EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidpathLenConstraintTest7EE.crt; sourceTree = "<group>"; }; - 4C7541A613D51D63008048AC /* ValidpathLenConstraintTest8EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; 
path = ValidpathLenConstraintTest8EE.crt; sourceTree = "<group>"; }; - 4C7541A713D51D63008048AC /* Validpre2000UTCnotBeforeDateTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = Validpre2000UTCnotBeforeDateTest3EE.crt; sourceTree = "<group>"; }; - 4C7541A813D51D63008048AC /* ValidrequireExplicitPolicyTest1EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidrequireExplicitPolicyTest1EE.crt; sourceTree = "<group>"; }; - 4C7541A913D51D63008048AC /* ValidrequireExplicitPolicyTest2EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidrequireExplicitPolicyTest2EE.crt; sourceTree = "<group>"; }; - 4C7541AA13D51D63008048AC /* ValidrequireExplicitPolicyTest4EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = ValidrequireExplicitPolicyTest4EE.crt; sourceTree = "<group>"; }; - 4C7541AB13D51D63008048AC /* WrongCRLCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = WrongCRLCACert.crt; sourceTree = "<group>"; }; - 4C7541AC13D51D63008048AC /* anyPolicyCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = anyPolicyCACert.crt; sourceTree = "<group>"; }; - 4C7541AD13D51D63008048AC /* basicConstraintsCriticalcAFalseCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = basicConstraintsCriticalcAFalseCACert.crt; sourceTree = "<group>"; }; - 4C7541AE13D51D63008048AC /* basicConstraintsNotCriticalCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = basicConstraintsNotCriticalCACert.crt; sourceTree = "<group>"; }; - 4C7541AF13D51D63008048AC /* basicConstraintsNotCriticalcAFalseCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = basicConstraintsNotCriticalcAFalseCACert.crt; sourceTree = "<group>"; }; - 4C7541B013D51D63008048AC /* deltaCRLCA1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = deltaCRLCA1Cert.crt; sourceTree = "<group>"; }; - 4C7541B113D51D63008048AC /* 
deltaCRLCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = deltaCRLCA2Cert.crt; sourceTree = "<group>"; }; - 4C7541B213D51D63008048AC /* deltaCRLCA3Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = deltaCRLCA3Cert.crt; sourceTree = "<group>"; }; - 4C7541B313D51D63008048AC /* deltaCRLIndicatorNoBaseCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = deltaCRLIndicatorNoBaseCACert.crt; sourceTree = "<group>"; }; - 4C7541B413D51D63008048AC /* distributionPoint1CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = distributionPoint1CACert.crt; sourceTree = "<group>"; }; - 4C7541B513D51D63008048AC /* distributionPoint2CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = distributionPoint2CACert.crt; sourceTree = "<group>"; }; - 4C7541B613D51D63008048AC /* indirectCRLCA1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = indirectCRLCA1Cert.crt; sourceTree = "<group>"; }; - 4C7541B713D51D63008048AC /* indirectCRLCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = indirectCRLCA2Cert.crt; sourceTree = "<group>"; }; - 4C7541B813D51D63008048AC /* indirectCRLCA3Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = indirectCRLCA3Cert.crt; sourceTree = "<group>"; }; - 4C7541B913D51D63008048AC /* indirectCRLCA3cRLIssuerCert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = indirectCRLCA3cRLIssuerCert.crt; sourceTree = "<group>"; }; - 4C7541BA13D51D63008048AC /* indirectCRLCA4Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = indirectCRLCA4Cert.crt; sourceTree = "<group>"; }; - 4C7541BB13D51D63008048AC /* indirectCRLCA4cRLIssuerCert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = indirectCRLCA4cRLIssuerCert.crt; sourceTree = "<group>"; }; - 4C7541BC13D51D63008048AC /* indirectCRLCA5Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
indirectCRLCA5Cert.crt; sourceTree = "<group>"; }; - 4C7541BD13D51D63008048AC /* indirectCRLCA6Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = indirectCRLCA6Cert.crt; sourceTree = "<group>"; }; - 4C7541BE13D51D63008048AC /* inhibitAnyPolicy0CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy0CACert.crt; sourceTree = "<group>"; }; - 4C7541BF13D51D63008048AC /* inhibitAnyPolicy1CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy1CACert.crt; sourceTree = "<group>"; }; - 4C7541C013D51D63008048AC /* inhibitAnyPolicy1SelfIssuedCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy1SelfIssuedCACert.crt; sourceTree = "<group>"; }; - 4C7541C113D51D63008048AC /* inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt; sourceTree = "<group>"; }; - 4C7541C213D51D63008048AC /* inhibitAnyPolicy1subCA1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy1subCA1Cert.crt; sourceTree = "<group>"; }; - 4C7541C313D51D63008048AC /* inhibitAnyPolicy1subCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy1subCA2Cert.crt; sourceTree = "<group>"; }; - 4C7541C413D51D63008048AC /* inhibitAnyPolicy1subCAIAP5Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy1subCAIAP5Cert.crt; sourceTree = "<group>"; }; - 4C7541C513D51D63008048AC /* inhibitAnyPolicy1subsubCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy1subsubCA2Cert.crt; sourceTree = "<group>"; }; - 4C7541C613D51D63008048AC /* inhibitAnyPolicy5CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy5CACert.crt; sourceTree = "<group>"; }; - 4C7541C713D51D63008048AC /* inhibitAnyPolicy5subCACert.crt */ = {isa = PBXFileReference; 
lastKnownFileType = file; path = inhibitAnyPolicy5subCACert.crt; sourceTree = "<group>"; }; - 4C7541C813D51D63008048AC /* inhibitAnyPolicy5subsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicy5subsubCACert.crt; sourceTree = "<group>"; }; - 4C7541C913D51D63008048AC /* inhibitAnyPolicyTest3EE.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitAnyPolicyTest3EE.crt; sourceTree = "<group>"; }; - 4C7541CA13D51D63008048AC /* inhibitPolicyMapping0CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping0CACert.crt; sourceTree = "<group>"; }; - 4C7541CB13D51D63008048AC /* inhibitPolicyMapping0subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping0subCACert.crt; sourceTree = "<group>"; }; - 4C7541CC13D51D63008048AC /* inhibitPolicyMapping1P12CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping1P12CACert.crt; sourceTree = "<group>"; }; - 4C7541CD13D51D63008048AC /* inhibitPolicyMapping1P12subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping1P12subCACert.crt; sourceTree = "<group>"; }; - 4C7541CE13D51D63008048AC /* inhibitPolicyMapping1P12subCAIPM5Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping1P12subCAIPM5Cert.crt; sourceTree = "<group>"; }; - 4C7541CF13D51D63008048AC /* inhibitPolicyMapping1P12subsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping1P12subsubCACert.crt; sourceTree = "<group>"; }; - 4C7541D013D51D63008048AC /* inhibitPolicyMapping1P12subsubCAIPM5Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping1P12subsubCAIPM5Cert.crt; sourceTree = "<group>"; }; - 4C7541D113D51D63008048AC /* inhibitPolicyMapping1P1CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
inhibitPolicyMapping1P1CACert.crt; sourceTree = "<group>"; }; - 4C7541D213D51D63008048AC /* inhibitPolicyMapping1P1SelfIssuedCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping1P1SelfIssuedCACert.crt; sourceTree = "<group>"; }; - 4C7541D313D51D63008048AC /* inhibitPolicyMapping1P1SelfIssuedsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping1P1SelfIssuedsubCACert.crt; sourceTree = "<group>"; }; - 4C7541D413D51D63008048AC /* inhibitPolicyMapping1P1subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping1P1subCACert.crt; sourceTree = "<group>"; }; - 4C7541D513D51D63008048AC /* inhibitPolicyMapping1P1subsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping1P1subsubCACert.crt; sourceTree = "<group>"; }; - 4C7541D613D51D63008048AC /* inhibitPolicyMapping5CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping5CACert.crt; sourceTree = "<group>"; }; - 4C7541D713D51D63008048AC /* inhibitPolicyMapping5subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping5subCACert.crt; sourceTree = "<group>"; }; - 4C7541D813D51D63008048AC /* inhibitPolicyMapping5subsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping5subsubCACert.crt; sourceTree = "<group>"; }; - 4C7541D913D51D63008048AC /* inhibitPolicyMapping5subsubsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = inhibitPolicyMapping5subsubsubCACert.crt; sourceTree = "<group>"; }; - 4C7541DA13D51D63008048AC /* keyUsageCriticalcRLSignFalseCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = keyUsageCriticalcRLSignFalseCACert.crt; sourceTree = "<group>"; }; - 4C7541DB13D51D63008048AC /* keyUsageCriticalkeyCertSignFalseCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = 
keyUsageCriticalkeyCertSignFalseCACert.crt; sourceTree = "<group>"; }; - 4C7541DC13D51D63008048AC /* keyUsageNotCriticalCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = keyUsageNotCriticalCACert.crt; sourceTree = "<group>"; }; - 4C7541DD13D51D63008048AC /* keyUsageNotCriticalcRLSignFalseCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = keyUsageNotCriticalcRLSignFalseCACert.crt; sourceTree = "<group>"; }; - 4C7541DE13D51D63008048AC /* keyUsageNotCriticalkeyCertSignFalseCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = keyUsageNotCriticalkeyCertSignFalseCACert.crt; sourceTree = "<group>"; }; - 4C7541DF13D51D63008048AC /* nameConstraintsDN1CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN1CACert.crt; sourceTree = "<group>"; }; - 4C7541E013D51D63008048AC /* nameConstraintsDN1SelfIssuedCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN1SelfIssuedCACert.crt; sourceTree = "<group>"; }; - 4C7541E113D51D63008048AC /* nameConstraintsDN1subCA1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN1subCA1Cert.crt; sourceTree = "<group>"; }; - 4C7541E213D51D63008048AC /* nameConstraintsDN1subCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN1subCA2Cert.crt; sourceTree = "<group>"; }; - 4C7541E313D51D63008048AC /* nameConstraintsDN1subCA3Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN1subCA3Cert.crt; sourceTree = "<group>"; }; - 4C7541E413D51D63008048AC /* nameConstraintsDN2CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN2CACert.crt; sourceTree = "<group>"; }; - 4C7541E513D51D63008048AC /* nameConstraintsDN3CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN3CACert.crt; sourceTree = "<group>"; }; - 4C7541E613D51D63008048AC /* 
nameConstraintsDN3subCA1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN3subCA1Cert.crt; sourceTree = "<group>"; }; - 4C7541E713D51D63008048AC /* nameConstraintsDN3subCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN3subCA2Cert.crt; sourceTree = "<group>"; }; - 4C7541E813D51D63008048AC /* nameConstraintsDN4CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN4CACert.crt; sourceTree = "<group>"; }; - 4C7541E913D51D63008048AC /* nameConstraintsDN5CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDN5CACert.crt; sourceTree = "<group>"; }; - 4C7541EA13D51D63008048AC /* nameConstraintsDNS1CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDNS1CACert.crt; sourceTree = "<group>"; }; - 4C7541EB13D51D63008048AC /* nameConstraintsDNS2CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsDNS2CACert.crt; sourceTree = "<group>"; }; - 4C7541EC13D51D63008048AC /* nameConstraintsRFC822CA1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsRFC822CA1Cert.crt; sourceTree = "<group>"; }; - 4C7541ED13D51D63008048AC /* nameConstraintsRFC822CA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsRFC822CA2Cert.crt; sourceTree = "<group>"; }; - 4C7541EE13D51D63008048AC /* nameConstraintsRFC822CA3Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsRFC822CA3Cert.crt; sourceTree = "<group>"; }; - 4C7541EF13D51D63008048AC /* nameConstraintsURI1CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsURI1CACert.crt; sourceTree = "<group>"; }; - 4C7541F013D51D63008048AC /* nameConstraintsURI2CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = nameConstraintsURI2CACert.crt; sourceTree = "<group>"; }; - 
4C7541F113D51D63008048AC /* onlyContainsAttributeCertsCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = onlyContainsAttributeCertsCACert.crt; sourceTree = "<group>"; }; - 4C7541F213D51D63008048AC /* onlyContainsCACertsCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = onlyContainsCACertsCACert.crt; sourceTree = "<group>"; }; - 4C7541F313D51D63008048AC /* onlyContainsUserCertsCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = onlyContainsUserCertsCACert.crt; sourceTree = "<group>"; }; - 4C7541F413D51D63008048AC /* onlySomeReasonsCA1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = onlySomeReasonsCA1Cert.crt; sourceTree = "<group>"; }; - 4C7541F513D51D63008048AC /* onlySomeReasonsCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = onlySomeReasonsCA2Cert.crt; sourceTree = "<group>"; }; - 4C7541F613D51D63008048AC /* onlySomeReasonsCA3Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = onlySomeReasonsCA3Cert.crt; sourceTree = "<group>"; }; - 4C7541F713D51D63008048AC /* onlySomeReasonsCA4Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = onlySomeReasonsCA4Cert.crt; sourceTree = "<group>"; }; - 4C7541F813D51D63008048AC /* pathLenConstraint0CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint0CACert.crt; sourceTree = "<group>"; }; - 4C7541F913D51D63008048AC /* pathLenConstraint0SelfIssuedCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint0SelfIssuedCACert.crt; sourceTree = "<group>"; }; - 4C7541FA13D51D63008048AC /* pathLenConstraint0subCA2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint0subCA2Cert.crt; sourceTree = "<group>"; }; - 4C7541FB13D51D63008048AC /* pathLenConstraint0subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint0subCACert.crt; sourceTree = 
"<group>"; }; - 4C7541FC13D51D63008048AC /* pathLenConstraint1CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint1CACert.crt; sourceTree = "<group>"; }; - 4C7541FD13D51D63008048AC /* pathLenConstraint1SelfIssuedCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint1SelfIssuedCACert.crt; sourceTree = "<group>"; }; - 4C7541FE13D51D63008048AC /* pathLenConstraint1SelfIssuedsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint1SelfIssuedsubCACert.crt; sourceTree = "<group>"; }; - 4C7541FF13D51D63008048AC /* pathLenConstraint1subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint1subCACert.crt; sourceTree = "<group>"; }; - 4C75420013D51D64008048AC /* pathLenConstraint6CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint6CACert.crt; sourceTree = "<group>"; }; - 4C75420113D51D64008048AC /* pathLenConstraint6subCA0Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint6subCA0Cert.crt; sourceTree = "<group>"; }; - 4C75420213D51D64008048AC /* pathLenConstraint6subCA1Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint6subCA1Cert.crt; sourceTree = "<group>"; }; - 4C75420313D51D64008048AC /* pathLenConstraint6subCA4Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint6subCA4Cert.crt; sourceTree = "<group>"; }; - 4C75420413D51D64008048AC /* pathLenConstraint6subsubCA00Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint6subsubCA00Cert.crt; sourceTree = "<group>"; }; - 4C75420513D51D64008048AC /* pathLenConstraint6subsubCA11Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint6subsubCA11Cert.crt; sourceTree = "<group>"; }; - 4C75420613D51D64008048AC /* pathLenConstraint6subsubCA41Cert.crt */ = {isa = 
PBXFileReference; lastKnownFileType = file; path = pathLenConstraint6subsubCA41Cert.crt; sourceTree = "<group>"; };
- 4C75420713D51D64008048AC /* pathLenConstraint6subsubsubCA11XCert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint6subsubsubCA11XCert.crt; sourceTree = "<group>"; };
- 4C75420813D51D64008048AC /* pathLenConstraint6subsubsubCA41XCert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pathLenConstraint6subsubsubCA41XCert.crt; sourceTree = "<group>"; };
- 4C75420913D51D64008048AC /* pre2000CRLnextUpdateCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = pre2000CRLnextUpdateCACert.crt; sourceTree = "<group>"; };
- 4C75420A13D51D64008048AC /* requireExplicitPolicy0CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy0CACert.crt; sourceTree = "<group>"; };
- 4C75420B13D51D64008048AC /* requireExplicitPolicy0subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy0subCACert.crt; sourceTree = "<group>"; };
- 4C75420C13D51D64008048AC /* requireExplicitPolicy0subsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy0subsubCACert.crt; sourceTree = "<group>"; };
- 4C75420D13D51D64008048AC /* requireExplicitPolicy0subsubsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy0subsubsubCACert.crt; sourceTree = "<group>"; };
- 4C75420E13D51D64008048AC /* requireExplicitPolicy10CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy10CACert.crt; sourceTree = "<group>"; };
- 4C75420F13D51D64008048AC /* requireExplicitPolicy10subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy10subCACert.crt; sourceTree = "<group>"; };
- 4C75421013D51D64008048AC /* requireExplicitPolicy10subsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy10subsubCACert.crt; sourceTree = "<group>"; };
- 4C75421113D51D64008048AC /* requireExplicitPolicy10subsubsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy10subsubsubCACert.crt; sourceTree = "<group>"; };
- 4C75421213D51D64008048AC /* requireExplicitPolicy2CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy2CACert.crt; sourceTree = "<group>"; };
- 4C75421313D51D64008048AC /* requireExplicitPolicy2SelfIssuedCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy2SelfIssuedCACert.crt; sourceTree = "<group>"; };
- 4C75421413D51D64008048AC /* requireExplicitPolicy2SelfIssuedsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy2SelfIssuedsubCACert.crt; sourceTree = "<group>"; };
- 4C75421513D51D64008048AC /* requireExplicitPolicy2subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy2subCACert.crt; sourceTree = "<group>"; };
- 4C75421613D51D64008048AC /* requireExplicitPolicy4CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy4CACert.crt; sourceTree = "<group>"; };
- 4C75421713D51D64008048AC /* requireExplicitPolicy4subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy4subCACert.crt; sourceTree = "<group>"; };
- 4C75421813D51D64008048AC /* requireExplicitPolicy4subsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy4subsubCACert.crt; sourceTree = "<group>"; };
- 4C75421913D51D64008048AC /* requireExplicitPolicy4subsubsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy4subsubsubCACert.crt; sourceTree = "<group>"; };
- 4C75421A13D51D64008048AC /* requireExplicitPolicy5CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy5CACert.crt; sourceTree = "<group>"; };
- 4C75421B13D51D64008048AC /* requireExplicitPolicy5subCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy5subCACert.crt; sourceTree = "<group>"; };
- 4C75421C13D51D64008048AC /* requireExplicitPolicy5subsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy5subsubCACert.crt; sourceTree = "<group>"; };
- 4C75421D13D51D64008048AC /* requireExplicitPolicy5subsubsubCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy5subsubsubCACert.crt; sourceTree = "<group>"; };
- 4C75421E13D51D64008048AC /* requireExplicitPolicy7CACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy7CACert.crt; sourceTree = "<group>"; };
- 4C75421F13D51D64008048AC /* requireExplicitPolicy7subCARE2Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy7subCARE2Cert.crt; sourceTree = "<group>"; };
- 4C75422013D51D64008048AC /* requireExplicitPolicy7subsubCARE2RE4Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy7subsubCARE2RE4Cert.crt; sourceTree = "<group>"; };
- 4C75422113D51D64008048AC /* requireExplicitPolicy7subsubsubCARE2RE4Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = requireExplicitPolicy7subsubsubCARE2RE4Cert.crt; sourceTree = "<group>"; };
 4C7608B10AC34A8100980096 /* SecCertificatePriv.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = SecCertificatePriv.h; sourceTree = "<group>"; };
 4C7913241799A5CB00A9633E /* MobileCoreServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileCoreServices.framework; path = System/Library/Frameworks/MobileCoreServices.framework; sourceTree = SDKROOT; };
 4C7CE56E0DC7DB0A00AE53FC /* SecEntitlements.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecEntitlements.h; sourceTree = "<group>"; };
 4C84DA541720698900AEE225 /* AppleAccount.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppleAccount.framework; path = System/Library/PrivateFrameworks/AppleAccount.framework; sourceTree = SDKROOT; };
 4C84DA6217207E8D00AEE225 /* entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = entitlements.plist; sourceTree = "<group>"; };
- 4C86273C1137BEF8009EAB5A /* AspenFamily.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; name = AspenFamily.xcconfig; path = AppleInternal/XcodeConfig/AspenFamily.xcconfig; sourceTree = DEVELOPER_DIR; };
 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libDER.xcodeproj; path = OSX/libsecurity_keychain/libDER/libDER.xcodeproj; sourceTree = "<group>"; };
 4C8786D90B03E1BC00BB77D4 /* libDER.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libDER.a; sourceTree = BUILT_PRODUCTS_DIR; };
 4C87F3A70D611C26000E7104 /* SecTrustPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecTrustPriv.h; sourceTree = "<group>"; };
@@ -4511,7 +3043,6 @@
 5208F4CE16702D8800A49DDA /* CircleStatusView.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CircleStatusView.m; sourceTree = "<group>"; };
 520C98E7162485CA00A7C80B /* QuartzCore.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = QuartzCore.framework; path = /System/Library/Frameworks/QuartzCore.framework; sourceTree = "<absolute>"; };
 52222CC0167BDAE100EDD09C /* SpringBoardServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SpringBoardServices.framework; path = System/Library/PrivateFrameworks/SpringBoardServices.framework; sourceTree = SDKROOT; };
- 52222D2C16A5CBCC00EDD09C /* com.apple.security.cloudkeychainproxy.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.security.cloudkeychainproxy.plist; sourceTree = "<group>"; };
 524492931AFD6D480043695A /* der_plist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = der_plist.h; path = ../../utilities/src/der_plist.h; sourceTree = "<group>"; };
 5264FB4C163674B50005D258 /* MyKeychain.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MyKeychain.h; sourceTree = "<group>"; };
 5264FB4D163674B50005D258 /* MyKeychain.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MyKeychain.m; sourceTree = "<group>"; };
@@ -4521,24 +3052,20 @@
 52704B82163905EE007FEBB0 /* EditItemViewController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = EditItemViewController.h; sourceTree = "<group>"; };
 52704B83163905EE007FEBB0 /* EditItemViewController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; path = EditItemViewController.m; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objc; };
 52704B871639193F007FEBB0 /* Keychain-Entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "Keychain-Entitlements.plist"; sourceTree = "<group>"; };
- 527435A916A9E6D1001A96FF /* Keychain_57x57.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = Keychain_57x57.png; sourceTree = SOURCE_ROOT; };
- 527435AB16A9E6DB001A96FF /* Keychain_114x114.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = Keychain_114x114.png; sourceTree = SOURCE_ROOT; };
- 527435AD16A9E6E5001A96FF /* Keychain_72x72.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = Keychain_72x72.png; sourceTree = SOURCE_ROOT; };
- 527435AF16A9E6E9001A96FF /* Keychain_144x144.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = Keychain_144x144.png; sourceTree = SOURCE_ROOT; };
+ 527435A916A9E6D1001A96FF /* Keychain_57x57.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; name = Keychain_57x57.png; path = Keychain/Keychain_57x57.png; sourceTree = SOURCE_ROOT; };
+ 527435AB16A9E6DB001A96FF /* Keychain_114x114.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; name = Keychain_114x114.png; path = Keychain/Keychain_114x114.png; sourceTree = SOURCE_ROOT; };
+ 527435AD16A9E6E5001A96FF /* Keychain_72x72.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; name = Keychain_72x72.png; path = Keychain/Keychain_72x72.png; sourceTree = SOURCE_ROOT; };
+ 527435AF16A9E6E9001A96FF /* Keychain_144x144.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; name = Keychain_144x144.png; path = Keychain/Keychain_144x144.png; sourceTree = SOURCE_ROOT; };
 529990521661BA2600C297A2 /* DeviceTableViewController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DeviceTableViewController.h; sourceTree = "<group>"; };
 529990531661BA2600C297A2 /* DeviceTableViewController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = DeviceTableViewController.m; sourceTree = "<group>"; };
 529990551661BADF00C297A2 /* DeviceItemCell.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DeviceItemCell.h; sourceTree = "<group>"; };
 529990561661BADF00C297A2 /* DeviceItemCell.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = DeviceItemCell.m; sourceTree = "<group>"; };
- 52A23EDB161DEC3700E271E0 /* Default-568h@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Default-568h@2x.png"; sourceTree = SOURCE_ROOT; };
+ 52A23EDB161DEC3700E271E0 /* Default-568h@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; name = "Default-568h@2x.png"; path = "SecurityTests/Default-568h@2x.png"; sourceTree = SOURCE_ROOT; };
 52B35B051623753000B97D06 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = /System/Library/Frameworks/Security.framework; sourceTree = "<absolute>"; };
 52CD69F916384C1F00961848 /* KCAItemDetailViewController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KCAItemDetailViewController.h; sourceTree = "<group>"; };
 52CD69FA16384C2000961848 /* KCAItemDetailViewController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCAItemDetailViewController.m; sourceTree = "<group>"; };
 52D82BD316A5EADA0078DFE5 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = System/Library/Frameworks/Security.framework; sourceTree = SDKROOT; };
 52D82BDE16A621F70078DFE5 /* CloudKeychainProxy.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = CloudKeychainProxy.bundle; sourceTree = BUILT_PRODUCTS_DIR; };
- 52D82BE216A621F70078DFE5 /* CloudKeychainProxy-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "CloudKeychainProxy-Info.plist"; sourceTree = "<group>"; };
- 52D82BE416A621F70078DFE5 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; };
- 52D82BE616A621F70078DFE5 /* AspenFamily.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = AspenFamily.xcconfig; path = AppleInternal/XcodeConfig/AspenFamily.xcconfig; sourceTree = DEVELOPER_DIR; };
- 52D82BF716A6283F0078DFE5 /* ckdmain.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = ckdmain.m; path = ../OSX/sec/SOSCircle/CloudKeychainProxy/ckdmain.m; sourceTree = "<group>"; };
 52DE81691636347500F49F0C /* Keychain.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = Keychain.app; sourceTree = BUILT_PRODUCTS_DIR; };
 52DE81701636347500F49F0C /* Keychain-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "Keychain-Info.plist"; sourceTree = "<group>"; };
 52DE81741636347500F49F0C /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = "<group>"; };
@@ -4546,7 +3073,7 @@
 52DE81781636347600F49F0C /* AppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = AppDelegate.m; sourceTree = "<group>"; };
 52DE817A1636347600F49F0C /* Default.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = Default.png; sourceTree = "<group>"; };
 52DE817C1636347600F49F0C /* Default@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Default@2x.png"; sourceTree = "<group>"; };
- 52DE817E1636347600F49F0C /* Default-568h@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Default-568h@2x.png"; sourceTree = "<group>"; };
+ 52DE817E1636347600F49F0C /* Default-568h@2x.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; name = "Default-568h@2x.png"; path = "Keychain/Default-568h@2x.png"; sourceTree = SOURCE_ROOT; };
 52DE81861636347600F49F0C /* FirstViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FirstViewController.h; sourceTree = "<group>"; };
 52DE81871636347600F49F0C /* FirstViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = FirstViewController.m; sourceTree = "<group>"; };
 52DE81891636347600F49F0C /* first.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = first.png; sourceTree = "<group>"; };
@@ -4565,12 +3092,10 @@
 5346480117331E1200FE9172 /* KeychainSyncAccountNotification.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = KeychainSyncAccountNotification.bundle; sourceTree = BUILT_PRODUCTS_DIR; };
 5346480517331E1200FE9172 /* KeychainSyncAccountNotification-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "KeychainSyncAccountNotification-Info.plist"; sourceTree = "<group>"; };
 5346480717331E1200FE9172 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = "<group>"; };
- 5346480917331E1200FE9172 /* AspenFamily.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = AspenFamily.xcconfig; path = AppleInternal/XcodeConfig/AspenFamily.xcconfig; sourceTree = DEVELOPER_DIR; };
 5346480A17331E1200FE9172 /* KeychainSyncAccountNotification-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "KeychainSyncAccountNotification-Prefix.pch"; sourceTree = "<group>"; };
 5346481C173322BD00FE9172 /* KeychainSyncAccountNotification.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KeychainSyncAccountNotification.h; sourceTree = "<group>"; };
 5346481D173322BD00FE9172 /* KeychainSyncAccountNotification.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KeychainSyncAccountNotification.m; sourceTree = "<group>"; };
 53C0E1F2177FAC2C00F8A018 /* English */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = English; path = English.lproj/CloudKeychain.strings; sourceTree = "<group>"; };
- 5D83979C160259EE0075998F /* Invalid.com.apple.testcard.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = Invalid.com.apple.testcard.crt; path = "shoebox-certs/Invalid.com.apple.testcard.crt"; sourceTree = "<group>"; };
 5DDD0BDD16D6740E00D6C0D6 /* com.apple.OTAPKIAssetTool.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.OTAPKIAssetTool.plist; sourceTree = "<group>"; };
 5DDD0BDE16D6740E00D6C0D6 /* OTAPKIAssetTool-entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "OTAPKIAssetTool-entitlements.plist"; sourceTree = "<group>"; };
 5E10992519A5E55800A60E2B /* ISACLProtectedItems.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = ISACLProtectedItems.bundle; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -4587,15 +3112,8 @@
 5E8B53A41AA0B8A600345E7B /* libcoreauthd_test_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_test_client.a; path = usr/local/lib/libcoreauthd_test_client.a; sourceTree = SDKROOT; };
 5EBE247A1B00CCAE0007DB0E /* secacltests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secacltests; sourceTree = BUILT_PRODUCTS_DIR; };
 5EBE247C1B00CCAE0007DB0E /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = "<group>"; };
- 721680C7179B514700406BB4 /* AspenFamily.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = AspenFamily.xcconfig; path = AppleInternal/XcodeConfig/AspenFamily.xcconfig; sourceTree = DEVELOPER_DIR; };
- 721680DC179B518400406BB4 /* main.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = "<group>"; };
- 721680DE179B51BC00406BB4 /* com.apple.icloudKeychainStats.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.icloudKeychainStats.plist; sourceTree = "<group>"; };
 7273402816CAFB3C0096622A /* MobileAsset.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileAsset.framework; path = System/Library/PrivateFrameworks/MobileAsset.framework; sourceTree = SDKROOT; };
 728B56A116D59979008FA3AB /* OTAPKIAssetTool */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = OTAPKIAssetTool; sourceTree = BUILT_PRODUCTS_DIR; };
- 728B56A516D59979008FA3AB /* AspenFamily.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = AspenFamily.xcconfig; path = AppleInternal/XcodeConfig/AspenFamily.xcconfig; sourceTree = DEVELOPER_DIR; };
- 72979BE2175D095900BE8FD6 /* cloud_keychain_diagnose */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = cloud_keychain_diagnose; sourceTree = BUILT_PRODUCTS_DIR; };
- 72979BE6175D095900BE8FD6 /* AspenFamily.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = AspenFamily.xcconfig; path = AppleInternal/XcodeConfig/AspenFamily.xcconfig; sourceTree = DEVELOPER_DIR; };
- 72979BEF175D0B2D00BE8FD6 /* cloud_keychain_diagnose.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = cloud_keychain_diagnose.c; path = OSX/utilities/src/cloud_keychain_diagnose.c; sourceTree = SOURCE_ROOT; };
 72B368BD179891FC004C37CE /* AggregateDictionary.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AggregateDictionary.framework; path = System/Library/PrivateFrameworks/AggregateDictionary.framework; sourceTree = SDKROOT; };
 72C3EC2D1705F24E0040C87C /* ManagedConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = ManagedConfiguration.framework; path = System/Library/PrivateFrameworks/ManagedConfiguration.framework; sourceTree = SDKROOT; };
 72CD2BBB16D59AE30064EEE1 /* OTAServiceApp.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OTAServiceApp.m; sourceTree = "<group>"; };
@@ -4633,26 +3151,16 @@
 798B7FD40D3D7B5400AC1D04 /* libASN1.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libASN1.a; sourceTree = BUILT_PRODUCTS_DIR; };
 79BDD3940D60D5F9000D84D3 /* libsecurity_smime.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_smime.xcodeproj; path = libsecurity_smime/libsecurity_smime.xcodeproj; sourceTree = "<group>"; };
 79BDD3C00D60DB84000D84D3 /* SecCMS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCMS.h; sourceTree = "<group>"; };
- 79DCEA54134A27D2007F57DC /* codesign_wrapper */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = codesign_wrapper; sourceTree = BUILT_PRODUCTS_DIR; };
- 79DCEA5E134A280F007F57DC /* codesign_wrapper.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = codesign_wrapper.c; sourceTree = "<group>"; };
- 79DCEA5F134A280F007F57DC /* codesign.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = codesign.c; sourceTree = "<group>"; };
- 79DCEA60134A280F007F57DC /* MISEntitlement.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = MISEntitlement.c; sourceTree = "<group>"; };
- 79DCEA67134A2820007F57DC /* codesign.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = codesign.h; sourceTree = "<group>"; };
- 79DCEA69134A2820007F57DC /* codesign_wrapper.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = codesign_wrapper.h; sourceTree = "<group>"; };
- 79DCEA6B134A2820007F57DC /* MISBase.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MISBase.h; sourceTree = "<group>"; };
- 79DCEA6D134A2820007F57DC /* MISEntitlement.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MISEntitlement.h; sourceTree = "<group>"; };
- 79E0D702143E558B0010CE0E /* Apple Application Integration Certification Authority Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = "Apple Application Integration Certification Authority Cert.crt"; sourceTree = "<group>"; };
- 79E0D703143E558B0010CE0E /* Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = "Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt"; sourceTree = "<group>"; };
- 79E0D704143E558B0010CE0E /* AppleRootCertificate.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = AppleRootCertificate.crt; sourceTree = "<group>"; };
- 79E0D7A6143E671C0010CE0E /* Invalid-asset_signing.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = "Invalid-asset_signing.crt"; sourceTree = "<group>"; };
- 79E0D7AA143E68BF0010CE0E /* iPhoneCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = iPhoneCACert.crt; sourceTree = "<group>"; };
 79EF5B6C0D3D6A31009F5270 /* SecImportExport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecImportExport.h; sourceTree = "<group>"; };
 79EF5B720D3D6AFE009F5270 /* p12import.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = p12import.h; sourceTree = "<group>"; };
 8E02FA691107BE460043545E /* pbkdf2.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pbkdf2.h; sourceTree = "<group>"; };
+ 8E64DB451C17BCF40076C9DF /* com.apple.security.idskeychainsyncingproxy.ios.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.security.idskeychainsyncingproxy.ios.plist; sourceTree = "<group>"; };
+ 8E64DB461C17BCF40076C9DF /* com.apple.security.idskeychainsyncingproxy.osx.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.security.idskeychainsyncingproxy.osx.plist; sourceTree = "<group>"; };
+ 8E64DB4C1C17CD3F0076C9DF /* com.apple.security.cloudkeychainproxy.ios.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = com.apple.security.cloudkeychainproxy.ios.plist; path = KVSKeychainSyncingProxy/com.apple.security.cloudkeychainproxy.ios.plist; sourceTree = "<group>"; };
+ 8E64DB4D1C17CD400076C9DF /* com.apple.security.cloudkeychainproxy.osx.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = com.apple.security.cloudkeychainproxy.osx.plist; path = KVSKeychainSyncingProxy/com.apple.security.cloudkeychainproxy.osx.plist; sourceTree = "<group>"; };
 8ED6F6C8110904E300D2B368 /* SecPBKDF.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecPBKDF.h; sourceTree = "<group>"; };
 9468B9471AF2B60800042383 /* SOSBackupSliceKeyBag.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSBackupSliceKeyBag.h; path = SecureObjectSync/SOSBackupSliceKeyBag.h; sourceTree = "<group>"; };
 9468B9691AF2B8FC00042383 /* SOSCloudCircleInternal.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSCloudCircleInternal.h; path = SecureObjectSync/SOSCloudCircleInternal.h; sourceTree = "<group>"; };
- 9468B96B1AF2B91B00042383 /* SOSForerunnerSession.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSForerunnerSession.h; path = SecureObjectSync/SOSForerunnerSession.h; sourceTree = "<group>"; };
 9468B96D1AF2B93300042383 /* SOSViews.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSViews.h; path = SecureObjectSync/SOSViews.h; sourceTree = "<group>"; };
 BE061FE01899ECEE00C739F6 /* SecSharedCredential.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecSharedCredential.h; sourceTree = "<group>"; };
 BE197F2619116FD100BA91D1 /* SharedWebCredentialViewService.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = SharedWebCredentialViewService.app; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -4662,17 +3170,15 @@
 BE197F2F19116FD100BA91D1 /* SharedWebCredentialViewService-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "SharedWebCredentialViewService-Prefix.pch"; sourceTree = "<group>"; };
 BE197F3019116FD100BA91D1 /* SWCAppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SWCAppDelegate.h; sourceTree = "<group>"; };
 BE197F3119116FD100BA91D1 /* SWCAppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SWCAppDelegate.m; sourceTree = "<group>"; };
- BE197F3319116FD100BA91D1 /* AspenFamily.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = AspenFamily.xcconfig; path = AppleInternal/XcodeConfig/AspenFamily.xcconfig; sourceTree = DEVELOPER_DIR; };
 BE197F5A1911723E00BA91D1 /* SpringBoardUIServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SpringBoardUIServices.framework; path = System/Library/PrivateFrameworks/SpringBoardUIServices.framework; sourceTree = SDKROOT; };
 BE197F5D191173A800BA91D1 /* SWCViewController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SWCViewController.m; sourceTree = "<group>"; };
 BE197F5F191173C100BA91D1 /* SWCViewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SWCViewController.h; sourceTree = "<group>"; };
 BE197F60191173F200BA91D1 /* entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = entitlements.plist; sourceTree = "<group>"; };
 BE442BC118B7FDB800F24DAE /* swcagent */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = swcagent; sourceTree = BUILT_PRODUCTS_DIR; };
- BE4AC9A118B7FFAD00B84964 /* swcagent.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = swcagent.m; path = OSX/sec/SharedWebCredential/swcagent.m; sourceTree = "<group>"; };
+ BE4AC9A118B7FFAD00B84964 /* swcagent.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; name = swcagent.m; path = OSX/sec/SharedWebCredential/swcagent.m; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.objc; };
 BE4AC9AD18B7FFC800B84964 /* com.apple.security.swcagent.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = com.apple.security.swcagent.plist; path = OSX/sec/SharedWebCredential/com.apple.security.swcagent.plist; sourceTree = "<group>"; };
 BE4AC9B918B8273600B84964 /* English */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = English; path = English.lproj/SharedWebCredentials.strings; sourceTree = "<group>"; };
 CD276C271A83F60C003226BC /* IDSKeychainSyncingProxy.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = IDSKeychainSyncingProxy.bundle; sourceTree = BUILT_PRODUCTS_DIR; };
- CD3F91151A802B4900E07119 /* com.apple.security.idskeychainsyncingproxy.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.security.idskeychainsyncingproxy.plist; sourceTree = "<group>"; };
 CD3F91181A802B4900E07119 /* IDSKeychainSyncingProxy-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "IDSKeychainSyncingProxy-Info.plist"; sourceTree = "<group>"; };
 CD4F44201B546A7E00FE3569 /* SOSPeerInfoV2.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSPeerInfoV2.h; path = SecureObjectSync/SOSPeerInfoV2.h; sourceTree = "<group>"; };
 CD744683195A00BB00FB01C0 /* IDS.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IDS.framework; path = System/Library/PrivateFrameworks/IDS.framework; sourceTree = SDKROOT; };
@@ -4680,73 +3186,119 @@ CDB22D0B1A9D37440043E348 /* idskeychainsyncingproxy.entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = idskeychainsyncingproxy.entitlements.plist; sourceTree = "<group>"; }; CDB9FCA9179CC757000AAD66 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; }; CDDE9BC31729AB910013B0E8 /* SecPasswordGenerate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecPasswordGenerate.h; sourceTree = "<group>"; }; - CDF42C2C1A884C3E0080BB05 /* idksmain.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = idksmain.m; path = OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idksmain.m; sourceTree = SOURCE_ROOT; }; CDF91EF11AAE023800E88CF7 /* com.apple.private.alloy.keychainsync.plist */ = {isa = PBXFileReference; lastKnownFileType = file.bplist; path = com.apple.private.alloy.keychainsync.plist; sourceTree = "<group>"; }; D45D1A461B3A293E00C63E16 /* oids.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = oids.h; path = ../../libsecurity_keychain/libDER/libDER/oids.h; sourceTree = "<group>"; }; - D4B4A9D31B8BBC1B0097B393 /* InvalidEKUTest16.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidEKUTest16.cer; path = "ssl-policy-certs/InvalidEKUTest16.cer"; sourceTree = "<group>"; }; - D4B4A9D41B8BBC1B0097B393 /* InvalidHostnameTest1.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidHostnameTest1.cer; path = "ssl-policy-certs/InvalidHostnameTest1.cer"; sourceTree = "<group>"; }; - D4B4A9D51B8BBC1B0097B393 /* InvalidHostnameTest2.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidHostnameTest2.cer; path = "ssl-policy-certs/InvalidHostnameTest2.cer"; sourceTree = "<group>"; }; - D4B4A9D61B8BBC1B0097B393 /* InvalidHostnameTest22.cer */ = {isa = PBXFileReference; 
lastKnownFileType = file; name = InvalidHostnameTest22.cer; path = "ssl-policy-certs/InvalidHostnameTest22.cer"; sourceTree = "<group>"; }; - D4B4A9D71B8BBC1B0097B393 /* InvalidHostnameTest23.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidHostnameTest23.cer; path = "ssl-policy-certs/InvalidHostnameTest23.cer"; sourceTree = "<group>"; }; - D4B4A9D81B8BBC1B0097B393 /* InvalidHostnameTest24.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidHostnameTest24.cer; path = "ssl-policy-certs/InvalidHostnameTest24.cer"; sourceTree = "<group>"; }; - D4B4A9D91B8BBC1B0097B393 /* InvalidWildcardTest5Test6.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidWildcardTest5Test6.cer; path = "ssl-policy-certs/InvalidWildcardTest5Test6.cer"; sourceTree = "<group>"; }; - D4B4A9DA1B8BBC1B0097B393 /* InvalidWildcardTest10.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidWildcardTest10.cer; path = "ssl-policy-certs/InvalidWildcardTest10.cer"; sourceTree = "<group>"; }; - D4B4A9DB1B8BBC1B0097B393 /* InvalidWildcardTest11.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidWildcardTest11.cer; path = "ssl-policy-certs/InvalidWildcardTest11.cer"; sourceTree = "<group>"; }; - D4B4A9DC1B8BBC1B0097B393 /* InvalidWildcardTest12.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidWildcardTest12.cer; path = "ssl-policy-certs/InvalidWildcardTest12.cer"; sourceTree = "<group>"; }; - D4B4A9DD1B8BBC1B0097B393 /* InvalidWildcardTest13Test14.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidWildcardTest13Test14.cer; path = "ssl-policy-certs/InvalidWildcardTest13Test14.cer"; sourceTree = "<group>"; }; - D4B4A9DE1B8BBC1B0097B393 /* InvalidWildcardTest15.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidWildcardTest15.cer; path = "ssl-policy-certs/InvalidWildcardTest15.cer"; sourceTree = "<group>"; }; - 
D4B4A9DF1B8BBC1B0097B393 /* InvalidWildcardTest25Test26.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = InvalidWildcardTest25Test26.cer; path = "ssl-policy-certs/InvalidWildcardTest25Test26.cer"; sourceTree = "<group>"; }; - D4B4A9E01B8BBC1B0097B393 /* SSLTrustPolicyTest.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = SSLTrustPolicyTest.plist; path = "ssl-policy-certs/SSLTrustPolicyTest.plist"; sourceTree = "<group>"; }; - D4B4A9E11B8BBC1B0097B393 /* SSLTrustPolicyTestRootCertificate.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = SSLTrustPolicyTestRootCertificate.cer; path = "ssl-policy-certs/SSLTrustPolicyTestRootCertificate.cer"; sourceTree = "<group>"; }; - D4B4A9E21B8BBC1B0097B393 /* ValidEKUTest17.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = ValidEKUTest17.cer; path = "ssl-policy-certs/ValidEKUTest17.cer"; sourceTree = "<group>"; }; - D4B4A9E31B8BBC1B0097B393 /* ValidHostnameTest3.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = ValidHostnameTest3.cer; path = "ssl-policy-certs/ValidHostnameTest3.cer"; sourceTree = "<group>"; }; - D4B4A9E41B8BBC1B0097B393 /* ValidHostnameTest4.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = ValidHostnameTest4.cer; path = "ssl-policy-certs/ValidHostnameTest4.cer"; sourceTree = "<group>"; }; - D4B4A9E51B8BBC1B0097B393 /* ValidHostnameTest18Test19Test20.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = ValidHostnameTest18Test19Test20.cer; path = "ssl-policy-certs/ValidHostnameTest18Test19Test20.cer"; sourceTree = "<group>"; }; - D4B4A9E61B8BBC1B0097B393 /* ValidHostnameTest21.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = ValidHostnameTest21.cer; path = "ssl-policy-certs/ValidHostnameTest21.cer"; sourceTree = "<group>"; }; - D4B4A9E71B8BBC1B0097B393 /* ValidWildcardTest7Test8Test9.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = 
ValidWildcardTest7Test8Test9.cer; path = "ssl-policy-certs/ValidWildcardTest7Test8Test9.cer"; sourceTree = "<group>"; }; + D47F514B1C3B812500A7CEFE /* SecCFAllocator.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecCFAllocator.h; sourceTree = "<group>"; }; + D4B858661D370D9A003B2D95 /* MobileCoreServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileCoreServices.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS10.0.Internal.sdk/System/Library/Frameworks/MobileCoreServices.framework; sourceTree = DEVELOPER_DIR; }; + D4D886BE1CEB9F3B00DC7583 /* ssl-policy-certs */ = {isa = PBXFileReference; lastKnownFileType = folder; path = "ssl-policy-certs"; sourceTree = "<group>"; }; + D4D886E81CEBDD2A00DC7583 /* nist-certs */ = {isa = PBXFileReference; lastKnownFileType = folder; path = "nist-certs"; sourceTree = "<group>"; }; + D4EC94FA1CEA482D0083E753 /* si-20-sectrust-policies-data */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "si-20-sectrust-policies-data"; path = "../OSX/shared_regressions/si-20-sectrust-policies-data"; sourceTree = "<group>"; }; E7104A0B169E171900DB0045 /* security_tool_commands.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = security_tool_commands.c; sourceTree = "<group>"; }; E710C7421331946400F85568 /* SecurityTests.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = SecurityTests.app; sourceTree = BUILT_PRODUCTS_DIR; }; E710C74C1331946500F85568 /* SecurityTests-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "SecurityTests-Info.plist"; sourceTree = "<group>"; }; + E71454C71C741DCD00B5B20B /* KCDer.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KCDer.h; sourceTree = "<group>"; }; + E71454ED1C741E0800B5B20B /* KCError.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.h; path = KCError.h; sourceTree = "<group>"; }; + E71454EE1C741E0800B5B20B /* KCError.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCError.m; sourceTree = "<group>"; }; E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SystemConfiguration.framework; path = System/Library/Frameworks/SystemConfiguration.framework; sourceTree = SDKROOT; }; - E72783F6159BDFBB00028D6C /* Apple TEST RootCertificate.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Apple TEST RootCertificate.crt"; path = "shoebox-certs/Apple TEST RootCertificate.crt"; sourceTree = "<group>"; }; - E72783F7159BDFBC00028D6C /* Apple Worldwide Developer Relations Certification Authority Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Apple Worldwide Developer Relations Certification Authority Cert.crt"; path = "shoebox-certs/Apple Worldwide Developer Relations Certification Authority Cert.crt"; sourceTree = "<group>"; }; - E72783F8159BDFBC00028D6C /* Apple Worldwide Developer Relations Certification Authority TEST Cert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Apple Worldwide Developer Relations Certification Authority TEST Cert.crt"; path = "shoebox-certs/Apple Worldwide Developer Relations Certification Authority TEST Cert.crt"; sourceTree = "<group>"; }; - E72783F9159BDFBC00028D6C /* AppleRootCertificate.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = AppleRootCertificate.crt; path = "shoebox-certs/AppleRootCertificate.crt"; sourceTree = "<group>"; }; - E73000DD13D90A1F00B0DA1B /* Invalid-asset_signing.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = "Invalid-asset_signing.crt"; path = "OTATasking-certs/Invalid-asset_signing.crt"; sourceTree = "<group>"; }; - E73000DF13D90A1F00B0DA1B /* task_signing.crt */ = {isa = PBXFileReference; lastKnownFileType = 
file; name = task_signing.crt; path = "OTATasking-certs/task_signing.crt"; sourceTree = "<group>"; }; - E73000F513D90CD900B0DA1B /* AppleRootCertificate.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = AppleRootCertificate.crt; path = "mobileasset-certs/AppleRootCertificate.crt"; sourceTree = "<group>"; }; - E73000F613D90CD900B0DA1B /* asset_signing.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = asset_signing.crt; sourceTree = "<group>"; }; - E73000F713D90CD900B0DA1B /* Invalid-task_signing.crt */ = {isa = PBXFileReference; lastKnownFileType = file; path = "Invalid-task_signing.crt"; sourceTree = "<group>"; }; - E73000F813D90CD900B0DA1B /* iPhoneCACert.crt */ = {isa = PBXFileReference; lastKnownFileType = file; name = iPhoneCACert.crt; path = "mobileasset-certs/iPhoneCACert.crt"; sourceTree = "<group>"; }; + E722E9111CE92DFC005AD94B /* CKDKVSStore.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = CKDKVSStore.m; path = KVSKeychainSyncingProxy/CKDKVSStore.m; sourceTree = "<group>"; }; + E722E9381CE92EE0005AD94B /* CKDKVSStore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CKDKVSStore.h; path = KVSKeychainSyncingProxy/CKDKVSStore.h; sourceTree = "<group>"; }; E732892A1AED7551008CE839 /* SOSCloudCircle.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSCloudCircle.h; path = "Forwarding Headers/SOSCloudCircle.h"; sourceTree = SOURCE_ROOT; }; E732892C1AED7631008CE839 /* SOSPeerInfo.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSPeerInfo.h; path = "Forwarding Headers/SOSPeerInfo.h"; sourceTree = SOURCE_ROOT; }; + E73AC9421D0250D900FFFEE0 /* CKDStore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CKDStore.h; path = KVSKeychainSyncingProxy/CKDStore.h; sourceTree = "<group>"; }; E7450BAC16D42B17009C07B8 /* SOSCloudCircle.h */ = 
{isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSCloudCircle.h; path = SecureObjectSync/SOSCloudCircle.h; sourceTree = "<group>"; }; E7450BAD16D42B17009C07B8 /* SOSPeerInfo.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSPeerInfo.h; path = SecureObjectSync/SOSPeerInfo.h; sourceTree = "<group>"; }; E75112E9166EFBF0008C578B /* PeerListCell.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PeerListCell.h; sourceTree = "<group>"; }; E75112EA166EFBF0008C578B /* PeerListCell.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = PeerListCell.m; sourceTree = "<group>"; }; + E75C0E801C6FC31D00E6953B /* KCSRPContext.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KCSRPContext.h; sourceTree = "<group>"; }; + E75C0E811C6FC31D00E6953B /* KCSRPContext.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCSRPContext.m; sourceTree = "<group>"; }; + E75C0E841C71325000E6953B /* KeychainCircle.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KeychainCircle.h; sourceTree = "<group>"; }; + E75E498A1C8F76360001A34F /* libDER.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libDER.a; path = ../../../../../usr/local/lib/libDER.a; sourceTree = "<group>"; }; + E75E498C1C8F76680001A34F /* libASN1.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libASN1.a; path = ../../../../../usr/local/lib/libASN1.a; sourceTree = "<group>"; }; E7676DB519411DF300498DD4 /* SecServerEncryptionSupport.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecServerEncryptionSupport.h; sourceTree = "<group>"; }; - E7A94C9713D8A0DF001C5FEE /* Expectations.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Expectations.plist; sourceTree = 
"<group>"; }; + E772FD461CC15EFA00D63E41 /* NSData+SecRandom.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "NSData+SecRandom.m"; sourceTree = "<group>"; }; + E772FD6F1CC15F1F00D63E41 /* NSData+SecRandom.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "NSData+SecRandom.h"; sourceTree = "<group>"; }; + E78A9AD81D34959200006B5B /* NSFileHandle+Formatting.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "NSFileHandle+Formatting.h"; path = "../OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.h"; sourceTree = "<group>"; }; + E78A9AD91D34959200006B5B /* NSFileHandle+Formatting.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "NSFileHandle+Formatting.m"; path = "../OSX/sec/SOSCircle/Tool/NSFileHandle+Formatting.m"; sourceTree = "<group>"; }; + E794BA6E1C7424D800339A0F /* KCDer.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCDer.m; sourceTree = "<group>"; }; + E794BAD91C7598E400339A0F /* KCJoiningMessages.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KCJoiningMessages.h; sourceTree = "<group>"; }; + E794BAFF1C7598F900339A0F /* KCJoiningMessages.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCJoiningMessages.m; sourceTree = "<group>"; }; + E7A5F4C61C0CFF3200F3BEBB /* CKDKVSProxy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CKDKVSProxy.h; path = KVSKeychainSyncingProxy/CKDKVSProxy.h; sourceTree = "<group>"; }; + E7A5F4C71C0CFF3200F3BEBB /* CKDKVSProxy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = CKDKVSProxy.m; path = KVSKeychainSyncingProxy/CKDKVSProxy.m; sourceTree = "<group>"; }; + E7A5F4C91C0CFF3200F3BEBB /* CKDPersistentState.h */ = {isa = PBXFileReference; 
fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CKDPersistentState.h; path = KVSKeychainSyncingProxy/CKDPersistentState.h; sourceTree = "<group>"; }; + E7A5F4CA1C0CFF3200F3BEBB /* CKDPersistentState.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = CKDPersistentState.m; path = KVSKeychainSyncingProxy/CKDPersistentState.m; sourceTree = "<group>"; }; + E7A5F4CB1C0CFF3300F3BEBB /* cloudkeychain.entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = cloudkeychain.entitlements.plist; path = KVSKeychainSyncingProxy/cloudkeychain.entitlements.plist; sourceTree = "<group>"; }; + E7A5F4CC1C0CFF3300F3BEBB /* CloudKeychainProxy-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = "CloudKeychainProxy-Info.plist"; path = "KVSKeychainSyncingProxy/CloudKeychainProxy-Info.plist"; sourceTree = "<group>"; }; + E7A5F4CE1C0CFF3300F3BEBB /* cloudkeychainproxy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = cloudkeychainproxy.m; path = KVSKeychainSyncingProxy/cloudkeychainproxy.m; sourceTree = "<group>"; }; + E7A5F4D71C0D01B000F3BEBB /* SOSCloudKeychainConstants.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; name = SOSCloudKeychainConstants.c; path = OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.c; }; + E7A5F5511C0D03B400F3BEBB /* IDSPersistentState.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = IDSPersistentState.m; sourceTree = "<group>"; }; + E7A5F5521C0D03B400F3BEBB /* IDSProxy.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = IDSProxy.m; sourceTree = "<group>"; }; + E7A5F5551C0D03DB00F3BEBB /* idskeychainsyncingproxy.m */ = {isa = PBXFileReference; fileEncoding = 4; 
lastKnownFileType = sourcecode.c.objc; path = idskeychainsyncingproxy.m; sourceTree = "<group>"; }; + E7A5F5561C0D03DB00F3BEBB /* IDSPersistentState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IDSPersistentState.h; sourceTree = "<group>"; }; + E7A5F5571C0D03DB00F3BEBB /* IDSProxy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IDSProxy.h; sourceTree = "<group>"; }; E7AAB5F415929493005C8BCC /* libcorecrypto.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libcorecrypto.dylib; path = usr/lib/system/libcorecrypto.dylib; sourceTree = SDKROOT; }; E7B01BF2166594AB000485F1 /* SyncDevTest2.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = SyncDevTest2.app; sourceTree = BUILT_PRODUCTS_DIR; }; + E7B945B01CFE5D440027F31D /* CKDAccount.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = CKDAccount.h; path = KVSKeychainSyncingProxy/CKDAccount.h; sourceTree = "<group>"; }; + E7B945B11CFE5EBD0027F31D /* CKDSecuritydAccount.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CKDSecuritydAccount.h; path = KVSKeychainSyncingProxy/CKDSecuritydAccount.h; sourceTree = "<group>"; }; + E7B945B21CFE5EBD0027F31D /* CKDSecuritydAccount.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = CKDSecuritydAccount.m; path = KVSKeychainSyncingProxy/CKDSecuritydAccount.m; sourceTree = "<group>"; }; + E7CFF7221C8660A000E3484E /* KeychainCircle.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = KeychainCircle.plist; path = Tests/KeychainCircle.plist; sourceTree = "<group>"; }; E7D690911652E06A0079537A /* libMobileGestalt.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libMobileGestalt.dylib; path = usr/lib/libMobileGestalt.dylib; 
sourceTree = SDKROOT; }; + E7D847C51C6BE9710025BB44 /* KeychainCircle.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = KeychainCircle.framework; sourceTree = BUILT_PRODUCTS_DIR; }; + E7D847C91C6BE9710025BB44 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; }; + E7D847CE1C6BE9720025BB44 /* KeychainCircleTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = KeychainCircleTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; + E7D848041C6BEFC10025BB44 /* KCSRPTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = KCSRPTests.m; path = Tests/KCSRPTests.m; sourceTree = "<group>"; }; + E7D848061C6BEFFA0025BB44 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = Info.plist; path = Tests/Info.plist; sourceTree = "<group>"; }; + E7D848541C6C1D9C0025BB44 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.12.sdk/System/Library/Frameworks/Foundation.framework; sourceTree = DEVELOPER_DIR; }; + E7E3EFB91CBC192A00E79A5D /* KCAccountKCCircleDelegate.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCAccountKCCircleDelegate.m; sourceTree = "<group>"; }; + E7E3EFE21CBC195700E79A5D /* KCAccountKCCircleDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KCAccountKCCircleDelegate.h; sourceTree = "<group>"; }; E7E4318813319C0700AF0CFD /* SecurityTests-Entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "SecurityTests-Entitlements.plist"; sourceTree = "<group>"; }; + E7F480111C729C7B00390FDB /* NSError+KCCreationHelpers.h */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "NSError+KCCreationHelpers.h"; sourceTree = "<group>"; }; + E7F480131C7397CE00390FDB /* KCJoiningSession.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KCJoiningSession.h; sourceTree = "<group>"; }; + E7F480141C73980D00390FDB /* KCJoiningRequestSession.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCJoiningRequestSession.m; sourceTree = "<group>"; }; + E7F480301C73FC4C00390FDB /* KCAESGCMDuplexSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KCAESGCMDuplexSession.h; sourceTree = "<group>"; }; + E7F480311C73FC4C00390FDB /* KCAESGCMDuplexSession.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCAESGCMDuplexSession.m; sourceTree = "<group>"; }; + E7F4809B1C74E85200390FDB /* KCDerTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = KCDerTest.m; path = Tests/KCDerTest.m; sourceTree = "<group>"; }; + E7F4809D1C74E86D00390FDB /* KCAESGCMTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = KCAESGCMTest.m; path = Tests/KCAESGCMTest.m; sourceTree = "<group>"; }; + E7F4826F1C74FDD100390FDB /* KCJoiningSessionTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = KCJoiningSessionTest.m; path = Tests/KCJoiningSessionTest.m; sourceTree = "<group>"; }; + E7F482A21C7544E600390FDB /* libctkclient_test.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libctkclient_test.a; path = ../../../../../usr/local/lib/libctkclient_test.a; sourceTree = "<group>"; }; + E7F482A51C75453900390FDB /* libcoreauthd_test_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_test_client.a; path = ../../../../../usr/local/lib/libcoreauthd_test_client.a; 
sourceTree = "<group>"; }; + E7F482A91C7554F500390FDB /* NSError+KCCreationHelpers.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "NSError+KCCreationHelpers.m"; sourceTree = "<group>"; }; + E7F482AB1C7558F700390FDB /* KCJoiningAcceptSession.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCJoiningAcceptSession.m; sourceTree = "<group>"; }; E7FC30AB1332DE9000802946 /* MobileKeyBag.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileKeyBag.framework; path = System/Library/PrivateFrameworks/MobileKeyBag.framework; sourceTree = SDKROOT; }; E7FCBE411314471B000DE34E /* UIKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = UIKit.framework; path = System/Library/Frameworks/UIKit.framework; sourceTree = SDKROOT; }; E7FCBE431314471B000DE34E /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; }; E7FCBE451314471B000DE34E /* CoreGraphics.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreGraphics.framework; path = System/Library/Frameworks/CoreGraphics.framework; sourceTree = SDKROOT; }; E7FEFB80169E26E200E18152 /* sub_commands.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = sub_commands.h; sourceTree = "<group>"; }; - EB0BC8151C3C064400785842 /* secedumodetest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secedumodetest; sourceTree = BUILT_PRODUCTS_DIR; }; - EB0BC83D1C3C06CA00785842 /* secedumodetest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = secedumodetest.m; path = secedumodetest/secedumodetest.m; sourceTree = "<group>"; }; - EB0BC83E1C3C072C00785842 /* secedumodetest.entitlements */ = {isa = 
PBXFileReference; lastKnownFileType = text.xml; name = secedumodetest.entitlements; path = secedumodetest/secedumodetest.entitlements; sourceTree = "<group>"; }; + EB0BC93E1C3C791500785842 /* secedumodetest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secedumodetest; sourceTree = BUILT_PRODUCTS_DIR; }; + EB0BC9651C3C794700785842 /* secedumodetest.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = secedumodetest.entitlements; path = secedumodetest/secedumodetest.entitlements; sourceTree = "<group>"; }; + EB0BC9661C3C794700785842 /* secedumodetest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = secedumodetest.m; path = secedumodetest/secedumodetest.m; sourceTree = "<group>"; }; + EB2CA4D81D2C28C800AB770F /* libaks.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libaks.a; path = usr/local/lib/libaks.a; sourceTree = SDKROOT; }; + EB2CA5561D2C30F700AB770F /* Security.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = Security.xcconfig; path = xcconfig/Security.xcconfig; sourceTree = "<group>"; }; EB3A8DD71BEEC4D6001A89AA /* Security_edumode.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; path = Security_edumode.plist; sourceTree = "<group>"; }; + EB425CA61C65846D000ECE53 /* secbackuptest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secbackuptest; sourceTree = BUILT_PRODUCTS_DIR; }; + EB425CCD1C65854F000ECE53 /* secbackuptest.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = secbackuptest.entitlements; path = secbackuptest/secbackuptest.entitlements; sourceTree = "<group>"; }; + EB425CCE1C65854F000ECE53 /* secbackuptest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = secbackuptest.m; path = 
secbackuptest/secbackuptest.m; sourceTree = "<group>"; }; + EB433A1E1CC3242C00A7EACE /* secitemstresstest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = secitemstresstest.m; path = secitemstresstest/secitemstresstest.m; sourceTree = "<group>"; }; + EB433A281CC3243600A7EACE /* secitemstresstest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secitemstresstest; sourceTree = BUILT_PRODUCTS_DIR; }; + EB433A2D1CC325E900A7EACE /* secitemstresstest.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = secitemstresstest.entitlements; path = secitemstresstest/secitemstresstest.entitlements; sourceTree = "<group>"; }; EB69AB091BF4347700913AF1 /* SecEMCSPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecEMCSPriv.h; sourceTree = "<group>"; }; - EB9B37A31C646F070027E2F9 /* secbackuptest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = secbackuptest.m; path = secbackuptest/secbackuptest.m; sourceTree = "<group>"; }; - EB9B37A41C646F5F0027E2F9 /* secbackuptest.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.xml; name = secbackuptest.entitlements; path = secbackuptest/secbackuptest.entitlements; sourceTree = "<group>"; }; - EB9B37AD1C64705F0027E2F9 /* secbackuptest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secbackuptest; sourceTree = BUILT_PRODUCTS_DIR; }; + EB8021411D3D90BB008540C4 /* Security.iOS.modulemap */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = "sourcecode.module-map"; name = Security.iOS.modulemap; path = Modules/Security.iOS.modulemap; sourceTree = "<group>"; }; + EB8021421D3D90BB008540C4 /* Security.macOS.modulemap */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = "sourcecode.module-map"; name = Security.macOS.modulemap; 
path = Modules/Security.macOS.modulemap; sourceTree = "<group>"; }; EB9C1D7A1BDFD0E000F89272 /* secbackupntest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secbackupntest; sourceTree = BUILT_PRODUCTS_DIR; }; EB9C1D7D1BDFD0E100F89272 /* secbackupntest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = secbackupntest.m; sourceTree = "<group>"; }; EB9C1DAD1BDFD49400F89272 /* Security.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; path = Security.plist; sourceTree = "<group>"; }; + EBA9AA7B1CE30CE7004E2B68 /* secitemnotifications.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = secitemnotifications.entitlements; path = secitemnotifications/secitemnotifications.entitlements; sourceTree = "<group>"; }; + EBA9AA7C1CE30CE7004E2B68 /* secitemnotifications.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = secitemnotifications.m; path = secitemnotifications/secitemnotifications.m; sourceTree = "<group>"; }; + EBA9AA861CE30E58004E2B68 /* secitemnotifications */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secitemnotifications; sourceTree = BUILT_PRODUCTS_DIR; }; + EBBE20311C2137E900B7A639 /* ExternalProject.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; name = ExternalProject.sh; path = SecurityFeatures/ExternalProject.sh; sourceTree = "<group>"; }; + EBCF73F11CE45F8600BED7CA /* secitemfunctionality.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = secitemfunctionality.entitlements; path = secitemfunctionality/secitemfunctionality.entitlements; sourceTree = "<group>"; }; + EBCF73F21CE45F8600BED7CA /* secitemfunctionality.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = 
secitemfunctionality.m; path = secitemfunctionality/secitemfunctionality.m; sourceTree = "<group>"; }; + EBCF73FC1CE45F9C00BED7CA /* secitemfunctionality */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secitemfunctionality; sourceTree = BUILT_PRODUCTS_DIR; }; EBD8495A1B24BEA000C5FD1E /* print_cert.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = print_cert.c; path = OSX/sec/SecurityTool/print_cert.c; sourceTree = SOURCE_ROOT; }; + EBDED8AE1C21076C00E5ECDB /* CopyHeaders.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; name = CopyHeaders.sh; path = SecurityFeatures/CopyHeaders.sh; sourceTree = "<group>"; }; + EBDED8AF1C21076C00E5ECDB /* README.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README.txt; path = SecurityFeatures/README.txt; sourceTree = "<group>"; }; + EBDED8B21C21078D00E5ECDB /* SecurityFeatures.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecurityFeatures.h; path = SecurityFeatures/OSX/SecurityFeatures.h; sourceTree = "<group>"; }; + EBDED8B31C2107A200E5ECDB /* SecurityFeatures.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecurityFeatures.h; path = SecurityFeatures/iOS/SecurityFeatures.h; sourceTree = "<group>"; }; + EBDED8B51C2107DF00E5ECDB /* SecurityFeatures.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecurityFeatures.h; path = include/Security/SecurityFeatures.h; sourceTree = "<group>"; }; EBE54D771BE33227000C4856 /* libmis.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libmis.dylib; path = usr/lib/libmis.dylib; sourceTree = SDKROOT; }; F93C493A1AB8FF530047E01A /* ckcdiagnose.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = ckcdiagnose.sh; sourceTree = "<group>"; 
}; /* End PBXFileReference section */ @@ -4763,11 +3315,13 @@ EB3409B01C1D627400D77661 /* Foundation.framework in Frameworks */, 0C0BDB8B1756A5D900BC1A7E /* libASN1.a in Frameworks */, 0C0BDB8A1756A5D500BC1A7E /* libDER.a in Frameworks */, + D447C4E81D31CA720082FC1D /* libCMS.a in Frameworks */, + D447C4DA1D31C8280082FC1D /* libsecurity.a in Frameworks */, 0C0BDB851756A4B900BC1A7E /* libsecdRegressions.a in Frameworks */, - 0C0BDB891756A56A00BC1A7E /* libsecurity.a in Frameworks */, 0C0BDB861756A4C100BC1A7E /* libsecurityd.a in Frameworks */, 0C0BDB8E1756A69A00BC1A7E /* libSecureObjectSync.a in Frameworks */, 0C0BDB871756A4FA00BC1A7E /* libutilities.a in Frameworks */, + D447C4101D3094740082FC1D /* Security.framework in Frameworks */, 0C0BDB8D1756A66100BC1A7E /* CFNetwork.framework in Frameworks */, 0C0BDB911756A8A400BC1A7E /* IOKit.framework in Frameworks */, 0C0BDB931756A8C900BC1A7E /* SystemConfiguration.framework in Frameworks */, @@ -4779,6 +3333,26 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 0C2BCBB21D06401F00ED7A2F /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 0C2BCBB31D06401F00ED7A2F /* libutilities.a in Frameworks */, + 0C2BCBB41D06401F00ED7A2F /* Security.framework in Frameworks */, + 0C2BCBB51D06401F00ED7A2F /* CoreFoundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 0C2BCBC71D0648D100ED7A2F /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 0C2BCBC81D0648D100ED7A2F /* libutilities.a in Frameworks */, + 0C2BCBC91D0648D100ED7A2F /* Security.framework in Frameworks */, + 0C2BCBCA1D0648D100ED7A2F /* CoreFoundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 438169091B4EDCBD00C54D58 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; 
@@ -4816,6 +3390,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 0C869B431C865E4D006A2873 /* CoreCDP.framework in Frameworks */, 43DB54551BB1F8920083C3F1 /* ProtectedCloudStorage.framework in Frameworks */, 4C8A38C917B93DF10001B4C0 /* CloudServices.framework in Frameworks */, 4C7913251799A5CC00A9633E /* MobileCoreServices.framework in Frameworks */, @@ -4830,6 +3405,7 @@ 4C52D0EC16EFCD300079966E /* Security.framework in Frameworks */, 4C52D0B516EFC61E0079966E /* Foundation.framework in Frameworks */, 4364A1D81B2116CD00B6AFAC /* libutilities.a in Frameworks */, + EB2CA5571D2C36D400AB770F /* IOKit.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -4837,14 +3413,15 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D40771EE1C9B51ED0016AA66 /* libSharedRegressions.a in Frameworks */, EBE9019C1C2285DB007308C6 /* AggregateDictionary.framework in Frameworks */, E7D690A11652E07B0079537A /* libMobileGestalt.dylib in Frameworks */, 0CCA418715C89FBB002AEC4C /* libsecurity_ssl_regressions.a in Frameworks */, 18F7F67814D77F0600F88A12 /* libsecurityd.a in Frameworks */, 4C2FEC671575887D0008BE39 /* libSecureObjectSync.a in Frameworks */, - 4C711D6913AFCD0900FE865D /* libASN1.a in Frameworks */, - 4C711D6713AFCD0900FE865D /* libDER.a in Frameworks */, 4C2FEC5B15755E2F0008BE39 /* libutilities.a in Frameworks */, + E75C27741C98D42A00F7E12A /* libDER.a in Frameworks */, + E75C27751C98D43700F7E12A /* libASN1.a in Frameworks */, 4C711D7113AFCD0900FE865D /* libregressions.a in Frameworks */, 438168C01B4ED42C00C54D58 /* CoreFoundation.framework in Frameworks */, E7E0D902158FAFED002CA176 /* libutilitiesRegressions.a in Frameworks */, 
@@ -4892,7 +3469,7 @@ 4C32C1A60A497A21002891BD /* Security.framework in Frameworks */, 4CAE95DC0F3D6E020075278E /* CFNetwork.framework in Frameworks */, 4C0CC642174C580200CC799A /* SystemConfiguration.framework in Frameworks */, - EBC1B8E11BE96FE600E6ACA6 /* Foundation.framework in Frameworks */, + E745836E1BF3CA13001B54A4 /* Foundation.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -4911,7 +3488,6 @@ buildActionMask = 2147483647; files = ( 52D82BF016A622570078DFE5 /* libutilities.a in Frameworks */, - 52D82BEF16A622470078DFE5 /* libCloudKeychainProxy.a in Frameworks */, 52D82BEE16A622370078DFE5 /* Security.framework in Frameworks */, 52D82BDF16A621F70078DFE5 /* Foundation.framework in Frameworks */, E72D462B175FBF3E00F70B9B /* IOKit.framework in Frameworks */, @@ -4965,6 +3541,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D453BA341C8E797A00E4D91F /* libDER.a in Frameworks */, EBE901991C2284EE007308C6 /* AggregateDictionary.framework in Frameworks */, EBF2D73C1C1E2B47006AB6FF /* Foundation.framework in Frameworks */, 5E43C49F1B00D63100E5ECB2 /* libutilities.a in Frameworks */, @@ -4995,20 +3572,11 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 72979BDF175D095900BE8FD6 /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 72979BF2175D0D4F00BE8FD6 /* IOKit.framework in Frameworks */, - 72979BF1175D0B5900BE8FD6 /* Security.framework in Frameworks */, - 72979BE3175D095900BE8FD6 /* Foundation.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; 790851B40CA9859F0083CC4D /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D453BA551C8E799100E4D91F /* libDER.a in Frameworks */, EBE54D761BE32F6F000C4856 /* AggregateDictionary.framework in Frameworks */, 438168941B4ED42300C54D58 /* CoreFoundation.framework in Frameworks */, E7D690A21652E0870079537A /* libMobileGestalt.dylib in Frameworks */, 
@@ -5041,22 +3609,11 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 79DCEA51134A27D2007F57DC /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 438168C11B4ED42F00C54D58 /* CoreFoundation.framework in Frameworks */, - 79DCEA87134A2A1B007F57DC /* libDER.a in Frameworks */, - 7930B058134A2D97007062F8 /* libsqlite3.dylib in Frameworks */, - 79C0C675134A6E2D00A51BCB /* IOKit.framework in Frameworks */, - 79C0C6BC134A96C100A51BCB /* CFNetwork.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; BE197F2319116FD100BA91D1 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D4AA9D121C3B1B1900A5640C /* Security.framework in Frameworks */, BE2D511D1917739F0093C265 /* libutilities.a in Frameworks */, BEF8AFF819176B1400F80109 /* libSWCAgent.a in Frameworks */, BEF8AFF719176B0C00F80109 /* libsecurityd.a in Frameworks */, @@ -5079,6 +3636,7 @@ BE25C41618B83491003320E0 /* Foundation.framework in Frameworks */, BE442BB718B7FDB800F24DAE /* IOKit.framework in Frameworks */, 438168C61B4ED43F00C54D58 /* CoreFoundation.framework in Frameworks */, + D4B858671D370D9A003B2D95 /* MobileCoreServices.framework in Frameworks */, BE442BB818B7FDB800F24DAE /* libsqlite3.dylib in Frameworks */, BE442BB918B7FDB800F24DAE /* libbsm.dylib in Frameworks */, ); @@ -5091,7 +3649,6 @@ CD0637551A84060600C81E74 /* Security.framework in Frameworks */, CD0637571A84068F00C81E74 /* IDS.framework in Frameworks */, CD045E471A83F8C7005FA0AC /* libutilities.a in Frameworks */, - CD045E461A83F8C0005FA0AC /* libIDSKeychainSyncingProxy.a in Frameworks */, CD0637561A84065F00C81E74 /* IOKit.framework in Frameworks */, CD276C281A83F60C003226BC /* Foundation.framework in Frameworks */, ); 
@@ -5101,14 +3658,15 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D40771E91C9B518F0016AA66 /* libSharedRegressions.a in Frameworks */, EBE9019B1C2285D4007308C6 /* AggregateDictionary.framework in Frameworks */, E7A011AE14E1B78800765C29 /* Foundation.framework in Frameworks */, E7D690921652E06A0079537A /* libMobileGestalt.dylib in Frameworks */, 0CCA418815C89FC4002AEC4C /* libsecurity_ssl_regressions.a in Frameworks */, 18F7F67514D77EF400F88A12 /* libsecurityd.a in Frameworks */, 4C2FEC66157588770008BE39 /* libSecureObjectSync.a in Frameworks */, - 0CC827F51387137900BD99B7 /* libASN1.a in Frameworks */, - B9499C24139DC391004F4EDE /* libDER.a in Frameworks */, + E75C27721C98D41400F7E12A /* libDER.a in Frameworks */, + E75C27731C98D41C00F7E12A /* libASN1.a in Frameworks */, 4C2FEC5A15755E2A0008BE39 /* libutilities.a in Frameworks */, 0CC82948138716F400BD99B7 /* libregressions.a in Frameworks */, 438168BF1B4ED42C00C54D58 /* CoreFoundation.framework in Frameworks */, 
@@ -5152,19 +3710,60 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - EB0BC8101C3C064400785842 /* Frameworks */ = { + E7D847C11C6BE9710025BB44 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + E7D8489F1C6C244B0025BB44 /* Foundation.framework in Frameworks */, + E7650E6F1C7699DA00378669 /* Security.framework in Frameworks */, + E7531F7B1D0887E300DAB140 /* libutilities.a in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + E7D847CB1C6BE9720025BB44 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + EB2CA4DA1D2C28F100AB770F /* libaks_acl.a in Frameworks */, + E7DC73B71C890F0E0008BF73 /* KeychainCircle.framework in Frameworks */, + E7D848561C6C1E830025BB44 /* Foundation.framework in Frameworks */, + E7F482E61C7640D300390FDB /* IOKit.framework in Frameworks */, + E7F4829D1C75413C00390FDB /* libsecurity.a in Frameworks */, + E7F482E71C7641AA00390FDB /* libsecurityd.a in Frameworks */, + E7F4829A1C75406900390FDB /* libSecureObjectSync.a in Frameworks */, + E7F4829C1C7540B200390FDB /* libutilities.a in Frameworks */, + E7E0C73A1C90EDED00E69A21 /* libDER.a in Frameworks */, + E7E0C73B1C90EDF500E69A21 /* libASN1.a in Frameworks */, + E7F482A11C7543E500390FDB /* libsqlite3.dylib in Frameworks */, + E7F482A41C75450600390FDB /* libsecipc_client.a in Frameworks */, + E7F482A31C7544E600390FDB /* libctkclient_test.a in Frameworks */, + E7F482A61C75453900390FDB /* libcoreauthd_test_client.a in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + EB0BC9391C3C791500785842 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - EB0BC8111C3C064400785842 /* Foundation.framework in Frameworks */, + EB0BC93A1C3C791500785842 /* Foundation.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; - EB9B37A81C64705F0027E2F9 /* Frameworks */ = { + EB425CA11C65846D000ECE53 /* Frameworks */ = { isa = 
PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - EB9B37A91C64705F0027E2F9 /* Foundation.framework in Frameworks */, + EB425CDE1C658668000ECE53 /* Security.framework in Frameworks */, + EB425CA21C65846D000ECE53 /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + EB433A231CC3243600A7EACE /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + EB433A2A1CC3246800A7EACE /* Security.framework in Frameworks */, + EB433A241CC3243600A7EACE /* Foundation.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -5176,6 +3775,24 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + EBA9AA801CE30E58004E2B68 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + EBA9AA811CE30E58004E2B68 /* Security.framework in Frameworks */, + EBA9AA821CE30E58004E2B68 /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + EBCF73F61CE45F9C00BED7CA /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + EBCF73F71CE45F9C00BED7CA /* Security.framework in Frameworks */, + EBCF73F81CE45F9C00BED7CA /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; /* End PBXFrameworksBuildPhase section */ /* Begin PBXGroup section */ 
@@ -5187,20 +3804,18 @@ 051D8FDB194913E700AEF66A /* Security.framework */, 051D8FDD194913E700AEF66A /* secd */, 051D8FDF194913E700AEF66A /* secdtests */, + D42FA8701C9B9081003E46A7 /* SecurityTestsOSX.app */, 051D8FE1194913E700AEF66A /* sectests */, 051D8FE3194913E700AEF66A /* authd.xpc */, - CD8B5AE51B618F1B004D4AEF /* trustd.xpc */, CD8B5AE71B618F1B004D4AEF /* trustd */, - 051D8FE5194913E700AEF66A /* CloudKeychainProxy.bundle */, - CD19A67E1A806B1D00F9C276 /* IDSKeychainSyncingProxy.bundle */, 051D8FE7194913E700AEF66A /* security2 */, 051D8FE9194913E700AEF66A /* Cloud Keychain Utility.app */, 051D8FEB194913E700AEF66A /* Keychain Circle Notification.app */, - 051D8FED194913E700AEF66A /* cloud_keychain_diagnose */, E7098DB31A3A53E000CBD4B3 /* codesign_tests */, E717A1481A7880440021E134 /* gk_reset_check */, 3792618F1A8987DB008ADD3C /* SecTaskTest */, 5EF7C2731B00EEF900E5E99C /* secacltests */, + EBB697131BE20C7600715F16 /* secbackupntest */, ); name = Products; sourceTree = "<group>"; @@ -5239,6 +3854,16 @@ name = Products; sourceTree = "<group>"; }; + 0C2BCBA41D063F7D00ED7A2F /* dtlsEcho */ = { + isa = PBXGroup; + children = ( + 0C2BCBA51D063F7D00ED7A2F /* dtlsEchoClient.c */, + 0C2BCBA61D063F7D00ED7A2F /* dtlsEchoServer.c */, + 0C2BCBA71D063F7D00ED7A2F /* README */, + ); + path = dtlsEcho; + sourceTree = "<group>"; + }; 0C3145531496B02100427C0B /* security_ssl */ = { isa = PBXGroup; children = ( @@ -5250,14 +3875,6 @@ name = security_ssl; sourceTree = "<group>"; }; - 0C59B54417677A9900617746 /* asl */ = { - isa = PBXGroup; - children = ( - 0C59B54517677A9900617746 /* com.apple.securityd */, - ); - path = asl; - sourceTree = "<group>"; - }; 0C5D2EDC167FEA880077501D /* security_asn1 */ = { isa = PBXGroup; children = ( 
@@ -5291,29 +3908,6 @@ name = Products; sourceTree = "<group>"; }; - 0CC122B619C8AA4500D23178 /* shared_regressions */ = { - isa = PBXGroup; - children = ( - 0CC122B719C8AA4500D23178 /* shared_regressions.h */, - 0CBD090E1A1D31D400795EE5 /* si-82-seccertificate-ct.c */, - 0CC122B819C8AA4500D23178 /* si-82-sectrust-ct.c */, - 0CF372C11AA7E55300C58DDB /* si-82-sectrust-ct-certs.h */, - 0C38B9331AA8331B00F0F2EA /* si-82-sectrust-ct-logs.plist */, - ); - name = shared_regressions; - path = OSX/shared_regressions; - sourceTree = "<group>"; - }; - 0CF55E5614DB47DE003AD8F2 /* Products */ = { - isa = PBXGroup; - children = ( - 0CF55E6014DB47DF003AD8F2 /* tlsnke.kext */, - 0CF55E6214DB47DF003AD8F2 /* tlsnketest */, - 0C62D60814E0588700A97963 /* libtlssocket.a */, - ); - name = Products; - sourceTree = "<group>"; - }; 107226CF0D91DB32003CF14F /* sectask */ = { isa = PBXGroup; children = ( 
@@ -5334,18 +3928,17 @@ CD8B5AEC1B618F1B004D4AEF /* libSecTrustOSX.a */, 18F7F66914D77DF700F88A12 /* libsecipc_client.a */, 4C60888B155C943D00A0904F /* libSecureObjectSync.a */, - 4C60888D155C943D00A0904F /* libSOSRegressions.a */, - E79D9CD5159BEA78000834EC /* libSecurityRegressions.a */, - 4CC92B1A15A3BF1E00C6D578 /* libsecuritydRegressions.a */, E777C71515B63C0B004044A8 /* libSecOtrOSX.a */, - 52849FAE164462E7005CDF23 /* libCloudKeychainProxy.a */, - CDCDA31B1A803648005CF7C9 /* libIDSKeychainSyncingProxy.a */, E7104A06169E038F00DB0045 /* libSecurityTool.a */, E7104A23169E21C000DB0045 /* libSecurityCommands.a */, E7FEFB8F169E36B000E18152 /* libSOSCommands.a */, - 0C0BDB821756A1D700BC1A7E /* libsecdRegressions.a */, BE442B9B18B7FD6700F24DAE /* libSWCAgent.a */, E76079DB1951FDBF00F69731 /* liblogging.a */, + 4C60888D155C943D00A0904F /* libSOSRegressions.a */, + E79D9CD5159BEA78000834EC /* libSecurityRegressions.a */, + 4CC92B1A15A3BF1E00C6D578 /* libsecuritydRegressions.a */, + 0C0BDB821756A1D700BC1A7E /* libsecdRegressions.a */, + D40771E21C9B51830016AA66 /* libSharedRegressions.a */, ); name = Products; sourceTree = "<group>"; @@ -5360,11 +3953,19 @@ path = SOSCCAuthPlugin; sourceTree = "<group>"; }; - 4C198F1A0ACDB4BF00AAB142 /* resources */ = { + 4814D86C1CAA064F002FFC36 /* os_log */ = { isa = PBXGroup; children = ( - 0CC8F2491A9E92E000447EB7 /* TrustedLogs.plist */, - 53C0E1F1177FAC2C00F8A018 /* CloudKeychain.strings */, + 4863262F1CAA0BE900A466D9 /* com.apple.securityd.plist */, + 48284A041D1DB06E00C76CB7 /* README_os_log_prefs.txt */, + ); + name = os_log; + sourceTree = "<group>"; + }; + 4C198F1A0ACDB4BF00AAB142 /* resources */ = { + isa = PBXGroup; + children = ( + 53C0E1F1177FAC2C00F8A018 /* CloudKeychain.strings */, BE4AC9B818B8273600B84964 /* SharedWebCredentials.strings */, 4C198F1D0ACDB4BF00AAB142 /* Certificate.strings */, 4C198F1F0ACDB4BF00AAB142 /* OID.strings */, 
@@ -5387,7 +3988,6 @@ 05EF68A919491453007958C3 /* SecurityTool.xcodeproj */, 05EF687F1949143A007958C3 /* securityd.xcodeproj */, 051D8F82194913E500AEF66A /* OSX.xcodeproj */, - 0CF55E5514DB47DE003AD8F2 /* tlsnke.xcodeproj */, 0C25A871122726540050C2BD /* regressions.xcodeproj */, 4C8786A10B03E05D00BB77D4 /* libDER.xcodeproj */, 795CA97A0D38269B00BAE6A2 /* libsecurity_asn1.xcodeproj */, 
@@ -5395,35 +3995,35 @@ 18F7F65814D77DF700F88A12 /* sec.xcodeproj */, 0C95403F14E473AA00077526 /* libsecurity_ssl.xcodeproj */, 4C2FEC4915755D700008BE39 /* utilities.xcodeproj */, - 0C59B54417677A9900617746 /* asl */, + 4814D86C1CAA064F002FFC36 /* os_log */, 4C999BA00AB5F0BB0010451D /* ntlm */, 107226CF0D91DB32003CF14F /* sectask */, 7908507E0CA87CF00083CC4D /* ipc */, 4C198F1A0ACDB4BF00AAB142 /* resources */, - 0CC122B619C8AA4500D23178 /* shared_regressions */, 4CE5A55609C7970A00D27A3F /* sslViewer */, + 0C2BCBA41D063F7D00ED7A2F /* dtlsEcho */, 4CB740FA0A47580400D641BB /* SecurityTool */, BE4AC9AF18B7FFFA00B84964 /* SharedWebCredentialAgent */, F93C49391AB8FF530047E01A /* ckcdiagnose */, - 72979BD1175D08C700BE8FD6 /* CloudKeychainDiagnoseTool */, - 4C86273C1137BEF8009EAB5A /* AspenFamily.xcconfig */, E710C74A1331946500F85568 /* SecurityTests */, - 79DCEA56134A27D2007F57DC /* codesign_wrapper */, 52DE816E1636347500F49F0C /* Keychain */, - 52D82BE016A621F70078DFE5 /* CloudKeychainProxy */, + E7A5F4D71C0D01B000F3BEBB /* SOSCloudKeychainConstants.c */, CD3F91411A802E1100E07119 /* IDSKeychainSyncingProxy */, + E7A5F4D11C0CFF4E00F3BEBB /* KVSKeychainSyncingProxy */, E7450BB216D42BD4009C07B8 /* Security.framework headers */, + E7D847C61C6BE9710025BB44 /* KeychainCircle.framework */, 728B56A316D59979008FA3AB /* OTAPKIAssetTool */, 4C52D0B616EFC61E0079966E /* CircleJoinRequested */, 5346480317331E1200FE9172 /* KeychainSyncAccountNotification */, 0C0BDB30175685B000BC1A7E /* secdtests */, - 72979BE4175D095900BE8FD6 /* cloud_keychain_diagnose */, - 721680C5179B514700406BB4 /* iCloudStat */, BE197F2719116FD100BA91D1 /* SharedWebCredentialViewService */, 5E10992719A5E55800A60E2B /* ISACLProtectedItems */, 5EBE247B1B00CCAE0007DB0E /* secacltests */, 4381690E1B4EDCBD00C54D58 /* SOSCCAuthPlugin */, + EBDED8891C21074500E5ECDB /* SecurityFeatures */, EB9C1DAA1BDFD0FE00F89272 /* RegressionTests */, + EB2CA5311D2C30CD00AB770F /* xcconfig */, + EB80211C1D3D9044008540C4 /* Modules */, 
E7FCBE401314471B000DE34E /* Frameworks */, 4C35DC36094F9120002917C4 /* Products */, 4C8BC620097DBC1B00C781D5 /* Libraries */, @@ -5432,7 +4032,6 @@ 4C4CE9120AF81F0E0056B01D /* README */, 4CAB97FD1114CC5300EFB38D /* README.keychain */, 4C4CE9070AF81ED80056B01D /* TODO */, - 4C4CE90D0AF81EF80056B01D /* WHITEPAPER */, ); sourceTree = "<group>"; }; @@ -5446,7 +4045,6 @@ 4CE5A54D09C796E200D27A3F /* sslViewer */, 4C9DE9D21181AC4800CF5C27 /* sslEcdsa */, E710C7421331946400F85568 /* SecurityTests.app */, - 79DCEA54134A27D2007F57DC /* codesign_wrapper */, 4C711D7613AFCD0900FE865D /* SecurityDevTests.app */, 52DE81691636347500F49F0C /* Keychain.app */, E7B01BF2166594AB000485F1 /* SyncDevTest2.app */, @@ -5455,7 +4053,6 @@ 4C52D0B416EFC61E0079966E /* CircleJoinRequested */, 5346480117331E1200FE9172 /* KeychainSyncAccountNotification.bundle */, 0C0BDB2F175685B000BC1A7E /* secdtests */, - 72979BE2175D095900BE8FD6 /* cloud_keychain_diagnose */, BE442BC118B7FDB800F24DAE /* swcagent */, BE197F2619116FD100BA91D1 /* SharedWebCredentialViewService.app */, 5E10992519A5E55800A60E2B /* ISACLProtectedItems.bundle */, @@ -5463,8 +4060,15 @@ 5EBE247A1B00CCAE0007DB0E /* secacltests */, 4381690C1B4EDCBD00C54D58 /* SOSCCAuthPlugin.bundle */, EB9C1D7A1BDFD0E000F89272 /* secbackupntest */, - EB0BC8151C3C064400785842 /* secedumodetest */, - EB9B37AD1C64705F0027E2F9 /* secbackuptest */, + EB0BC93E1C3C791500785842 /* secedumodetest */, + EB425CA61C65846D000ECE53 /* secbackuptest */, + E7D847C51C6BE9710025BB44 /* KeychainCircle.framework */, + E7D847CE1C6BE9720025BB44 /* KeychainCircleTests.xctest */, + EB433A281CC3243600A7EACE /* secitemstresstest */, + EBA9AA861CE30E58004E2B68 /* secitemnotifications */, + EBCF73FC1CE45F9C00BED7CA /* secitemfunctionality */, + 0C2BCBB91D06401F00ED7A2F /* dtlsEchoClient */, + 0C2BCBCE1D0648D100ED7A2F /* dtlsEchoServer */, ); name = Products; sourceTree = "<group>"; 
@@ -5522,379 +4126,11 @@ 4C52D0B716EFC61E0079966E /* Supporting Files */ = { isa = PBXGroup; children = ( - 4C52D0B816EFC61E0079966E /* AspenFamily.xcconfig */, CDB9FCA9179CC757000AAD66 /* Info.plist */, ); name = "Supporting Files"; sourceTree = "<group>"; }; - 4C7540BA13D51D63008048AC /* nist-certs */ = { - isa = PBXGroup; - children = ( - E7A94C9713D8A0DF001C5FEE /* Expectations.plist */, - 4C7540BB13D51D63008048AC /* AllCertificatesNoPoliciesTest2EE.crt */, - 4C7540BC13D51D63008048AC /* AllCertificatesSamePoliciesTest10EE.crt */, - 4C7540BD13D51D63008048AC /* AllCertificatesSamePoliciesTest13EE.crt */, - 4C7540BE13D51D63008048AC /* AllCertificatesanyPolicyTest11EE.crt */, - 4C7540BF13D51D63008048AC /* AnyPolicyTest14EE.crt */, - 4C7540C013D51D63008048AC /* BadCRLIssuerNameCACert.crt */, - 4C7540C113D51D63008048AC /* BadCRLSignatureCACert.crt */, - 4C7540C213D51D63008048AC /* BadSignedCACert.crt */, - 4C7540C313D51D63008048AC /* BadnotAfterDateCACert.crt */, - 4C7540C413D51D63008048AC /* BadnotBeforeDateCACert.crt */, - 4C7540C513D51D63008048AC /* BasicSelfIssuedCRLSigningKeyCACert.crt */, - 4C7540C613D51D63008048AC /* BasicSelfIssuedNewKeyCACert.crt */, - 4C7540C713D51D63008048AC /* BasicSelfIssuedNewKeyOldWithNewCACert.crt */, - 4C7540C813D51D63008048AC /* BasicSelfIssuedOldKeyCACert.crt */, - 4C7540C913D51D63008048AC /* BasicSelfIssuedOldKeyNewWithOldCACert.crt */, - 4C7540CA13D51D63008048AC /* CPSPointerQualifierTest20EE.crt */, - 4C7540CB13D51D63008048AC /* DSACACert.crt */, - 4C7540CC13D51D63008048AC /* DSAParametersInheritedCACert.crt */, - 4C7540CD13D51D63008048AC /* DifferentPoliciesTest12EE.crt */, - 4C7540CE13D51D63008048AC /* DifferentPoliciesTest3EE.crt */, - 4C7540CF13D51D63008048AC /* DifferentPoliciesTest4EE.crt */, - 4C7540D013D51D63008048AC /* DifferentPoliciesTest5EE.crt */, - 4C7540D113D51D63008048AC /* DifferentPoliciesTest7EE.crt */, - 4C7540D213D51D63008048AC /* DifferentPoliciesTest8EE.crt */, - 4C7540D313D51D63008048AC /* 
DifferentPoliciesTest9EE.crt */, - 4C7540D413D51D63008048AC /* GeneralizedTimeCRLnextUpdateCACert.crt */, - 4C7540D513D51D63008048AC /* GoodCACert.crt */, - 4C7540D613D51D63008048AC /* GoodsubCACert.crt */, - 4C7540D713D51D63008048AC /* GoodsubCAPanyPolicyMapping1to2CACert.crt */, - 4C7540D813D51D63008048AC /* InvalidBasicSelfIssuedNewWithOldTest5EE.crt */, - 4C7540D913D51D63008048AC /* InvalidBasicSelfIssuedOldWithNewTest2EE.crt */, - 4C7540DA13D51D63008048AC /* InvalidCASignatureTest2EE.crt */, - 4C7540DB13D51D63008048AC /* InvalidCAnotAfterDateTest5EE.crt */, - 4C7540DC13D51D63008048AC /* InvalidCAnotBeforeDateTest1EE.crt */, - 4C7540DD13D51D63008048AC /* InvalidDNSnameConstraintsTest31EE.crt */, - 4C7540DE13D51D63008048AC /* InvalidDNSnameConstraintsTest33EE.crt */, - 4C7540DF13D51D63008048AC /* InvalidDNSnameConstraintsTest38EE.crt */, - 4C7540E013D51D63008048AC /* InvalidDNandRFC822nameConstraintsTest28EE.crt */, - 4C7540E113D51D63008048AC /* InvalidDNandRFC822nameConstraintsTest29EE.crt */, - 4C7540E213D51D63008048AC /* InvalidDNnameConstraintsTest10EE.crt */, - 4C7540E313D51D63008048AC /* InvalidDNnameConstraintsTest12EE.crt */, - 4C7540E413D51D63008048AC /* InvalidDNnameConstraintsTest13EE.crt */, - 4C7540E513D51D63008048AC /* InvalidDNnameConstraintsTest15EE.crt */, - 4C7540E613D51D63008048AC /* InvalidDNnameConstraintsTest16EE.crt */, - 4C7540E713D51D63008048AC /* InvalidDNnameConstraintsTest17EE.crt */, - 4C7540E813D51D63008048AC /* InvalidDNnameConstraintsTest20EE.crt */, - 4C7540E913D51D63008048AC /* InvalidDNnameConstraintsTest2EE.crt */, - 4C7540EA13D51D63008048AC /* InvalidDNnameConstraintsTest3EE.crt */, - 4C7540EB13D51D63008048AC /* InvalidDNnameConstraintsTest7EE.crt */, - 4C7540EC13D51D63008048AC /* InvalidDNnameConstraintsTest8EE.crt */, - 4C7540ED13D51D63008048AC /* InvalidDNnameConstraintsTest9EE.crt */, - 4C7540EE13D51D63008048AC /* InvalidDSASignatureTest6EE.crt */, - 4C7540EF13D51D63008048AC /* InvalidEESignatureTest3EE.crt */, - 
4C7540F013D51D63008048AC /* InvalidEEnotAfterDateTest6EE.crt */, - 4C7540F113D51D63008048AC /* InvalidEEnotBeforeDateTest2EE.crt */, - 4C7540F213D51D63008048AC /* InvalidLongSerialNumberTest18EE.crt */, - 4C7540F313D51D63008048AC /* InvalidMappingFromanyPolicyTest7EE.crt */, - 4C7540F413D51D63008048AC /* InvalidMappingToanyPolicyTest8EE.crt */, - 4C7540F513D51D63008048AC /* InvalidMissingbasicConstraintsTest1EE.crt */, - 4C7540F613D51D63008048AC /* InvalidNameChainingOrderTest2EE.crt */, - 4C7540F713D51D63008048AC /* InvalidNameChainingTest1EE.crt */, - 4C7540F813D51D63008048AC /* InvalidNegativeSerialNumberTest15EE.crt */, - 4C7540F913D51D63008048AC /* InvalidPolicyMappingTest10EE.crt */, - 4C7540FA13D51D63008048AC /* InvalidPolicyMappingTest2EE.crt */, - 4C7540FB13D51D63008048AC /* InvalidPolicyMappingTest4EE.crt */, - 4C7540FC13D51D63008048AC /* InvalidRFC822nameConstraintsTest22EE.crt */, - 4C7540FD13D51D63008048AC /* InvalidRFC822nameConstraintsTest24EE.crt */, - 4C7540FE13D51D63008048AC /* InvalidRFC822nameConstraintsTest26EE.crt */, - 4C7540FF13D51D63008048AC /* InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt */, - 4C75410013D51D63008048AC /* InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt */, - 4C75410113D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt */, - 4C75410213D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt */, - 4C75410313D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt */, - 4C75410413D51D63008048AC /* InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt */, - 4C75410513D51D63008048AC /* InvalidSelfIssuedpathLenConstraintTest16EE.crt */, - 4C75410613D51D63008048AC /* InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt */, - 4C75410713D51D63008048AC /* InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt */, - 4C75410813D51D63008048AC /* InvalidURInameConstraintsTest35EE.crt */, - 4C75410913D51D63008048AC /* InvalidURInameConstraintsTest37EE.crt */, - 4C75410A13D51D63008048AC /* 
InvalidUnknownCriticalCertificateExtensionTest2EE.crt */, - 4C75410B13D51D63008048AC /* InvalidcAFalseTest2EE.crt */, - 4C75410C13D51D63008048AC /* InvalidcAFalseTest3EE.crt */, - 4C75410D13D51D63008048AC /* InvalidcRLIssuerTest27EE.crt */, - 4C75410E13D51D63008048AC /* InvalidcRLIssuerTest31EE.crt */, - 4C75410F13D51D63008048AC /* InvalidcRLIssuerTest32EE.crt */, - 4C75411013D51D63008048AC /* InvalidcRLIssuerTest34EE.crt */, - 4C75411113D51D63008048AC /* InvalidcRLIssuerTest35EE.crt */, - 4C75411213D51D63008048AC /* InvalidinhibitAnyPolicyTest1EE.crt */, - 4C75411313D51D63008048AC /* InvalidinhibitAnyPolicyTest4EE.crt */, - 4C75411413D51D63008048AC /* InvalidinhibitAnyPolicyTest5EE.crt */, - 4C75411513D51D63008048AC /* InvalidinhibitAnyPolicyTest6EE.crt */, - 4C75411613D51D63008048AC /* InvalidinhibitPolicyMappingTest1EE.crt */, - 4C75411713D51D63008048AC /* InvalidinhibitPolicyMappingTest3EE.crt */, - 4C75411813D51D63008048AC /* InvalidinhibitPolicyMappingTest5EE.crt */, - 4C75411913D51D63008048AC /* InvalidinhibitPolicyMappingTest6EE.crt */, - 4C75411A13D51D63008048AC /* InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt */, - 4C75411B13D51D63008048AC /* InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt */, - 4C75411C13D51D63008048AC /* InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt */, - 4C75411D13D51D63008048AC /* InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt */, - 4C75411E13D51D63008048AC /* InvalidonlyContainsAttributeCertsTest14EE.crt */, - 4C75411F13D51D63008048AC /* InvalidonlyContainsCACertsTest12EE.crt */, - 4C75412013D51D63008048AC /* InvalidonlyContainsUserCertsTest11EE.crt */, - 4C75412113D51D63008048AC /* InvalidonlySomeReasonsTest15EE.crt */, - 4C75412213D51D63008048AC /* InvalidonlySomeReasonsTest16EE.crt */, - 4C75412313D51D63008048AC /* InvalidonlySomeReasonsTest17EE.crt */, - 4C75412413D51D63008048AC /* InvalidonlySomeReasonsTest20EE.crt */, - 4C75412513D51D63008048AC /* InvalidonlySomeReasonsTest21EE.crt */, - 4C75412613D51D63008048AC 
/* InvalidpathLenConstraintTest10EE.crt */, - 4C75412713D51D63008048AC /* InvalidpathLenConstraintTest11EE.crt */, - 4C75412813D51D63008048AC /* InvalidpathLenConstraintTest12EE.crt */, - 4C75412913D51D63008048AC /* InvalidpathLenConstraintTest5EE.crt */, - 4C75412A13D51D63008048AC /* InvalidpathLenConstraintTest6EE.crt */, - 4C75412B13D51D63008048AC /* InvalidpathLenConstraintTest9EE.crt */, - 4C75412C13D51D63008048AC /* Invalidpre2000UTCEEnotAfterDateTest7EE.crt */, - 4C75412D13D51D63008048AC /* InvalidrequireExplicitPolicyTest3EE.crt */, - 4C75412E13D51D63008048AC /* InvalidrequireExplicitPolicyTest5EE.crt */, - 4C75412F13D51D63008048AC /* LongSerialNumberCACert.crt */, - 4C75413013D51D63008048AC /* Mapping1to2CACert.crt */, - 4C75413113D51D63008048AC /* MappingFromanyPolicyCACert.crt */, - 4C75413213D51D63008048AC /* MappingToanyPolicyCACert.crt */, - 4C75413313D51D63008048AC /* MissingbasicConstraintsCACert.crt */, - 4C75413413D51D63008048AC /* NameOrderingCACert.crt */, - 4C75413513D51D63008048AC /* NegativeSerialNumberCACert.crt */, - 4C75413613D51D63008048AC /* NoCRLCACert.crt */, - 4C75413713D51D63008048AC /* NoPoliciesCACert.crt */, - 4C75413813D51D63008048AC /* NoissuingDistributionPointCACert.crt */, - 4C75413913D51D63008048AC /* OldCRLnextUpdateCACert.crt */, - 4C75413A13D51D63008048AC /* OverlappingPoliciesTest6EE.crt */, - 4C75413B13D51D63008048AC /* P12Mapping1to3CACert.crt */, - 4C75413C13D51D63008048AC /* P12Mapping1to3subCACert.crt */, - 4C75413D13D51D63008048AC /* P12Mapping1to3subsubCACert.crt */, - 4C75413E13D51D63008048AC /* P1Mapping1to234CACert.crt */, - 4C75413F13D51D63008048AC /* P1Mapping1to234subCACert.crt */, - 4C75414013D51D63008048AC /* P1anyPolicyMapping1to2CACert.crt */, - 4C75414113D51D63008048AC /* PanyPolicyMapping1to2CACert.crt */, - 4C75414213D51D63008048AC /* PoliciesP1234CACert.crt */, - 4C75414313D51D63008048AC /* PoliciesP1234subCAP123Cert.crt */, - 4C75414413D51D63008048AC /* PoliciesP1234subsubCAP123P12Cert.crt */, - 
4C75414513D51D63008048AC /* PoliciesP123CACert.crt */,
- 4C75414613D51D63008048AC /* PoliciesP123subCAP12Cert.crt */,
- 4C75414713D51D63008048AC /* PoliciesP123subsubCAP12P1Cert.crt */,
- 4C75414813D51D63008048AC /* PoliciesP123subsubCAP12P2Cert.crt */,
- 4C75414913D51D63008048AC /* PoliciesP123subsubsubCAP12P2P1Cert.crt */,
- 4C75414A13D51D63008048AC /* PoliciesP12CACert.crt */,
- 4C75414B13D51D63008048AC /* PoliciesP12subCAP1Cert.crt */,
- 4C75414C13D51D63008048AC /* PoliciesP12subsubCAP1P2Cert.crt */,
- 4C75414D13D51D63008048AC /* PoliciesP2subCA2Cert.crt */,
- 4C75414E13D51D63008048AC /* PoliciesP2subCACert.crt */,
- 4C75414F13D51D63008048AC /* PoliciesP3CACert.crt */,
- 4C75415013D51D63008048AC /* RFC3280MandatoryAttributeTypesCACert.crt */,
- 4C75415113D51D63008048AC /* RFC3280OptionalAttributeTypesCACert.crt */,
- 4C75415213D51D63008048AC /* RevokedsubCACert.crt */,
- 4C75415313D51D63008048AC /* RolloverfromPrintableStringtoUTF8StringCACert.crt */,
- 4C75415413D51D63008048AC /* SeparateCertificateandCRLKeysCA2CRLSigningCert.crt */,
- 4C75415513D51D63008048AC /* SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt */,
- 4C75415613D51D63008048AC /* SeparateCertificateandCRLKeysCertificateSigningCACert.crt */,
- 4C75415713D51D63008048AC /* TrustAnchorRootCertificate.crt */,
- 4C75415813D51D63008048AC /* TwoCRLsCACert.crt */,
- 4C75415913D51D63008048AC /* UIDCACert.crt */,
- 4C75415A13D51D63008048AC /* UTF8StringCaseInsensitiveMatchCACert.crt */,
- 4C75415B13D51D63008048AC /* UTF8StringEncodedNamesCACert.crt */,
- 4C75415C13D51D63008048AC /* UnknownCRLEntryExtensionCACert.crt */,
- 4C75415D13D51D63008048AC /* UnknownCRLExtensionCACert.crt */,
- 4C75415E13D51D63008048AC /* UserNoticeQualifierTest15EE.crt */,
- 4C75415F13D51D63008048AC /* UserNoticeQualifierTest16EE.crt */,
- 4C75416013D51D63008048AC /* UserNoticeQualifierTest17EE.crt */,
- 4C75416113D51D63008048AC /* UserNoticeQualifierTest18EE.crt */,
- 4C75416213D51D63008048AC /* UserNoticeQualifierTest19EE.crt */,
- 4C75416313D51D63008048AC /* ValidBasicSelfIssuedNewWithOldTest3EE.crt */,
- 4C75416413D51D63008048AC /* ValidBasicSelfIssuedNewWithOldTest4EE.crt */,
- 4C75416513D51D63008048AC /* ValidBasicSelfIssuedOldWithNewTest1EE.crt */,
- 4C75416613D51D63008048AC /* ValidCertificatePathTest1EE.crt */,
- 4C75416713D51D63008048AC /* ValidDNSnameConstraintsTest30EE.crt */,
- 4C75416813D51D63008048AC /* ValidDNSnameConstraintsTest32EE.crt */,
- 4C75416913D51D63008048AC /* ValidDNandRFC822nameConstraintsTest27EE.crt */,
- 4C75416A13D51D63008048AC /* ValidDNnameConstraintsTest11EE.crt */,
- 4C75416B13D51D63008048AC /* ValidDNnameConstraintsTest14EE.crt */,
- 4C75416C13D51D63008048AC /* ValidDNnameConstraintsTest18EE.crt */,
- 4C75416D13D51D63008048AC /* ValidDNnameConstraintsTest19EE.crt */,
- 4C75416E13D51D63008048AC /* ValidDNnameConstraintsTest1EE.crt */,
- 4C75416F13D51D63008048AC /* ValidDNnameConstraintsTest4EE.crt */,
- 4C75417013D51D63008048AC /* ValidDNnameConstraintsTest5EE.crt */,
- 4C75417113D51D63008048AC /* ValidDNnameConstraintsTest6EE.crt */,
- 4C75417213D51D63008048AC /* ValidDSAParameterInheritanceTest5EE.crt */,
- 4C75417313D51D63008048AC /* ValidDSASignaturesTest4EE.crt */,
- 4C75417413D51D63008048AC /* ValidGeneralizedTimenotAfterDateTest8EE.crt */,
- 4C75417513D51D63008048AC /* ValidGeneralizedTimenotBeforeDateTest4EE.crt */,
- 4C75417613D51D63008048AC /* ValidLongSerialNumberTest16EE.crt */,
- 4C75417713D51D63008048AC /* ValidLongSerialNumberTest17EE.crt */,
- 4C75417813D51D63008048AC /* ValidNameChainingCapitalizationTest5EE.crt */,
- 4C75417913D51D63008048AC /* ValidNameChainingWhitespaceTest3EE.crt */,
- 4C75417A13D51D63008048AC /* ValidNameChainingWhitespaceTest4EE.crt */,
- 4C75417B13D51D63008048AC /* ValidNameUIDsTest6EE.crt */,
- 4C75417C13D51D63008048AC /* ValidNegativeSerialNumberTest14EE.crt */,
- 4C75417D13D51D63008048AC /* ValidPolicyMappingTest11EE.crt */,
- 4C75417E13D51D63008048AC /* ValidPolicyMappingTest12EE.crt */,
- 4C75417F13D51D63008048AC /* ValidPolicyMappingTest13EE.crt */,
- 4C75418013D51D63008048AC /* ValidPolicyMappingTest14EE.crt */,
- 4C75418113D51D63008048AC /* ValidPolicyMappingTest1EE.crt */,
- 4C75418213D51D63008048AC /* ValidPolicyMappingTest3EE.crt */,
- 4C75418313D51D63008048AC /* ValidPolicyMappingTest5EE.crt */,
- 4C75418413D51D63008048AC /* ValidPolicyMappingTest6EE.crt */,
- 4C75418513D51D63008048AC /* ValidPolicyMappingTest9EE.crt */,
- 4C75418613D51D63008048AC /* ValidRFC3280MandatoryAttributeTypesTest7EE.crt */,
- 4C75418713D51D63008048AC /* ValidRFC3280OptionalAttributeTypesTest8EE.crt */,
- 4C75418813D51D63008048AC /* ValidRFC822nameConstraintsTest21EE.crt */,
- 4C75418913D51D63008048AC /* ValidRFC822nameConstraintsTest23EE.crt */,
- 4C75418A13D51D63008048AC /* ValidRFC822nameConstraintsTest25EE.crt */,
- 4C75418B13D51D63008048AC /* ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt */,
- 4C75418C13D51D63008048AC /* ValidSelfIssuedinhibitAnyPolicyTest7EE.crt */,
- 4C75418D13D51D63008048AC /* ValidSelfIssuedinhibitAnyPolicyTest9EE.crt */,
- 4C75418E13D51D63008048AC /* ValidSelfIssuedinhibitPolicyMappingTest7EE.crt */,
- 4C75418F13D51D63008048AC /* ValidSelfIssuedpathLenConstraintTest15EE.crt */,
- 4C75419013D51D63008048AC /* ValidSelfIssuedpathLenConstraintTest17EE.crt */,
- 4C75419113D51D63008048AC /* ValidSelfIssuedrequireExplicitPolicyTest6EE.crt */,
- 4C75419213D51D63008048AC /* ValidURInameConstraintsTest34EE.crt */,
- 4C75419313D51D63008048AC /* ValidURInameConstraintsTest36EE.crt */,
- 4C75419413D51D63008048AC /* ValidUTF8StringCaseInsensitiveMatchTest11EE.crt */,
- 4C75419513D51D63008048AC /* ValidUTF8StringEncodedNamesTest9EE.crt */,
- 4C75419613D51D63008048AC /* ValidUnknownNotCriticalCertificateExtensionTest1EE.crt */,
- 4C75419713D51D63008048AC /* ValidbasicConstraintsNotCriticalTest4EE.crt */,
- 4C75419813D51D63008048AC /* ValidcRLIssuerTest28EE.crt */,
- 4C75419913D51D63008048AC /* ValidcRLIssuerTest29EE.crt */,
- 4C75419A13D51D63008048AC /* ValidcRLIssuerTest30EE.crt */,
- 4C75419B13D51D63008048AC /* ValidcRLIssuerTest33EE.crt */,
- 4C75419C13D51D63008048AC /* ValidinhibitAnyPolicyTest2EE.crt */,
- 4C75419D13D51D63008048AC /* ValidinhibitPolicyMappingTest2EE.crt */,
- 4C75419E13D51D63008048AC /* ValidinhibitPolicyMappingTest4EE.crt */,
- 4C75419F13D51D63008048AC /* ValidkeyUsageNotCriticalTest3EE.crt */,
- 4C7541A013D51D63008048AC /* ValidonlyContainsCACertsTest13EE.crt */,
- 4C7541A113D51D63008048AC /* ValidonlySomeReasonsTest18EE.crt */,
- 4C7541A213D51D63008048AC /* ValidonlySomeReasonsTest19EE.crt */,
- 4C7541A313D51D63008048AC /* ValidpathLenConstraintTest13EE.crt */,
- 4C7541A413D51D63008048AC /* ValidpathLenConstraintTest14EE.crt */,
- 4C7541A513D51D63008048AC /* ValidpathLenConstraintTest7EE.crt */,
- 4C7541A613D51D63008048AC /* ValidpathLenConstraintTest8EE.crt */,
- 4C7541A713D51D63008048AC /* Validpre2000UTCnotBeforeDateTest3EE.crt */,
- 4C7541A813D51D63008048AC /* ValidrequireExplicitPolicyTest1EE.crt */,
- 4C7541A913D51D63008048AC /* ValidrequireExplicitPolicyTest2EE.crt */,
- 4C7541AA13D51D63008048AC /* ValidrequireExplicitPolicyTest4EE.crt */,
- 4C7541AB13D51D63008048AC /* WrongCRLCACert.crt */,
- 4C7541AC13D51D63008048AC /* anyPolicyCACert.crt */,
- 4C7541AD13D51D63008048AC /* basicConstraintsCriticalcAFalseCACert.crt */,
- 4C7541AE13D51D63008048AC /* basicConstraintsNotCriticalCACert.crt */,
- 4C7541AF13D51D63008048AC /* basicConstraintsNotCriticalcAFalseCACert.crt */,
- 4C7541B013D51D63008048AC /* deltaCRLCA1Cert.crt */,
- 4C7541B113D51D63008048AC /* deltaCRLCA2Cert.crt */,
- 4C7541B213D51D63008048AC /* deltaCRLCA3Cert.crt */,
- 4C7541B313D51D63008048AC /* deltaCRLIndicatorNoBaseCACert.crt */,
- 4C7541B413D51D63008048AC /* distributionPoint1CACert.crt */,
- 4C7541B513D51D63008048AC /* distributionPoint2CACert.crt */,
- 4C7541B613D51D63008048AC /* indirectCRLCA1Cert.crt */,
- 4C7541B713D51D63008048AC /* indirectCRLCA2Cert.crt */,
- 4C7541B813D51D63008048AC /* indirectCRLCA3Cert.crt */,
- 4C7541B913D51D63008048AC /* indirectCRLCA3cRLIssuerCert.crt */,
- 4C7541BA13D51D63008048AC /* indirectCRLCA4Cert.crt */,
- 4C7541BB13D51D63008048AC /* indirectCRLCA4cRLIssuerCert.crt */,
- 4C7541BC13D51D63008048AC /* indirectCRLCA5Cert.crt */,
- 4C7541BD13D51D63008048AC /* indirectCRLCA6Cert.crt */,
- 4C7541BE13D51D63008048AC /* inhibitAnyPolicy0CACert.crt */,
- 4C7541BF13D51D63008048AC /* inhibitAnyPolicy1CACert.crt */,
- 4C7541C013D51D63008048AC /* inhibitAnyPolicy1SelfIssuedCACert.crt */,
- 4C7541C113D51D63008048AC /* inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt */,
- 4C7541C213D51D63008048AC /* inhibitAnyPolicy1subCA1Cert.crt */,
- 4C7541C313D51D63008048AC /* inhibitAnyPolicy1subCA2Cert.crt */,
- 4C7541C413D51D63008048AC /* inhibitAnyPolicy1subCAIAP5Cert.crt */,
- 4C7541C513D51D63008048AC /* inhibitAnyPolicy1subsubCA2Cert.crt */,
- 4C7541C613D51D63008048AC /* inhibitAnyPolicy5CACert.crt */,
- 4C7541C713D51D63008048AC /* inhibitAnyPolicy5subCACert.crt */,
- 4C7541C813D51D63008048AC /* inhibitAnyPolicy5subsubCACert.crt */,
- 4C7541C913D51D63008048AC /* inhibitAnyPolicyTest3EE.crt */,
- 4C7541CA13D51D63008048AC /* inhibitPolicyMapping0CACert.crt */,
- 4C7541CB13D51D63008048AC /* inhibitPolicyMapping0subCACert.crt */,
- 4C7541CC13D51D63008048AC /* inhibitPolicyMapping1P12CACert.crt */,
- 4C7541CD13D51D63008048AC /* inhibitPolicyMapping1P12subCACert.crt */,
- 4C7541CE13D51D63008048AC /* inhibitPolicyMapping1P12subCAIPM5Cert.crt */,
- 4C7541CF13D51D63008048AC /* inhibitPolicyMapping1P12subsubCACert.crt */,
- 4C7541D013D51D63008048AC /* inhibitPolicyMapping1P12subsubCAIPM5Cert.crt */,
- 4C7541D113D51D63008048AC /* inhibitPolicyMapping1P1CACert.crt */,
- 4C7541D213D51D63008048AC /* inhibitPolicyMapping1P1SelfIssuedCACert.crt */,
- 4C7541D313D51D63008048AC /* inhibitPolicyMapping1P1SelfIssuedsubCACert.crt */,
- 4C7541D413D51D63008048AC /* inhibitPolicyMapping1P1subCACert.crt */,
- 4C7541D513D51D63008048AC /* inhibitPolicyMapping1P1subsubCACert.crt */,
- 4C7541D613D51D63008048AC /* inhibitPolicyMapping5CACert.crt */,
- 4C7541D713D51D63008048AC /* inhibitPolicyMapping5subCACert.crt */,
- 4C7541D813D51D63008048AC /* inhibitPolicyMapping5subsubCACert.crt */,
- 4C7541D913D51D63008048AC /* inhibitPolicyMapping5subsubsubCACert.crt */,
- 4C7541DA13D51D63008048AC /* keyUsageCriticalcRLSignFalseCACert.crt */,
- 4C7541DB13D51D63008048AC /* keyUsageCriticalkeyCertSignFalseCACert.crt */,
- 4C7541DC13D51D63008048AC /* keyUsageNotCriticalCACert.crt */,
- 4C7541DD13D51D63008048AC /* keyUsageNotCriticalcRLSignFalseCACert.crt */,
- 4C7541DE13D51D63008048AC /* keyUsageNotCriticalkeyCertSignFalseCACert.crt */,
- 4C7541DF13D51D63008048AC /* nameConstraintsDN1CACert.crt */,
- 4C7541E013D51D63008048AC /* nameConstraintsDN1SelfIssuedCACert.crt */,
- 4C7541E113D51D63008048AC /* nameConstraintsDN1subCA1Cert.crt */,
- 4C7541E213D51D63008048AC /* nameConstraintsDN1subCA2Cert.crt */,
- 4C7541E313D51D63008048AC /* nameConstraintsDN1subCA3Cert.crt */,
- 4C7541E413D51D63008048AC /* nameConstraintsDN2CACert.crt */,
- 4C7541E513D51D63008048AC /* nameConstraintsDN3CACert.crt */,
- 4C7541E613D51D63008048AC /* nameConstraintsDN3subCA1Cert.crt */,
- 4C7541E713D51D63008048AC /* nameConstraintsDN3subCA2Cert.crt */,
- 4C7541E813D51D63008048AC /* nameConstraintsDN4CACert.crt */,
- 4C7541E913D51D63008048AC /* nameConstraintsDN5CACert.crt */,
- 4C7541EA13D51D63008048AC /* nameConstraintsDNS1CACert.crt */,
- 4C7541EB13D51D63008048AC /* nameConstraintsDNS2CACert.crt */,
- 4C7541EC13D51D63008048AC /* nameConstraintsRFC822CA1Cert.crt */,
- 4C7541ED13D51D63008048AC /* nameConstraintsRFC822CA2Cert.crt */,
- 4C7541EE13D51D63008048AC /* nameConstraintsRFC822CA3Cert.crt */,
- 4C7541EF13D51D63008048AC /* nameConstraintsURI1CACert.crt */,
- 4C7541F013D51D63008048AC /* nameConstraintsURI2CACert.crt */,
- 4C7541F113D51D63008048AC /* onlyContainsAttributeCertsCACert.crt */,
- 4C7541F213D51D63008048AC /* onlyContainsCACertsCACert.crt */,
- 4C7541F313D51D63008048AC /* onlyContainsUserCertsCACert.crt */,
- 4C7541F413D51D63008048AC /* onlySomeReasonsCA1Cert.crt */,
- 4C7541F513D51D63008048AC /* onlySomeReasonsCA2Cert.crt */,
- 4C7541F613D51D63008048AC /* onlySomeReasonsCA3Cert.crt */,
- 4C7541F713D51D63008048AC /* onlySomeReasonsCA4Cert.crt */,
- 4C7541F813D51D63008048AC /* pathLenConstraint0CACert.crt */,
- 4C7541F913D51D63008048AC /* pathLenConstraint0SelfIssuedCACert.crt */,
- 4C7541FA13D51D63008048AC /* pathLenConstraint0subCA2Cert.crt */,
- 4C7541FB13D51D63008048AC /* pathLenConstraint0subCACert.crt */,
- 4C7541FC13D51D63008048AC /* pathLenConstraint1CACert.crt */,
- 4C7541FD13D51D63008048AC /* pathLenConstraint1SelfIssuedCACert.crt */,
- 4C7541FE13D51D63008048AC /* pathLenConstraint1SelfIssuedsubCACert.crt */,
- 4C7541FF13D51D63008048AC /* pathLenConstraint1subCACert.crt */,
- 4C75420013D51D64008048AC /* pathLenConstraint6CACert.crt */,
- 4C75420113D51D64008048AC /* pathLenConstraint6subCA0Cert.crt */,
- 4C75420213D51D64008048AC /* pathLenConstraint6subCA1Cert.crt */,
- 4C75420313D51D64008048AC /* pathLenConstraint6subCA4Cert.crt */,
- 4C75420413D51D64008048AC /* pathLenConstraint6subsubCA00Cert.crt */,
- 4C75420513D51D64008048AC /* pathLenConstraint6subsubCA11Cert.crt */,
- 4C75420613D51D64008048AC /* pathLenConstraint6subsubCA41Cert.crt */,
- 4C75420713D51D64008048AC /* pathLenConstraint6subsubsubCA11XCert.crt */,
- 4C75420813D51D64008048AC /* pathLenConstraint6subsubsubCA41XCert.crt */,
- 4C75420913D51D64008048AC /* pre2000CRLnextUpdateCACert.crt */,
- 4C75420A13D51D64008048AC /* requireExplicitPolicy0CACert.crt */,
- 4C75420B13D51D64008048AC /* requireExplicitPolicy0subCACert.crt */,
- 4C75420C13D51D64008048AC /* requireExplicitPolicy0subsubCACert.crt */,
- 4C75420D13D51D64008048AC /* requireExplicitPolicy0subsubsubCACert.crt */,
- 4C75420E13D51D64008048AC /* requireExplicitPolicy10CACert.crt */,
- 4C75420F13D51D64008048AC /* requireExplicitPolicy10subCACert.crt */,
- 4C75421013D51D64008048AC /* requireExplicitPolicy10subsubCACert.crt */,
- 4C75421113D51D64008048AC /* requireExplicitPolicy10subsubsubCACert.crt */,
- 4C75421213D51D64008048AC /* requireExplicitPolicy2CACert.crt */,
- 4C75421313D51D64008048AC /* requireExplicitPolicy2SelfIssuedCACert.crt */,
- 4C75421413D51D64008048AC /* requireExplicitPolicy2SelfIssuedsubCACert.crt */,
- 4C75421513D51D64008048AC /* requireExplicitPolicy2subCACert.crt */,
- 4C75421613D51D64008048AC /* requireExplicitPolicy4CACert.crt */,
- 4C75421713D51D64008048AC /* requireExplicitPolicy4subCACert.crt */,
- 4C75421813D51D64008048AC /* requireExplicitPolicy4subsubCACert.crt */,
- 4C75421913D51D64008048AC /* requireExplicitPolicy4subsubsubCACert.crt */,
- 4C75421A13D51D64008048AC /* requireExplicitPolicy5CACert.crt */,
- 4C75421B13D51D64008048AC /* requireExplicitPolicy5subCACert.crt */,
- 4C75421C13D51D64008048AC /* requireExplicitPolicy5subsubCACert.crt */,
- 4C75421D13D51D64008048AC /* requireExplicitPolicy5subsubsubCACert.crt */,
- 4C75421E13D51D64008048AC /* requireExplicitPolicy7CACert.crt */,
- 4C75421F13D51D64008048AC /* requireExplicitPolicy7subCARE2Cert.crt */,
- 4C75422013D51D64008048AC /* requireExplicitPolicy7subsubCARE2RE4Cert.crt */,
- 4C75422113D51D64008048AC /* requireExplicitPolicy7subsubsubCARE2RE4Cert.crt */,
- );
- path = "nist-certs";
- sourceTree = "<group>";
- };
 4C8786A20B03E05D00BB77D4 /* Products */ = {
 isa = PBXGroup;
 children = (
@@ -5912,7 +4148,6 @@
 children = (
 5E8B53A41AA0B8A600345E7B /* libcoreauthd_test_client.a */,
 4432AF6A1A01458F000958DC /* libcoreauthd_client.a */,
- 4432AF8C1A01472C000958DC /* libaks_acl.a */,
 E7D690911652E06A0079537A /* libMobileGestalt.dylib */,
 E7AAB5F415929493005C8BCC /* libcorecrypto.dylib */,
 4469FBDD1AA0A45C0021AA26 /* libctkclient.a */,
@@ -5930,6 +4165,7 @@
 4C922CB2097F1984004CEEBD /* Security */ = {
 isa = PBXGroup;
 children = (
+ 1FDA9AB91C44844D0083929D /* SecTranslocate.h */,
 D45D1A461B3A293E00C63E16 /* oids.h */,
 4C28BCD60986EBCB0020C665 /* certextensions.h */,
 524492931AFD6D480043695A /* der_plist.h */,
@@ -5946,6 +4182,7 @@
 4CF41D0A0BBB4022005F3248 /* SecCertificatePath.h */,
 4C7608B10AC34A8100980096 /* SecCertificatePriv.h */,
 791766DD0DD0162C00F3B974 /* SecCertificateRequest.h */,
+ D47F514B1C3B812500A7CEFE /* SecCFAllocator.h */,
 79BDD3C00D60DB84000D84D3 /* SecCMS.h */,
 7940D4110C3ACF9000FDB5D8 /* SecDH.h */,
 4CD3BA601106FF4D00BE8B75 /* SecECKey.h */,
@@ -6011,6 +4248,8 @@
 4CB740FA0A47580400D641BB /* SecurityTool */ = {
 isa = PBXGroup;
 children = (
+ E78A9AD81D34959200006B5B /* NSFileHandle+Formatting.h */,
+ E78A9AD91D34959200006B5B /* NSFileHandle+Formatting.m */,
 4C4CB7100DDA44900026B660 /* entitlements.plist */,
 E7104A0B169E171900DB0045 /* security_tool_commands.c */,
 E7FEFB80169E26E200E18152 /* sub_commands.h */,
@@ -6041,26 +4280,6 @@
 path = sslViewer;
 sourceTree = "<group>";
 };
- 52D82BE016A621F70078DFE5 /* CloudKeychainProxy */ = {
- isa = PBXGroup;
- children = (
- 52D82BF716A6283F0078DFE5 /* ckdmain.m */,
- 52D82BE116A621F70078DFE5 /* Supporting Files */,
- );
- path = CloudKeychainProxy;
- sourceTree = "<group>";
- };
- 52D82BE116A621F70078DFE5 /* Supporting Files */ = {
- isa = PBXGroup;
- children = (
- 52D82BE216A621F70078DFE5 /* CloudKeychainProxy-Info.plist */,
- 52D82BE316A621F70078DFE5 /* InfoPlist.strings */,
- 52222D2C16A5CBCC00EDD09C /* com.apple.security.cloudkeychainproxy.plist */,
- 52D82BE616A621F70078DFE5 /* AspenFamily.xcconfig */,
- );
- name = "Supporting Files";
- sourceTree = "<group>";
- };
 52DE816E1636347500F49F0C /* Keychain */ = {
 isa = PBXGroup;
 children = (
@@ -6140,7 +4359,6 @@
 children = (
 5346480517331E1200FE9172 /* KeychainSyncAccountNotification-Info.plist */,
 5346480617331E1200FE9172 /* InfoPlist.strings */,
- 5346480917331E1200FE9172 /* AspenFamily.xcconfig */,
 5346480A17331E1200FE9172 /* KeychainSyncAccountNotification-Prefix.pch */,
 );
 name = "Supporting Files";
@@ -6177,24 +4395,6 @@
 path = secacltests;
 sourceTree = "<group>";
 };
- 721680C5179B514700406BB4 /* iCloudStat */ = {
- isa = PBXGroup;
- children = (
- 721680C6179B514700406BB4 /* Supporting Files */,
- 721680DC179B518400406BB4 /* main.c */,
- 721680DE179B51BC00406BB4 /* com.apple.icloudKeychainStats.plist */,
- );
- path = iCloudStat;
- sourceTree = "<group>";
- };
- 721680C6179B514700406BB4 /* Supporting Files */ = {
- isa = PBXGroup;
- children = (
- 721680C7179B514700406BB4 /* AspenFamily.xcconfig */,
- );
- name = "Supporting Files";
- sourceTree = "<group>";
- };
 728B56A316D59979008FA3AB /* OTAPKIAssetTool */ = {
 isa = PBXGroup;
 children = (
@@ -6211,36 +4411,11 @@
 children = (
 5DDD0BDD16D6740E00D6C0D6 /* com.apple.OTAPKIAssetTool.plist */,
 5DDD0BDE16D6740E00D6C0D6 /* OTAPKIAssetTool-entitlements.plist */,
- 728B56A516D59979008FA3AB /* AspenFamily.xcconfig */,
 22C002A31AC9D33100B3469E /* OTAPKIAssetTool.xcconfig */,
 );
 name = "Supporting Files";
 sourceTree = "<group>";
 };
- 72979BD1175D08C700BE8FD6 /* CloudKeychainDiagnoseTool */ = {
- isa = PBXGroup;
- children = (
- );
- name = CloudKeychainDiagnoseTool;
- sourceTree = "<group>";
- };
- 72979BE4175D095900BE8FD6 /* cloud_keychain_diagnose */ = {
- isa = PBXGroup;
- children = (
- 72979BEF175D0B2D00BE8FD6 /* cloud_keychain_diagnose.c */,
- 72979BE5175D095900BE8FD6 /* Supporting Files */,
- );
- path = cloud_keychain_diagnose;
- sourceTree = "<group>";
- };
- 72979BE5175D095900BE8FD6 /* Supporting Files */ = {
- isa = PBXGroup;
- children = (
- 72979BE6175D095900BE8FD6 /* AspenFamily.xcconfig */,
- );
- name = "Supporting Files";
- sourceTree = "<group>";
- };
 7908507E0CA87CF00083CC4D /* ipc */ = {
 isa = PBXGroup;
 children = (
@@ -6284,32 +4459,6 @@
 name = Products;
 sourceTree = "<group>";
 };
- 79DCEA56134A27D2007F57DC /* codesign_wrapper */ = {
- isa = PBXGroup;
- children = (
- 79DCEA5E134A280F007F57DC /* codesign_wrapper.c */,
- 79DCEA5F134A280F007F57DC /* codesign.c */,
- 79DCEA60134A280F007F57DC /* MISEntitlement.c */,
- 79DCEA67134A2820007F57DC /* codesign.h */,
- 79DCEA69134A2820007F57DC /* codesign_wrapper.h */,
- 79DCEA6B134A2820007F57DC /* MISBase.h */,
- 79DCEA6D134A2820007F57DC /* MISEntitlement.h */,
- );
- path = codesign_wrapper;
- sourceTree = "<group>";
- };
- 79E0D701143E558B0010CE0E /* AppleID-certs */ = {
- isa = PBXGroup;
- children = (
- 79E0D7AA143E68BF0010CE0E /* iPhoneCACert.crt */,
- 79E0D7A6143E671C0010CE0E /* Invalid-asset_signing.crt */,
- 79E0D702143E558B0010CE0E /* Apple Application Integration Certification Authority Cert.crt */,
- 79E0D703143E558B0010CE0E /* Apple Production ShareServices-7130767241416543643077536561487847634e4d6f773d3d.crt */,
- 79E0D704143E558B0010CE0E /* AppleRootCertificate.crt */,
- );
- path = "AppleID-certs";
- sourceTree = "<group>";
- };
 BE197F2719116FD100BA91D1 /* SharedWebCredentialViewService */ = {
 isa = PBXGroup;
 children = (
@@ -6330,7 +4479,6 @@
 BE197F2A19116FD100BA91D1 /* InfoPlist.strings */,
 BE197F2D19116FD100BA91D1 /* main.m */,
 BE197F2F19116FD100BA91D1 /* SharedWebCredentialViewService-Prefix.pch */,
- BE197F3319116FD100BA91D1 /* AspenFamily.xcconfig */,
 );
 name = "Supporting Files";
 sourceTree = "<group>";
@@ -6347,7 +4495,17 @@
 CD3F91411A802E1100E07119 /* IDSKeychainSyncingProxy */ = {
 isa = PBXGroup;
 children = (
- CDF42C2C1A884C3E0080BB05 /* idksmain.m */,
+ 0C6E38F41C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyReceiveMessage.h */,
+ 0C6E38F51C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyReceiveMessage.m */,
+ 0C6E38F61C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxySendMessage.h */,
+ 0C6E38F71C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxySendMessage.m */,
+ 0C6E38F81C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyThrottle.h */,
+ 0C6E38F91C741BD1005D8827 /* IDSKeychainSyncingProxy+IDSProxyThrottle.m */,
+ E7A5F5551C0D03DB00F3BEBB /* idskeychainsyncingproxy.m */,
+ E7A5F5561C0D03DB00F3BEBB /* IDSPersistentState.h */,
+ E7A5F5511C0D03B400F3BEBB /* IDSPersistentState.m */,
+ E7A5F5571C0D03DB00F3BEBB /* IDSProxy.h */,
+ E7A5F5521C0D03B400F3BEBB /* IDSProxy.m */,
 CD3F91421A802E1100E07119 /* Supporting Files */,
 );
 path = IDSKeychainSyncingProxy;
@@ -6356,57 +4514,26 @@
 CD3F91421A802E1100E07119 /* Supporting Files */ = {
 isa = PBXGroup;
 children = (
+ CD3F91181A802B4900E07119 /* IDSKeychainSyncingProxy-Info.plist */,
 CDB22D0B1A9D37440043E348 /* idskeychainsyncingproxy.entitlements.plist */,
- CD3F91151A802B4900E07119 /* com.apple.security.idskeychainsyncingproxy.plist */,
+ 8E64DB451C17BCF40076C9DF /* com.apple.security.idskeychainsyncingproxy.ios.plist */,
+ 8E64DB461C17BCF40076C9DF /* com.apple.security.idskeychainsyncingproxy.osx.plist */,
 CDF91EF11AAE023800E88CF7 /* com.apple.private.alloy.keychainsync.plist */,
- CD3F91181A802B4900E07119 /* IDSKeychainSyncingProxy-Info.plist */,
 );
 name = "Supporting Files";
 sourceTree = "<group>";
 };
- D4B4A9D21B8BBBDF0097B393 /* ssl-policy-certs */ = {
- isa = PBXGroup;
- children = (
- D4B4A9D31B8BBC1B0097B393 /* InvalidEKUTest16.cer */,
- D4B4A9D41B8BBC1B0097B393 /* InvalidHostnameTest1.cer */,
- D4B4A9D51B8BBC1B0097B393 /* InvalidHostnameTest2.cer */,
- D4B4A9D61B8BBC1B0097B393 /* InvalidHostnameTest22.cer */,
- D4B4A9D71B8BBC1B0097B393 /* InvalidHostnameTest23.cer */,
- D4B4A9D81B8BBC1B0097B393 /* InvalidHostnameTest24.cer */,
- D4B4A9D91B8BBC1B0097B393 /* InvalidWildcardTest5Test6.cer */,
- D4B4A9DA1B8BBC1B0097B393 /* InvalidWildcardTest10.cer */,
- D4B4A9DB1B8BBC1B0097B393 /* InvalidWildcardTest11.cer */,
- D4B4A9DC1B8BBC1B0097B393 /* InvalidWildcardTest12.cer */,
- D4B4A9DD1B8BBC1B0097B393 /* InvalidWildcardTest13Test14.cer */,
- D4B4A9DE1B8BBC1B0097B393 /* InvalidWildcardTest15.cer */,
- D4B4A9DF1B8BBC1B0097B393 /* InvalidWildcardTest25Test26.cer */,
- D4B4A9E01B8BBC1B0097B393 /* SSLTrustPolicyTest.plist */,
- D4B4A9E11B8BBC1B0097B393 /* SSLTrustPolicyTestRootCertificate.cer */,
- D4B4A9E21B8BBC1B0097B393 /* ValidEKUTest17.cer */,
- D4B4A9E31B8BBC1B0097B393 /* ValidHostnameTest3.cer */,
- D4B4A9E41B8BBC1B0097B393 /* ValidHostnameTest4.cer */,
- D4B4A9E51B8BBC1B0097B393 /* ValidHostnameTest18Test19Test20.cer */,
- D4B4A9E61B8BBC1B0097B393 /* ValidHostnameTest21.cer */,
- D4B4A9E71B8BBC1B0097B393 /* ValidWildcardTest7Test8Test9.cer */,
- );
- name = "ssl-policy-certs";
- sourceTree = "<group>";
- };
 E710C74A1331946500F85568 /* SecurityTests */ = {
 isa = PBXGroup;
 children = (
- D4B4A9D21B8BBBDF0097B393 /* ssl-policy-certs */,
 4CC92ABA15A3B3D900C6D578 /* testlist.h */,
 4CC92B1B15A3BF2F00C6D578 /* testmain.c */,
- 79E0D701143E558B0010CE0E /* AppleID-certs */,
- E73000F513D90CD900B0DA1B /* AppleRootCertificate.crt */,
- E73000F813D90CD900B0DA1B /* iPhoneCACert.crt */,
- E73000F413D90CD900B0DA1B /* mobileasset-certs */,
- 4C7540BA13D51D63008048AC /* nist-certs */,
- E73000C713D9049B00B0DA1B /* OTATasking-certs */,
+ D4D886E81CEBDD2A00DC7583 /* nist-certs */,
+ D4D886BE1CEB9F3B00DC7583 /* ssl-policy-certs */,
+ D4EC94FA1CEA482D0083E753 /* si-20-sectrust-policies-data */,
+ 0C0C88771CCEC5BD00617D1B /* si-82-sectrust-ct-data */,
 4C50ACFB1410671D00EE92DE /* DigiNotar */,
 79679E241462028800CF997F /* DigicertMalaysia */,
- E72783F5159BDF9600028D6C /* Shoebox */,
 E710C74B1331946500F85568 /* Supporting Files */,
 0CB321F01464A95F00587CD3 /* CreateCerts.sh */,
 0C550308139F0B970019E5EB /* PreSecurityTests.sh */,
@@ -6426,36 +4553,6 @@
 name = "Supporting Files";
 sourceTree = "<group>";
 };
- E72783F5159BDF9600028D6C /* Shoebox */ = {
- isa = PBXGroup;
- children = (
- 5D83979C160259EE0075998F /* Invalid.com.apple.testcard.crt */,
- E72783F6159BDFBB00028D6C /* Apple TEST RootCertificate.crt */,
- E72783F7159BDFBC00028D6C /* Apple Worldwide Developer Relations Certification Authority Cert.crt */,
- E72783F8159BDFBC00028D6C /* Apple Worldwide Developer Relations Certification Authority TEST Cert.crt */,
- E72783F9159BDFBC00028D6C /* AppleRootCertificate.crt */,
- );
- name = Shoebox;
- sourceTree = "<group>";
- };
- E73000C713D9049B00B0DA1B /* OTATasking-certs */ = {
- isa = PBXGroup;
- children = (
- E73000DD13D90A1F00B0DA1B /* Invalid-asset_signing.crt */,
- E73000DF13D90A1F00B0DA1B /* task_signing.crt */,
- );
- name = "OTATasking-certs";
- sourceTree = "<group>";
- };
- E73000F413D90CD900B0DA1B /* mobileasset-certs */ = {
- isa = PBXGroup;
- children = (
- E73000F613D90CD900B0DA1B /* asset_signing.crt */,
- E73000F713D90CD900B0DA1B /* Invalid-task_signing.crt */,
- );
- path = "mobileasset-certs";
- sourceTree = "<group>";
- };
 E7450BB216D42BD4009C07B8 /* Security.framework headers */ = {
 isa = PBXGroup;
 children = (
@@ -6473,7 +4570,6 @@
 children = (
 52F8DE4D1AF2EB8F00A2C271 /* SOSTypes.h */,
 9468B96D1AF2B93300042383 /* SOSViews.h */,
- 9468B96B1AF2B91B00042383 /* SOSForerunnerSession.h */,
 9468B9691AF2B8FC00042383 /* SOSCloudCircleInternal.h */,
 9468B9471AF2B60800042383 /* SOSBackupSliceKeyBag.h */,
 E7450BAC16D42B17009C07B8 /* SOSCloudCircle.h */,
@@ -6487,6 +4583,36 @@
 path = OSX/sec/SOSCircle;
 sourceTree = "<group>";
 };
+ E7A5F4D11C0CFF4E00F3BEBB /* KVSKeychainSyncingProxy */ = {
+ isa = PBXGroup;
+ children = (
+ E7A5F4C61C0CFF3200F3BEBB /* CKDKVSProxy.h */,
+ E7A5F4C71C0CFF3200F3BEBB /* CKDKVSProxy.m */,
+ E73AC9421D0250D900FFFEE0 /* CKDStore.h */,
+ E722E9381CE92EE0005AD94B /* CKDKVSStore.h */,
+ E722E9111CE92DFC005AD94B /* CKDKVSStore.m */,
+ E7A5F4C91C0CFF3200F3BEBB /* CKDPersistentState.h */,
+ E7B945B01CFE5D440027F31D /* CKDAccount.h */,
+ E7B945B11CFE5EBD0027F31D /* CKDSecuritydAccount.h */,
+ E7B945B21CFE5EBD0027F31D /* CKDSecuritydAccount.m */,
+ E7A5F4CA1C0CFF3200F3BEBB /* CKDPersistentState.m */,
+ E7A5F4CE1C0CFF3300F3BEBB /* cloudkeychainproxy.m */,
+ E7A5F4D91C0D01EE00F3BEBB /* Supporting Files */,
+ );
+ name = KVSKeychainSyncingProxy;
+ sourceTree = "<group>";
+ };
+ E7A5F4D91C0D01EE00F3BEBB /* Supporting Files */ = {
+ isa = PBXGroup;
+ children = (
+ E7A5F4CC1C0CFF3300F3BEBB /* CloudKeychainProxy-Info.plist */,
+ E7A5F4CB1C0CFF3300F3BEBB /* cloudkeychain.entitlements.plist */,
+ 8E64DB4C1C17CD3F0076C9DF /* com.apple.security.cloudkeychainproxy.ios.plist */,
+ 8E64DB4D1C17CD400076C9DF /* com.apple.security.cloudkeychainproxy.osx.plist */,
+ );
+ name = "Supporting Files";
+ sourceTree = "<group>";
+ };
 E7C4D03512F9EB210022E067 /* security_smime */ = {
 isa = PBXGroup;
 children = (
@@ -6504,9 +4630,68 @@
 name = security_smime;
 sourceTree = "<group>";
 };
+ E7D847C61C6BE9710025BB44 /* KeychainCircle.framework */ = {
+ isa = PBXGroup;
+ children = (
+ E7D848031C6BEFAB0025BB44 /* Tests */,
+ E7D848011C6BEE360025BB44 /* Supporting Files */,
+ E7E3EFE21CBC195700E79A5D /* KCAccountKCCircleDelegate.h */,
+ E7E3EFB91CBC192A00E79A5D /* KCAccountKCCircleDelegate.m */,
+ E7F480131C7397CE00390FDB /* KCJoiningSession.h */,
+ E7F480141C73980D00390FDB /* KCJoiningRequestSession.m */,
+ E7F482AB1C7558F700390FDB /* KCJoiningAcceptSession.m */,
+ E794BAD91C7598E400339A0F /* KCJoiningMessages.h */,
+ E794BAFF1C7598F900339A0F /* KCJoiningMessages.m */,
+ E71454C71C741DCD00B5B20B /* KCDer.h */,
+ E794BA6E1C7424D800339A0F /* KCDer.m */,
+ E71454ED1C741E0800B5B20B /* KCError.h */,
+ E71454EE1C741E0800B5B20B /* KCError.m */,
+ E75C0E801C6FC31D00E6953B /* KCSRPContext.h */,
+ E75C0E811C6FC31D00E6953B /* KCSRPContext.m */,
+ E7F480111C729C7B00390FDB /* NSError+KCCreationHelpers.h */,
+ E7F482A91C7554F500390FDB /* NSError+KCCreationHelpers.m */,
+ E772FD6F1CC15F1F00D63E41 /* NSData+SecRandom.h */,
+ E772FD461CC15EFA00D63E41 /* NSData+SecRandom.m */,
+ E75C0E841C71325000E6953B /* KeychainCircle.h */,
+ E7F480301C73FC4C00390FDB /* KCAESGCMDuplexSession.h */,
+ E7F480311C73FC4C00390FDB /* KCAESGCMDuplexSession.m */,
+ );
+ name = KeychainCircle.framework;
+ path = KeychainCircle;
+ sourceTree = "<group>";
+ };
+ E7D848011C6BEE360025BB44 /* Supporting Files */ = {
+ isa = PBXGroup;
+ children = (
+ E7D847C91C6BE9710025BB44 /* Info.plist */,
+ );
+ name = "Supporting Files";
+ sourceTree = "<group>";
+ };
+ E7D848031C6BEFAB0025BB44 /* Tests */ = {
+ isa = PBXGroup;
+ children = (
+ E7CFF7221C8660A000E3484E /* KeychainCircle.plist */,
+ E7D848061C6BEFFA0025BB44 /* Info.plist */,
+ E7D848041C6BEFC10025BB44 /* KCSRPTests.m */,
+ E7F4809B1C74E85200390FDB /* KCDerTest.m */,
+ E7F4809D1C74E86D00390FDB /* KCAESGCMTest.m */,
+ E7F4826F1C74FDD100390FDB /* KCJoiningSessionTest.m */,
+ );
+ name = Tests;
+ sourceTree = "<group>";
+ };
 E7FCBE401314471B000DE34E /* Frameworks */ = {
 isa = PBXGroup;
 children = (
+ D4B858661D370D9A003B2D95 /* MobileCoreServices.framework */,
+ EB2CA4D81D2C28C800AB770F /* libaks.a */,
+ 4432AF8C1A01472C000958DC /* libaks_acl.a */,
+ E75E498C1C8F76680001A34F /* libASN1.a */,
+ E75E498A1C8F76360001A34F /* libDER.a */,
+ E7F482A51C75453900390FDB /* libcoreauthd_test_client.a */,
+ E7F482A21C7544E600390FDB /* libctkclient_test.a */,
+ E7D848541C6C1D9C0025BB44 /* Foundation.framework */,
 EBE54D771BE33227000C4856 /* libmis.dylib */,
 4CF4C19C171E0EA600877419 /* Accounts.framework */,
 72B368BD179891FC004C37CE /* AggregateDictionary.framework */,
@@ -6536,24 +4721,50 @@
 name = Frameworks;
 sourceTree = "<group>";
 };
- EB0BC83C1C3C069500785842 /* secedumodetest */ = {
+ EB0BC9641C3C792E00785842 /* secedumodetest */ = {
 isa = PBXGroup;
 children = (
- EB0BC83D1C3C06CA00785842 /* secedumodetest.m */,
- EB0BC83E1C3C072C00785842 /* secedumodetest.entitlements */,
+ EB0BC9651C3C794700785842 /* secedumodetest.entitlements */,
+ EB0BC9661C3C794700785842 /* secedumodetest.m */,
 );
 name = secedumodetest;
 sourceTree = "<group>";
 };
- EB9B377C1C646ED10027E2F9 /* secbackuptest */ = {
+ EB2CA5311D2C30CD00AB770F /* xcconfig */ = {
+ isa = PBXGroup;
+ children = (
+ EB2CA5561D2C30F700AB770F /* Security.xcconfig */,
+ );
+ name = xcconfig;
+ sourceTree = "<group>";
+ };
+ EB425CCC1C6584A9000ECE53 /* secbackuptest */ = {
 isa = PBXGroup;
 children = (
- EB9B37A31C646F070027E2F9 /* secbackuptest.m */,
- EB9B37A41C646F5F0027E2F9 /* secbackuptest.entitlements */,
+ EB425CCD1C65854F000ECE53 /* secbackuptest.entitlements */,
+ EB425CCE1C65854F000ECE53 /* secbackuptest.m */,
 );
 name = secbackuptest;
 sourceTree = "<group>";
 };
+ EB4339F61CC323F000A7EACE /* secitemstresstest */ = {
+ isa = PBXGroup;
+ children = (
+ EB433A2D1CC325E900A7EACE /* secitemstresstest.entitlements */,
+ EB433A1E1CC3242C00A7EACE /* secitemstresstest.m */,
+ );
+ name = secitemstresstest;
+ sourceTree = "<group>";
+ };
+ EB80211C1D3D9044008540C4 /* Modules */ = {
+ isa = PBXGroup;
+ children = (
+ EB8021411D3D90BB008540C4 /* Security.iOS.modulemap */,
+ EB8021421D3D90BB008540C4 /* Security.macOS.modulemap */,
+ );
+ name = Modules;
+ sourceTree = "<group>";
+ };
 EB9C1D7C1BDFD0E100F89272 /* secbackupntest */ = {
 isa = PBXGroup;
 children = (
@@ -6568,12 +4779,70 @@
 EB9C1DAD1BDFD49400F89272 /* Security.plist */,
 EB3A8DD71BEEC4D6001A89AA /* Security_edumode.plist */,
 EB9C1D7C1BDFD0E100F89272 /* secbackupntest */,
- EB9B377C1C646ED10027E2F9 /* secbackuptest */,
- EB0BC83C1C3C069500785842 /* secedumodetest */,
+ EB425CCC1C6584A9000ECE53 /* secbackuptest */,
+ EB0BC9641C3C792E00785842 /* secedumodetest */,
+ EBCF73CC1CE45F3F00BED7CA /* secitemfunctionality */,
+ EBA9AA561CE30C91004E2B68 /* secitemnotifications */,
+ EB4339F61CC323F000A7EACE /* secitemstresstest */,
 );
 path = RegressionTests;
 sourceTree = "<group>";
 };
+ EBA9AA561CE30C91004E2B68 /* secitemnotifications */ = {
+ isa = PBXGroup;
+ children = (
+ EBA9AA7B1CE30CE7004E2B68 /* secitemnotifications.entitlements */,
+ EBA9AA7C1CE30CE7004E2B68 /* secitemnotifications.m */,
+ );
+ name = secitemnotifications;
+ sourceTree = "<group>";
+ };
+ EBCF73CC1CE45F3F00BED7CA /* secitemfunctionality */ = {
+ isa = PBXGroup;
+ children = (
+ EBCF73F11CE45F8600BED7CA /* secitemfunctionality.entitlements */,
+ EBCF73F21CE45F8600BED7CA /* secitemfunctionality.m */,
+ );
+ name = secitemfunctionality;
+ sourceTree = "<group>";
+ };
+ EBDED8891C21074500E5ECDB /* SecurityFeatures */ = {
+ isa = PBXGroup;
+ children = (
+ EBDED8B41C2107BD00E5ECDB /* BUILT_PRODUCTS_DIR */,
+ EBDED8B01C21077100E5ECDB /* iOS */,
+ EBDED8B11C21077600E5ECDB /* OSX */,
+ EBDED8AE1C21076C00E5ECDB /* CopyHeaders.sh */,
+ EBBE20311C2137E900B7A639 /* ExternalProject.sh */,
+ EBDED8AF1C21076C00E5ECDB /* README.txt */,
+ );
+ name = SecurityFeatures;
+ sourceTree = "<group>";
+ };
+ EBDED8B01C21077100E5ECDB /* iOS */ = {
+ isa = PBXGroup;
+ children = (
+ EBDED8B31C2107A200E5ECDB /* SecurityFeatures.h */,
+ );
+ name = iOS;
+ sourceTree = "<group>";
+ };
+ EBDED8B11C21077600E5ECDB /* OSX */ = {
+ isa = PBXGroup;
+ children = (
+ EBDED8B21C21078D00E5ECDB /* SecurityFeatures.h */,
+ );
+ name = OSX;
+ sourceTree = "<group>";
+ };
+ EBDED8B41C2107BD00E5ECDB /* BUILT_PRODUCTS_DIR */ = {
+ isa = PBXGroup;
+ children = (
+ EBDED8B51C2107DF00E5ECDB /* SecurityFeatures.h */,
+ );
+ name = BUILT_PRODUCTS_DIR;
+ sourceTree = BUILT_PRODUCTS_DIR;
+ };
 F93C49391AB8FF530047E01A /* ckcdiagnose */ = {
 isa = PBXGroup;
 children = (
@@ -6603,6 +4872,7 @@
 BE061FE11899ECEE00C739F6 /* SecSharedCredential.h in Headers */,
 443381EE18A3D83A00215606 /* SecAccessControlPriv.h in Headers */,
 0CA31A4814BB5CDB00BD348C /* CipherSuite.h in Headers */,
+ EB73F0111C210C11008191E3 /* SecurityFeatures.h in Headers */,
 524492941AFD6D480043695A /* der_plist.h in Headers */,
 CDDE9BD11729ABFA0013B0E8 /* SecPasswordGenerate.h in Headers */,
 0CA31A7514BB6C2500BD348C /* sslTypes.h in Headers */,
@@ -6660,6 +4930,7 @@
 0C5D2EEF167FF0560077501D /* SecAsn1Templates.h in Headers */,
 D45D1A471B3A293E00C63E16 /* oids.h in Headers */,
 EB69AB301BF4348000913AF1 /* SecEMCSPriv.h in Headers */,
+ D47F514C1C3B812500A7CEFE /* SecCFAllocator.h in Headers */,
 8E02FA6B1107BE460043545E /* pbkdf2.h in Headers */,
 8ED6F6CA110904E300D2B368 /* SecPBKDF.h in Headers */,
 7901791812D51F7200CA4D44 /* SecCmsBase.h in Headers */,
@@ -6677,8 +4948,42 @@
 );
 runOnlyForDeploymentPostprocessing = 0;
 };
+ E7D847C21C6BE9710025BB44 /* Headers */ = {
+ isa = PBXHeadersBuildPhase;
+ buildActionMask = 2147483647;
+ files = (
+ E75C0E851C71329900E6953B /* KeychainCircle.h in Headers */,
+ E71454F11C741E1500B5B20B /* KCDer.h in Headers */,
+ E772FD701CC15F1F00D63E41 /* NSData+SecRandom.h in Headers */,
+ E7F480321C73FC4C00390FDB /* KCAESGCMDuplexSession.h in Headers */,
+ E7F480121C729C7B00390FDB /* NSError+KCCreationHelpers.h in Headers */,
+ E7E3EFE31CBC195700E79A5D /* KCAccountKCCircleDelegate.h in Headers */,
+ E794BB011C759B1200339A0F /* KCJoiningMessages.h in Headers */,
+ E71454EF1C741E0800B5B20B /* KCError.h in Headers */,
+ E7F482961C74FDF800390FDB /* KCJoiningSession.h in Headers */,
+ E75C0E821C6FC31D00E6953B /* KCSRPContext.h in Headers */,
+ );
+ runOnlyForDeploymentPostprocessing = 0;
+ };
 /* End PBXHeadersBuildPhase section */
+/* Begin PBXLegacyTarget section */
+ EBBE20571C21380100B7A639 /* SecurityFeatures */ = {
+ isa = PBXLegacyTarget;
+ buildArgumentsString = "$(PROJECT_DIR)/SecurityFeatures/ExternalProject.sh $(ACTION)";
+ buildConfigurationList = EBBE20581C21380200B7A639 /* Build configuration list for PBXLegacyTarget "SecurityFeatures" */;
+ buildPhases = (
+ );
+ buildToolPath = /bin/bash;
+ buildWorkingDirectory = "$(PROJECT_DIR)/SecurityFeatures";
+ dependencies = (
+ );
+ name = SecurityFeatures;
+ passBuildSettingsInEnvironment = 1;
+ productName = SecurityFeatures;
+ };
+/* End PBXLegacyTarget section */
+
 /* Begin PBXNativeTarget section */
 0C0BDB2E175685B000BC1A7E /* secdtests */ = {
 isa = PBXNativeTarget;
@@ -6696,6 +5001,7 @@ 0C664AE41759398A0092D3D9 /* PBXTargetDependency */, 0C664AE0175939740092D3D9 /* PBXTargetDependency */, 0C664ADE1759396C0092D3D9 /* PBXTargetDependency */, + D447C4E71D31CA650082FC1D /* PBXTargetDependency */, 0C664ADC1759395E0092D3D9 /* PBXTargetDependency */, 0C664AD8175938F90092D3D9 /* PBXTargetDependency */, 0C664AD6175938F20092D3D9 /* PBXTargetDependency */, @@ -6706,6 +5012,42 @@ productReference = 0C0BDB2F175685B000BC1A7E /* secdtests */; productType = "com.apple.product-type.tool"; }; + 0C2BCBA81D06401F00ED7A2F /* dtlsEchoClient */ = { + isa = PBXNativeTarget; + buildConfigurationList = 0C2BCBB61D06401F00ED7A2F /* Build configuration list for PBXNativeTarget "dtlsEchoClient" */; + buildPhases = ( + 0C2BCBAD1D06401F00ED7A2F /* Sources */, + 0C2BCBB21D06401F00ED7A2F /* Frameworks */, + ); + buildRules = ( + ); + dependencies = ( + 0C2BCBA91D06401F00ED7A2F /* PBXTargetDependency */, + 0C2BCBAB1D06401F00ED7A2F /* PBXTargetDependency */, + ); + name = dtlsEchoClient; + productName = sslViewer; + productReference = 0C2BCBB91D06401F00ED7A2F /* dtlsEchoClient */; + productType = "com.apple.product-type.tool"; + }; + 0C2BCBBD1D0648D100ED7A2F /* dtlsEchoServer */ = { + isa = PBXNativeTarget; + buildConfigurationList = 0C2BCBCB1D0648D100ED7A2F /* Build configuration list for PBXNativeTarget "dtlsEchoServer" */; + buildPhases = ( + 0C2BCBC21D0648D100ED7A2F /* Sources */, + 0C2BCBC71D0648D100ED7A2F /* Frameworks */, + ); + buildRules = ( + ); + dependencies = ( + 0C2BCBBE1D0648D100ED7A2F /* PBXTargetDependency */, + 0C2BCBC01D0648D100ED7A2F /* PBXTargetDependency */, + ); + name = dtlsEchoServer; + productName = sslViewer; + productReference = 0C2BCBCE1D0648D100ED7A2F /* dtlsEchoServer */; + productType = "com.apple.product-type.tool"; + }; 4381690B1B4EDCBD00C54D58 /* SOSCCAuthPlugin */ = { isa = PBXNativeTarget; buildConfigurationList = 438169381B4EDCBD00C54D58 /* Build configuration list for PBXNativeTarget "SOSCCAuthPlugin" */; 
@@ -6727,25 +5069,28 @@ isa = PBXNativeTarget; buildConfigurationList = 4C32C0B10A4975F7002891BD /* Build configuration list for PBXNativeTarget "Security" */; buildPhases = ( + EBDED8FB1C2108BE00E5ECDB /* Copy Security features header */, 4C32C0AA0A4975F6002891BD /* Headers */, E73288DD1AED7215008CE839 /* Copy SecureObjectSync Headers */, 4C32C0AB0A4975F6002891BD /* Resources */, 4C32C0AC0A4975F6002891BD /* Sources */, 4C32C0AD0A4975F6002891BD /* Frameworks */, EB5D72ED1B0CB082009CAA47 /* Old SOS header location */, + 5EE098DE1CD21661009FCA27 /* Unifdef RC_HIDE_J79/J80 */, ); buildRules = ( E7B006FF170B56E700B27966 /* PBXBuildRule */, ); dependencies = ( + D46B08A61C8FD8CF00B5939A /* PBXTargetDependency */, + D46B08001C8FBE3300B5939A /* PBXTargetDependency */, + D447C4E51D31CA540082FC1D /* PBXTargetDependency */, + EBBE205C1C21382F00B7A639 /* PBXTargetDependency */, E7B01B8416572132000485F1 /* PBXTargetDependency */, 0CCA408215C745C6002AEC4C /* PBXTargetDependency */, 18F7F66D14D77E8D00F88A12 /* PBXTargetDependency */, 18F7F66B14D77E8500F88A12 /* PBXTargetDependency */, E76079FC1951FE1F00F69731 /* PBXTargetDependency */, - 795CA9BD0D3829FC00BAE6A2 /* PBXTargetDependency */, - 79BDD3A50D60D637000D84D3 /* PBXTargetDependency */, - 4C8786B50B03E0A400BB77D4 /* PBXTargetDependency */, 4CEC097115758EC5008EB037 /* PBXTargetDependency */, ); name = Security; @@ -6778,16 +5123,10 @@ 4C711D6313AFCD0900FE865D /* Sources */, 4C711D6513AFCD0900FE865D /* Frameworks */, 4C711D7213AFCD0900FE865D /* Resources */, - E7A94B2E13D89EBF001C5FEE /* CopyFiles */, - E73000E813D90A4400B0DA1B /* CopyFiles */, - E730010613D90CFF00B0DA1B /* CopyFiles */, - 4C50AD3414106A2900EE92DE /* CopyFiles */, - 4C50AD3514106A2B00EE92DE /* CopyFiles */, - 4C50AD3
